Tags: azure, azure-monitor, azure-private-link, azure-managed-grafana

Bicep script to create "Managed Private Endpoint" to access Azure Monitor Workspace privately


My goal is to enable Azure Managed Grafana to access an Azure Monitor account which doesn't have a public endpoint and hence should be accessed privately. I figured through this documentation that a "Managed Private Endpoint" is what I need and I was successfully able to create a working configuration in the Portal. However, I failed to find the corresponding Bicep scripts to create said "Managed Private Endpoints".

The part that creates Grafana and the private endpoints looks like the code below (the module in which Microsoft.Monitor/accounts is created is left out).

// Inputs referenced by the resources below; the Azure Monitor workspace
// (Microsoft.Monitor/accounts) is created in a separate module
param location string = resourceGroup().location
param monitorWorkspaceName string
param monitorWorkspaceId string
param subnetId string

// Grafana instance with public access disabled and the Azure Monitor
// workspace registered as an integration
resource managedGrafana 'Microsoft.Dashboard/grafana@2022-08-01' = {
  name: 'mg-global'
  location: location
  sku: {
    name: 'Standard'
  }
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    apiKey: 'Disabled'
    publicNetworkAccess: 'Disabled'
    grafanaIntegrations: {
      azureMonitorWorkspaceIntegrations: [
        {
          azureMonitorWorkspaceResourceId: resourceId('microsoft.monitor/accounts', monitorWorkspaceName)
        }
      ]
    }
  }
}

// Inbound private endpoint so users in the VNet can reach Grafana
resource privateEndpoint 'Microsoft.Network/privateEndpoints@2023-02-01' = {
  name: 'pe-global-grafana'
  location: location
  properties: {
    privateLinkServiceConnections: [
      {
        name: 'pe-grafana'
        properties: {
          privateLinkServiceId: managedGrafana.id
          groupIds: [
            'grafana'
          ]
        }
      }
    ]
    subnet: {
      id: subnetId
    }
  }
}

// Private endpoint from the VNet to the Azure Monitor workspace (Prometheus metrics)
resource privateEndpointPrometheus 'Microsoft.Network/privateEndpoints@2022-11-01' = {
  name: 'pe-global-prometheus'
  location: location
  properties: {
    privateLinkServiceConnections: [
      {
        name: 'pe-prometheus'
        properties: {
          privateLinkServiceId: monitorWorkspaceId
          groupIds: [
            'prometheusMetrics'
          ]
        }
      }
    ]
    subnet: {
      id: subnetId
    }
  }
}

Solution

  • To answer my own question: as of today (August 2023) it is not possible to create Grafana managed private endpoints in Bicep. An alternative is to call the ARM endpoint directly, e.g.:

    az rest --method put --url "https://management.azure.com/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP>/providers/Microsoft.Dashboard/grafana/<AZURE_GRAFANA_NAME>/managedPrivateEndpoints/managed-endpoint?api-version=2022-10-01-preview" \
    --body "{ \"location\": \"<LOCATION>\", \"properties\": { \
    \"privateLinkResourceId\":\"<Resource ID to Azure Monitor Workspace>\", \"groupIds\": \
    [ \"prometheusMetrics\" ], \"requestMessage\": \"\", \
    \"privateLinkResourceRegion\": \"<LOCATION>\" } }"
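The same ARM call from the answer, wrapped as a script that builds the URL and body from parameters and then polls the endpoint until ARM reports a terminal provisioningState. This is an added example, not code from the original post; it assumes the 2022-10-01-preview api-version used in the answer and a logged-in Azure CLI, and the function and variable names are mine.

```shell
#!/usr/bin/env bash
# Added example: create a Grafana managed private endpoint via the ARM REST API
# (no Bicep resource type exists for it) and wait for provisioning to finish.
set -eu

API_VERSION="2022-10-01-preview"   # api-version from the answer (assumption: still valid)

# Build the ARM resource URL for the managed private endpoint.
mpe_url() {
  sub="$1"; rg="$2"; grafana="$3"; mpe="$4"
  printf 'https://management.azure.com/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Dashboard/grafana/%s/managedPrivateEndpoints/%s?api-version=%s' \
    "$sub" "$rg" "$grafana" "$mpe" "$API_VERSION"
}

# Build the request body with the same fields as the answer's inline JSON.
# location and privateLinkResourceRegion are set to the same value, as in the answer.
mpe_body() {
  location="$1"; target_id="$2"; group_id="$3"
  printf '{"location":"%s","properties":{"privateLinkResourceId":"%s","groupIds":["%s"],"requestMessage":"","privateLinkResourceRegion":"%s"}}' \
    "$location" "$target_id" "$group_id" "$location"
}

# PUT the endpoint, then poll provisioningState (up to ~5 minutes).
# After it succeeds the connection still needs to be approved on the
# target Azure Monitor workspace before Grafana can query it.
create_managed_private_endpoint() {
  url=$(mpe_url "$1" "$2" "$3" "$4")
  body=$(mpe_body "$5" "$6" "$7")
  az rest --method put --url "$url" --body "$body" >/dev/null
  for _ in $(seq 1 30); do
    state=$(az rest --method get --url "$url" --query properties.provisioningState -o tsv)
    case "$state" in
      Succeeded) echo "managed private endpoint ready"; return 0 ;;
      Failed|Canceled) echo "provisioning ended in state $state" >&2; return 1 ;;
    esac
    sleep 10
  done
  echo "timed out waiting for provisioning" >&2
  return 1
}

# Usage (placeholders, all arguments are assumptions):
# create_managed_private_endpoint "<SUBSCRIPTION_ID>" "<RESOURCE_GROUP>" "<AZURE_GRAFANA_NAME>" \
#   managed-endpoint "<LOCATION>" "<Resource ID to Azure Monitor Workspace>" prometheusMetrics
```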