Automatically approve Pending Private Endpoint Connections in your pipeline


azure

 

After adding an origin to Azure Front Door via Private Link, or pointing an Azure Search indexer at a SQL server via Private Link, the Private Endpoint Connection on the target resource is left in a 'Pending', non-functional state. Normally you approve these manually by locating the connection on the target resource and approving it. If you want your deployments fully automated, this script may help. (It can also be run manually from a prompt or in Visual Studio Code.)

 
Save the script as 'ApprovePrivateEndpointConnections.ps1'

<#
.SYNOPSIS
    Approves all pending private endpoint connections for a given Azure resource.
    Thomas Odell Balkeståhl 2026-03-10

.PARAMETER ResourceGroup
    The resource group of the target resource.

.PARAMETER ResourceName
    The name of the target resource.

.PARAMETER ResourceType
    The Azure resource type, e.g. 'Microsoft.Sql/servers', 'Microsoft.Storage/storageAccounts', 'Microsoft.Web/sites', etc.

.PARAMETER Description
    Optional approval description. Defaults to 'Approved via automation script'.

.PARAMETER Simulation
    When set to $true, lists pending connections but does not approve them.

.EXAMPLE
    .\ApprovePrivateEndpointConnections.ps1 `
        -ResourceGroup 'rg-team-product-prd' `
        -ResourceName 'asql-team-product-prd-sc' `
        -ResourceType 'Microsoft.Sql/servers' `
        -Simulation $true
#>
param (
    [Parameter(Mandatory = $true)]
    [string] $ResourceGroup,

    [Parameter(Mandatory = $true)]
    [string] $ResourceName,

    [Parameter(Mandatory = $true)]
    [string] $ResourceType,

    [Parameter(Mandatory = $false)]
    [string] $Description = 'Approved via automation script',

    [Parameter(Mandatory = $false)]
    [bool] $Simulation = $false
)

# Returns the resource IDs of all connections on the target resource whose status
# is 'Pending', one ID per line (PowerShell turns that into a string array).
function Get-PendingConnections {
    az network private-endpoint-connection list `
        --resource-group $ResourceGroup `
        --name $ResourceName `
        --type $ResourceType `
        --query "[?properties.privateLinkServiceConnectionState.status == 'Pending'].id" `
        --output tsv
}

# List all private endpoint connections and filter those with status 'Pending'
Write-Host "Listing private endpoint connections for '$ResourceName'..."

$pendingConnections = Get-PendingConnections

# The connection can take a moment to appear after the private endpoint is created,
# so retry once before giving up.
if (-not $pendingConnections) {
    Write-Host "No pending connections found on first attempt. Waiting 2 minutes before retrying..."
    Start-Sleep -Seconds 120

    Write-Host "Retrying..."
    $pendingConnections = Get-PendingConnections
}

if (-not $pendingConnections) {
    Write-Host "No pending private endpoint connections found after retry. Exiting."
    exit 0
}

$failed = 0
foreach ($connectionId in $pendingConnections) {
    if ($Simulation) {
        Write-Host "  -> (Simulation) Would approve: $connectionId"
        continue
    }

    Write-Host "Approving connection: $connectionId"

    $result = az network private-endpoint-connection approve `
        --id $connectionId `
        --description $Description 2>&1

    if ($LASTEXITCODE -eq 0) {
        Write-Host "  -> Approved: $connectionId"
    } else {
        $failed++
        Write-Host "  -> FAILED to approve: $connectionId"
        Write-Host "     Error: $result"
    }
}

# Fail the pipeline step if any approval failed, instead of reporting success.
if ($failed -gt 0) {
    Write-Error "$failed private endpoint connection(s) could not be approved."
    exit 1
}
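One thing the script does not do is check who asked for the connection. A private endpoint connection to your SQL server (or any other Private Link resource) can be requested from any subscription, even another tenant, by anyone who knows the target's resource ID; the approval step is the only thing between that request and a private path into the resource, and approving everything that is Pending gives that control away. The PowerShell below is an added example, not part of the original script, that only approves a pending connection if either the requesting private endpoint sits in a subscription you own, or the request message on the connection equals a token your pipeline generated (both Front Door and the Azure Search shared private link let you set that request message, and it surfaces as the connection's description). Everything else stays Pending and is reported for a human. The function names, the token format and the JSON sample (shaped like the output of az network private-endpoint-connection list --output json, with made-up GUIDs and names) are my own constructions.

```powershell
# Added example (not from the original post): approve only pending private endpoint
# connections that pass an origin check; leave the rest Pending for a human.
# Function names, token format and all IDs/GUIDs below are constructed for the example.

function Test-TrustedConnection {
    param(
        [Parameter(Mandatory)] $Connection,                 # one element of the 'list' JSON
        [string[]] $AllowedSubscriptionIds = @(),           # subscriptions whose endpoints we own
        [string]   $ExpectedRequestMessage = ''             # per-deployment token; '' disables rule 2
    )
    $state = $Connection.properties.privateLinkServiceConnectionState
    if ($state.status -ne 'Pending') { return $false }

    # Rule 1: the requesting private endpoint lives in a subscription we control.
    # Resource IDs start with /subscriptions/<guid>/, so pull the GUID out.
    $endpointId = [string] $Connection.properties.privateEndpoint.id
    if ($endpointId -match '^/subscriptions/([0-9a-fA-F-]{36})/' -and
        $AllowedSubscriptionIds -contains $Matches[1]) {
        return $true
    }

    # Rule 2: the request message carries the token this deployment generated and
    # passed to Front Door / Azure Search as the request message.
    if ($ExpectedRequestMessage -and ([string] $state.description) -eq $ExpectedRequestMessage) {
        return $true
    }

    return $false
}

function Get-ApprovalPlan {
    param(
        [Parameter(Mandatory)] [object[]] $Connections,
        [string[]] $AllowedSubscriptionIds = @(),
        [string]   $ExpectedRequestMessage = ''
    )
    $approve = New-Object System.Collections.Generic.List[string]
    $review  = New-Object System.Collections.Generic.List[string]
    foreach ($c in $Connections) {
        if ($c.properties.privateLinkServiceConnectionState.status -ne 'Pending') { continue }
        $trusted = Test-TrustedConnection -Connection $c `
            -AllowedSubscriptionIds $AllowedSubscriptionIds `
            -ExpectedRequestMessage $ExpectedRequestMessage
        if ($trusted) { $approve.Add($c.id) } else { $review.Add($c.id) }
    }
    return [pscustomobject]@{ Approve = $approve.ToArray(); Review = $review.ToArray() }
}

function Invoke-ApprovalPlan {
    param(
        [Parameter(Mandatory)] $Plan,
        [string] $Description = 'Approved via automation (origin verified)',
        [switch] $Simulation
    )
    foreach ($id in $Plan.Approve) {
        if ($Simulation) { Write-Host "  -> (Simulation) Would approve: $id"; continue }
        az network private-endpoint-connection approve --id $id --description $Description | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Failed to approve $id" }
        Write-Host "  -> Approved: $id"
    }
    # Unknown origins are never auto-approved; they are only reported.
    foreach ($id in $Plan.Review) {
        Write-Warning "Left Pending for human review (origin not verified): $id"
    }
}

# Constructed sample shaped like 'az network private-endpoint-connection list --output json'.
# 1111... is 'our' subscription; 2222... stands in for a Microsoft-managed subscription
# (where Front Door / Azure Search endpoints live); 9999... is an unknown third party.
$sampleJson = @'
[
  { "id": "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg-team-product-prd/providers/Microsoft.Sql/servers/asql-team-product-prd-sc/privateEndpointConnections/pe-app-conn",
    "properties": {
      "privateEndpoint": { "id": "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg-team-product-prd/providers/Microsoft.Network/privateEndpoints/pe-app" },
      "privateLinkServiceConnectionState": { "status": "Pending", "description": "app to sql" } } },
  { "id": "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg-team-product-prd/providers/Microsoft.Sql/servers/asql-team-product-prd-sc/privateEndpointConnections/search-shared-link-conn",
    "properties": {
      "privateEndpoint": { "id": "/subscriptions/22222222-2222-2222-2222-222222222222/resourceGroups/managed-rg/providers/Microsoft.Network/privateEndpoints/search-shared-link" },
      "privateLinkServiceConnectionState": { "status": "Pending", "description": "deploy-4711-7f3a9c" } } },
  { "id": "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg-team-product-prd/providers/Microsoft.Sql/servers/asql-team-product-prd-sc/privateEndpointConnections/pe-unknown-conn",
    "properties": {
      "privateEndpoint": { "id": "/subscriptions/99999999-9999-9999-9999-999999999999/resourceGroups/rg-somebody-else/providers/Microsoft.Network/privateEndpoints/pe-unknown" },
      "privateLinkServiceConnectionState": { "status": "Pending", "description": "Please approve" } } },
  { "id": "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg-team-product-prd/providers/Microsoft.Sql/servers/asql-team-product-prd-sc/privateEndpointConnections/pe-old-conn",
    "properties": {
      "privateEndpoint": { "id": "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg-team-product-prd/providers/Microsoft.Network/privateEndpoints/pe-old" },
      "privateLinkServiceConnectionState": { "status": "Approved", "description": "Auto-approved" } } }
]
'@
$connections = $sampleJson | ConvertFrom-Json
# In the pipeline use the live list instead, and generate the token in an earlier step
# (e.g. "deploy-$(Build.BuildId)-<random>") and pass the same value as the request message:
# $connections = az network private-endpoint-connection list --resource-group $ResourceGroup `
#     --name $ResourceName --type $ResourceType --output json | ConvertFrom-Json

$plan = Get-ApprovalPlan -Connections $connections `
    -AllowedSubscriptionIds @('11111111-1111-1111-1111-111111111111') `
    -ExpectedRequestMessage 'deploy-4711-7f3a9c'
Invoke-ApprovalPlan -Plan $plan -Simulation
```

With the sample, the plan holds two IDs to approve (the endpoint in the allow-listed subscription and the one carrying the token) and one left for review; the already-approved connection is skipped. Run it once with -Simulation against the real resource and compare the JSON your resource type returns before trusting the field names. Microsoft-managed endpoints such as Front Door's will never be in your subscription, so for those the token rule is the one that applies.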

To use in Pipeline (YML):
(The AzureCLI@2 task runs the script with the Azure CLI already signed in as the named Service Connection in Azure DevOps. That identity needs the approval action on the target resource, e.g. Microsoft.Sql/servers/privateEndpointConnectionsApproval/action for a SQL server; Contributor on the resource includes it.)

 

- task: AzureCLI@2
  displayName: 'Approve Private Endpoint Connections'
  inputs:
    azureSubscription: ${{ variables.serviceConnection }}
    scriptType: 'ps'
    scriptLocation: 'scriptPath'
    scriptPath: 'deployment/iac/scripts/ApprovePrivateEndpointConnections.ps1'
    arguments: >-
      -ResourceGroup "${{ variables.ResourceGroupName }}"
      -ResourceName "${{ variables.ResourceName }}"
      -ResourceType "Microsoft.Sql/servers"
 
 

az network private-endpoint-connection approve on Learn
https://learn.microsoft.com/en-us/cli/azure/network/private-endpoint-connection?view=azure-cli-latest#az-network-private-endpoint-connection-approve

 


___________________________________________________________________________________________________

Enjoy!

Regards

 Thomas Odell Balkeståhl on LinkedIn

Adding a User Defined Route for API Management with a Service Tag via Bicep


azure

If you are setting up API Management in internal VNet mode (its own VNet/subnet) with a public IP, there are a few prerequisites. One is an NSG on the subnet with a number of predefined rules; these are documented by Microsoft and are easy to get hold of.
Another, if you have a peered VNet (for example one that propagates a 0.0.0.0/0 route towards a firewall), is a route table on the subnet with a User Defined Route that sends the API Management management-plane traffic straight out to the internet, so the instance can reach the management service.

If you create the APIM service without the route, you get an error saying that the APIM management endpoint cannot be contacted.

Running the diagnostic in the network GUI gives this dialogue:

[Screenshot: APIMDiagnose]

The UDR is easy enough to add in the portal, but if you are an IaC shop and want to deploy with Bicep, it is an undocumented feature.

And you do want to use the Service Tag, because the IP ranges of the API Management service can change.

I solved it after some research; this is what you do.

Simply add the Service Tag name as the addressPrefix. When the UDR is deployed this makes it use a Service Tag and selects the correct one.

[Screenshot: APIM_UDR]

The Bicep resources look something like this:

resource routeTable 'Microsoft.Network/routeTables@2023-04-01' = {
  name: 'rt-${appPrefix}-${appName}'
  location: location
  properties: {
    disableBgpRoutePropagation: false
    routes: []
  }
}

// The service tag name goes in addressPrefix; Azure resolves it to the
// ApiManagement IP ranges and keeps it current as they change.
resource route 'Microsoft.Network/routeTables/routes@2023-04-01' = {
  name: 'ApiManagement'
  parent: routeTable
  properties: {
    addressPrefix: 'ApiManagement'
    nextHopType: 'Internet'
    hasBgpOverride: false
  }
}
 
Two things the snippet does not show. First, the route table still has to be attached to the API Management subnet (the subnet's routeTable property pointing at this route table), or the route does nothing. Second, because the parent declares routes: [] while the route is a separate child resource, every redeployment of the route table first wipes its routes and the child then re-adds them; declaring the route inside the routes array of the parent avoids that churn. The route only matches traffic to the ApiManagement tag; everything else keeps following the peering or default route, which is the intended outcome.

Happy deployment!
 

References

Private Endpoint Overview (GitHub) (Go here in case there are updates…)
https://github.com/MicrosoftDocs/azure-docs/blob/main/articles/private-link/private-endpoint-overview.md

