v0.16.5

Summary

This release contains a number of changes that add features and functionality for the Sovereign Landing Zone (SLZ)

Although one of these changes, #651 & #652, may be of use to others as it reduces the requirement for Tenant Root "/" permissions to deploy the Management Groups. Review the Management Groups Module README and look to use the managementGroupsScopeEscape.bicep module in place of the managementGroups.bicep if this is of interest to you.

FYI if interested in this you will need permissions on an existing Management Group to target the ARM deployment to 👍

Breaking Changes

None 👍

What's Changed

• Format pipeline-script for mgDiagSettings by @picccard in #648
• Fix #647 by @jtracey93 in #649
• Add new modules for MGs & Subscription Alias with targetScope = MG (Non-Breaking) by @jtracey93 in #651
• Make MG ID Changes Logic To Be Non-Breaking by @jtracey93 in #652
• Update Policy Library (automated) by @cae-pr-creator in #655
• ALZ Policy Assignment for Confidential Corp by @sid2305 in #653

Full Changelog: v0.16.4...v0.16.5

What's Changed

• Format pipeline-script for mgDiagSettings by @picccard in #648
• Fix #647 by @jtracey93 in #649
• Add new modules for MGs & Subscription Alias with targetScope = MG (Non-Breaking) by @jtracey93 in #651
• Make MG ID Changes Logic To Be Non-Breaking by @jtracey93 in #652
• Update Policy Library (automated) by @cae-pr-creator in #655
• ALZ Policy Assignment for Confidential Corp by @sid2305 in #653
• v0.16.5 release updates by @jtracey93 in #657

Full Changelog: v0.16.4...v0.16.5

v0.16.4

Summary

Another packed release with lots of great enhancements and community contributions 🥳😍

At a high level we have added:

• The latest upstream policy refresh from the ALZ repo
  • See the What's New wiki page in the ALZ repo for more info https://aka.ms/alz/whatsnew
• Added privatelink.azuredatabricks.net Private DNS Zone
• AAD Renamed to Entra ID
• Added ability to specify a fallback/failover vNet to link all your Private Link Private DNS Zones too - thanks @Acenl12
• Added VPN GW P2S support in Hub & Spoke model - thanks @juang903
• Azure Firewall changes:
  • Now able to specify Custom DNS Servers in DNS proxy feature - thanks @juang903
  • Now able to specify Threat Intel Mode - thanks @oZakari
  • Outputs now available for Private IP address of Azure Firewall
• Multiple Accelerator enhancements - thanks @MilesCameron-DMs & @oZakari
• Our GitHub Issues now are using GitHub Issue Forms, for an easier expeirence - thanks @jhajduk-microsoft

Things to be aware of

No breaking changes, don't worry 👍

But as part of the policy refresh we have added support for Azure Databricks Private Link/Endpoint configuration in the Deploy-Private-DNS-Zones initative. This requires the privatelink.azuredatabricks.net Private DNS Zone to exist.

Therefore we have updated our Private DNS Zone, Hub Networking & Virtual WAN Modules to deploy this new zone, but if you have made any customizations but want to take our policies in, please be aware that you'll need to ensure this zone is added to your environment 👍

What's Changed

• Acceleratorpics by @MilesCameron-DMs in #579
• Updates to Accelerator Documentation by @oZakari in #614
• Update Policy Library (automated) by @cae-pr-creator in #619
• Github Issue forms by @jhajduk-microsoft in #593
• Update ALZ Repo Bicep with Entra product names by @lachaves in #621
• Update Policy Library (automated) by @cae-pr-creator in #623
• Add fallback vnet for failover dns resolving. by @Acenl12 in #601
• Corrected Accelerator links and steps by @oZakari in #628
• Azure Firewall custom DNS server by @juang903 in #615
• Add Azure Firewall Private IPs as Output for VWAN Modules by @jtracey93 in #631
• Update Accelerator docs for ALZ-PowerShell-Module by @oZakari in #636
• BugFix-ParTopLevelManagementGroupPrefix-description-change by @oZakari in #637
• VPN Gateway P2S support by @juang903 in #617
• Update Policy Library (automated) by @cae-pr-creator in #639
• Add threat intel mode property for applicable firewall resources by @oZakari in #644

New Contributors

• @Acenl12 made their first contribution in #601

Full Changelog: v0.16.3...v0.16.4

v0.16.3

Summary

Another release, its been a busy month, but more great updates to ALZ Bicep 👍

In this release we add:

• Routing Intent support for Virtual WAN modules - https://learn.microsoft.com/azure/virtual-wan/how-to-routing-policies
• Ability to propagate the default route (0.0.0.0/0) from a VWAN Hub to spoke vNets via the enableInternetSecurity property
• Naming flexibility for Virtual WAN Hub Connections, if desired
• Azure Bastion Native Client Support (aka Tunnelling) - https://learn.microsoft.com/azure/bastion/native-client - thanks @juang903 🥳

What's Changed

• Add Bastion native client support by @juang903 in #607
• Add VWAN Features: Routing Intent, VHC Naming, Enable Internet Security by @jtracey93 in #612
• Release v0.16.3 by @jtracey93 in #613

New Contributors

• @juang903 made their first contribution in #607

Full Changelog: v0.16.2...v0.16.3

v0.16.2

Summary

A small patch release with no breaking changes 👍

Finally fixing the Bastion NSG only being deployed when Bastion is enabled 🥳

What's Changed

• fix: Description of parPlatformMgAlzDefaultsEnable by @baartch in #597
• Add paths in push trigger for accelerator workflows by @stalejohnsen in #599
• Update Policy Library (automated) by @cae-pr-creator in #603
• Fix #573 (bastion NSG) again and release v0.16.2 by @jtracey93 in #604
• Bastion NSG Conditional Deployment by @JamJarchitect in #606

Full Changelog: v0.16.1...v0.16.2

v0.16.1

Summary

Just some fixes for the Accelerator around RP registration for MG Diagnostic Settings on the Management Subscription, no other ALZ Bicep module changes

What's Changed

• Remove unnecessary usage of Alz.Tools Module by @jtracey93 in #592
• ALZ-Bicep-Accelerator Register missing resource provider by @sebassem in #595

New Contributors

• @sebassem made their first contribution in #595

Full Changelog: v0.16.0...v0.16.1

v0.16.0

Summary

This release incorporates the ability to preview changes prior to deploying to your environment for the Accelerator. There are also some improvements to the Bicep Linter and associated configurations, bug fixes, and general improvements to the modules.

We have also pulled in the latest upstream policy changes from the Azure/Enterprise-Scale repo. See the What's New? for more info on what.

See the below "What's Changed" section for more information on the enhancements we have made

Highlights

• Accelerator: This release introduces the Azure Bicep What-If operation within the Accelerator deployment scripts to be able to evaluate and analyze changes to your environment during a pull-request.
• Relaxed linting rules and reduce maintenance overhead as part of #568
• Added support for the new Sentinel simplified pricing tier in #582

Breaking Changes

As part of #582 we have introduced a very minor/small "breaking change", technically you don't need to do anything and you will just move to the new pricing model, however if you want to stay on your current/the old pricing model you need to do the following once upgrading to v0.16.0:

1. Set parUseSentinelClassicPricingTiers to true

What's Changed

• Enhance Use of Bicep Linter & Simplify Config by @jtracey93 in #568
• Issue forms by @jhajduk-microsoft in #562
• Documentation: Added release process diagram by @oZakari in #569
• FabricBot: Onboarding to GitOps.ResourceManagement because of FabricBot decommissioning by @microsoft-github-policy-service in #570
• Update Policy Library (automated) by @cae-pr-creator in #572
• Add if (parAzBastionEnabled) to nsg create bastion by @woutermation in #575
• Update Azure resources APIs to recent versions before they are too old over 2 years by @VeronicaSea in #577
• Enhance Accelerator documentation for Git by @oZakari in #580
• Feature addvalidation by @MilesCameron-DMs in #539
• PR for Feature #537: Simplify workflow names in Accelerator by @oZakari in #578
• Add CODEOWNERS & Fix Sentinel Simplified Pricing by @jtracey93 in #582
• Update Policy Library (automated) by @cae-pr-creator in #584

New Contributors

• @microsoft-github-policy-service made their first contribution in #570
• @woutermation made their first contribution in #575
• @VeronicaSea made their first contribution in #577
• @MilesCameron-DMs made their first contribution in #539

Full Changelog: v0.15.0...v0.16.0

v0.16.0-pre

This is a pre-release. Please carry on using v0.15.0 for production deployments.

v0.15.0

Summary

This release mainly bring Azure DevOps Support to the Accelerator. However, we have also fixed a number of other pieces and made a good amount of nice, simple, enhancements to existing modules (none of which are breaking changes 👍)

We have also pulled in the latest upstream policy changes from the Azure/Enterprise-Scale repo as part of our quarterly policy refresh work. 🥳

See the below "What's Changed" section for more information on the enhancements we have made

Highlights

• Accelerator: There is now support for Azure DevOps Pipelines. See Getting Started if you're using Azure DevOps Pipelines

What's Changed

• Update Policy Library (automated) by @cae-pr-creator in #525
• Update parameter descriptions and typos by @picccard in #524
• Update Policy Library (automated) by @cae-pr-creator in #532
• Accelerator Pipelines for Azure Devops by @picccard in #503
• Fix doc for module outputs by @picccard in #542
• Update Policy Library (automated) by @cae-pr-creator in #538
• Increase api version for LAW by @jtracey93 in #546
• Option for subnet delegations by @picccard in #526
• Update PSRule Baseline and Version by @jtracey93 in #552
• Add parPlatformMgAlzDefaultsEnable parameter to policy assignment by @sachabruttin in #551
• Improved control of PrivateDnsZones beeing deployed by @picccard in #543
• Added ZT Deployment Guide by @brsteph in #554
• Remove old dependsOn by @picccard in #556
• Unlink log analytics workspace and automation account by @picccard in #555
• Update README.md for alzDefaults module by @picccard in #557
• Feature: Add LZ Child MG Flex for ALZ Default Policy Assignments & Add Release Checks by @jtracey93 in #559
• Feature: Added documentation changes for Accelerator and Azure DevOps support by @oZakari in #563
• Update Policy Library (automated) by @cae-pr-creator in #564
• Prep for v0.15.0 by @jtracey93 in #566

New Contributors

• @sachabruttin made their first contribution in #551
• @brsteph made their first contribution in #554

Full Changelog: v0.14.0...v0.15.0

v0.15.0-pre

This is a pre-release. Please carry on using v0.14.0 for production deployments.

v0.15.0 will be out shortly, with the addition of Azure DevOps support for the Accelerator. Watch this space... 👍

v0.14.0

Summary

This release includes our recent policy refresh work from the upstream repo and also the launch of our ALZ Bicep Accelerator 🥳

Highlights

• Updated policy definitions, initiatives and assignments from upstream ALZ repo - as documented here
• Launch of the ALZ Bicep Accelerator - thanks @oZakari, @lovelysandwich, @Nepomuceno for your work and efforts here 👍(also thanks to @stalejohnsen for testing and providing feedback)
  • Recommended way to consume ALZ Bicep
  • GitHub Actions support only today, but will add Azure DevOps and others other time - please raise issues/feature requests
  • Guidance on staying up-to-date and customizing modules
• Added support for Azure Firewall Basic SKU - thanks @JamJarchitect
• Added policy assignment exclusion feature - thanks @stalejohnsen
• Added platform child Management Group flexibility - thanks @JamJarchitect
• Private DNS Zone Linking in hubPeeredSpoke.bicep orchestration module - thanks @JamJarchitect
• In the Logging module we have removed the Service Map solution from being deployed as per guidance here.

Policy Changes

Information on policy changes can be found in the Whats New Wiki Page in the Azure Landing Zones/Enterprise-Scale repo

Deny-RDP-From-Internet replacement with Deny-MgmtPorts-Internet

The Deny-RDP-From-Internet policy assignment has been replaced with the assignment of the new policy Deny-MgmtPorts-Internet. The alzDefaultPolicyAssignments.bicep has been updated with this change, so to clean up the old `Deny-RDP-From-Internet assignment use the below PowerShell code snippet.

$mgPrefix = "alz" # UPDATE ME
$mgSuffix = "" # UPDATE ME

Get-AzPolicyAssignment -Id "/providers/Microsoft.Management/managementGroups/$mgPrefix-landingzones$mgSuffix/providers/Microsoft.Authorization/policyAssignments/Deny-RDP-From-Internet"
Get-AzPolicyAssignment -Id "/providers/Microsoft.Management/managementGroups/$mgPrefix-platform-identity$mgSuffix/providers/Microsoft.Authorization/policyAssignments/Deny-RDP-From-Internet"

Remove-AzPolicyAssignment -Id "/providers/Microsoft.Management/managementGroups/$mgPrefix-landingzones$mgSuffix/providers/Microsoft.Authorization/policyAssignments/Deny-RDP-From-Internet"
Remove-AzPolicyAssignment -Id "/providers/Microsoft.Management/managementGroups/$mgPrefix-platform-identity$mgSuffix/providers/Microsoft.Authorization/policyAssignments/Deny-RDP-From-Internet"

You are welcome to continue using the Deny-RDP-From-Internet if you wish, it is still valid and works as desired, we have just enhanced the control with the new policy and would advise reviewing and migrating to it for better controls preventing the exposure of Management Ports to the internet

Breaking Changes

1. There is a policy initiative Enforce-TLS-SSL that has had a parameter removed, on purpose, that means a breaking change unfortunately. To resolve this follow the below guidance:
   • Run the following PowerShell commands to remove the policy assignment and initiative, then redeploy the latest versions of:
     a. customPolicyDefinitions.bicep
     b. alzDefaultPolicyAssignments.bicep

$mgPrefix = "alz" # UPDATE ME
$mgSuffix = "" # UPDATE ME

Get-AzPolicyAssignment -Id "/providers/Microsoft.Management/managementGroups/$mgPrefix-landingzones$mgSuffix/providers/Microsoft.Authorization/policyAssignments/Enforce-TLS-SSL"

Remove-AzPolicyAssignment -Id "/providers/Microsoft.Management/managementGroups/$mgPrefix-landingzones$mgSuffix/providers/Microsoft.Authorization/policyAssignments/Enforce-TLS-SSL"

Remove-AzPolicySetDefinition -Id "/providers/Microsoft.Management/managementGroups/$mgPrefix$mgSuffix/providers/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit" -Force

Further info can be found in Update Azure landing zone custom policies

What's Changed / Pull Requests

• Remove unrequired parameters from mgDiagSettings - Fix #473 by @jtracey93 in #474
• Removing second VWan Hub as per conversation with jtracey93 by @lovelysandwich in #480
• 26294 - Feature - Accelerator Pipelines and Scripts by @oZakari in #479
• 26740 - Feature - Generated Parameter Markdowns for Orchestration by @JamJarchitect in #466
• Deploy-VM-Backup optional parameters for exclusion tag by @stalejohnsen in #482
• 26294 - Feature - Accelerator Pipeline Adjustments by @oZakari in #483
• Update RSG API version & workflow to only run on this repo by @jtracey93 in #486
• 26294: Accelerator Pipeline Adjustments by @oZakari in #487
• 26294: Accelerator - Add ability to import env file and minor fixes by @oZakari in #488
• hubNetwork: Dynamic prefix and suffix for Public IPs by @picccard in #493
• New parameter for Alzdefaults exclusions by @stalejohnsen in #494
• Fix doc link for parameter description by @stalejohnsen in #495
• 26016 - Feature - Child Landing Zone Management Groups Flexibility by @JamJarchitect in #496
• Remove Service map from LogAnalyticsWorskpace Solutions by @lachaves in #501
• 26808 - Feature - Add support to allow Private DNS Zone VNet Linking for Spoke VNets by @JamJarchitect in #500
• Accelerator Documentation and remove hard-coded rg values by @oZakari in #497
• Remove accelerator doc temporarily by @oZakari in #506
• Update Policy Library (automated) - Policy Refresh FY23 Q3 by @cae-pr-creator in #499
• Nested deployments should get passed the value for parTelemetryOptOut by @picccard in #502
• ADO 27172 - Add Zero Trust Networking Telemetry - Phase 1 by @jtracey93 in #508
• remove unused duplicate asn property by @picccard in #511
• Update Policy Library (automated) by @cae-pr-creator in #514
• 25520 - Azfw Basic SKU by @JamJarchitect in #510
• Fixes #517 by making the deployment name for the recently added module unique on the zones resource ID by @jtracey93 in #518
• Fix deployment double loop in #519 by @jtracey93 in #520
• add option to set NSG and UDR on subnets in hub-vnet by @picccard in #513
• Accelerator documentation for v0.14.0 release by @oZakari in #507
• Minor Tweaks by @jtracey93 in #521

New Contributors

A huge thanks to all new contributors and we welcome many more contributions in the future 😎

• @lovelysandwich made their first contribution in #480
• @stalejohnsen made their first contribution in #482
• @picccard made their first contribution in #493

Full Changelog: v0.13.0...v0.14.0