Private endpoints.

Author: sivakami

.pipelines/swiftv2-long-running/scripts/create_pe.sh

@@ -0,0 +1,49 @@
+#!/usr/bin/env bash
+set -e
+trap 'echo "[ERROR] Failed during Private Endpoint or DNS setup." >&2' ERR
+
+SUBSCRIPTION_ID=$1
+LOCATION=$2
+RG=$3
+SA1_NAME=$4  # from previous script (storage account 1)
+SA2_NAME=$5  # from previous script (storage account 2)
+VNET_A1="cx_vnet_a1"
+
+SUBNET_PE_A1="pe"
+PE_NAME="${SA1_NAME}-pe"
+PRIVATE_DNS_ZONE="privatelink.blob.core.windows.net"
+LINK_NAME="${VNET_A1}-link"
+
+echo "==> Creating Private DNS zone: $PRIVATE_DNS_ZONE"
+az network private-dns zone create -g "$RG" -n "$PRIVATE_DNS_ZONE" --output none \
+  && echo "[OK] DNS zone $PRIVATE_DNS_ZONE created."
+
+echo "==> Linking DNS zone $PRIVATE_DNS_ZONE to VNet $VNET_A1"
+az network private-dns link-vnet create \
+  -g "$RG" -n "$LINK_NAME" \
+  --zone-name "$PRIVATE_DNS_ZONE" \
+  --virtual-network "$VNET_A1" \
+  --registration-enabled false --output none \
+  && echo "[OK] Linked DNS zone to $VNET_A1."
+
+echo "==> Creating Private Endpoint for Storage Account: $SA1_NAME"
+SA1_ID=$(az storage account show -g "$RG" -n "$SA1_NAME" --query id -o tsv)
+az network private-endpoint create \
+  -g "$RG" -n "$PE_NAME" -l "$LOCATION" \
+  --vnet-name "$VNET_A1" --subnet "$SUBNET_PE_A1" \
+  --private-connection-resource-id "$SA1_ID" \
+  --group-id blob \
+  --connection-name "${PE_NAME}-conn" \
+  --output none \
+  && echo "[OK] Private Endpoint $PE_NAME created for $SA1_NAME."
+
+echo "==> Linking Private Endpoint to DNS zone"
+NIC_ID=$(az network private-endpoint show -g "$RG" -n "$PE_NAME" --query 'networkInterfaces[0].id' -o tsv)
+FQDN=$(az storage account show -g "$RG" -n "$SA1_NAME" --query 'primaryEndpoints.blob' -o tsv | sed 's#https://##; s#/##')
+PRIVATE_IP=$(az network nic show --ids "$NIC_ID" --query 'ipConfigurations[0].privateIpAddress' -o tsv)
+
+az network private-dns record-set a add-record \
+  -g "$RG" -z "$PRIVATE_DNS_ZONE" -n "$FQDN" -a "$PRIVATE_IP" --output none \
+  && echo "[OK] Added Private DNS record for $SA1_NAME → $PRIVATE_IP"
+
+echo "Private Endpoint setup complete for $SA1_NAME (accessible only within VNet A1)."

.pipelines/swiftv2-long-running/scripts/create_storage.sh

@@ -30,3 +30,7 @@ for SA in "$SA1" "$SA2"; do
 done
 
 echo "All storage accounts created successfully."
+set +x
+	echo "##vso[task.setvariable variable=StorageAccount1;isOutput=true]$SA1"
+	echo "##vso[task.setvariable variable=StorageAccount2;isOutput=true]$SA2"
+set -x

.pipelines/swiftv2-long-running/template/long-running-pipeline-template.yaml

@@ -92,6 +92,7 @@ stages:
         steps:
           - checkout: self
           - task: AzureCLI@2
+            name: CreateStorageTask
             displayName: "Run create_storage.sh"
             inputs:
               azureSubscription: ${{ parameters.serviceConnection }}
@@ -102,6 +103,9 @@ stages:
                 ${{ parameters.subscriptionId }}
                 ${{ parameters.location }}
                 ${{ parameters.resourceGroupName }}
+        outputs:
+          StorageAccount1: $[ dependencies.Create_Storage.outputs['CreateStorageTask.StorageAccount1'] ]
+          StorageAccount2: $[ dependencies.Create_Storage.outputs['CreateStorageTask.StorageAccount2'] ]
 
       # ------------------------------------------------------------
       # Job 5: Create NSG
@@ -124,3 +128,29 @@ stages:
                 ${{ parameters.subscriptionId }}
                 ${{ parameters.resourceGroupName }}
                 ${{ parameters.location }}
+      # ------------------------------------------------------------
+      # Job 6: Create Private Endpoint
+      # ------------------------------------------------------------
+      - job: Create_PrivateEndpoint
+        displayName: "Create Private Endpoint for Storage"
+        dependsOn: Create_Storage
+        pool:
+          vmImage: ubuntu-latest
+        variables:
+          StorageAccount1: $[ dependencies.Create_Storage.outputs['CreateStorageTask.StorageAccount1'] ]
+          StorageAccount2: $[ dependencies.Create_Storage.outputs['CreateStorageTask.StorageAccount2'] ]
+        steps:
+          - checkout: self
+          - task: AzureCLI@2
+            displayName: "Run create_private_endpoint.sh"
+            inputs:
+              azureSubscription: ${{ parameters.serviceConnection }}
+              scriptType: bash
+              scriptLocation: scriptPath
+              scriptPath: ".pipelines/swiftv2-long-running/scripts/create_private_endpoint.sh"
+              arguments: >
+                ${{ parameters.subscriptionId }}
+                ${{ parameters.location }}
+                ${{ parameters.resourceGroupName }}
+                $(StorageAccount1)
+                $(StorageAccount2)