IaC Bazaar
Azure · Live-tested

Azure Private Endpoint (Private Link)

An Azure Private Endpoint giving a target PaaS resource a private IP inside your VNet so traffic stays on the Microsoft backbone — wire to existing subnet/target or run fully self-contained.

terraform · Azure · #azure
azure-private-endpoint · terraform v1.7

Verification

Live-tested

Really deployed, verified, idempotent and destroyed in a cloud sandbox.

Conformance

  • Static validation (fmt · validate · tflint)
  • Security scan (Checkov)
  • Plan tests (mocked: validation rules · outputs)

Provenance

  • SHA-256 checksum
  • Signature (pending)

Functional

  • Live-tested — applied, verified, destroyed

Last verified 2026-06-30 · how we verify

Documentation

azure-private-endpoint

Status: static-validated, live-test pending. Ships under live-test quarantine until promoted by the Azure live lane. Schema is validated against the azurerm v4 provider docs.

An Azure Private Endpoint (Private Link) to a target PaaS resource — a Storage Account, Key Vault, Azure SQL, App Service, and so on. The endpoint gives the service a private IP inside your VNet so traffic stays on the Microsoft backbone and never traverses the public internet.

It works two ways:

  • Production wiring — point it at an existing subnet (subnet_id) and an existing target (target_resource_id).
  • Self-contained — set create_network = true to build a dedicated VNet + subnet, and/or create_demo_target = true to stand up a locked-down demo Storage Account target. With both on, one tofu apply yields a complete Private Link example (VNet + subnet + storage + endpoint), and tofu destroy removes it all.

Works with Terraform and OpenTofu (>= 1.6), azurerm provider >= 4.0, < 5.0, random >= 3.0, < 4.0.

What it provisions

  • azurerm_private_endpoint — the endpoint + its auto-created NIC, with a private_service_connection to the target's chosen subresource_names.
  • (optional, create_network) azurerm_virtual_network + azurerm_subnet (subnet has private_endpoint_network_policies = "Disabled").
  • (optional, create_demo_target) azurerm_storage_account — public access off, shared keys off, TLS 1.2+, infrastructure (double) encryption on — named uniquely via random_string.
  • (optional, create_private_dns_zone) azurerm_private_dns_zone and, when a network is also created, an azurerm_private_dns_zone_virtual_network_link, with the endpoint's records registered automatically.
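To make the provisioning list above concrete, here is an added, stand-alone HCL example of the same resource set written directly against the azurerm v4 provider. It is not the module's own code and does not use the module's inputs; the resource group, region, CIDRs, names and the "blob" subresource are constructed for illustration and should be adjusted to your environment.

```hcl
terraform {
  required_version = ">= 1.6"
  required_providers {
    azurerm = { source = "hashicorp/azurerm", version = ">= 4.0, < 5.0" }
    random  = { source = "hashicorp/random", version = ">= 3.0, < 4.0" }
  }
}

provider "azurerm" {
  features {}
  # subscription comes from ARM_SUBSCRIPTION_ID after `az login`
}

# Example names, region and address ranges are constructed for this illustration.
resource "azurerm_resource_group" "example" {
  name     = "rg-private-endpoint-example"
  location = "westeurope"
}

resource "azurerm_virtual_network" "example" {
  name                = "vnet-private-endpoint-example"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  address_space       = ["10.10.0.0/16"]
}

resource "azurerm_subnet" "endpoints" {
  name                 = "snet-private-endpoints"
  resource_group_name  = azurerm_resource_group.example.name
  virtual_network_name = azurerm_virtual_network.example.name
  address_prefixes     = ["10.10.1.0/24"]
  # Endpoint NICs require network policies off on their subnet.
  private_endpoint_network_policies = "Disabled"
}

# Storage account names are globally unique; a random suffix avoids collisions.
resource "random_string" "suffix" {
  length  = 8
  upper   = false
  special = false
}

# Locked-down demo target: reachable only through the private endpoint.
resource "azurerm_storage_account" "demo" {
  name                     = "stpedemo${random_string.suffix.result}"
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "LRS"

  public_network_access_enabled     = false # no public data-plane reachability
  shared_access_key_enabled         = false # Entra ID / RBAC auth only
  min_tls_version                   = "TLS1_2"
  infrastructure_encryption_enabled = true  # double encryption at rest
}

# Private DNS zone so the public FQDN resolves to the endpoint's private IP
# from inside the VNet; the zone name is the fixed privatelink zone for blob.
resource "azurerm_private_dns_zone" "blob" {
  name                = "privatelink.blob.core.windows.net"
  resource_group_name = azurerm_resource_group.example.name
}

resource "azurerm_private_dns_zone_virtual_network_link" "blob" {
  name                  = "link-vnet-private-endpoint-example"
  resource_group_name   = azurerm_resource_group.example.name
  private_dns_zone_name = azurerm_private_dns_zone.blob.name
  virtual_network_id    = azurerm_virtual_network.example.id
}

resource "azurerm_private_endpoint" "blob" {
  name                = "pe-${azurerm_storage_account.demo.name}-blob"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  subnet_id           = azurerm_subnet.endpoints.id

  # The target resource and the subresource (group ID) being exposed.
  private_service_connection {
    name                           = "psc-blob"
    private_connection_resource_id = azurerm_storage_account.demo.id
    subresource_names              = ["blob"]
    is_manual_connection           = false
  }

  # Registers the endpoint's A record in the zone automatically.
  private_dns_zone_group {
    name                 = "default"
    private_dns_zone_ids = [azurerm_private_dns_zone.blob.id]
  }
}

output "endpoint_private_ip" {
  value = azurerm_private_endpoint.blob.private_service_connection[0].private_ip_address
}
```

After `tofu apply`, a useful verification from a VM inside the VNet is to resolve `<account>.blob.core.windows.net`: it should return an address in 10.10.1.0/24 rather than a public IP, and the same lookup from outside the VNet should still return the public address. With `public_network_access_enabled = false`, a request to that public address is expected to be refused, which is the behaviour to confirm before relying on the endpoint as the only path.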

Common subresource (group ID) names

  Target service                                      subresource_names
  Storage (blob / file / dfs / queue / table / web)   ["blob"], ["file"], …
  Key Vault                                           ["vault"]
  Azure SQL Database / Synapse                        ["sqlServer"]
  Cosmos DB (SQL API)                                 ["Sql"]
  App Service / Function App                          ["sites"]
  Azure Container Registry                            ["registry"]

Requirements

  Requirement             Version
  Terraform / OpenTofu    >= 1.6
  hashicorp/azurerm       >= 4.0, < 5.0
  hashicorp/random        >= 3.0, < 4.0

Authenticate via az login (or a service principal) and set ARM_SUBSCRIPTION_ID. See docs/CONNECTING-PROVIDERS.md#azure.

Verification

Static-validated (tofu fmt, tofu validate, tflint, checkov). Live apply/verify/destroy testing pending Azure sandbox availability — see catalog status.

License

Commercial — IaC Bazaar EULA. © IaC Bazaar. Original work (not derived from a third-party module).

Usage code & full reference unlock after purchase

The complete copy-paste usage, the full input/output reference, and operational notes ship with your licence — shown here and bundled in the download.

  • Usage — connect to an existing target
  • Usage — self-contained (own VNet + demo Storage target)
  • Inputs
  • Outputs
  • Security notes