[Modules] Connect Azure Firewall to a VirtualHub

modules/Microsoft.Network/azureFirewalls/.test/hub/dependencies.bicep

@@ -0,0 +1,43 @@
+@description('Optional. The location to deploy to.')
+param location string = resourceGroup().location
+
+param virtualWanName string
+
+param virtualHubName string
+
+param firewallPolicyName string
+
+resource virtualWan 'Microsoft.Network/virtualWans@2021-08-01' = {
+  name: virtualWanName
+  location: location
+  properties: {
+    disableVpnEncryption: false
+    allowBranchToBranchTraffic: true
+    type: 'Standard'
+  }
+}
+
+resource virtualHub 'Microsoft.Network/virtualHubs@2021-08-01' = {
+  name: virtualHubName
+  location: location
+  properties: {
+    addressPrefix: '10.1.0.0/16'
+    virtualWan: {
+      id: virtualWan.id
+    }
+  }
+}
+
+resource policy 'Microsoft.Network/firewallPolicies@2021-08-01' = {
+  name: firewallPolicyName
+  location: location
+  properties: {
+    threatIntelMode: 'Alert'
+  }
+}
+
+@description('The resource ID of the created Virtual Hub.')
+output virtualHubResourceId string = virtualHub.id
+
+@description('The resource ID of the created Firewall Policie.')
+output firewallPolicyResourceId string = policy.id

modules/Microsoft.Network/azureFirewalls/.test/hub/deploy.test.bicep

@@ -0,0 +1,58 @@
+targetScope = 'subscription'
+
+// ========== //
+// Parameters //
+// ========== //
+@description('Optional. The name of the resource group to deploy for a testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'ms.network.azurefirewalls-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'nafhub'
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+// =========== //
+// Deployments //
+// =========== //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+  name: resourceGroupName
+  location: location
+}
+
+module resourceGroupResources 'dependencies.bicep' = {
+  scope: resourceGroup
+  name: '${uniqueString(deployment().name, location)}-paramNested'
+  params: {
+    virtualWanName: 'dep-<<namePrefix>>-vwan-${serviceShort}'
+    virtualHubName: 'dep-<<namePrefix>>-vhub-${serviceShort}'
+    firewallPolicyName: 'dep-<<namePrefix>>-afwp-${serviceShort}'
+  }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+
+module testDeployment '../../deploy.bicep' = {
+  scope: resourceGroup
+  name: '${uniqueString(deployment().name)}-test-${serviceShort}'
+  params: {
+    enableDefaultTelemetry: enableDefaultTelemetry
+    name: '<<namePrefix>>${serviceShort}001'
+    firewallPolicyId: resourceGroupResources.outputs.firewallPolicyResourceId
+    virtualHubId: resourceGroupResources.outputs.virtualHubResourceId
+    hubIPAddresses: {
+      publicIPs: {
+        count: 1
+      }
+    }
+  }
+}

modules/Microsoft.Network/azureFirewalls/deploy.bicep

@@ -1,22 +1,15 @@
 @description('Required. Name of the Azure Firewall.')
 param name string
 
-@description('Optional. Name of an Azure Firewall SKU.')
-@allowed([
-  'AZFW_VNet'
-  'AZFW_Hub'
-])
-param azureSkuName string = 'AZFW_VNet'
-
 @description('Optional. Tier of an Azure Firewall.')
 @allowed([
   'Standard'
   'Premium'
 ])
 param azureSkuTier string = 'Standard'
 
-@description('Required. Shared services Virtual Network resource ID. The virtual network ID containing AzureFirewallSubnet. If a public ip is not provided, then the public ip that is created as part of this module will be applied with the subnet provided in this variable.')
-param vNetId string
+@description('Conditional. Shared services Virtual Network resource ID. The virtual network ID containing AzureFirewallSubnet. If a public ip is not provided, then the public ip that is created as part of this module will be applied with the subnet provided in this variable. Required if `virtualHubId` is empty.')
+param vNetId string = ''
 
 @description('Optional. The public ip resource ID to associate to the AzureFirewallSubnet. If empty, then the public ip that is created as part of this module will be applied to the AzureFirewallSubnet.')
 param azureFirewallSubnetPublicIpId string = ''
@@ -42,6 +35,12 @@ param natRuleCollections array = []
 @description('Optional. Resource ID of the Firewall Policy that should be attached.')
 param firewallPolicyId string = ''
 
+@description('Conditional. IP addresses associated with AzureFirewall. Required if `virtualHubId` is supplied.')
+param hubIPAddresses object = {}
+
+@description('Conditional. The virtualHub resource ID to which the firewall belongs. Required if `vNetId` is empty.')
+param virtualHubId string = ''
+
 @allowed([
   'Alert'
   'Deny'
@@ -148,6 +147,8 @@ var newPip = {
   } : null
 }
 
+var azureSkuName = empty(vNetId) ? 'AZFW_Hub' : 'AZFW_VNet'
+
 var ipConfigurations = concat([
     {
       name: !empty(azureFirewallSubnetPublicIpId) ? last(split(azureFirewallSubnetPublicIpId, '/')) : publicIPAddress.outputs.name
@@ -190,7 +191,7 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena
 }
 
 // create a public ip address if one is not provided and the flag is true
-module publicIPAddress '../../Microsoft.Network/publicIPAddresses/deploy.bicep' = if (empty(azureFirewallSubnetPublicIpId) && isCreateDefaultPublicIP) {
+module publicIPAddress '../../Microsoft.Network/publicIPAddresses/deploy.bicep' = if (empty(azureFirewallSubnetPublicIpId) && isCreateDefaultPublicIP && azureSkuName == 'AZFW_VNet') {
   name: '${uniqueString(deployment().name, location)}-Firewall-PIP'
   params: {
     name: contains(publicIPAddressObject, 'name') ? (!(empty(publicIPAddressObject.name)) ? publicIPAddressObject.name : '${name}-pip') : '${name}-pip'
@@ -230,7 +231,7 @@ resource azureFirewall 'Microsoft.Network/azureFirewalls@2021-08-01' = {
   location: location
   zones: length(zones) == 0 ? null : zones
   tags: tags
-  properties: {
+  properties: azureSkuName == 'AZFW_VNet' ? {
     threatIntelMode: threatIntelMode
     firewallPolicy: empty(firewallPolicyId) ? null : {
       id: firewallPolicyId
@@ -243,6 +244,18 @@ resource azureFirewall 'Microsoft.Network/azureFirewalls@2021-08-01' = {
     applicationRuleCollections: applicationRuleCollections
     natRuleCollections: natRuleCollections
     networkRuleCollections: networkRuleCollections
+  } : {
+    firewallPolicy: empty(firewallPolicyId) ? null : {
+      id: firewallPolicyId
+    }
+    sku: {
+      name: azureSkuName
+      tier: azureSkuTier
+    }
+    hubIPAddresses: empty(hubIPAddresses) ? null : hubIPAddresses
+    virtualHub: empty(virtualHubId) ? null : {
+      id: virtualHubId
+    }
   }
   dependsOn: [
     publicIPAddress
@@ -294,10 +307,10 @@ output name string = azureFirewall.name
 output resourceGroupName string = resourceGroup().name
 
 @description('The private IP of the Azure firewall.')
-output privateIp string = azureFirewall.properties.ipConfigurations[0].properties.privateIPAddress
+output privateIp string = contains(azureFirewall.properties, 'ipConfigurations') ? azureFirewall.properties.ipConfigurations[0].properties.privateIPAddress : ''
 
 @description('The public ipconfiguration object for the AzureFirewallSubnet.')
-output ipConfAzureFirewallSubnet object = azureFirewall.properties.ipConfigurations[0]
+output ipConfAzureFirewallSubnet object = contains(azureFirewall.properties, 'ipConfigurations') ? azureFirewall.properties.ipConfigurations[0] : {}
 
 @description('List of Application Rule Collections.')
 output applicationRuleCollections array = applicationRuleCollections