diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 4d23cdb72c..c342cf7130 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -59,7 +59,7 @@ jobs:
# Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
# format to the repository Actions tab.
- name: "Upload artifact"
- uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: SARIF file
path: results.sarif
@@ -68,6 +68,6 @@ jobs:
# Upload the results to GitHub's code scanning dashboard (optional).
# Commenting out will disable upload of results to your repo's Code Scanning dashboard
- name: "Upload to code-scanning"
- uses: github/codeql-action/upload-sarif@6bb031afdd8eb862ea3fc1848194185e076637e5 # v3.28.11
+ uses: github/codeql-action/upload-sarif@5f8171a638ada777af81d42b55959a643bb29017 # v3.28.12
with:
sarif_file: results.sarif
diff --git a/docs/wiki/Whats-new.md b/docs/wiki/Whats-new.md
index 4bb8e31477..ebf5c9061e 100644
--- a/docs/wiki/Whats-new.md
+++ b/docs/wiki/Whats-new.md
@@ -59,6 +59,7 @@ Here's what's changed in Enterprise Scale/Azure Landing Zones:
#### Tooling
- Updated the ***Baseline alerts and monitoring*** integration section in the portal accelerator to deploy the latest release of AMBA (2025-03-03). To read more on the changes, see the [What's new](https://aka.ms/amba/alz/whatsnew) page in the AMBA documentation.
+- Added the ability to deploy a NAT Gateway into the Corp and Online subscriptions to provide [secure and scalable outbound internet access](https://learn.microsoft.com/azure/virtual-network/ip-services/default-outbound-access) for workloads.
- The portal accelerator now deploys all SKUs of Azure Firewall with the [management NIC](https://learn.microsoft.com/azure/firewall/management-nic) to route its management traffic via the AzureFirewallManagementSubnet.
### February 2025
diff --git a/docs/wiki/media/ALZ Policy Assignments v2.xlsx b/docs/wiki/media/ALZ Policy Assignments v2.xlsx
index 977f4aba41..d42d6faf18 100644
Binary files a/docs/wiki/media/ALZ Policy Assignments v2.xlsx and b/docs/wiki/media/ALZ Policy Assignments v2.xlsx differ
diff --git a/eslzArm/eslz-portal.json b/eslzArm/eslz-portal.json
index 24e83eb89f..169fd3a37d 100644
--- a/eslzArm/eslz-portal.json
+++ b/eslzArm/eslz-portal.json
@@ -5154,6 +5154,25 @@
},
"visible": "[or(equals(steps('connectivity').enableHub, 'nva'), equals(steps('connectivity').enableHub, 'vhub'))]"
},
+ {
+ "name": "corpNatGateway",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Deploy NAT Gateway into corp landing zones (optional)?",
+ "defaultValue": "Yes",
+ "toolTip": "If 'Yes' is selected for corp landing zones, ARM will deploy a NAT gateway into the Corp subscriptions to provide secure outbound internet access to the workloads in this subscription.Default outbound access in Azure.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ }
+ },
{
"name": "esCorpLzSub",
"type": "Microsoft.Common.DropDown",
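Review bot: The toolTip at L48 runs "in this subscription.Default outbound access in Azure." together with no space, and the trailing fragment reads like a link label whose markup was lost; the same text appears in the onlineNatGateway control at L74. Either restore the link or drop the fragment, e.g. `"toolTip": "If 'Yes' is selected, ARM will deploy a NAT gateway into each Corp subscription to provide secure outbound internet access for the workloads in that subscription instead of relying on default outbound access."`. Since the control defaults to "Yes" for corp (connected) landing zones, it would also help operators if the tooltip stated how this egress path is meant to relate to hub egress controls such as Azure Firewall or an NVA, so a second, unfiltered egress path is not created unintentionally — that intent is not visible in this hunk.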
@@ -5340,6 +5359,25 @@
}
}
},
+ {
+ "name": "onlineNatGateway",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Deploy NAT Gateway into online landing zones (optional)?",
+ "defaultValue": "Yes",
+ "toolTip": "If 'Yes' is selected for online landing zones, ARM will deploy a NAT gateway into the online subscriptions to provide secure outbound internet access to the workloads in this subscription.Default outbound access in Azure.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ }
+ },
{
"name": "esOnlineLzSub",
"type": "Microsoft.Common.DropDown",
@@ -5392,7 +5430,7 @@
"type": "Microsoft.Common.InfoBox",
"visible": true,
"options": {
- "text": "Please carefully review each of the initiatives and the controls they enforce to ensure they align with your organization's compliance requirements. You can hover over the workload name to show the tooltip, which includes a link to the initiative definition.",
+ "text": "Please carefully review each of the initiatives and the controls they enforce to ensure they align with your organization's compliance requirements. You can hover over the workload name to show the tooltip, which includes a link to the initiative definition.
Enforce = The policy is active and will block non-compliant actions
Audit only = The policy logs non-compliant actions but does not block them
Disabled = The policy is inactive and does not track or enforce compliance",
"uri": "https://aka.ms/alz/policies",
"style": "Info"
}
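Review bot: The InfoBox text at L96–L99 now contains raw line breaks inside a JSON string literal, which strict JSON does not allow (unescaped control characters in strings); the portal's lenient parser may accept it, but any validation or formatting tooling run on this file will reject the document. Keep the value on one line and use `\n` escapes, e.g. `"text": "... link to the initiative definition.\nEnforce = The policy is active and will block non-compliant actions\nAudit only = ...\nDisabled = ..."`.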
@@ -5406,13 +5444,13 @@
"name": "enableWsCMKInitiatives",
"type": "Microsoft.Common.OptionsGroup",
"label": "Customer Managed Keys",
- "defaultValue": "No",
+ "defaultValue": "Audit only",
"visible": true,
- "toolTip": "If 'Yes' is selected you will have the option to selected management groups to apply Customer Managed Keys initiative to. This applies to all services that support CMK if enabled. Check initiative here.",
+ "toolTip": "If 'Enforce' or 'Audit only' is selected you will have the option to select management groups to apply the Customer Managed Keys initiative to. Check initiative here.",
"constraints": {
"allowedValues": [
{
- "label": "Yes",
+ "label": "Enforce",
"value": "Yes"
},
{
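Review bot: `"defaultValue": "Audit only"` at L108 must match an option's label, not its value, and the label for the `"Audit"` option is outside this hunk (L120–L128 shows only the value); confirm it is spelled exactly `Audit only`, otherwise the control renders with no selection. The same applies to every enableWs*Initiatives hunk that follows through L804. This also flips roughly two dozen initiative assignments from "not assigned" to "assigned in audit mode" by default, a posture change that the Whats-new.md hunk (L26–L31) does not mention; a one-line entry alongside the NAT gateway note would keep the release notes accurate.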
@@ -5420,7 +5458,7 @@
"value": "Audit"
},
{
- "label": "No",
+ "label": "Disabled",
"value": "No"
}
]
@@ -5513,13 +5551,13 @@
"name": "enableWsBotServiceInitiatives",
"type": "Microsoft.Common.OptionsGroup",
"label": "AI Bot Service",
- "defaultValue": "No",
+ "defaultValue": "Audit only",
"visible": true,
- "toolTip": "If 'Yes' is selected you will have the option to selected additional policy initiatives for regulated industries. Check initiative here.",
+ "toolTip": "If 'Enforce' or 'Audit only' is selected you will have the option to select management groups to apply this initiative to. Check initiative here.",
"constraints": {
"allowedValues": [
{
- "label": "Yes",
+ "label": "Enforce",
"value": "Yes"
},
{
@@ -5527,7 +5565,7 @@
"value": "Audit"
},
{
- "label": "No",
+ "label": "Disabled",
"value": "No"
}
]
@@ -5612,13 +5650,13 @@
"name": "enableWsCognitiveServicesInitiatives",
"type": "Microsoft.Common.OptionsGroup",
"label": "AI Search",
- "defaultValue": "No",
+ "defaultValue": "Audit only",
"visible": true,
- "toolTip": "If 'Yes' is selected you will have the option to selected additional policy initiatives for regulated industries. Check initiative here.",
+ "toolTip": "If 'Enforce' or 'Audit only' is selected you will have the option to select management groups to apply this initiative to. Check initiative here.",
"constraints": {
"allowedValues": [
{
- "label": "Yes",
+ "label": "Enforce",
"value": "Yes"
},
{
@@ -5626,7 +5664,7 @@
"value": "Audit"
},
{
- "label": "No",
+ "label": "Disabled",
"value": "No"
}
]
@@ -5711,13 +5749,13 @@
"name": "enableWsMachineLearningInitiatives",
"type": "Microsoft.Common.OptionsGroup",
"label": "Machine Learning",
- "defaultValue": "No",
+ "defaultValue": "Audit only",
"visible": true,
- "toolTip": "If 'Yes' is selected you will have the option to selected additional policy initiatives for regulated industries. Check initiative here.",
+ "toolTip": "If 'Enforce' or 'Audit only' is selected you will have the option to select management groups to apply this initiative to. Check initiative here.",
"constraints": {
"allowedValues": [
{
- "label": "Yes",
+ "label": "Enforce",
"value": "Yes"
},
{
@@ -5725,7 +5763,7 @@
"value": "Audit"
},
{
- "label": "No",
+ "label": "Disabled",
"value": "No"
}
]
@@ -5810,13 +5848,13 @@
"name": "enableWsOpenAIInitiatives",
"type": "Microsoft.Common.OptionsGroup",
"label": "Azure OpenAI",
- "defaultValue": "No",
+ "defaultValue": "Audit only",
"visible": true,
- "toolTip": "If 'Yes' is selected you will have the option to selected additional policy initiatives for regulated industries. Check initiative here.",
+ "toolTip": "If 'Enforce' or 'Audit only' is selected you will have the option to select management groups to apply this initiative to. Check initiative here.",
"constraints": {
"allowedValues": [
{
- "label": "Yes",
+ "label": "Enforce",
"value": "Yes"
},
{
@@ -5824,7 +5862,7 @@
"value": "Audit"
},
{
- "label": "No",
+ "label": "Disabled",
"value": "No"
}
]
@@ -5918,13 +5956,13 @@
"name": "enableWsDataExplorerInitiatives",
"type": "Microsoft.Common.OptionsGroup",
"label": "Data Explorer",
- "defaultValue": "No",
+ "defaultValue": "Audit only",
"visible": true,
- "toolTip": "If 'Yes' is selected you will have the option to selected additional policy initiatives for regulated industries. Check initiative here.",
+ "toolTip": "If 'Enforce' or 'Audit only' is selected you will have the option to select management groups to apply this initiative to. Check initiative here.",
"constraints": {
"allowedValues": [
{
- "label": "Yes",
+ "label": "Enforce",
"value": "Yes"
},
{
@@ -5932,7 +5970,7 @@
"value": "Audit"
},
{
- "label": "No",
+ "label": "Disabled",
"value": "No"
}
]
@@ -6017,13 +6055,13 @@
"name": "enableWsDataFactoryInitiatives",
"type": "Microsoft.Common.OptionsGroup",
"label": "Data Factory",
- "defaultValue": "No",
+ "defaultValue": "Audit only",
"visible": true,
- "toolTip": "If 'Yes' is selected you will have the option to selected additional policy initiatives for regulated industries. Check initiative here.",
+ "toolTip": "If 'Enforce' or 'Audit only' is selected you will have the option to select management groups to apply this initiative to. Check initiative here.",
"constraints": {
"allowedValues": [
{
- "label": "Yes",
+ "label": "Enforce",
"value": "Yes"
},
{
@@ -6031,7 +6069,7 @@
"value": "Audit"
},
{
- "label": "No",
+ "label": "Disabled",
"value": "No"
}
]
@@ -6116,13 +6154,13 @@
"name": "enableWsSynapseInitiatives",
"type": "Microsoft.Common.OptionsGroup",
"label": "Synapse",
- "defaultValue": "No",
+ "defaultValue": "Audit only",
"visible": true,
- "toolTip": "If 'Yes' is selected you will have the option to selected additional policy initiatives for regulated industries. Check initiative here.",
+ "toolTip": "If 'Enforce' or 'Audit only' is selected you will have the option to select management groups to apply this initiative to. Check initiative here.",
"constraints": {
"allowedValues": [
{
- "label": "Yes",
+ "label": "Enforce",
"value": "Yes"
},
{
@@ -6130,7 +6168,7 @@
"value": "Audit"
},
{
- "label": "No",
+ "label": "Disabled",
"value": "No"
}
]
@@ -6221,13 +6259,13 @@
"name": "enableWsComputeInitiatives",
"type": "Microsoft.Common.OptionsGroup",
"label": "Compute",
- "defaultValue": "No",
+ "defaultValue": "Audit only",
"visible": true,
- "toolTip": "If 'Yes' is selected you will have the option to selected additional policy initiatives for regulated industries. Check initiative here.",
+ "toolTip": "If 'Enforce' or 'Audit only' is selected you will have the option to select management groups to apply this initiative to. Check initiative here.",
"constraints": {
"allowedValues": [
{
- "label": "Yes",
+ "label": "Enforce",
"value": "Yes"
},
{
@@ -6235,7 +6273,7 @@
"value": "Audit"
},
{
- "label": "No",
+ "label": "Disabled",
"value": "No"
}
]
@@ -6320,13 +6358,13 @@
"name": "enableWsVirtualDesktopInitiatives",
"type": "Microsoft.Common.OptionsGroup",
"label": "Virtual Desktop",
- "defaultValue": "No",
+ "defaultValue": "Audit only",
"visible": true,
- "toolTip": "If 'Yes' is selected you will have the option to selected additional policy initiatives for regulated industries. Check initiative here.",
+ "toolTip": "If 'Enforce' or 'Audit only' is selected you will have the option to select management groups to apply this initiative to. Check initiative here.",
"constraints": {
"allowedValues": [
{
- "label": "Yes",
+ "label": "Enforce",
"value": "Yes"
},
{
@@ -6334,7 +6372,7 @@
"value": "Audit"
},
{
- "label": "No",
+ "label": "Disabled",
"value": "No"
}
]
@@ -6425,13 +6463,13 @@
"name": "enableWsContainerAppsInitiatives",
"type": "Microsoft.Common.OptionsGroup",
"label": "Container Apps",
- "defaultValue": "No",
+ "defaultValue": "Audit only",
"visible": true,
- "toolTip": "If 'Yes' is selected you will have the option to selected additional policy initiatives for regulated industries. Check initiative here.",
+ "toolTip": "If 'Enforce' or 'Audit only' is selected you will have the option to select management groups to apply this initiative to. Check initiative here.",
"constraints": {
"allowedValues": [
{
- "label": "Yes",
+ "label": "Enforce",
"value": "Yes"
},
{
@@ -6439,7 +6477,7 @@
"value": "Audit"
},
{
- "label": "No",
+ "label": "Disabled",
"value": "No"
}
]
@@ -6524,13 +6562,13 @@
"name": "enableWsContainerInstanceInitiatives",
"type": "Microsoft.Common.OptionsGroup",
"label": "Container Instance",
- "defaultValue": "No",
+ "defaultValue": "Audit only",
"visible": true,
- "toolTip": "If 'Yes' is selected you will have the option to selected additional policy initiatives for regulated industries. Check initiative here.",
+ "toolTip": "If 'Enforce' or 'Audit only' is selected you will have the option to select management groups to apply this initiative to. Check initiative here.",
"constraints": {
"allowedValues": [
{
- "label": "Yes",
+ "label": "Enforce",
"value": "Yes"
},
{
@@ -6538,7 +6576,7 @@
"value": "Audit"
},
{
- "label": "No",
+ "label": "Disabled",
"value": "No"
}
]
@@ -6623,13 +6661,13 @@
"name": "enableWsContainerRegistryInitiatives",
"type": "Microsoft.Common.OptionsGroup",
"label": "Container Registry",
- "defaultValue": "No",
+ "defaultValue": "Audit only",
"visible": true,
- "toolTip": "If 'Yes' is selected you will have the option to selected additional policy initiatives for regulated industries. Check initiative here.",
+ "toolTip": "If 'Enforce' or 'Audit only' is selected you will have the option to select management groups to apply this initiative to. Check initiative here.",
"constraints": {
"allowedValues": [
{
- "label": "Yes",
+ "label": "Enforce",
"value": "Yes"
},
{
@@ -6637,7 +6675,7 @@
"value": "Audit"
},
{
- "label": "No",
+ "label": "Disabled",
"value": "No"
}
]
@@ -6722,13 +6760,13 @@
"name": "enableWsKubernetesInitiatives",
"type": "Microsoft.Common.OptionsGroup",
"label": "Kubernetes",
- "defaultValue": "No",
+ "defaultValue": "Audit only",
"visible": true,
- "toolTip": "If 'Yes' is selected you will have the option to selected additional policy initiatives for regulated industries. Check initiative here.",
+ "toolTip": "If 'Enforce' or 'Audit only' is selected you will have the option to select management groups to apply this initiative to. Check initiative here.",
"constraints": {
"allowedValues": [
{
- "label": "Yes",
+ "label": "Enforce",
"value": "Yes"
},
{
@@ -6736,7 +6774,7 @@
"value": "Audit"
},
{
- "label": "No",
+ "label": "Disabled",
"value": "No"
}
]
@@ -6827,13 +6865,13 @@
"name": "enableWsCosmosDbInitiatives",
"type": "Microsoft.Common.OptionsGroup",
"label": "Cosmos DB",
- "defaultValue": "No",
+ "defaultValue": "Audit only",
"visible": true,
- "toolTip": "If 'Yes' is selected you will have the option to selected additional policy initiatives for regulated industries. Check initiative here.",
+ "toolTip": "If 'Enforce' or 'Audit only' is selected you will have the option to select management groups to apply this initiative to. Check initiative here.",
"constraints": {
"allowedValues": [
{
- "label": "Yes",
+ "label": "Enforce",
"value": "Yes"
},
{
@@ -6841,7 +6879,7 @@
"value": "Audit"
},
{
- "label": "No",
+ "label": "Disabled",
"value": "No"
}
]
@@ -6926,13 +6964,13 @@
"name": "enableWsMySQLInitiatives",
"type": "Microsoft.Common.OptionsGroup",
"label": "MySQL",
- "defaultValue": "No",
+ "defaultValue": "Audit only",
"visible": true,
- "toolTip": "If 'Yes' is selected you will have the option to selected additional policy initiatives for regulated industries. Check initiative here.",
+ "toolTip": "If 'Enforce' or 'Audit only' is selected you will have the option to select management groups to apply this initiative to. Check initiative here.",
"constraints": {
"allowedValues": [
{
- "label": "Yes",
+ "label": "Enforce",
"value": "Yes"
},
{
@@ -6940,7 +6978,7 @@
"value": "Audit"
},
{
- "label": "No",
+ "label": "Disabled",
"value": "No"
}
]
@@ -7025,13 +7063,13 @@
"name": "enableWsPostgreSQLInitiatives",
"type": "Microsoft.Common.OptionsGroup",
"label": "PostgreSQL",
- "defaultValue": "No",
+ "defaultValue": "Audit only",
"visible": true,
- "toolTip": "If 'Yes' is selected you will have the option to selected additional policy initiatives for regulated industries. Check initiative here.",
+ "toolTip": "If 'Enforce' or 'Audit only' is selected you will have the option to select management groups to apply this initiative to. Check initiative here.",
"constraints": {
"allowedValues": [
{
- "label": "Yes",
+ "label": "Enforce",
"value": "Yes"
},
{
@@ -7039,7 +7077,7 @@
"value": "Audit"
},
{
- "label": "No",
+ "label": "Disabled",
"value": "No"
}
]
@@ -7124,13 +7162,13 @@
"name": "enableWsSQLInitiatives",
"type": "Microsoft.Common.OptionsGroup",
"label": "SQL",
- "defaultValue": "No",
+ "defaultValue": "Audit only",
"visible": true,
- "toolTip": "If 'Yes' is selected you will have the option to selected additional policy initiatives for regulated industries. Check initiative here.",
+ "toolTip": "If 'Enforce' or 'Audit only' is selected you will have the option to select management groups to apply this initiative to. Check initiative here.",
"constraints": {
"allowedValues": [
{
- "label": "Yes",
+ "label": "Enforce",
"value": "Yes"
},
{
@@ -7138,7 +7176,7 @@
"value": "Audit"
},
{
- "label": "No",
+ "label": "Disabled",
"value": "No"
}
]
@@ -7229,13 +7267,13 @@
"name": "enableWsEventGridInitiatives",
"type": "Microsoft.Common.OptionsGroup",
"label": "Event Grid",
- "defaultValue": "No",
+ "defaultValue": "Audit only",
"visible": true,
- "toolTip": "If 'Yes' is selected you will have the option to selected additional policy initiatives for regulated industries. Check initiative here.",
+ "toolTip": "If 'Enforce' or 'Audit only' is selected you will have the option to select management groups to apply this initiative to. Check initiative here.",
"constraints": {
"allowedValues": [
{
- "label": "Yes",
+ "label": "Enforce",
"value": "Yes"
},
{
@@ -7243,7 +7281,7 @@
"value": "Audit"
},
{
- "label": "No",
+ "label": "Disabled",
"value": "No"
}
]
@@ -7328,13 +7366,13 @@
"name": "enableWsEventHubInitiatives",
"type": "Microsoft.Common.OptionsGroup",
"label": "Event Hub",
- "defaultValue": "No",
+ "defaultValue": "Audit only",
"visible": true,
- "toolTip": "If 'Yes' is selected you will have the option to selected additional policy initiatives for regulated industries. Check initiative here.",
+ "toolTip": "If 'Enforce' or 'Audit only' is selected you will have the option to select management groups to apply this initiative to. Check initiative here.",
"constraints": {
"allowedValues": [
{
- "label": "Yes",
+ "label": "Enforce",
"value": "Yes"
},
{
@@ -7342,7 +7380,7 @@
"value": "Audit"
},
{
- "label": "No",
+ "label": "Disabled",
"value": "No"
}
]
@@ -7427,13 +7465,13 @@
"name": "enableWsServiceBusInitiatives",
"type": "Microsoft.Common.OptionsGroup",
"label": "Service Bus",
- "defaultValue": "No",
+ "defaultValue": "Audit only",
"visible": true,
- "toolTip": "If 'Yes' is selected you will have the option to selected additional policy initiatives for regulated industries. Check initiative here.",
+ "toolTip": "If 'Enforce' or 'Audit only' is selected you will have the option to select management groups to apply this initiative to. Check initiative here.",
"constraints": {
"allowedValues": [
{
- "label": "Yes",
+ "label": "Enforce",
"value": "Yes"
},
{
@@ -7441,7 +7479,7 @@
"value": "Audit"
},
{
- "label": "No",
+ "label": "Disabled",
"value": "No"
}
]
@@ -7532,13 +7570,13 @@
"name": "enableWsAutomationInitiatives",
"type": "Microsoft.Common.OptionsGroup",
"label": "Automation Accounts",
- "defaultValue": "No",
+ "defaultValue": "Audit only",
"visible": true,
- "toolTip": "If 'Yes' is selected you will have the option to selected additional policy initiatives for regulated industries. Check initiative here.",
+ "toolTip": "If 'Enforce' or 'Audit only' is selected you will have the option to select management groups to apply this initiative to. Check initiative here.",
"constraints": {
"allowedValues": [
{
- "label": "Yes",
+ "label": "Enforce",
"value": "Yes"
},
{
@@ -7546,7 +7584,7 @@
"value": "Audit"
},
{
- "label": "No",
+ "label": "Disabled",
"value": "No"
}
]
@@ -7638,13 +7676,13 @@
"name": "enableWsNetworkInitiatives",
"type": "Microsoft.Common.OptionsGroup",
"label": "Network and Networking services",
- "defaultValue": "No",
+ "defaultValue": "Audit only",
"visible": "[equals(steps('connectivity').enableDdoS, 'Yes')]",
- "toolTip": "If 'Yes' is selected you will have the option to selected additional policy initiatives for regulated industries. Check initiative here.",
+ "toolTip": "If 'Enforce' or 'Audit only' is selected you will have the option to select management groups to apply this initiative to. Check initiative here.",
"constraints": {
"allowedValues": [
{
- "label": "Yes",
+ "label": "Enforce",
"value": "Yes"
},
{
@@ -7652,7 +7690,7 @@
"value": "Audit"
},
{
- "label": "No",
+ "label": "Disabled",
"value": "No"
}
]
@@ -7743,13 +7781,13 @@
"name": "enableWsKeyVaultSupInitiatives",
"type": "Microsoft.Common.OptionsGroup",
"label": "Key Vault - Supplementary",
- "defaultValue": "No",
+ "defaultValue": "Audit only",
"visible": true,
- "toolTip": "If 'Yes' is selected you will have the option to selected additional policy initiatives for regulated industries. Check initiative here.",
+ "toolTip": "If 'Enforce' or 'Audit only' is selected you will have the option to select management groups to apply this initiative to. Check initiative here.",
"constraints": {
"allowedValues": [
{
- "label": "Yes",
+ "label": "Enforce",
"value": "Yes"
},
{
@@ -7757,7 +7795,7 @@
"value": "Audit"
},
{
- "label": "No",
+ "label": "Disabled",
"value": "No"
}
]
@@ -7848,13 +7886,13 @@
"name": "enableWsStorageInitiatives",
"type": "Microsoft.Common.OptionsGroup",
"label": "Storage",
- "defaultValue": "No",
+ "defaultValue": "Audit only",
"visible": true,
- "toolTip": "If 'Yes' is selected you will have the option to selected additional policy initiatives for regulated industries. Check initiative here.",
+ "toolTip": "If 'Enforce' or 'Audit only' is selected you will have the option to select management groups to apply this initiative to. Check initiative here.",
"constraints": {
"allowedValues": [
{
- "label": "Yes",
+ "label": "Enforce",
"value": "Yes"
},
{
@@ -7862,7 +7900,7 @@
"value": "Audit"
},
{
- "label": "No",
+ "label": "Disabled",
"value": "No"
}
]
@@ -7953,13 +7991,13 @@
"name": "enableWsAPIMInitiatives",
"type": "Microsoft.Common.OptionsGroup",
"label": "API Management",
- "defaultValue": "No",
+ "defaultValue": "Audit only",
"visible": true,
- "toolTip": "If 'Yes' is selected you will have the option to selected additional policy initiatives for API Management. Check initiative here.",
+ "toolTip": "If 'Enforce' or 'Audit only' is selected you will have the option to select management groups to apply this initiative to. Check initiative here.",
"constraints": {
"allowedValues": [
{
- "label": "Yes",
+ "label": "Enforce",
"value": "Yes"
},
{
@@ -7967,7 +8005,7 @@
"value": "Audit"
},
{
- "label": "No",
+ "label": "Disabled",
"value": "No"
}
]
@@ -8052,13 +8090,13 @@
"name": "enableWsAppServicesInitiatives",
"type": "Microsoft.Common.OptionsGroup",
"label": "App Services",
- "defaultValue": "No",
+ "defaultValue": "Audit only",
"visible": true,
- "toolTip": "If 'Yes' is selected you will have the option to selected additional policy initiatives for regulated industries. Check initiative here.",
+ "toolTip": "If 'Enforce' or 'Audit only' is selected you will have the option to select management groups to apply this initiative to. Check initiative here.",
"constraints": {
"allowedValues": [
{
- "label": "Yes",
+ "label": "Enforce",
"value": "Yes"
},
{
@@ -8066,7 +8104,7 @@
"value": "Audit"
},
{
- "label": "No",
+ "label": "Disabled",
"value": "No"
}
]
@@ -9873,9 +9911,11 @@
"enableVmBackupForIdentity": "[steps('identity').enableVmBackupForIdentity]",
"identityAddressPrefix": "[steps('identity').identityAddressPrefix]",
"identityAddressPrefixSecondary": "[steps('identity').esIdentitySecondarySubSection.identityAddressPrefixSecondary]",
+ "corpDeployNATGateway": "[if(or(not(contains(steps('landingZones').corpSection.esCorpLzSub,steps('management').esMgmtSubSection.esMgmtSub)),not(contains(steps('landingZones').corpSection.esCorpLzSub,steps('connectivity').esNwSubSection.esNwSub))),steps('landingZones').corpSection.corpNatGateway,'')]",
"corpConnectedLzSubscriptionId": "[if(or(not(contains(steps('landingZones').corpSection.esCorpLzSub,steps('management').esMgmtSubSection.esMgmtSub)),not(contains(steps('landingZones').corpSection.esCorpLzSub,steps('connectivity').esNwSubSection.esNwSub))),steps('landingZones').corpSection.lzConnectedSubs,'')]",
"corpLzSubscriptionId": "[if(or(not(contains(steps('landingZones').corpSection.esCorpLzSub,steps('management').esMgmtSubSection.esMgmtSub)),not(contains(steps('landingZones').corpSection.esCorpLzSub,steps('connectivity').esNwSubSection.esNwSub))),steps('landingZones').corpSection.esCorpLzSub,'')]",
"onlineLzSubscriptionId": "[if(or(not(contains(steps('landingZones').onlineSection.esOnlineLzSub,steps('management').esMgmtSubSection.esMgmtSub)),not(contains(steps('landingZones').onlineSection.esOnlineLzSub,steps('connectivity').esNwSubSection.esNwSub))),steps('landingZones').onlineSection.esOnlineLzSub,'')]",
+ "onlineDeployNATGateway": "[if(or(not(contains(steps('landingZones').onlineSection.esOnlineLzSub,steps('management').esMgmtSubSection.esMgmtSub)),not(contains(steps('landingZones').onlineSection.esOnlineLzSub,steps('connectivity').esNwSubSection.esNwSub))),steps('landingZones').onlineSection.onlineNatGateway,'')]",
"enableLzDdoS": "[steps('landingZones').lzSection.enableLzDdoS]",
"denyPublicEndpoints": "[steps('landingZones').corpSection.denyPublicEndpoints]",
"denyPipOnNicForCorp": "[steps('landingZones').corpSection.denyPipOnNicForCorp]",
diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json
index 962ec7e7bf..2a494d0923 100644
--- a/eslzArm/eslzArm.json
+++ b/eslzArm/eslzArm.json
@@ -778,6 +778,12 @@
"description": "Provide the subscription ids for existing, empty subscriptions you want to move in as your first corp landing zones and connect to virtual networking hub."
}
},
+ "corpDeployNATGateway": {
+ "type": "string",
+ "metadata": {
+ "description": "An option to deploy a NAT gateway into the Corp subscriptions to provide secure outbound internet access."
+ }
+ },
"corpLzSubscriptionId": {
"type": "array",
"defaultValue": [],
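Review bot: `corpDeployNATGateway` (L825–L830) declares no `defaultValue` and no `allowedValues`, unlike the sibling `enableLzDdoS` (L844–L846), so anyone deploying eslzArm.json outside the portal must now supply the parameter or validation fails, and any value other than `'Yes'` silently disables the feature. Add `"defaultValue": "No",` and `"allowedValues": ["Yes", "No"],` to the parameter; the same applies to `onlineDeployNATGateway` at L838–L843.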
@@ -792,6 +798,12 @@
"description": "Provide the subscription ids for existing, empty subscriptions you want to move in as your first online landing zones."
}
},
+ "onlineDeployNATGateway": {
+ "type": "string",
+ "metadata": {
+ "description": "An option to deploy a NAT gateway into the online subscriptions to provide secure outbound internet access."
+ }
+ },
"enableLzDdoS": {
"type": "string",
"defaultValue": "No",
@@ -1770,6 +1782,7 @@
"sandboxPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/ENFORCE-ALZ-SandboxPolicyAssignment.json')]",
"ddosPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/MODIFY-DDoSPolicyAssignment.json')]",
"corpVnetPeering": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/vnetPeering.json')]",
+ "corpNatGateway": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/corp-nat-gateway.json')]",
"corpVwanPeering": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/vnetPeeringVwan.json')]",
"hubVnetPeering": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/vnetPeeringHub.json')]",
"hubVnetRouting": "[uri(deployment().properties.templateLink.uri, 'resourceGroupTemplates/vnetRouteTable.json')]",
@@ -1830,6 +1843,10 @@
"mgmtGroupDeploymentName": "[take(concat('alz-Mgs', variables('deploymentSuffix')), 64)]",
"mgmtSubscriptionPlacement": "[take(concat('alz-MgmtSub', variables('deploymentSuffix')), 64)]",
"corpPeeringDeploymentName": "[take(concat('alz-CorpPeering', variables('deploymentSuffix')), 60)]",
+ "corpConnectedNatGWDeploymentName": "[take(concat('alz-CorpConnectedNatGw', variables('deploymentSuffix')), 60)]",
+ "corpNatGWDeploymentName": "[take(concat('alz-CorpNatGw', variables('deploymentSuffix')), 60)]",
+ "onlineNatGWDeploymentName": "[take(concat('alz-onlineNatGw', variables('deploymentSuffix')), 60)]",
+ "corpNatGWRgDeploymentName": "[take(concat('alz-CorpNatGwRg', variables('deploymentSuffix')), 60)]",
"hubPeeringDeploymentName": "[take(concat('alz-HubPeering', variables('deploymentSuffix')), 60)]",
"hubPeering2DeploymentName": "[take(concat('alz-HubPeering2', variables('deploymentSuffix')), 60)]",
"connectivitySubscriptionPlacement": "[take(concat('alz-ConnectivitySub', variables('deploymentSuffix')), 64)]",
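Review bot: `'alz-onlineNatGw'` at L861 uses a lowercase service name while the neighbouring entries (`CorpNatGw`, `HubPeering`) capitalise it; `'alz-OnlineNatGw'` would keep deployment-history names consistent. Only one resource-group deployment name is declared here (`corpNatGWRgDeploymentName`, L862), yet the online NAT gateway resource-group deployment at L896 reuses it, so its deployments appear under a "Corp" name in the online subscriptions' history; a separate `"onlineNatGWRgDeploymentName": "[take(concat('alz-OnlineNatGwRg', variables('deploymentSuffix')), 60)]"` would make them traceable, assuming a corp counterpart exists elsewhere in the template.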
@@ -2014,7 +2031,8 @@
"privateDnsRg2": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-privatedns-02')]",
"identityVnetRg": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-vnet-', parameters('connectivityLocation'))]",
"identityVnetRgSecondary": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-vnet-', parameters('connectivityLocationSecondary'))]",
- "lzVnetRg": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-vnet-', parameters('connectivityLocation'))]"
+ "lzVnetRg": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-vnet-', parameters('connectivityLocation'))]",
+ "natGwRg": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-natgw-', parameters('connectivityLocation'))]"
},
// Declaring deterministic names for platform resources that will be created
"platformResourceNames": {
@@ -2037,7 +2055,9 @@
"azFwIpName": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-fwpip-', parameters('connectivityLocation'))]",
"identityVnet": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-vnet-', parameters('connectivityLocation'))]",
"identityVnetSecondary": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-vnet-', parameters('connectivityLocationSecondary'))]",
- "lzVnet": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-vnet-', parameters('connectivityLocation'))]"
+ "lzVnet": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-vnet-', parameters('connectivityLocation'))]",
+ "natGatewayName": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-natgw-', parameters('connectivityLocation'))]",
+ "natGatewayPublicIpName": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-natgwpip-', parameters('connectivityLocationSecondary'))]"
},
// Declaring deterministic resourceId's for platform resources that will be created
"singleVsDedicatedMgmtSub": "[if(empty(parameters('managementSubscriptionId')), parameters('singlePlatformSubscriptionId'), parameters('managementSubscriptionId'))]",
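Review bot: `natGatewayPublicIpName` at L883 is suffixed with `connectivityLocationSecondary`, while `natGatewayName` (L882) and `natGwRg` (L872) use `connectivityLocation`; this looks copied from the `identityVnetSecondary` line above, and if the secondary location parameter is empty the public IP name ends in `-natgwpip-`. Change it to `"natGatewayPublicIpName": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-natgwpip-', parameters('connectivityLocation'))]"` unless the public IP is genuinely meant to be named after the secondary region.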
@@ -7725,6 +7745,80 @@
}
}
},
+ {
+ // Creating resource group for online Nat gateway deployment
+ "condition": "[and(not(empty(parameters('onlineLzSubscriptionId'))), equals(parameters('onlineDeployNATGateway'), 'Yes'))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-06-01",
+ "name": "[concat(variables('deploymentNames').corpNatGWRgDeploymentName, copyIndex())]",
+ "subscriptionId": "[if(not(empty(parameters('onlineLzSubscriptionId'))), parameters('onlineLzSubscriptionId')[copyIndex()], '')]",
+ "location": "[deployment().location]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').platformLiteSubscriptionPlacement)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').asbPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]"
+ ],
+ "copy": {
+ "name": "deployOnlineNatGwRg",
+ "count": "[length(parameters('onlineLzSubscriptionId'))]"
+ },
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').resourceGroup]"
+ },
+ "parameters": {
+ "rgName": {
+ "value": "[variables('platformRgNames').natGwRg]"
+ },
+ "location": {
+ "value": "[parameters('connectivityLocation')]"
+ }
+ }
+ }
+ },
+ {
+ // Deploy a NAT gateway into the Online subscriptions
+ "condition": "[and(not(empty(parameters('onlineLzSubscriptionId'))), equals(parameters('onlineDeployNATGateway'), 'Yes'))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-06-01",
+ "name": "[concat(variables('deploymentNames').onlineNatGWDeploymentName, copyIndex())]",
+ "subscriptionId": "[if(not(empty(parameters('onlineLzSubscriptionId'))), parameters('onlineLzSubscriptionId')[copyIndex()], '')]",
+ "resourceGroup": "[concat(variables('platformRgNames').natGwRg)]",
+ "dependsOn": [
+ "deployOnlineNatGwRg",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]",
+ "corpConnectedMoveLzs"
+ ],
+ "copy": {
+ "name": "deployNatGw",
+ "count": "[length(parameters('onlineLzSubscriptionId'))]"
+ },
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').corpNatGateway]"
+ },
+ "parameters": {
+ "natGatewayName": {
+ "value": "[take(concat(variables('platformResourceNames').natGatewayName, '-', parameters('corpLzSubscriptionId')[copyIndex()]), 64)]"
+ },
+ "natGatewayPublicIpName": {
+ "value": "[take(concat(variables('platformResourceNames').natGatewayPublicIpName, '-', parameters('corpLzSubscriptionId')[copyIndex()]), 64)]"
+ },
+ "location": {
+ "value": "[parameters('connectivityLocation')]"
+ }
+ }
+ }
+ },
{
// Placing subscriptions into corp landing zone management group
"condition": "[not(empty(parameters('corpLzSubscriptionId')))]",
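Review bot: The Online NAT gateway deployment iterates over `onlineLzSubscriptionId` (copy count and `subscriptionId`) but builds the resource names from `parameters('corpLzSubscriptionId')[copyIndex()]`, so it fails with an index error whenever there are fewer Corp than Online subscriptions and otherwise stamps a Corp subscription id onto an Online resource; the two `value` lines should read `"[take(concat(variables('platformResourceNames').natGatewayName, '-', parameters('onlineLzSubscriptionId')[copyIndex()]), 64)]"` and `"[take(concat(variables('platformResourceNames').natGatewayPublicIpName, '-', parameters('onlineLzSubscriptionId')[copyIndex()]), 64)]"`. The resource-group deployment for Online reuses `corpNatGWRgDeploymentName`, which the Corp resource-group deployment in the next hunk also uses with the same `copyIndex()` suffix, so the nested deployment names collide; an `onlineNatGWRgDeploymentName` variable would keep them distinct. The copy loop name `deployNatGw` here is also used by two loops in the next hunk, and ARM copy-loop names are expected to be unique per template, so naming this one `deployOnlineNatGw` avoids an ambiguous `dependsOn` target. The `dependsOn` entry `corpConnectedMoveLzs` in an Online deployment looks copied from the Corp variant and is presumably unintended.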
@@ -7850,6 +7944,127 @@
}
}
},
+ {
+ // Creating resource group for Corp Nat gateway deployment
+ "condition": "[and(not(empty(parameters('corpLzSubscriptionId'))), equals(parameters('corpDeployNATGateway'), 'Yes'))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-06-01",
+ "name": "[concat(variables('deploymentNames').corpNatGWRgDeploymentName, copyIndex())]",
+ "subscriptionId": "[if(not(empty(parameters('corpLzSubscriptionId'))), parameters('corpLzSubscriptionId')[copyIndex()], '')]",
+ "location": "[deployment().location]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').platformLiteSubscriptionPlacement)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').asbPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]"
+ ],
+ "copy": {
+ "name": "deployNatGwRg",
+ "count": "[length(parameters('corpLzSubscriptionId'))]"
+ },
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').resourceGroup]"
+ },
+ "parameters": {
+ "rgName": {
+ "value": "[variables('platformRgNames').natGwRg]"
+ },
+ "location": {
+ "value": "[parameters('connectivityLocation')]"
+ }
+ }
+ }
+ },
+ {
+ // Deploy a NAT gateway into the Corp subscriptions
+ "condition": "[and(not(empty(parameters('corpLzSubscriptionId'))), equals(parameters('corpDeployNATGateway'), 'Yes'))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-06-01",
+ "name": "[concat(variables('deploymentNames').corpNatGWDeploymentName, copyIndex())]",
+ "subscriptionId": "[if(not(empty(parameters('corpLzSubscriptionId'))), parameters('corpLzSubscriptionId')[copyIndex()], '')]",
+ "resourceGroup": "[concat(variables('platformRgNames').natGwRg)]",
+ "dependsOn": [
+ "deployNatGwRg",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]",
+ "corpConnectedMoveLzs"
+ ],
+ "copy": {
+ "name": "deployNatGw",
+ "count": "[length(parameters('corpLzSubscriptionId'))]"
+ },
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').corpNatGateway]"
+ },
+ "parameters": {
+ "natGatewayName": {
+ "value": "[take(concat(variables('platformResourceNames').natGatewayName, '-', parameters('corpLzSubscriptionId')[copyIndex()]), 64)]"
+ },
+ "natGatewayPublicIpName": {
+ "value": "[take(concat(variables('platformResourceNames').natGatewayPublicIpName, '-', parameters('corpLzSubscriptionId')[copyIndex()]), 64)]"
+ },
+ "location": {
+ "value": "[parameters('connectivityLocation')]"
+ }
+ }
+ }
+ },
+ {
+ // Deploy a NAT gateway into the Corp connected subscriptions
+ "condition": "[and(or(equals(parameters('enableHub'), 'nva'), equals(parameters('enableHub'), 'vhub')), not(empty(parameters('corpConnectedLzSubscriptionId'))), equals(parameters('corpDeployNATGateway'), 'Yes'))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-06-01",
+ "name": "[concat(variables('deploymentNames').corpConnectedNatGWDeploymentName, copyIndex())]",
+ "subscriptionId": "[if(not(empty(parameters('corpConnectedLzSubscriptionId'))), parameters('corpConnectedLzSubscriptionId')[copyIndex()].subs, '')]",
+ "resourceGroup": "[variables('platformRgNames').lzVnetRg]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vwanConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosLzPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vwanConnectivityHubLiteDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]",
+ "[concat(variables('deploymentNames').corpPeeringDeploymentName, copyIndex())]",
+ "corpConnectedMoveLzs"
+ ],
+ "copy": {
+ "name": "deployNatGw",
+ "count": "[length(parameters('corpConnectedLzSubscriptionId'))]"
+ },
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').corpNatGateway]"
+ },
+ "parameters": {
+ "natGatewayName": {
+ "value": "[take(concat(variables('platformResourceNames').natGatewayName, '-', parameters('corpConnectedLzSubscriptionId')[copyIndex()].subs), 64)]"
+ },
+ "natGatewayPublicIpName": {
+ "value": "[take(concat(variables('platformResourceNames').natGatewayPublicIpName, '-', parameters('corpConnectedLzSubscriptionId')[copyIndex()].subs), 64)]"
+ },
+ "location": {
+ "value": "[parameters('connectivityLocation')]"
+ }
+ }
+ }
+ },
/*{
// Peering corp connected lz vnet to connectivity sub (when vwan is selected)
"condition": "[and(equals(parameters('enableHub'), 'vwan'), not(empty(parameters('corpConnectedLzSubscriptionId'))))]",
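Review bot: Both the Corp and the Corp-connected NAT gateway deployments declare the copy loop as `"name": "deployNatGw"` (and the Online loop in the previous hunk does too), so the loops share one name within a single template, which ARM does not accept as far as I know and which makes any `dependsOn: "deployNatGw"` ambiguous; rename them to `deployCorpNatGw` and `deployCorpConnectedNatGw`. The Corp-connected condition tests `equals(parameters('enableHub'), 'vhub')`, while the commented-out peering resource just below and the `vwanConnectivityHubDeploymentName` dependency use `'vwan'`; if the accepted values are `nva`/`vwan`, the vWAN branch of this condition never fires, so please confirm the value. The Corp-connected gateway is placed into `lzVnetRg` whereas the Corp one goes into the new `natGwRg`; if that is deliberate (co-locating with the spoke VNet), a comment such as `// Placed in the landing-zone VNet resource group so it sits next to the subnets it will serve` would stop the next reader from "fixing" it.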
diff --git a/eslzArm/subscriptionTemplates/corp-nat-gateway.json b/eslzArm/subscriptionTemplates/corp-nat-gateway.json
new file mode 100644
index 0000000000..f6c53bd973
--- /dev/null
+++ b/eslzArm/subscriptionTemplates/corp-nat-gateway.json
@@ -0,0 +1,60 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "natGatewayName": {
+ "type": "string",
+ "metadata": {
+ "description": "Name of the NAT Gateway."
+ }
+ },
+ "natGatewayPublicIpName": {
+ "type": "string",
+ "metadata": {
+ "description": "Name of the NAT Gateway Public IP."
+ }
+ },
+ "location": {
+ "type": "string",
+ "metadata": {
+ "displayName": "location",
+ "description": "Location of the NAT gateway"
+ },
+ "defaultValue": "[deployment().location]"
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Network/publicIPAddresses",
+ "apiVersion": "2024-05-01",
+ "name": "[parameters('natGatewayPublicIpName')]",
+ "sku": {
+ "name": "Standard"
+ },
+ "location": "[parameters('location')]",
+ "properties": {
+ "publicIPAllocationMethod": "Static"
+ }
+ },
+ {
+ "type": "Microsoft.Network/natGateways",
+ "apiVersion": "2024-05-01",
+ "name": "[parameters('natGatewayName')]",
+ "sku": {
+ "name": "Standard"
+ },
+ "zones": [],
+ "location": "[parameters('location')]",
+ "properties": {
+ "publicIpAddresses": [
+ {
+ "id": "[resourceId('Microsoft.Network/publicIPAddresses', parameters('natGatewayPublicIpName'))]"
+ }
+ ]
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Network/publicIPAddresses', parameters('natGatewayPublicIpName'))]"
+ ]
+ }
+ ]
+}
\ No newline at end of file
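Review bot: The template provisions the NAT gateway and its Standard public IP but nothing associates the gateway with a subnet (the `natGateway` reference lives on `Microsoft.Network/virtualNetworks/subnets`), so on its own it does not change outbound behaviour and workloads continue to use default outbound access until the subnet side is configured; this should be stated in the parameter metadata, e.g. `"description": "Name of the NAT Gateway. The gateway is not attached to any subnet by this template; subnets must reference it via their natGateway property before it carries egress traffic."`. The public IP becomes the fixed egress address for those subnets, which is useful for allow-listing and egress monitoring but also means every workload behind it shares one outbound identity, so consider exposing `idleTimeoutInMinutes` and `zones` (currently hard-coded to `[]`, i.e. non-zonal) as parameters with the same `metadata.description` pattern as the existing ones. Minor style: `location` carries a `displayName` entry the other two parameters lack, and the file ends without a trailing newline.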