Bicep resource definition
The storageAccounts resource type can be deployed with operations that target:
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.Storage/storageAccounts resource, add the following Bicep to your template.
```bicep
resource symbolicname 'Microsoft.Storage/storageAccounts@2021-04-01' = {
  scope: resourceSymbolicName or scope
  extendedLocation: {
    name: 'string'
    type: 'string'
  }
  identity: {
    type: 'string'
    userAssignedIdentities: {
      {customized property}: {}
    }
  }
  kind: 'string'
  location: 'string'
  name: 'string'
  properties: {
    accessTier: 'string'
    allowBlobPublicAccess: bool
    allowCrossTenantReplication: bool
    allowSharedKeyAccess: bool
    azureFilesIdentityBasedAuthentication: {
      activeDirectoryProperties: {
        azureStorageSid: 'string'
        domainGuid: 'string'
        domainName: 'string'
        domainSid: 'string'
        forestName: 'string'
        netBiosDomainName: 'string'
      }
      defaultSharePermission: 'string'
      directoryServiceOptions: 'string'
    }
    customDomain: {
      name: 'string'
      useSubDomainName: bool
    }
    encryption: {
      identity: {
        userAssignedIdentity: 'string'
      }
      keySource: 'string'
      keyvaultproperties: {
        keyname: 'string'
        keyvaulturi: 'string'
        keyversion: 'string'
      }
      requireInfrastructureEncryption: bool
      services: {
        blob: {
          enabled: bool
          keyType: 'string'
        }
        file: {
          enabled: bool
          keyType: 'string'
        }
        queue: {
          enabled: bool
          keyType: 'string'
        }
        table: {
          enabled: bool
          keyType: 'string'
        }
      }
    }
    isHnsEnabled: bool
    isNfsV3Enabled: bool
    keyPolicy: {
      keyExpirationPeriodInDays: int
    }
    largeFileSharesState: 'string'
    minimumTlsVersion: 'string'
    networkAcls: {
      bypass: 'string'
      defaultAction: 'string'
      ipRules: [
        {
          action: 'Allow'
          value: 'string'
        }
      ]
      resourceAccessRules: [
        {
          resourceId: 'string'
          tenantId: 'string'
        }
      ]
      virtualNetworkRules: [
        {
          action: 'Allow'
          id: 'string'
          state: 'string'
        }
      ]
    }
    routingPreference: {
      publishInternetEndpoints: bool
      publishMicrosoftEndpoints: bool
      routingChoice: 'string'
    }
    sasPolicy: {
      expirationAction: 'string'
      sasExpirationPeriod: 'string'
    }
    supportsHttpsTrafficOnly: bool
  }
  sku: {
    name: 'string'
  }
  tags: {
    {customized property}: 'string'
  }
}
```
Property Values
Microsoft.Storage/storageAccounts
| Name | Description | Value | 
|---|---|---|
| extendedLocation | Optional. Set the extended location of the resource. If not set, the storage account will be created in Azure main region. Otherwise it will be created in the specified extended location | ExtendedLocation | 
| identity | The identity of the resource. | Identity | 
| kind | Required. Indicates the type of storage account. | 'BlobStorage' 'BlockBlobStorage' 'FileStorage' 'Storage' 'StorageV2' (required) | 
| location | Required. Gets or sets the location of the resource. This will be one of the supported and registered Azure Geo Regions (e.g. West US, East US, Southeast Asia, etc.). The geo region of a resource cannot be changed once it is created, but if an identical geo region is specified on update, the request will succeed. | string (required) | 
| name | The resource name | string Constraints: Min length = 3 Max length = 24 (required) | 
| properties | The parameters used to create the storage account. | StorageAccountPropertiesCreateParametersOrStorageAccountProperties | 
| scope | Use when creating a resource at a scope that is different than the deployment scope. | Set this property to the symbolic name of a resource to apply the extension resource. | 
| sku | Required. Gets or sets the SKU name. | Sku (required) | 
| tags | Resource tags | Dictionary of tag names and values. See Tags in templates | 
ActiveDirectoryProperties
| Name | Description | Value | 
|---|---|---|
| azureStorageSid | Specifies the security identifier (SID) for Azure Storage. | string (required) | 
| domainGuid | Specifies the domain GUID. | string (required) | 
| domainName | Specifies the primary domain that the AD DNS server is authoritative for. | string (required) | 
| domainSid | Specifies the security identifier (SID). | string (required) | 
| forestName | Specifies the Active Directory forest to get. | string (required) | 
| netBiosDomainName | Specifies the NetBIOS domain name. | string (required) | 
AzureFilesIdentityBasedAuthentication
| Name | Description | Value | 
|---|---|---|
| activeDirectoryProperties | Required if you choose AD. | ActiveDirectoryProperties | 
| defaultSharePermission | Default share permission for users using Kerberos authentication if RBAC role is not assigned. | 'None' 'StorageFileDataSmbShareContributor' 'StorageFileDataSmbShareElevatedContributor' 'StorageFileDataSmbShareOwner' 'StorageFileDataSmbShareReader' | 
| directoryServiceOptions | Indicates the directory service used. | 'AADDS' 'AD' 'None' (required) | 
CustomDomain
| Name | Description | Value | 
|---|---|---|
| name | Gets or sets the custom domain name assigned to the storage account. Name is the CNAME source. | string (required) | 
| useSubDomainName | Indicates whether indirect CName validation is enabled. Default value is false. This should only be set on updates. | bool | 
Encryption
| Name | Description | Value | 
|---|---|---|
| identity | The identity to be used with service-side encryption at rest. | EncryptionIdentity | 
| keySource | The encryption keySource (provider). Possible values (case-insensitive): Microsoft.Storage, Microsoft.Keyvault | 'Microsoft.Keyvault' 'Microsoft.Storage' (required) | 
| keyvaultproperties | Properties provided by key vault. | KeyVaultProperties | 
| requireInfrastructureEncryption | A boolean indicating whether or not the service applies a secondary layer of encryption with platform managed keys for data at rest. | bool | 
| services | List of services which support encryption. | EncryptionServices | 
EncryptionIdentity
| Name | Description | Value | 
|---|---|---|
| userAssignedIdentity | Resource identifier of the UserAssigned identity to be associated with server-side encryption on the storage account. | string | 
EncryptionService
| Name | Description | Value | 
|---|---|---|
| enabled | A boolean indicating whether or not the service encrypts the data as it is stored. | bool | 
| keyType | Encryption key type to be used for the encryption service. 'Account' key type implies that an account-scoped encryption key will be used. 'Service' key type implies that a default service key is used. | 'Account' 'Service' | 
EncryptionServices
| Name | Description | Value | 
|---|---|---|
| blob | The encryption function of the blob storage service. | EncryptionService | 
| file | The encryption function of the file storage service. | EncryptionService | 
| queue | The encryption function of the queue storage service. | EncryptionService | 
| table | The encryption function of the table storage service. | EncryptionService | 
ExtendedLocation
| Name | Description | Value | 
|---|---|---|
| name | The name of the extended location. | string | 
| type | The type of the extended location. | 'EdgeZone' | 
Identity
| Name | Description | Value | 
|---|---|---|
| type | The identity type. | 'None' 'SystemAssigned' 'SystemAssigned,UserAssigned' 'UserAssigned' (required) | 
| userAssignedIdentities | Gets or sets a list of key value pairs that describe the set of User Assigned identities that will be used with this storage account. The key is the ARM resource identifier of the identity. Only 1 User Assigned identity is permitted here. | IdentityUserAssignedIdentities | 
IdentityUserAssignedIdentities
| Name | Description | Value | 
|---|---|---|
IPRule
| Name | Description | Value | 
|---|---|---|
| action | The action of IP ACL rule. | 'Allow' | 
| value | Specifies the IP or IP range in CIDR format. Only IPV4 address is allowed. | string (required) | 
KeyPolicy
| Name | Description | Value | 
|---|---|---|
| keyExpirationPeriodInDays | The key expiration period in days. | int (required) | 
KeyVaultProperties
| Name | Description | Value | 
|---|---|---|
| keyname | The name of KeyVault key. | string | 
| keyvaulturi | The Uri of KeyVault. | string | 
| keyversion | The version of KeyVault key. | string | 
NetworkRuleSet
| Name | Description | Value | 
|---|---|---|
| bypass | Specifies whether traffic is bypassed for Logging/Metrics/AzureServices. Possible values are any combination of Logging\|Metrics\|AzureServices (for example, "Logging, Metrics"), or None to bypass none of that traffic. | 'AzureServices' 'Logging' 'Metrics' 'None' | 
| defaultAction | Specifies the default action of allow or deny when no other rules match. | 'Allow' 'Deny' (required) | 
| ipRules | Sets the IP ACL rules | IPRule[] | 
| resourceAccessRules | Sets the resource access rules | ResourceAccessRule[] | 
| virtualNetworkRules | Sets the virtual network rules | VirtualNetworkRule[] | 
ResourceAccessRule
| Name | Description | Value | 
|---|---|---|
| resourceId | Resource Id | string | 
| tenantId | Tenant Id | string | 
RoutingPreference
| Name | Description | Value | 
|---|---|---|
| publishInternetEndpoints | A boolean flag which indicates whether internet routing storage endpoints are to be published | bool | 
| publishMicrosoftEndpoints | A boolean flag which indicates whether microsoft routing storage endpoints are to be published | bool | 
| routingChoice | Routing Choice defines the kind of network routing opted by the user. | 'InternetRouting' 'MicrosoftRouting' | 
SasPolicy
| Name | Description | Value | 
|---|---|---|
| expirationAction | The SAS expiration action. Can only be Log. | 'Log' (required) | 
| sasExpirationPeriod | The SAS expiration period, DD.HH:MM:SS. | string (required) | 
Sku
| Name | Description | Value | 
|---|---|---|
| name | The SKU name. Required for account creation; optional for update. Note that in older versions, SKU name was called accountType. | 'Premium_LRS' 'Premium_ZRS' 'Standard_GRS' 'Standard_GZRS' 'Standard_LRS' 'Standard_RAGRS' 'Standard_RAGZRS' 'Standard_ZRS' (required) | 
StorageAccountCreateParametersTags
| Name | Description | Value | 
|---|---|---|
StorageAccountPropertiesCreateParametersOrStorageAccountProperties
| Name | Description | Value | 
|---|---|---|
| accessTier | Required for storage accounts where kind = BlobStorage. The access tier used for billing. | 'Cool' 'Hot' | 
| allowBlobPublicAccess | Allow or disallow public access to all blobs or containers in the storage account. The default interpretation is true for this property. | bool | 
| allowCrossTenantReplication | Allow or disallow cross AAD tenant object replication. The default interpretation is true for this property. | bool | 
| allowSharedKeyAccess | Indicates whether the storage account permits requests to be authorized with the account access key via Shared Key. If false, then all requests, including shared access signatures, must be authorized with Azure Active Directory (Azure AD). The default value is null, which is equivalent to true. | bool | 
| azureFilesIdentityBasedAuthentication | Provides the identity based authentication settings for Azure Files. | AzureFilesIdentityBasedAuthentication | 
| customDomain | User domain assigned to the storage account. Name is the CNAME source. Only one custom domain is supported per storage account at this time. To clear the existing custom domain, use an empty string for the custom domain name property. | CustomDomain | 
| encryption | Not applicable. Azure Storage encryption is enabled for all storage accounts and cannot be disabled. | Encryption | 
| isHnsEnabled | Account HierarchicalNamespace enabled if set to true. | bool | 
| isNfsV3Enabled | NFS 3.0 protocol support enabled if set to true. | bool | 
| keyPolicy | KeyPolicy assigned to the storage account. | KeyPolicy | 
| largeFileSharesState | Allow large file shares if set to Enabled. It cannot be disabled once it is enabled. | 'Disabled' 'Enabled' | 
| minimumTlsVersion | Set the minimum TLS version to be permitted on requests to storage. The default interpretation is TLS 1.0 for this property. | 'TLS1_0' 'TLS1_1' 'TLS1_2' | 
| networkAcls | Network rule set | NetworkRuleSet | 
| routingPreference | Maintains information about the network routing choice opted by the user for data transfer | RoutingPreference | 
| sasPolicy | SasPolicy assigned to the storage account. | SasPolicy | 
| supportsHttpsTrafficOnly | Allows https traffic only to storage service if set to true. The default value is true since API version 2019-04-01. | bool | 
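Several properties in the tables above default to the permissive value when omitted (`allowBlobPublicAccess`, `allowSharedKeyAccess`, `allowCrossTenantReplication`, `minimumTlsVersion`). The following declaration sets each of them explicitly. It is an added example, not a Microsoft sample; the symbolic name, the parameter names, the SKU choice, the 90-day key policy, the one-day SAS period and the IP range are assumptions chosen for illustration.

```bicep
// Added example: hardened storage account for API version 2021-04-01.
// All parameter names and sample values are assumptions, not part of the reference.

@description('Storage account name. Placeholder supplied at deployment time.')
@minLength(3)
@maxLength(24)
param storageAccountName string

@description('Azure region. Defaults to the resource group location.')
param location string = resourceGroup().location

@description('Resource ID of the one subnet allowed through the account firewall. Placeholder.')
param allowedSubnetId string

@description('IPv4 CIDR range allowed through the account firewall. Constructed sample value.')
param allowedIpRange string = '203.0.113.0/24'

resource hardenedStorage 'Microsoft.Storage/storageAccounts@2021-04-01' = {
  name: storageAccountName
  location: location
  kind: 'StorageV2'
  sku: {
    name: 'Standard_ZRS'
  }
  properties: {
    // Omitted => interpreted as true. Set false to block anonymous blob and container access.
    allowBlobPublicAccess: false
    // Omitted => null, equivalent to true. With false, every request (SAS included)
    // must be authorized with Azure AD, so account keys can no longer be used.
    allowSharedKeyAccess: false
    // Omitted => interpreted as true. Set false to block cross-tenant object replication.
    allowCrossTenantReplication: false
    // Omitted => interpreted as TLS 1.0.
    minimumTlsVersion: 'TLS1_2'
    // True by default since API version 2019-04-01; stated explicitly so drift is visible in review.
    supportsHttpsTrafficOnly: true

    encryption: {
      keySource: 'Microsoft.Storage'
      // Adds the secondary layer of encryption with platform-managed keys.
      requireInfrastructureEncryption: true
      services: {
        blob: {
          enabled: true
          keyType: 'Account'
        }
        file: {
          enabled: true
          keyType: 'Account'
        }
        queue: {
          enabled: true
          keyType: 'Account'
        }
        table: {
          enabled: true
          keyType: 'Account'
        }
      }
    }

    networkAcls: {
      // Deny anything that does not match an explicit rule below.
      defaultAction: 'Deny'
      // Use 'None' if no Azure service needs to bypass the firewall.
      bypass: 'AzureServices'
      ipRules: [
        {
          action: 'Allow'
          value: allowedIpRange
        }
      ]
      virtualNetworkRules: [
        {
          action: 'Allow'
          id: allowedSubnetId
        }
      ]
    }

    keyPolicy: {
      keyExpirationPeriodInDays: 90
    }
    sasPolicy: {
      // 'Log' is the only value this API version accepts.
      expirationAction: 'Log'
      // Format is DD.HH:MM:SS.
      sasExpirationPeriod: '1.00:00:00'
    }
  }
}
```

Before setting `allowSharedKeyAccess: false`, confirm that every client of the account can authorize with Azure AD, because requests signed with the account key are rejected once it is applied.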
UserAssignedIdentity
| Name | Description | Value | 
|---|---|---|
VirtualNetworkRule
| Name | Description | Value | 
|---|---|---|
| action | The action of virtual network rule. | 'Allow' | 
| id | Resource ID of a subnet, for example: /subscriptions/{subscriptionId}/resourceGroups/{groupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName}. | string (required) | 
| state | Gets the state of virtual network rule. | 'Deprovisioning' 'Failed' 'NetworkSourceDeleted' 'Provisioning' 'Succeeded' | 
Usage Examples
Azure Verified Modules
The following Azure Verified Modules can be used to deploy this resource type.
| Module | Description | 
|---|---|
| Storage Account | AVM Resource Module for Storage Account | 
| Storage Account - File Share | AVM Child Module for Storage Account - File Share | 
Azure Quickstart Samples
The following Azure Quickstart templates contain Bicep samples for deploying this resource type.
| Bicep File | Description | 
|---|---|
| 101-1vm-2nics-2subnets-1vnet | Creates a new VM with two NICs which connect to two different subnets within the same VNet. | 
| 2 VMs in a Load Balancer and configure NAT rules on the LB | This template allows you to create 2 Virtual Machines in an Availability Set and configure NAT rules through the load balancer. This template also deploys a Storage Account, Virtual Network, Public IP address and Network Interfaces. In this template, we use the resource loops capability to create the network interfaces and virtual machines | 
| 2 VMs in VNET - Internal Load Balancer and LB rules | This template allows you to create 2 Virtual Machines in a VNET and under an internal Load balancer and configure a load balancing rule on Port 80. This template also deploys a Storage Account, Virtual Network, Public IP address, Availability Set and Network Interfaces. | 
| AKS Cluster with a NAT Gateway and an Application Gateway | This sample shows how to deploy an AKS cluster with NAT Gateway for outbound connections and an Application Gateway for inbound connections. | 
| AKS cluster with the Application Gateway Ingress Controller | This sample shows how to deploy an AKS cluster with Application Gateway, Application Gateway Ingress Controller, Azure Container Registry, Log Analytics and Key Vault | 
| Azure AI Foundry basic setup | This set of templates demonstrates how to set up Azure AI Foundry with the basic setup, meaning with public internet access enabled, Microsoft-managed keys for encryption and Microsoft-managed identity configuration for the AI resource. | 
| Azure AI Foundry Network Restricted | This set of templates demonstrates how to set up Azure AI Foundry with private link and egress disabled, using Microsoft-managed keys for encryption and Microsoft-managed identity configuration for the AI resource. | 
| Azure AI Foundry with Microsoft Entra ID Authentication | This set of templates demonstrates how to set up Azure AI Foundry with Microsoft Entra ID authentication for dependent resources, such as Azure AI Services and Azure Storage. | 
| Azure AI Studio basic setup | This set of templates demonstrates how to set up Azure AI Studio with the basic setup, meaning with public internet access enabled, Microsoft-managed keys for encryption and Microsoft-managed identity configuration for the AI resource. | 
| Azure AI Studio Network Restricted | This set of templates demonstrates how to set up Azure AI Studio with private link and egress disabled, using Microsoft-managed keys for encryption and Microsoft-managed identity configuration for the AI resource. | 
| Azure Cloud Shell - VNet storage | This template deploys Azure Cloud Shell storage into an Azure virtual network. | 
| Azure Digital Twins with Function and Private Link service | This template creates an Azure Digital Twins service configured with a Virtual Network connected Azure Function that can communicate through a Private Link Endpoint to Digital Twins. It also creates a Private DNS Zone to allow seamless hostname resolution of the Digital Twins Endpoint from the Virtual Network to the Private Endpoint internal subnet IP address. The hostname is stored as a setting to the Azure Function with name 'ADT_ENDPOINT'. | 
| Azure Function app and an HTTP-triggered function | This example deploys an Azure Function app and an HTTP-triggered function inline in the template. It also deploys a Key Vault and populates a secret with the function app's host key. | 
| Azure Function App Hosted on Linux Consumption Plan | This template provisions a function app on a Linux Consumption plan, which is a dynamic hosting plan. The app runs on demand and you're billed per execution, with no standing resource commitment. | 
| Azure Function App with a Deployment Slot | This template provisions a function app on a Premium plan with production slot and an additional deployment slot. | 
| Azure Function App with Event Hub and Managed Identity | This template provisions an Azure Function app on a Linux Consumption plan, along with an Event Hub, Azure Storage, and Application Insights. The function app is able to use managed identity to connect to the Event Hub and Storage account. | 
| Azure Function App with Virtual Network Integration | This template provisions a function app on a Premium plan with regional virtual network integration enabled to a newly created virtual network. | 
| Azure Machine Learning end-to-end secure setup | This set of Bicep templates demonstrates how to set up Azure Machine Learning end-to-end in a secure set up. This reference implementation includes the Workspace, a compute cluster, compute instance and attached private AKS cluster. | 
| Azure Machine Learning end-to-end secure setup (legacy) | This set of Bicep templates demonstrates how to set up Azure Machine Learning end-to-end in a secure set up. This reference implementation includes the Workspace, a compute cluster, compute instance and attached private AKS cluster. | 
| Azure Storage Account Encryption with customer-managed key | This template deploys a Storage Account with a customer-managed key for encryption that's generated and placed inside a Key Vault. | 
| Basic Agent Setup API Keys | This set of templates demonstrates how to set up Azure AI Agent Service with the basic setup using API keys authentication for the AI Service/AOAI connection. Agents use multi-tenant search and storage resources fully managed by Microsoft. You won’t have visibility or control over these underlying Azure resources. | 
| Basic Agent Setup Identity | This set of templates demonstrates how to set up Azure AI Agent Service with the basic setup using managed identity authentication for the AI Service/AOAI connection. Agents use multi-tenant search and storage resources fully managed by Microsoft. You won’t have visibility or control over these underlying Azure resources. | 
| Create a Batch Account using a template | This template creates a Batch Account and a storage account. | 
| Create a blob for the data factory copy data tool quickstart | This template creates a blob storage and uploads a file for the copy data tool quickstart | 
| Create a CDN Profile, Endpoint and a Storage Account | This template creates a CDN Profile and a CDN Endpoint with origin as a Storage Account. Note that user needs to create a public container in the Storage Account in order for CDN Endpoint to serve content from the Storage Account. | 
| Create a data share from a storage account | This template creates a data share from a storage account | 
| Create a function app in the Flex Consumption plan | Flex Consumption hosting is recommended for functions that require rapid dynamic scale (including to zero instances), managed identity connections, and virtual network integration. | 
| Create a Media Services Account using a template | This template creates an Azure Media Services Account with its Storage account. | 
| Create a Private AKS Cluster | This sample shows how to create a private AKS cluster in a virtual network along with a jumpbox virtual machine. | 
| Create a sandbox setup of Azure Firewall with Linux VMs | This template creates a virtual network with 3 subnets (server subnet, jumpbox subnet and AzureFirewall subnet), a jumpbox VM with public IP, a server VM, UDR route to point to Azure Firewall for the Server Subnet and an Azure Firewall with 1 or more Public IP addresses, 1 sample application rule, 1 sample network rule and default private ranges | 
| Create a sandbox setup of Azure Firewall with Zones | This template creates a virtual network with three subnets (server subnet, jumpbox subnet, and Azure Firewall subnet), a jumpbox VM with public IP, a server VM, UDR route to point to Azure Firewall for the ServerSubnet, an Azure Firewall with one or more Public IP addresses, one sample application rule, and one sample network rule and Azure Firewall in Availability Zones 1, 2, and 3. | 
| Create a standard internal load balancer | This template creates a standard internal Azure Load Balancer with a rule load-balancing port 80 | 
| Create a Standard Storage Account | This template creates a Standard Storage Account | 
| Create a storage account with file share | This template creates an Azure storage account and file share. | 
| Create a storage account with multiple Blob containers | Creates an Azure storage account and multiple blob containers. | 
| Create a storage account with multiple file shares | Creates an Azure storage account and multiple file shares. | 
| Create a Storage Account with SSE | This template creates a Storage Account with Storage Service Encryption for Data at Rest | 
| Create a subscription, resourceGroup and storageAccount | This template is a management group template that will create a subscription, a resourceGroup and a storageAccount in the same template. It can be used for an Enterprise Agreement billing mode only. The official documentation shows modifications needed for other types of accounts. | 
| Create a V2 data factory | This template creates a V2 data factory that copies data from a folder in an Azure Blob Storage to another folder in the storage. | 
| Create a VM with multiple NICs and RDP accessible | This template allows you to create a Virtual Machine with multiple (2) network interfaces (NICs), and RDP connectable with a configured load balancer and an inbound NAT rule. More NICs can easily be added with this template. This template also deploys a Storage Account, Virtual Network, Public IP address, and 2 Network Interfaces (front-end and back-end). | 
| Create a WordPress site | This template creates a WordPress site on Container Instance | 
| Create an AKS compute target with a Private IP address | This template creates an AKS compute target in given Azure Machine Learning service workspace with a private IP address. | 
| Create an Azure Firewall with IpGroups | This template creates an Azure Firewall with Application and Network Rules referring to IP Groups. It also includes a Linux jumpbox VM setup. | 
| Create an Azure Machine Learning service workspace | This deployment template specifies an Azure Machine Learning workspace, and its associated resources including Azure Key Vault, Azure Storage, Azure Application Insights and Azure Container Registry. This configuration describes the minimal set of resources you require to get started with Azure Machine Learning. | 
| Create an Azure Machine Learning service workspace (CMK) | This deployment template specifies how to create an Azure Machine Learning workspace with service-side encryption using your encryption keys. | 
| Create an Azure Machine Learning service workspace (CMK) | This deployment template specifies an Azure Machine Learning workspace, and its associated resources including Azure Key Vault, Azure Storage, Azure Application Insights and Azure Container Registry. The example shows how to configure Azure Machine Learning for encryption with a customer-managed encryption key. | 
| Create an Azure Machine Learning service workspace (legacy) | This deployment template specifies an Azure Machine Learning workspace, and its associated resources including Azure Key Vault, Azure Storage, Azure Application Insights and Azure Container Registry. This configuration describes the set of resources you require to get started with Azure Machine Learning in a network isolated set up. | 
| Create an Azure Machine Learning service workspace (vnet) | This deployment template specifies an Azure Machine Learning workspace, and its associated resources including Azure Key Vault, Azure Storage, Azure Application Insights and Azure Container Registry. This configuration describes the set of resources you require to get started with Azure Machine Learning in a network isolated set up. | 
| Create an Azure Storage Account and Blob Container on Azure | This template creates an Azure Storage account and a blob container. | 
| Create an on-demand SFTP Server with persistent storage | This template demonstrates an on-demand SFTP server using an Azure Container Instance (ACI). | 
| Create an Ubuntu GNOME desktop | This template creates an Ubuntu desktop machine. This works great for use as a jumpbox behind a NAT. | 
| Create AVD with FSLogix and AD DS Join | This template allows you to create Azure Virtual Desktop resources such as host pool, application group, workspace, FSLogix storage account, file share, recovery service vault for file share backup, a test session host, its extensions with Microsoft Entra ID join or Active Directory domain join. | 
| Create Azure VM Replication and Disaster Recovery | This template allows you to create Azure Virtual machine site replication disaster recovery. | 
| Create Blob Storage and Event Grid subscription to the Blob | Creates Azure Blob Storage account and then creates an Event Grid subscription to that Blob. | 
| Create Function App and private endpoint-secured Storage | This template allows you to deploy an Azure Function App that communicates with Azure Storage over private endpoints. | 
| Create Key Vault with logging enabled | This template creates an Azure Key Vault and an Azure Storage account that is used for logging. It optionally creates resource locks to protect your Key Vault and storage resources. | 
| Create new Ubuntu VM pre-populated with Puppet Agent | This template creates a Ubuntu VM and installs the Puppet Agent into it using the CustomScript extension. | 
| Create Recovery Services Vault and Enable Diagnostics | This template creates a Recovery Services Vault and enables diagnostics for Azure Backup. This also deploys storage account and oms workspace. | 
| Create Storage Account & enable protection via Backup Vault | Template that creates a storage account and enables operational and vaulted backup via Backup Vault | 
| Create Storage Account with SFTP enabled | Creates an Azure Storage account and a blob container that can be accessed using SFTP protocol. Access can be password or public-key based. | 
| Creates a Dapr microservices app using Container Apps | Create a Dapr microservices app using Container Apps. | 
| Creates a Dapr pub-sub servicebus app using Container Apps | Create a Dapr pub-sub servicebus app using Container Apps. | 
| Deploy a 5 Node Secure Cluster | This template allows you to deploy a secure 5 node Service Fabric Cluster running Windows Server 2019 Datacenter on a Standard_D2_v2 Size VMSS. | 
| Deploy a Linux or Windows VM with MSI | This template allows you to deploy a Linux or Windows VM with a Managed Service Identity. | 
| Deploy a Linux-based HBase cluster in HDInsight | This template allows you to create a Linux-based HBase cluster in Azure HDInsight. | 
| Deploy a Nextflow genomics cluster | This template deploys a scalable Nextflow cluster with a Jumpbox, n cluster nodes, docker support and shared storage. | 
| Deploy a simple Windows VM | This template allows you to deploy a simple Windows VM using a few different options for the Windows version, using the latest patched version. This will deploy an A2 size VM in the resource group location and return the FQDN of the VM. | 
| Deploy a simple Windows VM with tags | This template will deploy a D2_v3 Windows VM, NIC, Storage Account, Virtual Network, Public IP Address, and Network Security Group. The tag object is created in the variables and will be applied on all resources, where applicable. | 
| Deploy a Spark cluster in Azure HDInsight | This template allows you to create a Spark cluster in Azure HDInsight. | 
| Deploy a Ubuntu Linux DataScience VM 18.04 | This template deploys an Ubuntu Server with some tools for Data Science. You can provide the username, password, virtual machine name and select between CPU or GPU computing. | 
| Deploy a Virtual Machine with Custom Data | This template allows you to create a Virtual Machine with Custom Data passed down to the VM. This template also deploys a Storage Account, Virtual Network, Public IP addresses and a Network Interface. | 
| Deploy a Windows VM and enable backup using Azure Backup | This template allows you to deploy a Windows VM and Recovery Services Vault configured with the DefaultPolicy for Protection. | 
| Deploy a Windows VM with Windows Admin Center extension | This template allows you to deploy a Windows VM with Windows Admin Center extension to manage the VM directly from Azure Portal. | 
| Deploy an AZ enabled Azure Function Premium plan | This template allows you to deploy an Azure Function Premium plan with availability zones support, including an availability zones enabled storage account. | 
| Deploy an Azure Function Premium plan with vnet integration | This template allows you to deploy an Azure Function Premium plan with regional virtual network integration enabled to a newly created virtual network. | 
| Deploy an Interactive Hive cluster in HDInsight | This template allows you to create an Interactive Hive (LLAP) cluster in HDInsight and the dependent Azure Storage account. The SSH authentication method for the cluster is username and password. For a template using SSH public key authentication, see /samples/azure/azure-quickstart-templates/hdinsight-linux-ssh-publickey | 
| Deploy Azure Data Explorer db with Event Grid connection | Deploy Azure Data Explorer db with Event Grid connection. | 
| Deploy HDInsight cluster with Storage and SSH password | This template allows you to create a Linux-based Hadoop cluster in HDInsight and the dependent Azure Storage account. The SSH authentication method for the cluster is username and password. For a template using SSH public key authentication, see /samples/azure/azure-quickstart-templates/hdinsight-linux-ssh-publickey/ | 
| Deploy Kafka on HDInsight in a virtual network | This template allows you to create an Azure Virtual Network and a Kafka on HDInsight cluster in the virtual network. The SSH authentication method for the cluster is username and password. For a template using SSH public key authentication, see /samples/azure/azure-quickstart-templates/hdinsight-linux-ssh-publickey/ | 
| Deploy Secure AI Foundry with a managed virtual network | This template creates a secure Azure AI Foundry environment with robust network and identity security restrictions. | 
| Deploy the Sports Analytics on Azure Architecture | Creates an Azure storage account with ADLS Gen 2 enabled, an Azure Data Factory instance with linked services for the storage account (and the Azure SQL Database if deployed), and an Azure Databricks instance. The AAD identity for the user deploying the template and the managed identity for the ADF instance will be granted the Storage Blob Data Contributor role on the storage account. There are also options to deploy an Azure Key Vault instance, an Azure SQL Database, and an Azure Event Hub (for streaming use cases). When an Azure Key Vault is deployed, the data factory managed identity and the AAD identity for the user deploying the template will be granted the Key Vault Secrets User role. | 
| Deploys a static website | Deploys a static website with a backing storage account | 
| Dokku Instance | Dokku is a mini-heroku-style PaaS on a single VM. | 
| Enable NSG Flow Logs | This template creates an NSG Flow Logs resource. | 
| FinOps hub | This template creates a new FinOps hub instance, including Data Explorer, Data Lake storage, and Data Factory. | 
| Front Door Premium with blob origin and Private Link | This template creates a Front Door Premium and an Azure Storage blob container, and uses a private endpoint for Front Door to send traffic to the storage account. | 
| Front Door Standard/Premium with Azure Functions origin | This template creates a Front Door Standard/Premium, an Azure Functions app, and configures the function app to validate that traffic has come through the Front Door origin. | 
| Front Door Standard/Premium with static website origin | This template creates a Front Door Standard/Premium and an Azure Storage static website, and configures Front Door to send traffic to the static website. | 
| Function App | This template deploys an empty Function App and a hosting plan. | 
| Function App secured by Azure Frontdoor | This template allows you to deploy an Azure premium function protected and published by Azure Frontdoor premium. The connection between Azure Frontdoor and Azure Functions is protected by Azure Private Link. | 
| JBoss EAP on RHEL (clustered, multi-VM) | This template allows you to create multiple RHEL 8.6 VMs running a JBoss EAP 7.4 cluster and also deploys a web application called eap-session-replication. You can log into the admin console using the JBoss EAP username and password configured at the time of the deployment. | 
| Join a VM to an existing domain | This template demonstrates domain join to a private AD domain up in cloud. | 
| Moesif API Analytics and Monetization | The template will log API calls from Azure API Management to Moesif API analytics and monetization platform | 
| More is possible with Azure Data Factory - One click to try Azure Data Factory | This template creates a data factory pipeline for a copy activity from Azure Blob into another Azure Blob | 
| Multi VM Template with Managed Disk | This template will create N number of VMs with managed disks, public IPs and network interfaces. It will create the VMs in a single Availability Set. They will be provisioned in a Virtual Network which will also be created as part of the deployment. | 
| Network Secured Agent with User Managed Identity | This set of templates demonstrates how to set up Azure AI Agent Service with virtual network isolation using User Managed Identity authentication for the AI Service/AOAI connection and private network links to connect the agent to your secure data. | 
| Private Function App and private endpoint-secured Storage | This template provisions a function app on a Premium plan that has private endpoints and communicates with Azure Storage over private endpoints. | 
| Provision a function app on a Consumption plan | This template provisions a function app on a Consumption plan, which is a dynamic hosting plan. The app runs on demand and you're billed per execution, with no standing resource commitment. There are other templates available for provisioning on a dedicated hosting plan. | 
| Provision a function app running on an App Service Plan | This template provisions a function app on a dedicated hosting plan, meaning it will be run and billed just like any App Service site. | 
| Provision Consumption plan function with a Deployment Slot | This template provisions a function app on a Consumption plan, which is a dynamic hosting plan. The app runs on demand and you're billed per execution, with no standing resource commitment. There are other templates available for provisioning on a dedicated hosting plan. | 
| Retrieve Azure Storage access keys in ARM template | This template will create a Storage account, after which it will create an API connection by dynamically retrieving the primary key of the Storage account. The API connection is then used in a Logic App as a trigger polling for blob changes. | 
| SQL Server availability group on AKS | This creates a new AKS Cluster and then deploys SQL Server availability groups into it using a CNAB package deployed using Duffle and ACI | 
| Standard Agent Setup | This set of templates demonstrates how to set up Azure AI Agent Service with the standard setup, meaning with managed identity authentication for project/hub connections and public internet access enabled. Agents use customer-owned, single-tenant search and storage resources. With this setup, you have full control and visibility over these resources, but you will incur costs based on your usage. | 
| Storage account with Advanced Threat Protection | This template allows you to deploy an Azure Storage account with Advanced Threat Protection enabled. | 
| Storage Account with SSE and blob deletion retention policy | This template creates a Storage Account with Storage Service Encryption and a blob deletion retention policy | 
| Use ARM template to create IoT Hub, route and view messages | Use this template to deploy an IoT Hub and a storage account. Run an app to send messages to the hub that are routed to storage, then view the results. | 
| Use Azure Firewall as a DNS Proxy in a Hub & Spoke topology | This sample shows how to deploy a hub-spoke topology in Azure using the Azure Firewall. The hub virtual network acts as a central point of connectivity to many spoke virtual networks that are connected to the hub virtual network via virtual network peering. | 
| Virtual machine with an RDP port | Creates a virtual machine and creates a NAT rule for RDP to the VM in load balancer | 
| Virtual Machine with Conditional Resources | This template allows deploying a Linux VM using new or existing resources for the Virtual Network, Storage and Public IP Address. It also allows for choosing between SSH and password authentication. The template uses conditions and logic functions to remove the need for nested deployments. | 
| VMs in Availability Zones with a Load Balancer and NAT | This template allows you to create Virtual Machines distributed across Availability Zones with a Load Balancer and configure NAT rules through the load balancer. This template also deploys a Virtual Network, Public IP address and Network Interfaces. In this template, we use the resource loops capability to create the network interfaces and virtual machines | 
| Windows Docker Host with Portainer and Traefik pre-installed | Windows Docker Host with Portainer and Traefik pre-installed | 
| Windows Server VM with SSH | Deploy a single Windows VM with Open SSH enabled so that you can connect through SSH using key-based authentication. | 
ARM template resource definition
The storageAccounts resource type can be deployed with operations that target:
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.Storage/storageAccounts resource, add the following JSON to your template.
{
  "type": "Microsoft.Storage/storageAccounts",
  "apiVersion": "2021-04-01",
  "name": "string",
  "extendedLocation": {
    "name": "string",
    "type": "string"
  },
  "identity": {
    "type": "string",
    "userAssignedIdentities": {
      "{customized property}": {
      }
    }
  },
  "kind": "string",
  "location": "string",
  "properties": {
    "accessTier": "string",
    "allowBlobPublicAccess": "bool",
    "allowCrossTenantReplication": "bool",
    "allowSharedKeyAccess": "bool",
    "azureFilesIdentityBasedAuthentication": {
      "activeDirectoryProperties": {
        "azureStorageSid": "string",
        "domainGuid": "string",
        "domainName": "string",
        "domainSid": "string",
        "forestName": "string",
        "netBiosDomainName": "string"
      },
      "defaultSharePermission": "string",
      "directoryServiceOptions": "string"
    },
    "customDomain": {
      "name": "string",
      "useSubDomainName": "bool"
    },
    "encryption": {
      "identity": {
        "userAssignedIdentity": "string"
      },
      "keySource": "string",
      "keyvaultproperties": {
        "keyname": "string",
        "keyvaulturi": "string",
        "keyversion": "string"
      },
      "requireInfrastructureEncryption": "bool",
      "services": {
        "blob": {
          "enabled": "bool",
          "keyType": "string"
        },
        "file": {
          "enabled": "bool",
          "keyType": "string"
        },
        "queue": {
          "enabled": "bool",
          "keyType": "string"
        },
        "table": {
          "enabled": "bool",
          "keyType": "string"
        }
      }
    },
    "isHnsEnabled": "bool",
    "isNfsV3Enabled": "bool",
    "keyPolicy": {
      "keyExpirationPeriodInDays": "int"
    },
    "largeFileSharesState": "string",
    "minimumTlsVersion": "string",
    "networkAcls": {
      "bypass": "string",
      "defaultAction": "string",
      "ipRules": [
        {
          "action": "Allow",
          "value": "string"
        }
      ],
      "resourceAccessRules": [
        {
          "resourceId": "string",
          "tenantId": "string"
        }
      ],
      "virtualNetworkRules": [
        {
          "action": "Allow",
          "id": "string",
          "state": "string"
        }
      ]
    },
    "routingPreference": {
      "publishInternetEndpoints": "bool",
      "publishMicrosoftEndpoints": "bool",
      "routingChoice": "string"
    },
    "sasPolicy": {
      "expirationAction": "string",
      "sasExpirationPeriod": "string"
    },
    "supportsHttpsTrafficOnly": "bool"
  },
  "sku": {
    "name": "string"
  },
  "tags": {
    "{customized property}": "string"
  }
}
Property Values
Microsoft.Storage/storageAccounts
| Name | Description | Value | 
|---|---|---|
| apiVersion | The api version | '2021-04-01' | 
| extendedLocation | Optional. Set the extended location of the resource. If not set, the storage account will be created in Azure main region. Otherwise it will be created in the specified extended location | ExtendedLocation | 
| identity | The identity of the resource. | Identity | 
| kind | Required. Indicates the type of storage account. | 'BlobStorage' 'BlockBlobStorage' 'FileStorage' 'Storage' 'StorageV2' (required) | 
| location | Required. Gets or sets the location of the resource. This will be one of the supported and registered Azure Geo Regions (e.g. West US, East US, Southeast Asia, etc.). The geo region of a resource cannot be changed once it is created, but if an identical geo region is specified on update, the request will succeed. | string (required) | 
| name | The resource name | string Constraints: Min length = 3 Max length = 24 (required) | 
| properties | The parameters used to create the storage account. | StorageAccountPropertiesCreateParametersOrStorageAccountProperties | 
| sku | Required. Gets or sets the SKU name. | Sku (required) | 
| tags | Resource tags | Dictionary of tag names and values. See Tags in templates | 
| type | The resource type | 'Microsoft.Storage/storageAccounts' | 
ActiveDirectoryProperties
| Name | Description | Value | 
|---|---|---|
| azureStorageSid | Specifies the security identifier (SID) for Azure Storage. | string (required) | 
| domainGuid | Specifies the domain GUID. | string (required) | 
| domainName | Specifies the primary domain that the AD DNS server is authoritative for. | string (required) | 
| domainSid | Specifies the security identifier (SID). | string (required) | 
| forestName | Specifies the Active Directory forest to get. | string (required) | 
| netBiosDomainName | Specifies the NetBIOS domain name. | string (required) | 
AzureFilesIdentityBasedAuthentication
| Name | Description | Value | 
|---|---|---|
| activeDirectoryProperties | Required if AD is chosen. | ActiveDirectoryProperties | 
| defaultSharePermission | Default share permission for users using Kerberos authentication if RBAC role is not assigned. | 'None' 'StorageFileDataSmbShareContributor' 'StorageFileDataSmbShareElevatedContributor' 'StorageFileDataSmbShareOwner' 'StorageFileDataSmbShareReader' | 
| directoryServiceOptions | Indicates the directory service used. | 'AADDS' 'AD' 'None' (required) | 
CustomDomain
| Name | Description | Value | 
|---|---|---|
| name | Gets or sets the custom domain name assigned to the storage account. Name is the CNAME source. | string (required) | 
| useSubDomainName | Indicates whether indirect CName validation is enabled. Default value is false. This should only be set on updates. | bool | 
Encryption
| Name | Description | Value | 
|---|---|---|
| identity | The identity to be used with service-side encryption at rest. | EncryptionIdentity | 
| keySource | The encryption keySource (provider). Possible values (case-insensitive): Microsoft.Storage, Microsoft.Keyvault | 'Microsoft.Keyvault' 'Microsoft.Storage' (required) | 
| keyvaultproperties | Properties provided by key vault. | KeyVaultProperties | 
| requireInfrastructureEncryption | A boolean indicating whether or not the service applies a secondary layer of encryption with platform managed keys for data at rest. | bool | 
| services | List of services which support encryption. | EncryptionServices | 
EncryptionIdentity
| Name | Description | Value | 
|---|---|---|
| userAssignedIdentity | Resource identifier of the UserAssigned identity to be associated with server-side encryption on the storage account. | string | 
EncryptionService
| Name | Description | Value | 
|---|---|---|
| enabled | A boolean indicating whether or not the service encrypts the data as it is stored. | bool | 
| keyType | Encryption key type to be used for the encryption service. 'Account' key type implies that an account-scoped encryption key will be used. 'Service' key type implies that a default service key is used. | 'Account' 'Service' | 
EncryptionServices
| Name | Description | Value | 
|---|---|---|
| blob | The encryption function of the blob storage service. | EncryptionService | 
| file | The encryption function of the file storage service. | EncryptionService | 
| queue | The encryption function of the queue storage service. | EncryptionService | 
| table | The encryption function of the table storage service. | EncryptionService | 
ExtendedLocation
| Name | Description | Value | 
|---|---|---|
| name | The name of the extended location. | string | 
| type | The type of the extended location. | 'EdgeZone' | 
Identity
| Name | Description | Value | 
|---|---|---|
| type | The identity type. | 'None' 'SystemAssigned' 'SystemAssigned,UserAssigned' 'UserAssigned' (required) | 
| userAssignedIdentities | Gets or sets a list of key value pairs that describe the set of User Assigned identities that will be used with this storage account. The key is the ARM resource identifier of the identity. Only 1 User Assigned identity is permitted here. | IdentityUserAssignedIdentities | 
IdentityUserAssignedIdentities
| Name | Description | Value | 
|---|---|---|
IPRule
| Name | Description | Value | 
|---|---|---|
| action | The action of IP ACL rule. | 'Allow' | 
| value | Specifies the IP or IP range in CIDR format. Only IPV4 address is allowed. | string (required) | 
KeyPolicy
| Name | Description | Value | 
|---|---|---|
| keyExpirationPeriodInDays | The key expiration period in days. | int (required) | 
KeyVaultProperties
| Name | Description | Value | 
|---|---|---|
| keyname | The name of KeyVault key. | string | 
| keyvaulturi | The Uri of KeyVault. | string | 
| keyversion | The version of KeyVault key. | string | 
NetworkRuleSet
| Name | Description | Value | 
|---|---|---|
| bypass | Specifies whether traffic is bypassed for Logging/Metrics/AzureServices. Possible values are any combination of Logging\|Metrics\|AzureServices (for example, "Logging, Metrics"), or None to bypass none of that traffic. | 'AzureServices' 'Logging' 'Metrics' 'None' | 
| defaultAction | Specifies the default action of allow or deny when no other rules match. | 'Allow' 'Deny' (required) | 
| ipRules | Sets the IP ACL rules | IPRule[] | 
| resourceAccessRules | Sets the resource access rules | ResourceAccessRule[] | 
| virtualNetworkRules | Sets the virtual network rules | VirtualNetworkRule[] | 
ResourceAccessRule
| Name | Description | Value | 
|---|---|---|
| resourceId | Resource Id | string | 
| tenantId | Tenant Id | string | 
RoutingPreference
| Name | Description | Value | 
|---|---|---|
| publishInternetEndpoints | A boolean flag which indicates whether internet routing storage endpoints are to be published. | bool | 
| publishMicrosoftEndpoints | A boolean flag which indicates whether Microsoft routing storage endpoints are to be published. | bool | 
| routingChoice | Routing Choice defines the kind of network routing opted by the user. | 'InternetRouting' 'MicrosoftRouting' | 
SasPolicy
| Name | Description | Value | 
|---|---|---|
| expirationAction | The SAS expiration action. Can only be Log. | 'Log' (required) | 
| sasExpirationPeriod | The SAS expiration period, DD.HH:MM:SS. | string (required) | 
Sku
| Name | Description | Value | 
|---|---|---|
| name | The SKU name. Required for account creation; optional for update. Note that in older versions, SKU name was called accountType. | 'Premium_LRS' 'Premium_ZRS' 'Standard_GRS' 'Standard_GZRS' 'Standard_LRS' 'Standard_RAGRS' 'Standard_RAGZRS' 'Standard_ZRS' (required) | 
StorageAccountCreateParametersTags
| Name | Description | Value | 
|---|---|---|
StorageAccountPropertiesCreateParametersOrStorageAccountProperties
| Name | Description | Value | 
|---|---|---|
| accessTier | Required for storage accounts where kind = BlobStorage. The access tier used for billing. | 'Cool' 'Hot' | 
| allowBlobPublicAccess | Allow or disallow public access to all blobs or containers in the storage account. The default interpretation is true for this property. | bool | 
| allowCrossTenantReplication | Allow or disallow cross AAD tenant object replication. The default interpretation is true for this property. | bool | 
| allowSharedKeyAccess | Indicates whether the storage account permits requests to be authorized with the account access key via Shared Key. If false, then all requests, including shared access signatures, must be authorized with Azure Active Directory (Azure AD). The default value is null, which is equivalent to true. | bool | 
| azureFilesIdentityBasedAuthentication | Provides the identity based authentication settings for Azure Files. | AzureFilesIdentityBasedAuthentication | 
| customDomain | User domain assigned to the storage account. Name is the CNAME source. Only one custom domain is supported per storage account at this time. To clear the existing custom domain, use an empty string for the custom domain name property. | CustomDomain | 
| encryption | Not applicable. Azure Storage encryption is enabled for all storage accounts and cannot be disabled. | Encryption | 
| isHnsEnabled | Account HierarchicalNamespace enabled if set to true. | bool | 
| isNfsV3Enabled | NFS 3.0 protocol support enabled if set to true. | bool | 
| keyPolicy | KeyPolicy assigned to the storage account. | KeyPolicy | 
| largeFileSharesState | Allow large file shares if set to Enabled. It cannot be disabled once it is enabled. | 'Disabled' 'Enabled' | 
| minimumTlsVersion | Set the minimum TLS version to be permitted on requests to storage. The default interpretation is TLS 1.0 for this property. | 'TLS1_0' 'TLS1_1' 'TLS1_2' | 
| networkAcls | Network rule set | NetworkRuleSet | 
| routingPreference | Maintains information about the network routing choice opted by the user for data transfer | RoutingPreference | 
| sasPolicy | SasPolicy assigned to the storage account. | SasPolicy | 
| supportsHttpsTrafficOnly | Allows HTTPS traffic only to the storage service if set to true. The default value is true since API version 2019-04-01. | bool | 
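The following is an added example, not part of the original reference: a Python check that applies the defaults documented in the property tables above to the storage accounts in an ARM template, so that an omitted property is reported with the value it falls back to. The baseline it enforces, the function names and the sample template are constructed for illustration; treating an omitted networkAcls as 'Allow' and pre-2019-04-01 API versions as not defaulting to HTTPS-only are assumptions the page does not state.

```python
import json

STORAGE_TYPE = "Microsoft.Storage/storageAccounts"


def is_expression(value):
    """ARM template expressions are strings wrapped in [ ]; '[[' escapes a literal."""
    return (isinstance(value, str) and value.startswith("[")
            and value.endswith("]") and not value.startswith("[["))


def resolve(props, path, default):
    """Return (value, origin); origin is 'explicit', 'default' or 'expression'."""
    node = props
    for key in path.split("."):
        if is_expression(node):
            return node, "expression"
        # A missing key or JSON null falls back to the documented default.
        if not isinstance(node, dict) or node.get(key) is None:
            return default, "default"
        node = node[key]
    return (node, "expression") if is_expression(node) else (node, "explicit")


def https_default(api_version):
    # Page: "The default value is true since API version 2019-04-01."
    # Assumption: earlier API versions are treated as defaulting to false.
    return str(api_version)[:10] >= "2019-04-01"


def audit_account(resource):
    """Compare one storage account against an assumed hardening baseline."""
    props = resource.get("properties") or {}
    rules = [
        # (property path, documented default, predicate for the assumed baseline)
        ("allowBlobPublicAccess", True, lambda v: v is False),
        ("allowSharedKeyAccess", True, lambda v: v is False),
        ("minimumTlsVersion", "TLS1_0", lambda v: v == "TLS1_2"),
        ("supportsHttpsTrafficOnly", https_default(resource.get("apiVersion", "")),
         lambda v: v is True),
        # Assumption: with no networkAcls block, all networks are allowed.
        ("networkAcls.defaultAction", "Allow", lambda v: v == "Deny"),
    ]
    findings = []
    for path, default, ok in rules:
        value, origin = resolve(props, path, default)
        if origin == "expression":
            # Resolved only at deployment time; flag for manual review.
            findings.append((resource.get("name"), path, value, "unresolved"))
        elif not ok(value):
            findings.append((resource.get("name"), path, value, origin))
    return findings


def iter_storage_accounts(resources):
    """Yield storage accounts from a resources array, including child arrays."""
    for res in resources or []:
        if not isinstance(res, dict):
            continue
        if str(res.get("type", "")).lower() == STORAGE_TYPE.lower():
            yield res
        yield from iter_storage_accounts(res.get("resources"))


def audit_template(template):
    findings = []
    for account in iter_storage_accounts(template.get("resources")):
        findings.extend(audit_account(account))
    return findings


# Constructed sample template (not taken from any quickstart listed on this page).
SAMPLE_TEMPLATE = json.loads("""
{
  "contentVersion": "1.0.0.0",
  "resources": [
    {"type": "Microsoft.Storage/storageAccounts", "apiVersion": "2021-04-01",
     "name": "defaultsonly", "location": "westus", "kind": "StorageV2",
     "sku": {"name": "Standard_LRS"},
     "properties": {"allowSharedKeyAccess": null}},
    {"type": "Microsoft.Storage/storageAccounts", "apiVersion": "2021-04-01",
     "name": "hardened", "location": "westus", "kind": "StorageV2",
     "sku": {"name": "Standard_LRS"},
     "properties": {"allowBlobPublicAccess": false, "allowSharedKeyAccess": false,
                    "minimumTlsVersion": "TLS1_2", "supportsHttpsTrafficOnly": true,
                    "networkAcls": {"bypass": "AzureServices", "defaultAction": "Deny"}}},
    {"type": "Microsoft.Storage/storageAccounts", "apiVersion": "2021-04-01",
     "name": "paramdriven", "location": "westus", "kind": "StorageV2",
     "sku": {"name": "Standard_LRS"},
     "properties": {"allowBlobPublicAccess": false, "allowSharedKeyAccess": false,
                    "minimumTlsVersion": "[parameters('minTls')]",
                    "supportsHttpsTrafficOnly": false,
                    "networkAcls": {"defaultAction": "Deny"}}}
  ]
}
""")

if __name__ == "__main__":
    for name, path, value, origin in audit_template(SAMPLE_TEMPLATE):
        print(f"{name}: {path} = {value!r} ({origin})")
```

Findings with origin `default` are the ones a review of the template text alone tends to miss, because the weaker value never appears in the file.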
UserAssignedIdentity
| Name | Description | Value | 
|---|---|---|
VirtualNetworkRule
| Name | Description | Value | 
|---|---|---|
| action | The action of virtual network rule. | 'Allow' | 
| id | Resource ID of a subnet, for example: /subscriptions/{subscriptionId}/resourceGroups/{groupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName}. | string (required) | 
| state | Gets the state of virtual network rule. | 'Deprovisioning' 'Failed' 'NetworkSourceDeleted' 'Provisioning' 'Succeeded' | 
Usage Examples
Azure Quickstart Templates
The following Azure Quickstart templates deploy this resource type.
| Template | Description | 
|---|---|
| (++)Ethereum on Ubuntu | This template deploys a (++)Ethereum client on Ubuntu virtual machines. | 
| 1 VM in vNet - Multiple data disks | This template creates a single VM running Windows Server 2016 with multiple data disks attached. | 
| 101-1vm-2nics-2subnets-1vnet | Creates a new VM with two NICs which connect to two different subnets within the same VNet. | 
| 2 VMs in a Load Balancer and configure NAT rules on the LB | This template allows you to create 2 Virtual Machines in an Availability Set and configure NAT rules through the load balancer. This template also deploys a Storage Account, Virtual Network, Public IP address and Network Interfaces. In this template, we use the resource loops capability to create the network interfaces and virtual machines | 
| 2 VMs in VNET - Internal Load Balancer and LB rules | This template allows you to create 2 Virtual Machines in a VNET and under an internal Load balancer and configure a load balancing rule on Port 80. This template also deploys a Storage Account, Virtual Network, Public IP address, Availability Set and Network Interfaces. | 
| 201-vnet-2subnets-service-endpoints-storage-integration | Creates 2 new VMs with a NIC each, in two different subnets within the same VNet. Sets service endpoint on one of the subnets and secures storage account to that subnet. | 
| AKS Cluster with a NAT Gateway and an Application Gateway | This sample shows how to deploy an AKS cluster with NAT Gateway for outbound connections and an Application Gateway for inbound connections. | 
| AKS cluster with the Application Gateway Ingress Controller | This sample shows how to deploy an AKS cluster with Application Gateway, Application Gateway Ingress Controller, Azure Container Registry, Log Analytics and Key Vault | 
| Apache Webserver on Ubuntu VM | This template uses the Azure Linux CustomScript extension to deploy an Apache web server. The deployment template creates an Ubuntu VM, installs Apache2 and creates a simple HTML file. Go to ../demo.html to see the deployed page. | 
| App Configuration with VM | This template references existing key-value configurations from an existing config store and uses retrieved values to set properties of the resources the template creates. | 
| App Service Environment with Azure SQL backend | This template creates an App Service Environment with an Azure SQL backend, along with private endpoints and associated resources typically used in a private/isolated environment. | 
| Azure AI Foundry basic setup | This set of templates demonstrates how to set up Azure AI Foundry with the basic setup, meaning with public internet access enabled, Microsoft-managed keys for encryption and Microsoft-managed identity configuration for the AI resource. | 
| Azure AI Foundry Network Restricted | This set of templates demonstrates how to set up Azure AI Foundry with private link and egress disabled, using Microsoft-managed keys for encryption and Microsoft-managed identity configuration for the AI resource. | 
| Azure AI Foundry with Microsoft Entra ID Authentication | This set of templates demonstrates how to set up Azure AI Foundry with Microsoft Entra ID authentication for dependent resources, such as Azure AI Services and Azure Storage. | 
| Azure AI Studio basic setup | This set of templates demonstrates how to set up Azure AI Studio with the basic setup, meaning with public internet access enabled, Microsoft-managed keys for encryption and Microsoft-managed identity configuration for the AI resource. | 
| Azure AI Studio Network Restricted | This set of templates demonstrates how to set up Azure AI Studio with private link and egress disabled, using Microsoft-managed keys for encryption and Microsoft-managed identity configuration for the AI resource. | 
| Azure Cloud Shell - VNet storage | This template deploys Azure Cloud Shell storage into an Azure virtual network. | 
| Azure Digital Twins with Function and Private Link service | This template creates an Azure Digital Twins service configured with a Virtual Network connected Azure Function that can communicate through a Private Link Endpoint to Digital Twins. It also creates a Private DNS Zone to allow seamless hostname resolution of the Digital Twins Endpoint from the Virtual Network to the Private Endpoint internal subnet IP address. The hostname is stored as a setting to the Azure Function with name 'ADT_ENDPOINT'. | 
| Azure Function app and an HTTP-triggered function | This example deploys an Azure Function app and an HTTP-triggered function inline in the template. It also deploys a Key Vault and populates a secret with the function app's host key. | 
| Azure Function App Hosted on Dedicated Plan | This template provisions a function app on a dedicated hosting plan, meaning it will be run and billed just like any App Service site. | 
| Azure Function App Hosted on Linux Consumption Plan | This template provisions a function app on a Linux Consumption plan, which is a dynamic hosting plan. The app runs on demand and you're billed per execution, with no standing resource commitment. | 
| Azure Function App Hosted on Premium Plan | This template provisions a function app on a Premium plan. | 
| Azure Function App Hosted on Windows Consumption Plan | This template provisions a function app on a Windows Consumption plan, which is a dynamic hosting plan. The app runs on demand and you're billed per execution, with no standing resource commitment. | 
| Azure Function App with a Deployment Slot | This template provisions a function app on a Premium plan with production slot and an additional deployment slot. | 
| Azure Function App with Event Hub and Managed Identity | This template provisions an Azure Function app on a Linux Consumption plan, along with an Event Hub, Azure Storage, and Application Insights. The function app is able to use managed identity to connect to the Event Hub and Storage account. | 
| Azure Function App with Virtual Network Integration | This template provisions a function app on a Premium plan with regional virtual network integration enabled to a newly created virtual network. | 
| Azure Logic App with Function | This template creates a Serverless app in Azure with Logic Apps and Functions. The Logic App triggers on an HTTP POST, calls the Azure Function, and returns the response. | 
| Azure Machine Learning end-to-end secure setup | This set of Bicep templates demonstrates how to set up Azure Machine Learning end-to-end in a secure setup. This reference implementation includes the Workspace, a compute cluster, compute instance and attached private AKS cluster. | 
| Azure Machine Learning end-to-end secure setup (legacy) | This set of Bicep templates demonstrates how to set up Azure Machine Learning end-to-end in a secure setup. This reference implementation includes the Workspace, a compute cluster, compute instance and attached private AKS cluster. | 
| Azure Machine Learning Workspace | This template creates a new Azure Machine Learning Workspace, along with an encrypted Storage Account, KeyVault and Applications Insights Logging | 
| Azure managed disk performance meter | This template allows you to run a managed disk performance test for different workload types using fio utility. | 
| Azure managed disk RAID performance meter | This template allows you to run a managed disk RAID performance test for different workload types using fio utility. | 
| Azure SQL Server with Auditing written to a blob storage | This template allows you to deploy an Azure SQL server with Auditing enabled to write audit logs to a blob storage | 
| Azure Storage Account Encryption with customer-managed key | This template deploys a Storage Account with a customer-managed key for encryption that's generated and placed inside a Key Vault. | 
| Azure Synapse Proof-of-Concept | This template creates a proof of concept environment for Azure Synapse, including SQL Pools and optional Apache Spark Pools | 
| Azure sysbench CPU performance meter | This template allows you to run a CPU performance test using sysbench utility. | 
| Azure VM-to-VM multithreaded throughput meter | This template allows you to run VM-to-VM throughput test with NTttcp utility. | 
| Barracuda Web Application Firewall with Backend IIS Servers | This Azure quickstart template deploys a Barracuda Web Application Firewall Solution on Azure with the required number of backend Windows 2012 based IIS Web Servers. The template includes the latest Barracuda WAF with Pay as you go license and the latest Windows 2012 R2 Azure Image for IIS. The Barracuda Web Application Firewall inspects inbound web traffic and blocks SQL injections, Cross-Site Scripting, malware uploads & application DDoS and other attacks targeted at your web applications. One External LB is deployed with NAT rules to enable Remote desktop access to backend web servers. Please follow the post deployment configuration guide available in the GitHub template directory to learn more about post deployment steps related to Barracuda web application firewall and web applications publishing. | 
| Basic Agent Setup API Keys | This set of templates demonstrates how to set up Azure AI Agent Service with the basic setup using API keys authentication for the AI Service/AOAI connection. Agents use multi-tenant search and storage resources fully managed by Microsoft. You won’t have visibility or control over these underlying Azure resources. | 
| Basic Agent Setup Identity | This set of templates demonstrates how to set up Azure AI Agent Service with the basic setup using managed identity authentication for the AI Service/AOAI connection. Agents use multi-tenant search and storage resources fully managed by Microsoft. You won’t have visibility or control over these underlying Azure resources. | 
| Basic RDS farm deployment | This template creates a basic RDS farm deployment | 
| Bitcore Node and Utilities for Bitcoin on CentOS VM | This template uses the Azure Linux CustomScript extension to deploy a Bitcore Node instance with the complete set of Bitcoin utilities. The deployment template creates a CentOS VM, installs Bitcore and provides a simple bitcored executable. With this template, you will be running a full node on the Bitcoin network as well as a block explorer called Insight. | 
| Chef Backend High-Availability Cluster | This template creates a chef-backend cluster with front-end nodes attached | 
| Chef with JSON parameters on Ubuntu/CentOS | Deploy an Ubuntu/CentOS VM With Chef with JSON parameters | 
| Classroom Linux JupyterHub | This template deploys a Jupyter Server for a classroom of up to 100 users. You can provide the username, password, virtual machine name and select between CPU or GPU computing. |
| CloudLens with Moloch example | This template shows how to set up network visibility in the Azure public cloud using the CloudLens agent to tap traffic on one VM and forward it to a network packet storing & indexing tool, in this case Moloch. |
| Concourse CI | Concourse is a CI system composed of simple tools and ideas. It can express entire pipelines, integrating with arbitrary resources, or it can be used to execute one-off tasks, either locally or in another CI system. This template helps prepare the necessary Azure resources to set up such a CI system and makes the setup simpler. |
| Connect to a Event Hubs namespace via private endpoint | This sample shows how to configure a virtual network and private DNS zone to access an Event Hubs namespace via a private endpoint. |
| Connect to a Key Vault via private endpoint | This sample shows how to configure a virtual network and private DNS zone to access Key Vault via a private endpoint. |
| Connect to a Service Bus namespace via private endpoint | This sample shows how to configure a virtual network and private DNS zone to access a Service Bus namespace via a private endpoint. |
| Connect to a storage account from a VM via private endpoint | This sample shows how to connect a virtual network to access a blob storage account via a private endpoint. |
| Connect to an Azure File Share via a Private Endpoint | This sample shows how to configure a virtual network and private DNS zone to access an Azure File Share via a private endpoint. |
| Create 2 VMs in LB and a SQL Server VM with NSG | This template creates 2 Windows VMs (that can be used as web FE) within an Availability Set and a Load Balancer with port 80 open. The two VMs can be reached using RDP on port 6001 and 6002. This template also creates a SQL Server 2014 VM that can be reached via an RDP connection defined in a Network Security Group. |
| Create 2 VMs Linux with LB and SQL Server VM with SSD | This template creates 2 Linux VMs (that can be used as web FE) within an Availability Set and a Load Balancer with port 80 open. The two VMs can be reached using SSH on port 6001 and 6002. This template also creates a SQL Server 2014 VM that can be reached via an RDP connection defined in a Network Security Group. All VM storage can use Premium Storage (SSD), and you can choose to create VMs with all DS sizes. |
| Create a Batch Account using a template | This template creates a Batch Account and a storage account. | 
| Create a blob for the data factory copy data tool quickstart | This template creates a blob storage and uploads a file for the copy data tool quickstart | 
| Create a CDN Profile, Endpoint and a Storage Account | This template creates a CDN Profile and a CDN Endpoint with a Storage Account as its origin. Note that the user needs to create a public container in the Storage Account in order for the CDN Endpoint to serve content from the Storage Account. |
| Create a data management gateway and install on an Azure VM | This template deploys a virtual machine and creates a workable data management gateway | 
| Create a data share from a storage account | This template creates a data share from a storage account | 
| Create a DevTest environment with P2S VPN and IIS | This template creates a simple DevTest environment with a Point-to-Site VPN and IIS on a Windows server which is a great way to get started. | 
| Create a Firewall with FirewallPolicy and IpGroups | This template creates an Azure Firewall with a FirewallPolicy referencing Network Rules with IpGroups. It also includes a Linux Jumpbox VM setup. |
| Create a Firewall, FirewallPolicy with Explicit Proxy | This template creates an Azure Firewall and a FirewallPolicy with Explicit Proxy and Network Rules with IpGroups. It also includes a Linux Jumpbox VM setup. |
| Create a function app and call it using a Custom Resource | This template creates function app used as the workload for a custom resource provider in a template deployment. | 
| Create a function app in the Flex Consumption plan | Flex Consumption hosting is recommended for functions that require rapid dynamic scale (including to zero instances), managed identity connections, and virtual network integration. | 
| Create a Media Services Account using a template | This template creates an Azure Media Services Account with its Storage account. | 
| Create a Pay As You Go (PAYG) Environment with an IoT Hub | This template enables you to deploy a Pay As You Go (PAYG) Time Series Insights environment that is configured to consume events from an IoT Hub. | 
| Create a Private AKS Cluster | This sample shows how to create a private AKS cluster in a virtual network along with a jumpbox virtual machine. | 
| Create a Private AKS Cluster with a Public DNS Zone | This sample shows how to deploy a private AKS cluster with a Public DNS Zone. |
| Create a sandbox setup of Azure Firewall with Linux VMs | This template creates a virtual network with 3 subnets (server subnet, jumpbox subnet and AzureFirewall subnet), a jumpbox VM with public IP, a server VM, UDR route to point to Azure Firewall for the Server Subnet and an Azure Firewall with 1 or more Public IP addresses, 1 sample application rule, 1 sample network rule and default private ranges |
| Create a sandbox setup of Azure Firewall with Zones | This template creates a virtual network with three subnets (server subnet, jumpbox subnet, and Azure Firewall subnet), a jumpbox VM with public IP, a server VM, UDR route to point to Azure Firewall for the ServerSubnet, an Azure Firewall with one or more Public IP addresses, one sample application rule, and one sample network rule and Azure Firewall in Availability Zones 1, 2, and 3. |
| Create a sandbox setup with Firewall Policy | This template creates a virtual network with 3 subnets (server subnet, jumpbox subnet and AzureFirewall subnet), a jumpbox VM with public IP, a server VM, UDR route to point to Azure Firewall for the Server Subnet and an Azure Firewall with 1 or more Public IP addresses. It also creates a Firewall policy with 1 sample application rule, 1 sample network rule and default private ranges |
| Create a standard internal load balancer | This template creates a standard internal Azure Load Balancer with a rule load-balancing port 80 | 
| Create a Standard Storage Account | This template creates a Standard Storage Account | 
| Create a Storage Account | This module allows you to create a storageAccount. | 
| Create a Storage Account File Share via Containers | This template creates a storage account and a file share via azure-cli in a Container Instance | 
| Create a storage account with file share | This template creates an Azure storage account and file share. | 
| Create a storage account with multiple Blob containers | Creates an Azure storage account and multiple blob containers. | 
| Create a storage account with multiple file shares | Creates an Azure storage account and multiple file shares. | 
| Create a Storage Account with SSE | This template creates a Storage Account with Storage Service Encryption for Data at Rest | 
| Create a subscription, resourceGroup and storageAccount | This template is a management group template that will create a subscription, a resourceGroup and a storageAccount in the same template. It can be used for an Enterprise Agreement billing mode only. The official documentation shows modifications needed for other types of accounts. | 
| Create a two VM SQL Server Reporting Services Deployment | This template creates two new Azure VMs, each with a public IP address. It configures one VM to be an SSRS Server and one with SQL Server mixed auth for the SSRS Catalog with the SQL Agent started. All VMs have public facing RDP and diagnostics enabled; the diagnostics are stored in a consolidated diagnostics storage account separate from the VM disk. |
| Create a V2 data factory | This template creates a V2 data factory that copies data from a folder in an Azure Blob Storage to another folder in the storage. | 
| Create a VM from a EfficientIP VHD | This template creates a VM from an EfficientIP VHD and lets you connect it to an existing VNET that can reside in a different Resource Group than the virtual machine |
| Create a VM from a Windows Image with 4 Empty Data Disks | This template allows you to create a Windows Virtual Machine from a specified image. It also attaches 4 empty data disks. Note that you can specify the size of the empty data disks. | 
| Create a VM from User Image | This template allows you to create a Virtual Machine from a User image. This template also deploys a Virtual Network, Public IP addresses and a Network Interface. |
| Create a VM in a new or existing vnet from a custom VHD | This template creates a VM from a specialized VHD and lets you connect it to a new or existing VNET that can reside in a different Resource Group than the virtual machine |
| Create a VM in a new or existing vnet from a generalized VHD | This template creates a VM from a generalized VHD and lets you connect it to a new or existing VNET that can reside in a different Resource Group than the virtual machine |
| Create a VM in a VNET in different Resource Group | This template creates a VM in a VNET which is in a different Resource Group | 
| Create a VM with a dynamic selection of data disks | This template allows the user to select the number of data disks they'd like to add to the VM. | 
| Create a VM with multiple NICs and RDP accessible | This template allows you to create a Virtual Machine with multiple (2) network interfaces (NICs), reachable over RDP through a configured load balancer and an inbound NAT rule. More NICs can easily be added with this template. This template also deploys a Storage Account, Virtual Network, Public IP address, and 2 Network Interfaces (front-end and back-end). |
| Create a WordPress site | This template creates a WordPress site on Container Instance | 
| Create a WordPress site in a virtual network | This template creates a WordPress site on Container Instance in a virtual network. It outputs a public site FQDN that can be used to access the WordPress site. |
| Create AML workspace with multiple Datasets & Datastores | This template creates Azure Machine Learning workspace with multiple datasets & datastores. | 
| Create an AKS compute target with a Private IP address | This template creates an AKS compute target in given Azure Machine Learning service workspace with a private IP address. | 
| Create an Azure Firewall sandbox with forced tunneling | This template creates an Azure Firewall sandbox (Linux) with one firewall force tunneled through another firewall in a peered VNET | 
| Create an Azure Firewall with IpGroups | This template creates an Azure Firewall with Application and Network Rules referring to IP Groups. Also, includes a Linux Jumpbox vm setup | 
| Create an Azure Machine Learning service workspace | This deployment template specifies an Azure Machine Learning workspace, and its associated resources including Azure Key Vault, Azure Storage, Azure Application Insights and Azure Container Registry. This configuration describes the minimal set of resources you require to get started with Azure Machine Learning. | 
| Create an Azure Machine Learning service workspace (CMK) | This deployment template specifies how to create an Azure Machine Learning workspace with service-side encryption using your encryption keys. | 
| Create an Azure Machine Learning service workspace (CMK) | This deployment template specifies an Azure Machine Learning workspace, and its associated resources including Azure Key Vault, Azure Storage, Azure Application Insights and Azure Container Registry. The example shows how to configure Azure Machine Learning for encryption with a customer-managed encryption key. | 
| Create an Azure Machine Learning service workspace (legacy) | This deployment template specifies an Azure Machine Learning workspace, and its associated resources including Azure Key Vault, Azure Storage, Azure Application Insights and Azure Container Registry. This configuration describes the set of resources you require to get started with Azure Machine Learning in a network isolated set up. | 
| Create an Azure Machine Learning service workspace (vnet) | This deployment template specifies an Azure Machine Learning workspace, and its associated resources including Azure Key Vault, Azure Storage, Azure Application Insights and Azure Container Registry. This configuration describes the set of resources you require to get started with Azure Machine Learning in a network isolated set up. | 
| Create an Azure Storage Account and Blob Container on Azure | This template creates an Azure Storage account and a blob container. | 
| Create an on-demand SFTP Server with persistent storage | This template demonstrates an on-demand SFTP server using an Azure Container Instance (ACI). | 
| Create an Ubuntu GNOME desktop | This template creates an Ubuntu desktop machine. This works great for use as a jumpbox behind a NAT. |
| Create and encrypt a new Linux VMSS with jumpbox | This template deploys a Linux VMSS using the latest Linux image, adds data volumes, and then encrypts the data volumes of each Linux VMSS instance. It also deploys a jumpbox with a public IP address in the same virtual network as the Linux VMSS instances with private IP addresses. This allows connecting to the jumpbox via its public IP address, and then connecting to the Linux VMSS instances via private IP addresses. | 
| Create and encrypt a new Windows VMSS with jumpbox | This template allows you to deploy a simple VM Scale Set of Windows VMs using the latest patched version of several Windows versions. This template also deploys a jumpbox with a public IP address in the same virtual network. You can connect to the jumpbox via this public IP address, then connect from there to VMs in the scale set via private IP addresses. This template enables encryption on the VM Scale Set of Windows VMs. |
| Create AVD with FSLogix and AD DS Join | This template allows you to create Azure Virtual Desktop resources such as host pool, application group, workspace, FSLogix storage account, file share, recovery service vault for file share backup, a test session host, and its extensions with Microsoft Entra ID join or Active Directory domain join. |
| Create Azure VM Replication and Disaster Recovery | This template allows you to create Azure Virtual machine site replication disaster recovery. | 
| Create Blob Storage and Event Grid subscription to the Blob | Creates Azure Blob Storage account and then creates an Event Grid subscription to that Blob. | 
| Create Function App and private endpoint-secured Storage | This template allows you to deploy an Azure Function App that communicates with Azure Storage over private endpoints. | 
| Create HA data management gateway and install on an Azure VMs | This template deploys multiple virtual machines with workable HA data management gateway | 
| Create HDInsight Linux Cluster and run a script action | Template creates an HDInsight Linux cluster in a virtual network and then runs a custom script action on every node and sets environment var. | 
| Create Key Vault with logging enabled | This template creates an Azure Key Vault and an Azure Storage account that is used for logging. It optionally creates resource locks to protect your Key Vault and storage resources. | 
| Create new Ubuntu VM pre-populated with Puppet Agent | This template creates a Ubuntu VM and installs the Puppet Agent into it using the CustomScript extension. | 
| Create Recovery Services Vault and Enable Diagnostics | This template creates a Recovery Services Vault and enables diagnostics for Azure Backup. It also deploys a storage account and an OMS workspace. |
| Create SQL MI with configured sending of logs and metrics | This template allows you to deploy SQL MI and additional resources used for storing logs and metrics (diagnostic workspace, storage account, event hub). | 
| Create Storage Account & enable protection via Backup Vault | This template creates a storage account and enables operational and vaulted backup via Backup Vault |
| Create Storage Account with SFTP enabled | Creates an Azure Storage account and a blob container that can be accessed using SFTP protocol. Access can be password or public-key based. | 
| Create Ubuntu vm data disk raid0 | This template creates a virtual machine with multiple disks attached. A script partitions and formats the disks in raid0 array. | 
| Create VM from existing VHDs and connect it to existingVNET | This template creates a VM from VHDs (OS + data disk) and lets you connect it to an existing VNET that can reside in a different Resource Group than the virtual machine |
| Creates a Dapr microservices app using Container Apps | Create a Dapr microservices app using Container Apps. | 
| Creates a Dapr pub-sub servicebus app using Container Apps | Create a Dapr pub-sub servicebus app using Container Apps. | 
| Creates a function app with managed service identity | Creates a function app with managed service identity enabled with Application Insights set up for logs and metrics. | 
| Creates an HDInsight cluster running ADAM | Creates an HDInsight linux cluster running the genomics analysis platform ADAM | 
| Creates an HDInsight cluster running Apache Spark 1.4.1 | Creates an HDInsight linux cluster running Apache Spark 1.4.1. | 
| Deploy a 3 Nodetype Secure Cluster with NSGs enabled | This template allows you to deploy a secure 3 nodetype Service Fabric Cluster running Windows Server 2016 Datacenter on Standard_D2 size VMs. This template allows you to control the inbound and outbound network traffic using Network Security Groups. |
| Deploy a 5 Node Secure Cluster | This template allows you to deploy a secure 5 node Service Fabric Cluster running Windows Server 2019 Datacenter on a Standard_D2_v2 Size VMSS. | 
| Deploy a 5 Node Ubuntu Service Fabric Cluster | This template allows you to deploy a secure 5 node Service Fabric Cluster running Ubuntu on a Standard_D2_V2 Size VMSS. | 
| Deploy a Django app | This template uses the Azure Linux CustomScript extension to deploy an application. This example creates an Ubuntu VM, does a silent install of Python, Django and Apache, then creates a simple Django app | 
| Deploy a HDInsight cluster and a SQL database | This template allows you to create a HDInsight cluster and a SQL Database for testing Sqoop. | 
| Deploy a HDInsight cluster with an edge node | This template allows you to create an HDInsight cluster running Linux with an empty edge node. For more information, see /azure/hdinsight/hdinsight-apps-use-edge-node | 
| Deploy a Hub and Spoke topology sandbox | This template creates a basic hub-and-spoke topology setup. It creates a Hub VNet with subnets DMZ, Management, Shared and Gateway (optionally), with two Spoke VNets (development and production) containing a workload subnet each. It also deploys a Windows Jump-Host on the Management subnet of the HUB, and establishes VNet peerings between the Hub and the two spokes. | 
| Deploy a Kibana dashboard with Docker | This template allows you to deploy an Ubuntu VM with Docker installed (using the Docker Extension) and Kibana/Elasticsearch containers created and configured to serve an analytic dashboard. | 
| Deploy a LAMP app | This template uses the Azure Linux CustomScript extension to deploy an application. It creates an Ubuntu VM, does a silent install of MySQL, Apache and PHP, then creates a simple PHP script. | 
| Deploy a Linux or Windows VM with MSI | This template allows you to deploy a Linux or Windows VM with a Managed Service Identity. | 
| Deploy a Linux or Windows VMSS with MSI | This template allows you to deploy a Linux or Windows Virtual Machine Scale Set with a Managed Service Identity. That identity is then used to access Azure services. | 
| Deploy a Linux VM (Ubuntu) with multiple NICs | This template creates a VNet with multiple subnets and deploys a Ubuntu VM with multiple NICs | 
| Deploy a Linux VM with the Azul Zulu OpenJDK JVM | This template allows you to create a Linux VM with the Azul Zulu OpenJDK JVM. | 
| Deploy a Linux-based HBase cluster in HDInsight | This template allows you to create a Linux-based HBase cluster in Azure HDInsight. | 
| Deploy a MySQL Server | This template uses the Azure Linux CustomScript extension to deploy a MySQL server. It creates an Ubuntu VM and does a silent install of MySQL server, version 5.6 |
| Deploy a Nextflow genomics cluster | This template deploys a scalable Nextflow cluster with a Jumpbox, n cluster nodes, docker support and shared storage. | 
| Deploy a Premium Windows VM | This template allows you to deploy a Premium Windows VM using a few different options for the Windows version, using the latest patched version. | 
| Deploy a Premium Windows VM with diagnostics | This template allows you to deploy a Premium Windows VM using a few different options for the Windows version, using the latest patched version. | 
| Deploy a secure VNet and a HDInsight cluster within the VNet | This template allows you to create an Azure VNet and an HDInsight Hadoop cluster running Linux within the VNet. | 
| Deploy a simple FreeBSD VM in resource group location | This template allows you to deploy a simple FreeBSD VM using a few different options for the FreeBSD version, using the latest patched version. This will deploy in resource group location on a D1 VM Size. | 
| Deploy a simple Linux VM with Accelerated Networking | This template allows you to deploy a simple Linux VM with Accelerated Networking using Ubuntu version 18.04-LTS with the latest patched version. This will deploy a D3_v2 size VM in the resource group location and return the FQDN of the VM. | 
| Deploy a simple VM Scale Set with Linux VMs and a Jumpbox | This template allows you to deploy a simple VM Scale Set of Linux VMs using the latest patched version of Ubuntu Linux 15.10 or 14.04.4-LTS. There is also a jumpbox to enable connections from outside of the VNet the VMs are in. | 
| Deploy a simple VM Scale Set with Windows VMs | This template allows you to deploy a simple VM Scale Set of Windows VMs using the latest patched version of various Windows versions. These VMs are behind a load balancer with NAT rules for RDP connections. |
| Deploy a simple VM Scale Set with Windows VMs and a Jumpbox | This template allows you to deploy a simple VM Scale Set of Windows VMs using the latest patched version of several Windows versions. This template also deploys a jumpbox with a public IP address in the same virtual network. You can connect to the jumpbox via this public IP address, then connect from there to VMs in the scale set via private IP addresses. |
| Deploy a simple Windows VM | This template allows you to deploy a simple Windows VM using a few different options for the Windows version, using the latest patched version. This will deploy an A2 size VM in the resource group location and return the FQDN of the VM. | 
| Deploy a simple Windows VM with tags | This template will deploy a D2_v3 Windows VM, NIC, Storage Account, Virtual Network, Public IP Address, and Network Security Group. The tag object is created in the variables and will be applied on all resources, where applicable. | 
| Deploy a Spark cluster in a VNet | This template allows you to create an Azure VNet and an HDInsight Spark cluster within the VNet. | 
| Deploy a Spark cluster in Azure HDInsight | This template allows you to create a Spark cluster in Azure HDInsight. | 
| Deploy a Storage Account for SAP ILM Store | The Microsoft Azure Storage Account can now be used as an ILM Store to persist the Archive files and attachments from an SAP ILM system. An ILM Store is a component which fulfills the requirements of SAP ILM compliant storage systems. One can store archive files in a storage media using WebDAV interface standards while making use of SAP ILM Retention Management rules. For more information about SAP ILM Store, refer to the [SAP Help Portal](https://www.sap.com). |
| Deploy a Ubuntu Linux DataScience VM 18.04 | This template deploys an Ubuntu Server with some tools for Data Science. You can provide the username, password, virtual machine name and select between CPU or GPU computing. |
| Deploy a Ubuntu VM with the OMS extension | This template allows you to deploy a Ubuntu VM with the OMS extension installed and onboarded to a specified workspace | 
| Deploy a Virtual Machine with Custom Data | This template allows you to create a Virtual Machine with Custom Data passed down to the VM. This template also deploys a Storage Account, Virtual Network, Public IP addresses and a Network Interface. | 
| Deploy a VM Scale Set with Linux VMs behind ILB | This template allows you to deploy a VM Scale Set of Linux VMs using the latest patched version of Ubuntu Linux 15.10 or 14.04.4-LTS. These VMs are behind an internal load balancer with NAT rules for ssh connections. | 
| Deploy a VNet, and a HBase cluster within the VNet | This template allows you to create an Azure VNet and an HDInsight HBase cluster running Linux within the VNet. | 
| Deploy a Windows VM and enable backup using Azure Backup | This template allows you to deploy a Windows VM and Recovery Services Vault configured with the DefaultPolicy for Protection. | 
| Deploy a Windows VM with the Azul Zulu OpenJDK JVM | This template allows you to create a Windows VM with the Azul Zulu OpenJDK JVM | 
| Deploy a Windows VM with the OMS extension | This template allows you to deploy a Windows VM with the OMS extension installed and onboarded to a specified workspace | 
| Deploy a Windows VM with Windows Admin Center extension | This template allows you to deploy a Windows VM with Windows Admin Center extension to manage the VM directly from Azure Portal. | 
| Deploy a WordPress blog with Docker | This template allows you to deploy an Ubuntu VM with Docker installed (using the Docker Extension) and WordPress/MySQL containers created and configured to serve a blog server. | 
| Deploy an AZ enabled Azure Function Premium plan | This template allows you to deploy an Azure Function Premium plan with availability zones support, including an availability zones enabled storage account. | 
| Deploy an Azure Function Premium plan with vnet integration | This template allows you to deploy an Azure Function Premium plan with regional virtual network integration enabled to a newly created virtual network. | 
| Deploy an Azure VNet and two HBase clusters within the VNet | This template allows you to configure an HBase environment with two HBase clusters within a VNet for configuring HBase replication. | 
| Deploy an Interactive Hive cluster in HDInsight | This template allows you to create an Interactive Hive (LLAP) cluster in HDInsight and the dependent Azure Storage account. The SSH authentication method for the cluster is username and password. For a template using SSH public key authentication, see /samples/azure/azure-quickstart-templates/hdinsight-linux-ssh-publickey |
| Deploy an Open-Source Parse Server with Docker | This template allows you to deploy an Ubuntu VM with Docker installed (using the Docker Extension) and an Open Source Parse Server container created and configured to replace the (now sunset) Parse service. | 
| Deploy an R-server HDInsight cluster | This template allows you to create an HDInsight cluster running Linux with R Server for HDInsight. This template also creates an Azure Storage account. The SSH authentication method for the cluster is username / password. | 
| Deploy Azure Data Explorer db with Event Grid connection | Deploy Azure Data Explorer db with Event Grid connection. | 
| Deploy CKAN | This template deploys CKAN using Apache Solr (for search) and PostgreSQL (database) on an Ubuntu VM. CKAN, Solr and PostgreSQL are deployed as individual Docker containers on the VM. | 
| Deploy Darktrace Autoscaling vSensors | This template allows you to deploy an automatically autoscaling deployment of Darktrace vSensors | 
| Deploy Drupal with VM Scale Set, Azure Files and Mysql | Deploy a VM Scale Set behind a load balancer/NAT & each VM running Drupal (Apache / PHP). All nodes share the created Azure file share storage and MySQL database | 
| Deploy HBase replication with two VNets in one region | This template allows you to configure an HBase environment with two HBase clusters within two VNets in the same region for configuring HBase replication. |
| Deploy HDInsight cluster + Confluent Schema Registry node | This template allows you to create an HDInsight cluster running Linux with a schema registry edge node. For more information, see /azure/hdinsight/hdinsight-apps-use-edge-node | 
| Deploy HDInsight cluster with existing linked storage | This template allows you to create a Hadoop cluster in HDInsight and the dependent default storage account. The template also links an existing storage account. The linked storage account usually contains the business data. |
| Deploy HDInsight cluster with Storage and SSH password | This template allows you to create a Linux-based Hadoop cluster in HDInsight and the dependent Azure Storage account. The SSH authentication method for the cluster is username and password. For a template using SSH public key authentication, see /samples/azure/azure-quickstart-templates/hdinsight-linux-ssh-publickey/ | 
| Deploy HDInsight on Linux (w/ Azure Storage, SSH key) | This template allows you to create an HDInsight cluster running Linux. This template also creates an Azure Storage account. The SSH authentication method for the cluster is username / public key. | 
| Deploy HDInsight on new Data Lake Store and Storage | This template allows you to deploy a new Linux HDInsight cluster with new Data Lake Store and Storage accounts. | 
| Deploy IOMAD cluster on Ubuntu | This template deploys IOMAD as a LAMP application on Ubuntu. It creates one or more Ubuntu VMs for the front end and a single VM for the backend. It does a silent install of Apache and PHP on the front end VMs and MySQL on the backend VM. Then it deploys IOMAD on the cluster. It configures a load balancer for directing requests to the front end VMs. It also configures NAT rules to allow admin access to each of the VMs. It also sets up a moodledata data directory using file storage shared among the VMs. After the deployment is successful, you can go to /iomad on each frontend VM (using web admin access) to start configuring IOMAD. |
| Deploy IOMAD on Ubuntu on a single VM | This template deploys IOMAD as a LAMP application on Ubuntu. It creates a single Ubuntu VM, does a silent install of MySQL, Apache and PHP on it, and then deploys IOMAD on it. After the deployment is successful, you can go to /iomad to start configuring IOMAD. |
| Deploy Kafka on HDInsight in a virtual network | This template allows you to create an Azure Virtual Network and a Kafka on HDInsight cluster in the virtual network. The SSH authentication method for the cluster is username and password. For a template using SSH public key authentication, see /samples/azure/azure-quickstart-templates/hdinsight-linux-ssh-publickey/ | 
| Deploy Linux HBase cluster with enhanced writes in HDInsight | This template allows you to create a Linux-based HBase cluster with enhanced writes in Azure HDInsight. | 
| Deploy Neo4J in Docker and data on external disk | This template allows you to deploy an Ubuntu VM with Docker installed (using the Docker Extension) and a Neo4J container which uses an external disk to store its data. | 
| Deploy Octopus Deploy 3.0 with a trial license | This template allows you to deploy a single Octopus Deploy 3.0 server with a trial license. This will deploy on a single Windows Server 2012R2 VM (Standard D2) and SQL DB (S1 tier) into the location specified for the Resource Group. | 
| Deploy Open edX (lilac version) through tutor | This template creates a single Ubuntu VM and deploys Open edX through tutor on it. | 
| Deploy Open edX Dogwood (Multi-VM) | This template creates a network of Ubuntu VMs, and deploys Open edX Dogwood on them. Deployment supports 1-9 application VMs and backend Mongo and MySQL VMs. | 
| Deploy Open edX fullstack (Ficus) on a single Ubuntu VM | This template creates a single Ubuntu VM and deploys Open edX fullstack (Ficus) on it. | 
| Deploy OpenLDAP cluster on Ubuntu | This template deploys an OpenLDAP cluster on Ubuntu. It creates multiple Ubuntu VMs (up to 5, but can be easily increased) and does a silent install of OpenLDAP on them. Then it sets up N-way multi-master replication on them. After the deployment is successful, you can go to /phpldapadmin to start configuring OpenLDAP. | 
| Deploy OpenLDAP on Ubuntu on a single VM | This template deploys OpenLDAP on Ubuntu. It creates a single Ubuntu VM and does a silent install of OpenLDAP on it. After the deployment is successful, you can go to /phpldapadmin to start configuring OpenLDAP. | 
| Deploy OpenSIS Community Edition cluster on Ubuntu | This template deploys OpenSIS Community Edition as a LAMP application on Ubuntu. It creates one or more Ubuntu VMs for the front end and a single VM for the backend. It does a silent install of Apache and PHP on the front end VMs and MySQL on the backend VM. Then it deploys OpenSIS Community Edition on the cluster. After the deployment is successful, you can go to /opensis-ce on each of the front end VMs (using web admin access) to start configuring OpenSIS. | 
| Deploy OpenSIS Community Edition on Ubuntu on a single VM | This template deploys OpenSIS Community Edition as a LAMP application on Ubuntu. It creates a single Ubuntu VM, does a silent install of MySQL, Apache and PHP on it, and then deploys OpenSIS Community Edition. After the deployment is successful, you can go to /opensis-ce to start configuring OpenSIS. | 
| Deploy Secure AI Foundry with a managed virtual network | This template creates a secure Azure AI Foundry environment with robust network and identity security restrictions. | 
| Deploy Shibboleth Identity Provider cluster on Ubuntu | This template deploys Shibboleth Identity Provider on Ubuntu in a clustered configuration. After the deployment is successful, you can go to https://your-domain:8443/idp/profile/Status (note port number) to check success. | 
| Deploy Shibboleth Identity Provider on Ubuntu on a single VM | This template deploys Shibboleth Identity Provider on Ubuntu. After the deployment is successful, you can go to https://your-domain:8443/idp/profile/status (note port number) to check success. | 
| Deploy Shibboleth Identity Provider on Windows (single VM) | This template deploys Shibboleth Identity Provider on Windows. It creates a single Windows VM, installs JDK and Apache Tomcat, deploys Shibboleth Identity Provider, and then configures everything for SSL access to the Shibboleth IDP. After the deployment is successful, you can go to https://your-server:8443/idp/profile/status to check success. | 
| Deploy SQL Always ON setup with existing SQL Virtual Machines | Deploy SQL Always ON setup with existing SQL Virtual Machines. The virtual machines should already be joined to an existing domain and must be running enterprise version of SQL Server. | 
| Deploy the Sports Analytics on Azure Architecture | Creates an Azure storage account with ADLS Gen 2 enabled, an Azure Data Factory instance with linked services for the storage account (and the Azure SQL Database if deployed), and an Azure Databricks instance. The AAD identity for the user deploying the template and the managed identity for the ADF instance will be granted the Storage Blob Data Contributor role on the storage account. There are also options to deploy an Azure Key Vault instance, an Azure SQL Database, and an Azure Event Hub (for streaming use cases). When an Azure Key Vault is deployed, the data factory managed identity and the AAD identity for the user deploying the template will be granted the Key Vault Secrets User role. | 
| Deploys a 3 node Consul Cluster | This template deploys a 3 node Consul cluster and auto-joins the nodes via Atlas. Consul is a tool for service discovery, distributed key/value store and a bunch of other cool things. Atlas is provided by Hashicorp (makers of Consul) as a way to quickly create Consul clusters without having to manually join each node | 
| Deploys a N-node CentOS Cluster | This template deploys a 2-10 node CentOS cluster with 2 networks. | 
| Deploys a static website | Deploys a static website with a backing storage account | 
| Dev Environment for AZ-400 Labs | VM with VS2017 Community, Docker-desktop, Git and VS Code for AZ-400 (Azure DevOps) Labs | 
| Diagnostics with Event Hub and ELK | This template deploys an Elasticsearch cluster and Kibana and Logstash VMs. Logstash is configured with an input plugin to pull diagnostics data from Event Hub. | 
| Discover Private IP dynamically | This template allows you to discover a private IP for a NIC dynamically. It passes the private IP of NIC0 to VM1 using custom script extensions which writes it to a file on VM1. | 
| Django App with SQL Databases | This template uses the Azure Linux CustomScript extension to deploy an application. This example creates an Ubuntu VM, does a silent install of Python, Django and Apache, then creates a simple Django app. The template also creates a SQL Database, with a sample table with some sample data which is displayed in the web browser using a query | 
| DNS Forwarder VM | This template shows how to create a DNS server that forwards queries to Azure's internal DNS servers. This is useful for setting up DNS resolution between virtual networks (as described in https://azure.microsoft.com/documentation/articles/virtual-networks-name-resolution-for-vms-and-role-instances/). | 
| DNX on Ubuntu | Spins up an Ubuntu 14.04 server and installs the .NET Execution context (DNX) plus a sample application | 
| Docker Swarm Cluster | This template creates a high-availability Docker Swarm cluster | 
| Dokku Instance | Dokku is a mini-heroku-style PaaS on a single VM. | 
| Drone on Ubuntu VM | This template provisions an instance of Ubuntu 14.04 LTS with the Docker Extension and Drone CI package. | 
| Elasticsearch cluster, Kibana and Logstash for Diagnostics | This template deploys an Elasticsearch cluster and Kibana and Logstash VMs. Logstash is configured with an input plugin to pull diagnostics data from existing Azure Storage Tables. | 
| Enable NSG Flow Logs | This template creates an NSG Flow Logs resource | 
| EPiserverCMS in Azure | This template allows you to create resources required for EpiServerCMS deployment in Azure | 
| eShop Website with ILB ASE | An App Service Environment is a Premium service plan option of Azure App Service that provides a fully isolated and dedicated environment for securely running Azure App Service apps at high scale, including Web Apps, Mobile Apps, and API Apps. | 
| FinOps hub | This template creates a new FinOps hub instance, including Data Explorer, Data Lake storage, and Data Factory. | 
| Front Door Premium with blob origin and Private Link | This template creates a Front Door Premium and an Azure Storage blob container, and uses a private endpoint for Front Door to send traffic to the storage account. | 
| Front Door Standard/Premium with Azure Functions origin | This template creates a Front Door Standard/Premium, an Azure Functions app, and configures the function app to validate that traffic has come through the Front Door origin. | 
| Front Door Standard/Premium with static website origin | This template creates a Front Door Standard/Premium and an Azure Storage static website, and configures Front Door to send traffic to the static website. | 
| Function App | This template deploys an empty Function App and a hosting plan. | 
| Function App on Linux Consumption Plan with Remote Build | This template provisions a function app on a Linux Consumption plan and performs a remote build during code deployment. The app runs on demand and you're billed per execution, with no standing resource commitment. | 
| Function App secured by Azure Frontdoor | This template allows you to deploy an Azure premium function protected and published by Azure Frontdoor premium. The connection between Azure Frontdoor and Azure Functions is protected by Azure Private Link. | 
| GitHub Enterprise Server | GitHub Enterprise Server is the private version of GitHub.com that will run on a VM in your Azure subscription. It makes collaborative coding possible and enjoyable for enterprise software development teams. | 
| GlassFish on SUSE | This template deploys a load balanced GlassFish (v3 or v4) cluster, consisting of a user defined number of SUSE (OpenSUSE or SLES) VMs. | 
| Go Expanse on Ubuntu | This template deploys a Go Expanse client on Ubuntu virtual machines | 
| HDInsight with Load-based Autoscale Enabled | This template allows you to create an HDInsight Spark cluster with load-based Autoscale enabled. | 
| HDInsight with schedule-based Autoscale Enabled | This template allows you to create an HDInsight Spark cluster with schedule-based Autoscale enabled. | 
| IBM Cloud Pak for Data on Azure | This template deploys an Openshift cluster on Azure with all the required resources, infrastructure and then deploys IBM Cloud Pak for Data along with the add-ons that user chooses. | 
| Install Phabricator on an Ubuntu VM | This template deploys Phabricator on an Ubuntu Virtual Machine. This template also deploys a Storage Account, Virtual Network, Public IP addresses and a Network Interface. | 
| Install Scrapy on Ubuntu using Custom Script Linux Extension | This template deploys Scrapy on an Ubuntu Virtual Machine. The user can upload a spider to start to crawl. This template also deploys a Storage Account, Virtual Network, Public IP addresses and a Network Interface. | 
| Intel Lustre clients using CentOS gallery image | This template creates multiple Intel Lustre 2.7 client virtual machines using Azure gallery OpenLogic CentOS 6.6 or 7.0 images and mounts an existing Intel Lustre filesystem | 
| IPv6 in Azure Virtual Network (VNET) | Create a dual stack IPv4/IPv6 VNET with 2 VMs. | 
| Java CI/CD using Jenkins and Azure Web Apps | This is a sample for Java CI/CD using Jenkins and Azure Web Apps. | 
| JBoss EAP on RHEL (clustered, multi-VM) | This template allows you to create multiple RHEL 8.6 VMs running JBoss EAP 7.4 cluster and also deploys a web application called eap-session-replication, you can log into the admin console using the JBoss EAP username and password configured at the time of the deployment. | 
| JBoss EAP on RHEL (clustered, VMSS) | This template allows you to create RHEL 8.6 VMSS instances running JBoss EAP 7.4 cluster and also deploys a web application called eap-session-replication, you can log into the admin console using the JBoss EAP username and password configured at the time of the deployment. | 
| JBoss EAP on RHEL (stand-alone VM) | This template allows you to create a RHEL 8.6 VM running JBoss EAP 7.4 and also deploys a web application called JBoss-EAP on Azure, you can log into the admin console using the JBoss EAP username and password configured at the time of the deployment. | 
| JBoss EAP server running a test application called dukes | This template allows you to create a Red Hat VM running JBoss EAP 7 and also deploy a web application called dukes; you can log in to the admin console using the user and password configured at the time of the deployment. | 
| Jenkins Cluster with Windows & Linux Worker | 1 Jenkins master with 1 Linux node and 1 windows node | 
| JMeter environment for Elasticsearch | This template will deploy a JMeter environment into an existing virtual network. One master node and multiple subordinate nodes are deployed into a new jmeter subnet. This template works in conjunction with the Elasticsearch quickstart template. | 
| Join a VM to an existing domain | This template demonstrates domain join to a private AD domain up in cloud. | 
| KEMP LoadMaster HA Pair | This template deploys a KEMP LoadMaster HA Pair | 
| Linux VM with Serial Output | This template creates a simple Linux VM with minimal parameters and serial/console configured to output to storage | 
| Lustre HPC client and server nodes | This template creates Lustre client and server node VMs and related infrastructure such as VNETs | 
| Marketplace Sample VM with Conditional Resources | This template allows deploying a Linux VM using new or existing resources for the Virtual Network, Storage and Public IP Address. It also allows for choosing between SSH and password authentication. The template uses conditions and logic functions to remove the need for nested deployments. | 
| McAfee Endpoint Security (trial license) on Windows VM | This template creates a Windows VM and sets up a trial version of McAfee Endpoint Security | 
| Memcached service cluster using multiple Ubuntu VMs | This template creates one or more memcached services on Ubuntu 14.04 VMs in a private subnet. It also creates one publicly accessible Apache VM with a PHP test page to confirm that memcached is installed and accessible. | 
| Migrate to Azure SQL database using Azure DMS | The Azure Database Migration Service (DMS) is designed to streamline the process of migrating on-premises databases to Azure. DMS will simplify the migration of existing on-premises SQL Server and Oracle databases to Azure SQL Database, Azure SQL Managed Instance or Microsoft SQL Server in an Azure Virtual Machine. This template would deploy an instance of Azure Database Migration service, an Azure VM with SQL server installed on it which will act as a Source server with pre created database on it and a Target Azure SQL DB server which will have a pre-created schema of the database to be migrated from Source to Target server. The template will also deploy the required resources like NIC, vnet etc for supporting the Source VM, DMS service and Target server. | 
| min.io Azure Gateway | Fully private min.io Azure Gateway deployment to provide an S3 compliant storage API backed by blob storage | 
| Moesif API Analytics and Monetization | The template will log API calls from Azure API Management to Moesif API analytics and monetization platform | 
| More is possible with Azure Data Factory - One click to try Azure Data Factory | This template creates a data factory pipeline for a copy activity from Azure Blob into another Azure Blob | 
| Multi tier App with NSG, ILB, AppGateway | This template deploys a Virtual Network, segregates the network through subnets, deploys VMs and configures load balancing | 
| Multi tier traffic manager, L4 ILB, L7 AppGateway | This template deploys a Virtual Network, segregates the network through subnets, deploys VMs and configures load balancing | 
| Multi VM Template with Managed Disk | This template will create N number of VMs with managed disks, public IPs and network interfaces. It will create the VMs in a single Availability Set. They will be provisioned in a Virtual Network which will also be created as part of the deployment | 
| Multi-client VNS3 network appliance | VNS3 is a software only virtual appliance that provides the combined features and functions of a Security Appliance, Application Delivery Controller and Unified Threat Management device at the cloud application edge. Key benefits, On top of cloud networking, Always on end to end encryption, Federate data centres, cloud regions, cloud providers, and/or containers, creating one unified address space, Attestable control over encryption keys, Meshed network manageable at scale, Reliable HA in the Cloud, Isolate sensitive applications (fast low cost Network Segmentation), Segmentation within applications, Analysis of all data in motion in the cloud. Key network functions; virtual router, switch, firewall, vpn concentrator, multicast distributor, with plugins for WAF, NIDS, Caching, Proxy Load Balancers and other Layer 4 thru 7 network functions, VNS3 doesn't require new knowledge or training to implement, so you can integrate with existing network equipment. | 
| Multiple Windows-VM with custom-script | Multiple Windows VMs with custom-script of choice. | 
| Network Secured Agent with User Managed Identity | This set of templates demonstrates how to set up Azure AI Agent Service with virtual network isolation using User Managed Identity authentication for the AI Service/AOAI connection and private network links to connect the agent to your secure data. | 
| Nylas N1 email sync engine on Debian | This template installs and configures Nylas N1 open source sync engine on a Debian VM. | 
| Openshift Container Platform 4.3 | Openshift Container Platform 4.3 | 
| Orchard CMS Video Portal Web App | This template provides an easy way to deploy Orchard CMS on Azure App Service Web Apps with the Azure Media Services module enabled and configured. | 
| OS Patching extension on a Ubuntu VM | This template creates a Ubuntu VM and installs the OSPatching extension | 
| Private Function App and private endpoint-secured Storage | This template provisions a function app on a Premium plan that has private endpoints and communicates with Azure Storage over private endpoints. | 
| Provision a function app on a Consumption plan | This template provisions a function app on a Consumption plan, which is a dynamic hosting plan. The app runs on demand and you're billed per execution, with no standing resource commitment. There are other templates available for provisioning on a dedicated hosting plan. | 
| Provision a function app running on an App Service Plan | This template provisions a function app on a dedicated hosting plan, meaning it will be run and billed just like any App Service site. | 
| Provision a function app with source deployed from GitHub | This template deploys a Function App hosted in a new dedicated App Service Plan. The Function App has a child resource that enables continuous integration and deploys the function code from a GitHub repository. | 
| Provision Consumption plan function with a Deployment Slot | This template provisions a function app on a Consumption plan, which is a dynamic hosting plan. The app runs on demand and you're billed per execution, with no standing resource commitment. There are other templates available for provisioning on a dedicated hosting plan. | 
| Python Proxy on Ubuntu using Custom Script Linux Extension | This template deploys Python Proxy on an Ubuntu Virtual Machine. This template also deploys a Storage Account, Virtual Network, Public IP addresses and a Network Interface. | 
| Qlik Sense Enterprise single node | This template provisions a single node Qlik Sense Enterprise site. Bring your own license. | 
| Red Hat Enterprise Linux VM (RHEL 7.8 unmanaged) | This template will deploy a Red Hat Enterprise Linux VM (RHEL 7.8), using the Pay-As-You-Go RHEL VM image for the selected version on Standard A1_v2 VM in the location of your chosen resource group with an additional 100 GiB data disk attached to the VM. Additional charges apply to this image - consult Azure VM Pricing page for details. | 
| Red Hat full cross-platform dev box with Team Services agent | This template allows you to create a Red Hat VM with a full set of cross-platform SDKs and Visual Studio Team Services Linux build agent. Once the VM is successfully provisioned, Team Services build agent installation can be verified by looking under your Team Services account settings under Agent pools. Languages/Tools supported: OpenJDK Java 6, 7 and 8; Ant, Maven and Gradle; npm and nodeJS; groovy and gulp; Gnu C and C++ along with make; Perl, Python, Ruby and Ruby on Rails; .NET Core; Docker Engine and Compose; and go | 
| Red Hat Linux 3-Tier Solution on Azure | This template allows you to deploy a 3 Tier architecture using 'Red Hat Enterprise Linux 7.3' virtual machines. Architecture includes Virtual Network, external and internal load balancers, Jump VM, NSGs etc along with multiple RHEL Virtual machines in each tier | 
| Red Hat Tomcat server for use with Team Services deployments | This template allows you to create a Red Hat VM running Apache2 and Tomcat7 and enabled to support Visual Studio Team Services Apache Tomcat Deployment task, the Copy Files over SSH task, and the FTP Upload task (using ftps) to enable deployment of web applications. | 
| Redundant haproxy with Azure load-balancer and floating IP | This template creates a redundant haproxy setup with 2 Ubuntu VMs configured behind Azure load balancer with floating IP enabled. Each of the Ubuntu VMs run haproxy to load balance requests to other application VMs (running Apache in this case). Keepalived enables redundancy for the haproxy VMs by assigning the floating IP to the MASTER and blocking the load-balancer probe on the BACKUP. This template also deploys a Storage Account, Virtual Network, Public IP address, Network Interfaces. | 
| Remote Desktop Services with High Availability | This ARM Template sample code will deploy a Remote Desktop Services 2019 Session Collection lab with high availability. The goal is to deploy a fully redundant, highly available solution for Remote Desktop Services, using Windows Server 2019. | 
| Retrieve Azure Storage access keys in ARM template | This template will create a Storage account, after which it will create an API connection by dynamically retrieving the primary key of the Storage account. The API connection is then used in a Logic App as a trigger polling for blob changes. | 
| ROS on Azure with Windows VM | This template creates a Windows VM and installs the ROS into it using the CustomScript extension. | 
| SAP NW 2-tier compatible Marketplace image | This template allows you to deploy a VM using an operating system that is supported by SAP. | 
| Scalable Umbraco CMS Web App | This template provides an easy way to deploy umbraco CMS web app on Azure App Service Web Apps. | 
| Secure Ubuntu by Trailbot | This template provides a Ubuntu VM which comes with a special daemon called Trailbot Watcher that monitors system files and logs, triggers Smart Policies upon modification and generates a blockchain-anchored, immutable audit trail of everything happening to them. | 
| Secure VM password with Key Vault | This template allows you to deploy a simple Windows VM by retrieving the password that is stored in a Key Vault. Therefore the password is never put in plain text in the template parameter file | 
| Simple Umbraco CMS Web App | This template provides an easy way to deploy umbraco CMS web app on Azure App Service Web Apps. | 
| Spin up a Torque cluster | Template spins up a Torque cluster. | 
| SQL Provisioning CSP | Microsoft Azure has a new subscription offering, CSP Subscriptions. Some aspects of SQL VM deployment are not yet supported in CSP subscriptions. This includes the SQL IaaS Agent Extension, which is required for features such as SQL Automated Backup and SQL Automated Patching. | 
| SQL Server 2014 SP1 Enterprise all SQL VM features enabled | This template will create a SQL Server 2014 SP1 Enterprise edition with Auto Patching, Auto Backup and Azure Key Vault Integration features enabled. | 
| SQL Server 2014 SP1 Enterprise with Auto Patching | This template will create a SQL Server 2014 SP1 Enterprise edition with Auto Patching feature enabled. | 
| SQL Server 2014 SP2 Enterprise with Auto Backup | This template will create a SQL Server 2014 SP2 Enterprise edition with Auto Backup feature enabled | 
| SQL Server availability group on AKS | This creates a new AKS Cluster and then deploys SQL Server availability groups into it using a CNAB package deployed using Duffle and ACI | 
| Standalone Ethereum Studio | This template deploys a docker with standalone version of Ethereum Studio on Ubuntu. | 
| Standard Agent Setup | This set of templates demonstrates how to set up Azure AI Agent Service with the standard setup, meaning with managed identity authentication for project/hub connections and public internet access enabled. Agents use customer-owned, single-tenant search and storage resources. With this setup, you have full control and visibility over these resources, but you will incur costs based on your usage. | 
| Storage account with Advanced Threat Protection | This template allows you to deploy an Azure Storage account with Advanced Threat Protection enabled. | 
| Storage Account with SSE and blob deletion retention policy | This template creates a Storage Account with Storage Service Encryption and a blob deletion retention policy | 
| SUSE Linux Enterprise Server VM (SLES 12) | This template will allow you to deploy a SUSE Linux Enterprise Server VM (SLES 12), using the Pay-As-You-Go SLES VM image for the selected version on Standard D1 VM in the location of your chosen resource group with an additional 100 GiB data disk attached to the VM. Additional charges apply to this image - consult Azure VM Pricing page for details. | 
| Symantec Endpoint Protection extension trial on Windows VM | This template creates a Windows VM and sets up a trial version of Symantec Endpoint Protection | 
| Telegraf-InfluxDB-Grafana | This template allows you to deploy an instance of Telegraf-InfluxDB-Grafana on a Linux Ubuntu 14.04 LTS VM. This will deploy a VM in the resource group location and return the FQDN of the VM and installs the components of Telegraf, InfluxDB and Grafana. The template provides configuration for telegraf with plugins enabled for Docker,container host metrics. | 
| Terraform on Azure | This template allows you to deploy a Terraform workstation as a Linux VM with MSI. | 
| Two-Tier-nodejsapp-migration-to-containers-on-Azure | Two-tier app migration to azure containers and PaaS database. | 
| Ubuntu Apache2 Web server with requested test page | This template allows you to quickly create an Ubuntu VM running Apache2 with the test page content you define as a parameter. This can be useful for quick validation/demo/prototyping. | 
| Ubuntu full cross-platform dev box with Team Services agent | This template allows you to create an Ubuntu VM with a full set of cross-platform SDKs and Visual Studio Team Services Linux build agent. Once the VM is successfully provisioned, Team Services build agent installation can be verified by looking under your Team Services account settings under Agent pools. Languages/Tools supported: OpenJDK Java 7 and 8; Ant, Maven and Gradle; npm and nodeJS; groovy and gulp; Gnu C and C++ along with make; Perl, Python, Ruby and Ruby on Rails; .NET; and go | 
| Ubuntu VM with OpenJDK 7/8, Maven and Team Services agent | This template allows you to create an Ubuntu VM software build machine with OpenJDK 7 and 8, Maven (and thus Ant) and Visual Studio Team Services Linux build agent. Once the VM is successfully provisioned, Team Services build agent installation can be verified by looking under your Team Services account settings under Agent pools | 
| Use ARM template to create IoT Hub, route and view messages | Use this template to deploy an IoT Hub and a storage account. Run an app to send messages to the hub that are routed to storage, then view the results. | 
| Use Azure Firewall as a DNS Proxy in a Hub & Spoke topology | This sample shows how to deploy a hub-spoke topology in Azure using the Azure Firewall. The hub virtual network acts as a central point of connectivity to many spoke virtual networks that are connected to hub virtual network via virtual network peering. | 
| Use output from a Custom Script Extension during Deployment | This is useful for using the VM's compute to perform some task during deployment that Azure Resource Manager does not provide. The output of that compute (script) can then be leveraged elsewhere in the deployment. This is useful if the compute resource is needed in the deployment (e.g. a jumpbox, DC, etc), a bit wasteful if it is not. | 
| Vert.x, OpenJDK, Apache, and MySQL Server on Ubuntu VM | This template uses the Azure Linux CustomScript extension to deploy Vert.x, OpenJDK, Apache, and MySQL Server on Ubuntu 14.04 LTS. | 
| Virtual machine with an RDP port | Creates a virtual machine and creates a NAT rule for RDP to the VM in load balancer | 
| Virtual Machine with Conditional Resources | This template allows deploying a Linux VM using new or existing resources for the Virtual Network, Storage and Public IP Address. It also allows for choosing between SSH and password authentication. The template uses conditions and logic functions to remove the need for nested deployments. | 
| Visual Studio 2019 CE with Docker Desktop | Container Development with Visual Studio 2019 CE with Docker Desktop | 
| Visual Studio and Visual Studio Team Services Build Agent VM | This template expands the Visual Studio Dev VM template. It creates the VM in a new vnet, storage account, nic, and public ip with the new compute stack then installs the Visual Studio Team Services build agent. | 
| VM bootstorm workload template | This template creates the requested number of VMs and boots them simultaneously to calculate average VM boot time | 
| VMAccess extension on a Ubuntu VM | This template creates a Ubuntu VM and installs the VMAccess extension | 
| VMs in Availability Zones with a Load Balancer and NAT | This template allows you to create Virtual Machines distributed across Availability Zones with a Load Balancer and configure NAT rules through the load balancer. This template also deploys a Virtual Network, Public IP address and Network Interfaces. In this template, we use the resource loops capability to create the network interfaces and virtual machines | 
| VNS3 network appliance for cloud connectivity and security | VNS3 is a software only virtual appliance that provides the combined features and functions of a security appliance, application delivery controller and unified threat management device at the cloud application edge. Key benefits, on top of cloud networking, always on end to end encryption, federate data centres, cloud regions, cloud providers, and/or containers, creating one unified address space, attestable control over encryption keys, meshed network manageable at scale, reliable HA in the cloud, isolate sensitive applications (fast low cost Network Segmentation), segmentation within applications, Analysis of all data in motion in the cloud. Key network functions; virtual router, switch, firewall, vpn concentrator, multicast distributor, with plugins for WAF, NIDS, caching, proxy, load balancers and other layer 4 thru 7 network functions, VNS3 doesn't require new knowledge or training to implement, so you can integrate with existing network equipment. | 
| Web App with a SQL Database, Azure Cosmos DB, Azure Search | This template provisions a Web App, a SQL Database, Azure Cosmos DB, Azure Search and Application Insights. | 
| Web App with diagnostics logging to Blob Container | Deploy a Web App with diagnostics logging to Storage Account Blob Container enabled. | 
| WildFly 18 on CentOS 8 (stand-alone VM) | This template allows you to create a CentOS 8 VM running WildFly 18.0.1.Final and also deploy a web application called JBoss-EAP on Azure. You can log in to the Admin Console using the WildFly username and password configured at the time of the deployment. | 
| Windows Docker Host with Portainer and Traefik pre-installed | Windows Docker Host with Portainer and Traefik pre-installed | 
| Windows Server VM with SSH | Deploy a single Windows VM with OpenSSH enabled so that you can connect through SSH using key-based authentication. | 
Terraform (AzAPI provider) resource definition
The storageAccounts resource type can be deployed with operations that target:
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.Storage/storageAccounts resource, add the following Terraform to your template.
resource "azapi_resource" "symbolicname" {
  type = "Microsoft.Storage/storageAccounts@2021-04-01"
  name = "string"
  parent_id = "string"
  identity {
    type = "string"
    identity_ids = [
      "string"
    ]
  }
  location = "string"
  tags = {
    {customized property} = "string"
  }
  body = {
    extendedLocation = {
      name = "string"
      type = "string"
    }
    kind = "string"
    properties = {
      accessTier = "string"
      allowBlobPublicAccess = bool
      allowCrossTenantReplication = bool
      allowSharedKeyAccess = bool
      azureFilesIdentityBasedAuthentication = {
        activeDirectoryProperties = {
          azureStorageSid = "string"
          domainGuid = "string"
          domainName = "string"
          domainSid = "string"
          forestName = "string"
          netBiosDomainName = "string"
        }
        defaultSharePermission = "string"
        directoryServiceOptions = "string"
      }
      customDomain = {
        name = "string"
        useSubDomainName = bool
      }
      encryption = {
        identity = {
          userAssignedIdentity = "string"
        }
        keySource = "string"
        keyvaultproperties = {
          keyname = "string"
          keyvaulturi = "string"
          keyversion = "string"
        }
        requireInfrastructureEncryption = bool
        services = {
          blob = {
            enabled = bool
            keyType = "string"
          }
          file = {
            enabled = bool
            keyType = "string"
          }
          queue = {
            enabled = bool
            keyType = "string"
          }
          table = {
            enabled = bool
            keyType = "string"
          }
        }
      }
      isHnsEnabled = bool
      isNfsV3Enabled = bool
      keyPolicy = {
        keyExpirationPeriodInDays = int
      }
      largeFileSharesState = "string"
      minimumTlsVersion = "string"
      networkAcls = {
        bypass = "string"
        defaultAction = "string"
        ipRules = [
          {
            action = "Allow"
            value = "string"
          }
        ]
        resourceAccessRules = [
          {
            resourceId = "string"
            tenantId = "string"
          }
        ]
        virtualNetworkRules = [
          {
            action = "Allow"
            id = "string"
            state = "string"
          }
        ]
      }
      routingPreference = {
        publishInternetEndpoints = bool
        publishMicrosoftEndpoints = bool
        routingChoice = "string"
      }
      sasPolicy = {
        expirationAction = "string"
        sasExpirationPeriod = "string"
      }
      supportsHttpsTrafficOnly = bool
    }
    sku = {
      name = "string"
    }
  }
}
Property Values
Microsoft.Storage/storageAccounts
| Name | Description | Value | 
|---|---|---|
| extendedLocation | Optional. Set the extended location of the resource. If not set, the storage account will be created in Azure main region. Otherwise it will be created in the specified extended location | ExtendedLocation | 
| identity | The identity of the resource. | Identity | 
| kind | Required. Indicates the type of storage account. | 'BlobStorage' 'BlockBlobStorage' 'FileStorage' 'Storage' 'StorageV2' (required) | 
| location | Required. Gets or sets the location of the resource. This will be one of the supported and registered Azure Geo Regions (e.g. West US, East US, Southeast Asia, etc.). The geo region of a resource cannot be changed once it is created, but if an identical geo region is specified on update, the request will succeed. | string (required) | 
| name | The resource name | string Constraints: Min length = 3 Max length = 24 (required) | 
| parent_id | The ID of the resource to apply this extension resource to. | string (required) | 
| properties | The parameters used to create the storage account. | StorageAccountPropertiesCreateParametersOrStorageAccountProperties | 
| sku | Required. Gets or sets the SKU name. | Sku (required) | 
| tags | Resource tags | Dictionary of tag names and values. | 
| type | The resource type | "Microsoft.Storage/storageAccounts@2021-04-01" | 
ActiveDirectoryProperties
| Name | Description | Value | 
|---|---|---|
| azureStorageSid | Specifies the security identifier (SID) for Azure Storage. | string (required) | 
| domainGuid | Specifies the domain GUID. | string (required) | 
| domainName | Specifies the primary domain that the AD DNS server is authoritative for. | string (required) | 
| domainSid | Specifies the security identifier (SID). | string (required) | 
| forestName | Specifies the Active Directory forest to get. | string (required) | 
| netBiosDomainName | Specifies the NetBIOS domain name. | string (required) | 
AzureFilesIdentityBasedAuthentication
| Name | Description | Value | 
|---|---|---|
| activeDirectoryProperties | Required if AD is chosen. | ActiveDirectoryProperties | 
| defaultSharePermission | Default share permission for users using Kerberos authentication if RBAC role is not assigned. | 'None' 'StorageFileDataSmbShareContributor' 'StorageFileDataSmbShareElevatedContributor' 'StorageFileDataSmbShareOwner' 'StorageFileDataSmbShareReader' | 
| directoryServiceOptions | Indicates the directory service used. | 'AADDS' 'AD' 'None' (required) | 
CustomDomain
| Name | Description | Value | 
|---|---|---|
| name | Gets or sets the custom domain name assigned to the storage account. Name is the CNAME source. | string (required) | 
| useSubDomainName | Indicates whether indirect CName validation is enabled. Default value is false. This should only be set on updates. | bool | 
Encryption
| Name | Description | Value | 
|---|---|---|
| identity | The identity to be used with service-side encryption at rest. | EncryptionIdentity | 
| keySource | The encryption keySource (provider). Possible values (case-insensitive): Microsoft.Storage, Microsoft.Keyvault | 'Microsoft.Keyvault' 'Microsoft.Storage' (required) | 
| keyvaultproperties | Properties provided by key vault. | KeyVaultProperties | 
| requireInfrastructureEncryption | A boolean indicating whether or not the service applies a secondary layer of encryption with platform managed keys for data at rest. | bool | 
| services | List of services which support encryption. | EncryptionServices | 
EncryptionIdentity
| Name | Description | Value | 
|---|---|---|
| userAssignedIdentity | Resource identifier of the UserAssigned identity to be associated with server-side encryption on the storage account. | string | 
EncryptionService
| Name | Description | Value | 
|---|---|---|
| enabled | A boolean indicating whether or not the service encrypts the data as it is stored. | bool | 
| keyType | Encryption key type to be used for the encryption service. 'Account' key type implies that an account-scoped encryption key will be used. 'Service' key type implies that a default service key is used. | 'Account' 'Service' | 
EncryptionServices
| Name | Description | Value | 
|---|---|---|
| blob | The encryption function of the blob storage service. | EncryptionService | 
| file | The encryption function of the file storage service. | EncryptionService | 
| queue | The encryption function of the queue storage service. | EncryptionService | 
| table | The encryption function of the table storage service. | EncryptionService | 
ExtendedLocation
| Name | Description | Value | 
|---|---|---|
| name | The name of the extended location. | string | 
| type | The type of the extended location. | 'EdgeZone' | 
Identity
| Name | Description | Value | 
|---|---|---|
| type | The identity type. | 'None' 'SystemAssigned' 'SystemAssigned,UserAssigned' 'UserAssigned' (required) | 
| userAssignedIdentities | Gets or sets a list of key value pairs that describe the set of User Assigned identities that will be used with this storage account. The key is the ARM resource identifier of the identity. Only 1 User Assigned identity is permitted here. | IdentityUserAssignedIdentities | 
IdentityUserAssignedIdentities
| Name | Description | Value | 
|---|---|---|
IPRule
| Name | Description | Value | 
|---|---|---|
| action | The action of IP ACL rule. | 'Allow' | 
| value | Specifies the IP or IP range in CIDR format. Only IPv4 addresses are allowed. | string (required) | 
KeyPolicy
| Name | Description | Value | 
|---|---|---|
| keyExpirationPeriodInDays | The key expiration period in days. | int (required) | 
KeyVaultProperties
| Name | Description | Value | 
|---|---|---|
| keyname | The name of KeyVault key. | string | 
| keyvaulturi | The URI of KeyVault. | string | 
| keyversion | The version of KeyVault key. | string | 
NetworkRuleSet
| Name | Description | Value | 
|---|---|---|
| bypass | Specifies whether traffic is bypassed for Logging/Metrics/AzureServices. Possible values are any combination of Logging\|Metrics\|AzureServices (for example, "Logging, Metrics"), or None to bypass none of that traffic. | 'AzureServices' 'Logging' 'Metrics' 'None' | 
| defaultAction | Specifies the default action of allow or deny when no other rules match. | 'Allow' 'Deny' (required) | 
| ipRules | Sets the IP ACL rules | IPRule[] | 
| resourceAccessRules | Sets the resource access rules | ResourceAccessRule[] | 
| virtualNetworkRules | Sets the virtual network rules | VirtualNetworkRule[] | 
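Because IPRule carries only the action 'Allow', the rule set narrows access only when defaultAction is 'Deny'. The following added example (not part of the original reference; the function names are hypothetical) models that evaluation for ipRules alone, ignoring bypass, virtualNetworkRules and resourceAccessRules, and rejects values that are not IPv4.

```python
import ipaddress

# Added example: a simplified model of NetworkRuleSet evaluation for ipRules only.
# Function names are hypothetical; this is not an Azure SDK or service API.


def parse_ip_rule(value):
    """Parse an IPRule value: one IPv4 address or an IPv4 range in CIDR format."""
    network = ipaddress.ip_network(value, strict=False)
    if network.version != 4:
        raise ValueError(f"ipRules accept IPv4 only, got {value!r}")
    return network


def decide(network_acls, source_ip):
    """Return (action, reason) for a request arriving from source_ip."""
    # Validate every rule up front so a bad entry is reported even if an
    # earlier rule would already have matched.
    rules = [(r["value"], parse_ip_rule(r["value"]))
             for r in network_acls.get("ipRules", [])]
    source = ipaddress.ip_address(source_ip)
    for value, network in rules:
        if source.version == 4 and source in network:
            return ("Allow", f"ipRule {value}")
    # No rule matched: defaultAction (a required property) decides.
    return (network_acls["defaultAction"], "defaultAction")


def redundant_rules(network_acls):
    """List ipRules that change nothing because defaultAction is already 'Allow'."""
    if network_acls["defaultAction"] != "Allow":
        return []
    return [r["value"] for r in network_acls.get("ipRules", [])]


# Constructed sample inputs (documentation address ranges, not real deployments).
OPEN_ACLS = {
    "defaultAction": "Allow",
    "ipRules": [{"action": "Allow", "value": "203.0.113.0/24"}],
}
LOCKED_ACLS = {
    "defaultAction": "Deny",
    "ipRules": [{"action": "Allow", "value": "203.0.113.0/24"}],
}

if __name__ == "__main__":
    for label, acls in (("open", OPEN_ACLS), ("locked", LOCKED_ACLS)):
        for ip in ("203.0.113.20", "198.51.100.9"):
            print(label, ip, decide(acls, ip))
        print(label, "redundant rules:", redundant_rules(acls))
```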
ResourceAccessRule
| Name | Description | Value | 
|---|---|---|
| resourceId | Resource Id | string | 
| tenantId | Tenant Id | string | 
RoutingPreference
| Name | Description | Value | 
|---|---|---|
| publishInternetEndpoints | A boolean flag which indicates whether internet routing storage endpoints are to be published. | bool | 
| publishMicrosoftEndpoints | A boolean flag which indicates whether Microsoft routing storage endpoints are to be published. | bool | 
| routingChoice | Routing Choice defines the kind of network routing opted by the user. | 'InternetRouting' 'MicrosoftRouting' | 
SasPolicy
| Name | Description | Value | 
|---|---|---|
| expirationAction | The SAS expiration action. Can only be Log. | 'Log' (required) | 
| sasExpirationPeriod | The SAS expiration period, DD.HH:MM:SS. | string (required) | 
Sku
| Name | Description | Value | 
|---|---|---|
| name | The SKU name. Required for account creation; optional for update. Note that in older versions, SKU name was called accountType. | 'Premium_LRS' 'Premium_ZRS' 'Standard_GRS' 'Standard_GZRS' 'Standard_LRS' 'Standard_RAGRS' 'Standard_RAGZRS' 'Standard_ZRS' (required) | 
StorageAccountCreateParametersTags
| Name | Description | Value | 
|---|---|---|
StorageAccountPropertiesCreateParametersOrStorageAccountProperties
| Name | Description | Value | 
|---|---|---|
| accessTier | Required for storage accounts where kind = BlobStorage. The access tier used for billing. | 'Cool' 'Hot' | 
| allowBlobPublicAccess | Allow or disallow public access to all blobs or containers in the storage account. The default interpretation is true for this property. | bool | 
| allowCrossTenantReplication | Allow or disallow cross AAD tenant object replication. The default interpretation is true for this property. | bool | 
| allowSharedKeyAccess | Indicates whether the storage account permits requests to be authorized with the account access key via Shared Key. If false, then all requests, including shared access signatures, must be authorized with Azure Active Directory (Azure AD). The default value is null, which is equivalent to true. | bool | 
| azureFilesIdentityBasedAuthentication | Provides the identity based authentication settings for Azure Files. | AzureFilesIdentityBasedAuthentication | 
| customDomain | User domain assigned to the storage account. Name is the CNAME source. Only one custom domain is supported per storage account at this time. To clear the existing custom domain, use an empty string for the custom domain name property. | CustomDomain | 
| encryption | Not applicable. Azure Storage encryption is enabled for all storage accounts and cannot be disabled. | Encryption | 
| isHnsEnabled | Account HierarchicalNamespace enabled if set to true. | bool | 
| isNfsV3Enabled | NFS 3.0 protocol support enabled if set to true. | bool | 
| keyPolicy | KeyPolicy assigned to the storage account. | KeyPolicy | 
| largeFileSharesState | Allow large file shares if set to Enabled. It cannot be disabled once it is enabled. | 'Disabled' 'Enabled' | 
| minimumTlsVersion | Set the minimum TLS version to be permitted on requests to storage. The default interpretation is TLS 1.0 for this property. | 'TLS1_0' 'TLS1_1' 'TLS1_2' | 
| networkAcls | Network rule set | NetworkRuleSet | 
| routingPreference | Maintains information about the network routing choice opted by the user for data transfer | RoutingPreference | 
| sasPolicy | SasPolicy assigned to the storage account. | SasPolicy | 
| supportsHttpsTrafficOnly | Allows HTTPS traffic only to the storage service if set to true. The default value is true since API version 2019-04-01. | bool | 
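The table above gives several properties a permissive interpretation when they are omitted. The following added example (not part of the original reference; the function names and the hardened baseline are assumptions) resolves a `properties` object to its effective values and reports each setting that misses the baseline, separating explicit values from inherited defaults.

```python
# Added example: audits a storageAccounts `properties` object (the body.properties
# map of the Terraform format above). Names and the baseline are assumptions,
# not Azure APIs.

# What the property table says an omitted (null) value means.
DOCUMENTED_DEFAULTS = {
    "allowBlobPublicAccess": True,        # "default interpretation is true"
    "allowCrossTenantReplication": True,  # "default interpretation is true"
    "allowSharedKeyAccess": True,         # "null, which is equivalent to true"
    "minimumTlsVersion": "TLS1_0",        # "default interpretation is TLS 1.0"
    "supportsHttpsTrafficOnly": True,     # "true since API version 2019-04-01"
}

# Assumed hardened baseline for this example (not a rule stated by the page).
BASELINE = {
    "allowBlobPublicAccess": False,
    "allowCrossTenantReplication": False,
    "allowSharedKeyAccess": False,
    "minimumTlsVersion": "TLS1_2",
    "supportsHttpsTrafficOnly": True,
}


def effective_properties(properties):
    """Return the value in force for each audited property: explicit, else default."""
    effective = {}
    for name, default in DOCUMENTED_DEFAULTS.items():
        value = properties.get(name)
        effective[name] = default if value is None else value
    return effective


def audit(properties):
    """Return (property, effective value, origin) for each setting off the baseline.

    origin is "explicit" when the template set the value and "default" when the
    value comes from the documented interpretation of an omitted property.
    """
    effective = effective_properties(properties)
    findings = []
    for name, wanted in BASELINE.items():
        if effective[name] != wanted:
            origin = "explicit" if properties.get(name) is not None else "default"
            findings.append((name, effective[name], origin))
    return findings


# Audited values as set in the page's basic Terraform sample.
BASIC_SAMPLE = {
    "accessTier": "Hot",
    "allowBlobPublicAccess": True,
    "allowCrossTenantReplication": True,
    "allowSharedKeyAccess": True,
    "minimumTlsVersion": "TLS1_2",
    "supportsHttpsTrafficOnly": True,
}
# Constructed input: a template that sets none of the audited properties.
SPARSE = {"accessTier": "Hot"}
# Constructed input: a template that sets every audited property to the baseline.
HARDENED = dict(BASELINE, accessTier="Hot")

if __name__ == "__main__":
    for label, props in (("basic", BASIC_SAMPLE), ("sparse", SPARSE), ("hardened", HARDENED)):
        print(label)
        for name, value, origin in audit(props):
            print(f"  {name} = {value!r} ({origin})")
```

A template that omits these properties is reported with origin "default", which is the case a review of the template text alone tends to miss.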
UserAssignedIdentity
| Name | Description | Value | 
|---|---|---|
VirtualNetworkRule
| Name | Description | Value | 
|---|---|---|
| action | The action of virtual network rule. | 'Allow' | 
| id | Resource ID of a subnet, for example: /subscriptions/{subscriptionId}/resourceGroups/{groupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName}. | string (required) | 
| state | Gets the state of virtual network rule. | 'Deprovisioning' 'Failed' 'NetworkSourceDeleted' 'Provisioning' 'Succeeded' | 
Usage Examples
Terraform Samples
A basic example of deploying an Azure Storage Account.
terraform {
  required_providers {
    azapi = {
      source = "Azure/azapi"
    }
  }
}
provider "azapi" {
  skip_provider_registration = false
}
variable "resource_name" {
  type    = string
  default = "acctest0001"
}
variable "location" {
  type    = string
  default = "westeurope"
}
resource "azapi_resource" "resourceGroup" {
  type     = "Microsoft.Resources/resourceGroups@2020-06-01"
  name     = var.resource_name
  location = var.location
}
resource "azapi_resource" "storageAccount" {
  type      = "Microsoft.Storage/storageAccounts@2021-09-01"
  parent_id = azapi_resource.resourceGroup.id
  name      = var.resource_name
  location  = var.location
  body = {
    kind = "StorageV2"
    properties = {
      accessTier                   = "Hot"
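      # Sample values: anonymous blob access, cross-tenant replication and
      # Shared Key authorization are all left enabled in this basic example.
      allowBlobPublicAccess        = true
      allowCrossTenantReplication  = true
      allowSharedKeyAccess         = true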
      defaultToOAuthAuthentication = false
      encryption = {
        keySource = "Microsoft.Storage"
        services = {
          queue = {
            keyType = "Service"
          }
          table = {
            keyType = "Service"
          }
        }
      }
      isHnsEnabled      = false
      isNfsV3Enabled    = false
      isSftpEnabled     = false
      minimumTlsVersion = "TLS1_2"
      networkAcls = {
        defaultAction = "Allow"
      }
      publicNetworkAccess      = "Enabled"
      supportsHttpsTrafficOnly = true
    }
    sku = {
      name = "Standard_LRS"
    }
  }
  schema_validation_enabled = false
  response_export_values    = ["*"]
}
An example of deploying an Azure Storage Account with private endpoints.
terraform {
  required_providers {
    azapi = {
      source = "Azure/azapi"
    }
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "=4.20.0"
    }
  }
}
provider "azurerm" {
  features {
    resource_group {
      prevent_deletion_if_contains_resources = false
    }
  }
  subscription_id = var.subscription_id
}
provider "azapi" {
  skip_provider_registration = false
}
variable "resource_name" {
  type    = string
  default = "acctest0001"
}
variable "location" {
  type    = string
  default = "westeurope"
}
variable "subscription_id" {
  type    = string
  default = "00000000-0000-0000-0000-000000000000"
}
variable "vm_admin_username" {
  type    = string
  default = "adminuser"
}
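# Placeholder value for the sample only. Supply the real password at deploy time
# (for example through the TF_VAR_vm_admin_password environment variable)
# instead of keeping a default in source control.
variable "vm_admin_password" {
  type      = string
  default   = "P@$$w0rd1234!"
  sensitive = true
}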
resource "azurerm_resource_group" "example" {
  name     = var.resource_name
  location = var.location
}
resource "azurerm_virtual_network" "example" {
  name                = "${var.resource_name}-vnet"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  address_space       = ["10.0.0.0/16"]
}
resource "azurerm_subnet" "main" {
  name                 = "main"
  resource_group_name  = azurerm_resource_group.example.name
  virtual_network_name = azurerm_virtual_network.example.name
  address_prefixes     = ["10.0.1.0/24"]
}
resource "azurerm_subnet" "vm" {
  name                 = "vm"
  resource_group_name  = azurerm_resource_group.example.name
  virtual_network_name = azurerm_virtual_network.example.name
  address_prefixes     = ["10.0.2.0/24"]
}
resource "azurerm_subnet" "bastion" {
  name                 = "AzureBastionSubnet"
  resource_group_name  = azurerm_resource_group.example.name
  virtual_network_name = azurerm_virtual_network.example.name
  address_prefixes     = ["10.0.3.0/24"]
}
resource "azurerm_private_dns_zone" "blob" {
  name                = "privatelink.blob.core.windows.net"
  resource_group_name = azurerm_resource_group.example.name
}
resource "azurerm_private_dns_zone" "queue" {
  name                = "privatelink.queue.core.windows.net"
  resource_group_name = azurerm_resource_group.example.name
}
resource "azurerm_private_dns_zone" "web" {
  name                = "privatelink.web.core.windows.net"
  resource_group_name = azurerm_resource_group.example.name
}
resource "azurerm_private_dns_zone_virtual_network_link" "web" {
  name                  = "web"
  resource_group_name   = azurerm_resource_group.example.name
  private_dns_zone_name = azurerm_private_dns_zone.web.name
  virtual_network_id    = azurerm_virtual_network.example.id
}
resource "azurerm_private_dns_zone_virtual_network_link" "blob" {
  name                  = "blob"
  resource_group_name   = azurerm_resource_group.example.name
  private_dns_zone_name = azurerm_private_dns_zone.blob.name
  virtual_network_id    = azurerm_virtual_network.example.id
}
resource "azurerm_private_dns_zone_virtual_network_link" "queue" {
  name                  = "queue"
  resource_group_name   = azurerm_resource_group.example.name
  private_dns_zone_name = azurerm_private_dns_zone.queue.name
  virtual_network_id    = azurerm_virtual_network.example.id
}
resource "azurerm_public_ip" "example" {
  name                = "${var.resource_name}-ip"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  allocation_method   = "Static"
  sku                 = "Standard"
}
resource "azurerm_bastion_host" "example" {
  name                = "${var.resource_name}-bastion"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  sku                 = "Basic"
  ip_configuration {
    name                 = "configuration"
    subnet_id            = azurerm_subnet.bastion.id
    public_ip_address_id = azurerm_public_ip.example.id
  }
}
resource "azurerm_network_interface" "example" {
  name                = "${var.resource_name}-nic"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  ip_configuration {
    name                          = "internal"
    subnet_id                     = azurerm_subnet.vm.id
    private_ip_address_allocation = "Dynamic"
  }
}
resource "azurerm_windows_virtual_machine" "example" {
  name                              = var.resource_name
  resource_group_name               = azurerm_resource_group.example.name
  location                          = azurerm_resource_group.example.location
  size                              = "Standard_F2"
  admin_username                    = var.vm_admin_username
  admin_password                    = var.vm_admin_password
  vm_agent_platform_updates_enabled = true
  network_interface_ids = [
    azurerm_network_interface.example.id,
  ]
  os_disk {
    caching              = "ReadWrite"
    storage_account_type = "Standard_LRS"
  }
  source_image_reference {
    publisher = "MicrosoftWindowsServer"
    offer     = "WindowsServer"
    sku       = "2022-Datacenter"
    version   = "latest"
  }
  identity {
    type = "SystemAssigned"
  }
}
resource "azapi_resource" "storageAccount" {
  type      = "Microsoft.Storage/storageAccounts@2023-05-01"
  parent_id = azurerm_resource_group.example.id
  name      = "${var.resource_name}sa"
  location  = azurerm_resource_group.example.location
  body = {
    kind = "StorageV2"
    properties = {
      accessTier                   = "Hot"
      allowBlobPublicAccess        = false
      allowCrossTenantReplication  = false
      allowSharedKeyAccess         = true
      defaultToOAuthAuthentication = false
      dnsEndpointType              = "Standard"
      encryption = {
        keySource = "Microsoft.Storage"
        services = {
          blob = {
            enabled = true
            keyType = "Account"
          }
          file = {
            enabled = true
            keyType = "Account"
          }
        }
      }
      isHnsEnabled       = false
      isLocalUserEnabled = true
      isNfsV3Enabled     = false
      isSftpEnabled      = false
      minimumTlsVersion  = "TLS1_2"
      networkAcls = {
        bypass              = "AzureServices"
        defaultAction       = "Allow"
        ipRules             = []
        resourceAccessRules = []
        virtualNetworkRules = []
      }
      publicNetworkAccess      = "Disabled"
      supportsHttpsTrafficOnly = true
    }
    sku = {
      name = "Standard_LRS"
    }
  }
}
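# Grants the VM's system-assigned managed identity the built-in Contributor role,
# scoped to the storage account only.
resource "azurerm_role_assignment" "example" {
  scope                = azapi_resource.storageAccount.id
  role_definition_name = "Contributor"
  principal_id         = azurerm_windows_virtual_machine.example.identity[0].principal_id
}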
resource "azurerm_private_endpoint" "blob" {
  name                = "${var.resource_name}-private-endpoint-blob"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  subnet_id           = azurerm_subnet.main.id
  private_service_connection {
    name                           = "${var.resource_name}-private-endpoint-connection"
    private_connection_resource_id = azapi_resource.storageAccount.id
    subresource_names              = ["blob"]
    is_manual_connection           = false
  }
  private_dns_zone_group {
    name                 = "storage-private-endpoint-dns-zone-group"
    private_dns_zone_ids = [azurerm_private_dns_zone.blob.id]
  }
}
resource "azurerm_private_endpoint" "queue" {
  name                = "${var.resource_name}-private-endpoint-queue"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  subnet_id           = azurerm_subnet.main.id
  private_service_connection {
    name                           = "${var.resource_name}-private-endpoint-connection-q"
    private_connection_resource_id = azapi_resource.storageAccount.id
    subresource_names              = ["queue"]
    is_manual_connection           = false
  }
  private_dns_zone_group {
    name                 = "storage-private-endpoint-dns-zone-group-q"
    private_dns_zone_ids = [azurerm_private_dns_zone.queue.id]
  }
}
resource "azurerm_private_endpoint" "web" {
  name                = "${var.resource_name}-private-endpoint-web"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  subnet_id           = azurerm_subnet.main.id
  private_service_connection {
    name                           = "${var.resource_name}-private-endpoint-connection-web"
    private_connection_resource_id = azapi_resource.storageAccount.id
    subresource_names              = ["web"]
    is_manual_connection           = false
  }
  private_dns_zone_group {
    name                 = "storage-private-endpoint-dns-zone-group-web"
    private_dns_zone_ids = [azurerm_private_dns_zone.web.id]
  }
}
Azure Verified Modules
The following Azure Verified Modules can be used to deploy this resource type.
| Module | Description | 
|---|---|
| Storage Account | AVM Resource Module for Storage Account |