
Bicep/ARM Creating a storage account with a link to an existing DNS zone and an A record

Problem

I’m now attempting to construct a Bicep template that will deploy a storage account while restricting it to the proper existing vnet, as well as deploy a private endpoint and link it to our existing Private DNS Zone in a distinct subscription while also producing the A record. The template now deploys the storage account to the proper vnet and creates a new private endpoint, but I’m stumped as to how to attach it to an existing private DNS zone and produce the A record. Any assistance would be really helpful. Thanks!

resource stg 'Microsoft.Storage/storageAccounts@2020-08-01-preview' = {
  name: name
  location: location
  sku: {
    name: storageSku
  }
  kind: 'StorageV2'
  properties: {
    minimumTlsVersion: 'TLS1_2'
    allowBlobPublicAccess: true
    networkAcls: {
      bypass: 'AzureServices'
      virtualNetworkRules: [
        {
          id: '${}'
          action: 'Allow'
        }
      ]
      ipRules: []
      defaultAction: 'Deny'
    }
  }
}
resource privateEndpointName_resource 'Microsoft.Network/privateEndpoints@2019-04-01' = {
  name: privateEndpointName
  location: location
  properties: {
    privateLinkServiceConnections: [
      {
        name: privateEndpointName
        properties: {
          privateLinkServiceId: resourceId('Microsoft.Storage/storageAccounts', stg.name)
          groupIds: [
            groupId
          ]
        }
      }
    ]
    manualPrivateLinkServiceConnections: []
    subnet: {
      id: '${}'
    }
  }
}

resource privateDNSZone_name 'Microsoft.Network/privateDnsZones@2018-09-01' existing = {
  scope: resourceGroup(,  )
  name: privateDNSZone_name_var
}

resource privateDNSZone_name_vnetName_link 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2018-09-01' existing = {
  scope: resourceGroup(,  )
  name: '${}'
}

resource privateEndpointName_default 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2020-03-01' existing = {
  name: '${privateEndpointName_resource.name}/default'
}

Asked by EG92

Solution #1

Here’s an example using SQL Server private link, but it should be the same for storage:

resource privateEndpoint 'Microsoft.Network/privateEndpoints@2020-06-01' = {
  name: '${sqlServer.name}-plink'
  location: location
  properties: {
    subnet: {
      id: privateLinkSnetId
    }
    privateLinkServiceConnections: [
      {
        name: '${sqlServer.name}-plink'
        properties: {
          privateLinkServiceId: sqlServer.id
          groupIds: [
            'sqlServer'
          ]
        }
      }
    ]
  }
}

resource privateDNSZoneGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2020-06-01' = {
  name: '${privateEndpoint.name}/default'
  properties: {
    privateDnsZoneConfigs: [
      {
        name: 'privatelink-database-windows-net'
        properties: {
          privateDnsZoneId: privateLinkDnsZoneId
        }
      }
    ]
  }
}

However, keep in mind that there is no link between Storage Account and any of the services: blob, queue, table, or files.

When you attach a private endpoint to a DNS zone, the A record should be created automatically.

If you want to do cross-resource group or cross-subscription deployments, you’ll need to use a module – you can’t deploy resources in different scopes within the same file (module), but you can make that resource group deployment create another deployment into a different resource group in the same or different subscription.

Answered by Miq
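The answer's two points applied to the storage case, as an added example that is not part of the question or the answer: a storage account whose firewall denies everything except the given subnet, one private endpoint per storage sub-resource (the answer's remark that blob, file, queue and table are not covered by a single endpoint), and a privateDnsZoneGroup under each endpoint that points at an existing privatelink zone in another subscription by resource ID, so the A record is written for you. The zone group is a child of the endpoint and therefore deploys in the endpoint's resource group; nothing is created in the zone's subscription, which is why no module is needed here. The parameter names, the default groupIds list and the API versions are assumptions made for this example.

```bicep
// Added example, not the original poster's or answerer's code.
// Assumes: the VNet/subnet exists, the privatelink.<groupId>.core.windows.net zones exist in
// another subscription, and each zone is already linked to the consuming VNet (virtualNetworkLink).

@description('Storage account name (3-24 lowercase letters and digits).')
param storageAccountName string

param location string = resourceGroup().location

@description('Resource ID of the subnet that hosts the private endpoints and is allowed through the storage firewall.')
param subnetId string

@description('Subscription ID that holds the existing privatelink.*.core.windows.net zones.')
param dnsZoneSubscriptionId string

@description('Resource group (in dnsZoneSubscriptionId) that holds the existing zones.')
param dnsZoneResourceGroupName string

@description('Storage sub-resources to expose privately. Each one needs its own endpoint and its own zone.')
param privateEndpointGroupIds array = [
  'blob'
  'file'
]

resource stg 'Microsoft.Storage/storageAccounts@2021-09-01' = {
  name: storageAccountName
  location: location
  sku: {
    name: 'Standard_LRS'
  }
  kind: 'StorageV2'
  properties: {
    minimumTlsVersion: 'TLS1_2'
    supportsHttpsTrafficOnly: true
    // Anonymous container/blob access is not needed for an account reached only over private endpoints.
    allowBlobPublicAccess: false
    networkAcls: {
      bypass: 'AzureServices'
      defaultAction: 'Deny'
      ipRules: []
      virtualNetworkRules: [
        {
          id: subnetId
          action: 'Allow'
        }
      ]
    }
  }
}

// One private endpoint per sub-resource; a single endpoint cannot carry several groupIds for storage.
resource pe 'Microsoft.Network/privateEndpoints@2021-05-01' = [for groupId in privateEndpointGroupIds: {
  name: '${storageAccountName}-pe-${groupId}'
  location: location
  properties: {
    subnet: {
      id: subnetId
    }
    privateLinkServiceConnections: [
      {
        name: '${storageAccountName}-plink-${groupId}'
        properties: {
          privateLinkServiceId: stg.id
          groupIds: [
            groupId
          ]
        }
      }
    ]
  }
}]

// The zone group is a child of the endpoint, so it is created next to the endpoint even though the
// zone it references lives in another subscription. Azure adds the A record to that zone on creation.
resource peDnsZoneGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2021-05-01' = [for (groupId, i) in privateEndpointGroupIds: {
  parent: pe[i]
  name: 'default'
  properties: {
    privateDnsZoneConfigs: [
      {
        // Config names may not contain dots.
        name: 'privatelink-${groupId}-core-windows-net'
        properties: {
          privateDnsZoneId: resourceId(dnsZoneSubscriptionId, dnsZoneResourceGroupName, 'Microsoft.Network/privateDnsZones', 'privatelink.${groupId}.core.windows.net')
        }
      }
    ]
  }
}]

output privateEndpointIds array = [for (groupId, i) in privateEndpointGroupIds: pe[i].id]
```

Two things to check before running this: the identity performing the deployment needs write access to the zones in the other subscription, otherwise creating the zone group fails even though the endpoint itself succeeds, and each zone must already have a virtualNetworkLink to the VNet that will resolve the name. If that link (or anything else) has to be created inside the zone's resource group, it belongs in a separate module invoked with `scope: resourceGroup(dnsZoneSubscriptionId, dnsZoneResourceGroupName)`, as the answer describes.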

Post is based on https://stackoverflow.com/questions/66910040/bicep-arm-creating-storage-account-with-endpoint-link-to-existing-dns-zone-with