Release 1.0.0 (#13)
* Release 1.0.0

* Release 1.0.0

* Release 1.0.0

---------

Co-authored-by: Microsoft Open Source <[email protected]>
jkantamneni and microsoftopensource authored Dec 14, 2023
1 parent bfdd870 commit dd486ba
Showing 99 changed files with 927 additions and 341 deletions.
10 changes: 5 additions & 5 deletions README.md
@@ -1,8 +1,8 @@
# Sovereign Landing Zone Preview
# Sovereign Landing Zone

The Sovereign Landing Zone (SLZ) Preview provides opinionated infrastructure-as-code automation for deploying workloads that help meet certain regulatory compliance requirements for the public sector and government agencies around the world.
The Sovereign Landing Zone (SLZ) is a [Microsoft Cloud for Sovereignty](https://microsoft.com/sovereignty) offering that provides opinionated infrastructure-as-code automation for deploying workloads to help meet regulatory compliance requirements for the public sector and government agencies around the world.

You can begin by navigating to the [Overview](/docs/01-Overview.md) document to begin. The documentation will cover the concepts around SLZ Preview, architecture, and deployment paths. Please reference [FAQ's](/docs/12-FAQ.md) for common questions and [Troubleshooting](/docs/13-Troubleshooting.md) for common issues.
You can begin by navigating to the [Overview](/docs/01-Overview.md) document. The documentation will cover the concepts around SLZ, architecture, and deployment paths. Please reference [FAQ's](/docs/12-FAQ.md) for common questions and [Troubleshooting](/docs/13-Troubleshooting.md) for common issues.

## Contributing
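Review bot: "FAQ's" in the rewritten intro line should be "FAQs" (a plural, not a possessive); the duplicated "to begin" was already removed from that sentence, so this is the one typo left in the hunk. Since both the title and the body drop the word "Preview", the release note should say so explicitly, as the same word is removed again in the legal-notice hunk below and readers of older docs will otherwise wonder whether the change was deliberate.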

@@ -35,6 +35,6 @@ trademarks or logos is subject to and must follow
Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship.
Any use of third-party trademarks or logos are subject to those third-party's policies.

## Preview Notice
## Microsoft Legal Notice

**Preview Terms**. The Sovereign Landing Zone Preview (the "PREVIEW") is licensed to you as part of your [Azure subscription](https://azure.microsoft.com/en-us/support/legal/) and subject to terms applicable to "Previews" as detailed in the Universal License Terms for Online Services section of the <u></u>Microsoft Product Terms and the [Microsoft Products and Services Data Protection Addendum ("DPA")](https://www.microsoft.com/licensing/terms/welcome/welcomepage). AS STATED IN THOSE TERMS, PREVIEWS ARE PROVIDED "AS-IS," "WITH ALL FAULTS," AND "AS AVAILABLE," AND ARE EXCLUDED FROM THE SERVICE LEVEL AGREEMENTS AND LIMITED WARRANTY. Previews may employ lesser or different privacy and security measures than those typically present in Azure Services. Unless otherwise noted, you should not use Previews to process Personal Data or other data that is subject to legal or regulatory compliance requirements. The following terms in the [DPA](https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA) do not apply to Previews: Processing of Personal Data; GDPR, Data Security, and HIPAA Business Associate. We may change or discontinue Previews at any time without notice. We also may choose not to release a Preview into General Availability.
The **Sovereign Landing Zone** (1) is not designed, intended, or made available as legal services, (2) is not intended to substitute for professional legal counsel or judgment, and (3) should not be used in place of consulting with a qualified professional legal professional for your specific needs. Microsoft makes no warranty that the **Sovereign Landing Zone** is accurate, up-to-date, or complete. You are wholly responsible for ensuring your own compliance with all applicable laws and regulations.
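Review bot: The replacement notice no longer states under what terms the SLZ is provided: the removed paragraph tied the Preview to the Azure subscription terms and the DPA, while the new text only disclaims legal advice. Suggest adding one sentence pointing at the repository LICENSE (or the applicable product terms) so the 1.0.0 release carries a licensing statement as well as the legal-services disclaimer. Note also that the removed paragraph's caveat that Previews "may employ lesser or different privacy and security measures" drops out entirely; if that no longer applies at 1.0.0, nothing in the new text says so.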
@@ -9,7 +9,7 @@ Module supports the following custom roles:
- [*ManagementGroupId] Network management (NetOps)
- [*ManagementGroupId] Security operations (SecOps)

*The custom role names are prefixed with `[ManagementGroupId]` since custom roles scoped at Management Group level must be unique within the Azure AD tenant. This will alleviate any conflicts if you chose to deploy a [canary environment](https://aka.ms/alz/canary).
*The custom role names are prefixed with `[ManagementGroupId]` since custom roles scoped at Management Group level must be unique within the Microsoft Entra tenant. This will alleviate any conflicts if you chose to deploy a [canary environment](https://aka.ms/alz/canary).
For example, if the `ManagementGroupId` = **alz**, then each role will have this prefix **[alz]** like `[alz] Subscription owner`. See the [example output deployment](#example-deployment-output) below.

## Parameters
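Review bot: "if you chose to deploy" should read "if you choose to deploy" in the rewritten footnote; the line is already being touched for the Azure AD to Microsoft Entra rename, so fix the tense in the same change. The rename itself is consistent with the Entra wording used elsewhere in this release.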
25 changes: 25 additions & 0 deletions dependencies/infra-as-code/bicep/modules/hubNetworking/README.md
@@ -35,6 +35,31 @@ Module deploys the following resources:
>
> See child module, [`privateDnsZones.bicep` docs](https://github.com/Azure/ALZ-Bicep/tree/main/infra-as-code/bicep/modules/privateDnsZones#dns-zones) for more info on how this works
To configure P2S VPN connections edit the vpnClientConfiguration value in the `parVpnGatewayConfig` parameter.

AAD Authentication Example:

```bicep
"vpnClientConfiguration": {
"vpnClientAddressPool": {
"addressPrefixes": [
"172.16.0.0/24"
]
},
"vpnClientProtocols": [
"OpenVPN"
],
"vpnAuthenticationTypes": [
"AAD"
],
"aadTenant": "https://login.microsoftonline.com/{AzureAD TenantID}",
"aadAudience": "41b23e61-6c1e-4545-b367-cd054e0ed4b4",
"aadIssuer": "https://sts.windows.net/{AzureAD TenantID}/"
}
```

Replace the values for `aadTenant`, `aadAudience`, and `aadIssuer` as documented [here](https://learn.microsoft.com/en-us/azure/vpn-gateway/openvpn-azure-ad-tenant#enable-authentication)

## Outputs

The module will generate the following outputs:
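Review bot: The new paragraph "To configure P2S VPN connections..." is inserted directly under the `> See child module...` blockquote with no blank line, so Markdown lazy continuation will render it as part of the quote; add a blank line before it. Two smaller points on the example: it is fenced as `bicep` but is a JSON fragment of a parameter file, so tag it `json`; and the heading says "AAD Authentication Example" while the sibling README hunk in this same commit renames Azure AD to Microsoft Entra. Finally, `aadTenant` and `aadIssuer` use `{AzureAD TenantID}` placeholders but `aadAudience` is a hard-coded GUID, and the sentence after the block says to replace all three values; either make `aadAudience` a placeholder too or state which audience ID this is and when it must be changed.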
@@ -26,16 +26,19 @@ parAzFirewallEnabled | No | Switch to enable/disable Azure Firewall deploy
parAzFirewallName | No | Azure Firewall Name.
parAzFirewallPoliciesName | No | Azure Firewall Policies Name.
parAzFirewallTier | No | Azure Firewall Tier associated with the Firewall to deploy.
parAzFirewallIntelMode | No | The Azure Firewall Threat Intelligence Mode. If not set, the default value is Alert.
parAzFirewallAvailabilityZones | No | Availability Zones to deploy the Azure Firewall across. Region must support Availability Zones to use. If it does not then leave empty.
parAzErGatewayAvailabilityZones | No | Availability Zones to deploy the VPN/ER PIP across. Region must support Availability Zones to use. If it does not then leave empty. Ensure that you select a zonal SKU for the ER/VPN Gateway if using Availability Zones for the PIP.
parAzVpnGatewayAvailabilityZones | No | Availability Zones to deploy the VPN/ER PIP across. Region must support Availability Zones to use. If it does not then leave empty. Ensure that you select a zonal SKU for the ER/VPN Gateway if using Availability Zones for the PIP.
parAzFirewallDnsProxyEnabled | No | Switch to enable/disable Azure Firewall DNS Proxy.
parAzFirewallDnsServers | No | Array of custom DNS servers used by Azure Firewall
parHubRouteTableName | No | Name of Route table to create for the default route of Hub.
parDisableBgpRoutePropagation | No | Switch to enable/disable BGP Propagation on route table.
parPrivateDnsZonesEnabled | No | Switch to enable/disable Private DNS Zones deployment.
parPrivateDnsZonesResourceGroup | No | Resource Group Name for Private DNS Zones.
parPrivateDnsZones | No | Array of DNS Zones to provision in Hub Virtual Network. Default: All known Azure Private DNS Zones
parPrivateDnsZoneAutoMergeAzureBackupZone | No | Set Parameter to false to skip the addition of a Private DNS Zone for Azure Backup.
parVirtualNetworkIdToLinkFailover | No | Resource ID of Failover VNet for Private DNS Zone VNet Failover Links
parVpnGatewayConfig | No | Configuration for VPN virtual network gateway to be deployed. If a VPN virtual network gateway is not desired an empty object should be used as the input parameter in the parameter file, i.e. "parVpnGatewayConfig": { "value": {} }
parExpressRouteGatewayConfig | No | Configuration for ExpressRoute virtual network gateway to be deployed. If a ExpressRoute virtual network gateway is not desired an empty object should be used as the input parameter in the parameter file, i.e. "parExpressRouteGatewayConfig": { "value": {} }
parTags | No | Tags you would like to be applied to all resources in this module.
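Review bot: The two new table rows (`parAzFirewallDnsServers`, `parVirtualNetworkIdToLinkFailover`) have no terminating period, unlike the neighbouring rows, and the `parAzFirewallDnsServers` description does not say whether the servers are used for the firewall's own FQDN resolution, for the DNS proxy enabled by `parAzFirewallDnsProxyEnabled` on the line above, or both; one clause would settle that. While here: the pre-existing `parAzErGatewayAvailabilityZones` and `parAzVpnGatewayAvailabilityZones` context rows carry an identical "VPN/ER PIP" description, which is worth splitting into ER and VPN wording.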
@@ -204,6 +207,16 @@ Azure Firewall Tier associated with the Firewall to deploy.

- Allowed values: `Basic`, `Standard`, `Premium`

### parAzFirewallIntelMode

![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)

The Azure Firewall Threat Intelligence Mode. If not set, the default value is Alert.

- Default value: `Alert`

- Allowed values: `Alert`, `Deny`, `Off`

### parAzFirewallAvailabilityZones

![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
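Review bot: The new parAzFirewallIntelMode section lists the allowed values but not what they mean: `Alert` only logs threat-intelligence matches, `Deny` blocks them, and `Off` disables the feature. For a sovereignty landing zone the section should say that the `Alert` default is detect-only, so operators make a conscious decision before relying on it rather than on `Deny`.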
@@ -236,6 +249,12 @@ Switch to enable/disable Azure Firewall DNS Proxy.

- Default value: `True`

### parAzFirewallDnsServers

![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)

Array of custom DNS servers used by Azure Firewall

### parHubRouteTableName

![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
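Review bot: The parAzFirewallDnsServers section lacks the `- Default value:` bullet that the neighbouring sections carry (the example parameter file further down this commit uses an empty array), and its description line has no terminating period. Also state the expected element format, i.e. DNS server IP addresses, so the array is not filled with FQDNs.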
@@ -274,7 +293,7 @@ Resource Group Name for Private DNS Zones.

Array of DNS Zones to provision in Hub Virtual Network. Default: All known Azure Private DNS Zones

- Default value: `[format('privatelink.{0}.azmk8s.io', toLower(parameters('parLocation')))] [format('privatelink.{0}.batch.azure.com', toLower(parameters('parLocation')))] [format('privatelink.{0}.kusto.windows.net', toLower(parameters('parLocation')))] privatelink.adf.azure.com privatelink.afs.azure.net privatelink.agentsvc.azure-automation.net privatelink.analysis.windows.net privatelink.api.azureml.ms privatelink.azconfig.io privatelink.azure-api.net privatelink.azure-automation.net privatelink.azurecr.io privatelink.azure-devices.net privatelink.azure-devices-provisioning.net privatelink.azurehdinsight.net privatelink.azurehealthcareapis.com privatelink.azurestaticapps.net privatelink.azuresynapse.net privatelink.azurewebsites.net privatelink.batch.azure.com privatelink.blob.core.windows.net privatelink.cassandra.cosmos.azure.com privatelink.cognitiveservices.azure.com privatelink.database.windows.net privatelink.datafactory.azure.net privatelink.dev.azuresynapse.net privatelink.dfs.core.windows.net privatelink.dicom.azurehealthcareapis.com privatelink.digitaltwins.azure.net privatelink.directline.botframework.com privatelink.documents.azure.com privatelink.eventgrid.azure.net privatelink.file.core.windows.net privatelink.gremlin.cosmos.azure.com privatelink.guestconfiguration.azure.com privatelink.his.arc.azure.com privatelink.kubernetesconfiguration.azure.com privatelink.managedhsm.azure.net privatelink.mariadb.database.azure.com privatelink.media.azure.net privatelink.mongo.cosmos.azure.com privatelink.monitor.azure.com privatelink.mysql.database.azure.com privatelink.notebooks.azure.net privatelink.ods.opinsights.azure.com privatelink.oms.opinsights.azure.com privatelink.pbidedicated.windows.net privatelink.postgres.database.azure.com privatelink.prod.migration.windowsazure.com privatelink.purview.azure.com privatelink.purviewstudio.azure.com privatelink.queue.core.windows.net privatelink.redis.cache.windows.net privatelink.redisenterprise.cache.azure.net 
privatelink.search.windows.net privatelink.service.signalr.net privatelink.servicebus.windows.net privatelink.siterecovery.windowsazure.com privatelink.sql.azuresynapse.net privatelink.table.core.windows.net privatelink.table.cosmos.azure.com privatelink.tip1.powerquery.microsoft.com privatelink.token.botframework.com privatelink.vaultcore.azure.net privatelink.web.core.windows.net privatelink.webpubsub.azure.com`
- Default value: `[format('privatelink.{0}.azmk8s.io', toLower(parameters('parLocation')))] [format('privatelink.{0}.batch.azure.com', toLower(parameters('parLocation')))] [format('privatelink.{0}.kusto.windows.net', toLower(parameters('parLocation')))] privatelink.adf.azure.com privatelink.afs.azure.net privatelink.agentsvc.azure-automation.net privatelink.analysis.windows.net privatelink.api.azureml.ms privatelink.azconfig.io privatelink.azure-api.net privatelink.azure-automation.net privatelink.azurecr.io privatelink.azure-devices.net privatelink.azure-devices-provisioning.net privatelink.azuredatabricks.net privatelink.azurehdinsight.net privatelink.azurehealthcareapis.com privatelink.azurestaticapps.net privatelink.azuresynapse.net privatelink.azurewebsites.net privatelink.batch.azure.com privatelink.blob.core.windows.net privatelink.cassandra.cosmos.azure.com privatelink.cognitiveservices.azure.com privatelink.database.windows.net privatelink.datafactory.azure.net privatelink.dev.azuresynapse.net privatelink.dfs.core.windows.net privatelink.dicom.azurehealthcareapis.com privatelink.digitaltwins.azure.net privatelink.directline.botframework.com privatelink.documents.azure.com privatelink.eventgrid.azure.net privatelink.file.core.windows.net privatelink.gremlin.cosmos.azure.com privatelink.guestconfiguration.azure.com privatelink.his.arc.azure.com privatelink.kubernetesconfiguration.azure.com privatelink.managedhsm.azure.net privatelink.mariadb.database.azure.com privatelink.media.azure.net privatelink.mongo.cosmos.azure.com privatelink.monitor.azure.com privatelink.mysql.database.azure.com privatelink.notebooks.azure.net privatelink.ods.opinsights.azure.com privatelink.oms.opinsights.azure.com privatelink.pbidedicated.windows.net privatelink.postgres.database.azure.com privatelink.prod.migration.windowsazure.com privatelink.purview.azure.com privatelink.purviewstudio.azure.com privatelink.queue.core.windows.net privatelink.redis.cache.windows.net 
privatelink.redisenterprise.cache.azure.net privatelink.search.windows.net privatelink.service.signalr.net privatelink.servicebus.windows.net privatelink.siterecovery.windowsazure.com privatelink.sql.azuresynapse.net privatelink.table.core.windows.net privatelink.table.cosmos.azure.com privatelink.tip1.powerquery.microsoft.com privatelink.token.botframework.com privatelink.vaultcore.azure.net privatelink.web.core.windows.net privatelink.webpubsub.azure.com`

### parPrivateDnsZoneAutoMergeAzureBackupZone

@@ -284,6 +303,12 @@ Set Parameter to false to skip the addition of a Private DNS Zone for Azure Back

- Default value: `True`

### parVirtualNetworkIdToLinkFailover

![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)

Resource ID of Failover VNet for Private DNS Zone VNet Failover Links

### parVpnGatewayConfig

![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
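Review bot: The parVirtualNetworkIdToLinkFailover description should say that the value is a full virtual network resource ID, and what an empty string (the value the example parameter file in this commit uses) does; as written there is neither a `- Default value:` bullet nor a terminating period, unlike the sections around it.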
@@ -293,7 +318,7 @@ Configuration for VPN virtual network gateway to be deployed. If a VPN virtual n
"value": {}
}

- Default value: `@{name=[format('{0}-Vpn-Gateway', parameters('parCompanyPrefix'))]; gatewayType=Vpn; sku=VpnGw1; vpnType=RouteBased; generation=Generation1; enableBgp=False; activeActive=False; enableBgpRouteTranslationForNat=False; enableDnsForwarding=False; bgpPeeringAddress=; bgpsettings=}`
- Default value: `@{name=[format('{0}-Vpn-Gateway', parameters('parCompanyPrefix'))]; gatewayType=Vpn; sku=VpnGw1; vpnType=RouteBased; generation=Generation1; enableBgp=False; activeActive=False; enableBgpRouteTranslationForNat=False; enableDnsForwarding=False; bgpPeeringAddress=; bgpsettings=; vpnClientConfiguration=}`

### parExpressRouteGatewayConfig
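Review bot: The `@{...}` hashtable rendering of the default now ends in `vpnClientConfiguration=`, which tells a reader only that the object is empty by default, not what shape it takes; since the module README hunk in this commit adds a worked `vpnClientConfiguration` example, link to it from this section so the two stay in step.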

@@ -437,6 +462,9 @@ outHubVirtualNetworkId | string |
"parAzFirewallTier": {
"value": "Standard"
},
"parAzFirewallIntelMode": {
"value": "Alert"
},
"parAzFirewallAvailabilityZones": {
"value": []
},
@@ -449,6 +477,9 @@ outHubVirtualNetworkId | string |
"parAzFirewallDnsProxyEnabled": {
"value": true
},
"parAzFirewallDnsServers": {
"value": []
},
"parHubRouteTableName": {
"value": "[format('{0}-hub-routetable', parameters('parCompanyPrefix'))]"
},
@@ -477,6 +508,7 @@ outHubVirtualNetworkId | string |
"privatelink.azurecr.io",
"privatelink.azure-devices.net",
"privatelink.azure-devices-provisioning.net",
"privatelink.azuredatabricks.net",
"privatelink.azurehdinsight.net",
"privatelink.azurehealthcareapis.com",
"privatelink.azurestaticapps.net",
@@ -534,6 +566,9 @@ outHubVirtualNetworkId | string |
"parPrivateDnsZoneAutoMergeAzureBackupZone": {
"value": true
},
"parVirtualNetworkIdToLinkFailover": {
"value": ""
},
"parVpnGatewayConfig": {
"value": {
"name": "[format('{0}-Vpn-Gateway', parameters('parCompanyPrefix'))]",
@@ -550,7 +585,8 @@ outHubVirtualNetworkId | string |
"asn": 65515,
"bgpPeeringAddress": "",
"peerWeight": 5
}
},
"vpnClientConfiguration": {}
}
},
"parExpressRouteGatewayConfig": {