Closed juanandmsft closed 9 months ago
Hi @juanandmsft, thanks for raising this issue. May I kindly ask that you open an Azure support ticket for this issue so that it can be prioritized by engineering based on customer impact? This will be far more effective than our team tracking down owners and asking for them to address this (which we will do anyway).
Hi @juanandmsft! We've reached out to PG to address this issue and are tracking it in the backlog. As this is a built-in policy, there isn't much the ALZ team can do to resolve the issue. I highly recommend asking customers impacted by this to open support tickets to increase visibility and help PG validate impact - which will help them prioritize. I'll be closing the issue here, but feel free to re-open or create a new issue should you need to.
@juanandmsft PG have acknowledged the issue and have suggested the following workaround: https://github.com/microsoft/industry/issues/380
Describe the bug
The ALZ policy initiative definition at [modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_private_dns_zones.tmpl.json] leverages the built-in policy "Configure Cognitive Services accounts to use private DNS zones" (c4bc6f10-cb41-49eb-b000-d5ab82e2a091), which registers it in "privatelink.cognitiveservices.azure.com". However, when creating an Azure OpenAI resource it should go under zone "privatelink.openai.azure.com".
The policy itself only has one zone parameter, so it cannot specify both "privatelink.openai.azure.com" and "privatelink.cognitiveservices.azure.com", and the Azure OpenAI resource matches the privateLinkServiceId criteria "Microsoft.CognitiveServices/accounts", as most Azure AI services do.
The Azure OpenAI resource has a "kind" property that flags the "Microsoft.CognitiveServices/accounts" as OpenAI, but the private endpoint resource does not have any similar property usable in policy to distinguish it from private endpoints for regular cognitive services accounts.
Steps to reproduce
Screenshots
Opened a bug for built-in policy definition here.
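The mismatch reported in this issue can be audited by joining each private endpoint to the `kind` of its target account, since the endpoint alone carries nothing that separates OpenAI from other Cognitive Services accounts. The following is an added example, not code from the issue, the ALZ project or the built-in policy; the flattened record shape, the resource names and the function names are assumptions constructed for illustration.

```python
# Added example: audit of private endpoint DNS zone registration by account kind.
ZONE_BY_KIND = {"OpenAI": "privatelink.openai.azure.com"}
DEFAULT_ZONE = "privatelink.cognitiveservices.azure.com"

# Constructed sample inventory (placeholder subscription and resource names),
# flattened from the ARM shapes of accounts and private endpoints.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
ZONES = f"{SUB}/providers/Microsoft.Network/privateDnsZones"
ACCOUNTS = [
    {"id": f"{SUB}/providers/Microsoft.CognitiveServices/accounts/aoai-demo", "kind": "OpenAI"},
    {"id": f"{SUB}/providers/Microsoft.CognitiveServices/accounts/lang-demo", "kind": "TextAnalytics"},
]
ENDPOINTS = [
    {"name": "pe-aoai", "privateLinkServiceId": ACCOUNTS[0]["id"],
     "privateDnsZoneId": f"{ZONES}/privatelink.cognitiveservices.azure.com"},
    {"name": "pe-lang", "privateLinkServiceId": ACCOUNTS[1]["id"],
     "privateDnsZoneId": f"{ZONES}/privatelink.cognitiveservices.azure.com"},
]

def policy_matches(endpoint):
    """The criterion the issue describes: the target is a Cognitive Services account."""
    return "microsoft.cognitiveservices/accounts" in endpoint["privateLinkServiceId"].lower()

def expected_zone(account):
    """Zone the record should live in, decided by the account's kind."""
    return ZONE_BY_KIND.get(account["kind"], DEFAULT_ZONE)

def find_misregistered(endpoints, accounts):
    """Return (endpoint, kind, actual zone, expected zone) for each mismatch."""
    by_id = {a["id"].lower(): a for a in accounts}
    findings = []
    for pe in endpoints:
        if not policy_matches(pe):
            continue
        account = by_id.get(pe["privateLinkServiceId"].lower())
        if account is None:
            continue  # target account not in the inventory; cannot decide
        actual = pe["privateDnsZoneId"].rsplit("/", 1)[-1].lower()
        want = expected_zone(account)
        if actual != want:
            findings.append((pe["name"], account["kind"], actual, want))
    return findings

if __name__ == "__main__":
    for name, kind, actual, want in find_misregistered(ENDPOINTS, ACCOUNTS):
        print(f"{name}: kind={kind} registered in {actual}, expected {want}")
```

Both sample endpoints satisfy `policy_matches`, which is why a single zone parameter cannot place them correctly; only the join on `kind` tells them apart.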