
Allow traffic between spokes by default #608

Closed
brooke-hamilton opened this issue Jan 13, 2022 · 1 comment · Fixed by #622 or #623
Labels
core New feature or request

Comments

@brooke-hamilton (Contributor)

Benefit/Result/Outcome

So that an IT Administrator does not have to figure out how to allow traffic between spokes, and has reference documentation on how the settings are applied and how to modify them.

Description

The current default is to not allow traffic between spokes. This is done in the vnet configuration and the firewall rules, and both must be modified to enable traffic. We want to change the default so that traffic is allowed and provide documentation on which settings are involved and how to modify them (pointing to docs.microsoft.com for details).

Acceptance Criteria

  • The peering setting on all vnets is set to allow traffic forwarded from a remote vnet.
  • A firewall group exists that includes all vnets.
  • A firewall rule exists, applied to the firewall group, that allows traffic spoke-to-spoke for ports 80, 443, SSH, and ping.
  • Documentation exists on how to configure traffic between spokes. (Not duplicative of documentation on docs.microsoft.com).
  • Documentation exists on allowing traffic to/from a remote gateway or VPN.
brooke-hamilton added the needs triage and core labels on Jan 13, 2022
@Phydeauxman (Contributor)

There are two settings we made to effect this for MLZ-EDGE:

  1. For each spoke Virtual Network, on the peer object, set the setting Traffic forwarded from remote virtual network to Allow.
  2. Add a rule to the NSG applied to each spoke subnet that allows traffic from the other spokes. Reference the article below to understand the tags used by the rules that currently exist.

https://docs.microsoft.com/en-us/azure/virtual-network/service-tags-overview
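The peering setting and the hub-side firewall group and rule from the acceptance criteria above, written in Bicep (the language MLZ is built in) as an added example that is not the project's own code; the vnet names, address ranges and firewall policy name are assumptions, and the NSG rule from the comment above is not shown.

```bicep
// Added example, not MLZ project code: assumes an existing hub vnet, spoke vnet and hub firewall policy; names and ranges are constructed samples.
param hubVnetName string = 'hub-vnet'
param spokeVnetName string = 'spoke1-vnet'
param spokePrefixes array = [ '10.1.0.0/16', '10.2.0.0/16' ] // every spoke address range
param firewallPolicyName string = 'hub-fw-policy'

// 1. Spoke-to-hub peering: accept packets the hub firewall forwards from other spokes ("Traffic forwarded from remote virtual network" = Allow). One per spoke.
resource spokeToHub 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2021-05-01' = {
  name: '${spokeVnetName}/to-hub'
  properties: {
    remoteVirtualNetwork: { id: resourceId('Microsoft.Network/virtualNetworks', hubVnetName) }
    allowVirtualNetworkAccess: true
    allowForwardedTraffic: true
  }
}

// 2. One IP group holding every spoke prefix (the "firewall group" in the acceptance criteria).
resource spokes 'Microsoft.Network/ipGroups@2021-05-01' = {
  name: 'ipg-spokes'
  location: resourceGroup().location
  properties: { ipAddresses: spokePrefixes }
}
// 3. Hub firewall network rules: spoke-to-spoke only on 80, 443, SSH and ICMP; anything else between spokes still hits the policy's implicit deny.
var spokeRuleSpecs = [
  { name: 'web-and-ssh', protocols: [ 'TCP' ], ports: [ '80', '443', '22' ] }
  { name: 'ping', protocols: [ 'ICMP' ], ports: [ '*' ] } // ICMP carries no port, so '*'
]
resource spokeRules 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2021-05-01' = {
  name: '${firewallPolicyName}/rcg-spoke-to-spoke'
  properties: {
    priority: 200
    ruleCollections: [
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'allow-spoke-to-spoke'
        priority: 100
        action: { type: 'Allow' }
        rules: [for r in spokeRuleSpecs: {
          ruleType: 'NetworkRule'
          name: r.name
          ipProtocols: r.protocols
          destinationPorts: r.ports
          sourceIpGroups: [ spokes.id ]
          destinationIpGroups: [ spokes.id ]
        }]
      }
    ]
  }
}
```

Because both source and destination use the same IP group, adding a new spoke only requires appending its prefix to `spokePrefixes` and deploying its own peering with `allowForwardedTraffic: true`.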
