New policy: Configure private DNS Zones for an Azure Data Explorer cluster groupID #494
+353
−0
Configure private DNS Zones for an Azure Data Explorer cluster groupID
This is one of those special private endpoints that require a registration in multiple private DNS zones just for one PE (4 in this case), similar to Configure Azure Monitor Private Link Scope to use private DNS zones (that one has 5).
There exists just one subresource for Microsoft.Kusto/Clusters, but I implemented a policyRule on the combination of privateLinkServiceId and groupIds, so if another subresource is implemented for Kusto, this policy won't collide. I copied the wording and style from configure-a-private-dns-zone-id-for-cognitive-services-account-groupid.
I ran it through Confirm-PolicyDefinitionIsValid.ps1 without issues and formatted it via Out-FormattedPolicyDefinition.ps1. If you want to verify this policy yourself in your own environment, you can take the Private Endpoint as Bicep, as specified at erwinkramer/kusto-event-hub-law, or just deploy that whole solution. Or you can use the azure-quickstart-template and only implement the PE.
After PR merge
Should be a built-in one at https://github.com/Azure/azure-policy , because the generic Configure a private DNS Zone ID for file groupID isn't suitable for multiple zone registrations for one PE. Let me know if you want me to post an 'idea' to Azure feedback, as suggested in the readme here, after completion.
Include in the Enterprise Scale Deploy-Private-DNS-Zones set definition; that definition already has an azureDataExplorerPrivateDnsZoneId value added for dnsZoneNames, but no policy is using that value yet. Could be the one in this PR. I can suggest a PR for that repo after the policy is promoted to built-in. Let me know if you like that.