mongodb · christineschen · Apr 4, 2026 · Apr 6, 2026 · Apr 6, 2026 · Apr 13, 2026
@@ -0,0 +1,11 @@
+```release-note:enhancement
+data-source/mongodbatlas_stream_privatelink_endpoint: Adds `AZURE_BLOB_STORAGE` as a vendor type for AZURE provider
+```
+
+```release-note:enhancement
+data-source/mongodbatlas_stream_privatelink_endpoints: Adds `AZURE_BLOB_STORAGE` as a vendor type for AZURE provider
+```
+
+```release-note:enhancement
+resource/mongodbatlas_stream_privatelink_endpoint: Adds `AZURE_BLOB_STORAGE` as a vendor type for AZURE provider
+```
@@ -341,6 +341,45 @@ output "dns_domain" {
 }
 ```
 
+### Azure Blob Storage Privatelink
+
+~> **NOTE:** An Azure cluster must be provisioned in the same region before creating an Azure Blob Storage private endpoint.
+
+```terraform
+resource "mongodbatlas_advanced_cluster" "cluster" {
+  project_id   = var.project_id
+  name         = var.cluster_name
+  cluster_type = "REPLICASET"
+  replication_specs = [{
+    region_configs = [{
+      priority      = 7
+      provider_name = "AZURE"
+      region_name   = "US_EAST_2"
+      electable_specs = {
+        instance_size = "M10"
+        node_count    = 3
+      }
+    }]
+  }]
+}
+
+resource "mongodbatlas_stream_privatelink_endpoint" "this" {
+  project_id    = var.project_id
+  vendor        = "AZURE_BLOB_STORAGE"
+  provider_name = "AZURE"
+  region        = var.atlas_region
+  # dns_domain follows the format `{storageAccount}.blob.core.windows.net`
+  dns_domain = "${var.storage_account_name}.blob.core.windows.net"
+  # service_endpoint_id follows the format `/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Storage/storageAccounts/{storageAccount}`
+  service_endpoint_id = "/subscriptions/${data.azurerm_client_config.current.subscription_id}/resourceGroups/${var.azure_resource_group}/providers/Microsoft.Storage/storageAccounts/${var.storage_account_name}"
+  depends_on          = [mongodbatlas_advanced_cluster.cluster, azurerm_private_endpoint.blob_endpoint]
+}
+
+output "privatelink_endpoint_id" {
+  value = mongodbatlas_stream_privatelink_endpoint.this.id
+}
+```
+
 <!-- schema generated by tfplugindocs -->
 ## Schema
 
@@ -358,6 +397,8 @@ output "dns_domain" {
 
 	* AZURE provider with EVENTHUB or CONFLUENT vendor.
 
+	* AZURE provider with AZURE_BLOB_STORAGE vendor. This should follow the format `{storageAccount}.blob.core.windows.net`.
+
 	* For GCP provider with PUBSUB vendor, the API computes this process.
 - `dns_sub_domain` (List of String) Sub-Domain name of Confluent cluster. These are typically your availability zones. Required for AWS Provider and CONFLUENT vendor. If your AWS CONFLUENT cluster doesn't use subdomains, you must set this to the empty array [].
 - `error_message` (String) Error message if the connection is in a failed state.
@@ -367,13 +408,13 @@ output "dns_domain" {
 - `provider_name` (String) Provider where the endpoint is deployed. Valid values are AWS, AZURE, and GCP.
 - `region` (String) The region of the Provider’s cluster. See [AZURE](https://www.mongodb.com/docs/atlas/reference/microsoft-azure/#stream-processing-instances) and [AWS](https://www.mongodb.com/docs/atlas/reference/amazon-aws/#stream-processing-instances) supported regions. When the vendor is `CONFLUENT`, this is the domain name of Confluent cluster. When the vendor is `MSK`, this is computed by the API from the provided `arn`.
 - `service_attachment_uris` (List of String) List of GCP service attachment URIs for Confluent vendor. Required for GCP provider with CONFLUENT vendor.
-- `service_endpoint_id` (String) For AZURE EVENTHUB, this is the [namespace endpoint ID](https://learn.microsoft.com/en-us/rest/api/eventhub/namespaces/get). For AWS CONFLUENT cluster, this is the [VPC Endpoint service name](https://docs.confluent.io/cloud/current/networking/private-links/aws-privatelink.html).
+- `service_endpoint_id` (String) For AZURE EVENTHUB, this is the [namespace endpoint ID](https://learn.microsoft.com/en-us/rest/api/eventhub/namespaces/get). For AWS CONFLUENT cluster, this is the [VPC Endpoint service name](https://docs.confluent.io/cloud/current/networking/private-links/aws-privatelink.html). For AZURE_BLOB_STORAGE, this is the Azure Resource Manager path of the storage account in the format `/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Storage/storageAccounts/{storageAccount}`.
 - `state` (String) Status of the connection.
 - `vendor` (String) Vendor that manages the endpoint. The following are the vendor values per provider:
 
 	* **AWS**: MSK, CONFLUENT, and S3
 
-	* **Azure**: EVENTHUB and CONFLUENT
+	* **Azure**: EVENTHUB, CONFLUENT, and AZURE_BLOB_STORAGE
 
 	* **GCP**: CONFLUENT and PUBSUB
 

@@ -341,6 +341,45 @@ output "dns_domain" {
 }
 ```
 
+### Azure Blob Storage Privatelink
+
+~> **NOTE:** An Azure cluster must be provisioned in the same region before creating an Azure Blob Storage private endpoint.
+
+```terraform
+resource "mongodbatlas_advanced_cluster" "cluster" {
+  project_id   = var.project_id
+  name         = var.cluster_name
+  cluster_type = "REPLICASET"
+  replication_specs = [{
+    region_configs = [{
+      priority      = 7
+      provider_name = "AZURE"
+      region_name   = "US_EAST_2"
+      electable_specs = {
+        instance_size = "M10"
+        node_count    = 3
+      }
+    }]
+  }]
+}
+
+resource "mongodbatlas_stream_privatelink_endpoint" "this" {
+  project_id    = var.project_id
+  vendor        = "AZURE_BLOB_STORAGE"
+  provider_name = "AZURE"
+  region        = var.atlas_region
+  # dns_domain follows the format `{storageAccount}.blob.core.windows.net`
+  dns_domain = "${var.storage_account_name}.blob.core.windows.net"
+  # service_endpoint_id follows the format `/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Storage/storageAccounts/{storageAccount}`
+  service_endpoint_id = "/subscriptions/${data.azurerm_client_config.current.subscription_id}/resourceGroups/${var.azure_resource_group}/providers/Microsoft.Storage/storageAccounts/${var.storage_account_name}"
+  depends_on          = [mongodbatlas_advanced_cluster.cluster, azurerm_private_endpoint.blob_endpoint]
+}
+
+output "privatelink_endpoint_id" {
+  value = mongodbatlas_stream_privatelink_endpoint.this.id
+}
+```
+
 <!-- schema generated by tfplugindocs -->
 ## Schema
 
@@ -364,6 +403,8 @@ Read-Only:
 
 	* AZURE provider with EVENTHUB or CONFLUENT vendor.
 
+	* AZURE provider with AZURE_BLOB_STORAGE vendor. This should follow the format `{storageAccount}.blob.core.windows.net`.
+
 	* For GCP provider with PUBSUB vendor, the API computes this process.
 - `dns_sub_domain` (List of String) Sub-Domain name of Confluent cluster. These are typically your availability zones. Required for AWS Provider and CONFLUENT vendor. If your AWS CONFLUENT cluster doesn't use subdomains, you must set this to the empty array [].
 - `error_message` (String) Error message if the connection is in a failed state.
@@ -375,13 +416,13 @@ Read-Only:
 - `provider_name` (String) Provider where the endpoint is deployed. Valid values are AWS, AZURE, and GCP.
 - `region` (String) The region of the Provider’s cluster. See [AZURE](https://www.mongodb.com/docs/atlas/reference/microsoft-azure/#stream-processing-instances) and [AWS](https://www.mongodb.com/docs/atlas/reference/amazon-aws/#stream-processing-instances) supported regions. When the vendor is `CONFLUENT`, this is the domain name of Confluent cluster. When the vendor is `MSK`, this is computed by the API from the provided `arn`.
 - `service_attachment_uris` (List of String) List of GCP service attachment URIs for Confluent vendor. Required for GCP provider with CONFLUENT vendor.
-- `service_endpoint_id` (String) For AZURE EVENTHUB, this is the [namespace endpoint ID](https://learn.microsoft.com/en-us/rest/api/eventhub/namespaces/get). For AWS CONFLUENT cluster, this is the [VPC Endpoint service name](https://docs.confluent.io/cloud/current/networking/private-links/aws-privatelink.html).
+- `service_endpoint_id` (String) For AZURE EVENTHUB, this is the [namespace endpoint ID](https://learn.microsoft.com/en-us/rest/api/eventhub/namespaces/get). For AWS CONFLUENT cluster, this is the [VPC Endpoint service name](https://docs.confluent.io/cloud/current/networking/private-links/aws-privatelink.html). For AZURE_BLOB_STORAGE, this is the Azure Resource Manager path of the storage account in the format `/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Storage/storageAccounts/{storageAccount}`.
 - `state` (String) Status of the connection.
 - `vendor` (String) Vendor that manages the endpoint. The following are the vendor values per provider:
 
 	* **AWS**: MSK, CONFLUENT, and S3
 
-	* **Azure**: EVENTHUB and CONFLUENT
+	* **Azure**: EVENTHUB, CONFLUENT, and AZURE_BLOB_STORAGE
 
 	* **GCP**: CONFLUENT and PUBSUB
 

@@ -210,6 +210,30 @@ resource "mongodbatlas_stream_connection" "example_gcp_pubsub_psc" {
 }
 ```
 
+### Example Azure Blob Storage Connection with Private Link
+
+~> **NOTE:** An Azure cluster must be provisioned in the same region before creating an Azure Blob Storage private endpoint.
+
+```terraform
+resource "mongodbatlas_stream_connection" "example_azure_blob_private_link" {
+    project_id      = var.project_id
+    workspace_name  = mongodbatlas_stream_workspace.example.workspace_name
+    connection_name = "AzureBlobStoragePLConnection"
+    type            = "AzureBlobStorage"
+    azure = {
+      service_principal_id = "<AZURE_SERVICE_PRINCIPAL_ID>"
+      storage_account_name = "<AZURE_STORAGE_ACCOUNT_NAME>"
+      region               = "<AZURE_REGION>"
+    }
+    networking = {
+      access = {
+        type          = "PRIVATE_LINK"
+        connection_id = mongodbatlas_stream_privatelink_endpoint.azure_blob.id
+      }
+    }
+}
+```
+
 ### Example Https Connection
 
 ```terraform

@@ -344,6 +344,45 @@ output "dns_domain" {
 }
 ```
 
+### Azure Blob Storage Privatelink
+
+~> **NOTE:** An Azure cluster must be provisioned in the same region before creating an Azure Blob Storage private endpoint.
+
+```terraform
+resource "mongodbatlas_advanced_cluster" "cluster" {
+  project_id   = var.project_id
+  name         = var.cluster_name
+  cluster_type = "REPLICASET"
+  replication_specs = [{
+    region_configs = [{
+      priority      = 7
+      provider_name = "AZURE"
+      region_name   = "US_EAST_2"
+      electable_specs = {
+        instance_size = "M10"
+        node_count    = 3
+      }
+    }]
+  }]
+}
+
+resource "mongodbatlas_stream_privatelink_endpoint" "this" {
+  project_id    = var.project_id
+  vendor        = "AZURE_BLOB_STORAGE"
+  provider_name = "AZURE"
+  region        = var.atlas_region
+  # dns_domain follows the format `{storageAccount}.blob.core.windows.net`
+  dns_domain = "${var.storage_account_name}.blob.core.windows.net"
+  # service_endpoint_id follows the format `/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Storage/storageAccounts/{storageAccount}`
+  service_endpoint_id = "/subscriptions/${data.azurerm_client_config.current.subscription_id}/resourceGroups/${var.azure_resource_group}/providers/Microsoft.Storage/storageAccounts/${var.storage_account_name}"
+  depends_on          = [mongodbatlas_advanced_cluster.cluster, azurerm_private_endpoint.blob_endpoint]
+}
+
+output "privatelink_endpoint_id" {
+  value = mongodbatlas_stream_privatelink_endpoint.this.id
+}
+```
+
 ### Further Examples
 - [AWS Confluent PrivateLink](https://github.com/mongodb/terraform-provider-mongodbatlas/tree/v2.11.0/examples/mongodbatlas_stream_privatelink_endpoint/confluent_serverless)
 - [Confluent Dedicated Cluster](https://github.com/mongodb/terraform-provider-mongodbatlas/tree/v2.11.0/examples/mongodbatlas_stream_privatelink_endpoint/confluent_dedicated_cluster)
@@ -352,6 +391,7 @@ output "dns_domain" {
 - [GCP Confluent PrivateLink](https://github.com/mongodb/terraform-provider-mongodbatlas/tree/v2.11.0/examples/mongodbatlas_stream_privatelink_endpoint/gcp_confluent)
 - [GCP Pub/Sub Private Service Connect](https://github.com/mongodb/terraform-provider-mongodbatlas/tree/v2.11.0/examples/mongodbatlas_stream_privatelink_endpoint/gcp_pubsub)
 - [Azure PrivateLink](https://github.com/mongodb/terraform-provider-mongodbatlas/tree/v2.11.0/examples/mongodbatlas_stream_privatelink_endpoint/azure)
+- [Azure Blob Storage PrivateLink](https://github.com/mongodb/terraform-provider-mongodbatlas/tree/v2.11.0/examples/mongodbatlas_stream_privatelink_endpoint/azure_blob_storage)
 
 <!-- schema generated by tfplugindocs -->
 ## Schema
@@ -364,7 +404,7 @@ output "dns_domain" {
 
 	* **AWS**: MSK, CONFLUENT, and S3
 
-	* **Azure**: EVENTHUB and CONFLUENT
+	* **Azure**: EVENTHUB, CONFLUENT, and AZURE_BLOB_STORAGE
 
 	* **GCP**: CONFLUENT and PUBSUB
 
@@ -377,11 +417,13 @@ output "dns_domain" {
 
 	* AZURE provider with EVENTHUB or CONFLUENT vendor.
 
+	* AZURE provider with AZURE_BLOB_STORAGE vendor. This should follow the format `{storageAccount}.blob.core.windows.net`.
+
 	* For GCP provider with PUBSUB vendor, the API computes this process.
 - `dns_sub_domain` (List of String) Sub-Domain name of Confluent cluster. These are typically your availability zones. Required for AWS Provider and CONFLUENT vendor. If your AWS CONFLUENT cluster doesn't use subdomains, you must set this to the empty array [].
 - `region` (String) The region of the Provider’s cluster. See [AZURE](https://www.mongodb.com/docs/atlas/reference/microsoft-azure/#stream-processing-instances) and [AWS](https://www.mongodb.com/docs/atlas/reference/amazon-aws/#stream-processing-instances) supported regions. When the vendor is `CONFLUENT`, this is the domain name of Confluent cluster. When the vendor is `MSK`, this is computed by the API from the provided `arn`.
 - `service_attachment_uris` (List of String) List of GCP service attachment URIs for Confluent vendor. Required for GCP provider with CONFLUENT vendor.
-- `service_endpoint_id` (String) For AZURE EVENTHUB, this is the [namespace endpoint ID](https://learn.microsoft.com/en-us/rest/api/eventhub/namespaces/get). For AWS CONFLUENT cluster, this is the [VPC Endpoint service name](https://docs.confluent.io/cloud/current/networking/private-links/aws-privatelink.html).
+- `service_endpoint_id` (String) For AZURE EVENTHUB, this is the [namespace endpoint ID](https://learn.microsoft.com/en-us/rest/api/eventhub/namespaces/get). For AWS CONFLUENT cluster, this is the [VPC Endpoint service name](https://docs.confluent.io/cloud/current/networking/private-links/aws-privatelink.html). For AZURE_BLOB_STORAGE, this is the Azure Resource Manager path of the storage account in the format `/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Storage/storageAccounts/{storageAccount}`.
 
 ### Read-Only
 

@@ -0,0 +1,63 @@
+resource "azurerm_resource_group" "rg" {
+  name     = var.azure_resource_group
+  location = var.azure_region
+}
+
+resource "azurerm_virtual_network" "vnet" {
+  name                = var.vnet_name
+  address_space       = var.vnet_address_space
+  location            = azurerm_resource_group.rg.location
+  resource_group_name = azurerm_resource_group.rg.name
+}
+
+resource "azurerm_subnet" "subnet" {
+  name                 = var.subnet_name
+  resource_group_name  = azurerm_resource_group.rg.name
+  virtual_network_name = azurerm_virtual_network.vnet.name
+  address_prefixes     = var.subnet_address_prefix
+}
+
+resource "azurerm_storage_account" "storage" {
+  name                     = var.storage_account_name
+  resource_group_name      = azurerm_resource_group.rg.name
+  location                 = azurerm_resource_group.rg.location
+  account_tier             = "Standard"
+  account_replication_type = "LRS"
+  # Disable public access so all traffic goes through the private endpoint
+  public_network_access_enabled = false
+}
+
+resource "azurerm_private_dns_zone" "dns_zone" {
+  name                = "privatelink.blob.core.windows.net"
+  resource_group_name = azurerm_resource_group.rg.name
+}
+
+resource "azurerm_private_dns_zone_virtual_network_link" "dns_zone_link" {
+  name                  = "${var.vnet_name}-dns-link"
+  resource_group_name   = azurerm_resource_group.rg.name
+  private_dns_zone_name = azurerm_private_dns_zone.dns_zone.name
+  virtual_network_id    = azurerm_virtual_network.vnet.id
+}
+
+resource "azurerm_private_endpoint" "blob_endpoint" {
+  name                = "pe-${var.storage_account_name}"
+  location            = azurerm_resource_group.rg.location
+  resource_group_name = azurerm_resource_group.rg.name
+  subnet_id           = azurerm_subnet.subnet.id
+
+  private_service_connection {
+    name                           = "psc-${var.storage_account_name}"
+    is_manual_connection           = false
+    private_connection_resource_id = azurerm_storage_account.storage.id
+    subresource_names              = ["blob"]
+  }
+
+  private_dns_zone_group {
+    name                 = "default-dns-group"
+    private_dns_zone_ids = [azurerm_private_dns_zone.dns_zone.id]
+  }
+
+  depends_on = [azurerm_private_dns_zone_virtual_network_link.dns_zone_link]
+}
+
+data "azurerm_client_config" "current" {}
@@ -0,0 +1,32 @@
+resource "mongodbatlas_advanced_cluster" "cluster" {
+  project_id   = var.project_id
+  name         = var.cluster_name
+  cluster_type = "REPLICASET"
+  replication_specs = [{
+    region_configs = [{
+      priority      = 7
+      provider_name = "AZURE"
+      region_name   = "US_EAST_2"
+      electable_specs = {
+        instance_size = "M10"
+        node_count    = 3
+      }
+    }]
+  }]
+}
+
+resource "mongodbatlas_stream_privatelink_endpoint" "this" {
+  project_id    = var.project_id
+  vendor        = "AZURE_BLOB_STORAGE"
+  provider_name = "AZURE"
+  region        = var.atlas_region
+  # dns_domain follows the format `{storageAccount}.blob.core.windows.net`
+  dns_domain = "${var.storage_account_name}.blob.core.windows.net"
+  # service_endpoint_id follows the format `/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Storage/storageAccounts/{storageAccount}`
+  service_endpoint_id = "/subscriptions/${data.azurerm_client_config.current.subscription_id}/resourceGroups/${var.azure_resource_group}/providers/Microsoft.Storage/storageAccounts/${var.storage_account_name}"
+  depends_on          = [mongodbatlas_advanced_cluster.cluster, azurerm_private_endpoint.blob_endpoint]
+}
+
+output "privatelink_endpoint_id" {
+  value = mongodbatlas_stream_privatelink_endpoint.this.id
+}
@@ -0,0 +1,9 @@
+provider "azurerm" {
+  features {}
+  # assumes Azure CLI login ('az login') or other standard auth
+}
+
+provider "mongodbatlas" {
+  client_id     = var.atlas_client_id
+  client_secret = var.atlas_client_secret
+}