diff --git a/docs/reference/adventureworks/README.md b/docs/reference/adventureworks/README.md index c186896a4f..0324c3aed4 100644 --- a/docs/reference/adventureworks/README.md +++ b/docs/reference/adventureworks/README.md @@ -25,10 +25,10 @@ Please refer to the [Enterprise-Scale Landing Zones User Guide](https://github.c If customer started with a Enterprise-Scale foundation deployment, and if the business requirements changes over time, such as migration of on-premise applications to Azure that requires hybrid connectivity, you will simply create the **Connectivity** Subscription, place it into the **Platform > Connectivity** Management Group and assign Azure Policy for the hub and spoke network topology. -## Pre-requisites +## Prerequisites -To deploy this ARM template, your user/service principal must have Owner permission at the Tenant root. -See the following [instructions](../../EnterpriseScale-Setup-azure.md) on how to grant access. +To deploy this ARM template, there are a number of prerequisites that must be met. +See [here](../../wiki/Deploying-ALZ-Pre-requisites.md) for more details. ### Optional prerequisites diff --git a/docs/reference/contoso/Readme.md b/docs/reference/contoso/Readme.md index 748c58f284..df141ab03b 100644 --- a/docs/reference/contoso/Readme.md +++ b/docs/reference/contoso/Readme.md 
@@ -22,10 +22,10 @@ Please refer to [Enterprise-Scale Landing Zones User Guide](https://github.com/A If customer started with a Enterprise-Scale foundation deployment, and if the business requirements changes over time, such as migration of on-prem applications to Azure that requires hybrid connectivity, you will simply create the **Connectivity** Subscription and place it into the **Platform > Connectivity** Management Group and assign Azure Policy for the VWAN network topology. -## Pre-requisites +## Prerequisites -To deploy this ARM template, your user/service principal must have Owner permission at the Tenant root. -See the following [instructions](../../EnterpriseScale-Setup-azure.md) on how to grant access. +To deploy this ARM template, there are a number of prerequisites that must be met. +See [here](../../wiki/Deploying-ALZ-Pre-requisites.md) for more details. ### Optional prerequisites diff --git a/docs/reference/treyresearch/README.md b/docs/reference/treyresearch/README.md index 204ff32206..a91656c496 100644 --- a/docs/reference/treyresearch/README.md +++ b/docs/reference/treyresearch/README.md @@ -20,9 +20,10 @@ Please refer to [Enterprise-Scale Landing Zones User Guide](https://github.com/A If the business requirements change over time, the architecture allows for creating additional subscriptions and placing them into the suitable management group and assigning Azure policies. For more details, see the next steps section at the end of this document. -## Pre-requisites +## Prerequisites -To deploy this ARM template, your user/service principal must have Owner permission at the Microsoft Entra Tenant root. See the following [instructions](https://learn.microsoft.com/azure/role-based-access-control/elevate-access-global-admin) on how to grant access before you proceed. +To deploy this ARM template, there are a number of prerequisites that must be met. +See [here](../../wiki/Deploying-ALZ-Pre-requisites.md) for more details. ## Optional pre-requisites 
diff --git a/docs/reference/wingtip/README.md b/docs/reference/wingtip/README.md index f539bf1cbf..1364b45a71 100644 --- a/docs/reference/wingtip/README.md +++ b/docs/reference/wingtip/README.md @@ -17,10 +17,10 @@ Please refer to [Enterprise-Scale Landing Zones User Guide](https://github.com/A If the business requirements changes over time, such as migration of on-prem applications to Azure that requires hybrid connectivity, the architecture allows you to expand and implement networking without refactoring Azure Design with no disruption to what is already in Azure. The Enterprise-Scale architecture allows to create the Connectivity Subscription and place it into the platform Management Group and assign Azure Policies or/and deploy the target networking topology using either Virtual WAN or Hub and Spoke networking topology. For more details, see the *next steps* section at the end of this document. -## Pre-requisites +## Prerequisites -To deploy this ARM template, your user/service principal must have Owner permission at the Tenant root. -See the following [instructions](../../EnterpriseScale-Setup-azure.md) on how to grant access before you proceed. +To deploy this ARM template, there are a number of prerequisites that must be met. +See [here](../../wiki/Deploying-ALZ-Pre-requisites.md) for more details. ### Optional pre-requisites diff --git a/docs/wiki/ALZ-Policies.md b/docs/wiki/ALZ-Policies.md index 0568c209fb..0a968c138e 100644 --- a/docs/wiki/ALZ-Policies.md +++ b/docs/wiki/ALZ-Policies.md @@ -67,7 +67,7 @@ This management group is a parent to all the other management groups created wit | **Policy Type** | **Count** | | :--- | :---: | -| `Policy Definition Sets` | **9** | +| `Policy Definition Sets` | **10** | | `Policy Definitions` | **2** | 
@@ -87,6 +87,8 @@ The table below provides the specific **Custom** and **Built-in** **policy defin | **Deny the Deployment of Classic Resources** | **Not allowed resource types** | `Policy Definition`, **Built-in** | Denies deployment of classic resource types under the assigned scope | Deny | | **Audit-UnusedResourcesCostOptimization** | **Audit-UnusedResourcesCostOptimization** | `Policy Definition Set`, **Custom** | Optimize cost by detecting unused but chargeable resources. Leverage this Azure Policy Initiative as a cost control tool to reveal orphaned resources that are contributing cost. | Audit | | **Deny Virtual Machines and Virtual Machine Scale Sets from not using OS Managed Disks** | **Deny Virtual Machines and Virtual Machine Scale Sets from not using OS Managed Disks** | `Policy Definition`, **Custom** | Deny virtual machines not using managed disk. It checks the managedDisk property on virtual machine OS Disk fields. | Deny | +| **Deploy Azure Monitor Baseline Alerts for Service Health** | **Deploy Azure Monitor Baseline Alerts for Service Health** | `Policy Definition Set`, **Custom** | Deploys service health alerts, action group and alert processing rule. For more detail on policies included please refer to https://aka.ms/amba/alz/wiki under Policy Initiatives/Service Health initiative. | DeployIfNotExists | + ### Platform @@ -126,7 +128,7 @@ This management group contains a dedicated subscription for connectivity. This s | **Policy Type** | **Count** | | :--- | :---: | -| `Policy Definition Sets` | **0** | +| `Policy Definition Sets` | **1** | | `Policy Definitions` | **1** | 
@@ -135,6 +137,7 @@ The table below provides the specific **Custom** and **Built-in** **policy defin | Assignment Name | Definition Name | Policy Type | Description | Effect(s) | | -------------------------------------------------------------------------- | -------------------------------------------------------------------------- | --------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------- | | **Virtual networks should be protected by Azure DDoS Network Protection** | **Virtual networks should be protected by Azure DDoS Network Protection** | `Policy Definition`, **Built-in** | Protect your virtual networks against volumetric and protocol attacks with Azure DDoS Network Protection. For more information, visit https://aka.ms/ddosprotectiondocs. | Modify | +| **Deploy Azure Monitor Baseline Alerts for Connectivity** | **Deploy Azure Monitor Baseline Alerts for Connectivity** | `Policy Definition Set`, **Custom** | Deploys alerting for connectivity related resources. For more detail on policies included please refer to https://aka.ms/amba/alz/wiki under Policy Initiatives/Connectivity initiative. | DeployIfNotExists | ### Management @@ -151,7 +154,7 @@ This management group contains a dedicated subscription for management, monitori | **Policy Type** | **Count** | | :--- | :---: | -| `Policy Definition Sets` | **0** | +| `Policy Definition Sets` | **1** | | `Policy Definitions` | **1** | 
@@ -160,6 +163,8 @@ The table below provides the specific **Custom** and **Built-in** **policy defin | Assignment Name | Definition Name | Policy Type | Description | Effect(s) | | ------------------------ | ---------------------------------------------------------------------------------------------- | --------------------------------- | ------------------------------------------------------------------------------------------------------------------------- | ----------------- | | **Deploy-Log-Analytics** | **Configure Log Analytics workspace and automation account to centralize logs and monitoring** | `Policy Definition`, **Built-in** | Deploy resource group containing Log Analytics workspace and linked automation account to centralize logs and monitoring. | DeployIfNotExists | +| **Deploy Azure Monitor Baseline Alerts for Management** | **Deploy Azure Monitor Baseline Alerts for Management** | `Policy Definition Set`, **Custom** | Deploys alerting for management related resources. For more detail on policies included please refer to https://aka.ms/amba/alz/wiki under Policy Initiatives/Management initiative. | DeployIfNotExists | + ### Identity @@ -176,7 +181,7 @@ This management group contains a dedicated subscription for identity. This subsc | **Policy Type** | **Count** | | :--- | :---: | -| `Policy Definition Sets` | **0** | +| `Policy Definition Sets` | **1** | | `Policy Definitions` | **4** | 
@@ -188,6 +193,7 @@ The table below provides the specific **Custom** and **Built-in** **policy defin | **Management port access from the Internet should be blocked** | **Management port access from the Internet should be blocked** | `Policy Definition`, **Custom** | This policy denies any network security rule that allows management port access from Internet (Default port 22, 3389). | Deny | | **Subnets should have a Network Security Group** | **Subnets should have a Network Security Group** | `Policy Definition`, **Custom** | This policy denies the creation of a subnet without a Network Security Group. NSG help to protect traffic across subnet-level. | Deny | | **Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy** | **Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy** | `Policy Definition`, **Built-in** | Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. | DeployIfNotExists | +| **Deploy Azure Monitor Baseline Alerts for Identity** | **Deploy Azure Monitor Baseline Alerts for Identity** | `Policy Definition Set`, **Custom** | Deploys alerting for identity related resources. For more detail on policies included please refer to https://aka.ms/amba/alz/wiki under Policy Initiatives/Identity initiative. | DeployIfNotExists | ### Landing Zones @@ -204,7 +210,7 @@ This is the parent management group for all the landing zone child management gr | **Policy Type** | **Count** | | :--- | :---: | -| `Policy Definition Sets` | **3** | +| `Policy Definition Sets` | **4** | | `Policy Definitions` | **14** | 
@@ -229,6 +235,7 @@ The table below provides the specific **Custom** and **Built-in** **policy defin | **Kubernetes clusters should not allow container privilege escalation** | **Kubernetes clusters should not allow container privilege escalation** | `Policy Definition`, **Built-in** | Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. | Audit | | **Kubernetes clusters should be accessible only over HTTPS** | **Kubernetes clusters should be accessible only over HTTPS** | `Policy Definition`, **Built-in** | Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for AKS Engine and Azure Arc enabled Kubernetes. | Deny | | **Web Application Firewall (WAF) should be enabled for Application Gateway** | **Web Application Firewall (WAF) should be enabled for Application Gateway** | `Policy Definition`, **Built-in** | Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. | Audit | +| **Deploy Azure Monitor Baseline Alerts for Landing Zone** | **Deploy Azure Monitor Baseline Alerts for Landing Zone** | `Policy Definition Set`, **Custom** | Deploys alerting for landing zone related resources. 
For more detail on policies included please refer to https://aka.ms/amba/alz/wiki under Policy Initiatives. | DeployIfNotExists | ### Corp diff --git a/docs/wiki/Deploying-ALZ-BasicSetup.md b/docs/wiki/Deploying-ALZ-BasicSetup.md index 44d45118cd..e49bbc9779 100644 --- a/docs/wiki/Deploying-ALZ-BasicSetup.md +++ b/docs/wiki/Deploying-ALZ-BasicSetup.md @@ -8,10 +8,7 @@ Please refer to [Trey Research reference implementation](https://github.com/Azur ## 1. Pre-requisites -### Required Permissions - -To provision Azure landing zone portal accelerator in your environment, **your user/service principal must have Owner permission at the Microsoft Entra Tenant root**. -Refer to these [instructions](./Deploying-Enterprise-Scale-Pre-requisites) on how to grant access before you proceed. +There are a number of prerequisites which need to be met before you can provision an Azure landing zones environment via the deployment experience in the Azure portal. See the following [instructions](./Deploying-ALZ-Pre-requisites.md) on how to grant access before you proceed. ### Subscriptions 
@@ -74,7 +71,6 @@ On the *Platform management, security, and governance* blade, you will: - Enable **Deploy Log Analytics workspace and enable monitoring for your platform and resources** to get a central [Log Analytics Workspace](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/data-platform-logs#log-analytics-and-workspaces) and an [Automation Account deployed](https://learn.microsoft.com/en-us/azure/automation/automation-intro) deployed, and a set of [Azure Policies](https://github.com/Azure/Enterprise-Scale/blob/main/docs/ESLZ-Policies.md) applied at the root of the Azure landing zone Management Group hierarchy to make sure Activity Logs from all your Subscriptions, and Diagnostic Logs from all your VMs and PaaS resources are sent to Log Analytics. - ![mgmtTab-enableLogs](./media/clip_image014-1-singlesubscription.jpg) - If required you can customize the retention time of your monitoring data from it's default of 30 days by using the **Log Analytics Data Retention (days)** slider. **Please note:** Increasing the retention time to more than 30 days will increase your costs. 
@@ -113,19 +109,11 @@ Click **Next: Platform Devops and Automation>** to configure how your Azure envi ![mgmtTab-next](./media/clip_image014asc-4-singlesubscription.jpg) -## 6. Platform DevOps and Automation - -Azure landing zone portal accelerator provides an integrated CI/CD pipeline via [AzOps](https://github.com/Azure/AzOps) that can be used with GitHub Actions. The *Platform Devops and Automation* tab allows you to bootstrap your CI/CD pipeline including your Azure landing zone deployment settings. For detailed steps for setting up this configuration, refer to the [Deploy Azure landing zone portal accelerator Platform DevOps and Automation](./Deploying-ALZ-Platform-DevOps) article. - -**In this tutorial, your Azure landing zone deployment will be triggered using the Azure Portal experience**. - -Set **Deploy integrated CI/CD pipeline** to **No**. - -![iacTab-next](./media/clip_image-iac-1-singlesubscription.jpg) +## 6. Baseline alerts and monitoring -Click **Next: Network topology and connectivity>** to proceed with configuring your network setup. +On the *Baseline alerts and monitoring* blade, you can configure automated alert configuration for the different scopes in your Azure landing zone implementation. Enabling the different baseline alerts will assign the relevant initiative to the corresponding management group. If you enable the "Deploy one or more Azure Monitor Baseline Alerts" option, you **must** provide an email address to get email notifications from Azure Monitor for the deployment to proceed. -![iacTab-next](./media/clip_image-iac-2-singlesubscription.jpg) +![baseline alerts and monitoring](./media/alz-portal-baselinealerts.jpg) ## 7. Network topology and connectivity 
@@ -256,7 +244,7 @@ In the top section you can **select** from a set of **recommended Azure policies In the bottom two sections you can choose to bring in N number of existing subscriptions that will be bootstrapped as landing zones, governed by Azure Policy: -![lzTab-intro](./media/clip_image037-1-singlesubscription.jpg) + - **Select the subscriptions you want to move to corp management group:** Corp Landing Zones are meant to host workloads that require connectivity to other resources within the corporate network via the Hub in the Platform Subscription. @@ -265,10 +253,7 @@ For Corp Landing Zones its virtual network can be connected (recommended) to the In this tutorial, a "Corp" Landing Zone is provisioned using an existing (empty) subscription and connected to the Hub virtual network previously configured. Please note, additional subscriptions can be added. - Set **Connect corp landing zones to the connectivity hub (optional)** to **Yes**, then **select** an empty subscription (*corp-subscription*) and assign an address space: - - ![lzTab-corpLZs](./media/clip_image037-2-singlesubscription.jpg) - + - **Select the subscriptions you want to move to online management group**: Online Landing Zones are meant to host workloads that do not require connectivity/hybrid connectivity with the corporate network or that not even require a virtual network. diff --git a/docs/wiki/Deploying-ALZ-CustomerUsage.md b/docs/wiki/Deploying-ALZ-CustomerUsage.md index 9d51eafd11..fb35f31c9f 100644 --- a/docs/wiki/Deploying-ALZ-CustomerUsage.md +++ b/docs/wiki/Deploying-ALZ-CustomerUsage.md 
@@ -27,6 +27,16 @@ The following are the unique ID's (also known as PIDs) used in each of the modul | ------------------------------------------------------------------------- | ------------------------------------ | | ALZ Accelerator/ESLZ ARM Deployment | 35c42e79-00b3-42eb-a9ac-e542953efb3c | | ALZ Accelerator/ESLZ ARM Deployment - Zero Trust Networking - Phase 1 | f09f64b8-5cb3-4b16-900d-6ba1df8a597e | +| ALZ Accelerator/ESLZ ARM Deployment - Azure Monitor baseline alerts | 5f0e5693-3998-4ae2-8115-ee96e38dac62 | + +## External modules telemetry tracking + +In addition to the above, there are a number of modules in external repos that are used in the ALZ ARM Template. Telemetry tracking for these modules is enabled or disabled via the same radio button toggle as described above, i.e. if telemetry tracking is enabled all the different PIDs will be deployed, conversely if it's disabled no PIDs will be deployed. The table below lists the different modules and link to PID documentation for same. + +| Module Name | PID documentation | +| ------------------------------------------------------------------------- | ------------------------------------ | +| [Azure Monitor Baseline Alerts for ALZ](https://aka.ms/amba) | [Telemetry](https://azure.github.io/azure-monitor-baseline-alerts/patterns/alz/Telemetry)| + ### What is Zero Trust Network Telemetry diff --git a/docs/wiki/Deploying-ALZ-Foundation.md b/docs/wiki/Deploying-ALZ-Foundation.md index 2e432dbbd6..42b1331197 100644 --- a/docs/wiki/Deploying-ALZ-Foundation.md +++ b/docs/wiki/Deploying-ALZ-Foundation.md 
@@ -4,7 +4,7 @@ This section will describe how to deploy an the Azure landing zone portal accele ## 1. Pre-requisites -To provision your Azure landing zones environment with the deployment experience in the Azure portal, your user/service principal must have Owner permission at the Microsoft Entra Tenant root. See the following [instructions](./Deploying-Enterprise-Scale-Pre-requisites) on how to grant access before you proceed. +There are a number of prerequisites which need to be met before you can provision an Azure landing zones environment via the deployment experience in the Azure portal. See the following [instructions](./Deploying-ALZ-Pre-requisites.md) on how to grant access before you proceed. ### Optional pre-requisites @@ -44,7 +44,14 @@ Please note that if you enable the "Deploy Azure Security Center and enable secu ![Azure Security Center Email Contact](./media/clip_image014asc.jpg) -## 6. Network topology and connectivity + +## 6. Baseline alerts and monitoring + +On the *Baseline alerts and monitoring* blade, you can configure automated alert configuration for the different scopes in your Azure landing zone implementation. Enabling the different baseline alerts will assign the relevant initiative to the corresponding management group. If you enable the "Deploy one or more Azure Monitor Baseline Alerts" option, you **must** provide an email address to get email notifications from Azure Monitor for the deployment to proceed. + +![baseline alerts and monitoring](./media/alz-portal-baselinealerts.jpg) + +## 7. Network topology and connectivity On the *Network topology and connectivity* blade, you can configure the core networking platform resources, such as hub virtual network, gateways (VPN and/or ExpressRoute), Azure Firewall, DDoS Network Protection and Azure Private DNS Zones for Azure PaaS services. To deploy and configure these network resources, you must select a network topology. 
@@ -52,7 +59,7 @@ On the *Network topology and connectivity* blade, you can configure the core net ![Network](https://user-images.githubusercontent.com/79409563/137819649-d1bb97eb-fda7-446a-b9cd-9f447306d3f6.jpg) -## 7. Identity +## 8. Identity On the *Identity* blade you can specify if you want to assign recommended policies to govern identity and domain controllers. If you decide to enable this feature, you do need to provide an empty subscription for this. You can then select which policies you want to get assigned. 
@@ -60,24 +67,24 @@ On the *Identity* blade you can specify if you want to assign recommended polici ![Identity](https://user-images.githubusercontent.com/79409563/137819658-2efaed58-14f0-46f6-81f5-ff1e6859e9d3.jpg) -## 8. Landing zone configuration +## 9. Landing zone configuration In the top section you can select which policies you want to assign broadly to all of your application landing zones. You also have the ability to set policies to *Audit only* which will assign the policies for Audit. In the bottom two sections you can optionally bring in N number of subscriptions that will be bootstrapped as landing zones, governed by Azure Policy. You can indicate which subscriptions you would like to be bootstrapped as landing zones for corp connectivity and which ones for online connectivity only. Please note that for this [scenario](https://github.com/Azure/Enterprise-Scale/blob/main/docs/reference/wingtip/README.md) we only require *online* landing zones. ![Landingzone](./media/alz-portal-landingzones.jpg) -## 9. Decommissioned/Sandbox +## 10. Decommissioned/Sandbox You can optionally choose to change whether default policy assignments for Decommissioned and Sandbox management groups are enabled, set to audit only or disabled. ![Decommissioned and Sandbox options](./media/alz-portal-decommsandbox.jpg) -## 10. Review + create +## 11. Review + create *Review + Create* page will validate your permission and configuration before you can click deploy. Once it has been validated successfully, you can click *Create* ![Graphical user interface, text, application, email Description automatically generated](./media/clip_image039.jpg) -## 11. Post deployment activities +## 12. Post deployment activities Once Azure landing zone portal accelerator has been deployed, you can grant your application teams/business units access to their respective landing zones. Whenever there is a need for a new landing zone, you can place them into the Online management group. 
\ No newline at end of file diff --git a/docs/wiki/Deploying-ALZ-HubAndSpoke.md b/docs/wiki/Deploying-ALZ-HubAndSpoke.md index d0e92f34a0..1b3b98fff1 100644 --- a/docs/wiki/Deploying-ALZ-HubAndSpoke.md +++ b/docs/wiki/Deploying-ALZ-HubAndSpoke.md @@ -4,7 +4,7 @@ This section will describe how to deploy the Azure landing zone portal accelerat ## 1. Pre-requisites -To provision your Azure environment with the deployment experience in the Azure portal, your user/service principal must have Owner permission at the Microsoft Entra Tenant root. See the following [instructions](./Deploying-Enterprise-Scale-Pre-requisites) on how to grant access before you proceed. +There are a number of prerequisites which need to be met before you can provision an Azure landing zones environment via the deployment experience in the Azure portal. See the following [instructions](./Deploying-ALZ-Pre-requisites.md) on how to grant access before you proceed. ### Optional pre-requisites 
@@ -44,7 +44,13 @@ Please note that if you enable the "Deploy Azure Security Center and enable secu ![Azure Security Center Email Contact](./media/clip_image014asc.jpg) -## 6. Network topology and connectivity +## 6. Baseline alerts and monitoring + +On the *Baseline alerts and monitoring* blade, you can configure automated alert configuration for the different scopes in your Azure landing zone implementation. Enabling the different baseline alerts will assign the relevant initiative to the corresponding management group. If you enable the "Deploy one or more Azure Monitor Baseline Alerts" option, you **must** provide an email address to get email notifications from Azure Monitor for the deployment to proceed. + +![baseline alerts and monitoring](./media/alz-portal-baselinealerts.jpg) + +## 7. Network topology and connectivity On the *Network topology and connectivity* blade, you will configure the core networking platform resources, such as hub virtual network, gateways (VPN and/or ExpressRoute), Azure Firewall, DDoS Network Protection and Azure Private DNS Zones for Azure PaaS services. To deploy and configure these network resources, you must: * In the Deploy network topology option, select either "Hub and spoke with Azure Firewall" or "Hub and spoke with your own third-party NVA". For this example, we will select the "Hub and spoke with Azure Firewall". 
@@ -69,12 +75,12 @@ Depending on your requirements, you may choose to deploy additional network infr ![img](./media/clip_image036b.png) -## 7. Identity +## 8. Identity On the *Identity* blade you can specify if you want to assign recommended policies to govern identity and domain controllers. If you decide to enable this feature, you do need to provide an empty subscription for this. You can then select which policies you want to get assigned, and you will need to provide the address space for the virtual network that will be deployed on this subscription. Please note that this virtual network will be connected to the hub virtual network via VNet peering. ![img](./media/clip_image036c.png) -## 8. Landing zone configuration +## 9. Landing zone configuration In the top section you can select which policies you want to assign broadly to all of your application landing zones. You also have the ability to set policies to *Audit only* which will assign the policies for Audit. 
@@ -86,18 +92,18 @@ As part of the policies that you can assign to your landing zones, the Azure lan ![Landing zone configuration](./media/clip_image037.jpg) -## 9. Decommissioned/Sandbox +## 10. Decommissioned/Sandbox You can optionally choose to change whether default policy assignments for Decommissioned and Sandbox management groups are enabled, set to audit only or disabled. ![Decommissioned and Sandbox options](./media/alz-portal-decommsandbox.jpg) -## 10. Review + create +## 11. Review + create *Review + Create* page will validate your permission and configuration before you can click deploy. Once it has been validated successfully, you can click *Create* ![Graphical user interface, text, application, email Description automatically generated](./media/clip_image039.jpg) -## 11. Post deployment activities +## 12. Post deployment activities Once Azure landing zone portal accelerator has deployed, you can grant your application teams/business units access to their respective landing zones. Whenever there’s a need for a new landing zone, you can place them into their respective management groups (Online or Corp) given the characteristics of assumed workloads and their requirements. diff --git a/docs/wiki/Deploying-ALZ-Pre-requisites.md b/docs/wiki/Deploying-ALZ-Pre-requisites.md index 68d3258c90..cba2e19a62 100644 --- a/docs/wiki/Deploying-ALZ-Pre-requisites.md +++ b/docs/wiki/Deploying-ALZ-Pre-requisites.md 
@@ -54,3 +54,12 @@ New-AzRoleAssignment -Scope '/' -RoleDefinitionName 'Owner' -ObjectId $user.Id ``` > Please note: sometimes it can take up to 15 minutes for permission to propagate at tenant root scope. It is highly recommended that you log out and log back in to refresh the token before you proceed with the deployment.* + +### Azure Monitor Baseline Alerts prerequisites + +The Azure Monitor Baseline Alerts are deployed as part of the Enterprise-Scale deployment, and they require the following: + +1. For the policies to work, the following Azure resource providers, normally registered by default, must be registered on all subscriptions in scope: + - Microsoft.AlertsManagement + - Microsoft.Insights +Please see [here](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/resource-providers-and-types#register-resource-provider) for details on how to register a resource provider should you need to do so. \ No newline at end of file diff --git a/docs/wiki/Deploying-ALZ-VWAN.md b/docs/wiki/Deploying-ALZ-VWAN.md index 82cc714d26..321145716f 100644 --- a/docs/wiki/Deploying-ALZ-VWAN.md +++ b/docs/wiki/Deploying-ALZ-VWAN.md @@ -4,7 +4,7 @@ This section will describe how to deploy Azure landing zone portal accelerator w ## 1. Pre-requisites -To provision your Azure environment with the deployment experience in the Azure portal, your user/service principal must have Owner permission at the Microsoft Entra ID Tenant root. See the following [instructions](./Deploying-Enterprise-Scale-Pre-requisites) on how to grant access before you proceed. +There are a number of prerequisites which need to be met before you can provision an Azure landing zones environment via the deployment experience in the Azure portal. See the following [instructions](./Deploying-ALZ-Pre-requisites.md) on how to grant access before you proceed. ### Optional pre-requisites 
@@ -44,11 +44,17 @@ Please note that if you enable the "Deploy Azure Security Center and enable secu ![Azure Security Center Email Contact](./media/clip_image014asc.jpg) -## 6. Network topology and connectivity +## 6. Baseline alerts and monitoring + +On the *Baseline alerts and monitoring* blade, you can configure automated alert configuration for the different scopes in your Azure landing zone implementation. Enabling the different baseline alerts will assign the relevant initiative to the corresponding management group. If you enable the "Deploy one or more Azure Monitor Baseline Alerts" option, you **must** provide an email address to get email notifications from Azure Monitor for the deployment to proceed. + +![baseline alerts and monitoring](./media/alz-portal-baselinealerts.jpg) + +## 7. Network topology and connectivity On the *Network topology and connectivity* blade, you will configure the core networking platform resources, such as hub virtual network, gateways (VPN and/or ExpressRoute), Azure Firewall, DDoS Network Protection and Azure Private DNS Zones for Azure PaaS services. To deploy and configure these network resources, you must select a network topology. For this scenario: -* Select "Virtual WAN (Microsoft managed)") as the network topology +* Select "Virtual WAN (Microsoft managed)" as the network topology * Provide a dedicated (empty) subscription that will be used to host the requisite networking infrastructure. * Provide the address space to be assigned to the vWAN hub * Select an Azure region where the first vWAN hub will be created 
@@ -63,13 +69,13 @@ Depending on your requirements, you may choose to deploy additional network infr ![vwan](./media/clip_image078.jpg) -## 7. Identity +## 8. Identity On the *Identity* blade you can specify if you want to assign recommended policies to govern identity and domain controllers. If you decide to enable this feature, you do need to provide an empty subscription for this. You can then select which policies you want to get assigned, and you will need to provide the address space for the virtual network that will be deployed on this subscription. Please note that this virtual network will be connected to the hub virtual network via VNet peering. ![img](./media/clip_image036c.png) -## 8. Landing zone configuration +## 9. Landing zone configuration In the top section you can select which policies you want to assign broadly to all of your application landing zones. You also have the ability to set policies to *Audit only* which will assign the policies for Audit. 
@@ -81,18 +87,18 @@ As part of the policies that you can assign to your landing zones, the Azure lan ![Graphical user interface, application Description automatically generated](./media/clip_image037.jpg) -## 9. Decommissioned/Sandbox +## 10. Decommissioned/Sandbox You can optionally choose to change whether default policy assignments for Decommissioned and Sandbox management groups are enabled, set to audit only or disabled. ![Decommissioned and Sandbox options](./media/alz-portal-decommsandbox.jpg) -## 10. Review + create +## 11. Review + create *Review + Create* page will validate your permission and configuration before you can click deploy. Once it has been validated successfully, you can click *Create* ![Graphical user interface, text, application, email Description automatically generated](./media/clip_image039.jpg) -## 11. Post deployment activities +## 12. Post deployment activities Once Azure landing zone portal accelerator is deployed, you can grant your application teams/business units access to their respective landing zones. Whenever there’s a need for a new landing zone, you can place them into their respective management groups (Online or Corp) given the characteristics of assumed workloads and their requirements. diff --git a/docs/wiki/Deploying-ALZ.md b/docs/wiki/Deploying-ALZ.md index f34f1a812a..ab5361f20c 100644 --- a/docs/wiki/Deploying-ALZ.md +++ b/docs/wiki/Deploying-ALZ.md 
@@ -84,6 +84,12 @@ Provide a prefix that will be used to create the management group hierarchy and ![ESLZ-Company-Prefix](./media/ESLZ-Company-Prefix.JPG) +## Baseline alerts and monitoring + +On the *Baseline alerts and monitoring* blade, you can configure automated alert configuration for the different scopes in your Azure landing zone implementation. Enabling the different baseline alerts will assign the relevant initiative to the corresponding management group. If you enable the "Deploy one or more Azure Monitor Baseline Alerts" option, you **must** provide an email address to get email notifications from Azure Monitor for the deployment to proceed. + +![baseline alerts and monitoring](./media/alz-portal-baselinealerts.jpg) + ### Platform management, security, and governance On the *Platform management, security, and governance* blade, you will configure the core components to enable platform monitoring and security. The options you enable will also be enforced using Azure Policy to ensure resources, landing zones, and more are continuously compliant as your deployments scales and grows. To enable this, you must provide a dedicated (empty) subscription that will be used to host the requisite infrastructure. diff --git a/docs/wiki/FAQ.md b/docs/wiki/FAQ.md index 0750d6711f..03bbd448d0 100644 --- a/docs/wiki/FAQ.md +++ b/docs/wiki/FAQ.md 
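Review bot: heading level is inconsistent in the Deploying-ALZ.md hunk: the new `## Baseline alerts and monitoring` is an H2, while the sibling blade section directly below it, `### Platform management, security, and governance`, is an H3, so the new section will render as a parent of the blades that follow rather than as one blade among them; use `###` here (the VWAN guide differs because it numbers every blade as `##`).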
@@ -169,3 +169,7 @@ We will, when ready, provide Azure landing zones specific migration guidance tha ### What if we are not ready to make the switch and migrate, right now? Another good question. You will need to plan, and complete, the migration to the Azure Monitor Agent before the Log Analytics Agent is retired as [documented here.](https://azure.microsoft.com/updates/were-retiring-the-log-analytics-agent-in-azure-monitor-on-31-august-2024/) + +### Where do I find more information about the Azure Monitor Baseline Alerts initiative included in the Azure landing zones Portal Accelerator? + +Great question! As this is maintained in a repository outside of the Azure landing zones repository please refer to [Azure Monitor Baseline Alerts wiki](https://azure.github.io/azure-monitor-baseline-alerts/patterns/alz) for more details. diff --git a/docs/wiki/What-is-Enterprise-Scale.md b/docs/wiki/What-is-Enterprise-Scale.md index 23bc122d47..11d16ce468 100644 --- a/docs/wiki/What-is-Enterprise-Scale.md +++ b/docs/wiki/What-is-Enterprise-Scale.md 
@@ -25,7 +25,7 @@ The following table outlines key customer requirements in terms of landing zones | Best-practices from cloud provider | Yes. Proven and validated with customers | | Be aligned with cloud provider's platform roadmap | Yes. | | UI Experience and simplified setup | Yes. Via the Azure portal | -| All critical services are present and properly configured according to recommended best practices for identity & access management, governance, security, network and logging | Yes. Using a multi-subscription design, aligned with Azure platform roadmap | +| All critical services are present and properly configured according to recommended best practices for identity & access management, governance, security, network, monitoring and logging | Yes. Using a multi-subscription design, aligned with Azure platform roadmap | | Automation capabilities (IaC/DevOps) | Yes. ARM/Bicep, Terraform, Azure Policy, GitHub/Azure DevOps CI/CD pipeline options included | | Provides long-term self-sufficiency | Yes. Enterprise-scale architecture -> 1:N landing zones. Approach & architecture prepare the customer for long-term self-sufficiency. The RIs reference implementations are there to get you started | | Enables migration velocity across the organization | Yes. Enterprise-scale Scale architecture -> 1:N landing zones. Architecture includes designs for segmentation and separation of duty to empower teams to act within appropriate landing zones | diff --git a/docs/wiki/Whats-new.md b/docs/wiki/Whats-new.md index ccb0591c15..fcd76cd464 100644 --- a/docs/wiki/Whats-new.md +++ b/docs/wiki/Whats-new.md @@ -1,6 +1,7 @@ ## In this Section - [Updates](#updates) + - [October 2023](#october-2023) - [September 2023](#september-2023) - [August 2023](#august-2023) - [July 2023](#july-2023) 
@@ -38,6 +39,13 @@ This article will be updated as and when changes are made to the above and anyth Here's what's changed in Enterprise Scale/Azure Landing Zones: +### October 2023 + +#### Policy + +- The portal accelerator experience has been updated to include deployment of Azure Monitor baseline alerts. Details on the policies deployed can be found [here](https://aka.ms/amba/alz). + + ### September 2023 #### Policy diff --git a/docs/wiki/media/ALZ Policy Assignments v2.xlsx b/docs/wiki/media/ALZ Policy Assignments v2.xlsx index 069d35c655..0a315196e3 100644 Binary files a/docs/wiki/media/ALZ Policy Assignments v2.xlsx and b/docs/wiki/media/ALZ Policy Assignments v2.xlsx differ diff --git a/docs/wiki/media/ESLZ-Company-Prefix-singlesubscription.jpg b/docs/wiki/media/ESLZ-Company-Prefix-singlesubscription.jpg index c48a3ab90b..ba09cb014f 100644 Binary files a/docs/wiki/media/ESLZ-Company-Prefix-singlesubscription.jpg and b/docs/wiki/media/ESLZ-Company-Prefix-singlesubscription.jpg differ diff --git a/docs/wiki/media/ESLZ-Company-Prefix.JPG b/docs/wiki/media/ESLZ-Company-Prefix.JPG index 20ccef94bc..c177d07ab2 100644 Binary files a/docs/wiki/media/ESLZ-Company-Prefix.JPG and b/docs/wiki/media/ESLZ-Company-Prefix.JPG differ diff --git a/docs/wiki/media/ESLZ-Company-Prefix.png b/docs/wiki/media/ESLZ-Company-Prefix.png index 232d9a4eb3..1bec22d826 100644 Binary files a/docs/wiki/media/ESLZ-Company-Prefix.png and b/docs/wiki/media/ESLZ-Company-Prefix.png differ diff --git a/docs/wiki/media/alz-portal-baselinealerts.jpg b/docs/wiki/media/alz-portal-baselinealerts.jpg new file mode 100644 index 0000000000..6b7244cfc9 Binary files /dev/null and b/docs/wiki/media/alz-portal-baselinealerts.jpg differ diff --git a/docs/wiki/media/alz-portal-decommsandbox.jpg b/docs/wiki/media/alz-portal-decommsandbox.jpg index 041da89c91..de2d2b20f8 100644 Binary files a/docs/wiki/media/alz-portal-decommsandbox.jpg and b/docs/wiki/media/alz-portal-decommsandbox.jpg differ 
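Review bot: the October 2023 entry is followed by two blank lines before `### September 2023` where the other entries use one. More usefully, since the alert content is pulled from an external repository at a fixed release (the `2023-09-29` tag in eslzArm.json in this PR), the entry should name that release so readers of the changelog know which AMBA alert set a given accelerator version deploys.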
diff --git a/docs/wiki/media/clip_image010.jpg b/docs/wiki/media/clip_image010.jpg index f4eed32bdd..f9efeef989 100644 Binary files a/docs/wiki/media/clip_image010.jpg and b/docs/wiki/media/clip_image010.jpg differ diff --git a/docs/wiki/media/clip_image014-singlesubscription.jpg b/docs/wiki/media/clip_image014-singlesubscription.jpg index 61e952b935..d5db5542e6 100644 Binary files a/docs/wiki/media/clip_image014-singlesubscription.jpg and b/docs/wiki/media/clip_image014-singlesubscription.jpg differ diff --git a/docs/wiki/media/clip_image014.jpg b/docs/wiki/media/clip_image014.jpg index be5f7c9993..0522465cc5 100644 Binary files a/docs/wiki/media/clip_image014.jpg and b/docs/wiki/media/clip_image014.jpg differ diff --git a/docs/wiki/media/clip_image036b-0-singlesubscription.png b/docs/wiki/media/clip_image036b-0-singlesubscription.png index 699fc558a6..3199dea8d6 100644 Binary files a/docs/wiki/media/clip_image036b-0-singlesubscription.png and b/docs/wiki/media/clip_image036b-0-singlesubscription.png differ diff --git a/docs/wiki/media/clip_image036c-singlesubscription.png b/docs/wiki/media/clip_image036c-singlesubscription.png index 40526397d9..70245fd4e1 100644 Binary files a/docs/wiki/media/clip_image036c-singlesubscription.png and b/docs/wiki/media/clip_image036c-singlesubscription.png differ diff --git a/docs/wiki/media/clip_image037-3-singlesubscription.jpg b/docs/wiki/media/clip_image037-3-singlesubscription.jpg index b9c80a4610..fee78b8628 100644 Binary files a/docs/wiki/media/clip_image037-3-singlesubscription.jpg and b/docs/wiki/media/clip_image037-3-singlesubscription.jpg differ diff --git a/docs/wiki/media/clip_image037-4-singlesubscription.jpg b/docs/wiki/media/clip_image037-4-singlesubscription.jpg index be1841b7cd..78826ff3ad 100644 Binary files a/docs/wiki/media/clip_image037-4-singlesubscription.jpg and b/docs/wiki/media/clip_image037-4-singlesubscription.jpg differ 
diff --git a/docs/wiki/media/clip_image039-singlesubscription.jpg b/docs/wiki/media/clip_image039-singlesubscription.jpg index b3234cd358..c1cc13f603 100644 Binary files a/docs/wiki/media/clip_image039-singlesubscription.jpg and b/docs/wiki/media/clip_image039-singlesubscription.jpg differ diff --git a/docs/wiki/media/clip_image039.jpg b/docs/wiki/media/clip_image039.jpg index a51e1cf287..2afa8a73e9 100644 Binary files a/docs/wiki/media/clip_image039.jpg and b/docs/wiki/media/clip_image039.jpg differ diff --git a/docs/wiki/media/zt1.png b/docs/wiki/media/zt1.png index 522eef35c8..a7987bb468 100644 Binary files a/docs/wiki/media/zt1.png and b/docs/wiki/media/zt1.png differ diff --git a/docs/wiki/media/zt3.png b/docs/wiki/media/zt3.png index 793e93734a..0119e1a956 100644 Binary files a/docs/wiki/media/zt3.png and b/docs/wiki/media/zt3.png differ diff --git a/eslzArm/eslz-portal.json b/eslzArm/eslz-portal.json index 0b5cbb6e81..efd1235f2a 100644 --- a/eslzArm/eslz-portal.json +++ b/eslzArm/eslz-portal.json 
@@ -957,6 +957,153 @@ } ] }, + { + "name": "monitor", + "label": "Baseline alerts and monitoring", + "subLabel": { + "preValidation": "", + "postValidation": "" + }, + "bladeTitle": "ALZ - Baseline Alerts", + "elements": [ + { + "name": "baselinealertsintro", + "type": "Microsoft.Common.InfoBox", + "visible": true, + "options": { + "text": "Azure Landing Zones will create ARM automation to deploy baseline alerts automatically as resources are deployed. Note that selecting Yes to the Option 'Deploy one or more Azure Monitor Baseline Alerts', will automatically import all policies and initiatives and will assign the Deploy Azure Monitor Baseline Alerts for Service Health policy initiative at the intermediate root.", + "uri": "https://aka.ms/amba/alz/docs", + "style": "Info" + } + }, + { + "name": "enableMonitorBaselines", + "type": "Microsoft.Common.OptionsGroup", + "label": "Deploy one or more Azure Monitor Baseline Alerts", + "defaultValue": "Yes (recommended)", + "toolTip": "If 'Yes' is selected Azure Monitor Baseline Alerts can be enabled for the selected resources. Note that choosing Yes will import all Monitor baseline alerts into your environment, and assign the Deploy Azure Monitor Service Health policy initiative to your designated intermediate root. For more information on what is included in the Service Health initiative please refer to https://aka.ms/amba/alz/wiki under Azure Policy Initiatives and Alert Details", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + }, + "visible": true + }, + { + "name": "monitorAlertsResourceGroup", + "type": "Microsoft.Common.TextBox", + "label": "Resource group for baseline alerts", + "toolTip": "Resource group for activity log alerts and action groups. 
Will be created in all subscriptions in scope for the policy", + "visible": "[equals(steps('monitor').enableMonitorBaselines,'Yes')]", + "defaultValue": "rg-amba-monitoring-001", + "constraints": { + "required": "[equals(steps('monitor').enableMonitorBaselines,'Yes')]", + "regex": "^[a-zA-Z0-9][a-zA-Z0-9-_.()]{0,89}[a-zA-Z0-9]$", + "validationMessage": "Please provide a valid resource group name" + } + }, + { + "name": "emailContactActionGroup", + "type": "Microsoft.Common.TextBox", + "label": "Email contact for action group notifications", + "toolTip": "Email address to get email notifications from alerts", + "visible": "[equals(steps('monitor').enableMonitorBaselines,'Yes')]", + "defaultValue": "", + "constraints": { + "required": "[equals(steps('monitor').enableMonitorBaselines,'Yes')]", + "regex": "^[\\w-\\.]+@([\\w-]+\\.)+[\\w-]{2,4}$", + "validationMessage": "Please provide a valid email address" + } + }, + { + "name": "enableMonitorConnectivity", + "type": "Microsoft.Common.OptionsGroup", + "label": "Enable Azure Monitor Baseline Alerts for Connectivity. ", + "defaultValue": "Yes (recommended)", + "toolTip": "If 'Yes' is selected the Deploy Azure Monitor Baseline Alerts for Connectivity policy initiative is assigned to the Connectivity management group. This will ensure that relevant new resources created within that scope are configured with appropriate baseline alerts. 
For more details on what is included in the initiative please refer to https://aka.ms/amba/alz/wiki under Azure Policy Initiatives and Alert Details.", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + }, + "visible": "[equals(steps('monitor').enableMonitorBaselines,'Yes')]" + }, + { + "name": "enableMonitorIdentity", + "type": "Microsoft.Common.OptionsGroup", + "label": "Enable Azure Monitor Baseline Alerts for Identity", + "defaultValue": "Yes (recommended)", + "toolTip": "If 'Yes' is selected the Deploy Azure Monitor Baseline Alerts for Identity policy initiative is assigned to the Identity management group. This will ensure that relevant new resources created within that scope are configured with appropriate baseline alerts. For more details on what is included in the initiative please refer to https://aka.ms/amba/alz/wiki under Azure Policy Initiatives and Alert Details.", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + }, + "visible": "[equals(steps('monitor').enableMonitorBaselines,'Yes')]" + }, + { + "name": "enableMonitorManagement", + "type": "Microsoft.Common.OptionsGroup", + "label": "Enable Azure Monitor Baseline Alerts for Management", + "defaultValue": "Yes (recommended)", + "toolTip": "If 'Yes' is selected the Deploy Azure Monitor Baseline Alerts for Management policy initiative is assigned to the Management management group. This will ensure that relevant new resources created within that scope are configured with appropriate baseline alerts. 
For more details on what is included in the initiative please refer to https://aka.ms/amba/alz/wiki under Azure Policy Initiatives and Alert Details.", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + }, + "visible": "[equals(steps('monitor').enableMonitorBaselines,'Yes')]" + }, + { + "name": "enableMonitorLandingZones", + "type": "Microsoft.Common.OptionsGroup", + "label": "Enable Azure Monitor Baseline Alerts for Landing Zones", + "defaultValue": "Yes (recommended)", + "toolTip": "If 'Yes' is selected the Deploy Azure Monitor Baseline Alerts for Landing Zone policy initiative is assigned to the Landing Zones management group. This will ensure that relevant new resources created within that scope are configured with appropriate baseline alerts. For more details on what is included in the initiative please refer to https://aka.ms/amba/alz/wiki under Azure Policy Initiatives and Alert Details.", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + }, + "visible": "[equals(steps('monitor').enableMonitorBaselines,'Yes')]" + } + ] + }, { "name": "connectivity", "label": "Network topology and connectivity", 
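Review bot: the email validation regex on `emailContactActionGroup`, `^[\\w-\\.]+@([\\w-]+\\.)+[\\w-]{2,4}$`, rejects any address whose top-level domain is longer than four characters (for example `.cloud`, `.email`, `.security`), and because the field is required when baselines are enabled the portal will not let those tenants proceed; `[\\w-]{2,}` for the last group avoids that. The resource-group regex `^[a-zA-Z0-9][a-zA-Z0-9-_.()]{0,89}[a-zA-Z0-9]$` has two issues: it admits names up to 91 characters (first char + up to 89 + last char) while the ARM parameter in eslzArm.json caps `monitorAlertsResourceGroup` at `maxLength: 90`, so `{0,88}` is the matching bound; and the `-` placed immediately after the `0-9` range inside the class is only read as a literal by a JavaScript leniency, so move it to the end (`[a-zA-Z0-9_.()-]`) to make the intent unambiguous. Minor: the label `"Enable Azure Monitor Baseline Alerts for Connectivity. "` carries a trailing period and space that the other three labels lack.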
@@ -2971,6 +3118,13 @@ "enableAscForContainers": "[steps('management').enableAscForContainers]", "enableMDEndpoints": "[steps('management').enableMDEndpoints]", "enableSecuritySolution": "[steps('management').enableSecuritySolution]", + "enableMonitorBaselines": "[steps('monitor').enableMonitorBaselines]", + "monitorAlertsResourceGroup": "[steps('monitor').monitorAlertsResourceGroup]", + "emailContactActionGroup": "[steps('monitor').emailContactActionGroup]", + "enableMonitorConnectivity": "[steps('monitor').enableMonitorConnectivity]", + "enableMonitorIdentity": "[steps('monitor').enableMonitorIdentity]", + "enableMonitorManagement": "[steps('monitor').enableMonitorManagement]", + "enableMonitorLandingZones": "[steps('monitor').enableMonitorLandingZones]", "connectivitySubscriptionId": "[if(not(equals(steps('connectivity').esNwSubSection.esNwSub,steps('management').esMgmtSubSection.esMgmtSub)),steps('connectivity').esNwSubSection.esNwSub,'')]", "addressPrefix": "[coalesce(steps('connectivity').esAddressHubVWAN, steps('connectivity').esAddressHubHS, '')]", "connectivityLocation": "[steps('connectivity').connectivityLocation]", diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json index 97601698af..1cd1b6e560 100644 --- a/eslzArm/eslzArm.json +++ b/eslzArm/eslzArm.json 
@@ -259,6 +259,62 @@ "No" ] }, + "enableMonitorBaselines": { + "type": "string", + "defaultValue": "", + "maxLength": 36, + "metadata": { + "description": "If 'Yes' is selected, ARM will assign a policy initiative to deploy alerting for Service Health in your environment. If 'No', it will be ignored." + } + }, + "enableMonitorConnectivity": { + "type": "string", + "defaultValue": "", + "maxLength": 36, + "metadata": { + "description": "If 'Yes' is selected, ARM will assign a policy initiative to deploy alerting for select connectivity resources in your environment. If 'No', it will be ignored." + } + }, + "enableMonitorIdentity": { + "type": "string", + "defaultValue": "", + "maxLength": 36, + "metadata": { + "description": "If 'Yes' is selected, ARM will assign a policy initiative to deploy alerting for select identity resources in your environment. If 'No', it will be ignored." + } + }, + "enableMonitorManagement": { + "type": "string", + "defaultValue": "", + "maxLength": 36, + "metadata": { + "description": "If 'Yes' is selected, ARM will assign a policy initiative to deploy alerting for select management resources in your environment. If 'No', it will be ignored." + } + }, + "enableMonitorLandingZones": { + "type": "string", + "defaultValue": "", + "maxLength": 36, + "metadata": { + "description": "If 'Yes' is selected, ARM will assign a policy initiative to deploy alerting for select resources in your environment. If 'No', it will be ignored." + } + }, + "monitorAlertsResourceGroup": { + "type": "string", + "defaultValue": "", + "maxLength": 90, + "metadata": { + "description": "Name of the resource group to be created for monitoring resources in each subscription." + } + }, + "emailContactActionGroup": { + "type": "string", + "defaultValue": "", + "maxLength": 36, + "metadata": { + "description": "Email address for alerting purposes." + } + }, "connectivitySubscriptionId": { "type": "string", "defaultValue": "", 
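Review bot: the five new `enableMonitor*` parameters are free-form strings (`maxLength: 36`) with no `allowedValues`, unlike the parameter immediately above whose `"No" ]` closes such a list; since the deployment conditions test `equals(parameters('enableMonitorBaselines'), 'Yes')`, a value like `yes` or `true` passed by a CLI or pipeline caller passes validation and then silently deploys nothing. Add `"allowedValues": ["Yes", "No"]` to each. Separately, `emailContactActionGroup` has `maxLength: 36`, which is shorter than many legitimate corporate addresses and shorter than the 254-character ceiling for an email address, while the portal regex imposes no upper bound, so a form that validates in the portal can still fail at template validation; raise the limit or drop it.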
@@ -783,6 +839,10 @@ "decommissionedManagementGroup": "[tenantResourceId('Microsoft.Management/managementGroups/', variables('mgmtGroups').decommissioned)]", "sandboxManagementGroup": "[tenantResourceId('Microsoft.Management/managementGroups/', variables('mgmtGroups').sandboxes)]" }, + // Declaring root uris for external dependency repositories. + "rootUris": { + "monitorRepo": "https://raw.githubusercontent.com/Azure/azure-monitor-baseline-alerts/2023-09-29/" + }, // Declaring all required deployment uri's used for deployments of composite ARM templates for ESLZ "azPrivateDnsPolicyAssignmentMapping": { "https://management.azure.com/": "managementGroupTemplates/policyAssignments/DINE-PrivateDNSZonesPolicyAssignment.json", @@ -845,7 +905,9 @@ "govMdfcPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/gov/fairfaxDINE-MDFCConfigPolicyAssignment.json')]", "costOptimizationPolicyInitiative": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/AUDIT-UnusedResourcesPolicyAssignment.json')]", "VMUnmanagedDiskPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DENY-VMUnmanagedDiskPolicyAssignment.json')]", - "diagnosticSettingsforManagementGroups": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/diagSettingsMGs/diagSettingsMGs.json')]" + "diagnosticSettingsforManagementGroups": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/diagSettingsMGs/diagSettingsMGs.json')]", + // references to https://github.com/Azure/azure-monitor-baseline-alerts + "monitorPolicyDefinitions": "[uri(variables('rootUris').monitorRepo, 'patterns/alz/alzArm.json')]" }, // Declaring deterministic deployment names "deploymentSuffix": "[concat('-', deployment().location, '-', guid(parameters('enterpriseScaleCompanyPrefix'), parameters('currentDateTimeUtcNow')))]", 
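Review bot: `monitorRepo` pins the external policy set to the git tag `2023-09-29` on raw.githubusercontent.com; a tag is a mutable reference, so what `monitorPolicyDefinitions` resolves to at deployment time is whatever that tag points at on that day, and everything it pulls in is created at the intermediate root with the deployer's Owner privileges. Pin to a commit SHA (raw.githubusercontent.com accepts one in the same path position) or at least record the tag-to-commit mapping in the PR, and add a comment on this line that the URI is the supply-chain boundary for AMBA content so future bumps get the same review as in-repo policy changes.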
@@ -857,12 +919,18 @@ "identitySubscriptionPlacement": "[take(concat('alz-IdentitySub', variables('deploymentSuffix')), 64)]", "roleDefsDeploymentName": "[take(concat('alz-RoleDefs', variables('deploymentSuffix')), 64)]", "policyDeploymentName": "[take(concat('alz-Policy', variables('deploymentSuffix')), 64)]", + "monitorPolicyDeploymentName": "[take(concat('alz-MonitorPolicy', variables('deploymentSuffix')), 64)]", "ddosRgDeploymentName": "[take(concat('alz-DDoSRg', variables('deploymentSuffix')), 64)]", "ddosDeploymentName": "[take(concat('alz-DDoS', variables('deploymentSuffix')), 64)]", "ddosHubPolicyDeploymentName": "[take(concat('alz-DDoSHubPolicy', variables('deploymentSuffix')), 64)]", "ddosLzPolicyDeploymentName": "[take(concat('alz-DDoSLZPolicy', variables('deploymentSuffix')), 64)]", "monitoringDeploymentName": "[take(concat('alz-Monitoring', variables('deploymentSuffix')), 64)]", "logAnalyticsPolicyDeploymentName": "[take(concat('alz-LAPolicy', variables('deploymentSuffix')), 64)]", + "monitorConnectivityDeploymentName": "[take(concat('alz-ConnectivityMonitor', variables('deploymentSuffix')), 64)]", + "monitorIdentityDeploymentName": "[take(concat('alz-IdentityMonitor', variables('deploymentSuffix')), 64)]", + "monitorManagementDeploymentName": "[take(concat('alz-ManagementMonitor', variables('deploymentSuffix')), 64)]", + "monitorLandingZoneDeploymentName": "[take(concat('alz-LandingZoneMonitor', variables('deploymentSuffix')), 64)]", + "monitorServiceHealthDeploymentName": "[take(concat('alz-SvcHealthMonitor', variables('deploymentSuffix')), 64)]", "monitoringSolutionsDeploymentName": "[take(concat('alz-Solutions', variables('deploymentSuffix')), 64)]", "asbPolicyDeploymentName": "[take(concat('alz-ASB', variables('deploymentSuffix')), 64)]", "resourceDiagnosticsPolicyDeploymentName": "[take(concat('alz-ResourceDiagnostics', variables('deploymentSuffix')), 64)]", 
@@ -922,6 +990,7 @@ "costOptimizationDeploymentName": "[take(concat('alz-CostOptimization', variables('deploymentSuffix')), 64)]", "denyVMUnmanagedDiskPolicyDeploymentName": "[take(concat('alz-NoUnmanagedDiskResource', variables('deploymentSuffix')), 64)]", "ztnPhase1PidCuaDeploymentName": "[take(concat('pid-', variables('ztnPhase1CuaId'), '-' , uniqueString(deployment().location, parameters('enterpriseScaleCompanyPrefix'), parameters('currentDateTimeUtcNow'), coalesce(parameters('connectivitySubscriptionId'), parameters('singlePlatformSubscriptionId'))), '-ztnp1'), 64)]", + "ambaPortalPidCuaDeploymentName": "[take(concat('pid-', variables('ambaPortalCuaId'), '-' , uniqueString(deployment().location, parameters('enterpriseScaleCompanyPrefix'), parameters('currentDateTimeUtcNow'), coalesce(parameters('connectivitySubscriptionId'), parameters('singlePlatformSubscriptionId'))), '-ztnp1'), 64)]", "diagnosticSettingsforMGsDeploymentName": "[take(concat('alz-DiagSettingsMGs', variables('deploymentSuffix')), 64)]" }, "esLiteDeploymentNames": { @@ -940,7 +1009,8 @@ "ddosLiteDeploymentName": "[take(concat('alz-DDoSLite', variables('deploymentSuffix')), 64)]", "ddosHubLitePolicyDeploymentName": "[take(concat('alz-DDoSHubPolicyLite', variables('deploymentSuffix')), 64)]", "privateDnsZoneRgLiteDeploymentName": "[take(concat('alz-PrivDNSRGLite', variables('deploymentSuffix')), 64)]", - "privateDnsZonesLiteDeploymentName": "[take(concat('alz-PrivDNSLite', variables('deploymentSuffix')), 35)]" + "privateDnsZonesLiteDeploymentName": "[take(concat('alz-PrivDNSLite', variables('deploymentSuffix')), 35)]", + "monitorPolicyLiteDeploymentName": "[take(concat('alz-MonitorPolicyLite', variables('deploymentSuffix')), 64)]" }, // Declaring deterministic names for Resource Groups that will be created for platform resources "platformRgNames": { 
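Review bot: `ambaPortalPidCuaDeploymentName` was copied from the `ztnPhase1PidCuaDeploymentName` line above and kept its `'-ztnp1'` suffix, so the AMBA telemetry deployment is named as if it were the zero-trust phase 1 one and the two `pid-` deployments differ only by GUID; use an AMBA-specific suffix such as `'-amba'` so they can be told apart in the deployment history.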
@@ -1128,7 +1198,8 @@ "networkContributor": "4d97b98b-1d4f-4787-a291-c67834d212e7" }, "cuaid": "35c42e79-00b3-42eb-a9ac-e542953efb3c", - "ztnPhase1CuaId": "f09f64b8-5cb3-4b16-900d-6ba1df8a597e" + "ztnPhase1CuaId": "f09f64b8-5cb3-4b16-900d-6ba1df8a597e", + "ambaPortalCuaId": "5f0e5693-3998-4ae2-8115-ee96e38dac62" }, "resources": [ /* 
@@ -1200,6 +1271,161 @@ } } }, + { + // Deploying AMBA custom policies. Note: These policies are pulled from AMBA remote repo (https://www.github.com/Azure/azure-monitor-baseline-alerts). See definition of deploymentUris.monitorPolicyDefinitions for more details + "condition": "[and(empty(parameters('singlePlatformSubscriptionId')), equals(parameters('enableMonitorBaselines'), 'Yes'))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[variables('deploymentNames').monitorPolicyDeploymentName]", + "location": "[deployment().location]", + "scope": "[concat('Microsoft.Management/managementGroups/', parameters('enterpriseScaleCompanyPrefix'))]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtGroupDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').mgmtGroupLiteDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').monitorPolicyDefinitions]" + }, + "parameters": { + "enterpriseScaleCompanyPrefix": { + "value": "[parameters('enterpriseScaleCompanyPrefix')]" + }, + "telemetryOptOut": { + "value": "[parameters('telemetryOptOut')]" + }, + "platformManagementGroup": { + "value": "[variables('mgmtGroups').platform]" + }, + "IdentityManagementGroup": { + "value": "[variables('mgmtGroups').identity]" + }, + "managementManagementGroup": { + "value": "[variables('mgmtGroups').management]" + }, + "connectivityManagementGroup": { + "value": "[variables('mgmtGroups').connectivity]" + }, + "LandingZoneManagementGroup": { + "value": "[variables('mgmtGroups').lzs]" + }, + "enableAMBAConnectivity": { + "value": "[parameters('enableMonitorConnectivity')]" + }, + "enableAMBAIdentity": { + "value": "[parameters('enableMonitorIdentity')]" + }, + "enableAMBALandingZone": { + "value": "[parameters('enableMonitorLandingZones')]" + }, + 
"enableAMBAManagement": { + "value": "[parameters('enableMonitorManagement')]" + }, + "enableAMBAServiceHealth": { + "value": "[parameters('enableMonitorBaselines')]" + }, + "delayCount": { + "value": "[parameters('delayCount')]" + }, + "policyAssignmentParametersCommon": { + "value": { + "alzMonitorResourceGroupName": { + "value": "[parameters('monitorAlertsResourceGroup')]" + }, + "alzMonitorResourceGroupLocation": { + "value": "[deployment().location]" + } + } + }, + "policyAssignmentParametersServiceHealth": { + "value": { + "alzMonitorActionGroupEmail": { + "value": "[parameters('emailContactActionGroup')]" + } + } + } + } + } + }, + { + /// Deploying AMBA custom policies. Note: These policies are pulled from AMBA remote repo (https://www.github.com/Azure/azure-monitor-baseline-alerts). See definition of deploymentUris.monitorPolicyDefinitions for more details + "condition": "[and(not(empty(parameters('singlePlatformSubscriptionId'))), equals(parameters('enableMonitorBaselines'), 'Yes'))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[variables('esLiteDeploymentNames').monitorPolicyLiteDeploymentName]", + "location": "[deployment().location]", + "scope": "[concat('Microsoft.Management/managementGroups/', parameters('enterpriseScaleCompanyPrefix'))]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').mgmtGroupLiteDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').monitorPolicyDefinitions]" + }, + "parameters": { + "enterpriseScaleCompanyPrefix": { + "value": "[parameters('enterpriseScaleCompanyPrefix')]" + }, + "telemetryOptOut": { + "value": "[parameters('telemetryOptOut')]" + }, + "platformManagementGroup": { + "value": "[variables('mgmtGroups').platform]" + }, + "IdentityManagementGroup": { + "value": "[variables('mgmtGroups').platform]" + }, + 
"managementManagementGroup": { + "value": "[variables('mgmtGroups').platform]" + }, + "connectivityManagementGroup": { + "value": "[variables('mgmtGroups').platform]" + }, + "LandingZoneManagementGroup": { + "value": "[variables('mgmtGroups').lzs]" + }, + "enableAMBAConnectivity": { + "value": "[parameters('enableMonitorConnectivity')]" + }, + "enableAMBAIdentity": { + "value": "[parameters('enableMonitorIdentity')]" + }, + "enableAMBALandingZone": { + "value": "[parameters('enableMonitorLandingZones')]" + }, + "enableAMBAManagement": { + "value": "[parameters('enableMonitorManagement')]" + }, + "enableAMBAServiceHealth": { + "value": "[parameters('enableMonitorBaselines')]" + }, + "delayCount": { + "value": "[parameters('delayCount')]" + }, + "policyAssignmentParametersCommon": { + "value": { + "alzMonitorResourceGroupName": { + "value": "[parameters('monitorAlertsResourceGroup')]" + }, + "alzMonitorResourceGroupLocation": { + "value": "[deployment().location]" + } + } + }, + "policyAssignmentParametersServiceHealth": { + "value": { + "alzMonitorActionGroupEmail": { + "value": "[parameters('emailContactActionGroup')]" + } + } + } + } + } + }, { // One of Azure's untold stories..... "type": "Microsoft.Resources/deployments", @@ -4243,6 +4469,21 @@ "resources": [] } } + }, + { + "condition": "[and(equals(parameters('telemetryOptOut'), 'No'), equals(parameters('enableMonitorBaselines'), 'Yes'))]", + "apiVersion": "2020-06-01", + "name": "[variables('deploymentNames').ambaPortalPidCuaDeploymentName]", + "location": "[deployment().location]", + "type": "Microsoft.Resources/deployments", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [] + } + } } ], "outputs": { 
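Review bot: in the single-subscription (lite) block, `IdentityManagementGroup`, `managementManagementGroup` and `connectivityManagementGroup` are all passed `variables('mgmtGroups').platform`, so the Identity, Management and Connectivity initiatives are each assigned to the same Platform management group; if that is the intended layout for a single platform subscription, say so in a comment beside those three lines, because next to the full deployment directly above it reads like a copy/paste slip. Also in this region: the second block's comment opens with `///` instead of `//`; the two AMBA deployments use `apiVersion` `2019-10-01` while the telemetry deployment added at the end uses `2020-06-01`, so align them; and the address from `emailContactActionGroup` is written into `policyAssignmentParametersServiceHealth` at the intermediate root, where anyone with Reader on the hierarchy can see it, which is one more reason the docs should steer operators to a shared mailbox rather than a personal one.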
@@ -4251,4 +4492,4 @@ "value": "[concat(deployment().name, ' has successfully deployed. Welcome to Azure Landing Zones!')]" } } -} +} \ No newline at end of file diff --git a/eslzArm/eslzArm.test.param.json b/eslzArm/eslzArm.test.param.json index e4333210f6..c83eb04fc8 100644 --- a/eslzArm/eslzArm.test.param.json +++ b/eslzArm/eslzArm.test.param.json @@ -11,6 +11,27 @@ "enableLogAnalytics": { "value": "Yes" }, + "enableMonitorBaselines": { + "value": "Yes" + }, + "enableMonitorConnectivity": { + "value": "Yes" + }, + "enableMonitorIdentity": { + "value": "Yes" + }, + "enableMonitorManagement": { + "value": "Yes" + }, + "enableMonitorLandingZones": { + "value": "Yes" + }, + "monitorAlertsResourceGroup": { + "value": "rg-amba-monitoring-001" + }, + "emailContactActionGroup": { + "value": "test.user@replace.me" + }, "retentionInDays": { "value": "30" },
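Review bot: the last eslzArm.json hunk changes nothing except removing the file's trailing newline (`-}` / `+}` followed by `\ No newline at end of file`), which will appear as noise in every future diff of this file; restore it. In eslzArm.test.param.json, `test.user@replace.me` is a fine placeholder, but given the new `maxLength: 36` on `emailContactActionGroup` the test parameters should also exercise a realistic longer address so the limit is caught by the pipeline rather than by a customer.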