last sync: 2021-Nov-26 17:15:01 UTC

Azure Policy definition

[Preview]: Configure private endpoints on Azure Recovery Services vaults

Name [Preview]: Configure private endpoints on Azure Recovery Services vaults
Azure Portal
Id e95a8a5c-0987-421f-84ab-df4d88ebf7d1
Version 1.0.0-preview
details on versioning
Category Site Recovery
Microsoft docs
Description Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your site recovery resources of Recovery Services vaults, you can reduce data leakage risks. To use private links, managed service identity must be assigned to Recovery Services Vaults. Learn more about private links at: https://docs.microsoft.com/azure/site-recovery/azure-to-azure-how-to-enable-replication-private-endpoints.
Mode Indexed
Type BuiltIn
Preview True
Deprecated FALSE
Effect Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Used RBAC Role
Role Name Role Id
Network Contributor 4d97b98b-1d4f-4787-a291-c67834d212e7
Site Recovery Contributor 6670b86e-a3f7-4917-ac9b-5d6ab1be4567
History
Date/Time (UTC ymd) (i) Change type Change detail
2021-05-26 13:43:16 add e95a8a5c-0987-421f-84ab-df4d88ebf7d1
Used in Initiatives none
JSON
{
  "displayName": "[Preview]: Configure private endpoints on Azure Recovery Services vaults",
  "policyType": "BuiltIn",
  "mode": "Indexed",
  "description": "Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your site recovery resources of Recovery Services vaults, you can reduce data leakage risks. To use private links, managed service identity must be assigned to Recovery Services Vaults. Learn more about private links at: https://docs.microsoft.com/azure/site-recovery/azure-to-azure-how-to-enable-replication-private-endpoints.",
  "metadata": {
    "version": "1.0.0-preview",
    "category": "Site Recovery",
    "preview": true
  },
  "parameters": {
    "privateEndpointSubnetId": {
      "type": "String",
      "metadata": {
        "displayName": "Private endpoint subnet id",
        "description": "A subnet with private endpoint network policies disabled",
        "strongType": "Microsoft.Network/virtualNetworks/subnets"
      }
    },
    "effect": {
      "type": "String",
      "metadata": {
        "displayName": "Effect",
        "description": "Enable or disable the execution of the policy"
      },
      "allowedValues": [
        "DeployIfNotExists",
        "Disabled"
      ],
      "defaultValue": "DeployIfNotExists"
    }
  },
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.RecoveryServices/vaults"
        },
        {
          "field": "identity.type",
          "contains": "Assigned"
        },
        {
          "field": "Microsoft.RecoveryServices/vaults/privateEndpointStateForSiteRecovery",
          "equals": "None"
        }
      ]
    },
    "then": {
      "effect": "[parameters('effect')]",
      "details": {
        "type": "Microsoft.RecoveryServices/vaults/privateEndpointConnections",
        "roleDefinitionIds": [
          "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7",
          "/providers/Microsoft.Authorization/roleDefinitions/6670b86e-a3f7-4917-ac9b-5d6ab1be4567"
        ],
        "deployment": {
          "properties": {
            "mode": "incremental",
            "parameters": {
              "name": {
                "value": "[field('name')]"
              },
              "serviceId": {
                "value": "[field('id')]"
              },
              "privateEndpointSubnetId": {
                "value": "[parameters('privateEndpointSubnetId')]"
              }
            },
            "template": {
              "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
              "contentVersion": "1.0.0.0",
              "parameters": {
                "name": {
                  "type": "string"
                },
                "serviceId": {
                  "type": "string"
                },
                "privateEndpointSubnetId": {
                  "type": "string"
                }
              },
              "variables": {
                "privateEndpointName": "[concat('pe-',substring(parameters('name'),0,min(length(parameters('name')),50)),'-',uniquestring(deployment().name))]"
              },
              "resources": [
                {
                  "type": "Microsoft.Resources/deployments",
                  "name": "[variables('privateEndpointName')]",
                  "apiVersion": "2020-06-01",
                  "properties": {
                    "mode": "Incremental",
                    "expressionEvaluationOptions": {
                      "scope": "inner"
                    },
                    "template": {
                      "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                      "contentVersion": "1.0.0.0",
                      "parameters": {
                        "serviceId": {
                          "type": "string"
                        },
                        "privateEndpointSubnetId": {
                          "type": "string"
                        },
                        "subnetLocation": {
                          "type": "string"
                        }
                      },
                      "variables": {
                        "privateEndpointName": "[deployment().name]"
                      },
                      "resources": [
                        {
                          "name": "[concat(variables('privateEndpointName'))]",
                          "type": "Microsoft.Network/privateEndpoints",
                          "apiVersion": "2020-07-01",
                          "location": "[parameters('subnetLocation')]",
                          "tags": {},
                          "properties": {
                            "subnet": {
                              "id": "[parameters('privateEndpointSubnetId')]"
                            },
                            "privateLinkServiceConnections": [
                              {
                                "name": "[concat(variables('privateEndpointName'))]",
                                "properties": {
                                  "privateLinkServiceId": "[parameters('serviceId')]",
                                  "groupIds": [
                                    "AzureSiteRecovery"
                                  ],
                                  "requestMessage": "autoapprove"
                                }
                              }
                            ],
                            "manualPrivateLinkServiceConnections": []
                          }
                        }
                      ]
                    },
                    "parameters": {
                      "serviceId": {
                        "value": "[parameters('serviceId')]"
                      },
                      "privateEndpointSubnetId": {
                        "value": "[parameters('privateEndpointSubnetId')]"
                      },
                      "subnetLocation": {
                        "value": "[reference(first(take(split(parameters('privateEndpointSubnetId'),'/subnets'),1)),'2020-07-01','Full').location]"
                      }
                    }
                  }
                }
              ]
            }
          }
        }
      }
    }
  }
}