Add VWAN Hub Connection Support for enableInternetSecurity & Add Ne…

…w Example for Multiple VNets (#30) * add vwan enableInternetSecurity support * update version for BRM and add new example, plus fix to 3 * Auto-update Bicep Module Docs for PR 30 [jtracey93/1afaa6e4] * update PR template Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com>
Azure · Dec 19, 2022 · 9841c2a · 9841c2a
1 parent 1afaa6e
commit 9841c2a
Show file tree

Hide file tree

Showing 10 changed files with 114 additions and 9 deletions.
diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md
@@ -23,7 +23,7 @@ Replace this with any testing evidence to show that your Pull Request works/fixe
 - [ ] Read the [Contribution Guide](https://github.com/Azure/bicep-lz-vending/wiki/contributing) and ensured this PR is compliant with the guide
 - [ ] Checked for duplicate [Pull Requests](https://github.com/Azure/bicep-lz-vending/pulls)
 - [ ] Associated it with relevant [GitHub Issues](https://github.com/Azure/bicep-lz-vending/issues)
-- [ ] *(ALZ Bicep Core Team Only)* Associated it with relevant [ADO Items](https://aka.ms/alz/bicep/backlog)
+- [ ] *(LZ-Vending Core Team Only)* Associated it with relevant [ADO Items](https://aka.ms/lz-vending/backlog)
 - [ ] Ensured my code/branch is up-to-date with the latest changes in the `main` [branch](https://github.com/Azure/bicep-lz-vending/tree/main)
 - [ ] Performed testing and provided evidence.
 - [ ] Updated one or more of the following tests *(if required)*

diff --git a/docs/wiki/Example-1-Hub-and-Spoke.md b/docs/wiki/Example-1-Hub-and-Spoke.md
@@ -11,7 +11,7 @@ targetScope = 'managementGroup'
 @description('Specifies the location for resources.')
 param location string = 'uksouth'
 
-module sub003 'br/public:lz/sub-vending:1.1.2' = {
+module sub003 'br/public:lz/sub-vending:1.2.1' = {
   name: 'sub-bicep-lz-vending-example-001'
   params: {
     subscriptionAliasEnabled: true

diff --git a/docs/wiki/Example-2-Virtual-WAN.md b/docs/wiki/Example-2-Virtual-WAN.md
@@ -11,7 +11,7 @@ targetScope = 'managementGroup'
 @description('Specifies the location for resources.')
 param location string = 'uksouth'
 
-module sub002 'br/public:lz/sub-vending:1.1.2' = {
+module sub002 'br/public:lz/sub-vending:1.2.1' = {
   name: 'sub-bicep-lz-vending-example-002'
   params: {
     subscriptionAliasEnabled: true

diff --git a/docs/wiki/Example-3-Use-With-Existing-Subscriptions.md b/docs/wiki/Example-3-Use-With-Existing-Subscriptions.md
@@ -11,10 +11,11 @@ targetScope = 'managementGroup'
 @description('Specifies the location for resources.')
 param location string = 'uksouth'
 
-module sub003 'br/public:lz/sub-vending:1.1.2' = {
+module sub003 'br/public:lz/sub-vending:1.2.1' = {
   name: 'sub003'
   params: {
     subscriptionAliasEnabled: false
+    existingSubscriptionId: 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'
     subscriptionTags: {
       test: 'true'
     }

diff --git a/docs/wiki/Example-4-Multiple-VNets-In-Same-Subscription.md b/docs/wiki/Example-4-Multiple-VNets-In-Same-Subscription.md
@@ -0,0 +1,62 @@
+<!-- markdownlint-disable MD041 -->
+## Example 4 - Landing Zone (Subscription) with Multiple VNets
+
+### Bicep Module Registry
+
+Here is a simple example Bicep file for deploying a landing zone (Subscription) with multiple spoke Virtual Networks peered to a Virtual WAN Hub using the [Bicep Module Registry](https://github.com/Azure/bicep-registry-modules):
+
+```bicep
+targetScope = 'managementGroup'
+
+@description('Specifies the location for resources.')
+param location string = 'uksouth'
+
+module createSubAndFirstVnet 'br/public:lz/sub-vending:1.2.1' = {
+  name: 'sub-with-multiple-vnets'
+  params: {
+    subscriptionAliasEnabled: true
+    subscriptionBillingScope: '/providers/Microsoft.Billing/billingAccounts/1234567/enrollmentAccounts/123456'
+    subscriptionAliasName: 'sub-bicep-lz-vending-example-004'
+    subscriptionDisplayName: 'sub-bicep-lz-vending-example-004'
+    subscriptionTags: {
+      test: 'true'
+    }
+    subscriptionWorkload: 'Production'
+    subscriptionManagementGroupAssociationEnabled: true
+    subscriptionManagementGroupId: 'alz-landingzones-corp'
+    virtualNetworkEnabled: true
+    virtualNetworkLocation: location
+    virtualNetworkResourceGroupName: 'rsg-${location}-net-001'
+    virtualNetworkName: 'vnet-${location}-001'
+    virtualNetworkAddressSpace: [
+      '10.0.0.0/16'
+    ]
+    virtualNetworkResourceGroupLockEnabled: false
+    virtualNetworkPeeringEnabled: true
+    hubNetworkResourceId: '/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/rsg-uks-net-vwan-001/providers/Microsoft.Network/virtualHubs/vhub-uks-001'
+  }
+}
+
+module createSubAndFirstVnet 'br/public:lz/sub-vending:1.2.1' = {
+  name: 'additional-vnet'
+  params: {
+    subscriptionAliasEnabled: false
+    existingSubscriptionId: createSubAndFirstVnet.outputs.subscriptionId
+    subscriptionManagementGroupAssociationEnabled: true
+    subscriptionManagementGroupId: 'alz-landingzones-corp'
+    virtualNetworkEnabled: true
+    virtualNetworkLocation: location
+    virtualNetworkResourceGroupName: 'rsg-${location}-net-001'
+    virtualNetworkName: 'vnet-${location}-002'
+    virtualNetworkAddressSpace: [
+      '10.1.0.0/16'
+    ]
+    virtualNetworkResourceGroupLockEnabled: false
+    virtualNetworkPeeringEnabled: true
+    hubNetworkResourceId: '/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/rsg-uks-net-vwan-001/providers/Microsoft.Network/virtualHubs/vhub-uks-001'
+  }
+}
+```
+
+
+Back to [Examples](Examples)
diff --git a/docs/wiki/Examples.md b/docs/wiki/Examples.md
@@ -3,10 +3,11 @@ Here are some example configurations that demonstrate the module usage.
 
 > If there is an example missing from here that you would like to see then please [raise an issue](https://github.com/Azure/bicep-lz-vending/issues/new/choose) on the repo 👍
 
-| Example                                                                      | Description                                                                                                              |
-| ---------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------ |
-| [Hub & Spoke](Example-1-Hub-and-Spoke)                                       | Example of how to create a landing zone (Subscription) with with a spoke Virtual Network peered to a Hub Virtual Network |
-| [Virtual WAN](Example-2-Virtual-WAN)                                         | Example of how to create a landing zone (Subscription) with a spoke Virtual Network connected to a Virtual WAN Hub       |
-| [Use with existing subscriptions](Example-3-Use-With-Existing-Subscriptions) | Example of how to use this module with existing landing zone Subscriptions                                               |
+| Example                                                                                           | Description                                                                                                              |
+| ------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------ |
+| [Hub & Spoke](Example-1-Hub-and-Spoke)                                                            | Example of how to create a landing zone (Subscription) with with a spoke Virtual Network peered to a Hub Virtual Network |
+| [Virtual WAN](Example-2-Virtual-WAN)                                                              | Example of how to create a landing zone (Subscription) with a spoke Virtual Network connected to a Virtual WAN Hub       |
+| [Use with existing subscriptions](Example-3-Use-With-Existing-Subscriptions)                      | Example of how to use this module with existing landing zone Subscriptions                                               |
+| [Multiple Virtual Networks in Single Subscription](Example-4-Multiple-VNets-In-Same-Subscription) | Example of how to create a landing zone (Subscription) with multiple spoke Virtual Networks                              |
 
 Before deploying, review the [Consumer Guide](https://github.com/azure/bicep-lz-vending/wiki/consumerguide) for guidance on how to consume this module.
diff --git a/main.bicep b/main.bicep
@@ -298,6 +298,15 @@ param hubNetworkResourceId string = ''
 ''')
 param virtualNetworkUseRemoteGateways bool = true
 
+@metadata({
+  example: true
+})
+@sys.description('''Enables the ability for the Virtual WAN Hub Connection to learn the default route 0.0.0.0/0 from the Hub.
+
+- Type: Boolean
+''')
+param virtualNetworkVwanEnableInternetSecurity bool = true
+
 @metadata({
   example: '/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/xxxxxxxxxx/providers/Microsoft.Network/virtualHubs/xxxxxxxxx/hubRouteTables/xxxxxxxxx'
 })
@@ -462,6 +471,7 @@ module createSubscriptionResources 'src/self/subResourceWrapper/deploy.bicep' =
     virtualNetworkPeeringEnabled: virtualNetworkPeeringEnabled
     hubNetworkResourceId: hubNetworkResourceId
     virtualNetworkUseRemoteGateways: virtualNetworkUseRemoteGateways
+    virtualNetworkVwanEnableInternetSecurity: virtualNetworkVwanEnableInternetSecurity
     virtualNetworkVwanAssociatedRouteTableResourceId: virtualNetworkVwanAssociatedRouteTableResourceId
     virtualNetworkVwanPropagatedRouteTablesResourceIds: virtualNetworkVwanPropagatedRouteTablesResourceIds
     virtualNetworkVwanPropagatedLabels: virtualNetworkVwanPropagatedLabels

diff --git a/main.bicep.parameters.md b/main.bicep.parameters.md
@@ -32,6 +32,7 @@ virtualNetworkDdosPlanId | No       | The resource ID of an existing DDoS Networ
 virtualNetworkPeeringEnabled | No       | Whether to enable peering/connection with the supplied hub Virtual Network or Virtual WAN Virtual Hub.  - Type: Boolean 
 hubNetworkResourceId | No       | The resource ID of the Virtual Network or Virtual WAN Hub in the hub to which the created Virtual Network, by this module, will be peered/connected to via Virtual Network Peering or a Virtual WAN Virtual Hub Connection.  **Example Expected Values:** - `''` (empty string) - Hub Virtual Network Resource ID: `/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/xxxxxxxxxx/providers/Microsoft.Network/virtualNetworks/xxxxxxxxxx` - Virtual WAN Virtual Hub Resource ID: `/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/xxxxxxxxxx/providers/Microsoft.Network/virtualHubs/xxxxxxxxxx`  - Type: String - Default value: `''` *(empty string)* 
 virtualNetworkUseRemoteGateways | No       | Enables the use of remote gateways in the specified hub virtual network.  > **IMPORTANT:** If no gateways exist in the hub virtual network, set this to `false`, otherwise peering will fail to create.  - Type: Boolean 
+virtualNetworkVwanEnableInternetSecurity | No       | Enables the ability for the Virtual WAN Hub Connection to learn the default route 0.0.0.0/0 from the Hub.  - Type: Boolean 
 virtualNetworkVwanAssociatedRouteTableResourceId | No       | The resource ID of the virtual hub route table to associate to the virtual hub connection (this virtual network). If left blank/empty the `defaultRouteTable` will be associated.  - Type: String - Default value: `''` *(empty string)* = Which means if the parameter `virtualNetworkPeeringEnabled` is `true` and also the parameter `hubNetworkResourceId` is not empty then the `defaultRouteTable` will be associated of the provided Virtual Hub in the parameter `hubNetworkResourceId`.     - e.g. `/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/xxxxxxxxxx/providers/Microsoft.Network/virtualHubs/xxxxxxxxx/hubRouteTables/defaultRouteTable` 
 virtualNetworkVwanPropagatedRouteTablesResourceIds | No       | An array of of objects of virtual hub route table resource IDs to propagate routes to. If left blank/empty the `defaultRouteTable` will be propagated to only.  Each object must contain the following `key`: - `id` = The Resource ID of the Virtual WAN Virtual Hub Route Table IDs you wish to propagate too  > See below [example in parameter file](#parameter-file)  > **IMPORTANT:** If you provide any Route Tables in this array of objects you must ensure you include also the `defaultRouteTable` Resource ID as an object in the array as it is not added by default when a value is provided for this parameter.  - Type: `[]` Array - Default value: `[]` *(empty array)* 
 virtualNetworkVwanPropagatedLabels | No       | An array of virtual hub route table labels to propagate routes to. If left blank/empty the default label will be propagated to only.  - Type: `[]` Array - Default value: `[]` *(empty array)* 
@@ -316,6 +317,17 @@ Enables the use of remote gateways in the specified hub virtual network.
 - Type: Boolean
 
 
+- Default value: `True`
+
+### virtualNetworkVwanEnableInternetSecurity
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+Enables the ability for the Virtual WAN Hub Connection to learn the default route 0.0.0.0/0 from the Hub.
+
+- Type: Boolean
+
+
 - Default value: `True`
 
 ### virtualNetworkVwanAssociatedRouteTableResourceId
@@ -496,6 +508,9 @@ subscriptionResourceId | string | The Subscription Resource ID that has been cre
         "virtualNetworkUseRemoteGateways": {
             "value": true
         },
+        "virtualNetworkVwanEnableInternetSecurity": {
+            "value": true
+        },
         "virtualNetworkVwanAssociatedRouteTableResourceId": {
             "value": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/xxxxxxxxxx/providers/Microsoft.Network/virtualHubs/xxxxxxxxx/hubRouteTables/xxxxxxxxx"
         },

diff --git a/src/self/subResourceWrapper/deploy.bicep b/src/self/subResourceWrapper/deploy.bicep
@@ -65,6 +65,9 @@ param hubNetworkResourceId string = ''
 @sys.description('Enables the use of remote gateways in the spefcified hub virtual network. If no gateways exsit in the hub virtual network, set this to `false`, otherwise peering will fail to create. Set this to `false` for virtual wan hub connections.')
 param virtualNetworkUseRemoteGateways bool = true
 
+@sys.description('Enables the ability for the Virtual WAN Hub Connection to learn the default route 0.0.0.0/0 from the Hub.')
+param virtualNetworkVwanEnableInternetSecurity bool = true
+
 @sys.description('The resource ID of the virtual hub route table to associate to the virtual hub connection (this virtual network). If left blank/empty default route table will be associated.')
 param virtualNetworkVwanAssociatedRouteTableResourceId string = ''
 
@@ -206,6 +209,7 @@ module createLzVirtualWanConnection '../../carml/v0.6.0/Microsoft.Network/virtua
     name: virtualWanHubConnectionName
     virtualHubName: virtualWanHubName
     remoteVirtualNetworkId: '/subscriptions/${subscriptionId}/resourceGroups/${virtualNetworkResourceGroupName}/providers/Microsoft.Network/virtualNetworks/${virtualNetworkName}'
+    enableInternetSecurity: virtualNetworkVwanEnableInternetSecurity
     routingConfiguration: {
       associatedRouteTable: {
         id: virtualWanHubConnectionAssociatedRouteTable

diff --git a/src/self/subResourceWrapper/readme.md b/src/self/subResourceWrapper/readme.md
@@ -27,6 +27,7 @@ virtualNetworkDdosPlanId | No       | The resoruce ID of an existing DDoS Networ
 virtualNetworkPeeringEnabled | No       | Whether to enable peering/connection with the supplied hub virtual network or virtual hub.
 hubNetworkResourceId | No       | The resource ID of the virtual network or virtual wan hub in the hub to which the created virtual network will be peered/connected to via vitrual network peering or a vitrual hub connection.
 virtualNetworkUseRemoteGateways | No       | Enables the use of remote gateways in the spefcified hub virtual network. If no gateways exsit in the hub virtual network, set this to `false`, otherwise peering will fail to create. Set this to `false` for virtual wan hub connections.
+virtualNetworkVwanEnableInternetSecurity | No       | Enables the ability for the Virtual WAN Hub Connection to learn the default route 0.0.0.0/0 from the Hub.
 virtualNetworkVwanAssociatedRouteTableResourceId | No       | The resource ID of the virtual hub route table to associate to the virtual hub connection (this virtual network). If left blank/empty default route table will be associated.
 virtualNetworkVwanPropagatedRouteTablesResourceIds | No       | An array of virtual hub route table resource IDs to propogate routes to. If left blank/empty default route table will be propogated to only.
 virtualNetworkVwanPropagatedLabels | No       | An array of virtual hub route table labels to propogate routes to. If left blank/empty default label will be propogated to only.
@@ -148,6 +149,14 @@ Enables the use of remote gateways in the spefcified hub virtual network. If no
 
 - Default value: `True`
 
+### virtualNetworkVwanEnableInternetSecurity
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+Enables the ability for the Virtual WAN Hub Connection to learn the default route 0.0.0.0/0 from the Hub.
+
+- Default value: `True`
+
 ### virtualNetworkVwanAssociatedRouteTableResourceId
 
 ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
@@ -251,6 +260,9 @@ Disable telemetry collection by this module. For more information on the telemet
         "virtualNetworkUseRemoteGateways": {
             "value": true
         },
+        "virtualNetworkVwanEnableInternetSecurity": {
+            "value": true
+        },
         "virtualNetworkVwanAssociatedRouteTableResourceId": {
             "value": ""
         },