
Comments (3)

adforeman commented on June 11, 2024

As a workaround I was able to identify the kind of the Cognitive Services resource within the ARM deployment of the policy, using the reference function.

"privateDnsZoneId": "[if(equals(reference(parameters('privateLinkServiceId')[0], '2022-12-01', 'Full').kind, 'OpenAI'), parameters('openaiPrivateDnsZoneId'), parameters('defaultPrivateDnsZoneId'))]"

Below is a policy I use to automatically deploy (deployIfNotExists) the Private DNS Zone Group for a Private Endpoint Connection, where the resource type is Cognitive Services (Microsoft.CognitiveServices/accounts) and the sub-resource is "account". The policy requires two parameters to specify the Resource IDs of the Private DNS Zones: the default ID for all Cognitive Services (defaultPrivateDnsZoneId) and the OpenAI-specific one (openaiPrivateDnsZoneId).

{
    "mode": "Indexed",
    "parameters": {
      "defaultPrivateDnsZoneId": {
        "type": "String",
        "metadata": {
          "displayName": "Default Private DNS Zone ID",
          "description": "The default Private DNS Zone ID for Cognitive Services resources (except Azure OpenAI).",
          "strongType": "Microsoft.Network/privateDnsZones"
        }
      },
      "openaiPrivateDnsZoneId": {
        "type": "String",
        "metadata": {
          "displayName": "OpenAI Private DNS Zone ID",
          "description": "The Private DNS Zone ID for Azure OpenAI resources.",
          "strongType": "Microsoft.Network/privateDnsZones"
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "equals": "Microsoft.Network/privateEndpoints",
            "field": "type"
          },
          {
            "count": {
              "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*]",
              "where": {
                "allOf": [
                  {
                    "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId",
                    "contains": "Microsoft.CognitiveServices/accounts"
                  },
                  {
                    "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]",
                    "equals": "account"
                  }
                ]
              }
            },
            "greaterOrEquals": 1
          }
        ]
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7",
            "/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "defaultPrivateDnsZoneId": {
                  "value": "[parameters('defaultPrivateDnsZoneId')]"
                },
                "openaiPrivateDnsZoneId": {
                  "value": "[parameters('openaiPrivateDnsZoneId')]"
                },
                "privateEndpointName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "privateLinkServiceId": {
                  "value": "[field('Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId')]"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "defaultPrivateDnsZoneId": {
                    "type": "string"
                  },
                  "openaiPrivateDnsZoneId": {
                    "type": "string"
                  },
                  "privateEndpointName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "privateLinkServiceId": {
                    "type": "array"
                  }
                },
                "resources": [
                  {
                    "apiVersion": "2022-07-01",
                    "location": "[parameters('location')]",
                    "name": "[concat(parameters('privateEndpointName'), '/deployedByPolicy')]",
                    "properties": {
                      "privateDnsZoneConfigs": [
                        {
                          "name": "account-private-dns-zone",
                          "properties": {
                            "privateDnsZoneId": "[if(equals(reference(parameters('privateLinkServiceId')[0], '2022-12-01', 'Full').kind, 'OpenAI'), parameters('openaiPrivateDnsZoneId'), parameters('defaultPrivateDnsZoneId'))]"
                          }
                        }
                      ]
                    },
                    "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups"
                  }
                ]
              }
            }
          }
        }
      }
    }
  }

from industry.
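An added offline model of the posted policy's decision logic (not code from the thread), usable for auditing exported private-endpoint JSON: it evaluates the policy's `if` block and the template's zone selection, and makes explicit that only connection `[0]` decides the zone. The account kinds, zone IDs and endpoint objects are constructed placeholders standing in for what ARM `reference()` and the resource graph would return.

```python
"""Offline model of the policy above: does the deployIfNotExists rule fire for a
private endpoint, and which Private DNS Zone would the template attach?"""
from typing import Dict, Optional

CS_TYPE = "Microsoft.CognitiveServices/accounts"

# Constructed stand-in for reference(id, '2022-12-01', 'Full').kind:
# account resource ID -> kind. Real values come from the ARM API.
ACCOUNT_KINDS: Dict[str, str] = {
    "/subscriptions/<sub>/resourceGroups/rg-ai/providers/" + CS_TYPE + "/oai-prod": "OpenAI",
    "/subscriptions/<sub>/resourceGroups/rg-ai/providers/" + CS_TYPE + "/speech-prod": "SpeechServices",
}
# Constructed zone resource IDs, i.e. the two policy parameters.
OPENAI_ZONE = "/subscriptions/<sub>/resourceGroups/rg-dns/providers/Microsoft.Network/privateDnsZones/openai-zone"
DEFAULT_ZONE = "/subscriptions/<sub>/resourceGroups/rg-dns/providers/Microsoft.Network/privateDnsZones/cognitive-zone"

def make_endpoint(name: str, target_id: str, group_id: str = "account") -> dict:
    """Build a minimal private endpoint resource (constructed sample input)."""
    return {"type": "Microsoft.Network/privateEndpoints", "name": name, "location": "westeurope",
            "properties": {"privateLinkServiceConnections": [
                {"properties": {"privateLinkServiceId": target_id, "groupIds": [group_id]}}]}}

def policy_applies(pe: dict) -> bool:
    """The policy 'if' block: type matches, and the count of connections whose
    privateLinkServiceId contains the Cognitive Services type AND whose groupIds
    include 'account' is >= 1. Azure Policy string conditions are case-insensitive."""
    if pe["type"].lower() != "microsoft.network/privateendpoints":
        return False
    conns = pe["properties"]["privateLinkServiceConnections"]
    hits = [c for c in conns
            if CS_TYPE.lower() in c["properties"]["privateLinkServiceId"].lower()
            and any(g.lower() == "account" for g in c["properties"]["groupIds"])]
    return len(hits) >= 1

def expected_zone(pe: dict, kinds: Dict[str, str]) -> str:
    """The template expression: field(...[*].privateLinkServiceId) arrives as an
    array and only element [0] is resolved, so an endpoint with several
    connections is decided by its first one."""
    first_id = pe["properties"]["privateLinkServiceConnections"][0]["properties"]["privateLinkServiceId"]
    # A missing account would make the real reference() call fail the deployment.
    return OPENAI_ZONE if kinds.get(first_id, "") == "OpenAI" else DEFAULT_ZONE

def audit(pe: dict, attached_zone: Optional[str], kinds: Dict[str, str] = ACCOUNT_KINDS) -> Optional[str]:
    """Return a finding when the zone attached to the endpoint differs from what the policy would deploy."""
    if not policy_applies(pe):
        return None
    want = expected_zone(pe, kinds)
    if attached_zone == want:
        return None
    return f"{pe['name']}: expected {want.rsplit('/', 1)[-1]}, found {attached_zone}"
```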

unix68 commented on June 11, 2024

@adforeman Thanks a lot for submitting this solution. It definitely helped us implement a policy which worked for OpenAI and the other CognServices.
It was also approved by MS support that your solution is the way to go - at least as long as there is no official solution provided/documented by MS.

