Skip to content

Whats new

Jump to bottom
github-actions edited this page Nov 14, 2023 · 159 revisions

Wiki content

Clone this wiki locally

In this Section

Enterprise Scale/Azure Landing Zones is updated regularly. This page is where you'll find out about the latest updates to Enterprise Scale/Azure Landing Zones for:

Note: Please check the latest release notes for each of the tools, as these will contain more detailed notes relating to changes in each of the tools.

This article will be updated as and when changes are made to the above and anything else of relevance for Enterprise Scale/Azure Landing Zones. Make sure to check back here often to keep up with new updates and changes.

Important: Previous changes to the above in relation to Enterprise Scale will not be listed here. However going forward, this page will be updated.

Updates

Here's what's changed in Enterprise Scale/Azure Landing Zones:

November 2023

Tooling

  • Added virtual hub routing preference support to Portal Accelerator for scenarios where you need to influence routing decisions in virtual hub router towards on-premises. For existing ALZ customers please visit Configure virtual hub routing preference for details on how to configure virtual hub routing preference settings.
  • Added virtual hub capacity option to Portal Accelerator which provides an option to select the number of routing infrastracture units. Please visit Virtual hub capacity for more details on Azure vWAN Virtual Hub Capacity configuration.
  • Fixed a bug in the portal accelerator experience when deploying with single platform subscription and selecting virtual WAN networking topology - Invalid Template error.

Docs

  • Fixed in ALZ Azure Setup the bash command to assign at root scope Owner role to a Service Principal.

October 2023

Policy

  • The portal accelerator experience has been updated to include deployment of Azure Monitor baseline alerts. Details on the policies deployed can be found here.
  • Fixed issue with couple of Policy file names to align with the actual name of the policies
  • Bug fix for Deploy-MDFC-Config version
  • Add support to deploy ALZ Portal Accelerator into new Italy North region

Tooling

  • Fixed a bug in the portal accelerator experience when deploying a VPN Gateway and Azure Firewall (Basic SKU) - IP address overlap error.
  • Added vWAN Hub Routing Intent support to Portal Accelerator for scenarios that include Azure Firewall deployment. For existing ALZ customers please visit How to configure Virtual WAN Hub routing intent and routing policies for details on how to add routing intent to your environment.
  • Enhanced the ALZ Portal Accelerator to provide the ability to deploy the Azure VPN Gateway in Active/Active mode as per feedback from #655.

Docs

  • Updated the ALZ Wiki FAQ to include a section on why we've enabled GitHub Releases - read here.
  • Updated the ALZ Wiki FAQ to include a section on why some solutions may not deploy in an ALZ governed environment and how to work around it.

September 2023

Policy

Important: For existing ALZ deployments, you will need to redeploy the below assignments with least privilege RBAC roles, and review and remove existing service principals Owner role assignments. The below list includes the scope that needs to be reviewed. For new deployments, the below assignments will be deployed with least privilege RBAC roles.

Where to find RBAC roles to cleanup

  • Remediating default policy/initiative assignments using Owner role to be least privilege where possible. Updated assignments:
    • Deploy-AzActivity-Log (Management Group: Intermediate Root)
    • Deploy-AKS-Policy (added additional required role)
    • Deploy-Resource-Diag (Management Group: Intermediate Root)
    • Deploy-SQL-TDE (Management Group: Landing Zone)
    • Deploy-VM-Backup (Management Group: Landing Zone)
    • Deploy-VM-Monitoring (Management Group: Intermediate Root)
    • Deploy-VMSS-Monitoring (Management Group: Intermediate Root)

Other

August 2023

Policy

  • Updating custom policies using over permissive roles (Owner) to use resource scoped roles (e.g., Storage Account Contributor, Azure SQL Contributor, etc.):
    • Deploy-Storage-sslEnforcement
    • Deploy-SqlMi-minTLS
      • Added evaluationDelay as provisioning takes around 4 hours and policy remediation fails on create due to time outs (as it normally triggers after 10 minutes).
    • Deploy-SQL-minTLS
    • Deploy-MySQL-sslEnforcement (changed from Owner to Contributor role, no built in roles currently available)
    • Deploy-PostgreSQL-sslEnforcement (changed from Owner to Contributor role, no built in roles currently available)
  • Updated to the new Configure Microsoft Defender for Storage to be enabled built-in policy to the Deploy-MDFC-Config initiative and assignment.
    • Read more about the new Microsoft Defender for Storage here: aka.ms//DefenderForStorage.
    • NOTE: there are additional cost considerations associated with this feature - more info.

Other

  • Renamed Azure Active Directory to Microsoft Entra ID

July 2023

Major update in this release: introducing the Policy Testing Framework foundation, along with tests for all assigned infrastructure policies that use the DENY effect. This will allow us to test the policies in a more automated fashion, and will help us to ensure that we don't introduce any regressions in the future and maintain a higher level of quality for our policies. We will be adding additional tests for custom policies in the future.

Policy

  • Added additional initiative assignment for Enforce-Guardrails-KeyVault to the Platform Management Group to improve security coverage. Initially this assignment was only applied to the Landing Zone Management Group.
    • Update Portal RI to include the new assignment option for the Key Vault initiative under Platform Management.
  • Added new custom policy to audit Virtual Machines not using Azure Hybrid Benefit (Audit-AzureHybridBenefit)
  • Fixing bug in Deploy-Sql-vulnerabilityAssessments to achieve compliance if successfully remediated. NOTE: Due to the need to change parameters, this is a breaking change. The original policy will remain in place but will be deprecated and a new policy will be deployed for the fix Deploy-Sql-vulnerabilityAssessments_20230706 - please update assignments accordingly - many thanks @Matt-FFFFFF.
  • Bug fix for Management port access from the Internet should be blocked not enforcing deny effect when a deployment includes rules defined in network security group properties (i.e., when specifying rules when creating the NSG) - many thanks to @DavidRobson.
  • QoL updates: adding supersededBy metadata and adding links in the description to deprecated custom policies to point to the superseding policy - aligned with ALZ specific feature updates in AzAdvertizer.
  • Policy Testing Framework implemented for custom ALZ DENY policies (See Tooling section below).

Tooling

  • Enhanced the Azure Firewall Basic experience in the ALZ Portal Accelerator based on feedback from #1370 by removing the DNS proxy option when selecting the Basic SKU
  • Updated Sentinel deployment to use new simplified pricing tier
  • Established a Policy Testing Framework based on Pester, built on the work done by @fawohlsc in this repo azure-policy-testing

Docs

  • Updated contribution guide to include a new section to describe how to implement tooltips when adding new policies with default assignments that require updates to the portal reference implementation.
  • Adding text to the ALZ-Policies wiki page to clarify that we do use preview policies as part of initiatives in some default assignments.

June 2023

Policy

  • Fixed default assignment for SQLEncryption (DINE-SQLEncryptionPolicyAssignment) to use the correct policy definition.
  • Added new default assignment for SQLThreatDetection (DINE-SQLThreatPolicyAssignment) to use the previous policy definition from DINE-SQLEncryptionPolicyAssignment.
  • Updated the assignment DINE-LogAnalyticsPolicyAssignment (Deploy-Log-Analytics) to default enforcement mode to "DoNotEnforce". The Log Analytics workspace is deployed directly by the reference implementations, and as a result this policy is no longer required to deploy the Log Analytics workspace. Retaining the assignment for auditing purposes.
  • Added new custom policies for (many thanks @jeetgarg):

Tooling

  • Updated Portal Accelerator tooltips to provide more relevance and links to associated policies or initiatives.

Other

  • When the option to deploy Log Analytics workspace and enable monitoring is enabled (Yes) in the Platform management, security, and governance section, Diagnostic Settings for Management Groups are also deployed.

May 2023

Policy

  • Updated Deploy-Diagnostics-APIMgmt.json to support resource-specific destination table in the diagnostic setting for API Management.
  • Updated Deploy-Diagnostics-LogAnalytics.json policy initiative with new parameter to support resource-specific destination table in the diagnostic setting for API Management.
  • Updated Deploy-Diagnostics-Firewall.json to support resource-specific destination table in the diagnostic setting for Firewall
  • Updated Deploy-Diagnostics-LogAnalytics.json policy initiative with new parameter to support resource-specific destination table in the diagnostic setting for Firewall
  • Updated Deploy-Diagnostics-APIMgmt.json to support resource-specific destination table in the diagnostic setting for API Management
  • Updated Deploy-Diagnostics-LogAnalytics.json policy initiative with new parameter to support resource-specific destination table in the diagnostic setting for API Management
  • Bug fix for effect for the Key Vault setting (incorrect case) in Deploy-MDFC-Config.json initiative.
  • Bug fix for Management port access from the Internet should be blocked when a destination port array is submitted that contains port ranges that includes a denied port (22, 3389, and any others) when creating new NSG rules.
  • Bug fix for AppService append sites with minimum TLS version to enforce. where the policy was preventing the creation of connection strings via API. The fix revises the policy rule logic to address the blocking issue.
  • Fixed minor grammatical errors in two policy assignments.
  • Deprecated policy Deny-MachineLearning-PublicNetworkAccess.
  • Update initiative Deny-PublicPaaSEndpoints to replace deprecated policy Deny-MachineLearning-PublicNetworkAccess with builtin 438c38d2-3772-465a-a9cc-7a6666a275ce.
  • Deprecated policy Deny-PublicEndpoint-MariaDB.
  • Update initiative Deny-PublicPaaSEndpoints to replace deprecated policy Deny-PublicEndpoint-MariaDB with builtin fdccbe47-f3e3-4213-ad5d-ea459b2fa077 - special note: US Gov/Fairfax still uses the now deprecated policy as the builtin is not yet available.
  • Standardized denied network resources in policy assignments for Corp and Sandbox management groups as per GH #1333.
  • Added non-compliance message to Enforce-ALZ-Sandbox initiative assignment.

Docs

  • Updated wiki deployment guides for the four main scenarios to include the new Decommissioned and Sandbox step in the portal accelerator.
  • Updated ALZ Policies wiki to make the link to the Excel spreadsheet more prominent.
  • Updated ALZ Policies wiki images to reflect policy initiative assignments now included for Decommissioned and Sandbox management groups.
  • Updated the ALZ Policy Assignments Excel spreadsheet to include a release version column so users can track when those policies last changed and verified all assignments have a relevant AzAdvertizer link for policy details.
  • Azure Enablement Show: Updating your Azure landing zones published
  • Tech Community Blog: Azure Monitor Baseline Alerts (Preview) published
  • Updated wiki documentation to so reflect the removal of the "Platform DevOps and automation" section from ALZ Portal Accelerator
  • Added support for Azure Firewall Basic SKU to Hub & Spoke and Virtual WAN deployments in the ALZ Portal Accelerator
  • Updated wiki documentation towards Subscription Vending approach for landing zone (subscription) creation
  • A brand new ALZ Policy FAQ and Tips page has been added to the wiki to help answer some of the most common questions and provide some useful tips for working with ALZ policies.
  • Updated ALZ Contribution Guide to include new section on how to contribute to ALZ policies resulting in breaking changes, and some minor refactoring to make it more readable.

Tooling

Other

April 2023

We are pleased to announce that we are starting regular Azure Policy reviews for Azure Landing Zone. This includes a review of new built-in policies released and their suitability for ALZ, built-in policies that can replace custom ALZ policies, built-in policies that have been deprecated and addition of new ALZ custom policies and initiatives as identified based on best practices, issues raised and customer feedback. Most importantly, we have also provided default assignments for all the new policies at the appropriate ALZ Management Group level. This will ensure that all new policies are automatically assigned to the appropriate scope and will be in compliance with the ALZ baseline. This will also ensure that the ALZ is always up to date with the latest Azure Policy definitions.

This update includes many ALZ Azure Policies and Initiatives that have been added or updated to enhance the security, governance, and management of ALZ. As part of our commitment to continuous improvement, we have also enhanced our policy review process, with a focus on transitioning away from deprecated policies where possible, move from custom to built-in policies providing the same or enhanced functionality, and implementing new policies to keep ALZ as part of the current review cycle. We have also implemented non-compliance messages where supported to provide a better user experience when a policy is non-compliant.

This is the first major review and refresh of Azure Policy since ALZ was GA'd. Since GA many new built-in policies and initiatives have been released which has driven the need for this review. We believe that a regular review cycle will allow us to stay on top of emerging trends and new policies, ensuring that our Azure environment remains secure and compliant. Should you identify policies or initiatives that should be considered for ALZ, kindly submit an GitHub issue. For more information, please refer to the ALZ Policies or the new Excel spreadsheet version.

We strongly advise staying up-to-date to ensure the best possible security posture for your Azure environment, see Keep your Azure landing zone up to date. For those with existing deployments or policies, we have provided Brownfield guidance to help you navigate the process of updating to the latest policies. We recognize that there may be breaking changes when upgrading an existing deployment or policies and for details follow our recently released guidance to support you in this process:

Please note that, in some cases, moving to the new Built-In Policy definitions, deploying changes to existing custom policies or removing deprecated policies will require a new Policy Assignment and removing the previous Policy Assignment, which will mean compliance history for the Policy Assignment will be lost. However, if you have configured your Activity Logs and Security Center to export to a Log Analytics Workspace, Policy Assignment historic data will be stored here as per the retention duration configured. Thank you for your cooperation, and we look forward to continuing to work with you to ensure the security and compliance of our Azure environment.

While we've made every effort to test the stability of this release, should you have any issues and the guidance provided does not resolve your issue, please open a GitHub issue so we can do our best to support you and document the fix for others.

Policy

Breaking Changes

Note that a number of initiatives have been updated that will fail to deploy if you have existing deployments. This is due to the fact that the number of parameters and default values have changed, as we've added or removed policies from the initiative. To resolve this, you will need to remove the existing initiative assignments and then redeploy the updated initiative.

Initiative Name Change Recommended Action
Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit (azadvertizer.net) Removed a deprecated policy, superceding policy is already in the initiative Remove existing initiative assignment, delete the custom initiative and remove the orphaned identity. Deploy the updated initiative.
New
  • New Initiative for the Decommissioned landingzones including policies:
    • Initiative name: Enforce-ALZ-Decomm
      • Allowed resource types - resources are not allowed to be deployed, however, authorization, lock and tag management are permitted.
      • New policy to deploy an auto shutdown policy for virtual machines - Deploy-Vm-autoShutdown
      • Portal accelerator updated with additional tab and options to enable this initiative.
  • New Initiative for the Sandboxes landingzones including policies:
  • Added initiative assignment [Preview]: Deploy Microsoft Defender for Endpoint agent to 'Intermediate Root' Management Group.
  • Added assignment of Network interfaces should not have public IPs built-in Policy to the 'Corp' Management Group.
  • Added new initiative and assignment to implement recommended guardrails for Azure Key Vault at the landing zones management group
    • Initiative name: ENFORCE-Guardrails-KeyVault
    • Policies included: ALZ Polices
    • Portal accelerator updated
  • Added two new policy assignments to govern Corp Management Group networking:
    • DENY-HybridNetworking - blocks the provisioning of vWAN/ER/VPN, including gateways, in Corp
    • AUDIT-PeDnsZones - audits the provisioning of Private Link Private DNS Zones in Corp
      • NOTE: The policy default values include all the static Private DNS Zones only. When assigned via the ALZ portal experience the assignment includes all the Private DNS Zones that are deployed as part of the ALZ Portal experience, including the geo code/regional zones for Azure Backup, AKS etc.
  • Added new policy assignment to audit WAF enabled on Application Gateways (Audit-AppGW-WAF)
  • Added new initiative and assignment to enable Azure Compute Security Baseline compliance auditing for Windows and Linux virtual machines (Enforce-ACSB)
  • Added new Diagnostic setting category for Host Pools Diagnostic Settings to Deploy-Diagnostics-WVDHostPools
    • ConnectionGraphicsData
  • Added new Diagnostic setting category for EventGrid Topics Diagnostic Settings to Deploy-Diagnostics-EventGridTopic
    • DataPlaneRequests
  • Added two new policy initiative assignments to enable Advanced Threat Detection for databases at intermediate root:
  • Add new Azure Policy Initiative and assignment (Audit-UnusedResourcesCostOptimization), at the intermediate root management group (e.g. contoso), to audit unused resources that are driving costs.
  • Added new assignment to deny deployment of virtual machines and virtual machine scale sets using unmanaged OS disks.
  • Added a policy assignment to deny Classic resources at the Intermediate Root management group
Update
Retire
  • Deprecated the custom ALZ policy Deploy SQL Database Transparent Data Encryption as there is now a built-in policy available in Azure Policy Deploy SQL DB transparent data encryption.
  • No longer assign Databricks custom policies at Corp management group scope. Policies:
    • Deny-Databricks-NoPublicIp
    • Deny-Databricks-Sku
    • Deny-Databricks-VirtualNetwork

If you are not using these policies, we advise you remove the assignment at Corp management group level, if you are not utilizing them.

Portal Accelerator

  • FIX: Updated the Fairfax (US Gov) portal accelerator experience so it now works as expected.
  • Service Map solution has been removed as an option to be deployed, as this has been superseded by VM Insights, as documented here. Guidance on migrating and removing the Service Map solution can be found here.

Other

March 2023

Docs

Tooling

  • Added additional deployment telemetry collection data point for Zero Trust Networking intent as documented here.
  • Defaulted Azure Firewall SKU/Tier to Premium from Standard. SKU/Tier can still be set back to Standard if desired

February 2023

Policy

  • Updated Deploy-Diagnostics-Databricks.json policy with missing log categories
  • Updated Deploy-Diagnostics-PostgreSQL.json policy to include setting Diagnostic Settings on PostgreSQL flexible server
  • Updated Deploy-Diagnostics-Website.json policy to set Diagnostic Settings based on the AppService plan, as the Premium Tier has more categories available.
  • Removed duplicated category entry from Deploy-Diagnostics-VNetGW.json policy.

Tooling

  • Added note to the portal experience on the "Platform DevOps and automation" blade warning that a management/platform subscription must be selected otherwise the blade will be blank

January 2023

Policy

  • Updated Deploy-SQLVulnerabilityAssessments.json policy to use Storage Account Contributor for storing the logs.
  • Updated the same policy parameter description for email recipients explaining string type and how to format input.
  • Fix typo in Deny-MachineLearning-PublicAccessWhenBehindVnet.json.

Other

  • ALZ External Community Call held. Recording and slides can be found here.

December 2022

Docs

Original URL New URL
docs/ESLZ-Policies.md wiki/ALZ-Policies
docs/EnterpriseScale-Architecture.md wiki/ALZ-Architecture
docs/EnterpriseScale-Contribution.md wiki/ALZ-Contribution
docs/EnterpriseScale-Deploy-landing-zones.md wiki/ALZ-Deploy-landing-zones
docs/EnterpriseScale-Deploy-reference-implentations.md wiki/ALZ-Deploy-reference-implementations
docs/EnterpriseScale-Deploy-workloads.md wiki/ALZ-Deploy-workloads
docs/EnterpriseScale-Known-Issues.md wiki/ALZ-Known-Issues
docs/EnterpriseScale-Roadmap.md wiki/ALZ-Roadmap
docs/EnterpriseScale-Setup-aad-permissions.md wiki/ALZ-Setup-aad-permissions
docs/EnterpriseScale-Setup-azure.md wiki/ALZ-Setup-azure

Tooling

  • Added ALZ Custom RBAC Role Definitions, as listed here to ALZ Portal Experience. Fixing #1079

Policy

  • Updated "Deploy Diagnostic Settings to Azure Services" initiative replacing deprecated policy for diagnostic settings on Storage Account
  • Removed all exclusions (parameters) from the Microsoft Cloud Security Benchmark (currently Azure Security Benchmark) initiative assignment to standardize across reference architectures and align with best practice. Impacted assignment: Deploy-ASC-Monitoring
  • Updated "**Deploy Diagnostic Settings for Data Factory to Log Analytics workspace" to include new categories of: SandboxPipelineRuns & SandboxActivityRuns
  • Add missing minimalSeverity parameter to Deploy-ASC-SecurityContacts Policy Definition

Tooling

  • Removed ActivityLog Solution as an option to be deployed into the Log Analytics Workspace. As this has been superseded by the Activity Log Insights Workbook, as documented here.

November 2022

Docs

Tooling

  • Updated ALZ Portal Accelerator to support all available Availability Zones as listed here
  • Update ALZ Portal Accelerator Private DNS Zones for Private Link, fixing issue #1073

Policy

  • "Deploy Diagnostic Settings for Log Analytics to Log Analytics workspace" definition added and also added to Deploy-Diagnostics-LogAnalytics initiative

  • "Deploy Diagnostic Settings for Databricks to Log Analytics workspace" definition update

    • Version 1.1.0 -> 1.2.0
    • Added missing log categories

  • "Deploy SQL Database security Alert Policies configuration with email admin accounts" definition update

    • Version 1.0.0 -> 1.1.1
    • Changed email addresses from hardcoding to array parameter

  • "Deploy SQL Database Transparent Data Encryption" definition update

    • Version 1.0.0 -> 1.1.0
    • Added system databases master, model, tempdb, msdb, resource to exclusion parameter as default values
    • Added as Policy Rule 'notIn' which will exclude the above databases from the policy

  • Updated "Deploy-Private-DNS-Zones" Custom initiative for Azure Public Cloud, with latest built-in Policies. Policies were added for the following Services:

    • Azure Automation
    • Azure Cosmos DB (all APIs: SQL, MongoDB, Cassandra, Gremlin, Table)
    • Azure Data Factory
    • Azure HDInsight
    • Azure Migrate (missing Private DNS Zone also added)
    • Azure Storage (Blob, Queue, File, Static Web, DFS and all relative secondaries)
    • Azure Synapse Analytics
    • Azure Media Services
    • Azure Monitor

  • Minor fixes related to "Deploy-Private-DNS-Zones" Custom Initiative and respective Assignment:

    • Added missing Zones for "WebPubSub" and "azure-devices-provisioning", so Initiative Assignment works correctly
    • Minor correction related to ASR Private DNS Zone variable, so Initiative Assignment works correctly
    • Conversion of "Azure Batch" Private DNS Zone (from regional to global), to properly align with latest respective documentation and functionality

  • Renamed Azure DDoS Standard Protection references to Azure DDoS Network Protection.

  • Incremented version for policy Deploy-DDoSProtection from "version":"1.0.0" to "version": "1.0.1"

  • Added Configure Microsoft Defender for Azure Cosmos DB to be enabled to the Deploy Microsoft Defender for Cloud configuration initiative and updated version to 3.1.0 - Fixing issue issue #1081

  • Added AZFWFlowTrace category for Azure Firewall in associated Diagnostic Policy

  • Deprecated the following ALZ policies

    in favour of Azure built-in policies with the same or enhanced functionality.

ALZ Policy ID(s) Azure Builti-in Policy ID(s)
Deploy-Nsg-FlowLogs-to-LA e920df7f-9a64-4066-9b58-52684c02a091
Deploy-Nsg-FlowLogs e920df7f-9a64-4066-9b58-52684c02a091
Deny-PublicIp 6c112d4e-5bc7-47ae-a041-ea2d9dccd749

  • ""Deploy-ASC-SecurityContacts"" definition update

    • displayName and description update to "Deploy Microsoft Defender for Cloud Security Contacts"
    • Added new parameter minimalSeverity with settings
      • Default value High
      • Allowed values: High, Medium, Low

  • ""Deploy-MDFC-Config"" definition update

    • Updated policy definitions set Deploy-MDFC-Config, Deploy-MDFC-Config(US Gov), Deploy-MDFC-Config (China)
      • added new parameter minimalSeverity.
      • added default value for multiple parameters.

Other

  • No updates, yet.

October 2022

Docs

Tooling

  • Release v2.4.1 of the Azure landing zones Terraform module adds a new diagnostic category for Azure Firewall, as reported in issue #1063
  • Update the Azure landing zone portal accelerator to use Resource Graph with a generic drop down UI element to improve user experience for subscription selection.
  • Update the Azure landing zone portal accelerator to have more unique naming for deployment names in same tenant, using utcNow() function in deploymentSuffix variable - fixes #1077
  • Update the Azure landing zone portal accelerator to have more unique naming for vNet names - fixes #881
    • vNet naming pattern changed:
      • From:
        • Identity vNet: <Subscription ID>-<Root ID Prefix>-vnet-<Region Short Name>
        • Corp vNets: <Subscription ID>-<Root ID Prefix>-vnet-<Region Short Name>
      • To:
        • Identity vNet: <Root ID Prefix>-vnet-<Region Short Name>-<Subscription ID> (then trimmed to 64 characters, using take() function, starting at front - so Subscription ID will get trimmed)
        • Corp vNets: <Root ID Prefix>-vnet-<Region Short Name>-<Subscription ID> (then trimmed to 64 characters, using take() function, starting at front - so Subscription ID will get trimmed)
    • ⚠️This is a breaking change, only if you attempt to redeploy the Azure landing zone portal accelerator over the top of an existing Azure landing zone portal accelerator deployment that was deployed prior to 12/10/2022 (12th October 2022)⚠️
      • The outcome if you do this will be that new vNets will be created based on what you input into the Azure landing zone portal accelerator form when you fill it out. Even if you input exactly the same inputs and details as the first time you deployed it.
        • However, this is a very uncommon action and if you are impacted please raise an issue on the repo and we can assist further
  • Release of various ALZ-Bicep versions:
  • Updated Azure landing zone portal accelerator with a note around existing Management Group Name/IDs on "Azure core setup" blade linking to FAQ Q&As

Policy

  • Added Configure Microsoft Defender for Azure Cosmos DB to be enabled to the Deploy Microsoft Defender for Cloud configuration initiative and updated version to 3.1.0 - Fixing issue issue #1081
  • Updated the Diagnostic Settings Policies to leverage the profileName parameter properly, rather than hardcoded value (setByPolicy) - Fixing issue issue #478

Other

  • No updates, yet.

September 2022

Docs

Tooling

Policy

  • No updates, yet.

Other

  • No updates, yet.

August 2022

Docs

  • No updates, yet.

Tooling

  • Updated the eslzArm implementation (Portal accelerator) to use a new policies.json file. This file is now programmatically generated from a library of individual resource definitions using a Bicep template, and was introduced to:
    • Simplify maintenance of individual policies
    • Improve traceability and testability of policy changes
    • Provide universal support across multiple cloud environments, including AzureCloud (public), AzureChinaCloud and AzureUSGovernment
    • As a bonus, we have also improved consistency of metadata implemented across the policies
  • Updated Azure Backup geo codes for new regions across ARM, Bicep and Terraform implementation options

Policy

  • No updates, yet.

Other

  • No updates, yet.

July 2022

Docs

  • Updated the ALZ Terraform module Wiki to reflect the latest fixes.
  • Various updates to CAF ALZ Docs
    • Identity and Access Management
    • Network Topology and Connectivity
    • Management
    • Platform Automation and DevOps

Tooling

  • ALZ Terraform module hotfix release v2.1.2, for regional private endpoint DNS zones
  • ALZ Bicep modules release v0.9.2 released
    • Added Landing Zone Management Group Children Flexibility
    • Added Policy Assignments for Mooncake (Azure China)
    • Fixed Azure Backup Private DNS Zone Geo Codes bug, fixing issue #279
  • ALZ Accelerator (Portal Experience) updated to fix Azure Backup Private DNS Zone Geo Codes, fixing issue #1004

Policy

  • No updates, yet.

Other

  • No updates, yet.

June 2022

Docs

Tooling

  • Fixed issue #979 by adding support for the additional Log Analytics Solutions of SQLVulnerabilityAssessment and SQLAdvancedThreatProtection to the Azure Landing Zone Accelerator (portal experience)
  • ALZ Terraform module minor release v2.1.0, to provide feature parity on the fix for issue #979
  • ALZ Terraform module hotfix release v2.1.1 (see release notes for more information).

Policy

  • Renamed Diagnostic Settings Policies from WVD to AVD - Fixing issue issue #962
    • displayName and description updated only. name left as WVD to avoid in-place update issues for existing deployments
    • Add 2 new categories for Host Pools Diagnostic Settings
      • NetworkData
      • SessionHostManagement
  • Added AVD Scaling Plans Diagnostic Settings called Deploy-Diagnostics-AVDScalingPlans for Azure Public only - as not supported in Fairfax or Mooncake as per https://learn.microsoft.com/azure/virtual-desktop/autoscale-scaling-plan - Fixing issue issue #962
    • Added to Deploy-Diagnostics-LogAnalytics Policy Initiative
  • Added additional log categories to Deploy-Diagnostics-Firewall for Azure Firewall Diagnostic Settings Policy - Fixing issue issue #985
  • Added additional log categories to Deploy-Diagnostics-APIMgmt for Azure API Management Diagnostic Settings Policy - Fixing issue issue #986
  • Added new Policy for for Azure Bastion Diagnostic Settings Policy called Deploy-Diagnostics-Bastion - Fixing issue issue #968
    • Added to Deploy-Diagnostics-LogAnalytics Policy Initiative
  • Updated Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess mode from Indexed to All - Fixing issue issue #978
  • Updated Deploy-Storage-sslEnforcement existence condition - Fixing issue issue #971
  • Updated Deploy-Diagnostics-MlWorkspace metrics and categories - Fixing issue issue #893

Other

  • No updates, yet.

May 2022

Docs

Tooling

Policy

  • No updates, yet.

Other

  • Published resources from the third Azure Landing Zones Community Call - held on the 2nd May 2022

April 2022

Docs

Tooling

  • Azure Landing Zones Terraform Module v2.0.0 released 🥳
    • Adds support for Virtual WAN plus much more
    • Checkout release notes for details on all the changes and fixes
    • Checkout upgrade guide for details on how to upgrade to the latest release
  • Updated Private DNS Zones that are created for Private Link/Endpoints in Portal Experience as per documentation here: Azure Private Endpoint DNS configuration
  • Added Telemetry to Portal Experience. More info here Telemetry Tracking Using Customer Usage Attribution (PID)
  • Increase preparingToLaunch deployment delay in portal experience to improve scenario in issue 902
  • Added warnings to use dedicated Subscriptions for platform services when selecting the dedicated model to help avoid deployment failures seen when selecting the same Subscription in the dedicated platform Subscription model for Management, Identity and Connectivity
    • Improving experience as suggested in issue 910
    • Customers wanting a single subscription for platform services should select the 'Single' option on the 'Azure Core Setup' blade

Policy

  • Added new custom policy definition called Deny vNet peering to non-approved vNets
    • This is useful in scenarios where you only want to allow vNet peering to say a central hub vNet and not allow other vNet peerings between landing zones to be enabled.

Other

  • No updates, yet.

February 2022

Docs

Tooling

  • The Bicep version of Azure Landing Zone (formerly Enterprise-scale) is here! 🥳
  • Updated accelerator (portal) experience to deploy an Azure Firewall Policy Premium SKU instead of Standard when Premium is selected for the Azure Firewall in a Hub & Spoke VNet Connectivity model.
  • Updated accelerator (portal) experience to deploy an Azure Firewall Policy for customers using the Virtual WAN connectivity model.

Policy

  • Renamed Deploy-ASCDF-Config to Deploy-MDFC-Config and updated version to 3.0.0 - fixing issue 923

Other

  • No updates, yet.

January 2022

Docs

  • No updates, yet.

Tooling

  • New release v1.1.0 of the caf-enterprise-scale Terraform module, providing updates to the published policies and a number of bug fixes.

Policy

  • Updated Deny-Subnet-Without-Nsg & Deny-Subnet-Without-Udr to version 2.0.0
    • Fixes scenario described in issue issue #407
  • Updated Deploy-ASCDF-Config policy initiative with changes relating to new Microsoft Defender for Cloud Containers plan as documented in issue #874
    • Updated in Public (Commercial), Fairfax (Gov) and Mooncake (China)
    • Updated portal experiences for Public and Fairfax
Policy Definition Display Name Policy Definition ID Note
[Deprecated]: Configure Azure Defender for container registries to be enabled d3d1e68e-49d4-4b56-acff-93cef644b432 REMOVED - Old ACR policy
[Deprecated]: Configure Azure Defender for Kubernetes to be enabled 133047bf-1369-41e3-a3be-74a11ed1395a REMOVED - Old AKS Policy
Configure Microsoft Defender for Containers to be enabled c9ddb292-b203-4738-aead-18e2716e858f ADDED - New grouped containers policy for the new plan

Other

  • No updates, yet.

December 2021

Docs

Updated TOC

  • Updated DIY instructions for deploying Enterprise-Scale in Azure China with:
    • Additional details of some deployment steps
    • Microsoft Defender for Cloud configuration policy set definition and policy assignment specific to Azure China
    • Differentiate between Az VM Backup policy assignment for identity management group, and landing zone management group in the DIY guidance

Policy

  • The following policy definitions for Microsoft Defender for Cloud configurations are not available as built-in in Azure China. The policy set definition will be updated as when these policy definitions are available:
    • defenderForOssDb, defenderForSqlServerVirtualMachines, defenderForAppServices, defenderForAppServices, defenderForStorageAccounts, defenderForKeyVaults, defenderForDns, defenderForArm

November 2021

Docs

  • No updates, yet.

Tooling

  • New release v1.1.0 of the caf-enterprise-scale Terraform module, providing updates to the published policies and a number of bug fixes.

Policy

  • Replaced Deploy-Default-Udr policy with Deploy-Custom-Route-Table that allows deploying custom route tables with an arbitrary set of UDRs (including a 0/0 default route if needed). See here for usage details.

  • Updated Deploy-Budget policy, to v1.1.0, adding new parameter of budgetName that defaults to: budget-set-by-policy - closing issue #842

    • Including Fairfax
    • Also Mooncake (Azure China) even though not in use yet

  • Added AuditEvent to Deploy-Diagnostics-AA Policy Definition to ensure correct compliance reporting on Automation Account used for diagnostics - closing issue #864

Other

  • Published resources from the second Enterprise Scale Community Call - held on the 17th November 2021

October 2021

Docs

Tooling

  • Terraform Enterprise Scale Module reaches GA (V1.0.0) - see release notes
  • ESLZ reference implementation updated with built-in (11) policies for Azure Security Center, enforcing (DeployIfNotExists) Azure Security Center with Standard Tier for Azure Defender for the following services:
    • Kubernetes
    • App Services
    • VMs
    • Key Vault
    • Azure Resource Manager
    • DNS
    • Open-source relational databases
    • SQL on VMs
    • SQL databases
    • Storage
    • Container Registries

Policy

  • No updates, yet.

Other

  • No updates, yet.

September 2021

Docs

Tooling

Policy

Custom ESLZ Policy Name Custom ESLZ Policy Display Name Custom Category Built-In Policy Name/ID Built-In Policy Display Name Built-In Category Notes
Deny-Databricks-NoPublicIp Deny public IPs for Databricks cluster Databricks Denies the deployment of workspaces that do not use the noPublicIp feature to host Databricks clusters without public IPs.
Deny-Databricks-Sku Deny non-premium Databricks sku Databricks Enforces the use of Premium Databricks workspaces to make sure appropriate security features are available including Databricks Access Controls, Credential Passthrough and SCIM provisioning for Microsoft Entra ID.
Deny-Databricks-VirtualNetwork Deny Databricks workspaces without Vnet injection Databricks Enforces the use of vnet injection for Databricks workspaces.
Deny-MachineLearning-PublicNetworkAccess Azure Machine Learning should have disabled public network access Machine Learning Denies public network access for Azure Machine Learning workspaces.

Other

  • No updates, yet.

August 2021

Docs

Tooling

Policy

  • Some minor changes to parameters and variables, tidying up some code.
  • Updated policy Deploy-VNET-HubSpoke to address #726 and #728

Other

  • Published resources from the first Enterprise Scale Community Call - held on the 25th August 2021

July 2021

Docs

Tooling

  • Portal Experience Updated
    • Merged Contoso, AdventureWorks, and Wingtip into one ESLZ deployment experience via first-party deployment in the portal ("Deploy To Azure" button) experience
      • Support "N" network topologies in same experience (Hub and Spoke, Virtual WAN, Hub and Spoke with NVA)
      • Added option for VNET Peering the Identity subscription's VNET to the Connectivity subscription's Hub VNET
      • Added option for VNET peering Landing Zones to Connectivity subscription when Hub & Spoke is the selected topology (Virtual WAN is excluded due to concurrency issues, at this time) - closing issue #517
      • Navigate policy assignment for identity, when using single vs dedicated subscriptions for platform purposes
      • Optimized the execution graph
  • Re-structured the ARM templates for all resource deployments
    • eslzArm.json is used to orchestrate the E2E composition of ESLZ, and subsequent resource deployments based on user input from the portal ("Deploy To Azure" button) experience
    • The composite ARM templates can be sequenced on their own, independently of each other (although strict sequencing is required to ensure the same outcome)
      • Guidance coming soon for this
    • Customers can deploy from private repository if they want to sequence at their own pace.
  • AzOps release v1.3.0
  • AzOps release v1.3.1
  • AzOps release v1.4.0

Policy

  • Various custom ESLZ Azure Policies have moved to Built-In Azure Policies, see below table for more detail:

You may continue to use the ESLZ custom Azure Policy as it will still function as it does today. However, we recommend you move to assigning the new Built-In version of the Azure Policy.

Please note that moving to the new Built-In Policy Definition will require a new Policy Assignment and removing the previous Policy Assignment, which will mean compliance history for the Policy Assignment will be lost. However, if you have configured your Activity Logs and Security Center to export to a Log Analytics Workspace; Policy Assignment historic data will be stored here as per the retention duration configured.

Policy Definitions Updates

Custom ESLZ Policy Name Custom ESLZ Policy Display Name Custom Category Built-In Policy Name/ID Built-In Policy Display Name Built-In Category Notes
Deny-PublicEndpoint-Aks Public network access on AKS API should be disabled Kubernetes 040732e8-d947-40b8-95d6-854c95024bf8 Azure Kubernetes Service Private Clusters should be enabled Kubernetes
Deny-PublicEndpoint-CosmosDB Public network access should be disabled for CosmosDB SQL 797b37f7-06b8-444c-b1ad-fc62867f335a Azure Cosmos DB should disable public network access Cosmos DB
Deny-PublicEndpoint-KeyVault Public network access should be disabled for KeyVault Key Vault 55615ac9-af46-4a59-874e-391cc3dfb490 [Preview]: Azure Key Vault should disable public network access Key Vault
Deny-PublicEndpoint-MySQL Public network access should be disabled for MySQL SQL c9299215-ae47-4f50-9c54-8a392f68a052 Public network access should be disabled for MySQL flexible servers SQL
Deny-PublicEndpoint-PostgreSql Public network access should be disabled for PostgreSql SQL 5e1de0e3-42cb-4ebc-a86d-61d0c619ca48 Public network access should be disabled for PostgreSQL flexible servers SQL
Deny-PublicEndpoint-Sql Public network access on Azure SQL Database should be disabled SQL 1b8ca024-1d5c-4dec-8995-b1a932b41780 Public network access on Azure SQL Database should be disabled SQL
Deny-PublicEndpoint-Storage Public network access onStorage accounts should be disabled Storage 34c877ad-507e-4c82-993e-3452a6e0ad3c Storage accounts should restrict network access Storage
Deploy-Diagnostics-AKS Deploy Diagnostic Settings for Kubernetes Service to Log Analytics workspace Monitoring 6c66c325-74c8-42fd-a286-a74b0e2939d Deploy - Configure diagnostic settings for Azure Kubernetes Service to Log Analytics workspace Kubernetes
Deploy-Diagnostics-Batch Deploy Diagnostic Settings for Batch to Log Analytics workspace Monitoring c84e5349-db6d-4769-805e-e14037dab9b5 Deploy Diagnostic Settings for Batch Account to Log Analytics workspace Monitoring
Deploy-Diagnostics-DataLakeStore Deploy Diagnostic Settings for Azure Data Lake Store to Log Analytics workspace Monitoring d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03 Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace Monitoring
Deploy-Diagnostics-EventHub Deploy Diagnostic Settings for Event Hubs to Log Analytics workspace Monitoring 1f6e93e8-6b31-41b1-83f6-36e449a42579 Deploy Diagnostic Settings for Event Hub to Log Analytics workspace Monitoring
Deploy-Diagnostics-KeyVault Deploy Diagnostic Settings for Key Vault to Log Analytics workspace Monitoring bef3f64c-5290-43b7-85b0-9b254eef4c47 Deploy Diagnostic Settings for Key Vault to Log Analytics workspace Monitoring
Deploy-Diagnostics-LogicAppsWF Deploy Diagnostic Settings for Logic Apps Workflow runtime to Log Analytics workspace Monitoring b889a06c-ec72-4b03-910a-cb169ee18721 Deploy Diagnostic Settings for Logic Apps to Log Analytics workspace Monitoring This is currently not assigned as per #691
Deploy-Diagnostics-RecoveryVault Deploy Diagnostic Settings for Recovery Services vaults to Log Analytics workspace Monitoring c717fb0c-d118-4c43-ab3d-ece30ac81fb3 Deploy Diagnostic Settings for Recovery Services Vault to Log Analytics workspace for resource specific categories Backup
Deploy-Diagnostics-SearchServices Deploy Diagnostic Settings for Search Services to Log Analytics workspace Monitoring 08ba64b8-738f-4918-9686-730d2ed79c7d Deploy Diagnostic Settings for Search Services to Log Analytics workspace Monitoring
Deploy-Diagnostics-ServiceBus Deploy Diagnostic Settings for Service Bus namespaces to Log Analytics workspace Monitoring 04d53d87-841c-4f23-8a5b-21564380b55e Deploy Diagnostic Settings for Service Bus to Log Analytics workspace Monitoring
Deploy-Diagnostics-SQLDBs Deploy Diagnostic Settings for SQL Databases to Log Analytics workspace Monitoring b79fa14e-238a-4c2d-b376-442ce508fc84 Deploy - Configure diagnostic settings for SQL Databases to Log Analytics workspace SQL
Deploy-Diagnostics-StreamAnalytics Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace Monitoring 237e0f7e-b0e8-4ec4-ad46-8c12cb66d673 Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace Monitoring
Deploy-DNSZoneGroup-For-Blob-PrivateEndpoint Deploy DNS Zone Group for Storage-Blob Private Endpoint Network TBC TBC TBC This policy is still rolling out to the Built-In Definitions at this time. We'll be here very soon!
Deploy-DNSZoneGroup-For-File-PrivateEndpoint Deploy DNS Zone Group for Storage-File Private Endpoint Network TBC TBC TBC This policy is still rolling out to the Built-In Definitions at this time. We'll be here very soon!
Deploy-DNSZoneGroup-For-KeyVault-PrivateEndpoint Deploy DNS Zone Group for Key Vault Private Endpoint Network ac673a9a-f77d-4846-b2d8-a57f8e1c01d4 [Preview]: Configure Azure Key Vaults to use private DNS zones Key Vault
Deploy-DNSZoneGroup-For-Queue-PrivateEndpoint Deploy DNS Zone Group for Storage-Queue Private Endpoint Network TBC TBC TBC This policy is still rolling out to the Built-In Definitions at this time. We'll be here very soon!
Deploy-DNSZoneGroup-For-Sql-PrivateEndpoint Deploy DNS Zone Group for SQL Private Endpoint Network TBC TBC TBC This policy is still rolling out to the Built-In Definitions at this time. We'll be here very soon!
Deploy-DNSZoneGroup-For-Table-PrivateEndpoint Deploy DNS Zone Group for Storage-Table Private Endpoint Network TBC TBC TBC This policy is still rolling out to the Built-In Definitions at this time. We'll be here very soon!
Deploy-LA-Config Deploy the configurations to the Log Analytics in the subscription Monitoring Policy Removed Policy Removed TBC This policy has been removed as it is handled as a resource deployment in the ARM templates, portal experience and Terraform module.
Deploy-Log-Analytics Deploy the Log Analytics in the subscription Monitoring 8e3e61b3-0b32-22d5-4edf-55f87fdb5955 Configure Log Analytics workspace and automation account to centralize logs and monitoring Monitoring

Policy Initiatives Updates

Custom ESLZ Policy Name Custom ESLZ Policy Display Name Custom Category New Policy Name/ID New Policy Display Name New Category Notes
Deploy-Diag-LogAnalytics Deploy Diagnostic Settings to Azure Services N/A Deploy-Diagnostics-LogAnalytics Deploy Diagnostic Settings to Azure Services Monitoring Moved to using a mix of Built-In (as above) and custom policy definitions
Deny-PublicEndpoints Public network access should be disabled for PAAS services Network Deny-PublicPaaSEndpoints Public network access should be disabled for PaaS services N/A Moved to using Built-In policy definitions only (as above)
New Policy New Policy N/A Deploy-Private-DNS-Zones Configure Azure PaaS services to use private DNS zones Network
  • Moved several of the diagnostics Policies to built-in, and updating the diagnostics Initiative
    • This means there's a new resource name as update of existing one is not be allowed due to removal of parameters
  • Added Policy Initiative for enforcing Private DNS Zone Association with Private Link (using built-in)
  • Added Policy Initiative for denying Public Endpoints (using built-in)
  • Updated description and display name for all Policy Assignments

Other

No updates, yet.

June 2021

Docs

Tooling

Policy

  • Updated Deny-Subnet-Without-UDR policy, to v1.1.0, to allow exclusion of subnets like the AzureBastionSubnet - closing issue #604
  • Updated Deny-Subnet-Without-Nsg policy, to v1.1.0, to allow exclusion of subnets like the GatewaySubnet, AzureFirewallSubnet and AzureFirewallManagementSubnet - closing issue #456
  • Updated Deny-VNet-Peering and Deny-VNET-Peer-Cross-Sub policies mode to All from Indexed. - closing issue #583

Other

  • Contoso Reference Implementation Update - Virtual WAN Hub default CIDR changed from /16 to /23 - closing issue #440

This wiki is being actively developed

If you discover any documentation bugs or would like to request new content, please raise them as an issue.

Contributions to this wiki are done through the main repo under docs/wiki.