| JSON |
{
"properties": {
"displayName": "[Preview]: Configure private endpoints on Azure Recovery Services vaults",
"policyType": "BuiltIn",
"mode": "Indexed",
"description": "Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your site recovery resources of Recovery Services vaults, you can reduce data leakage risks. To use private links, managed service identity must be assigned to Recovery Services Vaults. Learn more about private links at: https://docs.microsoft.com/azure/site-recovery/azure-to-azure-how-to-enable-replication-private-endpoints.",
"metadata": {
"version": "1.0.0-preview",
"category": "Site Recovery",
"preview": true
},
"parameters": {
"privateEndpointSubnetId": {
"type": "String",
"metadata": {
"displayName": "Private endpoint subnet id",
"description": "A subnet with private endpoint network policies disabled",
"strongType": "Microsoft.Network/virtualNetworks/subnets"
}
},
"effect": {
"type": "String",
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the policy"
},
"allowedValues": [
"DeployIfNotExists",
"Disabled"
],
"defaultValue": "DeployIfNotExists"
}
},
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.RecoveryServices/vaults"
},
{
"field": "identity.type",
"contains": "Assigned"
},
{
"field": "Microsoft.RecoveryServices/vaults/privateEndpointStateForSiteRecovery",
"equals": "None"
}
]
},
"then": {
"effect": "[parameters('effect')]",
"details": {
"type": "Microsoft.RecoveryServices/vaults/privateEndpointConnections",
"roleDefinitionIds": [
"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7",
"/providers/Microsoft.Authorization/roleDefinitions/6670b86e-a3f7-4917-ac9b-5d6ab1be4567"
],
"deployment": {
"properties": {
"mode": "incremental",
"parameters": {
"name": {
"value": "[field('name')]"
},
"serviceId": {
"value": "[field('id')]"
},
"privateEndpointSubnetId": {
"value": "[parameters('privateEndpointSubnetId')]"
}
},
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"name": {
"type": "string"
},
"serviceId": {
"type": "string"
},
"privateEndpointSubnetId": {
"type": "string"
}
},
"variables": {
"privateEndpointName": "[concat('pe-',substring(parameters('name'),0,min(length(parameters('name')),50)),'-',uniquestring(deployment().name))]"
},
"resources": [
{
"type": "Microsoft.Resources/deployments",
"name": "[variables('privateEndpointName')]",
"apiVersion": "2020-06-01",
"properties": {
"mode": "Incremental",
"expressionEvaluationOptions": {
"scope": "inner"
},
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"serviceId": {
"type": "string"
},
"privateEndpointSubnetId": {
"type": "string"
},
"subnetLocation": {
"type": "string"
}
},
"variables": {
"privateEndpointName": "[deployment().name]"
},
"resources": [
{
"name": "[concat(variables('privateEndpointName'))]",
"type": "Microsoft.Network/privateEndpoints",
"apiVersion": "2020-07-01",
"location": "[parameters('subnetLocation')]",
"tags": {
},
"properties": {
"subnet": {
"id": "[parameters('privateEndpointSubnetId')]"
},
"privateLinkServiceConnections": [
{
"name": "[concat(variables('privateEndpointName'))]",
"properties": {
"privateLinkServiceId": "[parameters('serviceId')]",
"groupIds": [
"AzureSiteRecovery"
],
"requestMessage": "autoapprove"
}
}
],
"manualPrivateLinkServiceConnections": [
]
}
}
]
},
"parameters": {
"serviceId": {
"value": "[parameters('serviceId')]"
},
"privateEndpointSubnetId": {
"value": "[parameters('privateEndpointSubnetId')]"
},
"subnetLocation": {
"value": "[reference(first(take(split(parameters('privateEndpointSubnetId'),'/subnets'),1)),'2020-07-01','Full').location]"
}
}
}
}
]
}
}
}
}
}
}
},
"id": "/providers/Microsoft.Authorization/policyDefinitions/e95a8a5c-0987-421f-84ab-df4d88ebf7d1",
"type": "Microsoft.Authorization/policyDefinitions",
"name": "e95a8a5c-0987-421f-84ab-df4d88ebf7d1"
}
|