

Add Various Features & Fix Various Bugs to VWAN & Hub Networking (#226)
* add AZs for FW - bot + DDOS & DNS Zones to VWAN Connectivity. Fix various typos also

* update fw naming and remove unneeded properties from azfw as in policy

* remove example outputs

* update name

* flip ternery

* update pip module to add AZs

* update fw api version and add azfw pip azs

* add vwan route table if azfw enabled and enable azfw zones

* increase MD line length

* change default for MC for DDoS
jtracey93 authored May 5, 2022
1 parent a9541d5 commit d5f712d
Showing 18 changed files with 561 additions and 269 deletions.
2 changes: 1 addition & 1 deletion .github/linters/.markdown-lint.yml
Expand Up @@ -22,7 +22,7 @@ MD004: false # Unordered list style
MD007:
indent: 2 # Unordered list indentation
MD013:
line_length: 850 # Line length 80 is far to short
line_length: 900 # Line length 80 is far to short
MD026:
punctuation: ".,;:!。,;:" # List of not allowed
MD029: false # Ordered list item prefix
71 changes: 34 additions & 37 deletions infra-as-code/bicep/modules/hubNetworking/README.md


68 changes: 32 additions & 36 deletions infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep
Expand Up @@ -55,7 +55,10 @@ param parDdosPlanName string = '${parCompanyPrefix}-ddos-plan'
param parAzureFirewallEnabled bool = true

@description('Azure Firewall Name. Default: {parCompanyPrefix}-azure-firewall ')
param parAzureFirewallName string = '${parCompanyPrefix}-azure-firewall'
param parAzureFirewallName string = '${parCompanyPrefix}-azfw-${parLocation}'

@description('Azure Firewall Policies Name. Default: {parCompanyPrefix}-fwpol-{parLocation}')
param parFirewallPoliciesName string = '${parCompanyPrefix}-azfwpolicy-${parLocation}'

@description('Azure Firewall Tier associated with the Firewall to deploy. Default: Standard ')
@allowed([
Expand All @@ -64,6 +67,14 @@ param parAzureFirewallName string = '${parCompanyPrefix}-azure-firewall'
])
param parAzureFirewallTier string = 'Standard'

@allowed([
'1'
'2'
'3'
])
@description('Availability Zones to deploy the Azure Firewall across. Region must support Availability Zones to use. If it does not then leave empty.')
param parAzureFirewallAvailabilityZones array = []

@description('Switch which enables DNS Proxy to be enabled on the Azure Firewall. Default: true')
param parNetworkDNSEnableProxy bool = true

Expand Down Expand Up @@ -351,6 +362,7 @@ module modAzureFirewallPublicIP '../publicIp/publicIp.bicep' = if (parAzureFirew
name: 'deploy-Firewall-Public-IP'
params: {
parLocation: parLocation
parAvailabilityZones: parAzureFirewallAvailabilityZones
parPublicIPName: '${parAzureFirewallName}-PublicIP'
parPublicIPProperties: {
publicIPAddressVersion: 'IPv4'
Expand All @@ -364,43 +376,28 @@ module modAzureFirewallPublicIP '../publicIp/publicIp.bicep' = if (parAzureFirew
}
}

resource resFirewallPolicies 'Microsoft.Network/firewallPolicies@2021-05-01' = if (parAzureFirewallEnabled) {
name: parFirewallPoliciesName
location: parLocation
tags: parTags
properties: {
dnsSettings: {
enableProxy: parNetworkDNSEnableProxy
}
sku: {
tier: parAzureFirewallTier
}
}
}

// AzureFirewallSubnet is required to deploy Azure Firewall . This subnet must exist in the parsubnets array if you deploy.
// There is a minimum subnet requirement of /26 prefix.
resource resAzureFirewall 'Microsoft.Network/azureFirewalls@2021-02-01' = if (parAzureFirewallEnabled) {
resource resAzureFirewall 'Microsoft.Network/azureFirewalls@2021-05-01' = if (parAzureFirewallEnabled) {
name: parAzureFirewallName
location: parLocation
tags: parTags
zones: (!empty(parAzureFirewallAvailabilityZones) ? parAzureFirewallAvailabilityZones : json('null'))
properties: {
networkRuleCollections: [
{
name: 'VmInternetAccess'
properties: {
priority: 101
action: {
type: 'Allow'
}
rules: [
{
name: 'AllowVMAppAccess'
description: 'Allows VM access to the web'
protocols: [
'TCP'
]
sourceAddresses: [
parHubNetworkAddressPrefix
]
destinationAddresses: [
'*'
]
destinationPorts: [
'80'
'443'
]
}
]
}
}
]
ipConfigurations: [
{
name: 'ipconfig1'
Expand All @@ -414,13 +411,12 @@ resource resAzureFirewall 'Microsoft.Network/azureFirewalls@2021-02-01' = if (pa
}
}
]
threatIntelMode: 'Alert'
sku: {
name: 'AZFW_VNet'
tier: parAzureFirewallTier
}
additionalProperties: {
'Network.DNS.EnableProxy': '${parNetworkDNSEnableProxy}'
firewallPolicy: {
id: resFirewallPolicies.id
}
}
}
Expand Down Expand Up @@ -451,7 +447,7 @@ module modPrivateDnsZones '../privateDnsZones/privateDnsZones.bicep' = if (parPr
params: {
parLocation: parLocation
parTags: parTags
parHubVirtualNetworkId: resHubVirtualNetwork.id
parVirtualNetworkIdToLink: resHubVirtualNetwork.id
parPrivateDnsZones: parPrivateDnsZones
}
}
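Review bot: `threatIntelMode: 'Alert'` is removed from resAzureFirewall in the hunk around the `sku` block, and the new resFirewallPolicies resource in the preceding hunk sets only `dnsSettings` and `sku`, so threat-intelligence filtering is no longer pinned anywhere in the template and now rests on the service default for a firewall policy (documented as Alert, but worth confirming). Since the policy owns that setting now, carry it over explicitly, e.g. `threatIntelMode: 'Alert'` alongside `dnsSettings` in resFirewallPolicies, so the intended mode stays visible in the template and a later change to the default cannot silently alter it. With the classic `networkRuleCollections` gone, the policy also ships with no rule collection groups, which is a default-deny posture; a short comment above resFirewallPolicies stating that consumers are expected to add their own rule collection groups would make that intent clear. resAzureFirewall's definition spans two hunks of this section.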
Expand Up @@ -55,11 +55,14 @@
"value": true
},
"parAzureFirewallName": {
"value": "alz-azure-firewall"
"value": "alz-azfw-eastus"
},
"parAzureFirewallTier": {
"value": "Standard"
},
"parAzureFirewallAvailabilityZones": {
"value": []
},
"parNetworkDNSEnableProxy": {
"value": true
},
Expand Up @@ -55,11 +55,14 @@
"value": true
},
"parAzureFirewallName": {
"value": "alz-azure-firewall"
"value": "alz-azfw-chinaeast2"
},
"parAzureFirewallTier": {
"value": "Standard"
},
"parAzureFirewallAvailabilityZones": {
"value": []
},
"parNetworkDNSEnableProxy": {
"value": true
},
22 changes: 11 additions & 11 deletions infra-as-code/bicep/modules/privateDnsZones/README.md
Expand Up @@ -11,13 +11,13 @@ Module deploys the following resources:

The module requires the following inputs:

| Parameter | Type | Default | Description | Requirement | Example |
| ---------------------- | ------ | ---------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------ |
| parLocation | string | `resourceGroup().location` | The Azure Region to deploy the resources into | None | `eastus` |
| parPrivateDnsZones | array | See example parameters file [`privateDnsZones.parameters.example.json`](privateDnsZones.parameters.example.json) | Array of DNS Zones to provision in Hub Virtual Network. Default: All known Azure Private DNS Zones - See [DNS Zones](#dns-zones) for more info | None | See Default |
| parTags | object | Empty Array [] | List of tags (Key Value Pairs) to be applied to resources | None | environment: 'development' |
| parHubVirtualNetworkId | string | | Resource ID of the Hub Virtual Network | Valid Resource ID of the Virtual Network | /subscriptions/[your platform management subscription ID]/resourceGroups/Hub_PrivateDNS_POC/providers/Microsoft.Network/virtualNetworks/alz-hub-eastus |
| parTelemetryOptOut | bool | false | Set Parameter to true to Opt-out of deployment telemetry | None | false |
| Parameter | Type | Default | Description | Requirement | Example |
| ------------------------- | ------ | ---------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------ |
| parLocation | string | `resourceGroup().location` | The Azure Region to deploy the resources into | None | `eastus` |
| parPrivateDnsZones | array | See example parameters file [`privateDnsZones.parameters.example.json`](privateDnsZones.parameters.example.json) | Array of DNS Zones to provision in Hub Virtual Network. Default: All known Azure Private DNS Zones - See [DNS Zones](#dns-zones) for more info | None | See Default |
| parTags | object | Empty Array [] | List of tags (Key Value Pairs) to be applied to resources | None | environment: 'development' |
| parVirtualNetworkIdToLink | string | Empty String | Resource ID of VNet for Private DNS Zone VNet Links | Valid Resource ID of the Virtual Network | /subscriptions/[your platform connectivity subscription ID]/resourceGroups/Hub_PrivateDNS_POC/providers/Microsoft.Network/virtualNetworks/alz-hub-eastus |
| parTelemetryOptOut | bool | false | Set Parameter to true to Opt-out of deployment telemetry | None | false |

## DNS Zones

Expand Down Expand Up @@ -70,7 +70,7 @@ There are two different sets of input parameters; one for deploying to Azure glo
```bash
# For Azure global regions
# Set Platform connectivity subscription ID as the the current subscription
ConnectivitySubscriptionId="[your platform management subscription ID]"
ConnectivitySubscriptionId="[your platform connectivity subscription ID]"
az account set --subscription $ConnectivitySubscriptionId

az group create --location eastus \
Expand All @@ -85,7 +85,7 @@ OR
```bash
# For Azure China regions
# Set Platform connectivity subscription ID as the the current subscription
ConnectivitySubscriptionId="[your platform management subscription ID]"
ConnectivitySubscriptionId="[your platform connectivity subscription ID]"
az account set --subscription $ConnectivitySubscriptionId

az group create --location chinaeast2 \
Expand All @@ -102,7 +102,7 @@ az deployment group create \
```powershell
# For Azure global regions
# Set Platform connectivity subscription ID as the the current subscription
$ConnectivitySubscriptionId = "[your platform management subscription ID]"
$ConnectivitySubscriptionId = "[your platform connectivity subscription ID]"
Select-AzSubscription -SubscriptionId $ConnectivitySubscriptionId
Expand All @@ -118,7 +118,7 @@ OR
```powershell
# For Azure China regions
# Set Platform connectivity subscription ID as the the current subscription
$ConnectivitySubscriptionId = "[your platform management subscription ID]"
$ConnectivitySubscriptionId = "[your platform connectivity subscription ID]"
Select-AzSubscription -SubscriptionId $ConnectivitySubscriptionId
Expand Up @@ -43,6 +43,9 @@
"Environment": "POC"
}
},
"parVirtualNetworkIdToLink": {
"value": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/xxxxxxxxxxx/providers/Microsoft.Network/virtualNetworks/xxxxxxxxxxx"
},
"parTelemetryOptOut": {
"value": false
}
Expand Up @@ -60,8 +60,8 @@ param parPrivateDnsZones array = [
@description('Tags you would like to be applied to all resources in this module. Default: empty array')
param parTags object = {}

@description('Resource ID of Hub VNet for Private DNS Zone VNet Links')
param parHubVirtualNetworkId string
@description('Resource ID of VNet for Private DNS Zone VNet Links')
param parVirtualNetworkIdToLink string = ''

@description('Set Parameter to true to Opt-out of deployment telemetry')
param parTelemetryOptOut bool = false
Expand All @@ -75,13 +75,13 @@ resource resPrivateDnsZones 'Microsoft.Network/privateDnsZones@2020-06-01' = [fo
tags: parTags
}]

resource resVirtualNetworkLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = [for privateDnsZoneName in parPrivateDnsZones: {
resource resVirtualNetworkLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = [for privateDnsZoneName in parPrivateDnsZones: if (!empty(parVirtualNetworkIdToLink)) {
name: '${privateDnsZoneName}/${privateDnsZoneName}'
location: 'global'
properties: {
registrationEnabled: false
virtualNetwork: {
id: parHubVirtualNetworkId
id: parVirtualNetworkIdToLink
}
}
dependsOn: resPrivateDnsZones
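Review bot: The new default `''` for parVirtualNetworkIdToLink changes what the module does when the parameter is omitted — resVirtualNetworkLink is skipped by the added `if (!empty(parVirtualNetworkIdToLink))` and the zones are created with no VNet link — but neither the `@description` in the first hunk nor the README row says so. Suggest `@description('Resource ID of VNet for Private DNS Zone VNet Links. Default: empty string, which deploys the zones without any VNet link')` so a caller who leaves it out knows the zones will not resolve from any network until a link is added. A matching sentence in the README default column would keep the two in step. The closing `}]` of the resVirtualNetworkLink loop sits outside this hunk.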

