This repository has been archived by the owner on Jan 30, 2025. It is now read-only.

Commit

Updated documentation (Azure#267)
ghostme authored Apr 27, 2022
1 parent d68824a commit 926521a
Showing 3 changed files with 4 additions and 5 deletions.
1 change: 0 additions & 1 deletion docs/archetypes/generic-subscription.md
Expand Up @@ -348,7 +348,6 @@ The rest of the segments for the **virtualNetworkId** string must also match the
in case a different prefix besides **pubsec** was used to conform to a specific and preferred naming convention or organization prefix (item **2**), or the default VNET name of hub-vnet was also changed to something else,
(**item 3**) - again based on a specific and preferred naming convention that may have been used before when the actual hub VNET was deployed.

> Each subnet in the spoke virtual network has its own User Defined Route (UDR). This allows for scenarios in which subnets can have different routing rules. It is possible for a single User Defined Route to be associated with many spoke subnets by customizing the automation code.
### Deployment Instructions

### Virtual Appliance IP
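Review bot: the rendered view has dropped the +/- markers, so it is not visible which of the seven lines in the @@ -348,7 +348,6 @@ hunk is the one deletion; as shown, `### Deployment Instructions` is immediately followed by `### Virtual Appliance IP` with no body between them. If the removed line is that empty heading, the change is fine; if it is the blank line or part of the UDR blockquote, an empty `Deployment Instructions` section remains and should either be given content or be dropped.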
4 changes: 2 additions & 2 deletions docs/archetypes/hubnetwork-azfw.md
Expand Up @@ -49,7 +49,7 @@ There will be at least one shared Application Gateway instance and multiple dedi

Network design will require 3 IP blocks:

* [RFC 1918][rfc1918] for Azure native-traffic (including IaaS and PaaS). Example: `10.18.0.0/16`
* [RFC 1918][rfc1918] for Azure native-traffic (including IaaS and PaaS). This will also include the Azure Gateway subnet. Example: `10.18.0.0/16`
* [RFC 1918][rfc1918] for Azure Bastion. Example: `192.168.0.0/16`
* [RFC 6598][rfc1918] for department to department traffic through GCnet. Example: `100.60.0.0/16`

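Review bot: the wording added to the first `[RFC 1918]` bullet, "This will also include the Azure Gateway subnet", should name the subnet precisely, since readers carving up the `10.18.0.0/16` block need to know which range is reserved: the subnet a virtual network gateway requires is called `GatewaySubnet`. Suggest `This block also includes the GatewaySubnet used by the virtual network gateway.` In the untouched context of the same hunk, the RFC 6598 bullet still links through the `[rfc1918]` reference label, so the text says RFC 6598 while the link resolves to RFC 1918; a separate `[rfc6598]` reference definition is needed.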
Expand Down Expand Up @@ -169,7 +169,7 @@ Required routing rules to enforce the security controls required to protect the
| PrdSpokesUdr | `0.0.0.0/0`, `10.18.0.0/16` and `100.60.0.0/16` via Azure Firewall VIP. | All production spoke virtual networks. | Via peering, spokes learn static routes to reach any IP in the Hub. Hence, we override the Hub virtual network's IPs (10.18/16 and 100.60/16) and force traffic via Firewall. |
| DevSpokesUdr | Same as above. | All development spoke virtual networks. | Same as above. |
| MrzSpokeUdr | Same as above. | Mrz spoke virtual network | Same as above. |
| PazSubnetUdr | Same as above. | Force traffic from Application Gateway to be sent via the Firewall VIP | Same as above. |
| PazSubnetUdr | Same as above. | Force traffic from Application Gateway to be sent via the Firewall VIP | Same as above. The 0.0.0.0./0 "Next hop type" should be updated as "Internet" and not the Virtual Appliance IP if deploying Azure Application Gateway.. |

## Azure Firewall Rules

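Review bot: the sentence added to the PazSubnetUdr row contradicts the same row's Routes column, which still reads "Same as above", i.e. `0.0.0.0/0` via the Azure Firewall VIP, while the new comment says the `0.0.0.0/0` next hop must be `Internet` when Application Gateway is deployed. Put the exception where the route is defined rather than in the comment: change the Routes cell to something like `0.0.0.0/0 via Internet; 10.18.0.0/16 and 100.60.0.0/16 via Azure Firewall VIP` and keep the comment as the reason. Because this means Internet-bound traffic from the PAZ subnet is not routed through the firewall, the comment should say so explicitly, so the deviation from the "force traffic via Firewall" control in the rows above is a documented decision rather than an implicit one. Typos in the added text: `0.0.0.0./0` has a stray dot, the cell ends with a double period, and "should be updated as" reads better as "must be set to".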
4 changes: 2 additions & 2 deletions docs/archetypes/hubnetwork-nva-fortigate.md
Expand Up @@ -48,7 +48,7 @@ There will be at least one shared Application Gateway instance and multiple dedi

Network design will require 3 IP blocks:

* [RFC 1918][rfc1918] for Azure native-traffic (including IaaS and PaaS). Example: `10.18.0.0/16`
* [RFC 1918][rfc1918] for Azure native-traffic (including IaaS and PaaS). This will also include the Azure Gateway subnet. Example: `10.18.0.0/16`
* [RFC 1918][rfc1918] for Azure Bastion. Example: `192.168.0.0/16`
* [RFC 6598][rfc1918] for department to department traffic through GCnet. Example: `100.60.0.0/16`

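Review bot: "Azure Gateway subnet" in the text added to the first `[RFC 1918]` bullet is ambiguous; the Azure name for the subnet a virtual network gateway requires is `GatewaySubnet`, and that is what readers planning the `10.18.0.0/16` block need to reserve. Suggest `This block also includes the GatewaySubnet used by the virtual network gateway.` The RFC 6598 bullet in the surrounding context still resolves through the `[rfc1918]` link label, so a distinct `[rfc6598]` reference definition should be added.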
Expand Down Expand Up @@ -176,7 +176,7 @@ Required routing rules to enforce the security controls required to protect the
| PrdSpokesUdr | 0.0.0.0/0 via PrdInt ILB VIP<br />10.18.0.0/16 via PrdInt ILB VIP<br />100.60.0.0/16 via PrdInt ILB VIP | All production spoke virtual networks. | Via peering, spokes learn static routes to reach any IP in the Hub. Hence, we override the Hub virtual network's IPs (10.18/16 and 100.60/16) and force traffic via Firewall. |
| DevSpokesUdr | 0.0.0.0/0 via DevInt ILB VIP<br />10.18.0.0/16 via DevInt ILB VIP<br />100.60.0.0/16 via DevInt ILB VIP | All development spoke virtual networks. | Same as above. |
| MrzSpokeUdr | 0.0.0.0/0 via PrdInt ILB VIP<br />10.18.0.0/16 via PrdInt ILB VIP<br />100.60.0.0/16 via PrdInt ILB VIP | Mrz spoke virtual network | Same as above |
| PazSubnetUdr | 10.18.4.0/24 via PrdExtFW VIP<br />(Future) ProdSpokeIPs via PrdExt ILB VIP<br />(Future) DevSpokeIPs via DevExt ILB VIP | Shared PAZ subnet (Application Gateway) | Force traffic from Application Gateway to be sent via the Firewall External ILBs |
| PazSubnetUdr | 10.18.4.0/24 via PrdExtFW VIP<br />(Future) ProdSpokeIPs via PrdExt ILB VIP<br />(Future) DevSpokeIPs via DevExt ILB VIP | Shared PAZ subnet (Application Gateway) | Force traffic from Application Gateway to be sent via the Firewall External ILBs. The 0.0.0.0./0 "Next hop type" should be updated as "Internet" and not the Virtual Appliance IP if deploying Azure Application Gateway |

## Firewall configuration details

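Review bot: the text added to the PazSubnetUdr row refers to the `0.0.0.0/0` route's next hop, but the Routes cell for this row lists only `10.18.4.0/24 via PrdExtFW VIP` and two future ILB routes; there is no `0.0.0.0/0` route in this table's PAZ UDR, so the instruction has nothing to apply to. Either add `0.0.0.0/0 via Internet` to the Routes cell, stating that PAZ-to-Internet egress then bypasses the Firewall External ILBs, or drop the sentence from this archetype if the PAZ UDR intentionally carries no default route. Typos: `0.0.0.0./0` has a stray dot, and the cell lacks a terminating period.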

0 comments on commit 926521a
