Pull Request to update Private Link / Private DNS Zones and Update Portal UI Selector in the mlz.portal.json (#796)

* DfC #653 Fixed. Added Infrastructure Encryption on Storage. Added Private Link Service Network Policies. Added DNS Proxy. Added Private DNS Zones. (#791)

* Added Private Link Service Network policies
Added infra encryption to storage
Fixed defender bug under "Discussion #653"
Added KV Private DNS zone

* Fixed bug in Defender security notifications
Added additional Private DNS zones for Private Link
Added VNet configuration to use Azure Firewall for DNS
Made the Azure Firewall a DNS Proxy and forwarded DNS to Azure DNS

* updates for testing private dns and private link

* updates for testing private link

* vault core replace

* deployment condition for rsv dns

* name fix privateLinkEndpointName

* test updates dns

* testing dns group

* build json for private dns updates

* update portal location

* GitHub Action: Build Bicep to JSON

---------

Co-authored-by: chbragg <48835410+chbragg@users.noreply.github.com>
Co-authored-by: github-actions <github-actions@github.com>
3 people authored Jan 13, 2024
1 parent 896f325 commit 809dbda
Showing 15 changed files with 3,207 additions and 293 deletions.
2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -49,7 +49,7 @@ You must have [Owner RBAC permissions](https://docs.microsoft.com/en-us/azure/ro

| Azure Commercial | Azure Government |
| :--- | :--- |
| [![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#blade/Microsoft_Azure_CreateUIDef/CustomDeploymentBlade/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fmissionlz%2Fmain%2Fsrc%2Fbicep%2Fmlz.json/uiFormDefinitionUri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fmissionlz%2Fmain%2Fsrc%2Fbicep%2Fform%2Fmlz.portal.json) | [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#blade/Microsoft_Azure_CreateUIDef/CustomDeploymentBlade/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fmissionlz%2Fmain%2Fsrc%2Fbicep%2Fmlz.json/uiFormDefinitionUri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fmissionlz%2Fmain%2Fsrc%2Fbicep%2Fform%2Fmlz.portal.json) |
| [![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#blade/Microsoft_Azure_CreateUIDef/CustomDeploymentBlade/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fmissionlz%2Fprivatedns-dzikowski%2Fsrc%2Fbicep%2Fmlz.json/uiFormDefinitionUri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fmissionlz%2Fprivatedns-dzikowski%2Fsrc%2Fbicep%2Fform%2Fmlz.portal.json) | [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#blade/Microsoft_Azure_CreateUIDef/CustomDeploymentBlade/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fmissionlz%2Fprivatedns-dzikowski%2Fsrc%2Fbicep%2Fmlz.json/uiFormDefinitionUri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fmissionlz%2Fprivatedns-dzikowski%2Fsrc%2Fbicep%2Fform%2Fmlz.portal.json) |
<!-- markdownlint-enable MD013 -->

2. After a successful deployment, see our [examples](./src/bicep/examples/README.md) directory for how to extend the capabilities of Mission Landing Zone.
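Review bot: if this hunk follows the usual deletion-then-addition order, the surviving table row points both Deploy buttons at the `privatedns-dzikowski` branch (`...%2Fmissionlz%2Fprivatedns-dzikowski%2Fsrc%2Fbicep%2Fmlz.json` and the matching `mlz.portal.json`) instead of `main`. Once merged, the README on `main` would hand the portal a template and UI definition fetched from a feature branch, which breaks as soon as that branch is deleted and, until then, lets anything pushed to the branch be deployed by whoever clicks the button. Suggest restoring the `%2Fmain%2F` URLs before merge and keeping branch-specific links to a PR description.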
6 changes: 5 additions & 1 deletion src/bicep/add-ons/tier3/tier3.bicep
Expand Up @@ -63,6 +63,8 @@ param virtualNetworkDiagnosticsLogs array = []
@description('An array of Network Diagnostic Metrics to enable for the workload Virtual Network. See https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostic-settings?tabs=CMD#metrics for valid settings.')
param virtualNetworkDiagnosticsMetrics array = []

param vNetDnsServers array = [firewallPrivateIPAddress]

@description('An array of Network Security Group rules to apply to the workload Virtual Network. See https://docs.microsoft.com/en-us/azure/templates/microsoft.network/networksecuritygroups/securityrules?tabs=bicep#securityrulepropertiesformat for valid settings.')
param networkSecurityGroupRules array = []

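Review bot: `param vNetDnsServers array = [firewallPrivateIPAddress]` is the only parameter in this block without a `@description(...)` decorator, and the default carries an undocumented dependency: it sends all tier 3 DNS queries to the hub Azure Firewall, which only answers them when DNS proxy is enabled on that firewall (the hub module's `enableProxy` is introduced in this same commit with a default of `false`). With the defaults as written, name resolution in the workload VNet fails silently at deploy time and only shows up later as connectivity errors. Suggest something like `@description('DNS servers for the workload Virtual Network. Defaults to the hub Azure Firewall private IP, which requires DNS proxy to be enabled on the firewall.')` and a matching note in the add-on README.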
Expand Down Expand Up @@ -164,6 +166,7 @@ module spokeNetwork '../../core/spoke-network.bicep' = {

virtualNetworkName: workloadVirtualNetworkName
virtualNetworkAddressPrefix: virtualNetworkAddressPrefix
vNetDnsServers: vNetDnsServers
virtualNetworkDiagnosticsLogs: virtualNetworkDiagnosticsLogs
virtualNetworkDiagnosticsMetrics: virtualNetworkDiagnosticsMetrics

Expand All @@ -176,6 +179,7 @@ module spokeNetwork '../../core/spoke-network.bicep' = {
subnetAddressPrefix: subnetAddressPrefix
subnetServiceEndpoints: subnetServiceEndpoints
subnetPrivateEndpointNetworkPolicies: 'Enabled'
subnetPrivateLinkServiceNetworkPolicies: 'Enabled'
}
}

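Review bot: `subnetPrivateLinkServiceNetworkPolicies: 'Enabled'` is hardcoded alongside the existing hardcoded `subnetPrivateEndpointNetworkPolicies: 'Enabled'`. `Enabled` is the right secure default here, since it keeps NSG and route table enforcement on the subnet, but a subnet that will host the provider side of a Private Link service (the NAT subnet) must have this set to `Disabled`, so the tier 3 add-on cannot be used for that case without editing the module. Either expose it as a parameter with a default of `'Enabled'`, as `spoke-network.bicep` already does, or leave a comment stating the limitation.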
Expand Down Expand Up @@ -226,7 +230,7 @@ module workloadPolicyAssignment '../../modules/policy-assignment.bicep' = if (de
operationsSubscriptionId: logAnalyticsWorkspaceResourceId_split[2]
}
}

module spokeDefender '../../modules/defender.bicep' = if (deployDefender) {
name: 'set-${workloadName}-sub-defender'
scope: subscription(workloadSubscriptionId)
2 changes: 1 addition & 1 deletion src/bicep/bicepconfig.json
Expand Up @@ -5,7 +5,7 @@
"enabled": true,
"rules": {
"no-hardcoded-env-urls": {
"level": "error"
"level": "warning"
},
"no-unused-params": {
"level": "error"
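Review bot: lowering `no-hardcoded-env-urls` from `error` to `warning` means the build no longer fails on hardcoded endpoint hostnames, and warnings in a CI-built template are easy to miss. That check matters for this repository in particular because the README deploys to both Azure Commercial and Azure Government, where storage, Key Vault and other service suffixes differ. Prefer keeping the rule at `error`, replacing any hardcoded hosts with `environment().suffixes.*` values, and where a single line genuinely needs an exception, suppressing only that line with `#disable-next-line no-hardcoded-env-urls` plus a comment explaining why.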
8 changes: 8 additions & 0 deletions src/bicep/core/hub-network.bicep
Expand Up @@ -8,6 +8,7 @@ param tags object = {}

param logStorageAccountName string
param logStorageSkuName string
param vNetDnsServers array = []

param logAnalyticsWorkspaceResourceId string

Expand All @@ -33,6 +34,10 @@ param routeTableRouteNextHopType string = 'VirtualAppliance'
param firewallName string
param firewallSkuTier string
param firewallPolicyName string

param enableProxy bool = false
param dnsServers array = []

param firewallSupernetIPAddress string

@allowed([
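Review bot: `param enableProxy bool = false` and `param dnsServers array = []` have no `@description` decorators, and the `false` default does not match the commit message ("Made the Azure Firewall a DNS Proxy and forwarded DNS to Azure DNS") unless every caller passes `enableProxy: true`. Document both: with the proxy on and `dnsServers` left empty, Azure Firewall forwards to the Azure-provided resolver (168.63.129.16), which is what the Private DNS Zones added in this commit rely on for private endpoint name resolution; with the proxy off, any VNet whose DNS servers point at the firewall has no working resolver. Consider defaulting `enableProxy` to `true` given that the spoke defaults depend on it, or at least state the dependency in the description.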
Expand Down Expand Up @@ -105,6 +110,7 @@ module virtualNetwork '../modules/virtual-network.bicep' = {
tags: tags

addressPrefix: virtualNetworkAddressPrefix
vNetDnsServers: vNetDnsServers

subnets: [
{
Expand Down Expand Up @@ -219,6 +225,8 @@ module firewall '../modules/firewall.bicep' = {
clientIpConfigurationSubnetResourceId: '${virtualNetwork.outputs.id}/subnets/${firewallClientSubnetName}'
clientIpConfigurationPublicIPAddressResourceId: firewallClientPublicIPAddress.outputs.id
firewallSupernetIPAddress: firewallSupernetIPAddress
enableProxy: enableProxy
dnsServers: dnsServers

managementIpConfigurationName: firewallManagementIpConfigurationName
managementIpConfigurationSubnetResourceId: '${virtualNetwork.outputs.id}/subnets/${firewallManagementSubnetName}'
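Review bot: `enableProxy: enableProxy` and `dnsServers: dnsServers` are passed into `../modules/firewall.bicep`, which is not part of this excerpt, so confirm that module declares both parameters. Because the hub uses a firewall policy (`firewallPolicyName`), the DNS proxy configuration belongs in the policy's `dnsSettings` (`enableProxy` and `servers`) rather than on the firewall resource, so the module should apply these values to the `Microsoft.Network/firewallPolicies` resource.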
4 changes: 4 additions & 0 deletions src/bicep/core/spoke-network.bicep
Expand Up @@ -17,6 +17,7 @@ param virtualNetworkName string
param virtualNetworkAddressPrefix string
param virtualNetworkDiagnosticsLogs array
param virtualNetworkDiagnosticsMetrics array
param vNetDnsServers array

param networkSecurityGroupName string
param networkSecurityGroupRules array
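Review bot: `param vNetDnsServers array` has no default here, whereas the same parameter in `hub-network.bicep` defaults to `[]`, so every existing caller of `spoke-network.bicep` must now pass it or the deployment fails validation. Suggest `param vNetDnsServers array = []` for parity (an empty list means Azure-provided DNS), plus a `@description` explaining that pointing it at the firewall requires DNS proxy to be enabled on the hub.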
Expand All @@ -35,6 +36,7 @@ param routeTableRouteNextHopIpAddress string = firewallPrivateIPAddress
param routeTableRouteNextHopType string = 'VirtualAppliance'

param subnetPrivateEndpointNetworkPolicies string
param subnetPrivateLinkServiceNetworkPolicies string

module logStorage '../modules/storage-account.bicep' = {
name: 'logStorage'
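Review bot: `param subnetPrivateLinkServiceNetworkPolicies string` accepts any string, but the resource only takes `Enabled` or `Disabled`; a typo would surface only at deployment. Add `@allowed(['Enabled', 'Disabled'])` and a `@description`, and consider the same decorator for the adjacent pre-existing `subnetPrivateEndpointNetworkPolicies` while this block is being touched.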
Expand Down Expand Up @@ -85,6 +87,7 @@ module virtualNetwork '../modules/virtual-network.bicep' = {
tags: tags

addressPrefix: virtualNetworkAddressPrefix
vNetDnsServers: vNetDnsServers

subnets: [
{
Expand All @@ -99,6 +102,7 @@ module virtualNetwork '../modules/virtual-network.bicep' = {
}
serviceEndpoints: subnetServiceEndpoints
privateEndpointNetworkPolicies: subnetPrivateEndpointNetworkPolicies
privateLinkServiceNetworkPolicies: subnetPrivateLinkServiceNetworkPolicies
}
}
]

0 comments on commit 809dbda