diff --git a/.azuredevops/modulePipelines/ms.network.vpnGateways.yml b/.azuredevops/modulePipelines/ms.network.vpnGateways.yml new file mode 100644 index 0000000000..ee7445ae29 --- /dev/null +++ b/.azuredevops/modulePipelines/ms.network.vpnGateways.yml @@ -0,0 +1,52 @@ +name: 'Network - VPN Gateway' + +parameters: + - name: removeDeployment + displayName: Remove deployed module + type: boolean + default: true + - name: prerelease + displayName: Publish prerelease module + type: boolean + default: false + +trigger: + batch: true + branches: + include: + - main + paths: + include: + - '/.azuredevops/modulePipelines/ms.network.vpnGateways.yml' + - '/.azuredevops/pipelineTemplates/module.*.yml' + - '/arm/Microsoft.Network/vpnGateways/*' + exclude: + - '/**/*.md' + +variables: + - template: '/.azuredevops/pipelineVariables/global.variables.yml' + - group: 'PLATFORM_VARIABLES' + - name: modulePath + value: '/arm/Microsoft.Network/vpnGateways' + +stages: + - stage: Validation + displayName: Pester tests + jobs: + - template: /.azuredevops/pipelineTemplates/jobs.validateModulePester.yml + + - stage: Deployment + displayName: Deployment tests + jobs: + - template: /.azuredevops/pipelineTemplates/jobs.validateModuleDeployment.yml + parameters: + removeDeployment: '${{ parameters.removeDeployment }}' + deploymentBlocks: + - path: $(modulePath)/.parameters/min.parameters.json + - path: $(modulePath)/.parameters/parameters.json + + - stage: Publishing + displayName: Publish module + condition: and(succeeded(), or(eq(variables['Build.SourceBranch'], 'refs/heads/main'), eq(variables['Build.SourceBranch'], 'refs/heads/master'), eq('${{ parameters.prerelease }}', 'true'))) + jobs: + - template: /.azuredevops/pipelineTemplates/jobs.publishModule.yml diff --git a/.github/workflows/ms.network.vpngateways.yml b/.github/workflows/ms.network.vpngateways.yml new file mode 100644 index 0000000000..4c5b639ad7 --- /dev/null +++ b/.github/workflows/ms.network.vpngateways.yml 
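Review bot: The `trigger.paths.include` entry `/.azuredevops/pipelineTemplates/module.*.yml` does not match any template this pipeline consumes — the three stages reference `jobs.validateModulePester.yml`, `jobs.validateModuleDeployment.yml` and `jobs.publishModule.yml` in that same folder — so a push that changes those job templates will not re-run this pipeline; if the `jobs.*` files are the ones that matter, the include should read `- '/.azuredevops/pipelineTemplates/jobs.*.yml'` (or list both patterns). This may be a convention copied from sibling module pipelines, in which case the same gap exists there. `removeDeployment` is declared `type: boolean` but is forwarded as the quoted string `removeDeployment: '${{ parameters.removeDeployment }}'`; whether `jobs.validateModuleDeployment.yml` expects a string or a boolean is not visible in this diff, so confirm against that template.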
@@ -0,0 +1,135 @@ +name: 'Network - VPN Gateway' + +on: + workflow_dispatch: + inputs: + removeDeployment: + type: boolean + description: 'Remove deployed module' + required: false + default: 'true' + prerelease: + type: boolean + description: 'Publish prerelease module' + required: false + default: 'false' + push: + branches: + - main + paths: + - '.github/actions/templates/**' + - '.github/workflows/ms.network.vpnGateways.yml' + - 'arm/Microsoft.Network/vpnGateways/**' + - '!*/**/readme.md' + - 'utilities/pipelines/**' + - '!utilities/pipelines/dependencies/**' + +env: + modulePath: 'arm/Microsoft.Network/vpnGateways' + workflowPath: '.github/workflows/ms.network.vpnGateways.yml' + AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} + ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}' + ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}' + DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}' + +jobs: + ############################ + # SET INPUT PARAMETERS # + ############################ + job_set_workflow_param: + runs-on: ubuntu-20.04 + name: 'Set input parameters to output variables' + steps: + - name: 'Checkout' + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: 'Set input parameters' + id: get-workflow-param + uses: ./.github/actions/templates/getWorkflowInput + with: + workflowPath: '${{ env.workflowPath}}' + outputs: + removeDeployment: ${{ steps.get-workflow-param.outputs.removeDeployment }} + + #################### + # Pester Tests # + #################### + job_module_pester_validation: + runs-on: ubuntu-20.04 + name: 'Pester tests' + steps: + - name: 'Checkout' + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: 'Run tests' + uses: ./.github/actions/templates/validateModulePester + with: + modulePath: '${{ env.modulePath }}' + + #################### + # Deployment tests # + #################### + job_module_deploy_validation: + runs-on: ubuntu-20.04 + name: 'Deployment tests' 
+ needs: + - job_set_workflow_param + - job_module_pester_validation + strategy: + fail-fast: false + matrix: + parameterFilePaths: ['min.parameters.json', 'parameters.json'] + steps: + - name: 'Checkout' + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: Set environment variables + uses: deep-mm/set-variables@v1.0 + with: + variableFileName: 'global.variables' + - name: 'Using parameter file [${{ matrix.parameterFilePaths }}]' + uses: ./.github/actions/templates/validateModuleDeployment + with: + templateFilePath: '${{ env.modulePath }}/deploy.bicep' + parameterFilePath: '${{ env.modulePath }}/.parameters/${{ matrix.parameterFilePaths }}' + location: '${{ env.defaultLocation }}' + resourceGroupName: '${{ env.resourceGroupName }}' + subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + removeDeployment: '${{ needs.job_set_workflow_param.outputs.removeDeployment }}' + + ############### + # PUBLISH # + ############### + job_publish_module: + name: 'Publish module' + if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true' + runs-on: ubuntu-20.04 + needs: + - job_set_workflow_param + - job_module_deploy_validation + steps: + - name: 'Checkout' + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: Set environment variables + uses: deep-mm/set-variables@v1.0 + with: + variableFileName: 'global.variables' + - name: 'Publish module' + uses: ./.github/actions/templates/publishModule + with: + templateFilePath: '${{ env.modulePath }}/deploy.bicep' + templateSpecsRGName: '${{ env.templateSpecsRGName }}' + templateSpecsRGLocation: '${{ env.templateSpecsRGLocation }}' + templateSpecsDescription: '${{ env.templateSpecsDescription }}' + templateSpecsDoPublish: '${{ env.templateSpecsDoPublish }}' + bicepRegistryName: '${{ env.bicepRegistryName }}' + bicepRegistryRGName: '${{ env.bicepRegistryRGName }}' + bicepRegistryRgLocation: '${{ 
env.bicepRegistryRgLocation }}' + bicepRegistryDoPublish: '${{ env.bicepRegistryDoPublish }}' diff --git a/arm/Microsoft.Network/vpnGateways/.bicep/nested_cuaId.bicep b/arm/Microsoft.Network/vpnGateways/.bicep/nested_cuaId.bicep new file mode 100644 index 0000000000..8b13789179 --- /dev/null +++ b/arm/Microsoft.Network/vpnGateways/.bicep/nested_cuaId.bicep @@ -0,0 +1 @@ + diff --git a/arm/Microsoft.Network/vpnGateways/.parameters/min.parameters.json b/arm/Microsoft.Network/vpnGateways/.parameters/min.parameters.json new file mode 100644 index 0000000000..4ed3a736e6 --- /dev/null +++ b/arm/Microsoft.Network/vpnGateways/.parameters/min.parameters.json @@ -0,0 +1,12 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "name": { + "value": "<>-az-vpngw-min-001" + }, + "virtualHubResourceId": { + "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualHubs/<>-az-vhub-min-001" + } + } +} diff --git a/arm/Microsoft.Network/vpnGateways/.parameters/parameters.json b/arm/Microsoft.Network/vpnGateways/.parameters/parameters.json new file mode 100644 index 0000000000..af4f1eca8f --- /dev/null +++ b/arm/Microsoft.Network/vpnGateways/.parameters/parameters.json 
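Review bot: The new file is `.github/workflows/ms.network.vpngateways.yml` (lowercase), but both the `push.paths` filter and `env.workflowPath` name `.github/workflows/ms.network.vpnGateways.yml`; on the case-sensitive runner filesystem the `getWorkflowInput` action is handed a path that does not exist, and pushes that edit this workflow will not match the filter. Either rename the file to the camelCase form the rest of the change uses (the Azure DevOps counterpart is `ms.network.vpnGateways.yml`) or set both strings to `'.github/workflows/ms.network.vpngateways.yml'`. Separately, `deep-mm/set-variables@v1.0` is a third-party action referenced by a mutable tag while the workflow-level `env` exposes `AZURE_CREDENTIALS` and the `ARM_*` secrets to every step of every job, including the Pester job that does not deploy anything; pinning the action to a full commit SHA and moving the secret-bearing `env` entries down to the deploy and publish jobs limits what a retagged or compromised action could read. `'${{ env.workflowPath}}'` is also missing the space before `}}`; it evaluates, but the rest of the file writes `'${{ env.modulePath }}'`.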
@@ -0,0 +1,65 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "name": { + "value": "<>-az-vpngw-x-001" + }, + "virtualHubResourceId": { + "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualHubs/<>-az-vhub-x-001" + }, + "bgpSettings": { + "value": { + "asn": 65515, + "peerWeight": 0 + } + }, + "connections": { + "value": [ + { + "name": "Connection-<>-az-vsite-x-001", + "connectionBandwidth": 10, + "enableBgp": true, + "routingConfiguration": { + "associatedRouteTable": { + "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualHubs/<>-az-vhub-x-001/hubRouteTables/defaultRouteTable" + }, + "propagatedRouteTables": { + "labels": [ + "default" + ], + "ids": [ + { + "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualHubs/<>-az-vhub-x-001/hubRouteTables/defaultRouteTable" + } + ] + }, + "vnetRoutes": { + "staticRoutes": [] + } + }, + "remoteVpnSiteResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/vpnSites/<>-az-vsite-x-001" + } + ] + }, + "natRules": { + "value": [ + { + "name": "natRule1", + "internalMappings": [ + { + "addressSpace": "10.4.0.0/24" + } + ], + "externalMappings": [ + { + "addressSpace": "192.168.21.0/24" + } + ], + "type": "Static", + "mode": "EgressSnat" + } + ] + } + } +} diff --git a/arm/Microsoft.Network/vpnGateways/connections/.bicep/nested_cuaId.bicep b/arm/Microsoft.Network/vpnGateways/connections/.bicep/nested_cuaId.bicep new file mode 100644 index 0000000000..8b13789179 --- /dev/null +++ b/arm/Microsoft.Network/vpnGateways/connections/.bicep/nested_cuaId.bicep @@ -0,0 +1 @@ + diff --git a/arm/Microsoft.Network/vpnGateways/connections/deploy.bicep b/arm/Microsoft.Network/vpnGateways/connections/deploy.bicep new file mode 100644 index 0000000000..58548c3f68 --- /dev/null 
+++ b/arm/Microsoft.Network/vpnGateways/connections/deploy.bicep 
@@ -0,0 +1,95 @@ +@description('Required. The name of the VPN connection.') +param name string + +@description('Required. The name of the VPN gateway this VPN connection is associated with.') +param vpnGatewayName string + +@description('Optional. The IPSec policies to be considered by this connection.') +param ipsecPolicies array = [] + +@description('Optional. The traffic selector policies to be considered by this connection.') +param trafficSelectorPolicies array = [] + +@description('Optional. List of all VPN site link connections to the gateway.') +param vpnLinkConnections array = [] + +@description('Optional. Routing configuration indicating the associated and propagated route tables for this connection.') +param routingConfiguration object = {} + +@description('Optional. Enable policy-based traffic selectors.') +param usePolicyBasedTrafficSelectors bool = false + +@description('Optional. Use local Azure IP to initiate connection.') +param useLocalAzureIpAddress bool = false + +@description('Optional. Enable rate limiting.') +param enableRateLimiting bool = false + +@description('Optional. Enable internet security.') +param enableInternetSecurity bool = false + +@description('Optional. Enable BGP flag.') +param enableBgp bool = false + +@description('Optional. Routing weight for VPN connection.') +param routingWeight int = 0 + +@description('Optional. Expected bandwidth in MBPS.') +param connectionBandwidth int = 10 + +@description('Optional. Gateway connection protocol.') +@allowed([ + 'IKEv1' + 'IKEv2' +]) +param vpnConnectionProtocolType string = 'IKEv2' + +@description('Optional. SharedKey for the VPN connection.') +param sharedKey string = '' + +@description('Optional. Reference to a VPN site to link to') +param remoteVpnSiteResourceId string = '' + +@description('Optional. Customer Usage Attribution ID (GUID). 
This GUID must be previously registered') +param cuaId string = '' + +module pid_cuaId '.bicep/nested_cuaId.bicep' = if (!empty(cuaId)) { + name: 'pid-${cuaId}' + params: {} +} + +resource vpnGateway 'Microsoft.Network/vpnGateways@2021-05-01' existing = { + name: vpnGatewayName +} + +resource vpnConnection 'Microsoft.Network/vpnGateways/vpnConnections@2021-05-01' = { + name: name + parent: vpnGateway + properties: { + connectionBandwidth: connectionBandwidth + enableBgp: enableBgp + enableInternetSecurity: enableInternetSecurity + enableRateLimiting: enableRateLimiting + ipsecPolicies: ipsecPolicies + remoteVpnSite: !empty(remoteVpnSiteResourceId) ? { + id: remoteVpnSiteResourceId + } : null + routingConfiguration: routingConfiguration + routingWeight: routingWeight + sharedKey: sharedKey + trafficSelectorPolicies: trafficSelectorPolicies + useLocalAzureIpAddress: useLocalAzureIpAddress + usePolicyBasedTrafficSelectors: usePolicyBasedTrafficSelectors + vpnConnectionProtocolType: vpnConnectionProtocolType + vpnLinkConnections: vpnLinkConnections + } +} + +@description('The name of the VPN connection') +output name string = vpnConnection.name + +@description('The resource ID of the VPN connection') +output resourceId string = vpnConnection.id + +@description('The name of the resource group the VPN connection was deployed into') +output resourceGroupName string = resourceGroup().name diff --git a/arm/Microsoft.Network/vpnGateways/connections/readme.md b/arm/Microsoft.Network/vpnGateways/connections/readme.md new file mode 100644 index 0000000000..407b36df3d --- /dev/null +++ b/arm/Microsoft.Network/vpnGateways/connections/readme.md 
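Review bot: `sharedKey` is the pre-shared key of the IPsec connection but is declared as a plain `param sharedKey string = ''`, so its value is stored with the deployment inputs and is readable in the deployment history and in any pipeline output that echoes parameters; it should be decorated `@secure()` (an empty-string default remains allowed on a secure parameter). The key reaches this module from `arm/Microsoft.Network/vpnGateways/deploy.bicep`, where it is pulled out of the non-secure `connections` array as `connection.sharedKey`, so the parent also needs a secure path for it (for example a separate `@secure()` object keyed by connection name) before the decorator here is effective. `sharedKey: sharedKey` is also sent unconditionally, i.e. as `''` when no key is supplied; whether the API treats an empty key as "none" or should receive `null`, as `remoteVpnSite` does, is not visible here, so consider `sharedKey: !empty(sharedKey) ? sharedKey : null` and verify against the API.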
@@ -0,0 +1,66 @@ +# VPN Gateways Connections `[Microsoft.Network/vpnGateways/connections]` + +This module deploys VPN Gateways Connections. + +## Resource Types + +| Resource Type | API Version | +| :-- | :-- | +| `Microsoft.Network/vpnGateways/vpnConnections` | 2021-05-01 | + +## Parameters + +| Parameter Name | Type | Default Value | Possible Values | Description | +| :-- | :-- | :-- | :-- | :-- | +| `connectionBandwidth` | int | `10` | | Optional. Expected bandwidth in MBPS. | +| `cuaId` | string | | | Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered | +| `enableBgp` | bool | `False` | | Optional. Enable BGP flag. | +| `enableInternetSecurity` | bool | `False` | | Optional. Enable internet security. | +| `enableRateLimiting` | bool | `False` | | Optional. Enable rate limiting. | +| `ipsecPolicies` | array | `[]` | | Optional. The IPSec Policies to be considered by this connection. | +| `name` | string | | | Required. The name of the VPN connection. | +| `remoteVpnSiteResourceId` | string | | | Optional. Reference to a VPN site to link to | +| `routingConfiguration` | object | `{object}` | | Optional. Routing Configuration indicating the associated and propagated route tables for this connection. | +| `routingWeight` | int | `0` | | Optional. Routing weight for VPN connection. | +| `sharedKey` | string | | | Optional. SharedKey for the VPN connection. | +| `trafficSelectorPolicies` | array | `[]` | | Optional. The Traffic Selector Policies to be considered by this connection. | +| `useLocalAzureIpAddress` | bool | `False` | | Optional. Use local azure IP to initiate connection. | +| `usePolicyBasedTrafficSelectors` | bool | `False` | | Optional. Enable policy-based traffic selectors. | +| `vpnConnectionProtocolType` | string | `IKEv2` | `[IKEv1, IKEv2]` | Optional. Gateway connection protocol. | +| `vpnGatewayName` | string | | | Required. The name of the VPN gateway this VPN connection is associated with. 
| +| `vpnLinkConnections` | array | `[]` | | Optional. List of all VPN site link connections to the gateway. | + +### Parameter Usage: `routingConfiguration` + +```json +"routingConfiguration": { + "associatedRouteTable": { + "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualHubs/SampleVirtualHub/hubRouteTables/defaultRouteTable" + }, + "propagatedRouteTables": { + "labels": [ + "default" + ], + "ids": [ + { + "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualHubs/SampleVirtualHub/hubRouteTables/defaultRouteTable" + } + ] + }, + "vnetRoutes": { + "staticRoutes": [] + } +} +``` + +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `name` | string | The name of the VPN connection | +| `resourceGroupName` | string | The name of the resource group the VPN connection was deployed into | +| `resourceId` | string | The resource ID of the VPN connection | + +## Template references + +- [Vpngateways/Vpnconnections](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-05-01/vpnGateways/vpnConnections) diff --git a/arm/Microsoft.Network/vpnGateways/connections/version.json b/arm/Microsoft.Network/vpnGateways/connections/version.json new file mode 100644 index 0000000000..41f66cc990 --- /dev/null +++ b/arm/Microsoft.Network/vpnGateways/connections/version.json @@ -0,0 +1,4 @@ +{ + "$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json", + "version": "0.1" +} diff --git a/arm/Microsoft.Network/vpnGateways/deploy.bicep b/arm/Microsoft.Network/vpnGateways/deploy.bicep new file mode 100644 index 0000000000..72cdd9a388 --- /dev/null +++ b/arm/Microsoft.Network/vpnGateways/deploy.bicep 
@@ -0,0 +1,93 @@ +@description('Required. Name of the VPN gateway') +param name string + +@description('Optional. Location where all resources will be created.') +param location string = resourceGroup().location + +@description('Optional. The connections to create in the VPN gateway') +param connections array = [] + +@description('Optional. List of all the NAT Rules to associate with the gateway.') +param natRules array = [] + +@description('Required. The resource ID of a virtual Hub to connect to. Note: The virtual Hub and Gateway must be deployed into the same location.') +param virtualHubResourceId string + +@description('Optional. BGP settings details.') +param bgpSettings object = {} + +@description('Optional. Enable BGP routes translation for NAT on this VPN gateway.') +param enableBgpRouteTranslationForNat bool = false + +@description('Optional. Enable routing preference property for the public IP interface of the VPN gateway.') +param isRoutingPreferenceInternet bool = false + +@description('Optional. The scale unit for this VPN gateway.') +param vpnGatewayScaleUnit int = 2 + +@description('Optional. Tags of the resource.') +param tags object = {} + +@description('Optional. Customer Usage Attribution ID (GUID). 
This GUID must be previously registered') +param cuaId string = '' + +module pid_cuaId '.bicep/nested_cuaId.bicep' = if (!empty(cuaId)) { + name: 'pid-${cuaId}' + params: {} +} + +resource vpnGateway 'Microsoft.Network/vpnGateways@2021-05-01' = { + name: name + location: location + tags: tags + properties: { + bgpSettings: bgpSettings + enableBgpRouteTranslationForNat: enableBgpRouteTranslationForNat + isRoutingPreferenceInternet: isRoutingPreferenceInternet + vpnGatewayScaleUnit: vpnGatewayScaleUnit + virtualHub: { + id: virtualHubResourceId + } + } +} + +module vpnGateway_natRules 'natRules/deploy.bicep' = [for (natRule, index) in natRules: { + name: '${deployment().name}-NATRule-${index}' + params: { + name: natRule.name + vpnGatewayName: vpnGateway.name + externalMappings: contains(natRule, 'externalMappings') ? natRule.externalMappings : [] + internalMappings: contains(natRule, 'internalMappings') ? natRule.internalMappings : [] + ipConfigurationId: contains(natRule, 'ipConfigurationId') ? natRule.ipConfigurationId : '' + mode: contains(natRule, 'mode') ? natRule.mode : '' + type: contains(natRule, 'type') ? natRule.type : '' + } +}] + +module vpnGateway_connections 'connections/deploy.bicep' = [for (connection, index) in connections: { + name: '${deployment().name}-Connection-${index}' + params: { + name: connection.name + vpnGatewayName: vpnGateway.name + connectionBandwidth: contains(connection, 'connectionBandwidth') ? connection.connectionBandwidth : 10 + enableBgp: contains(connection, 'enableBgp') ? connection.enableBgp : false + enableInternetSecurity: contains(connection, 'enableInternetSecurity') ? connection.enableInternetSecurity : false + remoteVpnSiteResourceId: contains(connection, 'remoteVpnSiteResourceId') ? connection.remoteVpnSiteResourceId : '' + enableRateLimiting: contains(connection, 'enableRateLimiting') ? connection.enableRateLimiting : false + routingConfiguration: contains(connection, 'routingConfiguration') ? 
connection.routingConfiguration : {} + routingWeight: contains(connection, 'routingWeight') ? connection.routingWeight : 0 + sharedKey: contains(connection, 'sharedKey') ? connection.sharedKey : '' + useLocalAzureIpAddress: contains(connection, 'useLocalAzureIpAddress') ? connection.useLocalAzureIpAddress : false + usePolicyBasedTrafficSelectors: contains(connection, 'usePolicyBasedTrafficSelectors') ? connection.usePolicyBasedTrafficSelectors : false + vpnConnectionProtocolType: contains(connection, 'vpnConnectionProtocolType') ? connection.vpnConnectionProtocolType : 'IKEv2' + } +}] + +@description('The name of the VPN gateway') +output name string = vpnGateway.name + +@description('The resource ID of the VPN gateway') +output resourceId string = vpnGateway.id + +@description('The name of the resource group the VPN gateway was deployed into') +output resourceGroupName string = resourceGroup().name diff --git a/arm/Microsoft.Network/vpnGateways/natRules/.bicep/nested_cuaId.bicep b/arm/Microsoft.Network/vpnGateways/natRules/.bicep/nested_cuaId.bicep new file mode 100644 index 0000000000..8b13789179 --- /dev/null +++ b/arm/Microsoft.Network/vpnGateways/natRules/.bicep/nested_cuaId.bicep @@ -0,0 +1 @@ + diff --git a/arm/Microsoft.Network/vpnGateways/natRules/deploy.bicep b/arm/Microsoft.Network/vpnGateways/natRules/deploy.bicep new file mode 100644 index 0000000000..678d803487 --- /dev/null +++ b/arm/Microsoft.Network/vpnGateways/natRules/deploy.bicep 
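Review bot: `vpnGateway_connections` forwards only part of the child interface — `connections/deploy.bicep` also accepts `ipsecPolicies`, `trafficSelectorPolicies` and `vpnLinkConnections`, none of which are passed here, so a caller of this module cannot set custom IPsec/IKE policies or link connections on a connection even though the nested module supports them. Adding `ipsecPolicies: contains(connection, 'ipsecPolicies') ? connection.ipsecPolicies : []`, `trafficSelectorPolicies: contains(connection, 'trafficSelectorPolicies') ? connection.trafficSelectorPolicies : []` and `vpnLinkConnections: contains(connection, 'vpnLinkConnections') ? connection.vpnLinkConnections : []` to the `params` block follows the pattern used for the other optional values. The `natRules` and `connections` loops both depend only on `vpnGateway.name`, so they are deployed concurrently against the same gateway; if the service serialises writes to a gateway this can show up as a transient conflict, and a `dependsOn` from the connections loop on `vpnGateway_natRules` would sequence them — this is an inference, not something the diff demonstrates.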
@@ -0,0 +1,63 @@ +@description('Required. The name of the NAT rule.') +param name string + +@description('Required. The name of the VPN gateway this NAT rule is associated with.') +param vpnGatewayName string + +@description('Optional. An address prefix range of destination IPs on the outside network that source IPs will be mapped to. In other words, your post-NAT address prefix range.') +param externalMappings array = [] + +@description('Optional. An address prefix range of source IPs on the inside network that will be mapped to a set of external IPs. In other words, your pre-NAT address prefix range.') +param internalMappings array = [] + +@description('Optional. A NAT rule must be configured to a specific VPN Gateway instance. This is applicable to Dynamic NAT only. Static NAT rules are automatically applied to both VPN Gateway instances.') +param ipConfigurationId string = '' + +@description('Optional. The type of NAT rule for VPN NAT. IngressSnat mode (also known as Ingress Source NAT) is applicable to traffic entering the Azure hub\'s site-to-site VPN gateway. EgressSnat mode (also known as Egress Source NAT) is applicable to traffic leaving the Azure hub\'s Site-to-site VPN gateway.') +@allowed([ + '' + 'EgressSnat' + 'IngressSnat' +]) +param mode string = '' + +@description('Optional. The type of NAT rule for VPN NAT. Static one-to-one NAT establishes a one-to-one relationship between an internal address and an external address while Dynamic NAT assigns an IP and port based on availability.') +@allowed([ + '' + 'Dynamic' + 'Static' +]) +param type string = '' + +@description('Optional. Customer Usage Attribution ID (GUID). 
This GUID must be previously registered') +param cuaId string = '' + +module pid_cuaId '.bicep/nested_cuaId.bicep' = if (!empty(cuaId)) { + name: 'pid-${cuaId}' + params: {} +} + +resource vpnGateway 'Microsoft.Network/vpnGateways@2021-05-01' existing = { + name: vpnGatewayName +} + +resource natRule 'Microsoft.Network/vpnGateways/natRules@2021-05-01' = { + name: name + parent: vpnGateway + properties: { + externalMappings: externalMappings + internalMappings: internalMappings + ipConfigurationId: !empty(ipConfigurationId) ? ipConfigurationId : null + mode: !empty(mode) ? any(mode) : null + type: !empty(type) ? any(type) : null + } +} + +@description('The name of the NAT rule') +output name string = natRule.name + +@description('The resource ID of the NAT rule') +output resourceId string = natRule.id + +@description('The name of the resource group the NAT rule was deployed into') +output resourceGroupName string = resourceGroup().name diff --git a/arm/Microsoft.Network/vpnGateways/natRules/readme.md b/arm/Microsoft.Network/vpnGateways/natRules/readme.md new file mode 100644 index 0000000000..fb244edbdb --- /dev/null +++ b/arm/Microsoft.Network/vpnGateways/natRules/readme.md 
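Review bot: The `@description` on `mode` opens with `The type of NAT rule for VPN NAT.`, which is the opening sentence of the `type` parameter declared just below it, so the generated readme now introduces two different parameters as the rule's type; the first sentence should describe what `mode` actually selects, e.g. `@description('Optional. The source NAT direction of a VPN NAT. IngressSnat mode (also known as Ingress Source NAT) is applicable to traffic entering the Azure hub\'s site-to-site VPN gateway. EgressSnat mode (also known as Egress Source NAT) is applicable to traffic leaving the Azure hub\'s site-to-site VPN gateway.')`. The `ipConfigurationId` description says it applies to Dynamic NAT only, yet nothing rejects a non-empty `ipConfigurationId` when `type` is `'Static'` or `''`; if the API refuses that combination the error surfaces only at deployment time, so either documenting the constraint where the parent's `natRules` array is described or guarding the property would help callers. `any(mode)` and `any(type)` switch off type checking on those two properties, presumably because the `''` sentinel in the `@allowed` lists is not an API enum value; a one-line comment such as `// any(): '' is an "unset" sentinel, not part of the API enum` would record that for the next maintainer.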
@@ -0,0 +1,34 @@ +# VPN Gateways NATRules `[Microsoft.Network/vpnGateways/natRules]` + +This module deploys VPN Gateways NATRules + +## Resource Types + +| Resource Type | API Version | +| :-- | :-- | +| `Microsoft.Network/vpnGateways/natRules` | 2021-05-01 | + +## Parameters + +| Parameter Name | Type | Default Value | Possible Values | Description | +| :-- | :-- | :-- | :-- | :-- | +| `cuaId` | string | | | Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered | +| `externalMappings` | array | `[]` | | Optional. An address prefix range of destination IPs on the outside network that source IPs will be mapped to. In other words, your post-NAT address prefix range. | +| `internalMappings` | array | `[]` | | Optional. An address prefix range of source IPs on the inside network that will be mapped to a set of external IPs. In other words, your pre-NAT address prefix range. | +| `ipConfigurationId` | string | | | Optional. A NAT rule must be configured to a specific VPN Gateway instance. This is applicable to Dynamic NAT only. Static NAT rules are automatically applied to both VPN Gateway instances. | +| `mode` | string | | `[, EgressSnat, IngressSnat]` | Optional. The type of NAT rule for VPN NAT. IngressSnat mode (also known as Ingress Source NAT) is applicable to traffic entering the Azure hub's Site-to-site VPN gateway. EgressSnat mode (also known as Egress Source NAT) is applicable to traffic leaving the Azure hub's Site-to-site VPN gateway. | +| `name` | string | | | Required. The name of the NAT rule. | +| `type` | string | | `[, Dynamic, Static]` | Optional. The type of NAT rule for VPN NAT. Static one-to-one NAT establishes a one-to-one relationship between an internal address and an external address while Dynamic NAT assigns an IP and port based on availability. | +| `vpnGatewayName` | string | | | Required. The name of the VPN gateway this NAT rule is associated with. 
| + +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `name` | string | The name of the NAT rule | +| `resourceGroupName` | string | The name of the resource group the NAT rule was deployed into | +| `resourceId` | string | The resource ID of the NAT rule | + +## Template references + +- [Vpngateways/Natrules](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-05-01/vpnGateways/natRules) diff --git a/arm/Microsoft.Network/vpnGateways/natRules/version.json b/arm/Microsoft.Network/vpnGateways/natRules/version.json new file mode 100644 index 0000000000..41f66cc990 --- /dev/null +++ b/arm/Microsoft.Network/vpnGateways/natRules/version.json @@ -0,0 +1,4 @@ +{ + "$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json", + "version": "0.1" +} diff --git a/arm/Microsoft.Network/vpnGateways/readme.md b/arm/Microsoft.Network/vpnGateways/readme.md new file mode 100644 index 0000000000..8b4cabcd31 --- /dev/null +++ b/arm/Microsoft.Network/vpnGateways/readme.md 
@@ -0,0 +1,93 @@ +# VPN Gateways `[Microsoft.Network/vpnGateways]` + +This module deploys VPN Gateways. + +## Resource Types + +| Resource Type | API Version | +| :-- | :-- | +| `Microsoft.Network/vpnGateways` | 2021-05-01 | +| `Microsoft.Network/vpnGateways/natRules` | 2021-05-01 | +| `Microsoft.Network/vpnGateways/vpnConnections` | 2021-05-01 | + +## Parameters + +| Parameter Name | Type | Default Value | Possible Values | Description | +| :-- | :-- | :-- | :-- | :-- | +| `bgpSettings` | object | `{object}` | | Optional. BGP settings details. | +| `connections` | _[connections](connections/readme.md)_ array | `[]` | | Optional. The connections to create in the VPN gateway | +| `cuaId` | string | | | Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered | +| `enableBgpRouteTranslationForNat` | bool | `False` | | Optional. Enable BGP routes translation for NAT on this VPNGateway. | +| `isRoutingPreferenceInternet` | bool | `False` | | Optional. Enable Routing Preference property for the Public IP Interface of the VPNGateway. | +| `location` | string | `[resourceGroup().location]` | | Optional. Location where all resources will be created. | +| `name` | string | | | Required. Name of the VPN gateway | +| `natRules` | _[natRules](natRules/readme.md)_ array | `[]` | | Optional. List of all the NAT Rules to associate with the gateway. | +| `tags` | object | `{object}` | | Optional. Tags of the resource. | +| `virtualHubResourceId` | string | | | Required. The resource ID of a virtual Hub to connect to. Note: The virtual Hub and Gateway must be deployed into the same location. | +| `vpnGatewayScaleUnit` | int | `2` | | Optional. The scale unit for this VPN gateway. 
| + +### Parameter Usage: + +### Parameter Usage: `bgpSettings` + +```json +"bgpSettings": { + "asn": 65515, + "peerWeight": 0, + "bgpPeeringAddresses": [ + { + "ipconfigurationId": "Instance0", + "defaultBgpIpAddresses": [ + "10.0.0.12" + ], + "customBgpIpAddresses": [], + "tunnelIpAddresses": [ + "20.84.35.53", + "10.0.0.4" + ] + }, + { + "ipconfigurationId": "Instance1", + "defaultBgpIpAddresses": [ + "10.0.0.13" + ], + "customBgpIpAddresses": [], + "tunnelIpAddresses": [ + "20.84.34.225", + "10.0.0.5" + ] + } + ] +} +``` + +### Parameter Usage: `tags` + +Tag names and tag values can be provided as needed. A tag can be left without a value. + +```json +"tags": { + "value": { + "Environment": "Non-Prod", + "Contact": "test.user@testcompany.com", + "PurchaseOrder": "1234", + "CostCenter": "7890", + "ServiceName": "DeploymentValidation", + "Role": "DeploymentValidation" + } +} +``` + +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `name` | string | The name of the VPN gateway | +| `resourceGroupName` | string | The name of the resource group the VPN gateway was deployed into | +| `resourceId` | string | The resource ID of the VPN gateway | + +## Template references + +- [Vpngateways](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-05-01/vpnGateways) +- [Vpngateways/Natrules](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-05-01/vpnGateways/natRules) +- [Vpngateways/Vpnconnections](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-05-01/vpnGateways/vpnConnections) diff --git a/arm/Microsoft.Network/vpnGateways/version.json b/arm/Microsoft.Network/vpnGateways/version.json new file mode 100644 index 0000000000..41f66cc990 --- /dev/null +++ b/arm/Microsoft.Network/vpnGateways/version.json @@ -0,0 +1,4 @@ +{ + "$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json", + "version": "0.1" +}