How to Create System-Generated Private Endpoints for Azure Storage Account Using Bicep?

Gupta, Shalu 35

Hello everyone,

I am trying to provision an Azure Storage account along with private endpoints using a Bicep template. I am able to create the first two private endpoints (for blob and file) with the following Bicep code:

resource mlBlobStoragePrivateEndpoint 'Microsoft.Network/privateEndpoints@2022-11-01' = {
  name: mlBlobStoragePrivateEndpointName
  location: location
  properties: {
    subnet: {
      id: vnet::privateEndpointsSubnet.id
    }
    privateLinkServiceConnections: [
      {
        name: mlBlobStoragePrivateEndpointName
        properties: {
          groupIds: [
            'blob'
          ]
          privateLinkServiceId: mlStorage.id
        }
      }
    ]
  }
}
resource mlFileStoragePrivateEndpoint 'Microsoft.Network/privateEndpoints@2022-11-01' = {
  name: mlFileStoragePrivateEndpointName
  location: location
  properties: {
    subnet: {
      id: vnet::privateEndpointsSubnet.id
    }
    privateLinkServiceConnections: [
      {
        name: mlFileStoragePrivateEndpointName
        properties: {
          groupIds: [
            'file'
          ]
          privateLinkServiceId: mlStorage.id
        }
      }
    ]
  }
}

These create private endpoints for blob and file successfully. However, I noticed that two additional private endpoints (with _SYS_PE prefix) are automatically created by the Azure Portal when setting up the storage account. These are visible in the Private Endpoint Connections tab (see the attached screenshot).

I could not find any reference in the Azure documentation about how these system-generated endpoints are created. Here's what I want to know:

Are these system endpoints automatically created when using certain Azure services or configurations?
How can I replicate the creation of these _SYS private endpoints using a Bicep template?
Is there any special configuration or additional properties required in the Bicep code to enable these private endpoints?

Error Context: Additionally, I'm encountering an issue in my pipeline while creating data assets. Here's the error snippet:

Error in creating data asset with Exception:

1 answer

Vinodh247 27,976 MVP

Hi ,

Thanks for reaching out to Microsoft Q&A.

The _SYS_PE private endpoints for Azure Storage accounts are system-generated private endpoints used internally by Azure for specific operations or services (e.g., Azure Backup, Azure Data Lake). These are automatically created by Azure when certain configurations or features are enabled for your storage account. Let's address your queries step-by-step:

Are these system endpoints automatically created when using certain Azure services or configurations?

Yes, the _SYS_PE private endpoints are automatically created when you enable specific Azure services or features, such as:

Azure Backup for the storage account.
Azure Data Lake Storage (hierarchical namespace) features.
Services that internally rely on private communication to Azure-managed resources.

For example:

Enabling Azure Backup for a storage account automatically creates these private endpoints for backup-specific traffic.
Using Data Lake Storage Gen2 hierarchical namespace may create additional system private endpoints for internal operations.

How can I replicate the creation of these _SYS private endpoints using a Bicep template?

You cannot directly create _SYS_PE private endpoints using Bicep or any other Infrastructure-as-Code tools. These are managed by Azure and are created automatically when you configure certain features. However, you can:

Ensure the required configurations are enabled in your Bicep template, which may trigger Azure to create the system-generated private endpoints.
Examples of such configurations include enabling hierarchical namespace (isHnsEnabled) or Azure Backup policies.

Is there any special configuration or additional properties required in the Bicep code to enable these private endpoints?

The _SYS_PE endpoints are not explicitly configured. Instead, ensure the following in your Bicep template:

Enable the required feature or service: Ensure that hierarchical namespace, Azure Backup, or any dependent service is properly configured in the storage account's properties.
Private Endpoint Configuration: Ensure private endpoints for the relevant services (e.g., blob, file) are configured in the subnet.
Permissions: Ensure your service principal or account has adequate permissions (e.g., Storage Blob Data Contributor) for all private endpoint configurations.

Error Context

The error snippet you provided seems incomplete. Could you provide more details about the error, such as:

The full exception message.
The part of the pipeline or script where it occurs.

This will help narrow down the issue further.

Summary

_SYS_PE private endpoints are created automatically when enabling certain Azure features or services.
You cannot explicitly define _SYS_PE endpoints in Bicep, but enabling the relevant services or configurations will trigger Azure to create them.
Review your storage account and service configurations in Bicep to ensure all prerequisites for these private endpoints are met.

Please feel free to click the 'Upvote' (Thumbs-up) button and 'Accept as Answer'. This helps the community by allowing others with similar queries to easily find the solution.

Gupta, Shalu 35

Hi @Vinodh247 ,

Thank you for your detailed explanation and clarifications regarding the _SYS_PE private endpoints. I appreciate the step-by-step insights, especially around how these endpoints are automatically created based on specific configurations or features.

To provide additional context, here’s the situation I’m encountering:

The _SYS_PE private endpoint configuration is present in the production environment storage account but missing in the development environment storage account.
I’ve compared both the JSON and Bicep scripts for the configurations in these environments but couldn’t pinpoint what enables this in production and why it is absent in development.

The issue arises when I try to run the pipeline to create an Azure ML endpoint in ML Studio. Specifically, the error occurs in the Register Test Data step. I suspected that this might be related to the absence of the _SYS_PE setting in the storage account. Below is the full error log for reference:

1) Resource was not found.

Details:
(x) Asset marketing_buddy_flow_train_eval does not exist in workspace mlws-ufscbres-dev.
Resolutions:
1) Double-check that the resource has been specified correctly and that you have access to it.
If using the CLI, you can also check the full log in debug mode for more details by adding --debug to the end of your command
Additional Resources: The easiest way to author a yaml specification file is using IntelliSense and auto-completion Azure ML VS code extension provides: 
2024-11-25 12:07:00,953 - register_data_asset - INFO - Processing element: {'PROMPT_FLOW_CONFIG_NAME': 'marketing_buddy_flow', 'ENV_NAME': 'dev', 'DATA_PURPOSE': 'eval_data', 'DATA_PATH': 'data/eval_data_new.jsonl', 'DATASET_NAME': 'marketing_buddy_flow_train_new_eval', 'RELATED_EXP_DATASET': 'marketing_buddy_flow_train_new', 'DATASET_DESC': 'this dataset is for evaluating flows'}
2024-11-25 12:07:00,953 - register_data_asset - INFO - Inside first if
2024-11-25 12:07:00,953 - register_data_asset - INFO - elem data purpose: eval_data
2024-11-25 12:07:00,953 - register_data_asset - INFO - elem environment_name: dev

Pipeline scipt:

parameters:
  - name: exec_environment
    displayName: "Execution Environment"
    default: "dev"
  - name: flow_to_execute
    displayName: "type of model to execute"
  - name: deployment_type
    displayName: "determine type of deployment - aks, aml, docker, webapp"
  - name: connection_details
    displayName: "determine the variable containing all connection details"
  - name: registry_details
    displayName: "determine the variable containing acr details"

stages:
  - stage: execute_prompt_experiment
    jobs:
      - job: Execute_ml_Job_Pipeline
        steps:
          - template: templates/configure_azureml_agent.yml

          - template: templates/get_connection_details.yml
          #=====================================
          # Registers experiment dataset in Azure ML as Data Asset
          # Reads appropriate field values from data_config.json based on environment and data purpose
          #=====================================
          - template: templates/execute_python_code.yml
            parameters:
              step_name: "Register Training Data"
              script_parameter: |
                python -m llmops.common.register_data_asset \
                  --subscription_id "$(SUBSCRIPTION_ID)" \
                  --data_purpose "training_data" \
                  --flow_to_execute ${{ parameters.flow_to_execute }} \
                  --env_name ${{ parameters.exec_environment }}

          #=====================================
          # Executes Standard flow for a scenario
          # Generates Reports for each RUN as well as consolidated one
          # Execute a RUN for each unique variant combination (keeping default variant id for other nodes)
          # Loads appropriate experiment data from Azure ML data asset
          # Reads appropriate field values from mapping_config.json based on environment and evaluation flow name
          # Prompt Flow connections should pre-exist
          # used automatic (serverless) runtime by default
          # writes the RUN ID in run_id.txt file. Used in next step
          #=====================================
          - template: templates/execute_python_code.yml
            parameters:
              step_name: "Execute Standard Flow"
              script_parameter: |
                python -m llmops.common.prompt_pipeline \
                  --subscription_id "$(SUBSCRIPTION_ID)" \
                  --build_id $(BUILD.BUILDID) \
                  --env_name ${{ parameters.exec_environment }} \
                  --flow_to_execute ${{ parameters.flow_to_execute }} \
                  --data_purpose "training_data" \
                  --output_file run_id.txt

          #=====================================
          # Reads run_id.txt file. Assigns it to variable RUN_NAME
          # RUN_NAME Used in next step for evaluation of flows
          #=====================================
          - task: AzureCLI@2
            displayName: Read Standard Flow run_id
            name: read_run_id
            inputs:
              azureSubscription: $(AZURE_RM_SVC_CONN)
              scriptType: bash
              scriptLocation: inlineScript
              workingDirectory: $(System.DefaultWorkingDirectory)
              inlineScript: |
                readarray arr <"run_id.txt"
                run_name=${arr[0]}
                echo $run_name
                echo "##vso[task.setvariable variable=RUN_NAME;isOutput=true;]$run_name"

          #=====================================
          # Registers evaluation dataset in Azure ML as Data Asset
          # Reads appropriate field values from data_config.json based on environment and data purpose
          #=====================================
          - template: templates/execute_python_code.yml
            parameters:
              step_name: "Register Test Data"
              script_parameter: |
                python -m llmops.common.register_data_asset \
                  --subscription_id "$(SUBSCRIPTION_ID)" \
                  --data_purpose "test_data" \
                  --flow_to_execute ${{ parameters.flow_to_execute }} \
                  --env_name ${{ parameters.exec_environment }}

  #=====================================
  # This starts the deployment stage. It will
  # - configure build agent by installing all dependencies
  # - registers the flow with Azure ML registry
  # - gets the latest flow version from registry
  # - deploys the flow to either Kubernetes or AML Compute as real time endpoint.
  #=====================================
  - stage: deploy_prompts
    displayName: deploy_prompts
    dependsOn:
      - execute_prompt_experiment
    variables:
      - name: run_id_from_submit_job
        value: $[ stageDependencies.execute_prompt_experiment.Execute_ml_Job_Pipeline.outputs['read_run_id.RUN_NAME'] ]
    #=====================================
    # Manual Approval is enabled by default
    # For removal of Manual Approval:
    # Remove the job ApproveDeployment
    # and remove its dependency from job deploy_flow
    #=====================================
    jobs:
      - job: ApproveDeployment
        displayName: Approve for prompt deployment
        pool: server
        timeoutInMinutes: 60 # job times out in 60 minutes
        steps:
          - task: ManualValidation@0
            timeoutInMinutes: 60 # task times out in 60 minutes
            inputs:
              #=====================================
              # Update the notification email id
              #=====================================
              notifyUsers: |
                ******@unilever.com
              instructions: "$(run_id_from_submit_job)"
              onTimeout: "reject"

      - job: deploy_flow
        dependsOn:
          - ApproveDeployment
        steps:
          - template: templates/get_connection_details.yml

          - template: templates/configure_azureml_agent.yml

          #=====================================
          # Registers the flow in Azure ML registry
          # Writes latest model version to model_version.txt file.
          # model_version.txt file is read in next step
          #=====================================
          - template: templates/execute_python_code.yml
            parameters:
              step_name: "Register Standard Flow"
              script_parameter: |
                python -m llmops.common.deployment.register_model \
                  --subscription_id $(SUBSCRIPTION_ID) \
                  --flow_to_execute ${{ parameters.flow_to_execute }} \
                  --output_file "model_version.txt" \
                  --build_id $(Build.Buildid) \
                  --env_name ${{ parameters.exec_environment }}

          #=====================================
          # Reads model_version.txt file. Assigns it to variable MODEL_VERSION
          # MODEL_VERSION Used in next step for deployment
          #=====================================
          - task: AzureCLI@2
            displayName: Read Model Version
            name: read_model_version
            inputs:
              azureSubscription: $(AZURE_RM_SVC_CONN)
              scriptType: bash
              scriptLocation: inlineScript
              workingDirectory: $(System.DefaultWorkingDirectory)
              inlineScript: |
                readarray arr <"model_version.txt"
                model_version=${arr[0]}
                echo $model_version
                echo "##vso[task.setvariable variable=MODEL_VERSION;isOutput=true;]$model_version"

          #=====================================
          # Executes Kubernetes deployment when parameter deployment_type == 'aks'
          # Reads 'kubernetes_endpoint' field values from deployment_config.json
          #=====================================
          - ${{ if eq(lower(parameters.deployment_type), 'aks') }}:
              - template: templates/kubernetes_deployment.yml
                parameters:
                  SUBSCRIPTION_ID: $(SUBSCRIPTION_ID)
                  flow_to_execute: ${{ parameters.flow_to_execute }}
                  DEPLOY_ENVIRONMENT: ${{ parameters.exec_environment }}
                  MODEL_VERSION: $(read_model_version.MODEL_VERSION)
                  KEY_VAULT_NAME: $(KEYVAULT_NAME)

          #=====================================
          # Executes AML Compute deployment when parameter deployment_type == 'aml'
          # Reads 'azure_managed_endpoint' field values from deployment_config.json
          #=====================================
          - ${{ if eq(lower(parameters.deployment_type), 'aml') }}:
              - template: templates/aml_real_deployment.yml
                parameters:
                  SUBSCRIPTION_ID: $(SUBSCRIPTION_ID)
                  flow_to_execute: ${{ parameters.flow_to_execute }}
                  DEPLOY_ENVIRONMENT: ${{ parameters.exec_environment }}
                  MODEL_VERSION: $(read_model_version.MODEL_VERSION)
                  KEY_VAULT_NAME: $(KEYVAULT_NAME)

          #=====================================
          # Executes Azure Webapp deployment when parameter
          # deployment_type == 'webapp' using docker image
          # Reads 'webapp_endpoint' field values from deployment_config.json
          #=====================================
          - ${{ if eq(lower(parameters.deployment_type), 'webapp') }}:
              - template: templates/webapp_deployment.yml
                parameters:
                  FLOW_TO_EXECUTE: ${{ parameters.flow_to_execute }}
                  DEPLOY_ENVIRONMENT: ${{ parameters.exec_environment }}
                  CONNECTION_DETAILS: ${{ parameters.connection_details }}
                  REGISTRY_DETAILS: ${{ parameters.registry_details }}

Given this, I suspect the absence of the _SYS_PE endpoints or a missing configuration in the development storage account might be causing the issue.

Additionally, I will follow your suggestion to review the configurations thoroughly and ensure that all prerequisites for these private endpoints are met. Please let me know if you have further insights or recommendations for resolving this discrepancy.

Thank you once again for your help!

Vinodh247 27,976 Reputation points MVP

2024-11-26T17:10:58.8+00:00
Compare Configurations and Enable Features in Development

To replicate the production environment, ensure the following settings match:

Hierarchical Namespace (HNS): Check if HNS is enabled on the storage account:
bash az storage account show --name <storage-account-name> --query
If disabled in development, enable it (this is irreversible):
bash az storage account update --name <storage-account-name> --enable-hierarchical-namespace
Azure Backup: Verify if Azure Backup is configured for the production storage account. If yes, replicate the configuration in development. Azure ML: Ensure that the storage account is properly integrated with Azure ML and assigned the necessary IAM roles:

Reader role for Azure ML.

Storage Blob Contributor or Storage Blob Data Contributor role for managing blobs.

Investigate Missing _SYS_PE Endpoints

_SYS_PE endpoints are system-managed. Verify if production has additional services configured (e.g., Azure Backup, ML pipelines, Data Lake) that could trigger their creation.

Use the following Azure CLI commands to check private endpoint connections:
bash az network private-endpoint-connection list --resource-group <rg-name> --name <storage-account-name>

If _SYS_PE endpoints appear in production but not in development, identify associated services or features that enabled them.

Role Assignments and Access

Ensure the service principal or identity running the pipeline has the necessary permissions:

Reader or Contributor role for the storage account.

Azure ML roles for managing datasets, such as Contributor or Owner.

Double-check that the data/eval_data_new.jsonl file path and dataset names are consistent in the development environment.

Debugging the ML Pipeline

Enable debug mode in the Azure ML pipeline for detailed error logs:
bash az ml pipeline run --file pipeline.yml --debug

Confirm that all variables (e.g., SUBSCRIPTION_ID, exec_environment) are correctly passed.

Sync Configuration Using Bicep

To ensure consistent configurations, explicitly declare settings in the Bicep template:
bicep resource storageAccount 'Microsoft.Storage/storageAccounts@2022-09-01' = { name: storageAccountName location: location kind: 'StorageV2' sku: { name: 'Standard_LRS' } properties: { isHnsEnabled: true }

}

- If enabling features triggers `_SYS_PE` creation, validate this with deployments. 6. Manually Trigger Private Endpoint Creation - If `_SYS_PE` endpoints are not created automatically despite matching configurations, consider manually creating equivalent private endpoints for the required sub-resources (e.g., `blob`, `file`): ```typescript bicep resource blobPrivateEndpoint 'Microsoft.Network/privateEndpoints@2022-11-01' = { name: 'blobEndpoint' location: location properties: { subnet: { id: subnet.id } privateLinkServiceConnections: [ { name: 'blobEndpointConnection' properties: { groupIds: ['blob'] privateLinkServiceId: storageAccount.id } } ] } }

Recommendations

Investigate System Features:

Compare all storage account features and services tied to production and development environments to identify discrepancies.

Pipeline Debugging:

Check the exact dataset registration step causing the issue and ensure all references and paths are valid.

Mirror Production Features:

Enable hierarchical namespaces, backup, and other services in development to replicate _SYS_PE endpoint behavior.

Share via

How to Create System-Generated Private Endpoints for Azure Storage Account Using Bicep?

1 answer

Your answer