From 1f25e6f09cbdea2a8acf693bb61806ad2ccffa82 Mon Sep 17 00:00:00 2001 From: Bree Stryker Date: Thu, 27 Jan 2022 11:40:36 -0500 Subject: [PATCH 01/11] Rules and flags --- src/bicep/mlz.bicep | 63 ++++++++++++++++++++++++++++++-- src/bicep/modules/firewall.bicep | 29 +++++++++++++++ 2 files changed, 89 insertions(+), 3 deletions(-) diff --git a/src/bicep/mlz.bicep b/src/bicep/mlz.bicep index 6465dad41..7f2336479 100644 --- a/src/bicep/mlz.bicep +++ b/src/bicep/mlz.bicep @@ -205,7 +205,26 @@ param identityVirtualNetworkDiagnosticsLogs array = [] param identityVirtualNetworkDiagnosticsMetrics array = [] @description('An array of Network Security Group Rules to apply to the Identity Virtual Network. See https://docs.microsoft.com/en-us/azure/templates/microsoft.network/networksecuritygroups/securityrules?tabs=bicep#securityrulepropertiesformat for valid settings.') -param identityNetworkSecurityGroupRules array = [] +param identityNetworkSecurityGroupRules array = [ + { + name: 'Identity-East-West' + properties: { + access: 'Allow' + description: 'Allow traffic from spokes' + destinationAddressPrefix: identityVirtualNetworkAddressPrefix + destinationPortRange: '*' + direction: 'Inbound' + priority: 200 + protocol: '*' + sourceAddressPrefixes: [ + operationsVirtualNetworkAddressPrefix + sharedServicesVirtualNetworkAddressPrefix + ] + sourcePortRange: '*' + } + type: 'string' + } +] @description('An array of Network Security Group diagnostic logs to apply to the Identity Virtual Network. See https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-nsg-manage-log#log-categories for valid settings.') param identityNetworkSecurityGroupDiagnosticsLogs array = [ 
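Review bot: The `type: 'string'` entry on the new default rule object looks like the placeholder carried over from the template-reference skeleton linked in the @description: in that schema `type` would name the security rule's resource type and `'string'` is only the documentation's placeholder value, so the key carries no meaning here and should be dropped, leaving `name` and `properties`. The same placeholder is repeated in the operations and sharedServices defaults added by this patch. If the deployment accepts it silently today, it is still misleading to anyone reading the parameter as an example of a valid rule.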
@@ -238,7 +257,26 @@ param operationsVirtualNetworkDiagnosticsLogs array = [] param operationsVirtualNetworkDiagnosticsMetrics array = [] @description('An array of Network Security Group rules to apply to the Operations Virtual Network. See https://docs.microsoft.com/en-us/azure/templates/microsoft.network/networksecuritygroups/securityrules?tabs=bicep#securityrulepropertiesformat for valid settings.') -param operationsNetworkSecurityGroupRules array = [] +param operationsNetworkSecurityGroupRules array = [ + { + name: 'Operations-East-West' + properties: { + access: 'Allow' + description: 'Allow traffic from spokes' + destinationAddressPrefix: operationsVirtualNetworkAddressPrefix + destinationPortRange: '*' + direction: 'Inbound' + priority: 200 + protocol: '*' + sourceAddressPrefixes: [ + identityVirtualNetworkAddressPrefix + sharedServicesVirtualNetworkAddressPrefix + ] + sourcePortRange: '*' + } + type: 'string' +} +] @description('An array of Network Security Group diagnostic logs to apply to the Operations Virtual Network. See https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-nsg-manage-log#log-categories for valid settings.') param operationsNetworkSecurityGroupDiagnosticsLogs array = [ 
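Review bot: The closing brace of the rule object at the end of the added default sits at column 0 (`+}` immediately before `+]`), while the object's opening `{` and the identity and sharedServices defaults are indented one level; write it as `  }` so the three parameter defaults read the same. Apart from that the rule mirrors the identity default, including the `type: 'string'` placeholder taken from the template-reference skeleton, which should be removed here as well.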
@@ -271,7 +309,26 @@ param sharedServicesVirtualNetworkDiagnosticsLogs array = [] param sharedServicesVirtualNetworkDiagnosticsMetrics array = [] @description('An array of Network Security Group rules to apply to the SharedServices Virtual Network. See https://docs.microsoft.com/en-us/azure/templates/microsoft.network/networksecuritygroups/securityrules?tabs=bicep#securityrulepropertiesformat for valid settings.') -param sharedServicesNetworkSecurityGroupRules array = [] +param sharedServicesNetworkSecurityGroupRules array = [ + { + name: 'SharedServices-East-West' + properties: { + access: 'Allow' + description: 'Allow traffic from spokes' + destinationAddressPrefix: sharedServicesVirtualNetworkAddressPrefix + destinationPortRange: '*' + direction: 'Inbound' + priority: 200 + protocol: '*' + sourceAddressPrefixes: [ + operationsVirtualNetworkAddressPrefix + identityVirtualNetworkAddressPrefix + ] + sourcePortRange: '*' + } + type: 'string' + } +] @description('An array of Network Security Group diagnostic logs to apply to the SharedServices Virtual Network. See https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-nsg-manage-log#log-categories for valid settings.') param sharedServicesNetworkSecurityGroupDiagnosticsLogs array = [ diff --git a/src/bicep/modules/firewall.bicep b/src/bicep/modules/firewall.bicep index a0089f6b5..721079cb6 100644 --- a/src/bicep/modules/firewall.bicep +++ b/src/bicep/modules/firewall.bicep 
@@ -132,6 +132,35 @@ resource firewallNetworkRuleCollectionGroup 'Microsoft.Network/firewallPolicies/ name: 'AllowAzureCloud' priority: 100 } + { + ruleCollectionType: 'FirewallPolicyFilterRuleCollection' + action: { + type: 'Allow' + } + rules: [ + { + ruleType: 'NetworkRule' + name: 'MLZVnetRouting' + ipProtocols: [ + 'Any' + ] + sourceAddresses: [ + '10.0.96.0/19' + ] + sourceIpGroups: [] + destinationAddresses: [ + '*' + ] + destinationIpGroups: [] + destinationFqdns: [] + destinationPorts: [ + '*' + ] + } + ] + name: 'MLZSpecificNetworking' + priority: 100 + } ] } } From c209799e4bfbd84fda0127693e0cf57d13bcd15f Mon Sep 17 00:00:00 2001 From: Bree Stryker Date: Thu, 27 Jan 2022 13:07:22 -0500 Subject: [PATCH 02/11] Allow remote traffic parameter --- src/bicep/modules/firewall.bicep | 2 +- src/bicep/modules/virtualNetworkPeering.bicep | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/src/bicep/modules/firewall.bicep b/src/bicep/modules/firewall.bicep index 721079cb6..62ce7b6b2 100644 --- a/src/bicep/modules/firewall.bicep +++ b/src/bicep/modules/firewall.bicep @@ -159,7 +159,7 @@ resource firewallNetworkRuleCollectionGroup 'Microsoft.Network/firewallPolicies/ } ] name: 'MLZSpecificNetworking' - priority: 100 + priority: 200 } ] } diff --git a/src/bicep/modules/virtualNetworkPeering.bicep b/src/bicep/modules/virtualNetworkPeering.bicep index a26b4f861..6142ac788 100644 --- a/src/bicep/modules/virtualNetworkPeering.bicep +++ b/src/bicep/modules/virtualNetworkPeering.bicep @@ -4,6 +4,7 @@ param remoteVirtualNetworkResourceId string resource virtualNetworkPeering 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2021-02-01' = { name: name properties: { + allowForwardedTraffic: true remoteVirtualNetwork: { id: remoteVirtualNetworkResourceId } From ccb92d05a8c8e699bc4f165ae318d5411cf711e1 Mon Sep 17 00:00:00 2001 
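Review bot: The new `MLZVnetRouting` network rule allows any protocol from the supernet to `destinationAddresses: [ '*' ]` on `destinationPorts: [ '*' ]`, which is not spoke-to-spoke but spoke-to-anywhere: Azure Firewall evaluates network rules before application rules, so every host in the supernet can reach any IP, including the public Internet, without being filtered by the rest of the policy. If the intent is east-west traffic between spokes, bound the destination to the same range as the source, `destinationAddresses: [ '10.0.96.0/19' ]`, and consider narrowing `ipProtocols` and `destinationPorts` to what the spokes actually exchange. The collection name should then describe that scope so a later reader does not mistake it for an egress rule.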
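Review bot: `allowForwardedTraffic: true` is hard-coded into the shared peering module, so every peering built from it (the generated template appears to embed the module for both the hub and the spoke side) now accepts traffic forwarded by the firewall, even though the patch subject says "parameter". Expose it next to `remoteVirtualNetworkResourceId` as `param allowForwardedTraffic bool = true` and use `allowForwardedTraffic: allowForwardedTraffic`, with a @description noting that spoke-side peerings need it for traffic forwarded through the hub firewall from other spokes to be accepted. The peering resource continues past the end of the hunk.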
From: Bree Stryker Date: Thu, 27 Jan 2022 13:15:14 -0500 Subject: [PATCH 03/11] Parameterize supernet addy. --- src/bicep/mlz.bicep | 4 ++++ src/bicep/modules/firewall.bicep | 4 +++- src/bicep/modules/hubNetwork.bicep | 2 ++ 3 files changed, 9 insertions(+), 1 deletion(-) diff --git a/src/bicep/mlz.bicep b/src/bicep/mlz.bicep index 7f2336479..61bce2a76 100644 --- a/src/bicep/mlz.bicep +++ b/src/bicep/mlz.bicep @@ -139,6 +139,9 @@ param firewallManagementSubnetServiceEndpoints array = [] @description('An array of Azure Firewall Public IP Address Availability Zones. It defaults to empty, or "No-Zone", because Availability Zones are not available in every cloud. See https://docs.microsoft.com/en-us/azure/virtual-network/ip-services/public-ip-addresses#sku for valid settings.') param firewallManagementPublicIPAddressAvailabilityZones array = [] +@description('Supernet CIDR address for the entire network of vnets, this address allows for communication between spokes. Recommended to use a Supernet calculator if modifying vnet addresses') +param firewallSupernetIPAddress string = '10.0.96.0/19' + @description('An array of Public IP Address Diagnostic Logs for the Azure Firewall. See https://docs.microsoft.com/en-us/azure/ddos-protection/diagnostic-logging?tabs=DDoSProtectionNotifications#configure-ddos-diagnostic-logs for valid settings.') param publicIPAddressDiagnosticsLogs array = [ { @@ -787,6 +790,7 @@ module hubNetwork './modules/hubNetwork.bicep' = { firewallManagementPublicIPAddressSkuName: firewallPublicIpAddressSkuName firewallManagementPublicIpAllocationMethod: firewallPublicIpAddressAllocationMethod firewallManagementPublicIPAddressAvailabilityZones: firewallManagementPublicIPAddressAvailabilityZones + firewallSupernetIPAddress: firewallSupernetIPAddress publicIPAddressDiagnosticsLogs: publicIPAddressDiagnosticsLogs publicIPAddressDiagnosticsMetrics: publicIPAddressDiagnosticsMetrics 
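Review bot: The default `'10.0.96.0/19'` is only correct while it contains every spoke vnet prefix, and nothing in the template checks that, so a deployer who changes a spoke address prefix without recomputing this value silently breaks spoke-to-spoke traffic, while one who widens it widens the firewall allow rule whose source it feeds. The description should say what the value gates; suggested text: `@description('CIDR that contains every spoke virtual network address prefix. It is the source of the Azure Firewall network rule that allows spoke-to-spoke traffic, so widening it widens that rule; recompute it whenever a vnet address prefix changes.')`. As far as Bicep decorators go there is no CIDR validation available, so the description is the only guard here.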
diff --git a/src/bicep/modules/firewall.bicep b/src/bicep/modules/firewall.bicep index 62ce7b6b2..85ecf77af 100644 --- a/src/bicep/modules/firewall.bicep +++ b/src/bicep/modules/firewall.bicep @@ -28,6 +28,8 @@ param managementIpConfigurationPublicIPAddressResourceId string param firewallPolicyName string +param firewallSupernetIPAddress string + param logStorageAccountResourceId string param logAnalyticsWorkspaceResourceId string @@ -145,7 +147,7 @@ resource firewallNetworkRuleCollectionGroup 'Microsoft.Network/firewallPolicies/ 'Any' ] sourceAddresses: [ - '10.0.96.0/19' + firewallSupernetIPAddress ] sourceIpGroups: [] destinationAddresses: [ diff --git a/src/bicep/modules/hubNetwork.bicep b/src/bicep/modules/hubNetwork.bicep index 3783aea53..27769cabb 100644 --- a/src/bicep/modules/hubNetwork.bicep +++ b/src/bicep/modules/hubNetwork.bicep @@ -29,6 +29,7 @@ param routeTableRouteNextHopType string = 'VirtualAppliance' param firewallName string param firewallSkuTier string param firewallPolicyName string +param firewallSupernetIPAddress string @allowed([ 'Alert' @@ -218,6 +219,7 @@ module firewall './firewall.bicep' = { clientIpConfigurationName: firewallClientIpConfigurationName clientIpConfigurationSubnetResourceId: '${virtualNetwork.outputs.id}/subnets/${firewallClientSubnetName}' clientIpConfigurationPublicIPAddressResourceId: firewallClientPublicIPAddress.outputs.id + firewallSupernetIPAddress: firewallSupernetIPAddress managementIpConfigurationName: firewallManagementIpConfigurationName managementIpConfigurationSubnetResourceId: '${virtualNetwork.outputs.id}/subnets/${firewallManagementSubnetName}' From 80dfb97e3b302f3b438cccc8f721199d4e000ac1 Mon Sep 17 00:00:00 2001 From: Bree Stryker Date: Thu, 27 Jan 2022 13:53:06 -0500 Subject: [PATCH 04/11] Update parameter docs --- src/bicep/README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/src/bicep/README.md b/src/bicep/README.md index 8f7770785..99c0ccf89 100644 --- a/src/bicep/README.md 
+++ b/src/bicep/README.md @@ -35,6 +35,7 @@ Parameter name | Required | Description `firewallClientPublicIPAddressAvailabilityZones` | No | An array of Azure Firewall Public IP Address Availability Zones. It defaults to empty, or "No-Zone", because Availability Zones are not available in every cloud. See https://docs.microsoft.com/en-us/azure/virtual-network/ip-services/public-ip-addresses#sku for valid settings. `firewallManagementSubnetServiceEndpoints` | No | An array of Service Endpoints to enable for the Azure Firewall Management Subnet. See https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview for valid settings. `firewallManagementPublicIPAddressAvailabilityZones` | No | An array of Azure Firewall Public IP Address Availability Zones. It defaults to empty, or "No-Zone", because Availability Zones are not available in every cloud. See https://docs.microsoft.com/en-us/azure/virtual-network/ip-services/public-ip-addresses#sku for valid settings. +`firewallSupernetIPAddress` | No | Supernet CIDR address for the entire network of vnets, this address allows for communication between spokes. Recommended to use a Supernet calculator if modifying vnet addresses `publicIPAddressDiagnosticsLogs` | No | An array of Public IP Address Diagnostic Logs for the Azure Firewall. See https://docs.microsoft.com/en-us/azure/ddos-protection/diagnostic-logging?tabs=DDoSProtectionNotifications#configure-ddos-diagnostic-logs for valid settings. `publicIPAddressDiagnosticsMetrics` | No | An array of Public IP Address Diagnostic Metrics for the Azure Firewall. See https://docs.microsoft.com/en-us/azure/ddos-protection/diagnostic-logging?tabs=DDoSProtectionNotifications for valid settings. `hubVirtualNetworkDiagnosticsLogs` | No | An array of Network Diagnostic Logs to enable for the Hub Virtual Network. See https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostic-settings?tabs=CMD#logs for valid settings. 
From fbe5a5a9480edd1c7b655de84eba96b9e313bb29 Mon Sep 17 00:00:00 2001 From: github-actions Date: Thu, 27 Jan 2022 18:54:13 +0000 Subject: [PATCH 05/11] GitHub Action: Build Bicep to JSON --- src/bicep/mlz.json | 127 +++++++++++++++++++++++++++++++++++++++++---- 1 file changed, 117 insertions(+), 10 deletions(-) diff --git a/src/bicep/mlz.json b/src/bicep/mlz.json index 1c32a91c0..99e5ff057 100644 --- a/src/bicep/mlz.json +++ b/src/bicep/mlz.json @@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.4.1124.51302", - "templateHash": "1118457920660514703" + "templateHash": "14304357202178630181" } }, "parameters": { @@ -240,6 +240,13 @@ "description": "An array of Azure Firewall Public IP Address Availability Zones. It defaults to empty, or \"No-Zone\", because Availability Zones are not available in every cloud. See https://docs.microsoft.com/en-us/azure/virtual-network/ip-services/public-ip-addresses#sku for valid settings." } }, + "firewallSupernetIPAddress": { + "type": "string", + "defaultValue": "10.0.96.0/19", + "metadata": { + "description": "Supernet CIDR address for the entire network of vnets, this address allows for communication between spokes. Recommended to use a Supernet calculator if modifying vnet addresses" + } + }, "publicIPAddressDiagnosticsLogs": { "type": "array", "defaultValue": [ 
@@ -343,7 +350,26 @@ }, "identityNetworkSecurityGroupRules": { "type": "array", - "defaultValue": [], + "defaultValue": [ + { + "name": "Identity-East-West", + "properties": { + "access": "Allow", + "description": "Allow traffic from spokes", + "destinationAddressPrefix": "[parameters('identityVirtualNetworkAddressPrefix')]", + "destinationPortRange": "*", + "direction": "Inbound", + "priority": 200, + "protocol": "*", + "sourceAddressPrefixes": [ + "[parameters('operationsVirtualNetworkAddressPrefix')]", + "[parameters('sharedServicesVirtualNetworkAddressPrefix')]" + ], + "sourcePortRange": "*" + }, + "type": "string" + } + ], "metadata": { "description": "An array of Network Security Group Rules to apply to the Identity Virtual Network. See https://docs.microsoft.com/en-us/azure/templates/microsoft.network/networksecuritygroups/securityrules?tabs=bicep#securityrulepropertiesformat for valid settings." } @@ -398,7 +424,26 @@ }, "operationsNetworkSecurityGroupRules": { "type": "array", - "defaultValue": [], + "defaultValue": [ + { + "name": "Operations-East-West", + "properties": { + "access": "Allow", + "description": "Allow traffic from spokes", + "destinationAddressPrefix": "[parameters('operationsVirtualNetworkAddressPrefix')]", + "destinationPortRange": "*", + "direction": "Inbound", + "priority": 200, + "protocol": "*", + "sourceAddressPrefixes": [ + "[parameters('identityVirtualNetworkAddressPrefix')]", + "[parameters('sharedServicesVirtualNetworkAddressPrefix')]" + ], + "sourcePortRange": "*" + }, + "type": "string" + } + ], "metadata": { "description": "An array of Network Security Group rules to apply to the Operations Virtual Network. See https://docs.microsoft.com/en-us/azure/templates/microsoft.network/networksecuritygroups/securityrules?tabs=bicep#securityrulepropertiesformat for valid settings." } 
@@ -453,7 +498,26 @@ }, "sharedServicesNetworkSecurityGroupRules": { "type": "array", - "defaultValue": [], + "defaultValue": [ + { + "name": "SharedServices-East-West", + "properties": { + "access": "Allow", + "description": "Allow traffic from spokes", + "destinationAddressPrefix": "[parameters('sharedServicesVirtualNetworkAddressPrefix')]", + "destinationPortRange": "*", + "direction": "Inbound", + "priority": 200, + "protocol": "*", + "sourceAddressPrefixes": [ + "[parameters('operationsVirtualNetworkAddressPrefix')]", + "[parameters('identityVirtualNetworkAddressPrefix')]" + ], + "sourcePortRange": "*" + }, + "type": "string" + } + ], "metadata": { "description": "An array of Network Security Group rules to apply to the SharedServices Virtual Network. See https://docs.microsoft.com/en-us/azure/templates/microsoft.network/networksecuritygroups/securityrules?tabs=bicep#securityrulepropertiesformat for valid settings." } @@ -1381,6 +1445,9 @@ "firewallManagementPublicIPAddressAvailabilityZones": { "value": "[parameters('firewallManagementPublicIPAddressAvailabilityZones')]" }, + "firewallSupernetIPAddress": { + "value": "[parameters('firewallSupernetIPAddress')]" + }, "publicIPAddressDiagnosticsLogs": { "value": "[parameters('publicIPAddressDiagnosticsLogs')]" }, @@ -1395,7 +1462,7 @@ "_generator": { "name": "bicep", "version": "0.4.1124.51302", - "templateHash": "17051388440557968847" + "templateHash": "17184391349319104649" } }, "parameters": { @@ -1477,6 +1544,9 @@ "firewallPolicyName": { "type": "string" }, + "firewallSupernetIPAddress": { + "type": "string" + }, "firewallThreatIntelMode": { "type": "string", "allowedValues": [ 
@@ -2316,6 +2386,9 @@ "clientIpConfigurationPublicIPAddressResourceId": { "value": "[reference(resourceId('Microsoft.Resources/deployments', 'firewallClientPublicIPAddress'), '2020-10-01').outputs.id.value]" }, + "firewallSupernetIPAddress": { + "value": "[parameters('firewallSupernetIPAddress')]" + }, "managementIpConfigurationName": { "value": "[parameters('firewallManagementIpConfigurationName')]" }, @@ -2345,7 +2418,7 @@ "_generator": { "name": "bicep", "version": "0.4.1124.51302", - "templateHash": "16584291901786360410" + "templateHash": "9370873473870563599" } }, "parameters": { @@ -2400,6 +2473,9 @@ "firewallPolicyName": { "type": "string" }, + "firewallSupernetIPAddress": { + "type": "string" + }, "logStorageAccountResourceId": { "type": "string" }, @@ -2511,6 +2587,35 @@ ], "name": "AllowAzureCloud", "priority": 100 + }, + { + "ruleCollectionType": "FirewallPolicyFilterRuleCollection", + "action": { + "type": "Allow" + }, + "rules": [ + { + "ruleType": "NetworkRule", + "name": "MLZVnetRouting", + "ipProtocols": [ + "Any" + ], + "sourceAddresses": [ + "[parameters('firewallSupernetIPAddress')]" + ], + "sourceIpGroups": [], + "destinationAddresses": [ + "*" + ], + "destinationIpGroups": [], + "destinationFqdns": [], + "destinationPorts": [ + "*" + ] + } + ], + "name": "MLZSpecificNetworking", + "priority": 200 } ] }, @@ -3609,7 +3714,7 @@ "_generator": { "name": "bicep", "version": "0.4.1124.51302", - "templateHash": "1767605230483986077" + "templateHash": "485438933319305543" } }, "parameters": { @@ -3649,7 +3754,7 @@ "_generator": { "name": "bicep", "version": "0.4.1124.51302", - "templateHash": "16609137319418689057" + "templateHash": "8767588004842445770" } }, "parameters": { @@ -3666,6 +3771,7 @@ "apiVersion": "2021-02-01", "name": "[parameters('name')]", "properties": { + "allowForwardedTraffic": true, "remoteVirtualNetwork": { "id": "[parameters('remoteVirtualNetworkResourceId')]" } 
@@ -3722,7 +3828,7 @@ "_generator": { "name": "bicep", "version": "0.4.1124.51302", - "templateHash": "11446754582894399873" + "templateHash": "13959757217405312631" } }, "parameters": { @@ -3768,7 +3874,7 @@ "_generator": { "name": "bicep", "version": "0.4.1124.51302", - "templateHash": "16609137319418689057" + "templateHash": "8767588004842445770" } }, "parameters": { @@ -3785,6 +3891,7 @@ "apiVersion": "2021-02-01", "name": "[parameters('name')]", "properties": { + "allowForwardedTraffic": true, "remoteVirtualNetwork": { "id": "[parameters('remoteVirtualNetworkResourceId')]" } From 0b4c006884154f4b195b3695efdb373d8b6acbbc Mon Sep 17 00:00:00 2001 From: Breanna-Stryker <74314422+Breanna-Stryker@users.noreply.github.com> Date: Thu, 27 Jan 2022 16:08:53 -0500 Subject: [PATCH 06/11] Update src/bicep/mlz.bicep Co-authored-by: Glenn Musa <4622125+glennmusa@users.noreply.github.com> --- src/bicep/mlz.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/bicep/mlz.bicep b/src/bicep/mlz.bicep index 61bce2a76..ea7008a10 100644 --- a/src/bicep/mlz.bicep +++ b/src/bicep/mlz.bicep @@ -210,7 +210,7 @@ param identityVirtualNetworkDiagnosticsMetrics array = [] @description('An array of Network Security Group Rules to apply to the Identity Virtual Network. See https://docs.microsoft.com/en-us/azure/templates/microsoft.network/networksecuritygroups/securityrules?tabs=bicep#securityrulepropertiesformat for valid settings.') param identityNetworkSecurityGroupRules array = [ { - name: 'Identity-East-West' + name: 'Allow-Traffic-From-Spokes' properties: { access: 'Allow' description: 'Allow traffic from spokes' From 471ef3c22adeb7d80c7a3ab853b7482abcd2718a Mon Sep 17 00:00:00 2001 
From: Breanna-Stryker <74314422+Breanna-Stryker@users.noreply.github.com> Date: Thu, 27 Jan 2022 16:09:00 -0500 Subject: [PATCH 07/11] Update src/bicep/modules/firewall.bicep Co-authored-by: Glenn Musa <4622125+glennmusa@users.noreply.github.com> --- src/bicep/modules/firewall.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/bicep/modules/firewall.bicep b/src/bicep/modules/firewall.bicep index 85ecf77af..904c0c0bc 100644 --- a/src/bicep/modules/firewall.bicep +++ b/src/bicep/modules/firewall.bicep @@ -160,7 +160,7 @@ resource firewallNetworkRuleCollectionGroup 'Microsoft.Network/firewallPolicies/ ] } ] - name: 'MLZSpecificNetworking' + name: 'AllowTrafficBetweenSpokes' priority: 200 } ] From 75ce3138573634ea38f1e4b1056f4411bab07e8e Mon Sep 17 00:00:00 2001 From: Breanna-Stryker <74314422+Breanna-Stryker@users.noreply.github.com> Date: Thu, 27 Jan 2022 16:09:06 -0500 Subject: [PATCH 08/11] Update src/bicep/modules/firewall.bicep Co-authored-by: Glenn Musa <4622125+glennmusa@users.noreply.github.com> --- src/bicep/modules/firewall.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/bicep/modules/firewall.bicep b/src/bicep/modules/firewall.bicep index 904c0c0bc..14cba54bd 100644 --- a/src/bicep/modules/firewall.bicep +++ b/src/bicep/modules/firewall.bicep @@ -142,7 +142,7 @@ resource firewallNetworkRuleCollectionGroup 'Microsoft.Network/firewallPolicies/ rules: [ { ruleType: 'NetworkRule' - name: 'MLZVnetRouting' + name: 'AllSpokeTraffic' ipProtocols: [ 'Any' ] From 857130e508802a965e25be39e1c22df99a5c0eab Mon Sep 17 00:00:00 2001 From: github-actions Date: Thu, 27 Jan 2022 21:09:48 +0000 Subject: [PATCH 09/11] GitHub Action: Build Bicep to JSON --- src/bicep/mlz.json | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/src/bicep/mlz.json b/src/bicep/mlz.json index 99e5ff057..ab33ee2b3 100644 --- a/src/bicep/mlz.json +++ b/src/bicep/mlz.json 
@@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.4.1124.51302", - "templateHash": "14304357202178630181" + "templateHash": "554527513249452863" } }, "parameters": { @@ -352,7 +352,7 @@ "type": "array", "defaultValue": [ { - "name": "Identity-East-West", + "name": "Allow-Traffic-From-Spokes", "properties": { "access": "Allow", "description": "Allow traffic from spokes", @@ -1462,7 +1462,7 @@ "_generator": { "name": "bicep", "version": "0.4.1124.51302", - "templateHash": "17184391349319104649" + "templateHash": "11458318329795931964" } }, "parameters": { @@ -2418,7 +2418,7 @@ "_generator": { "name": "bicep", "version": "0.4.1124.51302", - "templateHash": "9370873473870563599" + "templateHash": "4253924211133862661" } }, "parameters": { @@ -2596,7 +2596,7 @@ "rules": [ { "ruleType": "NetworkRule", - "name": "MLZVnetRouting", + "name": "AllSpokeTraffic", "ipProtocols": [ "Any" ], @@ -2614,7 +2614,7 @@ ] } ], - "name": "MLZSpecificNetworking", + "name": "AllowTrafficBetweenSpokes", "priority": 200 } ] From ef9eae8e6d1537afe0158919a3829ed40c3b5356 Mon Sep 17 00:00:00 2001 From: Bree Stryker Date: Thu, 27 Jan 2022 16:14:30 -0500 Subject: [PATCH 10/11] Set port ranges --- src/bicep/mlz.bicep | 25 ++++++++++++++++++++----- 1 file changed, 20 insertions(+), 5 deletions(-) diff --git a/src/bicep/mlz.bicep b/src/bicep/mlz.bicep index ea7008a10..17af5b6a1 100644 --- a/src/bicep/mlz.bicep +++ b/src/bicep/mlz.bicep @@ -215,7 +215,12 @@ param identityNetworkSecurityGroupRules array = [ access: 'Allow' description: 'Allow traffic from spokes' destinationAddressPrefix: identityVirtualNetworkAddressPrefix - destinationPortRange: '*' + destinationPortRanges: [ + '22' + '80' + '443' + '3389' + ] direction: 'Inbound' priority: 200 protocol: '*' 
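Review bot: The port list narrows the rule, but `protocol: '*'` remains, so the rule still admits UDP (and possibly other port-qualified protocol handling, depending on the platform) on those four ports; 22, 80, 443 and 3389 are TCP services, so `protocol: 'Tcp'` matches the intent unless UDP 3389 for RDP transport is wanted. Note also that the default opens SSH and RDP from every address in the two peer spoke ranges to the whole identity range, a management-plane exposure worth stating in the rule's description instead of the unchanged `'Allow traffic from spokes'`. The enclosing parameter default starts above the hunk.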
@@ -262,12 +267,17 @@ param operationsVirtualNetworkDiagnosticsMetrics array = [] @description('An array of Network Security Group rules to apply to the Operations Virtual Network. See https://docs.microsoft.com/en-us/azure/templates/microsoft.network/networksecuritygroups/securityrules?tabs=bicep#securityrulepropertiesformat for valid settings.') param operationsNetworkSecurityGroupRules array = [ { - name: 'Operations-East-West' + name: 'Allow-Traffic-From-Spokes' properties: { access: 'Allow' description: 'Allow traffic from spokes' destinationAddressPrefix: operationsVirtualNetworkAddressPrefix - destinationPortRange: '*' + destinationPortRanges: [ + '22' + '80' + '443' + '3389' + ] direction: 'Inbound' priority: 200 protocol: '*' @@ -314,12 +324,17 @@ param sharedServicesVirtualNetworkDiagnosticsMetrics array = [] @description('An array of Network Security Group rules to apply to the SharedServices Virtual Network. See https://docs.microsoft.com/en-us/azure/templates/microsoft.network/networksecuritygroups/securityrules?tabs=bicep#securityrulepropertiesformat for valid settings.') param sharedServicesNetworkSecurityGroupRules array = [ { - name: 'SharedServices-East-West' + name: 'Allow-Traffic-From-Spokes' properties: { access: 'Allow' description: 'Allow traffic from spokes' destinationAddressPrefix: sharedServicesVirtualNetworkAddressPrefix - destinationPortRange: '*' + destinationPortRanges: [ + '22' + '80' + '443' + '3389' + ] direction: 'Inbound' priority: 200 protocol: '*' From c4038adf0bcefe4a8a3e83beda9b87743b14d288 Mon Sep 17 00:00:00 2001 From: github-actions Date: Thu, 27 Jan 2022 22:06:09 +0000 Subject: [PATCH 11/11] GitHub Action: Build Bicep to JSON --- src/bicep/mlz.json | 27 +++++++++++++++++++++------ 1 file changed, 21 insertions(+), 6 deletions(-) diff --git a/src/bicep/mlz.json b/src/bicep/mlz.json index ab33ee2b3..9f7e3c48f 100644 --- a/src/bicep/mlz.json +++ b/src/bicep/mlz.json 
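Review bot: The same four-port list is now written inline in three parameter defaults; since these defaults already reference other parameters, a single parameter (say `spokeInboundPorts`) holding the list and used as `destinationPortRanges: spokeInboundPorts` in each rule would keep the three NSGs in step when the list changes. The `description: 'Allow traffic from spokes'` string no longer describes a port-restricted rule; something like `description: 'Allow SSH, HTTP, HTTPS and RDP from the peer spoke virtual networks'` would. Both parameter defaults begin above their hunks.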
@@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.4.1124.51302", - "templateHash": "554527513249452863" + "templateHash": "9598620800925226147" } }, "parameters": { @@ -357,7 +357,12 @@ "access": "Allow", "description": "Allow traffic from spokes", "destinationAddressPrefix": "[parameters('identityVirtualNetworkAddressPrefix')]", - "destinationPortRange": "*", + "destinationPortRanges": [ + "22", + "80", + "443", + "3389" + ], "direction": "Inbound", "priority": 200, "protocol": "*", @@ -426,12 +431,17 @@ "type": "array", "defaultValue": [ { - "name": "Operations-East-West", + "name": "Allow-Traffic-From-Spokes", "properties": { "access": "Allow", "description": "Allow traffic from spokes", "destinationAddressPrefix": "[parameters('operationsVirtualNetworkAddressPrefix')]", - "destinationPortRange": "*", + "destinationPortRanges": [ + "22", + "80", + "443", + "3389" + ], "direction": "Inbound", "priority": 200, "protocol": "*", @@ -500,12 +510,17 @@ "type": "array", "defaultValue": [ { - "name": "SharedServices-East-West", + "name": "Allow-Traffic-From-Spokes", "properties": { "access": "Allow", "description": "Allow traffic from spokes", "destinationAddressPrefix": "[parameters('sharedServicesVirtualNetworkAddressPrefix')]", - "destinationPortRange": "*", + "destinationPortRanges": [ + "22", + "80", + "443", + "3389" + ], "direction": "Inbound", "priority": 200, "protocol": "*",