Microsoft.Network privateEndpoints

  • Article

Bicep resource definition

The privateEndpoints resource type can be deployed to:

For a list of changed properties in each API version, see change log.

Remarks

For guidance on creating private endpoints, see Create virtual network resources by using Bicep.

Resource format

To create a Microsoft.Network/privateEndpoints resource, add the following Bicep to your template.

resource symbolicname 'Microsoft.Network/privateEndpoints@2022-07-01' = {
  name: 'string'
  location: 'string'
  tags: {
    tagName1: 'tagValue1'
    tagName2: 'tagValue2'
  }
  extendedLocation: {
    name: 'string'
    type: 'EdgeZone'
  }
  properties: {
    applicationSecurityGroups: [
      {
        id: 'string'
        location: 'string'
        properties: {}
        tags: {}
      }
    ]
    customDnsConfigs: [
      {
        fqdn: 'string'
        ipAddresses: [
          'string'
        ]
      }
    ]
    customNetworkInterfaceName: 'string'
    ipConfigurations: [
      {
        name: 'string'
        properties: {
          groupId: 'string'
          memberName: 'string'
          privateIPAddress: 'string'
        }
      }
    ]
    manualPrivateLinkServiceConnections: [
      {
        id: 'string'
        name: 'string'
        properties: {
          groupIds: [
            'string'
          ]
          privateLinkServiceConnectionState: {
            actionsRequired: 'string'
            description: 'string'
            status: 'string'
          }
          privateLinkServiceId: 'string'
          requestMessage: 'string'
        }
      }
    ]
    privateLinkServiceConnections: [
      {
        id: 'string'
        name: 'string'
        properties: {
          groupIds: [
            'string'
          ]
          privateLinkServiceConnectionState: {
            actionsRequired: 'string'
            description: 'string'
            status: 'string'
          }
          privateLinkServiceId: 'string'
          requestMessage: 'string'
        }
      }
    ]
    subnet: {
      id: 'string'
      name: 'string'
      properties: {
        addressPrefix: 'string'
        addressPrefixes: [
          'string'
        ]
        applicationGatewayIpConfigurations: [
          {
            id: 'string'
            name: 'string'
            properties: {
              subnet: {
                id: 'string'
              }
            }
          }
        ]
        delegations: [
          {
            id: 'string'
            name: 'string'
            properties: {
              serviceName: 'string'
            }
            type: 'string'
          }
        ]
        ipAllocations: [
          {
            id: 'string'
          }
        ]
        natGateway: {
          id: 'string'
        }
        networkSecurityGroup: {
          id: 'string'
          location: 'string'
          properties: {
            flushConnection: bool
            securityRules: [
              {
                id: 'string'
                name: 'string'
                properties: {
                  access: 'string'
                  description: 'string'
                  destinationAddressPrefix: 'string'
                  destinationAddressPrefixes: [
                    'string'
                  ]
                  destinationApplicationSecurityGroups: [
                    {
                      id: 'string'
                      location: 'string'
                      properties: {}
                      tags: {}
                    }
                  ]
                  destinationPortRange: 'string'
                  destinationPortRanges: [
                    'string'
                  ]
                  direction: 'string'
                  priority: int
                  protocol: 'string'
                  sourceAddressPrefix: 'string'
                  sourceAddressPrefixes: [
                    'string'
                  ]
                  sourceApplicationSecurityGroups: [
                    {
                      id: 'string'
                      location: 'string'
                      properties: {}
                      tags: {}
                    }
                  ]
                  sourcePortRange: 'string'
                  sourcePortRanges: [
                    'string'
                  ]
                }
                type: 'string'
              }
            ]
          }
          tags: {}
        }
        privateEndpointNetworkPolicies: 'string'
        privateLinkServiceNetworkPolicies: 'string'
        routeTable: {
          id: 'string'
          location: 'string'
          properties: {
            disableBgpRoutePropagation: bool
            routes: [
              {
                id: 'string'
                name: 'string'
                properties: {
                  addressPrefix: 'string'
                  hasBgpOverride: bool
                  nextHopIpAddress: 'string'
                  nextHopType: 'string'
                }
                type: 'string'
              }
            ]
          }
          tags: {}
        }
        serviceEndpointPolicies: [
          {
            id: 'string'
            location: 'string'
            properties: {
              contextualServiceEndpointPolicies: [
                'string'
              ]
              serviceAlias: 'string'
              serviceEndpointPolicyDefinitions: [
                {
                  id: 'string'
                  name: 'string'
                  properties: {
                    description: 'string'
                    service: 'string'
                    serviceResources: [
                      'string'
                    ]
                  }
                  type: 'string'
                }
              ]
            }
            tags: {}
          }
        ]
        serviceEndpoints: [
          {
            locations: [
              'string'
            ]
            service: 'string'
          }
        ]
      }
      type: 'string'
    }
  }
}

Property values

privateEndpoints

Name Description Value
name The resource name string (required)

Character limit: 2-64

Valid characters:
Alphanumerics, underscores, periods, and hyphens.

Start with alphanumeric. End alphanumeric or underscore.
location Resource location. string
tags Resource tags. Dictionary of tag names and values. See Tags in templates
extendedLocation The extended location of the load balancer. ExtendedLocation
properties Properties of the private endpoint. PrivateEndpointProperties

ExtendedLocation

Name Description Value
name The name of the extended location. string
type The type of the extended location. 'EdgeZone'

PrivateEndpointProperties

Name Description Value
applicationSecurityGroups Application security groups in which the private endpoint IP configuration is included. ApplicationSecurityGroup[]
customDnsConfigs An array of custom dns configurations. CustomDnsConfigPropertiesFormat[]
customNetworkInterfaceName The custom name of the network interface attached to the private endpoint. string
ipConfigurations A list of IP configurations of the private endpoint. This will be used to map to the First Party Service's endpoints. PrivateEndpointIPConfiguration[]
manualPrivateLinkServiceConnections A grouping of information about the connection to the remote resource. Used when the network admin does not have access to approve connections to the remote resource. PrivateLinkServiceConnection[]
privateLinkServiceConnections A grouping of information about the connection to the remote resource. PrivateLinkServiceConnection[]
subnet The ID of the subnet from which the private IP will be allocated. Subnet

ApplicationSecurityGroup

Name Description Value
id Resource ID. string
location Resource location. string
properties Properties of the application security group. ApplicationSecurityGroupPropertiesFormat
tags Resource tags. object

ApplicationSecurityGroupPropertiesFormat

This object doesn't contain any properties to set during deployment. All properties are ReadOnly.

CustomDnsConfigPropertiesFormat

Name Description Value
fqdn Fqdn that resolves to private endpoint ip address. string
ipAddresses A list of private ip addresses of the private endpoint. string[]

PrivateEndpointIPConfiguration

Name Description Value
name The name of the resource that is unique within a resource group. string
properties Properties of private endpoint IP configurations. PrivateEndpointIPConfigurationProperties

PrivateEndpointIPConfigurationProperties

Name Description Value
groupId The ID of a group obtained from the remote resource that this private endpoint should connect to. string
memberName The member name of a group obtained from the remote resource that this private endpoint should connect to. string
privateIPAddress A private ip address obtained from the private endpoint's subnet. string

PrivateLinkServiceConnection

Name Description Value
id Resource ID. string
name The name of the resource that is unique within a resource group. This name can be used to access the resource. string
properties Properties of the private link service connection. PrivateLinkServiceConnectionProperties

PrivateLinkServiceConnectionProperties

Name Description Value
groupIds The ID(s) of the group(s) obtained from the remote resource that this private endpoint should connect to. string[]
privateLinkServiceConnectionState A collection of read-only information about the state of the connection to the remote resource. PrivateLinkServiceConnectionState
privateLinkServiceId The resource id of private link service. string
requestMessage A message passed to the owner of the remote resource with this connection request. Restricted to 140 chars. string

PrivateLinkServiceConnectionState

Name Description Value
actionsRequired A message indicating if changes on the service provider require any updates on the consumer. string
description The reason for approval/rejection of the connection. string
status Indicates whether the connection has been Approved/Rejected/Removed by the owner of the service. string

Subnet

Name Description Value
id Resource ID. string
name The name of the resource that is unique within a resource group. This name can be used to access the resource. string
properties Properties of the subnet. SubnetPropertiesFormat
type Resource type. string

SubnetPropertiesFormat

Name Description Value
addressPrefix The address prefix for the subnet. string
addressPrefixes List of address prefixes for the subnet. string[]
applicationGatewayIpConfigurations Application gateway IP configurations of virtual network resource. ApplicationGatewayIPConfiguration[]
delegations An array of references to the delegations on the subnet. Delegation[]
ipAllocations Array of IpAllocation which reference this subnet. SubResource[]
natGateway Nat gateway associated with this subnet. SubResource
networkSecurityGroup The reference to the NetworkSecurityGroup resource. NetworkSecurityGroup
privateEndpointNetworkPolicies Enable or Disable apply network policies on private end point in the subnet. 'Disabled'
'Enabled'
privateLinkServiceNetworkPolicies Enable or Disable apply network policies on private link service in the subnet. 'Disabled'
'Enabled'
routeTable The reference to the RouteTable resource. RouteTable
serviceEndpointPolicies An array of service endpoint policies. ServiceEndpointPolicy[]
serviceEndpoints An array of service endpoints. ServiceEndpointPropertiesFormat[]

ApplicationGatewayIPConfiguration

Name Description Value
id Resource ID. string
name Name of the IP configuration that is unique within an Application Gateway. string
properties Properties of the application gateway IP configuration. ApplicationGatewayIPConfigurationPropertiesFormat

ApplicationGatewayIPConfigurationPropertiesFormat

Name Description Value
subnet Reference to the subnet resource. A subnet from where application gateway gets its private address. SubResource

SubResource

Name Description Value
id Resource ID. string

Delegation

Name Description Value
id Resource ID. string
name The name of the resource that is unique within a subnet. This name can be used to access the resource. string
properties Properties of the subnet. ServiceDelegationPropertiesFormat
type Resource type. string

ServiceDelegationPropertiesFormat

Name Description Value
serviceName The name of the service to whom the subnet should be delegated (e.g. Microsoft.Sql/servers). string

NetworkSecurityGroup

Name Description Value
id Resource ID. string
location Resource location. string
properties Properties of the network security group. NetworkSecurityGroupPropertiesFormat
tags Resource tags. object

NetworkSecurityGroupPropertiesFormat

Name Description Value
flushConnection When enabled, flows created from Network Security Group connections will be re-evaluated when rules are updates. Initial enablement will trigger re-evaluation. bool
securityRules A collection of security rules of the network security group. SecurityRule[]

SecurityRule

Name Description Value
id Resource ID. string
name The name of the resource that is unique within a resource group. This name can be used to access the resource. string
properties Properties of the security rule. SecurityRulePropertiesFormat
type The type of the resource. string

SecurityRulePropertiesFormat

Name Description Value
access The network traffic is allowed or denied. 'Allow'
'Deny' (required)
description A description for this rule. Restricted to 140 chars. string
destinationAddressPrefix The destination address prefix. CIDR or destination IP range. Asterisk '*' can also be used to match all source IPs. Default tags such as 'VirtualNetwork', 'AzureLoadBalancer' and 'Internet' can also be used. string
destinationAddressPrefixes The destination address prefixes. CIDR or destination IP ranges. string[]
destinationApplicationSecurityGroups The application security group specified as destination. ApplicationSecurityGroup[]
destinationPortRange The destination port or range. Integer or range between 0 and 65535. Asterisk '*' can also be used to match all ports. string
destinationPortRanges The destination port ranges. string[]
direction The direction of the rule. The direction specifies if rule will be evaluated on incoming or outgoing traffic. 'Inbound'
'Outbound' (required)
priority The priority of the rule. The value can be between 100 and 4096. The priority number must be unique for each rule in the collection. The lower the priority number, the higher the priority of the rule. int
protocol Network protocol this rule applies to. '*'
'Ah'
'Esp'
'Icmp'
'Tcp'
'Udp' (required)
sourceAddressPrefix The CIDR or source IP range. Asterisk '*' can also be used to match all source IPs. Default tags such as 'VirtualNetwork', 'AzureLoadBalancer' and 'Internet' can also be used. If this is an ingress rule, specifies where network traffic originates from. string
sourceAddressPrefixes The CIDR or source IP ranges. string[]
sourceApplicationSecurityGroups The application security group specified as source. ApplicationSecurityGroup[]
sourcePortRange The source port or range. Integer or range between 0 and 65535. Asterisk '*' can also be used to match all ports. string
sourcePortRanges The source port ranges. string[]

RouteTable

Name Description Value
id Resource ID. string
location Resource location. string
properties Properties of the route table. RouteTablePropertiesFormat
tags Resource tags. object

RouteTablePropertiesFormat

Name Description Value
disableBgpRoutePropagation Whether to disable the routes learned by BGP on that route table. True means disable. bool
routes Collection of routes contained within a route table. Route[]

Route

Name Description Value
id Resource ID. string
name The name of the resource that is unique within a resource group. This name can be used to access the resource. string
properties Properties of the route. RoutePropertiesFormat
type The type of the resource. string

RoutePropertiesFormat

Name Description Value
addressPrefix The destination CIDR to which the route applies. string
hasBgpOverride A value indicating whether this route overrides overlapping BGP routes regardless of LPM. bool
nextHopIpAddress The IP address packets should be forwarded to. Next hop values are only allowed in routes where the next hop type is VirtualAppliance. string
nextHopType The type of Azure hop the packet should be sent to. 'Internet'
'None'
'VirtualAppliance'
'VirtualNetworkGateway'
'VnetLocal' (required)

ServiceEndpointPolicy

Name Description Value
id Resource ID. string
location Resource location. string
properties Properties of the service end point policy. ServiceEndpointPolicyPropertiesFormat
tags Resource tags. object

ServiceEndpointPolicyPropertiesFormat

Name Description Value
contextualServiceEndpointPolicies A collection of contextual service endpoint policy. string[]
serviceAlias The alias indicating if the policy belongs to a service string
serviceEndpointPolicyDefinitions A collection of service endpoint policy definitions of the service endpoint policy. ServiceEndpointPolicyDefinition[]

ServiceEndpointPolicyDefinition

Name Description Value
id Resource ID. string
name The name of the resource that is unique within a resource group. This name can be used to access the resource. string
properties Properties of the service endpoint policy definition. ServiceEndpointPolicyDefinitionPropertiesFormat
type The type of the resource. string

ServiceEndpointPolicyDefinitionPropertiesFormat

Name Description Value
description A description for this rule. Restricted to 140 chars. string
service Service endpoint name. string
serviceResources A list of service resources. string[]

ServiceEndpointPropertiesFormat

Name Description Value
locations A list of locations. string[]
service The type of the endpoint service. string

Quickstart templates

The following quickstart templates deploy this resource type.

Template Description
min.io Azure Gateway

Deploy to Azure		 Fully private min.io Azure Gateway deployment to provide an S3 compliant storage API backed by blob storage
AKS Cluster with a NAT Gateway and an Application Gateway

Deploy to Azure		 This sample shows how to a deploy an AKS cluster with NAT Gateway for outbound connections and an Application Gateway for inbound connections.
Azure Cloud Shell - VNet

Deploy to Azure		 This template deploys Azure Cloud Shell resources into an Azure virtual network.
Create a Private AKS Cluster

Deploy to Azure		 This sample shows how to create a private AKS cluster in a virtual network along with a jumpbox virtual machine.
Create a Private AKS Cluster with a Public DNS Zone

Deploy to Azure		 This sample shows how to a deploy a private AKS cluster with a Public DNS Zone.
WebApp consuming a Azure SQL Private Endpoint

Deploy to Azure		 This template shows how to create a Web app that consumes a private endpoint pointing to Azure SQL Server
Create an API Management service with a private endpoint

Deploy to Azure		 This template will create an API Management service, a virtual network and a private endpoint exposing the API Management service to the virtual network.
Azure Batch pool without public IP addresses

Deploy to Azure		 This template creates Azure Batch simplified node communication pool without public IP addresses.
Azure Databricks All-in-one Templat VNetInjection-Pvtendpt

Deploy to Azure		 This template allows you to create a network security group, a virtual network and an Azure Databricks workspace with the virtual network, and Private Endpoint.
Azure Digital Twins with Function and Private Link service

Deploy to Azure		 This template creates an Azure Digital Twins service configured with a Virtual Network connected Azure Function that can communicate through a Private Link Endpoint to Digital Twins. It also creates a Private DNS Zone to allow seamless hostname resolution of the Digital Twins Endpoint from the Virtual Network to the Private Endpoint internal subnet IP address. The hostname is stored as a setting to the Azure Function with name 'ADT_ENDPOINT'.
Create an Azure Cosmos DB Account with a private endpoint

Deploy to Azure		 This template will create a Cosmos account, a virtual network and a private endpoint exposing the Cosmos account to the virtual network.
Connect to a Event Hubs namespace via private endpoint

Deploy to Azure		 This sample shows how to use configure a virtual network and private DNS zone to access a Event Hubs namespace via a private endpoint.
Connect to a Key Vault via private endpoint

Deploy to Azure		 This sample shows how to use configure a virtual network and private DNS zone to access Key Vault via private endpoint.
Azure Machine Learning end-to-end secure setup

Deploy to Azure		 This set of Bicep templates demonstrates how to set up Azure Machine Learning end-to-end in a secure set up. This reference implementation includes the Workspace, a compute cluster, compute instance and attached private AKS cluster.
Azure Machine Learning end-to-end secure setup (legacy)

Deploy to Azure		 This set of Bicep templates demonstrates how to set up Azure Machine Learning end-to-end in a secure set up. This reference implementation includes the Workspace, a compute cluster, compute instance and attached private AKS cluster.
Create an Azure Machine Learning service workspace (vnet)

Deploy to Azure		 This deployment template specifies an Azure Machine Learning workspace, and its associated resources including Azure Key Vault, Azure Storage, Azure Application Insights and Azure Container Registry. This configuration describes the set of resources you require to get started with Azure Machine Learning in a network isolated set up.
Create an Azure Machine Learning service workspace (legacy)

Deploy to Azure		 This deployment template specifies an Azure Machine Learning workspace, and its associated resources including Azure Key Vault, Azure Storage, Azure Application Insights and Azure Container Registry. This configuration describes the set of resources you require to get started with Azure Machine Learning in a network isolated set up.
AKS cluster with the Application Gateway Ingress Controller

Deploy to Azure		 This sample shows how to deploy an AKS cluster with Application Gateway, Application Gateway Ingress Controller, Azure Container Registry, Log Analytics and Key Vault
Use Azure Firewall as a DNS Proxy in a Hub & Spoke topology

Deploy to Azure		 This sample show how to deploy a hub-spoke topology in Azure using the Azure Firewall. The hub virtual network acts as a central point of connectivity to many spoke virtual networks that are connected to hub virtual network via virtual network peering.
Private Link service example

Deploy to Azure		 This template shows how to create a private link service
Azure Cognitive Search service with private endpoint

Deploy to Azure		 This template creates an Azure Cognitive Search service with a private endpoint.
Connect to a Service Bus namespace via private endpoint

Deploy to Azure		 This sample shows how to use configure a virtual network and private DNS zone to access a Service Bus namespace via private endpoint.
Private Endpoint example

Deploy to Azure		 This template shows how to create a private endpoint pointing to Azure SQL Server
Connect to a storage account from a VM via private endpoint

Deploy to Azure		 This sample shows how to use connect a virtual network to access a blob storage account via private endpoint.
Connect to an Azure File Share via a Private Endpoint

Deploy to Azure		 This sample shows how to use configure a virtual network and private DNS zone to access an Azure File Share via a private endpoint.
App Service Environment with Azure SQL backend

Deploy to Azure		 This template creates an App Service Environment with an Azure SQL backend along with private endpoints along with associated resources typically used in an private/isolated environment.
Create Function App and private endpoint-secured Storage

Deploy to Azure		 This template allows you to deploy an Azure Function App that communicates with Azure Storage over private endpoints.
Function App secured by Azure Frontdoor

Deploy to Azure		 This template allows you to deploy an azure premium function protected and published by Azure Frontdoor premium. The conenction between Azure Frontdoor and Azure Functions is protected by Azure Private Link.
Web App with Private Endpoint

Deploy to Azure		 This template allows you to create a Web App and expose it through Private Endpoint
Application Gateway with internal API Management and Web App

Deploy to Azure		 Application Gateway routing Internet traffic to a virtual network (internal mode) API Management instance which services a web API hosted in an Azure Web App.
Web App with VNet Injection and Private Endpoint

Deploy to Azure		 This template allows you to create a secure end to end solution with two web apps, front end and back end, front end will consume securely the back through VNet injection and Private Endpoint

ARM template resource definition

The privateEndpoints resource type can be deployed to:

For a list of changed properties in each API version, see change log.

Remarks

For guidance on creating private endpoints, see Create virtual network resources by using Bicep.

Resource format

To create a Microsoft.Network/privateEndpoints resource, add the following JSON to your template.

{
  "type": "Microsoft.Network/privateEndpoints",
  "apiVersion": "2022-07-01",
  "name": "string",
  "location": "string",
  "tags": {
    "tagName1": "tagValue1",
    "tagName2": "tagValue2"
  },
  "extendedLocation": {
    "name": "string",
    "type": "EdgeZone"
  },
  "properties": {
    "applicationSecurityGroups": [
      {
        "id": "string",
        "location": "string",
        "properties": {},
        "tags": {}
      }
    ],
    "customDnsConfigs": [
      {
        "fqdn": "string",
        "ipAddresses": [ "string" ]
      }
    ],
    "customNetworkInterfaceName": "string",
    "ipConfigurations": [
      {
        "name": "string",
        "properties": {
          "groupId": "string",
          "memberName": "string",
          "privateIPAddress": "string"
        }
      }
    ],
    "manualPrivateLinkServiceConnections": [
      {
        "id": "string",
        "name": "string",
        "properties": {
          "groupIds": [ "string" ],
          "privateLinkServiceConnectionState": {
            "actionsRequired": "string",
            "description": "string",
            "status": "string"
          },
          "privateLinkServiceId": "string",
          "requestMessage": "string"
        }
      }
    ],
    "privateLinkServiceConnections": [
      {
        "id": "string",
        "name": "string",
        "properties": {
          "groupIds": [ "string" ],
          "privateLinkServiceConnectionState": {
            "actionsRequired": "string",
            "description": "string",
            "status": "string"
          },
          "privateLinkServiceId": "string",
          "requestMessage": "string"
        }
      }
    ],
    "subnet": {
      "id": "string",
      "name": "string",
      "properties": {
        "addressPrefix": "string",
        "addressPrefixes": [ "string" ],
        "applicationGatewayIpConfigurations": [
          {
            "id": "string",
            "name": "string",
            "properties": {
              "subnet": {
                "id": "string"
              }
            }
          }
        ],
        "delegations": [
          {
            "id": "string",
            "name": "string",
            "properties": {
              "serviceName": "string"
            },
            "type": "string"
          }
        ],
        "ipAllocations": [
          {
            "id": "string"
          }
        ],
        "natGateway": {
          "id": "string"
        },
        "networkSecurityGroup": {
          "id": "string",
          "location": "string",
          "properties": {
            "flushConnection": "bool",
            "securityRules": [
              {
                "id": "string",
                "name": "string",
                "properties": {
                  "access": "string",
                  "description": "string",
                  "destinationAddressPrefix": "string",
                  "destinationAddressPrefixes": [ "string" ],
                  "destinationApplicationSecurityGroups": [
                    {
                      "id": "string",
                      "location": "string",
                      "properties": {},
                      "tags": {}
                    }
                  ],
                  "destinationPortRange": "string",
                  "destinationPortRanges": [ "string" ],
                  "direction": "string",
                  "priority": "int",
                  "protocol": "string",
                  "sourceAddressPrefix": "string",
                  "sourceAddressPrefixes": [ "string" ],
                  "sourceApplicationSecurityGroups": [
                    {
                      "id": "string",
                      "location": "string",
                      "properties": {},
                      "tags": {}
                    }
                  ],
                  "sourcePortRange": "string",
                  "sourcePortRanges": [ "string" ]
                },
                "type": "string"
              }
            ]
          },
          "tags": {}
        },
        "privateEndpointNetworkPolicies": "string",
        "privateLinkServiceNetworkPolicies": "string",
        "routeTable": {
          "id": "string",
          "location": "string",
          "properties": {
            "disableBgpRoutePropagation": "bool",
            "routes": [
              {
                "id": "string",
                "name": "string",
                "properties": {
                  "addressPrefix": "string",
                  "hasBgpOverride": "bool",
                  "nextHopIpAddress": "string",
                  "nextHopType": "string"
                },
                "type": "string"
              }
            ]
          },
          "tags": {}
        },
        "serviceEndpointPolicies": [
          {
            "id": "string",
            "location": "string",
            "properties": {
              "contextualServiceEndpointPolicies": [ "string" ],
              "serviceAlias": "string",
              "serviceEndpointPolicyDefinitions": [
                {
                  "id": "string",
                  "name": "string",
                  "properties": {
                    "description": "string",
                    "service": "string",
                    "serviceResources": [ "string" ]
                  },
                  "type": "string"
                }
              ]
            },
            "tags": {}
          }
        ],
        "serviceEndpoints": [
          {
            "locations": [ "string" ],
            "service": "string"
          }
        ]
      },
      "type": "string"
    }
  }
}

Property values

privateEndpoints

Name Description Value
type The resource type 'Microsoft.Network/privateEndpoints'
apiVersion The resource api version '2022-07-01'
name The resource name string (required)

Character limit: 2-64

Valid characters:
Alphanumerics, underscores, periods, and hyphens.

Start with alphanumeric. End alphanumeric or underscore.
location Resource location. string
tags Resource tags. Dictionary of tag names and values. See Tags in templates
extendedLocation The extended location of the load balancer. ExtendedLocation
properties Properties of the private endpoint. PrivateEndpointProperties

ExtendedLocation

Name Description Value
name The name of the extended location. string
type The type of the extended location. 'EdgeZone'

PrivateEndpointProperties

Name Description Value
applicationSecurityGroups Application security groups in which the private endpoint IP configuration is included. ApplicationSecurityGroup[]
customDnsConfigs An array of custom dns configurations. CustomDnsConfigPropertiesFormat[]
customNetworkInterfaceName The custom name of the network interface attached to the private endpoint. string
ipConfigurations A list of IP configurations of the private endpoint. This will be used to map to the First Party Service's endpoints. PrivateEndpointIPConfiguration[]
manualPrivateLinkServiceConnections A grouping of information about the connection to the remote resource. Used when the network admin does not have access to approve connections to the remote resource. PrivateLinkServiceConnection[]
privateLinkServiceConnections A grouping of information about the connection to the remote resource. PrivateLinkServiceConnection[]
subnet The ID of the subnet from which the private IP will be allocated. Subnet

ApplicationSecurityGroup

Name Description Value
id Resource ID. string
location Resource location. string
properties Properties of the application security group. ApplicationSecurityGroupPropertiesFormat
tags Resource tags. object

ApplicationSecurityGroupPropertiesFormat

This object doesn't contain any properties to set during deployment. All properties are ReadOnly.

CustomDnsConfigPropertiesFormat

Name Description Value
fqdn Fqdn that resolves to private endpoint ip address. string
ipAddresses A list of private ip addresses of the private endpoint. string[]

PrivateEndpointIPConfiguration

Name Description Value
name The name of the resource that is unique within a resource group. string
properties Properties of private endpoint IP configurations. PrivateEndpointIPConfigurationProperties

PrivateEndpointIPConfigurationProperties

Name Description Value
groupId The ID of a group obtained from the remote resource that this private endpoint should connect to. string
memberName The member name of a group obtained from the remote resource that this private endpoint should connect to. string
privateIPAddress A private ip address obtained from the private endpoint's subnet. string

PrivateLinkServiceConnection

Name Description Value
id Resource ID. string
name The name of the resource that is unique within a resource group. This name can be used to access the resource. string
properties Properties of the private link service connection. PrivateLinkServiceConnectionProperties

PrivateLinkServiceConnectionProperties

Name Description Value
groupIds The ID(s) of the group(s) obtained from the remote resource that this private endpoint should connect to. string[]
privateLinkServiceConnectionState A collection of read-only information about the state of the connection to the remote resource. PrivateLinkServiceConnectionState
privateLinkServiceId The resource id of private link service. string
requestMessage A message passed to the owner of the remote resource with this connection request. Restricted to 140 chars. string

PrivateLinkServiceConnectionState

Name Description Value
actionsRequired A message indicating if changes on the service provider require any updates on the consumer. string
description The reason for approval/rejection of the connection. string
status Indicates whether the connection has been Approved/Rejected/Removed by the owner of the service. string

Subnet

Name Description Value
id Resource ID. string
name The name of the resource that is unique within a resource group. This name can be used to access the resource. string
properties Properties of the subnet. SubnetPropertiesFormat
type Resource type. string

SubnetPropertiesFormat

Name Description Value
addressPrefix The address prefix for the subnet. string
addressPrefixes List of address prefixes for the subnet. string[]
applicationGatewayIpConfigurations Application gateway IP configurations of virtual network resource. ApplicationGatewayIPConfiguration[]
delegations An array of references to the delegations on the subnet. Delegation[]
ipAllocations Array of IpAllocation which reference this subnet. SubResource[]
natGateway Nat gateway associated with this subnet. SubResource
networkSecurityGroup The reference to the NetworkSecurityGroup resource. NetworkSecurityGroup
privateEndpointNetworkPolicies Enable or Disable apply network policies on private end point in the subnet. 'Disabled'
'Enabled'
privateLinkServiceNetworkPolicies Enable or Disable apply network policies on private link service in the subnet. 'Disabled'
'Enabled'
routeTable The reference to the RouteTable resource. RouteTable
serviceEndpointPolicies An array of service endpoint policies. ServiceEndpointPolicy[]
serviceEndpoints An array of service endpoints. ServiceEndpointPropertiesFormat[]

ApplicationGatewayIPConfiguration

Name Description Value
id Resource ID. string
name Name of the IP configuration that is unique within an Application Gateway. string
properties Properties of the application gateway IP configuration. ApplicationGatewayIPConfigurationPropertiesFormat

ApplicationGatewayIPConfigurationPropertiesFormat

Name Description Value
subnet Reference to the subnet resource. A subnet from where application gateway gets its private address. SubResource

SubResource

Name Description Value
id Resource ID. string

Delegation

Name Description Value
id Resource ID. string
name The name of the resource that is unique within a subnet. This name can be used to access the resource. string
properties Properties of the subnet. ServiceDelegationPropertiesFormat
type Resource type. string

ServiceDelegationPropertiesFormat

Name Description Value
serviceName The name of the service to whom the subnet should be delegated (e.g. Microsoft.Sql/servers). string

NetworkSecurityGroup

Name Description Value
id Resource ID. string
location Resource location. string
properties Properties of the network security group. NetworkSecurityGroupPropertiesFormat
tags Resource tags. object

NetworkSecurityGroupPropertiesFormat

Name Description Value
flushConnection When enabled, flows created from Network Security Group connections will be re-evaluated when rules are updates. Initial enablement will trigger re-evaluation. bool
securityRules A collection of security rules of the network security group. SecurityRule[]

SecurityRule

Name Description Value
id Resource ID. string
name The name of the resource that is unique within a resource group. This name can be used to access the resource. string
properties Properties of the security rule. SecurityRulePropertiesFormat
type The type of the resource. string

SecurityRulePropertiesFormat

Name Description Value
access The network traffic is allowed or denied. 'Allow'
'Deny' (required)
description A description for this rule. Restricted to 140 chars. string
destinationAddressPrefix The destination address prefix. CIDR or destination IP range. Asterisk '*' can also be used to match all source IPs. Default tags such as 'VirtualNetwork', 'AzureLoadBalancer' and 'Internet' can also be used. string
destinationAddressPrefixes The destination address prefixes. CIDR or destination IP ranges. string[]
destinationApplicationSecurityGroups The application security group specified as destination. ApplicationSecurityGroup[]
destinationPortRange The destination port or range. Integer or range between 0 and 65535. Asterisk '*' can also be used to match all ports. string
destinationPortRanges The destination port ranges. string[]
direction The direction of the rule. The direction specifies if rule will be evaluated on incoming or outgoing traffic. 'Inbound'
'Outbound' (required)
priority The priority of the rule. The value can be between 100 and 4096. The priority number must be unique for each rule in the collection. The lower the priority number, the higher the priority of the rule. int
protocol Network protocol this rule applies to. '*'
'Ah'
'Esp'
'Icmp'
'Tcp'
'Udp' (required)
sourceAddressPrefix The CIDR or source IP range. Asterisk '*' can also be used to match all source IPs. Default tags such as 'VirtualNetwork', 'AzureLoadBalancer' and 'Internet' can also be used. If this is an ingress rule, specifies where network traffic originates from. string
sourceAddressPrefixes The CIDR or source IP ranges. string[]
sourceApplicationSecurityGroups The application security group specified as source. ApplicationSecurityGroup[]
sourcePortRange The source port or range. Integer or range between 0 and 65535. Asterisk '*' can also be used to match all ports. string
sourcePortRanges The source port ranges. string[]

RouteTable

Name Description Value
id Resource ID. string
location Resource location. string
properties Properties of the route table. RouteTablePropertiesFormat
tags Resource tags. object

RouteTablePropertiesFormat

Name Description Value
disableBgpRoutePropagation Whether to disable the routes learned by BGP on that route table. True means disable. bool
routes Collection of routes contained within a route table. Route[]

Route

Name Description Value
id Resource ID. string
name The name of the resource that is unique within a resource group. This name can be used to access the resource. string
properties Properties of the route. RoutePropertiesFormat
type The type of the resource. string

RoutePropertiesFormat

Name Description Value
addressPrefix The destination CIDR to which the route applies. string
hasBgpOverride A value indicating whether this route overrides overlapping BGP routes regardless of LPM. bool
nextHopIpAddress The IP address packets should be forwarded to. Next hop values are only allowed in routes where the next hop type is VirtualAppliance. string
nextHopType The type of Azure hop the packet should be sent to. 'Internet'
'None'
'VirtualAppliance'
'VirtualNetworkGateway'
'VnetLocal' (required)

ServiceEndpointPolicy

Name Description Value
id Resource ID. string
location Resource location. string
properties Properties of the service end point policy. ServiceEndpointPolicyPropertiesFormat
tags Resource tags. object

ServiceEndpointPolicyPropertiesFormat

Name Description Value
contextualServiceEndpointPolicies A collection of contextual service endpoint policy. string[]
serviceAlias The alias indicating if the policy belongs to a service string
serviceEndpointPolicyDefinitions A collection of service endpoint policy definitions of the service endpoint policy. ServiceEndpointPolicyDefinition[]

ServiceEndpointPolicyDefinition

Name Description Value
id Resource ID. string
name The name of the resource that is unique within a resource group. This name can be used to access the resource. string
properties Properties of the service endpoint policy definition. ServiceEndpointPolicyDefinitionPropertiesFormat
type The type of the resource. string

ServiceEndpointPolicyDefinitionPropertiesFormat

Name Description Value
description A description for this rule. Restricted to 140 chars. string
service Service endpoint name. string
serviceResources A list of service resources. string[]

ServiceEndpointPropertiesFormat

Name Description Value
locations A list of locations. string[]
service The type of the endpoint service. string

Quickstart templates

The following quickstart templates deploy this resource type.

Template Description
min.io Azure Gateway

Deploy to Azure		 Fully private min.io Azure Gateway deployment to provide an S3 compliant storage API backed by blob storage
AKS Cluster with a NAT Gateway and an Application Gateway

Deploy to Azure		 This sample shows how to a deploy an AKS cluster with NAT Gateway for outbound connections and an Application Gateway for inbound connections.
Azure Cloud Shell - VNet

Deploy to Azure		 This template deploys Azure Cloud Shell resources into an Azure virtual network.
Create a Private AKS Cluster

Deploy to Azure		 This sample shows how to create a private AKS cluster in a virtual network along with a jumpbox virtual machine.
Create a Private AKS Cluster with a Public DNS Zone

Deploy to Azure		 This sample shows how to a deploy a private AKS cluster with a Public DNS Zone.
WebApp consuming a Azure SQL Private Endpoint

Deploy to Azure		 This template shows how to create a Web app that consumes a private endpoint pointing to Azure SQL Server
Create an API Management service with a private endpoint

Deploy to Azure		 This template will create an API Management service, a virtual network and a private endpoint exposing the API Management service to the virtual network.
Azure Batch pool without public IP addresses

Deploy to Azure		 This template creates Azure Batch simplified node communication pool without public IP addresses.
Azure Databricks All-in-one Templat VNetInjection-Pvtendpt

Deploy to Azure		 This template allows you to create a network security group, a virtual network and an Azure Databricks workspace with the virtual network, and Private Endpoint.
Azure Digital Twins with Function and Private Link service

Deploy to Azure		 This template creates an Azure Digital Twins service configured with a Virtual Network connected Azure Function that can communicate through a Private Link Endpoint to Digital Twins. It also creates a Private DNS Zone to allow seamless hostname resolution of the Digital Twins Endpoint from the Virtual Network to the Private Endpoint internal subnet IP address. The hostname is stored as a setting to the Azure Function with name 'ADT_ENDPOINT'.
Create an Azure Cosmos DB Account with a private endpoint

Deploy to Azure		 This template will create a Cosmos account, a virtual network and a private endpoint exposing the Cosmos account to the virtual network.
Connect to a Event Hubs namespace via private endpoint

Deploy to Azure		 This sample shows how to use configure a virtual network and private DNS zone to access a Event Hubs namespace via a private endpoint.
Connect to a Key Vault via private endpoint

Deploy to Azure		 This sample shows how to use configure a virtual network and private DNS zone to access Key Vault via private endpoint.
Azure Machine Learning end-to-end secure setup

Deploy to Azure		 This set of Bicep templates demonstrates how to set up Azure Machine Learning end-to-end in a secure set up. This reference implementation includes the Workspace, a compute cluster, compute instance and attached private AKS cluster.
Azure Machine Learning end-to-end secure setup (legacy)

Deploy to Azure		 This set of Bicep templates demonstrates how to set up Azure Machine Learning end-to-end in a secure set up. This reference implementation includes the Workspace, a compute cluster, compute instance and attached private AKS cluster.
Create an Azure Machine Learning service workspace (vnet)

Deploy to Azure		 This deployment template specifies an Azure Machine Learning workspace, and its associated resources including Azure Key Vault, Azure Storage, Azure Application Insights and Azure Container Registry. This configuration describes the set of resources you require to get started with Azure Machine Learning in a network isolated set up.
Create an Azure Machine Learning service workspace (legacy)

Deploy to Azure		 This deployment template specifies an Azure Machine Learning workspace, and its associated resources including Azure Key Vault, Azure Storage, Azure Application Insights and Azure Container Registry. This configuration describes the set of resources you require to get started with Azure Machine Learning in a network isolated set up.
AKS cluster with the Application Gateway Ingress Controller

Deploy to Azure		 This sample shows how to deploy an AKS cluster with Application Gateway, Application Gateway Ingress Controller, Azure Container Registry, Log Analytics and Key Vault
Use Azure Firewall as a DNS Proxy in a Hub & Spoke topology

Deploy to Azure		 This sample show how to deploy a hub-spoke topology in Azure using the Azure Firewall. The hub virtual network acts as a central point of connectivity to many spoke virtual networks that are connected to hub virtual network via virtual network peering.
Private Link service example

Deploy to Azure		 This template shows how to create a private link service
Azure Cognitive Search service with private endpoint

Deploy to Azure		 This template creates an Azure Cognitive Search service with a private endpoint.
Connect to a Service Bus namespace via private endpoint

Deploy to Azure		 This sample shows how to use configure a virtual network and private DNS zone to access a Service Bus namespace via private endpoint.
Private Endpoint example

Deploy to Azure		 This template shows how to create a private endpoint pointing to Azure SQL Server
Connect to a storage account from a VM via private endpoint

Deploy to Azure		 This sample shows how to use connect a virtual network to access a blob storage account via private endpoint.
Connect to an Azure File Share via a Private Endpoint

Deploy to Azure		 This sample shows how to use configure a virtual network and private DNS zone to access an Azure File Share via a private endpoint.
App Service Environment with Azure SQL backend

Deploy to Azure		 This template creates an App Service Environment with an Azure SQL backend along with private endpoints along with associated resources typically used in an private/isolated environment.
Create Function App and private endpoint-secured Storage

Deploy to Azure		 This template allows you to deploy an Azure Function App that communicates with Azure Storage over private endpoints.
Function App secured by Azure Frontdoor

Deploy to Azure		 This template allows you to deploy an azure premium function protected and published by Azure Frontdoor premium. The conenction between Azure Frontdoor and Azure Functions is protected by Azure Private Link.
Web App with Private Endpoint

Deploy to Azure		 This template allows you to create a Web App and expose it through Private Endpoint
Application Gateway with internal API Management and Web App

Deploy to Azure		 Application Gateway routing Internet traffic to a virtual network (internal mode) API Management instance which services a web API hosted in an Azure Web App.
Web App with VNet Injection and Private Endpoint

Deploy to Azure		 This template allows you to create a secure end to end solution with two web apps, front end and back end, front end will consume securely the back through VNet injection and Private Endpoint

Terraform (AzAPI provider) resource definition

The privateEndpoints resource type can be deployed to:

  • Resource groups

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.Network/privateEndpoints resource, add the following Terraform to your template.

resource "azapi_resource" "symbolicname" {
  type = "Microsoft.Network/privateEndpoints@2022-07-01"
  name = "string"
  location = "string"
  parent_id = "string"
  tags = {
    tagName1 = "tagValue1"
    tagName2 = "tagValue2"
  }
  body = jsonencode({
    properties = {
      applicationSecurityGroups = [
        {
          id = "string"
          location = "string"
          properties = {}
          tags = {}
        }
      ]
      customDnsConfigs = [
        {
          fqdn = "string"
          ipAddresses = [
            "string"
          ]
        }
      ]
      customNetworkInterfaceName = "string"
      ipConfigurations = [
        {
          name = "string"
          properties = {
            groupId = "string"
            memberName = "string"
            privateIPAddress = "string"
          }
        }
      ]
      manualPrivateLinkServiceConnections = [
        {
          id = "string"
          name = "string"
          properties = {
            groupIds = [
              "string"
            ]
            privateLinkServiceConnectionState = {
              actionsRequired = "string"
              description = "string"
              status = "string"
            }
            privateLinkServiceId = "string"
            requestMessage = "string"
          }
        }
      ]
      privateLinkServiceConnections = [
        {
          id = "string"
          name = "string"
          properties = {
            groupIds = [
              "string"
            ]
            privateLinkServiceConnectionState = {
              actionsRequired = "string"
              description = "string"
              status = "string"
            }
            privateLinkServiceId = "string"
            requestMessage = "string"
          }
        }
      ]
      subnet = {
        id = "string"
        name = "string"
        properties = {
          addressPrefix = "string"
          addressPrefixes = [
            "string"
          ]
          applicationGatewayIpConfigurations = [
            {
              id = "string"
              name = "string"
              properties = {
                subnet = {
                  id = "string"
                }
              }
            }
          ]
          delegations = [
            {
              id = "string"
              name = "string"
              properties = {
                serviceName = "string"
              }
              type = "string"
            }
          ]
          ipAllocations = [
            {
              id = "string"
            }
          ]
          natGateway = {
            id = "string"
          }
          networkSecurityGroup = {
            id = "string"
            location = "string"
            properties = {
              flushConnection = bool
              securityRules = [
                {
                  id = "string"
                  name = "string"
                  properties = {
                    access = "string"
                    description = "string"
                    destinationAddressPrefix = "string"
                    destinationAddressPrefixes = [
                      "string"
                    ]
                    destinationApplicationSecurityGroups = [
                      {
                        id = "string"
                        location = "string"
                        properties = {}
                        tags = {}
                      }
                    ]
                    destinationPortRange = "string"
                    destinationPortRanges = [
                      "string"
                    ]
                    direction = "string"
                    priority = int
                    protocol = "string"
                    sourceAddressPrefix = "string"
                    sourceAddressPrefixes = [
                      "string"
                    ]
                    sourceApplicationSecurityGroups = [
                      {
                        id = "string"
                        location = "string"
                        properties = {}
                        tags = {}
                      }
                    ]
                    sourcePortRange = "string"
                    sourcePortRanges = [
                      "string"
                    ]
                  }
                  type = "string"
                }
              ]
            }
            tags = {}
          }
          privateEndpointNetworkPolicies = "string"
          privateLinkServiceNetworkPolicies = "string"
          routeTable = {
            id = "string"
            location = "string"
            properties = {
              disableBgpRoutePropagation = bool
              routes = [
                {
                  id = "string"
                  name = "string"
                  properties = {
                    addressPrefix = "string"
                    hasBgpOverride = bool
                    nextHopIpAddress = "string"
                    nextHopType = "string"
                  }
                  type = "string"
                }
              ]
            }
            tags = {}
          }
          serviceEndpointPolicies = [
            {
              id = "string"
              location = "string"
              properties = {
                contextualServiceEndpointPolicies = [
                  "string"
                ]
                serviceAlias = "string"
                serviceEndpointPolicyDefinitions = [
                  {
                    id = "string"
                    name = "string"
                    properties = {
                      description = "string"
                      service = "string"
                      serviceResources = [
                        "string"
                      ]
                    }
                    type = "string"
                  }
                ]
              }
              tags = {}
            }
          ]
          serviceEndpoints = [
            {
              locations = [
                "string"
              ]
              service = "string"
            }
          ]
        }
        type = "string"
      }
    }
    extendedLocation = {
      name = "string"
      type = "EdgeZone"
    }
  })
}

Property values

privateEndpoints

Name Description Value
type The resource type "Microsoft.Network/privateEndpoints@2022-07-01"
name The resource name string (required)

Character limit: 2-64

Valid characters:
Alphanumerics, underscores, periods, and hyphens.

Start with alphanumeric. End alphanumeric or underscore.
location Resource location. string
parent_id To deploy to a resource group, use the ID of that resource group. string (required)
tags Resource tags. Dictionary of tag names and values.
extendedLocation The extended location of the load balancer. ExtendedLocation
properties Properties of the private endpoint. PrivateEndpointProperties

ExtendedLocation

Name Description Value
name The name of the extended location. string
type The type of the extended location. "EdgeZone"

PrivateEndpointProperties

Name Description Value
applicationSecurityGroups Application security groups in which the private endpoint IP configuration is included. ApplicationSecurityGroup[]
customDnsConfigs An array of custom dns configurations. CustomDnsConfigPropertiesFormat[]
customNetworkInterfaceName The custom name of the network interface attached to the private endpoint. string
ipConfigurations A list of IP configurations of the private endpoint. This will be used to map to the First Party Service's endpoints. PrivateEndpointIPConfiguration[]
manualPrivateLinkServiceConnections A grouping of information about the connection to the remote resource. Used when the network admin does not have access to approve connections to the remote resource. PrivateLinkServiceConnection[]
privateLinkServiceConnections A grouping of information about the connection to the remote resource. PrivateLinkServiceConnection[]
subnet The ID of the subnet from which the private IP will be allocated. Subnet

ApplicationSecurityGroup

Name Description Value
id Resource ID. string
location Resource location. string
properties Properties of the application security group. ApplicationSecurityGroupPropertiesFormat
tags Resource tags. object

ApplicationSecurityGroupPropertiesFormat

This object doesn't contain any properties to set during deployment. All properties are ReadOnly.

CustomDnsConfigPropertiesFormat

Name Description Value
fqdn Fqdn that resolves to private endpoint ip address. string
ipAddresses A list of private ip addresses of the private endpoint. string[]

PrivateEndpointIPConfiguration

Name Description Value
name The name of the resource that is unique within a resource group. string
properties Properties of private endpoint IP configurations. PrivateEndpointIPConfigurationProperties

PrivateEndpointIPConfigurationProperties

Name Description Value
groupId The ID of a group obtained from the remote resource that this private endpoint should connect to. string
memberName The member name of a group obtained from the remote resource that this private endpoint should connect to. string
privateIPAddress A private ip address obtained from the private endpoint's subnet. string

PrivateLinkServiceConnection

Name Description Value
id Resource ID. string
name The name of the resource that is unique within a resource group. This name can be used to access the resource. string
properties Properties of the private link service connection. PrivateLinkServiceConnectionProperties

PrivateLinkServiceConnectionProperties

Name Description Value
groupIds The ID(s) of the group(s) obtained from the remote resource that this private endpoint should connect to. string[]
privateLinkServiceConnectionState A collection of read-only information about the state of the connection to the remote resource. PrivateLinkServiceConnectionState
privateLinkServiceId The resource id of private link service. string
requestMessage A message passed to the owner of the remote resource with this connection request. Restricted to 140 chars. string

PrivateLinkServiceConnectionState

Name Description Value
actionsRequired A message indicating if changes on the service provider require any updates on the consumer. string
description The reason for approval/rejection of the connection. string
status Indicates whether the connection has been Approved/Rejected/Removed by the owner of the service. string

Subnet

Name Description Value
id Resource ID. string
name The name of the resource that is unique within a resource group. This name can be used to access the resource. string
properties Properties of the subnet. SubnetPropertiesFormat
type Resource type. string

SubnetPropertiesFormat

Name Description Value
addressPrefix The address prefix for the subnet. string
addressPrefixes List of address prefixes for the subnet. string[]
applicationGatewayIpConfigurations Application gateway IP configurations of virtual network resource. ApplicationGatewayIPConfiguration[]
delegations An array of references to the delegations on the subnet. Delegation[]
ipAllocations Array of IpAllocation which reference this subnet. SubResource[]
natGateway Nat gateway associated with this subnet. SubResource
networkSecurityGroup The reference to the NetworkSecurityGroup resource. NetworkSecurityGroup
privateEndpointNetworkPolicies Enable or Disable apply network policies on private end point in the subnet. "Disabled"
"Enabled"
privateLinkServiceNetworkPolicies Enable or Disable apply network policies on private link service in the subnet. "Disabled"
"Enabled"
routeTable The reference to the RouteTable resource. RouteTable
serviceEndpointPolicies An array of service endpoint policies. ServiceEndpointPolicy[]
serviceEndpoints An array of service endpoints. ServiceEndpointPropertiesFormat[]

ApplicationGatewayIPConfiguration

Name Description Value
id Resource ID. string
name Name of the IP configuration that is unique within an Application Gateway. string
properties Properties of the application gateway IP configuration. ApplicationGatewayIPConfigurationPropertiesFormat

ApplicationGatewayIPConfigurationPropertiesFormat

Name Description Value
subnet Reference to the subnet resource. A subnet from where application gateway gets its private address. SubResource

SubResource

Name Description Value
id Resource ID. string

Delegation

Name Description Value
id Resource ID. string
name The name of the resource that is unique within a subnet. This name can be used to access the resource. string
properties Properties of the subnet. ServiceDelegationPropertiesFormat
type Resource type. string

ServiceDelegationPropertiesFormat

Name Description Value
serviceName The name of the service to whom the subnet should be delegated (e.g. Microsoft.Sql/servers). string

NetworkSecurityGroup

Name Description Value
id Resource ID. string
location Resource location. string
properties Properties of the network security group. NetworkSecurityGroupPropertiesFormat
tags Resource tags. object

NetworkSecurityGroupPropertiesFormat

Name Description Value
flushConnection When enabled, flows created from Network Security Group connections will be re-evaluated when rules are updates. Initial enablement will trigger re-evaluation. bool
securityRules A collection of security rules of the network security group. SecurityRule[]

SecurityRule

Name Description Value
id Resource ID. string
name The name of the resource that is unique within a resource group. This name can be used to access the resource. string
properties Properties of the security rule. SecurityRulePropertiesFormat
type The type of the resource. string

SecurityRulePropertiesFormat

Name Description Value
access The network traffic is allowed or denied. "Allow"
"Deny" (required)
description A description for this rule. Restricted to 140 chars. string
destinationAddressPrefix The destination address prefix. CIDR or destination IP range. Asterisk '*' can also be used to match all source IPs. Default tags such as 'VirtualNetwork', 'AzureLoadBalancer' and 'Internet' can also be used. string
destinationAddressPrefixes The destination address prefixes. CIDR or destination IP ranges. string[]
destinationApplicationSecurityGroups The application security group specified as destination. ApplicationSecurityGroup[]
destinationPortRange The destination port or range. Integer or range between 0 and 65535. Asterisk '*' can also be used to match all ports. string
destinationPortRanges The destination port ranges. string[]
direction The direction of the rule. The direction specifies if rule will be evaluated on incoming or outgoing traffic. "Inbound"
"Outbound" (required)
priority The priority of the rule. The value can be between 100 and 4096. The priority number must be unique for each rule in the collection. The lower the priority number, the higher the priority of the rule. int
protocol Network protocol this rule applies to. "*"
"Ah"
"Esp"
"Icmp"
"Tcp"
"Udp" (required)
sourceAddressPrefix The CIDR or source IP range. Asterisk '*' can also be used to match all source IPs. Default tags such as 'VirtualNetwork', 'AzureLoadBalancer' and 'Internet' can also be used. If this is an ingress rule, specifies where network traffic originates from. string
sourceAddressPrefixes The CIDR or source IP ranges. string[]
sourceApplicationSecurityGroups The application security group specified as source. ApplicationSecurityGroup[]
sourcePortRange The source port or range. Integer or range between 0 and 65535. Asterisk '*' can also be used to match all ports. string
sourcePortRanges The source port ranges. string[]

RouteTable

Name Description Value
id Resource ID. string
location Resource location. string
properties Properties of the route table. RouteTablePropertiesFormat
tags Resource tags. object

RouteTablePropertiesFormat

Name Description Value
disableBgpRoutePropagation Whether to disable the routes learned by BGP on that route table. True means disable. bool
routes Collection of routes contained within a route table. Route[]

Route

Name Description Value
id Resource ID. string
name The name of the resource that is unique within a resource group. This name can be used to access the resource. string
properties Properties of the route. RoutePropertiesFormat
type The type of the resource. string

RoutePropertiesFormat

Name Description Value
addressPrefix The destination CIDR to which the route applies. string
hasBgpOverride A value indicating whether this route overrides overlapping BGP routes regardless of LPM. bool
nextHopIpAddress The IP address packets should be forwarded to. Next hop values are only allowed in routes where the next hop type is VirtualAppliance. string
nextHopType The type of Azure hop the packet should be sent to. "Internet"
"None"
"VirtualAppliance"
"VirtualNetworkGateway"
"VnetLocal" (required)

ServiceEndpointPolicy

Name Description Value
id Resource ID. string
location Resource location. string
properties Properties of the service end point policy. ServiceEndpointPolicyPropertiesFormat
tags Resource tags. object

ServiceEndpointPolicyPropertiesFormat

Name Description Value
contextualServiceEndpointPolicies A collection of contextual service endpoint policy. string[]
serviceAlias The alias indicating if the policy belongs to a service string
serviceEndpointPolicyDefinitions A collection of service endpoint policy definitions of the service endpoint policy. ServiceEndpointPolicyDefinition[]

ServiceEndpointPolicyDefinition

Name Description Value
id Resource ID. string
name The name of the resource that is unique within a resource group. This name can be used to access the resource. string
properties Properties of the service endpoint policy definition. ServiceEndpointPolicyDefinitionPropertiesFormat
type The type of the resource. string

ServiceEndpointPolicyDefinitionPropertiesFormat

Name Description Value
description A description for this rule. Restricted to 140 chars. string
service Service endpoint name. string
serviceResources A list of service resources. string[]

ServiceEndpointPropertiesFormat

Name Description Value
locations A list of locations. string[]
service The type of the endpoint service. string