last sync: 2021-May-10 15:04:35 UTC

Azure Policy definition

Deploy - Configure Azure IoT Hubs with private endpoints

Name Deploy - Configure Azure IoT Hubs with private endpoints
Id bf684997-3909-404e-929c-d4a38ed23b2e
Version 1.0.0
Category Internet of Things
Description A private endpoint is a private IP address allocated inside a customer-owned virtual network via which an Azure resource is reachable. This policy deploys a private endpoint for your IoT hub to allow services inside your virtual network to reach IoT Hub without requiring traffic to be sent to IoT Hub's public endpoint.
Mode Indexed
Type BuiltIn
Preview FALSE
Deprecated FALSE
Effect Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Used RBAC Role
Role Name Role Id
Network Contributor 4d97b98b-1d4f-4787-a291-c67834d212e7
Contributor b24988ac-6180-42a0-ab88-20f7382dd24c
History
Date/Time (UTC ymd) Change type Change detail
2021-03-02 15:11:40 add bf684997-3909-404e-929c-d4a38ed23b2e
Used in Initiatives none
JSON
{
  "properties": {
    "displayName": "Deploy - Configure Azure IoT Hubs with private endpoints",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "A private endpoint is a private IP address allocated inside a customer-owned virtual network via which an Azure resource is reachable. This policy deploys a private endpoint for your IoT hub to allow services inside your virtual network to reach IoT Hub without requiring traffic to be sent to IoT Hub's public endpoint.",
    "metadata": {
      "version": "1.0.0",
      "category": "Internet of Things"
    },
    "parameters": {
      "privateEndpointSubnetId": {
        "type": "String",
        "metadata": {
          "displayName": "Private endpoint subnet id",
          "description": "A subnet with private endpoint network policies disabled.",
          "strongType": "Microsoft.Network/virtualNetworks/subnets"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Devices/IotHubs"
      },
      "then": {
      "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Devices/IotHubs/PrivateEndpointConnections",
          "existenceCondition": {
            "field": "Microsoft.Devices/IotHubs/PrivateEndpointConnections/privateLinkServiceConnectionState.status",
            "equals": "Approved"
          },
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7",
            "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "name": {
                "value": "[field('name')]"
                },
                "serviceId": {
                "value": "[field('id')]"
                },
                "privateEndpointSubnetId": {
                "value": "[parameters('privateEndpointSubnetId')]"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "name": {
                    "type": "string"
                  },
                  "serviceId": {
                    "type": "string"
                  },
                  "privateEndpointSubnetId": {
                    "type": "string"
                  }
                },
                "variables": {
                "privateEndpointName": "[concat('pe-',substring(parameters('name'),0,min(length(parameters('name')),50)),'-',uniquestring(deployment().name))]"
                },
                "resources": [
                  {
                    "type": "Microsoft.Resources/deployments",
                  "name": "[variables('privateEndpointName')]",
                    "apiVersion": "2020-06-01",
                    "properties": {
                      "mode": "Incremental",
                      "expressionEvaluationOptions": {
                        "scope": "inner"
                      },
                      "template": {
                        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                        "contentVersion": "1.0.0.0",
                        "parameters": {
                          "serviceId": {
                            "type": "string"
                          },
                          "privateEndpointSubnetId": {
                            "type": "string"
                          },
                          "subnetLocation": {
                            "type": "string"
                          }
                        },
                        "variables": {
                        "privateEndpointName": "[deployment().name]"
                        },
                        "resources": [
                          {
                          "name": "[variables('privateEndpointName')]",
                            "type": "Microsoft.Network/privateEndpoints",
                            "apiVersion": "2020-07-01",
                          "location": "[parameters('subnetLocation')]",
                            "tags": {
                              
                            },
                            "properties": {
                              "subnet": {
                              "id": "[parameters('privateEndpointSubnetId')]"
                              },
                              "privateLinkServiceConnections": [
                                {
                                "name": "[variables('privateEndpointName')]",
                                  "properties": {
                                  "privateLinkServiceId": "[parameters('serviceId')]",
                                    "groupIds": [
                                      "iotHub"
                                    ],
                                    "requestMessage": "autoapprove"
                                  }
                                }
                              ],
                              "manualPrivateLinkServiceConnections": [
                                
                              ]
                            }
                          }
                        ]
                      },
                      "parameters": {
                        "serviceId": {
                        "value": "[parameters('serviceId')]"
                        },
                        "privateEndpointSubnetId": {
                        "value": "[parameters('privateEndpointSubnetId')]"
                        },
                        "subnetLocation": {
                        "value": "[reference(first(take(split(parameters('privateEndpointSubnetId'),'/subnets'),1)),'2020-07-01','Full').location]"
                        }
                      }
                    }
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/bf684997-3909-404e-929c-d4a38ed23b2e",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "bf684997-3909-404e-929c-d4a38ed23b2e"
}