azurermPrivateEndpoint

Manages a Private Endpoint.

Azure Private Endpoint is a network interface that connects you privately and securely to a service powered by Azure Private Link. Private Endpoint uses a private IP address from your VNet, effectively bringing the service into your VNet. The service could be an Azure service such as Azure Storage, SQL, etc. or your own Private Link Service.

Example Usage

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as azurerm from "./.gen/providers/azurerm";
/*The generated bindings expose HCL attributes as camelCase properties, and blocks limited to a single item
(such as private_service_connection) as one object rather than an array.*/
const azurermResourceGroupExample = new azurerm.resourceGroup.ResourceGroup(
  this,
  "example",
  {
    location: "West Europe",
    name: "example-resources",
  }
);
const azurermVirtualNetworkExample = new azurerm.virtualNetwork.VirtualNetwork(
  this,
  "example_1",
  {
    addressSpace: ["10.0.0.0/16"],
    location: azurermResourceGroupExample.location,
    name: "example-network",
    resourceGroupName: azurermResourceGroupExample.name,
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermVirtualNetworkExample.overrideLogicalId("example");
const azurermPublicIpExample = new azurerm.publicIp.PublicIp(
  this,
  "example_2",
  {
    allocationMethod: "Static",
    location: azurermResourceGroupExample.location,
    name: "example-pip",
    resourceGroupName: azurermResourceGroupExample.name,
    sku: "Standard",
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermPublicIpExample.overrideLogicalId("example");
/*Subnet the Private Endpoint NIC is placed in. The attribute name is historical: true means network
policies (NSG/UDR) are disabled on this subnet, which a Private Endpoint requires.*/
const azurermSubnetEndpoint = new azurerm.subnet.Subnet(this, "endpoint", {
  addressPrefixes: ["10.0.2.0/24"],
  enforcePrivateLinkEndpointNetworkPolicies: true,
  name: "endpoint",
  resourceGroupName: azurermResourceGroupExample.name,
  virtualNetworkName: azurermVirtualNetworkExample.name,
});
/*Subnet for the Private Link Service NAT addresses; the same "true means disabled" convention applies.*/
const azurermSubnetService = new azurerm.subnet.Subnet(this, "service", {
  addressPrefixes: ["10.0.1.0/24"],
  enforcePrivateLinkServiceNetworkPolicies: true,
  name: "service",
  resourceGroupName: azurermResourceGroupExample.name,
  virtualNetworkName: azurermVirtualNetworkExample.name,
});
const azurermLbExample = new azurerm.lb.Lb(this, "example_5", {
  frontendIpConfiguration: [
    {
      name: azurermPublicIpExample.name,
      publicIpAddressId: azurermPublicIpExample.id,
    },
  ],
  location: azurermResourceGroupExample.location,
  name: "example-lb",
  resourceGroupName: azurermResourceGroupExample.name,
  sku: "Standard",
});
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermLbExample.overrideLogicalId("example");
const azurermPrivateLinkServiceExample =
  new azurerm.privateLinkService.PrivateLinkService(this, "example_6", {
    /*Nested block lists are accessed with .get(index) in the generated bindings.*/
    loadBalancerFrontendIpConfigurationIds: [
      azurermLbExample.frontendIpConfiguration.get(0).id,
    ],
    location: azurermResourceGroupExample.location,
    name: "example-privatelink",
    natIpConfiguration: [
      {
        name: azurermPublicIpExample.name,
        primary: true,
        subnetId: azurermSubnetService.id,
      },
    ],
    resourceGroupName: azurermResourceGroupExample.name,
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermPrivateLinkServiceExample.overrideLogicalId("example");
const azurermPrivateEndpointExample =
  new azurerm.privateEndpoint.PrivateEndpoint(this, "example_7", {
    location: azurermResourceGroupExample.location,
    name: "example-endpoint",
    privateServiceConnection: {
      /*Automatic approval works here because the same principal owns the Private Link Service.*/
      isManualConnection: false,
      name: "example-privateserviceconnection",
      privateConnectionResourceId: azurermPrivateLinkServiceExample.id,
    },
    resourceGroupName: azurermResourceGroupExample.name,
    subnetId: azurermSubnetEndpoint.id,
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermPrivateEndpointExample.overrideLogicalId("example");

Using a Private Link Service Alias with existing resources:

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as azurerm from "./.gen/providers/azurerm";
/*Existing network resources are read through data sources; only the Private Endpoint is created.*/
const dataAzurermResourceGroupExample =
  new azurerm.dataAzurermResourceGroup.DataAzurermResourceGroup(
    this,
    "example",
    {
      name: "example-resources",
    }
  );
const dataAzurermVirtualNetworkVnet =
  new azurerm.dataAzurermVirtualNetwork.DataAzurermVirtualNetwork(
    this,
    "vnet",
    {
      name: "example-network",
      resourceGroupName: dataAzurermResourceGroupExample.name,
    }
  );
const dataAzurermSubnetSubnet = new azurerm.dataAzurermSubnet.DataAzurermSubnet(
  this,
  "subnet",
  {
    name: "default",
    resourceGroupName: dataAzurermResourceGroupExample.name,
    virtualNetworkName: dataAzurermVirtualNetworkVnet.name,
  }
);
const azurermPrivateEndpointExample =
  new azurerm.privateEndpoint.PrivateEndpoint(this, "example_3", {
    location: dataAzurermResourceGroupExample.location,
    name: "example-endpoint",
    privateServiceConnection: {
      /*Connecting by alias to a service you do not have RBAC on: the connection stays
      pending until the service owner approves it, and requestMessage is shown to them.*/
      isManualConnection: true,
      name: "example-privateserviceconnection",
      privateConnectionResourceAlias:
        "example-privatelinkservice.d20286c8-4ea5-11eb-9584-8f53157226c6.centralus.azure.privatelinkservice",
      requestMessage: "PL",
    },
    resourceGroupName: dataAzurermResourceGroupExample.name,
    subnetId: dataAzurermSubnetSubnet.id,
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermPrivateEndpointExample.overrideLogicalId("example");

Argument Reference

The following arguments are supported:

  • name - (Required) Specifies the Name of the Private Endpoint. Changing this forces a new resource to be created.

  • resourceGroupName - (Required) Specifies the Name of the Resource Group within which the Private Endpoint should exist. Changing this forces a new resource to be created.

  • location - (Required) The supported Azure location where the resource exists. Changing this forces a new resource to be created.

  • subnetId - (Required) The ID of the Subnet from which Private IP Addresses will be allocated for this Private Endpoint. Changing this forces a new resource to be created.

  • customNetworkInterfaceName - (Optional) The custom name of the network interface attached to the private endpoint. Changing this forces a new resource to be created.

  • privateDnsZoneGroup - (Optional) A privateDnsZoneGroup block as defined below.

  • privateServiceConnection - (Required) A privateServiceConnection block as defined below.

  • ipConfiguration - (Optional) One or more ipConfiguration blocks as defined below. This allows a static IP address to be set for this Private Endpoint, otherwise an address is dynamically allocated from the Subnet.

  • tags - (Optional) A mapping of tags to assign to the resource.


A privateDnsZoneGroup block supports the following:

  • name - (Required) Specifies the Name of the Private DNS Zone Group.

  • privateDnsZoneIds - (Required) Specifies the list of Private DNS Zones to include within the privateDnsZoneGroup.


A privateServiceConnection block supports the following:

  • name - (Required) Specifies the Name of the Private Service Connection. Changing this forces a new resource to be created.

  • isManualConnection - (Required) Does the Private Endpoint require Manual Approval from the remote resource owner? Changing this forces a new resource to be created.

-> NOTE: Automatic approval (false) only succeeds when the identity running Terraform holds the required RBAC permissions on the remote resource. If you are connecting to a resource you do not have those permissions on (typically one owned by another team or tenant), set this value to true; the connection then stays pending until the remote owner approves it. A private IP address is allocated to the endpoint either way, even if the request is later rejected.

  • privateConnectionResourceId - (Optional) The ID of the Private Link Enabled Remote Resource which this Private Endpoint should be connected to. One of privateConnectionResourceId or privateConnectionResourceAlias must be specified. Changing this forces a new resource to be created. For a web app or function app slot, the parent web app should be used in this field instead of a reference to the slot itself.

  • privateConnectionResourceAlias - (Optional) The Service Alias of the Private Link Enabled Remote Resource which this Private Endpoint should be connected to. One of privateConnectionResourceId or privateConnectionResourceAlias must be specified. Changing this forces a new resource to be created.

  • subresourceNames - (Optional) A list of subresource names which the Private Endpoint is able to connect to. subresourceNames corresponds to groupId. Possible values are detailed in the product documentation in the subresources column. Changing this forces a new resource to be created.

-> NOTE: Some resource types (such as Storage Account) only support 1 subresource per private endpoint.

  • requestMessage - (Optional) A message passed to the owner of the remote resource when the private endpoint attempts to establish the connection to the remote resource. The request message can be a maximum of 140 characters in length. Only valid if isManualConnection is set to true.
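
A complete Private Endpoint for a Storage Account's blob service with DNS integration, as an added example written in HCL, the provider's native syntax, rather than the converted cdktf TypeScript used above (HCL uses the snake_case originals of the camelCase names listed in this reference). It is not code from the page or from the provider's own documentation; the example-* names, the address ranges and the storage account name are placeholders. It demonstrates the two points above: Storage accepts a single entry in subresource_names, so file, queue or table access would each need their own endpoint, and a private_dns_zone_group only does its job when the privatelink.blob.core.windows.net zone is linked to the VNet. Without that link clients inside the VNet keep resolving the account's public IP and bypass the endpoint, which is why public_network_access_enabled is also turned off on the account.

```hcl
resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "West Europe"
}

resource "azurerm_virtual_network" "example" {
  name                = "example-network"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  address_space       = ["10.0.0.0/16"]
}

resource "azurerm_subnet" "endpoint" {
  name                 = "endpoint"
  resource_group_name  = azurerm_resource_group.example.name
  virtual_network_name = azurerm_virtual_network.example.name
  address_prefixes     = ["10.0.2.0/24"]

  # Historical name: true means network policies are DISABLED on this subnet,
  # which a Private Endpoint NIC requires.
  enforce_private_link_endpoint_network_policies = true
}

resource "azurerm_storage_account" "example" {
  name                     = "examplestorageacct01" # placeholder, must be globally unique
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "LRS"

  # The private endpoint adds a private path; this removes the public one.
  public_network_access_enabled = false
}

# Private zone that shadows the public blob endpoint name inside the VNet.
resource "azurerm_private_dns_zone" "blob" {
  name                = "privatelink.blob.core.windows.net"
  resource_group_name = azurerm_resource_group.example.name
}

# The zone only answers queries from VNets linked to it.
resource "azurerm_private_dns_zone_virtual_network_link" "blob" {
  name                  = "example-blob-link"
  resource_group_name   = azurerm_resource_group.example.name
  private_dns_zone_name = azurerm_private_dns_zone.blob.name
  virtual_network_id    = azurerm_virtual_network.example.id
}

resource "azurerm_private_endpoint" "blob" {
  name                = "example-blob-endpoint"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  subnet_id           = azurerm_subnet.endpoint.id

  private_service_connection {
    name                           = "example-blob-connection"
    private_connection_resource_id = azurerm_storage_account.example.id
    # Same principal owns both sides, so automatic approval succeeds.
    is_manual_connection = false
    # Storage allows exactly one subresource per endpoint; "file", "queue",
    # "table" or "dfs" each need a separate endpoint and matching DNS zone.
    subresource_names = ["blob"]
  }

  # Publishes and maintains the endpoint's A record
  # (<account>.privatelink.blob.core.windows.net) in the zone above.
  private_dns_zone_group {
    name                 = "example-blob-dns"
    private_dns_zone_ids = [azurerm_private_dns_zone.blob.id]
  }
}
```

If the storage account lived in another subscription or tenant where the Terraform identity has no RBAC, is_manual_connection would have to be true and the account owner would approve the pending connection on their side; the rest of the configuration is unchanged.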

An ipConfiguration block supports the following:

  • name - (Required) Specifies the Name of the IP Configuration. Changing this forces a new resource to be created.

  • privateIpAddress - (Required) Specifies the static IP address within the private endpoint's subnet to be used. Changing this forces a new resource to be created.

  • subresourceName - (Optional) Specifies the subresource this IP address applies to. subresourceName corresponds to groupId. Changing this forces a new resource to be created.

  • memberName - (Optional) Specifies the member name this IP address applies to. If it is not specified, it will use the value of subresourceName. Changing this forces a new resource to be created.

-> NOTE: memberName will be required and will not take the value of subresourceName in the next major version.
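
A Private Endpoint with a static address and a fixed NIC name, as an added HCL example (not from the page or the provider's documentation). It assumes azurerm_resource_group.example, azurerm_subnet.endpoint (10.0.2.0/24) and azurerm_storage_account.example are declared elsewhere under those placeholder names. member_name is set explicitly rather than left to default from subresource_name, since the note above says that fallback goes away in the next major version.

```hcl
resource "azurerm_private_endpoint" "blob_static" {
  name                = "example-blob-endpoint"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  subnet_id           = azurerm_subnet.endpoint.id

  # A predictable NIC name makes NSG flow logs and diagnostics easier to correlate.
  custom_network_interface_name = "example-blob-endpoint-nic"

  private_service_connection {
    name                           = "example-blob-connection"
    private_connection_resource_id = azurerm_storage_account.example.id
    is_manual_connection           = false
    subresource_names              = ["blob"]
  }

  ip_configuration {
    name = "blob-ip"
    # Must be a free address inside the endpoint subnet (10.0.2.0/24 here).
    private_ip_address = "10.0.2.10"
    # subresource_name is the groupId; member_name is the member within that
    # group (for Storage blob both are "blob").
    subresource_name = "blob"
    member_name      = "blob"
  }
}
```

The member names a given resource type expects can be listed beforehand with az network private-link-resource list --id <resource id>, which reports each groupId together with its requiredMembers.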

Attributes Reference

The following attributes are exported:

  • id - The ID of the Private Endpoint.

  • networkInterface - A networkInterface block as defined below.

  • customDnsConfigs - A customDnsConfigs block as defined below.

  • privateDnsZoneConfigs - A privateDnsZoneConfigs block as defined below.

  • privateServiceConnection - A privateServiceConnection block as defined below.

  • ipConfiguration - An ipConfiguration block as defined below.


A networkInterface block exports:

  • id - The ID of the network interface associated with the privateEndpoint.

  • name - The name of the network interface associated with the privateEndpoint.


A privateDnsZoneGroup block exports:

  • id - The ID of the Private DNS Zone Group.

A customDnsConfigs block exports:

  • fqdn - The fully qualified domain name to the privateEndpoint.

  • ipAddresses - A list of all IP Addresses that map to the privateEndpoint fqdn.

-> NOTE: If a Private DNS Zone Group has been defined and is currently connected correctly this block will be empty.


A privateDnsZoneConfigs block exports:

  • name - The name of the Private DNS Zone that the config belongs to.

  • id - The ID of the Private DNS Zone Config.

  • privateDnsZoneId - The ID of the Private DNS Zone that the config belongs to.

  • recordSets - A recordSets block as defined below.


A privateServiceConnection block exports:

  • privateIpAddress - (Computed) The private IP address associated with the private endpoint, note that you will have a private IP address assigned to the private endpoint even if the connection request was rejected.

An ipConfiguration block exports:

  • name - The Name of the IP Configuration.

  • privateIpAddress - The static IP address set by this configuration. It is recommended to use the private IP address exported in the privateServiceConnection block to obtain the address associated with the private endpoint.

  • subresourceName - The subresource this IP address applies to, which corresponds to the groupId.

A recordSets block exports:

  • name - The name of the DNS record set.

  • type - The type of DNS record (A for a Private Endpoint).

  • fqdn - The fully qualified domain name the record set resolves within the privateDnsZone.

  • ttl - The time to live (TTL), in seconds, of the records in the set.

  • ipAddresses - A list of all IP Addresses that map to the privateDnsZone fqdn.

-> NOTE: If a Private DNS Zone Group has not been configured correctly the recordSets attributes will be empty.
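
Outputs and a check that surface the DNS attributes described above, as an added HCL example (not from the page); it assumes a resource azurerm_private_endpoint.example declared elsewhere with a private_dns_zone_group. HCL attribute names are the snake_case forms of the camelCase names in this reference. The failure mode it guards against is the one the two notes describe: when record_sets is empty the zone group is not wired to the VNet, and clients resolve the service's public address instead of the endpoint.

```hcl
output "private_ip_address" {
  value = azurerm_private_endpoint.example.private_service_connection[0].private_ip_address
}

# FQDN -> addresses that Azure published into the linked private zones.
# Empty when the zone group is missing or the zone is not linked to the VNet.
output "private_dns_records" {
  value = {
    for rs in flatten(azurerm_private_endpoint.example.private_dns_zone_configs[*].record_sets) :
    rs.fqdn => rs.ip_addresses
  }
}

# Records you would have to create by hand if there were no zone group.
# Should be empty once the zone group is connected correctly.
output "custom_dns_configs" {
  value = azurerm_private_endpoint.example.custom_dns_configs
}

check "private_dns_integration" {
  assert {
    condition     = length(flatten(azurerm_private_endpoint.example.private_dns_zone_configs[*].record_sets)) > 0
    error_message = "Private endpoint has no records in its private DNS zone group; clients will resolve the public endpoint."
  }
}
```

A check block reports a warning after plan or apply rather than failing the run; if DNS integration must be enforced, move the same condition into a lifecycle postcondition on the azurerm_private_endpoint resource itself.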


Timeouts

The timeouts block allows you to specify timeouts for certain actions:

  • create - (Defaults to 60 minutes) Used when creating the Private Endpoint.
  • update - (Defaults to 60 minutes) Used when updating the Private Endpoint.
  • read - (Defaults to 5 minutes) Used when retrieving the Private Endpoint.
  • delete - (Defaults to 60 minutes) Used when deleting the Private Endpoint.

Import

Private Endpoints can be imported using the resourceId, e.g.

terraform import azurerm_private_endpoint.example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/group1/providers/Microsoft.Network/privateEndpoints/endpoint1