Allow traffic between spokes by default (#622)
Breanna-Stryker authored Jan 27, 2022
1 parent b7e1d7e commit 568c676
Showing 6 changed files with 246 additions and 13 deletions.
1 change: 1 addition & 0 deletions src/bicep/README.md
Expand Up @@ -35,6 +35,7 @@ Parameter name | Required | Description
`firewallClientPublicIPAddressAvailabilityZones` | No | An array of Azure Firewall Public IP Address Availability Zones. It defaults to empty, or "No-Zone", because Availability Zones are not available in every cloud. See https://docs.microsoft.com/en-us/azure/virtual-network/ip-services/public-ip-addresses#sku for valid settings.
`firewallManagementSubnetServiceEndpoints` | No | An array of Service Endpoints to enable for the Azure Firewall Management Subnet. See https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview for valid settings.
`firewallManagementPublicIPAddressAvailabilityZones` | No | An array of Azure Firewall Public IP Address Availability Zones. It defaults to empty, or "No-Zone", because Availability Zones are not available in every cloud. See https://docs.microsoft.com/en-us/azure/virtual-network/ip-services/public-ip-addresses#sku for valid settings.
`firewallSupernetIPAddress` | No | Supernet CIDR address for the entire network of vnets, this address allows for communication between spokes. Recommended to use a Supernet calculator if modifying vnet addresses
`publicIPAddressDiagnosticsLogs` | No | An array of Public IP Address Diagnostic Logs for the Azure Firewall. See https://docs.microsoft.com/en-us/azure/ddos-protection/diagnostic-logging?tabs=DDoSProtectionNotifications#configure-ddos-diagnostic-logs for valid settings.
`publicIPAddressDiagnosticsMetrics` | No | An array of Public IP Address Diagnostic Metrics for the Azure Firewall. See https://docs.microsoft.com/en-us/azure/ddos-protection/diagnostic-logging?tabs=DDoSProtectionNotifications for valid settings.
`hubVirtualNetworkDiagnosticsLogs` | No | An array of Network Diagnostic Logs to enable for the Hub Virtual Network. See https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostic-settings?tabs=CMD#logs for valid settings.
82 changes: 79 additions & 3 deletions src/bicep/mlz.bicep
Expand Up @@ -139,6 +139,9 @@ param firewallManagementSubnetServiceEndpoints array = []
@description('An array of Azure Firewall Public IP Address Availability Zones. It defaults to empty, or "No-Zone", because Availability Zones are not available in every cloud. See https://docs.microsoft.com/en-us/azure/virtual-network/ip-services/public-ip-addresses#sku for valid settings.')
param firewallManagementPublicIPAddressAvailabilityZones array = []

@description('Supernet CIDR address for the entire network of vnets, this address allows for communication between spokes. Recommended to use a Supernet calculator if modifying vnet addresses')
param firewallSupernetIPAddress string = '10.0.96.0/19'

@description('An array of Public IP Address Diagnostic Logs for the Azure Firewall. See https://docs.microsoft.com/en-us/azure/ddos-protection/diagnostic-logging?tabs=DDoSProtectionNotifications#configure-ddos-diagnostic-logs for valid settings.')
param publicIPAddressDiagnosticsLogs array = [
{
Expand Down Expand Up @@ -205,7 +208,31 @@ param identityVirtualNetworkDiagnosticsLogs array = []
param identityVirtualNetworkDiagnosticsMetrics array = []

@description('An array of Network Security Group Rules to apply to the Identity Virtual Network. See https://docs.microsoft.com/en-us/azure/templates/microsoft.network/networksecuritygroups/securityrules?tabs=bicep#securityrulepropertiesformat for valid settings.')
param identityNetworkSecurityGroupRules array = []
param identityNetworkSecurityGroupRules array = [
{
name: 'Allow-Traffic-From-Spokes'
properties: {
access: 'Allow'
description: 'Allow traffic from spokes'
destinationAddressPrefix: identityVirtualNetworkAddressPrefix
destinationPortRanges: [
'22'
'80'
'443'
'3389'
]
direction: 'Inbound'
priority: 200
protocol: '*'
sourceAddressPrefixes: [
operationsVirtualNetworkAddressPrefix
sharedServicesVirtualNetworkAddressPrefix
]
sourcePortRange: '*'
}
type: 'string'
}
]

@description('An array of Network Security Group diagnostic logs to apply to the Identity Virtual Network. See https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-nsg-manage-log#log-categories for valid settings.')
param identityNetworkSecurityGroupDiagnosticsLogs array = [
Expand Down Expand Up @@ -238,7 +265,31 @@ param operationsVirtualNetworkDiagnosticsLogs array = []
param operationsVirtualNetworkDiagnosticsMetrics array = []

@description('An array of Network Security Group rules to apply to the Operations Virtual Network. See https://docs.microsoft.com/en-us/azure/templates/microsoft.network/networksecuritygroups/securityrules?tabs=bicep#securityrulepropertiesformat for valid settings.')
param operationsNetworkSecurityGroupRules array = []
param operationsNetworkSecurityGroupRules array = [
{
name: 'Allow-Traffic-From-Spokes'
properties: {
access: 'Allow'
description: 'Allow traffic from spokes'
destinationAddressPrefix: operationsVirtualNetworkAddressPrefix
destinationPortRanges: [
'22'
'80'
'443'
'3389'
]
direction: 'Inbound'
priority: 200
protocol: '*'
sourceAddressPrefixes: [
identityVirtualNetworkAddressPrefix
sharedServicesVirtualNetworkAddressPrefix
]
sourcePortRange: '*'
}
type: 'string'
}
]

@description('An array of Network Security Group diagnostic logs to apply to the Operations Virtual Network. See https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-nsg-manage-log#log-categories for valid settings.')
param operationsNetworkSecurityGroupDiagnosticsLogs array = [
Expand Down Expand Up @@ -271,7 +322,31 @@ param sharedServicesVirtualNetworkDiagnosticsLogs array = []
param sharedServicesVirtualNetworkDiagnosticsMetrics array = []

@description('An array of Network Security Group rules to apply to the SharedServices Virtual Network. See https://docs.microsoft.com/en-us/azure/templates/microsoft.network/networksecuritygroups/securityrules?tabs=bicep#securityrulepropertiesformat for valid settings.')
param sharedServicesNetworkSecurityGroupRules array = []
param sharedServicesNetworkSecurityGroupRules array = [
{
name: 'Allow-Traffic-From-Spokes'
properties: {
access: 'Allow'
description: 'Allow traffic from spokes'
destinationAddressPrefix: sharedServicesVirtualNetworkAddressPrefix
destinationPortRanges: [
'22'
'80'
'443'
'3389'
]
direction: 'Inbound'
priority: 200
protocol: '*'
sourceAddressPrefixes: [
operationsVirtualNetworkAddressPrefix
identityVirtualNetworkAddressPrefix
]
sourcePortRange: '*'
}
type: 'string'
}
]

@description('An array of Network Security Group diagnostic logs to apply to the SharedServices Virtual Network. See https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-nsg-manage-log#log-categories for valid settings.')
param sharedServicesNetworkSecurityGroupDiagnosticsLogs array = [
Expand Down Expand Up @@ -730,6 +805,7 @@ module hubNetwork './modules/hubNetwork.bicep' = {
firewallManagementPublicIPAddressSkuName: firewallPublicIpAddressSkuName
firewallManagementPublicIpAllocationMethod: firewallPublicIpAddressAllocationMethod
firewallManagementPublicIPAddressAvailabilityZones: firewallManagementPublicIPAddressAvailabilityZones
firewallSupernetIPAddress: firewallSupernetIPAddress

publicIPAddressDiagnosticsLogs: publicIPAddressDiagnosticsLogs
publicIPAddressDiagnosticsMetrics: publicIPAddressDiagnosticsMetrics
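Review bot: Each of the three new default NSG rules (identityNetworkSecurityGroupRules, operationsNetworkSecurityGroupRules, sharedServicesNetworkSecurityGroupRules) carries `type: 'string'` beside `name` and `properties`; that reads like the type placeholder copied from the securityRules template reference rather than an intended value, and removing that line from each rule object would leave the rule itself unchanged. Those same defaults now open ports 22, 80, 443 and 3389 inbound on any protocol from the other two spoke prefixes for every deployment that keeps the parameter default, so the README rows for the three parameters should state it, e.g. `Defaults to a single rule allowing inbound traffic on ports 22, 80, 443 and 3389 from the other two spoke virtual network address prefixes.` Separately, the compiled mlz.json on this page shows the firewall network rule that consumes the new `firewallSupernetIPAddress` with `"destinationAddresses": ["*"]` and `"destinationPorts": ["*"]`, which appears to allow the supernet to reach any destination rather than only the other spokes; setting the destination to `[parameters('firewallSupernetIPAddress')]` as well would match the commit's stated intent. The bicep source of that rule is not part of this file section, so I cannot confirm the fix location here.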
142 changes: 132 additions & 10 deletions src/bicep/mlz.json
Expand Up @@ -5,7 +5,7 @@
"_generator": {
"name": "bicep",
"version": "0.4.1124.51302",
"templateHash": "1118457920660514703"
"templateHash": "9598620800925226147"
}
},
"parameters": {
Expand Down Expand Up @@ -240,6 +240,13 @@
"description": "An array of Azure Firewall Public IP Address Availability Zones. It defaults to empty, or \"No-Zone\", because Availability Zones are not available in every cloud. See https://docs.microsoft.com/en-us/azure/virtual-network/ip-services/public-ip-addresses#sku for valid settings."
}
},
"firewallSupernetIPAddress": {
"type": "string",
"defaultValue": "10.0.96.0/19",
"metadata": {
"description": "Supernet CIDR address for the entire network of vnets, this address allows for communication between spokes. Recommended to use a Supernet calculator if modifying vnet addresses"
}
},
"publicIPAddressDiagnosticsLogs": {
"type": "array",
"defaultValue": [
Expand Down Expand Up @@ -343,7 +350,31 @@
},
"identityNetworkSecurityGroupRules": {
"type": "array",
"defaultValue": [],
"defaultValue": [
{
"name": "Allow-Traffic-From-Spokes",
"properties": {
"access": "Allow",
"description": "Allow traffic from spokes",
"destinationAddressPrefix": "[parameters('identityVirtualNetworkAddressPrefix')]",
"destinationPortRanges": [
"22",
"80",
"443",
"3389"
],
"direction": "Inbound",
"priority": 200,
"protocol": "*",
"sourceAddressPrefixes": [
"[parameters('operationsVirtualNetworkAddressPrefix')]",
"[parameters('sharedServicesVirtualNetworkAddressPrefix')]"
],
"sourcePortRange": "*"
},
"type": "string"
}
],
"metadata": {
"description": "An array of Network Security Group Rules to apply to the Identity Virtual Network. See https://docs.microsoft.com/en-us/azure/templates/microsoft.network/networksecuritygroups/securityrules?tabs=bicep#securityrulepropertiesformat for valid settings."
}
Expand Down Expand Up @@ -398,7 +429,31 @@
},
"operationsNetworkSecurityGroupRules": {
"type": "array",
"defaultValue": [],
"defaultValue": [
{
"name": "Allow-Traffic-From-Spokes",
"properties": {
"access": "Allow",
"description": "Allow traffic from spokes",
"destinationAddressPrefix": "[parameters('operationsVirtualNetworkAddressPrefix')]",
"destinationPortRanges": [
"22",
"80",
"443",
"3389"
],
"direction": "Inbound",
"priority": 200,
"protocol": "*",
"sourceAddressPrefixes": [
"[parameters('identityVirtualNetworkAddressPrefix')]",
"[parameters('sharedServicesVirtualNetworkAddressPrefix')]"
],
"sourcePortRange": "*"
},
"type": "string"
}
],
"metadata": {
"description": "An array of Network Security Group rules to apply to the Operations Virtual Network. See https://docs.microsoft.com/en-us/azure/templates/microsoft.network/networksecuritygroups/securityrules?tabs=bicep#securityrulepropertiesformat for valid settings."
}
Expand Down Expand Up @@ -453,7 +508,31 @@
},
"sharedServicesNetworkSecurityGroupRules": {
"type": "array",
"defaultValue": [],
"defaultValue": [
{
"name": "Allow-Traffic-From-Spokes",
"properties": {
"access": "Allow",
"description": "Allow traffic from spokes",
"destinationAddressPrefix": "[parameters('sharedServicesVirtualNetworkAddressPrefix')]",
"destinationPortRanges": [
"22",
"80",
"443",
"3389"
],
"direction": "Inbound",
"priority": 200,
"protocol": "*",
"sourceAddressPrefixes": [
"[parameters('operationsVirtualNetworkAddressPrefix')]",
"[parameters('identityVirtualNetworkAddressPrefix')]"
],
"sourcePortRange": "*"
},
"type": "string"
}
],
"metadata": {
"description": "An array of Network Security Group rules to apply to the SharedServices Virtual Network. See https://docs.microsoft.com/en-us/azure/templates/microsoft.network/networksecuritygroups/securityrules?tabs=bicep#securityrulepropertiesformat for valid settings."
}
Expand Down Expand Up @@ -1381,6 +1460,9 @@
"firewallManagementPublicIPAddressAvailabilityZones": {
"value": "[parameters('firewallManagementPublicIPAddressAvailabilityZones')]"
},
"firewallSupernetIPAddress": {
"value": "[parameters('firewallSupernetIPAddress')]"
},
"publicIPAddressDiagnosticsLogs": {
"value": "[parameters('publicIPAddressDiagnosticsLogs')]"
},
Expand All @@ -1395,7 +1477,7 @@
"_generator": {
"name": "bicep",
"version": "0.4.1124.51302",
"templateHash": "17051388440557968847"
"templateHash": "11458318329795931964"
}
},
"parameters": {
Expand Down Expand Up @@ -1477,6 +1559,9 @@
"firewallPolicyName": {
"type": "string"
},
"firewallSupernetIPAddress": {
"type": "string"
},
"firewallThreatIntelMode": {
"type": "string",
"allowedValues": [
Expand Down Expand Up @@ -2316,6 +2401,9 @@
"clientIpConfigurationPublicIPAddressResourceId": {
"value": "[reference(resourceId('Microsoft.Resources/deployments', 'firewallClientPublicIPAddress'), '2020-10-01').outputs.id.value]"
},
"firewallSupernetIPAddress": {
"value": "[parameters('firewallSupernetIPAddress')]"
},
"managementIpConfigurationName": {
"value": "[parameters('firewallManagementIpConfigurationName')]"
},
Expand Down Expand Up @@ -2345,7 +2433,7 @@
"_generator": {
"name": "bicep",
"version": "0.4.1124.51302",
"templateHash": "16584291901786360410"
"templateHash": "4253924211133862661"
}
},
"parameters": {
Expand Down Expand Up @@ -2400,6 +2488,9 @@
"firewallPolicyName": {
"type": "string"
},
"firewallSupernetIPAddress": {
"type": "string"
},
"logStorageAccountResourceId": {
"type": "string"
},
Expand Down Expand Up @@ -2511,6 +2602,35 @@
],
"name": "AllowAzureCloud",
"priority": 100
},
{
"ruleCollectionType": "FirewallPolicyFilterRuleCollection",
"action": {
"type": "Allow"
},
"rules": [
{
"ruleType": "NetworkRule",
"name": "AllSpokeTraffic",
"ipProtocols": [
"Any"
],
"sourceAddresses": [
"[parameters('firewallSupernetIPAddress')]"
],
"sourceIpGroups": [],
"destinationAddresses": [
"*"
],
"destinationIpGroups": [],
"destinationFqdns": [],
"destinationPorts": [
"*"
]
}
],
"name": "AllowTrafficBetweenSpokes",
"priority": 200
}
]
},
Expand Down Expand Up @@ -3609,7 +3729,7 @@
"_generator": {
"name": "bicep",
"version": "0.4.1124.51302",
"templateHash": "1767605230483986077"
"templateHash": "485438933319305543"
}
},
"parameters": {
Expand Down Expand Up @@ -3649,7 +3769,7 @@
"_generator": {
"name": "bicep",
"version": "0.4.1124.51302",
"templateHash": "16609137319418689057"
"templateHash": "8767588004842445770"
}
},
"parameters": {
Expand All @@ -3666,6 +3786,7 @@
"apiVersion": "2021-02-01",
"name": "[parameters('name')]",
"properties": {
"allowForwardedTraffic": true,
"remoteVirtualNetwork": {
"id": "[parameters('remoteVirtualNetworkResourceId')]"
}
Expand Down Expand Up @@ -3722,7 +3843,7 @@
"_generator": {
"name": "bicep",
"version": "0.4.1124.51302",
"templateHash": "11446754582894399873"
"templateHash": "13959757217405312631"
}
},
"parameters": {
Expand Down Expand Up @@ -3768,7 +3889,7 @@
"_generator": {
"name": "bicep",
"version": "0.4.1124.51302",
"templateHash": "16609137319418689057"
"templateHash": "8767588004842445770"
}
},
"parameters": {
Expand All @@ -3785,6 +3906,7 @@
"apiVersion": "2021-02-01",
"name": "[parameters('name')]",
"properties": {
"allowForwardedTraffic": true,
"remoteVirtualNetwork": {
"id": "[parameters('remoteVirtualNetworkResourceId')]"
}