Merge pull request #269669 from robswain/1057275-policies

Stacyrch140 · web-flow · commit 20b7d79fb546 · 2024-03-26T13:24:08.000-04:00
ADO 1057275 - add Azure Policy support
diff --git a/articles/private-5g-core/azure-policy-reference.md b/articles/private-5g-core/azure-policy-reference.md
@@ -0,0 +1,24 @@
+---
+title: Azure Policy definitions for Azure Private 5G Core
+description: List of Azure Policy definitions for Azure Private 5G Core.
+author: robswain
+ms.author: robswain
+ms.service: private-5g-core
+ms.topic: reference
+ms.custom: subject-policy-reference
+ms.date: 03/20/2024
+---
+# Azure Policy policy definitions for Azure Private 5G Core
+
+This page lists the [Azure Policy](../governance/policy/overview.md) policy definitions for Azure Private 5G Core. For the full list of Azure Policy definitions across Azure services, see [Azure Policy built-in definitions](../governance/policy/samples/built-in-policies.md).
+
+The name of each policy definition links to the policy definition in the Azure portal. Use the link in the **Version** column to view the source on the [Azure Policy GitHub repo](https://github.com/Azure/azure-policy).
+
+To assign a policy to your Azure Private 5G Core deployment, see [Create and manage policies to enforce compliance](../governance/policy/tutorials/create-and-manage.md).
+
+[!INCLUDE [](../../includes/policy/reference/bycat/policies-mobile-network.md)]
+
+## Next steps
+
+- [Azure Policy definition structure](../governance/policy/concepts/definition-structure.md)
+- [Understanding policy effects](../governance/policy/concepts/effects.md)
diff --git a/articles/private-5g-core/security.md b/articles/private-5g-core/security.md
@@ -32,11 +32,14 @@ Azure Private 5G Core packet core instances are deployed on Azure Stack Edge dev
 
 In addition to the default [Encryption at rest](#encryption-at-rest) using Microsoft-Managed Keys (MMK), you can optionally use Customer Managed Keys (CMK) when [creating a SIM group](manage-sim-groups.md#create-a-sim-group) or [when deploying a private mobile network](how-to-guide-deploy-a-private-mobile-network-azure-portal.md#deploy-your-private-mobile-network) to encrypt data with your own key.
 
-If you elect to use a CMK, you will need to create a Key URI in your [Azure Key Vault](../key-vault/index.yml) and a [User-assigned identity](../active-directory/managed-identities-azure-resources/overview.md) with read, wrap, and unwrap access to the key.
+If you elect to use a CMK, you will need to create a Key URI in your [Azure Key Vault](../key-vault/index.yml) and a [User-assigned identity](../active-directory/managed-identities-azure-resources/overview.md) with read, wrap, and unwrap access to the key. Note that:
 
 - The key must be configured to have an activation and expiration date and we recommend that you [configure cryptographic key auto-rotation in Azure Key Vault](../key-vault/keys/how-to-configure-key-rotation.md).
 - The SIM group accesses the key via the user-assigned identity.
-- For additional information on configuring CMK for a SIM group, see [Configure customer-managed keys](/azure/cosmos-db/how-to-setup-cmk).
+
+For further information on configuring CMK, see [Configure customer-managed keys](/azure/cosmos-db/how-to-setup-cmk).
+
+You can use Azure Policy to enforce using CMK for SIM groups. See [Azure Policy definitions for Azure Private 5G Core](azure-policy-reference.md).
 
 > [!IMPORTANT]
 > Once a SIM group is created, you cannot change the encryption type. However, if the SIM group uses CMK, you can update the key used for encryption.
@@ -75,6 +78,8 @@ If you decide to set up Microsoft Entra ID for local monitoring access, after de
 
 See [Choose the authentication method for local monitoring tools](collect-required-information-for-a-site.md#choose-the-authentication-method-for-local-monitoring-tools) for additional information on configuring local monitoring access authentication.
 
+You can use Azure Policy to enforce using Entra ID for local monitoring access. See [Azure Policy definitions for Azure Private 5G Core](azure-policy-reference.md).
+
 ## Next steps
 
 - [Deploy a private mobile network - Azure portal](how-to-guide-deploy-a-private-mobile-network-azure-portal.md)
diff --git a/articles/private-5g-core/toc.yml b/articles/private-5g-core/toc.yml
@@ -194,6 +194,8 @@ items:
      href: differentiated-services-codepoint-5qi-mapping.md
    - name: Support lifetime
      href: support-lifetime.md
+   - name: Azure Policy definitions
+     href: azure-policy-reference.md     
 - name: Resources
   items:
   - name: Azure Private 5G Core product page
diff --git a/articles/private-5g-core/whats-new.md b/articles/private-5g-core/whats-new.md
@@ -23,6 +23,19 @@ To help you stay up to date with the latest developments, this article covers:
 This page is updated regularly with the latest developments in Azure Private 5G Core.
 
 ## March 2024
+### Azure Policy support
+
+**Type:** New feature
+
+**Date available:** March 26, 2024
+
+You can now use [Azure Policy](../governance/policy/overview.md) to enforce security-related settings in your AP5GC deployment. Azure Policy allows you to ensure compliance with organizational standards across supported Azure services. AP5GC has built-in policy definitions for:
+
+- using Microsoft Entra ID to access local monitoring tools
+- using customer-managed keys to encrypt SIM groups.
+
+See [Azure Policy policy definitions for Azure Private 5G Core](azure-policy-reference.md) for details.
+
 ### SUPI concealment
 
 **Type:** New feature
