fix: Private DNS Zones Bug (#695) (#891)

* accelerator files * updates to v0.2.0 of ptn * docs update * add output for names * fmt * bump to pdns 0.2.1 * hub MR changes * add rel notes draft * remove pdns module * doc updates * update params * fix psrule * readme updates * remove
Azure · Nov 6, 2024 · c282211 · c282211
1 parent d1edb92
commit c282211
Show file tree

Hide file tree

Showing 34 changed files with 1,042 additions and 3,167 deletions.
diff --git a/accelerator/.config/ALZ-Powershell-Auto.config.json b/accelerator/.config/ALZ-Powershell-Auto.config.json
@@ -603,16 +603,6 @@
             }
           ]
         },
-        "AK8sPrivateLink": {
-          "source": "calculated",
-          "pattern": "privatelink.{%Location%}.azmk8s.io",
-          "targets": [
-            {
-              "Name": "parPrivateDnsZones.value[0]",
-              "Destination": "Parameters"
-            }
-          ]
-        },
         "parAzBastionName": {
           "source": "calculated",
           "pattern": "alz-bastion-{%Location%}",
@@ -693,76 +683,6 @@
             }
           ]
         },
-        "AK8sPrivateLinkSecondary": {
-          "source": "calculated",
-          "pattern": "privatelink.{%SecondaryLocation%}.azmk8s.io",
-          "targets": [
-            {
-              "Name": "parPrivateDnsZonesSecondaryLocation.value[0]",
-              "Destination": "Parameters"
-            }
-          ]
-        },
-        "BatchPrivateLink": {
-          "source": "calculated",
-          "pattern": "privatelink.{%Location%}.batch.azure.com",
-          "targets": [
-            {
-              "Name": "parPrivateDnsZones.value[1]",
-              "Destination": "Parameters"
-            }
-          ]
-        },
-        "BatchPrivateLinkSecondary": {
-          "source": "calculated",
-          "pattern": "privatelink.{%SecondaryLocation%}.batch.azure.com",
-          "targets": [
-            {
-              "Name": "parPrivateDnsZonesSecondaryLocation.value[1]",
-              "Destination": "Parameters"
-            }
-          ]
-        },
-        "KustoPrivateLink": {
-          "source": "calculated",
-          "pattern": "privatelink.{%Location%}.kusto.windows.net",
-          "targets": [
-            {
-              "Name": "parPrivateDnsZones.value[2]",
-              "Destination": "Parameters"
-            }
-          ]
-        },
-        "KustoPrivateLinkSecondary": {
-          "source": "calculated",
-          "pattern": "privatelink.{%SecondaryLocation%}.kusto.windows.net",
-          "targets": [
-            {
-              "Name": "parPrivateDnsZonesSecondaryLocation.value[2]",
-              "Destination": "Parameters"
-            }
-          ]
-        },
-        "BackupPrivateLink": {
-          "source": "calculated",
-          "pattern": "privatelink.{%Location%}.backup.windowsazure.com",
-          "targets": [
-            {
-              "Name": "parPrivateDnsZones.value[3]",
-              "Destination": "Parameters"
-            }
-          ]
-        },
-        "BackupPrivateLinkSecondary": {
-          "source": "calculated",
-          "pattern": "privatelink.{%SecondaryLocation%}.backup.windowsazure.com",
-          "targets": [
-            {
-              "Name": "parPrivateDnsZonesSecondaryLocation.value[3]",
-              "Destination": "Parameters"
-            }
-          ]
-        },
         "ConnectivityResourceGroupName": {
           "source": "calculated",
           "pattern": "rg-{%Prefix%}-connectivity",

diff --git a/accelerator/.config/ALZ-Powershell.config.json b/accelerator/.config/ALZ-Powershell.config.json
@@ -603,46 +603,6 @@
         }
       ]
     },
-    "AK8sPrivateLink": {
-      "Type": "Computed",
-      "Value": "privatelink.{%Location%}.azmk8s.io",
-      "Targets": [
-        {
-          "Name": "parPrivateDnsZones.value.[0]",
-          "Destination": "Parameters"
-        }
-      ]
-    },
-    "BatchPrivateLink": {
-      "Type": "Computed",
-      "Value": "privatelink.{%Location%}.batch.azure.com",
-      "Targets": [
-        {
-          "Name": "parPrivateDnsZones.value.[1]",
-          "Destination": "Parameters"
-        }
-      ]
-    },
-    "KustoPrivateLink": {
-      "Type": "Computed",
-      "Value": "privatelink.{%Location%}.kusto.windows.net",
-      "Targets": [
-        {
-          "Name": "parPrivateDnsZones.value.[2]",
-          "Destination": "Parameters"
-        }
-      ]
-    },
-    "BackupPrivateLink": {
-      "Type": "Computed",
-      "Value": "privatelink.{%Location%}.backup.windowsazure.com",
-      "Targets": [
-        {
-          "Name": "parPrivateDnsZones.value.[3]",
-          "Destination": "Parameters"
-        }
-      ]
-    },
     "UpstreamReleaseVersion": {
       "Type": "Computed",
       "Value": "{REPLACED_BY_ALZ_POWERSHELL_MODULE}",

diff --git a/docs/wiki/CustomerUsage.md b/docs/wiki/CustomerUsage.md
@@ -48,7 +48,6 @@ The following are the unique ID's (also known as PIDs) used in each of the modul
 | virtualNetworkPeer                | ab8e3b12-b0fa-40aa-8630-e3f7699e2142 |
 | vwanConnectivity                  | 7f94f23b-7a59-4a5c-9a8d-2a253a566f61 |
 | vnetPeeringVwan                   | 7b5e6db2-1e8c-4b01-8eee-e1830073a63d |
-| privateDnsZones                   | 981733dd-3195-4fda-a4ee-605ab959edb6 |
 | hubSpoke - Orchestration          | 50ad3b1a-f72c-4de4-8293-8a6399991beb |
 | hubPeeredSpoke - Orchestration    | 8ea6f19a-d698-4c00-9afb-5c92d4766fd2 |
 | SubPlacementAll - Orchestration   | bb800623-86ff-4ab4-8901-93c2b70967ae |

diff --git a/infra-as-code/bicep/modules/hubNetworking/README.md b/infra-as-code/bicep/modules/hubNetworking/README.md
@@ -22,20 +22,6 @@ Module deploys the following resources:
 > - Although there are generated parameter markdowns for Azure Commercial Cloud, this same module can still be used in Azure China. Example parameter are in the [parameters](./parameters/) folder.
 >
 > - The file `parameters/hubNetworking.parameters.az.all.json` contains parameter values for SKUs that are compatible with availability zones for relevant resource types. In cases where you are deploying to a region that does not support availability zones, you should opt for the `parameters/hubNetworking.parameters.all.json` file.
->
-> - When deploying using the `parameters/hubNetworking.parameters.all.json` you must update the `parPrivateDnsZones` parameter by replacing the `xxxxxx` placeholders with the deployment region or geo code, for Azure Backup. Failure to do so will cause these services to be unreachable over private endpoints.
->
-> For example, if deploying to East US the following zone entries:
-> - `privatelink.xxxxxx.azmk8s.io`
-> - `privatelink.xxxxxx.backup.windowsazure.com`
-> - `privatelink.xxxxxx.batch.azure.com`
->
-> Will become:
-> - `privatelink.eastus.azmk8s.io`
-> - `privatelink.eus.backup.windowsazure.com`
-> - `privatelink.eastus.batch.azure.com`
->
-> See child module, [`privateDnsZones.bicep` docs](https://github.com/Azure/ALZ-Bicep/tree/main/infra-as-code/bicep/modules/privateDnsZones#dns-zones) for more info on how this works
 
 To configure P2S VPN connections edit the vpnClientConfiguration value in the `parVpnGatewayConfig` parameter.
 

diff --git a/...de/bicep/modules/hubNetworking/generateddocs/hubNetworking-multiRegion.bicep.md b/...de/bicep/modules/hubNetworking/generateddocs/hubNetworking-multiRegion.bicep.md
@@ -76,9 +76,9 @@ parDisableBgpRoutePropagationSecondaryLocation | No       | Switch to enable/dis
 parHubRouteTableLock | No       | Resource Lock Configuration for Hub Route Table.  - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock.  
 parPrivateDnsZonesEnabled | No       | Switch to enable/disable Private DNS Zones deployment.
 parPrivateDnsZonesResourceGroup | No       | Resource Group Name for Private DNS Zones.
-parPrivateDnsZones | No       | Array of DNS Zones to provision in Hub Virtual Network. Default: All known Azure Private DNS Zones
-parPrivateDnsZoneAutoMergeAzureBackupZone | No       | Set Parameter to false to skip the addition of a Private DNS Zone for Azure Backup.
+parPrivateDnsZones | No       | Array of DNS Zones to provision and link to Hub Virtual Networks. Default: All known Azure Private DNS Zones, baked into underlying AVM module see: https://github.com/Azure/bicep-registry-modules/tree/main/avm/ptn/network/private-link-private-dns-zones#parameter-privatelinkprivatednszones
 parVirtualNetworkIdToLinkFailover | No       | Resource ID of Failover VNet for Private DNS Zone VNet Failover Links
+parVirtualNetworkResourceIdsToLinkTo | No       | Array of Resource IDs of VNets to link to Private DNS Zones. Hub VNets are automatically included by module.
 parPrivateDNSZonesLock | No       | Resource Lock Configuration for Private DNS Zone(s).  - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock.  
 parVpnGatewayEnabled | No       | Switch to enable/disable VPN virtual network gateway deployment.
 parVpnGatewayEnabledSecondaryLocation | No       | Switch to enable/disable VPN virtual network gateway deployment in secondary location.
@@ -686,23 +686,19 @@ Resource Group Name for Private DNS Zones.
 
 ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
 
-Array of DNS Zones to provision in Hub Virtual Network. Default: All known Azure Private DNS Zones
+Array of DNS Zones to provision and link to Hub Virtual Networks. Default: All known Azure Private DNS Zones, baked into underlying AVM module see: https://github.com/Azure/bicep-registry-modules/tree/main/avm/ptn/network/private-link-private-dns-zones#parameter-privatelinkprivatednszones
 
-- Default value: `[format('privatelink.{0}.azmk8s.io', toLower(parameters('parLocation')))] [format('privatelink.{0}.batch.azure.com', toLower(parameters('parLocation')))] [format('privatelink.{0}.kusto.windows.net', toLower(parameters('parLocation')))] [format('privatelink.{0}.backup.windowsazure.com', toLower(parameters('parLocation')))] privatelink.adf.azure.com privatelink.afs.azure.net privatelink.agentsvc.azure-automation.net privatelink.analysis.windows.net privatelink.api.azureml.ms privatelink.azconfig.io privatelink.azure-api.net privatelink.azure-automation.net privatelink.azurecr.io privatelink.azure-devices.net privatelink.azure-devices-provisioning.net privatelink.azuredatabricks.net privatelink.azurehdinsight.net privatelink.azurehealthcareapis.com privatelink.azurestaticapps.net privatelink.azuresynapse.net privatelink.azurewebsites.net privatelink.batch.azure.com privatelink.blob.core.windows.net privatelink.cassandra.cosmos.azure.com privatelink.cognitiveservices.azure.com privatelink.database.windows.net privatelink.datafactory.azure.net privatelink.dev.azuresynapse.net privatelink.dfs.core.windows.net privatelink.dicom.azurehealthcareapis.com privatelink.digitaltwins.azure.net privatelink.directline.botframework.com privatelink.documents.azure.com privatelink.eventgrid.azure.net privatelink.file.core.windows.net privatelink.gremlin.cosmos.azure.com privatelink.guestconfiguration.azure.com privatelink.his.arc.azure.com privatelink.dp.kubernetesconfiguration.azure.com privatelink.managedhsm.azure.net privatelink.mariadb.database.azure.com privatelink.media.azure.net privatelink.mongo.cosmos.azure.com privatelink.monitor.azure.com privatelink.mysql.database.azure.com privatelink.notebooks.azure.net privatelink.ods.opinsights.azure.com privatelink.oms.opinsights.azure.com privatelink.pbidedicated.windows.net privatelink.postgres.database.azure.com privatelink.prod.migration.windowsazure.com privatelink.purview.azure.com privatelink.purviewstudio.azure.com privatelink.queue.core.windows.net privatelink.redis.cache.windows.net privatelink.redisenterprise.cache.azure.net privatelink.search.windows.net privatelink.service.signalr.net privatelink.servicebus.windows.net privatelink.siterecovery.windowsazure.com privatelink.sql.azuresynapse.net privatelink.table.core.windows.net privatelink.table.cosmos.azure.com privatelink.tip1.powerquery.microsoft.com privatelink.token.botframework.com privatelink.vaultcore.azure.net privatelink.web.core.windows.net privatelink.webpubsub.azure.com`
-
-### parPrivateDnsZoneAutoMergeAzureBackupZone
+### parVirtualNetworkIdToLinkFailover
 
 ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
 
-Set Parameter to false to skip the addition of a Private DNS Zone for Azure Backup.
-
-- Default value: `True`
+Resource ID of Failover VNet for Private DNS Zone VNet Failover Links
 
-### parVirtualNetworkIdToLinkFailover
+### parVirtualNetworkResourceIdsToLinkTo
 
 ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
 
-Resource ID of Failover VNet for Private DNS Zone VNet Failover Links
+Array of Resource IDs of VNets to link to Private DNS Zones. Hub VNets are automatically included by module.
 
 ### parPrivateDNSZonesLock
 
@@ -1140,83 +1136,14 @@ outBastionNsgNameSecondaryLocation | string |
             "value": "[resourceGroup().name]"
         },
         "parPrivateDnsZones": {
-            "value": [
-                "[format('privatelink.{0}.azmk8s.io', toLower(parameters('parLocation')))]",
-                "[format('privatelink.{0}.batch.azure.com', toLower(parameters('parLocation')))]",
-                "[format('privatelink.{0}.kusto.windows.net', toLower(parameters('parLocation')))]",
-                "[format('privatelink.{0}.backup.windowsazure.com', toLower(parameters('parLocation')))]",
-                "privatelink.adf.azure.com",
-                "privatelink.afs.azure.net",
-                "privatelink.agentsvc.azure-automation.net",
-                "privatelink.analysis.windows.net",
-                "privatelink.api.azureml.ms",
-                "privatelink.azconfig.io",
-                "privatelink.azure-api.net",
-                "privatelink.azure-automation.net",
-                "privatelink.azurecr.io",
-                "privatelink.azure-devices.net",
-                "privatelink.azure-devices-provisioning.net",
-                "privatelink.azuredatabricks.net",
-                "privatelink.azurehdinsight.net",
-                "privatelink.azurehealthcareapis.com",
-                "privatelink.azurestaticapps.net",
-                "privatelink.azuresynapse.net",
-                "privatelink.azurewebsites.net",
-                "privatelink.batch.azure.com",
-                "privatelink.blob.core.windows.net",
-                "privatelink.cassandra.cosmos.azure.com",
-                "privatelink.cognitiveservices.azure.com",
-                "privatelink.database.windows.net",
-                "privatelink.datafactory.azure.net",
-                "privatelink.dev.azuresynapse.net",
-                "privatelink.dfs.core.windows.net",
-                "privatelink.dicom.azurehealthcareapis.com",
-                "privatelink.digitaltwins.azure.net",
-                "privatelink.directline.botframework.com",
-                "privatelink.documents.azure.com",
-                "privatelink.eventgrid.azure.net",
-                "privatelink.file.core.windows.net",
-                "privatelink.gremlin.cosmos.azure.com",
-                "privatelink.guestconfiguration.azure.com",
-                "privatelink.his.arc.azure.com",
-                "privatelink.dp.kubernetesconfiguration.azure.com",
-                "privatelink.managedhsm.azure.net",
-                "privatelink.mariadb.database.azure.com",
-                "privatelink.media.azure.net",
-                "privatelink.mongo.cosmos.azure.com",
-                "privatelink.monitor.azure.com",
-                "privatelink.mysql.database.azure.com",
-                "privatelink.notebooks.azure.net",
-                "privatelink.ods.opinsights.azure.com",
-                "privatelink.oms.opinsights.azure.com",
-                "privatelink.pbidedicated.windows.net",
-                "privatelink.postgres.database.azure.com",
-                "privatelink.prod.migration.windowsazure.com",
-                "privatelink.purview.azure.com",
-                "privatelink.purviewstudio.azure.com",
-                "privatelink.queue.core.windows.net",
-                "privatelink.redis.cache.windows.net",
-                "privatelink.redisenterprise.cache.azure.net",
-                "privatelink.search.windows.net",
-                "privatelink.service.signalr.net",
-                "privatelink.servicebus.windows.net",
-                "privatelink.siterecovery.windowsazure.com",
-                "privatelink.sql.azuresynapse.net",
-                "privatelink.table.core.windows.net",
-                "privatelink.table.cosmos.azure.com",
-                "privatelink.tip1.powerquery.microsoft.com",
-                "privatelink.token.botframework.com",
-                "privatelink.vaultcore.azure.net",
-                "privatelink.web.core.windows.net",
-                "privatelink.webpubsub.azure.com"
-            ]
-        },
-        "parPrivateDnsZoneAutoMergeAzureBackupZone": {
-            "value": true
+            "value": []
         },
         "parVirtualNetworkIdToLinkFailover": {
             "value": ""
         },
+        "parVirtualNetworkResourceIdsToLinkTo": {
+            "value": []
+        },
         "parPrivateDNSZonesLock": {
             "value": {
                 "kind": "None",