From 7e62f44572c3cc133350a49c4a4fa884faab2973 Mon Sep 17 00:00:00 2001 From: Yasuhiro Handa Date: Wed, 25 Oct 2023 22:41:19 +0900 Subject: [PATCH] update ui on placement of firewall --- workload/arm/deploy-baseline.json | 18 ++--- workload/bicep/deploy-baseline.bicep | 4 +- .../bicep/modules/networking/deploy.bicep | 12 ++-- workload/portal-ui/portal-ui-baseline.json | 68 +++++++++---------- 4 files changed, 51 insertions(+), 51 deletions(-) diff --git a/workload/arm/deploy-baseline.json b/workload/arm/deploy-baseline.json index 11089504e..b89f06b73 100644 --- a/workload/arm/deploy-baseline.json +++ b/workload/arm/deploy-baseline.json @@ -312,7 +312,7 @@ "description": "Does the hub contains a virtual network gateway. (Default: false)" } }, - "deployAvdFirewall": { + "deployFirewall": { "type": "bool", "defaultValue": false, "metadata": { @@ -8037,8 +8037,8 @@ }, "tags": "[if(parameters('createResourceTags'), createObject('value', union(variables('varCustomResourceTags'), variables('varAvdDefaultTags'))), createObject('value', variables('varAvdDefaultTags')))]", "alaWorkspaceResourceId": "[if(parameters('avdDeployMonitoring'), if(parameters('deployAlaWorkspace'), createObject('value', reference(subscriptionResourceId('Microsoft.Resources/deployments', format('Monitoring-{0}', parameters('time'))), '2022-09-01').outputs.avdAlaWorkspaceResourceId.value), createObject('value', parameters('alaExistingWorkspaceResourceId'))), createObject('value', ''))]", - "deployAvdFirewall": { - "value": "[parameters('deployAvdFirewall')]" + "deployFirewall": { + "value": "[parameters('deployFirewall')]" }, "firewallName": { "value": "[variables('varFiwewallName')]" @@ -8179,7 +8179,7 @@ "description": "Create virtual network peering to hub." } }, - "deployAvdFirewall": { + "deployFirewall": { "type": "bool", "metadata": { "description": "Create firewall and firewall policy to hub virtual network." 
@@ -12585,7 +12585,7 @@ ] }, { - "condition": "[parameters('deployAvdFirewall')]", + "condition": "[parameters('deployFirewall')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", "name": "[format('Fw-Policy-{0}', parameters('time'))]", @@ -13027,7 +13027,7 @@ } }, { - "condition": "[parameters('deployAvdFirewall')]", + "condition": "[parameters('deployFirewall')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", "name": "[format('Fw-Policy-Rcg-{0}', parameters('time'))]", @@ -13337,7 +13337,7 @@ ] }, { - "condition": "[parameters('deployAvdFirewall')]", + "condition": "[parameters('deployFirewall')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", "name": "[format('Fw-Policy-Rcg-Optional-{0}', parameters('time'))]", @@ -13657,7 +13657,7 @@ ] }, { - "condition": "[parameters('deployAvdFirewall')]", + "condition": "[parameters('deployFirewall')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", "name": "[format('Fw-Subnet-{0}', parameters('time'))]", @@ -14063,7 +14063,7 @@ } }, { - "condition": "[parameters('deployAvdFirewall')]", + "condition": "[parameters('deployFirewall')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", "name": "[format('Fw-{0}', parameters('time'))]", diff --git a/workload/bicep/deploy-baseline.bicep b/workload/bicep/deploy-baseline.bicep index f0107d5ba..24c396768 100644 --- a/workload/bicep/deploy-baseline.bicep +++ b/workload/bicep/deploy-baseline.bicep @@ -157,7 +157,7 @@ param avdVnetPrivateDnsZoneKeyvaultId string = '' param vNetworkGatewayOnHub bool = false @sys.description('Create Azure Firewall and Azure Firewall Policy. (Default: false)') -param deployAvdFirewall bool = false +param deployFirewall bool = false @sys.description('AzureFirewallSubnet prefixes. (Default: 10.0.2.0/24)') param firewallSubnetAddressPrefix string = '10.0.2.0/24' 
@@ -938,7 +938,7 @@ module networking './modules/networking/deploy.bicep' = if (createAvdVnet || cre dnsServers: varDnsServers tags: createResourceTags ? union(varCustomResourceTags, varAvdDefaultTags) : varAvdDefaultTags alaWorkspaceResourceId: avdDeployMonitoring ? (deployAlaWorkspace ? monitoringDiagnosticSettings.outputs.avdAlaWorkspaceResourceId : alaExistingWorkspaceResourceId) : '' - deployAvdFirewall: deployAvdFirewall + deployFirewall: deployFirewall firewallName: varFiwewallName firewallPolicyName: varFiwewallPolicyName firewallPolicyRuleCollectionGroupName: varFiwewallPolicyRuleCollectionGroupName diff --git a/workload/bicep/modules/networking/deploy.bicep b/workload/bicep/modules/networking/deploy.bicep index a8fd4c8b7..bea41c9b5 100644 --- a/workload/bicep/modules/networking/deploy.bicep +++ b/workload/bicep/modules/networking/deploy.bicep @@ -55,7 +55,7 @@ param remoteVnetPeeringName string param createVnetPeering bool @sys.description('Create firewall and firewall policy to hub virtual network.') -param deployAvdFirewall bool +param deployFirewall bool @sys.description('Firewall name') param firewallName string @@ -437,7 +437,7 @@ module privateDnsZoneKeyVaultGov '.bicep/privateDnsZones.bicep' = if (createPriv } // Firewall policy -module firewallPolicy '../../../../carml/1.3.0/Microsoft.Network/firewallPolicies/deploy.bicep' = if (deployAvdFirewall) { +module firewallPolicy '../../../../carml/1.3.0/Microsoft.Network/firewallPolicies/deploy.bicep' = if (deployFirewall) { scope: resourceGroup('${varExistingHubSubId}', '${varExistingHubSubRgName}') name: 'Fw-Policy-${time}' params: { 
@@ -447,7 +447,7 @@ module firewallPolicy '../../../../carml/1.3.0/Microsoft.Network/firewallPolicie } // Firewall policy rule collection group -module firewallPolicyRuleCollectionGroup '../../../../carml/1.3.0/Microsoft.Network/firewallPolicies/ruleCollectionGroups/deploy.bicep' = if (deployAvdFirewall) { +module firewallPolicyRuleCollectionGroup '../../../../carml/1.3.0/Microsoft.Network/firewallPolicies/ruleCollectionGroups/deploy.bicep' = if (deployFirewall) { scope: resourceGroup('${varExistingHubSubId}', '${varExistingHubSubRgName}') name: 'Fw-Policy-Rcg-${time}' params: { @@ -648,7 +648,7 @@ module firewallPolicyRuleCollectionGroup '../../../../carml/1.3.0/Microsoft.Netw } // Firewall policy optional rule collection group -module firewallPolicyOptionalRuleCollectionGroup '../../../../carml/1.3.0/Microsoft.Network/firewallPolicies/ruleCollectionGroups/deploy.bicep' = if (deployAvdFirewall) { +module firewallPolicyOptionalRuleCollectionGroup '../../../../carml/1.3.0/Microsoft.Network/firewallPolicies/ruleCollectionGroups/deploy.bicep' = if (deployFirewall) { scope: resourceGroup('${varExistingHubSubId}', '${varExistingHubSubRgName}') name: 'Fw-Policy-Rcg-Optional-${time}' params: { @@ -859,7 +859,7 @@ module firewallPolicyOptionalRuleCollectionGroup '../../../../carml/1.3.0/Micros } // Azure Firewall subnet -module hubVirtualNetworkAzureFirewallSubnet '../../../../carml/1.3.0/Microsoft.Network/virtualNetworks/subnets/deploy.bicep' = if (deployAvdFirewall) { +module hubVirtualNetworkAzureFirewallSubnet '../../../../carml/1.3.0/Microsoft.Network/virtualNetworks/subnets/deploy.bicep' = if (deployFirewall) { scope: resourceGroup('${varExistingHubSubId}', '${varExistingHubSubRgName}') name: 'Fw-Subnet-${time}' params: { 
@@ -870,7 +870,7 @@ module hubVirtualNetworkAzureFirewallSubnet '../../../../carml/1.3.0/Microsoft.N } // Azure Firewall -module azureFirewall '../../../../carml/1.3.0/Microsoft.Network/azureFirewalls/deploy.bicep' = if (deployAvdFirewall) { +module azureFirewall '../../../../carml/1.3.0/Microsoft.Network/azureFirewalls/deploy.bicep' = if (deployFirewall) { scope: resourceGroup('${varExistingHubSubId}', '${varExistingHubSubRgName}') name: 'Fw-${time}' params: { diff --git a/workload/portal-ui/portal-ui-baseline.json b/workload/portal-ui/portal-ui-baseline.json index 234b628fc..712095abd 100644 --- a/workload/portal-ui/portal-ui-baseline.json +++ b/workload/portal-ui/portal-ui-baseline.json @@ -1441,15 +1441,24 @@ "label": "Firewall options for AVD deployments", "elements": [ { - "name": "deployAvdFirewall", + "name": "deployFirewall", "type": "Microsoft.Common.CheckBox", "label": "Deploy Azure Firewall", "defaultValue": false, "toolTip": "Create Azure Firewall and Azure Firewall Policy for protection of AVD deployments." }, - { - "name": "avdFirewallSubs", + "name": "firewallVirtualNetworkInfoBox", + "type": "Microsoft.Common.InfoBox", + "visible": "[steps('network').firewallOptions.deployFirewall]", + "options": { + "text": "vNet peering will be created to firewall vNet with access to host pool", + "uri": "https://learn.microsoft.com/azure/firewall/protect-azure-virtual-desktop", + "style": "info" + } + }, + { + "name": "firewallVirtualNetworkSubs", "type": "Microsoft.Solutions.ArmApiControl", "request": { "method": "GET", @@ -1457,10 +1466,10 @@ } }, { - "name": "avdFirewallSub", + "name": "firewallVirtualNetworkSub", "type": "Microsoft.Common.DropDown", - "visible": "[steps('network').firewallOptions.deployAvdFirewall]", - "label": "Firewall Subscription", + "visible": "[steps('network').firewallOptions.deployFirewall]", + "label": "Firewall vNet Subscription", "toolTip": "", "multiselect": false, "selectAll": false, 
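Review bot: The text of the new `firewallVirtualNetworkInfoBox` (hunk at -1441) says only that a peering will be created, which an operator can read as meaning host pool traffic is then filtered. Peering provides reachability; session host egress passes through Azure Firewall only if the AVD subnet has a route table whose default route points at the firewall's private IP. No such route is visible in this patch, though it may exist outside the diff. I would reword it, for example `"text": "A vNet peering to the firewall vNet will be created. Session host traffic is filtered only once the AVD subnet routes through the firewall."`. The `elements` array continues outside the hunk.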
@@ -1468,15 +1477,15 @@ "filterPlaceholder": "Filter items ...", "multiLine": true, "constraints": { - "allowedValues": "[map(steps('network').firewallOptions.avdFirewallSubs.value, (sub) => parse(concat('{\"label\":\"', sub.displayName, '\",\"description\":\"', sub.subscriptionId, '\",\"value\":\"', toLower(sub.subscriptionId), '\"}')) )]", + "allowedValues": "[map(steps('network').firewallOptions.firewallVirtualNetworkSubs.value, (sub) => parse(concat('{\"label\":\"', sub.displayName, '\",\"description\":\"', sub.subscriptionId, '\",\"value\":\"', toLower(sub.subscriptionId), '\"}')) )]", "required": true } }, { - "name": "createAvdFirewallVirtualNetwork", + "name": "createFirewallVirtualNetwork", "type": "Microsoft.Common.OptionsGroup", - "visible": "[steps('network').firewallOptions.deployAvdFirewall]", - "label": "Firewall Virtual network", + "visible": "[steps('network').firewallOptions.deployFirewall]", + "label": "Firewall vNet", "defaultValue": "New", "toolTip": "", "constraints": { @@ -1494,9 +1503,9 @@ } }, { - "name": "avdFirewallVirtualNetworkSize", + "name": "firewallVirtualNetworkSize", "type": "Microsoft.Common.TextBox", - "visible": "[and(steps('network').firewallOptions.deployAvdFirewall, steps('network').firewallOptions.createAvdFirewallVirtualNetwork)]", + "visible": "[and(steps('network').firewallOptions.deployFirewall, steps('network').firewallOptions.createFirewallVirtualNetwork)]", "label": "Firewall vNet address range", "toolTip": "Virtual network CIDR for Azure Firewall", "placeholder": "Example: 10.0.2.0/23", 
@@ -1507,27 +1516,17 @@ } }, { - "name": "existingAvdFirewallVirtualNetworkInfoBox", - "type": "Microsoft.Common.InfoBox", - "visible": "[and(steps('network').firewallOptions.deployAvdFirewall, not(steps('network').firewallOptions.createAvdFirewallVirtualNetwork))]", - "options": { - "text": "Existing network must has connectivity to xxxxxxxxxxxxx.", - "uri": "https://docs.microsoft.com/azure/architecture/example-scenario/wvd/windows-virtual-desktop?context=/azure/virtual-desktop/context/context", - "style": "info" - } - }, - { - "name": "existingAvdFirewallVirtualNetworks", + "name": "existingFirewallVirtualNetworks", "type": "Microsoft.Solutions.ArmApiControl", "request": { "method": "GET", - "path": "[concat('subscriptions/', steps('network').firewallOptions.avdFirewallSub, '/providers/Microsoft.Network/virtualNetworks?api-version=2021-08-01')]" + "path": "[concat('subscriptions/', steps('network').firewallOptions.firewallVirtualNetworkSub, '/providers/Microsoft.Network/virtualNetworks?api-version=2021-08-01')]" } }, { - "name": "existingAvdFirewallbVirtualNetwork", + "name": "existingFirewallVirtualNetwork", "type": "Microsoft.Common.DropDown", - "visible": "[and(steps('network').firewallOptions.deployAvdFirewall, not(steps('network').firewallOptions.createAvdFirewallVirtualNetwork))]", + "visible": "[and(steps('network').firewallOptions.deployFirewall, not(steps('network').firewallOptions.createFirewallVirtualNetwork))]", "label": "Firewall virtual network", "toolTip": "", "multiselect": false, 
@@ -1536,16 +1535,17 @@ "filterPlaceholder": "Filter items ...", "multiLine": true, "constraints": { - "allowedValues": "[map(steps('network').firewallOptions.existingAvdFirewallVirtualNetworks.value, (vnet) => parse(concat('{\"label\":\"', vnet.name, '\",\"description\":\"', vnet.location, '\",\"value\":\"', toLower(vnet.id), '\"}')) )]", + "allowedValues": "[map(steps('network').firewallOptions.existingFirewallVirtualNetworks.value, (vnet) => parse(concat('{\"label\":\"', vnet.name, '\",\"description\":\"', vnet.location, '\",\"value\":\"', toLower(vnet.id), '\"}')) )]", "required": true } }, { - "name": "avdFirewallVirtualNetworkAvdSubnetSize", + "name": "firewallVirtualNetworkSubnetSize", "type": "Microsoft.Common.TextBox", - "visible": "[steps('network').firewallOptions.deployAvdFirewall]", + "visible": "[steps('network').firewallOptions.deployFirewall]", "label": "Firewall subnet address prefix", "toolTip": "Virtual network subnet CIDR for Azure Firewall (AzureFirewallSubnet)", + "uri": "https://learn.microsoft.com/azure/firewall/tutorial-firewall-deploy-portal#create-a-vnet", "placeholder": "Example: 10.0.2.0/24", "constraints": { "required": true, @@ -1554,11 +1554,11 @@ } }, { - "name": "firewallInfoBox", + "name": "firewallVirtualNetworkInfoBox2", "type": "Microsoft.Common.InfoBox", - "visible": "[steps('network').firewallOptions.deployAvdFirewall]", + "visible": "[steps('network').firewallOptions.deployFirewall]", "options": { - "text": "Azure Firewall, Azure Firewall Policy, and Azure Firewall subnet will be created in the existing vNet hub for protection of AVD deployments.", + "text": "Azure Firewall, Azure Firewall Policy, and Azure Firewall subnet will be created in the vNet for protection of AVD deployments.", "uri": "https://learn.microsoft.com/azure/firewall/protect-azure-virtual-desktop", "style": "info" } 
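Review bot: The `"uri"` line added to `firewallVirtualNetworkSubnetSize` (hunk at -1536) is not a property of `Microsoft.Common.TextBox`; in this file links are carried in an InfoBox's `options.uri`. The portal will most likely ignore it, so the operator never sees the guidance on sizing AzureFirewallSubnet. I would drop the line and put the link in the tooltip instead: `"toolTip": "Virtual network subnet CIDR for Azure Firewall (AzureFirewallSubnet). See https://learn.microsoft.com/azure/firewall/tutorial-firewall-deploy-portal#create-a-vnet"`. The rest of the element's `constraints` block lies outside the hunk.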
@@ -2449,8 +2449,8 @@ "vNetworkGatewayOnHub": "[if(equals(steps('network').createAvdVirtualNetwork, true), steps('network').hubVirtualNetworkPeering.hubVirtualNetworkGateway, false)]", "existingVnetAvdSubnetResourceId": "[if(equals(steps('network').createAvdVirtualNetwork, false), steps('network').virtualNetworkAvdSubnetSelectorName, 'no')]", "existingVnetPrivateEndpointSubnetResourceId": "[if(equals(steps('network').createAvdVirtualNetwork, false), steps('network').virtualNetworkPrivateEndpointSubnetSelectorName, 'no')]", - "deployAvdFirewall": "[steps('network').firewallOptions.deployAvdFirewall]", - "firewallSubnetAddressPrefix": "[if(equals(steps('network').firewallOptions.deployAvdFirewall, true), steps('network').firewallOptions.avdFirewallVirtualNetworkAvdSubnetSize, '10.0.2.0/24')]", + "deployFirewall": "[steps('network').firewallOptions.deployFirewall]", + "firewallSubnetAddressPrefix": "[if(equals(steps('network').firewallOptions.deployFirewall, true), steps('network').firewallOptions.firewallVirtualNetworkSubnetSize, '10.0.2.0/24')]", "avdDeploySessionHosts": "[steps('sessionHosts').deploySessionHosts]", "avdStartVmOnConnect": "[if(equals(steps('managementPlane').managementPlaneHostPoolSettings.hostPoolType, 'Personal'), steps('managementPlane').managementPlaneHostPoolScaling.startVmOnConnect, false)]", "avdDeployScalingPlan": "[if(equals(steps('managementPlane').managementPlaneHostPoolSettings.hostPoolType, 'Pooled'), steps('managementPlane').managementPlaneHostPoolScaling.scalingPlan, false)]",
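Review bot: The outputs in this hunk forward only `deployFirewall` and `firewallSubnetAddressPrefix`, so the values collected by the renamed `firewallVirtualNetworkSub`, `createFirewallVirtualNetwork`, `firewallVirtualNetworkSize` and `existingFirewallVirtualNetwork` controls do not appear to reach the template. In `workload/bicep/modules/networking/deploy.bicep` the firewall modules are still scoped to `resourceGroup('${varExistingHubSubId}', '${varExistingHubSubRgName}')`, so the firewall would land in the existing hub regardless of what the operator picked in the portal. Either map those selections to template parameters or hide the controls until the template honours them, so the UI does not suggest a placement the deployment does not implement. Only part of the `outputs` object is visible here, so confirm the mappings are not defined elsewhere.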