CanadaPubSecALZ

What's Changed

Pull Requests

• Scripts to generate config from template, support JSON config intellisense in editors, fix bugs in deployment scripts by @skeeler in https://github.com/Azure/CanadaPubSecALZ/pull/379

Issues Resolved

• #383 Configure new Azure DevOps organization for testing CanadaPubSecALZ [environment]
• #378 Deploy landing zones to new Azure subscriptions in new primary tenant [environment]
• #377 Scripts to generate CanadaPubSecALZ configuration files using existing environment as template [enhancement]
• #376 CanadaPubSecALZ configuration JSON schema support for editors [enhancement]
• #375 Fix subscription filtering bug in deployment scripts [bug]
• #374 Fix path normalization bug in deployment scripts [bug]

Full Changelog: https://github.com/Azure/CanadaPubSecALZ/compare/v1.2.0...v1.3.0

What's Changed

• Update hubnetwork-azfw.md by @obay in https://github.com/Azure/CanadaPubSecALZ/pull/345
• Updated documents, from docs.microsoft.com - to Learn. by @lukemurraynz in https://github.com/Azure/CanadaPubSecALZ/pull/350
• Fixed Linter warnings & build errors by @tredell in https://github.com/Azure/CanadaPubSecALZ/pull/354
• Identity Archetype by @tredell in https://github.com/Azure/CanadaPubSecALZ/pull/359
• Bug fixes - network routing & ADO Identity Pipelines by @tredell in https://github.com/Azure/CanadaPubSecALZ/pull/362
• Update DDoS.bicep by @ylepine in https://github.com/Azure/CanadaPubSecALZ/pull/363
• Update identity.md by @DavidChristiansen in https://github.com/Azure/CanadaPubSecALZ/pull/365

New Contributors

• @obay made their first contribution in https://github.com/Azure/CanadaPubSecALZ/pull/345
• @lukemurraynz made their first contribution in https://github.com/Azure/CanadaPubSecALZ/pull/350
• @ylepine made their first contribution in https://github.com/Azure/CanadaPubSecALZ/pull/363
• @DavidChristiansen made their first contribution in https://github.com/Azure/CanadaPubSecALZ/pull/365

Full Changelog: https://github.com/Azure/CanadaPubSecALZ/compare/v1.1.0...v1.2.0

What's Changed

• Support data collection rule by @SenthuranSivananthan in https://github.com/Azure/CanadaPubSecALZ/pull/331
• Network security group support for private endpoints subnet by @SenthuranSivananthan in https://github.com/Azure/CanadaPubSecALZ/pull/333
• Suppress false positive linter warning: secure-secrets-in-params by @SenthuranSivananthan in https://github.com/Azure/CanadaPubSecALZ/pull/335
• Update diagnostic settings profile name by @SenthuranSivananthan in https://github.com/Azure/CanadaPubSecALZ/pull/337
• Revised Event Hub Diagnostic Settings policy by @SenthuranSivananthan in https://github.com/Azure/CanadaPubSecALZ/pull/339
• Version August 2022 schema changes by @skeeler in https://github.com/Azure/CanadaPubSecALZ/pull/342

Full Changelog: https://github.com/Azure/CanadaPubSecALZ/compare/v1.0.1...v1.1.0

What's Changed

• Fix typo in machine learning archetype doc by @sabyadg in https://github.com/Azure/CanadaPubSecALZ/pull/327
• Resolve linter warning: prefer-unquoted-property-names by @SenthuranSivananthan in https://github.com/Azure/CanadaPubSecALZ/pull/322
• Azure Firewall - Update log categories in diagnostic settings by @SenthuranSivananthan in https://github.com/Azure/CanadaPubSecALZ/pull/324
• Support new KMS DNS in Azure Global Cloud by @SenthuranSivananthan in https://github.com/Azure/CanadaPubSecALZ/pull/329

New Contributors

• @sabyadg made their first contribution in https://github.com/Azure/CanadaPubSecALZ/pull/327

Full Changelog: https://github.com/Azure/CanadaPubSecALZ/compare/v1.0.0...v1.0.1

What's Changed

• Fix typo in onboarding guidance by @Ifyagolu in https://github.com/Azure/CanadaPubSecALZ/pull/320

New Contributors

• @Ifyagolu made their first contribution in https://github.com/Azure/CanadaPubSecALZ/pull/320

Full Changelog: https://github.com/Azure/CanadaPubSecALZ/compare/v0.11.0...v1.0.0

What's Changed

• PowerShell deployment scripts by @SenthuranSivananthan in https://github.com/Azure/CanadaPubSecALZ/pull/271
• Powershell deployment script for archetypes by @SenthuranSivananthan in https://github.com/Azure/CanadaPubSecALZ/pull/273
• Deployment flow diagram by @SenthuranSivananthan in https://github.com/Azure/CanadaPubSecALZ/pull/274
• GitHub workflow implementation by @skeeler in https://github.com/Azure/CanadaPubSecALZ/pull/276
• Support schema validation by @SenthuranSivananthan in https://github.com/Azure/CanadaPubSecALZ/pull/277
• Add environment configuration override and protect sensitive parameters by @skeeler in https://github.com/Azure/CanadaPubSecALZ/pull/280
• Pass-thru secure strings by @SenthuranSivananthan in https://github.com/Azure/CanadaPubSecALZ/pull/281
• Fix DeploySubscriptionIds parameter type casting by @skeeler in https://github.com/Azure/CanadaPubSecALZ/pull/282
• Correct wiring of the subscriptions-ci pipeline and prompt for NVA firewall username & password by @skeeler in https://github.com/Azure/CanadaPubSecALZ/pull/285
• Support jobs in GitHub Actions by @SenthuranSivananthan in https://github.com/Azure/CanadaPubSecALZ/pull/286
• Ensure multiple subscriptions can be moved to a management group in parallel by @SenthuranSivananthan in https://github.com/Azure/CanadaPubSecALZ/pull/288
• Separate Azure Firewall Policy deployment switch & unique telemetry tracking for policy assignments by @SenthuranSivananthan in https://github.com/Azure/CanadaPubSecALZ/pull/289
• Disable metrics in diagnostic settings for AKS through Policy by @SenthuranSivananthan in https://github.com/Azure/CanadaPubSecALZ/pull/295
• Concurrent role deployment with PowerShell & GitHub Actions by @SenthuranSivananthan in https://github.com/Azure/CanadaPubSecALZ/pull/299
• GitHub Actions: disable fail fast for matrix deployments by @SenthuranSivananthan in https://github.com/Azure/CanadaPubSecALZ/pull/297
• Flexible policy deployment using PowerShell & GitHub Actions by @SenthuranSivananthan in https://github.com/Azure/CanadaPubSecALZ/pull/300
• Log Analytics solutions for SQL servers on machines by @SenthuranSivananthan in https://github.com/Azure/CanadaPubSecALZ/pull/303
• Serial defender plan deployments & revised resource/resource group names by @SenthuranSivananthan in https://github.com/Azure/CanadaPubSecALZ/pull/307
• Update resource group names for Logging & Networking by @SenthuranSivananthan in https://github.com/Azure/CanadaPubSecALZ/pull/309
• Documentation for Service Health by @SenthuranSivananthan in https://github.com/Azure/CanadaPubSecALZ/pull/310
• Reference the Guardrails Solution Accelerator for 30-day guardrail assessment by @igomaa in https://github.com/Azure/CanadaPubSecALZ/pull/313

New Contributors

• @igomaa made their first contribution in https://github.com/Azure/CanadaPubSecALZ/pull/313

Full Changelog: https://github.com/Azure/CanadaPubSecALZ/compare/v0.10.0...v0.11.0

Breaking Changes

Note that several issues were addressed that resulted in breaking changes for this release.

Refer to this list of issues for more details: v0.10.0 breaking changes

What's Changed

• Use built-in policy for Cosmos DB for Defender Plan by @SenthuranSivananthan in https://github.com/Azure/CanadaPubSecALZ/pull/232
• Updating recommendations to reflect licensing reqs by @ccmsft in https://github.com/Azure/CanadaPubSecALZ/pull/229
• Fix order of platform-connectivity-hub-azfw-policy pipeline listed in run-pipelines.bat script #233 by @skeeler in https://github.com/Azure/CanadaPubSecALZ/pull/234
• PBMM & HITRUST/HIPAA policy update by @SenthuranSivananthan in https://github.com/Azure/CanadaPubSecALZ/pull/238
• Migrate Logging configuration to JSON parameters file by @SenthuranSivananthan in https://github.com/Azure/CanadaPubSecALZ/pull/236
• Onboarding documentation structure improvements by @skeeler in https://github.com/Azure/CanadaPubSecALZ/pull/242
• Support logging infrastructure for multiple regions in same subscription by @SenthuranSivananthan in https://github.com/Azure/CanadaPubSecALZ/pull/244
• Support multiple private dns zone configuration when updating private DNS Zones through Azure Policy by @SenthuranSivananthan in https://github.com/Azure/CanadaPubSecALZ/pull/246
• Include new Databricks' log categories for diagnostic settings by @SenthuranSivananthan in https://github.com/Azure/CanadaPubSecALZ/pull/248
• Azure Active Directory support for Synapse by @mosharafMS in https://github.com/Azure/CanadaPubSecALZ/pull/259
• Migrate Networking configuration to JSON parameters file by @SenthuranSivananthan in https://github.com/Azure/CanadaPubSecALZ/pull/250
• Revise subnet configuration for Generic Subscription archetype by @SenthuranSivananthan in https://github.com/Azure/CanadaPubSecALZ/pull/252
• Revise subnet configuration for Machine Learning archetype by @SenthuranSivananthan in https://github.com/Azure/CanadaPubSecALZ/pull/254
• Revise subnet configuration for Healthcare archetype by @SenthuranSivananthan in https://github.com/Azure/CanadaPubSecALZ/pull/256
• Removed extra configuration files by @SenthuranSivananthan in https://github.com/Azure/CanadaPubSecALZ/pull/260
• Update onboarding guide by @SenthuranSivananthan in https://github.com/Azure/CanadaPubSecALZ/pull/262
• Support for optional subnets in Machine Learning & Healthcare archetypes by @SenthuranSivananthan in https://github.com/Azure/CanadaPubSecALZ/pull/264
• Organize deployment parameters for Hub Networking with Azure Firewall by @SenthuranSivananthan in https://github.com/Azure/CanadaPubSecALZ/pull/265
• Updated documentation by @ghostme in https://github.com/Azure/CanadaPubSecALZ/pull/267
• Organize deployment parameters for Hub Networking with NVA by @SenthuranSivananthan in https://github.com/Azure/CanadaPubSecALZ/pull/266
• Snapshot ARM parameters JSON schemas by @SenthuranSivananthan in https://github.com/Azure/CanadaPubSecALZ/pull/268

Full Changelog: https://github.com/Azure/CanadaPubSecALZ/compare/v0.9.0...v0.10.0

What's Changed

• Configurable management group hierarchy by @skeeler in https://github.com/Azure/CanadaPubSecALZ/pull/186
• Show Variables fix by @skeeler in https://github.com/Azure/CanadaPubSecALZ/pull/191
• subscription(generic): add instructions for configuring parameters by @autocloudarc in https://github.com/Azure/CanadaPubSecALZ/pull/193
• Instructions for backfilling management group hierarchy by @SenthuranSivananthan in https://github.com/Azure/CanadaPubSecALZ/pull/197
• Revise subscription deployment instructions by @SenthuranSivananthan in https://github.com/Azure/CanadaPubSecALZ/pull/201
• Ensure values from multiline variables are properly logged by @SenthuranSivananthan in https://github.com/Azure/CanadaPubSecALZ/pull/202
• Fix pipeline scripts reference to subscription-ci by @skeeler in https://github.com/Azure/CanadaPubSecALZ/pull/207
• Delete Lock for Log Analytics Workspace resource group by @SenthuranSivananthan in https://github.com/Azure/CanadaPubSecALZ/pull/205
• Support Defender Plan for Cosmos DB by @SenthuranSivananthan in https://github.com/Azure/CanadaPubSecALZ/pull/200
• fixing doc typo in hubnetwork-azfw by @SunChero in https://github.com/Azure/CanadaPubSecALZ/pull/211
• Backward compatibility when setting pipeline variables from management group hierarchy by @SenthuranSivananthan in https://github.com/Azure/CanadaPubSecALZ/pull/213
• Update OZ subnet name to App Management Zone by @SenthuranSivananthan in https://github.com/Azure/CanadaPubSecALZ/pull/217
• Document delete lock usage by @SenthuranSivananthan in https://github.com/Azure/CanadaPubSecALZ/pull/216
• ADO Pipeline onboarding - add instructions for customizing policy set assignments in by @SenthuranSivananthan in https://github.com/Azure/CanadaPubSecALZ/pull/215
• Formatting changes to policy section by @SenthuranSivananthan in https://github.com/Azure/CanadaPubSecALZ/pull/218
• Improve delete-management-groups.bat script by @skeeler in https://github.com/Azure/CanadaPubSecALZ/pull/224
• Private DNS Policy - Change Cosmos DB namespace to Microsoft.DocumentDB by @SenthuranSivananthan in https://github.com/Azure/CanadaPubSecALZ/pull/228
• Flexible policy assignment parameters JSON files by @SenthuranSivananthan in https://github.com/Azure/CanadaPubSecALZ/pull/222
• Externalize Log Analytics Workspace parameters when loading pipeline variables by @SenthuranSivananthan in https://github.com/Azure/CanadaPubSecALZ/pull/220
• Initial GC 30-day cloud guardrails compliance/guidance by @ccmsft in https://github.com/Azure/CanadaPubSecALZ/pull/226
• Update networking documentation for generic subscription archetype by @ghostme in https://github.com/Azure/CanadaPubSecALZ/pull/230

New Contributors

• @SunChero made their first contribution in https://github.com/Azure/CanadaPubSecALZ/pull/211
• @ccmsft made their first contribution in https://github.com/Azure/CanadaPubSecALZ/pull/226

Full Changelog: https://github.com/Azure/CanadaPubSecALZ/compare/v0.8.0...v0.9.0

What's Changed

• Enhance PBMM policy assignment to disable diagnostic settings metrics by @SenthuranSivananthan in https://github.com/Azure/CanadaPubSecALZ/pull/156
• Update scripts documentation by @skeeler in https://github.com/Azure/CanadaPubSecALZ/pull/158
• Update Deployment Script's Azure CLI version to 2.32.0 by @SenthuranSivananthan in https://github.com/Azure/CanadaPubSecALZ/pull/164
• Update DevOps Onboarding section of main readme by @skeeler in https://github.com/Azure/CanadaPubSecALZ/pull/162
• Repository clean up by @SenthuranSivananthan in https://github.com/Azure/CanadaPubSecALZ/pull/165
• Linter: no-loc-expr-outside-params - ensure compliance by @SenthuranSivananthan in https://github.com/Azure/CanadaPubSecALZ/pull/169
• Support for Tag inheritance from Subscription to Resource Group by @SenthuranSivananthan in https://github.com/Azure/CanadaPubSecALZ/pull/161
• Instructions for Azure DevOps Environments by @SenthuranSivananthan in https://github.com/Azure/CanadaPubSecALZ/pull/175
• Update create-pipelines.bat onboarding script to auto-provision environment by @skeeler in https://github.com/Azure/CanadaPubSecALZ/pull/178
• Update onboarding doc for logging & networking management group settings by @SenthuranSivananthan in https://github.com/Azure/CanadaPubSecALZ/pull/177
• Snapshot JSON schemas to v0.4.0 by @SenthuranSivananthan in https://github.com/Azure/CanadaPubSecALZ/pull/182
• docs(networking): don't have to comment variables by @autocloudarc in https://github.com/Azure/CanadaPubSecALZ/pull/184

New Contributors

• @autocloudarc made their first contribution in https://github.com/Azure/CanadaPubSecALZ/pull/184

Full Changelog: https://github.com/Azure/CanadaPubSecALZ/compare/v0.7.0...v0.8.0

What's Changed

• Update method for upgrading Azure CLI by @SenthuranSivananthan in https://github.com/Azure/CanadaPubSecALZ/pull/128
• App service machine learning landing zone support by @hudua in https://github.com/Azure/CanadaPubSecALZ/pull/127
• Diagnostic Settings Policies for Azure App Service & Function App by @SenthuranSivananthan in https://github.com/Azure/CanadaPubSecALZ/pull/133
• Switch to built-in Audit diagnostic setting policy by @SenthuranSivananthan in https://github.com/Azure/CanadaPubSecALZ/pull/135
• Diagnostic Settings for App Service & Function App by @SenthuranSivananthan in https://github.com/Azure/CanadaPubSecALZ/pull/136
• Align custom role definitions to CAF by @SenthuranSivananthan in https://github.com/Azure/CanadaPubSecALZ/pull/138
• Diagnostic Settings Policies for PaaS services by @SenthuranSivananthan in https://github.com/Azure/CanadaPubSecALZ/pull/143
• Private Endpoint for App Service by @hudua in https://github.com/Azure/CanadaPubSecALZ/pull/144
• Flexible policy assignment scope by @SenthuranSivananthan in https://github.com/Azure/CanadaPubSecALZ/pull/147
• Removed 'privatelink.monitor.azure.com' from Private DNS Zones by @SlavaRoikhman in https://github.com/Azure/CanadaPubSecALZ/pull/149
• Automation scripts for Azure DevOps onboarding by @skeeler in https://github.com/Azure/CanadaPubSecALZ/pull/151
• Snapshot landing zone schema to v0.3.0 by @SenthuranSivananthan in https://github.com/Azure/CanadaPubSecALZ/pull/152

New Contributors

• @SlavaRoikhman made their first contribution in https://github.com/Azure/CanadaPubSecALZ/pull/149

Full Changelog: https://github.com/Azure/CanadaPubSecALZ/compare/v0.6.0...v0.7.0

What's Changed

• Update the number of scenarios for RBAC by @SenthuranSivananthan in https://github.com/Azure/CanadaPubSecALZ/pull/109
• Enable Diagnostic Settings for Log Analytics Workspace by @SenthuranSivananthan in https://github.com/Azure/CanadaPubSecALZ/pull/108
• Instructions for configuring Service connection in Azure DevOps by @SenthuranSivananthan in https://github.com/Azure/CanadaPubSecALZ/pull/110
• Moved delete policy & policyset disclaimer to a more noticeable spot by @tredell in https://github.com/Azure/CanadaPubSecALZ/pull/115
• Create Azure DevOps Setup onboarding guide by @skeeler in https://github.com/Azure/CanadaPubSecALZ/pull/116
• AKS - Restrict Egress traffic by using outboundType: userDefinedRouting (#97) by @Adeelku in https://github.com/Azure/CanadaPubSecALZ/pull/111
• Add ado.md with links to new pages for backward compatibility by @SenthuranSivananthan in https://github.com/Azure/CanadaPubSecALZ/pull/117
• Support for disabling policy enforcement for policy sets assignments by @SenthuranSivananthan in https://github.com/Azure/CanadaPubSecALZ/pull/120
• Archetype authoring guide by @SenthuranSivananthan in https://github.com/Azure/CanadaPubSecALZ/pull/112
• Update Bicep Linter rules & fix automation syntax by @SenthuranSivananthan in https://github.com/Azure/CanadaPubSecALZ/pull/124
• Migrate Microsoft Defender for Cloud plans for AKS and ACR to Containers plan by @SenthuranSivananthan in https://github.com/Azure/CanadaPubSecALZ/pull/122
• GitHub Actions for consistency checks by @SenthuranSivananthan in https://github.com/Azure/CanadaPubSecALZ/pull/125
• Policy defintion for LA Diag backup and ASR Events by @ghostme in https://github.com/Azure/CanadaPubSecALZ/pull/126

New Contributors

• @tredell made their first contribution in https://github.com/Azure/CanadaPubSecALZ/pull/115

Full Changelog: https://github.com/Azure/CanadaPubSecALZ/compare/v0.5.0...v0.6.0

What's Changed

• Update Bicep Linter rules & fix automation syntax (#124)

Full Changelog: https://github.com/Azure/CanadaPubSecALZ/compare/v0.5.0...v0.5.1

What's Changed

• Telemetry - enable Azure customer usage attribution by @SenthuranSivananthan in https://github.com/Azure/CanadaPubSecALZ/pull/59
• Platform Management Group alignment with Reference Architecture by @SenthuranSivananthan in https://github.com/Azure/CanadaPubSecALZ/pull/76. See https://github.com/Azure/CanadaPubSecALZ/blob/main/docs/architecture.md#3-management-groups
• Support AAD authentication for SQLDB by @mosharafMS in https://github.com/Azure/CanadaPubSecALZ/pull/74
• Azure Backup Recovery Vault for Generic Subscription by @ghostme in https://github.com/Azure/CanadaPubSecALZ/pull/95
• AKS - Azure CNI and Calico Network Policy (#48) by @Adeelku in https://github.com/Azure/CanadaPubSecALZ/pull/96
• Support Audit, Deny & Disabled effects for Tag policy by @SenthuranSivananthan in https://github.com/Azure/CanadaPubSecALZ/pull/91
• Parameterize Log Analytics Workspace log retention days by @SenthuranSivananthan in https://github.com/Azure/CanadaPubSecALZ/pull/44
• Support for Azure Bastion Standard SKU by @SenthuranSivananthan in https://github.com/Azure/CanadaPubSecALZ/pull/46
• Ensure PRs does not trigger pipeline runs by @SenthuranSivananthan in https://github.com/Azure/CanadaPubSecALZ/pull/92
• Parity between GitHub & Azure DevOps pull request validation pipeline by @SenthuranSivananthan in https://github.com/Azure/CanadaPubSecALZ/pull/42
• AuditEvent log category for Automation Account's Diagnostic Settings by @SenthuranSivananthan in https://github.com/Azure/CanadaPubSecALZ/pull/63
• Remove connection string from being added to Key Vault by @mosharafMS in https://github.com/Azure/CanadaPubSecALZ/pull/90
• Branding changes & policy re-organization by @SenthuranSivananthan in https://github.com/Azure/CanadaPubSecALZ/pull/82
• Azure DevOps Onboarding Guide updates by @nataliakon in https://github.com/Azure/CanadaPubSecALZ/pull/51. See https://github.com/Azure/CanadaPubSecALZ/blob/main/docs/onboarding/ado.md
• Azure Policy Authoring Guide by @SenthuranSivananthan in https://github.com/Azure/CanadaPubSecALZ/pull/54 & https://github.com/Azure/CanadaPubSecALZ/pull/55. See https://github.com/Azure/CanadaPubSecALZ/blob/main/docs/policy/authoring-guide.md
• Documentation improvements for archetypes by @SenthuranSivananthan in https://github.com/Azure/CanadaPubSecALZ/pull/89
• Improve archetype parameter JSON schemas by @SenthuranSivananthan in https://github.com/Azure/CanadaPubSecALZ/pull/61
• Parameters schema snapshot for v0.2.0 by @SenthuranSivananthan in https://github.com/Azure/CanadaPubSecALZ/pull/104

New Contributors

• @mosharafMS made their first contribution in https://github.com/Azure/CanadaPubSecALZ/pull/74
• @ghostme made their first contribution in https://github.com/Azure/CanadaPubSecALZ/pull/95
• @Adeelku made their first contribution in https://github.com/Azure/CanadaPubSecALZ/pull/96

Full Changelog: https://github.com/Azure/CanadaPubSecALZ/compare/v0.4.0...v0.5.0

This release includes:

• Documentation in markdown (see https://github.com/Azure/CanadaPubSecALZ/tree/main/docs)
• JSON schema based validation for subscription parameters (see https://github.com/Azure/CanadaPubSecALZ/tree/main/schemas/v0.1.0/landingzones)
• Built-in Azure Defender Policies for subscriptions
• Bug fix - Ensure resource tags are applied to Log Analytics Workspace solutions
• Bug fix - Bicep linter configuration (bicepconfig.json) for Azure Firewall moved to correct directory

cc: @Vallentyne, @hudua, @SenthuranSivananthan, @skeeler, @obrien-j, @nataliakon, @mnigh

This release is based on Azure Landing Zones for Canadian Public Sector version: v0.3.0 (September 2021 Release)

The purpose of the reference implementation is to guide Canadian Public Sector customers on building Landing Zones in their Azure environment. The reference implementation is based on Cloud Adoption Framework for Azure and provides an opinionated implementation that enables ITSG-33 regulatory compliance by using NIST SP 800-53 Rev. 4 and Canada Federal PBMM Regulatory Compliance Policy Sets.

Architecture supported up to Treasury Board of Canada Secretariat (TBS) Cloud Profile 3 - Cloud Only Applications. This profile is applicable to Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) with characteristics :

• Cloud-based services hosting sensitive (up to Protected B) information
• No direct system to system network interconnections required with GC data centers

Current release supports:

• Supports Azure Policy Sets (customers are encouraged to review the compliance results and adjust their environment based on their requirements):
  • Azure Security Benchmark
  • Canada Federal Protected B (PBMM)
  • CIS Microsoft Foundation v1.3.0
  • HITRUST/HIPAA
  • NIST 800-53 R4 & NIST 800-53 R5
• DDOS Standard Protection
• Shared Azure Bastion in Hub
• Shared Private DNS Zones in Hub
• Bring-your-own DNS for Spoke subscriptions
• Service Health alerts
• Hub & Spoke networking with cloud-only access using Network Virtual Appliances (NVAs)
• Hub & Spoke networking with cloud-only access using Azure Firewall (with and without forced tunneling)
• 3 Archetypes:
  • Generic Subscription
  • Machine Learning
  • Healthcare
• Azure DevOps Pipelines for:
  • Management Groups
  • Log Analytics
  • Azure Policies
  • Roles
  • Hub Networking - Fortinet Firewalls (only pay-as-you-go images)
  • Hub Networking - Azure Firewall & Azure Firewall Policy
  • Subscriptions (Archetypes)

cc: @adamlash, @Vallentyne, @hudua, @MG-Microsoft, @SenthuranSivananthan, @skeeler