This sample show how to deploy a hub-spoke topology in Azure using the Azure Firewall. The hub virtual network acts as a central point of connectivity to many spoke virtual networks that are connected to hub virtual network via virtual network peering.
This Azure Resource Manager (ARM) template was created by a member of the community and not by Microsoft. Each ARM template is licensed to you under a licence agreement by its owner, not Microsoft. Microsoft is not responsible for ARM templates provided and licensed by community members and does not screen for security, compatibility or performance. Community ARM templates are not supported under any Microsoft support programme or service and are made available AS IS without warranty of any kind.
Parameters
| Parameter Name | Description |
|---|---|
| adlsStorageAccountName | Specifies the globally unique DNS Name for the ADLS Gen 2 storage account. |
| blobStorageAccountName | Specifies the globally unique name for the storage account used to store the test file system and the boot diagnostics logs of the virtual machines. |
| adlsStorageAccountNetworkAclsDefaultAction | Specifies the default action of allow or deny when no other rules match for the ADLS storage account. |
| blobStorageAccountNetworkAclsDefaultAction | Allow or disallow public access to all blobs or containers in the Blob storage account. The default interpretation is true for this property. |
| adlsStorageAccountAllowBlobPublicAccess | Allow or disallow public access to all blobs or containers in the ADLS storage account. The default interpretation is true for this property. |
| blobStorageAccountAllowBlobPublicAccess | Allow or disallow public access to all blobs or containers in the Blob storage account. The default interpretation is true for this property. |
| deployCustomDnsForwarder | Specify whether deploy a custom DNS forwarder in the Hub Virtual Network. Default value is false. |
| dnsAvailabilitySetName | Name of the Availability Set used by the DNS virtual machine. |
| dnsVmName | Specifies the name of the DNS virtual machine. |
| devVmName | Specifies the name of the virtual machine in the Development Virtual Network. |
| prodVmName | Specifies the name of the virtual machine in the Production Virtual Network. |
| vmSize | Specifies the size of the virtual machine. |
| imagePublisher | Specifies the image publisher of the disk image used to create the virtual machine. |
| imageOffer | Specifies the offer of the platform image or marketplace image used to create the virtual machine. |
| imageSku | Specifies the Ubuntu version for the VM. This will pick a fully patched image of this given Ubuntu version. |
| authenticationType | Specifies the type of authentication when accessing the Virtual Machine. SSH key is recommended. |
| adminUsername | Specifies the name of the administrator account of the virtual machine. |
| adminPasswordOrKey | Specifies the SSH Key or password for the virtual machine. SSH key is recommended. |
| diskStorageAccounType | Defines the storage account type for OS and data disk. |
| numDataDisks | Specifies the number of data disks of the virtual machine. |
| osDiskSize | The size in GB of the OS disk of the VM. |
| dataDiskSize | Specifies the size in GB of the OS disk of the virtual machine. |
| dataDiskCaching | Specifies the caching requirements for the data disks. |
| _artifactsLocation | Specifies the base URI where artifacts required by this template are located including a trailing '/' |
| _artifactsLocationSasToken | Specifies the sasToken required to access _artifactsLocation. When the template is deployed using the accompanying scripts, a sasToken will be automatically generated. Use the defaultValue if the staging location is not secured. |
| adlsStorageAccountAdlsPrivateEndpointName | Specifies the name of the adls private endpoint to the adls storage account. |
| adlsStorageAccountBlobPrivateEndpointName | Specifies the name of the blob private endpoint to the adls storage account. |
| blobStorageAccountBlobPrivateEndpointName | Specifies the name of the blob private endpoint to the boot diagnostics storage account. |
| privateDnsZoneName | Private DNS Zone name. |
| workspaceName | the name of the Log Analytics workspace. |
| workspaceSku | The sku of the Log Analytics workspace. |
| firewallName | The name of the Azure Firewall. |
| firewallAvailabilityZones | Zone numbers e.g. 1,2,3. |
| numberOfFirewallPublicIPAddresses | Number of public IP addresses for the Azure Firewall |
| createDnatRuleCollection | Specifies whether create DNAT rule collection in the Azure Firewall policy or not. |
| deployVpnGateway | Specifies whether deploy a VPN Gateway in the Hub or not. |
| gatewaySku | The SKU of the Gateway, if deployed |
| gatewayType | The type of this virtual network gateway. - Vpn or ExpressRoute |
| vpnType | The type of this virtual network gateway. - PolicyBased or RouteBased |
| enableBgp | Whether BGP is enabled for this virtual network gateway or not. |
| location | Location for all resources. |
| hubVnetName | (no description available) |
| hubVnetAddressPrefix | (no description available) |
| hubVnetFirewallSubnetName | The name of the Firewall subnet. |
| hubVnetFirewallSubnetPrefix | The address prefix of the Firewall subnet. |
| hubVnetCommonSubnetName | The name of the Management subnet. |
| hubVnetCommonSubnetPrefix | The address prefix of the Management subnet. |
| hubVnetGatewaySubnetName | The name of the Development Virtual Network. |
| hubVnetGatewaySubnetPrefix | The address prefix of the Gateway subnet. |
| gatewayName | The name of gateway. |
| devVnetName | The name of the Development Virtual Network. |
| devVnetAddressPrefix | The address prefix of the Development Virtual Network. |
| prodVnetName | The name of the Production Virtual Network. |
| prodVnetAddressPrefix | The address prefix of the Production Virtual Network. |
| devVnetDefaultSubnetName | The name of the Workload subnet. |
| devVNetDefaultSubnetPrefix | The address prefix of the Workload subnet in the Development Virtual Network. |
| prodVnetDefaultSubnetName | The name of the Workload subnet. |
| prodVNetDefaultSubnetPrefix | The address prefix of the Workload subnet in the Production Virtual Network. |
| hubVnetBastionSubnetPrefix | Specifies the Bastion subnet IP prefix. This prefix must be within vnet IP prefix address space. |
| bastionHostName | Specifies the name of the Azure Bastion resource. |
| firewallPolicyName | The name of the Firewall Policy uased by the Azure Firewall |
Use the template
PowerShell
New-AzResourceGroup -Name <resource-group-name> -Location <resource-group-location> #use this command when you need to create a new resource group for your deploymentInstall and configure Azure PowerShell
New-AzResourceGroupDeployment -ResourceGroupName <resource-group-name> -TemplateUri https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/quickstarts/microsoft.network/azure-firewall-dns-proxy/azuredeploy.json
Command line
az group create --name <resource-group-name> --location <resource-group-location> #use this command when you need to create a new resource group for your deploymentInstall and Configure the Azure Cross-Platform Command-Line Interface
az group deployment create --resource-group <my-resource-group> --template-uri https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/quickstarts/microsoft.network/azure-firewall-dns-proxy/azuredeploy.json