Merge pull request #783 from Azure/mqtt-private-endpoint

Add private endpoint for eventgrid
Azure · Nov 6, 2024 · af782ea · af782ea
2 parents 6e1769e + 348dd12
commit af782ea
Show file tree

Hide file tree

Showing 5 changed files with 135 additions and 1 deletion.
diff --git a/dev-infrastructure/modules/maestro/maestro-infra.bicep b/dev-infrastructure/modules/maestro/maestro-infra.bicep
@@ -35,6 +35,13 @@ param maestroKeyVaultName string
 @description('The name for the Managed Identity that will be created for Key Vault Certificate management.')
 param kvCertOfficerManagedIdentityName string
 
+@description('Allow public network access to the EventGrid Namespace')
+@allowed([
+  'Enabled'
+  'Disabled'
+])
+param publicNetworkAccess string = 'Enabled'
+
 //
 //   K E Y    V A U L T
 //
@@ -110,7 +117,7 @@ resource eventGridNamespace 'Microsoft.EventGrid/namespaces@2024-06-01-preview'
   }
   properties: {
     isZoneRedundant: true
-    publicNetworkAccess: 'Enabled'
+    publicNetworkAccess: publicNetworkAccess
     topicSpacesConfiguration: {
       state: 'Enabled'
       maximumSessionExpiryInHours: 1

diff --git a/dev-infrastructure/modules/private-endpoint.bicep b/dev-infrastructure/modules/private-endpoint.bicep
@@ -0,0 +1,84 @@
+param location string
+
+@description('The service type the private endpoint is created for')
+@allowed([
+  'eventgrid'
+])
+param serviceType string
+
+@description('The group id of the private endpoint service')
+@allowed([
+  'topicspace'
+])
+param groupId string
+
+@description('The private link service id')
+param privateLinkServiceId string
+
+@description('The subnet ids to create the private endpoint in')
+param subnetIds array
+
+@description('The vnet id to link the private endpoint to')
+param vnetId string
+
+var endpointConfig = {
+  eventgrid: {
+    topicspace: 'privatelink.ts.eventgrid.azure.net'
+  }
+}
+
+resource eventGridPrivateEndpointDnsZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
+  name: endpointConfig[serviceType][groupId]
+  location: 'global'
+  properties: {}
+}
+
+resource privatEndpoint 'Microsoft.Network/privateEndpoints@2023-09-01' = [
+  for aksNodeSubnetId in subnetIds: {
+    name: '${serviceType}-${uniqueString(aksNodeSubnetId)}'
+    location: location
+    properties: {
+      privateLinkServiceConnections: [
+        {
+          name: '${serviceType}-private-endpoint'
+          properties: {
+            privateLinkServiceId: privateLinkServiceId
+            groupIds: [groupId]
+          }
+        }
+      ]
+      subnet: {
+        id: aksNodeSubnetId
+      }
+    }
+  }
+]
+
+resource privateEndpointDnsGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2023-09-01' = [
+  for index in range(0, length(subnetIds)): {
+    name: '${serviceType}-${uniqueString(subnetIds[index])}'
+    parent: privatEndpoint[index]
+    properties: {
+      privateDnsZoneConfigs: [
+        {
+          name: 'config1'
+          properties: {
+            privateDnsZoneId: eventGridPrivateEndpointDnsZone.id
+          }
+        }
+      ]
+    }
+  }
+]
+
+resource eventGridPrivateDnsZoneVnetLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
+  name: uniqueString('eventgrid-${uniqueString(vnetId)}')
+  parent: eventGridPrivateEndpointDnsZone
+  location: 'global'
+  properties: {
+    registrationEnabled: false
+    virtualNetwork: {
+      id: vnetId
+    }
+  }
+}
diff --git a/dev-infrastructure/templates/mgmt-cluster.bicep b/dev-infrastructure/templates/mgmt-cluster.bicep
@@ -236,3 +236,24 @@ module mgmtKeyVault '../modules/keyvault/keyvault.bicep' = {
     purpose: 'mgmt'
   }
 }
+
+// 
+//  E V E N T   G R I D   P R I V A T E   E N D P O I N T   C O N N E C T I O N
+//
+
+resource eventGridNamespace 'Microsoft.EventGrid/namespaces@2024-06-01-preview' existing = {
+  name: maestroEventGridNamespacesName
+  scope: resourceGroup(regionalResourceGroup)
+}
+
+module eventGrindPrivateEndpoint '../modules/private-endpoint.bicep' = {
+  name: 'eventGridPrivateEndpoint'
+  params: {
+    location: location
+    subnetIds: [mgmtCluster.outputs.aksNodeSubnetId]
+    privateLinkServiceId: eventGridNamespace.id
+    vnetId: mgmtCluster.outputs.aksVnetId
+    serviceType: 'eventgrid'
+    groupId: 'topicspace'
+  }
+}
diff --git a/dev-infrastructure/templates/region.bicep b/dev-infrastructure/templates/region.bicep
@@ -66,5 +66,6 @@ module maestroInfra '../modules/maestro/maestro-infra.bicep' = {
     maxClientSessionsPerAuthName: maestroEventGridMaxClientSessionsPerAuthName
     maestroKeyVaultName: maestroKeyVaultName
     kvCertOfficerManagedIdentityName: maestroKeyVaultCertOfficerMSIName
+    publicNetworkAccess: 'Enabled'
   }
 }
diff --git a/dev-infrastructure/templates/svc-cluster.bicep b/dev-infrastructure/templates/svc-cluster.bicep
@@ -394,3 +394,24 @@ module oidc '../modules/oidc/main.bicep' = {
     svcCluster
   ]
 }
+
+//
+//  E V E N T   G R I D   P R I V A T E   E N D P O I N T   C O N N E C T I O N
+//
+
+resource eventGridNamespace 'Microsoft.EventGrid/namespaces@2024-06-01-preview' existing = {
+  name: maestroEventGridNamespacesName
+  scope: resourceGroup(regionalResourceGroup)
+}
+
+module eventGrindPrivateEndpoint '../modules/private-endpoint.bicep' = {
+  name: 'eventGridPrivateEndpoint'
+  params: {
+    location: location
+    subnetIds: [svcCluster.outputs.aksNodeSubnetId]
+    privateLinkServiceId: eventGridNamespace.id
+    serviceType: 'eventgrid'
+    groupId: 'topicspace'
+    vnetId: svcCluster.outputs.aksVnetId
+  }
+}