Azure
/
NoOpsAccelerator
зеркало из https://github.com/Azure/NoOpsAccelerator.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

Merge pull request #110 from Azure/updates-to-parameters 

Updates to parameters, Peering Enablement, Private DNS Zones Enablement, Added Hub 4 Spoke (TMN)
This commit is contained in:
Matthew Ross 2022-10-20 10:05:34 -05:00 коммит произвёл GitHub
Родитель d7f6e113f4 e5d2be41c3
Коммит c4be30f249
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: 4AEE18F83AFDEB23
26 изменённых файлов: 3003 добавлений и 242 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

14
README.md
Просмотреть файл

@ -46,28 +46,22 @@ For a quickstart, we suggest a test deployment into the current AZ CLI subscript
* `--subscription`: The GUID for the subscription to deploy into.
Multiple subscriptions may be configured (*i.e.*, to have separate subscriptions for each 'tier' in the MLZ architecture) in the `parameters/deploy.parameters.json`
> **IMPORTANT**: All values will need to be updates in the `parameters/deploy.parameters.json`. This allows for consistency in the parameters.
Here is an example that deploys into a single subscription in the EastUS region of Azure Commercial:
```plaintext
# These will be used in the naming of your resources
# e.g., anoa-eastus-dev-hub-rg
ORG_PREFIX="anoa"
DEPLOY_ENV="dev"
# Replace with your test Azure Subscription ID
AZ_SUBSCRIPTION="XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
az login
cd src/bicep
cd platforms/lz-platform-scca-hub-3spoke
az deployment sub create \
--name deploy-scca-hub-with-3-spokes \
--location EastUS \
--template-file deploy.bicep \
--parameters @parameters/deploy.parameters.json \
--parameters parRequired="{ \"orgPrefix\":\"$ORG_PREFIX\", \"templateVersion\":\"v1.0\", \"deployEnvironment\":\"$DEPLOY_ENV\" }" \
--parameters parHubSubscriptionId=$AZ_SUBSCRIPTION \
--parameters parIdentitySubscriptionId=$AZ_SUBSCRIPTION \
--parameters parOperationsSubscriptionId=$AZ_SUBSCRIPTION \
--parameters parSharedServicesSubscriptionId=$AZ_SUBSCRIPTION \
--subscription $AZ_SUBSCRIPTION
```

4
src/bicep/azresources/hub-spoke-core/peering/spoke/anoa.lz.spoke.network.peering.bicep
Просмотреть файл

@ -15,6 +15,8 @@ Copyright (c) Microsoft Corporation. Licensed under the MIT license.
param parSpokeName string
param parSpokeResourceGroupName string
param parSpokeVirtualNetworkName string
param parUseRemoteGateways bool
param parAllowVirtualNetworkAccess bool
param parHubVirtualNetworkName string
param parHubVirtualNetworkResourceId string
@ -26,5 +28,7 @@ module spokeNetworkPeering '../../../Modules/Microsoft.Network/virtualNetworks/v
name: '${parSpokeVirtualNetworkName}/to-${parHubVirtualNetworkName}'
remoteVirtualNetworkId: parHubVirtualNetworkResourceId
localVnetName: parSpokeVirtualNetworkName
useRemoteGateways: parUseRemoteGateways
allowVirtualNetworkAccess: parAllowVirtualNetworkAccess
}
}

177
src/bicep/azresources/hub-spoke-core/vdms/dataSharedServices/README.md Normal file
Просмотреть файл

@ -0,0 +1,177 @@
# Hub/Spoke Core Module: NoOps Accelerator - Data Shared Services Spoke Network
## Overview
This module defines Data Shared Services spoke network deployment based on the recommendations from the Azure Mission Landing Zone Conceptual Architecture.
Module deploys the following resources:
* Virtual Network (VNet)
* Subnets
* Network Security Group
* Storage Account
## Required Parameters
The module requires the following inputs:
| Parameter | Type | Default | Description | Required | Example |
| --------------------------------- | ------ | ---------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------- | ---------------------------------------------- |
| parOrgPrefix | string | `aona` | Prefix value which will be prepended to all resource names. Default: anoa | Yes | `aona`
| parLocation | string | `resourceGroup().location` | The Azure Region to deploy the resources into | Yes | `eastus`
| parTemplateVersion | string | `1.0` | The ANOA template version | Yes | `1.o`
| parDeployEnvironment | string | None | A suffix, 3 to 15 characters in length, to append to resource names (e.g. "dev", "test", "prod", "platforms"). It defaults to "platforms".' | Yes | `platforms`
| parResourcePrefix | string | None | A prefix, 3-15 alphanumeric characters without whitespace, used to prefix resources and generate uniqueness for resources with globally unique naming requirements like Storage Accounts and Log Analytics Workspaces. | Yes | None
## Data Shared Services Network Parameters
The module requires the following inputs for Data Shared Services Network:
| Parameter | Type | Default | Description | Required | Example |
|------------------------------------------|--------|----------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------|----------------------------|
| parData SharedServicesSubscriptionId | string | `guid` | The subscription ID for the Data SharedServices Network and resources. It defaults to the deployment subscription | No | `xxxx-xxxx-xxxx-xxxx-xxxx` | Yes| None |
parData SharedServicesVirtualNetworkAddressPrefix | string | No | The CIDR Virtual Network Address Prefix for the Data SharedServices Virtual Network. | Yes| None |
parData SharedServicesSubnetAddressPrefix | string | No | The CIDR Subnet Address Prefix for the default Data SharedServices subnet. It must be in the Data SharedServices Virtual Network space.| Yes| None |
parSourceAddressPrefixes | string | No | The CIDR Virtual Network Address Prefix for the Identity/Data SharedServices Virtual Network. Leave blank if no spokes are needed. | Yes| None |
parLogStorageSkuName | string | No | The Storage Account SKU to use for log storage. It defaults to "Standard_GRS". See <https://docs.microsoft.com/en-us/rest/api/storagerp/srp_sku_types> for valid settings.. | Yes| None |
parData SharedServicesVirtualNetworkDiagnosticsLogs | array | No | An array of Network Diagnostic Logs to enable for the Data SharedServices Virtual Network. See <https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostic-settings?tabs=CMD#logs> for valid settings. | Yes| None |
parData SharedServicesVirtualNetworkDiagnosticsMetrics | array | No | An array of Network Diagnostic Metrics to enable for the Data SharedServices Virtual Network. See <https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/> diagnostic-settings?tabs=CMD#metrics for valid settings. | Yes| None |
parData SharedServicesNetworkSecurityGroupRules | array | No | An array of Network Security Group rules to apply to the Data SharedServices Virtual Network. See <https://docs.microsoft.com/en-us/azure/templates/microsoft.network/networksecuritygroups/securityrules?tabs=bicep#securityrulepropertiesformat> for valid settings. | Yes| None |
parData SharedServicesNetworkSecurityGroupDiagnosticsLogs | array | No | An array of Network Security Group diagnostic logs to apply to the Data SharedServices Virtual Network. See <https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-nsg-manage-log#log-categories> for valid settings. | Yes| None |
parData SharedServicesNetworkSecurityGroupDiagnosticsMetrics | array | No | An array of Network Security Group Diagnostic Metrics to enable for the Data SharedServices Virtual Network. See <https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostic-settings?tabs=CMD#metrics> for valid settings. | Yes| None |
parData SharedServicesSubnetServiceEndpoints | array | No | An array of Service Endpoints to enable for the Data SharedServices subnet. See <https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview> for valid settings. | Yes| None |
parLogAnalyticsWorkspaceResourceId | string | No | . | Yes| None |
parFirewallPrivateIPAddress | string | No | . | Yes| None |
parRouteTableRouteName | string | No | . | Yes| None |
parRouteTableRouteAddressPrefix | string | No | . | Yes| None |
parRouteTableRouteNextHopIpAddress | string | No | . | Yes| None |
parRouteTableRouteNextHopType | string | No | . | Yes| None |
parStorageAccountAccessObjectId | string | No | . | Yes| None |
parStorageAccountAccessType | string | No | . | Yes| None |
parAddRoleAssignmentForStorageAccount | bool | No | . | Yes| None |
Parameters file located in the [Deployments](../../../../deployments/HubSpoke/networking/sharedservices/) folder under hub/spoke.
## Outputs
The module will generate the following outputs:
table
## Deployment
> **Note:** `bicepconfig.json` file is included in the module directory. This file allows us to override Bicep Linters. Currently there are two URLs which were removed because of linter warnings. URLs removed are the following: database.windows.net and core.windows.net
In this example, the Data Shared Services (Tier 2) resources will be deployed to the resource group specified. According to the Azure Mission Landing Zone Conceptual Architecture, the Data SharedServices resources should be deployed into the Platform Management subscription. During the deployment step, we will take the default values and not pass any parameters.
Other differences in Azure IL regions are as follow:
| Azure Cloud | Bicep template | Input parameters file |
| -------------- | ------------------- | ---------------------------------------- |
| Global regions | anoa.lz.svcs.bicep | anoa.lz.svcs.parameters.json |
| IL regions | anoa.lz.svcs.bicep | anoa.lz.svcs.parameters.json |
> For the examples below we assume you have downloaded or cloned the Git repo as-is and are in the root of the repository as your selected directory in your terminal of choice.
### Azure CLI
```bash
# For Azure Commerical regions
# When deploying to Azure cloud, first set the cloud.
az cloudset --name AzureGovernment
# Set Platform connectivity subscription ID as the the current subscription
ConnectivitySubscriptionId="[your platform management subscription ID]"
az account set --subscription $ConnectivitySubscriptionId
# Log in
az login
cd src/bicep
cd azresources/hub-spoke-core
az deployment sub create \
--name anoa-dataSharedServices-deploy \
--location eastus \
--template-file vdms/dataSharedServices/anoa.lz.data.svcs.network.network.bicep \
--parameters @parmeters/dataSharedServices/anoa.lz.data.svcs.network.parameters.json
--subscription $ConnectivitySubscriptionId
```
OR
```bash
# For Azure Government regions
# When deploying to another cloud, like Azure US Government, first set the cloud.
az cloudset --name AzureGovernment
# Set Platform connectivity subscription ID as the the current subscription
ConnectivitySubscriptionId="[your platform management subscription ID]"
az account set --subscription $ConnectivitySubscriptionId
# Log in
az login
cd src/bicep
cd azresources/hub-spoke-core
az deployment sub create \
--name anoa-dataSharedServices-deploy \
--location usgovvirginia \
--template-file vdms/dataSharedServices/anoa.lz.data.svcs.network.bicep \
--parameters @parmeters/dataSharedServices/anoa.lz.data.svcs.network.parameters.json
--subscription $ConnectivitySubscriptionId
```
### PowerShell
```powershell
# For Azure Commerical regions
# When deploying to Azure cloud, first set the cloud and log in.
Connect-AzAccount -EnvironmentName AzureCloud
# Set Platform connectivity subscription ID as the the current subscription
$ConnectivitySubscriptionId = "[your platform management subscription ID]"
Select-AzSubscription -SubscriptionId $ConnectivitySubscriptionId
cd src/bicep
cd azresources/hub-spoke-core
New-AzDeployment `
-TemplateFile vdms/dataSharedServices/anoa.lz.data.svcs.network.bicep `
-TemplateParameterFile parmeters/dataSharedServices/anoa.lz.data.svcs.network.parameters.json `
-Location 'eastus'
-Name 'anoa-dataSharedServices-deploy'
```
OR
```powershell
# For Azure Government regions
# When deploying to another cloud, like Azure US Government, first set the cloud and log in.
Connect-AzAccount -EnvironmentName AzureCloud
# Set Platform connectivity subscription ID as the the current subscription
$ConnectivitySubscriptionId = "[your platform management subscription ID]"
Select-AzSubscription -SubscriptionId $ConnectivitySubscriptionId
cd src/bicep
cd azresources/hub-spoke-core
New-AzDeployment `
--TemplateFile vdms/dataSharedServices/anoa.lz.data.svcs.network.bicep `
-TemplateParameterFile parmeters/dataSharedServices/anoa.lz.data.svcs.network.parameters.json `
-Location 'usgovvirginia'
-Name 'anoa-dataSharedServices-deploy'
```
## Air-Gapped Clouds
For air-gapped clouds it may be convenient to transfer and deploy the compiled ARM template instead of the Bicep template if the Bicep CLI tools are not available or if it is desirable to transfer only one file into the air gap.
## Cleanup
The Bicep/ARM deployment of NoOps Accelerator Data Shared Services network deployment can be deleted with these steps:
## Example Output in Azure
![Example Deployment Output](images/sharedServucesExampleDeploymentOutput.png "Example Deployment Output in Azure global regions")

164
src/bicep/azresources/hub-spoke-core/vdms/sharedServices/anoa.lz.data.svcs.network.bicep → src/bicep/azresources/hub-spoke-core/vdms/dataSharedServices/anoa.lz.data.svcs.network.bicep
Просмотреть файл

@ -1,7 +1,7 @@
/*
SUMMARY: Module to deploy the Shared Services Network and it's components based on the Azure Mission Landing Zone conceptual architecture
SUMMARY: Module to deploy the Data Shared Services Network and it's components based on the Azure Tactical Mission Network (TMN) conceptual architecture
DESCRIPTION: The following components will be options in this deployment
Shared Services Virtual Network (Vnet)
Data Shared Services Virtual Network (Vnet)
Subnets
Route Table
Network Security Group
@ -24,14 +24,13 @@ targetScope = 'subscription'
param parOrgPrefix string = 'org'
@description('The subscription ID for the Hub Network and resources. It defaults to the deployment subscription.')
param parDataServicesSubscriptionId string = subscription().subscriptionId
param parDataSharedServicesSubscriptionId string = subscription().subscriptionId
@description('The region to deploy resources into. It defaults to the deployment location.')
param parLocation string = deployment().location
@description('The MLZ template version')
@minLength(3)
param parTemplateVersion string
@description('Tags')
param parTags object
@minLength(3)
@maxLength(15)
@ -53,27 +52,30 @@ param parResourceGroupModuleCreate bool = true
// NETWORK ADDRESS SPACE PARAMETERS
@description('The CIDR Virtual Network Address Prefix for the Shared Services Virtual Network.')
param parDataServicesVirtualNetworkAddressPrefix string = '10.0.120.0/26'
param parDataSharedServicesVirtualNetworkAddressPrefix string = '10.0.130.0/26'
@description('The CIDR Subnet Address Prefix for the default Shared Services subnet. It must be in the Shared Services Virtual Network space.')
param parDataServicesSubnetAddressPrefix string = '10.0.120.0/27'
param parDataSharedServicesSubnetAddressPrefix string = '10.0.130.0/27'
@description('Array of Subnet Address Prefix for the default Shared Services network. These will be Spoke Subnet Address Prefixes, if exists.')
param parDataSharedServicesSourceAddressPrefixes array = []
// SHARED SERVICES NETWORK PARAMETERS
@description('An array of Network Diagnostic Logs to enable for the DataServices Virtual Network. See https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostic-settings?tabs=CMD#logs for valid settings.')
param parDataServicesVirtualNetworkDiagnosticsLogs array = []
@description('An array of Network Diagnostic Logs to enable for the SharedServices Virtual Network. See https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostic-settings?tabs=CMD#logs for valid settings.')
param parDataSharedServicesVirtualNetworkDiagnosticsLogs array = []
@description('An array of Network Diagnostic Metrics to enable for the DataServices Virtual Network. See https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostic-settings?tabs=CMD#metrics for valid settings.')
param parDataServicesVirtualNetworkDiagnosticsMetrics array = []
@description('An array of Network Diagnostic Metrics to enable for the SharedServices Virtual Network. See https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostic-settings?tabs=CMD#metrics for valid settings.')
param parDataSharedServicesVirtualNetworkDiagnosticsMetrics array = []
@description('An array of Network Security Group rules to apply to the DataServices Virtual Network. See https://docs.microsoft.com/en-us/azure/templates/microsoft.network/networksecuritygroups/securityrules?tabs=bicep#securityrulepropertiesformat for valid settings.')
param parDataServicesNetworkSecurityGroupRules array = [
@description('An array of Network Security Group rules to apply to the SharedServices Virtual Network. See https://docs.microsoft.com/en-us/azure/templates/microsoft.network/networksecuritygroups/securityrules?tabs=bicep#securityrulepropertiesformat for valid settings.')
param parDataSharedServicesNetworkSecurityGroupRules array = [
{
name: 'Allow-Traffic-From-Spokes'
properties: {
access: 'Allow'
description: 'Allow traffic from spokes'
destinationAddressPrefix: parDataServicesVirtualNetworkAddressPrefix
destinationAddressPrefix: parDataSharedServicesVirtualNetworkAddressPrefix
destinationPortRanges: [
'22'
'80'
@ -83,24 +85,21 @@ param parDataServicesNetworkSecurityGroupRules array = [
direction: 'Inbound'
priority: 200
protocol: '*'
sourceAddressPrefixes: [
'10.0.110.0/26'
'10.0.115.0/26'
]
sourceAddressPrefixes: parDataSharedServicesSourceAddressPrefixes
sourcePortRange: '*'
}
type: 'string'
}
]
@description('An array of Network Security Group diagnostic logs to apply to the DataServices Virtual Network. See https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-nsg-manage-log#log-categories for valid settings.')
param parDataServicesNetworkSecurityGroupDiagnosticsLogs array = [
@description('An array of Network Security Group diagnostic logs to apply to the SharedServices Virtual Network. See https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-nsg-manage-log#log-categories for valid settings.')
param parDataSharedServicesNetworkSecurityGroupDiagnosticsLogs array = [
'NetworkSecurityGroupEvent'
'NetworkSecurityGroupRuleCounter'
]
@description('An array of Service Endpoints to enable for the DataServices subnet. See https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview for valid settings.')
param parDataServicesSubnetServiceEndpoints array = [
@description('An array of Service Endpoints to enable for the SharedServices subnet. See https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview for valid settings.')
param parDataSharedServicesSubnetServiceEndpoints array = [
{
service: 'Microsoft.Storage'
}
@ -108,10 +107,21 @@ param parDataServicesSubnetServiceEndpoints array = [
// ROUTE TABLE
@description(' An Array of Routes to be established within the hub route table.')
param parRouteTableRoutes array = [
{
name: 'svcs-routetable'
properties: {
addressPrefix: '0.0.0.0/0'
nextHopIpAddress: parFirewallPrivateIPAddress
nextHopType: 'VirtualAppliance'
}
}
]
@description('Firewall private IP address within the hub route table.')
param parFirewallPrivateIPAddress string
param parRouteTableRouteAddressPrefix string = '0.0.0.0/0'
param parRouteTableRouteNextHopIpAddress string = parFirewallPrivateIPAddress
param parRouteTableRouteNextHopType string = 'VirtualAppliance'
param parDisableBgpRoutePropagation bool
// LOGGING PARAMETERS
@ -128,12 +138,9 @@ param parLogAnalyticsWorkspaceName string
@description('Enable this setting if this network is on a different subscriptiom as the Hub. Will give conflict errors if on same sub as the Hub')
param enableActivityLogging bool = false
//STORAGE ACCOUNTS
// STORAGE ACCOUNTS RBAC
@description('Account for access to Storage')
param parStorageAccountAccessObjectId string
@description('Switch which allows Role Assignment for the Storage Account. Default: true')
param parAddRoleAssignmentForStorageAccount bool = true
param parStorageAccountAccess object
/*
NAMING CONVENTION
@ -157,60 +164,54 @@ var varDdosNamingConvention = replace(varNamingConvention, varResourceToken, 'dd
// SHARED SERVICES NAMES
var varDataServicesName = 'dataservices'
var varDataServicesShortName = 'datasvcs'
var varDataServicesResourceGroupName = replace(varResourceGroupNamingConvention, varNameToken, varDataServicesName)
var varDataServicesLogStorageAccountShortName = replace(varStorageAccountNamingConvention, varNameToken, varDataServicesShortName)
var varDataServicesLogStorageAccountUniqueName = replace(varDataServicesLogStorageAccountShortName, 'unique_storage_token', uniqueString(parDataServicesSubscriptionId, parLocation, parDeployEnvironment, parOrgPrefix))
var varDataServicesLogStorageAccountName = take(varDataServicesLogStorageAccountUniqueName, 23)
var varDataServicesVirtualNetworkName = replace(varVirtualNetworkNamingConvention, varNameToken, varDataServicesName)
var varDataServicesNetworkSecurityGroupName = replace(varNetworkSecurityGroupNamingConvention, varNameToken, varDataServicesName)
var varDataServicesSubnetName = replace(varSubnetNamingConvention, varNameToken, varDataServicesName)
var svcsddosName = replace(varDdosNamingConvention, varNameToken, varDataServicesName)
var varDataSharedServicesName = 'datasharedservices'
var varDataSharedServicesShortName = 'datasvcs'
var varDataSharedServicesResourceGroupName = replace(varResourceGroupNamingConvention, varNameToken, varDataSharedServicesName)
var varDataSharedServicesLogStorageAccountShortName = replace(varStorageAccountNamingConvention, varNameToken, varDataSharedServicesShortName)
var varDataSharedServicesLogStorageAccountUniqueName = replace(varDataSharedServicesLogStorageAccountShortName, 'unique_storage_token', uniqueString(parDataSharedServicesSubscriptionId, parLocation, parDeployEnvironment, parOrgPrefix))
var varDataSharedServicesLogStorageAccountName = take(varDataSharedServicesLogStorageAccountUniqueName, 23)
var varDataSharedServicesVirtualNetworkName = replace(varVirtualNetworkNamingConvention, varNameToken, varDataSharedServicesName)
var varDataSharedServicesNetworkSecurityGroupName = replace(varNetworkSecurityGroupNamingConvention, varNameToken, varDataSharedServicesName)
var varDataSharedServicesSubnetName = replace(varSubnetNamingConvention, varNameToken, varDataSharedServicesName)
var svcsddosName = replace(varDdosNamingConvention, varNameToken, varDataSharedServicesName)
// ROUTETABLE VALUES
var varRouteTableName = '${varDataServicesSubnetName}-routetable'
var varRouteTableName = '${varDataSharedServicesSubnetName}-routetable'
// TAGS
@description('Resource group tags')
module modTags '../../../Modules/Microsoft.Resources/tags/az.resources.tags.bicep' = {
name: 'deploy-${varDataServicesShortName}-tags-${parLocation}-${parDeploymentNameSuffix}'
name: 'deploy-${varDataSharedServicesShortName}-tags-${parLocation}-${parDeploymentNameSuffix}'
params: {
onlyUpdate: true
tags: {
organizationName: parOrgPrefix
hostName: parDeployEnvironment
regionName: parLocation
templateVersion: parTemplateVersion
}
tags: parTags
}
}
// RESOURCE GROUPS
module modDataServicesResourceGroup '../../../Modules/Microsoft.Resources/resourceGroups/az.resource.groups.bicep' = if(parResourceGroupModuleCreate) {
name: 'deploy-${varDataServicesShortName}-rg-${parLocation}-${parDeploymentNameSuffix}'
scope: subscription(parDataServicesSubscriptionId)
name: 'deploy-${varDataSharedServicesShortName}-rg-${parLocation}-${parDeploymentNameSuffix}'
scope: subscription(parDataSharedServicesSubscriptionId)
params: {
name: varDataServicesResourceGroupName
name: varDataSharedServicesResourceGroupName
location: parLocation
tags: modTags.outputs.tags
}
}
module modSvcsLogStorage '../../../Modules/Microsoft.Storage/storageAccounts/az.data.storage.bicep' = {
name: 'deploy-${varDataServicesShortName}-logStorage-${parLocation}-${parDeploymentNameSuffix}'
scope: resourceGroup(varDataServicesResourceGroupName)
name: 'deploy-${varDataSharedServicesShortName}-logStorage-${parLocation}-${parDeploymentNameSuffix}'
scope: resourceGroup(varDataSharedServicesResourceGroupName)
params: {
name: varDataServicesLogStorageAccountName
name: varDataSharedServicesLogStorageAccountName
location: parLocation
storageAccountSku: parLogStorageSkuName
tags: modTags.outputs.tags
roleAssignments: (parAddRoleAssignmentForStorageAccount) ? [
roleAssignments: (parStorageAccountAccess.enableRoleAssignmentForStorageAccount) ? [
{
principalIds: parStorageAccountAccessObjectId
roleDefinitionIdOrName: 'Contributor'
principalIds: parStorageAccountAccess.principalIds
roleDefinitionIdOrName: parStorageAccountAccess.roleDefinitionIdOrName
}
] : []
lock: 'CanNotDelete'
@ -221,40 +222,31 @@ module modSvcsLogStorage '../../../Modules/Microsoft.Storage/storageAccounts/az.
}
module modDataServicesNetworkSecurityGroup '../../../Modules/Microsoft.Network/networkSecurityGroups/az.net.network.security.group.with.diagnostics.bicep' = {
name: 'deploy-${varDataServicesShortName}-nsg-${parLocation}-${parDeploymentNameSuffix}'
scope: resourceGroup(varDataServicesResourceGroupName)
name: 'deploy-${varDataSharedServicesShortName}-nsg-${parLocation}-${parDeploymentNameSuffix}'
scope: resourceGroup(varDataSharedServicesResourceGroupName)
params: {
name: varDataServicesNetworkSecurityGroupName
name: varDataSharedServicesNetworkSecurityGroupName
location: parLocation
tags: modTags.outputs.tags
securityRules: parDataServicesNetworkSecurityGroupRules
securityRules: parDataSharedServicesNetworkSecurityGroupRules
diagnosticWorkspaceId: parLogAnalyticsWorkspaceResourceId
diagnosticStorageAccountId: modSvcsLogStorage.outputs.resourceId
diagnosticLogCategoriesToEnable: parDataServicesNetworkSecurityGroupDiagnosticsLogs
diagnosticLogCategoriesToEnable: parDataSharedServicesNetworkSecurityGroupDiagnosticsLogs
}
}
module modDataServicesRouteTable '../../../Modules/Microsoft.Network/routeTable/az.net.route.table.bicep' = {
name: 'deploy-${varDataServicesShortName}-routeTable-${parLocation}-${parDeploymentNameSuffix}'
scope: resourceGroup(varDataServicesResourceGroupName)
name: 'deploy-${varDataSharedServicesShortName}-routeTable-${parLocation}-${parDeploymentNameSuffix}'
scope: resourceGroup(varDataSharedServicesResourceGroupName)
params: {
name: varRouteTableName
location: parLocation
tags: modTags.outputs.tags
routes: [
{
name: varRouteTableName
properties: {
addressPrefix: parRouteTableRouteAddressPrefix
nextHopIpAddress: parRouteTableRouteNextHopIpAddress
nextHopType: parRouteTableRouteNextHopType
}
}
]
routes: parRouteTableRoutes
disableBgpRoutePropagation: parDisableBgpRoutePropagation
}
dependsOn: [
@ -263,39 +255,39 @@ module modDataServicesRouteTable '../../../Modules/Microsoft.Network/routeTable/
}
module modDataServicesVirtualNetwork '../../../Modules/Microsoft.Network/virtualNetworks/az.net.virtual.network.with.diagnostics.bicep' = {
name: 'deploy-${varDataServicesShortName}-virtualNetwork-${parLocation}-${parDeploymentNameSuffix}'
scope: resourceGroup(varDataServicesResourceGroupName)
name: 'deploy-${varDataSharedServicesShortName}-virtualNetwork-${parLocation}-${parDeploymentNameSuffix}'
scope: resourceGroup(varDataSharedServicesResourceGroupName)
params: {
name: varDataServicesVirtualNetworkName
name: varDataSharedServicesVirtualNetworkName
location: parLocation
tags: modTags.outputs.tags
addressPrefixes: [
parDataServicesVirtualNetworkAddressPrefix
parDataSharedServicesVirtualNetworkAddressPrefix
]
subnets: [
{
addressPrefix: parDataServicesSubnetAddressPrefix
name: varDataServicesSubnetName
addressPrefix: parDataSharedServicesSubnetAddressPrefix
name: varDataSharedServicesSubnetName
networkSecurityGroupId: modDataServicesNetworkSecurityGroup.outputs.resourceId
routeTableId: modDataServicesRouteTable.outputs.resourceId
serviceEndpoints: parDataServicesSubnetServiceEndpoints
serviceEndpoints: parDataSharedServicesSubnetServiceEndpoints
}
]
diagnosticWorkspaceId: parLogAnalyticsWorkspaceResourceId
diagnosticStorageAccountId: modSvcsLogStorage.outputs.resourceId
diagnosticLogCategoriesToEnable: parDataServicesVirtualNetworkDiagnosticsLogs
diagnosticMetricsToEnable: parDataServicesVirtualNetworkDiagnosticsMetrics
diagnosticLogCategoriesToEnable: parDataSharedServicesVirtualNetworkDiagnosticsLogs
diagnosticMetricsToEnable: parDataSharedServicesVirtualNetworkDiagnosticsMetrics
ddosProtectionPlanEnabled: parDeployddosProtectionPlan
ddosProtectionPlanId: svcsddosName
}
}
module spokeDataServicesSubscriptionActivityLogging '../../../Modules/Microsoft.Insights/diagnosticSettings/az.insights.diagnostic.setting.bicep' = if (enableActivityLogging) {
name: 'deploy-activity-logs-${varDataServicesShortName}-${parLocation}-${parDeploymentNameSuffix}'
name: 'deploy-activity-logs-${varDataSharedServicesShortName}-${parLocation}-${parDeploymentNameSuffix}'
params: {
diagnosticEventHubName: 'log-dataservices-sub-activity-to-${parLogAnalyticsWorkspaceName}'
diagnosticWorkspaceId: parLogAnalyticsWorkspaceResourceId

Двоичные данные
src/bicep/azresources/hub-spoke-core/vdms/dataSharedServices/images/sharedServucesExampleDeploymentOutput.png Normal file
Просмотреть файл

Двоичный файл не отображается.
Режим "рядом"

После

Ширина:  |  Высота:  |  Размер: 28 KiB

80
src/bicep/azresources/hub-spoke-core/vdms/logging/README.md
Просмотреть файл

@ -38,17 +38,16 @@ The module requires the following inputs:
The module requires the following inputs:
| Parameter | Type | Default | Description | Required | Example |
| --------------------------------- | ------ | ---------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------- | ---------------------------------------------- |
| parDeployAutomationAccount | bool | `aona` | Prefix value which will be prepended to all resource names. Default: anoa | Yes | `aona` |
| parLogAnalyticsWorkspaceCappingDailyQuotaGb | int | `-1` | Prefix value which will be prepended to all resource names. Default: anoa | Yes | `aona` |
| parLogAnalyticsWorkspaceRetentionInDays | int | `30` | Prefix value which will be prepended to all resource names. Default: anoa | Yes | `aona` |
| parLogAnalyticsWorkspaceSkuName | string | `PerGB2018` | Prefix value which will be prepended to all resource names. Default: anoa | Yes | `PerGB2018` |
| parDeploySentinel | bool | `false` | Prefix value which will be prepended to all resource names. Default: anoa | Yes | `false` |
| parLogStorageSkuName | string | `Standard_GRS` | Prefix value which will be prepended to all resource names. Default: anoa | Yes | `Standard_GRS` |
| parAddRoleAssignmentForStorageAccount | bool | `false` | Prefix value which will be prepended to all resource names. Default: anoa | Yes | `false` |
| parStorageAccountAccessObjectId | string | `xxxx-xxxx-xxxx-xxxx-xxxx` | Prefix value which will be prepended to all resource names. Default: anoa | No | `xxxx-xxxx-xxxx-xxxx-xxxx` |
| parStorageAccountAccessType | string | `Group` | Prefix value which will be prepended to all resource names. Default: anoa | No | `Group` |
Parameter name | Default Value | Description
-------------- | ------------- | -----------
`parOperationsSubscriptionId` | Deployment subscription | The subscription ID for the Hub Network and resources. It defaults to the deployment subscription.
`parDeploymentNameSuffix` | utcNow() | A suffix to use for naming deployments uniquely. It defaults to the Bicep resolution of the "utcNow()" function.
`parLogAnalyticsWorkspaceCappingDailyQuotaGb` | -1 | The daily quota for Log Analytics Workspace logs in Gigabytes. It defaults to "-1" for no quota.
`parLogAnalyticsWorkspaceRetentionInDays` | 30 | Number of days of log retention for Log Analytics Workspace. - DEFAULT VALUE: 30
`parLogAnalyticsWorkspaceSkuName` | 'PerGB2018' | [Free/Standard/Premium/PerNode/PerGB2018/Standalone] The SKU for the Log Analytics Workspace. It defaults to "PerGB2018". See <https://docs.microsoft.com/en-us/azure/azure-monitor/logs/resource-manager-workspace> for valid settings.
`parDeploySentinel` | false | Switch which allows Sentinel deployment to be disabled. Default: false
`parLogStorageSkuName` | 'Standard_GRS' | The Storage Account SKU to use for log storage. It defaults to "Standard_GRS". See <https://docs.microsoft.com/en-us/rest/api/storagerp/srp_sku_types> for valid settings.
`parLoggingStorageAccountAccess` | object | Account settings for role assignement to Storage Account
Parameters file located in the [Deployments](../../../../deployments/HubSpoke/logging/) folder under hub/spoke.
@ -56,9 +55,12 @@ Parameters file located in the [Deployments](../../../../deployments/HubSpoke/lo
The module will generate the following outputs:
Parameters | Type | Allowed Values | Description
| :-- | :-- | :-- | :-- |
None
Parameter name | Default Value | Description
-------------- | ------------- | -----------
`outLogAnalyticsWorkspaceName` | 'guid' | Out value for Log Analytics Workspace Name
`outLogAnalyticsWorkspaceResourceId` | '/subscriptions/<<subscriptionId>>/resourcegroups/anoa-usgovvirginia-dev-logging-rg/providers/microsoft.operationalinsights/workspaces/anoa-usgovvirginia-dev-logging-log' | Out value for Log Analytics ResourceId
`outLogAnalyticsWorkspaceId` | 'guid' | Out value for Log Analytics Workspace Id
`outLogAnalyticsSolutions` | array | Out value for Log Analytics Solutions in array format
## Deployment
@ -80,16 +82,22 @@ Other differences in Azure IL regions are as follow:
```bash
# For Azure Commerical regions
# Set Platform connectivity subscription ID as the the current subscription
# When deploying to Azure cloud, first set the cloud.
az cloudset --name AzureGovernment
# Set Platform connectivity subscription ID as the the current subscription
ConnectivitySubscriptionId="[your platform management subscription ID]"
az account set --subscription $ConnectivitySubscriptionId
# Log in
az login
cd src/bicep
cd azresources/hub-spoke-core
az deployment sub create \
--name anoa-logging-deploy \
--location eastus \
--template-file src/bicep/common/landingzone/core/vdms/logging/anoa.lz.logging.bicep \
--parameters @src/bicep/common/landingzone/core/vdms/logging/anoa.lz.logging.parameters.json
--template-file vdms/logging/anoa.lz.logging.bicep \
--parameters @parmeters/logging/anoa.lz.logging.parameters.json
--subscription $ConnectivitySubscriptionId
```
@ -99,30 +107,41 @@ OR
# For Azure Government regions
# Set Platform connectivity subscription ID as the the current subscription
# When deploying to another cloud, like Azure US Government, first set the cloud.
az cloudset --name AzureGovernment
# Set Platform connectivity subscription ID as the the current subscription
ConnectivitySubscriptionId="[your platform management subscription ID]"
az account set --subscription $ConnectivitySubscriptionId
# Log in
az login
cd src/bicep
cd azresources/hub-spoke-core
az deployment sub create \
--name anoa-logging-deploy \
--location virginiaus \
--template-file src/bicep/common/landingzone/core/vdms/logging/anoa.lz.logging.bicep \
--parameters @src/bicep/common/landingzone/core/vdms/logging/anoa.lz.logging.parameters.json
--location usgovvirginia \
--template-file vdms/logging/anoa.lz.logging.bicep \
--parameters @parmeters/logging/anoa.lz.logging.parameters.json
--subscription $ConnectivitySubscriptionId
```
### PowerShell
```powershell
# For Azure Commerical regions
# When deploying to Azure cloud, first set the cloud and log in.
Connect-AzAccount -EnvironmentName AzureCloud
# Set Platform connectivity subscription ID as the the current subscription
$ConnectivitySubscriptionId = "[your platform management subscription ID]"
Select-AzSubscription -SubscriptionId $ConnectivitySubscriptionId
cd src/bicep
cd azresources/hub-spoke-core
New-AzDeployment `
-TemplateFile src/bicep/common/landingzone/core/network/vdms/logging/anoa.lz.logging.bicep `
-TemplateParameterFile src/bicep/common/landingzone/core/vdms/logging/anoa.lz.logging.parameters.json `
-TemplateFile vdms/logging/anoa.lz.logging.bicep `
-TemplateParameterFile parmeters/logging/anoa.lz.logging.parameters.json `
-Location 'eastus'
-Name 'anoa-logging-deploy'
```
@ -132,15 +151,20 @@ OR
```powershell
# For Azure Government regions
# When deploying to another cloud, like Azure US Government, first set the cloud and log in.
Connect-AzAccount -EnvironmentName AzureCloud
# Set Platform connectivity subscription ID as the the current subscription
$ConnectivitySubscriptionId = "[your platform management subscription ID]"
Select-AzSubscription -SubscriptionId $ConnectivitySubscriptionId
cd src/bicep
cd azresources/hub-spoke-core
New-AzDeployment `
-TemplateFile src/bicep/common/landingzone/core/vdms/logging/anoa.lz.logging.bicep `
-TemplateParameterFile src/bicep/common/landingzone/core/logging/vdms/logging/anoa.lz.logging.parameters.json `
-Location 'virginiaus'
--TemplateFile vdms/logging/anoa.lz.logging.bicep `
-TemplateParameterFile parmeters/logging/anoa.lz.logging.parameters.json `
-Location 'usgovvirginia'
-Name 'anoa-logging-deploy'
```

2
src/bicep/azresources/hub-spoke-core/vdms/logging/anoa.lz.logging.bicep
Просмотреть файл

@ -82,7 +82,7 @@ param parDeploySentinel bool = false
param parLogStorageSkuName string = 'Standard_GRS'
// STORAGE ACCOUNTS RBAC
@description('Account for access to Storage')
@description('Account settings for role assignement to Storage Account')
param parLoggingStorageAccountAccess object
/*

74
src/bicep/azresources/hub-spoke-core/vdms/operations/README.md
Просмотреть файл

@ -9,7 +9,7 @@ Module deploys the following resources:
* Virtual Network (VNet)
* Subnets
* Network Security Group
* Storage Account
* Diagnostics Storage Account
## Required Parameters
@ -32,7 +32,6 @@ The module requires the following inputs for Operations Network:
| parOperationsSubscriptionId | string | `guid` | The subscription ID for the Operations Network and resources. It defaults to the deployment subscription | No | `xxxx-xxxx-xxxx-xxxx-xxxx` | Yes| None |
parOperationsVirtualNetworkAddressPrefix | string | No | The CIDR Virtual Network Address Prefix for the Operations Virtual Network. | Yes| None |
parOperationsSubnetAddressPrefix | string | No | The CIDR Subnet Address Prefix for the default Operations subnet. It must be in the Operations Virtual Network space.| Yes| None |
parSourceAddressPrefixes | string | No | The CIDR Virtual Network Address Prefix for the Identity/SharedServices Virtual Network. Leave blank if no spokes are needed. | Yes| None |
parLogStorageSkuName | string | No | The Storage Account SKU to use for log storage. It defaults to "Standard_GRS". See <https://docs.microsoft.com/en-us/rest/api/storagerp/srp_sku_types> for valid settings.. | Yes| None |
parOperationsVirtualNetworkDiagnosticsLogs | array | No | An array of Network Diagnostic Logs to enable for the Operations Virtual Network. See <https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostic-settings?tabs=CMD#logs> for valid settings. | Yes| None |
parOperationsVirtualNetworkDiagnosticsMetrics | array | No | An array of Network Diagnostic Metrics to enable for the Operations Virtual Network. See <https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/> diagnostic-settings?tabs=CMD#metrics for valid settings. | Yes| None |
@ -40,15 +39,13 @@ parOperationsNetworkSecurityGroupRules | array | No | An array of Network
parOperationsNetworkSecurityGroupDiagnosticsLogs | array | No | An array of Network Security Group diagnostic logs to apply to the Operations Virtual Network. See <https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-nsg-manage-log#log-categories> for valid settings. | Yes| None |
parOperationsNetworkSecurityGroupDiagnosticsMetrics | array | No | An array of Network Security Group Diagnostic Metrics to enable for the Operations Virtual Network. See <https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostic-settings?tabs=CMD#metrics> for valid settings. | Yes| None |
parOperationsSubnetServiceEndpoints | array | No | An array of Service Endpoints to enable for the Operations subnet. See <https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview> for valid settings. | Yes| None |
parLogAnalyticsWorkspaceResourceId | string | No | . | Yes| None |
parFirewallPrivateIPAddress | string | No | . | Yes| None |
parRouteTableRouteName | string | No | . | Yes| None |
parRouteTableRouteAddressPrefix | string | No | . | Yes| None |
parRouteTableRouteNextHopIpAddress | string | No | . | Yes| None |
parRouteTableRouteNextHopType | string | No | . | Yes| None |
parStorageAccountAccessObjectId | string | No | . | Yes| None |
parStorageAccountAccessType | string | No | . | Yes| None |
parAddRoleAssignmentForStorageAccount | bool | No | . | Yes| None |
parLogAnalyticsWorkspaceResourceId | string | No | Log Analytics Workspace Resource Id Needed for NSG, VNet and Activity Logging | Yes| None |
parLogAnalyticsWorkspaceName | string | No | Log Analytics Workspace Name Needed Activity Logging | Yes| None |
enableActivityLogging | bool | No | Enable this setting if this network is on a different subscriptiom as the Hub. Will give conflict errors if on same sub as the Hub | Yes| None |
parRouteTableRoutes | array | No | An Array of Routes to be established within the hub route table. | Yes| None |
parFirewallPrivateIPAddress | string | No | Firewall private IP address within the hub route table. | Yes| None |
parDeployddosProtectionPlan | bool | No | Switch which allows DDOS deployment to be disabled. Default: false | Yes| None |
parOperationsStorageAccountAccess | object | No | Account Setting for role assignment to Storage Account | Yes| None |
Parameters file located in the [Deployments](../../../../deployments/HubSpoke/networking/operations/) folder under hub/spoke.
@ -93,15 +90,23 @@ Other differences in Azure IL regions are as follow:
```bash
# For Azure Commerical regions
# Set Platform connectivity subscription ID as the the current subscription
# When deploying to Azure cloud, first set the cloud.
az cloudset --name AzureGovernment
# Set Platform connectivity subscription ID as the the current subscription
ConnectivitySubscriptionId="[your platform management subscription ID]"
az account set --subscription $ConnectivitySubscriptionId
# Log in
az login
cd src/bicep
cd azresources/hub-spoke-core
az deployment sub create \
--name anoa-operations-deploy \
--location eastus \
--template-file src/bicep/common/landingzone/core/vdms/operations/anoa.lz.ops.network.bicep \
--parameters @src/bicep/common/landingzone/core/vdms/operations/anoa.lz.ops.network.parameters.json
--template-file vdms/operations/anoa.lz.ops.network.bicep \
--parameters @parmeters/operations/anoa.lz.ops.network.parameters.json
--subscription $ConnectivitySubscriptionId
```
OR
@ -110,30 +115,43 @@ OR
# For Azure Government regions
# Set Platform connectivity subscription ID as the the current subscription
# When deploying to another cloud, like Azure US Government, first set the cloud.
az cloudset --name AzureGovernment
# Set Platform connectivity subscription ID as the the current subscription
ConnectivitySubscriptionId="[your platform management subscription ID]"
az account set --subscription $ConnectivitySubscriptionId
# Log in
az login
cd src/bicep
cd azresources/hub-spoke-core
az deployment sub create \
--location virginiaus \
--template-file src/bicep/common/landingzone/core/vdms/operations/anoa.lz.ops.network.bicep \
--parameters @src/bicep/common/landingzone/core/vdms/operations/anoa.lz.ops.network.parameters.json
--name anoa-operations-deploy \
--location usgovvirginia \
--template-file vdms/operations/anoa.lz.ops.network.bicep \
--parameters @parmeters/operations/anoa.lz.ops.network.parameters.json
--subscription $ConnectivitySubscriptionId
```
### PowerShell
```powershell
# For Azure Commerical regions
# When deploying to Azure cloud, first set the cloud and log in.
Connect-AzAccount -EnvironmentName AzureCloud
# Set Platform connectivity subscription ID as the the current subscription
$ConnectivitySubscriptionId = "[your platform management subscription ID]"
Select-AzSubscription -SubscriptionId $ConnectivitySubscriptionId
cd src/bicep
cd azresources/hub-spoke-core
New-AzDeployment `
-TemplateFile src/bicep/common/landingzone/core/vdms/operations/anoa.lz.ops.network.bicep `
-TemplateParameterFile src/bicep/common/landingzone/core/vdms/operations/anoa.lz.ops.network.parameters.json `
-TemplateFile vdms/operations/anoa.lz.ops.network.bicep `
-TemplateParameterFile parmeters/operations/anoa.lz.ops.network.parameters.json `
-Location 'eastus'
-Name 'anoa-operations-deploy'
```
OR
@ -141,15 +159,21 @@ OR
```powershell
# For Azure Government regions
# When deploying to another cloud, like Azure US Government, first set the cloud and log in.
Connect-AzAccount -EnvironmentName AzureCloud
# Set Platform connectivity subscription ID as the the current subscription
$ConnectivitySubscriptionId = "[your platform management subscription ID]"
Select-AzSubscription -SubscriptionId $ConnectivitySubscriptionId
cd src/bicep
cd azresources/hub-spoke-core
New-AzDeployment `
-TemplateFile src/bicep/common/landingzone/core/vdms/operations/anoa.lz.ops.network.bicep `
-TemplateParameterFile src/bicep/common/landingzone/core/vdms/operations/anoa.lz.ops.network.parameters.json `
-Location 'virginiaus'
--TemplateFile vdms/operations/anoa.lz.ops.network.bicep `
-TemplateParameterFile parmeters/operations/anoa.lz.ops.network.parameters.json `
-Location 'usgovvirginia'
-Name 'anoa-operations-deploy'
```
## Air-Gapped Clouds

Двоичные данные
src/bicep/azresources/hub-spoke-core/vdms/operations/images/operationsNetworkExampleDeploymentOutput.png
Просмотреть файл

Двоичный файл не отображается.
Режим "рядом" Свайп Оверлей

До

Ширина:  |  Высота:  |  Размер: 43 KiB

После

Ширина:  |  Высота:  |  Размер: 26 KiB

57
src/bicep/azresources/hub-spoke-core/vdms/sharedServices/README.md
Просмотреть файл

@ -78,15 +78,23 @@ Other differences in Azure IL regions are as follow:
```bash
# For Azure Commerical regions
# Set Platform connectivity subscription ID as the the current subscription
# When deploying to Azure cloud, first set the cloud.
az cloudset --name AzureGovernment
# Set Platform connectivity subscription ID as the the current subscription
ConnectivitySubscriptionId="[your platform management subscription ID]"
az account set --subscription $ConnectivitySubscriptionId
# Log in
az login
cd src/bicep
cd azresources/hub-spoke-core
az deployment sub create \
--name anoa-sharedServices-deploy \
--location eastus \
--template-file src/bicep/common/landingzone/core/vdms/sharedservices/anoa.lz.svcs.bicep \
--parameters @src/bicep/common/landingzone/core/vdms/sharedservices/anoa.lz.svcs.parameters.json
--template-file vdms/sharedServices/anoa.lz.svcs.network.network.bicep \
--parameters @parmeters/sharedServices/anoa.lz.svcs.network.parameters.json
--subscription $ConnectivitySubscriptionId
```
OR
@ -95,30 +103,43 @@ OR
# For Azure Government regions
# Set Platform connectivity subscription ID as the the current subscription
# When deploying to another cloud, like Azure US Government, first set the cloud.
az cloudset --name AzureGovernment
# Set Platform connectivity subscription ID as the the current subscription
ConnectivitySubscriptionId="[your platform management subscription ID]"
az account set --subscription $ConnectivitySubscriptionId
# Log in
az login
cd src/bicep
cd azresources/hub-spoke-core
az deployment sub create \
--location virginiaus \
--template-file src/bicep/common/landingzone/core/vdms/sharedservices/anoa.lz.svcs.bicep \
--parameters @src/bicep/common/landingzone/core/vdms/sharedservices/anoa.lz.svcs.parameters.json
--name anoa-sharedServices-deploy \
--location usgovvirginia \
--template-file vdms/sharedServices/anoa.lz.svcs.network.bicep \
--parameters @parmeters/sharedServices/anoa.lz.svcs.network.parameters.json
--subscription $ConnectivitySubscriptionId
```
### PowerShell
```powershell
# For Azure Commerical regions
# When deploying to Azure cloud, first set the cloud and log in.
Connect-AzAccount -EnvironmentName AzureCloud
# Set Platform connectivity subscription ID as the the current subscription
$ConnectivitySubscriptionId = "[your platform management subscription ID]"
Select-AzSubscription -SubscriptionId $ConnectivitySubscriptionId
cd src/bicep
cd azresources/hub-spoke-core
New-AzDeployment `
-TemplateFile src/bicep/common/landingzone/core/vdms/sharedservices/anoa.lz.svcs.bicep `
-TemplateParameterFile src/bicep/common/landingzone/core/vdms/sharedservices/anoa.lz.svcs.parameters.json `
-TemplateFile vdms/sharedServices/anoa.lz.svcs.network.bicep `
-TemplateParameterFile parmeters/sharedServices/anoa.lz.svcs.network.parameters.json `
-Location 'eastus'
-Name 'anoa-sharedServices-deploy'
```
OR
@ -126,15 +147,21 @@ OR
```powershell
# For Azure Government regions
# When deploying to another cloud, like Azure US Government, first set the cloud and log in.
Connect-AzAccount -EnvironmentName AzureCloud
# Set Platform connectivity subscription ID as the the current subscription
$ConnectivitySubscriptionId = "[your platform management subscription ID]"
Select-AzSubscription -SubscriptionId $ConnectivitySubscriptionId
cd src/bicep
cd azresources/hub-spoke-core
New-AzDeployment `
-TemplateFile src/bicep/common/landingzone/core/vdms/sharedservices/anoa.lz.svcs.bicep `
-TemplateParameterFile src/bicep/common/landingzone/core/vdms/sharedservices/anoa.lz.svcs.parameters.json `
-Location 'virginiaus'
--TemplateFile vdms/sharedServices/anoa.lz.svcs.network.bicep `
-TemplateParameterFile parmeters/sharedServices/anoa.lz.svcs.network.parameters.json `
-Location 'usgovvirginia'
-Name 'anoa-sharedServices-deploy'
```
## Air-Gapped Clouds
@ -147,4 +174,4 @@ The Bicep/ARM deployment of NoOps Accelerator Shared Services network deployment
## Example Output in Azure
![Example Deployment Output](media/sharedservicesNetworkExampleDeploymentOutput.png "Example Deployment Output in Azure global regions")
![Example Deployment Output](images/sharedServucesExampleDeploymentOutput.png "Example Deployment Output in Azure global regions")

Двоичные данные
src/bicep/azresources/hub-spoke-core/vdms/sharedServices/images/sharedServucesExampleDeploymentOutput.png Normal file
Просмотреть файл

Двоичный файл не отображается.
Режим "рядом"

После

Ширина:  |  Высота:  |  Размер: 28 KiB

21
src/bicep/azresources/hub-spoke-core/vdss/hub/anoa.lz.hub.network.bicep
Просмотреть файл

@ -239,6 +239,10 @@ param parHubSubnetServiceEndpoints array = [
// ROUTETABLE PARAMETERS
param parDisableBgpRoutePropagation bool = false
// PRIVATE DNS ZONE PARAMETERS
param parEnablePrivateDnsZones bool = false
// LOGGING PARAMETERS
@description('The Storage Account SKU to use for log storage. It defaults to "Standard_GRS". See https://docs.microsoft.com/en-us/rest/api/storagerp/srp_sku_types for valid settings.')
@ -300,6 +304,7 @@ var varSubnetNamingConvention = replace(varNamingConvention, varResourceToken, '
var varPublicIpAddressNamingConvention = replace(varNamingConvention, varResourceToken, 'pip')
var varVirtualNetworkNamingConvention = replace(varNamingConvention, varResourceToken, 'vnet')
var varDdosNamingConvention = replace(varNamingConvention, varResourceToken, 'ddos')
var varPrivateDNSZoneNamingConvention = replace(varNamingConvention, varResourceToken, 'pdz-rg')
// HUB NAMES
@ -312,6 +317,7 @@ var varHubLogStorageAccountName = take(varHubLogStorageAccountUniqueName, 23)
var varHubVirtualNetworkName = replace(varVirtualNetworkNamingConvention, varNameToken, varHubName)
var varHubNetworkSecurityGroupName = replace(varNetworkSecurityGroupNamingConvention, varNameToken, varHubName)
var varHubSubnetName = replace(varSubnetNamingConvention, varNameToken, varHubName)
var varHubPDZResourceGroupName = replace(varPrivateDNSZoneNamingConvention, varNameToken, varHubName)
var hubddosName = replace(varDdosNamingConvention, varNameToken, varHubName)
// FIREWALL NAMES
@ -351,6 +357,17 @@ module modHubResourceGroup '../../../Modules/Microsoft.Resources/resourceGroups/
}
}
// Create Private DNS Zone Resource Group - optional
module modPrivateDnsZonesResourceGroup '../../../Modules/Microsoft.Resources/resourceGroups/az.resource.groups.bicep' = if (parEnablePrivateDnsZones) {
name: 'deploy-hub-rg-${parLocation}-${parDeploymentNameSuffix}'
scope: subscription(parHubSubscriptionId)
params: {
name: varHubPDZResourceGroupName
location: parLocation
tags: modTags.outputs.tags
}
}
// HUB STORAGE - VDMS
module modHubLogStorage '../../../Modules/Microsoft.Storage/storageAccounts/az.data.storage.bicep' = {
@ -562,9 +579,9 @@ module modAzureFirewallPolicy '../../../Modules/Microsoft.Network/firewallPolici
// HUB PRIVATE LINK - VDMS
module modAzureMonitorPrivateLink '../../../Modules/Microsoft.Network/privateEndPoints/privateLinks/az.net.private.link.bicep' = if (contains(parSupportedClouds, environment().name)) {
module modAzureMonitorPrivateLink '../../../Modules/Microsoft.Network/privateEndPoints/privateLinks/az.net.private.link.bicep' = if (contains(parSupportedClouds, environment().name) && parEnablePrivateDnsZones) {
name: 'deploy-hub-az-monitor-prvt-link-${parLocation}-${parDeploymentNameSuffix}'
scope: resourceGroup(parHubSubscriptionId, varHubResourceGroupName)
scope: resourceGroup(parHubSubscriptionId, varHubPDZResourceGroupName)
params: {
logAnalyticsWorkspaceName: parLogAnalyticsWorkspaceName
logAnalyticsWorkspaceResourceId: parLogAnalyticsWorkspaceResourceId

9
src/bicep/platforms/lz-platform-scca-hub-1spoke/deploy.bicep
Просмотреть файл

@ -461,10 +461,11 @@ module modHubNetwork '../../azresources/hub-spoke-core/vdss/hub/anoa.lz.hub.netw
parHubVirtualNetworkDiagnosticsLogs: parHub.virtualNetworkDiagnosticsLogs
parHubVirtualNetworkDiagnosticsMetrics: parHub.virtualNetworkDiagnosticsMetrics
parHubSubnets: parHub.subnets
parEnablePrivateDnsZones: parHub.enablePrivateDnsZones
// Enable Azure FireWall
parAzureFirewallEnabled: parAzureFirewall.enable
parDisableBgpRoutePropagation: false
parDisableBgpRoutePropagation: parAzureFirewall.disableBgpRoutePropagation
// Hub Firewall Parameters
parFirewallSupernetIPAddress: parAzureFirewall.supernetIPAddress
@ -525,7 +526,7 @@ module modOperationsNetwork '../../azresources/hub-spoke-core/vdms/operations/an
// VIRTUAL NETWORK PEERINGS
module modHubVirtualNetworkPeerings '../../azresources/hub-spoke-core/peering/hub/anoa.lz.hub.network.peerings.bicep' = {
module modHubVirtualNetworkPeerings '../../azresources/hub-spoke-core/peering/hub/anoa.lz.hub.network.peerings.bicep' = if (parHub.peerToSpokeVirtualNetwork) {
name: 'deploy-vnet-peerings-hub-${parLocation}-${parDeploymentNameSuffix}'
scope: resourceGroup(parHub.subscriptionId, varHubResourceGroupName)
params: {
@ -540,7 +541,7 @@ module modHubVirtualNetworkPeerings '../../azresources/hub-spoke-core/peering/hu
}
}
module modSpokeOpsToHubVirtualNetworkPeerings '../../azresources/hub-spoke-core/peering/spoke/anoa.lz.spoke.network.peering.bicep' = {
module modSpokeOpsToHubVirtualNetworkPeerings '../../azresources/hub-spoke-core/peering/spoke/anoa.lz.spoke.network.peering.bicep' = if (parOperationsSpoke.peerToHubVirtualNetwork) {
name: 'deploy-vnet-spoke-peerings-ops-${parLocation}-${parDeploymentNameSuffix}'
scope: resourceGroup(parOperationsSpoke.subscriptionId, varOperationsResourceGroupName)
params: {
@ -551,6 +552,8 @@ module modSpokeOpsToHubVirtualNetworkPeerings '../../azresources/hub-spoke-core/
// Hub Paramters
parHubVirtualNetworkName: modHubNetwork.outputs.virtualNetworkName
parHubVirtualNetworkResourceId: modHubNetwork.outputs.virtualNetworkResourceId
parAllowVirtualNetworkAccess: parOperationsSpoke.allowVirtualNetworkAccess
parUseRemoteGateways: parOperationsSpoke.useRemoteGateways
}
}

31
src/bicep/platforms/lz-platform-scca-hub-1spoke/deployment.azcli
Просмотреть файл

@ -1,10 +1,10 @@
# AZ CLI Examples
# Create Base64 script value
script64=$(cat script.sh | base64)
# Hub/Spoke - Change variables to match your deployment
az login
cd src/bicep
cd platforms/lz-platform-scca-hub-1spoke
az deployment sub create --name deploy-hub1spoke-network --location EastUS --template-file deploy.bicep --parameters @parameters/deploy.parameters.json --subscription <<subscriptionId>>
# Clean Up
@ -19,27 +19,30 @@ az monitor diagnostic-settings subscription list --query value[] --output table
az monitor diagnostic-settings subscription delete --name <diagnostic setting name>
# Delete Resource Groups - Change variables to match your deployment
az group delete -n anoa-eastus-aks-logging-rg -y
az group delete -n anoa-eastus-aks-hub-rg -y
az group delete -n anoa-eastus-aks-operations-rg -y
az group delete -n anoa-eastus-aks-sharedservices-rg -y
az group delete -n anoa-eastus-aks-artifacts-rg -y
az group delete -n anoa-eastus-dev-logging-rg -y
az group delete -n anoa-eastus-dev-hub-rg -y
az group delete -n anoa-eastus-dev-operations-rg -y
az group delete -n anoa-eastus-dev-sharedservices-rg -y
az group delete -n anoa-eastus-dev-artifacts-rg -y
# Delete Deployments - Change variables to match your deployment
az deployment sub delete -n deploy-hub1spoke-network
# AZ PowerShell
# Hub/Spoke - Change variables to match your deployment
Connect-AzAccount -EnvironmentName AzureCloud
cd src/bicep
cd platforms/lz-platform-scca-hub-1spoke
New-AzSubscriptionDeployment -TemplateFile .\anoa.hubspoke.bicep -TemplateParameterFile .\parameters\anoa.hubspoke.parameters.example.json -Location "EastUS" -Name deploy-hubspoke-network
# Clean Up
# Delete Resource Groups - Change variables to match your deployment
Remove-AzResourceGroup -Name anoa-eastus-aks-logging-rg
Remove-AzResourceGroup -Name anoa-eastus-aks-hub-rg
Remove-AzResourceGroup -Name anoa-eastus-aks-identity-rg
Remove-AzResourceGroup -Name anoa-eastus-aks-operations-rg
Remove-AzResourceGroup -Name anoa-eastus-aks-sharedservices-rg
Remove-AzResourceGroup -Name anoa-eastus-aks-artifacts-rg
Remove-AzResourceGroup -Name anoa-eastus-dev-logging-rg
Remove-AzResourceGroup -Name anoa-eastus-dev-hub-rg
Remove-AzResourceGroup -Name anoa-eastus-dev-identity-rg
Remove-AzResourceGroup -Name anoa-eastus-dev-operations-rg
Remove-AzResourceGroup -Name anoa-eastus-dev-sharedservices-rg
Remove-AzResourceGroup -Name anoa-eastus-dev-artifacts-rg
# Delete Deployments - Change variables to match your deployment
Remove-AzSubscriptionDeployment -Name deploy-hub1spoke-network

6
src/bicep/platforms/lz-platform-scca-hub-1spoke/parameters/deploy.parameters.json
Просмотреть файл

@ -23,6 +23,8 @@
"subscriptionId": "<<subscriptionId>>",
"virtualNetworkAddressPrefix": "10.0.100.0/24",
"subnetAddressPrefix": "10.0.100.128/27",
"peerToSpokeVirtualNetwork": true,
"enablePrivateDnsZones": true,
"subnets": [
{
"name": "AzureFirewallSubnet",
@ -61,6 +63,9 @@
"subscriptionId": "<<subscriptionId>>",
"virtualNetworkAddressPrefix": "10.0.115.0/26",
"subnetAddressPrefix": "10.0.115.0/27",
"peerToHubVirtualNetwork": true,
"useRemoteGateway": false,
"allowVirtualNetworkAccess": true,
"virtualNetworkDiagnosticsLogs": [],
"virtualNetworkDiagnosticsMetrics": [],
"networkSecurityGroupRules": [],
@ -123,6 +128,7 @@
"parAzureFirewall": {
"value": {
"enable": true,
"disableBgpRoutePropagation": false,
"clientPublicIPAddressAvailabilityZones": [],
"managementPublicIPAddressAvailabilityZones": [],
"supernetIPAddress": "10.0.96.0/19",

248
src/bicep/platforms/lz-platform-scca-hub-1spoke/readme.md
Просмотреть файл

@ -1,8 +1,8 @@
# NoOps Accelerator - Platforms - SCCA Compliant Hub - 1 Spoke
# NoOps Accelerator - Platforms - SCCA Compliant Hub - 1 Spoke Landing Zone
## Overview
This platform module deploys Hub 1 Spoke landing zone.
This platform module deploys Hub 1 Spoke landing zone. This landing zone can be used in AKS workload deployments for example. This also can be used for other smaller networks that do not require a Identity or Shared Service Spoke.
> NOTE: This is only the landing zone deployment. The workloads will be deployed with the enclave or can be deployed after the landing zone is created.
@ -36,6 +36,47 @@ All network traffic is directed through the firewall residing in the Network Hub
*-example IP for firewall
### Naming Conventions
By default, Hub - 3 Spoke Platform resources are named according to a naming convention that uses the mandatory `orgPrefix` (that is defaulted to `anoa`), `templateVersion` & `deployEnvironment`.
#### Default Naming Convention Example
Let's look at an example using `parRequired="{ \"orgPrefix\":\"$ORG_PREFIX\", \"templateVersion\":\"v1.0\", \"deployEnvironment\":\"$DEPLOY_ENV\" }"`
In `deploy.bicep` you will find a variable titled `namingConvention`:
```bicep
var varNamingConvention = '${toLower(parRequired.orgPrefix)}-${toLower(parLocation)}-${toLower(parRequired.deployEnvironment)}-${varNameToken}-${toLower(varResourceToken)}'
# this generates a value of: ${orgPrefix}-${location}-${deployEnvironment}-${nameToken}-${resourceToken}
```
This naming convention uses Bicep's `replace()` function to substitute resource abbreviations for `resourceToken` and resource names for `nameToken`.
For example, when naming the Hub Resource Group, first the `resourceToken` is substituted with the recommended abbreviation `rg`:
```bicep
var resourceGroupNamingConvention = replace(namingConvention, resourceToken, 'rg')
# this generates a value of: anoa-eastus-${nameToken}-dev-rg
```
Then, the `nameToken` is substituted with the Azure NoOps Accelerator name `hub`:
```bicep
var hubResourceGroupName = replace(resourceGroupNamingConvention, nameToken, 'hub')
# this generates a value of: anoa-eastus-hub-dev-rg
```
Finally, the `hubResourceGroupName` is assigned to the resource group `varHubName` variable:
```bicep
var varHubName = 'hub'
var varHubResourceGroupName = replace(varResourceGroupNamingConvention, varNameToken, varHubName)
# this is the calculated value 'anoa-eastus-hub-dev-rg'
```
### Tagging
Organize cloud resources to meet the needs of governance, operational management, and accounting. Resources can be managed and found more quickly with the aid of well-defined metadata tagging protocols. By using charge back and show back accounting procedures, these conventions also assist in tying cloud usage charges to specific business teams.
@ -51,13 +92,94 @@ A tagging strategy include business and operational details:
Most customers will deploy each tier to a separate Azure subscription, but multiple subscriptions are not required. A single subscription deployment is good for a testing and evaluation, or possibly a small IT Admin team.
Hub - 1 Spoke Platform can deploy to a single subscription or multiple subscriptions. A test and evaluation deployment may deploy everything to a single subscription, and a production deployment may place each tier into its own subscription.
The optional parameters related to subscriptions are below. They releated to each tier object used for deployment.
Parameter name | Default Value | Description
-------------- | ------------- | -----------
`parHub.subscriptionId` | Deployment subscription | Subscription containing the firewall and network hub
`parOperationsSpoke.subscriptionId` | Deployment subscription | Tier 1 for network operations, logging and security tools
### Networking
The following parameters affect networking. They releated to each tier object used for deployment.
Parameter name | Default Value | Description
-------------- | ------------- | -----------
`parHub.virtualNetworkAddressPrefix` | '10.0.100.0/24' | The CIDR Virtual Network Address Prefix for the Hub Virtual Network.
`parHub.subnetAddressPrefix` | '10.0.100.128/27' | The CIDR Subnet Address Prefix for the default Hub subnet. It must be in the Hub Virtual Network space.
`parHub.peerToSpokeVirtualNetwork` | true | This is a switch for peering to an Spoke Network. This is used with the spoke network peering as well. Both parameters either need to be true or false.
`parHub.subnets.addressPrefix` (Firewall Client Subnet Address Prefix)| '10.0.100.0/26' | The CIDR Subnet Address Prefix for the Azure Firewall Subnet. It must be in the Hub Virtual Network space. It must be /26.
`parHub.subnets.addressPrefix` (Firewall Management Subnet Address Prefix) | '10.0.100.64/26' | The CIDR Subnet Address Prefix for the Azure Firewall Management Subnet. It must be in the Hub Virtual Network space. It must be /26.
`parOperationsSpoke.virtualNetworkAddressPrefix` | '10.0.115.0/26' | The CIDR Virtual Network Address Prefix for the Operations Virtual Network.
`parOperationsSpoke.subnetAddressPrefix` | '10.0.115.0/27' | The CIDR Subnet Address Prefix for the default Operations subnet. It must be in the Operations Virtual Network space.
`parOperationsSpoke.peerToHubVirtualNetwork` | true | This is a switch for peering to an Hub Network from a Spoke. This is used with the hub network peering as well. Both parameters either need to be true or false.
## Optional Features
Hub - 1 Spoke Platform has optional features that can be enabled by setting parameters on the deployment.
### Microsoft Defender for Cloud
By default [Microsoft Defender for Cloud](https://docs.microsoft.com/en-us/azure/defender-for-cloud/defender-for-cloud-introduction) offers a free set of monitoring capabilities that are enabled via an Azure policy when you first set up a subscription and view the Microsoft Defender for Cloud portal blade.
Microsoft Defender for Cloud offers a standard/defender sku which enables a greater depth of awareness including more recomendations and threat analytics. You can enable this higher depth level of security in Hub - 1 Spoke Platform by setting the parameter `parSecurityCenter.enableDefender` during deployment. In addition you can include the `parSecurityCenter.emailSecurityContact` parameter to set a contact email for alerts and `parSecurityCenter.phoneSecurityContact` parameter to set a contact phone for alerts.
Parameter name | Default Value | Description
-------------- | ------------- | -----------
`parSecurityCenter.enableDefender` | 'false' | When set to "true", enables Microsoft Defender for Cloud for the subscriptions used in the deployment. It defaults to "false".
`parSecurityCenter.emailSecurityContact` | '' | Email address of the contact, in the form of john@doe.com
`parSecurityCenter.phoneSecurityContact` | '' | Phone of the contact, in the form of 5555555555
`parSecurityCenter.alertNotifications` | '' | alert notifications for contact
`parSecurityCenter.alertsToAdminsNotifications` | '' | alert notifications for contact admin
The Defender plan by resource type for Microsoft Defender for Cloud is enabled by default in the following [Azure Environments](https://docs.microsoft.com/en-us/powershell/module/servicemanagement/azure.service/get-azureenvironment?view=azuresmps-4.0.0): `AzureCloud` and `AzureUSGovernment`. To enable this for other Azure Cloud environments, this will need to executed manually.
Documentation on how to do this can be found
[here](https://docs.microsoft.com/en-us/azure/defender-for-cloud/enable-enhanced-security)
### Azure Sentinel
[Sentinel](https://docs.microsoft.com/en-us/azure/sentinel/overview) is a scalable, cloud-native, security information and event management (SIEM) and security orchestration, automation, and response (SOAR) solution. Sentinel can be enabled by setting the `parLogging.enableSentinel` parameter.
Parameter name | Default Value | Description
-------------- | ------------- | -----------
`parLogging.enableSentinel` | 'false' | When set to "true", enables Microsoft Sentinel within the Log Analytics Workspace created in this deployment. It defaults to "false".
### Remote access with a Bastion Host
If you want to remotely access the network and the resources you've deployed you can use [Azure Bastion](https://docs.microsoft.com/en-us/azure/bastion/) to remotely access virtual machines within the network without exposing them via Public IP Addresses.
Deploy a Linux and Windows virtual machine as jumpboxes into the network without a Public IP Address using Azure Bastion Host by providing values for these parameters:
Parameter name | Default Value | Description
-------------- | ------------- | -----------
`parRemoteAccess.enable` | 'false' | When set to "true", provisions Azure Bastion Host and virtual machine jumpboxes. It defaults to "false".
`parRemoteAccess.windows.vmAdminPassword` | 'Rem0te@2020246' | The administrator password the Windows Virtual Machine to Azure Bastion remote into. It must be > 12 characters in length. See [password requirements for creating a Windows VM](https://docs.microsoft.com/en-us/azure/virtual-machines/windows/faq#what-are-the-password-requirements-when-creating-a-vm-).
`parRemoteAccess.linux.vmAuthenticationType` | 'Rem0te@2020246' | [sshPublicKey/password] The authentication type for the Linux Virtual Machine to Azure Bastion remote into. It defaults to "Rem0te@2020246".
`parRemoteAccess.linux.vmAdminPasswordOrKey` | new guid | The administrator password or public SSH key for the Linux Virtual Machine to Azure Bastion remote into. See [password requirements for creating a Linux VM](https://docs.microsoft.com/en-us/azure/virtual-machines/linux/faq#what-are-the-password-requirements-when-creating-a-vm-).
`parRemoteAccess.windows.vmAdminUsername` | 'azureuser' | The administrator username for the Linux Virtual Machine to Azure Bastion remote into. It defaults to "azureuser".
`parRemoteAccess.linux.vmAdminUsername` | 'azureuser' | The administrator username for the Linux Virtual Machine to Azure Bastion remote into. It defaults to "azureuser".
### Azure Firewall Premium
By default, Hub - 1 Spoke Platform deploys **[Azure Firewall Premium](https://docs.microsoft.com/en-us/azure/firewall/premium-features). Not all regions support Azure Firewall Premium.** Check here to [see if the region you're deploying to supports Azure Firewall Premium](https://docs.microsoft.com/en-us/azure/firewall/premium-features#supported-regions). If necessary you can set a different firewall SKU or location.
You can manually specify which SKU of Azure Firewall to use for your deployment by specifying the `parAzureFirewall.skuTier` parameter. This parameter only accepts values of `Standard` or `Premium`.
Parameter name | Default Value | Description
-------------- | ------------- | -----------
`parAzureFirewall.skuTier` | 'Premium' | [Standard/Premium] The SKU for Azure Firewall. It defaults to "Premium".
If you'd like to specify a different region to deploy your resources into, change the location of the deployment. For example, when using the AZ CLI set the deployment command's `--location` argument.
### Operational Network Artifacts
If needed, The Operational Network Artifacts are used when operations wants to seperate all key, secrets and operations storage from the hub/spoke model.
### DDOS
If needed, You can dpeloy an DDOS Standard configuration if a firewall is not needed.
If needed, You can deploy an DDOS Standard configuration if a firewall is not needed.
## Parameters
@ -80,7 +202,7 @@ parNetworkArtifacts | object | {object} | Optional. Enables Operations Network A
parSecurityCenter | object | {object} | Microsoft Defender for Cloud. It includes email and phone. See [overlays/management-services/defender/readme.md](../../overlays/management-services/defender/readme.md)
parDdosStandard | bool | `false` | DDOS Standard configuration.
## Deploy the Landing Zone
## Deploy the Platform Landing Zone
Connect to the appropriate Azure Environment and set appropriate context, see getting started with Azure PowerShell or Azure CLI for help if needed. The commands below assume you are deploying in Azure Commercial and show the entire process deploying Platform Hub/Spoke Design.
@ -90,26 +212,46 @@ For example, deploying using the `az deployment sub create` command in the Azure
```bash
# For Azure Commerical regions
# When deploying to Azure cloud, first set the cloud.
az cloudset --name AzureCloud
# Set Platform connectivity subscription ID as the the current subscription
$ConnectivitySubscriptionId="[your platform management subscription ID]"
az account set --subscription $ConnectivitySubscriptionId
#log in
az login
cd src/bicep
cd platforms/lz-platform-scca-hub-1spoke
az deployment sub create \
--name contoso \
--subscription xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx \
--template-file platforms/lz-platform-scca-hub-1spoke/deploy.bicep \
--name deploy-hub1spoke-network \
--subscription $ConnectivitySubscriptionId \
--template-file deploy.bicep \
--location eastus \
--parameters @platforms/lz-platform-scca-hub-1spoke/parameters/deploy.parameters.json
--parameters @parameters/deploy.parameters.json
```
OR
```bash
# For Azure Government regions
# When deploying to another cloud, like Azure US Government, first set the cloud and log in.
az cloudset --name AzureGovernment
# Set Platform connectivity subscription ID as the the current subscription
$ConnectivitySubscriptionId="[your platform management subscription ID]"
az account set --subscription $ConnectivitySubscriptionId
az login
cd src/bicep
cd platforms/lz-platform-scca-hub-1spoke
az deployment sub create \
--template-file platforms/lz-platform-scca-hub-1spoke/deploy.bicep \
--parameters @platforms/lz-platform-scca-hub-1spoke/parameters/deploy.parameters.json \
--subscription xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx \
--resource-group anoa-usgovvirginia-platforms-hub-rg \
--name deploy-hub1spoke-network \
--template-file deploy.bicep \
--parameters @parameters/deploy.parameters.json \
--subscription $ConnectivitySubscriptionId \
--location 'usgovvirginia'
```
@ -117,10 +259,20 @@ az deployment sub create \
```powershell
# For Azure Commerical regions
# When deploying to Azure cloud, first set the cloud and log in.
Connect-AzAccount -EnvironmentName AzureCloud
# Set Platform connectivity subscription ID as the the current subscription
$ConnectivitySubscriptionId = "[your platform management subscription ID]"
Select-AzSubscription -SubscriptionId $ConnectivitySubscriptionId
cd src/bicep
cd platforms/lz-platform-scca-hub-1spoke
New-AzSubscriptionDeployment `
-TemplateFile platforms/lz-platform-scca-hub-1spoke/deploy.bicepp `
-TemplateParameterFile platforms/lz-platform-scca-hub-1spoke/parameters/deploy.parameters.json `
-Subscription xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx `
-Name deploy-hub1spoke-network `
-TemplateFile deploy.bicep `
-TemplateParameterFile deploy.parameters.json `
-Subscription $ConnectivitySubscriptionId `
-Location 'eastus'
```
@ -128,10 +280,21 @@ OR
```powershell
# For Azure Government regions
# When deploying to another cloud, like Azure US Government, first set the cloud and log in.
Connect-AzAccount -EnvironmentName AzureUSGovernment
# Set Platform connectivity subscription ID as the the current subscription
$ConnectivitySubscriptionId = "[your platform management subscription ID]"
Select-AzSubscription -SubscriptionId $ConnectivitySubscriptionId
cd src/bicep
cd platforms/lz-platform-scca-hub-1spoke
New-AzSubscriptionDeployment `
-TemplateFile platforms/lz-platform-scca-hub-1spoke/deploy.bicepp `
-TemplateParameterFile platforms/lz-platform-scca-hub-1spoke/parameters/deploy.parameters.json `
-Subscription xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx `
-Name deploy-hub1spoke-network `
-TemplateFile deploy.bicep `
-TemplateParameterFile deploy.parameters.json `
-Subscription $ConnectivitySubscriptionId `
-Location 'usgovvirginia'
```
@ -165,6 +328,41 @@ Get-AzResource -ResourceGroupName anoa-eastus-platforms-hub-rg
The Bicep/ARM deployment of NoOps Accelerator - Hub/Spoke deployment can be deleted with these steps:
### Delete the diagnostic settings deployed at the subscription level
To delete the diagnostic settings from the Azure Portal: choose the subscription blade, then Activity log in the left panel. At the top of the Activity log screen click the Diagnostics settings button. From there you can click the Edit setting link and delete the diagnostic setting.
> NOTE: If you deploy and delete Mission Landing Zone in the same subscription multiple times without deleting the subscription-level diagnostic settings, the sixth deployment will fail. Azure has a limit of five diagnostic settings per subscription. The error will be similar to this: `"The limit of 5 diagnostic settings was reached."`
To delete the diagnotic settings in script, use the AZ CLI or PowerShell. An AZ CLI example is below:
```BASH
# View diagnostic settings in the current subscription
az monitor diagnostic-settings subscription list --query value[] --output table
# Delete a diagnostic setting
az monitor diagnostic-settings subscription delete --name <diagnostic setting name>
```
### Downgrade the Microsoft Defender for Cloud
To downgrade the Microsoft Defender for Cloud pricing level in the Azure portal:
1. Navigate to the Microsoft Defender for Cloud page, then click the "Environment settings" tab in the left navigation panel.
1. In the tree/grid select the subscription you want to manage.
1. Click the large box near the top of the page that says "Enhanced security off".
1. Click the save button.
To downgrade the Microsoft Defender for Cloud pricing level using the AZ CLI:
```BASH
# List the pricing tiers
az security pricing list -o table --query "value[].{Name:name, Tier:pricingTier}"
# Change a pricing tier to the default free tier
az security pricing create --name "<name of tier>" --tier Free
```
### Delete Resource Groups
```bash
@ -184,9 +382,19 @@ Remove-AzResourceGroup -Name anoa-eastus-platforms-artifacts-rg
### Delete Deployments
```bash
az deployment sub delete -n deploy-hubspoke-network
az deployment sub delete -n deploy-hub1spoke-network
```
```powershell
Remove-AzSubscriptionDeployment -Name deploy-hubspoke-network
Remove-AzSubscriptionDeployment -Name deploy-hub1spoke-network
```
## Resources
[Bicep documentation](https://aka.ms/bicep/)
[`az deployment` documentation](https://docs.microsoft.com/en-us/cli/azure/deployment?view=azure-cli-latest)
[JMESPath queries](https://jmespath.org/)
[Azure Az PowerShell module](https://docs.microsoft.com/en-us/powershell/azure/what-is-azure-powershell)

20
src/bicep/platforms/lz-platform-scca-hub-3spoke/deploy.bicep
Просмотреть файл

@ -613,10 +613,11 @@ module modHubNetwork '../../azresources/hub-spoke-core/vdss/hub/anoa.lz.hub.netw
parHubVirtualNetworkDiagnosticsLogs: parHub.virtualNetworkDiagnosticsLogs
parHubVirtualNetworkDiagnosticsMetrics: parHub.virtualNetworkDiagnosticsMetrics
parHubSubnets: parHub.subnets
parEnablePrivateDnsZones: parHub.enablePrivateDnsZones
// Enable Azure FireWall
parAzureFirewallEnabled: parAzureFirewall.enable
parDisableBgpRoutePropagation: false
parDisableBgpRoutePropagation: parAzureFirewall.disableBgpRoutePropagation
// Hub Firewall Parameters
parFirewallSupernetIPAddress: parAzureFirewall.supernetIPAddress
@ -628,8 +629,7 @@ module modHubNetwork '../../azresources/hub-spoke-core/vdss/hub/anoa.lz.hub.netw
parFirewallDiagnosticsMetrics: parAzureFirewall.diagnosticsMetrics
parFirewallManagementPublicIPAddressAvailabilityZones: parAzureFirewall.managementPublicIPAddressAvailabilityZones
parPublicIPAddressDiagnosticsLogs: parAzureFirewall.publicIPAddressDiagnosticsLogs
parPublicIPAddressDiagnosticsMetrics: parAzureFirewall.parPublicIPAddressDiagnosticsMetrics
parFirewallPolicyRuleCollectionGroups: parAzureFirewall.ruleCollectionGroups
parPublicIPAddressDiagnosticsMetrics: parAzureFirewall.publicIPAddressDiagnosticsMetrics
// RBAC for Storage Parameters
parHubStorageAccountAccess: parHub.storageAccountAccess
@ -751,7 +751,7 @@ module modSharedServicesNetwork '../../azresources/hub-spoke-core/vdms/sharedser
// VIRTUAL NETWORK PEERINGS
module modHubVirtualNetworkPeerings '../../azresources/hub-spoke-core/peering/hub/anoa.lz.hub.network.peerings.bicep' = {
module modHubVirtualNetworkPeerings '../../azresources/hub-spoke-core/peering/hub/anoa.lz.hub.network.peerings.bicep' = if (parHub.peerToSpokeVirtualNetwork) {
name: 'deploy-vnet-peerings-hub-${parLocation}-${parDeploymentNameSuffix}'
scope: resourceGroup(parHub.subscriptionId, varHubResourceGroupName)
params: {
@ -776,7 +776,7 @@ module modHubVirtualNetworkPeerings '../../azresources/hub-spoke-core/peering/hu
}
}
module modSpokeOpsToHubVirtualNetworkPeerings '../../azresources/hub-spoke-core/peering/spoke/anoa.lz.spoke.network.peering.bicep' = {
module modSpokeOpsToHubVirtualNetworkPeerings '../../azresources/hub-spoke-core/peering/spoke/anoa.lz.spoke.network.peering.bicep' = if (parOperationsSpoke.peerToHubVirtualNetwork){
name: 'deploy-vnet-spoke-peerings-ops-${parLocation}-${parDeploymentNameSuffix}'
scope: resourceGroup(parOperationsSpoke.subscriptionId, varOperationsResourceGroupName)
params: {
@ -787,10 +787,12 @@ module modSpokeOpsToHubVirtualNetworkPeerings '../../azresources/hub-spoke-core/
// Hub Paramters
parHubVirtualNetworkName: modHubNetwork.outputs.virtualNetworkName
parHubVirtualNetworkResourceId: modHubNetwork.outputs.virtualNetworkResourceId
parAllowVirtualNetworkAccess: parOperationsSpoke.allowVirtualNetworkAccess
parUseRemoteGateways: parOperationsSpoke.useRemoteGateways
}
}
module modSpokeIdToHubVirtualNetworkPeerings '../../azresources/hub-spoke-core/peering/spoke/anoa.lz.spoke.network.peering.bicep' = {
module modSpokeIdToHubVirtualNetworkPeerings '../../azresources/hub-spoke-core/peering/spoke/anoa.lz.spoke.network.peering.bicep' = if (parIdentitySpoke.peerToHubVirtualNetwork) {
name: 'deploy-vnet-spoke-peerings-id-${parLocation}-${parDeploymentNameSuffix}'
scope: resourceGroup(parIdentitySpoke.subscriptionId, varIdentityResourceGroupName)
params: {
@ -801,10 +803,12 @@ module modSpokeIdToHubVirtualNetworkPeerings '../../azresources/hub-spoke-core/p
// Hub Paramters
parHubVirtualNetworkName: modHubNetwork.outputs.virtualNetworkName
parHubVirtualNetworkResourceId: modHubNetwork.outputs.virtualNetworkResourceId
parAllowVirtualNetworkAccess: parIdentitySpoke.allowVirtualNetworkAccess
parUseRemoteGateways: parIdentitySpoke.useRemoteGateways
}
}
module modSpokeSharedServicesToHubVirtualNetworkPeerings '../../azresources/hub-spoke-core/peering/spoke/anoa.lz.spoke.network.peering.bicep' = {
module modSpokeSharedServicesToHubVirtualNetworkPeerings '../../azresources/hub-spoke-core/peering/spoke/anoa.lz.spoke.network.peering.bicep' = if (parIdentitySpoke.peerToHubVirtualNetwork) {
name: 'deploy-vnet-spoke-peerings-svcs-${parLocation}-${parDeploymentNameSuffix}'
scope: resourceGroup(parSharedServicesSpoke.subscriptionId, varSharedServicesResourceGroupName)
params: {
@ -815,6 +819,8 @@ module modSpokeSharedServicesToHubVirtualNetworkPeerings '../../azresources/hub-
// Hub Parameters
parHubVirtualNetworkName: modHubNetwork.outputs.virtualNetworkName
parHubVirtualNetworkResourceId: modHubNetwork.outputs.virtualNetworkResourceId
parAllowVirtualNetworkAccess: parSharedServicesSpoke.allowVirtualNetworkAccess
parUseRemoteGateways: parSharedServicesSpoke.useRemoteGateways
}
}

48
src/bicep/platforms/lz-platform-scca-hub-3spoke/deployment.azcli Normal file
Просмотреть файл

@ -0,0 +1,48 @@
# AZ CLI Examples
# Hub/Spoke - Change variables to match your deployment
az login
cd src/bicep
cd platforms/lz-platform-scca-hub-3spoke
az deployment sub create --name deploy-hub3spoke-network --location EastUS --template-file deploy.bicep --parameters @parameters/deploy.parameters.json --subscription <<subscriptionId>>
# Clean Up
# Delete Resource Locks - Change variables to match your deployment
az resource lock delete --name lockName -g storageAccount --resource myvnet --resource-type Microsoft.Storage/storageAccounts
# Delete Diagnostic Settings - Change variables to match your deployment
# View diagnostic settings in the current subscription
az monitor diagnostic-settings subscription list --query value[] --output table
# Delete a diagnostic setting
az monitor diagnostic-settings subscription delete --name <diagnostic setting name>
# Delete Resource Groups - Change variables to match your deployment
az group delete -n anoa-eastus-dev-logging-rg -y
az group delete -n anoa-eastus-dev-hub-rg -y
az group delete -n anoa-eastus-dev-operations-rg -y
az group delete -n anoa-eastus-dev-sharedservices-rg -y
az group delete -n anoa-eastus-dev-artifacts-rg -y
# Delete Deployments - Change variables to match your deployment
az deployment sub delete -n deploy-hub3spoke-network
# AZ PowerShell
# Hub/Spoke - Change variables to match your deployment
Connect-AzAccount -EnvironmentName AzureCloud
cd src/bicep
cd platforms/lz-platform-scca-hub-3spoke
New-AzSubscriptionDeployment -TemplateFile .\anoa.hubspoke.bicep -TemplateParameterFile .\parameters\anoa.hubspoke.parameters.example.json -Location "EastUS" -Name deploy-hub3spoke-network
# Clean Up
# Delete Resource Groups - Change variables to match your deployment
Remove-AzResourceGroup -Name anoa-eastus-dev-logging-rg
Remove-AzResourceGroup -Name anoa-eastus-dev-hub-rg
Remove-AzResourceGroup -Name anoa-eastus-dev-identity-rg
Remove-AzResourceGroup -Name anoa-eastus-dev-operations-rg
Remove-AzResourceGroup -Name anoa-eastus-dev-sharedservices-rg
Remove-AzResourceGroup -Name anoa-eastus-dev-artifacts-rg
# Delete Deployments - Change variables to match your deployment
Remove-AzSubscriptionDeployment -Name deploy-hub3spoke-network

14
src/bicep/platforms/lz-platform-scca-hub-3spoke/parameters/deploy.parameters.json
Просмотреть файл

@ -12,7 +12,7 @@
"parTags": {
"value": {
"organization": "anoa",
"region": "eastus",
"region": "usgovvirginia",
"templateVersion": "v1.0",
"deployEnvironment": "dev",
"deploymentType": "NoOpsBicep"
@ -23,6 +23,8 @@
"subscriptionId": "<<subscriptionId>>",
"virtualNetworkAddressPrefix": "10.0.100.0/24",
"subnetAddressPrefix": "10.0.100.128/27",
"peerToSpokeVirtualNetwork": true,
"enablePrivateDnsZones": true,
"subnets": [
{
"name": "AzureFirewallSubnet",
@ -65,6 +67,9 @@
"10.0.115.0/26",
"10.0.120.0/26"
],
"peerToHubVirtualNetwork": true,
"useRemoteGateway": false,
"allowVirtualNetworkAccess": true,
"virtualNetworkDiagnosticsLogs": [],
"virtualNetworkDiagnosticsMetrics": [],
"networkSecurityGroupRules": [
@ -124,6 +129,9 @@
"10.0.110.0/26",
"10.0.120.0/26"
],
"peerToHubVirtualNetwork": true,
"useRemoteGateway": false,
"allowVirtualNetworkAccess": true,
"virtualNetworkDiagnosticsLogs": [],
"virtualNetworkDiagnosticsMetrics": [],
"networkSecurityGroupRules": [
@ -183,6 +191,9 @@
"10.0.115.0/26",
"10.0.110.0/26"
],
"peerToHubVirtualNetwork": true,
"useRemoteGateway": false,
"allowVirtualNetworkAccess": true,
"virtualNetworkDiagnosticsLogs": [],
"virtualNetworkDiagnosticsMetrics": [],
"networkSecurityGroupRules": [
@ -269,6 +280,7 @@
"parAzureFirewall": {
"value": {
"enable": true,
"disableBgpRoutePropagation": false,
"clientPublicIPAddressAvailabilityZones": [],
"managementPublicIPAddressAvailabilityZones": [],
"supernetIPAddress": "10.0.96.0/19",

253
src/bicep/platforms/lz-platform-scca-hub-3spoke/readme.md
Просмотреть файл

@ -1,4 +1,4 @@
# NoOps Accelerator - Platforms - SCCA Compliant Hub - 3 Spoke
# NoOps Accelerator - Platforms - SCCA Compliant Hub - 3 Spoke Landing Zone
## Overview
@ -14,7 +14,7 @@ Read on to understand what this landing zone does, and when you're ready, collec
## About Hub 3 Spoke Landing Zone
The docs on Hub/Spoke Landing Zone: <https://docs.microsoft.com/en-us/azure/app-service/overview-hosting-plans>.
The docs on Hub/Spoke Landing Zone: <https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/hub-spoke?tabs=cli>
### What is a Landing Zone?
@ -45,6 +45,47 @@ Presently, there are two firewall rules configured to ensure access to the Azure
|100 | AllowAzureCloud | AzureCloud|* | * |Any |
|110 | AzureAuth | msftauth | * | Https:443| aadcdn.msftauth.net, aadcdn.msauth.net |
### Naming Conventions
By default, Hub - 3 Spoke Platform resources are named according to a naming convention that uses the mandatory `orgPrefix` (that is defaulted to `anoa`), `templateVersion` & `deployEnvironment`.
#### Default Naming Convention Example
Let's look at an example using `parRequired="{ \"orgPrefix\":\"$ORG_PREFIX\", \"templateVersion\":\"v1.0\", \"deployEnvironment\":\"$DEPLOY_ENV\" }"`
In `deploy.bicep` you will find a variable titled `namingConvention`:
```bicep
var varNamingConvention = '${toLower(parRequired.orgPrefix)}-${toLower(parLocation)}-${toLower(parRequired.deployEnvironment)}-${varNameToken}-${toLower(varResourceToken)}'
# this generates a value of: ${orgPrefix}-${location}-${deployEnvironment}-${nameToken}-${resourceToken}
```
This naming convention uses Bicep's `replace()` function to substitute resource abbreviations for `resourceToken` and resource names for `nameToken`.
For example, when naming the Hub Resource Group, first the `resourceToken` is substituted with the recommended abbreviation `rg`:
```bicep
var resourceGroupNamingConvention = replace(namingConvention, resourceToken, 'rg')
# this generates a value of: anoa-eastus-${nameToken}-dev-rg
```
Then, the `nameToken` is substituted with the Azure NoOps Accelerator name `hub`:
```bicep
var hubResourceGroupName = replace(resourceGroupNamingConvention, nameToken, 'hub')
# this generates a value of: anoa-eastus-hub-dev-rg
```
Finally, the `hubResourceGroupName` is assigned to the resource group `varHubName` variable:
```bicep
var varHubName = 'hub'
var varHubResourceGroupName = replace(varResourceGroupNamingConvention, varNameToken, varHubName)
# this is the calculated value 'anoa-eastus-hub-dev-rg'
```
### Tagging
Organize cloud resources to meet the needs of governance, operational management, and accounting. Resources can be managed and found more quickly with the aid of well-defined metadata tagging protocols. By using charge back and show back accounting procedures, these conventions also assist in tying cloud usage charges to specific business teams.
@ -60,13 +101,102 @@ A tagging strategy include business and operational details:
Most customers will deploy each tier to a separate Azure subscription, but multiple subscriptions are not required. A single subscription deployment is good for a testing and evaluation, or possibly a small IT Admin team.
Hub - 3 Spoke Platform can deploy to a single subscription or multiple subscriptions. A test and evaluation deployment may deploy everything to a single subscription, and a production deployment may place each tier into its own subscription.
The optional parameters related to subscriptions are below. They releated to each tier object used for deployment.
Parameter name | Default Value | Description
-------------- | ------------- | -----------
`parHub.subscriptionId` | Deployment subscription | Subscription containing the firewall and network hub
`parIdentitySpoke.subscriptionId` | Deployment subscription | Tier 0 for identity solutions
`parOperationsSpoke.subscriptionId` | Deployment subscription | Tier 1 for network operations, logging and security tools
`parSharedServicesSpoke.subscriptionId` | Deployment subscription | Tier 2 for shared services
### Networking
The following parameters affect networking. They releated to each tier object used for deployment.
Parameter name | Default Value | Description
-------------- | ------------- | -----------
`parHub.virtualNetworkAddressPrefix` | '10.0.100.0/24' | The CIDR Virtual Network Address Prefix for the Hub Virtual Network.
`parHub.subnetAddressPrefix` | '10.0.100.128/27' | The CIDR Subnet Address Prefix for the default Hub subnet. It must be in the Hub Virtual Network space.
`parHub.peerToSpokeVirtualNetwork` | true | This is a switch for peering to an Spoke Network. This is used with the spoke network peering as well. Both parameters either need to be true or false.
`parHub.subnets.addressPrefix` (Firewall Client Subnet Address Prefix)| '10.0.100.0/26' | The CIDR Subnet Address Prefix for the Azure Firewall Subnet. It must be in the Hub Virtual Network space. It must be /26.
`parHub.subnets.addressPrefix` (Firewall Management Subnet Address Prefix) | '10.0.100.64/26' | The CIDR Subnet Address Prefix for the Azure Firewall Management Subnet. It must be in the Hub Virtual Network space. It must be /26.
`parIdentitySpoke.virtualNetworkAddressPrefix` | '10.0.110.0/26' | The CIDR Virtual Network Address Prefix for the Identity Virtual Network.
`parIdentitySpoke.subnetAddressPrefix` | '10.0.110.0/27' | The CIDR Subnet Address Prefix for the default Identity subnet. It must be in the Identity Virtual Network space.
`parIdentitySpoke.peerToHubVirtualNetwork` | true | This is a switch for peering to an Hub Network from a Identity Spoke. This is used with the hub network peering as well. Both parameters either need to be true or false.
`parOperationsSpoke.virtualNetworkAddressPrefix` | '10.0.115.0/26' | The CIDR Virtual Network Address Prefix for the Operations Virtual Network.
`parOperationsSpoke.subnetAddressPrefix` | '10.0.115.0/27' | The CIDR Subnet Address Prefix for the default Operations subnet. It must be in the Operations Virtual Network space.
`parOperationsSpoke.peerToHubVirtualNetwork` | true | This is a switch for peering to an Hub Network from a Operations Spoke. This is used with the hub network peering as well. Both parameters either need to be true or false.
`parSharedServicesSpoke.virtualNetworkAddressPrefix` | '10.0.120.0/26' | The CIDR Virtual Network Address Prefix for the Shared Services Virtual Network.
`parSharedServicesSpoke.subnetAddressPrefix` | '10.0.120.0/27' | The CIDR Subnet Address Prefix for the default Shared Services subnet. It must be in the Shared Services Virtual Network space.
`parSharedServicesSpoke.peerToHubVirtualNetwork` | true | This is a switch for peering to an Hub Network from a SharedServices Spoke. This is used with the hub network peering as well. Both parameters either need to be true or false.
## Optional Features
Hub - 3 Spoke Platform has optional features that can be enabled by setting parameters on the deployment.
### Microsoft Defender for Cloud
By default [Microsoft Defender for Cloud](https://docs.microsoft.com/en-us/azure/defender-for-cloud/defender-for-cloud-introduction) offers a free set of monitoring capabilities that are enabled via an Azure policy when you first set up a subscription and view the Microsoft Defender for Cloud portal blade.
Microsoft Defender for Cloud offers a standard/defender sku which enables a greater depth of awareness including more recomendations and threat analytics. You can enable this higher depth level of security in Hub - 3 Spoke Platform by setting the parameter `parSecurityCenter.enableDefender` during deployment. In addition you can include the `parSecurityCenter.emailSecurityContact` parameter to set a contact email for alerts and `parSecurityCenter.phoneSecurityContact` parameter to set a contact phone for alerts.
Parameter name | Default Value | Description
-------------- | ------------- | -----------
`parSecurityCenter.enableDefender` | 'false' | When set to "true", enables Microsoft Defender for Cloud for the subscriptions used in the deployment. It defaults to "false".
`parSecurityCenter.emailSecurityContact` | '' | Email address of the contact, in the form of john@doe.com
`parSecurityCenter.phoneSecurityContact` | '' | Phone of the contact, in the form of 5555555555
`parSecurityCenter.alertNotifications` | '' | alert notifications for contact
`parSecurityCenter.alertsToAdminsNotifications` | '' | alert notifications for contact admin
The Defender plan by resource type for Microsoft Defender for Cloud is enabled by default in the following [Azure Environments](https://docs.microsoft.com/en-us/powershell/module/servicemanagement/azure.service/get-azureenvironment?view=azuresmps-4.0.0): `AzureCloud` and `AzureUSGovernment`. To enable this for other Azure Cloud environments, this will need to executed manually.
Documentation on how to do this can be found
[here](https://docs.microsoft.com/en-us/azure/defender-for-cloud/enable-enhanced-security)
### Azure Sentinel
[Sentinel](https://docs.microsoft.com/en-us/azure/sentinel/overview) is a scalable, cloud-native, security information and event management (SIEM) and security orchestration, automation, and response (SOAR) solution. Sentinel can be enabled by setting the `parLogging.enableSentinel` parameter.
Parameter name | Default Value | Description
-------------- | ------------- | -----------
`parLogging.enableSentinel` | 'false' | When set to "true", enables Microsoft Sentinel within the Log Analytics Workspace created in this deployment. It defaults to "false".
### Remote access with a Bastion Host
If you want to remotely access the network and the resources you've deployed you can use [Azure Bastion](https://docs.microsoft.com/en-us/azure/bastion/) to remotely access virtual machines within the network without exposing them via Public IP Addresses.
Deploy a Linux and Windows virtual machine as jumpboxes into the network without a Public IP Address using Azure Bastion Host by providing values for these parameters:
Parameter name | Default Value | Description
-------------- | ------------- | -----------
`parRemoteAccess.enable` | 'false' | When set to "true", provisions Azure Bastion Host and virtual machine jumpboxes. It defaults to "false".
`parRemoteAccess.windows.vmAdminPassword` | 'Rem0te@2020246' | The administrator password the Windows Virtual Machine to Azure Bastion remote into. It must be > 12 characters in length. See [password requirements for creating a Windows VM](https://docs.microsoft.com/en-us/azure/virtual-machines/windows/faq#what-are-the-password-requirements-when-creating-a-vm-).
`parRemoteAccess.linux.vmAuthenticationType` | 'Rem0te@2020246' | [sshPublicKey/password] The authentication type for the Linux Virtual Machine to Azure Bastion remote into. It defaults to "Rem0te@2020246".
`parRemoteAccess.linux.vmAdminPasswordOrKey` | new guid | The administrator password or public SSH key for the Linux Virtual Machine to Azure Bastion remote into. See [password requirements for creating a Linux VM](https://docs.microsoft.com/en-us/azure/virtual-machines/linux/faq#what-are-the-password-requirements-when-creating-a-vm-).
`parRemoteAccess.windows.vmAdminUsername` | 'azureuser' | The administrator username for the Linux Virtual Machine to Azure Bastion remote into. It defaults to "azureuser".
`parRemoteAccess.linux.vmAdminUsername` | 'azureuser' | The administrator username for the Linux Virtual Machine to Azure Bastion remote into. It defaults to "azureuser".
### Azure Firewall Premium
By default, Hub - 3 Spoke Platform deploys **[Azure Firewall Premium](https://docs.microsoft.com/en-us/azure/firewall/premium-features). Not all regions support Azure Firewall Premium.** Check here to [see if the region you're deploying to supports Azure Firewall Premium](https://docs.microsoft.com/en-us/azure/firewall/premium-features#supported-regions). If necessary you can set a different firewall SKU or location.
You can manually specify which SKU of Azure Firewall to use for your deployment by specifying the `parAzureFirewall.skuTier` parameter. This parameter only accepts values of `Standard` or `Premium`.
Parameter name | Default Value | Description
-------------- | ------------- | -----------
`parAzureFirewall.skuTier` | 'Premium' | [Standard/Premium] The SKU for Azure Firewall. It defaults to "Premium".
If you'd like to specify a different region to deploy your resources into, change the location of the deployment. For example, when using the AZ CLI set the deployment command's `--location` argument.
### Operational Network Artifacts
If needed, The Operational Network Artifacts are used when operations wants to seperate all key, secrets and operations storage from the hub/spoke model.
### DDOS
If needed, You can dpeloy an DDOS Standard configuration if a firewall is not needed.
If needed, You can deploy an DDOS Standard configuration if a firewall is not needed.
## Parameters
@ -83,7 +213,7 @@ parIdentitySpoke | object | {object} | Identity Spoke Virtual network configurat
parSharedServicesSpoke | object | {object} | Shared Services Spoke Virtual network configuration. See [See azresources/hub-spoke-core/vdms/sharedservices/readme.md](../../azresources/hub-spoke-core/vdms/sharedservices/readme.md)
parAzureFirewall | object | {object} | Azure Firewall configuration. Azure Firewall is deployed in Forced Tunneling mode where a route table must be added as the next hop.
parLogging | object | {object} | Enables logging parmeters and Microsoft Sentinel within the Log Analytics Workspace created in this deployment. See [azresources/hub-spoke-core/vdms/logging/readme.md](../../azresources/hub-spoke-core/vdms/logging/readme.md)
parRemoteAccess | object | {object} | When set to "true", provisions Azure Bastion Host. It defaults to "false". See [overlays/management-services/bastion/readme.md](../../overlays/management-services/bastion/readme.md)
parRemoteAccess | object | {object} | Provisions Azure Bastion Host. See [overlays/management-services/bastion/readme.md](../../overlays/management-services/bastion/readme.md)
Optional Parameters | Type | Allowed Values | Description
| :-- | :-- | :-- | :-- |
@ -91,7 +221,7 @@ parNetworkArtifacts | object | {object} | Optional. Enables Operations Network A
parSecurityCenter | object | {object} | Microsoft Defender for Cloud. It includes email and phone. See [overlays/management-services/defender/readme.md](../../overlays/management-services/defender/readme.md)
parDdosStandard | bool | `false` | DDOS Standard configuration.
## Deploy the Landing Zone
## Deploy the Platform Landing Zone
Connect to the appropriate Azure Environment and set appropriate context, see getting started with Azure PowerShell or Azure CLI for help if needed. The commands below assume you are deploying in Azure Commercial and show the entire process deploying Platform Hub/Spoke Design.
@ -101,29 +231,46 @@ For example, deploying using the `az deployment sub create` command in the Azure
```bash
# For Azure Commerical regions
# When deploying to Azure cloud, first set the cloud.
az cloudset --name AzureCloud
# Set Platform connectivity subscription ID as the the current subscription
$ConnectivitySubscriptionId="[your platform management subscription ID]"
az account set --subscription $ConnectivitySubscriptionId
#log in
az login
cd src/bicep
cd platforms/lz-platform-scca-hub-3spoke
az deployment sub create \
--name contoso \
--subscription xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx \
--template-file platforms/lz-platform-scca-hub-3spoke/deploy.bicep \
--name deploy-hub1spoke-network \
--subscription $ConnectivitySubscriptionId \
--template-file deploy.bicep \
--location eastus \
--parameters @platforms/lz-platform-scca-hub-3spoke/parameters/deploy.parameters.json
--parameters @parameters/deploy.parameters.json
```
OR
```bash
# For Azure Government regions
# When deploying to another cloud, like Azure US Government, first set the cloud and log in.
az cloudset --name AzureGovernment
# Set Platform connectivity subscription ID as the the current subscription
$ConnectivitySubscriptionId="[your platform management subscription ID]"
az account set --subscription $ConnectivitySubscriptionId
az login
cd src/bicep
cd platforms/lz-platform-scca-hub-3spoke
az deployment sub create \
--template-file platforms/lz-platform-scca-hub-3spoke/deploy.bicep \
--parameters @platforms/lz-platform-scca-hub-3spoke/parameters/deploy.parameters.json \
--subscription xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx \
--name deploy-hub1spoke-network \
--template-file deploy.bicep \
--parameters @parameters/deploy.parameters.json \
--subscription $ConnectivitySubscriptionId \
--location 'usgovvirginia'
```
@ -131,10 +278,20 @@ az deployment sub create \
```powershell
# For Azure Commerical regions
# When deploying to Azure cloud, first set the cloud and log in.
Connect-AzAccount -EnvironmentName AzureCloud
# Set Platform connectivity subscription ID as the the current subscription
$ConnectivitySubscriptionId = "[your platform management subscription ID]"
Select-AzSubscription -SubscriptionId $ConnectivitySubscriptionId
cd src/bicep
cd platforms/lz-platform-scca-hub-3spoke
New-AzSubscriptionDeployment `
-TemplateFile platforms/lz-platform-scca-hub-3spoke/deploy.bicep `
-TemplateParameterFile platforms/lz-platform-scca-hub-3spoke/parameters/deploy.parameters.example.json `
-Subscription xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx `
-Name deploy-hub1spoke-network `
-TemplateFile deploy.bicep `
-TemplateParameterFile deploy.parameters.json `
-Subscription $ConnectivitySubscriptionId `
-Location 'eastus'
```
@ -142,10 +299,21 @@ OR
```powershell
# For Azure Government regions
# When deploying to another cloud, like Azure US Government, first set the cloud and log in.
Connect-AzAccount -EnvironmentName AzureUSGovernment
# Set Platform connectivity subscription ID as the the current subscription
$ConnectivitySubscriptionId = "[your platform management subscription ID]"
Select-AzSubscription -SubscriptionId $ConnectivitySubscriptionId
cd src/bicep
cd platforms/lz-platform-scca-hub-3spoke
New-AzSubscriptionDeployment `
-TemplateFile platforms/lz-platform-scca-hub-3spoke/deploy.bicep `
-TemplateParameterFile platforms/lz-platform-scca-hub-3spoke/parameters/deploy.parameters.example.json `
-Subscription xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx `
-Name deploy-hub1spoke-network `
-TemplateFile deploy.bicep `
-TemplateParameterFile deploy.parameters.json `
-Subscription $ConnectivitySubscriptionId `
-Location 'usgovvirginia'
```
@ -179,6 +347,41 @@ Get-AzResource -ResourceGroupName anoa-eastus-platforms-hub-rg
The Bicep/ARM deployment of NoOps Accelerator - Hub/Spoke deployment can be deleted with these steps:
### Delete the diagnostic settings deployed at the subscription level
To delete the diagnostic settings from the Azure Portal: choose the subscription blade, then Activity log in the left panel. At the top of the Activity log screen click the Diagnostics settings button. From there you can click the Edit setting link and delete the diagnostic setting.
> NOTE: If you deploy and delete Mission Landing Zone in the same subscription multiple times without deleting the subscription-level diagnostic settings, the sixth deployment will fail. Azure has a limit of five diagnostic settings per subscription. The error will be similar to this: `"The limit of 5 diagnostic settings was reached."`
To delete the diagnotic settings in script, use the AZ CLI or PowerShell. An AZ CLI example is below:
```BASH
# View diagnostic settings in the current subscription
az monitor diagnostic-settings subscription list --query value[] --output table
# Delete a diagnostic setting
az monitor diagnostic-settings subscription delete --name <diagnostic setting name>
```
### Downgrade the Microsoft Defender for Cloud
To downgrade the Microsoft Defender for Cloud pricing level in the Azure portal:
1. Navigate to the Microsoft Defender for Cloud page, then click the "Environment settings" tab in the left navigation panel.
1. In the tree/grid select the subscription you want to manage.
1. Click the large box near the top of the page that says "Enhanced security off".
1. Click the save button.
To downgrade the Microsoft Defender for Cloud pricing level using the AZ CLI:
```BASH
# List the pricing tiers
az security pricing list -o table --query "value[].{Name:name, Tier:pricingTier}"
# Change a pricing tier to the default free tier
az security pricing create --name "<name of tier>" --tier Free
```
### Delete Resource Groups
```bash
@ -202,9 +405,19 @@ Remove-AzResourceGroup -Name anoa-eastus-platforms-artifacts-rg
### Delete Deployments
```bash
az deployment sub delete -n deploy-hubspoke-network
az deployment sub delete -n deploy-hub3spoke-network
```
```powershell
Remove-AzSubscriptionDeployment -Name deploy-hubspoke-network
Remove-AzSubscriptionDeployment -Name deploy-hub3spoke-network
```
## Resources
[Bicep documentation](https://aka.ms/bicep/)
[`az deployment` documentation](https://docs.microsoft.com/en-us/cli/azure/deployment?view=azure-cli-latest)
[JMESPath queries](https://jmespath.org/)
[Azure Az PowerShell module](https://docs.microsoft.com/en-us/powershell/azure/what-is-azure-powershell)

13
src/bicep/platforms/lz-platform-scca-hub-4spoke/bicepconfig.json Normal file
Просмотреть файл

@ -0,0 +1,13 @@
{
"analyzers": {
"core": {
"verbose": false,
"enabled": true,
"rules": {
"no-hardcoded-env-urls": {
"level": "off"
}
}
}
}
}

1058
src/bicep/platforms/lz-platform-scca-hub-4spoke/deploy.bicep Normal file
Просмотреть файл

Разница между файлами не показана из-за своего большого размера Загрузить разницу

48
src/bicep/platforms/lz-platform-scca-hub-4spoke/deployment.azcli Normal file
Просмотреть файл

@ -0,0 +1,48 @@
# AZ CLI Examples
# Hub/Spoke - Change variables to match your deployment
az login
cd src/bicep
cd platforms/lz-platform-scca-hub-3spoke
az deployment sub create --name deploy-hub3spoke-network --location EastUS --template-file deploy.bicep --parameters @parameters/deploy.parameters.json --subscription <<subscriptionId>>
# Clean Up
# Delete Resource Locks - Change variables to match your deployment
az resource lock delete --name lockName -g storageAccount --resource myvnet --resource-type Microsoft.Storage/storageAccounts
# Delete Diagnostic Settings - Change variables to match your deployment
# View diagnostic settings in the current subscription
az monitor diagnostic-settings subscription list --query value[] --output table
# Delete a diagnostic setting
az monitor diagnostic-settings subscription delete --name <diagnostic setting name>
# Delete Resource Groups - Change variables to match your deployment
az group delete -n anoa-eastus-dev-logging-rg -y
az group delete -n anoa-eastus-dev-hub-rg -y
az group delete -n anoa-eastus-dev-operations-rg -y
az group delete -n anoa-eastus-dev-sharedservices-rg -y
az group delete -n anoa-eastus-dev-artifacts-rg -y
# Delete Deployments - Change variables to match your deployment
az deployment sub delete -n deploy-hub3spoke-network
# AZ PowerShell
# Hub/Spoke - Change variables to match your deployment
Connect-AzAccount -EnvironmentName AzureCloud
cd src/bicep
cd platforms/lz-platform-scca-hub-3spoke
New-AzSubscriptionDeployment -TemplateFile .\anoa.hubspoke.bicep -TemplateParameterFile .\parameters\anoa.hubspoke.parameters.example.json -Location "EastUS" -Name deploy-hub3spoke-network
# Clean Up
# Delete Resource Groups - Change variables to match your deployment
Remove-AzResourceGroup -Name anoa-eastus-dev-logging-rg
Remove-AzResourceGroup -Name anoa-eastus-dev-hub-rg
Remove-AzResourceGroup -Name anoa-eastus-dev-identity-rg
Remove-AzResourceGroup -Name anoa-eastus-dev-operations-rg
Remove-AzResourceGroup -Name anoa-eastus-dev-sharedservices-rg
Remove-AzResourceGroup -Name anoa-eastus-dev-artifacts-rg
# Delete Deployments - Change variables to match your deployment
Remove-AzSubscriptionDeployment -Name deploy-hub3spoke-network

Двоичные данные
src/bicep/platforms/lz-platform-scca-hub-4spoke/media/hub-4spoke-network-topology-architecture.jpg Normal file
Просмотреть файл

Двоичный файл не отображается.
Режим "рядом"

После

Ширина:  |  Высота:  |  Размер: 112 KiB

457
src/bicep/platforms/lz-platform-scca-hub-4spoke/parameters/deploy.parameters.json Normal file
Просмотреть файл

@ -0,0 +1,457 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"parRequired": {
"value": {
"orgPrefix": "anoa",
"templateVersion": "v1.0",
"deployEnvironment": "dev"
}
},
"parTags": {
"value": {
"organization": "anoa",
"region": "usgovvirginia",
"templateVersion": "v1.0",
"deployEnvironment": "dev",
"deploymentType": "NoOpsBicep"
}
},
"parHub": {
"value": {
"subscriptionId": "<<subscriptionId>>",
"virtualNetworkAddressPrefix": "10.0.100.0/24",
"subnetAddressPrefix": "10.0.100.128/27",
"peerToSpokeVirtualNetwork": true,
"enablePrivateDnsZones": true,
"subnets": [
{
"name": "AzureFirewallSubnet",
"addressPrefix": "10.0.100.0/26",
"serviceEndpoints": []
},
{
"name": "AzureFirewallManagementSubnet",
"addressPrefix": "10.0.100.64/26",
"serviceEndpoints": []
}
],
"virtualNetworkDiagnosticsLogs": [],
"virtualNetworkDiagnosticsMetrics": [],
"networkSecurityGroupRules": [],
"networkSecurityGroupDiagnosticsLogs": [
"NetworkSecurityGroupEvent",
"NetworkSecurityGroupRuleCounter"
],
"subnetServiceEndpoints": [
{
"service": "Microsoft.Storage"
}
],
"storageAccountAccess": {
"enableRoleAssignmentForStorageAccount": false,
"principalIds": [
"<<principalId>>"
],
"roleDefinitionIdOrName": "Contributor"
}
}
},
"parIdentitySpoke": {
"value": {
"subscriptionId": "<<subscriptionId>>",
"virtualNetworkAddressPrefix": "10.0.110.0/26",
"subnetAddressPrefix": "10.0.110.0/27",
"sourceAddressPrefixes": [
"10.0.115.0/26",
"10.0.120.0/26",
"10.0.130.0/26"
],
"peerToHubVirtualNetwork": true,
"useRemoteGateway": false,
"allowVirtualNetworkAccess": true,
"virtualNetworkDiagnosticsLogs": [],
"virtualNetworkDiagnosticsMetrics": [],
"networkSecurityGroupRules": [
{
"name": "Allow-Traffic-From-Spokes",
"properties": {
"access": "Allow",
"description": "Allow traffic from spokes",
"destinationAddressPrefix": "10.0.110.0/26",
"destinationPortRanges": [
"22",
"80",
"443",
"3389"
],
"direction": "Inbound",
"priority": 200,
"protocol": "*",
"sourceAddressPrefixes": [
"10.0.115.0/26",
"10.0.120.0/26",
"10.0.130.0/26"
],
"sourcePortRange": "*"
},
"type": "string"
}
],
"publicIPAddressDiagnosticsLogs": [
"DDoSProtectionNotifications",
"DDoSMitigationFlowLogs",
"DDoSMitigationReports"
],
"networkSecurityGroupDiagnosticsLogs": [
"NetworkSecurityGroupEvent",
"NetworkSecurityGroupRuleCounter"
],
"subnetServiceEndpoints": [
{
"service": "Microsoft.Storage"
}
],
"storageAccountAccess": {
"enableRoleAssignmentForStorageAccount": false,
"principalIds": [
"<<principalId>>"
],
"roleDefinitionIdOrName": "Contributor"
}
}
},
"parOperationsSpoke": {
"value": {
"subscriptionId": "<<subscriptionId>>",
"virtualNetworkAddressPrefix": "10.0.115.0/26",
"subnetAddressPrefix": "10.0.115.0/27",
"sourceAddressPrefixes": [
"10.0.110.0/26",
"10.0.120.0/26",
"10.0.130.0/26"
],
"peerToHubVirtualNetwork": true,
"useRemoteGateway": false,
"allowVirtualNetworkAccess": true,
"virtualNetworkDiagnosticsLogs": [],
"virtualNetworkDiagnosticsMetrics": [],
"networkSecurityGroupRules": [
{
"name": "Allow-Traffic-From-Spokes",
"properties": {
"access": "Allow",
"description": "Allow traffic from spokes",
"destinationAddressPrefix": "10.0.115.0/26",
"destinationPortRanges": [
"22",
"80",
"443",
"3389"
],
"direction": "Inbound",
"priority": 200,
"protocol": "*",
"sourceAddressPrefixes": [
"10.0.110.0/26",
"10.0.120.0/26",
"10.0.130.0/26"
],
"sourcePortRange": "*"
},
"type": "string"
}
],
"publicIPAddressDiagnosticsLogs": [
"DDoSProtectionNotifications",
"DDoSMitigationFlowLogs",
"DDoSMitigationReports"
],
"networkSecurityGroupDiagnosticsLogs": [
"NetworkSecurityGroupEvent",
"NetworkSecurityGroupRuleCounter"
],
"subnetServiceEndpoints": [
{
"service": "Microsoft.Storage"
}
],
"storageAccountAccess": {
"enableRoleAssignmentForStorageAccount": false,
"principalIds": [
"<<principalId>>"
],
"roleDefinitionIdOrName": "Contributor"
}
}
},
"parSharedServicesSpoke": {
"value": {
"subscriptionId": "<<subscriptionId>>",
"virtualNetworkAddressPrefix": "10.0.120.0/26",
"subnetAddressPrefix": "10.0.120.0/27",
"sourceAddressPrefixes": [
"10.0.115.0/26",
"10.0.110.0/26",
"10.0.130.0/26"
],
"peerToHubVirtualNetwork": true,
"useRemoteGateway": false,
"allowVirtualNetworkAccess": true,
"virtualNetworkDiagnosticsLogs": [],
"virtualNetworkDiagnosticsMetrics": [],
"networkSecurityGroupRules": [
{
"name": "Allow-Traffic-From-Spokes",
"properties": {
"access": "Allow",
"description": "Allow traffic from spokes",
"destinationAddressPrefix": "10.0.120.0/26",
"destinationPortRanges": [
"22",
"80",
"443",
"3389"
],
"direction": "Inbound",
"priority": 200,
"protocol": "*",
"sourceAddressPrefixes": [
"10.0.115.0/26",
"10.0.110.0/26",
"10.0.130.0/26"
],
"sourcePortRange": "*"
},
"type": "string"
}
],
"publicIPAddressDiagnosticsLogs": [
"DDoSProtectionNotifications",
"DDoSMitigationFlowLogs",
"DDoSMitigationReports"
],
"networkSecurityGroupDiagnosticsLogs": [
"NetworkSecurityGroupEvent",
"NetworkSecurityGroupRuleCounter"
],
"subnetServiceEndpoints": [
{
"service": "Microsoft.Storage"
}
],
"storageAccountAccess": {
"enableRoleAssignmentForStorageAccount": false,
"principalIds": [
"<<principalId>>"
],
"roleDefinitionIdOrName": "Contributor"
}
}
},
"parDataSharedServicesSpoke": {
"value": {
"subscriptionId": "<<subscriptionId>>",
"virtualNetworkAddressPrefix": "10.0.130.0/26",
"subnetAddressPrefix": "10.0.130.0/27",
"sourceAddressPrefixes": [
"10.0.115.0/26",
"10.0.110.0/26",
"10.0.120.0/26"
],
"peerToHubVirtualNetwork": true,
"useRemoteGateway": false,
"allowVirtualNetworkAccess": true,
"virtualNetworkDiagnosticsLogs": [],
"virtualNetworkDiagnosticsMetrics": [],
"networkSecurityGroupRules": [
{
"name": "Allow-Traffic-From-Spokes",
"properties": {
"access": "Allow",
"description": "Allow traffic from spokes",
"destinationAddressPrefix": "10.0.130.0/26",
"destinationPortRanges": [
"22",
"80",
"443",
"3389"
],
"direction": "Inbound",
"priority": 200,
"protocol": "*",
"sourceAddressPrefixes": [
"10.0.115.0/26",
"10.0.120.0/26",
"10.0.110.0/26"
],
"sourcePortRange": "*"
},
"type": "string"
}
],
"publicIPAddressDiagnosticsLogs": [
"DDoSProtectionNotifications",
"DDoSMitigationFlowLogs",
"DDoSMitigationReports"
],
"networkSecurityGroupDiagnosticsLogs": [
"NetworkSecurityGroupEvent",
"NetworkSecurityGroupRuleCounter"
],
"subnetServiceEndpoints": [
{
"service": "Microsoft.Storage"
}
],
"storageAccountAccess": {
"enableRoleAssignmentForStorageAccount": false,
"principalIds": [
"<<principalId>>"
],
"roleDefinitionIdOrName": "Contributor"
}
}
},
"parNetworkArtifacts": {
"value": {
"enable": false,
"artifactsKeyVault": {
"keyVaultPolicies": {
"objectId": "<<objectId>>",
"permissions": {
"keys": [
"get",
"list",
"update"
],
"secrets": [
"all"
]
},
"tenantId": "<<tenantId>>"
}
},
"storageAccountAccess": {
"enableRoleAssignmentForStorageAccount": false,
"principalIds": [
"<<principalId>>"
],
"roleDefinitionIdOrName": "Contributor"
}
}
},
"parDdosStandard": {
"value": {
"enable": false
}
},
"parAzureFirewall": {
"value": {
"enable": true,
"disableBgpRoutePropagation": false,
"clientPublicIPAddressAvailabilityZones": [],
"managementPublicIPAddressAvailabilityZones": [],
"supernetIPAddress": "10.0.96.0/19",
"skuTier": "Premium",
"threatIntelMode": "Alert",
"intrusionDetectionMode": "Alert",
"publicIPAddressDiagnosticsLogs": [
"DDoSProtectionNotifications",
"DDoSMitigationFlowLogs",
"DDoSMitigationReports"
],
"publicIPAddressDiagnosticsMetrics": [
"AllMetrics"
],
"diagnosticsLogs": [
"AzureFirewallApplicationRule",
"AzureFirewallNetworkRule",
"AzureFirewallDnsProxy"
],
"diagnosticsMetrics": [
"AllMetrics"
],
"storageAccountAccess": {
"value": {
"enableRoleAssignmentForStorageAccount": false,
"principalIds": [
"<<principalId>>"
],
"roleDefinitionIdOrName": "Contributor"
}
}
}
},
"parLogging": {
"value": {
"enableSentinel": true,
"logAnalyticsWorkspaceCappingDailyQuotaGb": -1,
"logAnalyticsWorkspaceRetentionInDays": 30,
"logAnalyticsWorkspaceSkuName": "PerGB2018",
"logStorageSkuName": "Standard_GRS",
"storageAccountAccess": {
"enableRoleAssignmentForStorageAccount": false,
"principalIds": [
"<<principalId>>"
],
"roleDefinitionIdOrName": "Contributor"
}
}
},
"parRemoteAccess": {
"value": {
"enable": true,
"bastion": {
"sku": "Standard",
"subnetAddressPrefix": "10.0.100.160/27",
"publicIPAddressAvailabilityZones": [],
"encryptionAtHost": false,
"linux": {
"enable": true,
"vmName": "bastion-linux",
"vmAdminUsername": "azureuser",
"disablePasswordAuthentication": false,
"vmAdminPasswordOrKey": "Rem0te@2020246",
"vmSize": "Standard_DS1_v2",
"vmOsDiskCreateOption": "FromImage",
"vmOsDiskType": "Standard_LRS",
"vmImagePublisher": "Canonical",
"vmImageOffer": "UbuntuServer",
"vmImageSku": "18.04-LTS",
"vmImageVersion": "latest",
"networkInterfacePrivateIPAddressAllocationMethod": "Dynamic"
},
"windows": {
"enable": true,
"vmName": "bastion-windows",
"vmAdminUsername": "azureuser",
"vmAdminPassword": "Rem0te@2020246",
"vmSize": "Standard_DS1_v2",
"vmOsDiskCreateOption": "FromImage",
"vmStorageAccountType": "StandardSSD_LRS",
"vmImagePublisher": "MicrosoftWindowsServer",
"vmImageOffer": "WindowsServer",
"vmImageSku": "2019-datacenter",
"vmImageVersion": "latest",
"networkInterfacePrivateIPAddressAllocationMethod": "Dynamic"
},
"customScriptExtension": {
"install": false,
"script64": ""
}
}
}
},
"parSecurityCenter": {
"value": {
"enableDefender": true,
"alertNotifications": "Off",
"alertsToAdminsNotifications": "Off",
"emailSecurityContact": "anoa@microsoft.com",
"phoneSecurityContact": "5555555555"
}
}
}
}

427
src/bicep/platforms/lz-platform-scca-hub-4spoke/readme.md Normal file
Просмотреть файл

@ -0,0 +1,427 @@
# NoOps Accelerator - Platforms - SCCA Compliant Hub - 4 Spoke Landing Zone
## Overview
This platform module deploys Hub 4 Spoke landing zone.
> NOTE: This is only the landing zone deployment. The workloads will be deployed with the enclave or can be deployed after the landing zone is created.
Read on to understand what this landing zone does, and when you're ready, collect all of the pre-requisites, then deploy the landing zone.
## Architecture
![Hub/Spoke landing zone Architecture](./media/hub-4spoke-network-topology-architecture.jpg)
## About Hub 4 Spoke Landing Zone
The docs on Hub/Spoke Landing Zone: <https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/hub-spoke?tabs=cli>
### What is a Landing Zone?
A **landing zone** is networking infrastructure configured to provide a secure environment for hosting workloads.
[![Landing Zones Azure Academy Video](https://img.youtube.com/vi/9BKgz9Rl1eo/0.jpg)](https://youtu.be/9BKgz9Rl1eo "Don't let this happen to you 😮 Build A Landing Zone 👍 - Click to Watch!")
### Hub/Spoke Networking
Hub/ 4 Spoke Networking (like TMN) is set up in a hub and spoke design, separated by tiers: T0 (Identity and Authorization), T1 (Infrastructure Operations), T2 (DevSecOps and Shared Services), multiple T3s (Workloads), and T4 (Data Shared Services). Access control can be configured to allow separation of duties between all tiers.
### Firewall
All network traffic is directed through the firewall residing in the Network Hub resource group. The firewall is configured as the default route for all the T0 (Identity and Authorization) through T3 (workload/team environments) resource groups as follows:
|Name |Address prefix| Next hop type| Next hop IP address|
|-------------|--------------|-----------------|-----------------|
|default_route| 0.0.0.0/0 |Virtual Appliance|10.0.100.4* |
*-example IP for firewall
The default firewall configured for Hub/ 1 Spoke Landing Zone is [Azure Firewall Premium](https://docs.microsoft.com/en-us/azure/firewall/premium-features).
Presently, there are two firewall rules configured to ensure access to the Azure Portal and to facilitate interactive logon via PowerShell and Azure CLI, all other traffic is restricted by default. Below are the collection of rules configured for Azure Commercial and Azure Government clouds:
|Rule Collection Priority | Rule Collection Name | Rule name | Source | Port | Protocol |
|-------------------------|----------------------|-----------|--------|----------|----------------------------------------|
|100 | AllowAzureCloud | AzureCloud|* | * |Any |
|110 | AzureAuth | msftauth | * | Https:443| aadcdn.msftauth.net, aadcdn.msauth.net |
### Naming Conventions
By default, Hub - 4 Spoke Platform resources are named according to a naming convention that uses the mandatory `orgPrefix` (that is defaulted to `anoa`), `templateVersion` & `deployEnvironment`.
#### Default Naming Convention Example
Let's look at an example using `parRequired="{ \"orgPrefix\":\"$ORG_PREFIX\", \"templateVersion\":\"v1.0\", \"deployEnvironment\":\"$DEPLOY_ENV\" }"`
In `deploy.bicep` you will find a variable titled `namingConvention`:
```bicep
var varNamingConvention = '${toLower(parRequired.orgPrefix)}-${toLower(parLocation)}-${toLower(parRequired.deployEnvironment)}-${varNameToken}-${toLower(varResourceToken)}'
# this generates a value of: ${orgPrefix}-${location}-${deployEnvironment}-${nameToken}-${resourceToken}
```
This naming convention uses Bicep's `replace()` function to substitute resource abbreviations for `resourceToken` and resource names for `nameToken`.
For example, when naming the Hub Resource Group, first the `resourceToken` is substituted with the recommended abbreviation `rg`:
```bicep
var resourceGroupNamingConvention = replace(namingConvention, resourceToken, 'rg')
# this generates a value of: anoa-eastus-${nameToken}-dev-rg
```
Then, the `nameToken` is substituted with the Azure NoOps Accelerator name `hub`:
```bicep
var hubResourceGroupName = replace(resourceGroupNamingConvention, nameToken, 'hub')
# this generates a value of: anoa-eastus-hub-dev-rg
```
Finally, the `hubResourceGroupName` is assigned to the resource group `varHubName` variable:
```bicep
var varHubName = 'hub'
var varHubResourceGroupName = replace(varResourceGroupNamingConvention, varNameToken, varHubName)
# this is the calculated value 'anoa-eastus-hub-dev-rg'
```
### Tagging
Organize cloud resources to meet the needs of governance, operational management, and accounting. Resources can be managed and found more quickly with the aid of well-defined metadata tagging protocols. By using charge back and show back accounting procedures, these conventions also assist in tying cloud usage charges to specific business teams.
A tagging strategy include business and operational details:
* The business side of this strategy ensures that tags include the organizational information needed to identify the teams. Use a resource along with the business owners who are responsible for resource costs.
* The operational side ensures that tags include information that IT teams use to identify the workload, application, environment, criticality, and other information useful for managing resources.
## Pre-requisites
### Subscriptions
Most customers will deploy each tier to a separate Azure subscription, but multiple subscriptions are not required. A single subscription deployment is good for a testing and evaluation, or possibly a small IT Admin team.
Hub - 4 Spoke Platform can deploy to a single subscription or multiple subscriptions. A test and evaluation deployment may deploy everything to a single subscription, and a production deployment may place each tier into its own subscription.
The optional parameters related to subscriptions are below. They releated to each tier object used for deployment.
Parameter name | Default Value | Description
-------------- | ------------- | -----------
`parHub.subscriptionId` | Deployment subscription | Subscription containing the firewall and network hub
`parIdentitySpoke.subscriptionId` | Deployment subscription | Tier 0 for identity solutions
`parOperationsSpoke.subscriptionId` | Deployment subscription | Tier 1 for network operations, logging and security tools
`parSharedServicesSpoke.subscriptionId` | Deployment subscription | Tier 2 for shared services
### Networking
The following parameters affect networking. They releated to each tier object used for deployment.
Parameter name | Default Value | Description
-------------- | ------------- | -----------
`parHub.virtualNetworkAddressPrefix` | '10.0.100.0/24' | The CIDR Virtual Network Address Prefix for the Hub Virtual Network.
`parHub.subnetAddressPrefix` | '10.0.100.128/27' | The CIDR Subnet Address Prefix for the default Hub subnet. It must be in the Hub Virtual Network space.
`parHub.peerToSpokeVirtualNetwork` | true | This is a switch for peering to an Spoke Network. This is used with the spoke network peering as well. Both parameters either need to be true or false.
`parHub.subnets.addressPrefix` (Firewall Client Subnet Address Prefix)| '10.0.100.0/26' | The CIDR Subnet Address Prefix for the Azure Firewall Subnet. It must be in the Hub Virtual Network space. It must be /26.
`parHub.subnets.addressPrefix` (Firewall Management Subnet Address Prefix) | '10.0.100.64/26' | The CIDR Subnet Address Prefix for the Azure Firewall Management Subnet. It must be in the Hub Virtual Network space. It must be /26.
`parIdentitySpoke.virtualNetworkAddressPrefix` | '10.0.110.0/26' | The CIDR Virtual Network Address Prefix for the Identity Virtual Network.
`parIdentitySpoke.subnetAddressPrefix` | '10.0.110.0/27' | The CIDR Subnet Address Prefix for the default Identity subnet. It must be in the Identity Virtual Network space.
`parIdentitySpoke.peerToHubVirtualNetwork` | true | This is a switch for peering to an Hub Network from a Identity Spoke. This is used with the hub network peering as well. Both parameters either need to be true or false.
`parOperationsSpoke.virtualNetworkAddressPrefix` | '10.0.115.0/26' | The CIDR Virtual Network Address Prefix for the Operations Virtual Network.
`parOperationsSpoke.subnetAddressPrefix` | '10.0.115.0/27' | The CIDR Subnet Address Prefix for the default Operations subnet. It must be in the Operations Virtual Network space.
`parOperationsSpoke.peerToHubVirtualNetwork` | true | This is a switch for peering to an Hub Network from a Operations Spoke. This is used with the hub network peering as well. Both parameters either need to be true or false.
`parSharedServicesSpoke.virtualNetworkAddressPrefix` | '10.0.120.0/26' | The CIDR Virtual Network Address Prefix for the Shared Services Virtual Network.
`parSharedServicesSpoke.subnetAddressPrefix` | '10.0.120.0/27' | The CIDR Subnet Address Prefix for the default Shared Services subnet. It must be in the Shared Services Virtual Network space.
`parSharedServicesSpoke.peerToHubVirtualNetwork` | true | This is a switch for peering to an Hub Network from a Shared Services Spoke. This is used with the hub network peering as well. Both parameters either need to be true or false.
`parDataSharedServicesSpoke.virtualNetworkAddressPrefix` | '10.0.130.0/26' | The CIDR Virtual Network Address Prefix for the Shared Services Virtual Network.
`parDataSharedServicesSpoke.subnetAddressPrefix` | '10.0.130.0/27' | The CIDR Subnet Address Prefix for the default Shared Services subnet. It must be in the Shared Services Virtual Network space.
`parDataSharedServicesSpoke.peerToHubVirtualNetwork` | true | This is a switch for peering to an Hub Network from a Data Shared Services Spoke. This is used with the hub network peering as well. Both parameters either need to be true or false.
## Optional Features
Hub - 4 Spoke Platform has optional features that can be enabled by setting parameters on the deployment.
### Microsoft Defender for Cloud
By default [Microsoft Defender for Cloud](https://docs.microsoft.com/en-us/azure/defender-for-cloud/defender-for-cloud-introduction) offers a free set of monitoring capabilities that are enabled via an Azure policy when you first set up a subscription and view the Microsoft Defender for Cloud portal blade.
Microsoft Defender for Cloud offers a standard/defender sku which enables a greater depth of awareness including more recomendations and threat analytics. You can enable this higher depth level of security in Hub - 4 Spoke Platform by setting the parameter `parSecurityCenter.enableDefender` during deployment. In addition you can include the `parSecurityCenter.emailSecurityContact` parameter to set a contact email for alerts and `parSecurityCenter.phoneSecurityContact` parameter to set a contact phone for alerts.
Parameter name | Default Value | Description
-------------- | ------------- | -----------
`parSecurityCenter.enableDefender` | 'false' | When set to "true", enables Microsoft Defender for Cloud for the subscriptions used in the deployment. It defaults to "false".
`parSecurityCenter.emailSecurityContact` | '' | Email address of the contact, in the form of john@doe.com
`parSecurityCenter.phoneSecurityContact` | '' | Phone of the contact, in the form of 5555555555
`parSecurityCenter.alertNotifications` | '' | alert notifications for contact
`parSecurityCenter.alertsToAdminsNotifications` | '' | alert notifications for contact admin
The Defender plan by resource type for Microsoft Defender for Cloud is enabled by default in the following [Azure Environments](https://docs.microsoft.com/en-us/powershell/module/servicemanagement/azure.service/get-azureenvironment?view=azuresmps-4.0.0): `AzureCloud` and `AzureUSGovernment`. To enable this for other Azure Cloud environments, this will need to executed manually.
Documentation on how to do this can be found
[here](https://docs.microsoft.com/en-us/azure/defender-for-cloud/enable-enhanced-security)
### Azure Sentinel
[Sentinel](https://docs.microsoft.com/en-us/azure/sentinel/overview) is a scalable, cloud-native, security information and event management (SIEM) and security orchestration, automation, and response (SOAR) solution. Sentinel can be enabled by setting the `parLogging.enableSentinel` parameter.
Parameter name | Default Value | Description
-------------- | ------------- | -----------
`parLogging.enableSentinel` | 'false' | When set to "true", enables Microsoft Sentinel within the Log Analytics Workspace created in this deployment. It defaults to "false".
### Remote access with a Bastion Host
If you want to remotely access the network and the resources you've deployed you can use [Azure Bastion](https://docs.microsoft.com/en-us/azure/bastion/) to remotely access virtual machines within the network without exposing them via Public IP Addresses.
Deploy a Linux and Windows virtual machine as jumpboxes into the network without a Public IP Address using Azure Bastion Host by providing values for these parameters:
Parameter name | Default Value | Description
-------------- | ------------- | -----------
`parRemoteAccess.enable` | 'false' | When set to "true", provisions Azure Bastion Host and virtual machine jumpboxes. It defaults to "false".
`parRemoteAccess.windows.vmAdminPassword` | 'Rem0te@2020246' | The administrator password the Windows Virtual Machine to Azure Bastion remote into. It must be > 12 characters in length. See [password requirements for creating a Windows VM](https://docs.microsoft.com/en-us/azure/virtual-machines/windows/faq#what-are-the-password-requirements-when-creating-a-vm-).
`parRemoteAccess.linux.vmAuthenticationType` | 'Rem0te@2020246' | [sshPublicKey/password] The authentication type for the Linux Virtual Machine to Azure Bastion remote into. It defaults to "Rem0te@2020246".
`parRemoteAccess.linux.vmAdminPasswordOrKey` | new guid | The administrator password or public SSH key for the Linux Virtual Machine to Azure Bastion remote into. See [password requirements for creating a Linux VM](https://docs.microsoft.com/en-us/azure/virtual-machines/linux/faq#what-are-the-password-requirements-when-creating-a-vm-).
`parRemoteAccess.windows.vmAdminUsername` | 'azureuser' | The administrator username for the Linux Virtual Machine to Azure Bastion remote into. It defaults to "azureuser".
`parRemoteAccess.linux.vmAdminUsername` | 'azureuser' | The administrator username for the Linux Virtual Machine to Azure Bastion remote into. It defaults to "azureuser".
### Azure Firewall Premium
By default, Hub - 4 Spoke Platform deploys **[Azure Firewall Premium](https://docs.microsoft.com/en-us/azure/firewall/premium-features). Not all regions support Azure Firewall Premium.** Check here to [see if the region you're deploying to supports Azure Firewall Premium](https://docs.microsoft.com/en-us/azure/firewall/premium-features#supported-regions). If necessary you can set a different firewall SKU or location.
You can manually specify which SKU of Azure Firewall to use for your deployment by specifying the `parAzureFirewall.skuTier` parameter. This parameter only accepts values of `Standard` or `Premium`.
Parameter name | Default Value | Description
-------------- | ------------- | -----------
`parAzureFirewall.skuTier` | 'Premium' | [Standard/Premium] The SKU for Azure Firewall. It defaults to "Premium".
If you'd like to specify a different region to deploy your resources into, change the location of the deployment. For example, when using the AZ CLI set the deployment command's `--location` argument.
### Operational Network Artifacts
If needed, The Operational Network Artifacts are used when operations wants to seperate all key, secrets and operations storage from the hub/spoke model.
### DDOS
If needed, You can deploy an DDOS Standard configuration if a firewall is not needed.
## Parameters
See below for information on how to use the appropriate deployment parameters for use with this landing zone:
Required Parameters | Type | Allowed Values | Description
| :-- | :-- | :-- | :-- |
parRequired | object | {object} | Required values used with all resources.
parTags | object | {object} | Required tags values used with all resources.
parLocation | string | `[deployment().location]` | The region to deploy resources into. It defaults to the deployment location.
parHub | object | {object} | Hub Virtual network configuration. See [azresources/hub-spoke-core/vdss/hub/readme.md](../../azresources/hub-spoke-core/vdss/hub/readme.md)
parOperationsSpoke | object | {object} | Operations Spoke Virtual network configuration. See [See azresources/hub-spoke-core/vdms/operations/readme.md](../../azresources/hub-spoke-core/vdms/operations/readme.md)
parIdentitySpoke | object | {object} | Identity Spoke Virtual network configuration. See [See azresources/hub-spoke-core/vdss/identity/readme.md](../../azresources/hub-spoke-core/vdss/identity/readme.md)
parSharedServicesSpoke | object | {object} | Shared Services Spoke Virtual network configuration. See [See azresources/hub-spoke-core/vdms/sharedservices/readme.md](../../azresources/hub-spoke-core/vdms/sharedservices/readme.md)
parDataSharedServicesSpoke | object | {object} | Data Shared Services Spoke Virtual network configuration. See [See azresources/hub-spoke-core/vdms/dataSharedservices/readme.md](../../azresources/hub-spoke-core/vdms/dataSharedservices/readme.md)
parAzureFirewall | object | {object} | Azure Firewall configuration. Azure Firewall is deployed in Forced Tunneling mode where a route table must be added as the next hop.
parLogging | object | {object} | Enables logging parmeters and Microsoft Sentinel within the Log Analytics Workspace created in this deployment. See [azresources/hub-spoke-core/vdms/logging/readme.md](../../azresources/hub-spoke-core/vdms/logging/readme.md)
parRemoteAccess | object | {object} | Provisions Azure Bastion Host. See [overlays/management-services/bastion/readme.md](../../overlays/management-services/bastion/readme.md)
Optional Parameters | Type | Allowed Values | Description
| :-- | :-- | :-- | :-- |
parNetworkArtifacts | object | {object} | Optional. Enables Operations Network Artifacts Resource Group with KV and Storage account for the ops subscriptions used in the deployment. This overlay allows Bastion keys to be added if Basion Host is enabled. See [azresources/hub-spoke-core/vdss/networkArtifacts/readme.md](../../azresources/hub-spoke-core/vdss/networkArtifacts/readme.md)
parSecurityCenter | object | {object} | Microsoft Defender for Cloud. It includes email and phone. See [overlays/management-services/defender/readme.md](../../overlays/management-services/defender/readme.md)
parDdosStandard | bool | `false` | DDOS Standard configuration.
## Deploy the Platform Landing Zone
Connect to the appropriate Azure Environment and set appropriate context, see getting started with Azure PowerShell or Azure CLI for help if needed. The commands below assume you are deploying in Azure Commercial and show the entire process deploying Platform Hub/Spoke Design.
For example, deploying using the `az deployment sub create` command in the Azure CLI:
### Azure CLI
```bash
# For Azure Commerical regions
# When deploying to Azure cloud, first set the cloud.
az cloudset --name AzureCloud
# Set Platform connectivity subscription ID as the the current subscription
$ConnectivitySubscriptionId="[your platform management subscription ID]"
az account set --subscription $ConnectivitySubscriptionId
#log in
az login
cd src/bicep
cd platforms/lz-platform-scca-hub-4spoke
az deployment sub create \
--name deploy-hub1spoke-network \
--subscription $ConnectivitySubscriptionId \
--template-file deploy.bicep \
--location eastus \
--parameters @parameters/deploy.parameters.json
```
OR
```bash
# For Azure Government regions
# When deploying to another cloud, like Azure US Government, first set the cloud and log in.
az cloudset --name AzureGovernment
# Set Platform connectivity subscription ID as the the current subscription
$ConnectivitySubscriptionId="[your platform management subscription ID]"
az account set --subscription $ConnectivitySubscriptionId
az login
cd src/bicep
cd platforms/lz-platform-scca-hub-4spoke
az deployment sub create \
--name deploy-hub1spoke-network \
--template-file deploy.bicep \
--parameters @parameters/deploy.parameters.json \
--subscription $ConnectivitySubscriptionId \
--location 'usgovvirginia'
```
### PowerShell
```powershell
# For Azure Commerical regions
# When deploying to Azure cloud, first set the cloud and log in.
Connect-AzAccount -EnvironmentName AzureCloud
# Set Platform connectivity subscription ID as the the current subscription
$ConnectivitySubscriptionId = "[your platform management subscription ID]"
Select-AzSubscription -SubscriptionId $ConnectivitySubscriptionId
cd src/bicep
cd platforms/lz-platform-scca-hub-4spoke
New-AzSubscriptionDeployment `
-Name deploy-hub1spoke-network `
-TemplateFile deploy.bicep `
-TemplateParameterFile deploy.parameters.json `
-Subscription $ConnectivitySubscriptionId `
-Location 'eastus'
```
OR
```powershell
# For Azure Government regions
# When deploying to another cloud, like Azure US Government, first set the cloud and log in.
Connect-AzAccount -EnvironmentName AzureUSGovernment
# Set Platform connectivity subscription ID as the the current subscription
$ConnectivitySubscriptionId = "[your platform management subscription ID]"
Select-AzSubscription -SubscriptionId $ConnectivitySubscriptionId
cd src/bicep
cd platforms/lz-platform-scca-hub-4spoke
New-AzSubscriptionDeployment `
-Name deploy-hub1spoke-network `
-TemplateFile deploy.bicep `
-TemplateParameterFile deploy.parameters.json `
-Subscription $ConnectivitySubscriptionId `
-Location 'usgovvirginia'
```
## Extending the Landing Zone
By default, this Landing Zone has the minium parmeters needed to deploy the service. If you like to add addtional parmeters to the Landing Zone, please refer to the Landing Zone description located in AzResources here: [`Hub-Spoke-Core`](../../azresources/hub-spoke-core/readme.md)
## Air-Gapped Clouds
For air-gapped clouds it may be convenient to transfer and deploy the compiled ARM template instead of the Bicep template if the Bicep CLI tools are not available or if it is desirable to transfer only one file into the air gap.
## Validate the deployment
Use the Azure portal, Azure CLI, or Azure PowerShell to list the deployed resources in the resource group.
Configure the default group using:
```bash
az configure --defaults group=anoa-eastus-platforms-hub-rg.
```
```bash
az resource list --location eastus --subscription xxxxxx-xxxx-xxxx-xxxx-xxxxxxxx --resource-group anoa-eastus-platforms-hub-rg
```
```powershell
Get-AzResource -ResourceGroupName anoa-eastus-platforms-hub-rg
```
## Cleanup
The Bicep/ARM deployment of NoOps Accelerator - Hub/Spoke deployment can be deleted with these steps:
### Delete the diagnostic settings deployed at the subscription level
To delete the diagnostic settings from the Azure Portal: choose the subscription blade, then Activity log in the left panel. At the top of the Activity log screen click the Diagnostics settings button. From there you can click the Edit setting link and delete the diagnostic setting.
> NOTE: If you deploy and delete Mission Landing Zone in the same subscription multiple times without deleting the subscription-level diagnostic settings, the sixth deployment will fail. Azure has a limit of five diagnostic settings per subscription. The error will be similar to this: `"The limit of 5 diagnostic settings was reached."`
To delete the diagnotic settings in script, use the AZ CLI or PowerShell. An AZ CLI example is below:
```BASH
# View diagnostic settings in the current subscription
az monitor diagnostic-settings subscription list --query value[] --output table
# Delete a diagnostic setting
az monitor diagnostic-settings subscription delete --name <diagnostic setting name>
```
### Downgrade the Microsoft Defender for Cloud
To downgrade the Microsoft Defender for Cloud pricing level in the Azure portal:
1. Navigate to the Microsoft Defender for Cloud page, then click the "Environment settings" tab in the left navigation panel.
1. In the tree/grid select the subscription you want to manage.
1. Click the large box near the top of the page that says "Enhanced security off".
1. Click the save button.
To downgrade the Microsoft Defender for Cloud pricing level using the AZ CLI:
```BASH
# List the pricing tiers
az security pricing list -o table --query "value[].{Name:name, Tier:pricingTier}"
# Change a pricing tier to the default free tier
az security pricing create --name "<name of tier>" --tier Free
```
### Delete Resource Groups
```bash
az group delete -n anoa-eastus-platforms-logging-rg -y
az group delete -n anoa-eastus-platforms-hub-rg -y
az group delete -n anoa-eastus-platforms-identity-rg -y
az group delete -n anoa-eastus-platforms-operations-rg -y
az group delete -n anoa-eastus-platforms-sharedservices-rg -y
az group delete -n anoa-eastus-platforms-artifacts-rg -y
```
```powershell
Remove-AzResourceGroup -Name anoa-eastus-platforms-logging-rg
Remove-AzResourceGroup -Name anoa-eastus-platforms-hub-rg
Remove-AzResourceGroup -Name anoa-eastus-platforms-identity-rg
Remove-AzResourceGroup -Name anoa-eastus-platforms-operations-rg
Remove-AzResourceGroup -Name anoa-eastus-platforms-sharedservices-rg
Remove-AzResourceGroup -Name anoa-eastus-platforms-artifacts-rg
```
### Delete Deployments
```bash
az deployment sub delete -n deploy-hub4spoke-network
```
```powershell
Remove-AzSubscriptionDeployment -Name deploy-hub4spoke-network
```
## Resources
[Bicep documentation](https://aka.ms/bicep/)
[`az deployment` documentation](https://docs.microsoft.com/en-us/cli/azure/deployment?view=azure-cli-latest)
[JMESPath queries](https://jmespath.org/)
[Azure Az PowerShell module](https://docs.microsoft.com/en-us/powershell/azure/what-is-azure-powershell)