diff --git a/azure/templates/marketplace-management/createUiDefinition.json b/azure/templates/marketplace-management/createUiDefinition.json index 3d6e29a4..d28d289b 100644 --- a/azure/templates/marketplace-management/createUiDefinition.json +++ b/azure/templates/marketplace-management/createUiDefinition.json 
@@ -725,6 +725,93 @@ } } }, + { + "name": "enableIpv6", + "type": "Microsoft.Common.OptionsGroup", + "label": "Enable IPv6 Support", + "toolTip": "Enable IPv6 support. For a new Virtual Network you must provide IPv6 prefixes and a static IPv6 NIC address; for an existing Virtual Network we do not modify the VNet or subnet and the static IPv6 NIC address you enter must already be valid in the existing subnet prefix. The management VM NIC will get this static IPv6 when enabled.", + "defaultValue": "No (IPv4 only)", + "constraints": { + "allowedValues": [ + { "label": "No (IPv4 only)", "value": false }, + { "label": "Yes (IPv4 + IPv6)", "value": true } + ], + "required": true + }, + "visible": true + }, + { + "name": "ipv6Section", + "type": "Microsoft.Common.Section", + "label": "IPv6 Configuration", + "visible": "[steps('network').enableIpv6]", + "elements": [ + { + "name": "virtualNetworkIpv6AddressPrefix", + "type": "Microsoft.Common.TextBox", + "label": "Virtual Network IPv6 Address Prefix", + "defaultValue": "ace:cab:deca::/48", + "toolTip": "IPv6 address prefix for the virtual network (e.g., ace:cab:deca::/48)", + "constraints": { + "required": "[and(steps('network').enableIpv6, equals(steps('network').virtualNetwork.newOrExisting, 'new'))]", + "regex": "^(([0-9A-Fa-f]{1,4}:){7}[0-9A-Fa-f]{1,4}|([0-9A-Fa-f]{1,4}:){1,7}:|([0-9A-Fa-f]{1,4}:){1,6}:[0-9A-Fa-f]{1,4}|([0-9A-Fa-f]{1,4}:){1,5}(:[0-9A-Fa-f]{1,4}){1,2}|([0-9A-Fa-f]{1,4}:){1,4}(:[0-9A-Fa-f]{1,4}){1,3}|([0-9A-Fa-f]{1,4}:){1,3}(:[0-9A-Fa-f]{1,4}){1,4}|([0-9A-Fa-f]{1,4}:){1,2}(:[0-9A-Fa-f]{1,4}){1,5}|[0-9A-Fa-f]{1,4}:((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){1,7}|:))/(4[8-9]|5[0-9]|6[0-4])$", + "validationMessage": "Enter a valid IPv6 CIDR (e.g., ace:cab:deca::/48)" + }, + "visible": "[and(steps('network').enableIpv6, equals(steps('network').virtualNetwork.newOrExisting, 'new'))]" + }, + { + "name": "Subnet1Ipv6Prefix", + "type": "Microsoft.Common.TextBox", + "label": "Management Subnet IPv6 Prefix", + 
"defaultValue": "ace:cab:deca:deed::/64", + "toolTip": "IPv6 address prefix for the management subnet (e.g., ace:cab:deca:deed::/64)", + "constraints": { + "required": "[and(steps('network').enableIpv6, equals(steps('network').virtualNetwork.newOrExisting, 'new'))]", + "regex": "^(([0-9A-Fa-f]{1,4}:){7}[0-9A-Fa-f]{1,4}|([0-9A-Fa-f]{1,4}:){1,7}:|([0-9A-Fa-f]{1,4}:){1,6}:[0-9A-Fa-f]{1,4}|([0-9A-Fa-f]{1,4}:){1,5}(:[0-9A-Fa-f]{1,4}){1,2}|([0-9A-Fa-f]{1,4}:){1,4}(:[0-9A-Fa-f]{1,4}){1,3}|([0-9A-Fa-f]{1,4}:){1,3}(:[0-9A-Fa-f]{1,4}){1,4}|([0-9A-Fa-f]{1,4}:){1,2}(:[0-9A-Fa-f]{1,4}){1,5}|[0-9A-Fa-f]{1,4}:((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){1,7}|:))/64$", + "validationMessage": "Enter a valid IPv6 CIDR (e.g., ace:cab:deca:deed::/64)" + }, + "visible": "[and(steps('network').enableIpv6, equals(steps('network').virtualNetwork.newOrExisting, 'new'))]" + }, + { + "name": "Subnet1Ipv6StartAddress", + "type": "Microsoft.Common.TextBox", + "label": "Management NIC IPv6 Address (Static)", + "defaultValue": "ace:cab:deca:deed::a", + "toolTip": "[if(equals(steps('network').virtualNetwork.newOrExisting, 'new'), 'Enter the static IPv6 address for the management NIC (no CIDR) within the Management Subnet IPv6 prefix above.', 'Enter the static IPv6 address for the management NIC (no CIDR) inside your existing subnet IPv6 prefix.')]", + "constraints": { + "required": "[steps('network').enableIpv6]", + "regex": "^(([0-9A-Fa-f]{1,4}:){7}[0-9A-Fa-f]{1,4}|([0-9A-Fa-f]{1,4}:){1,7}:|([0-9A-Fa-f]{1,4}:){1,6}:[0-9A-Fa-f]{1,4}|([0-9A-Fa-f]{1,4}:){1,5}(:[0-9A-Fa-f]{1,4}){1,2}|([0-9A-Fa-f]{1,4}:){1,4}(:[0-9A-Fa-f]{1,4}){1,3}|([0-9A-Fa-f]{1,4}:){1,3}(:[0-9A-Fa-f]{1,4}){1,4}|([0-9A-Fa-f]{1,4}:){1,2}(:[0-9A-Fa-f]{1,4}){1,5}|[0-9A-Fa-f]{1,4}:((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){1,7}|:))$", + "validationMessage": "Enter a valid IPv6 address (no CIDR)" + }, + "visible": "[steps('network').enableIpv6]" + }, + { + "name": "managementGUIClientNetworkIpv6", + "type": 
"Microsoft.Common.TextBox", + "label": "Allow SmartConsole IPv6 connections from these networks (optional)", + "defaultValue": "::/0", + "toolTip": "Optional IPv6 CIDR(s) for SmartConsole access (e.g., ace:cab:deca:deed::/64). Leave ::/0 to allow all.", + "constraints": { + "required": false, + "regex": "^(([0-9A-Fa-f]{1,4}:){7}[0-9A-Fa-f]{1,4}|([0-9A-Fa-f]{1,4}:){1,7}:|([0-9A-Fa-f]{1,4}:){1,6}:[0-9A-Fa-f]{1,4}|([0-9A-Fa-f]{1,4}:){1,5}(:[0-9A-Fa-f]{1,4}){1,2}|([0-9A-Fa-f]{1,4}:){1,4}(:[0-9A-Fa-f]{1,4}){1,3}|([0-9A-Fa-f]{1,4}:){1,3}(:[0-9A-Fa-f]{1,4}){1,4}|([0-9A-Fa-f]{1,4}:){1,2}(:[0-9A-Fa-f]{1,4}){1,5}|[0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){1,6}|:(:[0-9A-Fa-f]{1,4}){1,7}|::)/(12[0-8]|1[01][0-9]|[1-9][0-9]|[0-9])$", + "validationMessage": "Enter a valid IPv6 network CIDR (e.g., ace:cab:deca:deed::/64)" + }, + "visible": "[steps('network').enableIpv6]" + } + ] + }, + { + "name": "managementGUIClientNetwork", + "type": "Microsoft.Common.TextBox", + "label": "Allow SmartConsole connections from these networks", + "toolTip": "Allow SmartConsole connections from the following CIDR networks, for example: 192.168.1.0/26", + "constraints": { + "required": true, + "regex": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$", + "validationMessage": "Enter a valid IPv4 network CIDR" + }, + "visible": "[equals(steps('chkp-advanced').installationType, 'management')]" + }, { "name": "NSG", "type": "Microsoft.Common.OptionsGroup", 
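Review bot: `managementGUIClientNetworkIpv6` defaults to `::/0` and is marked `"required": false`, so turning on IPv6 exposes SSH, the GAiA portal and both SmartConsole ports to every IPv6 source unless the operator notices the field, while the IPv4 field right below it (`managementGUIClientNetwork`) is required with no default. Mirror the IPv4 element: drop the default, set `"required": "[steps('network').enableIpv6]"`, and state the consequence in the tooltip, e.g. `"toolTip": "IPv6 CIDR allowed to reach SSH, the GAiA portal and SmartConsole over IPv6. ::/0 exposes these ports to the entire IPv6 Internet."`. The label says "CIDR(s)" but the regex accepts exactly one prefix, and an empty value passes UI validation and is forwarded as the NSG `sourceAddressPrefix`, which presumably fails the deployment rather than failing safe. `managementGUIClientNetwork` is now only visible when `installationType` is `management` yet stays `"required": true`; confirm the hidden case still produces a valid output.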
@@ -913,7 +1000,12 @@ "Subnet1StartAddress": "[steps('network').virtualNetwork.subnets.subnet1.startAddress]", "vnetNewOrExisting": "[steps('network').virtualNetwork.newOrExisting]", "virtualNetworkExistingRGName": "[steps('network').virtualNetwork.resourceGroup]", - "managementGUIClientNetwork": "[steps('chkp').managementGUIClientNetwork]", + "managementGUIClientNetwork": "[steps('network').managementGUIClientNetwork]", + "enableIpv6": "[steps('network').enableIpv6]", + "virtualNetworkIpv6AddressPrefix": "[if(steps('network').enableIpv6, steps('network').ipv6Section.virtualNetworkIpv6AddressPrefix, '')]", + "Subnet1Ipv6Prefix": "[if(steps('network').enableIpv6, steps('network').ipv6Section.Subnet1Ipv6Prefix, '')]", + "Subnet1Ipv6StartAddress": "[if(steps('network').enableIpv6, steps('network').ipv6Section.Subnet1Ipv6StartAddress, '')]", + "managementGUIClientNetworkIpv6": "[if(steps('network').enableIpv6, steps('network').ipv6Section.managementGUIClientNetworkIpv6, '')]", "installationType": "[steps('chkp-advanced').installationType]", "bootstrapScript": "[steps('chkp-advanced').bootstrapScript]", "allowDownloadFromUploadToCheckPoint": "[coalesce(steps('chkp-advanced').allowUploadDownload, 'true')]", diff --git a/azure/templates/marketplace-management/mainTemplate.json b/azure/templates/marketplace-management/mainTemplate.json index ffc6de3e..c1002b5c 100644 --- a/azure/templates/marketplace-management/mainTemplate.json +++ b/azure/templates/marketplace-management/mainTemplate.json 
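Review bot: `managementGUIClientNetwork` is now read from `steps('network')`, where the element is visible only for `installationType == 'management'`; for other installation types the hidden element's value is presumably null or empty and is still forwarded as the template parameter, overriding the template's `0.0.0.0/0` default instead of leaving it unset. Guard the mapping the way the IPv6 fields below are guarded, e.g. `"managementGUIClientNetwork": "[if(equals(steps('chkp-advanced').installationType, 'management'), steps('network').managementGUIClientNetwork, '0.0.0.0/0')]"`, or verify that an empty prefix makes the deployment fail rather than silently widen the NSG rules. The `if(steps('network').enableIpv6, ..., '')` wrappers likewise send `''` in place of the template defaults; that is harmless only as long as every consumer of those parameters in `mainTemplate.json` stays gated on `enableIpv6`.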
@@ -113,6 +113,34 @@ }, "defaultValue": "10.0.1.10" }, + "enableIpv6": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Enable Ipv6 dual-stack networking support" + } + }, + "virtualNetworkIpv6AddressPrefix": { + "type": "string", + "defaultValue": "ace:cab:deca::/48", + "metadata": { + "description": "The Ipv6 address prefix of the virtual network" + } + }, + "Subnet1Ipv6Prefix": { + "type": "string", + "defaultValue": "ace:cab:deca:deed::/64", + "metadata": { + "description": "The Ipv6 address prefix of the 1st subnet" + } + }, + "Subnet1Ipv6StartAddress": { + "type": "string", + "defaultValue": "ace:cab:deca:deed::a", + "metadata": { + "description": "First Ipv6 address for NIC on Subnet1" + } + }, "vnetNewOrExisting": { "type": "string", "defaultValue": "new", @@ -138,6 +166,13 @@ }, "defaultValue": "0.0.0.0/0" }, + "managementGUIClientNetworkIpv6": { + "type": "string", + "metadata": { + "description": "Allowed Ipv6 GUI clients (optional)" + }, + "defaultValue": "::/0" + }, "installationType": { "type": "string", "metadata": { 
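Review bot: `managementGUIClientNetworkIpv6` is described as "(optional)" and defaults to `::/0`, but it is used verbatim as the `sourceAddressPrefix` of the SSH/443/18190/19009 IPv6 allow rules, so the default grants admin-port access from any IPv6 address and an empty value is an invalid prefix; neither case is rejected at the parameter. Add `"minLength": 1` and a description that states the effect, e.g. `"description": "IPv6 CIDR allowed to reach SSH, the GAiA portal and SmartConsole over IPv6 when enableIpv6 is true; ::/0 allows every IPv6 source"`. The IPv6 prefix and start-address parameters carry no validation either, so a `Subnet1Ipv6StartAddress` outside `Subnet1Ipv6Prefix` will only surface as a NIC deployment error; at least note in each description that the address must fall inside the corresponding prefix.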
@@ -1147,16 +1182,224 @@ "identity": "[if(parameters('msi'), json('{\"type\": \"SystemAssigned\"}'), json('null'))]", "publicIPAddressName": "[parameters('vmName')]", "publicIPAddressId": "[resourceId('Microsoft.Network/publicIPAddresses', variables('publicIPAddressName'))]", + "publicIPAddressNameV6": "[if(parameters('enableIpv6'), concat(parameters('vmName'), '-v6'), json('null'))]", + "publicIPAddressIdV6": "[if(parameters('enableIpv6'), resourceId('Microsoft.Network/publicIPAddresses', concat(parameters('vmName'), '-v6')), json('null'))]", + "nicPublicIpDependency": "[if(parameters('enableIpv6'), variables('publicIPAddressIdV6'), variables('publicIPAddressId'))]", "bootstrapScript64": "[base64(parameters('bootstrapScript'))]", "allowUploadDownload": "[parameters('allowDownloadFromUploadToCheckPoint')]", "_artifactsLocation": "[if(contains(parameters('_artifactsLocation'),'raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/azure/templates/marketplace'),'https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/azure/templates/',parameters('_artifactsLocation'))]", "networkSetupURL": "[uri(variables('_artifactsLocation'), concat('nestedtemplates/vnet-1-subnet-', parameters('vnetNewOrExisting'), '.json', parameters('_artifactsLocationSasToken')))]", + "networkSetupURLDualstack": "[uri(variables('_artifactsLocation'), concat('nestedtemplates/vnet-1-subnet-dualstack-new.json', parameters('_artifactsLocationSasToken')))]", "managementGUIClientNetwork": "[parameters('managementGUIClientNetwork')]", + "managementGUIClientNetworkIpv6": "[parameters('managementGUIClientNetworkIpv6')]", + "nicIpv4Config": { + "name": "ipconfig1", + "properties": { + "privateIPAddress": "[parameters('Subnet1StartAddress')]", + "privateIPAllocationMethod": "Static", + "PublicIpAddress": { + "Id": "[variables('publicIPAddressId')]" + }, + "subnet": { + "id": "[resourceId(variables('vnetRGName') ,'Microsoft.Network/virtualNetworks/subnets', 
parameters('virtualNetworkName'), parameters('Subnet1Name'))]" + } + } + }, + "nicIpv6Config": { + "name": "ipconfig1-v6", + "properties": { + "privateIPAddress": "[parameters('Subnet1Ipv6StartAddress')]", + "privateIPAllocationMethod": "Static", + "privateIPAddressVersion": "Ipv6", + "PublicIpAddress": { + "Id": "[variables('publicIPAddressIdV6')]" + }, + "subnet": { + "id": "[resourceId(variables('vnetRGName') ,'Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('Subnet1Name'))]" + }, + "primary": false + } + }, + "nicIpConfigurations": "[if(parameters('enableIpv6'), createArray(variables('nicIpv4Config'), variables('nicIpv6Config')), createArray(variables('nicIpv4Config')))]", "deployNewVnet": "[equals(parameters('vnetNewOrExisting'), 'new')]", + "networkNewDeploymentName": "[if(parameters('enableIpv6'), 'networkNewSetupDualstack', 'networkNewSetup')]", + "networkSetupId": "[if(variables('deployNewVnet'), resourceId('Microsoft.Resources/deployments', variables('networkNewDeploymentName')), resourceId('Microsoft.Resources/deployments', 'networkExistingSetup'))]", "vnetRGName": "[if(variables('deployNewVnet'), resourceGroup().name, parameters('virtualNetworkExistingRGName'))]", "NewNsgReference": { "id": "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('NewNsgName'))]" - } + }, + "nsgSecurityRulesBase": [ + { + "name": "SSH", + "properties": { + "description": "Allow inbound SSH connection", + "protocol": "TCP", + "sourcePortRange": "*", + "destinationPortRange": "22", + "sourceAddressPrefix": "[variables('managementGUIClientNetwork')]", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": "100", + "direction": "Inbound" + } + }, + { + "name": "GAiA-portal", + "properties": { + "description": "Allow inbound HTTPS access to the GAiA portal", + "protocol": "TCP", + "sourcePortRange": "*", + "destinationPortRange": "443", + "sourceAddressPrefix": "[variables('managementGUIClientNetwork')]", + 
"destinationAddressPrefix": "*", + "access": "Allow", + "priority": "110", + "direction": "Inbound" + } + }, + { + "name": "SmartConsole-1", + "properties": { + "description": "Allow inbound access using the SmartConsole GUI client", + "protocol": "TCP", + "sourcePortRange": "*", + "destinationPortRange": "18190", + "sourceAddressPrefix": "[variables('managementGUIClientNetwork')]", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": "120", + "direction": "Inbound" + } + }, + { + "name": "SmartConsole-2", + "properties": { + "description": "Allow inbound access using the SmartConsole GUI client", + "protocol": "TCP", + "sourcePortRange": "*", + "destinationPortRange": "19009", + "sourceAddressPrefix": "[variables('managementGUIClientNetwork')]", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": "130", + "direction": "Inbound" + } + }, + { + "name": "Logs", + "properties": { + "description": "Allow inbound logging connections from managed gateways", + "protocol": "TCP", + "sourcePortRange": "*", + "destinationPortRange": "257", + "sourceAddressPrefix": "*", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": "140", + "direction": "Inbound" + } + }, + { + "name": "ICA-pull", + "properties": { + "description": "Allow security gateways to pull a SIC certificate", + "protocol": "TCP", + "sourcePortRange": "*", + "destinationPortRange": "18210", + "sourceAddressPrefix": "*", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": "150", + "direction": "Inbound" + } + }, + { + "name": "CRL-fetch", + "properties": { + "description": "Allow security gateways to fetch CRLs", + "protocol": "TCP", + "sourcePortRange": "*", + "destinationPortRange": "18264", + "sourceAddressPrefix": "*", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": "160", + "direction": "Inbound" + } + }, + { + "name": "Policy-fetch", + "properties": { + "description": "Allow security gateways to fetch policy", + 
"protocol": "TCP", + "sourcePortRange": "*", + "destinationPortRange": "18191", + "sourceAddressPrefix": "*", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": "170", + "direction": "Inbound" + } + } + ], + "nsgSecurityRulesIPv6Additional": [ + { + "name": "SSH-IPv6", + "properties": { + "description": "Allow inbound SSH connection over IPv6", + "protocol": "TCP", + "sourcePortRange": "*", + "destinationPortRange": "22", + "sourceAddressPrefix": "[variables('managementGUIClientNetworkIpv6')]", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": "200", + "direction": "Inbound" + } + }, + { + "name": "GAiA-portal-IPv6", + "properties": { + "description": "Allow inbound HTTPS access to the GAiA portal over IPv6", + "protocol": "TCP", + "sourcePortRange": "*", + "destinationPortRange": "443", + "sourceAddressPrefix": "[variables('managementGUIClientNetworkIpv6')]", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": "210", + "direction": "Inbound" + } + }, + { + "name": "SmartConsole-1-IPv6", + "properties": { + "description": "Allow inbound access using the SmartConsole GUI client over IPv6", + "protocol": "TCP", + "sourcePortRange": "*", + "destinationPortRange": "18190", + "sourceAddressPrefix": "[variables('managementGUIClientNetworkIpv6')]", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": "220", + "direction": "Inbound" + } + }, + { + "name": "SmartConsole-2-IPv6", + "properties": { + "description": "Allow inbound access using the SmartConsole GUI client over IPv6", + "protocol": "TCP", + "sourcePortRange": "*", + "destinationPortRange": "19009", + "sourceAddressPrefix": "[variables('managementGUIClientNetworkIpv6')]", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": "230", + "direction": "Inbound" + } + } + ] }, "resources": [ { 
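Review bot: `nicIpv6Config` sets `"privateIPAddressVersion": "Ipv6"` while the new public IP resource in this same change uses `"publicIPAddressVersion": "IPv6"`; Azure documents the enum as `IPv4`/`IPv6`, and even if the service accepts either casing one spelling should be used. The Logs, ICA-pull, CRL-fetch and Policy-fetch rules keep `"sourceAddressPrefix": "*"`, which in an NSG matches IPv6 sources as well, so once `enableIpv6` is set those four ports are reachable from the whole IPv6 Internet through the new public IPv6 address although no IPv6-specific rule names them; that is presumably intended (gateways connect from anywhere) but should be stated, e.g. extend each `description` with `" (any IPv4 or IPv6 source)"`. `publicIPAddressIdV6` is `json('null')` when IPv6 is off, so anything that evaluates it outside an `enableIpv6` guard, including the `reference()` in the NSG rules further down, depends on ARM not evaluating the unselected `if` branch; a deploy test of the IPv4-only path would settle that.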
@@ -1192,11 +1435,11 @@
 "name": "[variables('storageAccountType')]"
 },
 "kind": "StorageV2",
- "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Storage/storageAccounts'), parameters('tagsByResource')['Microsoft.Storage/storageAccounts'], json('{}')) ]"
+ "tags": "[if(contains(parameters('tagsByResource'), 'Microsoft.Storage/storageAccounts'), parameters('tagsByResource')['Microsoft.Storage/storageAccounts'], json('{}'))]"
 },
 {
- "condition": "[equals(parameters('vnetNewOrExisting'), 'new')]",
- "name": "networkNewSetup",
+ "condition": "[and(equals(parameters('vnetNewOrExisting'), 'new'), not(parameters('enableIpv6')))]",
+ "name": "[variables('networkNewDeploymentName')]",
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2020-06-01",
 "properties": {
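Review bot: with `enableIpv6` true, `variables('networkNewDeploymentName')` resolves to `networkNewSetupDualstack`, so this (now conditioned-off) deployment carries the same type and name as the `networkNewSetupDualstack` resource added further down; ARM presumably rejects two resources of the same type and name in one template even when one has a false `condition`. The condition already excludes the IPv6 case, so keep the literal `"name": "networkNewSetup"` here and let `networkSetupId` choose the right id via the variable. The resource's `properties` body continues outside the hunk.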
@@ -1269,6 +1512,54 @@ } } }, + { + "condition": "[and(equals(parameters('vnetNewOrExisting'), 'new'), parameters('enableIpv6'))]", + "name": "networkNewSetupDualstack", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "[variables('networkSetupURLDualstack')]", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "location": { + "value": "[variables('location')]" + }, + "virtualNetworkName": { + "value": "[parameters('virtualNetworkName')]" + }, + "virtualNetworkAddressPrefixes": { + "value": "[createArray(parameters('virtualNetworkAddressPrefix'))]" + }, + "virtualNetworkAddressPrefixV6": { + "value": "[parameters('virtualNetworkIpv6AddressPrefix')]" + }, + "Subnet1Name": { + "value": "[parameters('Subnet1Name')]" + }, + "Subnet1Prefix": { + "value": "[parameters('Subnet1Prefix')]" + }, + "Subnet1PrefixV6": { + "value": "[parameters('Subnet1Ipv6Prefix')]" + }, + "vmName": { + "value": "[parameters('vmName')]" + }, + "deployNsg": { + "value": false + }, + "NewNsgName": { + "value": "[parameters('NewNsgName')]" + }, + "tagsByResource": { + "value": "[parameters('tagsByResource')]" + } + } + } + }, { "type": "Microsoft.Network/publicIPAddresses", "apiVersion": "2020-06-01", 
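Review bot: this nested deployment pulls `nestedtemplates/vnet-1-subnet-dualstack-new.json` from `_artifactsLocation`, but that template is not part of the visible diff, so what it does with `virtualNetworkAddressPrefixV6`, `Subnet1PrefixV6` and the `deployNsg: false` it receives cannot be reviewed here; confirm it is published at the artifacts path before this marketplace version ships, since a missing file surfaces only at deploy time. Passing `"deployNsg": { "value": false }` leaves the new dual-stack subnet without a subnet-level NSG and relies on the NIC-level NSG attached later in this template; if that layering is intentional, say so in the `enableIpv6` parameter description so the next reader does not "fix" it.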
@@ -1284,7 +1575,23 @@
 "domainNameLabel": "[concat(toLower(parameters('vmName')), '-', uniquestring(resourceGroup().id, deployment().name))]"
 }
 },
- "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/publicIPAddresses'), parameters('tagsByResource')['Microsoft.Network/publicIPAddresses'], json('{}')) ]"
+ "tags": "[if(contains(parameters('tagsByResource'), 'Microsoft.Network/publicIPAddresses'), parameters('tagsByResource')['Microsoft.Network/publicIPAddresses'], json('{}'))]"
+ },
+ {
+ "condition": "[parameters('enableIpv6')]",
+ "type": "Microsoft.Network/publicIPAddresses",
+ "apiVersion": "2020-06-01",
+ "location": "[variables('location')]",
+ "name": "[variables('publicIPAddressNameV6')]",
+ "sku": {
+ "name": "Standard"
+ },
+ "properties": {
+ "idleTimeoutInMinutes": 30,
+ "publicIPAllocationMethod": "Static",
+ "publicIPAddressVersion": "IPv6"
+ },
+ "tags": "[if(contains(parameters('tagsByResource'), 'Microsoft.Network/publicIPAddresses'), parameters('tagsByResource')['Microsoft.Network/publicIPAddresses'], json('{}'))]"
 },
 {
 "condition": "[parameters('deployNewNSG')]",
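Review bot: `publicIPAddressNameV6` evaluates to `json('null')` when `enableIpv6` is false, and this resource's `name` is still evaluated although its `condition` is false, so the IPv4-only path presumably fails template validation on a null resource name. Make the name unconditional, `"publicIPAddressNameV6": "[concat(parameters('vmName'), '-v6')]"`, and let `condition` be the only gate (the id variable can stay conditional). Standard SKU with static allocation is the right choice here, since Standard public IPs admit no inbound traffic until an NSG rule allows it; the IPv4 address's `dnsSettings` are not mirrored, so the IPv6 address gets no DNS label, which is fine but worth one line in the parameter description.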
@@ -1294,167 +1601,27 @@ "location": "[variables('location')]", "name": "[parameters('NewNsgName')]", "properties": { - "securityRules": [ - { - "name": "SSH", - "properties": { - "description": "Allow inbound SSH connection", - "protocol": "TCP", - "sourcePortRange": "*", - "destinationPortRange": "22", - "sourceAddressPrefix": "[variables('managementGUIClientNetwork')]", - "destinationAddressPrefix": "*", - "access": "Allow", - "priority": "100", - "direction": "Inbound" - } - }, - { - "name": "GAiA-portal", - "properties": { - "description": "Allow inbound HTTPS access to the GAiA portal", - "protocol": "TCP", - "sourcePortRange": "*", - "destinationPortRange": "443", - "sourceAddressPrefix": "[variables('managementGUIClientNetwork')]", - "destinationAddressPrefix": "*", - "access": "Allow", - "priority": "110", - "direction": "Inbound" - } - }, - { - "name": "SmartConsole-1", - "properties": { - "description": "Allow inbound access using the SmartConsole GUI client", - "protocol": "TCP", - "sourcePortRange": "*", - "destinationPortRange": "18190", - "sourceAddressPrefix": "[variables('managementGUIClientNetwork')]", - "destinationAddressPrefix": "*", - "access": "Allow", - "priority": "120", - "direction": "Inbound" - } - }, - { - "name": "SmartConsole-2", - "properties": { - "description": "Allow inbound access using the SmartConsole GUI client", - "protocol": "TCP", - "sourcePortRange": "*", - "destinationPortRange": "19009", - "sourceAddressPrefix": "[variables('managementGUIClientNetwork')]", - "destinationAddressPrefix": "*", - "access": "Allow", - "priority": "130", - "direction": "Inbound" - } - }, - { - "name": "Logs", - "properties": { - "description": "Allow inbound logging connections from managed gateways", - "protocol": "TCP", - "sourcePortRange": "*", - "destinationPortRange": "257", - "sourceAddressPrefix": "*", - "destinationAddressPrefix": "*", - "access": "Allow", - "priority": "140", - "direction": "Inbound" - } - }, - { - "name": "ICA-pull", 
- "properties": { - "description": "Allow security gateways to pull a SIC certificate", - "protocol": "TCP", - "sourcePortRange": "*", - "destinationPortRange": "18210", - "sourceAddressPrefix": "*", - "destinationAddressPrefix": "*", - "access": "Allow", - "priority": "150", - "direction": "Inbound" - } - }, - { - "name": "CRL-fetch", - "properties": { - "description": "Allow security gateways to fetch CRLs", - "protocol": "TCP", - "sourcePortRange": "*", - "destinationPortRange": "18264", - "sourceAddressPrefix": "*", - "destinationAddressPrefix": "*", - "access": "Allow", - "priority": "160", - "direction": "Inbound" - } - }, - { - "name": "Policy-fetch", - "properties": { - "description": "Allow security gateways to fetch policy", - "protocol": "TCP", - "sourcePortRange": "*", - "destinationPortRange": "18191", - "sourceAddressPrefix": "*", - "destinationAddressPrefix": "*", - "access": "Allow", - "priority": "170", - "direction": "Inbound" - } - }, - { - "name": "Allow-self-IP-inbound", - "properties": { - "description": "Allow inbound traffic from the VM's public IP address", - "protocol": "*", - "sourcePortRange": "*", - "destinationPortRange": "*", - "sourceAddressPrefix": "[reference(variables('publicIPAddressId')).IpAddress]", - "destinationAddressPrefix": "*", - "access": "Allow", - "priority": "180", - "direction": "Inbound" - } - } - ] + "securityRules": "[concat(if(parameters('enableIpv6'), concat(variables('nsgSecurityRulesBase'), variables('nsgSecurityRulesIPv6Additional')), variables('nsgSecurityRulesBase')), createArray(createObject('name', 'Allow-self-IP-inbound', 'properties', createObject('description', 'Allow inbound traffic from the VM public IP address', 'protocol', '*', 'sourcePortRange', '*', 'destinationPortRange', '*', 'sourceAddressPrefix', reference(variables('publicIPAddressId')).IpAddress, 'destinationAddressPrefix', '*', 'access', 'Allow', 'priority', '180', 'direction', 'Inbound'))), if(parameters('enableIpv6'), 
createArray(createObject('name', 'Allow-self-IP-inbound-IPv6', 'properties', createObject('description', 'Allow inbound traffic from the VM public IPv6 address', 'protocol', '*', 'sourcePortRange', '*', 'destinationPortRange', '*', 'sourceAddressPrefix', reference(variables('publicIPAddressIdV6')).IpAddress, 'destinationAddressPrefix', '*', 'access', 'Allow', 'priority', '240', 'direction', 'Inbound'))), createArray()))]" }, - "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/networkSecurityGroups'), parameters('tagsByResource')['Microsoft.Network/networkSecurityGroups'], json('{}')) ]" + "tags": "[if(contains(parameters('tagsByResource'), 'Microsoft.Network/networkSecurityGroups'), parameters('tagsByResource')['Microsoft.Network/networkSecurityGroups'], json('{}'))]" }, { "type": "Microsoft.Network/networkInterfaces", "apiVersion": "2020-06-01", "dependsOn": [ - "[coalesce(resourceId('Microsoft.Resources/deployments', 'networkNewSetup'), resourceId('Microsoft.Resources/deployments', 'networkExistingSetup'))]", + "[variables('networkSetupId')]", "[variables('publicIPAddressId')]", - "[coalesce(resourceId('Microsoft.Network/networkSecurityGroups', parameters('NewNsgName')), variables('publicIPAddressId'))]" + "[variables('nicPublicIpDependency')]", + "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('NewNsgName'))]" ], "location": "[variables('location')]", "name": "[variables('nic1Name')]", "properties": { "enableIPForwarding": false, "networkSecurityGroup": "[if(parameters('deployNewNSG') , variables('NewNsgReference') , parameters('ExistingNSG'))]", - "ipConfigurations": [ - { - "name": "ipconfig1", - "properties": { - "privateIPAddress": "[parameters('Subnet1StartAddress')]", - "privateIPAllocationMethod": "Static", - "PublicIpAddress": { - "Id": "[variables('publicIPAddressId')]" - }, - "subnet": { - "id": "[resourceId(variables('vnetRGName') ,'Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), 
parameters('Subnet1Name'))]" - } - } - } - ] + "ipConfigurations": "[variables('nicIpConfigurations')]" }, - "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/networkInterfaces'), parameters('tagsByResource')['Microsoft.Network/networkInterfaces'], json('{}')) ]" + "tags": "[if(contains(parameters('tagsByResource'), 'Microsoft.Network/networkInterfaces'), parameters('tagsByResource')['Microsoft.Network/networkInterfaces'], json('{}'))]" }, { "condition": "[not(equals(parameters('sourceImageVhdUri'), 'noCustomUri'))]", @@ -1473,7 +1640,7 @@ }, "hyperVGeneration": "V1" }, - "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Compute/images'), parameters('tagsByResource')['Microsoft.Compute/images'], json('{}')) ]" + "tags": "[if(contains(parameters('tagsByResource'), 'Microsoft.Compute/images'), parameters('tagsByResource')['Microsoft.Compute/images'], json('{}'))]" }, { "type": "Microsoft.Compute/virtualMachines", @@ -1525,7 +1692,7 @@ } } }, - "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Compute/virtualMachines'), parameters('tagsByResource')['Microsoft.Compute/virtualMachines'], json('{}')) ]" + "tags": "[if(contains(parameters('tagsByResource'), 'Microsoft.Compute/virtualMachines'), parameters('tagsByResource')['Microsoft.Compute/virtualMachines'], json('{}'))]" } ], "outputs": { 
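Review bot: the `securityRules` expression calls `reference(variables('publicIPAddressIdV6')).IpAddress` inside the `enableIpv6` branch of an `if`, and `publicIPAddressIdV6` is `json('null')` when IPv6 is off, so the IPv4-only deployment is correct only if ARM leaves the unselected branch unevaluated; deploy-test that path before release. The two `Allow-self-IP-inbound` rules admit every protocol and port from the VM's own public IPv4/IPv6 address (priorities 180 and 240); the IPv6 one is new and inherits an unexplained rationale, so its `description` should say what that hairpin traffic is for rather than restate the rule. Because `reference()` cannot be used in the `variables` section the inline `createObject` is understandable, but the rest of the set could be assembled once as `concat(variables('nsgSecurityRulesBase'), if(parameters('enableIpv6'), variables('nsgSecurityRulesIPv6Additional'), createArray()))` so that only the two self-IP rules remain inline and auditable. With `deployNewNSG` false the NIC's new IPv6 configuration is attached to `parameters('ExistingNSG')`, which contains none of these IPv6 rules; the `enableIpv6` tooltip should state that an existing NSG must be updated by hand.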
@@ -1533,9 +1700,33 @@ "type": "string", "value": "[reference(variables('publicIPAddressId')).IpAddress]" }, + "PublicIpv6": { + "condition": "[parameters('enableIpv6')]", + "type": "string", + "value": "[reference(variables('publicIPAddressIdV6')).IpAddress]" + }, "FQDN": { "type": "string", "value": "[reference(variables('publicIPAddressId')).dnsSettings.fqdn]" + }, + "enableIpv6": { + "type": "bool", + "value": "[parameters('enableIpv6')]" + }, + "managementGUIClientNetworkIpv6": { + "condition": "[parameters('enableIpv6')]", + "type": "string", + "value": "[parameters('managementGUIClientNetworkIpv6')]" + }, + "virtualNetworkIpv6AddressPrefix": { + "condition": "[parameters('enableIpv6')]", + "type": "string", + "value": "[parameters('virtualNetworkIpv6AddressPrefix')]" + }, + "Subnet1Ipv6Prefix": { + "condition": "[parameters('enableIpv6')]", + "type": "string", + "value": "[parameters('Subnet1Ipv6Prefix')]" } } } \ No newline at end of file diff --git a/azure/templates/marketplace-single/createUiDefinition.json b/azure/templates/marketplace-single/createUiDefinition.json index 2eecf67b..a86d5427 100644 --- a/azure/templates/marketplace-single/createUiDefinition.json +++ b/azure/templates/marketplace-single/createUiDefinition.json 
@@ -1348,6 +1348,110 @@ } } }, + { + "name": "ipv6InfoBox", + "type": "Microsoft.Common.InfoBox", + "visible": "true", + "options": { + "icon": "Info", + "text": "Enable IPv6 support to add an IPv6 public load balancer frontend and IPv6 configurations on the gateway network interfaces. Existing VNets/subnets are not modified." + } + }, + { + "name": "enableIpv6", + "type": "Microsoft.Common.OptionsGroup", + "label": "Enable IPv6 Support", + "toolTip": "Enable IPv6 support. For a new Virtual Network you must provide IPv6 prefixes and static IPv6 NIC addresses; for an existing Virtual Network we do not modify the VNet or subnets and the static IPv6 NIC addresses you enter must already be valid in those existing subnet prefixes. An IPv6 public load balancer frontend and IPv6 NIC configurations will be created when enabled. For required configuration, see sk170760.", + "defaultValue": "No (IPv4 only)", + "constraints": { + "allowedValues": [ + { + "label": "No (IPv4 only)", + "value": false + }, + { + "label": "Yes (IPv4 + IPv6 dual-stack)", + "value": true + } + ], + "required": true + }, + "visible": true + }, + + { + "name": "ipv6AddressSpace", + "type": "Microsoft.Common.Section", + "label": "IPv6 Address Configuration", + "visible": "[steps('network').enableIpv6]", + "elements": [ + { + "name": "virtualNetworkIpv6AddressPrefix", + "type": "Microsoft.Common.TextBox", + "label": "Virtual Network IPv6 Address Prefix", + "defaultValue": "ace:cab:deca::/48", + "toolTip": "The IPv6 address prefix for the virtual network (e.g., ace:cab:deca::/48)", + "constraints": { + "required": "[and(steps('network').enableIpv6, equals(steps('network').virtualNetwork.newOrExisting, 'new'))]", + "regex": 
"^(([0-9A-Fa-f]{1,4}:){7}[0-9A-Fa-f]{1,4}|([0-9A-Fa-f]{1,4}:){1,7}:|([0-9A-Fa-f]{1,4}:){1,6}:[0-9A-Fa-f]{1,4}|([0-9A-Fa-f]{1,4}:){1,5}(:[0-9A-Fa-f]{1,4}){1,2}|([0-9A-Fa-f]{1,4}:){1,4}(:[0-9A-Fa-f]{1,4}){1,3}|([0-9A-Fa-f]{1,4}:){1,3}(:[0-9A-Fa-f]{1,4}){1,4}|([0-9A-Fa-f]{1,4}:){1,2}(:[0-9A-Fa-f]{1,4}){1,5}|[0-9A-Fa-f]{1,4}:((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){1,7}|:))/(4[8-9]|5[0-9]|6[0-4])$", + "validationMessage": "Please enter a valid IPv6 CIDR notation (e.g., ace:cab:deca::/48)" + }, + "visible": "[and(steps('network').enableIpv6, equals(steps('network').virtualNetwork.newOrExisting, 'new'))]" + }, + { + "name": "subnet1Ipv6Prefix", + "type": "Microsoft.Common.TextBox", + "label": "Frontend Subnet IPv6 Address Prefix", + "defaultValue": "ace:cab:deca:deed::/64", + "toolTip": "The IPv6 address prefix for the frontend subnet (e.g., ace:cab:deca:deed::/64)", + "constraints": { + "required": "[and(steps('network').enableIpv6, equals(steps('network').virtualNetwork.newOrExisting, 'new'))]", + "regex": "^(([0-9A-Fa-f]{1,4}:){7}[0-9A-Fa-f]{1,4}|([0-9A-Fa-f]{1,4}:){1,7}:|([0-9A-Fa-f]{1,4}:){1,6}:[0-9A-Fa-f]{1,4}|([0-9A-Fa-f]{1,4}:){1,5}(:[0-9A-Fa-f]{1,4}){1,2}|([0-9A-Fa-f]{1,4}:){1,4}(:[0-9A-Fa-f]{1,4}){1,3}|([0-9A-Fa-f]{1,4}:){1,3}(:[0-9A-Fa-f]{1,4}){1,4}|([0-9A-Fa-f]{1,4}:){1,2}(:[0-9A-Fa-f]{1,4}){1,5}|[0-9A-Fa-f]{1,4}:((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){1,7}|:))/64$", + "validationMessage": "Please enter a valid IPv6 CIDR notation (e.g., ace:cab:deca:deed::/64)" + }, + "visible": "[and(steps('network').enableIpv6, equals(steps('network').virtualNetwork.newOrExisting, 'new'))]" + }, + { + "name": "subnet2Ipv6Prefix", + "type": "Microsoft.Common.TextBox", + "label": "Backend Subnet IPv6 Address Prefix", + "defaultValue": "ace:cab:deca:deee::/64", + "toolTip": "The IPv6 address prefix for the backend subnet (e.g., ace:cab:deca:deee::/64)", + "constraints": { + "required": "[and(steps('network').enableIpv6, 
equals(steps('network').virtualNetwork.newOrExisting, 'new'))]", + "regex": "^(([0-9A-Fa-f]{1,4}:){7}[0-9A-Fa-f]{1,4}|([0-9A-Fa-f]{1,4}:){1,7}:|([0-9A-Fa-f]{1,4}:){1,6}:[0-9A-Fa-f]{1,4}|([0-9A-Fa-f]{1,4}:){1,5}(:[0-9A-Fa-f]{1,4}){1,2}|([0-9A-Fa-f]{1,4}:){1,4}(:[0-9A-Fa-f]{1,4}){1,3}|([0-9A-Fa-f]{1,4}:){1,3}(:[0-9A-Fa-f]{1,4}){1,4}|([0-9A-Fa-f]{1,4}:){1,2}(:[0-9A-Fa-f]{1,4}){1,5}|[0-9A-Fa-f]{1,4}:((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){1,7}|:))/64$", + "validationMessage": "Please enter a valid IPv6 CIDR notation (e.g., ace:cab:deca:deee::/64)" + }, + "visible": "[and(steps('network').enableIpv6, equals(steps('network').virtualNetwork.newOrExisting, 'new'))]" + }, + { + "name": "subnet1Ipv6StartAddress", + "type": "Microsoft.Common.TextBox", + "label": "Frontend NIC IPv6 Address (Static)", + "defaultValue": "ace:cab:deca:deed::a", + "toolTip": "[if(equals(steps('network').virtualNetwork.newOrExisting, 'new'), 'Enter the static IPv6 address for the Frontend NIC (no CIDR) within the Frontend Subnet IPv6 prefix above.', 'Enter the static IPv6 address for the Frontend NIC (no CIDR) inside your existing Frontend subnet IPv6 prefix.')]", + "constraints": { + "required": "[steps('network').enableIpv6]", + "regex": "^([0-9A-Fa-f]{0,4}:){1,7}[0-9A-Fa-f]{0,4}$", + "validationMessage": "Enter a valid IPv6 address (no CIDR suffix)." 
+ },
+ "visible": "[steps('network').enableIpv6]"
+ },
+ {
+ "name": "subnet2Ipv6StartAddress",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Backend NIC IPv6 Address (Static)",
+ "defaultValue": "ace:cab:deca:deee::a",
+ "toolTip": "[if(equals(steps('network').virtualNetwork.newOrExisting, 'new'), 'Enter the static IPv6 address for the Backend NIC (no CIDR) within the Backend Subnet IPv6 prefix above.', 'Enter the static IPv6 address for the Backend NIC (no CIDR) inside your existing Backend subnet IPv6 prefix.')]",
+ "constraints": {
+ "required": "[steps('network').enableIpv6]",
+ "regex": "^([0-9A-Fa-f]{0,4}:){1,7}[0-9A-Fa-f]{0,4}$",
+ "validationMessage": "Enter a valid IPv6 address (no CIDR suffix)."
+ },
+ "visible": "[steps('network').enableIpv6]"
+ }
+ ]
+ },
 {
 "name": "NSG",
 "type": "Microsoft.Common.OptionsGroup",
@@ -1557,7 +1661,13 @@
 "NewNsgName": "[steps('network').NSGName]",
 "storageAccountDeployMode": "[steps('network').storageAccountDeployMode]",
 "addStorageAccountIpRules":"[steps('network').addStorageAccountIpRules]",
- "existingStorageAccountId": "[steps('network').existingStorageAccount]"
+ "existingStorageAccountId": "[steps('network').existingStorageAccount]",
+ "enableIpv6": "[steps('network').enableIpv6]",
+ "virtualNetworkIpv6AddressPrefix": "[if(steps('network').enableIpv6, steps('network').ipv6AddressSpace.virtualNetworkIpv6AddressPrefix, '')]",
+ "Subnet1Ipv6Prefix": "[if(steps('network').enableIpv6, steps('network').ipv6AddressSpace.subnet1Ipv6Prefix, '')]",
+ "Subnet2Ipv6Prefix": "[if(steps('network').enableIpv6, steps('network').ipv6AddressSpace.subnet2Ipv6Prefix, '')]",
+ "Subnet1Ipv6StartAddress": "[if(steps('network').enableIpv6, steps('network').ipv6AddressSpace.subnet1Ipv6StartAddress, '')]",
+ "Subnet2Ipv6StartAddress": "[if(steps('network').enableIpv6, steps('network').ipv6AddressSpace.subnet2Ipv6StartAddress, '')]"
 }
 }
 }
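Review bot: The six new outputs read every IPv6 field through `steps('network').ipv6AddressSpace.<field>`, so they carry a value only if the Section element that wraps `subnet1Ipv6Prefix`, `subnet2Ipv6Prefix` and the two start addresses is really named `ipv6AddressSpace`; that section's header lies outside this hunk, and if its name differs each output silently resolves to empty and the dual-stack path is attempted with blank prefixes. Please confirm the section name (or rename the section to `ipv6AddressSpace`) and keep the two in one place so a later rename cannot drift. Note also that the UI validates syntax only: nothing checks that `subnet1Ipv6StartAddress` lies inside `subnet1Ipv6Prefix` or that the /64s lie inside the VNet prefix, so such a mismatch surfaces only at deployment time — and the Backend address is consumed as the `::/0` next hop in the nested network template, where a wrong value would most likely drop IPv6 egress rather than fail validation.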
diff --git a/azure/templates/marketplace-single/mainTemplate.json b/azure/templates/marketplace-single/mainTemplate.json
index f7ece06a..72786701 100644
--- a/azure/templates/marketplace-single/mainTemplate.json
+++ b/azure/templates/marketplace-single/mainTemplate.json
@@ -164,6 +164,44 @@
 },
 "defaultValue": "10.0.2.10"
 },
+ "enableIpv6": {
+ "type": "bool",
+ "defaultValue": false,
+ "metadata": {
+ "description": "Enable IPv6 dual-stack networking support"
+ }
+ },
+ "virtualNetworkIpv6AddressPrefix": {
+ "type": "string",
+ "defaultValue": "ace:cab:deca::/48",
+ "metadata": {
+ "description": "The IPv6 address prefix of the virtual network"
+ }
+ },
+ "Subnet1Ipv6Prefix": {
+ "type": "string",
+ "defaultValue": "ace:cab:deca:deed::/64",
+ "metadata": {
+ "description": "The IPv6 address prefix of the 1st subnet"
+ }
+ },
+ "Subnet2Ipv6Prefix": {
+ "type": "string",
+ "defaultValue": "ace:cab:deca:deee::/64",
+ "metadata": {
+ "description": "The IPv6 address prefix of the 2nd subnet"
+ }
+ },
+ "Subnet1Ipv6StartAddress": {
+ "type": "string",
+ "defaultValue": "ace:cab:deca:deed::a",
+ "metadata": { "description": "First IPv6 address for NIC1 on Subnet1" }
+ },
+ "Subnet2Ipv6StartAddress": {
+ "type": "string",
+ "defaultValue": "ace:cab:deca:deee::a",
+ "metadata": { "description": "First IPv6 address for NIC2 on Subnet2" }
+ },
 "vnetNewOrExisting": {
 "type": "string",
 "defaultValue": "new",
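Review bot: The descriptions of the six new parameters do not say that they are consulted only when `enableIpv6` is true, nor that the template performs no containment check between a start address and its subnet prefix or between the /64 subnets and the VNet prefix; `Subnet2Ipv6StartAddress` in particular is forwarded to the nested network template as the `::/0` next hop, so an address outside `Subnet2Ipv6Prefix` would silently break IPv6 egress rather than fail validation. Suggest e.g. `"description": "IPv6 prefix of the virtual network (used only when enableIpv6 is true; the nested template creates a dual-stack VNet with it)"` and `"description": "Static IPv6 address for NIC2 on Subnet2; must lie within Subnet2Ipv6Prefix — it is also used as the IPv6 default-route next hop for the backend subnet"`. ARM cannot regex-validate string parameters, so for CLI/API deployers these descriptions are the only guard.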
@@ -1227,11 +1265,13 @@
 },
 "plan": "[if(equals(variables('offer'), 'BYOL') , variables('planBYOL'), if(equals(variables('offer'), 'NGTP'), variables('planNGTP'), if(equals(variables('offer'), 'NGTP-V2'), variables('planNGTP-V2'), if(equals(variables('offer'), 'NGTX'), variables('planNGTX'), if(equals(variables('offer'), 'NGTX-V2'), variables('planNGTX-V2'), json('null'))))))]",
 "publicIPAddressName": "[parameters('vmName')]",
+ "publicIPAddressNameV6": "lb-public-ipv6",
 "publicIPAddressId": "[resourceId('Microsoft.Network/publicIPAddresses/', variables('publicIPAddressName'))]",
 "bootstrapScript64": "[base64(parameters('bootstrapScript'))]",
 "allowUploadDownload": "[parameters('allowDownloadFromUploadToCheckPoint')]",
 "_artifactsLocation": "[if(contains(parameters('_artifactsLocation'),'raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/azure/templates/marketplace'),'https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/azure/templates/',parameters('_artifactsLocation'))]",
 "networkSetupURL": "[uri(variables('_artifactsLocation'), concat('nestedtemplates/vnet-', parameters('vnetNewOrExisting'), '.json', parameters('_artifactsLocationSasToken')))]",
+ "networkSetupURLDualstack": "[uri(variables('_artifactsLocation'), concat('nestedtemplates/vnet-2-subnet-dualstack-new.json', parameters('_artifactsLocationSasToken')))]",
 "sicKey": "[parameters('sicKey')]",
 "managementGUIClientNetwork": "[parameters('managementGUIClientNetwork')]",
 "vmID": "[resourceId('Microsoft.Compute/virtualMachines/', parameters('vmName'))]",
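Review bot: `publicIPAddressNameV6` is the fixed literal `lb-public-ipv6` (and the load balancer that fronts it, added in a later hunk, is the fixed literal `loadBalancer`), whereas the IPv4 public IP is derived from `vmName`; a second dual-stack gateway deployed into the same resource group would either fail on the duplicate names or, in Incremental mode, silently re-point the first gateway's IPv6 public IP and backend pool to the new VM. Derive both from the VM name, e.g. `"publicIPAddressNameV6": "[concat(parameters('vmName'), '-ipv6')]",` plus a new `"loadBalancerNameV6": "[concat(parameters('vmName'), '-lb-v6')]",` and use that variable wherever `'loadBalancer'` is currently hard-coded (NIC IPv6 config, LB resource, NIC `dependsOn`). The hunk ends inside the `variables` object.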
@@ -1239,10 +1279,73 @@ "identity": "[json('{\"type\": \"SystemAssigned\"}')]", "monitoringMetricsPublisher": "[concat('/subscriptions/', parameters('subscriptionId'), '/providers/Microsoft.Authorization/roleDefinitions/', '3913510d-42f4-4e42-8a64-420c390055eb')]", "deployNewVnet": "[equals(parameters('vnetNewOrExisting'), 'new')]", + "networkNewDeploymentName": "[if(parameters('enableIpv6'), 'networkNewSetupDualstack', 'networkNewSetup')]", "vnetRGName": "[if(variables('deployNewVnet'), resourceGroup().name, parameters('virtualNetworkExistingRGName'))]", + "subnet1ResourceId": "[resourceId(variables('vnetRGName'), 'Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('Subnet1Name'))]", + "subnet2ResourceId": "[resourceId(variables('vnetRGName'), 'Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('Subnet2Name'))]", + "nic1IPv4ConfigWithPublicIP": { + "name": "ipconfig1", + "properties": { + "privateIPAddress": "[parameters('Subnet1StartAddress')]", + "privateIPAllocationMethod": "Static", + "privateIPAddressVersion": "IPv4", + "primary": true, + "publicIPAddress": { + "id": "[variables('publicIPAddressId')]" + }, + "subnet": { + "id": "[variables('subnet1ResourceId')]" + } + } + }, + "nic1IPv6Config": { + "name": "ipconfig1-v6", + "properties": { + "privateIPAddress": "[parameters('Subnet1Ipv6StartAddress')]", + "privateIPAllocationMethod": "Static", + "privateIPAddressVersion": "IPv6", + "subnet": { + "id": "[variables('subnet1ResourceId')]" + }, + "loadBalancerBackendAddressPools": [ + { + "id": "[resourceId('Microsoft.Network/loadBalancers/backendAddressPools', 'loadBalancer', 'LBBAP-v6')]" + } + ] + } + }, + "nic1IPv4OnlyConfigs": "[createArray(variables('nic1IPv4ConfigWithPublicIP'))]", + "nic1IPv6Configs": "[createArray(variables('nic1IPv4ConfigWithPublicIP'), variables('nic1IPv6Config'))]", + "nic1IpConfigurations": "[if(parameters('enableIpv6'), variables('nic1IPv6Configs'), 
variables('nic1IPv4OnlyConfigs'))]", + "nic2IPv4Config": { + "name": "ipconfig2", + "properties": { + "privateIPAddress": "[parameters('Subnet2StartAddress')]", + "privateIPAllocationMethod": "Static", + "privateIPAddressVersion": "IPv4", + "subnet": { + "id": "[variables('subnet2ResourceId')]" + } + } + }, + "nic2IPv6Config": { + "name": "ipconfig2-v6", + "properties": { + "privateIPAddress": "[parameters('Subnet2Ipv6StartAddress')]", + "privateIPAllocationMethod": "Static", + "privateIPAddressVersion": "IPv6", + "subnet": { + "id": "[variables('subnet2ResourceId')]" + } + } + }, + "nic2IPv4OnlyConfigs": "[createArray(variables('nic2IPv4Config'))]", + "nic2IPv6Configs": "[createArray(variables('nic2IPv4Config'), variables('nic2IPv6Config'))]", + "nic2IpConfigurations": "[if(parameters('enableIpv6'), variables('nic2IPv6Configs'), variables('nic2IPv4OnlyConfigs'))]", "NewNsgReference": { "id": "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('NewNsgName'))]" - } + }, + "networkDependency": "[if(equals(parameters('vnetNewOrExisting'), 'new'), resourceId('Microsoft.Resources/deployments', variables('networkNewDeploymentName')), resourceId('Microsoft.Resources/deployments','networkExistingSetup'))]" }, "resources": [ { @@ -1281,8 +1384,8 @@ "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Storage/storageAccounts'), parameters('tagsByResource')['Microsoft.Storage/storageAccounts'], json('{}')) ]" }, { - "condition": "[equals(parameters('vnetNewOrExisting'), 'new')]", - "name": "networkNewSetup", + "condition": "[and(equals(parameters('vnetNewOrExisting'), 'new'), not(parameters('enableIpv6')))]", + "name": "[variables('networkNewDeploymentName')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2020-06-01", "properties": { 
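Review bot: `nic1IPv6Configs` and `nic2IPv6Configs` are actually dual-stack arrays (the IPv4 config first, then the IPv6 config), so the names read as though the IPv4 config were dropped; `nic1DualStackConfigs` / `nic2DualStackConfigs` would describe what `createArray(...)` holds. The backend-pool reference in `nic1IPv6Config` hard-codes the load balancer name `'loadBalancer'` as a string literal that is duplicated from the LB resource in a later hunk; keep the name in one variable and use it in both places so they cannot drift. The hunk ends just inside the `resources` array, so `networkDependency` and the NIC config variables are consumed outside it.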
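Review bot: The IPv4-only network deployment now takes its name from `variables('networkNewDeploymentName')`, which evaluates to `networkNewSetupDualstack` whenever `enableIpv6` is true — the same type and name as the explicit `networkNewSetupDualstack` deployment added in the next hunk, so in the dual-stack case the template appears to define one resource twice; a false `condition` does not stop ARM from evaluating the resource name, and duplicate definitions are normally rejected at validation time. Keep the literal `"name": "networkNewSetup",` here: the new `condition` already excludes it when IPv6 is enabled, and `networkDependency` already selects the correct deployment to wait on by name. The resource continues past the hunk (its `properties` open on the last line).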
@@ -1331,6 +1434,72 @@ } } }, + { + "condition": "[and(equals(parameters('vnetNewOrExisting'), 'new'), parameters('enableIpv6'))]", + "name": "networkNewSetupDualstack", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "[variables('networkSetupURLDualstack')]", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "location": { + "value": "[variables('location')]" + }, + "virtualNetworkName": { + "value": "[parameters('virtualNetworkName')]" + }, + "virtualNetworkAddressPrefixes": { + "value": "[createArray(parameters('virtualNetworkAddressPrefix'))]" + }, + "virtualNetworkAddressPrefixV6": { + "value": "[parameters('virtualNetworkIpv6AddressPrefix')]" + }, + "Subnet1Name": { + "value": "[parameters('Subnet1Name')]" + }, + "Subnet1Prefix": { + "value": "[parameters('Subnet1Prefix')]" + }, + "Subnet1PrefixV6": { + "value": "[parameters('Subnet1Ipv6Prefix')]" + }, + "Subnet2Name": { + "value": "[parameters('Subnet2Name')]" + }, + "Subnet2Prefix": { + "value": "[parameters('Subnet2Prefix')]" + }, + "Subnet2PrefixV6": { + "value": "[parameters('Subnet2Ipv6Prefix')]" + }, + "Subnet2StartAddress": { + "value": "[parameters('Subnet2StartAddress')]" + }, + "Subnet2Ipv6StartAddress": { + "value": "[parameters('Subnet2Ipv6StartAddress')]" + }, + "vmName": { + "value": "[parameters('vmName')]" + }, + "deployNsg": { + "value": "[parameters('deployNewNSG')]" + }, + "NewNsgName": { + "value": "[parameters('NewNsgName')]" + }, + "tagsByResource": { + "value": "[parameters('tagsByResource')]" + }, + "deploymentType": { + "value": "single" + } + } + } + }, { "condition": "[equals(parameters('vnetNewOrExisting'), 'existing')]", "name": "networkExistingSetup", 
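Review bot: The dual-stack network is fetched at deploy time via `templateLink` from `_artifactsLocation`, which the variables hunk rewrites to the repository's raw `master` URL whenever the Marketplace path is given; the linked file creates the allow-all NSG, the `::/0` user-defined route and the VNet address space, so the topology a customer receives is whatever `master` holds on the day, and `"contentVersion": "1.0.0.0"` pins nothing because every nested template carries it. This mirrors the pre-existing `networkSetupURL` pattern, but the commit adds a second unpinned network template; consider pointing `_artifactsLocation` at a release tag or commit, or inlining the nested template, so the routing a published Marketplace version deploys cannot change underneath it. Also, `Subnet2Ipv6StartAddress` is passed through unchecked and becomes the IPv6 default-route next hop in that template.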
@@ -1382,59 +1551,131 @@ "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/publicIPAddresses'), parameters('tagsByResource')['Microsoft.Network/publicIPAddresses'], json('{}')) ]" }, { - "type": "Microsoft.Network/networkInterfaces", + "condition": "[parameters('enableIpv6')]", + "type": "Microsoft.Network/publicIPAddresses", "apiVersion": "2020-06-01", + "location": "[variables('location')]", + "name": "[variables('publicIPAddressNameV6')]", + "sku": { + "name": "Standard" + }, + "properties": { + "idleTimeoutInMinutes": 30, + "publicIPAllocationMethod": "Static", + "publicIPAddressVersion": "IPv6", + "dnsSettings": { + "domainNameLabel": "[concat(toLower(parameters('vmName')), '-', uniquestring(resourceGroup().id, deployment().name))]" + } + }, + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/publicIPAddresses'), parameters('tagsByResource')['Microsoft.Network/publicIPAddresses'], json('{}')) ]" + }, + { + "condition": "[parameters('enableIpv6')]", + "apiVersion": "2020-05-01", + "name": "loadBalancer", + "type": "Microsoft.Network/loadBalancers", + "location": "[variables('location')]", + "sku": { + "name": "Standard" + }, "dependsOn": [ - "[coalesce(resourceId('Microsoft.Resources/deployments/', 'networkNewSetup'), resourceId('Microsoft.Resources/deployments', 'networkExistingSetup'))]", - "[variables('publicIPAddressId')]" + "[resourceId('Microsoft.Network/publicIPAddresses', variables('publicIPAddressNameV6'))]" ], - "location": "[variables('location')]", - "name": "[variables('nic1Name')]", "properties": { - "enableIPForwarding": true, - "enableAcceleratedNetworking": true, - "networkSecurityGroup": "[if(parameters('deployNewNSG') , variables('NewNsgReference') , parameters('ExistingNSG'))]", - "ipConfigurations": [ + "frontendIpConfigurations": [ { - "name": "ipconfig1", + "name": "LB-v6", "properties": { - "privateIPAddress": "[parameters('Subnet1StartAddress')]", - "privateIPAllocationMethod": "Static", - 
"PublicIpAddress": { - "Id": "[variables('publicIPAddressId')]" - }, - "subnet": { - "id": "[resourceId(variables('vnetRGName'), 'Microsoft.Network/virtualNetworks/subnets/', parameters('virtualNetworkName'), parameters('Subnet1Name'))]" + "publicIPAddress": { + "id": "[resourceId('Microsoft.Network/publicIPAddresses', variables('publicIPAddressNameV6'))]" } } } + ], + "backendAddressPools": [ + { + "name": "LBBAP-v6" + } + ], + "loadBalancingRules": [ + { + "name": "lb-http-v6", + "properties": { + "frontendIPConfiguration": { "id": "[resourceId('Microsoft.Network/loadBalancers/frontendIpConfigurations','loadBalancer','LB-v6')]" }, + "backendAddressPool": { "id": "[resourceId('Microsoft.Network/loadBalancers/backendAddressPools','loadBalancer','LBBAP-v6')]" }, + "probe": { "id": "[resourceId('Microsoft.Network/loadBalancers/probes','loadBalancer','lb-probe')]" }, + "protocol": "Tcp", + "frontendPort": 80, + "backendPort": 80, + "enableFloatingIP": true, + "enableTcpReset": true, + "idleTimeoutInMinutes": 15, + "disableOutboundSnat": true + } + } + ], + "probes": [ + { + "name": "lb-probe", + "properties": { + "protocol": "Tcp", + "port": 8117, + "intervalInSeconds": 5, + "numberOfProbes": 2 + } + } + ], + "outboundRules": [ + { + "name": "ob-v6", + "properties": { + "allocatedOutboundPorts": 8192, + "protocol": "All", + "idleTimeoutInMinutes": 4, + "backendAddressPool": { + "id": "[resourceId('Microsoft.Network/loadBalancers/backendAddressPools', 'loadBalancer', 'LBBAP-v6')]" + }, + "frontendIPConfigurations": [ + { + "id": "[resourceId('Microsoft.Network/loadBalancers/frontendIpConfigurations', 'loadBalancer', 'LB-v6')]" + } + ] + } + } ] }, - "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/networkInterfaces'), parameters('tagsByResource')['Microsoft.Network/networkInterfaces'], json('{}')) ]" + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/loadBalancers'), 
parameters('tagsByResource')['Microsoft.Network/loadBalancers'], json('{}')) ]" }, { "type": "Microsoft.Network/networkInterfaces", "apiVersion": "2020-06-01", + "name": "[variables('nic1Name')]", + "location": "[variables('location')]", "dependsOn": [ - "[coalesce(resourceId('Microsoft.Resources/deployments/', 'networkNewSetup'), resourceId('Microsoft.Resources/deployments/', 'networkExistingSetup'))]" + "[variables('networkDependency')]", + "[variables('publicIPAddressId')]", + "[resourceId('Microsoft.Network/loadBalancers','loadBalancer')]" ], - "location": "[variables('location')]", + "properties": { + "enableIPForwarding": true, + "enableAcceleratedNetworking": true, + "networkSecurityGroup": "[if(parameters('deployNewNSG') , variables('NewNsgReference') , parameters('ExistingNSG'))]", + "ipConfigurations": "[variables('nic1IpConfigurations')]" + }, + "tags": "[if(contains(parameters('tagsByResource'), 'Microsoft.Network/networkInterfaces'), parameters('tagsByResource')['Microsoft.Network/networkInterfaces'], json('{}')) ]" + }, + { + "type": "Microsoft.Network/networkInterfaces", + "apiVersion": "2020-06-01", "name": "[variables('nic2Name')]", + "location": "[variables('location')]", + "dependsOn": [ + "[variables('networkDependency')]" + ], "properties": { "enableIPForwarding": true, "enableAcceleratedNetworking": true, - "ipConfigurations": [ - { - "name": "ipconfig2", - "properties": { - "privateIPAddress": "[parameters('Subnet2StartAddress')]", - "privateIPAllocationMethod": "Static", - "subnet": { - "id": "[resourceId(variables('vnetRGName'), 'Microsoft.Network/virtualNetworks/subnets/', parameters('virtualNetworkName'), parameters('Subnet2Name'))]" - } - } - } - ] + "ipConfigurations": "[variables('nic2IpConfigurations')]" }, "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/networkInterfaces'), parameters('tagsByResource')['Microsoft.Network/networkInterfaces'], json('{}')) ]" }, 
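Review bot: The `lb-http-v6` rule publishes TCP/80 on the new IPv6 public IP straight to the gateway's frontend NIC (floating IP, probe on 8117) whenever `enableIpv6` is true, with no parameter to disable it or change the port; since the NSG the nested templates create is any/any allow, this rule is effectively the only thing deciding which IPv6 ports are reachable from the Internet. If the load balancer exists only to give the gateway IPv6 SNAT through `ob-v6`, a Standard LB outbound rule needs neither a load-balancing rule nor a probe, so `loadBalancingRules` and `probes` can be dropped; if inbound 80 is intentional, say why in the rule's name or a `metadata` note and expose the port (or the whole rule) as a parameter. NIC1's `dependsOn` on `loadBalancer` is unconditional, which is fine because ARM ignores dependencies on resources whose `condition` is false, but a short comment-style note in the NIC's `metadata` would save the next reader the check.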
@@ -1471,7 +1712,7 @@
 "plan": "[if(equals(parameters('sourceImageVhdUri'),'noCustomUri'), variables('plan'), json('null'))]",
 "identity": "[if(equals(variables('customMetrics'), 'yes'), variables('identity'), json('null'))]",
 "properties": {
- "UserData": "[base64(concat(variables('customData'), '\n', 'vnet=\"', if(equals(parameters('vnetNewOrExisting'), 'new'), reference('networkNewSetup').outputs.vnetAddressPrefix.value, reference('networkExistingSetup').outputs.vnetAddressPrefix.value), '\"', '\n' ))]",
+ "UserData": "[base64(concat(variables('customData'), '\n', 'vnet=\"', if(equals(parameters('vnetNewOrExisting'), 'new'), parameters('virtualNetworkAddressPrefix'), reference('networkExistingSetup').outputs.vnetAddressPrefix.value), '\"', '\n' ))]",
 "diagnosticsProfile": {
 "bootDiagnostics": "[if(equals(parameters('storageAccountDeployMode'), 'None'), createObject('enabled', false()), if(equals(parameters('storageAccountDeployMode'), 'Managed'), createObject('enabled', true()), createObject('enabled', true(), 'storageUri', if(equals(parameters('storageAccountDeployMode'), 'New'), reference(resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName')), '2023-05-01').primaryEndpoints.blob, reference(parameters('existingStorageAccountId'), '2023-05-01').primaryEndpoints.blob))))]"
 },
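Review bot: The `vnet=` line handed to the gateway still carries only the IPv4 prefix (`virtualNetworkAddressPrefix`); in a dual-stack deployment `virtualNetworkIpv6AddressPrefix` never reaches the VM, so whatever the bootstrap derives from `vnet` (consumed outside this file, so I cannot see how) will not cover the IPv6 address space. Switching from `reference('networkNewSetup')` to the parameter is needed regardless, since the dual-stack nested template exports `vnetAddressPrefixes` (array) rather than `vnetAddressPrefix`, but consider appending an `ipv6_vnet=\"...\"` line when `enableIpv6` is set if the bootstrap can use it. The same expression is repeated verbatim for `customData` in the next hunk; hoist it into a single variable so the two cannot diverge.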
@@ -1498,7 +1739,7 @@
 "adminPassword": "[parameters('adminPassword')]",
 "adminUsername": "[concat('not','used')]",
 "computerName": "[toLower(parameters('vmName'))]",
- "customData": "[base64(concat(variables('customData'), '\n', 'vnet=\"', if(equals(parameters('vnetNewOrExisting'), 'new'), reference('networkNewSetup').outputs.vnetAddressPrefix.value, reference('networkExistingSetup').outputs.vnetAddressPrefix.value), '\"', '\n' ))]",
+ "customData": "[base64(concat(variables('customData'), '\n', 'vnet=\"', if(equals(parameters('vnetNewOrExisting'), 'new'), parameters('virtualNetworkAddressPrefix'), reference('networkExistingSetup').outputs.vnetAddressPrefix.value), '\"', '\n' ))]",
 "linuxConfiguration": "[variables('linuxConfiguration')]"
 },
 "storageProfile": {
@@ -1537,6 +1778,11 @@
 "type": "string",
 "value": "[reference(variables('publicIPAddressId')).IpAddress]"
 },
+ "GatewayIPv6Addr": {
+ "condition": "[parameters('enableIpv6')]",
+ "type": "string",
+ "value": "[reference(resourceId('Microsoft.Network/publicIPAddresses', variables('publicIPAddressNameV6'))).ipAddress]"
+ },
 "GatewayFQDN": {
 "type": "string",
 "value": "[reference(variables('publicIPAddressId')).dnsSettings.fqdn]"
diff --git a/azure/templates/nestedtemplates/vnet-1-subnet-dualstack-new.json b/azure/templates/nestedtemplates/vnet-1-subnet-dualstack-new.json
new file mode 100644
index 00000000..ad5637fc
--- /dev/null
+++ b/azure/templates/nestedtemplates/vnet-1-subnet-dualstack-new.json
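Review bot: `GatewayIPv6Addr` exports the IPv6 address but not its name, although the IPv6 public IP is created with a `domainNameLabel`; the IPv4 side exports both the address output above and `GatewayFQDN`, so consumers of the outputs have no way to learn the AAAA name. Add the matching conditional output so the two address families are exposed symmetrically:

```json
"GatewayIPv6FQDN": {
  "condition": "[parameters('enableIpv6')]",
  "type": "string",
  "value": "[reference(resourceId('Microsoft.Network/publicIPAddresses', variables('publicIPAddressNameV6'))).dnsSettings.fqdn]"
},
```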
@@ -0,0 +1,189 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string" + }, + "virtualNetworkName": { + "type": "string", "defaultValue": "vnet" + }, + "virtualNetworkAddressPrefixes": { + "type": "array", + "metadata": { + "description": "(Dual-stack) IPv4 address prefixes array for the virtual network" + } + }, + "virtualNetworkAddressPrefixV6": { + "type": "string", + "defaultValue": "ace:cab:deca::/48", + "metadata": { + "description": "(Dual-stack) IPv6 virtual network prefix (single CIDR)" + } + }, + "Subnet1Name": { + "type": "string", + "defaultValue": "Frontend", + "metadata": { + "description": "The name of the 1st subnet" + } + }, + "Subnet1Prefix": { + "type": "string", + "defaultValue": "10.0.1.0/24", + "metadata": { + "description": "IPv4 address prefix of the 1st subnet" + } + }, + "Subnet1PrefixV6": { + "type": "string", + "defaultValue": "ace:cab:deca:deed::/64", + "metadata": { + "description": "IPv6 address prefix of the 1st subnet" + } + }, + "vmName": { + "type": "string", + "defaultValue": "[concat(resourceGroup().name, '-vnet')]" + }, + "deployNsg": { + "type": "bool", + "defaultValue": false + }, + "NewNsgName": { + "type": "string", + "defaultValue": "[concat(parameters('vmName'), '-nsg')]" + }, + "deployRouteTable": { + "type": "bool", + "defaultValue": false + }, + "deployGWLB": { + "type": "bool", + "defaultValue": false + }, + "tagsByResource": { + "type": "object", + "defaultValue": {} + } + }, + "variables": { + "localSubnetRouteV4": [ + { + "name": "Local-Subnet", + "properties": { + "addressPrefix": "[parameters('subnet1Prefix')]", + "nextHopType": "VnetLocal" + } + }, + { + "name": "To-Vnet", + "properties": { + "addressPrefix": "[parameters('virtualNetworkAddressPrefixes')[0]]", + "nextHopType": "None" + } + } + ], + "localSubnetRouteV6": [ + { + "name": "Local-Subnet-V6", + "properties": { + 
"addressPrefix": "[parameters('subnet1PrefixV6')]", + "nextHopType": "VnetLocal" + } + }, + { + "name": "To-Vnet-V6", + "properties": { + "addressPrefix": "[parameters('virtualNetworkAddressPrefixV6')]", + "nextHopType": "None" + } + } + ], + "routesArray": "[concat(variables('localSubnetRouteV4'), variables('localSubnetRouteV6'))]", + "nsgProperties": { + "id": "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('NewNsgName'))]" + }, + "routeTableID": "[resourceId('Microsoft.Network/routeTables', parameters('subnet1Name'))]", + "routeTableProperties": { + "id": "[variables('routeTableID')]" + }, + "deployGWLBVar": "[parameters('deployGWLB')]", + "addressPrefixesUnion": "[union(parameters('virtualNetworkAddressPrefixes'), createArray(parameters('virtualNetworkAddressPrefixV6')))]", + "subnet1AddressPrefixes": "[createArray(parameters('subnet1Prefix'), parameters('subnet1PrefixV6'))]", + "vnetProperties": { + "addressSpace": { + "addressPrefixes": "[variables('addressPrefixesUnion')]" + }, + "subnets": [ + { + "name": "[parameters('subnet1Name')]", + "properties": { + "addressPrefixes": "[variables('subnet1AddressPrefixes')]", + "routeTable": "[if(and(parameters('deployRouteTable'), variables('deployGWLBVar')), variables('routeTableProperties'), json('null'))]" + }} + ] + } + }, + "resources": [ + { + "type": "Microsoft.Network/routeTables", + "condition": "[and(parameters('deployRouteTable'), variables('deployGWLBVar'))]", + "apiVersion": "2020-06-01", + "location": "[parameters('location')]", + "name": "[parameters('subnet1Name')]", + "properties": { + "routes": "[variables('routesArray')]" + }, + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/routeTables'), parameters('tagsByResource')['Microsoft.Network/routeTables'], json('{}')) ]" + }, + { + "type": "Microsoft.Network/virtualNetworks", + "apiVersion": "2020-06-01", + "location": "[parameters('location')]", + "name": "[parameters('virtualNetworkName')]", + "dependsOn": [ 
"[variables('routeTableID')]" ], + "properties": "[variables('vnetProperties')]", + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/virtualNetworks'), parameters('tagsByResource')['Microsoft.Network/virtualNetworks'], json('{}')) ]" + }, + { + "type": "Microsoft.Network/networkSecurityGroups", + "condition": "[parameters('deployNsg')]", + "apiVersion": "2020-06-01", + "location": "[parameters('location')]", + "name": "[parameters('NewNsgName')]", + "properties": { + "securityRules": [ + { + "name": "AllowAllInBound", + "properties": { + "description": "Allow all inbound", + "protocol": "*", + "sourcePortRange": "*", + "destinationPortRange": "*", + "sourceAddressPrefix": "*", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": 100, + "direction": "Inbound" + } + } + ]}, + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/networkSecurityGroups'), parameters('tagsByResource')['Microsoft.Network/networkSecurityGroups'], json('{}')) ]" + } + ], + "outputs": { + "vnetId": { + "type": "string", + "value": "[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]" + }, + "vnetAddressPrefix": { + "type": "string", + "value": "[parameters('virtualNetworkAddressPrefixes')[0]]" + }, + "nsgProperties": { + "type": "object", + "value": "[variables('nsgProperties')]" + } + } +} diff --git a/azure/templates/nestedtemplates/vnet-2-subnet-dualstack-new.json b/azure/templates/nestedtemplates/vnet-2-subnet-dualstack-new.json new file mode 100644 index 00000000..b49cd477 --- /dev/null +++ b/azure/templates/nestedtemplates/vnet-2-subnet-dualstack-new.json 
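Review bot: This template's `vnetAddressPrefix` output is a string holding only `virtualNetworkAddressPrefixes[0]`, while the sibling `vnet-2-subnet-dualstack-new.json` exports `vnetAddressPrefixes` as an array that includes the IPv6 prefix; a caller written against one breaks on the other (the main template's existing-VNet path still reads `outputs.vnetAddressPrefix.value`), so export the same names from both, e.g. add `"vnetAddressPrefixes": { "type": "array", "value": "[variables('addressPrefixesUnion')]" }` here. The NSG created when `deployNsg` is true is a single any/any `AllowAllInBound` rule, which with dual-stack now also admits every IPv6 source; if filtering is intentionally delegated to the gateway, say so in the rule's `description` instead of "Allow all inbound". Minor: parameters are declared `Subnet1Prefix`/`Subnet1PrefixV6` but referenced as `subnet1Prefix`/`subnet1PrefixV6` — ARM is case-insensitive here, but matching case makes grep and review easier.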
@@ -0,0 +1,282 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "tagsByResource": { + "type": "object", + "defaultValue": {} + }, + "location": { + "type": "string" + }, + "virtualNetworkName": { + "type": "string", + "defaultValue": "vnet" + }, + "virtualNetworkAddressPrefixes": { + "type": "array", + "metadata": { + "description": "IPv4 address prefixes of the virtual network (array)" + } + }, + "virtualNetworkAddressPrefixV6": { + "type": "string", + "defaultValue": "ace:cab:deca::/48", + "metadata": { + "description": "IPv6 virtual network prefix (single CIDR) for dual-stack deployment" + } + }, + "Subnet1Name": { + "type": "string", + "defaultValue": "Frontend", + "metadata": { + "description": "The name of the 1st subnet" + } + }, + "Subnet1Prefix": { + "type": "string", + "defaultValue": "10.0.1.0/24", + "metadata": { + "description": "The IPv4 address prefix of the 1st subnet" + } + }, + "Subnet1PrefixV6": { + "type": "string", + "defaultValue": "ace:cab:deca:deed::/64", + "metadata": { "description": "The IPv6 address prefix of the 1st subnet" + } + }, + "Subnet2Name": { + "type": "string", + "defaultValue": "Backend", + "metadata": { + "description": "The name of the 2nd subnet" + } + }, + "Subnet2Prefix": { + "type": "string", + "defaultValue": "10.0.2.0/24", + "metadata": { + "description": "The IPv4 address prefix of the 2nd subnet" + } + }, + "Subnet2PrefixV6": { + "type": "string", + "defaultValue": "ace:cab:deca:deee::/64", + "metadata": { + "description": "The IPv6 address prefix of the 2nd subnet" + } + }, + "Subnet2StartAddress": { + "type": "string", + "metadata": { + "description": "The first available IPv4 address in the 2nd subnet" + } + }, + "Subnet2Ipv6StartAddress": { + "type": "string", + "metadata": { + "description": "The first available IPv6 address in the 2nd subnet" + } + }, + "vmName": { + "type": "string" + }, + "deployNsg": { + 
"type": "bool", + "defaultValue": false + }, + "NewNsgName": { + "type": "string", + "defaultValue": "[concat(parameters('vmName'),'-nsg')]" + }, + "deploymentType": { + "type": "string", + "allowedValues": ["single", "vmss"], + "defaultValue": "vmss" + } + }, + "variables": { + "copy": [ + { + "name": "toInternalRoutes", + "count": "[length(parameters('virtualNetworkAddressPrefixes'))]", + "input": { + "name": "To-Internal", + "properties": { + "addressPrefix": "[parameters('virtualNetworkAddressPrefixes')[copyIndex('toInternalRoutes')]]", + "nextHopType": "None" + } + } + } + ], + "localSubnetRoute": [ + { + "name": "Local-Subnet", + "properties": { + "addressPrefix": "[parameters('subnet1Prefix')]", + "nextHopType": "VnetLocal" + } + } + ], + "routesArray":"[concat(variables('localSubnetRoute'), variables('toInternalRoutes'))]", + "localSubnetRouteV6": [ + { + "name": "Local-Subnet-V6", + "properties": { + "addressPrefix": "[parameters('subnet1PrefixV6')]", + "nextHopType": "VnetLocal" + } + } + ], + "toInternalRoutesV6": [ + { + "name": "To-Internal-V6", + "properties": { + "addressPrefix": "[parameters('virtualNetworkAddressPrefixV6')]", + "nextHopType": "None" + } + } + ], + "routesArrayCombined": "[concat(variables('routesArray'), variables('localSubnetRouteV6'), variables('toInternalRoutesV6'))]", + "backendRoutesVirtualAppliance": [ + { + "name": "To-Internet", + "properties": { + "addressPrefix": "0.0.0.0/0", + "nextHopType": "VirtualAppliance", + "nextHopIpAddress": "[parameters('Subnet2StartAddress')]" + } + }, + { + "name": "To-Internet-V6", + "properties": { + "addressPrefix": "::/0", + "nextHopType": "VirtualAppliance", + "nextHopIpAddress": "[parameters('Subnet2Ipv6StartAddress')]" + } + } + ], + "backendRoutesNone": [ + { + "name": "To-Internet", + "properties": { + "addressPrefix": "0.0.0.0/0", + "nextHopType": "None" + } + }, + { + "name": "To-Internet-V6", + "properties": { + "addressPrefix": "::/0", + "nextHopType": "None" + } + } + ], + 
"backendRoutes": "[if(equals(parameters('deploymentType'), 'single'), variables('backendRoutesVirtualAppliance'), variables('backendRoutesNone'))]", + "nsgName": "[concat(parameters('vmName'), '-nsg')]", + "nsgProperties": { + "id": "[resourceId('Microsoft.Network/networkSecurityGroups', variables('nsgName'))]" + }, + "addressPrefixesUnion": "[union(parameters('virtualNetworkAddressPrefixes'), createArray(parameters('virtualNetworkAddressPrefixV6')))]", + "subnet1AddressPrefixes": "[createArray(parameters('subnet1Prefix'), parameters('subnet1PrefixV6'))]", + "subnet2AddressPrefixes": "[createArray(parameters('subnet2Prefix'), parameters('subnet2PrefixV6'))]" + }, + "resources": [ + { + "type": "Microsoft.Network/routeTables", + "apiVersion": "2020-06-01", + "location": "[parameters('location')]", + "name": "[parameters('subnet1Name')]", + "properties": { + "routes": "[variables('routesArrayCombined')]" + }, + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/routeTables'), parameters('tagsByResource')['Microsoft.Network/routeTables'], json('{}')) ]" + }, + { + "type": "Microsoft.Network/routeTables", + "apiVersion": "2020-06-01", + "location": "[parameters('location')]", + "name": "[parameters('subnet2Name')]", + "properties": { + "routes": "[variables('backendRoutes')]" + }, + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/routeTables'), parameters('tagsByResource')['Microsoft.Network/routeTables'], json('{}')) ]" + }, + { + "type": "Microsoft.Network/virtualNetworks", + "apiVersion": "2020-06-01", + "location": "[parameters('location')]", + "name": "[parameters('virtualNetworkName')]", + "dependsOn": [ + "[resourceId('Microsoft.Network/routeTables', parameters('subnet1Name'))]", + "[resourceId('Microsoft.Network/routeTables', parameters('subnet2Name'))]" + ], + "properties": { + "addressSpace": { + "addressPrefixes": "[variables('addressPrefixesUnion')]" }, + "subnets": [ + { + "name": "[parameters('subnet1Name')]", 
+ "properties": { + "addressPrefixes": "[variables('subnet1AddressPrefixes')]", + "routeTable": { + "id": "[resourceId('Microsoft.Network/routeTables', parameters('subnet1Name'))]" + } + } + }, + { + "name": "[parameters('subnet2Name')]", + "properties": { + "addressPrefixes": "[variables('subnet2AddressPrefixes')]", + "routeTable": { + "id": "[resourceId('Microsoft.Network/routeTables', parameters('subnet2Name'))]" + } + } + } + ] + }, + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/virtualNetworks'), parameters('tagsByResource')['Microsoft.Network/virtualNetworks'], json('{}')) ]" + }, + { + "type": "Microsoft.Network/networkSecurityGroups", + "condition": "[parameters('deployNsg')]", + "apiVersion": "2020-06-01", + "location": "[parameters('location')]", + "name": "[parameters('NewNsgName')]", + "properties": { + "securityRules": [ + { + "name": "AllowAllInBound", + "properties": { + "description": "Allow all inbound", + "protocol": "*", + "sourcePortRange": "*", + "destinationPortRange": "*", + "sourceAddressPrefix": "*", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": 100, + "direction": "Inbound" + } + } + ] + }, + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/networkSecurityGroups'), parameters('tagsByResource')['Microsoft.Network/networkSecurityGroups'], json('{}')) ]" + } + ], + "outputs": { + "vnetId": { + "type": "string", + "value": "[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]" + }, + "vnetAddressPrefixes": { + "type": "array", + "value": "[variables('addressPrefixesUnion')]" + }, + "nsgProperties": { + "type": "object", + "value": "[variables('nsgProperties')]" + } + } +} diff --git a/azure/templates/nestedtemplates/vnet-new.json b/azure/templates/nestedtemplates/vnet-new.json index 4c57eacd..7c6e0059 100644 --- a/azure/templates/nestedtemplates/vnet-new.json +++ b/azure/templates/nestedtemplates/vnet-new.json 
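Review bot: The `nsgProperties` output builds its id from `variables('nsgName')` (`concat(vmName, '-nsg')`), but the NSG resource itself is named `parameters('NewNsgName')`; the main template forwards a user-chosen `NewNsgName`, so whenever that differs from `<vmName>-nsg` the exported id points at an NSG that was never created (the 1-subnet sibling template uses the parameter correctly). Use the parameter in the output and drop the `nsgName` variable: `"id": "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('NewNsgName'))]"`. Also, `To-Internet-V6` with `nextHopType: VirtualAppliance` takes `Subnet2Ipv6StartAddress` verbatim as the next hop; nothing here checks that it lies within `Subnet2PrefixV6`, so a mismatch would most likely drop all backend IPv6 egress rather than fail validation — at minimum state the requirement in that parameter's `metadata.description`.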
@@ -91,8 +91,7 @@
 "name": "To-Internal",
 "properties": {
 "addressPrefix": "[parameters('virtualNetworkAddressPrefix')]",
- "nextHopType": "VirtualAppliance",
- "nextHopIpAddress": "[parameters('subnet1StartAddress')]"
+ "nextHopType": "None"
 }
 }
 ]
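Review bot: This changes behaviour of the existing IPv4-only path, not just the new dual-stack one: the Frontend subnet's `To-Internal` route now drops VNet-bound traffic (`"nextHopType": "None"`) instead of steering it to the gateway at `subnet1StartAddress`, so any workload placed in the Frontend subnet next to the gateway loses reachability to the rest of the VNet. If the intent is to stop the gateway's own frontend traffic from being hairpinned back to itself, record that in the commit message, and check whether `subnet1StartAddress` (declared outside this hunk) is still referenced anywhere in this template — if not, drop or document the now-unused parameter. The dual-stack templates added in this commit encode the same `None` semantics, so the three files stay consistent either way.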