Azure · jtracey93 · May 3, 2023 · Apr 28, 2023 · Apr 28, 2023 · Apr 28, 2023
diff --git a/infra-as-code/bicep/modules/hubNetworking/generateddocs/hubNetworking.bicep.md b/infra-as-code/bicep/modules/hubNetworking/generateddocs/hubNetworking.bicep.md
@@ -78,7 +78,7 @@ The IP address range for all virtual networks to use.
 
 The name and IP address range for each subnet in the virtual networks.
 
-- Default value: `  `
+- Default value: `   `
 
 ### parDnsServerIps
 
@@ -190,7 +190,7 @@ Azure Firewall Tier associated with the Firewall to deploy.
 
 - Default value: `Standard`
 
-- Allowed values: `Standard`, `Premium`
+- Allowed values: `Basic`, `Standard`, `Premium`
 
 ### parAzFirewallAvailabilityZones
 
@@ -357,6 +357,10 @@ outHubVirtualNetworkId | string |
                 {
                     "name": "AzureFirewallSubnet",
                     "ipAddressRange": "10.10.254.0/24"
+                },
+                {
+                    "name": "AzureFirewallManagementSubnet",
+                    "ipAddressRange": "10.10.253.0/24"
                 }
             ]
         },

diff --git a/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep b/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep
@@ -27,6 +27,10 @@ param parSubnets array = [
     name: 'AzureFirewallSubnet'
     ipAddressRange: '10.10.254.0/24'
   }
+  {
+    name: 'AzureFirewallManagementSubnet'
+    ipAddressRange: '10.10.253.0/24'
+  }
 ]
 
 @sys.description('Array of DNS Server IP addresses for VNet.')
@@ -74,6 +78,7 @@ param parAzFirewallPoliciesName string = '${parCompanyPrefix}-azfwpolicy-${parLo
 
 @sys.description('Azure Firewall Tier associated with the Firewall to deploy.')
 @allowed([
+  'Basic'
   'Standard'
   'Premium'
 ])
@@ -561,6 +566,11 @@ resource resAzureFirewallSubnetRef 'Microsoft.Network/virtualNetworks/subnets@20
   name: 'AzureFirewallSubnet'
 }
 
+resource resAzureFirewallMgmtSubnetRef 'Microsoft.Network/virtualNetworks/subnets@2021-08-01' existing = if (parAzFirewallEnabled && (contains(map(parSubnets, subnets => subnets.name), 'AzureFirewallManagementSubnet'))) {
+  parent: resHubVnet
+  name: 'AzureFirewallManagementSubnet'
+}
+
 module modAzureFirewallPublicIp '../publicIp/publicIp.bicep' = if (parAzFirewallEnabled) {
   name: 'deploy-Firewall-Public-IP'
   params: {
@@ -579,11 +589,33 @@ module modAzureFirewallPublicIp '../publicIp/publicIp.bicep' = if (parAzFirewall
   }
 }
 
+module modAzureFirewallMgmtPublicIp '../publicIp/publicIp.bicep' = if (parAzFirewallEnabled && (contains(map(parSubnets, subnets => subnets.name), 'AzureFirewallManagementSubnet'))) {
+  name: 'deploy-Firewall-mgmt-Public-IP'
+  params: {
+    parLocation: parLocation
+    parAvailabilityZones: parAzFirewallAvailabilityZones
+    parPublicIpName: '${parPublicIpPrefix}${parAzFirewallName}-mgmt${parPublicIpSuffix}'
+    parPublicIpProperties: {
+      publicIpAddressVersion: 'IPv4'
+      publicIpAllocationMethod: 'Static'
+    }
+    parPublicIpSku: {
+      name: 'Standard'
+    }
+    parTags: parTags
+    parTelemetryOptOut: parTelemetryOptOut
+  }
+}
+
 resource resFirewallPolicies 'Microsoft.Network/firewallPolicies@2021-08-01' = if (parAzFirewallEnabled) {
   name: parAzFirewallPoliciesName
   location: parLocation
   tags: parTags
-  properties: {
+  properties: (parAzFirewallTier == 'Basic') ? {
+    sku: {
+      tier: parAzFirewallTier
+    }
+  } : {
     dnsSettings: {
       enableProxy: parAzFirewallDnsProxyEnabled
     }
@@ -596,11 +628,46 @@ resource resFirewallPolicies 'Microsoft.Network/firewallPolicies@2021-08-01' = i
 // AzureFirewallSubnet is required to deploy Azure Firewall . This subnet must exist in the parsubnets array if you deploy.
 // There is a minimum subnet requirement of /26 prefix.
 resource resAzureFirewall 'Microsoft.Network/azureFirewalls@2021-08-01' = if (parAzFirewallEnabled) {
+  dependsOn: [
+    resGateway
+  ]
   name: parAzFirewallName
   location: parLocation
   tags: parTags
   zones: (!empty(parAzFirewallAvailabilityZones) ? parAzFirewallAvailabilityZones : [])
-  properties: {
+  properties: parAzFirewallTier == 'Basic' ? {
+    ipConfigurations: [
+      {
+        name: 'ipconfig1'
+        properties: {
+          subnet: {
+            id: resAzureFirewallSubnetRef.id
+          }
+          publicIPAddress: {
+            id: parAzFirewallEnabled ? modAzureFirewallPublicIp.outputs.outPublicIpId : ''
+          }
+        }
+      }
+    ]
+    managementIpConfiguration: {
+      name: 'mgmtIpConfig'
+      properties: {
+        publicIPAddress: {
+          id: parAzFirewallEnabled ? modAzureFirewallMgmtPublicIp.outputs.outPublicIpId : ''
+        }
+        subnet: {
+          id: resAzureFirewallMgmtSubnetRef.id
+        }
+      }
+    }
+    sku: {
+      name: 'AZFW_VNet'
+      tier: parAzFirewallTier
+    }
+    firewallPolicy: {
+      id: resFirewallPolicies.id
+    }
+  } : {
     ipConfigurations: [
       {
         name: 'ipconfig1'

diff --git a/infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.all.json b/infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.all.json
@@ -27,6 +27,10 @@
         {
           "name": "AzureFirewallSubnet",
           "ipAddressRange": "10.20.255.0/24"
+        },
+        {
+          "name": "AzureFirewallManagementSubnet",
+          "ipAddressRange": "10.10.253.0/24"
         }
       ]
     },

diff --git a/infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.min.json b/infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.min.json
@@ -18,6 +18,10 @@
         {
           "name": "AzureFirewallSubnet",
           "ipAddressRange": "10.20.255.0/24"
+        },
+        {
+          "name": "AzureFirewallManagementSubnet",
+          "ipAddressRange": "10.10.253.0/24"
         }
       ]
     },

diff --git a/infra-as-code/bicep/modules/hubNetworking/parameters/mc-hubNetworking.parameters.all.json b/infra-as-code/bicep/modules/hubNetworking/parameters/mc-hubNetworking.parameters.all.json
@@ -27,6 +27,10 @@
         {
           "name": "AzureFirewallSubnet",
           "ipAddressRange": "10.20.255.0/24"
+        },
+        {
+          "name": "AzureFirewallManagementSubnet",
+          "ipAddressRange": "10.10.253.0/24"
         }
       ]
     },

diff --git a/infra-as-code/bicep/modules/hubNetworking/parameters/mc-hubNetworking.parameters.min.json b/infra-as-code/bicep/modules/hubNetworking/parameters/mc-hubNetworking.parameters.min.json
@@ -21,6 +21,10 @@
         {
           "name": "AzureFirewallSubnet",
           "ipAddressRange": "10.20.255.0/24"
+        },
+        {
+          "name": "AzureFirewallManagementSubnet",
+          "ipAddressRange": "10.10.253.0/24"
         }
       ]
     },

diff --git a/...-as-code/bicep/modules/vwanConnectivity/generateddocs/vwanConnectivity.bicep.md b/...-as-code/bicep/modules/vwanConnectivity/generateddocs/vwanConnectivity.bicep.md
@@ -54,7 +54,7 @@ Azure Firewall Tier associated with the Firewall to deploy.
 
 - Default value: `Standard`
 
-- Allowed values: `Standard`, `Premium`
+- Allowed values: `Basic`, `Standard`, `Premium`
 
 ### parVirtualHubEnabled
 

diff --git a/infra-as-code/bicep/modules/vwanConnectivity/vwanConnectivity.bicep b/infra-as-code/bicep/modules/vwanConnectivity/vwanConnectivity.bicep
@@ -9,6 +9,7 @@ param parCompanyPrefix string = 'alz'
 
 @sys.description('Azure Firewall Tier associated with the Firewall to deploy.')
 @allowed([
+  'Basic'
   'Standard'
   'Premium'
 ])
@@ -195,7 +196,7 @@ resource resVhub 'Microsoft.Network/virtualHubs@2022-01-01' = [for hub in parVir
     virtualWan: {
       id: resVwan.id
     }
-    virtualRouterAutoScaleConfiguration:{
+    virtualRouterAutoScaleConfiguration: {
       minCapacity: hub.parVirtualRouterAutoScaleConfiguration
     }
     hubRoutingPreference: hub.parHubRoutingPreference
@@ -223,7 +224,7 @@ resource resVhubRouteTable 'Microsoft.Network/virtualHubs/hubRouteTables@2022-01
   }
 }]
 
-resource resVpnGateway 'Microsoft.Network/vpnGateways@2021-05-01' = [for (hub, i) in parVirtualWanHubs: if ((parVirtualHubEnabled) && (hub.parVpnGatewayEnabled)) {
+resource resVpnGateway 'Microsoft.Network/vpnGateways@2022-09-01' = [for (hub, i) in parVirtualWanHubs: if ((parVirtualHubEnabled) && (hub.parVpnGatewayEnabled)) {
   dependsOn: resVhub
   name: '${parVpnGatewayName}-${hub.parHubLocation}'
   location: hub.parHubLocation
@@ -241,7 +242,7 @@ resource resVpnGateway 'Microsoft.Network/vpnGateways@2021-05-01' = [for (hub, i
   }
 }]
 
-resource resErGateway 'Microsoft.Network/expressRouteGateways@2021-05-01' = [for (hub, i) in parVirtualWanHubs: if ((parVirtualHubEnabled) && (hub.parExpressRouteGatewayEnabled)) {
+resource resErGateway 'Microsoft.Network/expressRouteGateways@2022-09-01' = [for (hub, i) in parVirtualWanHubs: if ((parVirtualHubEnabled) && (hub.parExpressRouteGatewayEnabled)) {
   dependsOn: resVhub
   name: '${parExpressRouteGatewayName}-${hub.parHubLocation}'
   location: hub.parHubLocation
@@ -262,7 +263,11 @@ resource resFirewallPolicies 'Microsoft.Network/firewallPolicies@2022-05-01' = i
   name: parAzFirewallPoliciesName
   location: parLocation
   tags: parTags
-  properties: {
+  properties: (parAzFirewallTier == 'Basic') ? {
+    sku: {
+      tier: parAzFirewallTier
+    }
+  } : {
     dnsSettings: {
       enableProxy: parAzFirewallDnsProxyEnabled
     }
@@ -315,7 +320,6 @@ module modPrivateDnsZones '../privateDnsZones/privateDnsZones.bicep' = if (parPr
   }
 }
 
-
 // Optional Deployments for Customer Usage Attribution
 module modCustomerUsageAttribution '../../CRML/customerUsageAttribution/cuaIdResourceGroup.bicep' = if (!parTelemetryOptOut) {
   name: 'pid-${varCuaid}-${uniqueString(parLocation)}'
@@ -327,18 +331,17 @@ module modCustomerUsageAttributionZtnP1 '../../CRML/customerUsageAttribution/cua
   params: {}
 }
 
-
 // Output Virtual WAN name and ID
 output outVirtualWanName string = resVwan.name
 output outVirtualWanId string = resVwan.id
 
 // Output Virtual WAN Hub name and ID
-output outVirtualHubName array = [ for (hub, i) in parVirtualWanHubs: {
+output outVirtualHubName array = [for (hub, i) in parVirtualWanHubs: {
   virtualhubname: resVhub[i].name
   virtualhubid: resVhub[i].id
 }]
 
-output outVirtualHubId array = [ for (hub, i) in parVirtualWanHubs: {
+output outVirtualHubId array = [for (hub, i) in parVirtualWanHubs: {
   virtualhubid: resVhub[i].id
 }]
 // Output DDoS Plan ID