Document delete lock usage #216

Merged
merged 3 commits into from
Mar 24, 2022
9 changes: 9 additions & 0 deletions docs/archetypes/generic-subscription.md
Expand Up @@ -7,6 +7,7 @@
- [Overview](#overview)
- [Azure Deployment](#azure-deployment)
- [Schema Definition](#schema-definition)
- [Delete Locks](#delete-locks)
- [Deployment Scenarios](#deployment-scenarios)
- [Example Deployment Parameters](#example-deployment-parameters)
- [Recommended Parameter Property Updates](#recommended-parameter-property-updates)
Expand Down Expand Up @@ -87,8 +88,16 @@ Reference implementation uses parameter files with `object` parameters to consol
* [Backup Recovery Vault](../../schemas/latest/landingzones/types/backupRecoveryVault.json)
* [Hub Network](../../schemas/latest/landingzones/types/hubNetwork.json)

### Delete Locks

As an administrator, you can lock a subscription, resource group, or resource to prevent other users in your organization from accidentally deleting or modifying critical resources. The lock overrides any permissions the user might have. You can set the lock level to `CanNotDelete` or `ReadOnly`. Please see [Azure Docs](https://docs.microsoft.com/azure/azure-resource-manager/management/lock-resources) for more information.

**This archetype does not use `CanNotDelete` nor `ReadOnly` locks as part of the deployment. You may customize the deployment templates when it's required for your environment.**

### Deployment Scenarios

> Sample deployment scenarios are based on the latest JSON parameters file schema definition. If you have an older version of this repository, please use the examples from your repository.

| Scenario | Example JSON Parameters | Notes |
|:-------- |:----------------------- |:----- |
| Deployment with Hub Virtual Network | [tests/schemas/lz-generic-subscription/FullDeployment-With-Hub.json](../../tests/schemas/lz-generic-subscription/FullDeployment-With-Hub.json) | - |
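Review bot: the bolded sentence "does not use `CanNotDelete` nor `ReadOnly` locks" mixes "not" with "nor"; reword to "uses neither `CanNotDelete` nor `ReadOnly` locks as part of the deployment". The follow-on "You may customize the deployment templates" is not actionable as written: name the template or parameter a reader would edit to add a lock to a generic-subscription landing zone, or link to the archetype doc that does deploy one, so the reader knows where to start.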
9 changes: 9 additions & 0 deletions docs/archetypes/healthcare.md
Expand Up @@ -12,6 +12,7 @@
* [Testing](#testing)
* [Azure Deployment](#azure-deployment)
* [Schema Definition](#schema-definition)
* [Delete Locks](#delete-locks)
* [Deployment Scenarios](#deployment-scenarios)
* [Example Deployment Parameters](#example-deployment-parameters)
* [Deployment Instructions](#deployment-instructions)
Expand Down Expand Up @@ -247,8 +248,16 @@ Reference implementation uses parameter files with `object` parameters to consol
* [Azure SQL Database](../../schemas/latest/landingzones/types/sqldb.json)
* [Azure Synapse Analytics](../../schemas/latest/landingzones/types/synapse.json)

### Delete Locks

As an administrator, you can lock a subscription, resource group, or resource to prevent other users in your organization from accidentally deleting or modifying critical resources. The lock overrides any permissions the user might have. You can set the lock level to `CanNotDelete` or `ReadOnly`. Please see [Azure Docs](https://docs.microsoft.com/azure/azure-resource-manager/management/lock-resources) for more information.

**This archetype does not use `CanNotDelete` nor `ReadOnly` locks as part of the deployment. You may customize the deployment templates when it's required for your environment.**

### Deployment Scenarios

> Sample deployment scenarios are based on the latest JSON parameters file schema definition. If you have an older version of this repository, please use the examples from your repository.

| Scenario | Example JSON Parameters | Notes |
|:-------- |:----------------------- |:----- |
| Deployment with Hub Virtual Network | [tests/schemas/lz-healthcare/FullDeployment-With-Hub.json](../../tests/schemas/lz-healthcare/FullDeployment-With-Hub.json) | - |
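Review bot: this "Delete Locks" paragraph is pasted verbatim into every archetype document in this PR, which invites drift the next time the Azure Docs link or the lock-level wording changes. Consider one shared page (for example a docs-level "Delete Locks" section) that each archetype links to, keeping only the archetype-specific line ("uses neither `CanNotDelete` nor `ReadOnly` locks") in this file.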
19 changes: 16 additions & 3 deletions docs/archetypes/hubnetwork-azfw.md
Expand Up @@ -11,6 +11,7 @@
* [Required Routes](#required-routes)
* [Azure Firewall Rules](#azure-firewall-rules)
* [Log Analytics Integration](#log-analytics-integration)
* [Delete Locks](#delete-locks)

## Overview

Expand Down Expand Up @@ -187,17 +188,19 @@ Below are sample queries that can also be used to query Log Analytics Workspace

**Sample Firewall Logs Query**

```
```none
AzureDiagnostics
| where Category contains "AzureFirewall"
| where msg_s contains "Deny"
| project TimeGenerated, msg_s
| order by TimeGenerated desc
```

![Sample DNS Logs](../media/architecture/hubnetwork-azfw/azfw-logs-fw.jpg)

**Sample DNS Logs Query**
```

```none
AzureDiagnostics
| where Category == "AzureFirewallDnsProxy"
| where msg_s !contains "NOERROR"
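Review bot: the image directly under the firewall query has alt text "Sample DNS Logs" but points at `azfw-logs-fw.jpg`, so the firewall screenshot is labelled as DNS output; since this hunk already touches the surrounding lines, change that alt text to "Sample Firewall Logs" while here. The `none` fence tag is fine for markdown lint, but the blank line added before the second fence should also be added before the first (`**Sample Firewall Logs Query**` is followed immediately by the fence) for consistency.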
Expand All @@ -207,11 +210,21 @@ AzureDiagnostics

![Sample DNS Logs](../media/architecture/hubnetwork-azfw/azfw-logs-dns.jpg)


[itsg22]: https://www.cyber.gc.ca/sites/default/files/publications/itsg-22-eng.pdf
[cloudUsageProfiles]: https://github.com/canada-ca/cloud-guardrails/blob/master/EN/00_Applicable-Scope.md
[rfc1918]: https://tools.ietf.org/html/rfc1918
[rfc6598]: https://tools.ietf.org/html/rfc6598
[nsgAzureLoadBalancer]: https://docs.microsoft.com/azure/virtual-network/network-security-groups-overview#allowazureloadbalancerinbound
[nsgAzureBastion]: https://docs.microsoft.com/azure/bastion/bastion-nsg#apply
[nsgAppGatewayV2]: https://docs.microsoft.com/azure/application-gateway/configuration-infrastructure#network-security-groups

## Delete Locks

As an administrator, you can lock a subscription, resource group, or resource to prevent other users in your organization from accidentally deleting or modifying critical resources. The lock overrides any permissions the user might have. You can set the lock level to `CanNotDelete` or `ReadOnly`. Please see [Azure Docs](https://docs.microsoft.com/azure/azure-resource-manager/management/lock-resources) for more information.

By default, this archetype deploys `CanNotDelete` lock to prevent accidental deletion at:

* Hub Virtual Network resource group
* Management Restricted Zone resource group
* Public Access Zone resource group
* DDoS resource group (when enabled)
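Review bot: "The lock overrides any permissions the user might have" reads as though the lock bounds privileged principals, but the surrounding text frames it correctly as a guard against accidental deletion; a principal with permission to manage locks can remove it and then delete, so suggest "The lock applies regardless of the user's role assignments and guards against accidental deletion; it is not an access-control boundary." Also, the new `## Delete Locks` section lands after the `[itsg22]`/`[rfc1918]` reference-link definitions, which should stay at the end of the file (the fortigate doc in this PR puts the section before them); move the section above the definitions. Minor: "deploys `CanNotDelete` lock" wants an article ("a `CanNotDelete` lock").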
23 changes: 18 additions & 5 deletions docs/archetypes/hubnetwork-nva-fortigate.md
Expand Up @@ -12,7 +12,7 @@
* [Required Routes](#required-routes)
* [Firewall configuration details](#firewall-configuration-details)
* [Fortigate Licences](#fortigate-licences)

* [Delete Locks](#delete-locks)

## Overview

Expand Down Expand Up @@ -63,7 +63,7 @@ Network design will require 3 IP blocks:

## Management Restricted Zone Virtual Network

* Management Access Zone (OZ) - to host any privileged access workstations (PAW), with Management Public IPs forwarded via the hub's firewall.
* Management Access Zone (OZ) - to host any privileged access workstations (PAW), with Management Public IPs forwarded via the hub's firewall.
* Management (OZ) – hosting the management servers (domain controllers).
* Infrastructure (OZ) – hosting other common infrastructure, like file shares.
* Security Management (OZ) – hosting security, proxies and patching servers.
Expand All @@ -82,11 +82,13 @@ Application Gateway can have either public or private frontends (also with [RFC
The Backend URL should map to a VIP and Port mapping in the firewall's External network. In the future, Backend URLs could be directly pointed to the Frontend subnets in the spoke. The firewall performs DNAT and sends to the webserver, which will answer to the source IP (Application Gateway's internal IP), which means the webserver may need a UDR to force traffic destined to Application Gateway to re-traverse the firewall (next-hop), which is considered asymmetric routing ([other example topologies](https://docs.microsoft.com/azure/architecture/example-scenario/gateway/firewall-application-gateway#application-gateway-before-firewall)).

## User Defined Routes

All traffic to be sent to the Hub's firewall via the Internal Load Balancer in the Int_Prod Zone (or for Dev Landing Zones, the Int_Dev ILB) Private Endpoints and Private DNS Design.

Azure supports connecting to PaaS services using [RFC 1918][rfc1918] private IPs, avoiding all traffic from the internet and only allowing connections from designated private endpoints as a special kind of NICs in the subnet of choice. Private DNS resolution must be implemented so the PaaS service URLs properly translate to the individual private IP of the private endpoint.

## Network Security Groups

Below is a list of requirements for the NSGs in each subnet:

* Hub Virtual Network
Expand Down Expand Up @@ -218,18 +220,19 @@ The 4 NICs will be mapped as follows (IPs shown for firewall 1 and 2, and the VI
| PAZ (via Public) | NIC 1 | NIC 1 | - | NIC 1 |
| Internal (LZ Spokes) | NIC 3 | NIC 3 | NIC 3 | -


## Fortigate Licences

The Fortigate firewall can be consumed in two modes: bring-your-own-license (BYOL) or pay-as-you-go (PAYG), where the hourly fee includes the fortigate license premium. Both require acceptance of the Fortigate license and billing plans, which can be automated with the following CLI:

**Bring your own license (BYOL)**
```

```bash
az vm image accept-terms --plan fortinet_fw-vm --offer fortinet_fortiweb-vm_v5 --publish fortinet --subscription XXX
```

**Pay as you go license (PAYG)**
```

```bash
az vm image accept-terms --plan fortinet_fw-vm-payg_20190624 --offer fortinet_fortiweb-vm_v5 --publish fortinet --subscription XXX
```

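Review bot: the offer `fortinet_fortiweb-vm_v5` and plans `fortinet_fw-vm` / `fortinet_fw-vm-payg_20190624` in both commands name Fortinet's FortiWeb image, while this section and the rest of the page describe a FortiGate firewall; please confirm these are the marketplace identifiers the templates actually reference, because accepting terms for the wrong offer will not unblock a FortiGate deployment. Two smaller points on the same lines: spell out `--publisher` (the `--publish` form only works because the CLI accepts unambiguous option prefixes), and mark `XXX` as a subscription-id placeholder in the text so it is not copied literally.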
Expand All @@ -241,6 +244,16 @@ For that reason, it's recommended to boot a Windows management VM in the MRZ (Ma

* https://portal.azure.com/#create/fortinet.fortigatengfw-high-availabilityfortigate-ha

## Delete Locks

As an administrator, you can lock a subscription, resource group, or resource to prevent other users in your organization from accidentally deleting or modifying critical resources. The lock overrides any permissions the user might have. You can set the lock level to `CanNotDelete` or `ReadOnly`. Please see [Azure Docs](https://docs.microsoft.com/azure/azure-resource-manager/management/lock-resources) for more information.

By default, this archetype deploys `CanNotDelete` lock to prevent accidental deletion at:

* Hub Virtual Network resource group
* Management Restricted Zone resource group
* Public Access Zone resource group
* DDoS resource group (when enabled)


[itsg22]: https://www.cyber.gc.ca/sites/default/files/publications/itsg-22-eng.pdf
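Review bot: the four locked resource groups listed here are identical to the list added to the Azure Firewall archetype in this PR; please confirm the Fortigate templates create and lock the same four (including the DDoS group "when enabled"), since this archetype also has the firewall VM resource group and it is unclear whether that one is locked. Wording: "deploys `CanNotDelete` lock" should be "deploys a `CanNotDelete` lock".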
7 changes: 7 additions & 0 deletions docs/archetypes/logging.md
Expand Up @@ -4,6 +4,7 @@

* [Overview](#overview)
* [Schema Definition](#schema-definition)
* [Delete Locks](#delete-locks)
* [Deployment Instructions](#deployment-instructions)

## Overview
Expand Down Expand Up @@ -51,6 +52,12 @@ Reference implementation uses parameter files with `object` parameters to consol
* [Subscription Tags](../../schemas/latest/landingzones/types/subscriptionTags.json)
* [Resource Tags](../../schemas/latest/landingzones/types/resourceTags.json)

## Delete Locks

As an administrator, you can lock a subscription, resource group, or resource to prevent other users in your organization from accidentally deleting or modifying critical resources. The lock overrides any permissions the user might have. You can set the lock level to `CanNotDelete` or `ReadOnly`. Please see [Azure Docs](https://docs.microsoft.com/azure/azure-resource-manager/management/lock-resources) for more information.

By default, this archetype deploys `CanNotDelete` lock to prevent accidental deletion on all resource groups it creates.

## Deployment Instructions

Use the [Azure DevOps Pipelines](../onboarding/azure-devops-pipelines.md) onboarding guide to configure this archetype.
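Review bot: "on all resource groups it creates" asks the reader to take the coverage on trust; list the resource groups by name as the hub network docs in this PR do, so an operator can verify the lock is present after deployment, and state that the lock is applied at resource-group scope (so it also protects the Log Analytics workspace and any other resources inside). Wording: "deploys `CanNotDelete` lock" should be "deploys a `CanNotDelete` lock".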
11 changes: 9 additions & 2 deletions docs/archetypes/machinelearning.md
Expand Up @@ -16,6 +16,7 @@
- [Test Scenarios](#test-scenarios)
- [Azure Deployment](#azure-deployment)
- [Schema Definition](#schema-definition)
- [Delete Locks](#delete-locks)
- [Deployment Scenarios](#deployment-scenarios)
- [Example Deployment Parameters](#example-deployment-parameters)
- [Deployment Instructions](#deployment-instructions)
Expand Down Expand Up @@ -88,7 +89,6 @@ Subscription can be moved to a target Management Group through Azure ARM Templat
| Key Management | Azure Key Vault - Centralized cloud storage of secrets and keys | Private Endpoint | [Azure Docs](https://docs.microsoft.com/azure/key-vault/general/overview)
| Monitoring | Application Insights - Application performance and monitoring cloud service | - | [Azure Docs](https://docs.microsoft.com/azure/azure-monitor/app/app-insights-overview)


The intended cloud service workflows and data movements for this archetype include:

1. Data can be ingested from various sources using Data Factory, which uses managed virtual network for its Azure hosted integration runtime.
Expand Down Expand Up @@ -171,7 +171,6 @@ Since all traffic is redirected through the NVA / Firewall, the following destin
| `dc.services.visualstudio.com` ; `*.ods.opinsights.azure.com` ; `*.oms.opinsights.azure.com` ; `*.monitoring.azure.com` ; `data.policy.core.windows.net` ; `store.policy.core.windows.net` | HTTPS | 443 | AKS Addons required FQDNs|
| `security.ubuntu.com` ; `azure.archive.ubuntu.com` ; `changelogs.ubuntu.com` | HTTP | 80 | AKS Optional recommended FQDNs |


## Testing

Test scripts are provided to verify end to end integration. These tests are not automated so minor modifications are needed to set up and run.
Expand Down Expand Up @@ -252,8 +251,16 @@ Reference implementation uses parameter files with `object` parameters to consol
* [Azure SQL Database](../../schemas/latest/landingzones/types/sqldb.json)
* [Azure SQL Managed Instances](../../schemas/latest/landingzones/types/sqlmi.json)

### Delete Locks

As an administrator, you can lock a subscription, resource group, or resource to prevent other users in your organization from accidentally deleting or modifying critical resources. The lock overrides any permissions the user might have. You can set the lock level to `CanNotDelete` or `ReadOnly`. Please see [Azure Docs](https://docs.microsoft.com/azure/azure-resource-manager/management/lock-resources) for more information.

**This archetype does not use `CanNotDelete` nor `ReadOnly` locks as part of the deployment. You may customize the deployment templates when it's required for your environment.**

### Deployment Scenarios

> Sample deployment scenarios are based on the latest JSON parameters file schema definition. If you have an older version of this repository, please use the examples from your repository.

| Scenario | Example JSON Parameters | Notes |
|:-------- |:----------------------- |:----- |
| Deployment with Hub Virtual Network | [tests/schemas/lz-machinelearning/FullDeployment-With-Hub.json](../../tests/schemas/lz-machinelearning/FullDeployment-With-Hub.json) | - |
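Review bot: the section explains what locks do and then states in bold that none are deployed, without saying why; a reader comparing this with the hub network archetypes (which lock by default) may read the omission as an oversight. Add a one-line rationale for leaving machine-learning landing zone resource groups unlocked, and fix "does not use `CanNotDelete` nor `ReadOnly`" to "uses neither `CanNotDelete` nor `ReadOnly`".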