Update Azure SQL Server docs for private endpoints #486

@eerhardt

Description

Azure SQL Server has special private endpoint logic for its admin deployment script logic to work. We should update the docs with the following information:

  1. Azure SQL Server has a deployment script that runs to give your app's managed identity access to the SQL database.
  2. In order for this script to execute successfully, the Azure Container Instance it runs on needs to be able to access the SQL server.
  3. To accomplish this, ACI needs a subnet delegated to it to run the container in.
    • Additionally, when executed in this mode, ACI needs an Azure Storage account to mount the file share for the script contents and logs.
  4. Aspire Azure SQL Server will automatically create these resources - allocating a minimal subnet at an open address in the top of the vnet range. It will also allocate a new Storage account with the correct settings.
  5. You can modify this behavior in the following ways:
    • Call ClearDefaultRoleAssignments, which will disable the deployment script - and remove the default subnet and storage resources.
      • NOTE: this means the deployment script will no longer add the app's managed identity access to the database. You will need to ensure your application has appropriate access in order for your app to successfully connect to the db.
    • Specify your own subnet using WithAdminDeploymentScriptSubnet
      • Aspire will automatically delegate this subnet to ACI
    • Specify your own storage account using WithAdminDeploymentScriptStorage
      • Aspire will automatically create a StorageFileDataPrivilegedContributor role assignment from the deploymentScript's identity to this Storage account.
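An AppHost sketch of the defaults and the three customization points listed above, added here as an illustration and not taken from the issue or the Aspire repository. The method names come from the issue; the parameter types of `WithAdminDeploymentScriptSubnet` and `WithAdminDeploymentScriptStorage`, and the `Projects.Api` project name, are assumptions.

```csharp
// Added example AppHost Program.cs (not the issue's or the Aspire project's own code).
// Assumed: WithAdminDeploymentScriptStorage accepts the builder returned by AddAzureStorage,
// WithAdminDeploymentScriptSubnet accepts a subnet reference, and Projects.Api is an AppHost
// project reference. The issue does not state these signatures.
var builder = DistributedApplication.CreateBuilder(args);

var sql = builder.AddAzureSqlServer("sql");
var db = sql.AddDatabase("appdb");

// Default behavior (no extra calls): Aspire provisions a minimal delegated subnet at an
// open address at the top of the vnet range plus a storage account, so the admin deployment
// script running in ACI can reach the SQL server and grant the app's managed identity access.

// Option 1: bring your own storage account for the script contents and logs.
// Aspire adds a StorageFileDataPrivilegedContributor role assignment for the
// deployment script's identity on this account; the app itself gets no storage rights here.
var scriptStorage = builder.AddAzureStorage("scriptstorage");
sql.WithAdminDeploymentScriptStorage(scriptStorage);

// Option 2: bring your own subnet; Aspire delegates it to ACI for you.
// Uncomment and supply a subnet reference (assumed parameter shape):
// sql.WithAdminDeploymentScriptSubnet(existingSubnet);

// Option 3: disable the deployment script entirely. The default subnet and storage
// resources are not created, and the app's managed identity is NOT granted database
// access automatically, so that access must be provisioned some other way first.
// sql.ClearDefaultRoleAssignments();

builder.AddProject<Projects.Api>("api")
       .WithReference(db);

builder.Build().Run();
```

Options 1 and 2 compose; option 3 removes the script, so the subnet and storage calls have no effect when it is used.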
