

Nested Templates

The Nested Templates are built to be generic in nature with the ability to pass in the values needed to build your specific architecture. Below you will find details on how to utilize each of the nested templates in this folder:


Network Templates

VNet Template

This template will deploy a Virtual Network in Azure. It accepts a dynamic list of Subnets with their IP Ranges.

Typical Nested Template used before


Typical Nested Template used after


Utilizing Template

This template requires you to pass in the following parameters:

| Parameter | Description | Example |
|---|---|---|
| vNETName | Name of the Virtual Network | pocVNET |
| addressRange | Address range for the entire subnet | |
| subnets | Array of subnets with their IP range. The subnet name should be separated from the IP range with the \| delimiter | ["subnetA\|","subnetB\|","subnetC\|"] |


"vnetId": The resource id of the VNet created

Sample Deployment

  "name": "deployVNET",
  "type": "Microsoft.Resources/deployments",
  "apiVersion": "2017-05-10",
  "dependsOn": [
  "properties": {
    "mode": "Incremental",
    "templateLink": {
      "uri": "[variables('deployVNETTemplateURL')]",
      "contentVersion": ""
    "parameters": {
      "vNETName": {
        "value": "pocVNET"
      "addressRange": {
        "value": ""
      "subnets": {
        "value": [

NSG-EMPTY-ExistingSubnet Template

This template will deploy an empty NSG and attach it to an existing subnet.

Typical Nested Template used before


Typical Nested Template used after


Utilizing Template

This template requires you to pass in the following parameters:

| Parameter | Description | Example |
|---|---|---|
| virtualNetworkName | Name of the existing Virtual Network | pocVNET |
| subnetName | Name of the subnet in the existing VNet to attach the NSG to | subnetA |
| addressPrefix | The IP range of the subnet the NSG is being attached to | |
| nsgName | Name of the NSG | subnetA-NSG |
| privateEndpointNetworkPolicies | Boolean indicating whether private endpoint network policies are enabled | false |



Sample Deployment

    "name": "deployAKSNSG",
    "type": "Microsoft.Resources/deployments",
    "apiVersion": "2018-05-01",
    "resourceGroup": "[parameters('resourceGroup')]",
    "dependsOn": [
    "properties": {
      "mode": "Incremental",
      "templateLink": {
        "uri": "[variables('deployNSGEmptySETemplateURL')]",
        "contentVersion": ""
      "parameters": {
        "virtualNetworkName": {
          "value": "[variables('vnetName')]"
        "subnetName": {
          "value": "AKS-SN"
        "addressPrefix": {
          "value": "[reference('getAKSAddressPrefix').outputs.addressPrefix.value]"
        "nsgName": {
          "value": "AKS-NSG"
        "privateEndpointNetworkPolicies": {
          "value": false

NSG-EMPTY-ExistingSubnet with Service Endpoint Template

This template will deploy an empty NSG and attach it to an existing subnet.

Typical Nested Template used before


Typical Nested Template used after


Utilizing Template

This template requires you to pass in the following parameters:

| Parameter | Description | Example |
|---|---|---|
| virtualNetworkName | Name of the existing Virtual Network | pocVNET |
| subnetName | Name of the subnet in the existing VNet to attach the NSG to | subnetA |
| addressPrefix | The IP range of the subnet the NSG is being attached to | |
| nsgName | Name of the NSG | subnetA-NSG |
| privateEndpointNetworkPolicies | Boolean indicating whether private endpoint network policies are enabled | false |
| serviceEndpoints | Array of the service endpoints to enable | ["Microsoft.Sql"] |



Sample Deployment

    "name": "deployAKSNSG",
    "type": "Microsoft.Resources/deployments",
    "apiVersion": "2018-05-01",
    "resourceGroup": "[parameters('resourceGroup')]",
    "dependsOn": [
    "properties": {
      "mode": "Incremental",
      "templateLink": {
        "uri": "[variables('deployNSGEmptySETemplateURL')]",
        "contentVersion": ""
      "parameters": {
        "virtualNetworkName": {
          "value": "[variables('vnetName')]"
        "subnetName": {
          "value": "AKS-SN"
        "addressPrefix": {
          "value": "[reference('getAKSAddressPrefix').outputs.addressPrefix.value]"
        "nsgName": {
          "value": "AKS-NSG"
        "privateEndpointNetworkPolicies": {
          "value": false
        "serviceEndpoints": {
          "value": [

NSG-ExistingSubnet Template

This template will deploy an NSG and attach it to an existing subnet. You pass in the NSG rules for the NSG using an array.

Typical Nested Template used before


Typical Nested Template used after


Utilizing Template

This template requires you to pass in the following parameters:

| Parameter | Description | Example |
|---|---|---|
| virtualNetworkName | Name of the existing Virtual Network | pocVNET |
| subnetName | Name of the subnet in the existing VNet to attach the NSG to | subnetA |
| addressPrefix | The IP range of the subnet the NSG is being attached to | |
| nsgName | Name of the NSG | subnetA-NSG |
| securityRules | Array of security rules, each a string with a \| delimiter between fields | RuleName\|Description\|Protocol\|Source Port Range\|Destination Port Range\|Source Address Prefix\|Destination Address Prefix\|Access\|Priority\|Direction |
| privateEndpointNetworkPolicies | Boolean indicating whether private endpoint network policies are enabled | false |



Sample Deployment

  "name": "deployAKSNSG",
  "type": "Microsoft.Resources/deployments",
  "apiVersion": "2017-05-10",
  "dependsOn": [
  "properties": {
    "mode": "Incremental",
    "templateLink": {
      "uri": "[variables('deployNSGTemplateURL')]",
      "contentVersion": ""
    "parameters": {
      "virtualNetworkName": {
        "value": "pocVNET"
      "subnetName": {
        "value": "subnetB"
      "addressPrefix": {
        "value": "[reference(resourceId(resourceGroup().name, 'Microsoft.Network/virtualNetworks/subnets', 'pocVNEt', 'subnetB'), '2018-03-01').addressPrefix]"
      "nsgName": {
        "value": "subnetB-NSG"
      "securityRules": {
        "value": [
      "privateEndpointNetworkPolicies": {
        "value": false

NSG-ExistingSubnet with Service Endpoints Template

This template will deploy an NSG and attach it to an existing subnet. You pass in the NSG rules for the NSG using an array.

Typical Nested Template used before


Typical Nested Template used after


Utilizing Template

This template requires you to pass in the following parameters:

| Parameter | Description | Example |
|---|---|---|
| virtualNetworkName | Name of the existing Virtual Network | pocVNET |
| subnetName | Name of the subnet in the existing VNet to attach the NSG to | subnetA |
| addressPrefix | The IP range of the subnet the NSG is being attached to | |
| nsgName | Name of the NSG | subnetA-NSG |
| securityRules | Array of security rules, each a string with a \| delimiter between fields | RuleName\|Description\|Protocol\|Source Port Range\|Destination Port Range\|Source Address Prefix\|Destination Address Prefix\|Access\|Priority\|Direction |
| privateEndpointNetworkPolicies | Boolean indicating whether private endpoint network policies are enabled | false |
| serviceEndpoints | Array of the service endpoints to enable | ["Microsoft.Sql"] |
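
The delimited `securityRules` format documented for both NSG-ExistingSubnet templates can be checked before it is deployed. The Python below is an added example, not code from this repository: it splits each rule in the documented field order and flags malformed rules, invalid or duplicate priorities, and inbound Allow rules that expose SSH or RDP to any source. The mapping onto NSG property names, the function names and the sample rules are assumptions constructed for illustration.

```python
import ipaddress

# Field order as documented for the securityRules parameter.
FIELDS = ("name", "description", "protocol", "sourcePortRange",
          "destinationPortRange", "sourceAddressPrefix",
          "destinationAddressPrefix", "access", "priority", "direction")
PROTOCOLS = {"tcp", "udp", "icmp", "esp", "ah", "*"}
MGMT_PORTS = (22, 3389)  # SSH and RDP


def parse_rule(raw):
    """Split one delimited rule string into a dict keyed by FIELDS."""
    parts = [p.strip() for p in raw.split("|")]
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {raw!r}")
    rule = dict(zip(FIELDS, parts))
    if not rule["priority"].isdigit():
        raise ValueError(f"priority is not a number: {raw!r}")
    rule["priority"] = int(rule["priority"])
    return rule


def to_arm_rule(rule):
    """Shape a parsed rule like an NSG securityRules entry (assumed mapping)."""
    props = {key: value for key, value in rule.items() if key != "name"}
    return {"name": rule["name"], "properties": props}


def is_any_source(prefix):
    """True for '*', the Internet service tag, or a zero-length CIDR prefix."""
    if prefix.lower() in ("*", "internet"):
        return True
    try:
        return ipaddress.ip_network(prefix, strict=False).prefixlen == 0
    except ValueError:
        return False  # some other service tag, e.g. VirtualNetwork


def port_range_covers(port_range, port):
    """True if '*', 'N' or 'N-M' includes the given port."""
    if port_range == "*":
        return True
    low, _, high = port_range.partition("-")
    high = high or low
    if not (low.isdigit() and high.isdigit()):
        raise ValueError(f"bad port range: {port_range!r}")
    return int(low) <= port <= int(high)


def lint_rules(raw_rules):
    """Return (rule name, finding) pairs for a securityRules array."""
    findings, seen = [], {}
    for raw in raw_rules:
        try:
            rule = parse_rule(raw)
        except ValueError as err:
            findings.append(("<unparsed>", str(err)))
            continue
        name, direction = rule["name"], rule["direction"].lower()
        access = rule["access"].lower()
        if rule["protocol"].lower() not in PROTOCOLS:
            findings.append((name, f"unknown protocol {rule['protocol']!r}"))
        if access not in ("allow", "deny"):
            findings.append((name, f"unknown access {rule['access']!r}"))
        if direction not in ("inbound", "outbound"):
            findings.append((name, f"unknown direction {rule['direction']!r}"))
        if not 100 <= rule["priority"] <= 4096:
            findings.append((name, "priority outside 100-4096"))
        # Priorities must be unique per direction within one NSG.
        key = (direction, rule["priority"])
        if key in seen:
            findings.append((name, f"priority {rule['priority']} already used by {seen[key]}"))
        else:
            seen[key] = name
        # Management ports reachable from anywhere are the finding that matters most.
        if access == "allow" and direction == "inbound" \
                and is_any_source(rule["sourceAddressPrefix"]):
            for port in MGMT_PORTS:
                try:
                    exposed = port_range_covers(rule["destinationPortRange"], port)
                except ValueError as err:
                    findings.append((name, str(err)))
                    break
                if exposed:
                    findings.append((name, f"port {port} reachable from any source"))
    return findings


# Constructed sample input; 203.0.113.0/24 is a documentation range.
SAMPLE_RULES = [
    "Allow-HTTPS|Web traffic|Tcp|*|443|Internet|*|Allow|100|Inbound",
    "Allow-SSH-Any|Admin access|Tcp|*|22|*|*|Allow|110|Inbound",
    "Allow-RDP-Office|RDP from office|Tcp|*|3389|203.0.113.0/24|*|Allow|120|Inbound",
    "Allow-Wide|Port sweep|Tcp|*|3000-4000|0.0.0.0/0|*|Allow|120|Inbound",
    "Broken|missing fields|Tcp|*|80|*|Allow|130|Inbound",
    "Deny-All|Default deny|*|*|*|*|*|Deny|5000|Inbound",
]

if __name__ == "__main__":
    for rule_name, message in lint_rules(SAMPLE_RULES):
        print(f"{rule_name}: {message}")
```
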



Sample Deployment

  "name": "deployAKSNSG",
  "type": "Microsoft.Resources/deployments",
  "apiVersion": "2017-05-10",
  "dependsOn": [
  "properties": {
    "mode": "Incremental",
    "templateLink": {
      "uri": "[variables('deployNSGTemplateURL')]",
      "contentVersion": ""
    "parameters": {
      "virtualNetworkName": {
        "value": "pocVNET"
      "subnetName": {
        "value": "subnetB"
      "addressPrefix": {
        "value": "[reference(resourceId(resourceGroup().name, 'Microsoft.Network/virtualNetworks/subnets', 'pocVNEt', 'subnetB'), '2018-03-01').addressPrefix]"
      "nsgName": {
        "value": "subnetB-NSG"
      "securityRules": {
        "value": [
      "privateEndpointNetworkPolicies": {
        "value": false
      "serviceEndpoints": {
          "value": [

Public IP Address Template

This template will deploy a Standard SKU Public IP Address.

Typical Nested Template used before


Typical Nested Template used after


Utilizing Template

This template requires you to pass in the following parameters:

| Parameter | Description | Example |
|---|---|---|
| publicIpAddressName | Name of the public IP | poc-pip |
| sku | SKU for the Public IP. Either basic or standard | Standard |
| allocationMethod | Static or Dynamic allocation of IP | Static |


"publicIPID": The resource id of the public ip created

Sample Deployment

  "name": "deployPublicIP1",
  "type": "Microsoft.Resources/deployments",
  "apiVersion": "2017-05-10",
  "dependsOn": [],
  "properties": {
    "mode": "Incremental",
    "templateLink": {
      "uri": "[variables('deployPublicIPTemplateURL')]",
      "contentVersion": ""
    "parameters": {
      "publicIpAddressName": {
        "value": "pocpip"
      "sku": {
          "value": "Standard"
      "allocationMethod": {
          "value": "Static"

Get Network Interface IP Template

This template will return the first IP address assigned to an Azure Network Interface. This can be used to get an IP so you can add it to a Private DNS Zone.

Typical Nested Template used before


Typical Nested Template used after


Utilizing Template

This template requires you to pass in the following parameters:

| Parameter | Description | Example |
|---|---|---|
| nicID | ResourceId for the network interface | [reference('deploySqlServerPE').outputs.nicID.value] |


"nicIP": IP Address of the NIC

Sample Deployment

  "name": "getSqlServerNICIP",
  "type": "Microsoft.Resources/deployments",
  "apiVersion": "2017-05-10",
  "dependsOn": [
  "properties": {
    "mode": "Incremental",
    "templateLink": {
      "uri": "[variables('getNICIPUrL')]",
      "contentVersion": ""
    "parameters": {
      "nicID": {
        "value": "[reference('deploySqlServerPE').outputs.nicID.value]"

Private Endpoint

This template will create a Private Endpoint for any PaaS Service that has this functionality.

Typical Nested Template used before

Any PaaS Service that can utilize a Private Endpoint

Typical Nested Template used after


Utilizing Template

This template requires you to pass in the following parameters:

| Parameter | Description | Example |
|---|---|---|
| peName | Private Endpoint resource name | poc-sql-ep |
| resourceID | ResourceId for the network interface | [reference('deploySqlDb').outputs.sqlServerId.value] |
| vnetID | ResourceId for the Virtual Network the Private Endpoint will sit on | [reference('deployVNET').outputs.vnetId.value] |
| subnetName | Name of the subnet to place the private endpoint on | PrivateEP-SN |
| groupID | The ID(s) of the group(s) obtained from the remote resource that this private endpoint should connect to (string) | SqlServer |


"nicID": Resource ID of the virtual nic created by the Private Endpoint

Sample Deployment

  "name": "deploySqlServerPE",
  "type": "Microsoft.Resources/deployments",
  "apiVersion": "2017-05-10",
  "dependsOn": [
  "properties": {
    "mode": "Incremental",
    "templateLink": {
      "uri": "[variables('deployPrivateEndpointURL')]",
      "contentVersion": ""
    "parameters": {
      "peName": {
        "value": "[concat(parameters('sqlServerName'),'_pe')]"
      "resourceID": {
        "value": "[reference('deploySqlDb').outputs.sqlServerId.value]"
      "vnetID": {
        "value": "[reference('deployVNET').outputs.vnetId.value]"
      "subnetName": {
        "value": "PrivateEP-SN"
      "groupID": {
        "value": "SqlServer"

Private DNS Zone

This template will create a Private DNS Zone and attach it to a VNet. This is often used to resolve Private Endpoints within Azure.

Typical Nested Template used before


Typical Nested Template used after


Utilizing Template

This template requires you to pass in the following parameters:

| Parameter | Description | Example |
|---|---|---|
| zoneName | The DNS zone name | privatelink.database.windows.net |
| vnetID | ResourceId for the Virtual Network the Private DNS Zone will attach to | [reference('deployVNET').outputs.vnetId.value] |



Sample Deployment

  "name": "deploySqlDbDNSZone",
  "type": "Microsoft.Resources/deployments",
  "apiVersion": "2017-05-10",
  "dependsOn": [
  "properties": {
    "mode": "Incremental",
    "templateLink": {
      "uri": "[variables('deployDNSZoneTemplateURL')]",
      "contentVersion": ""
    "parameters": {
      "zone_name": {
        "value": "privatelink.database.windows.net"
      "vnet_id": {
        "value": "[reference('deployVNET').outputs.vnetID.value]"

Private DNS A Record

This template will create an A Record in an Azure Private DNS Zone

Typical Nested Template used before

PrivateDNSZone GetNicIP

Typical Nested Template used after


Utilizing Template

This template requires you to pass in the following parameters:

| Parameter | Description | Example |
|---|---|---|
| zoneName | The DNS zone name | privatelink.database.windows.net |
| recordName | Name of the record to be created | [parameters('sqlServerName')] |
| recordValue | IP Address to be associated with the A record | [reference('getSqlServerNICIP').outputs.nicIP.value] |



Sample Deployment

  "name": "createSqlDbARecord",
  "type": "Microsoft.Resources/deployments",
  "apiVersion": "2017-05-10",
  "dependsOn": [
  "properties": {
    "mode": "Incremental",
    "templateLink": {
      "uri": "[variables('deployDNSARecordTemplateURL')]",
      "contentVersion": ""
    "parameters": {
      "zoneName": {
        "value": "privatelink.database.windows.net"
      "recordName": {
        "value": "[parameters('sqlServerName')]"
      "recordValue": {
        "value": "[reference('getSqlServerNICIP').outputs.nicIP.value]"

This template will retrieve the address prefix for a subnet.

Typical Nested Template used before


Typical Nested Template used after


Utilizing Template

This template requires you to pass in the following parameters:

| Parameter | Description | Example |
|---|---|---|
| vnetName | Name of the virtual network | poc-vnet |
| subnetName | Name of the subnet within the virtual network | poc-subnet |



Sample Deployment

    "name": "getAKSAddressPrefix",
    "type": "Microsoft.Resources/deployments",
    "apiVersion": "2018-05-01",
    "resourceGroup": "[parameters('resourceGroup')]",
    "dependsOn": [
    "properties": {
      "mode": "Incremental",
      "templateLink": {
        "uri": "[variables('getSubnetAddressPrefixTemplateURL')]",
        "contentVersion": ""
      "parameters": {
        "vnetName": {
          "value": "[variables('vnetName')]"
        "subnetName": {
          "value": "AKS-SN"

Storage Templates

Storage Account

This template will create a storage account.

Typical Nested Template used before


Typical Nested Template used after


Utilizing Template

This template requires you to pass in the following parameters:

| Parameter | Description | Example |
|---|---|---|
| saName | The name of the storage account | pocsa |
| skuName | Name of the storage account SKU. Allowed values: Standard_LRS, Standard_GRS, Standard_RAGRS, Standard_ZRS, Premium_LRS, Premium_ZRS, Standard_GZRS, Standard_RAGZRS | Standard_LRS |
| skuTier | Standard or Premium | Standard |


saId: Resource ID of the storage account
saConnectionString: Connection string for the storage account

Sample Deployment

  "name": "createSqlDbARecord",
  "type": "Microsoft.Resources/deployments",
  "apiVersion": "2017-05-10",
  "dependsOn": [
  "properties": {
    "mode": "Incremental",
    "templateLink": {
      "uri": "[variables('deployDNSARecordTemplateURL')]",
      "contentVersion": ""
    "parameters": {
      "zoneName": {
        "value": "privatelink.database.windows.net"
      "recordName": {
        "value": "[parameters('sqlServerName')]"
      "recordValue": {
        "value": "[reference('getSqlServerNICIP').outputs.nicIP.value]"

Managed Identity Template

User Assigned Managed Identity Template

This template will create a User Assigned Managed Identity.

Typical Nested Template used before


Typical Nested Template used after


Utilizing Template

This template requires you to pass in the following parameters:

| Parameter | Description | Example |
|---|---|---|
| identityName | Name of the identity to be created | pocGW-Identity |


"principalId": The principal ID of the Managed Identity that was created
"resourceId": The resource id of the Managed Identity that was created

Sample Deployment

  "name": "createManagedIdentity",
  "type": "Microsoft.Resources/deployments",
  "apiVersion": "2017-05-10",
  "resourceGroup": "[parameters('resourceGroup')]",
  "dependsOn": [
  "properties": {
    "mode": "Incremental",
    "templateLink": {
      "uri": "[variables('createManagedIdentityTemplateURL')]",
      "contentVersion": ""
    "parameters": {
      "identityName": {
          "value": "[concat(parameters('applicationGatewayName'),'-identity')]"

Monitoring Template

Application Insights Template

This template will create an Application Insights.

Typical Nested Template used before


Typical Nested Template used after


Utilizing Template

This template requires you to pass in the following parameters:

| Parameter | Description | Example |
|---|---|---|
| name | Application Insights instance name | poc-appinsights |


"appInsightsID": The resource id of the Application Insights instance that was created

Sample Deployment

  "name": "deployAppInsights",
  "type": "Microsoft.Resources/deployments",
  "apiVersion": "2017-05-10",
  "dependsOn": [
  "properties": {
    "mode": "Incremental",
    "templateLink": {
      "uri": "[variables('deployAppInsightsTemplateURL')]",
      "contentVersion": ""
    "parameters": {
      "name": {
        "value": "[parameters('appInsightsName')]"

Log Analytics Workspace Template

This template will create a Log Analytics Workspace.

Typical Nested Template used before


Typical Nested Template used after


Utilizing Template

This template requires you to pass in the following parameters:

| Parameter | Description | Example |
|---|---|---|
| workspaceName | Log Analytics workspace name | poc-laworkspace |


"workspaceId": The resource id of the Log Analytics Workspace that was created
"workspaceKey": The primary key for the workspace
"customerId": The customer id for the workspace

Sample Deployment

  "name": "deployLAWorkspace",
  "type": "Microsoft.Resources/deployments",
  "apiVersion": "2017-05-10",
  "dependsOn": [
  "properties": {
    "mode": "Incremental",
    "templateLink": {
      "uri": "[variables('deployLogAnalyticsURL')]",
      "contentVersion": ""
    "parameters": {
      "workspaceName": {
        "value": "[parameters('workspaceName')]"

Enable VM Insights on an Existing VM Template

This template will enable VM Insights (Azure Monitor for VMs) on an existing VM.

Typical Nested Template used before


Typical Nested Template used after


Utilizing Template

This template requires you to pass in the following parameters:

| Parameter | Description | Example |
|---|---|---|
| vmResourceId | ResourceId for the VM to be monitored | [reference('deployJumpBox').outputs.vmID.value] |
| osType | Linux or Windows | Windows |
| workspaceResourceId | Resource ID of the Log Analytics workspace to use | [reference('deployLAWorkspace').outputs.workspaceId.value] |



Sample Deployment

  "name": "addJumpBoxInsights",
  "type": "Microsoft.Resources/deployments",
  "apiVersion": "2017-05-10",
  "dependsOn": [
  "properties": {
    "mode": "Incremental",
    "templateLink": {
      "uri": "[variables('addVMInsightsURL')]",
      "contentVersion": ""
    "parameters": {
      "VmResourceId": {
        "value": "[reference('deployJumpBox').outputs.vmID.value]"
      "osType": {
        "value": "Windows"
      "WorkspaceResourceId": {
        "value": "[reference('deployLAWorkspace').outputs.workspaceId.value]"

Enable APIM Diagnostic Template

This template will enable all diagnostic settings on an APIM resource to be sent to Log Analytics.

Typical Nested Template used before


Typical Nested Template used after


Utilizing Template

This template requires you to pass in the following parameters:

| Parameter | Description | Example |
|---|---|---|
| workspaceId | ResourceId for the Log Analytics workspace to use | [reference('deployLAWorkspace').outputs.workspaceId.value] |
| logs | Array of logs to collect from diagnostic settings | ["GatewayLogs"] |
| metrics | Array of metrics to collect from diagnostic settings | ["Capacity"] |
| apimName | Name of the APIM resource | poc-apim |



Sample Deployment


Enable AppGW Diagnostic Template

This template will enable all diagnostic settings on an Application Gateway resource to be sent to Log Analytics.

Typical Nested Template used before


Typical Nested Template used after


Utilizing Template

This template requires you to pass in the following parameters:

| Parameter | Description | Example |
|---|---|---|
| workspaceId | ResourceId for the Log Analytics workspace to use | [reference('deployLAWorkspace').outputs.workspaceId.value] |
| logs | Array of logs to collect from diagnostic settings | ["ApplicationGatewayAccessLog","ApplicationGatewayPerformanceLog","ApplicationGatewayFirewallLog"] |
| metrics | Array of metrics to collect from diagnostic settings | ["AllMetrics"] |
| appgwName | Name of the Application Gateway resource | poc-apim |



Sample Deployment

    "name": "deployAppGWDiagnostics",
    "type": "Microsoft.Resources/deployments",
    "apiVersion": "2018-05-01",
    "resourceGroup": "[parameters('resourceGroup')]",
    "dependsOn": [
    "properties": {
      "mode": "Incremental",
      "templateLink": {
        "uri": "[variables('deployAppGWDiagnosticsTemplateURL')]",
        "contentVersion": ""
      "parameters": {
        "workspaceId": {
            "value": "[reference('deployLogAnalytics').outputs.workspaceId.value]"
        "logs": {
            "value": [
        "metrics": {
            "value": [
        "appgwName": {
          "value": "[variables('applicationGatewayName')]"

Enable Azure Bastion Diagnostic Template

This template will enable diagnostic settings on a Bastion resource to be sent to Log Analytics.

Typical Nested Template used before


Typical Nested Template used after


Utilizing Template

This template requires you to pass in the following parameters:

| Parameter | Description | Example |
|---|---|---|
| workspaceId | ResourceId for the Log Analytics workspace to use | [reference('deployLAWorkspace').outputs.workspaceId.value] |
| logs | Array of logs to collect from diagnostic settings | ["BastionAuditLogs"] |
| bastionName | Name of the Bastion resource | poc-bastion |



Sample Deployment

    "name": "deployAzureBastionDiagnostics",
    "type": "Microsoft.Resources/deployments",
    "apiVersion": "2018-05-01",
    "resourceGroup": "[parameters('resourceGroup')]",
    "dependsOn": [
    "properties": {
      "mode": "Incremental",
      "templateLink": {
        "uri": "[variables('deployAzureBastionDiagnosticsTemplateURL')]",
        "contentVersion": ""
      "parameters": {
        "workspaceId": {
            "value": "[reference('deployLogAnalytics').outputs.workspaceId.value]"
        "logs": {
            "value": [
        "bastionName": {
          "value": "[variables('bastionHostName')]"

Enable Azure SQL DB Diagnostic Template

This template will enable diagnostic settings on an Azure SQL DB resource to be sent to Log Analytics.

Typical Nested Template used before


Typical Nested Template used after


Utilizing Template

This template requires you to pass in the following parameters:

| Parameter | Description | Example |
|---|---|---|
| workspaceId | ResourceId for the Log Analytics workspace to use | [reference('deployLAWorkspace').outputs.workspaceId.value] |
| logs | Array of logs to collect from diagnostic settings | ["AutomaticTuning","Errors","Timeouts","Deadlocks"] |
| metrics | Array of metrics to collect from diagnostic settings | ["Basic","InstanceAndAppAdvanced","WorkloadManagement"] |
| sqldbName | Name of the Azure SQL DB resource | poc-database |



Sample Deployment

    "name": "deploySQLDBDiagnostics",
    "type": "Microsoft.Resources/deployments",
    "apiVersion": "2018-05-01",
    "resourceGroup": "[parameters('resourceGroup')]",
    "dependsOn": [
    "properties": {
      "mode": "Incremental",
      "templateLink": {
        "uri": "[variables('deploySQLDBDiagnosticsTemplateURL')]",
        "contentVersion": ""
      "parameters": {
        "workspaceId": {
            "value": "[reference('deployLogAnalytics').outputs.workspaceId.value]"
        "logs": {
            "value": [
        "metrics": {
            "value": [
        "sqldbName": {
          "value": "[concat(variables('sqlServerName'),'/',variables('sqlDatabaseName'))]"

Security Template

Key Vault Template

This template will deploy an Azure Key Vault

Typical Nested Template used before


Typical Nested Template used after


Utilizing Template

This template requires you to pass in the following parameters:

| Parameter | Description | Example |
|---|---|---|
| vaultName | Key Vault name | poc-keyvault |


"vaultId": The resource id of the Key Vault that was created

Sample Deployment

  "name": "deployKeyVault",
  "type": "Microsoft.Resources/deployments",
  "apiVersion": "2017-05-10",
  "dependsOn": [
  "properties": {
    "mode": "Incremental",
    "templateLink": {
      "uri": "[variables('deployKeyVaultURL')]",
      "contentVersion": ""
    "parameters": {
      "vaultName": {
        "value": "[parameters('vaultName')]"
      "workspaceID": {
        "value": "[reference('deployLAWorkspace').outputs.workspaceId.value]"

Key Vault Secret Template

This template will add a secret to an Azure Key Vault

Typical Nested Template used before


Typical Nested Template used after


Utilizing Template

This template requires you to pass in the following parameters:

| Parameter | Description | Example |
|---|---|---|
| vaultName | Key Vault name | poc-keyvault |
| secretName | Secret name to add to Key Vault | supersecret |
| contentType | Type of data being added to secret | text/plain |
| value | Value of the secret being added | supersecretvalue |



Sample Deployment

  "name": "addKeyVaultSecret",
  "type": "Microsoft.Resources/deployments",
  "resourceGroup": "[parameters('keyVaultResourceGroup')]",
  "apiVersion": "2017-05-10",
  "dependsOn": [
  "properties": {
    "mode": "Incremental",
    "templateLink": {
      "uri": "[variables('addKeyVaultSecretTemplate')]",
      "contentVersion": ""
    "parameters": {
      "keyVaultName": {
          "value": "[parameters('keyVaultName')]"
      "secretName": {
        "value": "[parameters('keyVaultSecretName')]"
      "contentType": {
          "value": "[parameters('keyVaultContentType')]"
      "value": {
          "value": "[parameters('keyVaultSecretValue')]"

Key Vault Access Policy Template

This template will create an access policy to secrets in an existing Key Vault. It is currently limited to granting rights to secrets.

RBAC Role Assignment

This template will assign an RBAC role to a principal ID.

Typical Nested Template used before


Typical Nested Template used after


Utilizing Template

This template requires you to pass in the following parameters:

| Parameter | Description | Example |
|---|---|---|
| roleAssignmentName | Name of the role assignment | AKS Custom Admin |
| roleDefinitionId | Role ID that you are assigning | "4d97b98b-1d4f-4787-a291-c67834d212e7" |
| principalId | Principal ID that will be assigned the role | "[reference('deployAKSCluster').outputs.aksPrincipalId.value]" |
| scope | Scope of the role assignment | "[concat(subscription().id,'/resourceGroups/',parameters('resourceGroup'))]" |



Sample Deployment

    "name": "grantAKSMINetworkRole",
    "type": "Microsoft.Resources/deployments",
    "apiVersion": "2018-05-01",
    "resourceGroup": "[parameters('resourceGroup')]",
    "dependsOn": [
    "properties": {
      "mode": "Incremental",
      "templateLink": {
        "uri": "[variables('grantRBACTemplateURL')]",
        "contentVersion": ""
      "parameters": {
        "roleAssignmentName": {
          "value": "[parameters('aksNetworkGuid')]"
        "roleDefinitionId": {
          "value": "4d97b98b-1d4f-4787-a291-c67834d212e7"
        "principalId": {
          "value": "[reference('deployAKSCluster').outputs.aksPrincipalId.value]"
        "scope": {
          "value": "[concat(subscription().id,'/resourceGroups/',parameters('resourceGroup'))]"

IaaS Templates

Ubuntu Virtual Machine

This template will create an Ubuntu Virtual Machine.

Typical Nested Template used before


Typical Nested Template used after


Utilizing Template

This template requires you to pass in the following parameters:

| Parameter | Description | Example |
|---|---|---|
| subnetName | Subnet name where the NIC will be placed | shared-SN |
| virtualNetworkId | VNet ID where the NIC will be placed | [reference('deployVNet').outputs.vnetID.value] |
| virtualMachineName | Name of the Virtual Machine | pocVM |
| ubuntuOSVersion | Allowed values: 18.04-LTS, 16.04-LTS, 14.04.4-LTS | 18.04-LTS |
| adminUsername | Administrator username | LinuxAdmin |
| adminPassword | Administrator password | ABCabc1234 |
| zone | Availability zone to place the VM | 1 |


"vmID": Resource id of the virtual machine created
"nicID": Resource id of the nic created

Sample Deployment

  "name": "deployUbuntuBox",
  "comments":"NOTE: OS and Datadisks cannot be tagged when provisioned within VM.  Would need to provision DISK with tags first, then reference",
  "type": "Microsoft.Resources/deployments",
  "apiVersion": "2017-05-10",
  "dependsOn": [
  "properties": {
    "mode": "Incremental",
    "templateLink": {
      "uri": "[variables('deployUbuntuServerTemplateURL')]",
      "contentVersion": ""
    "parameters": {
      "subnetID": {
        "value": "[reference('deployVNET').outputs.sharedSubnetID.value]"
      "virtualMachineName": {
        "value": "[parameters('ubuntuName')]"
      "virtualMachineSize": {
        "value": "[parameters('ubuntuSize')]"
      "adminUsername": {
        "value": "[parameters('adminUserName')]"
      "adminPassword": {
        "value": "[parameters('adminPassword')]"
      "ubuntuOSVersion": {
        "value": "18.04-LTS"
      "zone": {
        "value": "1"

Windows Virtual Machine

This template will create a Windows Virtual Machine.

Typical Nested Template used before


Typical Nested Template used after


Utilizing Template

This template requires you to pass in the following parameters:

| Parameter | Description | Example |
|---|---|---|
| subnetID | Subnet ID where the NIC will be placed | [concat(reference('deployVNET').outputs.vnetId.value,'/subnets/Shared-SN')] |
| virtualMachineName | Name of the Virtual Machine | pocVM |
| virtualMachineSize | Azure VM Size for the VM | Standard_DS1_v2 |
| adminUsername | Administrator username | WindowsAdmin |
| adminPassword | Administrator password | ABCabc1234 |
| sku | SKU for the virtual machine being deployed | 2019-Datacenter |


"vmID": Resource id of the virtual machine created
"nicID": Resource id of the nic created

Sample Deployment

    "name": "deployJumpBox",
    "comments":"NOTE: OS and Datadisks cannot be tagged when provisioned within VM.  Would need to provision DISK with tags first, then reference",
    "type": "Microsoft.Resources/deployments",
    "apiVersion": "2018-05-01",
    "resourceGroup": "[parameters('resourceGroup')]",
    "dependsOn": [
    "properties": {
      "mode": "Incremental",
      "templateLink": {
        "uri": "[variables('deployWindowsServerTemplateURL')]",
        "contentVersion": ""
      "parameters": {
        "subnetID": {
          "value": "[concat(reference('deployVNET').outputs.vnetId.value,'/subnets/Shared-SN')]"
        "virtualMachineName": {
          "value": "[variables('jumpName')]"
        "virtualMachineSize": {
          "value": "[variables('jumpSize')]"
        "adminUsername": {
          "value": "[parameters('adminUserName')]"
        "adminPassword": {
          "value": "[parameters('adminPassword')]"
        "sku": {
          "value": "[variables('jumpSKU')]"

Azure Bastion Template

This template will deploy an Azure Bastion to an existing VNET

Typical Nested Template used before


Typical Nested Template used after


Utilizing Template

This template requires you to pass in the following parameters:

| Parameter | Description | Example |
|---|---|---|
| bastionHostName | Name for the bastion host | poc-bastionhost |
| subnetId | SubnetID of the subnet dedicated to Azure Bastion | [concat(reference('deployVNET').outputs.vnetId.value,'/subnets/AzureBastionSubnet')] |
| publicIpId | Resource ID of the public IP for the bastion host | [reference('deployPublicIPBastion').outputs.publicIPID.value] |



Sample Deployment

  "name": "deployPublicIPBastion",
  "type": "Microsoft.Resources/deployments",
  "apiVersion": "2017-05-10",
  "resourceGroup": "[parameters('resourceGroup')]",
  "dependsOn": [],
  "properties": {
    "mode": "Incremental",
    "templateLink": {
      "uri": "[variables('deployPublicIPTemplateURL')]",
      "contentVersion": ""
    "parameters": {
      "publicIpAddressName": {
        "value": "[concat(parameters('bastionHostName'),'pip1')]"
      "sku": {
          "value": "Standard"
      "allocationMethod": {
          "value": "Static"
  "name": "deployAzureBastion",
  "type": "Microsoft.Resources/deployments",
  "apiVersion": "2017-05-10",
  "dependsOn": [
  "properties": {
    "mode": "Incremental",
    "templateLink": {
      "uri": "[variables('deployAzureBastionTemplateURL')]",
      "contentVersion": ""
    "parameters": {
      "bastionHostName": {
          "value": "[parameters('bastionHostName')]"
      "subnetId": {
          "value": "[concat(reference('deployVNET').outputs.vnetId.value,'/subnets/AzureBastionSubnet')]"
      "publicIpId": {
          "value": "[reference('deployPublicIPBastion').outputs.publicIPID.value]"

Load Balancer Templates

AppGW with HTTP Listener Template

This template will deploy an Application Gateway with HTTP listeners and basic routing rules. Note that this does not deploy path-based routing or a private IP listener.

Typical Nested Template used before


Typical Nested Template used after


Utilizing Template

This template requires you to pass in the following parameters:

Parameter Description Example
applicationGatewayName Name of the Application Gateway pocAppGW
tier Standard, WAF, Standard_v2, WAF_v2 WAF_v2
skuSize Name of an application gateway SKU. - Standard_Small, Standard_Medium, Standard_Large, WAF_Medium, WAF_Large, Standard_v2, WAF_v2 WAF_v2
minCapacity Min number of AppGW Capacity 2
maxCapacity Max number of AppGW Capacity 4
zones The Availability Zones the AppGW can be scaled to ["1","2","3"]
subnetID Resource ID of the subnet the AppGW will sit on "[concat(reference('deployVNET').outputs.vnetId.value,'/subnets/AppGW-SN')]"
publicIpAddressesId Public IP for the Frontend. Format: name|publicIP Resource ID [
"[concat('PIP1|',reference('deployPublicIP1').outputs.publicIPID.value )]"
frontendPorts Ports that the AppGW will listen on. Format: name|port HTTP80|80
backendAddresses The backend pools for the AppGW. Format: name|backend IP or URL [
backendHttpSettings The HTTP Setting for the backend pool. Format: name|port|protocol|cookieBasedAffinity|RequestTimeout|path [
httpListeners The HTTP Listener Settings for the frontend ip: Format: name|frontend ip config name|frontend port name [
requestRoutingRules Routing rules for the AppGW. Format: name|httpListener name|backend pool name|backend http setting name [



Sample Deployment

  "name": "deployAppGW",
  "type": "Microsoft.Resources/deployments",
  "apiVersion": "2017-05-10",
  "dependsOn": [
  "properties": {
    "mode": "Incremental",
    "templateLink": {
      "uri": "[variables('deployAppGWHTTPListenerTemplateURL')]",
      "contentVersion": ""
    "parameters": {
      "applicationGatewayName": {
          "value": "[parameters('applicationGatewayName')]"
      "tier": {
          "value": "[parameters('appgwtier')]"
      "skuSize": {
          "value": "[parameters('appgwskuSize')]"
      "minCapacity": {
          "value": "[parameters('appgwMinCapacity')]",
      "maxCapacity": {
          "value": "[parameters('appgwMaxCapacity')]",
      "zones": {
          "value": "[parameters('appgwzones')]"
      "subnetID": {
          "value": "[concat(reference('deployVNET').outputs.vnetId.value,'/subnets/AppGW-SN')]"
      "publicIpAddressesIds": {
          "value": [
            "[concat('PIP1|',reference('deployPublicIP1').outputs.publicIPID.value )]"
      "frontendPorts": {
          "value": [
      "backendAddresses": {
          "value": [
      "backendHttpSettings": {
          "value": [
      "httpListeners": {
          "value": [
      "requestRoutingRules": {
          "value": [

AppGW with HTTPS Listener Template and Key Vault Integration

This template will deploy an Application Gateway with HTTPS listeners and basic routing rules. This will pull the template from an existing key vault with the certificate uploaded. The template makes the following assumptions:

  1. There will be a different certificate for each HTTP Listener
  2. There will be only a single certificate for each HTTP Listener
  3. The order of the certificate parameter will match the order you want them applied to the HTTP Listeners

Typical Nested Template used before


Typical Nested Template used after


Utilizing Template

This template requires you to pass in the following parameters:

Parameter Description Example
applicationGatewayName Name of the Application Gateway pocAppGW
tier Standard, WAF, Standard_v2, WAF_v2 WAF_v2
skuSize Name of an application gateway SKU. - Standard_Small, Standard_Medium, Standard_Large, WAF_Medium, WAF_Large, Standard_v2, WAF_v2 WAF_v2
minCapacity Min number of AppGW Capacity 2
maxCapacity Max number of AppGW Capacity 4
zones The Availability Zones the AppGW can be scaled to ["1","2","3"]
subnetID Resource ID of the subnet the AppGW will sit on "[concat(reference('deployVNET').outputs.vnetId.value,'/subnets/AppGW-SN')]"
keyVaultName The name of the Key Vault that contains the SSL certificates pocKeyVault
identityID The User Assigned Managed Identity resource ID that will be attached to the GW and used to pull the certificates poc-identity
certificates Reference to the certificates in the Key Vault. Format: Cert Name in AppGW|Path in KeyVault [
publicIpAddressesId Public IP for the Frontend. Format: name|publicIP Resource ID [
"[concat('PIP1|',reference('deployPublicIP1').outputs.publicIPID.value )]"
frontendPorts Ports that the AppGW will listen on. Format: name|port HTTP80|80
backendAddresses The backend pools for the AppGW. Format: name|backend IP or URL [
backendHttpSettings The HTTP Setting for the backend pool. Format: name|port|protocol|cookieBasedAffinity|RequestTimeout|path [
httpListeners The HTTP Listener Settings for the frontend ip: Format: name|frontend ip config name|frontend port name [
requestRoutingRules Routing rules for the AppGW. Format: name|httpListener name|backend pool name|backend http setting name [



Sample Deployment

  "name": "deployAppGW",
  "type": "Microsoft.Resources/deployments",
  "apiVersion": "2017-05-10",
  "resourceGroup": "[parameters('resourceGroup')]",
  "dependsOn": [
  "properties": {
    "mode": "Incremental",
    "templateLink": {
      "uri": "[variables('deployAppGWHTTPSListenerKVTemplateURL')]",
      "contentVersion": ""
    "parameters": {
      "applicationGatewayName": {
          "value": "[parameters('applicationGatewayName')]"
      "tier": {
          "value": "[parameters('appgwtier')]"
      "skuSize": {
          "value": "[parameters('appgwskuSize')]"
      "minCapacity": {
          "value": "[parameters('appgwMinCapacity')]",
      "maxCapacity": {
          "value": "[parameters('appgwMaxCapacity')]",
      "zones": {
          "value": "[parameters('appgwzones')]"
      "subnetID": {
          "value": "[concat(reference('deployVNET').outputs.vnetId.value,'/subnets/AppGW-SN')]"
      "publicIpAddressesIds": {
          "value": [
            "[concat('PIP1|',reference('deployPublicIP1').outputs.publicIPID.value )]"
      "keyVaultName": {
        "value": "[parameters('keyVaultName')]"
      "identityID": {
          "value": "[reference('createManagedIdentity').outputs.resourceId.value]"
      "certificates": {
          "value": "[parameters('certificates')]"
      "frontendPorts": {
          "value": [
      "backendAddresses": {
          "value": [
      "backendHttpSettings": {
          "value": [
      "httpListeners": {
          "value": [
      "requestRoutingRules": {
          "value": [
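
A pre-deployment consistency check for the pipe-delimited parameters that both AppGW templates take, covering the cross-references between listeners, ports, pools and settings, and the HTTPS template's one-certificate-per-listener assumption. This is an added example, not code from this repository: `validate_appgw`, the sample values, and the assumption that a listener's frontend ip config name is the name used in `publicIpAddressesIds` are illustrative, and it expects literal values rather than unresolved ARM expressions.

```python
# Added example: field layouts come from the parameter tables above;
# function names and sample values are constructed for illustration.
FIELDS = {
    "publicIpAddressesIds": 2,   # name|publicIP resource ID
    "frontendPorts": 2,          # name|port
    "backendAddresses": 2,       # name|backend IP or URL
    "backendHttpSettings": 6,    # name|port|protocol|cookieBasedAffinity|RequestTimeout|path
    "httpListeners": 3,          # name|frontend ip config name|frontend port name
    "requestRoutingRules": 4,    # name|httpListener|backend pool|backend http setting
    "certificates": 2,           # cert name in AppGW|path in Key Vault
}


def parse(params, key, errors):
    """Split each entry of params[key]; return {name: [remaining fields]}."""
    rows = {}
    for entry in params.get(key, []):
        parts = [p.strip() for p in entry.split("|")]
        if len(parts) != FIELDS[key] or not parts[0]:
            errors.append(f"{key}: '{entry}' needs {FIELDS[key]} fields and a name")
        elif parts[0] in rows:
            errors.append(f"{key}: duplicate name '{parts[0]}'")
        else:
            rows[parts[0]] = parts[1:]
    return rows


def port_ok(text):
    return text.isascii() and text.isdigit() and 1 <= int(text) <= 65535


def validate_appgw(params, https=False):
    """Return a list of problems; an empty list means the arrays are consistent."""
    errors = []
    t = {key: parse(params, key, errors) for key in FIELDS}

    for key in ("frontendPorts", "backendHttpSettings"):
        for name, rest in t[key].items():
            if not port_ok(rest[0]):
                errors.append(f"{key}: '{name}' has invalid port '{rest[0]}'")

    # Assumption: the frontend ip config name is the name in publicIpAddressesIds.
    for name, (ip_cfg, port_name) in t["httpListeners"].items():
        if ip_cfg not in t["publicIpAddressesIds"]:
            errors.append(f"httpListeners: '{name}' -> unknown frontend IP '{ip_cfg}'")
        if port_name not in t["frontendPorts"]:
            errors.append(f"httpListeners: '{name}' -> unknown frontend port '{port_name}'")

    for name, (listener, pool, setting) in t["requestRoutingRules"].items():
        for ref, table in ((listener, "httpListeners"), (pool, "backendAddresses"),
                           (setting, "backendHttpSettings")):
            if ref not in t[table]:
                errors.append(f"requestRoutingRules: '{name}' -> unknown {table} entry '{ref}'")

    # The HTTPS template pairs certificates with listeners by position,
    # one distinct certificate per listener, so the counts must match.
    if https and len(t["certificates"]) != len(t["httpListeners"]):
        errors.append(f"certificates: {len(t['certificates'])} given for "
                      f"{len(t['httpListeners'])} listeners (one each, same order)")
    return errors


# Constructed sample with three deliberate mistakes: listenerB uses an undefined
# port name, rule2 uses an undefined pool, and one certificate covers two listeners.
SAMPLE = {
    "publicIpAddressesIds": ["PIP1|/subscriptions/<sub-id>/resourceGroups/pocrg"
                             "/providers/Microsoft.Network/publicIPAddresses/pip1"],
    "frontendPorts": ["HTTPS443|443"],
    "backendAddresses": ["pool1|10.0.2.4"],
    "backendHttpSettings": ["set1|80|Http|Disabled|30|/"],
    "httpListeners": ["listenerA|PIP1|HTTPS443", "listenerB|PIP1|HTTPS8443"],
    "requestRoutingRules": ["rule1|listenerA|pool1|set1", "rule2|listenerB|pool2|set1"],
    "certificates": ["certA|<secret-path-in-key-vault>"],
}

if __name__ == "__main__":
    for problem in validate_appgw(SAMPLE, https=True):
        print(problem)
```

Running the check before deployment catches a listener silently paired with the wrong certificate or a routing rule pointing at a pool that does not exist, both of which the positional and name-based formats make easy to miss.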

Typical Nested Template used before


Typical Nested Template used after


Utilizing Template

This template requires you to pass in the following parameters:

Parameter Description Example
keyVaultName Name of the Key Vault to add the access policy poc-keyvault
secrets This is an array of the rights given to access secrets [ "get", "list", "set" ]
objectId The object id you want the rights granted to "[reference('createManagedIdentity').outputs.principalId.value]"



Sample Deployment

  "name": "deployKeyVaultAccess",
  "type": "Microsoft.Resources/deployments",
  "resourceGroup": "[parameters('keyVaultResourceGroup')]",
  "apiVersion": "2017-05-10",
  "dependsOn": [
  "properties": {
      "mode": "Incremental",
      "templateLink": {
      "uri": "[variables('deployKeyVaultAccessTemplate')]",
      "contentVersion": ""
      "parameters": {
          "keyVaultName": {
              "value": "[parameters('keyVaultName')]"
          "secrets": {
              "value": [
          "objectId": {
              "value": "[reference('createManagedIdentity').outputs.principalId.value]"

Container Templates

Private AKS Cluster

This template will deploy an AKS cluster with Linux nodes.

Typical Nested Template used before


Typical Nested Template used after


Utilizing Template

This template requires you to pass in the following parameters:

Parameter Description Example
aksResourceName The name of the Managed Cluster resource. pocAKSCluster
nodeResourceGroup The name of AKS node resource group. pocNodeRG
vnetName Name of the vnet the AKS Nodes will live pocVnet
subnetName Name of the subnet the AKS Nodes will live AKS-SN
dnsPrefix Optional DNS prefix to use with hosted Kubernetes API server FQDN.
vmSize Size of the nodes to be deployed Standard_DS2_v2
osDiskSizeGB Size of the OS disk. Allowed values between 0-1023 1023
kubernetesVersion The version of Kubernetes. 1.7.7
networkPlugin Network plugin used for building Kubernetes network. Allowed values: azure or kubenet azure
numNodes Number of nodes to run in the cluster 3
enableRBAC Boolean flag to turn on and off of RBAC. true
enablePrivateCluster Enable private network access to the Kubernetes cluster. true
enableHttpApplicationRouting Boolean flag to turn on and off http application routing. false
networkPolicy Network policy used for building Kubernetes network. calico
vnetSubnetID Resource ID of the subnet where the nodes will exist [reference('deployVNET').outputs.aksSubnetID.value]
serviceCidr A CIDR notation IP range from which to assign service cluster IPs.
dnsServiceIP Containers DNS server IP address.
dockerBridgeCidr A CIDR notation IP for Docker bridge.


"controlPlaneFQDN": The FQDN for the AKS Control Plane
"aksID": The resource id for the AKS Cluster

Sample Deployment

  "name": "deployPrivateAKSCluster",
  "comments":"apiVersion is flagged, but haven't changed as not sure if this is needed for some features.",
  "type": "Microsoft.Resources/deployments",
  "apiVersion": "2019-10-01",
  "dependsOn": [
  "properties": {
    "mode": "Incremental",
    "templateLink": {
      "uri": "[variables('deployAzureAKSTemplateURL')]",
      "contentVersion": ""
    "parameters": {
      "aksResourceName": {
        "value": "[parameters('aksResourceName')]"
      "nodeResourceGroup": {
        "value": "[parameters('nodeResourceGroup')]"
      "vnetName" : {
        "value": "[parameters('vnetName')]"
      "subnetName" : {
        "value": "AKS-SN"
      "dnsPrefix": {
          "value": "[parameters('dnsPrefix')]"
      "kubernetesVersion": {
          "value": "[parameters('kubernetesVersion')]"
      "networkPlugin": {
          "value": "[parameters('networkPlugin')]"
      "enableRBAC": {
          "value": "[parameters('enableRBAC')]"
      "vmssNodePool": {
          "value": "[parameters('vmssNodePool')]"
      "enablePrivateCluster": {
          "value": "[parameters('enablePrivateCluster')]"
      "enableHttpApplicationRouting": {
          "value": "[parameters('enableHttpApplicationRouting')]"
      "networkPolicy": {
          "value": "[parameters('networkPolicy')]"
      "vnetSubnetID": {
          "value": "[reference('deployVNET').outputs.aksSubnetID.value]"
      "serviceCidr": {
          "value": "[parameters('serviceCidr')]"
      "dnsServiceIP": {
          "value": "[parameters('dnsServiceIP')]"
      "dockerBridgeCidr": {
          "value": "[parameters('dockerBridgeCidr')]"

Azure Container Registry Template

This template will deploy an Azure Container Registry

Typical Nested Template used before


Typical Nested Template used after


Utilizing Template

This template requires you to pass in the following parameters:

Parameter Description Example
acrName Azure Container Registry name poc-acr


"acrId": The resource id of the Azure Container Registry created

Sample Deployment

  "name": "deployACR",
  "type": "Microsoft.Resources/deployments",
  "apiVersion": "2017-05-10",
  "dependsOn": [
  "properties": {
    "mode": "Incremental",
    "templateLink": {
      "uri": "[variables('deployACRURL')]",
      "contentVersion": ""
    "parameters": {
      "acrName": {
        "value": "[parameters('acrName')]"

Web Management

APIM Template

This template will deploy an Azure API Management Instance

Typical Nested Template used before


Typical Nested Template used after


Utilizing Template

This template requires you to pass in the following parameters:

Parameter Description Example
apimName Name for the APIM instance poc-apim
sku Allowed Values: Basic, Consumption, Developer, Standard, Premium Standard
capacity Capacity of the SKU (number of deployed units of the SKU). 2
apimEmail Publisher email example@microsoft.com
subnetID Resource ID of the subnet that APIM will sit on [concat(reference('deployVNET').outputs.vnetId.value,'/subnets/APIM-SN')]
publisherName Publisher Name Microsoft
virtualNetworkType Allowed Values: Internal, External Internal
disableGateway Boolean allowing you to disable the gateway false


"APIMIP": The resource id of the APIM Instance created

Sample Deployment

  "name": "deployAPIM",
  "type": "Microsoft.Resources/deployments",
  "apiVersion": "2017-05-10",
  "dependsOn": [
  "properties": {
    "mode": "Incremental",
    "templateLink": {
      "uri": "[variables('deployAPIMTemplateURL')]",
      "contentVersion": ""
    "parameters": {
      "apimname": {
        "value": "[parameters('apimName')]"
      "sku": {
        "value": "[parameters('apimsku')]"
      "capacity": {
        "value": "[parameters('apimcapacity')]"
      "apimEmail": {
        "value": "[parameters('apimEmail')]"
      "subnetID": {
        "value": "[concat(reference('deployVNET').outputs.vnetId.value,'/subnets/APIM-SN')]"
      "publisherName": {
        "value": "[parameters('apimPublisherName')]"
      "virtualNetworkType": {
        "value": "[parameters('apimVirtualNetworkType')]"
      "disableGateway": {
        "value": "[parameters('apimDisableGateway')]"

Azure Redis Cache VNet Integrated Template

This template will deploy a premium version of Azure Redis Cache injected on a VNet

Typical Nested Templates used before


Typical Nested Templates used after


Utilizing Template

This template requires you to pass in the following parameters:

Parameter Description Example
cacheName Name for the Azure Redis Cache poc-azurecache
capacity The size of the Redis cache to deploy 2
subnetId Resource ID of the subnet it will reside on [concat(reference('deployVNET').outputs.vnetId.value,'/subnets/AzureBastionSubnet')]
saConnectionString Storage Account Connection String [reference('deployStorage').outputs.saConnectionString.value]
ipAddress IP Address to be assigned to cache
backupEnabled Boolean either enabling or disabling backup true
backupFrequency How often to run a backup 90
maxSnapshots Maximum number of snapshots allowed 10



Sample Deployment

  "name": "deployAzureCacheVault",
  "type": "Microsoft.Resources/deployments",
  "apiVersion": "2017-05-10",
  "dependsOn": [
  "properties": {
    "mode": "Incremental",
    "templateLink": {
      "uri": "[variables('deployAzureCacheBusURL')]",
      "contentVersion": ""
    "parameters": {
      "cacheName": {
        "value": "[parameters('cacheName')]"
      "subnetId": {
        "value": "[concat(reference('deployVNET').outputs.vnetId.value,'/subnets/privateep-SN')]"
      "saConnectionString": {
        "value": "[reference('deployPrivateStorage').outputs.saConnectionString.value]"
      "ipAddress": {
        "value": ""
      "bakcupEnabled": {
        "value": true
      "backupFrequency": {
        "value": 90
      "maxSnaphots": {
        "value": 10

Data Templates

Azure SQL Database

This template will deploy an Azure SQL Database

Typical Nested Templates used before


Typical Nested Templates used after


Utilizing Template

This template requires you to pass in the following parameters:

Parameter Description Example
administratorLogin Admin Login for the SQL Server sqladmin
administratorLoginPassword Admin password for the SQL Server SecretPassword01
serverName SQL Server Name to host the Azure SQL DB pocSQLServer
publicNetworkAccess Boolean value on if public network access is allowed to the SQL Server false
useVAManagedIdentity Boolean value on whether to create a System Managed Identity true
allowAzureIps Boolean value on if Azure IPs are allowed through firewall true
collation The collation of the database. SQL_Latin1_General_CP1_CI_AS
databaseName Name of the Azure DB to be created pocDB
tier The tier or edition of the particular SKU, e.g. Basic, Premium. GeneralPurpose
skuName The name of the SKU, typically, a letter + Number code, e.g. P3. GP_S_Gen5_24
maxSizeBytes The max size of the database expressed in bytes. 1024
sampleName The name of the sample schema to apply when creating this database. - AdventureWorksLT, WideWorldImportersStd, WideWorldImportersFull WideWorldImportersFull
zoneRedundant Whether or not this database is zone redundant, which means the replicas of this database will be spread across multiple availability zones true
licenseType The license type to apply for this database. - LicenseIncluded or BasePrice LicenseIncluded
readScaleOut If enabled, connections that have application intent set to readonly in their connection string may be routed to a readonly secondary replica. This property is only settable for Premium and Business Critical databases. - Enabled or Disabled Disabled
numberOfReplicas The number of readonly secondary replicas associated with the database to which readonly application intent connections may be routed. This property is only settable for Hyperscale edition databases. 0
minCapacity Minimal capacity that database will always have allocated, if not paused 2
autoPauseDelay Time in minutes after which database is automatically paused. A value of -1 means that automatic pause is disabled -1


sqlServerId: Resource ID of the SQL Server created

Sample Deployment

    "name": "deploySqlDb",
    "type": "Microsoft.Resources/deployments",
    "apiVersion": "2018-05-01",
    "resourceGroup": "[parameters('resourceGroup')]",
    "dependsOn": [
    "properties": {
      "mode": "Incremental",
      "templateLink": {
        "uri": "[variables('deployAzureSqlDbURL')]",
        "contentVersion": ""
      "parameters": {
        "collation": {
          "value": "SQL_Latin1_General_CP1_CI_AS"
        "databaseName": {
            "value": "[variables('sqlDatabaseName')]"
        "tier": {
            "value": "GeneralPurpose"
        "skuName": {
            "value": "GP_S_Gen5_24"
        "maxSizeBytes": {
            "value": 1099511627776
        "sampleName": {
            "value": ""
        "serverName": {
            "value": "[variables('sqlServerName')]"
        "zoneRedundant": {
            "value": false
        "licenseType": {
            "value": ""
        "readScaleOut": {
            "value": "Disabled"
        "numberOfReplicas": {
            "value": 0
        "minCapacity": {
            "value": "3"
        "autoPauseDelay": {
            "value": "180"
        "useVAManagedIdentity": {
            "value": true
        "administratorLogin": {
          "value": "[parameters('adminUsername')]"
        "administratorLoginPassword": {
            "value": "[parameters('adminPassword')]"
        "publicNetworkAccess": {
          "value": "Disabled"

Azure SQL Database Allow VNet

This template will allow an Azure Virtual Network access to an Azure SQL DB.

Typical Nested Templates used before


Typical Nested Templates used after


Utilizing Template

This template requires you to pass in the following parameters:

Parameter Description Example
serverName SQL Server name poc-sqlserver
subnetID Subnet ID that will be allowed to access the database [concat(reference('deployVNET').outputs.vnetId.value,'/subnets/AKS-SN')]


sqlServerId: Resource ID of the SQL Server created

Sample Deployment

    "name": "allowAKSVNet",
    "type": "Microsoft.Resources/deployments",
    "apiVersion": "2018-05-01",
    "resourceGroup": "[parameters('resourceGroup')]",
    "dependsOn": [
    "properties": {
      "mode": "Incremental",
      "templateLink": {
        "uri": "[variables('allowSQLVNetTemplateURL')]",
        "contentVersion": ""
      "parameters": {
        "serverName": {
            "value": "[variables('sqlServerName')]"
        "subnetID": {
            "value": "[concat(reference('deployVNET').outputs.vnetId.value,'/subnets/AKS-SN')]"

Configuration Scripts

DSC AKS-SQL Configuration

This template is an example of deploying a DSC script to a virtual machine. This script configures AKS with a SQL backend.

Typical Nested Templates used before


Typical Nested Templates used after


Utilizing Template

This template requires you to pass in the following parameters:

Parameter Description Example
vmName VM name where the dsc script will run poc-jump
configModuleURL URL for the dsc script [variables('jumpConfigModuleURL')]
configFunction Function in the script to be executed [variables('jumpConfigFunction')]
lbIP IP address to use in the load balancer in AKS
acrName Name of the Azure Container registry to store the docker images poc-acr
aksName Name of the AKS resource in Azure poc-aks
gwName Name of the AppGW resource to use as a front end. poc-appgw
rgName Resource group that contains your resources pocrg
saName Name of a storage account to utilize. poc-sa
aiKey Application Insights Instrumentation Key. [reference('deployAppInsights').outputs.aiKey.value]
sqlName SQL Server name. poc-sql
dbName Database name that is on the sql server. exampledb
sqlAdmin Account that has SQL admin rights pocAdmin
sqlPwd Password for the SQL admin account SecurePassword123
saKey Storage Account Key for the storage account saName [reference('deploySAAccount').outputs.saKey.value]



Sample Deployment

    "name": "configJumpBox",
    "type": "Microsoft.Resources/deployments",
    "apiVersion": "2018-05-01",
    "resourceGroup": "[parameters('resourceGroup')]",
    "dependsOn": [
    "properties": {
      "mode": "Incremental",
      "templateLink": {
        "uri": "[variables('addDSCExtension')]",
        "contentVersion": ""
      "parameters": {
        "vmName": {
          "value": "[variables('jumpName')]"
        "configModuleURL": {
          "value": "[variables('jumpConfigModuleURL')]"
        "configFunction": {
          "value": "[variables('jumpConfigFunction')]"
        "lbIP": {
          "value": "[variables('lbIP')]"
        "acrName": {
          "value": "[variables('acrName')]"
        "aksName": {
          "value": "[variables('AksresourceName')]"
        "gwName": {
          "value": "[variables('applicationGatewayName')]"
        "rgName": {
          "value": "[parameters('resourceGroup')]"
        "saName": {
            "value": "[variables('saName')]"
        "aiKey": {
            "value": "[reference('deployAppInsights').outputs.aiKey.value]"
        "sqlName": {
            "value": "[variables('sqlServerName')]"
        "dbName": {
            "value": "[variables('sqlDatabaseName')]"
        "sqlAdmin": {
            "value": "[parameters('adminUserName')]"
        "sqlPwd": {
            "value": "[parameters('adminPassword')]"
        "saKey": {
          "value": "[reference('deploySAAccount').outputs.saKey.value]"