diff --git a/docs/wiki/Whats-new.md b/docs/wiki/Whats-new.md index 9ee6e32d65..034fd881c8 100644 --- a/docs/wiki/Whats-new.md +++ b/docs/wiki/Whats-new.md @@ -1,6 +1,7 @@ ## In this Section - [Updates](#updates) + - [July 2024](#july-2024) - [June 2024](#june-2024) - [🆕 AMA Updates](#-ama-updates) - [🔃 Policy Refresh H2 FY24](#-policy-refresh-h2-fy24) @@ -46,6 +47,12 @@ This article will be updated as and when changes are made to the above and anyth Here's what's changed in Enterprise Scale/Azure Landing Zones: +### July 2024 + +#### Policy + +- Fixed parameter allowed values for `modifyNsgRuleAccess` in the [Enforce-Guardrails-Network](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-Network.html) initiative. + ### June 2024 #### Documentation diff --git a/eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json b/eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json index b82c80aee0..5de3aa42eb 100644 --- a/eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json +++ b/eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json @@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.28.1.47646", - "templateHash": "10303493817097178140" + "templateHash": "15191055657091623735" } }, "parameters": { @@ -97,7 +97,7 @@ "$fxv#25": "{\n \"name\": \"Enforce-Guardrails-Kubernetes\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Kubernetes\",\n \"description\": \"This policy initiative is a group of policies that ensures Kubernetes is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Kubernetes\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"aksKms\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"aksCni\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"aksLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksPrivateCluster\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksPolicy\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"aksCommandInvoke\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"aksReadinessOrLivenessProbes\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksPrivContainers\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksPrivEscalation\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksAllowedCapabilities\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksTempDisk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksInternalLb\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksDefaultNamespace\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksNakedPods\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksShareHostProcessAndNamespace\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksWindowsContainerAdministrator\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5485eac0-7e8f-4964-998b-a44f4f0c1e75\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Windows-Container-Administrator\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksWindowsContainerAdministrator')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Shared-Host-Process-Namespace\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksShareHostProcessAndNamespace')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/65280eef-c8b4-425e-9aec-af55e55bf581\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Naked-Pods\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksNakedPods')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9f061a12-e40d-4183-a00e-171812443373\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Default-Namespace\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksDefaultNamespace')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Internal-Lb\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksInternalLb')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/41425d9f-d1a5-499a-9932-f8ed8453932c\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Temp-Disk-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksTempDisk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c26596ff-4d70-4e6a-9a30-c2506bd2f80c\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Allowed-Capabilities\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksAllowedCapabilities')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Priv-Escalation\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksPrivEscalation')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Priv-Containers\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksPrivContainers')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b1a9997f-2883-4f12-bdff-2280f99b5915\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-ReadinessOrLiveness-Probes\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksReadinessOrLivenessProbes')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b708b0a-3380-40e9-8b79-821f9fa224cc\",\n \"policyDefinitionReferenceId\": \"Dine-Aks-Command-Invoke\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksCommandInvoke')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7\",\n \"policyDefinitionReferenceId\": \"Dine-Aks-Policy\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksPolicy')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Private-Cluster\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksPrivateCluster')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/993c2fcd-2b29-49d2-9eb0-df2c3a730c32\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dbbdc317-9734-4dd8-9074-993b29c69008\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Kms\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksKms')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/46238e2f-3f6f-4589-9f3f-77bed4116e67\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Cni\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksCni')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", "$fxv#26": "{\n \"name\": \"Enforce-Guardrails-MachineLearning\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Machine Learning\",\n \"description\": \"This policy initiative is a group of policies that ensures Machine Learning is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"mlUserAssignedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mlModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"mlLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mlOutdatedOS\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"mlModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f110a506-2dcb-422e-bcea-d533fc8c35e2\",\n \"policyDefinitionReferenceId\": \"Deny-ML-Outdated-Os\",\n \"groupNames\": [],\n \"parameters\": {\n \"effects\": {\n \"value\": \"[[parameters('mlOutdatedOS')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e96a9a5f-07ca-471b-9bc5-6a0f33cbd68f\",\n \"policyDefinitionReferenceId\": \"Deny-ML-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a6f9a2d0-cff7-4855-83ad-4cd750666512\",\n \"policyDefinitionReferenceId\": \"Modify-ML-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5f0c7d88-c7de-45b8-ac49-db49e72eaa78\",\n \"policyDefinitionReferenceId\": \"Deny-ML-User-Assigned-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlUserAssignedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a10ee784-7409-4941-b091-663697637c0f\",\n \"policyDefinitionReferenceId\": \"Modify-ML-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", "$fxv#27": "{\n \"name\": \"Enforce-Guardrails-MySQL\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for MySQL\",\n \"description\": \"This policy initiative is a group of policies that ensures MySQL is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"MySQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"mySqlInfraEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mySqlAdvThreatProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/80ed5239-4122-41ed-b54a-6f1fa7552816\",\n \"policyDefinitionReferenceId\": \"Dine-MySql-Adv-Threat-Protection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mySqlAdvThreatProtection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3a58212a-c829-4f13-9872-6371df2fd0b4\",\n \"policyDefinitionReferenceId\": \"Deny-MySql-Infra-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mySqlInfraEncryption')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#28": "{\n \"name\": \"Enforce-Guardrails-Network\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Network and Networking services\",\n \"description\": \"This policy initiative is a group of policies that ensures Network and Networking services are compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"subnetUdr\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"subnetNsg\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"subnetServiceEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appGwWaf\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vnetModifyDdos\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\"\n },\n \"ddosPlanResourceId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\"\n },\n \"wafMode\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeRequirement\": {\n \"type\": \"string\",\n \"defaultValue\": \"Prevention\"\n },\n \"wafFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeAppGw\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeAppGwRequirement\": {\n \"type\": \"string\",\n \"defaultValue\": \"Prevention\"\n },\n \"denyMgmtFromInternet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"denyMgmtFromInternetPorts\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Ports\",\n \"description\": \"Ports to be blocked\"\n },\n \"defaultValue\": [\n \"22\",\n \"3389\"\n ]\n },\n \"afwEnbaleTlsForAllAppRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableTlsInspection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEmptyIDPSBypassList\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableAllIDPSSignatureRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableIDPS\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafAfdEnabled\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vpnAzureAD\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appGwTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyUdr\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\"\n },\n \"modifyUdrNextHopIpAddress\": {\n \"type\": \"string\",\n \"defaultValue\": \"\"\n },\n \"modifyUdrNextHopType\": {\n \"type\": \"string\",\n \"defaultValue\": \"None\"\n },\n \"modifyUdrAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"0.0.0.0/0\"\n },\n \"modifyNsg\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyNsgRuleName\": {\n \"type\": \"string\",\n \"defaultValue\": \"DenyAnyInternetOutbound\"\n },\n \"modifyNsgRulePriority\": {\n \"type\": \"integer\",\n \"defaultValue\": 1000\n },\n \"modifyNsgRuleDirection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Outbound\"\n },\n \"modifyNsgRuleAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyNsgRuleProtocol\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleSourceAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleSourcePortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleDestinationAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"Internet\"\n },\n \"modifyNsgRuleDestinationPortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleDescription\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny any outbound traffic to the Internet\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/35f9c03a-cc27-418e-9c0c-539ff999d010\",\n \"policyDefinitionReferenceId\": \"Deny-Nsg-GW-subnet\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a6bc25-125e-4d13-b82d-2e19b7208ab7\",\n \"policyDefinitionReferenceId\": \"Deny-VPN-AzureAD\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vpnAzureAD')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/055aa869-bc98-4af8-bafc-23f1ab6ffe2c\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-Afd-Enabled\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafAfdEnabled')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6484db87-a62d-4327-9f07-80a2cbdf333a\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-IDPS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableIDPS')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/610b6183-5f00-4d68-86d2-4ab4cb3a67a5\",\n \"policyDefinitionReferenceId\": \"Deny-FW-AllIDPSS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableAllIDPSSignatureRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f516dc7a-4543-4d40-aad6-98f76a706b50\",\n \"policyDefinitionReferenceId\": \"Deny-FW-EmpIDPSBypass\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEmptyIDPSBypassList')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/711c24bb-7f18-4578-b192-81a6161e1f17\",\n \"policyDefinitionReferenceId\": \"Deny-FW-TLS-Inspection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableTlsInspection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a58ac66d-92cb-409c-94b8-8e48d7a96596\",\n \"policyDefinitionReferenceId\": \"Deny-FW-TLS-AllApp\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnbaleTlsForAllAppRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12430be1-6cc8-4527-a9a8-e3d38f250096\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-AppGw-mode\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafModeAppGw')]\"\n },\n \"modeRequirement\": {\n \"value\": \"[[parameters('wafModeAppGwRequirement')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/632d3993-e2c0-44ea-a7db-2eca131f356d\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-Fw-rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/425bea59-a659-4cbb-8d31-34499bd030b8\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-mode\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafMode')]\"\n },\n \"modeRequirement\": {\n \"value\": \"[[parameters('wafModeRequirement')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d\",\n \"policyDefinitionReferenceId\": \"Modify-vNet-DDoS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vnetModifyDdos')]\"\n },\n \"ddosPlan\": {\n \"value\": \"[[parameters('ddosPlanResourceId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900\",\n \"policyDefinitionReferenceId\": \"Deny-Ip-Forwarding\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114\",\n \"policyDefinitionReferenceId\": \"Deny-vNic-Pip\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66\",\n \"policyDefinitionReferenceId\": \"Deny-AppGw-Without-Waf\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appGwWaf')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Udr\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-Without-Udr\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetUdr')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-Without-NSG\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetNsg')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Service-Endpoints\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-with-Service-Endpoints\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetServiceEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MgmtPorts-From-Internet\",\n \"policyDefinitionReferenceId\": \"Deny-Mgmt-From-Internet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('denyMgmtFromInternet')]\"\n },\n \"ports\": {\n \"value\": \"[[parameters('denyMgmtFromInternetPorts')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppGw-Without-Tls\",\n \"policyDefinitionReferenceId\": \"Deny-AppGw-Without-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appGwTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-UDR\",\n \"policyDefinitionReferenceId\": \"Modify-Udr\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyUdr')]\"\n },\n \"nextHopIpAddress\": {\n \"value\": \"[[parameters('modifyUdrNextHopIpAddress')]\"\n },\n \"nextHopType\": {\n \"value\": \"[[parameters('modifyUdrNextHopType')]\"\n },\n \"addressPrefix\": {\n \"value\": \"[[parameters('modifyUdrAddressPrefix')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-NSG\",\n \"policyDefinitionReferenceId\": \"Modify-Nsg\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyNsg')]\"\n },\n \"nsgRuleName\": {\n \"value\": \"[[parameters('modifyNsgRuleName')]\"\n },\n \"nsgRulePriority\": {\n \"value\": \"[[parameters('modifyNsgRulePriority')]\"\n },\n \"nsgRuleDirection\": {\n \"value\": \"[[parameters('modifyNsgRuleDirection')]\"\n },\n \"nsgRuleAccess\": {\n \"value\": \"[[parameters('modifyNsgRuleAccess')]\"\n },\n \"nsgRuleProtocol\": {\n \"value\": \"[[parameters('modifyNsgRuleProtocol')]\"\n },\n \"nsgRuleSourceAddressPrefix\": {\n \"value\": \"[[parameters('modifyNsgRuleSourceAddressPrefix')]\"\n },\n \"nsgRuleSourcePortRange\": {\n \"value\": \"[[parameters('modifyNsgRuleSourcePortRange')]\"\n },\n \"nsgRuleDestinationAddressPrefix\": {\n \"value\": \"[[parameters('modifyNsgRuleDestinationAddressPrefix')]\"\n },\n \"nsgRuleDestinationPortRange\": {\n \"value\": \"[[parameters('modifyNsgRuleDestinationPortRange')]\"\n },\n \"nsgRuleDescription\": {\n \"value\": \"[[parameters('modifyNsgRuleDescription')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#28": "{\n \"name\": \"Enforce-Guardrails-Network\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Network and Networking services\",\n \"description\": \"This policy initiative is a group of policies that ensures Network and Networking services are compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"subnetUdr\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"subnetNsg\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"subnetServiceEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appGwWaf\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vnetModifyDdos\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\"\n },\n \"ddosPlanResourceId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\"\n },\n \"wafMode\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeRequirement\": {\n \"type\": \"string\",\n \"defaultValue\": \"Prevention\"\n },\n \"wafFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeAppGw\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeAppGwRequirement\": {\n \"type\": \"string\",\n \"defaultValue\": \"Prevention\"\n },\n \"denyMgmtFromInternet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"denyMgmtFromInternetPorts\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Ports\",\n \"description\": \"Ports to be blocked\"\n },\n \"defaultValue\": [\n \"22\",\n \"3389\"\n ]\n },\n \"afwEnbaleTlsForAllAppRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableTlsInspection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEmptyIDPSBypassList\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableAllIDPSSignatureRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableIDPS\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafAfdEnabled\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vpnAzureAD\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appGwTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyUdr\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\"\n },\n \"modifyUdrNextHopIpAddress\": {\n \"type\": \"string\",\n \"defaultValue\": \"\"\n },\n \"modifyUdrNextHopType\": {\n \"type\": \"string\",\n \"defaultValue\": \"None\"\n },\n \"modifyUdrAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"0.0.0.0/0\"\n },\n \"modifyNsg\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyNsgRuleName\": {\n \"type\": \"string\",\n \"defaultValue\": \"DenyAnyInternetOutbound\"\n },\n \"modifyNsgRulePriority\": {\n \"type\": \"integer\",\n \"defaultValue\": 1000\n },\n \"modifyNsgRuleDirection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Outbound\"\n },\n \"modifyNsgRuleAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Allow\",\n \"Deny\"\n ]\n },\n \"modifyNsgRuleProtocol\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleSourceAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleSourcePortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleDestinationAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"Internet\"\n },\n \"modifyNsgRuleDestinationPortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleDescription\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny any outbound traffic to the Internet\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/35f9c03a-cc27-418e-9c0c-539ff999d010\",\n \"policyDefinitionReferenceId\": \"Deny-Nsg-GW-subnet\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a6bc25-125e-4d13-b82d-2e19b7208ab7\",\n \"policyDefinitionReferenceId\": \"Deny-VPN-AzureAD\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vpnAzureAD')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/055aa869-bc98-4af8-bafc-23f1ab6ffe2c\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-Afd-Enabled\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafAfdEnabled')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6484db87-a62d-4327-9f07-80a2cbdf333a\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-IDPS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableIDPS')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/610b6183-5f00-4d68-86d2-4ab4cb3a67a5\",\n \"policyDefinitionReferenceId\": \"Deny-FW-AllIDPSS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableAllIDPSSignatureRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f516dc7a-4543-4d40-aad6-98f76a706b50\",\n \"policyDefinitionReferenceId\": \"Deny-FW-EmpIDPSBypass\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEmptyIDPSBypassList')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/711c24bb-7f18-4578-b192-81a6161e1f17\",\n \"policyDefinitionReferenceId\": \"Deny-FW-TLS-Inspection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableTlsInspection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a58ac66d-92cb-409c-94b8-8e48d7a96596\",\n \"policyDefinitionReferenceId\": \"Deny-FW-TLS-AllApp\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnbaleTlsForAllAppRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12430be1-6cc8-4527-a9a8-e3d38f250096\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-AppGw-mode\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafModeAppGw')]\"\n },\n \"modeRequirement\": {\n \"value\": \"[[parameters('wafModeAppGwRequirement')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/632d3993-e2c0-44ea-a7db-2eca131f356d\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-Fw-rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/425bea59-a659-4cbb-8d31-34499bd030b8\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-mode\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafMode')]\"\n },\n \"modeRequirement\": {\n \"value\": \"[[parameters('wafModeRequirement')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d\",\n \"policyDefinitionReferenceId\": \"Modify-vNet-DDoS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vnetModifyDdos')]\"\n },\n \"ddosPlan\": {\n \"value\": \"[[parameters('ddosPlanResourceId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900\",\n \"policyDefinitionReferenceId\": \"Deny-Ip-Forwarding\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114\",\n \"policyDefinitionReferenceId\": \"Deny-vNic-Pip\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66\",\n \"policyDefinitionReferenceId\": \"Deny-AppGw-Without-Waf\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appGwWaf')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Udr\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-Without-Udr\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetUdr')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-Without-NSG\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetNsg')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Service-Endpoints\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-with-Service-Endpoints\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetServiceEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MgmtPorts-From-Internet\",\n \"policyDefinitionReferenceId\": \"Deny-Mgmt-From-Internet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('denyMgmtFromInternet')]\"\n },\n \"ports\": {\n \"value\": \"[[parameters('denyMgmtFromInternetPorts')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppGw-Without-Tls\",\n \"policyDefinitionReferenceId\": \"Deny-AppGw-Without-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appGwTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-UDR\",\n \"policyDefinitionReferenceId\": \"Modify-Udr\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyUdr')]\"\n },\n \"nextHopIpAddress\": {\n \"value\": \"[[parameters('modifyUdrNextHopIpAddress')]\"\n },\n \"nextHopType\": {\n \"value\": \"[[parameters('modifyUdrNextHopType')]\"\n },\n \"addressPrefix\": {\n \"value\": \"[[parameters('modifyUdrAddressPrefix')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-NSG\",\n \"policyDefinitionReferenceId\": \"Modify-Nsg\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyNsg')]\"\n },\n \"nsgRuleName\": {\n \"value\": \"[[parameters('modifyNsgRuleName')]\"\n },\n \"nsgRulePriority\": {\n \"value\": \"[[parameters('modifyNsgRulePriority')]\"\n },\n \"nsgRuleDirection\": {\n \"value\": \"[[parameters('modifyNsgRuleDirection')]\"\n },\n \"nsgRuleAccess\": {\n \"value\": \"[[parameters('modifyNsgRuleAccess')]\"\n },\n \"nsgRuleProtocol\": {\n \"value\": \"[[parameters('modifyNsgRuleProtocol')]\"\n },\n \"nsgRuleSourceAddressPrefix\": {\n \"value\": \"[[parameters('modifyNsgRuleSourceAddressPrefix')]\"\n },\n \"nsgRuleSourcePortRange\": {\n \"value\": \"[[parameters('modifyNsgRuleSourcePortRange')]\"\n },\n \"nsgRuleDestinationAddressPrefix\": {\n \"value\": \"[[parameters('modifyNsgRuleDestinationAddressPrefix')]\"\n },\n \"nsgRuleDestinationPortRange\": {\n \"value\": \"[[parameters('modifyNsgRuleDestinationPortRange')]\"\n },\n \"nsgRuleDescription\": {\n \"value\": \"[[parameters('modifyNsgRuleDescription')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", "$fxv#29": "{\n \"name\": \"Enforce-Guardrails-OpenAI\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Open AI (Cognitive Service)\",\n \"description\": \"This policy initiative is a group of policies that ensures Open AI (Cognitive Service) is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Cognitive Services\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"cognitiveServicesOutboundNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesNetworkAcls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesModifyDisableLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesDisableLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesCustomerStorage\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-CognitiveServices-RestrictOutboundNetworkAccess\",\n \"policyDefinitionReferenceId\": \"Deny-OpenAi-OutboundNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesOutboundNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-CognitiveServices-NetworkAcls\",\n \"policyDefinitionReferenceId\": \"Deny-OpenAi-NetworkAcls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesNetworkAcls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fe3fd216-4f83-4fc1-8984-2bbec80a3418\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Managed-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesManagedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/71ef260a-8f18-47b7-abcb-62d0673d94dc\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesDisableLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/46aa9b05-0e60-4eae-a88b-1e9d374fa515\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Cust-Storage\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesCustomerStorage')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/14de9e63-1b31-492e-a5a3-c3f7fd57f555\",\n \"policyDefinitionReferenceId\": \"Modify-Cognitive-Services-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesModifyDisableLocalAuth')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", "$fxv#3": "{\n \"name\": \"Deploy-Sql-Security_20240529\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy SQL Database built-in SQL security configuration\",\n \"description\": \"Deploy auditing, Alert, TDE and SQL vulnerability to SQL Databases when it not exist in the deployment\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"replacesPolicy\": \"Deploy-Sql-Security\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"vulnerabilityAssessmentsEmail\": {\n \"metadata\": {\n \"description\": \"The email address to send alerts\",\n \"displayName\": \"The email address to send alerts\"\n },\n \"type\": \"Array\"\n },\n \"vulnerabilityAssessmentsStorageID\": {\n \"metadata\": {\n \"description\": \"The storage account ID to store assessments\",\n \"displayName\": \"The storage account ID to store assessments\"\n },\n \"type\": \"String\"\n },\n \"SqlDbTdeDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL Database Transparent Data Encryption \",\n \"description\": \"Deploy the Transparent Data Encryption when it is not enabled in the deployment\"\n }\n },\n \"SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL Database security Alert Policies configuration with email admin accounts\",\n \"description\": \"Deploy the security Alert Policies configuration with email admin accounts when it not exist in current configuration\"\n }\n },\n \"SqlDbAuditingSettingsDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL database auditing settings\",\n \"description\": \"Deploy auditing settings to SQL Database when it not exist in the deployment\"\n }\n },\n \"SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL Database vulnerability Assessments\",\n \"description\": \"Deploy SQL Database vulnerability Assessments when it not exist in the deployment. To the specific storage account in the parameters\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"SqlDbTdeDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbTdeDeploySqlSecurityEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlDbSecurityAlertPoliciesDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-SecurityAlertPolicies\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlDbAuditingSettingsDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-AuditingSettings\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbAuditingSettingsDeploySqlSecurityEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlDbVulnerabilityAssessmentsDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments_20230706\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect')]\"\n },\n \"vulnerabilityAssessmentsEmail\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentsEmail')]\"\n },\n \"vulnerabilityAssessmentsStorageID\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentsStorageID')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", "$fxv#30": "{\n \"name\": \"Enforce-Guardrails-PostgreSQL\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for PostgreSQL\",\n \"description\": \"This policy initiative is a group of policies that ensures PostgreSQL is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"PostgreSQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"postgreSqlAdvThreatProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/db048e65-913c-49f9-bb5f-1084184671d3\",\n \"policyDefinitionReferenceId\": \"Dine-PostgreSql-Adv-Threat-Protection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('postgreSqlAdvThreatProtection')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Network.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Network.json index a90c9872ab..64d4afca19 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Network.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Network.json @@ -8,7 +8,7 @@ "displayName": "Enforce recommended guardrails for Network and Networking services", "description": "This policy initiative is a group of policies that ensures Network and Networking services are compliant per regulated Landing Zones.", "metadata": { - "version": "1.0.0", + "version": "1.1.0", "category": "Network", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -229,9 +229,8 @@ "type": "string", "defaultValue": "Deny", "allowedValues": [ - "Audit", - "Deny", - "Disabled" + "Allow", + "Deny" ] }, "modifyNsgRuleProtocol": {