Hub Networking configuration moved to ARM parameters file (JSON) #261
SenthuranSivananthan
announced in
Announcements
Replies: 2 comments
-
We are upgrading the parameters layout for Hub Networking with Azure Firewall so that related parameters are consolidated into
New Layout: Expand/collapse{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"serviceHealthAlerts": {
"value": {
"resourceGroupName": "pubsec-service-health",
"incidentTypes": [
"Incident",
"Security"
],
"regions": [
"Global",
"Canada East",
"Canada Central"
],
"receivers": {
"app": [
"[email protected]"
],
"email": [
"[email protected]"
],
"sms": [
{
"countryCode": "1",
"phoneNumber": "5555555555"
}
],
"voice": [
{
"countryCode": "1",
"phoneNumber": "5555555555"
}
]
},
"actionGroupName": "ALZ action group",
"actionGroupShortName": "alz-alert",
"alertRuleName": "ALZ alert rule",
"alertRuleDescription": "Alert rule for Azure Landing Zone"
}
},
"securityCenter": {
"value": {
"email": "[email protected]",
"phone": "5555555555"
}
},
"subscriptionRoleAssignments": {
"value": [
{
"comments": "Built-in Contributor Role",
"roleDefinitionId": "b24988ac-6180-42a0-ab88-20f7382dd24c",
"securityGroupObjectIds": [
"38f33f7e-a471-4630-8ce9-c6653495a2ee"
]
}
]
},
"subscriptionBudget": {
"value": {
"createBudget": false
}
},
"subscriptionTags": {
"value": {
"ISSO": "isso-tbd"
}
},
"resourceTags": {
"value": {
"ClientOrganization": "client-organization-tag",
"CostCenter": "cost-center-tag",
"DataSensitivity": "data-sensitivity-tag",
"ProjectContact": "project-contact-tag",
"ProjectName": "project-name-tag",
"TechnicalContact": "technical-contact-tag"
}
},
"privateDnsZones": {
"value": {
"enabled": true,
"resourceGroupName": "pubsec-dns-rg"
}
},
"ddosStandard": {
"value": {
"enabled": false,
"resourceGroupName": "pubsec-ddos-rg",
"planName": "ddos-plan"
}
},
"publicAccessZone": {
"value": {
"enabled": true,
"resourceGroupName": "pubsec-public-access-zone-rg"
}
},
"managementRestrictedZone": {
"value": {
"enabled": true,
"resourceGroupName": "pubsec-management-restricted-zone-rg",
"network": {
"name": "management-restricted-vnet",
"addressPrefixes": ["10.18.4.0/22"],
"subnets": [
{
"comments": "Management (Access Zone) Subnet",
"name": "MazSubnet",
"addressPrefix": "10.18.4.0/25",
"nsg": {
"enabled": true
},
"udr": {
"enabled": true
}
},
{
"comments": "Infrastructure Services (Restricted Zone) Subnet",
"name": "InfSubnet",
"addressPrefix": "10.18.4.128/25",
"nsg": {
"enabled": true
},
"udr": {
"enabled": true
}
},
{
"comments": "Security Services (Restricted Zone) Subnet",
"name": "SecSubnet",
"addressPrefix": "10.18.5.0/26",
"nsg": {
"enabled": true
},
"udr": {
"enabled": true
}
},
{
"comments": "Logging Services (Restricted Zone) Subnet",
"name": "LogSubnet",
"addressPrefix": "10.18.5.64/26",
"nsg": {
"enabled": true
},
"udr": {
"enabled": true
}
},
{
"comments": "Core Management Interfaces (Restricted Zone) Subnet",
"name": "MgmtSubnet",
"addressPrefix": "10.18.5.128/26",
"nsg": {
"enabled": true
},
"udr": {
"enabled": true
}
}
]
}
}
},
"hub": {
"value": {
"resourceGroupName": "pubsec-hub-networking-rg",
"bastion": {
"enabled": true,
"name": "bastion",
"sku": "Standard",
"scaleUnits": 2
},
"azureFirewall": {
"name": "pubsecAzureFirewall",
"availabilityZones": ["1", "2", "3"],
"forcedTunnelingEnabled": false,
"forcedTunnelingNextHop": "10.17.1.4"
},
"network": {
"name": "hub-vnet",
"addressPrefixes": [
"10.18.0.0/22",
"100.60.0.0/16"
],
"addressPrefixBastion": "192.168.0.0/16",
"subnets": {
"gateway": {
"comments": "Gateway Subnet used for VPN and/or Express Route connectivity",
"name": "GatewaySubnet",
"addressPrefix": "10.18.0.0/27"
},
"firewall": {
"comments": "Azure Firewall",
"name": "AzureFirewallSubnet",
"addressPrefix": "10.18.1.0/24"
},
"firewallManagement": {
"comments": "Azure Firewall Management",
"name": "AzureFirewallManagementSubnet",
"addressPrefix": "10.18.2.0/26"
},
"bastion": {
"comments": "Azure Bastion",
"name": "AzureBastionSubnet",
"addressPrefix": "192.168.0.0/24"
},
"publicAccess": {
"comments": "Public Access Zone (Application Gateway)",
"name": "PAZSubnet",
"addressPrefix": "100.60.1.0/24"
},
"optional": []
}
}
}
},
"networkWatcher": {
"value": {
"resourceGroupName": "NetworkWatcherRG"
}
}
}
} |
Beta Was this translation helpful? Give feedback.
0 replies
-
We are upgrading the parameters layout for Hub Networking with NVA so that related parameters are consolidated into
New Layout: Expand/collapse{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"serviceHealthAlerts": {
"value": {
"resourceGroupName": "pubsec-service-health",
"incidentTypes": [
"Incident",
"Security"
],
"regions": [
"Global",
"Canada East",
"Canada Central"
],
"receivers": {
"app": [
"[email protected]"
],
"email": [
"[email protected]"
],
"sms": [
{
"countryCode": "1",
"phoneNumber": "5555555555"
}
],
"voice": [
{
"countryCode": "1",
"phoneNumber": "5555555555"
}
]
},
"actionGroupName": "ALZ action group",
"actionGroupShortName": "alz-alert",
"alertRuleName": "ALZ alert rule",
"alertRuleDescription": "Alert rule for Azure Landing Zone"
}
},
"securityCenter": {
"value": {
"email": "[email protected]",
"phone": "5555555555"
}
},
"subscriptionRoleAssignments": {
"value": [
{
"comments": "Built-in Contributor Role",
"roleDefinitionId": "b24988ac-6180-42a0-ab88-20f7382dd24c",
"securityGroupObjectIds": [
"38f33f7e-a471-4630-8ce9-c6653495a2ee"
]
}
]
},
"subscriptionBudget": {
"value": {
"createBudget": true,
"name": "MonthlySubscriptionBudget",
"amount": 1000,
"timeGrain": "Monthly",
"contactEmails": [
"[email protected]"
]
}
},
"subscriptionTags": {
"value": {
"ISSO": "isso-tbd"
}
},
"resourceTags": {
"value": {
"ClientOrganization": "client-organization-tag",
"CostCenter": "cost-center-tag",
"DataSensitivity": "data-sensitivity-tag",
"ProjectContact": "project-contact-tag",
"ProjectName": "project-name-tag",
"TechnicalContact": "technical-contact-tag"
}
},
"privateDnsZones": {
"value": {
"enabled": true,
"resourceGroupName": "pubsec-dns-rg"
}
},
"ddosStandard": {
"value": {
"enabled": false,
"resourceGroupName": "pubsec-ddos-rg",
"planName": "ddos-plan"
}
},
"publicAccessZone": {
"value": {
"enabled": true,
"resourceGroupName": "pubsec-public-access-zone-rg"
}
},
"managementRestrictedZone": {
"value": {
"enabled": true,
"resourceGroupName": "pubsec-management-restricted-zone-rg",
"network": {
"name": "management-restricted-vnet",
"addressPrefixes": ["10.18.4.0/22"],
"subnets": [
{
"comments": "Management (Access Zone) Subnet",
"name": "MazSubnet",
"addressPrefix": "10.18.4.0/25",
"nsg": {
"enabled": true
},
"udr": {
"enabled": true
}
},
{
"comments": "Infrastructure Services (Restricted Zone) Subnet",
"name": "InfSubnet",
"addressPrefix": "10.18.4.128/25",
"nsg": {
"enabled": true
},
"udr": {
"enabled": true
}
},
{
"comments": "Security Services (Restricted Zone) Subnet",
"name": "SecSubnet",
"addressPrefix": "10.18.5.0/26",
"nsg": {
"enabled": true
},
"udr": {
"enabled": true
}
},
{
"comments": "Logging Services (Restricted Zone) Subnet",
"name": "LogSubnet",
"addressPrefix": "10.18.5.64/26",
"nsg": {
"enabled": true
},
"udr": {
"enabled": true
}
},
{
"comments": "Core Management Interfaces (Restricted Zone) Subnet",
"name": "MgmtSubnet",
"addressPrefix": "10.18.5.128/26",
"nsg": {
"enabled": true
},
"udr": {
"enabled": true
}
}
]
}
}
},
"hub": {
"value": {
"resourceGroupName": "pubsec-hub-networking-rg",
"bastion": {
"enabled": true,
"name": "bastion",
"sku": "Standard",
"scaleUnits": 2
},
"network": {
"name": "hub-vnet",
"addressPrefixes": [
"10.18.0.0/22",
"100.60.0.0/16"
],
"addressPrefixBastion": "192.168.0.0/16",
"subnets": {
"gateway": {
"comments": "Gateway Subnet used for VPN and/or Express Route connectivity",
"name": "GatewaySubnet",
"addressPrefix": "10.18.1.0/27"
},
"bastion": {
"comments": "Azure Bastion",
"name": "AzureBastionSubnet",
"addressPrefix": "192.168.0.0/24"
},
"public": {
"comments": "Public Subnet Name (External Facing (Internet/Ground))",
"name": "PublicSubnet",
"addressPrefix": "100.60.0.0/24"
},
"publicAccessZone": {
"comments": "Public Access Zone (i.e. Application Gateway)",
"name": "PAZSubnet",
"addressPrefix": "100.60.1.0/24"
},
"externalAccessNetwork": {
"comments": "External Access Network",
"name": "EanSubnet",
"addressPrefix": "10.18.0.0/27"
},
"nonProductionInternal": {
"comments": "Non-production Internal for firewall appliances (Internal Facing Non-Production Traffic)",
"name": "DevIntSubnet",
"addressPrefix": "10.18.0.64/27"
},
"productionInternal": {
"comments": "Production Internal for firewall appliances (Internal Facing Production Traffic)",
"name": "PrdIntSubnet",
"addressPrefix": "10.18.0.32/27"
},
"managementRestrictedZoneInternal": {
"comments": "Management Restricted Zone",
"name": "MrzSubnet",
"addressPrefix": "10.18.0.96/27"
},
"highAvailability": {
"comments": "High Availability (Firewall to Firewall heartbeat)",
"name": "HASubnet",
"addressPrefix": "10.18.0.128/28"
},
"optional": []
}
},
"nvaFirewall": {
"image": {
"publisher": "fortinet",
"offer": "fortinet_fortigate-vm_v5",
"sku": "fortinet_fg-vm",
"version": "6.4.5",
"plan": "fortinet_fg-vm"
},
"nonProduction": {
"internalLoadBalancer": {
"name": "pubsecDevFWILB",
"tcpProbe": {
"name": "lbprobe",
"port": 8008,
"intervalInSeconds": 5,
"numberOfProbes": 2
},
"internalIp": "10.18.0.68",
"externalIp": "100.60.0.7"
},
"deployVirtualMachines": true,
"virtualMachines": [
{
"name": "pubsecDevFW1",
"vmSku": "Standard_D8s_v4",
"internalIp": "10.18.0.69",
"externalIp": "100.60.0.8",
"mrzInternalIp": "10.18.0.104",
"highAvailabilityIp": "10.18.0.134",
"availabilityZone": "2"
},
{
"name": "pubsecDevFW2",
"vmSku": "Standard_D8s_v4",
"internalIp": "10.18.0.70",
"externalIp": "100.60.0.9",
"mrzInternalIp": "10.18.0.105",
"highAvailabilityIp": "10.18.0.135",
"availabilityZone": "3"
}
]
},
"production": {
"internalLoadBalancer": {
"name": "pubsecProdFWILB",
"tcpProbe": {
"name": "lbprobe",
"port": 8008,
"intervalInSeconds": 5,
"numberOfProbes": 2
},
"internalIp": "10.18.0.36",
"externalIp": "100.60.0.4"
},
"deployVirtualMachines": true,
"virtualMachines": [
{
"name": "pubsecProdFW1",
"vmSku": "Standard_F8s_v2",
"internalIp": "10.18.0.37",
"externalIp": "100.60.0.5",
"mrzInternalIp": "10.18.0.101",
"highAvailabilityIp": "10.18.0.132",
"availabilityZone": "1"
},
{
"name": "pubsecProdFW2",
"vmSku": "Standard_F8s_v2",
"internalIp": "10.18.0.38",
"externalIp": "100.60.0.6",
"mrzInternalIp": "10.18.0.102",
"highAvailabilityIp": "10.18.0.133",
"availabilityZone": "2"
}
]
}
}
}
},
"networkWatcher": {
"value": {
"resourceGroupName": "NetworkWatcherRG"
}
}
}
} |
Beta Was this translation helpful? Give feedback.
0 replies
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
-
We have changed the method for configuring hub networking. Previously, networking configs were managed as Azure DevOps Pipeline variables stored in a yaml (previous example) and passed to ARM via Azure CLI as inline values. Our new path is to migrate all relevant configs to ARM JSON Parameter files.
Our goal with this change is to simplify the deployment and configuration of hub networking. This includes easier support for multiple Hub Networks and simplifies deployment through PowerShell, Azure CLI, GitHub Actions, etc.
This change is in effect as of April 20, 2022 and will be part of v0.10.0 release (April 2022).
Migration instructions
See Migrate Hub Networking configuration from Azure DevOps variables to JSON parameters file in Azure DevOps Pipelines Onboarding Guide for step by step instructions.
Change details
Beta Was this translation helpful? Give feedback.
All reactions