Add capability for active-active vnet gateway

Azure · Sep 24, 2024 · 52733e0 · 52733e0
1 parent 80eccf1
commit 52733e0
Show file tree

Hide file tree

Showing 2 changed files with 60 additions and 20 deletions.
diff --git a/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep b/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep
@@ -764,6 +764,26 @@ module modGatewayPublicIp '../publicIp/publicIp.bicep' = [for (gateway, i) in va
   }
 }]
 
+// If the gateway is active-active, create a second public IP
+module modGatewayPublicIpActiveActive '../publicIp/publicIp.bicep' = [for (gateway, i) in varGwConfig: if ((gateway.name != 'noconfigVpn') && (gateway.name != 'noconfigEr') && gateway.activeActive) {
+  name: 'deploy-Gateway-Public-IP-ActiveActive-${i}'
+  params: {
+    parLocation: parLocation
+    parAvailabilityZones: toLower(gateway.gatewayType) == 'expressroute' ? parAzErGatewayAvailabilityZones : toLower(gateway.gatewayType) == 'vpn' ? parAzVpnGatewayAvailabilityZones : []
+    parPublicIpName: '${parPublicIpPrefix}${gateway.name}${parPublicIpSuffix}-aa'
+    parPublicIpProperties: {
+      publicIpAddressVersion: 'IPv4'
+      publicIpAllocationMethod: 'Static'
+    }
+    parPublicIpSku: {
+      name: parPublicIpSku
+    }
+    parResourceLockConfig: (parGlobalResourceLock.kind != 'None') ? parGlobalResourceLock : parVirtualNetworkGatewayLock
+    parTags: parTags
+    parTelemetryOptOut: parTelemetryOptOut
+  }
+}]
+
 //Minumum subnet size is /27 supporting documentation https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsub
 resource resGateway 'Microsoft.Network/virtualNetworkGateways@2023-02-01' = [for (gateway, i) in varGwConfig: if ((gateway.name != 'noconfigVpn') && (gateway.name != 'noconfigEr')) {
   name: gateway.name
@@ -793,23 +813,43 @@ resource resGateway 'Microsoft.Network/virtualNetworkGateways@2023-02-01' = [for
       radiusServerAddress: gateway.vpnClientConfiguration.?radiusServerAddress ?? ''
       radiusServerSecret: gateway.vpnClientConfiguration.?radiusServerSecret ?? ''
     } : null
-    ipConfigurations: [
-      {
-        id: resHubVnet.id
-        name: 'vnetGatewayConfig'
-        properties: {
-          publicIPAddress: {
-            id: (((gateway.name != 'noconfigVpn') && (gateway.name != 'noconfigEr')) ? modGatewayPublicIp[i].outputs.outPublicIpId : 'na')
+
+    ipConfigurations: concat(
+      // Primary IP configuration
+      [
+        {
+          id: resHubVnet.id
+          name: 'vnetGatewayConfig1'
+          properties: {
+            publicIPAddress: {
+              id: modGatewayPublicIp[i].outputs.outPublicIpId // Primary Public IP
+            }
+            subnet: {
+              id: resGatewaySubnetRef.id
+            }
           }
-          subnet: {
-            id: resGatewaySubnetRef.id
+        }
+      ],
+      // Add second IP configuration if activeActive is true
+      gateway.activeActive ? [
+        {
+          id: resHubVnet.id
+          name: 'vnetGatewayConfig2'
+          properties: {
+            publicIPAddress: {
+              id: modGatewayPublicIpActiveActive[i].outputs.outPublicIpId // Secondary Public IP
+            }
+            subnet: {
+              id: resGatewaySubnetRef.id
+            }
           }
         }
-      }
-    ]
+      ] : []
+    )
   }
 }]
 
+
 // Create a Virtual Network Gateway resource lock if gateway.name is not equal to noconfigVpn or noconfigEr and parGlobalResourceLock.kind != 'None' or if parVirtualNetworkGatewayLock.kind != 'None'
 resource resVirtualNetworkGatewayLock 'Microsoft.Authorization/locks@2020-05-01' = [for (gateway, i) in varGwConfig: if ((gateway.name != 'noconfigVpn') && (gateway.name != 'noconfigEr') && (parVirtualNetworkGatewayLock.kind != 'None' || parGlobalResourceLock.kind != 'None')) {
   scope: resGateway[i]

diff --git a/infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.all.json b/infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.all.json
@@ -6,7 +6,7 @@
       "value": "eastus"
     },
     "parCompanyPrefix": {
-      "value": "alz"
+      "value": "test"
     },
     "parHubNetworkName": {
       "value": "alz-hub-eastus"
@@ -55,7 +55,7 @@
       "value": "-PublicIP"
     },
     "parAzBastionEnabled": {
-      "value": true
+      "value": false
     },
     "parAzBastionName": {
       "value": "alz-bastion"
@@ -70,13 +70,13 @@
       "value": "nsg-AzureBastionSubnet"
     },
     "parDdosEnabled": {
-      "value": true
+      "value": false
     },
     "parDdosPlanName": {
       "value": "alz-ddos-plan"
     },
     "parAzFirewallEnabled": {
-      "value": true
+      "value": false
     },
     "parAzFirewallName": {
       "value": "alz-azfw-eastus"
@@ -100,7 +100,7 @@
       "value": []
     },
     "parAzFirewallDnsProxyEnabled": {
-      "value": true
+      "value": false
     },
     "parAzFirewallDnsServers": {
       "value": []
@@ -112,7 +112,7 @@
       "value": false
     },
     "parPrivateDnsZonesEnabled": {
-      "value": true
+      "value": false
     },
     "parPrivateDnsZones": {
       "value": [
@@ -200,7 +200,7 @@
         "vpnType": "RouteBased",
         "generation": "Generation1",
         "enableBgp": false,
-        "activeActive": false,
+        "activeActive": true,
         "enableBgpRouteTranslationForNat": false,
         "enableDnsForwarding": false,
         "bgpPeeringAddress": "",
@@ -213,7 +213,7 @@
       }
     },
     "parExpressRouteGatewayEnabled": {
-      "value": true
+      "value": false
     },
     "parExpressRouteGatewayConfig": {
       "value": {
@@ -223,7 +223,7 @@
         "vpnType": "RouteBased",
         "generation": "None",
         "enableBgp": false,
-        "activeActive": false,
+        "activeActive": true,
         "enableBgpRouteTranslationForNat": false,
         "enableDnsForwarding": false,
         "bgpPeeringAddress": "",