
Eventgrid - Topic - Private dns zone policy

Open · SebastianClaesson opened this issue 10 months ago · 1 comment

Describe the bug

The Azure Policy Set for "deploy-private-dns-zones" contains a policy definition parameter for DINE-Private-DNS-Azure-EventGridTopics, which uses the following logic:

```
[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureEventGridTopicsPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureEventGridTopicsPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]
```

However, when the parameter 'dnsZoneSubscriptionId' is defined and we get into the if clause that formats the string, it will try to replace '{regionCode}' and/or '{regionName}'.

However, the default value of the parameter dnsZoneNames with key 'azureEventGridTopicsPrivateDnsZoneId' is "privatelink.eventgrid.azure.net". Reference: azureEventGridTopicsPrivateDnsZoneId

According to the Event Grid documentation, the expected DNS zone should be in the following format: `<TopicName>.<RegionName>.privatelink.eventgrid.azure.net`

However, it also states:

> The recommended DNS zone name is privatelink.eventgrid.azure.net.

This makes the initiative go against the recommendation. Reference: https://learn.microsoft.com/en-us/azure/event-grid/network-security#dns-changes-for-private-endpoints

This means that the default logic does not work and will only start creating entries in the DNS zone 'privatelink.eventgrid.azure.net'. This is not a valid CNAME according to the documentation, as it must always have RegionName appended.

SebastianClaesson avatar Feb 07 '25 13:02 SebastianClaesson
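The following is an added example, not code from the Enterprise-Scale repository or from the issue author: a small Python model of the ARM template expression quoted above, used to show what the policy's private DNS zone resource ID resolves to for a given `dnsZoneNames` value. All parameter values are constructed samples; the subscription ID is a placeholder, the `dnzZoneRegionShortNames` table is a made-up two-entry map, `dnsZoneResourceType` is assumed to be `Microsoft.Network/privateDnsZones`, and the zone name containing `{regionName}` is only an illustration of what the `replace()` calls would act on.

```python
"""Added example (not from the Enterprise-Scale repository): evaluate the
DINE-Private-DNS-Azure-EventGridTopics zone-id expression with sample
parameters and inspect whether the region ever reaches the zone name."""

import re

# Constructed sample of the initiative parameters referenced by the expression.
PARAMS = {
    "dnsZoneSubscriptionId": "00000000-0000-0000-0000-000000000000",  # placeholder
    "dnsZoneResourceGroupName": "RG-PrivateDNS",
    "dnsZoneResourceType": "Microsoft.Network/privateDnsZones",  # assumption
    "dnsZoneRegion": "westeurope",
    # constructed region -> short-code map; the initiative's own table may differ
    "dnzZoneRegionShortNames": {"westeurope": "weu", "northeurope": "neu"},
    # fallback used by the expression when no subscription id is supplied
    "azureEventGridTopicsPrivateDnsZoneId": "",
}


def resolve_zone_id(params, zone_name):
    """Mirror the quoted expression: with an empty dnsZoneSubscriptionId return
    the explicit zone-id parameter; otherwise build the resource id from the
    zone name after substituting {regionName} and {regionCode}."""
    if params["dnsZoneSubscriptionId"] == "":
        return params["azureEventGridTopicsPrivateDnsZoneId"]
    region = params["dnsZoneRegion"]
    short = params["dnzZoneRegionShortNames"][region]
    name = zone_name.replace("{regionName}", region).replace("{regionCode}", short)
    # ARM format() with positional {0}..{3}; toLower() on the resource group
    return "/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}".format(
        params["dnsZoneSubscriptionId"],
        params["dnsZoneResourceGroupName"].lower(),
        params["dnsZoneResourceType"],
        name,
    )


def placeholders_left(zone_name):
    """Return the placeholders present in a zone name, i.e. the tokens the two
    replace() calls in the expression would actually substitute."""
    return re.findall(r"\{(regionName|regionCode)\}", zone_name)


def zone_contains_region(zone_id, params):
    """Check whether the resolved zone name (last path segment) carries the
    deployment region in either its long or short form."""
    region = params["dnsZoneRegion"]
    short = params["dnzZoneRegionShortNames"][region]
    zone = zone_id.rsplit("/", 1)[-1]
    return region in zone or short in zone


if __name__ == "__main__":
    for name in ("privatelink.eventgrid.azure.net",
                 "{regionName}.privatelink.eventgrid.azure.net"):
        zid = resolve_zone_id(PARAMS, name)
        print(name, "->", zid, "| placeholders:", placeholders_left(name),
              "| region present:", zone_contains_region(zid, PARAMS))
```

With the default zone name there is nothing for `replace()` to substitute, so the resolved ID ends in `privatelink.eventgrid.azure.net` with no region anywhere in it; only a zone name that actually carries a `{regionName}` or `{regionCode}` token produces a region-specific zone.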

The same goes for the following policies:

  • ~~DINE-Private-DNS-Azure-IoTHubs~~ (has the logic, but there seems to be no need for it when checking the docs)
  • DINE-Private-DNS-Azure-EventGridDomains

https://github.com/Azure/Enterprise-Scale/blob/b72497573d9d67efc322f5ce147670f9e196b789/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones.json#L1470C6-L1495C10

SebastianClaesson avatar Feb 07 '25 13:02 SebastianClaesson