Before deployment of the Sovereign Landing Zone, the Required parameters identified below must be reviewed. The parameter file contains defaults for some values as well as sample values for complex data structures.

- In the Sovereign Landing Zone repository, navigate to the /orchestration/scripts/parameters folder.
- Open sovereignLandingZone.parameters.json in a text editor.
- Review and update at least the required parameters in the "value": "" field. Reference Parameter value descriptions for guidance on the full parameters available. The SLZ deployment script will prompt the user for required values that are missed, but it's recommended to put all values in the parameter file.
- Save the file.
This section contains descriptions and accepted values for all parameters within the sovereignLandingZone.parameters.json file. The Used By column indicates which parameters are used for a specific deployment step. We recommend first time users review and update the parameters marked as Required and use the all deployment step.
# | Parameter | Description | Guidance, examples | Used By
---|---|---|---|---
1 | parDeploymentPrefix (Required) | Prefix added to all Azure resources created by the SLZ. | 5 characters or less; can only contain letters, digits, '-', '.' or '_'. No other special characters supported. e.g.: slz | all, bootstrap, compliance, platform, dashboard
2 | parTopLevelManagementGroupName (Required) | The name of the top-level management group for the SLZ. | e.g.: Sovereign Landing Zone | all, bootstrap
3 | parDeploymentSuffix | Optional suffix that will be added to all Azure resources created by the SLZ. Use a '-' at the start of the suffix value if a dash is needed. | 5 characters or less, e.g.: test1 | all, bootstrap, compliance, platform, dashboard
4 | parTopLevelManagementGroupParentId | Optional parent for the Management Group hierarchy, used as the intermediate root Management Group parent if specified. If empty (default), the SLZ will deploy beneath the Tenant Root Management Group. | Sample Format: /providers/Microsoft.Management/managementGroups/{mgId} | all, bootstrap
5 | parSubscriptionBillingScope (Required) | The full resource ID of the billing scope associated with the EA, MCA or MPA account you wish to create the subscription in. | Sample Format (EA): /providers/Microsoft.Billing/BillingAccounts/{BillingAccountId}/enrollmentAccounts/{EnrollmentAccountId}; Sample Format (MCA): /providers/Microsoft.Billing/billingAccounts/{BillingAccountId}; Sample Format (MPA): /providers/Microsoft.Billing/billingAccounts/{BillingAccountId} | all, bootstrap
6 | parCustomer (Required) | The name of the organization deploying the SLZ, used to brand the compliance dashboard appropriately. | 128 characters or less, e.g.: Contoso | all, dashboard
7 | parDeploymentLocation (Required) | Location used for deploying Azure resources. | Azure region to use for deployments. If Confidential Computing is required for your region, please reference the Confidential Computing page for the latest information on availability. e.g.: westeurope | all, platform, dashboard
8 | parAllowedLocations (Required) | Full list of Azure regions allowed by policy where resources can be deployed; it should include at least the parDeploymentLocation. | An array of values (Azure regions), e.g.: ["eastus2", "westeurope"] | all, compliance
9 | parAllowedLocationsForConfidentialComputing (Required) | Full list of Azure regions allowed by policy where Confidential Computing resources can be deployed. This may be a completely different list from parAllowedLocations. | An array of values (Azure regions), e.g.: ["eastus2", "westeurope"] | all, compliance
10 | parDeployDdosProtection | Toggles deployment of Azure DDoS Protection. True to deploy, otherwise false. | true; false | all, platform
11 | parDeployHubNetwork | Toggles deployment of the hub VNET. True to deploy, otherwise false. | true; false | all, platform
12 | parEnableFirewall | Toggles deployment of Azure Firewall. True to deploy, otherwise false. | true; false | all, platform
13 | parUsePremiumFirewall | Toggles deployment of the Premium SKU for Azure Firewall; only used if parEnableFirewall is enabled. True to use the Premium SKU, otherwise false. | true; false | all, platform
14 | parAzFirewallPoliciesEnabled | Set this to true for the initial deployment, as one firewall policy is required. Set this to false in subsequent deployments if using custom policies. | true; false | all, platform
15 | parAzFirewallCustomPublicIps | Optional list of custom public IPs, which are assigned to the firewall's ipConfigurations. | An array of public IP resource IDs, e.g.: ["/subscriptions/{subId}/resourceGroups/{rgId}/providers/Microsoft.Network/publicIPAddresses/{ipId}"] | all, platform
16 | parHubNetworkAddressPrefix | CIDR range for the hub VNET. | CIDR range | all, platform
17 | parAzureBastionSubnet (Deprecated) | Deprecated: will be superseded by the parCustomSubnets parameter in a future release. CIDR range for the Azure Bastion subnet. Please use the parCustomSubnets parameter instead. | CIDR range | all, platform
18 | parGatewaySubnet (Deprecated) | Deprecated: will be superseded by the parCustomSubnets parameter in a future release. CIDR range for the Gateway subnet. Please use the parCustomSubnets parameter instead. | CIDR range | all, platform
19 | parAzureFirewallSubnet (Deprecated) | Deprecated: will be superseded by the parCustomSubnets parameter in a future release. CIDR range for the Azure Firewall subnet. Please use the parCustomSubnets parameter instead. | CIDR range | all, platform
20 | parCustomSubnets | List of other subnets to deploy on the hub VNET and their CIDR ranges. | Sample Format: [{ "name": String, "ipAddressRange": CIDR, "networkSecurityGroupId": Resource ID, "routeTableId": Resource ID }]. name: name of the subnet, e.g. ServerSubnet; ipAddressRange: CIDR range of the subnet, e.g. 10.20.20.0/24; networkSecurityGroupId (optional): existing NSG resource ID to assign to the subnet, e.g. /subscriptions/a0b00336-1234-40ca-a04e-23de7a23c132/resourceGroups/networkRG/providers/Microsoft.Network/networkSecurityGroups/default; routeTableId (optional): existing route table resource ID to assign to the subnet, e.g. /subscriptions/a0b00336-1234-40ca-a04e-23de7a23c132/resourceGroups/networkRG/providers/Microsoft.Network/routeTables/default | all, platform
21 | parLogRetentionInDays | Length of time, in days, to retain log files, with usage enforced by ALZ policies. | Number of days, e.g.: 365 | all, compliance, platform
22 | parManagementSubscriptionId | Optional management subscription ID when using an existing subscription. | Azure Subscription Id, e.g.: /providers/Microsoft.Management/managementGroups/slz-platform-management1 | all, bootstrap, platform, dashboard
23 | parIdentitySubscriptionId | Optional identity subscription ID when using an existing subscription. | Azure Subscription Id, e.g.: /providers/Microsoft.Management/managementGroups/slz-platform-identity1 | all, bootstrap, platform
24 | parConnectivitySubscriptionId | Optional connectivity subscription ID when using an existing subscription. | Azure Subscription Id, e.g.: /providers/Microsoft.Management/managementGroups/slz-platform-connectivity1 | all, bootstrap, platform
25 | parDdosProtectionResourceId | Optional resource ID for an existing DDoS plan, with usage enforced by ALZ policies. | DDoS Plan Resource Id, e.g.: /subscriptions/{subId}/resourceGroups/{rgId}/providers/Microsoft.Network/ddosProtectionPlans/slz-ddos-plan-westus21 | all, platform
26 | parLogAnalyticsWorkspaceId | Optional resource ID for an existing Log Analytics Workspace, with usage enforced by ALZ policies. | Log Analytics Workspace Resource Id, e.g.: /subscriptions/{subId}/resourceGroups/{rgId}/providers/Microsoft.OperationalInsights/workspaces/slz-log-analytics-westus21 | all, compliance
27 | parRequireOwnerRolePermission | Set this to true if any policies in the initiative include a modify effect. | true; false | all, compliance
28 | parPolicyExemptions | Optional list of policy exemptions. | Sample Format: [{ "parPolicyExemptionManagementGroup": Resource ID, "parPolicyAssignmentName": String, "parPolicyAssignmentScopeName": Resource ID, "parPolicyDefinitionReferenceIds": List, "parPolicyExemptionName": String, "parPolicyExemptionDisplayName": String, "parPolicyExemptionDescription": String }]. parPolicyExemptionManagementGroup: management group being exempted from the assignment scope, e.g. slz-landingzones-confidential-corp; parPolicyAssignmentName: name of the original policy assignment, e.g. Deploy-SLZ-Root; parPolicyAssignmentScopeName: top-level management group where the policy was assigned, e.g. slz; parPolicyDefinitionReferenceIds: array of reference IDs of the policies being exempted, e.g. "['AllowedLocation']"; parPolicyExemptionName: customized name for the exemption, e.g. Disable-locations; parPolicyExemptionDisplayName: human-readable customized name for the exemption, e.g. Disable Locations from Scope; parPolicyExemptionDescription: description of the exemption, e.g. Disabling location restrictions defined on the top-level management group to the slz-landingzones-confidential-corp MG | all, policyexemptions
29 | parExpressRouteGatewayConfig | Optional configuration options for the ExpressRoute Gateway. | ExpressRoute Gateway Configuration Sample Format: { "sku": "standard", "vpntype": "RouteBased", "vpnGatewayGeneration": null, "enableBgp": false, "activeActive": false, "enableBgpRouteTranslationForNat": false, "enableDnsForwarding": false, "asn": 65515, "bgpPeeringAddress": "", "peerWeight": 5 } | all, platform
30 | parVpnGatewayConfig | Optional configuration options for the VPN Gateway. | VPN Gateway Configuration Sample Format: { "sku": "VpnGw1", "vpntype": "RouteBased", "generation": "Generation1", "enableBgp": false, "activeActive": false, "enableBgpRouteTranslationForNat": false, "enableDnsForwarding": false, "asn": 65515, "bgpPeeringAddress": "", "peerWeight": 5 } | all, platform
31 | parDeployBastion | Toggles deployment of Azure Bastion. True to deploy, otherwise false. | true; false | all, platform
32 | parLandingZoneMgChildren | Optional array of child management groups to deploy under the SLZ Landing Zones management group. | Sample Format: [{"id": "mymg", "displayName": "My MG display name"}] | all, bootstrap
33 | parDeployAlzDefaultPolicies | Toggles assignment of ALZ policies. True to deploy, otherwise false. | true; false | all, compliance
34 | parAutomationAccountName | Optional resource name for an existing Azure Automation account, with usage enforced by ALZ policies. | Automation Account name, e.g.: slz-managed-identity-westus21 | all, compliance
35 | parPrivateDnsResourceGroupId | Optional resource ID of the Azure Resource Group that contains the Private DNS Zones, with usage enforced by ALZ policies. | Resource Group ID, e.g.: /subscriptions/{subId}/resourceGroups/slz-rg-hub-network-westus2 | all, compliance
36 | parMsDefenderForCloudEmailSecurityContact | An e-mail address that you want Microsoft Defender for Cloud alerts to be sent to. | Email address | all, compliance
37 | parBastionOutboundSshRdpPorts | Array of outbound destination ports and ranges for Azure Bastion. | An array of values (ports), e.g.: ["22", "3389"] | all, platform
38 | parInvokePolicyScanSync | Toggles executing the policy scan in synchronous mode. True to run the policy scan in synchronous mode, false for asynchronous. When set to false, policy remediation needs to be manually triggered once the scan is complete. Note that when the policy scan is run asynchronously, there isn't a way to track its progress. | true; false | all, compliance
39 | parInvokePolicyRemediationSync | Toggles executing policy remediation in synchronous mode. True to run policy remediation in synchronous mode, false for asynchronous. | true; false | all, compliance
40 | parPolicyEffect | The policy effect used in all assignments for the Sovereignty Baseline policy initiatives. | Choose one: "Audit", "Deny", "Disabled" | all, compliance
41 | parPolicyAssignmentEnforcementMode | The enforcement mode used in all policy and initiative assignments. | Choose one: "Default", "DoNotEnforce" | all, compliance
42 | parDeployLogAnalyticsWorkspace | Toggles deployment of the Log Analytics Workspace. True to deploy, otherwise false. | true; false | all, platform
43 | parCustomerPolicySets | Optional additional policy initiatives to assign. | Sample Format: [{ "policySetDefinitionId": Resource ID, "policySetAssignmentName": String, "policySetAssignmentDisplayName": String, "policySetAssignmentDescription": String, "policySetManagementGroupAssignmentScope": Resource ID, "policyParameterFilePath": File Path }]. policySetDefinitionId: definition ID for the policy initiative to assign, e.g. /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8; policySetAssignmentName: custom name for the assignment, e.g. Microsoft-Cloud-Security-Benchmark; policySetAssignmentDisplayName: custom display name for the assignment, e.g. Microsoft Cloud Security Benchmark; policySetAssignmentDescription: custom description for the assignment, e.g. Microsoft-Cloud-Security-Benchmark; policySetManagementGroupAssignmentScope: management group ID to assign the initiative on, e.g. slz; policyParameterFilePath (optional): path to the assignment parameter file, e.g. ./parameters/policyParameters/nist800Parameter.json | all, compliance
44 | parTags | Tags that will be assigned to the subscriptions and resources created by this deployment script. | See the SLZ parameter file for a sample configuration. | all, bootstrap, platform, dashboard
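The constraints the table states for the Required parameters (prefix length and character set, allowed locations containing the deployment location, the fixed choices for parPolicyEffect and parPolicyAssignmentEnforcementMode) can be checked before the deployment script is run. The Python validator below is an added example, not code from the SLZ repository; it assumes the parameter file follows the standard ARM parameter-file layout (a "parameters" object whose entries carry a "value"), and the embedded sample file is constructed, with two deliberate mistakes.

```python
import json
import re

# Constructed sample in the standard ARM/Bicep parameter-file shape (assumption: the SLZ
# file uses the "parameters" -> name -> "value" layout). Subset of the SLZ parameters only.
SAMPLE_PARAMETER_FILE = """{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "parDeploymentPrefix": {"value": "slz"},
    "parTopLevelManagementGroupName": {"value": "Sovereign Landing Zone"},
    "parSubscriptionBillingScope": {"value": ""},
    "parCustomer": {"value": "Contoso"},
    "parDeploymentLocation": {"value": "westeurope"},
    "parAllowedLocations": {"value": ["eastus2"]},
    "parAllowedLocationsForConfidentialComputing": {"value": ["eastus2", "westeurope"]},
    "parPolicyEffect": {"value": "Deny"},
    "parPolicyAssignmentEnforcementMode": {"value": "Default"}
  }
}"""

# Parameters the table marks as Required, and the accepted values it states.
REQUIRED = ["parDeploymentPrefix", "parTopLevelManagementGroupName", "parSubscriptionBillingScope",
            "parCustomer", "parDeploymentLocation", "parAllowedLocations",
            "parAllowedLocationsForConfidentialComputing"]
PREFIX_RE = re.compile(r"^[A-Za-z0-9._-]{1,5}$")  # 5 chars or less; letters, digits, '-', '.', '_'
POLICY_EFFECTS = {"Audit", "Deny", "Disabled"}
ENFORCEMENT_MODES = {"Default", "DoNotEnforce"}


def validate(doc):
    """Return a list of findings; an empty list means the file passes these checks."""
    values = {name: entry.get("value") for name, entry in doc["parameters"].items()}
    findings = []
    for name in REQUIRED:  # the deployment script would prompt for these; catch them up front
        if values.get(name) in (None, "", []):
            findings.append(f"{name}: required but empty")
    prefix = values.get("parDeploymentPrefix") or ""
    if prefix and not PREFIX_RE.match(prefix):
        findings.append("parDeploymentPrefix: must be 1-5 characters from letters, digits, '-', '.', '_'")
    location = values.get("parDeploymentLocation")
    if location and location not in (values.get("parAllowedLocations") or []):
        findings.append(f"parAllowedLocations: must include parDeploymentLocation '{location}'")
    if values.get("parPolicyEffect") not in POLICY_EFFECTS:
        findings.append("parPolicyEffect: choose one of Audit, Deny, Disabled")
    if values.get("parPolicyAssignmentEnforcementMode") not in ENFORCEMENT_MODES:
        findings.append("parPolicyAssignmentEnforcementMode: choose one of Default, DoNotEnforce")
    return findings


def validate_text(text):
    """Validate a parameter file given as JSON text (e.g. the contents of the file on disk)."""
    return validate(json.loads(text))
```

Run against the sample it reports the empty billing scope and the deployment location missing from parAllowedLocations; point validate_text at the real sovereignLandingZone.parameters.json to check an actual file.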