New Mini-Orchestration Module - hubPeeredSpoke (#223)
* hubPeeredSpoke

* SecondCommit

* ThirdCommit

Co-authored-by: Jack Tracey <[email protected]>
KiZach and jtracey93 authored May 10, 2022
1 parent 2c0ea75 commit 257e591
Showing 7 changed files with 513 additions and 20 deletions.
41 changes: 21 additions & 20 deletions docs/wiki/CustomerUsage.md
@@ -27,23 +27,24 @@ module modCustomerUsageAttribution '../../CRML/customerUsageAttribution/cuaIdTen
## Module PID Value Mapping
The following are the unique ID's (also known as PIDs) used in each of the modules.

| Module Name | PID |
| --------------------------- | ------------------------------------ |
| customRoleDefinitions | 032d0904-3d50-45ef-a6c1-baa9d82e23ff |
| getManagementGroupName | cff0ca56-5d8c-4594-bf79-5c046809b017 |
| hubNetworking | 2686e846-5fdc-4d4f-b533-16dcb09d6e6c |
| logging | f8087c67-cc41-46b2-994d-66e4b661860d |
| managementGroups | 9b7965a0-d77c-41d6-85ef-ec3dfea4845b |
| policy-definitions | 2b136786-9881-412e-84ba-f4c2822e1ac9 |
| policy-assignments | 78001e36-9738-429c-a343-45cc84e8a527 |
| alzDefaultPolicyAssignments | 98cef979-5a6b-403b-83c7-10c8f04ac9a2 |
| publicIp | 3f85b84c-6bad-4c42-86bf-11c233241c22 |
| resourceGroup | b6718c54-b49e-4748-a466-88e3d7c789c8 |
| roleAssignments | 59c2ac61-cd36-413b-b999-86a3e0d958fb |
| spokeNetworking | 0c428583-f2a1-4448-975c-2d6262fd193a |
| subscriptionPlacement | 3dfa9e81-f0cf-4b25-858e-167937fd380b |
| virtualNetworkPeer | ab8e3b12-b0fa-40aa-8630-e3f7699e2142 |
| vwanConnectivity | 7f94f23b-7a59-4a5c-9a8d-2a253a566f61 |
| vnetPeeringVwan | 7b5e6db2-1e8c-4b01-8eee-e1830073a63d |
| privateDnsZones | 981733dd-3195-4fda-a4ee-605ab959edb6 |
| hubSpoke - Orchestration | 50ad3b1a-f72c-4de4-8293-8a6399991beb |
| Module Name | PID |
| ------------------------------ | ------------------------------------ |
| customRoleDefinitions | 032d0904-3d50-45ef-a6c1-baa9d82e23ff |
| getManagementGroupName | cff0ca56-5d8c-4594-bf79-5c046809b017 |
| hubNetworking | 2686e846-5fdc-4d4f-b533-16dcb09d6e6c |
| logging | f8087c67-cc41-46b2-994d-66e4b661860d |
| managementGroups | 9b7965a0-d77c-41d6-85ef-ec3dfea4845b |
| policy-definitions | 2b136786-9881-412e-84ba-f4c2822e1ac9 |
| policy-assignments | 78001e36-9738-429c-a343-45cc84e8a527 |
| alzDefaultPolicyAssignments | 98cef979-5a6b-403b-83c7-10c8f04ac9a2 |
| publicIp | 3f85b84c-6bad-4c42-86bf-11c233241c22 |
| resourceGroup | b6718c54-b49e-4748-a466-88e3d7c789c8 |
| roleAssignments | 59c2ac61-cd36-413b-b999-86a3e0d958fb |
| spokeNetworking | 0c428583-f2a1-4448-975c-2d6262fd193a |
| subscriptionPlacement | 3dfa9e81-f0cf-4b25-858e-167937fd380b |
| virtualNetworkPeer | ab8e3b12-b0fa-40aa-8630-e3f7699e2142 |
| vwanConnectivity | 7f94f23b-7a59-4a5c-9a8d-2a253a566f61 |
| vnetPeeringVwan | 7b5e6db2-1e8c-4b01-8eee-e1830073a63d |
| privateDnsZones | 981733dd-3195-4fda-a4ee-605ab959edb6 |
| hubSpoke - Orchestration | 50ad3b1a-f72c-4de4-8293-8a6399991beb |
| hubPeeredSpoke - Orchestration | 8ea6f19a-d698-4c00-9afb-5c92d4766fd2 |
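Review bot: the added `hubPeeredSpoke - Orchestration` row records PID `8ea6f19a-d698-4c00-9afb-5c92d4766fd2`, but the hubPeeredSpoke.bicep that should pass this same GUID to the customerUsageAttribution module is not among the files shown; please confirm the two values agree, since a mismatch means deployments of the new module are silently not attributed. The hunk also re-pads every existing row to widen the first column, so the whole table shows as changed; that is cosmetic, but keeping the padding ragged would have made this a one-line diff.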
127 changes: 127 additions & 0 deletions infra-as-code/bicep/orchestration/hubPeeredSpoke/README.md
@@ -0,0 +1,127 @@
# Module: Orchestration - hubPeeredSpoke - Spoke network, including peering to Hub (Hub & Spoke or Virtual WAN)

This module acts as an orchestration module that create and configures a spoke network to deliver the Azure Landing Zone Hub & Spoke architecture, for both traditional Hub & Spoke and Virtual WAN, which is also described in the wiki on the [Deployment Flow article](https://github.com/Azure/ALZ-Bicep/wiki/DeploymentFlow).

Module deploys the following resources:

- Subscription placement in Management Group hierarchy - if parPeeredVnetSubscriptionMGPlacement is specified
- Virtual Network (Spoke VNet)
- UDR - if parNextHopIPAddress and resource id of hub virtual network object is specified
- Hub to Spoke peering - if resource id of hub virtual network object is specified in parHubVirtualNetworkID
- Spoke to hub peering - if resource id of hub virtual network object is specified in parHubVirtualNetworkID
- Spoke to virtual WAN peering - if resource id of virtual WAN hub object is specified in parHubVirtualNetworkID

Note that only one peering type can be created with this module, so either traditional Hub & Spoke OR Azure virtual WAN.

## Parameters

The module requires the following inputs:

| Parameter | Type | Default | Description | Requirement | Example |
| -------------------------------------- | ------ | --------------------------------------------------------------- | ---------------------------------------------------------------------- | ------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------- |
| parLocation | string | `deployment().location` | The region to deploy all resoruces into | Valid Azure Region | `northeurope` |
| parTopLevelManagementGroupPrefix | string | `'alz'` | Prefix for the management group hierarchy | None | `alz` |
| parPeeredVnetSubscriptionId | string | Empty string `''` | Subscription Id to the Virtual Network Hub object | None | `xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx` |
| parTags | object | Empty object `{}` | Array of Tags to be applied to all resources in module | None | `{"key": "value"}` |
| parTelemetryOptOut | bool | false | Set Parameter to true to Opt-out of deployment telemetry | None | false |
| parPeeredVnetSubscriptionMGPlacement | string | Empty string `''` | The location (MG hierarchy) to place the subscription in | None | `'alz-platform-landingZonesCorp'` |
| parResourceGroupNameForSpokeNetworking | string | `$parTopLevelManagementGroupPrefix-$parRegion-spoke-networking` | Name of Resource Group to be created to contain resources | None | `Hub_Networking_POC` |
| parDdosProtectionPlanId | string | Empty string `''` | Existing DDoS Protection plan to utilize | None | `/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/Hub_Networking_POC/providers/Microsoft.Network/ddosProtectionPlans/alz-Ddos-Plan` |
| parSpokeNetworkName | string | `vnet-spoke` | The Name of the Spoke Virtual Network. | None | `vnet-spoke` |
| parSpokeNetworkAddressPrefix | string | `10.11.0.0/16` | CIDR for Spoke Network | None | `10.11.0.0/16` |
| parDNSServerIPArray | array | Empty array `[]` | Array IP DNS Servers to use for VNet DNS Resolution | None | `['10.10.1.4', '10.20.1.5']` |
| parNextHopIPAddress | string | Empty string `''` | IP Address where network traffic should route to | None | `192.168.50.4` |
| parBGPRoutePrapogation | bool | false | Switch to enable BGP Route Propagation on VNet Route Table | None | false |
| parSpokeToHubRouteTableName | string | 'rtb-spoke-to-hub' | Name of Route table to create for the default route of Hub | None | `rtb-spoke-to-hub` |
| parHubVirtualNetworkID | string | Empty string `''` | Virtual Network ID of Hub Virtual Network, or Azure Virtuel WAN hub ID | None | `/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/Hub_Networking_POC/providers/Microsoft.Network/virtualNetworks/alz-vnet-hub-northeurope`
| parAllowSpokeForwardedTraffic | bool | false | Switch to enable/disable forwarded Traffic from outside spoke network | None | false |
| parAllowHubVPNGatewayTransit | bool | false | Switch to enable/disable VPN Gateway for the hub network peering | None | false |

## Outputs

The module will generate the following outputs:

| Output | Type | Example |
| --------------------------- | ------ | --------------------------------------------------------------------------------------------------------------------------------------------------- |
| outSpokeVirtualNetworkName | string | `vnet-spoke` |
| outSpokeVirtualNetworkid | string | `/subscriptions/xxxxxxxx-xxxx-xxxx-xxxxx-xxxxxxxxx/resourceGroups/Hub_Networking_POC/providers/Microsoft.Network/virtualNetworks/vnet-spoke` |

## Deployment

This module is intended to be called from other modules as a reusable resource, but an example on how to deploy has been added below for completeness.

In this example, the spoke resources will be deployed to the resource group specified. According to the Azure Landing Zone Conceptual Architecture, the spoke resources should be deployed into the Landing Zones subscriptions. During the deployment step, we will take the parameters provided in the example parameter files.

> For the examples below we assume you have downloaded or cloned the Git repo as-is and are in the root of the repository as your selected directory in your terminal of choice.
### Azure CLI
```bash
# For Azure global regions
# Set Azure Corp Landing zone subscription ID as the the current subscription
$LandingZoneSubscriptionId="[your landing zone subscription ID]"
$Location="[your landing zone subscription ID]"
$TopLevelManagemetGroupID="alz"
az account set --subscription $LandingZoneSubscriptionId

az deployment mg create \
--location $Location --management-group-id $TopLevelManagemetGroupID \
--template-file .\infra-as-code\bicep\orchestration\hubPeeredSpoke\hubPeeredSpoke.bicep \
--parameters @infra-as-code\bicep\orchestration\hubPeeredSpoke\hubPeeredSpoke.parameters.example.json
```
OR
```bash
# For Azure China regions
# Set Azure Corp Landing zone subscription ID as the the current subscription
$LandingZoneSubscriptionId="[your landing zone subscription ID]"
$Location="[your landing zone subscription ID]"
$TopLevelManagemetGroupID="alz"
az account set --subscription $LandingZoneSubscriptionId

az deployment mg create \
--location $Location --management-group-id $TopLevelManagemetGroupID \
--template-file .\infra-as-code\bicep\orchestration\hubPeeredSpoke\hubPeeredSpoke.bicep \
--parameters @infra-as-code\bicep\orchestration\hubPeeredSpoke\hubPeeredSpoke.parameters.example.json
```

### PowerShell

```powershell
# For Azure global regions
# Set Azure Corp Landing zone subscription ID as the the current subscription
$LandingZoneSubscriptionId="[your landing zone subscription ID]"
$Location="[your landing zone subscription ID]"
$TopLevelManagemetGroupID="alz"
Select-AzSubscription -SubscriptionId $LandingZoneSubscriptionId
New-AzManagementGroupDeployment `
-Location $Location -ManagementGroupId $TopLevelManagemetGroupID `
-TemplateFile infra-as-code\bicep\orchestration\hubPeeredSpoke\hubPeeredSpoke.bicep `
-TemplateParameterFile infra-as-code\bicep\orchestration\hubPeeredSpoke\hubPeeredSpoke.parameters.example.json `
```
OR
```powershell
# For Azure China regions
# Set Platform connectivity subscription ID as the the current subscription
$LandingZoneSubscriptionId="[your landing zone subscription ID]"
$Location="[your landing zone subscription ID]"
$TopLevelManagemetGroupID="alz"
Select-AzSubscription -SubscriptionId $LandingZoneSubscriptionId
New-AzManagementGroupDeployment `
-Location $Location -ManagementGroupId $TopLevelManagemetGroupID `
-TemplateFile infra-as-code\bicep\orchestration\hubPeeredSpoke\hubPeeredSpoke.bicep `
-TemplateParameterFile infra-as-code\bicep\orchestration\hubPeeredSpoke\hubPeeredSpoke.parameters.example.json `
```

## Bicep Visualizer

![Bicep Visualizer](media/bicepVisualizer.png "Bicep Visualizer")






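Review bot: in all four deployment snippets `$Location` is assigned the placeholder `"[your landing zone subscription ID]"`, a copy-paste of the line above; it needs a region placeholder (for example `"[your landing zone region]"`), otherwise a reader who follows the example passes a subscription id as `--location` / `-Location`. The two `bash` blocks also assign variables PowerShell-style (`$LandingZoneSubscriptionId="..."`), which bash rejects; drop the leading `$` on assignment and use forward slashes in the `--template-file` and `--parameters` paths, since `.\infra-as-code\...` will not resolve for `az` on Linux or macOS. The "Azure China regions" blocks are identical to the global ones, so either add whatever differs for the China cloud or remove the duplicates. Both PowerShell blocks end with a trailing backtick on the `-TemplateParameterFile` line, leaving an open line continuation. In the parameter table, `parPeeredVnetSubscriptionId` is described as "Subscription Id to the Virtual Network Hub object" although it is the subscription the spoke resources are placed in; the `parHubVirtualNetworkID` row is missing its closing `|`; and `resoruces`, `Virtuel`, `create and configures` and the name `parBGPRoutePrapogation` want fixing, with that last one checked against hubPeeredSpoke.bicep first, because a README that names a parameter differently from the template is worse than a typo.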
64 changes: 64 additions & 0 deletions infra-as-code/bicep/orchestration/hubPeeredSpoke/bicepconfig.json
@@ -0,0 +1,64 @@
{
"analyzers": {
"core": {
"enabled": true,
"verbose": true,
"rules": {
"adminusername-should-not-be-literal": {
"level": "error"
},
"no-hardcoded-env-urls": {
"level": "error"
},
"no-unnecessary-dependson": {
"level": "error"
},
"no-unused-params": {
"level": "error"
},
"no-unused-vars": {
"level": "error"
},
"outputs-should-not-contain-secrets": {
"level": "error"
},
"prefer-interpolation": {
"level": "error"
},
"secure-parameter-default": {
"level": "error"
},
"simplify-interpolation": {
"level": "error"
},
"protect-commandtoexecute-secrets": {
"level": "error"
},
"use-stable-vm-image": {
"level": "error"
},
"explicit-values-for-loc-params": {
"level": "error"
},
"no-hardcoded-location": {
"level": "error"
},
"no-loc-expr-outside-params": {
"level": "error"
},
"max-outputs": {
"level": "error"
},
"max-params": {
"level": "error"
},
"max-resources": {
"level": "error"
},
"max-variables": {
"level": "error"
}
}
}
}
}
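Review bot: every rule is set to `error`, which is the right posture for a module meant to be secure by default (`secure-parameter-default`, `outputs-should-not-contain-secrets` and `protect-commandtoexecute-secrets` are the ones that stop secrets landing in parameter defaults, outputs and extension settings), but Bicep resolves bicepconfig.json per directory, so this copy governs only `orchestration/hubPeeredSpoke`; if it duplicates the file in the sibling module folders, please say so in the PR or point to a single shared config, because per-folder copies drift silently and a relaxed rule in one folder is easy to miss in review.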