blog-lz-vnet
// Subscription-scoped entry point: creates the resource groups for the selected
// environment, then deploys one network module per virtual network listed in
// envConfig for that environment.
targetScope = 'subscription'

// Key into envConfig; only 'hub' is defined below.
param environment string = 'hub'
param location string = deployment().location

// Per-environment configuration. Keys prefixed with '_' hold values shared by
// every environment (tags) rather than an environment definition.
var envConfig = {
  _tags: {
    Customer: 'Robin Corp'
    Solution: 'Corp IT Azure Infrastructure'
  }
  hub: {
    _environmentTags: {
      Environment: 'HUB'
    }
    // Not referenced by the deployment below; kept for lookups by callers.
    subscriptionId: subscription().subscriptionId
    // Order matters: the network module below picks its target RG by index.
    resourceGroups: [
      'hub-networking' // IndexNr: 0
      'hub-management' // IndexNr: 1
    ]
    virtualNetworks: [
      {
        name: 'hub-vnet-1'
        addressPrefixes: [
          '10.0.42.0/23'
        ]
        dnsServers: []
        subnets: [
          {
            // Subnet name Azure Bastion expects for its host subnet.
            name: 'AzureBastionSubnet'
            addressPrefix: '10.0.42.0/25'
            nsgName: 'hub-nsg-bastion'
            // These rules are merged (union) with the 'bastion' preset in
            // nsg.bicep; keep priorities clear of the preset's (600-630, 1000)
            // so every rule priority in the NSG stays unique.
            nsgSecurityRules: [
              {
                name: 'AllowSshRdpOutBound'
                properties: {
                  protocol: 'Tcp'
                  sourcePortRange: '*'
                  sourceAddressPrefix: '*'
                  destinationPortRanges: [
                    '22'
                    '3389'
                  ]
                  // Narrow this to specific prefixes to limit which networks
                  // Bastion sessions may reach.
                  destinationAddressPrefix: 'VirtualNetwork'
                  access: 'Allow'
                  priority: 100
                  direction: 'Outbound'
                }
              }
            ]
            nsgRulePreset: 'bastion'
            // Empty string means "not set"; vnet.bicep maps these to null or
            // to its 'Enabled' defaults.
            routeTableName: ''
            delegations: ''
            privateEndpointNetworkPolicies: ''
            privateLinkServiceNetworkPolicies: ''
            serviceEndpoints: []
          }
        ]
      }
    ]
  }
}

// One resource group per name in the selected environment, tagged with the
// shared tags plus the environment tags.
resource resourceGroups 'Microsoft.Resources/resourceGroups@2021-04-01' = [for (rg, i) in envConfig[environment].resourceGroups: {
  name: rg
  location: location
  tags: union(envConfig._tags, envConfig[environment]._environmentTags)
}]

// One network deployment per virtual network; all are placed in the first
// resource group (the networking RG, see IndexNr comments above).
module network 'modules/network.bicep' = [for (vnet, i) in envConfig[environment].virtualNetworks: {
  name: '${environment}-network-${i + 1}'
  scope: resourceGroups[0] // Select the index nr from the envConfig variable to deploy to the correct RG
  params: {
    vnet: vnet
    tags: union(envConfig._tags, envConfig[environment]._environmentTags)
  }
}]
// Per-environment configuration consumed by main.bicep. Keys prefixed with '_'
// hold values shared by every environment (tags); every other key is an
// environment name selectable via the 'environment' parameter.
var envConfig = {
  _tags: {
    Customer: 'Robin Corp'
    Solution: 'Corp IT Azure Infrastructure'
  }
  hub: {
    _environmentTags: {
      Environment: 'HUB'
    }
    subscriptionId: subscription().subscriptionId
    // Order matters: the network module selects its target RG by index.
    resourceGroups: [
      'hub-networking' // IndexNr: 0
      'hub-management' // IndexNr: 1
    ]
    virtualNetworks: [
      {
        name: 'hub-vnet-1'
        addressPrefixes: [
          '10.0.42.0/23'
        ]
        dnsServers: []
        subnets: [
          {
            // Subnet name Azure Bastion expects for its host subnet.
            name: 'AzureBastionSubnet'
            addressPrefix: '10.0.42.0/25'
            nsgName: 'hub-nsg-bastion'
            // Merged (union) with the 'bastion' preset in nsg.bicep; the preset
            // itself has no outbound 22/3389 rule, so this one supplies it.
            // Keep priorities clear of the preset's (600-630, 1000).
            nsgSecurityRules: [
              {
                name: 'AllowSshRdpOutBound'
                properties: {
                  protocol: 'Tcp'
                  sourcePortRange: '*'
                  sourceAddressPrefix: '*'
                  destinationPortRanges: [
                    '22'
                    '3389'
                  ]
                  destinationAddressPrefix: 'VirtualNetwork' // Change this if you only want to allow access to specific network(s)
                  access: 'Allow'
                  priority: 100
                  direction: 'Outbound'
                }
              }
            ]
            nsgRulePreset: 'bastion'
            // Empty string means "not set"; vnet.bicep maps these to null or
            // to its 'Enabled' defaults.
            routeTableName: ''
            delegations: ''
            privateEndpointNetworkPolicies: ''
            privateLinkServiceNetworkPolicies: ''
            serviceEndpoints: []
          }
        ]
      }
    ]
  }
}
// One network deployment per virtual network in the selected environment.
// Every deployment is scoped to resourceGroups[0]; change the index (or derive
// it per vnet) if networks must land in different resource groups.
module network 'modules/network.bicep' = [for (vnet, i) in envConfig[environment].virtualNetworks: {
  name: '${environment}-network-${i + 1}'
  scope: resourceGroups[0] // Select the index nr from the envConfig variable to deploy to the correct RG
  params: {
    vnet: vnet
    tags: union(envConfig._tags, envConfig[environment]._environmentTags)
  }
}]
// Per-VNet orchestration: deploys one NSG per subnet that names one, then the
// virtual network itself once all NSGs exist.
// Expected shape of 'vnet' (as produced by main.bicep's envConfig): name,
// addressPrefixes, dnsServers, subnets[] with nsgName / nsgSecurityRules /
// nsgRulePreset per subnet.
param vnet object
param tags object = {}

// Subnets with an empty nsgName get no NSG deployment; vnet.bicep then sets
// their networkSecurityGroup to null.
module networkSecurityGroups 'nsg.bicep' = [for i in range(0, length(vnet.subnets)): if (!empty(vnet.subnets[i].nsgName)) {
  name: '${vnet.subnets[i].nsgName}-${i + 1}'
  params: {
    nsgName: vnet.subnets[i].nsgName
    securityRules: vnet.subnets[i].nsgSecurityRules
    rulePreset: vnet.subnets[i].nsgRulePreset
    tags: tags
  }
}]

// vnet.bicep resolves NSGs by resourceId rather than by module output, so
// this explicit dependsOn is what guarantees they exist before the VNet.
module network 'vnet.bicep' = {
  name: vnet.name
  params: {
    vnet: vnet
    tags: tags
  }
  dependsOn: [
    networkSecurityGroups
  ]
}
// Network security group with an optional rule preset. The caller's own rules
// are merged with the selected preset (see the union below).
param nsgName string

// '' = no preset, only the caller-supplied securityRules are applied.
@allowed([
  ''
  'bastion'
])
param rulePreset string = ''
param securityRules array = []
param tags object = {}

// Preset rule sets, keyed by rulePreset value.
// 'bastion': inbound 443 from Internet / GatewayManager / AzureLoadBalancer and
// 8080,5701 within the VNet, outbound 443 to AzureCloud, 8080,5701 within the
// VNet and 80,443 to Internet, with explicit deny-all in both directions.
// NOTE(review): the preset has no outbound 22/3389 rule to the target VNet;
// callers supply that via securityRules (main.bicep does). Priorities used here
// are 600-630 and 1000 in each direction; caller rules must not reuse them.
var defaultSecurityRules = {
  bastion: [
    {
      name: 'AllowHttpsInBound'
      properties: {
        protocol: 'Tcp'
        sourcePortRange: '*'
        sourceAddressPrefix: 'Internet'
        destinationPortRange: '443'
        destinationAddressPrefix: '*'
        access: 'Allow'
        priority: 600
        direction: 'Inbound'
      }
    }
    {
      name: 'AllowGatewayManagerInBound'
      properties: {
        protocol: 'Tcp'
        sourcePortRange: '*'
        sourceAddressPrefix: 'GatewayManager'
        destinationPortRange: '443'
        destinationAddressPrefix: '*'
        access: 'Allow'
        priority: 610
        direction: 'Inbound'
      }
    }
    {
      name: 'AllowLoadBalancerInBound'
      properties: {
        protocol: 'Tcp'
        sourcePortRange: '*'
        sourceAddressPrefix: 'AzureLoadBalancer'
        destinationPortRange: '443'
        destinationAddressPrefix: '*'
        access: 'Allow'
        priority: 620
        direction: 'Inbound'
      }
    }
    {
      name: 'AllowBastionHostCommunicationInBound'
      properties: {
        protocol: '*'
        sourcePortRange: '*'
        sourceAddressPrefix: 'VirtualNetwork'
        destinationPortRanges: [
          '8080'
          '5701'
        ]
        destinationAddressPrefix: 'VirtualNetwork'
        access: 'Allow'
        priority: 630
        direction: 'Inbound'
      }
    }
    {
      // Explicit deny below the allows; anything not matched above is dropped.
      name: 'DenyAllInBound'
      properties: {
        protocol: '*'
        sourcePortRange: '*'
        sourceAddressPrefix: '*'
        destinationPortRange: '*'
        destinationAddressPrefix: '*'
        access: 'Deny'
        priority: 1000
        direction: 'Inbound'
      }
    }
    {
      name: 'AllowAzureCloudCommunicationOutBound'
      properties: {
        protocol: 'Tcp'
        sourcePortRange: '*'
        sourceAddressPrefix: '*'
        destinationPortRange: '443'
        destinationAddressPrefix: 'AzureCloud'
        access: 'Allow'
        priority: 600
        direction: 'Outbound'
      }
    }
    {
      name: 'AllowBastionHostCommunicationOutBound'
      properties: {
        protocol: '*'
        sourcePortRange: '*'
        sourceAddressPrefix: 'VirtualNetwork'
        destinationPortRanges: [
          '8080'
          '5701'
        ]
        destinationAddressPrefix: 'VirtualNetwork'
        access: 'Allow'
        priority: 610
        direction: 'Outbound'
      }
    }
    {
      name: 'AllowGetSessionInformationOutBound'
      properties: {
        protocol: '*'
        sourcePortRange: '*'
        sourceAddressPrefix: '*'
        destinationAddressPrefix: 'Internet'
        destinationPortRanges: [
          '80'
          '443'
        ]
        access: 'Allow'
        priority: 620
        direction: 'Outbound'
      }
    }
    {
      // Explicit deny below the allows; outbound traffic not matched above is dropped.
      name: 'DenyAllOutBound'
      properties: {
        protocol: '*'
        sourcePortRange: '*'
        destinationPortRange: '*'
        sourceAddressPrefix: '*'
        destinationAddressPrefix: '*'
        access: 'Deny'
        priority: 1000
        direction: 'Outbound'
      }
    }
  ]
}

// NOTE(review): with rulePreset = '' this indexes a key that does not exist in
// defaultSecurityRules. The ternary below never uses it in that case; confirm
// the deployment does not evaluate the variable eagerly and fail.
var rulePresetSelect = defaultSecurityRules[rulePreset]

// Location comes from the resource group here, whereas vnet.bicep takes a
// 'location' parameter; both resolve to the RG location by default.
resource networkSecurityGroup 'Microsoft.Network/networkSecurityGroups@2019-11-01' = {
  name: nsgName
  location: resourceGroup().location
  tags: tags
  properties: {
    // union() only removes exact duplicates; it does not detect two rules that
    // share a priority, which the NSG would reject at deployment.
    securityRules: length(rulePreset) > 0 ? union(securityRules, rulePresetSelect) : securityRules
  }
}

output networkSecurityGroupName string = networkSecurityGroup.name
output networkSecurityGroupId string = networkSecurityGroup.id
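// Deploys a single virtual network. Subnets reference their NSG and route
// table by name; both are resolved to resource IDs in the current resource
// group, so those resources must already exist (network.bicep orders this
// with dependsOn).
@description('Object parameter containing all information for the VNET')
param vnet object
param location string = resourceGroup().location
param tags object = {}

// Applied when a subnet leaves the corresponding policy setting empty.
var privateEndpointNetworkPolicyDefault = 'Enabled'
var privateLinkServiceNetworkPolicyDefault = 'Enabled'

// Resource ID wrappers, one entry per subnet (same index as vnet.subnets).
// Entries for subnets with an empty routeTableName/nsgName are built but never
// selected by the subnets mapping below.
// NOTE(review): resourceId() is still evaluated with an empty name for those
// entries; confirm the deployment accepts that or guard the call.
var rtId = [for i in range(0, length(vnet.subnets)): {
  id: resourceId('Microsoft.Network/routeTables', vnet.subnets[i].routeTableName)
}]
var nsgId = [for i in range(0, length(vnet.subnets)): {
  id: resourceId('Microsoft.Network/networkSecurityGroups', vnet.subnets[i].nsgName)
}]

// Subnet definitions: an empty string in the config means "not set" and maps to
// null (omitted) or to the 'Enabled' policy defaults above.
var subnets = [for i in range(0, length(vnet.subnets)): {
  name: vnet.subnets[i].name
  properties: {
    addressPrefix: vnet.subnets[i].addressPrefix
    networkSecurityGroup: empty(vnet.subnets[i].nsgName) ? json('null') : nsgId[i]
    routeTable: (empty(vnet.subnets[i].routeTableName) ? json('null') : rtId[i])
    delegations: (empty(vnet.subnets[i].delegations) ? json('null') : vnet.subnets[i].delegations)
    serviceEndpoints: (empty(vnet.subnets[i].serviceEndpoints) ? json('null') : vnet.subnets[i].serviceEndpoints)
    privateEndpointNetworkPolicies: (empty(vnet.subnets[i].privateEndpointNetworkPolicies) ? privateEndpointNetworkPolicyDefault : vnet.subnets[i].privateEndpointNetworkPolicies)
    privateLinkServiceNetworkPolicies: (empty(vnet.subnets[i].privateLinkServiceNetworkPolicies) ? privateLinkServiceNetworkPolicyDefault : vnet.subnets[i].privateLinkServiceNetworkPolicies)
  }
}]

resource virtualNetwork 'Microsoft.Network/virtualNetworks@2021-02-01' = {
  name: vnet.name
  location: location
  tags: tags
  properties: {
    addressSpace: {
      addressPrefixes: vnet.addressPrefixes
    }
    dhcpOptions: {
      // Key spelled as the caller's config declares it ('dnsServers'); the
      // earlier 'DnsServers' only worked if property lookup ignores case.
      dnsServers: vnet.dnsServers
    }
    subnets: subnets
  }
}

output virtualNetworkId string = virtualNetwork.id
output virtualNetworkName string = virtualNetwork.name
output virtualNetworkSubnets array = virtualNetwork.properties.subnets
output virtualNetwork object = virtualNetwork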