diff --git a/azresources/compute/web/appservice-linux-container.bicep b/azresources/compute/web/appservice-linux-container.bicep index c35ddda1..ed97cdcb 100644 --- a/azresources/compute/web/appservice-linux-container.bicep +++ b/azresources/compute/web/appservice-linux-container.bicep @@ -28,6 +28,16 @@ param aiIKey string @description('Virtual Network Integration Subnet Resource Id.') param vnetIntegrationSubnetId string +@description('Whether to deploy private endpoint for inbound traffic') +param enablePrivateEndpoint bool + +@description('Private DNS Zone Resource Id.') +param privateZoneId string + +@description('Private endpoint subnet ID') +param privateEndpointSubnetId string + + // Linux Web App with Virtual Network Integration resource app 'Microsoft.Web/sites@2021-02-01' = { name: name @@ -74,3 +84,39 @@ resource app 'Microsoft.Web/sites@2021-02-01' = { } } } + + +resource appservice_linuxcontainer_pe 'Microsoft.Network/privateEndpoints@2020-06-01' = if (enablePrivateEndpoint) { + location: resourceGroup().location + name: '${app.name}-endpoint' + properties: { + subnet: { + id: privateEndpointSubnetId + } + privateLinkServiceConnections: [ + { + name: '${app.name}-endpoint' + properties: { + privateLinkServiceId: app.id + groupIds: [ + 'sites' + ] + } + } + ] + } + + resource appservice_pe_dns_reg 'privateDnsZoneGroups@2020-06-01' = { + name: 'default' + properties: { + privateDnsZoneConfigs: [ + { + name: 'privatelink_azure_websites_net' + properties: { + privateDnsZoneId: privateZoneId + } + } + ] + } + } +} diff --git a/config/subscriptions/CanadaESLZ-main/pubsec/LandingZones/DevTest/8c6e48a4-4c73-4a1f-9f95-9447804f2c98_machinelearning_canadacentral.json b/config/subscriptions/CanadaESLZ-main/pubsec/LandingZones/DevTest/8c6e48a4-4c73-4a1f-9f95-9447804f2c98_machinelearning_canadacentral.json index 620c5bbc..357a4057 100644 
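Review bot: The three new parameters `enablePrivateEndpoint`, `privateZoneId` and `privateEndpointSubnetId` have no defaults, so every consumer of this module must now pass all three even when the endpoint is disabled; lz.bicep and the deployment tests are updated in this commit, but any caller outside the repository breaks. Opt-in defaults keep the module backward compatible and make the conservative choice explicit: `param enablePrivateEndpoint bool = false`, `param privateZoneId string = ''`, `param privateEndpointSubnetId string = ''`. The descriptions also mix styles ('Private DNS Zone Resource Id.' versus 'Private endpoint subnet ID'); `@description('Private Endpoint Subnet Resource Id.')` would match the existing `vnetIntegrationSubnetId` wording two lines above.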
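Review bot: The new `appservice_linuxcontainer_pe` resource carries no `tags`, although the module already receives a `tags` parameter (lz.bicep passes `tags: resourceTags` to it), so tag-based governance will treat the endpoint differently from the site it fronts; add `tags: tags` next to `location`. Nothing in this resource restricts public inbound access on the site itself, so whether public traffic is actually blocked once the endpoint exists rests on platform behaviour rather than on anything stated in the template; a comment such as `// Inbound private endpoint for the site; this template does not itself restrict public access to the site` keeps that visible, given the docs table in this commit says public access "can be disabled". `location: resourceGroup().location` is also only correct when the resource group and `privateEndpointSubnetId` are in the same region; a short comment, or reusing the site's location if the site resource takes one (its body is outside the hunk), would make that assumption explicit.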
--- a/config/subscriptions/CanadaESLZ-main/pubsec/LandingZones/DevTest/8c6e48a4-4c73-4a1f-9f95-9447804f2c98_machinelearning_canadacentral.json +++ b/config/subscriptions/CanadaESLZ-main/pubsec/LandingZones/DevTest/8c6e48a4-4c73-4a1f-9f95-9447804f2c98_machinelearning_canadacentral.json @@ -96,7 +96,8 @@ "value": { "enabled": true, "skuName": "P1V2", - "skuTier": "Premium" + "skuTier": "Premium", + "enablePrivateEndpoint": true } }, "sqldb": { diff --git a/config/subscriptions/CanadaESLZ-main/pubsec/LandingZones/DevTest/ec6c5689-db04-4f1e-b76d-834a51dd0e27_machinelearning_canadacentral.json b/config/subscriptions/CanadaESLZ-main/pubsec/LandingZones/DevTest/ec6c5689-db04-4f1e-b76d-834a51dd0e27_machinelearning_canadacentral.json index 880412c6..54c19d5b 100644 --- a/config/subscriptions/CanadaESLZ-main/pubsec/LandingZones/DevTest/ec6c5689-db04-4f1e-b76d-834a51dd0e27_machinelearning_canadacentral.json +++ b/config/subscriptions/CanadaESLZ-main/pubsec/LandingZones/DevTest/ec6c5689-db04-4f1e-b76d-834a51dd0e27_machinelearning_canadacentral.json @@ -103,7 +103,8 @@ "value": { "enabled": true, "skuName": "P1V2", - "skuTier": "Premium" + "skuTier": "Premium", + "enablePrivateEndpoint": true } }, "sqldb": { diff --git a/config/subscriptions/CanadaESLZ-main/pubsec/LandingZones/DevTest/f08c3057-1713-4a6f-b7e6-0df355b60c30_machinelearning_canadacentral.json b/config/subscriptions/CanadaESLZ-main/pubsec/LandingZones/DevTest/f08c3057-1713-4a6f-b7e6-0df355b60c30_machinelearning_canadacentral.json index 4df79300..428de61d 100644 --- a/config/subscriptions/CanadaESLZ-main/pubsec/LandingZones/DevTest/f08c3057-1713-4a6f-b7e6-0df355b60c30_machinelearning_canadacentral.json +++ b/config/subscriptions/CanadaESLZ-main/pubsec/LandingZones/DevTest/f08c3057-1713-4a6f-b7e6-0df355b60c30_machinelearning_canadacentral.json @@ -103,7 +103,8 @@ "value": { "enabled": true, "skuName": "P1V2", - "skuTier": "Premium" + "skuTier": "Premium", + "enablePrivateEndpoint": true } }, "sqldb": { 
diff --git a/config/subscriptions/CanadaESLZ-main/pubsec/LandingZones/DevTest/f459218a-e8bb-49c9-b768-ee6828a144aa_machinelearning_canadacentral.json b/config/subscriptions/CanadaESLZ-main/pubsec/LandingZones/DevTest/f459218a-e8bb-49c9-b768-ee6828a144aa_machinelearning_canadacentral.json index edd81006..9e3df610 100644 --- a/config/subscriptions/CanadaESLZ-main/pubsec/LandingZones/DevTest/f459218a-e8bb-49c9-b768-ee6828a144aa_machinelearning_canadacentral.json +++ b/config/subscriptions/CanadaESLZ-main/pubsec/LandingZones/DevTest/f459218a-e8bb-49c9-b768-ee6828a144aa_machinelearning_canadacentral.json @@ -103,7 +103,8 @@ "value": { "enabled": true, "skuName": "P1V2", - "skuTier": "Premium" + "skuTier": "Premium", + "enablePrivateEndpoint": true } }, "sqldb": { diff --git a/docs/archetypes/machinelearning.md b/docs/archetypes/machinelearning.md index 70eb92db..8288ccc1 100644 --- a/docs/archetypes/machinelearning.md +++ b/docs/archetypes/machinelearning.md @@ -89,8 +89,6 @@ Subscription can be moved to a target Management Group through Azure ARM Templat | Monitoring | Application Insights - Application performance and monitoring cloud service | - | [Azure Docs](https://docs.microsoft.com/azure/azure-monitor/app/app-insights-overview) -> For App Service, for using the SKU tier `Premium` to support private endpoints, it may require a quota increase. - The intended cloud service workflows and data movements for this archetype include: 1. Data can be ingested from various sources using Data Factory, which uses managed virtual network for its Azure hosted integration runtime. 
@@ -131,10 +129,12 @@ Once the machine learning archetype is deployed and available to use, access con | Azure Storage Account for Azure ML | Network ACL deny | Private endpoint on `blob`, `file` + DNS registration to either hub or spoke | `privateEndpoints`| | Azure Data Factory | Public network access disabled, Azure integration runtime with managed virtual network | Private endpoint on `dataFactory` + DNS registration to either hub or spoke | `privateEndpoints`| | Azure Kubernetes Service | Private cluster, network profile set with either kubenet or Azure CNI | N/A | `aks`| -| Azure App Service | Virtual Network integration | N/A | `appService` | +| Azure App Service | Virtual Network integration. Public network access can be disabled, using private endpoint instead | Private endpoint on `azureWebsites` + DNS registration to either hub or spoke | `appService`, `privateEndpoints` | | Azure Container Registry | Network ACL deny, public network access disabled | Private endpoint on `registry` + DNS registration to either hub or spoke | `privateEndpoints`|f | Azure Application Insights | N/A | N/A | N/A | +> For App Service, private endpoint requires the SKU tier `Premium`: https://docs.microsoft.com/azure/app-service/networking/private-endpoint so this may require a quota increase. + This archetype also has the following security features as options for deployment: * Customer managed keys for encryption at rest, including Azure ML, storage, Container Registry, Data Factory, SQL Database / Managed Instance, and Kubernetes Service. 
@@ -272,7 +272,7 @@ Reference implementation uses parameter files with `object` parameters to consol | Deployment with AKS using Network Plugin: Azure CNI + Network Policy: Calico | [tests/schemas/lz-machinelearning/AKS-AzureCNI-Calico.json](../../tests/schemas/lz-machinelearning/AKS-AzureCNI-Calico.json) | `parameters.aks.value.networkPlugin` equals ***azure***, `parameters.aks.value.networkPlugin` equals ***calico***, `parameters.aks.value.podCidr` is ***empty***, `parameters.aks.value.serviceCidr` is filled, `parameters.aks.value.dnsServiceIP` is filled and `parameters.aks.value.dockerBridgeCidr` is filled | | Deployment with AKS using Network Plugin: Azure CNI + Network Policy: Azure | [tests/schemas/lz-machinelearning/AKS-AzureCNI-AzureNP.json](../../tests/schemas/lz-machinelearning/AKS-AzureCNI-AzureNP.json) | `parameters.aks.value.networkPlugin` equals ***azure***, `parameters.aks.value.networkPlugin` equals ***azure***, `parameters.aks.value.podCidr` is ***empty***, `parameters.aks.value.serviceCidr` is filled, `parameters.aks.value.dnsServiceIP` is filled and `parameters.aks.value.dockerBridgeCidr` is filled | | Deployment without Azure App Service for Linux Containers | [tests/schemas/lz-machinelearning/AppServiceLinuxContainerIsFalse.json](../../tests/schemas/lz-machinelearning/AppServiceLinuxContainerIsFalse.json) | `parameters.appServiceLinuxContainer.value.enabled` is false. | - +| Deployment with Azure App Service for Linux Containers without Private Endpoint| [tests/schemas/lz-machinelearning/AppServiceLinuxContainerPrivateEndpointIsFalse.json](../../tests/schemas/lz-machinelearning/AppServiceLinuxContainerPrivateEndpointIsFalse.json) | `parameters.appServiceLinuxContainer.value.enabled` is true, `parameters.appServiceLinuxContainer.value.sku{Name,Tier}` are filled, and `parameters.appServiceLinuxContainer.value.enablePrivateEndpoint` is false. | ### Example Deployment Parameters This example configures: 
@@ -418,7 +418,8 @@ This example configures: "value": { "enabled": true, "skuName": "P1V2", - "skuTier": "Premium" + "skuTier": "Premium", + "enablePrivateEndpoint": true } }, "aml": { diff --git a/docs/media/architecture/archetype-machinelearning-networking.jpg b/docs/media/architecture/archetype-machinelearning-networking.jpg index 23f9e6bd..9c79f889 100644 Binary files a/docs/media/architecture/archetype-machinelearning-networking.jpg and b/docs/media/architecture/archetype-machinelearning-networking.jpg differ diff --git a/landingzones/lz-machinelearning/lz.bicep b/landingzones/lz-machinelearning/lz.bicep index 5a5729cf..53b2536b 100644 --- a/landingzones/lz-machinelearning/lz.bicep +++ b/landingzones/lz-machinelearning/lz.bicep @@ -414,7 +414,10 @@ module appServiceLC '../../azresources/compute/web/appservice-linux-container.bi storageId: dataLakeMetaData.outputs.storageId vnetIntegrationSubnetId: networking.outputs.appServiceSubnetId - + enablePrivateEndpoint: appServiceLinuxContainer.enablePrivateEndpoint + privateEndpointSubnetId: networking.outputs.privateEndpointSubnetId + privateZoneId: networking.outputs.asPrivateDnsZoneId + tags: resourceTags } } diff --git a/landingzones/lz-machinelearning/networking.bicep b/landingzones/lz-machinelearning/networking.bicep index b2cff326..30586de0 100644 --- a/landingzones/lz-machinelearning/networking.bicep +++ b/landingzones/lz-machinelearning/networking.bicep 
@@ -584,6 +584,21 @@ module privatezone_acr '../../azresources/network/private-dns-zone.bicep' = { } } +module privatezone_as '../../azresources/network/private-dns-zone.bicep' = { + name: 'deploy-privatezone-as' + scope: resourceGroup() + params: { + zone: 'privatelink.azurewebsites.net' + vnetId: vnet.id + + dnsCreateNewZone: !hubNetwork.privateDnsManagedByHub + dnsLinkToVirtualNetwork: !hubNetwork.privateDnsManagedByHub || (hubNetwork.privateDnsManagedByHub && !usingCustomDNSServers) + dnsExistingZoneSubscriptionId: hubNetwork.privateDnsManagedByHubSubscriptionId + dnsExistingZoneResourceGroupName: hubNetwork.privateDnsManagedByHubResourceGroupName + registrationEnabled: false + } +} + module privatezone_datalake_blob '../../azresources/network/private-dns-zone.bicep' = { name: 'deploy-privatezone-blob' scope: resourceGroup() @@ -698,5 +713,6 @@ output sqlDBPrivateDnsZoneId string = privatezone_sqldb.outputs.privateDnsZoneId output amlApiPrivateDnsZoneId string = privatezone_azureml_api.outputs.privateDnsZoneId output amlNotebooksPrivateDnsZoneId string = privatezone_azureml_notebook.outputs.privateDnsZoneId output aksPrivateDnsZoneId string = privatezone_aks.outputs.privateDnsZoneId +output asPrivateDnsZoneId string = privatezone_as.outputs.privateDnsZoneId output aksUdrNAme string = udrAKS.name diff --git a/schemas/latest/landingzones/types/appServiceLinuxContainer.json b/schemas/latest/landingzones/types/appServiceLinuxContainer.json index f17a20e1..f4316c33 100644 --- a/schemas/latest/landingzones/types/appServiceLinuxContainer.json +++ b/schemas/latest/landingzones/types/appServiceLinuxContainer.json @@ -22,12 +22,20 @@ }, "skuTier": { "type": "string" + }, + "enablePrivateEndpoint": { + "type": "boolean", + "enum": [ + true, + false + ] } }, "required": [ "enabled", "skuName", - "skuTier" + "skuTier", + "enablePrivateEndpoint" ] }, { diff --git a/schemas/latest/readme.md b/schemas/latest/readme.md index 3ee25e7f..6155dd72 100644 
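Review bot: `privatezone_as` is deployed and linked to the spoke virtual network unconditionally, while its only consumer visible in this commit is the App Service private endpoint gated by `enablePrivateEndpoint`; that appears to mirror the neighbouring zone modules, but it deserves a comment, since the `privatelink.azurewebsites.net` zone and VNet link exist even in landing zones that never create the endpoint. A header comment would do: `// Private DNS zone for App Service private endpoints; always deployed so lz.bicep can pass asPrivateDnsZoneId whether or not enablePrivateEndpoint is set`. The link condition `!hubNetwork.privateDnsManagedByHub || (hubNetwork.privateDnsManagedByHub && !usingCustomDNSServers)` reduces to `!hubNetwork.privateDnsManagedByHub || !usingCustomDNSServers`; keep the long form only if the sibling modules use it, for consistency.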
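Review bot: In the new `enablePrivateEndpoint` property the `"enum": [true, false]` is redundant with `"type": "boolean"`, which already admits only those two values; `"enablePrivateEndpoint": { "type": "boolean" }` is enough and reads like the other properties in the object. Adding the key to `required` is consistent with lz.bicep reading `appServiceLinuxContainer.enablePrivateEndpoint` directly, but it means any existing parameter file not updated by this commit fails validation until the key is added; if that is unintended, leave it optional and default the read in lz.bicep instead. The enclosing schema object starts and ends outside the hunk.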
--- a/schemas/latest/readme.md +++ b/schemas/latest/readme.md @@ -2,6 +2,18 @@ ## Landing Zone Schemas +### January 16, 2021 +Changed `appServiceLinuxContainer` schema object to support optional inbound private endpoint. + +**Example** +```json +"appServiceLinuxContainer": { + "value": { + "enablePrivateEndpoint": true + } +} +``` + ### December 30, 2021 Changed `aks` schema object to support optional deployment of AKS using the `enabled` key as a required field. diff --git a/tests/landingzones/lz-machinelearning/deployment-tests/app-service-vnet.bicep b/tests/landingzones/lz-machinelearning/deployment-tests/app-service-vnet.bicep index 7849a485..f2cd96b2 100644 --- a/tests/landingzones/lz-machinelearning/deployment-tests/app-service-vnet.bicep +++ b/tests/landingzones/lz-machinelearning/deployment-tests/app-service-vnet.bicep @@ -97,7 +97,24 @@ module privatezone_datalake_file '../../../../azresources/network/private-dns-zo } } +module privatezone_as '../../../../azresources/network/private-dns-zone.bicep' = { + name: 'deploy-privatezone-as' + scope: resourceGroup() + params: { + zone: 'privatelink.azurewebsites.net' + vnetId: vnet.id + + dnsCreateNewZone: true + dnsLinkToVirtualNetwork: true + dnsExistingZoneSubscriptionId: '' + dnsExistingZoneResourceGroupName: '' + registrationEnabled: false + } +} + + output privateEndpointSubnetId string = '${vnet.id}/subnets/pe' output appServiceSubnetId string = '${vnet.id}/subnets/appService' output dataLakeBlobPrivateDnsZoneId string = privatezone_datalake_blob.outputs.privateDnsZoneId output dataLakeFilePrivateDnsZoneId string = privatezone_datalake_file.outputs.privateDnsZoneId +output asPrivateDnsZoneId string = privatezone_as.outputs.privateDnsZoneId diff --git a/tests/landingzones/lz-machinelearning/deployment-tests/app-service.bicep b/tests/landingzones/lz-machinelearning/deployment-tests/app-service.bicep index 058bd1f7..54157745 100644 --- a/tests/landingzones/lz-machinelearning/deployment-tests/app-service.bicep 
+++ b/tests/landingzones/lz-machinelearning/deployment-tests/app-service.bicep @@ -10,7 +10,7 @@ targetScope = 'subscription' resource rgCompute 'Microsoft.Resources/resourceGroups@2020-06-01' existing = { - name: 'testasp234' + name: 'testpeenablednot' } module appInsights '../../../../azresources/monitor/ai-web.bicep' = { @@ -68,6 +68,9 @@ module appService '../../../../azresources/compute/web/appservice-linux-containe storageId: dataLakeMetaData.outputs.storageId vnetIntegrationSubnetId: networking.outputs.appServiceSubnetId + enablePrivateEndpoint: false + privateEndpointSubnetId: networking.outputs.privateEndpointSubnetId + privateZoneId: networking.outputs.asPrivateDnsZoneId } } diff --git a/tests/landingzones/lz-machinelearning/deployment-tests/test-runner.bicep b/tests/landingzones/lz-machinelearning/deployment-tests/test-runner.bicep index 1a63aa33..0ce00f4c 100644 --- a/tests/landingzones/lz-machinelearning/deployment-tests/test-runner.bicep +++ b/tests/landingzones/lz-machinelearning/deployment-tests/test-runner.bicep @@ -108,6 +108,7 @@ module test '../../../../landingzones/lz-machinelearning/main.bicep' = { enabled: true skuName: 'P1V2' skuTier: 'Premium' + enablePrivateEndpoint: true } hubNetwork: { diff --git a/tests/landingzones/lz-machinelearning/e2e-flow-tests/deploy-to-app-service.sh b/tests/landingzones/lz-machinelearning/e2e-flow-tests/deploy-to-app-service.sh index 57e65bd5..682e195a 100644 --- a/tests/landingzones/lz-machinelearning/e2e-flow-tests/deploy-to-app-service.sh +++ b/tests/landingzones/lz-machinelearning/e2e-flow-tests/deploy-to-app-service.sh 
@@ -17,3 +17,5 @@ az webapp config appsettings set --resource-group --name --name --linux-fx-version 'DOCKER|.azurecr.io/test_image:' az resource update --resource-group --name /config/web --set properties.acrUseManagedIdentityCreds=true --resource-type 'Microsoft.Web/sites/config' +# can redeploy app service if anything issues come up +az webapp create --resource-group --plan --name --deployment-container-image-name 'DOCKER|' \ No newline at end of file diff --git a/tests/schemas/lz-machinelearning/AKS-AzureCNI-AzureNP.json b/tests/schemas/lz-machinelearning/AKS-AzureCNI-AzureNP.json index 6f9044de..f1ee5e3e 100644 --- a/tests/schemas/lz-machinelearning/AKS-AzureCNI-AzureNP.json +++ b/tests/schemas/lz-machinelearning/AKS-AzureCNI-AzureNP.json @@ -131,7 +131,8 @@ "value": { "enabled": true, "skuName": "P1V2", - "skuTier": "Premium" + "skuTier": "Premium", + "enablePrivateEndpoint": true } }, "sqldb": { diff --git a/tests/schemas/lz-machinelearning/AKS-AzureCNI-Calico.json b/tests/schemas/lz-machinelearning/AKS-AzureCNI-Calico.json index c559b83c..dec62141 100644 --- a/tests/schemas/lz-machinelearning/AKS-AzureCNI-Calico.json +++ b/tests/schemas/lz-machinelearning/AKS-AzureCNI-Calico.json @@ -131,7 +131,8 @@ "value": { "enabled": true, "skuName": "P1V2", - "skuTier": "Premium" + "skuTier": "Premium", + "enablePrivateEndpoint": true } }, "sqldb": { diff --git a/tests/schemas/lz-machinelearning/AKS-Kubenet-Calico.json b/tests/schemas/lz-machinelearning/AKS-Kubenet-Calico.json index c61a0799..81f05b7d 100644 --- a/tests/schemas/lz-machinelearning/AKS-Kubenet-Calico.json +++ b/tests/schemas/lz-machinelearning/AKS-Kubenet-Calico.json @@ -131,7 +131,8 @@ "value": { "enabled": true, "skuName": "P1V2", - "skuTier": "Premium" + "skuTier": "Premium", + "enablePrivateEndpoint": true } }, "sqldb": { diff --git a/tests/schemas/lz-machinelearning/AKSIsFalse.json b/tests/schemas/lz-machinelearning/AKSIsFalse.json index 10dd5f2d..42015a95 100644 
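Review bot: The added comment reads `# can redeploy app service if anything issues come up`; `# re-run to redeploy the app service if any issues come up` says the same thing grammatically. The new `az webapp create` line leaves the file without a trailing newline (`\ No newline at end of file`), which some shells and linters complain about when further commands are appended; terminate it. The `--resource-group`, `--plan` and `--name` options also appear without values in this rendering, presumably placeholder tokens lost in extraction, but if the committed line really carries none the command fails as written.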
--- a/tests/schemas/lz-machinelearning/AKSIsFalse.json +++ b/tests/schemas/lz-machinelearning/AKSIsFalse.json @@ -124,7 +124,8 @@ "value": { "enabled": true, "skuName": "P1V2", - "skuTier": "Premium" + "skuTier": "Premium", + "enablePrivateEndpoint": true } }, "sqldb": { diff --git a/tests/schemas/lz-machinelearning/AppServiceLinuxContainerPrivateEndpointIsFalse.json b/tests/schemas/lz-machinelearning/AppServiceLinuxContainerPrivateEndpointIsFalse.json new file mode 100644 index 00000000..3b3f069d --- /dev/null +++ b/tests/schemas/lz-machinelearning/AppServiceLinuxContainerPrivateEndpointIsFalse.json 
@@ -0,0 +1,236 @@ + +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "serviceHealthAlerts": { + "value": { + "resourceGroupName": "pubsec-service-health", + "incidentTypes": [ + "Incident", + "Security" + ], + "regions": [ + "Global", + "Canada East", + "Canada Central" + ], + "receivers": { + "app": [ + "alzcanadapubsec@microsoft.com" + ], + "email": [ + "alzcanadapubsec@microsoft.com" + ], + "sms": [ + { + "countryCode": "1", + "phoneNumber": "5555555555" + } + ], + "voice": [ + { + "countryCode": "1", + "phoneNumber": "5555555555" + } + ] + }, + "actionGroupName": "Sub3 ALZ action group", + "actionGroupShortName": "sub3-alert", + "alertRuleName": "Sub3 ALZ alert rule", + "alertRuleDescription": "Alert rule for Azure Landing Zone" + } + }, + "securityCenter": { + "value": { + "email": "alzcanadapubsec@microsoft.com", + "phone": "5555555555" + } + }, + "subscriptionRoleAssignments": { + "value": [ + { + "comments": "Built-in Role: Contributor", + "roleDefinitionId": "b24988ac-6180-42a0-ab88-20f7382dd24c", + "securityGroupObjectIds": [ + "38f33f7e-a471-4630-8ce9-c6653495a2ee" + ] + }, + { + "comments": "Custom Role: Landing Zone Application Owner", + "roleDefinitionId": "b4c87314-c1a1-5320-9c43-779585186bcc", + "securityGroupObjectIds": [ + "38f33f7e-a471-4630-8ce9-c6653495a2ee" + ] + } + ] + }, + "subscriptionBudget": { + "value": { + "createBudget": true, + "name": "MonthlySubscriptionBudget", + "amount": 1000, + "timeGrain": "Monthly", + "contactEmails": [ + "alzcanadapubsec@microsoft.com" + ] + } + }, + "subscriptionTags": { + "value": { + "ISSO": "isso-tag" + } + }, + "resourceTags": { + "value": { + "ClientOrganization": "client-organization-tag", + "CostCenter": "cost-center-tag", + "DataSensitivity": "data-sensitivity-tag", + "ProjectContact": "project-contact-tag", + "ProjectName": "project-name-tag", + "TechnicalContact": "technical-contact-tag" + } + }, 
+ "resourceGroups": { + "value": { + "automation": "azmlcmk102021W1Automation", + "compute": "azmlcmk102021W1Compute", + "monitor": "azmlcmk102021W1Monitor", + "networking": "azmlcmk102021W1Network", + "networkWatcher": "NetworkWatcherRG", + "security": "azmlcmk102021W1Security", + "storage": "azmlcmk102021W1Storage" + } + }, + "useCMK": { + "value": true + }, + "automation": { + "value": { + "name": "azmlcmk102021W1automation" + } + }, + "keyVault": { + "value": { + "secretExpiryInDays": 3650 + } + }, + "aks": { + "value": { + "version": "1.21.2", + "enabled": true, + "networkPlugin": "azure" , + "networkPolicy": "azure", + "podCidr": "", + "serviceCidr": "20.0.0.0/16" , + "dnsServiceIP": "20.0.0.10", + "dockerBridgeCidr": "30.0.0.1/16" + } + }, + "appServiceLinuxContainer": { + "value": { + "enabled": true, + "skuName": "P1V2", + "skuTier": "Premium", + "enablePrivateEndpoint": false + } + }, + "sqldb": { + "value": { + "enabled": true, + "sqlAuthenticationUsername": "azadmin", + "aadAuthenticationOnly": false, + "aadLoginName": "DBA Group", + "aadLoginObjectID": "4e4ea47c-ee21-4add-ad2f-a75d0d8014e0", + "aadLoginType": "Group" + } + }, + "sqlmi": { + "value": { + "enabled": true, + "username": "azadmin" + } + }, + "aml": { + "value": { + "enableHbiWorkspace": false + } + }, + "hubNetwork": { + "value": { + "virtualNetworkId": "/subscriptions/ed7f4eed-9010-4227-b115-2a5e37728f27/resourceGroups/pubsec-hub-networking-rg/providers/Microsoft.Network/virtualNetworks/hub-vnet", + "rfc1918IPRange": "10.18.0.0/22", + "rfc6598IPRange": "100.60.0.0/16", + "egressVirtualApplianceIp": "10.18.1.4", + "privateDnsManagedByHub": true, + "privateDnsManagedByHubSubscriptionId": "ed7f4eed-9010-4227-b115-2a5e37728f27", + "privateDnsManagedByHubResourceGroupName": "pubsec-dns-rg" + } + }, + "network": { + "value": { + "peerToHubVirtualNetwork": true, + "useRemoteGateway": false, + "name": "azmlcmk102021W1vnet", + "dnsServers": [ + "10.18.1.4" + ], + "addressPrefixes": [ + 
"10.1.0.0/16" + ], + "subnets": { + "oz": { + "comments": "Foundational Elements Zone (OZ)", + "name": "oz", + "addressPrefix": "10.1.1.0/25" + }, + "paz": { + "comments": "Presentation Zone (PAZ)", + "name": "paz", + "addressPrefix": "10.1.2.0/25" + }, + "rz": { + "comments": "Application Zone (RZ)", + "name": "rz", + "addressPrefix": "10.1.3.0/25" + }, + "hrz": { + "comments": "Data Zone (HRZ)", + "name": "hrz", + "addressPrefix": "10.1.4.0/25" + }, + "sqlmi": { + "comments": "SQL Managed Instances Delegated Subnet", + "name": "sqlmi", + "addressPrefix": "10.1.5.0/25" + }, + "databricksPublic": { + "comments": "Databricks Public Delegated Subnet", + "name": "databrickspublic", + "addressPrefix": "10.1.6.0/25" + }, + "databricksPrivate": { + "comments": "Databricks Private Delegated Subnet", + "name": "databricksprivate", + "addressPrefix": "10.1.7.0/25" + }, + "privateEndpoints": { + "comments": "Private Endpoints Subnet", + "name": "privateendpoints", + "addressPrefix": "10.1.8.0/25" + }, + "aks": { + "comments": "AKS Subnet", + "name": "aks", + "addressPrefix": "10.1.9.0/25" + }, + "appService": { + "comments": "App Service Subnet", + "name": "appService", + "addressPrefix": "10.1.10.0/25" + } + } + } + } + } + } \ No newline at end of file diff --git a/tests/schemas/lz-machinelearning/BudgetIsFalse.json b/tests/schemas/lz-machinelearning/BudgetIsFalse.json index 5b13b61b..57932000 100644 --- a/tests/schemas/lz-machinelearning/BudgetIsFalse.json +++ b/tests/schemas/lz-machinelearning/BudgetIsFalse.json @@ -124,7 +124,8 @@ "value": { "enabled": true, "skuName": "P1V2", - "skuTier": "Premium" + "skuTier": "Premium", + "enablePrivateEndpoint": true } }, "sqldb": { diff --git a/tests/schemas/lz-machinelearning/BudgetIsTrue.json b/tests/schemas/lz-machinelearning/BudgetIsTrue.json index b9ae93fe..3c149380 100644 --- a/tests/schemas/lz-machinelearning/BudgetIsTrue.json +++ b/tests/schemas/lz-machinelearning/BudgetIsTrue.json 
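Review bot: The new fixture starts with an empty line before the opening `{` and ends without a trailing newline (`\ No newline at end of file`); both are harmless to JSON parsing but make the file look hand-pasted, and dropping the blank first line and adding the final newline costs nothing. The values `"networkPlugin": "azure" ,` and `"serviceCidr": "20.0.0.0/16" ,` carry stray spaces before the comma. The resource names (`azmlcmk102021W1...`) and `"useCMK": true` look copied from a CMK fixture rather than chosen for this scenario; only `"enablePrivateEndpoint": false` distinguishes the file, which is fine for a schema test but worth saying in the docs table entry that references it.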
@@ -130,7 +130,8 @@ "value": { "enabled": true, "skuName": "P1V2", - "skuTier": "Premium" + "skuTier": "Premium", + "enablePrivateEndpoint": true } }, "sqldb": { diff --git a/tests/schemas/lz-machinelearning/EmptyResourceTags.json b/tests/schemas/lz-machinelearning/EmptyResourceTags.json index 663e5479..8a7ea0cf 100644 --- a/tests/schemas/lz-machinelearning/EmptyResourceTags.json +++ b/tests/schemas/lz-machinelearning/EmptyResourceTags.json @@ -123,7 +123,8 @@ "value": { "enabled": true, "skuName": "P1V2", - "skuTier": "Premium" + "skuTier": "Premium", + "enablePrivateEndpoint": true } }, "sqldb": { diff --git a/tests/schemas/lz-machinelearning/EmptySubscriptionTags.json b/tests/schemas/lz-machinelearning/EmptySubscriptionTags.json index e2a97e61..a8baab4d 100644 --- a/tests/schemas/lz-machinelearning/EmptySubscriptionTags.json +++ b/tests/schemas/lz-machinelearning/EmptySubscriptionTags.json @@ -128,7 +128,8 @@ "value": { "enabled": true, "skuName": "P1V2", - "skuTier": "Premium" + "skuTier": "Premium", + "enablePrivateEndpoint": true } }, "sqldb": { diff --git a/tests/schemas/lz-machinelearning/FullDeployment-With-Hub.json b/tests/schemas/lz-machinelearning/FullDeployment-With-Hub.json index c0ec09f5..156c7b51 100644 --- a/tests/schemas/lz-machinelearning/FullDeployment-With-Hub.json +++ b/tests/schemas/lz-machinelearning/FullDeployment-With-Hub.json @@ -130,7 +130,8 @@ "value": { "enabled": true, "skuName": "P1V2", - "skuTier": "Premium" + "skuTier": "Premium", + "enablePrivateEndpoint": true } }, "sqldb": { diff --git a/tests/schemas/lz-machinelearning/FullDeployment-Without-Hub.json b/tests/schemas/lz-machinelearning/FullDeployment-Without-Hub.json index 742972e0..945e45fa 100644 --- a/tests/schemas/lz-machinelearning/FullDeployment-Without-Hub.json +++ b/tests/schemas/lz-machinelearning/FullDeployment-Without-Hub.json 
@@ -130,7 +130,8 @@ "value": { "enabled": true, "skuName": "P1V2", - "skuTier": "Premium" + "skuTier": "Premium", + "enablePrivateEndpoint": true } }, "sqldb": { diff --git a/tests/schemas/lz-machinelearning/SQLDB-aadAuthOnly.json b/tests/schemas/lz-machinelearning/SQLDB-aadAuthOnly.json index c0ec09f5..156c7b51 100644 --- a/tests/schemas/lz-machinelearning/SQLDB-aadAuthOnly.json +++ b/tests/schemas/lz-machinelearning/SQLDB-aadAuthOnly.json @@ -130,7 +130,8 @@ "value": { "enabled": true, "skuName": "P1V2", - "skuTier": "Premium" + "skuTier": "Premium", + "enablePrivateEndpoint": true } }, "sqldb": { diff --git a/tests/schemas/lz-machinelearning/SQLDB-mixedAuth.json b/tests/schemas/lz-machinelearning/SQLDB-mixedAuth.json index 681e86f1..c3c2fd35 100644 --- a/tests/schemas/lz-machinelearning/SQLDB-mixedAuth.json +++ b/tests/schemas/lz-machinelearning/SQLDB-mixedAuth.json @@ -130,7 +130,8 @@ "value": { "enabled": true, "skuName": "P1V2", - "skuTier": "Premium" + "skuTier": "Premium", + "enablePrivateEndpoint": true } }, "sqldb": { diff --git a/tests/schemas/lz-machinelearning/SQLDB-sqlAuth.json b/tests/schemas/lz-machinelearning/SQLDB-sqlAuth.json index b9ae93fe..3c149380 100644 --- a/tests/schemas/lz-machinelearning/SQLDB-sqlAuth.json +++ b/tests/schemas/lz-machinelearning/SQLDB-sqlAuth.json @@ -130,7 +130,8 @@ "value": { "enabled": true, "skuName": "P1V2", - "skuTier": "Premium" + "skuTier": "Premium", + "enablePrivateEndpoint": true } }, "sqldb": { diff --git a/tests/schemas/lz-machinelearning/SQLDBIsFalse.json b/tests/schemas/lz-machinelearning/SQLDBIsFalse.json index 25495d66..7c72df97 100644 --- a/tests/schemas/lz-machinelearning/SQLDBIsFalse.json +++ b/tests/schemas/lz-machinelearning/SQLDBIsFalse.json @@ -130,7 +130,8 @@ "value": { "enabled": true, "skuName": "P1V2", - "skuTier": "Premium" + "skuTier": "Premium", + "enablePrivateEndpoint": true } }, "sqldb": { 
diff --git a/tests/schemas/lz-machinelearning/SQLMIIsFalse.json b/tests/schemas/lz-machinelearning/SQLMIIsFalse.json index d1156672..35338ba5 100644 --- a/tests/schemas/lz-machinelearning/SQLMIIsFalse.json +++ b/tests/schemas/lz-machinelearning/SQLMIIsFalse.json @@ -130,7 +130,8 @@ "value": { "enabled": true, "skuName": "P1V2", - "skuTier": "Premium" + "skuTier": "Premium", + "enablePrivateEndpoint": true } }, "sqldb": { diff --git a/tests/schemas/lz-machinelearning/WithoutCMK.json b/tests/schemas/lz-machinelearning/WithoutCMK.json index 79664f2c..3fa13b7b 100644 --- a/tests/schemas/lz-machinelearning/WithoutCMK.json +++ b/tests/schemas/lz-machinelearning/WithoutCMK.json @@ -130,7 +130,8 @@ "value": { "enabled": true, "skuName": "P1V2", - "skuTier": "Premium" + "skuTier": "Premium", + "enablePrivateEndpoint": true } }, "sqldb": {