Create an App Service app and deploy Private Endpoint using Azure CLI

This sample script creates an app in App Service with its related resources, and then deploys a Private Endpoint.

If you don't have an Azure subscription, create an Azure free account before you begin.


  • This tutorial requires version 2.0.28 or later of the Azure CLI. If using Azure Cloud Shell, the latest version is already installed.

Create a resource group

Before you can create any resource, you have to create a resource group to host the Web App, the Virtual Network, and other network components. Create a resource group with az group create. This example creates a resource group named myResourceGroup in the francecentral location:

az group create --name myResourceGroup --location francecentral 

Create an App Service Plan

You need to create an App Service Plan to host your Web App. Create an App Service Plan with az appservice plan create. This example creates App Service Plan named myAppServicePlan in the francecentral location with P1V2 sku and only one worker:

az appservice plan create \
--name myAppServicePlan \
--resource-group myResourceGroup \
--location francecentral \
--sku P1V2 \
--number-of-workers 1

Create a Web App

Now that you have an App Service Plan you can deploy a Web App. Create a Web App with az webapp create. This example creates a Web App named mySiteName in the Plan named myAppServicePlan

az webapp create \
--name mySiteName \
--resource-group myResourceGroup \
--plan myAppServicePlan

Create a VNet

Create a Virtual Network with az network vnet create. This example creates a default Virtual Network named myVNet with one subnet named mySubnet:

az network vnet create \
--name myVNet \
--resource-group myResourceGroup \
--location francecentral \
--address-prefixes \
--subnet-name mySubnet \

Configure the Subnet

You need to update the subnet to disable private endpoint network policies. Update a subnet configuration named mySubnet with az network vnet subnet update:

az network vnet subnet update \
--name mySubnet \
--resource-group myResourceGroup \
--vnet-name myVNet \
--disable-private-endpoint-network-policies true

Create the Private Endpoint

Create the Private Endpoint for your Web App with az network private-endpoint create. This example creates a Private Endpoint named myPrivateEndpoint in the VNet myVNet in the Subnet mySubnet with a connection named myConnectionName to the resource ID of my Web App /subscriptions/SubscriptionID/resourceGroups/myResourceGroup/providers/Microsoft.Web/sites/myWebApp, the group parameter is sites for Web App type.

az network private-endpoint create \
--name myPrivateEndpoint \
--resource-group myResourceGroup \
--vnet-name myVNet \
--subnet mySubnet \
--connection-name myConnectionName \
--private-connection-resource-id /subscriptions/SubscriptionID/resourceGroups/myResourceGroup/providers/Microsoft.Web/sites/myWebApp \
--group-id sites

Configure the private zone

At the end, you need to create a private DNS zone named linked to the VNet to resolve DNS name of the Web App.

az network private-dns zone create \
--name \
--resource-group myResourceGroup

az network private-dns link vnet create \
--name myDNSLink \
--resource-group myResourceGroup \
--registration-enabled false \
--virtual-network myVNet \

az network private-endpoint dns-zone-group create \
--name myZoneGroup \
--resource-group myResourceGroup \
--endpoint-name myPrivateEndpoint \
--private-dns-zone \

Clean up deployment

After the sample script has been run, the following command can be used to remove the resource group and all resources associated with it.

az group delete --name myResourceGroup

Next steps