@lachlanwright
Created Nov 10, 2021
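// Deployment parameters for the hub-and-spoke topology declared below.

@description('Number of spoke Vnets to create. Defaults to 2.')
// Each spoke gets 10.0.<i+1>.0/24, so the third octet (1..count) must stay within 0-255;
// bounding the parameter turns an invalid address prefix into an early validation error.
@minValue(0)
@maxValue(255)
param spokeVnetCount int = 2

@description('Management groups that the network manager has access to.')
param managementGroupScopes array = []

@description('Subscriptions that the network manager has access to.')
param subscriptionScopes array = []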
// Hub Vnet (10.0.0.0/24): hosts the VPN gateway and a 'default' subnet.
resource hub 'Microsoft.Network/virtualNetworks@2019-11-01' = {
  name: 'vnet-hub'
  location: resourceGroup().location
  properties: {
    addressSpace: {
      addressPrefixes: [
        '10.0.0.0/24'
      ]
    }
    subnets: [
      // 'GatewaySubnet' is the subnet the hub VPN gateway below attaches to.
      {
        name: 'GatewaySubnet'
        properties: {
          addressPrefix: '10.0.0.0/27'
        }
      }
      {
        name: 'default'
        properties: {
          addressPrefix: '10.0.0.32/27'
        }
      }
    ]
  }
}
// One spoke Vnet per index: vnet-spoke<i> with address space 10.0.<i+1>.0/24.
// The 'spoke' tag is what the network manager's conditional membership below
// keys on, so every Vnet created here joins the 'spokes' network group.
resource spoke 'Microsoft.Network/virtualNetworks@2019-11-01' = [for i in range(0, spokeVnetCount): {
  name: 'vnet-spoke${i}'
  location: resourceGroup().location
  tags: {
    spoke: 'true'
  }
  properties: {
    addressSpace: {
      addressPrefixes: [
        '10.0.${(i + 1)}.0/24'
      ]
    }
    subnets: [
      {
        name: 'default'
        properties: {
          // First /27 of the spoke's /24.
          addressPrefix: '10.0.${(i + 1)}.0/27'
        }
      }
    ]
  }
}]
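// Public IP for the hub VPN gateway.
resource publicIPAddress 'Microsoft.Network/publicIPAddresses@2019-11-01' = {
  name: 'pip-gw-hub'
  location: resourceGroup().location
  sku: {
    name: 'Standard'
  }
  properties: {
    // Standard SKU public IPs must use static allocation; 'Dynamic' combined
    // with the Standard SKU is rejected at deployment time.
    // NOTE(review): confirm the non-zonal 'VpnGw1' gateway SKU used below
    // accepts a Standard SKU public IP under the gateway API version in use.
    publicIPAllocationMethod: 'Static'
  }
}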
// Route-based VPN gateway in the hub's GatewaySubnet, BGP enabled.
// Bicep infers the dependency on the hub Vnet and the public IP from the
// references below, so no explicit dependsOn is needed.
resource virtualNetworkGateway 'Microsoft.Network/virtualNetworkGateways@2020-11-01' = {
  name: 'gw-hub'
  location: resourceGroup().location
  properties: {
    ipConfigurations: [
      {
        name: 'default'
        properties: {
          privateIPAllocationMethod: 'Dynamic'
          subnet: {
            id: resourceId('Microsoft.Network/virtualNetworks/subnets', hub.name, 'GatewaySubnet')
          }
          publicIPAddress: {
            id: publicIPAddress.id
          }
        }
      }
    ]
    sku: {
      name: 'VpnGw1'
      tier: 'VpnGw1'
    }
    gatewayType: 'Vpn'
    vpnType: 'RouteBased'
    enableBgp: true
  }
}
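// Azure Virtual Network Manager instance together with its nested network
// group, hub-and-spoke connectivity configuration and security admin
// configuration. Configurations declared here are only applied to regions
// once the network manager deployment is committed (not done by this file).
resource networkManager 'Microsoft.Network/networkManagers@2021-02-01-preview' = {
  name: 'vnm-network-manager'
  location: resourceGroup().location
  properties: {
    networkManagerScopeAccesses: [
      'Connectivity'
      'SecurityAdmin'
    ]
    // Both scope lists default to [] at the top of the file; at least one
    // management group or subscription must be supplied for the manager to
    // have anything in scope.
    networkManagerScopes: {
      managementGroups: managementGroupScopes
      subscriptions: subscriptionScopes
    }
  }

  // Dynamic membership: any Vnet carrying a 'spoke' tag joins this group
  // (the spoke loop above sets tags.spoke = 'true').
  resource networkGroup 'networkGroups' = {
    name: 'spokes'
    properties: {
      conditionalMembership: '''
{
"field": "tags['spoke']",
"exists": true
}
'''
    }
  }

  // Hub-and-spoke: every group member is connected to the hub and may use the
  // hub gateway; members are not connected to each other (groupConnectivity 'None').
  resource hubAndSpoke 'connectivityConfigurations' = {
    name: 'hub-and-spoke'
    properties: {
      appliesToGroups: [
        {
          groupConnectivity: 'None'
          isGlobal: 'False'
          networkGroupId: networkGroup.id
          useHubGateway: 'True'
        }
      ]
      connectivityTopology: 'HubAndSpoke'
      hubs: [
        {
          resourceId: hub.id
          resourceType: hub.type
        }
      ]
      isGlobal: 'False'
    }
  }

  // Security admin configuration applied to the spoke group.
  // NOTE: deleteExistingNSGs 'True' removes NSGs already attached within the
  // scoped networks when this configuration is deployed, so any subnet/NIC
  // level filtering they provided is lost; keep 'False' unless the admin
  // rules below are intended to be the only network filter.
  resource allowOnPremPolicy 'securityAdminConfigurations' = {
    name: 'allow-on-prem'
    properties: {
      deleteExistingNSGs: 'True'
      securityType: 'AdminPolicy'
    }

    resource allowOnPremRules 'ruleCollections' = {
      name: 'allow-on-prem'
      properties: {
        appliesToGroups: [
          {
            networkGroupId: networkGroup.id
          }
        ]
      }

      // NOTE: despite the 'on-prem' naming, the source is 0.0.0.0/0, i.e. any
      // address, so this admin rule allows RDP/SSH/HTTP/HTTPS into the spokes
      // from anywhere. An 'Allow' admin rule is still followed by NSG
      // evaluation, but with deleteExistingNSGs set to 'True' above those NSGs
      // may no longer exist. Narrow addressPrefix to the on-premises ranges if
      // that is the intent.
      resource allowOnPremIn 'rules' = {
        name: 'allow-on-prem-in'
        kind: 'Custom'
        properties: {
          access: 'Allow'
          direction: 'Inbound'
          priority: 100
          sources: [
            {
              addressPrefix: '0.0.0.0/0'
              addressPrefixType: 'IPPrefix'
            }
          ]
          destinationPortRanges: [
            '3389'
            '22'
            '80'
            '443'
          ]
          protocol: 'Tcp'
        }
      }

      // Outbound counterpart: same ports, any destination.
      resource allowOnPremOut 'rules' = {
        // Was 'sallow-on-prem-out'; corrected to match the inbound rule,
        // the collection and the symbolic name.
        name: 'allow-on-prem-out'
        kind: 'Custom'
        properties: {
          access: 'Allow'
          direction: 'Outbound'
          priority: 100
          destinations: [
            {
              addressPrefix: '0.0.0.0/0'
              addressPrefixType: 'IPPrefix'
            }
          ]
          destinationPortRanges: [
            '3389'
            '22'
            '80'
            '443'
          ]
          protocol: 'Tcp'
        }
      }
    }
  }
}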