/*
Deploys an opinionated network foundation - work in progress
- Log analytics workspace
- VNET with default subnets (gateway, Bastion, firewall, load balancer, app tier, data tier)
- Azure Firewall with a zone-redundant public IP, and an internal Standard load balancer
- Diagnostics settings for all resources - pushing all logs+metrics to the log analytics workspace
*/
var resourceNamePrefix = 'jvw-lbspike'
var resourceLocation = 'westeurope'
/*
Main log analytics workspace - serves as the sink for *all* services' diagnostics settings
Typically referenced as 'workspaceId': workspace.id in Microsoft.Insights/diagnosticSettings resources
*/
resource workspace 'Microsoft.OperationalInsights/workspaces@2021-06-01' = {
name: '${resourceNamePrefix}-logs'
location: resourceLocation
}
/*
Virtual network with some defaults
- NOTE the 'gatewaysubnet', 'AzureBastionSubnet' and 'AzureFirewallSubnet' subnets.
The subnets for the VPN gateway, Azure Bastion and Azure Firewall *must* carry these names
- Adding subnets is easy (given there is still unused IP space). Removing/changing a subnet is quite a bit more difficult.
*/
resource network 'Microsoft.Network/virtualNetworks@2021-02-01' = {
name: '${resourceNamePrefix}-vnet'
location: resourceLocation
properties:{
addressSpace: {
addressPrefixes: [
'10.0.0.0/16'
]
}
subnets:[
{
name: 'gatewaysubnet'
properties:{
addressPrefix: '10.0.0.0/24'
}
}
{
name: 'AzureBastionSubnet'
properties:{
addressPrefix: '10.0.1.0/24'
}
}
{
name: 'AzureFirewallSubnet'
properties:{
addressPrefix: '10.0.2.0/24'
}
}
{
name: 'LoadBalancerSubnet'
properties:{
addressPrefix: '10.0.10.0/24'
}
}
{
name: 'AppTier'
properties:{
addressPrefix: '10.0.11.0/24'
}
}
{
name: 'DataTier'
properties:{
addressPrefix: '10.0.12.0/24'
}
}
]
}
}
resource networkDiagnostics 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
scope: network
name: '${resourceNamePrefix}-vnet-diagnostics'
properties: {
'workspaceId': workspace.id
logs: [
{
category: 'VMProtectionAlerts'
enabled: true
}
]
metrics: [
{
category: 'AllMetrics'
enabled: true
}
]
}
}
/*
Public IP address for the Azure Firewall
- 'Standard' SKU is required and 'Static' allocation method as well
*/
resource azureFirewallPIP 'Microsoft.Network/publicIPAddresses@2021-02-01' = {
name: '${resourceNamePrefix}-fw-pip'
location: resourceLocation
zones: [
'1'
'2'
'3'
]
properties: {
publicIPAllocationMethod: 'Static'
}
sku: {
name: 'Standard'
tier: 'Regional'
}
}
resource azureFirewallPIPDiagnostics 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
scope: azureFirewallPIP
name: '${resourceNamePrefix}-fw-pip-diagnostics'
properties: {
'workspaceId': workspace.id
logs: [
{
category: 'DDoSProtectionNotifications'
enabled: true
}
{
category: 'DDoSMitigationFlowLogs'
enabled: true
}
{
category: 'DDoSMitigationReports'
enabled: true
}
]
metrics: [
{
category: 'AllMetrics'
enabled: true
}
]
}
}
resource azureFirewall 'Microsoft.Network/azureFirewalls@2021-02-01' = {
name: '${resourceNamePrefix}-fw'
location: resourceLocation
zones: [
'1'
'2'
'3'
]
properties: {
ipConfigurations: [
{
name: azureFirewallPIP.name
properties: {
publicIPAddress: {
id: azureFirewallPIP.id
}
subnet: {
id: '${network.id}/subnets/AzureFirewallSubnet'
}
}
}
]
}
}
resource azureFirewallDiagnostics 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
scope: azureFirewall
name: '${resourceNamePrefix}-fw-diagnostics'
properties: {
'workspaceId': workspace.id
logs: [
{
category: 'AzureFirewallApplicationRule'
enabled: true
}
{
category: 'AzureFirewallNetworkRule'
enabled: true
}
{
category: 'AzureFirewallDnsProxy'
enabled: true
}
]
metrics: [
{
category: 'AllMetrics'
enabled: true
}
]
}
}
/*
Azure load balancer with a private frontend IP in the LoadBalancer subnet (internal load balancer, not reachable from the internet)
No backend pools, probes or rules configured at this point
*/
resource loadbalancer 'Microsoft.Network/loadBalancers@2021-02-01' = {
name: '${resourceNamePrefix}-lb'
location: resourceLocation
sku: {
name: 'Standard'
tier: 'Regional'
}
properties: {
frontendIPConfigurations: [
{
name: 'loadbalancerfrontendip'
properties: {
privateIPAddressVersion: 'IPv4'
privateIPAllocationMethod: 'Dynamic'
subnet: {
id: '${network.id}/subnets/LoadBalancerSubnet'
}
}
}
]
}
}
resource azureLoadBalancerDiagnostics 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
scope: loadbalancer
name: '${resourceNamePrefix}-lb-diagnostics'
properties: {
'workspaceId': workspace.id
logs: [
]
metrics: [
{
category: 'AllMetrics'
enabled: true
}
]
}
}