Built-in policies DINE policies for DNSZoneGroup registration missing #725
Comments
@victorar /@daltondhcp - can you have a look at this when back? :-)
@pkorolo - as per our chat this afternoon, could you please provide the information you shared with me this afternoon 👍
further details:
In previous versions, where we relied on custom (per PaaS type) ESLZ Policies (afaik we do not have them anymore in the latest ESLZ), the functionality was 100% OK (both private endpoint configuration and A record creation was functioning properly).
Looping in @sitarant, @krowlandson to this issue as I understand they have also seen similar when implementing these policies with the Terraform module.
@pkorolo - I have done some investigation and this is related to the shift to built-in policies for this that was done in our July update, where blob is not yet included. (See what's new below.) I will follow up with the eng. team to get an ETA on when we can expect it to be available. In the meantime, as a workaround, you can create a custom policy based on this doc and add it to the "Configure Azure PaaS services to use private DNS zones" initiative. Apologies for the inconvenience.
Trigger ADO Sync 1
Trigger ADO Sync 2
Hey @pkorolo, just picking this back up and re-triaging. Is this effectively saying that the It doesn't look like there is a built-in, so we would have to work with the storage PG to get one published or create a custom one. I checked here for all the latest built-ins: https://www.azadvertizer.net/azpolicyadvertizer_all.html#%7B%22col_3%22%3A%7B%22flt%22%3A%22private%20DNS%20zones%22%7D%2C%22col_0%22%3A%7B%7D%2C%22col_8%22%3A%7B%7D%2C%22page_length%22%3A100%7D We have also already done some gap analysis of private link supported services and whether there is a built-in private DNS zone group DINE policy. Let us know.
Hello @jtracey93 Indeed, some months back when I was doing some testing, the custom initiative then called "Configure Azure PaaS services to use private DNS zones" (definition: /providers/Microsoft.Management/managementGroups/<alz_root_mg>/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones ), which was a bundle of individual built-in policies (per-PaaS Service), did not include the respective DINE policy for (blob) storage. Now it has been a while since then (I haven't re-deployed and tested in the interim), and maybe this is not the case anymore. If you have a relatively recent deployment, you can check if the respective initiative now does include DINE policies for storage services' private DNS zone groups or not. Hope this helps!
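The two technical points in the thread above are the workaround (a custom DINE policy that creates the private DNS zone group for blob private endpoints, to be added to the "Configure Azure PaaS services to use private DNS zones" initiative) and the check (does the initiative's member list actually cover the storage groupId). The script below is an added example, not code from the issue or from the Enterprise-Scale/ALZ repository. It builds the custom policy definition in the shape the built-in private DNS zone group policies use, and walks a set of member policy rules to report which Private Link groupIds are not covered. The Network Contributor role GUID, the parameter names, the `deployedByPolicy` zone group name and the sample initiative members are assumptions, not values from the page.

```python
"""Added example: custom DINE policy for privateDnsZoneGroups plus an initiative gap check.
Not part of the issue thread or the ALZ/ESLZ project; all names below are assumptions."""
import json

# Assumed: Network Contributor, the role DINE needs to create the zone group
# (verify the GUID against the built-in roles in your tenant before use).
NETWORK_CONTRIBUTOR = ("/providers/Microsoft.Authorization/roleDefinitions/"
                       "4d97b98b-1d4f-4787-a291-c67834d212e7")
GROUP_IDS_FIELD = ("Microsoft.Network/privateEndpoints/"
                   "privateLinkServiceConnections[*].groupIds[*]")


def dns_zone_group_policy(group_id: str, zone_group_name: str = "deployedByPolicy") -> dict:
    """Custom DeployIfNotExists policy: for a private endpoint whose connection
    carries `group_id` (e.g. 'blob'), deploy a privateDnsZoneGroup that links the
    endpoint to the private DNS zone passed in as a parameter."""
    template = {
        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
        "contentVersion": "1.0.0.0",
        "parameters": {"privateDnsZoneId": {"type": "string"},
                       "privateEndpointName": {"type": "string"},
                       "location": {"type": "string"}},
        "resources": [{
            # Child resource name must be "<endpoint name>/<zone group name>"
            "name": f"[concat(parameters('privateEndpointName'), '/{zone_group_name}')]",
            "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
            "apiVersion": "2020-03-01",
            "location": "[parameters('location')]",
            "properties": {"privateDnsZoneConfigs": [{
                "name": f"{group_id}-privateDnsZone",
                "properties": {"privateDnsZoneId": "[parameters('privateDnsZoneId')]"}}]},
        }],
    }
    return {
        "mode": "Indexed",
        "parameters": {
            "privateDnsZoneId": {"type": "String",
                                 "metadata": {"strongType": "Microsoft.Network/privateDnsZones"}},
            "effect": {"type": "String", "allowedValues": ["DeployIfNotExists", "Disabled"],
                       "defaultValue": "DeployIfNotExists"},
        },
        "policyRule": {
            "if": {"allOf": [
                {"field": "type", "equals": "Microsoft.Network/privateEndpoints"},
                # Match only endpoints whose connection requests this groupId
                {"count": {"field": GROUP_IDS_FIELD,
                           "where": {"field": GROUP_IDS_FIELD, "equals": group_id}},
                 "greaterOrEquals": 1},
            ]},
            "then": {
                "effect": "[parameters('effect')]",
                "details": {
                    "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
                    "roleDefinitionIds": [NETWORK_CONTRIBUTOR],
                    "deployment": {"properties": {
                        "mode": "incremental",
                        "template": template,
                        "parameters": {
                            "privateDnsZoneId": {"value": "[parameters('privateDnsZoneId')]"},
                            "privateEndpointName": {"value": "[field('name')]"},
                            "location": {"value": "[field('location')]"},
                        },
                    }},
                },
            },
        },
    }


def covered_group_ids(policy_rule: dict) -> set:
    """Walk a policy rule's 'if' block and collect every groupId it matches on."""
    found = set()

    def walk(node):
        if isinstance(node, dict):
            field = node.get("field")
            if isinstance(field, str) and field.endswith("groupIds[*]") and "equals" in node:
                found.add(node["equals"])
            for value in node.values():
                walk(value)
        elif isinstance(node, list):
            for value in node:
                walk(value)

    walk(policy_rule.get("if", {}))
    return found


def initiative_gap(member_definitions: list, required: set) -> set:
    """groupIds in `required` that no member policy of the initiative covers."""
    covered = set()
    for definition in member_definitions:
        covered |= covered_group_ids(definition["policyRule"])
    return required - covered


if __name__ == "__main__":
    # Constructed stand-ins for an initiative's member policies (not real built-ins).
    members = [dns_zone_group_policy("sqlServer"), dns_zone_group_policy("vault")]
    print("missing:", initiative_gap(members, {"blob", "sqlServer", "vault"}))  # {'blob'}
    members.append(dns_zone_group_policy("blob"))  # the workaround from the thread
    print("missing after workaround:", initiative_gap(members, {"blob", "sqlServer", "vault"}))
    print(json.dumps(dns_zone_group_policy("blob"), indent=2)[:200], "...")
```

In practice you would feed `initiative_gap` the `policyRule` of each definition referenced by the initiative (fetched with your tooling of choice) and the set of groupIds used by the private endpoints in your landing zones; an empty result means every endpoint type gets its A record created by policy. The custom definition is plain JSON once serialised, so it can be created as a management-group-scoped definition and referenced from the initiative with a `privateDnsZoneId` parameter pointing at the `privatelink.blob.core.windows.net` zone.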
Describe the bug
Custom ESLZ "Configure Azure PaaS services to use private DNS zones" does not work as expected; tested with storage account, although it does configure the private endpoint with the appropriate private DNS zone, it does NOT also automatically create the respective A record for the private endpoint
Steps to reproduce
Screenshots