mspnp · ckittel · Apr 6, 2023 · Apr 7, 2023 · Apr 7, 2023 · Apr 7, 2023
diff --git a/01-prerequisites.md b/01-prerequisites.md
@@ -32,11 +32,14 @@ This is the starting point for the instructions on deploying the [AKS baseline r
 
    1. [Register the ImageCleaner (Earser) preview feature = `EnableImageCleanerPreview`](https://learn.microsoft.com/azure/aks/image-cleaner#prerequisites)
 
+   1. [Register the Trusted Access preview feature = `TrustedAccessPreview`](https://learn.microsoft.com/azure/backup/azure-kubernetes-service-cluster-manage-backups#register-the-trusted-access) to support AKS Backup.
+
    ```bash
    az feature register --namespace "Microsoft.ContainerService" -n "EnableImageCleanerPreview"
+   az feature register --namespace "Microsoft.ContainerService" -n "TrustedAccessPreview"
 
    # Keep running until all say "Registered." (This may take up to 20 minutes.)
-   az feature list -o table --query "[?name=='Microsoft.ContainerService/EnableImageCleanerPreview'].{Name:name,State:properties.state}"
+   az feature list -o table --query "[?name=='Microsoft.ContainerService/EnableImageCleanerPreview' || name=='Microsoft.ContainerService/TrustedAccessPreview'].{Name:name,State:properties.state}"
 
    # When all say "Registered" then re-register the AKS resource provider
    az provider register --namespace Microsoft.ContainerService

diff --git a/05-bootstrap-prep.md b/05-bootstrap-prep.md
@@ -18,7 +18,8 @@ We'll be bootstrapping this cluster with the Flux GitOps agent as installed as a
 
 ### Additional resources
 
-In addition to ACR being deployed to support bootstrapping, this is where any other resources that are considered not tied to the lifecycle of an individual cluster is deployed. ACR is one example as talked about above. Another example could be an AKS Backup Vault and backup artifacts storage account which likely would exist prior to and after any individual AKS cluster's existance. When designing your pipelines, ensure to isolate components by their lifecycle watch for singletons in an architecture. These are typically resources like regional logging sinks, supporting global routing infrastructure, etc. This is in contrast to potentially transiently/replaceable components, like the AKS cluster itself. _This implemention does not represent a complete seperation of stamp vs regional resources, but is fairly close. Deviations are strickly for ease of deployment in this walkthrough instead of as examples of guidance._
+In addition to ACR being deployed to support bootstrapping, this is where any other resources that are considered not tied to the lifecycle of an individual cluster is deployed. ACR is one example as talked about above. Another example in this implementation, includes the AKS Backup Vault and backup artifacts storage account which likely would exist prior to and after any individual AKS cluster's existance. When designing your pipelines, ensure to isolate components by their lifecycle watch for singletons in an architecture. These are typically resources like regional logging sinks, supporting global routing infrastructure, etc. This is in contrast to potentially transiently/replaceable components, like the AKS cluster itself. _This implemention does not represent a complete seperation of stamp vs regional resources, but is fairly close. Deviations are strickly for ease of deployment in this walkthrough instead of as examples of guidance._
+
 ## Steps
 
 1. Create the AKS cluster resource group.

diff --git a/06-aks-cluster.md b/06-aks-cluster.md
@@ -20,7 +20,7 @@ Now that your [ACR instance is deployed and ready to support cluster bootstrappi
   :exclamation: By default, this deployment will allow unrestricted access to your cluster's API Server. You can limit access to the API Server to a set of well-known IP addresses (i.,e. a jump box subnet (connected to by Azure Bastion), build agents, or any other networks you'll administer the cluster from) by setting the `clusterAuthorizedIPRanges` parameter in all deployment options. This setting will also impact traffic originating from within the cluster trying to use the API server, so you will also need to include _all_ of the public IPs used by your egress Azure Firewall. For more information, see [Secure access to the API server using authorized IP address ranges](https://learn.microsoft.com/azure/aks/api-server-authorized-ip-ranges#create-an-aks-cluster-with-api-server-authorized-ip-ranges-enabled).
 
    ```bash
-   # [This takes about 18 minutes.]
+   # [This takes about 25 minutes.]
    az deployment group create -g rg-bu0001a0008 -f cluster-stamp.bicep -p targetVnetResourceId=${RESOURCEID_VNET_CLUSTERSPOKE_AKS_BASELINE} clusterAdminMicrosoftEntraGroupObjectId=${MEIDOBJECTID_GROUP_CLUSTERADMIN_AKS_BASELINE} a0008NamespaceReaderMicrosoftEntraGroupObjectId=${MEIDOBJECTID_GROUP_A0008_READER_AKS_BASELINE} k8sControlPlaneAuthorizationTenantId=${TENANTID_K8SRBAC_AKS_BASELINE} appGatewayListenerCertificate=${APP_GATEWAY_LISTENER_CERTIFICATE_AKS_BASELINE} aksIngressControllerCertificate=${AKS_INGRESS_CONTROLLER_CERTIFICATE_BASE64_AKS_BASELINE} domainName=${DOMAIN_NAME_AKS_BASELINE} gitOpsBootstrappingRepoHttpsUrl=${GITOPS_REPOURL} gitOpsBootstrappingRepoBranch=${GITOPS_CURRENT_BRANCH_NAME} location=eastus2
    ```
 

diff --git a/acr-stamp.bicep b/acr-stamp.bicep
@@ -290,6 +290,222 @@ resource privateEndpointAcrToVnet 'Microsoft.Network/privateEndpoints@2022-09-01
   }
 }
 
+// Supports configuring the AKS Backup extension.
+resource bvAksBackupVault 'Microsoft.DataProtection/backupVaults@2023-01-01' = {
+  name: 'bvAksBackupVault'
+  location: location
+  identity: {
+    type: 'SystemAssigned'
+  }
+  properties: {
+    storageSettings: [
+      {
+        datastoreType: 'VaultStore'
+        type: 'ZoneRedundant'
+      }
+    ]
+    securitySettings: {
+      immutabilitySettings: {
+        state: 'Disabled'
+      }
+      softDeleteSettings: {
+        state: 'On'
+        retentionDurationInDays: 14
+      }
+    }
+    featureSettings: {}
+  }
+
+  // Daily UTC midnight Kubernetes backup policy as an example. Configure policy as needed.
+  resource aksPolicy 'backupPolicies' = {
+    name: 'bp-aks-default-daily'
+    properties: {
+      objectType: 'BackupPolicy'
+      datasourceTypes: [
+        'Microsoft.ContainerService/managedClusters'
+      ]
+      policyRules: [
+        {
+          objectType: 'AzureBackupRule'
+          name: 'BackupDaily'
+          backupParameters: {
+            objectType: 'AzureBackupParams'
+            backupType: 'Incremental'
+          }
+          dataStore: {
+            objectType: 'DataStoreInfoBase'
+            dataStoreType: 'OperationalStore'
+          }
+          trigger: {
+            objectType: 'ScheduleBasedTriggerContext'
+            schedule: {
+              timeZone: 'UTC'
+              repeatingTimeIntervals: [
+                'R/2023-01-01T00:00:00+00:00/P1D'
+              ]
+            }
+            taggingCriteria: [
+              {
+                tagInfo: {
+                  tagName: 'Default'
+                }
+                taggingPriority: 99
+                isDefault: true
+              }
+            ]
+          }
+        }
+        {
+          objectType: 'AzureRetentionRule'
+          name: 'Default'
+          isDefault: true
+          lifecycles: [
+            {
+              deleteAfter: {
+                objectType: 'AbsoluteDeleteOption'
+                duration: 'P7D'
+              }
+              targetDataStoreCopySettings: []
+              sourceDataStore: {
+                dataStoreType: 'OperationalStore'
+                objectType: 'DataStoreInfoBase'
+              }
+            }
+          ]
+        }
+      ]
+    }
+  }
+}
+
+// This stores AKS Backup content, to be used by all clusters
+resource storageAksBackups 'Microsoft.Storage/storageAccounts@2022-09-01' = {
+  name: 'stbackup${subRgUniqueString}'
+  location: location
+  sku: {
+    name: 'Standard_GRS'
+  }
+  kind: 'StorageV2'
+  properties: {
+    allowSharedKeyAccess: false
+    defaultToOAuthAuthentication: true
+    publicNetworkAccess: 'Disabled'
+    allowCrossTenantReplication: false
+    allowBlobPublicAccess: false
+    minimumTlsVersion: 'TLS1_2'
+    isHnsEnabled: false
+    isLocalUserEnabled: false
+    isSftpEnabled: false
+    routingPreference: {
+      publishInternetEndpoints: true
+      publishMicrosoftEndpoints: true
+      routingChoice: 'MicrosoftRouting'
+    }
+    networkAcls: {
+      bypass: 'None'
+      virtualNetworkRules: []
+      ipRules: []
+      defaultAction: 'Deny'
+    }
+    encryption: {
+      keySource: 'Microsoft.Storage'
+      services: {
+        file: {
+          keyType: 'Account'
+          enabled: true
+        }
+        blob: {
+          keyType: 'Account'
+          enabled: true
+        }
+      }
+    }
+    supportsHttpsTrafficOnly: true
+    accessTier: 'Hot' 
+  }
+
+  resource blobservice 'blobServices' = {
+    name: 'default'
+  }
+}
+
+// Private DNS Zone for our AKS Backup storage account
+resource dnsPrivateZoneBlob 'Microsoft.Network/privateDnsZones@2020-06-01' = {
+  name: 'privatelink.blob.core.windows.net'
+  location: 'global'
+  properties: {}
+
+
+  // Enabling Storage Account Private Link on cluster virtual network.
+  resource vnetlnk 'virtualNetworkLinks' = {
+    name: 'to_${spokeVirtualNetwork.name}'
+    location: 'global'
+    properties: {
+      virtualNetwork: {
+        id: spokeVirtualNetwork.id
+      }
+      registrationEnabled: false
+    }
+  }
+}
+
+resource storageAksBackups_diagnosticsSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
+  name: 'default'
+  scope: storageAksBackups::blobservice
+  properties: {
+    workspaceId: laAks.id
+    logs: [
+      {
+        category: 'StorageRead'
+        enabled: true
+      }
+      {
+        category: 'StorageWrite'
+        enabled: true
+      }
+      {
+        category: 'StorageDelete'
+        enabled: true
+      }
+    ]
+  }
+}
+
+resource peAksBackupStorage 'Microsoft.Network/privateEndpoints@2022-07-01' = {
+  name: 'pe-${storageAksBackups.name}'
+  location: location
+  properties: {
+    subnet: {
+      id: spokeVirtualNetwork::snetPrivateLinkEndpoints.id
+    }
+    privateLinkServiceConnections: [
+      {
+        name: 'to_${spokeVirtualNetwork.name}'
+        properties: {
+          privateLinkServiceId: storageAksBackups.id
+          groupIds: [
+            'blob'
+          ]
+        }
+      }
+    ]
+  }
+
+  resource pdnszg 'privateDnsZoneGroups' = {
+    name: 'default'
+    properties: {
+      privateDnsZoneConfigs: [
+        {
+          name: 'privatelink-blob-core-windows-net'
+          properties: {
+            privateDnsZoneId: dnsPrivateZoneBlob.id
+          }
+        }
+      ]
+    }
+  }
+}
+
 /*** OUTPUTS ***/
 
 output containerRegistryName string = acrAks.name