The azure-native:appconfiguration:ConfigurationStore resource, part of the Pulumi Azure Native provider, provisions an Azure App Configuration store: a centralized service for managing application settings and feature flags. This guide focuses on three capabilities: store creation with SKU selection, data plane proxy for ARM integration, and authentication mode enforcement.
Configuration stores require an Azure resource group and subscription. Once provisioned, they provide an endpoint where applications retrieve key-value pairs and feature flags. The examples are intentionally small. Combine them with your own network policies, encryption settings, and managed identities.
Create a configuration store with standard SKU
Most deployments start by provisioning a store in a specific region with the Standard SKU, which provides the baseline feature set for centralized configuration.
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
const configurationStore = new azure_native.appconfiguration.ConfigurationStore("configurationStore", {
configStoreName: "contoso",
location: "westus",
resourceGroupName: "myResourceGroup",
sku: {
name: "Standard",
},
tags: {
myTag: "myTagValue",
},
});
import pulumi
import pulumi_azure_native as azure_native
configuration_store = azure_native.appconfiguration.ConfigurationStore("configurationStore",
config_store_name="contoso",
location="westus",
resource_group_name="myResourceGroup",
sku={
"name": "Standard",
},
tags={
"myTag": "myTagValue",
})
package main
import (
appconfiguration "github.com/pulumi/pulumi-azure-native-sdk/appconfiguration/v3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := appconfiguration.NewConfigurationStore(ctx, "configurationStore", &appconfiguration.ConfigurationStoreArgs{
ConfigStoreName: pulumi.String("contoso"),
Location: pulumi.String("westus"),
ResourceGroupName: pulumi.String("myResourceGroup"),
Sku: &appconfiguration.SkuArgs{
Name: pulumi.String("Standard"),
},
Tags: pulumi.StringMap{
"myTag": pulumi.String("myTagValue"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
return await Deployment.RunAsync(() =>
{
var configurationStore = new AzureNative.AppConfiguration.ConfigurationStore("configurationStore", new()
{
ConfigStoreName = "contoso",
Location = "westus",
ResourceGroupName = "myResourceGroup",
Sku = new AzureNative.AppConfiguration.Inputs.SkuArgs
{
Name = "Standard",
},
Tags =
{
{ "myTag", "myTagValue" },
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.appconfiguration.ConfigurationStore;
import com.pulumi.azurenative.appconfiguration.ConfigurationStoreArgs;
import com.pulumi.azurenative.appconfiguration.inputs.SkuArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var configurationStore = new ConfigurationStore("configurationStore", ConfigurationStoreArgs.builder()
.configStoreName("contoso")
.location("westus")
.resourceGroupName("myResourceGroup")
.sku(SkuArgs.builder()
.name("Standard")
.build())
.tags(Map.of("myTag", "myTagValue"))
.build());
}
}
resources:
configurationStore:
type: azure-native:appconfiguration:ConfigurationStore
properties:
configStoreName: contoso
location: westus
resourceGroupName: myResourceGroup
sku:
name: Standard
tags:
myTag: myTagValue
The configStoreName sets a unique identifier within your resource group. The location determines the Azure region where the store runs. The sku property controls the feature tier; Standard provides higher throughput and additional capabilities compared to Free. Tags help organize resources for cost tracking and governance.
Enable data plane proxy for ARM integration
Applications that access configuration through Azure Resource Manager can enable data plane proxy, which routes requests through ARM’s authentication and private link infrastructure.
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
const configurationStore = new azure_native.appconfiguration.ConfigurationStore("configurationStore", {
configStoreName: "contoso",
dataPlaneProxy: {
authenticationMode: azure_native.appconfiguration.AuthenticationMode.Pass_through,
privateLinkDelegation: azure_native.appconfiguration.PrivateLinkDelegation.Enabled,
},
location: "westus",
resourceGroupName: "myResourceGroup",
sku: {
name: "Standard",
},
});
import pulumi
import pulumi_azure_native as azure_native
configuration_store = azure_native.appconfiguration.ConfigurationStore("configurationStore",
config_store_name="contoso",
data_plane_proxy={
"authentication_mode": azure_native.appconfiguration.AuthenticationMode.PASS_THROUGH,
"private_link_delegation": azure_native.appconfiguration.PrivateLinkDelegation.ENABLED,
},
location="westus",
resource_group_name="myResourceGroup",
sku={
"name": "Standard",
})
package main
import (
appconfiguration "github.com/pulumi/pulumi-azure-native-sdk/appconfiguration/v3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := appconfiguration.NewConfigurationStore(ctx, "configurationStore", &appconfiguration.ConfigurationStoreArgs{
ConfigStoreName: pulumi.String("contoso"),
DataPlaneProxy: &appconfiguration.DataPlaneProxyPropertiesArgs{
AuthenticationMode: pulumi.String(appconfiguration.AuthenticationMode_Pass_Through),
PrivateLinkDelegation: pulumi.String(appconfiguration.PrivateLinkDelegationEnabled),
},
Location: pulumi.String("westus"),
ResourceGroupName: pulumi.String("myResourceGroup"),
Sku: &appconfiguration.SkuArgs{
Name: pulumi.String("Standard"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
return await Deployment.RunAsync(() =>
{
var configurationStore = new AzureNative.AppConfiguration.ConfigurationStore("configurationStore", new()
{
ConfigStoreName = "contoso",
DataPlaneProxy = new AzureNative.AppConfiguration.Inputs.DataPlaneProxyPropertiesArgs
{
AuthenticationMode = AzureNative.AppConfiguration.AuthenticationMode.Pass_through,
PrivateLinkDelegation = AzureNative.AppConfiguration.PrivateLinkDelegation.Enabled,
},
Location = "westus",
ResourceGroupName = "myResourceGroup",
Sku = new AzureNative.AppConfiguration.Inputs.SkuArgs
{
Name = "Standard",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.appconfiguration.ConfigurationStore;
import com.pulumi.azurenative.appconfiguration.ConfigurationStoreArgs;
import com.pulumi.azurenative.appconfiguration.inputs.DataPlaneProxyPropertiesArgs;
import com.pulumi.azurenative.appconfiguration.inputs.SkuArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var configurationStore = new ConfigurationStore("configurationStore", ConfigurationStoreArgs.builder()
.configStoreName("contoso")
.dataPlaneProxy(DataPlaneProxyPropertiesArgs.builder()
.authenticationMode("Pass-through")
.privateLinkDelegation("Enabled")
.build())
.location("westus")
.resourceGroupName("myResourceGroup")
.sku(SkuArgs.builder()
.name("Standard")
.build())
.build());
}
}
resources:
configurationStore:
type: azure-native:appconfiguration:ConfigurationStore
properties:
configStoreName: contoso
dataPlaneProxy:
authenticationMode: Pass-through
privateLinkDelegation: Enabled
location: westus
resourceGroupName: myResourceGroup
sku:
name: Standard
When dataPlaneProxy is configured, configuration requests flow through ARM rather than directly to the store endpoint. The authenticationMode property set to “Pass-through” forwards the caller’s identity to the store. The privateLinkDelegation property set to “Enabled” allows private endpoint connections to route through ARM’s network path.
Require Azure AD authentication only
Security-conscious deployments disable local authentication (access keys) to enforce Azure AD-based access control.
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
const configurationStore = new azure_native.appconfiguration.ConfigurationStore("configurationStore", {
configStoreName: "contoso",
disableLocalAuth: true,
location: "westus",
resourceGroupName: "myResourceGroup",
sku: {
name: "Standard",
},
});
import pulumi
import pulumi_azure_native as azure_native
configuration_store = azure_native.appconfiguration.ConfigurationStore("configurationStore",
config_store_name="contoso",
disable_local_auth=True,
location="westus",
resource_group_name="myResourceGroup",
sku={
"name": "Standard",
})
package main
import (
appconfiguration "github.com/pulumi/pulumi-azure-native-sdk/appconfiguration/v3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := appconfiguration.NewConfigurationStore(ctx, "configurationStore", &appconfiguration.ConfigurationStoreArgs{
ConfigStoreName: pulumi.String("contoso"),
DisableLocalAuth: pulumi.Bool(true),
Location: pulumi.String("westus"),
ResourceGroupName: pulumi.String("myResourceGroup"),
Sku: &appconfiguration.SkuArgs{
Name: pulumi.String("Standard"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
return await Deployment.RunAsync(() =>
{
var configurationStore = new AzureNative.AppConfiguration.ConfigurationStore("configurationStore", new()
{
ConfigStoreName = "contoso",
DisableLocalAuth = true,
Location = "westus",
ResourceGroupName = "myResourceGroup",
Sku = new AzureNative.AppConfiguration.Inputs.SkuArgs
{
Name = "Standard",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.appconfiguration.ConfigurationStore;
import com.pulumi.azurenative.appconfiguration.ConfigurationStoreArgs;
import com.pulumi.azurenative.appconfiguration.inputs.SkuArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var configurationStore = new ConfigurationStore("configurationStore", ConfigurationStoreArgs.builder()
.configStoreName("contoso")
.disableLocalAuth(true)
.location("westus")
.resourceGroupName("myResourceGroup")
.sku(SkuArgs.builder()
.name("Standard")
.build())
.build());
}
}
resources:
configurationStore:
type: azure-native:appconfiguration:ConfigurationStore
properties:
configStoreName: contoso
disableLocalAuth: true
location: westus
resourceGroupName: myResourceGroup
sku:
name: Standard
Setting disableLocalAuth to true removes the ability to authenticate using connection strings or access keys. All access must use Azure AD identities with appropriate role assignments. This enforces identity-based access control and eliminates shared secret management.
Beyond these examples
These snippets focus on specific configuration store features: SKU selection and regional placement, data plane proxy and ARM integration, and authentication mode controls. They’re intentionally minimal rather than full configuration management solutions.
The examples require pre-existing infrastructure such as Azure resource groups and Azure subscriptions with appropriate permissions. They focus on configuring the store rather than provisioning the surrounding infrastructure.
To keep things focused, common store patterns are omitted, including:
- Customer-managed encryption keys (encryption property)
- Managed identity configuration (identity property)
- Network access controls (publicNetworkAccess)
- Soft delete and purge protection settings
These omissions are intentional: the goal is to illustrate how each store feature is wired, not provide drop-in configuration modules. See the App Configuration ConfigurationStore resource reference for all available configuration options.
Let's create Azure App Configuration Stores
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Resource Configuration & Immutability
location, configStoreName, createMode, and resourceGroupName.pulumi package add azure-native appconfiguration [ApiVersion].Authentication & Security
disableLocalAuth to true to disable all authentication methods other than AAD authentication. This property defaults to false.dataPlaneProxy with authenticationMode (e.g., Pass-through) and privateLinkDelegation (e.g., Enabled) to specify data plane proxy settings for Azure Resource Manager.publicNetworkAccess property to control permission for data plane traffic coming from public networks while private endpoint is enabled.Data Protection & Recovery
softDeleteRetentionInDays property.enablePurgeProtection to true to prevent the configuration store from being permanently deleted during the soft delete retention period. This property defaults to false.SKU & Pricing Tier
Standard SKU. Specify the SKU using the sku property with a name field.Using a different cloud?
Explore integration guides for other cloud providers: