Allow traffic between spokes by default

[Breanna-Stryker]

Description

Changes include:
Allowing forwarded traffic by default
NSG allows traffic from peer spoke CIDR ranges
Firewall includes supernet rule to route traffic between spokes
Supernet parameter added for ease of use for end users

To test functionality, deploy MLZ, create VMs in two separate spokes, bastion into one and ping/ssh into the other VM.

Issue reference

The issue this PR will close: #608

Checklist

Please make sure you've completed the relevant tasks for this PR out of the following list:

• All acceptance criteria in the backlog item are met
• The documentation is updated to cover any new or changed features
• Manual tests have passed
• Relevant issues are linked to this PR

[glennmusa]

some naming nits

[glennmusa]

Works as described. I was able to Bastion into a hub jumpbox, then SSH into a VM in the Identity VNet, then from there SSH into a VM in the Operations VNet.

[haithamshahin333]

Shoud this be the suprnetIpAddress range versus '*'? I believe right now this would technically allow all outbound traffic from the spokes, no?

[Naishy]

My thoughts exactly - this change allows all traffic within the VNets to access any address, including external, which breaks the "all other traffic is restricted by default" statement in https://github.com/Azure/missionlz/blob/main/README.md
@glennmusa @haithamshahin333 this looks like an unintended consequence of this change.

[brooke-hamilton]

Tagging @kyle-hoyer on this

[kyle-hoyer]

This does need to be changed. I will update. Thank you