Update parameter order for hubnetworking (#175)

* Add updated files * Update mc parameters * Add lineshift to readme * Change er vnet gw sku to std Co-authored-by: Jack Tracey <41163455+jtracey93@users.noreply.github.com>
Azure · Mar 10, 2022 · eabee47 · eabee47
1 parent 70ed0d0
commit eabee47
Show file tree

Hide file tree

Showing 4 changed files with 282 additions and 270 deletions.
diff --git a/infra-as-code/bicep/modules/hubNetworking/README.md b/infra-as-code/bicep/modules/hubNetworking/README.md
@@ -131,7 +131,7 @@ New-AzResourceGroup -Name 'Hub_Networking_POC' `
   
 New-AzResourceGroupDeployment `
   -TemplateFile infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep `
-  -TemplateParameterFile infra-as-code/bicep/modules/hubNetworking/mc-hubNetworking.parameters.example.json
+  -TemplateParameterFile infra-as-code/bicep/modules/hubNetworking/mc-hubNetworking.parameters.example.json `
   -ResourceGroupName 'Hub_Networking_POC'
 ```
 ## Example Output in Azure global regions

diff --git a/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep b/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep
@@ -13,81 +13,35 @@ VERSION: 1.2.0
 */
 
 @description('The Azure Region to deploy the resources into. Default: resourceGroup().location')
-param parRegion string = resourceGroup().location
+param parLocation string = resourceGroup().location
 
-@description('Switch which allows Bastion deployment to be disabled. Default: true')
-param parBastionEnabled bool = true
-
-@description('Switch which allows DDOS deployment to be disabled. Default: true')
-param parDDoSEnabled bool = true
-
-@description('DDOS Plan Name. Default: {parCompanyPrefix}-DDos-Plan')
-param parDDoSPlanName string = '${parCompanyPrefix}-DDoS-Plan'
-
-@description('Switch which allows Azure Firewall deployment to be disabled. Default: true')
-param parAzureFirewallEnabled bool = true
-
-@description('Switch which enables DNS Proxy to be enabled on the Azure Firewall. Default: true')
-param parNetworkDNSEnableProxy bool = true
+@description('Prefix value which will be prepended to all resource names. Default: alz')
+param parCompanyPrefix string = 'alz'
 
-@description('Switch which allows BGP Propagation to be disabled on the route tables: Default: false')
-param parDisableBGPRoutePropagation bool = false
+@description('Prefix Used for Hub Network. Default: {parCompanyPrefix}-hub-{parLocation}')
+param parHubNetworkName string = '${parCompanyPrefix}-hub-${parLocation}'
 
-@description('Switch which allows Private DNS Zones to be disabled. Default: true')
-param parPrivateDNSZonesEnabled bool = true
+@description('The IP address range for all virtual networks to use. Default: 10.10.0.0/16')
+param parHubNetworkAddressPrefix string = '10.10.0.0/16'
 
-//ASN must be 65515 if deploying VPN & ER for co-existence to work: https://docs.microsoft.com/en-us/azure/expressroute/expressroute-howto-coexist-resource-manager#limits-and-limitations
-@description('''Configuration for VPN virtual network gateway to be deployed. If a VPN virtual network gateway is not desired an empty object should be used as the input parameter in the parameter file, i.e. 
-"parVpnGatewayConfig": {
-  "value": {}
-}''')
-param parVpnGatewayConfig object = {
-  name: '${parCompanyPrefix}-Vpn-Gateway'
-  gatewaytype: 'Vpn'
-  sku: 'VpnGw1'
-  vpntype: 'RouteBased'
-  generation: 'Generation1'
-  enableBgp: false
-  activeActive: false
-  enableBgpRouteTranslationForNat: false
-  enableDnsForwarding: false
-  asn: 65515
-  bgpPeeringAddress: ''
-  bgpsettings: {
-    asn: 65515
-    bgpPeeringAddress: ''
-    peerWeight: 5
+@description('The name and IP address range for each subnet in the virtual networks. Default: AzureBastionSubnet, GatewaySubnet, AzureFirewall Subnet')
+param parSubnets array = [
+  {
+    name: 'AzureBastionSubnet'
+    ipAddressRange: '10.10.15.0/24'
   }
-}
-
-@description('''Configuration for ExpressRoute virtual network gateway to be deployed. If a ExpressRoute virtual network gateway is not desired an empty object should be used as the input parameter in the parameter file, i.e. 
-"parExpressRouteGatewayConfig": {
-  "value": {}
-}''')
-param parExpressRouteGatewayConfig object = {
-  name: '${parCompanyPrefix}-ExpressRoute-Gateway'
-  gatewaytype: 'ExpressRoute'
-  sku: 'ErGw1AZ'
-  vpntype: 'RouteBased'
-  vpnGatewayGeneration: 'None'
-  enableBgp: false
-  activeActive: false
-  enableBgpRouteTranslationForNat: false
-  enableDnsForwarding: false
-  asn: '65515'
-  bgpPeeringAddress: ''
-  bgpsettings: {
-    asn: '65515'
-    bgpPeeringAddress: ''
-    peerWeight: '5'
+  {
+    name: 'GatewaySubnet'
+    ipAddressRange: '10.10.252.0/24'
   }
-}
-
-@description('Prefix value which will be prepended to all resource names. Default: alz')
-param parCompanyPrefix string = 'alz'
+  {
+    name: 'AzureFirewallSubnet'
+    ipAddressRange: '10.10.254.0/24'
+  }
+]
 
-@description('Azure Bastion SKU or Tier to deploy.  Currently two options exist Basic and Standard. Default: Standard')
-param parBastionSku string = 'Standard'
+@description('Array of DNS Server IP addresses for VNet. Default: Empty Array')
+param parDNSServerIPArray array = []
 
 @description('Public IP Address SKU. Default: Standard')
 @allowed([
@@ -96,14 +50,23 @@ param parBastionSku string = 'Standard'
 ])
 param parPublicIPSku string = 'Standard'
 
-@description('Tags you would like to be applied to all resources in this module. Default: empty array')
-param parTags object = {}
+@description('Switch which allows Bastion deployment to be disabled. Default: true')
+param parBastionEnabled bool = true
 
-@description('The IP address range for all virtual networks to use. Default: 10.10.0.0/16')
-param parHubNetworkAddressPrefix string = '10.10.0.0/16'
+@description('Name Associated with Bastion Service:  Default: {parCompanyPrefix}-bastion')
+param parBastionName string = '${parCompanyPrefix}-bastion'
+
+@description('Azure Bastion SKU or Tier to deploy.  Currently two options exist Basic and Standard. Default: Standard')
+param parBastionSku string = 'Standard'
+
+@description('Switch which allows DDOS deployment to be disabled. Default: true')
+param parDDoSEnabled bool = true
 
-@description('Prefix Used for Hub Network. Default: {parCompanyPrefix}-hub-{parRegion}')
-param parHubNetworkName string = '${parCompanyPrefix}-hub-${parRegion}'
+@description('DDOS Plan Name. Default: {parCompanyPrefix}-DDos-Plan')
+param parDDoSPlanName string = '${parCompanyPrefix}-DDoS-Plan'
+
+@description('Switch which allows Azure Firewall deployment to be disabled. Default: true')
+param parAzureFirewallEnabled bool = true
 
 @description('Azure Firewall Name. Default: {parCompanyPrefix}-azure-firewall ')
 param parAzureFirewallName string = '${parCompanyPrefix}-azure-firewall'
@@ -115,27 +78,17 @@ param parAzureFirewallName string = '${parCompanyPrefix}-azure-firewall'
 ])
 param parAzureFirewallTier string = 'Standard'
 
+@description('Switch which enables DNS Proxy to be enabled on the Azure Firewall. Default: true')
+param parNetworkDNSEnableProxy bool = true
+
 @description('Name of Route table to create for the default route of Hub. Default: {parCompanyPrefix}-hub-routetable')
 param parHubRouteTableName string = '${parCompanyPrefix}-hub-routetable'
 
-@description('The name and IP address range for each subnet in the virtual networks. Default: AzureBastionSubnet, GatewaySubnet, AzureFirewall Subnet')
-param parSubnets array = [
-  {
-    name: 'AzureBastionSubnet'
-    ipAddressRange: '10.10.15.0/24'
-  }
-  {
-    name: 'GatewaySubnet'
-    ipAddressRange: '10.10.252.0/24'
-  }
-  {
-    name: 'AzureFirewallSubnet'
-    ipAddressRange: '10.10.254.0/24'
-  }
-]
+@description('Switch which allows BGP Propagation to be disabled on the route tables: Default: false')
+param parDisableBGPRoutePropagation bool = false
 
-@description('Name Associated with Bastion Service:  Default: {parCompanyPrefix}-bastion')
-param parBastionName string = '${parCompanyPrefix}-bastion'
+@description('Switch which allows Private DNS Zones to be disabled. Default: true')
+param parPrivateDNSZonesEnabled bool = true
 
 @description('Array of DNS Zones to provision in Hub Virtual Network. Default: All known Azure Private DNS Zones')
 param parPrivateDnsZones array = [
@@ -154,13 +107,13 @@ param parPrivateDnsZones array = [
   'privatelink.cassandra.cosmos.azure.com'
   'privatelink.gremlin.cosmos.azure.com'
   'privatelink.table.cosmos.azure.com'
-  'privatelink.${parRegion}.batch.azure.com'
+  'privatelink.${parLocation}.batch.azure.com'
   'privatelink.postgres.database.azure.com'
   'privatelink.mysql.database.azure.com'
   'privatelink.mariadb.database.azure.com'
   'privatelink.vaultcore.azure.net'
-  'privatelink.${parRegion}.azmk8s.io'
-  '${parRegion}.privatelink.siterecovery.windowsazure.com'
+  'privatelink.${parLocation}.azmk8s.io'
+  '${parLocation}.privatelink.siterecovery.windowsazure.com'
   'privatelink.servicebus.windows.net'
   'privatelink.azure-devices.net'
   'privatelink.eventgrid.azure.net'
@@ -183,8 +136,55 @@ param parPrivateDnsZones array = [
   'privatelink.search.windows.net'
 ]
 
-@description('Array of DNS Server IP addresses for VNet. Default: Empty Array')
-param parDNSServerIPArray array = []
+//ASN must be 65515 if deploying VPN & ER for co-existence to work: https://docs.microsoft.com/en-us/azure/expressroute/expressroute-howto-coexist-resource-manager#limits-and-limitations
+@description('''Configuration for VPN virtual network gateway to be deployed. If a VPN virtual network gateway is not desired an empty object should be used as the input parameter in the parameter file, i.e. 
+"parVpnGatewayConfig": {
+  "value": {}
+}''')
+param parVpnGatewayConfig object = {
+  name: '${parCompanyPrefix}-Vpn-Gateway'
+  gatewaytype: 'Vpn'
+  sku: 'VpnGw1'
+  vpntype: 'RouteBased'
+  generation: 'Generation1'
+  enableBgp: false
+  activeActive: false
+  enableBgpRouteTranslationForNat: false
+  enableDnsForwarding: false
+  asn: 65515
+  bgpPeeringAddress: ''
+  bgpsettings: {
+    asn: 65515
+    bgpPeeringAddress: ''
+    peerWeight: 5
+  }
+}
+
+@description('''Configuration for ExpressRoute virtual network gateway to be deployed. If a ExpressRoute virtual network gateway is not desired an empty object should be used as the input parameter in the parameter file, i.e. 
+"parExpressRouteGatewayConfig": {
+  "value": {}
+}''')
+param parExpressRouteGatewayConfig object = {
+  name: '${parCompanyPrefix}-ExpressRoute-Gateway'
+  gatewaytype: 'ExpressRoute'
+  sku: 'ErGw1AZ'
+  vpntype: 'RouteBased'
+  vpnGatewayGeneration: 'None'
+  enableBgp: false
+  activeActive: false
+  enableBgpRouteTranslationForNat: false
+  enableDnsForwarding: false
+  asn: '65515'
+  bgpPeeringAddress: ''
+  bgpsettings: {
+    asn: '65515'
+    bgpPeeringAddress: ''
+    peerWeight: '5'
+  }
+}
+
+@description('Tags you would like to be applied to all resources in this module. Default: empty array')
+param parTags object = {}
 
 @description('Set Parameter to true to Opt-out of deployment telemetry')
 param parTelemetryOptOut bool = false
@@ -210,14 +210,14 @@ var varCuaid = '2686e846-5fdc-4d4f-b533-16dcb09d6e6c'
 
 resource resDDoSProtectionPlan 'Microsoft.Network/ddosProtectionPlans@2021-02-01' = if (parDDoSEnabled) {
   name: parDDoSPlanName
-  location: parRegion
+  location: parLocation
   tags: parTags
 }
 
 //DDos Protection plan will only be enabled if parDDoSEnabled is true.  
 resource resHubVirtualNetwork 'Microsoft.Network/virtualNetworks@2021-02-01' = {
   name: parHubNetworkName
-  location: parRegion
+  location: parLocation
   tags: parTags
   properties: {
     addressSpace: {
@@ -239,7 +239,7 @@ resource resHubVirtualNetwork 'Microsoft.Network/virtualNetworks@2021-02-01' = {
 module modBastionPublicIP '../publicIp/publicIp.bicep' = if (parBastionEnabled) {
   name: 'deploy-Bastion-Public-IP'
   params: {
-    parLocation: parRegion
+    parLocation: parLocation
     parPublicIPName: '${parBastionName}-PublicIP'
     parPublicIPSku: {
       name: parPublicIPSku
@@ -262,7 +262,7 @@ resource resBastionSubnetRef 'Microsoft.Network/virtualNetworks/subnets@2021-02-
 // There is a minimum subnet requirement of /27 prefix.  
 // If you are deploying standard this needs to be larger. https://docs.microsoft.com/en-us/azure/bastion/configuration-settings#subnet
 resource resBastion 'Microsoft.Network/bastionHosts@2021-02-01' = if (parBastionEnabled) {
-  location: parRegion
+  location: parLocation
   name: parBastionName
   tags: parTags
   sku: {
@@ -294,7 +294,7 @@ resource resGatewaySubnetRef 'Microsoft.Network/virtualNetworks/subnets@2021-02-
 module modGatewayPublicIP '../publicIp/publicIp.bicep' = [for (gateway, i) in varGwConfig: if ((gateway.name != 'noconfigVpn') && (gateway.name != 'noconfigEr')) {
   name: 'deploy-Gateway-Public-IP-${i}'
   params: {
-    parLocation: parRegion
+    parLocation: parLocation
     parPublicIPName: '${gateway.name}-PublicIP'
     parPublicIPProperties: {
       publicIPAddressVersion: 'IPv4'
@@ -311,7 +311,7 @@ module modGatewayPublicIP '../publicIp/publicIp.bicep' = [for (gateway, i) in va
 //Minumum subnet size is /27 supporting documentation https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsub
 resource resGateway 'Microsoft.Network/virtualNetworkGateways@2021-02-01' = [for (gateway, i) in varGwConfig: if ((gateway.name != 'noconfigVpn') && (gateway.name != 'noconfigEr')) {
   name: gateway.name
-  location: parRegion
+  location: parLocation
   tags: parTags
   properties: {
     activeActive: gateway.activeActive
@@ -351,7 +351,7 @@ resource resAzureFirewallSubnetRef 'Microsoft.Network/virtualNetworks/subnets@20
 module modAzureFirewallPublicIP '../publicIp/publicIp.bicep' = if (parAzureFirewallEnabled) {
   name: 'deploy-Firewall-Public-IP'
   params: {
-    parLocation: parRegion
+    parLocation: parLocation
     parPublicIPName: '${parAzureFirewallName}-PublicIP'
     parPublicIPProperties: {
       publicIPAddressVersion: 'IPv4'
@@ -369,7 +369,7 @@ module modAzureFirewallPublicIP '../publicIp/publicIp.bicep' = if (parAzureFirew
 // There is a minimum subnet requirement of /26 prefix.  
 resource resAzureFirewall 'Microsoft.Network/azureFirewalls@2021-02-01' = if (parAzureFirewallEnabled) {
   name: parAzureFirewallName
-  location: parRegion
+  location: parLocation
   tags: parTags
   properties: {
     networkRuleCollections: [
@@ -429,7 +429,7 @@ resource resAzureFirewall 'Microsoft.Network/azureFirewalls@2021-02-01' = if (pa
 //If Azure Firewall is enabled we will deploy a RouteTable to redirect Traffic to the Firewall.
 resource resHubRouteTable 'Microsoft.Network/routeTables@2021-02-01' = if (parAzureFirewallEnabled) {
   name: parHubRouteTableName
-  location: parRegion
+  location: parLocation
   tags: parTags
   properties: {
     routes: [