if (1)
• 'Microsoft.HDInsight/clusters'
{
  "displayName": "Azure HDInsight clusters should be injected into a virtual network",
  "policyType": "BuiltIn",
  "mode": "Indexed",
  "description": "Injecting Azure HDInsight clusters in a virtual network unlocks advanced HDInsight networking and security features and provides you with control over your network security configuration.",
  "metadata": { "version": "1.0.0", "category": "HDInsight" },
  "parameters": {
    "effect": {
      "type": "String",
      "metadata": { "displayName": "Effect", "description": "Enable or disable the execution of the policy" },
      "allowedValues": [ "Audit", "Disabled", "Deny" ],
      "defaultValue": "Audit"
    }
  },
  "policyRule": {
    "if": {
      "allOf": [
        { "field": "type", "equals": "Microsoft.HDInsight/clusters" },
        {
          "count": {
            "field": "Microsoft.HDInsight/clusters/computeProfile.roles[*]",
            "where": {
              "anyOf": [
                { "field": "Microsoft.HDInsight/clusters/computeProfile.roles[*].virtualNetworkProfile.id", "exists": false },
                { "field": "Microsoft.HDInsight/clusters/computeProfile.roles[*].virtualNetworkProfile.subnet", "exists": false }
              ]
            }
          },
          "greater": 0
        }
      ]
    },
    "then": { "effect": "[parameters('effect')]" }
  }
}
Used in 10 Policy Set(s):
• DORA 2022 2554 (f9c0485f-da8e-43b5-961e-58ebd54b907c) [Regulatory Compliance] BuiltIn
• FedRAMP High (d5264498-16f4-418a-b659-fa7ef418175f) [Regulatory Compliance] BuiltIn
• FedRAMP Moderate (e95f5a9f-57ad-4d03-bb0b-b1d16db93693) [Regulatory Compliance] BuiltIn
• K ISMS P 2018 (e0782c37-30da-4a78-9f92-50bfe7aa2553) [Regulatory Compliance] BuiltIn
• NIST SP 800-171 Rev. 2 (03055927-78bd-4236-86c0-f36125a10dc9) [Regulatory Compliance] BuiltIn
• NIST SP 800-53 Rev. 4 (cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f) [Regulatory Compliance] BuiltIn
• NIST SP 800-53 Rev. 5 (179d1daa-458f-4e47-8086-2a68d0d6c38f) [Regulatory Compliance] BuiltIn
• NL BIO Cloud Theme (6ce73208-883e-490f-a2ac-44aac3b3687f) [Regulatory Compliance] BuiltIn
• NL BIO Cloud Theme V2 (d8b2ffbe-c6a8-4622-965d-4ade11d1d2ee) [Regulatory Compliance] BuiltIn
• [Preview]: CMMC 2.0 Level 2 (4e50fd13-098b-3206-61d6-d1d78205cb45) [Regulatory Compliance] BuiltIn
if (1)
• 'Microsoft.HDInsight/clusters/diskEncryptionProperties.keyName' (ref)
if (1)
• 'Microsoft.HDInsight/clusters'
Used 10x as a control:
• NZISM_v3.7_14.1.13.C.03. (ref)
• CSA_v4.0.12_CEK_12 (ref)
• RMiT_v1.0_11.5 (ref)
• FedRAMP_Moderate_R4_AU-8 (ref)
• NIST_SP_800-53_R5.1.1_CM.3 (ref)
• ISO_IEC_27002_2022_5.24 (ref)
• Azure_Security_Benchmark_v3.0_PV-5 (ref)
• NIST_SP_800-53_R5_AU-6(1) (ref)
• SWIFT_CSCF_2024_6.4 (ref)
• NIST_SP_800-53_R4_AU-4 (ref)
{
  "displayName": "Azure HDInsight clusters should use customer-managed keys to encrypt data at rest",
  "policyType": "BuiltIn",
  "mode": "Indexed",
  "description": "Use customer-managed keys to manage the encryption at rest of your Azure HDInsight clusters. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/hdi.cmk.",
  "metadata": { "version": "1.0.1", "category": "HDInsight" },
  "parameters": {
    "effect": {
      "type": "String",
      "metadata": { "displayName": "Effect", "description": "Enable or disable the execution of the policy" },
      "allowedValues": [ "Audit", "Deny", "Disabled" ],
      "defaultValue": "Audit"
    }
  },
  "policyRule": {
    "if": {
      "allOf": [
        { "field": "type", "equals": "Microsoft.HDInsight/clusters" },
        { "field": "Microsoft.HDInsight/clusters/diskEncryptionProperties.keyName", "exists": false }
      ]
    },
    "then": { "effect": "[parameters('effect')]" }
  }
}
Used in 10 Policy Set(s):
• DORA 2022 2554 (f9c0485f-da8e-43b5-961e-58ebd54b907c) [Regulatory Compliance] BuiltIn
• FedRAMP High (d5264498-16f4-418a-b659-fa7ef418175f) [Regulatory Compliance] BuiltIn
• FedRAMP Moderate (e95f5a9f-57ad-4d03-bb0b-b1d16db93693) [Regulatory Compliance] BuiltIn
• K ISMS P 2018 (e0782c37-30da-4a78-9f92-50bfe7aa2553) [Regulatory Compliance] BuiltIn
• NIST SP 800-171 Rev. 2 (03055927-78bd-4236-86c0-f36125a10dc9) [Regulatory Compliance] BuiltIn
• NIST SP 800-53 Rev. 4 (cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f) [Regulatory Compliance] BuiltIn
• NIST SP 800-53 Rev. 5 (179d1daa-458f-4e47-8086-2a68d0d6c38f) [Regulatory Compliance] BuiltIn
• NL BIO Cloud Theme (6ce73208-883e-490f-a2ac-44aac3b3687f) [Regulatory Compliance] BuiltIn
• NL BIO Cloud Theme V2 (d8b2ffbe-c6a8-4622-965d-4ade11d1d2ee) [Regulatory Compliance] BuiltIn
• [Preview]: CMMC 2.0 Level 2 (4e50fd13-098b-3206-61d6-d1d78205cb45) [Regulatory Compliance] BuiltIn
if (1)
• 'Microsoft.HDInsight/clusters/diskEncryptionProperties.encryptionAtHost' (ref)
if (1)
• 'Microsoft.HDInsight/clusters'
Used 10x as a control:
• NZISM_v3.7_14.1.13.C.03. (ref)
• CSA_v4.0.12_CEK_12 (ref)
• RMiT_v1.0_11.5 (ref)
• FedRAMP_Moderate_R4_AU-8 (ref)
• NIST_SP_800-53_R5.1.1_CM.3 (ref)
• ISO_IEC_27002_2022_5.24 (ref)
• Azure_Security_Benchmark_v3.0_PV-5 (ref)
• NIST_SP_800-53_R5_AU-6(1) (ref)
• SWIFT_CSCF_2024_6.4 (ref)
• NIST_SP_800-53_R4_AU-4 (ref)
{
  "displayName": "Azure HDInsight clusters should use encryption at host to encrypt data at rest",
  "policyType": "BuiltIn",
  "mode": "Indexed",
  "description": "Enabling encryption at host helps protect and safeguard your data to meet your organizational security and compliance commitments. When you enable encryption at host, data stored on the VM host is encrypted at rest and flows encrypted to the Storage service.",
  "metadata": { "version": "1.0.0", "category": "HDInsight" },
  "parameters": {
    "effect": {
      "type": "String",
      "metadata": { "displayName": "Effect", "description": "Enable or disable the execution of the policy" },
      "allowedValues": [ "Audit", "Deny", "Disabled" ],
      "defaultValue": "Audit"
    }
  },
  "policyRule": {
    "if": {
      "allOf": [
        { "field": "type", "equals": "Microsoft.HDInsight/clusters" },
        {
          "anyOf": [
            { "field": "Microsoft.HDInsight/clusters/diskEncryptionProperties.encryptionAtHost", "exists": false },
            { "field": "Microsoft.HDInsight/clusters/diskEncryptionProperties.encryptionAtHost", "equals": false }
          ]
        }
      ]
    },
    "then": { "effect": "[parameters('effect')]" }
  }
}
Used in 10 Policy Set(s):
• DORA 2022 2554 (f9c0485f-da8e-43b5-961e-58ebd54b907c) [Regulatory Compliance] BuiltIn
• FedRAMP High (d5264498-16f4-418a-b659-fa7ef418175f) [Regulatory Compliance] BuiltIn
• FedRAMP Moderate (e95f5a9f-57ad-4d03-bb0b-b1d16db93693) [Regulatory Compliance] BuiltIn
• K ISMS P 2018 (e0782c37-30da-4a78-9f92-50bfe7aa2553) [Regulatory Compliance] BuiltIn
• NIST SP 800-171 Rev. 2 (03055927-78bd-4236-86c0-f36125a10dc9) [Regulatory Compliance] BuiltIn
• NIST SP 800-53 Rev. 4 (cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f) [Regulatory Compliance] BuiltIn
• NIST SP 800-53 Rev. 5 (179d1daa-458f-4e47-8086-2a68d0d6c38f) [Regulatory Compliance] BuiltIn
• NL BIO Cloud Theme (6ce73208-883e-490f-a2ac-44aac3b3687f) [Regulatory Compliance] BuiltIn
• NL BIO Cloud Theme V2 (d8b2ffbe-c6a8-4622-965d-4ade11d1d2ee) [Regulatory Compliance] BuiltIn
• [Preview]: CMMC 2.0 Level 2 (4e50fd13-098b-3206-61d6-d1d78205cb45) [Regulatory Compliance] BuiltIn
if (1)
• 'Microsoft.HDInsight/clusters/encryptionInTransitProperties.isEncryptionInTransitEnabled' (ref)
if (1)
• 'Microsoft.HDInsight/clusters'
Used 10x as a control:
• NZISM_v3.7_14.1.13.C.03. (ref)
• CSA_v4.0.12_CEK_12 (ref)
• RMiT_v1.0_11.5 (ref)
• FedRAMP_Moderate_R4_AU-8 (ref)
• NIST_SP_800-53_R5.1.1_CM.3 (ref)
• ISO_IEC_27002_2022_5.24 (ref)
• Azure_Security_Benchmark_v3.0_PV-5 (ref)
• NIST_SP_800-53_R5_AU-6(1) (ref)
• SWIFT_CSCF_2024_6.4 (ref)
• NIST_SP_800-53_R4_AU-4 (ref)
{
  "displayName": "Azure HDInsight clusters should use encryption in transit to encrypt communication between Azure HDInsight cluster nodes",
  "policyType": "BuiltIn",
  "mode": "Indexed",
  "description": "Data can be tampered with during transmission between Azure HDInsight cluster nodes. Enabling encryption in transit addresses problems of misuse and tampering during this transmission.",
  "metadata": { "version": "1.0.0", "category": "HDInsight" },
  "parameters": {
    "effect": {
      "type": "String",
      "metadata": { "displayName": "Effect", "description": "Enable or disable the execution of the policy" },
      "allowedValues": [ "Audit", "Deny", "Disabled" ],
      "defaultValue": "Audit"
    }
  },
  "policyRule": {
    "if": {
      "allOf": [
        { "field": "type", "equals": "Microsoft.HDInsight/clusters" },
        {
          "anyOf": [
            { "field": "Microsoft.HDInsight/clusters/encryptionInTransitProperties.isEncryptionInTransitEnabled", "exists": false },
            { "field": "Microsoft.HDInsight/clusters/encryptionInTransitProperties.isEncryptionInTransitEnabled", "equals": false }
          ]
        }
      ]
    },
    "then": { "effect": "[parameters('effect')]" }
  }
}
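The four audit/deny definitions above (virtual network injection, customer-managed keys, encryption at host, encryption in transit) share one shape: an `allOf` on the resource type plus a check that a property is absent or false, or, for the VNet rule, a `count`/`where` over the compute roles. The following is an added example, not code from the AzAdvertizer page or from Microsoft's policy engine: a minimal evaluator for exactly those `if` blocks, run against constructed cluster documents. It implements only the operators the four rules use; the alias mapping (everything after the `Microsoft.HDInsight/clusters/` prefix is read under the resource's `properties`) is an assumption that holds for these aliases but is not the engine's general alias table. A rule that evaluates to true means the `if` matched, so the assigned effect fires: the cluster is reported non-compliant under Audit, and the PUT is rejected under Deny.

```python
# Added example: mini evaluator for the `if` blocks of the four HDInsight
# audit/deny policies. Not from the AzAdvertizer page or Microsoft's engine;
# alias-to-properties mapping is a simplification that holds for these rules.
from typing import Any, Optional, Tuple

MISSING = object()
TYPE = "Microsoft.HDInsight/clusters"
R = TYPE + "/"


def _walk(node: Any, parts: list) -> Any:
    """Follow a dotted path; a '[*]' segment fans out into per-element values."""
    if not parts:
        return node
    head, rest = parts[0], parts[1:]
    if head.endswith("[*]"):
        arr = node.get(head[:-3]) if isinstance(node, dict) else None
        return [_walk(item, rest) for item in arr] if isinstance(arr, list) else MISSING
    if not isinstance(node, dict) or head not in node:
        return MISSING
    return _walk(node[head], rest)


def resolve(resource: dict, alias: str, ctx: Optional[Tuple[str, Any]] = None) -> Any:
    """Resolve an alias. Inside count/where, aliases under the iterated array
    resolve against the current element (ctx = (array alias, element))."""
    if alias == "type":
        return resource.get("type", MISSING)
    if ctx is not None and alias.startswith(ctx[0] + "."):
        return _walk(ctx[1], alias[len(ctx[0]) + 1:].split("."))
    if not alias.startswith(R):
        return MISSING
    return _walk(resource.get("properties", {}), alias[len(R):].split("."))


def evaluate(cond: dict, resource: dict, ctx=None) -> bool:
    """True when the condition matches, i.e. the assigned Audit/Deny effect fires."""
    if "allOf" in cond:
        return all(evaluate(c, resource, ctx) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate(c, resource, ctx) for c in cond["anyOf"])
    if "count" in cond:
        spec = cond["count"]
        items = resolve(resource, spec["field"])
        items = items if isinstance(items, list) else []  # absent array: no members
        n = sum(1 for it in items
                if "where" not in spec or evaluate(spec["where"], resource, (spec["field"], it)))
        return n > cond["greater"] if "greater" in cond else n >= cond["greaterOrEquals"]
    value = resolve(resource, cond["field"], ctx)
    if "exists" in cond:
        return (value is not MISSING) == cond["exists"]
    # string comparison is case-insensitive; booleans compare as "true"/"false"
    return value is not MISSING and str(value).lower() == str(cond["equals"]).lower()


# The `if` blocks of the four definitions above, transcribed as Python literals.
RULES = {
    "vnet-injection": {"allOf": [
        {"field": "type", "equals": TYPE},
        {"count": {"field": R + "computeProfile.roles[*]", "where": {"anyOf": [
            {"field": R + "computeProfile.roles[*].virtualNetworkProfile.id", "exists": False},
            {"field": R + "computeProfile.roles[*].virtualNetworkProfile.subnet", "exists": False}]}},
         "greater": 0}]},
    "customer-managed-key": {"allOf": [
        {"field": "type", "equals": TYPE},
        {"field": R + "diskEncryptionProperties.keyName", "exists": False}]},
    "encryption-at-host": {"allOf": [
        {"field": "type", "equals": TYPE},
        {"anyOf": [{"field": R + "diskEncryptionProperties.encryptionAtHost", "exists": False},
                   {"field": R + "diskEncryptionProperties.encryptionAtHost", "equals": False}]}]},
    "encryption-in-transit": {"allOf": [
        {"field": "type", "equals": TYPE},
        {"anyOf": [{"field": R + "encryptionInTransitProperties.isEncryptionInTransitEnabled", "exists": False},
                   {"field": R + "encryptionInTransitProperties.isEncryptionInTransitEnabled", "equals": False}]}]},
}


def non_compliant(resource: dict) -> list:
    """Names of the rules whose `if` matches the resource."""
    return [name for name, rule in RULES.items() if evaluate(rule, resource)]


# Constructed sample resources (hypothetical IDs, not real ARM responses).
SUBNET = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-hdi"
          "/providers/Microsoft.Network/virtualNetworks/vnet-hdi/subnets/snet-hdi")
VNET = SUBNET.rsplit("/subnets/", 1)[0]


def role(name: str, injected: bool = True) -> dict:
    r = {"name": name, "targetInstanceCount": 2}
    if injected:
        r["virtualNetworkProfile"] = {"id": VNET, "subnet": SUBNET}
    return r


def cluster(name: str, roles: list, disk: dict, transit: Optional[bool]) -> dict:
    props = {"computeProfile": {"roles": roles}, "diskEncryptionProperties": disk}
    if transit is not None:
        props["encryptionInTransitProperties"] = {"isEncryptionInTransitEnabled": transit}
    return {"type": TYPE, "name": name, "properties": props}


CMK = {"vaultUri": "https://kv-example.vault.azure.net/", "keyName": "hdi-cmk"}
HARDENED = cluster("hdi-prod", [role("headnode"), role("workernode")], {**CMK, "encryptionAtHost": True}, True)
# one role outside the VNet, EAH explicitly false, no CMK, EIT property absent
WEAK = cluster("hdi-dev", [role("headnode"), role("zookeepernode", injected=False)], {"encryptionAtHost": False}, None)
EAH_OMITTED = cluster("hdi-test", [role("headnode"), role("workernode")], CMK, True)

if __name__ == "__main__":
    for c in (HARDENED, WEAK, EAH_OMITTED):
        print(c["name"], non_compliant(c))
```

Two details worth noticing in the run: the `anyOf` of `exists: false` and `equals: false` means a cluster that never sets `encryptionAtHost` is treated the same as one that sets it to false, and the customer-managed-key rule checks only that `keyName` is present, not which vault or key version it points at.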
Used in 1 Policy Set(s):
• Evaluate Private Link Usage Across All Supported Azure Resources (7379ef4c-89b0-48b6-a5cc-fd3a75eaef93) [SDN] BuiltIn
if (1)
• 'Microsoft.HDInsight/clusters'
{
  "displayName": "Azure HDInsight should use private link",
  "policyType": "BuiltIn",
  "mode": "Indexed",
  "description": "Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure HDInsight clusters, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/hdi.pl.",
  "metadata": { "version": "1.0.0", "category": "HDInsight" },
  "parameters": {
    "effect": {
      "type": "String",
      "metadata": { "displayName": "Effect", "description": "Enable or disable the execution of the policy" },
      "allowedValues": [ "AuditIfNotExists", "Disabled" ],
      "defaultValue": "AuditIfNotExists"
    }
  },
  "policyRule": {
    "if": {
      "allOf": [
        { "field": "type", "equals": "Microsoft.HDInsight/clusters" },
        {
          "anyOf": [
            { "field": "Microsoft.HDInsight/clusters/networkProperties.privateLink", "equals": "Enabled" },
            { "count": { "field": "Microsoft.HDInsight/clusters/privateLinkConfigurations[*]" }, "greaterOrEquals": 1 }
          ]
        }
      ]
    },
    "then": {
      "effect": "[parameters('effect')]",
      "details": {
        "type": "Microsoft.HDInsight/clusters/privateEndpointConnections",
        "existenceCondition": {
          "field": "Microsoft.HDInsight/clusters/privateEndpointConnections/privateLinkServiceConnectionState.status",
          "equals": "Approved"
        }
      }
    }
  }
}
Used in 1 Policy Set(s):
• Configure Azure PaaS services to use private DNS zones (Deploy-Private-DNS-Zones) [Network] ALZ
{
  "displayName": "Configure Azure HDInsight clusters to use private DNS zones",
  "policyType": "BuiltIn",
  "mode": "Indexed",
  "description": "Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure HDInsight clusters. Learn more at: https://aka.ms/hdi.pl.",
  "metadata": { "version": "1.0.0", "category": "HDInsight" },
  "parameters": {
    "privateDnsZoneId": {
      "type": "String",
      "metadata": {
        "displayName": "Private DNS Zone ID for Azure HDInsight clusters",
        "description": "The private DNS zone name required for Azure HDInsight clusters to resolve a private DNS Zone.",
        "strongType": "Microsoft.Network/privateDnsZones",
        "assignPermissions": true
      }
    },
    "groupId": {
      "type": "String",
      "metadata": { "displayName": "Group ID", "description": "Target group id (sub resource type) for the private endpoint." }
    },
    "effect": {
      "type": "String",
      "metadata": { "displayName": "Effect", "description": "Enable or disable the execution of the policy" },
      "allowedValues": [ "DeployIfNotExists", "Disabled" ],
      "defaultValue": "DeployIfNotExists"
    }
  },
  "policyRule": {
    "if": {
      "allOf": [
        { "field": "type", "equals": "Microsoft.Network/privateEndpoints" },
        {
          "count": {
            "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*]",
            "where": {
              "allOf": [
                { "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId", "contains": "Microsoft.HDInsight/clusters" },
                { "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]", "equals": "[parameters('groupId')]" }
              ]
            }
          },
          "greaterOrEquals": 1
        }
      ]
    },
    "then": {
      "effect": "[parameters('effect')]",
      "details": {
        "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
        "roleDefinitionIds": [ "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7" ],
        "deployment": {
          "properties": {
            "mode": "incremental",
            "template": {
              "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
              "contentVersion": "1.0.0.0",
              "parameters": {
                "privateDnsZoneId": { "type": "string" },
                "privateEndpointName": { "type": "string" },
                "location": { "type": "string" }
              },
              "resources": [
                {
                  "name": "[concat(parameters('privateEndpointName'), '/deployedByPolicy')]",
                  "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
                  "apiVersion": "2020-03-01",
                  "location": "[parameters('location')]",
                  "properties": {
                    "privateDnsZoneConfigs": [
                      { "name": "hdinsightCluster-privateDnsZone", "properties": { "privateDnsZoneId": "[parameters('privateDnsZoneId')]" } }
                    ]
                  }
                }
              ]
            },
            "parameters": {
              "privateDnsZoneId": { "value": "[parameters('privateDnsZoneId')]" },
              "privateEndpointName": { "value": "[field('name')]" },
              "location": { "value": "[field('location')]" }
            }
          }
        }
      }
    }
  }
}
if (1)
• 'Microsoft.HDInsight/clusters'
thenDeployment (2)
• 'Microsoft.Network/privateEndpoints'
• 'Microsoft.Resources/deployments'
{
  "displayName": "Configure Azure HDInsight clusters with private endpoints",
  "policyType": "BuiltIn",
  "mode": "Indexed",
  "description": "Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure HDInsight clusters, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/hdi.pl.",
  "metadata": { "version": "1.0.0", "category": "HDInsight" },
  "parameters": {
    "privateEndpointSubnetId": {
      "type": "String",
      "metadata": {
        "displayName": "Private endpoint subnet ID",
        "description": "A subnet with private endpoint network policies disabled.",
        "strongType": "Microsoft.Network/virtualNetworks/subnets"
      }
    },
    "groupId": {
      "type": "String",
      "metadata": { "displayName": "Group ID", "description": "Target group id (sub resource type) for the private endpoint." }
    },
    "effect": {
      "type": "String",
      "metadata": { "displayName": "Effect", "description": "Enable or disable the execution of the policy" },
      "allowedValues": [ "DeployIfNotExists", "Disabled" ],
      "defaultValue": "DeployIfNotExists"
    }
  },
  "policyRule": {
    "if": {
      "allOf": [
        { "field": "type", "equals": "Microsoft.HDInsight/clusters" },
        {
          "anyOf": [
            { "field": "Microsoft.HDInsight/clusters/networkProperties.privateLink", "equals": "Enabled" },
            { "count": { "field": "Microsoft.HDInsight/clusters/privateLinkConfigurations[*]" }, "greaterOrEquals": 1 }
          ]
        }
      ]
    },
    "then": {
      "effect": "[parameters('effect')]",
      "details": {
        "type": "Microsoft.HDInsight/clusters/privateEndpointConnections",
        "existenceCondition": {
          "field": "Microsoft.HDInsight/clusters/privateEndpointConnections/privateLinkServiceConnectionState.status",
          "equals": "Approved"
        },
        "roleDefinitionIds": [ "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" ],
        "deployment": {
          "properties": {
            "mode": "incremental",
            "parameters": {
              "name": { "value": "[field('name')]" },
              "serviceId": { "value": "[field('id')]" },
              "groupId": { "value": "[parameters('groupId')]" },
              "privateEndpointSubnetId": { "value": "[parameters('privateEndpointSubnetId')]" }
            },
            "template": {
              "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
              "contentVersion": "1.0.0.0",
              "parameters": {
                "name": { "type": "string" },
                "serviceId": { "type": "string" },
                "groupId": { "type": "string" },
                "privateEndpointSubnetId": { "type": "string" }
              },
              "variables": {
                "privateEndpointName": "[concat('pe-',substring(parameters('name'),0,min(length(parameters('name')),50)),'-',uniquestring(deployment().name))]"
              },
              "resources": [
                {
                  "type": "Microsoft.Resources/deployments",
                  "name": "[variables('privateEndpointName')]",
                  "apiVersion": "2020-06-01",
                  "properties": {
                    "mode": "Incremental",
                    "expressionEvaluationOptions": { "scope": "inner" },
                    "template": {
                      "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                      "contentVersion": "1.0.0.0",
                      "parameters": {
                        "serviceId": { "type": "string" },
                        "privateEndpointSubnetId": { "type": "string" },
                        "groupId": { "type": "string" },
                        "subnetLocation": { "type": "string" }
                      },
                      "variables": { "privateEndpointName": "[deployment().name]" },
                      "resources": [
                        {
                          "name": "[variables('privateEndpointName')]",
                          "type": "Microsoft.Network/privateEndpoints",
                          "apiVersion": "2020-07-01",
                          "location": "[parameters('subnetLocation')]",
                          "tags": {},
                          "properties": {
                            "subnet": { "id": "[parameters('privateEndpointSubnetId')]" },
                            "privateLinkServiceConnections": [
                              {
                                "name": "[variables('privateEndpointName')]",
                                "properties": {
                                  "privateLinkServiceId": "[parameters('serviceId')]",
                                  "groupIds": [ "[parameters('groupId')]" ],
                                  "requestMessage": "Request to auto approve."
                                }
                              }
                            ],
                            "manualPrivateLinkServiceConnections": []
                          }
                        }
                      ]
                    },
                    "parameters": {
                      "serviceId": { "value": "[parameters('serviceId')]" },
                      "groupId": { "value": "[parameters('groupId')]" },
                      "privateEndpointSubnetId": { "value": "[parameters('privateEndpointSubnetId')]" },
                      "subnetLocation": { "value": "[reference(first(take(split(parameters('privateEndpointSubnetId'),'/subnets'),1)),'2020-07-01','Full').location]" }
                    }
                  }
                }
              ]
            }
          }
        }
      }
    }
  }
}
Used in 1 Policy Set(s):
• [Deprecated]: Deploy Diagnostic Settings to Azure Services (Deploy-Diagnostics-LogAnalytics) [Monitoring] ALZ
if (1)
• 'Microsoft.HDInsight/clusters'
{
  "policyType": "Custom",
  "mode": "Indexed",
  "displayName": "[Deprecated]: Deploy Diagnostic Settings for HDInsight to Log Analytics workspace",
  "description": "Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
  "metadata": {
    "deprecated": true,
    "version": "1.1.0-deprecated",
    "category": "Monitoring",
    "source": "https://github.com/Azure/Enterprise-Scale/",
    "alzCloudEnvironments": [ "AzureCloud", "AzureChinaCloud", "AzureUSGovernment" ]
  },
  "parameters": {
    "logAnalytics": {
      "type": "String",
      "metadata": {
        "displayName": "Log Analytics workspace",
        "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
        "strongType": "omsWorkspace"
      }
    },
    "effect": {
      "type": "String",
      "defaultValue": "DeployIfNotExists",
      "allowedValues": [ "DeployIfNotExists", "Disabled" ],
      "metadata": { "displayName": "Effect", "description": "Enable or disable the execution of the policy" }
    },
    "profileName": {
      "type": "String",
      "defaultValue": "setbypolicy",
      "metadata": { "displayName": "Profile name", "description": "The diagnostic settings profile name" }
    },
    "metricsEnabled": {
      "type": "String",
      "defaultValue": "True",
      "allowedValues": [ "True", "False" ],
      "metadata": { "displayName": "Enable metrics", "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" }
    }
  },
  "policyRule": {
    "if": { "field": "type", "equals": "Microsoft.HDInsight/clusters" },
    "then": {
      "effect": "[parameters('effect')]",
      "details": {
        "type": "Microsoft.Insights/diagnosticSettings",
        "name": "[parameters('profileName')]",
        "existenceCondition": {
          "allOf": [
            { "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", "equals": "true" },
            { "field": "Microsoft.Insights/diagnosticSettings/workspaceId", "equals": "[parameters('logAnalytics')]" }
          ]
        },
        "roleDefinitionIds": [
          "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
          "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
        ],
        "deployment": {
          "properties": {
            "mode": "Incremental",
            "template": {
              "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
              "contentVersion": "1.0.0.0",
              "parameters": {
                "resourceName": { "type": "String" },
                "logAnalytics": { "type": "String" },
                "location": { "type": "String" },
                "profileName": { "type": "String" },
                "metricsEnabled": { "type": "String" }
              },
              "variables": {},
              "resources": [
                {
                  "type": "Microsoft.HDInsight/clusters/providers/diagnosticSettings",
                  "apiVersion": "2017-05-01-preview",
                  "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
                  "location": "[parameters('location')]",
                  "dependsOn": [],
                  "properties": {
                    "workspaceId": "[parameters('logAnalytics')]",
                    "metrics": [
                      {
                        "category": "AllMetrics",
                        "enabled": "[parameters('metricsEnabled')]",
                        "retentionPolicy": { "days": 0, "enabled": false },
                        "timeGrain": null
                      }
                    ],
                    "logs": []
                  }
                }
              ],
              "outputs": {}
            },
            "parameters": {
              "logAnalytics": { "value": "[parameters('logAnalytics')]" },
              "location": { "value": "[field('location')]" },
              "resourceName": { "value": "[field('name')]" },
              "profileName": { "value": "[parameters('profileName')]" },
              "metricsEnabled": { "value": "[parameters('metricsEnabled')]" }
            }
          }
        }
      }
    }
  }
}
Used in 1 Policy Set(s):
• [Preview]: Resources should be Zone Resilient (130fb88f-0fc9-4678-bfe1-31022d71c7d5) [Resilience] BuiltIn
if (1)
• 'Microsoft.HDInsight/clusters/zones[*]' (ref)
if (1)
• 'Microsoft.HDInsight/Clusters'
{ "displayName": "[Preview]: Azure HDInsight should be Zone Aligned", "policyType": "BuiltIn", "mode": "Indexed", "description": "Azure HDInsight can be configured to be Zone Aligned or not. Azure HDInsight that has exactly one entry in its zones array is considered Zone Aligned. This policy ensures that an Azure HDInsight cluster is configured to operate within a single availability zone.", "metadata": { "category": "Resilience", "version": "1.0.0-preview", "preview": true }, "parameters": { "effect": { "type": "String", "metadata": { "displayName": "Effect", "description": "This parameter lets you choose the effect of the policy. If you choose Audit (default), the policy will only audit resources for compliance. If you choose Deny, the policy will deny the creation of non-compliant resources. If you choose Disabled, the policy will not enforce compliance (useful, for example, as a second assignment to ignore a subset of non-compliant resources in a single resource group)." }, "allowedValues": [ "Audit", "Deny", "Disabled" ], "defaultValue": "Audit" } }, "policyRule": { "if": { "allOf": [ { "field": "type", "equals": "Microsoft.HDInsight/Clusters" }, { "not": { "count": { "field": "Microsoft.HDInsight/clusters/zones[*]" }, "equals": 1 } } ] }, "then": { "effect": "[parameters('effect')]" } } }