
🪲 Bug Report - No diagnostic settings for microsoft.networking/vpnGateways

Open CTCasperHagemann opened this issue 2 years ago • 3 comments

Describe the bug

First time using this project, so bear with me if I have overlooked something… After deploying the project with the recommended deployment flow, it appears that the VPN gateway deployed through the vwan topology does not get any diagnostic settings through policies.

The below example is a simple vwan hub, with only firewall and VPN enabled.

To Reproduce

Steps to reproduce the behaviour:

  1. Deploy the project from step 1 to 8 and use the vwan topology (https://github.com/Azure/ALZ-Bicep/wiki/DeploymentFlowVWAN).
  2. Go to the resource group of your hub resources and verify the diagnostic settings sub-menu

Expected behaviour

A policy should apply diagnostic settings on the object microsoft.network/vpngateways. It appears that the policy file policydefinitionesdeploydiagnostics_vnetgw.json handles the type Microsoft.Network/virtualNetworkGateways, and not the type deployed with the vwan topology. The firewall deployed in the same subscription and Resource Group receives the correct diagnostic settings.

Screenshots 📷

image

Correlation ID

Additional context

Maybe missing an entire policy definition for the object microsoft.network/vpngateways?

CTCasperHagemann avatar Jul 20 '22 06:07 CTCasperHagemann

Thanks for raising this @CTCasperHagemann, I have transferred this issue to the main ALZ repo as this is where we maintain all of the policies for all the implementation options 👍

From reviewing the issue your suspicions are correct and we are missing a diagnostic policy definition that is part of the bigger initiative for the Microsoft.Network/vpnGateways resource (note this is for VWAN only and that VPN Gateways outside of VWAN use the type Microsoft.Network/virtualNetworkGateways, which we do have a policy for today in https://www.azadvertizer.net/azpolicyadvertizer/Deploy-Diagnostics-VNetGW.html)

We will add this to the backlog to create a policy definition and add this to the ALZ policies.

We are currently completing some maintenance work on how we manage policies in ALZ, to actually make this process easier going forward than it is today, which we hope to complete by the end of the month. So, this issue will be started once we have completed this work 👍

cc: @krowlandson

jtracey93 avatar Jul 20 '22 07:07 jtracey93
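The gap described in the report and confirmed in the reply above is a pure type-matching one: a DeployIfNotExists policy whose `if` block targets `Microsoft.Network/virtualNetworkGateways` never evaluates a `Microsoft.Network/vpnGateways` resource, so the VWAN gateway silently falls outside the initiative. The following is an added example, not code from the ALZ / Enterprise-Scale project: it contains a constructed DeployIfNotExists definition for `Microsoft.Network/vpnGateways` (policy name, parameters, the `allLogs` category group and the embedded template are assumptions following the generic Azure Policy diagnostic-settings pattern) plus a small coverage check that evaluates each policy's `if` block against the resource types actually deployed in a hub, so you can spot uncovered types before relying on the initiative.

```python
"""Find deployed resource types that no diagnostic-settings policy targets.

Added example (not ALZ / Enterprise-Scale code). It models the gap in this
issue: a policy targeting Microsoft.Network/virtualNetworkGateways never
matches the Microsoft.Network/vpnGateways type that a Virtual WAN hub deploys.
"""

# Constructed stand-ins for two initiative members (only "if" is evaluated).
EXISTING_POLICIES = [
    {"name": "Example-Deploy-Diagnostics-VNetGW", "properties": {"policyRule": {
        "if": {"field": "type", "equals": "Microsoft.Network/virtualNetworkGateways"},
        "then": {"effect": "DeployIfNotExists"}}}},
    {"name": "Example-Deploy-Diagnostics-Firewall", "properties": {"policyRule": {
        "if": {"field": "type", "equals": "Microsoft.Network/azureFirewalls"},
        "then": {"effect": "DeployIfNotExists"}}}},
]

# Constructed DeployIfNotExists definition for VWAN VPN gateways. Names,
# parameters and the "allLogs" category group are assumptions for this example.
VPN_GATEWAY_DIAG_POLICY = {
    "name": "Example-Deploy-Diagnostics-VpnGateway",
    "properties": {
        "displayName": "Deploy diagnostic settings for Virtual WAN VPN gateways",
        "mode": "Indexed",
        "parameters": {
            "logAnalytics": {"type": "String"},
            "effect": {"type": "String", "defaultValue": "DeployIfNotExists"},
        },
        "policyRule": {
            "if": {"field": "type", "equals": "Microsoft.Network/vpnGateways"},
            "then": {
                "effect": "[parameters('effect')]",
                "details": {
                    "type": "Microsoft.Insights/diagnosticSettings",
                    # Built-in roles: Monitoring Contributor, Log Analytics Contributor
                    "roleDefinitionIds": [
                        "/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
                        "/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293",
                    ],
                    # Compliant only if logs already flow to *this* workspace
                    "existenceCondition": {"allOf": [
                        {"field": "Microsoft.Insights/diagnosticSettings/logs.enabled", "equals": "True"},
                        {"field": "Microsoft.Insights/diagnosticSettings/workspaceId",
                         "equals": "[parameters('logAnalytics')]"},
                    ]},
                    "deployment": {"properties": {"mode": "incremental", "template": {
                        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                        "contentVersion": "1.0.0.0",
                        "parameters": {"resourceName": {"type": "string"},
                                       "logAnalytics": {"type": "string"}},
                        "resources": [{
                            "type": "Microsoft.Network/vpnGateways/providers/diagnosticSettings",
                            "apiVersion": "2021-05-01-preview",
                            "name": "[concat(parameters('resourceName'), '/Microsoft.Insights/setByPolicy')]",
                            "properties": {
                                "workspaceId": "[parameters('logAnalytics')]",
                                "logs": [{"categoryGroup": "allLogs", "enabled": True}],
                                "metrics": [{"category": "AllMetrics", "enabled": True}],
                            },
                        }],
                    }, "parameters": {
                        "resourceName": {"value": "[field('name')]"},
                        "logAnalytics": {"value": "[parameters('logAnalytics')]"},
                    }}},
                },
            },
        },
    },
}


def matches(condition, resource):
    """Evaluate a subset of the Azure Policy 'if' grammar against a resource dict."""
    if "allOf" in condition:
        return all(matches(c, resource) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(matches(c, resource) for c in condition["anyOf"])
    if "not" in condition:
        return not matches(condition["not"], resource)
    value = str(resource.get(condition.get("field"), "")).lower()
    if "equals" in condition:  # policy string comparisons are case-insensitive
        return value == str(condition["equals"]).lower()
    if "in" in condition:
        return value in {str(v).lower() for v in condition["in"]}
    return False


def uncovered_types(policies, deployed_types):
    """Deployed resource types that no policy's 'if' block would ever target."""
    return [t for t in deployed_types
            if not any(matches(p["properties"]["policyRule"]["if"], {"type": t})
                       for p in policies)]


# Constructed inventory of a VWAN hub resource group: firewall + VPN gateway.
HUB_TYPES = ["Microsoft.Network/azureFirewalls", "Microsoft.Network/vpnGateways"]

if __name__ == "__main__":
    print("uncovered before:", uncovered_types(EXISTING_POLICIES, HUB_TYPES))
    print("uncovered after: ", uncovered_types(EXISTING_POLICIES + [VPN_GATEWAY_DIAG_POLICY], HUB_TYPES))
```

In a real tenant the `HUB_TYPES` list would come from a resource inventory (for example the output of `az resource list` for the hub resource group) and `EXISTING_POLICIES` from exporting the initiative's member definitions; the evaluator is intentionally limited to `field`/`equals`/`in`/`allOf`/`anyOf`/`not`, which is all the type-targeting `if` blocks of diagnostic-settings policies use.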

Trigger ADO Sync 1

jtracey93 avatar Sep 11 '22 07:09 jtracey93

Trigger ADO Sync 2

jtracey93 avatar Sep 11 '22 07:09 jtracey93

@jtracey93 can we get an update on this, just discovered we are missing this in our implementation!

chris5287 avatar Mar 08 '23 21:03 chris5287

Hey @chris5287 this is done but it is in our policy-refresh branch as we are making a large number of policy improvements.

We plan to complete this work in March and merge it into main and pull down to all of our implementation options shortly after.

You can see the policy we've created for this here and use it in the meantime: https://github.com/Azure/Enterprise-Scale/blob/policy-refresh/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VWanS2SVPNGW.json

Thanks

Jack

jtracey93 avatar Mar 08 '23 21:03 jtracey93

This is live in #1273

jtracey93 avatar Apr 25 '23 09:04 jtracey93