From 6070245e69c63640a6839abcae320595e2b80632 Mon Sep 17 00:00:00 2001 From: Simon Kurtz Date: Thu, 31 Oct 2024 10:20:58 -0400 Subject: [PATCH 1/7] Add UDR option to route spoke traffic internally --- .../azure-resource-manager/main.json | 7 +++++++ scenarios/aca-internal/bicep/main.bicep | 4 ++++ .../aca-internal/bicep/main.parameters.json | 3 +++ .../aca-internal/bicep/main.parameters.jsonc | 4 ++++ .../bicep/modules/02-spoke/deploy.spoke.bicep | 16 ++++++++++++++-- .../02-spoke/deploy.spoke.parameters.jsonc | 3 +++ 6 files changed, 35 insertions(+), 2 deletions(-) diff --git a/scenarios/aca-internal/azure-resource-manager/main.json b/scenarios/aca-internal/azure-resource-manager/main.json index d925e6b2..b2fcef83 100644 --- a/scenarios/aca-internal/azure-resource-manager/main.json +++ b/scenarios/aca-internal/azure-resource-manager/main.json @@ -3469,6 +3469,13 @@ "description": "CIDR of the spoke infrastructure subnet." } }, + "routeSpokeTrafficInternally": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional, default value is false. If true, the spoke network will route spoke-internal traffic within the spoke network. If false, traffic will be sent to the hub network." + } + }, "spokePrivateEndpointsSubnetName": { "type": "string", "defaultValue": "snet-pep", diff --git a/scenarios/aca-internal/bicep/main.bicep b/scenarios/aca-internal/bicep/main.bicep index f37dbf24..a8569e9a 100644 --- a/scenarios/aca-internal/bicep/main.bicep +++ b/scenarios/aca-internal/bicep/main.bicep @@ -98,6 +98,9 @@ param spokePrivateEndpointsSubnetAddressPrefix string @description('CIDR of the Spoke Application Gateway Subnet.') param spokeApplicationGatewaySubnetAddressPrefix string +@description('Optional, default value is false. If true, the spoke network will route spoke-internal traffic within the spoke network. If false, traffic will be sent to the hub network.') +param routeSpokeTrafficInternally bool = false + @description('Enable or disable the createion of Application Insights.') param enableApplicationInsights bool @@ -193,6 +196,7 @@ module spoke 'modules/02-spoke/deploy.spoke.bicep' = { spokePrivateEndpointsSubnetAddressPrefix: spokePrivateEndpointsSubnetAddressPrefix spokeVNetAddressPrefixes: spokeVNetAddressPrefixes networkApplianceIpAddress: deployHub ? hub.outputs.networkApplianceIpAddress : '' + routeSpokeTrafficInternally: routeSpokeTrafficInternally vmSize: vmSize vmAdminUsername: vmAdminUsername vmAdminPassword: vmAdminPassword diff --git a/scenarios/aca-internal/bicep/main.parameters.json b/scenarios/aca-internal/bicep/main.parameters.json index 12660aab..08a098e4 100644 --- a/scenarios/aca-internal/bicep/main.parameters.json +++ b/scenarios/aca-internal/bicep/main.parameters.json @@ -71,6 +71,9 @@ "spokeApplicationGatewaySubnetAddressPrefix": { "value": "10.1.3.0/24" }, + "routeSpokeTrafficInternally": { + "value": false + }, "enableApplicationInsights": { "value": true }, diff --git a/scenarios/aca-internal/bicep/main.parameters.jsonc b/scenarios/aca-internal/bicep/main.parameters.jsonc index cfdb8cae..feb956f2 100644 --- a/scenarios/aca-internal/bicep/main.parameters.jsonc +++ b/scenarios/aca-internal/bicep/main.parameters.jsonc @@ -79,6 +79,10 @@ "spokeApplicationGatewaySubnetAddressPrefix": { "value": "10.1.3.0/24" }, + // If you want to keep spoke-internal traffic for the container apps within the spoke, set this to true + "routeSpokeTrafficInternally": { + "value": false + }, // If you want to deploy Application Insights, set this to true "enableApplicationInsights": { "value": true diff --git a/scenarios/aca-internal/bicep/modules/02-spoke/deploy.spoke.bicep b/scenarios/aca-internal/bicep/modules/02-spoke/deploy.spoke.bicep index 0108ebec..2b2c9556 100644 --- a/scenarios/aca-internal/bicep/modules/02-spoke/deploy.spoke.bicep +++ b/scenarios/aca-internal/bicep/modules/02-spoke/deploy.spoke.bicep @@ -51,6 +51,9 @@ param spokeApplicationGatewaySubnetAddressPrefix string @description('The IP address of the network appliance (e.g. firewall) that will be used to route traffic to the internet.') param networkApplianceIpAddress string +@description('Optional, default value is false. If true, the spoke network will route spoke-internal traffic within the spoke network. If false, traffic will be sent to the hub network.') +param routeSpokeTrafficInternally bool = false + @description('The size of the jump box virtual machine to create. See https://learn.microsoft.com/azure/virtual-machines/sizes for more information.') param vmSize string @@ -299,6 +302,7 @@ module peerHubToSpoke '../../../../shared/bicep/network/peering.bicep' = if (!em remoteVnetName: vnetSpoke.outputs.vnetName } } + @description('The Route Table deployment') module egressLockdownUdr '../../../../shared/bicep/routeTables/main.bicep' = if (networkApplianceIpAddress != '') { name: take('egressLockdownUdr-${uniqueString(spokeResourceGroup.id)}', 64) @@ -307,7 +311,7 @@ module egressLockdownUdr '../../../../shared/bicep/routeTables/main.bicep' = if name: naming.outputs.resourcesNames.routeTable location: location tags: tags - routes: [ + routes: concat([ { name: 'defaultEgressLockdown' properties: { @@ -316,7 +320,15 @@ module egressLockdownUdr '../../../../shared/bicep/routeTables/main.bicep' = if nextHopIpAddress: networkApplianceIpAddress } } - ] + ], routeSpokeTrafficInternally ? [ + { + name: 'spokeInternalTraffic' + properties: { + addressPrefix: spokeVNetAddressPrefixes[0] + nextHopType: 'VnetLocal' + } + } + ] : []) } } diff --git a/scenarios/aca-internal/bicep/modules/02-spoke/deploy.spoke.parameters.jsonc b/scenarios/aca-internal/bicep/modules/02-spoke/deploy.spoke.parameters.jsonc index bbcc77eb..affc8162 100644 --- a/scenarios/aca-internal/bicep/modules/02-spoke/deploy.spoke.parameters.jsonc +++ b/scenarios/aca-internal/bicep/modules/02-spoke/deploy.spoke.parameters.jsonc @@ -36,6 +36,9 @@ "networkApplianceIpAddress": { "value": "[IP OF THE NETWORK APPLIANCE]" }, + "routeSpokeTrafficInternally": { + "value": false + }, "vmSize": { "value": "Standard_B2ms" }, From ca1f228a106c0a0845cccd92cc65654234869901 Mon Sep 17 00:00:00 2001 From: Simon Kurtz Date: Mon, 4 Nov 2024 13:18:02 -0500 Subject: [PATCH 2/7] Add routeSpokeTrafficInternally parameter --- scenarios/aca-internal/bicep/README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/scenarios/aca-internal/bicep/README.md b/scenarios/aca-internal/bicep/README.md index b7a0b683..0af0c4ed 100644 --- a/scenarios/aca-internal/bicep/README.md +++ b/scenarios/aca-internal/bicep/README.md @@ -115,6 +115,7 @@ This is the starting point for the instructions on deploying this reference impl | `spokeInfraSubnetAddressPrefix` | CIDR of the spoke infrastructure subnet. Must be a subset of the spoke CIDR ranges. | **10.1.0.0/23** | **10.101.0.0/23** | | `spokePrivateEndpointsSubnetAddressPrefix` | CIDR of the spoke private endpoint subnet. Must be a subset of the spoke CIDR ranges. | **10.1.2.0/27** | **10.101.2.0/27** | | `spokeApplicationGatewaySubnetAddressPrefix` | CIDR of the spoke Application Gateway subnet. Must be a subset of the spoke CIDR ranges. | **10.1.3.0/24** | **10.101.3.0/24** | + | `routeSpokeTrafficInternally` | If true, the spoke network will route spoke-internal traffic within the spoke network. If false, traffic will be sent to the hub network. | **false** | **true** | | `enableApplicationInsights` | Controls if Application Insights is deployed and configured. | **true** | **false** | | `enableDaprInstrumentation` | Enable Dapr's telemetry. enableApplicationInsights` must also be set to **true** for this to work. | **true** | **false** | | `deployHelloWorldSample` | Deploy a simple, sample application to the infrastructure. If you prefer to deploy the more comprehensive, Dapr-enabled sample app, this needs to be disabled | **true** | **false**, because you plan on deploying the Dapr-enabled application instead. | From d6c8b5fb63248304341124676ee94efb3cded4b0 Mon Sep 17 00:00:00 2001 From: Konstantinos Pantos Date: Thu, 14 Nov 2024 03:09:53 +0200 Subject: [PATCH 3/7] added the terraform implementation for rouring traffic internally in spoke --- .../terraform/modules/02-spoke/main.tf | 20 ++++++++++++------- .../terraform/modules/02-spoke/variables.tf | 6 ++++++ 2 files changed, 19 insertions(+), 7 deletions(-) diff --git a/scenarios/aca-internal/terraform/modules/02-spoke/main.tf b/scenarios/aca-internal/terraform/modules/02-spoke/main.tf index 30d8ccb3..c13965b0 100644 --- a/scenarios/aca-internal/terraform/modules/02-spoke/main.tf +++ b/scenarios/aca-internal/terraform/modules/02-spoke/main.tf @@ -189,11 +189,17 @@ module "routeTable" { subnetId = data.azurerm_subnet.infraSubnet.id tags = var.tags - routes = [{ - name = "defaultEgressLockdown" - addressPrefix = "0.0.0.0/0" - nextHopType = "VirtualAppliance" - nextHopIpAddress = var.firewallPrivateIp - } - ] + routes = concat( + [{ + name = "defaultEgressLockdown" + addressPrefix = "0.0.0.0/0" + nextHopType = "VirtualAppliance" + nextHopIpAddress = var.firewallPrivateIp + }, + var.routeSpokeTrafficInternally ? [for prefix in var.vnetAddressPrefixes : { + name = "intTraffic-${prefix}" + addressPrefix = prefix + nextHopType = "VnetLocal" + }] : [] + ]) } diff --git a/scenarios/aca-internal/terraform/modules/02-spoke/variables.tf b/scenarios/aca-internal/terraform/modules/02-spoke/variables.tf index 65e0e060..4f3163c5 100644 --- a/scenarios/aca-internal/terraform/modules/02-spoke/variables.tf +++ b/scenarios/aca-internal/terraform/modules/02-spoke/variables.tf @@ -243,3 +243,9 @@ variable "appGatewaySecurityRules" { variable "firewallPrivateIp" { type = string } + +variable "routeSpokeTrafficInternally" { + type = bool + default = false + description = "Optional, default value is false. If true, the spoke network will route spoke-internal traffic within the spoke network. If false, traffic will be sent to the hub network." +} \ No newline at end of file From f9a5923ad6665557860603b001d35e943ce684cb Mon Sep 17 00:00:00 2001 From: Konstantinos Pantos Date: Thu, 14 Nov 2024 03:15:48 +0200 Subject: [PATCH 4/7] exposed internal routing through the main deployment --- scenarios/aca-internal/terraform/main.tf | 1 + scenarios/aca-internal/terraform/variables.tf | 6 ++++++ 2 files changed, 7 insertions(+) diff --git a/scenarios/aca-internal/terraform/main.tf b/scenarios/aca-internal/terraform/main.tf index 46e5b60e..62d3cbec 100644 --- a/scenarios/aca-internal/terraform/main.tf +++ b/scenarios/aca-internal/terraform/main.tf @@ -35,6 +35,7 @@ module "spoke" { jumpboxSubnetAddressPrefix = var.vmJumpBoxSubnetAddressPrefix firewallPrivateIp = module.hub.firewallPrivateIp tags = var.tags + routeSpokeTrafficInternally = var.routeSpokeTrafficInternally } module "supportingServices" { diff --git a/scenarios/aca-internal/terraform/variables.tf b/scenarios/aca-internal/terraform/variables.tf index 797cb04b..e8ec58c5 100644 --- a/scenarios/aca-internal/terraform/variables.tf +++ b/scenarios/aca-internal/terraform/variables.tf @@ -304,4 +304,10 @@ variable "workloadProfiles" { minimum_count = number maximum_count = number })) +} + +variable "routeSpokeTrafficInternally" { + type = bool + default = false + description = "Optional, default value is false. If true, the spoke network will route spoke-internal traffic within the spoke network. If false, traffic will be sent to the hub network." } \ No newline at end of file From 23afdc800ac357fe6da1ee29cd6d35169e08357b Mon Sep 17 00:00:00 2001 From: Simon Kurtz Date: Thu, 14 Nov 2024 07:34:47 -0500 Subject: [PATCH 5/7] Add routeSpokeTrafficInternally to Portal Network parameters --- .../azure-resource-manager/main-portal-ux.json | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/scenarios/aca-internal/azure-resource-manager/main-portal-ux.json b/scenarios/aca-internal/azure-resource-manager/main-portal-ux.json index 6efb74fc..0167aaeb 100644 --- a/scenarios/aca-internal/azure-resource-manager/main-portal-ux.json +++ b/scenarios/aca-internal/azure-resource-manager/main-portal-ux.json @@ -420,6 +420,22 @@ }, "infoMessages": [], "visible": true + }, + { + "name": "routeSpokeTrafficInternally", + "type": "Microsoft.Common.CheckbBox", + "label": "Route Spoke Traffic Internally", + "subLabel": "", + "defaultValue": false, + "toolTip": "Enable this if you would like to keep traffic that is internal to the spoke (e.g. container app to database) from being routed to the hub. This can significantly alleviate load on components such as hub firewalls and decrease excess traffic.", + "constraints": { + "required": true, + "regex": "", + "validationMessage": "", + "validations": [] + }, + "infoMessages": [], + "visible": true } ] }, From b2a694c3948fb6b64317e63c6f4c87553e425025 Mon Sep 17 00:00:00 2001 From: Simon Kurtz Date: Thu, 5 Dec 2024 14:54:37 -0600 Subject: [PATCH 6/7] Add internal routes for all VNet prefixes --- .../bicep/modules/02-spoke/deploy.spoke.bicep | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/scenarios/aca-internal/bicep/modules/02-spoke/deploy.spoke.bicep b/scenarios/aca-internal/bicep/modules/02-spoke/deploy.spoke.bicep index 2b2c9556..94df6249 100644 --- a/scenarios/aca-internal/bicep/modules/02-spoke/deploy.spoke.bicep +++ b/scenarios/aca-internal/bicep/modules/02-spoke/deploy.spoke.bicep @@ -320,15 +320,15 @@ module egressLockdownUdr '../../../../shared/bicep/routeTables/main.bicep' = if nextHopIpAddress: networkApplianceIpAddress } } - ], routeSpokeTrafficInternally ? [ - { - name: 'spokeInternalTraffic' + ], routeSpokeTrafficInternally ? map(spokeVNetAddressPrefixes, (prefix, i) => + { + name: 'spokeInternalTraffic-${i}' properties: { - addressPrefix: spokeVNetAddressPrefixes[0] + addressPrefix: prefix nextHopType: 'VnetLocal' } } - ] : []) + ) : []) } } From c657829d01a2c18635d83d4cdeb917f69866f0ba Mon Sep 17 00:00:00 2001 From: Simon Kurtz Date: Thu, 5 Dec 2024 15:06:13 -0600 Subject: [PATCH 7/7] Match name to bicep --- scenarios/aca-internal/terraform/modules/02-spoke/main.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scenarios/aca-internal/terraform/modules/02-spoke/main.tf b/scenarios/aca-internal/terraform/modules/02-spoke/main.tf index c13965b0..0afd4d6d 100644 --- a/scenarios/aca-internal/terraform/modules/02-spoke/main.tf +++ b/scenarios/aca-internal/terraform/modules/02-spoke/main.tf @@ -196,8 +196,8 @@ module "routeTable" { nextHopType = "VirtualAppliance" nextHopIpAddress = var.firewallPrivateIp }, - var.routeSpokeTrafficInternally ? [for prefix in var.vnetAddressPrefixes : { - name = "intTraffic-${prefix}" + var.routeSpokeTrafficInternally ? [for i, prefix in var.vnetAddressPrefixes : { + name = "spokeInternalTraffic-${i}" addressPrefix = prefix nextHopType = "VnetLocal" }] : []