
Azure Bicep - How to create diagnostic settings for NetworkInterface of private endpoint


I have a Bicep script that creates storage account, and a private endpoint. Now I want to create diagnostic settings for this private endpoint. Azure private endpoint doesn’t support diagnostic settings itself. Users need to add the diagnostic settings to the NetworkInterface that links to the private endpoint.

However, I couldn’t find a way to implement this with Bicep script. The example code shows what I’m trying to do.

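// Every param must carry a type; the original `vnetResourceGroup` had none and
// would not compile. `location` is referenced by the resources below but was
// never declared, so it is added here with the usual resource-group default.
@description('Resource group that holds the existing virtual network.')
param vnetResourceGroup string = 'testRg'

@description('Name of the existing virtual network.')
param vnetName string = 'testvnet'

@description('Subnet inside vnetName that will host the private endpoint NIC.')
param subnetName string = 'testsnet'

@description('Name of the storage account to create (3-24 lowercase letters/digits, globally unique).')
@minLength(3)
@maxLength(24)
param storageAccountName string = 'testst'

@description('Region for the storage account and the private endpoint.')
param location string = resourceGroup().location

@description('Resource id of the Log Analytics workspace that receives the NIC metrics.')
param loggingWorkspaceId string = '/subscriptions/xxx_subscription_id/resourcegroups/xxx_resource_group/providers/microsoft.operationalinsights/workspaces/xxx-applogs-workspace'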

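// Existing virtual network. It may live in a different resource group than the
// deployment, hence the explicit scope. API version aligned with the subnet and
// private endpoint declarations (2022-07-01) so the file uses one Network API.
resource vnet 'Microsoft.Network/virtualNetworks@2022-07-01' existing = {
  name: vnetName
  scope: resourceGroup(vnetResourceGroup)
}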

// Existing subnet, addressed through its parent so Bicep derives the nested
// resource id (and the vnet's scope) for us.
resource subnet 'Microsoft.Network/virtualNetworks/subnets@2022-07-01' existing = {
  name: subnetName
  parent: vnet
}

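// Storage account that is meant to be reachable only through the private
// endpoint declared below.
resource storageAccount 'Microsoft.Storage/storageAccounts@2022-05-01' = {
  name: storageAccountName
  location: location
  kind: 'StorageV2'
  sku: {
    name: 'Standard_ZRS'
  }
  properties: {
    accessTier: 'Hot'
    minimumTlsVersion: 'TLS1_2'
    supportsHttpsTrafficOnly: true
    allowBlobPublicAccess: false
    // Public endpoint switched off entirely. Private-endpoint traffic is not
    // evaluated against networkAcls, so the private link keeps working.
    publicNetworkAccess: 'Disabled'
    networkAcls: {
      bypass: 'AzureServices'
      // 'Deny' instead of the original 'Allow'. While publicNetworkAccess is
      // 'Disabled' the ACL is not consulted, but an 'Allow' default would open
      // the account to every network the moment public access is re-enabled.
      defaultAction: 'Deny'
    }
  }
}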

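// Giving the private endpoint's NIC an explicit name makes that name a
// deploy-time constant, which is what allows an `existing` reference to it in
// this same file. Without it Azure generates the NIC name during provisioning
// and the diagnostic setting's scope cannot be expressed here.
var privateEndpointNicName = '${storageAccountName}-pe-nic'

// Private endpoint for the blob sub-resource of the storage account.
resource storagePrivateEndpoint 'Microsoft.Network/privateEndpoints@2022-07-01' = {
  name: '${storageAccount.name}-pe'
  location: location
  properties: {
    customNetworkInterfaceName: privateEndpointNicName
    subnet: {
      id: subnet.id
    }
    privateLinkServiceConnections: [
      {
        name: '${storageAccount.name}-pe-link'
        properties: {
          privateLinkServiceId: storageAccount.id
          groupIds: [
            'blob'
          ]
        }
      }
    ]
  }
}

// The NIC is created by the private endpoint in the deployment's resource
// group. `existing` only builds the resource id; ordering against the private
// endpoint is enforced by the dependsOn on the diagnostic setting below.
resource storagePrivateEndpointNic 'Microsoft.Network/networkInterfaces@2022-07-01' existing = {
  name: privateEndpointNicName
}

// Diagnostic settings for the private endpoint's network interface. Private
// endpoints expose no diagnostic settings of their own, so the NIC is the
// scope that actually carries the metrics.
resource storagePEDiagnosticSetting3 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  name: '${storageAccount.name}-pe-ni-logs'
  scope: storagePrivateEndpointNic
  properties: {
    workspaceId: loggingWorkspaceId
    metrics: [
      {
        category: 'AllMetrics'
        enabled: true
      }
    ]
  }
  // The NIC does not exist until the private endpoint has finished provisioning.
  dependsOn: [
    storagePrivateEndpoint
  ]
}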

I expect to be able to create diagnostic settings for the NetworkInterface of the private endpoint. Thank you!


Solution

  • The scope of the diagnosticSettings resource expects a network interface resource.
    You need to create a module in order to set diagnostic settings on the network interface:

    // diagnostic-settings.bicep
    @description('Name of the existing network interface; resolved in the resource group this module is deployed to.')
    param networkInterfaceName string

    @description('Name given to the diagnostic setting created on that network interface.')
    param logName string

    @description('Resource id of the Log Analytics workspace that receives the metrics.')
    param loggingWorkspaceId string
    
    // Reference to the already-provisioned NIC; no scope is given, so it is
    // looked up in the module's target resource group.
    resource networkInterface 'Microsoft.Network/networkInterfaces@2022-07-01' existing = {
      name: networkInterfaceName
    }
    
    // Diagnostic setting attached to the network interface (extension resource,
    // hence `scope`), shipping all NIC metrics to the given workspace.
    resource diagnosticSetting 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
      name: logName
      scope: networkInterface
      properties: {
        workspaceId: loggingWorkspaceId
        metrics: [
          {
            enabled: true
            category: 'AllMetrics'
          }
        ]
      }
    }
    
    

    From your main.bicep, you can invoke the module like this:

    // main.bicep
    
    ...
    
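    // Module invocation. Passing the NIC name as a module parameter is what
    // makes the runtime-only value usable: an `existing` resource name in the
    // same file would have to be a deploy-time constant.
    module diangSetting 'diagnostic-settings.bicep' = {
      name: '${storageAccount.name}-pe-ni-logs'
      // The NIC is created in the private endpoint's resource group, which is
      // the deployment resource group here.
      scope: resourceGroup()
      params: {
        logName: '${storageAccount.name}-pe-ni-logs'
        loggingWorkspaceId: loggingWorkspaceId
        // Derive the NIC name from its resource id rather than reading `.name`:
        // the runtime reference to a private endpoint's networkInterfaces entries
        // is normally populated with the `id` only. Referencing the private
        // endpoint here also orders this module after its provisioning.
        networkInterfaceName: last(split(storagePrivateEndpoint.properties.networkInterfaces[0].id, '/'))
      }
    }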