2025

High Scale Private Endpoints

Today one of my colleagues asked an excellent question which had me stumped. He was looking at the Virtual Network Terraform Resource and found the private_endpoint_vnet_policies property, but couldn’t find any documentation explaining the purpose. So I tried my own Google-fu and similarly failed to find any information. I did manage to find the privateEndpointVNetPolicies property of the Microsoft.Network/virtualNetworks api, but as normal the API documentation expects you to understand the settings, it doesn’t explain them to you.

Use a Parameter to Assign User Assigned Managed Identities to Resources with Bicep

Isn’t that title a mouthful.

Coming from Terraform, there are somethings that seem strange in Bicep. One of those is the way that the Resource Manager API handles assigning User Assigned Managed Identities (UAMIs). If you look at the API documentation for a resource (in this case we are going to use an Event Hub Namespace, but this applies to all resources that can have a UAMI assigned) you will see that the userAssignedIdentities value of the identity property looks lkie this:

2024

Automatic Virtual Network CIDR Assignments with Azure IPAM and Bicep

Recently Microsoft announced a public preview of native IP Address Management in Azure, powered by Virtual Network Manager. Being new technology, and with a new landing zone to build, I decided to test and see if we could use it to make IP management simpler.

The starting point was to completely miss the documentation and try and work it out myself. Sadly, the API documentation has yet to be updated to cover the new properties, and tracing the portal requests didn’t help either, since it uses a slightly different flow (sigh!).

Self-Hosted GitHub Runners FOR FREE!

I recently had the privilege of opening the New Zealand GitHub User Group with a presentation on using Azure Container Apps for self-hosted GitHub Actions Runners. The recording of the session is available on YouTube.

Deploy a Flex Consumption Function App with Terraform

Update

As of v4.21.0 of the AzureRM provider, there is now a native azurerm_function_app_flex_consumption resource for deploying Flex Consumption Function Apps.

Azure Virtual WAN Route Maps and Reflected Routes

Microsoft have make controlling routing within a Virtual WAN much easier thanks to a combination of Routing Intent and Route Maps (in preview at time of writing). Route Maps work in the same manner (at least theoretically) to route map configuratons network administrators are used to in on-premises equipment.

In testing tehm out for a customer, I ran straight into a problem. I like to keep things tidy, and when I looked at the output of the outbound route map configuration for a site to site VPN with AWS, I didn’t like that it showed all my AWS routes being published back out to the VPN. So I configured a route map rule to drop reflected routes.

2022

App Service, App Settings, and Container Registry with Managed Identity

Managed Identities in Azure are a wonderful thing. No passwords to change, no keys to rotate. The biggest shame is that frequently they seem to be implemented as an afterthought.

One example I recently ran into was the use of an App Service Managed Identity to pull a container from Azure Container Registry. While you can configure an App Service to pull from ACR with a Managed Identity, what the documentation doesn’t tell you is that you still need the DOCKER_REGISTRY_SERVER_USERNAME and DOCKER_REGISTRY_SERVER_PASSWORD App Settings to be configured on the App Service. It doesn’t matter what values you put in these, the point is they must exist. If they don’t, the container will fail to pull with a credential error.