From 6de4c0c20ddc4961d94baca120b22068988d48bb Mon Sep 17 00:00:00 2001 From: Fabien Gilbert Date: Fri, 12 Aug 2022 16:26:45 -0400 Subject: [PATCH 1/3] support for Standard SKU --- src/bicep/modules/firewall.bicep | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/src/bicep/modules/firewall.bicep b/src/bicep/modules/firewall.bicep index d4f3ada14..6450d92c2 100644 --- a/src/bicep/modules/firewall.bicep +++ b/src/bicep/modules/firewall.bicep @@ -8,6 +8,10 @@ param name string param location string = resourceGroup().location param tags object = {} +@allowed([ + 'Standard' + 'Premium' +]) param skuTier string @allowed([ @@ -42,15 +46,17 @@ param logAnalyticsWorkspaceResourceId string param logs array param metrics array +var intrusionDetectionObject = { + mode: intrusionDetectionMode +} + resource firewallPolicy 'Microsoft.Network/firewallPolicies@2021-02-01' = { name: firewallPolicyName location: location tags: tags properties: { threatIntelMode: threatIntelMode - intrusionDetection:{ - mode: intrusionDetectionMode - } + intrusionDetection: ((skuTier == 'Premium') ? intrusionDetectionObject : null) sku: { tier: skuTier } From 7d3b6b030ab8512ddf721b1762d0e813217e5b92 Mon Sep 17 00:00:00 2001 From: Fabien Gilbert Date: Tue, 16 Aug 2022 17:05:40 -0400 Subject: [PATCH 2/3] move AMPLS Private Endpoint to Operations VNET --- src/bicep/core/hub-network.bicep | 16 ---- src/bicep/core/spoke-network.bicep | 5 +- src/bicep/mlz.bicep | 58 +++++++++++- src/bicep/modules/private-dns.bicep | 132 +++++++++++++++++++++++++++ src/bicep/modules/private-link.bicep | 129 ++++---------------------- 5 files changed, 211 insertions(+), 129 deletions(-) create mode 100644 src/bicep/modules/private-dns.bicep diff --git a/src/bicep/core/hub-network.bicep b/src/bicep/core/hub-network.bicep index 71fa81a12..7eae655e9 100644 --- a/src/bicep/core/hub-network.bicep +++ b/src/bicep/core/hub-network.bicep 
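Review bot: `param skuTier string` gains an `@allowed` list in this hunk but still carries no `@description`, and the tier now decides whether intrusion detection is configured at all (see the `intrusionDetection` change further down in this file), so a caller choosing `Standard` should learn here that IDPS is dropped. Proposed, placed above the new `@allowed` decorator: `@description('Firewall policy SKU tier. Intrusion detection (IDPS) is only configured for Premium; with Standard the intrusionDetectionMode parameter is ignored.')`.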
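Review bot: The ternary at `intrusionDetection:` silently discards `intrusionDetectionMode` when `skuTier` is `Standard`, so a deployment that passes a mode such as `Deny` together with the Standard tier gets a policy with no IDPS and no signal that a requested control was dropped. Bicep offers no way to fail the deployment on that combination at this point, so the caveat should at least be visible where the mode is declared (outside this hunk): `@description('IDPS mode. Only applied when skuTier is Premium; ignored for Standard.')`, plus a why-comment above the new var, `// IDPS is Premium-only; the property is nulled for Standard so the policy deploys without it.` — presumably the reason the property is nulled rather than left in place. The `firewallPolicy` resource body continues past the end of the hunk.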
@@ -9,7 +9,6 @@ param tags object = {} param logStorageAccountName string param logStorageSkuName string -param logAnalyticsWorkspaceName string param logAnalyticsWorkspaceResourceId string param virtualNetworkName string @@ -238,21 +237,6 @@ module firewall '../modules/firewall.bicep' = { } } -module azureMonitorPrivateLink '../modules/private-link.bicep' = if ( contains(supportedClouds, environment().name) ){ - name: 'azure-monitor-private-link' - params: { - logAnalyticsWorkspaceName: logAnalyticsWorkspaceName - logAnalyticsWorkspaceResourceId: logAnalyticsWorkspaceResourceId - privateEndpointSubnetName: subnetName - privateEndpointVnetName: virtualNetwork.outputs.name - location: location - tags: tags - } - dependsOn: [ - subnet - ] -} - output virtualNetworkName string = virtualNetwork.outputs.name output virtualNetworkResourceId string = virtualNetwork.outputs.id output subnetName string = subnet.name diff --git a/src/bicep/core/spoke-network.bicep b/src/bicep/core/spoke-network.bicep index 385be9563..157e0defc 100644 --- a/src/bicep/core/spoke-network.bicep +++ b/src/bicep/core/spoke-network.bicep @@ -34,6 +34,8 @@ param routeTableRouteAddressPrefix string = '0.0.0.0/0' param routeTableRouteNextHopIpAddress string = firewallPrivateIPAddress param routeTableRouteNextHopType string = 'VirtualAppliance' +param subnetPrivateEndpointNetworkPolicies string + module logStorage '../modules/storage-account.bicep' = { name: 'logStorage' params: { @@ -95,7 +97,8 @@ module virtualNetwork '../modules/virtual-network.bicep' = { routeTable: { id: routeTable.outputs.id } - serviceEndpoints: subnetServiceEndpoints + serviceEndpoints: subnetServiceEndpoints + privateEndpointNetworkPolicies: subnetPrivateEndpointNetworkPolicies } } ] diff --git a/src/bicep/mlz.bicep b/src/bicep/mlz.bicep index c8f87605d..3298dc173 100644 --- a/src/bicep/mlz.bicep +++ b/src/bicep/mlz.bicep 
@@ -42,6 +42,11 @@ param sharedServicesSubscriptionId string = subscription().subscriptionId @description('The region to deploy resources into. It defaults to the deployment location.') param location string = deployment().location +param supportedClouds array = [ + 'AzureCloud' + 'AzureUSGovernment' +] + // RESOURCE NAMING PARAMETERS @description('A suffix to use for naming deployments uniquely. It defaults to the Bicep resolution of the "utcNow()" function.') @@ -661,6 +666,7 @@ var spokes = [ subnetName: identitySubnetName subnetAddressPrefix: identitySubnetAddressPrefix subnetServiceEndpoints: identitySubnetServiceEndpoints + subnetPrivateEndpointNetworkPolicies: 'Enabled' } { name: operationsName @@ -677,7 +683,8 @@ var spokes = [ networkSecurityGroupDiagnosticsMetrics: operationsNetworkSecurityGroupDiagnosticsMetrics subnetName: operationsSubnetName subnetAddressPrefix: operationsSubnetAddressPrefix - subnetServiceEndpoints: operationsSubnetServiceEndpoints + subnetServiceEndpoints: operationsSubnetServiceEndpoints + subnetPrivateEndpointNetworkPolicies: 'Disabled' } { name: sharedServicesName @@ -694,7 +701,8 @@ var spokes = [ networkSecurityGroupDiagnosticsMetrics: sharedServicesNetworkSecurityGroupDiagnosticsMetrics subnetName: sharedServicesSubnetName subnetAddressPrefix: sharedServicesSubnetAddressPrefix - subnetServiceEndpoints: sharedServicesSubnetServiceEndpoints + subnetServiceEndpoints: sharedServicesSubnetServiceEndpoints + subnetPrivateEndpointNetworkPolicies: 'Disabled' } ] @@ -769,7 +777,6 @@ module hubNetwork './core/hub-network.bicep' = { logStorageAccountName: hubLogStorageAccountName logStorageSkuName: logStorageSkuName - logAnalyticsWorkspaceName: logAnalyticsWorkspace.outputs.name logAnalyticsWorkspaceResourceId: logAnalyticsWorkspace.outputs.id virtualNetworkName: hubVirtualNetworkName 
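Review bot: In the `@@ -694,7 +701,8 @@` hunk the sharedServices spoke gets `subnetPrivateEndpointNetworkPolicies: 'Disabled'` although this commit only places a private endpoint in the operations VNet (see the `azureMonitorPrivateLink` module scoped to the operations resource group in mlz.bicep). Disabling private endpoint network policies removes NSG enforcement for private endpoint traffic in that subnet, so it should be turned off only where an endpoint actually lands, i.e. `subnetPrivateEndpointNetworkPolicies: 'Enabled'` for sharedServices, matching the identity spoke in the `@@ -661,6 +666,7 @@` hunk. A one-line comment on the operations entry, `// Disabled: the AMPLS private endpoint is deployed into this subnet`, would record why that one differs.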
@@ -786,6 +793,8 @@ module hubNetwork './core/hub-network.bicep' = { subnetAddressPrefix: hubSubnetAddressPrefix subnetServiceEndpoints: hubSubnetServiceEndpoints + gatewaySubnetAddressPrefix: gatewaySubnetAddressPrefix + firewallName: firewallName firewallSkuTier: firewallSkuTier firewallPolicyName: firewallPolicyName @@ -843,6 +852,8 @@ module spokeNetworks './core/spoke-network.bicep' = [for spoke in spokes: { subnetName: spoke.subnetName subnetAddressPrefix: spoke.subnetAddressPrefix subnetServiceEndpoints: spoke.subnetServiceEndpoints + + subnetPrivateEndpointNetworkPolicies: spoke.subnetPrivateEndpointNetworkPolicies } }] @@ -899,6 +910,21 @@ module spokePolicyAssignments './modules/policy-assignment.bicep' = [for spoke i } }] +// PRIVATE DNS + +module azurePrivateDns './modules/private-dns.bicep' = { + name: 'azure-private-dns' + scope: resourceGroup(hubSubscriptionId, hubResourceGroupName) + params: { + vnetName: hubNetwork.outputs.virtualNetworkName + tags: tags + } + dependsOn: [ + hubNetwork + ] +} + + // CENTRAL LOGGING module hubSubscriptionActivityLogging './modules/central-logging.bicep' = { 
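Review bot: `gatewaySubnetAddressPrefix: gatewaySubnetAddressPrefix` is passed to the `hubNetwork` module in this hunk, but the hub-network.bicep part of this commit contains only deletions (diffstat `16 ----`) and declares no such parameter; unless hub-network.bicep already has a `gatewaySubnetAddressPrefix` param outside the visible hunks, Bicep will reject the unknown module parameter. It is also unrelated to the commit subject (moving the AMPLS private endpoint), so if it is intended it belongs in its own change with the matching `param` in hub-network.bicep.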
@@ -913,6 +939,29 @@ module hubSubscriptionActivityLogging './modules/central-logging.bicep' = { ] } +module azureMonitorPrivateLink './modules/private-link.bicep' = if ( contains(supportedClouds, environment().name) ){ + name: 'azure-monitor-private-link' + scope: resourceGroup(operationsSubscriptionId, operationsResourceGroupName) + params: { + logAnalyticsWorkspaceName: logAnalyticsWorkspace.outputs.name + logAnalyticsWorkspaceResourceId: logAnalyticsWorkspace.outputs.id + privateEndpointSubnetName: operationsSubnetName + privateEndpointVnetName: operationsVirtualNetworkName + monitorPrivateDnsZoneId: azurePrivateDns.outputs.monitorPrivateDnsZoneId + omsPrivateDnsZoneId: azurePrivateDns.outputs.omsPrivateDnsZoneId + odsPrivateDnsZoneId: azurePrivateDns.outputs.odsPrivateDnsZoneId + agentsvcPrivateDnsZoneId: azurePrivateDns.outputs.agentsvcPrivateDnsZoneId + storagePrivateDnsZoneId: azurePrivateDns.outputs.storagePrivateDnsZoneId + location: location + tags: tags + } + dependsOn: [ + logAnalyticsWorkspace + spokeNetworks + azurePrivateDns + ] +} + module spokeSubscriptionActivityLogging './modules/central-logging.bicep' = [for spoke in spokes: if (spoke.subscriptionId != hubSubscriptionId) { name: 'activity-logs-${spoke.name}-${deploymentNameSuffix}' scope: subscription(spoke.subscriptionId) @@ -1012,6 +1061,9 @@ module remoteAccess './core/remote-access.bicep' = if (deployRemoteAccess) { logAnalyticsWorkspaceId: logAnalyticsWorkspace.outputs.id } + dependsOn: [ + azureMonitorPrivateLink + ] } /* diff --git a/src/bicep/modules/private-dns.bicep b/src/bicep/modules/private-dns.bicep new file mode 100644 index 000000000..f482d03a7 --- /dev/null +++ b/src/bicep/modules/private-dns.bicep 
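Review bot: The `dependsOn` block of the new `azureMonitorPrivateLink` module lists `logAnalyticsWorkspace` and `azurePrivateDns`, both of which are already implicit dependencies because the `params` block reads `logAnalyticsWorkspace.outputs.*` and `azurePrivateDns.outputs.*`; the Bicep linter flags this as `no-unnecessary-dependson`. Only `spokeNetworks` needs to stay explicit, since `operationsSubnetName` and `operationsVirtualNetworkName` are plain parameters with no symbolic reference to the spoke deployment: `dependsOn: [ spokeNetworks ]` with a short comment, `// subnet/VNet names are passed as strings, so the spoke deployment has no implicit dependency`.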
@@ -0,0 +1,132 @@ +/* +Copyright (c) Microsoft Corporation. +Licensed under the MIT License. +*/ + +@description('The name of the virtual network the private dns zones will be connected to') +param vnetName string + +@description('The name of the the resource group where the virtual network exists') +param vnetResourceGroup string = resourceGroup().name + +@description('The subscription id of the subscription the virtual network exists in') +param vnetSubscriptionId string = subscription().subscriptionId + +@description('The tags that will be associated to the resources') +param tags object + +var privateDnsZones_privatelink_monitor_azure_name = ( environment().name =~ 'AzureCloud' ? 'privatelink.monitor.azure.com' : 'privatelink.monitor.azure.us' ) +var privateDnsZones_privatelink_ods_opinsights_azure_name = ( environment().name =~ 'AzureCloud' ? 'privatelink.ods.opinsights.azure.com' : 'privatelink.ods.opinsights.azure.us' ) +var privateDnsZones_privatelink_oms_opinsights_azure_name = ( environment().name =~ 'AzureCloud' ? 'privatelink.oms.opinsights.azure.com' : 'privatelink.oms.opinsights.azure.us' ) +var privateDnsZones_privatelink_blob_core_cloudapi_net_name = ( environment().name =~ 'AzureCloud' ? 'privatelink.blob.${environment().suffixes.storage}' : 'privatelink.blob.core.usgovcloudapi.net' ) +var privateDnsZones_privatelink_agentsvc_azure_automation_name = ( environment().name =~ 'AzureCloud' ? 
'privatelink.agentsvc.azure-automation.net' : 'privatelink.agentsvc.azure-automation.us' ) + +resource privatelink_monitor_azure_com 'Microsoft.Network/privateDnsZones@2018-09-01' = { + name: privateDnsZones_privatelink_monitor_azure_name + location: 'global' + tags: tags +} + +resource privatelink_oms_opinsights_azure_com 'Microsoft.Network/privateDnsZones@2018-09-01' = { + name: privateDnsZones_privatelink_oms_opinsights_azure_name + location: 'global' + tags: tags +} + +resource privatelink_ods_opinsights_azure_com 'Microsoft.Network/privateDnsZones@2018-09-01' = { + name: privateDnsZones_privatelink_ods_opinsights_azure_name + location: 'global' + tags: tags +} + +resource privatelink_agentsvc_azure_automation_net 'Microsoft.Network/privateDnsZones@2018-09-01' = { + name: privateDnsZones_privatelink_agentsvc_azure_automation_name + location: 'global' + tags: tags +} + +resource privatelink_blob_core_cloudapi_net 'Microsoft.Network/privateDnsZones@2018-09-01' = { + name: privateDnsZones_privatelink_blob_core_cloudapi_net_name + location: 'global' + tags: tags +} + +resource privatelink_monitor_azure_com_privatelink_monitor_azure_com_link 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2018-09-01' = { + name: '${privateDnsZones_privatelink_monitor_azure_name}/${privateDnsZones_privatelink_monitor_azure_name}-link' + location: 'global' + properties: { + registrationEnabled: false + virtualNetwork: { + id: resourceId(vnetSubscriptionId, vnetResourceGroup, 'Microsoft.Network/virtualNetworks', vnetName ) + } + } + dependsOn: [ + privatelink_monitor_azure_com + ] +} + +resource privatelink_oms_opinsights_azure_com_privatelink_oms_opinsights_azure_com_link 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2018-09-01' = { + name: '${privateDnsZones_privatelink_oms_opinsights_azure_name}/${privateDnsZones_privatelink_oms_opinsights_azure_name}-link' + location: 'global' + properties: { + registrationEnabled: false + virtualNetwork: { + id: 
resourceId(vnetSubscriptionId, vnetResourceGroup, 'Microsoft.Network/virtualNetworks', vnetName ) + } + } + dependsOn: [ + privatelink_oms_opinsights_azure_com + privatelink_monitor_azure_com_privatelink_monitor_azure_com_link + ] +} + +resource privatelink_ods_opinsights_azure_com_privatelink_ods_opinsights_azure_com_link 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2018-09-01' = { + name: '${privateDnsZones_privatelink_ods_opinsights_azure_name}/${privateDnsZones_privatelink_ods_opinsights_azure_name}-link' + location: 'global' + properties: { + registrationEnabled: false + virtualNetwork: { + id: resourceId(vnetSubscriptionId, vnetResourceGroup, 'Microsoft.Network/virtualNetworks', vnetName ) + } + } + dependsOn: [ + privatelink_ods_opinsights_azure_com + privatelink_oms_opinsights_azure_com_privatelink_oms_opinsights_azure_com_link + ] +} + +resource privatelink_agentsvc_azure_automation_net_privatelink_agentsvc_azure_automation_net_link 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2018-09-01' = { + name: '${privateDnsZones_privatelink_agentsvc_azure_automation_name}/${privateDnsZones_privatelink_agentsvc_azure_automation_name}-link' + location: 'global' + properties: { + registrationEnabled: false + virtualNetwork: { + id: resourceId(vnetSubscriptionId, vnetResourceGroup, 'Microsoft.Network/virtualNetworks', vnetName ) + } + } + dependsOn: [ + privatelink_agentsvc_azure_automation_net + privatelink_ods_opinsights_azure_com_privatelink_ods_opinsights_azure_com_link + ] +} + +resource privateDnsZones_privatelink_blob_core_cloudapi_net_privateDnsZones_privatelink_blob_core_cloudapi_net_link 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2018-09-01' = { + name: '${privateDnsZones_privatelink_blob_core_cloudapi_net_name}/${privateDnsZones_privatelink_blob_core_cloudapi_net_name}-link' + location: 'global' + properties: { + registrationEnabled: false + virtualNetwork: { + id: resourceId(vnetSubscriptionId, vnetResourceGroup, 
'Microsoft.Network/virtualNetworks', vnetName ) + } + } + dependsOn: [ + privatelink_blob_core_cloudapi_net + privatelink_agentsvc_azure_automation_net_privatelink_agentsvc_azure_automation_net_link + ] +} + +output monitorPrivateDnsZoneId string = privatelink_monitor_azure_com.id +output omsPrivateDnsZoneId string = privatelink_oms_opinsights_azure_com.id +output odsPrivateDnsZoneId string = privatelink_ods_opinsights_azure_com.id +output agentsvcPrivateDnsZoneId string = privatelink_agentsvc_azure_automation_net.id +output storagePrivateDnsZoneId string = privatelink_blob_core_cloudapi_net.id diff --git a/src/bicep/modules/private-link.bicep b/src/bicep/modules/private-link.bicep index cd8bc172c..46c559731 100644 --- a/src/bicep/modules/private-link.bicep +++ b/src/bicep/modules/private-link.bicep @@ -30,6 +30,21 @@ param vnetSubscriptionId string = subscription().subscriptionId @description('The location of this resource') param location string = resourceGroup().location +@description('Azure Monitor Private DNS Zone resource id') +param monitorPrivateDnsZoneId string + +@description('OMS Private DNS Zone resource id') +param omsPrivateDnsZoneId string + +@description('ODS Private DNS Zone resource id') +param odsPrivateDnsZoneId string + +@description('Agentsvc Private DNS Zone resource id') +param agentsvcPrivateDnsZoneId string + +@description('Azure Blob Storage Private DNS Zone resource id') +param storagePrivateDnsZoneId string + var privateLinkConnectionName = take('plconn${logAnalyticsWorkspaceName}${uniqueData}', 80) var privateLinkEndpointName = take('pl${logAnalyticsWorkspaceName}${uniqueData}', 80) var privateLinkScopeName = take('plscope${logAnalyticsWorkspaceName}${uniqueData}', 80) 
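Review bot: In the new private-dns.bicep, `privateDnsZones_privatelink_blob_core_cloudapi_net_name` derives the AzureCloud name from `environment().suffixes.storage` but hardcodes `privatelink.blob.core.usgovcloudapi.net` for the other branch, even though the same suffix property yields that value in Azure US Government; a single `var privateDnsZones_privatelink_blob_core_cloudapi_net_name = 'privatelink.blob.${environment().suffixes.storage}'` avoids the string drifting from the cloud's actual storage suffix. The five `virtualNetworkLinks` resources are also chained so that each `dependsOn` the previous link, which serialises independent deployments; each link only needs its own zone, which the `parent:` property expresses directly instead of the composed `'${zoneName}/${zoneName}-link'` name plus `dependsOn`. If the chaining is deliberate, a comment stating why would help the next maintainer.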
@@ -83,31 +98,31 @@ resource dnsZonePrivateLinkEndpoint 'Microsoft.Network/privateEndpoints/privateD { name: 'monitor' properties: { - privateDnsZoneId: privatelink_monitor_azure_com.id + privateDnsZoneId: monitorPrivateDnsZoneId } } { name: 'oms' properties: { - privateDnsZoneId: privatelink_oms_opinsights_azure_com.id + privateDnsZoneId: omsPrivateDnsZoneId } } { name: 'ods' properties: { - privateDnsZoneId: privatelink_ods_opinsights_azure_com.id + privateDnsZoneId: odsPrivateDnsZoneId } } { name: 'agentsvc' properties: { - privateDnsZoneId: privatelink_agentsvc_azure_automation_net.id + privateDnsZoneId: agentsvcPrivateDnsZoneId } } { name: 'storage' properties: { - privateDnsZoneId: privatelink_blob_core_cloudapi_net.id + privateDnsZoneId: storagePrivateDnsZoneId } } ] 
@@ -116,107 +131,3 @@ resource dnsZonePrivateLinkEndpoint 'Microsoft.Network/privateEndpoints/privateD subnetPrivateEndpoint ] } -var privateDnsZones_privatelink_monitor_azure_name = ( environment().name =~ 'AzureCloud' ? 'privatelink.monitor.azure.com' : 'privatelink.monitor.azure.us' ) -var privateDnsZones_privatelink_ods_opinsights_azure_name = ( environment().name =~ 'AzureCloud' ? 'privatelink.ods.opinsights.azure.com' : 'privatelink.ods.opinsights.azure.us' ) -var privateDnsZones_privatelink_oms_opinsights_azure_name = ( environment().name =~ 'AzureCloud' ? 'privatelink.oms.opinsights.azure.com' : 'privatelink.oms.opinsights.azure.us' ) -var privateDnsZones_privatelink_blob_core_cloudapi_net_name = ( environment().name =~ 'AzureCloud' ? 'privatelink.blob.${environment().suffixes.storage}' : 'privatelink.blob.core.usgovcloudapi.net' ) -var privateDnsZones_privatelink_agentsvc_azure_automation_name = ( environment().name =~ 'AzureCloud' ? 'privatelink.agentsvc.azure-automation.net' : 'privatelink.agentsvc.azure-automation.us' ) - -resource privatelink_monitor_azure_com 'Microsoft.Network/privateDnsZones@2018-09-01' = { - name: privateDnsZones_privatelink_monitor_azure_name - location: 'global' -} - -resource privatelink_oms_opinsights_azure_com 'Microsoft.Network/privateDnsZones@2018-09-01' = { - name: privateDnsZones_privatelink_oms_opinsights_azure_name - location: 'global' -} - -resource privatelink_ods_opinsights_azure_com 'Microsoft.Network/privateDnsZones@2018-09-01' = { - name: privateDnsZones_privatelink_ods_opinsights_azure_name - location: 'global' -} - -resource privatelink_agentsvc_azure_automation_net 'Microsoft.Network/privateDnsZones@2018-09-01' = { - name: privateDnsZones_privatelink_agentsvc_azure_automation_name - location: 'global' -} - -resource privatelink_blob_core_cloudapi_net 'Microsoft.Network/privateDnsZones@2018-09-01' = { - name: privateDnsZones_privatelink_blob_core_cloudapi_net_name - location: 'global' -} - -resource 
privatelink_monitor_azure_com_privatelink_monitor_azure_com_link 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2018-09-01' = { - name: '${privateDnsZones_privatelink_monitor_azure_name}/${privateDnsZones_privatelink_monitor_azure_name}-link' - location: 'global' - properties: { - registrationEnabled: false - virtualNetwork: { - id: resourceId(vnetSubscriptionId, vnetResourceGroup, 'Microsoft.Network/virtualNetworks', privateEndpointVnetName ) - } - } - dependsOn: [ - privatelink_monitor_azure_com - ] -} - -resource privatelink_oms_opinsights_azure_com_privatelink_oms_opinsights_azure_com_link 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2018-09-01' = { - name: '${privateDnsZones_privatelink_oms_opinsights_azure_name}/${privateDnsZones_privatelink_oms_opinsights_azure_name}-link' - location: 'global' - properties: { - registrationEnabled: false - virtualNetwork: { - id: resourceId(vnetSubscriptionId, vnetResourceGroup, 'Microsoft.Network/virtualNetworks', privateEndpointVnetName ) - } - } - dependsOn: [ - privatelink_oms_opinsights_azure_com - privatelink_monitor_azure_com_privatelink_monitor_azure_com_link - ] -} - -resource privatelink_ods_opinsights_azure_com_privatelink_ods_opinsights_azure_com_link 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2018-09-01' = { - name: '${privateDnsZones_privatelink_ods_opinsights_azure_name}/${privateDnsZones_privatelink_ods_opinsights_azure_name}-link' - location: 'global' - properties: { - registrationEnabled: false - virtualNetwork: { - id: resourceId(vnetSubscriptionId, vnetResourceGroup, 'Microsoft.Network/virtualNetworks', privateEndpointVnetName ) - } - } - dependsOn: [ - privatelink_ods_opinsights_azure_com - privatelink_oms_opinsights_azure_com_privatelink_oms_opinsights_azure_com_link - ] -} - -resource privatelink_agentsvc_azure_automation_net_privatelink_agentsvc_azure_automation_net_link 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2018-09-01' = { - name: 
'${privateDnsZones_privatelink_agentsvc_azure_automation_name}/${privateDnsZones_privatelink_agentsvc_azure_automation_name}-link' - location: 'global' - properties: { - registrationEnabled: false - virtualNetwork: { - id: resourceId(vnetSubscriptionId, vnetResourceGroup, 'Microsoft.Network/virtualNetworks', privateEndpointVnetName ) - } - } - dependsOn: [ - privatelink_agentsvc_azure_automation_net - privatelink_ods_opinsights_azure_com_privatelink_ods_opinsights_azure_com_link - ] -} - -resource privateDnsZones_privatelink_blob_core_cloudapi_net_privateDnsZones_privatelink_blob_core_cloudapi_net_link 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2018-09-01' = { - name: '${privateDnsZones_privatelink_blob_core_cloudapi_net_name}/${privateDnsZones_privatelink_blob_core_cloudapi_net_name}-link' - location: 'global' - properties: { - registrationEnabled: false - virtualNetwork: { - id: resourceId(vnetSubscriptionId, vnetResourceGroup, 'Microsoft.Network/virtualNetworks', privateEndpointVnetName ) - } - } - dependsOn: [ - privatelink_blob_core_cloudapi_net - privatelink_agentsvc_azure_automation_net_privatelink_agentsvc_azure_automation_net_link - ] -} From 9c93b9923800bffe8535b836f2f5ff2e2fbc822d Mon Sep 17 00:00:00 2001 From: Fabien Gilbert Date: Tue, 16 Aug 2022 17:33:15 -0400 Subject: [PATCH 3/3] Revert "move AMPLS Private Endpoint to Operations VNET" This reverts commit 7d3b6b030ab8512ddf721b1762d0e813217e5b92. --- src/bicep/core/hub-network.bicep | 16 ++++ src/bicep/core/spoke-network.bicep | 5 +- src/bicep/mlz.bicep | 58 +----------- src/bicep/modules/private-dns.bicep | 132 --------------------------- src/bicep/modules/private-link.bicep | 129 ++++++++++++++++++++++---- 5 files changed, 129 insertions(+), 211 deletions(-) delete mode 100644 src/bicep/modules/private-dns.bicep diff --git a/src/bicep/core/hub-network.bicep b/src/bicep/core/hub-network.bicep index 7eae655e9..71fa81a12 100644 --- a/src/bicep/core/hub-network.bicep 
+++ b/src/bicep/core/hub-network.bicep @@ -9,6 +9,7 @@ param tags object = {} param logStorageAccountName string param logStorageSkuName string +param logAnalyticsWorkspaceName string param logAnalyticsWorkspaceResourceId string param virtualNetworkName string @@ -237,6 +238,21 @@ module firewall '../modules/firewall.bicep' = { } } +module azureMonitorPrivateLink '../modules/private-link.bicep' = if ( contains(supportedClouds, environment().name) ){ + name: 'azure-monitor-private-link' + params: { + logAnalyticsWorkspaceName: logAnalyticsWorkspaceName + logAnalyticsWorkspaceResourceId: logAnalyticsWorkspaceResourceId + privateEndpointSubnetName: subnetName + privateEndpointVnetName: virtualNetwork.outputs.name + location: location + tags: tags + } + dependsOn: [ + subnet + ] +} + output virtualNetworkName string = virtualNetwork.outputs.name output virtualNetworkResourceId string = virtualNetwork.outputs.id output subnetName string = subnet.name diff --git a/src/bicep/core/spoke-network.bicep b/src/bicep/core/spoke-network.bicep index 157e0defc..385be9563 100644 --- a/src/bicep/core/spoke-network.bicep +++ b/src/bicep/core/spoke-network.bicep @@ -34,8 +34,6 @@ param routeTableRouteAddressPrefix string = '0.0.0.0/0' param routeTableRouteNextHopIpAddress string = firewallPrivateIPAddress param routeTableRouteNextHopType string = 'VirtualAppliance' -param subnetPrivateEndpointNetworkPolicies string - module logStorage '../modules/storage-account.bicep' = { name: 'logStorage' params: { @@ -97,8 +95,7 @@ module virtualNetwork '../modules/virtual-network.bicep' = { routeTable: { id: routeTable.outputs.id } - serviceEndpoints: subnetServiceEndpoints - privateEndpointNetworkPolicies: subnetPrivateEndpointNetworkPolicies + serviceEndpoints: subnetServiceEndpoints } } ] diff --git a/src/bicep/mlz.bicep b/src/bicep/mlz.bicep index 3298dc173..c8f87605d 100644 --- a/src/bicep/mlz.bicep +++ b/src/bicep/mlz.bicep 
@@ -42,11 +42,6 @@ param sharedServicesSubscriptionId string = subscription().subscriptionId @description('The region to deploy resources into. It defaults to the deployment location.') param location string = deployment().location -param supportedClouds array = [ - 'AzureCloud' - 'AzureUSGovernment' -] - // RESOURCE NAMING PARAMETERS @description('A suffix to use for naming deployments uniquely. It defaults to the Bicep resolution of the "utcNow()" function.') @@ -666,7 +661,6 @@ var spokes = [ subnetName: identitySubnetName subnetAddressPrefix: identitySubnetAddressPrefix subnetServiceEndpoints: identitySubnetServiceEndpoints - subnetPrivateEndpointNetworkPolicies: 'Enabled' } { name: operationsName @@ -683,8 +677,7 @@ var spokes = [ networkSecurityGroupDiagnosticsMetrics: operationsNetworkSecurityGroupDiagnosticsMetrics subnetName: operationsSubnetName subnetAddressPrefix: operationsSubnetAddressPrefix - subnetServiceEndpoints: operationsSubnetServiceEndpoints - subnetPrivateEndpointNetworkPolicies: 'Disabled' + subnetServiceEndpoints: operationsSubnetServiceEndpoints } { name: sharedServicesName @@ -701,8 +694,7 @@ var spokes = [ networkSecurityGroupDiagnosticsMetrics: sharedServicesNetworkSecurityGroupDiagnosticsMetrics subnetName: sharedServicesSubnetName subnetAddressPrefix: sharedServicesSubnetAddressPrefix - subnetServiceEndpoints: sharedServicesSubnetServiceEndpoints - subnetPrivateEndpointNetworkPolicies: 'Disabled' + subnetServiceEndpoints: sharedServicesSubnetServiceEndpoints } ] @@ -777,6 +769,7 @@ module hubNetwork './core/hub-network.bicep' = { logStorageAccountName: hubLogStorageAccountName logStorageSkuName: logStorageSkuName + logAnalyticsWorkspaceName: logAnalyticsWorkspace.outputs.name logAnalyticsWorkspaceResourceId: logAnalyticsWorkspace.outputs.id virtualNetworkName: hubVirtualNetworkName 
@@ -793,8 +786,6 @@ module hubNetwork './core/hub-network.bicep' = { subnetAddressPrefix: hubSubnetAddressPrefix subnetServiceEndpoints: hubSubnetServiceEndpoints - gatewaySubnetAddressPrefix: gatewaySubnetAddressPrefix - firewallName: firewallName firewallSkuTier: firewallSkuTier firewallPolicyName: firewallPolicyName @@ -852,8 +843,6 @@ module spokeNetworks './core/spoke-network.bicep' = [for spoke in spokes: { subnetName: spoke.subnetName subnetAddressPrefix: spoke.subnetAddressPrefix subnetServiceEndpoints: spoke.subnetServiceEndpoints - - subnetPrivateEndpointNetworkPolicies: spoke.subnetPrivateEndpointNetworkPolicies } }] @@ -910,21 +899,6 @@ module spokePolicyAssignments './modules/policy-assignment.bicep' = [for spoke i } }] -// PRIVATE DNS - -module azurePrivateDns './modules/private-dns.bicep' = { - name: 'azure-private-dns' - scope: resourceGroup(hubSubscriptionId, hubResourceGroupName) - params: { - vnetName: hubNetwork.outputs.virtualNetworkName - tags: tags - } - dependsOn: [ - hubNetwork - ] -} - - // CENTRAL LOGGING module hubSubscriptionActivityLogging './modules/central-logging.bicep' = { 
@@ -939,29 +913,6 @@ module hubSubscriptionActivityLogging './modules/central-logging.bicep' = { ] } -module azureMonitorPrivateLink './modules/private-link.bicep' = if ( contains(supportedClouds, environment().name) ){ - name: 'azure-monitor-private-link' - scope: resourceGroup(operationsSubscriptionId, operationsResourceGroupName) - params: { - logAnalyticsWorkspaceName: logAnalyticsWorkspace.outputs.name - logAnalyticsWorkspaceResourceId: logAnalyticsWorkspace.outputs.id - privateEndpointSubnetName: operationsSubnetName - privateEndpointVnetName: operationsVirtualNetworkName - monitorPrivateDnsZoneId: azurePrivateDns.outputs.monitorPrivateDnsZoneId - omsPrivateDnsZoneId: azurePrivateDns.outputs.omsPrivateDnsZoneId - odsPrivateDnsZoneId: azurePrivateDns.outputs.odsPrivateDnsZoneId - agentsvcPrivateDnsZoneId: azurePrivateDns.outputs.agentsvcPrivateDnsZoneId - storagePrivateDnsZoneId: azurePrivateDns.outputs.storagePrivateDnsZoneId - location: location - tags: tags - } - dependsOn: [ - logAnalyticsWorkspace - spokeNetworks - azurePrivateDns - ] -} - module spokeSubscriptionActivityLogging './modules/central-logging.bicep' = [for spoke in spokes: if (spoke.subscriptionId != hubSubscriptionId) { name: 'activity-logs-${spoke.name}-${deploymentNameSuffix}' scope: subscription(spoke.subscriptionId) @@ -1061,9 +1012,6 @@ module remoteAccess './core/remote-access.bicep' = if (deployRemoteAccess) { logAnalyticsWorkspaceId: logAnalyticsWorkspace.outputs.id } - dependsOn: [ - azureMonitorPrivateLink - ] } /* diff --git a/src/bicep/modules/private-dns.bicep b/src/bicep/modules/private-dns.bicep deleted file mode 100644 index f482d03a7..000000000 --- a/src/bicep/modules/private-dns.bicep +++ /dev/null 
@@ -1,132 +0,0 @@ -/* -Copyright (c) Microsoft Corporation. -Licensed under the MIT License. -*/ - -@description('The name of the virtual network the private dns zones will be connected to') -param vnetName string - -@description('The name of the the resource group where the virtual network exists') -param vnetResourceGroup string = resourceGroup().name - -@description('The subscription id of the subscription the virtual network exists in') -param vnetSubscriptionId string = subscription().subscriptionId - -@description('The tags that will be associated to the resources') -param tags object - -var privateDnsZones_privatelink_monitor_azure_name = ( environment().name =~ 'AzureCloud' ? 'privatelink.monitor.azure.com' : 'privatelink.monitor.azure.us' ) -var privateDnsZones_privatelink_ods_opinsights_azure_name = ( environment().name =~ 'AzureCloud' ? 'privatelink.ods.opinsights.azure.com' : 'privatelink.ods.opinsights.azure.us' ) -var privateDnsZones_privatelink_oms_opinsights_azure_name = ( environment().name =~ 'AzureCloud' ? 'privatelink.oms.opinsights.azure.com' : 'privatelink.oms.opinsights.azure.us' ) -var privateDnsZones_privatelink_blob_core_cloudapi_net_name = ( environment().name =~ 'AzureCloud' ? 'privatelink.blob.${environment().suffixes.storage}' : 'privatelink.blob.core.usgovcloudapi.net' ) -var privateDnsZones_privatelink_agentsvc_azure_automation_name = ( environment().name =~ 'AzureCloud' ? 
'privatelink.agentsvc.azure-automation.net' : 'privatelink.agentsvc.azure-automation.us' ) - -resource privatelink_monitor_azure_com 'Microsoft.Network/privateDnsZones@2018-09-01' = { - name: privateDnsZones_privatelink_monitor_azure_name - location: 'global' - tags: tags -} - -resource privatelink_oms_opinsights_azure_com 'Microsoft.Network/privateDnsZones@2018-09-01' = { - name: privateDnsZones_privatelink_oms_opinsights_azure_name - location: 'global' - tags: tags -} - -resource privatelink_ods_opinsights_azure_com 'Microsoft.Network/privateDnsZones@2018-09-01' = { - name: privateDnsZones_privatelink_ods_opinsights_azure_name - location: 'global' - tags: tags -} - -resource privatelink_agentsvc_azure_automation_net 'Microsoft.Network/privateDnsZones@2018-09-01' = { - name: privateDnsZones_privatelink_agentsvc_azure_automation_name - location: 'global' - tags: tags -} - -resource privatelink_blob_core_cloudapi_net 'Microsoft.Network/privateDnsZones@2018-09-01' = { - name: privateDnsZones_privatelink_blob_core_cloudapi_net_name - location: 'global' - tags: tags -} - -resource privatelink_monitor_azure_com_privatelink_monitor_azure_com_link 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2018-09-01' = { - name: '${privateDnsZones_privatelink_monitor_azure_name}/${privateDnsZones_privatelink_monitor_azure_name}-link' - location: 'global' - properties: { - registrationEnabled: false - virtualNetwork: { - id: resourceId(vnetSubscriptionId, vnetResourceGroup, 'Microsoft.Network/virtualNetworks', vnetName ) - } - } - dependsOn: [ - privatelink_monitor_azure_com - ] -} - -resource privatelink_oms_opinsights_azure_com_privatelink_oms_opinsights_azure_com_link 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2018-09-01' = { - name: '${privateDnsZones_privatelink_oms_opinsights_azure_name}/${privateDnsZones_privatelink_oms_opinsights_azure_name}-link' - location: 'global' - properties: { - registrationEnabled: false - virtualNetwork: { - id: 
resourceId(vnetSubscriptionId, vnetResourceGroup, 'Microsoft.Network/virtualNetworks', vnetName ) - } - } - dependsOn: [ - privatelink_oms_opinsights_azure_com - privatelink_monitor_azure_com_privatelink_monitor_azure_com_link - ] -} - -resource privatelink_ods_opinsights_azure_com_privatelink_ods_opinsights_azure_com_link 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2018-09-01' = { - name: '${privateDnsZones_privatelink_ods_opinsights_azure_name}/${privateDnsZones_privatelink_ods_opinsights_azure_name}-link' - location: 'global' - properties: { - registrationEnabled: false - virtualNetwork: { - id: resourceId(vnetSubscriptionId, vnetResourceGroup, 'Microsoft.Network/virtualNetworks', vnetName ) - } - } - dependsOn: [ - privatelink_ods_opinsights_azure_com - privatelink_oms_opinsights_azure_com_privatelink_oms_opinsights_azure_com_link - ] -} - -resource privatelink_agentsvc_azure_automation_net_privatelink_agentsvc_azure_automation_net_link 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2018-09-01' = { - name: '${privateDnsZones_privatelink_agentsvc_azure_automation_name}/${privateDnsZones_privatelink_agentsvc_azure_automation_name}-link' - location: 'global' - properties: { - registrationEnabled: false - virtualNetwork: { - id: resourceId(vnetSubscriptionId, vnetResourceGroup, 'Microsoft.Network/virtualNetworks', vnetName ) - } - } - dependsOn: [ - privatelink_agentsvc_azure_automation_net - privatelink_ods_opinsights_azure_com_privatelink_ods_opinsights_azure_com_link - ] -} - -resource privateDnsZones_privatelink_blob_core_cloudapi_net_privateDnsZones_privatelink_blob_core_cloudapi_net_link 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2018-09-01' = { - name: '${privateDnsZones_privatelink_blob_core_cloudapi_net_name}/${privateDnsZones_privatelink_blob_core_cloudapi_net_name}-link' - location: 'global' - properties: { - registrationEnabled: false - virtualNetwork: { - id: resourceId(vnetSubscriptionId, vnetResourceGroup, 
'Microsoft.Network/virtualNetworks', vnetName ) - } - } - dependsOn: [ - privatelink_blob_core_cloudapi_net - privatelink_agentsvc_azure_automation_net_privatelink_agentsvc_azure_automation_net_link - ] -} - -output monitorPrivateDnsZoneId string = privatelink_monitor_azure_com.id -output omsPrivateDnsZoneId string = privatelink_oms_opinsights_azure_com.id -output odsPrivateDnsZoneId string = privatelink_ods_opinsights_azure_com.id -output agentsvcPrivateDnsZoneId string = privatelink_agentsvc_azure_automation_net.id -output storagePrivateDnsZoneId string = privatelink_blob_core_cloudapi_net.id diff --git a/src/bicep/modules/private-link.bicep b/src/bicep/modules/private-link.bicep index 46c559731..cd8bc172c 100644 --- a/src/bicep/modules/private-link.bicep +++ b/src/bicep/modules/private-link.bicep @@ -30,21 +30,6 @@ param vnetSubscriptionId string = subscription().subscriptionId @description('The location of this resource') param location string = resourceGroup().location -@description('Azure Monitor Private DNS Zone resource id') -param monitorPrivateDnsZoneId string - -@description('OMS Private DNS Zone resource id') -param omsPrivateDnsZoneId string - -@description('ODS Private DNS Zone resource id') -param odsPrivateDnsZoneId string - -@description('Agentsvc Private DNS Zone resource id') -param agentsvcPrivateDnsZoneId string - -@description('Azure Blob Storage Private DNS Zone resource id') -param storagePrivateDnsZoneId string - var privateLinkConnectionName = take('plconn${logAnalyticsWorkspaceName}${uniqueData}', 80) var privateLinkEndpointName = take('pl${logAnalyticsWorkspaceName}${uniqueData}', 80) var privateLinkScopeName = take('plscope${logAnalyticsWorkspaceName}${uniqueData}', 80) 
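Review bot: Removing the five `*PrivateDnsZoneId` parameters turns private-link.bicep from a consumer of shared zones into their owner, so a second invocation of this module against a different VNet in the same resource group cannot get its own links (the link names later in the file are fixed to `${zone}-link`), and an invocation in another resource group creates a parallel set of `privatelink.*` zones. Keeping the parameters optional, e.g. `param monitorPrivateDnsZoneId string = ''`, and creating a zone only when its id is empty would preserve the shared-zone path this hunk deletes.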
@@ -98,31 +83,31 @@ resource dnsZonePrivateLinkEndpoint 'Microsoft.Network/privateEndpoints/privateD
 {
 name: 'monitor'
 properties: {
- privateDnsZoneId: monitorPrivateDnsZoneId
+ privateDnsZoneId: privatelink_monitor_azure_com.id
 }
 }
 {
 name: 'oms'
 properties: {
- privateDnsZoneId: omsPrivateDnsZoneId
+ privateDnsZoneId: privatelink_oms_opinsights_azure_com.id
 }
 }
 {
 name: 'ods'
 properties: {
- privateDnsZoneId: odsPrivateDnsZoneId
+ privateDnsZoneId: privatelink_ods_opinsights_azure_com.id
 }
 }
 {
 name: 'agentsvc'
 properties: {
- privateDnsZoneId: agentsvcPrivateDnsZoneId
+ privateDnsZoneId: privatelink_agentsvc_azure_automation_net.id
 }
 }
 {
 name: 'storage'
 properties: {
- privateDnsZoneId: storagePrivateDnsZoneId
+ privateDnsZoneId: privatelink_blob_core_cloudapi_net.id
 }
 }
 ]
@@ -131,3 +116,107 @@ resource dnsZonePrivateLinkEndpoint 'Microsoft.Network/privateEndpoints/privateD
 subnetPrivateEndpoint
 ]
 }
+var privateDnsZones_privatelink_monitor_azure_name = ( environment().name =~ 'AzureCloud' ? 'privatelink.monitor.azure.com' : 'privatelink.monitor.azure.us' )
+var privateDnsZones_privatelink_ods_opinsights_azure_name = ( environment().name =~ 'AzureCloud' ? 'privatelink.ods.opinsights.azure.com' : 'privatelink.ods.opinsights.azure.us' )
+var privateDnsZones_privatelink_oms_opinsights_azure_name = ( environment().name =~ 'AzureCloud' ? 'privatelink.oms.opinsights.azure.com' : 'privatelink.oms.opinsights.azure.us' )
+var privateDnsZones_privatelink_blob_core_cloudapi_net_name = ( environment().name =~ 'AzureCloud' ? 'privatelink.blob.${environment().suffixes.storage}' : 'privatelink.blob.core.usgovcloudapi.net' )
+var privateDnsZones_privatelink_agentsvc_azure_automation_name = ( environment().name =~ 'AzureCloud' ? 'privatelink.agentsvc.azure-automation.net' : 'privatelink.agentsvc.azure-automation.us' )
+
+resource privatelink_monitor_azure_com 'Microsoft.Network/privateDnsZones@2018-09-01' = {
+ name: privateDnsZones_privatelink_monitor_azure_name
+ location: 'global'
+}
+
+resource privatelink_oms_opinsights_azure_com 'Microsoft.Network/privateDnsZones@2018-09-01' = {
+ name: privateDnsZones_privatelink_oms_opinsights_azure_name
+ location: 'global'
+}
+
+resource privatelink_ods_opinsights_azure_com 'Microsoft.Network/privateDnsZones@2018-09-01' = {
+ name: privateDnsZones_privatelink_ods_opinsights_azure_name
+ location: 'global'
+}
+
+resource privatelink_agentsvc_azure_automation_net 'Microsoft.Network/privateDnsZones@2018-09-01' = {
+ name: privateDnsZones_privatelink_agentsvc_azure_automation_name
+ location: 'global'
+}
+
+resource privatelink_blob_core_cloudapi_net 'Microsoft.Network/privateDnsZones@2018-09-01' = {
+ name: privateDnsZones_privatelink_blob_core_cloudapi_net_name
+ location: 'global'
+}
+
+resource privatelink_monitor_azure_com_privatelink_monitor_azure_com_link 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2018-09-01' = {
+ name: '${privateDnsZones_privatelink_monitor_azure_name}/${privateDnsZones_privatelink_monitor_azure_name}-link'
+ location: 'global'
+ properties: {
+ registrationEnabled: false
+ virtualNetwork: {
+ id: resourceId(vnetSubscriptionId, vnetResourceGroup, 'Microsoft.Network/virtualNetworks', privateEndpointVnetName )
+ }
+ }
+ dependsOn: [
+ privatelink_monitor_azure_com
+ ]
+}
+
+resource privatelink_oms_opinsights_azure_com_privatelink_oms_opinsights_azure_com_link 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2018-09-01' = {
+ name: '${privateDnsZones_privatelink_oms_opinsights_azure_name}/${privateDnsZones_privatelink_oms_opinsights_azure_name}-link'
+ location: 'global'
+ properties: {
+ registrationEnabled: false
+ virtualNetwork: {
+ id: resourceId(vnetSubscriptionId, vnetResourceGroup, 'Microsoft.Network/virtualNetworks', privateEndpointVnetName )
+ }
+ }
+ dependsOn: [
+ privatelink_oms_opinsights_azure_com
+ privatelink_monitor_azure_com_privatelink_monitor_azure_com_link
+ ]
+}
+
+resource privatelink_ods_opinsights_azure_com_privatelink_ods_opinsights_azure_com_link 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2018-09-01' = {
+ name: '${privateDnsZones_privatelink_ods_opinsights_azure_name}/${privateDnsZones_privatelink_ods_opinsights_azure_name}-link'
+ location: 'global'
+ properties: {
+ registrationEnabled: false
+ virtualNetwork: {
+ id: resourceId(vnetSubscriptionId, vnetResourceGroup, 'Microsoft.Network/virtualNetworks', privateEndpointVnetName )
+ }
+ }
+ dependsOn: [
+ privatelink_ods_opinsights_azure_com
+ privatelink_oms_opinsights_azure_com_privatelink_oms_opinsights_azure_com_link
+ ]
+}
+
+resource privatelink_agentsvc_azure_automation_net_privatelink_agentsvc_azure_automation_net_link 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2018-09-01' = {
+ name: '${privateDnsZones_privatelink_agentsvc_azure_automation_name}/${privateDnsZones_privatelink_agentsvc_azure_automation_name}-link'
+ location: 'global'
+ properties: {
+ registrationEnabled: false
+ virtualNetwork: {
+ id: resourceId(vnetSubscriptionId, vnetResourceGroup, 'Microsoft.Network/virtualNetworks', privateEndpointVnetName )
+ }
+ }
+ dependsOn: [
+ privatelink_agentsvc_azure_automation_net
+ privatelink_ods_opinsights_azure_com_privatelink_ods_opinsights_azure_com_link
+ ]
+}
+
+resource privateDnsZones_privatelink_blob_core_cloudapi_net_privateDnsZones_privatelink_blob_core_cloudapi_net_link 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2018-09-01' = {
+ name: '${privateDnsZones_privatelink_blob_core_cloudapi_net_name}/${privateDnsZones_privatelink_blob_core_cloudapi_net_name}-link'
+ location: 'global'
+ properties: {
+ registrationEnabled: false
+ virtualNetwork: {
+ id: resourceId(vnetSubscriptionId, vnetResourceGroup, 'Microsoft.Network/virtualNetworks', privateEndpointVnetName )
+ }
+ }
+ dependsOn: [
+ privatelink_blob_core_cloudapi_net
+ privatelink_agentsvc_azure_automation_net_privatelink_agentsvc_azure_automation_net_link
+ ]
+}
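Review bot: The five virtualNetworkLinks in this hunk attach the zones only to `privateEndpointVnetName`, so the A records the endpoint's zone group writes into them resolve from that one VNet; the hub and every other spoke keep resolving the workspace's public endpoints unless they are linked somewhere not visible in this patch or forward DNS into the operations VNet, which defeats the purpose of moving ingestion onto the private endpoint. I would close that in this module by accepting the other VNet IDs as a parameter and looping the links, as sketched below, with `@batchSize(1)` standing in for the chained `dependsOn` the file uses to serialize link creation. Two smaller points in the same hunk: the zone resources no longer carry `tags: tags` (the deleted private-dns.bicep applied them, and the module's `tags` parameter was still passed by the mlz.bicep call site removed above), and any environment other than AzureCloud silently gets the `.us` names, whereas `'privatelink.blob.${environment().suffixes.storage}'` is correct in every cloud and the four Monitor zones should fail loudly on an unrecognised `environment().name` rather than guess.
```bicep
@description('Resource IDs of additional virtual networks (hub, other spokes) that must resolve the Azure Monitor private link zones')
param additionalVnetIds array = []

// … unchanged: zone name variables and the five privateDnsZones resources …

@batchSize(1)
resource privatelink_monitor_azure_com_additional_links 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2018-09-01' = [for vnetId in additionalVnetIds: {
  name: '${privateDnsZones_privatelink_monitor_azure_name}/${uniqueString(vnetId)}-link'
  location: 'global'
  properties: {
    registrationEnabled: false
    virtualNetwork: {
      id: vnetId
    }
  }
  dependsOn: [
    privatelink_monitor_azure_com
  ]
}]
// … same loop for the oms, ods, agentsvc and blob zones …
```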