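///////////////////////////////// Parameters //////////////////////////////////////////////////////////////

@description('Specifies the location for all resources. Default: resourceGroup().location')
param parLocation string = resourceGroup().location

@description('Tags you would like to be applied to all resources in this module. Default: Empty Object')
param parTags object = {}

// Description previously advertised "alz-log-analytics"; the actual default is "log-analytics".
@description('Log Analytics Workspace name. Default: log-analytics')
param parLogAnalyticsWorkspaceName string = 'log-analytics'

@description('Log Analytics region name - Ensure the region selected is a supported mapping as per: https://docs.microsoft.com/azure/automation/how-to/region-mappings. Default: resourceGroup().location')
param parLogAnalyticsWorkspaceLocation string = resourceGroup().location

@allowed([
  'CapacityReservation'
  'Free'
  'LACluster'
  'PerGB2018'
  'PerNode'
  'Premium'
  'Standalone'
  'Standard'
])
@description('Log Analytics Workspace sku name. Default: PerGB2018')
param parLogAnalyticsWorkspaceSkuName string = 'PerGB2018'

// Description previously advertised 365 days; the actual default is 31. The @minValue/@maxValue
// bounds mirror the 30-730 day range the service accepts.
@minValue(30)
@maxValue(730)
@description('Number of days of log retention for Log Analytics Workspace. Default: 31')
param parLogAnalyticsWorkspaceLogRetentionInDays int = 31

@allowed([
  'AgentHealthAssessment'
  'AntiMalware'
  'AzureActivity'
  'ChangeTracking'
  'Security'
  'SecurityInsights'
  'ServiceMap'
  'SQLAdvancedThreatProtection'
  'SQLVulnerabilityAssessment'
  'SQLAssessment'
  'Updates'
  'VMInsights'
])
@description('Solutions that will be added to the Log Analytics Workspace. Default: [AgentHealthAssessment, AntiMalware, AzureActivity, ChangeTracking, Security, SecurityInsights, ServiceMap, SQLAdvancedThreatProtection, SQLVulnerabilityAssessment, SQLAssessment, Updates, VMInsights]')
param parLogAnalyticsWorkspaceSolutions array = [
  'AgentHealthAssessment'
  'AntiMalware'
  'AzureActivity'
  'ChangeTracking'
  'Security'
  'SecurityInsights'
  'ServiceMap'
  'SQLAdvancedThreatProtection'
  'SQLVulnerabilityAssessment'
  'SQLAssessment'
  'Updates'
  'VMInsights'
]

// The hub VNet is only read (existing resource); it must already contain a subnet named
// "privendpoints" that the private endpoint below is placed in.
@description('Name of the existing hub VNet that holds the "privendpoints" subnet used by the private endpoint. Default: vnet-hub-contoso')
param parHubVnetName string = 'vnet-hub-contoso'

@description('Resource group that contains the existing hub VNet. Default: alz-20-network')
param parHubVnetResourceGroupname string = 'alz-20-network'

// The four descriptions below previously all read "for keyvault" (copy-paste); each zone is named
// after the Azure Monitor / Log Analytics endpoint it resolves.
@description('Custom Private DNS Zone for the Azure Monitor endpoint. Default: privatelink.monitor.azure.com')
param parPrivateDnsZoneMonitor string = 'privatelink.monitor.azure.com'

@description('Custom Private DNS Zone for the Log Analytics oms.opinsights endpoint. Default: privatelink.oms.opinsights.azure.com')
param parPrivateDnsZoneOmsOpinsIghts string = 'privatelink.oms.opinsights.azure.com'

@description('Custom Private DNS Zone for the Log Analytics ods.opinsights endpoint. Default: privatelink.ods.opinsights.azure.com')
param parPrivateDnsZoneOdsOpinsights string = 'privatelink.ods.opinsights.azure.com'

@description('Custom Private DNS Zone for the Azure Automation agent service endpoint. Default: privatelink.agentsvc.azure-automation.net')
param parPrivateDnsZoneagentSvcAzureAutomation string = 'privatelink.agentsvc.azure-automation.net'

@description('Custom Private DNS Zone for blob storage, required by Azure Monitor Private Link for solution pack downloads. Default: privatelink.blob.core.windows.net')
param parPrivateDnsZoneBlob string = 'privatelink.blob.core.windows.net'

// No default: the description previously claimed "Empty String", but an empty ID would make every
// virtualNetworkLink deployment fail. Callers must pass the hub VNet resource ID explicitly.
@description('Resource ID of the VNet to link the Private DNS Zones to (normally the hub VNet named in parHubVnetName). Required - no default.')
param parVirtualNetworkIdToLink string

///////////////////////////////// Resources. LAW. //////////////////////////////////////////////////////////////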
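//////////////////////////////////////////////////////////////

// Log Analytics Workspace.
// The workspace is placed in parLogAnalyticsWorkspaceLocation (the parameter dedicated to the
// workspace region) instead of parLocation, so that the workspace and the solutions attached to it
// below always share a region. Both parameters default to resourceGroup().location, so default
// deployments are unchanged.
// NOTE(review): publicNetworkAccessForIngestion / publicNetworkAccessForQuery are left at the
// service defaults (Enabled). The private endpoint below adds a private path to the workspace but
// does not remove the public one; set both to 'Disabled' once every agent and query client reaches
// the workspace through the private link, otherwise the endpoint provides no exposure reduction.
resource resLogAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2021-06-01' = {
  name: parLogAnalyticsWorkspaceName
  location: parLogAnalyticsWorkspaceLocation
  tags: parTags
  properties: {
    sku: {
      name: parLogAnalyticsWorkspaceSkuName
    }
    retentionInDays: parLogAnalyticsWorkspaceLogRetentionInDays
  }
}

// One management solution per entry in parLogAnalyticsWorkspaceSolutions.
// A solution must be deployed in the same region as its workspace; the region is therefore taken
// from the workspace resource rather than from a separate parameter, so the two cannot diverge.
resource resLogAnalyticsWorkspaceSolutions 'Microsoft.OperationsManagement/solutions@2015-11-01-preview' = [for solution in parLogAnalyticsWorkspaceSolutions: {
  name: '${solution}(${resLogAnalyticsWorkspace.name})'
  location: resLogAnalyticsWorkspace.location
  tags: parTags
  properties: {
    workspaceResourceId: resLogAnalyticsWorkspace.id
  }
  plan: {
    name: '${solution}(${resLogAnalyticsWorkspace.name})'
    product: 'OMSGallery/${solution}'
    publisher: 'Microsoft'
    promotionCode: ''
  }
}]

///////////////////////////////// Resources. LAW. Private Endpoints //////////////////////////////////////////////////////////////

////// Resources. Existing VNET

// Hub VNet, read from another resource group. Nothing is created here; the deployment identity only
// needs read access on the VNet plus join rights on the subnet used below.
resource resExistingHubVnet 'Microsoft.Network/virtualNetworks@2022-05-01' existing = {
  name: parHubVnetName
  scope: resourceGroup(parHubVnetResourceGroupname)
}

// The subnet that hosts the private endpoint. Its name is fixed to "privendpoints" and must already
// exist in the hub VNet; the deployment fails otherwise.
resource resExistingSubnetForprivateEnpoint 'Microsoft.Network/virtualNetworks/subnets@2022-05-01' existing = {
  name: 'privendpoints'
  parent: resExistingHubVnet
}

////// Resources. AMPLS and link to LAW

// Azure Monitor Private Link Scope (AMPLS). The private endpoint below attaches to this scope; the
// workspace is reached through it via the scoped-resource link that follows.
// NOTE(review): 'Open' access mode lets clients that use this private endpoint reach Azure Monitor
// resources that are NOT in this scope as well; 'PrivateOnly' limits them to scoped resources only.
// Kept as 'Open' to preserve existing behaviour - tighten to 'PrivateOnly' once every workspace or
// Application Insights resource the agents need has been added to the scope.
resource resAMprivateLinkScope 'microsoft.insights/privateLinkScopes@2021-07-01-preview' = {
  name: 'ampls-alz'
  location: 'global'
  properties: {
    accessModeSettings: {
      ingestionAccessMode: 'Open'
      queryAccessMode: 'Open'
    }
  }
}

// Adds the workspace to the AMPLS so that traffic through the private endpoint can reach it.
resource resAMprivateLinkScope_ConnectionToLaw 'Microsoft.Insights/privateLinkScopes/scopedResources@2021-07-01-preview' = {
  name: '${parLogAnalyticsWorkspaceName}-connection'
  parent: resAMprivateLinkScope
  properties: {
    linkedResourceId: resLogAnalyticsWorkspace.id
  }
}

////// Resources. Private DNS Zones for LAW private Endpoint

// Five zones are needed for a Log Analytics private link: monitor, oms/ods ingestion, the
// Automation agent service and blob (solution packs). Each zone is global and is later linked to the
// hub VNet and to the private endpoint's DNS zone group.
resource resPrivateDnsZoneMonitor 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: parPrivateDnsZoneMonitor
  location: 'global'
  tags: parTags
}

resource resPrivateDnsZoneOmsOpinsIghts 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: parPrivateDnsZoneOmsOpinsIghts
  location: 'global'
  tags: parTags
}

resource resPrivateDnsZoneOdsOpinsights 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: parPrivateDnsZoneOdsOpinsights
  location: 'global'
  tags: parTags
}

resource resPrivateDnsZoneagentSvcAzureAutomation 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: parPrivateDnsZoneagentSvcAzureAutomation
  location: 'global'
  tags: parTags
}

resource resPrivateDnsZoneBlob 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: parPrivateDnsZoneBlob
  location: 'global'
  tags: parTags
}

////// Resources. Private DNS Zones Links to Hub VNET

// Links every zone to the VNet given in parVirtualNetworkIdToLink so that resolvers inside that VNet
// return the private endpoint address. registrationEnabled stays false: these zones only hold the
// records written by the DNS zone group, VMs must not auto-register into them.
// NOTE(review): parVirtualNetworkIdToLink is expected to be the ID of resExistingHubVnet; the two
// are not cross-checked here.
resource resVirtualNetworkLinkForMonitor 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  name: '${parHubVnetName}-link-Monitor'
  location: 'global'
  parent: resPrivateDnsZoneMonitor
  properties: {
    registrationEnabled: false
    virtualNetwork: {
      id: parVirtualNetworkIdToLink
    }
  }
}

resource resVirtualNetworkLinkForOmsOpinsIghts 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  name: '${parHubVnetName}-link-OmsOpinsIghts'
  location: 'global'
  parent: resPrivateDnsZoneOmsOpinsIghts
  properties: {
    registrationEnabled: false
    virtualNetwork: {
      id: parVirtualNetworkIdToLink
    }
  }
}

resource resVirtualNetworkLinkForOdsOpinsights 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  name: '${parHubVnetName}-link-OdsOpinsights'
  location: 'global'
  parent: resPrivateDnsZoneOdsOpinsights
  properties: {
    registrationEnabled: false
    virtualNetwork: {
      id: parVirtualNetworkIdToLink
    }
  }
}

resource resVirtualNetworkLinkForagentSvcAzureAutomation 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  name: '${parHubVnetName}-link-agentSvcAzureAutomation'
  location: 'global'
  parent: resPrivateDnsZoneagentSvcAzureAutomation
  properties: {
    registrationEnabled: false
    virtualNetwork: {
      id: parVirtualNetworkIdToLink
    }
  }
}

resource resVirtualNetworkLinkForBlob 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  name: '${parHubVnetName}-link-Blob'
  location: 'global'
  parent: resPrivateDnsZoneBlob
  properties: {
    registrationEnabled: false
    virtualNetwork: {
      id: parVirtualNetworkIdToLink
    }
  }
}

////// Resources. Private Endpoint

// Private endpoint into the hub subnet. The target is the AMPLS, not the workspace itself: a
// Log Analytics workspace is only reachable over Private Link through a scope, with groupId
// 'azuremonitor'. API version aligned with the DNS zone group child resource below (2022-05-01).
// parLocation must be the region of the hub VNet, since an endpoint has to live in its subnet's region.
// The explicit dependsOn makes sure the workspace is already in the scope when the endpoint (and
// therefore its DNS records) is created.
resource reslawPrivateEndpoint 'Microsoft.Network/privateEndpoints@2022-05-01' = {
  name: 'law-privendpoint'
  location: parLocation
  properties: {
    privateLinkServiceConnections: [
      {
        name: 'law-PrivateEndpoint-PrivateLinkConnection'
        properties: {
          privateLinkServiceId: resAMprivateLinkScope.id
          groupIds: [
            'azuremonitor'
          ]
        }
      }
    ]
    subnet: {
      id: resExistingSubnetForprivateEnpoint.id
    }
  }
  dependsOn: [
    resAMprivateLinkScope_ConnectionToLaw
  ]
}

////// Resources. DNS Zones Group

// Writes the endpoint's private IP records into each of the five zones. The config names are the
// zone names with dots replaced by dashes; they are labels only and do not have to match the zone.
resource resPrivEnpointDnsZoneGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2022-05-01' = {
  name: 'default'
  parent: reslawPrivateEndpoint
  properties: {
    privateDnsZoneConfigs: [
      {
        name: 'privatelink-monitor-azure-com'
        properties: {
          privateDnsZoneId: resPrivateDnsZoneMonitor.id
        }
      }
      {
        name: 'privatelink-oms-opinsights-azure-com'
        properties: {
          privateDnsZoneId: resPrivateDnsZoneOmsOpinsIghts.id
        }
      }
      {
        name: 'privatelink-ods-opinsights-azure-com'
        properties: {
          privateDnsZoneId: resPrivateDnsZoneOdsOpinsights.id
        }
      }
      {
        name: 'privatelink-agentsvc-azure-automation-net'
        properties: {
          privateDnsZoneId: resPrivateDnsZoneagentSvcAzureAutomation.id
        }
      }
      {
        name: 'privatelink-blob-core-windows-net'
        properties: {
          privateDnsZoneId: resPrivateDnsZoneBlob.id
        }
      }
    ]
  }
}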