The azure-native:batch:BatchAccount resource, part of the Pulumi Azure Native provider, defines an Azure Batch account: the top-level container for pools, jobs, and compute resources. This guide focuses on four capabilities: storage account integration, pool allocation modes, managed identity configuration, and network access controls.
Batch accounts reference existing Storage accounts for application packages and outputs, Key Vault instances for certificate management, and resource groups. The examples are intentionally small. Combine them with your own storage, networking, and identity infrastructure.
Create a Batch account with linked storage
Most deployments start by linking a Batch account to a Storage account for application packages, task outputs, and resource files.
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
const batchAccount = new azure_native.batch.BatchAccount("batchAccount", {
accountName: "sampleacct",
autoStorage: {
storageAccountId: "/subscriptions/subid/resourceGroups/default-azurebatch-japaneast/providers/Microsoft.Storage/storageAccounts/samplestorage",
},
location: "japaneast",
resourceGroupName: "default-azurebatch-japaneast",
});
import pulumi
import pulumi_azure_native as azure_native
batch_account = azure_native.batch.BatchAccount("batchAccount",
account_name="sampleacct",
auto_storage={
"storage_account_id": "/subscriptions/subid/resourceGroups/default-azurebatch-japaneast/providers/Microsoft.Storage/storageAccounts/samplestorage",
},
location="japaneast",
resource_group_name="default-azurebatch-japaneast")
package main
import (
batch "github.com/pulumi/pulumi-azure-native-sdk/batch/v3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := batch.NewBatchAccount(ctx, "batchAccount", &batch.BatchAccountArgs{
AccountName: pulumi.String("sampleacct"),
AutoStorage: &batch.AutoStorageBasePropertiesArgs{
StorageAccountId: pulumi.String("/subscriptions/subid/resourceGroups/default-azurebatch-japaneast/providers/Microsoft.Storage/storageAccounts/samplestorage"),
},
Location: pulumi.String("japaneast"),
ResourceGroupName: pulumi.String("default-azurebatch-japaneast"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
return await Deployment.RunAsync(() =>
{
var batchAccount = new AzureNative.Batch.BatchAccount("batchAccount", new()
{
AccountName = "sampleacct",
AutoStorage = new AzureNative.Batch.Inputs.AutoStorageBasePropertiesArgs
{
StorageAccountId = "/subscriptions/subid/resourceGroups/default-azurebatch-japaneast/providers/Microsoft.Storage/storageAccounts/samplestorage",
},
Location = "japaneast",
ResourceGroupName = "default-azurebatch-japaneast",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.batch.BatchAccount;
import com.pulumi.azurenative.batch.BatchAccountArgs;
import com.pulumi.azurenative.batch.inputs.AutoStorageBasePropertiesArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var batchAccount = new BatchAccount("batchAccount", BatchAccountArgs.builder()
.accountName("sampleacct")
.autoStorage(AutoStorageBasePropertiesArgs.builder()
.storageAccountId("/subscriptions/subid/resourceGroups/default-azurebatch-japaneast/providers/Microsoft.Storage/storageAccounts/samplestorage")
.build())
.location("japaneast")
.resourceGroupName("default-azurebatch-japaneast")
.build());
}
}
resources:
batchAccount:
type: azure-native:batch:BatchAccount
properties:
accountName: sampleacct
autoStorage:
storageAccountId: /subscriptions/subid/resourceGroups/default-azurebatch-japaneast/providers/Microsoft.Storage/storageAccounts/samplestorage
location: japaneast
resourceGroupName: default-azurebatch-japaneast
The autoStorage property connects your Batch account to an existing Storage account via its resource ID. The accountName must be globally unique within Azure (3-24 characters, lowercase letters and numbers only). The location determines which Azure region hosts the account.
Use your own subscription for pool allocation
Organizations that need direct control over compute resources can configure Batch to create pools in their subscription rather than in a Batch-managed subscription.
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
const batchAccount = new azure_native.batch.BatchAccount("batchAccount", {
accountName: "sampleacct",
autoStorage: {
storageAccountId: "/subscriptions/subid/resourceGroups/default-azurebatch-japaneast/providers/Microsoft.Storage/storageAccounts/samplestorage",
},
keyVaultReference: {
id: "/subscriptions/subid/resourceGroups/default-azurebatch-japaneast/providers/Microsoft.KeyVault/vaults/sample",
url: "http://sample.vault.azure.net/",
},
location: "japaneast",
poolAllocationMode: azure_native.batch.PoolAllocationMode.UserSubscription,
resourceGroupName: "default-azurebatch-japaneast",
});
import pulumi
import pulumi_azure_native as azure_native
batch_account = azure_native.batch.BatchAccount("batchAccount",
account_name="sampleacct",
auto_storage={
"storage_account_id": "/subscriptions/subid/resourceGroups/default-azurebatch-japaneast/providers/Microsoft.Storage/storageAccounts/samplestorage",
},
key_vault_reference={
"id": "/subscriptions/subid/resourceGroups/default-azurebatch-japaneast/providers/Microsoft.KeyVault/vaults/sample",
"url": "http://sample.vault.azure.net/",
},
location="japaneast",
pool_allocation_mode=azure_native.batch.PoolAllocationMode.USER_SUBSCRIPTION,
resource_group_name="default-azurebatch-japaneast")
package main
import (
batch "github.com/pulumi/pulumi-azure-native-sdk/batch/v3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := batch.NewBatchAccount(ctx, "batchAccount", &batch.BatchAccountArgs{
AccountName: pulumi.String("sampleacct"),
AutoStorage: &batch.AutoStorageBasePropertiesArgs{
StorageAccountId: pulumi.String("/subscriptions/subid/resourceGroups/default-azurebatch-japaneast/providers/Microsoft.Storage/storageAccounts/samplestorage"),
},
KeyVaultReference: &batch.KeyVaultReferenceArgs{
Id: pulumi.String("/subscriptions/subid/resourceGroups/default-azurebatch-japaneast/providers/Microsoft.KeyVault/vaults/sample"),
Url: pulumi.String("http://sample.vault.azure.net/"),
},
Location: pulumi.String("japaneast"),
PoolAllocationMode: batch.PoolAllocationModeUserSubscription,
ResourceGroupName: pulumi.String("default-azurebatch-japaneast"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
return await Deployment.RunAsync(() =>
{
var batchAccount = new AzureNative.Batch.BatchAccount("batchAccount", new()
{
AccountName = "sampleacct",
AutoStorage = new AzureNative.Batch.Inputs.AutoStorageBasePropertiesArgs
{
StorageAccountId = "/subscriptions/subid/resourceGroups/default-azurebatch-japaneast/providers/Microsoft.Storage/storageAccounts/samplestorage",
},
KeyVaultReference = new AzureNative.Batch.Inputs.KeyVaultReferenceArgs
{
Id = "/subscriptions/subid/resourceGroups/default-azurebatch-japaneast/providers/Microsoft.KeyVault/vaults/sample",
Url = "http://sample.vault.azure.net/",
},
Location = "japaneast",
PoolAllocationMode = AzureNative.Batch.PoolAllocationMode.UserSubscription,
ResourceGroupName = "default-azurebatch-japaneast",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.batch.BatchAccount;
import com.pulumi.azurenative.batch.BatchAccountArgs;
import com.pulumi.azurenative.batch.inputs.AutoStorageBasePropertiesArgs;
import com.pulumi.azurenative.batch.inputs.KeyVaultReferenceArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var batchAccount = new BatchAccount("batchAccount", BatchAccountArgs.builder()
.accountName("sampleacct")
.autoStorage(AutoStorageBasePropertiesArgs.builder()
.storageAccountId("/subscriptions/subid/resourceGroups/default-azurebatch-japaneast/providers/Microsoft.Storage/storageAccounts/samplestorage")
.build())
.keyVaultReference(KeyVaultReferenceArgs.builder()
.id("/subscriptions/subid/resourceGroups/default-azurebatch-japaneast/providers/Microsoft.KeyVault/vaults/sample")
.url("http://sample.vault.azure.net/")
.build())
.location("japaneast")
.poolAllocationMode("UserSubscription")
.resourceGroupName("default-azurebatch-japaneast")
.build());
}
}
resources:
batchAccount:
type: azure-native:batch:BatchAccount
properties:
accountName: sampleacct
autoStorage:
storageAccountId: /subscriptions/subid/resourceGroups/default-azurebatch-japaneast/providers/Microsoft.Storage/storageAccounts/samplestorage
keyVaultReference:
id: /subscriptions/subid/resourceGroups/default-azurebatch-japaneast/providers/Microsoft.KeyVault/vaults/sample
url: http://sample.vault.azure.net/
location: japaneast
poolAllocationMode: UserSubscription
resourceGroupName: default-azurebatch-japaneast
The poolAllocationMode property set to UserSubscription places pool VMs directly in your subscription, giving you visibility and control over compute resources. This mode requires keyVaultReference for certificate management. Key Vault stores certificates that Batch uses to authenticate pool nodes.
Enable managed identity for Azure resource access
Batch accounts can use system-assigned managed identities to authenticate to other Azure services without storing credentials.
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
const batchAccount = new azure_native.batch.BatchAccount("batchAccount", {
accountName: "sampleacct",
autoStorage: {
storageAccountId: "/subscriptions/subid/resourceGroups/default-azurebatch-japaneast/providers/Microsoft.Storage/storageAccounts/samplestorage",
},
identity: {
type: azure_native.batch.ResourceIdentityType.SystemAssigned,
},
location: "japaneast",
resourceGroupName: "default-azurebatch-japaneast",
});
import pulumi
import pulumi_azure_native as azure_native
batch_account = azure_native.batch.BatchAccount("batchAccount",
account_name="sampleacct",
auto_storage={
"storage_account_id": "/subscriptions/subid/resourceGroups/default-azurebatch-japaneast/providers/Microsoft.Storage/storageAccounts/samplestorage",
},
identity={
"type": azure_native.batch.ResourceIdentityType.SYSTEM_ASSIGNED,
},
location="japaneast",
resource_group_name="default-azurebatch-japaneast")
package main
import (
batch "github.com/pulumi/pulumi-azure-native-sdk/batch/v3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := batch.NewBatchAccount(ctx, "batchAccount", &batch.BatchAccountArgs{
AccountName: pulumi.String("sampleacct"),
AutoStorage: &batch.AutoStorageBasePropertiesArgs{
StorageAccountId: pulumi.String("/subscriptions/subid/resourceGroups/default-azurebatch-japaneast/providers/Microsoft.Storage/storageAccounts/samplestorage"),
},
Identity: &batch.BatchAccountIdentityArgs{
Type: batch.ResourceIdentityTypeSystemAssigned,
},
Location: pulumi.String("japaneast"),
ResourceGroupName: pulumi.String("default-azurebatch-japaneast"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
return await Deployment.RunAsync(() =>
{
var batchAccount = new AzureNative.Batch.BatchAccount("batchAccount", new()
{
AccountName = "sampleacct",
AutoStorage = new AzureNative.Batch.Inputs.AutoStorageBasePropertiesArgs
{
StorageAccountId = "/subscriptions/subid/resourceGroups/default-azurebatch-japaneast/providers/Microsoft.Storage/storageAccounts/samplestorage",
},
Identity = new AzureNative.Batch.Inputs.BatchAccountIdentityArgs
{
Type = AzureNative.Batch.ResourceIdentityType.SystemAssigned,
},
Location = "japaneast",
ResourceGroupName = "default-azurebatch-japaneast",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.batch.BatchAccount;
import com.pulumi.azurenative.batch.BatchAccountArgs;
import com.pulumi.azurenative.batch.inputs.AutoStorageBasePropertiesArgs;
import com.pulumi.azurenative.batch.inputs.BatchAccountIdentityArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var batchAccount = new BatchAccount("batchAccount", BatchAccountArgs.builder()
.accountName("sampleacct")
.autoStorage(AutoStorageBasePropertiesArgs.builder()
.storageAccountId("/subscriptions/subid/resourceGroups/default-azurebatch-japaneast/providers/Microsoft.Storage/storageAccounts/samplestorage")
.build())
.identity(BatchAccountIdentityArgs.builder()
.type("SystemAssigned")
.build())
.location("japaneast")
.resourceGroupName("default-azurebatch-japaneast")
.build());
}
}
resources:
batchAccount:
type: azure-native:batch:BatchAccount
properties:
accountName: sampleacct
autoStorage:
storageAccountId: /subscriptions/subid/resourceGroups/default-azurebatch-japaneast/providers/Microsoft.Storage/storageAccounts/samplestorage
identity:
type: SystemAssigned
location: japaneast
resourceGroupName: default-azurebatch-japaneast
The identity property with type SystemAssigned creates a managed identity that Azure automatically provisions and manages. This identity can authenticate to Storage, Key Vault, or other Azure services without explicit credentials. You grant permissions by assigning Azure roles to the identity after account creation.
Restrict access to private networks only
Compliance requirements may mandate that Batch accounts reject public internet access and operate exclusively through private endpoints.
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
const batchAccount = new azure_native.batch.BatchAccount("batchAccount", {
accountName: "sampleacct",
autoStorage: {
storageAccountId: "/subscriptions/subid/resourceGroups/default-azurebatch-japaneast/providers/Microsoft.Storage/storageAccounts/samplestorage",
},
keyVaultReference: {
id: "/subscriptions/subid/resourceGroups/default-azurebatch-japaneast/providers/Microsoft.KeyVault/vaults/sample",
url: "http://sample.vault.azure.net/",
},
location: "japaneast",
publicNetworkAccess: azure_native.batch.PublicNetworkAccessType.Disabled,
resourceGroupName: "default-azurebatch-japaneast",
});
import pulumi
import pulumi_azure_native as azure_native
batch_account = azure_native.batch.BatchAccount("batchAccount",
account_name="sampleacct",
auto_storage={
"storage_account_id": "/subscriptions/subid/resourceGroups/default-azurebatch-japaneast/providers/Microsoft.Storage/storageAccounts/samplestorage",
},
key_vault_reference={
"id": "/subscriptions/subid/resourceGroups/default-azurebatch-japaneast/providers/Microsoft.KeyVault/vaults/sample",
"url": "http://sample.vault.azure.net/",
},
location="japaneast",
public_network_access=azure_native.batch.PublicNetworkAccessType.DISABLED,
resource_group_name="default-azurebatch-japaneast")
package main
import (
batch "github.com/pulumi/pulumi-azure-native-sdk/batch/v3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := batch.NewBatchAccount(ctx, "batchAccount", &batch.BatchAccountArgs{
AccountName: pulumi.String("sampleacct"),
AutoStorage: &batch.AutoStorageBasePropertiesArgs{
StorageAccountId: pulumi.String("/subscriptions/subid/resourceGroups/default-azurebatch-japaneast/providers/Microsoft.Storage/storageAccounts/samplestorage"),
},
KeyVaultReference: &batch.KeyVaultReferenceArgs{
Id: pulumi.String("/subscriptions/subid/resourceGroups/default-azurebatch-japaneast/providers/Microsoft.KeyVault/vaults/sample"),
Url: pulumi.String("http://sample.vault.azure.net/"),
},
Location: pulumi.String("japaneast"),
PublicNetworkAccess: batch.PublicNetworkAccessTypeDisabled,
ResourceGroupName: pulumi.String("default-azurebatch-japaneast"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
return await Deployment.RunAsync(() =>
{
var batchAccount = new AzureNative.Batch.BatchAccount("batchAccount", new()
{
AccountName = "sampleacct",
AutoStorage = new AzureNative.Batch.Inputs.AutoStorageBasePropertiesArgs
{
StorageAccountId = "/subscriptions/subid/resourceGroups/default-azurebatch-japaneast/providers/Microsoft.Storage/storageAccounts/samplestorage",
},
KeyVaultReference = new AzureNative.Batch.Inputs.KeyVaultReferenceArgs
{
Id = "/subscriptions/subid/resourceGroups/default-azurebatch-japaneast/providers/Microsoft.KeyVault/vaults/sample",
Url = "http://sample.vault.azure.net/",
},
Location = "japaneast",
PublicNetworkAccess = AzureNative.Batch.PublicNetworkAccessType.Disabled,
ResourceGroupName = "default-azurebatch-japaneast",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.batch.BatchAccount;
import com.pulumi.azurenative.batch.BatchAccountArgs;
import com.pulumi.azurenative.batch.inputs.AutoStorageBasePropertiesArgs;
import com.pulumi.azurenative.batch.inputs.KeyVaultReferenceArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var batchAccount = new BatchAccount("batchAccount", BatchAccountArgs.builder()
.accountName("sampleacct")
.autoStorage(AutoStorageBasePropertiesArgs.builder()
.storageAccountId("/subscriptions/subid/resourceGroups/default-azurebatch-japaneast/providers/Microsoft.Storage/storageAccounts/samplestorage")
.build())
.keyVaultReference(KeyVaultReferenceArgs.builder()
.id("/subscriptions/subid/resourceGroups/default-azurebatch-japaneast/providers/Microsoft.KeyVault/vaults/sample")
.url("http://sample.vault.azure.net/")
.build())
.location("japaneast")
.publicNetworkAccess("Disabled")
.resourceGroupName("default-azurebatch-japaneast")
.build());
}
}
resources:
batchAccount:
type: azure-native:batch:BatchAccount
properties:
accountName: sampleacct
autoStorage:
storageAccountId: /subscriptions/subid/resourceGroups/default-azurebatch-japaneast/providers/Microsoft.Storage/storageAccounts/samplestorage
keyVaultReference:
id: /subscriptions/subid/resourceGroups/default-azurebatch-japaneast/providers/Microsoft.KeyVault/vaults/sample
url: http://sample.vault.azure.net/
location: japaneast
publicNetworkAccess: Disabled
resourceGroupName: default-azurebatch-japaneast
The publicNetworkAccess property set to Disabled blocks all public internet connectivity to the Batch account. Access requires private endpoints (configured separately) that connect through your virtual network. This configuration also includes keyVaultReference because private accounts typically need Key Vault for certificate management.
Beyond these examples
These snippets focus on specific Batch account features: storage account integration, pool allocation modes and Key Vault references, and managed identity and network access controls. They’re intentionally minimal rather than full compute environments.
The examples reference pre-existing infrastructure such as Storage accounts for application packages and outputs, Key Vault instances for certificate management, and resource groups and Azure subscriptions. They focus on configuring the account rather than provisioning everything around it.
To keep things focused, common account patterns are omitted, including:
- Encryption configuration (customer-managed keys)
- Network profiles and private endpoint setup
- Authentication mode restrictions (allowedAuthenticationModes)
- Tags for cost tracking and organization
These omissions are intentional: the goal is to illustrate how each account feature is wired, not provide drop-in Batch modules. See the Batch Account resource reference for all available configuration options.
Let's create Azure Batch Accounts
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Account Configuration & Naming
What properties can't I change after creating a Batch account?
The
accountName and resourceGroupName properties are immutable and cannot be changed after creation. Changing these values requires recreating the Batch account.What are the naming requirements for Batch account names?
Batch account names must be 3-24 characters long, use only lowercase letters and numbers, and be unique within the Azure region. The name becomes part of the DNS endpoint (e.g.,
http://accountname.region.batch.azure.com/).Is autoStorage required when creating a Batch account?
Yes,
autoStorage is a required property. You must provide a storageAccountId linking to an Azure Storage account, as shown in all the examples.Pool Allocation & Authentication
What's the difference between BatchService and UserSubscription pool allocation modes?
BatchService (the default) allows authentication using access keys or Microsoft Entra ID, while UserSubscription requires Microsoft Entra ID authentication only. UserSubscription mode also requires a
keyVaultReference and manages quotas at the subscription level instead of the account level.Why aren't quota values returned for my Batch account?
When
poolAllocationMode is set to UserSubscription, quota properties like dedicatedCoreQuota and lowPriorityCoreQuota aren’t returned because quotas are managed at the subscription level, not the account level.What does allowedAuthenticationModes control?
The
allowedAuthenticationModes property controls which authentication methods can be used with the data plane. It does not affect control plane authentication.When do I need to configure a Key Vault reference?
A
keyVaultReference is required when using UserSubscription pool allocation mode. Provide both the Key Vault id and url properties.Security & Networking
How do I create a private Batch account that blocks public network access?
Set
publicNetworkAccess to Disabled. Public network access is enabled by default if not specified.How do I configure a system-assigned managed identity for my Batch account?
Set the
identity property with type as SystemAssigned.When does the networkProfile property take effect?
The
networkProfile property only takes effect when publicNetworkAccess is enabled.