From f2af0bacf43808b16165ef831f73b25e40ea78d7 Mon Sep 17 00:00:00 2001
From: Fernando Antivero
Date: Fri, 29 May 2026 13:09:15 -0300
Subject: [PATCH] remove ARM JSON templates and update pipeline to Bicep
- Delete all .json ARM templates (azuredeploy.json + 5 nested)
- Update pipeline to use --template-file with Bicep instead of --template-uri with remote JSON
- Remove commented-out ARM TTK stage (JSON-only tooling)
- Add workingDirectory to pipeline steps for relative template paths
Co-authored-by: GitHub Copilot (Claude Opus 4.6)
---
 .../secure-hybrid-network/azuredeploy.json | 182 ----
 .../secure-hybrid-network/azurepipeline.yml | 62 +-
 .../azure-network-azuredeploy-v2.json | 166 ---
 .../azure-network-azuredeploy.json | 989 ------------------
 .../azure-network-local-gateway.json | 75 --
 .../mock-onprem-azuredeploy.json | 374 -------
 .../mock-onprem-local-gateway.json | 79 --
 7 files changed, 8 insertions(+), 1919 deletions(-)
 delete mode 100644 solutions/secure-hybrid-network/azuredeploy.json
 delete mode 100644 solutions/secure-hybrid-network/nestedtemplates/azure-network-azuredeploy-v2.json
 delete mode 100644 solutions/secure-hybrid-network/nestedtemplates/azure-network-azuredeploy.json
 delete mode 100644 solutions/secure-hybrid-network/nestedtemplates/azure-network-local-gateway.json
 delete mode 100644 solutions/secure-hybrid-network/nestedtemplates/mock-onprem-azuredeploy.json
 delete mode 100644 solutions/secure-hybrid-network/nestedtemplates/mock-onprem-local-gateway.json
diff --git a/solutions/secure-hybrid-network/azuredeploy.json b/solutions/secure-hybrid-network/azuredeploy.json
deleted file mode 100644
index 075c2720..00000000
--- a/solutions/secure-hybrid-network/azuredeploy.json
+++ /dev/null
@@ -1,182 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "mockOnPremResourceGroup": { - "type": "string", - "defaultValue": "site-to-site-mock-prem" - }, - "azureNetworkResourceGroup": { - "type": "string", - "defaultValue": "site-to-site-azure-network" - }, - "adminUserName": { - "type": "string", - "metadata": { - "description": "The admin user name for both the Windows and Linux virtual machines." - } - }, - "adminPassword": { - "type": "securestring", - "metadata": { - "description": "The admin password for both the Windows and Linux virtual machines." - } - }, - "sharedKey": { - "type": "securestring", - "metadata": { - "description": "The shared key used for VPN site-to-site connections." - } - }, - "resourceGrouplocation": { - "type": "string", - "defaultValue": "eastus" - } - }, - "variables": { - "mockOnPremTemplate": "[uri(deployment().properties.templateLink.uri, 'nestedtemplates/mock-onprem-azuredeploy.json')]", - "azureVirtualNetworkTemplate": "[uri(deployment().properties.templateLink.uri, 'nestedtemplates/azure-network-azuredeploy.json')]", - "mockOnPremLocalGatewayTemplate": "[uri(deployment().properties.templateLink.uri, 'nestedtemplates/mock-onprem-local-gateway.json')]", - "azureVirtualNetworkLocalGatewayTemplate": "[uri(deployment().properties.templateLink.uri, 'nestedtemplates/azure-network-local-gateway.json')]" - - }, - "resources": [ - { - "type": "Microsoft.Resources/resourceGroups", - "apiVersion": "2019-10-01", - "name": "[parameters('mockOnPremResourceGroup')]", - "location": "[parameters('resourceGrouplocation')]" - }, - { - "type": "Microsoft.Resources/resourceGroups", - "apiVersion": "2019-10-01", - "name": "[parameters('azureNetworkResourceGroup')]", - "location": "[parameters('resourceGrouplocation')]" - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-06-01", - "name": "onPremMock", - 
"resourceGroup": "[parameters('mockOnPremResourceGroup')]", - "dependsOn": [ - "[resourceId('Microsoft.Resources/resourceGroups', parameters('mockOnPremResourceGroup'))]" - ], - "properties": { - "mode": "Incremental", - "templateLink": { - "uri": "[variables('mockOnPremTemplate')]", - "contentVersion": "1.0.0.0" - }, - "parameters": { - "adminUsername": { - "value": "[parameters('adminUsername')]" - }, - "adminPassword": { - "value": "[parameters('adminPassword')]" - }, - "location": { - "value": "[parameters('resourceGrouplocation')]" - } - } - } - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-06-01", - "name": "azureNetwork", - "resourceGroup": "[parameters('azureNetworkResourceGroup')]", - "dependsOn": [ - "[resourceId('Microsoft.Resources/resourceGroups', parameters('azureNetworkResourceGroup'))]" - ], - "properties": { - "mode": "Incremental", - "templateLink": { - "uri": "[variables('azureVirtualNetworkTemplate')]", - "contentVersion": "1.0.0.0" - }, - "parameters": { - "adminUsername": { - "value": "[parameters('adminUsername')]" - }, - "adminPassword": { - "value": "[parameters('adminPassword')]" - }, - "location": { - "value": "[parameters('resourceGrouplocation')]" - } - } - } - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-06-01", - "name": "mockOnPremLocalGateway", - "resourceGroup": "[parameters('mockOnPremResourceGroup')]", - "dependsOn": [ - "azureNetwork", - "onPremMock" - ], - "properties": { - "mode": "Incremental", - "templateLink": { - "uri": "[variables('mockOnPremLocalGatewayTemplate')]", - "contentVersion": "1.0.0.0" - }, - "parameters": { - "gatewayIpAddress": { - "value": "[reference('azureNetwork').outputs.vpnIp.value]" - }, - "azureCloudVnetPrefix": { - "value": "[reference('azureNetwork').outputs.mocOnpremNetwork.value]" - }, - "spokeNetworkAddressPrefix": { - "value": "[reference('azureNetwork').outputs.spokeNetworkAddressPrefix.value]" - }, - "mocOnpremGatewayName": { - "value": 
"[reference('onPremMock').outputs.mocOnpremGatewayName.value]" - }, - "sharedKey": { - "value": "[parameters('sharedKey')]" - }, - "location": { - "value": "[parameters('resourceGrouplocation')]" - } - } - } - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-06-01", - "name": "azureNetworkLocalGateway", - "resourceGroup": "[parameters('azureNetworkResourceGroup')]", - "dependsOn": [ - "azureNetwork", - "onPremMock" - ], - "properties": { - "mode": "Incremental", - "templateLink": { - "uri": "[variables('azureVirtualNetworkLocalGatewayTemplate')]", - "contentVersion": "1.0.0.0" - }, - "parameters": { - "azureCloudVnetPrefix": { - "value": "[reference('onPremMock').outputs.mocOnpremNetworkPrefix.value]" - }, - "gatewayIpAddress": { - "value": "[reference('onPremMock').outputs.vpnIp.value]" - }, - "azureNetworkGatewayName": { - "value": "[reference('azureNetwork').outputs.azureGatewayName.value]" - }, - "sharedKey": { - "value": "[parameters('sharedKey')]" - }, - "location": { - "value": "[parameters('resourceGrouplocation')]" - } - } - } - } - ] -} \ No newline at end of file diff --git a/solutions/secure-hybrid-network/azurepipeline.yml b/solutions/secure-hybrid-network/azurepipeline.yml index d6bf94e8..d7c68e49 100644 --- a/solutions/secure-hybrid-network/azurepipeline.yml +++ b/solutions/secure-hybrid-network/azurepipeline.yml 
@@ -1,20 +1,10 @@
 variables:
   - name: location
     value: southcentralus
-  - name: template-location
-    value: "/solutions/secure-hybrid-network/*"
-  - name: template-name
-    value: "azuredeploy.json"
   - name: adminUserName
     value: "azureadmin"
-  - name: pester-script-location
-    value: "/tests/Test.ARMTemplate.ps1"
-  - name: ttk-skip-test
-    value: "DependsOn-Best-Practices,IDs-Should-Be-Derived-From-ResourceIDs,Secure-Params-In-Nested-Deployments"
-  - name: artifactsLocationTemplate
-    value: "https://raw.githubusercontent.com/mspnp/samples/main/solutions/secure-hybrid-network/"
   - name: mock-on-prem-resource-group-name
-    value: secure-moc-onprem-$(Build.BuildId)
+    value: secure-mock-onprem-$(Build.BuildId)
   - name: azure-network-resource-group-name
     value: secure-vnet-azure-$(Build.BuildId)
 
@@ -47,42 +37,12 @@ schedules: always: true stages: - # Run ARM TTK and publish test results (Windows only) - # - stage: armTemplateToolkit - - # jobs: - # - job: armttk - # pool: - # vmImage: 'windows-latest' - # continueOnError: false - # timeoutInMinutes: 20 - - # steps: - - # - task: PowerShell@2 - # displayName: ARM-TTK and Pester - # inputs: - # targetType: 'inline' - # script: | - # git clone https://github.com/Azure/arm-ttk.git --quiet $env:BUILD_ARTIFACTSTAGINGDIRECTORY\arm-ttk - # import-module $env:BUILD_ARTIFACTSTAGINGDIRECTORY\arm-ttk\arm-ttk - # Install-Module Pester -AllowClobber -RequiredVersion 4.10.1 -Force -SkipPublisherCheck -AcceptLicense - # Import-Module Pester -RequiredVersion 4.10.1 -ErrorAction Stop - # $results = Invoke-Pester -Script @{Path = "$(System.DefaultWorkingDirectory)$(pester-script-location)"; Parameters = @{TemplatePath = "$(System.DefaultWorkingDirectory)$(template-location)$(template-name)"; Skip = "$(ttk-skip-test)"}} -OutputFormat NUnitXml -OutputFile TEST-ARMTemplate.xml -PassThru - # if ($results.TestResult.Result -contains "Failed") {Write-Error -Message "Test Failed"} - - # - task: PublishTestResults@2 - # inputs: - # testResultsFormat: 'NUnit' - # testResultsFiles: TEST-ARMTemplate.xml - # condition: always() - # Deploy template - stage: validateAndDeploy dependsOn: [] jobs: - - job: arm + - job: deploy pool: vmImage: ubuntu-latest continueOnError: false 
@@ -95,11 +55,9 @@ stages:
           azureSubscription: $(serviceConnection)
           scriptType: "bash"
           scriptLocation: "inlineScript"
+          workingDirectory: $(System.DefaultWorkingDirectory)/solutions/secure-hybrid-network
           inlineScript: |
-            uriTemplate=$(artifactsLocationTemplate)
-            deployUri="${uriTemplate/REPLACEREF/$(Build.SourceVersion)}azuredeploy.json"
-            artifactUri="${uriTemplate/REPLACEREF/$(Build.SourceVersion)}"
-            az deployment sub validate --template-uri $deployUri --location eastus --parameters resourceGrouplocation=$(location) mockOnPremResourceGroup=$(mock-on-prem-resource-group-name) azureNetworkResourceGroup=$(azure-network-resource-group-name) adminUserName=$(adminUserName) adminPassword=$(adminPassword) sharedKey=$(sharedKey) --name validate-$(Build.BuildId)
+            az deployment sub validate --template-file azuredeploy.bicep --location eastus --parameters resourceGrouplocation=$(location) mockOnPremResourceGroup=$(mock-on-prem-resource-group-name) azureNetworkResourceGroup=$(azure-network-resource-group-name) adminUserName=$(adminUserName) adminPassword=$(adminPassword) sharedKey=$(sharedKey) --name validate-$(Build.BuildId)
 
       - task: AzureCLI@2
         displayName: Deploy template
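Review bot: The new `workingDirectory: $(System.DefaultWorkingDirectory)/solutions/secure-hybrid-network` line is pasted verbatim into this step and again into the two steps that follow (@@ -107 and @@ -119), alongside three identical copies of the `az deployment sub … --parameters …` argument list, so the validate step and the two deploy steps can silently drift the next time a parameter is added to azuredeploy.bicep. A pipeline variable such as `- name: template-dir` with `value: $(System.DefaultWorkingDirectory)/solutions/secure-hybrid-network`, referenced as `workingDirectory: $(template-dir)`, removes at least the path duplication. The rewritten command also keeps `--location eastus` for the subscription-level deployment while every resource group is created at `resourceGrouplocation=$(location)`, which the variables block sets to southcentralus; if that split is deliberate, a comment like `# eastus only locates the subscription deployment record, not the resources` would spare the next reader a question. Because `adminPassword=$(adminPassword)` and `sharedKey=$(sharedKey)` are still expanded straight into the bash command line, both must stay secret pipeline variables so the agent's log masking applies to them. The enclosing task and stage start before this hunk.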
@@ -107,11 +65,9 @@ stages:
           azureSubscription: $(serviceConnection)
           scriptType: "bash"
           scriptLocation: "inlineScript"
+          workingDirectory: $(System.DefaultWorkingDirectory)/solutions/secure-hybrid-network
           inlineScript: |
-            uriTemplate=$(artifactsLocationTemplate)
-            deployUri="${uriTemplate/REPLACEREF/$(Build.SourceVersion)}azuredeploy.json"
-            artifactUri="${uriTemplate/REPLACEREF/$(Build.SourceVersion)}"
-            az deployment sub create --template-uri $deployUri --location eastus --parameters resourceGrouplocation=$(location) mockOnPremResourceGroup=$(mock-on-prem-resource-group-name) azureNetworkResourceGroup=$(azure-network-resource-group-name) adminUserName=$(adminUserName) adminPassword=$(adminPassword) sharedKey=$(sharedKey) --name deploy-$(Build.BuildId)
+            az deployment sub create --template-file azuredeploy.bicep --location eastus --parameters resourceGrouplocation=$(location) mockOnPremResourceGroup=$(mock-on-prem-resource-group-name) azureNetworkResourceGroup=$(azure-network-resource-group-name) adminUserName=$(adminUserName) adminPassword=$(adminPassword) sharedKey=$(sharedKey) --name deploy-$(Build.BuildId)
 
       - task: AzureCLI@2
         displayName: Deploy template again
@@ -119,11 +75,9 @@ stages:
           azureSubscription: $(serviceConnection)
           scriptType: "bash"
           scriptLocation: "inlineScript"
+          workingDirectory: $(System.DefaultWorkingDirectory)/solutions/secure-hybrid-network
           inlineScript: |
-            uriTemplate=$(artifactsLocationTemplate)
-            deployUri="${uriTemplate/REPLACEREF/$(Build.SourceVersion)}azuredeploy.json"
-            artifactUri="${uriTemplate/REPLACEREF/$(Build.SourceVersion)}"
-            az deployment sub create --template-uri $deployUri --location eastus --parameters resourceGrouplocation=$(location) mockOnPremResourceGroup=$(mock-on-prem-resource-group-name) azureNetworkResourceGroup=$(azure-network-resource-group-name) adminUserName=$(adminUserName) adminPassword=$(adminPassword) sharedKey=$(sharedKey) --name deploy-$(Build.BuildId)
+            az deployment sub create --template-file azuredeploy.bicep --location eastus --parameters resourceGrouplocation=$(location) mockOnPremResourceGroup=$(mock-on-prem-resource-group-name) azureNetworkResourceGroup=$(azure-network-resource-group-name) adminUserName=$(adminUserName) adminPassword=$(adminPassword) sharedKey=$(sharedKey) --name deploy-$(Build.BuildId)
 
   # Clean up deployment
   - stage: cleanupResourceGroupBasic
diff --git a/solutions/secure-hybrid-network/nestedtemplates/azure-network-azuredeploy-v2.json b/solutions/secure-hybrid-network/nestedtemplates/azure-network-azuredeploy-v2.json
deleted file mode 100644
index 0bf4c942..00000000
--- a/solutions/secure-hybrid-network/nestedtemplates/azure-network-azuredeploy-v2.json
+++ /dev/null
@@ -1,166 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.39.26.7824", - "templateHash": "11434533286408150086" - } - }, - "parameters": { - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]" - }, - "firewallName": { - "type": "string", - "metadata": { - "description": "Name of the Azure Firewall" - } - }, - "firewallPrivateIp": { - "type": "string", - "metadata": { - "description": "Private IP address of the firewall" - } - }, - "internalLoadBalancerPrivateIp": { - "type": "string", - "metadata": { - "description": "Private IP address of the internal load balancer" - } - }, - "hubVnetName": { - "type": "string", - "defaultValue": "vnet-hub", - "metadata": { - "description": "Name of the hub virtual network" - } - }, - "firewallPublicIpName": { - "type": "string", - "defaultValue": "pip-firewall", - "metadata": { - "description": "Name of the firewall public IP" - } - }, - "spokeAddressPrefix": { - "type": "string", - "defaultValue": "10.100.0.0/16", - "metadata": { - "description": "Spoke network address prefix for source filtering" - } - } - }, - "resources": [ - { - "type": "Microsoft.Network/azureFirewalls", - "apiVersion": "2024-05-01", - "name": "[parameters('firewallName')]", - "location": "[parameters('location')]", - "properties": { - "sku": { - "name": "AZFW_VNet", - "tier": "Standard" - }, - "threatIntelMode": "Alert", - "ipConfigurations": [ - { - "name": "[parameters('firewallName')]", - "properties": { - "publicIPAddress": { - "id": "[resourceId('Microsoft.Network/publicIPAddresses', parameters('firewallPublicIpName'))]" - }, - "subnet": { - "id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('hubVnetName'), 'AzureFirewallSubnet')]" - } - } - } - ], - "applicationRuleCollections": [ - { - "name": "spoke-outbound", - "properties": { - 
"priority": 100, - "action": { - "type": "Allow" - }, - "rules": [ - { - "name": "all-internet", - "protocols": [ - { - "protocolType": "Http", - "port": 80 - }, - { - "protocolType": "Https", - "port": 443 - } - ], - "targetFqdns": [ - "*" - ], - "sourceAddresses": [ - "*" - ] - } - ] - } - }, - { - "name": "spoke-windows-update", - "properties": { - "priority": 200, - "action": { - "type": "Allow" - }, - "rules": [ - { - "name": "windows-update", - "fqdnTags": [ - "WindowsUpdate" - ], - "sourceAddresses": [ - "[parameters('spokeAddressPrefix')]" - ] - } - ] - } - } - ], - "natRuleCollections": [ - { - "name": "dnat-onprem-to-spoke", - "properties": { - "priority": 100, - "action": { - "type": "Dnat" - }, - "rules": [ - { - "name": "onprem-to-web", - "protocols": [ - "TCP" - ], - "sourceAddresses": [ - "192.168.0.0/16" - ], - "destinationAddresses": [ - "[parameters('firewallPrivateIp')]" - ], - "destinationPorts": [ - "80" - ], - "translatedAddress": "[parameters('internalLoadBalancerPrivateIp')]", - "translatedPort": "80" - } - ] - } - } - ] - } - } - ] -} \ No newline at end of file diff --git a/solutions/secure-hybrid-network/nestedtemplates/azure-network-azuredeploy.json b/solutions/secure-hybrid-network/nestedtemplates/azure-network-azuredeploy.json deleted file mode 100644 index eb7dae0e..00000000 --- a/solutions/secure-hybrid-network/nestedtemplates/azure-network-azuredeploy.json +++ /dev/null 
@@ -1,989 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "adminUserName": { - "type": "string", - "defaultValue": "azureadmin" - }, - "adminPassword": { - "type": "securestring" - }, - "webServerInstanceCount": { - "type": "int", - "defaultValue": 2, - "metadata": { - "description": "The count of Windows virtual machines to create." - } - }, - "vmSize": { - "type": "string", - "defaultValue": "Standard_D2s_v3" - }, - "configureSitetosite": { - "type": "bool", - "defaultValue": true - }, - "hubNetwork": { - "type": "object", - "defaultValue": { - "name": "vnet-hub", - "addressPrefix": "10.0.0.0/20" - } - }, - "spokeNetwork": { - "type": "object", - "defaultValue": { - "name": "vnet-spoke", - "addressPrefix": "10.100.0.0/16", - "subnetName": "snet-spoke-resources", - "subnetPrefix": "10.100.0.0/24", - "subnetNsgName": "nsg-spoke-resources" - } - }, - "vpnGateway": { - "type": "object", - "defaultValue": { - "name": "vpn-azure-network", - "subnetName": "GatewaySubnet", - "subnetPrefix": "10.0.2.0/27", - "publicIPAddressName": "pip-vgn-gateway" - } - }, - "bastionHost": { - "type": "object", - "defaultValue": { - "name": "AzureBastionHost", - "subnetName": "AzureBastionSubnet", - "subnetPrefix": "10.0.1.0/26", - "publicIPAddressName": "pip-bastion", - "nsgName": "nsg-hub-bastion" - } - }, - "azureFirewall": { - "type": "object", - "defaultValue": { - "name": "AzureFirewall", - "subnetName": "AzureFirewallSubnet", - "subnetPrefix": "10.0.3.0/26", - "publicIPAddressName": "pip-firewall" - } - }, - "spokeRoutes": { - "type": "object", - "defaultValue": { - "tableName": "spoke-routes", - "routeNameFirewall": "spoke-to-firewall" - } - }, - "gatewayRoutes": { - "type": "object", - "defaultValue": { - "tableName": "gateway-routes", - "routeNameFirewall": "gateway-to-firewall" - } - }, - "internalLoadBalancer": { - "type": "object", - "defaultValue": { - "name": 
"lb-internal", - "backendName": "lb-backend", - "frontendName": "lb-frontend", - "probeName": "lb-probe" - } - }, - "location": { - "type": "string" - } - }, - "variables": { - "logAnalyticsWorkspace": "[concat('la-', uniqueString(subscription().subscriptionId, resourceGroup().id))]", - "vmssName": "vmss-web-server", - "peering-name-hub-to-spoke": "hub-to-spoke", - "peering-name-spoke-to-hub": "spoke-to-hub", - "windowsOSVersion": "2025-datacenter-core-smalldisk-g2" - }, - "resources": [ - { - "comments": "Log Analytics workspace", - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2020-08-01", - "name": "[variables('logAnalyticsWorkspace')]", - "location": "[parameters('location')]", - "properties": { - "sku": { - "name": "PerGB2018" - }, - "features": { - "searchVersion": 1 - } - } - }, - { - "comments": "Hub virtual network and diagnostic configuration", - "type": "Microsoft.Network/virtualNetworks", - "apiVersion": "2020-05-01", - "name": "[parameters('hubNetwork').name]", - "location": "[parameters('location')]", - "dependsOn": [ - "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('bastionHost').nsgName)]", - "[resourceId('Microsoft.Network/routeTables', parameters('gatewayRoutes').tableName)]" - ], - "properties": { - "addressSpace": { - "addressPrefixes": [ - "[parameters('hubNetwork').addressPrefix]" - ] - }, - "subnets": [ - { - "name": "[parameters('vpnGateway').subnetName]", - "properties": { - "addressPrefix": "[parameters('vpnGateway').subnetPrefix]", - "routeTable": { - "id": "[resourceId('Microsoft.Network/routeTables', parameters('gatewayRoutes').tableName)]" - } - } - }, - { - "name": "[parameters('azureFirewall').subnetName]", - "properties": { - "addressPrefix": "[parameters('azureFirewall').subnetPrefix]" - } - }, - { - "name": "[parameters('bastionHost').subnetName]", - "properties": { - "addressPrefix": "[parameters('bastionHost').subnetPrefix]", - "defaultOutboundAccess": false, - "networkSecurityGroup": { 
- "id": "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('bastionHost').nsgName)]" - } - } - } - ] - }, - "resources": [ - { - "type": "providers/diagnosticSettings", - "apiVersion": "2017-05-01-preview", - "name": "[concat('Microsoft.Insights/default', variables('logAnalyticsWorkspace'))]", - "dependsOn": [ - "[resourceId('Microsoft.Network/virtualNetworks', parameters('hubNetwork').name)]", - "[resourceId('Microsoft.OperationalInsights/workspaces', variables('logAnalyticsWorkspace'))]" - ], - "properties": { - "workspaceId": "[resourceId('Microsoft.OperationalInsights/workspaces', variables('logAnalyticsWorkspace'))]", - "logs": [ - { - "category": "VMProtectionAlerts", - "enabled": true - } - ], - "metrics": [ - { - "category": "AllMetrics", - "enabled": true - } - ] - } - } - ] - }, - { - "comments": "Spoke virtual network, subnet, and diagnostic configuration", - "type": "Microsoft.Network/virtualNetworks", - "apiVersion": "2020-05-01", - "name": "[parameters('spokeNetwork').name]", - "location": "[parameters('location')]", - "dependsOn": [ - "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('spokeNetwork').subnetNsgName)]", - "[resourceId('Microsoft.Network/routeTables', parameters('spokeRoutes').tableName)]" - ], - "properties": { - "addressSpace": { - "addressPrefixes": [ - "[parameters('spokeNetwork').addressPrefix]" - ] - }, - "subnets": [ - { - "name": "[parameters('spokeNetwork').subnetName]", - "properties": { - "addressPrefix": "[parameters('spokeNetwork').addressPrefix]", - "networkSecurityGroup": { - "id": "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('spokeNetwork').subnetNsgName)]" - }, - "routeTable": { - "id": "[resourceId('Microsoft.Network/routeTables', parameters('spokeRoutes').tableName)]" - } - } - } - ] - }, - "resources": [ - { - "type": "providers/diagnosticSettings", - "apiVersion": "2017-05-01-preview", - "name": "[concat('Microsoft.Insights/default', 
variables('logAnalyticsWorkspace'))]", - "dependsOn": [ - "[resourceId('Microsoft.Network/virtualNetworks', parameters('spokeNetwork').name)]", - "[resourceId('Microsoft.OperationalInsights/workspaces', variables('logAnalyticsWorkspace'))]" - ], - "properties": { - "workspaceId": "[resourceId('Microsoft.OperationalInsights/workspaces', variables('logAnalyticsWorkspace'))]", - "logs": [ - { - "category": "VMProtectionAlerts", - "enabled": true - } - ], - "metrics": [ - { - "category": "AllMetrics", - "enabled": true - } - ] - } - } - ] - }, - { - "comments": "Virtual network peering hub to spoke one", - "type": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings", - "apiVersion": "2020-05-01", - "name": "[concat(parameters('hubNetwork').name, '/', variables('peering-name-hub-to-spoke'))]", - "location": "[parameters('location')]", - "dependsOn": [ - "[resourceId('Microsoft.Network/virtualNetworks', parameters('hubNetwork').name)]", - "[resourceId('Microsoft.Network/virtualNetworks', parameters('spokeNetwork').name)]", - "[resourceId('Microsoft.Network/virtualNetworkGateways', parameters('vpnGateway').name)]" - ], - "properties": { - "allowVirtualNetworkAccess": true, - "allowForwardedTraffic": true, - "allowGatewayTransit": true, - "useRemoteGateways": false, - "remoteVirtualNetwork": { - "id": "[resourceId('Microsoft.Network/virtualNetworks', parameters('spokeNetwork').name)]" - } - } - }, - { - "comments": "Virtual network peering spoke one to hub", - "type": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings", - "apiVersion": "2020-05-01", - "name": "[concat(parameters('spokeNetwork').name, '/', variables('peering-name-spoke-to-hub'))]", - "location": "[parameters('location')]", - "dependsOn": [ - "[resourceId('Microsoft.Network/virtualNetworks', parameters('hubNetwork').name)]", - "[resourceId('Microsoft.Network/virtualNetworks', parameters('spokeNetwork').name)]", - "[resourceId('Microsoft.Network/virtualNetworkGateways', 
parameters('vpnGateway').name)]" - ], - "properties": { - "allowVirtualNetworkAccess": true, - "allowForwardedTraffic": true, - "allowGatewayTransit": false, - "useRemoteGateways": true, - "remoteVirtualNetwork": { - "id": "[resourceId('Microsoft.Network/virtualNetworks', parameters('hubNetwork').name)]" - } - } - }, - { - "comments": "Public IP address for Bastion", - "type": "Microsoft.Network/publicIpAddresses", - "apiVersion": "2020-05-01", - "name": "[parameters('bastionHost').publicIPAddressName]", - "location": "[parameters('location')]", - "sku": { - "name": "Standard" - }, - "properties": { - "publicIPAllocationMethod": "Static" - } - }, - { - "comments": "Network security group, rules for Bastion", - "type": "Microsoft.Network/networkSecurityGroups", - "apiVersion": "2019-11-01", - "name": "[parameters('bastionHost').nsgName]", - "location": "[parameters('location')]", - "properties": { - "securityRules": [ - { - "name": "bastion-in-allow", - "properties": { - "protocol": "Tcp", - "sourcePortRange": "*", - "sourceAddressPrefix": "Internet", - "destinationPortRange": "443", - "destinationAddressPrefix": "*", - "access": "Allow", - "priority": 100, - "direction": "Inbound" - } - }, - { - "name": "bastion-control-in-allow", - "properties": { - "protocol": "Tcp", - "sourcePortRange": "*", - "sourceAddressPrefix": "GatewayManager", - "destinationPortRange": "443", - "destinationAddressPrefix": "*", - "access": "Allow", - "priority": 120, - "direction": "Inbound" - } - }, - { - "name": "bastion-in-host", - "properties": { - "protocol": "*", - "sourcePortRange": "*", - "destinationPortRanges": [ - "8080", - "5701" - ], - "sourceAddressPrefix": "VirtualNetwork", - "destinationAddressPrefix": "VirtualNetwork", - "access": "Allow", - "priority": 130, - "direction": "Inbound" - } - }, - { - "name": "bastion-vnet-out-allow", - "properties": { - "protocol": "Tcp", - "sourcePortRange": "*", - "sourceAddressPrefix": "*", - "destinationPortRanges": [ - "22", - "3389" - 
], - "destinationAddressPrefix": "VirtualNetwork", - "access": "Allow", - "priority": 100, - "direction": "Outbound" - } - }, - { - "name": "bastion-azure-out-allow", - "properties": { - "protocol": "Tcp", - "sourcePortRange": "*", - "sourceAddressPrefix": "*", - "destinationPortRange": "443", - "destinationAddressPrefix": "AzureCloud", - "access": "Allow", - "priority": 120, - "direction": "Outbound" - } - }, - { - "name": "bastion-out-host", - "properties": { - "protocol": "*", - "sourcePortRange": "*", - "destinationPortRanges": [ - "8080", - "5701" - ], - "sourceAddressPrefix": "VirtualNetwork", - "destinationAddressPrefix": "VirtualNetwork", - "access": "Allow", - "priority": 130, - "direction": "Outbound" - } - }, - { - "name": "bastion-out-deny", - "properties": { - "protocol": "*", - "sourcePortRange": "*", - "destinationPortRange": "*", - "sourceAddressPrefix": "*", - "destinationAddressPrefix": "*", - "access": "Deny", - "priority": 1000, - "direction": "Outbound" - } - } - ] - }, - "resources": [ - { - "type": "providers/diagnosticSettings", - "apiVersion": "2017-05-01-preview", - "name": "[concat('Microsoft.Insights/default', variables('logAnalyticsWorkspace'))]", - "dependsOn": [ - "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('bastionHost').nsgName)]", - "[resourceId('Microsoft.OperationalInsights/workspaces', variables('logAnalyticsWorkspace'))]" - ], - "properties": { - "workspaceId": "[resourceId('Microsoft.OperationalInsights/workspaces', variables('logAnalyticsWorkspace'))]", - "logs": [ - { - "category": "NetworkSecurityGroupEvent", - "enabled": true - }, - { - "category": "NetworkSecurityGroupRuleCounter", - "enabled": true - } - ] - } - } - ] - }, - { - "comments": "Azure Bastion and diagnostic configuration", - "type": "Microsoft.Network/bastionHosts", - "apiVersion": "2020-06-01", - "name": "[parameters('bastionHost').name]", - "location": "[parameters('location')]", - "dependsOn": [ - 
"[resourceId('Microsoft.Network/virtualNetworks', parameters('hubNetwork').name)]", - "[resourceId('Microsoft.Network/publicIpAddresses', parameters('bastionHost').publicIPAddressName)]" - ], - "properties": { - "ipConfigurations": [ - { - "name": "IpConf", - "properties": { - "subnet": { - "id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('hubNetwork').name, parameters('bastionHost').subnetName)]" - }, - "publicIPAddress": { - "id": "[resourceId('Microsoft.Network/publicIpAddresses', parameters('bastionHost').publicIPAddressName)]" - } - } - } - ] - }, - "resources": [ - { - "type": "providers/diagnosticSettings", - "apiVersion": "2017-05-01-preview", - "name": "[concat('Microsoft.Insights/default', variables('logAnalyticsWorkspace'))]", - "dependsOn": [ - "[resourceId('Microsoft.Network/bastionHosts', parameters('bastionHost').name)]", - "[resourceId('Microsoft.OperationalInsights/workspaces', variables('logAnalyticsWorkspace'))]" - ], - "properties": { - "workspaceId": "[resourceId('Microsoft.OperationalInsights/workspaces', variables('logAnalyticsWorkspace'))]", - "logs": [ - { - "category": "BastionAuditLogs", - "enabled": true - } - ] - } - } - ] - }, - { - "comments": "Public IP address for VPN Gateway", - "condition": "[parameters('configureSitetosite')]", - "type": "Microsoft.Network/publicIPAddresses", - "apiVersion": "2024-05-01", - "name": "[parameters('vpnGateway').publicIPAddressName]", - "location": "[parameters('location')]", - "sku": { - "name": "Standard" - }, - "zones": [ - "1", - "2", - "3" - ], - "properties": { - "publicIPAllocationMethod": "Static" - } - }, - { - "comments": "VPN Gateway", - "condition": "[parameters('configureSitetosite')]", - "type": "Microsoft.Network/virtualNetworkGateways", - "apiVersion": "2019-11-01", - "name": "[parameters('vpnGateway').name]", - "location": "[parameters('location')]", - "dependsOn": [ - "[resourceId('Microsoft.Network/virtualNetworks', parameters('hubNetwork').name)]", - 
"[resourceId('Microsoft.Network/publicIPAddresses', parameters('vpnGateway').publicIPAddressName)]" - ], - "properties": { - "ipConfigurations": [ - { - "properties": { - "privateIPAllocationMethod": "Dynamic", - "subnet": { - "id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('hubNetwork').name, parameters('vpnGateway').subnetName)]" - }, - "publicIPAddress": { - "id": "[resourceId('Microsoft.Network/publicIpAddresses', parameters('vpnGateway').publicIPAddressName)]" - } - }, - "name": "vnetGatewayConfig" - } - ], - "sku": { - "name": "VpnGw2AZ", - "tier": "VpnGw2AZ" - }, - "gatewayType": "Vpn", - "vpnType": "RouteBased", - "enableBgp": false, - "bgpSettings":{ - "asn": 60001 - } - }, - "resources": [ - { - "condition": "[parameters('configureSitetosite')]", - "type": "providers/diagnosticSettings", - "apiVersion": "2017-05-01-preview", - "name": "[concat('Microsoft.Insights/default', variables('logAnalyticsWorkspace'))]", - "dependsOn": [ - "[resourceId('Microsoft.Network/virtualNetworkGateways', parameters('vpnGateway').name)]" - ], - "properties": { - "workspaceId": "[resourceId('Microsoft.OperationalInsights/workspaces', variables('logAnalyticsWorkspace'))]", - "logs": [ - { - "category": "GatewayDiagnosticLog", - "enabled": true - }, - { - "category": "TunnelDiagnosticLog", - "enabled": true - }, - { - "category": "RouteDiagnosticLog", - "enabled": true - }, - { - "category": "IKEDiagnosticLog", - "enabled": true - }, - { - "category": "P2SDiagnosticLog", - "enabled": true - } - ] - } - } - ] - }, - { - "comments": "Public IP address for Azure Firewall", - "type": "Microsoft.Network/publicIPAddresses", - "apiVersion": "2019-11-01", - "name": "[parameters('azureFirewall').publicIPAddressName]", - "location": "[parameters('location')]", - "sku": { - "name": "Standard" - }, - "properties": { - "publicIPAllocationMethod": "Static" - } - }, - { - "comments": "Azure Firewall and diagnostic configuration", - "type": 
"Microsoft.Network/azureFirewalls", - "apiVersion": "2020-05-01", - "name": "[parameters('azureFirewall').name]", - "location": "[parameters('location')]", - "dependsOn": [ - "[resourceId('Microsoft.Network/virtualNetworks', parameters('hubNetwork').name)]" - ], - "properties": { - "sku": { - "name": "AZFW_VNet", - "tier": "Standard" - }, - "threatIntelMode": "Alert", - "ipConfigurations": [ - { - "name": "[parameters('azureFirewall').name]", - "properties": { - "publicIPAddress": { - "id": "[resourceId('Microsoft.Network/publicIPAddresses', parameters('azureFirewall').publicIPAddressName)]" - }, - "subnet": { - "id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('hubNetwork').name, parameters('azureFirewall').subnetName)]" - } - } - } - ], - "applicationRuleCollections": [ - { - "name": "spoke-outbound", - "properties": { - "priority": 100, - "action": { - "type": "Allow" - }, - "rules": [ - { - "name": "windows-update", - "fqdnTags": [ - "WindowsUpdate" - ], - "sourceAddresses": [ - "[parameters('spokeNetwork').addressPrefix]" - ] - } - ] - } - } - ] - }, - "resources": [ - { - "type": "providers/diagnosticSettings", - "apiVersion": "2017-05-01-preview", - "name": "[concat('Microsoft.Insights/default', variables('logAnalyticsWorkspace'))]", - "dependsOn": [ - "[resourceId('Microsoft.Network/azureFirewalls', parameters('azureFirewall').name)]", - "[resourceId('Microsoft.OperationalInsights/workspaces', variables('logAnalyticsWorkspace'))]" - ], - "properties": { - "workspaceId": "[resourceId('Microsoft.OperationalInsights/workspaces', variables('logAnalyticsWorkspace'))]", - "logs": [ - { - "category": "AzureFirewallApplicationRule", - "enabled": true - }, - { - "category": "AzureFirewallNetworkRule", - "enabled": true - }, - { - "category": "AzureFirewallDnsProxy", - "enabled": true - } - ] - } - } - ] - }, - { - "comments": "Network security group + rules for spoke network and diagnostic configuration", - "type": 
"Microsoft.Network/networkSecurityGroups", - "apiVersion": "2019-11-01", - "name": "[parameters('spokeNetwork').subnetNsgName]", - "location": "[parameters('location')]", - "properties": { - "securityRules": [ - { - "name": "allow-http-traffic-from-external", - "properties": { - "protocol": "*", - "sourcePortRange": "*", - "destinationPortRange": "80", - "sourceAddressPrefix": "*", - "destinationAddressPrefix": "*", - "access": "Allow", - "priority": 100, - "direction": "Inbound" - } - }, - { - "name": "allow-http-traffic-from-vnet", - "properties": { - "protocol": "*", - "sourcePortRange": "*", - "destinationPortRange": "80", - "sourceAddressPrefix": "10.0.0.0/16", - "destinationAddressPrefix": "*", - "access": "Allow", - "priority": 110, - "direction": "Inbound" - } - } - ] - }, - "resources": [ - { - "type": "providers/diagnosticSettings", - "apiVersion": "2017-05-01-preview", - "name": "[concat('Microsoft.Insights/default', variables('logAnalyticsWorkspace'))]", - "dependsOn": [ - "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('spokeNetwork').subnetNsgName)]", - "[resourceId('Microsoft.OperationalInsights/workspaces', variables('logAnalyticsWorkspace'))]" - ], - "properties": { - "workspaceId": "[resourceId('Microsoft.OperationalInsights/workspaces', variables('logAnalyticsWorkspace'))]", - "logs": [ - { - "category": "NetworkSecurityGroupEvent", - "enabled": true - }, - { - "category": "NetworkSecurityGroupRuleCounter", - "enabled": true - } - ] - } - } - ] - }, - { - "type": "Microsoft.Compute/virtualMachineScaleSets", - "apiVersion": "2024-11-01", - "name": "[variables('vmssName')]", - "location": "[parameters('location')]", - "dependsOn": [ - "[resourceId('Microsoft.Network/virtualNetworks', parameters('spokeNetwork').name)]", - "[resourceId('Microsoft.Network/loadBalancers', parameters('internalLoadBalancer').name)]" - ], - "identity": { - "type": "SystemAssigned" - }, - "sku": { - "name": "[parameters('vmSize')]", - "tier": "Standard", 
- "capacity": "[parameters('webServerInstanceCount')]" - }, - "properties": { - "orchestrationMode": "Uniform", - "overprovision": false, - "upgradePolicy": { - "mode": "Manual" - }, - "virtualMachineProfile": { - "osProfile": { - "computerNamePrefix": "websvr", - "adminUsername": "[parameters('adminUsername')]", - "adminPassword": "[parameters('adminPassword')]", - "windowsConfiguration": { - "enableAutomaticUpdates": true - } - }, - "storageProfile": { - "imageReference": { - "publisher": "MicrosoftWindowsServer", - "offer": "WindowsServer", - "sku": "[variables('windowsOSVersion')]", - "version": "latest" - }, - "osDisk": { - "createOption": "FromImage" - } - }, - "networkProfile": { - "networkInterfaceConfigurations": [ - { - "name": "[concat(variables('vmssName'), '-nic')]", - "properties": { - "primary": true, - "ipConfigurations": [ - { - "name": "ipconfig", - "properties": { - "primary": true, - "subnet": { - "id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('spokeNetwork').name, parameters('spokeNetwork').subnetName)]" - }, - "loadBalancerBackendAddressPools": [ - { - "id": "[resourceId('Microsoft.Network/loadBalancers/backendAddressPools', parameters('internalLoadBalancer').name, parameters('internalLoadBalancer').backendName)]" - } - ] - } - } - ] - } - } - ] - }, - "securityProfile": { - "encryptionAtHost": false - }, - "extensionProfile": { - "extensions": [ - { - "name": "installIIS", - "properties": { - "publisher": "Microsoft.Compute", - "type": "CustomScriptExtension", - "typeHandlerVersion": "1.7", - "autoUpgradeMinorVersion": true, - "settings": { - "commandToExecute": "powershell.exe Install-WindowsFeature -name Web-Server -IncludeManagementTools" - } - } - }, - { - "name": "AzurePolicyforWindows", - "properties": { - "publisher": "Microsoft.GuestConfiguration", - "type": "ConfigurationforWindows", - "typeHandlerVersion": "1.0", - "autoUpgradeMinorVersion": true, - "enableAutomaticUpgrade": true, - "settings": {}, - 
"protectedSettings": {} - } - } - ] - } - } - } - }, - { - "comments": "Route / force tunnel from spokes to Azure firewall", - "type": "Microsoft.Network/routeTables", - "apiVersion": "2020-05-01", - "name": "[parameters('spokeRoutes').tableName]", - "location": "[parameters('location')]", - "properties": { - "disableBgpRoutePropagation": false - } - }, - { - "comments": "Route associated with spoke / resources subnet, any address, through Azure firewall", - "type": "Microsoft.Network/routeTables/routes", - "apiVersion": "2020-07-01", - "name": "[concat(parameters('spokeRoutes').tableName, '/', parameters('spokeRoutes').routeNameFirewall)]", - "dependsOn": [ - "[resourceId('Microsoft.Network/routeTables', parameters('spokeRoutes').tableName)]" - ], - "properties": { - "addressPrefix": "0.0.0.0/0", - "nextHopType": "VirtualAppliance", - "nextHopIpAddress": "[reference(resourceId('Microsoft.Network/azureFirewalls', parameters('azureFirewall').name), '2020-05-01').ipConfigurations[0].properties.privateIpAddress]" - } - }, - { - "comments": "Route / force tunnel from spokes to Azure firewall", - "type": "Microsoft.Network/routeTables", - "apiVersion": "2020-05-01", - "name": "[parameters('gatewayRoutes').tableName]", - "location": "[parameters('location')]", - "properties": { - "disableBgpRoutePropagation": false - } - }, - { - "type": "Microsoft.Network/routeTables/routes", - "apiVersion": "2020-07-01", - "name": "[concat(parameters('gatewayRoutes').tableName, '/', parameters('gatewayRoutes').routeNameFirewall)]", - "dependsOn": [ - "[resourceId('Microsoft.Network/routeTables', parameters('gatewayRoutes').tableName)]" - ], - "properties": { - "addressPrefix": "[parameters('spokeNetwork').addressPrefix]", - "nextHopType": "VirtualAppliance", - "nextHopIpAddress": "[reference(resourceId('Microsoft.Network/azureFirewalls', parameters('azureFirewall').name), '2020-05-01').ipConfigurations[0].properties.privateIpAddress]" - } - }, - { - "type": 
"Microsoft.Network/loadBalancers", - "apiVersion": "2020-05-01", - "name": "[parameters('internalLoadBalancer').name]", - "location": "[parameters('location')]", - "dependsOn": [ - "[resourceId('Microsoft.Network/virtualNetworks', parameters('spokeNetwork').name)]" - ], - "sku": { - "name": "Standard" - }, - "properties": { - "frontendIPConfigurations": [ - { - "name": "[parameters('internalLoadBalancer').frontendName]", - "properties": { - "subnet": { - "id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('spokeNetwork').name, parameters('spokeNetwork').subnetName)]" - }, - "privateIPAllocationMethod": "Dynamic" - } - } - ], - "backendAddressPools": [ - { - "name": "[parameters('internalLoadBalancer').backendName]" - } - ], - "loadBalancingRules": [ - { - "name": "[parameters('internalLoadBalancer').probeName]", - "properties": { - "frontendIPConfiguration": { - "id": "[resourceId('Microsoft.Network/loadBalancers/frontendIPConfigurations', parameters('internalLoadBalancer').name, parameters('internalLoadBalancer').frontendName)]" - }, - "frontendPort": 80, - "backendPort": 80, - "enableFloatingIP": false, - "idleTimeoutInMinutes": 4, - "protocol": "Tcp", - "enableTcpReset": false, - "loadDistribution": "Default", - "disableOutboundSnat": false, - "backendAddressPool": { - "id": "[resourceId('Microsoft.Network/loadBalancers/backendAddressPools', parameters('internalLoadBalancer').name, parameters('internalLoadBalancer').backendName)]" - }, - "probe": { - "id": "[concat(resourceId('Microsoft.Network/loadBalancers', parameters('internalLoadBalancer').name), '/probes/', parameters('internalLoadBalancer').probeName)]" - } - } - } - ], - "probes": [ - { - "name": "[parameters('internalLoadBalancer').probeName]", - "properties": { - "protocol": "Http", - "port": 80, - "requestPath": "/", - "intervalInSeconds": 15, - "numberOfProbes": 2 - } - } - ] - }, - "resources": [ - { - "type": "providers/diagnosticSettings", - "apiVersion": 
"2017-05-01-preview",
- "name": "[concat('Microsoft.Insights/default', variables('logAnalyticsWorkspace'))]",
- "dependsOn": [
- "[resourceId('Microsoft.Network/loadBalancers', parameters('internalLoadBalancer').name)]",
- "[resourceId('Microsoft.OperationalInsights/workspaces', variables('logAnalyticsWorkspace'))]"
- ],
- "properties": {
- "workspaceId": "[resourceId('Microsoft.OperationalInsights/workspaces', variables('logAnalyticsWorkspace'))]",
- "metrics": [
- {
- "category": "AllMetrics",
- "enabled": true
- }
- ]
- }
- }
- ]
- }
- ],
- "outputs": {
- "vpnIp": {
- "type": "string",
- "value": "[reference(resourceId('Microsoft.Network/virtualNetworkGateways', parameters('vpnGateway').name)).bgpSettings.bgpPeeringAddresses[0].tunnelIpAddresses[0]]"
- },
- "mocOnpremNetwork": {
- "type": "string",
- "value": "[parameters('hubNetwork').addressPrefix]"
- },
- "spokeNetworkAddressPrefix": {
- "type": "string",
- "value": "[parameters('spokeNetwork').addressPrefix]"
- },
- "azureGatewayName": {
- "type": "string",
- "value": "[parameters('vpnGateway').name]"
- }
- }
-}
diff --git a/solutions/secure-hybrid-network/nestedtemplates/azure-network-local-gateway.json b/solutions/secure-hybrid-network/nestedtemplates/azure-network-local-gateway.json
deleted file mode 100644
index 5fe715dc..00000000
--- a/solutions/secure-hybrid-network/nestedtemplates/azure-network-local-gateway.json
+++ /dev/null
@@ -1,75 +0,0 @@
-{
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "connectionName": {
- "type": "string",
- "defaultValue": "hub-to-mock-prem"
- },
- "gatewayIpAddress": {
- "type": "string"
- },
- "azureCloudVnetPrefix": {
- "type": "string"
- },
- "azureNetworkGatewayName": {
- "type": "string"
- },
- "localNetworkGatewayName": {
- "type": "string",
- "defaultValue": "local-gateway-azure-network"
- },
- "sharedKey": {
- "type": "securestring"
- },
- "location": {
- "type": "string"
- }
- },
- "resources": [
- {
- "type": "Microsoft.Network/localNetworkGateways",
- "apiVersion": "2020-05-01",
- "name": "[parameters('localNetworkGatewayName')]",
- "location": "[parameters('location')]",
- "properties": {
- "localNetworkAddressSpace": {
- "addressPrefixes": [
- "[parameters('azureCloudVnetPrefix')]"
- ]
- },
- "gatewayIpAddress": "[parameters('gatewayIpAddress')]",
- "bgpSettings": {
- "asn": 40000,
- "bgpPeeringAddress": "[parameters('gatewayIpAddress')]"
- }
- }
- },
- {
- "type": "Microsoft.Network/connections",
- "apiVersion": "2020-05-01",
- "name": "[parameters('connectionName')]",
- "location": "[parameters('location')]",
- "dependsOn": [
- "[resourceId('Microsoft.Network/localNetworkGateways', parameters('localNetworkGatewayName'))]"
- ],
- "properties": {
- "virtualNetworkGateway1": {
- "id": "[resourceId('Microsoft.Network/virtualNetworkGateways', parameters('azureNetworkGatewayName'))]"
- },
- "localNetworkGateway2": {
- "id": "[resourceId('Microsoft.Network/localNetworkGateways', parameters('localNetworkGatewayName'))]"
- },
- "connectionType": "IPsec",
- "connectionProtocol": "IKEv2",
- "routingWeight": 100,
- "sharedKey": "[parameters('sharedKey')]",
- "enableBgp": false,
- "useLocalAzureIpAddress": false,
- "usePolicyBasedTrafficSelectors": false,
- "expressRouteGatewayBypass": false,
- "dpdTimeoutSeconds": 0
- }
- }
- ]
-}
\ No newline at end of file
diff --git a/solutions/secure-hybrid-network/nestedtemplates/mock-onprem-azuredeploy.json b/solutions/secure-hybrid-network/nestedtemplates/mock-onprem-azuredeploy.json
deleted file mode 100644
index 48225509..00000000
--- a/solutions/secure-hybrid-network/nestedtemplates/mock-onprem-azuredeploy.json
+++ /dev/null
@@ -1,374 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "adminUserName": { - "type": "string" - }, - "adminPassword": { - "type": "securestring" - }, - "mocOnpremNetwork": { - "type": "object", - "defaultValue": { - "name": "vnet-onprem", - "addressPrefix": "192.168.0.0/16", - "subnetName": "mgmt", - "subnetPrefix": "192.168.1.128/25" - } - }, - "mocOnpremGateway": { - "type": "object", - "defaultValue": { - "name": "vpn-mock-prem", - "subnetName": "GatewaySubnet", - "subnetPrefix": "192.168.255.224/27", - "publicIPAddressName": "pip-onprem-vpn-gateway" - } - }, - "bastionHost": { - "type": "object", - "defaultValue": { - "name": "AzureBastionHost", - "subnetName": "AzureBastionSubnet", - "subnetPrefix": "192.168.254.0/26", - "publicIPAddressName": "pip-bastion", - "nsgName": "nsg-hub-bastion" - } - }, - "vmSize": { - "type": "string", - "defaultValue": "Standard_D2s_v3" - }, - "configureSitetosite": { - "type": "bool", - "defaultValue": true - }, - "location": { - "type": "string" - } - }, - "variables": { - "nicNameWindows": "nic-windows", - "vmNameWindows": "vm-windows", - "windowsOSVersion": "2025-datacenter-smalldisk-g2" - }, - "resources": [ - { - "comments": "Hub virtual network and diagnostic configuration", - "type": "Microsoft.Network/virtualNetworks", - "apiVersion": "2020-05-01", - "name": "[parameters('mocOnpremNetwork').name]", - "location": "[parameters('location')]", - "properties": { - "addressSpace": { - "addressPrefixes": [ - "[parameters('mocOnpremNetwork').addressPrefix]" - ] - }, - "subnets": [ - { - "name": "[parameters('mocOnpremNetwork').subnetName]", - "properties": { - "addressPrefix": "[parameters('mocOnpremNetwork').subnetPrefix]" - } - }, - { - "name": "[parameters('mocOnpremGateway').subnetName]", - "properties": { - "addressPrefix": "[parameters('mocOnpremGateway').subnetPrefix]" - } - }, - { - "name": 
"[parameters('bastionHost').subnetName]", - "properties": { - "addressPrefix": "[parameters('bastionHost').subnetPrefix]", - "defaultOutboundAccess": false - } - } - ] - } - }, - { - "comments": "Public IP address for VPN Gateway", - "condition": "[parameters('configureSitetosite')]", - "type": "Microsoft.Network/publicIPAddresses", - "apiVersion": "2019-11-01", - "name": "[parameters('mocOnpremGateway').publicIPAddressName]", - "location": "[parameters('location')]", - "properties": { - "publicIPAllocationMethod": "Static" - } - }, - { - "comments": "VPN Gateway", - "condition": "[parameters('configureSitetosite')]", - "type": "Microsoft.Network/virtualNetworkGateways", - "apiVersion": "2019-11-01", - "name": "[parameters('mocOnpremGateway').name]", - "location": "[parameters('location')]", - "dependsOn": [ - "[resourceId('Microsoft.Network/virtualNetworks', parameters('mocOnpremNetwork').name)]", - "[resourceId('Microsoft.Network/publicIPAddresses', parameters('mocOnpremGateway').publicIPAddressName)]" - ], - "properties": { - "ipConfigurations": [ - { - "properties": { - "privateIPAllocationMethod": "Dynamic", - "subnet": { - "id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('mocOnpremNetwork').name, parameters('mocOnpremGateway').subnetName)]" - }, - "publicIPAddress": { - "id": "[resourceId('Microsoft.Network/publicIPAddresses', parameters('mocOnpremGateway').publicIPAddressName)]" - } - }, - "name": "vnetGatewayConfig" - } - ], - "sku": { - "name": "VpnGw2", - "tier": "VpnGw2" - }, - "gatewayType": "Vpn", - "vpnType": "RouteBased", - "enableBgp": false, - "bgpSettings":{ - "asn": 60001 - } - } - }, - { - "comments": "Public IP address for Bastion", - "type": "Microsoft.Network/publicIpAddresses", - "apiVersion": "2020-05-01", - "name": "[parameters('bastionHost').publicIPAddressName]", - "location": "[parameters('location')]", - "sku": { - "name": "Standard" - }, - "properties": { - "publicIPAllocationMethod": "Static" - } - }, - { - 
"comments": "Network security group, rules for Bastion", - "type": "Microsoft.Network/networkSecurityGroups", - "apiVersion": "2019-11-01", - "name": "[parameters('bastionHost').nsgName]", - "location": "[parameters('location')]", - "properties": { - "securityRules": [ - { - "name": "bastion-in-allow", - "properties": { - "protocol": "Tcp", - "sourcePortRange": "*", - "sourceAddressPrefix": "Internet", - "destinationPortRange": "443", - "destinationAddressPrefix": "*", - "access": "Allow", - "priority": 100, - "direction": "Inbound" - } - }, - { - "name": "bastion-control-in-allow", - "properties": { - "protocol": "Tcp", - "sourcePortRange": "*", - "sourceAddressPrefix": "GatewayManager", - "destinationPortRange": "443", - "destinationAddressPrefix": "*", - "access": "Allow", - "priority": 120, - "direction": "Inbound" - } - }, - { - "name": "bastion-in-host", - "properties": { - "protocol": "*", - "sourcePortRange": "*", - "destinationPortRanges": [ - "8080", - "5701" - ], - "sourceAddressPrefix": "VirtualNetwork", - "destinationAddressPrefix": "VirtualNetwork", - "access": "Allow", - "priority": 130, - "direction": "Inbound" - } - }, - { - "name": "bastion-vnet-out-allow", - "properties": { - "protocol": "Tcp", - "sourcePortRange": "*", - "sourceAddressPrefix": "*", - "destinationPortRanges": [ - "22", - "3389" - ], - "destinationAddressPrefix": "VirtualNetwork", - "access": "Allow", - "priority": 100, - "direction": "Outbound" - } - }, - { - "name": "bastion-azure-out-allow", - "properties": { - "protocol": "Tcp", - "sourcePortRange": "*", - "sourceAddressPrefix": "*", - "destinationPortRange": "443", - "destinationAddressPrefix": "AzureCloud", - "access": "Allow", - "priority": 120, - "direction": "Outbound" - } - }, - { - "name": "bastion-out-host", - "properties": { - "protocol": "*", - "sourcePortRange": "*", - "destinationPortRanges": [ - "8080", - "5701" - ], - "sourceAddressPrefix": "VirtualNetwork", - "destinationAddressPrefix": "VirtualNetwork", - 
"access": "Allow", - "priority": 130, - "direction": "Outbound" - } - }, - { - "name": "bastion-out-deny", - "properties": { - "protocol": "*", - "sourcePortRange": "*", - "destinationPortRange": "*", - "sourceAddressPrefix": "*", - "destinationAddressPrefix": "*", - "access": "Deny", - "priority": 1000, - "direction": "Outbound" - } - } - ] - } - }, - { - "comments": "Azure Bastion and diagnostic configuration", - "type": "Microsoft.Network/bastionHosts", - "apiVersion": "2020-06-01", - "name": "[parameters('bastionHost').name]", - "location": "[parameters('location')]", - "dependsOn": [ - "[resourceId('Microsoft.Network/virtualNetworks', parameters('mocOnpremNetwork').name)]", - "[resourceId('Microsoft.Network/publicIpAddresses', parameters('bastionHost').publicIPAddressName)]" - ], - "properties": { - "ipConfigurations": [ - { - "name": "IpConf", - "properties": { - "subnet": { - "id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('mocOnpremNetwork').name, parameters('bastionHost').subnetName)]" - }, - "publicIPAddress": { - "id": "[resourceId('Microsoft.Network/publicIpAddresses', parameters('bastionHost').publicIPAddressName)]" - } - } - } - ] - } - }, - { - "comments": "Network interface for Windows VMs (optional)", - "type": "Microsoft.Network/networkInterfaces", - "apiVersion": "2020-05-01", - "name": "[variables('nicNameWindows')]", - "location": "[parameters('location')]", - "dependsOn": [ - "[resourceId('Microsoft.Network/virtualNetworks', parameters('mocOnpremNetwork').name)]" - ], - "properties": { - "ipConfigurations": [ - { - "name": "ipconfig", - "properties": { - "privateIPAllocationMethod": "Dynamic", - "subnet": { - "id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('mocOnpremNetwork').name, parameters('mocOnpremNetwork').subnetName)]" - } - } - } - ] - } - }, - { - "comments": "Windows VMs (optional)", - "type": "Microsoft.Compute/virtualMachines", - "apiVersion": "2019-07-01", - "name": 
"[variables('vmNameWindows')]",
- "location": "[parameters('location')]",
- "dependsOn": [
- "[resourceId('Microsoft.Network/networkInterfaces', variables('nicNameWindows'))]"
- ],
- "properties": {
- "hardwareProfile": {
- "vmSize": "[parameters('vmSize')]"
- },
- "osProfile": {
- "computerName": "[variables('vmNameWindows')]",
- "adminUsername": "[parameters('adminUsername')]",
- "adminPassword": "[parameters('adminPassword')]",
- "windowsConfiguration": {
- "enableAutomaticUpdates": true,
- "patchSettings": {
- "assessmentMode": "AutomaticByPlatform",
- "patchMode": "AutomaticByPlatform"
- }
- }
- },
- "storageProfile": {
- "imageReference": {
- "publisher": "MicrosoftWindowsServer",
- "offer": "WindowsServer",
- "sku": "[variables('windowsOSVersion')]",
- "version": "latest"
- },
- "osDisk": {
- "createOption": "FromImage"
- }
- },
- "networkProfile": {
- "networkInterfaces": [
- {
- "id": "[resourceId('Microsoft.Network/networkInterfaces', variables('nicNameWindows'))]"
- }
- ]
- }
- }
- }
- ],
- "outputs": {
- "vpnIp": {
- "type": "string",
- "value": "[reference(resourceId('Microsoft.Network/virtualNetworkGateways', parameters('mocOnpremGateway').name)).bgpSettings.bgpPeeringAddresses[0].tunnelIpAddresses[0]]"
- },
- "mocOnpremNetworkPrefix": {
- "type": "string",
- "value": "[parameters('mocOnpremNetwork').addressPrefix]"
- },
- "mocOnpremGatewayName": {
- "type": "string",
- "value": "[parameters('mocOnpremGateway').name]"
- }
- }
-}
\ No newline at end of file
diff --git a/solutions/secure-hybrid-network/nestedtemplates/mock-onprem-local-gateway.json b/solutions/secure-hybrid-network/nestedtemplates/mock-onprem-local-gateway.json
deleted file mode 100644
index c7fbfa04..00000000
--- a/solutions/secure-hybrid-network/nestedtemplates/mock-onprem-local-gateway.json
+++ /dev/null
@@ -1,79 +0,0 @@
-{
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "connectionName": {
- "type": "string",
- "defaultValue": "mock-prem-to-hub"
- },
- "azureCloudVnetPrefix": {
- "type": "string"
- },
- "spokeNetworkAddressPrefix": {
- "type": "string"
- },
- "gatewayIpAddress": {
- "type": "string"
- },
- "mocOnpremGatewayName": {
- "type": "string"
- },
- "localNetworkGateway": {
- "type": "string",
- "defaultValue": "local-gateway-moc-prem"
- },
- "sharedKey": {
- "type": "securestring"
- },
- "location": {
- "type": "string"
- }
- },
- "resources": [
- {
- "type": "Microsoft.Network/localNetworkGateways",
- "apiVersion": "2020-05-01",
- "name": "[parameters('localNetworkGateway')]",
- "location": "[parameters('location')]",
- "properties": {
- "localNetworkAddressSpace": {
- "addressPrefixes": [
- "[parameters('azureCloudVnetPrefix')]",
- "[parameters('spokeNetworkAddressPrefix')]"
- ]
- },
- "gatewayIpAddress": "[parameters('gatewayIpAddress')]",
- "bgpSettings": {
- "asn": 40000,
- "bgpPeeringAddress": "[parameters('gatewayIpAddress')]"
- }
- }
- },
- {
- "type": "Microsoft.Network/connections",
- "apiVersion": "2020-05-01",
- "name": "[parameters('connectionName')]",
- "location": "[parameters('location')]",
- "dependsOn": [
- "[resourceId('Microsoft.Network/localNetworkGateways', parameters('localNetworkGateway'))]"
- ],
- "properties": {
- "virtualNetworkGateway1": {
- "id": "[resourceId('Microsoft.Network/virtualNetworkGateways', parameters('mocOnpremGatewayName'))]"
- },
- "localNetworkGateway2": {
- "id": "[resourceId('Microsoft.Network/localNetworkGateways', parameters('localNetworkGateway'))]"
- },
- "connectionType": "IPsec",
- "connectionProtocol": "IKEv2",
- "routingWeight": 100,
- "sharedKey": "[parameters('sharedKey')]",
- "enableBgp": false,
- "useLocalAzureIpAddress": false,
- "usePolicyBasedTrafficSelectors": false,
- "expressRouteGatewayBypass": false,
- "dpdTimeoutSeconds": 0
- }
- }
- ]
-}
\ No newline at end of file