
Implement IAzurePrivateEndpointTarget on more Azure resources #14360

Merged
eerhardt merged 3 commits into dotnet:main from eerhardt:AddMorePrivateEndpoints
Feb 6, 2026

eerhardt commented Feb 6, 2026

Description

Follow up to #13108

Contributes to #13750

Checklist

  • Is this feature complete?
    • Yes. Ready to ship.
    • No. Follow-up changes expected.
  • Are you including unit tests for the changes and scenario tests if relevant?
    • Yes
    • No
  • Did you add public API?
    • Yes
      • If yes, did you have an API Review for it?
        • Yes
        • No
      • Did you add <remarks /> and <code /> elements on your triple slash comments?
        • Yes
        • No
    • No
  • Does the change make any security assumptions or guarantees?
    • Yes
      • If yes, have you done a threat model and had a security review?
        • Yes
        • No
    • No
  • Does the change require an update in our Aspire docs?

Copilot AI review requested due to automatic review settings February 6, 2026 00:32

github-actions bot commented Feb 6, 2026

🚀 Dogfood this PR with:

⚠️ WARNING: Do not do this without first carefully reviewing the code of this PR to satisfy yourself it is safe.

curl -fsSL https://raw.githubusercontent.com/dotnet/aspire/main/eng/scripts/get-aspire-cli-pr.sh | bash -s -- 14360

Or

  • Run remotely in PowerShell:
iex "& { $(irm https://raw.githubusercontent.com/dotnet/aspire/main/eng/scripts/get-aspire-cli-pr.ps1) } 14360"

Copilot AI left a comment

Pull request overview

This pull request implements the IAzurePrivateEndpointTarget interface on additional Azure resources to enable private endpoint support for secure network isolation. This is a follow-up to PR #13108 and contributes to issue #13750, which aims to support Azure Virtual Networks and Private Endpoints for critical resources.

Changes:

  • Implements IAzurePrivateEndpointTarget interface on 13 Azure resource types (CosmosDB, SQL Server, PostgreSQL, Redis, Service Bus, Event Hubs, Key Vault, App Configuration, Search, SignalR, Web PubSub, and Storage sub-resources Table and DataLake)
  • Adds private endpoint detection logic to conditionally disable public network access when private endpoints are configured
  • Skips firewall rule provisioning when resources use private endpoints
  • Outputs resource IDs in Bicep templates for private endpoint linking
  • Adds comprehensive test coverage with 11 new test methods and 2 additional storage tests
  • Updates 80+ snapshot test files to include resource ID outputs

Reviewed changes

Copilot reviewed 112 out of 112 changed files in this pull request and generated no comments.

Summary per file (file: description):

  • src/Aspire.Hosting.Azure.{Service}/Azure{Service}Resource.cs (13 files): Implements IAzurePrivateEndpointTarget interface with Id property, GetPrivateLinkGroupIds(), and GetPrivateDnsZoneName() methods
  • src/Aspire.Hosting.Azure.{Service}/Azure{Service}Extensions.cs (11 files): Adds private endpoint detection logic and conditional public network access disabling
  • tests/Aspire.Hosting.Azure.Tests/AzurePrivateEndpointLockdownTests.cs: New test file with 11 tests covering private endpoint scenarios for all supported services
  • tests/Aspire.Hosting.Azure.Tests/AzureStoragePrivateEndpointLockdownTests.cs: Adds 2 new tests for Table and DataLake storage private endpoints
  • tests/Aspire.Hosting.Azure.Tests/Snapshots/*.verified.bicep (80+ files): Updates snapshot tests to include resource ID outputs and verify correct Bicep generation

eerhardt commented Feb 6, 2026

✅ Manual Testing Summary — Private Endpoint Support

Tested the new IAzurePrivateEndpointTarget implementation for Azure CosmosDB and Azure Managed Redis by deploying a full Aspire app to Azure.

CLI Version: 13.2.0-pr.14360.g4a3bd835 (commit 4a3bd835)

Test App Setup

AppHost — configured with:

  • AddAzureContainerAppEnvironment("env") with WithDelegatedSubnet() on a /23 subnet
  • AddAzureVirtualNetwork("myvnet") with two subnets: aca-subnet (10.0.0.0/23) and pe-subnet (10.0.2.0/24)
  • AddAzureCosmosDB("cosmos") + AddCosmosDatabase("itemsdb")
  • AddAzureManagedRedis("redis")
  • peSubnet.AddPrivateEndpoint(cosmos) and peSubnet.AddPrivateEndpoint(redis) — the new APIs from this PR

API Service (ASP.NET Core minimal APIs):

  • Aspire.Microsoft.Azure.Cosmos for CosmosDB client
  • Aspire.Microsoft.Azure.StackExchangeRedis with AddRedisClientBuilder("redis").WithAzureAuthentication()
  • GET /items — creates a new CosmosDB entry and lists all items
  • GET /items/{id} — reads a specific item
  • GET /redis/{key}/{value} — sets a Redis key
  • GET /redis/{key} — gets a Redis key

Result

Deployed to Azure and verified both CosmosDB and Redis are accessible through private endpoints. Both read and write operations succeeded via the API endpoints.
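
The lockdown behaviour the review overview describes (public network access disabled and firewall rules skipped once a private endpoint targets a resource) can be checked after a deployment like the one above. The following audit is an added example, not code from this PR or from Aspire: it walks an inventory of resources in ARM shape and flags private-endpoint targets that are still publicly reachable. The inventory, the subscription ID and the helper names (res, pe, audit) are constructed for illustration; publicNetworkAccess, privateLinkServiceId and firewallRules are the ARM property and child-type names it assumes.

```python
# Added example (not code from the PR). SAMPLE is a constructed ARM-shaped inventory.
PE_TYPE = "microsoft.network/privateendpoints"
P = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-sample/providers/"

def res(path, **props):
    """Build one constructed entry; the resource type is derived from the ID path."""
    parts = path.split("/")
    return {"id": P + path, "type": "/".join(parts[:1] + parts[1::2]), "name": parts[-1], "properties": props}

def pe(name, target_path, group):
    conn = {"properties": {"privateLinkServiceId": P + target_path, "groupIds": [group]}}
    return res("Microsoft.Network/privateEndpoints/" + name, privateLinkServiceConnections=[conn])

SAMPLE = [
    res("Microsoft.DocumentDB/databaseAccounts/cosmos", publicNetworkAccess="Disabled"),
    res("Microsoft.Sql/servers/sql1", publicNetworkAccess="Enabled"),
    res("Microsoft.Sql/servers/sql1/firewallRules/AllowAll", startIpAddress="0.0.0.0"),
    res("Microsoft.KeyVault/vaults/kv1", publicNetworkAccess="Enabled"),  # no endpoint: out of scope
    pe("cosmos-pe", "Microsoft.DocumentDB/databaseAccounts/cosmos", "Sql"),
    pe("sql-pe", "Microsoft.Sql/servers/sql1", "sqlServer"),
]

def private_endpoint_targets(resources):
    """Lower-cased IDs of every resource a private endpoint links to."""
    targets = set()
    for r in resources:
        if r["type"].lower() == PE_TYPE:
            for key in ("privateLinkServiceConnections", "manualPrivateLinkServiceConnections"):
                for c in r["properties"].get(key, []):
                    targets.add(c["properties"]["privateLinkServiceId"].lower())
    return targets

def audit(resources):
    """Return sorted (resource, problem) pairs for targets that are not locked down."""
    by_id = {r["id"].lower(): r for r in resources}
    findings = []
    for target in private_endpoint_targets(resources):
        r = by_id.get(target)
        if r is None:
            findings.append((target, "target not in inventory"))
            continue
        access = r["properties"].get("publicNetworkAccess")
        if access != "Disabled":
            findings.append((r["name"], f"publicNetworkAccess={access}"))
        findings += [(r["name"], f"firewall rule {c['name']}") for rid, c in by_id.items()
                     if rid.startswith(target + "/") and c["type"].lower().endswith("/firewallrules")]
    return sorted(findings)

print(audit(SAMPLE))
```

Resources without a private endpoint, such as kv1 in the sample, are deliberately left out of the findings, because the check is scoped to private-endpoint targets only.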

eerhardt merged commit 4be5110 into dotnet:main Feb 6, 2026
337 checks passed
eerhardt deleted the AddMorePrivateEndpoints branch February 6, 2026 19:35
dotnet-policy-service bot added this to the 13.2 milestone Feb 6, 2026