Scripted Actions Azure Runbook Enable Private Endpoints
This script adds private endpoints to allow the Nerdio Manager app service to communicate with the SQL database, key vault, and automation account over a private network, with no traffic routed over the public internet. Access to the SQL database and key vault is restricted to the private network.
The MakeAppServicePrivate parameter can be set to "true" to limit access to the app service to clients on the private network or peered networks.
Supplying ResourceIds for one or more existing networks causes those networks to be peered to the new private network.
If the VNet and subnets specified in the parameters already exist, the existing resources are used. If they do not exist, they are created.
Names for resources created by this script, such as private endpoint names, can be customized by cloning this script and editing the variables at the top of the script.
If you want to create resources prior to running this script, such as DNS zones or private endpoints, you can clone the script and edit the resource names to match those you have created. The script finds and uses the existing resources, as long as they are in the same resource group as Nerdio Manager.
The user cost attribution resources (app service, LAW, key vault and app insights) are also put on the private network.
If MakeSaStoragePrivate is "true," the scripted actions storage account is placed on the private VNet.
A hybrid worker VM is created to allow the storage account to be made private while retaining Azure Runbook functionality. This results in increased cost for Nerdio Manager Azure resources.
AVD VMs need access to the storage account to run scripted actions. Use the PeerVnetIds parameter to peer the AVD VNet to the private endpoint VNet.
Runtime Parameters
The following parameters can be specified at runtime:
Parameter | Description |
---|---|
PrivateLinkVnetName | VNet for private endpoints. If the VNet does not exist, it is created. If specifying an existing VNet, the VNet or its resource group must be linked to Nerdio Manager in Settings > Azure environment. |
VnetAddressRange | Address range for the private endpoint VNet. This parameter is disregarded if the VNet and subnet have already been created. |
PrivateEndpointSubnetName | Name of private endpoint subnet. If the subnet does not exist, it is created. |
PrivateEndpointSubnetRange | Address range for private endpoint subnet. Not used if subnet already exists. |
AppServiceSubnetName | App service subnet name. If the subnet does not exist, it is created. |
AppServiceSubnetRange | Address range for app service subnet. Not used if subnet already exists. |
ExistingDNSZonesRG | If you have private DNS zones already configured for use with the new private endpoints, specify their resource group here. The script finds and uses the existing DNS zones. Note: This resource group must be linked to Nerdio Manager in Settings > Azure environment, or the Nerdio Manager app registration must be given access to the resource group. |
MakeSaStoragePrivate | Makes the scripted actions storage account private. This means that the Azure automation account is not able to access the storage account. To address this, the script creates a hybrid worker VM, if one does not already exist. This results in increased cost for Nerdio Manager Azure resources. You can create a hybrid worker in the automation account before running this script; this causes the script to skip creation of a hybrid worker VM. After creating a hybrid worker via this script or manually, you need to update Nerdio Manager to use the new hybrid worker. |
PeerVnetIds | Optional. Valid values are "All" or a comma-separated list of Azure resource IDs of VNets to peer to the private endpoint VNet. If "All" is selected, then all VNets Nerdio Manager manages are peered. The VNets or their resource groups must be linked to Nerdio Manager in Settings > Azure environment. |
MakeAzureMonitorPrivate | Warning: Because Azure Monitor uses some shared endpoints, setting up a private link even for a single resource changes the DNS configuration that affects traffic to all resources. You may not want to enable this if you have existing Log Analytics Workspaces or Insights. To minimize potential impact, this script sets ingestion and query access mode to "Open" and disables public access on the Nerdio Manager resources only. This can be modified by cloning this script and modifying the AMPLS settings variables. |
MakeAppServicePrivate | Limits access to the Nerdio Manager application. If set to "true," only hosts on the VNet created by this script, or on peered VNets, are able to access the app service URL. Warning: You may no longer be able to access Nerdio Manager after enabling this option. |
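After the script has run, it is worth confirming the result rather than assuming it: public network access really disabled, private endpoints approved and in the right VNet, DNS zones linked, peerings connected. The following is an added verification example, not code from the Nerdio script; it assumes the Az.Accounts, Az.Resources, Az.Network and Az.PrivateDns modules, an authenticated session, and the placeholder resource group and VNet names shown at the top.

```powershell
# Post-run verification (added example, not part of the Nerdio script).
# Assumes Az.Accounts, Az.Resources, Az.Network and Az.PrivateDns are installed
# and Connect-AzAccount has been run. The names below are placeholders.
$ResourceGroup = 'nerdio-manager-rg'     # resource group that holds Nerdio Manager
$VnetName      = 'nmw-private-vnet'      # value you passed as PrivateLinkVnetName
$VnetRG        = $ResourceGroup          # resource group of that VNet
$DnsZoneRG     = $ResourceGroup          # or the value passed as ExistingDNSZonesRG
$Findings      = [System.Collections.Generic.List[string]]::new()

# 1. SQL server and key vault must reject public traffic; the storage account
#    only if MakeSaStoragePrivate was "true" (otherwise expect a finding here).
$Types = 'Microsoft.Sql/servers', 'Microsoft.KeyVault/vaults', 'Microsoft.Storage/storageAccounts'
Get-AzResource -ResourceGroupName $ResourceGroup | Where-Object ResourceType -in $Types | ForEach-Object {
    $props  = (Get-AzResource -ResourceId $_.ResourceId -ExpandProperties).Properties
    $access = "$($props.publicNetworkAccess)"    # empty/null means the default, i.e. enabled
    if ($access -ne 'Disabled') {
        $Findings.Add("$($_.ResourceType) '$($_.Name)': publicNetworkAccess = '$access' (expected Disabled)")
    }
}

# 2. Each private endpoint should be approved and sit in the private endpoint VNet.
$endpoints = Get-AzPrivateEndpoint -ResourceGroupName $ResourceGroup
if (-not $endpoints) { $Findings.Add("No private endpoints found in '$ResourceGroup'") }
foreach ($pe in $endpoints) {
    if ($pe.Subnet.Id -notlike "*/virtualNetworks/$VnetName/subnets/*") {
        $Findings.Add("Private endpoint '$($pe.Name)' is not in VNet '$VnetName'")
    }
    foreach ($conn in $pe.PrivateLinkServiceConnections) {
        $status = $conn.PrivateLinkServiceConnectionState.Status
        $target = ($conn.PrivateLinkServiceId -split '/')[-1]
        if ($status -ne 'Approved') { $Findings.Add("Private endpoint '$($pe.Name)' -> '$target' is $status") }
    }
}

# 3. Every privatelink.* DNS zone must be linked to the VNet, or name resolution
#    still returns the public IP and traffic leaves the private network.
foreach ($zone in Get-AzPrivateDnsZone -ResourceGroupName $DnsZoneRG | Where-Object Name -like 'privatelink.*') {
    $links = Get-AzPrivateDnsVirtualNetworkLink -ResourceGroupName $DnsZoneRG -ZoneName $zone.Name
    if (-not ($links | Where-Object VirtualNetworkId -like "*/virtualNetworks/$VnetName")) {
        $Findings.Add("DNS zone '$($zone.Name)' has no link to VNet '$VnetName'")
    }
}

# 4. Peerings requested via PeerVnetIds (e.g. the AVD VNet) must be Connected.
foreach ($p in Get-AzVirtualNetworkPeering -ResourceGroupName $VnetRG -VirtualNetworkName $VnetName) {
    if ($p.PeeringState -ne 'Connected') { $Findings.Add("Peering '$($p.Name)' is $($p.PeeringState)") }
}
if ($Findings.Count -eq 0) { Write-Output 'All private endpoint checks passed' }
else { $Findings | ForEach-Object { Write-Warning $_ } }
```

Run it from a host that can reach the private VNet once MakeAppServicePrivate is enabled, since the app service URL itself is then no longer reachable from the public internet.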