Generating README for Bicep Files
Tao Yang's System Center Blog
by Tao Yang
2d ago
Introduction. PSDocs (https://github.com/microsoft/PSDocs) is a tool developed by Microsoft’s Bernie White, who is also the creator of my favourite tool, PSRules. PSDocs is a PowerShell module that you can use to generate README.md files for your Azure Resource Manager (ARM) templates. I have used it in several projects to make sure all my Bicep templates and modules are documented. I have created a script that uses PSDocs to generate README files for any Bicep file; all you need is a metadata.json file in the same folder as your Bicep file. The script will generate a README.md file for the b …
Using Policy Metadata in Azure Policy Initiatives
1w ago
When checking the Policy Compliance status in the Azure Portal, if you click on a policy assignment for an Initiative, you may have noticed that some policy initiatives group their individual policies by security control, giving you an aggregated view of which security controls are compliant and which are not. For example, the screenshot below shows the compliance status for the Azure Security Benchmark initiative, which groups the individual policies by security requirement. When defining Azure Policy Initiative definitions, you have the ability to map individual member pol …
Using Azure Policy to Create DNS Records for Private Endpoints
1w ago
Azure Private Link allows you to access Azure PaaS services over a private endpoint in your virtual network. To make your Azure PaaS resources accessible via Private Link, you will need to: (1) create one or more private endpoints for the Azure resource, and (2) create a DNS record for each private endpoint in the Azure Private DNS Zone specific to that Private Link service. If you are operating within an Azure Enterprise Scale Landing Zone architecture, you may face the challenge of creating the DNS records for the private endpoints due to limitations in security permissions. For example …
How To Restrict Event Hub Public Network Access via Azure Policy
1M ago
Yesterday I published a policy definition to restrict Event Hub public network access. After reading my blog post, my friend and colleague Ahmad Abdalla told me there is a gap in my policy definition. Once assigned, the policy will deny the creation of a NEW Event Hub namespace with public network access enabled, but if you enable public network access on an EXISTING Event Hub namespace via the Azure portal, the policy does not deny the operation. After some investigation, I found in the Activity Log that my update in the Azure portal actually targeted the Microsoft.E …
Bicep Template for VNet Isolated CloudShell
1M ago
Introduction. Based on what I have seen over the past few years, the use of Azure CloudShell is actively discouraged by most of my customers. Customers normally have an Azure Policy assigned to restrict public access to Storage Accounts. Since, by default, CloudShell creates a public-facing storage account for you when you first initiate it, it is not possible to use CloudShell in this case. A few months ago, I came across a blog post from Thomas Maurer, Connect Azure Cloud Shell to Virtual Network vNet. I found it really interesting, and it can potentially help me overcome a pro …
Azure Policy Definitions for Event Hub Minimum TLS Version and Public Network Access
1M ago
Azure Event Hub Namespace has added support for 2 additional properties in the latest API version, 2022-01-01-preview: minimumTlsVersion, the minimum TLS version that the Event Hub Namespace supports; and publicNetworkAccess, which determines whether traffic is allowed over the public network (enabled by default). Since Microsoft has not released any built-in policies for controlling these 2 properties, I have created 2 custom policies to enforce the minimum TLS version and restrict public network access. You can find the policy definitions in my Azure Policy GitHub repo: Enforce Event Hub minimum TL …
Azure Private Endpoints with Static IP Addresses
1M ago
In my current project, we have a requirement that all Private Endpoint (PE) connections must use static IP addresses. All Private Endpoint IP addresses must be pre-allocated so that we can streamline the process of raising firewall requests to integrate with the customer’s on-premises network. This post will show you how to create Private Endpoints with static IP addresses using Azure Bicep. Static IP assignments for Private Endpoints have been supported by the Azure Microsoft.Network resource provider since API version 2021-03-01. You can define the static IP in the ipConfigurations property for the Priv …
Minimum Permissions for Azure Policy Template Deployment
1M ago
When it comes to security, a general rule of thumb is to ALWAYS apply the principle of least privilege when assigning permissions. I rarely come across customers who agree to grant the Owner role to the service principals we use for our Azure Infrastructure as Code (IaC) pipelines. In this post, I will show you the minimum permissions required to deploy Azure Policy resources. Azure provides a built-in role definition called Resource Policy Contributor. It has enough permissions to create Azure Policy related resources. Here is the role definition in JSON: { "id": "/providers/Microsoft.Authorization …
Azure Bicep Modules for Azure Policy Resources
1M ago
Although I’m a big fan of the Microsoft CARML Bicep module repo, and have used many of its modules in my projects, sometimes I still prefer using modules I have created myself. I created 3 Bicep modules a while back for Azure Policy Definitions, Initiatives and Assignments. They are all written for management-group scoped deployments because I have not had requirements for subscription scoped deployments to date. I have used these modules in several projects now, and I thought I’d share them with the community to give you an alternative to the CARML modules. You can find the modules, coupled with sampl …
Azure policy to Audit Storage Account without Lifecycle Management Rule
5M ago
I created a new Azure Policy definition today to audit storage accounts that do not have lifecycle management rules. The policy definition can be found in my AzurePolicy GitHub repo …