New Mini-Orchestration Module - hubPeeredSpoke (#223)

* hubPeeredSpoke * SecondCommit * ThirdCommit Co-authored-by: Jack Tracey <[email protected]>
Azure · May 10, 2022 · 257e591 · 257e591
1 parent 2c0ea75
commit 257e591
Showing 7 changed files with 513 additions and 20 deletions.
diff --git a/docs/wiki/CustomerUsage.md b/docs/wiki/CustomerUsage.md
@@ -27,23 +27,24 @@ module modCustomerUsageAttribution '../../CRML/customerUsageAttribution/cuaIdTen
 ## Module PID Value Mapping
 The following are the unique ID's (also known as PIDs) used in each of the modules.
 
-| Module Name                 | PID                                  |
-| --------------------------- | ------------------------------------ |
-| customRoleDefinitions       | 032d0904-3d50-45ef-a6c1-baa9d82e23ff |
-| getManagementGroupName      | cff0ca56-5d8c-4594-bf79-5c046809b017 |
-| hubNetworking               | 2686e846-5fdc-4d4f-b533-16dcb09d6e6c |
-| logging                     | f8087c67-cc41-46b2-994d-66e4b661860d |
-| managementGroups            | 9b7965a0-d77c-41d6-85ef-ec3dfea4845b |
-| policy-definitions          | 2b136786-9881-412e-84ba-f4c2822e1ac9 |
-| policy-assignments          | 78001e36-9738-429c-a343-45cc84e8a527 |
-| alzDefaultPolicyAssignments | 98cef979-5a6b-403b-83c7-10c8f04ac9a2 |
-| publicIp                    | 3f85b84c-6bad-4c42-86bf-11c233241c22 |
-| resourceGroup               | b6718c54-b49e-4748-a466-88e3d7c789c8 |
-| roleAssignments             | 59c2ac61-cd36-413b-b999-86a3e0d958fb |
-| spokeNetworking             | 0c428583-f2a1-4448-975c-2d6262fd193a |
-| subscriptionPlacement       | 3dfa9e81-f0cf-4b25-858e-167937fd380b |
-| virtualNetworkPeer          | ab8e3b12-b0fa-40aa-8630-e3f7699e2142 |
-| vwanConnectivity            | 7f94f23b-7a59-4a5c-9a8d-2a253a566f61 |
-| vnetPeeringVwan             | 7b5e6db2-1e8c-4b01-8eee-e1830073a63d |
-| privateDnsZones             | 981733dd-3195-4fda-a4ee-605ab959edb6 |
-| hubSpoke - Orchestration    | 50ad3b1a-f72c-4de4-8293-8a6399991beb |
+| Module Name                    | PID                                  |
+| ------------------------------ | ------------------------------------ |
+| customRoleDefinitions          | 032d0904-3d50-45ef-a6c1-baa9d82e23ff |
+| getManagementGroupName         | cff0ca56-5d8c-4594-bf79-5c046809b017 |
+| hubNetworking                  | 2686e846-5fdc-4d4f-b533-16dcb09d6e6c |
+| logging                        | f8087c67-cc41-46b2-994d-66e4b661860d |
+| managementGroups               | 9b7965a0-d77c-41d6-85ef-ec3dfea4845b |
+| policy-definitions             | 2b136786-9881-412e-84ba-f4c2822e1ac9 |
+| policy-assignments             | 78001e36-9738-429c-a343-45cc84e8a527 |
+| alzDefaultPolicyAssignments    | 98cef979-5a6b-403b-83c7-10c8f04ac9a2 |
+| publicIp                       | 3f85b84c-6bad-4c42-86bf-11c233241c22 |
+| resourceGroup                  | b6718c54-b49e-4748-a466-88e3d7c789c8 |
+| roleAssignments                | 59c2ac61-cd36-413b-b999-86a3e0d958fb |
+| spokeNetworking                | 0c428583-f2a1-4448-975c-2d6262fd193a |
+| subscriptionPlacement          | 3dfa9e81-f0cf-4b25-858e-167937fd380b |
+| virtualNetworkPeer             | ab8e3b12-b0fa-40aa-8630-e3f7699e2142 |
+| vwanConnectivity               | 7f94f23b-7a59-4a5c-9a8d-2a253a566f61 |
+| vnetPeeringVwan                | 7b5e6db2-1e8c-4b01-8eee-e1830073a63d |
+| privateDnsZones                | 981733dd-3195-4fda-a4ee-605ab959edb6 |
+| hubSpoke - Orchestration       | 50ad3b1a-f72c-4de4-8293-8a6399991beb |
+| hubPeeredSpoke - Orchestration | 8ea6f19a-d698-4c00-9afb-5c92d4766fd2 |
diff --git a/infra-as-code/bicep/orchestration/hubPeeredSpoke/README.md b/infra-as-code/bicep/orchestration/hubPeeredSpoke/README.md
@@ -0,0 +1,127 @@
+# Module: Orchestration - hubPeeredSpoke - Spoke network, including peering to Hub (Hub & Spoke or Virtual WAN)
+
+This module acts as an orchestration module that create and configures a spoke network to deliver the Azure Landing Zone Hub & Spoke architecture, for both traditional Hub & Spoke and Virtual WAN, which is also described in the wiki on the [Deployment Flow article](https://github.com/Azure/ALZ-Bicep/wiki/DeploymentFlow).
+
+Module deploys the following resources:
+
+- Subscription placement in Management Group hierarchy - if parPeeredVnetSubscriptionMGPlacement is specified
+- Virtual Network (Spoke VNet)
+- UDR - if parNextHopIPAddress and resource id of hub virtual network object is specified
+- Hub to Spoke peering - if resource id of hub virtual network object is specified in parHubVirtualNetworkID
+- Spoke to hub peering - if resource id of hub virtual network object is specified in parHubVirtualNetworkID
+- Spoke to virtual WAN peering - if resource id of virtual WAN hub object is specified in parHubVirtualNetworkID
+
+Note that only one peering type can be created with this module, so either traditional Hub & Spoke OR Azure virtual WAN.
+
+## Parameters
+
+The module requires the following inputs:
+
+ | Parameter                              | Type   | Default                                                         | Description                                                            | Requirement        | Example                                                                                                                                                    |
+ | -------------------------------------- | ------ | --------------------------------------------------------------- | ---------------------------------------------------------------------- | ------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------- |
+ | parLocation                            | string | `deployment().location`                                       | The region to deploy all resoruces into                                | Valid Azure Region | `northeurope`                                                                                                                                              |
+ | parTopLevelManagementGroupPrefix       | string | `'alz'`                                                         | Prefix for the management group hierarchy                              | None               | `alz`                                                                                                                                                      |
+ | parPeeredVnetSubscriptionId            | string | Empty string `''`                                               | Subscription Id to the Virtual Network Hub object                      | None               | `xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx`                                                                                                                     |
+ | parTags                                | object | Empty object `{}`                                               | Array of Tags to be applied to all resources in module                 | None               | `{"key": "value"}`                                                                                                                                         |
+ | parTelemetryOptOut                     | bool   | false                                                           | Set Parameter to true to Opt-out of deployment telemetry               | None               | false                                                                                                                                                      |
+ | parPeeredVnetSubscriptionMGPlacement   | string | Empty string `''`                                               | The location (MG hierarchy) to place the subscription in               | None               | `'alz-platform-landingZonesCorp'`                                                              |
+ | parResourceGroupNameForSpokeNetworking | string | `$parTopLevelManagementGroupPrefix-$parRegion-spoke-networking` | Name of Resource Group to be created to contain resources              | None               | `Hub_Networking_POC`                                                                                                                                       |
+ | parDdosProtectionPlanId                | string | Empty string `''`                                               | Existing DDoS Protection plan to utilize                               | None               | `/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/Hub_Networking_POC/providers/Microsoft.Network/ddosProtectionPlans/alz-Ddos-Plan`      |
+ | parSpokeNetworkName                    | string | `vnet-spoke`                                                    | The Name of the Spoke Virtual Network.                                 | None               | `vnet-spoke`                                                                                                                                               |
+ | parSpokeNetworkAddressPrefix           | string | `10.11.0.0/16`                                                  | CIDR for Spoke Network                                                 | None               | `10.11.0.0/16`                                                                                                                                             |
+ | parDNSServerIPArray                    | array  | Empty array `[]`                                                | Array IP DNS Servers to use for VNet DNS Resolution                    | None               | `['10.10.1.4', '10.20.1.5']`                                                                                                                               |
+ | parNextHopIPAddress                    | string | Empty string `''`                                               | IP Address where network traffic should route to                       | None               | `192.168.50.4`                                                                                                                                             |
+ | parBGPRoutePrapogation                 | bool   | false                                                           | Switch to enable BGP Route Propagation on VNet Route Table             | None               | false                                                                                                                                                      |
+ | parSpokeToHubRouteTableName            | string | 'rtb-spoke-to-hub'                                              | Name of Route table to create for the default route of Hub             | None               | `rtb-spoke-to-hub`                                                                                                                                         |
+ | parHubVirtualNetworkID                 | string | Empty string `''`                                               | Virtual Network ID of Hub Virtual Network, or Azure Virtuel WAN hub ID | None               | `/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/Hub_Networking_POC/providers/Microsoft.Network/virtualNetworks/alz-vnet-hub-northeurope`  
+ | parAllowSpokeForwardedTraffic          | bool   | false                                                           | Switch to enable/disable forwarded Traffic from outside spoke network  | None               | false                                                                                                                                                      |
+ | parAllowHubVPNGatewayTransit           | bool   | false                                                           | Switch to enable/disable VPN Gateway for the hub network peering       | None               | false                                                                                                                                                      |
+
+## Outputs
+
+The module will generate the following outputs:
+
+| Output                      | Type   | Example                                                                                                                                             |
+| --------------------------- | ------ | --------------------------------------------------------------------------------------------------------------------------------------------------- |
+| outSpokeVirtualNetworkName  | string | `vnet-spoke`                                                                                                                                        |
+| outSpokeVirtualNetworkid    | string | `/subscriptions/xxxxxxxx-xxxx-xxxx-xxxxx-xxxxxxxxx/resourceGroups/Hub_Networking_POC/providers/Microsoft.Network/virtualNetworks/vnet-spoke`        |
+
+## Deployment
+
+This module is intended to be called from other modules as a reusable resource, but an example on how to deploy has been added below for completeness.
+
+In this example, the spoke resources will be deployed to the resource group specified. According to the Azure Landing Zone Conceptual Architecture, the spoke resources should be deployed into the Landing Zones subscriptions. During the deployment step, we will take the parameters provided in the example parameter files.
+
+> For the examples below we assume you have downloaded or cloned the Git repo as-is and are in the root of the repository as your selected directory in your terminal of choice.
+
+### Azure CLI
+```bash
+# For Azure global regions
+# Set Azure Corp Landing zone subscription ID as the the current subscription 
+$LandingZoneSubscriptionId="[your landing zone subscription ID]"
+$Location="[your landing zone subscription ID]"
+$TopLevelManagemetGroupID="alz"
+az account set --subscription $LandingZoneSubscriptionId
+
+az deployment mg create \
+    --location $Location --management-group-id $TopLevelManagemetGroupID \
+    --template-file .\infra-as-code\bicep\orchestration\hubPeeredSpoke\hubPeeredSpoke.bicep \
+    --parameters @infra-as-code\bicep\orchestration\hubPeeredSpoke\hubPeeredSpoke.parameters.example.json
+```
+OR
+```bash
+# For Azure China regions
+# Set Azure Corp Landing zone subscription ID as the the current subscription
+$LandingZoneSubscriptionId="[your landing zone subscription ID]"
+$Location="[your landing zone subscription ID]"
+$TopLevelManagemetGroupID="alz"
+az account set --subscription $LandingZoneSubscriptionId
+
+az deployment mg create \
+    --location $Location --management-group-id $TopLevelManagemetGroupID \
+    --template-file .\infra-as-code\bicep\orchestration\hubPeeredSpoke\hubPeeredSpoke.bicep \
+    --parameters @infra-as-code\bicep\orchestration\hubPeeredSpoke\hubPeeredSpoke.parameters.example.json
+```
+
+### PowerShell
+
+```powershell
+# For Azure global regions
+# Set Azure Corp Landing zone subscription ID as the the current subscription 
+$LandingZoneSubscriptionId="[your landing zone subscription ID]"
+$Location="[your landing zone subscription ID]"
+$TopLevelManagemetGroupID="alz"
+
+Select-AzSubscription -SubscriptionId $LandingZoneSubscriptionId
+  
+New-AzManagementGroupDeployment `
+  -Location $Location -ManagementGroupId $TopLevelManagemetGroupID `
+  -TemplateFile infra-as-code\bicep\orchestration\hubPeeredSpoke\hubPeeredSpoke.bicep `
+  -TemplateParameterFile infra-as-code\bicep\orchestration\hubPeeredSpoke\hubPeeredSpoke.parameters.example.json `
+```
+OR
+```powershell
+# For Azure China regions
+# Set Platform connectivity subscription ID as the the current subscription 
+$LandingZoneSubscriptionId="[your landing zone subscription ID]"
+$Location="[your landing zone subscription ID]"
+$TopLevelManagemetGroupID="alz"
+
+Select-AzSubscription -SubscriptionId $LandingZoneSubscriptionId
+  
+New-AzManagementGroupDeployment `
+  -Location $Location -ManagementGroupId $TopLevelManagemetGroupID `
+  -TemplateFile infra-as-code\bicep\orchestration\hubPeeredSpoke\hubPeeredSpoke.bicep `
+  -TemplateParameterFile infra-as-code\bicep\orchestration\hubPeeredSpoke\hubPeeredSpoke.parameters.example.json `
+
+```
+
+## Bicep Visualizer
+
+![Bicep Visualizer](media/bicepVisualizer.png "Bicep Visualizer")
+
+
+
+
+
+
diff --git a/infra-as-code/bicep/orchestration/hubPeeredSpoke/bicepconfig.json b/infra-as-code/bicep/orchestration/hubPeeredSpoke/bicepconfig.json
@@ -0,0 +1,64 @@
+{
+  "analyzers": {
+    "core": {
+      "enabled": true,
+      "verbose": true,
+      "rules": {
+        "adminusername-should-not-be-literal": {
+          "level": "error"
+        },
+        "no-hardcoded-env-urls": {
+          "level": "error"
+        },
+        "no-unnecessary-dependson": {
+          "level": "error"
+        },
+        "no-unused-params": {
+          "level": "error"
+        },
+        "no-unused-vars": {
+          "level": "error"
+        },
+        "outputs-should-not-contain-secrets": {
+          "level": "error"
+        },
+        "prefer-interpolation": {
+          "level": "error"
+        },
+        "secure-parameter-default": {
+          "level": "error"
+        },
+        "simplify-interpolation": {
+          "level": "error"
+        },
+        "protect-commandtoexecute-secrets": {
+          "level": "error"
+        },
+        "use-stable-vm-image": {
+          "level": "error"
+        },
+        "explicit-values-for-loc-params": {
+          "level": "error"
+        },
+        "no-hardcoded-location": {
+          "level": "error"
+        },
+        "no-loc-expr-outside-params": {
+          "level": "error"
+        },
+        "max-outputs": {
+          "level": "error"
+        },
+        "max-params": {
+          "level": "error"
+        },
+        "max-resources": {
+          "level": "error"
+        },
+        "max-variables": {
+          "level": "error"
+        }
+      }
+    }
+  }
+}
diff --git a/infra-as-code/bicep/orchestration/hubPeeredSpoke/hubPeeredSpoke.bicep b/infra-as-code/bicep/orchestration/hubPeeredSpoke/hubPeeredSpoke.bicep
@@ -0,0 +1,189 @@
+targetScope = 'managementGroup'
+
+// **Parameters**
+// Generic Parameters - Used in multiple modules
+@description('The region to deploy all resoruces into. DEFAULTS TO deployment().location')
+param parLocation string = deployment().location
+
+@description('Prefix for the management group hierarchy. DEFAULTS TO = alz')
+@minLength(2)
+@maxLength(10)
+param parTopLevelManagementGroupPrefix string = 'alz'
+
+@description('Subscription Id to the Virtual Network Hub object. DEFAULTS TO empty')
+param parPeeredVnetSubscriptionId string = ''
+
+@description('Array of Tags to be applied to all resources in module. Default: empty array')
+param parTags object = {}
+
+@description('Set Parameter to true to Opt-out of deployment telemetry DEFAULTS TO = false')
+param parTelemetryOptOut bool = true
+
+// Subscription Module Parameters
+@description('The Management Group Id to place the subscription in. DEFAULTS TO empty')
+param parPeeredVnetSubscriptionMgPlacement string = ''
+
+// Resource Group Module Parameters
+@description('Name of Resource Group to be created to contain spoke networking resources like the virtual network.  Default: {parTopLevelManagementGroupPrefix}-{parLocation}-spoke-networking')
+param parResourceGroupNameForSpokeNetworking string = '${parTopLevelManagementGroupPrefix}-${parLocation}-spoke-networking'
+
+// Spoke Networking Module Parameters
+@description('Existing DDoS Protection plan to utilize. Default: Empty string')
+param parDdosProtectionPlanId string = ''
+
+@description('The Name of the Spoke Virtual Network. Default: vnet-spoke')
+param parSpokeNetworkName string = 'vnet-spoke'
+
+@description('CIDR for Spoke Network. Default: 10.11.0.0/16')
+param parSpokeNetworkAddressPrefix string = '10.11.0.0/16'
+
+@description('Array of DNS Server IP addresses for VNet. Default: Empty Array')
+param parDnsServerIpArray  array = []
+
+@description('IP Address where network traffic should route to. Default: Empty string')
+param parNextHopIpAddress string = ''
+
+@description('Switch which allows BGP Route Propogation to be disabled on the route table')
+param parBgpRoutePropagation bool = false
+
+@description('Name of Route table to create for the default route of Hub. Default: rtb-spoke-to-hub')
+param parSpoketoHubRouteTableName string = 'rtb-spoke-to-hub'
+
+// Peering Modules Parameters
+@description('Virtual Network ID of Hub Virtual Network, or Azure Virtuel WAN hub ID. No default')
+param parHubVirtualNetworkId string
+
+@description('Switch to enable/disable forwarded Traffic from outside spoke network. Default = false')
+param parAllowSpokeForwardedTraffic bool = false
+
+@description('Switch to enable/disable VPN Gateway for the hub network peering. Default = false')
+param parAllowHubVpnGatewayTransit bool = false
+
+// **Variables**
+// Customer Usage Attribution Id
+var varCuaid = '8ea6f19a-d698-4c00-9afb-5c92d4766fd2'
+
+// Orchestration Module Variables
+var varDeploymentNameWrappers = {
+  basePrefix: 'ALZBicep'
+  baseSuffixManagementGroup: '${parLocation}-${uniqueString(parLocation, parTopLevelManagementGroupPrefix)}-mg'
+  baseSuffixSubscription: '${parLocation}-${uniqueString(parLocation, parTopLevelManagementGroupPrefix)}-sub'
+  baseSuffixResourceGroup: '${parLocation}-${uniqueString(parLocation, parTopLevelManagementGroupPrefix)}-rg'
+}
+
+var varModuleDeploymentNames = {
+  modSubscriptionPlacement: take('${varDeploymentNameWrappers.basePrefix}-modSubscriptionPlacement-${parPeeredVnetSubscriptionMgPlacement}-${varDeploymentNameWrappers.baseSuffixManagementGroup}', 64)
+  modResourceGroup: take('${varDeploymentNameWrappers.basePrefix}-modResourceGroup-${varDeploymentNameWrappers.baseSuffixSubscription}', 64)
+  modSpokeNetworking: take('${varDeploymentNameWrappers.basePrefix}-modSpokeNetworking-${varDeploymentNameWrappers.baseSuffixResourceGroup}', 61)
+  modSpokePeeringToHub: take('${varDeploymentNameWrappers.basePrefix}-modVnetPeering-ToHub-${varDeploymentNameWrappers.baseSuffixResourceGroup}', 61)
+  modSpokePeeringFromHub: take('${varDeploymentNameWrappers.basePrefix}-modVnetPeering-FromHub-${varDeploymentNameWrappers.baseSuffixResourceGroup}', 61)
+  modVnetPeeringVwan: take('${varDeploymentNameWrappers.basePrefix}-modVnetPeeringVwan-${varDeploymentNameWrappers.baseSuffixResourceGroup}', 61)
+}
+
+var varHubVirtualNetworkName = (!empty(parHubVirtualNetworkId) && contains(parHubVirtualNetworkId, '/providers/Microsoft.Network/virtualNetworks/') ? split(parHubVirtualNetworkId, '/')[8] : '' )
+
+var varHubVirtualNetworkResourceGroup = (!empty(parHubVirtualNetworkId) && contains(parHubVirtualNetworkId, '/providers/Microsoft.Network/virtualNetworks/') ? split(parHubVirtualNetworkId, '/')[4] : '' )
+
+var varHubVirtualNetworkSubscriptionId = (!empty(parHubVirtualNetworkId) && contains(parHubVirtualNetworkId, '/providers/Microsoft.Network/virtualNetworks/') ? split(parHubVirtualNetworkId, '/')[2] : '' )
+
+var varNextHopIPAddress = (!empty(parHubVirtualNetworkId) && contains(parHubVirtualNetworkId, '/providers/Microsoft.Network/virtualNetworks/') ? parNextHopIpAddress : '' )
+
+var varVirtualHubResourceId = (!empty(parHubVirtualNetworkId) && contains(parHubVirtualNetworkId, '/providers/Microsoft.Network/virtualHubs/') ? parHubVirtualNetworkId : '' )
+
+var varVirtualHubResourceGroup = (!empty(parHubVirtualNetworkId) && contains(parHubVirtualNetworkId, '/providers/Microsoft.Network/virtualHubs/') ? split(parHubVirtualNetworkId, '/')[4] : '' )
+
+var varVirtualHubSubscriptionId = (!empty(parHubVirtualNetworkId) && contains(parHubVirtualNetworkId, '/providers/Microsoft.Network/virtualHubs/') ? split(parHubVirtualNetworkId, '/')[2] : '' )
+
+// **Modules**
+// Module - Customer Usage Attribution - Telemtry
+module modCustomerUsageAttribution '../../CRML/customerUsageAttribution/cuaIdManagementGroup.bicep' = if (!parTelemetryOptOut) {
+  scope: managementGroup(parTopLevelManagementGroupPrefix)
+  name: 'pid-${varCuaid}-${uniqueString(parLocation, parPeeredVnetSubscriptionId)}'
+  params: {}
+}
+
+// Module - Subscription Placement - Management
+module modSubscriptionPlacement '../../modules/subscriptionPlacement/subscriptionPlacement.bicep' = if (!empty(parPeeredVnetSubscriptionMgPlacement)) {
+  scope: managementGroup(parTopLevelManagementGroupPrefix)
+  name: varModuleDeploymentNames.modSubscriptionPlacement
+  params: {
+    parTargetManagementGroupId: parPeeredVnetSubscriptionMgPlacement
+    parSubscriptionIds: [
+      parPeeredVnetSubscriptionId
+    ]
+    parTelemetryOptOut: parTelemetryOptOut
+  }
+}
+
+// Module - Resource Group
+module modResourceGroup '../../modules/resourceGroup/resourceGroup.bicep' = {
+  scope: subscription(parPeeredVnetSubscriptionId)
+  name: varModuleDeploymentNames.modResourceGroup
+  params: {
+    parLocation: parLocation
+    parResourceGroupName: parResourceGroupNameForSpokeNetworking
+    parTags: parTags
+    parTelemetryOptOut: parTelemetryOptOut
+  }
+}
+
+// Module - Spoke Virtual Network
+module modSpokeNetworking '../../modules/spokeNetworking/spokeNetworking.bicep' = {
+  scope: resourceGroup(parPeeredVnetSubscriptionId,parResourceGroupNameForSpokeNetworking)
+  name: varModuleDeploymentNames.modSpokeNetworking
+  dependsOn: [
+    modResourceGroup
+  ]
+  params: {
+    parSpokeNetworkName: parSpokeNetworkName
+    parSpokeNetworkAddressPrefix: parSpokeNetworkAddressPrefix
+    parDdosProtectionPlanId: parDdosProtectionPlanId
+    parDnsServerIPs: parDnsServerIpArray
+    parNextHopIPAddress: varNextHopIPAddress
+    parSpokeToHubRouteTableName: parSpoketoHubRouteTableName
+    parBGPRoutePropagation: parBgpRoutePropagation
+    parTags: parTags
+    parTelemetryOptOut: parTelemetryOptOut
+    parLocation: parLocation
+  }
+}
+
+// Module - Hub to Spoke peering.
+module modHubPeeringToSpoke '../../modules/vnetPeering/vnetPeering.bicep' = if (!empty(varHubVirtualNetworkName)) {
+  scope: resourceGroup(varHubVirtualNetworkSubscriptionId,varHubVirtualNetworkResourceGroup)
+  name: varModuleDeploymentNames.modSpokePeeringFromHub
+  params: {
+    parDestinationVirtualNetworkID: (!empty(varHubVirtualNetworkName) ? modSpokeNetworking.outputs.outSpokeVirtualNetworkId : '')
+    parDestinationVirtualNetworkName: (!empty(varHubVirtualNetworkName) ? modSpokeNetworking.outputs.outSpokeVirtualNetworkName : '')
+    parSourceVirtualNetworkName: varHubVirtualNetworkName
+    parAllowForwardedTraffic: parAllowSpokeForwardedTraffic
+    parAllowGatewayTransit: parAllowHubVpnGatewayTransit
+    parTelemetryOptOut: parTelemetryOptOut
+  }
+}
+
+// Module - Spoke to Hub peering.
+module modSpokePeeringToHub '../../modules/vnetPeering/vnetPeering.bicep' = if (!empty(varHubVirtualNetworkName)) {
+  scope: resourceGroup(parPeeredVnetSubscriptionId,parResourceGroupNameForSpokeNetworking)
+  name: varModuleDeploymentNames.modSpokePeeringToHub
+  params: {
+    parDestinationVirtualNetworkID: parHubVirtualNetworkId
+    parDestinationVirtualNetworkName: varHubVirtualNetworkName
+    parSourceVirtualNetworkName: (!empty(varHubVirtualNetworkName) ? modSpokeNetworking.outputs.outSpokeVirtualNetworkName : '')
+    parUseRemoteGateways: parAllowHubVpnGatewayTransit
+    parTelemetryOptOut: parTelemetryOptOut
+  }
+}
+
+// Module -  Spoke to Azure Virtual WAN Hub peering.
+module modhubVirtualNetworkConnection '../../modules/vnetPeeringVwan/hubVirtualNetworkConnection.bicep' = if (!empty(varVirtualHubResourceId)) {
+  scope: resourceGroup(varVirtualHubSubscriptionId, varVirtualHubResourceGroup)  
+  name: varModuleDeploymentNames.modVnetPeeringVwan
+  params: {
+    parVirtualHubResourceId: varVirtualHubResourceId
+    parRemoteVirtualNetworkResourceId: modSpokeNetworking.outputs.outSpokeVirtualNetworkId
+  }
+}
+
+output outSpokeVirtualNetworkName string = modSpokeNetworking.outputs.outSpokeVirtualNetworkName
+output outSpokeVirtualNetworkid string = modSpokeNetworking.outputs.outSpokeVirtualNetworkId
diff --git a/infra-as-code/bicep/orchestration/hubPeeredSpoke/hubPeeredSpoke.parameters.example.json b/infra-as-code/bicep/orchestration/hubPeeredSpoke/hubPeeredSpoke.parameters.example.json
@@ -0,0 +1,56 @@
+{
+    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+    "contentVersion": "1.0.0.0",
+    "parameters": {
+      "parLocation": {
+        "value": "westeurope"
+      },
+      "parTopLevelManagementGroupPrefix": {
+        "value": "alz"
+      },
+      "parPeeredVnetSubscriptionId": {
+        "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+      },
+      "parPeeredVnetSubscriptionMgPlacement": {
+        "value": "alz-platform-connectivity"
+      },
+      "parDdosProtectionPlanId": {
+        "value": ""
+      },
+      "parSpokeNetworkName": {
+        "value": "vnet-spoke"
+      },
+      "parSpokeNetworkAddressPrefix": {
+        "value": "10.202.0.0/24"
+      },
+      "parDnsServerIpArray": {
+        "value": []
+      },
+      "parNextHopIpAddress": {
+        "value": "10.20.255.4"
+      },
+      "parBgpRoutePropagation": {
+        "value": false
+      },      
+      "parSpoketoHubRouteTableName": {
+        "value": "rtb-spoke-to-hub"
+      },
+      "parHubVirtualNetworkId": {
+        "value": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/alz-westeurope-hub-networking/providers/Microsoft.Network/virtualNetworks/alz-hub-westeurope"
+      },
+      "parAllowSpokeForwardedTraffic": {
+        "value": false
+      },
+      "parAllowHubVPNGatewayTransit": {
+        "value": true
+      },
+      "parTags": {
+        "value": {
+          "Environment": "POC"
+        }
+      },
+      "parTelemetryOptOut": {
+        "value": true
+      }
+    }
+  }
diff --git a/infra-as-code/bicep/orchestration/hubPeeredSpoke/hubPeeredSpoke.vwan.parameters.example.json b/infra-as-code/bicep/orchestration/hubPeeredSpoke/hubPeeredSpoke.vwan.parameters.example.json
@@ -0,0 +1,56 @@
+{
+    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+    "contentVersion": "1.0.0.0",
+    "parameters": {
+      "parLocation": {
+        "value": "westeurope"
+      },
+      "parTopLevelManagementGroupPrefix": {
+        "value": "alz"
+      },
+      "parPeeredVnetSubscriptionId": {
+        "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+      },
+      "parPeeredVnetSubscriptionMgPlacement": {
+        "value": "alz-platform-connectivity"
+      },
+      "parDdosProtectionPlanId": {
+        "value": ""
+      },
+      "parSpokeNetworkName": {
+        "value": "vnet-spoke"
+      },
+      "parSpokeNetworkAddressPrefix": {
+        "value": "10.202.0.0/24"
+      },
+      "parDnsServerIpArray": {
+        "value": []
+      },
+      "parNextHopIpAddress": {
+        "value": "10.20.255.4"
+      },
+      "parBgpRoutePropagation": {
+        "value": false
+      },      
+      "parSpoketoHubRouteTableName": {
+        "value": "rtb-spoke-to-hub"
+      },
+      "parHubVirtualNetworkId": {
+        "value": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/alz-westeurope-hub-networking/providers/Microsoft.Network/virtualHubs/alz-vhub-westeurope"
+      },
+      "parAllowSpokeForwardedTraffic": {
+        "value": false
+      },
+      "parAllowHubVPNGatewayTransit": {
+        "value": true
+      },
+      "parTags": {
+        "value": {
+          "Environment": "POC"
+        }
+      },
+      "parTelemetryOptOut": {
+        "value": true
+      }
+    }
+  }
diff --git a/infra-as-code/bicep/orchestration/hubPeeredSpoke/media/bicepVisualizer.png b/infra-as-code/bicep/orchestration/hubPeeredSpoke/media/bicepVisualizer.png