Corp and Online Landing Zones
Online: This is the dedicated Management Group for Online landing zones, meaning workloads that may require direct internet inbound/outbound connectivity, or workloads that may not require a VNet.
Corp: This is the dedicated Management Group for Corp landing zones, meaning workloads that require connectivity/hybrid connectivity with the corporate network through the hub in the connectivity subscription.
Landing zones for application teams are placed under either:
- online - landing zones with internet access
- corp - landing zones with on-prem network access
Active Policies Corp
Policy | Effect | Description | Rationale |
---|---|---|---|
Audit Private Link Private DNS Zone resources | Audit | Audits the deployment of Private Link Private DNS Zone resources in the Corp landing zone. | This policy helps to ensure that Private Link Private DNS Zone resources are deployed correctly and securely. By auditing the deployment of these resources, we can identify any potential issues or vulnerabilities and take corrective action to mitigate them. |
Configure Azure PaaS services to use private DNS zones | Deploy | This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones. | This policy helps to ensure that Azure PaaS services are integrated with Azure Private DNS zones, which provides a reliable, secure DNS service to manage and resolve domain names in a virtual network without the need to add a custom DNS solution. |
Deny the deployment of vWAN/ER/VPN gateway resources | Deny | Denies deployment of vWAN/ER/VPN gateway resources in the Corp landing zone. | By denying these resources, we can ensure that all traffic to and from the resource is routed through the private network, which is more secure. |
Public network access should be disabled for PaaS services | Deny | This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints | By disabling public network access, we can ensure that all traffic to and from the resource is routed through the private network, which is more secure. |
Deny network interfaces having a public IP associated | Deny | This policy denies network interfaces from having a public IP associated with them under the assigned scope. | By denying public IP addresses, we can ensure that all traffic to and from the resource is routed through the private network, which is more secure. |
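Added example, not part of the original page or of the Enterprise-Scale reference implementation: a small Python evaluator that expresses three of the Corp Deny policies above as Azure Policy-style `if`/`then` rules and runs constructed resource requests through them, so the allow/deny outcome at the management group scope is visible before anything is deployed. The alias paths, the gateway resource-type list and the sample payloads are this example's assumptions; it is a teaching model of how a policy rule reaches a decision, not Azure's policy engine.

```python
"""Toy evaluator for Azure Policy-style rules (added example; not Azure's engine and
not Enterprise-Scale code). It models three Corp landing zone Deny policies and
evaluates them against constructed resource payloads."""
from typing import Any, Dict, List

Condition = Dict[str, Any]
Resource = Dict[str, Any]


def _property_path(field: str) -> List[str]:
    """'Microsoft.Network/networkInterfaces/ipconfigurations[*].publicIpAddress.id'
    -> ['ipconfigurations[*]', 'publicIpAddress', 'id'] (the path under 'properties')."""
    return field.split("/", 2)[2].split(".")


def resolve(resource: Resource, field: str) -> List[Any]:
    """Every value a field refers to; a list because '[*]' fans out over arrays.
    'type' and 'name' are top-level; aliases are read under 'properties'."""
    if field in ("type", "name"):
        return [resource.get(field)]
    values: List[Any] = [resource.get("properties", {})]
    for part in _property_path(field):
        fan_out = part.endswith("[*]")
        key = part[:-3] if fan_out else part
        next_values: List[Any] = []
        for value in values:
            if not isinstance(value, dict) or key not in value:
                continue  # absent property contributes no value
            child = value[key]
            next_values.extend(child if fan_out and isinstance(child, list) else [child])
        values = next_values
    return values


def _single_member_view(resource: Resource, count_field: str, member: Any) -> Resource:
    """Copy of the resource whose counted array holds one member, so the 'where'
    condition's '[*]' refers to that member alone ('[*]' on the last segment only)."""
    parts = _property_path(count_field)
    view = {k: v for k, v in resource.items() if k != "properties"}
    node = view.setdefault("properties", {})
    for part in parts[:-1]:
        node = node.setdefault(part, {})
    node[parts[-1][:-3]] = [member]
    return view


def evaluate(cond: Condition, resource: Resource) -> bool:
    """Evaluate an 'if' block: allOf/anyOf/not, count, equals/notEquals/in/exists.
    Simplification: an operator on a fanned-out '[*]' path must hold for every
    resolved value, so 'any member' logic is written with 'count' (see NIC rule)."""
    if "allOf" in cond:
        return all(evaluate(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not evaluate(cond["not"], resource)
    if "count" in cond:
        spec = cond["count"]
        matches = sum(1 for m in resolve(resource, spec["field"])
                      if evaluate(spec["where"], _single_member_view(resource, spec["field"], m)))
        return matches > cond["greater"] if "greater" in cond else matches == cond["equals"]
    values = resolve(resource, cond["field"])
    if "exists" in cond:
        present = any(v is not None for v in values)
        return present if str(cond["exists"]).lower() == "true" else not present
    if "equals" in cond:
        return bool(values) and all(v == cond["equals"] for v in values)
    if "notEquals" in cond:
        return all(v != cond["notEquals"] for v in values)  # absent property != value
    if "in" in cond:
        return bool(values) and all(v in cond["in"] for v in values)
    raise ValueError(f"unsupported condition: {cond}")


# Rules modelled on the Corp table. Alias paths and the gateway type list are this
# example's assumptions about resource shapes, not text taken from the page.
NIC_ALIAS = "Microsoft.Network/networkInterfaces/ipconfigurations[*]"
CORP_DENY_POLICIES = [
    {"name": "Deny network interfaces having a public IP associated",
     "if": {"count": {"field": NIC_ALIAS,
                      "where": {"field": NIC_ALIAS + ".publicIpAddress.id", "exists": "true"}},
            "greater": 0},
     "then": {"effect": "deny"}},
    {"name": "Public network access should be disabled for PaaS services",
     "if": {"allOf": [{"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
                      {"field": "Microsoft.Storage/storageAccounts/publicNetworkAccess",
                       "notEquals": "Disabled"}]},
     "then": {"effect": "deny"}},
    {"name": "Deny the deployment of vWAN/ER/VPN gateway resources",
     "if": {"field": "type", "in": ["Microsoft.Network/virtualWans",
                                    "Microsoft.Network/expressRouteCircuits",
                                    "Microsoft.Network/virtualNetworkGateways"]},
     "then": {"effect": "deny"}},
]


def decide(policies: List[Dict[str, Any]], resource: Resource) -> Dict[str, str]:
    """Effect each policy applies to a resource request: 'deny' or 'allow'."""
    return {p["name"]: p["then"]["effect"] if evaluate(p["if"], resource) else "allow"
            for p in policies}


# Constructed sample requests with placeholder IDs, not real resources.
NIC_WITH_PUBLIC_IP = {"type": "Microsoft.Network/networkInterfaces", "name": "nic-web-01",
    "properties": {"ipconfigurations": [
        {"name": "ipconfig1", "privateIpAddress": "10.10.1.4"},
        {"name": "ipconfig2", "publicIpAddress": {"id": "/subscriptions/<sub-id>/.../pip-web-01"}}]}}
NIC_PRIVATE_ONLY = {"type": "Microsoft.Network/networkInterfaces", "name": "nic-app-01",
    "properties": {"ipconfigurations": [{"name": "ipconfig1", "privateIpAddress": "10.10.2.4"}]}}
STORAGE_PUBLIC = {"type": "Microsoft.Storage/storageAccounts", "name": "stcorpdata01",
    "properties": {"publicNetworkAccess": "Enabled"}}
STORAGE_PRIVATE = {"type": "Microsoft.Storage/storageAccounts", "name": "stcorpdata02",
    "properties": {"publicNetworkAccess": "Disabled"}}
VPN_GATEWAY = {"type": "Microsoft.Network/virtualNetworkGateways", "name": "vgw-corp",
    "properties": {"gatewayType": "Vpn"}}

if __name__ == "__main__":
    for res in (NIC_WITH_PUBLIC_IP, NIC_PRIVATE_ONLY, STORAGE_PUBLIC, STORAGE_PRIVATE, VPN_GATEWAY):
        denied = [n for n, e in decide(CORP_DENY_POLICIES, res).items() if e == "deny"]
        print(f"{res['name']}: {'DENIED by ' + '; '.join(denied) if denied else 'allowed'}")
```

Running the script prints one line per sample request: the NIC with a public IP, the public storage account and the VPN gateway are denied by exactly one rule each, while the private-only NIC and the storage account with `publicNetworkAccess` set to `Disabled` pass all three. The NIC rule uses `count` rather than a bare `[*]` comparison so that a public IP on any single ipConfiguration is enough to deny the request, which is the behaviour the Corp table asks for.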
Active Policies Online
Service and Location Restrictions
Policy | Effect | Description | Rationale |
---|---|---|---|
Compliance Statements
- Service and Location Restrictions: restricts deployment of vWAN/ER/VPN gateway resources in the Corp landing zone; restricts creation of Azure PaaS services with exposed public endpoints; restricts network interfaces from having a public IP associated with them under the assigned scope.
- Centralized audit logs: Audits the deployment of Private Link Private DNS Zone resources in the Corp landing zone.