Add Various Features & Fix Various Bugs to VWAN & Hub Networking #226

Merged
merged 12 commits into from
May 5, 2022
2 changes: 1 addition & 1 deletion .github/linters/.markdown-lint.yml
Expand Up @@ -22,7 +22,7 @@ MD004: false # Unordered list style
MD007:
indent: 2 # Unordered list indentation
MD013:
line_length: 850 # Line length 80 is far to short
line_length: 900 # Line length 80 is far to short
MD026:
punctuation: ".,;:!。,;:" # List of not allowed
MD029: false # Ordered list item prefix
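Review bot: the comment on the changed line still reads "far to short"; since the line is being touched anyway, fix it to "far too short". Raising MD013 to 900 only exists to fit the widened parameter table in the privateDnsZones README, and a limit that high effectively disables the rule for prose as well; consider `tables: false` under MD013 instead and keep a real line limit for ordinary text.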
71 changes: 34 additions & 37 deletions infra-as-code/bicep/modules/hubNetworking/README.md

Large diffs are not rendered by default.

68 changes: 32 additions & 36 deletions infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep
Expand Up @@ -55,7 +55,10 @@ param parDdosPlanName string = '${parCompanyPrefix}-ddos-plan'
param parAzureFirewallEnabled bool = true

@description('Azure Firewall Name. Default: {parCompanyPrefix}-azure-firewall ')
param parAzureFirewallName string = '${parCompanyPrefix}-azure-firewall'
param parAzureFirewallName string = '${parCompanyPrefix}-azfw-${parLocation}'

@description('Azure Firewall Policies Name. Default: {parCompanyPrefix}-fwpol-{parLocation}')
param parFirewallPoliciesName string = '${parCompanyPrefix}-azfwpolicy-${parLocation}'

@description('Azure Firewall Tier associated with the Firewall to deploy. Default: Standard ')
@allowed([
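Review bot: both new defaults disagree with their own @description strings. parAzureFirewallName's description still says `Default: {parCompanyPrefix}-azure-firewall` while the default is now `${parCompanyPrefix}-azfw-${parLocation}`, and parFirewallPoliciesName's description says `{parCompanyPrefix}-fwpol-{parLocation}` while the default is `${parCompanyPrefix}-azfwpolicy-${parLocation}`. Update the descriptions (and the README table) so the generated docs show the names that are actually deployed.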
Expand All @@ -64,6 +67,14 @@ param parAzureFirewallName string = '${parCompanyPrefix}-azure-firewall'
])
param parAzureFirewallTier string = 'Standard'

@allowed([
'1'
'2'
'3'
])
@description('Availability Zones to deploy the Azure Firewall across. Region must support Availability Zones to use. If it does not then leave empty.')
param parAzureFirewallAvailabilityZones array = []

@description('Switch which enables DNS Proxy to be enabled on the Azure Firewall. Default: true')
param parNetworkDNSEnableProxy bool = true

Expand Down Expand Up @@ -351,6 +362,7 @@ module modAzureFirewallPublicIP '../publicIp/publicIp.bicep' = if (parAzureFirew
name: 'deploy-Firewall-Public-IP'
params: {
parLocation: parLocation
parAvailabilityZones: parAzureFirewallAvailabilityZones
parPublicIPName: '${parAzureFirewallName}-PublicIP'
parPublicIPProperties: {
publicIPAddressVersion: 'IPv4'
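Review bot: `parAvailabilityZones` is forwarded to `../publicIp/publicIp.bicep`, but that module's change is not part of this diff; confirm it declares the parameter with the same `[]` default and that it deploys a Standard SKU public IP, because zonal and zone-redundant public IPs require Standard SKU. The zones on this public IP also have to be compatible with the firewall's `zones`, otherwise the firewall deployment is rejected; wiring both to `parAzureFirewallAvailabilityZones` keeps them aligned, so a one-line comment saying that is deliberate would help the next editor.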
Expand All @@ -364,43 +376,28 @@ module modAzureFirewallPublicIP '../publicIp/publicIp.bicep' = if (parAzureFirew
}
}

resource resFirewallPolicies 'Microsoft.Network/firewallPolicies@2021-05-01' = if (parAzureFirewallEnabled) {
name: parFirewallPoliciesName
location: parLocation
tags: parTags
properties: {
dnsSettings: {
enableProxy: parNetworkDNSEnableProxy
}
sku: {
tier: parAzureFirewallTier
}
}
}

// AzureFirewallSubnet is required to deploy Azure Firewall . This subnet must exist in the parsubnets array if you deploy.
// There is a minimum subnet requirement of /26 prefix.
resource resAzureFirewall 'Microsoft.Network/azureFirewalls@2021-02-01' = if (parAzureFirewallEnabled) {
resource resAzureFirewall 'Microsoft.Network/azureFirewalls@2021-05-01' = if (parAzureFirewallEnabled) {
name: parAzureFirewallName
location: parLocation
tags: parTags
zones: (!empty(parAzureFirewallAvailabilityZones) ? parAzureFirewallAvailabilityZones : json('null'))
properties: {
networkRuleCollections: [
{
name: 'VmInternetAccess'
properties: {
priority: 101
action: {
type: 'Allow'
}
rules: [
{
name: 'AllowVMAppAccess'
description: 'Allows VM access to the web'
protocols: [
'TCP'
]
sourceAddresses: [
parHubNetworkAddressPrefix
]
destinationAddresses: [
'*'
]
destinationPorts: [
'80'
'443'
]
}
]
}
}
]
ipConfigurations: [
{
name: 'ipconfig1'
Expand All @@ -414,13 +411,12 @@ resource resAzureFirewall 'Microsoft.Network/azureFirewalls@2021-02-01' = if (pa
}
}
]
threatIntelMode: 'Alert'
sku: {
name: 'AZFW_VNet'
tier: parAzureFirewallTier
}
additionalProperties: {
'Network.DNS.EnableProxy': '${parNetworkDNSEnableProxy}'
firewallPolicy: {
id: resFirewallPolicies.id
}
}
}
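Review bot: `threatIntelMode: 'Alert'` is removed from the firewall but no `threatIntelMode` is set on the new `resFirewallPolicies`, so threat intelligence mode now falls back to the policy default instead of an explicit value; set `threatIntelMode: 'Alert'` (or expose a parameter) under the policy's properties so the behaviour stays visible in code. Two further points: removing the 'VmInternetAccess' collection means a freshly deployed firewall has no allow rules at all, so outbound 80/443 from `parHubNetworkAddressPrefix` that used to be permitted is now denied by default; that is the right least-privilege default for a shared module, but it is a breaking change for existing consumers and belongs in the README and release notes. And `json('null')` for `zones` can simply be `null` in Bicep, which the linter prefers.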
Expand Down Expand Up @@ -451,7 +447,7 @@ module modPrivateDnsZones '../privateDnsZones/privateDnsZones.bicep' = if (parPr
params: {
parLocation: parLocation
parTags: parTags
parHubVirtualNetworkId: resHubVirtualNetwork.id
parVirtualNetworkIdToLink: resHubVirtualNetwork.id
parPrivateDnsZones: parPrivateDnsZones
}
}
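Review bot: this rename only works because the privateDnsZones module now defaults `parVirtualNetworkIdToLink` to `''`; any other caller of that module (the VWAN path named in the PR title, or a consumer's own wrapper) that still passes `parHubVirtualNetworkId` will fail at deployment with an unknown-parameter error, since the old name is removed rather than kept as an alias. Grep the repository for the old parameter name and list the rename as a breaking change.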
Original file line number Diff line number Diff line change
Expand Up @@ -55,11 +55,14 @@
"value": true
},
"parAzureFirewallName": {
"value": "alz-azure-firewall"
"value": "alz-azfw-eastus"
},
"parAzureFirewallTier": {
"value": "Standard"
},
"parAzureFirewallAvailabilityZones": {
"value": []
},
"parNetworkDNSEnableProxy": {
"value": true
},
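Review bot: the example keeps `parAzureFirewallAvailabilityZones` at `[]`, so anyone copying this file deploys a non-zonal firewall in eastus, a region that does support zones; for a reference parameter file aimed at a platform hub, `["1", "2", "3"]` (zone-redundant) is the safer example, with the empty array reserved for regions without zone support.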
Original file line number Diff line number Diff line change
Expand Up @@ -55,11 +55,14 @@
"value": true
},
"parAzureFirewallName": {
"value": "alz-azure-firewall"
"value": "alz-azfw-chinaeast2"
},
"parAzureFirewallTier": {
"value": "Standard"
},
"parAzureFirewallAvailabilityZones": {
"value": []
},
"parNetworkDNSEnableProxy": {
"value": true
},
22 changes: 11 additions & 11 deletions infra-as-code/bicep/modules/privateDnsZones/README.md
Expand Up @@ -11,13 +11,13 @@ Module deploys the following resources:

The module requires the following inputs:

| Parameter | Type | Default | Description | Requirement | Example |
| ---------------------- | ------ | ---------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------ |
| parLocation | string | `resourceGroup().location` | The Azure Region to deploy the resources into | None | `eastus` |
| parPrivateDnsZones | array | See example parameters file [`privateDnsZones.parameters.example.json`](privateDnsZones.parameters.example.json) | Array of DNS Zones to provision in Hub Virtual Network. Default: All known Azure Private DNS Zones - See [DNS Zones](#dns-zones) for more info | None | See Default |
| parTags | object | Empty Array [] | List of tags (Key Value Pairs) to be applied to resources | None | environment: 'development' |
| parHubVirtualNetworkId | string | | Resource ID of the Hub Virtual Network | Valid Resource ID of the Virtual Network | /subscriptions/[your platform management subscription ID]/resourceGroups/Hub_PrivateDNS_POC/providers/Microsoft.Network/virtualNetworks/alz-hub-eastus |
| parTelemetryOptOut | bool | false | Set Parameter to true to Opt-out of deployment telemetry | None | false |
| Parameter | Type | Default | Description | Requirement | Example |
| ------------------------- | ------ | ---------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------ |
| parLocation | string | `resourceGroup().location` | The Azure Region to deploy the resources into | None | `eastus` |
| parPrivateDnsZones | array | See example parameters file [`privateDnsZones.parameters.example.json`](privateDnsZones.parameters.example.json) | Array of DNS Zones to provision in Hub Virtual Network. Default: All known Azure Private DNS Zones - See [DNS Zones](#dns-zones) for more info | None | See Default |
| parTags | object | Empty Array [] | List of tags (Key Value Pairs) to be applied to resources | None | environment: 'development' |
| parVirtualNetworkIdToLink | string | Empty String | Resource ID of VNet for Private DNS Zone VNet Links | Valid Resource ID of the Virtual Network | /subscriptions/[your platform connectivity subscription ID]/resourceGroups/Hub_PrivateDNS_POC/providers/Microsoft.Network/virtualNetworks/alz-hub-eastus |
| parTelemetryOptOut | bool | false | Set Parameter to true to Opt-out of deployment telemetry | None | false |

## DNS Zones

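Review bot: the new `parVirtualNetworkIdToLink` row should say what happens when it is left at its `Empty String` default: the zones are created but no virtual network links are, so nothing resolves against them until a link is added. While this table is being rewritten, `parTags` lists its default as `Empty Array []` although its type is `object`; `Empty Object {}` is what the module actually defaults to.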
Expand Down Expand Up @@ -70,7 +70,7 @@ There are two different sets of input parameters; one for deploying to Azure glo
```bash
# For Azure global regions
# Set Platform connectivity subscription ID as the the current subscription
ConnectivitySubscriptionId="[your platform management subscription ID]"
ConnectivitySubscriptionId="[your platform connectivity subscription ID]"
az account set --subscription $ConnectivitySubscriptionId

az group create --location eastus \
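Review bot: the placeholder correction is right (the Private DNS zones belong in the connectivity subscription), but the context line above it still reads "as the the current subscription"; the same doubled word appears in all four of these deployment blocks, so fix it in the same PR.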
Expand All @@ -85,7 +85,7 @@ OR
```bash
# For Azure China regions
# Set Platform connectivity subscription ID as the the current subscription
ConnectivitySubscriptionId="[your platform management subscription ID]"
ConnectivitySubscriptionId="[your platform connectivity subscription ID]"
az account set --subscription $ConnectivitySubscriptionId

az group create --location chinaeast2 \
Expand All @@ -102,7 +102,7 @@ az deployment group create \
```powershell
# For Azure global regions
# Set Platform connectivity subscription ID as the the current subscription
$ConnectivitySubscriptionId = "[your platform management subscription ID]"
$ConnectivitySubscriptionId = "[your platform connectivity subscription ID]"

Select-AzSubscription -SubscriptionId $ConnectivitySubscriptionId

Expand All @@ -118,7 +118,7 @@ OR
```powershell
# For Azure China regions
# Set Platform connectivity subscription ID as the the current subscription
$ConnectivitySubscriptionId = "[your platform management subscription ID]"
$ConnectivitySubscriptionId = "[your platform connectivity subscription ID]"

Select-AzSubscription -SubscriptionId $ConnectivitySubscriptionId

Original file line number Diff line number Diff line change
Expand Up @@ -43,6 +43,9 @@
"Environment": "POC"
}
},
"parVirtualNetworkIdToLink": {
"value": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/xxxxxxxxxxx/providers/Microsoft.Network/virtualNetworks/xxxxxxxxxxx"
},
"parTelemetryOptOut": {
"value": false
}
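Review bot: the example value is an all-`x` placeholder resource ID; because the parameter now defaults to `''` and the link resource is conditional on it, the README should say the key can be omitted entirely when no link is wanted, rather than leaving a placeholder that fails deployment if copied unedited.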
Original file line number Diff line number Diff line change
Expand Up @@ -60,8 +60,8 @@ param parPrivateDnsZones array = [
@description('Tags you would like to be applied to all resources in this module. Default: empty array')
param parTags object = {}

@description('Resource ID of Hub VNet for Private DNS Zone VNet Links')
param parHubVirtualNetworkId string
@description('Resource ID of VNet for Private DNS Zone VNet Links')
param parVirtualNetworkIdToLink string = ''

@description('Set Parameter to true to Opt-out of deployment telemetry')
param parTelemetryOptOut bool = false
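Review bot: the description should mention the new default and its effect, e.g. `@description('Resource ID of VNet for Private DNS Zone VNet Links. Default: empty string, which skips creating the links')`, matching how the other parameters in this file document their defaults.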
Expand All @@ -75,13 +75,13 @@ resource resPrivateDnsZones 'Microsoft.Network/privateDnsZones@2020-06-01' = [fo
tags: parTags
}]

resource resVirtualNetworkLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = [for privateDnsZoneName in parPrivateDnsZones: {
resource resVirtualNetworkLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = [for privateDnsZoneName in parPrivateDnsZones: if (!empty(parVirtualNetworkIdToLink)) {
name: '${privateDnsZoneName}/${privateDnsZoneName}'
location: 'global'
properties: {
registrationEnabled: false
virtualNetwork: {
id: parHubVirtualNetworkId
id: parVirtualNetworkIdToLink
}
}
dependsOn: resPrivateDnsZones
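Review bot: the per-item `if (!empty(parVirtualNetworkIdToLink))` makes link creation silent when the ID is empty, so a caller that forgets the parameter gets every zone with zero links and private endpoint name resolution quietly stops working; that is the failure mode someone will be chasing later. Consider an output that exposes whether links were created (or their count) so the omission is visible at deployment time rather than at first DNS lookup.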