update firewall.bicep

kennethcarnes · Feb 5, 2024 · d3fb057 · d3fb057
1 parent ece1b3c
commit d3fb057
Show file tree

Hide file tree

Showing 5 changed files with 262 additions and 155 deletions.
diff --git a/bicep/firewall.bicep b/bicep/firewall.bicep
@@ -0,0 +1,163 @@
+param location string
+param hubVnetName string
+param workloadSubnetId string
+param firewallPrivateIp string
+
+resource firewallPublicIP 'Microsoft.Network/publicIPAddresses@2021-05-01' = {
+  name: '${hubVnetName}-fw-pip'
+  location: location
+  properties: {
+    publicIPAllocationMethod: 'Static'
+  }
+}
+
+resource firewallMgmtPublicIP 'Microsoft.Network/publicIPAddresses@2021-05-01' = {
+  name: '${hubVnetName}-fw-mgmt-pip'
+  location: location
+  properties: {
+    publicIPAllocationMethod: 'Static'
+  }
+}
+
+resource azureFirewall 'Microsoft.Network/azureFirewalls@2021-05-01' = {
+  name: '${hubVnetName}-firewall'
+  location: location
+  properties: {
+    sku: {
+      name: 'AZFW_VNet'
+      tier: 'Basic'
+    }
+    ipConfigurations: [
+      {
+        name: 'configuration'
+        properties: {
+          subnet: {
+            id: resourceId('Microsoft.Network/virtualNetworks/subnets', hubVnetName, 'AzureFirewallSubnet')
+          }
+          publicIPAddress: {
+            id: firewallPublicIP.id
+          }
+        }
+      }
+    ]
+    managementIpConfiguration: {
+      name: 'managementConfiguration'
+      properties: {
+        subnet: {
+          id: resourceId('Microsoft.Network/virtualNetworks/subnets', hubVnetName, 'AzureFirewallManagementSubnet')
+        }
+        publicIPAddress: {
+          id: firewallMgmtPublicIP.id
+        }
+      }
+    }
+  }
+}
+
+resource routeTable 'Microsoft.Network/routeTables@2020-07-01' = {
+  name: '${hubVnetName}-routeTable'
+  location: location
+  properties: {
+    routes: [
+      {
+        name: 'default-route'
+        properties: {
+          addressPrefix: '0.0.0.0/0'
+          nextHopType: 'VirtualAppliance'
+          nextHopIpAddress: firewallPrivateIp
+        }
+      }
+    ]
+  }
+}
+
+resource subnetRouteTableAssociation 'Microsoft.Network/virtualNetworks/subnets@2020-11-01' = {
+  name: '${workloadSubnetId}/routeTable'
+  properties: {
+    routeTable: {
+      id: routeTable.id
+    }
+  }
+}
+
+resource firewallPolicy 'Microsoft.Network/firewallPolicies@2023-06-01' = {
+  name: 'myFirewallPolicy'
+  location: location
+  properties: {
+    threatIntelMode: 'Alert'
+  }
+}
+
+resource applicationRuleCollection 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2023-06-01' = {
+  parent: firewallPolicy
+  name: 'ApplicationRules'
+  properties: {
+    priority: 100
+    ruleCollections: [
+      {
+        name: 'Allow-Google'
+        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
+        action: {
+          type: 'Allow'
+        }
+        rules: [
+          {
+            name: 'Allow-Google'
+            ruleType: 'ApplicationRule'
+            targetFqdns: [
+              'www.google.com'
+            ]
+            protocols: [
+              {
+                protocolType: 'Http'
+                port: 80
+              }
+              {
+                protocolType: 'Https'
+                port: 443
+              }
+            ]
+            sourceAddresses: [
+              '*'
+            ]
+          }
+        ]
+      }
+    ]
+  }
+}
+
+resource networkRuleCollection 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2023-06-01' = {
+  parent: firewallPolicy
+  name: 'NetworkRules'
+  properties: {
+    priority: 200
+    ruleCollections: [
+      {
+        name: 'DNS-Rules'
+        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
+        action: {
+          type: 'Allow'
+        }
+        rules: [
+          {
+            name: 'Allow-DNS'
+            ruleType: 'ApplicationRule'
+            sourceAddresses: [
+              '10.0.2.0/24'
+            ]
+            destinationAddresses: [
+              '209.244.0.3'
+              '209.244.0.4'
+            ]
+            protocols: [
+              {
+                protocolType: 'UDP'
+              }
+            ]
+          }
+        ]
+      }
+    ]
+  }
+}
diff --git a/bicep/main.bicep b/bicep/main.bicep
@@ -1,33 +1,38 @@
 param location string = 'eastus'
 param hubVnetName string = 'hubVnet'
+param hubSubnet1Prefix string = '10.0.1.0/24'
+param hubSubnet2Prefix string = '10.0.2.0/24'
 param spokeVnetDetails array = [
   {
     name: 'spokeVnet1'
     addressPrefix: '10.1.0.0/16'
-    subnetPrefix1: '10.1.1.0/24'
-    subnetPrefix2: '10.1.2.0/24'
+    subnet1Prefix: '10.1.1.0/24'
+    subnet2Prefix: '10.1.2.0/24'
   }
   {
     name: 'spokeVnet2'
     addressPrefix: '10.2.0.0/16'
-    subnetPrefix1: '10.2.1.0/24'
-    subnetPrefix2: '10.2.2.0/24'
+    subnet1Prefix: '10.2.1.0/24'
+    subnet2Prefix: '10.2.2.0/24'
   }
   {
     name: 'spokeVnet3'
     addressPrefix: '10.3.0.0/16'
-    subnetPrefix1: '10.3.1.0/24'
-    subnetPrefix2: '10.3.2.0/24'
+    subnet1Prefix: '10.3.1.0/24'
+    subnet2Prefix: '10.3.2.0/24'
   }
 ]
 
-module network './network.bicep' = {
-  name: 'networkDeployment'
+module vnets './vnets.bicep' = {
+  name: 'vnetDeployment'
   params: {
     location: location
     hubVnetName: hubVnetName
+    hubSubnet1Prefix: hubSubnet1Prefix
+    hubSubnet2Prefix: hubSubnet2Prefix
     spokeVnetDetails: spokeVnetDetails
   }
 }
 
-// Outputs can be added as needed
+// Outputs (if any)
+output hubVnetId string = vnets.outputs.hubVnetId
diff --git a/bicep/network.bicep b/bicep/network.bicep