From bfbc289207875a402e4b7fa2181d260788d14f0d Mon Sep 17 00:00:00 2001 From: Erika Gressi Date: Sun, 10 Jul 2022 19:48:22 +0200 Subject: [PATCH 01/11] publicNetworkAccess param --- .../configurationStores/deploy.bicep | 7 ++++--- modules/Microsoft.Batch/batchAccounts/deploy.bicep | 7 ++++--- modules/Microsoft.Compute/disks/deploy.bicep | 7 ++++--- .../Microsoft.ContainerRegistry/registries/deploy.bicep | 7 ++++--- modules/Microsoft.DataFactory/factories/deploy.bicep | 5 +++-- modules/Microsoft.EventGrid/topics/deploy.bicep | 9 +++++++-- .../namespaces/networkRuleSets/deploy.bicep | 5 +++-- modules/Microsoft.KeyVault/vaults/deploy.bicep | 9 +++++---- .../workspaces/deploy.bicep | 5 +++-- modules/Microsoft.Storage/storageAccounts/deploy.bicep | 6 +++--- 10 files changed, 40 insertions(+), 27 deletions(-) diff --git a/modules/Microsoft.AppConfiguration/configurationStores/deploy.bicep b/modules/Microsoft.AppConfiguration/configurationStores/deploy.bicep index d447225b45..d5ac3dcbfc 100644 --- a/modules/Microsoft.AppConfiguration/configurationStores/deploy.bicep +++ b/modules/Microsoft.AppConfiguration/configurationStores/deploy.bicep @@ -30,12 +30,13 @@ param disableLocalAuth bool = false @description('Optional. Property specifying whether protection against purge is enabled for this configuration store.') param enablePurgeProtection bool = false +@description('Optional. Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set.') @allowed([ - 'Disabled' + '' 'Enabled' + 'Disabled' ]) -@description('Optional. Control permission for data plane traffic coming from public networks while private endpoint is enabled.') -param publicNetworkAccess string = 'Enabled' +param publicNetworkAccess string = '' @description('Optional. The amount of time in days that the configuration store will be retained when it is soft deleted.') @minValue(1) 
diff --git a/modules/Microsoft.Batch/batchAccounts/deploy.bicep b/modules/Microsoft.Batch/batchAccounts/deploy.bicep index 34f5e2daf1..11a5f81a58 100644 --- a/modules/Microsoft.Batch/batchAccounts/deploy.bicep +++ b/modules/Microsoft.Batch/batchAccounts/deploy.bicep @@ -33,12 +33,13 @@ param poolAllocationMode string = 'BatchService' @description('Conditional. The key vault to associate with the Batch account. Required if the \'poolAllocationMode\' is set to \'UserSubscription\' and requires the service principal \'Microsoft Azure Batch\' to be granted contributor permissions on this key vault.') param keyVaultReferenceResourceId string = '' +@description('Optional. Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set.') @allowed([ - 'Disabled' + '' 'Enabled' + 'Disabled' ]) -@description('Optional. The network access type for operating on the resources in the Batch account.') -param publicNetworkAccess string = 'Enabled' +param publicNetworkAccess string = '' @description('Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely.') @minValue(0) diff --git a/modules/Microsoft.Compute/disks/deploy.bicep b/modules/Microsoft.Compute/disks/deploy.bicep index 1db051aed9..debb39149a 100644 --- a/modules/Microsoft.Compute/disks/deploy.bicep +++ b/modules/Microsoft.Compute/disks/deploy.bicep 
@@ -92,12 +92,13 @@ param networkAccessPolicy string = 'DenyAll' @description('Optional. Sources of a disk creation.') param osType string = '' +@description('Optional. Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set.') @allowed([ - 'Disabled' + '' 'Enabled' + 'Disabled' ]) -@description('Optional. Policy for controlling export on the disk.') -param publicNetworkAccess string = 'Disabled' +param publicNetworkAccess string = '' @description('Optional. True if the image from which the OS disk is created supports accelerated networking.') param acceleratedNetwork bool = false diff --git a/modules/Microsoft.ContainerRegistry/registries/deploy.bicep b/modules/Microsoft.ContainerRegistry/registries/deploy.bicep index 025c2bbc54..487b919d79 100644 --- a/modules/Microsoft.ContainerRegistry/registries/deploy.bicep +++ b/modules/Microsoft.ContainerRegistry/registries/deploy.bicep @@ -57,12 +57,13 @@ param retentionPolicyDays int = 15 @description('Optional. Enable a single data endpoint per region for serving data. Not relevant in case of disabled public access.') param dataEndpointEnabled bool = false +@description('Optional. Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set.') @allowed([ - 'Disabled' + '' 'Enabled' + 'Disabled' ]) -@description('Optional. Whether or not public network access is allowed for the container registry. - Enabled or Disabled.') -param publicNetworkAccess string = 'Enabled' +param publicNetworkAccess string = '' @description('Optional. Whether to allow trusted Azure services to access a network restricted registry. Not relevant in case of public access. - AzureServices or None.') param networkRuleBypassOptions string = 'AzureServices' 
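Review bot: Changing the default from `'Disabled'` to `''` in this disks hunk weakens the module's out-of-the-box posture, and the DataFactory hunk (next line) and the MachineLearningServices hunk further down do the same; the other modules in this patch only move from `'Enabled'` to `''`. Combined with the fallback introduced in the following patch, `''` without private endpoints resolves to `null`, so these three modules stop pinning public access off and leave the decision to the resource provider unless the caller opts in. If the intent is to keep them closed by default, keep `param publicNetworkAccess string = 'Disabled'` for those three, or have the fallback branch return the previous default rather than `null`. The shared description should also state the no-private-endpoint case explicitly, e.g. `If not specified, it will be disabled by default if private endpoints are set; otherwise the service default applies.`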
diff --git a/modules/Microsoft.DataFactory/factories/deploy.bicep b/modules/Microsoft.DataFactory/factories/deploy.bicep index 19383e59fd..28829aa852 100644 --- a/modules/Microsoft.DataFactory/factories/deploy.bicep +++ b/modules/Microsoft.DataFactory/factories/deploy.bicep @@ -10,12 +10,13 @@ param integrationRuntime object = {} @description('Optional. Location for all Resources.') param location string = resourceGroup().location -@description('Optional. Whether or not public network access is allowed for this resource.') +@description('Optional. Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set.') @allowed([ + '' 'Enabled' 'Disabled' ]) -param publicNetworkAccess string = 'Disabled' +param publicNetworkAccess string = '' @description('Optional. Boolean to define whether or not to configure git during template deployment.') param gitConfigureLater bool = true diff --git a/modules/Microsoft.EventGrid/topics/deploy.bicep b/modules/Microsoft.EventGrid/topics/deploy.bicep index c75a508aa7..164b9c2655 100644 --- a/modules/Microsoft.EventGrid/topics/deploy.bicep +++ b/modules/Microsoft.EventGrid/topics/deploy.bicep @@ -4,8 +4,13 @@ param name string @description('Optional. Location for all Resources.') param location string = resourceGroup().location -@description('Optional. Determines if traffic is allowed over public network.') -param publicNetworkAccess string = 'Enabled' +@description('Optional. Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set.') +@allowed([ + '' + 'Enabled' + 'Disabled' +]) +param publicNetworkAccess string = '' @description('Optional. Array of IPs to whitelist.') param inboundIpRules array = [] 
diff --git a/modules/Microsoft.EventHub/namespaces/networkRuleSets/deploy.bicep b/modules/Microsoft.EventHub/namespaces/networkRuleSets/deploy.bicep index 6c73af97bc..4e613d55f4 100644 --- a/modules/Microsoft.EventHub/namespaces/networkRuleSets/deploy.bicep +++ b/modules/Microsoft.EventHub/namespaces/networkRuleSets/deploy.bicep @@ -1,12 +1,13 @@ @description('Conditional. The name of the parent event hub namespace. Required if the template is used in a standalone deployment.') param namespaceName string +@description('Optional. Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set.') @allowed([ + '' 'Enabled' 'Disabled' ]) -@description('Optional. This determines if traffic is allowed over public network. Default it is "Enabled". If set to "Disabled", traffic to this namespace will be restricted over Private Endpoints only.') -param publicNetworkAccess string = 'Enabled' +param publicNetworkAccess string = '' @allowed([ 'Allow' diff --git a/modules/Microsoft.KeyVault/vaults/deploy.bicep b/modules/Microsoft.KeyVault/vaults/deploy.bicep index 2b012b70a0..b291dbac93 100644 --- a/modules/Microsoft.KeyVault/vaults/deploy.bicep +++ b/modules/Microsoft.KeyVault/vaults/deploy.bicep 
@@ -64,12 +64,13 @@ param vaultSku string = 'premium' @description('Optional. Service endpoint object information. For security reasons, it is recommended to set the DefaultAction Deny.') param networkAcls object = {} -@description('Optional. Property to specify whether the vault will accept traffic from public internet. If set to "disabled" all traffic except private endpoint traffic and that that originates from trusted services will be blocked. This will override the set firewall rules, meaning that even if the firewall rules are present we will not honor the rules.') +@description('Optional. Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set.') @allowed([ - 'enabled' - 'disabled' + '' + 'Enabled' + 'Disabled' ]) -param publicNetworkAccess string = 'enabled' +param publicNetworkAccess string = '' @description('Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely.') @minValue(0) diff --git a/modules/Microsoft.MachineLearningServices/workspaces/deploy.bicep b/modules/Microsoft.MachineLearningServices/workspaces/deploy.bicep index c3c63ac945..8c9f8846d1 100644 --- a/modules/Microsoft.MachineLearningServices/workspaces/deploy.bicep +++ b/modules/Microsoft.MachineLearningServices/workspaces/deploy.bicep 
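Review bot: The allowed values for the vaults module change from `'enabled'`/`'disabled'` to `'Enabled'`/`'Disabled'`, so any existing caller passing the lowercase spelling will now be rejected by `@allowed` validation at deployment time, regardless of whether the Key Vault API itself is case-insensitive. This is a breaking change for consumers of the module and should be called out in the readme or changelog alongside the new `''` default. If backward compatibility matters, keeping the lowercase values in the allowed list and normalising them in the resource expression is an option.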
@@ -131,12 +131,13 @@ param imageBuildCompute string = '' @sys.description('Conditional. The user assigned identity resource id that represents the workspace identity. Required if \'userAssignedIdentities\' is not empty and may not be used if \'systemAssignedIdentity\' is enabled.') param primaryUserAssignedIdentity string = '' -@sys.description('Optional. Whether requests from Public Network are allowed.') +@sys.description('Optional. Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set.') @allowed([ + '' 'Enabled' 'Disabled' ]) -param publicNetworkAccess string = 'Disabled' +param publicNetworkAccess string = '' // ================// // Variables // diff --git a/modules/Microsoft.Storage/storageAccounts/deploy.bicep b/modules/Microsoft.Storage/storageAccounts/deploy.bicep index 3cc2c27179..0f97438816 100644 --- a/modules/Microsoft.Storage/storageAccounts/deploy.bicep +++ b/modules/Microsoft.Storage/storageAccounts/deploy.bicep @@ -119,13 +119,13 @@ param enableDefaultTelemetry bool = true @description('Generated. Do not provide a value! This date value is used to generate a SAS token to access the modules.') param basetime string = utcNow('u') +@description('Optional. Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set.') @allowed([ + '' 'Enabled' 'Disabled' ]) - -@description('Optional. Enable or disallow public network access to Storage Account..') -param publicNetworkAccess string = 'Enabled' +param publicNetworkAccess string = '' @description('Optional. Allows HTTPS traffic only to storage service if sets to true.') param supportsHttpsTrafficOnly bool = true From 3f71050a8e4c82bf815af1f3164a8c71194e9fd7 Mon Sep 17 00:00:00 2001 
From: Erika Gressi Date: Sun, 10 Jul 2022 19:54:14 +0200 Subject: [PATCH 02/11] publicNetworkAccess resource --- .../Microsoft.AppConfiguration/configurationStores/deploy.bicep | 2 +- modules/Microsoft.Batch/batchAccounts/deploy.bicep | 2 +- modules/Microsoft.Compute/disks/deploy.bicep | 2 +- modules/Microsoft.ContainerRegistry/registries/deploy.bicep | 2 +- modules/Microsoft.EventGrid/topics/deploy.bicep | 2 +- .../Microsoft.EventHub/namespaces/networkRuleSets/deploy.bicep | 2 +- modules/Microsoft.KeyVault/vaults/deploy.bicep | 2 +- .../Microsoft.MachineLearningServices/workspaces/deploy.bicep | 2 +- modules/Microsoft.Storage/storageAccounts/deploy.bicep | 2 +- 9 files changed, 9 insertions(+), 9 deletions(-) diff --git a/modules/Microsoft.AppConfiguration/configurationStores/deploy.bicep b/modules/Microsoft.AppConfiguration/configurationStores/deploy.bicep index d5ac3dcbfc..64af32f508 100644 --- a/modules/Microsoft.AppConfiguration/configurationStores/deploy.bicep +++ b/modules/Microsoft.AppConfiguration/configurationStores/deploy.bicep @@ -156,7 +156,7 @@ resource configurationStore 'Microsoft.AppConfiguration/configurationStores@2021 createMode: createMode disableLocalAuth: disableLocalAuth enablePurgeProtection: sku == 'Free' ? false : enablePurgeProtection - publicNetworkAccess: publicNetworkAccess + publicNetworkAccess: !empty(publicNetworkAccess) ? any(publicNetworkAccess) : (!empty(privateEndpoints) ? 'Disabled' : null) softDeleteRetentionInDays: sku == 'Free' ? 0 : softDeleteRetentionInDays } } diff --git a/modules/Microsoft.Batch/batchAccounts/deploy.bicep b/modules/Microsoft.Batch/batchAccounts/deploy.bicep index 11a5f81a58..f4eb236dbe 100644 --- a/modules/Microsoft.Batch/batchAccounts/deploy.bicep +++ b/modules/Microsoft.Batch/batchAccounts/deploy.bicep 
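Review bot: The fallback `!empty(publicNetworkAccess) ? any(publicNetworkAccess) : (!empty(privateEndpoints) ? 'Disabled' : null)` is repeated verbatim in all nine resource hunks of this patch and encodes a security-relevant decision inline, where a reader of the parameter block will not see it. Following the project's existing `*_var` convention (cf. `networkAcls_var` in the vaults module), hoisting it next to the parameter as `var publicNetworkAccess_var = !empty(publicNetworkAccess) ? any(publicNetworkAccess) : (!empty(privateEndpoints) ? 'Disabled' : null)` with the comment `// '' -> 'Disabled' when private endpoints are deployed, otherwise null (provider default)` makes the effective behaviour reviewable in one place. Note that the `null` branch means the module no longer asserts any value when neither the parameter nor private endpoints are given; that is worth stating in the parameter description. The `any()` cast also deserves a short why-comment, since it hides the type mismatch between the `''`-bearing parameter and the resource property.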
@@ -190,7 +190,7 @@ resource batchAccount 'Microsoft.Batch/batchAccounts@2022-01-01' = { url: keyVaultReferenceKeyVault.properties.vaultUri } : null poolAllocationMode: poolAllocationMode - publicNetworkAccess: publicNetworkAccess + publicNetworkAccess: !empty(publicNetworkAccess) ? any(publicNetworkAccess) : (!empty(privateEndpoints) ? 'Disabled' : null) } } diff --git a/modules/Microsoft.Compute/disks/deploy.bicep b/modules/Microsoft.Compute/disks/deploy.bicep index debb39149a..64e0ee9065 100644 --- a/modules/Microsoft.Compute/disks/deploy.bicep +++ b/modules/Microsoft.Compute/disks/deploy.bicep @@ -161,7 +161,7 @@ resource disk 'Microsoft.Compute/disks@2021-08-01' = { maxShares: maxShares networkAccessPolicy: networkAccessPolicy osType: empty(osType) ? any(null) : osType - publicNetworkAccess: publicNetworkAccess + publicNetworkAccess: !empty(publicNetworkAccess) ? any(publicNetworkAccess) : (!empty(privateEndpoints) ? 'Disabled' : null) supportedCapabilities: empty(osType) ? {} : { acceleratedNetwork: acceleratedNetwork } diff --git a/modules/Microsoft.ContainerRegistry/registries/deploy.bicep b/modules/Microsoft.ContainerRegistry/registries/deploy.bicep index 487b919d79..3dec090c19 100644 --- a/modules/Microsoft.ContainerRegistry/registries/deploy.bicep +++ b/modules/Microsoft.ContainerRegistry/registries/deploy.bicep @@ -245,7 +245,7 @@ resource registry 'Microsoft.ContainerRegistry/registries@2021-09-01' = { } : null } dataEndpointEnabled: dataEndpointEnabled - publicNetworkAccess: publicNetworkAccess + publicNetworkAccess: !empty(publicNetworkAccess) ? any(publicNetworkAccess) : (!empty(privateEndpoints) ? 'Disabled' : null) networkRuleBypassOptions: networkRuleBypassOptions networkRuleSet: !empty(networkRuleSetIpRules) ? { defaultAction: networkRuleSetDefaultAction diff --git a/modules/Microsoft.EventGrid/topics/deploy.bicep b/modules/Microsoft.EventGrid/topics/deploy.bicep index 164b9c2655..6472a79da0 100644 
--- a/modules/Microsoft.EventGrid/topics/deploy.bicep +++ b/modules/Microsoft.EventGrid/topics/deploy.bicep @@ -111,7 +111,7 @@ resource topic 'Microsoft.EventGrid/topics@2020-06-01' = { location: location tags: tags properties: { - publicNetworkAccess: publicNetworkAccess + publicNetworkAccess: !empty(publicNetworkAccess) ? any(publicNetworkAccess) : (!empty(privateEndpoints) ? 'Disabled' : null) inboundIpRules: (empty(inboundIpRules) ? null : inboundIpRules) } } diff --git a/modules/Microsoft.EventHub/namespaces/networkRuleSets/deploy.bicep b/modules/Microsoft.EventHub/namespaces/networkRuleSets/deploy.bicep index 4e613d55f4..6942e9807a 100644 --- a/modules/Microsoft.EventHub/namespaces/networkRuleSets/deploy.bicep +++ b/modules/Microsoft.EventHub/namespaces/networkRuleSets/deploy.bicep @@ -52,7 +52,7 @@ resource networkRuleSet 'Microsoft.EventHub/namespaces/networkRuleSets@2021-11-0 name: 'default' parent: namespace properties: { - publicNetworkAccess: !empty(ipRules) || !empty(virtualNetworkRules) ? null : publicNetworkAccess + publicNetworkAccess: !empty(publicNetworkAccess) ? any(publicNetworkAccess) : (!empty(privateEndpoints) ? 'Disabled' : null) defaultAction: !empty(ipRules) || !empty(virtualNetworkRules) ? 'Deny' : defaultAction trustedServiceAccessEnabled: trustedServiceAccessEnabled ipRules: publicNetworkAccess == 'Disabled' ? null : ipRules diff --git a/modules/Microsoft.KeyVault/vaults/deploy.bicep b/modules/Microsoft.KeyVault/vaults/deploy.bicep index b291dbac93..b96a4bd8d8 100644 --- a/modules/Microsoft.KeyVault/vaults/deploy.bicep +++ b/modules/Microsoft.KeyVault/vaults/deploy.bicep @@ -213,7 +213,7 @@ resource keyVault 'Microsoft.KeyVault/vaults@2021-11-01-preview' = { family: 'A' } networkAcls: !empty(networkAcls) ? networkAcls_var : null - publicNetworkAccess: publicNetworkAccess + publicNetworkAccess: !empty(publicNetworkAccess) ? any(publicNetworkAccess) : (!empty(privateEndpoints) ? 'Disabled' : null) } } 
diff --git a/modules/Microsoft.MachineLearningServices/workspaces/deploy.bicep b/modules/Microsoft.MachineLearningServices/workspaces/deploy.bicep index 8c9f8846d1..9e7702072c 100644 --- a/modules/Microsoft.MachineLearningServices/workspaces/deploy.bicep +++ b/modules/Microsoft.MachineLearningServices/workspaces/deploy.bicep @@ -221,7 +221,7 @@ resource workspace 'Microsoft.MachineLearningServices/workspaces@2021-07-01' = { } : null imageBuildCompute: imageBuildCompute primaryUserAssignedIdentity: primaryUserAssignedIdentity - publicNetworkAccess: publicNetworkAccess + publicNetworkAccess: !empty(publicNetworkAccess) ? any(publicNetworkAccess) : (!empty(privateEndpoints) ? 'Disabled' : null) } } diff --git a/modules/Microsoft.Storage/storageAccounts/deploy.bicep b/modules/Microsoft.Storage/storageAccounts/deploy.bicep index 0f97438816..8739cd0152 100644 --- a/modules/Microsoft.Storage/storageAccounts/deploy.bicep +++ b/modules/Microsoft.Storage/storageAccounts/deploy.bicep @@ -242,7 +242,7 @@ resource storageAccount 'Microsoft.Storage/storageAccounts@2021-08-01' = { ipRules: (!empty(networkAcls) && contains(networkAcls, 'ipRules')) ? networkAcls.ipRules : [] } : null allowBlobPublicAccess: allowBlobPublicAccess - publicNetworkAccess: publicNetworkAccess + publicNetworkAccess: !empty(publicNetworkAccess) ? any(publicNetworkAccess) : (!empty(privateEndpoints) ? 'Disabled' : null) azureFilesIdentityBasedAuthentication: !empty(azureFilesIdentityBasedAuthentication) ? azureFilesIdentityBasedAuthentication : null } } From 6f581170ac48dac29a0ca0e3787977e53a4124aa Mon Sep 17 00:00:00 2001 
From: Erika Gressi Date: Sun, 10 Jul 2022 20:06:06 +0200 Subject: [PATCH 03/11] update eventhub --- .../configurationStores/readme.md | 2 +- modules/Microsoft.Batch/batchAccounts/readme.md | 2 +- modules/Microsoft.EventHub/namespaces/deploy.bicep | 2 +- .../namespaces/networkRuleSets/deploy.bicep | 7 +++---- .../namespaces/networkRuleSets/deploy.bicep | 2 +- 5 files changed, 7 insertions(+), 8 deletions(-) diff --git a/modules/Microsoft.AppConfiguration/configurationStores/readme.md b/modules/Microsoft.AppConfiguration/configurationStores/readme.md index 3a36c165c4..42e1502cd5 100644 --- a/modules/Microsoft.AppConfiguration/configurationStores/readme.md +++ b/modules/Microsoft.AppConfiguration/configurationStores/readme.md 
@@ -48,7 +48,7 @@ This module deploys an App Configuration Store. | `location` | string | `[resourceGroup().location]` | | Location for all Resources. | | `lock` | string | `''` | `[, CanNotDelete, ReadOnly]` | Specify the type of lock. | | `privateEndpoints` | array | `[]` | | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | -| `publicNetworkAccess` | string | `'Enabled'` | `[Disabled, Enabled]` | Control permission for data plane traffic coming from public networks while private endpoint is enabled. | +| `publicNetworkAccess` | string | `''` | `[, Enabled, Disabled]` | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. | | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | `softDeleteRetentionInDays` | int | `1` | | The amount of time in days that the configuration store will be retained when it is soft deleted. | | `systemAssignedIdentity` | bool | `False` | | Enables system assigned managed identity on the resource. | diff --git a/modules/Microsoft.Batch/batchAccounts/readme.md b/modules/Microsoft.Batch/batchAccounts/readme.md index 3c85c2f26b..e83ea9b824 100644 --- a/modules/Microsoft.Batch/batchAccounts/readme.md +++ b/modules/Microsoft.Batch/batchAccounts/readme.md 
@@ -51,7 +51,7 @@ | `lock` | string | `''` | `[, CanNotDelete, ReadOnly]` | Specify the type of lock. | | `poolAllocationMode` | string | `'BatchService'` | `[BatchService, UserSubscription]` | The allocation mode for creating pools in the Batch account. Determines which quota will be used. | | `privateEndpoints` | array | `[]` | | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | -| `publicNetworkAccess` | string | `'Enabled'` | `[Disabled, Enabled]` | The network access type for operating on the resources in the Batch account. | +| `publicNetworkAccess` | string | `''` | `[, Enabled, Disabled]` | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. | | `storageAccessIdentity` | string | `''` | | The reference to a user assigned identity associated with the Batch pool which a compute node will use. | | `storageAuthenticationMode` | string | `'StorageKeys'` | `[BatchAccountManagedIdentity, StorageKeys]` | The authentication mode which the Batch service will use to manage the auto-storage account. | | `systemAssignedIdentity` | bool | `False` | | Enables system assigned managed identity on the resource. | diff --git a/modules/Microsoft.EventHub/namespaces/deploy.bicep b/modules/Microsoft.EventHub/namespaces/deploy.bicep index 842f8b7ee1..a17fe111bc 100644 --- a/modules/Microsoft.EventHub/namespaces/deploy.bicep +++ b/modules/Microsoft.EventHub/namespaces/deploy.bicep 
@@ -268,7 +268,7 @@ module eventHubNamespace_networkRuleSet 'networkRuleSets/deploy.bicep' = if (!em name: '${uniqueString(deployment().name, location)}-EvhbNamespace-NetworkRuleSet' params: { namespaceName: eventHubNamespace.name - publicNetworkAccess: contains(networkRuleSets, 'publicNetworkAccess') ? networkRuleSets.publicNetworkAccess : 'Enabled' + publicNetworkAccess: contains(networkRuleSets, 'publicNetworkAccess') ? networkRuleSets.publicNetworkAccess : (!empty(privateEndpoints) ? 'Disabled' : null) defaultAction: contains(networkRuleSets, 'defaultAction') ? networkRuleSets.defaultAction : 'Allow' trustedServiceAccessEnabled: contains(networkRuleSets, 'trustedServiceAccessEnabled') ? networkRuleSets.trustedServiceAccessEnabled : true ipRules: contains(networkRuleSets, 'ipRules') ? networkRuleSets.ipRules : [] diff --git a/modules/Microsoft.EventHub/namespaces/networkRuleSets/deploy.bicep b/modules/Microsoft.EventHub/namespaces/networkRuleSets/deploy.bicep index 6942e9807a..4cbe8e7851 100644 --- a/modules/Microsoft.EventHub/namespaces/networkRuleSets/deploy.bicep +++ b/modules/Microsoft.EventHub/namespaces/networkRuleSets/deploy.bicep @@ -1,13 +1,12 @@ @description('Conditional. The name of the parent event hub namespace. Required if the template is used in a standalone deployment.') param namespaceName string -@description('Optional. Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set.') +@description('Optional. Whether or not public network access is allowed for this resource. For security reasons it should be disabled.') @allowed([ - '' 'Enabled' 'Disabled' ]) -param publicNetworkAccess string = '' +param publicNetworkAccess string @allowed([ 'Allow' 
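Review bot: The parent now passes `null` into the child module's `publicNetworkAccess` parameter when neither `networkRuleSets.publicNetworkAccess` nor private endpoints are given, but after the revert in PATCH 04 the child declares `param publicNetworkAccess string = 'Enabled'` with `@allowed` restricted to `'Enabled'`/`'Disabled'`. Whether a `null` argument is treated as "not supplied" (so the default applies) or fails allowed-value validation depends on the Bicep/ARM version in use and should be verified with a test deployment. Making the fallback explicit, `publicNetworkAccess: contains(networkRuleSets, 'publicNetworkAccess') ? networkRuleSets.publicNetworkAccess : (!empty(privateEndpoints) ? 'Disabled' : 'Enabled')`, avoids the question and preserves the previous behaviour when no private endpoints are configured. The enclosing `module` block starts before this hunk.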
@@ -52,7 +51,7 @@ resource networkRuleSet 'Microsoft.EventHub/namespaces/networkRuleSets@2021-11-0 name: 'default' parent: namespace properties: { - publicNetworkAccess: !empty(publicNetworkAccess) ? any(publicNetworkAccess) : (!empty(privateEndpoints) ? 'Disabled' : null) + publicNetworkAccess: publicNetworkAccess defaultAction: !empty(ipRules) || !empty(virtualNetworkRules) ? 'Deny' : defaultAction trustedServiceAccessEnabled: trustedServiceAccessEnabled ipRules: publicNetworkAccess == 'Disabled' ? null : ipRules diff --git a/modules/Microsoft.ServiceBus/namespaces/networkRuleSets/deploy.bicep b/modules/Microsoft.ServiceBus/namespaces/networkRuleSets/deploy.bicep index 9c85ef10c5..7ce50929ac 100644 --- a/modules/Microsoft.ServiceBus/namespaces/networkRuleSets/deploy.bicep +++ b/modules/Microsoft.ServiceBus/namespaces/networkRuleSets/deploy.bicep @@ -12,7 +12,7 @@ param enableDefaultTelemetry bool = true @description('Required. Configure default action in virtual network rule set.') param defaultAction string -@description('Required. Configure Publice Network Access restrictions in virtual network rule set.') +@description('Required. Configure Public Network Access restrictions in virtual network rule set.') param publicNetworkAccess string @description('Required. Configure Trusted Services in virtual network rule set.') From 381faaf30cf9d49eb78a358db4f95edc10c92ba0 Mon Sep 17 00:00:00 2001 From: Erika Gressi Date: Sun, 10 Jul 2022 20:08:16 +0200 Subject: [PATCH 04/11] revert eventhub --- .../namespaces/networkRuleSets/deploy.bicep | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/modules/Microsoft.EventHub/namespaces/networkRuleSets/deploy.bicep b/modules/Microsoft.EventHub/namespaces/networkRuleSets/deploy.bicep index 4cbe8e7851..6c73af97bc 100644 --- a/modules/Microsoft.EventHub/namespaces/networkRuleSets/deploy.bicep +++ b/modules/Microsoft.EventHub/namespaces/networkRuleSets/deploy.bicep 
@@ -1,12 +1,12 @@ @description('Conditional. The name of the parent event hub namespace. Required if the template is used in a standalone deployment.') param namespaceName string -@description('Optional. Whether or not public network access is allowed for this resource. For security reasons it should be disabled.') @allowed([ 'Enabled' 'Disabled' ]) -param publicNetworkAccess string +@description('Optional. This determines if traffic is allowed over public network. Default it is "Enabled". If set to "Disabled", traffic to this namespace will be restricted over Private Endpoints only.') +param publicNetworkAccess string = 'Enabled' @allowed([ 'Allow' @@ -51,7 +51,7 @@ resource networkRuleSet 'Microsoft.EventHub/namespaces/networkRuleSets@2021-11-0 name: 'default' parent: namespace properties: { - publicNetworkAccess: publicNetworkAccess + publicNetworkAccess: !empty(ipRules) || !empty(virtualNetworkRules) ? null : publicNetworkAccess defaultAction: !empty(ipRules) || !empty(virtualNetworkRules) ? 'Deny' : defaultAction trustedServiceAccessEnabled: trustedServiceAccessEnabled ipRules: publicNetworkAccess == 'Disabled' ? null : ipRules From e60d78c2814521792959d5cc04de604e5531be24 Mon Sep 17 00:00:00 2001 From: Erika Gressi Date: Sun, 10 Jul 2022 21:45:26 +0200 Subject: [PATCH 05/11] disk pe --- modules/Microsoft.Compute/disks/deploy.bicep | 25 ++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/modules/Microsoft.Compute/disks/deploy.bicep b/modules/Microsoft.Compute/disks/deploy.bicep index 64e0ee9065..94198a5652 100644 --- a/modules/Microsoft.Compute/disks/deploy.bicep +++ b/modules/Microsoft.Compute/disks/deploy.bicep 
@@ -100,6 +100,9 @@ param osType string = '' ]) param publicNetworkAccess string = '' +@description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.') +param privateEndpoints array = [] + @description('Optional. True if the image from which the OS disk is created supports accelerated networking.') param acceleratedNetwork bool = false @@ -120,6 +123,8 @@ param tags object = {} @description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).') param enableDefaultTelemetry bool = true +var enableReferencedModulesTelemetry = false + resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' properties: { 
@@ -168,6 +173,26 @@ resource disk 'Microsoft.Compute/disks@2021-08-01' = { } } +module disk_privateEndpoints '../../Microsoft.Network/privateEndpoints/deploy.bicep' = [for (privateEndpoint, index) in privateEndpoints: { + name: '${uniqueString(deployment().name, location)}-ContainerRegistry-PrivateEndpoint-${index}' + params: { + groupIds: [ + privateEndpoint.service + ] + name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(disk.id, '/'))}-${privateEndpoint.service}-${index}' + serviceResourceId: disk.id + subnetResourceId: privateEndpoint.subnetResourceId + enableDefaultTelemetry: enableReferencedModulesTelemetry + location: reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location + lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : lock + privateDnsZoneGroups: contains(privateEndpoint, 'privateDnsZoneGroups') ? privateEndpoint.privateDnsZoneGroups : [] + roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : [] + tags: contains(privateEndpoint, 'tags') ? privateEndpoint.tags : {} + manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : [] + customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : [] + } +}] + resource disk_lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty(lock)) { name: '${disk.name}-${lock}-lock' properties: { From 749a2bbbc1b6bfc46050721e7bb3d96e1cf2c00e Mon Sep 17 00:00:00 2001 
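Review bot: The private endpoint deployment name in this hunk is `'${uniqueString(deployment().name, location)}-ContainerRegistry-PrivateEndpoint-${index}'`, carried over from the registries module; for this module it should read `'${uniqueString(deployment().name, location)}-Disk-PrivateEndpoint-${index}'` so deployment history is attributable to the disks module. Separately, the endpoint targets `disk.id` via `serviceResourceId`; as far as I know, Private Link for managed disks is exposed through a `Microsoft.Compute/diskAccesses` resource rather than the disk itself, so the target resource and the `privateEndpoint.service` group id should be confirmed with a real deployment before this is merged. The new `privateEndpoints` parameter description (previous hunk) would also benefit from naming the `service` value(s) this resource accepts, as the other modules' readmes do.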
From: Erika Gressi Date: Mon, 11 Jul 2022 13:00:59 +0200 Subject: [PATCH 06/11] readme update --- modules/Microsoft.Compute/disks/readme.md | 82 ++++++++++++++++++- .../registries/readme.md | 2 +- .../Microsoft.DataFactory/factories/readme.md | 2 +- modules/Microsoft.EventGrid/topics/readme.md | 2 +- modules/Microsoft.KeyVault/vaults/readme.md | 2 +- .../workspaces/readme.md | 2 +- .../namespaces/networkRuleSets/readme.md | 2 +- .../storageAccounts/readme.md | 2 +- 8 files changed, 88 insertions(+), 8 deletions(-) diff --git a/modules/Microsoft.Compute/disks/readme.md b/modules/Microsoft.Compute/disks/readme.md index 06951fb6aa..536102cf6d 100644 --- a/modules/Microsoft.Compute/disks/readme.md +++ b/modules/Microsoft.Compute/disks/readme.md @@ -16,6 +16,8 @@ This template deploys a disk | `Microsoft.Authorization/locks` | [2017-04-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2017-04-01/locks) | | `Microsoft.Authorization/roleAssignments` | [2020-10-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-10-01-preview/roleAssignments) | | `Microsoft.Compute/disks` | [2021-08-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Compute/2021-08-01/disks) | +| `Microsoft.Network/privateEndpoints` | [2021-05-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-05-01/privateEndpoints) | +| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2021-05-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-05-01/privateEndpoints/privateDnsZoneGroups) | ## Parameters 
@@ -44,7 +46,8 @@ This template deploys a disk
 | `maxShares` | int | `1` | | The maximum number of VMs that can attach to the disk at the same time. Default value is 0. |
 | `networkAccessPolicy` | string | `'DenyAll'` | `[AllowAll, AllowPrivate, DenyAll]` | Policy for accessing the disk via network. |
 | `osType` | string | `''` | `[Windows, Linux, ]` | Sources of a disk creation. |
-| `publicNetworkAccess` | string | `'Disabled'` | `[Disabled, Enabled]` | Policy for controlling export on the disk. |
+| `privateEndpoints` | array | `[]` | | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. |
+| `publicNetworkAccess` | string | `''` | `[, Enabled, Disabled]` | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. |
 | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
 | `securityDataUri` | string | `''` | | If create option is ImportSecure, this is the URI of a blob to be imported into VM guest state. |
 | `sourceResourceId` | string | `''` | | If create option is Copy, this is the ARM id of the source snapshot or disk. |
@@ -154,6 +157,83 @@ tags: {

+### Parameter Usage: `privateEndpoints`
+
+To use Private Endpoint the following dependencies must be deployed:
+
+- Destination subnet must be created with the following configuration option - `"privateEndpointNetworkPolicies": "Disabled"`. Setting this option acknowledges that NSG rules are not applied to Private Endpoints (this capability is coming soon). A full example is available in the Virtual Network Module.
+- Although not strictly required, it is highly recommended to first create a private DNS Zone to host Private Endpoint DNS records. See [Azure Private Endpoint DNS configuration](https://docs.microsoft.com/en-us/azure/private-link/private-endpoint-dns) for more information.
+
+

+
+Parameter JSON format
+
+```json
+"privateEndpoints": {
+ "value": [
+ // Example showing all available fields
+ {
+ "name": "sxx-az-pe", // Optional: Name will be automatically generated if one is not provided here
+ "subnetResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001",
+ "service": "<>", // e.g. vault, registry, file, blob, queue, table etc.
+ "privateDnsZoneResourceIds": [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified
+ "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/privatelink.blob.core.windows.net"
+ ],
+ "customDnsConfigs": [ // Optional
+ {
+ "fqdn": "customname.test.local",
+ "ipAddresses": [
+ "10.10.10.10"
+ ]
+ }
+ ]
+ },
+ // Example showing only mandatory fields
+ {
+ "subnetResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001",
+ "service": "<>" // e.g. vault, registry, file, blob, queue, table etc.
+ }
+ ]
+}
+```
+
+
+
+
+
+Bicep format
+
+```bicep
+privateEndpoints: [
+ // Example showing all available fields
+ {
+ name: 'sxx-az-pe' // Optional: Name will be automatically generated if one is not provided here
+ subnetResourceId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001'
+ service: '<>' // e.g. vault registry file blob queue table etc.
+ privateDnsZoneResourceIds: [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified
+ '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/privatelink.blob.core.windows.net'
+ ]
+ // Optional
+ customDnsConfigs: [
+ {
+ fqdn: 'customname.test.local'
+ ipAddresses: [
+ '10.10.10.10'
+ ]
+ }
+ ]
+ }
+ // Example showing only mandatory fields
+ {
+ subnetResourceId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001'
+ service: '<>' // e.g. vault registry file blob queue table etc.
+ }
+]
+```
+
+
+

+
 ## Outputs
 | Output Name | Type | Description |
diff --git a/modules/Microsoft.ContainerRegistry/registries/readme.md b/modules/Microsoft.ContainerRegistry/registries/readme.md
index 4b97f63697..4c0037875c 100644
--- a/modules/Microsoft.ContainerRegistry/registries/readme.md
+++ b/modules/Microsoft.ContainerRegistry/registries/readme.md
@@ -59,7 +59,7 @@ Azure Container Registry is a managed, private Docker registry service based on
 | `networkRuleSetDefaultAction` | string | `'Deny'` | `[Allow, Deny]` | The default action of allow or deny when no other rules match. |
 | `networkRuleSetIpRules` | array | `[]` | | The IP ACL rules. |
 | `privateEndpoints` | array | `[]` | | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. |
-| `publicNetworkAccess` | string | `'Enabled'` | `[Disabled, Enabled]` | Whether or not public network access is allowed for the container registry. - Enabled or Disabled. |
+| `publicNetworkAccess` | string | `''` | `[, Enabled, Disabled]` | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. |
 | `quarantinePolicyStatus` | string | `'disabled'` | `[disabled, enabled]` | The value that indicates whether the quarantine policy is enabled or not. |
 | `replications` | _[replications](replications/readme.md)_ array | `[]` | | All replications to create. |
 | `retentionPolicyDays` | int | `15` | | The number of days to retain an untagged manifest after which it gets purged. |
diff --git a/modules/Microsoft.DataFactory/factories/readme.md b/modules/Microsoft.DataFactory/factories/readme.md
index 16527bdac5..f66b2ccab7 100644
--- a/modules/Microsoft.DataFactory/factories/readme.md
+++ b/modules/Microsoft.DataFactory/factories/readme.md
@@ -53,7 +53,7 @@
 | `lock` | string | `''` | `[, CanNotDelete, ReadOnly]` | Specify the type of lock. |
 | `managedVirtualNetworkName` | string | `''` | | The name of the Managed Virtual Network. |
 | `privateEndpoints` | array | `[]` | | Configuration Details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. |
-| `publicNetworkAccess` | string | `'Disabled'` | `[Enabled, Disabled]` | Whether or not public network access is allowed for this resource. |
+| `publicNetworkAccess` | string | `''` | `[, Enabled, Disabled]` | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. |
 | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
 | `systemAssignedIdentity` | bool | `False` | | Enables system assigned managed identity on the resource. |
 | `tags` | object | `{object}` | | Tags of the resource. |
diff --git a/modules/Microsoft.EventGrid/topics/readme.md b/modules/Microsoft.EventGrid/topics/readme.md
index 23e643ef60..c97ac5d2b6 100644
--- a/modules/Microsoft.EventGrid/topics/readme.md
+++ b/modules/Microsoft.EventGrid/topics/readme.md
@@ -43,7 +43,7 @@ This module deploys an event grid topic.
 | `location` | string | `[resourceGroup().location]` | | Location for all Resources. |
 | `lock` | string | `''` | `[, CanNotDelete, ReadOnly]` | Specify the type of lock. |
 | `privateEndpoints` | array | `[]` | | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. |
-| `publicNetworkAccess` | string | `'Enabled'` | | Determines if traffic is allowed over public network. |
+| `publicNetworkAccess` | string | `''` | `[, Enabled, Disabled]` | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. |
 | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
 | `tags` | object | `{object}` | | Tags of the resource. |
diff --git a/modules/Microsoft.KeyVault/vaults/readme.md b/modules/Microsoft.KeyVault/vaults/readme.md
index 0a0677d84a..e39cf1e141 100644
--- a/modules/Microsoft.KeyVault/vaults/readme.md
+++ b/modules/Microsoft.KeyVault/vaults/readme.md
@@ -51,7 +51,7 @@ This module deploys a key vault and its child resources.
 | `name` | string | `''` | | Name of the Key Vault. If no name is provided, then unique name will be created. |
 | `networkAcls` | object | `{object}` | | Service endpoint object information. For security reasons, it is recommended to set the DefaultAction Deny. |
 | `privateEndpoints` | array | `[]` | | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. |
-| `publicNetworkAccess` | string | `'enabled'` | `[enabled, disabled]` | Property to specify whether the vault will accept traffic from public internet. If set to "disabled" all traffic except private endpoint traffic and that that originates from trusted services will be blocked. This will override the set firewall rules, meaning that even if the firewall rules are present we will not honor the rules. |
+| `publicNetworkAccess` | string | `''` | `[, Enabled, Disabled]` | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. |
 | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
 | `secrets` | secureObject | `{object}` | | All secrets to create. |
 | `softDeleteRetentionInDays` | int | `90` | | softDelete data retention days. It accepts >=7 and <=90. |
diff --git a/modules/Microsoft.MachineLearningServices/workspaces/readme.md b/modules/Microsoft.MachineLearningServices/workspaces/readme.md
index 80c6dc976e..461e37e5c2 100644
--- a/modules/Microsoft.MachineLearningServices/workspaces/readme.md
+++ b/modules/Microsoft.MachineLearningServices/workspaces/readme.md
@@ -65,7 +65,7 @@ This module deploys a Machine Learning Services Workspace.
 | `location` | string | `[resourceGroup().location]` | | Location for all resources. |
 | `lock` | string | `''` | `[, CanNotDelete, ReadOnly]` | Specify the type of lock. |
 | `privateEndpoints` | array | `[]` | | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. |
-| `publicNetworkAccess` | string | `'Disabled'` | `[Enabled, Disabled]` | Whether requests from Public Network are allowed. |
+| `publicNetworkAccess` | string | `''` | `[, Enabled, Disabled]` | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. |
 | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
 | `tags` | object | `{object}` | | Resource tags. |
diff --git a/modules/Microsoft.ServiceBus/namespaces/networkRuleSets/readme.md b/modules/Microsoft.ServiceBus/namespaces/networkRuleSets/readme.md
index 9c670d3871..5c67e41d5a 100644
--- a/modules/Microsoft.ServiceBus/namespaces/networkRuleSets/readme.md
+++ b/modules/Microsoft.ServiceBus/namespaces/networkRuleSets/readme.md
@@ -21,7 +21,7 @@ This module deploys ServiceBus Namespaces NetworkRuleSets.
 | :-- | :-- | :-- | :-- |
 | `defaultAction` | string | | Configure default action in virtual network rule set. |
 | `name` | string | `'default'` | The default is the only valid ruleset. |
-| `publicNetworkAccess` | string | | Configure Publice Network Access restrictions in virtual network rule set. |
+| `publicNetworkAccess` | string | | Configure Public Network Access restrictions in virtual network rule set. |
 | `trustedServiceAccessEnabled` | bool | | Configure Trusted Services in virtual network rule set. |
 
 **Conditional parameters**
diff --git a/modules/Microsoft.Storage/storageAccounts/readme.md b/modules/Microsoft.Storage/storageAccounts/readme.md
index 14ed811f7f..02f1589e02 100644
--- a/modules/Microsoft.Storage/storageAccounts/readme.md
+++ b/modules/Microsoft.Storage/storageAccounts/readme.md
@@ -64,7 +64,7 @@ This module is used to deploy a storage account, with the ability to deploy 1 or
 | `name` | string | `''` | | Name of the Storage Account. Autogenerated with a unique string if not provided. |
 | `networkAcls` | object | `{object}` | | Networks ACLs, this value contains IPs to whitelist and/or Subnet information. For security reasons, it is recommended to set the DefaultAction Deny. |
 | `privateEndpoints` | array | `[]` | | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. |
-| `publicNetworkAccess` | string | `'Enabled'` | `[Enabled, Disabled]` | Enable or disallow public network access to Storage Account.. |
+| `publicNetworkAccess` | string | `''` | `[, Enabled, Disabled]` | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. |
 | `queueServices` | _[queueServices](queueServices/readme.md)_ object | `{object}` | | Queue service and queues to create. |
 | `requireInfrastructureEncryption` | bool | `True` | | A Boolean indicating whether or not the service applies a secondary layer of encryption with platform managed keys for data at rest. For security reasons, it is recommended to set it to true. |
 | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
From 207454dfe255a9f1b102ad061c60d041e852b572 Mon Sep 17 00:00:00 2001
From: Erika Gressi
Date: Mon, 11 Jul 2022 15:28:26 +0200
Subject: [PATCH 07/11] reverd compute disk implementation
---
 modules/Microsoft.Compute/disks/deploy.bicep | 34 +++-----------------
 1 file changed, 4 insertions(+), 30 deletions(-)
diff --git a/modules/Microsoft.Compute/disks/deploy.bicep b/modules/Microsoft.Compute/disks/deploy.bicep
index 94198a5652..1db051aed9 100644
--- a/modules/Microsoft.Compute/disks/deploy.bicep
+++ b/modules/Microsoft.Compute/disks/deploy.bicep
@@ -92,16 +92,12 @@ param networkAccessPolicy string = 'DenyAll'
 @description('Optional. Sources of a disk creation.')
 param osType string = ''
 
-@description('Optional. Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set.')
 @allowed([
- ''
- 'Enabled'
 'Disabled'
+ 'Enabled'
 ])
-param publicNetworkAccess string = ''
-
-@description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.')
-param privateEndpoints array = []
+@description('Optional. Policy for controlling export on the disk.')
+param publicNetworkAccess string = 'Disabled'
 
 @description('Optional. True if the image from which the OS disk is created supports accelerated networking.')
 param acceleratedNetwork bool = false
@@ -123,8 +119,6 @@ param tags object = {}
 @description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
 param enableDefaultTelemetry bool = true
 
-var enableReferencedModulesTelemetry = false
-
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
 name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
 properties: {
@@ -166,33 +160,13 @@ resource disk 'Microsoft.Compute/disks@2021-08-01' = {
 maxShares: maxShares
 networkAccessPolicy: networkAccessPolicy
 osType: empty(osType) ? any(null) : osType
-publicNetworkAccess: !empty(publicNetworkAccess) ? any(publicNetworkAccess) : (!empty(privateEndpoints) ? 'Disabled' : null)
+publicNetworkAccess: publicNetworkAccess
 supportedCapabilities: empty(osType) ? {} : {
 acceleratedNetwork: acceleratedNetwork
 }
 }
 }
 
-module disk_privateEndpoints '../../Microsoft.Network/privateEndpoints/deploy.bicep' = [for (privateEndpoint, index) in privateEndpoints: {
- name: '${uniqueString(deployment().name, location)}-ContainerRegistry-PrivateEndpoint-${index}'
- params: {
- groupIds: [
- privateEndpoint.service
- ]
- name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(disk.id, '/'))}-${privateEndpoint.service}-${index}'
- serviceResourceId: disk.id
- subnetResourceId: privateEndpoint.subnetResourceId
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- location: reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
- lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : lock
- privateDnsZoneGroups: contains(privateEndpoint, 'privateDnsZoneGroups') ? privateEndpoint.privateDnsZoneGroups : []
- roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : []
- tags: contains(privateEndpoint, 'tags') ? privateEndpoint.tags : {}
- manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : []
- customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : []
- }
-}]
-
 resource disk_lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty(lock)) {
 name: '${disk.name}-${lock}-lock'
 properties: {
From 87788e49537bfc0c8b61fdb4d828a45951292cac Mon Sep 17 00:00:00 2001
From: Erika Gressi
Date: Mon, 11 Jul 2022 15:29:14 +0200
Subject: [PATCH 08/11] reverd compute disk readme
---
 modules/Microsoft.Compute/disks/readme.md | 82 +---------------------
 1 file changed, 1 insertion(+), 81 deletions(-)
diff --git a/modules/Microsoft.Compute/disks/readme.md b/modules/Microsoft.Compute/disks/readme.md
index 536102cf6d..06951fb6aa 100644
--- a/modules/Microsoft.Compute/disks/readme.md
+++ b/modules/Microsoft.Compute/disks/readme.md
@@ -16,8 +16,6 @@ This template deploys a disk
 | `Microsoft.Authorization/locks` | [2017-04-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2017-04-01/locks) |
 | `Microsoft.Authorization/roleAssignments` | [2020-10-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-10-01-preview/roleAssignments) |
 | `Microsoft.Compute/disks` | [2021-08-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Compute/2021-08-01/disks) |
-| `Microsoft.Network/privateEndpoints` | [2021-05-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-05-01/privateEndpoints) |
-| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2021-05-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-05-01/privateEndpoints/privateDnsZoneGroups) |
 
 ## Parameters
 
@@ -46,8 +44,7 @@ This template deploys a disk
 | `maxShares` | int | `1` | | The maximum number of VMs that can attach to the disk at the same time. Default value is 0. |
 | `networkAccessPolicy` | string | `'DenyAll'` | `[AllowAll, AllowPrivate, DenyAll]` | Policy for accessing the disk via network. |
 | `osType` | string | `''` | `[Windows, Linux, ]` | Sources of a disk creation. |
-| `privateEndpoints` | array | `[]` | | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. |
-| `publicNetworkAccess` | string | `''` | `[, Enabled, Disabled]` | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. |
+| `publicNetworkAccess` | string | `'Disabled'` | `[Disabled, Enabled]` | Policy for controlling export on the disk. |
 | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
 | `securityDataUri` | string | `''` | | If create option is ImportSecure, this is the URI of a blob to be imported into VM guest state. |
 | `sourceResourceId` | string | `''` | | If create option is Copy, this is the ARM id of the source snapshot or disk. |
@@ -157,83 +154,6 @@ tags: {

-### Parameter Usage: `privateEndpoints`
-
-To use Private Endpoint the following dependencies must be deployed:
-
-- Destination subnet must be created with the following configuration option - `"privateEndpointNetworkPolicies": "Disabled"`. Setting this option acknowledges that NSG rules are not applied to Private Endpoints (this capability is coming soon). A full example is available in the Virtual Network Module.
-- Although not strictly required, it is highly recommended to first create a private DNS Zone to host Private Endpoint DNS records. See [Azure Private Endpoint DNS configuration](https://docs.microsoft.com/en-us/azure/private-link/private-endpoint-dns) for more information.
-
-

-
-Parameter JSON format
-
-```json
-"privateEndpoints": {
- "value": [
- // Example showing all available fields
- {
- "name": "sxx-az-pe", // Optional: Name will be automatically generated if one is not provided here
- "subnetResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001",
- "service": "<>", // e.g. vault, registry, file, blob, queue, table etc.
- "privateDnsZoneResourceIds": [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified
- "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/privatelink.blob.core.windows.net"
- ],
- "customDnsConfigs": [ // Optional
- {
- "fqdn": "customname.test.local",
- "ipAddresses": [
- "10.10.10.10"
- ]
- }
- ]
- },
- // Example showing only mandatory fields
- {
- "subnetResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001",
- "service": "<>" // e.g. vault, registry, file, blob, queue, table etc.
- }
- ]
-}
-```
-
-
-
-
-
-Bicep format
-
-```bicep
-privateEndpoints: [
- // Example showing all available fields
- {
- name: 'sxx-az-pe' // Optional: Name will be automatically generated if one is not provided here
- subnetResourceId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001'
- service: '<>' // e.g. vault registry file blob queue table etc.
- privateDnsZoneResourceIds: [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified
- '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/privatelink.blob.core.windows.net'
- ]
- // Optional
- customDnsConfigs: [
- {
- fqdn: 'customname.test.local'
- ipAddresses: [
- '10.10.10.10'
- ]
- }
- ]
- }
- // Example showing only mandatory fields
- {
- subnetResourceId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001'
- service: '<>' // e.g. vault registry file blob queue table etc.
- }
-]
-```
-
-
-

-
 ## Outputs
 | Output Name | Type | Description |
From cae5853cadff3d6edfc159346de32e72244c6ac7 Mon Sep 17 00:00:00 2001
From: Erika Gressi
Date: Mon, 11 Jul 2022 17:07:08 +0200
Subject: [PATCH 09/11] reverted eventhub
---
 modules/Microsoft.EventHub/namespaces/deploy.bicep | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/Microsoft.EventHub/namespaces/deploy.bicep b/modules/Microsoft.EventHub/namespaces/deploy.bicep
index a17fe111bc..842f8b7ee1 100644
--- a/modules/Microsoft.EventHub/namespaces/deploy.bicep
+++ b/modules/Microsoft.EventHub/namespaces/deploy.bicep
@@ -268,7 +268,7 @@ module eventHubNamespace_networkRuleSet 'networkRuleSets/deploy.bicep' = if (!em
 name: '${uniqueString(deployment().name, location)}-EvhbNamespace-NetworkRuleSet'
 params: {
 namespaceName: eventHubNamespace.name
-publicNetworkAccess: contains(networkRuleSets, 'publicNetworkAccess') ? networkRuleSets.publicNetworkAccess : (!empty(privateEndpoints) ? 'Disabled' : null)
+publicNetworkAccess: contains(networkRuleSets, 'publicNetworkAccess') ? networkRuleSets.publicNetworkAccess : 'Enabled'
 defaultAction: contains(networkRuleSets, 'defaultAction') ? networkRuleSets.defaultAction : 'Allow'
 trustedServiceAccessEnabled: contains(networkRuleSets, 'trustedServiceAccessEnabled') ? networkRuleSets.trustedServiceAccessEnabled : true
 ipRules: contains(networkRuleSets, 'ipRules') ? networkRuleSets.ipRules : []
From d170cbf9d2815acde0c4e21cc9a40f1597145090 Mon Sep 17 00:00:00 2001
From: Erika Gressi
Date: Tue, 12 Jul 2022 02:39:06 +0200
Subject: [PATCH 10/11] ml no null
---
 .../Microsoft.MachineLearningServices/workspaces/deploy.bicep | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/Microsoft.MachineLearningServices/workspaces/deploy.bicep b/modules/Microsoft.MachineLearningServices/workspaces/deploy.bicep
index 9e7702072c..bef21f22c5 100644
--- a/modules/Microsoft.MachineLearningServices/workspaces/deploy.bicep
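Review bot: The fallback on the new `publicNetworkAccess:` line of the Event Hub `networkRuleSet` hunk is the literal `'Enabled'` even when `privateEndpoints` is non-empty, so a namespace deployed with private endpoints and no explicit `networkRuleSets.publicNetworkAccess` stays reachable from the public network; this diverges from the "disabled by default if private endpoints are set" wording the readmes in this series adopt, and from the Machine Learning workspace hunk in PATCH 10, which keeps that rule and replaces only the `null` branch. If the reason for the revert is only that the child module cannot take `null` (inferred from the PATCH 10 subject), the private-endpoint-aware form still avoids it: `publicNetworkAccess: contains(networkRuleSets, 'publicNetworkAccess') ? networkRuleSets.publicNetworkAccess : (!empty(privateEndpoints) ? 'Disabled' : 'Enabled')`. The `privateEndpoints` parameter read on the removed line is declared outside the hunk, and the module declaration continues outside it.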
+++ b/modules/Microsoft.MachineLearningServices/workspaces/deploy.bicep
@@ -221,7 +221,7 @@ resource workspace 'Microsoft.MachineLearningServices/workspaces@2021-07-01' = {
 } : null
 imageBuildCompute: imageBuildCompute
 primaryUserAssignedIdentity: primaryUserAssignedIdentity
-publicNetworkAccess: !empty(publicNetworkAccess) ? any(publicNetworkAccess) : (!empty(privateEndpoints) ? 'Disabled' : null)
+publicNetworkAccess: !empty(publicNetworkAccess) ? any(publicNetworkAccess) : (!empty(privateEndpoints) ? 'Disabled' : 'Enabled')
 }
 }
From 7fd820e060088d3a84cf807e1cc28d88a935ca34 Mon Sep 17 00:00:00 2001
From: Erika Gressi
Date: Tue, 12 Jul 2022 17:16:30 +0200
Subject: [PATCH 11/11] replace id
---
 .../Microsoft.MachineLearningServices/workspaces/deploy.bicep | 2 +-
 modules/Microsoft.MachineLearningServices/workspaces/readme.md | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/modules/Microsoft.MachineLearningServices/workspaces/deploy.bicep b/modules/Microsoft.MachineLearningServices/workspaces/deploy.bicep
index bef21f22c5..e6190f0f65 100644
--- a/modules/Microsoft.MachineLearningServices/workspaces/deploy.bicep
+++ b/modules/Microsoft.MachineLearningServices/workspaces/deploy.bicep
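Review bot: The new final branch on the `publicNetworkAccess:` line resolves to the literal `'Enabled'` whenever the parameter is left empty and no private endpoints are passed, so a workspace deployed with the module defaults is now explicitly public, whereas the workspace readme hunk in PATCH 06 shows the module's previous default was `'Disabled'`. If the aim is only to stop passing `null` to the resource, `'Disabled'` as the last branch keeps the earlier posture: `publicNetworkAccess: !empty(publicNetworkAccess) ? any(publicNetworkAccess) : 'Disabled'`. If `'Enabled'` is intended, the parameter description and readme should say so, since they currently state only that access "will be disabled by default if private endpoints are set" and leave the no-private-endpoint case undocumented. The `workspace` resource and the `privateEndpoints` parameter this line reads are declared outside the hunk.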
@@ -128,7 +128,7 @@ param cMKUserAssignedIdentityResourceId string = ''
 @sys.description('Optional. The compute name for image build.')
 param imageBuildCompute string = ''
 
-@sys.description('Conditional. The user assigned identity resource id that represents the workspace identity. Required if \'userAssignedIdentities\' is not empty and may not be used if \'systemAssignedIdentity\' is enabled.')
+@sys.description('Conditional. The user assigned identity resource ID that represents the workspace identity. Required if \'userAssignedIdentities\' is not empty and may not be used if \'systemAssignedIdentity\' is enabled.')
 param primaryUserAssignedIdentity string = ''
 
 @sys.description('Optional. Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set.')
diff --git a/modules/Microsoft.MachineLearningServices/workspaces/readme.md b/modules/Microsoft.MachineLearningServices/workspaces/readme.md
index 461e37e5c2..1b85a98404 100644
--- a/modules/Microsoft.MachineLearningServices/workspaces/readme.md
+++ b/modules/Microsoft.MachineLearningServices/workspaces/readme.md
@@ -35,7 +35,7 @@ This module deploys a Machine Learning Services Workspace.
 **Conditional parameters**
 
 | Parameter Name | Type | Default Value | Description |
 | :-- | :-- | :-- | :-- |
-| `primaryUserAssignedIdentity` | string | `''` | The user assigned identity resource id that represents the workspace identity. Required if 'userAssignedIdentities' is not empty and may not be used if 'systemAssignedIdentity' is enabled. |
+| `primaryUserAssignedIdentity` | string | `''` | The user assigned identity resource ID that represents the workspace identity. Required if 'userAssignedIdentities' is not empty and may not be used if 'systemAssignedIdentity' is enabled. |
 | `systemAssignedIdentity` | bool | `False` | Enables system assigned managed identity on the resource. Required if `userAssignedIdentities` is not provided. |
 | `userAssignedIdentities` | object | `{object}` | The ID(s) to assign to the resource. Required if `systemAssignedIdentity` is set to false. |