Azure / data-management-zone

Template to deploy the Data Management Zone of Cloud Scale Analytics (formerly Enterprise-Scale Analytics). The Data Management Zone provides data governance and management capabilities for the data platform of an organization.
MIT License
169 stars, 87 forks

Documentation: Missing guidance when deploying with an existing Firewall. #279

Open MiguelElGallo opened 2 years ago

MiguelElGallo commented 2 years ago

Documentation Issue

Hello, some guidance, especially parameters (for example DNS), is missing for the following case, which is common:

The data team needs to deploy a smaller version of the Data Management Zone (Purview and DNS?, etc.). No guidance exists; we have been trying for 3 days with no success yet, mainly DNS issues we guess.

We think this is common scenario if you are following: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/

Can you please explain a bit about this case?

Thanks!


marvinbuss commented 2 years ago

Hi @MiguelElGallo, Sorry for the late response. I guess you are not a MSFT employee. Can you ping me on LinkedIn, so that I can better understand your challenges? https://www.linkedin.com/in/marvinbuss/

It seems like you are asking us to provide the option to deploy DNS & Firewall, only DNS or none of the two. This would most likely solve your problems?

imcloud-unni commented 1 year ago

Hi @MiguelElGallo

I have the same concern. Currently the Data Management Landing Zone documentation describes how to deploy the resources in the Data Management Landing Zone subscription only, with a service principal account created under this subscription.

How about a case (mine as well):

  1. There exists a subscription under an AD tenant where we have created the Hub and Connectivity Zone that has the Firewall, VPN gateway, DNS private resolver, etc.
  2. We have another subscription under the same AD tenant, where we are going to create the Data Management Landing Zone. During the deployment, the service principal might need to access the "Hub and Connectivity Zone" because we have the existing Firewall, DNS private resolver, etc.
  3. But in the documentation, the service principal guide is aligned in such a way that all items are created in the Data Management Landing Zone?

How can we deploy the Data Management Landing Zone while utilizing an existing Firewall, DNS resolver endpoints and other resources that are in another subscription, but under the same AD tenant?

marvinbuss commented 1 year ago

Sorry for the late response @imcloud-unni, There is a property to disable the Firewall and DNS deployment which you can find here: https://github.com/Azure/data-management-zone/blob/ffdae90a6c8ad26165cc77c1cf5586f0332a1aaa/infra/params.dev.json#L29-L31

If you want to deploy into an existing Azure Virtual Network provided by the platform team, you have to make some modifications to the network.bicep. Should not be too difficult to make these changes. If you need help with them, then feel free to ping me.
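The scenario in this thread (reuse the hub firewall and DNS, disable the zone's own Firewall/DNS deployment, peer into an existing hub) is easy to get wrong at the parameter level before any Bicep is touched. The following script is an added example written for this page, not code from the Azure/data-management-zone repository: it builds the parameter overrides for that scenario and checks them for the mistakes that usually surface as the "DNS issues" described above. The parameter names (`enableDnsAndFirewallDeployment`, `firewallPrivateIp`, `dnsServerAdresses`, `vnetAddressPrefix`, `servicesSubnetAddressPrefix`) are assumed to match infra/params.dev.json at the commit linked in the previous comment; verify them against the version you deploy. All address ranges are constructed sample values.

```python
"""Build and sanity-check Data Management Zone parameter overrides for the
"existing hub firewall and DNS" scenario. Added example, not project code."""
import ipaddress
import json

# ASSUMPTION: parameter names as in infra/params.dev.json of the linked
# commit; check them against the main.bicep you actually deploy.
PARAM_ENABLE_DNS_FW = "enableDnsAndFirewallDeployment"
PARAM_FW_IP = "firewallPrivateIp"
PARAM_DNS_IPS = "dnsServerAdresses"
PARAM_VNET = "vnetAddressPrefix"
PARAM_SERVICES_SUBNET = "servicesSubnetAddressPrefix"

# Constructed sample hub (connectivity subscription) values.
HUB_VNET_PREFIX = "10.0.0.0/16"
HUB_FIREWALL_IP = "10.0.0.4"
HUB_DNS_RESOLVER_IPS = ["10.0.1.4"]


def build_overrides(hub_firewall_ip, hub_dns_ips, dmz_vnet_prefix, services_subnet_prefix):
    """Overrides that switch off the zone's own Firewall/DNS and point it at the hub."""
    return {
        PARAM_ENABLE_DNS_FW: {"value": False},
        PARAM_FW_IP: {"value": hub_firewall_ip},
        PARAM_DNS_IPS: {"value": list(hub_dns_ips)},
        PARAM_VNET: {"value": dmz_vnet_prefix},
        PARAM_SERVICES_SUBNET: {"value": services_subnet_prefix},
    }


def check_overrides(params, hub_vnet_prefix):
    """Return a list of problems; an empty list means the overrides are consistent.

    Checks: the zone still tries to deploy its own Firewall/DNS; the zone VNet
    overlaps the hub VNet (peering is refused); the services subnet is not
    inside the zone VNet; the hub firewall or DNS IPs are outside the hub VNet.
    """
    problems = []
    hub = ipaddress.ip_network(hub_vnet_prefix, strict=True)
    dmz = ipaddress.ip_network(params[PARAM_VNET]["value"], strict=True)
    services = ipaddress.ip_network(params[PARAM_SERVICES_SUBNET]["value"], strict=True)

    if params[PARAM_ENABLE_DNS_FW]["value"]:
        problems.append(f"{PARAM_ENABLE_DNS_FW} must be false when reusing the hub firewall and DNS")
    if hub.overlaps(dmz):
        problems.append(f"zone VNet {dmz} overlaps hub VNet {hub}; VNet peering will fail")
    if not services.subnet_of(dmz):
        problems.append(f"services subnet {services} is not inside zone VNet {dmz}")

    fw_ip = ipaddress.ip_address(params[PARAM_FW_IP]["value"])
    if fw_ip not in hub:
        problems.append(f"{PARAM_FW_IP} {fw_ip} is not inside hub VNet {hub}")
    for raw in params[PARAM_DNS_IPS]["value"]:
        dns_ip = ipaddress.ip_address(raw)
        if dns_ip not in hub:
            problems.append(f"DNS server {dns_ip} is not inside hub VNet {hub}")
    return problems


def merge_overrides(base_params_json, overrides):
    """Apply overrides to an ARM-style parameter file (string in, string out)."""
    doc = json.loads(base_params_json)
    doc.setdefault("parameters", {}).update(overrides)
    return json.dumps(doc, indent=2)


# Constructed minimal base parameter file standing in for params.dev.json.
BASE_PARAMS = json.dumps({
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "environment": {"value": "dev"},
        "prefix": {"value": "dmz"},
        PARAM_ENABLE_DNS_FW: {"value": True},
        PARAM_VNET: {"value": "10.1.0.0/16"},
        PARAM_SERVICES_SUBNET: {"value": "10.1.1.0/24"},
    },
})


if __name__ == "__main__":
    overrides = build_overrides(HUB_FIREWALL_IP, HUB_DNS_RESOLVER_IPS, "10.1.0.0/16", "10.1.1.0/24")
    for problem in check_overrides(overrides, HUB_VNET_PREFIX):
        print("PROBLEM:", problem)
    print(merge_overrides(BASE_PARAMS, overrides))
```

Pass the merged file to the deployment as usual; the offline check cannot tell you whether the deploying service principal is allowed to create the peering on the hub side, which still needs write rights on the hub VNet (Network Contributor, or the peering actions) in the connectivity subscription.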