diff --git a/docs/wiki/Deploying-ALZ-BasicSetup.md b/docs/wiki/Deploying-ALZ-BasicSetup.md
index e49bbc9779..8478a3fd14 100644
--- a/docs/wiki/Deploying-ALZ-BasicSetup.md
+++ b/docs/wiki/Deploying-ALZ-BasicSetup.md
@@ -46,6 +46,7 @@ On the *Azure Core setup* blade you will:
- **Provide a prefix** that will be used to name your management group hierarchy **and** platform resources.
- Choose between using dedicated subscriptions or a single subscription to host platform resources.
+- Choose between deploying in a single region, or in two regions.
**Please Note:** A dedicated platform subscriptions is in general recommended. However, some Customers have the requirement to host their platform and applications within a single subscription. This tutorial is aimed at Customers with this requirement.
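Review bot: the new bullet has a stray comma before "or" ("in a single region, or in two regions"); "Choose between deploying in a single region or in a secondary region" reads cleaner and matches the "Deploy in a secondary region" option label used in the rest of this PR.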
@@ -53,6 +54,10 @@ On the *Azure Core setup* blade you will:
![ESLZ-Company-Prefix](./media/ESLZ-Company-Prefix-singlesubscription.jpg)
+Next, select if you wish to **Deploy in a secondary region**. If this is left as *Yes*, then you will receive additional inputs later in the process to deploy resources in a secondary region.
+
+![ALZ-Secondary-Region](./media/ALZ-secondaryregion-singlesubscription.jpg)
+
Click **Next: Platform management, security, and governance>**.
![coreSetupTab-next](./media/ESLZ-Company-Prefix-2-singlesubscription.jpg)
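Review bot: "select if you wish to" should be "select whether you wish to", and "If this is left as *Yes*" implies Yes is the default without saying so; state that the option defaults to Yes, since that is what the portal definition in this PR sets. The same paragraph is pasted verbatim into the Hub and Spoke and VWAN pages, so apply the same wording in all three.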
@@ -208,6 +213,24 @@ On the *Network topology and connectivity* blade you will configure your core ne
![networkTab-fwSubnet](./media/clip_image036b-10-singlesubscription.png)
+### Deploying networking resources in a second region
+
+If you selected **Deploy in a secondary region** in the Core steps, you will also configure a secondary region for networking platform resource in this blade. This secondary platform network deployment prepares you you to take advantage of capacity in multiple regions, and for recovery or multi-region high availability.
+
+The deployment will use the same deployment type as the primary region - either two hub and spokes with Azure firewall, two hub and spokes with your own-third party NVA, or an additional virtual WAN hub.
+
+![img](./media/clip_image080.png)
+
+You will need to specify the additional region to deploy to, and then you will be given the option to deploy and configure your gateways and (if applicable) your Azure firewall.
+
+![img](./media/clip_image081.png)
+
+For best results, use similar inputs to make sure that your regional deployments can both support the same architecture. However, if you want to forgo deploying a gateway or firewall in the second region, you can select the appropriate options.
+
+Once deployed, your regional hubs will be peered together and have routing tables assigned to the firewall subnets to handle routing to each other. You can add routes to this route table later, as you add spoke networks. If you have deployed DDoS protection in the primary region, it will be applied to the secondary region as well.
+
+Your Private DNS zones will be deployed in a resource group linked to your primary region, and will be assigned to both regions. See [Private Link and DNS integration at scale](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/private-link-and-dns-integration-at-scale) for more information.
+
Click **Next: Identity>** once you had configured your network setup.
![networkTab-next](./media/clip_image036b-13-singlesubscription.png)
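Review bot: the first added paragraph has two typos ("networking platform resource" should be "resources", and "prepares you you" doubles "you"), and the deployment-type sentence should read "your own third-party NVA" and "Azure Firewall" (product name). More substantively, "have routing tables assigned to the firewall subnets to handle routing to each other" is stated unconditionally, while the What's new entry in this same PR says that for the third-party NVA topology the hubs are peered with no routing configured; qualify the sentence (for example "When Azure Firewall is deployed, ...") so the two descriptions agree. Finally, the heading "Deploying networking resources in a second region" yields the anchor `#deploying-networking-resources-in-a-second-region`, but the What's new links point at `#deploying-networking-resources-in-an-additional-region`; one of the two needs to change or the links will not resolve.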
diff --git a/docs/wiki/Deploying-ALZ-HubAndSpoke.md b/docs/wiki/Deploying-ALZ-HubAndSpoke.md
index 1b3b98fff1..c936f4d1d2 100644
--- a/docs/wiki/Deploying-ALZ-HubAndSpoke.md
+++ b/docs/wiki/Deploying-ALZ-HubAndSpoke.md
@@ -34,6 +34,10 @@ Provide a prefix that will be used to create the management group hierarchy and
![ESLZ-Company-Prefix](./media/ESLZ-Company-Prefix.JPG)
+Next, select if you wish to **Deploy in a secondary region**. If this is left as *Yes*, then you will receive additional inputs later in the process to deploy resources in a secondary region.
+
+![ALZ-Secondary-Region](./media/ALZ-secondaryregion-multisubscription.jpg)
+
## 5. Platform management, security, and governance
On the *Platform management, security, and governance* blade, you will configure the core components to enable platform monitoring and security. The options you enable will also be enforced using Azure Policy to ensure resources, landing zones, and configuration are continuously compliant as your deployments scales with business demand. To enable this, you must provide a dedicated (empty) subscription that will be used to host the requisite infrastructure.
@@ -74,12 +78,33 @@ Depending on your requirements, you may choose to deploy additional network infr
![img](./media/clip_image036b.png)
+### Deploying networking resources in a second region
+
+If you selected **Deploy in a secondary region** in the Core steps, you will also configure a secondary region for networking platform resource in this blade. This secondary platform network deployment prepares you you to take advantage of capacity in multiple regions, and for recovery or multi-region high availability.
+
+The deployment will use the same deployment type as the primary region - either two hub and spokes with Azure firewall, two hub and spokes with your own-third party NVA, or an additional virtual WAN hub.
+
+![img](./media/clip_image080.png)
+
+You will need to specify the additional region to deploy to, and then you will be given the option to deploy and configure your gateways and (if applicable) your Azure firewall.
+
+![img](./media/clip_image081.png)
+
+For best results, use similar inputs to make sure that your regional deployments can both support the same architecture. However, if you want to forgo deploying a gateway or firewall in the second region, you can select the appropriate options.
+
+Once deployed, your regional hubs will be peered together and have routing tables assigned to the firewall subnets to handle routing to each other. You can add routes to this route table later, as you add spoke networks. If you have deployed DDoS protection in the primary region, it will be applied to the secondary region as well.
+
+Your Private DNS zones will be deployed in a resource group linked to your primary region, and will be assigned to both regions. See [Private Link and DNS integration at scale](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/private-link-and-dns-integration-at-scale) for more information.
## 8. Identity
-On the *Identity* blade you can specify if you want to assign recommended policies to govern identity and domain controllers. If you decide to enable this feature, you do need to provide an empty subscription for this. You can then select which policies you want to get assigned, and you will need to provide the address space for the virtual network that will be deployed on this subscription. Please note that this virtual network will be connected to the hub virtual network via VNet peering.
+On the *Identity* blade you can specify if you want to assign recommended policies to govern identity and domain controllers. If you decide to enable this feature, you do need to provide an empty subscription for this. You can then select which policies you want to get assigned, and you will need to provide the address space for the virtual network that will be deployed on this subscription. Please note that this virtual network will be connected to the hub virtual network via VNet peering.
![img](./media/clip_image036c.png)
+In addition, you selected **Deploy in a secondary region** and deployed a network topology, you also have the option to deploy an additional Identity virtual network in that region. It will be peered to the hub in your secondary region.
+
+![img](./media/clip_image085.png)
+
## 9. Landing zone configuration
In the top section you can select which policies you want to assign broadly to all of your application landing zones. You also have the ability to set policies to *Audit only* which will assign the policies for Audit.
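Review bot: the same fixes as on the BasicSetup page apply to the networking section here ("resource" should be "resources", doubled "you", "own-third party NVA" should be "own third-party NVA", "Azure firewall" should be "Azure Firewall", and the unconditional routing-table sentence should be qualified for the NVA case). The new Identity sentence is missing a word: "In addition, you selected **Deploy in a secondary region** ..." should read "In addition, if you selected ...". The rewritten line under "## 8. Identity" appears byte-identical to the line it replaces; if the only difference is trailing whitespace or line endings, drop it from the diff to keep the change reviewable.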
diff --git a/docs/wiki/Deploying-ALZ-VWAN.md b/docs/wiki/Deploying-ALZ-VWAN.md
index 321145716f..5f57b63d2c 100644
--- a/docs/wiki/Deploying-ALZ-VWAN.md
+++ b/docs/wiki/Deploying-ALZ-VWAN.md
@@ -34,6 +34,10 @@ Provide a prefix that will be used to create the management group hierarchy and
![ESLZ-Company-Prefix](./media/ESLZ-Company-Prefix.JPG)
+Next, select if you wish to **Deploy in a secondary region**. If this is left as *Yes*, then you will receive additional inputs later in the process to deploy resources in a secondary region.
+
+![ALZ-Secondary-Region](./media/ALZ-secondaryregion-multisubscription.jpg)
+
## 5. Platform management, security, and governance
On the *Platform management, security, and governance* blade, you will configure the core components to enable platform monitoring and security. The options you enable will also be enforced using Azure Policy to ensure resources, landing zones, and more are continuously compliant as your deployments scales and grows. To enable this, you must provide a dedicated (empty) subscription that will be used to host the requisite infrastructure.
@@ -69,12 +73,26 @@ Depending on your requirements, you may choose to deploy additional network infr
![vwan](./media/clip_image078.jpg)
+### Deploying networking resources in a second region
+
+If you selected **Deploy in a secondary region** in the Core steps, you will also configure a secondary region for networking platform resource in this blade. This secondary platform network deployment prepares you you to take advantage of capacity in multiple regions, and for recovery or multi-region high availability.
+
+The deployment will deploy an additional virtual hub in the secondary region that you specify.
+
+You will need to provide the configuration for the virtual hub, same as the primary region.
+
+![img](./media/clip_image084.png)
+
## 8. Identity
On the *Identity* blade you can specify if you want to assign recommended policies to govern identity and domain controllers. If you decide to enable this feature, you do need to provide an empty subscription for this. You can then select which policies you want to get assigned, and you will need to provide the address space for the virtual network that will be deployed on this subscription. Please note that this virtual network will be connected to the hub virtual network via VNet peering.
![img](./media/clip_image036c.png)
+In addition, you selected **Deploy in a secondary region** and deployed a network topology, you also have the option to deploy an additional Identity virtual network in that region. It will be connected to the hub in your secondary region.
+
+![img](./media/clip_image085.png)
+
## 9. Landing zone configuration
In the top section you can select which policies you want to assign broadly to all of your application landing zones. You also have the ability to set policies to *Audit only* which will assign the policies for Audit.
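Review bot: "In addition, you selected **Deploy in a secondary region** ..." is missing "if", and the first paragraph carries the same "resource"/"you you" typos as the hub-and-spoke pages. This page says the secondary Identity virtual network "will be connected to the hub", which is the right term for a Virtual WAN hub, but the What's new Tooling entry says the vWAN hubs and the Identity network are "peered"; align that entry with the wording here.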
diff --git a/docs/wiki/Whats-new.md b/docs/wiki/Whats-new.md
index b2a7aa2a98..aaf3c6c82a 100644
--- a/docs/wiki/Whats-new.md
+++ b/docs/wiki/Whats-new.md
@@ -144,6 +144,17 @@ Special Note: Existing consumers of ALZ will notice that some "assigned by defau
#### Documentation
- Archived the readme content in the eslzArm folder as it is no longer relevant. Please refer to the [ALZ Wiki](https://aka.ms/alz/wiki) for the latest information on how to deploy Enterprise-Scale Landing Zones. To view the content that was previously here, refer to the [archive](https://github.com/Azure/Enterprise-Scale/blob/45d5c2bd8c1a9e19b1a46a3a0dabb311e5320b64/eslzArm/README.md).
+- Added new instructions for deploying hub and spoke network topology in [multiple regions](./Deploying-ALZ-HubAndSpoke#deploying-networking-resources-in-an-additional-region).
+- Added new instructions for deploying additional vWAN hubs in [multiple regions](./Deploying-ALZ-HubAndSpoke#deploying-networking-resources-in-an-additional-region).
+
+#### Tooling
+
+- Added functionality to deploy platform resources into multiple regions. In the Core settings, you will have the option to deploy resources in a secondary region. If you select **Yes** you will have new options:
+ - In the **Networking topology and connectivity** tab:
+ - If you select *Hub and spoke with Azure Firewall* you will deploy a second hub in a secondary region. You can configure the IP space, VPN Gateway settings, ExpressRoute Gateway settings, and Azure Firewall settings for this region. Both of the hubs will be peered, with routing for the hubs to the Azure Firewalls being deployed. If you select DDoS protection or to select the creation of Azure Private DNS Zones, these will be linked to the second hub as well.
+ - If you select *Hub and spoke with your third-party NVA* you will deploy a second hub in a secondary region. You can configure the IP space, VPN Gateway settings, and ExpressRoute Gateway settings for this region. Both of the hubs will be peered, but no routing configured. If you select DDoS protection or to select the creation of Azure Private DNS Zones, these will be linked to the second hub as well.
+ - If you select *Virtual WAN* you will deploy a second virtual hub in a secondary region, as part of your virtual WAN deployment. You can configure the IP space, VPN Gateway settings, ExpressRoute Gateway settings, and Azure Firewall settings for this region. Both of the hubs will be peered, with routing for the hubs to the Azure Firewalls being deployed.
+ - In the **Identity** tab, if you have selected a topology to deploy, you will have the option to deploy an Identity virtual network to the secondary region, peered to the hub in that region.
### April 2024
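Review bot: the second Documentation bullet (additional vWAN hubs) links to Deploying-ALZ-HubAndSpoke; it should point at Deploying-ALZ-VWAN. Both bullets also use the anchor `#deploying-networking-resources-in-an-additional-region`, but the headings added in this PR read "Deploying networking resources in a second region", so the anchors will not resolve. In the Tooling list, "If you select DDoS protection or to select the creation of Azure Private DNS Zones" should be "or the creation of". The third-party NVA bullet says "Both of the hubs will be peered, but no routing configured", which contradicts the unconditional routing-table sentence in the wiki pages, and the Virtual WAN bullet says the hubs "will be peered" whereas the VWAN page says resources are "connected" to the hub; make the terminology consistent across the entry and the three pages.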
diff --git a/docs/wiki/media/ALZ-secondaryregion-multisubscription.jpg b/docs/wiki/media/ALZ-secondaryregion-multisubscription.jpg
new file mode 100644
index 0000000000..af18ad250f
Binary files /dev/null and b/docs/wiki/media/ALZ-secondaryregion-multisubscription.jpg differ
diff --git a/docs/wiki/media/ALZ-secondaryregion-singlesubscription.jpg b/docs/wiki/media/ALZ-secondaryregion-singlesubscription.jpg
new file mode 100644
index 0000000000..c7e930ae4e
Binary files /dev/null and b/docs/wiki/media/ALZ-secondaryregion-singlesubscription.jpg differ
diff --git a/docs/wiki/media/clip_image080.png b/docs/wiki/media/clip_image080.png
new file mode 100644
index 0000000000..4747e08e5a
Binary files /dev/null and b/docs/wiki/media/clip_image080.png differ
diff --git a/docs/wiki/media/clip_image081.png b/docs/wiki/media/clip_image081.png
new file mode 100644
index 0000000000..85ee27aac8
Binary files /dev/null and b/docs/wiki/media/clip_image081.png differ
diff --git a/docs/wiki/media/clip_image082.png b/docs/wiki/media/clip_image082.png
new file mode 100644
index 0000000000..39139bada3
Binary files /dev/null and b/docs/wiki/media/clip_image082.png differ
diff --git a/docs/wiki/media/clip_image083.png b/docs/wiki/media/clip_image083.png
new file mode 100644
index 0000000000..c178c9d5fb
Binary files /dev/null and b/docs/wiki/media/clip_image083.png differ
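Review bot: clip_image082.png and clip_image083.png are added as new media, but none of the wiki changes in this diff reference them (the pages use clip_image080, clip_image081, clip_image084 and clip_image085); either reference them where intended or drop them so the repository does not accumulate orphaned binaries.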
diff --git a/docs/wiki/media/clip_image084.png b/docs/wiki/media/clip_image084.png
new file mode 100644
index 0000000000..79e9e1be21
Binary files /dev/null and b/docs/wiki/media/clip_image084.png differ
diff --git a/docs/wiki/media/clip_image085.png b/docs/wiki/media/clip_image085.png
new file mode 100644
index 0000000000..b97f2b96f1
Binary files /dev/null and b/docs/wiki/media/clip_image085.png differ
diff --git a/eslzArm/eslz-portal.json b/eslzArm/eslz-portal.json
index 8a93b6fffe..047668d1f5 100644
--- a/eslzArm/eslz-portal.json
+++ b/eslzArm/eslz-portal.json
@@ -206,6 +206,26 @@
],
"visible": "[equals(steps('core').platformSubscription, 'Single')]"
},
+ {
+ "name": "deploySecondaryRegion",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Deploy in a secondary region",
+ "defaultValue": "Yes (recommended)",
+ "visible": true,
+ "toolTip": "If you select Yes, you will be prompted to deploy resources in an additional region where appropriate.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ }
+ },
{
"name": "denyClassicResources",
"type": "Microsoft.Common.OptionsGroup",
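Review bot: `deploySecondaryRegion` defaults to "Yes (recommended)", which makes a second region's hub, gateways and firewall opt-out rather than opt-in for every deployment; given the cost and the added attack surface of a second set of gateways, confirm that default is intended, and if so have the wiki state explicitly that the option defaults to Yes instead of only "if this is left as Yes". The toolTip's "where appropriate" could also name the blades affected (Network topology and connectivity, and Identity), which is what the What's new entry describes.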
@@ -1077,6 +1097,16 @@
},
"visible": true
},
+ {
+ "name": "esNwNVANote",
+ "type": "Microsoft.Common.InfoBox",
+ "visible": "[equals(steps('connectivity').enableHub, 'nva')]",
+ "options": {
+ "text": "For high availability of third-party NVAs please see the guidance: Deploy highly available NVAs",
+ "uri": "https://learn.microsoft.com/azure/architecture/networking/guide/nva-ha",
+ "style": "Info"
+ }
+ },
{
"name": "esNwSubSection",
"type": "Microsoft.Common.Section",
@@ -2782,213 +2812,1330 @@
}
]
}
- }
- ]
- },
- {
- "name": "identity",
- "label": "Identity",
- "subLabel": {
- "preValidation": "",
- "postValidation": ""
- },
- "bladeTitle": "ALZ - Identity Settings",
- "elements": [
- {
- "name": "multiPlatformIdentitySub",
- "type": "Microsoft.Common.InfoBox",
- "visible": "[not(equals(steps('core').platformSubscription, 'Single'))]",
- "options": {
- "text": "To enable identity (AuthN/AuthZ) for workloads in landing zones, you must allocate an identity Subscription that is dedicated to host your Active Directory domain controllers. Please note, this Subscription will be moved to the identity Management Group, and ARM will assign the selected policies. We recommend using a new Subscription with no existing resources.",
- "uri": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/identity-and-access-management",
- "style": "Info"
- }
- },
- {
- "name": "singlePlatformIdentitySub",
- "type": "Microsoft.Common.InfoBox",
- "visible": "[equals(steps('core').platformSubscription, 'Single')]",
- "options": {
- "text": "To enable identity (AuthN/AuthZ) for workloads in landing zones, it is recommended to assign specific policies to govern the virtual machines used for Active Directory domain controllers.",
- "uri": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/identity-and-access-management",
- "style": "Info"
- }
- },
- {
- "name": "esIdentity",
- "type": "Microsoft.Common.OptionsGroup",
- "label": "Assign recommended policies to govern identity and domain controllers",
- "defaultValue": "Yes (recommended)",
- "toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, Azure Policy will be assigned at the scope to govern your identity resources.",
- "constraints": {
- "allowedValues": [
- {
- "label": "Yes (recommended)",
- "value": "Yes"
- },
- {
- "label": "No",
- "value": "No"
- }
- ]
- },
- "visible": true
},
{
- "name": "esIdentitySubSection",
+ "name": "esNetworkSecondarySubSection",
"type": "Microsoft.Common.Section",
- "label": "Identity subscription",
- "elements": [
+ "label": "Secondary Region Networking",
+ "visible": "[and(not(equals(steps('connectivity').enableHub, 'No')), equals(steps('core').deploySecondaryRegion, 'Yes'))]",
+ "elements":[
{
- "name": "esIdentitySubUniqueWarning",
+ "name": "secondaryRegionNetworkInfo",
"type": "Microsoft.Common.InfoBox",
- "visible": true,
+ "visible": "[and(not(equals(steps('connectivity').enableHub, 'No')), not(equals(steps('connectivity').enableHub, 'No')))]",
"options": {
- "text": "Ensure you select a subscription that is dedicated/unique for Identity. Selecting the same Subscription here for Management or Connectivity will result in a deployment failure. If you want to use a single Subscription for all platform resources, select 'Single' on the 'Azure Core Setup' blade.",
- "uri": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-subscriptions#organization-and-governance-design-considerations",
- "style": "Warning"
+ "text": "Your second region's networking resources will be deployed in the same subscription as the first region's. If you select the same region twice, the secondary resources will not be deployed and you may encounter errors.",
+ "uri": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/define-an-azure-network-topology",
+ "style": "Info"
}
},
{
- "name": "esIdentitySub",
+ "name": "connectivityLocationSecondary",
"type": "Microsoft.Common.DropDown",
- "label": "Identity subscription",
- "defaultValue": "[parse('[]')]",
- "toolTip": "",
- "multiselect": false,
- "selectAll": false,
+ "label": "Region to extend networking",
"filter": true,
- "filterPlaceholder": "Filter subscriptions...",
- "multiLine": true,
- "visible": true,
+ "toolTip": "Select the target region for your second connectivity deployment (requires you to provide a subscriptionId for connectivity)",
+ "defaultValue": "[parse('[]')]",
"constraints": {
- "allowedValues": "[steps('basics').getSubscriptions.data]",
+ "allowedValues": "[map(steps('basics').getLocations.value,(item) => parse(concat('{\"label\":\"',item.displayName,'\",\"value\":\"',item.name,'\"}')))]",
"required": true
- }
- }
- ],
- "visible": "[and(equals(steps('identity').esIdentity,'Yes'), not(equals(steps('core').platformSubscription, 'Single')))]"
- },
- {
- "name": "identitypolicies",
- "type": "Microsoft.Common.TextBlock",
- "visible": "[equals(steps('identity').esIdentity,'Yes')]",
- "options": {
- "text": "Select which of the the recommended policies you will assign to your identity management group.",
- "link": {
- "label": "Learn more",
- "uri": "https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/enterprise-scale/design-principles#policy-driven-governance"
- }
- }
- },
- {
- "name": "denyMgmtPortsForIdentity",
- "type": "Microsoft.Common.OptionsGroup",
- "label": "Prevent inbound management ports from internet",
- "defaultValue": "Yes (recommended)",
- "toolTip": "If 'Yes' is selected, Azure Policy will be assigned and prevent inbound management ports (22, 3389) from internet.
Uses the custom policy Management port access from the Internet should be blocked.",
- "constraints": {
- "allowedValues": [
- {
- "label": "Yes (recommended)",
- "value": "Yes"
},
- {
- "label": "No",
- "value": "No"
+ "visible": "[and(not(equals(steps('connectivity').enableHub, 'No')), not(equals(steps('connectivity').enableHub, 'No')))]"
+ },
+ {
+ "name": "esAddressHubVWANSecondary",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Address space for your second virtual hub (required for vWAN hub)",
+ "toolTip": "Provide address prefix in CIDR notation (e.g 10.200.0.0/23)",
+ "defaultValue": "10.200.0.0/23",
+ "visible": "[and(not(equals(steps('connectivity').enableHub, 'No')), not(equals(steps('connectivity').enableHub, 'nva')), not(equals(steps('connectivity').enableHub, 'vhub')), not(equals(steps('connectivity').enableHub, 'No')), not(equals(steps('connectivity').enableHub, 'nva')), not(equals(steps('connectivity').enableHub, 'vhub')))]",
+ "constraints": {
+ "required": true,
+ "validations": [
+ {
+ "regex": "^(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(?:\/(1[0-9]|2[0-4]))$",
+ "message": "Invalid CIDR range. The address prefix must be in the range [10,24]."
+ }
+ ]
}
- ]
- },
- "visible": "[equals(steps('identity').esIdentity,'Yes')]"
- },
- {
- "name": "denySubnetWithoutNsgForIdentity",
- "type": "Microsoft.Common.OptionsGroup",
- "label": "Ensure subnets are associated with NSG",
- "defaultValue": "Yes (recommended)",
- "toolTip": "If 'Yes' is selected, Azure Policy will be assigned to ensure NSGs must be associated with subnets being created.
Uses the custom policy Subnets should have a Network Security Group.",
- "constraints": {
- "allowedValues": [
- {
- "label": "Yes (recommended)",
- "value": "Yes"
- },
- {
- "label": "No",
- "value": "No"
+ },
+ {
+ "name": "esAddressHubHSSecondary",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Address space for your second hub virtual network(required for hub virtual network)",
+ "toolTip": "Provide address prefix in CIDR notation (e.g 10.200.0.0/16)",
+ "defaultValue": "10.200.0.0/16",
+ "visible": "[and(not(equals(steps('connectivity').enableHub, 'No')), not(equals(steps('connectivity').enableHub, 'vwan')), not(equals(steps('connectivity').enableHub, 'No')), not(equals(steps('connectivity').enableHub, 'vwan')))]",
+ "constraints": {
+ "required": true,
+ "validations": [
+ {
+ "regex": "^(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(?:\/(1[0-9]|2[0-4]))$",
+ "message": "Invalid CIDR range. The address prefix must be in the range [10,24]."
+ }
+ ]
}
- ]
- },
- "visible": "[equals(steps('identity').esIdentity,'Yes')]"
- },
- {
- "name": "denyPipForIdentity",
- "type": "Microsoft.Common.OptionsGroup",
- "label": "Prevent usage of public IP",
- "defaultValue": "Yes (recommended)",
- "toolTip": "If 'Yes' is selected, Azure Policy will be assigned to ensure public IP resources cannot be created.
Uses the policy Not allowed resource types with parameters including Public IP Address resources.",
- "constraints": {
- "allowedValues": [
- {
- "label": "Yes (recommended)",
- "value": "Yes"
- },
- {
- "label": "No",
- "value": "No"
+ },
+ {
+ "name": "esNwZtnNote",
+ "type": "Microsoft.Common.InfoBox",
+ "visible": "[and(not(equals(steps('connectivity').enableHub, 'No')), not(equals(steps('connectivity').enableHub, 'nva')))]",
+ "options": {
+ "text": "ALZ defaults are aligned to Zero Trust Networking principles. Click on this box to learn more about the Zero Trust Networking principles and how to apply them.",
+ "uri": "https://learn.microsoft.com/security/zero-trust/deploy/networks",
+ "style": "Info"
}
- ]
- },
- "visible": "[and(equals(steps('identity').esIdentity,'Yes'), not(equals(steps('core').platformSubscription, 'Single')))]"
- },
- {
- "name": "enableVmBackupForIdentity",
- "type": "Microsoft.Common.OptionsGroup",
- "label": "Ensure Azure VMs (Windows & Linux) are enabled for Azure Backup",
- "defaultValue": "Yes (recommended)",
- "toolTip": "If 'Yes' is selected, Azure Policy will be assigned and enable Azure Backup on all VMs in the landing zones.
Uses the policy Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy.",
- "constraints": {
- "allowedValues": [
- {
- "label": "Yes (recommended)",
- "value": "Yes"
- },
- {
- "label": "No",
- "value": "No"
+ },
+ {
+ "name": "enableVpnGwSecondary",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Deploy VPN Gateway in your second region",
+ "defaultValue": "No",
+ "visible": "[and(not(equals(steps('connectivity').enableHub, 'No')), not(equals(steps('connectivity').enableHub, 'No')))]",
+ "toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, ARM will deploy VPN gateway",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
}
- ]
- },
- "visible": "[equals(steps('identity').esIdentity,'Yes')]"
- },
- {
- "name": "esIdentityConnectivity",
- "type": "Microsoft.Common.OptionsGroup",
- "label": "Create virtual network and connect to the connectivity hub (optional)?",
- "defaultValue": "Yes (recommended)",
- "toolTip": "If 'Yes' is selected for corp landing zones, ARM will connect the subscriptions to the hub virtual network via VNet peering.",
- "constraints": {
- "allowedValues": [
- {
- "label": "Yes (recommended)",
- "value": "Yes"
- },
- {
- "label": "No",
- "value": "No"
+ },
+ {
+ "name": "gwRegionalOrAzSecondary",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Deploy zone redundant or regional VPN Gateway in your second region",
+ "defaultValue": "Zone redundant (recommended)",
+ "visible": "[and(and(equals(steps('connectivity').esNetworkSecondarySubSection.enableVpnGwSecondary,'Yes'), not(equals(steps('connectivity').enableHub, 'vwan'))), equals(steps('connectivity').esNetworkSecondarySubSection.enableVpnGwSecondary,'Yes'),contains(split('brazilsouth,canadacentral,centralus,eastus,eastus2,southcentralus,westus2,westus3,francecentral,germanywestcentral,northeurope,norwayeast,uksouth,westeurope,swedencentral,switzerlandnorth,qatarcentral,uaenorth,southafricanorth,australiaeast,centralindia,japaneast,koreacentral,southeastasia,eastasia,italynorth', ','), steps('connectivity').esNetworkSecondarySubSection.connectivityLocationSecondary))]",
+ "toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, ARM will deploy Virtual Gateway to the selected region and availability zones.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Zone redundant (recommended)",
+ "value": "Zone"
+ },
+ {
+ "label": "Regional",
+ "value": "Regional"
+ }
+ ]
}
- ]
- },
- "visible": "[and(and(equals(steps('identity').esIdentity,'Yes'), not(equals(steps('core').platformSubscription, 'Single'))), equals(steps('identity').esIdentity, 'Yes'), not(equals(steps('connectivity').enableHub,'No')))]"
- },
- {
- "name": "identityAddressPrefix",
- "type": "Microsoft.Common.TextBox",
- "label": "Virtual network address space",
- "placeholder": "",
- "defaultValue": "10.110.0.0/24",
- "toolTip": "The virtual network's address space, specified as one address prefixes in CIDR notation (e.g. 192.168.1.0/24)",
- "constraints": {
+ },
+ {
+ "name": "enableVpnActiveActiveSecondary",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Deploy VPN Gateway in Active/Active mode in your second region",
+ "defaultValue": "No",
+ "visible": "[and(equals(steps('connectivity').esNetworkSecondarySubSection.enableVpnGwSecondary,'Yes'), not(equals(steps('connectivity').enableHub, 'vwan')), equals(steps('connectivity').esNetworkSecondarySubSection.enableVpnGwSecondary,'Yes'))]",
+ "toolTip": "Deploy the VPN gateway in Active/Active mode",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ }
+ },
+ {
+ "name": "esGwNoAzSkuSecondary",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Select the VPN Gateway SKU for your second region",
+ "defaultValue": "",
+ "multiselect": false,
+ "selectAll": false,
+ "filter": false,
+ "multiLine": true,
+ "visible": "[and(and(equals(steps('connectivity').esNetworkSecondarySubSection.enableVpnGwSecondary, 'Yes'), not(equals(steps('connectivity').enableHub, 'vwan'))), equals(steps('connectivity').esNetworkSecondarySubSection.enableVpnGwSecondary,'Yes'), not(contains(split('brazilsouth,canadacentral,centralus,eastus,eastus2,southcentralus,westus2,westus3,francecentral,germanywestcentral,northeurope,norwayeast,uksouth,westeurope,swedencentral,switzerlandnorth,qatarcentral,uaenorth,southafricanorth,australiaeast,centralindia,japaneast,koreacentral,southeastasia,eastasia,italynorth', ','), steps('connectivity').esNetworkSecondarySubSection.connectivityLocationSecondary)))]",
+ "toolTip": "Select the required SKU for the VPN gateway.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "VpnGw2",
+ "description": "Supports BGP, max 30 S2S/VNet-VNet tunnels, max 128 P2S SSTP connections, max 500 IKEv2/OpenVPN connections, aggregate throughput is 1.25 Gbps",
+ "value": "VpnGw2"
+ },
+ {
+ "label": "VpnGw3",
+ "description": "Supports BGP, max 30 S2S/VNet-VNet tunnels, max 128 P2S SSTP connections, max 1000 IKEv2/OpenVPN connections, aggregate throughput is 2.5 Gbps",
+ "value": "VpnGw3"
+ },
+ {
+ "label": "VpnGw4",
+ "description": "Supports BGP, max 30 S2S/VNet-VNet tunnels, max 128 P2S SSTP connections, max 5000 IKEv2/OpenVPN connections, aggregate throughput is 5 Gbps",
+ "value": "VpnGw4"
+ },
+ {
+ "label": "VpnGw5",
+ "description": "Supports BGP, max 30 S2S/VNet-VNet tunnels, max 128 P2S SSTP connections, max 10000 IKEv2/OpenVPN connections, aggregate throughput is 10 Gbps",
+ "value": "VpnGw5"
+ }
+ ]
+ }
+ },
+ {
+ "name": "gwAzSkuSecondary",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Select the VPN Gateway SKU for your second region",
+ "defaultValue": "",
+ "multiselect": false,
+ "selectAll": false,
+ "filter": false,
+ "multiLine": true,
+ "visible": "[and(and(equals(steps('connectivity').esNetworkSecondarySubSection.enableVpnGwSecondary, 'Yes'), not(equals(steps('connectivity').enableHub, 'vwan'))), equals(steps('connectivity').esNetworkSecondarySubSection.enableVpnGwSecondary,'Yes'), equals(steps('connectivity').esNetworkSecondarySubSection.gwRegionalOrAzSecondary, 'Zone') ,contains(split('brazilsouth,canadacentral,centralus,eastus,eastus2,southcentralus,westus2,westus3,francecentral,germanywestcentral,northeurope,norwayeast,uksouth,westeurope,swedencentral,switzerlandnorth,qatarcentral,uaenorth,southafricanorth,australiaeast,centralindia,japaneast,koreacentral,southeastasia,eastasia,italynorth', ','), steps('connectivity').esNetworkSecondarySubSection.connectivityLocationSecondary))]",
+ "toolTip": "Select the required SKU for the VPN gateway.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "VpnGw2AZ",
+ "description": "Supports BGP, max 30 S2S/VNet-VNet tunnels, max 128 P2S SSTP connections, max 500 IKEv2/OpenVPN connections, aggregate throughput is 1.25 Gbps",
+ "value": "VpnGw2AZ"
+ },
+ {
+ "label": "VpnGw3AZ",
+ "description": "Supports BGP, max 30 S2S/VNet-VNet tunnels, max 128 P2S SSTP connections, max 1000 IKEv2/OpenVPN connections, aggregate throughput is 2.5 Gbps",
+ "value": "VpnGw3AZ"
+ },
+ {
+ "label": "VpnGw4AZ",
+ "description": "Supports BGP, max 30 S2S/VNet-VNet tunnels, max 128 P2S SSTP connections, max 5000 IKEv2/OpenVPN connections, aggregate throughput is 5 Gbps",
+ "value": "VpnGw4AZ"
+ },
+ {
+ "label": "VpnGw5AZ",
+ "description": "Supports BGP, max 30 S2S/VNet-VNet tunnels, max 128 P2S SSTP connections, max 10000 IKEv2/OpenVPN connections, aggregate throughput is 10 Gbps",
+ "value": "VpnGw5AZ"
+ }
+ ]
+ }
+ },
+ {
+ "name": "gwRegionalSkuSecondary",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Select the VPN Gateway SKU for your second region",
+ "defaultValue": "",
+ "multiselect": false,
+ "selectAll": false,
+ "filter": false,
+ "multiLine": true,
+ "visible": "[and(and(equals(steps('connectivity').esNetworkSecondarySubSection.enableVpnGwSecondary, 'Yes'), not(equals(steps('connectivity').enableHub, 'vwan'))), equals(steps('connectivity').esNetworkSecondarySubSection.enableVpnGwSecondary,'Yes'), equals(steps('connectivity').esNetworkSecondarySubSection.gwRegionalOrAzSecondary, 'Regional'))]",
+ "toolTip": "Select the required SKU for the VPN gateway.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "VpnGw2",
+ "description": "Supports BGP, max 30 S2S/VNet-VNet tunnels, max 128 P2S SSTP connections, max 500 IKEv2/OpenVPN connections, aggregate throughput is 1.25 Gbps",
+ "value": "VpnGw2"
+ },
+ {
+ "label": "VpnGw3",
+ "description": "Supports BGP, max 30 S2S/VNet-VNet tunnels, max 128 P2S SSTP connections, max 1000 IKEv2/OpenVPN connections, aggregate throughput is 2.5 Gbps",
+ "value": "VpnGw3"
+ },
+ {
+ "label": "VpnGw4",
+ "description": "Supports BGP, max 30 S2S/VNet-VNet tunnels, max 128 P2S SSTP connections, max 5000 IKEv2/OpenVPN connections, aggregate throughput is 5 Gbps",
+ "value": "VpnGw4"
+ },
+ {
+ "label": "VpnGw5",
+ "description": "Supports BGP, max 30 S2S/VNet-VNet tunnels, max 128 P2S SSTP connections, max 10000 IKEv2/OpenVPN connections, aggregate throughput is 10 Gbps",
+ "value": "VpnGw5"
+ }
+ ]
+ }
+ },
+ {
+ "name": "vpnGateWayScaleUnitSecondary",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Select the VPN Gateway scale unit for your second region",
+ "defaultValue": "",
+ "multiselect": false,
+ "selectAll": false,
+ "filter": false,
+ "multiLine": true,
+ "visible": "[and(equals(steps('connectivity').esNetworkSecondarySubSection.enableVpnGwSecondary, 'Yes'), equals(steps('connectivity').enableHub, 'vwan'))]",
+ "toolTip": "Select the VPN Gateway scale unit",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "1 scale unit",
+ "description": "Supports 500 Mbps x2",
+ "value": "1"
+ },
+ {
+ "label": "2 scale units",
+ "description": "Supports 1 Gbps x 2",
+ "value": "2"
+ },
+ {
+ "label": "3 scale units",
+ "description": "Supports 1.5 Gbps x 2",
+ "value": "3"
+ },
+ {
+ "label": "4 scale units",
+ "description": "Supports 2 Gbps x 2",
+ "value": "4"
+ },
+ {
+ "label": "5 scale units",
+ "description": "Supports 2.5 Gbps x 2",
+ "value": "5"
+ },
+ {
+ "label": "6 scale units",
+ "description": "Supports 3 Gbps x 2",
+ "value": "6"
+ },
+ {
+ "label": "7 scale units",
+ "description": "Supports 3.5 Gbps x 2",
+ "value": "7"
+ },
+ {
+ "label": "8 scale units",
+ "description": "Supports 4 Gbps x 2",
+ "value": "8"
+ },
+ {
+ "label": "9 scale units",
+ "description": "Supports 4.5 Gbps x 2",
+ "value": "9"
+ },
+ {
+ "label": "10 scale units",
+ "description": "Supports 5 Gbps x 2",
+ "value": "10"
+ },
+ {
+ "label": "11 scale units",
+ "description": "Supports 5.5 Gbps x 2",
+ "value": "11"
+ },
+ {
+ "label": "12 scale units",
+ "description": "Supports 6 Gbps x 2",
+ "value": "12"
+ },
+ {
+ "label": "13 scale units",
+ "description": "Supports 6.5 Gbps x 2",
+ "value": "13"
+ },
+ {
+ "label": "14 scale units",
+ "description": "Supports 7 Gbps x 2",
+ "value": "14"
+ },
+ {
+ "label": "15 scale units",
+ "description": "Supports 7.5 Gbps x 2",
+ "value": "15"
+ },
+ {
+ "label": "16 scale units",
+ "description": "Supports 8 Gbps x 2",
+ "value": "16"
+ },
+ {
+ "label": "17 scale units",
+ "description": "Supports 8.5 Gbps x 2",
+ "value": "17"
+ },
+ {
+ "label": "18 scale units",
+ "description": "Supports 9 Gbps x 2",
+ "value": "18"
+ },
+ {
+ "label": "19 scale units",
+ "description": "Supports 9.5 Gbps x 2",
+ "value": "19"
+ },
+ {
+ "label": "20 scale units",
+ "description": "Supports 10 Gbps x 2",
+ "value": "20"
+ }
+ ]
+ }
+ },
+ {
+ "name": "subnetMaskForGwSecondary",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Subnet for VPN/ExpressRoute Gateways in your second region",
+ "toolTip": "Provide address prefix in CIDR notation (e.g 10.200.1.0/24)",
+ "defaultValue": "10.200.1.0/24",
+ "visible": "[and(not(equals(steps('connectivity').enableHub, 'vwan')), or(equals(steps('connectivity').esNetworkSecondarySubSection.enableErGwSecondary, 'Yes'),equals(steps('connectivity').esNetworkSecondarySubSection.enableVpnGwSecondary, 'Yes')))]",
+ "constraints": {
+ "required": true,
+ "validations": [
+ {
+ "regex": "^(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(?:\/(2[0-7]))$",
+ "message": "Invalid CIDR range. The address prefix must be in the range [20,27]."
+ },
+ {
+ "isValid": "[if(greaterOrEquals(last(split(steps('connectivity').esNetworkSecondarySubSection.esAddressHubHSSecondary, '/')), 8), equals(last(take(split(first(split(steps('connectivity').esNetworkSecondarySubSection.esAddressHubHSSecondary, '/')), '.'), 1)), last(take(split(first(split(steps('connectivity').esNetworkSecondarySubSection.subnetMaskForGwSecondary, '/')), '.'), 1))), true)]",
+ "message": "CIDR range not within virtual network CIDR range (first octet)."
+ },
+ {
+ "isValid": "[if(greaterOrEquals(last(split(steps('connectivity').esNetworkSecondarySubSection.esAddressHubHSSecondary, '/')), 16), equals(last(take(split(first(split(steps('connectivity').esNetworkSecondarySubSection.esAddressHubHSSecondary, '/')), '.'), 2)), last(take(split(first(split(steps('connectivity').esNetworkSecondarySubSection.subnetMaskForGwSecondary, '/')), '.'), 2))), true)]",
+ "message": "CIDR range not within virtual network CIDR range (second octet)."
+ },
+ {
+ "isValid": "[if(greaterOrEquals(last(split(steps('connectivity').esNetworkSecondarySubSection.esAddressHubHSSecondary, '/')), 24), equals(last(take(split(first(split(steps('connectivity').esNetworkSecondarySubSection.esAddressHubHSSecondary, '/')), '.'), 3)), last(take(split(first(split(steps('connectivity').esNetworkSecondarySubSection.subnetMaskForGwSecondary, '/')), '.'), 3))), true)]",
+ "message": "CIDR range not within virtual network CIDR range (third octet)."
+ },
+ {
+ "isValid": "[lessOrEquals(last(split(steps('connectivity').esNetworkSecondarySubSection.esAddressHubHSSecondary, '/')), last(split(steps('connectivity').esNetworkSecondarySubSection.subnetMaskForGwSecondary, '/')))]",
+ "message": "CIDR range not within virtual network CIDR range (subnet mask)."
+ }
+ ]
+ }
+ },
+ {
+ "name": "enableErGwSecondary",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Deploy ExpressRoute Gateway in your second region",
+ "defaultValue": "No",
+ "visible": "[and(not(equals(steps('connectivity').enableHub, 'No')), not(equals(steps('connectivity').enableHub, 'No')))]",
+ "toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, ARM will deploy Express Route gateway",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ }
+ },
+ {
+ "name": "erRegionalOrAzSecondary",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Deploy zone redundant or regional ExpressRoute Gateway in your second region",
+ "defaultValue": "Zone redundant (recommended)",
+ "visible": "[and(and(equals(steps('connectivity').esNetworkSecondarySubSection.enableErGwSecondary, 'Yes'), not(equals(steps('connectivity').enableHub, 'vwan'))),equals(steps('connectivity').esNetworkSecondarySubSection.enableErGwSecondary,'Yes'),contains(split('brazilsouth,canadacentral,centralus,eastus,eastus2,southcentralus,westus2,westus3,francecentral,germanywestcentral,northeurope,norwayeast,uksouth,westeurope,swedencentral,switzerlandnorth,qatarcentral,uaenorth,southafricanorth,australiaeast,centralindia,japaneast,koreacentral,southeastasia,eastasia,italynorth', ','), steps('connectivity').esNetworkSecondarySubSection.connectivityLocationSecondary))]",
+ "toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, ARM will deploy Express Route Gateway to the selected region and availability zones.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Zone redundant (recommended)",
+ "value": "Zone"
+ },
+ {
+ "label": "Regional",
+ "value": "Regional"
+ }
+ ]
+ }
+ },
+ {
+ "name": "erAzSkuSecondary",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Select the ExpressRoute Gateway SKU for your second region",
+ "defaultValue": "",
+ "multiselect": false,
+ "selectAll": false,
+ "filter": false,
+ "multiLine": true,
+ "visible": "[and(and(equals(steps('connectivity').esNetworkSecondarySubSection.enableErGwSecondary, 'Yes'), not(equals(steps('connectivity').enableHub, 'vwan'))),equals(steps('connectivity').esNetworkSecondarySubSection.enableErGwSecondary,'Yes'), equals(steps('connectivity').esNetworkSecondarySubSection.erRegionalOrAzSecondary, 'Zone'), contains(split('brazilsouth,canadacentral,centralus,eastus,eastus2,southcentralus,westus2,westus3,francecentral,germanywestcentral,northeurope,norwayeast,uksouth,westeurope,swedencentral,switzerlandnorth,qatarcentral,uaenorth,southafricanorth,australiaeast,centralindia,japaneast,koreacentral,southeastasia,eastasia,italynorth', ','), steps('connectivity').esNetworkSecondarySubSection.connectivityLocationSecondary))]",
+ "toolTip": "Select the required SKU for the Express Route gateway.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "ErGw1AZ",
+ "description": "Megabits per second 1000, packets per second 100,000, connections per second 7000, max number of cicuit connections is 4",
+ "value": "ErGw1AZ"
+ },
+ {
+ "label": "ErGw2AZ",
+ "description": "Megabits per second 2000, packets per second 250,000, connections per second 14000, max number of cicuit connections is 8",
+ "value": "ErGw2AZ"
+ },
+ {
+ "label": "ErGw3AZ",
+ "description": "Megabits per second 10,000, packets per second 1,000,000, connections per second 28,000, max number of cicuit connections is 16",
+ "value": "ErGw3AZ"
+ }
+ ]
+ }
+ },
+ {
+ "name": "erRegionalSkuSecondary",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Select the ExpressRoute Gateway SKU for your second region",
+ "defaultValue": "",
+ "multiselect": false,
+ "selectAll": false,
+ "filter": false,
+ "multiLine": true,
+ "visible": "[and(and(equals(steps('connectivity').esNetworkSecondarySubSection.enableErGwSecondary, 'Yes'), not(equals(steps('connectivity').enableHub, 'vwan'))), equals(steps('connectivity').esNetworkSecondarySubSection.enableErGwSecondary,'Yes'), equals(steps('connectivity').esNetworkSecondarySubSection.erRegionalOrAzSecondary, 'Regional'), contains(split('brazilsouth,canadacentral,centralus,eastus,eastus2,southcentralus,westus2,westus3,francecentral,germanywestcentral,northeurope,norwayeast,uksouth,westeurope,swedencentral,switzerlandnorth,qatarcentral,uaenorth,southafricanorth,australiaeast,centralindia,japaneast,koreacentral,southeastasia,eastasia,italynorth', ','), steps('connectivity').esNetworkSecondarySubSection.connectivityLocationSecondary))]",
+ "toolTip": "Select the required SKU for the Express Route gateway.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Standard",
+ "description": "Megabits per second 1000, packets per second 100,000, connections per second 7000, max number of cicuit connections is 4",
+ "value": "Standard"
+ },
+ {
+ "label": "HighPerformance",
+ "description": "Megabits per second 2000, packets per second 250,000, connections per second 14000, max number of cicuit connections is 8",
+ "value": "HighPerformance"
+ },
+ {
+ "label": "UltraPerformance",
+ "description": "Megabits per second 10,000, packets per second 1,000,000, connections per second 28,000, max number of cicuit connections is 16",
+ "value": "UltraPerformance"
+ }
+ ]
+ }
+ },
+ {
+ "name": "esErNoAzSkuSecondary",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Select the ExpressRoute Gateway SKU for your second region",
+ "defaultValue": "",
+ "multiselect": false,
+ "selectAll": false,
+ "filter": false,
+ "multiLine": true,
+ "visible": "[and(and(equals(steps('connectivity').esNetworkSecondarySubSection.enableErGwSecondary, 'Yes'), not(equals(steps('connectivity').enableHub, 'vwan'))),equals(steps('connectivity').esNetworkSecondarySubSection.enableErGwSecondary,'Yes'), not(contains(split('canadacentral,centralus,eastus,eastus2,southcentralus,westus2,francecentral,germanywestcentral,northeurope,westeurope,uksouth,southafricanorth,japaneast,southeastasia,australiaeast,italynorth', ','), steps('connectivity').esNetworkSecondarySubSection.connectivityLocationSecondary)))]",
+ "toolTip": "Select the required SKU for the Express Route gateway.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Standard",
+ "description": "Megabits per second 1000, packets per second 100,000, connections per second 7000, max number of cicuit connections is 4",
+ "value": "Standard"
+ },
+ {
+ "label": "HighPerformance",
+ "description": "Megabits per second 2000, packets per second 250,000, connections per second 14000, max number of cicuit connections is 8",
+ "value": "HighPerformance"
+ },
+ {
+ "label": "UltraPerformance",
+ "description": "Megabits per second 10,000, packets per second 1,000,000, connections per second 28,000, max number of cicuit connections is 16",
+ "value": "UltraPerformance"
+ }
+ ]
+ }
+ },
+ {
+ "name": "expressRouteScaleUnitSecondary",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Select the ExpressRoute Gateway scale unit for your second region",
+ "defaultValue": "",
+ "multiselect": false,
+ "selectAll": false,
+ "filter": false,
+ "multiLine": true,
+ "visible": "[and(equals(steps('connectivity').esNetworkSecondarySubSection.enableErGwSecondary, 'Yes'), equals(steps('connectivity').enableHub, 'vwan'))]",
+ "toolTip": "Select the ExpressRoute Gateway scale unit",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "1 scale unit",
+ "description": "Supports 2 Gbps",
+ "value": "1"
+ },
+ {
+ "label": "2 scale units",
+ "description": "Supports 4 Gbps",
+ "value": "2"
+ },
+ {
+ "label": "3 scale units",
+ "description": "Supports 6 Gbps",
+ "value": "3"
+ },
+ {
+ "label": "4 scale units",
+ "description": "Supports 8 Gbps",
+ "value": "4"
+ },
+ {
+ "label": "5 scale units",
+ "description": "Supports 10 Gbps",
+ "value": "5"
+ },
+ {
+ "label": "6 scale units",
+ "description": "Supports 12 Gbps",
+ "value": "6"
+ },
+ {
+ "label": "7 scale units",
+ "description": "Supports 14 Gbps",
+ "value": "7"
+ },
+ {
+ "label": "8 scale units",
+ "description": "Supports 16 Gbps",
+ "value": "8"
+ },
+ {
+ "label": "9 scale units",
+ "description": "Supports 18 Gbps",
+ "value": "9"
+ },
+ {
+ "label": "10 scale units",
+ "description": "Supports 20 Gbps",
+ "value": "10"
+ }
+ ]
+ }
+ },
+ {
+ "name": "enableAzFwSecondary",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Deploy Azure Firewall in your second region",
+ "defaultValue": "Yes (recommended)",
+ "visible": "[or(equals(steps('connectivity').enableHub, 'vhub'), equals(steps('connectivity').enableHub, 'vwan'))]",
+ "toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, ARM will deploy Azure Firewall",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ }
+ },
+ {
+ "name": "firewallSkuSecondary",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Select Azure Firewall tier for your second region",
+ "defaultValue": "Premium",
+ "multiselect": false,
+ "selectAll": false,
+ "filter": false,
+ "multiLine": true,
+ "visible": "[equals(steps('connectivity').esNetworkSecondarySubSection.enableAzFwSecondary, 'Yes')]",
+ "toolTip": "Select Azure Firewall tier",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Basic",
+ "description": "Basic Azure Firewall",
+ "value": "Basic"
+ },
+ {
+ "label": "Standard",
+ "description": "Standard Azure Firewall",
+ "value": "Standard"
+ },
+ {
+ "label": "Premium",
+ "description": "Premium Azure Firewall adds support for TLS inspection, IDPS, URL filtering and web categories.",
+ "value": "Premium"
+ }
+ ]
+ }
+ },
+ {
+ "name": "esFWAZNoteSecondary",
+ "type": "Microsoft.Common.InfoBox",
+ "visible": "[if(or(equals(steps('connectivity').enableHub, 'vhub'), equals(steps('connectivity').enableHub, 'vwan')), and(equals(steps('connectivity').esNetworkSecondarySubSection.enableAzFwSecondary,'Yes'), contains(split('brazilsouth,canadacentral,centralus,eastus,eastus2,southcentralus,westus2,westus3,francecentral,germanywestcentral,northeurope,norwayeast,uksouth,westeurope,swedencentral,switzerlandnorth,qatarcentral,uaenorth,southafricanorth,australiaeast,centralindia,japaneast,koreacentral,southeastasia,eastasia,italynorth', ','), steps('connectivity').esNetworkSecondarySubSection.connectivityLocationSecondary)), false)]",
+ "options": {
+ "text": "ALZ enables Availability Zones for all services that it deploys by default for maximum resiliency in regions where Availability Zones are supported, including for Azure Firewall. Review the selected Availability Zones meet your architectural requirements and that you understand the added costs for inbound and outbound data transfers associated with Avaialability Zones, before proceeding. Click on this box to learn more about the Availability Zones and Azure Firewall.",
+ "uri": "https://learn.microsoft.com/en-us/azure/firewall/features#built-in-high-availability",
+ "style": "Info"
+ }
+ },
+ {
+ "name": "firewallZonesSecondary",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Select Availability Zones for the Azure Firewall in your second region",
+ "defaultValue": [{"value": "1"}, {"value": "2"}, {"value": "3"}],
+ "multiselect": true,
+ "selectAll": true,
+ "filter": true,
+ "visible": "[if(or(equals(steps('connectivity').enableHub, 'vhub'), equals(steps('connectivity').enableHub, 'vwan')), and(equals(steps('connectivity').esNetworkSecondarySubSection.enableAzFwSecondary,'Yes'), contains(split('brazilsouth,canadacentral,centralus,eastus,eastus2,southcentralus,westus2,westus3,francecentral,germanywestcentral,northeurope,norwayeast,uksouth,westeurope,swedencentral,switzerlandnorth,qatarcentral,uaenorth,southafricanorth,australiaeast,centralindia,japaneast,koreacentral,southeastasia,eastasia,italynorth', ','), steps('connectivity').esNetworkSecondarySubSection.connectivityLocationSecondary)), false)]",
+ "toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, ARM will deploy Azure Firewall to the selected region and availability zones.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Zone 1",
+ "value": "1"
+ },
+ {
+ "label": "Zone 2",
+ "value": "2"
+ },
+ {
+ "label": "Zone 3",
+ "value": "3"
+ }
+ ]
+ }
+ },
+ {
+ "name": "subnetMaskForAzFwSecondary",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Subnet for Azure Firewall in your second region",
+ "toolTip": "Provide address prefix in CIDR notation (e.g 10.200.0.0/24)",
+ "defaultValue": "10.200.0.0/24",
+ "visible": "[and(equals(steps('connectivity').esNetworkSecondarySubSection.enableAzFwSecondary, 'Yes'), not(equals(steps('connectivity').enableHub, 'vwan')))]",
+ "constraints": {
+ "required": true,
+ "validations": [
+ {
+ "regex": "^(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(?:\/(2[0-6]))$",
+ "message": "Invalid CIDR range. The address prefix must be in the range [20,26]."
+ },
+ {
+ "isValid": "[if(greaterOrEquals(last(split(steps('connectivity').esNetworkSecondarySubSection.esAddressHubHSSecondary, '/')), 8), equals(last(take(split(first(split(steps('connectivity').esNetworkSecondarySubSection.esAddressHubHSSecondary, '/')), '.'), 1)), last(take(split(first(split(steps('connectivity').esNetworkSecondarySubSection.subnetMaskForAzFwSecondary, '/')), '.'), 1))), true)]",
+ "message": "CIDR range not within virtual network CIDR range (first octet)."
+ },
+ {
+ "isValid": "[if(greaterOrEquals(last(split(steps('connectivity').esNetworkSecondarySubSection.esAddressHubHSSecondary, '/')), 16), equals(last(take(split(first(split(steps('connectivity').esNetworkSecondarySubSection.esAddressHubHSSecondary, '/')), '.'), 2)), last(take(split(first(split(steps('connectivity').esNetworkSecondarySubSection.subnetMaskForAzFwSecondary, '/')), '.'), 2))), true)]",
+ "message": "CIDR range not within virtual network CIDR range (second octet)."
+ },
+ {
+ "isValid": "[if(greaterOrEquals(last(split(steps('connectivity').esNetworkSecondarySubSection.esAddressHubHSSecondary, '/')), 24), equals(last(take(split(first(split(steps('connectivity').esNetworkSecondarySubSection.esAddressHubHSSecondary, '/')), '.'), 3)), last(take(split(first(split(steps('connectivity').esNetworkSecondarySubSection.subnetMaskForAzFwSecondary, '/')), '.'), 3))), true)]",
+ "message": "CIDR range not within virtual network CIDR range (third octet)."
+ },
+ {
+ "isValid": "[lessOrEquals(last(split(steps('connectivity').esNetworkSecondarySubSection.esAddressHubHSSecondary, '/')), last(split(steps('connectivity').esNetworkSecondarySubSection.subnetMaskForAzFwSecondary, '/')))]",
+ "message": "CIDR range not within virtual network CIDR range (subnet mask)."
+ }
+ ]
+ }
+ },
+ {
+ "name": "subnetMaskForAzFwMgmtSecondary",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Subnet for Azure Firewall Mgmt (Optional Only for Basic SKU) in your second region",
+ "toolTip": "Provide address prefix in CIDR notation (e.g 10.200.0.0/26)",
+ "defaultValue": "10.200.2.0/24",
+ "visible": "[and(equals(steps('connectivity').esNetworkSecondarySubSection.enableAzFwSecondary, 'Yes'), equals(steps('connectivity').esNetworkSecondarySubSection.firewallSkuSecondary, 'Basic'), not(equals(steps('connectivity').enableHub, 'vwan')))]",
+ "constraints": {
+ "required": true,
+ "validations": [
+ {
+ "regex": "^(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(?:\/(2[0-6]))$",
+ "message": "Invalid CIDR range. The address prefix must be in the range [20,26]."
+ },
+ {
+ "isValid": "[if(greaterOrEquals(last(split(steps('connectivity').esNetworkSecondarySubSection.esAddressHubHSSecondary, '/')), 8), equals(last(take(split(first(split(steps('connectivity').esNetworkSecondarySubSection.esAddressHubHSSecondary, '/')), '.'), 1)), last(take(split(first(split(steps('connectivity').esNetworkSecondarySubSection.subnetMaskForAzFwSecondary, '/')), '.'), 1))), true)]",
+ "message": "CIDR range not within virtual network CIDR range (first octet)."
+ },
+ {
+ "isValid": "[if(greaterOrEquals(last(split(steps('connectivity').esNetworkSecondarySubSection.esAddressHubHSSecondary, '/')), 16), equals(last(take(split(first(split(steps('connectivity').esNetworkSecondarySubSection.esAddressHubHSSecondary, '/')), '.'), 2)), last(take(split(first(split(steps('connectivity').esNetworkSecondarySubSection.subnetMaskForAzFwSecondary, '/')), '.'), 2))), true)]",
+ "message": "CIDR range not within virtual network CIDR range (second octet)."
+ },
+ {
+ "isValid": "[if(greaterOrEquals(last(split(steps('connectivity').esNetworkSecondarySubSection.esAddressHubHSSecondary, '/')), 24), equals(last(take(split(first(split(steps('connectivity').esNetworkSecondarySubSection.esAddressHubHSSecondary, '/')), '.'), 3)), last(take(split(first(split(steps('connectivity').esNetworkSecondarySubSection.subnetMaskForAzFwSecondary, '/')), '.'), 3))), true)]",
+ "message": "CIDR range not within virtual network CIDR range (third octet)."
+ },
+ {
+ "isValid": "[lessOrEquals(last(split(steps('connectivity').esNetworkSecondarySubSection.esAddressHubHSSecondary, '/')), last(split(steps('connectivity').esNetworkSecondarySubSection.subnetMaskForAzFwSecondary, '/')))]",
+ "message": "CIDR range not within virtual network CIDR range (subnet mask)."
+ }
+ ]
+ }
+ },
+ {
+ "name": "enableAzFwDnsProxySecondary",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Enable Azure Firewall as a DNS proxy in your second region",
+ "defaultValue": "No",
+ "visible": "[and(equals(steps('connectivity').esNetworkSecondarySubSection.enableAzFwSecondary, 'Yes'), not(equals(steps('connectivity').esNetworkSecondarySubSection.firewallSkuSecondary, 'Basic')))]",
+ "toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, ARM will enable Azure Firewall as a DNS Proxy.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ }
+ },
+ {
+ "name": "enablevWANRoutingIntentSecondary",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Enable vWAN Routing Intent in your second",
+ "defaultValue": "No",
+ "visible": "[and(not(equals(steps('connectivity').enableHub, 'No')), not(equals(steps('connectivity').enableHub, 'nva')), not(equals(steps('connectivity').enableHub, 'vhub')), equals(steps('connectivity').esNetworkSecondarySubSection.enableAzFwSecondary, 'Yes'))]",
+ "toolTip": "Enable vWan Routing Intent and set Azure Firewall as the next hop either for Internet Traffic, Private Traffic or both",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ }
+ },
+ {
+ "name": "vWANRoutingIntentforInternetTrafficSecondary",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Select Yes if you want to enable routing intent policy to apply on Internet Traffic for your second region",
+ "defaultValue": "No",
+ "visible": "[and(not(equals(steps('connectivity').enableHub, 'No')), not(equals(steps('connectivity').enableHub, 'nva')), not(equals(steps('connectivity').enableHub, 'vhub')), equals(steps('connectivity').enableAzFw, 'Yes'),equals(steps('connectivity').esNetworkSecondarySubSection.enablevWANRoutingIntentSecondary, 'Yes'))]",
+ "toolTip": "Enable vWAN Routing Intent for Internet Traffic",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ }
+ },
+ {
+ "name": "vWANRoutingIntentforPrivateTrafficSecondary",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Select Yes if you want to enable routing intent policy to apply on Private Traffic",
+ "defaultValue": "No",
+ "visible": "[and(not(equals(steps('connectivity').enableHub, 'No')), not(equals(steps('connectivity').enableHub, 'nva')), not(equals(steps('connectivity').enableHub, 'vhub')), equals(steps('connectivity').esNetworkSecondarySubSection.enableAzFwSecondary, 'Yes'),equals(steps('connectivity').esNetworkSecondarySubSection.enablevWANRoutingIntentSecondary, 'Yes'))]",
+ "toolTip": "Enable vWAN Routing Intent for Private Traffic for your second region",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ }
+ },
+ {
+ "name": "vWANHubRoutingPreferenceSecondary",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Hub Routing Preference for secondary region",
+ "defaultValue": "ExpressRoute (default)",
+ "multiselect": false,
+ "selectAll": false,
+ "filter": false,
+ "multiLine": true,
+ "visible": "[and(not(equals(steps('connectivity').enableHub, 'No')), not(equals(steps('connectivity').enableHub, 'nva')), not(equals(steps('connectivity').enableHub, 'vhub')), not(equals(steps('connectivity').enableHub, 'No')), not(equals(steps('connectivity').enableHub, 'nva')), not(equals(steps('connectivity').enableHub, 'vhub')))]",
+ "toolTip": "Preference used in selecting best path when the virtual hub learns multiple paths to the same destination route-prefix.Virtual hub routing preference.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "ExpressRoute (default)",
+ "description": "ExpressRoute is the preferred path. (default)",
+ "value": "ExpressRoute"
+ },
+ {
+ "label": "VPN",
+ "description": "VPN is the preferred path",
+ "value": "VpnGateway"
+ },
+ {
+ "label": "AS Path",
+ "description": "AS Path is the preferred path",
+ "value": "ASPath"
+ }
+ ]
+ }
+ },
+ {
+ "name": "vWANHubCapacitySecondary",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Virtual Hub Capacity in second region",
+ "defaultValue": "",
+ "multiselect": false,
+ "selectAll": false,
+ "filter": false,
+ "multiLine": true,
+ "visible": "[and(not(equals(steps('connectivity').enableHub, 'No')), not(equals(steps('connectivity').enableHub, 'nva')), not(equals(steps('connectivity').enableHub, 'vhub')), not(equals(steps('connectivity').enableHub, 'No')), not(equals(steps('connectivity').enableHub, 'nva')), not(equals(steps('connectivity').enableHub, 'vhub')))]",
+ "toolTip": "Routing infrastructure units determine the minimum throughput of the Virtual WAN hub router and the number of Virtual Machines that can be deployed in Virtual Networks connected to the Virtual WAN hub. Two routing infrastructure units are included at no extra cost with a deployment of a hub.Virtual Hub Capacity.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "2",
+ "description": "2 Routing Infrastructure Units, 3 Gbps Aggregate Throughput, Supports 2000 VMs",
+ "value": "2"
+ },
+ {
+ "label": "3",
+ "description": "3 Routing Infrastructure Units, 3 Gbps Aggregate Throughput, Supports 3000 VMs",
+ "value": "3"
+ },
+ {
+ "label": "4",
+ "description": "4 Routing Infrastructure Units, 4 Gbps Aggregate Throughput, Supports 4000 VMs",
+ "value": "4"
+ },
+ {
+ "label": "5",
+ "description": "5 Routing Infrastructure Units, 5 Gbps Aggregate Throughput, Supports 5000 VMs",
+ "value": "5"
+ },
+ {
+ "label": "6",
+ "description": "6 Routing Infrastructure Units, 6 Gbps Aggregate Throughput, Supports 6000 VMs",
+ "value": "6"
+ },
+ {
+ "label": "7",
+ "description": "7 Routing Infrastructure Units, 7 Gbps Aggregate Throughput, Supports 7000 VMs",
+ "value": "7"
+ },
+ {
+ "label": "8",
+ "description": "8 Routing Infrastructure Units, 8 Gbps Aggregate Throughput, Supports 8000 VMs",
+ "value": "8"
+ },
+ {
+ "label": "9",
+ "description": "9 Routing Infrastructure Units, 9 Gbps Aggregate Throughput, Supports 9000 VMs",
+ "value": "9"
+ },
+ {
+ "label": "10",
+ "description": "10 Routing Infrastructure Units, 10 Gbps Aggregate Throughput, Supports 10000 VMs",
+ "value": "10"
+ },
+ {
+ "label": "11",
+ "description": "11 Routing Infrastructure Units, 11 Gbps Aggregate Throughput, Supports 11000 VMs",
+ "value": "11"
+ },
+ {
+ "label": "12",
+ "description": "12 Routing Infrastructure Units, 12 Gbps Aggregate Throughput, Supports 12000 VMs",
+ "value": "12"
+ },
+ {
+ "label": "13",
+ "description": "13 Routing Infrastructure Units, 13 Gbps Aggregate Throughput, Supports 13000 VMs",
+ "value": "13"
+ },
+ {
+ "label": "14",
+ "description": "14 Routing Infrastructure Units, 14 Gbps Aggregate Throughput, Supports 14000 VMs",
+ "value": "14"
+ },
+ {
+ "label": "15",
+ "description": "15 Routing Infrastructure Units, 15 Gbps Aggregate Throughput, Supports 15000 VMs",
+ "value": "15"
+ },
+ {
+ "label": "16",
+ "description": "16 Routing Infrastructure Units, 16 Gbps Aggregate Throughput, Supports 16000 VMs",
+ "value": "16"
+ },
+ {
+ "label": "17",
+ "description": "17 Routing Infrastructure Units, 17 Gbps Aggregate Throughput, Supports 17000 VMs",
+ "value": "17"
+ },
+ {
+ "label": "18",
+ "description": "18 Routing Infrastructure Units, 18 Gbps Aggregate Throughput, Supports 18000 VMs",
+ "value": "18"
+ },
+ {
+ "label": "19",
+ "description": "19 Routing Infrastructure Units, 19 Gbps Aggregate Throughput, Supports 19000 VMs",
+ "value": "19"
+ },
+ {
+ "label": "20",
+ "description": "20 Routing Infrastructure Units, 20 Gbps Aggregate Throughput, Supports 20000 VMs",
+ "value": "20"
+ },
+ {
+ "label": "21",
+ "description": "21 Routing Infrastructure Units, 21 Gbps Aggregate Throughput, Supports 21000 VMs",
+ "value": "21"
+ },
+ {
+ "label": "22",
+ "description": "22 Routing Infrastructure Units, 22 Gbps Aggregate Throughput, Supports 22000 VMs",
+ "value": "22"
+ },
+ {
+ "label": "23",
+ "description": "23 Routing Infrastructure Units, 23 Gbps Aggregate Throughput, Supports 23000 VMs",
+ "value": "23"
+ },
+ {
+ "label": "24",
+ "description": "24 Routing Infrastructure Units, 24 Gbps Aggregate Throughput, Supports 24000 VMs",
+ "value": "24"
+ },
+ {
+ "label": "25",
+ "description": "25 Routing Infrastructure Units, 25 Gbps Aggregate Throughput, Supports 25000 VMs",
+ "value": "25"
+ },
+ {
+ "label": "26",
+ "description": "26 Routing Infrastructure Units, 26 Gbps Aggregate Throughput, Supports 26000 VMs",
+ "value": "26"
+ },
+ {
+ "label": "27",
+ "description": "27 Routing Infrastructure Units, 27 Gbps Aggregate Throughput, Supports 27000 VMs",
+ "value": "27"
+ },
+ {
+ "label": "28",
+ "description": "28 Routing Infrastructure Units, 28 Gbps Aggregate Throughput, Supports 28000 VMs",
+ "value": "28"
+ },
+ {
+ "label": "29",
+ "description": "29 Routing Infrastructure Units, 29 Gbps Aggregate Throughput, Supports 29000 VMs",
+ "value": "29"
+ },
+ {
+ "label": "30",
+ "description": "30 Routing Infrastructure Units, 30 Gbps Aggregate Throughput, Supports 30000 VMs",
+ "value": "30"
+ },
+ {
+ "label": "31",
+ "description": "31 Routing Infrastructure Units, 31 Gbps Aggregate Throughput, Supports 31000 VMs",
+ "value": "31"
+ },
+ {
+ "label": "32",
+ "description": "32 Routing Infrastructure Units, 32 Gbps Aggregate Throughput, Supports 32000 VMs",
+ "value": "32"
+ },
+ {
+ "label": "33",
+ "description": "33 Routing Infrastructure Units, 33 Gbps Aggregate Throughput, Supports 33000 VMs",
+ "value": "33"
+ },
+ {
+ "label": "34",
+ "description": "34 Routing Infrastructure Units, 34 Gbps Aggregate Throughput, Supports 34000 VMs",
+ "value": "34"
+ },
+ {
+ "label": "35",
+ "description": "35 Routing Infrastructure Units, 35 Gbps Aggregate Throughput, Supports 35000 VMs",
+ "value": "35"
+ },
+ {
+ "label": "36",
+ "description": "36 Routing Infrastructure Units, 36 Gbps Aggregate Throughput, Supports 36000 VMs",
+ "value": "36"
+ },
+ {
+ "label": "37",
+ "description": "37 Routing Infrastructure Units, 37 Gbps Aggregate Throughput, Supports 37000 VMs",
+ "value": "37"
+ },
+ {
+ "label": "38",
+ "description": "38 Routing Infrastructure Units, 38 Gbps Aggregate Throughput, Supports 38000 VMs",
+ "value": "38"
+ },
+ {
+ "label": "39",
+ "description": "39 Routing Infrastructure Units, 39 Gbps Aggregate Throughput, Supports 39000 VMs",
+ "value": "39"
+ },
+ {
+ "label": "40",
+ "description": "40 Routing Infrastructure Units, 40 Gbps Aggregate Throughput, Supports 40000 VMs",
+ "value": "40"
+ },
+ {
+ "label": "41",
+ "description": "41 Routing Infrastructure Units, 41 Gbps Aggregate Throughput, Supports 41000 VMs",
+ "value": "41"
+ },
+ {
+ "label": "42",
+ "description": "42 Routing Infrastructure Units, 42 Gbps Aggregate Throughput, Supports 42000 VMs",
+ "value": "42"
+ },
+ {
+ "label": "43",
+ "description": "43 Routing Infrastructure Units, 43 Gbps Aggregate Throughput, Supports 43000 VMs",
+ "value": "43"
+ },
+ {
+ "label": "44",
+ "description": "44 Routing Infrastructure Units, 44 Gbps Aggregate Throughput, Supports 44000 VMs",
+ "value": "44"
+ },
+ {
+ "label": "45",
+ "description": "45 Routing Infrastructure Units, 45 Gbps Aggregate Throughput, Supports 45000 VMs",
+ "value": "45"
+ },
+ {
+ "label": "46",
+ "description": "46 Routing Infrastructure Units, 46 Gbps Aggregate Throughput, Supports 46000 VMs",
+ "value": "46"
+ },
+ {
+ "label": "47",
+ "description": "47 Routing Infrastructure Units, 47 Gbps Aggregate Throughput, Supports 47000 VMs",
+ "value": "47"
+ },
+ {
+ "label": "48",
+ "description": "48 Routing Infrastructure Units, 48 Gbps Aggregate Throughput, Supports 48000 VMs",
+ "value": "48"
+ },
+ {
+ "label": "49",
+ "description": "49 Routing Infrastructure Units, 49 Gbps Aggregate Throughput, Supports 49000 VMs",
+ "value": "49"
+ },
+ {
+ "label": "50",
+ "description": "50 Routing Infrastructure Units, 50 Gbps Aggregate Throughput, Supports 50000 VMs",
+ "value": "50"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "name": "identity",
+ "label": "Identity",
+ "subLabel": {
+ "preValidation": "",
+ "postValidation": ""
+ },
+ "bladeTitle": "ALZ - Identity Settings",
+ "elements": [
+ {
+ "name": "multiPlatformIdentitySub",
+ "type": "Microsoft.Common.InfoBox",
+ "visible": "[not(equals(steps('core').platformSubscription, 'Single'))]",
+ "options": {
+ "text": "To enable identity (AuthN/AuthZ) for workloads in landing zones, you must allocate an identity Subscription that is dedicated to host your Active Directory domain controllers. Please note, this Subscription will be moved to the identity Management Group, and ARM will assign the selected policies. We recommend using a new Subscription with no existing resources.",
+ "uri": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/identity-and-access-management",
+ "style": "Info"
+ }
+ },
+ {
+ "name": "singlePlatformIdentitySub",
+ "type": "Microsoft.Common.InfoBox",
+ "visible": "[equals(steps('core').platformSubscription, 'Single')]",
+ "options": {
+ "text": "To enable identity (AuthN/AuthZ) for workloads in landing zones, it is recommended to assign specific policies to govern the virtual machines used for Active Directory domain controllers.",
+ "uri": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/identity-and-access-management",
+ "style": "Info"
+ }
+ },
+ {
+ "name": "esIdentity",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Assign recommended policies to govern identity and domain controllers",
+ "defaultValue": "Yes (recommended)",
+ "toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, Azure Policy will be assigned at the scope to govern your identity resources.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ },
+ "visible": true
+ },
+ {
+ "name": "esIdentitySubSection",
+ "type": "Microsoft.Common.Section",
+ "label": "Identity subscription",
+ "elements": [
+ {
+ "name": "esIdentitySubUniqueWarning",
+ "type": "Microsoft.Common.InfoBox",
+ "visible": true,
+ "options": {
+ "text": "Ensure you select a subscription that is dedicated/unique for Identity. Selecting the same Subscription here for Management or Connectivity will result in a deployment failure. If you want to use a single Subscription for all platform resources, select 'Single' on the 'Azure Core Setup' blade.",
+ "uri": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-subscriptions#organization-and-governance-design-considerations",
+ "style": "Warning"
+ }
+ },
+ {
+ "name": "esIdentitySub",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Identity subscription",
+ "defaultValue": "[parse('[]')]",
+ "toolTip": "",
+ "multiselect": false,
+ "selectAll": false,
+ "filter": true,
+ "filterPlaceholder": "Filter subscriptions...",
+ "multiLine": true,
+ "visible": true,
+ "constraints": {
+ "allowedValues": "[steps('basics').getSubscriptions.data]",
+ "required": true
+ }
+ }
+ ],
+ "visible": "[and(equals(steps('identity').esIdentity,'Yes'), not(equals(steps('core').platformSubscription, 'Single')))]"
+ },
+ {
+ "name": "identitypolicies",
+ "type": "Microsoft.Common.TextBlock",
+ "visible": "[equals(steps('identity').esIdentity,'Yes')]",
+ "options": {
+ "text": "Select which of the the recommended policies you will assign to your identity management group.",
+ "link": {
+ "label": "Learn more",
+ "uri": "https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/enterprise-scale/design-principles#policy-driven-governance"
+ }
+ }
+ },
+ {
+ "name": "denyMgmtPortsForIdentity",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Prevent inbound management ports from internet",
+ "defaultValue": "Yes (recommended)",
+ "toolTip": "If 'Yes' is selected, Azure Policy will be assigned and prevent inbound management ports (22, 3389) from internet.
Uses the custom policy Management port access from the Internet should be blocked.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ },
+ "visible": "[equals(steps('identity').esIdentity,'Yes')]"
+ },
+ {
+ "name": "denySubnetWithoutNsgForIdentity",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Ensure subnets are associated with NSG",
+ "defaultValue": "Yes (recommended)",
+ "toolTip": "If 'Yes' is selected, Azure Policy will be assigned to ensure NSGs must be associated with subnets being created.
Uses the custom policy Subnets should have a Network Security Group.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ },
+ "visible": "[equals(steps('identity').esIdentity,'Yes')]"
+ },
+ {
+ "name": "denyPipForIdentity",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Prevent usage of public IP",
+ "defaultValue": "Yes (recommended)",
+ "toolTip": "If 'Yes' is selected, Azure Policy will be assigned to ensure public IP resources cannot be created.
Uses the policy Not allowed resource types with parameters including Public IP Address resources.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ },
+ "visible": "[and(equals(steps('identity').esIdentity,'Yes'), not(equals(steps('core').platformSubscription, 'Single')))]"
+ },
+ {
+ "name": "enableVmBackupForIdentity",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Ensure Azure VMs (Windows & Linux) are enabled for Azure Backup",
+ "defaultValue": "Yes (recommended)",
+ "toolTip": "If 'Yes' is selected, Azure Policy will be assigned and enable Azure Backup on all VMs in the landing zones.
Uses the policy Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ },
+ "visible": "[equals(steps('identity').esIdentity,'Yes')]"
+ },
+ {
+ "name": "esIdentityConnectivity",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Create virtual network and connect to the connectivity hub (optional)?",
+ "defaultValue": "Yes (recommended)",
+ "toolTip": "If 'Yes' is selected for corp landing zones, ARM will connect the subscriptions to the hub virtual network via VNet peering.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ },
+ "visible": "[and(and(equals(steps('identity').esIdentity,'Yes'), not(equals(steps('core').platformSubscription, 'Single'))), equals(steps('identity').esIdentity, 'Yes'), not(equals(steps('connectivity').enableHub,'No')))]"
+ },
+ {
+ "name": "identityAddressPrefix",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Virtual network address space",
+ "placeholder": "",
+ "defaultValue": "10.110.0.0/24",
+ "toolTip": "The virtual network's address space, specified as one address prefixes in CIDR notation (e.g. 192.168.1.0/24)",
+ "constraints": {
"required": true,
"validations": [
{
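Review bot: the `visible` expression on `vWANHubCapacitySecondary` repeats the same three `not(equals(steps('connectivity').enableHub, ...))` tests twice, and what it reduces to is just the vWAN case; replace it with `"visible": "[equals(steps('connectivity').enableHub, 'vwan')]"` so the intent is readable and the copy cannot drift from the primary control. The same redundancy appears in `esIdentityConnectivity`, which tests `equals(steps('identity').esIdentity,'Yes')` twice in one `and()`. Two smaller leftovers in this hunk: the `toolTip` on `vWANHubCapacitySecondary` ends with the stray fragment `hub.Virtual Hub Capacity.`, and the `identitypolicies` text block reads `Select which of the the recommended policies`. Finally, the `toolTip` strings for `denyMgmtPortsForIdentity`, `denySubnetWithoutNsgForIdentity`, `denyPipForIdentity` and `enableVmBackupForIdentity` break across two lines before `Uses the ... policy`; confirm that is an escaped `\n` in the file, since a raw line break inside a JSON string is invalid.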
@@ -2998,7 +4145,53 @@
]
},
"visible": "[and(equals(steps('identity').esIdentityConnectivity, 'Yes'), not(equals(steps('connectivity').enableHub,'No')))]"
- }
+ },
+ {
+ "name": "esIdentitySecondarySubSection",
+ "type": "Microsoft.Common.Section",
+ "label": "Secondary Region Identity",
+ "visible": "[and(not(equals(steps('connectivity').enableHub, 'No')), equals(steps('core').deploySecondaryRegion, 'Yes'))]",
+ "elements":[
+ {
+ "name": "esIdentityConnectivitySecondary",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Create virtual network and connect to the connectivity hub in your secondary region (optional)?",
+ "defaultValue": "Yes (recommended)",
+ "toolTip": "If 'Yes' is selected for corp landing zones, ARM will connect the subscriptions to the hub virtual network via VNet peering.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ },
+ "visible": "[and(equals(steps('identity').esIdentityConnectivity, 'Yes'), not(equals(steps('connectivity').enableHub,'No')))]"
+ },
+ {
+ "name": "identityAddressPrefixSecondary",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Virtual network address space",
+ "placeholder": "",
+ "defaultValue": "10.210.0.0/24",
+ "toolTip": "The secondary virtual network's address space, specified as one address prefixes in CIDR notation (e.g. 192.168.1.0/24)",
+ "constraints": {
+ "required": true,
+ "validations": [
+ {
+ "regex": "^(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(?:\/(1[0-9]|2[0-9]))$",
+ "message": "Invalid CIDR range. The address prefix must be in the range [10,29]."
+ }
+ ]
+ },
+ "visible": "[and(equals(steps('identity').esIdentitySecondarySubSection.esIdentityConnectivitySecondary, 'Yes'), not(equals(steps('connectivity').enableHub,'No')))]"
+ }
+ ]
+ }
]
},
{
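Review bot: the `esIdentitySecondarySubSection` visibility does not mirror the gating of the primary `esIdentityConnectivity` control, which is only shown when `esIdentity` is 'Yes' and `platformSubscription` is not 'Single'; as written the secondary section appears (keyed only on `deploySecondaryRegion` and `enableHub`) even when identity governance was declined, and in the single-subscription case its inner control `esIdentityConnectivitySecondary` keys its own visibility off `esIdentityConnectivity`, a control the user never saw. Suggest `"visible": "[and(equals(steps('identity').esIdentity,'Yes'), not(equals(steps('core').platformSubscription, 'Single')), not(equals(steps('connectivity').enableHub, 'No')), equals(steps('core').deploySecondaryRegion, 'Yes'))]"` on the section. Also the `toolTip` for `esIdentityConnectivitySecondary` still says `for corp landing zones`, copied from the primary control; this section is about the identity subscription.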
@@ -7833,12 +9026,42 @@
"privateTrafficRoutingPolicy": "[if(equals(steps('connectivity').vWANRoutingIntentforPrivateTraffic, 'Yes'), 'true', 'false')]",
"vWANHubRoutingPreference": "[steps('connectivity').vWANHubRoutingPreference]",
"vWANHubCapacity": "[steps('connectivity').vWANHubCapacity]",
+ "addressPrefixSecondary": "[coalesce(steps('connectivity').esNetworkSecondarySubSection.esAddressHubVWANSecondary, steps('connectivity').esNetworkSecondarySubSection.esAddressHubHSSecondary, '')]",
+ "connectivityLocationSecondary": "[steps('connectivity').esNetworkSecondarySubSection.connectivityLocationSecondary]",
+ "enablePrivateDnsZonesSecondary": "No",
+ "privateDnsZonesToDeploySecondary": null,
+ "enableVpnGwSecondary": "[steps('connectivity').esNetworkSecondarySubSection.enableVpnGwSecondary]",
+ "gwRegionalOrAzSecondary": "[steps('connectivity').esNetworkSecondarySubSection.gwRegionalOrAzSecondary]",
+ "enableVpnActiveActiveSecondary": "[steps('connectivity').esNetworkSecondarySubSection.enableVpnActiveActiveSecondary]",
+ "gwRegionalSkuSecondary": "[coalesce(steps('connectivity').esNetworkSecondarySubSection.gwRegionalSkuSecondary, steps('connectivity').esNetworkSecondarySubSection.esGwNoAzSkuSecondary)]",
+ "gwAzSkuSecondary": "[steps('connectivity').esNetworkSecondarySubSection.gwAzSkuSecondary]",
+ "vpnGateWayScaleUnitSecondary": "[steps('connectivity').esNetworkSecondarySubSection.vpnGateWayScaleUnitSecondary]",
+ "subnetMaskForGwSecondary": "[steps('connectivity').esNetworkSecondarySubSection.subnetMaskForGwSecondary]",
+ "enableErGwSecondary": "[steps('connectivity').esNetworkSecondarySubSection.enableErGwSecondary]",
+ "erAzSkuSecondary": "[steps('connectivity').esNetworkSecondarySubSection.erAzSkuSecondary]",
+ "erRegionalSkuSecondary": "[coalesce(steps('connectivity').esNetworkSecondarySubSection.erRegionalSkuSecondary, steps('connectivity').esNetworkSecondarySubSection.esErNoAzSkuSecondary)]",
+ "erRegionalOrAzSecondary": "[steps('connectivity').esNetworkSecondarySubSection.erRegionalOrAzSecondary]",
+ "expressRouteScaleUnitSecondary": "[steps('connectivity').esNetworkSecondarySubSection.expressRouteScaleUnitSecondary]",
+ "enableSecondaryRegion": "[steps('core').deploySecondaryRegion]",
+ "enableHubSecondary": "[steps('connectivity').enableHub]",
+ "enableAzFwSecondary": "[steps('connectivity').esNetworkSecondarySubSection.enableAzFwSecondary]",
+ "enableAzFwDnsProxySecondary": "[if(equals(steps('connectivity').esNetworkSecondarySubSection.firewallSkuSecondary, 'Basic'), 'No', steps('connectivity').esNetworkSecondarySubSection.enableAzFwDnsProxySecondary)]",
+ "firewallSkuSecondary": "[steps('connectivity').esNetworkSecondarySubSection.firewallSkuSecondary]",
+ "firewallZonesSecondary": "[steps('connectivity').esNetworkSecondarySubSection.firewallZonesSecondary]",
+ "subnetMaskForAzFwSecondary": "[steps('connectivity').esNetworkSecondarySubSection.subnetMaskForAzFwSecondary]",
+ "subnetMaskForAzFwMgmtSecondary": "[steps('connectivity').esNetworkSecondarySubSection.subnetMaskForAzFwMgmtSecondary]",
+ "enablevWANRoutingIntentSecondary": "[steps('connectivity').esNetworkSecondarySubSection.enablevWANRoutingIntentSecondary]",
+ "internetTrafficRoutingPolicySecondary": "[if(equals(steps('connectivity').esNetworkSecondarySubSection.vWANRoutingIntentforInternetTrafficSecondary, 'Yes'), 'true', 'false')]",
+ "privateTrafficRoutingPolicySecondary": "[if(equals(steps('connectivity').esNetworkSecondarySubSection.vWANRoutingIntentforPrivateTrafficSecondary, 'Yes'), 'true', 'false')]",
+ "vWANHubRoutingPreferenceSecondary": "[steps('connectivity').esNetworkSecondarySubSection.vWANHubRoutingPreferenceSecondary]",
+ "vWANHubCapacitySecondary": "[steps('connectivity').esNetworkSecondarySubSection.vWANHubCapacitySecondary]",
"identitySubscriptionId": "[if(or(not(equals(steps('identity').esIdentitySubSection.esIdentitySub,steps('management').esMgmtSubSection.esMgmtSub)),not(equals(steps('identity').esIdentitySubSection.esIdentitySub,steps('connectivity').esNwSubSection.esNwSub))),steps('identity').esIdentitySubSection.esIdentitySub,'')]",
"denyMgmtPortsForIdentity": "[steps('identity').denyMgmtPortsForIdentity]",
"denySubnetWithoutNsgForIdentity": "[steps('identity').denySubnetWithoutNsgForIdentity]",
"denyPipForIdentity": "[steps('identity').denyPipForIdentity]",
"enableVmBackupForIdentity": "[steps('identity').enableVmBackupForIdentity]",
"identityAddressPrefix": "[steps('identity').identityAddressPrefix]",
+ "identityAddressPrefixSecondary": "[steps('identity').esIdentitySecondarySubSection.identityAddressPrefixSecondary]",
"corpConnectedLzSubscriptionId": "[if(or(not(contains(steps('landingZones').corpSection.esCorpLzSub,steps('management').esMgmtSubSection.esMgmtSub)),not(contains(steps('landingZones').corpSection.esCorpLzSub,steps('connectivity').esNwSubSection.esNwSub))),steps('landingZones').corpSection.lzConnectedSubs,'')]",
"corpLzSubscriptionId": "[if(or(not(contains(steps('landingZones').corpSection.esCorpLzSub,steps('management').esMgmtSubSection.esMgmtSub)),not(contains(steps('landingZones').corpSection.esCorpLzSub,steps('connectivity').esNwSubSection.esNwSub))),steps('landingZones').corpSection.esCorpLzSub,'')]",
"onlineLzSubscriptionId": "[if(or(not(contains(steps('landingZones').onlineSection.esOnlineLzSub,steps('management').esMgmtSubSection.esMgmtSub)),not(contains(steps('landingZones').onlineSection.esOnlineLzSub,steps('connectivity').esNwSubSection.esNwSub))),steps('landingZones').onlineSection.esOnlineLzSub,'')]",
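Review bot: `enablePrivateDnsZonesSecondary` is hard-coded to `"No"` and `privateDnsZonesToDeploySecondary` to `null`, yet the template side of this diff adds `privateDnsZoneRg2DeploymentName`, `privateDnsZones2DeploymentName` and a `privateDnsRg2` resource group, so that path is unreachable from the portal; either wire these two outputs to controls or note in the UI definition that secondary private DNS is deliberately disabled here. Separately, the template declares `privateDnsZonesToDeploySecondary` as `array` with default `[]`; verify that the deployment accepts an explicit `null` for an array parameter rather than assuming it falls back to the default, or emit `[parse('[]')]` as `esIdentitySub` already does for its default.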
diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json
index 4f8e63a38a..0246739664 100644
--- a/eslzArm/eslzArm.json
+++ b/eslzArm/eslzArm.json
@@ -447,6 +447,177 @@
"description": "vWAN Hub Capacity"
}
},
+ "addressPrefixSecondary": {
+ "type": "string",
+ "defaultValue": ""
+ },
+ "connectivityLocationSecondary": {
+ "type": "string",
+ "defaultValue": "[deployment().location]"
+ },
+ "enablePrivateDnsZonesSecondary": {
+ "type": "string",
+ "defaultValue": "No",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ]
+ },
+ "privateDnsZonesToDeploySecondary": {
+ "type": "array",
+ "defaultValue": []
+ },
+ "enableVpnGwSecondary": {
+ "type": "string",
+ "defaultValue": "No",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ]
+ },
+ "enableVpnActiveActiveSecondary": {
+ "type": "string",
+ "defaultValue": "No",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ]
+ },
+ "gwRegionalOrAzSecondary": {
+ "type": "string",
+ "defaultValue": ""
+ },
+ "gwRegionalSkuSecondary": {
+ "type": "string",
+ "defaultValue": ""
+ },
+ "gwAzSkuSecondary": {
+ "type": "string",
+ "defaultValue": ""
+ },
+ "vpnGateWayScaleUnitSecondary": {
+ "type": "string",
+ "defaultValue": "1"
+ },
+ "subnetMaskForGwSecondary": {
+ "type": "string",
+ "defaultValue": ""
+ },
+ "enableErGwSecondary": {
+ "type": "string",
+ "defaultValue": "No",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ]
+ },
+ "erAzSkuSecondary": {
+ "type": "string",
+ "defaultValue": ""
+ },
+ "erRegionalSkuSecondary": {
+ "type": "string",
+ "defaultValue": ""
+ },
+ "erRegionalOrAzSecondary": {
+ "type": "string",
+ "defaultValue": ""
+ },
+ "expressRouteScaleUnitSecondary": {
+ "type": "string",
+ "defaultValue": "1"
+ },
+ "enableSecondaryRegion": {
+ "type": "string",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ],
+ "defaultValue": "Yes"
+ },
+ "enableHubSecondary": {
+ "type": "string",
+ "allowedValues": [
+ "vhub",
+ "vwan",
+ "nva",
+ "No"
+ ],
+ "defaultValue": "No"
+ },
+ "enableAzFwSecondary": {
+ "type": "string",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ],
+ "defaultValue": "No"
+ },
+ "enableAzFwDnsProxySecondary": {
+ "type": "string",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ],
+ "defaultValue": "No"
+ },
+ "firewallSkuSecondary": {
+ "type": "string",
+ "allowedValues": [
+ "Basic",
+ "Standard",
+ "Premium"
+ ],
+ "defaultValue": "Standard"
+ },
+ "firewallZonesSecondary": {
+ "type": "array",
+ "defaultValue": []
+ },
+ "subnetMaskForAzFwSecondary": {
+ "type": "string",
+ "defaultValue": ""
+ },
+ "subnetMaskForAzFwMgmtSecondary": {
+ "type": "string",
+ "defaultValue": ""
+ },
+ "enablevWANRoutingIntentSecondary": {
+ "type": "string",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ],
+ "defaultValue": "No"
+ },
+ "internetTrafficRoutingPolicySecondary": {
+ "type": "bool",
+ "defaultValue": false,
+ "metadata": {
+ "description": "Enable vWAN Routing Intent and Policy for Internet Traffic"
+ }
+ },
+ "privateTrafficRoutingPolicySecondary": {
+ "type": "bool",
+ "defaultValue": false,
+ "metadata": {
+ "description": "Enable vWAN Routing Intent and Policy for Private Traffic"
+ }
+ },
+ "vWANHubRoutingPreferenceSecondary": {
+ "type": "string",
+ "defaultValue": "ExpressRoute",
+ "metadata": {
+ "description": "vWAN Hub Routing Preference"
+ }
+ },
+ "vWANHubCapacitySecondary": {
+ "type": "string",
+ "defaultValue": "2",
+ "metadata": {
+ "description": "vWAN Hub Capacity"
+ }
+ },
"identitySubscriptionId": {
"type": "string",
"defaultValue": "",
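Review bot: `enableSecondaryRegion` defaults to `"Yes"` while every other new `*Secondary` toggle (`enableHubSecondary`, `enableAzFwSecondary`, `enableVpnGwSecondary`, `enableErGwSecondary`, ...) defaults to `"No"`; for anyone deploying `eslzArm.json` with an existing parameter file this switches on secondary-region logic they did not ask for, so default it to `"No"`. Related, `connectivityLocationSecondary` falls back to `[deployment().location]`, and the resource group names later in this file derive `connectivityRgSecondary` and `identityVnetRgSecondary` from it with the same pattern as the primary groups, so the names collide whenever the secondary location ends up equal to `connectivityLocation`; either drop the default so the parameter must be supplied, or give the secondary names a distinct suffix. Most of the new parameters also lack a `metadata.description`, unlike `vWANHubCapacitySecondary` and the two routing-policy booleans; add short descriptions so the template's public surface stays documented.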
@@ -495,6 +666,10 @@
"type": "string",
"defaultValue": ""
},
+ "identityAddressPrefixSecondary": {
+ "type": "string",
+ "defaultValue": ""
+ },
"corpConnectedLzSubscriptionId": {
"type": "array",
"defaultValue": [],
@@ -1462,6 +1637,8 @@
"ddosPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/MODIFY-DDoSPolicyAssignment.json')]",
"corpVnetPeering": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/vnetPeering.json')]",
"corpVwanPeering": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/vnetPeeringVwan.json')]",
+ "hubVnetPeering": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/vnetPeeringHub.json')]",
+ "hubVnetRouting": "[uri(deployment().properties.templateLink.uri, 'resourceGroupTemplates/vnetRouteTable.json')]",
"privateDnsZones": "[uri(deployment().properties.templateLink.uri, 'resourceGroupTemplates/privateDnsZones.json')]",
"roleAssignments": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/roleAssignments/roleAssignment.json')]",
"classicResourcesPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DENY-ClassicResourceTypesPolicyAssignment.json')]",
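Review bot: `hubVnetPeering` and `hubVnetRouting` point at `subscriptionTemplates/vnetPeeringHub.json` and `resourceGroupTemplates/vnetRouteTable.json`, neither of which appears in this excerpt of the diff; confirm both files are added in this PR, since a missing linked template only surfaces as a failure at deployment time.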
@@ -1517,6 +1694,8 @@
"mgmtGroupDeploymentName": "[take(concat('alz-Mgs', variables('deploymentSuffix')), 64)]",
"mgmtSubscriptionPlacement": "[take(concat('alz-MgmtSub', variables('deploymentSuffix')), 64)]",
"corpPeeringDeploymentName": "[take(concat('alz-CorpPeering', variables('deploymentSuffix')), 60)]",
+ "hubPeeringDeploymentName": "[take(concat('alz-HubPeering', variables('deploymentSuffix')), 60)]",
+ "hubPeering2DeploymentName": "[take(concat('alz-HubPeering2', variables('deploymentSuffix')), 60)]",
"connectivitySubscriptionPlacement": "[take(concat('alz-ConnectivitySub', variables('deploymentSuffix')), 64)]",
"identitySubscriptionPlacement": "[take(concat('alz-IdentitySub', variables('deploymentSuffix')), 64)]",
"roleDefsDeploymentName": "[take(concat('alz-RoleDefs', variables('deploymentSuffix')), 64)]",
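Review bot: `hubPeeringDeploymentName` and `hubPeering2DeploymentName` are declared here and declared again, with identical values, in the later hunk that adds the `*Lite*` deployment names (next to `vnetConnectivityRouteTableDeploymentName`); if both hunks sit in the same `variables` object that is a duplicate key, and one copy should be removed.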
@@ -1546,7 +1725,11 @@
"ascGovPolicyDeploymentName": "[take(concat('alz-Gov-ASC', variables('deploymentSuffix')), 64)]",
"vnetConnectivityHubDeploymentName": "[take(concat('alz-HubSpoke', variables('deploymentSuffix')), 64)]",
"vwanConnectivityHubDeploymentName": "[take(concat('alz-VWanHub', variables('deploymentSuffix')), 64)]",
+ "vnetConnectivityHub2DeploymentName": "[take(concat('alz-HubSpoke2', variables('deploymentSuffix')), 64)]",
+ "vnetConnectivityRouteTableDeploymentName": "[take(concat('alz-HubRoute', variables('deploymentSuffix')), 64)]",
+ "vnetConnectivityRouteTable2DeploymentName": "[take(concat('alz-HubRoute2', variables('deploymentSuffix')), 64)]",
"nvaConnectivityHubDeploymentName": "[take(concat('alz-NVAHub', variables('deploymentSuffix')), 64)]",
+ "nvaConnectivityHub2DeploymentName": "[take(concat('alz-NVAHub2', variables('deploymentSuffix')), 64)]",
"azVmMonitorPolicyDeploymentName": "[take(concat('alz-AzVmMonitor', variables('deploymentSuffix')), 64)]",
"azVmssMonitorPolicyDeploymentName": "[take(concat('alz-AzVmssMonitor', variables('deploymentSuffix')), 64)]",
"azVmHybridMonitorPolicyDeploymentName": "[take(concat('alz-AzVmHybridMonitor', variables('deploymentSuffix')), 64)]",
@@ -1588,9 +1771,13 @@
"corpConnectedLzSubs": "[take(concat('alz-CorpPeering', variables('deploymentSuffix')), 50)]",
"privateDnsZoneRgDeploymentName": "[take(concat('alz-PrivDNSRG', variables('deploymentSuffix')), 64)]",
"privateDnsZonesDeploymentName": "[take(concat('alz-PrivDNSZones', variables('deploymentSuffix')), 35)]",
+ "privateDnsZoneRg2DeploymentName": "[take(concat('alz-PrivDNSRG2', variables('deploymentSuffix')), 64)]",
+ "privateDnsZones2DeploymentName": "[take(concat('alz-PrivDNSZones2', variables('deploymentSuffix')), 35)]",
"dnsZoneRoleAssignmentDeploymentName": "[take(concat('alz-DNSZoneRole', variables('deploymentSuffix')), 64)]",
"identityPeeringDeploymentName": "[take(concat('alz-IDPeering', variables('deploymentSuffix')), 64)]",
+ "identityPeering2DeploymentName": "[take(concat('alz-IDPeering2', variables('deploymentSuffix')), 64)]",
"identityVwanPeeringDeploymentName": "[take(concat('alz-IDVwanPeering', variables('deploymentSuffix')), 64)]",
+ "identityVwanPeering2DeploymentName": "[take(concat('alz-IDVwanPeering2', variables('deploymentSuffix')), 64)]",
"mdEndpointsDeploymentName": "[take(concat('alz-MDEndpoints', variables('deploymentSuffix')), 64)]",
"mdEndpointsAMADeploymentName": "[take(concat('alz-MDEndpointsAMA', variables('deploymentSuffix')), 64)]",
"corpConnectedLzVwanSubs": "[take(concat('alz-CorpConnLzsVwan', variables('deploymentSuffix')), 50)]",
@@ -1603,6 +1790,7 @@
"denyVMUnmanagedDiskPolicyDeploymentName": "[take(concat('alz-NoUnmanagedDiskResource', variables('deploymentSuffix')), 64)]",
"ztnPhase1PidCuaDeploymentName": "[take(concat('pid-', variables('ztnPhase1CuaId'), '-' , uniqueString(deployment().location, parameters('enterpriseScaleCompanyPrefix'), parameters('currentDateTimeUtcNow'), coalesce(parameters('connectivitySubscriptionId'), parameters('singlePlatformSubscriptionId'))), '-ztnp1'), 64)]",
"ambaPortalPidCuaDeploymentName": "[take(concat('pid-', variables('ambaPortalCuaId'), '-' , uniqueString(deployment().location, parameters('enterpriseScaleCompanyPrefix'), parameters('currentDateTimeUtcNow'), coalesce(parameters('connectivitySubscriptionId'), parameters('singlePlatformSubscriptionId'))), '-ztnp1'), 64)]",
+ "pidCuaDeploymentNameSecondaryRegion": "[take(concat('pid-', variables('cuaidSecondaryRegion'), '-' , uniqueString(deployment().location, parameters('enterpriseScaleCompanyPrefix'), parameters('currentDateTimeUtcNow'))), 64)]",
"diagnosticSettingsforMGsDeploymentName": "[take(concat('alz-DiagSettingsMGs', variables('deploymentSuffix')), 64)]",
"userAssignedIdentityDeploymentName": "[take(concat('alz-UserAssignedIdentity', variables('deploymentSuffix')), 60)]",
"azureUpdateManagerPolicyDeploymentName": "[take(concat('alz-AzureUpdateManager', variables('deploymentSuffix')), 64)]",
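Review bot: `pidCuaDeploymentNameSecondaryRegion` references `variables('cuaidSecondaryRegion')`, which is not defined anywhere in this excerpt; confirm it is added alongside `ztnPhase1CuaId` and `ambaPortalCuaId`, otherwise template validation fails on the undefined variable. Its `uniqueString` also drops the `coalesce(parameters('connectivitySubscriptionId'), parameters('singlePlatformSubscriptionId'))` term the two adjacent pid names include; if that is intentional (one tracking deployment per tenant rather than per subscription), a comment would help.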
@@ -1659,11 +1847,20 @@
"vnetConnectivityHubLiteDeploymentName": "[take(concat('alz-VnetHubLite', variables('deploymentSuffix')), 64)]",
"vwanConnectivityHubLiteDeploymentName": "[take(concat('alz-VWanHubLite', variables('deploymentSuffix')), 64)]",
"nvaConnectivityHubLiteDeploymentName": "[take(concat('alz-NVAHubLite', variables('deploymentSuffix')), 64)]",
+ "vnetConnectivityHubLite2DeploymentName": "[take(concat('alz-VnetHubLite2', variables('deploymentSuffix')), 64)]",
+ "hubPeeringDeploymentName": "[take(concat('alz-HubPeering', variables('deploymentSuffix')), 60)]",
+ "hubPeering2DeploymentName": "[take(concat('alz-HubPeering2', variables('deploymentSuffix')), 60)]",
+ "vnetConnectivityRouteTableDeploymentName": "[take(concat('alz-HubRoute', variables('deploymentSuffix')), 64)]",
+ "vnetConnectivityRouteTable2DeploymentName": "[take(concat('alz-HubRoute2', variables('deploymentSuffix')), 64)]",
+ "nvaConnectivityHubLite2DeploymentName": "[take(concat('alz-NVAHubLite2', variables('deploymentSuffix')), 64)]",
"ddosRgLiteDeploymentName": "[take(concat('alz-DDoSRgLite', variables('deploymentSuffix')), 64)]",
"ddosLiteDeploymentName": "[take(concat('alz-DDoSLite', variables('deploymentSuffix')), 64)]",
"ddosHubLitePolicyDeploymentName": "[take(concat('alz-DDoSHubPolicyLite', variables('deploymentSuffix')), 64)]",
"privateDnsZoneRgLiteDeploymentName": "[take(concat('alz-PrivDNSRGLite', variables('deploymentSuffix')), 64)]",
"privateDnsZonesLiteDeploymentName": "[take(concat('alz-PrivDNSLite', variables('deploymentSuffix')), 35)]",
+ "privateDnsZonesLite1DeploymentName": "[take(concat('alz-PrivDNSLite1', variables('deploymentSuffix')), 35)]",
+ "privateDnsZoneRgLite2DeploymentName": "[take(concat('alz-PrivDNSRGLite2', variables('deploymentSuffix')), 64)]",
+ "privateDnsZonesLite2DeploymentName": "[take(concat('alz-PrivDNSLite2', variables('deploymentSuffix')), 35)]",
"monitorPolicyLiteDeploymentName": "[take(concat('alz-MonitorPolicyLite', variables('deploymentSuffix')), 64)]",
"dataCollectionRuleVmInsightsLiteDeploymentName": "[take(concat('alz-DataCollectionRuleVmInsightsLite', variables('deploymentSuffix')), 64)]",
"dataCollectionRuleChangeTrackingLiteDeploymentName": "[take(concat('alz-DataCollectionRuleChangeTrackingLite', variables('deploymentSuffix')), 64)]",
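Review bot: the role of the new `privateDnsZonesLite1DeploymentName` (`alz-PrivDNSLite1`) is unclear next to the existing `privateDnsZonesLiteDeploymentName` and the new `privateDnsZonesLite2DeploymentName`; no resource in this diff references it. If it is meant for a distinct deployment (for example the link from the primary zones to the secondary hub), a comment naming that deployment would help; otherwise it looks like a leftover that should be dropped. The 35-character `take()` on these three names still keeps the distinguishing digit, since it sits before `deploymentSuffix`, so the copy index appended later cannot make two loops collide.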
@@ -1674,9 +1871,12 @@
"platformRgNames": {
"mgmtRg": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-mgmt')]",
"connectivityRg": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-vnethub-', parameters('connectivityLocation'))]",
+ "connectivityRgSecondary": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-vnethub-', parameters('connectivityLocationSecondary'))]",
"ddosRg": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-ddos')]",
"privateDnsRg": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-privatedns')]",
+ "privateDnsRg2": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-privatedns-02')]",
"identityVnetRg": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-vnet-', parameters('connectivityLocation'))]",
+ "identityVnetRgSecondary": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-vnet-', parameters('connectivityLocationSecondary'))]",
"lzVnetRg": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-vnet-', parameters('connectivityLocation'))]"
},
// Declaring deterministic names for platform resources that will be created
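Review bot: `privateDnsRg2` uses a fixed `-privatedns-02` suffix while every other secondary-region group added here (`connectivityRgSecondary`, `identityVnetRgSecondary`) is keyed `...Secondary` and embeds `connectivityLocationSecondary`. For consistency and so the region is visible in the portal, consider `"privateDnsRgSecondary": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-privatedns-', parameters('connectivityLocationSecondary'))]"`, or add a comment explaining why the numeric suffix is preferred for this group.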
@@ -1694,10 +1894,12 @@
"azFwName": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-fw-', parameters('connectivityLocation'))]",
"azErGwIpName": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-erpip-', parameters('connectivityLocation'))]",
"hubName": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-hub-', parameters('connectivityLocation'))]",
+ "hubNameSecondary": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-hub-', parameters('connectivityLocationSecondary'))]",
"vwanName": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-vwan-', parameters('connectivityLocation'))]",
"azVpnGwIpName": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-gwpip-', parameters('connectivityLocation'))]",
"azFwIpName": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-fwpip-', parameters('connectivityLocation'))]",
"identityVnet": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-vnet-', parameters('connectivityLocation'))]",
+ "identityVnetSecondary": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-vnet-', parameters('connectivityLocationSecondary'))]",
"lzVnet": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-vnet-', parameters('connectivityLocation'))]"
},
// Declaring deterministic resourceId's for platform resources that will be created
@@ -1711,7 +1913,9 @@
"automationResourceId": "[concat('/subscriptions/', variables('singleVsDedicatedMgmtSub'), '/resourceGroups/', variables('platformRgNames').mgmtRg, '/providers/Microsoft.Automation/automationAccounts/', variables('platformResourceNames').automationAccount)]",
"ddosProtectionResourceId": "[concat('/subscriptions/', variables('singleVsDedicatedConnectivitySub'), '/resourceGroups/', variables('platformRgNames').ddosRg, '/providers/Microsoft.Network/ddosProtectionPlans/', variables('platformResourceNames').ddosName)]",
"vNetHubResourceId": "[concat('/subscriptions/', variables('singleVsDedicatedConnectivitySub'), '/resourceGroups/', variables('platformRgNames').connectivityRg, '/providers/Microsoft.Network/virtualNetworks/', variables('platformResourceNames').hubName)]",
+ "vNetHubResourceIdSecondary": "[concat('/subscriptions/', variables('singleVsDedicatedConnectivitySub'), '/resourceGroups/', variables('platformRgNames').connectivityRgSecondary, '/providers/Microsoft.Network/virtualNetworks/', variables('platformResourceNames').hubNameSecondary)]",
"vWanHubResourceId": "[concat('/subscriptions/', variables('singleVsDedicatedConnectivitySub'), '/resourceGroups/', variables('platformRgNames').connectivityRg, '/providers/Microsoft.Network/virtualHubs/', variables('platformResourceNames').hubName)]",
+ "vWanHubResourceIdSecondary": "[concat('/subscriptions/', variables('singleVsDedicatedConnectivitySub'), '/resourceGroups/', variables('platformRgNames').connectivityRg, '/providers/Microsoft.Network/virtualHubs/', variables('platformResourceNames').hubNameSecondary)]",
"privateDnsRgResourceId": "[concat('/subscriptions/', variables('singleVsDedicatedConnectivitySub'), '/resourceGroups/', variables('platformRgNames').privateDnsRg)]",
"azFirewallResourceId": "[concat('/subscriptions/', variables('singleVsDedicatedConnectivitySub'), '/resourceGroups/', variables('platformRgNames').connectivityRg, '/providers/Microsoft.Network/azureFirewalls/', variables('platformResourceNames').azFwName)]",
"userAssignedIdentityResourceId": "[concat('/subscriptions/', variables('singleVsDedicatedMgmtSub'), '/resourceGroups/', variables('platformRgNames').mgmtRg, '/providers/Microsoft.ManagedIdentity/userAssignedIdentities/', variables('platformResourceNames').userAssignedIdentity)]"
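Review bot: this hunk adds no `azFirewallResourceIdSecondary`, yet the secondary identity peering later in this change reads `variables('platformResourceIds').azFirewallResourceIdSecondary` (in the `azureFirewallResourceId` parameter). Unless that id is declared in a part of the template outside this diff, the reference to an undefined object property will fail template validation even when the peering's condition is false; an entry mirroring `azFirewallResourceId` with `connectivityRgSecondary` and a secondary firewall name is needed. Separately, `vWanHubResourceIdSecondary` uses `connectivityRg` (the primary group) while `vNetHubResourceIdSecondary` uses `connectivityRgSecondary`; if that is deliberate because the second virtual hub is created inside the existing vWAN's resource group, a comment saying so would stop the next reader from "fixing" it.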
@@ -1805,7 +2009,8 @@
"cuaidNetworkingHubSpoke": "f7fcc714-0c0d-4011-87bf-319810bbb03d",
"cuaidNetworkingVirtualWan": "0263335d-f570-470c-8389-aa6c916e5008",
"ztnPhase1CuaId": "f09f64b8-5cb3-4b16-900d-6ba1df8a597e",
- "ambaPortalCuaId": "5f0e5693-3998-4ae2-8115-ee96e38dac62"
+ "ambaPortalCuaId": "5f0e5693-3998-4ae2-8115-ee96e38dac62",
+ "cuaidSecondaryRegion": "b8cb7850-a693-4b04-a3a8-5441491966d6"
},
"resources": [
/*
@@ -4744,6 +4949,54 @@
},
"vWanHubCapacity": {
"value": "[parameters('vWANHubCapacity')]"
+ },
+ "enableHubSecondary": {
+ "value": "[parameters('enableHubSecondary')]"
+ },
+ "enableAzFwSecondary": {
+ "value": "[parameters('enableAzFwSecondary')]"
+ },
+ "firewallSkuSecondary": {
+ "value": "[parameters('firewallSkuSecondary')]"
+ },
+ "firewallZonesSecondary": {
+ "value": "[parameters('firewallZonesSecondary')]"
+ },
+ "enableAzFwDnsProxySecondary": {
+ "value": "[parameters('enableAzFwDnsProxySecondary')]"
+ },
+ "addressPrefixSecondary": {
+ "value": "[parameters('addressPrefixSecondary')]"
+ },
+ "enableVpnGwSecondary": {
+ "value": "[parameters('enableVpnGwSecondary')]"
+ },
+ "enableErGwSecondary": {
+ "value": "[parameters('enableErGwSecondary')]"
+ },
+ "locationSecondary": {
+ "value": "[parameters('connectivityLocationSecondary')]"
+ },
+ "expressRouteScaleUnitSecondary": {
+ "value": "[parameters('expressRouteScaleUnitSecondary')]"
+ },
+ "vpnGateWayScaleUnitSecondary": {
+ "value": "[parameters('vpnGateWayScaleUnitSecondary')]"
+ },
+ "enablevWANRoutingIntentSecondary": {
+ "value": "[parameters('enablevWANRoutingIntentSecondary')]"
+ },
+ "internetTrafficRoutingPolicySecondary": {
+ "value": "[parameters('internetTrafficRoutingPolicySecondary')]"
+ },
+ "privateTrafficRoutingPolicySecondary": {
+ "value": "[parameters('privateTrafficRoutingPolicySecondary')]"
+ },
+ "vWANHubRoutingPreferenceSecondary": {
+ "value": "[parameters('vWANHubRoutingPreferenceSecondary')]"
+ },
+ "vWANHubCapacitySecondary": {
+ "value": "[parameters('vWANHubCapacitySecondary')]"
}
}
}
@@ -4784,7 +5037,7 @@
}
},
{
- // Creating Private DNS Zones into the connectivity subscription
+ // Creating Private DNS Zones into the connectivity subscription and linking them to a secondary location if provided.
"condition": "[and(equals(parameters('enablePrivateDnsZones'), 'Yes'), not(empty(parameters('connectivitySubscriptionId'))))]",
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
@@ -4797,7 +5050,9 @@
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHubDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vwanConnectivityHubDeploymentName)]",
- "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHubDeploymentName)]"
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHub2DeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHub2DeploymentName)]"
],
"copy": {
"name": "dnsZones",
@@ -4815,57 +5070,465 @@
},
"connectivityHubResourceId": {
"value": "[variables('platformResourceIds').vNetHubResourceId]"
+ },
+ "connectivityHubResourceIdSecondary": {
+ "value": "[variables('platformResourceIds').vNetHubResourceIdSecondary]"
+ },
+ "enablePrivateDnsZonesSecondary": {
+ "value": "[parameters('enablePrivateDnsZonesSecondary')]"
+ },
+ "enableHubSecondary": {
+ "value": "[parameters('enableHubSecondary')]"
}
}
- }
- },
+ }
+ },
+ {
+ // Creating resource group for Private DNS Zones for a secondary region
+ "condition": "[and(equals(parameters('enablePrivateDnsZonesSecondary'), 'Yes'), not(empty(parameters('connectivitySubscriptionId'))))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "[variables('deploymentNames').privateDnsZoneRg2DeploymentName]",
+ "subscriptionId": "[parameters('connectivitySubscriptionId')]",
+ "location": "[deployment().location]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').connectivitySubscriptionPlacement)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').asbPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHub2DeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vwanConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHub2DeploymentName)]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').resourceGroup]"
+ },
+ "parameters": {
+ "rgName": {
+ "value": "[variables('platformRgNames').privateDnsRg2]"
+ },
+ "location": {
+ "value": "[parameters('connectivityLocationSecondary')]"
+ }
+ }
+ }
+ },
+ {
+ // Creating Private DNS Zones into the connectivity subscription for a secondary region
+ "condition": "[and(equals(parameters('enablePrivateDnsZonesSecondary'), 'Yes'), not(empty(parameters('connectivitySubscriptionId'))))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "[concat(variables('deploymentNames').privateDnsZones2DeploymentName, copyIndex())]",
+ "subscriptionId": "[parameters('connectivitySubscriptionId')]",
+ "resourceGroup": "[variables('platformRgNames').privateDnsRg2]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').privateDnsZoneRg2DeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHub2DeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vwanConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHub2DeploymentName)]"
+ ],
+ "copy": {
+ "name": "dnsZones",
+ "count": "[length(variables('privateDnsZonesMergedWithBackupPlaceholderRemoved'))]"
+ },
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').privateDnsZones]"
+ },
+ "parameters": {
+ "privateDnsZoneName": {
+ "value": "[concat(variables('privateDnsZonesMergedWithBackupPlaceholderRemoved')[copyIndex()])]"
+ },
+ "connectivityHubResourceId": {
+ "value": "[variables('platformResourceIds').vNetHubResourceIdSecondary]"
+ },
+ "connectivityHubResourceIdSecondary": {
+ "value": "placeholder"
+ },
+ "enablePrivateDnsZonesSecondary": {
+ "value": "[parameters('enablePrivateDnsZonesSecondary')]"
+ },
+ "enableHubSecondary": {
+ "value": "No"
+ }
+ }
+ }
+ },
/*
- The following deployments will deploy and configure the Azure policy governance for the landing zones
+ The following optional deployment will configure virtual network hub into the connectivity subscription for a secondary region
*/
{
- // Deploying Private DNS Zones policy assignment for PaaS services using built-in policies
- "condition": "[or(equals(parameters('enablePrivateDnsZonesForLzs'), 'Yes'), equals(parameters('enablePrivateDnsZonesForLzs'), 'Audit'))]",
+ // Creating the virtual network hub (hub and spoke) in a secondary region
+ "condition": "[and(not(empty(parameters('connectivitySubscriptionId'))),equals(parameters('enableHubSecondary'), 'vhub'))]",
"type": "Microsoft.Resources/deployments",
- "apiVersion": "2019-10-01",
- "name": "[variables('deploymentNames').privateDnsPolicyDeploymentName]",
- "location": "[deployment().location]",
- "scope": "[variables('scopes').corpManagementGroup]",
+ "apiVersion": "2020-10-01",
+ "scope": "[variables('scopes').connectivityManagementGroup]",
+ "name": "[variables('deploymentNames').vnetConnectivityHub2DeploymentName]",
"dependsOn": [
- "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtGroupDeploymentName)]",
- "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').mgmtGroupLiteDeploymentName)]",
- "dnsZones",
- "dnsZonesLite",
- "policyCompletion"
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').connectivitySubscriptionPlacement)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').asbPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosDeploymentName)]"
],
+ "location": "[deployment().location]",
"properties": {
"mode": "Incremental",
"templateLink": {
"contentVersion": "1.0.0.0",
- "uri": "[variables('deploymentUris').privateDnsZonePolicyAssignment]"
+ "uri": "[variables('deploymentUris').vnetConnectivityHub]"
},
"parameters": {
"topLevelManagementGroupPrefix": {
"value": "[parameters('enterpriseScaleCompanyPrefix')]"
},
+ "ddosPlanResourceId": {
+ "value": "[variables('platformResourceIds').ddosProtectionResourceId]"
+ },
+ "enableHub": {
+ "value": "[parameters('enableHubSecondary')]"
+ },
+ "enableAzFw": {
+ "value": "[parameters('enableAzFwSecondary')]"
+ },
+ "addressPrefix": {
+ "value": "[parameters('addressPrefixSecondary')]"
+ },
+ "enableVpnGw": {
+ "value": "[parameters('enableVpnGwSecondary')]"
+ },
+ "enableErGw": {
+ "value": "[parameters('enableErGwSecondary')]"
+ },
+ "enableDdoS": {
+ "value": "[parameters('enableDdoS')]"
+ },
"location": {
- "value": "[parameters('connectivityLocation')]"
+ "value": "[parameters('connectivityLocationSecondary')]"
},
- "dnsZoneResourceGroupId": {
- "value": "[variables('platformResourceIds').privateDnsRgResourceId]"
+ "connectivitySubscriptionId": {
+ "value": "[parameters('connectivitySubscriptionId')]"
},
- "enforcementMode": {
- "value": "[if(equals(parameters('enablePrivateDnsZonesForLzs'), 'Yes'), 'Default', 'DoNotEnforce')]"
+ "subnetMaskForAzFw": {
+ "value": "[parameters('subnetMaskForAzFwSecondary')]"
+ },
+ "subnetMaskForAzFwMgmt": {
+ "value": "[parameters('subnetMaskForAzFwMgmtSecondary')]"
+ },
+ "subnetMaskForGw": {
+ "value": "[parameters('subnetMaskForGwSecondary')]"
+ },
+ "firewallSku": {
+ "value": "[parameters('firewallSkuSecondary')]"
+ },
+ "firewallZones": {
+ "value": "[parameters('firewallZonesSecondary')]"
+ },
+ "enableAzFwDnsProxy": {
+ "value": "[parameters('enableAzFwDnsProxySecondary')]"
+ },
+ "enableVpnActiveActive": {
+ "value": "[parameters('enableVpnActiveActiveSecondary')]"
+ },
+ "gwRegionalOrAz": {
+ "value": "[parameters('gwRegionalOrAzSecondary')]"
+ },
+ "gwAzSku": {
+ "value": "[parameters('gwAzSkuSecondary')]"
+ },
+ "gwRegionalSku": {
+ "value": "[parameters('gwRegionalSkuSecondary')]"
+ },
+ "erRegionalOrAz": {
+ "value": "[parameters('erRegionalOrAzSecondary')]"
+ },
+ "erAzSku": {
+ "value": "[parameters('erAzSkuSecondary')]"
+ },
+ "erRegionalSku": {
+ "value": "[parameters('erRegionalSkuSecondary')]"
}
}
}
},
{
- // Assigning RBAC for Private DNS Zone Policy assignment to the connectivity hub
- "condition": "[equals(parameters('enablePrivateDnsZonesForLzs'), 'Yes')]",
+ // Creating the virtual network hub (with NVA) in a secondary region
+ "condition": "[and(not(empty(parameters('connectivitySubscriptionId'))),equals(parameters('enableHubSecondary'), 'nva'))]",
"type": "Microsoft.Resources/deployments",
- "apiVersion": "2019-10-01",
- "name": "[variables('deploymentNames').dnsZoneRoleAssignmentDeploymentName]",
- "location": "[deployment().location]",
+ "apiVersion": "2020-10-01",
+ "scope": "[variables('scopes').connectivityManagementGroup]",
+ "name": "[variables('deploymentNames').nvaConnectivityHub2DeploymentName]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').connectivitySubscriptionPlacement)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').asbPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosDeploymentName)]"
+ ],
+ "location": "[deployment().location]",
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').nvaConnectivityHub]"
+ },
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "value": "[parameters('enterpriseScaleCompanyPrefix')]"
+ },
+ "ddosPlanResourceId": {
+ "value": "[variables('platformResourceIds').ddosProtectionResourceId]"
+ },
+ "enableHub": {
+ "value": "[parameters('enableHubSecondary')]"
+ },
+ "addressPrefix": {
+ "value": "[parameters('addressPrefixSecondary')]"
+ },
+ "enableVpnGw": {
+ "value": "[parameters('enableVpnGwSecondary')]"
+ },
+ "enableErGw": {
+ "value": "[parameters('enableErGwSecondary')]"
+ },
+ "enableDdoS": {
+ "value": "[parameters('enableDdoS')]"
+ },
+ "location": {
+ "value": "[parameters('connectivityLocationSecondary')]"
+ },
+ "connectivitySubscriptionId": {
+ "value": "[parameters('connectivitySubscriptionId')]"
+ },
+ "subnetMaskForGw": {
+ "value": "[parameters('subnetMaskForGwSecondary')]"
+ },
+ "enableVpnActiveActive": {
+ "value": "[parameters('enableVpnActiveActiveSecondary')]"
+ },
+ "gwRegionalOrAz": {
+ "value": "[parameters('gwRegionalOrAzSecondary')]"
+ },
+ "gwAzSku": {
+ "value": "[parameters('gwAzSkuSecondary')]"
+ },
+ "gwRegionalSku": {
+ "value": "[parameters('gwRegionalSkuSecondary')]"
+ },
+ "erRegionalOrAz": {
+ "value": "[parameters('erRegionalOrAzSecondary')]"
+ },
+ "erAzSku": {
+ "value": "[parameters('erAzSkuSecondary')]"
+ },
+ "erRegionalSku": {
+ "value": "[parameters('erRegionalSkuSecondary')]"
+ }
+ }
+ }
+ },
+ {
+ // Peering the primary hub and the secondary hub (when nva or vhub is selected)
+ "condition": "[and(not(empty(parameters('connectivitySubscriptionId'))), or(equals(parameters('enableHub'), 'nva'), equals(parameters('enableHub'), 'vhub')), or(equals(parameters('enableHubSecondary'), 'nva'), equals(parameters('enableHubSecondary'), 'vhub')))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-06-01",
+ "name": "[variables('deploymentNames').hubPeeringDeploymentName]",
+ "subscriptionId": "[parameters('connectivitySubscriptionId')]",
+ "location": "[parameters('connectivityLocation')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vwanConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosLzPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').identityPeeringDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').identityPeering2DeploymentName)]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').hubVnetPeering]"
+ },
+ "parameters": {
+ "hubResourceId": {
+ "value": "[variables('platformResourceIds').vNetHubResourceId]"
+ },
+ "hubResourceIdSecondary": {
+ "value": "[variables('platformResourceIds').vNetHubResourceIdSecondary]"
+ },
+ "hubLocation": {
+ "value": "[parameters('connectivityLocation')]"
+ },
+ "hubLocationSecondary": {
+ "value": "[parameters('connectivityLocationSecondary')]"
+ },
+ "hubRgName": {
+ "value": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-vnethub-', parameters('connectivityLocation'))]"
+ },
+ "hubRgNameSecondary": {
+ "value": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-vnethub-', parameters('connectivityLocationSecondary'))]" }
+ }
+ }
+ },
+ {
+ // Creating route table from first region to second region
+ "condition": "[and(not(empty(parameters('connectivitySubscriptionId'))), equals(parameters('enableHub'), 'vhub'), equals(parameters('enableAzFw'), 'Yes'), equals(parameters('enableAzFwSecondary'), 'Yes'))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "[variables('deploymentNames').vnetConnectivityRouteTableDeploymentName]",
+ "subscriptionId": "[parameters('connectivitySubscriptionId')]",
+ "resourceGroup": "[variables('platformRgNames').connectivityRg]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').privateDnsZoneRgDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHub2DeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHub2DeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').hubPeeringDeploymentName)]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').hubVnetRouting]"
+ },
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "value": "[parameters('enterpriseScaleCompanyPrefix')]"
+ },
+ "connectivityHubResourceId": {
+ "value": "[variables('platformResourceIds').vNetHubResourceId]"
+ },
+ "subnetName": {
+ "value": "AzureFirewallSubnet"
+ },
+ "cidrRange": {
+ "value": "[parameters('addressPrefixSecondary')]"
+ },
+ "targetFWSubnetCidr": {
+ "value": "[parameters('subnetMaskForAzFwSecondary')]"
+ },
+ "sourceFWSubnetCidr": {
+ "value": "[parameters('subnetMaskForAzFw')]"
+ },
+ "hubLocation": {
+ "value": "[parameters('connectivityLocation')]"
+ }
+ }
+ }
+ },
+ {
+ // Creating route table from second region to first region
+ "condition": "[and(not(empty(parameters('connectivitySubscriptionId'))), equals(parameters('enableHub'), 'vhub'), equals(parameters('enableAzFw'), 'Yes'), equals(parameters('enableAzFwSecondary'), 'Yes'))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "[variables('deploymentNames').vnetConnectivityRouteTable2DeploymentName]",
+ "subscriptionId": "[parameters('connectivitySubscriptionId')]",
+ "resourceGroup": "[variables('platformRgNames').connectivityRgSecondary]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').privateDnsZoneRgDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHub2DeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHub2DeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').hubPeeringDeploymentName)]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').hubVnetRouting]"
+ },
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "value": "[parameters('enterpriseScaleCompanyPrefix')]"
+ },
+ "connectivityHubResourceId": {
+ "value": "[variables('platformResourceIds').vNetHubResourceIdSecondary]"
+ },
+ "subnetName": {
+ "value": "AzureFirewallSubnet"
+ },
+ "cidrRange": {
+ "value": "[parameters('addressPrefix')]"
+ },
+ "targetFWSubnetCidr": {
+ "value": "[parameters('subnetMaskForAzFw')]"
+ },
+ "sourceFWSubnetCidr": {
+ "value": "[parameters('subnetMaskForAzFwSecondary')]"
+ },
+ "hubLocation": {
+ "value": "[parameters('connectivityLocationSecondary')]"
+ }
+ }
+ }
+ },
+ /*
+ The following deployments will deploy and configure the Azure policy governance for the landing zones
+ */
+ {
+ // Deploying Private DNS Zones policy assignment for PaaS services using built-in policies
+ "condition": "[or(equals(parameters('enablePrivateDnsZonesForLzs'), 'Yes'), equals(parameters('enablePrivateDnsZonesForLzs'), 'Audit'))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "[variables('deploymentNames').privateDnsPolicyDeploymentName]",
+ "location": "[deployment().location]",
+ "scope": "[variables('scopes').corpManagementGroup]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtGroupDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').mgmtGroupLiteDeploymentName)]",
+ "dnsZones",
+ "dnsZonesLite",
+ "policyCompletion"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').privateDnsZonePolicyAssignment]"
+ },
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "value": "[parameters('enterpriseScaleCompanyPrefix')]"
+ },
+ "location": {
+ "value": "[parameters('connectivityLocation')]"
+ },
+ "dnsZoneResourceGroupId": {
+ "value": "[variables('platformResourceIds').privateDnsRgResourceId]"
+ },
+ "enforcementMode": {
+ "value": "[if(equals(parameters('enablePrivateDnsZonesForLzs'), 'Yes'), 'Default', 'DoNotEnforce')]"
+ }
+ }
+ }
+ },
+ {
+ // Assigning RBAC for Private DNS Zone Policy assignment to the connectivity hub
+ "condition": "[equals(parameters('enablePrivateDnsZonesForLzs'), 'Yes')]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "[variables('deploymentNames').dnsZoneRoleAssignmentDeploymentName]",
+ "location": "[deployment().location]",
"subscriptionId": "[variables('singleVsDedicatedConnectivitySub')]",
"dependsOn": [
"[variables('deploymentNames').privateDnsPolicyDeploymentName]"
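Review bot: the secondary Private DNS Zones deployment reuses the copy loop name `"dnsZones"` (`"copy": { "name": "dnsZones", ... }`), which the primary zones loop in this template already uses; copy names must be unique within a template, so this will fail validation, and the later `"dnsZones"` entry in the policy assignment's `dependsOn` would also be ambiguous. Rename it (for example `dnsZonesSecondary`) and add that name to the policy assignment's `dependsOn` if the secondary zones are meant to exist before the DINE policy runs. Other points in this hunk: the `connectivityHubResourceIdSecondary` parameter of that same deployment is passed the literal string `"placeholder"` rather than an empty string, which is a resource-id parameter and will be confusing if the linked template ever stops gating on `enableHubSecondary`; the two route-table deployments gate on `enableHub == 'vhub'`, `enableAzFw` and `enableAzFwSecondary` but not on `enableHubSecondary == 'vhub'`, so with an NVA secondary hub (which takes no firewall parameters) the condition can still be true and the route will point at a non-existent `AzureFirewallSubnet` in the secondary hub; the hub-peering deployment depends on the primary hub deployments and on `identityPeering2DeploymentName` but not directly on `vnetConnectivityHub2DeploymentName` or `nvaConnectivityHub2DeploymentName`, and since `identityPeering2` is itself conditional on `identityAddressPrefix`, the ordering with the secondary hub should be made explicit with a direct `dependsOn`. Finally, the closing brace of `hubRgNameSecondary` sits on the same line as its value (`... parameters('connectivityLocationSecondary'))]" }`) and should move to its own line like the surrounding entries. Also worth a check: the updated comment on the primary zones deployment says they are now linked to the secondary hub, and this hunk additionally links a second set of zones with the same names to that same hub; a virtual network cannot be linked to two private DNS zones with the same name, so one of the two links will fail unless the linked template guards against it.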
@@ -6376,7 +7039,7 @@
}
},
{
- // Peer vnet in identity subscription to connectivity hub if vhub or nva contidion is true
+ // Peer vnet in identity subscription to connectivity hub if vhub or nva condition is true
"condition": "[and(or(equals(parameters('enableHub'), 'nva'), equals(parameters('enableHub'), 'vhub')), not(empty(parameters('identityAddressPrefix'))))]",
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-06-01",
@@ -6423,7 +7086,54 @@
}
},
{
- // Peer vnet in identity subscription to connectivity hub if vwan contidion is true
+ // Peer vnet in identity subscription to connectivity hub in a secondary region if vhub or nva condition is true
+ "condition": "[and(or(equals(parameters('enableHubSecondary'), 'nva'), equals(parameters('enableHubSecondary'), 'vhub')), not(empty(parameters('identityAddressPrefix'))))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-06-01",
+ "name": "[variables('deploymentNames').identityPeering2DeploymentName]",
+ "subscriptionId": "[parameters('identitySubscriptionId')]",
+ "location": "[parameters('connectivityLocationSecondary')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHub2DeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vwanConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHub2DeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').identitySubscriptionPlacement)]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').corpVnetPeering]"
+ },
+ "parameters": {
+ "vNetRgName": {
+ "value": "[variables('platformRgNames').identityVnetRgSecondary]"
+ },
+ "vNetName": {
+ "value": "[take(concat(variables('platformResourceNames').identityVnetSecondary, '-', uniqueString(parameters('identitySubscriptionId'))), 64)]"
+ },
+ "vNetLocation": {
+ "value": "[parameters('connectivityLocationSecondary')]"
+ },
+ "vNetCidrRange": {
+ "value": "[parameters('identityAddressPrefixSecondary')]"
+ },
+ "hubResourceId": {
+ "value": "[variables('platformResourceIds').vNetHubResourceIdSecondary]"
+ },
+ "azureFirewallResourceId": {
+ "value": "[if(equals(parameters('enableAzFwDnsProxySecondary'), 'Yes'), variables('platformResourceIds').azFirewallResourceIdSecondary, '')]"
+ }
+ }
+ }
+ },
+ {
+ // Peer vnet in identity subscription to connectivity hub if vwan condition is true
"condition": "[and(equals(parameters('enableHub'), 'vwan'), not(empty(parameters('identityAddressPrefix'))))]",
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-06-01",
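Review bot: the condition on the new secondary identity peering (`identityPeering2DeploymentName`) tests `not(empty(parameters('identityAddressPrefix')))`, the primary-region prefix, while the deployment passes `parameters('identityAddressPrefixSecondary')` as `vNetCidrRange`; with only the primary prefix set, the peering would run with an empty CIDR. The vWAN counterpart added later in this change checks `identityAddressPrefixSecondary`, so this condition should match it: `"condition": "[and(or(equals(parameters('enableHubSecondary'), 'nva'), equals(parameters('enableHubSecondary'), 'vhub')), not(empty(parameters('identityAddressPrefixSecondary'))))]"`.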
@@ -6469,33 +7179,80 @@
}
}
},
- /*
- The following deployments will place landing zone subscriptions into online/corp (connected or disconnected)
- */
{
- // Placing subscription(s) into online landing zone management group
- "condition": "[not(empty(parameters('onlineLzSubscriptionId')))]",
+ // Peer vnet in identity subscription to connectivity hub if vwan condition is true
+ "condition": "[and(equals(parameters('enableHubSecondary'), 'vwan'), not(empty(parameters('identityAddressPrefixSecondary'))))]",
"type": "Microsoft.Resources/deployments",
- "apiVersion": "2020-10-01",
- "name": "[concat(variables('deploymentNames').onlineLzSubs, copyIndex())]",
- "scope": "[variables('scopes').onlineManagementGroup]",
- "location": "[deployment().location]",
+ "apiVersion": "2020-06-01",
+ "name": "[variables('deploymentNames').identityVwanPeering2DeploymentName]",
+ "subscriptionId": "[parameters('identitySubscriptionId')]",
+ "location": "[parameters('connectivityLocationSecondary')]",
"dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHub2DeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vwanConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHub2DeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]",
- "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]"
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').identitySubscriptionPlacement)]"
],
- "copy": {
- "name": "onlineLzs",
- "count": "[length(parameters('onlineLzSubscriptionId'))]"
- },
"properties": {
"mode": "Incremental",
"templateLink": {
"contentVersion": "1.0.0.0",
- "uri": "[variables('deploymentUris').subscriptionPlacement]"
+ "uri": "[variables('deploymentUris').corpVwanPeering]"
+ },
+ "parameters": {
+ "vNetRgName": {
+ "value": "[variables('platformRgNames').identityVnetRgSecondary]"
+ },
+ "vNetName": {
+ "value": "[take(concat(variables('platformResourceNames').identityVnetSecondary, '-', uniqueString(parameters('identitySubscriptionId'))), 64)]"
+ },
+ "vNetLocation": {
+ "value": "[parameters('connectivityLocationSecondary')]"
+ },
+ "vNetCidrRange": {
+ "value": "[parameters('identityAddressPrefixSecondary')]"
+ },
+ "vWanHubResourceId": {
+ "value": "[variables('platformResourceIds').vWanHubResourceIdSecondary]"
+ },
+ "azureFirewallResourceId": {
+ "value": "[if(equals(parameters('enableAzFwDnsProxySecondary'), 'Yes'), variables('platformResourceIds').azFirewallResourceIdSecondary, '')]"
+ }
+ }
+ }
+ },
+ /*
+ The following deployments will place landing zone subscriptions into online/corp (connected or disconnected)
+ */
+ {
+ // Placing subscription(s) into online landing zone management group
+ "condition": "[not(empty(parameters('onlineLzSubscriptionId')))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "[concat(variables('deploymentNames').onlineLzSubs, copyIndex())]",
+ "scope": "[variables('scopes').onlineManagementGroup]",
+ "location": "[deployment().location]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]"
+ ],
+ "copy": {
+ "name": "onlineLzs",
+ "count": "[length(parameters('onlineLzSubscriptionId'))]"
+ },
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').subscriptionPlacement]"
},
"parameters": {
"targetManagementGroupId": {
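Review bot: the comment above the new `identityVwanPeering2DeploymentName` resource reads "Peer vnet in identity subscription to connectivity hub if vwan condition is true", word for word the comment on the primary-region vWAN peering just above it; say "in a secondary region", as the vhub/nva variant does, so the two resources are not confused when reading `dependsOn`. The remainder of this hunk (the online landing zone placement resource with its `onlineLzs` copy loop) is the existing block re-emitted because the new resource was inserted in front of it; the only functional change here is the new peering.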
@@ -7006,11 +7763,48 @@
}
}
},
- /*
- Note: ES Lite only: deploy private DNS zones
+ /*
+ Note: ES Lite only: deploy RG for Private DNS zones to platform subscription in a secondary region
*/
{
- // Creating Private DNS Zones into the connectivity subscription
+ // Creating resource group for Private DNS Zones for a secondary region
+ "condition": "[and(equals(parameters('enablePrivateDnsZonesSecondary'), 'Yes'), not(empty(parameters('singlePlatformSubscriptionId'))))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "[variables('esLitedeploymentNames').privateDnsZoneRgLite2DeploymentName]",
+ "subscriptionId": "[parameters('singlePlatformSubscriptionId')]",
+ "location": "[deployment().location]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').platformLiteSubscriptionPlacement)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').asbPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLitedeploymentNames').vnetConnectivityHubLite2DeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLitedeploymentNames').nvaConnectivityHubLite2DeploymentName)]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').resourceGroup]"
+ },
+ "parameters": {
+ "rgName": {
+ "value": "[variables('platformRgNames').privateDnsRg2]"
+ },
+ "location": {
+ "value": "[parameters('connectivityLocationSecondary')]"
+ }
+ }
+ }
+ },
+ /*
+ Note: ES Lite only: deploy private DNS zones for primary region
+ */
+ {
+ // Creating Private DNS Zones into the connectivity subscription for only a primary region, and linking them to the secondary if provided.
"condition": "[and(equals(parameters('enablePrivateDnsZones'), 'Yes'), not(empty(parameters('singlePlatformSubscriptionId'))))]",
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
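Review bot: `privateDnsZoneRgLite2DeploymentName` creates the secondary Private DNS resource group whenever `enablePrivateDnsZonesSecondary` is `Yes`, with no check that a secondary hub is actually deployed (`enableHubSecondary` equal to `vhub` or `nva`), even though it depends on both secondary hub deployments and the zones placed into this group later link to `vNetHubResourceIdSecondary`; add the hub check to the condition so the group is not created orphaned. Minor: `name` uses `variables('esLitedeploymentNames')` while the first `dependsOn` entry uses `variables('esLiteDeploymentNames')`; keep one spelling within a resource.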
@@ -7023,7 +7817,9 @@
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('esLitedeploymentNames').vnetConnectivityHubLiteDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('esLitedeploymentNames').vwanConnectivityHubLiteDeploymentName)]",
- "[resourceId('Microsoft.Resources/deployments', variables('esLitedeploymentNames').nvaConnectivityHubLiteDeploymentName)]"
+ "[resourceId('Microsoft.Resources/deployments', variables('esLitedeploymentNames').nvaConnectivityHubLiteDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLitedeploymentNames').vnetConnectivityHubLite2DeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLitedeploymentNames').nvaConnectivityHubLite2DeploymentName)]"
],
"copy": {
"name": "dnsZonesLite",
@@ -7041,6 +7837,62 @@
},
"connectivityHubResourceId": {
"value": "[variables('platformResourceIds').vNetHubResourceId]"
+ },
+ "connectivityHubResourceIdSecondary": {
+ "value": "[variables('platformResourceIds').vNetHubResourceIdSecondary]"
+ },
+ "enablePrivateDnsZonesSecondary": {
+ "value": "[parameters('enablePrivateDnsZonesSecondary')]"
+ },
+ "enableHubSecondary": {
+ "value": "[parameters('enableHubSecondary')]"
+ }
+ }
+ }
+ },
+ /*
+ Note: ES Lite only: deploy private DNS zones in a secondary region
+ */
+ {
+ // Creating Private DNS Zones into the connectivity subscription for a secondary region
+ "condition": "[and(equals(parameters('enablePrivateDnsZonesSecondary'), 'Yes'), not(empty(parameters('singlePlatformSubscriptionId'))))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "[concat(variables('esLitedeploymentNames').privateDnsZonesLite2DeploymentName, copyIndex())]",
+ "subscriptionId": "[parameters('singlePlatformSubscriptionId')]",
+ "resourceGroup": "[variables('platformRgNames').privateDnsRg2]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('esLitedeploymentNames').privateDnsZoneRgLite2DeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLitedeploymentNames').vnetConnectivityHubLite2DeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLitedeploymentNames').nvaConnectivityHubLite2DeploymentName)]"
+ ],
+ "copy": {
+ "name": "dnsZonesLite",
+ "count": "[length(variables('privateDnsZonesMergedWithBackupPlaceholderRemoved'))]"
+ },
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').privateDnsZones]"
+ },
+ "parameters": {
+ "privateDnsZoneName": {
+ "value": "[concat(variables('privateDnsZonesMergedWithBackupPlaceholderRemoved')[copyIndex()])]"
+ },
+ "connectivityHubResourceId": {
+ "value": "[variables('platformResourceIds').vNetHubResourceIdSecondary]"
+ },
+ "connectivityHubResourceIdSecondary": {
+ "value": "placeholder"
+ },
+ "enablePrivateDnsZonesSecondary": {
+ "value": "[parameters('enablePrivateDnsZonesSecondary')]"
+ },
+ "enableHubSecondary": {
+ "value": "No"
}
}
}
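Review bot: the secondary zones deployment (`privateDnsZonesLite2DeploymentName`) reuses the copy loop name `dnsZonesLite` that the primary zones deployment above already declares; give it its own name, e.g. `"name": "dnsZonesLite2"`, so any `dependsOn` reference to the loop is unambiguous. Its condition also checks only `enablePrivateDnsZonesSecondary`, yet every zone is linked to `vNetHubResourceIdSecondary`, which only exists when `enableHubSecondary` is `vhub` or `nva`; add that check. The literal `"value": "placeholder"` for `connectivityHubResourceIdSecondary` and `"value": "No"` for `enableHubSecondary` deserve a one-line comment stating that they intentionally disable the cross-region link for zones that already live in the secondary region.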
@@ -7331,6 +8183,385 @@
},
"vWanHubCapacity": {
"value": "[parameters('vWANHubCapacity')]"
+ },
+ "enableHubSecondary": {
+ "value": "[parameters('enableHubSecondary')]"
+ },
+ "enableAzFwSecondary": {
+ "value": "[parameters('enableAzFwSecondary')]"
+ },
+ "firewallSkuSecondary": {
+ "value": "[parameters('firewallSkuSecondary')]"
+ },
+ "firewallZonesSecondary": {
+ "value": "[parameters('firewallZonesSecondary')]"
+ },
+ "enableAzFwDnsProxySecondary": {
+ "value": "[parameters('enableAzFwDnsProxySecondary')]"
+ },
+ "addressPrefixSecondary": {
+ "value": "[parameters('addressPrefixSecondary')]"
+ },
+ "enableVpnGwSecondary": {
+ "value": "[parameters('enableVpnGwSecondary')]"
+ },
+ "enableErGwSecondary": {
+ "value": "[parameters('enableErGwSecondary')]"
+ },
+ "locationSecondary": {
+ "value": "[parameters('connectivityLocationSecondary')]"
+ },
+ "expressRouteScaleUnitSecondary": {
+ "value": "[parameters('expressRouteScaleUnitSecondary')]"
+ },
+ "vpnGateWayScaleUnitSecondary": {
+ "value": "[parameters('vpnGateWayScaleUnitSecondary')]"
+ },
+ "enablevWANRoutingIntentSecondary": {
+ "value": "[parameters('enablevWANRoutingIntentSecondary')]"
+ },
+ "internetTrafficRoutingPolicySecondary": {
+ "value": "[parameters('internetTrafficRoutingPolicySecondary')]"
+ },
+ "privateTrafficRoutingPolicySecondary": {
+ "value": "[parameters('privateTrafficRoutingPolicySecondary')]"
+ },
+ "vWANHubRoutingPreferenceSecondary": {
+ "value": "[parameters('vWANHubRoutingPreferenceSecondary')]"
+ },
+ "vWANHubCapacitySecondary": {
+ "value": "[parameters('vWANHubCapacitySecondary')]"
+ }
+ }
+ }
+ },
+ /*
+ Note: ES Lite only: deploys hub and spoke in a secondary region
+ */
+ {
+ // Configuring and deploying the connectivity hub (hub and spoke) in a secondary region
+ "condition": "[and(not(empty(parameters('singlePlatformSubscriptionId'))),equals(parameters('enableHubSecondary'), 'vhub'))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-05-01",
+ "scope": "[variables('scopes').platformManagementGroup]",
+ "name": "[variables('esLitedeploymentNames').vnetConnectivityHubLite2DeploymentName]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').platformLiteSubscriptionPlacement)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').asbPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').ddosHubLitePolicyDeploymentName)]"
+ ],
+ "location": "[deployment().location]",
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').vnetConnectivityHub]"
+ },
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "value": "[parameters('enterpriseScaleCompanyPrefix')]"
+ },
+ "ddosPlanResourceId": {
+ "value": "[variables('platformResourceIds').ddosProtectionResourceId]"
+ },
+ "enableHub": {
+ "value": "[parameters('enableHubSecondary')]"
+ },
+ "enableAzFw": {
+ "value": "[parameters('enableAzFwSecondary')]"
+ },
+ "addressPrefix": {
+ "value": "[parameters('addressPrefixSecondary')]"
+ },
+ "enableVpnGw": {
+ "value": "[parameters('enableVpnGwSecondary')]"
+ },
+ "enableErGw": {
+ "value": "[parameters('enableErGwSecondary')]"
+ },
+ "enableDdoS": {
+ "value": "[parameters('enableDdoS')]"
+ },
+ "location": {
+ "value": "[parameters('connectivityLocationSecondary')]"
+ },
+ "connectivitySubscriptionId": {
+ "value": "[parameters('singlePlatformSubscriptionId')]"
+ },
+ "subnetMaskForAzFw": {
+ "value": "[parameters('subnetMaskForAzFwSecondary')]"
+ },
+ "subnetMaskForAzFwMgmt": {
+ "value": "[parameters('subnetMaskForAzFwMgmtSecondary')]"
+ },
+ "subnetMaskForGw": {
+ "value": "[parameters('subnetMaskForGwSecondary')]"
+ },
+ "firewallSku": {
+ "value": "[parameters('firewallSkuSecondary')]"
+ },
+ "firewallZones": {
+ "value": "[parameters('firewallZonesSecondary')]"
+ },
+ "enableAzFwDnsProxy": {
+ "value": "[parameters('enableAzFwDnsProxySecondary')]"
+ },
+ "enableVpnActiveActive": {
+ "value": "[parameters('enableVpnActiveActiveSecondary')]"
+ },
+ "gwRegionalOrAz": {
+ "value": "[parameters('gwRegionalOrAzSecondary')]"
+ },
+ "gwAzSku": {
+ "value": "[parameters('gwAzSkuSecondary')]"
+ },
+ "gwRegionalSku": {
+ "value": "[parameters('gwRegionalSkuSecondary')]"
+ },
+ "erRegionalOrAz": {
+ "value": "[parameters('erRegionalOrAzSecondary')]"
+ },
+ "erAzSku": {
+ "value": "[parameters('erAzSkuSecondary')]"
+ },
+ "erRegionalSku": {
+ "value": "[parameters('erRegionalSkuSecondary')]"
+ }
+ }
+ }
+ },
+ /*
+ Note: ES Lite only: deploys virtual hub (NVA) in a secondary region
+ */
+ {
+ // Configuring and deploying the connectivity hub (NVA) in a secondary region
+ "condition": "[and(not(empty(parameters('singlePlatformSubscriptionId'))),equals(parameters('enableHubSecondary'), 'nva'))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-05-01",
+ "scope": "[variables('scopes').platformManagementGroup]",
+ "name": "[variables('esLitedeploymentNames').nvaConnectivityHubLite2DeploymentName]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').platformLiteSubscriptionPlacement)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').asbPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').ddosHubLitePolicyDeploymentName)]"
+ ],
+ "location": "[deployment().location]",
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').nvaConnectivityHub]"
+ },
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "value": "[parameters('enterpriseScaleCompanyPrefix')]"
+ },
+ "ddosPlanResourceId": {
+ "value": "[variables('platformResourceIds').ddosProtectionResourceId]"
+ },
+ "enableHub": {
+ "value": "[parameters('enableHubSecondary')]"
+ },
+ "addressPrefix": {
+ "value": "[parameters('addressPrefixSecondary')]"
+ },
+ "enableVpnGw": {
+ "value": "[parameters('enableVpnGwSecondary')]"
+ },
+ "enableErGw": {
+ "value": "[parameters('enableErGwSecondary')]"
+ },
+ "enableDdoS": {
+ "value": "[parameters('enableDdoS')]"
+ },
+ "location": {
+ "value": "[parameters('connectivityLocationSecondary')]"
+ },
+ "connectivitySubscriptionId": {
+ "value": "[parameters('singlePlatformSubscriptionId')]"
+ },
+ "subnetMaskForGw": {
+ "value": "[parameters('subnetMaskForGwSecondary')]"
+ },
+ "enableVpnActiveActive": {
+ "value": "[parameters('enableVpnActiveActiveSecondary')]"
+ },
+ "gwRegionalOrAz": {
+ "value": "[parameters('gwRegionalOrAzSecondary')]"
+ },
+ "gwAzSku": {
+ "value": "[parameters('gwAzSkuSecondary')]"
+ },
+ "gwRegionalSku": {
+ "value": "[parameters('gwRegionalSkuSecondary')]"
+ },
+ "erRegionalOrAz": {
+ "value": "[parameters('erRegionalOrAzSecondary')]"
+ },
+ "erAzSku": {
+ "value": "[parameters('erAzSkuSecondary')]"
+ },
+ "erRegionalSku": {
+ "value": "[parameters('erRegionalSkuSecondary')]"
+ }
+ }
+ }
+ },
+ /*
+ Note: ES Lite only: deploys peering between hub networks in the primary and secondary region
+ */
+ {
+ // Peering the primary hub and the secondary hub (when nva or vhub is selected)
+ "condition": "[and(not(empty(parameters('singlePlatformSubscriptionId'))), or(equals(parameters('enableHub'), 'nva'), equals(parameters('enableHub'), 'vhub')), or(equals(parameters('enableHubSecondary'), 'nva'), equals(parameters('enableHubSecondary'), 'vhub')))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-06-01",
+ "name": "[variables('esLitedeploymentNames').hubPeeringDeploymentName]",
+ "subscriptionId": "[parameters('singlePlatformSubscriptionId')]",
+ "location": "[parameters('connectivityLocation')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vwanConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosLzPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vwanConnectivityHubLiteDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLite2DeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLite2DeploymentName)]",
+ "corpConnectedMoveLzs"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').hubVnetPeering]"
+ },
+ "parameters": {
+ "hubResourceId": {
+ "value": "[variables('platformResourceIds').vNetHubResourceId]"
+ },
+ "hubResourceIdSecondary": {
+ "value": "[variables('platformResourceIds').vNetHubResourceIdSecondary]"
+ },
+ "hubLocation": {
+ "value": "[parameters('connectivityLocation')]"
+ },
+ "hubLocationSecondary": {
+ "value": "[parameters('connectivityLocationSecondary')]"
+ },
+ "hubRgName": {
+ "value": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-vnethub-', parameters('connectivityLocation'))]"
+ },
+ "hubRgNameSecondary": {
+ "value": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-vnethub-', parameters('connectivityLocationSecondary'))]" }
+ }
+ }
+ },
+ /*
+ Note: ES Lite only: deploys route tables to forward traffic between hubs
+ */
+ {
+ // Creating routing from first region to second region
+ "condition": "[and(not(empty(parameters('singlePlatformSubscriptionId'))), equals(parameters('enableHub'), 'vhub'), equals(parameters('enableAzFw'), 'Yes'), equals(parameters('enableAzFwSecondary'), 'Yes'))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "[variables('esLitedeploymentNames').vnetConnectivityRouteTableDeploymentName]",
+ "subscriptionId": "[parameters('singlePlatformSubscriptionId')]",
+ "resourceGroup": "[variables('platformRgNames').connectivityRg]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('esLitedeploymentNames').privateDnsZoneRgLiteDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLitedeploymentNames').vnetConnectivityHubLiteDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLitedeploymentNames').nvaConnectivityHubLiteDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLitedeploymentNames').vnetConnectivityHubLite2DeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLitedeploymentNames').nvaConnectivityHubLite2DeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLitedeploymentNames').hubPeeringDeploymentName)]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').hubVnetRouting]"
+ },
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "value": "[parameters('enterpriseScaleCompanyPrefix')]"
+ },
+ "connectivityHubResourceId": {
+ "value": "[variables('platformResourceIds').vNetHubResourceId]"
+ },
+ "subnetName": {
+ "value": "AzureFirewallSubnet"
+ },
+ "cidrRange": {
+ "value": "[parameters('addressPrefixSecondary')]"
+ },
+ "targetFWSubnetCidr": {
+ "value": "[parameters('subnetMaskForAzFwSecondary')]"
+ },
+ "sourceFWSubnetCidr": {
+ "value": "[parameters('subnetMaskForAzFw')]"
+ },
+ "hubLocation": {
+ "value": "[parameters('connectivityLocation')]"
+ }
+ }
+ }
+ },
+ /*
+ Note: ES Lite only: deploys route tables to forward traffic between hubs
+ */
+ {
+ // Creating routing from second region to first region
+ "condition": "[and(not(empty(parameters('singlePlatformSubscriptionId'))), equals(parameters('enableHub'), 'vhub'), equals(parameters('enableAzFw'), 'Yes'), equals(parameters('enableAzFwSecondary'), 'Yes'))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "[variables('esLitedeploymentNames').vnetConnectivityRouteTable2DeploymentName]",
+ "subscriptionId": "[parameters('singlePlatformSubscriptionId')]",
+ "resourceGroup": "[variables('platformRgNames').connectivityRgSecondary]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('esLitedeploymentNames').privateDnsZoneRgLiteDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLitedeploymentNames').vnetConnectivityHubLiteDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLitedeploymentNames').nvaConnectivityHubLiteDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLitedeploymentNames').vnetConnectivityHubLite2DeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLitedeploymentNames').nvaConnectivityHubLite2DeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLitedeploymentNames').hubPeeringDeploymentName)]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').hubVnetRouting]"
+ },
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "value": "[parameters('enterpriseScaleCompanyPrefix')]"
+ },
+ "connectivityHubResourceId": {
+ "value": "[variables('platformResourceIds').vNetHubResourceIdSecondary]"
+ },
+ "subnetName": {
+ "value": "AzureFirewallSubnet"
+ },
+ "cidrRange": {
+ "value": "[parameters('addressPrefix')]"
+ },
+ "targetFWSubnetCidr": {
+ "value": "[parameters('subnetMaskForAzFw')]"
+ },
+ "sourceFWSubnetCidr": {
+ "value": "[parameters('subnetMaskForAzFwSecondary')]"
+ },
+ "hubLocation": {
+ "value": "[parameters('connectivityLocationSecondary')]"
}
}
}
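Review bot: the two hub route-table deployments (`vnetConnectivityRouteTableDeploymentName` and `vnetConnectivityRouteTable2DeploymentName`) gate on `equals(parameters('enableHub'), 'vhub')` plus both `enableAzFw` flags but never on `enableHubSecondary`; with `enableHubSecondary` set to `nva` and `enableAzFwSecondary` left at `Yes`, the primary hub would get a route whose next hop is computed from `subnetMaskForAzFwSecondary` inside an NVA hub that has no Azure Firewall. Add `equals(parameters('enableHubSecondary'), 'vhub')` to both conditions. In the hub peering deployment, `hubRgName` and `hubRgNameSecondary` rebuild the resource group name with `concat(parameters('enterpriseScaleCompanyPrefix'), '-vnethub-', ...)` while the route-table deployments use `variables('platformRgNames').connectivityRg` and `connectivityRgSecondary`; reference the variables in both places so a naming change cannot silently break the peering. Also move the stray `}` off the end of the `hubRgNameSecondary` value line.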
@@ -7617,25 +8848,24 @@
}
},
{
- "condition": "[and(equals(parameters('telemetryOptOut'), 'No'), equals(parameters('enableDdoS'), 'Yes'), equals(parameters('enableAzFw'), 'Yes'), equals(parameters('firewallSku'), 'Premium'), equals(parameters('denySubnetWithoutNsg'), 'Yes'), equals(parameters('denySubnetWithoutNsgForIdentity'), 'Yes'), equals(parameters('enableStorageHttps'), 'Yes'), or(equals(parameters('enableHub'), 'vhub'), equals(parameters('enableHub'), 'vwan')), or(not(empty(parameters('connectivitySubscriptionId'))), not(empty(parameters('singlePlatformSubscriptionId')))))]",
+ "condition": "[and(equals(parameters('telemetryOptOut'), 'No'), equals(parameters('enableMonitorBaselines'), 'Yes'))]",
"apiVersion": "2022-09-01",
- "name": "[variables('deploymentNames').ztnPhase1PidCuaDeploymentName]",
- "subscriptionId": "[coalesce(parameters('connectivitySubscriptionId'), parameters('singlePlatformSubscriptionId'))]",
+ "name": "[variables('deploymentNames').ambaPortalPidCuaDeploymentName]",
"location": "[deployment().location]",
"type": "Microsoft.Resources/deployments",
"properties": {
"mode": "Incremental",
"template": {
- "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": []
}
}
},
{
- "condition": "[and(equals(parameters('telemetryOptOut'), 'No'), equals(parameters('enableMonitorBaselines'), 'Yes'))]",
+ "condition": "[and(equals(parameters('telemetryOptOut'), 'No'), equals(parameters('enableSecondaryRegion'), 'Yes'))]",
"apiVersion": "2022-09-01",
- "name": "[variables('deploymentNames').ambaPortalPidCuaDeploymentName]",
+ "name": "[variables('deploymentNames').pidCuaDeploymentNameSecondaryRegion]",
"location": "[deployment().location]",
"type": "Microsoft.Resources/deployments",
"properties": {
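Review bot: the `ztnPhase1PidCuaDeploymentName` telemetry deployment, together with its long condition and `subscriptionId`, no longer appears in this hunk; if it was moved elsewhere in the file that is fine, otherwise this looks like a merge artifact and should be called out in the PR description. The new secondary-region telemetry resource gates on `parameters('enableSecondaryRegion')`, a parameter that appears nowhere else in this change, whereas every other secondary resource gates on `enableHubSecondary`; confirm it is declared and that the two cannot diverge, or derive the condition from `enableHubSecondary` directly.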
diff --git a/eslzArm/eslzArm.test.param.json b/eslzArm/eslzArm.test.param.json
index 1c6a1dc71d..49f805b566 100644
--- a/eslzArm/eslzArm.test.param.json
+++ b/eslzArm/eslzArm.test.param.json
@@ -146,6 +146,66 @@
"subnetMaskForAzFw": {
"value": ""
},
+ "addressPrefixSecondary": {
+ "value": "10.200.0.0/16"
+ },
+ "enablePrivateDnsZonesSecondary": {
+ "value": "Yes"
+ },
+ "enableVpnGwSecondary": {
+ "value": "No"
+ },
+ "enableVpnActiveActiveSecondary": {
+ "value": "Yes"
+ },
+ "gwRegionalOrAzSecondary": {
+ "value": ""
+ },
+ "gwRegionalSkuSecondary": {
+ "value": ""
+ },
+ "gwAzSkuSecondary": {
+ "value": ""
+ },
+ "vpnGateWayScaleUnitSecondary": {
+ "value": "1"
+ },
+ "subnetMaskForGwSecondary": {
+ "value": ""
+ },
+ "enableErGwSecondary": {
+ "value": "No"
+ },
+ "erAzSkuSecondary": {
+ "value": ""
+ },
+ "erRegionalSkuSecondary": {
+ "value": ""
+ },
+ "erRegionalOrAzSecondary": {
+ "value": ""
+ },
+ "expressRouteScaleUnitSecondary": {
+ "value": "1"
+ },
+ "enableHubSecondary": {
+ "value": "vhub"
+ },
+ "enableAzFwSecondary": {
+ "value": "No"
+ },
+ "enableAzFwDnsProxySecondary": {
+ "value": "No"
+ },
+ "firewallSkuSecondary": {
+ "value": "Standard"
+ },
+ "firewallZonesSecondary": {
+ "value": []
+ },
+ "subnetMaskForAzFwSecondary": {
+ "value": ""
+ },
"denyMgmtPortsForIdentity": {
"value": "Yes"
},
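Review bot: the test parameters enable a secondary `vhub` but set `enableAzFwSecondary` and `enableAzFwDnsProxySecondary` to `No` and leave `subnetMaskForAzFwSecondary` empty, so the new hub-to-hub route tables (conditioned on both firewalls being `Yes`) and the secondary DNS-proxy peering path are never exercised by the test deployment; add a second parameter file, or flip these to `Yes` with a firewall subnet, so `vnetRouteTable.json` is actually validated. `enableVpnActiveActiveSecondary` is `Yes` while `enableVpnGwSecondary` is `No`, which is harmless but misleading in a reference parameter file.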
@@ -164,6 +224,9 @@
"identityAddressPrefix": {
"value": "10.110.0.0/24"
},
+ "identityAddressPrefixSecondary": {
+ "value": "10.210.0.0/24"
+ },
"enableLzDdoS": {
"value": "No"
},
diff --git a/eslzArm/resourceGroupTemplates/privateDnsZones.json b/eslzArm/resourceGroupTemplates/privateDnsZones.json
index 4f9b10acc7..2663b1af5b 100644
--- a/eslzArm/resourceGroupTemplates/privateDnsZones.json
+++ b/eslzArm/resourceGroupTemplates/privateDnsZones.json
@@ -10,6 +10,19 @@
},
"connectivityHubResourceId": {
"type": "string"
+ },
+ "connectivityHubResourceIdSecondary": {
+ "type": "string",
+ "defaultValue": "placeholder"
+
+ },
+ "enablePrivateDnsZonesSecondary": {
+ "type": "string",
+ "defaultValue": "No"
+ },
+ "enableHubSecondary": {
+ "type": "string",
+ "defaultValue": "No"
}
},
"resources": [
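Review bot: stray blank line inside the `connectivityHubResourceIdSecondary` parameter object before its closing brace. A resource ID parameter defaulting to `"placeholder"` reads like a bug without context; add a `metadata.description` to the three new parameters (as the other templates in this change do) stating that the value is a sentinel only used when the secondary link is disabled by condition.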
@@ -38,6 +51,22 @@
"id": "[parameters('connectivityHubResourceId')]"
}
}
+ },
+ {
+ "type": "virtualNetworkLinks",
+ "apiVersion": "2020-06-01",
+ "name": "[concat('linkingOf', parameters('privateDnsZoneName'),2)]",
+ "location": "global",
+ "condition": "[and(equals(parameters('enablePrivateDnsZonesSecondary'), 'No'), not(equals(parameters('enableHubSecondary'), 'No')))]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Network/privateDnsZones', parameters('privateDnsZoneName'))]"
+ ],
+ "properties": {
+ "registrationEnabled": false,
+ "virtualNetwork": {
+ "id": "[parameters('connectivityHubResourceIdSecondary')]"
+ }
+ }
}
]
}
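Review bot: the link name `concat('linkingOf', parameters('privateDnsZoneName'),2)` passes the integer `2` to `concat`; use the string `'2'` so the expression stays a plain string concatenation like the primary link's name. The condition `and(equals(parameters('enablePrivateDnsZonesSecondary'), 'No'), not(equals(parameters('enableHubSecondary'), 'No')))` encodes "link the primary zones to the secondary hub only when no secondary zones are deployed"; a one-line comment saying so would spare the next reader the double negative.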
diff --git a/eslzArm/resourceGroupTemplates/vnetRouteTable.json b/eslzArm/resourceGroupTemplates/vnetRouteTable.json
new file mode 100644
index 0000000000..f879e4a617
--- /dev/null
+++ b/eslzArm/resourceGroupTemplates/vnetRouteTable.json
@@ -0,0 +1,76 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "topLevelManagementGroupPrefix" : {
+ "type": "string"
+ },
+ "connectivityHubResourceId": {
+ "type": "string"
+ },
+ "subnetName": {
+ "type": "string"
+ },
+ "cidrRange": {
+ "type": "string"
+ },
+ "targetFWSubnetCidr": {
+ "type": "string"
+ },
+ "sourceFWSubnetCidr": {
+ "type": "string"
+ },
+ "hubLocation": {
+ "type": "string"
+ }
+ },
+ "variables": {
+ "routeTableName": "[concat(parameters('topLevelManagementGroupPrefix'), '-rt-hub-', parameters('hubLocation'))]",
+ "vNetName": "[last(split(parameters('connectivityHubResourceId'), '/'))]",
+ "nextHopIP": "[first(split(cidrsubnet(parameters('targetFWSubnetCidr'), 32, 4), '/'))]"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Network/routeTables",
+ "apiVersion": "2020-07-01",
+ "name": "[variables('routeTableName')]",
+ "location": "[parameters('hubLocation')]",
+ "properties": {
+ "routes": [
+ {
+ "name": "hubRoute",
+ "properties": {
+ "addressPrefix": "[parameters('cidrRange')]",
+ "nextHopType": "VirtualAppliance",
+ "nextHopIpAddress": "[variables('nextHopIP')]"
+ }
+ },
+ {
+ "name": "internetRoute",
+ "properties": {
+ "addressPrefix": "0.0.0.0/0",
+ "nextHopType": "Internet"
+ }
+ }
+ ]
+
+ }
+ },
+ {
+ "type": "Microsoft.Network/virtualNetworks/subnets",
+ "apiVersion": "2020-07-01",
+ "name": "[concat(variables('vNetName'), '/', parameters('subnetName'))]",
+ "properties": {
+ "addressPrefix": "[parameters('sourceFWSubnetCidr')]",
+ "routeTable": {
+ "id": "[resourceId('Microsoft.Network/routeTables', variables('routeTableName'))]"
+ }
+
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Network/routeTables', variables('routeTableName'))]"
+ ]
+ }
+ ]
+}
+
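Review bot: `nextHopIP` is derived as `cidrSubnet(targetFWSubnetCidr, 32, 4)`, i.e. it assumes the remote firewall always holds the first usable address (.4) of its subnet. That holds for a freshly created AzureFirewallSubnet but is not guaranteed; taking the firewall's actual private IP as a parameter (from the firewall deployment's output) makes `hubRoute` robust. Second, the `Microsoft.Network/virtualNetworks/subnets` resource rewrites the subnet with only `addressPrefix` and `routeTable`, so any other properties already on that subnet are dropped on redeploy; state that this template is meant for the firewall subnet only. Third, add a comment explaining why the explicit `0.0.0.0/0 -> Internet` route is on the firewall subnet; without it the route reads as a bypass of the firewall rather than as protection of the firewall's own outbound path. Minor: remove the blank lines inside the `routes` array and the `routeTable` object, and the trailing empty line.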
diff --git a/eslzArm/subscriptionTemplates/azFw-basepolicy.json b/eslzArm/subscriptionTemplates/azFw-basepolicy.json
new file mode 100644
index 0000000000..6c23ee3fca
--- /dev/null
+++ b/eslzArm/subscriptionTemplates/azFw-basepolicy.json
@@ -0,0 +1,118 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "type": "string",
+ "maxLength": 10,
+ "metadata": {
+ "description": "Provide a prefix (max 10 characters, unique at tenant-scope) for the Management Group hierarchy and other resources created as part of Enterprise-scale."
+ }
+ },
+ "location": {
+ "type": "string",
+ "metadata": {
+ "displayName": "location",
+ "description": "Location of the HUB"
+ },
+ "defaultValue": "[deployment().location]"
+ },
+ "enableAzFwDnsProxy": {
+ "type": "string",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ],
+ "defaultValue": "No",
+ "metadata": {
+ "description": "Select whether the Azure Firewall should be used as DNS Proxy or not."
+ }
+ },
+ "connectivitySubscriptionId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Provide the subscription id for the dedicated connectivity subscription."
+ }
+ },
+ "firewallSku": {
+ "type": "string",
+ "allowedValues": [
+ "Basic",
+ "Standard",
+ "Premium"
+ ],
+ "defaultValue": "Standard"
+ }
+ },
+ "variables": {
+ "rgName": "[concat(parameters('topLevelManagementGroupPrefix'), '-fwBasePolicy-', parameters('location'))]",
+ "azFwPolicyName": "[concat(parameters('topLevelManagementGroupPrefix'), '-azfwpolicy-base-', parameters('location'))]",
+ "resourceDeploymentName": "[take(concat(deployment().name, '-azfwpolicy-base-', parameters('location')), 64)]",
+ "azFirewallPolicyId": {
+ "id": "[concat('/subscriptions/', parameters('connectivitySubscriptionId'), '/resourceGroups/', variables('rgName'), '/providers/Microsoft.Network/firewallPolicies/', variables('azFwPolicyName'))]"
+ },
+ "azFirewallDnsSettings": {
+ "enableProxy": true
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "location": "[parameters('location')]",
+ "name": "[concat('alz-', parameters('location'), '-', substring(uniqueString(parameters('connectivitySubscriptionId')),0,6), '-azFwBasePolicy')]",
+ "subscriptionId": "[parameters('connectivitySubscriptionId')]",
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {},
+ "resources": [
+ {
+ "type": "Microsoft.Resources/resourceGroups",
+ "apiVersion": "2019-10-01",
+ "location": "[parameters('location')]",
+ "name": "[variables('rgName')]",
+ "properties": {}
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "[variables('resourceDeploymentName')]",
+ "resourceGroup": "[variables('rgName')]",
+ "dependsOn": [
+ "[concat('Microsoft.Resources/resourceGroups/', variables('rgName'))]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {},
+ "resources": [
+ {
+ "type": "Microsoft.Network/firewallPolicies",
+ "apiVersion": "2020-11-01",
+ "name": "[variables('azFwPolicyName')]",
+ "location": "[parameters('location')]",
+ "properties": {
+ "dnsSettings": "[if(equals(parameters('enableAzFwDnsProxy'), 'Yes'), variables('azFirewallDnsSettings'), json('null'))]",
+ "sku": {
+ "tier": "[parameters('firewallSku')]"
+
+ }
+ }
+ }
+ ]
+ }
+ }
+ }
+ ]
+ }
+ }
+ }
+ ],
+ "outputs": {}
+}
\ No newline at end of file
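Review bot: `connectivitySubscriptionId` has `"defaultValue": ""` yet is used unguarded as the nested deployment's `subscriptionId` and inside `uniqueString(...)`; with the default the deployment cannot succeed, so either remove the default (making the parameter required) or put a `condition` on the outer deployment. The variable `azFirewallPolicyId` is computed but never used or exported, and `outputs` is empty; since a base policy exists to be referenced by the regional policies, emit the policy resource ID as an output instead of forcing callers to rebuild it. Also drop the blank line inside `sku` and add the missing newline at end of file.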
diff --git a/eslzArm/subscriptionTemplates/hubspoke-connectivity.json b/eslzArm/subscriptionTemplates/hubspoke-connectivity.json
index 62e4c32f2f..4a65306e51 100644
--- a/eslzArm/subscriptionTemplates/hubspoke-connectivity.json
+++ b/eslzArm/subscriptionTemplates/hubspoke-connectivity.json
@@ -303,10 +303,10 @@
"location": "[parameters('location')]",
"name": "[variables('azVpnGwIpName')]",
"sku": {
- "name": "[if(equals(parameters('gwRegionalOrAz'), 'Zone'), 'Standard', 'Basic')]"
+ "name": "Standard"
},
"properties": {
- "publicIPAllocationMethod": "[if(equals(parameters('gwRegionalOrAz'), 'Zone'), 'Static', 'Dynamic')]"
+ "publicIPAllocationMethod": "Static"
}
},
{
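Review bot: hard-coding `Standard`/`Static` makes `gwRegionalOrAz` irrelevant for this public IP; check whether the parameter still drives the gateway SKU elsewhere and, if not, remove it rather than leaving a dead switch. The change itself is sound: Basic SKU public IPs are being retired, and Standard SKU public IPs are closed to inbound traffic by default, so this is not a security regression. The same remark applies to the `azVpnGwAAIpName` and `azErGwIpName` hunks that follow.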
@@ -316,10 +316,10 @@
"location": "[parameters('location')]",
"name": "[variables('azVpnGwAAIpName')]",
"sku": {
- "name": "[if(equals(parameters('gwRegionalOrAz'), 'Zone'), 'Standard', 'Basic')]"
+ "name": "Standard"
},
"properties": {
- "publicIPAllocationMethod": "[if(equals(parameters('gwRegionalOrAz'), 'Zone'), 'Static', 'Dynamic')]"
+ "publicIPAllocationMethod": "Static"
}
},
{
@@ -444,10 +444,10 @@
"location": "[parameters('location')]",
"name": "[variables('azErGwIpName')]",
"sku": {
- "name": "[if(equals(parameters('erRegionalOrAz'), 'Zone'), 'Standard', 'Basic')]"
+ "name": "Standard"
},
"properties": {
- "publicIPAllocationMethod": "[if(equals(parameters('erRegionalOrAz'), 'Zone'), 'Static', 'Dynamic')]"
+ "publicIPAllocationMethod": "Static"
}
},
{
@@ -535,6 +535,7 @@
"dnsSettings": "[if(equals(parameters('enableAzFwDnsProxy'), 'Yes'), variables('azFirewallDnsSettings'), json('null'))]",
"sku": {
"tier": "[parameters('firewallSku')]"
+
}
}
},
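Review bot: this hunk only inserts a blank line inside the `sku` object; drop it so the diff is limited to functional changes (the same stray blank line appears in the new azFw-basepolicy.json).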
diff --git a/eslzArm/subscriptionTemplates/vnetPeering.json b/eslzArm/subscriptionTemplates/vnetPeering.json
index a1f4bc65bd..750935b657 100644
--- a/eslzArm/subscriptionTemplates/vnetPeering.json
+++ b/eslzArm/subscriptionTemplates/vnetPeering.json
@@ -80,7 +80,7 @@
{
"type": "Microsoft.Resources/resourceGroups",
"apiVersion": "2020-06-01",
- "name": "NetworkWatcherRG",
+ "name": "[concat('NetworkWatcherRG-', parameters('vNetLocation'))]",
"location": "[parameters('vNetLocation')]",
"properties": {}
}
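Review bot: renaming to `NetworkWatcherRG-<location>` avoids deploying one resource group named `NetworkWatcherRG` with two different locations (a resource group's location is immutable), but two effects deserve a line in the PR description: existing single-region deployments will now get a second, empty resource group next to the original, and Network Watcher auto-provisioning still uses the fixed name `NetworkWatcherRG`, so unless a `Microsoft.Network/networkWatchers` resource is deployed into this group the platform creates its own group anyway. Either deploy the watcher here or document why the group is created empty.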
diff --git a/eslzArm/subscriptionTemplates/vnetPeeringHub.json b/eslzArm/subscriptionTemplates/vnetPeeringHub.json
new file mode 100644
index 0000000000..0cebe9390e
--- /dev/null
+++ b/eslzArm/subscriptionTemplates/vnetPeeringHub.json
@@ -0,0 +1,113 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "hubResourceId": {
+ "type": "string",
+ "metadata": {
+ "description": "Provide the resourceId for the primary hub."
+ }
+ },
+ "hubResourceIdSecondary": {
+ "type": "string",
+ "metadata": {
+ "description": "Provide the resourceId for the secondary hub."
+ }
+ },
+ "hubLocation": {
+ "type": "string",
+ "metadata": {
+ "description": "Provide the location for the primary hub."
+ }
+ },
+ "hubLocationSecondary": {
+ "type": "string",
+ "metadata": {
+ "description": "Provide the location for the secondary hub."
+ }
+ },
+ "hubRgName": {
+ "type": "string",
+ "metadata": {
+ "description": "Provide the name of the RG of the primary hub."
+ }
+ },
+ "hubRgNameSecondary": {
+ "type": "string",
+ "metadata": {
+ "description": "Provide the name of the RG of the Secondary hub."
+ }
+ }
+ },
+ "variables": {
+ "hubName": "[last(split(parameters('hubResourceId'), '/'))]",
+ "hubNameSecondary": "[last(split(parameters('hubResourceIdSecondary'), '/'))]"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-06-01",
+ "name": "[concat('alz-vnet-', parameters('hubLocation'), '-', substring(uniqueString(subscription().id),0,6))]",
+ "resourceGroup": "[parameters('hubRgName')]",
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings",
+ "apiVersion": "2020-07-01",
+ "name": "[concat(variables('hubName'), '/peerTo', variables('hubNameSecondary'))]",
+ "properties": {
+ "remoteVirtualNetwork": {
+ "id": "[parameters('hubResourceIdSecondary')]"
+ },
+ "allowVirtualNetworkAccess": true,
+ "allowForwardedTraffic": true,
+ "allowGatewayTransit": false,
+ "useRemoteGateways": false
+ }
+ }
+ ],
+ "outputs": {}
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-06-01",
+ "name": "[concat('alz-vnet-', parameters('hubLocationSecondary'), '-', substring(uniqueString(subscription().id),0,6))]",
+ "resourceGroup": "[parameters('hubRgNameSecondary')]",
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings",
+ "apiVersion": "2020-07-01",
+ "name": "[concat(variables('hubNameSecondary'), '/peerTo', variables('hubName'))]",
+ "properties": {
+ "remoteVirtualNetwork": {
+ "id": "[parameters('hubResourceId')]"
+ },
+ "allowVirtualNetworkAccess": true,
+ "allowForwardedTraffic": true,
+ "allowGatewayTransit": false,
+ "useRemoteGateways": false
+ }
+ }
+ ],
+ "outputs": {}
+ }
+ }
+ }
+ ],
+ "outputs": {}
+}
\ No newline at end of file
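Review bot: neither nested deployment has a `condition`, so the caller must invoke this template only when a secondary hub exists; with `placeholder` defaults used for the secondary hub ID elsewhere in this PR that is easy to get wrong, so consider gating on `not(empty(parameters('hubResourceIdSecondary')))`. If `hubLocation` equals `hubLocationSecondary`, the two nested deployment names (`alz-vnet-<location>-<hash>`) collide; include the hub name in the deployment name. The peering flags are right for hub-to-hub: `allowForwardedTraffic: true` is needed so traffic forwarded by the firewall in one hub is accepted by the other, and `allowGatewayTransit`/`useRemoteGateways` both false keeps each hub on its own gateways. Minor: "Secondary hub" in the `hubRgNameSecondary` description, and the missing newline at end of file.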
diff --git a/eslzArm/subscriptionTemplates/vnetPeeringVwan.json b/eslzArm/subscriptionTemplates/vnetPeeringVwan.json
index 0027eec257..a0f502f0e4 100644
--- a/eslzArm/subscriptionTemplates/vnetPeeringVwan.json
+++ b/eslzArm/subscriptionTemplates/vnetPeeringVwan.json
@@ -58,7 +58,7 @@
{
"type": "Microsoft.Resources/resourceGroups",
"apiVersion": "2020-06-01",
- "name": "NetworkWatcherRG",
+ "name": "[concat('NetworkWatcherRG-', parameters('vNetLocation'))]",
"location": "[parameters('vNetLocation')]",
"properties": {}
}
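Review bot: same naming change as in vnetPeering.json, with the same consequences: existing deployments gain a second, empty `NetworkWatcherRG-<location>` group, and Network Watcher auto-provisioning still targets the fixed name `NetworkWatcherRG` unless a watcher resource is deployed into this group. Keep the two templates in step and document the choice once.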
diff --git a/eslzArm/subscriptionTemplates/vwan-connectivity.json b/eslzArm/subscriptionTemplates/vwan-connectivity.json
index 274c10c96b..5523d24d21 100644
--- a/eslzArm/subscriptionTemplates/vwan-connectivity.json
+++ b/eslzArm/subscriptionTemplates/vwan-connectivity.json
@@ -137,6 +137,132 @@
"vWAN Hub Capacity Units"
},
"defaultValue": "2"
+ },
+ "addressPrefixSecondary": {
+ "type": "string",
+ "metadata": {
+ "displayName": "addressPrefix",
+ "description": "Address prefix of the VHUB"
+ },
+ "defaultValue": "10.100.0.0/23"
+ },
+ "locationSecondary": {
+ "type": "string",
+ "metadata": {
+ "displayName": "location",
+ "description": "Location of the VHUB"
+ },
+ "defaultValue": "[deployment().location]"
+ },
+ "enableHubSecondary": {
+ "type": "string",
+ "allowedValues": [
+ "vwan",
+ "No"
+ ],
+ "defaultValue": "No"
+ },
+ "enableAzFwSecondary": {
+ "type": "string",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ],
+ "defaultValue": "No"
+ },
+ "firewallSkuSecondary": {
+ "type": "string",
+ "allowedValues": [
+ "Basic",
+ "Standard",
+ "Premium"
+ ],
+ "defaultValue": "Standard"
+ },
+ "enableAzFwDnsProxySecondary": {
+ "type": "string",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ],
+ "defaultValue": "No",
+ "metadata": {
+ "description": "Select whether the Azure Firewall should be used as DNS Proxy or not."
+ }
+ },
+ "enableVpnGwSecondary": {
+ "type": "string",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ],
+ "defaultValue": "No"
+ },
+ "enableErGwSecondary": {
+ "type": "string",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ],
+ "defaultValue": "No"
+ },
+ "vpnGateWayScaleUnitSecondary": {
+ "type": "string",
+ "defaultValue": "1"
+ },
+ "expressRouteScaleUnitSecondary": {
+ "type": "string",
+ "defaultValue": "1"
+ },
+ "firewallZonesSecondary": {
+ "type": "array",
+ "defaultValue": []
+ },
+ "internetTrafficRoutingPolicySecondary": {
+ "type": "bool",
+ "defaultValue": true,
+ "metadata": {
+ "description": "Enable vWAN Routing Intent and Policy for Internet Traffic"
+ }
+ },
+ "privateTrafficRoutingPolicySecondary": {
+ "type": "bool",
+ "defaultValue": true,
+ "metadata": {
+ "description": "Enable vWAN Routing Intent and Policy for Private Traffic"
+ }
+ },
+ "enablevWANRoutingIntentSecondary":{
+ "type": "string",
+ "allowedValues":[
+ "Yes",
+ "No"
+ ],
+ "metadata": {
+ "description":
+ "Enable vWAN Routing Intent"
+ }
+ },
+ "vWANHubRoutingPreferenceSecondary":{
+ "type": "string",
+ "defaultValue": "ExpressRoute",
+ "allowedValues":[
+ "ExpressRoute",
+ "VpnGateway",
+ "ASPath"
+ ],
+ "metadata": {
+ "description":
+ "vWAN Hub Routing Preference"
+ }
+ },
+ "vWANHubCapacitySecondary":{
+ "type": "string",
+ "metadata": {
+ "description":
+ "vWAN Hub Capacity Units"
+ },
+ "defaultValue": "2"
}
},
"variables": {
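Review bot: `enablevWANRoutingIntentSecondary` has no `defaultValue`, so it becomes a required parameter and every existing caller of this template breaks even when no secondary hub is requested; give it `"defaultValue": "No"` like the other `*Secondary` switches. `locationSecondary` defaults to `deployment().location`; if the primary `location` resolves to the same region, the secondary resource names (`<prefix>-hub-<location>` and friends) collide with the primary ones, so either require the value or assert the two locations differ. The `displayName` metadata for `addressPrefixSecondary` and `locationSecondary` still reads `addressPrefix`/`location`, and both descriptions omit "secondary"; fix them so the portal form is unambiguous.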
@@ -159,7 +285,21 @@
"azFirewallDnsSettings": {
"enableProxy": true
},
- "routingIntentnexthop":"[concat('/subscriptions/', parameters('connectivitySubscriptionId'), '/resourceGroups/', variables ('rgName'), '/providers/Microsoft.Network/azureFirewalls/', variables ('azFwName'))]"
+ "routingIntentnexthop":"[concat('/subscriptions/', parameters('connectivitySubscriptionId'), '/resourceGroups/', variables ('rgName'), '/providers/Microsoft.Network/azureFirewalls/', variables ('azFwName'))]",
+ "vpngwnameSecondary": "[concat(parameters('topLevelManagementGroupPrefix'), '-vpngw-', parameters('locationSecondary'))]",
+ "ergwnameSecondary": "[concat(parameters('topLevelManagementGroupPrefix'), '-ergw-', parameters('locationSecondary'))]",
+ "vHubNameSecondary": "[concat(parameters('topLevelManagementGroupPrefix'), '-hub-', parameters('locationSecondary'))]",
+ "azFwNameSecondary": "[concat(parameters('topLevelManagementGroupPrefix'), '-fw-', parameters('locationSecondary'))]",
+ "azFwPolicyNameSecondary": "[concat(parameters('topLevelManagementGroupPrefix'), '-azfwpolicy-', parameters('locationSecondary'))]",
+ "vwanhubSecondary": "[concat('/subscriptions/', parameters('connectivitySubscriptionId'), '/resourceGroups/', variables('rgName'),'/providers/Microsoft.Network/virtualHubs/', variables('vhubnameSecondary'))]",
+ "vhubskuSecondary": "Standard",
+ "azFirewallPolicyIdSecondary": {
+ "id": "[concat('/subscriptions/', parameters('connectivitySubscriptionId'), '/resourceGroups/', variables('rgName'), '/providers/Microsoft.Network/firewallPolicies/', variables('azFwPolicyNameSecondary'))]"
+ },
+ "azFirewallDnsSettingsSecondary": {
+ "enableProxy": true
+ },
+ "routingIntentnexthopSecondary":"[concat('/subscriptions/', parameters('connectivitySubscriptionId'), '/resourceGroups/', variables ('rgName'), '/providers/Microsoft.Network/azureFirewalls/', variables ('azFwNameSecondary'))]"
},
"resources": [
{
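Review bot: variable casing is inconsistent: `vHubNameSecondary` is declared but referenced as `vhubnameSecondary` in `vwanhubSecondary` (and as `vhubnamesecondary` in the secondary firewall's `dependsOn`). Whether or not the engine resolves the mismatched case, use one spelling so a search finds every reference. `azFirewallDnsSettingsSecondary` is an exact copy of `azFirewallDnsSettings`; reuse the existing variable instead of duplicating it.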
@@ -236,7 +376,7 @@
"location": "[parameters('location')]",
"name": "[variables('vpngwname')]",
"dependsOn": [
- "[concat('Microsoft.Network/virtualHubs/',variables('vhubname'))]"
+ "[concat('Microsoft.Network/virtualHubs/', variables('vhubname'))]"
],
"properties": {
"virtualHub": {
@@ -290,7 +430,7 @@
"zones": "[if(not(empty(parameters('firewallZones'))), parameters('firewallZones'), json('null'))]",
"dependsOn": [
"[concat('Microsoft.Network/firewallPolicies/', variables('azFwPolicyName'))]",
- "[concat('Microsoft.Network/virtualHubs/',variables('vhubname'))]"
+ "[concat('Microsoft.Network/virtualHubs/', variables('vhubname'))]"
],
"properties": {
"sku": {
@@ -317,7 +457,7 @@
"apiVersion": "2023-04-01",
"name":"[concat(variables('vhubname'),'/','RoutingIntent')]",
"dependsOn": [
- "[concat('Microsoft.Network/virtualHubs/',variables('vhubname'))]",
+ "[concat('Microsoft.Network/virtualHubs/', variables('vhubname'))]",
"[concat('/subscriptions/', parameters('connectivitySubscriptionId'), '/resourceGroups/', variables ('rgName'), '/providers/Microsoft.Network/azureFirewalls/', variables ('azFwName'))]"
],
"properties":{
@@ -334,7 +474,136 @@
createArray(
createObject('name', 'PrivateTraffic', 'destinations', createArray('PrivateTraffic'), 'nextHop', variables('routingIntentnexthop')))))]"
}
+ },
+ //Begin Secondary vhub Deployment
+ {
+ "condition": "[and(equals(parameters('enableHubSecondary'), 'vwan'), not(empty(parameters('addressPrefixSecondary'))))]",
+ "type": "Microsoft.Network/virtualHubs",
+ "apiVersion": "2023-04-01",
+ "location": "[parameters('locationSecondary')]",
+ "name": "[variables('vHubNameSecondary')]",
+ "dependsOn": [
+ "[concat('Microsoft.Network/virtualWans/', variables('vWanName'))]"
+ ],
+ "properties": {
+ "virtualWan": {
+ "id": "[variables('vwanresourceid')]"
+ },
+ "addressPrefix": "[parameters('addressPrefixSecondary')]",
+ "sku": "[variables('vhubskuSecondary')]",
+ "hubRoutingPreference": "[parameters('vWANHubRoutingPreferenceSecondary')]",
+ "virtualRouterAutoScaleConfiguration": {
+ "minCapacity": "[int(parameters('vWANHubCapacitySecondary'))]"
+ }
+ }
+ },
+ {
+ "condition": "[and(equals(parameters('enableHubSecondary'), 'vwan'), equals(parameters('enableVpnGwSecondary'), 'Yes'))]",
+ "type": "Microsoft.Network/vpnGateways",
+ "apiVersion": "2020-05-01",
+ "location": "[parameters('locationSecondary')]",
+ "name": "[variables('vpngwnameSecondary')]",
+ "dependsOn": [
+ "[concat('Microsoft.Network/virtualHubs/', variables('vHubNameSecondary'))]"
+ ],
+ "properties": {
+ "virtualHub": {
+ "id": "[variables('vwanhub')]"
+ },
+ "bgpSettings": {
+ "asn": "[variables('vpnbgpasn')]"
+ },
+ "vpnGatewayScaleUnit": "[int(parameters('vpnGateWayScaleUnit'))]"
+ }
+ },
+ {
+ "condition": "[and(equals(parameters('enableHubSecondary'), 'vwan'), equals(parameters('enableErGwSecondary'), 'Yes'))]",
+ "type": "Microsoft.Network/expressRouteGateways",
+ "apiVersion": "2020-05-01",
+ "location": "[parameters('locationSecondary')]",
+ "name": "[variables('ergwnameSecondary')]",
+ "dependsOn": [
+ "[concat('Microsoft.Network/virtualHubs/', variables('vHubNameSecondary'))]"
+ ],
+ "properties": {
+ "virtualHub": {
+ "id": "[variables('vwanhubSecondary')]"
+ },
+ "autoScaleConfiguration": {
+ "bounds": {
+ "min": "[int(parameters('expressRouteScaleUnitSecondary'))]"
+ }
+ }
+ }
+ },
+ {
+ "condition": "[equals(parameters('enableAzFwSecondary'), 'Yes')]",
+ "type": "Microsoft.Network/firewallPolicies",
+ "apiVersion": "2020-11-01",
+ "name": "[variables('azFwPolicyNameSecondary')]",
+ "location": "[parameters('locationSecondary')]",
+ "properties": {
+ "dnsSettings": "[if(equals(parameters('enableAzFwDnsProxySecondary'), 'Yes'), variables('azFirewallDnsSettingsSecondary'), json('null'))]",
+ "sku": {
+ "tier": "[parameters('firewallSkuSecondary')]"
+ }
+ }
+ },
+ {
+ "condition": "[equals(parameters('enableAzFwSecondary'), 'Yes')]",
+ "apiVersion": "2020-05-01",
+ "type": "Microsoft.Network/azureFirewalls",
+ "name": "[variables('azFwNameSecondary')]",
+ "location": "[parameters('locationSecondary')]",
+ "zones": "[if(not(empty(parameters('firewallZonesSecondary'))), parameters('firewallZonesSecondary'), json('null'))]",
+ "dependsOn": [
+ "[concat('Microsoft.Network/firewallPolicies/', variables('azFwPolicyNameSecondary'))]",
+ "[concat('Microsoft.Network/virtualHubs/', variables('vhubnamesecondary'))]"
+ ],
+ "properties": {
+ "sku": {
+ "Name": "AZFW_Hub",
+ "Tier": "[parameters('firewallSkuSecondary')]"
+ },
+ "hubIPAddresses": {
+ "publicIPs": {
+ "addresses": "[json('[]')]",
+ "count": 1
+ }
+ },
+ "virtualHub": {
+ "id": "[variables('vwanhubSecondary')]"
+ },
+ "firewallPolicy": {
+ "id": "[variables('azFirewallPolicyIdSecondary').id]"
+ }
+ }
+ },
+ {
+ "condition":"[and(equals(parameters('enablevWANRoutingIntentSecondary'), 'Yes'),equals(parameters('enableAzFwSecondary'), 'Yes'))]",
+ "type": "Microsoft.Network/virtualHubs/routingIntent",
+ "apiVersion": "2023-04-01",
+ "name":"[concat(variables('vHubNameSecondary'),'/','RoutingIntent')]",
+ "dependsOn": [
+ "[concat('Microsoft.Network/virtualHubs/', variables('vHubNameSecondary'))]",
+ "[concat('/subscriptions/', parameters('connectivitySubscriptionId'), '/resourceGroups/', variables ('rgName'), '/providers/Microsoft.Network/azureFirewalls/', variables ('azFwNameSecondary'))]"
+ ],
+ "properties":{
+ "routingPolicies": "[
+ if(and(equals(parameters('internetTrafficRoutingPolicySecondary'), true()),
+ equals(parameters('privateTrafficRoutingPolicySecondary'), true())),
+ createArray(
+ createObject('name', 'PublicTraffic', 'destinations', createArray('Internet'), 'nextHop', variables('routingIntentnexthopSecondary')),
+ createObject('name', 'PrivateTraffic', 'destinations', createArray('PrivateTraffic'), 'nextHop', variables('routingIntentnexthopSecondary'))),
+ if(and(equals(parameters('internetTrafficRoutingPolicySecondary'), true()),
+ equals(parameters('privateTrafficRoutingPolicySecondary'), false())),
+ createArray(
+ createObject('name', 'PublicTraffic', 'destinations', createArray('Internet'), 'nextHop', variables('routingIntentnexthopSecondary'))),
+ createArray(
+ createObject('name', 'PrivateTraffic', 'destinations', createArray('PrivateTraffic'), 'nextHop', variables('routingIntentnexthopSecondary')))))]"
+ }
}
+
]
}
}
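Review bot: the secondary `vpnGateways` resource attaches to the wrong hub: its `virtualHub.id` is `variables('vwanhub')` (the primary hub) instead of `variables('vwanhubSecondary')`, and `vpnGatewayScaleUnit` reads `parameters('vpnGateWayScaleUnit')` rather than `vpnGateWayScaleUnitSecondary`, leaving the new parameter unused; the `expressRouteGateways` resource directly below uses the secondary variables correctly and is the pattern to copy. Next, the firewall policy and firewall resources are conditioned only on `enableAzFwSecondary`, not on `enableHubSecondary` being `'vwan'`, so setting the firewall switch without the hub makes the firewall deployment fail on its `dependsOn` to a hub that is never created; gate every secondary resource on the hub switch, as the hub itself is. `vhubnamesecondary` in the firewall `dependsOn` should match the declared `vHubNameSecondary`. The `//Begin Secondary vhub Deployment` comment is acceptable in ARM JSON, but the blank line added before the closing `]` is not needed.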