From e2d7f1f97b45edca615c540ae733133c87dd75e9 Mon Sep 17 00:00:00 2001 From: Breanna-Stryker <74314422+Breanna-Stryker@users.noreply.github.com> Date: Thu, 27 Jan 2022 17:44:43 -0500 Subject: [PATCH] Allow traffic between spokes by default (#622) --- src/bicep/README.md | 1 + src/bicep/mlz.bicep | 82 +++++++++- src/bicep/mlz.json | 142 ++++++++++++++++-- src/bicep/modules/firewall.bicep | 31 ++++ src/bicep/modules/hubNetwork.bicep | 2 + src/bicep/modules/virtualNetworkPeering.bicep | 1 + 6 files changed, 246 insertions(+), 13 deletions(-) diff --git a/src/bicep/README.md b/src/bicep/README.md index 8f7770785..99c0ccf89 100644 --- a/src/bicep/README.md +++ b/src/bicep/README.md 
@@ -35,6 +35,7 @@ Parameter name | Required | Description `firewallClientPublicIPAddressAvailabilityZones` | No | An array of Azure Firewall Public IP Address Availability Zones. It defaults to empty, or "No-Zone", because Availability Zones are not available in every cloud. See https://docs.microsoft.com/en-us/azure/virtual-network/ip-services/public-ip-addresses#sku for valid settings. `firewallManagementSubnetServiceEndpoints` | No | An array of Service Endpoints to enable for the Azure Firewall Management Subnet. See https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview for valid settings. `firewallManagementPublicIPAddressAvailabilityZones` | No | An array of Azure Firewall Public IP Address Availability Zones. It defaults to empty, or "No-Zone", because Availability Zones are not available in every cloud. See https://docs.microsoft.com/en-us/azure/virtual-network/ip-services/public-ip-addresses#sku for valid settings. +`firewallSupernetIPAddress` | No | Supernet CIDR address for the entire network of vnets, this address allows for communication between spokes. Recommended to use a Supernet calculator if modifying vnet addresses `publicIPAddressDiagnosticsLogs` | No | An array of Public IP Address Diagnostic Logs for the Azure Firewall. See https://docs.microsoft.com/en-us/azure/ddos-protection/diagnostic-logging?tabs=DDoSProtectionNotifications#configure-ddos-diagnostic-logs for valid settings. `publicIPAddressDiagnosticsMetrics` | No | An array of Public IP Address Diagnostic Metrics for the Azure Firewall. See https://docs.microsoft.com/en-us/azure/ddos-protection/diagnostic-logging?tabs=DDoSProtectionNotifications for valid settings. `hubVirtualNetworkDiagnosticsLogs` | No | An array of Network Diagnostic Logs to enable for the Hub Virtual Network. See https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostic-settings?tabs=CMD#logs for valid settings. 
diff --git a/src/bicep/mlz.bicep b/src/bicep/mlz.bicep index 6465dad41..17af5b6a1 100644 --- a/src/bicep/mlz.bicep +++ b/src/bicep/mlz.bicep @@ -139,6 +139,9 @@ param firewallManagementSubnetServiceEndpoints array = [] @description('An array of Azure Firewall Public IP Address Availability Zones. It defaults to empty, or "No-Zone", because Availability Zones are not available in every cloud. See https://docs.microsoft.com/en-us/azure/virtual-network/ip-services/public-ip-addresses#sku for valid settings.') param firewallManagementPublicIPAddressAvailabilityZones array = [] +@description('Supernet CIDR address for the entire network of vnets, this address allows for communication between spokes. Recommended to use a Supernet calculator if modifying vnet addresses') +param firewallSupernetIPAddress string = '10.0.96.0/19' + @description('An array of Public IP Address Diagnostic Logs for the Azure Firewall. See https://docs.microsoft.com/en-us/azure/ddos-protection/diagnostic-logging?tabs=DDoSProtectionNotifications#configure-ddos-diagnostic-logs for valid settings.') param publicIPAddressDiagnosticsLogs array = [ { 
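Review bot: The new `firewallSupernetIPAddress` parameter is not tied to the spoke prefixes it is meant to cover, so a deployment that changes `identityVirtualNetworkAddressPrefix`, `operationsVirtualNetworkAddressPrefix` or `sharedServicesVirtualNetworkAddressPrefix` without also updating the supernet will either stop matching at the firewall or, if the supernet is wider than the spokes, permit sources the operator never intended. The description should state that coupling and what the value feeds, e.g. `@description('CIDR that must contain every spoke virtual network address prefix (identity, operations, sharedServices). It is the source range of the firewall network rule that permits traffic between spokes; anything inside it is allowed through, so keep it as narrow as the spokes require.')`. The README row in the first hunk of this patch should carry the same wording so the two descriptions do not drift.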
@@ -205,7 +208,31 @@ param identityVirtualNetworkDiagnosticsLogs array = [] param identityVirtualNetworkDiagnosticsMetrics array = [] @description('An array of Network Security Group Rules to apply to the Identity Virtual Network. See https://docs.microsoft.com/en-us/azure/templates/microsoft.network/networksecuritygroups/securityrules?tabs=bicep#securityrulepropertiesformat for valid settings.') -param identityNetworkSecurityGroupRules array = [] +param identityNetworkSecurityGroupRules array = [ + { + name: 'Allow-Traffic-From-Spokes' + properties: { + access: 'Allow' + description: 'Allow traffic from spokes' + destinationAddressPrefix: identityVirtualNetworkAddressPrefix + destinationPortRanges: [ + '22' + '80' + '443' + '3389' + ] + direction: 'Inbound' + priority: 200 + protocol: '*' + sourceAddressPrefixes: [ + operationsVirtualNetworkAddressPrefix + sharedServicesVirtualNetworkAddressPrefix + ] + sourcePortRange: '*' + } + type: 'string' + } +] @description('An array of Network Security Group diagnostic logs to apply to the Identity Virtual Network. See https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-nsg-manage-log#log-categories for valid settings.') param identityNetworkSecurityGroupDiagnosticsLogs array = [ 
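Review bot: Each rule object ends with `type: 'string'`, which appears to be a leftover from the securityRules schema listing in the linked docs rather than an intended value; `type` on a security rule is the read-only resource-type field and the literal `'string'` is not meaningful there, so the line should be dropped. The same applies to the operations hunk (`-238,7 +265,31`) and the sharedServices hunk (`-271,7 +322,31`); in the operations hunk the closing `}` of the rule object is also flush with `]` instead of indented like its siblings. Since 22, 80, 443 and 3389 are TCP services, `protocol: 'Tcp'` would express the intent more tightly than `protocol: '*'`, which also admits UDP to those port numbers. The README hunk documents the new parameter but not that these three defaults now open SSH, HTTP, HTTPS and RDP inbound between spokes out of the box; that posture change deserves a sentence in the `*NetworkSecurityGroupRules` rows.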
@@ -238,7 +265,31 @@ param operationsVirtualNetworkDiagnosticsLogs array = [] param operationsVirtualNetworkDiagnosticsMetrics array = [] @description('An array of Network Security Group rules to apply to the Operations Virtual Network. See https://docs.microsoft.com/en-us/azure/templates/microsoft.network/networksecuritygroups/securityrules?tabs=bicep#securityrulepropertiesformat for valid settings.') -param operationsNetworkSecurityGroupRules array = [] +param operationsNetworkSecurityGroupRules array = [ + { + name: 'Allow-Traffic-From-Spokes' + properties: { + access: 'Allow' + description: 'Allow traffic from spokes' + destinationAddressPrefix: operationsVirtualNetworkAddressPrefix + destinationPortRanges: [ + '22' + '80' + '443' + '3389' + ] + direction: 'Inbound' + priority: 200 + protocol: '*' + sourceAddressPrefixes: [ + identityVirtualNetworkAddressPrefix + sharedServicesVirtualNetworkAddressPrefix + ] + sourcePortRange: '*' + } + type: 'string' +} +] @description('An array of Network Security Group diagnostic logs to apply to the Operations Virtual Network. See https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-nsg-manage-log#log-categories for valid settings.') param operationsNetworkSecurityGroupDiagnosticsLogs array = [ 
@@ -271,7 +322,31 @@ param sharedServicesVirtualNetworkDiagnosticsLogs array = [] param sharedServicesVirtualNetworkDiagnosticsMetrics array = [] @description('An array of Network Security Group rules to apply to the SharedServices Virtual Network. See https://docs.microsoft.com/en-us/azure/templates/microsoft.network/networksecuritygroups/securityrules?tabs=bicep#securityrulepropertiesformat for valid settings.') -param sharedServicesNetworkSecurityGroupRules array = [] +param sharedServicesNetworkSecurityGroupRules array = [ + { + name: 'Allow-Traffic-From-Spokes' + properties: { + access: 'Allow' + description: 'Allow traffic from spokes' + destinationAddressPrefix: sharedServicesVirtualNetworkAddressPrefix + destinationPortRanges: [ + '22' + '80' + '443' + '3389' + ] + direction: 'Inbound' + priority: 200 + protocol: '*' + sourceAddressPrefixes: [ + operationsVirtualNetworkAddressPrefix + identityVirtualNetworkAddressPrefix + ] + sourcePortRange: '*' + } + type: 'string' + } +] @description('An array of Network Security Group diagnostic logs to apply to the SharedServices Virtual Network. See https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-nsg-manage-log#log-categories for valid settings.') param sharedServicesNetworkSecurityGroupDiagnosticsLogs array = [ @@ -730,6 +805,7 @@ module hubNetwork './modules/hubNetwork.bicep' = { firewallManagementPublicIPAddressSkuName: firewallPublicIpAddressSkuName firewallManagementPublicIpAllocationMethod: firewallPublicIpAddressAllocationMethod firewallManagementPublicIPAddressAvailabilityZones: firewallManagementPublicIPAddressAvailabilityZones + firewallSupernetIPAddress: firewallSupernetIPAddress publicIPAddressDiagnosticsLogs: publicIPAddressDiagnosticsLogs publicIPAddressDiagnosticsMetrics: publicIPAddressDiagnosticsMetrics diff --git a/src/bicep/mlz.json b/src/bicep/mlz.json index 1c32a91c0..9f7e3c48f 100644 --- a/src/bicep/mlz.json +++ b/src/bicep/mlz.json 
@@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.4.1124.51302", - "templateHash": "1118457920660514703" + "templateHash": "9598620800925226147" } }, "parameters": { @@ -240,6 +240,13 @@ "description": "An array of Azure Firewall Public IP Address Availability Zones. It defaults to empty, or \"No-Zone\", because Availability Zones are not available in every cloud. See https://docs.microsoft.com/en-us/azure/virtual-network/ip-services/public-ip-addresses#sku for valid settings." } }, + "firewallSupernetIPAddress": { + "type": "string", + "defaultValue": "10.0.96.0/19", + "metadata": { + "description": "Supernet CIDR address for the entire network of vnets, this address allows for communication between spokes. Recommended to use a Supernet calculator if modifying vnet addresses" + } + }, "publicIPAddressDiagnosticsLogs": { "type": "array", "defaultValue": [ @@ -343,7 +350,31 @@ }, "identityNetworkSecurityGroupRules": { "type": "array", - "defaultValue": [], + "defaultValue": [ + { + "name": "Allow-Traffic-From-Spokes", + "properties": { + "access": "Allow", + "description": "Allow traffic from spokes", + "destinationAddressPrefix": "[parameters('identityVirtualNetworkAddressPrefix')]", + "destinationPortRanges": [ + "22", + "80", + "443", + "3389" + ], + "direction": "Inbound", + "priority": 200, + "protocol": "*", + "sourceAddressPrefixes": [ + "[parameters('operationsVirtualNetworkAddressPrefix')]", + "[parameters('sharedServicesVirtualNetworkAddressPrefix')]" + ], + "sourcePortRange": "*" + }, + "type": "string" + } + ], "metadata": { "description": "An array of Network Security Group Rules to apply to the Identity Virtual Network. See https://docs.microsoft.com/en-us/azure/templates/microsoft.network/networksecuritygroups/securityrules?tabs=bicep#securityrulepropertiesformat for valid settings." } 
@@ -398,7 +429,31 @@ }, "operationsNetworkSecurityGroupRules": { "type": "array", - "defaultValue": [], + "defaultValue": [ + { + "name": "Allow-Traffic-From-Spokes", + "properties": { + "access": "Allow", + "description": "Allow traffic from spokes", + "destinationAddressPrefix": "[parameters('operationsVirtualNetworkAddressPrefix')]", + "destinationPortRanges": [ + "22", + "80", + "443", + "3389" + ], + "direction": "Inbound", + "priority": 200, + "protocol": "*", + "sourceAddressPrefixes": [ + "[parameters('identityVirtualNetworkAddressPrefix')]", + "[parameters('sharedServicesVirtualNetworkAddressPrefix')]" + ], + "sourcePortRange": "*" + }, + "type": "string" + } + ], "metadata": { "description": "An array of Network Security Group rules to apply to the Operations Virtual Network. See https://docs.microsoft.com/en-us/azure/templates/microsoft.network/networksecuritygroups/securityrules?tabs=bicep#securityrulepropertiesformat for valid settings." } @@ -453,7 +508,31 @@ }, "sharedServicesNetworkSecurityGroupRules": { "type": "array", - "defaultValue": [], + "defaultValue": [ + { + "name": "Allow-Traffic-From-Spokes", + "properties": { + "access": "Allow", + "description": "Allow traffic from spokes", + "destinationAddressPrefix": "[parameters('sharedServicesVirtualNetworkAddressPrefix')]", + "destinationPortRanges": [ + "22", + "80", + "443", + "3389" + ], + "direction": "Inbound", + "priority": 200, + "protocol": "*", + "sourceAddressPrefixes": [ + "[parameters('operationsVirtualNetworkAddressPrefix')]", + "[parameters('identityVirtualNetworkAddressPrefix')]" + ], + "sourcePortRange": "*" + }, + "type": "string" + } + ], "metadata": { "description": "An array of Network Security Group rules to apply to the SharedServices Virtual Network. See https://docs.microsoft.com/en-us/azure/templates/microsoft.network/networksecuritygroups/securityrules?tabs=bicep#securityrulepropertiesformat for valid settings." } 
@@ -1381,6 +1460,9 @@ "firewallManagementPublicIPAddressAvailabilityZones": { "value": "[parameters('firewallManagementPublicIPAddressAvailabilityZones')]" }, + "firewallSupernetIPAddress": { + "value": "[parameters('firewallSupernetIPAddress')]" + }, "publicIPAddressDiagnosticsLogs": { "value": "[parameters('publicIPAddressDiagnosticsLogs')]" }, @@ -1395,7 +1477,7 @@ "_generator": { "name": "bicep", "version": "0.4.1124.51302", - "templateHash": "17051388440557968847" + "templateHash": "11458318329795931964" } }, "parameters": { @@ -1477,6 +1559,9 @@ "firewallPolicyName": { "type": "string" }, + "firewallSupernetIPAddress": { + "type": "string" + }, "firewallThreatIntelMode": { "type": "string", "allowedValues": [ @@ -2316,6 +2401,9 @@ "clientIpConfigurationPublicIPAddressResourceId": { "value": "[reference(resourceId('Microsoft.Resources/deployments', 'firewallClientPublicIPAddress'), '2020-10-01').outputs.id.value]" }, + "firewallSupernetIPAddress": { + "value": "[parameters('firewallSupernetIPAddress')]" + }, "managementIpConfigurationName": { "value": "[parameters('firewallManagementIpConfigurationName')]" }, @@ -2345,7 +2433,7 @@ "_generator": { "name": "bicep", "version": "0.4.1124.51302", - "templateHash": "16584291901786360410" + "templateHash": "4253924211133862661" } }, "parameters": { @@ -2400,6 +2488,9 @@ "firewallPolicyName": { "type": "string" }, + "firewallSupernetIPAddress": { + "type": "string" + }, "logStorageAccountResourceId": { "type": "string" }, 
@@ -2511,6 +2602,35 @@ ], "name": "AllowAzureCloud", "priority": 100 + }, + { + "ruleCollectionType": "FirewallPolicyFilterRuleCollection", + "action": { + "type": "Allow" + }, + "rules": [ + { + "ruleType": "NetworkRule", + "name": "AllSpokeTraffic", + "ipProtocols": [ + "Any" + ], + "sourceAddresses": [ + "[parameters('firewallSupernetIPAddress')]" + ], + "sourceIpGroups": [], + "destinationAddresses": [ + "*" + ], + "destinationIpGroups": [], + "destinationFqdns": [], + "destinationPorts": [ + "*" + ] + } + ], + "name": "AllowTrafficBetweenSpokes", + "priority": 200 } ] }, @@ -3609,7 +3729,7 @@ "_generator": { "name": "bicep", "version": "0.4.1124.51302", - "templateHash": "1767605230483986077" + "templateHash": "485438933319305543" } }, "parameters": { @@ -3649,7 +3769,7 @@ "_generator": { "name": "bicep", "version": "0.4.1124.51302", - "templateHash": "16609137319418689057" + "templateHash": "8767588004842445770" } }, "parameters": { @@ -3666,6 +3786,7 @@ "apiVersion": "2021-02-01", "name": "[parameters('name')]", "properties": { + "allowForwardedTraffic": true, "remoteVirtualNetwork": { "id": "[parameters('remoteVirtualNetworkResourceId')]" } @@ -3722,7 +3843,7 @@ "_generator": { "name": "bicep", "version": "0.4.1124.51302", - "templateHash": "11446754582894399873" + "templateHash": "13959757217405312631" } }, "parameters": { @@ -3768,7 +3889,7 @@ "_generator": { "name": "bicep", "version": "0.4.1124.51302", - "templateHash": "16609137319418689057" + "templateHash": "8767588004842445770" } }, "parameters": { @@ -3785,6 +3906,7 @@ "apiVersion": "2021-02-01", "name": "[parameters('name')]", "properties": { + "allowForwardedTraffic": true, "remoteVirtualNetwork": { "id": "[parameters('remoteVirtualNetworkResourceId')]" } diff --git a/src/bicep/modules/firewall.bicep b/src/bicep/modules/firewall.bicep index a0089f6b5..14cba54bd 100644 --- a/src/bicep/modules/firewall.bicep +++ b/src/bicep/modules/firewall.bicep 
@@ -28,6 +28,8 @@ param managementIpConfigurationPublicIPAddressResourceId string param firewallPolicyName string +param firewallSupernetIPAddress string + param logStorageAccountResourceId string param logAnalyticsWorkspaceResourceId string @@ -132,6 +134,35 @@ resource firewallNetworkRuleCollectionGroup 'Microsoft.Network/firewallPolicies/ name: 'AllowAzureCloud' priority: 100 } + { + ruleCollectionType: 'FirewallPolicyFilterRuleCollection' + action: { + type: 'Allow' + } + rules: [ + { + ruleType: 'NetworkRule' + name: 'AllSpokeTraffic' + ipProtocols: [ + 'Any' + ] + sourceAddresses: [ + firewallSupernetIPAddress + ] + sourceIpGroups: [] + destinationAddresses: [ + '*' + ] + destinationIpGroups: [] + destinationFqdns: [] + destinationPorts: [ + '*' + ] + } + ] + name: 'AllowTrafficBetweenSpokes' + priority: 200 + } ] } } diff --git a/src/bicep/modules/hubNetwork.bicep b/src/bicep/modules/hubNetwork.bicep index 3783aea53..27769cabb 100644 --- a/src/bicep/modules/hubNetwork.bicep +++ b/src/bicep/modules/hubNetwork.bicep @@ -29,6 +29,7 @@ param routeTableRouteNextHopType string = 'VirtualAppliance' param firewallName string param firewallSkuTier string param firewallPolicyName string +param firewallSupernetIPAddress string @allowed([ 'Alert' @@ -218,6 +219,7 @@ module firewall './firewall.bicep' = { clientIpConfigurationName: firewallClientIpConfigurationName clientIpConfigurationSubnetResourceId: '${virtualNetwork.outputs.id}/subnets/${firewallClientSubnetName}' clientIpConfigurationPublicIPAddressResourceId: firewallClientPublicIPAddress.outputs.id + firewallSupernetIPAddress: firewallSupernetIPAddress managementIpConfigurationName: firewallManagementIpConfigurationName managementIpConfigurationSubnetResourceId: '${virtualNetwork.outputs.id}/subnets/${firewallManagementSubnetName}' diff --git a/src/bicep/modules/virtualNetworkPeering.bicep b/src/bicep/modules/virtualNetworkPeering.bicep index a26b4f861..6142ac788 100644 
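Review bot: The `AllSpokeTraffic` network rule permits the supernet to reach `destinationAddresses: [ '*' ]` on `destinationPorts: [ '*' ]` for any protocol, which is considerably wider than the collection name `AllowTrafficBetweenSpokes` suggests: any source inside the supernet is allowed to every destination the firewall routes, including the hub and, if the spokes' default route points at the firewall as `routeTableRouteNextHopType = 'VirtualAppliance'` in the hubNetwork hunk suggests, the internet. Bounding the destination to the same range, `destinationAddresses: [ firewallSupernetIPAddress ]`, makes the rule match its name, and egress to other ranges can then be granted deliberately in its own collection. The `mlz.json` hunk at `-2511,6 +2602,35` is the compiled copy of this rule and needs regenerating once the source is fixed. Because the rule is keyed solely on `firewallSupernetIPAddress`, a value that does not contain the spoke prefixes silently disables spoke-to-spoke traffic and a value wider than needed silently widens what is allowed, so a comment on the rule naming that dependency would help, e.g. `// source range must equal the union of the spoke vnet prefixes; see firewallSupernetIPAddress`.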
--- a/src/bicep/modules/virtualNetworkPeering.bicep +++ b/src/bicep/modules/virtualNetworkPeering.bicep @@ -4,6 +4,7 @@ param remoteVirtualNetworkResourceId string resource virtualNetworkPeering 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2021-02-01' = { name: name properties: { + allowForwardedTraffic: true remoteVirtualNetwork: { id: remoteVirtualNetworkResourceId }
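Review bot: `allowForwardedTraffic: true` is hard-coded into a module that, judging by the two identical nested peering templates in `mlz.json`, is used for both hub-to-spoke and spoke-to-hub peerings, so every peering now accepts traffic that did not originate in the remote VNet whether or not that deployment routes through the firewall. Exposing it as `param allowForwardedTraffic bool = true` and writing `allowForwardedTraffic: allowForwardedTraffic` keeps the new default while letting a caller tighten a peering that does not need forwarding. A one-line why-comment would also help the next reader: `// accept traffic forwarded by the hub firewall so spoke-to-spoke flows are not dropped at the peering`. The `virtualNetworkPeering` resource block opened in this hunk closes outside it.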