AzPolicyAdvertizer

last sync: 2025-Sep-22 17:23:02 UTC

Configure App Service apps to use private DNS zones

Azure BuiltIn Policy definition

Source

Azure Portal

Display name

Configure App Service apps to use private DNS zones

b318f84a-b872-429b-ac6d-a01b96814452

Version

1.1.0
Details on versioning

Versioning

Versions supported for Versioning: 2
1.1.0
1.0.1
Built-in Versioning [Preview]

Category

App Service
Microsoft Learn

Description

Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links a virtual network to an App Service. Learn more at: https://docs.microsoft.com/azure/app-service/networking/private-endpoint#dns.

Cloud environments

AzureCloud = true
AzureUSGovernment = unknown
AzureChinaCloud = unknown

Available in AzUSGov

Unknown, no evidence if Policy definition is/not available in AzureUSGovernment

Mode

Indexed

Type

BuiltIn

Preview

False

Deprecated

False

Effect

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

RBAC role(s)

Role Name	Role Id
Network Contributor	4d97b98b-1d4f-4787-a291-c67834d212e7

Rule aliases

IF (3)

Alias	Namespace	ResourceType	Path	PathIsDefault	Modifiable
Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*]	Microsoft.Network	privateEndpoints	properties.privateLinkServiceConnections[*]	True	False
Microsoft.Network/privateEndpoints/privateLinkServiceConnections[].groupIds[]	Microsoft.Network	privateEndpoints	properties.privateLinkServiceConnections[].properties.groupIds[]	True	False
Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId	Microsoft.Network	privateEndpoints	properties.privateLinkServiceConnections[*].properties.privateLinkServiceId	True	False

Rule resource types

IF (2)

Microsoft.Network/privateEndpoints
Microsoft.Web/sites

THEN-Deployment (1)

Microsoft.Network/privateEndpoints/privateDnsZoneGroups

Compliance

Not a Compliance control

Initiatives usage

Rows: 1-1 / 1
Records:
Use the filters above each column to filter and limit table data. Advanced searches can be performed by using the following operators:
<, <=, >, >=, =, *, !, {, }, ||,&&, **[empty]**, **[nonempty]**, **rgx:**
Learn more
TableFilter v0.7.3
https://www.tablefilter.com/
©2015-2025 Max Guglielmi
Close
?
Page of 1
Initiative DisplayName	Initiative Id	Initiative Category	State	Type	polSet in AzUSGov

Configure Azure PaaS services to use private DNS zones	Deploy-Private-DNS-Zones	Network	GA	ALZ

History

Date/Time (UTC ymd) (i)	Change type	Change detail
2025-09-05 17:23:04	change	Minor (1.0.1 > 1.1.0)
2022-07-01 16:32:34	change	Patch (1.0.0 > 1.0.1)
2021-06-22 14:29:30	add	b318f84a-b872-429b-ac6d-a01b96814452

JSON compare

compare mode: version left: version right:

1.0.1 → 1.1.0 RENAMED Viewed

@@ -1,11 +1,11 @@
 {
-    "displayName": "Configure App Services to use private DNS zones",
     "policyType": "BuiltIn",
     "mode": "Indexed",
     "description": "Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links a virtual network to an App Service. Learn more at: https://docs.microsoft.com/azure/app-service/networking/private-endpoint#dns.",
     "metadata": {
-        "version": "1.0.1",
         "category": "App Service"
     },
     "parameters": {
         "privateDnsZoneId": {
@@ -46,9 +46,9 @@
                                     "contains": "Microsoft.Web/sites"
                                 },
                                 {
                                     "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]",
-                                    "equals": "sites"
                                 }
                             ]
                         }
                     },

 {
+    "displayName": "Configure App Service apps to use private DNS zones",
     "policyType": "BuiltIn",
     "mode": "Indexed",
     "description": "Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links a virtual network to an App Service. Learn more at: https://docs.microsoft.com/azure/app-service/networking/private-endpoint#dns.",
     "metadata": {
+        "version": "1.1.0",
         "category": "App Service"
     },
     "parameters": {
         "privateDnsZoneId": {
                                     "contains": "Microsoft.Web/sites"
                                 },
                                 {
                                     "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]",
+                                    "contains": "sites"
                                 }
                             ]
                         }
                     },

JSON

api-version=2021-06-01
EPAC

{7 itemsdisplayName: "Configure App Service apps to use private DNS zones",
policyType: "BuiltIn",
mode: "Indexed",
description: "Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links a virtual network to an App Service. Learn more at: https://docs.microsoft.com/azure/app-service/networking/private-endpoint#dns.",
metadata: {2 itemsversion: "1.1.0",
category: "App Service"
},
parameters: {2 itemsprivateDnsZoneId: {2 itemstype: "String",
metadata: {3 itemsdisplayName: "Private Dns Zone Id",
description: "The private DNS zone to deploy in a new private DNS zone group and link to the private endpoint",
strongType: "Microsoft.Network/privateDnsZones"
}
},
effect: {4 itemstype: "String",
metadata: {2 itemsdisplayName: "Effect",
description: "Enable or disable the execution of the policy"
},
allowedValues: [2 items"DeployIfNotExists",
"Disabled"
],
defaultValue: "DeployIfNotExists"
}
},
policyRule: {2 itemsif: {1 itemallOf: [2 items{2 itemsfield: "type",
equals: "Microsoft.Network/privateEndpoints"
},
{2 itemscount: {2 itemsfield: "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*]",
where: {1 itemallOf: [2 items{2 itemsfield: "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId",
contains: "Microsoft.Web/sites"
},
{2 itemsfield: "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]",
contains: "sites"
}
]
}
},
greaterOrEquals: 1
}
]
},
then: {2 itemseffect: "[parameters('effect')]",
details: {3 itemstype: "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
roleDefinitionIds: [1 item"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7" Network Contributor 
],
deployment: {1 itemproperties: {3 itemsmode: "incremental",
template: {4 items$schema: "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
contentVersion: "1.0.0.0",
parameters: {3 itemsprivateDnsZoneId: {1 itemtype: "string"
},
privateEndpointName: {1 itemtype: "string"
},
location: {1 itemtype: "string"
}
},
resources: [1 item{5 itemsname: 🔍"[
    concat(
        parameters('privateEndpointName'),
       '/deployedByPolicy'
    )
]",
type: "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
apiVersion: "2020-03-01",
location: "[parameters('location')]",
properties: {1 itemprivateDnsZoneConfigs: [1 item{2 itemsname: "websites-privateDnsZone",
properties: {1 itemprivateDnsZoneId: "[parameters('privateDnsZoneId')]"
}
}
]
}
}
]
},
parameters: {3 itemsprivateDnsZoneId: {1 itemvalue: "[parameters('privateDnsZoneId')]"
},
privateEndpointName: {1 itemvalue: "[field('name')]"
},
location: {1 itemvalue: "[field('location')]"
}
}
}
}
}
}
}
}

Configure App Service apps to use private DNS zones

Azure BuiltIn Policy definition

TableFilter v0.7.3