
I'm trying to simply deploy an Azure Storage account with a Private Endpoint using an ARM Template using Complete Deployment.

Template is below:

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "location": {
      "type": "string"
    },
    "storageAccountName": {
      "type": "string"
    },
    "accountType": {
      "type": "string"
    },
    "kind": {
      "type": "string"
    },
    "accessTier": {
      "type": "string"
    },
    "minimumTlsVersion": {
      "type": "string"
    },
    "supportsHttpsTrafficOnly": {
      "type": "bool"
    },
    "allowBlobPublicAccess": {
      "type": "bool"
    },
    "allowSharedKeyAccess": {
      "type": "bool"
    },
    "allowCrossTenantReplication": {
      "type": "bool"
    },
    "defaultOAuth": {
      "type": "bool"
    },
    "networkAclsBypass": {
      "type": "string"
    },
    "networkAclsDefaultAction": {
      "type": "string"
    },
    "keySource": {
      "type": "string"
    },
    "encryptionEnabled": {
      "type": "bool"
    },
    "keyTypeForTableAndQueueEncryption": {
      "type": "string"
    },
    "infrastructureEncryptionEnabled": {
      "type": "bool"
    },
    "isContainerRestoreEnabled": {
      "type": "bool"
    },
    "isBlobSoftDeleteEnabled": {
      "type": "bool"
    },
    "blobSoftDeleteRetentionDays": {
      "type": "int"
    },
    "isContainerSoftDeleteEnabled": {
      "type": "bool"
    },
    "containerSoftDeleteRetentionDays": {
      "type": "int"
    },
    "changeFeed": {
      "type": "bool"
    },
    "isVersioningEnabled": {
      "type": "bool"
    },
    "isShareSoftDeleteEnabled": {
      "type": "bool"
    },
    "shareSoftDeleteRetentionDays": {
      "type": "int"
    },
    "privateEndpointName": {
      "type": "string"
    },
    "privateEndpointConnectionName": {
      "type": "string"
    }
  },
  "functions": [],
  "variables": {},
  "resources": [
    {
      "name": "[parameters('storageAccountName')]",
      "type": "Microsoft.Storage/storageAccounts",
      "apiVersion": "2021-08-01",
      "location": "[parameters('location')]",
      "properties": {
        "accessTier": "[parameters('accessTier')]",
        "minimumTlsVersion": "[parameters('minimumTlsVersion')]",
        "supportsHttpsTrafficOnly": "[parameters('supportsHttpsTrafficOnly')]",
        "allowBlobPublicAccess": "[parameters('allowBlobPublicAccess')]",
        "allowSharedKeyAccess": "[parameters('allowSharedKeyAccess')]",
        "allowCrossTenantReplication": "[parameters('allowCrossTenantReplication')]",
        "defaultToOAuthAuthentication": "[parameters('defaultOAuth')]",
        "networkAcls": {
          "bypass": "[parameters('networkAclsBypass')]",
          "defaultAction": "[parameters('networkAclsDefaultAction')]",
          "ipRules": []
        },
        "encryption": {
          "keySource": "[parameters('keySource')]",
          "services": {
            "blob": {
              "enabled": "[parameters('encryptionEnabled')]"
            },
            "file": {
              "enabled": "[parameters('encryptionEnabled')]"
            },
            "table": {
              "enabled": "[parameters('encryptionEnabled')]"
            },
            "queue": {
              "enabled": "[parameters('encryptionEnabled')]"
            }
          },
          "requireInfrastructureEncryption": "[parameters('infrastructureEncryptionEnabled')]"
        }
      },
      "dependsOn": [],
      "sku": {
        "name": "[parameters('accountType')]"
      },
      "kind": "[parameters('kind')]",
      "tags": {}
    },
    {
      "apiVersion": "2021-05-01",
      "name": "[parameters('privateEndpointName')]",
      "type": "Microsoft.Network/privateEndpoints",
      "location": "[parameters('location')]",
      "dependsOn": [
        "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]"
      ],
      "properties": {
        "privateLinkServiceConnections": [
          {
            "id": "[concat(resourceGroup().id, '/providers/Microsoft.Network/privateEndpoints/privateLinkServiceConnections/', parameters('privateEndpointConnectionName'))]",
            "name": "[parameters('privateEndpointConnectionName')]",
            "properties": {
              "privateLinkServiceId": "/subscriptions/<subID>/resourcegroups/test-aue-storg-dev/providers/Microsoft.Storage/storageAccounts/testauesto01dev",
              "groupIds": ["blob"]
            }
          }
        ],
        "manualPrivateLinkServiceConnections": [],
        "subnet": {
          "id": "/subscriptions/<subID>/resourceGroups/vnet-aue-rg/providers/Microsoft.Network/virtualNetworks/test-vnet-dev/subnets/test-subnet"
        }
      }
    }
  ],
  "outputs": {}
}

The issue I am having is that the creation of a Private Endpoint automatically creates a NIC. Because this isn't specified in the original ARM template, with 'Complete' deployment, the deployment tries to delete this NIC after it is created. Does anyone know a way around this?

Thanks in advance,

adan11
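A pre-deployment check for the situation described in the question, added here as an example and not part of the original post: it parses the JSON that a complete-mode what-if run prints and refuses the deployment if anything outside an explicit allow-list (such as the NIC a private endpoint creates on its own) would be deleted. The what-if JSON shape (a top-level "changes" list with "changeType" and "resourceId") is an assumption about the CLI output, and the sample resource IDs are constructed.

```python
"""Gate for complete-mode ARM deployments (added example, not from the page).

Feed it the output of `az deployment group what-if --mode Complete
--no-pretty-print` and it reports every planned deletion that is not
explicitly allowed, so an implicitly created NIC is never removed by surprise.
"""
import json
import re
from typing import Iterable, List

# Constructed sample of what-if output (not captured from a real run): the
# storage account and private endpoint survive, but complete mode would
# delete the NIC that the private endpoint created implicitly.
SUB = ("/subscriptions/00000000-0000-0000-0000-000000000000"
       "/resourceGroups/test-aue-storg-dev/providers")
SAMPLE_WHATIF = json.dumps({
    "changes": [
        {"changeType": "NoChange",
         "resourceId": SUB + "/Microsoft.Storage/storageAccounts/testauesto01dev"},
        {"changeType": "Modify",
         "resourceId": SUB + "/Microsoft.Network/privateEndpoints/testauesto01dev-pe"},
        {"changeType": "Delete",
         "resourceId": SUB + "/Microsoft.Network/networkInterfaces/testauesto01dev-pe.nic.1a2b3c4d"},
    ]
})


def deletions(whatif_json: str) -> List[str]:
    """Resource IDs whose changeType is Delete, in stable (sorted) order."""
    doc = json.loads(whatif_json)
    return sorted(c["resourceId"] for c in doc.get("changes", [])
                  if c.get("changeType") == "Delete")


def unexpected_deletions(whatif_json: str, allowed: Iterable[str] = ()) -> List[str]:
    """Deletions that match none of the allow-list regexes (case-insensitive)."""
    patterns = [re.compile(p, re.IGNORECASE) for p in allowed]
    return [rid for rid in deletions(whatif_json)
            if not any(p.search(rid) for p in patterns)]


def safe_to_deploy(whatif_json: str, allowed: Iterable[str] = ()) -> bool:
    """True only when every planned deletion was explicitly allowed."""
    return not unexpected_deletions(whatif_json, allowed)


if __name__ == "__main__":
    import sys
    # Usage: az deployment group what-if ... --no-pretty-print | python gate.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_WHATIF
    bad = unexpected_deletions(data)
    for rid in bad:
        print("would delete:", rid)
    sys.exit(1 if bad else 0)
```

Run the real deployment only when the gate exits 0; an allow-list pattern such as `/networkInterfaces/[^/]+\.nic\.` accepts the auto-named NIC once you have decided that deletion is intended.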

1 Answer


To achieve the above requirement, first you have to register the feature AllowPrivateEndpointCustomNicName. Once you register this you can create a NIC in the ARM template and attach it to the private endpoint's customNetworkInterfaceName. To show whether the feature is registered or not you can use the below cmd:

az feature show --namespace Microsoft.Network --name AllowPrivateEndpointCustomNicName

To register the feature you can use below:

az feature register --namespace Microsoft.Network --name AllowPrivateEndpointCustomNicName 

Once the feature status is showing as registered, use the below cmd to save the changes done to the provider.

az provider register -n Microsoft.Network

Once all the above steps are done you can use the below template:

TEMPLATE:

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "location": {
      "type": "string"
    },
    "storageAccountName": {
      "type": "string"
    },
    "accountType": {
      "type": "string"
    },
    "kind": {
      "type": "string"
    },
    "accessTier": {
      "type": "string"
    },
    "minimumTlsVersion": {
      "type": "string"
    },
    "supportsHttpsTrafficOnly": {
      "type": "bool"
    },
    "allowBlobPublicAccess": {
      "type": "bool"
    },
    "allowSharedKeyAccess": {
      "type": "bool"
    },
    "allowCrossTenantReplication": {
      "type": "bool"
    },
    "defaultOAuth": {
      "type": "bool"
    },
    "networkAclsBypass": {
      "type": "string"
    },
    "networkAclsDefaultAction": {
      "type": "string"
    },
    "keySource": {
      "type": "string"
    },
    "encryptionEnabled": {
      "type": "bool"
    },
    "keyTypeForTableAndQueueEncryption": {
      "type": "string"
    },
    "infrastructureEncryptionEnabled": {
      "type": "bool"
    },
    "isContainerRestoreEnabled": {
      "type": "bool"
    },
    "isBlobSoftDeleteEnabled": {
      "type": "bool"
    },
    "blobSoftDeleteRetentionDays": {
      "type": "int"
    },
    "isContainerSoftDeleteEnabled": {
      "type": "bool"
    },
    "containerSoftDeleteRetentionDays": {
      "type": "int"
    },
    "changeFeed": {
      "type": "bool"
    },
    "isVersioningEnabled": {
      "type": "bool"
    },
    "isShareSoftDeleteEnabled": {
      "type": "bool"
    },
    "shareSoftDeleteRetentionDays": {
      "type": "int"
    },
    "privateEndpointName": {
      "type": "string"
    },
    "privateEndpointConnectionName": {
      "type": "string"
    }
  },
  "functions": [],
  "variables": {},
  "resources": [
    {
      "type": "Microsoft.Network/networkInterfaces",
      "apiVersion": "2020-11-01",
      "name": "ajaytestprivateendpoint-nic",
      "location": "westus2",
      "properties": {
        "ipConfigurations": [
          {
            "name": "privateEndpointIpConfig.ajay",
            "properties": {
              "privateIPAllocationMethod": "Dynamic",
              "subnet": {
                "id": "[resourceId('RGNAME', 'Microsoft.Network/virtualNetworks/subnets', 'VNET NAME', 'subnet name')]"
              },
              "primary": true,
              "privateIPAddressVersion": "IPv4"
            }
          }
        ],
        "dnsSettings": {
          "dnsServers": []
        },
        "enableAcceleratedNetworking": false,
        "enableIPForwarding": false
      }
    },
    {
      "name": "[parameters('storageAccountName')]",
      "type": "Microsoft.Storage/storageAccounts",
      "apiVersion": "2021-08-01",
      "location": "[parameters('location')]",
      "properties": {
        "accessTier": "[parameters('accessTier')]",
        "minimumTlsVersion": "[parameters('minimumTlsVersion')]",
        "supportsHttpsTrafficOnly": "[parameters('supportsHttpsTrafficOnly')]",
        "allowBlobPublicAccess": "[parameters('allowBlobPublicAccess')]",
        "allowSharedKeyAccess": "[parameters('allowSharedKeyAccess')]",
        "allowCrossTenantReplication": "[parameters('allowCrossTenantReplication')]",
        "defaultToOAuthAuthentication": "[parameters('defaultOAuth')]",
        "networkAcls": {
          "bypass": "[parameters('networkAclsBypass')]",
          "defaultAction": "[parameters('networkAclsDefaultAction')]",
          "ipRules": []
        },
        "encryption": {
          "keySource": "[parameters('keySource')]",
          "services": {
            "blob": {
              "enabled": "[parameters('encryptionEnabled')]"
            },
            "file": {
              "enabled": "[parameters('encryptionEnabled')]"
            },
            "table": {
              "enabled": "[parameters('encryptionEnabled')]"
            },
            "queue": {
              "enabled": "[parameters('encryptionEnabled')]"
            }
          },
          "requireInfrastructureEncryption": "[parameters('infrastructureEncryptionEnabled')]"
        }
      },
      "dependsOn": [],
      "sku": {
        "name": "[parameters('accountType')]"
      },
      "kind": "[parameters('kind')]",
      "tags": {}
    },
    {
      "apiVersion": "2021-05-01",
      "name": "[parameters('privateEndpointName')]",
      "type": "Microsoft.Network/privateEndpoints",
      "location": "[parameters('location')]",
      "dependsOn": [
        "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]",
        "[resourceId('Microsoft.Network/networkInterfaces', 'ajaytestprivateendpoint-nic')]"
      ],
      "properties": {
        "customNetworkInterfaceName": "ajaytestprivateendpoint-nic",
        "privateLinkServiceConnections": [
          {
            "id": "[concat(resourceGroup().id, '/providers/Microsoft.Network/privateEndpoints/privateLinkServiceConnections/', parameters('privateEndpointConnectionName'))]",
            "name": "[parameters('privateEndpointConnectionName')]",
            "properties": {
              "privateLinkServiceId": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]",
              "groupIds": ["blob"]
            }
          }
        ],
        "manualPrivateLinkServiceConnections": [],
        "subnet": {
          "id": "[resourceId('RGNAME', 'Microsoft.Network/virtualNetworks/subnets', 'VNET NAME', 'subnet name')]"
        }
      }
    }
  ],
  "outputs": {}
}
AjayKumarGhose
  • Hello, I activated `Microsoft.Network/AllowPrivateEndpointCustomNicName` with the following command. But it stays pending since yesterday. What else can I do? `az feature register --namespace Microsoft.Network --name AllowPrivateEndpointCustomNicName` ; `az provider register -n Microsoft.Network` – sdhd Mar 15 '22 at 09:13
  • @sdhd - Getting the same issue. Status seems to be stuck at "Pending". Any idea how to solve this? – user1987392 Mar 26 '22 at 22:48
  • Today I tried again. Its state is still pending. What am I doing wrong? – sdhd Apr 14 '22 at 12:51
  • I had a call with Microsoft. It's no longer necessary to register the feature, it will be stuck on pending. You can unregister it. You only need to ensure that the correct network policies are enabled. – JoakimE May 11 '22 at 06:16
  • Does this still work? I'm getting an error: CustomNicNameAlreadyExists – Jaykul Jun 15 '22 at 20:01