Here is an example private endpoint network setup in a hub-spoke network topology:

This architecture deploys the Private DNS Zone to the hub network. Spoke deployments then update the private IP addresses of the services deployed to the spoke networks.
If you want to mimic a typical enterprise environment, create 3 different service principals in your environment (here using simplified naming conventions):

- `hub`: Contributor in the `rg-pedemo-hub` resource group
- `spoke1`: Contributor in the `rg-pedemo-spoke1` resource group
- `spoke2`: Contributor in the `rg-pedemo-spoke2` resource group
On top of the Contributor role, the service principals need additional permissions for VNet peering and for the Private DNS Zone. E.g. `spoke1` needs to update the Private DNS Zone record set in `rg-pedemo-hub` and create the VNet peering between the `spoke1` and hub VNets (the same permissions apply for `spoke2`). You can choose to use e.g. the Network Contributor role in your setup if you don't want to create a custom role.
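If you do want a custom role instead of Network Contributor, the following is an added example (not part of the original repository) of a least-privilege definition for the spoke service principals, assigned only on the hub VNet and the one Private DNS Zone they touch. It assumes a hub VNet named `vnet-hub` and a zone named `privatelink.blob.core.windows.net`; substitute your own names and the spoke principal's Application (client) ID.

```powershell
# Added example: least-privilege custom role for a spoke service principal.
# Assumed names: hub VNet "vnet-hub", zone "privatelink.blob.core.windows.net".
$subscriptionId = (Get-AzContext).Subscription.Id
$hubRg          = "rg-pedemo-hub"
$hubVnet        = "vnet-hub"                           # assumed hub VNet name
$zone           = "privatelink.blob.core.windows.net"  # assumed zone name
$spokeAppId     = "<spoke1 service principal Application (client) ID>"

# Start from an existing definition object and replace its actions,
# which is the pattern the Az module documents for custom roles.
$role = Get-AzRoleDefinition -Name "Reader"
$role.Id = $null
$role.IsCustom = $true
$role.Name = "PE Demo Spoke Hub Access"
$role.Description = "Peer a spoke VNet with the hub and manage A records in the hub Private DNS Zone"
$role.Actions.Clear()
@(
  "Microsoft.Network/virtualNetworks/read",
  "Microsoft.Network/virtualNetworks/peer/action",                  # hub side of the peering
  "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read",
  "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write", # only if the spoke template also creates the hub-side peering
  "Microsoft.Network/privateDnsZones/read",
  "Microsoft.Network/privateDnsZones/A/read",
  "Microsoft.Network/privateDnsZones/A/write",                      # the private IP record set
  "Microsoft.Network/privateDnsZones/A/delete",
  "Microsoft.Network/privateDnsZones/join/action"                   # only if the template uses privateDnsZoneGroups
) | ForEach-Object { $role.Actions.Add($_) }
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add("/subscriptions/$subscriptionId/resourceGroups/$hubRg")
$definition = New-AzRoleDefinition -Role $role

# Assign at resource scope rather than on the whole hub resource group, so the
# spoke principal can reach only the hub VNet and the single zone it needs.
$vnetScope = "/subscriptions/$subscriptionId/resourceGroups/$hubRg/providers/Microsoft.Network/virtualNetworks/$hubVnet"
$zoneScope = "/subscriptions/$subscriptionId/resourceGroups/$hubRg/providers/Microsoft.Network/privateDnsZones/$zone"
foreach ($scope in @($vnetScope, $zoneScope)) {
  New-AzRoleAssignment -ApplicationId $spokeAppId -RoleDefinitionName $definition.Name -Scope $scope
}

# Verify: the spoke principal should hold only this role inside the hub resource group.
Get-AzRoleAssignment -ResourceGroupName $hubRg |
  Where-Object { $_.RoleDefinitionName -eq $definition.Name } |
  Select-Object DisplayName, RoleDefinitionName, Scope
```

Run this while logged in as the hub owner (or any identity with `Microsoft.Authorization/*/write` on `rg-pedemo-hub`), not as the spoke principal itself.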
You can use the following code to log in as a service principal:

```powershell
$tenantId = "<your tenant id>"
$clientID = "<your service principal Application (client) ID>"
$clientSecret = "<your service principal secret>"
# Wrap the secret in a SecureString so it is not kept as plain text in the session
$clientPassword = ConvertTo-SecureString $clientSecret -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential($clientID, $clientPassword)
# Login-AzAccount is an alias of Connect-AzAccount
Login-AzAccount -Credential $credentials -ServicePrincipal -TenantId $tenantId
# Verify correct context
Get-AzSubscription
```
Now you can use the correct service principal for each deployment to deploy its individual template:

```powershell
bicep build .\hub\main.bicep && .\hub\deploy.ps1
bicep build .\spoke1\main.bicep && .\spoke1\deploy.ps1
bicep build .\spoke2\main.bicep && .\spoke2\deploy.ps1
```