First I would like to congratulate you on the extensive article on private endpoint topologies! It has been very helpful to me and my colleagues in deriving a nice strategy for private endpoints in our organization.
We are following the guidelines for the Enterprise Scale adoption by Microsoft, and making some adjustments to our hub and spoke model to adapt to some networking challenges we face.
I'm trying to adapt the CreatePrivateDnsZoneGroup policy to our scenario, but I'm not having success with it.
Our scenario is the following:
We have two subscriptions, SubsDNS and SubsNetworks.
On SubsDNS, we have all of the privatelink.* DNS Zones created.
On SubsNetworks, we have VNET-A and VNET-B created.
The goal we want to achieve is:
When a private endpoint is created in VNET-A, the CreatePrivateDnsZoneGroup policy runs a DeployIfNotExists and creates the DNS record in the corresponding privatelink.* DNS zone on SubsDNS.
If the private endpoint is created in VNET-B, the Policy ignores it.
Now, I've been trying to tamper with the policy you posted to do the following:
I've added an extra condition in the if/allOf block to check the subnet.id where the private endpoint was created:
{
"field": "Microsoft.Network/privateEndpoints/subnet.id",
"equals": "[parameters('subnetId')]"
}
But the policy is showing as "Compliant" even without the DNS entry created on SubsDNS.
I'm new to the Azure Policy part, and I still find it somewhat confusing and hard to troubleshoot. I would appreciate it if you have any tips on how to overcome this.
Regards!