Configure Azure Device Update for IoT Hub accounts to use private DNS zones

Azure BuiltIn Policy definition

Alias

Namespace

ResourceType

Path

PathIsDefault

DefaultPath

Modifiable

Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*]

Microsoft.Network

privateEndpoints

properties.privateLinkServiceConnections[*]

True

False

Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]

Microsoft.Network

privateEndpoints

properties.privateLinkServiceConnections[*].properties.groupIds[*]

True

False

Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId

Microsoft.Network

privateEndpoints

properties.privateLinkServiceConnections[*].properties.privateLinkServiceId

True

False

Rows: 1-1 / 1

Records:

Use the filters above each column to filter and limit table data. Advanced searches can be performed by using the following operators:
<, <=, >, >=, =, *, !, {, }, ||,&&, [empty], [nonempty], rgx:
Learn more

TableFilter v0.7.3

https://www.tablefilter.com/
©2015-2025 Max Guglielmi

Page of 1

Initiative DisplayName

Initiative Id

Initiative Category

State

Type

polSet in AzUSGov

Configure Azure PaaS services to use private DNS zones

Deploy-Private-DNS-Zones

Network

ALZ

Date/Time (UTC ymd) (i)

Change type

Change detail

2022-05-16 16:31:13

add

a222b93a-e6c2-4c01-817f-21e092455b2a

{

displayName: "Configure Azure Device Update for IoT Hub accounts to use private DNS zones",
policyType: "BuiltIn",
mode: "Indexed",
description: "Azure Private DNS provides a reliable, secure DNS service to manage and resolve domain names in a virtual network without the need to add a custom DNS solution. You can use private DNS zones to override the DNS resolution by using your own custom domain names for a private endpoint. This policy deploys a private DNS Zone for Device Updatefor IoT Hub private endpoints.",
metadata: {2 items
- version: "1.0.0",
- category: "Internet of Things"
},
parameters: {2 items
- privateDnsZoneId: {2 items
  - type: "String",
  - metadata: {4 items
    - displayName: "Private DNS Zone ID",
    - description: "Specifies the private DNS zone to use to configure private endpoint",
    - strongType: "Microsoft.Network/privateDnsZones",
    - assignPermissions: true
    }
  },
- effect: {4 items
  - type: "String",
  - metadata: {2 items
    - displayName: "Effect",
    - description: "Enable or disable the execution of the policy"
    },
  - allowedValues: [2 items
    - "DeployIfNotExists",
    - "Disabled"
    ],
  - defaultValue: "DeployIfNotExists"
  }
},
policyRule: {2 items
- if: {1 item
  - allOf: [2 items
    - {2 items
      - field: "type",
      - equals: "Microsoft.Network/privateEndpoints"
      },
    - {2 items
      - count: {2 items
        field: "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*]",
        where: {1 item
        allOf: [2 items
        {2 items
        field: "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId",
        contains: "Microsoft.DeviceUpdate/accounts"
        },
        {2 items
        field: "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]",
        equals: "DeviceUpdate"
        }
        ]
        }
        },
      - greaterOrEquals: 1
      }
    ]
  },
- then: {2 items
  - effect: "[parameters('effect')]",
  - details: {3 items
    - type: "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
    - roleDefinitionIds: [2 items
      - "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7" Network Contributor ,
      - "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" Contributor
      ],
    - deployment: {1 item
      - properties: {3 items
        mode: "incremental",
        template: {4 items
        $schema: "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
        contentVersion: "1.0.0.0",
        parameters: {3 items
        privateDnsZoneId: {1 item
        type: "string"
        },
        privateEndpointName: {1 item
        type: "string"
        },
        location: {1 item
        type: "string"
        }
        },
        resources: [1 item
        {5 items
        name: 🔍"[ concat( parameters('privateEndpointName'), '/deployedByPolicy' ) ]",
        type: "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
        apiVersion: "2020-03-01",
        location: "[parameters('location')]",
        properties: {1 item
        privateDnsZoneConfigs: [1 item
        {2 items
        name: "privatelink.azure-devices.net",
        properties: {1 item
        privateDnsZoneId: "[parameters('privateDnsZoneId')]"
        }
        }
        ]
        }
        }
        ]
        },
        parameters: {3 items
        privateDnsZoneId: {1 item
        value: "[parameters('privateDnsZoneId')]"
        },
        privateEndpointName: {1 item
        value: "[field('name')]"
        },
        location: {1 item
        value: "[field('location')]"
        }
        }
        }
      }
    }
  }
}

}