However, it is essential to set up appropriate access controls to ensure that only authorized persons can use this tool.

To do this, in the Azure portal, with an account that has global Admin rights on your tenant, and User Access Administrator rights on your Root Management Group, you can restrict access to Azure Copilot by following these steps:

• Go to the Azure portal.
• Navigate to Copilot in Azure Admin Center
• Click on Access Management.
• Change the setting Available to all users to Not available to all users
• Grant access rights to eligible users by adding a role on the root tenant Group Copilot in Azure User

Now there may be several reasons to take this action:

• You want to prevent Microsoft from collecting data on your prompts. FAQ Azure Copilot Prompts provided by users and responses from Microsoft Azure Copilot are collected and used to improve Microsoft products and services only when users have given their explicit consent to include this information in feedback
• You want to establish strict governance over the use of AI in your organization.
• For large enterprises, you want to guard against a wait time on the use of Copilot by only providing it to a limited number of users. Current limitations

And finally, it is important to be aware that blocking this feature may impact your user’s productivity, as they will not be able to benefit from the advantages of AI in their daily tasks. Indeed, Azure Copilot can help users automate tasks, find information more quickly, and improve their overall efficiency. Today, the service contains many features and is enriched week by week.

Copilot Capabilities, to this day:

• Understand your Azure environment:

  • Get insights into resources via Azure Resource Graph queries
  • Understand service events and health status
  • Analyze, estimate, and optimize costs
  • Search for Azure Advisor recommendations
  • Visualize network topology
  • Analyze your attack surface
  • Review Azure Firewall IDPS attacks

• Work smarter with Azure services:

  • Run commands
  • Deploy and manage virtual machines
  • Discover and deploy workload templates
  • Use AKS clusters effectively
  • Get insights into Azure Monitor metrics and logs

• Work smarter with Azure Local

  • Manage and troubleshoot storage accounts
  • Resolve disk performance issues
  • Design, troubleshoot, and secure networks
  • Resolve Azure Arc extension issues
  • Improve Azure SQL Database-based applications

• Write and optimize code:

  • Generate Azure CLI scripts
  • Generate PowerShell scripts
  • Generate Terraform and Bicep configurations
  • Create API management policies
  • Generate Kubernetes YAML files
  • Resolve application issues faster with App Service

In my opinion, in 2025, having a corporate policy that prohibits the use of AI is counterproductive. Companies that do not leverage AI risk falling behind their competitors who adopt it. It is essential to find a balance between governance and innovation to remain competitive in the market.

Azure Copilot is an essential tool for all profiles using the Cloud, whether as a developer, architect, infrastructure, SRE, Cyber Expert, FinOps, and more. So weigh the pros and cons carefully before limiting the use of Copilot in the enterprise.

Now on Azure, as you know, the name of a resource is used to identify it within Azure and therefore cannot be modified. You therefore have three main choices to name your resources :

• a Well-defined and respected naming agreement respected by all.
• Naming based on your use cases.
• The Cat Naming Convention which consists in named any way your resources by typing anything on your keyboard. My favorite method for demonstrations.

Now in the life of a business, it is often occur to change the names of the teams, projects, applications, etc. And we therefore end up with resources with obsolete names.

It is possible to add a tag called hidden-title which allows you to add an additional name to your resource as below:

And as you can see, the tag is not visible from the portal. but it is visible when you retrieve the information about your resource in powershell for example.

Get-AzResource -ResourceGroupName $rgName

Name              : jhyblmpw
ResourceGroupName : tags-rg
ResourceType      : Microsoft.Storage/storageAccounts
Location          : westeurope
ResourceId        : /subscriptions/c4dc16cad0f/resourceGroups/tags-rg/providers/Microsoft.Storage/storageAccounts/jhyblmpw
Tags              :
                    Name          Value
                    ============  ========================
                    hidden-title  Awesome storage for demo

It is of course possible to remove the tags via the portal by creating a new tag with the same name and an empty value.

You can use other hidden tags while of course respecting the limit of 50 tags per resource.

It is about Get-AzAccessToken a very practical method to get a valid token to interact with Azure APIs.

As we can see below:

get-azaccesstoken
WARNING: Upcoming breaking changes in the cmdlet 'Get-AzAccessToken' :
The Token property of the output type will be changed from String to SecureString. Add the [-AsSecureString] switch to avoid the impact of this upcoming breaking change.
- The change is expected to take effect in Az version : '14.0.0'
- The change is expected to take effect in Az.Accounts version : '5.0.0'
Note : Go to https://aka.ms/azps-changewarnings for steps to suppress this breaking change warning, and other information on breaking changes in Azure PowerShell.

To make the change, you have to pass -AsSecureString to have the same result you will have in version 14.

$token = Get-AzAccessToken  -AsSecureString

$token.Token
System.Security.SecureString

The problem is that the token is now in a SecureString format, which is not usable as is for using it in REST calls.

You need to convert it to a plain text string.

ConvertFrom-SecureString $token.Token -AsPlainText

eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6IkNOdjBPSTNSd3FsSEZFVm5hb01Bc2hDSDJYRSIsImtpZCI6IkNOdjBPSTNSd3FsSEZFVm5hb01Bc2hDS...

And now you can use it in your REST calls.

So make the change in your scripts before updating your module.

If like me, you have been using Azure Policy for a long time, you should see that the definition of the policy provided by Microsoft can vary from one release to another. Technically these versions provide that new useful features, but hey I don’t really like having deployed safety elements without my eye.

So now these police have versions, and to use them it’s very simple, you just need to make this order to list the versions of a policy:

get-azpolicyDefinition -Name '36fd7371-8eb7-4321-9c30-a7100022d048' | Select DisplayName, Versions

DisplayName                                    Versions
-----------                                    --------
Requires resources to not have a specific tag. {2.0.0, 1.1.1, 1.0.1, 1.0.0}

And to assign the one you want just make this order:

# Select your definition
$definition = get-azpolicyDefinition -Name '36fd7371-8eb7-4321-9c30-a7100022d048' -Version 1.1.1

# Assign your policy
$policyparams = @{
    Name = 'test-policy-version'
    DisplayName = 'Test policy version'
    Scope = $rg.ResourceId
    PolicyDefinition = $definition
    Description = 'Test policy version'
}

New-AzPolicyAssignment @policyparams

And good news, this respects the management of semantic versions, and not versions with more or less obscure dates such as Azure Providers resources.

At the time I had offered a solution based on Azure DNS Resolver to redirect the Forward DNS to a public DNS like Google.

Well, know that from Microsoft has released a new feature where it is possible to bring this configuration to the level of your private DNS zone. Thanks to this bicep there Resolutionpolicy: ‘nxdomainredirect’:

resource vnetLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2024-06-01' = {
  name: 'link-to-vnet-${uniqueString(deployment().name)}'
  parent: privateDnsZone
  tags: tags
  location: 'global'
  properties: {
    virtualNetwork: {
      id: vnetId
    }
    registrationEnabled: false
    resolutionPolicy: 'NxDomainRedirect'
  }
}

This option is very practical, since in our Lab we go from this result:

[VM]
vm
[Run cmd]
nslookup labprivatelinkv5b65ik.blob.core.windows.net
Enable succeeded:
[stdout]
Server:         127.0.0.53
Address:        127.0.0.53#53

** server can't find labprivatelinkv5b65ik.blob.core.windows.net: NXDOMAIN


[stderr]

------------------------------------------
[VM]
vm
[Run cmd]
nslookup labprivatelinkv5b65ik.blob.core.windows.net 8.8.8.8
Enable succeeded:
[stdout]
Server:         8.8.8.8
Address:        8.8.8.8#53

Non-authoritative answer:
labprivatelinkv5b65ik.blob.core.windows.net     canonical name = labprivatelinkv5b65ik.privatelink.blob.core.windows.net.
labprivatelinkv5b65ik.privatelink.blob.core.windows.net canonical name = blob.ams09prdstr07a.store.core.windows.net.
Name:   blob.ams09prdstr07a.store.core.windows.net
Address: 20.60.223.100


[stderr]

à celui là :

[VM]
vm
[Run cmd]
nslookup labprivatelinkv5b65ik.blob.core.windows.net
Enable succeeded:
[stdout]
Server:         127.0.0.53
Address:        127.0.0.53#53

Non-authoritative answer:
labprivatelinkv5b65ik.blob.core.windows.net     canonical name = labprivatelinkv5b65ik.privatelink.blob.core.windows.net.
labprivatelinkv5b65ik.privatelink.blob.core.windows.net canonical name = blob.ams09prdstr07a.store.core.windows.net.
Name:   blob.ams09prdstr07a.store.core.windows.net
Address: 20.60.223.100


[stderr]

------------------------------------------
[VM]
vm
[Run cmd]
nslookup labprivatelinkv5b65ik.blob.core.windows.net 8.8.8.8
Enable succeeded:
[stdout]
Server:         8.8.8.8
Address:        8.8.8.8#53

Non-authoritative answer:
labprivatelinkv5b65ik.blob.core.windows.net     canonical name = labprivatelinkv5b65ik.privatelink.blob.core.windows.net.
labprivatelinkv5b65ik.privatelink.blob.core.windows.net canonical name = blob.ams09prdstr07a.store.core.windows.net.
Name:   blob.ams09prdstr07a.store.core.windows.net
Address: 20.60.223.100


[stderr]

------------------------------------------

So no need to set up unitary forWarde, and you can let azure manage this part there for you. A time saving especially when you work with tools like Synapse or Fabric which offers to create Managed Private Endpoint for many of your services.

I would update the lab to add this use box to the list.

For those who handle everyday network elements, you know that IPs management is an important point in order to avoid overlap, to identify your components or your environments. It is therefore necessary to have a mapping at one point to find out which IP belongs to whom and where it is in my ecosystem.

So it is possible to manage your IPS via different tools, passing from the Excel sheet (because Excel can do everything, even be the pillar of the worst tool idea to manage your tools) up to different IP Address Manager (IPAM) of the market, and there are a lot according to Wikipedia

For me the essential elements of an IPAM are:

• The management of access to this one to add new ranges, and draw into these.
• Recover IPs from our infrastructure as code, namely reserving a range for my virtual network, and keep it even if I launch my stack 200 times.
• View the place available in my ranges.
• Research to know where my asset is in a search and not 2 hours of investigation, namely I type an IP type 10.0.0.4, I want to find the Pool of IP which corresponds, if a range has been allocated and to whom.

We will therefore look at what Microsoft provides us with, which has the advantage of being integrated into Azure, and therefore in the APIs of this one, that means that you can do bicep.

So we are going to create our Network Manager and our IPS Address Ranges.

param location string = 'northeurope'

var cidr = '10.0.0.0/20'
var envPrefix = [for i in range(0, 2): cidrSubnet(cidr, 21, i)]

resource networkManager 'Microsoft.Network/networkManagers@2024-05-01' = {
  name: 'demo-networkmanager'
  location: location
  properties: {
    networkManagerScopes: {
      subscriptions: [
        subscription().id
      ]
    }
  }
}

resource globalPrefix 'Microsoft.Network/networkManagers/ipamPools@2024-05-01' = {
  name: 'azure-rf1918-global'
  location: location
  parent: networkManager
  properties: {
    addressPrefixes: [
      cidr
    ]
  }
}

resource prdPrefix 'Microsoft.Network/networkManagers/ipamPools@2024-05-01' = {
  name: 'azure-rf1918-prd'
  location: location
  parent: networkManager
  properties: {
    addressPrefixes: [
      envPrefix[0]
    ]
    parentPoolName: globalPrefix.name
  }
}

resource devPrefix 'Microsoft.Network/networkManagers/ipamPools@2024-05-01' = {
  name: 'azure-rf1918-dev'
  location: location
  parent: networkManager
  properties: {
    addressPrefixes: [
      envPrefix[1]
    ]
    parentPoolName: globalPrefix.name
  }
}

Good point here, the creation is simple, we can quite easily add ranges, and even managed a notion of inheritance to subdivide our ranges.

Now for the allowance within a virtual network, it is possible to do like this, here I create 10 virtual networks, to make sure that it takes many different ranges:

resource vnets 'Microsoft.Network/virtualNetworks@2024-05-01' = [
  for i in range(0, 8): {
    name: 'vnet-dev-${i}'
    location: location
    properties: {
      addressSpace: {
        ipamPoolPrefixAllocations: [
          {
            numberOfIpAddresses: '128'
            pool: {
              id: devPrefix.id
            }
          }
        ]
      }
    }
  }
]

Second good point, we can easily create our virtual network from bicep so that it can recover an IP from our IPAM.

For the occupation part of our ranges, here again we can see it simply from Azure:

So a good point for that.

And now for the search, we will say that it’s brand new and that all the tools is improving over time. But to date the proposed search feature is only useful if you know what to look for and where.

In conclusion, Microsoft offers with this functionality something that had been eagerly awaited for several years, properly integrated with the APIs and the management of our network stacks, but which in my opinion still lacks some features to decide to change IPAM to this day.

Now, if you want to automate tests to verify all API versions, you need to know all of them.

To discover the different API versions, there are several methods. The first is to consult the Azure REST API documentation provided by Microsoft, but this can be tedious.

The second (and probably the most commonly used so far) is to trigger an error and check the list of available APIs in the error message, as shown below:

$header = @{ 'Content-Type' = 'application/json'; 'Authorization' = 'Bearer ' + (Get-AzAccessToken).Token }
$url = "https://management.azure.com/subscriptions/$((Get-AzContext).Subscription.Id)/providers/Microsoft.Authorization/roleAssignments?api-version=dummyapi"
Invoke-WebRequest -headers $header $url

--- 
Invoke-WebRequest:
{
  "error": {
    "code": "InvalidResourceType",
}

However, you will agree, there are better ways to find all the available versions.

It is therefore possible to retrieve the different APIs using the following command:

(Get-AzResourceProvider -ProviderNamespace "Microsoft.Authorization" | Where-Object { $_.ResourceTypes.ResourceTypeName -eq "roleAssignments" } | Select-Object ResourceTypes).ResourceTypes.ApiVersions

--- 
2022-04-01
2022-01-01-preview
2021-04-01-preview
2020-10-01-preview
2020-08-01-preview
2020-04-01-preview
2020-03-01-preview
2019-04-01-preview
2018-12-01-preview
2018-09-01-preview
2018-07-01
2018-01-01-preview
2017-10-01-preview
2017-09-01
2017-05-01
2016-07-01
2015-07-01
2015-06-01
2015-05-01-preview
2014-10-01-preview
2014-07-01-preview
2014-04-01-preview

And there you have it, all that’s left is to integrate this into a proper test CI pipeline.

In this post, we will focus on managing ACL for your Azure services, and more specifically on the inbound IP source.

Start with how to create a Network Security Perimeter with bicep:

resource nsp 'Microsoft.Network/networkSecurityPerimeters@2023-08-01-preview' = {
  name: 'demo${uniqueString(resourceGroup().id)}'
  location: loc
}

The service is created, now you need a profile. And my advice is to create at least 2 profiles, one with the Learning Mode for the tests, and one with the enforce mode to apply the rules. With the bicep autocompletion, its appears you have only this two mode available. Today we will focus on the enforced mode, we will see the learning mode later, and how to exploit the learning phase to build the security around your services.

resource nsp_enforce 'Microsoft.Network/networkSecurityPerimeters/profiles@2023-08-01-preview' = {
  name: 'enforce_profile'
  parent: nsp
  location: loc
  properties: {}
}

resource nsp_enforce_accessrule 'Microsoft.Network/networkSecurityPerimeters/profiles/accessRules@2023-08-01-preview' = {
  name: 'allowed_ip'
  parent: nsp_enforce
  location: loc
  properties: {
    direction: 'Inbound'
    addressPrefixes: [
      '28.38.76.11/32'
      '52.51.0.0/24'
    ]
  }
}

It is important to know that the possible IPS to be put here must absolutely be public, no RFC1918 here.

And to finish you must associate your profile with your Azure resources, and this is where you will define the mode of access to know: Enforced, Learning

resource nsp_association_storage 'Microsoft.Network/networkSecurityPerimeters/resourceAssociations@2023-08-01-preview' = {
  name: 'testwwonsp${uniqueString(resourceGroup().id, sto.id)}'
  parent: nsp
  location: loc
  properties: {
    accessMode: 'Enforced'
    profile: {
      id: nsp_enforce.id
    }
    privateLinkResource: {
      id: sto.id
    }
  }
}

resource nsp_association_keyvault 'Microsoft.Network/networkSecurityPerimeters/resourceAssociations@2023-08-01-preview' = {
  name: 'testwwonsp${uniqueString(resourceGroup().id, key.id)}'
  parent: nsp
  location: loc
  properties: {
    accessMode:'Enforced'
    profile: {
      id: nsp_enforce.id
    }
    privateLinkResource: {
      id: key.id
    }
  }
}

resource nsp_association_eventhub 'Microsoft.Network/networkSecurityPerimeters/resourceAssociations@2023-08-01-preview' = {
  name: 'testwwonsp${uniqueString(resourceGroup().id, eventhub.id)}'
  parent: nsp
  location: loc
  properties: {
    accessMode: 'Enforced'
    profile: {
      id: nsp_enforce.id
    }
    privateLinkResource: {
      id: eventhub.id
    }
  }
}

Now why I am ultra fan of Network Security Perimeter, it’s simply because I define the list of my IPs only in one place, and I especially don’t have to worry about applying it to all types of resources that I protect. As a reminder if I wanted to do the same in bicep for my storage and keyvault services I would do the next bicep:

resource sto_without_nsp 'Microsoft.Storage/storageAccounts@2023-05-01' = {
  name: 'stononsp${uniqueString(resourceGroup().id)}'
  location: loc
  kind: 'StorageV2'
  identity: {
    type: 'SystemAssigned'
  }
  sku: {
    name: 'standard_lrs'
  }
  properties: {
    supportsHttpsTrafficOnly: true
    networkAcls: {
      bypass: 'AzureServices'
      ipRules: [
        {
          value: '28.38.76.11'
          action: 'Allow'
        }
        {
          value: '52.51.0.0/24'
          action: 'Allow'
        }
      ]
      defaultAction: 'Deny'
    }
  }
}

resource key_without_nsp 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: 'keynonsp${uniqueString(resourceGroup().id)}'
  location: loc
  properties: {
    sku: {
      family: 'A'
      name: 'standard'
    }
    tenantId: subscription().tenantId
    enableRbacAuthorization: true
    networkAcls: {
      bypass: 'AzureServices'
      ipRules: [
        {
          value: '28.38.76.11/32'
        }
        {
          value: '52.51.0.0/24'
        }
      ]
      defaultAction: 'Deny'
    }
  }
}

resource eventhub_without_nsp 'Microsoft.EventHub/namespaces@2024-05-01-preview' = {
  name: 'eventhubnonsp${uniqueString(resourceGroup().id)}'
  location: loc
  identity: {
    type: 'SystemAssigned'
  }
  sku: {
    name: 'Standard'
    tier: 'Standard'
  }
  properties: {
    isAutoInflateEnabled: false
    disableLocalAuth: true  
  }
}

resource eventhub_without_nspacl 'Microsoft.EventHub/namespaces/networkRuleSets@2024-05-01-preview' = {
  name: 'default'
  parent: eventhub_without_nsp
  properties: {
    defaultAction: 'Deny'
    ipRules: [
      {
        ipMask: '28.38.76.11/32'
        action: 'Allow'
      }
      {
        ipMask: '52.51.0.0/24'
        action: 'Allow'
      }
    ]
  }
}

So I have for my storage, Keyvault and EventHub 3 different implementations to put my rules. Here Azure Storage does not support the ranges in /32, we are therefore obliged to put the IP, and for event hub it is an inner resource.

So we see that Network Security Perimeter will help us simplify our infra as code without being concerned about this part. Or even a complex management of Policy to be set up to automatically add all the IPs you want.

Now it is a preview, and therefore I hope that other features will arrive because for the moment the big blockers that I see by adoption today are as follows:

• We don’t see the security elements if we look at the details of the service via the portal, or via the PowerShell commands, for example:

➜  (Get-AzKeyVault -name $keyVaultName -ResourceGroupName nsp).NetworkAcls

DefaultAction                 : Allow
Bypass                        : AzureServices
IpAddressRanges               :
IpAddressRangesText           :
VirtualNetworkResourceIds     :
VirtualNetworkResourceIdsText :

• No integration into Microsoft Defender for Cloud, my resources always seem exposed. And I guess it’s the same for other CNAPPs.

• Not all Azure services are supported for example for this inbound IPs control.

But for me it is a service to monitor because it will be a game changer for the future of perimeter security in the public cloud.

Tell me in comments if you have other aspects of the service you want me to dig.

However, if you have several policies that change the same field. What can happen if you assign the same policy twice on different scopes with different parameters, or if you have a governance problem, it can be complicated to know which prime on the other

There is conflicteffect that exists, and this one offer a control to prioritize which policy take over on the other. This field has multiple values: audit, deny ou disabled.

And good news, by default the value is deny and it’s the value i advise for your policy.

Indeed, if we have a policy conflict, we will have an error when updating the resource, while a policy with an audit effect will simply not play the modification operations in the event of a conflict.

Here is an example of a policy with a configured conflict effect.

{
  "mode": "Indexed",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Storage/storageAccounts"
        },
        {
          "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
          "equals": "false"
        }
      ]
    },
    "then": {
      "effect": "[parameters('effect')]",
      "details": {
        "conflictEffect": "deny",
        "roleDefinitionIds": [
          "/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab"
        ],
        "operations": [
          {
            "condition": "[greaterOrEquals(requestContext().apiVersion, '2019-04-01')]",
            "operation": "addOrReplace",
            "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
            "value": true
          }
        ]
      }
    }
  },
  "parameters": {
    "effect": {
      "type": "String",
      "metadata": {
        "displayName": "Effect",
        "description": "The effect determines what happens when the policy rule is evaluated to match"
      },
      "allowedValues": [
        "Modify",
        "Disabled"
      ],
      "defaultValue": "Modify"
    }
  }
}

And now if we want to make a public registry, well today it is not possible, but Microsoft hosts for you Azure Verified Module which is also based on Azure Container Registry but which contains a set of modules validated by Microsoft based on Open Source Restity: Azure Verified Module

Recently I updated my Sandbox Toolkit based on Azure Function, and I decided among other things to redo my infra as code thanks to AVM, so I suggest making a feedback on it.

Let’s start by creating an Azure storage:

module stg 'br/public:avm/res/storage/storage-account:0.11.1' = {
  name: 'sandbox-storage'
  scope: resourceGroup
  params: {
    name: 'stg${uniqueString(resourceGroup.id)}'
    skuName: 'Standard_LRS'
    publicNetworkAccess: 'Enabled'
    networkAcls: {
      bypass: 'AzureServices'
      defaultAction: 'Allow'
    }
  }
}

So firstly it is very simple to access via VsCode since the search for modules is done directly with autocompletion, it remains up to know Azure Resource Providers you want to use. And good news, it is easily to explore the contents of the module that you simply use via a click in VsCode, no need to refer to the Github.

For having implemented modules which is important to define is the management of your input and output parameters of the module, and good news AVM contains standards on these elements and offers a lot of parameter with default values For all (apart from the name of course), and good news these parameters are typical, so you will be well guided when creating your templates, and in the build of your bicep file will fail if you have not followed the typing .

Now, everything is not perfect, and it is an open source project, so the level of templates is not always the same, for example if I take storage I have these elements for the NetworkAcls part:

@description('Optional. Networks ACLs, this value contains IPs to whitelist and/or Subnet information. If in use, bypass needs to be supplied. For security reasons, it is recommended to set the DefaultAction Deny.')
param networkAcls networkAclsType?

type networkAclsType = {
  @description('Optional. Sets the resource access rules. Array entries must consist of "tenantId" and "resourceId" fields only.')
  resourceAccessRules: {
    @description('Required. The ID of the tenant in which the resource resides in.')
    tenantId: string

    @description('Required. The resource ID of the target service. Can also contain a wildcard, if multiple services e.g. in a resource group should be included.')
    resourceId: string
  }[]?

  @description('Optional. Specifies whether traffic is bypassed for Logging/Metrics/AzureServices. Possible values are any combination of Logging,Metrics,AzureServices (For example, "Logging, Metrics"), or None to bypass none of those traffics.')
  bypass: (
    | 'None'
    | 'AzureServices'
    | 'Logging'
    | 'Metrics'
    | 'AzureServices, Logging'
    | 'AzureServices, Metrics'
    | 'AzureServices, Logging, Metrics'
    | 'Logging, Metrics')?

  @description('Optional. Sets the virtual network rules.')
  virtualNetworkRules: array?

  @description('Optional. Sets the IP ACL rules.')
  ipRules: array?

  @description('Optional. Specifies the default action of allow or deny when no other rules match.')
  defaultAction: ('Allow' | 'Deny')?
}

While for Keyvault, it’s much more light:

@description('Optional. Rules governing the accessibility of the resource from specific network locations.')
param networkAcls object?

Afterwards, I remind you that this is an open source project, so I strongly encourage you to contribute if something is missing, of course if you have time. They are also looking for: Needs Contributor

The use of this type of module will allow you to speed up the implementation of your templates based on these modules, and not to have to redo them on your side. And as a bonus, since it is a module you can always use yours if you wish.

Since good news never comes alone, this registry also contains tests for each of the resources you can press to find the settings you need, for example for storage:

For example, the implementation of a Kind type BlockBlobStorage

targetScope = 'subscription'

metadata name = 'Deploying as a Block Blob Storage'
metadata description = 'This instance deploys the module as a Premium Block Blob Storage account.'

// ========== //
// Parameters //
// ========== //

@description('Optional. The name of the resource group to deploy for testing purposes.')
@maxLength(90)
param resourceGroupName string = 'dep-${namePrefix}-storage.storageaccounts-${serviceShort}-rg'

@description('Optional. The location to deploy resources to.')
param resourceLocation string = deployment().location

@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
param serviceShort string = 'ssablock'

@description('Optional. A token to inject into the name of each resource.')
param namePrefix string = '#_namePrefix_#'

// ============ //
// Dependencies //
// ============ //

// General resources
// =================
resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
  name: resourceGroupName
  location: resourceLocation
}

// ============== //
// Test Execution //
// ============== //

@batchSize(1)
module testDeployment '../../../main.bicep' = [
  for iteration in ['init', 'idem']: {
    scope: resourceGroup
    name: '${uniqueString(deployment().name, resourceLocation)}-test-${serviceShort}-${iteration}'
    params: {
      location: resourceLocation
      name: '${namePrefix}${serviceShort}001'
      skuName: 'Premium_LRS'
      kind: 'BlockBlobStorage'
    }
  }
]

But also lots of others, such as the management of encryption keys.

AVM does not only contain modules for Azure Resources, but also for user patterns, such as the implementation of the Landing Zone of Test (given the criticality of the subject, I advise you to use an external module only for tests)

And finally, Azure Verified Module is not an initiative that for Bicep, but also for Terraform!

Well and if I was going to make a request for a request now…