Azure · jtracey93 · Mar 8, 2024 · Nov 28, 2023 · Nov 28, 2023 · Nov 28, 2023
diff --git a/docs/wiki/Whats-new.md b/docs/wiki/Whats-new.md
@@ -41,6 +41,20 @@ This article will be updated as and when changes are made to the above and anyth
 
 Here's what's changed in Enterprise Scale/Azure Landing Zones:
 
+### Policy Refresh FY23Q3
+
+- Updated `Audit-PrivateLinkDnsZones` display name to inlcude the fact it can be `audit` or `deny`
+- Added the [Configure BotService resources to use private DNS zones](https://www.azadvertizer.net/azpolicyadvertizer/6a4e6f44-f2af-4082-9702-033c9e88b9f8.html) built-in policy to the "Deploy-Private-DNS-Zones" initiative and assignment.
+- Added the [Configure Azure Managed Grafana workspaces to use private DNS zones](https://www.azadvertizer.net/azpolicyadvertizer/4c8537f8-cd1b-49ec-b704-18e82a42fd58.html) built-in policy to the "Deploy-Private-DNS-Zones" initiative and assignment.
+- Added the [Configure Azure Virtual Desktop hostpool resources to use private DNS zones](https://www.azadvertizer.net/azpolicyadvertizer/9427df23-0f42-4e1e-bf99-a6133d841c4a.html) built-in policy to the "Deploy-Private-DNS-Zones" initiative and assignment.
+- Added the [Configure Azure Virtual Desktop workspace resources to use private DNS zones](https://www.azadvertizer.net/azpolicyadvertizer/34804460-d88b-4922-a7ca-537165e060ed.html) built-in policy to the "Deploy-Private-DNS-Zones" initiative and assignment.
+- Added the [Configure Azure Device Update for IoT Hub accounts to use private DNS zones](https://www.azadvertizer.net/azpolicyadvertizer/a222b93a-e6c2-4c01-817f-21e092455b2a.html) built-in policy to the "Deploy-Private-DNS-Zones" initiative and assignment.
+- Added the [Configure Azure Arc Private Link Scopes to use private DNS zones](https://www.azadvertizer.net/azpolicyadvertizer/55c4db33-97b0-437b-8469-c4f4498f5df9.html) built-in policy to the "Deploy-Private-DNS-Zones" initiative and assignment.
+- Added the [Deploy - Configure IoT Central to use private DNS zones](https://www.azadvertizer.net/azpolicyadvertizer/d627d7c6-ded5-481a-8f2e-7e16b1e6faf6.html) built-in policy to the "Deploy-Private-DNS-Zones" initiative and assignment.
+- Added the [Configure Recovery Services vaults to use private DNS zones for backup](https://www.azadvertizer.net/azpolicyadvertizer/af783da1-4ad1-42be-800d-d19c70038820.html) built-in policy to the "Deploy-Private-DNS-Zones" initiative and assignment.
+- Added the [Configure a private DNS Zone ID for table groupID](https://www.azadvertizer.net/azpolicyadvertizer/028bbd88-e9b5-461f-9424-a1b63a7bee1a.html) built-in policy to the "Deploy-Private-DNS-Zones" initiative and assignment.
+- Added the [Configure a private DNS Zone ID for table_secondary groupID](https://www.azadvertizer.net/azpolicyadvertizer/c1d634a5-f73d-4cdd-889f-2cc7006eb47f.html) built-in policy to the "Deploy-Private-DNS-Zones" initiative and assignment.
+
 ### March 2024
 
 #### Documentation
@@ -106,6 +120,7 @@ Yes, the Q2 Policy Refresh has been delayed due to a light past quarter and some
 - Updated broken links in [Deploying ALZ ZT Network](https://github.com/Azure/Enterprise-Scale/wiki/Deploying-ALZ-ZTNetwork#azure-landing-zone-portal-accelerator-deployment-with-zero-trust-network-principles)
 - Added wiki document for recommended Resource Providers to register for Subscriptions in ALZ [ALZ Azure Resource Provider Recommendations](https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Resource-Provider-Recommendations)
 
+
 ### December 2023
 
 #### Tooling

diff --git a/eslzArm/eslz-portal.json b/eslzArm/eslz-portal.json
@@ -1280,6 +1280,9 @@
                                 {
                                     "value": "privatelink.azurehealthcareapis.com"
                                 },
+                                {
+                                    "value": "privatelink.azureiotcentral.com"
+                                },
                                 {
                                     "value": "privatelink.azurestaticapps.net"
                                 },
@@ -1325,12 +1328,18 @@
                                 {
                                     "value": "privatelink.documents.azure.com"
                                 },
+                                {
+                                    "value": "privatelink.dp.kubernetesconfiguration.azure.com"
+                                },
                                 {
                                     "value": "privatelink.eventgrid.azure.net"
                                 },
                                 {
                                     "value": "privatelink.file.core.windows.net"
                                 },
+                                {
+                                    "value": "privatelink.grafana.azure.com"
+                                },
                                 {
                                     "value": "privatelink.gremlin.cosmos.azure.com"
                                 },
@@ -1429,6 +1438,12 @@
                                 },
                                 {
                                     "value": "privatelink.webpubsub.azure.com"
+                                },
+                                {
+                                    "value": "privatelink.wvd.microsoft.com"
+                                },
+                                {
+                                    "value" : "privatelink-global.wvd.microsoft.com"
                                 }
                             ],
                             "visible": "[and(or(equals(steps('connectivity').enableHub, 'vhub'), equals(steps('connectivity').enableHub, 'nva')), not(equals(steps('connectivity').enablePrivateDnsZones,'No')))]",
@@ -1511,6 +1526,10 @@
                                         "label": "privatelink.azurehealthcareapis.com",
                                         "value": "privatelink.azurehealthcareapis.com"
                                     },
+                                    {
+                                        "label": "privatelink.azureiotcentral.com",
+                                        "value": "privatelink.azureiotcentral.com"
+                                    },
                                     {
                                         "label": "privatelink.azurestaticapps.net",
                                         "value": "privatelink.azurestaticapps.net"
@@ -1571,6 +1590,10 @@
                                         "label": "privatelink.documents.azure.com",
                                         "value": "privatelink.documents.azure.com"
                                     },
+                                    {
+                                        "label": "privatelink.dp.kubernetesconfiguration.azure.com",
+                                        "value": "privatelink.dp.kubernetesconfiguration.azure.com"
+                                    },
                                     {
                                         "label": "privatelink.eventgrid.azure.net",
                                         "value": "privatelink.eventgrid.azure.net"
@@ -1579,6 +1602,10 @@
                                         "label": "privatelink.file.core.windows.net",
                                         "value": "privatelink.file.core.windows.net"
                                     },
+                                    {
+                                        "label": "privatelink.grafana.azure.com",
+                                        "value": "privatelink.grafana.azure.com"
+                                    },
                                     {
                                         "label": "privatelink.gremlin.cosmos.azure.com",
                                         "value": "privatelink.gremlin.cosmos.azure.com"
@@ -1710,6 +1737,14 @@
                                     {
                                         "label": "privatelink.webpubsub.azure.com",
                                         "value": "privatelink.webpubsub.azure.com"
+                                    },
+                                    {
+                                        "label": "privatelink.wvd.microsoft.com",
+                                        "value": "privatelink.wvd.microsoft.com"
+                                    },
+                                    {
+                                        "label": "privatelink-global.wvd.microsoft.com",
+                                        "value": "privatelink-global.wvd.microsoft.com"
                                     }
                                 ]
                             }

diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DINE-PrivateDNSZonesPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DINE-PrivateDNSZonesPolicyAssignment.json
@@ -34,6 +34,76 @@
         }
     },
     "variables": {
+        "azBackupGeoCodes": {
+            "australiacentral": "acl",
+            "australiacentral2": "acl2",
+            "australiaeast": "ae",
+            "australiasoutheast": "ase",
+            "brazilsouth": "brs",
+            "brazilsoutheast": "bse",
+            "centraluseuap": "ccy",
+            "canadacentral": "cnc",
+            "canadaeast": "cne",
+            "centralus": "cus",
+            "eastasia": "ea",
+            "eastus2euap": "ecy",
+            "eastus": "eus",
+            "eastus2": "eus2",
+            "francecentral": "frc",
+            "francesouth": "frs",
+            "germanynorth": "gn",
+            "germanywestcentral": "gwc",
+            "centralindia": "inc",
+            "southindia": "ins",
+            "westindia": "inw",
+            "italynorth": "itn",
+            "japaneast": "jpe",
+            "japanwest": "jpw",
+            "jioindiacentral": "jic",
+            "jioindiawest": "jiw",
+            "koreacentral": "krc",
+            "koreasouth": "krs",
+            "northcentralus": "ncus",
+            "northeurope": "ne",
+            "norwayeast": "nwe",
+            "norwaywest": "nww",
+            "qatarcentral": "qac",
+            "southafricanorth": "san",
+            "southafricawest": "saw",
+            "southcentralus": "scus",
+            "swedencentral": "sdc",
+            "swedensouth": "sds",
+            "southeastasia": "sea",
+            "switzerlandnorth": "szn",
+            "switzerlandwest": "szw",
+            "uaecentral": "uac",
+            "uaenorth": "uan",
+            "uksouth": "uks",
+            "ukwest": "ukw",
+            "westcentralus": "wcus",
+            "westeurope": "we",
+            "westus": "wus",
+            "westus2": "wus2",
+            "westus3": "wus3",
+            "usdodcentral": "udc",
+            "usdodeast": "ude",
+            "usgovarizona": "uga",
+            "usgoviowa": "ugi",
+            "usgovtexas": "ugt",
+            "usgovvirginia": "ugv",
+            "usnateast": "exe",
+            "usnatwest": "exw",
+            "usseceast": "rxe",
+            "ussecwest": "rxw",
+            "chinanorth": "bjb",
+            "chinanorth2": "bjb2",
+            "chinanorth3": "bjb3",
+            "chinaeast": "sha",
+            "chinaeast2": "sha2",
+            "chinaeast3": "sha3",
+            "germanycentral": "gec",
+            "germanynortheast": "gne"
+        },
         "baseId": "[concat(parameters('dnsZoneResourceGroupId'), '/providers/Microsoft.Network/privateDnsZones/')]",
         "policyParameterMapping": {
             "azureFilePrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.afs.azure.net')]",
@@ -87,7 +157,21 @@
             "azureEventHubNamespacePrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.servicebus.windows.net')]",
             "azureMachineLearningWorkspacePrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.api.azureml.ms')]",
             "azureServiceBusNamespacePrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.servicebus.windows.net')]",
-            "azureCognitiveSearchPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.search.windows.net')]"
+            "azureCognitiveSearchPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.search.windows.net')]",
+            "azureBotServicePrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.directline.botframework.com')]",
+            "azureManagedGrafanaWorkspacePrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.grafana.azure.com')]",
+            "azureVirtualDesktopHostpoolPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.wvd.microsoft.com')]",
+            "azureVirtualDesktopWorkspacePrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.wvd.microsoft.com')]",
+            "azureIotDeviceupdatePrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.azure-devices.net')]",
+            "azureArcGuestconfigurationPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.guestconfiguration.azure.com')]",
+            "azureArcHybridResourceProviderPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.his.arc.azure.com')]",
+            "azureArcKubernetesConfigurationPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.dp.kubernetesconfiguration.azure.com')]",
+            "azureIotCentralPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.azureiotcentral.com')]",
+            "azureStorageTablePrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.table.core.windows.net')]",
+            "azureStorageTableSecondaryPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.table.core.windows.net')]",
+            "azureSiteRecoveryBackupPrivateDnsZoneID": "[concat(variables('baseId'), replace('privatelink.regionGeoShortCode.backup.windowsazure.com','regionGeoShortCode',variables('azBackupGeoCodes')[toLower(parameters('location'))]))]",
+            "azureSiteRecoveryBlobPrivateDnsZoneID": "[concat(variables('baseId'), 'privatelink.blob.core.windows.net')]",
+            "azureSiteRecoveryQueuePrivateDnsZoneID": "[concat(variables('baseId'), 'privatelink.queue.core.windows.net')]"
         },
         "policyDefinitions": {
             "deployPrivateDnsZones": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones')]"
@@ -282,6 +366,48 @@
                     },
                     "azureCognitiveSearchPrivateDnsZoneId": {
                         "value": "[variables('policyParameterMapping').azureCognitiveSearchPrivateDnsZoneId]"
+                    },
+                    "azureBotServicePrivateDnsZoneId": {
+                        "value": "[variables('policyParameterMapping').azureBotServicePrivateDnsZoneId]"
+                    },
+                    "azureManagedGrafanaWorkspacePrivateDnsZoneId": {
+                        "value": "[variables('policyParameterMapping').azureManagedGrafanaWorkspacePrivateDnsZoneId]"
+                    },
+                    "azureVirtualDesktopHostpoolPrivateDnsZoneId": {
+                        "value": "[variables('policyParameterMapping').azureVirtualDesktopHostpoolPrivateDnsZoneId]"
+                    },
+                    "azureVirtualDesktopWorkspacePrivateDnsZoneId": {
+                        "value": "[variables('policyParameterMapping').azureVirtualDesktopWorkspacePrivateDnsZoneId]"
+                    },
+                    "azureIotDeviceupdatePrivateDnsZoneId": {
+                        "value": "[variables('policyParameterMapping').azureIotDeviceupdatePrivateDnsZoneId]"
+                    },
+                    "azureArcGuestconfigurationPrivateDnsZoneId": {
+                        "value": "[variables('policyParameterMapping').azureArcGuestconfigurationPrivateDnsZoneId]"
+                    },
+                    "azureArcHybridResourceProviderPrivateDnsZoneId": {
+                        "value": "[variables('policyParameterMapping').azureArcHybridResourceProviderPrivateDnsZoneId]"
+                    },
+                    "azureArcKubernetesConfigurationPrivateDnsZoneId": {
+                        "value": "[variables('policyParameterMapping').azureArcKubernetesConfigurationPrivateDnsZoneId]"
+                    },
+                    "azureIotCentralPrivateDnsZoneId": {
+                        "value": "[variables('policyParameterMapping').azureIotCentralPrivateDnsZoneId]"
+                    },
+                    "azureStorageTablePrivateDnsZoneId": {
+                        "value": "[variables('policyParameterMapping').azureStorageTablePrivateDnsZoneId]"
+                    },
+                    "azureStorageTableSecondaryPrivateDnsZoneId": {
+                        "value": "[variables('policyParameterMapping').azureStorageTableSecondaryPrivateDnsZoneId]"
+                    },
+                    "azureSiteRecoveryBackupPrivateDnsZoneID": {
+                        "value": "[variables('policyParameterMapping').azureSiteRecoveryBackupPrivateDnsZoneID]"
+                    },
+                    "azureSiteRecoveryBlobPrivateDnsZoneID": {
+                        "value": "[variables('policyParameterMapping').azureSiteRecoveryBlobPrivateDnsZoneID]"
+                    },
+                    "azureSiteRecoveryQueuePrivateDnsZoneID": {
+                        "value": "[variables('policyParameterMapping').azureSiteRecoveryQueuePrivateDnsZoneID]"
                     }
                 }
             }