Bicep resource definition
The managedEnvironments/privateEndpointConnections resource type can be deployed with operations that target:
- Resource groups - See resource group deployment commands
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.App/managedEnvironments/privateEndpointConnections resource, add the following Bicep to your template.
```bicep
resource symbolicname 'Microsoft.App/managedEnvironments/privateEndpointConnections@2026-01-01' = {
  parent: resourceSymbolicName
  name: 'string'
  properties: {
    privateEndpoint: {}
    privateLinkServiceConnectionState: {
      actionsRequired: 'string'
      description: 'string'
      status: 'string'
    }
  }
}
```
Property Values
Microsoft.App/managedEnvironments/privateEndpointConnections
| Name | Description | Value |
|---|---|---|
| name | The resource name | string (required) |
| parent | In Bicep, you can specify the parent resource for a child resource. You only need to add this property when the child resource is declared outside of the parent resource. For more information, see Child resource outside parent resource. | Symbolic name for resource of type: managedEnvironments |
| properties | Resource properties. | PrivateEndpointConnectionProperties |
PrivateEndpoint
| Name | Description | Value |
|---|---|---|
PrivateEndpointConnectionProperties
| Name | Description | Value |
|---|---|---|
| privateEndpoint | The private endpoint resource. | PrivateEndpoint |
| privateLinkServiceConnectionState | A collection of information about the state of the connection between service consumer and provider. | PrivateLinkServiceConnectionState (required) |
PrivateLinkServiceConnectionState
| Name | Description | Value |
|---|---|---|
| actionsRequired | A message indicating if changes on the service provider require any updates on the consumer. | string |
| description | The reason for approval/rejection of the connection. | string |
| status | Indicates whether the connection has been Approved/Rejected/Removed by the owner of the service. | 'Approved' 'Disconnected' 'Pending' 'Rejected' |
ARM template resource definition
The managedEnvironments/privateEndpointConnections resource type can be deployed with operations that target:
- Resource groups - See resource group deployment commands
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.App/managedEnvironments/privateEndpointConnections resource, add the following JSON to your template.
```json
{
  "type": "Microsoft.App/managedEnvironments/privateEndpointConnections",
  "apiVersion": "2026-01-01",
  "name": "string",
  "properties": {
    "privateEndpoint": {},
    "privateLinkServiceConnectionState": {
      "actionsRequired": "string",
      "description": "string",
      "status": "string"
    }
  }
}
```
Property Values
Microsoft.App/managedEnvironments/privateEndpointConnections
| Name | Description | Value |
|---|---|---|
| apiVersion | The API version | '2026-01-01' |
| name | The resource name | string (required) |
| properties | Resource properties. | PrivateEndpointConnectionProperties |
| type | The resource type | 'Microsoft.App/managedEnvironments/privateEndpointConnections' |
PrivateEndpoint
| Name | Description | Value |
|---|---|---|
PrivateEndpointConnectionProperties
| Name | Description | Value |
|---|---|---|
| privateEndpoint | The private endpoint resource. | PrivateEndpoint |
| privateLinkServiceConnectionState | A collection of information about the state of the connection between service consumer and provider. | PrivateLinkServiceConnectionState (required) |
PrivateLinkServiceConnectionState
| Name | Description | Value |
|---|---|---|
| actionsRequired | A message indicating if changes on the service provider require any updates on the consumer. | string |
| description | The reason for approval/rejection of the connection. | string |
| status | Indicates whether the connection has been Approved/Rejected/Removed by the owner of the service. | 'Approved' 'Disconnected' 'Pending' 'Rejected' |
Terraform (AzAPI provider) resource definition
The managedEnvironments/privateEndpointConnections resource type can be deployed with operations that target:
- Resource groups
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.App/managedEnvironments/privateEndpointConnections resource, add the following Terraform to your template.
```hcl
resource "azapi_resource" "symbolicname" {
  type = "Microsoft.App/managedEnvironments/privateEndpointConnections@2026-01-01"
  name = "string"
  parent_id = "string"
  body = {
    properties = {
      privateEndpoint = {}
      privateLinkServiceConnectionState = {
        actionsRequired = "string"
        description = "string"
        status = "string"
      }
    }
  }
}
```
Property Values
Microsoft.App/managedEnvironments/privateEndpointConnections
| Name | Description | Value |
|---|---|---|
| name | The resource name | string (required) |
| parent_id | The ID of the resource that is the parent for this resource. | ID for resource of type: managedEnvironments |
| properties | Resource properties. | PrivateEndpointConnectionProperties |
| type | The resource type | "Microsoft.App/managedEnvironments/privateEndpointConnections@2026-01-01" |
PrivateEndpoint
| Name | Description | Value |
|---|---|---|
PrivateEndpointConnectionProperties
| Name | Description | Value |
|---|---|---|
| privateEndpoint | The private endpoint resource. | PrivateEndpoint |
| privateLinkServiceConnectionState | A collection of information about the state of the connection between service consumer and provider. | PrivateLinkServiceConnectionState (required) |
PrivateLinkServiceConnectionState
| Name | Description | Value |
|---|---|---|
| actionsRequired | A message indicating if changes on the service provider require any updates on the consumer. | string |
| description | The reason for approval/rejection of the connection. | string |
| status | Indicates whether the connection has been Approved/Rejected/Removed by the owner of the service. | 'Approved' 'Disconnected' 'Pending' 'Rejected' |
Usage Examples
Terraform Samples
A basic example of deploying Container App Environment Private Endpoint Connection.
```hcl
terraform {
  required_providers {
    azapi = {
      source = "Azure/azapi"
    }
  }
}

provider "azapi" {
  skip_provider_registration = false
}

variable "resource_name" {
  type = string
  default = "acctest5925"
}

variable "location" {
  type = string
  default = "westeurope"
}

resource "azapi_resource" "resourceGroup" {
  type = "Microsoft.Resources/resourceGroups@2020-06-01"
  name = var.resource_name
  location = var.location
}

resource "azapi_resource" "workspace" {
  type = "Microsoft.OperationalInsights/workspaces@2022-10-01"
  parent_id = azapi_resource.resourceGroup.id
  name = var.resource_name
  location = var.location
  body = {
    properties = {
      features = {
        disableLocalAuth = false
        enableLogAccessUsingOnlyResourcePermissions = true
      }
      publicNetworkAccessForIngestion = "Enabled"
      publicNetworkAccessForQuery = "Enabled"
      retentionInDays = 30
      sku = {
        name = "PerGB2018"
      }
      workspaceCapping = {
        dailyQuotaGb = -1
      }
    }
  }
  schema_validation_enabled = false
  response_export_values = ["*"]
}

data "azapi_resource_action" "sharedKeys" {
  type = "Microsoft.OperationalInsights/workspaces@2020-08-01"
  resource_id = azapi_resource.workspace.id
  action = "sharedKeys"
  response_export_values = ["*"]
}

# Create Virtual Network for private endpoint
resource "azapi_resource" "virtualNetwork" {
  type = "Microsoft.Network/virtualNetworks@2023-05-01"
  parent_id = azapi_resource.resourceGroup.id
  name = "${var.resource_name}-vnet"
  location = var.location
  body = {
    properties = {
      addressSpace = {
        addressPrefixes = ["10.0.0.0/16"]
      }
    }
  }
  schema_validation_enabled = false
  response_export_values = ["*"]
}

# Create Subnet for private endpoint (minimum /27 required for workload profiles)
resource "azapi_resource" "subnet" {
  type = "Microsoft.Network/virtualNetworks/subnets@2023-05-01"
  parent_id = azapi_resource.virtualNetwork.id
  name = "${var.resource_name}-subnet"
  body = {
    properties = {
      addressPrefix = "10.0.0.0/21"
      privateEndpointNetworkPolicies = "Disabled"
    }
  }
  schema_validation_enabled = false
  response_export_values = ["*"]
}

# Create Container Apps Environment with workload profiles (required for private endpoints)
resource "azapi_resource" "managedEnvironment" {
  type = "Microsoft.App/managedEnvironments@2024-10-02-preview"
  parent_id = azapi_resource.resourceGroup.id
  name = var.resource_name
  location = var.location
  body = {
    properties = {
      appLogsConfiguration = {
        destination = "log-analytics"
        logAnalyticsConfiguration = {
          customerId = azapi_resource.workspace.output.properties.customerId
          sharedKey = data.azapi_resource_action.sharedKeys.output.primarySharedKey
        }
      }
      # Enable workload profiles (default for new environments, but explicitly set)
      workloadProfiles = [
        {
          name = "Consumption"
          workloadProfileType = "Consumption"
        }
      ]
      # Disable public network access to enable private endpoints
      publicNetworkAccess = "Disabled"
      vnetConfiguration = {
        # Note: For private endpoints, we don't inject into VNet but create separate private endpoint
      }
    }
  }
  schema_validation_enabled = false
  response_export_values = ["*"]
}

# Create Private Endpoint for the Container Apps Environment
resource "azapi_resource" "privateEndpoint" {
  type = "Microsoft.Network/privateEndpoints@2023-05-01"
  parent_id = azapi_resource.resourceGroup.id
  name = "${var.resource_name}-pe"
  location = var.location
  body = {
    properties = {
      subnet = {
        id = azapi_resource.subnet.id
      }
      privateLinkServiceConnections = [
        {
          name = "${var.resource_name}-connection"
          properties = {
            privateLinkServiceId = azapi_resource.managedEnvironment.id
            groupIds = ["managedEnvironments"]
          }
        }
      ]
    }
  }
  schema_validation_enabled = false
  response_export_values = ["*"]
}

# Create Private DNS Zone for Container Apps
resource "azapi_resource" "privateDnsZone" {
  type = "Microsoft.Network/privateDnsZones@2020-06-01"
  parent_id = azapi_resource.resourceGroup.id
  name = "acctestzone.azurecontainerapps.dev"
  location = "global"
  body = {
    properties = {}
  }
  schema_validation_enabled = false
  response_export_values = ["*"]
}

# Link VNet to Private DNS Zone
resource "azapi_resource" "vnetLink" {
  type = "Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01"
  parent_id = azapi_resource.privateDnsZone.id
  name = "${var.resource_name}-vnet-link"
  location = "global"
  body = {
    properties = {
      virtualNetwork = {
        id = azapi_resource.virtualNetwork.id
      }
      registrationEnabled = false
    }
  }
  schema_validation_enabled = false
  response_export_values = ["*"]
}

# Create DNS Zone Group for automatic DNS record management
resource "azapi_resource" "privateDnsZoneGroup" {
  type = "Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2023-05-01"
  parent_id = azapi_resource.privateEndpoint.id
  name = "default"
  body = {
    properties = {
      privateDnsZoneConfigs = [
        {
          name = "config"
          properties = {
            privateDnsZoneId = azapi_resource.privateDnsZone.id
          }
        }
      ]
    }
  }
  schema_validation_enabled = false
  response_export_values = ["*"]
}

data "azapi_resource_list" "privateEndpointConnections" {
  type = "Microsoft.App/managedEnvironments/privateEndpointConnections@2024-10-02-preview"
  parent_id = azapi_resource.managedEnvironment.id
  response_export_values = ["*"]
}

output "privateEndpointConnections" {
  value = data.azapi_resource_list.privateEndpointConnections.output
}

locals {
  privateEndpointConnectionIds = [
    for pe in data.azapi_resource_list.privateEndpointConnections.output.value : pe.id
  ]
}

# Note: The private endpoint connection is automatically created when the private endpoint is created
# This resource manages the approval state of the connection
resource "azapi_update_resource" "privateEndpointConnection" {
  for_each = toset(local.privateEndpointConnectionIds)
  type = "Microsoft.App/managedEnvironments/privateEndpointConnections@2024-10-02-preview"
  resource_id = each.value
  body = {
    properties = {
      privateLinkServiceConnectionState = {
        status = "Approved"
        description = "Auto-approved"
        actionsRequired = "None"
      }
    }
  }
}
```
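
The sample above sets every connection returned by the list call to `Approved`. As an added example (not part of the original page or the provider's samples), this Python check reviews a `privateEndpointConnections` list response and flags connections that are approved or pending from private endpoints outside an expected set. The `properties.privateEndpoint.id` field in the response, the finding labels, the helper names and all resource IDs are assumptions constructed for illustration.

```python
# Status values listed in the PrivateLinkServiceConnectionState table on this page.
KNOWN_STATUSES = {"Approved", "Disconnected", "Pending", "Rejected"}

def audit_connections(list_response, expected_endpoint_ids):
    """Return (connection name, finding) pairs for connections that need review."""
    # ARM resource IDs are case-insensitive, so compare them lowercased.
    expected = {i.lower() for i in expected_endpoint_ids}
    findings = []
    for conn in list_response.get("value", []):
        props = conn.get("properties") or {}
        state = props.get("privateLinkServiceConnectionState")
        endpoint_id = ((props.get("privateEndpoint") or {}).get("id") or "").lower()
        name = conn.get("name", "<unnamed>")
        if not state:  # the page marks this property as required
            findings.append((name, "missing-connection-state"))
            continue
        status = state.get("status")
        if status not in KNOWN_STATUSES:
            findings.append((name, "unknown-status"))
        elif endpoint_id not in expected and status in ("Approved", "Pending"):
            findings.append((name, status.lower() + "-from-unexpected-endpoint"))
        elif status == "Pending":
            findings.append((name, "pending-awaiting-approval"))
    return findings

# Constructed sample data (hypothetical IDs, not real resources).
PE_ID_FMT = "/subscriptions/{}/resourceGroups/rg/providers/Microsoft.Network/privateEndpoints/{}"

def make_conn(name, subscription, endpoint, status):
    return {"name": name, "properties": {
        "privateEndpoint": {"id": PE_ID_FMT.format(subscription, endpoint)},
        "privateLinkServiceConnectionState": {"status": status}}}

SAMPLE = {"value": [
    make_conn("own-pe", "SUB-A", "acctest-pe", "Approved"),       # expected, ID case differs
    make_conn("foreign-pe", "sub-b", "other-pe", "Approved"),     # approved but not ours
    make_conn("foreign-pending", "sub-c", "other-pe", "Pending"), # request from unknown endpoint
    make_conn("own-pending", "sub-a", "acctest-pe2", "Pending"),  # ours, still waiting
    {"name": "broken", "properties": {"privateEndpoint": {}}},    # no connection state
]}
EXPECTED = [PE_ID_FMT.format("sub-a", "acctest-pe"), PE_ID_FMT.format("sub-a", "acctest-pe2")]

if __name__ == "__main__":
    for conn_name, finding in audit_connections(SAMPLE, EXPECTED):
        print(f"{conn_name}: {finding}")
```

The same comparison against the private endpoint's ID can be applied as a filter on the list before any approval is written, so that only connections from endpoints you created are approved.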