Merge branch 'policy-refresh-q2fy24' of https://github.com/Azure/Ente…

…rprise-Scale into MDFCVulnerabilityUpdate
Azure · Jan 30, 2024 · 071672d · 071672d
2 parents fcde3df + b1b39a9
commit 071672d
Show file tree

Hide file tree

Showing 6 changed files with 28 additions and 8 deletions.
diff --git a/docs/wiki/ALZ-Deprecated-Services.md b/docs/wiki/ALZ-Deprecated-Services.md
@@ -25,7 +25,8 @@ Policies being deprecated:
 | RDP access from the Internet should be blocked<br>ID: `Deny-RDP-From-Internet` | [`Deny-MgmtPorts-From-Internet`](https://www.azadvertizer.net/azpolicyadvertizer/Deny-MgmtPorts-From-Internet.html)  | Deprecated policy as it is superseded by a more flexible policy                  |
 | Deploy SQL Database Transparent Data Encryption<br>ID: [`Deploy SQL Database Transparent Data Encryption`](https://www.azadvertizer.net/azpolicyadvertizer/Deploy-Sql-Tde.html) |	`86a912f6-9a06-4e26-b447-11b16ba8659f` | Custom policy replaced by built-in requires less administration overhead |
 | Azure Machine Learning should have disabled public network access<br>ID: [`Deny-MachineLearning-PublicNetworkAccess`](https://www.azadvertizer.net/azpolicyadvertizer/Deny-MachineLearning-PublicNetworkAccess.html) | [`438c38d2-3772-465a-a9cc-7a6666a275ce`](https://www.azadvertizer.net/azpolicyadvertizer/438c38d2-3772-465a-a9cc-7a6666a275ce.html) | Custom policy replaced by built-in requires less administration overhead |
-| Public network access should be disabled for MariaDB<br>ID: [`Deny-PublicEndpoint-MariaDB`](https://www.azadvertizer.net/azpolicyadvertizer/Deny-PublicEndpoint-MariaDB.html) | [`fdccbe47-f3e3-4213-ad5d-ea459b2fa077`](https://www.azadvertizer.net/azpolicyadvertizer/fdccbe47-f3e3-4213-ad5d-ea459b2fa077.html) | Custom policy replaced by built-in requires less administration overhead<br>NOTE: US Gov (Fairfax) initiative still points to the deprecated policy as built-in is not yet available. |
+| Public network access should be disabled for MariaDB<br>ID: [`Deny-PublicEndpoint-MariaDB`](https://www.azadvertizer.net/azpolicyadvertizer/Deny-PublicEndpoint-MariaDB.html) | [`fdccbe47-f3e3-4213-ad5d-ea459b2fa077`](https://www.azadvertizer.net/azpolicyadvertizer/fdccbe47-f3e3-4213-ad5d-ea459b2fa077.html) | Deprecating policies for MariaDB see [`ALZ Policy FAQ & Tips`](https://github.com/Azure/Enterprise-Scale/blob/main/docs/wiki/ALZ-Policies-FAQ.md). |
+| Diagnostic Settings for MariaDB to Log Analytics Workspace <br>ID: [`Deploy-Diagnostics-MariaDB`](https://www.azadvertizer.net/azpolicyadvertizer/Deploy-Diagnostics-MariaDB.html) | Deprecating due to service retirement | Deprecating policies for MariaDB, see [`ALZ Policy FAQ & Tips`](./ALZ-Policies-FAQ) |
 | Deploy SQL Database Vulnerability Assessments<br>ID: [`Deploy-Sql-vulnerabilityAssessments`](https://www.azadvertizer.net/azpolicyadvertizer/Deploy-Sql-vulnerabilityAssessments.html) | [`Deploy-Sql-vulnerabilityAssessments_20230706`](https://www.azadvertizer.net/azpolicyadvertizer/Deploy-Sql-vulnerabilityAssessments_20230706.html) | Custom policy replaced by updated custom policy providing bug fix |
 
 ### More Information

diff --git a/docs/wiki/ALZ-Policies-FAQ.md b/docs/wiki/ALZ-Policies-FAQ.md
@@ -20,6 +20,17 @@ To view the current list of GitHub issues related to diagnostic settings, please
 
 Similarly, as Microsoft Monitor Agent (MMA) is on a deprecation path, Azure Monitor Agent (AMA) is the recommended replacement and there are a number of requests to support AMA specific policies. AMA is currently in preview, and we are working with the product group to ensure that the policies are updated as soon as possible. Some policies are ready, however, the initiative to activate all components is still being worked on.
 
+### Azure Database for MariaDB (Jan 2024)
+
+Azure Database for MariaDB is being deprecated, with the retirement process beginning on January 19, 2024. Due to retirement Azure is phasing out MariaDB policies, aligning with a strategic shift to Azure Database for MySQL - Flexible Server. This includes deprecating Azure Landing Zone (ALZ) custom policies 'Diagnostic Settings (Deploy)' and 'Public Endpoint (Deny)' for MariaDB. These policies are becoming redundant with MariaDB's phase-out:
+
+1. Diagnostic Settings (Deploy) for MariaDB
+2. Public Endpoint (Deny) for MariaDB
+
+**Action for Users:** Users are encouraged to migrate to Azure Database for MySQL - Flexible Server. This migration will involve updating or replacing existing MariaDB-related policies with ones suitable for the MySQL Flexible Server environment.
+
+For more information on Azure Database for MariaDB, its retirement, and the migration process, visit [What's happening to Azure Database for MariaDB?](https://learn.microsoft.com/en-us/azure/mariadb/whats-happening-to-mariadb).
+
 ### Sovereign Clouds (US Gov and China)
 
 Numerous GitHub issues related to sovereign clouds are currently within our scope, and our team is actively endeavoring to resolve these concerns.

diff --git a/docs/wiki/Deploying-ALZ-ZTNetwork.md b/docs/wiki/Deploying-ALZ-ZTNetwork.md
@@ -1,6 +1,8 @@
 ## Azure landing zone portal accelerator deployment with Zero Trust network principles
 
-This guide will review how to deploy the Azure landing zone portal accelerator with a jump start on Zero Trust Networking Principles for Azure landing zones. If you are looking for a complete walkthrough of the Azure landing zones portal accelerator select one of the deployment guides in the wiki navigation on the right of this page under "Deploying Enterprise-Scale". For more information on Zero Trust security model and principles visit [Embrace proactive security with Zero Trust](/security/business/zero-trust). Let's review the [Zero Trust aligned networking](/security/zero-trust/deploy/networks) configurations in the [Azure landing zone portal accelerator](/azure/cloud-adoption-framework/ready/landing-zone/#azure-landing-zone-portal-accelerator).
+This guide will review how to deploy the Azure landing zone portal accelerator with a jump start on Zero Trust Networking Principles for Azure landing zones. If you are looking for a complete walkthrough of the Azure landing zones portal accelerator select one of the deployment guides in the wiki navigation on the right of this page under "Deploying Enterprise-Scale". For more information on Zero Trust security model and principles visit [What is Zero Trust?](https://learn.microsoft.com/security/zero-trust/zero-trust-overview) in the [Zero Trust Guidance Center](https://learn.microsoft.com/security/zero-trust/).
+
+Let's review the [Zero Trust aligned networking](https://learn.microsoft.com/security/zero-trust/deploy/networks) configurations in the [Azure landing zone portal accelerator](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/#azure-landing-zone-portal-accelerator).
 
 ## Platform management, security, and governance
 

diff --git a/docs/wiki/Whats-new.md b/docs/wiki/Whats-new.md
@@ -52,6 +52,7 @@ Yes, the Q2 Policy Refresh has been delayed due to a light past quarter and some
 
 - 🎉 Added new initiative default assignment at the Intermediate Root Management Group for [Resources should be Zone Resilient](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/130fb88f-0fc9-4678-bfe1-31022d71c7d5.html) in Audit mode.
 - Added new default assignment at the Intermediate Root Management Group for [Resource Group and Resource locations should match](https://www.azadvertizer.net/azpolicyadvertizer/0a914e76-4921-4c19-b460-a2d36003525a.html), which will help customers better manage and identify regionally deployed resources and ultimately support improved resilience.
+- We are deprecating MariaDB custom policies. For more information: [ALZ Policies FAQ](./ALZ-Policies-FAQ) 
 - Fixed a typo in the Private DNS Zones initiative for the policy definition IDs for Databrics (corrected to Databricks). While not a breaking change, it is recommended to redeploy the initiative to ensure the correct policy definition IDs are used if you are using Private DNS Zones for Databricks - specifically if you have configured any exclusions or overrides for the Databricks policy definitions, as these rely on the policy definition ID (which has been updated). You will need to recreate the exclusions or overrides for Databricks if you choose not to redeploy the initiative.
 - Added ['Container Apps environment should disable public network access'](https://www.azadvertizer.net/azpolicyadvertizer/d074ddf8-01a5-4b5e-a2b8-964aed452c0a.html) to ['Deny-PublicPaaSEndpoints'.](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deny-PublicPaaSEndpoints.html)
 - Added ['Container Apps should only be accessible over HTTPS'](https://www.azadvertizer.net/azpolicyadvertizer/0e80e269-43a4-4ae9-b5bc-178126b8a5cb.html) to this ['Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit'.](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-EncryptTransit.html)
@@ -64,6 +65,10 @@ Yes, the Q2 Policy Refresh has been delayed due to a light past quarter and some
 - Bug fix for Portal Accelerator deployment when deploying using a single platform subscription. Previously, a single tenant deployment would have three failed deployments for diagnostic settings which were looking for non-existent management groups (Management, Identity and Connectivity). This has been fixed and the deployment will now succeed.
 - Added drop down selection option for Azure Private Link Private DNS Zones as part of portal based ALZ deployment experience where you can select to deploy or not to deploy a subset of Private Link Private DNS zones.
 
+#### Documentation
+
+- Updated broken links in [Deploying ALZ ZT Network](https://github.com/Azure/Enterprise-Scale/wiki/Deploying-ALZ-ZTNetwork#azure-landing-zone-portal-accelerator-deployment-with-zero-trust-network-principles)
+
 ### December 2023
 
 #### Tooling