AzInitiativeAdvertizer

last sync: 2025-Oct-31 18:22:44 UTC

Configure Azure PaaS services to use private DNS zones

Azure Landing Zones (ALZ) Policy Initiative (PolicySet)

Source

Repository Azure Landing Zones (ALZ) GitHub
JSON Deploy-Private-DNS-Zones

Display name

Configure Azure PaaS services to use private DNS zones

Id

Deploy-Private-DNS-Zones

Version

2.4.0
Details on versioning

Category

Network

Description

This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones

Cloud environments

AzureCloud

Type

Custom Azure Landing Zones (ALZ)

Deprecated

False

Preview

False

Policy-used summary

Policy types	Policy states	Policy categories
Total Policies: 48 Builtin Policies: 48 Static Policies: 0 ALZ Policies: 0	Deprecated: 3 GA: 54 Preview: 2	32 categories: App Configuration: 1 App Service: 1 Automation: 2 Azure Arc: 1 Azure Databricks: 2 Backup: 1 Batch: 1 Bot Service: 1 Cache: 1 Cognitive Services: 1 Compute: 1 Container Registry: 1 Cosmos DB: 5 Data Factory: 2 Desktop Virtualization: 2 Event Grid: 2 Event Hub: 1 HDInsight: 1 Internet of Things: 4 Key Vault: 1 Machine Learning: 1 Managed Grafana: 1 Media Services: 3 Migrate: 1 Monitoring: 1 Search: 1 Service Bus: 1 SignalR: 1 Site Recovery: 1 Storage: 12 Synapse: 3 Web PubSub: 1

Policy-used

Policy DisplayName	Policy Id	Category	Effect	Roles#	Roles	State	Type	policy in AzUSGov
[Deprecated]: Configure Azure Media Services to use private DNS zones	b4a7f6c1-585e-4177-ad5b-c2c93f4bb991	Media Services	Default Disabled Allowed DeployIfNotExists, Disabled	1	Network Contributor	Deprecated	BuiltIn	unknown
[Preview]: Configure Azure Recovery Services vaults to use private DNS zones	942bd215-1a66-44be-af65-6a1c0318dbe2	Site Recovery	Default DeployIfNotExists Allowed DeployIfNotExists, Disabled	1	Network Contributor	Preview	BuiltIn	unknown
[Preview]: Configure Recovery Services vaults to use private DNS zones for backup	af783da1-4ad1-42be-800d-d19c70038820	Backup	Default DeployIfNotExists Allowed DeployIfNotExists, Disabled	1	Network Contributor	Preview	BuiltIn	unknown
Configure a private DNS Zone ID for blob groupID	75973700-529f-4de2-b794-fb9b6781b6b0	Storage	Default DeployIfNotExists Allowed DeployIfNotExists, Disabled	1	Network Contributor	GA	BuiltIn	unknown
Configure a private DNS Zone ID for blob_secondary groupID	d847d34b-9337-4e2d-99a5-767e5ac9c582	Storage	Default DeployIfNotExists Allowed DeployIfNotExists, Disabled	1	Network Contributor	GA	BuiltIn	unknown
Configure a private DNS Zone ID for dfs groupID	83c6fe0f-2316-444a-99a1-1ecd8a7872ca	Storage	Default DeployIfNotExists Allowed DeployIfNotExists, Disabled	1	Network Contributor	GA	BuiltIn	unknown
Configure a private DNS Zone ID for dfs_secondary groupID	90bd4cb3-9f59-45f7-a6ca-f69db2726671	Storage	Default DeployIfNotExists Allowed DeployIfNotExists, Disabled	1	Network Contributor	GA	BuiltIn	unknown
Configure a private DNS Zone ID for file groupID	6df98d03-368a-4438-8730-a93c4d7693d6	Storage	Default DeployIfNotExists Allowed DeployIfNotExists, Disabled	1	Network Contributor	GA	BuiltIn	unknown
Configure a private DNS Zone ID for queue groupID	bcff79fb-2b0d-47c9-97e5-3023479b00d1	Storage	Default DeployIfNotExists Allowed DeployIfNotExists, Disabled	1	Network Contributor	GA	BuiltIn	unknown
Configure a private DNS Zone ID for queue_secondary groupID	da9b4ae8-5ddc-48c5-b9c0-25f8abf7a3d6	Storage	Default DeployIfNotExists Allowed DeployIfNotExists, Disabled	1	Network Contributor	GA	BuiltIn	unknown
Configure a private DNS Zone ID for table groupID	028bbd88-e9b5-461f-9424-a1b63a7bee1a	Storage	Default DeployIfNotExists Allowed DeployIfNotExists, Disabled	1	Network Contributor	GA	BuiltIn	unknown
Configure a private DNS Zone ID for table_secondary groupID	c1d634a5-f73d-4cdd-889f-2cc7006eb47f	Storage	Default DeployIfNotExists Allowed DeployIfNotExists, Disabled	1	Network Contributor	GA	BuiltIn	unknown
Configure a private DNS Zone ID for web groupID	9adab2a5-05ba-4fbd-831a-5bf958d04218	Storage	Default DeployIfNotExists Allowed DeployIfNotExists, Disabled	1	Network Contributor	GA	BuiltIn	unknown
Configure a private DNS Zone ID for web_secondary groupID	d19ae5f1-b303-4b82-9ca8-7682749faf0c	Storage	Default DeployIfNotExists Allowed DeployIfNotExists, Disabled	1	Network Contributor	GA	BuiltIn	unknown
Configure App Service apps to use private DNS zones	b318f84a-b872-429b-ac6d-a01b96814452	App Service	Default DeployIfNotExists Allowed DeployIfNotExists, Disabled	1	Network Contributor	GA	BuiltIn	unknown
Configure Azure AI Search services to use private DNS zones	fbc14a67-53e4-4932-abcc-2049c6706009	Search	Default DeployIfNotExists Allowed DeployIfNotExists, Disabled	1	Network Contributor	GA	BuiltIn	unknown
Configure Azure Arc Private Link Scopes to use private DNS zones	55c4db33-97b0-437b-8469-c4f4498f5df9	Azure Arc	Default DeployIfNotExists Allowed DeployIfNotExists, Disabled	1	Network Contributor	GA	BuiltIn	unknown
Configure Azure Automation accounts with private DNS zones	6dd01e4f-1be1-4e80-9d0b-d109e04cb064	Automation	Default DeployIfNotExists Allowed DeployIfNotExists, Disabled	1	Network Contributor	GA	BuiltIn	unknown
Configure Azure Cache for Redis to use private DNS zones	e016b22b-e0eb-436d-8fd7-160c4eaed6e2	Cache	Default DeployIfNotExists Allowed DeployIfNotExists, Disabled	1	Network Contributor	GA	BuiltIn	unknown
Configure Azure Databricks workspace to use private DNS zones	0eddd7f3-3d9b-4927-a07a-806e8ac9486c	Azure Databricks	Default DeployIfNotExists Allowed DeployIfNotExists, Disabled	1	Network Contributor	GA	BuiltIn	unknown
Configure Azure Device Update for IoT Hub accounts to use private DNS zones	a222b93a-e6c2-4c01-817f-21e092455b2a	Internet of Things	Default DeployIfNotExists Allowed DeployIfNotExists, Disabled	2	Contributor, Network Contributor	GA	BuiltIn	unknown
Configure Azure File Sync to use private DNS zones	06695360-db88-47f6-b976-7500d4297475	Storage	Default DeployIfNotExists Allowed DeployIfNotExists, Disabled	2	Network Contributor, Private DNS Zone Contributor	GA	BuiltIn	true
Configure Azure HDInsight clusters to use private DNS zones	43d6e3bd-fc6a-4b44-8b4d-2151d8736a11	HDInsight	Default DeployIfNotExists Allowed DeployIfNotExists, Disabled	1	Network Contributor	GA	BuiltIn	unknown
Configure Azure Key Vaults to use private DNS zones	ac673a9a-f77d-4846-b2d8-a57f8e1c01d4	Key Vault	Default DeployIfNotExists Allowed DeployIfNotExists, Disabled	1	Network Contributor	GA	BuiltIn	true
Configure Azure Machine Learning workspace to use private DNS zones	ee40564d-486e-4f68-a5ca-7a621edae0fb	Machine Learning	Default DeployIfNotExists Allowed DeployIfNotExists, Disabled	1	Network Contributor	GA	BuiltIn	unknown
Configure Azure Managed Grafana workspaces to use private DNS zones	4c8537f8-cd1b-49ec-b704-18e82a42fd58	Managed Grafana	Default DeployIfNotExists Allowed DeployIfNotExists, Disabled	1	Network Contributor	GA	BuiltIn	unknown
Configure Azure Migrate resources to use private DNS zones	7590a335-57cf-4c95-babd-ecbc8fafeb1f	Migrate	Default DeployIfNotExists Allowed DeployIfNotExists, Disabled	1	Network Contributor	GA	BuiltIn	unknown
Configure Azure Monitor Private Link Scope to use private DNS zones	437914ee-c176-4fff-8986-7e05eb971365	Monitoring	Default DeployIfNotExists Allowed DeployIfNotExists, Disabled	1	Network Contributor	GA	BuiltIn	unknown
Configure Azure Synapse workspaces to use private DNS zones	1e5ed725-f16c-478b-bd4b-7bfa2f7940b9	Synapse	Default DeployIfNotExists Allowed DeployIfNotExists, Disabled	1	Network Contributor	GA	BuiltIn	unknown
Configure Azure Virtual Desktop hostpool resources to use private DNS zones	9427df23-0f42-4e1e-bf99-a6133d841c4a	Desktop Virtualization	Default DeployIfNotExists Allowed DeployIfNotExists, Disabled	1	Network Contributor	GA	BuiltIn	unknown
Configure Azure Virtual Desktop workspace resources to use private DNS zones	34804460-d88b-4922-a7ca-537165e060ed	Desktop Virtualization	Default DeployIfNotExists Allowed DeployIfNotExists, Disabled	1	Network Contributor	GA	BuiltIn	unknown
Configure Azure Web PubSub Service to use private DNS zones	0b026355-49cb-467b-8ac4-f777874e175a	Web PubSub	Default DeployIfNotExists Allowed DeployIfNotExists, Disabled	1	Network Contributor	GA	BuiltIn	unknown
Configure BotService resources to use private DNS zones	6a4e6f44-f2af-4082-9702-033c9e88b9f8	Bot Service	Default DeployIfNotExists Allowed DeployIfNotExists, Disabled	1	Network Contributor	GA	BuiltIn	unknown
Configure Cognitive Services accounts to use private DNS zones	c4bc6f10-cb41-49eb-b000-d5ab82e2a091	Cognitive Services	Default DeployIfNotExists Allowed DeployIfNotExists, Disabled	1	Network Contributor	GA	BuiltIn	unknown
Configure Container registries to use private DNS zones	e9585a95-5b8c-4d03-b193-dc7eb5ac4c32	Container Registry	Default DeployIfNotExists Allowed DeployIfNotExists, Disabled	1	Network Contributor	GA	BuiltIn	unknown
Configure CosmosDB accounts to use private DNS zones	a63cc0bd-cda4-4178-b705-37dc439d3e0f	Cosmos DB	Default DeployIfNotExists Allowed DeployIfNotExists, Disabled	1	Network Contributor	GA	BuiltIn	unknown
Configure disk access resources to use private DNS zones	bc05b96c-0b36-4ca9-82f0-5c53f96ce05a	Compute	Default DeployIfNotExists Allowed DeployIfNotExists, Disabled	1	Network Contributor	GA	BuiltIn	unknown
Configure Event Hub namespaces to use private DNS zones	ed66d4f5-8220-45dc-ab4a-20d1749c74e6	Event Hub	Default DeployIfNotExists Allowed DeployIfNotExists, Disabled	1	Network Contributor	GA	BuiltIn	unknown
Configure IoT Hub device provisioning instances to use private DNS zones	aaa64d2d-2fa3-45e5-b332-0b031b9b30e8	Internet of Things	Default DeployIfNotExists Allowed DeployIfNotExists, Disabled	1	Contributor	GA	BuiltIn	unknown
Configure private DNS zones for private endpoints connected to App Configuration	7a860e27-9ca2-4fc6-822d-c2d248c300df	App Configuration	Default DeployIfNotExists Allowed DeployIfNotExists, Disabled	1	Network Contributor	GA	BuiltIn	unknown
Configure private DNS zones for private endpoints that connect to Azure Data Factory	86cd96e1-1745-420d-94d4-d3f2fe415aa4	Data Factory	Default DeployIfNotExists Allowed DeployIfNotExists, Disabled	1	Network Contributor	GA	BuiltIn	unknown
Configure Service Bus namespaces to use private DNS zones	f0fcf93c-c063-4071-9668-c47474bd3564	Service Bus	Default DeployIfNotExists Allowed DeployIfNotExists, Disabled	1	Network Contributor	GA	BuiltIn	unknown
Deploy - Configure Azure Event Grid domains to use private DNS zones	d389df0a-e0d7-4607-833c-75a6fdac2c2d	Event Grid	Default DeployIfNotExists Allowed deployIfNotExists, DeployIfNotExists, Disabled	1	Network Contributor	GA	BuiltIn	unknown
Deploy - Configure Azure Event Grid topics to use private DNS zones	baf19753-7502-405f-8745-370519b20483	Event Grid	Default DeployIfNotExists Allowed deployIfNotExists, DeployIfNotExists, Disabled	1	Network Contributor	GA	BuiltIn	unknown
Deploy - Configure Azure IoT Hubs to use private DNS zones	c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02	Internet of Things	Default DeployIfNotExists Allowed deployIfNotExists, DeployIfNotExists, disabled, Disabled	2	Contributor, Network Contributor	GA	BuiltIn	unknown
Deploy - Configure IoT Central to use private DNS zones	d627d7c6-ded5-481a-8f2e-7e16b1e6faf6	Internet of Things	Default DeployIfNotExists Allowed DeployIfNotExists, Disabled	2	Contributor, Network Contributor	GA	BuiltIn	unknown
Deploy - Configure private DNS zones for private endpoints connect to Azure SignalR Service	b0e86710-7fb7-4a6c-a064-32e9b829509e	SignalR	Default DeployIfNotExists Allowed DeployIfNotExists, Disabled	1	Network Contributor	GA	BuiltIn	unknown
Deploy - Configure private DNS zones for private endpoints that connect to Batch accounts	4ec38ebc-381f-45ee-81a4-acbc4be878f8	Batch	Default DeployIfNotExists Allowed DeployIfNotExists, Disabled	1	Network Contributor	GA	BuiltIn	unknown

Roles used

Total Roles usage: 52
Total Roles unique usage: 3

Role	Role Id	#Policies	Policies
Contributor	b24988ac-6180-42a0-ab88-20f7382dd24c	4	Configure Azure Device Update for IoT Hub accounts to use private DNS zones, Configure IoT Hub device provisioning instances to use private DNS zones, Deploy - Configure Azure IoT Hubs to use private DNS zones, Deploy - Configure IoT Central to use private DNS zones
Network Contributor	4d97b98b-1d4f-4787-a291-c67834d212e7	47	[Deprecated]: Configure Azure Media Services to use private DNS zones, [Preview]: Configure Azure Recovery Services vaults to use private DNS zones, [Preview]: Configure Recovery Services vaults to use private DNS zones for backup, Configure a private DNS Zone ID for blob groupID, Configure a private DNS Zone ID for blob_secondary groupID, Configure a private DNS Zone ID for dfs groupID, Configure a private DNS Zone ID for dfs_secondary groupID, Configure a private DNS Zone ID for file groupID, Configure a private DNS Zone ID for queue groupID, Configure a private DNS Zone ID for queue_secondary groupID, Configure a private DNS Zone ID for table groupID, Configure a private DNS Zone ID for table_secondary groupID, Configure a private DNS Zone ID for web groupID, Configure a private DNS Zone ID for web_secondary groupID, Configure App Service apps to use private DNS zones, Configure Azure AI Search services to use private DNS zones, Configure Azure Arc Private Link Scopes to use private DNS zones, Configure Azure Automation accounts with private DNS zones, Configure Azure Cache for Redis to use private DNS zones, Configure Azure Databricks workspace to use private DNS zones, Configure Azure Device Update for IoT Hub accounts to use private DNS zones, Configure Azure File Sync to use private DNS zones, Configure Azure HDInsight clusters to use private DNS zones, Configure Azure Key Vaults to use private DNS zones, Configure Azure Machine Learning workspace to use private DNS zones, Configure Azure Managed Grafana workspaces to use private DNS zones, Configure Azure Migrate resources to use private DNS zones, Configure Azure Monitor Private Link Scope to use private DNS zones, Configure Azure Synapse workspaces to use private DNS zones, Configure Azure Virtual Desktop hostpool resources to use private DNS zones, Configure Azure Virtual Desktop workspace resources to use private DNS zones, Configure Azure Web PubSub Service to use private DNS zones, Configure BotService resources to use private DNS zones, Configure Cognitive Services accounts to use private DNS zones, Configure Container registries to use private DNS zones, Configure CosmosDB accounts to use private DNS zones, Configure disk access resources to use private DNS zones, Configure Event Hub namespaces to use private DNS zones, Configure private DNS zones for private endpoints connected to App Configuration, Configure private DNS zones for private endpoints that connect to Azure Data Factory, Configure Service Bus namespaces to use private DNS zones, Deploy - Configure Azure Event Grid domains to use private DNS zones, Deploy - Configure Azure Event Grid topics to use private DNS zones, Deploy - Configure Azure IoT Hubs to use private DNS zones, Deploy - Configure IoT Central to use private DNS zones, Deploy - Configure private DNS zones for private endpoints connect to Azure SignalR Service, Deploy - Configure private DNS zones for private endpoints that connect to Batch accounts
Private DNS Zone Contributor	b12aa53e-6015-4669-85d0-8515ebb3ae7f	1	Configure Azure File Sync to use private DNS zones

History

none

JSON compare

compare mode: version left: version right:

JSON

EPAC