Enterprise-Scale
Built-in policies DINE policies for DNSZoneGroup registration missing
Describe the bug
Custom ESLZ "Configure Azure PaaS services to use private DNS zones" does not work as expected; tested with storage account, although it does configure the private endpoint with the appropriate private DNS zone, it does NOT also automatically create the respective A record for the private endpoint
Steps to reproduce
- Deploy ESLZ
- Create a storage account with a private endpoint, and do not pre-configure it with private DNS, since the policy is supposed to do so
Screenshots
@victorar /@daltondhcp - can you have a look at this when back? :-)
@pkorolo - as per our chat this afternoon, could you please provide the information you shared with me this afternoon 👍
Further details:
- the problematic Policy (actually Initiative) is the "Configure Azure PaaS services to use private DNS zones"; I tested only with storage accounts, not other PaaS Services, but the outcome was the following:
- private endpoint is properly configured with the correct (respective) private DNS zone, BUT
- the respective A record is never created within that DNS zone
In previous versions, where we relied on custom (per PaaS type) ESLZ Policies (afaik we do not have them anymore in the latest ESLZ), the functionality was 100% OK (both private endpoint configuration and A record creation were functioning properly).
Looping in @sitarant, @krowlandson on this issue, as I understand they have also seen something similar when implementing these policies with the Terraform module.
@pkorolo - I have done some investigation and this is related to the shift to built-in policies for this that was done in our July update, where blob is not yet included. (See what's new below)
https://github.com/Azure/Enterprise-Scale/wiki/Whats-new#policy-1
I will follow-up with the eng. team to get an ETA on when we can expect it to be available.
In the meantime, as a workaround, you can create a custom policy based on this doc and add it to the "Configure Azure PaaS services to use private DNS zones" initiative.
Apologies for the inconvenience.
Hey @pkorolo,
Just picking this back up and re-triaging. Is this effectively saying that the Deploy-Private-DNS-Zones ALZ Custom Policy Initiative does not contain a policy for configuring blob storage private DNS zone groups?
It doesn't look like there is a built-in, so we would have to work with the storage PG to get one published or create a custom one. I checked here for all the latest built-ins: https://www.azadvertizer.net/azpolicyadvertizer_all.html#%7B%22col_3%22%3A%7B%22flt%22%3A%22private%20DNS%20zones%22%7D%2C%22col_0%22%3A%7B%7D%2C%22col_8%22%3A%7B%7D%2C%22page_length%22%3A100%7D
We have also already done some gap analysis of private link supported services and whether there is a built-in private DNS zone group DINE policy.
Let us know
Hello @jtracey93
Indeed, some months back when I was doing some testing, the custom initiative then called "Configure Azure PaaS services to use private DNS zones" (definition: /providers/Microsoft.Management/managementGroups/<alz_root_mg>/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones ), which was a bundle of individual built-in policies (per PaaS service), did not include the respective DINE policy for (blob) storage.
Now it has been a while since then (I haven't re-deployed and tested in the interim), and maybe this is not the case anymore. For sure, back then it was; hence, if you see the thread above, Johan proposed (as an interim resolution) editing the initiative and adding the missing DINE policies from the (previously existing) custom ones (as per existing documentation).
If you have a relatively recent deployment, you can check if the respective initiative now does include DINE policies for storage services' private DNS zone groups or not. If you don't have something handy, I will redeploy myself rather soon (by the end of the week that is), and check for myself (and let you know of course).
Hope this helps!