diff --git a/.github/workflows/platform.dependencies.yml b/.github/workflows/platform.dependencies.yml index 5c26a100c8..f1c67916f1 100644 --- a/.github/workflows/platform.dependencies.yml +++ b/.github/workflows/platform.dependencies.yml @@ -340,6 +340,33 @@ jobs: managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ env.removeDeployment }}' + job_deploy_udr: + runs-on: ubuntu-20.04 + name: 'Deploy sqlmi route tables' + env: + namespace: 'Microsoft.Network\routeTables' + needs: + - job_deploy_rg + strategy: + fail-fast: false + matrix: + parameterFilePaths: ['parameters.json'] + steps: + - name: 'Checkout' + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: 'Deploy module' + uses: ./.github/actions/templates/deployModule + with: + templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + location: '${{ env.defaultLocation }}' + resourceGroupName: '${{ env.resourceGroupName }}' + subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + removeDeployment: '${{ env.removeDeployment }}' + job_deploy_sqlmi_udr: runs-on: ubuntu-20.04 name: 'Deploy sqlmi route tables' @@ -351,7 +378,7 @@ jobs: strategy: fail-fast: false matrix: - parameterFilePaths: ['parameters.json'] + parameterFilePaths: ['sqlMi.parameters.json'] steps: - name: 'Checkout' uses: actions/checkout@v2 diff --git a/arm/Microsoft.Network/virtualNetworks/.parameters/min.parameters.json b/arm/Microsoft.Network/virtualNetworks/.parameters/min.parameters.json new file mode 100644 index 0000000000..ef7a6d7206 --- /dev/null +++ b/arm/Microsoft.Network/virtualNetworks/.parameters/min.parameters.json 
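Review bot: The new `job_deploy_udr` job reuses the display name of the job that follows it, `name: 'Deploy sqlmi route tables'`, so a run shows two jobs with identical names although this one deploys the generic route table (`parameters.json`, renamed to `adp-sxx-az-udr-x-001` elsewhere in this commit) rather than the SQL MI one; `name: 'Deploy route tables'` would disambiguate. The job otherwise mirrors `job_deploy_sqlmi_udr`, including `uses: actions/checkout@v2` referenced by a mutable tag; that looks like the file-wide convention, but pinning third-party actions to a full commit SHA is the usual supply-chain hardening for a workflow that handles subscription and management-group secrets. The `job_deploy_sqlmi_udr` definition that starts at the end of the hunk continues outside it.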
@@ -0,0 +1,22 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "name": { + "value": "sxx-az-vnet-min-001" + }, + "addressPrefixes": { + "value": [ + "10.0.0.0/16" + ] + }, + "subnets": { + "value": [ + { + "name": "default", + "addressPrefix": "10.0.0.0/16" + } + ] + } + } +} diff --git a/arm/Microsoft.Network/virtualNetworks/.parameters/parameters.json b/arm/Microsoft.Network/virtualNetworks/.parameters/parameters.json index 2ce331a6ff..1edc7171f5 100644 --- a/arm/Microsoft.Network/virtualNetworks/.parameters/parameters.json +++ b/arm/Microsoft.Network/virtualNetworks/.parameters/parameters.json 
@@ -19,66 +19,18 @@ { "name": "sxx-az-subnet-x-001", "addressPrefix": "10.0.0.0/24", - "networkSecurityGroupName": "", - "routeTableName": "", + "networkSecurityGroupName": "adp-sxx-az-nsg-x-001", "serviceEndpoints": [ - { - "service": "Microsoft.EventHub" - }, - { - "service": "Microsoft.Sql" - }, - { - "service": "Microsoft.Storage" - }, - { - "service": "Microsoft.KeyVault" - } + "Microsoft.EventHub", + "Microsoft.Sql", + "Microsoft.Storage", + "Microsoft.KeyVault" ], - "delegations": [] + "routeTableName": "adp-sxx-az-udr-x-001" }, { "name": "sxx-az-subnet-x-002", - "addressPrefix": "10.0.1.0/24", - "networkSecurityGroupName": "", - "routeTableName": "", - "serviceEndpoints": [ - { - "service": "Microsoft.EventHub" - }, - { - "service": "Microsoft.Sql" - }, - { - "service": "Microsoft.Storage" - }, - { - "service": "Microsoft.KeyVault" - } - ], - "delegations": [] - }, - { - "name": "sxx-az-subnet-x-003", - "addressPrefix": "10.0.2.0/24", - "networkSecurityGroupName": "", - "routeTableName": "", - "serviceEndpoints": [], - "delegations": [ - { - "name": "sqlMiDel", - "properties": { - "serviceName": "Microsoft.Sql/managedInstances" - } - } - ] - }, - { - "name": "sxx-az-subnet-x-004", "addressPrefix": "10.0.3.0/24", - "networkSecurityGroupName": "", - "routeTableName": "", - "serviceEndpoints": [], "delegations": [ { "name": "netappDel", 
@@ -89,29 +41,9 @@ ] }, { - "name": "AzureFirewallSubnet", - "addressPrefix": "10.0.4.0/24", - "networkSecurityGroupName": "", - "routeTableName": "", - "serviceEndpoints": [], - "delegations": [] - }, - { - "name": "AzureBastionSubnet", - "addressPrefix": "10.0.5.0/24", - "networkSecurityGroupName": "", - "routeTableName": "", - "serviceEndpoints": [], - "delegations": [] - }, - { - "name": "sxx-az-subnet-x-005", + "name": "sxx-az-subnet-x-003", "addressPrefix": "10.0.6.0/24", - "networkSecurityGroupName": "", - "routeTableName": "", - "serviceEndpoints": [], - "delegations": [], - "privateEndpointNetworkPolicies": "Disabled", // This property must be set to disabled for subnets that contain private endpoints. It confirms that NSGs rules will not apply to private endpoints (currently not supported). Default Value when not specified is "Enabled". + "privateEndpointNetworkPolicies": "Disabled", "privateLinkServiceNetworkPolicies": "Enabled" } ] diff --git a/arm/Microsoft.Network/virtualNetworks/.parameters/vnetPeering.parameters.json b/arm/Microsoft.Network/virtualNetworks/.parameters/vnetPeering.parameters.json index 904184b7cf..1dafaf6ee9 100644 --- a/arm/Microsoft.Network/virtualNetworks/.parameters/vnetPeering.parameters.json +++ b/arm/Microsoft.Network/virtualNetworks/.parameters/vnetPeering.parameters.json 
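Review bot: `sxx-az-subnet-x-003` keeps `"privateEndpointNetworkPolicies": "Disabled"` but, like `sxx-az-subnet-x-002` in the previous hunk, now has neither `networkSecurityGroupName` nor `routeTableName`, so only `sxx-az-subnet-x-001` exercises the NSG/route-table association path of the new `subnets` module and no fixture combines it with a delegation. For a private-endpoint subnet that is consistent with the new subnets readme (NSG rules do not apply there), but it is worth confirming the trim was deliberate rather than a coverage loss. Dropping the trailing `//` comment is correct since it was never valid JSON; the explanation now lives in `subnets/readme.md`, which is the right place for it.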
@@ -3,116 +3,18 @@ "contentVersion": "1.0.0.0", "parameters": { "name": { - "value": "sxx-az-vnet-x-001" + "value": "sxx-az-vnet-peer-x-002" }, "addressPrefixes": { "value": [ - "10.0.0.0/16" + "10.0.0.0/24" ] }, "subnets": { "value": [ { "name": "GatewaySubnet", - "addressPrefix": "10.0.255.0/24" - }, - { - "name": "sxx-az-subnet-x-001", - "addressPrefix": "10.0.0.0/24", - "networkSecurityGroupName": "", - "routeTableName": "", - "serviceEndpoints": [ - { - "service": "Microsoft.EventHub" - }, - { - "service": "Microsoft.Sql" - }, - { - "service": "Microsoft.Storage" - }, - { - "service": "Microsoft.KeyVault" - } - ], - "delegations": [] - }, - { - "name": "sxx-az-subnet-x-002", - "addressPrefix": "10.0.1.0/24", - "networkSecurityGroupName": "", - "routeTableName": "", - "serviceEndpoints": [ - { - "service": "Microsoft.EventHub" - }, - { - "service": "Microsoft.Sql" - }, - { - "service": "Microsoft.Storage" - }, - { - "service": "Microsoft.KeyVault" - } - ], - "delegations": [] - }, - { - "name": "sxx-az-subnet-x-003", - "addressPrefix": "10.0.2.0/24", - "networkSecurityGroupName": "", - "routeTableName": "", - "serviceEndpoints": [], - "delegations": [ - { - "name": "sqlMiDel", - "properties": { - "serviceName": "Microsoft.Sql/managedInstances" - } - } - ] - }, - { - "name": "sxx-az-subnet-x-004", - "addressPrefix": "10.0.3.0/24", - "networkSecurityGroupName": "", - "routeTableName": "", - "serviceEndpoints": [], - "delegations": [ - { - "name": "netappDel", - "properties": { - "serviceName": "Microsoft.Netapp/volumes" - } - } - ] - }, - { - "name": "AzureFirewallSubnet", - "addressPrefix": "10.0.4.0/24", - "networkSecurityGroupName": "", - "routeTableName": "", - "serviceEndpoints": [], - "delegations": [] - }, - { - "name": "AzureBastionSubnet", - "addressPrefix": "10.0.5.0/24", - "networkSecurityGroupName": "", - "routeTableName": "", - "serviceEndpoints": [], - "delegations": [] - }, - { - "name": "sxx-az-subnet-x-005", - "addressPrefix": "10.0.6.0/24", - 
"networkSecurityGroupName": "", - "routeTableName": "", - "serviceEndpoints": [], - "delegations": [], - "privateEndpointNetworkPolicies": "Disabled", // This property must be set to disabled for subnets that contain private endpoints. It confirms that NSGs rules will not apply to private endpoints (currently not supported). Default Value when not specified is "Enabled". - "privateLinkServiceNetworkPolicies": "Enabled" + "addressPrefix": "10.0.0.0/26" } ] }, @@ -123,17 +25,11 @@ "allowForwardedTraffic": true, "allowGatewayTransit": false, "allowVirtualNetworkAccess": true, - "useRemoteGateways": false - } - ] - }, - "roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "principalIds": [ - "<>" - ] + "useRemoteGateways": false, + "remotePeeringEnabled": true, + "remotePeeringName": "customName", + "remotePeeringAllowVirtualNetworkAccess": true, + "remotePeeringAllowForwardedTraffic": true } ] }, diff --git a/arm/Microsoft.Network/virtualNetworks/deploy.bicep b/arm/Microsoft.Network/virtualNetworks/deploy.bicep index bc28073ee2..c85f3f6238 100644 --- a/arm/Microsoft.Network/virtualNetworks/deploy.bicep +++ b/arm/Microsoft.Network/virtualNetworks/deploy.bicep @@ -11,10 +11,6 @@ param addressPrefixes array @minLength(1) param subnets array -@description('Optional. Resource Group where NSGs are deployed, if different than VNET Resource Group.') -@minLength(1) -param nsgResourceGroup string = resourceGroup().name - @description('Optional. DNS Servers associated to the Virtual Network.') param dnsServers array = [] @@ -105,7 +101,7 @@ module pid_cuaId '.bicep/nested_cuaId.bicep' = if (!empty(cuaId)) { params: {} } -resource virtualNetwork 'Microsoft.Network/virtualNetworks@2021-05-01' = { +resource virtualNetwork 'Microsoft.Network/virtualNetworks@2021-03-01' = { name: name location: location tags: tags 
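Review bot: Removing `param nsgResourceGroup` is a breaking change for callers that currently pass it, since a deployment with an unknown parameter fails, and its replacement is the per-subnet `networkSecurityGroupNameResourceGroupName` property consumed by the new `subnets` module. The readme row is dropped in this commit but nothing tells existing consumers how to migrate; a short note in the readme (or the module changelog, if one exists) naming the old parameter and its per-subnet replacement would avoid surprise failures.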
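Review bot: The `Microsoft.Network/virtualNetworks` API version is moved back from `2021-05-01` to `2021-03-01` here, but the readme's Resource Types table and its Template references link in this same commit still list `2021-05-01`, so documentation and template now disagree. Either keep the resource at `2021-05-01` (the `existing` reference in `subnets/deploy.bicep` uses `2021-03-01`, which as far as I know does not need to match the parent) or update the two readme entries. If the downgrade is intentional, a one-line comment above the resource stating why would keep the next reviewer from bumping it back.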
@@ -116,34 +112,72 @@ resource virtualNetwork 'Microsoft.Network/virtualNetworks@2021-05-01' = { ddosProtectionPlan: !empty(ddosProtectionPlanId) ? ddosProtectionPlan : null dhcpOptions: !empty(dnsServers) ? dnsServers_var : null enableDdosProtection: !empty(ddosProtectionPlanId) - subnets: [for item in subnets: { - name: item.name + subnets: [for subnet in subnets: { + name: subnet.name properties: { - addressPrefix: item.addressPrefix - networkSecurityGroup: contains(item, 'networkSecurityGroupName') ? (empty(item.networkSecurityGroupName) ? null : json('{"id": "${resourceId(nsgResourceGroup, 'Microsoft.Network/networkSecurityGroups', item.networkSecurityGroupName)}"}')) : null - routeTable: contains(item, 'routeTableName') ? (empty(item.routeTableName) ? null : json('{"id": "${resourceId('Microsoft.Network/routeTables', item.routeTableName)}"}')) : null - serviceEndpoints: contains(item, 'serviceEndpoints') ? (empty(item.serviceEndpoints) ? null : item.serviceEndpoints) : null - delegations: contains(item, 'delegations') ? (empty(item.delegations) ? null : item.delegations) : null - natGateway: contains(item, 'natGatewayName') ? (empty(item.natGatewayName) ? null : json('{"id": "${resourceId('Microsoft.Network/natGateways', item.natGatewayName)}"}')) : null - privateEndpointNetworkPolicies: contains(item, 'privateEndpointNetworkPolicies') ? (empty(item.privateEndpointNetworkPolicies) ? null : item.privateEndpointNetworkPolicies) : null - privateLinkServiceNetworkPolicies: contains(item, 'privateLinkServiceNetworkPolicies') ? (empty(item.privateLinkServiceNetworkPolicies) ? 
null : item.privateLinkServiceNetworkPolicies) : null + addressPrefix: subnet.addressPrefix } }] } } -module virtualNetworkPeerings_resource 'virtualNetworkPeerings/deploy.bicep' = [for (virtualNetworkPeering, index) in virtualNetworkPeerings: { - name: '${uniqueString(deployment().name, location)}-VNet-VNetPeering-${index}' +@batchSize(1) +module virtualNetwork_subnets 'subnets/deploy.bicep' = [for (subnet, index) in subnets: { + name: '${uniqueString(deployment().name, location)}-subnet-${index}' + params: { + virtualNetworkName: virtualNetwork.name + name: subnet.name + addressPrefix: subnet.addressPrefix + addressPrefixes: contains(subnet, 'addressPrefixes') ? subnet.addressPrefixes : [] + applicationGatewayIpConfigurations: contains(subnet, 'applicationGatewayIpConfigurations') ? subnet.applicationGatewayIpConfigurations : [] + delegations: contains(subnet, 'delegations') ? subnet.delegations : [] + ipAllocations: contains(subnet, 'ipAllocations') ? subnet.ipAllocations : [] + natGatewayName: contains(subnet, 'natGatewayName') ? subnet.natGatewayName : '' + networkSecurityGroupName: contains(subnet, 'networkSecurityGroupName') ? subnet.networkSecurityGroupName : '' + networkSecurityGroupNameResourceGroupName: contains(subnet, 'networkSecurityGroupNameResourceGroupName') ? subnet.networkSecurityGroupNameResourceGroupName : resourceGroup().name + privateEndpointNetworkPolicies: contains(subnet, 'privateEndpointNetworkPolicies') ? subnet.privateEndpointNetworkPolicies : '' + privateLinkServiceNetworkPolicies: contains(subnet, 'privateLinkServiceNetworkPolicies') ? subnet.privateLinkServiceNetworkPolicies : '' + routeTableName: contains(subnet, 'routeTableName') ? subnet.routeTableName : '' + serviceEndpointPolicies: contains(subnet, 'serviceEndpointPolicies') ? subnet.serviceEndpointPolicies : [] + serviceEndpoints: contains(subnet, 'serviceEndpoints') ? 
subnet.serviceEndpoints : [] + } +}] + +// Local to Remote peering +module virtualNetwork_peering_local 'virtualNetworkPeerings/deploy.bicep' = [for (peering, index) in virtualNetworkPeerings: { + name: '${uniqueString(deployment().name, location)}-virtualNetworkPeering-local-${index}' params: { localVnetName: name - remoteVirtualNetworkId: virtualNetworkPeering.remoteVirtualNetworkId - name: contains(virtualNetworkPeering, 'name') ? virtualNetworkPeering.name : '${name}-${last(split(virtualNetworkPeering.remoteVirtualNetworkId, '/'))}' - allowForwardedTraffic: contains(virtualNetworkPeering, 'allowForwardedTraffic') ? virtualNetworkPeering.allowForwardedTraffic : true - allowGatewayTransit: contains(virtualNetworkPeering, 'allowGatewayTransit') ? virtualNetworkPeering.allowGatewayTransit : false - allowVirtualNetworkAccess: contains(virtualNetworkPeering, 'allowVirtualNetworkAccess') ? virtualNetworkPeering.allowVirtualNetworkAccess : true - doNotVerifyRemoteGateways: contains(virtualNetworkPeering, 'doNotVerifyRemoteGateways') ? virtualNetworkPeering.doNotVerifyRemoteGateways : true - useRemoteGateways: contains(virtualNetworkPeering, 'useRemoteGateways') ? virtualNetworkPeering.useRemoteGateways : false + remoteVirtualNetworkId: peering.remoteVirtualNetworkId + name: contains(peering, 'name') ? peering.name : '${name}-${last(split(peering.remoteVirtualNetworkId, '/'))}' + allowForwardedTraffic: contains(peering, 'allowForwardedTraffic') ? peering.allowForwardedTraffic : true + allowGatewayTransit: contains(peering, 'allowGatewayTransit') ? peering.allowGatewayTransit : false + allowVirtualNetworkAccess: contains(peering, 'allowVirtualNetworkAccess') ? peering.allowVirtualNetworkAccess : true + doNotVerifyRemoteGateways: contains(peering, 'doNotVerifyRemoteGateways') ? peering.doNotVerifyRemoteGateways : true + useRemoteGateways: contains(peering, 'useRemoteGateways') ? 
peering.useRemoteGateways : false + } + dependsOn: [ + virtualNetwork_subnets + ] +}] + +// Remote to local peering (reverse) +module virtualNetwork_peering_remote 'virtualNetworkPeerings/deploy.bicep' = [for (peering, index) in virtualNetworkPeerings: if (contains(peering, 'remotePeeringEnabled') ? peering.remotePeeringEnabled == true : false) { + name: '${uniqueString(deployment().name, location)}-virtualNetworkPeering-remote-${index}' + scope: resourceGroup(split(peering.remoteVirtualNetworkId, '/')[4]) + params: { + localVnetName: last(split(peering.remoteVirtualNetworkId, '/')) + remoteVirtualNetworkId: virtualNetwork.id + name: contains(peering, 'remotePeeringName') ? peering.remotePeeringName : '${last(split(peering.remoteVirtualNetworkId, '/'))}-${name}' + allowForwardedTraffic: contains(peering, 'remotePeeringAllowForwardedTraffic') ? peering.remotePeeringAllowForwardedTraffic : true + allowGatewayTransit: contains(peering, 'remotePeeringAllowGatewayTransit') ? peering.remotePeeringAllowGatewayTransit : false + allowVirtualNetworkAccess: contains(peering, 'remotePeeringAllowVirtualNetworkAccess') ? peering.remotePeeringAllowVirtualNetworkAccess : true + doNotVerifyRemoteGateways: contains(peering, 'remotePeeringDoNotVerifyRemoteGateways') ? peering.remotePeeringDoNotVerifyRemoteGateways : true + useRemoteGateways: contains(peering, 'remotePeeringUseRemoteGateways') ? peering.remotePeeringUseRemoteGateways : false } + dependsOn: [ + virtualNetwork_subnets + ] }] resource virtualNetwork_lock 'Microsoft.Authorization/locks@2016-09-01' = if (lock != 'NotSpecified') { diff --git a/arm/Microsoft.Network/virtualNetworks/readme.md b/arm/Microsoft.Network/virtualNetworks/readme.md index 6501668eb6..98a1b1f281 100644 --- a/arm/Microsoft.Network/virtualNetworks/readme.md +++ b/arm/Microsoft.Network/virtualNetworks/readme.md 
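Review bot: `virtualNetwork_peering_remote` builds its scope from `split(peering.remoteVirtualNetworkId, '/')[4]` alone, so the reverse peering is always deployed into a resource group of the current subscription; a `remoteVirtualNetworkId` from another subscription (segment `[2]`) resolves to the wrong subscription or fails, although cross-subscription peering is a common case. `scope: resourceGroup(split(peering.remoteVirtualNetworkId, '/')[2], split(peering.remoteVirtualNetworkId, '/')[4])` preserves the single-subscription behaviour and handles the other case. This reverse deployment also requires the deploying identity to hold write rights on the remote VNet's resource group, which the local-only peering did not, and that is worth a sentence in the readme's `remotePeeringEnabled` row so consumers can scope their deployment principal accordingly. Finally, the inline `subnets` loop now sets only `addressPrefix` while `virtualNetwork_subnets` applies everything else; a comment explaining the split (presumably so the VNet PUT does not drop subnets it does not list) would help the next maintainer.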
@@ -10,6 +10,7 @@ This template deploys a virtual network (vNet). | `Microsoft.Authorization/roleAssignments` | 2020-04-01-preview | | `Microsoft.Insights/diagnosticSettings` | 2021-05-01-preview | | `Microsoft.Network/virtualNetworks` | 2021-05-01 | +| `Microsoft.Network/virtualNetworks/subnets` | 2021-03-01 | | `Microsoft.Network/virtualNetworks/virtualNetworkPeerings` | 2021-02-01 | ## Parameters 
@@ -30,12 +31,25 @@ This template deploys a virtual network (vNet). | `metricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | Optional. The name of metrics that will be streamed. | | `name` | string | | | Required. The Virtual Network (vNet) Name. | | `roleAssignments` | array | `[]` | | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | -| `subnets` | array | | | Required. An Array of subnets to deploy to the Virual Network. | -| `nsgResourceGroup` | string | `[resourceGroup().name]` | | Optional. Resource Group where NSGs are deployed, if different than VNET Resource Group. | +| `subnets` | _[subnets](subnets/readme.md)_ array | | | Required. An Array of subnets to deploy to the Virual Network. | | `tags` | object | `{object}` | | Optional. Tags of the resource. | | `virtualNetworkPeerings` | _[virtualNetworkPeerings](virtualNetworkPeerings/readme.md)_ array | `[]` | | Optional. Virtual Network Peerings configurations | | `workspaceId` | string | | | Optional. Resource ID of log analytics. | +### Parameter Usage: `virtualNetworkPeerings` + +As the virtual network peering array allows you to deploy not only a one-way but also two-way peering (i.e reverse), you can use the following ***additional*** properties on top of what is documented in _[virtualNetworkPeerings](virtualNetworkPeerings/readme.md)_. + +| Parameter Name | Type | Default Value | Possible Values | Description | +| :-- | :-- | :-- | :-- | :-- | +| `remotePeeringEnabled` | bool | `false` | | Optional. 
Set to true to also deploy the reverse peering for the configured remote virtual networks to the local network | +| `remotePeeringName` | string | `'${last(split(peering.remoteVirtualNetworkId, '/'))}-${name}'` | | Optional. The Name of Vnet Peering resource. If not provided, default value will be - | +| `remotePeeringAllowForwardedTraffic` | bool | `true` | | Optional. Whether the forwarded traffic from the VMs in the local virtual network will be allowed/disallowed in remote virtual network. | +| `remotePeeringAllowGatewayTransit` | bool | `false` | | Optional. If gateway links can be used in remote virtual networking to link to this virtual network. | +| `remotePeeringAllowVirtualNetworkAccess` | bool | `true` | | Optional. Whether the VMs in the local virtual network space would be able to access the VMs in remote virtual network space. | +| `remotePeeringDoNotVerifyRemoteGateways` | bool | `true` | | Optional. If we need to verify the provisioning state of the remote gateway. | +| `remotePeeringUseRemoteGateways` | bool | `false` | | Optional. If remote gateways can be used on this virtual network. If the flag is set to `true`, and allowGatewayTransit on local peering is also `true`, virtual network will use gateways of local virtual network for transit. Only one peering can have this flag set to `true`. This flag cannot be set if virtual network already has a gateway. | + ### Parameter Usage: `addressPrefixes` The `addressPrefixes` parameter accepts a JSON Array of string values containing the IP Address Prefixes for the Virtual Network (vNet). 
@@ -50,55 +64,6 @@ Here's an example of specifying a single Address Prefix: } ``` -### Parameter Usage: `subnets` - -The `subnets` parameter accepts a JSON Array of `subnet` objects to deploy to the Virtual Network. - -Here's an example of specifying a couple Subnets to deploy: - -```json -"subnets": { - "value": [ - { - "name": "GatewaySubnet", - "addressPrefix": "10.0.255.0/24", - "networkSecurityGroupName": "nsgName1", - "routeTableName": "UdrName1", - "delegations": [], - "natGateway": "", // Name of the NAT Gateway to use for the subnet. - "serviceEndpoints": [ - { - "service": "Microsoft.EventHub" - }, - { - "service": "Microsoft.Sql" - }, - { - "service": "Microsoft.Storage" - }, - { - "service": "Microsoft.KeyVault" - } - ] - }, - { - "name": "examplePrivateEndpointSubnet", - "addressPrefix": "10.0.200.0/24", - "networkSecurityGroupName": "nsgName2", - "routeTableName": "UdrName2", - "delegations": [], - "natGateway": "", // Name of the NAT Gateway to use for the subnet. - "serviceEndpoints": [], - "privateEndpointNetworkPolicies": "Disabled" // This property must be set to disabled for subnets that contain private endpoints. Default Value when not specified is "Enabled". - }, - { - "name": "data", - "addressPrefix": "10.1.1.0/24" - } - ] -} -``` - ### Parameter Usage: `roleAssignments` ```json 
@@ -140,16 +105,14 @@ Tag names and tag values can be provided as needed. A tag can be left without a ## Considerations -When defining the Subnets to deploy using the `subnets` parameter, the JSON format to pass it must match the Subnet object that is normally passed in to the `subnets` property of a `virtualNetwork` within an ARM Template. - The network security group and route table resources must reside in the same resource group as the virtual network. ## Outputs | Output Name | Type | Description | | :-- | :-- | :-- | -| `subnetNames` | array | The names of the deployed subnets | -| `subnetResourceIds` | array | The resource IDs of the deployed subnets | +| `subnetNames` | array | | +| `subnetResourceIds` | array | | | `virtualNetworkName` | string | The name of the virtual network | | `virtualNetworkResourceGroup` | string | The resource group the virtual network was deployed into | | `virtualNetworkResourceId` | string | The resource ID of the virtual network | @@ -160,4 +123,5 @@ The network security group and route table resources must reside in the same res - [Roleassignments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-04-01-preview/roleAssignments) - [Diagnosticsettings](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) - [Virtualnetworks](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-05-01/virtualNetworks) +- [Virtualnetworks/Subnets](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-03-01/virtualNetworks/subnets) - [Virtualnetworks/Virtualnetworkpeerings](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-02-01/virtualNetworks/virtualNetworkPeerings) diff --git a/arm/Microsoft.Network/virtualNetworks/subnets/.bicep/nested_cuaId.bicep b/arm/Microsoft.Network/virtualNetworks/subnets/.bicep/nested_cuaId.bicep new file mode 100644 index 0000000000..8b13789179 --- /dev/null 
+++ b/arm/Microsoft.Network/virtualNetworks/subnets/.bicep/nested_cuaId.bicep @@ -0,0 +1 @@ + diff --git a/arm/Microsoft.Network/virtualNetworks/subnets/deploy.bicep b/arm/Microsoft.Network/virtualNetworks/subnets/deploy.bicep new file mode 100644 index 0000000000..55668a3878 --- /dev/null +++ b/arm/Microsoft.Network/virtualNetworks/subnets/deploy.bicep 
@@ -0,0 +1,124 @@ +@description('Optional. The Name of the subnet resource.') +param name string + +@description('Required. The name of the parent virtual network') +param virtualNetworkName string + +@description('Required. The address prefix for the subnet.') +param addressPrefix string + +@description('Optional. The network security group to assign to the subnet') +param networkSecurityGroupName string = '' + +@description('Optional. Resource Group where NSGs are deployed, if different than VNET Resource Group.') +@minLength(1) +param networkSecurityGroupNameResourceGroupName string = resourceGroup().name + +@description('Optional. The route table to assign to the subnet') +param routeTableName string = '' + +@description('Optional. The service endpoints to enable on the subnet') +param serviceEndpoints array = [] + +@description('Optional. The delegations to enable on the subnet') +param delegations array = [] + +@description('Optional. The name of the NAT Gateway to use for the subnet') +param natGatewayName string = '' + +@description('Optional. enable or disable apply network policies on private end point in the subnet.') +@allowed([ + 'Disabled' + 'Enabled' + '' +]) +param privateEndpointNetworkPolicies string = '' + +@description('Optional. enable or disable apply network policies on private link service in the subnet.') +@allowed([ + 'Disabled' + 'Enabled' + '' +]) +param privateLinkServiceNetworkPolicies string = '' + +@description('Optional. List of address prefixes for the subnet.') +param addressPrefixes array = [] + +@description('Optional. Application gateway IP configurations of virtual network resource.') +param applicationGatewayIpConfigurations array = [] + +@description('Optional. Array of IpAllocation which reference this subnet') +param ipAllocations array = [] + +@description('Optional. 
An array of service endpoint policies.') +param serviceEndpointPolicies array = [] + +var formattedServiceEndpoints = [for serviceEndpoint in serviceEndpoints: { + service: serviceEndpoint +}] + +@description('Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered') +param cuaId string = '' + +module pid_cuaId '.bicep/nested_cuaId.bicep' = if (!empty(cuaId)) { + name: 'pid-${cuaId}' + params: {} +} + +resource virtualNetwork 'Microsoft.Network/virtualNetworks@2021-03-01' existing = { + name: virtualNetworkName +} + +resource networkSecurityGroup 'Microsoft.Network/networkSecurityGroups@2021-03-01' existing = if (!empty(networkSecurityGroupName)) { + name: networkSecurityGroupName + scope: resourceGroup(networkSecurityGroupNameResourceGroupName) +} + +resource routeTable 'Microsoft.Network/routeTables@2021-03-01' existing = if (!empty(routeTableName)) { + name: routeTableName +} + +resource natGateway 'Microsoft.Network/natGateways@2021-03-01' existing = if (!empty(natGatewayName)) { + name: natGatewayName +} + +resource subnet 'Microsoft.Network/virtualNetworks/subnets@2021-03-01' = { + name: name + parent: virtualNetwork + properties: { + addressPrefix: addressPrefix + networkSecurityGroup: !empty(networkSecurityGroupName) ? { + id: networkSecurityGroup.id + } : null + routeTable: !empty(routeTableName) ? { + id: routeTable.id + } : null + natGateway: !empty(natGatewayName) ? { + id: natGateway.id + } : null + serviceEndpoints: !empty(formattedServiceEndpoints) ? formattedServiceEndpoints : [] + delegations: delegations + privateEndpointNetworkPolicies: !empty(privateEndpointNetworkPolicies) ? any(privateEndpointNetworkPolicies) : null + privateLinkServiceNetworkPolicies: !empty(privateLinkServiceNetworkPolicies) ? 
any(privateLinkServiceNetworkPolicies) : null + addressPrefixes: addressPrefixes + applicationGatewayIpConfigurations: applicationGatewayIpConfigurations + ipAllocations: ipAllocations + serviceEndpointPolicies: serviceEndpointPolicies + } +} + +@description('The resource group the virtual network peering was deployed into') +output subnetResourceGroup string = resourceGroup().name + +@description('The name of the virtual network peering') +output subnetName string = subnet.name + +@description('The resource ID of the virtual network peering') +output subnetResourceId string = subnet.id + +@description('The address prefix for the subnet') +output subnetAddressPrefix string = subnet.properties.addressPrefix + +@description('List of address prefixes for the subnet') +output subnetAddressPrefixes array = !empty(addressPrefixes) ? subnet.properties.addressPrefixes : [] diff --git a/arm/Microsoft.Network/virtualNetworks/subnets/readme.md b/arm/Microsoft.Network/virtualNetworks/subnets/readme.md new file mode 100644 index 0000000000..5664403ec2 --- /dev/null +++ b/arm/Microsoft.Network/virtualNetworks/subnets/readme.md 
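Review bot: `param name string` has no default, so it is required, yet its description says `Optional.` and the generated readme row repeats that; `@description('Required. The name of the subnet.')` matches the convention used by the other required parameters. The last three outputs carry descriptions copied from the peering module (`The name of the virtual network peering` and so on) and should read `@description('The resource group the subnet was deployed into')`, `@description('The name of the subnet')`, `@description('The resource ID of the subnet')`, with the readme's Outputs table updated to match. It is also worth stating in the `serviceEndpoints` description that the array takes plain strings such as `'Microsoft.Sql'`, which `formattedServiceEndpoints` wraps into `{ service: ... }`; callers still passing the previous `{ "service": ... }` objects will produce nested objects and a deployment error, and only the readme example currently hints at that.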
@@ -0,0 +1,73 @@ +# Virtual Network Subnets `[Microsoft.Network/virtualNetworks/subnets]` + +This module deploys a virtual network subnet. + +## Resource Types + +| Resource Type | API Version | +| :-- | :-- | +| `Microsoft.Network/virtualNetworks/subnets` | 2021-03-01 | + +## Parameters + +| Parameter Name | Type | Default Value | Possible Values | Description | +| :-- | :-- | :-- | :-- | :-- | +| `addressPrefix` | string | | | Required. The address prefix for the subnet. | +| `addressPrefixes` | array | `[]` | | Optional. List of address prefixes for the subnet. | +| `applicationGatewayIpConfigurations` | array | `[]` | | Optional. Application gateway IP configurations of virtual network resource. | +| `cuaId` | string | | | Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered | +| `delegations` | array | `[]` | | Optional. The delegations to enable on the subnet | +| `ipAllocations` | array | `[]` | | Optional. Array of IpAllocation which reference this subnet | +| `name` | string | | | Optional. The Name of the subnet resource. | +| `natGatewayName` | string | | | Optional. The name of the NAT Gateway to use for the subnet | +| `networkSecurityGroupName` | string | | | Optional. The network security group to assign to the subnet | +| `networkSecurityGroupNameResourceGroupName` | string | `[resourceGroup().name]` | | Optional. Resource Group where NSGs are deployed, if different than VNET Resource Group. | +| `privateEndpointNetworkPolicies` | string | | `[Disabled, Enabled, ]` | Optional. enable or disable apply network policies on private end point in the subnet. | +| `privateLinkServiceNetworkPolicies` | string | | `[Disabled, Enabled, ]` | Optional. enable or disable apply network policies on private link service in the subnet. | +| `routeTableName` | string | | | Optional. The route table to assign to the subnet | +| `serviceEndpointPolicies` | array | `[]` | | Optional. An array of service endpoint policies. 
| +| `serviceEndpoints` | array | `[]` | | Optional. The service endpoints to enable on the subnet | +| `virtualNetworkName` | string | | | Required. The name of the parent virtual network | + +### Parameter Usage: `delegations` + +```json +"delegations": [ + { + "name": "sqlMiDel", + "properties": { + "serviceName": "Microsoft.Sql/managedInstances" + } + } +] +``` + +### Parameter Usage: `serviceEndpoints` + +```json +"serviceEndpoints": [ + "Microsoft.EventHub", + "Microsoft.Sql", + "Microsoft.Storage", + "Microsoft.KeyVault" +] +``` + +## Considerations + +The `privateEndpointNetworkPolicies` property must be set to disabled for subnets that contain private endpoints. It confirms that NSGs rules will not apply to private endpoints (currently not supported, [reference](https://docs.microsoft.com/en-us/azure/private-link/private-endpoint-overview#limitations)). Default Value when not specified is "Enabled". + + +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `subnetAddressPrefix` | string | The address prefix for the subnet | +| `subnetAddressPrefixes` | array | List of address prefixes for the subnet | +| `subnetName` | string | The name of the virtual network peering | +| `subnetResourceGroup` | string | The resource group the virtual network peering was deployed into | +| `subnetResourceId` | string | The resource ID of the virtual network peering | + +## Template references + +- [Virtualnetworks/Subnets](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-03-01/virtualNetworks/subnets) diff --git a/docs/wiki/TestingDesign.md b/docs/wiki/TestingDesign.md index dea558d6e0..097c9a35a9 100644 --- a/docs/wiki/TestingDesign.md +++ b/docs/wiki/TestingDesign.md 
@@ -120,6 +120,7 @@ Since also dependency resources are in turn subject to dependencies with each ot >**Note**: This resource has a global scope name. 1. Event hub namespace and Event hub: This resource is leveraged by all resources supporting diagnostic settings on an event hub. >**Note**: This resource has a global scope name. + 1. Route table: This resource is leveraged by a test subnet deployment of the [Virtual Network] module. 1. Route table: This resource is leveraged by the virtual network subnet dedicated to test [SQL managed instance]. >**Note**: This resource is deployed and configured only if sqlmi dependency resources are enabled. 1. Network watcher: This resource is leveraged by the [NSG flow logs] resource. diff --git a/utilities/pipelines/dependencies/Microsoft.Network/routeTables/parameters/parameters.json b/utilities/pipelines/dependencies/Microsoft.Network/routeTables/parameters/parameters.json index 0c59507939..6e5ccb81ad 100644 --- a/utilities/pipelines/dependencies/Microsoft.Network/routeTables/parameters/parameters.json +++ b/utilities/pipelines/dependencies/Microsoft.Network/routeTables/parameters/parameters.json @@ -3,7 +3,7 @@ "contentVersion": "1.0.0.0", "parameters": { "name": { - "value": "adp-sxx-az-udr-x-sqlmi" + "value": "adp-sxx-az-udr-x-001" } } } diff --git a/utilities/pipelines/dependencies/Microsoft.Network/routeTables/parameters/sqlMi.parameters.json b/utilities/pipelines/dependencies/Microsoft.Network/routeTables/parameters/sqlMi.parameters.json new file mode 100644 index 0000000000..0c59507939 --- /dev/null +++ b/utilities/pipelines/dependencies/Microsoft.Network/routeTables/parameters/sqlMi.parameters.json @@ -0,0 +1,9 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "name": { + "value": "adp-sxx-az-udr-x-sqlmi" + } + } +} 
diff --git a/utilities/pipelines/dependencies/Microsoft.Network/virtualNetworks/parameters/parameters.json b/utilities/pipelines/dependencies/Microsoft.Network/virtualNetworks/parameters/parameters.json index 77e505da44..9d21ac6034 100644 --- a/utilities/pipelines/dependencies/Microsoft.Network/virtualNetworks/parameters/parameters.json +++ b/utilities/pipelines/dependencies/Microsoft.Network/virtualNetworks/parameters/parameters.json @@ -21,18 +21,10 @@ "addressPrefix": "10.0.0.0/24", "networkSecurityGroupName": "adp-sxx-az-nsg-x-001", "serviceEndpoints": [ - { - "service": "Microsoft.EventHub" - }, - { - "service": "Microsoft.Sql" - }, - { - "service": "Microsoft.Storage" - }, - { - "service": "Microsoft.KeyVault" - } + "Microsoft.EventHub", + "Microsoft.Sql", + "Microsoft.Storage", + "Microsoft.KeyVault" ] }, { @@ -40,18 +32,10 @@ "addressPrefix": "10.0.1.0/24", "networkSecurityGroupName": "adp-sxx-az-nsg-x-001", "serviceEndpoints": [ - { - "service": "Microsoft.EventHub" - }, - { - "service": "Microsoft.Sql" - }, - { - "service": "Microsoft.Storage" - }, - { - "service": "Microsoft.KeyVault" - } + "Microsoft.EventHub", + "Microsoft.Sql", + "Microsoft.Storage", + "Microsoft.KeyVault" ] }, { @@ -59,9 +43,7 @@ "addressPrefix": "10.0.2.0/24", "networkSecurityGroupName": "adp-sxx-az-nsg-x-001", "serviceEndpoints": [ - { - "service": "Microsoft.ServiceBus" - } + "Microsoft.ServiceBus" ] }, {