The azure-native:network:PrivateEndpoint resource, part of the Pulumi Azure Native provider, creates a private endpoint that establishes private connectivity to Azure services through a VNet subnet. This guide focuses on four capabilities: Private Link service connections, static IP configuration, application security group integration, and manual approval workflows.
Private endpoints require an existing VNet with subnets and reference Private Link services or Azure PaaS services that support private connectivity. The examples are intentionally small. Combine them with your own VNet infrastructure and DNS configuration.
Connect to a Private Link service with static IP
Most private connectivity scenarios start by creating an endpoint in your VNet that connects to an Azure service without traversing the public internet.
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
const privateEndpoint = new azure_native.network.PrivateEndpoint("privateEndpoint", {
customNetworkInterfaceName: "testPeNic",
ipConfigurations: [{
groupId: "file",
memberName: "file",
name: "pestaticconfig",
privateIPAddress: "192.168.0.6",
}],
location: "eastus2euap",
privateEndpointName: "testPe",
privateLinkServiceConnections: [{
groupIds: ["groupIdFromResource"],
privateLinkServiceId: "/subscriptions/subId/resourceGroups/rg1/providers/Microsoft.Network/privateLinkServices/testPls",
requestMessage: "Please approve my connection.",
}],
resourceGroupName: "rg1",
subnet: {
id: "/subscriptions/subId/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/myVnet/subnets/mySubnet",
},
});
import pulumi
import pulumi_azure_native as azure_native
private_endpoint = azure_native.network.PrivateEndpoint("privateEndpoint",
custom_network_interface_name="testPeNic",
ip_configurations=[{
"group_id": "file",
"member_name": "file",
"name": "pestaticconfig",
"private_ip_address": "192.168.0.6",
}],
location="eastus2euap",
private_endpoint_name="testPe",
private_link_service_connections=[{
"group_ids": ["groupIdFromResource"],
"private_link_service_id": "/subscriptions/subId/resourceGroups/rg1/providers/Microsoft.Network/privateLinkServices/testPls",
"request_message": "Please approve my connection.",
}],
resource_group_name="rg1",
subnet={
"id": "/subscriptions/subId/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/myVnet/subnets/mySubnet",
})
package main
import (
network "github.com/pulumi/pulumi-azure-native-sdk/network/v3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := network.NewPrivateEndpoint(ctx, "privateEndpoint", &network.PrivateEndpointArgs{
CustomNetworkInterfaceName: pulumi.String("testPeNic"),
IpConfigurations: network.PrivateEndpointIPConfigurationArray{
&network.PrivateEndpointIPConfigurationArgs{
GroupId: pulumi.String("file"),
MemberName: pulumi.String("file"),
Name: pulumi.String("pestaticconfig"),
PrivateIPAddress: pulumi.String("192.168.0.6"),
},
},
Location: pulumi.String("eastus2euap"),
PrivateEndpointName: pulumi.String("testPe"),
PrivateLinkServiceConnections: network.PrivateLinkServiceConnectionArray{
&network.PrivateLinkServiceConnectionArgs{
GroupIds: pulumi.StringArray{
pulumi.String("groupIdFromResource"),
},
PrivateLinkServiceId: pulumi.String("/subscriptions/subId/resourceGroups/rg1/providers/Microsoft.Network/privateLinkServices/testPls"),
RequestMessage: pulumi.String("Please approve my connection."),
},
},
ResourceGroupName: pulumi.String("rg1"),
Subnet: &network.SubnetTypeArgs{
Id: pulumi.String("/subscriptions/subId/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/myVnet/subnets/mySubnet"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
return await Deployment.RunAsync(() =>
{
var privateEndpoint = new AzureNative.Network.PrivateEndpoint("privateEndpoint", new()
{
CustomNetworkInterfaceName = "testPeNic",
IpConfigurations = new[]
{
new AzureNative.Network.Inputs.PrivateEndpointIPConfigurationArgs
{
GroupId = "file",
MemberName = "file",
Name = "pestaticconfig",
PrivateIPAddress = "192.168.0.6",
},
},
Location = "eastus2euap",
PrivateEndpointName = "testPe",
PrivateLinkServiceConnections = new[]
{
new AzureNative.Network.Inputs.PrivateLinkServiceConnectionArgs
{
GroupIds = new[]
{
"groupIdFromResource",
},
PrivateLinkServiceId = "/subscriptions/subId/resourceGroups/rg1/providers/Microsoft.Network/privateLinkServices/testPls",
RequestMessage = "Please approve my connection.",
},
},
ResourceGroupName = "rg1",
Subnet = new AzureNative.Network.Inputs.SubnetArgs
{
Id = "/subscriptions/subId/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/myVnet/subnets/mySubnet",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.network.PrivateEndpoint;
import com.pulumi.azurenative.network.PrivateEndpointArgs;
import com.pulumi.azurenative.network.inputs.PrivateEndpointIPConfigurationArgs;
import com.pulumi.azurenative.network.inputs.PrivateLinkServiceConnectionArgs;
import com.pulumi.azurenative.network.inputs.SubnetArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var privateEndpoint = new PrivateEndpoint("privateEndpoint", PrivateEndpointArgs.builder()
.customNetworkInterfaceName("testPeNic")
.ipConfigurations(PrivateEndpointIPConfigurationArgs.builder()
.groupId("file")
.memberName("file")
.name("pestaticconfig")
.privateIPAddress("192.168.0.6")
.build())
.location("eastus2euap")
.privateEndpointName("testPe")
.privateLinkServiceConnections(PrivateLinkServiceConnectionArgs.builder()
.groupIds("groupIdFromResource")
.privateLinkServiceId("/subscriptions/subId/resourceGroups/rg1/providers/Microsoft.Network/privateLinkServices/testPls")
.requestMessage("Please approve my connection.")
.build())
.resourceGroupName("rg1")
.subnet(SubnetArgs.builder()
.id("/subscriptions/subId/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/myVnet/subnets/mySubnet")
.build())
.build());
}
}
resources:
privateEndpoint:
type: azure-native:network:PrivateEndpoint
properties:
customNetworkInterfaceName: testPeNic
ipConfigurations:
- groupId: file
memberName: file
name: pestaticconfig
privateIPAddress: 192.168.0.6
location: eastus2euap
privateEndpointName: testPe
privateLinkServiceConnections:
- groupIds:
- groupIdFromResource
privateLinkServiceId: /subscriptions/subId/resourceGroups/rg1/providers/Microsoft.Network/privateLinkServices/testPls
requestMessage: Please approve my connection.
resourceGroupName: rg1
subnet:
id: /subscriptions/subId/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/myVnet/subnets/mySubnet
The subnet property places the endpoint in your VNet, allocating a private IP from that subnet’s address space. The privateLinkServiceConnections property defines the target service and subresource (groupId). The ipConfigurations array lets you specify a static IP address instead of accepting a dynamic assignment; groupId and memberName identify which service subresource receives the IP.
Apply network security policies with application security groups
When private endpoints need to participate in network security rules, you can associate them with application security groups.
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
const privateEndpoint = new azure_native.network.PrivateEndpoint("privateEndpoint", {
applicationSecurityGroups: [{
id: "/subscriptions/subId/resourceGroups/rg1/provders/Microsoft.Network/applicationSecurityGroup/asg1",
}],
location: "eastus2euap",
privateEndpointName: "testPe",
privateLinkServiceConnections: [{
groupIds: ["groupIdFromResource"],
privateLinkServiceId: "/subscriptions/subId/resourceGroups/rg1/providers/Microsoft.Network/privateLinkServices/testPls",
requestMessage: "Please approve my connection.",
}],
resourceGroupName: "rg1",
subnet: {
id: "/subscriptions/subId/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/myVnet/subnets/mySubnet",
},
});
import pulumi
import pulumi_azure_native as azure_native
private_endpoint = azure_native.network.PrivateEndpoint("privateEndpoint",
application_security_groups=[{
"id": "/subscriptions/subId/resourceGroups/rg1/provders/Microsoft.Network/applicationSecurityGroup/asg1",
}],
location="eastus2euap",
private_endpoint_name="testPe",
private_link_service_connections=[{
"group_ids": ["groupIdFromResource"],
"private_link_service_id": "/subscriptions/subId/resourceGroups/rg1/providers/Microsoft.Network/privateLinkServices/testPls",
"request_message": "Please approve my connection.",
}],
resource_group_name="rg1",
subnet={
"id": "/subscriptions/subId/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/myVnet/subnets/mySubnet",
})
package main
import (
network "github.com/pulumi/pulumi-azure-native-sdk/network/v3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := network.NewPrivateEndpoint(ctx, "privateEndpoint", &network.PrivateEndpointArgs{
ApplicationSecurityGroups: network.ApplicationSecurityGroupTypeArray{
&network.ApplicationSecurityGroupTypeArgs{
Id: pulumi.String("/subscriptions/subId/resourceGroups/rg1/provders/Microsoft.Network/applicationSecurityGroup/asg1"),
},
},
Location: pulumi.String("eastus2euap"),
PrivateEndpointName: pulumi.String("testPe"),
PrivateLinkServiceConnections: network.PrivateLinkServiceConnectionArray{
&network.PrivateLinkServiceConnectionArgs{
GroupIds: pulumi.StringArray{
pulumi.String("groupIdFromResource"),
},
PrivateLinkServiceId: pulumi.String("/subscriptions/subId/resourceGroups/rg1/providers/Microsoft.Network/privateLinkServices/testPls"),
RequestMessage: pulumi.String("Please approve my connection."),
},
},
ResourceGroupName: pulumi.String("rg1"),
Subnet: &network.SubnetTypeArgs{
Id: pulumi.String("/subscriptions/subId/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/myVnet/subnets/mySubnet"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
return await Deployment.RunAsync(() =>
{
var privateEndpoint = new AzureNative.Network.PrivateEndpoint("privateEndpoint", new()
{
ApplicationSecurityGroups = new[]
{
new AzureNative.Network.Inputs.ApplicationSecurityGroupArgs
{
Id = "/subscriptions/subId/resourceGroups/rg1/provders/Microsoft.Network/applicationSecurityGroup/asg1",
},
},
Location = "eastus2euap",
PrivateEndpointName = "testPe",
PrivateLinkServiceConnections = new[]
{
new AzureNative.Network.Inputs.PrivateLinkServiceConnectionArgs
{
GroupIds = new[]
{
"groupIdFromResource",
},
PrivateLinkServiceId = "/subscriptions/subId/resourceGroups/rg1/providers/Microsoft.Network/privateLinkServices/testPls",
RequestMessage = "Please approve my connection.",
},
},
ResourceGroupName = "rg1",
Subnet = new AzureNative.Network.Inputs.SubnetArgs
{
Id = "/subscriptions/subId/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/myVnet/subnets/mySubnet",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.network.PrivateEndpoint;
import com.pulumi.azurenative.network.PrivateEndpointArgs;
import com.pulumi.azurenative.network.inputs.ApplicationSecurityGroupArgs;
import com.pulumi.azurenative.network.inputs.PrivateLinkServiceConnectionArgs;
import com.pulumi.azurenative.network.inputs.SubnetArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var privateEndpoint = new PrivateEndpoint("privateEndpoint", PrivateEndpointArgs.builder()
.applicationSecurityGroups(ApplicationSecurityGroupArgs.builder()
.id("/subscriptions/subId/resourceGroups/rg1/provders/Microsoft.Network/applicationSecurityGroup/asg1")
.build())
.location("eastus2euap")
.privateEndpointName("testPe")
.privateLinkServiceConnections(PrivateLinkServiceConnectionArgs.builder()
.groupIds("groupIdFromResource")
.privateLinkServiceId("/subscriptions/subId/resourceGroups/rg1/providers/Microsoft.Network/privateLinkServices/testPls")
.requestMessage("Please approve my connection.")
.build())
.resourceGroupName("rg1")
.subnet(SubnetArgs.builder()
.id("/subscriptions/subId/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/myVnet/subnets/mySubnet")
.build())
.build());
}
}
resources:
privateEndpoint:
type: azure-native:network:PrivateEndpoint
properties:
applicationSecurityGroups:
- id: /subscriptions/subId/resourceGroups/rg1/provders/Microsoft.Network/applicationSecurityGroup/asg1
location: eastus2euap
privateEndpointName: testPe
privateLinkServiceConnections:
- groupIds:
- groupIdFromResource
privateLinkServiceId: /subscriptions/subId/resourceGroups/rg1/providers/Microsoft.Network/privateLinkServices/testPls
requestMessage: Please approve my connection.
resourceGroupName: rg1
subnet:
id: /subscriptions/subId/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/myVnet/subnets/mySubnet
The applicationSecurityGroups property attaches the endpoint to existing ASGs, allowing you to reference the endpoint in NSG rules without managing individual IP addresses. This simplifies security policy management when you have multiple endpoints that should share the same traffic rules.
Request manual approval for cross-tenant connections
When connecting to Private Link services where you lack automatic approval rights, you use manual approval connections.
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
const privateEndpoint = new azure_native.network.PrivateEndpoint("privateEndpoint", {
customNetworkInterfaceName: "testPeNic",
ipConfigurations: [{
groupId: "file",
memberName: "file",
name: "pestaticconfig",
privateIPAddress: "192.168.0.5",
}],
location: "eastus",
manualPrivateLinkServiceConnections: [{
groupIds: ["groupIdFromResource"],
privateLinkServiceId: "/subscriptions/subId/resourceGroups/rg1/providers/Microsoft.Network/privateLinkServices/testPls",
requestMessage: "Please manually approve my connection.",
}],
privateEndpointName: "testPe",
resourceGroupName: "rg1",
subnet: {
id: "/subscriptions/subId/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/myVnet/subnets/mySubnet",
},
});
import pulumi
import pulumi_azure_native as azure_native
private_endpoint = azure_native.network.PrivateEndpoint("privateEndpoint",
custom_network_interface_name="testPeNic",
ip_configurations=[{
"group_id": "file",
"member_name": "file",
"name": "pestaticconfig",
"private_ip_address": "192.168.0.5",
}],
location="eastus",
manual_private_link_service_connections=[{
"group_ids": ["groupIdFromResource"],
"private_link_service_id": "/subscriptions/subId/resourceGroups/rg1/providers/Microsoft.Network/privateLinkServices/testPls",
"request_message": "Please manually approve my connection.",
}],
private_endpoint_name="testPe",
resource_group_name="rg1",
subnet={
"id": "/subscriptions/subId/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/myVnet/subnets/mySubnet",
})
package main
import (
network "github.com/pulumi/pulumi-azure-native-sdk/network/v3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := network.NewPrivateEndpoint(ctx, "privateEndpoint", &network.PrivateEndpointArgs{
CustomNetworkInterfaceName: pulumi.String("testPeNic"),
IpConfigurations: network.PrivateEndpointIPConfigurationArray{
&network.PrivateEndpointIPConfigurationArgs{
GroupId: pulumi.String("file"),
MemberName: pulumi.String("file"),
Name: pulumi.String("pestaticconfig"),
PrivateIPAddress: pulumi.String("192.168.0.5"),
},
},
Location: pulumi.String("eastus"),
ManualPrivateLinkServiceConnections: network.PrivateLinkServiceConnectionArray{
&network.PrivateLinkServiceConnectionArgs{
GroupIds: pulumi.StringArray{
pulumi.String("groupIdFromResource"),
},
PrivateLinkServiceId: pulumi.String("/subscriptions/subId/resourceGroups/rg1/providers/Microsoft.Network/privateLinkServices/testPls"),
RequestMessage: pulumi.String("Please manually approve my connection."),
},
},
PrivateEndpointName: pulumi.String("testPe"),
ResourceGroupName: pulumi.String("rg1"),
Subnet: &network.SubnetTypeArgs{
Id: pulumi.String("/subscriptions/subId/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/myVnet/subnets/mySubnet"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
return await Deployment.RunAsync(() =>
{
var privateEndpoint = new AzureNative.Network.PrivateEndpoint("privateEndpoint", new()
{
CustomNetworkInterfaceName = "testPeNic",
IpConfigurations = new[]
{
new AzureNative.Network.Inputs.PrivateEndpointIPConfigurationArgs
{
GroupId = "file",
MemberName = "file",
Name = "pestaticconfig",
PrivateIPAddress = "192.168.0.5",
},
},
Location = "eastus",
ManualPrivateLinkServiceConnections = new[]
{
new AzureNative.Network.Inputs.PrivateLinkServiceConnectionArgs
{
GroupIds = new[]
{
"groupIdFromResource",
},
PrivateLinkServiceId = "/subscriptions/subId/resourceGroups/rg1/providers/Microsoft.Network/privateLinkServices/testPls",
RequestMessage = "Please manually approve my connection.",
},
},
PrivateEndpointName = "testPe",
ResourceGroupName = "rg1",
Subnet = new AzureNative.Network.Inputs.SubnetArgs
{
Id = "/subscriptions/subId/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/myVnet/subnets/mySubnet",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.network.PrivateEndpoint;
import com.pulumi.azurenative.network.PrivateEndpointArgs;
import com.pulumi.azurenative.network.inputs.PrivateEndpointIPConfigurationArgs;
import com.pulumi.azurenative.network.inputs.PrivateLinkServiceConnectionArgs;
import com.pulumi.azurenative.network.inputs.SubnetArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var privateEndpoint = new PrivateEndpoint("privateEndpoint", PrivateEndpointArgs.builder()
.customNetworkInterfaceName("testPeNic")
.ipConfigurations(PrivateEndpointIPConfigurationArgs.builder()
.groupId("file")
.memberName("file")
.name("pestaticconfig")
.privateIPAddress("192.168.0.5")
.build())
.location("eastus")
.manualPrivateLinkServiceConnections(PrivateLinkServiceConnectionArgs.builder()
.groupIds("groupIdFromResource")
.privateLinkServiceId("/subscriptions/subId/resourceGroups/rg1/providers/Microsoft.Network/privateLinkServices/testPls")
.requestMessage("Please manually approve my connection.")
.build())
.privateEndpointName("testPe")
.resourceGroupName("rg1")
.subnet(SubnetArgs.builder()
.id("/subscriptions/subId/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/myVnet/subnets/mySubnet")
.build())
.build());
}
}
resources:
privateEndpoint:
type: azure-native:network:PrivateEndpoint
properties:
customNetworkInterfaceName: testPeNic
ipConfigurations:
- groupId: file
memberName: file
name: pestaticconfig
privateIPAddress: 192.168.0.5
location: eastus
manualPrivateLinkServiceConnections:
- groupIds:
- groupIdFromResource
privateLinkServiceId: /subscriptions/subId/resourceGroups/rg1/providers/Microsoft.Network/privateLinkServices/testPls
requestMessage: Please manually approve my connection.
privateEndpointName: testPe
resourceGroupName: rg1
subnet:
id: /subscriptions/subId/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/myVnet/subnets/mySubnet
The manualPrivateLinkServiceConnections property creates a connection request that remains pending until the service owner approves it. The requestMessage helps the owner understand why you need access. This workflow is common when connecting to services in other subscriptions or tenants.
Beyond these examples
These snippets focus on specific private endpoint features: Private Link service connections (automatic and manual approval), static IP configuration, and application security group integration. They’re intentionally minimal rather than full networking solutions.
The examples reference pre-existing infrastructure such as VNets and subnets, Private Link services or Azure PaaS services, and application security groups (for relevant examples). They focus on configuring the private endpoint rather than provisioning the surrounding network.
To keep things focused, common private endpoint patterns are omitted, including:
- Custom DNS configurations (customDnsConfigs)
- Extended location for edge deployments
- Tags for resource organization
These omissions are intentional: the goal is to illustrate how each private endpoint feature is wired, not provide drop-in networking modules. See the Private Endpoint resource reference for all available configuration options.
Let's configure Azure Private Endpoints
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Connection Configuration
What's the difference between automatic and manual approval connections?
Use
privateLinkServiceConnections for automatic approval when you have access to approve the connection. Use manualPrivateLinkServiceConnections when the network admin doesn’t have access to approve connections to the remote resource and manual approval is required.Can I use both automatic and manual approval connections on the same endpoint?
No,
privateLinkServiceConnections and manualPrivateLinkServiceConnections are mutually exclusive. Choose one connection type based on your approval workflow.How do I include a request message with my connection?
Add a
requestMessage field to your connection configuration (either privateLinkServiceConnections or manualPrivateLinkServiceConnections). For example: requestMessage: "Please approve my connection."Network Configuration
How do I assign a static private IP to my endpoint?
Configure the
ipConfigurations array with groupId, memberName, name, and privateIPAddress fields. For example, to assign 192.168.0.6, set privateIPAddress: "192.168.0.6" along with the appropriate group and member identifiers.Can I customize the network interface name?
Yes, use
customNetworkInterfaceName to specify a custom name for the network interface attached to the private endpoint.What subnet information do I need to provide?
You must provide the full subnet resource ID in the
subnet.id field, such as /subscriptions/{subId}/resourceGroups/{rg}/providers/Microsoft.Network/virtualNetworks/{vnet}/subnets/{subnet}.Resource Properties & Immutability
What properties can't be changed after creating a private endpoint?
Three properties are immutable:
privateEndpointName, resourceGroupName, and subnet. To change any of these, you must recreate the private endpoint.Can I move a private endpoint to a different subnet?
No, the
subnet property is immutable. You must delete and recreate the private endpoint to use a different subnet.Advanced Features
How do I integrate my private endpoint with application security groups?
Add the
applicationSecurityGroups array with ASG resource IDs to include the private endpoint’s IP configuration in those security groups.Can I use a different Azure API version?
Yes, the resource uses API version 2024-05-01 by default. To use a different version (such as 2023-02-01 or others), generate a local SDK package using
pulumi package add azure-native network [ApiVersion].