diff --git a/infra-as-code/bicep/modules/hubNetworking/generateddocs/hubNetworking.bicep.md b/infra-as-code/bicep/modules/hubNetworking/generateddocs/hubNetworking.bicep.md
index 44f1b0c64..845ee0c05 100644
--- a/infra-as-code/bicep/modules/hubNetworking/generateddocs/hubNetworking.bicep.md
+++ b/infra-as-code/bicep/modules/hubNetworking/generateddocs/hubNetworking.bicep.md
@@ -30,6 +30,8 @@ parAzFirewallEnabled | No | Switch to enable/disable Azure Firewall deploy
 parAzFirewallName | No | Azure Firewall Name.
 parAzFirewallPoliciesEnabled | No | Set this to true for the initial deployment as one firewall policy is required. Set this to false in subsequent deployments if using custom policies.
 parAzFirewallPoliciesName | No | Azure Firewall Policies Name.
+parAzFirewallPoliciesAutoLearn | No | The operation mode for automatically learning private ranges to not be SNAT.
+parAzFirewallPoliciesPrivateRanges | No | Private IP addresses/IP ranges to which traffic will not be SNAT.
 parAzFirewallTier | No | Azure Firewall Tier associated with the Firewall to deploy.
 parAzFirewallIntelMode | No | The Azure Firewall Threat Intelligence Mode. If not set, the default value is Alert.
 parAzFirewallCustomPublicIps | No | Optional List of Custom Public IPs, which are assigned to firewalls ipConfigurations.
@@ -269,6 +271,22 @@ Azure Firewall Policies Name.
 - Default value: `[format('{0}-azfwpolicy-{1}', parameters('parCompanyPrefix'), parameters('parLocation'))]`
+### parAzFirewallPoliciesAutoLearn
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+The operation mode for automatically learning private ranges to not be SNAT.
+
+- Default value: `Disabled`
+
+### parAzFirewallPoliciesPrivateRanges
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+Private IP addresses/IP ranges to which traffic will not be SNAT.
+
+- Allowed values: `Disabled`, `Enabled`
+
 ### parAzFirewallTier
 ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
@@ -630,6 +648,12 @@ outBastionNsgName | string |
 "parAzFirewallPoliciesName": {
 "value": "[format('{0}-azfwpolicy-{1}', parameters('parCompanyPrefix'), parameters('parLocation'))]"
 },
+ "parAzFirewallPoliciesAutoLearn": {
+ "value": "Disabled"
+ },
+ "parAzFirewallPoliciesPrivateRanges": {
+ "value": []
+ },
 "parAzFirewallTier": {
 "value": "Standard"
 },
diff --git a/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep b/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep
index 88eec9362..839b2a404 100644
--- a/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep
+++ b/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep
@@ -49,6 +49,7 @@ param parGlobalResourceLock lockType = {
 notes: 'This lock was created by the ALZ Bicep Hub Networking Module.'
 }
+
 @sys.description('The IP address range for Hub Network.')
 param parHubNetworkAddressPrefix string = '10.10.0.0/16'
@@ -166,6 +167,18 @@ param parAzFirewallPoliciesEnabled bool = true
 @sys.description('Azure Firewall Policies Name.')
 param parAzFirewallPoliciesName string = '${parCompanyPrefix}-azfwpolicy-${parLocation}'
+@description('The operation mode for automatically learning private ranges to not be SNAT.')
+param parAzFirewallPoliciesAutoLearn string = 'Disabled'
+@allowed([
+ 'Disabled'
+ 'Enabled'
+])
+
+@description('Private IP addresses/IP ranges to which traffic will not be SNAT.')
+param parAzFirewallPoliciesPrivateRanges array = []
+
+@sys.description('Private IP addresses/IP ranges to which traffic will not be SNAT.')
+
 @sys.description('Azure Firewall Tier associated with the Firewall to deploy.')
 @allowed([
 'Basic'
@@ -863,6 +876,12 @@ resource resFirewallPolicies 'Microsoft.Network/firewallPolicies@2023-02-01' = i
 sku: {
 tier: parAzFirewallTier
 }
+ snat: !empty(parAzFirewallPoliciesPrivateRanges)
+ ? {
+ autoLearnPrivateRanges: parAzFirewallPoliciesAutoLearn
+ privateRanges: parAzFirewallPoliciesPrivateRanges
+ }
+ : null
 threatIntelMode: 'Alert'
 } : {
 dnsSettings: {
diff --git a/infra-as-code/bicep/modules/vwanConnectivity/generateddocs/vwanConnectivity.bicep.md b/infra-as-code/bicep/modules/vwanConnectivity/generateddocs/vwanConnectivity.bicep.md
index 8dcc9a066..c4046009d 100644
--- a/infra-as-code/bicep/modules/vwanConnectivity/generateddocs/vwanConnectivity.bicep.md
+++ b/infra-as-code/bicep/modules/vwanConnectivity/generateddocs/vwanConnectivity.bicep.md
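Review bot: The `@allowed([ 'Disabled' 'Enabled' ])` decorator is placed after `param parAzFirewallPoliciesAutoLearn string = 'Disabled'` instead of before it, so it does not constrain that parameter; Bicep decorators bind to the declaration that follows, which here is `param parAzFirewallPoliciesPrivateRanges array = []`, and the generated docs in this same commit show exactly that by listing "Allowed values: Disabled, Enabled" under PrivateRanges. The effect is that AutoLearn accepts any string (a typo is only caught at deployment, if at all) while the ranges array is restricted to values it should never hold. The stray `@sys.description('Private IP addresses/IP ranges to which traffic will not be SNAT.')` that sits alone before the Tier parameter's own description should be dropped, since it would attach to `parAzFirewallTier` and duplicate the description that parameter already carries. The new parameters also use `@description` where the rest of this file uses `@sys.description`; the reordered declarations below fix all three points.
```bicep
@sys.description('The operation mode for automatically learning private ranges to not be SNAT.')
@allowed([
  'Disabled'
  'Enabled'
])
param parAzFirewallPoliciesAutoLearn string = 'Disabled'

@sys.description('Private IP addresses/IP ranges to which traffic will not be SNAT.')
param parAzFirewallPoliciesPrivateRanges array = []
```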
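Review bot: The `snat` block is only emitted when `parAzFirewallPoliciesPrivateRanges` is non-empty, so a deployment that sets `parAzFirewallPoliciesAutoLearn` to `'Enabled'` but leaves the ranges list at its default `[]` silently gets no SNAT configuration at all, and nothing in the parameter description warns about this coupling. The guard should also consider auto-learn, e.g. `snat: (!empty(parAzFirewallPoliciesPrivateRanges) || parAzFirewallPoliciesAutoLearn == 'Enabled') ? { autoLearnPrivateRanges: parAzFirewallPoliciesAutoLearn, privateRanges: parAzFirewallPoliciesPrivateRanges } : null`. Separately, the `privateRanges` entries are passed through with no validation, and every range listed is exempted from SNAT, so an over-broad entry would presumably expose workload source addresses to more destinations than intended; a comment on the `privateRanges` line such as `// Ranges listed here bypass SNAT; keep to private address space` would help operators. The `resFirewallPolicies` resource declaration begins before this hunk.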
@@ -22,6 +22,8 @@ parVpnGatewayName | No | VPN Gateway Name.
 parExpressRouteGatewayName | No | ExpressRoute Gateway Name.
 parAzFirewallName | No | Azure Firewall Name.
 parAzFirewallPoliciesName | No | Azure Firewall Policies Name.
+parAzFirewallPoliciesAutoLearn | No | The operation mode for automatically learning private ranges to not be SNAT.
+parAzFirewallPoliciesPrivateRanges | No | Private IP addresses/IP ranges to which traffic will not be SNAT.
 parAzureFirewallLock | No | Resource Lock Configuration for Azure Firewall. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock.
 parVpnGatewayScaleUnit | No | The scale unit for this VPN Gateway.
 parExpressRouteGatewayScaleUnit | No | The scale unit for this ExpressRoute Gateway.
@@ -200,6 +202,22 @@ Azure Firewall Policies Name.
 - Default value: `[format('{0}-azfwpolicy', parameters('parCompanyPrefix'))]`
+### parAzFirewallPoliciesAutoLearn
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+The operation mode for automatically learning private ranges to not be SNAT.
+
+- Default value: `Disabled`
+
+### parAzFirewallPoliciesPrivateRanges
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+Private IP addresses/IP ranges to which traffic will not be SNAT.
+
+- Allowed values: `Disabled`, `Enabled`
+
 ### parAzureFirewallLock
 ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
@@ -433,6 +451,12 @@ outAzFwPrivateIps | array |
 "parAzFirewallPoliciesName": {
 "value": "[format('{0}-azfwpolicy', parameters('parCompanyPrefix'))]"
 },
+ "parAzFirewallPoliciesAutoLearn": {
+ "value": "Disabled"
+ },
+ "parAzFirewallPoliciesPrivateRanges": {
+ "value": []
+ },
 "parAzureFirewallLock": {
 "value": {
 "kind": "None",
diff --git a/infra-as-code/bicep/modules/vwanConnectivity/vwanConnectivity.bicep b/infra-as-code/bicep/modules/vwanConnectivity/vwanConnectivity.bicep
index cee3c6b56..ef8ff1baa 100644
--- a/infra-as-code/bicep/modules/vwanConnectivity/vwanConnectivity.bicep
+++ b/infra-as-code/bicep/modules/vwanConnectivity/vwanConnectivity.bicep
@@ -187,6 +187,16 @@ param parAzFirewallName string = '${parCompanyPrefix}-fw'
 @sys.description('Azure Firewall Policies Name.')
 param parAzFirewallPoliciesName string = '${parCompanyPrefix}-azfwpolicy'
+@description('The operation mode for automatically learning private ranges to not be SNAT.')
+param parAzFirewallPoliciesAutoLearn string = 'Disabled'
+@allowed([
+ 'Disabled'
+ 'Enabled'
+])
+
+@description('Private IP addresses/IP ranges to which traffic will not be SNAT.')
+param parAzFirewallPoliciesPrivateRanges array = []
+
 @sys.description('''Resource Lock Configuration for Azure Firewall.
 - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None.
@@ -487,6 +497,12 @@ resource resFirewallPolicies 'Microsoft.Network/firewallPolicies@2023-02-01' = [
 sku: {
 tier: hub.parAzFirewallTier
 }
+ snat: !empty(parAzFirewallPoliciesPrivateRanges)
+ ? {
+ autoLearnPrivateRanges: parAzFirewallPoliciesAutoLearn
+ privateRanges: parAzFirewallPoliciesPrivateRanges
+ }
+ : null
 threatIntelMode: 'Alert'
 } : {
 dnsSettings: {
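Review bot: In this hunk the `@allowed([ 'Disabled' 'Enabled' ])` decorator comes after `param parAzFirewallPoliciesAutoLearn string = 'Disabled'`, so it is not applied to that parameter; it binds to the next declaration, `param parAzFirewallPoliciesPrivateRanges array = []`, which is why the generated vwanConnectivity docs in this commit list the allowed values under PrivateRanges. AutoLearn therefore accepts arbitrary strings and the ranges array is constrained to two string literals it should never contain. Moving the decorator above the parameter it is meant for, and using `@sys.description` like the surrounding declarations, resolves both issues.
```bicep
@sys.description('The operation mode for automatically learning private ranges to not be SNAT.')
@allowed([
  'Disabled'
  'Enabled'
])
param parAzFirewallPoliciesAutoLearn string = 'Disabled'

@sys.description('Private IP addresses/IP ranges to which traffic will not be SNAT.')
param parAzFirewallPoliciesPrivateRanges array = []
```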
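Review bot: Because `snat` is conditioned solely on `!empty(parAzFirewallPoliciesPrivateRanges)`, setting `parAzFirewallPoliciesAutoLearn` to `'Enabled'` with the default empty ranges list has no effect on the deployed policy, and the caller gets no error or warning. Widening the condition to `snat: (!empty(parAzFirewallPoliciesPrivateRanges) || parAzFirewallPoliciesAutoLearn == 'Enabled') ? { ... } : null` makes the auto-learn switch honored on its own. Since every listed range is exempted from SNAT, a short comment on the `privateRanges` line, such as `// Ranges listed here are not SNATed; restrict to private address space`, would make the operational impact of an over-broad entry explicit. This hunk sits inside the `resFirewallPolicies` loop whose declaration begins before it.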