From 79ce59fb76577b37df1c2f5e8e736bb831723c6a Mon Sep 17 00:00:00 2001 From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> Date: Sat, 11 Feb 2023 12:03:46 +1100 Subject: [PATCH 1/3] updated vnet gw module and readme --- .../.test/expressRoute/deploy.test.bicep | 1 + .../.test/vpn/dependencies.bicep | 19 +++ .../.test/vpn/deploy.test.bicep | 46 ++++++- .../virtualNetworkGateways/deploy.bicep | 38 +++++- .../virtualNetworkGateways/readme.md | 116 +++++++++++++++++- 5 files changed, 214 insertions(+), 6 deletions(-) diff --git a/modules/Microsoft.Network/virtualNetworkGateways/.test/expressRoute/deploy.test.bicep b/modules/Microsoft.Network/virtualNetworkGateways/.test/expressRoute/deploy.test.bicep index aa6497436d..2d2f1ba297 100644 --- a/modules/Microsoft.Network/virtualNetworkGateways/.test/expressRoute/deploy.test.bicep +++ b/modules/Microsoft.Network/virtualNetworkGateways/.test/expressRoute/deploy.test.bicep @@ -89,5 +89,6 @@ module testDeployment '../../deploy.bicep' = { Role: 'DeploymentValidation' ServiceName: 'DeploymentValidation' } + enableDnsForwarding: true } } diff --git a/modules/Microsoft.Network/virtualNetworkGateways/.test/vpn/dependencies.bicep b/modules/Microsoft.Network/virtualNetworkGateways/.test/vpn/dependencies.bicep index 49ffdf8cda..d1b8588e4b 100644 --- a/modules/Microsoft.Network/virtualNetworkGateways/.test/vpn/dependencies.bicep +++ b/modules/Microsoft.Network/virtualNetworkGateways/.test/vpn/dependencies.bicep @@ -7,6 +7,9 @@ param virtualNetworkName string @description('Required. The name of the Managed Identity to create.') param managedIdentityName string +@description('Required. The name of the Local Network Gateway to create.') +param localNetworkGatewayName string + var addressPrefix = '10.0.0.0/16' resource virtualNetwork 'Microsoft.Network/virtualNetworks@2022-01-01' = { 
@@ -34,8 +37,24 @@ resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018- location: location } +resource localNetworkGateway 'Microsoft.Network/localNetworkGateways@2022-07-01' = { + name: localNetworkGatewayName + location: location + properties: { + gatewayIpAddress: '100.100.100.100' + localNetworkAddressSpace: { + addressPrefixes: [ + '192.168.0.0/24' + ] + } + } +} + @description('The resource ID of the created Virtual Network.') output vnetResourceId string = virtualNetwork.id @description('The principal ID of the created Managed Identity.') output managedIdentityPrincipalId string = managedIdentity.properties.principalId + +@description('The resource ID of the created Local Network Gateway.') +output localNetworkGatewayResourceId string = localNetworkGateway.id diff --git a/modules/Microsoft.Network/virtualNetworkGateways/.test/vpn/deploy.test.bicep b/modules/Microsoft.Network/virtualNetworkGateways/.test/vpn/deploy.test.bicep index 95fd6a73d4..0dbbd7ff06 100644 --- a/modules/Microsoft.Network/virtualNetworkGateways/.test/vpn/deploy.test.bicep +++ b/modules/Microsoft.Network/virtualNetworkGateways/.test/vpn/deploy.test.bicep @@ -34,6 +34,7 @@ module nestedDependencies 'dependencies.bicep' = { params: { virtualNetworkName: 'dep-<>-vnet-${serviceShort}' managedIdentityName: 'dep-<>-msi-${serviceShort}' + localNetworkGatewayName: 'dep-<>-lng-${serviceShort}' } } @@ -61,7 +62,7 @@ module testDeployment '../../deploy.bicep' = { params: { enableDefaultTelemetry: enableDefaultTelemetry name: '<>${serviceShort}001' - virtualNetworkGatewaySku: 'VpnGw1AZ' + virtualNetworkGatewaySku: 'VpnGw2AZ' virtualNetworkGatewayType: 'Vpn' vNetResourceId: nestedDependencies.outputs.vnetResourceId activeActive: true 
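Review bot: The placeholder peer address `gatewayIpAddress: '100.100.100.100'` in the new localNetworkGateway resource is not a reserved documentation address; it sits in the RFC 6598 shared address space (100.64.0.0/10), so it reads like a real carrier-grade NAT endpoint rather than an obvious stand-in. An RFC 5737 documentation address such as `gatewayIpAddress: '203.0.113.1'` makes the intent unambiguous, and a comment above the resource, `// placeholder on-premises endpoint; validation never expects a tunnel to come up`, tells the next maintainer that nothing here is routable. The choice has no effect on the module under test, since the gateway is only referenced by resource ID.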
@@ -86,5 +87,48 @@ module testDeployment '../../deploy.bicep' = { } ] vpnType: 'RouteBased' + enablePrivateIpAddress: true + gatewayDefaultSiteLocalNetworkGatewayId: nestedDependencies.outputs.localNetworkGatewayResourceId + disableIPSecReplayProtection: true + allowRemoteVnetTraffic: true + natRules: [ + { + name: 'nat-rule-1-static-IngressSnat' + properties: { + type: 'Static' + mode: 'IngressSnat' + internalMappings: [ + { + addressSpace: '10.100.0.0/24' + portRange: '100' + } + ] + externalMappings: [ + { + addressSpace: '192.168.0.0/24' + portRange: '100' + } + ] + } + } + { + name: 'nat-rule-2-dynamic-EgressSnat' + properties: { + type: 'Dynamic' + mode: 'EgressSnat' + internalMappings: [ + { + addressSpace: '172.16.0.0/26' + } + ] + externalMappings: [ + { + addressSpace: '10.200.0.0/26' + } + ] + } + } + ] + enableBgpRouteTranslationForNat: true } } diff --git a/modules/Microsoft.Network/virtualNetworkGateways/deploy.bicep b/modules/Microsoft.Network/virtualNetworkGateways/deploy.bicep index 9bcdd8df0c..1ce0819735 100644 --- a/modules/Microsoft.Network/virtualNetworkGateways/deploy.bicep +++ b/modules/Microsoft.Network/virtualNetworkGateways/deploy.bicep 
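Review bot: `disableIPSecReplayProtection: true` in the vpn validation test turns off anti-replay protection on every tunnel the gateway terminates, and because the readme usage example is generated from this test, the identical line appears in the documented sample (the readme hunk at @@ -539 in this patch mirrors it), where a reader is likely to copy it as a recommended setting. The test only needs to exercise the parameter, so keep it but add `// exercises the parameter only; replay protection should stay enabled in real deployments` above the line, assuming the readme generator carries comments through — I cannot confirm that from the diff. The same consideration applies to `allowRemoteVnetTraffic: true`, which widens the set of networks the gateway accepts traffic from.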
@@ -66,6 +66,30 @@ param asn int = 65815 @description('Optional. The IP address range from which VPN clients will receive an IP address when connected. Range specified must not overlap with on-premise network.') param vpnClientAddressPoolPrefix string = '' +@description('Optional. Configures this gateway to accept traffic from remote Virtual WAN networks.') +param allowVirtualWanTraffic bool = false + +@description('Optional. Configure this gateway to accept traffic from other Azure Virtual Networks. This configuration does not support connectivity to Azure Virtual WAN.') +param allowRemoteVnetTraffic bool = false + +@description('Optional. disableIPSecReplayProtection flag. Used for VPN Gateways.') +param disableIPSecReplayProtection bool = false + +@description('Optional. Whether DNS forwarding is enabled or not and is only supported for Express Route Gateways.') +param enableDnsForwarding bool = false + +@description('Optional. Whether private IP needs to be enabled on this gateway for connections or not. Used for configuring a Site-to-Site VPN connection over ExpressRoute private peering.') +param enablePrivateIpAddress bool = false + +@description('Optional. The reference to the LocalNetworkGateway resource which represents local network site having default routes. Assign Null value in case of removing existing default site setting.') +param gatewayDefaultSiteLocalNetworkGatewayId string = '' + +@description('Optional. NatRules for virtual network gateway. NAT is supported on the the following SKUs: VpnGw2~5, VpnGw2AZ~5AZ and is supported for IPsec/IKE cross-premises connections only.') +param natRules array = [] + +@description('Optional. EnableBgpRouteTranslationForNat flag. Can only be used when "natRules" are enabled on the Virtual Network Gateway.') +param enableBgpRouteTranslationForNat bool = false + @description('Optional. Client root certificate data used to authenticate VPN clients. 
Cannot be configured if vpnClientAadConfiguration is provided.') param clientRootCertData string = '' @@ -335,20 +359,30 @@ module publicIPAddress '../publicIPAddresses/deploy.bicep' = [for (virtualGatewa // VNET Gateway // ============ -resource virtualNetworkGateway 'Microsoft.Network/virtualNetworkGateways@2021-08-01' = { +resource virtualNetworkGateway 'Microsoft.Network/virtualNetworkGateways@2022-07-01' = { name: name location: location tags: tags properties: { ipConfigurations: ipConfiguration activeActive: isActiveActiveValid + allowRemoteVnetTraffic: allowRemoteVnetTraffic + allowVirtualWanTraffic: allowVirtualWanTraffic enableBgp: isBgpValid bgpSettings: isBgpValid ? bgpSettings : null + disableIPSecReplayProtection: disableIPSecReplayProtection + enableDnsForwarding: enableDnsForwarding + enablePrivateIpAddress: enablePrivateIpAddress + enableBgpRouteTranslationForNat: enableBgpRouteTranslationForNat + gatewayType: virtualNetworkGatewayType + gatewayDefaultSite: !empty(gatewayDefaultSiteLocalNetworkGatewayId) ? { + id: gatewayDefaultSiteLocalNetworkGatewayId + } : null + natRules: natRules sku: { name: virtualNetworkGatewaySku tier: virtualNetworkGatewaySku } - gatewayType: virtualNetworkGatewayType vpnType: vpnTypeVar vpnClientConfiguration: !empty(vpnClientAddressPoolPrefix) ? vpnClientConfiguration : null } diff --git a/modules/Microsoft.Network/virtualNetworkGateways/readme.md b/modules/Microsoft.Network/virtualNetworkGateways/readme.md index b4086db5ec..44c9c7cee1 100644 --- a/modules/Microsoft.Network/virtualNetworkGateways/readme.md +++ b/modules/Microsoft.Network/virtualNetworkGateways/readme.md 
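Review bot: The description of `disableIPSecReplayProtection` in the new parameter block reads only `disableIPSecReplayProtection flag. Used for VPN Gateways.`, which tells a caller nothing about what is given up; replay protection is the IPsec defence against captured packets being re-sent, so the text should state the trade-off, e.g. `@description('Optional. Disables IPsec anti-replay protection on the gateway\'s tunnels. Leave false unless a peer device requires it; disabling it removes protection against replayed packets. Used for VPN Gateways.')`. The same flag-name-only style is used for `enableBgpRouteTranslationForNat`, whose description could say what happens when it is set without `natRules` (the @@ -335 hunk below passes it through unconditionally, so any rejection surfaces at deployment time — I cannot confirm the service behaviour from the diff). `gatewayDefaultSiteLocalNetworkGatewayId` tells the caller to assign Null to remove a default site, but the parameter is a string defaulting to `''` and the @@ -335 hunk maps the empty string to null, so `An empty string clears the default site.` is the accurate instruction.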
@@ -18,7 +18,7 @@ This module deploys a virtual network gateway.
 | `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) |
 | `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) |
 | `Microsoft.Network/publicIPAddresses` | [2022-07-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2022-07-01/publicIPAddresses) |
-| `Microsoft.Network/virtualNetworkGateways` | [2021-08-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-08-01/virtualNetworkGateways) |
+| `Microsoft.Network/virtualNetworkGateways` | [2022-07-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2022-07-01/virtualNetworkGateways) |
 ## Parameters
@@ -37,6 +37,8 @@ This module deploys a virtual network gateway.
 | :-- | :-- | :-- | :-- | :-- |
 | `activeActive` | bool | `True` | | Value to specify if the Gateway should be deployed in active-active or active-passive configuration. |
 | `activeGatewayPipName` | string | `[format('{0}-pip2', parameters('name'))]` | | Specifies the name of the Public IP used by the Virtual Network Gateway when active-active configuration is required. If it's not provided, a '-pip' suffix will be appended to the gateway's name. |
+| `allowRemoteVnetTraffic` | bool | `False` | | Configure this gateway to accept traffic from other Azure Virtual Networks. This configuration does not support connectivity to Azure Virtual WAN. |
+| `allowVirtualWanTraffic` | bool | `False` | | Configures this gateway to accept traffic from remote Virtual WAN networks. |
 | `asn` | int | `65815` | | ASN value. |
 | `clientRevokedCertThumbprint` | string | `''` | | Thumbprint of the revoked certificate. This would revoke VPN client certificates matching this thumbprint from connecting to the VNet. |
 | `clientRootCertData` | string | `''` | | Client root certificate data used to authenticate VPN clients. Cannot be configured if vpnClientAadConfiguration is provided. |
@@ -46,12 +48,18 @@ This module deploys a virtual network gateway. | `diagnosticMetricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | The name of metrics that will be streamed. | | `diagnosticStorageAccountId` | string | `''` | | Resource ID of the diagnostic storage account. | | `diagnosticWorkspaceId` | string | `''` | | Resource ID of the diagnostic log analytics workspace. | +| `disableIPSecReplayProtection` | bool | `False` | | disableIPSecReplayProtection flag. Used for VPN Gateways. | | `domainNameLabel` | array | `[]` | | DNS name(s) of the Public IP resource(s). If you enabled active-active configuration, you need to provide 2 DNS names, if you want to use this feature. A region specific suffix will be appended to it, e.g.: your-DNS-name.westeurope.cloudapp.azure.com. | | `enableBgp` | bool | `True` | | Value to specify if BGP is enabled or not. | +| `enableBgpRouteTranslationForNat` | bool | `False` | | EnableBgpRouteTranslationForNat flag. Can only be used when "natRules" are enabled on the Virtual Network Gateway. | | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | +| `enableDnsForwarding` | bool | `False` | | Whether DNS forwarding is enabled or not and is only supported for Express Route Gateways. | +| `enablePrivateIpAddress` | bool | `False` | | Whether private IP needs to be enabled on this gateway for connections or not. Used for configuring a Site-to-Site VPN connection over ExpressRoute private peering. | +| `gatewayDefaultSiteLocalNetworkGatewayId` | string | `''` | | The reference to the LocalNetworkGateway resource which represents local network site having default routes. Assign Null value in case of removing existing default site setting. | | `gatewayPipName` | string | `[format('{0}-pip1', parameters('name'))]` | | Specifies the name of the Public IP used by the Virtual Network Gateway. If it's not provided, a '-pip' suffix will be appended to the gateway's name. 
| | `location` | string | `[resourceGroup().location]` | | Location for all resources. | | `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | +| `natRules` | array | `[]` | | NatRules for virtual network gateway. NAT is supported on the the following SKUs: VpnGw2~5, VpnGw2AZ~5AZ and is supported for IPsec/IKE cross-premises connections only. | | `publicIpdiagnosticLogCategoriesToEnable` | array | `[allLogs]` | `[allLogs, DDoSMitigationFlowLogs, DDoSMitigationReports, DDoSProtectionNotifications]` | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. | | `publicIpDiagnosticSettingsName` | string | `'diagnosticSettings'` | | The name of the diagnostic setting, if deployed. | | `publicIPPrefixResourceId` | string | `''` | | Resource ID of the Public IP Prefix object. This is only needed if you want your Public IPs created in a PIP Prefix. | @@ -427,6 +435,7 @@ module virtualNetworkGateways './Microsoft.Network/virtualNetworkGateways/deploy '<>-dm-nvger' ] enableDefaultTelemetry: '' + enableDnsForwarding: true gatewayPipName: '<>-pip-nvger' roleAssignments: [ { @@ -497,6 +506,9 @@ module virtualNetworkGateways './Microsoft.Network/virtualNetworkGateways/deploy "enableDefaultTelemetry": { "value": "" }, + "enableDnsForwarding": { + "value": true + }, "gatewayPipName": { "value": "<>-pip-nvger" }, 
@@ -539,21 +551,64 @@ module virtualNetworkGateways './Microsoft.Network/virtualNetworkGateways/deploy params: { // Required parameters name: '<>nvgvpn001' - virtualNetworkGatewaySku: 'VpnGw1AZ' + virtualNetworkGatewaySku: 'VpnGw2AZ' virtualNetworkGatewayType: 'Vpn' vNetResourceId: '' // Non-required parameters activeActive: true + allowRemoteVnetTraffic: true diagnosticEventHubAuthorizationRuleId: '' diagnosticEventHubName: '' diagnosticLogsRetentionInDays: 7 diagnosticStorageAccountId: '' diagnosticWorkspaceId: '' + disableIPSecReplayProtection: true domainNameLabel: [ '<>-dm-nvgvpn' ] + enableBgpRouteTranslationForNat: true enableDefaultTelemetry: '' + enablePrivateIpAddress: true + gatewayDefaultSiteLocalNetworkGatewayId: '' lock: 'CanNotDelete' + natRules: [ + { + name: 'nat-rule-1-static-IngressSnat' + properties: { + externalMappings: [ + { + addressSpace: '192.168.0.0/24' + portRange: '100' + } + ] + internalMappings: [ + { + addressSpace: '10.100.0.0/24' + portRange: '100' + } + ] + mode: 'IngressSnat' + type: 'Static' + } + } + { + name: 'nat-rule-2-dynamic-EgressSnat' + properties: { + externalMappings: [ + { + addressSpace: '10.200.0.0/26' + } + ] + internalMappings: [ + { + addressSpace: '172.16.0.0/26' + } + ] + mode: 'EgressSnat' + type: 'Dynamic' + } + } + ] publicIpZones: [ '1' ] @@ -587,7 +642,7 @@ module virtualNetworkGateways './Microsoft.Network/virtualNetworkGateways/deploy "value": "<>nvgvpn001" }, "virtualNetworkGatewaySku": { - "value": "VpnGw1AZ" + "value": "VpnGw2AZ" }, "virtualNetworkGatewayType": { "value": "Vpn" @@ -599,6 +654,9 @@ module virtualNetworkGateways './Microsoft.Network/virtualNetworkGateways/deploy "activeActive": { "value": true }, + "allowRemoteVnetTraffic": { + "value": true + }, "diagnosticEventHubAuthorizationRuleId": { "value": "" }, 
@@ -614,17 +672,69 @@ module virtualNetworkGateways './Microsoft.Network/virtualNetworkGateways/deploy "diagnosticWorkspaceId": { "value": "" }, + "disableIPSecReplayProtection": { + "value": true + }, "domainNameLabel": { "value": [ "<>-dm-nvgvpn" ] }, + "enableBgpRouteTranslationForNat": { + "value": true + }, "enableDefaultTelemetry": { "value": "" }, + "enablePrivateIpAddress": { + "value": true + }, + "gatewayDefaultSiteLocalNetworkGatewayId": { + "value": "" + }, "lock": { "value": "CanNotDelete" }, + "natRules": { + "value": [ + { + "name": "nat-rule-1-static-IngressSnat", + "properties": { + "externalMappings": [ + { + "addressSpace": "192.168.0.0/24", + "portRange": "100" + } + ], + "internalMappings": [ + { + "addressSpace": "10.100.0.0/24", + "portRange": "100" + } + ], + "mode": "IngressSnat", + "type": "Static" + } + }, + { + "name": "nat-rule-2-dynamic-EgressSnat", + "properties": { + "externalMappings": [ + { + "addressSpace": "10.200.0.0/26" + } + ], + "internalMappings": [ + { + "addressSpace": "172.16.0.0/26" + } + ], + "mode": "EgressSnat", + "type": "Dynamic" + } + } + ] + }, "publicIpZones": { "value": [ "1" From 5f2b616c91306492d40158f08529a55aa6b39b0c Mon Sep 17 00:00:00 2001 From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> Date: Sat, 11 Feb 2023 12:24:25 +1100 Subject: [PATCH 2/3] Added nat rules child module --- .../.test/expressRoute/deploy.test.bicep | 1 - .../virtualNetworkGateways/deploy.bicep | 19 ++++- .../natRules/deploy.bicep | 70 +++++++++++++++++++ .../virtualNetworkGateways/natRules/readme.md | 54 ++++++++++++++ .../natRules/version.json | 4 ++ .../virtualNetworkGateways/readme.md | 9 +-- 6 files changed, 147 insertions(+), 10 deletions(-) create mode 100644 modules/Microsoft.Network/virtualNetworkGateways/natRules/deploy.bicep create mode 100644 modules/Microsoft.Network/virtualNetworkGateways/natRules/readme.md create mode 100644 modules/Microsoft.Network/virtualNetworkGateways/natRules/version.json 
diff --git a/modules/Microsoft.Network/virtualNetworkGateways/.test/expressRoute/deploy.test.bicep b/modules/Microsoft.Network/virtualNetworkGateways/.test/expressRoute/deploy.test.bicep
index 2d2f1ba297..aa6497436d 100644
--- a/modules/Microsoft.Network/virtualNetworkGateways/.test/expressRoute/deploy.test.bicep
+++ b/modules/Microsoft.Network/virtualNetworkGateways/.test/expressRoute/deploy.test.bicep
@@ -89,6 +89,5 @@ module testDeployment '../../deploy.bicep' = {
 Role: 'DeploymentValidation'
 ServiceName: 'DeploymentValidation'
 }
- enableDnsForwarding: true
 }
 }
diff --git a/modules/Microsoft.Network/virtualNetworkGateways/deploy.bicep b/modules/Microsoft.Network/virtualNetworkGateways/deploy.bicep
index 1ce0819735..7eaa69a769 100644
--- a/modules/Microsoft.Network/virtualNetworkGateways/deploy.bicep
+++ b/modules/Microsoft.Network/virtualNetworkGateways/deploy.bicep
@@ -75,7 +75,7 @@ param allowRemoteVnetTraffic bool = false
 @description('Optional. disableIPSecReplayProtection flag. Used for VPN Gateways.')
 param disableIPSecReplayProtection bool = false
-@description('Optional. Whether DNS forwarding is enabled or not and is only supported for Express Route Gateways.')
+@description('Optional. Whether DNS forwarding is enabled or not and is only supported for Express Route Gateways. The DNS forwarding feature flag must be enabled on the current subscription.')
 param enableDnsForwarding bool = false
 @description('Optional. Whether private IP needs to be enabled on this gateway for connections or not. Used for configuring a Site-to-Site VPN connection over ExpressRoute private peering.')
@@ -371,14 +371,13 @@ resource virtualNetworkGateway 'Microsoft.Network/virtualNetworkGateways@2022-07
 enableBgp: isBgpValid
 bgpSettings: isBgpValid ? bgpSettings : null
 disableIPSecReplayProtection: disableIPSecReplayProtection
- enableDnsForwarding: enableDnsForwarding
+ enableDnsForwarding: virtualNetworkGatewayType == 'ExpressRoute' ? enableDnsForwarding : null
 enablePrivateIpAddress: enablePrivateIpAddress
 enableBgpRouteTranslationForNat: enableBgpRouteTranslationForNat
 gatewayType: virtualNetworkGatewayType
 gatewayDefaultSite: !empty(gatewayDefaultSiteLocalNetworkGatewayId) ? {
 id: gatewayDefaultSiteLocalNetworkGatewayId
 } : null
- natRules: natRules
 sku: {
 name: virtualNetworkGatewaySku
 tier: virtualNetworkGatewaySku
@@ -391,6 +390,20 @@ resource virtualNetworkGateway 'Microsoft.Network/virtualNetworkGateways@2022-07
 ]
 }
+module virtualNetworkGateway_natRules 'natRules/deploy.bicep' = [for (natRule, index) in natRules: {
+ name: '${deployment().name}-NATRule-${index}'
+ params: {
+ name: natRule.name
+ virtualNetworkGatewayName: virtualNetworkGateway.name
+ externalMappings: contains(natRule, 'externalMappings') ? natRule.externalMappings : []
+ internalMappings: contains(natRule, 'internalMappings') ? natRule.internalMappings : []
+ ipConfigurationId: contains(natRule, 'ipConfigurationId') ? natRule.ipConfigurationId : ''
+ mode: contains(natRule, 'mode') ? natRule.mode : ''
+ type: contains(natRule, 'type') ? natRule.type : ''
+ enableDefaultTelemetry: enableReferencedModulesTelemetry
+ }
+}]
+
 resource virtualNetworkGateway_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) {
 name: '${virtualNetworkGateway.name}-${lock}-lock'
 properties: {
diff --git a/modules/Microsoft.Network/virtualNetworkGateways/natRules/deploy.bicep b/modules/Microsoft.Network/virtualNetworkGateways/natRules/deploy.bicep
new file mode 100644
index 0000000000..d0c3eab4f8
--- /dev/null
+++ b/modules/Microsoft.Network/virtualNetworkGateways/natRules/deploy.bicep
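Review bot: The new `virtualNetworkGateway_natRules` loop forwards `ipConfigurationId` as `''` when the caller omits it, while the child module added in this patch describes that field as required for Dynamic NAT; a `type: 'Dynamic'` entry without an instance binding (which the vpn test in patch 3 deploys) is therefore only caught, if at all, by the service at deployment time. If that is the intended contract, the parent `natRules` description should say so; a pointer such as `Dynamic rules may require ipConfigurationId; see natRules/readme.md.` would save a failed deployment, though whether the service enforces it is something I cannot confirm from the diff. The preceding hunk gates `enableDnsForwarding` on `virtualNetworkGatewayType == 'ExpressRoute'`, which is a good pattern; `disableIPSecReplayProtection` and `enableBgpRouteTranslationForNat` are still sent for ExpressRoute gateways, so the same guard is worth considering there if the API rejects VPN-only settings.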
@@ -0,0 +1,70 @@ +@description('Required. The name of the NAT rule.') +param name string + +@description('Conditional. The name of the parent Virtual Network Gateway this NAT rule is associated with. Required if the template is used in a standalone deployment.') +param virtualNetworkGatewayName string + +@description('Optional. An address prefix range of destination IPs on the outside network that source IPs will be mapped to. In other words, your post-NAT address prefix range.') +param externalMappings array = [] + +@description('Optional. An address prefix range of source IPs on the inside network that will be mapped to a set of external IPs. In other words, your pre-NAT address prefix range.') +param internalMappings array = [] + +@description('Optional. A NAT rule must be configured to a specific Virtual Network Gateway instance. This is applicable to Dynamic NAT only. Static NAT rules are automatically applied to both Virtual Network Gateway instances.') +param ipConfigurationId string = '' + +@description('Optional. The type of NAT rule for Virtual Network NAT. IngressSnat mode (also known as Ingress Source NAT) is applicable to traffic entering the Azure hub\'s site-to-site Virtual Network gateway. EgressSnat mode (also known as Egress Source NAT) is applicable to traffic leaving the Azure hub\'s Site-to-site Virtual Network gateway.') +@allowed([ + '' + 'EgressSnat' + 'IngressSnat' +]) +param mode string = '' + +@description('Optional. The type of NAT rule for Virtual Network NAT. Static one-to-one NAT establishes a one-to-one relationship between an internal address and an external address while Dynamic NAT assigns an IP and port based on availability.') +@allowed([ + '' + 'Dynamic' + 'Static' +]) +param type string = '' + +@description('Optional. 
Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { + name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}' + properties: { + mode: 'Incremental' + template: { + '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' + contentVersion: '1.0.0.0' + resources: [] + } + } +} + +resource virtualNetworkGateway 'Microsoft.Network/virtualNetworkGateways@2022-07-01' existing = { + name: virtualNetworkGatewayName +} + +resource natRule 'Microsoft.Network/virtualNetworkGateways/natRules@2022-07-01' = { + name: name + parent: virtualNetworkGateway + properties: { + externalMappings: externalMappings + internalMappings: internalMappings + ipConfigurationId: !empty(ipConfigurationId) ? ipConfigurationId : null + mode: !empty(mode) ? any(mode) : null + type: !empty(type) ? any(type) : null + } +} + +@description('The name of the NAT rule.') +output name string = natRule.name + +@description('The resource ID of the NAT rule.') +output resourceId string = natRule.id + +@description('The name of the resource group the NAT rule was deployed into.') +output resourceGroupName string = resourceGroup().name diff --git a/modules/Microsoft.Network/virtualNetworkGateways/natRules/readme.md b/modules/Microsoft.Network/virtualNetworkGateways/natRules/readme.md new file mode 100644 index 0000000000..1bfe38b62a --- /dev/null +++ b/modules/Microsoft.Network/virtualNetworkGateways/natRules/readme.md 
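Review bot: The `ipConfigurationId` description explains that Dynamic NAT must be bound to a specific gateway instance, but the new natRules module never checks that a `type: 'Dynamic'` rule carries one, so an omission is only discovered at deployment time if the service rejects it. Stating the consequence in the description, `Deployment may fail for Dynamic rules without an ipConfigurationId.`, is cheaper than a failed run; I cannot confirm the service behaviour from the diff. The `mode: !empty(mode) ? any(mode) : null` and `type: !empty(type) ? any(type) : null` lines use `any()` without explanation; a comment such as `// any(): the allowed-values list includes '' which the resource type does not accept` would record why the cast is there — that reading is my inference, please confirm. The `virtualNetworkGatewayName` parameter is labelled `Conditional` yet has no default, so the compiler treats it as required in every deployment; if that wording is the repository convention for child modules, a short note saying so would help standalone users.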
@@ -0,0 +1,54 @@ +# VPN Gateways NATRules `[Microsoft.Network/virtualNetworkGateways/natRules]` + +This module deploys Virtual Network Gateways NATRules + +## Navigation + +- [Resource Types](#Resource-Types) +- [Parameters](#Parameters) +- [Outputs](#Outputs) +- [Cross-referenced modules](#Cross-referenced-modules) + +## Resource Types + +| Resource Type | API Version | +| :-- | :-- | +| `Microsoft.Network/virtualNetworkGateways/natRules` | [2022-07-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2022-07-01/virtualNetworkGateways/natRules) | + +## Parameters + +**Required parameters** + +| Parameter Name | Type | Description | +| :-- | :-- | :-- | +| `name` | string | The name of the NAT rule. | + +**Conditional parameters** + +| Parameter Name | Type | Description | +| :-- | :-- | :-- | +| `virtualNetworkGatewayName` | string | The name of the parent Virtual Network Gateway this NAT rule is associated with. Required if the template is used in a standalone deployment. | + +**Optional parameters** + +| Parameter Name | Type | Default Value | Allowed Values | Description | +| :-- | :-- | :-- | :-- | :-- | +| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | +| `externalMappings` | array | `[]` | | An address prefix range of destination IPs on the outside network that source IPs will be mapped to. In other words, your post-NAT address prefix range. | +| `internalMappings` | array | `[]` | | An address prefix range of source IPs on the inside network that will be mapped to a set of external IPs. In other words, your pre-NAT address prefix range. | +| `ipConfigurationId` | string | `''` | | A NAT rule must be configured to a specific Virtual Network Gateway instance. This is applicable to Dynamic NAT only. Static NAT rules are automatically applied to both Virtual Network Gateway instances. 
| +| `mode` | string | `''` | `['', EgressSnat, IngressSnat]` | The type of NAT rule for Virtual Network NAT. IngressSnat mode (also known as Ingress Source NAT) is applicable to traffic entering the Azure hub's site-to-site Virtual Network gateway. EgressSnat mode (also known as Egress Source NAT) is applicable to traffic leaving the Azure hub's Site-to-site Virtual Network gateway. | +| `type` | string | `''` | `['', Dynamic, Static]` | The type of NAT rule for Virtual Network NAT. Static one-to-one NAT establishes a one-to-one relationship between an internal address and an external address while Dynamic NAT assigns an IP and port based on availability. | + + +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `name` | string | The name of the NAT rule. | +| `resourceGroupName` | string | The name of the resource group the NAT rule was deployed into. | +| `resourceId` | string | The resource ID of the NAT rule. | + +## Cross-referenced modules + +_None_ diff --git a/modules/Microsoft.Network/virtualNetworkGateways/natRules/version.json b/modules/Microsoft.Network/virtualNetworkGateways/natRules/version.json new file mode 100644 index 0000000000..41f66cc990 --- /dev/null +++ b/modules/Microsoft.Network/virtualNetworkGateways/natRules/version.json @@ -0,0 +1,4 @@ +{ + "$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json", + "version": "0.1" +} diff --git a/modules/Microsoft.Network/virtualNetworkGateways/readme.md b/modules/Microsoft.Network/virtualNetworkGateways/readme.md index 44c9c7cee1..443c93c644 100644 --- a/modules/Microsoft.Network/virtualNetworkGateways/readme.md +++ b/modules/Microsoft.Network/virtualNetworkGateways/readme.md 
@@ -19,6 +19,7 @@ This module deploys a virtual network gateway.
 | `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) |
 | `Microsoft.Network/publicIPAddresses` | [2022-07-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2022-07-01/publicIPAddresses) |
 | `Microsoft.Network/virtualNetworkGateways` | [2022-07-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2022-07-01/virtualNetworkGateways) |
+| `Microsoft.Network/virtualNetworkGateways/natRules` | [2022-07-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2022-07-01/virtualNetworkGateways/natRules) |
 ## Parameters
@@ -53,13 +54,13 @@ This module deploys a virtual network gateway. | `enableBgp` | bool | `True` | | Value to specify if BGP is enabled or not. | | `enableBgpRouteTranslationForNat` | bool | `False` | | EnableBgpRouteTranslationForNat flag. Can only be used when "natRules" are enabled on the Virtual Network Gateway. | | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `enableDnsForwarding` | bool | `False` | | Whether DNS forwarding is enabled or not and is only supported for Express Route Gateways. | +| `enableDnsForwarding` | bool | `False` | | Whether DNS forwarding is enabled or not and is only supported for Express Route Gateways. The DNS forwarding feature flag must be enabled on the current subscription. | | `enablePrivateIpAddress` | bool | `False` | | Whether private IP needs to be enabled on this gateway for connections or not. Used for configuring a Site-to-Site VPN connection over ExpressRoute private peering. | | `gatewayDefaultSiteLocalNetworkGatewayId` | string | `''` | | The reference to the LocalNetworkGateway resource which represents local network site having default routes. Assign Null value in case of removing existing default site setting. | | `gatewayPipName` | string | `[format('{0}-pip1', parameters('name'))]` | | Specifies the name of the Public IP used by the Virtual Network Gateway. If it's not provided, a '-pip' suffix will be appended to the gateway's name. | | `location` | string | `[resourceGroup().location]` | | Location for all resources. | | `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | -| `natRules` | array | `[]` | | NatRules for virtual network gateway. NAT is supported on the the following SKUs: VpnGw2~5, VpnGw2AZ~5AZ and is supported for IPsec/IKE cross-premises connections only. | +| `natRules` | _[natRules](natRules/readme.md)_ array | `[]` | | NatRules for virtual network gateway. 
NAT is supported on the the following SKUs: VpnGw2~5, VpnGw2AZ~5AZ and is supported for IPsec/IKE cross-premises connections only. | | `publicIpdiagnosticLogCategoriesToEnable` | array | `[allLogs]` | `[allLogs, DDoSMitigationFlowLogs, DDoSMitigationReports, DDoSProtectionNotifications]` | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. | | `publicIpDiagnosticSettingsName` | string | `'diagnosticSettings'` | | The name of the diagnostic setting, if deployed. | | `publicIPPrefixResourceId` | string | `''` | | Resource ID of the Public IP Prefix object. This is only needed if you want your Public IPs created in a PIP Prefix. | @@ -435,7 +436,6 @@ module virtualNetworkGateways './Microsoft.Network/virtualNetworkGateways/deploy '<>-dm-nvger' ] enableDefaultTelemetry: '' - enableDnsForwarding: true gatewayPipName: '<>-pip-nvger' roleAssignments: [ { @@ -506,9 +506,6 @@ module virtualNetworkGateways './Microsoft.Network/virtualNetworkGateways/deploy "enableDefaultTelemetry": { "value": "" }, - "enableDnsForwarding": { - "value": true - }, "gatewayPipName": { "value": "<>-pip-nvger" }, From 54a9d6878bc9d21c7c0f65a8a2a893ec749ffe98 Mon Sep 17 00:00:00 2001 From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> Date: Sat, 11 Feb 2023 12:26:21 +1100 Subject: [PATCH 3/3] Updated tests --- .../.test/vpn/deploy.test.bicep | 56 ++++----- .../virtualNetworkGateways/readme.md | 112 ++++++++---------- 2 files changed, 78 insertions(+), 90 deletions(-) diff --git a/modules/Microsoft.Network/virtualNetworkGateways/.test/vpn/deploy.test.bicep b/modules/Microsoft.Network/virtualNetworkGateways/.test/vpn/deploy.test.bicep index 0dbbd7ff06..164cbe40c5 100644 --- a/modules/Microsoft.Network/virtualNetworkGateways/.test/vpn/deploy.test.bicep +++ b/modules/Microsoft.Network/virtualNetworkGateways/.test/vpn/deploy.test.bicep 
@@ -94,39 +94,35 @@ module testDeployment '../../deploy.bicep' = {
 natRules: [
 {
 name: 'nat-rule-1-static-IngressSnat'
- properties: {
- type: 'Static'
- mode: 'IngressSnat'
- internalMappings: [
- {
- addressSpace: '10.100.0.0/24'
- portRange: '100'
- }
- ]
- externalMappings: [
- {
- addressSpace: '192.168.0.0/24'
- portRange: '100'
- }
- ]
- }
+ type: 'Static'
+ mode: 'IngressSnat'
+ internalMappings: [
+ {
+ addressSpace: '10.100.0.0/24'
+ portRange: '100'
+ }
+ ]
+ externalMappings: [
+ {
+ addressSpace: '192.168.0.0/24'
+ portRange: '100'
+ }
+ ]
 }
 {
 name: 'nat-rule-2-dynamic-EgressSnat'
- properties: {
- type: 'Dynamic'
- mode: 'EgressSnat'
- internalMappings: [
- {
- addressSpace: '172.16.0.0/26'
- }
- ]
- externalMappings: [
- {
- addressSpace: '10.200.0.0/26'
- }
- ]
- }
+ type: 'Dynamic'
+ mode: 'EgressSnat'
+ internalMappings: [
+ {
+ addressSpace: '172.16.0.0/26'
+ }
+ ]
+ externalMappings: [
+ {
+ addressSpace: '10.200.0.0/26'
+ }
+ ]
 }
 ]
 enableBgpRouteTranslationForNat: true
diff --git a/modules/Microsoft.Network/virtualNetworkGateways/readme.md b/modules/Microsoft.Network/virtualNetworkGateways/readme.md
index 443c93c644..8a481d829e 100644
--- a/modules/Microsoft.Network/virtualNetworkGateways/readme.md
+++ b/modules/Microsoft.Network/virtualNetworkGateways/readme.md
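Review bot: The rule objects in the `natRules` fixture now carry `type`, `mode` and the two mapping arrays at the top level instead of under a `properties` block, and nothing in the test says why, so a reader comparing this against the ARM resource schema for gateway NAT rules will see a shape mismatch. The readme change in this patch series documents `natRules` as a `_[natRules](natRules/readme.md)_ array`, which suggests the entries are consumed by a child module that adds the wrapper itself, but that contract is not visible from this hunk. A one-line comment above `natRules: [` would settle it: `// entries use the flattened parameter shape of the natRules child module (see ../../natRules/readme.md), not the raw ARM 'properties' wrapper`. The enclosing `testDeployment` module starts outside the hunk.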
@@ -570,40 +570,36 @@ module virtualNetworkGateways './Microsoft.Network/virtualNetworkGateways/deploy
 lock: 'CanNotDelete'
 natRules: [
 {
+ externalMappings: [
+ {
+ addressSpace: '192.168.0.0/24'
+ portRange: '100'
+ }
+ ]
+ internalMappings: [
+ {
+ addressSpace: '10.100.0.0/24'
+ portRange: '100'
+ }
+ ]
+ mode: 'IngressSnat'
 name: 'nat-rule-1-static-IngressSnat'
- properties: {
- externalMappings: [
- {
- addressSpace: '192.168.0.0/24'
- portRange: '100'
- }
- ]
- internalMappings: [
- {
- addressSpace: '10.100.0.0/24'
- portRange: '100'
- }
- ]
- mode: 'IngressSnat'
- type: 'Static'
- }
+ type: 'Static'
 }
 {
+ externalMappings: [
+ {
+ addressSpace: '10.200.0.0/26'
+ }
+ ]
+ internalMappings: [
+ {
+ addressSpace: '172.16.0.0/26'
+ }
+ ]
+ mode: 'EgressSnat'
 name: 'nat-rule-2-dynamic-EgressSnat'
- properties: {
- externalMappings: [
- {
- addressSpace: '10.200.0.0/26'
- }
- ]
- internalMappings: [
- {
- addressSpace: '172.16.0.0/26'
- }
- ]
- mode: 'EgressSnat'
- type: 'Dynamic'
- }
+ type: 'Dynamic'
 }
 ]
 publicIpZones: [
@@ -695,40 +691,36 @@ module virtualNetworkGateways './Microsoft.Network/virtualNetworkGateways/deploy
 "natRules": {
 "value": [
 {
+ "externalMappings": [
+ {
+ "addressSpace": "192.168.0.0/24",
+ "portRange": "100"
+ }
+ ],
+ "internalMappings": [
+ {
+ "addressSpace": "10.100.0.0/24",
+ "portRange": "100"
+ }
+ ],
+ "mode": "IngressSnat",
 "name": "nat-rule-1-static-IngressSnat",
- "properties": {
- "externalMappings": [
- {
- "addressSpace": "192.168.0.0/24",
- "portRange": "100"
- }
- ],
- "internalMappings": [
- {
- "addressSpace": "10.100.0.0/24",
- "portRange": "100"
- }
- ],
- "mode": "IngressSnat",
- "type": "Static"
- }
+ "type": "Static"
 },
 {
+ "externalMappings": [
+ {
+ "addressSpace": "10.200.0.0/26"
+ }
+ ],
+ "internalMappings": [
+ {
+ "addressSpace": "172.16.0.0/26"
+ }
+ ],
+ "mode": "EgressSnat",
 "name": "nat-rule-2-dynamic-EgressSnat",
- "properties": {
- "externalMappings": [
- {
- "addressSpace": "10.200.0.0/26"
- }
- ],
- "internalMappings": [
- {
- "addressSpace": "172.16.0.0/26"
- }
- ],
- "mode": "EgressSnat",
- "type": "Dynamic"
- }
+ "type": "Dynamic"
 }
 ]
 },