Releases: Azure/ALZ-Bicep
v0.23.2
What's Changed
- fix: cspm plan pricing tier by @jaredfholgate in #1098
Full Changelog: v0.23.1...v0.23.2
v0.23.1
What's Changed
- refactor: Add gateway udt, add allowed values, and mgmt ip for firewall by @oZakari in #947
- chore: removed old reference to parameter parPrivateDnsZoneAutoMergeAzureBackupZone by @picccard in #1075
- feat: adding switch for internet fallback on Private DNS zones by @picccard in #1020
- chore: remove old reference to parameter parAzFirewallAvailabilityZones by @picccard in #1076
- fix: use correct parameter for vwan hub default routetable name by @picccard in #1077
- fix: use new parameter parVirtualNetworkResourceIdsToLinkTo by @picccard in #1078
- feat: General networking fixes and improvements by @oZakari in #1092
Breaking Changes
1. Gateway Configuration Refactor
PR: #947 — Add gateway UDTs, allowed values, and management IP for firewall
As part of the migration to user-defined types (UDTs) for properties within the parVpnGatewayConfig and parExpressRouteGatewayConfig parameters, the following changes apply:
- Supported SKUs limited to Availability Zones: only gateway SKUs with zone support are now allowed, aligning with Azure’s Gateway SKU Consolidation and Migration Guide.
- Property name alignment: the generation property in parVpnGatewayConfig has been renamed to vpnGatewayGeneration to align with parExpressRouteGatewayConfig.
- Case sensitivity correction: the property bgpsettings is now case-sensitive and must be written as bgpSettings.
- Subproperty type enforcement: the asn and peerWeight subproperties within bgpSettings now require integer values instead of strings.
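The following is an added example (not code from the ALZ-Bicep repository) showing a parVpnGatewayConfig value in a .bicepparam file before and after the four changes above. Only generation, vpnGatewayGeneration, bgpsettings/bgpSettings, asn and peerWeight come from the release note; the using path, the name, gatewayType, sku and enableBgp properties, and the SKU and ASN values are assumptions made for illustration and should be checked against the hubNetworking module you deploy.

```bicep
// Added example, not part of the ALZ-Bicep repo. Path and property names other
// than those called out in the v0.23.1 release note are assumptions.
using './hubNetworking.bicep' // assumed path to the module being parameterised

// BEFORE v0.23.1 (rejected by the new user-defined types):
//
// param parVpnGatewayConfig = {
//   name: 'alz-vpn-gw'              // assumed property
//   gatewayType: 'Vpn'              // assumed property
//   sku: 'VpnGw1'                   // non-zonal SKU: no longer in the allowed values
//   generation: 'Generation1'       // renamed to vpnGatewayGeneration
//   enableBgp: true                 // assumed property
//   bgpsettings: {                  // wrong case: must be bgpSettings
//     asn: '65515'                  // string: must be an integer
//     peerWeight: '5'               // string: must be an integer
//   }
// }

// AFTER v0.23.1:
param parVpnGatewayConfig = {
  name: 'alz-vpn-gw'                 // assumed property
  gatewayType: 'Vpn'                 // assumed property
  sku: 'VpnGw1AZ'                    // zone-capable SKU (constructed value)
  vpnGatewayGeneration: 'Generation1'
  enableBgp: true                    // assumed property
  bgpSettings: {
    asn: 65515                       // integer, constructed sample ASN
    peerWeight: 5                    // integer
  }
}
```

Running `bicep build-params` (or a what-if deployment) against the updated module surfaces each of the four mismatches as a type error before anything is deployed, which is the intended effect of the UDT migration: misconfigurations fail at compile time rather than at deployment.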
2. Private DNS Zone Internet Fallback
PR: #1020 — Add switch for internet fallback on Private DNS zones
- Default behavior remains unchanged.
⚠️ If the parameter parPrivateDnsZones includes any non-privatelink zones (for example, contoso.internal), virtual network links for those zones will fail because the resolutionPolicy property is only valid for privatelink zones.
Example:
parPrivateDnsZones:
- 'privatelink.postgres.database.azure.com'
- 'privatelink.mysql.database.azure.com'
- 'contoso.internal' # Will fail – not a privatelink zone
3. Management IP Configuration for Existing Azure Firewalls
Support for Management IP Configuration was introduced in v0.23.1. However, due to an Azure platform limitation, you cannot add a Management IP to an existing Azure Firewall.
Attempts to add a Management IP to an existing Firewall will fail with the error:
{
"code": "AzureFirewallManagementIpConfigCannotBeAdded",
"message": "AzureFirewall <name> management IP configuration cannot be added to an existing firewall. Redeploy with a management IP configuration if you want to use forced tunneling support.",
"details": []
}
What this means
- Existing Firewalls cannot be updated in place to include a Management IP.
- You must redeploy the Firewall with the Management IP defined at creation.
- Stop/start operations may cause the Firewall’s private IP address to change, which can impact:
- Route tables
- DNS settings
- Spoke network configurations
Full Changelog: v0.23.0...v0.23.1
v0.23.0
Summary
This release includes our ALZ Policy Refresh for H2 FY25 (please click to see release notes over in our other repo).
It also includes the addition of our Security Management Group as announced here.
Breaking Changes
There is a single breaking change for the Enforce-Guardrails-Network workload compliance policy which you can see guidance on here.
What's Changed
- feat: add security MG & change docs generation workflow and guidance by @jtracey93 in #1062
- feat: Update Policy Library (automated) - Policy Refresh H2 FY25 by @cae-pr-creator[bot] in #1063
Full Changelog: v0.22.5...v0.23.0
v0.23.0-pre
Full Changelog: v0.22.5...v0.23.0-pre
v0.22.5
What's Changed
- fix: add fix for MDFC discovery tier - destroy script by @jtracey93 in #1061
Full Changelog: v0.22.4...v0.22.5
v0.22.4
What's Changed
- fix: sidecar-network-vwan-deployment-name by @KiZach in #1046
- chore: update version.json by @MarcoJanse in #1049
- feat: Update version.json by @jtracey93 in #1054
Full Changelog: v0.22.3...v0.22.4
v0.22.3
Summary
This is a focused release that introduces a few impactful enhancements across network, monitoring, and policy features. Key highlights include support for deploying an optional sidecar Virtual Network (VNet) with Virtual WAN (vWAN), improved flexibility in VM Insights configuration, and fine-grained control over policy assignment enforcement behavior.
Huge thanks to @picccard for his contribution to improving VM Insights flexibility. We appreciate the help and welcome contributions from anyone looking to improve the ALZ Bicep modules!
What's Changed
- feat: Sidecar network for VWAN by @oZakari in #1017
  → Introduces support for a sidecar VNet alongside the vWAN Hub using the new parSidecarVirtualNetwork parameter.
  → Includes new type sideCarVirtualNetworkType for clean input structure and modular deployment.
- feat: Added VmInsight DCR without need for dependency agent by @picccard in #1026
  → Adds a new parameter parDataCollectionRuleVMInsightsExperience to allow selecting between PerfOnly and PerfAndMap VM Insights experiences, removing the need for the Dependency Agent in some cases.
- feat: Added new parameter for policy assignment DoNotEnforce flexibility by @oZakari in #1032
  → Adds parPolicyAssignmentsToDisableEnforcement to enable setting specific ALZ policy assignments to DoNotEnforce, rather than excluding them from being deployed entirely with the existing parameter parExcludedPolicyAssignments.
Breaking Changes
None
Full Changelog: v0.22.2...v0.22.3
v0.22.2
What's Changed
- refactor: Remove redundant ternary by @marcovossen in #993
- fix: Add required change tracking solution by @oZakari in #997
- fix: Fix bugs specific to AMA configuration by @oZakari in #1005
- fix: automation account fixes for api version and conditional lock config by @oZakari in #1012
Breaking Changes
This release standardizes the default name of the MDFC SQL data collection rule for Azure Monitoring Agent (AMA). Please ensure that this value is updated in all relevant configurations and policy assignments to avoid any issues with resource references.
- Updated the DataCollectionRuleMDFCSQLResourceId pattern in accelerator/.config/ALZ-Powershell-Auto.config.json to use alz-ama-mdfcsql-dcr instead of ama-mdfcsql-default-dcr.
- Updated the DataCollectionRuleMDFCSQLResourceId value in accelerator/.config/ALZ-Powershell.config.json to reflect the same change.
- Updated the parDataCollectionRuleMDFCSQLResourceId parameter value in alzDefaultPolicyAssignments.parameters.all.json and alzDefaultPolicyAssignments.parameters.min.json to align with the new resource ID naming convention.
Logging Parameter Name Changes
- Removed the parLogAnalyticsWorkspaceSolutionsLock parameter and replaced it with parSecurityInsightsOnboardingLock and parSecurityInsightsOnboardingLock within the logging module (https://github.com/Azure/ALZ-Bicep/blob/main/infra-as-code/bicep/modules/logging/logging.bicep).
- Removed the parUseSentinelClassicPricingTiers parameter, as Sentinel Classic Pricing Tiers are no longer supported.
New Contributors
- @marcovossen made their first contribution in #993
Full Changelog: v0.22.1...v0.22.2
v0.22.1
What's Changed
- refactor: Disable automation account by default by @oZakari in #980
- feat: Add option to change vwan type by @oZakari in #983
- feat: add ability to override varManagementGroupIds values in alzDefaultPolicyAssignments.bicep & workloadSpecificPolicyAssignments.bicep to support rename of ALZ default MGs and fix #986 by @jtracey93 in #987
Breaking Changes
None 👍🏼
Full Changelog: v0.22.0...v0.22.1
v0.22.0
Summary
The key addition in this release is a new module for deploying Workload Specific Policy Assignments. The Workload Specific Compliance policies are now assigned by default (Audit). This enables auditing compliance for specific workloads, such as SQL and Storage, which is often required in highly regulated industries like financial services and healthcare. Please note that these policies were previously available; however, they were not assigned by default.
As part of this update, we have also refactored the ALZ Default Policy Assignments module by moving Sovereign Landing Zone-specific assignments and exemptions to the new module. This change helps prevent occasional issues with exceeding the 4MB ARM template limit.
What's Changed
- fix: Remove default security contact email and correct TLS assignment by @oZakari in #971
- feat: add fallbacktointernet for dns zone by @jantorep in #962
- refactor: Separation of policy assignments module to avoid hitting ARM size limit and include workload specific policy assignments by @oZakari in #975
- chore: Update version.json for release v0.22.0 by @oZakari in #979
Breaking Changes
Module: alzDefaultPolicyAssignments.bicep
This update introduces breaking changes by removing the following parameters previously associated with Sovereign Landing Zones:
- parTopLevelPolicyAssignmentSovereigntyGlobal
- parPolicyAssignmentSovereigntyConfidential
- parAllowedVirtualMachineSKUs
These parameters, along with their related policy assignments and exemptions, have been migrated to the workloadSpecificPolicyAssignments.bicep module.
Required Action
If you are using the alzDefaultPolicyAssignments.bicep module and intend to upgrade to this version or a later one, you must:
- Remove these parameters from your existing parameter files for this module.
- Update your configurations accordingly in the workloadSpecificPolicyAssignments.bicep module.
New Contributors
Full Changelog: v0.21.0...v0.22.0