Policy-driven governance means the usage of Azure Policy to build and provide guardrails, and to enable autonomy for the platform and application teams, regardless of their scale points. Those guardrails ensure that deployed workloads and applications are compliant with your organization's security and compliance requirements, and therefore a secure path to the public cloud.
Out of the box deployed product has a set of initial policies assigned to a different scopes of hierarchy.
Initially this scope only has policy assignments inherited from Jumpstart root management group.
Initially this scope only has policy assignments inherited from Jumpstart root management group.
Initially this scope only has policy assignments inherited from Jumpstart root management group.
Initially this scope only has policy assignments inherited from the Jumpstart root and [landing zones management group scopes.
Customizations depends on the features or policies desired to be changed. Multiple features uses policies as their deployment result and some policies are deployed by default tight with no feature. All policies can be customized, but in most cases it is advanced approach.
| Policy Assignment Name | Definition Type | Description |
|---|---|---|
| "Deploy-ASC-Monitoring" | Initiative | Azure Security Benchmark |
| "Deploy-MDFC-Config" | Custom Initiative | Deploy Microsoft Defender for Cloud configuration and Security Contacts. |
| "Deploy-AzActivity-Log" | Policy | Deploys the diagnostic settings for Azure Activity to stream subscriptions audit logs to a Log Analytics workspace to monitor subscription-level events |
| "Deny-RSG-Locations" | Policy | Specifies the allowed locations (regions) where Resource Groups can be deployed. |
| "Deploy-Resource-Diag" | Custom Initiative | Ensures that Azure resources are configured to forward diagnostic logs and metrics to an Azure Log Analytics workspace. |
| "Deny-NSG-InboundRule-Any" | Custom Policy | This policy denies creation of NSG inbound rules where the source is '*' or 'Any' to enhance security |
| "Deny-Resource-Locations" | Policy | Specifies the allowed locations (regions) where Resources can be deployed. |
| "ISO-27001-2013" | Initiative | This initiative includes audit and virtual machine extension deployment policies that address a subset of ISO 27001:2013 controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/iso27001-init. |
| "NW-agent-for-windows" | Custom Policy | Deploy Network Watcher agent for Windows virtual machines if the virtual machine image is in the list defined and the agent is not installed. |
| "NW-agent-for-linux" | Custom Policy | Deploy Network Watcher agent for Linux virtual machines if the VM Image (OS) is in the list defined and the agent is not installed. |
| "SQL-Auditing" | Custom Policy | Enable SQL Auditing on server level for PaaS to send logs to Log Analytics Workspace. |
| "Deploy-Update-Lin-Agent " | Custom Policy | Configure auto-assessment (every 24 hours) for OS updates on native Azure virtual machines. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. |
| " Deploy-Update-Win-Agen" | Custom Policy | Configure auto-assessment (every 24 hours) for OS updates on native Azure virtual machines. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. |
| Policy Display Name | Description |
|---|---|
| Configure Azure Defender for App Service to be enabled | Enables Microsoft Defender for App Service to monitor and protect web apps from common attacks. |
| Configure Azure Defender for Azure SQL database to be enabled | Enables Defender for Azure SQL Databases to detect anomalous and potentially harmful database activities. |
| Configure Azure Defender for open-source relational databases to be enabled | Ensures Defender is enabled for open-source relational databases to detect suspicious access or exploitation attempts. |
| Configure Azure Defender for Resource Manager to be enabled | Enables Defender for Azure Resource Manager to monitor for threats targeting management operations. |
| Configure Azure Defender for SQL servers on machines to be enabled | Turns on Defender for SQL servers running on machines to detect threats and vulnerabilities. |
| Configure Azure Kubernetes Service clusters to enable Defender profile | Ensures AKS clusters have Defender profile enabled for runtime protection and hardening. |
| Configure machines to receive a vulnerability assessment provider | Ensures virtual machines are configured to use a vulnerability assessment solution for security analysis. |
| Configure Microsoft Defender CSPM plan | Enables Defender Cloud Security Posture Management for enhanced visibility and risk reduction. |
| Configure Microsoft Defender for Azure Cosmos DB to be enabled | Enables Defender for Cosmos DB to detect anomalous database access and potential exploits. |
| Configure Microsoft Defender for Containers to be enabled | Enables Defender for Containers to provide protection for Kubernetes and containerized workloads. |
| Configure Microsoft Defender for Key Vault plan | Enables Defender for Key Vault to detect suspicious and unauthorized access attempts. |
| Configure Microsoft Defender for Servers plan | Enables Defender for Servers to protect VMs and hybrid machines with advanced threat detection. |
| Configure Microsoft Defender for Storage to be enabled | Enables Defender for Storage to detect potential threats such as malware or data exfiltration. |
| Configure Microsoft Defender threat protection for AI Services | Enables Defender’s threat protection for AI-based services. |
| Deploy Azure Policy Add-on to Azure Kubernetes Service clusters | Deploys the Azure Policy add-on to AKS clusters for governance and compliance monitoring. |
| Deploy export to Log Analytics workspace for Microsoft Defender for Cloud data | Exports Defender for Cloud data to a Log Analytics workspace for analysis and monitoring. |
| Deploy Microsoft Defender for Cloud Security Contacts | Configures security contacts in Defender for Cloud to receive alerts and notifications. |
| Setup subscriptions to transition to an alternative vulnerability assessment solution | Ensures subscriptions transition to the built-in Defender Vulnerability Management solution. |
| Policy Display Name | Description |
|---|---|
| Deploy-Diagnostics-Storage | Deploys diagnostic settings for Storage accounts to stream resource logs to a Log Analytics workspace when missing. |
| Deploy-Diagnostics-KeyVault | Deploys diagnostic settings for Key Vault to stream logs to a Log Analytics workspace when missing. |
| Deploy-Diagnostics-EventHub | Deploys diagnostic settings for Event Hub to stream logs to a Log Analytics workspace when missing. |
| Deploy-Diagnostics-LogicApps | Deploys diagnostic settings for Logic Apps to stream logs to a Log Analytics workspace when missing. |
| Deploy-Diagnostics-ServiceBus | Deploys diagnostic settings for Service Bus to stream logs to a Log Analytics workspace when missing. |
| Deploy-Diagnostics-StreamAnalytics | Deploys diagnostic settings for Stream Analytics to stream logs to a Log Analytics workspace when missing. |
| Deploy-Diagnostics-DataLakeAnalytics | Deploys diagnostic settings for Data Lake Analytics to stream logs to a Log Analytics workspace when missing. |
| Deploy-Diagnostics-Batch | Deploys diagnostic settings for Batch Account to stream logs to a Log Analytics workspace when missing. |
| Deploy-Diagnostics-VM | Deploys diagnostic settings for VMs to stream logs to a Log Analytics workspace when missing. |
| Deploy-Diagnostics-VNet | Deploys diagnostic settings for Virtual Networks to stream logs to a Log Analytics workspace when missing. |
| Deploy-Diagnostics-VMSS | Deploys diagnostic settings for VM Scale Sets to stream logs to a Log Analytics workspace when missing. |
| Deploy-Diagnostics-SQLDB | Deploys diagnostic settings for SQL Databases to stream logs to a Log Analytics workspace when missing. |
| Deploy-Diagnostics-AKS | Deploys diagnostic settings for AKS clusters to stream logs to a Log Analytics workspace when missing. |
| Deploy-Diagnostics-ExpressRoute | Deploys diagnostic settings for ExpressRoute to stream logs to a Log Analytics workspace when missing. |
| Deploy-Diagnostics-FrontDoor | Deploys diagnostic settings for Front Door to stream logs to a Log Analytics workspace when missing. |
| Deploy-Diagnostics-LoadBalancer | Deploys diagnostic settings for Load Balancers to stream logs to a Log Analytics workspace when missing. |
| Deploy-Diagnostics-IoTHub | Deploys diagnostic settings for IoT Hub to stream logs to a Log Analytics workspace when missing. |
| Deploy-Diagnostics-RedisCache | Deploys diagnostic settings for Redis Cache to stream logs to a Log Analytics workspace when missing. |
| Deploy-Diagnostics-VPNGateway | Deploys diagnostic settings for VPN Gateway to stream logs to a Log Analytics workspace when missing. |
| Deploy-Diagnostics-NSG | Deploys diagnostic settings for NSGs to stream logs to a Log Analytics workspace when missing. |
| Deploy-Diagnostics-AppGateway | Deploys diagnostic settings for Application Gateway to stream logs to a Log Analytics workspace when missing. |
| Deploy-Diagnostics-TrafficMgr | Deploys diagnostic settings for Traffic Manager to stream logs to a Log Analytics workspace when missing. |
| Deploy-Diagnostics-APIMgmt | Deploys diagnostic settings for API Management to stream logs to a Log Analytics workspace when missing. |
| Deploy-Diagnostics-Automation | Deploys diagnostic settings for Automation Account to stream logs to a Log Analytics workspace when missing. |
| Deploy-Diagnostics-AppInsights | Deploys diagnostic settings for Application Insights to stream logs to a Log Analytics workspace when missing. |
| Deploy-Diagnostics-DataFactory | Deploys diagnostic settings for Data Factory to stream logs to a Log Analytics workspace when missing. |
| Deploy-Diagnostics-HDInsight | Deploys diagnostic settings for HDInsight clusters to stream logs to a Log Analytics workspace when missing. |
| Deploy-Diagnostics-CognitiveServices | Deploys diagnostic settings for Cognitive Services to stream logs to a Log Analytics workspace when missing. |
| Deploy-Diagnostics-EventGrid | Deploys diagnostic settings for Event Grid to stream logs to a Log Analytics workspace when missing. |
| Deploy-Diagnostics-DataLakeStorageGen2 | Deploys diagnostic settings for Data Lake Storage Gen2 to stream logs to a Log Analytics workspace when missing. |
| Deploy-Diagnostics-ContainerRegistry | Deploys diagnostic settings for Container Registry to stream logs to a Log Analytics workspace when missing. |
| Deploy-Diagnostics-FrontDoorStd | Deploys diagnostic settings for Front Door Standard/Premium to stream logs to a Log Analytics workspace when missing. |
| Deploy-Diagnostics-ManagedIdentity | Deploys diagnostic settings for Managed Identity to stream logs to a Log Analytics workspace when missing. |
| Deploy-Diagnostics-HSM | Deploys diagnostic settings for Managed HSM to stream logs to a Log Analytics workspace when missing. |
| Deploy-Diagnostics-SQLMI | Deploys diagnostic settings for SQL Managed Instance to stream logs to a Log Analytics workspace when missing. |
| Deploy-Diagnostics-Synapse | Deploys diagnostic settings for Synapse Analytics to stream logs to a Log Analytics workspace when missing. |
| Deploy-Diagnostics-WebPubSub | Deploys diagnostic settings for Web PubSub to stream logs to a Log Analytics workspace when missing. |
| Deploy-Diagnostics-SignalR | Deploys diagnostic settings for SignalR Service to stream logs to a Log Analytics workspace when missing. |
| Deploy-Diagnostics-PrivateLink | Deploys diagnostic settings for Private Link to stream logs to a Log Analytics workspace when missing. |
| Deploy-Diagnostics-Bastion | Deploys diagnostic settings for Bastion to stream logs to a Log Analytics workspace when missing. |
| Deploy-Diagnostics-AppConfig | Deploys diagnostic settings for App Configuration to stream logs to a Log Analytics workspace when missing. |
| Deploy-Diagnostics-MySQL | Deploys diagnostic settings for Azure Database for MySQL to stream logs to a Log Analytics workspace when missing. |
| Deploy-Diagnostics-PostgreSQL | Deploys diagnostic settings for Azure Database for PostgreSQL to stream logs to a Log Analytics workspace when missing. |
| Deploy-Diagnostics-MariaDB | Deploys diagnostic settings for Azure Database for MariaDB to stream logs to a Log Analytics workspace when missing. |
| Deploy-Diagnostics-SQLMIArc | Deploys diagnostic settings for Azure Arc-enabled SQL Managed Instance to stream logs to a Log Analytics workspace when missing. |
| Deploy-Diagnostics-PostgreSQLArc | Deploys diagnostic settings for Azure Arc-enabled PostgreSQL Hyperscale to stream logs to a Log Analytics workspace when missing. |
| Deploy-Diagnostics-MediaServices | Deploys diagnostic settings for Media Services to stream logs to a Log Analytics workspace when missing. |
| Deploy-Diagnostics-SpringApps | Deploys diagnostic settings for Azure Spring Apps to stream logs to a Log Analytics workspace when missing. |
| Deploy-Diagnostics-CommServices | Deploys diagnostic settings for Azure Communication Services to stream logs to a Log Analytics workspace when missing. |
| Deploy-Diagnostics-AppServiceEnv | Deploys diagnostic settings for App Service Environment to stream logs to a Log Analytics workspace when missing. |
| Deploy-Diagnostics-CognitiveSearch | Deploys diagnostic settings for Azure Cognitive Search to stream logs to a Log Analytics workspace when missing. |
| Deploy-Diagnostics-FrontDoorPremium | Deploys diagnostic settings for Front Door Premium to stream logs to a Log Analytics workspace when missing. |
| Deploy-Diagnostics-SignalRStd | Deploys diagnostic settings for SignalR Service Standard/Premium to stream logs to a Log Analytics workspace when missing. |
| Deploy-Diagnostics-EventHubNamespace | Deploys diagnostic settings for Event Hubs Namespace to stream logs to a Log Analytics workspace when missing. |
| Deploy-Diagnostics-RedisCachePremium | Deploys diagnostic settings for Redis Cache Premium to stream logs to a Log Analytics workspace when missing. |
| Deploy-Diagnostics-VPNGatewayHighPerf | Deploys diagnostic settings for VPN Gateway High-Performance SKUs to stream logs to a Log Analytics workspace when missing. |
| Deploy-Diagnostics-NIC | Deploys diagnostic settings for Network Interfaces to stream logs to a Log Analytics workspace when missing. |
| Deploy-Diagnostics-LoadBalancerStandard | Deploys diagnostic settings for Load Balancer Standard to stream logs to a Log Analytics workspace when missing. |
| Deploy-Diagnostics-ApplicationInsightsClassic | Deploys diagnostic settings for classic Application Insights resources to stream logs to a Log Analytics workspace when missing. |
| Deploy-Diagnostics-StoragePremium | Deploys diagnostic settings for Storage Accounts Premium to stream logs to a Log Analytics workspace when missing. |
| Deploy-Diagnostics-ExpressRoutePremium | Deploys diagnostic settings for ExpressRoute Premium SKUs to stream logs to a Log Analytics workspace when missing. |
| Deploy-Diagnostics-ApplicationGatewayWAF | Deploys diagnostic settings for Application Gateway WAF to stream logs to a Log Analytics workspace when missing. |
| Deploy-Diagnostics-FrontDoorStandard | Deploys diagnostic settings for Front Door Standard to stream logs to a Log Analytics workspace when missing. |
| Deploy-Diagnostics-APIManagementPremium | Deploys diagnostic settings for API Management Service Premium to stream logs to a Log Analytics workspace when missing. |
| Deploy-Diagnostics-SQLDBPremium | Deploys diagnostic settings for SQL Database Premium tiers to stream logs to a Log Analytics workspace when missing. |
| Deploy-Diagnostics-StorageBlob | Deploys diagnostic settings specifically for Storage Blob service to stream logs to a Log Analytics workspace when missing. |
| Deploy-Diagnostics-StorageQueue | Deploys diagnostic settings specifically for Storage Queue service to stream logs to a Log Analytics workspace when missing. |
| Deploy-Diagnostics-StorageTable | Deploys diagnostic settings specifically for Storage Table service to stream logs to a Log Analytics workspace when missing. |
| Deploy-Diagnostics-StorageFile | Deploys diagnostic settings specifically for Storage File service to stream logs to a Log Analytics workspace when missing. |
| Deploy-Diagnostics-ApplicationGatewayStandard | Deploys diagnostic settings for Application Gateway Standard to stream logs to a Log Analytics workspace when missing. |
| Deploy-Diagnostics-VNetGateway | Deploys diagnostic settings for Virtual Network Gateway to stream logs to a Log Analytics workspace when missing. |
| Deploy-Diagnostics-VMSSPremium | Deploys diagnostic settings for Virtual Machine Scale Sets Premium SKUs to stream logs to a Log Analytics workspace when missing. |
| Deploy-Diagnostics-AKSAdvanced | Deploys diagnostic settings for AKS clusters with advanced monitoring to stream logs to a Log Analytics workspace when missing. |
| Deploy-Diagnostics-KeyVaultSoftDelete | Deploys diagnostic settings for Key Vault with soft delete enabled to stream logs to a Log Analytics workspace when missing. |
This scope also inherits all the policy assignments from the Jumpstart root and platform management group scopes.
| Policy Assignment Name | Definition Type | Description |
|---|---|---|
| "Enable-DDoS-VNET" | Policy | Protect your virtual networks against volumetric and protocol attacks with Azure DDoS Protection Standard. For more information, visit https://aka.ms/ddosprotectiondocs. |
This scope also inherits all the policy assignments from the Jumpstart root and platform management group scopes.
| Policy Assignment Name | Definition Type | Description |
|---|---|---|
| "Deny-Public-IP" | Custom Policy | This policy denies creation of Public IPs under the assigned scope. |
| "Deny-RDP-From-Internet" | Custom Policy | This policy denies any network security rule that allows RDP access from Internet. |
| "Deny-Subnet-Without-Nsg" | Custom Policy | This policy denies the creation of a subnet without a Network Security Group to protect traffic across subnets. |
| "Deploy-VM-Backup" | Policy | Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupExcludeTag. |
This scope also inherits all the policy assignments from the Jumpstart root and platform management group scopes.
| Policy Assignment Name | Definition Type | Description |
|---|---|---|
| "Deploy-Log-Analytics" | Policy | Deploy resource group containing Log Analytics workspace and linked automation account to centralize logs and monitoring. The automation account is a prerequisite for solutions like Updates and Change Tracking. |
This scope also inherits all the policy assignments from the Jumpstart root.
| Policy Assignment Name | Definition Type | Description |
|---|---|---|
| "Deny-IP-Forwarding" | Policy | This policy denies the network interfaces which enabled IP forwarding. The setting of IP forwarding disables Azure's check of the source and destination for a network interface. This should be reviewed by the network security team. |
| "Deny-RDP-From-Internet" | Custom Policy | This policy denies any network security rule that allows RDP access from Internet. |
| "Deny-Resource-Types" | Policy | Specifies the Resource Types to deny deployment by policy. |
| "Deny-Subnet-Without-Nsg" | Custom Policy | This policy denies the creation of a subnet without a Network Security Group to protect traffic across subnets. |
| "Deny-Storage-http" | Policy | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking. |
| "Deploy-AKS-Policy" | Policy | Use Azure Policy Add-on to manage and report on the compliance state of your Azure Kubernetes Service (AKS) clusters. For more information, see https://aka.ms/akspolicydoc. |
| "Deploy-SQL-DB-Auditing" | Policy | Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. |
| "Deploy-SQL-Threat" | Policy | Enable Azure Defender on your Azure SQL Servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. |
| "Deploy-VM-Backup" | Policy | Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupExcludeTag. |
| "Deny-Priv-Escalation-AKS" | Policy | Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. |
| "Deny-Priv-Containers-AKS" | Policy | Do not allow privileged containers creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. |
| "Enable-DDoS-VNET" | Policy | Protect your virtual networks against volumetric and protocol attacks with Azure DDoS Protection Standard. For more information, visit https://aka.ms/ddosprotectiondocs. |
| "Enforce-AKS-HTTPS" | Policy | Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for AKS Engine and Azure Arc enabled Kubernetes. For more info, visit https://aka.ms/kubepolicydoc. |
| "Enforce-TLS-SSL" | Custom Policy | Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing existence condition require then the combination of Audit. |
This scope also inherits all the policy assignments from the Jumpstart root and landing zones management group scopes.
| Policy Assignment Name | Definition Type | Description |
|---|---|---|
| "Deny-Public-Endpoints" | Custom Initiative | This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints. |
| "Deploy-Private-DNS-Zones" | Custom Initiative | This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones. |
| "Deny-Databricks-Sku" | Custom Policy | This policy Enforces the use of Premium Databricks workspaces to make sure appropriate security features are available including Databricks Access Controls, Credential Passthrough and SCIM provisioning for Microsoft Entra ID. |
| "Deny-Databricks-VirtualNetwork" | Custom Policy | This policy Enforces the use of vnet injection for Databricks workspaces. |
| "Deny-Databricks-NoPublicIp" | Custom Policy | This policy Prevent the deployment of Databricks workspaces that do not use the noPublicIp feature to host Databricks clusters without public IPs. |
| Policy Display Name | Description |
|---|---|
| Logic apps should disable public network access | Disabling public network access improves security by ensuring that the Logic App is not exposed on the public internet. (azadvertizer.net) |
| API Management should disable public network access to the service configuration endpoints | Prevents creation of a public endpoint for API Management service configuration. (github.com) |
| Public network access should be disabled for PaaS services | This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints. (azadvertizer.net) |
| Deny‑PublicEndpoint‑CosmosDB | Denies creation of public endpoints on Azure Cosmos DB resources. (techcommunity.microsoft.com) |
| Deny‑PublicEndpoint‑MariaDB | Denies creation of public endpoints on Azure Database for MariaDB servers. (techcommunity.microsoft.com) |
| Deny‑PublicEndpoint‑MySQL | Denies creation of public endpoints on Azure Database for MySQL servers. (techcommunity.microsoft.com) |
| Deny‑PublicEndpoint‑PostgreSql | Denies creation of public endpoints on Azure Database for PostgreSQL servers. (techcommunity.microsoft.com) |
| Deny‑PublicEndpoint‑KeyVault | Denies creation of public endpoints on Key Vaults. (techcommunity.microsoft.com) |
| Deny‑PublicEndpoint‑Sql | Denies creation of public endpoints on Azure SQL resources. (techcommunity.microsoft.com) |
| Deny‑PublicEndpoint‑Storage | Denies creation of public endpoints on Storage accounts. (techcommunity.microsoft.com) |
| Deny‑PublicEndpoint‑AKS | Denies creation of public endpoints on Azure Kubernetes Service clusters. (techcommunity.microsoft.com) |
| Deny‑PublicEndpoint‑AppConfig | Denies creation of public endpoints on Azure App Configuration resources. (techcommunity.microsoft.com) |
| Deny‑PublicEndpoint‑Automation | Denies creation of public endpoints on Azure Automation Accounts. (techcommunity.microsoft.com) |
| Deny‑PublicEndpoint‑EventHub | Denies creation of public endpoints on Event Hubs namespaces. (techcommunity.microsoft.com) |
| Deny‑PublicEndpoint‑ServiceBus | Denies creation of public endpoints on Service Bus namespaces. (techcommunity.microsoft.com) |
| Deny‑PublicEndpoint‑StorageQueue | Denies creation of public endpoints on Storage Queue service. (techcommunity.microsoft.com) |
| Deny‑PublicEndpoint‑StorageTable | Denies creation of public endpoints on Storage Table service. (techcommunity.microsoft.com) |
| Deny‑PublicEndpoint‑StorageBlob | Denies creation of public endpoints on Storage Blob service. (techcommunity.microsoft.com) |
| Deny‑PublicEndpoint‑StorageFile | Denies creation of public endpoints on Storage File service. (techcommunity.microsoft.com) |
| Deny‑PublicEndpoint‑KeyVaultManagedHSM | Denies creation of public endpoints on Managed HSM instances. (techcommunity.microsoft.com) |
| Deny‑PublicEndpoint‑CosmosDBCassandra | Denies creation of public endpoints on Azure Cosmos DB Cassandra API accounts. (techcommunity.microsoft.com) |
| Deny‑PublicEndpoint‑CosmosDBMongo | Denies creation of public endpoints on Azure Cosmos DB Mongo API accounts. (techcommunity.microsoft.com) |
| Deny‑PublicEndpoint‑CosmosDBGremlin | Denies creation of public endpoints on Azure Cosmos DB Gremlin API accounts. (techcommunity.microsoft.com) |
| Deny‑PublicEndpoint‑CosmosDBSQL | Denies creation of public endpoints on Azure Cosmos DB SQL API accounts. (techcommunity.microsoft.com) |
| Deny‑PublicEndpoint‑CosmosDBTable | Denies creation of public endpoints on Azure Cosmos DB Table API accounts. (techcommunity.microsoft.com) |
| Deny‑PublicEndpoint‑AppService | Denies creation of public endpoints on App Service plans and web apps. (techcommunity.microsoft.com) |
| Deny‑PublicEndpoint‑FunctionApp | Denies creation of public endpoints on Azure Function Apps. (techcommunity.microsoft.com) |
| Deny‑PublicEndpoint‑EventHubCapture | Denies creation of public endpoints on Event Hub Capture enabled namespaces. (techcommunity.microsoft.com) |
| Deny‑PublicEndpoint‑ServiceBusPremium | Denies creation of public endpoints on Service Bus Premium SKUs. (techcommunity.microsoft.com) |
| Deny‑PublicEndpoint‑ContainerRegistry | Denies creation of public endpoints on Azure Container Registries. (techcommunity.microsoft.com) |
| Deny‑PublicEndpoint‑RedisCacheStandard | Denies creation of public endpoints on Redis Cache Standard SKUs. (techcommunity.microsoft.com) |
| Deny‑PublicEndpoint‑RedisCachePremium | Denies creation of public endpoints on Redis Cache Premium SKUs. (techcommunity.microsoft.com) |
| Deny‑PublicEndpoint‑EventGrid | Denies creation of public endpoints on Event Grid topics and domains. (techcommunity.microsoft.com) |
| Deny‑PublicEndpoint‑SignalR | Denies creation of public endpoints on SignalR Service instances. (techcommunity.microsoft.com) |
| Deny‑PublicEndpoint‑ServiceFabric | Denies creation of public endpoints on Service Fabric clusters. (techcommunity.microsoft.com) |
| Deny‑PublicEndpoint‑SpringApps | Denies creation of public endpoints on Azure Spring Apps. (techcommunity.microsoft.com) |
| Policy Display Name | Description |
|---|---|
| Deploy-PrivateDNS-AKS | Configure Azure Kubernetes Service clusters to use private DNS zones for their private endpoints. |
| Deploy-PrivateDNS-AppConfig | Configure Azure App Configuration resources to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-AppService | Configure Azure App Service plans and apps to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-Automation | Configure Azure Automation Accounts to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-Batch | Configure Azure Batch accounts to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-CognitiveServices | Configure Cognitive Services resources to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-ContainerRegistry | Configure Container Registries to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-CosmosDB | Configure Azure Cosmos DB accounts to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-EventGrid | Configure Event Grid topics and domains to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-EventHub | Configure Event Hub namespaces to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-KeyVault | Configure Key Vaults to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-LogicApps | Configure Logic Apps to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-MySQL | Configure Azure Database for MySQL servers to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-PostgreSQL | Configure Azure Database for PostgreSQL servers to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-RedisCache | Configure Redis Cache instances to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-SQLDB | Configure Azure SQL Databases to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-Storage | Configure Storage accounts to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-Synapse | Configure Azure Synapse Analytics workspaces to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-WebPubSub | Configure Azure Web PubSub service instances to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-SpringApps | Configure Azure Spring Apps to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-APIManagement | Configure API Management instances to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-AppInsights | Configure Application Insights resources to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-FrontDoor | Configure Front Door Standard/Premium to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-FrontDoorClassic | Configure classic Front Door instances to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-FrontDoorPremium | Configure Front Door Premium to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-SignalR | Configure SignalR Service instances to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-ContainerApps | Configure Azure Container Apps to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-StorageBlob | Configure Storage Blob service to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-StorageQueue | Configure Storage Queue service to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-StorageTable | Configure Storage Table service to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-StorageFile | Configure Storage File service to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-PrivateLinkScope | Configure Private Link Scope resources to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-DataFactory | Configure Data Factory instances to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-HDInsight | Configure HDInsight clusters to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-Search | Configure Azure Cognitive Search resources to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-EventHubCapture | Configure Event Hub Capture enabled namespaces to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-Bastion | Configure Azure Bastion hosts to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-VPNGateway | Configure Virtual Network Gateways to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-LoadBalancer | Configure Standard Load Balancers to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-NIC | Configure Network Interfaces to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-SQLMI | Configure SQL Managed Instances to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-PostgreSQLArc | Configure Azure Arc-enabled PostgreSQL Hyperscale instances to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-SQLMIArc | Configure Azure Arc-enabled SQL Managed Instances to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-MariaDB | Configure Azure Database for MariaDB servers to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-MySQLFlexible | Configure Azure Database for MySQL Flexible servers to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-PostgreSQLFlexible | Configure Azure Database for PostgreSQL Flexible servers to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-CosmosDBCassandra | Configure Cosmos DB Cassandra API accounts to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-CosmosDBMongo | Configure Cosmos DB Mongo API accounts to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-CosmosDBSQL | Configure Cosmos DB SQL API accounts to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-CosmosDBGremlin | Configure Cosmos DB Gremlin API accounts to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-CosmosDBTable | Configure Cosmos DB Table API accounts to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-MediaServices | Configure Media Services accounts to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-CommunicationServices | Configure Azure Communication Services to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-FrontDoorManagement | Configure Front Door management endpoints to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-AppServiceEnvironment | Configure App Service Environment to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-SpringCloud | Configure Azure Spring Apps to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-WebApp | Configure Web Apps to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-FunctionApp | Configure Azure Function Apps to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-StreamAnalytics | Configure Stream Analytics jobs to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-EventHubNamespace | Configure Event Hub namespaces to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-ServiceBusNamespace | Configure Service Bus namespaces to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-RedisCachePremium | Configure Redis Cache Premium SKUs to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-RedisCacheStandard | Configure Redis Cache Standard SKUs to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-ApplicationGateway | Configure Application Gateway to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-ExpressRoute | Configure ExpressRoute instances to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-VNetGatewayHighPerf | Configure High-Performance Virtual Network Gateways to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-NetworkWatcher | Configure Network Watcher resources to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-SignalRStandard | Configure SignalR Service Standard/Premium to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-PrivateLinkService | Configure Private Link Services to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-AppConfigAdvanced | Configure advanced App Configuration instances to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-StorageAdvanced | Configure advanced Storage Accounts to use private DNS zones for private endpoints. |
Terraform IaC via Azure DevOps pipelines.
It is part of the Jumpstart rollout.
Each definition and assignment deployed with Jumpstart can be managed as per customer requirements via Azure Portal.
To manage each definition and assignment deployed with Jumpstart, requires Jumpstart Azure platform owner for Platform subscriptions and management groups. Landing Zone owner access is required for modifying definitions and assignments deployed with Landing zone scope.