Move AMPLS to Operations Tier #739

Merged
merged 5 commits into from
Aug 29, 2022
21 changes: 0 additions & 21 deletions src/bicep/core/hub-network.bicep
Expand Up @@ -9,7 +9,6 @@ param tags object = {}
param logStorageAccountName string
param logStorageSkuName string

param logAnalyticsWorkspaceName string
param logAnalyticsWorkspaceResourceId string

param virtualNetworkName string
Expand Down Expand Up @@ -71,11 +70,6 @@ param firewallManagementPublicIPAddressAvailabilityZones array
param publicIPAddressDiagnosticsLogs array
param publicIPAddressDiagnosticsMetrics array

param supportedClouds array = [
'AzureCloud'
'AzureUSGovernment'
]

module logStorage '../modules/storage-account.bicep' = {
name: 'logStorage'
params: {
Expand Down Expand Up @@ -238,21 +232,6 @@ module firewall '../modules/firewall.bicep' = {
}
}

module azureMonitorPrivateLink '../modules/private-link.bicep' = if ( contains(supportedClouds, environment().name) ){
name: 'azure-monitor-private-link'
params: {
logAnalyticsWorkspaceName: logAnalyticsWorkspaceName
logAnalyticsWorkspaceResourceId: logAnalyticsWorkspaceResourceId
privateEndpointSubnetName: subnetName
privateEndpointVnetName: virtualNetwork.outputs.name
location: location
tags: tags
}
dependsOn: [
subnet
]
}

output virtualNetworkName string = virtualNetwork.outputs.name
output virtualNetworkResourceId string = virtualNetwork.outputs.id
output subnetName string = subnet.name
5 changes: 4 additions & 1 deletion src/bicep/core/spoke-network.bicep
Expand Up @@ -34,6 +34,8 @@ param routeTableRouteAddressPrefix string = '0.0.0.0/0'
param routeTableRouteNextHopIpAddress string = firewallPrivateIPAddress
param routeTableRouteNextHopType string = 'VirtualAppliance'

param subnetPrivateEndpointNetworkPolicies string

module logStorage '../modules/storage-account.bicep' = {
name: 'logStorage'
params: {
Expand Down Expand Up @@ -95,7 +97,8 @@ module virtualNetwork '../modules/virtual-network.bicep' = {
routeTable: {
id: routeTable.outputs.id
}
serviceEndpoints: subnetServiceEndpoints
serviceEndpoints: subnetServiceEndpoints
privateEndpointNetworkPolicies: subnetPrivateEndpointNetworkPolicies
}
}
]
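Review bot: `param subnetPrivateEndpointNetworkPolicies string` in the first hunk accepts any string, while the only values this PR ever supplies (and the values the subnet property on the new side of the second hunk is expected to receive) are `Enabled` and `Disabled`, so a typo in a caller's spoke definition surfaces as a validation error inside the nested virtual-network deployment rather than at this module's boundary. The parameter also has no `@description`, unlike the documented parameters in mlz.bicep, and its security effect — whether NSG and route-table rules apply to private endpoints in the spoke subnet — is exactly the kind of setting the next person adding a spoke needs spelled out. Constraining it with `@allowed` and describing it fixes both.
```bicep
@description('Whether network policies (NSG and route table) are applied to private endpoints in the spoke subnet: Enabled or Disabled')
@allowed([
  'Enabled'
  'Disabled'
])
param subnetPrivateEndpointNetworkPolicies string
```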
53 changes: 51 additions & 2 deletions src/bicep/mlz.bicep
Expand Up @@ -42,6 +42,12 @@ param sharedServicesSubscriptionId string = subscription().subscriptionId
@description('The region to deploy resources into. It defaults to the deployment location.')
param location string = deployment().location

@description('Supported Azure Clouds array. It defaults to the Public cloud and the Azure US Government cloud.')
param supportedClouds array = [
'AzureCloud'
'AzureUSGovernment'
]

// RESOURCE NAMING PARAMETERS

@description('A suffix to use for naming deployments uniquely. It defaults to the Bicep resolution of the "utcNow()" function.')
Expand Down Expand Up @@ -661,6 +667,7 @@ var spokes = [
subnetName: identitySubnetName
subnetAddressPrefix: identitySubnetAddressPrefix
subnetServiceEndpoints: identitySubnetServiceEndpoints
subnetPrivateEndpointNetworkPolicies: 'Enabled'
}
{
name: operationsName
Expand All @@ -678,6 +685,7 @@ var spokes = [
subnetName: operationsSubnetName
subnetAddressPrefix: operationsSubnetAddressPrefix
subnetServiceEndpoints: operationsSubnetServiceEndpoints
subnetPrivateEndpointNetworkPolicies: 'Disabled'
}
{
name: sharedServicesName
Expand All @@ -695,6 +703,7 @@ var spokes = [
subnetName: sharedServicesSubnetName
subnetAddressPrefix: sharedServicesSubnetAddressPrefix
subnetServiceEndpoints: sharedServicesSubnetServiceEndpoints
subnetPrivateEndpointNetworkPolicies: 'Enabled'
}
]


logStorageAccountName: hubLogStorageAccountName
logStorageSkuName: logStorageSkuName

logAnalyticsWorkspaceName: logAnalyticsWorkspace.outputs.name
logAnalyticsWorkspaceResourceId: logAnalyticsWorkspace.outputs.id

virtualNetworkName: hubVirtualNetworkName
Expand Down Expand Up @@ -843,6 +850,8 @@ module spokeNetworks './core/spoke-network.bicep' = [for spoke in spokes: {
subnetName: spoke.subnetName
subnetAddressPrefix: spoke.subnetAddressPrefix
subnetServiceEndpoints: spoke.subnetServiceEndpoints

subnetPrivateEndpointNetworkPolicies: spoke.subnetPrivateEndpointNetworkPolicies
}
}]

Expand Down Expand Up @@ -899,6 +908,20 @@ module spokePolicyAssignments './modules/policy-assignment.bicep' = [for spoke i
}
}]

// PRIVATE DNS

module azurePrivateDns './modules/private-dns.bicep' = {
name: 'azure-private-dns'
scope: resourceGroup(hubSubscriptionId, hubResourceGroupName)
params: {
vnetName: hubNetwork.outputs.virtualNetworkName
tags: tags
}
dependsOn: [
hubNetwork
]
}

// CENTRAL LOGGING

module hubSubscriptionActivityLogging './modules/central-logging.bicep' = {
Expand All @@ -913,6 +936,29 @@ module hubSubscriptionActivityLogging './modules/central-logging.bicep' = {
]
}

module azureMonitorPrivateLink './modules/private-link.bicep' = if ( contains(supportedClouds, environment().name) ){
name: 'azure-monitor-private-link'
scope: resourceGroup(operationsSubscriptionId, operationsResourceGroupName)
params: {
logAnalyticsWorkspaceName: logAnalyticsWorkspace.outputs.name
logAnalyticsWorkspaceResourceId: logAnalyticsWorkspace.outputs.id
privateEndpointSubnetName: operationsSubnetName
privateEndpointVnetName: operationsVirtualNetworkName
monitorPrivateDnsZoneId: azurePrivateDns.outputs.monitorPrivateDnsZoneId
omsPrivateDnsZoneId: azurePrivateDns.outputs.omsPrivateDnsZoneId
odsPrivateDnsZoneId: azurePrivateDns.outputs.odsPrivateDnsZoneId
agentsvcPrivateDnsZoneId: azurePrivateDns.outputs.agentsvcPrivateDnsZoneId
storagePrivateDnsZoneId: azurePrivateDns.outputs.storagePrivateDnsZoneId
location: location
tags: tags
}
dependsOn: [
logAnalyticsWorkspace
spokeNetworks
azurePrivateDns
]
}

module spokeSubscriptionActivityLogging './modules/central-logging.bicep' = [for spoke in spokes: if (spoke.subscriptionId != hubSubscriptionId) {
name: 'activity-logs-${spoke.name}-${deploymentNameSuffix}'
scope: subscription(spoke.subscriptionId)
Expand Down Expand Up @@ -1012,6 +1058,9 @@ module remoteAccess './core/remote-access.bicep' = if (deployRemoteAccess) {

logAnalyticsWorkspaceId: logAnalyticsWorkspace.outputs.id
}
dependsOn: [
azureMonitorPrivateLink
]
}

/*
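Review bot: The operations spoke entry sets `subnetPrivateEndpointNetworkPolicies: 'Disabled'` while the identity and shared-services spokes get `'Enabled'`, and nothing in the file records why that subnet alone is the exception — it is the subnet the Azure Monitor private endpoint is placed into further down (`privateEndpointSubnetName: operationsSubnetName`). Disabling network policies was the historical requirement for hosting a private endpoint, but it also means the spoke's NSG and route table are not applied to traffic addressed to that endpoint, so anything that can route to the operations address space reaches the workspace ingestion endpoints without the spoke's filtering. If the API version and regions this template targets support network policies on private endpoints, `'Enabled'` keeps the spoke's controls in force; if not, the trade-off belongs next to the value, e.g. `subnetPrivateEndpointNetworkPolicies: 'Disabled' // hosts the Azure Monitor private endpoint; NSG/UDR are not enforced for it`. The enclosing `spokes` array starts and ends outside the hunk.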
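--- /dev/null
+++ b/src/bicep/modules/private-dns.bicep
@@ -0,0 +1,132 @@
+/*
+Copyright (c) Microsoft Corporation.
+Licensed under the MIT License.
+*/
+
+@description('The name of the virtual network the private dns zones will be connected to')
+param vnetName string
+
+@description('The name of the the resource group where the virtual network exists')
+param vnetResourceGroup string = resourceGroup().name
+
+@description('The subscription id of the subscription the virtual network exists in')
+param vnetSubscriptionId string = subscription().subscriptionId
+
+@description('The tags that will be associated to the resources')
+param tags object
+
+var privateDnsZones_privatelink_monitor_azure_name = ( environment().name =~ 'AzureCloud' ? 'privatelink.monitor.azure.com' : 'privatelink.monitor.azure.us' )
+var privateDnsZones_privatelink_ods_opinsights_azure_name = ( environment().name =~ 'AzureCloud' ? 'privatelink.ods.opinsights.azure.com' : 'privatelink.ods.opinsights.azure.us' )
+var privateDnsZones_privatelink_oms_opinsights_azure_name = ( environment().name =~ 'AzureCloud' ? 'privatelink.oms.opinsights.azure.com' : 'privatelink.oms.opinsights.azure.us' )
+var privateDnsZones_privatelink_blob_core_cloudapi_net_name = ( environment().name =~ 'AzureCloud' ? 'privatelink.blob.${environment().suffixes.storage}' : 'privatelink.blob.core.usgovcloudapi.net' )
+var privateDnsZones_privatelink_agentsvc_azure_automation_name = ( environment().name =~ 'AzureCloud' ? 'privatelink.agentsvc.azure-automation.net' : 'privatelink.agentsvc.azure-automation.us' )
+
+resource privatelink_monitor_azure_com 'Microsoft.Network/privateDnsZones@2018-09-01' = {
+name: privateDnsZones_privatelink_monitor_azure_name
+location: 'global'
+tags: tags
+}
+
+resource privatelink_oms_opinsights_azure_com 'Microsoft.Network/privateDnsZones@2018-09-01' = {
+name: privateDnsZones_privatelink_oms_opinsights_azure_name
+location: 'global'
+tags: tags
+}
+
+resource privatelink_ods_opinsights_azure_com 'Microsoft.Network/privateDnsZones@2018-09-01' = {
+name: privateDnsZones_privatelink_ods_opinsights_azure_name
+location: 'global'
+tags: tags
+}
+
+resource privatelink_agentsvc_azure_automation_net 'Microsoft.Network/privateDnsZones@2018-09-01' = {
+name: privateDnsZones_privatelink_agentsvc_azure_automation_name
+location: 'global'
+tags: tags
+}
+
+resource privatelink_blob_core_cloudapi_net 'Microsoft.Network/privateDnsZones@2018-09-01' = {
+name: privateDnsZones_privatelink_blob_core_cloudapi_net_name
+location: 'global'
+tags: tags
+}
+
+resource privatelink_monitor_azure_com_privatelink_monitor_azure_com_link 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2018-09-01' = {
+name: '${privateDnsZones_privatelink_monitor_azure_name}/${privateDnsZones_privatelink_monitor_azure_name}-link'
+location: 'global'
+properties: {
+registrationEnabled: false
+virtualNetwork: {
+id: resourceId(vnetSubscriptionId, vnetResourceGroup, 'Microsoft.Network/virtualNetworks', vnetName )
+}
+}
+dependsOn: [
+privatelink_monitor_azure_com
+]
+}
+
+resource privatelink_oms_opinsights_azure_com_privatelink_oms_opinsights_azure_com_link 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2018-09-01' = {
+name: '${privateDnsZones_privatelink_oms_opinsights_azure_name}/${privateDnsZones_privatelink_oms_opinsights_azure_name}-link'
+location: 'global'
+properties: {
+registrationEnabled: false
+virtualNetwork: {
+id: resourceId(vnetSubscriptionId, vnetResourceGroup, 'Microsoft.Network/virtualNetworks', vnetName )
+}
+}
+dependsOn: [
+privatelink_oms_opinsights_azure_com
+privatelink_monitor_azure_com_privatelink_monitor_azure_com_link
+]
+}
+
+resource privatelink_ods_opinsights_azure_com_privatelink_ods_opinsights_azure_com_link 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2018-09-01' = {
+name: '${privateDnsZones_privatelink_ods_opinsights_azure_name}/${privateDnsZones_privatelink_ods_opinsights_azure_name}-link'
+location: 'global'
+properties: {
+registrationEnabled: false
+virtualNetwork: {
+id: resourceId(vnetSubscriptionId, vnetResourceGroup, 'Microsoft.Network/virtualNetworks', vnetName )
+}
+}
+dependsOn: [
+privatelink_ods_opinsights_azure_com
+privatelink_oms_opinsights_azure_com_privatelink_oms_opinsights_azure_com_link
+]
+}
+
+resource privatelink_agentsvc_azure_automation_net_privatelink_agentsvc_azure_automation_net_link 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2018-09-01' = {
+name: '${privateDnsZones_privatelink_agentsvc_azure_automation_name}/${privateDnsZones_privatelink_agentsvc_azure_automation_name}-link'
+location: 'global'
+properties: {
+registrationEnabled: false
+virtualNetwork: {
+id: resourceId(vnetSubscriptionId, vnetResourceGroup, 'Microsoft.Network/virtualNetworks', vnetName )
+}
+}
+dependsOn: [
+privatelink_agentsvc_azure_automation_net
+privatelink_ods_opinsights_azure_com_privatelink_ods_opinsights_azure_com_link
+]
+}
+
+resource privateDnsZones_privatelink_blob_core_cloudapi_net_privateDnsZones_privatelink_blob_core_cloudapi_net_link 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2018-09-01' = {
+name: '${privateDnsZones_privatelink_blob_core_cloudapi_net_name}/${privateDnsZones_privatelink_blob_core_cloudapi_net_name}-link'
+location: 'global'
+properties: {
+registrationEnabled: false
+virtualNetwork: {
+id: resourceId(vnetSubscriptionId, vnetResourceGroup, 'Microsoft.Network/virtualNetworks', vnetName )
+}
+}
+dependsOn: [
+privatelink_blob_core_cloudapi_net
+privatelink_agentsvc_azure_automation_net_privatelink_agentsvc_azure_automation_net_link
+]
+}
+
+output monitorPrivateDnsZoneId string = privatelink_monitor_azure_com.id
+output omsPrivateDnsZoneId string = privatelink_oms_opinsights_azure_com.id
+output odsPrivateDnsZoneId string = privatelink_ods_opinsights_azure_com.id
+output agentsvcPrivateDnsZoneId string = privatelink_agentsvc_azure_automation_net.id
+output storagePrivateDnsZoneId string = privatelink_blob_core_cloudapi_net.id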
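Review bot: The five zone-name selectors at the top of the file treat every environment other than `AzureCloud` as US Government, so a deployment into any other cloud does not fail — it silently creates `privatelink.*.azure.us` zones and links them into the hub, where nothing will resolve through them. This is reachable because mlz.bicep calls this module unconditionally while the private-link module that consumes its outputs is the only one gated on `supportedClouds`. Keying the suffixes on `environment().name` makes an unsupported cloud fail the deployment with a clear property-not-found error instead, and the blob zone can use `environment().suffixes.storage` in both clouds rather than hard-coding `core.usgovcloudapi.net` for one of them (that suffix should already be what the function returns in US Government — worth confirming in a Gov deployment).
```bicep
// Private Link zone suffixes per cloud; indexing with an unsupported environment name fails the deployment.
var privateLinkSuffixes = {
  AzureCloud: {
    monitor: 'monitor.azure.com'
    ods: 'ods.opinsights.azure.com'
    oms: 'oms.opinsights.azure.com'
    agentsvc: 'agentsvc.azure-automation.net'
  }
  AzureUSGovernment: {
    monitor: 'monitor.azure.us'
    ods: 'ods.opinsights.azure.us'
    oms: 'oms.opinsights.azure.us'
    agentsvc: 'agentsvc.azure-automation.us'
  }
}
var cloudSuffixes = privateLinkSuffixes[environment().name]

var privateDnsZones_privatelink_monitor_azure_name = 'privatelink.${cloudSuffixes.monitor}'
var privateDnsZones_privatelink_ods_opinsights_azure_name = 'privatelink.${cloudSuffixes.ods}'
var privateDnsZones_privatelink_oms_opinsights_azure_name = 'privatelink.${cloudSuffixes.oms}'
var privateDnsZones_privatelink_blob_core_cloudapi_net_name = 'privatelink.blob.${environment().suffixes.storage}'
var privateDnsZones_privatelink_agentsvc_azure_automation_name = 'privatelink.${cloudSuffixes.agentsvc}'
// … unchanged: privateDnsZones resources, virtualNetworkLinks, outputs …
```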