From 6ab72ee0ef09ccf0ecba1469cbc40ebe41e96540 Mon Sep 17 00:00:00 2001 From: rozkurt <72864397+rozkurt@users.noreply.github.com> Date: Wed, 11 Oct 2023 11:57:42 +0200 Subject: [PATCH] Azure vWAN Routing Intent support for Portal Deployment (#1437) Co-authored-by: Recep Ozkurt Co-authored-by: Sacha Narinx Co-authored-by: Jack Tracey <41163455+jtracey93@users.noreply.github.com> --- docs/wiki/Whats-new.md | 8 +-- eslzArm/eslz-portal.json | 63 +++++++++++++++++++ eslzArm/eslzArm.json | 31 +++++++++ .../vwan-connectivity.json | 52 ++++++++++++++- 4 files changed, 149 insertions(+), 5 deletions(-) diff --git a/docs/wiki/Whats-new.md b/docs/wiki/Whats-new.md index b85760ae02..b5f49e2384 100644 --- a/docs/wiki/Whats-new.md +++ b/docs/wiki/Whats-new.md @@ -46,6 +46,10 @@ Here's what's changed in Enterprise Scale/Azure Landing Zones: - The portal accelerator experience has been updated to include deployment of Azure Monitor baseline alerts. Details on the policies deployed can be found [here](https://aka.ms/amba/alz). - Fixed issue with couple of Policy file names to align with the actual name of the policies +#### Tooling + +- Added vWAN Hub Routing Intent support to Portal Accelerator for scenarios that include Azure Firewall deployment +- Enhanced the ALZ Portal Accelerator to provide the ability to deploy the Azure VPN Gateway in Active/Active mode as per feedback from [#655](https://github.com/Azure/Enterprise-Scale/issues/655). ### September 2023 
@@ -73,10 +77,6 @@ Here's what's changed in Enterprise Scale/Azure Landing Zones: - Deploy-VM-Monitoring (Management Group: Intermediate Root) - Deploy-VMSS-Monitoring (Management Group: Intermediate Root) -#### Tooling - -- Enhanced the ALZ Portal Accelerator to provide the ability to deploy the Azure VPN Gateway in Active/Active mode as per feedback from [#655](https://github.com/Azure/Enterprise-Scale/issues/655). - #### Other - [Azure Landing Zone External Community Call - September 2023 - Hosted & Published](https://github.com/Azure/Enterprise-Scale/wiki/Community-Calls#25th-september-2023-25092023) diff --git a/eslzArm/eslz-portal.json b/eslzArm/eslz-portal.json index efd1235f2a..23076d1d6a 100644 --- a/eslzArm/eslz-portal.json +++ b/eslzArm/eslz-portal.json 
@@ -1972,6 +1972,66 @@
 }
 ]
 }
+ },
+ {
+ "name": "enablevWANRoutingIntent",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Enable vWAN Routing Intent",
+ "defaultValue": "No",
+ "visible": "[and(not(equals(steps('connectivity').enableHub, 'No')), not(equals(steps('connectivity').enableHub, 'nva')), not(equals(steps('connectivity').enableHub, 'vhub')), equals(steps('connectivity').enableAzFw, 'Yes'))]",
+ "toolTip": "Enable vWan Routing Intent and set Azure Firewall as the next hop either for Internet Traffic, Private Traffic or both",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ }
+ },
+ {
+ "name": "vWANRoutingIntentforInternetTraffic",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Select Yes if you want to enable routing intent policy to apply on Internet Traffic",
+ "defaultValue": "No",
+ "visible":"[and(not(equals(steps('connectivity').enableHub, 'No')), not(equals(steps('connectivity').enableHub, 'nva')), not(equals(steps('connectivity').enableHub, 'vhub')), equals(steps('connectivity').enableAzFw, 'Yes'),equals(steps('connectivity').enablevWANRoutingIntent, 'Yes'))]",
+ "toolTip": "Enable vWAN Routing Intent for Internet Traffic",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ }
+ },
+ {
+ "name": "vWANRoutingIntentforPrivateTraffic",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Select Yes if you want to enable routing intent policy to apply on Private Traffic",
+ "defaultValue": "No",
+ "visible":"[and(not(equals(steps('connectivity').enableHub, 'No')), not(equals(steps('connectivity').enableHub, 'nva')), not(equals(steps('connectivity').enableHub, 'vhub')), equals(steps('connectivity').enableAzFw, 'Yes'),equals(steps('connectivity').enablevWANRoutingIntent, 'Yes'))]",
+ "toolTip": "Enable vWAN Routing Intent for Private Traffic",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ }
 }
 ]
 },
@@ -3149,6 +3209,9 @@
 "firewallZones": "[steps('connectivity').firewallZones]",
 "subnetMaskForAzFw": "[steps('connectivity').subnetMaskForAzFw]",
 "subnetMaskForAzFwMgmt": "[steps('connectivity').subnetMaskForAzFwMgmt]",
+ "enablevWANRoutingIntent":"[steps('connectivity').enablevWANRoutingIntent]",
+ "internetTrafficRoutingPolicy":"[if(equals(steps('connectivity').vWANRoutingIntentforInternetTraffic, 'Yes'), 'true', 'false')]",
+ "privateTrafficRoutingPolicy":"[if(equals(steps('connectivity').vWANRoutingIntentforPrivateTraffic, 'Yes'), 'true', 'false')]",
 "identitySubscriptionId": "[if(or(not(equals(steps('identity').esIdentitySubSection.esIdentitySub,steps('management').esMgmtSubSection.esMgmtSub)),not(equals(steps('identity').esIdentitySubSection.esIdentitySub,steps('connectivity').esNwSubSection.esNwSub))),steps('identity').esIdentitySubSection.esIdentitySub,'')]",
 "denyMgmtPortsForIdentity": "[steps('identity').denyMgmtPortsForIdentity]",
 "denySubnetWithoutNsgForIdentity": "[steps('identity').denySubnetWithoutNsgForIdentity]",
diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json
index 1cd1b6e560..77ba73f51f 100644
--- a/eslzArm/eslzArm.json
+++ b/eslzArm/eslzArm.json
@@ -455,6 +455,28 @@
 "type": "string",
 "defaultValue": ""
 },
+ "enablevWANRoutingIntent":{
+ "type": "string",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ],
+ "defaultValue": "No"
+ },
+ "internetTrafficRoutingPolicy": {
+ "type": "bool",
+ "defaultValue": false,
+ "metadata": {
+ "description": "Enable vWAN Routing Intent and Policy for Internet Traffic"
+ }
+ },
+ "privateTrafficRoutingPolicy": {
+ "type": "bool",
+ "defaultValue": false,
+ "metadata": {
+ "description": "Enable vWAN Routing Intent and Policy for Private Traffic"
+ }
+ },
 "identitySubscriptionId": {
 "type": "string",
 "defaultValue": "",
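Review bot: `internetTrafficRoutingPolicy` and `privateTrafficRoutingPolicy` are emitted from the portal as the strings `'true'`/`'false'`, while the receiving eslzArm.json parameters added in this same commit are declared `"type": "bool"`; unless the portal coerces outputs on the way to the deployment, ARM's parameter type validation rejects a string supplied for a bool parameter. `equals()` already yields a boolean, so `"internetTrafficRoutingPolicy": "[equals(steps('connectivity').vWANRoutingIntentforInternetTraffic, 'Yes')]"` (and the same shape for the private option) removes the string-to-bool hop entirely. Note also that the two sub-options keep their last value when `enablevWANRoutingIntent` is switched back to No; that stale value is only harmless because the nested template's resource `condition` re-checks `enablevWANRoutingIntent`, so that coupling is worth stating in the parameter description.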
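Review bot: `enablevWANRoutingIntent` is the only one of the three new parameters in this hunk without a `metadata.description`, so the top-level template's parameter reference does not say what the flag does or that it has no effect unless Azure Firewall is deployed (the nested template gates the routing intent resource on `enableAzFw` as well). Suggest `"metadata": { "description": "Set to Yes to create a Routing Intent on the vWAN hub with Azure Firewall as next hop; only applied when enableAzFw is Yes" }` so the dependency is visible to anyone calling eslzArm.json directly.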
@@ -2402,6 +2424,15 @@ }, "vpnGateWayScaleUnit": { "value": "[parameters('vpnGateWayScaleUnit')]" + }, + "enablevWANRoutingIntent":{ + "value":"[parameters('enablevWANRoutingIntent')]" + }, + "internetTrafficRoutingPolicy":{ + "value":"[parameters('internetTrafficRoutingPolicy')]" + }, + "privateTrafficRoutingPolicy":{ + "value":"[parameters('privateTrafficRoutingPolicy')]" } } } diff --git a/eslzArm/subscriptionTemplates/vwan-connectivity.json b/eslzArm/subscriptionTemplates/vwan-connectivity.json index 072030d10b..549fd7d55b 100644 --- a/eslzArm/subscriptionTemplates/vwan-connectivity.json +++ b/eslzArm/subscriptionTemplates/vwan-connectivity.json @@ -91,6 +91,31 @@ "firewallZones": { "type": "array", "defaultValue": [] + }, + "internetTrafficRoutingPolicy": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Enable vWAN Routing Intent and Policy for Internet Traffic" + } + }, + "privateTrafficRoutingPolicy": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Enable vWAN Routing Intent and Policy for Private Traffic" + } + }, + "enablevWANRoutingIntent":{ + "type": "string", + "allowedValues":[ + "Yes", + "No" + ], + "metadata": { + "description": + "Enable vWAN Routing Intent" + } } }, "variables": { @@ -112,7 +137,8 @@ }, "azFirewallDnsSettings": { "enableProxy": true - } + }, + "routingIntentnexthop":"[concat('/subscriptions/', parameters('connectivitySubscriptionId'), '/resourceGroups/', variables ('rgName'), '/providers/Microsoft.Network/azureFirewalls/', variables ('azFwName'))]" }, "resources": [ { 
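Review bot: The defaults in the vwan-connectivity.json parameters hunk disagree with the ones the same commit adds to eslzArm.json: `internetTrafficRoutingPolicy` and `privateTrafficRoutingPolicy` default to `true` here but `false` there, and `enablevWANRoutingIntent` has no `defaultValue` at all, so any caller of this template other than the updated eslzArm.json must now supply it or the deployment fails validation. Because the routing intent resource later in this file is created whenever `enablevWANRoutingIntent` is Yes, a direct caller that opts in without naming a traffic class gets both Internet and private traffic steered to Azure Firewall by default, a change of traffic path that should be an explicit choice. Make the nested template opt-in and backward compatible with `"defaultValue": false` on both policy parameters and `"defaultValue": "No"` on `enablevWANRoutingIntent`, matching eslzArm.json.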
@@ -259,6 +285,30 @@
 "id": "[variables('azFirewallPolicyId').id]"
 }
 }
+ },
+ {
+ "condition":"[and(equals(parameters('enablevWANRoutingIntent'), 'Yes'),equals(parameters('enableAzFw'), 'Yes'))]",
+ "type": "Microsoft.Network/virtualHubs/routingIntent",
+ "apiVersion": "2023-04-01",
+ "name":"[concat(variables('vhubname'),'/','RoutingIntent')]",
+ "dependsOn": [
+ "[concat('Microsoft.Network/virtualHubs/',variables('vhubname'))]",
+ "[concat('/subscriptions/', parameters('connectivitySubscriptionId'), '/resourceGroups/', variables ('rgName'), '/providers/Microsoft.Network/azureFirewalls/', variables ('azFwName'))]"
+ ],
+ "properties":{
+ "routingPolicies": "[
+ if(and(equals(parameters('internetTrafficRoutingPolicy'), true()),
+ equals(parameters('privateTrafficRoutingPolicy'), true())),
+ createArray(
+ createObject('name', 'PublicTraffic', 'destinations', createArray('Internet'), 'nextHop', variables('routingIntentnexthop')),
+ createObject('name', 'PrivateTraffic', 'destinations', createArray('PrivateTraffic'), 'nextHop', variables('routingIntentnexthop'))),
+ if(and(equals(parameters('internetTrafficRoutingPolicy'), true()),
+ equals(parameters('privateTrafficRoutingPolicy'), false())),
+ createArray(
+ createObject('name', 'PublicTraffic', 'destinations', createArray('Internet'), 'nextHop', variables('routingIntentnexthop'))),
+ createArray(
+ createObject('name', 'PrivateTraffic', 'destinations', createArray('PrivateTraffic'), 'nextHop', variables('routingIntentnexthop')))))]"
+ }
 }
 ]
 }
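Review bot: The nested `if` on `routingPolicies` has no branch for both flags being false, so its final else emits a PrivateTraffic-only policy; with `enablevWANRoutingIntent` = Yes and both traffic toggles left at the portal default of No, the deployment silently steers all private (VNet and branch) traffic through Azure Firewall, a path the user never selected and one that can break connectivity if the firewall policy is not ready for it. The resource should only be created when at least one policy is requested, and each policy should be added independently so the two flags cannot be conflated; `concat()` of two conditional arrays does this in a single expression and keeps the condition and the policy list in agreement. The multi-line string form used for the expression is tolerated by the ARM engine but is not strict JSON, so a single-line expression also keeps the template parseable by any JSON linting the repository runs.
```json
"condition": "[and(equals(parameters('enablevWANRoutingIntent'), 'Yes'), equals(parameters('enableAzFw'), 'Yes'), or(parameters('internetTrafficRoutingPolicy'), parameters('privateTrafficRoutingPolicy')))]",
// … unchanged: type, apiVersion, name, dependsOn …
"properties": {
  "routingPolicies": "[concat(if(parameters('internetTrafficRoutingPolicy'), createArray(createObject('name', 'PublicTraffic', 'destinations', createArray('Internet'), 'nextHop', variables('routingIntentnexthop'))), createArray()), if(parameters('privateTrafficRoutingPolicy'), createArray(createObject('name', 'PrivateTraffic', 'destinations', createArray('PrivateTraffic'), 'nextHop', variables('routingIntentnexthop'))), createArray()))]"
}
```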