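targetScope = 'subscription'

// ---------------------------------------------------------------------------
// Inputs. Every parameter is documented with @description so the contract is
// visible in the compiled ARM metadata (portal / what-if / template specs),
// not only in this file.
// ---------------------------------------------------------------------------

@description('Azure region for the hub resource group and for every module deployed into it.')
param location string

@description('Address space (CIDR) handed to the vwan module as AddressPrefix and to the firewall policy rules module as AddressSpace.')
param AddressSpace string

@description('When true, modules/firewall.bicep is deployed into the hub resource group.')
param deployFirewallInHub bool

@description('Azure Firewall tier; passed unchanged to modules/firewall.bicep as azfwTier.')
param AzureFirewallTier string

@description('Name of the hub resource group created at subscription scope.')
param hubRgName string

@description('When true (and deployFirewallInHub is also true), modules/firewallpolicyrules.bicep is deployed.')
param deployFirewallrules bool

@description('When true, modules/vwanvpngateway.bicep is deployed into the hub.')
param deployGatewayInHub bool

@description('Tags keyed by resource type. The key Microsoft.Resources/subscriptions/resourceGroups is applied to the hub resource group; the whole object is forwarded to the vwan, firewall and dcrvminsights modules.')
param tagsByResource object = {}

@description('Passed to modules/firewall.bicep as firewallDNSproxy.')
param firewallDNSproxy bool

@description('Workspace ID consumed by modules/dcrvminsights.bicep. Leave empty to skip that module and its dcrvminsightsID output.')
param diagnosticWorkspaceId string

@description('Passed to modules/vwanhubroutes.bicep as internetTrafficRoutingPolicy.')
param internetTrafficRoutingPolicy bool

@description('Passed to modules/vwanhubroutes.bicep as privateTrafficRoutingPolicy.')
param privateTrafficRoutingPolicy bool

// Resource names. These were fixed vars; they are now parameters with the same
// defaults, so existing deployments are unaffected while callers that need a
// second hub (or a naming convention) can override them. Each value is used both
// as the Azure resource name and as the nested deployment (module) name.

@description('Name of the Virtual WAN; also the deployment name of the vwan module.')
param vWanName string = 'vWAN'

@description('Name of the Azure Firewall in the hub; also the deployment name of the AzFirewall module.')
param firewallName string = 'Firewall-Hub'

@description('Name of the VPN gateway in the hub; also the deployment name of the vpngateway module.')
param gatewayName string = 'Gateway-Hub'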
// Hub resource group, created at subscription scope. Every module below is
// scoped to it, so it is the single place to audit for what this template owns.
resource hubrg 'Microsoft.Resources/resourceGroups@2023-07-01' = {
  name: hubRgName
  location: location
  // Safe-dereference index ([?'key']) plus coalesce (??): a tagsByResource map
  // without an entry for this resource type yields {} instead of failing the
  // deployment with a missing-key error.
  tags: tagsByResource[?'Microsoft.Resources/subscriptions/resourceGroups'] ?? {}
}
// Deploy vWan and vWan Hub
// Always deployed (no condition). Its outputs — vWanHubID, vWanHubName, vWanID,
// vWanHubAddressSpace — are the dependency root for every other module and for
// the template outputs below.
module vwan 'modules/vwan.bicep' = {
  scope: hubrg
  // The nested deployment name is reused as the vWAN resource name (vWanName below).
  name: vWanName
  params: {
    // AddressSpace arrives in the module under the name AddressPrefix.
    AddressPrefix: AddressSpace
    location: location
    vWanName: vWanName
    tagsByResource: tagsByResource
  }
}
// If Azure Firewall deployed in vWan Hub
// Conditional module: its outputs (azFwPolicyName, azFwID, azFwIPvWan, azFwIP)
// must only be referenced behind a deployFirewallInHub guard, which the rest of
// this file does.
module AzFirewall 'modules/firewall.bicep' = if (deployFirewallInHub) {
  scope: hubrg
  name: firewallName
  params: {
    deployInVWan: true
    azfwTier: AzureFirewallTier
    firewallName: firewallName
    // NOTE(review): the module parameter is named vWanID but receives the hub's
    // ID (vWanHubID), not vwan.outputs.vWanID. Presumably intentional for a
    // hub-hosted firewall — confirm against modules/firewall.bicep before
    // renaming either side.
    vWanID: vwan.outputs.vWanHubID
    location: location
    tagsByResource: tagsByResource
    firewallDNSproxy: firewallDNSproxy
  }
}
// If Azure Firewall deployed in vWan Hub AND Firewall policy rules is selected
module firewallrules 'modules/firewallpolicyrules.bicep' = if (deployFirewallrules && deployFirewallInHub) {
  scope: hubrg
  name: 'firewallRules'
  params: {
    // The ternary repeats the module's own condition on purpose: it keeps the
    // reference to the conditional AzFirewall module's output from being
    // evaluated when that module is skipped. 'none' is never used for a real
    // deployment because the module itself is skipped in that case.
    azFwPolicyName: deployFirewallInHub && deployFirewallrules ? AzFirewall.outputs.azFwPolicyName : 'none'
    // The rules module receives the hub address space; what it builds from it
    // lives in modules/firewallpolicyrules.bicep, not here.
    AddressSpace: AddressSpace
  }
}
// Hub default route table (modules/vwanhubroutes.bicep). This module is ALWAYS
// deployed — there is no condition on it — and is told via deployFirewallInHub
// whether a firewall exists. Per the original author's note, with a firewall it
// adds routes for all RFC1918 address spaces plus a default route to Azure
// Firewall; without one AzFirewallID is the sentinel 'none' and the module is
// expected to handle that itself (its body is not visible here).
module vwanRouteTable 'modules/vwanhubroutes.bicep' = {
  scope: hubrg
  name: 'routeTable'
  params: {
    vwanHubName: vwan.outputs.vWanHubName
    // Guarded so the conditional AzFirewall module's output is not dereferenced
    // when that module is skipped.
    AzFirewallID: deployFirewallInHub ? AzFirewall.outputs.azFwID : 'none'
    deployFirewallInHub: deployFirewallInHub
    // Forwarded unchanged; presumably ignored by the module when no firewall is
    // deployed — confirm in modules/vwanhubroutes.bicep.
    internetTrafficRoutingPolicy: internetTrafficRoutingPolicy
    privateTrafficRoutingPolicy: privateTrafficRoutingPolicy
  }
}
// VPN gateway in the hub, deployed only when deployGatewayInHub is true. Its
// outputs (vpnGwID, vpnGwPip, vpnGwBgpIp, vpnGwBgpAsn, vpnGwName) are only read
// behind the same guard in the outputs section.
module vpngateway 'modules/vwanvpngateway.bicep' = if (deployGatewayInHub) {
  scope: hubrg
  name: gatewayName
  params: {
    location: location
    vpnGwName: gatewayName
    vWanHubID: vwan.outputs.vWanHubID
  }
}
// Data collection rule for VM Insights, deployed only when a workspace ID was
// supplied. An empty diagnosticWorkspaceId therefore silently disables
// monitoring for this hub — a deliberate opt-in, not an error.
module dcrvminsights 'modules/dcrvminsights.bicep' = if (!empty(diagnosticWorkspaceId)) {
  scope: hubrg
  name: 'dcr-vminsights'
  params: {
    diagnosticWorkspaceId: diagnosticWorkspaceId
    location: location
    tagsByResource: tagsByResource
  }
}
// Outputs. Values that come from conditional modules are wrapped in a ternary
// on that module's own condition so a skipped module is never dereferenced;
// consumers must treat the sentinels 'none', [] and 0 as "not deployed".
// Deployment outputs are readable by anyone with read access to the
// deployment, so keep this list to non-secret values (IDs, names, public IPs,
// ASN) as it is today.
output vwanHubName string = vwan.outputs.vWanHubName
output vWanHubID string = vwan.outputs.vWanHubID
output vWanID string = vwan.outputs.vWanID
output vWanHubAddressSpace string = vwan.outputs.vWanHubAddressSpace
output HubResourceGroupName string = hubrg.name
// Gateway outputs: 'none' / [] / 0 when deployGatewayInHub is false.
output vWanVpnGwID string = deployGatewayInHub ? vpngateway.outputs.vpnGwID : 'none'
output vWanVpnGwPip array = deployGatewayInHub ? vpngateway.outputs.vpnGwPip : []
// Firewall outputs: [] / 'none' when deployFirewallInHub is false.
output vWanFwPublicIP array = deployFirewallInHub ? AzFirewall.outputs.azFwIPvWan : []
output vWanFwIP string = deployFirewallInHub ? AzFirewall.outputs.azFwIP : 'none'
output vpnGwBgpIp array = deployGatewayInHub ? vpngateway.outputs.vpnGwBgpIp : []
output vpnGwBgpAsn int = deployGatewayInHub ? vpngateway.outputs.vpnGwBgpAsn : 0
output vpnGwName string = deployGatewayInHub ? vpngateway.outputs.vpnGwName : 'none'
// 'none' when no workspace ID was supplied (module skipped above).
output dcrvminsightsID string = !empty(diagnosticWorkspaceId) ? dcrvminsights.outputs.dcrID : 'none'