Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
/*
Deploys a opinionated network foundation - work in progress
- Log analytics workspace
- VNET with default subnets
- Diagnostics settings for all resources - pushing all logs+metrics to the log analytics workspace
*/
var resourceNamePrefix = 'jvw-lbspike'
var resourceLocation = 'westeurope'
/*
Main log analytics workspace - will serve a sink for *all* services' diagnostics settings
Typically referenced as 'workspaceId': workspace.id in Microsoft.Insights/diagnosticSettings resources
*/
resource workspace 'Microsoft.OperationalInsights/workspaces@2021-06-01' = {
name: '${resourceNamePrefix}-logs'
location: resourceLocation
}
/*
Virtual network with some defaults
- NOTE the 'gatewaysubnet', 'AzureBastionSubnet' and 'AzureFirewallSubnet' subnets.
Subnets for the VPN gateway, Azure Bastion and Azure Firewall *must* have this name
- Adding subnets is easy (given there is still unused IP space). Removing/changing is quite a bit more difficult.
*/
resource network 'Microsoft.Network/virtualNetworks@2021-02-01' = {
name: '${resourceNamePrefix}-vnet'
location: resourceLocation
properties:{
addressSpace: {
addressPrefixes: [
'10.0.0.0/16'
]
}
subnets:[
{
name: 'gatewaysubnet'
properties:{
addressPrefix: '10.0.0.0/24'
}
}
{
name: 'AzureBastionSubnet'
properties:{
addressPrefix: '10.0.1.0/24'
}
}
{
name: 'AzureFirewallSubnet'
properties:{
addressPrefix: '10.0.2.0/24'
}
}
{
name: 'LoadBalancerSubnet'
properties:{
addressPrefix: '10.0.10.0/24'
}
}
{
name: 'AppTier'
properties:{
addressPrefix: '10.0.11.0/24'
}
}
{
name: 'DataTier'
properties:{
addressPrefix: '10.0.12.0/24'
}
}
]
}
}
resource networkDiagnostics 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
scope: network
name: '${resourceNamePrefix}-vnet-diagnostics'
properties: {
'workspaceId': workspace.id
logs: [
{
category: 'VMProtectionAlerts'
enabled: true
}
]
metrics: [
{
category: 'AllMetrics'
enabled: true
}
]
}
}
/*
Public IP address for the Azure Firewall
- 'Standard' SKU is required and 'Static' allocation method as well
*/
resource azureFirewallPIP 'Microsoft.Network/publicIPAddresses@2021-02-01' = {
name: '${resourceNamePrefix}-fw-pip'
location: resourceLocation
zones: [
'1'
'2'
'3'
]
properties: {
publicIPAllocationMethod: 'Static'
}
sku: {
name: 'Standard'
tier: 'Regional'
}
}
resource azureFirewallPIPDiagnostics 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
scope: azureFirewallPIP
name: '${resourceNamePrefix}-fw-pip-diagnostics'
properties: {
'workspaceId': workspace.id
logs: [
{
category: 'DDoSProtectionNotifications'
enabled: true
}
{
category: 'DDoSMitigationFlowLogs'
enabled: true
}
{
category: 'DDoSMitigationReports'
enabled: true
}
]
metrics: [
{
category: 'AllMetrics'
enabled: true
}
]
}
}
resource azureFirewall 'Microsoft.Network/azureFirewalls@2021-02-01' = {
name: '${resourceNamePrefix}-fw'
location: resourceLocation
zones: [
'1'
'2'
'3'
]
properties: {
ipConfigurations: [
{
name: azureFirewallPIP.name
properties: {
publicIPAddress: {
id: azureFirewallPIP.id
}
subnet: {
id: '${network.id}/subnets/AzureFirewallSubnet'
}
}
}
]
}
}
resource azureFirewallDiagnostics 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
scope: azureFirewall
name: '${resourceNamePrefix}-fw-diagnostics'
properties: {
'workspaceId': workspace.id
logs: [
{
category: 'AzureFirewallApplicationRule'
enabled: true
}
{
category: 'AzureFirewallNetworkRule'
enabled: true
}
{
category: 'AzureFirewallDnsProxy'
enabled: true
}
]
metrics: [
{
category: 'AllMetrics'
enabled: true
}
]
}
}
/*
Azure loadbalancer with a private in the LoadBalancer subnet
No backend pools configured at this point
*/
resource loadbalancer 'Microsoft.Network/loadBalancers@2021-02-01' = {
name: '${resourceNamePrefix}-lb'
location: resourceLocation
sku: {
name: 'Standard'
tier: 'Regional'
}
properties: {
frontendIPConfigurations: [
{
name: 'loadbalancerfrontendip'
properties: {
privateIPAddressVersion: 'IPv4'
privateIPAllocationMethod: 'Dynamic'
subnet: {
id: '${network.id}/subnets/LoadBalancerSubnet'
}
}
}
]
}
}
resource azureLoadBalancerDiagnostics 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
scope: loadbalancer
name: '${resourceNamePrefix}-lb-diagnostics'
properties: {
'workspaceId': workspace.id
logs: [
]
metrics: [
{
category: 'AllMetrics'
enabled: true
}
]
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment