Add VWAN Features: Routing Intent, VHC Naming, Enable Internet Security (#612)

Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com>
jtracey93 and github-actions[bot] authored Aug 14, 2023
1 parent d96464b commit 4536006
Showing 16 changed files with 212 additions and 24 deletions.
@@ -8,6 +8,9 @@ Parameter name | Required | Description
-------------- | -------- | -----------
parVirtualWanHubResourceId | Yes | Virtual WAN Hub resource ID.
parRemoteVirtualNetworkResourceId | Yes | Remote Spoke virtual network resource ID.
parVirtualHubConnectionPrefix | No | Optional Virtual Hub Connection Name Prefix.
parVirtualHubConnectionSuffix | No | Optional Virtual Hub Connection Name Suffix. Example: -vhc
parEnableInternetSecurity | No | Enable Internet Security for the Virtual Hub Connection.

### parVirtualWanHubResourceId

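Review bot: the description in the added `parEnableInternetSecurity` row says only "Enable Internet Security", which does not tell a reader what the `false` default costs them: this property is the hub connection's default-route propagation switch, so with `false` the spoke VNet does not receive 0.0.0.0/0 from the hub and its internet-bound traffic is not steered to the hub firewall, even if the hub has routing intent for `Internet` configured. Suggest a row such as `parEnableInternetSecurity | No | Propagate the hub's default route (0.0.0.0/0) to this connection so spoke internet egress is routed via the hub firewall. Default: false`, with the same wording in the `### parEnableInternetSecurity` section and in the other module READMEs touched by this commit.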
@@ -21,6 +24,28 @@ Virtual WAN Hub resource ID.

Remote Spoke virtual network resource ID.

### parVirtualHubConnectionPrefix

![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)

Optional Virtual Hub Connection Name Prefix.

### parVirtualHubConnectionSuffix

![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)

Optional Virtual Hub Connection Name Suffix. Example: -vhc

- Default value: `-vhc`

### parEnableInternetSecurity

![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)

Enable Internet Security for the Virtual Hub Connection.

- Default value: `False`

## Outputs

Name | Type | Description
@@ -45,6 +70,15 @@ outHubVirtualNetworkConnectionResourceId | string |
},
"parRemoteVirtualNetworkResourceId": {
"value": ""
},
"parVirtualHubConnectionPrefix": {
"value": ""
},
"parVirtualHubConnectionSuffix": {
"value": "-vhc"
},
"parEnableInternetSecurity": {
"value": false
}
}
}

@@ -8,6 +8,9 @@ Parameter name | Required | Description
-------------- | -------- | -----------
parVirtualWanHubResourceId | Yes | Virtual WAN Hub resource ID.
parRemoteVirtualNetworkResourceId | Yes | Remote Spoke virtual network resource ID.
parVirtualHubConnectionPrefix | No | Optional Virtual Hub Connection Name Prefix.
parVirtualHubConnectionSuffix | No | Optional Virtual Hub Connection Name Suffix. Example: -vhc
parEnableInternetSecurity | No | Enable Internet Security for the Virtual Hub Connection.
parTelemetryOptOut | No | Set Parameter to true to Opt-out of deployment telemetry. Default: false

### parVirtualWanHubResourceId
@@ -22,6 +25,28 @@ Virtual WAN Hub resource ID.

Remote Spoke virtual network resource ID.

### parVirtualHubConnectionPrefix

![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)

Optional Virtual Hub Connection Name Prefix.

### parVirtualHubConnectionSuffix

![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)

Optional Virtual Hub Connection Name Suffix. Example: -vhc

- Default value: `-vhc`

### parEnableInternetSecurity

![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)

Enable Internet Security for the Virtual Hub Connection.

- Default value: `False`

### parTelemetryOptOut

![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
@@ -55,6 +80,15 @@ outHubVirtualNetworkConnectionResourceId | string |
"parRemoteVirtualNetworkResourceId": {
"value": ""
},
"parVirtualHubConnectionPrefix": {
"value": ""
},
"parVirtualHubConnectionSuffix": {
"value": "-vhc"
},
"parEnableInternetSecurity": {
"value": false
},
"parTelemetryOptOut": {
"value": false
}

@@ -7,18 +7,28 @@ param parVirtualWanHubResourceId string
@sys.description('Remote Spoke virtual network resource ID.')
param parRemoteVirtualNetworkResourceId string

@sys.description('Optional Virtual Hub Connection Name Prefix.')
param parVirtualHubConnectionPrefix string = ''

@sys.description('Optional Virtual Hub Connection Name Suffix. Example: -vhc')
param parVirtualHubConnectionSuffix string = '-vhc'

@sys.description('Enable Internet Security for the Virtual Hub Connection.')
param parEnableInternetSecurity bool = false

var varVwanHubName = split(parVirtualWanHubResourceId, '/')[8]

var varSpokeVnetName = split(parRemoteVirtualNetworkResourceId, '/')[8]

var varVnetPeeringVwanName = '${varVwanHubName}/${varSpokeVnetName}-vhc'
var varVnetPeeringVwanName = '${varVwanHubName}/${parVirtualHubConnectionPrefix}${varSpokeVnetName}${parVirtualHubConnectionSuffix}'

resource resVnetPeeringVwan 'Microsoft.Network/virtualHubs/hubVirtualNetworkConnections@2023-02-01' = if (!empty(parVirtualWanHubResourceId) && !empty(parRemoteVirtualNetworkResourceId)) {
name: varVnetPeeringVwanName
properties: {
remoteVirtualNetwork: {
id: parRemoteVirtualNetworkResourceId
}
enableInternetSecurity: parEnableInternetSecurity
}
}

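Review bot: `enableInternetSecurity: parEnableInternetSecurity` with a `false` default keeps the spoke from learning the hub's default route, so a hub deployed with `parVirtualHubRoutingIntentDestinations: ['Internet']` in `vwanConnectivity.bicep` still leaves this spoke's internet egress outside the firewall unless the caller also sets this flag, and nothing in either module ties the two settings together. At minimum the `@sys.description` should say the parameter controls default-route propagation from the hub, and the docs should say it must be `true` on every connection that is meant to egress through routing intent. Minor, on the unchanged lines above: `split(parRemoteVirtualNetworkResourceId, '/')[8]` relies on the fixed segment count of a well-formed resource ID; `last(split(parRemoteVirtualNetworkResourceId, '/'))` yields the same name without the magic index.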

@@ -8,6 +8,15 @@
"parRemoteVirtualNetworkResourceId": {
"value": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/spokevnet-rg/providers/Microsoft.Network/virtualNetworks/vnet-spoke"
},
"parVirtualHubConnectionPrefix": {
"value": ""
},
"parVirtualHubConnectionSuffix": {
"value": "-vhc"
},
"parEnableInternetSecurity": {
"value": false
},
"parTelemetryOptOut": {
"value": false
}

@@ -9,6 +9,15 @@ param parVirtualWanHubResourceId string
@sys.description('Remote Spoke virtual network resource ID.')
param parRemoteVirtualNetworkResourceId string

@sys.description('Optional Virtual Hub Connection Name Prefix.')
param parVirtualHubConnectionPrefix string = ''

@sys.description('Optional Virtual Hub Connection Name Suffix. Example: -vhc')
param parVirtualHubConnectionSuffix string = '-vhc'

@sys.description('Enable Internet Security for the Virtual Hub Connection.')
param parEnableInternetSecurity bool = false

@sys.description('Set Parameter to true to Opt-out of deployment telemetry. Default: false')
param parTelemetryOptOut bool = false

@@ -27,9 +36,12 @@ var varModhubVirtualNetworkConnectionDeploymentName = take('deploy-vnet-peering-
module modhubVirtualNetworkConnection 'hubVirtualNetworkConnection.bicep' = if (!empty(parVirtualWanHubResourceId) && !empty(parRemoteVirtualNetworkResourceId)) {
scope: resourceGroup(varVwanSubscriptionId, varVwanResourceGroup)
name: varModhubVirtualNetworkConnectionDeploymentName
params: {
params: {
parVirtualWanHubResourceId: parVirtualWanHubResourceId
parRemoteVirtualNetworkResourceId: parRemoteVirtualNetworkResourceId
parVirtualHubConnectionPrefix: parVirtualHubConnectionPrefix
parVirtualHubConnectionSuffix: parVirtualHubConnectionSuffix
parEnableInternetSecurity: parEnableInternetSecurity
}
}


@@ -13,7 +13,7 @@ parVirtualHubEnabled | No | Switch to enable/disable Virtual Hub deploymen
parAzFirewallDnsProxyEnabled | No | Switch to enable/disable Azure Firewall DNS Proxy.
parVirtualWanName | No | Prefix Used for Virtual WAN.
parVirtualWanHubName | No | Prefix Used for Virtual WAN Hub.
parVirtualWanHubs | No | Array Used for multiple Virtual WAN Hubs deployment. Each object in the array represents an individual Virtual WAN Hub configuration. Add/remove additional objects in the array to meet the number of Virtual WAN Hubs required. - `parVpnGatewayEnabled` - Switch to enable/disable VPN Gateway deployment on the respective Virtual WAN Hub. - `parExpressRouteGatewayEnabled` - Switch to enable/disable ExpressRoute Gateway deployment on the respective Virtual WAN Hub. - `parAzFirewallEnabled` - Switch to enable/disable Azure Firewall deployment on the respective Virtual WAN Hub. - `parVirtualHubAddressPrefix` - The IP address range in CIDR notation for the vWAN virtual Hub to use. - `parHubLocation` - The Virtual WAN Hub location. - `parHubRoutingPreference` - The Virtual WAN Hub routing preference. The allowed values are `ASN`, `VpnGateway`, `ExpressRoute`. - `parVirtualRouterAutoScaleConfiguration` - The Virtual WAN Hub capacity. The value should be between 2 to 50.
parVirtualWanHubs | No | Array Used for multiple Virtual WAN Hubs deployment. Each object in the array represents an individual Virtual WAN Hub configuration. Add/remove additional objects in the array to meet the number of Virtual WAN Hubs required. - `parVpnGatewayEnabled` - Switch to enable/disable VPN Gateway deployment on the respective Virtual WAN Hub. - `parExpressRouteGatewayEnabled` - Switch to enable/disable ExpressRoute Gateway deployment on the respective Virtual WAN Hub. - `parAzFirewallEnabled` - Switch to enable/disable Azure Firewall deployment on the respective Virtual WAN Hub. - `parVirtualHubAddressPrefix` - The IP address range in CIDR notation for the vWAN virtual Hub to use. - `parHubLocation` - The Virtual WAN Hub location. - `parHubRoutingPreference` - The Virtual WAN Hub routing preference. The allowed values are `ASN`, `VpnGateway`, `ExpressRoute`. - `parVirtualRouterAutoScaleConfiguration` - The Virtual WAN Hub capacity. The value should be between 2 to 50. - `parVirtualHubRoutingIntentDestinations` - The Virtual WAN Hub routing intent destinations, leave empty if not wanting to enable routing intent. The allowed values are `Internet`, `PrivateTraffic`.
parVpnGatewayName | No | Prefix Used for VPN Gateway.
parExpressRouteGatewayName | No | Prefix Used for ExpressRoute Gateway.
parAzFirewallName | No | Azure Firewall Name.
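Review bot: the new `parVirtualHubRoutingIntentDestinations` bullet in this row should document two behaviours that are visible in `vwanConnectivity.bicep` in this same commit, otherwise callers will be surprised: routing intent is only created when that hub also has `parAzFirewallEnabled: true` (a non-empty list on a hub without a firewall is silently ignored), and a non-empty list also suppresses the `defaultRouteTable` static-route resource, so a hub configured with only `Internet` no longer sends private (spoke-to-spoke) traffic through the firewall. It should also state whether both values may be supplied together, since the array form implies that they can.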
@@ -102,6 +102,7 @@ Array Used for multiple Virtual WAN Hubs deployment. Each object in the array re
- `parHubLocation` - The Virtual WAN Hub location.
- `parHubRoutingPreference` - The Virtual WAN Hub routing preference. The allowed values are `ASN`, `VpnGateway`, `ExpressRoute`.
- `parVirtualRouterAutoScaleConfiguration` - The Virtual WAN Hub capacity. The value should be between 2 to 50.
- `parVirtualHubRoutingIntentDestinations` - The Virtual WAN Hub routing intent destinations, leave empty if not wanting to enable routing intent. The allowed values are `Internet`, `PrivateTraffic`.



@@ -283,7 +284,8 @@ outPrivateDnsZonesNames | array |
"parVirtualHubAddressPrefix": "10.100.0.0/23",
"parHubLocation": "[parameters('parLocation')]",
"parHubRoutingPreference": "ExpressRoute",
"parVirtualRouterAutoScaleConfiguration": 2
"parVirtualRouterAutoScaleConfiguration": 2,
"parVirtualHubRoutingIntentDestinations": []
}
]
},

@@ -47,7 +47,8 @@
"parVirtualHubAddressPrefix": "10.100.0.0/23",
"parHubLocation": "chinaeast2",
"parHubRoutingPreference": "ExpressRoute",
"parVirtualRouterAutoScaleConfiguration": 2
"parVirtualRouterAutoScaleConfiguration": 2,
"parVirtualHubRoutingIntentDestinations": []
}
]
},

@@ -23,7 +23,8 @@
"parVirtualHubAddressPrefix": "10.100.0.0/23",
"parHubLocation": "chinaeast2",
"parHubRoutingPreference": "ExpressRoute",
"parVirtualRouterAutoScaleConfiguration": 2
"parVirtualRouterAutoScaleConfiguration": 2,
"parVirtualHubRoutingIntentDestinations": []
}
]
},

@@ -47,7 +47,8 @@
"parVirtualHubAddressPrefix": "10.100.0.0/23",
"parHubLocation": "eastus",
"parHubRoutingPreference": "ExpressRoute",
"parVirtualRouterAutoScaleConfiguration": 2
"parVirtualRouterAutoScaleConfiguration": 2,
"parVirtualHubRoutingIntentDestinations": []
}
]
},

@@ -20,7 +20,8 @@
"parVirtualHubAddressPrefix": "10.100.0.0/23",
"parHubLocation": "eastus",
"parHubRoutingPreference": "ExpressRoute",
"parVirtualRouterAutoScaleConfiguration": 2
"parVirtualRouterAutoScaleConfiguration": 2,
"parVirtualHubRoutingIntentDestinations": []
}
]
},

@@ -30,6 +30,7 @@ module minimum_vwan_conn '../vwanConnectivity.bicep' = {
parHubLocation: 'centralus'
parhubRoutingPreference: 'ExpressRoute' //allowed values are 'ASN','VpnGateway','ExpressRoute'
parvirtualRouterAutoScaleConfiguration: 2 //minimum capacity should be between 2 to 50
parVirtualHubRoutingIntentDestinations: []
}]
parAzFirewallDnsProxyEnabled: true
parVirtualWanName: '${parCompanyPrefix}-vwan-${parLocation}'

@@ -36,6 +36,7 @@ param parVirtualWanHubName string = '${parCompanyPrefix}-vhub'
- `parHubLocation` - The Virtual WAN Hub location.
- `parHubRoutingPreference` - The Virtual WAN Hub routing preference. The allowed values are `ASN`, `VpnGateway`, `ExpressRoute`.
- `parVirtualRouterAutoScaleConfiguration` - The Virtual WAN Hub capacity. The value should be between 2 to 50.
- `parVirtualHubRoutingIntentDestinations` - The Virtual WAN Hub routing intent destinations, leave empty if not wanting to enable routing intent. The allowed values are `Internet`, `PrivateTraffic`.
''')
param parVirtualWanHubs array = [ {
@@ -46,6 +47,7 @@ param parVirtualWanHubs array = [ {
parHubLocation: parLocation
parHubRoutingPreference: 'ExpressRoute' //allowed values are 'ASN','VpnGateway','ExpressRoute'.
parVirtualRouterAutoScaleConfiguration: 2 //minimum capacity should be between 2 to 50
parVirtualHubRoutingIntentDestinations: []
}
]

@@ -177,7 +179,7 @@ var varZtnP1CuaId = '3ab23b1e-c5c5-42d4-b163-1402384ba2db'
var varZtnP1Trigger = (parDdosEnabled && !(contains(map(parVirtualWanHubs, hub => hub.parAzFirewallEnabled), false)) && (parAzFirewallTier == 'Premium')) ? true : false

// Virtual WAN resource
resource resVwan 'Microsoft.Network/virtualWans@2023-02-01' = {
resource resVwan 'Microsoft.Network/virtualWans@2023-04-01' = {
name: parVirtualWanName
location: parLocation
tags: parTags
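Review bot: the bump to `virtualWans@2023-04-01` here (and to `virtualHubs`, `hubRouteTables` and the new `routingIntent` below) leaves `vpnGateways@2023-02-01` in this file and `hubVirtualNetworkConnections@2023-02-01` in the connection module on the older version. Mixed API versions inside one module are a maintenance trap; either bump them together or add a comment stating that only `routingIntent` required the newer version.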
@@ -189,7 +191,7 @@ resource resVwan 'Microsoft.Network/virtualWans@2023-02-01' = {
}
}

resource resVhub 'Microsoft.Network/virtualHubs@2023-02-01' = [for hub in parVirtualWanHubs: if (parVirtualHubEnabled && !empty(hub.parVirtualHubAddressPrefix)) {
resource resVhub 'Microsoft.Network/virtualHubs@2023-04-01' = [for hub in parVirtualWanHubs: if (parVirtualHubEnabled && !empty(hub.parVirtualHubAddressPrefix)) {
name: '${parVirtualWanHubName}-${hub.parHubLocation}'
location: hub.parHubLocation
tags: parTags
@@ -206,7 +208,7 @@ resource resVhub 'Microsoft.Network/virtualHubs@2023-02-01' = [for hub in parVir
}
}]

resource resVhubRouteTable 'Microsoft.Network/virtualHubs/hubRouteTables@2023-02-01' = [for (hub, i) in parVirtualWanHubs: if (parVirtualHubEnabled && hub.parAzFirewallEnabled) {
resource resVhubRouteTable 'Microsoft.Network/virtualHubs/hubRouteTables@2023-04-01' = [for (hub, i) in parVirtualWanHubs: if (parVirtualHubEnabled && hub.parAzFirewallEnabled && empty(hub.parVirtualHubRoutingIntentDestinations)) {
parent: resVhub[i]
name: 'defaultRouteTable'
properties: {
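Review bot: the new condition `empty(hub.parVirtualHubRoutingIntentDestinations)` dereferences the property unconditionally, so any caller-supplied `parVirtualWanHubs` object written before this commit (which has no such key) now fails template evaluation with a property-not-found error instead of falling back to the previous static-route behaviour; the same dereference is used in the `resVhubRoutingIntent` condition that follows. Either guard it, for example `!(contains(hub, 'parVirtualHubRoutingIntentDestinations') && !empty(hub.parVirtualHubRoutingIntentDestinations))`, or call out the new required key as a breaking change in the release notes. Every parameter file in this commit was updated, which suggests the author is aware, but external consumers of the module are not.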
@@ -227,6 +229,20 @@ resource resVhubRouteTable 'Microsoft.Network/virtualHubs/hubRouteTables@2023-02
}
}]

resource resVhubRoutingIntent 'Microsoft.Network/virtualHubs/routingIntent@2023-04-01' = [for (hub, i) in parVirtualWanHubs: if (parVirtualHubEnabled && hub.parAzFirewallEnabled && !empty(hub.parVirtualHubRoutingIntentDestinations)) {
parent: resVhub[i]
name: '${parVirtualWanHubName}-${hub.parHubLocation}-Routing-Intent'
properties: {
routingPolicies: [for destination in hub.parVirtualHubRoutingIntentDestinations: {
name: destination == 'Internet' ? 'PublicTraffic' : destination == 'PrivateTraffic' ? 'PrivateTraffic' : 'N/A'
destinations: [
destination
]
nextHop: resAzureFirewall[i].id
}]
}
}]

resource resVpnGateway 'Microsoft.Network/vpnGateways@2023-02-01' = [for (hub, i) in parVirtualWanHubs: if ((parVirtualHubEnabled) && (hub.parVpnGatewayEnabled)) {
dependsOn: resVhub
name: '${parVpnGatewayName}-${hub.parHubLocation}'
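Review bot: in `routingPolicies`, the `name` expression maps anything other than `Internet` or `PrivateTraffic` to the literal `'N/A'` and still submits it to the API, so a typo such as `internet` only fails at deployment time with an opaque service error. A lookup object, for example `var varRoutingPolicyNames = { Internet: 'PublicTraffic', PrivateTraffic: 'PrivateTraffic' }` used as `varRoutingPolicyNames[destination]`, fails at evaluation time and names the bad key, which is the behaviour you want for a setting that decides whether traffic is inspected by the firewall. Also, `nextHop: resAzureFirewall[i].id` is only safe because the condition includes `hub.parAzFirewallEnabled`; a one-line comment making that coupling explicit would stop someone from relaxing the condition later.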

@@ -25,6 +25,9 @@ parSpokeToHubRouteTableName | No | Name of Route table to create for the d
parHubVirtualNetworkId | Yes | Virtual Network ID of Hub Virtual Network, or Azure Virtuel WAN hub ID.
parAllowSpokeForwardedTraffic | No | Switch to enable/disable forwarded Traffic from outside spoke network.
parAllowHubVpnGatewayTransit | No | Switch to enable/disable VPN Gateway for the hub network peering.
parVirtualHubConnectionPrefix | No | Optional Virtual Hub Connection Name Prefix.
parVirtualHubConnectionSuffix | No | Optional Virtual Hub Connection Name Suffix. Example: -vhc
parEnableInternetSecurity | No | Enable Internet Security for the Virtual Hub Connection.

### parLocation

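Review bot: the unchanged `parHubVirtualNetworkId` row just above the new rows has a typo ("Azure Virtuel WAN hub ID"); since this table is regenerated from the module anyway, fix it in the source `@sys.description`. The added `parEnableInternetSecurity` row carries the same under-described text as the connection module README: it should say that the flag propagates the hub's default route to the spoke and that the `false` default leaves spoke internet egress outside the hub firewall.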
@@ -160,6 +163,28 @@ Switch to enable/disable VPN Gateway for the hub network peering.

- Default value: `False`

### parVirtualHubConnectionPrefix

![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)

Optional Virtual Hub Connection Name Prefix.

### parVirtualHubConnectionSuffix

![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)

Optional Virtual Hub Connection Name Suffix. Example: -vhc

- Default value: `-vhc`

### parEnableInternetSecurity

![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)

Enable Internet Security for the Virtual Hub Connection.

- Default value: `False`

## Outputs

Name | Type | Description
@@ -235,6 +260,15 @@ outSpokeVirtualNetworkId | string |
},
"parAllowHubVpnGatewayTransit": {
"value": false
},
"parVirtualHubConnectionPrefix": {
"value": ""
},
"parVirtualHubConnectionSuffix": {
"value": "-vhc"
},
"parEnableInternetSecurity": {
"value": false
}
}
}