Enterprise-Scale
Add policy for private dns zone privatelink.database.windows.net
Describe the solution you'd like
Not all resource types seem to be included at this point in the policy set Deploy-Private-DNS-Zones. Source: https://github.com/Azure/Enterprise-Scale/blob/main/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones.json
E.g. privatelink.database.windows.net
It would be great if this zone were added to the policy set, if not all remaining others.
Side note: Maybe the name of the policy set can be improved, e.g. to "Deploy DNS zone groups to private endpoints".
Custom policy definition example code
{
  "name": "Config-Private-DNS-SQL",
  "type": "Microsoft.Authorization/policyDefinitions",
  "apiVersion": "2022-06-01",
  "scope": null,
  "properties": {
    "displayName": "Configure Azure SQL DB to use private DNS zones",
    "policyType": "Custom",
    "mode": "Indexed",
    "description": "Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure SQL Database account. Learn more at: https://aka.ms/privatednszone.",
    "metadata": {
      "version": "2.0.0",
      "category": "SQL DB"
    },
    "parameters": {
      "privateDnsZoneId": {
        "type": "String",
        "metadata": {
          "displayName": "Private Dns Zone Id",
          "description": "The private DNS zone to deploy in a new private DNS zone group and link to the private endpoint",
          "strongType": "Microsoft.Network/privateDnsZones"
        }
      },
      "groupId": {
        "type": "String",
        "metadata": {
          "displayName": "Group ID",
          "description": "A group Id for the private endpoint"
        },
        "defaultValue": "sqlServer"
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/privateEndpoints"
          },
          {
            "count": {
              "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*]",
              "where": {
                "allOf": [
                  {
                    "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId",
                    "contains": "Microsoft.Sql/servers"
                  },
                  {
                    "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]",
                    "equals": "[parameters('groupId')]"
                  }
                ]
              }
            },
            "greaterOrEquals": 1
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7",
            "/providers/Microsoft.Authorization/roleDefinitions/b12aa53e-6015-4669-85d0-8515ebb3ae7f",
            "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "privateDnsZoneId": {
                    "type": "string"
                  },
                  "privateEndpointName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "name": "[concat(parameters('privateEndpointName'), '/deployedByPolicy')]",
                    "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
                    "apiVersion": "2020-03-01",
                    "location": "[parameters('location')]",
                    "properties": {
                      "privateDnsZoneConfigs": [
                        {
                          "name": "privatelink_database_windows_net",
                          "properties": {
                            "privateDnsZoneId": "[parameters('privateDnsZoneId')]"
                          }
                        }
                      ]
                    }
                  }
                ]
              },
              "parameters": {
                "privateDnsZoneId": {
                  "value": "[parameters('privateDnsZoneId')]"
                },
                "privateEndpointName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                }
              }
            }
          }
        }
      }
    }
  }
}
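The following is an added example, not code from the issue author or the Enterprise-Scale repo. It re-implements the `if` block of the custom definition above and the DeployIfNotExists existence check in Python, so the rule can be dry-run against a constructed inventory of private endpoints before the definition is assigned. It also renders the `privateDnsZoneGroups` resource the embedded ARM template would create, and adds one check the policy itself does not perform: that the assigned zone ID really is the `privatelink.database.windows.net` zone. The subscription, resource group and endpoint names, and the zone resource ID, are all constructed placeholders.

```python
"""Offline dry-run of the Config-Private-DNS-SQL policy rule (added example)."""
import json

# Constants taken from the policy definition above.
PE_TYPE = "Microsoft.Network/privateEndpoints"
ZONE_GROUP_TYPE = "Microsoft.Network/privateEndpoints/privateDnsZoneGroups"
SERVICE_ID_FRAGMENT = "Microsoft.Sql/servers"   # `contains` match on privateLinkServiceId
DEFAULT_GROUP_ID = "sqlServer"                  # parameters('groupId').defaultValue
EXPECTED_ZONE_NAME = "privatelink.database.windows.net"

# Constructed resource ID of the zone the policy would be assigned with.
PRIVATE_DNS_ZONE_ID = (
    "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-dns"
    "/providers/Microsoft.Network/privateDnsZones/" + EXPECTED_ZONE_NAME
)


def matches_policy(resource, group_id=DEFAULT_GROUP_ID):
    """Mirror the rule's `if` block: the resource is a private endpoint and at
    least one privateLinkServiceConnection points at a Microsoft.Sql/servers
    resource with the requested group ID in its groupIds."""
    if resource.get("type") != PE_TYPE:
        return False
    connections = resource.get("properties", {}).get("privateLinkServiceConnections", [])
    matching = [
        c for c in connections
        if SERVICE_ID_FRAGMENT in c.get("privateLinkServiceId", "")
        and group_id in c.get("groupIds", [])
    ]
    return len(matching) >= 1


def has_zone_group(resource):
    """The rule sets no existenceCondition, so any privateDnsZoneGroups child
    makes the endpoint compliant, even one that points at the wrong zone."""
    return any(child.get("type") == ZONE_GROUP_TYPE
               for child in resource.get("children", []))


def zone_name_matches(zone_id, expected=EXPECTED_ZONE_NAME):
    """Sanity check the policy never performs: the last segment of the
    assigned zone resource ID must be the SQL private link zone name."""
    return zone_id.rsplit("/", 1)[-1].lower() == expected


def render_deployment(resource, zone_id):
    """Build the privateDnsZoneGroups resource the ARM template in
    then.details.deployment would create for a matching endpoint."""
    return {
        "name": resource["name"] + "/deployedByPolicy",
        "type": ZONE_GROUP_TYPE,
        "apiVersion": "2020-03-01",
        "location": resource["location"],
        "properties": {
            "privateDnsZoneConfigs": [
                {
                    "name": EXPECTED_ZONE_NAME.replace(".", "_"),
                    "properties": {"privateDnsZoneId": zone_id},
                }
            ]
        },
    }


def evaluate(resources, group_id=DEFAULT_GROUP_ID):
    """Classify each resource as the policy engine would: not-applicable
    (if-block false), compliant (zone group present) or deploy
    (DeployIfNotExists would fire)."""
    result = {}
    for r in resources:
        if not matches_policy(r, group_id):
            result[r["name"]] = "not-applicable"
        elif has_zone_group(r):
            result[r["name"]] = "compliant"
        else:
            result[r["name"]] = "deploy"
    return result


def _pe(name, service_id, group_ids, children=()):
    """Build a constructed private endpoint resource for the sample inventory."""
    return {
        "name": name, "type": PE_TYPE, "location": "westeurope",
        "properties": {"privateLinkServiceConnections": [
            {"privateLinkServiceId": service_id, "groupIds": list(group_ids)}]},
        "children": list(children),
    }


SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-app/providers/"
SAMPLE_RESOURCES = [  # constructed sample inventory, not real resources
    _pe("pe-sql-prod", SUB + "Microsoft.Sql/servers/sql-prod", ["sqlServer"]),
    _pe("pe-sql-dns", SUB + "Microsoft.Sql/servers/sql-dns", ["sqlServer"],
        [{"type": ZONE_GROUP_TYPE, "name": "default"}]),
    _pe("pe-blob", SUB + "Microsoft.Storage/storageAccounts/stapp", ["blob"]),
    {"name": "vnet-hub", "type": "Microsoft.Network/virtualNetworks", "location": "westeurope"},
]

if __name__ == "__main__":
    print(json.dumps(evaluate(SAMPLE_RESOURCES), indent=2))
    print(json.dumps(render_deployment(SAMPLE_RESOURCES[0], PRIVATE_DNS_ZONE_ID), indent=2))
```

Two things the dry run makes visible that the JSON alone does not: the storage endpoint and the virtual network fall out at the `if` block rather than being reported as non-compliant, and an endpoint that already carries any zone group is treated as compliant because the definition has no `existenceCondition`, so a zone group pointing at an unrelated zone would never be corrected.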
@cveld Thanks for raising the issue. Our initiative is based on available built-in policies (there are none for that namespace :)), and we do this as much as possible to minimize our team's overhead maintaining initiatives (and in particular custom policies). It is valuable feedback, and we understand the high value this has; we will raise this in our next internal review and action accordingly (we will provide an update here).
Hi! Is there a way to raise this with the team that does the built-in policies? I guess SQL Database is the most used Azure PaaS service (after storage). :)
Is there any update on this issue?
Waiting on this PR to be merged to enable custom assignment of Private DNS Zones: https://github.com/Azure/Enterprise-Scale/pull/1618