microsoft · eerhardt · Feb 6, 2026 · Feb 6, 2026 · Feb 6, 2026 · Feb 6, 2026
diff --git a/src/Aspire.Hosting.Azure.AppConfiguration/AzureAppConfigurationExtensions.cs b/src/Aspire.Hosting.Azure.AppConfiguration/AzureAppConfigurationExtensions.cs
@@ -1,6 +1,8 @@
 // Licensed to the .NET Foundation under one or more agreements.
 // The .NET Foundation licenses this file to you under the MIT license.
 
+#pragma warning disable ASPIREAZURE003 // Type is for evaluation purposes only and is subject to change or removal in future updates. Suppress this diagnostic to proceed.
+
 using Aspire.Hosting.ApplicationModel;
 using Aspire.Hosting.Azure;
 using Aspire.Hosting.Azure.AppConfiguration;
@@ -36,24 +38,43 @@ public static IResourceBuilder<AzureAppConfigurationResource> AddAzureAppConfigu
 
         var configureInfrastructure = (AzureResourceInfrastructure infrastructure) =>
         {
+            var azureResource = (AzureAppConfigurationResource)infrastructure.AspireResource;
+
+            // Check if this App Configuration has a private endpoint (via annotation)
+            var hasPrivateEndpoint = azureResource.HasAnnotationOfType<PrivateEndpointTargetAnnotation>();
+
             var store = AzureProvisioningResource.CreateExistingOrNewProvisionableResource(infrastructure,
                 (identifier, name) =>
                 {
                     var resource = AppConfigurationStore.FromExisting(identifier);
                     resource.Name = name;
                     return resource;
                 },
-                (infrastructure) => new AppConfigurationStore(infrastructure.AspireResource.GetBicepIdentifier())
+                (infrastructure) =>
                 {
-                    SkuName = "standard",
-                    DisableLocalAuth = true,
-                    Tags = { { "aspire-resource-name", infrastructure.AspireResource.Name } }
+                    var appConfig = new AppConfigurationStore(infrastructure.AspireResource.GetBicepIdentifier())
+                    {
+                        SkuName = "standard",
+                        DisableLocalAuth = true,
+                        Tags = { { "aspire-resource-name", infrastructure.AspireResource.Name } }
+                    };
+
+                    // When using private endpoints, disable public network access.
+                    if (hasPrivateEndpoint)
+                    {
+                        appConfig.PublicNetworkAccess = AppConfigurationPublicNetworkAccess.Disabled;
+                    }
+
+                    return appConfig;
                 });
 
             infrastructure.Add(new ProvisioningOutput("appConfigEndpoint", typeof(string)) { Value = store.Endpoint.ToBicepExpression() });
 
             // We need to output name to externalize role assignments.
             infrastructure.Add(new ProvisioningOutput("name", typeof(string)) { Value = store.Name.ToBicepExpression() });
+
+            // Output the resource id for private endpoint support.
+            infrastructure.Add(new ProvisioningOutput("id", typeof(string)) { Value = store.Id.ToBicepExpression() });
         };
 
         var resource = new AzureAppConfigurationResource(name, configureInfrastructure);

diff --git a/src/Aspire.Hosting.Azure.AppConfiguration/AzureAppConfigurationResource.cs b/src/Aspire.Hosting.Azure.AppConfiguration/AzureAppConfigurationResource.cs
@@ -1,6 +1,8 @@
 // Licensed to the .NET Foundation under one or more agreements.
 // The .NET Foundation licenses this file to you under the MIT license.
 
+#pragma warning disable ASPIREAZURE003 // Type is for evaluation purposes only and is subject to change or removal in future updates. Suppress this diagnostic to proceed.
+
 using Aspire.Hosting.ApplicationModel;
 using Azure.Provisioning.AppConfiguration;
 using Azure.Provisioning.Primitives;
@@ -14,7 +16,7 @@ namespace Aspire.Hosting.Azure;
 /// <param name="configureInfrastructure">Callback to configure the Azure resources.</param>
 public class AzureAppConfigurationResource(string name, Action<AzureResourceInfrastructure> configureInfrastructure)
     : AzureProvisioningResource(name, configureInfrastructure),
-    IResourceWithConnectionString, IResourceWithEndpoints
+    IResourceWithConnectionString, IResourceWithEndpoints, IAzurePrivateEndpointTarget
 {
     private EndpointReference EmulatorEndpoint => new(this, "emulator");
 
@@ -33,6 +35,11 @@ public class AzureAppConfigurationResource(string name, Action<AzureResourceInfr
     /// </summary>
     public BicepOutputReference NameOutputReference => new("name", this);
 
+    /// <summary>
+    /// Gets the "id" output reference for the resource.
+    /// </summary>
+    public BicepOutputReference Id => new("id", this);
+
     /// <summary>
     /// Gets the connection string template for the manifest for the Azure App Configuration resource.
     /// </summary>
@@ -69,4 +76,10 @@ public override ProvisionableResource AddAsExistingResource(AzureResourceInfrast
         infra.Add(store);
         return store;
     }
+
+    BicepOutputReference IAzurePrivateEndpointTarget.Id => Id;
+
+    IEnumerable<string> IAzurePrivateEndpointTarget.GetPrivateLinkGroupIds() => ["configurationStores"];
+
+    string IAzurePrivateEndpointTarget.GetPrivateDnsZoneName() => "privatelink.azconfig.io";
 }
diff --git a/src/Aspire.Hosting.Azure.CosmosDB/AzureCosmosDBExtensions.cs b/src/Aspire.Hosting.Azure.CosmosDB/AzureCosmosDBExtensions.cs
@@ -1,6 +1,8 @@
 // Licensed to the .NET Foundation under one or more agreements.
 // The .NET Foundation licenses this file to you under the MIT license.
 
+#pragma warning disable ASPIREAZURE003 // Type is for evaluation purposes only and is subject to change or removal in future updates. Suppress this diagnostic to proceed.
+
 using System.Diagnostics.CodeAnalysis;
 using System.Globalization;
 using Aspire.Hosting;
@@ -454,35 +456,49 @@ private static void ConfigureCosmosDBInfrastructure(AzureResourceInfrastructure
         var azureResource = (AzureCosmosDBResource)infrastructure.AspireResource;
         bool disableLocalAuth = !azureResource.UseAccessKeyAuthentication;
 
+        // Check if this CosmosDB has a private endpoint (via annotation)
+        var hasPrivateEndpoint = azureResource.HasAnnotationOfType<PrivateEndpointTargetAnnotation>();
+
         var cosmosAccount = AzureProvisioningResource.CreateExistingOrNewProvisionableResource(infrastructure,
             (identifier, name) =>
             {
                 var resource = CosmosDBAccount.FromExisting(identifier);
                 resource.Name = name;
                 return resource;
             },
-            (infrastructure) => new CosmosDBAccount(infrastructure.AspireResource.GetBicepIdentifier())
+            (infrastructure) =>
             {
-                Kind = CosmosDBAccountKind.GlobalDocumentDB,
-                Capabilities = azureResource.UseDefaultAzureSku ? [] : new BicepList<CosmosDBAccountCapability>
-                {
-                    new CosmosDBAccountCapability { Name = CosmosConstants.EnableServerlessCapability }
-                },
-                ConsistencyPolicy = new ConsistencyPolicy()
-                {
-                    DefaultConsistencyLevel = DefaultConsistencyLevel.Session
-                },
-                DatabaseAccountOfferType = CosmosDBAccountOfferType.Standard,
-                Locations =
+                var account = new CosmosDBAccount(infrastructure.AspireResource.GetBicepIdentifier())
                 {
-                    new CosmosDBAccountLocation
+                    Kind = CosmosDBAccountKind.GlobalDocumentDB,
+                    Capabilities = azureResource.UseDefaultAzureSku ? [] : new BicepList<CosmosDBAccountCapability>
                     {
-                        LocationName = new IdentifierExpression("location"),
-                        FailoverPriority = 0
-                    }
-                },
-                DisableLocalAuth = disableLocalAuth,
-                Tags = { { "aspire-resource-name", infrastructure.AspireResource.Name } }
+                        new CosmosDBAccountCapability { Name = CosmosConstants.EnableServerlessCapability }
+                    },
+                    ConsistencyPolicy = new ConsistencyPolicy()
+                    {
+                        DefaultConsistencyLevel = DefaultConsistencyLevel.Session
+                    },
+                    DatabaseAccountOfferType = CosmosDBAccountOfferType.Standard,
+                    Locations =
+                    {
+                        new CosmosDBAccountLocation
+                        {
+                            LocationName = new IdentifierExpression("location"),
+                            FailoverPriority = 0
+                        }
+                    },
+                    DisableLocalAuth = disableLocalAuth,
+                    Tags = { { "aspire-resource-name", infrastructure.AspireResource.Name } }
+                };
+
+                // When using private endpoints, disable public network access.
+                if (hasPrivateEndpoint)
+                {
+                    account.PublicNetworkAccess = CosmosDBPublicNetworkAccess.Disabled;
+                }
+
+                return account;
             });
 
         foreach (var database in azureResource.Databases)
@@ -594,6 +610,9 @@ private static void ConfigureCosmosDBInfrastructure(AzureResourceInfrastructure
 
         // We need to output name to externalize role assignments.
         infrastructure.Add(new ProvisioningOutput("name", typeof(string)) { Value = cosmosAccount.Name.ToBicepExpression() });
+
+        // Output the resource id for private endpoint support.
+        infrastructure.Add(new ProvisioningOutput("id", typeof(string)) { Value = cosmosAccount.Id.ToBicepExpression() });
     }
 
     internal static void AddContributorRoleAssignment(AzureResourceInfrastructure infra, CosmosDBAccount cosmosAccount, BicepValue<Guid> principalId)

diff --git a/src/Aspire.Hosting.Azure.CosmosDB/AzureCosmosDBResource.cs b/src/Aspire.Hosting.Azure.CosmosDB/AzureCosmosDBResource.cs
@@ -1,6 +1,8 @@
 // Licensed to the .NET Foundation under one or more agreements.
 // The .NET Foundation licenses this file to you under the MIT license.
 
+#pragma warning disable ASPIREAZURE003 // Type is for evaluation purposes only and is subject to change or removal in future updates. Suppress this diagnostic to proceed.
+
 using System.Diagnostics;
 using System.Diagnostics.CodeAnalysis;
 using Aspire.Hosting.ApplicationModel;
@@ -18,7 +20,8 @@ public class AzureCosmosDBResource(string name, Action<AzureResourceInfrastructu
     : AzureProvisioningResource(name, configureInfrastructure),
     IResourceWithConnectionString,
     IResourceWithEndpoints,
-    IResourceWithAzureFunctionsConfig
+    IResourceWithAzureFunctionsConfig,
+    IAzurePrivateEndpointTarget
 {
     internal List<AzureCosmosDBDatabaseResource> Databases { get; } = [];
 
@@ -66,6 +69,11 @@ public class AzureCosmosDBResource(string name, Action<AzureResourceInfrastructu
     /// </summary>
     public BicepOutputReference NameOutputReference => new("name", this);
 
+    /// <summary>
+    /// Gets the "id" output reference for the resource.
+    /// </summary>
+    public BicepOutputReference Id => new("id", this);
+
     /// <summary>
     /// Gets a value indicating whether the resource uses access key authentication.
     /// </summary>
@@ -251,4 +259,10 @@ IEnumerable<KeyValuePair<string, ReferenceExpression>> IResourceWithConnectionSt
             yield return new("ConnectionString", ConnectionStringExpression);
         }
     }
+
+    BicepOutputReference IAzurePrivateEndpointTarget.Id => Id;
+
+    IEnumerable<string> IAzurePrivateEndpointTarget.GetPrivateLinkGroupIds() => ["Sql"];
+
+    string IAzurePrivateEndpointTarget.GetPrivateDnsZoneName() => "privatelink.documents.azure.com";
 }
diff --git a/src/Aspire.Hosting.Azure.EventHubs/AzureEventHubsExtensions.cs b/src/Aspire.Hosting.Azure.EventHubs/AzureEventHubsExtensions.cs
@@ -1,6 +1,8 @@
 // Licensed to the .NET Foundation under one or more agreements.
 // The .NET Foundation licenses this file to you under the MIT license.
 
+#pragma warning disable ASPIREAZURE003 // Type is for evaluation purposes only and is subject to change or removal in future updates. Suppress this diagnostic to proceed.
+
 using System.Text;
 using System.Text.Json;
 using System.Text.Json.Nodes;
@@ -45,6 +47,11 @@ public static IResourceBuilder<AzureEventHubsResource> AddAzureEventHubs(
 
         var configureInfrastructure = static (AzureResourceInfrastructure infrastructure) =>
         {
+            var azureResource = (AzureEventHubsResource)infrastructure.AspireResource;
+
+            // Check if this Event Hubs has a private endpoint (via annotation)
+            var hasPrivateEndpoint = azureResource.HasAnnotationOfType<PrivateEndpointTargetAnnotation>();
+
             var eventHubsNamespace = AzureProvisioningResource.CreateExistingOrNewProvisionableResource(infrastructure,
                 (identifier, name) =>
                 {
@@ -67,6 +74,10 @@ public static IResourceBuilder<AzureEventHubsResource> AddAzureEventHubs(
                         {
                             Name = skuParameter
                         },
+                        // When using private endpoints, disable public network access.
+                        PublicNetworkAccess = hasPrivateEndpoint
+                            ? AzureProvisioning.EventHubsPublicNetworkAccess.Disabled
+                            : AzureProvisioning.EventHubsPublicNetworkAccess.Enabled,
                         Tags = { { "aspire-resource-name", infrastructure.AspireResource.Name } }
                     };
                     return resource;
@@ -92,7 +103,8 @@ public static IResourceBuilder<AzureEventHubsResource> AddAzureEventHubs(
             // We need to output name to externalize role assignments.
             infrastructure.Add(new ProvisioningOutput("name", typeof(string)) { Value = eventHubsNamespace.Name.ToBicepExpression() });
 
-            var azureResource = (AzureEventHubsResource)infrastructure.AspireResource;
+            // Output the resource id for private endpoint support.
+            infrastructure.Add(new ProvisioningOutput("id", typeof(string)) { Value = eventHubsNamespace.Id.ToBicepExpression() });
 
             foreach (var hub in azureResource.Hubs)
             {

diff --git a/src/Aspire.Hosting.Azure.EventHubs/AzureEventHubsResource.cs b/src/Aspire.Hosting.Azure.EventHubs/AzureEventHubsResource.cs
@@ -1,6 +1,8 @@
 // Licensed to the .NET Foundation under one or more agreements.
 // The .NET Foundation licenses this file to you under the MIT license.
 
+#pragma warning disable ASPIREAZURE003 // Type is for evaluation purposes only and is subject to change or removal in future updates. Suppress this diagnostic to proceed.
+
 using Aspire.Hosting.ApplicationModel;
 using Azure.Provisioning.EventHubs;
 using Azure.Provisioning.Primitives;
@@ -13,7 +15,7 @@ namespace Aspire.Hosting.Azure;
 /// <param name="name">The name of the resource.</param>
 /// <param name="configureInfrastructure">Callback to configure the Azure Event Hubs resource.</param>
 public class AzureEventHubsResource(string name, Action<AzureResourceInfrastructure> configureInfrastructure)
-    : AzureProvisioningResource(name, configureInfrastructure), IResourceWithConnectionString, IResourceWithEndpoints, IResourceWithAzureFunctionsConfig
+    : AzureProvisioningResource(name, configureInfrastructure), IResourceWithConnectionString, IResourceWithEndpoints, IResourceWithAzureFunctionsConfig, IAzurePrivateEndpointTarget
 {
     private static readonly string[] s_eventHubClientNames =
     [
@@ -43,6 +45,11 @@ public class AzureEventHubsResource(string name, Action<AzureResourceInfrastruct
     /// </summary>
     public BicepOutputReference NameOutputReference => new("name", this);
 
+    /// <summary>
+    /// Gets the "id" output reference for the resource.
+    /// </summary>
+    public BicepOutputReference Id => new("id", this);
+
     internal EndpointReference EmulatorEndpoint => new(this, "emulator");
 
     /// <summary>
@@ -205,4 +212,10 @@ IEnumerable<KeyValuePair<string, ReferenceExpression>> IResourceWithConnectionSt
             yield return new("ConnectionString", ReferenceExpression.Create($"Endpoint={EmulatorEndpoint.Property(EndpointProperty.HostAndPort)};SharedAccessKeyName=RootManageSharedAccessKey;SharedAccessKey=SAS_KEY_VALUE;UseDevelopmentEmulator=true"));
         }
     }
+
+    BicepOutputReference IAzurePrivateEndpointTarget.Id => Id;
+
+    IEnumerable<string> IAzurePrivateEndpointTarget.GetPrivateLinkGroupIds() => ["namespace"];
+
+    string IAzurePrivateEndpointTarget.GetPrivateDnsZoneName() => "privatelink.servicebus.windows.net";
 }
diff --git a/src/Aspire.Hosting.Azure.KeyVault/AzureKeyVaultResource.cs b/src/Aspire.Hosting.Azure.KeyVault/AzureKeyVaultResource.cs
@@ -1,6 +1,8 @@
 // Licensed to the .NET Foundation under one or more agreements.
 // The .NET Foundation licenses this file to you under the MIT license.
 
+#pragma warning disable ASPIREAZURE003 // Type is for evaluation purposes only and is subject to change or removal in future updates. Suppress this diagnostic to proceed.
+
 using Aspire.Hosting.ApplicationModel;
 using Azure.Provisioning.KeyVault;
 using Azure.Provisioning.Primitives;
@@ -13,7 +15,7 @@ namespace Aspire.Hosting.Azure;
 /// <param name="name">The name of the resource.</param>
 /// <param name="configureInfrastructure">Callback to configure the Azure resources.</param>
 public class AzureKeyVaultResource(string name, Action<AzureResourceInfrastructure> configureInfrastructure)
-    : AzureProvisioningResource(name, configureInfrastructure), IResourceWithEndpoints, IResourceWithConnectionString, IAzureKeyVaultResource
+    : AzureProvisioningResource(name, configureInfrastructure), IResourceWithEndpoints, IResourceWithConnectionString, IAzureKeyVaultResource, IAzurePrivateEndpointTarget
 {
     /// <summary>
     /// The secrets for this Key Vault.
@@ -29,6 +31,11 @@ public class AzureKeyVaultResource(string name, Action<AzureResourceInfrastructu
     /// </summary>
     public BicepOutputReference NameOutputReference => new("name", this);
 
+    /// <summary>
+    /// Gets the "id" output reference for the Azure Key Vault resource.
+    /// </summary>
+    public BicepOutputReference Id => new("id", this);
+
     /// <summary>
     /// Gets a value indicating whether the Azure Key Vault resource is running in the local emulator.
     /// </summary>
@@ -139,4 +146,10 @@ IEnumerable<KeyValuePair<string, ReferenceExpression>> IResourceWithConnectionSt
     {
         yield return new("Uri", UriExpression);
     }
+
+    BicepOutputReference IAzurePrivateEndpointTarget.Id => Id;
+
+    IEnumerable<string> IAzurePrivateEndpointTarget.GetPrivateLinkGroupIds() => ["vault"];
+
+    string IAzurePrivateEndpointTarget.GetPrivateDnsZoneName() => "privatelink.vaultcore.azure.net";
 }