Fix Azure SQL Server private endpoints

[eerhardt]

Description

Added support for Azure SQL Server deployment scripts in private endpoint scenarios, enabling secure, automated database role assignments for managed identities.

Deployment scripts need to be part of the vnet and need Azure Storage accounts to mount file shares.

Introduced resource annotations and preparer classes to detect and configure ACI subnet and storage account infrastructure, with both automatic and explicit configuration options. Implemented subnet address allocation logic, updated Bicep modules and manifest files, and ensured scripts run in delegated subnets with proper outbound rules and Azure Files access. Added tests to verify all configuration combinations. Updated project references and dependencies.

Fix #14421

Checklist

• Is this feature complete?
  • Yes. Ready to ship.
• Are you including unit tests for the changes and scenario tests if relevant?
  • Yes
• Did you add public API?
  • Yes
    • If yes, did you have an API Review for it?
      • No
    • Did you add <remarks /> and <code /> elements on your triple slash comments?
      • Yes
      • No
• Does the change make any security assumptions or guarantees?
  • Yes
    • If yes, have you done a threat model and had a security review?
      • Yes
      • No
• Does the change require an update in our Aspire docs?
  • Yes
    • Link to aspire.dev issue:
      • New issue
  • No

[github-actions]

🚀 Dogfood this PR with:

⚠️ WARNING: Do not do this without first carefully reviewing the code of this PR to satisfy yourself it is safe.

curl -fsSL https://raw.githubusercontent.com/dotnet/aspire/main/eng/scripts/get-aspire-cli-pr.sh | bash -s -- 14664

Or

• Run remotely in PowerShell:

iex "& { $(irm https://raw.githubusercontent.com/dotnet/aspire/main/eng/scripts/get-aspire-cli-pr.ps1) } 14664"

[eerhardt]

I think this is ready for review.

One issue is that Azure.Provisioning.Network is still unstable and we need to reference it from our Aspire.Hosting.Azure.Sql (stable) package. We will need to get that package stable and make our Aspire.Hosting.Azure.Network package stable (but will add [Experimental] to the whole assembly).

[Copilot]

Pull request overview

Adds VNet-integrated Azure deployment script support for Azure SQL Server private endpoint scenarios, enabling database role assignment scripts to run inside delegated subnets and use Azure Storage for script/log/file share mounting.

Changes:

• Introduces private-endpoint notification plumbing to trigger SQL deployment-script infrastructure (ACI subnet + storage + NSG + storage files private endpoint).
• Adds subnet address allocation logic and new configuration APIs to explicitly choose deployment-script subnet/storage.
• Adds snapshot-based tests and updates playground modules/manifests to cover private endpoint scenarios.

Reviewed changes

Copilot reviewed 35 out of 35 changed files in this pull request and generated 6 comments.

Show a summary per file

File	Description
tests/Aspire.Hosting.Azure.Tests/Snapshots/AzureSqlDeploymentScriptTests.SqlWithPrivateEndpoint_SubnetBeforePrivateEndpoint.verified.bicep	New snapshot covering subnet-first configuration ordering.
tests/Aspire.Hosting.Azure.Tests/Snapshots/AzureSqlDeploymentScriptTests.SqlWithPrivateEndpoint_StorageBeforePrivateEndpoint.verified.bicep	New snapshot covering storage-first configuration ordering.
tests/Aspire.Hosting.Azure.Tests/Snapshots/AzureSqlDeploymentScriptTests.SqlWithPrivateEndpoint_ExplicitSubnet_AutoCreatesStorage.verified.bicep	Snapshot for explicit subnet + auto storage behavior.
tests/Aspire.Hosting.Azure.Tests/Snapshots/AzureSqlDeploymentScriptTests.SqlWithPrivateEndpoint_ExplicitStorage_AutoCreatesSubnet.verified.bicep	Snapshot for explicit storage + auto subnet behavior.
tests/Aspire.Hosting.Azure.Tests/Snapshots/AzureSqlDeploymentScriptTests.SqlWithPrivateEndpoint_BothExplicitSubnetAndStorage.verified.bicep	Snapshot for explicit subnet + explicit storage behavior.
tests/Aspire.Hosting.Azure.Tests/Snapshots/AzureSqlDeploymentScriptTests.SqlWithPrivateEndpoint_AutoCreatesBothSubnetAndStorage.verified.bicep	Snapshot for full auto behavior.
tests/Aspire.Hosting.Azure.Tests/AzureSqlDeploymentScriptTests.cs	Adds tests for multiple ordering/configuration combinations.
src/Aspire.Hosting.Azure/ExistingAzureResourceAnnotation.cs	Expands “existing resource name” annotation to support BicepOutputReference.
src/Aspire.Hosting.Azure/AzureProvisioningResource.cs	Implements BicepOutputReference handling when creating existing resources.
src/Aspire.Hosting.Azure.Sql/SubnetAddressAllocator.cs	Adds CIDR parsing + /29 allocation logic for auto-created ACI subnet.
src/Aspire.Hosting.Azure.Sql/AzureSqlServerResource.cs	Adds private-endpoint notification handling, deployment script subnet/storage wiring, and model preparation logic.
src/Aspire.Hosting.Azure.Sql/AzureSqlExtensions.cs	Adds WithAdminDeploymentScriptSubnet / WithAdminDeploymentScriptStorage APIs.
src/Aspire.Hosting.Azure.Sql/Aspire.Hosting.Azure.Sql.csproj	Adds project references to Azure Network and Azure Storage packages.
src/Aspire.Hosting.Azure.Sql/AdminDeploymentScriptSubnetAnnotation.cs	Introduces an annotation to carry the deployment-script subnet reference.
src/Aspire.Hosting.Azure.Network/AzureVirtualNetworkResource.cs	Makes Subnets publicly accessible.
src/Aspire.Hosting.Azure.Network/AzureSubnetServiceDelegationAnnotation.cs	Makes subnet delegation annotation public.
src/Aspire.Hosting.Azure.Network/AzurePrivateEndpointExtensions.cs	Adds notification hook interface and calls it during private endpoint creation.
playground/AzureVirtualNetworkEndToEnd/AzureVirtualNetworkEndToEnd.AppHost/vnet.module.bicep	Adds SQL ACI subnet outputs/params to the playground VNet module.
playground/AzureVirtualNetworkEndToEnd/AzureVirtualNetworkEndToEnd.AppHost/sql.module.bicep	Adds SQL module for the playground scenario.
playground/AzureVirtualNetworkEndToEnd/AzureVirtualNetworkEndToEnd.AppHost/sql-store.module.bicep	Adds storage module used by deployment scripts in playground.
playground/AzureVirtualNetworkEndToEnd/AzureVirtualNetworkEndToEnd.AppHost/sql-nsg.module.bicep	Adds NSG module for deployment script outbound rules in playground.
playground/AzureVirtualNetworkEndToEnd/AzureVirtualNetworkEndToEnd.AppHost/sql-admin-identity.module.bicep	Adds module to reference the SQL admin identity output.
playground/AzureVirtualNetworkEndToEnd/AzureVirtualNetworkEndToEnd.AppHost/sql-admin-identity-roles-sql-store.module.bicep	Adds role assignment module for admin identity -> storage files access.
playground/AzureVirtualNetworkEndToEnd/AzureVirtualNetworkEndToEnd.AppHost/privatelink-file-core-windows-net.module.bicep	Adds private DNS zone module for storage files.
playground/AzureVirtualNetworkEndToEnd/AzureVirtualNetworkEndToEnd.AppHost/privatelink-database-windows-net.module.bicep	Adds private DNS zone module for SQL.
playground/AzureVirtualNetworkEndToEnd/AzureVirtualNetworkEndToEnd.AppHost/private-endpoints-sql-pe.module.bicep	Adds playground SQL private endpoint module.
playground/AzureVirtualNetworkEndToEnd/AzureVirtualNetworkEndToEnd.AppHost/private-endpoints-files-pe.module.bicep	Adds playground storage files private endpoint module.
playground/AzureVirtualNetworkEndToEnd/AzureVirtualNetworkEndToEnd.AppHost/aspire-manifest.json	Wires new modules/params for SQL + deployment-script infra.
playground/AzureVirtualNetworkEndToEnd/AzureVirtualNetworkEndToEnd.AppHost/api-roles-sql.module.bicep	Adds deployment script role assignment module for SQL DB access.
playground/AzureVirtualNetworkEndToEnd/AzureVirtualNetworkEndToEnd.AppHost/api-containerapp.module.bicep	Passes SQL connection env vars/connection strings into the playground container app.
playground/AzureVirtualNetworkEndToEnd/AzureVirtualNetworkEndToEnd.AppHost/Program.cs	Adds SQL + private endpoint + DB reference to the playground AppHost.
playground/AzureVirtualNetworkEndToEnd/AzureVirtualNetworkEndToEnd.AppHost/AzureVirtualNetworkEndToEnd.AppHost.csproj	Adds Azure SQL hosting package reference for the playground.
playground/AzureVirtualNetworkEndToEnd/AzureVirtualNetworkEndToEnd.ApiService/Program.cs	Adds a simple /sql endpoint using SqlConnection.
playground/AzureVirtualNetworkEndToEnd/AzureVirtualNetworkEndToEnd.ApiService/AzureVirtualNetworkEndToEnd.ApiService.csproj	Adds SqlClient package reference for the playground API.

[eerhardt]

/deployment-test

[github-actions]

🚀 Deployment tests starting on PR #14664...

This will deploy to real Azure infrastructure. Results will be posted here when complete.

View workflow run

[eerhardt]

/deployment-test

[github-actions]

🚀 Deployment tests starting on PR #14664...

This will deploy to real Azure infrastructure. Results will be posted here when complete.

View workflow run

[Copilot]

Pull request overview

Copilot reviewed 37 out of 37 changed files in this pull request and generated 5 comments.

Comments suppressed due to low confidence (1)

src/Aspire.Hosting.Azure.Network/AzureSubnetServiceDelegationAnnotation.cs:24

• AzureSubnetServiceDelegationAnnotation is now public, but its XML docs are still minimal (no details on expected values, behavior, or usage). Since this is a newly public API in src/, it should include more complete documentation (e.g., describe how it affects subnet provisioning, what Name vs ServiceName should be set to, and include an example of applying the annotation to a subnet).

/// <summary>
/// Annotation to specify a service delegation for an Azure Subnet.
/// </summary>
/// <param name="name">The name of the service delegation.</param>
/// <param name="serviceName">The service name for the delegation (e.g., "Microsoft.App/environments").</param>
public sealed class AzureSubnetServiceDelegationAnnotation(string name, string serviceName) : IResourceAnnotation
{
    /// <summary>
    /// Gets or sets the name associated with the service delegation.
    /// </summary>
    public string Name { get; set; } = name;

    /// <summary>
    /// Gets or sets the name of the service associated with the service delegation.
    /// </summary>
    public string ServiceName { get; set; } = serviceName;
}

[Copilot]

OnPrivateEndpointCreated is not idempotent: if multiple private endpoints are added for the same SQL server (or the extension is called more than once), this method will create additional admin identity/NSG resources and register multiple BeforeStartEvent subscriptions. Consider guarding so the setup runs only once per SQL server (e.g., check AdminIdentity/DeploymentScriptNetworkSecurityGroup/a dedicated flag before adding resources and subscribing).

Suggested change

	// Create a deployment script storage account (publish mode only).
	// The BeforeStartEvent handler will remove the default storage if it's no longer
	// needed if the user swapped it via WithAdminDeploymentScriptStorage.
	AzureStorageResource? createdStorage = null;
	if (DeploymentScriptStorage is null)
	{
	DeploymentScriptStorage = CreateDeploymentScriptStorage(builder, builder.CreateResourceBuilder(this)).Resource;
	createdStorage = DeploymentScriptStorage;
	}
	var admin = builder.AddAzureUserAssignedIdentity($"{Name}-admin-identity")
	.WithAnnotation(new ExistingAzureResourceAnnotation(AdminName));
	AdminIdentity = admin.Resource;
	DeploymentScriptNetworkSecurityGroup = builder.AddNetworkSecurityGroup($"{Name}-nsg")
	.WithSecurityRule(new AzureSecurityRule()
	{
	Name = "allow-outbound-443-AzureActiveDirectory",
	Priority = 100,
	Direction = SecurityRuleDirection.Outbound,
	Access = SecurityRuleAccess.Allow,
	Protocol = SecurityRuleProtocol.Tcp,
	SourceAddressPrefix = "*",
	SourcePortRange = "*",
	DestinationAddressPrefix = AzureServiceTags.AzureActiveDirectory,
	DestinationPortRange = "443",
	})
	.WithSecurityRule(new AzureSecurityRule()
	{
	Name = "allow-outbound-443-Sql",
	Priority = 200,
	Direction = SecurityRuleDirection.Outbound,
	Access = SecurityRuleAccess.Allow,
	Protocol = SecurityRuleProtocol.Tcp,
	SourceAddressPrefix = "*",
	SourcePortRange = "*",
	DestinationAddressPrefix = AzureServiceTags.Sql,
	DestinationPortRange = "443",
	}).Resource;
	builder.Eventing.Subscribe<BeforeStartEvent>((data, token) =>
	{
	PrepareDeploymentScriptInfrastructure(data.Model, this, createdStorage);
	return Task.CompletedTask;
	});
	// Create deployment script infrastructure (publish mode only) once per SQL server.
	// The BeforeStartEvent handler will remove the default storage if it's no longer
	// needed if the user swapped it via WithAdminDeploymentScriptStorage.
	if (AdminIdentity is null && DeploymentScriptNetworkSecurityGroup is null)
	{
	AzureStorageResource? createdStorage = null;
	if (DeploymentScriptStorage is null)
	{
	DeploymentScriptStorage = CreateDeploymentScriptStorage(builder, builder.CreateResourceBuilder(this)).Resource;
	createdStorage = DeploymentScriptStorage;
	}
	var admin = builder.AddAzureUserAssignedIdentity($"{Name}-admin-identity")
	.WithAnnotation(new ExistingAzureResourceAnnotation(AdminName));
	AdminIdentity = admin.Resource;
	DeploymentScriptNetworkSecurityGroup = builder.AddNetworkSecurityGroup($"{Name}-nsg")
	.WithSecurityRule(new AzureSecurityRule()
	{
	Name = "allow-outbound-443-AzureActiveDirectory",
	Priority = 100,
	Direction = SecurityRuleDirection.Outbound,
	Access = SecurityRuleAccess.Allow,
	Protocol = SecurityRuleProtocol.Tcp,
	SourceAddressPrefix = "*",
	SourcePortRange = "*",
	DestinationAddressPrefix = AzureServiceTags.AzureActiveDirectory,
	DestinationPortRange = "443",
	})
	.WithSecurityRule(new AzureSecurityRule()
	{
	Name = "allow-outbound-443-Sql",
	Priority = 200,
	Direction = SecurityRuleDirection.Outbound,
	Access = SecurityRuleAccess.Allow,
	Protocol = SecurityRuleProtocol.Tcp,
	SourceAddressPrefix = "*",
	SourcePortRange = "*",
	DestinationAddressPrefix = AzureServiceTags.Sql,
	DestinationPortRange = "443",
	}).Resource;
	builder.Eventing.Subscribe<BeforeStartEvent>((data, token) =>
	{
	PrepareDeploymentScriptInfrastructure(data.Model, this, createdStorage);
	return Task.CompletedTask;
	});
	}

[Copilot]

IAzurePrivateEndpointTargetNotification introduces a new public extensibility surface, but the XML docs don’t explain when OnPrivateEndpointCreated is called (run vs publish mode), what implementations are allowed/expected to do inside it, or any ordering/side-effect constraints. Please expand the docs (remarks + example) to make this contract clear to consumers implementing it.

Suggested change

	/// An optional interface that can be implemented by resources that are targets for
	/// Azure private endpoints, to receive a notification when a private endpoint is created for them.
	/// </summary>
	public interface IAzurePrivateEndpointTargetNotification : IAzurePrivateEndpointTarget
	{
	/// <summary>
	/// Handles the event that occurs when a new Azure private endpoint resource is created.
	/// </summary>
	/// <param name="privateEndpoint">The Azure private endpoint resource that was created. Cannot be null.</param>
	/// Defines a contract for resources that are targets for Azure private endpoints and want to
	/// receive notifications when private endpoint resources are created for them.
	/// </summary>
	/// <remarks>
	/// Implement this interface on a resource type that also implements <see cref="IAzurePrivateEndpointTarget"/>
	/// when you need to customize the Aspire application model each time an <see cref="AzurePrivateEndpointResource"/>
	/// is created targeting that resource.
	/// </remarks>
	public interface IAzurePrivateEndpointTargetNotification : IAzurePrivateEndpointTarget
	{
	/// <summary>
	/// Called by the hosting infrastructure when a new Azure private endpoint resource is created for this target.
	/// </summary>
	/// <param name="privateEndpoint">
	/// The builder for the Azure private endpoint resource that was created. This value is never <c>null</c>.
	/// </param>
	/// <remarks>
	/// <para>
	/// This callback is invoked as part of Aspire application model construction, during both "run" and "publish"
	/// workflows, whenever the hosting infrastructure creates an <see cref="AzurePrivateEndpointResource"/> that
	/// targets the implementing resource.
	/// Implementations should treat this method as a configuration hook for the <paramref name="privateEndpoint"/>
	/// and must not assume anything about the order in which different resources or callbacks are processed.
	/// </para>
	/// <para>
	/// Implementations are expected to:
	/// <list type="bullet">
	/// <item>
	/// <description>
	/// Restrict their work to updating the supplied <paramref name="privateEndpoint"/>, for example by configuring
	/// DNS zone groups, tags, or other application model metadata on the private endpoint resource.
	/// </description>
	/// </item>
	/// <item>
	/// <description>
	/// Avoid performing long-running or blocking operations, network calls, or other side effects external to the
	/// Aspire application model. This method should be fast and side-effect free with respect to external systems.
	/// </description>
	/// </item>
	/// <item>
	/// <description>
	/// Be idempotent. Callers may invoke this method more than once for the same logical endpoint during model
	/// construction, so implementations should tolerate duplicate calls without changing the resulting configuration.
	/// </description>
	/// </item>
	/// </list>
	/// </para>
	/// </remarks>
	/// <example>
	/// This example shows a resource that configures each created private endpoint by adding a custom parameter:
	/// <code>
	/// public sealed class MyDatabaseResource : IAzurePrivateEndpointTargetNotification
	/// {
	/// public void OnPrivateEndpointCreated(IResourceBuilder&lt;AzurePrivateEndpointResource&gt; privateEndpoint)
	/// {
	/// // Configure the private endpoint resource in the Aspire application model.
	/// privateEndpoint.WithParameter("dnsZoneGroupName", "my-database-dns-zone-group");
	/// }
	/// }
	/// </code>
	/// </example>

[Copilot]

The new public extension methods WithAdminDeploymentScriptSubnet / WithAdminDeploymentScriptStorage have <remarks> but no <example> / <code> section, while other public Azure SQL extension methods in this file (e.g., RunAsContainer) include a usage example. Consider adding an example showing a private-endpoint SQL server using these methods so consumers can apply them correctly.

[Copilot]

TriggerCleanupResourceGroup no longer starts the az group delete process (the process creation and Start() call are commented out). This will leave resource groups behind after the test run and can cause leaks/costs and quota issues in CI. Please re-enable the deletion or replace it with an equivalent cleanup mechanism (and ensure the cleanup path is still best-effort / fire-and-forget if that’s the intent).

[eerhardt]

@copilot - revert this change so th resource group gets cleaned up.

[Copilot]

AllocateDeploymentScriptSubnet can underflow and effectively loop for a very long time if the VNet CIDR range is smaller than a /29 (e.g., /30 or /31): candidate is computed with unsigned arithmetic and can wrap to a huge value, making the while (candidate >= vnetStart) loop iterate billions of times. Add an early guard that validates the VNet prefix provides at least 8 addresses (or directly checks vnetEnd - vnetStart + 1 >= blockSize) and fail fast with a clear exception when it doesn't.

[github-actions]

❌ Deployment E2E Tests failed

Summary: 23 passed, 1 failed, 0 cancelled

View workflow run

Passed Tests

• ✅ AksStarterWithRedisDeploymentTests
• ✅ AcaCustomRegistryDeploymentTests
• ✅ AksStarterDeploymentTests
• ✅ AcaCompactNamingUpgradeDeploymentTests
• ✅ AppServiceReactDeploymentTests
• ✅ PythonFastApiDeploymentTests
• ✅ AzureKeyVaultDeploymentTests
• ✅ AzureEventHubsDeploymentTests
• ✅ VnetSqlServerConnectivityDeploymentTests
• ✅ AppServicePythonDeploymentTests
• ✅ AcaStarterDeploymentTests
• ✅ AcaExistingRegistryDeploymentTests
• ✅ AzureServiceBusDeploymentTests
• ✅ AuthenticationTests
• ✅ VnetKeyVaultInfraDeploymentTests
• ✅ VnetStorageBlobInfraDeploymentTests
• ✅ AzureContainerRegistryDeploymentTests
• ✅ VnetSqlServerInfraDeploymentTests
• ✅ AzureStorageDeploymentTests
• ✅ AzureAppConfigDeploymentTests
• ✅ VnetKeyVaultConnectivityDeploymentTests
• ✅ VnetStorageBlobConnectivityDeploymentTests
• ✅ AzureLogAnalyticsDeploymentTests

Failed Tests

• ❌ AcaCompactNamingDeploymentTests

🎬 Terminal Recordings

Test	Recording
DeployAzureAppConfigResource	▶️ View Recording
DeployAzureContainerRegistryResource	▶️ View Recording
DeployAzureEventHubsResource	▶️ View Recording
DeployAzureKeyVaultResource	▶️ View Recording
DeployAzureLogAnalyticsResource	▶️ View Recording
DeployAzureServiceBusResource	▶️ View Recording
DeployAzureStorageResource	▶️ View Recording
DeployPythonFastApiTemplateToAzureAppService	▶️ View Recording
DeployPythonFastApiTemplateToAzureContainerApps	▶️ View Recording
DeployReactTemplateToAzureAppService	▶️ View Recording
DeployStarterTemplateToAks	▶️ View Recording
DeployStarterTemplateToAzureContainerApps	▶️ View Recording
DeployStarterTemplateWithCustomRegistry	▶️ View Recording
DeployStarterTemplateWithExistingRegistry	▶️ View Recording
DeployStarterTemplateWithKeyVaultPrivateEndpoint	▶️ View Recording
DeployStarterTemplateWithRedisToAks	▶️ View Recording
DeployStarterTemplateWithSqlServerPrivateEndpoint	▶️ View Recording
DeployStarterTemplateWithStorageBlobPrivateEndpoint	▶️ View Recording
DeployVnetKeyVaultInfrastructure	▶️ View Recording
DeployVnetSqlServerInfrastructure	▶️ View Recording
DeployVnetStorageBlobInfrastructure	▶️ View Recording
DeployWithCompactNamingFixesStorageCollision	▶️ View Recording
UpgradeFromGaToDevDoesNotDuplicateStorageAccounts	▶️ View Recording