last sync: 2021-Aug-04 14:59:26 UTC

Azure Policy definition

Configure Azure Monitor Private Link Scope to use private DNS zones

Name Configure Azure Monitor Private Link Scope to use private DNS zones
Azure Portal
Id 437914ee-c176-4fff-8986-7e05eb971365
Version 1.0.0
details on versioning
Category Monitoring
Microsoft docs
Description Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Monitor private link scope. Learn more at: https://docs.microsoft.com/azure/azure-monitor/logs/private-link-security#connect-to-a-private-endpoint.
Mode Indexed
Type BuiltIn
Preview FALSE
Deprecated FALSE
Effect Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Used RBAC Role
Role Name Role Id
Network Contributor 4d97b98b-1d4f-4787-a291-c67834d212e7
History
Date/Time (UTC ymd) (i) Change type Change detail
2021-07-07 15:26:31 add 437914ee-c176-4fff-8986-7e05eb971365
Used in Initiatives none
JSON
{
  "properties": {
    "displayName": "Configure Azure Monitor Private Link Scope to use private DNS zones",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Monitor private link scope. Learn more at: https://docs.microsoft.com/azure/azure-monitor/logs/private-link-security#connect-to-a-private-endpoint.",
    "metadata": {
      "version": "1.0.0",
      "category": "Monitoring"
    },
    "parameters": {
      "privateDnsZoneId1": {
        "type": "String",
        "metadata": {
          "displayName": "Private DNS Zone for global endpoints used by Azure Monitor",
          "description": "One of the five private DNS zone IDs required for Microsoft.Insights/privateLinkScopes to resolve a private DNS Zone to your Azure Monitor Private Link scope.",
          "strongType": "Microsoft.Network/privateDnsZones",
          "assignPermissions": true
        }
      },
      "privateDnsZoneId2": {
        "type": "String",
        "metadata": {
          "displayName": "Private DNS Zone for workspace-specific mapping to OMS agents endpoints",
          "description": "One of the five private DNS zone IDs required for Microsoft.Insights/privateLinkScopes to resolve a private DNS Zone to your Azure Monitor Private Link scope.",
          "strongType": "Microsoft.Network/privateDnsZones",
          "assignPermissions": true
        }
      },
      "privateDnsZoneId3": {
        "type": "String",
        "metadata": {
          "displayName": "Private DNS Zone for workspace-specific mapping to ingestion endpoints",
          "description": "One of the five private DNS zone IDs required for Microsoft.Insights/privateLinkScopes to resolve a private DNS Zone to your Azure Monitor Private Link scope.",
          "strongType": "Microsoft.Network/privateDnsZones",
          "assignPermissions": true
        }
      },
      "privateDnsZoneId4": {
        "type": "String",
        "metadata": {
          "displayName": "Private DNS Zone for workspace-specific mapping to the agent service automation endpoints",
          "description": "One of the five private DNS zone IDs required for Microsoft.Insights/privateLinkScopes to resolve a private DNS Zone.",
          "strongType": "Microsoft.Network/privateDnsZones",
          "assignPermissions": true
        }
      },
      "privateDnsZoneId5": {
        "type": "String",
        "metadata": {
          "displayName": "Private DNS Zone for connectivity to the global agent's solution packs storage account",
          "description": "One of the five private DNS zone IDs required for Microsoft.Insights/privateLinkScopes to resolve a private DNS Zone.",
          "strongType": "Microsoft.Network/privateDnsZones",
          "assignPermissions": true
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/privateEndpoints"
          },
          {
            "count": {
            "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*]",
              "where": {
                "allOf": [
                  {
                  "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId",
                    "contains": "Microsoft.Insights/privateLinkScopes"
                  },
                  {
                  "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]",
                    "equals": "azuremonitor"
                  }
                ]
              }
            },
            "greaterOrEquals": 1
          }
        ]
      },
      "then": {
      "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "privateDnsZoneId1": {
                    "type": "string"
                  },
                  "privateDnsZoneId2": {
                    "type": "string"
                  },
                  "privateDnsZoneId3": {
                    "type": "string"
                  },
                  "privateDnsZoneId4": {
                    "type": "string"
                  },
                  "privateDnsZoneId5": {
                    "type": "string"
                  },
                  "privateEndpointName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                  "name": "[concat(parameters('privateEndpointName'), '/deployedByPolicy')]",
                    "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
                    "apiVersion": "2020-03-01",
                  "location": "[parameters('location')]",
                    "properties": {
                      "privateDnsZoneConfigs": [
                        {
                          "name": "privateDnsZone1",
                          "properties": {
                          "privateDnsZoneId": "[parameters('privateDnsZoneId1')]"
                          }
                        },
                        {
                          "name": "privateDnsZone2",
                          "properties": {
                          "privateDnsZoneId": "[parameters('privateDnsZoneId2')]"
                          }
                        },
                        {
                          "name": "privateDnsZone3",
                          "properties": {
                          "privateDnsZoneId": "[parameters('privateDnsZoneId3')]"
                          }
                        },
                        {
                          "name": "privateDnsZone4",
                          "properties": {
                          "privateDnsZoneId": "[parameters('privateDnsZoneId4')]"
                          }
                        },
                        {
                          "name": "privateDnsZone5",
                          "properties": {
                          "privateDnsZoneId": "[parameters('privateDnsZoneId5')]"
                          }
                        }
                      ]
                    }
                  }
                ]
              },
              "parameters": {
                "privateDnsZoneId1": {
                "value": "[parameters('privateDnsZoneId1')]"
                },
                "privateDnsZoneId2": {
                "value": "[parameters('privateDnsZoneId2')]"
                },
                "privateDnsZoneId3": {
                "value": "[parameters('privateDnsZoneId3')]"
                },
                "privateDnsZoneId4": {
                "value": "[parameters('privateDnsZoneId4')]"
                },
                "privateDnsZoneId5": {
                "value": "[parameters('privateDnsZoneId5')]"
                },
                "privateEndpointName": {
                "value": "[field('name')]"
                },
                "location": {
                "value": "[field('location')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/437914ee-c176-4fff-8986-7e05eb971365",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "437914ee-c176-4fff-8986-7e05eb971365"
}