-
Notifications
You must be signed in to change notification settings - Fork 94
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. Weβll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Added Private Endpoint deployment option #609
base: features/private
Are you sure you want to change the base?
Conversation
@microsoft-github-policy-service agree |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry for the delay! Too much going on π
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, however I have some comments in addition to Michael's
- Use only the subnetResourceId to indicate a private deployment and drop the publicNetworkAccess parameter
- If subnetResourceId is specified, lets assess if we can have the deployment scripts also deployed in private, see this and this . Update the readme accordingly if applicable. We will probably need to have a dedicated storage account for scripts since this scenario only supports service endpoints
- Move the private endpoint deployment for keyVault into the keyVault module for better code organization
Hi team, any updates on this. Lots of customers extremely interested in deploying this however not being able to deploy with private endpoints is a blocker for them as it's against policy. Thanks! |
Sorry, I had to down prioritize this due to a hectic schedule, I hope I can look into this and update the requested changes within the coming weeks. |
β¦ed PVE to specific module
β¦ be disabled for PaaS services policy
Sorry for the delay I have had a very busy time and I will soon be out for a while. I hope I have adressed all you comments. |
No worries, I just submitted a PR to your fork with some changes. Please review and test if possible so we can finalize and merge :) |
Added deployment scripts private access
β¦torage already has a private endpoint
@sebassem deploying the resources work, however the deployment script fails It tries to access the FinOps storage account . I haven't had the time to look into all changes you have made, I only removed a Private Endpoint for blob storage because one already exsists. |
I assume you don't have a private dns zone for blob storage ? Without it the deployment script won't be able to access it |
You were right, it was the DNS, we have policies managing registration of private endpoints to the private DNS zones and it hadn't applied yet. I was trying to do to many things at once and didn't check that, sorry. It seem to work now, I noticed the the name of the export directory had changed from msexports to only exports. I have updated the README.md as well with the new expected name of the export folder. |
No worries, thanks for testing this. If the name change affects other parts of the code we can set it back to msexports, maybe I renamed it by mistake. Please let me know when you are happy with your testing so we can merge :) |
Co-authored-by: Brett Wilson <[email protected]>
#### Deployment | ||
|
||
1. Login | ||
> az login |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please change this to Powershell so it aligns with the module we're shipping.
2. Set target subscription | ||
> az account set -s `<SubscriptionId>` | ||
3. Execute deployment | ||
> az deployment group create --resource-group `<RG Name>` --location `<location>` --template-file .\main.bicep --parameters hubName='`<hubName>`' subnetResourceId='`<subnetResourceId>`' scriptsSubnetResourceId='`<scriptsSubnetResourceId>`' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please change to Powershell
- The private deployment assumes that the target environment already has the virtual network where the private endpoints will be deployed. | ||
- The virtual network needs to have two subnets; one for the private endpoints and one for the deployment scripts needed for the FinOps Hub. | ||
- The virtual network for the deployment scripts needs to have the [needed configuration](https://learn.microsoft.com/azure/azure-resource-manager/bicep/deployment-script-vnet). | ||
- A service endpoint configured for `Microsoft.Storage` | ||
- A subnet delegation for `Microsoft.ContainerInstance/containerGroups` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could provide this as part of the deployment so customers can retro-fit to their environment rather than leaving it undefined.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@MSBrett are you suggesting deploying the needed infra (vnet, dns zones ,....etc) ? And should it be deployed by default or with a flag ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'd prefer to just ship it at a vnet which can be peered to a hub as required. What's the minimum address space we need for this?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would like to have the option to use an existing VNet as well, because deploying a new VNet for a single purpose won't fit all environments, however, this will require some more work, but will give an option for all.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
fair enough
π οΈ Description
Possibility to do deploy FinOps hub with private endpoints.
π¬ How did you test this change?
πββοΈ Do any of the following that apply?
π Did you update
docs/changelog.md
?π Did you update documentation?