diff --git a/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep b/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep
index 97751563b..6d8ea92d9 100644
--- a/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep
+++ b/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep
@@ -764,6 +764,26 @@ module modGatewayPublicIp '../publicIp/publicIp.bicep' = [for (gateway, i) in va
 }
 }]
 
+// If the gateway is active-active, create a second public IP
+module modGatewayPublicIpActiveActive '../publicIp/publicIp.bicep' = [for (gateway, i) in varGwConfig: if ((gateway.name != 'noconfigVpn') && (gateway.name != 'noconfigEr') && gateway.activeActive) {
+ name: 'deploy-Gateway-Public-IP-ActiveActive-${i}'
+ params: {
+ parLocation: parLocation
+ parAvailabilityZones: toLower(gateway.gatewayType) == 'expressroute' ? parAzErGatewayAvailabilityZones : toLower(gateway.gatewayType) == 'vpn' ? parAzVpnGatewayAvailabilityZones : []
+ parPublicIpName: '${parPublicIpPrefix}${gateway.name}${parPublicIpSuffix}-aa'
+ parPublicIpProperties: {
+ publicIpAddressVersion: 'IPv4'
+ publicIpAllocationMethod: 'Static'
+ }
+ parPublicIpSku: {
+ name: parPublicIpSku
+ }
+ parResourceLockConfig: (parGlobalResourceLock.kind != 'None') ? parGlobalResourceLock : parVirtualNetworkGatewayLock
+ parTags: parTags
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}]
+
 //Minumum subnet size is /27 supporting documentation https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsub
 resource resGateway 'Microsoft.Network/virtualNetworkGateways@2023-02-01' = [for (gateway, i) in varGwConfig: if ((gateway.name != 'noconfigVpn') && (gateway.name != 'noconfigEr')) {
 name: gateway.name
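Review bot: The new module's condition reads `gateway.activeActive` for every entry of varGwConfig, including the 'noconfigVpn' and 'noconfigEr' placeholder entries, and Bicep's `&&` is not guaranteed to short-circuit once compiled to the ARM `and()` function; if those placeholder entries (defined outside this hunk) lack an `activeActive` property, the deployment fails on property lookup instead of simply skipping the module. The file already uses safe dereference for optional gateway properties (`gateway.vpnClientConfiguration.?radiusServerAddress ?? ''`), so writing the last operand as `(gateway.?activeActive ?? false)` would make the condition robust to that. The availability-zone and resource-lock ternaries are also a copy of the ones feeding modGatewayPublicIp; hoisting each into a variable would keep the primary and secondary public IPs from drifting apart when one of them is edited later.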
@@ -793,23 +813,43 @@ resource resGateway 'Microsoft.Network/virtualNetworkGateways@2023-02-01' = [for
 radiusServerAddress: gateway.vpnClientConfiguration.?radiusServerAddress ?? ''
 radiusServerSecret: gateway.vpnClientConfiguration.?radiusServerSecret ?? ''
 } : null
- ipConfigurations: [
- {
- id: resHubVnet.id
- name: 'vnetGatewayConfig'
- properties: {
- publicIPAddress: {
- id: (((gateway.name != 'noconfigVpn') && (gateway.name != 'noconfigEr')) ? modGatewayPublicIp[i].outputs.outPublicIpId : 'na')
+
+ ipConfigurations: concat(
+ // Primary IP configuration
+ [
+ {
+ id: resHubVnet.id
+ name: 'vnetGatewayConfig1'
+ properties: {
+ publicIPAddress: {
+ id: modGatewayPublicIp[i].outputs.outPublicIpId // Primary Public IP
+ }
+ subnet: {
+ id: resGatewaySubnetRef.id
+ }
 }
- subnet: {
- id: resGatewaySubnetRef.id
+ }
+ ],
+ // Add second IP configuration if activeActive is true
+ gateway.activeActive ? [
+ {
+ id: resHubVnet.id
+ name: 'vnetGatewayConfig2'
+ properties: {
+ publicIPAddress: {
+ id: modGatewayPublicIpActiveActive[i].outputs.outPublicIpId // Secondary Public IP
+ }
+ subnet: {
+ id: resGatewaySubnetRef.id
+ }
 }
 }
- }
- ]
+ ] : []
+ )
 }
 }]
 
+
 // Create a Virtual Network Gateway resource lock if gateway.name is not equal to noconfigVpn or noconfigEr and parGlobalResourceLock.kind != 'None' or if parVirtualNetworkGatewayLock.kind != 'None'
 resource resVirtualNetworkGatewayLock 'Microsoft.Authorization/locks@2020-05-01' = [for (gateway, i) in varGwConfig: if ((gateway.name != 'noconfigVpn') && (gateway.name != 'noconfigEr') && (parVirtualNetworkGatewayLock.kind != 'None' || parGlobalResourceLock.kind != 'None')) {
 scope: resGateway[i]
diff --git a/infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.all.json b/infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.all.json
index 36763ff08..fa8cb3846 100644
--- a/infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.all.json
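Review bot: The primary ipConfiguration is renamed from `vnetGatewayConfig` to `vnetGatewayConfig1` in the first element of the concat, which the active-active feature does not require and which alters a property of every gateway already deployed by this module; on the next deployment that is at least an in-place update of a long-running resource and may be rejected or force a recreate. Keeping `name: 'vnetGatewayConfig'` for the primary entry and introducing a new name only for the secondary one avoids that churn for existing hubs. Dropping the `'na'` fallback on the `id:` line is safe only because resGateway carries the same noconfig condition as modGatewayPublicIp, so a short comment such as `// modGatewayPublicIp[i] always exists here: resGateway shares its noconfig condition` would record that coupling. The resGateway declaration begins before this hunk.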
+++ b/infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.all.json
@@ -6,7 +6,7 @@
 "value": "eastus"
 },
 "parCompanyPrefix": {
- "value": "alz"
+ "value": "test"
 },
 "parHubNetworkName": {
 "value": "alz-hub-eastus"
@@ -55,7 +55,7 @@
 "value": "-PublicIP"
 },
 "parAzBastionEnabled": {
- "value": true
+ "value": false
 },
 "parAzBastionName": {
 "value": "alz-bastion"
@@ -70,13 +70,13 @@
 "value": "nsg-AzureBastionSubnet"
 },
 "parDdosEnabled": {
- "value": true
+ "value": false
 },
 "parDdosPlanName": {
 "value": "alz-ddos-plan"
 },
 "parAzFirewallEnabled": {
- "value": true
+ "value": false
 },
 "parAzFirewallName": {
 "value": "alz-azfw-eastus"
@@ -100,7 +100,7 @@
 "value": []
 },
 "parAzFirewallDnsProxyEnabled": {
- "value": true
+ "value": false
 },
 "parAzFirewallDnsServers": {
 "value": []
@@ -112,7 +112,7 @@
 "value": false
 },
 "parPrivateDnsZonesEnabled": {
- "value": true
+ "value": false
 },
 "parPrivateDnsZones": {
 "value": [
@@ -200,7 +200,7 @@
 "vpnType": "RouteBased",
 "generation": "Generation1",
 "enableBgp": false,
- "activeActive": false,
+ "activeActive": true,
 "enableBgpRouteTranslationForNat": false,
 "enableDnsForwarding": false,
 "bgpPeeringAddress": "",
@@ -213,7 +213,7 @@
 }
 },
 "parExpressRouteGatewayEnabled": {
- "value": true
+ "value": false
 },
 "parExpressRouteGatewayConfig": {
 "value": {
@@ -223,7 +223,7 @@
 "vpnType": "RouteBased",
 "generation": "None",
 "enableBgp": false,
- "activeActive": false,
+ "activeActive": true,
 "enableBgpRouteTranslationForNat": false,
 "enableDnsForwarding": false,
 "bgpPeeringAddress": "",
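Review bot: The change of `parCompanyPrefix` to "test" and the switch of parAzBastionEnabled, parDdosEnabled, parAzFirewallEnabled, parAzFirewallDnsProxyEnabled, parPrivateDnsZonesEnabled and parExpressRouteGatewayEnabled to false (hunks at lines 6, 55, 70, 100, 112 and 213) look like values left over from a local test run rather than part of the active-active feature. This file is the reference "all" parameter set for the hub module, so the protective services it demonstrates — DDoS protection, Azure Firewall with DNS proxy, private DNS zones — should stay enabled, and only the two `"activeActive": true` lines belong to this commit. If a reduced-cost test variant is wanted, it should live in a separate parameter file rather than replacing the defaults users copy from.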