AzPolicyAdvertizer

last sync: 2021-Aug-04 14:59:26 UTC

Azure Policy definition

Configure Azure Monitor Private Link Scope to use private DNS zones

Name Configure Azure Monitor Private Link Scope to use private DNS zones
Azure Portal

Id 437914ee-c176-4fff-8986-7e05eb971365

Version 1.0.0
details on versioning

Category Monitoring
Microsoft docs

Description Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Monitor private link scope. Learn more at: https://docs.microsoft.com/azure/azure-monitor/logs/private-link-security#connect-to-a-private-endpoint.

Mode Indexed

Type BuiltIn

Preview FALSE

Deprecated FALSE

Effect Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)

Used RBAC Role

Role Name	Role Id
Network Contributor	4d97b98b-1d4f-4787-a291-c67834d212e7

History

Date/Time (UTC ymd) (i)	Change type	Change detail
2021-07-07 15:26:31	add	437914ee-c176-4fff-8986-7e05eb971365

Used in Initiatives none

JSON

{
  "properties": {
    "displayName": "Configure Azure Monitor Private Link Scope to use private DNS zones",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Monitor private link scope. Learn more at: https://docs.microsoft.com/azure/azure-monitor/logs/private-link-security#connect-to-a-private-endpoint.",
    "metadata": {
      "version": "1.0.0",
      "category": "Monitoring"
    },
    "parameters": {
      "privateDnsZoneId1": {
        "type": "String",
        "metadata": {
          "displayName": "Private DNS Zone for global endpoints used by Azure Monitor",
          "description": "One of the five private DNS zone IDs required for Microsoft.Insights/privateLinkScopes to resolve a private DNS Zone to your Azure Monitor Private Link scope.",
          "strongType": "Microsoft.Network/privateDnsZones",
          "assignPermissions": true
        }
      },
      "privateDnsZoneId2": {
        "type": "String",
        "metadata": {
          "displayName": "Private DNS Zone for workspace-specific mapping to OMS agents endpoints",
          "description": "One of the five private DNS zone IDs required for Microsoft.Insights/privateLinkScopes to resolve a private DNS Zone to your Azure Monitor Private Link scope.",
          "strongType": "Microsoft.Network/privateDnsZones",
          "assignPermissions": true
        }
      },
      "privateDnsZoneId3": {
        "type": "String",
        "metadata": {
          "displayName": "Private DNS Zone for workspace-specific mapping to ingestion endpoints",
          "description": "One of the five private DNS zone IDs required for Microsoft.Insights/privateLinkScopes to resolve a private DNS Zone to your Azure Monitor Private Link scope.",
          "strongType": "Microsoft.Network/privateDnsZones",
          "assignPermissions": true
        }
      },
      "privateDnsZoneId4": {
        "type": "String",
        "metadata": {
          "displayName": "Private DNS Zone for workspace-specific mapping to the agent service automation endpoints",
          "description": "One of the five private DNS zone IDs required for Microsoft.Insights/privateLinkScopes to resolve a private DNS Zone.",
          "strongType": "Microsoft.Network/privateDnsZones",
          "assignPermissions": true
        }
      },
      "privateDnsZoneId5": {
        "type": "String",
        "metadata": {
          "displayName": "Private DNS Zone for connectivity to the global agent's solution packs storage account",
          "description": "One of the five private DNS zone IDs required for Microsoft.Insights/privateLinkScopes to resolve a private DNS Zone.",
          "strongType": "Microsoft.Network/privateDnsZones",
          "assignPermissions": true
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/privateEndpoints"
          },
          {
            "count": {
            "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*]",
              "where": {
                "allOf": [
                  {
                  "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId",
                    "contains": "Microsoft.Insights/privateLinkScopes"
                  },
                  {
                  "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]",
                    "equals": "azuremonitor"
                  }
                ]
              }
            },
            "greaterOrEquals": 1
          }
        ]
      },
      "then": {
      "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "privateDnsZoneId1": {
                    "type": "string"
                  },
                  "privateDnsZoneId2": {
                    "type": "string"
                  },
                  "privateDnsZoneId3": {
                    "type": "string"
                  },
                  "privateDnsZoneId4": {
                    "type": "string"
                  },
                  "privateDnsZoneId5": {
                    "type": "string"
                  },
                  "privateEndpointName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                  "name": "[concat(parameters('privateEndpointName'), '/deployedByPolicy')]",
                    "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
                    "apiVersion": "2020-03-01",
                  "location": "[parameters('location')]",
                    "properties": {
                      "privateDnsZoneConfigs": [
                        {
                          "name": "privateDnsZone1",
                          "properties": {
                          "privateDnsZoneId": "[parameters('privateDnsZoneId1')]"
                          }
                        },
                        {
                          "name": "privateDnsZone2",
                          "properties": {
                          "privateDnsZoneId": "[parameters('privateDnsZoneId2')]"
                          }
                        },
                        {
                          "name": "privateDnsZone3",
                          "properties": {
                          "privateDnsZoneId": "[parameters('privateDnsZoneId3')]"
                          }
                        },
                        {
                          "name": "privateDnsZone4",
                          "properties": {
                          "privateDnsZoneId": "[parameters('privateDnsZoneId4')]"
                          }
                        },
                        {
                          "name": "privateDnsZone5",
                          "properties": {
                          "privateDnsZoneId": "[parameters('privateDnsZoneId5')]"
                          }
                        }
                      ]
                    }
                  }
                ]
              },
              "parameters": {
                "privateDnsZoneId1": {
                "value": "[parameters('privateDnsZoneId1')]"
                },
                "privateDnsZoneId2": {
                "value": "[parameters('privateDnsZoneId2')]"
                },
                "privateDnsZoneId3": {
                "value": "[parameters('privateDnsZoneId3')]"
                },
                "privateDnsZoneId4": {
                "value": "[parameters('privateDnsZoneId4')]"
                },
                "privateDnsZoneId5": {
                "value": "[parameters('privateDnsZoneId5')]"
                },
                "privateEndpointName": {
                "value": "[field('name')]"
                },
                "location": {
                "value": "[field('location')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/437914ee-c176-4fff-8986-7e05eb971365",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "437914ee-c176-4fff-8986-7e05eb971365"
}