Merge pull request #110 from Azure/updates-to-parameters

Updates to parameters, Peering Enablement, Private DNS Zones Enablement, Added Hub 4 Spoke (TMN)

README.md

@@ -46,28 +46,22 @@ For a quickstart, we suggest a test deployment into the current AZ CLI subscript
     * `--subscription`: The GUID for the subscription to deploy into.
         Multiple subscriptions may be configured (*i.e.*, to have separate subscriptions for each 'tier' in the MLZ architecture) in the `parameters/deploy.parameters.json`
 
+> **IMPORTANT**: All values will need to be updates in the `parameters/deploy.parameters.json`. This allows for consistency in the parameters.  
+
     Here is an example that deploys into a single subscription in the EastUS region of Azure Commercial:
 
     ```plaintext
-    # These will be used in the naming of your resources
-    # e.g., anoa-eastus-dev-hub-rg
-    ORG_PREFIX="anoa"
-    DEPLOY_ENV="dev"
-
     # Replace with your test Azure Subscription ID
     AZ_SUBSCRIPTION="XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
 
     az login
+    cd src/bicep
+    cd platforms/lz-platform-scca-hub-3spoke
     az deployment sub create \
         --name deploy-scca-hub-with-3-spokes \
         --location EastUS \
         --template-file deploy.bicep \
         --parameters @parameters/deploy.parameters.json \
-        --parameters parRequired="{ \"orgPrefix\":\"$ORG_PREFIX\", \"templateVersion\":\"v1.0\", \"deployEnvironment\":\"$DEPLOY_ENV\" }" \
-        --parameters parHubSubscriptionId=$AZ_SUBSCRIPTION \
-        --parameters parIdentitySubscriptionId=$AZ_SUBSCRIPTION \
-        --parameters parOperationsSubscriptionId=$AZ_SUBSCRIPTION \
-        --parameters parSharedServicesSubscriptionId=$AZ_SUBSCRIPTION \
         --subscription $AZ_SUBSCRIPTION
     ```
 

src/bicep/azresources/hub-spoke-core/peering/spoke/anoa.lz.spoke.network.peering.bicep

@@ -15,6 +15,8 @@ Copyright (c) Microsoft Corporation. Licensed under the MIT license.
 param parSpokeName string
 param parSpokeResourceGroupName string
 param parSpokeVirtualNetworkName string
+param parUseRemoteGateways bool
+param parAllowVirtualNetworkAccess bool
 
 param parHubVirtualNetworkName string
 param parHubVirtualNetworkResourceId string
@@ -26,5 +28,7 @@ module spokeNetworkPeering '../../../Modules/Microsoft.Network/virtualNetworks/v
     name: '${parSpokeVirtualNetworkName}/to-${parHubVirtualNetworkName}'
     remoteVirtualNetworkId: parHubVirtualNetworkResourceId
     localVnetName: parSpokeVirtualNetworkName
+    useRemoteGateways: parUseRemoteGateways
+    allowVirtualNetworkAccess: parAllowVirtualNetworkAccess
   }
 }

src/bicep/azresources/hub-spoke-core/vdms/dataSharedServices/README.md

@@ -0,0 +1,177 @@
+# Hub/Spoke Core Module:   NoOps Accelerator - Data Shared Services Spoke Network
+
+## Overview
+
+This module defines Data Shared Services spoke network deployment based on the recommendations from the Azure Mission Landing Zone Conceptual Architecture.  
+
+Module deploys the following resources:
+
+* Virtual Network (VNet)
+* Subnets
+* Network Security Group
+* Storage Account
+
+## Required Parameters
+
+The module requires the following inputs:
+
+| Parameter                         | Type   | Default                                                                                              | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 | Required                   | Example                                        |
+ | --------------------------------- | ------ | ---------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------- | ---------------------------------------------- |
+| parOrgPrefix                       | string | `aona`                                                                           | Prefix value which will be prepended to all resource names. Default: anoa                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             | Yes                          | `aona`
+| parLocation                       | string | `resourceGroup().location`                                                                           | The Azure Region to deploy the resources into                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               | Yes                          | `eastus`
+| parTemplateVersion                       | string | `1.0`                                                                           | The ANOA template version                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           | Yes                          | `1.o`
+| parDeployEnvironment                       | string | None                                                                           | A suffix, 3 to 15 characters in length, to append to resource names (e.g. "dev", "test", "prod", "platforms"). It defaults to "platforms".'                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           | Yes                          | `platforms`
+| parResourcePrefix                       | string | None                       | A prefix, 3-15 alphanumeric characters without whitespace, used to prefix resources and generate uniqueness for resources with globally unique naming requirements like Storage Accounts and Log Analytics Workspaces.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          | Yes                          | None
+
+## Data Shared Services Network Parameters
+
+The module requires the following inputs for Data Shared Services Network:
+
+| Parameter                                | Type   | Default                    | Description                                                                                                                                                                                                                          | Required | Example                    |
+|------------------------------------------|--------|----------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------|----------------------------|
+| parData SharedServicesSubscriptionId                     | string | `guid`                     | The subscription ID for the Data SharedServices Network and resources. It defaults to the deployment subscription                                                                                                                                    | No       | `xxxx-xxxx-xxxx-xxxx-xxxx` | Yes| None |
+parData SharedServicesVirtualNetworkAddressPrefix | string | No       | The CIDR Virtual Network Address Prefix for the Data SharedServices Virtual Network. | Yes| None |
+parData SharedServicesSubnetAddressPrefix | string | No       | The CIDR Subnet Address Prefix for the default Data SharedServices subnet. It must be in the Data SharedServices Virtual Network space.| Yes| None |
+parSourceAddressPrefixes | string | No       | The CIDR Virtual Network Address Prefix for the Identity/Data SharedServices Virtual Network. Leave blank if no spokes are needed. | Yes| None |
+parLogStorageSkuName | string | No       | The Storage Account SKU to use for log storage. It defaults to "Standard_GRS". See <https://docs.microsoft.com/en-us/rest/api/storagerp/srp_sku_types> for valid settings.. | Yes| None |
+parData SharedServicesVirtualNetworkDiagnosticsLogs | array | No       | An array of Network Diagnostic Logs to enable for the Data SharedServices Virtual Network. See <https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostic-settings?tabs=CMD#logs> for valid settings. | Yes| None |
+parData SharedServicesVirtualNetworkDiagnosticsMetrics | array | No       | An array of Network Diagnostic Metrics to enable for the Data SharedServices Virtual Network. See <https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/> diagnostic-settings?tabs=CMD#metrics for valid settings. | Yes| None |
+parData SharedServicesNetworkSecurityGroupRules | array | No       | An array of Network Security Group rules to apply to the Data SharedServices Virtual Network. See <https://docs.microsoft.com/en-us/azure/templates/microsoft.network/networksecuritygroups/securityrules?tabs=bicep#securityrulepropertiesformat> for valid settings. | Yes| None |
+parData SharedServicesNetworkSecurityGroupDiagnosticsLogs | array | No       | An array of Network Security Group diagnostic logs to apply to the Data SharedServices Virtual Network. See <https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-nsg-manage-log#log-categories> for valid settings. | Yes| None |
+parData SharedServicesNetworkSecurityGroupDiagnosticsMetrics | array | No       | An array of Network Security Group Diagnostic Metrics to enable for the Data SharedServices Virtual Network. See <https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostic-settings?tabs=CMD#metrics> for valid settings. | Yes| None |
+parData SharedServicesSubnetServiceEndpoints | array | No       | An array of Service Endpoints to enable for the Data SharedServices subnet. See <https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview> for valid settings. | Yes| None |
+parLogAnalyticsWorkspaceResourceId | string | No       | . | Yes| None |
+parFirewallPrivateIPAddress | string | No       | . | Yes| None |
+parRouteTableRouteName | string | No       | . | Yes| None |
+parRouteTableRouteAddressPrefix | string | No       | . | Yes| None |
+parRouteTableRouteNextHopIpAddress | string | No       | . | Yes| None |
+parRouteTableRouteNextHopType | string | No       | . | Yes| None |
+parStorageAccountAccessObjectId | string | No       | . | Yes| None |
+parStorageAccountAccessType | string | No       | . | Yes| None |
+parAddRoleAssignmentForStorageAccount | bool | No       | . | Yes| None |
+
+Parameters file located in the [Deployments](../../../../deployments/HubSpoke/networking/sharedservices/) folder under hub/spoke.
+
+## Outputs
+
+The module will generate the following outputs:
+
+table
+
+## Deployment
+
+> **Note:** `bicepconfig.json` file is included in the module directory.  This file allows us to override Bicep Linters.  Currently there are two URLs which were removed because of linter warnings.  URLs removed are the following: database.windows.net and core.windows.net
+
+In this example, the Data Shared Services (Tier 2) resources will be deployed to the resource group specified. According to the Azure Mission Landing Zone Conceptual Architecture, the Data SharedServices resources should be deployed into the Platform Management subscription. During the deployment step, we will take the default values and not pass any parameters.
+
+Other differences in Azure IL regions are as follow:
+
+ | Azure Cloud    | Bicep template      | Input parameters file                    |
+ | -------------- | ------------------- | ---------------------------------------- |
+ | Global regions | anoa.lz.svcs.bicep | anoa.lz.svcs.parameters.json    |
+ | IL regions  | anoa.lz.svcs.bicep | anoa.lz.svcs.parameters.json |
+
+> For the examples below we assume you have downloaded or cloned the Git repo as-is and are in the root of the repository as your selected directory in your terminal of choice.
+
+### Azure CLI
+
+```bash
+# For Azure Commerical regions
+
+# When deploying to Azure cloud, first set the cloud.
+az cloudset --name AzureGovernment
+
+# Set Platform connectivity subscription ID as the the current subscription 
+ConnectivitySubscriptionId="[your platform management subscription ID]"
+az account set --subscription $ConnectivitySubscriptionId
+
+# Log in
+az login
+cd src/bicep
+cd azresources/hub-spoke-core
+az deployment sub create \
+   --name anoa-dataSharedServices-deploy \
+   --location eastus \
+   --template-file vdms/dataSharedServices/anoa.lz.data.svcs.network.network.bicep \
+   --parameters @parmeters/dataSharedServices/anoa.lz.data.svcs.network.parameters.json
+   --subscription $ConnectivitySubscriptionId
+```
+
+OR
+
+```bash
+
+# For Azure Government regions
+
+# When deploying to another cloud, like Azure US Government, first set the cloud.
+az cloudset --name AzureGovernment
+
+# Set Platform connectivity subscription ID as the the current subscription 
+ConnectivitySubscriptionId="[your platform management subscription ID]"
+az account set --subscription $ConnectivitySubscriptionId
+
+# Log in
+az login
+cd src/bicep
+cd azresources/hub-spoke-core
+az deployment sub create \
+   --name anoa-dataSharedServices-deploy \
+   --location usgovvirginia \
+   --template-file vdms/dataSharedServices/anoa.lz.data.svcs.network.bicep \
+   --parameters @parmeters/dataSharedServices/anoa.lz.data.svcs.network.parameters.json
+   --subscription $ConnectivitySubscriptionId
+```
+
+### PowerShell
+
+```powershell
+# For Azure Commerical regions
+# When deploying to Azure cloud, first set the cloud and log in.
+Connect-AzAccount -EnvironmentName AzureCloud
+
+# Set Platform connectivity subscription ID as the the current subscription 
+$ConnectivitySubscriptionId = "[your platform management subscription ID]"
+Select-AzSubscription -SubscriptionId $ConnectivitySubscriptionId
+
+cd src/bicep
+cd azresources/hub-spoke-core
+New-AzDeployment `
+  -TemplateFile vdms/dataSharedServices/anoa.lz.data.svcs.network.bicep `
+  -TemplateParameterFile parmeters/dataSharedServices/anoa.lz.data.svcs.network.parameters.json `
+  -Location 'eastus'
+  -Name 'anoa-dataSharedServices-deploy'
+```
+
+OR
+
+```powershell
+
+# For Azure Government regions
+# When deploying to another cloud, like Azure US Government, first set the cloud and log in.
+Connect-AzAccount -EnvironmentName AzureCloud
+
+# Set Platform connectivity subscription ID as the the current subscription 
+$ConnectivitySubscriptionId = "[your platform management subscription ID]"
+Select-AzSubscription -SubscriptionId $ConnectivitySubscriptionId  
+
+
+cd src/bicep
+cd azresources/hub-spoke-core
+New-AzDeployment `
+  --TemplateFile vdms/dataSharedServices/anoa.lz.data.svcs.network.bicep `
+  -TemplateParameterFile parmeters/dataSharedServices/anoa.lz.data.svcs.network.parameters.json `
+  -Location 'usgovvirginia'
+  -Name 'anoa-dataSharedServices-deploy'
+```
+
+## Air-Gapped Clouds
+
+For air-gapped clouds it may be convenient to transfer and deploy the compiled ARM template instead of the Bicep template if the Bicep CLI tools are not available or if it is desirable to transfer only one file into the air gap.
+
+## Cleanup
+
+The Bicep/ARM deployment of NoOps Accelerator Data Shared Services network deployment can be deleted with these steps:
+
+## Example Output in Azure
+
+![Example Deployment Output](images/sharedServucesExampleDeploymentOutput.png "Example Deployment Output in Azure global regions")

src/bicep/azresources/hub-spoke-core/vdms/dataSharedServices/anoa.lz.data.svcs.network.bicep

@@ -1,7 +1,7 @@
 /*
-SUMMARY: Module to deploy the Shared Services Network and it's components based on the Azure Mission Landing Zone conceptual architecture 
+SUMMARY: Module to deploy the Data Shared Services Network and it's components based on the Azure Tactical Mission Network (TMN) conceptual architecture 
 DESCRIPTION: The following components will be options in this deployment
-              Shared Services Virtual Network (Vnet)
+              Data Shared Services Virtual Network (Vnet)
               Subnets  
               Route Table
               Network Security Group
@@ -24,14 +24,13 @@ targetScope = 'subscription'
 param parOrgPrefix string = 'org'
 
 @description('The subscription ID for the Hub Network and resources. It defaults to the deployment subscription.')
-param parDataServicesSubscriptionId string = subscription().subscriptionId
+param parDataSharedServicesSubscriptionId string = subscription().subscriptionId
 
 @description('The region to deploy resources into. It defaults to the deployment location.')
 param parLocation string = deployment().location
 
-@description('The MLZ template version')
+@description('Tags')
-@minLength(3)
+param parTags object
-param parTemplateVersion string
 
 @minLength(3)
 @maxLength(15)
@@ -53,27 +52,30 @@ param parResourceGroupModuleCreate bool = true
 
 // NETWORK ADDRESS SPACE PARAMETERS
 @description('The CIDR Virtual Network Address Prefix for the Shared Services Virtual Network.')
-param parDataServicesVirtualNetworkAddressPrefix string = '10.0.120.0/26'
+param parDataSharedServicesVirtualNetworkAddressPrefix string = '10.0.130.0/26'
 
 @description('The CIDR Subnet Address Prefix for the default Shared Services subnet. It must be in the Shared Services Virtual Network space.')
-param parDataServicesSubnetAddressPrefix string = '10.0.120.0/27'
+param parDataSharedServicesSubnetAddressPrefix string = '10.0.130.0/27'
+
+@description('Array of Subnet Address Prefix for the default Shared Services network. These will be Spoke Subnet Address Prefixes, if exists.')
+param parDataSharedServicesSourceAddressPrefixes array = []
 
 // SHARED SERVICES NETWORK PARAMETERS
 
-@description('An array of Network Diagnostic Logs to enable for the DataServices Virtual Network. See https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostic-settings?tabs=CMD#logs for valid settings.')
+@description('An array of Network Diagnostic Logs to enable for the SharedServices Virtual Network. See https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostic-settings?tabs=CMD#logs for valid settings.')
-param parDataServicesVirtualNetworkDiagnosticsLogs array = []
+param parDataSharedServicesVirtualNetworkDiagnosticsLogs array = []
 
-@description('An array of Network Diagnostic Metrics to enable for the DataServices Virtual Network. See https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostic-settings?tabs=CMD#metrics for valid settings.')
+@description('An array of Network Diagnostic Metrics to enable for the SharedServices Virtual Network. See https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostic-settings?tabs=CMD#metrics for valid settings.')
-param parDataServicesVirtualNetworkDiagnosticsMetrics array = []
+param parDataSharedServicesVirtualNetworkDiagnosticsMetrics array = []
 
-@description('An array of Network Security Group rules to apply to the DataServices Virtual Network. See https://docs.microsoft.com/en-us/azure/templates/microsoft.network/networksecuritygroups/securityrules?tabs=bicep#securityrulepropertiesformat for valid settings.')
+@description('An array of Network Security Group rules to apply to the SharedServices Virtual Network. See https://docs.microsoft.com/en-us/azure/templates/microsoft.network/networksecuritygroups/securityrules?tabs=bicep#securityrulepropertiesformat for valid settings.')
-param parDataServicesNetworkSecurityGroupRules array = [
+param parDataSharedServicesNetworkSecurityGroupRules array = [
   {
     name: 'Allow-Traffic-From-Spokes'
     properties: {
       access: 'Allow'
       description: 'Allow traffic from spokes'
-      destinationAddressPrefix: parDataServicesVirtualNetworkAddressPrefix
+      destinationAddressPrefix: parDataSharedServicesVirtualNetworkAddressPrefix
       destinationPortRanges: [
         '22'
         '80'
@@ -83,24 +85,21 @@ param parDataServicesNetworkSecurityGroupRules array = [
       direction: 'Inbound'
       priority: 200
       protocol: '*'
-      sourceAddressPrefixes: [
+      sourceAddressPrefixes: parDataSharedServicesSourceAddressPrefixes
-        '10.0.110.0/26'
-        '10.0.115.0/26'
-      ]
       sourcePortRange: '*'
     }
     type: 'string'
   }
 ]
 
-@description('An array of Network Security Group diagnostic logs to apply to the DataServices Virtual Network. See https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-nsg-manage-log#log-categories for valid settings.')
+@description('An array of Network Security Group diagnostic logs to apply to the SharedServices Virtual Network. See https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-nsg-manage-log#log-categories for valid settings.')
-param parDataServicesNetworkSecurityGroupDiagnosticsLogs array = [
+param parDataSharedServicesNetworkSecurityGroupDiagnosticsLogs array = [
   'NetworkSecurityGroupEvent'
   'NetworkSecurityGroupRuleCounter'
 ]
 
-@description('An array of Service Endpoints to enable for the DataServices subnet. See https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview for valid settings.')
+@description('An array of Service Endpoints to enable for the SharedServices subnet. See https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview for valid settings.')
-param parDataServicesSubnetServiceEndpoints array = [
+param parDataSharedServicesSubnetServiceEndpoints array = [
   {
     service: 'Microsoft.Storage'
   }
@@ -108,10 +107,21 @@ param parDataServicesSubnetServiceEndpoints array = [
 
 // ROUTE TABLE 
 
+@description(' An Array of Routes to be established within the hub route table.')
+param parRouteTableRoutes array = [
+  {
+    name: 'svcs-routetable'
+    properties: {
+      addressPrefix: '0.0.0.0/0'
+      nextHopIpAddress: parFirewallPrivateIPAddress
+      nextHopType: 'VirtualAppliance'
+    }
+  }
+]
+
+@description('Firewall private IP address within the hub route table.')
 param parFirewallPrivateIPAddress string
-param parRouteTableRouteAddressPrefix string = '0.0.0.0/0'
+
-param parRouteTableRouteNextHopIpAddress string = parFirewallPrivateIPAddress
-param parRouteTableRouteNextHopType string = 'VirtualAppliance'
 param parDisableBgpRoutePropagation bool
 
 // LOGGING PARAMETERS
@@ -128,12 +138,9 @@ param parLogAnalyticsWorkspaceName string
 @description('Enable this setting if this network is on a different subscriptiom as the Hub. Will give conflict errors if on same sub as the Hub')
 param enableActivityLogging bool = false
 
-//STORAGE ACCOUNTS
+// STORAGE ACCOUNTS RBAC
 @description('Account for access to Storage')
-param parStorageAccountAccessObjectId string
+param parStorageAccountAccess object
-
-@description('Switch which allows Role Assignment for the Storage Account. Default: true')
-param parAddRoleAssignmentForStorageAccount bool = true
 
 /*
   NAMING CONVENTION
@@ -157,60 +164,54 @@ var varDdosNamingConvention = replace(varNamingConvention, varResourceToken, 'dd
 
 // SHARED SERVICES NAMES
 
-var varDataServicesName = 'dataservices'
+var varDataSharedServicesName = 'datasharedservices'
-var varDataServicesShortName = 'datasvcs'
+var varDataSharedServicesShortName = 'datasvcs'
-var varDataServicesResourceGroupName = replace(varResourceGroupNamingConvention, varNameToken, varDataServicesName)
+var varDataSharedServicesResourceGroupName = replace(varResourceGroupNamingConvention, varNameToken, varDataSharedServicesName)
-var varDataServicesLogStorageAccountShortName = replace(varStorageAccountNamingConvention, varNameToken, varDataServicesShortName)
+var varDataSharedServicesLogStorageAccountShortName = replace(varStorageAccountNamingConvention, varNameToken, varDataSharedServicesShortName)
-var varDataServicesLogStorageAccountUniqueName = replace(varDataServicesLogStorageAccountShortName, 'unique_storage_token', uniqueString(parDataServicesSubscriptionId, parLocation, parDeployEnvironment, parOrgPrefix))
+var varDataSharedServicesLogStorageAccountUniqueName = replace(varDataSharedServicesLogStorageAccountShortName, 'unique_storage_token', uniqueString(parDataSharedServicesSubscriptionId, parLocation, parDeployEnvironment, parOrgPrefix))
-var varDataServicesLogStorageAccountName = take(varDataServicesLogStorageAccountUniqueName, 23)
+var varDataSharedServicesLogStorageAccountName = take(varDataSharedServicesLogStorageAccountUniqueName, 23)
-var varDataServicesVirtualNetworkName = replace(varVirtualNetworkNamingConvention, varNameToken, varDataServicesName)
+var varDataSharedServicesVirtualNetworkName = replace(varVirtualNetworkNamingConvention, varNameToken, varDataSharedServicesName)
-var varDataServicesNetworkSecurityGroupName = replace(varNetworkSecurityGroupNamingConvention, varNameToken, varDataServicesName)
+var varDataSharedServicesNetworkSecurityGroupName = replace(varNetworkSecurityGroupNamingConvention, varNameToken, varDataSharedServicesName)
-var varDataServicesSubnetName = replace(varSubnetNamingConvention, varNameToken, varDataServicesName)
+var varDataSharedServicesSubnetName = replace(varSubnetNamingConvention, varNameToken, varDataSharedServicesName)
-var svcsddosName = replace(varDdosNamingConvention, varNameToken, varDataServicesName)
+var svcsddosName = replace(varDdosNamingConvention, varNameToken, varDataSharedServicesName)
 
 // ROUTETABLE VALUES
-var varRouteTableName = '${varDataServicesSubnetName}-routetable'
+var varRouteTableName = '${varDataSharedServicesSubnetName}-routetable'
 
 // TAGS
 
 @description('Resource group tags')
 module modTags '../../../Modules/Microsoft.Resources/tags/az.resources.tags.bicep' = {
-  name: 'deploy-${varDataServicesShortName}-tags-${parLocation}-${parDeploymentNameSuffix}'
+  name: 'deploy-${varDataSharedServicesShortName}-tags-${parLocation}-${parDeploymentNameSuffix}'
   params: {
-    onlyUpdate: true
+    tags: parTags
-    tags: {
-      organizationName: parOrgPrefix
-      hostName: parDeployEnvironment
-      regionName: parLocation
-      templateVersion: parTemplateVersion
-    }
   }
 }
 
 // RESOURCE GROUPS
 
 module modDataServicesResourceGroup '../../../Modules/Microsoft.Resources/resourceGroups/az.resource.groups.bicep' = if(parResourceGroupModuleCreate) {
-  name: 'deploy-${varDataServicesShortName}-rg-${parLocation}-${parDeploymentNameSuffix}'
+  name: 'deploy-${varDataSharedServicesShortName}-rg-${parLocation}-${parDeploymentNameSuffix}'
-  scope: subscription(parDataServicesSubscriptionId)
+  scope: subscription(parDataSharedServicesSubscriptionId)
   params: {
-    name: varDataServicesResourceGroupName
+    name: varDataSharedServicesResourceGroupName
     location: parLocation
     tags: modTags.outputs.tags
   }
 }
 
 module modSvcsLogStorage '../../../Modules/Microsoft.Storage/storageAccounts/az.data.storage.bicep' = {
-  name: 'deploy-${varDataServicesShortName}-logStorage-${parLocation}-${parDeploymentNameSuffix}'
+  name: 'deploy-${varDataSharedServicesShortName}-logStorage-${parLocation}-${parDeploymentNameSuffix}'
-  scope: resourceGroup(varDataServicesResourceGroupName)
+  scope: resourceGroup(varDataSharedServicesResourceGroupName)
   params: {
-    name: varDataServicesLogStorageAccountName
+    name: varDataSharedServicesLogStorageAccountName
     location: parLocation   
     storageAccountSku: parLogStorageSkuName
     tags: modTags.outputs.tags
-    roleAssignments: (parAddRoleAssignmentForStorageAccount) ? [
+    roleAssignments: (parStorageAccountAccess.enableRoleAssignmentForStorageAccount) ? [
       {
-        principalIds: parStorageAccountAccessObjectId
+        principalIds: parStorageAccountAccess.principalIds
-        roleDefinitionIdOrName: 'Contributor'
+        roleDefinitionIdOrName: parStorageAccountAccess.roleDefinitionIdOrName
       }
     ] : []
     lock: 'CanNotDelete'  
@@ -221,40 +222,31 @@ module modSvcsLogStorage '../../../Modules/Microsoft.Storage/storageAccounts/az.
 }
 
 module modDataServicesNetworkSecurityGroup '../../../Modules/Microsoft.Network/networkSecurityGroups/az.net.network.security.group.with.diagnostics.bicep' = {
-  name: 'deploy-${varDataServicesShortName}-nsg-${parLocation}-${parDeploymentNameSuffix}'
+  name: 'deploy-${varDataSharedServicesShortName}-nsg-${parLocation}-${parDeploymentNameSuffix}'
-  scope: resourceGroup(varDataServicesResourceGroupName)
+  scope: resourceGroup(varDataSharedServicesResourceGroupName)
   params: {
-    name: varDataServicesNetworkSecurityGroupName
+    name: varDataSharedServicesNetworkSecurityGroupName
     location: parLocation
     tags: modTags.outputs.tags
 
-    securityRules: parDataServicesNetworkSecurityGroupRules
+    securityRules: parDataSharedServicesNetworkSecurityGroupRules
 
     diagnosticWorkspaceId: parLogAnalyticsWorkspaceResourceId
     diagnosticStorageAccountId: modSvcsLogStorage.outputs.resourceId
 
-    diagnosticLogCategoriesToEnable: parDataServicesNetworkSecurityGroupDiagnosticsLogs   
+    diagnosticLogCategoriesToEnable: parDataSharedServicesNetworkSecurityGroupDiagnosticsLogs   
   }
 }
 
 module modDataServicesRouteTable '../../../Modules/Microsoft.Network/routeTable/az.net.route.table.bicep' = {
-  name: 'deploy-${varDataServicesShortName}-routeTable-${parLocation}-${parDeploymentNameSuffix}'
+  name: 'deploy-${varDataSharedServicesShortName}-routeTable-${parLocation}-${parDeploymentNameSuffix}'
-  scope: resourceGroup(varDataServicesResourceGroupName)
+  scope: resourceGroup(varDataSharedServicesResourceGroupName)
   params: {
     name: varRouteTableName
     location: parLocation
     tags: modTags.outputs.tags
 
-    routes: [
+    routes: parRouteTableRoutes
-      {
-        name: varRouteTableName
-        properties: {
-          addressPrefix: parRouteTableRouteAddressPrefix
-          nextHopIpAddress: parRouteTableRouteNextHopIpAddress
-          nextHopType: parRouteTableRouteNextHopType
-        }
-      }
-    ]   
     disableBgpRoutePropagation: parDisableBgpRoutePropagation
   }
   dependsOn: [
@@ -263,39 +255,39 @@ module modDataServicesRouteTable '../../../Modules/Microsoft.Network/routeTable/
 }
 
 module modDataServicesVirtualNetwork '../../../Modules/Microsoft.Network/virtualNetworks/az.net.virtual.network.with.diagnostics.bicep' = {
-  name: 'deploy-${varDataServicesShortName}-virtualNetwork-${parLocation}-${parDeploymentNameSuffix}'
+  name: 'deploy-${varDataSharedServicesShortName}-virtualNetwork-${parLocation}-${parDeploymentNameSuffix}'
-  scope: resourceGroup(varDataServicesResourceGroupName)
+  scope: resourceGroup(varDataSharedServicesResourceGroupName)
   params: {
-    name: varDataServicesVirtualNetworkName
+    name: varDataSharedServicesVirtualNetworkName
     location: parLocation
     tags: modTags.outputs.tags
 
     addressPrefixes: [
-      parDataServicesVirtualNetworkAddressPrefix
+      parDataSharedServicesVirtualNetworkAddressPrefix
     ]
 
     subnets: [     
       {
-        addressPrefix: parDataServicesSubnetAddressPrefix
+        addressPrefix: parDataSharedServicesSubnetAddressPrefix
-        name: varDataServicesSubnetName
+        name: varDataSharedServicesSubnetName
         networkSecurityGroupId: modDataServicesNetworkSecurityGroup.outputs.resourceId  
         routeTableId: modDataServicesRouteTable.outputs.resourceId
-        serviceEndpoints: parDataServicesSubnetServiceEndpoints
+        serviceEndpoints: parDataSharedServicesSubnetServiceEndpoints
       } 
     ]
 
     diagnosticWorkspaceId: parLogAnalyticsWorkspaceResourceId
     diagnosticStorageAccountId: modSvcsLogStorage.outputs.resourceId
 
-    diagnosticLogCategoriesToEnable: parDataServicesVirtualNetworkDiagnosticsLogs
+    diagnosticLogCategoriesToEnable: parDataSharedServicesVirtualNetworkDiagnosticsLogs
-    diagnosticMetricsToEnable: parDataServicesVirtualNetworkDiagnosticsMetrics
+    diagnosticMetricsToEnable: parDataSharedServicesVirtualNetworkDiagnosticsMetrics
     ddosProtectionPlanEnabled: parDeployddosProtectionPlan
     ddosProtectionPlanId: svcsddosName
   }
 }
 
 module spokeDataServicesSubscriptionActivityLogging '../../../Modules/Microsoft.Insights/diagnosticSettings/az.insights.diagnostic.setting.bicep' = if (enableActivityLogging) {
-  name: 'deploy-activity-logs-${varDataServicesShortName}-${parLocation}-${parDeploymentNameSuffix}'
+  name: 'deploy-activity-logs-${varDataSharedServicesShortName}-${parLocation}-${parDeploymentNameSuffix}'
   params: {
     diagnosticEventHubName: 'log-dataservices-sub-activity-to-${parLogAnalyticsWorkspaceName}'
     diagnosticWorkspaceId: parLogAnalyticsWorkspaceResourceId

src/bicep/azresources/hub-spoke-core/vdms/logging/README.md

@@ -38,17 +38,16 @@ The module requires the following inputs:
 
 The module requires the following inputs:
 
-| Parameter                         | Type   | Default                                                                                              | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 | Required                   | Example                                        |
+Parameter name | Default Value | Description
- | --------------------------------- | ------ | ---------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------- | ---------------------------------------------- |
+-------------- | ------------- | -----------
-| parDeployAutomationAccount | bool | `aona`                                                                          | Prefix value which will be prepended to all resource names. Default: anoa   | Yes  | `aona` |
+`parOperationsSubscriptionId` | Deployment subscription | The subscription ID for the Hub Network and resources. It defaults to the deployment subscription.
-| parLogAnalyticsWorkspaceCappingDailyQuotaGb | int | `-1`                                                                          | Prefix value which will be prepended to all resource names. Default: anoa   | Yes  | `aona` |
+`parDeploymentNameSuffix` | utcNow()  | A suffix to use for naming deployments uniquely. It defaults to the Bicep resolution of the "utcNow()" function.
-| parLogAnalyticsWorkspaceRetentionInDays | int | `30`                                                                          | Prefix value which will be prepended to all resource names. Default: anoa   | Yes  | `aona` |
+`parLogAnalyticsWorkspaceCappingDailyQuotaGb` | -1  | The daily quota for Log Analytics Workspace logs in Gigabytes. It defaults to "-1" for no quota.
-| parLogAnalyticsWorkspaceSkuName | string | `PerGB2018`                                                                          | Prefix value which will be prepended to all resource names. Default: anoa   | Yes  | `PerGB2018` |
+`parLogAnalyticsWorkspaceRetentionInDays` | 30  | Number of days of log retention for Log Analytics Workspace. - DEFAULT VALUE: 30
-| parDeploySentinel | bool | `false`                                                                          | Prefix value which will be prepended to all resource names. Default: anoa   | Yes  | `false` |
+`parLogAnalyticsWorkspaceSkuName` | 'PerGB2018'  | [Free/Standard/Premium/PerNode/PerGB2018/Standalone] The SKU for the Log Analytics Workspace. It defaults to "PerGB2018". See <https://docs.microsoft.com/en-us/azure/azure-monitor/logs/resource-manager-workspace> for valid settings.
-| parLogStorageSkuName | string | `Standard_GRS`                                                                          | Prefix value which will be prepended to all resource names. Default: anoa   | Yes  | `Standard_GRS` |
+`parDeploySentinel` | false  | Switch which allows Sentinel deployment to be disabled. Default: false
-| parAddRoleAssignmentForStorageAccount | bool | `false`                                                                          | Prefix value which will be prepended to all resource names. Default: anoa   | Yes  | `false` |
+`parLogStorageSkuName` | 'Standard_GRS'  | The Storage Account SKU to use for log storage. It defaults to "Standard_GRS". See <https://docs.microsoft.com/en-us/rest/api/storagerp/srp_sku_types> for valid settings.
-| parStorageAccountAccessObjectId | string | `xxxx-xxxx-xxxx-xxxx-xxxx`                                                                          | Prefix value which will be prepended to all resource names. Default: anoa   | No  | `xxxx-xxxx-xxxx-xxxx-xxxx` |
+`parLoggingStorageAccountAccess` | object | Account settings for role assignement to Storage Account
-| parStorageAccountAccessType | string | `Group`                                                                          | Prefix value which will be prepended to all resource names. Default: anoa   | No  | `Group` |
 
 Parameters file located in the [Deployments](../../../../deployments/HubSpoke/logging/) folder under hub/spoke.
 
@@ -56,9 +55,12 @@ Parameters file located in the [Deployments](../../../../deployments/HubSpoke/lo
 
 The module will generate the following outputs:
 
-Parameters | Type | Allowed Values | Description
+Parameter name | Default Value | Description
-| :-- | :-- | :-- | :-- |
+-------------- | ------------- | -----------
-None
+`outLogAnalyticsWorkspaceName` | 'guid' | Out value for Log Analytics Workspace Name
+`outLogAnalyticsWorkspaceResourceId` | '/subscriptions/<<subscriptionId>>/resourcegroups/anoa-usgovvirginia-dev-logging-rg/providers/microsoft.operationalinsights/workspaces/anoa-usgovvirginia-dev-logging-log' | Out value for Log Analytics ResourceId
+`outLogAnalyticsWorkspaceId` | 'guid' | Out value for Log Analytics Workspace Id
+`outLogAnalyticsSolutions` | array | Out value for Log Analytics Solutions in array format
 
 ## Deployment
 
@@ -80,16 +82,22 @@ Other differences in Azure IL regions are as follow:
 ```bash
 # For Azure Commerical regions
 
-# Set Platform connectivity subscription ID as the the current subscription 
+# When deploying to Azure cloud, first set the cloud.
+az cloudset --name AzureGovernment
 
+# Set Platform connectivity subscription ID as the the current subscription 
 ConnectivitySubscriptionId="[your platform management subscription ID]"
 az account set --subscription $ConnectivitySubscriptionId
 
+# Log in
+az login
+cd src/bicep
+cd azresources/hub-spoke-core
 az deployment sub create \
    --name anoa-logging-deploy \
    --location eastus \
-   --template-file src/bicep/common/landingzone/core/vdms/logging/anoa.lz.logging.bicep \
+   --template-file vdms/logging/anoa.lz.logging.bicep \
-   --parameters @src/bicep/common/landingzone/core/vdms/logging/anoa.lz.logging.parameters.json
+   --parameters @parmeters/logging/anoa.lz.logging.parameters.json
    --subscription $ConnectivitySubscriptionId
 ```
 
@@ -99,30 +107,41 @@ OR
 
 # For Azure Government regions
 
-# Set Platform connectivity subscription ID as the the current subscription 
+# When deploying to another cloud, like Azure US Government, first set the cloud.
+az cloudset --name AzureGovernment
 
+# Set Platform connectivity subscription ID as the the current subscription 
 ConnectivitySubscriptionId="[your platform management subscription ID]"
 az account set --subscription $ConnectivitySubscriptionId
 
+# Log in
+az login
+cd src/bicep
+cd azresources/hub-spoke-core
 az deployment sub create \
    --name anoa-logging-deploy \
-   --location virginiaus \
+   --location usgovvirginia \
-   --template-file src/bicep/common/landingzone/core/vdms/logging/anoa.lz.logging.bicep \
+   --template-file vdms/logging/anoa.lz.logging.bicep \
-   --parameters @src/bicep/common/landingzone/core/vdms/logging/anoa.lz.logging.parameters.json
+   --parameters @parmeters/logging/anoa.lz.logging.parameters.json
+   --subscription $ConnectivitySubscriptionId
 ```
 
 ### PowerShell
 
 ```powershell
 # For Azure Commerical regions
+# When deploying to Azure cloud, first set the cloud and log in.
+Connect-AzAccount -EnvironmentName AzureCloud
+
 # Set Platform connectivity subscription ID as the the current subscription 
 $ConnectivitySubscriptionId = "[your platform management subscription ID]"
-
 Select-AzSubscription -SubscriptionId $ConnectivitySubscriptionId
 
+cd src/bicep
+cd azresources/hub-spoke-core
 New-AzDeployment `
-  -TemplateFile src/bicep/common/landingzone/core/network/vdms/logging/anoa.lz.logging.bicep `
+  -TemplateFile vdms/logging/anoa.lz.logging.bicep `
-  -TemplateParameterFile src/bicep/common/landingzone/core/vdms/logging/anoa.lz.logging.parameters.json `
+  -TemplateParameterFile parmeters/logging/anoa.lz.logging.parameters.json `
   -Location 'eastus'
   -Name 'anoa-logging-deploy'
 ```
@@ -132,15 +151,20 @@ OR
 ```powershell
 
 # For Azure Government regions
+# When deploying to another cloud, like Azure US Government, first set the cloud and log in.
+Connect-AzAccount -EnvironmentName AzureCloud
+
 # Set Platform connectivity subscription ID as the the current subscription 
 $ConnectivitySubscriptionId = "[your platform management subscription ID]"
-
 Select-AzSubscription -SubscriptionId $ConnectivitySubscriptionId  
 
+
+cd src/bicep
+cd azresources/hub-spoke-core
 New-AzDeployment `
-  -TemplateFile src/bicep/common/landingzone/core/vdms/logging/anoa.lz.logging.bicep `
+  --TemplateFile vdms/logging/anoa.lz.logging.bicep `
-  -TemplateParameterFile src/bicep/common/landingzone/core/logging/vdms/logging/anoa.lz.logging.parameters.json `
+  -TemplateParameterFile parmeters/logging/anoa.lz.logging.parameters.json `
-  -Location 'virginiaus'
+  -Location 'usgovvirginia'
   -Name 'anoa-logging-deploy'
 ```
 

src/bicep/azresources/hub-spoke-core/vdms/logging/anoa.lz.logging.bicep

@@ -82,7 +82,7 @@ param parDeploySentinel bool = false
 param parLogStorageSkuName string = 'Standard_GRS'
 
 // STORAGE ACCOUNTS RBAC
-@description('Account for access to Storage')
+@description('Account settings for role assignement to Storage Account')
 param parLoggingStorageAccountAccess object
 
 /*

src/bicep/azresources/hub-spoke-core/vdms/operations/README.md

@@ -9,7 +9,7 @@ Module deploys the following resources:
 * Virtual Network (VNet)
 * Subnets
 * Network Security Group
-* Storage Account
+* Diagnostics Storage Account
 
 ## Required Parameters
 
@@ -32,7 +32,6 @@ The module requires the following inputs for Operations Network:
 | parOperationsSubscriptionId                     | string | `guid`                     | The subscription ID for the Operations Network and resources. It defaults to the deployment subscription                                                                                                                                    | No       | `xxxx-xxxx-xxxx-xxxx-xxxx` | Yes| None |
 parOperationsVirtualNetworkAddressPrefix | string | No       | The CIDR Virtual Network Address Prefix for the Operations Virtual Network. | Yes| None |
 parOperationsSubnetAddressPrefix | string | No       | The CIDR Subnet Address Prefix for the default Operations subnet. It must be in the Operations Virtual Network space.| Yes| None |
-parSourceAddressPrefixes | string | No       | The CIDR Virtual Network Address Prefix for the Identity/SharedServices Virtual Network. Leave blank if no spokes are needed. | Yes| None |
 parLogStorageSkuName | string | No       | The Storage Account SKU to use for log storage. It defaults to "Standard_GRS". See <https://docs.microsoft.com/en-us/rest/api/storagerp/srp_sku_types> for valid settings.. | Yes| None |
 parOperationsVirtualNetworkDiagnosticsLogs | array | No       | An array of Network Diagnostic Logs to enable for the Operations Virtual Network. See <https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostic-settings?tabs=CMD#logs> for valid settings. | Yes| None |
 parOperationsVirtualNetworkDiagnosticsMetrics | array | No       | An array of Network Diagnostic Metrics to enable for the Operations Virtual Network. See <https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/> diagnostic-settings?tabs=CMD#metrics for valid settings. | Yes| None |
@@ -40,15 +39,13 @@ parOperationsNetworkSecurityGroupRules | array | No       | An array of Network
 parOperationsNetworkSecurityGroupDiagnosticsLogs | array | No       | An array of Network Security Group diagnostic logs to apply to the Operations Virtual Network. See <https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-nsg-manage-log#log-categories> for valid settings. | Yes| None |
 parOperationsNetworkSecurityGroupDiagnosticsMetrics | array | No       | An array of Network Security Group Diagnostic Metrics to enable for the Operations Virtual Network. See <https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostic-settings?tabs=CMD#metrics> for valid settings. | Yes| None |
 parOperationsSubnetServiceEndpoints | array | No       | An array of Service Endpoints to enable for the Operations subnet. See <https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview> for valid settings. | Yes| None |
-parLogAnalyticsWorkspaceResourceId | string | No       | . | Yes| None |
+parLogAnalyticsWorkspaceResourceId | string | No       | Log Analytics Workspace Resource Id Needed for NSG, VNet and Activity Logging | Yes| None |
-parFirewallPrivateIPAddress | string | No       | . | Yes| None |
+parLogAnalyticsWorkspaceName | string | No       | Log Analytics Workspace Name Needed Activity Logging | Yes| None |
-parRouteTableRouteName | string | No       | . | Yes| None |
+enableActivityLogging | bool | No       | Enable this setting if this network is on a different subscriptiom as the Hub. Will give conflict errors if on same sub as the Hub | Yes| None |
-parRouteTableRouteAddressPrefix | string | No       | . | Yes| None |
+parRouteTableRoutes | array | No       | An Array of Routes to be established within the hub route table. | Yes| None |
-parRouteTableRouteNextHopIpAddress | string | No       | . | Yes| None |
+parFirewallPrivateIPAddress | string | No       | Firewall private IP address within the hub route table. | Yes| None |
-parRouteTableRouteNextHopType | string | No       | . | Yes| None |
+parDeployddosProtectionPlan | bool | No       | Switch which allows DDOS deployment to be disabled. Default: false | Yes| None |
-parStorageAccountAccessObjectId | string | No       | . | Yes| None |
+parOperationsStorageAccountAccess | object | No       | Account Setting for role assignment to Storage Account | Yes| None |
-parStorageAccountAccessType | string | No       | . | Yes| None |
-parAddRoleAssignmentForStorageAccount | bool | No       | . | Yes| None |
 
 Parameters file located in the [Deployments](../../../../deployments/HubSpoke/networking/operations/) folder under hub/spoke.
 
@@ -93,15 +90,23 @@ Other differences in Azure IL regions are as follow:
 ```bash
 # For Azure Commerical regions
 
-# Set Platform connectivity subscription ID as the the current subscription 
+# When deploying to Azure cloud, first set the cloud.
+az cloudset --name AzureGovernment
 
+# Set Platform connectivity subscription ID as the the current subscription 
 ConnectivitySubscriptionId="[your platform management subscription ID]"
 az account set --subscription $ConnectivitySubscriptionId
 
+# Log in
+az login
+cd src/bicep
+cd azresources/hub-spoke-core
 az deployment sub create \
+   --name anoa-operations-deploy \
    --location eastus \
-   --template-file src/bicep/common/landingzone/core/vdms/operations/anoa.lz.ops.network.bicep \
+   --template-file vdms/operations/anoa.lz.ops.network.bicep \
-   --parameters @src/bicep/common/landingzone/core/vdms/operations/anoa.lz.ops.network.parameters.json
+   --parameters @parmeters/operations/anoa.lz.ops.network.parameters.json
+   --subscription $ConnectivitySubscriptionId
 ```
 
 OR
@@ -110,30 +115,43 @@ OR
 
 # For Azure Government regions
 
-# Set Platform connectivity subscription ID as the the current subscription 
+# When deploying to another cloud, like Azure US Government, first set the cloud.
+az cloudset --name AzureGovernment
 
+# Set Platform connectivity subscription ID as the the current subscription 
 ConnectivitySubscriptionId="[your platform management subscription ID]"
 az account set --subscription $ConnectivitySubscriptionId
 
+# Log in
+az login
+cd src/bicep
+cd azresources/hub-spoke-core
 az deployment sub create \
-   --location virginiaus \
+   --name anoa-operations-deploy \
-   --template-file src/bicep/common/landingzone/core/vdms/operations/anoa.lz.ops.network.bicep \
+   --location usgovvirginia \
-   --parameters @src/bicep/common/landingzone/core/vdms/operations/anoa.lz.ops.network.parameters.json
+   --template-file vdms/operations/anoa.lz.ops.network.bicep \
+   --parameters @parmeters/operations/anoa.lz.ops.network.parameters.json
+   --subscription $ConnectivitySubscriptionId
 ```
 
 ### PowerShell
 
 ```powershell
 # For Azure Commerical regions
+# When deploying to Azure cloud, first set the cloud and log in.
+Connect-AzAccount -EnvironmentName AzureCloud
+
 # Set Platform connectivity subscription ID as the the current subscription 
 $ConnectivitySubscriptionId = "[your platform management subscription ID]"
-
 Select-AzSubscription -SubscriptionId $ConnectivitySubscriptionId
 
+cd src/bicep
+cd azresources/hub-spoke-core
 New-AzDeployment `
-  -TemplateFile src/bicep/common/landingzone/core/vdms/operations/anoa.lz.ops.network.bicep `
+  -TemplateFile vdms/operations/anoa.lz.ops.network.bicep `
-  -TemplateParameterFile src/bicep/common/landingzone/core/vdms/operations/anoa.lz.ops.network.parameters.json `
+  -TemplateParameterFile parmeters/operations/anoa.lz.ops.network.parameters.json `
   -Location 'eastus'
+  -Name 'anoa-operations-deploy'
 ```
 
 OR
@@ -141,15 +159,21 @@ OR
 ```powershell
 
 # For Azure Government regions
+# When deploying to another cloud, like Azure US Government, first set the cloud and log in.
+Connect-AzAccount -EnvironmentName AzureCloud
+
 # Set Platform connectivity subscription ID as the the current subscription 
 $ConnectivitySubscriptionId = "[your platform management subscription ID]"
-
 Select-AzSubscription -SubscriptionId $ConnectivitySubscriptionId  
 
+
+cd src/bicep
+cd azresources/hub-spoke-core
 New-AzDeployment `
-  -TemplateFile src/bicep/common/landingzone/core/vdms/operations/anoa.lz.ops.network.bicep `
+  --TemplateFile vdms/operations/anoa.lz.ops.network.bicep `
-  -TemplateParameterFile src/bicep/common/landingzone/core/vdms/operations/anoa.lz.ops.network.parameters.json `
+  -TemplateParameterFile parmeters/operations/anoa.lz.ops.network.parameters.json `
-  -Location 'virginiaus'
+  -Location 'usgovvirginia'
+  -Name 'anoa-operations-deploy'
 ```
 
 ## Air-Gapped Clouds

src/bicep/azresources/hub-spoke-core/vdms/sharedServices/README.md

@@ -78,15 +78,23 @@ Other differences in Azure IL regions are as follow:
 ```bash
 # For Azure Commerical regions
 
-# Set Platform connectivity subscription ID as the the current subscription 
+# When deploying to Azure cloud, first set the cloud.
+az cloudset --name AzureGovernment
 
+# Set Platform connectivity subscription ID as the the current subscription 
 ConnectivitySubscriptionId="[your platform management subscription ID]"
 az account set --subscription $ConnectivitySubscriptionId
 
+# Log in
+az login
+cd src/bicep
+cd azresources/hub-spoke-core
 az deployment sub create \
+   --name anoa-sharedServices-deploy \
    --location eastus \
-   --template-file src/bicep/common/landingzone/core/vdms/sharedservices/anoa.lz.svcs.bicep \
+   --template-file vdms/sharedServices/anoa.lz.svcs.network.network.bicep \
-   --parameters @src/bicep/common/landingzone/core/vdms/sharedservices/anoa.lz.svcs.parameters.json
+   --parameters @parmeters/sharedServices/anoa.lz.svcs.network.parameters.json
+   --subscription $ConnectivitySubscriptionId
 ```
 
 OR
@@ -95,30 +103,43 @@ OR
 
 # For Azure Government regions
 
-# Set Platform connectivity subscription ID as the the current subscription 
+# When deploying to another cloud, like Azure US Government, first set the cloud.
+az cloudset --name AzureGovernment
 
+# Set Platform connectivity subscription ID as the the current subscription 
 ConnectivitySubscriptionId="[your platform management subscription ID]"
 az account set --subscription $ConnectivitySubscriptionId
 
+# Log in
+az login
+cd src/bicep
+cd azresources/hub-spoke-core
 az deployment sub create \
-   --location virginiaus \
+   --name anoa-sharedServices-deploy \
-   --template-file src/bicep/common/landingzone/core/vdms/sharedservices/anoa.lz.svcs.bicep \
+   --location usgovvirginia \
-   --parameters @src/bicep/common/landingzone/core/vdms/sharedservices/anoa.lz.svcs.parameters.json
+   --template-file vdms/sharedServices/anoa.lz.svcs.network.bicep \
+   --parameters @parmeters/sharedServices/anoa.lz.svcs.network.parameters.json
+   --subscription $ConnectivitySubscriptionId
 ```
 
 ### PowerShell
 
 ```powershell
 # For Azure Commerical regions
+# When deploying to Azure cloud, first set the cloud and log in.
+Connect-AzAccount -EnvironmentName AzureCloud
+
 # Set Platform connectivity subscription ID as the the current subscription 
 $ConnectivitySubscriptionId = "[your platform management subscription ID]"
-
 Select-AzSubscription -SubscriptionId $ConnectivitySubscriptionId
 
+cd src/bicep
+cd azresources/hub-spoke-core
 New-AzDeployment `
-  -TemplateFile src/bicep/common/landingzone/core/vdms/sharedservices/anoa.lz.svcs.bicep `
+  -TemplateFile vdms/sharedServices/anoa.lz.svcs.network.bicep `
-  -TemplateParameterFile src/bicep/common/landingzone/core/vdms/sharedservices/anoa.lz.svcs.parameters.json `
+  -TemplateParameterFile parmeters/sharedServices/anoa.lz.svcs.network.parameters.json `
   -Location 'eastus'
+  -Name 'anoa-sharedServices-deploy'
 ```
 
 OR
@@ -126,15 +147,21 @@ OR
 ```powershell
 
 # For Azure Government regions
+# When deploying to another cloud, like Azure US Government, first set the cloud and log in.
+Connect-AzAccount -EnvironmentName AzureCloud
+
 # Set Platform connectivity subscription ID as the the current subscription 
 $ConnectivitySubscriptionId = "[your platform management subscription ID]"
-
 Select-AzSubscription -SubscriptionId $ConnectivitySubscriptionId  
 
+
+cd src/bicep
+cd azresources/hub-spoke-core
 New-AzDeployment `
-  -TemplateFile src/bicep/common/landingzone/core/vdms/sharedservices/anoa.lz.svcs.bicep `
+  --TemplateFile vdms/sharedServices/anoa.lz.svcs.network.bicep `
-  -TemplateParameterFile src/bicep/common/landingzone/core/vdms/sharedservices/anoa.lz.svcs.parameters.json `
+  -TemplateParameterFile parmeters/sharedServices/anoa.lz.svcs.network.parameters.json `
-  -Location 'virginiaus'
+  -Location 'usgovvirginia'
+  -Name 'anoa-sharedServices-deploy'
 ```
 
 ## Air-Gapped Clouds
@@ -147,4 +174,4 @@ The Bicep/ARM deployment of NoOps Accelerator Shared Services network deployment
 
 ## Example Output in Azure
 
-![Example Deployment Output](media/sharedservicesNetworkExampleDeploymentOutput.png "Example Deployment Output in Azure global regions")
+![Example Deployment Output](images/sharedServucesExampleDeploymentOutput.png "Example Deployment Output in Azure global regions")

src/bicep/azresources/hub-spoke-core/vdss/hub/anoa.lz.hub.network.bicep

@@ -239,6 +239,10 @@ param parHubSubnetServiceEndpoints array = [
 // ROUTETABLE PARAMETERS
 param parDisableBgpRoutePropagation bool = false
 
+// PRIVATE DNS ZONE PARAMETERS
+
+param parEnablePrivateDnsZones bool = false
+
 // LOGGING PARAMETERS
 
 @description('The Storage Account SKU to use for log storage. It defaults to "Standard_GRS". See https://docs.microsoft.com/en-us/rest/api/storagerp/srp_sku_types for valid settings.')
@@ -300,6 +304,7 @@ var varSubnetNamingConvention = replace(varNamingConvention, varResourceToken, '
 var varPublicIpAddressNamingConvention = replace(varNamingConvention, varResourceToken, 'pip')
 var varVirtualNetworkNamingConvention = replace(varNamingConvention, varResourceToken, 'vnet')
 var varDdosNamingConvention = replace(varNamingConvention, varResourceToken, 'ddos')
+var varPrivateDNSZoneNamingConvention = replace(varNamingConvention, varResourceToken, 'pdz-rg')
 
 // HUB NAMES
 
@@ -312,6 +317,7 @@ var varHubLogStorageAccountName = take(varHubLogStorageAccountUniqueName, 23)
 var varHubVirtualNetworkName = replace(varVirtualNetworkNamingConvention, varNameToken, varHubName)
 var varHubNetworkSecurityGroupName = replace(varNetworkSecurityGroupNamingConvention, varNameToken, varHubName)
 var varHubSubnetName = replace(varSubnetNamingConvention, varNameToken, varHubName)
+var varHubPDZResourceGroupName = replace(varPrivateDNSZoneNamingConvention, varNameToken, varHubName)
 var hubddosName = replace(varDdosNamingConvention, varNameToken, varHubName)
 
 // FIREWALL NAMES
@@ -351,6 +357,17 @@ module modHubResourceGroup '../../../Modules/Microsoft.Resources/resourceGroups/
   }
 }
 
+// Create Private DNS Zone Resource Group - optional
+module modPrivateDnsZonesResourceGroup '../../../Modules/Microsoft.Resources/resourceGroups/az.resource.groups.bicep' = if (parEnablePrivateDnsZones) {
+  name: 'deploy-hub-rg-${parLocation}-${parDeploymentNameSuffix}'
+  scope: subscription(parHubSubscriptionId)
+  params: {
+    name: varHubPDZResourceGroupName
+    location: parLocation
+    tags: modTags.outputs.tags
+  }
+}
+
 // HUB STORAGE - VDMS
 
 module modHubLogStorage '../../../Modules/Microsoft.Storage/storageAccounts/az.data.storage.bicep' = {
@@ -562,9 +579,9 @@ module modAzureFirewallPolicy '../../../Modules/Microsoft.Network/firewallPolici
 
 // HUB PRIVATE LINK - VDMS
 
-module modAzureMonitorPrivateLink '../../../Modules/Microsoft.Network/privateEndPoints/privateLinks/az.net.private.link.bicep' = if (contains(parSupportedClouds, environment().name)) {
+module modAzureMonitorPrivateLink '../../../Modules/Microsoft.Network/privateEndPoints/privateLinks/az.net.private.link.bicep' = if (contains(parSupportedClouds, environment().name) && parEnablePrivateDnsZones) {
   name: 'deploy-hub-az-monitor-prvt-link-${parLocation}-${parDeploymentNameSuffix}'
-  scope: resourceGroup(parHubSubscriptionId, varHubResourceGroupName)
+  scope: resourceGroup(parHubSubscriptionId, varHubPDZResourceGroupName)
   params: {
     logAnalyticsWorkspaceName: parLogAnalyticsWorkspaceName
     logAnalyticsWorkspaceResourceId: parLogAnalyticsWorkspaceResourceId

src/bicep/platforms/lz-platform-scca-hub-1spoke/deploy.bicep

@@ -461,10 +461,11 @@ module modHubNetwork '../../azresources/hub-spoke-core/vdss/hub/anoa.lz.hub.netw
     parHubVirtualNetworkDiagnosticsLogs: parHub.virtualNetworkDiagnosticsLogs
     parHubVirtualNetworkDiagnosticsMetrics: parHub.virtualNetworkDiagnosticsMetrics
     parHubSubnets: parHub.subnets
+    parEnablePrivateDnsZones: parHub.enablePrivateDnsZones
 
     // Enable Azure FireWall
     parAzureFirewallEnabled: parAzureFirewall.enable
-    parDisableBgpRoutePropagation: false
+    parDisableBgpRoutePropagation: parAzureFirewall.disableBgpRoutePropagation
  
     // Hub Firewall Parameters
     parFirewallSupernetIPAddress: parAzureFirewall.supernetIPAddress
@@ -525,7 +526,7 @@ module modOperationsNetwork '../../azresources/hub-spoke-core/vdms/operations/an
 
 // VIRTUAL NETWORK PEERINGS
 
-module modHubVirtualNetworkPeerings '../../azresources/hub-spoke-core/peering/hub/anoa.lz.hub.network.peerings.bicep' = {
+module modHubVirtualNetworkPeerings '../../azresources/hub-spoke-core/peering/hub/anoa.lz.hub.network.peerings.bicep' = if (parHub.peerToSpokeVirtualNetwork) {
   name: 'deploy-vnet-peerings-hub-${parLocation}-${parDeploymentNameSuffix}'
   scope: resourceGroup(parHub.subscriptionId, varHubResourceGroupName)
   params: {
@@ -540,7 +541,7 @@ module modHubVirtualNetworkPeerings '../../azresources/hub-spoke-core/peering/hu
   }
 }
 
-module modSpokeOpsToHubVirtualNetworkPeerings '../../azresources/hub-spoke-core/peering/spoke/anoa.lz.spoke.network.peering.bicep' = {
+module modSpokeOpsToHubVirtualNetworkPeerings '../../azresources/hub-spoke-core/peering/spoke/anoa.lz.spoke.network.peering.bicep' = if (parOperationsSpoke.peerToHubVirtualNetwork) {
   name: 'deploy-vnet-spoke-peerings-ops-${parLocation}-${parDeploymentNameSuffix}'
   scope: resourceGroup(parOperationsSpoke.subscriptionId, varOperationsResourceGroupName)
   params: {
@@ -551,6 +552,8 @@ module modSpokeOpsToHubVirtualNetworkPeerings '../../azresources/hub-spoke-core/
     // Hub Paramters
     parHubVirtualNetworkName: modHubNetwork.outputs.virtualNetworkName
     parHubVirtualNetworkResourceId: modHubNetwork.outputs.virtualNetworkResourceId
+    parAllowVirtualNetworkAccess: parOperationsSpoke.allowVirtualNetworkAccess
+    parUseRemoteGateways: parOperationsSpoke.useRemoteGateways
   }
 }
 

src/bicep/platforms/lz-platform-scca-hub-1spoke/deployment.azcli

@@ -1,10 +1,10 @@
 
 # AZ CLI Examples
 
-# Create Base64 script value
-script64=$(cat script.sh | base64)
-
 # Hub/Spoke - Change variables to match your deployment
+az login
+cd src/bicep
+cd platforms/lz-platform-scca-hub-1spoke
 az deployment sub create --name deploy-hub1spoke-network --location EastUS --template-file deploy.bicep  --parameters @parameters/deploy.parameters.json --subscription <<subscriptionId>>
 
 # Clean Up
@@ -19,27 +19,30 @@ az monitor diagnostic-settings subscription list --query value[] --output table
 az monitor diagnostic-settings subscription delete --name <diagnostic setting name>
 
 # Delete Resource Groups - Change variables to match your deployment
-az group delete -n anoa-eastus-aks-logging-rg -y
+az group delete -n anoa-eastus-dev-logging-rg -y
-az group delete -n anoa-eastus-aks-hub-rg -y
+az group delete -n anoa-eastus-dev-hub-rg -y
-az group delete -n anoa-eastus-aks-operations-rg -y
+az group delete -n anoa-eastus-dev-operations-rg -y
-az group delete -n anoa-eastus-aks-sharedservices-rg -y
+az group delete -n anoa-eastus-dev-sharedservices-rg -y
-az group delete -n anoa-eastus-aks-artifacts-rg -y
+az group delete -n anoa-eastus-dev-artifacts-rg -y
 
 # Delete Deployments - Change variables to match your deployment
 az deployment sub delete -n deploy-hub1spoke-network
 
 # AZ PowerShell
 # Hub/Spoke - Change variables to match your deployment
+Connect-AzAccount -EnvironmentName AzureCloud
+cd src/bicep
+cd platforms/lz-platform-scca-hub-1spoke
 New-AzSubscriptionDeployment -TemplateFile .\anoa.hubspoke.bicep -TemplateParameterFile .\parameters\anoa.hubspoke.parameters.example.json -Location "EastUS" -Name deploy-hubspoke-network
 
 # Clean Up
 # Delete Resource Groups - Change variables to match your deployment
-Remove-AzResourceGroup -Name anoa-eastus-aks-logging-rg
+Remove-AzResourceGroup -Name anoa-eastus-dev-logging-rg
-Remove-AzResourceGroup -Name anoa-eastus-aks-hub-rg
+Remove-AzResourceGroup -Name anoa-eastus-dev-hub-rg
-Remove-AzResourceGroup -Name anoa-eastus-aks-identity-rg
+Remove-AzResourceGroup -Name anoa-eastus-dev-identity-rg
-Remove-AzResourceGroup -Name anoa-eastus-aks-operations-rg
+Remove-AzResourceGroup -Name anoa-eastus-dev-operations-rg
-Remove-AzResourceGroup -Name anoa-eastus-aks-sharedservices-rg
+Remove-AzResourceGroup -Name anoa-eastus-dev-sharedservices-rg
-Remove-AzResourceGroup -Name anoa-eastus-aks-artifacts-rg
+Remove-AzResourceGroup -Name anoa-eastus-dev-artifacts-rg
 
 # Delete Deployments - Change variables to match your deployment
 Remove-AzSubscriptionDeployment -Name deploy-hub1spoke-network

src/bicep/platforms/lz-platform-scca-hub-1spoke/parameters/deploy.parameters.json

@@ -23,6 +23,8 @@
         "subscriptionId": "<<subscriptionId>>",
         "virtualNetworkAddressPrefix": "10.0.100.0/24",
         "subnetAddressPrefix": "10.0.100.128/27",
+        "peerToSpokeVirtualNetwork": true,
+        "enablePrivateDnsZones": true,
         "subnets": [
           {
             "name": "AzureFirewallSubnet",
@@ -61,6 +63,9 @@
         "subscriptionId": "<<subscriptionId>>",
         "virtualNetworkAddressPrefix": "10.0.115.0/26",
         "subnetAddressPrefix": "10.0.115.0/27",
+        "peerToHubVirtualNetwork": true,
+        "useRemoteGateway": false,
+        "allowVirtualNetworkAccess": true,
         "virtualNetworkDiagnosticsLogs": [],
         "virtualNetworkDiagnosticsMetrics": [],
         "networkSecurityGroupRules": [],
@@ -123,6 +128,7 @@
     "parAzureFirewall": {
       "value": {
         "enable": true,
+        "disableBgpRoutePropagation": false,
         "clientPublicIPAddressAvailabilityZones": [],     
         "managementPublicIPAddressAvailabilityZones": [],
         "supernetIPAddress": "10.0.96.0/19",

src/bicep/platforms/lz-platform-scca-hub-1spoke/readme.md

@@ -1,8 +1,8 @@
-# NoOps Accelerator - Platforms - SCCA Compliant Hub - 1 Spoke
+# NoOps Accelerator - Platforms - SCCA Compliant Hub - 1 Spoke Landing Zone
 
 ## Overview
 
-This platform module deploys Hub 1 Spoke landing zone.
+This platform module deploys Hub 1 Spoke landing zone. This landing zone can be used in AKS workload deployments for example. This also can be used for other smaller networks that do not require a Identity or Shared Service Spoke.
 
 > NOTE: This is only the landing zone deployment. The workloads will be deployed with the enclave or can be deployed after the landing zone is created.
 
@@ -36,6 +36,47 @@ All network traffic is directed through the firewall residing in the Network Hub
 
 *-example IP for firewall
 
+### Naming Conventions
+
+By default, Hub - 3 Spoke Platform resources are named according to a naming convention that uses the mandatory `orgPrefix` (that is defaulted to `anoa`), `templateVersion` & `deployEnvironment`.
+
+#### Default Naming Convention Example
+
+Let's look at an example using `parRequired="{ \"orgPrefix\":\"$ORG_PREFIX\", \"templateVersion\":\"v1.0\", \"deployEnvironment\":\"$DEPLOY_ENV\" }"`
+
+In `deploy.bicep` you will find a variable titled `namingConvention`:
+
+```bicep
+var varNamingConvention = '${toLower(parRequired.orgPrefix)}-${toLower(parLocation)}-${toLower(parRequired.deployEnvironment)}-${varNameToken}-${toLower(varResourceToken)}'
+
+# this generates a value of: ${orgPrefix}-${location}-${deployEnvironment}-${nameToken}-${resourceToken}
+```
+
+This naming convention uses Bicep's `replace()` function to substitute resource abbreviations for `resourceToken` and resource names for `nameToken`.
+
+For example, when naming the Hub Resource Group, first the `resourceToken` is substituted with the recommended abbreviation `rg`:
+
+```bicep
+var resourceGroupNamingConvention = replace(namingConvention, resourceToken, 'rg')
+# this generates a value of: anoa-eastus-${nameToken}-dev-rg
+```
+
+Then, the `nameToken` is substituted with the Azure NoOps Accelerator name `hub`:
+
+```bicep
+var hubResourceGroupName =  replace(resourceGroupNamingConvention, nameToken, 'hub')
+# this generates a value of: anoa-eastus-hub-dev-rg
+```
+
+Finally, the `hubResourceGroupName` is assigned to the resource group `varHubName` variable:
+
+```bicep
+var varHubName = 'hub'
+var varHubResourceGroupName = replace(varResourceGroupNamingConvention, varNameToken, varHubName)
+
+# this is the calculated value 'anoa-eastus-hub-dev-rg'
+```
+
 ### Tagging
 
 Organize cloud resources to meet the needs of governance, operational management, and accounting. Resources can be managed and found more quickly with the aid of well-defined metadata tagging protocols. By using charge back and show back accounting procedures, these conventions also assist in tying cloud usage charges to specific business teams.
@@ -51,13 +92,94 @@ A tagging strategy include business and operational details:
 
 Most customers will deploy each tier to a separate Azure subscription, but multiple subscriptions are not required. A single subscription deployment is good for a testing and evaluation, or possibly a small IT Admin team.
 
+Hub - 1 Spoke Platform can deploy to a single subscription or multiple subscriptions. A test and evaluation deployment may deploy everything to a single subscription, and a production deployment may place each tier into its own subscription.
+
+The optional parameters related to subscriptions are below. They releated to each tier object used for deployment.
+
+Parameter name | Default Value | Description
+-------------- | ------------- | -----------
+`parHub.subscriptionId` | Deployment subscription | Subscription containing the firewall and network hub
+`parOperationsSpoke.subscriptionId` | Deployment subscription | Tier 1 for network operations, logging and security tools
+
+### Networking
+
+The following parameters affect networking. They releated to each tier object used for deployment.
+
+Parameter name | Default Value | Description
+-------------- | ------------- | -----------
+`parHub.virtualNetworkAddressPrefix` | '10.0.100.0/24' | The CIDR Virtual Network Address Prefix for the Hub Virtual Network.
+`parHub.subnetAddressPrefix` | '10.0.100.128/27' | The CIDR Subnet Address Prefix for the default Hub subnet. It must be in the Hub Virtual Network space.
+`parHub.peerToSpokeVirtualNetwork` | true | This is a switch for peering to an Spoke Network. This is used with the spoke network peering as well. Both parameters either need to be true or false.
+`parHub.subnets.addressPrefix` (Firewall Client Subnet Address Prefix)| '10.0.100.0/26' | The CIDR Subnet Address Prefix for the Azure Firewall Subnet. It must be in the Hub Virtual Network space. It must be /26.
+`parHub.subnets.addressPrefix` (Firewall Management Subnet Address Prefix) | '10.0.100.64/26' | The CIDR Subnet Address Prefix for the Azure Firewall Management Subnet. It must be in the Hub Virtual Network space. It must be /26.
+`parOperationsSpoke.virtualNetworkAddressPrefix` | '10.0.115.0/26' | The CIDR Virtual Network Address Prefix for the Operations Virtual Network.
+`parOperationsSpoke.subnetAddressPrefix` | '10.0.115.0/27' | The CIDR Subnet Address Prefix for the default Operations subnet. It must be in the Operations Virtual Network space.
+`parOperationsSpoke.peerToHubVirtualNetwork` | true | This is a switch for peering to an Hub Network from a Spoke. This is used with the hub network peering as well. Both parameters either need to be true or false.
+
+## Optional Features
+
+Hub - 1 Spoke Platform has optional features that can be enabled by setting parameters on the deployment.
+
+### Microsoft Defender for Cloud
+
+By default [Microsoft Defender for Cloud](https://docs.microsoft.com/en-us/azure/defender-for-cloud/defender-for-cloud-introduction) offers a free set of monitoring capabilities that are enabled via an Azure policy when you first set up a subscription and view the Microsoft Defender for Cloud portal blade.
+
+Microsoft Defender for Cloud offers a standard/defender sku which enables a greater depth of awareness including more recomendations and threat analytics. You can enable this higher depth level of security in Hub - 1 Spoke Platform by setting the parameter `parSecurityCenter.enableDefender` during deployment. In addition you can include the `parSecurityCenter.emailSecurityContact` parameter to set a contact email for alerts and `parSecurityCenter.phoneSecurityContact` parameter to set a contact phone for alerts.
+
+Parameter name | Default Value | Description
+-------------- | ------------- | -----------
+`parSecurityCenter.enableDefender` | 'false' | When set to "true", enables Microsoft Defender for Cloud for the subscriptions used in the deployment. It defaults to "false".
+`parSecurityCenter.emailSecurityContact` | '' | Email address of the contact, in the form of john@doe.com
+`parSecurityCenter.phoneSecurityContact` | '' | Phone of the contact, in the form of 5555555555
+`parSecurityCenter.alertNotifications` | '' | alert notifications for contact
+`parSecurityCenter.alertsToAdminsNotifications` | '' | alert notifications for contact admin
+
+The Defender plan by resource type for Microsoft Defender for Cloud is enabled by default in the following [Azure Environments](https://docs.microsoft.com/en-us/powershell/module/servicemanagement/azure.service/get-azureenvironment?view=azuresmps-4.0.0): `AzureCloud` and `AzureUSGovernment`. To enable this for other Azure Cloud environments, this will need to executed manually.
+Documentation on how to do this can be found
+[here](https://docs.microsoft.com/en-us/azure/defender-for-cloud/enable-enhanced-security)
+
+### Azure Sentinel
+
+[Sentinel](https://docs.microsoft.com/en-us/azure/sentinel/overview) is a scalable, cloud-native, security information and event management (SIEM) and security orchestration, automation, and response (SOAR) solution. Sentinel can be enabled by setting the `parLogging.enableSentinel` parameter.
+
+Parameter name | Default Value | Description
+-------------- | ------------- | -----------
+`parLogging.enableSentinel` | 'false' | When set to "true", enables Microsoft Sentinel within the Log Analytics Workspace created in this deployment. It defaults to "false".
+
+### Remote access with a Bastion Host
+
+If you want to remotely access the network and the resources you've deployed you can use [Azure Bastion](https://docs.microsoft.com/en-us/azure/bastion/) to remotely access virtual machines within the network without exposing them via Public IP Addresses.
+
+Deploy a Linux and Windows virtual machine as jumpboxes into the network without a Public IP Address using Azure Bastion Host by providing values for these parameters:
+
+Parameter name | Default Value | Description
+-------------- | ------------- | -----------
+`parRemoteAccess.enable` | 'false' | When set to "true", provisions Azure Bastion Host and virtual machine jumpboxes. It defaults to "false".
+`parRemoteAccess.windows.vmAdminPassword` | 'Rem0te@2020246' | The administrator password the Windows Virtual Machine to Azure Bastion remote into. It must be > 12 characters in length. See [password requirements for creating a Windows VM](https://docs.microsoft.com/en-us/azure/virtual-machines/windows/faq#what-are-the-password-requirements-when-creating-a-vm-).
+`parRemoteAccess.linux.vmAuthenticationType` | 'Rem0te@2020246' | [sshPublicKey/password] The authentication type for the Linux Virtual Machine to Azure Bastion remote into. It defaults to "Rem0te@2020246".
+`parRemoteAccess.linux.vmAdminPasswordOrKey` | new guid | The administrator password or public SSH key for the Linux Virtual Machine to Azure Bastion remote into. See [password requirements for creating a Linux VM](https://docs.microsoft.com/en-us/azure/virtual-machines/linux/faq#what-are-the-password-requirements-when-creating-a-vm-).
+`parRemoteAccess.windows.vmAdminUsername` | 'azureuser' | The administrator username for the Linux Virtual Machine to Azure Bastion remote into. It defaults to "azureuser".
+`parRemoteAccess.linux.vmAdminUsername` | 'azureuser' | The administrator username for the Linux Virtual Machine to Azure Bastion remote into. It defaults to "azureuser".
+
+### Azure Firewall Premium
+
+By default, Hub - 1 Spoke Platform deploys **[Azure Firewall Premium](https://docs.microsoft.com/en-us/azure/firewall/premium-features). Not all regions support Azure Firewall Premium.** Check here to [see if the region you're deploying to supports Azure Firewall Premium](https://docs.microsoft.com/en-us/azure/firewall/premium-features#supported-regions). If necessary you can set a different firewall SKU or location.
+
+You can manually specify which SKU of Azure Firewall to use for your deployment by specifying the `parAzureFirewall.skuTier` parameter. This parameter only accepts values of `Standard` or `Premium`.
+
+Parameter name | Default Value | Description
+-------------- | ------------- | -----------
+`parAzureFirewall.skuTier` | 'Premium' | [Standard/Premium] The SKU for Azure Firewall. It defaults to "Premium".
+
+If you'd like to specify a different region to deploy your resources into, change the location of the deployment. For example, when using the AZ CLI set the deployment command's `--location` argument.
+
 ### Operational Network Artifacts
 
 If needed, The Operational Network Artifacts are used when operations wants to seperate all key, secrets and operations storage from the hub/spoke model.
 
 ### DDOS
 
-If needed, You can dpeloy an DDOS Standard configuration if a firewall is not needed.
+If needed, You can deploy an DDOS Standard configuration if a firewall is not needed.
 
 ## Parameters
 
@@ -80,7 +202,7 @@ parNetworkArtifacts | object | {object} | Optional. Enables Operations Network A
 parSecurityCenter | object | {object} | Microsoft Defender for Cloud.  It includes email and phone. See [overlays/management-services/defender/readme.md](../../overlays/management-services/defender/readme.md)
 parDdosStandard | bool | `false` | DDOS Standard configuration.
 
-## Deploy the Landing Zone
+## Deploy the Platform Landing Zone
 
 Connect to the appropriate Azure Environment and set appropriate context, see getting started with Azure PowerShell or Azure CLI for help if needed. The commands below assume you are deploying in Azure Commercial and show the entire process deploying Platform Hub/Spoke Design.
 
@@ -90,26 +212,46 @@ For example, deploying using the `az deployment sub create` command in the Azure
 
 ```bash
 # For Azure Commerical regions
+
+# When deploying to Azure cloud, first set the cloud.
+az cloudset --name AzureCloud
+
+# Set Platform connectivity subscription ID as the the current subscription 
+$ConnectivitySubscriptionId="[your platform management subscription ID]"
+az account set --subscription $ConnectivitySubscriptionId
+
+#log in
 az login
 cd src/bicep
 cd platforms/lz-platform-scca-hub-1spoke
 az deployment sub create \ 
---name contoso \
+--name deploy-hub1spoke-network \
---subscription xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx \
+--subscription $ConnectivitySubscriptionId \
---template-file platforms/lz-platform-scca-hub-1spoke/deploy.bicep \
+--template-file deploy.bicep \
 --location eastus \
---parameters @platforms/lz-platform-scca-hub-1spoke/parameters/deploy.parameters.json
+--parameters @parameters/deploy.parameters.json
 ```
 
 OR
 
 ```bash
 # For Azure Government regions
+
+# When deploying to another cloud, like Azure US Government, first set the cloud and log in.
+az cloudset --name AzureGovernment
+
+# Set Platform connectivity subscription ID as the the current subscription
+$ConnectivitySubscriptionId="[your platform management subscription ID]"
+az account set --subscription $ConnectivitySubscriptionId
+
+az login
+cd src/bicep
+cd platforms/lz-platform-scca-hub-1spoke
 az deployment sub create \
-  --template-file platforms/lz-platform-scca-hub-1spoke/deploy.bicep \
+  --name deploy-hub1spoke-network \
-  --parameters @platforms/lz-platform-scca-hub-1spoke/parameters/deploy.parameters.json \
+  --template-file deploy.bicep \
-  --subscription xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx \
+  --parameters @parameters/deploy.parameters.json \
-  --resource-group anoa-usgovvirginia-platforms-hub-rg \
+  --subscription $ConnectivitySubscriptionId \
   --location 'usgovvirginia'
 ```
 
@@ -117,10 +259,20 @@ az deployment sub create \
 
 ```powershell
 # For Azure Commerical regions
+# When deploying to Azure cloud, first set the cloud and log in.
+Connect-AzAccount -EnvironmentName AzureCloud
+
+# Set Platform connectivity subscription ID as the the current subscription
+$ConnectivitySubscriptionId = "[your platform management subscription ID]"
+Select-AzSubscription -SubscriptionId $ConnectivitySubscriptionId
+
+cd src/bicep
+cd platforms/lz-platform-scca-hub-1spoke
 New-AzSubscriptionDeployment `
-  -TemplateFile platforms/lz-platform-scca-hub-1spoke/deploy.bicepp `
+  -Name deploy-hub1spoke-network `
-  -TemplateParameterFile platforms/lz-platform-scca-hub-1spoke/parameters/deploy.parameters.json `
+  -TemplateFile deploy.bicep `
-  -Subscription xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx `
+  -TemplateParameterFile deploy.parameters.json `
+  -Subscription $ConnectivitySubscriptionId `
   -Location 'eastus'
 ```
 
@@ -128,10 +280,21 @@ OR
 
 ```powershell
 # For Azure Government regions
+
+# When deploying to another cloud, like Azure US Government, first set the cloud and log in.
+Connect-AzAccount -EnvironmentName AzureUSGovernment
+
+# Set Platform connectivity subscription ID as the the current subscription
+$ConnectivitySubscriptionId = "[your platform management subscription ID]"
+Select-AzSubscription -SubscriptionId $ConnectivitySubscriptionId
+
+cd src/bicep
+cd platforms/lz-platform-scca-hub-1spoke
 New-AzSubscriptionDeployment `
-  -TemplateFile platforms/lz-platform-scca-hub-1spoke/deploy.bicepp `
+  -Name deploy-hub1spoke-network `
-  -TemplateParameterFile platforms/lz-platform-scca-hub-1spoke/parameters/deploy.parameters.json `
+  -TemplateFile deploy.bicep `
-  -Subscription xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx `
+  -TemplateParameterFile deploy.parameters.json `
+  -Subscription $ConnectivitySubscriptionId `
   -Location  'usgovvirginia'
 ```
 
@@ -165,6 +328,41 @@ Get-AzResource -ResourceGroupName anoa-eastus-platforms-hub-rg
 
 The Bicep/ARM deployment of NoOps Accelerator - Hub/Spoke deployment can be deleted with these steps:
 
+### Delete the diagnostic settings deployed at the subscription level
+
+To delete the diagnostic settings from the Azure Portal: choose the subscription blade, then Activity log in the left panel. At the top of the Activity log screen click the Diagnostics settings button. From there you can click the Edit setting link and delete the diagnostic setting.
+
+> NOTE: If you deploy and delete Mission Landing Zone in the same subscription multiple times without deleting the subscription-level diagnostic settings, the sixth deployment will fail. Azure has a limit of five diagnostic settings per subscription. The error will be similar to this: `"The limit of 5 diagnostic settings was reached."`
+
+To delete the diagnotic settings in script, use the AZ CLI or PowerShell. An AZ CLI example is below:
+
+```BASH
+# View diagnostic settings in the current subscription
+az monitor diagnostic-settings subscription list --query value[] --output table
+
+# Delete a diagnostic setting
+az monitor diagnostic-settings subscription delete --name <diagnostic setting name>
+```
+
+### Downgrade the Microsoft Defender for Cloud
+
+To downgrade the Microsoft Defender for Cloud pricing level in the Azure portal:
+
+1. Navigate to the Microsoft Defender for Cloud page, then click the "Environment settings" tab in the left navigation panel.
+1. In the tree/grid select the subscription you want to manage.
+1. Click the large box near the top of the page that says "Enhanced security off".
+1. Click the save button.
+
+To downgrade the Microsoft Defender for Cloud pricing level using the AZ CLI:
+
+```BASH
+# List the pricing tiers
+az security pricing list -o table --query "value[].{Name:name, Tier:pricingTier}"
+
+# Change a pricing tier to the default free tier
+az security pricing create --name "<name of tier>" --tier Free
+```
+
 ### Delete Resource Groups
 
 ```bash
@@ -184,9 +382,19 @@ Remove-AzResourceGroup -Name anoa-eastus-platforms-artifacts-rg
 ### Delete Deployments
 
 ```bash
-az deployment sub delete -n deploy-hubspoke-network
+az deployment sub delete -n deploy-hub1spoke-network
 ```
 
 ```powershell
-Remove-AzSubscriptionDeployment -Name deploy-hubspoke-network
+Remove-AzSubscriptionDeployment -Name deploy-hub1spoke-network
 ```
+
+## Resources
+
+[Bicep documentation](https://aka.ms/bicep/)
+
+[`az deployment` documentation](https://docs.microsoft.com/en-us/cli/azure/deployment?view=azure-cli-latest)
+
+[JMESPath queries](https://jmespath.org/)
+
+[Azure Az PowerShell module](https://docs.microsoft.com/en-us/powershell/azure/what-is-azure-powershell)

src/bicep/platforms/lz-platform-scca-hub-3spoke/deploy.bicep

@@ -613,10 +613,11 @@ module modHubNetwork '../../azresources/hub-spoke-core/vdss/hub/anoa.lz.hub.netw
     parHubVirtualNetworkDiagnosticsLogs: parHub.virtualNetworkDiagnosticsLogs
     parHubVirtualNetworkDiagnosticsMetrics: parHub.virtualNetworkDiagnosticsMetrics
     parHubSubnets: parHub.subnets
+    parEnablePrivateDnsZones: parHub.enablePrivateDnsZones
 
     // Enable Azure FireWall
     parAzureFirewallEnabled: parAzureFirewall.enable
-    parDisableBgpRoutePropagation: false
+    parDisableBgpRoutePropagation: parAzureFirewall.disableBgpRoutePropagation
 
     // Hub Firewall Parameters
     parFirewallSupernetIPAddress: parAzureFirewall.supernetIPAddress
@@ -628,8 +629,7 @@ module modHubNetwork '../../azresources/hub-spoke-core/vdss/hub/anoa.lz.hub.netw
     parFirewallDiagnosticsMetrics: parAzureFirewall.diagnosticsMetrics
     parFirewallManagementPublicIPAddressAvailabilityZones: parAzureFirewall.managementPublicIPAddressAvailabilityZones
     parPublicIPAddressDiagnosticsLogs: parAzureFirewall.publicIPAddressDiagnosticsLogs
-    parPublicIPAddressDiagnosticsMetrics: parAzureFirewall.parPublicIPAddressDiagnosticsMetrics    
+    parPublicIPAddressDiagnosticsMetrics: parAzureFirewall.publicIPAddressDiagnosticsMetrics    
-    parFirewallPolicyRuleCollectionGroups: parAzureFirewall.ruleCollectionGroups
 
     // RBAC for Storage Parameters
     parHubStorageAccountAccess: parHub.storageAccountAccess
@@ -751,7 +751,7 @@ module modSharedServicesNetwork '../../azresources/hub-spoke-core/vdms/sharedser
 
 // VIRTUAL NETWORK PEERINGS
 
-module modHubVirtualNetworkPeerings '../../azresources/hub-spoke-core/peering/hub/anoa.lz.hub.network.peerings.bicep' = {
+module modHubVirtualNetworkPeerings '../../azresources/hub-spoke-core/peering/hub/anoa.lz.hub.network.peerings.bicep' = if (parHub.peerToSpokeVirtualNetwork) {
   name: 'deploy-vnet-peerings-hub-${parLocation}-${parDeploymentNameSuffix}'
   scope: resourceGroup(parHub.subscriptionId, varHubResourceGroupName)
   params: {
@@ -776,7 +776,7 @@ module modHubVirtualNetworkPeerings '../../azresources/hub-spoke-core/peering/hu
   }
 }
 
-module modSpokeOpsToHubVirtualNetworkPeerings '../../azresources/hub-spoke-core/peering/spoke/anoa.lz.spoke.network.peering.bicep' = {
+module modSpokeOpsToHubVirtualNetworkPeerings '../../azresources/hub-spoke-core/peering/spoke/anoa.lz.spoke.network.peering.bicep' = if (parOperationsSpoke.peerToHubVirtualNetwork){
   name: 'deploy-vnet-spoke-peerings-ops-${parLocation}-${parDeploymentNameSuffix}'
   scope: resourceGroup(parOperationsSpoke.subscriptionId, varOperationsResourceGroupName)
   params: {
@@ -787,10 +787,12 @@ module modSpokeOpsToHubVirtualNetworkPeerings '../../azresources/hub-spoke-core/
     // Hub Paramters
     parHubVirtualNetworkName: modHubNetwork.outputs.virtualNetworkName
     parHubVirtualNetworkResourceId: modHubNetwork.outputs.virtualNetworkResourceId
+    parAllowVirtualNetworkAccess: parOperationsSpoke.allowVirtualNetworkAccess
+    parUseRemoteGateways: parOperationsSpoke.useRemoteGateways
   }
 }
 
-module modSpokeIdToHubVirtualNetworkPeerings '../../azresources/hub-spoke-core/peering/spoke/anoa.lz.spoke.network.peering.bicep' = {
+module modSpokeIdToHubVirtualNetworkPeerings '../../azresources/hub-spoke-core/peering/spoke/anoa.lz.spoke.network.peering.bicep' = if (parIdentitySpoke.peerToHubVirtualNetwork) {
   name: 'deploy-vnet-spoke-peerings-id-${parLocation}-${parDeploymentNameSuffix}'
   scope: resourceGroup(parIdentitySpoke.subscriptionId, varIdentityResourceGroupName)
   params: {
@@ -801,10 +803,12 @@ module modSpokeIdToHubVirtualNetworkPeerings '../../azresources/hub-spoke-core/p
     // Hub Paramters
     parHubVirtualNetworkName: modHubNetwork.outputs.virtualNetworkName
     parHubVirtualNetworkResourceId: modHubNetwork.outputs.virtualNetworkResourceId
+    parAllowVirtualNetworkAccess: parIdentitySpoke.allowVirtualNetworkAccess
+    parUseRemoteGateways: parIdentitySpoke.useRemoteGateways
   }
 }
 
-module modSpokeSharedServicesToHubVirtualNetworkPeerings '../../azresources/hub-spoke-core/peering/spoke/anoa.lz.spoke.network.peering.bicep' = {
+module modSpokeSharedServicesToHubVirtualNetworkPeerings '../../azresources/hub-spoke-core/peering/spoke/anoa.lz.spoke.network.peering.bicep' = if (parIdentitySpoke.peerToHubVirtualNetwork) {
   name: 'deploy-vnet-spoke-peerings-svcs-${parLocation}-${parDeploymentNameSuffix}'
   scope: resourceGroup(parSharedServicesSpoke.subscriptionId, varSharedServicesResourceGroupName)
   params: {
@@ -815,6 +819,8 @@ module modSpokeSharedServicesToHubVirtualNetworkPeerings '../../azresources/hub-
     // Hub Parameters
     parHubVirtualNetworkName: modHubNetwork.outputs.virtualNetworkName
     parHubVirtualNetworkResourceId: modHubNetwork.outputs.virtualNetworkResourceId
+    parAllowVirtualNetworkAccess: parSharedServicesSpoke.allowVirtualNetworkAccess
+    parUseRemoteGateways: parSharedServicesSpoke.useRemoteGateways
   }
 }
 

src/bicep/platforms/lz-platform-scca-hub-3spoke/deployment.azcli

@@ -0,0 +1,48 @@
+
+# AZ CLI Examples
+
+# Hub/Spoke - Change variables to match your deployment
+az login
+cd src/bicep
+cd platforms/lz-platform-scca-hub-3spoke
+az deployment sub create --name deploy-hub3spoke-network --location EastUS --template-file deploy.bicep  --parameters @parameters/deploy.parameters.json --subscription <<subscriptionId>>
+
+# Clean Up
+# Delete Resource Locks - Change variables to match your deployment
+az resource lock delete --name lockName -g storageAccount --resource myvnet --resource-type Microsoft.Storage/storageAccounts
+
+# Delete Diagnostic Settings - Change variables to match your deployment
+# View diagnostic settings in the current subscription
+az monitor diagnostic-settings subscription list --query value[] --output table
+
+# Delete a diagnostic setting
+az monitor diagnostic-settings subscription delete --name <diagnostic setting name>
+
+# Delete Resource Groups - Change variables to match your deployment
+az group delete -n anoa-eastus-dev-logging-rg -y
+az group delete -n anoa-eastus-dev-hub-rg -y
+az group delete -n anoa-eastus-dev-operations-rg -y
+az group delete -n anoa-eastus-dev-sharedservices-rg -y
+az group delete -n anoa-eastus-dev-artifacts-rg -y
+
+# Delete Deployments - Change variables to match your deployment
+az deployment sub delete -n deploy-hub3spoke-network
+
+# AZ PowerShell
+# Hub/Spoke - Change variables to match your deployment
+Connect-AzAccount -EnvironmentName AzureCloud
+cd src/bicep
+cd platforms/lz-platform-scca-hub-3spoke
+New-AzSubscriptionDeployment -TemplateFile .\anoa.hubspoke.bicep -TemplateParameterFile .\parameters\anoa.hubspoke.parameters.example.json -Location "EastUS" -Name deploy-hub3spoke-network
+
+# Clean Up
+# Delete Resource Groups - Change variables to match your deployment
+Remove-AzResourceGroup -Name anoa-eastus-dev-logging-rg
+Remove-AzResourceGroup -Name anoa-eastus-dev-hub-rg
+Remove-AzResourceGroup -Name anoa-eastus-dev-identity-rg
+Remove-AzResourceGroup -Name anoa-eastus-dev-operations-rg
+Remove-AzResourceGroup -Name anoa-eastus-dev-sharedservices-rg
+Remove-AzResourceGroup -Name anoa-eastus-dev-artifacts-rg
+
+# Delete Deployments - Change variables to match your deployment
+Remove-AzSubscriptionDeployment -Name deploy-hub3spoke-network

src/bicep/platforms/lz-platform-scca-hub-3spoke/parameters/deploy.parameters.json

@@ -12,7 +12,7 @@
     "parTags": {
       "value": {
         "organization": "anoa",
-        "region": "eastus",
+        "region": "usgovvirginia",
         "templateVersion": "v1.0",
         "deployEnvironment": "dev",
         "deploymentType": "NoOpsBicep"
@@ -23,6 +23,8 @@
         "subscriptionId": "<<subscriptionId>>",
         "virtualNetworkAddressPrefix": "10.0.100.0/24",
         "subnetAddressPrefix": "10.0.100.128/27",
+        "peerToSpokeVirtualNetwork": true,
+        "enablePrivateDnsZones": true,
         "subnets": [
           {
             "name": "AzureFirewallSubnet",
@@ -65,6 +67,9 @@
           "10.0.115.0/26",
           "10.0.120.0/26"
         ],
+        "peerToHubVirtualNetwork": true,
+        "useRemoteGateway": false,
+        "allowVirtualNetworkAccess": true,
         "virtualNetworkDiagnosticsLogs": [],
         "virtualNetworkDiagnosticsMetrics": [],
         "networkSecurityGroupRules": [
@@ -124,6 +129,9 @@
           "10.0.110.0/26",
           "10.0.120.0/26"
         ],
+        "peerToHubVirtualNetwork": true,
+        "useRemoteGateway": false,
+        "allowVirtualNetworkAccess": true,
         "virtualNetworkDiagnosticsLogs": [],
         "virtualNetworkDiagnosticsMetrics": [],
         "networkSecurityGroupRules": [
@@ -183,6 +191,9 @@
           "10.0.115.0/26",
           "10.0.110.0/26"
         ],
+        "peerToHubVirtualNetwork": true,
+        "useRemoteGateway": false,
+        "allowVirtualNetworkAccess": true,
         "virtualNetworkDiagnosticsLogs": [],
         "virtualNetworkDiagnosticsMetrics": [],
         "networkSecurityGroupRules": [
@@ -269,6 +280,7 @@
     "parAzureFirewall": {
       "value": {
         "enable": true,
+        "disableBgpRoutePropagation": false,
         "clientPublicIPAddressAvailabilityZones": [],
         "managementPublicIPAddressAvailabilityZones": [],
         "supernetIPAddress": "10.0.96.0/19",

src/bicep/platforms/lz-platform-scca-hub-3spoke/readme.md

@@ -1,4 +1,4 @@
-# NoOps Accelerator - Platforms - SCCA Compliant Hub - 3 Spoke
+# NoOps Accelerator - Platforms - SCCA Compliant Hub - 3 Spoke Landing Zone
 
 ## Overview
 
@@ -14,7 +14,7 @@ Read on to understand what this landing zone does, and when you're ready, collec
 
 ## About Hub 3 Spoke Landing Zone
 
-The docs on Hub/Spoke Landing Zone: <https://docs.microsoft.com/en-us/azure/app-service/overview-hosting-plans>.
+The docs on Hub/Spoke Landing Zone: <https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/hub-spoke?tabs=cli>
 
 ### What is a Landing Zone?
 
@@ -45,6 +45,47 @@ Presently, there are two firewall rules configured to ensure access to the Azure
 |100                      | AllowAzureCloud      | AzureCloud|*       |   *      |Any                                     |
 |110                      | AzureAuth            | msftauth  |  *     | Https:443| aadcdn.msftauth.net, aadcdn.msauth.net |
 
+### Naming Conventions
+
+By default, Hub - 3 Spoke Platform resources are named according to a naming convention that uses the mandatory `orgPrefix` (that is defaulted to `anoa`), `templateVersion` & `deployEnvironment`.
+
+#### Default Naming Convention Example
+
+Let's look at an example using `parRequired="{ \"orgPrefix\":\"$ORG_PREFIX\", \"templateVersion\":\"v1.0\", \"deployEnvironment\":\"$DEPLOY_ENV\" }"`
+
+In `deploy.bicep` you will find a variable titled `namingConvention`:
+
+```bicep
+var varNamingConvention = '${toLower(parRequired.orgPrefix)}-${toLower(parLocation)}-${toLower(parRequired.deployEnvironment)}-${varNameToken}-${toLower(varResourceToken)}'
+
+# this generates a value of: ${orgPrefix}-${location}-${deployEnvironment}-${nameToken}-${resourceToken}
+```
+
+This naming convention uses Bicep's `replace()` function to substitute resource abbreviations for `resourceToken` and resource names for `nameToken`.
+
+For example, when naming the Hub Resource Group, first the `resourceToken` is substituted with the recommended abbreviation `rg`:
+
+```bicep
+var resourceGroupNamingConvention = replace(namingConvention, resourceToken, 'rg')
+# this generates a value of: anoa-eastus-${nameToken}-dev-rg
+```
+
+Then, the `nameToken` is substituted with the Azure NoOps Accelerator name `hub`:
+
+```bicep
+var hubResourceGroupName =  replace(resourceGroupNamingConvention, nameToken, 'hub')
+# this generates a value of: anoa-eastus-hub-dev-rg
+```
+
+Finally, the `hubResourceGroupName` is assigned to the resource group `varHubName` variable:
+
+```bicep
+var varHubName = 'hub'
+var varHubResourceGroupName = replace(varResourceGroupNamingConvention, varNameToken, varHubName)
+
+# this is the calculated value 'anoa-eastus-hub-dev-rg'
+```
+
 ### Tagging
 
 Organize cloud resources to meet the needs of governance, operational management, and accounting. Resources can be managed and found more quickly with the aid of well-defined metadata tagging protocols. By using charge back and show back accounting procedures, these conventions also assist in tying cloud usage charges to specific business teams.
@@ -60,13 +101,102 @@ A tagging strategy include business and operational details:
 
 Most customers will deploy each tier to a separate Azure subscription, but multiple subscriptions are not required. A single subscription deployment is good for a testing and evaluation, or possibly a small IT Admin team.
 
+Hub - 3 Spoke Platform can deploy to a single subscription or multiple subscriptions. A test and evaluation deployment may deploy everything to a single subscription, and a production deployment may place each tier into its own subscription.
+
+The optional parameters related to subscriptions are below. They releated to each tier object used for deployment.
+
+Parameter name | Default Value | Description
+-------------- | ------------- | -----------
+`parHub.subscriptionId` | Deployment subscription | Subscription containing the firewall and network hub
+`parIdentitySpoke.subscriptionId` | Deployment subscription | Tier 0 for identity solutions
+`parOperationsSpoke.subscriptionId` | Deployment subscription | Tier 1 for network operations, logging and security tools
+`parSharedServicesSpoke.subscriptionId` | Deployment subscription | Tier 2 for shared services
+
+### Networking
+
+The following parameters affect networking. They releated to each tier object used for deployment.
+
+Parameter name | Default Value | Description
+-------------- | ------------- | -----------
+`parHub.virtualNetworkAddressPrefix` | '10.0.100.0/24' | The CIDR Virtual Network Address Prefix for the Hub Virtual Network.
+`parHub.subnetAddressPrefix` | '10.0.100.128/27' | The CIDR Subnet Address Prefix for the default Hub subnet. It must be in the Hub Virtual Network space.
+`parHub.peerToSpokeVirtualNetwork` | true | This is a switch for peering to an Spoke Network. This is used with the spoke network peering as well. Both parameters either need to be true or false.
+`parHub.subnets.addressPrefix` (Firewall Client Subnet Address Prefix)| '10.0.100.0/26' | The CIDR Subnet Address Prefix for the Azure Firewall Subnet. It must be in the Hub Virtual Network space. It must be /26.
+`parHub.subnets.addressPrefix` (Firewall Management Subnet Address Prefix) | '10.0.100.64/26' | The CIDR Subnet Address Prefix for the Azure Firewall Management Subnet. It must be in the Hub Virtual Network space. It must be /26.
+`parIdentitySpoke.virtualNetworkAddressPrefix` | '10.0.110.0/26' | The CIDR Virtual Network Address Prefix for the Identity Virtual Network.
+`parIdentitySpoke.subnetAddressPrefix` | '10.0.110.0/27' | The CIDR Subnet Address Prefix for the default Identity subnet. It must be in the Identity Virtual Network space.
+`parIdentitySpoke.peerToHubVirtualNetwork` | true | This is a switch for peering to an Hub Network from a Identity Spoke. This is used with the hub network peering as well. Both parameters either need to be true or false.
+`parOperationsSpoke.virtualNetworkAddressPrefix` | '10.0.115.0/26' | The CIDR Virtual Network Address Prefix for the Operations Virtual Network.
+`parOperationsSpoke.subnetAddressPrefix` | '10.0.115.0/27' | The CIDR Subnet Address Prefix for the default Operations subnet. It must be in the Operations Virtual Network space.
+`parOperationsSpoke.peerToHubVirtualNetwork` | true | This is a switch for peering to an Hub Network from a Operations Spoke. This is used with the hub network peering as well. Both parameters either need to be true or false.
+`parSharedServicesSpoke.virtualNetworkAddressPrefix` | '10.0.120.0/26' | The CIDR Virtual Network Address Prefix for the Shared Services Virtual Network.
+`parSharedServicesSpoke.subnetAddressPrefix` | '10.0.120.0/27' | The CIDR Subnet Address Prefix for the default Shared Services subnet. It must be in the Shared Services Virtual Network space.
+`parSharedServicesSpoke.peerToHubVirtualNetwork` | true | This is a switch for peering to an Hub Network from a SharedServices Spoke. This is used with the hub network peering as well. Both parameters either need to be true or false.
+
+## Optional Features
+
+Hub - 3 Spoke Platform has optional features that can be enabled by setting parameters on the deployment.
+
+### Microsoft Defender for Cloud
+
+By default [Microsoft Defender for Cloud](https://docs.microsoft.com/en-us/azure/defender-for-cloud/defender-for-cloud-introduction) offers a free set of monitoring capabilities that are enabled via an Azure policy when you first set up a subscription and view the Microsoft Defender for Cloud portal blade.
+
+Microsoft Defender for Cloud offers a standard/defender sku which enables a greater depth of awareness including more recomendations and threat analytics. You can enable this higher depth level of security in Hub - 3 Spoke Platform by setting the parameter `parSecurityCenter.enableDefender` during deployment. In addition you can include the `parSecurityCenter.emailSecurityContact` parameter to set a contact email for alerts and `parSecurityCenter.phoneSecurityContact` parameter to set a contact phone for alerts.
+
+Parameter name | Default Value | Description
+-------------- | ------------- | -----------
+`parSecurityCenter.enableDefender` | 'false' | When set to "true", enables Microsoft Defender for Cloud for the subscriptions used in the deployment. It defaults to "false".
+`parSecurityCenter.emailSecurityContact` | '' | Email address of the contact, in the form of john@doe.com
+`parSecurityCenter.phoneSecurityContact` | '' | Phone of the contact, in the form of 5555555555
+`parSecurityCenter.alertNotifications` | '' | alert notifications for contact
+`parSecurityCenter.alertsToAdminsNotifications` | '' | alert notifications for contact admin
+
+The Defender plan by resource type for Microsoft Defender for Cloud is enabled by default in the following [Azure Environments](https://docs.microsoft.com/en-us/powershell/module/servicemanagement/azure.service/get-azureenvironment?view=azuresmps-4.0.0): `AzureCloud` and `AzureUSGovernment`. To enable this for other Azure Cloud environments, this will need to executed manually.
+Documentation on how to do this can be found
+[here](https://docs.microsoft.com/en-us/azure/defender-for-cloud/enable-enhanced-security)
+
+### Azure Sentinel
+
+[Sentinel](https://docs.microsoft.com/en-us/azure/sentinel/overview) is a scalable, cloud-native, security information and event management (SIEM) and security orchestration, automation, and response (SOAR) solution. Sentinel can be enabled by setting the `parLogging.enableSentinel` parameter.
+
+Parameter name | Default Value | Description
+-------------- | ------------- | -----------
+`parLogging.enableSentinel` | 'false' | When set to "true", enables Microsoft Sentinel within the Log Analytics Workspace created in this deployment. It defaults to "false".
+
+### Remote access with a Bastion Host
+
+If you want to remotely access the network and the resources you've deployed you can use [Azure Bastion](https://docs.microsoft.com/en-us/azure/bastion/) to remotely access virtual machines within the network without exposing them via Public IP Addresses.
+
+Deploy a Linux and Windows virtual machine as jumpboxes into the network without a Public IP Address using Azure Bastion Host by providing values for these parameters:
+
+Parameter name | Default Value | Description
+-------------- | ------------- | -----------
+`parRemoteAccess.enable` | 'false' | When set to "true", provisions Azure Bastion Host and virtual machine jumpboxes. It defaults to "false".
+`parRemoteAccess.windows.vmAdminPassword` | 'Rem0te@2020246' | The administrator password the Windows Virtual Machine to Azure Bastion remote into. It must be > 12 characters in length. See [password requirements for creating a Windows VM](https://docs.microsoft.com/en-us/azure/virtual-machines/windows/faq#what-are-the-password-requirements-when-creating-a-vm-).
+`parRemoteAccess.linux.vmAuthenticationType` | 'Rem0te@2020246' | [sshPublicKey/password] The authentication type for the Linux Virtual Machine to Azure Bastion remote into. It defaults to "Rem0te@2020246".
+`parRemoteAccess.linux.vmAdminPasswordOrKey` | new guid | The administrator password or public SSH key for the Linux Virtual Machine to Azure Bastion remote into. See [password requirements for creating a Linux VM](https://docs.microsoft.com/en-us/azure/virtual-machines/linux/faq#what-are-the-password-requirements-when-creating-a-vm-).
+`parRemoteAccess.windows.vmAdminUsername` | 'azureuser' | The administrator username for the Linux Virtual Machine to Azure Bastion remote into. It defaults to "azureuser".
+`parRemoteAccess.linux.vmAdminUsername` | 'azureuser' | The administrator username for the Linux Virtual Machine to Azure Bastion remote into. It defaults to "azureuser".
+
+### Azure Firewall Premium
+
+By default, Hub - 3 Spoke Platform deploys **[Azure Firewall Premium](https://docs.microsoft.com/en-us/azure/firewall/premium-features). Not all regions support Azure Firewall Premium.** Check here to [see if the region you're deploying to supports Azure Firewall Premium](https://docs.microsoft.com/en-us/azure/firewall/premium-features#supported-regions). If necessary you can set a different firewall SKU or location.
+
+You can manually specify which SKU of Azure Firewall to use for your deployment by specifying the `parAzureFirewall.skuTier` parameter. This parameter only accepts values of `Standard` or `Premium`.
+
+Parameter name | Default Value | Description
+-------------- | ------------- | -----------
+`parAzureFirewall.skuTier` | 'Premium' | [Standard/Premium] The SKU for Azure Firewall. It defaults to "Premium".
+
+If you'd like to specify a different region to deploy your resources into, change the location of the deployment. For example, when using the AZ CLI set the deployment command's `--location` argument.
+
 ### Operational Network Artifacts
 
 If needed, The Operational Network Artifacts are used when operations wants to seperate all key, secrets and operations storage from the hub/spoke model.
 
 ### DDOS
 
-If needed, You can dpeloy an DDOS Standard configuration if a firewall is not needed.
+If needed, You can deploy an DDOS Standard configuration if a firewall is not needed.
 
 ## Parameters
 
@@ -83,7 +213,7 @@ parIdentitySpoke | object | {object} | Identity Spoke Virtual network configurat
 parSharedServicesSpoke | object | {object} | Shared Services Spoke Virtual network configuration. See [See azresources/hub-spoke-core/vdms/sharedservices/readme.md](../../azresources/hub-spoke-core/vdms/sharedservices/readme.md)
 parAzureFirewall | object | {object} | Azure Firewall configuration. Azure Firewall is deployed in Forced Tunneling mode where a route table must be added as the next hop.
 parLogging | object | {object} | Enables logging parmeters and Microsoft Sentinel within the Log Analytics Workspace created in this deployment. See [azresources/hub-spoke-core/vdms/logging/readme.md](../../azresources/hub-spoke-core/vdms/logging/readme.md)
-parRemoteAccess | object | {object} | When set to "true", provisions Azure Bastion Host. It defaults to "false". See [overlays/management-services/bastion/readme.md](../../overlays/management-services/bastion/readme.md)
+parRemoteAccess | object | {object} | Provisions Azure Bastion Host. See [overlays/management-services/bastion/readme.md](../../overlays/management-services/bastion/readme.md)
 
 Optional Parameters | Type | Allowed Values | Description
 | :-- | :-- | :-- | :-- |
@@ -91,7 +221,7 @@ parNetworkArtifacts | object | {object} | Optional. Enables Operations Network A
 parSecurityCenter | object | {object} | Microsoft Defender for Cloud.  It includes email and phone. See [overlays/management-services/defender/readme.md](../../overlays/management-services/defender/readme.md)
 parDdosStandard | bool | `false` | DDOS Standard configuration.
 
-## Deploy the Landing Zone
+## Deploy the Platform Landing Zone
 
 Connect to the appropriate Azure Environment and set appropriate context, see getting started with Azure PowerShell or Azure CLI for help if needed. The commands below assume you are deploying in Azure Commercial and show the entire process deploying Platform Hub/Spoke Design.
 
@@ -101,29 +231,46 @@ For example, deploying using the `az deployment sub create` command in the Azure
 
 ```bash
 # For Azure Commerical regions
+
+# When deploying to Azure cloud, first set the cloud.
+az cloudset --name AzureCloud
+
+# Set Platform connectivity subscription ID as the the current subscription 
+$ConnectivitySubscriptionId="[your platform management subscription ID]"
+az account set --subscription $ConnectivitySubscriptionId
+
+#log in
 az login
 cd src/bicep
 cd platforms/lz-platform-scca-hub-3spoke
 az deployment sub create \ 
---name contoso \
+--name deploy-hub1spoke-network \
---subscription xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx \
+--subscription $ConnectivitySubscriptionId \
---template-file platforms/lz-platform-scca-hub-3spoke/deploy.bicep \
+--template-file deploy.bicep \
 --location eastus \
---parameters @platforms/lz-platform-scca-hub-3spoke/parameters/deploy.parameters.json
+--parameters @parameters/deploy.parameters.json
 ```
 
 OR
 
 ```bash
 # For Azure Government regions
+
+# When deploying to another cloud, like Azure US Government, first set the cloud and log in.
 az cloudset --name AzureGovernment
+
+# Set Platform connectivity subscription ID as the the current subscription
+$ConnectivitySubscriptionId="[your platform management subscription ID]"
+az account set --subscription $ConnectivitySubscriptionId
+
 az login
 cd src/bicep
 cd platforms/lz-platform-scca-hub-3spoke
 az deployment sub create \
-  --template-file platforms/lz-platform-scca-hub-3spoke/deploy.bicep \
+  --name deploy-hub1spoke-network \
-  --parameters @platforms/lz-platform-scca-hub-3spoke/parameters/deploy.parameters.json \
+  --template-file deploy.bicep \
-  --subscription xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx \
+  --parameters @parameters/deploy.parameters.json \
+  --subscription $ConnectivitySubscriptionId \
   --location 'usgovvirginia'
 ```
 
@@ -131,10 +278,20 @@ az deployment sub create \
 
 ```powershell
 # For Azure Commerical regions
+# When deploying to Azure cloud, first set the cloud and log in.
+Connect-AzAccount -EnvironmentName AzureCloud
+
+# Set Platform connectivity subscription ID as the the current subscription
+$ConnectivitySubscriptionId = "[your platform management subscription ID]"
+Select-AzSubscription -SubscriptionId $ConnectivitySubscriptionId
+
+cd src/bicep
+cd platforms/lz-platform-scca-hub-3spoke
 New-AzSubscriptionDeployment `
-  -TemplateFile platforms/lz-platform-scca-hub-3spoke/deploy.bicep `
+  -Name deploy-hub1spoke-network `
-  -TemplateParameterFile platforms/lz-platform-scca-hub-3spoke/parameters/deploy.parameters.example.json `
+  -TemplateFile deploy.bicep `
-  -Subscription xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx `
+  -TemplateParameterFile deploy.parameters.json `
+  -Subscription $ConnectivitySubscriptionId `
   -Location 'eastus'
 ```
 
@@ -142,10 +299,21 @@ OR
 
 ```powershell
 # For Azure Government regions
+
+# When deploying to another cloud, like Azure US Government, first set the cloud and log in.
+Connect-AzAccount -EnvironmentName AzureUSGovernment
+
+# Set Platform connectivity subscription ID as the the current subscription
+$ConnectivitySubscriptionId = "[your platform management subscription ID]"
+Select-AzSubscription -SubscriptionId $ConnectivitySubscriptionId
+
+cd src/bicep
+cd platforms/lz-platform-scca-hub-3spoke
 New-AzSubscriptionDeployment `
-  -TemplateFile platforms/lz-platform-scca-hub-3spoke/deploy.bicep `
+  -Name deploy-hub1spoke-network `
-  -TemplateParameterFile platforms/lz-platform-scca-hub-3spoke/parameters/deploy.parameters.example.json `
+  -TemplateFile deploy.bicep `
-  -Subscription xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx `
+  -TemplateParameterFile deploy.parameters.json `
+  -Subscription $ConnectivitySubscriptionId `
   -Location  'usgovvirginia'
 ```
 
@@ -179,6 +347,41 @@ Get-AzResource -ResourceGroupName anoa-eastus-platforms-hub-rg
 
 The Bicep/ARM deployment of NoOps Accelerator - Hub/Spoke deployment can be deleted with these steps:
 
+### Delete the diagnostic settings deployed at the subscription level
+
+To delete the diagnostic settings from the Azure Portal: choose the subscription blade, then Activity log in the left panel. At the top of the Activity log screen click the Diagnostics settings button. From there you can click the Edit setting link and delete the diagnostic setting.
+
+> NOTE: If you deploy and delete Mission Landing Zone in the same subscription multiple times without deleting the subscription-level diagnostic settings, the sixth deployment will fail. Azure has a limit of five diagnostic settings per subscription. The error will be similar to this: `"The limit of 5 diagnostic settings was reached."`
+
+To delete the diagnotic settings in script, use the AZ CLI or PowerShell. An AZ CLI example is below:
+
+```BASH
+# View diagnostic settings in the current subscription
+az monitor diagnostic-settings subscription list --query value[] --output table
+
+# Delete a diagnostic setting
+az monitor diagnostic-settings subscription delete --name <diagnostic setting name>
+```
+
+### Downgrade the Microsoft Defender for Cloud
+
+To downgrade the Microsoft Defender for Cloud pricing level in the Azure portal:
+
+1. Navigate to the Microsoft Defender for Cloud page, then click the "Environment settings" tab in the left navigation panel.
+1. In the tree/grid select the subscription you want to manage.
+1. Click the large box near the top of the page that says "Enhanced security off".
+1. Click the save button.
+
+To downgrade the Microsoft Defender for Cloud pricing level using the AZ CLI:
+
+```BASH
+# List the pricing tiers
+az security pricing list -o table --query "value[].{Name:name, Tier:pricingTier}"
+
+# Change a pricing tier to the default free tier
+az security pricing create --name "<name of tier>" --tier Free
+```
+
 ### Delete Resource Groups
 
 ```bash
@@ -202,9 +405,19 @@ Remove-AzResourceGroup -Name anoa-eastus-platforms-artifacts-rg
 ### Delete Deployments
 
 ```bash
-az deployment sub delete -n deploy-hubspoke-network
+az deployment sub delete -n deploy-hub3spoke-network
 ```
 
 ```powershell
-Remove-AzSubscriptionDeployment -Name deploy-hubspoke-network
+Remove-AzSubscriptionDeployment -Name deploy-hub3spoke-network
 ```
+
+## Resources
+
+[Bicep documentation](https://aka.ms/bicep/)
+
+[`az deployment` documentation](https://docs.microsoft.com/en-us/cli/azure/deployment?view=azure-cli-latest)
+
+[JMESPath queries](https://jmespath.org/)
+
+[Azure Az PowerShell module](https://docs.microsoft.com/en-us/powershell/azure/what-is-azure-powershell)

src/bicep/platforms/lz-platform-scca-hub-4spoke/bicepconfig.json

@@ -0,0 +1,13 @@
+{
+    "analyzers": {
+        "core": {
+            "verbose": false,
+            "enabled": true,
+            "rules": {
+                "no-hardcoded-env-urls": {
+                    "level": "off"
+                }
+            }
+        }
+    }
+}

src/bicep/platforms/lz-platform-scca-hub-4spoke/deployment.azcli

@@ -0,0 +1,48 @@
+
+# AZ CLI Examples
+
+# Hub/Spoke - Change variables to match your deployment
+az login
+cd src/bicep
+cd platforms/lz-platform-scca-hub-3spoke
+az deployment sub create --name deploy-hub3spoke-network --location EastUS --template-file deploy.bicep  --parameters @parameters/deploy.parameters.json --subscription <<subscriptionId>>
+
+# Clean Up
+# Delete Resource Locks - Change variables to match your deployment
+az resource lock delete --name lockName -g storageAccount --resource myvnet --resource-type Microsoft.Storage/storageAccounts
+
+# Delete Diagnostic Settings - Change variables to match your deployment
+# View diagnostic settings in the current subscription
+az monitor diagnostic-settings subscription list --query value[] --output table
+
+# Delete a diagnostic setting
+az monitor diagnostic-settings subscription delete --name <diagnostic setting name>
+
+# Delete Resource Groups - Change variables to match your deployment
+az group delete -n anoa-eastus-dev-logging-rg -y
+az group delete -n anoa-eastus-dev-hub-rg -y
+az group delete -n anoa-eastus-dev-operations-rg -y
+az group delete -n anoa-eastus-dev-sharedservices-rg -y
+az group delete -n anoa-eastus-dev-artifacts-rg -y
+
+# Delete Deployments - Change variables to match your deployment
+az deployment sub delete -n deploy-hub3spoke-network
+
+# AZ PowerShell
+# Hub/Spoke - Change variables to match your deployment
+Connect-AzAccount -EnvironmentName AzureCloud
+cd src/bicep
+cd platforms/lz-platform-scca-hub-3spoke
+New-AzSubscriptionDeployment -TemplateFile .\anoa.hubspoke.bicep -TemplateParameterFile .\parameters\anoa.hubspoke.parameters.example.json -Location "EastUS" -Name deploy-hub3spoke-network
+
+# Clean Up
+# Delete Resource Groups - Change variables to match your deployment
+Remove-AzResourceGroup -Name anoa-eastus-dev-logging-rg
+Remove-AzResourceGroup -Name anoa-eastus-dev-hub-rg
+Remove-AzResourceGroup -Name anoa-eastus-dev-identity-rg
+Remove-AzResourceGroup -Name anoa-eastus-dev-operations-rg
+Remove-AzResourceGroup -Name anoa-eastus-dev-sharedservices-rg
+Remove-AzResourceGroup -Name anoa-eastus-dev-artifacts-rg
+
+# Delete Deployments - Change variables to match your deployment
+Remove-AzSubscriptionDeployment -Name deploy-hub3spoke-network

src/bicep/platforms/lz-platform-scca-hub-4spoke/parameters/deploy.parameters.json

@@ -0,0 +1,457 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+    "parRequired": {
+      "value": {
+        "orgPrefix": "anoa",
+        "templateVersion": "v1.0",
+        "deployEnvironment": "dev"
+      }
+    },
+    "parTags": {
+      "value": {
+        "organization": "anoa",
+        "region": "usgovvirginia",
+        "templateVersion": "v1.0",
+        "deployEnvironment": "dev",
+        "deploymentType": "NoOpsBicep"
+      }
+    },
+    "parHub": {
+      "value": {
+        "subscriptionId": "<<subscriptionId>>",
+        "virtualNetworkAddressPrefix": "10.0.100.0/24",
+        "subnetAddressPrefix": "10.0.100.128/27",
+        "peerToSpokeVirtualNetwork": true,
+        "enablePrivateDnsZones": true,
+        "subnets": [
+          {
+            "name": "AzureFirewallSubnet",
+            "addressPrefix": "10.0.100.0/26",
+            "serviceEndpoints": []
+          },
+          {
+            "name": "AzureFirewallManagementSubnet",
+            "addressPrefix": "10.0.100.64/26",
+            "serviceEndpoints": []
+          }
+        ],
+        "virtualNetworkDiagnosticsLogs": [],
+        "virtualNetworkDiagnosticsMetrics": [],
+        "networkSecurityGroupRules": [],
+        "networkSecurityGroupDiagnosticsLogs": [
+          "NetworkSecurityGroupEvent",
+          "NetworkSecurityGroupRuleCounter"
+        ],
+        "subnetServiceEndpoints": [
+          {
+            "service": "Microsoft.Storage"
+          }
+        ],
+        "storageAccountAccess": {
+          "enableRoleAssignmentForStorageAccount": false,
+          "principalIds": [
+            "<<principalId>>"
+          ],
+          "roleDefinitionIdOrName": "Contributor"
+        }
+      }
+    },
+    "parIdentitySpoke": {
+      "value": {
+        "subscriptionId": "<<subscriptionId>>",
+        "virtualNetworkAddressPrefix": "10.0.110.0/26",
+        "subnetAddressPrefix": "10.0.110.0/27",
+        "sourceAddressPrefixes": [
+          "10.0.115.0/26",
+          "10.0.120.0/26",
+          "10.0.130.0/26"
+        ],
+        "peerToHubVirtualNetwork": true,
+        "useRemoteGateway": false,
+        "allowVirtualNetworkAccess": true,
+        "virtualNetworkDiagnosticsLogs": [],
+        "virtualNetworkDiagnosticsMetrics": [],
+        "networkSecurityGroupRules": [
+          {
+            "name": "Allow-Traffic-From-Spokes",
+            "properties": {
+              "access": "Allow",
+              "description": "Allow traffic from spokes",
+              "destinationAddressPrefix": "10.0.110.0/26",
+              "destinationPortRanges": [
+                "22",
+                "80",
+                "443",
+                "3389"
+              ],
+              "direction": "Inbound",
+              "priority": 200,
+              "protocol": "*",
+              "sourceAddressPrefixes": [
+                "10.0.115.0/26",
+                "10.0.120.0/26",
+                "10.0.130.0/26"
+              ],
+              "sourcePortRange": "*"
+            },
+            "type": "string"
+          }
+        ],
+        "publicIPAddressDiagnosticsLogs": [
+          "DDoSProtectionNotifications",
+          "DDoSMitigationFlowLogs",
+          "DDoSMitigationReports"
+        ],
+        "networkSecurityGroupDiagnosticsLogs": [
+          "NetworkSecurityGroupEvent",
+          "NetworkSecurityGroupRuleCounter"
+        ],
+        "subnetServiceEndpoints": [
+          {
+            "service": "Microsoft.Storage"
+          }
+        ],
+        "storageAccountAccess": {
+          "enableRoleAssignmentForStorageAccount": false,
+          "principalIds": [
+            "<<principalId>>"
+          ],
+          "roleDefinitionIdOrName": "Contributor"
+        }
+      }
+    },
+    "parOperationsSpoke": {
+      "value": {
+        "subscriptionId": "<<subscriptionId>>",
+        "virtualNetworkAddressPrefix": "10.0.115.0/26",
+        "subnetAddressPrefix": "10.0.115.0/27",
+        "sourceAddressPrefixes": [
+          "10.0.110.0/26",
+          "10.0.120.0/26",
+          "10.0.130.0/26"
+        ],
+        "peerToHubVirtualNetwork": true,
+        "useRemoteGateway": false,
+        "allowVirtualNetworkAccess": true,
+        "virtualNetworkDiagnosticsLogs": [],
+        "virtualNetworkDiagnosticsMetrics": [],
+        "networkSecurityGroupRules": [
+          {
+            "name": "Allow-Traffic-From-Spokes",
+            "properties": {
+              "access": "Allow",
+              "description": "Allow traffic from spokes",
+              "destinationAddressPrefix": "10.0.115.0/26",
+              "destinationPortRanges": [
+                "22",
+                "80",
+                "443",
+                "3389"
+              ],
+              "direction": "Inbound",
+              "priority": 200,
+              "protocol": "*",
+              "sourceAddressPrefixes": [
+                "10.0.110.0/26",
+                "10.0.120.0/26",
+                "10.0.130.0/26"
+              ],
+              "sourcePortRange": "*"
+            },
+            "type": "string"
+          }
+        ],
+        "publicIPAddressDiagnosticsLogs": [
+          "DDoSProtectionNotifications",
+          "DDoSMitigationFlowLogs",
+          "DDoSMitigationReports"
+        ],
+        "networkSecurityGroupDiagnosticsLogs": [
+          "NetworkSecurityGroupEvent",
+          "NetworkSecurityGroupRuleCounter"
+        ],
+        "subnetServiceEndpoints": [
+          {
+            "service": "Microsoft.Storage"
+          }
+        ],
+        "storageAccountAccess": {
+          "enableRoleAssignmentForStorageAccount": false,
+          "principalIds": [
+            "<<principalId>>"
+          ],
+          "roleDefinitionIdOrName": "Contributor"
+        }
+      }
+    },
+    "parSharedServicesSpoke": {
+      "value": {
+        "subscriptionId": "<<subscriptionId>>",
+        "virtualNetworkAddressPrefix": "10.0.120.0/26",
+        "subnetAddressPrefix": "10.0.120.0/27",
+        "sourceAddressPrefixes": [
+          "10.0.115.0/26",
+          "10.0.110.0/26",
+          "10.0.130.0/26"
+        ],
+        "peerToHubVirtualNetwork": true,
+        "useRemoteGateway": false,
+        "allowVirtualNetworkAccess": true,
+        "virtualNetworkDiagnosticsLogs": [],
+        "virtualNetworkDiagnosticsMetrics": [],
+        "networkSecurityGroupRules": [
+          {
+            "name": "Allow-Traffic-From-Spokes",
+            "properties": {
+              "access": "Allow",
+              "description": "Allow traffic from spokes",
+              "destinationAddressPrefix": "10.0.120.0/26",
+              "destinationPortRanges": [
+                "22",
+                "80",
+                "443",
+                "3389"
+              ],
+              "direction": "Inbound",
+              "priority": 200,
+              "protocol": "*",
+              "sourceAddressPrefixes": [
+                "10.0.115.0/26",
+                "10.0.110.0/26",
+                "10.0.130.0/26"
+              ],
+              "sourcePortRange": "*"
+            },
+            "type": "string"
+          }
+        ],
+        "publicIPAddressDiagnosticsLogs": [
+          "DDoSProtectionNotifications",
+          "DDoSMitigationFlowLogs",
+          "DDoSMitigationReports"
+        ],
+        "networkSecurityGroupDiagnosticsLogs": [
+          "NetworkSecurityGroupEvent",
+          "NetworkSecurityGroupRuleCounter"
+        ],
+        "subnetServiceEndpoints": [
+          {
+            "service": "Microsoft.Storage"
+          }
+        ],
+        "storageAccountAccess": {
+          "enableRoleAssignmentForStorageAccount": false,
+          "principalIds": [
+            "<<principalId>>"
+          ],
+          "roleDefinitionIdOrName": "Contributor"
+        }
+      }
+    },
+    "parDataSharedServicesSpoke": {
+      "value": {
+        "subscriptionId": "<<subscriptionId>>",
+        "virtualNetworkAddressPrefix": "10.0.130.0/26",
+        "subnetAddressPrefix": "10.0.130.0/27",
+        "sourceAddressPrefixes": [
+          "10.0.115.0/26",
+          "10.0.110.0/26",
+          "10.0.120.0/26"
+        ],
+        "peerToHubVirtualNetwork": true,
+        "useRemoteGateway": false,
+        "allowVirtualNetworkAccess": true,
+        "virtualNetworkDiagnosticsLogs": [],
+        "virtualNetworkDiagnosticsMetrics": [],
+        "networkSecurityGroupRules": [
+          {
+            "name": "Allow-Traffic-From-Spokes",
+            "properties": {
+              "access": "Allow",
+              "description": "Allow traffic from spokes",
+              "destinationAddressPrefix": "10.0.130.0/26",
+              "destinationPortRanges": [
+                "22",
+                "80",
+                "443",
+                "3389"
+              ],
+              "direction": "Inbound",
+              "priority": 200,
+              "protocol": "*",
+              "sourceAddressPrefixes": [
+                "10.0.115.0/26",
+                "10.0.120.0/26",
+                "10.0.110.0/26"
+              ],
+              "sourcePortRange": "*"
+            },
+            "type": "string"
+          }
+        ],
+        "publicIPAddressDiagnosticsLogs": [
+          "DDoSProtectionNotifications",
+          "DDoSMitigationFlowLogs",
+          "DDoSMitigationReports"
+        ],
+        "networkSecurityGroupDiagnosticsLogs": [
+          "NetworkSecurityGroupEvent",
+          "NetworkSecurityGroupRuleCounter"
+        ],
+        "subnetServiceEndpoints": [
+          {
+            "service": "Microsoft.Storage"
+          }
+        ],
+        "storageAccountAccess": {
+          "enableRoleAssignmentForStorageAccount": false,
+          "principalIds": [
+            "<<principalId>>"
+          ],
+          "roleDefinitionIdOrName": "Contributor"
+        }
+      }
+    },
+    "parNetworkArtifacts": {
+      "value": {
+        "enable": false,
+        "artifactsKeyVault": {
+          "keyVaultPolicies": {
+            "objectId": "<<objectId>>",
+            "permissions": {
+              "keys": [
+                "get",
+                "list",
+                "update"
+              ],
+              "secrets": [
+                "all"
+              ]
+            },
+            "tenantId": "<<tenantId>>"
+          }
+        },
+        "storageAccountAccess": {
+          "enableRoleAssignmentForStorageAccount": false,
+          "principalIds": [
+            "<<principalId>>"
+          ],
+          "roleDefinitionIdOrName": "Contributor"
+        }
+      }
+    },
+    "parDdosStandard": {
+      "value": {
+        "enable": false
+      }
+    },
+    "parAzureFirewall": {
+      "value": {
+        "enable": true,
+        "disableBgpRoutePropagation": false,
+        "clientPublicIPAddressAvailabilityZones": [],
+        "managementPublicIPAddressAvailabilityZones": [],
+        "supernetIPAddress": "10.0.96.0/19",
+        "skuTier": "Premium",
+        "threatIntelMode": "Alert",
+        "intrusionDetectionMode": "Alert",
+        "publicIPAddressDiagnosticsLogs": [
+          "DDoSProtectionNotifications",
+          "DDoSMitigationFlowLogs",
+          "DDoSMitigationReports"
+        ],
+        "publicIPAddressDiagnosticsMetrics": [
+          "AllMetrics"
+        ],
+        "diagnosticsLogs": [
+          "AzureFirewallApplicationRule",
+          "AzureFirewallNetworkRule",
+          "AzureFirewallDnsProxy"
+        ],
+        "diagnosticsMetrics": [
+          "AllMetrics"
+        ],
+        "storageAccountAccess": {
+          "value": {
+            "enableRoleAssignmentForStorageAccount": false,
+            "principalIds": [
+              "<<principalId>>"
+            ],
+            "roleDefinitionIdOrName": "Contributor"
+          }
+        }
+      }
+    },
+    "parLogging": {
+      "value": {
+        "enableSentinel": true,
+        "logAnalyticsWorkspaceCappingDailyQuotaGb": -1,
+        "logAnalyticsWorkspaceRetentionInDays": 30,
+        "logAnalyticsWorkspaceSkuName": "PerGB2018",
+        "logStorageSkuName": "Standard_GRS",
+        "storageAccountAccess": {
+          "enableRoleAssignmentForStorageAccount": false,
+          "principalIds": [
+            "<<principalId>>"
+          ],
+          "roleDefinitionIdOrName": "Contributor"
+        }
+      }
+    },
+    "parRemoteAccess": {
+      "value": {
+        "enable": true,
+        "bastion": {
+          "sku": "Standard",
+          "subnetAddressPrefix": "10.0.100.160/27",
+          "publicIPAddressAvailabilityZones": [],
+          "encryptionAtHost": false,
+          "linux": {
+            "enable": true,
+            "vmName": "bastion-linux",
+            "vmAdminUsername": "azureuser",
+            "disablePasswordAuthentication": false,
+            "vmAdminPasswordOrKey": "Rem0te@2020246",
+            "vmSize": "Standard_DS1_v2",
+            "vmOsDiskCreateOption": "FromImage",
+            "vmOsDiskType": "Standard_LRS",
+            "vmImagePublisher": "Canonical",
+            "vmImageOffer": "UbuntuServer",
+            "vmImageSku": "18.04-LTS",
+            "vmImageVersion": "latest",
+            "networkInterfacePrivateIPAddressAllocationMethod": "Dynamic"
+          },
+          "windows": {
+            "enable": true,
+            "vmName": "bastion-windows",
+            "vmAdminUsername": "azureuser",
+            "vmAdminPassword": "Rem0te@2020246",
+            "vmSize": "Standard_DS1_v2",
+            "vmOsDiskCreateOption": "FromImage",
+            "vmStorageAccountType": "StandardSSD_LRS",
+            "vmImagePublisher": "MicrosoftWindowsServer",
+            "vmImageOffer": "WindowsServer",
+            "vmImageSku": "2019-datacenter",
+            "vmImageVersion": "latest",
+            "networkInterfacePrivateIPAddressAllocationMethod": "Dynamic"
+          },
+          "customScriptExtension": {
+            "install": false,
+            "script64": ""
+          }
+        }
+      }
+    },
+    "parSecurityCenter": {
+      "value": {
+        "enableDefender": true,
+        "alertNotifications": "Off",
+        "alertsToAdminsNotifications": "Off",
+        "emailSecurityContact": "anoa@microsoft.com",
+        "phoneSecurityContact": "5555555555"
+      }
+    }
+  }
+}

src/bicep/platforms/lz-platform-scca-hub-4spoke/readme.md

@@ -0,0 +1,427 @@
+# NoOps Accelerator - Platforms - SCCA Compliant Hub - 4 Spoke Landing Zone
+
+## Overview
+
+This platform module deploys Hub 4 Spoke landing zone.
+
+> NOTE: This is only the landing zone deployment. The workloads will be deployed with the enclave or can be deployed after the landing zone is created.
+
+Read on to understand what this landing zone does, and when you're ready, collect all of the pre-requisites, then deploy the landing zone.
+
+## Architecture
+
+ ![Hub/Spoke landing zone Architecture](./media/hub-4spoke-network-topology-architecture.jpg)
+
+## About Hub 4 Spoke Landing Zone
+
+The docs on Hub/Spoke Landing Zone: <https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/hub-spoke?tabs=cli>
+
+### What is a Landing Zone?
+
+A **landing zone** is networking infrastructure configured to provide a secure environment for hosting workloads.
+
+[![Landing Zones Azure Academy Video](https://img.youtube.com/vi/9BKgz9Rl1eo/0.jpg)](https://youtu.be/9BKgz9Rl1eo "Don't let this happen to you 😮 Build A Landing Zone 👍 - Click to Watch!")
+
+### Hub/Spoke Networking
+
+Hub/ 4 Spoke Networking (like TMN) is set up in a hub and spoke design, separated by tiers: T0 (Identity and Authorization), T1 (Infrastructure Operations), T2 (DevSecOps and Shared Services), multiple T3s (Workloads), and T4 (Data Shared Services). Access control can be configured to allow separation of duties between all tiers.
+
+### Firewall
+
+All network traffic is directed through the firewall residing in the Network Hub resource group. The firewall is configured as the default route for all the T0 (Identity and Authorization) through T3 (workload/team environments) resource groups as follows:
+
+|Name         |Address prefix| Next hop type| Next hop IP address|
+|-------------|--------------|-----------------|-----------------|
+|default_route| 0.0.0.0/0    |Virtual Appliance|10.0.100.4*       |
+
+*-example IP for firewall
+
+The default firewall configured for Hub/ 1 Spoke Landing Zone is [Azure Firewall Premium](https://docs.microsoft.com/en-us/azure/firewall/premium-features).
+
+Presently, there are two firewall rules configured to ensure access to the Azure Portal and to facilitate interactive logon via PowerShell and Azure CLI, all other traffic is restricted by default. Below are the collection of rules configured for Azure Commercial and Azure Government clouds:
+
+|Rule Collection Priority | Rule Collection Name | Rule name | Source | Port     | Protocol                               |
+|-------------------------|----------------------|-----------|--------|----------|----------------------------------------|
+|100                      | AllowAzureCloud      | AzureCloud|*       |   *      |Any                                     |
+|110                      | AzureAuth            | msftauth  |  *     | Https:443| aadcdn.msftauth.net, aadcdn.msauth.net |
+
+### Naming Conventions
+
+By default, Hub - 4 Spoke Platform resources are named according to a naming convention that uses the mandatory `orgPrefix` (that is defaulted to `anoa`), `templateVersion` & `deployEnvironment`.
+
+#### Default Naming Convention Example
+
+Let's look at an example using `parRequired="{ \"orgPrefix\":\"$ORG_PREFIX\", \"templateVersion\":\"v1.0\", \"deployEnvironment\":\"$DEPLOY_ENV\" }"`
+
+In `deploy.bicep` you will find a variable titled `namingConvention`:
+
+```bicep
+var varNamingConvention = '${toLower(parRequired.orgPrefix)}-${toLower(parLocation)}-${toLower(parRequired.deployEnvironment)}-${varNameToken}-${toLower(varResourceToken)}'
+
+# this generates a value of: ${orgPrefix}-${location}-${deployEnvironment}-${nameToken}-${resourceToken}
+```
+
+This naming convention uses Bicep's `replace()` function to substitute resource abbreviations for `resourceToken` and resource names for `nameToken`.
+
+For example, when naming the Hub Resource Group, first the `resourceToken` is substituted with the recommended abbreviation `rg`:
+
+```bicep
+var resourceGroupNamingConvention = replace(namingConvention, resourceToken, 'rg')
+# this generates a value of: anoa-eastus-${nameToken}-dev-rg
+```
+
+Then, the `nameToken` is substituted with the Azure NoOps Accelerator name `hub`:
+
+```bicep
+var hubResourceGroupName =  replace(resourceGroupNamingConvention, nameToken, 'hub')
+# this generates a value of: anoa-eastus-hub-dev-rg
+```
+
+Finally, the `hubResourceGroupName` is assigned to the resource group `varHubName` variable:
+
+```bicep
+var varHubName = 'hub'
+var varHubResourceGroupName = replace(varResourceGroupNamingConvention, varNameToken, varHubName)
+
+# this is the calculated value 'anoa-eastus-hub-dev-rg'
+```
+
+### Tagging
+
+Organize cloud resources to meet the needs of governance, operational management, and accounting. Resources can be managed and found more quickly with the aid of well-defined metadata tagging protocols. By using charge back and show back accounting procedures, these conventions also assist in tying cloud usage charges to specific business teams.
+
+A tagging strategy include business and operational details:
+
+* The business side of this strategy ensures that tags include the organizational information needed to identify the teams. Use a resource along with the business owners who are responsible for resource costs.
+* The operational side ensures that tags include information that IT teams use to identify the workload, application, environment, criticality, and other information useful for managing resources.
+
+## Pre-requisites
+
+### Subscriptions
+
+Most customers will deploy each tier to a separate Azure subscription, but multiple subscriptions are not required. A single subscription deployment is good for a testing and evaluation, or possibly a small IT Admin team.
+
+Hub - 4 Spoke Platform can deploy to a single subscription or multiple subscriptions. A test and evaluation deployment may deploy everything to a single subscription, and a production deployment may place each tier into its own subscription.
+
+The optional parameters related to subscriptions are below. They releated to each tier object used for deployment.
+
+Parameter name | Default Value | Description
+-------------- | ------------- | -----------
+`parHub.subscriptionId` | Deployment subscription | Subscription containing the firewall and network hub
+`parIdentitySpoke.subscriptionId` | Deployment subscription | Tier 0 for identity solutions
+`parOperationsSpoke.subscriptionId` | Deployment subscription | Tier 1 for network operations, logging and security tools
+`parSharedServicesSpoke.subscriptionId` | Deployment subscription | Tier 2 for shared services
+
+### Networking
+
+The following parameters affect networking. They releated to each tier object used for deployment.
+
+Parameter name | Default Value | Description
+-------------- | ------------- | -----------
+`parHub.virtualNetworkAddressPrefix` | '10.0.100.0/24' | The CIDR Virtual Network Address Prefix for the Hub Virtual Network.
+`parHub.subnetAddressPrefix` | '10.0.100.128/27' | The CIDR Subnet Address Prefix for the default Hub subnet. It must be in the Hub Virtual Network space.
+`parHub.peerToSpokeVirtualNetwork` | true | This is a switch for peering to an Spoke Network. This is used with the spoke network peering as well. Both parameters either need to be true or false.
+`parHub.subnets.addressPrefix` (Firewall Client Subnet Address Prefix)| '10.0.100.0/26' | The CIDR Subnet Address Prefix for the Azure Firewall Subnet. It must be in the Hub Virtual Network space. It must be /26.
+`parHub.subnets.addressPrefix` (Firewall Management Subnet Address Prefix) | '10.0.100.64/26' | The CIDR Subnet Address Prefix for the Azure Firewall Management Subnet. It must be in the Hub Virtual Network space. It must be /26.
+`parIdentitySpoke.virtualNetworkAddressPrefix` | '10.0.110.0/26' | The CIDR Virtual Network Address Prefix for the Identity Virtual Network.
+`parIdentitySpoke.subnetAddressPrefix` | '10.0.110.0/27' | The CIDR Subnet Address Prefix for the default Identity subnet. It must be in the Identity Virtual Network space.
+`parIdentitySpoke.peerToHubVirtualNetwork` | true | This is a switch for peering to an Hub Network from a Identity Spoke. This is used with the hub network peering as well. Both parameters either need to be true or false.
+`parOperationsSpoke.virtualNetworkAddressPrefix` | '10.0.115.0/26' | The CIDR Virtual Network Address Prefix for the Operations Virtual Network.
+`parOperationsSpoke.subnetAddressPrefix` | '10.0.115.0/27' | The CIDR Subnet Address Prefix for the default Operations subnet. It must be in the Operations Virtual Network space.
+`parOperationsSpoke.peerToHubVirtualNetwork` | true | This is a switch for peering to an Hub Network from a Operations Spoke. This is used with the hub network peering as well. Both parameters either need to be true or false.
+`parSharedServicesSpoke.virtualNetworkAddressPrefix` | '10.0.120.0/26' | The CIDR Virtual Network Address Prefix for the Shared Services Virtual Network.
+`parSharedServicesSpoke.subnetAddressPrefix` | '10.0.120.0/27' | The CIDR Subnet Address Prefix for the default Shared Services subnet. It must be in the Shared Services Virtual Network space.
+`parSharedServicesSpoke.peerToHubVirtualNetwork` | true | This is a switch for peering to an Hub Network from a Shared Services Spoke. This is used with the hub network peering as well. Both parameters either need to be true or false.
+`parDataSharedServicesSpoke.virtualNetworkAddressPrefix` | '10.0.130.0/26' | The CIDR Virtual Network Address Prefix for the Shared Services Virtual Network.
+`parDataSharedServicesSpoke.subnetAddressPrefix` | '10.0.130.0/27' | The CIDR Subnet Address Prefix for the default Shared Services subnet. It must be in the Shared Services Virtual Network space.
+`parDataSharedServicesSpoke.peerToHubVirtualNetwork` | true | This is a switch for peering to an Hub Network from a Data Shared Services Spoke. This is used with the hub network peering as well. Both parameters either need to be true or false.
+
+## Optional Features
+
+Hub - 4 Spoke Platform has optional features that can be enabled by setting parameters on the deployment.
+
+### Microsoft Defender for Cloud
+
+By default [Microsoft Defender for Cloud](https://docs.microsoft.com/en-us/azure/defender-for-cloud/defender-for-cloud-introduction) offers a free set of monitoring capabilities that are enabled via an Azure policy when you first set up a subscription and view the Microsoft Defender for Cloud portal blade.
+
+Microsoft Defender for Cloud offers a standard/defender sku which enables a greater depth of awareness including more recomendations and threat analytics. You can enable this higher depth level of security in Hub - 4 Spoke Platform by setting the parameter `parSecurityCenter.enableDefender` during deployment. In addition you can include the `parSecurityCenter.emailSecurityContact` parameter to set a contact email for alerts and `parSecurityCenter.phoneSecurityContact` parameter to set a contact phone for alerts.
+
+Parameter name | Default Value | Description
+-------------- | ------------- | -----------
+`parSecurityCenter.enableDefender` | 'false' | When set to "true", enables Microsoft Defender for Cloud for the subscriptions used in the deployment. It defaults to "false".
+`parSecurityCenter.emailSecurityContact` | '' | Email address of the contact, in the form of john@doe.com
+`parSecurityCenter.phoneSecurityContact` | '' | Phone of the contact, in the form of 5555555555
+`parSecurityCenter.alertNotifications` | '' | alert notifications for contact
+`parSecurityCenter.alertsToAdminsNotifications` | '' | alert notifications for contact admin
+
+The Defender plan by resource type for Microsoft Defender for Cloud is enabled by default in the following [Azure Environments](https://docs.microsoft.com/en-us/powershell/module/servicemanagement/azure.service/get-azureenvironment?view=azuresmps-4.0.0): `AzureCloud` and `AzureUSGovernment`. To enable this for other Azure Cloud environments, this will need to executed manually.
+Documentation on how to do this can be found
+[here](https://docs.microsoft.com/en-us/azure/defender-for-cloud/enable-enhanced-security)
+
+### Azure Sentinel
+
+[Sentinel](https://docs.microsoft.com/en-us/azure/sentinel/overview) is a scalable, cloud-native, security information and event management (SIEM) and security orchestration, automation, and response (SOAR) solution. Sentinel can be enabled by setting the `parLogging.enableSentinel` parameter.
+
+Parameter name | Default Value | Description
+-------------- | ------------- | -----------
+`parLogging.enableSentinel` | 'false' | When set to "true", enables Microsoft Sentinel within the Log Analytics Workspace created in this deployment. It defaults to "false".
+
+### Remote access with a Bastion Host
+
+If you want to remotely access the network and the resources you've deployed you can use [Azure Bastion](https://docs.microsoft.com/en-us/azure/bastion/) to remotely access virtual machines within the network without exposing them via Public IP Addresses.
+
+Deploy a Linux and Windows virtual machine as jumpboxes into the network without a Public IP Address using Azure Bastion Host by providing values for these parameters:
+
+Parameter name | Default Value | Description
+-------------- | ------------- | -----------
+`parRemoteAccess.enable` | 'false' | When set to "true", provisions Azure Bastion Host and virtual machine jumpboxes. It defaults to "false".
+`parRemoteAccess.windows.vmAdminPassword` | 'Rem0te@2020246' | The administrator password the Windows Virtual Machine to Azure Bastion remote into. It must be > 12 characters in length. See [password requirements for creating a Windows VM](https://docs.microsoft.com/en-us/azure/virtual-machines/windows/faq#what-are-the-password-requirements-when-creating-a-vm-).
+`parRemoteAccess.linux.vmAuthenticationType` | 'Rem0te@2020246' | [sshPublicKey/password] The authentication type for the Linux Virtual Machine to Azure Bastion remote into. It defaults to "Rem0te@2020246".
+`parRemoteAccess.linux.vmAdminPasswordOrKey` | new guid | The administrator password or public SSH key for the Linux Virtual Machine to Azure Bastion remote into. See [password requirements for creating a Linux VM](https://docs.microsoft.com/en-us/azure/virtual-machines/linux/faq#what-are-the-password-requirements-when-creating-a-vm-).
+`parRemoteAccess.windows.vmAdminUsername` | 'azureuser' | The administrator username for the Linux Virtual Machine to Azure Bastion remote into. It defaults to "azureuser".
+`parRemoteAccess.linux.vmAdminUsername` | 'azureuser' | The administrator username for the Linux Virtual Machine to Azure Bastion remote into. It defaults to "azureuser".
+
+### Azure Firewall Premium
+
+By default, Hub - 4 Spoke Platform deploys **[Azure Firewall Premium](https://docs.microsoft.com/en-us/azure/firewall/premium-features). Not all regions support Azure Firewall Premium.** Check here to [see if the region you're deploying to supports Azure Firewall Premium](https://docs.microsoft.com/en-us/azure/firewall/premium-features#supported-regions). If necessary you can set a different firewall SKU or location.
+
+You can manually specify which SKU of Azure Firewall to use for your deployment by specifying the `parAzureFirewall.skuTier` parameter. This parameter only accepts values of `Standard` or `Premium`.
+
+Parameter name | Default Value | Description
+-------------- | ------------- | -----------
+`parAzureFirewall.skuTier` | 'Premium' | [Standard/Premium] The SKU for Azure Firewall. It defaults to "Premium".
+
+If you'd like to specify a different region to deploy your resources into, change the location of the deployment. For example, when using the AZ CLI set the deployment command's `--location` argument.
+
+### Operational Network Artifacts
+
+If needed, The Operational Network Artifacts are used when operations wants to seperate all key, secrets and operations storage from the hub/spoke model.
+
+### DDOS
+
+If needed, You can deploy an DDOS Standard configuration if a firewall is not needed.
+
+## Parameters
+
+See below for information on how to use the appropriate deployment parameters for use with this landing zone:
+
+Required Parameters | Type | Allowed Values | Description
+| :-- | :-- | :-- | :-- |
+parRequired | object | {object} | Required values used with all resources.
+parTags | object | {object} | Required tags values used with all resources.
+parLocation | string | `[deployment().location]` | The region to deploy resources into. It defaults to the deployment location.
+parHub | object | {object} | Hub Virtual network configuration. See [azresources/hub-spoke-core/vdss/hub/readme.md](../../azresources/hub-spoke-core/vdss/hub/readme.md)
+parOperationsSpoke | object | {object} | Operations Spoke Virtual network configuration. See [See azresources/hub-spoke-core/vdms/operations/readme.md](../../azresources/hub-spoke-core/vdms/operations/readme.md)
+parIdentitySpoke | object | {object} | Identity Spoke Virtual network configuration. See [See azresources/hub-spoke-core/vdss/identity/readme.md](../../azresources/hub-spoke-core/vdss/identity/readme.md)
+parSharedServicesSpoke | object | {object} | Shared Services Spoke Virtual network configuration. See [See azresources/hub-spoke-core/vdms/sharedservices/readme.md](../../azresources/hub-spoke-core/vdms/sharedservices/readme.md)
+parDataSharedServicesSpoke | object | {object} | Data Shared Services Spoke Virtual network configuration. See [See azresources/hub-spoke-core/vdms/dataSharedservices/readme.md](../../azresources/hub-spoke-core/vdms/dataSharedservices/readme.md)
+parAzureFirewall | object | {object} | Azure Firewall configuration. Azure Firewall is deployed in Forced Tunneling mode where a route table must be added as the next hop.
+parLogging | object | {object} | Enables logging parmeters and Microsoft Sentinel within the Log Analytics Workspace created in this deployment. See [azresources/hub-spoke-core/vdms/logging/readme.md](../../azresources/hub-spoke-core/vdms/logging/readme.md)
+parRemoteAccess | object | {object} | Provisions Azure Bastion Host. See [overlays/management-services/bastion/readme.md](../../overlays/management-services/bastion/readme.md)
+
+Optional Parameters | Type | Allowed Values | Description
+| :-- | :-- | :-- | :-- |
+parNetworkArtifacts | object | {object} | Optional. Enables Operations Network Artifacts Resource Group with KV and Storage account for the ops subscriptions used in the deployment. This overlay allows Bastion keys to be added if Basion Host is enabled. See [azresources/hub-spoke-core/vdss/networkArtifacts/readme.md](../../azresources/hub-spoke-core/vdss/networkArtifacts/readme.md)
+parSecurityCenter | object | {object} | Microsoft Defender for Cloud.  It includes email and phone. See [overlays/management-services/defender/readme.md](../../overlays/management-services/defender/readme.md)
+parDdosStandard | bool | `false` | DDOS Standard configuration.
+
+## Deploy the Platform Landing Zone
+
+Connect to the appropriate Azure Environment and set appropriate context, see getting started with Azure PowerShell or Azure CLI for help if needed. The commands below assume you are deploying in Azure Commercial and show the entire process deploying Platform Hub/Spoke Design.
+
+For example, deploying using the `az deployment sub create` command in the Azure CLI:
+
+### Azure CLI
+
+```bash
+# For Azure Commerical regions
+
+# When deploying to Azure cloud, first set the cloud.
+az cloudset --name AzureCloud
+
+# Set Platform connectivity subscription ID as the the current subscription 
+$ConnectivitySubscriptionId="[your platform management subscription ID]"
+az account set --subscription $ConnectivitySubscriptionId
+
+#log in
+az login
+cd src/bicep
+cd platforms/lz-platform-scca-hub-4spoke
+az deployment sub create \ 
+--name deploy-hub1spoke-network \
+--subscription $ConnectivitySubscriptionId \
+--template-file deploy.bicep \
+--location eastus \
+--parameters @parameters/deploy.parameters.json
+```
+
+OR
+
+```bash
+# For Azure Government regions
+
+# When deploying to another cloud, like Azure US Government, first set the cloud and log in.
+az cloudset --name AzureGovernment
+
+# Set Platform connectivity subscription ID as the the current subscription
+$ConnectivitySubscriptionId="[your platform management subscription ID]"
+az account set --subscription $ConnectivitySubscriptionId
+
+az login
+cd src/bicep
+cd platforms/lz-platform-scca-hub-4spoke
+az deployment sub create \
+  --name deploy-hub1spoke-network \
+  --template-file deploy.bicep \
+  --parameters @parameters/deploy.parameters.json \
+  --subscription $ConnectivitySubscriptionId \
+  --location 'usgovvirginia'
+```
+
+### PowerShell
+
+```powershell
+# For Azure Commerical regions
+# When deploying to Azure cloud, first set the cloud and log in.
+Connect-AzAccount -EnvironmentName AzureCloud
+
+# Set Platform connectivity subscription ID as the the current subscription
+$ConnectivitySubscriptionId = "[your platform management subscription ID]"
+Select-AzSubscription -SubscriptionId $ConnectivitySubscriptionId
+
+cd src/bicep
+cd platforms/lz-platform-scca-hub-4spoke
+New-AzSubscriptionDeployment `
+  -Name deploy-hub1spoke-network `
+  -TemplateFile deploy.bicep `
+  -TemplateParameterFile deploy.parameters.json `
+  -Subscription $ConnectivitySubscriptionId `
+  -Location 'eastus'
+```
+
+OR
+
+```powershell
+# For Azure Government regions
+
+# When deploying to another cloud, like Azure US Government, first set the cloud and log in.
+Connect-AzAccount -EnvironmentName AzureUSGovernment
+
+# Set Platform connectivity subscription ID as the the current subscription
+$ConnectivitySubscriptionId = "[your platform management subscription ID]"
+Select-AzSubscription -SubscriptionId $ConnectivitySubscriptionId
+
+cd src/bicep
+cd platforms/lz-platform-scca-hub-4spoke
+New-AzSubscriptionDeployment `
+  -Name deploy-hub1spoke-network `
+  -TemplateFile deploy.bicep `
+  -TemplateParameterFile deploy.parameters.json `
+  -Subscription $ConnectivitySubscriptionId `
+  -Location  'usgovvirginia'
+```
+
+## Extending the Landing Zone
+
+By default, this Landing Zone has the minium parmeters needed to deploy the service. If you like to add addtional parmeters to the Landing Zone, please refer to the Landing Zone description located in AzResources here: [`Hub-Spoke-Core`](../../azresources/hub-spoke-core/readme.md)
+
+## Air-Gapped Clouds
+
+For air-gapped clouds it may be convenient to transfer and deploy the compiled ARM template instead of the Bicep template if the Bicep CLI tools are not available or if it is desirable to transfer only one file into the air gap.
+
+## Validate the deployment
+
+Use the Azure portal, Azure CLI, or Azure PowerShell to list the deployed resources in the resource group.
+
+Configure the default group using:
+
+```bash
+az configure --defaults group=anoa-eastus-platforms-hub-rg.
+```
+
+```bash
+az resource list --location eastus --subscription xxxxxx-xxxx-xxxx-xxxx-xxxxxxxx --resource-group anoa-eastus-platforms-hub-rg
+```
+
+```powershell
+Get-AzResource -ResourceGroupName anoa-eastus-platforms-hub-rg
+```
+
+## Cleanup
+
+The Bicep/ARM deployment of NoOps Accelerator - Hub/Spoke deployment can be deleted with these steps:
+
+### Delete the diagnostic settings deployed at the subscription level
+
+To delete the diagnostic settings from the Azure Portal: choose the subscription blade, then Activity log in the left panel. At the top of the Activity log screen click the Diagnostics settings button. From there you can click the Edit setting link and delete the diagnostic setting.
+
+> NOTE: If you deploy and delete Mission Landing Zone in the same subscription multiple times without deleting the subscription-level diagnostic settings, the sixth deployment will fail. Azure has a limit of five diagnostic settings per subscription. The error will be similar to this: `"The limit of 5 diagnostic settings was reached."`
+
+To delete the diagnotic settings in script, use the AZ CLI or PowerShell. An AZ CLI example is below:
+
+```BASH
+# View diagnostic settings in the current subscription
+az monitor diagnostic-settings subscription list --query value[] --output table
+
+# Delete a diagnostic setting
+az monitor diagnostic-settings subscription delete --name <diagnostic setting name>
+```
+
+### Downgrade the Microsoft Defender for Cloud
+
+To downgrade the Microsoft Defender for Cloud pricing level in the Azure portal:
+
+1. Navigate to the Microsoft Defender for Cloud page, then click the "Environment settings" tab in the left navigation panel.
+1. In the tree/grid select the subscription you want to manage.
+1. Click the large box near the top of the page that says "Enhanced security off".
+1. Click the save button.
+
+To downgrade the Microsoft Defender for Cloud pricing level using the AZ CLI:
+
+```BASH
+# List the pricing tiers
+az security pricing list -o table --query "value[].{Name:name, Tier:pricingTier}"
+
+# Change a pricing tier to the default free tier
+az security pricing create --name "<name of tier>" --tier Free
+```
+
+### Delete Resource Groups
+
+```bash
+az group delete -n anoa-eastus-platforms-logging-rg -y
+az group delete -n anoa-eastus-platforms-hub-rg -y
+az group delete -n anoa-eastus-platforms-identity-rg -y
+az group delete -n anoa-eastus-platforms-operations-rg -y
+az group delete -n anoa-eastus-platforms-sharedservices-rg -y
+az group delete -n anoa-eastus-platforms-artifacts-rg -y
+```
+
+```powershell
+Remove-AzResourceGroup -Name anoa-eastus-platforms-logging-rg
+Remove-AzResourceGroup -Name anoa-eastus-platforms-hub-rg
+Remove-AzResourceGroup -Name anoa-eastus-platforms-identity-rg
+Remove-AzResourceGroup -Name anoa-eastus-platforms-operations-rg
+Remove-AzResourceGroup -Name anoa-eastus-platforms-sharedservices-rg
+Remove-AzResourceGroup -Name anoa-eastus-platforms-artifacts-rg
+```
+
+### Delete Deployments
+
+```bash
+az deployment sub delete -n deploy-hub4spoke-network
+```
+
+```powershell
+Remove-AzSubscriptionDeployment -Name deploy-hub4spoke-network
+```
+
+## Resources
+
+[Bicep documentation](https://aka.ms/bicep/)
+
+[`az deployment` documentation](https://docs.microsoft.com/en-us/cli/azure/deployment?view=azure-cli-latest)
+
+[JMESPath queries](https://jmespath.org/)
+
+[Azure Az PowerShell module](https://docs.microsoft.com/en-us/powershell/azure/what-is-azure-powershell)