Added vwan sample.

deploy_vwan/README.md

@@ -0,0 +1,39 @@
+# Sample
+
+## Getting started
+
+This sample uses [Bicep](https://docs.microsoft.com/en-us/azure/azure-resource-manager/bicep/overview) to deploy a specific Virtual WAN topology.
+
+### Install
+
+1. Install the Azure CLI by following the [docs](https://docs.microsoft.com/en-us/cli/azure/install-azure-cli) article.
+
+1. Install Bicep from within the Azure CLI:
+
+```
+az bicep install
+
+az bicep upgrade
+```
+
+### Login
+
+1. Login and select your subscription
+
+```
+az login
+
+az account set --subscription <your_subscription_id>
+```
+
+### Deploy
+
+1. Deploy the `main.bicep` file from the `src` directory of this sample:
+
+```
+cd deploy_vwan/src/
+
+az deployment sub create --location <your_preferred_location> --template-file .\main.bicep --name vwan --parameters vmusername=localadmin
+```
+
+> Note: Type the VM password when prompted. 

deploy_vwan/src/compute/main.bicep

@@ -0,0 +1,59 @@
+param location string
+param shortLocation string
+param net_nva_id string
+param net_spoke1_id string
+param net_spoke2_id string
+
+@secure()
+param password string
+param username string
+
+resource store 'Microsoft.Storage/storageAccounts@2021-06-01' = {
+  name: uniqueString(resourceGroup().id, shortLocation)
+  location: location
+  kind: 'Storage'
+  sku: {
+    name: 'Standard_LRS'
+  }
+}
+
+// module vm_hub 'vm.bicep' = {
+//   name: 'vm_hub'
+//   params: {
+//     location: location
+//     shortLocation: shortLocation
+//     name: 'hubvm'
+//     username: username
+//     password: password
+//     net_id: net_nva_id
+//     store_id: store.id
+//   }
+// }
+
+module vm_spoke1 'vm.bicep' = {
+  name: 'vm_spoke1'
+  params: {
+    location: location
+    shortLocation: shortLocation
+    name: 'spoke1vm'
+    username: username
+    password: password
+    net_id: net_spoke1_id
+    store_id: store.id
+  }
+}
+
+module vm_spoke2 'vm.bicep' = {
+  name: 'vm_spoke2'
+  params: {
+    location: location
+    shortLocation: shortLocation
+    name: 'spoke2vm'
+    username: username
+    password: password
+    net_id: net_spoke2_id
+    store_id: store.id
+  }
+}
+
+output rg_id string = resourceGroup().id

deploy_vwan/src/compute/vm.bicep

@@ -0,0 +1,89 @@
+param location string
+param shortLocation string
+param name string
+
+param net_id string
+param store_id string
+
+@secure()
+param password string
+param username string
+
+resource existing_store 'Microsoft.Storage/storageAccounts@2021-06-01' existing = {
+  name: last(split(store_id,'/'))
+}
+
+resource nic 'Microsoft.Network/networkInterfaces@2021-03-01' = {
+  name: '${shortLocation}-${name}-nic'
+  location: location
+  properties: {
+    ipConfigurations: [
+      {
+        name: 'ipconfig'
+        properties: {
+          subnet:{
+            id: '${net_id}/subnets/VmSubnet'
+          }
+        }
+      }
+    ]
+  }
+}
+
+resource vm 'Microsoft.Compute/virtualMachines@2021-07-01' = {
+  name: '${shortLocation}-${name}'
+  location: location
+  properties: {
+    hardwareProfile: {
+      vmSize: 'Standard_B2s'
+    }
+    storageProfile: {
+      imageReference: {
+        publisher: 'canonical'
+        offer: '0001-com-ubuntu-server-focal'
+        sku: '20_04-lts-gen2'
+        version: 'latest'
+      }
+      osDisk: {
+        osType: 'Linux'
+        name: '${shortLocation}-${name}-disk'
+        createOption: 'FromImage'
+        caching: 'ReadWrite'
+        managedDisk: {
+          storageAccountType: 'Premium_LRS'
+        }
+        deleteOption: 'Detach'
+        diskSizeGB: 30
+      }
+      dataDisks: []
+    }
+    osProfile: {
+      computerName: '${shortLocation}-${name}'
+      adminUsername: username
+      adminPassword: password
+      linuxConfiguration: {
+        disablePasswordAuthentication: false
+        provisionVMAgent: true
+        patchSettings: {
+          patchMode: 'ImageDefault'
+          assessmentMode: 'ImageDefault'
+        }
+      }
+    }
+    networkProfile: {
+      networkInterfaces: [
+        {
+          id: nic.id
+        }
+      ]
+    }
+    diagnosticsProfile: {
+      bootDiagnostics: {
+        enabled: true
+        storageUri: 'https://${existing_store.name}.blob.core.windows.net/'
+      }
+    }
+  }
+}
+
+output rg_id string = resourceGroup().id

deploy_vwan/src/firewall/main.bicep

@@ -0,0 +1,56 @@
+param location string
+param shortLocation string
+
+param net_nva_id string
+
+module policy 'policy.bicep' = {
+  name: 'policy'
+  params: {
+    location: location
+    shortLocation: shortLocation
+  }
+}
+
+resource pip 'Microsoft.Network/publicIPAddresses@2021-03-01' = {
+  name: '${shortLocation}-firewall-ip'
+  location: location
+  sku: {
+    name: 'Standard'
+  }
+  properties: {
+    publicIPAllocationMethod: 'Static'
+  }
+}
+
+resource firewall 'Microsoft.Network/azureFirewalls@2021-03-01' = {
+  name: '${shortLocation}-firewall'
+  location: location
+  properties: {
+    sku: {
+      name: 'AZFW_VNet'
+      tier: 'Standard'
+    }
+    firewallPolicy: {
+      id: policy.outputs.policy_id
+    }
+    applicationRuleCollections: []
+    natRuleCollections: []
+    networkRuleCollections: []
+    threatIntelMode: 'Alert'    
+    ipConfigurations: [
+      {
+        name: '${shortLocation}-firewall-ip'
+        properties: {
+          publicIPAddress: {
+            id: pip.id
+          }
+          subnet: {
+            id: '${net_nva_id}/subnets/AzureFirewallSubnet'
+          }
+        }
+      }
+    ]
+  }
+}
+
+output rg_id string = resourceGroup().id

deploy_vwan/src/firewall/policy.bicep

@@ -0,0 +1,92 @@
+param location string
+param shortLocation string
+
+resource policy 'Microsoft.Network/firewallPolicies@2021-03-01' = {
+  name: '${shortLocation}-open'
+  location: location
+  properties: {
+    sku: {
+      tier: 'Standard'
+    }
+  }
+}
+
+resource ruleCollectionGroups 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2020-11-01' = {
+  parent: policy
+  name: 'DefaultNetworkRuleCollectionGroup'
+  properties: {
+    priority: 200
+    ruleCollections: [
+      {
+        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
+        action: {
+          type: 'Allow'
+        }
+        rules: [
+          {
+            ruleType: 'NetworkRule'
+            name: 'RFC1918A'
+            ipProtocols: [
+              'Any'
+            ]
+            sourceAddresses: [
+              '10.0.0.0/8'
+            ]
+            sourceIpGroups: []
+            destinationAddresses: [
+              '*'
+            ]
+            destinationIpGroups: []
+            destinationFqdns: []
+            destinationPorts: [
+              '*'
+            ]
+          }
+          {
+            ruleType: 'NetworkRule'
+            name: 'RFC1918B'
+            ipProtocols: [
+              'Any'
+            ]
+            sourceAddresses: [
+              '172.16.0.0/12'
+            ]
+            sourceIpGroups: []
+            destinationAddresses: [
+              '*'
+            ]
+            destinationIpGroups: []
+            destinationFqdns: []
+            destinationPorts: [
+              '*'
+            ]
+          }
+          {
+            ruleType: 'NetworkRule'
+            name: 'RFC1918C'
+            ipProtocols: [
+              'Any'
+            ]
+            sourceAddresses: [
+              '192.168.0.0/16'
+            ]
+            sourceIpGroups: []
+            destinationAddresses: [
+              '*'
+            ]
+            destinationIpGroups: []
+            destinationFqdns: []
+            destinationPorts: [
+              '*'
+            ]
+          }
+        ]
+        name: 'Allow-RFC1918'
+        priority: 1000
+      }
+    ]
+  }
+}
+
+output rg_id string = resourceGroup().id
+output policy_id string = policy.id

deploy_vwan/src/main.bicep

@@ -0,0 +1,132 @@
+targetScope = 'subscription'
+
+@secure()
+param vmpassword string
+param vmusername string
+
+var primaryRegionLocation = 'australiaeast'
+var secondaryRegionLocation = 'australiasoutheast'
+
+var version = '211129'
+// var location = deployment().location
+
+// Lookup region code based on location parameter
+var regionCodeLookup = {
+  australiaeast: 'aue'
+  australiasoutheast: 'ase'
+}
+// var shortLocation = regionCodeLookup[location]
+var primaryRegionShortLocation = regionCodeLookup[primaryRegionLocation]
+var secondaryRegionShortLocation = regionCodeLookup[secondaryRegionLocation]
+
+// Lookup region prefix based on location parameter
+var regionPrefixLookup = {
+  australiaeast: '10.101.0.0/16'
+  australiasoutheast: '10.102.0.0/16'
+}
+// var regionAddressPrefix = regionPrefixLookup[location]
+var primaryRegionAddressPrefix = regionPrefixLookup[primaryRegionLocation]
+var secondaryRegionAddressPrefix = regionPrefixLookup[secondaryRegionLocation]
+
+// Get the needed octets to handle different address spaces for each region
+// var octet2 = int(split(regionAddressPrefix, '.')[1])
+var primaryRegionOctet2 = int(split(primaryRegionAddressPrefix, '.')[1])
+var secondaryRegionOctet2 = int(split(secondaryRegionAddressPrefix, '.')[1])
+
+resource rg_network_1 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+  name: '${version}-${primaryRegionShortLocation}-network'
+  location: primaryRegionLocation
+}
+resource rg_network_2 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+  name: '${version}-${secondaryRegionShortLocation}-network'
+  location: secondaryRegionLocation
+}
+
+module network_1 'network/main.bicep' = {
+  name: 'network-${primaryRegionShortLocation}'
+  scope: rg_network_1
+  params: {
+    location: primaryRegionLocation
+    shortLocation: primaryRegionShortLocation
+    octet2: primaryRegionOctet2
+  }
+}
+module network_2 'network/main.bicep' = {
+  name: 'network-${secondaryRegionShortLocation}'
+  scope: rg_network_2
+  params: {
+    location: secondaryRegionLocation
+    shortLocation: secondaryRegionShortLocation
+    octet2: secondaryRegionOctet2
+  }
+}
+
+module firewall_1 'firewall/main.bicep' = {
+  name: 'firewall-${primaryRegionShortLocation}'
+  scope: rg_network_1
+  params: {
+    location: primaryRegionLocation
+    shortLocation: primaryRegionShortLocation
+    net_nva_id: network_1.outputs.net_nva_id
+  }
+}
+module firewall_2 'firewall/main.bicep' = {
+  name: 'firewall-${secondaryRegionShortLocation}'
+  scope: rg_network_2
+  params: {
+    location: secondaryRegionLocation
+    shortLocation: secondaryRegionShortLocation
+    net_nva_id: network_2.outputs.net_nva_id
+  }
+}
+
+resource rg_compute_1 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+  name: '${version}-${primaryRegionShortLocation}-compute'
+  location: primaryRegionLocation
+}
+resource rg_compute_2 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+  name: '${version}-${secondaryRegionShortLocation}-compute'
+  location: secondaryRegionLocation
+}
+
+module compute_1 'compute/main.bicep' = {
+  name: 'compute-${primaryRegionShortLocation}'
+  scope: rg_compute_1
+  params: {
+    location: primaryRegionLocation
+    shortLocation: primaryRegionShortLocation
+    net_nva_id: network_1.outputs.net_nva_id
+    net_spoke1_id: network_1.outputs.net_spoke1_id
+    net_spoke2_id: network_1.outputs.net_spoke2_id
+    username: vmusername
+    password: vmpassword
+  }
+}
+module compute_2 'compute/main.bicep' = {
+  name: 'compute-${secondaryRegionShortLocation}'
+  scope: rg_compute_2
+  params: {
+    location: secondaryRegionLocation
+    shortLocation: secondaryRegionShortLocation
+    net_nva_id: network_2.outputs.net_nva_id
+    net_spoke1_id: network_2.outputs.net_spoke1_id
+    net_spoke2_id: network_2.outputs.net_spoke2_id
+    username: vmusername
+    password: vmpassword
+  }
+}
+
+module wan 'wan/main.bicep' = {
+  name: 'wan'
+  scope: resourceGroup('${version}-${primaryRegionShortLocation}-network')
+  params: {
+    primaryRegionLocation: primaryRegionLocation
+    secondaryRegionLocation: secondaryRegionLocation
+    primaryRegionShortLocation: primaryRegionShortLocation
+    secondaryRegionShortLocation: secondaryRegionShortLocation
+    primaryRegionOctet2: primaryRegionOctet2
+    secondaryRegionOctet2: secondaryRegionOctet2
+    net_nva_id_1: network_1.outputs.net_nva_id
+    net_nva_id_2: network_2.outputs.net_nva_id
+  }
+}

deploy_vwan/src/network/main.bicep

@@ -0,0 +1,45 @@
+param location string
+param shortLocation string
+param octet2 int
+
+module nsgs 'nsgs.bicep' = {
+  name: 'nsgs'
+  params: {
+    location: location
+    shortLocation: shortLocation
+  }
+}
+
+module udrs 'udrs.bicep' = {
+  name: 'udrs'
+  params: {
+    location: location
+    shortLocation: shortLocation
+    octet2: octet2
+  }
+}
+
+module vnets 'vnets.bicep' = {
+  name: 'vnets'
+  params: {
+    location: location
+    shortLocation: shortLocation
+    octet2: octet2
+    nsg_basic_id: nsgs.outputs.nsg_basic_id
+    udr_default_id: udrs.outputs.udr_default_id
+  }
+}
+
+module peering 'peerings.bicep' = {
+  name: 'peerings'
+  params: {
+    net_nva_id: vnets.outputs.net_nva_id
+    net_spoke1_id: vnets.outputs.net_spoke1_id
+    net_spoke2_id: vnets.outputs.net_spoke2_id
+  }
+}
+
+output rg_id string = resourceGroup().id
+output net_nva_id string = vnets.outputs.net_nva_id
+output net_spoke1_id string = vnets.outputs.net_spoke1_id
+output net_spoke2_id string = vnets.outputs.net_spoke2_id

deploy_vwan/src/network/nsgs.bicep

@@ -0,0 +1,10 @@
+param location string
+param shortLocation string
+
+resource nsg_basic 'Microsoft.Network/networkSecurityGroups@2021-03-01' = {
+  name: '${shortLocation}-basic'
+  location: location 
+}
+
+output rg_id string = resourceGroup().id
+output nsg_basic_id string = nsg_basic.id

deploy_vwan/src/network/peerings.bicep

@@ -0,0 +1,64 @@
+param net_nva_id string
+param net_spoke1_id string
+param net_spoke2_id string
+
+resource existing_net_nva  'Microsoft.Network/virtualNetworks@2021-03-01' existing = {
+  name: last(split(net_nva_id,'/'))
+}
+
+resource existing_net_spoke1 'Microsoft.Network/virtualNetworks@2021-03-01' existing = {
+  name: last(split(net_spoke1_id,'/'))
+}
+
+resource existing_net_spoke2 'Microsoft.Network/virtualNetworks@2021-03-01' existing = {
+  name: last(split(net_spoke2_id,'/'))
+}
+
+resource peer_nvaTOspoke1 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2021-03-01' = {
+  name: '${existing_net_nva.name}-TO-${existing_net_spoke1.name}'
+  parent: existing_net_nva
+  properties: {
+    remoteVirtualNetwork: {
+      id: existing_net_spoke1.id
+    }
+    allowForwardedTraffic: true
+    allowVirtualNetworkAccess: true
+  }
+}
+
+resource peer_spoke1TOnva 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2021-03-01' = {
+  name: '${existing_net_spoke1.name}-TO-${existing_net_nva.name}'
+  parent: existing_net_spoke1
+  properties: {
+    remoteVirtualNetwork: {
+      id: existing_net_nva.id
+    }
+    allowForwardedTraffic: true
+    allowVirtualNetworkAccess: true
+  }
+}
+
+resource peer_nvaTOspoke2 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2021-03-01' = {
+  name: '${existing_net_nva.name}-TO-${existing_net_spoke2.name}'
+  parent: existing_net_nva
+  properties: {
+    remoteVirtualNetwork: {
+      id: existing_net_spoke2.id
+    }
+    allowForwardedTraffic: true
+    allowVirtualNetworkAccess: true
+  }
+}
+resource peer_spoke2TOnva 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2021-03-01' = {
+  name: '${existing_net_spoke2.name}-TO-${existing_net_nva.name}'
+  parent: existing_net_spoke2
+  properties: {
+    remoteVirtualNetwork: {
+      id: existing_net_nva.id
+    }
+    allowForwardedTraffic: true
+    allowVirtualNetworkAccess: true
+  }
+}
+
+output rg_id string = resourceGroup().id

deploy_vwan/src/network/udrs.bicep

@@ -0,0 +1,23 @@
+param location string
+param shortLocation string
+param octet2 int
+
+resource udr_default 'Microsoft.Network/routeTables@2021-03-01' = {
+  name: '${shortLocation}-default'
+  location: location
+  properties: {
+    routes: [
+      {
+        name: 'Default'
+        properties: {
+          addressPrefix: '0.0.0.0/0'
+          nextHopType: 'VirtualAppliance'
+          nextHopIpAddress: '10.${octet2}.255.4'
+        }
+      }           
+    ]
+  }
+}
+  
+output rg_id string = resourceGroup().id
+output udr_default_id string = udr_default.id

deploy_vwan/src/network/vnets.bicep

@@ -0,0 +1,92 @@
+param location string
+param shortLocation string
+param octet2 int
+
+param nsg_basic_id string
+param udr_default_id string
+
+resource net_nva 'Microsoft.Network/virtualNetworks@2021-03-01' = {
+  name: '${shortLocation}-nva'
+  location: location
+  properties: {
+    addressSpace: {
+      addressPrefixes: [
+        '10.${octet2}.255.0/24'
+      ]
+    }
+    subnets: [
+      {
+        name: 'AzureFirewallSubnet'
+        properties: {
+          addressPrefix: '10.${octet2}.255.0/26'
+        }
+      }
+      {
+        name: 'VmSubnet'
+        properties: {
+          addressPrefix: '10.${octet2}.255.128/28'
+          networkSecurityGroup: {
+            id: nsg_basic_id
+          }          
+        }
+      }      
+    ]
+  }
+}
+
+resource net_spoke1 'Microsoft.Network/virtualNetworks@2021-03-01' = {
+  name: '${shortLocation}-spoke1'
+  location: location
+  properties: {
+    addressSpace: {
+      addressPrefixes: [
+        '10.${octet2}.1.0/24'
+      ]
+    }
+    subnets: [
+      {
+        name: 'VmSubnet'
+        properties: {
+          addressPrefix: '10.${octet2}.1.0/28'
+          networkSecurityGroup: {
+            id: nsg_basic_id
+          }
+          routeTable: {
+            id: udr_default_id
+          }
+        }
+      }
+    ]
+  }
+}
+
+resource net_spoke2 'Microsoft.Network/virtualNetworks@2021-03-01' = {
+  name: '${shortLocation}-spoke2'
+  location: location
+  properties: {
+    addressSpace: {
+      addressPrefixes: [
+        '10.${octet2}.2.0/24'
+      ]
+    }
+    subnets: [
+      {
+        name: 'VmSubnet'
+        properties: {
+          addressPrefix: '10.${octet2}.2.0/28'
+          networkSecurityGroup: {
+            id: nsg_basic_id
+          }
+          routeTable: {
+            id: udr_default_id
+          }
+        }
+      }
+    ]
+  }
+}
+
+output rg_id string = resourceGroup().id
+output net_nva_id string = net_nva.id
+output net_spoke1_id string = net_spoke1.id
+output net_spoke2_id string = net_spoke2.id

deploy_vwan/src/wan/connections.bicep

@@ -0,0 +1,31 @@
+param shortLocation string
+param octet2 int
+
+param net_nva_id string
+
+resource connection_nva 'Microsoft.Network/virtualHubs/hubVirtualNetworkConnections@2020-08-01' = {
+  name: '${shortLocation}/${last(split(net_nva_id,'/'))}'
+  properties: {
+    remoteVirtualNetwork: {
+      id: net_nva_id
+    }
+    allowHubToRemoteVnetTransit: true
+    allowRemoteVnetToUseHubVnetGateways: false
+    routingConfiguration: {
+      vnetRoutes: {
+        staticRoutes: [
+          {
+            name: shortLocation
+            addressPrefixes: [
+              '10.${octet2}.0.0/16'
+            ]
+            nextHopIpAddress: '10.${octet2}.255.4'
+          }         
+        ]
+      }
+    }
+  }
+}
+
+output rg_id string = resourceGroup().id
+output connection_nva_id string = connection_nva.id

deploy_vwan/src/wan/hub.bicep

@@ -0,0 +1,19 @@
+param location string
+param shortLocation string
+param octet2 int
+
+param vwan_id string
+
+resource hub 'Microsoft.Network/virtualHubs@2020-06-01' = {
+  name: shortLocation
+  location: location
+  properties: {
+    addressPrefix: '10.${octet2}.0.0/24'
+    virtualWan: {
+      id: vwan_id
+    }
+  }
+}
+
+output rg_id string = resourceGroup().id
+output hub_id string = hub.id

deploy_vwan/src/wan/main.bicep

@@ -0,0 +1,99 @@
+param primaryRegionLocation string
+param secondaryRegionLocation string 
+
+param primaryRegionShortLocation string 
+param secondaryRegionShortLocation string
+
+param primaryRegionOctet2 int
+param secondaryRegionOctet2 int
+
+param net_nva_id_1 string
+param net_nva_id_2 string
+
+resource vwan 'Microsoft.Network/virtualWans@2020-11-01' = {
+  name: 'au-vwan'
+  location: primaryRegionLocation
+  properties: {
+    disableVpnEncryption: false
+    allowBranchToBranchTraffic: true
+    type: 'Standard'
+  }
+}
+
+module hub_1 'hub.bicep' = {
+  name: 'hub-${primaryRegionShortLocation}'
+  params: {
+    location: primaryRegionLocation
+    shortLocation: primaryRegionShortLocation
+    octet2: primaryRegionOctet2
+    vwan_id: vwan.id
+  }
+}
+module hub_2 'hub.bicep' = {
+  name: 'hub-${secondaryRegionShortLocation}'
+  params: {
+    location: secondaryRegionLocation
+    shortLocation: secondaryRegionShortLocation
+    octet2: secondaryRegionOctet2
+    vwan_id: vwan.id
+  }
+}
+
+module connections_1 'connections.bicep' = {
+  name: 'connections-${primaryRegionShortLocation}'
+  params: {
+    shortLocation: primaryRegionShortLocation
+    octet2: primaryRegionOctet2
+    net_nva_id: net_nva_id_1
+  }
+  dependsOn: [
+    hub_1
+  ]
+}
+module connections_2 'connections.bicep' = {
+  name: 'connections-${secondaryRegionShortLocation}'
+  params: {
+    shortLocation: secondaryRegionShortLocation
+    octet2: secondaryRegionOctet2
+    net_nva_id: net_nva_id_2
+  }
+  dependsOn: [
+    hub_2
+  ]
+}
+
+module routes_1 'routes.bicep' = {
+  name: 'routes-${primaryRegionShortLocation}'
+  params: {
+    shortLocation: primaryRegionShortLocation
+    primaryRegionShortLocation: primaryRegionShortLocation
+    secondaryRegionShortLocation: secondaryRegionShortLocation
+    primaryRegionOctet2: primaryRegionOctet2
+    secondaryRegionOctet2: secondaryRegionOctet2
+    connection_id_1: connections_1.outputs.connection_nva_id
+    connection_id_2: connections_2.outputs.connection_nva_id
+  }
+  dependsOn: [
+    connections_1
+    connections_2
+  ]
+}
+module routes_2 'routes.bicep' = {
+  name: 'routes-${secondaryRegionShortLocation}'
+  params: {
+    shortLocation: secondaryRegionShortLocation
+    primaryRegionShortLocation: primaryRegionShortLocation
+    secondaryRegionShortLocation: secondaryRegionShortLocation
+    primaryRegionOctet2: primaryRegionOctet2
+    secondaryRegionOctet2: secondaryRegionOctet2    
+    connection_id_1: connections_1.outputs.connection_nva_id
+    connection_id_2: connections_2.outputs.connection_nva_id
+  }
+  dependsOn: [
+    connections_1
+    connections_2
+  ]
+}
+
+output rg_id string = resourceGroup().id
+output vwan_id string = vwan.id

deploy_vwan/src/wan/routes.bicep

@@ -0,0 +1,48 @@
+param shortLocation string
+
+param primaryRegionShortLocation string 
+param secondaryRegionShortLocation string
+
+param primaryRegionOctet2 int
+param secondaryRegionOctet2 int
+
+param connection_id_1 string
+param connection_id_2 string
+
+resource hub 'Microsoft.Network/virtualHubs@2020-06-01' existing = {
+  name: shortLocation
+}
+
+resource routes 'Microsoft.Network/virtualHubs/hubRouteTables@2021-03-01' = {
+  name: 'defaultRouteTable'
+  parent: hub
+  properties: {
+    routes: [
+      {
+        name: primaryRegionShortLocation
+        destinationType: 'CIDR'
+        destinations: [
+          '10.${primaryRegionOctet2}.0.0/16'
+        ]
+        nextHopType: 'ResourceId'      
+        nextHop: connection_id_1
+      }   
+      {
+        name: secondaryRegionShortLocation
+        destinationType: 'CIDR'
+        destinations: [
+          '10.${secondaryRegionOctet2}.0.0/16'
+        ]
+        nextHopType: 'ResourceId'      
+        nextHop: connection_id_2
+      }                    
+    ]
+    labels: [
+      'default'
+    ]
+  }
+}
+
+output rg_id string = resourceGroup().id
+output routes_id string = routes.id
+