When creating a private endpoint (Private Link) with ARM or Bicep, you need to specify a few settings, one of which is the groupId (the groupIds array under privateLinkServiceConnections) for the resource type you are connecting to. You can't omit this value, and it has to be exactly correct for the deployment to succeed; it is even case sensitive.
Example:
```bicep
// Parameters the snippet references; declared here so the file compiles on its own.
param location string = resourceGroup().location
param webAppName string
param privateLinkSubnet string
param networking object // expects { vNetResourceGroup: '...', existingVNetName: '...' }

// The App Service that gets the private endpoint. Declared as 'existing' here; it can
// equally be a resource deployed in the same file.
resource appService 'Microsoft.Web/sites@2022-09-01' existing = {
  name: webAppName
}

resource myPrivateEndpoint 'Microsoft.Network/privateEndpoints@2022-09-01' = {
  name: '${webAppName}-privateendpoint'
  location: location
  properties: {
    subnet: {
      id: resourceId(networking.vNetResourceGroup, 'Microsoft.Network/virtualNetworks/subnets', networking.existingVNetName, privateLinkSubnet)
    }
    privateLinkServiceConnections: [
      {
        // Interpolate the name, not the resource object itself (that is a Bicep error).
        name: '${appService.name}-privateLink'
        properties: {
          // Referencing appService.id already creates the dependency, so no dependsOn is needed.
          privateLinkServiceId: appService.id
          // Must match the remote resource's sub-resource name exactly; 'sites' for Microsoft.Web/sites.
          groupIds: [
            'sites'
          ]
        }
      }
    ]
  }
}
```
I have scoured the earth to find a list of them. The documentation for the private endpoint Bicep resource helpfully states that it is a 'string', but leaves out the values for the different resource types that you can connect to. This is all the documentation tells you:
PrivateEndpointIPConfigurationProperties
Name | Description | Value |
---|---|---|
groupId | The ID of a group obtained from the remote resource that this private endpoint should connect to. | string |
Name | Description | Value |
---|---|---|
groupIds | The ID(s) of the group(s) obtained from the remote resource that this private endpoint should connect to. | string[] |
There are also a number of examples that help you find the groupId for sql, blob, table, sites and a few more. But every time you need it for a new Bicep file, you have to hunt for the correct value.
Today I spent some time not giving up: I started collecting every groupId I could find in a list, and after finding maybe 15 different ones, I got really lucky. Via a series of related searches I got to the keyword 'ListSupportedPrivateLinkResources'. This took me to a public GitHub repo named 'Private Endpoint Overview'. A bit down on this page, there is a table called 'private link resource'. This lists, in turn: Private-link resource name, Resource type and Subresources. Subresources is the goldmine!
This is the (complete?) list of resource types that can have a Private Endpoint and their groupIds. One caveat: the Subresources column is copied from the docs, and some cells are display names rather than the literal value. Where they differ the table shows the literal value in brackets, e.g. 'SQL Server (sqlServer)' and 'Blob (blob, blob_secondary)', so for entries such as 'managed disk' or 'Power BI' check the exact groupId against the resource before you deploy.
Private-link resource name | Resource type | Subresources |
---|---|---|
Azure App Configuration | Microsoft.Appconfiguration/configurationStores | configurationStores |
Azure Automation | Microsoft.Automation/automationAccounts | Webhook, DSCAndHybridWorker |
Azure Cosmos DB | Microsoft.DocumentDB/databaseAccounts | SQL, MongoDB, Cassandra, Gremlin, Table |
Azure Batch | Microsoft.Batch/batchAccounts | batchAccount, nodeManagement |
Azure Cache for Redis | Microsoft.Cache/Redis | redisCache |
Azure Cache for Redis Enterprise | Microsoft.Cache/redisEnterprise | redisEnterprise |
Azure Cognitive Services | Microsoft.CognitiveServices/accounts | account |
Azure Managed Disks | Microsoft.Compute/diskAccesses | managed disk |
Azure Container Registry | Microsoft.ContainerRegistry/registries | registry |
Azure Kubernetes Service – Kubernetes API | Microsoft.ContainerService/managedClusters | management |
Azure Data Factory | Microsoft.DataFactory/factories | dataFactory |
Azure Data Explorer | Microsoft.Kusto/clusters | cluster |
Azure Database for MariaDB | Microsoft.DBforMariaDB/servers | mariadbServer |
Azure Database for MySQL | Microsoft.DBforMySQL/servers | mysqlServer |
Azure Database for PostgreSQL – Single server | Microsoft.DBforPostgreSQL/servers | postgresqlServer |
Azure Device Provisioning Service | Microsoft.Devices/provisioningServices | iotDps |
Azure IoT Hub | Microsoft.Devices/IotHubs | iotHub |
Azure IoT Central | Microsoft.IoTCentral/IoTApps | IoTApps |
Azure Digital Twins | Microsoft.DigitalTwins/digitalTwinsInstances | API |
Azure Event Grid | Microsoft.EventGrid/domains | domain |
Azure Event Grid | Microsoft.EventGrid/topics | topic |
Azure Event Hub | Microsoft.EventHub/namespaces | namespace |
Azure HDInsight | Microsoft.HDInsight/clusters | cluster |
Azure API for FHIR (Fast Healthcare Interoperability Resources) | Microsoft.HealthcareApis/services | fhir |
Azure Key Vault HSM (hardware security module) | Microsoft.Keyvault/managedHSMs | HSM |
Azure Key Vault | Microsoft.KeyVault/vaults | vault |
Azure Machine Learning | Microsoft.MachineLearningServices/workspaces | amlworkspace |
Azure Migrate | Microsoft.Migrate/assessmentProjects | project |
Application Gateway | Microsoft.Network/applicationgateways | application gateway |
Private Link service (your own service) | Microsoft.Network/privateLinkServices | empty |
Power BI | Microsoft.PowerBI/privateLinkServicesForPowerBI | Power BI |
Microsoft Purview | Microsoft.Purview/accounts | account |
Microsoft Purview | Microsoft.Purview/accounts | portal |
Azure Backup | Microsoft.RecoveryServices/vaults | AzureBackup, AzureSiteRecovery |
Azure Relay | Microsoft.Relay/namespaces | namespace |
Azure Cognitive Search | Microsoft.Search/searchServices | searchService |
Azure Service Bus | Microsoft.ServiceBus/namespaces | namespace |
Azure SignalR Service | Microsoft.SignalRService/SignalR | signalr |
Azure SignalR Service | Microsoft.SignalRService/webPubSub | webpubsub |
Azure SQL Database | Microsoft.Sql/servers | SQL Server (sqlServer) |
Azure Storage | Microsoft.Storage/storageAccounts | Blob (blob, blob_secondary) Table (table, table_secondary) Queue (queue, queue_secondary) File (file, file_secondary) Web (web, web_secondary) Dfs (dfs, dfs_secondary) |
Azure File Sync | Microsoft.StorageSync/storageSyncServices | File Sync Service |
Azure Synapse | Microsoft.Synapse/privateLinkHubs | web |
Azure Synapse Analytics | Microsoft.Synapse/workspaces | Sql, SqlOnDemand, Dev |
Azure App Service | Microsoft.Web/hostingEnvironments | hosting environment |
Azure App Service | Microsoft.Web/sites | sites |
Azure Static Web Apps | Microsoft.Web/staticSites | staticSites |
Azure Media Services | Microsoft.Media/mediaservices | keydelivery, liveevent, streamingendpoint |
Resource Management Private Links | Microsoft.Authorization/resourceManagementPrivateLinks | ResourceManagement |
Azure Databricks | Microsoft.Databricks/workspaces | databricks_ui_api, browser_authentication |
Azure Monitor Private Link Scope | Microsoft.Insights/privatelinkscopes | azuremonitor |
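Rather than trusting a hand-maintained table, you can ask the resource itself which groupIds it supports: every Private Link-capable resource exposes a `privateLinkResources` collection in ARM (the same data behind the 'ListSupportedPrivateLinkResources' keyword above), and each entry also carries `requiredZoneNames`, the private DNS zone you will need next. The following is an added example, not code from the original post: the resource id, bearer token and provider api-version are supplied by the caller, and the two sample responses are constructed in the shape ARM returns, not captured from a real tenant.

```python
"""Look up the valid groupIds for an Azure resource before putting one in a Bicep template.

Added example, not from the original post. fetch_private_link_resources() calls
GET {resourceId}/privateLinkResources?api-version=<provider api-version> and needs
network access plus an ARM bearer token; the helpers below it work offline on a
captured (or, as here, constructed) response.
"""
import json
import urllib.request
from typing import Dict, List, Tuple

ARM_ENDPOINT = "https://management.azure.com"


def fetch_private_link_resources(resource_id: str, token: str, api_version: str) -> dict:
    """GET .../privateLinkResources for one resource. `api_version` is the api-version of
    the resource's own provider (the one you use for e.g. Microsoft.Web/sites)."""
    url = f"{ARM_ENDPOINT}{resource_id}/privateLinkResources?api-version={api_version}"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def supported_group_ids(response: dict) -> Dict[str, List[str]]:
    """Map each groupId in a privateLinkResources response to its requiredZoneNames."""
    out: Dict[str, List[str]] = {}
    for item in response.get("value", []):
        props = item.get("properties", {})
        group_id = props.get("groupId")
        if group_id:  # skip malformed entries rather than crash
            out[group_id] = list(props.get("requiredZoneNames", []))
    return out


def check_group_id(response: dict, wanted: str) -> Tuple[bool, str]:
    """Exact (case-sensitive) match, which is what the deployment requires.
    Returns (True, '') on success, or (False, message) listing the valid values and
    pointing out a case-only mismatch such as 'Sites' vs 'sites'."""
    supported = supported_group_ids(response)
    if wanted in supported:
        return True, ""
    case_match = [g for g in supported if g.lower() == wanted.lower()]
    hint = f"; did you mean '{case_match[0]}'?" if case_match else ""
    return False, f"groupId '{wanted}' is not valid here; valid values: {sorted(supported)}{hint}"


def bicep_group_ids(response: dict, wanted: str) -> str:
    """Render the groupIds array for privateLinkServiceConnections, refusing bad values."""
    ok, msg = check_group_id(response, wanted)
    if not ok:
        raise ValueError(msg)
    return f"groupIds: [\n  '{wanted}'\n]"


# Constructed sample responses (not captured from a real tenant) in the shape ARM returns.
_SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg"
SAMPLE_SITES = {
    "value": [
        {
            "id": f"{_SUB}/providers/Microsoft.Web/sites/myapp/privateLinkResources/sites",
            "name": "sites",
            "type": "Microsoft.Web/sites/privateLinkResources",
            "properties": {
                "groupId": "sites",
                "requiredMembers": ["sites"],
                "requiredZoneNames": ["privatelink.azurewebsites.net"],
            },
        }
    ]
}
SAMPLE_STORAGE = {
    "value": [
        {
            "id": f"{_SUB}/providers/Microsoft.Storage/storageAccounts/mysa/privateLinkResources/{g}",
            "name": g,
            "type": "Microsoft.Storage/storageAccounts/privateLinkResources",
            "properties": {
                "groupId": g,
                "requiredMembers": [g],
                "requiredZoneNames": [f"privatelink.{g}.core.windows.net"],
            },
        }
        for g in ("blob", "file", "table")
    ]
}

if __name__ == "__main__":
    # Offline demonstration on the constructed samples.
    print(supported_group_ids(SAMPLE_STORAGE))
    print(check_group_id(SAMPLE_SITES, "Sites"))
    print(bicep_group_ids(SAMPLE_SITES, "sites"))
```

To run it against a real resource, get a token with `az account get-access-token --resource https://management.azure.com --query accessToken -o tsv` and pass the resource id plus the provider's api-version to `fetch_private_link_resources()`; the CLI equivalent of the GET is `az network private-link-resource list --name <name> --resource-group <rg> --type <Microsoft.Provider/type>`. The check is deliberately case-sensitive because that is how the deployment compares the value; the hint only tells you that a case-only typo is the likely cause.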
References
Private Endpoint Overview (GitHub; check here for updates)
https://github.com/MicrosoftDocs/azure-docs/blob/main/articles/private-link/private-endpoint-overview.md
___________________________________________________________________________________________________
Enjoy!
Regards