Update DNS for private endpoint (#1109)

* Added new built-in policies into the initiative * Update corresponding assignment * Update What's New page Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Kevin Rowlandson <[email protected]>
Azure · Nov 23, 2022 · 4f23cea · 4f23cea
1 parent e04594e
commit 4f23cea
Show file tree

Hide file tree

Showing 5 changed files with 811 additions and 7 deletions.
diff --git a/docs/wiki/Whats-new.md b/docs/wiki/Whats-new.md
@@ -72,6 +72,20 @@ Here's what's changed in Enterprise Scale/Azure Landing Zones:
   - Version 1.0.0 -> 1.1.0
   - Added system databases master, model, tempdb, msdb, resource to exclusion parameter as default values
   - Added as Policy Rule 'notIn' which will exclude the above databases from the policy
+- Updated "**Deploy-Private-DNS-Zones**" Custom initiative for **Azure Public Cloud**, with latest built-in Policies. Policies were added for the following Services:
+  - Azure Automation
+  - Azure Cosmos DB (all APIs: SQL, MongoDB, Cassandra, Gremlin, Table)
+  - Azure Data Factory
+  - Azure HDInsight
+  - Azure Migrate (missing Private DNS Zone also added)
+  - Azure Storage (Blob, Queue, File, Static Web, DFS and all relative secondaries)
+  - Azure Synapse Analytics
+  - Azure Media Services
+  - Azure Monitor
+- Minor fixes related to "**Deploy-Private-DNS-Zones**" Custom Initiative and respective Assignment:
+  - Added missing Zones for **"WebPubSub"** and **"azure-devices-provisioning"**, so Initiative Assignment works correctly
+  - Minor correction related to **ASR Private DNS Zone variable**, so Initiative Assignment works correctly
+  - Convertion of **"Azure Batch"** Private DNS Zone (from regional to global), to properly align with latest respective documentation and functionality
 - Renamed Azure DDoS Standard Protection references to [Azure DDoS Network Protection](https://learn.microsoft.com/en-us/azure/ddos-protection/ddos-protection-sku-comparison#ddos-network-protection). 
 - Incremented version for policy Deploy-DDoSProtection from "version":"1.0.0" to "version": "1.0.1"
 - Added `Configure Microsoft Defender for Azure Cosmos DB to be enabled` to the `Deploy Microsoft Defender for Cloud configuration` initiative and updated version to `3.1.0` - Fixing issue [issue #1081](https://github.com/Azure/Enterprise-Scale/issues/1081)

diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json
@@ -891,7 +891,7 @@
             "privatelink.cassandra.cosmos.azure.com",
             "privatelink.gremlin.cosmos.azure.com",
             "privatelink.table.cosmos.azure.com",
-            "[concat('privatelink.', parameters('connectivityLocation'), '.batch.azure.com')]",
+            "privatelink.batch.azure.com",
             "privatelink.postgres.database.azure.com",
             "privatelink.mysql.database.azure.com",
             "privatelink.mariadb.database.azure.com",
@@ -925,7 +925,10 @@
             "privatelink.azurehdinsight.net",
             "privatelink.his.arc.azure.com",
             "privatelink.guestconfiguration.azure.com",
-            "privatelink.media.azure.net"
+            "privatelink.media.azure.net",
+            "privatelink.prod.migration.windowsazure.com",
+            "privatelink.webpubsub.azure.com",
+            "privatelink.azure-devices-provisioning.net"
         ],
         "azBackupGeoCodes": {
             "australiacentral": "acl",

diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DINE-PrivateDNSZonesPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DINE-PrivateDNSZonesPolicyAssignment.json
@@ -33,10 +33,41 @@
         "baseId": "[concat(parameters('dnsZoneResourceGroupId'), '/providers/Microsoft.Network/privateDnsZones/')]",
         "policyParameterMapping": {
             "azureFilePrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.afs.azure.net')]",
+            "azureAutomationWebhookPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.azure-automation.net')]",
+            "azureAutomationDSCHybridPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.azure-automation.net')]",
+            "azureCosmosSQLPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.documents.azure.com')]",
+            "azureCosmosMongoPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.mongo.cosmos.azure.com')]",
+            "azureCosmosCassandraPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.cassandra.cosmos.azure.com')]",
+            "azureCosmosGremlinPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.gremlin.cosmos.azure.com')]",
+            "azureCosmosTablePrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.table.cosmos.azure.com')]",
+            "azureDataFactoryPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.datafactory.azure.net')]",
+            "azureDataFactoryPortalPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.adf.azure.com')]",
+            "azureHDInsightPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.azurehdinsight.net')]",
+            "azureMigratePrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.prod.migration.windowsazure.com')]",
+            "azureStorageBlobPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.blob.core.windows.net')]",
+            "azureStorageBlobSecPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.blob.core.windows.net')]",
+            "azureStorageQueuePrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.queue.core.windows.net')]",
+            "azureStorageQueueSecPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.queue.core.windows.net')]",
+            "azureStorageFilePrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.file.core.windows.net')]",
+            "azureStorageStaticWebPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.web.core.windows.net')]",
+            "azureStorageStaticWebSecPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.web.core.windows.net')]",
+            "azureStorageDFSPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.dfs.core.windows.net')]",
+            "azureStorageDFSSecPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.dfs.core.windows.net')]",
+            "azureSynapseSQLPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.sql.azuresynapse.net')]",
+            "azureSynapseSQLODPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.sql.azuresynapse.net')]",
+            "azureSynapseDevPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.dev.azuresynapse.net')]",
+            "azureMediaServicesKeyPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.media.azure.net')]",
+            "azureMediaServicesLivePrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.media.azure.net')]",
+            "azureMediaServicesStreamPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.media.azure.net')]",
+            "azureMonitorPrivateDnsZoneId1": "[concat(variables('baseId'), 'privatelink.monitor.azure.com')]",
+            "azureMonitorPrivateDnsZoneId2": "[concat(variables('baseId'), 'privatelink.oms.opinsights.azure.com')]",
+            "azureMonitorPrivateDnsZoneId3": "[concat(variables('baseId'), 'privatelink.ods.opinsights.azure.com')]",
+            "azureMonitorPrivateDnsZoneId4": "[concat(variables('baseId'), 'privatelink.agentsvc.azure-automation.net')]",
+            "azureMonitorPrivateDnsZoneId5": "[concat(variables('baseId'), 'privatelink.blob.core.windows.net')]",
             "azureWebPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.webpubsub.azure.com')]",
-            "azureBatchPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.', parameters('location'), '.batch.azure.com')]",
+            "azureBatchPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.batch.azure.com')]",
             "azureAppPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.azconfig.io')]",
-            "azureAsrPrivateDnsZoneId": "[concat(variables('baseId'), '.privatelink.siterecovery.windowsazure.com')]",
+            "azureAsrPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.siterecovery.windowsazure.com')]",
             "azureIotPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.azure-devices-provisioning.net')]",
             "azureKeyVaultPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.vaultcore.azure.net')]",
             "azureSignalRPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.service.signalr.net')]",
@@ -84,6 +115,99 @@
                     "azureFilePrivateDnsZoneId": {
                         "value": "[variables('policyParameterMapping').azureFilePrivateDnsZoneId]"
                     },
+                    "azureAutomationWebhookPrivateDnsZoneId": {
+                        "value": "[variables('policyParameterMapping').azureAutomationWebhookPrivateDnsZoneId]"
+                    },
+                    "azureAutomationDSCHybridPrivateDnsZoneId": {
+                        "value": "[variables('policyParameterMapping').azureAutomationDSCHybridPrivateDnsZoneId]"
+                    },
+                    "azureCosmosSQLPrivateDnsZoneId": {
+                        "value": "[variables('policyParameterMapping').azureCosmosSQLPrivateDnsZoneId]"
+                    },
+                    "azureCosmosMongoPrivateDnsZoneId": {
+                        "value": "[variables('policyParameterMapping').azureCosmosMongoPrivateDnsZoneId]"
+                    },
+                    "azureCosmosCassandraPrivateDnsZoneId": {
+                        "value": "[variables('policyParameterMapping').azureCosmosCassandraPrivateDnsZoneId]"
+                    },
+                    "azureCosmosGremlinPrivateDnsZoneId": {
+                        "value": "[variables('policyParameterMapping').azureCosmosGremlinPrivateDnsZoneId]"
+                    },
+                    "azureCosmosTablePrivateDnsZoneId": {
+                        "value": "[variables('policyParameterMapping').azureCosmosTablePrivateDnsZoneId]"
+                    },
+                    "azureDataFactoryPrivateDnsZoneId": {
+                        "value": "[variables('policyParameterMapping').azureDataFactoryPrivateDnsZoneId]"
+                    },
+                    "azureDataFactoryPortalPrivateDnsZoneId": {
+                        "value": "[variables('policyParameterMapping').azureDataFactoryPortalPrivateDnsZoneId]"
+                    },
+                    "azureHDInsightPrivateDnsZoneId": {
+                        "value": "[variables('policyParameterMapping').azureHDInsightPrivateDnsZoneId]"
+                    },
+                    "azureMigratePrivateDnsZoneId": {
+                        "value": "[variables('policyParameterMapping').azureMigratePrivateDnsZoneId]"
+                    },
+                    "azureStorageBlobPrivateDnsZoneId": {
+                        "value": "[variables('policyParameterMapping').azureStorageBlobPrivateDnsZoneId]"
+                    },
+                    "azureStorageBlobSecPrivateDnsZoneId": {
+                        "value": "[variables('policyParameterMapping').azureStorageBlobSecPrivateDnsZoneId]"
+                    },
+                    "azureStorageQueuePrivateDnsZoneId": {
+                        "value": "[variables('policyParameterMapping').azureStorageQueuePrivateDnsZoneId]"
+                    },
+                    "azureStorageQueueSecPrivateDnsZoneId": {
+                        "value": "[variables('policyParameterMapping').azureStorageQueueSecPrivateDnsZoneId]"
+                    },
+                    "azureStorageFilePrivateDnsZoneId": {
+                        "value": "[variables('policyParameterMapping').azureStorageFilePrivateDnsZoneId]"
+                    },
+                    "azureStorageStaticWebPrivateDnsZoneId": {
+                        "value": "[variables('policyParameterMapping').azureStorageStaticWebPrivateDnsZoneId]"
+                    },
+                    "azureStorageStaticWebSecPrivateDnsZoneId": {
+                        "value": "[variables('policyParameterMapping').azureStorageStaticWebSecPrivateDnsZoneId]"
+                    },
+                    "azureStorageDFSPrivateDnsZoneId": {
+                        "value": "[variables('policyParameterMapping').azureStorageDFSPrivateDnsZoneId]"
+                    },
+                    "azureStorageDFSSecPrivateDnsZoneId": {
+                        "value": "[variables('policyParameterMapping').azureStorageDFSSecPrivateDnsZoneId]"
+                    },
+                    "azureSynapseSQLPrivateDnsZoneId": {
+                        "value": "[variables('policyParameterMapping').azureSynapseSQLPrivateDnsZoneId]"
+                    },
+                    "azureSynapseSQLODPrivateDnsZoneId": {
+                        "value": "[variables('policyParameterMapping').azureSynapseSQLODPrivateDnsZoneId]"
+                    },
+                    "azureSynapseDevPrivateDnsZoneId": {
+                        "value": "[variables('policyParameterMapping').azureSynapseDevPrivateDnsZoneId]"
+                    },
+                    "azureMediaServicesKeyPrivateDnsZoneId": {
+                        "value": "[variables('policyParameterMapping').azureMediaServicesKeyPrivateDnsZoneId]"
+                    },
+                    "azureMediaServicesLivePrivateDnsZoneId": {
+                        "value": "[variables('policyParameterMapping').azureMediaServicesLivePrivateDnsZoneId]"
+                    },
+                    "azureMediaServicesStreamPrivateDnsZoneId": {
+                        "value": "[variables('policyParameterMapping').azureMediaServicesStreamPrivateDnsZoneId]"
+                    },
+                    "azureMonitorPrivateDnsZoneId1": {
+                        "value": "[variables('policyParameterMapping').azureMonitorPrivateDnsZoneId1]"
+                    },
+                    "azureMonitorPrivateDnsZoneId2": {
+                        "value": "[variables('policyParameterMapping').azureMonitorPrivateDnsZoneId2]"
+                    },
+                    "azureMonitorPrivateDnsZoneId3": {
+                        "value": "[variables('policyParameterMapping').azureMonitorPrivateDnsZoneId3]"
+                    },
+                    "azureMonitorPrivateDnsZoneId4": {
+                        "value": "[variables('policyParameterMapping').azureMonitorPrivateDnsZoneId4]"
+                    },
+                    "azureMonitorPrivateDnsZoneId5": {
+                        "value": "[variables('policyParameterMapping').azureMonitorPrivateDnsZoneId5]"
+                    },
                     "azureWebPrivateDnsZoneId": {
                         "value": "[variables('policyParameterMapping').azureWebPrivateDnsZoneId]"
                     },