From 930cfa2884cb339a2cdd7b3de2830fb081989bcc Mon Sep 17 00:00:00 2001 From: JamJarchitect Date: Fri, 28 Apr 2023 16:12:54 +0100 Subject: [PATCH 01/16] basic sku added and vwan connectivity updated --- .../modules/hubNetworking/hubNetworking.bicep | 43 ++++++++++++++++++- .../vwanConnectivity/vwanConnectivity.bicep | 3 +- 2 files changed, 43 insertions(+), 3 deletions(-) diff --git a/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep b/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep index 1d25327ca..dec2dcf85 100644 --- a/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep +++ b/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep @@ -27,6 +27,10 @@ param parSubnets array = [ name: 'AzureFirewallSubnet' ipAddressRange: '10.10.254.0/24' } + { + name: 'AzureFirewallManagementSubnet' + ipAddressRange: '10.10.253.0/24' + } ] @sys.description('Array of DNS Server IP addresses for VNet.') @@ -74,6 +78,7 @@ param parAzFirewallPoliciesName string = '${parCompanyPrefix}-azfwpolicy-${parLo @sys.description('Azure Firewall Tier associated with the Firewall to deploy.') @allowed([ + 'Basic' 'Standard' 'Premium' ]) @@ -242,7 +247,7 @@ param parTags object = {} param parTelemetryOptOut bool = false @sys.description('Define outbound destination ports or ranges for SSH or RDP that you want to access from Azure Bastion.') -param parBastionOutboundSshRdpPorts array = ['22','3389'] +param parBastionOutboundSshRdpPorts array = [ '22', '3389' ] var varSubnetProperties = [for subnet in parSubnets: { name: subnet.name 
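Review bot: The `AzureFirewallManagementSubnet` entry added to the default `parSubnets` is consumed only on the Basic tier (the `managementIpConfiguration` introduced further down in this commit is gated on `parAzFirewallTier == 'Basic'`), yet nothing tells the reader that, so Standard and Premium deployments will now reserve a /24 for a subnet the template never attaches to anything. The `@sys.description` for `parSubnets` sits above this hunk, as does the start of the `param` declaration; suggest appending to it: `AzureFirewallManagementSubnet is only required when parAzFirewallTier is Basic; if present it should be at least a /26, like AzureFirewallSubnet.` The /26 minimum for the management subnet is what the Azure Firewall documentation states, but please confirm against the current service requirement before committing it to the description.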
@@ -563,6 +568,11 @@ resource resAzureFirewallSubnetRef 'Microsoft.Network/virtualNetworks/subnets@20 name: 'AzureFirewallSubnet' } +resource resAzureFirewallMgmtSubnetRef 'Microsoft.Network/virtualNetworks/subnets@2021-08-01' existing = if (parAzFirewallEnabled && (contains(map(parSubnets, subnets => subnets.name), 'AzureFirewallManagementSubnet'))) { + parent: resHubVnet + name: 'AzureFirewallManagementSubnet' +} + module modAzureFirewallPublicIp '../publicIp/publicIp.bicep' = if (parAzFirewallEnabled) { name: 'deploy-Firewall-Public-IP' params: { @@ -581,12 +591,30 @@ module modAzureFirewallPublicIp '../publicIp/publicIp.bicep' = if (parAzFirewall } } +module modAzureFirewallMgmtPublicIp '../publicIp/publicIp.bicep' = if (parAzFirewallEnabled && (contains(map(parSubnets, subnets => subnets.name), 'AzureFirewallManagementSubnet'))) { + name: 'deploy-Firewall-mgmt-Public-IP' + params: { + parLocation: parLocation + parAvailabilityZones: parAzFirewallAvailabilityZones + parPublicIpName: '${parPublicIpPrefix}${parAzFirewallName}-mgmt-${parPublicIpSuffix}' + parPublicIpProperties: { + publicIpAddressVersion: 'IPv4' + publicIpAllocationMethod: 'Static' + } + parPublicIpSku: { + name: 'Standard' + } + parTags: parTags + parTelemetryOptOut: parTelemetryOptOut + } +} + resource resFirewallPolicies 'Microsoft.Network/firewallPolicies@2021-08-01' = if (parAzFirewallEnabled) { name: parAzFirewallPoliciesName location: parLocation tags: parTags properties: { - dnsSettings: { + dnsSettings: (parAzFirewallTier == 'Basic') ? {} : { enableProxy: parAzFirewallDnsProxyEnabled } sku: { 
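Review bot: `modAzureFirewallMgmtPublicIp` (and `resAzureFirewallMgmtSubnetRef` in the hunk just before it) are conditioned on the firewall being enabled and the management subnet being listed in `parSubnets`, but not on the tier, while the only consumer of their values is the Basic-only `managementIpConfiguration`. Because this commit also puts `AzureFirewallManagementSubnet` into the default `parSubnets`, every Standard or Premium hub now gets an extra static Standard-SKU public IP that is never attached to anything — an orphaned internet-routable address that is paid for and has to be inventoried. Suggest adding the tier to the condition: `module modAzureFirewallMgmtPublicIp '../publicIp/publicIp.bicep' = if (parAzFirewallEnabled && parAzFirewallTier == 'Basic' && contains(map(parSubnets, subnets => subnets.name), 'AzureFirewallManagementSubnet')) {`, with the same clause on `resAzureFirewallMgmtSubnetRef` for consistency.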
@@ -616,6 +644,17 @@ resource resAzureFirewall 'Microsoft.Network/azureFirewalls@2021-08-01' = if (pa } } ] + managementIpConfiguration: (parAzFirewallTier == 'Basic') ? { + name: 'mgmtIpConfig' + properties: { + publicIPAddress: { + id: parAzFirewallEnabled ? modAzureFirewallMgmtPublicIp.outputs.outPublicIpId : '' + } + subnet: { + id: resAzureFirewallMgmtSubnetRef.id + } + } + } : {} sku: { name: 'AZFW_VNet' tier: parAzFirewallTier diff --git a/infra-as-code/bicep/modules/vwanConnectivity/vwanConnectivity.bicep b/infra-as-code/bicep/modules/vwanConnectivity/vwanConnectivity.bicep index 9c44f6017..0eb930c1e 100644 --- a/infra-as-code/bicep/modules/vwanConnectivity/vwanConnectivity.bicep +++ b/infra-as-code/bicep/modules/vwanConnectivity/vwanConnectivity.bicep @@ -9,6 +9,7 @@ param parCompanyPrefix string = 'alz' @sys.description('Azure Firewall Tier associated with the Firewall to deploy.') @allowed([ + 'Basic' 'Standard' 'Premium' ]) @@ -263,7 +264,7 @@ resource resFirewallPolicies 'Microsoft.Network/firewallPolicies@2022-05-01' = i location: parLocation tags: parTags properties: { - dnsSettings: { + dnsSettings: (parAzFirewallTier == 'Basic') ? {} : { enableProxy: parAzFirewallDnsProxyEnabled } sku: { From 8d5b231365ceca157ad34f750e6a7301e53ed9a0 Mon Sep 17 00:00:00 2001 From: JamJarchitect Date: Fri, 28 Apr 2023 20:37:04 +0100 Subject: [PATCH 02/16] basic fw sku --- .../modules/hubNetworking/hubNetworking.bicep | 10 ++++++--- .../vwanConnectivity/vwanConnectivity.bicep | 22 ++++++++++--------- 2 files changed, 19 insertions(+), 13 deletions(-) diff --git a/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep b/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep index dec2dcf85..9d6ac965b 100644 --- a/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep +++ b/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep 
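Review bot: The `publicIPAddress.id` inside the new `managementIpConfiguration` is guarded by `parAzFirewallEnabled`, which is already true for any deployment of `resAzureFirewall`, but not by the condition that actually decides whether `modAzureFirewallMgmtPublicIp` is deployed (the management subnet being present in `parSubnets`). A caller who selects `parAzFirewallTier = 'Basic'` together with a `parSubnets` override that omits `AzureFirewallManagementSubnet` will therefore most likely fail late, on a reference to the outputs of a module that was never deployed, rather than with an error that names the missing subnet. Mirroring the module's own condition, e.g. `id: contains(map(parSubnets, subnets => subnets.name), 'AzureFirewallManagementSubnet') ? modAzureFirewallMgmtPublicIp.outputs.outPublicIpId : ''`, removes the dangling reference, and a sentence on `parAzFirewallTier` saying that Basic requires that subnet would make the contract explicit. The enclosing `resAzureFirewall` resource begins and ends outside this hunk.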
@@ -82,7 +82,7 @@ param parAzFirewallPoliciesName string = '${parCompanyPrefix}-azfwpolicy-${parLo 'Standard' 'Premium' ]) -param parAzFirewallTier string = 'Standard' +param parAzFirewallTier string = 'Basic' @allowed([ '1' @@ -613,8 +613,12 @@ resource resFirewallPolicies 'Microsoft.Network/firewallPolicies@2021-08-01' = i name: parAzFirewallPoliciesName location: parLocation tags: parTags - properties: { - dnsSettings: (parAzFirewallTier == 'Basic') ? {} : { + properties: (parAzFirewallTier == 'Basic') ? { + sku: { + tier: parAzFirewallTier + } + } : { + dnsSettings: { enableProxy: parAzFirewallDnsProxyEnabled } sku: { diff --git a/infra-as-code/bicep/modules/vwanConnectivity/vwanConnectivity.bicep b/infra-as-code/bicep/modules/vwanConnectivity/vwanConnectivity.bicep index 0eb930c1e..5ff5ae479 100644 --- a/infra-as-code/bicep/modules/vwanConnectivity/vwanConnectivity.bicep +++ b/infra-as-code/bicep/modules/vwanConnectivity/vwanConnectivity.bicep @@ -13,7 +13,7 @@ param parCompanyPrefix string = 'alz' 'Standard' 'Premium' ]) -param parAzFirewallTier string = 'Standard' +param parAzFirewallTier string = 'Basic' @sys.description('Switch to enable/disable Virtual Hub deployment.') param parVirtualHubEnabled bool = true @@ -39,8 +39,8 @@ param parVirtualWanHubName string = '${parCompanyPrefix}-vhub' ''') param parVirtualWanHubs array = [ { - parVpnGatewayEnabled: true - parExpressRouteGatewayEnabled: true + parVpnGatewayEnabled: false + parExpressRouteGatewayEnabled: false parAzFirewallEnabled: true parVirtualHubAddressPrefix: '10.100.0.0/23' parHubLocation: 'eastus' @@ -196,7 +196,7 @@ resource resVhub 'Microsoft.Network/virtualHubs@2022-01-01' = [for hub in parVir virtualWan: { id: resVwan.id } - virtualRouterAutoScaleConfiguration:{ + virtualRouterAutoScaleConfiguration: { minCapacity: hub.parVirtualRouterAutoScaleConfiguration } hubRoutingPreference: hub.parHubRoutingPreference 
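Review bot: On the Basic arm of the new `properties` ternary in `resFirewallPolicies` the policy is reduced to `sku.tier`, so `parAzFirewallDnsProxyEnabled` is silently discarded whenever `parAzFirewallTier` is `'Basic'`; a user who sets it to `true` gets neither an error nor a DNS proxy. As far as I know the Basic tier does not offer DNS proxy, so dropping the setting is the right outcome, but the parameter should say so — suggest extending its `@sys.description` (outside this hunk) with `Ignored when parAzFirewallTier is Basic, which does not support DNS proxy.` The identical ternary is introduced for `vwanConnectivity.bicep` in the `@@ -263,8 +263,12 @@` hunk of this same commit and deserves the same note. It is also worth checking whether any other policy properties in the non-Basic arm below this hunk (cut off here) are dropped for Basic in the same silent way.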
@@ -263,8 +263,12 @@ resource resFirewallPolicies 'Microsoft.Network/firewallPolicies@2022-05-01' = i name: parAzFirewallPoliciesName location: parLocation tags: parTags - properties: { - dnsSettings: (parAzFirewallTier == 'Basic') ? {} : { + properties: (parAzFirewallTier == 'Basic') ? { + sku: { + tier: parAzFirewallTier + } + } : { + dnsSettings: { enableProxy: parAzFirewallDnsProxyEnabled } sku: { @@ -316,7 +320,6 @@ module modPrivateDnsZones '../privateDnsZones/privateDnsZones.bicep' = if (parPr } } - // Optional Deployments for Customer Usage Attribution module modCustomerUsageAttribution '../../CRML/customerUsageAttribution/cuaIdResourceGroup.bicep' = if (!parTelemetryOptOut) { name: 'pid-${varCuaid}-${uniqueString(parLocation)}' @@ -328,18 +331,17 @@ module modCustomerUsageAttributionZtnP1 '../../CRML/customerUsageAttribution/cua params: {} } - // Output Virtual WAN name and ID output outVirtualWanName string = resVwan.name output outVirtualWanId string = resVwan.id // Output Virtual WAN Hub name and ID -output outVirtualHubName array = [ for (hub, i) in parVirtualWanHubs: { +output outVirtualHubName array = [for (hub, i) in parVirtualWanHubs: { virtualhubname: resVhub[i].name virtualhubid: resVhub[i].id }] -output outVirtualHubId array = [ for (hub, i) in parVirtualWanHubs: { +output outVirtualHubId array = [for (hub, i) in parVirtualWanHubs: { virtualhubid: resVhub[i].id }] // Output DDoS Plan ID From 30ddf1eb262df7e3efc1b294676798a6c226396d Mon Sep 17 00:00:00 2001 From: Jack Tracey <41163455+jtracey93@users.noreply.github.com> Date: Fri, 28 Apr 2023 20:42:34 +0100 Subject: [PATCH 03/16] Update infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep --- infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep b/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep index 9d6ac965b..44ce9a6cd 100644 
--- a/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep +++ b/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep @@ -82,7 +82,7 @@ param parAzFirewallPoliciesName string = '${parCompanyPrefix}-azfwpolicy-${parLo 'Standard' 'Premium' ]) -param parAzFirewallTier string = 'Basic' +param parAzFirewallTier string = 'Standard' @allowed([ '1' From dd345f623a21296ab2bf4e8f40a93163f1b1a4ee Mon Sep 17 00:00:00 2001 From: Jack Tracey <41163455+jtracey93@users.noreply.github.com> Date: Fri, 28 Apr 2023 20:42:40 +0100 Subject: [PATCH 04/16] Update infra-as-code/bicep/modules/vwanConnectivity/vwanConnectivity.bicep --- .../bicep/modules/vwanConnectivity/vwanConnectivity.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/infra-as-code/bicep/modules/vwanConnectivity/vwanConnectivity.bicep b/infra-as-code/bicep/modules/vwanConnectivity/vwanConnectivity.bicep index 5ff5ae479..4d869542b 100644 --- a/infra-as-code/bicep/modules/vwanConnectivity/vwanConnectivity.bicep +++ b/infra-as-code/bicep/modules/vwanConnectivity/vwanConnectivity.bicep @@ -13,7 +13,7 @@ param parCompanyPrefix string = 'alz' 'Standard' 'Premium' ]) -param parAzFirewallTier string = 'Basic' +param parAzFirewallTier string = 'Standard' @sys.description('Switch to enable/disable Virtual Hub deployment.') param parVirtualHubEnabled bool = true From 56920bf59f83cf67d6c2745bee2b8b2da2bf047c Mon Sep 17 00:00:00 2001 From: Jack Tracey <41163455+jtracey93@users.noreply.github.com> Date: Fri, 28 Apr 2023 20:42:45 +0100 Subject: [PATCH 05/16] Update infra-as-code/bicep/modules/vwanConnectivity/vwanConnectivity.bicep --- .../bicep/modules/vwanConnectivity/vwanConnectivity.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/infra-as-code/bicep/modules/vwanConnectivity/vwanConnectivity.bicep b/infra-as-code/bicep/modules/vwanConnectivity/vwanConnectivity.bicep index 4d869542b..0f7f06e5e 100644 --- a/infra-as-code/bicep/modules/vwanConnectivity/vwanConnectivity.bicep 
+++ b/infra-as-code/bicep/modules/vwanConnectivity/vwanConnectivity.bicep @@ -39,7 +39,7 @@ param parVirtualWanHubName string = '${parCompanyPrefix}-vhub' ''') param parVirtualWanHubs array = [ { - parVpnGatewayEnabled: false + parVpnGatewayEnabled: true parExpressRouteGatewayEnabled: false parAzFirewallEnabled: true parVirtualHubAddressPrefix: '10.100.0.0/23' From 3a45b7cb382a69517f4eac2d2e09fa319df57aff Mon Sep 17 00:00:00 2001 From: Jack Tracey <41163455+jtracey93@users.noreply.github.com> Date: Fri, 28 Apr 2023 20:42:50 +0100 Subject: [PATCH 06/16] Update infra-as-code/bicep/modules/vwanConnectivity/vwanConnectivity.bicep --- .../bicep/modules/vwanConnectivity/vwanConnectivity.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/infra-as-code/bicep/modules/vwanConnectivity/vwanConnectivity.bicep b/infra-as-code/bicep/modules/vwanConnectivity/vwanConnectivity.bicep index 0f7f06e5e..f1090be6c 100644 --- a/infra-as-code/bicep/modules/vwanConnectivity/vwanConnectivity.bicep +++ b/infra-as-code/bicep/modules/vwanConnectivity/vwanConnectivity.bicep @@ -40,7 +40,7 @@ param parVirtualWanHubName string = '${parCompanyPrefix}-vhub' ''') param parVirtualWanHubs array = [ { parVpnGatewayEnabled: true - parExpressRouteGatewayEnabled: false + parExpressRouteGatewayEnabled: true parAzFirewallEnabled: true parVirtualHubAddressPrefix: '10.100.0.0/23' parHubLocation: 'eastus' From 8facb7434a322955ca668700a9016ffad0cf7f79 Mon Sep 17 00:00:00 2001 From: github-actions <41898282+github-actions[bot]@users.noreply.github.com> Date: Fri, 28 Apr 2023 19:46:26 +0000 Subject: [PATCH 07/16] Generate Parameter Markdowns [jtracey93/f54bf8b4] --- .../hubNetworking/generateddocs/hubNetworking.bicep.md | 8 ++++++-- .../generateddocs/vwanConnectivity.bicep.md | 2 +- 2 files changed, 7 insertions(+), 3 deletions(-) 
diff --git a/infra-as-code/bicep/modules/hubNetworking/generateddocs/hubNetworking.bicep.md b/infra-as-code/bicep/modules/hubNetworking/generateddocs/hubNetworking.bicep.md index fa1bddbed..1fa57699c 100644 --- a/infra-as-code/bicep/modules/hubNetworking/generateddocs/hubNetworking.bicep.md +++ b/infra-as-code/bicep/modules/hubNetworking/generateddocs/hubNetworking.bicep.md @@ -78,7 +78,7 @@ The IP address range for all virtual networks to use. The name and IP address range for each subnet in the virtual networks. -- Default value: ` ` +- Default value: ` ` ### parDnsServerIps @@ -190,7 +190,7 @@ Azure Firewall Tier associated with the Firewall to deploy. - Default value: `Standard` -- Allowed values: `Standard`, `Premium` +- Allowed values: `Basic`, `Standard`, `Premium` ### parAzFirewallAvailabilityZones @@ -357,6 +357,10 @@ outHubVirtualNetworkId | string | { "name": "AzureFirewallSubnet", "ipAddressRange": "10.10.254.0/24" + }, + { + "name": "AzureFirewallManagementSubnet", + "ipAddressRange": "10.10.253.0/24" } ] }, diff --git a/infra-as-code/bicep/modules/vwanConnectivity/generateddocs/vwanConnectivity.bicep.md b/infra-as-code/bicep/modules/vwanConnectivity/generateddocs/vwanConnectivity.bicep.md index 84719fa3a..077ab53cb 100644 --- a/infra-as-code/bicep/modules/vwanConnectivity/generateddocs/vwanConnectivity.bicep.md +++ b/infra-as-code/bicep/modules/vwanConnectivity/generateddocs/vwanConnectivity.bicep.md @@ -54,7 +54,7 @@ Azure Firewall Tier associated with the Firewall to deploy. - Default value: `Standard` -- Allowed values: `Standard`, `Premium` +- Allowed values: `Basic`, `Standard`, `Premium` ### parVirtualHubEnabled From e13428c683febb8694c4e18a35fd32ff038d9b11 Mon Sep 17 00:00:00 2001 From: JamJarchitect Date: Fri, 28 Apr 2023 22:01:41 +0100 Subject: [PATCH 08/16] gateway dependency --- infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep | 3 +++ 1 file changed, 3 insertions(+) 
diff --git a/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep b/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep index 44ce9a6cd..577e102f4 100644 --- a/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep +++ b/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep @@ -630,6 +630,9 @@ resource resFirewallPolicies 'Microsoft.Network/firewallPolicies@2021-08-01' = i // AzureFirewallSubnet is required to deploy Azure Firewall . This subnet must exist in the parsubnets array if you deploy. // There is a minimum subnet requirement of /26 prefix. resource resAzureFirewall 'Microsoft.Network/azureFirewalls@2021-08-01' = if (parAzFirewallEnabled) { + dependsOn: [ + resGateway + ] name: parAzFirewallName location: parLocation tags: parTags From 171e93e6d25e29eb54af5456291051a16f2cd74c Mon Sep 17 00:00:00 2001 From: JamJarchitect Date: Tue, 2 May 2023 11:56:01 +0100 Subject: [PATCH 09/16] api update in vwan connectivity for VPN and ER gateways --- .../bicep/modules/vwanConnectivity/vwanConnectivity.bicep | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/infra-as-code/bicep/modules/vwanConnectivity/vwanConnectivity.bicep b/infra-as-code/bicep/modules/vwanConnectivity/vwanConnectivity.bicep index f1090be6c..d7750a01d 100644 --- a/infra-as-code/bicep/modules/vwanConnectivity/vwanConnectivity.bicep +++ b/infra-as-code/bicep/modules/vwanConnectivity/vwanConnectivity.bicep @@ -224,7 +224,7 @@ resource resVhubRouteTable 'Microsoft.Network/virtualHubs/hubRouteTables@2022-01 } }] -resource resVpnGateway 'Microsoft.Network/vpnGateways@2021-05-01' = [for (hub, i) in parVirtualWanHubs: if ((parVirtualHubEnabled) && (hub.parVpnGatewayEnabled)) { +resource resVpnGateway 'Microsoft.Network/vpnGateways@2022-09-01' = [for (hub, i) in parVirtualWanHubs: if ((parVirtualHubEnabled) && (hub.parVpnGatewayEnabled)) { dependsOn: resVhub name: '${parVpnGatewayName}-${hub.parHubLocation}' location: hub.parHubLocation 
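Review bot: The explicit `dependsOn: [ resGateway ]` on `resAzureFirewall` is added without a comment explaining why the firewall must wait for the VNet gateway; it is removed again in `bc778da5878c5521912d8558b5d61bdd57c245dc` and re-added in `f826823e46c7db8c0074c02150e7da5ec5f34543` later in this series, which suggests the reason is not obvious even to the authors. Whenever a gateway is deployed, every firewall deployment now also waits for the gateway's (typically long) provisioning. Suggest a why-comment directly above it, e.g. `// Explicit dependency: deploy the firewall only after the VNet gateway — <state the concrete failure observed when they provision concurrently>`. If `resGateway` is a conditional or looped resource (its definition is outside this hunk), please also confirm the reference behaves as intended when no gateway is deployed.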
@@ -242,7 +242,7 @@ resource resVpnGateway 'Microsoft.Network/vpnGateways@2021-05-01' = [for (hub, i } }] -resource resErGateway 'Microsoft.Network/expressRouteGateways@2021-05-01' = [for (hub, i) in parVirtualWanHubs: if ((parVirtualHubEnabled) && (hub.parExpressRouteGatewayEnabled)) { +resource resErGateway 'Microsoft.Network/expressRouteGateways@2022-09-01' = [for (hub, i) in parVirtualWanHubs: if ((parVirtualHubEnabled) && (hub.parExpressRouteGatewayEnabled)) { dependsOn: resVhub name: '${parExpressRouteGatewayName}-${hub.parHubLocation}' location: hub.parHubLocation From bc778da5878c5521912d8558b5d61bdd57c245dc Mon Sep 17 00:00:00 2001 From: JamJarchitect Date: Tue, 2 May 2023 13:43:06 +0100 Subject: [PATCH 10/16] dependson removed and param files for hubnetworking --- .../bicep/modules/hubNetworking/hubNetworking.bicep | 5 +---- .../parameters/hubNetworking.parameters.all.json | 4 ++++ .../parameters/hubNetworking.parameters.min.json | 4 ++++ .../parameters/mc-hubNetworking.parameters.all.json | 4 ++++ .../parameters/mc-hubNetworking.parameters.min.json | 4 ++++ 5 files changed, 17 insertions(+), 4 deletions(-) diff --git a/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep b/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep index 09e1ec9a6..0a8d921c7 100644 --- a/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep +++ b/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep @@ -245,7 +245,7 @@ param parTags object = {} param parTelemetryOptOut bool = false @sys.description('Define outbound destination ports or ranges for SSH or RDP that you want to access from Azure Bastion.') -param parBastionOutboundSshRdpPorts array = [ '22', '3389' ] +param parBastionOutboundSshRdpPorts array = ['22','3389'] var varSubnetProperties = [for subnet in parSubnets: { name: subnet.name 
@@ -628,9 +628,6 @@ resource resFirewallPolicies 'Microsoft.Network/firewallPolicies@2021-08-01' = i // AzureFirewallSubnet is required to deploy Azure Firewall . This subnet must exist in the parsubnets array if you deploy. // There is a minimum subnet requirement of /26 prefix. resource resAzureFirewall 'Microsoft.Network/azureFirewalls@2021-08-01' = if (parAzFirewallEnabled) { - dependsOn: [ - resGateway - ] name: parAzFirewallName location: parLocation tags: parTags diff --git a/infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.all.json b/infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.all.json index 5508e8369..99475f7b0 100644 --- a/infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.all.json +++ b/infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.all.json @@ -27,6 +27,10 @@ { "name": "AzureFirewallSubnet", "ipAddressRange": "10.20.255.0/24" + }, + { + "name": "AzureFirewallManagementSubnet", + "ipAddressRange": "10.10.253.0/24" } ] }, diff --git a/infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.min.json b/infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.min.json index 98d4bee01..ade1d5847 100644 --- a/infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.min.json +++ b/infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.min.json @@ -18,6 +18,10 @@ { "name": "AzureFirewallSubnet", "ipAddressRange": "10.20.255.0/24" + }, + { + "name": "AzureFirewallManagementSubnet", + "ipAddressRange": "10.10.253.0/24" } ] }, diff --git a/infra-as-code/bicep/modules/hubNetworking/parameters/mc-hubNetworking.parameters.all.json b/infra-as-code/bicep/modules/hubNetworking/parameters/mc-hubNetworking.parameters.all.json index 016cc04de..bca5bbf86 100644 --- a/infra-as-code/bicep/modules/hubNetworking/parameters/mc-hubNetworking.parameters.all.json 
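Review bot: The `AzureFirewallManagementSubnet` range `10.10.253.0/24` added to `hubNetworking.parameters.all.json` sits next to an `AzureFirewallSubnet` of `10.20.255.0/24`, i.e. it looks copied from the Bicep default rather than derived from this file's own addressing. If the VNet prefix in these parameter files is within `10.20.0.0/16` (the prefix is outside this hunk, but the neighbouring subnet suggests so), the deployment will be rejected because the management subnet lies outside the VNet address space. Suggest a range inside the file's prefix, e.g. `"ipAddressRange": "10.20.254.0/24"` (constructed example — use whatever range is actually free in that file). The same copied value appears in the `hubNetworking.parameters.min.json`, `mc-hubNetworking.parameters.all.json` and `mc-hubNetworking.parameters.min.json` hunks that follow.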
+++ b/infra-as-code/bicep/modules/hubNetworking/parameters/mc-hubNetworking.parameters.all.json @@ -27,6 +27,10 @@ { "name": "AzureFirewallSubnet", "ipAddressRange": "10.20.255.0/24" + }, + { + "name": "AzureFirewallManagementSubnet", + "ipAddressRange": "10.10.253.0/24" } ] }, diff --git a/infra-as-code/bicep/modules/hubNetworking/parameters/mc-hubNetworking.parameters.min.json b/infra-as-code/bicep/modules/hubNetworking/parameters/mc-hubNetworking.parameters.min.json index 0d0cba621..473a79b84 100644 --- a/infra-as-code/bicep/modules/hubNetworking/parameters/mc-hubNetworking.parameters.min.json +++ b/infra-as-code/bicep/modules/hubNetworking/parameters/mc-hubNetworking.parameters.min.json @@ -21,6 +21,10 @@ { "name": "AzureFirewallSubnet", "ipAddressRange": "10.20.255.0/24" + }, + { + "name": "AzureFirewallManagementSubnet", + "ipAddressRange": "10.10.253.0/24" } ] }, From 9bf011643b5554404ee1f108a990748bbc568e1f Mon Sep 17 00:00:00 2001 From: JamJarchitect Date: Tue, 2 May 2023 14:54:01 +0100 Subject: [PATCH 11/16] sku update --- .../modules/hubNetworking/hubNetworking.bicep | 27 ++++++++++++++++--- 1 file changed, 24 insertions(+), 3 deletions(-) diff --git a/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep b/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep index 0a8d921c7..de0a41ff6 100644 --- a/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep +++ b/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep @@ -632,7 +632,7 @@ resource resAzureFirewall 'Microsoft.Network/azureFirewalls@2021-08-01' = if (pa location: parLocation tags: parTags zones: (!empty(parAzFirewallAvailabilityZones) ? parAzFirewallAvailabilityZones : []) - properties: { + properties: parAzFirewallTier == 'Basic' ? { ipConfigurations: [ { name: 'ipconfig1' 
@@ -646,7 +646,7 @@ resource resAzureFirewall 'Microsoft.Network/azureFirewalls@2021-08-01' = if (pa } } ] - managementIpConfiguration: (parAzFirewallTier == 'Basic') ? { + managementIpConfiguration: { name: 'mgmtIpConfig' properties: { publicIPAddress: { @@ -656,7 +656,28 @@ resource resAzureFirewall 'Microsoft.Network/azureFirewalls@2021-08-01' = if (pa id: resAzureFirewallMgmtSubnetRef.id } } - } : {} + } + sku: { + name: 'AZFW_VNet' + tier: parAzFirewallTier + } + firewallPolicy: { + id: resFirewallPolicies.id + } + } : { + ipConfigurations: [ + { + name: 'ipconfig1' + properties: { + subnet: { + id: resAzureFirewallSubnetRef.id + } + publicIPAddress: { + id: parAzFirewallEnabled ? modAzureFirewallPublicIp.outputs.outPublicIpId : '' + } + } + } + ] sku: { name: 'AZFW_VNet' tier: parAzFirewallTier From f826823e46c7db8c0074c02150e7da5ec5f34543 Mon Sep 17 00:00:00 2001 From: JamJarchitect Date: Tue, 2 May 2023 15:07:30 +0100 Subject: [PATCH 12/16] gateway dependson for firewall --- .../bicep/modules/hubNetworking/hubNetworking.bicep | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep b/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep index de0a41ff6..9ff5cf0da 100644 --- a/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep +++ b/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep @@ -82,7 +82,7 @@ param parAzFirewallPoliciesName string = '${parCompanyPrefix}-azfwpolicy-${parLo 'Standard' 'Premium' ]) -param parAzFirewallTier string = 'Standard' +param parAzFirewallTier string = 'Basic' @allowed([ '1' 
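Review bot: Both arms of the new `properties` ternary on `resAzureFirewall` repeat `ipConfigurations`, `sku` and `firewallPolicy` verbatim; the only real difference is `managementIpConfiguration`, so the two copies will drift the next time one of them is edited (the non-Basic arm's tail is cut off below this hunk, and the resource header sits above it). Hoisting the shared block into a variable and composing the result with `union()` keeps a single copy and makes the tier-specific part explicit. A sketch of the shape, with the existing bodies left as they are:
```bicep
// Properties common to every tier; Basic additionally needs a management IP configuration.
var varAzFirewallBaseProperties = {
  ipConfigurations: [
    // … unchanged: the ipconfig1 entry referencing resAzureFirewallSubnetRef and modAzureFirewallPublicIp …
  ]
  sku: {
    name: 'AZFW_VNet'
    tier: parAzFirewallTier
  }
  firewallPolicy: {
    id: resFirewallPolicies.id
  }
}

// … unchanged: resAzureFirewall header, name, location, tags, zones …
  properties: union(varAzFirewallBaseProperties, parAzFirewallTier == 'Basic' ? {
    managementIpConfiguration: {
      // … unchanged: the mgmtIpConfig block …
    }
  } : {})
```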
@@ -628,6 +628,9 @@ resource resFirewallPolicies 'Microsoft.Network/firewallPolicies@2021-08-01' = i // AzureFirewallSubnet is required to deploy Azure Firewall . This subnet must exist in the parsubnets array if you deploy. // There is a minimum subnet requirement of /26 prefix. resource resAzureFirewall 'Microsoft.Network/azureFirewalls@2021-08-01' = if (parAzFirewallEnabled) { + dependsOn: [ + resGateway + ] name: parAzFirewallName location: parLocation tags: parTags From eb1bd608cac3623b614cd084167d28da1ff33ef0 Mon Sep 17 00:00:00 2001 From: github-actions <41898282+github-actions[bot]@users.noreply.github.com> Date: Tue, 2 May 2023 14:10:54 +0000 Subject: [PATCH 13/16] Generate Parameter Markdowns [JamJarchitect/6cb99d85] --- .../hubNetworking/generateddocs/hubNetworking.bicep.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/infra-as-code/bicep/modules/hubNetworking/generateddocs/hubNetworking.bicep.md b/infra-as-code/bicep/modules/hubNetworking/generateddocs/hubNetworking.bicep.md index 64f6702ca..088c185fd 100644 --- a/infra-as-code/bicep/modules/hubNetworking/generateddocs/hubNetworking.bicep.md +++ b/infra-as-code/bicep/modules/hubNetworking/generateddocs/hubNetworking.bicep.md @@ -188,7 +188,7 @@ Azure Firewall Policies Name. Azure Firewall Tier associated with the Firewall to deploy. -- Default value: `Standard` +- Default value: `Basic` - Allowed values: `Basic`, `Standard`, `Premium` @@ -404,7 +404,7 @@ outHubVirtualNetworkId | string | "value": "[format('{0}-azfwpolicy-{1}', parameters('parCompanyPrefix'), parameters('parLocation'))]" }, "parAzFirewallTier": { - "value": "Standard" + "value": "Basic" }, "parAzFirewallAvailabilityZones": { "value": [] From ee1f21e986bfe8571d263d6bf3c7439d969bfea4 Mon Sep 17 00:00:00 2001 
From: JamJarchitect Date: Tue, 2 May 2023 15:30:31 +0100 Subject: [PATCH 14/16] default sku to standard --- infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep b/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep index 9ff5cf0da..5af481bdb 100644 --- a/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep +++ b/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep @@ -82,7 +82,7 @@ param parAzFirewallPoliciesName string = '${parCompanyPrefix}-azfwpolicy-${parLo 'Standard' 'Premium' ]) -param parAzFirewallTier string = 'Basic' +param parAzFirewallTier string = 'Standard' @allowed([ '1' From 2304806a638efe287117659a6ef0764e313f6cce Mon Sep 17 00:00:00 2001 From: github-actions <41898282+github-actions[bot]@users.noreply.github.com> Date: Tue, 2 May 2023 14:33:33 +0000 Subject: [PATCH 15/16] Generate Parameter Markdowns [JamJarchitect/6cb99d85] --- .../hubNetworking/generateddocs/hubNetworking.bicep.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/infra-as-code/bicep/modules/hubNetworking/generateddocs/hubNetworking.bicep.md b/infra-as-code/bicep/modules/hubNetworking/generateddocs/hubNetworking.bicep.md index 088c185fd..64f6702ca 100644 --- a/infra-as-code/bicep/modules/hubNetworking/generateddocs/hubNetworking.bicep.md +++ b/infra-as-code/bicep/modules/hubNetworking/generateddocs/hubNetworking.bicep.md @@ -188,7 +188,7 @@ Azure Firewall Policies Name. Azure Firewall Tier associated with the Firewall to deploy. -- Default value: `Basic` +- Default value: `Standard` - Allowed values: `Basic`, `Standard`, `Premium` @@ -404,7 +404,7 @@ outHubVirtualNetworkId | string | "value": "[format('{0}-azfwpolicy-{1}', parameters('parCompanyPrefix'), parameters('parLocation'))]" }, "parAzFirewallTier": { - "value": "Basic" + "value": "Standard" }, "parAzFirewallAvailabilityZones": { "value": [] 
From 378280f6ce02a69ebb6da09b8f97e57de7eba8fe Mon Sep 17 00:00:00 2001 From: JamJarchitect Date: Tue, 2 May 2023 15:35:41 +0100 Subject: [PATCH 16/16] double space in public ip name for mgmt --- infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep b/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep index 5af481bdb..cf30572da 100644 --- a/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep +++ b/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep @@ -594,7 +594,7 @@ module modAzureFirewallMgmtPublicIp '../publicIp/publicIp.bicep' = if (parAzFire params: { parLocation: parLocation parAvailabilityZones: parAzFirewallAvailabilityZones - parPublicIpName: '${parPublicIpPrefix}${parAzFirewallName}-mgmt-${parPublicIpSuffix}' + parPublicIpName: '${parPublicIpPrefix}${parAzFirewallName}-mgmt${parPublicIpSuffix}' parPublicIpProperties: { publicIpAddressVersion: 'IPv4' publicIpAllocationMethod: 'Static'