From 80eccf16381262e78c9061db1a6c5b60a2501e5a Mon Sep 17 00:00:00 2001
From: Zach Trocinski
Date: Mon, 23 Sep 2024 21:00:30 -0500
Subject: [PATCH 1/3] Add condition for ddos output

---
 .../bicep/modules/vwanConnectivity/vwanConnectivity.bicep | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/infra-as-code/bicep/modules/vwanConnectivity/vwanConnectivity.bicep b/infra-as-code/bicep/modules/vwanConnectivity/vwanConnectivity.bicep
index ef8ff1baa..fbe880f37 100644
--- a/infra-as-code/bicep/modules/vwanConnectivity/vwanConnectivity.bicep
+++ b/infra-as-code/bicep/modules/vwanConnectivity/vwanConnectivity.bicep
@@ -618,7 +618,7 @@ output outVirtualHubId array = [for (hub, i) in parVirtualWanHubs: {
 }]
 
 // Output DDoS Plan ID
-output outDdosPlanResourceId string = resDdosProtectionPlan.id
+output outDdosPlanResourceId string = parDdosEnabled ? resDdosProtectionPlan.id : ''
 
 // Output Private DNS Zones
 output outPrivateDnsZones array = (parPrivateDnsZonesEnabled ? modPrivateDnsZones.outputs.outPrivateDnsZones : [])

From 5f423fa810e7f6e194becee57210800f03c4dcb6 Mon Sep 17 00:00:00 2001
From: Zach Trocinski
Date: Mon, 23 Sep 2024 22:38:12 -0500
Subject: [PATCH 2/3] Add capability for active-active vnet gateway

---
 .../modules/hubNetworking/hubNetworking.bicep | 62 +++++++++++++++----
 1 file changed, 51 insertions(+), 11 deletions(-)

diff --git a/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep b/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep
index 97751563b..6d8ea92d9 100644
--- a/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep
+++ b/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep
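Review bot: The new ternary turns `outDdosPlanResourceId` into an empty string when `parDdosEnabled` is false, but nothing on the output says so; a consumer that feeds it straight into a `ddosProtectionPlan: { id: ... }` property will now submit an empty resource ID at deploy time instead of getting a compile-time error about a missing resource. State the sentinel where callers will see it, e.g. `@description('Resource ID of the DDoS protection plan; empty string when parDdosEnabled is false - check with empty() before use.')` above the output, or extend the comment to `// Output DDoS Plan ID (empty string when parDdosEnabled is false)`. Whether `resDdosProtectionPlan` is itself declared with `if (parDdosEnabled)` is outside this hunk; if it is not, the condition here only blanks the output while the plan is still deployed, so please confirm the two agree.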
@@ -764,6 +764,26 @@ module modGatewayPublicIp '../publicIp/publicIp.bicep' = [for (gateway, i) in va
 }
 }]
 
+// If the gateway is active-active, create a second public IP
+module modGatewayPublicIpActiveActive '../publicIp/publicIp.bicep' = [for (gateway, i) in varGwConfig: if ((gateway.name != 'noconfigVpn') && (gateway.name != 'noconfigEr') && gateway.activeActive) {
+name: 'deploy-Gateway-Public-IP-ActiveActive-${i}'
+params: {
+parLocation: parLocation
+parAvailabilityZones: toLower(gateway.gatewayType) == 'expressroute' ? parAzErGatewayAvailabilityZones : toLower(gateway.gatewayType) == 'vpn' ? parAzVpnGatewayAvailabilityZones : []
+parPublicIpName: '${parPublicIpPrefix}${gateway.name}${parPublicIpSuffix}-aa'
+parPublicIpProperties: {
+publicIpAddressVersion: 'IPv4'
+publicIpAllocationMethod: 'Static'
+}
+parPublicIpSku: {
+name: parPublicIpSku
+}
+parResourceLockConfig: (parGlobalResourceLock.kind != 'None') ? parGlobalResourceLock : parVirtualNetworkGatewayLock
+parTags: parTags
+parTelemetryOptOut: parTelemetryOptOut
+}
+}]
+
 //Minumum subnet size is /27 supporting documentation https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsub
 resource resGateway 'Microsoft.Network/virtualNetworkGateways@2023-02-01' = [for (gateway, i) in varGwConfig: if ((gateway.name != 'noconfigVpn') && (gateway.name != 'noconfigEr')) {
 name: gateway.name
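Review bot: The deployment condition of `modGatewayPublicIpActiveActive` reads `gateway.activeActive` directly, while the existing gateway code in the next hunk reaches into optional config with `gateway.vpnClientConfiguration.?radiusServerAddress ?? ''`; if not every `varGwConfig` entry (including the `noconfigVpn`/`noconfigEr` placeholders) carries an `activeActive` key, this expression fails at template evaluation for that entry, and I would not rely on `&&` short-circuiting in the compiled ARM expression to skip it. I cannot see `varGwConfig` from here, so please confirm the key is always present or default it: `&& (gateway.?activeActive ?? false)`. The same direct access is used in the `ipConfigurations` ternary in the following hunk and should be changed together with this one. A one-line comment such as `// Second public IP is required for the gateway's second ipConfiguration below` would also tell a reader why this module exists.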
@@ -793,23 +813,43 @@ resource resGateway 'Microsoft.Network/virtualNetworkGateways@2023-02-01' = [for
 radiusServerAddress: gateway.vpnClientConfiguration.?radiusServerAddress ?? ''
 radiusServerSecret: gateway.vpnClientConfiguration.?radiusServerSecret ?? ''
 } : null
-ipConfigurations: [
-{
-id: resHubVnet.id
-name: 'vnetGatewayConfig'
-properties: {
-publicIPAddress: {
-id: (((gateway.name != 'noconfigVpn') && (gateway.name != 'noconfigEr')) ? modGatewayPublicIp[i].outputs.outPublicIpId : 'na')
+
+ipConfigurations: concat(
+// Primary IP configuration
+[
+{
+id: resHubVnet.id
+name: 'vnetGatewayConfig1'
+properties: {
+publicIPAddress: {
+id: modGatewayPublicIp[i].outputs.outPublicIpId // Primary Public IP
+}
+subnet: {
+id: resGatewaySubnetRef.id
+}
 }
-subnet: {
-id: resGatewaySubnetRef.id
+}
+],
+// Add second IP configuration if activeActive is true
+gateway.activeActive ? [
+{
+id: resHubVnet.id
+name: 'vnetGatewayConfig2'
+properties: {
+publicIPAddress: {
+id: modGatewayPublicIpActiveActive[i].outputs.outPublicIpId // Secondary Public IP
+}
+subnet: {
+id: resGatewaySubnetRef.id
+}
 }
 }
-}
-]
+] : []
+)
 }
 }]
 
+
 // Create a Virtual Network Gateway resource lock if gateway.name is not equal to noconfigVpn or noconfigEr and parGlobalResourceLock.kind != 'None' or if parVirtualNetworkGatewayLock.kind != 'None'
 resource resVirtualNetworkGatewayLock 'Microsoft.Authorization/locks@2020-05-01' = [for (gateway, i) in varGwConfig: if ((gateway.name != 'noconfigVpn') && (gateway.name != 'noconfigEr') && (parVirtualNetworkGatewayLock.kind != 'None' || parGlobalResourceLock.kind != 'None')) {
 scope: resGateway[i]

From a5d114d8bf17d01b82b699e5634f29a5e9dc6ede Mon Sep 17 00:00:00 2001
From: Zach Trocinski
Date: Mon, 23 Sep 2024 22:41:07 -0500
Subject: [PATCH 3/3] Update API versions

---
 .../modules/hubNetworking/hubNetworking.bicep | 20 +++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

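Review bot: A second `ipConfigurations` entry is, as far as I know, only accepted by the resource provider when the gateway's `properties.activeActive` is true, and that property is not set anywhere in this hunk; the `properties` block of `resGateway` opens before the hunk, so if `activeActive: gateway.activeActive` is not already set there, a deployment with `activeActive` true will be rejected on the gateway rather than caught by this template. Please confirm it is present or add it next to the other gateway properties. Renaming the primary entry from `vnetGatewayConfig` to `vnetGatewayConfig1` also changes the ipConfiguration name of every already-deployed gateway on redeploy, which may be treated as an in-place change to the existing configuration; worth testing against an existing hub before merging. The `resGateway` resource starts before this hunk.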
diff --git a/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep b/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep
index 6d8ea92d9..be79a84da 100644
--- a/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep
+++ b/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep
@@ -537,12 +537,12 @@ module modBastionPublicIp '../publicIp/publicIp.bicep' = if (parAzBastionEnabled
 }
 }
 
-resource resBastionSubnetRef 'Microsoft.Network/virtualNetworks/subnets@2023-02-01' existing = if (parAzBastionEnabled) {
+resource resBastionSubnetRef 'Microsoft.Network/virtualNetworks/subnets@2024-01-01' existing = if (parAzBastionEnabled) {
 parent: resHubVnet
 name: 'AzureBastionSubnet'
 }
 
-resource resBastionNsg 'Microsoft.Network/networkSecurityGroups@2023-02-01' = if (parAzBastionEnabled) {
+resource resBastionNsg 'Microsoft.Network/networkSecurityGroups@2024-01-01' = if (parAzBastionEnabled) {
 name: parAzBastionNsgName
 location: parLocation
 tags: parTags
@@ -704,7 +704,7 @@ resource resBastionNsgLock 'Microsoft.Authorization/locks@2020-05-01' = if (parA
 // AzureBastionSubnet is required to deploy Bastion service. This subnet must exist in the parsubnets array if you enable Bastion Service.
 // There is a minimum subnet requirement of /27 prefix.
 // If you are deploying standard this needs to be larger. https://docs.microsoft.com/en-us/azure/bastion/configuration-settings#subnet
-resource resBastion 'Microsoft.Network/bastionHosts@2023-02-01' = if (parAzBastionEnabled) {
+resource resBastion 'Microsoft.Network/bastionHosts@2024-01-01' = if (parAzBastionEnabled) {
 location: parLocation
 name: parAzBastionName
 tags: parTags
@@ -740,7 +740,7 @@ resource resBastionLock 'Microsoft.Authorization/locks@2020-05-01' = if (parAzBa
 }
 }
 
-resource resGatewaySubnetRef 'Microsoft.Network/virtualNetworks/subnets@2023-02-01' existing = if (parVpnGatewayEnabled || parExpressRouteGatewayEnabled ) {
+resource resGatewaySubnetRef 'Microsoft.Network/virtualNetworks/subnets@2024-01-01' existing = if (parVpnGatewayEnabled || parExpressRouteGatewayEnabled ) {
 parent: resHubVnet
 name: 'GatewaySubnet'
 }
@@ -785,7 +785,7 @@ module modGatewayPublicIpActiveActive '../publicIp/publicIp.bicep' = [for (gatew
 }]
 
 //Minumum subnet size is /27 supporting documentation https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsub
-resource resGateway 'Microsoft.Network/virtualNetworkGateways@2023-02-01' = [for (gateway, i) in varGwConfig: if ((gateway.name != 'noconfigVpn') && (gateway.name != 'noconfigEr')) {
+resource resGateway 'Microsoft.Network/virtualNetworkGateways@2024-01-01' = [for (gateway, i) in varGwConfig: if ((gateway.name != 'noconfigVpn') && (gateway.name != 'noconfigEr')) {
 name: gateway.name
 location: parLocation
 tags: parTags
@@ -860,12 +860,12 @@ resource resVirtualNetworkGatewayLock 'Microsoft.Authorization/locks@2020-05-01'
 }
 }]
 
-resource resAzureFirewallSubnetRef 'Microsoft.Network/virtualNetworks/subnets@2023-02-01' existing = if (parAzFirewallEnabled) {
+resource resAzureFirewallSubnetRef 'Microsoft.Network/virtualNetworks/subnets@2024-01-01' existing = if (parAzFirewallEnabled) {
 parent: resHubVnet
 name: 'AzureFirewallSubnet'
 }
 
-resource resAzureFirewallMgmtSubnetRef 'Microsoft.Network/virtualNetworks/subnets@2023-02-01' existing = if (parAzFirewallEnabled && (contains(map(parSubnets, subnets => subnets.name), 'AzureFirewallManagementSubnet'))) {
+resource resAzureFirewallMgmtSubnetRef 'Microsoft.Network/virtualNetworks/subnets@2024-01-01' existing = if (parAzFirewallEnabled && (contains(map(parSubnets, subnets => subnets.name), 'AzureFirewallManagementSubnet'))) {
 parent: resHubVnet
 name: 'AzureFirewallManagementSubnet'
 }
@@ -908,7 +908,7 @@ module modAzureFirewallMgmtPublicIp '../publicIp/publicIp.bicep' = if (parAzFire
 }
 }
 
-resource resFirewallPolicies 'Microsoft.Network/firewallPolicies@2023-02-01' = if (parAzFirewallEnabled && parAzFirewallPoliciesEnabled) {
+resource resFirewallPolicies 'Microsoft.Network/firewallPolicies@2024-01-01' = if (parAzFirewallEnabled && parAzFirewallPoliciesEnabled) {
 name: parAzFirewallPoliciesName
 location: parLocation
 tags: parTags
@@ -947,7 +947,7 @@ resource resFirewallPoliciesLock 'Microsoft.Authorization/locks@2020-05-01' = if
 
 // AzureFirewallSubnet is required to deploy Azure Firewall . This subnet must exist in the parsubnets array if you deploy.
 // There is a minimum subnet requirement of /26 prefix.
-resource resAzureFirewall 'Microsoft.Network/azureFirewalls@2023-02-01' = if (parAzFirewallEnabled) {
+resource resAzureFirewall 'Microsoft.Network/azureFirewalls@2024-01-01' = if (parAzFirewallEnabled) {
 dependsOn: [
 resGateway
 ]
@@ -1060,7 +1060,7 @@ resource resAzureFirewallLock 'Microsoft.Authorization/locks@2020-05-01' = if (p
 }
 }
 //If Azure Firewall is enabled we will deploy a RouteTable to redirect Traffic to the Firewall.
-resource resHubRouteTable 'Microsoft.Network/routeTables@2023-02-01' = if (parAzFirewallEnabled) {
+resource resHubRouteTable 'Microsoft.Network/routeTables@2024-01-01' = if (parAzFirewallEnabled) {
 name: parHubRouteTableName
 location: parLocation
 tags: parTags