Fix Azure SQL Server private endpoints #14664
eerhardt merged 16 commits into microsoft:release/13.2 from
I think this is ready for review. One issue is that Azure.Provisioning.Network is still unstable and we need to reference it from our Aspire.Hosting.Azure.Sql (stable) package. We will need to get that package stable and make our Aspire.Hosting.Azure.Network package stable (but will add [Experimental] to the whole assembly).
Pull request overview
Adds VNet-integrated Azure deployment script support for Azure SQL Server private endpoint scenarios, enabling database role assignment scripts to run inside delegated subnets and use Azure Storage for script/log/file share mounting.
Changes:
- Introduces private-endpoint notification plumbing to trigger SQL deployment-script infrastructure (ACI subnet + storage + NSG + storage files private endpoint).
- Adds subnet address allocation logic and new configuration APIs to explicitly choose deployment-script subnet/storage.
- Adds snapshot-based tests and updates playground modules/manifests to cover private endpoint scenarios.
Reviewed changes
Copilot reviewed 35 out of 35 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| tests/Aspire.Hosting.Azure.Tests/Snapshots/AzureSqlDeploymentScriptTests.SqlWithPrivateEndpoint_SubnetBeforePrivateEndpoint.verified.bicep | New snapshot covering subnet-first configuration ordering. |
| tests/Aspire.Hosting.Azure.Tests/Snapshots/AzureSqlDeploymentScriptTests.SqlWithPrivateEndpoint_StorageBeforePrivateEndpoint.verified.bicep | New snapshot covering storage-first configuration ordering. |
| tests/Aspire.Hosting.Azure.Tests/Snapshots/AzureSqlDeploymentScriptTests.SqlWithPrivateEndpoint_ExplicitSubnet_AutoCreatesStorage.verified.bicep | Snapshot for explicit subnet + auto storage behavior. |
| tests/Aspire.Hosting.Azure.Tests/Snapshots/AzureSqlDeploymentScriptTests.SqlWithPrivateEndpoint_ExplicitStorage_AutoCreatesSubnet.verified.bicep | Snapshot for explicit storage + auto subnet behavior. |
| tests/Aspire.Hosting.Azure.Tests/Snapshots/AzureSqlDeploymentScriptTests.SqlWithPrivateEndpoint_BothExplicitSubnetAndStorage.verified.bicep | Snapshot for explicit subnet + explicit storage behavior. |
| tests/Aspire.Hosting.Azure.Tests/Snapshots/AzureSqlDeploymentScriptTests.SqlWithPrivateEndpoint_AutoCreatesBothSubnetAndStorage.verified.bicep | Snapshot for full auto behavior. |
| tests/Aspire.Hosting.Azure.Tests/AzureSqlDeploymentScriptTests.cs | Adds tests for multiple ordering/configuration combinations. |
| src/Aspire.Hosting.Azure/ExistingAzureResourceAnnotation.cs | Expands “existing resource name” annotation to support BicepOutputReference. |
| src/Aspire.Hosting.Azure/AzureProvisioningResource.cs | Implements BicepOutputReference handling when creating existing resources. |
| src/Aspire.Hosting.Azure.Sql/SubnetAddressAllocator.cs | Adds CIDR parsing + /29 allocation logic for auto-created ACI subnet. |
| src/Aspire.Hosting.Azure.Sql/AzureSqlServerResource.cs | Adds private-endpoint notification handling, deployment script subnet/storage wiring, and model preparation logic. |
| src/Aspire.Hosting.Azure.Sql/AzureSqlExtensions.cs | Adds WithAdminDeploymentScriptSubnet / WithAdminDeploymentScriptStorage APIs. |
| src/Aspire.Hosting.Azure.Sql/Aspire.Hosting.Azure.Sql.csproj | Adds project references to Azure Network and Azure Storage packages. |
| src/Aspire.Hosting.Azure.Sql/AdminDeploymentScriptSubnetAnnotation.cs | Introduces an annotation to carry the deployment-script subnet reference. |
| src/Aspire.Hosting.Azure.Network/AzureVirtualNetworkResource.cs | Makes Subnets publicly accessible. |
| src/Aspire.Hosting.Azure.Network/AzureSubnetServiceDelegationAnnotation.cs | Makes subnet delegation annotation public. |
| src/Aspire.Hosting.Azure.Network/AzurePrivateEndpointExtensions.cs | Adds notification hook interface and calls it during private endpoint creation. |
| playground/AzureVirtualNetworkEndToEnd/AzureVirtualNetworkEndToEnd.AppHost/vnet.module.bicep | Adds SQL ACI subnet outputs/params to the playground VNet module. |
| playground/AzureVirtualNetworkEndToEnd/AzureVirtualNetworkEndToEnd.AppHost/sql.module.bicep | Adds SQL module for the playground scenario. |
| playground/AzureVirtualNetworkEndToEnd/AzureVirtualNetworkEndToEnd.AppHost/sql-store.module.bicep | Adds storage module used by deployment scripts in playground. |
| playground/AzureVirtualNetworkEndToEnd/AzureVirtualNetworkEndToEnd.AppHost/sql-nsg.module.bicep | Adds NSG module for deployment script outbound rules in playground. |
| playground/AzureVirtualNetworkEndToEnd/AzureVirtualNetworkEndToEnd.AppHost/sql-admin-identity.module.bicep | Adds module to reference the SQL admin identity output. |
| playground/AzureVirtualNetworkEndToEnd/AzureVirtualNetworkEndToEnd.AppHost/sql-admin-identity-roles-sql-store.module.bicep | Adds role assignment module for admin identity -> storage files access. |
| playground/AzureVirtualNetworkEndToEnd/AzureVirtualNetworkEndToEnd.AppHost/privatelink-file-core-windows-net.module.bicep | Adds private DNS zone module for storage files. |
| playground/AzureVirtualNetworkEndToEnd/AzureVirtualNetworkEndToEnd.AppHost/privatelink-database-windows-net.module.bicep | Adds private DNS zone module for SQL. |
| playground/AzureVirtualNetworkEndToEnd/AzureVirtualNetworkEndToEnd.AppHost/private-endpoints-sql-pe.module.bicep | Adds playground SQL private endpoint module. |
| playground/AzureVirtualNetworkEndToEnd/AzureVirtualNetworkEndToEnd.AppHost/private-endpoints-files-pe.module.bicep | Adds playground storage files private endpoint module. |
| playground/AzureVirtualNetworkEndToEnd/AzureVirtualNetworkEndToEnd.AppHost/aspire-manifest.json | Wires new modules/params for SQL + deployment-script infra. |
| playground/AzureVirtualNetworkEndToEnd/AzureVirtualNetworkEndToEnd.AppHost/api-roles-sql.module.bicep | Adds deployment script role assignment module for SQL DB access. |
| playground/AzureVirtualNetworkEndToEnd/AzureVirtualNetworkEndToEnd.AppHost/api-containerapp.module.bicep | Passes SQL connection env vars/connection strings into the playground container app. |
| playground/AzureVirtualNetworkEndToEnd/AzureVirtualNetworkEndToEnd.AppHost/Program.cs | Adds SQL + private endpoint + DB reference to the playground AppHost. |
| playground/AzureVirtualNetworkEndToEnd/AzureVirtualNetworkEndToEnd.AppHost/AzureVirtualNetworkEndToEnd.AppHost.csproj | Adds Azure SQL hosting package reference for the playground. |
| playground/AzureVirtualNetworkEndToEnd/AzureVirtualNetworkEndToEnd.ApiService/Program.cs | Adds a simple /sql endpoint using SqlConnection. |
| playground/AzureVirtualNetworkEndToEnd/AzureVirtualNetworkEndToEnd.ApiService/AzureVirtualNetworkEndToEnd.ApiService.csproj | Adds SqlClient package reference for the playground API. |
/deployment-test
🚀 Deployment tests starting on PR #14664... This will deploy to real Azure infrastructure. Results will be posted here when complete.
❌ Deployment E2E Tests failed. Summary: 22 passed, 2 failed, 0 cancelled
/deployment-test
🚀 Deployment tests starting on PR #14664... This will deploy to real Azure infrastructure. Results will be posted here when complete.
❌ Deployment E2E Tests failed. Summary: 22 passed, 2 failed, 0 cancelled
/deployment-test
🚀 Deployment tests starting on PR #14664... This will deploy to real Azure infrastructure. Results will be posted here when complete.
Pull request overview
Copilot reviewed 37 out of 37 changed files in this pull request and generated 5 comments.
Comments suppressed due to low confidence (1)
src/Aspire.Hosting.Azure.Network/AzureSubnetServiceDelegationAnnotation.cs:24
`AzureSubnetServiceDelegationAnnotation` is now `public`, but its XML docs are still minimal (no details on expected values, behavior, or usage). Since this is a newly public API in `src/`, it should include more complete documentation (e.g., describe how it affects subnet provisioning, what `Name` vs `ServiceName` should be set to, and include an example of applying the annotation to a subnet).

```csharp
/// <summary>
/// Annotation to specify a service delegation for an Azure Subnet.
/// </summary>
/// <param name="name">The name of the service delegation.</param>
/// <param name="serviceName">The service name for the delegation (e.g., "Microsoft.App/environments").</param>
public sealed class AzureSubnetServiceDelegationAnnotation(string name, string serviceName) : IResourceAnnotation
{
    /// <summary>
    /// Gets or sets the name associated with the service delegation.
    /// </summary>
    public string Name { get; set; } = name;

    /// <summary>
    /// Gets or sets the name of the service associated with the service delegation.
    /// </summary>
    public string ServiceName { get; set; } = serviceName;
}
```
❌ Deployment E2E Tests failed. Summary: 23 passed, 1 failed, 0 cancelled
mitchdenny left a comment:
Reviewed the approach — the notification-based pattern (IAzurePrivateEndpointTargetNotification) is a clean way to let resources react to PE creation. The automatic subnet allocation via SubnetAddressAllocator, managed identity setup, NSG rules, and storage provisioning all look correct. Good test coverage across ordering combinations and the ClearDefaultRoleAssignments cleanup path. LGTM.
Added support for Azure SQL Server deployment scripts in private endpoint scenarios, enabling secure, automated database role assignments for managed identities. Deployment scripts need to be part of the vnet and need Azure Storage accounts to mount file shares. Introduced resource annotations and preparer classes to detect and configure ACI subnet and storage account infrastructure, with both automatic and explicit configuration options. Implemented subnet address allocation logic, updated Bicep modules and manifest files, and ensured scripts run in delegated subnets with proper outbound rules and Azure Files access. Added tests to verify all configuration combinations. Updated project references and dependencies. Fix microsoft#14421
Refactor code to use an IDistributedApplicationBuilder
The deploymentScript can't run until the private endpoints are ready.
…tRoleAssignmentsAnnotation. This happens when ClearDefaultRoleAssignments is called on the sql server, which suppresses the deployment script. If the deployment script isn't needed, these resources aren't needed.
Description
Added support for Azure SQL Server deployment scripts in private endpoint scenarios, enabling secure, automated database role assignments for managed identities.
Deployment scripts need to be part of the vnet and need Azure Storage accounts to mount file shares.
Introduced resource annotations and preparer classes to detect and configure ACI subnet and storage account infrastructure, with both automatic and explicit configuration options. Implemented subnet address allocation logic, updated Bicep modules and manifest files, and ensured scripts run in delegated subnets with proper outbound rules and Azure Files access. Added tests to verify all configuration combinations. Updated project references and dependencies.
Fix #14421
Checklist
- `<remarks />` and `<code />` elements on your triple slash comments?
- aspire.dev issue: Update Azure SQL Server docs for private endpoints aspire.dev#486
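The automatic /29 allocation for the deployment-script ACI subnet, described in the file summary and the description above, as an added example that is not the PR's own `SubnetAddressAllocator`: given the VNet address space and the subnets already defined on it, it returns the first /29 that overlaps none of them. The class and method names and the sample address space are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;

// Constructed example, not the PR's SubnetAddressAllocator: pick the first free /29
// (the smallest subnet Azure allows) for a delegated ACI subnet inside a VNet.
public static class Slash29Allocator
{
    // Parses "10.0.0.0/16" into (network, prefix). IPv4 only; host bits are cleared.
    public static (uint Network, int Prefix) ParseCidr(string cidr)
    {
        var parts = cidr.Split('/');
        if (parts.Length != 2 || !IPAddress.TryParse(parts[0], out var ip)
            || ip.AddressFamily != System.Net.Sockets.AddressFamily.InterNetwork
            || !int.TryParse(parts[1], out var prefix) || prefix < 1 || prefix > 32)
            throw new FormatException($"Invalid IPv4 CIDR: {cidr}");
        var b = ip.GetAddressBytes();
        uint addr = ((uint)b[0] << 24) | ((uint)b[1] << 16) | ((uint)b[2] << 8) | b[3];
        return (addr & (uint.MaxValue << (32 - prefix)), prefix);
    }
    // Two prefixes overlap exactly when they agree on all bits of the shorter one.
    static bool Overlaps((uint Network, int Prefix) a, (uint Network, int Prefix) b)
    {
        uint mask = uint.MaxValue << (32 - Math.Min(a.Prefix, b.Prefix));
        return (a.Network & mask) == (b.Network & mask);
    }
    static string Format(uint n, int prefix) =>
        $"{n >> 24}.{(n >> 16) & 255}.{(n >> 8) & 255}.{n & 255}/{prefix}";
    // Walks the space in /29 steps (8 addresses); returns the first block that overlaps
    // no existing subnet, or null when the space is exhausted.
    public static string? Allocate(string addressSpace, IEnumerable<string> existingSubnets)
    {
        var space = ParseCidr(addressSpace);
        if (space.Prefix > 29) return null; // space too small to hold a /29
        var used = existingSubnets.Select(ParseCidr).ToList();
        uint size = 1u << (32 - space.Prefix);
        for (uint offset = 0; offset < size; offset += 8)
        {
            var candidate = (Network: space.Network + offset, Prefix: 29);
            if (!used.Any(s => Overlaps(candidate, s))) return Format(candidate.Network, 29);
        }
        return null;
    }
    public static void Main()
    {
        // Constructed VNet: a /16 where the app and private-endpoint subnets already exist.
        Console.WriteLine(Allocate("10.0.0.0/16", new[] { "10.0.0.0/24", "10.0.1.0/24" }));
    }
}
```

In the PR the existing subnets would come from the VNet resource's now-public Subnets collection; the returned prefix is what a delegated ACI subnet needs at minimum, so a null result means the VNet address space must be widened before the deployment script can run.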