Azure · AlexanderSehr · Mar 7, 2022 · Mar 5, 2022 · Mar 5, 2022 · Mar 5, 2022
@@ -42,6 +42,7 @@ stages:
         parameters:
           removeDeployment: '${{ parameters.removeDeployment }}'
           deploymentBlocks:
+            - path: $(modulePath)/.parameters/min.parameters.json
             - path: $(modulePath)/.parameters/parameters.json
 
   - stage: Publishing

@@ -81,7 +81,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        parameterFilePaths: ['parameters.json']
+        parameterFilePaths: ['min.parameters.json', 'parameters.json']
     steps:
       - name: 'Checkout'
         uses: actions/checkout@v2

@@ -68,6 +68,14 @@ param hubRouteTables array = []
 @description('Optional. Virtual network connections to create for the virtual hub.')
 param hubVirtualNetworkConnections array = []
 
+@allowed([
+  'CanNotDelete'
+  'NotSpecified'
+  'ReadOnly'
+])
+@description('Optional. Specify the type of lock.')
+param lock string = 'NotSpecified'
+
 @description('Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered')
 param cuaId string = ''
 
@@ -113,6 +121,15 @@ resource virtualHub 'Microsoft.Network/virtualHubs@2021-05-01' = {
   }
 }
 
+resource virtualHub_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') {
+  name: '${virtualHub.name}-${lock}-lock'
+  properties: {
+    level: lock
+    notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
+  }
+  scope: virtualHub
+}
+
 module virtualHub_routeTables 'hubRouteTables/deploy.bicep' = [for (routeTable, index) in hubRouteTables: {
   name: '${uniqueString(deployment().name, location)}-routeTable-${index}'
   params: {

@@ -6,6 +6,7 @@ This module deploys a virtual hub.
 
 | Resource Type | API Version |
 | :-- | :-- |
+| `Microsoft.Authorization/locks` | 2017-04-01 |
 | `Microsoft.Network/virtualHubs` | 2021-05-01 |
 | `Microsoft.Network/virtualHubs/hubRouteTables` | 2021-05-01 |
 | `Microsoft.Network/virtualHubs/hubVirtualNetworkConnections` | 2021-05-01 |
@@ -22,13 +23,14 @@ This module deploys a virtual hub.
 | `hubRouteTables` | _[hubRouteTables](hubRouteTables/readme.md)_ array | `[]` |  | Optional. Route tables to create for the virtual hub. |
 | `hubVirtualNetworkConnections` | _[hubVirtualNetworkConnections](hubVirtualNetworkConnections/readme.md)_ array | `[]` |  | Optional. Virtual network connections to create for the virtual hub. |
 | `location` | string | `[resourceGroup().location]` |  | Optional. Location for all resources. |
+| `lock` | string | `NotSpecified` | `[CanNotDelete, NotSpecified, ReadOnly]` | Optional. Specify the type of lock. |
 | `name` | string |  |  | Required. The virtual hub name. |
 | `p2SVpnGatewayId` | string |  |  | Optional. Resource ID of the Point-to-Site VPN Gateway to link to |
 | `preferredRoutingGateway` | string |  | `[ExpressRoute, None, VpnGateway, ]` | Optional. The preferred routing gateway types |
 | `routeTableRoutes` | array | `[]` |  | Optional. VirtualHub route tables |
 | `securityPartnerProviderId` | string |  |  | Optional. ID of the Security Partner Provider to link to |
 | `securityProviderName` | string |  |  | Optional. The Security Provider name. |
-| `sku` | string | `Standard` | `Basic`,`Standard` | Optional. The sku of this VirtualHub. |
+| `sku` | string | `Standard` | `[Basic, Standard]` | Optional. The sku of this VirtualHub. |
 | `tags` | object | `{object}` |  | Optional. Tags of the resource. |
 | `virtualHubRouteTableV2s` | array | `[]` |  | Optional. List of all virtual hub route table v2s associated with this VirtualHub. |
 | `virtualRouterAsn` | int | `-1` |  | Optional. VirtualRouter ASN. |
@@ -63,6 +65,7 @@ Tag names and tag values can be provided as needed. A tag can be left without a
 
 ## Template references
 
+- [Locks](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2017-04-01/locks)
 - [Virtualhubs](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-05-01/virtualHubs)
 - [Virtualhubs/Hubroutetables](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-05-01/virtualHubs/hubRouteTables)
 - [Virtualhubs/Hubvirtualnetworkconnections](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-05-01/virtualHubs/hubVirtualNetworkConnections)
@@ -20,7 +20,7 @@ var builtInRoleNames = {
   'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
 }
 
-resource virtualWan 'Microsoft.Network/virtualWans@2021-03-01' existing = {
+resource virtualWan 'Microsoft.Network/virtualWans@2021-05-01' existing = {
   name: last(split(resourceId, '/'))
 }
 

@@ -0,0 +1,9 @@
+{
+    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+    "contentVersion": "1.0.0.0",
+    "parameters": {
+        "name": {
+            "value": "<<namePrefix>>-az-vw-min-001"
+        }
+    }
+}
@@ -5,17 +5,17 @@
         "name": {
             "value": "<<namePrefix>>-az-vw-x-001"
         },
-        "vpnsiteAddressspaceList": {
-            "value": []
+        "type": {
+            "value": "Basic"
         },
-        "vpnsitePublicIPAddress": {
-            "value": "1.2.3.4"
+        "allowBranchToBranchTraffic": {
+            "value": true
         },
-        "vpnsiteBgpAsn": {
-            "value": 65010
+        "allowVnetToVnetTraffic": {
+            "value": true
         },
-        "vpnsiteBgpPeeringAddress": {
-            "value": "1.1.1.1"
+        "disableVpnEncryption": {
+            "value": true
         },
         "roleAssignments": {
             "value": [

@@ -1,49 +1,24 @@
 @description('Optional. Location where all resources will be created.')
 param location string = resourceGroup().location
 
-@description('Required. Name of the Virtual Wan.')
+@description('Required. Name of the Virtual WAN.')
 param name string
 
-@description('Optional. Sku of the Virtual Wan.')
+@description('Optional. The type of the Virtual WAN.')
 @allowed([
   'Standard'
   'Basic'
 ])
-param virtualWanSku string = 'Standard'
+param type string = 'Standard'
 
-@description('Optional. Name of the Virtual Hub. A virtual hub is created inside a virtual wan.')
-param virtualHubName string = 'SampleVirtualHub'
+@description('Optional. True if branch to branch traffic is allowed.')
+param allowBranchToBranchTraffic bool = false
 
-@description('Optional. Name of the Vpn Gateway. A vpn gateway is created inside a virtual hub.')
-param vpnGatewayName string = 'SampleVpnGateway'
+@description('Optional. True if VNET to VNET traffic is allowed. ')
+param allowVnetToVnetTraffic bool = false
 
-@description('Optional. Name of the vpnsite. A vpnsite represents the on-premise vpn device. A public ip address is mandatory for a vpn site creation.')
-param vpnSiteName string = 'SampleVpnSite'
-
-@description('Optional. Name of the vpnconnection. A vpn connection is established between a vpnsite and a vpn gateway.')
-param connectionName string = 'SampleVpnsiteVpnGwConnection'
-
-@description('Optional. A list of static routes corresponding to the vpn site. These are configured on the vpn gateway.')
-param vpnsiteAddressspaceList array = []
-
-@description('Required. he public IP address of a vpn site.')
-param vpnsitePublicIPAddress string
-
-@description('Required. The bgp asn number of a vpnsite.')
-param vpnsiteBgpAsn int
-
-@description('Required. The bgp peer IP address of a vpnsite.')
-param vpnsiteBgpPeeringAddress string
-
-@description('Optional. The hub address prefix. This address prefix will be used as the address prefix for the hub vnet')
-param addressPrefix string = '192.168.0.0/24'
-
-@description('Optional. his needs to be set to true if BGP needs to enabled on the vpn connection.')
-@allowed([
-  'true'
-  'false'
-])
-param enableBgp string = 'false'
+@description('Optional. VPN encryption to be disabled or not.')
+param disableVpnEncryption bool = false
 
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'')
 param roleAssignments array = []
@@ -67,12 +42,15 @@ module pid_cuaId '.bicep/nested_cuaId.bicep' = if (!empty(cuaId)) {
   params: {}
 }
 
-resource virtualWan 'Microsoft.Network/virtualWans@2021-03-01' = {
+resource virtualWan 'Microsoft.Network/virtualWans@2021-05-01' = {
   name: name
   location: location
   tags: tags
   properties: {
-    type: virtualWanSku
+    allowBranchToBranchTraffic: allowBranchToBranchTraffic
+    allowVnetToVnetTraffic: allowVnetToVnetTraffic ? allowVnetToVnetTraffic : null
+    disableVpnEncryption: disableVpnEncryption
+    type: type
   }
 }
 
@@ -85,91 +63,6 @@ resource virtualWan_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock !
   scope: virtualWan
 }
 
-resource virtualHub 'Microsoft.Network/virtualHubs@2021-03-01' = {
-  name: virtualHubName
-  location: location
-  properties: {
-    addressPrefix: addressPrefix
-    virtualWan: {
-      id: virtualWan.id
-    }
-  }
-}
-
-resource virtualHub_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') {
-  name: '${virtualHub.name}-${lock}-lock'
-  properties: {
-    level: lock
-    notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
-  }
-  scope: virtualHub
-}
-
-resource vpnSite 'Microsoft.Network/vpnSites@2021-03-01' = {
-  name: vpnSiteName
-  location: location
-  properties: {
-    addressSpace: {
-      addressPrefixes: vpnsiteAddressspaceList
-    }
-    bgpProperties: {
-      asn: vpnsiteBgpAsn
-      bgpPeeringAddress: vpnsiteBgpPeeringAddress
-      peerWeight: 0
-    }
-    deviceProperties: {
-      linkSpeedInMbps: 0
-    }
-    ipAddress: vpnsitePublicIPAddress
-    virtualWan: {
-      id: virtualWan.id
-    }
-  }
-}
-
-resource vpnSite_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') {
-  name: '${vpnSite.name}-${lock}-lock'
-  properties: {
-    level: lock
-    notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
-  }
-  scope: vpnSite
-}
-
-resource vpnGateway 'Microsoft.Network/vpnGateways@2021-03-01' = {
-  name: vpnGatewayName
-  location: location
-  properties: {
-    connections: [
-      {
-        name: connectionName
-        properties: {
-          connectionBandwidth: 10
-          enableBgp: any(enableBgp)
-          remoteVpnSite: {
-            id: vpnSite.id
-          }
-        }
-      }
-    ]
-    virtualHub: {
-      id: virtualHub.id
-    }
-    bgpSettings: {
-      asn: 65515
-    }
-  }
-}
-
-resource vpnGateway_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') {
-  name: '${vpnGateway.name}-${lock}-lock'
-  properties: {
-    level: lock
-    notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
-  }
-  scope: vpnGateway
-}
-
 module virtualWan_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: {
   name: '${uniqueString(deployment().name, location)}-VWan-Rbac-${index}'
   params: {

@@ -8,32 +8,22 @@ This template deploys a virtual WAN.
 | :-- | :-- |
 | `Microsoft.Authorization/locks` | 2017-04-01 |
 | `Microsoft.Authorization/roleAssignments` | 2021-04-01-preview |
-| `Microsoft.Network/virtualHubs` | 2021-03-01 |
-| `Microsoft.Network/virtualWans` | 2021-03-01 |
-| `Microsoft.Network/vpnGateways` | 2021-03-01 |
-| `Microsoft.Network/vpnSites` | 2021-03-01 |
+| `Microsoft.Network/virtualWans` | 2021-05-01 |
 
 ## Parameters
 
 | Parameter Name | Type | Default Value | Possible Values | Description |
 | :-- | :-- | :-- | :-- | :-- |
-| `addressPrefix` | string | `192.168.0.0/24` |  | Optional. The hub address prefix. This address prefix will be used as the address prefix for the hub vnet |
-| `connectionName` | string | `SampleVpnsiteVpnGwConnection` |  | Optional. Name of the vpnconnection. A vpn connection is established between a vpnsite and a vpn gateway. |
+| `allowBranchToBranchTraffic` | bool | `False` |  | Optional. True if branch to branch traffic is allowed. |
+| `allowVnetToVnetTraffic` | bool | `False` |  | Optional. True if VNET to VNET traffic is allowed.  |
 | `cuaId` | string |  |  | Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered |
-| `enableBgp` | string | `false` | `[true, false]` | Optional. his needs to be set to true if BGP needs to enabled on the vpn connection. |
+| `disableVpnEncryption` | bool | `False` |  | Optional. VPN encryption to be disabled or not. |
 | `location` | string | `[resourceGroup().location]` |  | Optional. Location where all resources will be created. |
 | `lock` | string | `NotSpecified` | `[CanNotDelete, NotSpecified, ReadOnly]` | Optional. Specify the type of lock. |
-| `name` | string |  |  | Required. Name of the Virtual Wan. |
+| `name` | string |  |  | Required. Name of the Virtual WAN. |
 | `roleAssignments` | array | `[]` |  | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' |
 | `tags` | object | `{object}` |  | Optional. Tags of the resource. |
-| `virtualHubName` | string | `SampleVirtualHub` |  | Optional. Name of the Virtual Hub. A virtual hub is created inside a virtual wan. |
-| `virtualWanSku` | string | `Standard` | `[Standard, Basic]` | Optional. Sku of the Virtual Wan. |
-| `vpnGatewayName` | string | `SampleVpnGateway` |  | Optional. Name of the Vpn Gateway. A vpn gateway is created inside a virtual hub. |
-| `vpnsiteAddressspaceList` | array | `[]` |  | Optional. A list of static routes corresponding to the vpn site. These are configured on the vpn gateway. |
-| `vpnsiteBgpAsn` | int |  |  | Required. The bgp asn number of a vpnsite. |
-| `vpnsiteBgpPeeringAddress` | string |  |  | Required. The bgp peer IP address of a vpnsite. |
-| `vpnSiteName` | string | `SampleVpnSite` |  | Optional. Name of the vpnsite. A vpnsite represents the on-premise vpn device. A public ip address is mandatory for a vpn site creation. |
-| `vpnsitePublicIPAddress` | string |  |  | Required. he public IP address of a vpn site. |
+| `type` | string | `Standard` | `[Standard, Basic]` | Optional. The type of the Virtual WAN. |
 
 ### Parameter Usage: `roleAssignments`
 
@@ -86,7 +76,4 @@ Tag names and tag values can be provided as needed. A tag can be left without a
 
 - [Locks](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2017-04-01/locks)
 - [Roleassignments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/roleAssignments)
-- [Virtualhubs](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-03-01/virtualHubs)
-- [Virtualwans](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-03-01/virtualWans)
-- [Vpngateways](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-03-01/vpnGateways)
-- [Vpnsites](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-03-01/vpnSites)
+- [Virtualwans](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-05-01/virtualWans)
@@ -28,6 +28,14 @@ param vpnGatewayScaleUnit int = 2
 @description('Optional. Tags of the resource.')
 param tags object = {}
 
+@allowed([
+  'CanNotDelete'
+  'NotSpecified'
+  'ReadOnly'
+])
+@description('Optional. Specify the type of lock.')
+param lock string = 'NotSpecified'
+
 @description('Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered')
 param cuaId string = ''
 
@@ -51,6 +59,15 @@ resource vpnGateway 'Microsoft.Network/vpnGateways@2021-05-01' = {
   }
 }
 
+resource vpnGateway_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') {
+  name: '${vpnGateway.name}-${lock}-lock'
+  properties: {
+    level: lock
+    notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
+  }
+  scope: vpnGateway
+}
+
 module vpnGateway_natRules 'natRules/deploy.bicep' = [for (natRule, index) in natRules: {
   name: '${deployment().name}-NATRule-${index}'
   params: {