Enhance DNS with Additional Azure Policy Assignments

[AErmie]

We have Azure Private DNS Resolver deployed to support Private Endpoint resolution within a VNet. If an end-user were to create a resource with a Private Endpoint, the corresponding DNS A-record is not created automatically.

Following the guidance in the Private Link and DNS integration at scale documentation, we should assign the Configure Azure PaaS services to use private DNS zones policy initiative so that DNS records are automatically created.

[!NOTE] We need to remember to assign the Private DNS Zone Contributor role role in the subscription and resource group where the private DNS zones are hosted to the managed identity created by the DeployIfNotExists policy assignment that will be responsible to create and manage the private endpoint DNS record in the private DNS zone.

Additionally, we should deploy and assign the Deny PrivateLinks Private DNS Zones creation policy, to prevent end-users from creating their own "privatelink.*" private DNS zones, and use the centralized one (that is linked with the Private DNS Resolver) instead.

Acceptance Criteria

Generated by Zenhub AI

• [ ] Scenario: Enhance DNS with Additional Azure Policy Assignments
  • Given an existing Azure Private DNS Resolver deployment
  • When the following policies are assigned:
  • Configure Azure PaaS services to use private DNS zones
  • Deny PrivateLinks Private DNS Zones creation
  • Then end-users should not be able to create their own "privatelink.*" private DNS zones, and DNS records for Private Endpoints should automatically be created in the centralized zone.

[AErmie]

The following Azure Policies should be deployed (aka made available for use), and assigned (aka applied) at a Management Group level:

• Public network access should be disabled for PaaS services
• Configure Azure PaaS services to use private DNS zones

UPDATE

After discussion with the team, we decided to only apply/assign the Configure Azure PaaS services to use private DNS zones policy. We will not currently restrict the deployment of PaaS resources to private-only.

[AErmie]

The Configure Azure PaaS services to use private DNS zones policy has been deployed and assigned at the root Management Group level.

It has been successfully tested by creating a Private Endpoint for an Azure resource, and confirming that a new A-record is automatically created in the Private DNS Zone. The approximate duration for this automation to discover/trigger/complete is ~10 minutes.

[AErmie]

The Deny the creation of private DNS policy has been deployed and assigned at the root Landing Zone Management Group level.

It has been successfully tested by attempting to create a local Private DNS Zone. When we tested this policy, the portal UI did not block/prevent the option for creating a local private DNS zone, even during evaluation before executing deployment. However, after triggering the deployment, when the operation attempted to create the DNS zone, that component failed.

I would have rather linked the portal to immediately invalidate the deployment before being able to click "deploy", but at least we know the policy works!