Azure · SebastianClaesson · Feb 11, 2025 · Feb 11, 2025 · Feb 11, 2025 · May 7, 2025
@@ -1,6 +1,7 @@
 ## In this Section
 
 - [In this Section](#in-this-section)
+- [May 2025](#7th-may-2025-07052025)
 - [January 2025](#29th-january-2025-29012025)
 - [September 2024](#25th-september-2024-25092024)
 - [June 2024](#12th-june-2024-12062024)
@@ -19,6 +20,16 @@ On this page you will find the meeting recordings and PowerPoint slides from pre
 
 > Short link to this page is [aka.ms/alz/community](https://aka.ms/alz/community)
 
+## 7th May 2025 (07/05/2025)
+
+### Recording
+
+[![Screenshot of Azure Landing Zones Community Call from May 2025 recording on YouTube](./media/community-calls/may-2025/youtube-thumb.png)](https://youtu.be/Dc95Nx3HsPw?si=ncl0jrc67desWnik)
+
+### Slides
+
+A PDF of the PowerPoint slides are available [here.](./media/community-calls/may-2025/ALZ-Community-Call-07052025.pdf)
+
 ## 29th January 2025 (29/01/2025)
 
 ### Recording

@@ -60,7 +60,15 @@ Here's what's changed in Enterprise Scale/Azure Landing Zones:
 
 #### Policy
 
+- FIX: Updated Deny-MgmtPorts-From-Internet Policy Definition to deny the use of "0.0.0.0/0" as a Source Address Prefix in Network Security Rules. "0.0.0.0/0" is equivalent to "Internet" or "*", and therefore should be denied.
 - FIX: Updated the Audit-Tags-Mandatory-RG Policy Defintion to mode 'All' from 'Indexed' so that it evaluates resource group tags as intended.
+- Updated the initiative [Deploy-Private-DNS-Zones](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-Private-DNS-Zones.html), Removing the 'Effect1' parameter from the policy set "Deploy-Private-DNS-Zones" and using the "Effect" parameter.
+- Update eventgrid topic and domain name DNS zone name in the initiative [Deploy-Private-DNS-Zones](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-Private-DNS-Zones.html) to also contain regionName.
+
+
+#### Other
+
+- The May community call recording and slides have been uploaded to YouTube and wiki, all available from [aka.ms/alz/community](https://aka.ms/alz/community)
 
 ### April 2025
 

@@ -9,7 +9,7 @@
         "displayName": "Management port access from the Internet should be blocked",
         "description": "This policy denies any network security rule that allows management port access from the Internet, by default blocking SSH/RDP ports.",
         "metadata": {
-            "version": "2.1.1",
+            "version": "2.2.0",
             "category": "Network",
             "source": "https://github.com/Azure/Enterprise-Scale/",
             "replacesPolicy": "Deny-RDP-From-Internet",
@@ -125,6 +125,10 @@
                                                 "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix",
                                                 "equals": "Internet"
                                             },
+                                            {
+                                                "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix",
+                                                "equals": "0.0.0.0/0"
+                                            },           
                                             {
                                                 "not": {
                                                     "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]",
@@ -136,6 +140,12 @@
                                                     "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]",
                                                     "notEquals": "Internet"
                                                 }
+                                            },
+                                            {
+                                                "not": {
+                                                    "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]",
+                                                    "notEquals": "0.0.0.0/0"
+                                                }
                                             }
                                         ]
                                     }
@@ -224,6 +234,10 @@
                                                         "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefix",
                                                         "equals": "Internet"
                                                     },
+                                                    {
+                                                        "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefix",
+                                                        "equals": "0.0.0.0/0"
+                                                    },                                                    
                                                     {
                                                         "not": {
                                                             "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefixes[*]",
@@ -235,6 +249,12 @@
                                                             "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefixes[*]",
                                                             "notEquals": "Internet"
                                                         }
+                                                    },
+                                                    {
+                                                        "not": {
+                                                            "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefixes[*]",
+                                                            "notEquals": "0.0.0.0/0"
+                                                        }
                                                     }
                                                 ]
                                             }

@@ -8,7 +8,7 @@
     "displayName": "Configure Azure PaaS services to use private DNS zones",
     "description": "This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones",
     "metadata": {
-      "version": "2.4.0",
+      "version": "3.0.0",
       "category": "Network",
       "source": "https://github.com/Azure/Enterprise-Scale/",
       "alzCloudEnvironments": [
@@ -142,8 +142,8 @@
           "azureDataFactoryPrivateDnsZoneId": "privatelink.datafactory.azure.net",
           "azureDatabricksPrivateDnsZoneId": "privatelink.azuredatabricks.net",
           "azureDiskAccessPrivateDnsZoneId": "privatelink.blob.core.windows.net",
-          "azureEventGridDomainsPrivateDnsZoneId": "privatelink.eventgrid.azure.net",
-          "azureEventGridTopicsPrivateDnsZoneId": "privatelink.eventgrid.azure.net",
+          "azureEventGridDomainsPrivateDnsZoneId": "{regionName}.privatelink.eventgrid.azure.net",
+          "azureEventGridTopicsPrivateDnsZoneId": "{regionName}.privatelink.eventgrid.azure.net",
           "azureEventHubNamespacePrivateDnsZoneId": "privatelink.servicebus.windows.net",
           "azureFilePrivateDnsZoneId": "privatelink.afs.azure.net",
           "azureHDInsightPrivateDnsZoneId": "privatelink.azurehdinsight.net",
@@ -808,18 +808,6 @@
           "Disabled"
         ],
         "defaultValue": "DeployIfNotExists"
-      },
-      "effect1": {
-        "type": "string",
-        "metadata": {
-          "displayName": "Effect",
-          "description": "Enable or disable the execution of the policy"
-        },
-        "allowedValues": [
-          "deployIfNotExists",
-          "Disabled"
-        ],
-        "defaultValue": "deployIfNotExists"
       }
     },
     "policyDefinitions": [
@@ -1434,7 +1422,7 @@
             "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureEventGridTopicsPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureEventGridTopicsPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]"
           },
           "effect": {
-            "value": "[[parameters('effect1')]"
+            "value": "[[parameters('effect')]"
           }
         },
         "groupNames": []
@@ -1476,7 +1464,7 @@
             "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureIotHubsPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureIotHubsPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]"
           },
           "effect": {
-            "value": "[[parameters('effect1')]"
+            "value": "[[parameters('effect')]"
           }
         },
         "groupNames": []
@@ -1490,7 +1478,7 @@
             "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureEventGridDomainsPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureEventGridDomainsPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]"
           },
           "effect": {
-            "value": "[[parameters('effect1')]"
+            "value": "[[parameters('effect')]"
           }
         },
         "groupNames": []