
💡 Feature Request - Policy assignments for private DNS records

Open JimmyKarlsson112 opened this issue 3 years ago • 4 comments

Describe the solution you'd like

Support for private DNS records auto creation in central connectivity subscription and of creation of private DNS zones in Corp landing zone. Docs: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/private-link-and-dns-integration-at-scale

Describe alternatives you've considered

Policy Definitions are in place. Could be good to have a feature toggle (true & false). Support for multi-region would be great but for first iteration one region would suffice.

Additional context

Add any other context or screenshots about the feature request here. 📷

JimmyKarlsson112 avatar Feb 09 '22 07:02 JimmyKarlsson112

Thanks for raising this @JimmyKarlsson112, as discussed offline this is something we are already aware of and will start working on soon.

Stay tuned for a new release 👍

jtracey93 avatar Feb 09 '22 12:02 jtracey93

Just FYI:

I've used policy-based deployments for Private Link DNS zones in the past. The goal was to have auto-deployment policies for all Private DNS records regarding Private Link.

Some of the 'auto-deploy-dns-entry' policies suggested by the responsible Azure Resource Team collide with other policies, because of the way that 'subgroup' is addressed in some policies. See this open issue: https://github.com/Azure/azure-policy/issues/858

There could be more of those issues. Just wanna let you know before implementation.

cloudchristoph avatar Apr 19 '22 23:04 cloudchristoph

Thanks @cloudchristoph, good spot, I was talking to a customer and colleague about this just last week (@matt-FFFFFF). You indeed found the fix by including the following in the if condition of the policy to further narrow the PE mapping to a service:

{
  "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId",
  "contains": "Microsoft.CognitiveServices/accounts" // change this to the associated service you require
}

jtracey93 avatar Apr 20 '22 10:04 jtracey93
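To show why narrowing on privateLinkServiceId separates two policies that key on the same groupId, here is an added example (not code from this issue or from ALZ-Bicep): a toy evaluator that applies a groupId-only condition and the narrowed allOf condition to constructed private endpoints. It models only field/equals/contains/allOf, strips the resource-type prefix from the alias, and treats a [*] condition as met when every array member meets it, which is a simplification of Azure Policy's real evaluation; the sample endpoints and the Contoso.Example provider are made up.

```python
# Toy model of an Azure Policy 'if' block (added example, simplified semantics).
PE_PREFIX = "Microsoft.Network/privateEndpoints/"

# Constructed endpoints: the second uses a made-up provider that happens to
# share the groupId "account", the collision the thread describes.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo/providers/"
SAMPLE_ENDPOINTS = [
    {"name": "pe-cogsvc", "privateLinkServiceConnections": [{
        "privateLinkServiceId": SUB + "Microsoft.CognitiveServices/accounts/acct1",
        "groupIds": ["account"]}]},
    {"name": "pe-other", "privateLinkServiceConnections": [{
        "privateLinkServiceId": SUB + "Contoso.Example/things/thing1",
        "groupIds": ["account"]}]},
]

GROUP_ONLY = {"field": PE_PREFIX + "privateLinkServiceConnections[*].groupIds[*]",
              "equals": "account"}
NARROWED = {"allOf": [GROUP_ONLY, {
    "field": PE_PREFIX + "privateLinkServiceConnections[*].privateLinkServiceId",
    "contains": "Microsoft.CognitiveServices/accounts"}]}


def resolve(resource, alias):
    """Walk an alias path, expanding '[*]' segments over array members."""
    values = [resource]
    for part in alias[len(PE_PREFIX):].split("."):
        expand = part.endswith("[*]")
        key = part[:-3] if expand else part
        nxt = []
        for v in values:
            child = v.get(key) if isinstance(v, dict) else None
            if child is not None:
                nxt.extend(child if expand else [child])
        values = nxt
    return values


def holds(cond, resource):
    """Evaluate a condition; [*] is treated as 'all members' (assumption)."""
    if "allOf" in cond:
        return all(holds(c, resource) for c in cond["allOf"])
    values = resolve(resource, cond["field"])
    if "equals" in cond:
        return bool(values) and all(v == cond["equals"] for v in values)
    if "contains" in cond:
        return bool(values) and all(cond["contains"] in v for v in values)
    raise ValueError("unsupported condition")


def targeted(cond, endpoints=SAMPLE_ENDPOINTS):
    """Names of endpoints a policy with this 'if' block would act on."""
    return [pe["name"] for pe in endpoints if holds(cond, pe)]
```

With the groupId-only condition both endpoints are targeted, so two services' DNS policies would both fire on each other's endpoints; the narrowed condition targets only pe-cogsvc.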

Ado sync

jtracey93 avatar Sep 07 '22 20:09 jtracey93

ADO 25171

jtracey93 avatar Nov 15 '22 17:11 jtracey93