azureazure-powershellazure-private-link
Using the New-AzPrivateLinkServiceConnection Command-let to Create a Manual Private Link Service Connection
I am trying to create a private link to a Microsoft partner service in Azure using Powershell.
When I configure the endpoint through the Azure console, the segment of the template for the endpoint looks as follows:
{
"type": "Microsoft.Network/privateEndpoints",
"apiVersion": "2020-11-01",
"name": "[parameters('privateEndpoints_foo_pl_silverfish_name')]",
"location": "eastus2",
"dependsOn": [
"[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworks_foo_pl_vnet_name'), 'foo_pl_subnet')]"
],
"tags": {
"owner": "foo"
},
"properties": {
"privateLinkServiceConnections": [],
"manualPrivateLinkServiceConnections": [
{
"name": "[parameters('privateEndpoints_foo_pl_silverfish_name')]",
"properties": {
"privateLinkServiceId": "xyz-prod.67395a8a-a9d4-4c85-bd01-109a99e7eca2.eastus2.azure.privatelinkservice",
"groupIds": [],
"privateLinkServiceConnectionState": {
"status": "Approved"
}
}
}
],
"subnet": {
"id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworks_foo_pl_vnet_name'), 'foo_pl_subnet')]"
},
"customDnsConfigs": []
}
}
You can see the privateLinkServiceConnections array is empty. I've got content under the manualPrivateLinkServiceConnections array, which doesn't conform to the options in the New-AzPrivateLinkServiceConnection commandlet.
This is with me creating the private endpoint through the console:
Can I create a manual private link service connection with the New-AzPrivateLinkServiceConnection and New-AzPrivateEndpoint commandlets?
## Create the private link service configuration
$plink = New-AzPrivateLinkServiceConnection `
-Name 'foo_pl_silverfish_config' `
-PrivateLinkServiceId 'xyz-prod.67395a8a-a9d4-4c85-bd01-109a99e7eca2.eastus2.azure.privatelinkservice'
$privateEndpoint = New-AzPrivateEndpoint `
-ResourceGroupName 'foo_private_link' `
-Name 'foo_pl_db' `
-Location 'eastus2' `
-Subnet $sub `
-PrivateLinkServiceConnection $plink
I get the following error when running the above:
New-AzPrivateEndpoint: Operation returned an invalid status code 'BadRequest'
StatusCode: 400
ReasonPhrase: Bad Request
ErrorCode: LinkedInvalidPropertyId
ErrorMessage: Property id 'xyz-prod.67395a8a-a9d4-4c85-bd01-109a99e7eca2.eastus2.azure.privatelinkservice' at path 'properties.privateLinkServiceConnections[0].properties.privateLinkServiceId' is invalid. Expect fully qualified resource Id that start with '/subscriptions/{subscriptionId}' or '/providers/{resourceProviderNamespace}/'.
Solution
The only way I was able to build the private endpoint was using an ARM template that I deployed via Powershell script.
The ARM template looks like the following:
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "The location for resources created as part of the deployment."
}
},
"virtualNetworkName": {
"type": "string",
"metadata": {
"description": "The name of the virtual network hosting the private endpoint for the Astra private link."
}
},
"privatelinkEndpointSubnetName": {
"type": "string",
"metadata": {
"description": "The name of the subnet hosting the private endpoint."
}
},
"privatelinkEndpointSubnetCIDR": {
"type": "string",
"metadata": {
"description": "The CIDR range associated with the subnet hosting the private endpoint."
}
},
"privateEndpointName": {
"type": "string",
"metadata": {
"description": "The name of the private endpoint associated with the database's private link."
}
},
"AstraDBServiceName": {
"type": "string",
"metadata": {
"description": "The 'Service Name' for the subject Astra DB database."
}
}
},
"variables": {
"PrivatelinkEndpointSubnetNameRef": "[concat(parameters('virtualNetworkName'), '/', parameters('privatelinkEndpointSubnetName'))]",
"PrivatelinkEndpointSubnetIdRef": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('privatelinkEndpointSubnetName'))]"
},
"resources": [{
"apiVersion": "2018-04-01",
"type": "Microsoft.Network/virtualNetworks/subnets",
"name": "[variables('PrivatelinkEndpointSubnetNameRef')]",
"location": "[parameters('location')]",
"properties": {
"addressPrefix": "[concat(parameters('privatelinkEndpointSubnetCIDR'))]",
"privateLinkServiceNetworkPolicies": "Disabled",
"privateEndpointNetworkPolicies": "Disabled"
}
},
{
"dependsOn": [
"[variables('PrivatelinkEndpointSubnetIdRef')]"
],
"apiVersion": "2019-02-01",
"type": "Microsoft.Network/privateEndpoints",
"name": "[parameters('privateEndpointName')]",
"location": "[parameters('location')]",
"properties": {
"manualPrivateLinkServiceConnections": [{
"name": "{plsConnection}",
"properties": {
"privateLinkServiceId": "[parameters('AstraDBServiceName')]",
"requestMessage": "Please approve my connection, thanks."
}
}],
"subnet": {
"id": "[variables('PrivatelinkEndpointSubnetIdRef')]"
}
}
}
]
}
Here is the code I would use to build the template...
$arm_template_parameters = @{
'AstraDBServiceName' = 'abc.593caf89-071c-4be7-f5ce9d3f9bc6
.eastus.azure.privatelinkservice'
'privateEndpointName' = 'myEndpoint'
'virtualNetworkName' = 'myVNET'
'privatelinkEndpointSubnetName' = 'mySubnet'
'privatelinkEndpointSubnetCIDR' = '10.0.2.0/24'
}
New-AzResourceGroupDeployment `
-Name 'myDeployment' `
-ResourceGroupName 'myResourceGroup' `
-TemplateFile '.\template.json' `
-TemplateParameterObject $arm_template_parameters `
-verbose
The problem for me is I ONLY have a resource id or alias. I can build from an ARM template or the Azure console. All the examples building the PE using Powershell require me to know the details about the service's load balancer, which I don't.