|
| 1 | +--- |
| 2 | +title: DoD Impact Level 4 blueprint sample |
| 3 | +description: Deploy steps for the DoD Impact Level 4 blueprint sample including blueprint artifact parameter details. |
| 4 | +ms.date: 02/09/2020 |
| 5 | +ms.topic: sample |
| 6 | +--- |
| 7 | +# Deploy the DoD Impact Level 4 blueprint sample |
| 8 | + |
| 9 | +To deploy the Azure Blueprints Department of Defense Impact Level 4 (DoD IL4) blueprint sample, the following steps must be taken: |
| 10 | + |
| 11 | +> [!div class="checklist"] |
| 12 | +> - Create a new blueprint from the sample |
| 13 | +> - Mark your copy of the sample as **Published** |
| 14 | +> - Assign your copy of the blueprint to an existing subscription |
| 15 | +
|
| 16 | +If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free) |
| 17 | +before you begin. |
| 18 | + |
| 19 | +## Create blueprint from sample |
| 20 | + |
| 21 | +First, implement the blueprint sample by creating a new blueprint in your environment using the |
| 22 | +sample as a starter. |
| 23 | + |
| 24 | +1. Select **All services** in the left pane. Search for and select **Blueprints**. |
| 25 | + |
| 26 | +1. From the **Getting started** page on the left, select the **Create** button under _Create a |
| 27 | + blueprint_. |
| 28 | + |
| 29 | +1. Find the **DoD Impact Level 4** blueprint sample under _Other Samples_ and select **Use this sample**. |
| 30 | + |
| 31 | +1. Enter the _Basics_ of the blueprint sample: |
| 32 | + |
| 33 | + - **Blueprint name**: Provide a name for your copy of the DoD Impact Level 4 blueprint sample. |
| 34 | + - **Definition location**: Use the ellipsis and select the management group to save your copy of |
| 35 | + the sample to. |
| 36 | + |
| 37 | +1. Select the _Artifacts_ tab at the top of the page or **Next: Artifacts** at the bottom of the |
| 38 | + page. |
| 39 | + |
| 40 | +1. Review the list of artifacts that make up the blueprint sample. Many of the artifacts have |
| 41 | + parameters that we'll define later. Select **Save Draft** when you've finished reviewing the |
| 42 | + blueprint sample. |
| 43 | + |
| 44 | +## Publish the sample copy |
| 45 | + |
| 46 | +Your copy of the blueprint sample has now been created in your environment. It's created in |
| 47 | +**Draft** mode and must be **Published** before it can be assigned and deployed. The copy of the |
| 48 | +blueprint sample can be customized to your environment and needs, but that modification may move it |
| 49 | +away from alignment with DoD Impact Level 4 controls. |
| 50 | + |
| 51 | +1. Select **All services** in the left pane. Search for and select **Blueprints**. |
| 52 | + |
| 53 | +1. Select the **Blueprint definitions** page on the left. Use the filters to find your copy of the |
| 54 | + blueprint sample and then select it. |
| 55 | + |
| 56 | +1. Select **Publish blueprint** at the top of the page. In the new page on the right, provide a |
| 57 | + **Version** for your copy of the blueprint sample. This property is useful for if you make a |
| 58 | + modification later. Provide **Change notes** such as "First version published from the DoD |
| 59 | + IL4 blueprint sample." Then select **Publish** at the bottom of the page. |
| 60 | + |
| 61 | +## Assign the sample copy |
| 62 | + |
| 63 | +Once the copy of the blueprint sample has been successfully **Published**, it can be assigned to a |
| 64 | +subscription within the management group it was saved to. This step is where parameters are |
| 65 | +provided to make each deployment of the copy of the blueprint sample unique. |
| 66 | + |
| 67 | +1. Select **All services** in the left pane. Search for and select **Blueprints**. |
| 68 | + |
| 69 | +1. Select the **Blueprint definitions** page on the left. Use the filters to find your copy of the |
| 70 | + blueprint sample and then select it. |
| 71 | + |
| 72 | +1. Select **Assign blueprint** at the top of the blueprint definition page. |
| 73 | + |
| 74 | +1. Provide the parameter values for the blueprint assignment: |
| 75 | + |
| 76 | + - Basics |
| 77 | + |
| 78 | + - **Subscriptions**: Select one or more of the subscriptions that are in the management group |
| 79 | + you saved your copy of the blueprint sample to. If you select more than one subscription, an |
| 80 | + assignment will be created for each using the parameters entered. |
| 81 | + - **Assignment name**: The name is pre-populated for you based on the name of the blueprint. |
| 82 | + Change as needed or leave as is. |
| 83 | + - **Location**: Select a region for the managed identity to be created in. Azure Blueprint uses |
| 84 | + this managed identity to deploy all artifacts in the assigned blueprint. To learn more, see |
| 85 | + [managed identities for Azure resources](../../../../active-directory/managed-identities-azure-resources/overview.md). |
| 86 | + - **Blueprint definition version**: Pick a **Published** version of your copy of the blueprint |
| 87 | + sample. |
| 88 | + |
| 89 | + - Lock Assignment |
| 90 | + |
| 91 | + Select the blueprint lock setting for your environment. For more information, see |
| 92 | + [blueprints resource locking](../../concepts/resource-locking.md). |
| 93 | + |
| 94 | + - Managed Identity |
| 95 | + |
| 96 | + Leave the default _system assigned_ managed identity option. |
| 97 | + |
| 98 | + - Artifact parameters |
| 99 | + |
| 100 | + The parameters defined in this section apply to the artifact under which it's defined. These |
| 101 | + parameters are [dynamic parameters](../../concepts/parameters.md#dynamic-parameters) since |
| 102 | + they're defined during the assignment of the blueprint. For a full list or artifact parameters |
| 103 | + and their descriptions, see [Artifact parameters table](#artifact-parameters-table). |
| 104 | + |
| 105 | +1. Once all parameters have been entered, select **Assign** at the bottom of the page. The blueprint |
| 106 | + assignment is created and artifact deployment begins. Deployment takes roughly an hour. To check |
| 107 | + on the status of deployment, open the blueprint assignment. |
| 108 | + |
| 109 | +> [!WARNING] |
| 110 | +> The Azure Blueprints service and the built-in blueprint samples are **free of cost**. Azure |
| 111 | +> resources are [priced by product](https://azure.microsoft.com/pricing/). Use the |
| 112 | +> [pricing calculator](https://azure.microsoft.com/pricing/calculator/) to estimate the cost of |
| 113 | +> running resources deployed by this blueprint sample. |
| 114 | +
|
| 115 | +## Artifact parameters table |
| 116 | + |
| 117 | +The following table provides a list of the blueprint artifact parameters: |
| 118 | + |
| 119 | +|Artifact name|Artifact type|Parameter name|Description| |
| 120 | +|-|-|-|-| |
| 121 | +|\[Preview\]: DoD Impact Level 4|Policy assignment|Log Analytics workspace ID that VMs should be configured for|This is the ID (GUID) of the Log Analytics workspace that the VMs should be configured for.| |
| 122 | +|\[Preview\]: DoD Impact Level 4|Policy assignment|List of resource types that should have diagnostic logs enabled|List of resource types to audit if diagnostic log setting is not enabled. Acceptable values can be found at [Azure Monitor diagnostic logs schemas](../../../../azure-monitor/platform/diagnostic-logs-schema.md#supported-log-categories-per-resource-type).| |
| 123 | +|\[Preview\]: DoD Impact Level 4|Policy assignment|List of users that should be excluded from Windows VM Administrators group|A semicolon-separated list of members that should be excluded in the Administrators local group. Ex: Administrator; myUser1; myUser2| |
| 124 | +|\[Preview\]: DoD Impact Level 4|Policy assignment|List of users that should be included in Windows VM Administrators group|A semicolon-separated list of members that should be included in the Administrators local group. Ex: Administrator; myUser1; myUser2| |
| 125 | +|\[Preview\]: Deploy Log Analytics Agent for Linux VM Scale Sets (VMSS)|Policy assignment|Log Analytics workspace for Linux VM Scale Sets (VMSS)|If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.| |
| 126 | +|\[Preview\]: Deploy Log Analytics Agent for Linux VM Scale Sets (VMSS)|Policy assignment|Optional: List of VM images that have supported Linux OS to add to scope|An empty array may be used to indicate no optional parameters: \[\]| |
| 127 | +|\[Preview\]: Deploy Log Analytics Agent for Linux VMs|Policy assignment|Log Analytics workspace for Linux VMs|If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.| |
| 128 | +|\[Preview\]: Deploy Log Analytics Agent for Linux VMs|Policy assignment|Optional: List of VM images that have supported Linux OS to add to scope|An empty array may be used to indicate no optional parameters: \[\]| |
| 129 | +|\[Preview\]: Deploy Log Analytics Agent for Windows VM Scale Sets (VMSS)|Policy assignment|Log Analytics workspace for Windows VM Scale Sets (VMSS)|If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.| |
| 130 | +|\[Preview\]: Deploy Log Analytics Agent for Windows VM Scale Sets (VMSS)|Policy assignment|Optional: List of VM images that have supported Windows OS to add to scope|An empty array may be used to indicate no optional parameters: \[\]| |
| 131 | +|\[Preview\]: Deploy Log Analytics Agent for Windows VMs|Policy assignment|Log Analytics workspace for Windows VMs|If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.| |
| 132 | +|\[Preview\]: Deploy Log Analytics Agent for Windows VMs|Policy assignment|Optional: List of VM images that have supported Windows OS to add to scope|An empty array may be used to indicate no optional parameters: \[\]| |
| 133 | +|Deploy Advanced Threat Protection on Storage Accounts|Policy assignment|Effect|Information about policy effects can be found at [Understand Azure Policy Effects](../../../policy/concepts/effects.md).| |
| 134 | +|Deploy Auditing on SQL servers|Policy assignment|The value in days of the retention period (0 indicates unlimited retention)|Retention days (optional, 180 days if unspecified)| |
| 135 | +|Deploy Auditing on SQL servers|Policy assignment|Resource group name for storage account for SQL server auditing|Auditing writes database events to an audit log in your Azure Storage account (a storage account will be created in each region where a SQL Server is created that will be shared by all servers in that region). Important - for proper operation of Auditing do not delete or rename the resource group or the storage accounts.| |
| 136 | +|Deploy diagnostic settings for Network Security Groups|Policy assignment|Storage account prefix for network security group diagnostics|This prefix will be combined with the network security group location to form the created storage account name.| |
| 137 | +|Deploy diagnostic settings for Network Security Groups|Policy assignment|Resource group name for storage account for network security group diagnostics (must exist)|The resource group that the storage account will be created in. This resource group must already exist.| |
| 138 | +|\[Preview\]: DoD Impact Level 4|Policy assignment|Allowed locations for resources and resource groups|List of Azure locations that your organization can specify when deploying resources. This provided value is also used by the 'Allowed locations' policy within the policy initiative.| |
| 139 | +|\[Preview\]: DoD Impact Level 4|Policy assignment|Vulnerability assessment should be enabled on your SQL managed instances|Information about policy effects can be found at [Understand Azure Policy Effects](../../../policy/concepts/effects.md).| |
| 140 | +|\[Preview\]: DoD Impact Level 4|Policy assignment|Vulnerability assessment should be enabled on your SQL servers|Information about policy effects can be found at [Understand Azure Policy Effects](../../../policy/concepts/effects.md).| |
| 141 | +|\[Preview\]: DoD Impact Level 4|Policy assignment|Vulnerability assessment should be enabled on Virtual Machines|Information about policy effects can be found at [Understand Azure Policy Effects](../../../policy/concepts/effects.md).| |
| 142 | +|\[Preview\]: DoD Impact Level 4|Policy assignment|Geo-redundant storage should be enabled for Storage Accounts|Information about policy effects can be found at [Understand Azure Policy Effects](../../../policy/concepts/effects.md).| |
| 143 | +|\[Preview\]: DoD Impact Level 4|Policy assignment|Geo-redundant backup should be enabled for Azure Database for MariaDB|Information about policy effects can be found at [Understand Azure Policy Effects](../../../policy/concepts/effects.md).| |
| 144 | +|\[Preview\]: DoD Impact Level 4|Policy assignment|Geo-redundant backup should be enabled for Azure Database for MySQL|Information about policy effects can be found at [Understand Azure Policy Effects](../../../policy/concepts/effects.md).| |
| 145 | +|\[Preview\]: DoD Impact Level 4|Policy assignment|Geo-redundant backup should be enabled for Azure Database for PostgreSQL|Information about policy effects can be found at [Understand Azure Policy Effects](../../../policy/concepts/effects.md).| |
| 146 | +|\[Preview\]: DoD Impact Level 4|Policy assignment|Network Security Group rules for internet facing virtual machines should be hardened|Information about policy effects can be found at [Understand Azure Policy Effects](../../../policy/concepts/effects.md).| |
| 147 | +|\[Preview\]: DoD Impact Level 4|Policy assignment|Web Application should only be accessible over HTTPS|Information about policy effects can be found at [Understand Azure Policy Effects](../../../policy/concepts/effects.md).| |
| 148 | +|\[Preview\]: DoD Impact Level 4|Policy assignment|Function App should only be accessible over HTTPS|Information about policy effects can be found at [Understand Azure Policy Effects](../../../policy/concepts/effects.md).| |
| 149 | +|\[Preview\]: DoD Impact Level 4|Policy assignment|External accounts with write permissions should be removed from your subscription|Information about policy effects can be found at [Understand Azure Policy Effects](../../../policy/concepts/effects.md).| |
| 150 | +|\[Preview\]: DoD Impact Level 4|Policy assignment|External accounts with read permissions should be removed from your subscription|Information about policy effects can be found at [Understand Azure Policy Effects](../../../policy/concepts/effects.md).| |
| 151 | +|\[Preview\]: DoD Impact Level 4|Policy assignment|External accounts with owner permissions should be removed from your subscription|Information about policy effects can be found at [Understand Azure Policy Effects](../../../policy/concepts/effects.md).| |
| 152 | +|\[Preview\]: DoD Impact Level 4|Policy assignment|Deprecated accounts with owner permissions should be removed from your subscription|Information about policy effects can be found at [Understand Azure Policy Effects](../../../policy/concepts/effects.md).| |
| 153 | +|\[Preview\]: DoD Impact Level 4|Policy assignment|Deprecated accounts should be removed from your subscription|Information about policy effects can be found at [Understand Azure Policy Effects](../../../policy/concepts/effects.md).| |
| 154 | +|\[Preview\]: DoD Impact Level 4|Policy assignment|CORS shouldn't allow every resource to access your Web Application|Information about policy effects can be found at [Understand Azure Policy Effects](../../../policy/concepts/effects.md).| |
| 155 | +|\[Preview\]: DoD Impact Level 4|Policy assignment|System updates on virtual machine scale sets should be installed|Information about policy effects can be found at [Understand Azure Policy Effects](../../../policy/concepts/effects.md).| |
| 156 | +|\[Preview\]: DoD Impact Level 4|Policy assignment|MFA should be enabled on accounts with read permissions on your subscription|Information about policy effects can be found at [Understand Azure Policy Effects](../../../policy/concepts/effects.md).| |
| 157 | +|\[Preview\]: DoD Impact Level 4|Policy assignment|MFA should be enabled on accounts with owner permissions on your subscription|Information about policy effects can be found at [Understand Azure Policy Effects](../../../policy/concepts/effects.md).| |
| 158 | +|\[Preview\]: DoD Impact Level 4|Policy assignment|MFA should be enabled on accounts with write permissions on your subscription|Information about policy effects can be found at [Understand Azure Policy Effects](../../../policy/concepts/effects.md).| |
| 159 | +|\[Preview\]: DoD Impact Level 4|Policy assignment|Long-term geo-redundant backup should be enabled for Azure SQL Databases|Information about policy effects can be found at [Understand Azure Policy Effects](../../../policy/concepts/effects.md).| |
| 160 | + |
| 161 | + |
| 162 | +## Next steps |
| 163 | + |
| 164 | +Now that you've reviewed the steps to deploy the DoD Impact Level 4 blueprint sample, visit the following |
| 165 | +articles to learn about the blueprint and control mapping: |
| 166 | + |
| 167 | +> [!div class="nextstepaction"] |
| 168 | +> [DoD Impact Level 4 blueprint - Overview](./index.md) |
| 169 | +> [DoD Impact Level 4 blueprint - Control mapping](./control-mapping.md) |
| 170 | +
|
| 171 | +Addition articles about blueprints and how to use them: |
| 172 | + |
| 173 | +- Learn about the [blueprint lifecycle](../../concepts/lifecycle.md). |
| 174 | +- Understand how to use [static and dynamic parameters](../../concepts/parameters.md). |
| 175 | +- Learn to customize the [blueprint sequencing order](../../concepts/sequencing-order.md). |
| 176 | +- Find out how to make use of [blueprint resource locking](../../concepts/resource-locking.md). |
| 177 | +- Learn how to [update existing assignments](../../how-to/update-existing-assignments.md). |
0 commit comments