Added Private Endpoint deployment option #609
Conversation
microsoft-github-policy-service
bot
added
the
Solution: FinOps hubs
microsoft-github-policy-service
bot
added
the
Needs: Review π
@microsoft-github-policy-service agree |
src/templates/finops-hub/README.md
Outdated
|
|
||
| **Prerequisites** | ||
| The Private Endpoint deployment assumes that the target environment is prepared to handle DNS registration, and that a Self-Hosted Integration Runtime is available. | ||
| > See [Private Endpoint DNS](https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns) and [Private Link and DNS integration at scale](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/private-link-and-dns-integration-at-scale) for details. |
There was a problem hiding this comment.
| > See [Private Endpoint DNS](https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns) and [Private Link and DNS integration at scale](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/private-link-and-dns-integration-at-scale) for details. | |
| > See [Private Endpoint DNS](https://learn.microsoft.com/azure/private-link/private-endpoint-dns) and [Private Link and DNS integration at scale](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/private-link-and-dns-integration-at-scale) for details. |
src/templates/finops-hub/README.md
Outdated
| #### Overview | ||
| The purpose of this deployment is to deploy the FinOps Hub in an environment that does not allow public access. | ||
|
|
||
| **Prerequisites** |
There was a problem hiding this comment.
Wouldn't these be relevant for the portal deployment as well? Can you add them to the prereq section above? We should probably also add them to docs/finops-hub/template.md (but that can happen in a separate PR).
src/templates/finops-hub/README.md
Outdated
| The Private Endpoint deployment assumes that the target environment is prepared to handle DNS registration, and that a Self-Hosted Integration Runtime is available. | ||
| > See [Private Endpoint DNS](https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns) and [Private Link and DNS integration at scale](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/private-link-and-dns-integration-at-scale) for details. | ||
|
|
||
| > If the target environment has policies preventing Public IP addresses for PaaS services, the subscription needs to be temporarily moved to a staging Management Group or location where the policy does not apply. |
There was a problem hiding this comment.
Is there a built-in policy like this? Would it be helpful to link to it/them?
| > If the target environment has policies preventing Public IP addresses for PaaS services, the subscription needs to be temporarily moved to a staging Management Group or location where the policy does not apply. | |
| > If the target environment has policies preventing public IP addresses for PaaS services, the subscription needs to be temporarily moved to a staging management group or location where the policy does not apply. |
| > If the target environment has policies preventing Public IP addresses for PaaS services, the subscription needs to be temporarily moved to a staging Management Group or location where the policy does not apply. | ||
| This is to ensure that the script steps in the deployment can be executed. | ||
|
|
||
| 1. Register the Microsoft.EventGrid and Microsoft.CostManagementExports resource providers |
There was a problem hiding this comment.
nit: I just realized we have this in the prereqs and as the first step. Do you think we need it in both? Should we remove it from the steps?
There was a problem hiding this comment.
If we're going to support vNet injection we should include a spoke vNet along with the required DNS zones, NSGs and potentially a UDR too if there's a router in the hub.
src/templates/finops-hub/README.md
Outdated
| 4. Execute deployment | ||
| > az deployment group create --resource-group `<RG Name>` --template-file .\main.bicep --parameters hubName='`<hubName>`' subnetResourceId='`<subnetResourceId>`' publicNetworkAccess='Disabled' | ||
|
|
||
| 5. Share and add the Self-Hosted Integration Runtime to the FinOps Azure Data Factory. |
There was a problem hiding this comment.
| 5. Share and add the Self-Hosted Integration Runtime to the FinOps Azure Data Factory. | |
| 5. Share and add the Self-Hosted Integration Runtime to the Data Factory instance. |
| @description('Optional. To disable Public Network Access, set to "Disabled".') | ||
| param publicNetworkAccess string = '' |
There was a problem hiding this comment.
| @description('Optional. To disable Public Network Access, set to "Disabled".') | |
| param publicNetworkAccess string = '' | |
| @description('Optional. Indicates whether public network access should be disabled. Default = false.') | |
| param disablePublicNetworkAccess bool = false |
| @@ -67,6 +69,7 @@ resource keyVault 'Microsoft.KeyVault/vaults@2022-11-01' = { | |||
| createMode: 'default' | |||
| tenantId: subscription().tenantId | |||
| accessPolicies: formattedAccessPolicies | |||
| publicNetworkAccess: !empty(publicNetworkAccess) ? publicNetworkAccess : 'Enabled' | |||
There was a problem hiding this comment.
| publicNetworkAccess: !empty(publicNetworkAccess) ? publicNetworkAccess : 'Enabled' | |
| publicNetworkAccess: disablePublicNetworkAccess ? 'Disabled' : 'Enabled' |
| @description('Optional. To disable Public Network Access, set to "Disabled".') | ||
| param publicNetworkAccess string = '' |
There was a problem hiding this comment.
| @description('Optional. To disable Public Network Access, set to "Disabled".') | |
| param publicNetworkAccess string = '' | |
| @description('Optional. Indicates whether public network access should be disabled. Default = false.') | |
| param disablePublicNetworkAccess bool = false |
| @@ -62,6 +68,7 @@ resource storageAccount 'Microsoft.Storage/storageAccounts@2021-08-01' = { | |||
| isHnsEnabled: true | |||
| minimumTlsVersion: 'TLS1_2' | |||
| allowBlobPublicAccess: false | |||
| publicNetworkAccess: publicNetworkAccess == 'Disabled' ? 'Disabled' : 'Enabled' | |||
There was a problem hiding this comment.
| publicNetworkAccess: publicNetworkAccess == 'Disabled' ? 'Disabled' : 'Enabled' | |
| publicNetworkAccess: disablePublicNetworkAccess ? 'Disabled' : 'Enabled' |
| param subnetResourceId string = '' | ||
|
|
||
| @description('Optional. To disable Public Network Access, set to "Disabled".') | ||
| param publicNetworkAccess string = '' |
There was a problem hiding this comment.
Out of curiosity, is there a reason why someone would specify a subnetResourceId and not disable public network access? What about disable public network access without specifying a subnetResourceId? Just curious if it would make sense to remove the network access option and have everything work off the subnetResourceId parameter.
(Sorry, I don't have any context on this, so it may be obvious to others π)
There was a problem hiding this comment.
+1 , if a user provides a subnetResourceId then we should assume that they want to disable public access and use this param as the condition
microsoft-github-policy-service
bot
added
the
Needs: Attention π
There was a problem hiding this comment.
LGTM, however I have some comments in addition to Michael's
- Use only the subnetResourceId to indicate a private deployment and drop the publicNetworkAccess parameter
- If subnetResourceId is specified, lets assess if we can have the deployment scripts also deployed in private, see this and this . Update the readme accordingly if applicable. We will probably need to have a dedicated storage account for scripts since this scenario only supports service endpoints
- Move the private endpoint deployment for keyVault into the keyVault module for better code organization
|
Hi team, any updates on this. Lots of customers extremely interested in deploying this however not being able to deploy with private endpoints is a blocker for them as it's against policy. Thanks! |
|
Sorry, I had to down prioritize this due to a hectic schedule, I hope I can look into this and update the requested changes within the coming weeks. |
β¦ed PVE to specific module
β¦ be disabled for PaaS services policy
|
Sorry for the delay I have had a very busy time and I will soon be out for a while. I hope I have adressed all you comments. |
No worries, I just submitted a PR to your fork with some changes. Please review and test if possible so we can finalize and merge :) |
Added deployment scripts private access
β¦torage already has a private endpoint
|
@sebassem deploying the resources work, however the deployment script fails
It tries to access the FinOps storage account . I haven't had the time to look into all changes you have made, I only removed a Private Endpoint for blob storage because one already exsists. |
I assume you don't have a private dns zone for blob storage ? Without it the deployment script won't be able to access it |
|
You were right, it was the DNS, we have policies managing registration of private endpoints to the private DNS zones and it hadn't applied yet. I was trying to do to many things at once and didn't check that, sorry. It seem to work now, I noticed the the name of the export directory had changed from msexports to only exports. I have updated the README.md as well with the new expected name of the export folder. |
|
Too fast, I saw the pipeline kick off and left, today I see that i failed. Seems like the column |
No worries, thanks for testing this. If the name change affects other parts of the code we can set it back to msexports, maybe I renamed it by mistake. Please let me know when you are happy with your testing so we can merge :) |
|
Co-authored-by: Brett Wilson <[email protected]>
| #### Deployment | ||
|
|
||
| 1. Login | ||
| > az login |
There was a problem hiding this comment.
Please change this to Powershell so it aligns with the module we're shipping.
| 2. Set target subscription | ||
| > az account set -s `<SubscriptionId>` | ||
| 3. Execute deployment | ||
| > az deployment group create --resource-group `<RG Name>` --location `<location>` --template-file .\main.bicep --parameters hubName='`<hubName>`' subnetResourceId='`<subnetResourceId>`' scriptsSubnetResourceId='`<scriptsSubnetResourceId>`' |
There was a problem hiding this comment.
Please change to Powershell
| - The private deployment assumes that the target environment already has the virtual network where the private endpoints will be deployed. | ||
| - The virtual network needs to have two subnets; one for the private endpoints and one for the deployment scripts needed for the FinOps Hub. | ||
| - The virtual network for the deployment scripts needs to have the [needed configuration](https://learn.microsoft.com/azure/azure-resource-manager/bicep/deployment-script-vnet). | ||
| - A service endpoint configured for `Microsoft.Storage` | ||
| - A subnet delegation for `Microsoft.ContainerInstance/containerGroups` |
There was a problem hiding this comment.
Could provide this as part of the deployment so customers can retro-fit to their environment rather than leaving it undefined.
π οΈ Description
Possibility to do deploy FinOps hub with private endpoints.
π¬ How did you test this change?
πββοΈ Do any of the following that apply?
π Did you update
docs/changelog.md?π Did you update documentation?