Improved control of PrivateDnsZones being deployed (#543)
Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Jack Tracey <41163455+jtracey93@users.noreply.github.com>
3 people authored Jun 9, 2023
1 parent 7fef1b2 commit bc38606
Showing 15 changed files with 79 additions and 6 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,7 @@ parDisableBgpRoutePropagation | No | Switch to enable/disable BGP Propagat
parPrivateDnsZonesEnabled | No | Switch to enable/disable Private DNS Zones deployment.
parPrivateDnsZonesResourceGroup | No | Resource Group Name for Private DNS Zones.
parPrivateDnsZones | No | Array of DNS Zones to provision in Hub Virtual Network. Default: All known Azure Private DNS Zones
parPrivateDnsZoneAutoMergeAzureBackupZone | No | Set Parameter to false to skip the addition of a Private DNS Zone for Azure Backup.
parVpnGatewayConfig | No | Configuration for VPN virtual network gateway to be deployed. If a VPN virtual network gateway is not desired an empty object should be used as the input parameter in the parameter file, i.e. "parVpnGatewayConfig": { "value": {} }
parExpressRouteGatewayConfig | No | Configuration for ExpressRoute virtual network gateway to be deployed. If a ExpressRoute virtual network gateway is not desired an empty object should be used as the input parameter in the parameter file, i.e. "parExpressRouteGatewayConfig": { "value": {} }
parTags | No | Tags you would like to be applied to all resources in this module.
Expand Down Expand Up @@ -266,6 +267,14 @@ Array of DNS Zones to provision in Hub Virtual Network. Default: All known Azure

- Default value: `[format('privatelink.{0}.azmk8s.io', toLower(parameters('parLocation')))] [format('privatelink.{0}.batch.azure.com', toLower(parameters('parLocation')))] [format('privatelink.{0}.kusto.windows.net', toLower(parameters('parLocation')))] privatelink.adf.azure.com privatelink.afs.azure.net privatelink.agentsvc.azure-automation.net privatelink.analysis.windows.net privatelink.api.azureml.ms privatelink.azconfig.io privatelink.azure-api.net privatelink.azure-automation.net privatelink.azurecr.io privatelink.azure-devices.net privatelink.azure-devices-provisioning.net privatelink.azurehdinsight.net privatelink.azurehealthcareapis.com privatelink.azurestaticapps.net privatelink.azuresynapse.net privatelink.azurewebsites.net privatelink.batch.azure.com privatelink.blob.core.windows.net privatelink.cassandra.cosmos.azure.com privatelink.cognitiveservices.azure.com privatelink.database.windows.net privatelink.datafactory.azure.net privatelink.dev.azuresynapse.net privatelink.dfs.core.windows.net privatelink.dicom.azurehealthcareapis.com privatelink.digitaltwins.azure.net privatelink.directline.botframework.com privatelink.documents.azure.com privatelink.eventgrid.azure.net privatelink.file.core.windows.net privatelink.gremlin.cosmos.azure.com privatelink.guestconfiguration.azure.com privatelink.his.arc.azure.com privatelink.kubernetesconfiguration.azure.com privatelink.managedhsm.azure.net privatelink.mariadb.database.azure.com privatelink.media.azure.net privatelink.mongo.cosmos.azure.com privatelink.monitor.azure.com privatelink.mysql.database.azure.com privatelink.notebooks.azure.net privatelink.ods.opinsights.azure.com privatelink.oms.opinsights.azure.com privatelink.pbidedicated.windows.net privatelink.postgres.database.azure.com privatelink.prod.migration.windowsazure.com privatelink.purview.azure.com privatelink.purviewstudio.azure.com privatelink.queue.core.windows.net privatelink.redis.cache.windows.net privatelink.redisenterprise.cache.azure.net 
privatelink.search.windows.net privatelink.service.signalr.net privatelink.servicebus.windows.net privatelink.siterecovery.windowsazure.com privatelink.sql.azuresynapse.net privatelink.table.core.windows.net privatelink.table.cosmos.azure.com privatelink.tip1.powerquery.microsoft.com privatelink.token.botframework.com privatelink.vaultcore.azure.net privatelink.web.core.windows.net privatelink.webpubsub.azure.com`

### parPrivateDnsZoneAutoMergeAzureBackupZone

![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)

Set Parameter to false to skip the addition of a Private DNS Zone for Azure Backup.

- Default value: `True`

### parVpnGatewayConfig

![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
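Review bot: the default value in the new `parPrivateDnsZoneAutoMergeAzureBackupZone` section is rendered as `True`, while the Bicep declaration and the JSON snippets in this same commit use `true`. If the docs generator emits the capitalised form, consider normalising it to `true` so the README matches what a parameter file actually needs; the same rendering appears in the generated privateDnsZones and vwanConnectivity docs in this commit.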
Expand Down Expand Up @@ -510,6 +519,9 @@ outHubVirtualNetworkId | string |
"privatelink.webpubsub.azure.com"
]
},
"parPrivateDnsZoneAutoMergeAzureBackupZone": {
"value": true
},
"parVpnGatewayConfig": {
"value": {
"name": "[format('{0}-Vpn-Gateway', parameters('parCompanyPrefix'))]",
4 changes: 4 additions & 0 deletions infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep
Original file line number Diff line number Diff line change
Expand Up @@ -205,6 +205,9 @@ param parPrivateDnsZones array = [
'privatelink.webpubsub.azure.com'
]

@sys.description('Set Parameter to false to skip the addition of a Private DNS Zone for Azure Backup.')
param parPrivateDnsZoneAutoMergeAzureBackupZone bool = true

//ASN must be 65515 if deploying VPN & ER for co-existence to work: https://docs.microsoft.com/en-us/azure/expressroute/expressroute-howto-coexist-resource-manager#limits-and-limitations
@sys.description('''Configuration for VPN virtual network gateway to be deployed. If a VPN virtual network gateway is not desired an empty object should be used as the input parameter in the parameter file, i.e.
"parVpnGatewayConfig": {
Expand Down Expand Up @@ -755,6 +758,7 @@ module modPrivateDnsZones '../privateDnsZones/privateDnsZones.bicep' = if (parPr
parTags: parTags
parVirtualNetworkIdToLink: resHubVnet.id
parPrivateDnsZones: parPrivateDnsZones
parPrivateDnsZoneAutoMergeAzureBackupZone: parPrivateDnsZoneAutoMergeAzureBackupZone
parTelemetryOptOut: parTelemetryOptOut
}
}
Original file line number Diff line number Diff line change
Expand Up @@ -176,6 +176,9 @@
"privatelink.webpubsub.azure.com"
]
},
"parPrivateDnsZoneAutoMergeAzureBackupZone": {
"value": true
},
"parVpnGatewayConfig": {
"value": {
"name": "alz-Vpn-Gateway",
Original file line number Diff line number Diff line change
Expand Up @@ -138,6 +138,9 @@
"privatelink.redis.cache.chinacloudapi.cn"
]
},
"parPrivateDnsZoneAutoMergeAzureBackupZone": {
"value": true
},
"parVpnGatewayConfig": {
"value": {
"name": "alz-Vpn-Gateway",
2 changes: 1 addition & 1 deletion infra-as-code/bicep/modules/privateDnsZones/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -31,7 +31,7 @@ The following DNS Zone use a geo code associated to the Azure Region.

- `privatelink.xxx.backup.windowsazure.com`

If the Azure Region entered in `parLocation` matches a lookup to the map in `varAzBackupGeoCodes` we will append Geo Codes (value) used to generate region-specific DNS zone names for Azure Backup private endpoints. then insert Azure Backup Private DNS Zone with appropriate geo code inserted alongside zones in `parPrivateDnsZones` into a new array called `varPrivateDnsZonesMerge`. If not just return `parPrivateDnsZones` as the only values in `varPrivateDnsZonesMerge`.
If the Azure Region entered in `parLocation` matches a lookup to the map in `varAzBackupGeoCodes` we will append Geo Codes (value) used to generate region-specific DNS zone names for Azure Backup private endpoints. then insert Azure Backup Private DNS Zone with appropriate geo code inserted alongside zones in `parPrivateDnsZones` into a new array called `varPrivateDnsZonesMerge`. If not just return `parPrivateDnsZones` as the only values in `varPrivateDnsZonesMerge`. To override this see the parameter `parPrivateDnsZoneAutoMergeAzureBackupZone`.

> For more information on Azure Backup and Private Link, or geo codes, please refer to: [Create and use private endpoints for Azure Backup](https://learn.microsoft.com/azure/backup/private-endpoints#when-using-custom-dns-server-or-host-files)
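Review bot: the rewritten sentence keeps the earlier fragment "private endpoints. then insert Azure Backup Private DNS Zone ...", which starts a sentence in lower case and reads as two run-on sentences; since this line is being touched anyway, reword it and state what the override does, e.g. "Set `parPrivateDnsZoneAutoMergeAzureBackupZone` to `false` to skip this merge; `varPrivateDnsZonesMerge` then contains only the zones in `parPrivateDnsZones`." That tells the reader the exact effect instead of pointing them at the parameter name alone.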
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@ Parameter name | Required | Description
-------------- | -------- | -----------
parLocation | No | The Azure Region to deploy the resources into.
parPrivateDnsZones | No | Array of custom DNS Zones to provision in Hub Virtual Network.
parPrivateDnsZoneAutoMergeAzureBackupZone | No | Set Parameter to false to skip the addition of a Private DNS Zone for Azure Backup.
parTags | No | Tags you would like to be applied to all resources in this module.
parVirtualNetworkIdToLink | No | Resource ID of VNet for Private DNS Zone VNet Links.
parTelemetryOptOut | No | Set Parameter to true to Opt-out of deployment telemetry.
Expand All @@ -28,6 +29,14 @@ Array of custom DNS Zones to provision in Hub Virtual Network.

- Default value: `[format('privatelink.{0}.azmk8s.io', toLower(parameters('parLocation')))] [format('privatelink.{0}.batch.azure.com', toLower(parameters('parLocation')))] [format('privatelink.{0}.kusto.windows.net', toLower(parameters('parLocation')))] privatelink.adf.azure.com privatelink.afs.azure.net privatelink.agentsvc.azure-automation.net privatelink.analysis.windows.net privatelink.api.azureml.ms privatelink.azconfig.io privatelink.azure-api.net privatelink.azure-automation.net privatelink.azurecr.io privatelink.azure-devices.net privatelink.azure-devices-provisioning.net privatelink.azurehdinsight.net privatelink.azurehealthcareapis.com privatelink.azurestaticapps.net privatelink.azuresynapse.net privatelink.azurewebsites.net privatelink.batch.azure.com privatelink.blob.core.windows.net privatelink.cassandra.cosmos.azure.com privatelink.cognitiveservices.azure.com privatelink.database.windows.net privatelink.datafactory.azure.net privatelink.dev.azuresynapse.net privatelink.dfs.core.windows.net privatelink.dicom.azurehealthcareapis.com privatelink.digitaltwins.azure.net privatelink.directline.botframework.com privatelink.documents.azure.com privatelink.eventgrid.azure.net privatelink.file.core.windows.net privatelink.gremlin.cosmos.azure.com privatelink.guestconfiguration.azure.com privatelink.his.arc.azure.com privatelink.kubernetesconfiguration.azure.com privatelink.managedhsm.azure.net privatelink.mariadb.database.azure.com privatelink.media.azure.net privatelink.mongo.cosmos.azure.com privatelink.monitor.azure.com privatelink.mysql.database.azure.com privatelink.notebooks.azure.net privatelink.ods.opinsights.azure.com privatelink.oms.opinsights.azure.com privatelink.pbidedicated.windows.net privatelink.postgres.database.azure.com privatelink.prod.migration.windowsazure.com privatelink.purview.azure.com privatelink.purviewstudio.azure.com privatelink.queue.core.windows.net privatelink.redis.cache.windows.net privatelink.redisenterprise.cache.azure.net 
privatelink.search.windows.net privatelink.service.signalr.net privatelink.servicebus.windows.net privatelink.siterecovery.windowsazure.com privatelink.sql.azuresynapse.net privatelink.table.core.windows.net privatelink.table.cosmos.azure.com privatelink.tip1.powerquery.microsoft.com privatelink.token.botframework.com privatelink.vaultcore.azure.net privatelink.web.core.windows.net privatelink.webpubsub.azure.com`

### parPrivateDnsZoneAutoMergeAzureBackupZone

![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)

Set Parameter to false to skip the addition of a Private DNS Zone for Azure Backup.

- Default value: `True`

### parTags

![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
Expand Down Expand Up @@ -140,6 +149,9 @@ outPrivateDnsZonesNames | array |
"privatelink.webpubsub.azure.com"
]
},
"parPrivateDnsZoneAutoMergeAzureBackupZone": {
"value": true
},
"parTags": {
"value": {}
},
Original file line number Diff line number Diff line change
Expand Up @@ -38,11 +38,19 @@
"privatelink.redis.cache.chinacloudapi.cn"
]
},
"parPrivateDnsZoneAutoMergeAzureBackupZone": {
"value": true
},
"parTags": {
"value": {
"Environment": "Live"
}
},
"parVirtualNetworkIdToLink": {
"value": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/xxxxxxxxxxx/providers/Microsoft.Network/virtualNetworks/xxxxxxxxxxx"
},
"parTelemetryOptOut": {
"value": false
}
}
}
}
Original file line number Diff line number Diff line change
Expand Up @@ -45,4 +45,4 @@
"value": false
}
}
}
}
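Review bot: only the closing `}` differs in this hunk, which points to a whitespace or end-of-file newline change rather than a content change; confirm it is intentional and consistent with the other parameter files touched here, so the formatting does not drift between them.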
Original file line number Diff line number Diff line change
Expand Up @@ -76,6 +76,9 @@
"privatelink.webpubsub.azure.com"
]
},
"parPrivateDnsZoneAutoMergeAzureBackupZone": {
"value": true
},
"parTags": {
"value": {
"Environment": "Live"
Original file line number Diff line number Diff line change
Expand Up @@ -74,6 +74,9 @@ param parPrivateDnsZones array = [
'privatelink.webpubsub.azure.com'
]

@sys.description('Set Parameter to false to skip the addition of a Private DNS Zone for Azure Backup.')
param parPrivateDnsZoneAutoMergeAzureBackupZone bool = true

@sys.description('Tags you would like to be applied to all resources in this module.')
param parTags object = {}

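Review bot: the `@sys.description` for `parPrivateDnsZoneAutoMergeAzureBackupZone` says what `false` does but not that `true` only adds the zone when `parLocation` matches a geo code in `varAzBackupGeoCodes`; a short addition such as "When true, the zone is added only if parLocation has a known Azure Backup geo code." would save readers a trip to the merge expression. The same description text is used in hubNetworking.bicep and the generated READMEs in this commit, so update them together.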
Expand Down Expand Up @@ -154,7 +157,7 @@ var varAzBackupGeoCodes = {
}

// If region entered in parLocation and matches a lookup to varAzBackupGeoCodes then insert Azure Backup Private DNS Zone with appropriate geo code inserted alongside zones in parPrivateDnsZones. If not just return parPrivateDnsZones
var varPrivateDnsZonesMerge = contains(varAzBackupGeoCodes, parLocation) ? union(parPrivateDnsZones, [ 'privatelink.${varAzBackupGeoCodes[toLower(parLocation)]}.backup.windowsazure.com' ]) : parPrivateDnsZones
var varPrivateDnsZonesMerge = parPrivateDnsZoneAutoMergeAzureBackupZone && contains(varAzBackupGeoCodes, parLocation) ? union(parPrivateDnsZones, [ 'privatelink.${varAzBackupGeoCodes[toLower(parLocation)]}.backup.windowsazure.com' ]) : parPrivateDnsZones

// Customer Usage Attribution Id
var varCuaid = '981733dd-3195-4fda-a4ee-605ab959edb6'
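Review bot: the comment directly above `varPrivateDnsZonesMerge` still describes the old behaviour and does not mention the new `parPrivateDnsZoneAutoMergeAzureBackupZone` gate; update it alongside the expression. Two smaller points on the new line: `&&` binds tighter than `?:` in Bicep, so the condition evaluates as intended, but wrapping `(parPrivateDnsZoneAutoMergeAzureBackupZone && contains(varAzBackupGeoCodes, parLocation))` in parentheses makes that explicit; and the `contains()` check tests `parLocation` while the lookup indexes with `toLower(parLocation)`, so using `toLower(parLocation)` in both places keeps the two consistent regardless of how the caller cases the region name.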
3 changes: 2 additions & 1 deletion infra-as-code/bicep/modules/vwanConnectivity/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -43,7 +43,8 @@ The module will generate the following outputs:
| outVirtualHubName | string | alz-vhub-eastus |
| outVirtualHubId | string | /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/alz-vwan-eastus/providers/Microsoft.Network/virtualHubs/alz-vhub-eastus |
| outDdosPlanResourceId | string | /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/alz-vwan-eastus/providers/Microsoft.Network/ddosProtectionPlans/alz-ddos-plan |
| outPrivateDnsZones | array | `["name": "privatelink.azurecr.io", "id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/net-lz-spk-eastus-rg/providers/Microsoft.Network/privateDnsZones/privatelink.azurecr.io"]` |
| outPrivateDnsZones | array | `[{"name":"privatelink.azurecr.io","id":"/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/net-lz-spk-eastus-rg/providers/Microsoft.Network/privateDnsZones/privatelink.azurecr.io"},{"name":"privatelink.azurewebsites.net","id":"/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/net-lz-spk-eastus-rg/providers/Microsoft.Network/privateDnsZones/privatelink.azurewebsites.net"}]` |
| outPrivateDnsZonesNames | array | `["privatelink.azurecr.io", "privatelink.azurewebsites.net"]` |

## Deployment

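Review bot: this table gains an `outPrivateDnsZonesNames` row, but no change to vwanConnectivity.bicep declaring that output appears among the files shown here; confirm the module actually exposes it (the privateDnsZones generated docs in this commit already list it) so the README does not document an output that does not exist. The corrected `outPrivateDnsZones` example now shows a valid JSON array of objects, which fixes the previous bare key/value list.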
Original file line number Diff line number Diff line change
Expand Up @@ -26,6 +26,7 @@ parDdosPlanName | No | DDoS Plan Name.
parPrivateDnsZonesEnabled | No | Switch to enable/disable Private DNS Zones deployment.
parPrivateDnsZonesResourceGroup | No | Resource Group Name for Private DNS Zones.
parPrivateDnsZones | No | Array of DNS Zones to provision in Hub Virtual Network.
parPrivateDnsZoneAutoMergeAzureBackupZone | No | Set Parameter to false to skip the addition of a Private DNS Zone for Azure Backup.
parVirtualNetworkIdToLink | No | Resource ID of VNet for Private DNS Zone VNet Links
parTags | No | Tags you would like to be applied to all resources in this module.
parTelemetryOptOut | No | Set Parameter to true to Opt-out of deployment telemetry
Expand Down Expand Up @@ -200,6 +201,14 @@ Array of DNS Zones to provision in Hub Virtual Network.

- Default value: `[format('privatelink.{0}.azmk8s.io', toLower(parameters('parLocation')))] [format('privatelink.{0}.batch.azure.com', toLower(parameters('parLocation')))] [format('privatelink.{0}.kusto.windows.net', toLower(parameters('parLocation')))] privatelink.adf.azure.com privatelink.afs.azure.net privatelink.agentsvc.azure-automation.net privatelink.analysis.windows.net privatelink.api.azureml.ms privatelink.azconfig.io privatelink.azure-api.net privatelink.azure-automation.net privatelink.azurecr.io privatelink.azure-devices.net privatelink.azure-devices-provisioning.net privatelink.azurehdinsight.net privatelink.azurehealthcareapis.com privatelink.azurestaticapps.net privatelink.azuresynapse.net privatelink.azurewebsites.net privatelink.batch.azure.com privatelink.blob.core.windows.net privatelink.cassandra.cosmos.azure.com privatelink.cognitiveservices.azure.com privatelink.database.windows.net privatelink.datafactory.azure.net privatelink.dev.azuresynapse.net privatelink.dfs.core.windows.net privatelink.dicom.azurehealthcareapis.com privatelink.digitaltwins.azure.net privatelink.directline.botframework.com privatelink.documents.azure.com privatelink.eventgrid.azure.net privatelink.file.core.windows.net privatelink.gremlin.cosmos.azure.com privatelink.guestconfiguration.azure.com privatelink.his.arc.azure.com privatelink.kubernetesconfiguration.azure.com privatelink.managedhsm.azure.net privatelink.mariadb.database.azure.com privatelink.media.azure.net privatelink.mongo.cosmos.azure.com privatelink.monitor.azure.com privatelink.mysql.database.azure.com privatelink.notebooks.azure.net privatelink.ods.opinsights.azure.com privatelink.oms.opinsights.azure.com privatelink.pbidedicated.windows.net privatelink.postgres.database.azure.com privatelink.prod.migration.windowsazure.com privatelink.purview.azure.com privatelink.purviewstudio.azure.com privatelink.queue.core.windows.net privatelink.redis.cache.windows.net privatelink.redisenterprise.cache.azure.net 
privatelink.search.windows.net privatelink.service.signalr.net privatelink.servicebus.windows.net privatelink.siterecovery.windowsazure.com privatelink.sql.azuresynapse.net privatelink.table.core.windows.net privatelink.table.cosmos.azure.com privatelink.tip1.powerquery.microsoft.com privatelink.token.botframework.com privatelink.vaultcore.azure.net privatelink.web.core.windows.net privatelink.webpubsub.azure.com`

### parPrivateDnsZoneAutoMergeAzureBackupZone

![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)

Set Parameter to false to skip the addition of a Private DNS Zone for Azure Backup.

- Default value: `True`

### parVirtualNetworkIdToLink

![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
Expand Down Expand Up @@ -230,6 +239,7 @@ outVirtualHubName | array |
outVirtualHubId | array |
outDdosPlanResourceId | string |
outPrivateDnsZones | array |
outPrivateDnsZonesNames | array |

## Snippets

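Review bot: while this outputs table is being touched, the context rows above list `outVirtualHubName` and `outVirtualHubId` as `array`, whereas the module README in this same commit documents both as `string`; worth correcting in the same pass so the two tables agree.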
Expand Down Expand Up @@ -380,6 +390,9 @@ outPrivateDnsZones | array |
"privatelink.webpubsub.azure.com"
]
},
"parPrivateDnsZoneAutoMergeAzureBackupZone": {
"value": true
},
"parVirtualNetworkIdToLink": {
"value": ""
},
Original file line number Diff line number Diff line change
Expand Up @@ -99,6 +99,9 @@
"privatelink.redis.cache.chinacloudapi.cn"
]
},
"parPrivateDnsZoneAutoMergeAzureBackupZone": {
"value": true
},
"parVirtualNetworkIdToLink": {
"value": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/HUB_Networking_POC/providers/Microsoft.Network/virtualNetworks/alz-hub-eastus"
},
Original file line number Diff line number Diff line change
Expand Up @@ -137,6 +137,9 @@
"privatelink.webpubsub.azure.com"
]
},
"parPrivateDnsZoneAutoMergeAzureBackupZone": {
"value": true
},
"parVirtualNetworkIdToLink": {
"value": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/HUB_Networking_POC/providers/Microsoft.Network/virtualNetworks/alz-hub-eastus"
},

0 comments on commit bc38606
