Allow traffic between spokes by default #622

Merged
merged 12 commits into from
Jan 27, 2022
1 change: 1 addition & 0 deletions src/bicep/README.md
Expand Up @@ -35,6 +35,7 @@ Parameter name | Required | Description
`firewallClientPublicIPAddressAvailabilityZones` | No | An array of Azure Firewall Public IP Address Availability Zones. It defaults to empty, or "No-Zone", because Availability Zones are not available in every cloud. See https://docs.microsoft.com/en-us/azure/virtual-network/ip-services/public-ip-addresses#sku for valid settings.
`firewallManagementSubnetServiceEndpoints` | No | An array of Service Endpoints to enable for the Azure Firewall Management Subnet. See https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview for valid settings.
`firewallManagementPublicIPAddressAvailabilityZones` | No | An array of Azure Firewall Public IP Address Availability Zones. It defaults to empty, or "No-Zone", because Availability Zones are not available in every cloud. See https://docs.microsoft.com/en-us/azure/virtual-network/ip-services/public-ip-addresses#sku for valid settings.
`firewallSupernetIPAddress` | No | Supernet CIDR address for the entire network of vnets, this address allows for communication between spokes. Recommended to use a Supernet calculator if modifying vnet addresses
`publicIPAddressDiagnosticsLogs` | No | An array of Public IP Address Diagnostic Logs for the Azure Firewall. See https://docs.microsoft.com/en-us/azure/ddos-protection/diagnostic-logging?tabs=DDoSProtectionNotifications#configure-ddos-diagnostic-logs for valid settings.
`publicIPAddressDiagnosticsMetrics` | No | An array of Public IP Address Diagnostic Metrics for the Azure Firewall. See https://docs.microsoft.com/en-us/azure/ddos-protection/diagnostic-logging?tabs=DDoSProtectionNotifications for valid settings.
`hubVirtualNetworkDiagnosticsLogs` | No | An array of Network Diagnostic Logs to enable for the Hub Virtual Network. See https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostic-settings?tabs=CMD#logs for valid settings.
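Review bot: the new `firewallSupernetIPAddress` row documents neither its default (`10.0.96.0/19`, per the matching mlz.bicep hunk) nor what the value is used for, and a deployer needs both, because every address inside the supernet becomes the source of an allow rule on the firewall: a supernet that is too small breaks spoke-to-spoke traffic with no deploy-time error, and one that is too large allows address space the deployment does not own. Suggested wording, in the style of the neighbouring rows: "Supernet CIDR that contains the hub and all three spoke virtual network address prefixes. It is the source of the firewall rule that allows traffic between spokes and must be recomputed whenever a vnet address prefix changes. Defaults to 10.0.96.0/19." The current text also ends without a period and runs two clauses together with a comma.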
82 changes: 79 additions & 3 deletions src/bicep/mlz.bicep
Expand Up @@ -139,6 +139,9 @@ param firewallManagementSubnetServiceEndpoints array = []
@description('An array of Azure Firewall Public IP Address Availability Zones. It defaults to empty, or "No-Zone", because Availability Zones are not available in every cloud. See https://docs.microsoft.com/en-us/azure/virtual-network/ip-services/public-ip-addresses#sku for valid settings.')
param firewallManagementPublicIPAddressAvailabilityZones array = []

@description('Supernet CIDR address for the entire network of vnets, this address allows for communication between spokes. Recommended to use a Supernet calculator if modifying vnet addresses')
param firewallSupernetIPAddress string = '10.0.96.0/19'

@description('An array of Public IP Address Diagnostic Logs for the Azure Firewall. See https://docs.microsoft.com/en-us/azure/ddos-protection/diagnostic-logging?tabs=DDoSProtectionNotifications#configure-ddos-diagnostic-logs for valid settings.')
param publicIPAddressDiagnosticsLogs array = [
{
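Review bot: the `'10.0.96.0/19'` default is a free-form string with no relationship to `identityVirtualNetworkAddressPrefix`, `operationsVirtualNetworkAddressPrefix` or `sharedServicesVirtualNetworkAddressPrefix`, so nothing prevents a deployment where the spoke prefixes are changed and the supernet no longer contains them (spoke-to-spoke traffic then fails at the firewall while the deployment succeeds), or where the supernet is widened to cover space the deployment does not own. Bicep 0.4 has no CIDR functions, so the template cannot compute the aggregate itself, but the description should say that the value must contain all spoke prefixes, and a pre-deployment script that checks each spoke prefix is inside the supernet would catch the mismatch early. The description text itself has a comma splice and no terminating period; "Supernet CIDR that contains the address space of all spoke virtual networks. Used by the firewall rule that allows traffic between spokes. Recompute it if you change any vnet address prefix." reads cleaner.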
Expand Down Expand Up @@ -205,7 +208,31 @@ param identityVirtualNetworkDiagnosticsLogs array = []
param identityVirtualNetworkDiagnosticsMetrics array = []

@description('An array of Network Security Group Rules to apply to the Identity Virtual Network. See https://docs.microsoft.com/en-us/azure/templates/microsoft.network/networksecuritygroups/securityrules?tabs=bicep#securityrulepropertiesformat for valid settings.')
param identityNetworkSecurityGroupRules array = []
param identityNetworkSecurityGroupRules array = [
{
name: 'Allow-Traffic-From-Spokes'
properties: {
access: 'Allow'
description: 'Allow traffic from spokes'
destinationAddressPrefix: identityVirtualNetworkAddressPrefix
destinationPortRanges: [
'22'
'80'
'443'
'3389'
]
direction: 'Inbound'
priority: 200
protocol: '*'
sourceAddressPrefixes: [
operationsVirtualNetworkAddressPrefix
sharedServicesVirtualNetworkAddressPrefix
]
sourcePortRange: '*'
}
type: 'string'
}
]

@description('An array of Network Security Group diagnostic logs to apply to the Identity Virtual Network. See https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-nsg-manage-log#log-categories for valid settings.')
param identityNetworkSecurityGroupDiagnosticsLogs array = [
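Review bot: `type: 'string'` after the `properties` block looks like a copy from the template reference, where the column shows the field's data type; `type` on a security rule object is the resource type, and the literal `'string'` is meaningless, so the line should be removed (the same line is in the operations and sharedServices defaults). Two points on the rule itself: `protocol: '*'` with `destinationPortRanges` 22/80/443/3389 matches UDP as well as TCP on those ports, and all four are TCP services, so `'Tcp'` is the tighter choice; and opening SSH (22) and RDP (3389) from every other spoke's entire address prefix as the shipped default is a wide admin-plane exposure for an "allow by default" change, so consider keeping only 443 (and 80 if needed) in the default and leaving 22/3389 to deployers who ask for them. The source-prefix match also relies on the firewall not SNATing traffic to private (RFC 1918) destinations, which is its default; that dependency is worth a sentence in the description so a later change to the firewall's SNAT configuration does not silently break the rule.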
Expand Down Expand Up @@ -238,7 +265,31 @@ param operationsVirtualNetworkDiagnosticsLogs array = []
param operationsVirtualNetworkDiagnosticsMetrics array = []

@description('An array of Network Security Group rules to apply to the Operations Virtual Network. See https://docs.microsoft.com/en-us/azure/templates/microsoft.network/networksecuritygroups/securityrules?tabs=bicep#securityrulepropertiesformat for valid settings.')
param operationsNetworkSecurityGroupRules array = []
param operationsNetworkSecurityGroupRules array = [
{
name: 'Allow-Traffic-From-Spokes'
properties: {
access: 'Allow'
description: 'Allow traffic from spokes'
destinationAddressPrefix: operationsVirtualNetworkAddressPrefix
destinationPortRanges: [
'22'
'80'
'443'
'3389'
]
direction: 'Inbound'
priority: 200
protocol: '*'
sourceAddressPrefixes: [
identityVirtualNetworkAddressPrefix
sharedServicesVirtualNetworkAddressPrefix
]
sourcePortRange: '*'
}
type: 'string'
}
]

@description('An array of Network Security Group diagnostic logs to apply to the Operations Virtual Network. See https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-nsg-manage-log#log-categories for valid settings.')
param operationsNetworkSecurityGroupDiagnosticsLogs array = [
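Review bot: this default duplicates the identity rule verbatim except for the two prefixes, including the stray `type: 'string'` line after `properties`, which should be dropped here as well. Because a parameter default is replaced, not merged, when a deployer passes their own `operationsNetworkSecurityGroupRules`, anyone who already supplies custom rules will lose this allow and spoke-to-spoke traffic will stop at the NSG even though the firewall and peering now permit it; the description should say so, and the README entry for the parameter should list the rule that is being shipped by default.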
Expand Down Expand Up @@ -271,7 +322,31 @@ param sharedServicesVirtualNetworkDiagnosticsLogs array = []
param sharedServicesVirtualNetworkDiagnosticsMetrics array = []

@description('An array of Network Security Group rules to apply to the SharedServices Virtual Network. See https://docs.microsoft.com/en-us/azure/templates/microsoft.network/networksecuritygroups/securityrules?tabs=bicep#securityrulepropertiesformat for valid settings.')
param sharedServicesNetworkSecurityGroupRules array = []
param sharedServicesNetworkSecurityGroupRules array = [
{
name: 'Allow-Traffic-From-Spokes'
properties: {
access: 'Allow'
description: 'Allow traffic from spokes'
destinationAddressPrefix: sharedServicesVirtualNetworkAddressPrefix
destinationPortRanges: [
'22'
'80'
'443'
'3389'
]
direction: 'Inbound'
priority: 200
protocol: '*'
sourceAddressPrefixes: [
operationsVirtualNetworkAddressPrefix
identityVirtualNetworkAddressPrefix
]
sourcePortRange: '*'
}
type: 'string'
}
]

@description('An array of Network Security Group diagnostic logs to apply to the SharedServices Virtual Network. See https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-nsg-manage-log#log-categories for valid settings.')
param sharedServicesNetworkSecurityGroupDiagnosticsLogs array = [
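Review bot: the source list here (`operationsVirtualNetworkAddressPrefix`, `identityVirtualNetworkAddressPrefix`) follows the same two-spoke pattern as the other defaults, and it is worth recording why an explicit rule is needed at all: the NSG's built-in `AllowVnetInBound` rule matches the `VirtualNetwork` tag, which covers this vnet and its directly peered vnets (the hub) but not the other spokes, which are not peered to it, so traffic the firewall forwards from another spoke arrives with a source address the default rules do not recognise. A comment to that effect in the description (and a note that hub-originated traffic is covered by the default rule rather than by this one) would save the next reader from reverse-engineering it. The `type: 'string'` line after `properties` should be removed here too.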
Expand Down Expand Up @@ -730,6 +805,7 @@ module hubNetwork './modules/hubNetwork.bicep' = {
firewallManagementPublicIPAddressSkuName: firewallPublicIpAddressSkuName
firewallManagementPublicIpAllocationMethod: firewallPublicIpAddressAllocationMethod
firewallManagementPublicIPAddressAvailabilityZones: firewallManagementPublicIPAddressAvailabilityZones
firewallSupernetIPAddress: firewallSupernetIPAddress

publicIPAddressDiagnosticsLogs: publicIPAddressDiagnosticsLogs
publicIPAddressDiagnosticsMetrics: publicIPAddressDiagnosticsMetrics
142 changes: 132 additions & 10 deletions src/bicep/mlz.json
Expand Up @@ -5,7 +5,7 @@
"_generator": {
"name": "bicep",
"version": "0.4.1124.51302",
"templateHash": "1118457920660514703"
"templateHash": "9598620800925226147"
}
},
"parameters": {
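Review bot: `mlz.json` is build output (`"_generator"` names `bicep` at the unchanged version 0.4.1124.51302), so this `templateHash` change and the ones in the nested templates below should be verified by rebuilding `mlz.bicep` with that same Bicep version and diffing the result, not by reading the JSON; a hand-edited JSON that drifts from the Bicep source is hard to spot later. If CI does not already do it, a build step that fails when the committed JSON differs from `bicep build` output would keep the two in sync.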
Expand Down Expand Up @@ -240,6 +240,13 @@
"description": "An array of Azure Firewall Public IP Address Availability Zones. It defaults to empty, or \"No-Zone\", because Availability Zones are not available in every cloud. See https://docs.microsoft.com/en-us/azure/virtual-network/ip-services/public-ip-addresses#sku for valid settings."
}
},
"firewallSupernetIPAddress": {
"type": "string",
"defaultValue": "10.0.96.0/19",
"metadata": {
"description": "Supernet CIDR address for the entire network of vnets, this address allows for communication between spokes. Recommended to use a Supernet calculator if modifying vnet addresses"
}
},
"publicIPAddressDiagnosticsLogs": {
"type": "array",
"defaultValue": [
Expand Down Expand Up @@ -343,7 +350,31 @@
},
"identityNetworkSecurityGroupRules": {
"type": "array",
"defaultValue": [],
"defaultValue": [
{
"name": "Allow-Traffic-From-Spokes",
"properties": {
"access": "Allow",
"description": "Allow traffic from spokes",
"destinationAddressPrefix": "[parameters('identityVirtualNetworkAddressPrefix')]",
"destinationPortRanges": [
"22",
"80",
"443",
"3389"
],
"direction": "Inbound",
"priority": 200,
"protocol": "*",
"sourceAddressPrefixes": [
"[parameters('operationsVirtualNetworkAddressPrefix')]",
"[parameters('sharedServicesVirtualNetworkAddressPrefix')]"
],
"sourcePortRange": "*"
},
"type": "string"
}
],
"metadata": {
"description": "An array of Network Security Group Rules to apply to the Identity Virtual Network. See https://docs.microsoft.com/en-us/azure/templates/microsoft.network/networksecuritygroups/securityrules?tabs=bicep#securityrulepropertiesformat for valid settings."
}
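Review bot: `"type": "string"` survives into the compiled template, which confirms it is a literal value that will be sent to Resource Manager as the security rule's `type` rather than something the compiler strips. Run a what-if deployment (or deploy to a test subscription) to confirm the API accepts and ignores it, and remove the line from the Bicep source so the generated JSON stops carrying it; the same literal appears in the operations and sharedServices defaults below.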
Expand Down Expand Up @@ -398,7 +429,31 @@
},
"operationsNetworkSecurityGroupRules": {
"type": "array",
"defaultValue": [],
"defaultValue": [
{
"name": "Allow-Traffic-From-Spokes",
"properties": {
"access": "Allow",
"description": "Allow traffic from spokes",
"destinationAddressPrefix": "[parameters('operationsVirtualNetworkAddressPrefix')]",
"destinationPortRanges": [
"22",
"80",
"443",
"3389"
],
"direction": "Inbound",
"priority": 200,
"protocol": "*",
"sourceAddressPrefixes": [
"[parameters('identityVirtualNetworkAddressPrefix')]",
"[parameters('sharedServicesVirtualNetworkAddressPrefix')]"
],
"sourcePortRange": "*"
},
"type": "string"
}
],
"metadata": {
"description": "An array of Network Security Group rules to apply to the Operations Virtual Network. See https://docs.microsoft.com/en-us/azure/templates/microsoft.network/networksecuritygroups/securityrules?tabs=bicep#securityrulepropertiesformat for valid settings."
}
Expand Down Expand Up @@ -453,7 +508,31 @@
},
"sharedServicesNetworkSecurityGroupRules": {
"type": "array",
"defaultValue": [],
"defaultValue": [
{
"name": "Allow-Traffic-From-Spokes",
"properties": {
"access": "Allow",
"description": "Allow traffic from spokes",
"destinationAddressPrefix": "[parameters('sharedServicesVirtualNetworkAddressPrefix')]",
"destinationPortRanges": [
"22",
"80",
"443",
"3389"
],
"direction": "Inbound",
"priority": 200,
"protocol": "*",
"sourceAddressPrefixes": [
"[parameters('operationsVirtualNetworkAddressPrefix')]",
"[parameters('identityVirtualNetworkAddressPrefix')]"
],
"sourcePortRange": "*"
},
"type": "string"
}
],
"metadata": {
"description": "An array of Network Security Group rules to apply to the SharedServices Virtual Network. See https://docs.microsoft.com/en-us/azure/templates/microsoft.network/networksecuritygroups/securityrules?tabs=bicep#securityrulepropertiesformat for valid settings."
}
Expand Down Expand Up @@ -1381,6 +1460,9 @@
"firewallManagementPublicIPAddressAvailabilityZones": {
"value": "[parameters('firewallManagementPublicIPAddressAvailabilityZones')]"
},
"firewallSupernetIPAddress": {
"value": "[parameters('firewallSupernetIPAddress')]"
},
"publicIPAddressDiagnosticsLogs": {
"value": "[parameters('publicIPAddressDiagnosticsLogs')]"
},
Expand All @@ -1395,7 +1477,7 @@
"_generator": {
"name": "bicep",
"version": "0.4.1124.51302",
"templateHash": "17051388440557968847"
"templateHash": "11458318329795931964"
}
},
"parameters": {
Expand Down Expand Up @@ -1477,6 +1559,9 @@
"firewallPolicyName": {
"type": "string"
},
"firewallSupernetIPAddress": {
"type": "string"
},
"firewallThreatIntelMode": {
"type": "string",
"allowedValues": [
Expand Down Expand Up @@ -2316,6 +2401,9 @@
"clientIpConfigurationPublicIPAddressResourceId": {
"value": "[reference(resourceId('Microsoft.Resources/deployments', 'firewallClientPublicIPAddress'), '2020-10-01').outputs.id.value]"
},
"firewallSupernetIPAddress": {
"value": "[parameters('firewallSupernetIPAddress')]"
},
"managementIpConfigurationName": {
"value": "[parameters('firewallManagementIpConfigurationName')]"
},
Expand Down Expand Up @@ -2345,7 +2433,7 @@
"_generator": {
"name": "bicep",
"version": "0.4.1124.51302",
"templateHash": "16584291901786360410"
"templateHash": "4253924211133862661"
}
},
"parameters": {
Expand Down Expand Up @@ -2400,6 +2488,9 @@
"firewallPolicyName": {
"type": "string"
},
"firewallSupernetIPAddress": {
"type": "string"
},
"logStorageAccountResourceId": {
"type": "string"
},
Expand Down Expand Up @@ -2511,6 +2602,35 @@
],
"name": "AllowAzureCloud",
"priority": 100
},
{
"ruleCollectionType": "FirewallPolicyFilterRuleCollection",
"action": {
"type": "Allow"
},
"rules": [
{
"ruleType": "NetworkRule",
"name": "AllSpokeTraffic",
"ipProtocols": [
"Any"
],
"sourceAddresses": [
"[parameters('firewallSupernetIPAddress')]"
],
"sourceIpGroups": [],
"destinationAddresses": [
"*"
],
"destinationIpGroups": [],
"destinationFqdns": [],
"destinationPorts": [
"*"
]
}
],
"name": "AllowTrafficBetweenSpokes",
"priority": 200
}
]
},
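Review bot: the `AllSpokeTraffic` network rule allows `"Any"` protocol from the supernet to `"destinationAddresses": ["*"]` on `"destinationPorts": ["*"]`, which is "allow everything from the spokes to anywhere", not "allow traffic between spokes" as the collection name `AllowTrafficBetweenSpokes` says. Azure Firewall evaluates network rules before application rules and stops at the first match, so after this change any spoke workload can reach any internet address on any port, and the FQDN-based application rules (plus any network deny rules at a lower priority than 200) no longer apply to that traffic. If the intent is spoke-to-spoke only, set `destinationAddresses` to the same value as `sourceAddresses` (`"[parameters('firewallSupernetIPAddress')]"`); if some spoke-to-internet egress is wanted, express it as separate, narrower rules. Priority 200 behind `AllowAzureCloud` at 100 is fine, but since this rule is now the default posture it should be described in the README alongside the parameter that feeds it.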
Expand Down Expand Up @@ -3609,7 +3729,7 @@
"_generator": {
"name": "bicep",
"version": "0.4.1124.51302",
"templateHash": "1767605230483986077"
"templateHash": "485438933319305543"
}
},
"parameters": {
Expand Down Expand Up @@ -3649,7 +3769,7 @@
"_generator": {
"name": "bicep",
"version": "0.4.1124.51302",
"templateHash": "16609137319418689057"
"templateHash": "8767588004842445770"
}
},
"parameters": {
Expand All @@ -3666,6 +3786,7 @@
"apiVersion": "2021-02-01",
"name": "[parameters('name')]",
"properties": {
"allowForwardedTraffic": true,
"remoteVirtualNetwork": {
"id": "[parameters('remoteVirtualNetworkResourceId')]"
}
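Review bot: `"allowForwardedTraffic": true` is the right property for this: the spokes are peered only with the hub, so a packet from spoke A that the firewall forwards into spoke B arrives over the hub-to-B peering with a source address that is not the hub's, and the peering discards it unless forwarded traffic is allowed. Two checks before merging: the spoke route tables must send the other spokes' prefixes (or 0.0.0.0/0) to the firewall's private IP, which this diff does not touch, so spoke-to-spoke still fails silently if those routes are missing; and the property is hard-coded rather than a module parameter, so a deployment that does not want transitive spoke-to-spoke reachability has no way to opt out short of editing the template. A `param allowForwardedTraffic bool = true` on the peering module, wired from `mlz.bicep`, would keep the new default and preserve the choice.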
Expand Down Expand Up @@ -3722,7 +3843,7 @@
"_generator": {
"name": "bicep",
"version": "0.4.1124.51302",
"templateHash": "11446754582894399873"
"templateHash": "13959757217405312631"
}
},
"parameters": {
Expand Down Expand Up @@ -3768,7 +3889,7 @@
"_generator": {
"name": "bicep",
"version": "0.4.1124.51302",
"templateHash": "16609137319418689057"
"templateHash": "8767588004842445770"
}
},
"parameters": {
Expand All @@ -3785,6 +3906,7 @@
"apiVersion": "2021-02-01",
"name": "[parameters('name')]",
"properties": {
"allowForwardedTraffic": true,
"remoteVirtualNetwork": {
"id": "[parameters('remoteVirtualNetworkResourceId')]"
}
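Review bot: the nested template hash here is the same as in the earlier peering hunk (16609137319418689057 to 8767588004842445770), so one peering module is compiled for both directions and the property is now set on the hub-side peering as well as the spoke-side one. Only the spoke side strictly needs it, since that is the peering that receives traffic the firewall forwards from another spoke; enabling it on the hub side is a widening with no stated purpose. A one-line comment in the module source explaining why it is enabled unconditionally, or a module parameter so the two directions can differ, would make the intent explicit for the next change to this file.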