Resolve #386 & #330 (#398)

infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep

@@ -111,57 +111,70 @@ param parPrivateDnsZonesResourceGroup string = resourceGroup().name
 
 @description('Array of DNS Zones to provision in Hub Virtual Network. Default: All known Azure Private DNS Zones')
 param parPrivateDnsZones array = [
+  'privatelink.${toLower(parLocation)}.azmk8s.io'
+  'privatelink.${toLower(parLocation)}.batch.azure.com'
+  'privatelink.${toLower(parLocation)}.kusto.windows.net'
+  'privatelink.adf.azure.com'
+  'privatelink.afs.azure.net'
+  'privatelink.agentsvc.azure-automation.net'
+  'privatelink.analysis.windows.net'
+  'privatelink.api.azureml.ms'
+  'privatelink.azconfig.io'
+  'privatelink.azure-api.net'
   'privatelink.azure-automation.net'
-  'privatelink.database.windows.net'
-  'privatelink.sql.azuresynapse.net'
-  'privatelink.dev.azuresynapse.net'
+  'privatelink.azurecr.io'
+  'privatelink.azure-devices.net'
+  'privatelink.azurehdinsight.net'
+  'privatelink.azurehealthcareapis.com'
+  'privatelink.azurestaticapps.net'
   'privatelink.azuresynapse.net'
+  'privatelink.azurewebsites.net'
+  'privatelink.batch.azure.com'
   'privatelink.blob.core.windows.net'
-  'privatelink.table.core.windows.net'
-  'privatelink.queue.core.windows.net'
-  'privatelink.file.core.windows.net'
-  'privatelink.web.core.windows.net'
+  'privatelink.cassandra.cosmos.azure.com'
+  'privatelink.cognitiveservices.azure.com'
+  'privatelink.database.windows.net'
+  'privatelink.datafactory.azure.net'
+  'privatelink.dev.azuresynapse.net'
   'privatelink.dfs.core.windows.net'
+  'privatelink.dicom.azurehealthcareapis.com'
+  'privatelink.digitaltwins.azure.net'
+  'privatelink.directline.botframework.com'
   'privatelink.documents.azure.com'
-  'privatelink.mongo.cosmos.azure.com'
-  'privatelink.cassandra.cosmos.azure.com'
+  'privatelink.eventgrid.azure.net'
+  'privatelink.file.core.windows.net'
   'privatelink.gremlin.cosmos.azure.com'
-  'privatelink.table.cosmos.azure.com'
-  'privatelink.${toLower(parLocation)}.batch.azure.com'
-  'privatelink.postgres.database.azure.com'
-  'privatelink.mysql.database.azure.com'
-  'privatelink.mariadb.database.azure.com'
-  'privatelink.vaultcore.azure.net'
+  'privatelink.guestconfiguration.azure.com'
+  'privatelink.his.arc.azure.com'
+  'privatelink.kubernetesconfiguration.azure.com'
   'privatelink.managedhsm.azure.net'
-  'privatelink.${toLower(parLocation)}.azmk8s.io'
-  'privatelink.siterecovery.windowsazure.com'
-  'privatelink.servicebus.windows.net'
-  'privatelink.azure-devices.net'
-  'privatelink.eventgrid.azure.net'
-  'privatelink.azurewebsites.net'
-  'privatelink.api.azureml.ms'
-  'privatelink.notebooks.azure.net'
-  'privatelink.service.signalr.net'
+  'privatelink.mariadb.database.azure.com'
+  'privatelink.media.azure.net'
+  'privatelink.mongo.cosmos.azure.com'
   'privatelink.monitor.azure.com'
-  'privatelink.oms.opinsights.azure.com'
+  'privatelink.mysql.database.azure.com'
+  'privatelink.notebooks.azure.net'
   'privatelink.ods.opinsights.azure.com'
-  'privatelink.agentsvc.azure-automation.net'
-  'privatelink.afs.azure.net'
-  'privatelink.datafactory.azure.net'
-  'privatelink.adf.azure.com'
-  'privatelink.redis.cache.windows.net'
-  'privatelink.redisenterprise.cache.azure.net'
+  'privatelink.oms.opinsights.azure.com'
+  'privatelink.pbidedicated.windows.net'
+  'privatelink.postgres.database.azure.com'
+  'privatelink.prod.migration.windowsazure.com'
   'privatelink.purview.azure.com'
   'privatelink.purviewstudio.azure.com'
-  'privatelink.digitaltwins.azure.net'
-  'privatelink.azconfig.io'
-  'privatelink.cognitiveservices.azure.com'
-  'privatelink.azurecr.io'
+  'privatelink.queue.core.windows.net'
+  'privatelink.redis.cache.windows.net'
+  'privatelink.redisenterprise.cache.azure.net'
   'privatelink.search.windows.net'
-  'privatelink.azurehdinsight.net'
-  'privatelink.media.azure.net'
-  'privatelink.his.arc.azure.com'
-  'privatelink.guestconfiguration.azure.com'
+  'privatelink.service.signalr.net'
+  'privatelink.servicebus.windows.net'
+  'privatelink.siterecovery.windowsazure.com'
+  'privatelink.sql.azuresynapse.net'
+  'privatelink.table.core.windows.net'
+  'privatelink.table.cosmos.azure.com'
+  'privatelink.tip1.powerquery.microsoft.com'
+  'privatelink.token.botframework.com'
+  'privatelink.vaultcore.azure.net'
+  'privatelink.web.core.windows.net'
 ]
 
 //ASN must be 65515 if deploying VPN & ER for co-existence to work: https://docs.microsoft.com/en-us/azure/expressroute/expressroute-howto-coexist-resource-manager#limits-and-limitations

infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.all.json

@@ -89,58 +89,71 @@
     },
     "parPrivateDnsZones": {
       "value": [
+        "privatelink.xxxxxx.azmk8s.io", // Replace xxxxxx with target region (i.e. eastus)
+        "privatelink.xxxxxx.batch.azure.com", // Replace xxxxxx with target region (i.e. eastus)
+        "privatelink.xxxxxx.kusto.windows.net", // Replace xxxxxx with target region (i.e. eastus)
+        "privatelink.xxxxxx.backup.windowsazure.com", // Replace xxxxxx with target region geo code (i.e. for eastus, the geo code is eus)
+        "privatelink.adf.azure.com",
+        "privatelink.afs.azure.net",
+        "privatelink.agentsvc.azure-automation.net",
+        "privatelink.analysis.windows.net",
+        "privatelink.api.azureml.ms",
+        "privatelink.azconfig.io",
+        "privatelink.azure-api.net",
         "privatelink.azure-automation.net",
-        "privatelink.database.windows.net",
-        "privatelink.sql.azuresynapse.net",
-        "privatelink.dev.azuresynapse.net",
+        "privatelink.azurecr.io",
+        "privatelink.azure-devices.net",
+        "privatelink.azurehdinsight.net",
+        "privatelink.azurehealthcareapis.com",
+        "privatelink.azurestaticapps.net",
         "privatelink.azuresynapse.net",
+        "privatelink.azurewebsites.net",
+        "privatelink.batch.azure.com",
         "privatelink.blob.core.windows.net",
-        "privatelink.table.core.windows.net",
-        "privatelink.queue.core.windows.net",
-        "privatelink.file.core.windows.net",
-        "privatelink.web.core.windows.net",
+        "privatelink.cassandra.cosmos.azure.com",
+        "privatelink.cognitiveservices.azure.com",
+        "privatelink.database.windows.net",
+        "privatelink.datafactory.azure.net",
+        "privatelink.dev.azuresynapse.net",
         "privatelink.dfs.core.windows.net",
+        "privatelink.dicom.azurehealthcareapis.com",
+        "privatelink.digitaltwins.azure.net",
+        "privatelink.directline.botframework.com",
         "privatelink.documents.azure.com",
-        "privatelink.mongo.cosmos.azure.com",
-        "privatelink.cassandra.cosmos.azure.com",
+        "privatelink.eventgrid.azure.net",
+        "privatelink.file.core.windows.net",
         "privatelink.gremlin.cosmos.azure.com",
-        "privatelink.table.cosmos.azure.com",
-        "privatelink.xxxxxx.batch.azure.com", // Replace xxxxxx with target region (i.e. eastus)
-        "privatelink.postgres.database.azure.com",
-        "privatelink.mysql.database.azure.com",
-        "privatelink.mariadb.database.azure.com",
-        "privatelink.vaultcore.azure.net",
+        "privatelink.guestconfiguration.azure.com",
+        "privatelink.his.arc.azure.com",
+        "privatelink.kubernetesconfiguration.azure.com",
         "privatelink.managedhsm.azure.net",
-        "privatelink.xxxxxx.azmk8s.io", // Replace xxxxxx with target region (i.e. eastus)
-        "privatelink.xxxxxx.backup.windowsazure.com", // Replace xxxxxx with target region geo code (i.e. for eastus, the geo code is eus)
-        "privatelink.siterecovery.windowsazure.com",
-        "privatelink.servicebus.windows.net",
-        "privatelink.azure-devices.net",
-        "privatelink.eventgrid.azure.net",
-        "privatelink.azurewebsites.net",
-        "privatelink.api.azureml.ms",
-        "privatelink.notebooks.azure.net",
-        "privatelink.service.signalr.net",
+        "privatelink.mariadb.database.azure.com",
+        "privatelink.media.azure.net",
+        "privatelink.mongo.cosmos.azure.com",
         "privatelink.monitor.azure.com",
-        "privatelink.oms.opinsights.azure.com",
+        "privatelink.mysql.database.azure.com",
+        "privatelink.notebooks.azure.net",
         "privatelink.ods.opinsights.azure.com",
-        "privatelink.agentsvc.azure-automation.net",
-        "privatelink.afs.azure.net",
-        "privatelink.datafactory.azure.net",
-        "privatelink.adf.azure.com",
-        "privatelink.redis.cache.windows.net",
-        "privatelink.redisenterprise.cache.azure.net",
+        "privatelink.oms.opinsights.azure.com",
+        "privatelink.pbidedicated.windows.net",
+        "privatelink.postgres.database.azure.com",
+        "privatelink.prod.migration.windowsazure.com",
         "privatelink.purview.azure.com",
         "privatelink.purviewstudio.azure.com",
-        "privatelink.digitaltwins.azure.net",
-        "privatelink.azconfig.io",
-        "privatelink.cognitiveservices.azure.com",
-        "privatelink.azurecr.io",
+        "privatelink.queue.core.windows.net",
+        "privatelink.redis.cache.windows.net",
+        "privatelink.redisenterprise.cache.azure.net",
         "privatelink.search.windows.net",
-        "privatelink.azurehdinsight.net",
-        "privatelink.media.azure.net",
-        "privatelink.his.arc.azure.com",
-        "privatelink.guestconfiguration.azure.com"
+        "privatelink.service.signalr.net",
+        "privatelink.servicebus.windows.net",
+        "privatelink.siterecovery.windowsazure.com",
+        "privatelink.sql.azuresynapse.net",
+        "privatelink.table.core.windows.net",
+        "privatelink.table.cosmos.azure.com",
+        "privatelink.tip1.powerquery.microsoft.com",
+        "privatelink.token.botframework.com",
+        "privatelink.vaultcore.azure.net",
+        "privatelink.web.core.windows.net"
       ]
     },
     "parVpnGatewayConfig": {

infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep

@@ -53,7 +53,6 @@ var varModuleDeploymentNames = {
   modPolicyAssignmentIdentDeployVmBackup: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVMBackup-ident-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
   modPolicyAssignmentMgmtDeployLogAnalytics: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployLAW-mgmt-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
   modPolicyAssignmentLzsDenyIpForwarding: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyIPForward-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
-  modPolicyAssignmentLzsDenyPublicIp: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyPublicIP-corp-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
   modPolicyAssignmentLzsDenyRdpFromInternet: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyRDPFromInet-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
   modPolicyAssignmentLzsDenySubnetWithoutNsg: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denySubnetNoNSG-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
   modPolicyAssignmentLzsDeployVmBackup: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVMBackup-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
@@ -116,7 +115,7 @@ var varPolicyAssignmentDenyPublicEndpoints = {
 }
 
 var varPolicyAssignmentDenyPublicIP = {
-  definitionId: '${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicIP'
+  definitionId: '/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749'
   libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_public_ip.tmpl.json')
 }
 
@@ -759,22 +758,6 @@ module modPolicyAssignmentLzsDenyPublicEndpoints '../../../policy/assignments/po
   }
 }
 
-// Module - Policy Assignment - Deny-Public-IP
-module modPolicyAssignmentLzsDenyPublicIp '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
-  scope: managementGroup(varManagementGroupIds.landingZonesCorp)
-  name: varModuleDeploymentNames.modPolicyAssignmentLzsDenyPublicIp
-  params: {
-    parPolicyAssignmentDefinitionId: varPolicyAssignmentDenyPublicIP.definitionId
-    parPolicyAssignmentName: varPolicyAssignmentDenyPublicIP.libDefinition.name
-    parPolicyAssignmentDisplayName: varPolicyAssignmentDenyPublicIP.libDefinition.properties.displayName
-    parPolicyAssignmentDescription: varPolicyAssignmentDenyPublicIP.libDefinition.properties.description
-    parPolicyAssignmentParameters: varPolicyAssignmentDenyPublicIP.libDefinition.properties.parameters
-    parPolicyAssignmentIdentityType: varPolicyAssignmentDenyPublicIP.libDefinition.identity.type
-    parPolicyAssignmentEnforcementMode: varPolicyAssignmentDenyPublicIP.libDefinition.properties.enforcementMode
-    parTelemetryOptOut: parTelemetryOptOut
-  }
-}
-
 // Module - Policy Assignment - Deny-DataB-Pip
 module modPolicyAssignmentLzsDenyDataBPip '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
   scope: managementGroup(varManagementGroupIds.landingZonesCorp)

infra-as-code/bicep/modules/policy/assignments/alzDefaults/mc-alzDefaultPolicyAssignments.bicep

@@ -53,7 +53,6 @@ var varModuleDeploymentNames = {
   modPolicyAssignmentIdentDeployVMBackup: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVMBackup-ident-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
   modPolicyAssignmentMgmtDeployLogAnalytics: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployLAW-mgmt-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
   modPolicyAssignmentLZsDenyIPForwarding: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyIPForward-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
-  modPolicyAssignmentLZsDenyPublicIP: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyPublicIP-corp-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
   modPolicyAssignmentLZsDenyRDPFromInternet: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyRDPFromInet-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
   modPolicyAssignmentLZsDenySubnetWithoutNSG: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denySubnetNoNSG-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
   modPolicyAssignmentLZsDeployVMBackup: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVMBackup-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
@@ -101,7 +100,7 @@ var varPolicyAssignmentDenyPublicEndpoints = {
 }
 
 var varPolicyAssignmentDenyPublicIP = {
-  definitionId: '${varTopLevelManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicIP'
+  definitionId: '/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749'
   libDefinition: loadJsonContent(('../../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_public_ip.tmpl.json'))
 }
 
@@ -713,19 +712,3 @@ module modPolicyAssignmentLZsDenyPublicEndpoints '../../../policy/assignments/po
     parTelemetryOptOut: parTelemetryOptOut
   }
 }
-
-// Module - Policy Assignment - Deny-Public-IP
-module modPolicyAssignmentLZsDenyPublicIP '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
-  scope: managementGroup(varManagementGroupIDs.landingZonesCorp)
-  name: varModuleDeploymentNames.modPolicyAssignmentLZsDenyPublicIP
-  params: {
-    parPolicyAssignmentDefinitionId: varPolicyAssignmentDenyPublicIP.definitionId
-    parPolicyAssignmentName: varPolicyAssignmentDenyPublicIP.libDefinition.name
-    parPolicyAssignmentDisplayName: varPolicyAssignmentDenyPublicIP.libDefinition.properties.displayName
-    parPolicyAssignmentDescription: varPolicyAssignmentDenyPublicIP.libDefinition.properties.description
-    parPolicyAssignmentParameters: varPolicyAssignmentDenyPublicIP.libDefinition.properties.parameters
-    parPolicyAssignmentIdentityType: varPolicyAssignmentDenyPublicIP.libDefinition.identity.type
-    parPolicyAssignmentEnforcementMode: varPolicyAssignmentDenyPublicIP.libDefinition.properties.enforcementMode
-    parTelemetryOptOut: parTelemetryOptOut
-  }
-}

infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_public_ip.tmpl.json

@@ -9,9 +9,14 @@
     "parameters": {
       "effect": {
         "value": "Deny"
+      },
+      "listOfResourceTypesNotAllowed": {
+        "value": [
+          "Microsoft.Network/publicIPAddresses"
+        ]
       }
     },
-    "policyDefinitionId": "${modManagementGroups.outputs.outTopLevelMGId}/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicIP",
+    "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749",
     "scope": null,
     "enforcementMode": "Default"
   },

infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_public_ip.tmpl.json

@@ -9,9 +9,14 @@
     "parameters": {
       "effect": {
         "value": "Deny"
+      },
+      "listOfResourceTypesNotAllowed": {
+        "value": [
+          "Microsoft.Network/publicIPAddresses"
+        ]
       }
     },
-    "policyDefinitionId": "${modManagementGroups.outputs.outTopLevelManagementGroupId}/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicIP",
+    "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749",
     "scope": null,
     "enforcementMode": "Default"
   },