How to deploy an Azure Data Explorer Cluster resource with the ALZ policies activated

REZAI Arash 0 Reputation points
2024-10-30T14:30:29.5333333+00:00

Hi,
I've detected some limitations with a built-in policy definition that is part of the initiative "Deny-PublicPaaSEndpoints" in ALZ and that is preventing people from creating something, which is supposed to be accepted, through the GUI.

This is the policy:

Public network access on Azure Data Explorer should be disabled - 43bc7be6-5e69-4b0d-a2bb-e815557ca673

While it works fine to set "/clusters" to "Disabled" through code, it seems the Portal doesn't explicitly do that by default when choosing the Connectivity method "Private endpoint".

I would like to sort this behavior in the Portal such that colleagues would be able to deploy an Azure Data Explorer Cluster without having to do that through code... but how?

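An added example, not from the question or the answer: a small Python pre-flight check that mirrors what built-in policy 43bc7be6-5e69-4b0d-a2bb-e815557ca673 evaluates on a `Microsoft.Kusto/clusters` body, so colleagues can see why a Portal-style body (no `publicNetworkAccess` set) is denied under ALZ's Deny effect while the code path that sets it to `Disabled` passes. The rule shape, the alias `Microsoft.Kusto/clusters/publicNetworkAccess` and the sample body are my reconstruction and assumptions, not copied from the policy JSON.

```python
"""Pre-flight check of an Azure Data Explorer cluster body against the
publicNetworkAccess rule used by ALZ's Deny-PublicPaaSEndpoints initiative."""

# Assumption: reconstruction of built-in policy 43bc7be6-5e69-4b0d-a2bb-e815557ca673.
# Deny when the type is Microsoft.Kusto/clusters and publicNetworkAccess != Disabled.
# The built-in default effect is Audit; the ALZ assignment sets it to Deny.
POLICY_RULE = {
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Kusto/clusters"},
        {"field": "Microsoft.Kusto/clusters/publicNetworkAccess", "notEquals": "Disabled"},
    ]},
    "then": {"effect": "Deny"},
}


def _resolve(resource: dict, field: str):
    """Map a policy field/alias onto the resource body (assumed alias layout)."""
    if field == "type":
        return resource.get("type")
    prop = field.split("/")[-1]              # alias ends with the property name
    return resource.get("properties", {}).get(prop)


def _match(resource: dict, cond: dict) -> bool:
    """Azure Policy string comparisons are case-insensitive."""
    value = _resolve(resource, cond["field"])
    norm = value.lower() if isinstance(value, str) else value
    if "equals" in cond:
        return norm == cond["equals"].lower()
    if "notEquals" in cond:
        return norm != cond["notEquals"].lower()
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(resource: dict) -> str:
    """Return the effect the rule applies ('Deny') or 'Allow' when it does not fire."""
    if all(_match(resource, c) for c in POLICY_RULE["if"]["allOf"]):
        return POLICY_RULE["then"]["effect"]
    return "Allow"


def harden(resource: dict) -> dict:
    """Copy of the body with public network access disabled, as the code path does."""
    props = {**resource.get("properties", {}), "publicNetworkAccess": "Disabled"}
    return {**resource, "properties": props}


# Constructed sample: a body with only "Private endpoint" chosen and no
# publicNetworkAccess property, which is the case the question describes.
PORTAL_BODY = {"type": "Microsoft.Kusto/clusters", "name": "adx-demo",
               "properties": {"enableStreamingIngest": True}}
```

Run `evaluate(PORTAL_BODY)` to see the Deny, and `evaluate(harden(PORTAL_BODY))` to confirm the body a template with `publicNetworkAccess: Disabled` would submit passes.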

1 answer

  1. Pavan Minukuri 520 Reputation points Microsoft Vendor
    2024-10-30T17:43:13.6466667+00:00

    Hi REZAI Arash,
    Welcome to the Microsoft Q&A Platform! Thank you for asking your question here.

    It seems like you are having trouble with a built-in policy definition that is preventing you from creating something through the GUI. Specifically, the policy "Public network access on Azure Data Explorer should be disabled" is not allowing you to create an Azure Data Explorer Cluster through the Portal when using the Connectivity method "Private endpoint".

    To resolve this issue, you can try updating the policy definition to include the "Private endpoint" connectivity method as an exception. Here are the steps to do that:

    1. Go to the Azure Policy page in the Azure Portal.
    2. Select the policy definition "Public network access on Azure Data Explorer should be disabled".
    3. Click on the "Edit" button at the top of the page.
    4. Scroll down to the "Exceptions" section and click on the "Add exception" button.
    5. In the "Add exception" dialog, select "Connectivity method" as the exception type and "Private endpoint" as the connectivity method.
    6. Click on the "Add" button to save the exception.
    7. Click on the "Review + create" button at the top of the page to save the updated policy definition.

    With this exception added to the policy definition, your colleagues should be able to deploy an Azure Data Explorer Cluster through the Portal using the "Private endpoint" connectivity method without having to do that through code.

    For a better understanding, please refer to these links: https://learn.microsoft.com/en-us/azure/governance/policy/tutorials/create-and-manage and https://learn.microsoft.com/en-us/azure/governance/policy/assign-policy-portal

    If you have any further queries, do let us know. If the answer is helpful, please click "Accept Answer".
