Add private link support for high log scale (#1512)

* add private link support for high log scale

* update use right public access

* update split

* update for syslog template

Author: wanlonghenry

scripts/onboarding/aks/onboarding-msi-azure-policy/azure-policy.parameters.json

@@ -94,5 +94,13 @@
         "Microsoft-Perf",
         "Microsoft-RetinaNetworkFlowLogs"
       ]
+    },
+    "useAzureMonitorPrivateLinkScope": {
+      "type": "Boolean",
+      "defaultValue": false
+    },
+    "azureMonitorPrivateLinkScopeResourceId": {
+      "type": "String",
+      "defaultValue": "/subscriptions/<SubscriptionId>/resourceGroups/<ResourceGroup>/providers/microsoft.insights/privateLinkScopes/<azureMonitorPrivateLinkScopeName>"
     }
 }

scripts/onboarding/aks/onboarding-msi-azure-policy/azure-policy.rules.json

@@ -70,13 +70,20 @@
 				},
 				"streams": {
 					"type": "array"
+				},
+				"useAzureMonitorPrivateLinkScope": {
+					"type": "bool"
+				},
+				"azureMonitorPrivateLinkScopeResourceId": {
+					"type": "string"
 				}
 			  },
 			  "variables": {
 				"clusterSubscriptionId": "[split(parameters('aksResourceId'),'/')[2]]",
 				"clusterResourceGroup": "[split(parameters('aksResourceId'),'/')[4]]",
 				"clusterName": "[split(parameters('aksResourceId'),'/')[8]]",
 				"clusterLocation": "[replace(parameters('aksResourceLocation'),' ', '')]",
+				"workspaceName": "[split(parameters('workspaceResourceId'),'/')[8]]",
 				"workspaceLocation":"[replace(parameters('workspaceRegion'),' ', '')]",
 				"dcrNameFull": "[Concat('MSCI', '-', variables('workspaceLocation'), '-', variables('clusterName'))]",
 				"dcrName":"[if(greater(length(variables('dcrNameFull')), 64), substring(variables('dcrNameFull'), 0, 64), variables('dcrNameFull'))]",
@@ -87,6 +94,14 @@
 				"ingestionDCEName": "[if(greater(length(variables('ingestionDCENameFull')), 43), substring(variables('ingestionDCENameFull'), 0, 43), variables('ingestionDCENameFull'))]",
 				"ingestionDCE": "[if(endsWith(variables('ingestionDCEName'), '-'), substring(variables('ingestionDCEName'), 0, 42), variables('ingestionDCEName'))]",
 				"ingestionDataCollectionEndpointId": "[resourceId(variables('clusterSubscriptionId'), variables('clusterResourceGroup'), 'Microsoft.Insights/dataCollectionEndpoints', variables('ingestionDCE'))]",
+				"configDCENameFull": "[Concat('MSCI-config', '-', variables('clusterLocation'), '-', variables('clusterName'))]",
+				"configDCEName": "[if(greater(length(variables('configDCENameFull')), 43), substring(variables('configDCENameFull'), 0, 43), variables('configDCENameFull'))]",
+				"configDCE": "[if(endsWith(variables('configDCEName'), '-'), substring(variables('configDCEName'), 0, 42), variables('configDCEName'))]",
+				"configDCEAssociationName": "configurationAccessEndpoint",
+				"configDataCollectionEndpointId": "[resourceId(variables('clusterSubscriptionId'), variables('clusterResourceGroup'), 'Microsoft.Insights/dataCollectionEndpoints', variables('configDCE'))]",
+				"privateLinkScopeName": "[split(parameters('azureMonitorPrivateLinkScopeResourceId'),'/')[8]]",
+				"privateLinkScopeResourceGroup": "[split(parameters('azureMonitorPrivateLinkScopeResourceId'),'/')[4]]",
+				"privateLinkScopeSubscriptionId": "[split(parameters('azureMonitorPrivateLinkScopeResourceId'),'/')[2]]",
 				"ciOnlyTemplate": {
 					"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
 					"contentVersion": "1.0.0.0",
@@ -211,6 +226,20 @@
 				}
 			  },
 			  "resources": [
+				{
+					"condition": "[parameters('useAzureMonitorPrivateLinkScope')]",
+					"type": "Microsoft.Insights/dataCollectionEndpoints",
+					"apiVersion": "2022-06-01",
+					"name": "[variables('configDCE')]",
+					"location": "[variables('clusterLocation')]",
+					"tags": "[parameters('resourceTagValues')]",
+					"kind": "Linux",
+					"properties": {
+						"networkAcls": {
+							"publicNetworkAccess": "[if(parameters('useAzureMonitorPrivateLinkScope'), 'Disabled', 'Enabled')]"
+						}
+					}
+				},
 				{
 					"condition": "[variables('enableHighLogScaleMode')]",
 					"type": "Microsoft.Insights/dataCollectionEndpoints",
@@ -221,7 +250,7 @@
 					"kind": "Linux",
 					"properties": {
 						"networkAcls": {
-							"publicNetworkAccess": "Enabled"
+							"publicNetworkAccess": "[if(parameters('useAzureMonitorPrivateLinkScope'), 'Disabled', 'Enabled')]"
 						}
 					}
 				},
@@ -269,14 +298,137 @@
 					  "parameters": {}
 					}
 				},
+				{
+					"condition": "[parameters('useAzureMonitorPrivateLinkScope')]",
+					"type": "Microsoft.Resources/deployments",
+					"name": "[Concat('aks-monitoring-msi-dcea-config', '-', uniqueString(parameters('aksResourceId')))]",
+					"apiVersion": "2017-05-10",
+					"subscriptionId": "[variables('clusterSubscriptionId')]",
+					"resourceGroup": "[variables('clusterResourceGroup')]",
+					"dependsOn": [
+						"[resourceId('Microsoft.Insights/dataCollectionEndpoints/', variables('configDCE'))]"
+					],
+					"properties": {
+					  "mode": "Incremental",
+					  "template": {
+					    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+						"contentVersion": "1.0.0.0",
+						"parameters": {},
+						"variables": {},
+						"resources": [
+						  {
+						    "type": "Microsoft.ContainerService/managedClusters/providers/dataCollectionRuleAssociations",
+							"name": "[concat(variables('clusterName'),'/microsoft.insights/', variables('configDCEAssociationName'))]",
+							"apiVersion": "2022-06-01",
+							"properties": {
+								"description": "Association of data collection rule endpoint. Deleting this association will break the data collection endpoint for this AKS Cluster.",
+								"dataCollectionEndpointId": "[variables('configDataCollectionEndpointId')]"
+							}
+						  }
+						]
+					  },
+					  "parameters": {}
+					}
+				},
+				{
+					"condition": "[parameters('useAzureMonitorPrivateLinkScope')]",
+					"type": "Microsoft.Resources/deployments",
+					"name": "[Concat('aks-monitoring-msi-ampls-scope-config', '-', uniqueString(parameters('aksResourceId')))]",
+					"apiVersion": "2017-05-10",
+					"subscriptionId": "[variables('privateLinkScopeSubscriptionId')]",
+					"resourceGroup": "[variables('privateLinkScopeResourceGroup')]",
+					"dependsOn": [
+						"[resourceId('Microsoft.Insights/dataCollectionEndpoints/', variables('configDCE'))]"
+					],
+					"properties": {
+					  "mode": "Incremental",
+					  "template": {
+					    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+						"contentVersion": "1.0.0.0",
+						"parameters": {},
+						"variables": {},
+						"resources": [
+						  {
+							"type": "microsoft.insights/privatelinkscopes/scopedresources",
+							"name": "[concat(variables('privateLinkScopeName'), '/', concat(variables('configDCE'), '-connection'))]",
+							"apiVersion": "2021-07-01-preview",
+							"properties": {
+							  "linkedResourceId": "[variables('configDataCollectionEndpointId')]"
+							}
+						  }
+						]
+					  },
+					  "parameters": {}
+					}
+				},
+				{
+					"condition": "[and(parameters('useAzureMonitorPrivateLinkScope'), variables('enableHighLogScaleMode'))]",
+					"type": "Microsoft.Resources/deployments",
+					"name": "[Concat('aks-monitoring-msi-ampls-scope-ingest', '-', uniqueString(parameters('aksResourceId')))]",
+					"apiVersion": "2017-05-10",
+					"subscriptionId": "[variables('privateLinkScopeSubscriptionId')]",
+					"resourceGroup": "[variables('privateLinkScopeResourceGroup')]",
+					"dependsOn": [
+						"[resourceId('Microsoft.Insights/dataCollectionEndpoints/', variables('ingestionDCE'))]"
+					],
+					"properties": {
+					  "mode": "Incremental",
+					  "template": {
+					    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+						"contentVersion": "1.0.0.0",
+						"parameters": {},
+						"variables": {},
+						"resources": [
+						  {
+							"type": "microsoft.insights/privatelinkscopes/scopedresources",
+							"name": "[concat(variables('privateLinkScopeName'), '/', concat(variables('ingestionDCE'), '-connection'))]",
+							"apiVersion": "2021-07-01-preview",
+							"properties": {
+							  "linkedResourceId": "[variables('ingestionDataCollectionEndpointId')]"
+							}
+						  }
+						]
+					  },
+					  "parameters": {}
+					}
+				},
+				{
+					"condition": "[parameters('useAzureMonitorPrivateLinkScope')]",
+					"type": "Microsoft.Resources/deployments",
+					"name": "[Concat('aks-monitoring-msi-ampls-scope', '-', uniqueString(parameters('workspaceResourceId')))]",
+					"apiVersion": "2017-05-10",
+					"subscriptionId": "[variables('privateLinkScopeSubscriptionId')]",
+					"resourceGroup": "[variables('privateLinkScopeResourceGroup')]",
+					"properties": {
+					  "mode": "Incremental",
+					  "template": {
+						"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+						"contentVersion": "1.0.0.0",
+						"parameters": {},
+						"variables": {},
+						"resources": [
+						  {
+							"type": "microsoft.insights/privatelinkscopes/scopedresources",
+							"name": "[concat(variables('privateLinkScopeName'), '/', concat(variables('workspaceName'), '-connection'))]",
+							"apiVersion": "2021-07-01-preview",
+							"properties": {
+								"linkedResourceId": "[parameters('workspaceResourceId')]"
+							}
+						  }
+						]
+					  },
+					  "parameters": {}
+					}
+				},
 				{
 					"type": "Microsoft.Resources/deployments",
 					"name": "[Concat('aks-monitoring-msi-addon', '-',  uniqueString(parameters('aksResourceId')))]",
 					"apiVersion": "2017-05-10",
 					"subscriptionId": "[variables('clusterSubscriptionId')]",
 					"resourceGroup": "[variables('clusterResourceGroup')]",
 					"dependsOn": [
-						"[Concat('aks-monitoring-msi-dcra', '-',  uniqueString(parameters('aksResourceId')))]"
+						"[Concat('aks-monitoring-msi-dcra', '-',  uniqueString(parameters('aksResourceId')))]",
+						"[Concat('aks-monitoring-msi-dcea-config', '-', uniqueString(parameters('aksResourceId')))]"
 					],
 					"properties": {
 					  "mode": "Incremental",
@@ -356,6 +508,12 @@
 			  },
 			  "streams": {
 				"value": "[parameters('streams')]"
+  			  },
+  			  "useAzureMonitorPrivateLinkScope": {
+				"value": "[parameters('useAzureMonitorPrivateLinkScope')]"
+  			  },
+  			  "azureMonitorPrivateLinkScopeResourceId": {
+			  	"value": "[parameters('azureMonitorPrivateLinkScopeResourceId')]"
 			  }
 			}
 		  }

scripts/onboarding/aks/onboarding-msi-bicep-syslog/existingClusterOnboarding.bicep

@@ -42,6 +42,12 @@ param enableContainerLogV2 bool
 @description('Enable Retina Network Flow Logs in omsagent addon profile')
 param enableRetinaNetworkFlowLogs bool = false
 
+@description('Flag to indicate if Azure Monitor Private Link Scope should be used or not')
+param useAzureMonitorPrivateLinkScope bool
+
+@description('Specify the Resource Id of the Azure Monitor Private Link Scope.')
+param azureMonitorPrivateLinkScopeResourceId string
+
 var clusterSubscriptionId = split(aksResourceId, '/')[2]
 var clusterResourceGroup = split(aksResourceId, '/')[4]
 var clusterName = split(aksResourceId, '/')[8]
@@ -54,14 +60,38 @@ var enableHighLogScaleMode = contains(streams, 'Microsoft-ContainerLogV2-HighSca
 var ingestionDceNameFull = 'MSCI-ingest-${workspaceLocation}-${clusterName}'
 var ingestionDceName = (length(ingestionDceNameFull) > 43) ? substring(ingestionDceNameFull, 0, 43) : ingestionDceNameFull
 var ingestionDce = endsWith(ingestionDceName, '-') ? substring(ingestionDceName, 0, 42) : ingestionDceName
+var clusterLocation = replace(aksResourceLocation, ' ', '')
+var configDceNameFull = 'MSCI-config-${clusterLocation}-${clusterName}'
+var configDceName = (length(configDceNameFull) > 43) ? substring(configDceNameFull, 0, 43) : configDceNameFull
+var configDce = endsWith(configDceName, '-') ? substring(configDceName, 0, 42) : configDceName
+var configDceAssociationName = 'configurationAccessEndpoint'
+var configDataCollectionEndpointId = resourceId(clusterSubscriptionId, clusterResourceGroup, 'Microsoft.Insights/dataCollectionEndpoints', configDce)
+var privateLinkScopeName = split(azureMonitorPrivateLinkScopeResourceId, '/')[8]
+
 var ingestionDataCollectionEndpointId = resourceId(clusterSubscriptionId, clusterResourceGroup, 'Microsoft.Insights/dataCollectionEndpoints', ingestionDce)
 
+resource configDataCollectionEndpoint 'Microsoft.Insights/dataCollectionEndpoints@2022-06-01' = if (useAzureMonitorPrivateLinkScope) {
+  name: configDce
+  location: clusterLocation
+  tags: resourceTagValues
+  kind: 'Linux'
+  properties: {
+    networkAcls: {
+      publicNetworkAccess: useAzureMonitorPrivateLinkScope ? 'Disabled' : 'Enabled'
+    }
+  }
+}
+
 resource ingestionDataCollectionEndpoint 'Microsoft.Insights/dataCollectionEndpoints@2022-06-01' = if (enableHighLogScaleMode) {
   name: ingestionDce
   location: workspaceRegion
   tags: resourceTagValues
   kind: 'Linux'
-  properties: {}
+  properties: {
+    networkAcls: {
+      publicNetworkAccess: useAzureMonitorPrivateLinkScope ? 'Disabled' : 'Enabled'
+    }
+  }
 }
 
 resource aks_monitoring_msi_dcr 'Microsoft.Insights/dataCollectionRules@2022-06-01' = {
@@ -125,6 +155,45 @@ resource aks_monitoring_msi_dcr 'Microsoft.Insights/dataCollectionRules@2022-06-
   }
 }
 
+#disable-next-line BCP174
+resource aks_monitoring_msi_dcra_config 'Microsoft.ContainerService/managedClusters/providers/dataCollectionRuleAssociations@2022-06-01' = if (useAzureMonitorPrivateLinkScope) {
+  name: '${clusterName}/microsoft.insights/${configDceAssociationName}'
+  properties: {
+    description: 'Association of data collection rule endpoint. Deleting this association will break the data collection endpoint for this AKS Cluster.'
+    dataCollectionEndpointId: configDataCollectionEndpointId
+  }
+  dependsOn: [
+    configDataCollectionEndpoint
+  ]
+}
+
+resource privateLinkScope_config 'Microsoft.Insights/privateLinkScopes/scopedResources@2021-07-01-preview' = if (useAzureMonitorPrivateLinkScope) {
+  name: '${privateLinkScopeName}/${configDce}-connection'
+  properties: {
+    linkedResourceId: configDataCollectionEndpointId
+  }
+  dependsOn: [
+    configDataCollectionEndpoint
+  ]
+}
+
+resource privateLinkScope_ingestion 'Microsoft.Insights/privateLinkScopes/scopedResources@2021-07-01-preview' = if (useAzureMonitorPrivateLinkScope && enableHighLogScaleMode) {
+  name: '${privateLinkScopeName}/${ingestionDce}-connection'
+  properties: {
+    linkedResourceId: ingestionDataCollectionEndpointId
+  }
+  dependsOn: [
+    ingestionDataCollectionEndpoint
+  ]
+}
+
+resource privateLinkScope_workspace 'Microsoft.Insights/privateLinkScopes/scopedResources@2021-07-01-preview' = if (useAzureMonitorPrivateLinkScope) {
+  name: '${privateLinkScopeName}/${split(workspaceResourceId, '/')[8]}-connection'
+  properties: {
+    linkedResourceId: workspaceResourceId
+  }
+}
+
 resource aks_monitoring_msi_addon 'Microsoft.ContainerService/managedClusters@2023-04-01' = {
   name: clusterName
   location: aksResourceLocation

scripts/onboarding/aks/onboarding-msi-bicep-syslog/existingClusterParam.json

@@ -92,6 +92,12 @@
         "Microsoft-Perf",
         "Microsoft-RetinaNetworkFlowLogs"
       ]
+    },
+    "useAzureMonitorPrivateLinkScope": {
+      "value": false
+    },
+    "azureMonitorPrivateLinkScopeResourceId": {
+      "value": "/subscriptions/<SubscriptionId>/resourceGroups/<ResourceGroup>/providers/microsoft.insights/privateLinkScopes/<azureMonitorPrivateLinkScopeName>"
     }
   }
 }