Azure Private Endpoint (Private Link)
An Azure Private Endpoint giving a target PaaS resource a private IP inside your VNet so traffic stays on the Microsoft backbone — wire to existing subnet/target or run fully self-contained.
Verification
Live-tested: really deployed, verified, idempotent and destroyed in a cloud sandbox.
Conformance
- Static validation (fmt · validate · tflint)
- Security scan (Checkov)
- Plan tests (mocked: validation rules · outputs)
Provenance
- SHA-256 checksum
- Signature (pending)
Functional
- Live-tested — applied, verified, destroyed
Last verified 2026-06-30
Documentation
azure-private-endpoint
Status: static-validated, live-test pending. Ships under live-test quarantine until promoted by the Azure live lane. Schema is validated against the azurerm v4 provider docs.
An Azure Private Endpoint (Private Link) to a target PaaS resource — a Storage Account, Key Vault, Azure SQL, App Service, and so on. The endpoint gives the service a private IP inside your VNet so traffic stays on the Microsoft backbone and never traverses the public internet.
It works two ways:
- Production wiring — point it at an existing subnet (`subnet_id`) and an existing target (`target_resource_id`).
- Self-contained — set `create_network = true` to build a dedicated VNet + subnet, and/or `create_demo_target = true` to stand up a locked-down demo Storage Account target. With both on, one `tofu apply` yields a complete Private Link example (VNet + subnet + storage + endpoint), and `tofu destroy` removes it all.
Works with Terraform and OpenTofu (>= 1.6), azurerm provider >= 4.0, < 5.0, random >= 3.0, < 4.0.
What it provisions
- `azurerm_private_endpoint` — the endpoint + its auto-created NIC, with a `private_service_connection` to the target's chosen `subresource_names`.
- (optional, `create_network`) `azurerm_virtual_network` + `azurerm_subnet` (subnet has `private_endpoint_network_policies = "Disabled"`).
- (optional, `create_demo_target`) `azurerm_storage_account` — public access off, shared keys off, TLS 1.2+, infrastructure (double) encryption on — named uniquely via `random_string`.
- (optional, `create_private_dns_zone`) `azurerm_private_dns_zone` and, when a network is also created, an `azurerm_private_dns_zone_virtual_network_link`, with the endpoint's records registered automatically.
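As an added example, not the module's own code (which ships with the licence), these are the raw azurerm v4 resources the production-wiring path wraps for a Storage blob target, including the Private DNS zone the Private Link hostname needs to resolve to the endpoint's private IP. The resource group, location, resource names and the two input variables are assumptions.

```hcl
# Added example, not the module's own code: raw azurerm v4 resources behind the
# production-wiring path (locked-down Storage target, endpoint into an existing
# subnet, Private DNS zone). Names, RG, location and both variables are assumed.
variable "subnet_id" { type = string } # existing subnet (endpoint network policies disabled)
variable "vnet_id"   { type = string } # VNet that owns subnet_id, for the DNS link

resource "azurerm_storage_account" "target" {
  name                              = "stpedemo01234" # must be globally unique
  resource_group_name               = "rg-pe-demo"
  location                          = "westeurope"
  account_tier                      = "Standard"
  account_replication_type          = "LRS"
  public_network_access_enabled     = false    # reachable only through the endpoint
  shared_access_key_enabled         = false    # Entra ID auth only, no account keys
  min_tls_version                   = "TLS1_2"
  infrastructure_encryption_enabled = true     # double encryption at rest
}

# Zone name is fixed by the subresource: "blob" -> privatelink.blob.core.windows.net
resource "azurerm_private_dns_zone" "blob" {
  name                = "privatelink.blob.core.windows.net"
  resource_group_name = azurerm_storage_account.target.resource_group_name
}

resource "azurerm_private_dns_zone_virtual_network_link" "blob" {
  name                  = "link-blob"
  resource_group_name   = azurerm_private_dns_zone.blob.resource_group_name
  private_dns_zone_name = azurerm_private_dns_zone.blob.name
  virtual_network_id    = var.vnet_id
}

resource "azurerm_private_endpoint" "blob" {
  name                = "pe-blob"
  location            = azurerm_storage_account.target.location
  resource_group_name = azurerm_storage_account.target.resource_group_name
  subnet_id           = var.subnet_id

  private_service_connection {
    name                           = "psc-blob"
    private_connection_resource_id = azurerm_storage_account.target.id
    subresource_names              = ["blob"]
    is_manual_connection           = false
  }

  # Registers the A record in the zone so clients resolve the private IP
  private_dns_zone_group {
    name                 = "dns-blob"
    private_dns_zone_ids = [azurerm_private_dns_zone.blob.id]
  }
}
```

Without the zone link and zone group, the public FQDN still resolves to a public IP and clients never use the endpoint, which is the most common reason a Private Link deployment appears to "not work".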
Common subresource (group ID) names
| Target service | subresource_names |
|---|---|
| Storage (blob / file / dfs / queue / table / web) | ["blob"], ["file"], … |
| Key Vault | ["vault"] |
| Azure SQL Database / Synapse | ["sqlServer"] |
| Cosmos DB (SQL API) | ["Sql"] |
| App Service / Function App | ["sites"] |
| Azure Container Registry | ["registry"] |
Requirements
| Requirement | Version |
|---|---|
| Terraform / OpenTofu | >= 1.6 |
| hashicorp/azurerm | >= 4.0, < 5.0 |
| hashicorp/random | >= 3.0, < 4.0 |
Authenticate via `az login` (or a service principal) and set `ARM_SUBSCRIPTION_ID`. See docs/CONNECTING-PROVIDERS.md#azure.
Verification
Static-validated (`tofu fmt`, `tofu validate`, tflint, checkov). Live apply/verify/destroy testing pending Azure sandbox availability — see catalog status.
License
Commercial — IaC Bazaar EULA. © IaC Bazaar. Original work (not derived from a third-party module).
Usage code & full reference unlock after purchase
The complete copy-paste usage, the full input/output reference, and operational notes ship with your licence — shown here and bundled in the download.
- Usage — connect to an existing target
- Usage — self-contained (own VNet + demo Storage target)
- Inputs
- Outputs
- Security notes