diff --git a/_sidebar.md b/_sidebar.md index b82e8424..f21f72eb 100644 --- a/_sidebar.md +++ b/_sidebar.md @@ -8,6 +8,7 @@ * [Build Pipeline](/dashboard/installation/dashboard-buildpipeline.md) * [Release Pipeline :rocket:](/dashboard/installation/dashboard-releasepipeline.md) * [Migration Guide](/dashboard/installation/dashboard-migration.md) + * [VNET Support](/dashboard/installation/dashboard-vnet.md) * [Azure Active Directory Setup](/dashboard/azureADSetup.md) * [Group Management Azure Setup](/dashboard/groupmanagement.md) * Frontend Documentation diff --git a/dashboard/installation/dashboard-releasepipeline.md b/dashboard/installation/dashboard-releasepipeline.md index 7bacba80..6417c5fc 100644 --- a/dashboard/installation/dashboard-releasepipeline.md +++ b/dashboard/installation/dashboard-releasepipeline.md @@ -16,7 +16,7 @@ Make sure the Project Collection Build Service has Administrator access to these ## YAML Release Pipeline Add the files and folders from [this](pipelines) location to your DevOps repo. -This contains an example YAML pipeline to release the Invictus for Azure Dashboard, change the [dashboard.release.yaml](https://github.com/invictus-integration/docs-ifa/blob/v2-documentation/dashboard/installation/pipelines/dashboard.release.yaml) file according to your needs, for example change the needed environments and change the name of the build pipeline trigger: +This contains an example YAML pipeline to release the Invictus for Azure Dashboard, change the [dashboard.release.yaml](https://github.com/invictus-integration/docs-ifa/blob/master/dashboard/installation/pipelines/dashboard.release.yaml) file according to your needs, for example change the needed environments and change the name of the build pipeline trigger: ``` yaml resources: pipelines: 
@@ -29,11 +29,11 @@ resources: **Make sure to replace the `azureSubscription` value with the name of your serviceconnection as this value cannot be parameterized** -Also make sure to change the ARM template parameters. In these example files we are deploying to DEV, TST and ACC using a `B1` service plan SKU and a `P1V2` service plan SKU to PRD. Make sure to change and parameterize this according to your needs. +Also make sure to change the Bicep template parameters. In these example files we are deploying to DEV, TST and ACC using a `B1` service plan SKU and a `P1V2` service plan SKU to PRD. Make sure to change and parameterize this according to your needs. -If you need to overwrite more ARM Template parameters make sure to add this to the `deployScriptParameters`. A complete list of ARM Template parameters can be found [here](#ARM-Template-Parameters). +If you need to overwrite more Bicep Template parameters make sure to add this to the `deployScriptParameters`. A complete list of Bicep Template parameters can be found [here](#Bicep-Template-Parameters). -Afterwards add the [dashboard.release.yaml](https://github.com/invictus-integration/docs-ifa/blob/v2-documentation/dashboard/installation/pipelines/dashboard.release.yaml) in your DevOps environment as a pipeline. +Afterwards add the [dashboard.release.yaml](https://github.com/invictus-integration/docs-ifa/blob/master/dashboard/installation/pipelines/dashboard.release.yaml) in your DevOps environment as a pipeline. ## Classic Release Pipeline Create a new release pipeline, starting with an empty template, with this naming: `{prefix}.Invictus.Dashboard`. 
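Review bot: the in-page link `[here](#Bicep-Template-Parameters)` keeps the mixed-case anchor style of the old `#ARM-Template-Parameters`, while the heading slug docsify and GitHub generate is lowercase and the new VNET page links `dashboard-releasepipeline.md#vnet-specific-parameters` in lowercase; use `#bicep-template-parameters` here so both pages follow one convention and the anchor resolves in docsify.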
@@ -60,7 +60,7 @@ Add an Azure PowerShell task to each stage. This task will take care of the foll - Get the keyvault access policies, so they are preserved in consequent deployments. - Stop any datafactory triggers related to the framework. -- ARM deployment. +- Bicep deployment. - Start any datafactory triggers. - Deployment of the dashboard. - Deployment of the import job. @@ -147,9 +147,9 @@ Always evaluate your application's needs and monitor performance to ensure the c |WorkflowEvent|2000|Yes| -## ARM Template Parameters +## Bicep Template Parameters -The below table lists the parameters accepted by the ARM template. +The below table lists the parameters accepted by the Bicep template. |Parameter Name|Required|Default Value|Description| | --- | :---: | --- | --- | 
@@ -169,18 +169,21 @@ The below table lists the parameters accepted by the ARM template. |JWTSecretToken|No|Random 40 character string|JWT Secret used for login| |appInsightsName|No|invictus-{resourcePrefix}-appins|Name for the Application Insights resource| |serviceBusNamespaceName|No|invictus-{resourcePrefix}-sbs|Name for the Service Bus Namespace resource| +|serviceBusSkuName|No|Standard or Premium if VNET enabled|Name for the Service Bus SKU| |keyVaultName|No|invictus-{resourcePrefix}-vlt|Name for the Key Vault Service Namespace resource| -|servicePlanName|No|invictus-{resourcePrefix}-appplan|Name for the service plan which will host the APIs| +|keyVaultEnablePurgeProtection|No|null|If true, enables key vault purge protection. Once enabled, this property can never be disabled.| +|servicePlanName|No|invictus-{resourcePrefix}-appplan-linux|Name for the service plan which will host the APIs| |storageAccountName|No|invictus{resourcePrefix}store|Name for the Azure Storage resource. Any dashes (-) will be removed from {resourcePrefix}| |storageAccountType|No|Standard_LRS|The Storage account StorageAccountSkuType| |servicePlanSkuName|No|S1|Size for the App Plan, the value of "I1" needs to be passed to install an isolated plan.| |servicePlanSkuCapacity|No|1|The SKU capacity setting  for the App Plan| |eventHubNamespaceName|No|invictus-{resourcePrefix}-evnm|Name for the Event Hub Namespace resource| |eventHubName|No|invictus-{resourcePrefix}-evhb|Name for the Event Hub created on the Namespace| -|autoscaleForPlanName|No|invictus-{resourcePrefix}-CPU-RAM-Autoscale|Name for the autoscale function| +|eventHubNameV2|No|invictus-{resourcePrefix}-evhb-v2|Name for the Event Hub for standard LA's created on the Namespace| +|autoscaleForPlanName|No|invictus-{resourcePrefix}-CPU-RAM-Autoscale-linux|Name of the autoscale rules for linux app plan| |minPlanInstanceAutoScale|No|1|The minimum number of instances for the AutoScale function| |maxPlanInstanceAutoScale|No|5|The maximum 
number of instances for the AutoScale function| -|consumptionPlanName|No|invictus-{resourcePrefix}-consumptionplan|Name of consumption app plan used for ImportJob| +|consumptionPlanName|No|invictus-{resourcePrefix}-consumptionplan|Name of consumption app plan used for all functions| |eventHubSkuName|No|Basic|The SKU name of the EventHub Namespace| |eventHubSkuTier|No|Basic|The Tier name for the EventHub Namespace| |eventHubSkuCapacity|No|1|The SKU capacity for the EventHub Namespace| 
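Review bot: an existing environment that relied on the default `servicePlanName` will get a second plan on its next release, because the default moves from `invictus-{resourcePrefix}-appplan` to `invictus-{resourcePrefix}-appplan-linux` (and `autoscaleForPlanName` gains a `-linux` suffix); say in this table or in the migration guide whether the old plan and autoscale setting are removed or must be deleted by hand. For `serviceBusSkuName`, replace the ambiguous "Standard or Premium if VNET enabled" with a statement that Premium is required for the VNET case, since Service Bus network rules and private endpoints exist only on the Premium tier, and mention the cost difference. For `keyVaultEnablePurgeProtection`, the default `null` leaves purge protection off; recommend `true` for production, given the description already warns the setting cannot be reverted.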
@@ -223,14 +226,27 @@ The below table lists the parameters accepted by the ARM template. |dataCleanupMaxProcessingRows|No|5000|Maximum nr of rows to cleanup| |accessPolicies|No|[]|A list of Azure Key vault access policies| |logicAppsImportJobErrorFilters|No|actionfailed|error filter for the import job| -|enableVnetSupport|No|0|this value is used for conditions within the ARM template to switch between non VNET and VNET installation. The parameters below are ignored if this value is set to 0| -|vnetName|No| |The name of the VNET on Azure| -|vnetResourceGroupName|No| |The name of the resource group on Azure where the VNET is located| -|aseName|No| |The name of the ASE on Azure| -|aseResourceGroupName|No| |The name of the resource group on Azure where the ASE is located| -|keyVaultSubnets|No|[]|An array of string. The values need to match the subnet names on the VNET| -|storageAccountSubnets|No|[]|An array of string. The values need to match the subnet names on the VNET| -|serviceBusSubnets|No|[]|An array of string. The values need to match the subnet names on the VNET| |invictusDataFactoryReceiverFunctionName|No|invictus-{resourcePrefix}-datafactoryreceiver|Name for Azure Function| -|use32BitWorkerProcess |No|false|If set to true, webapps are deployed as 32bit| +|use32BitWorkerProcess|No|false|If set to true, webapps are deployed as 32bit| +|maxHttpHeaderSizeInBytes|No|24576|Maximum allowed HTTP header size for dashboard requests (in bytes)| +### VNET Specific Parameters + +|Parameter Name|Required for VNET|Default Value|Description| +| --- | :---: | --- | --- | +|enableVnetSupport|Yes|false|Used to toggle VNET functionality on or off| +|vnetResourceGroupName|Yes| |The name of the resource group on Azure where the VNET is located| +|vnetName|Yes| |The name of the VNET resource| +|keyVaultSubnets|Yes|[]|An array of string. The values need to match the subnet names on the VNET| +|storageAccountSubnets|Yes|[]|An array of string. 
The values need to match the subnet names on the VNET| +|serviceBusSubnets|Yes|[]|An array of string. The values need to match the subnet names on the VNET| +|cosmosDbSubnets|Yes|[]|An array of string. The values need to match the subnet names on the VNET| +|eventHubSubnets|Yes|[]|An array of string. The values need to match the subnet names on the VNET| +|dashboardSubnetName|Yes||The name of the subnet to be used to connect the dashboard resource| +|functionsSubnetName|Yes||The name of the subnet to be used to connect the azure function resources| +|privateEndpointSubnetName|Yes||The name of the subnet to be used to connect the private endpoint resources| +|windowsPlanName|No|invictus-{resourcePrefix}-appplan|The name for the windows plan which the azure functions will run on instead of a consumption plan| +|serviceWindowsPlanSkuName|No|S1|Name of the Windows App Plan size| +|serviceWindowsPlanSkuCapacity|No|1|The SKU capacity setting  for the Windows App Plan| +|autoscaleForPlanWindows|No|invictus-{resourcePrefix}-CPU-RAM-Autoscale|Name of the autoscale rules for windows app plan| +|isPrivateDashboardVnet|No|false|If true, the Dashboard and DashboardGateway resources will be connected to a private endpoint and not be accessible from a public network.| diff --git a/dashboard/installation/dashboard-vnet.md b/dashboard/installation/dashboard-vnet.md new file mode 100644 index 00000000..93be646c --- /dev/null +++ b/dashboard/installation/dashboard-vnet.md 
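Review bot: the new defaults `windowsPlanName = invictus-{resourcePrefix}-appplan` and `autoscaleForPlanWindows = invictus-{resourcePrefix}-CPU-RAM-Autoscale` are exactly the names the previous `servicePlanName` and `autoscaleForPlanName` defaults produced, so enabling VNET support on an environment deployed with the old defaults will target resources that already exist in a different role; document whether the template reuses them or whether they have to be removed first. Next to `isPrivateDashboardVnet`, state that the default `false` leaves the Dashboard and DashboardGateway reachable from the public internet even with `enableVnetSupport` set to true, so an internal-only dashboard needs this set explicitly. Since `enableVnetSupport` changes from `0` to `false`, confirm the deploy script still accepts the numeric form for pipelines that already pass `-enableVnetSupport 0`.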
@@ -0,0 +1,51 @@ +# Invictus Dashboard VNET Support + +Invictus includes functionality which allows all its resources to run within an Azure Virtual Network (VNET). This document will guide you through this process. + +## Prerequisites + +- An Azure Virtual Network + - Including three subnets, one each for: + - Private Endpoints + - Dashboard + - Functions + - The subnets must have the following services enabled + - Microsoft.AzureCosmosDB + - Microsoft.EventHub + - Microsoft.KeyVault + - Microsoft.ServiceBus + - Microsoft.Storage + - Microsoft.Web +- 10 Private DNS Zones + - privatelink.azurecr.io + - privatelink.azurewebsites.net + - privatelink.blob.core.windows.net + - privatelink.file.core.windows.net + - privatelink.mongo.cosmos.azure.com + - privatelink.queue.core.windows.net + - privatelink.servicebus.windows.net + - privatelink.table.core.windows.net + - privatelink.table.cosmos.azure.com + - privatelink.vaultcore.azure.net + + A Bicep template for these DNS Zones can be found [here](scripts/invictusVnetDNSZones.bicep) + +- To be able to deploy the app code from an Azure DevOps pipeline you will need: + - A self hosted agent running on the same VNET with the following software intalled: + - Powershell + - Azure Powershell + - Bicep CLI + +## Role Assignment + +If the Invictus resources and the VNET are on different resource groups, then the Invictus resource group will need to be assigned the role of `Network Contributor` onto the VNET resource group. + +## Release Pipeline Changes + +The release pipeline remains the same as explained [here](dashboard-releasepipeline.md), but with a set of VNET specific parameters. The `enableVnetSupport` parameter must be set to `$true` to enable the functionality. The name of the resource group containing the VNET, as well as the VNET name itself must be passed to the `vnetResourceGroupName` and `vnetName` parameters. 
An array containing the names of the desired subnets must be passed to the `keyVaultSubnets`, `storageAccountSubnets`, `serviceBusSubnets`, `cosmosDbSubnets`, `eventHubSubnets` parameters. You will also need to pass the subnet names to connect the dashboard, Azure functions and private endpoints. These parameters are `dashboardSubnetName`, `functionsSubnetName`, `privateEndpointSubnetName`. + +A full list of VNET parameters can be found [here](dashboard-releasepipeline.md#vnet-specific-parameters). + +### Full Deploy Script Parameters Example + + `-ArtifactsPath "$(ArtifactsPath)" -ArtifactsPathScripts "$(ArtifactsPathScripts)" -ResourcePrefix "$(Infra.Environment.ResourcePrefix)" -ResourceGroupName "$(Infra.Environment.ResourceGroup)" -VariableGroupName "Software.Infra.$(Infra.Environment.ShortName)" -ResourceGroupLocation "$(Infra.Environment.Region.Primary)" -devOpsObjectId $(Infra.DevOps.Object.Id) -AzureActiveDirectoryClientId "********-****-****-****-********" -AzureActiveDirectoryTenantId "********-****-****-****-********" -use32BitWorkerProcess $false -AzureActiveDirectoryClientSecret "*************************" -AzureActiveDirectoryAudience "api://********-****-****-****-********" -PerformSqlDataMigration 0 -enableVnetSupport $true -vnetName "invictus-vnet" -vnetResourceGroupName "invictus-vnet" -keyVaultSubnets @("snet-privateendpoints", "snet-invictus", "snet-invictusdashboard") -storageAccountSubnets @("snet-privateendpoints", "snet-invictus", "snet-invictusdashboard") -serviceBusSubnets @("snet-privateendpoints", "snet-invictus", "snet-invictusdashboard") -cosmosDbSubnets @("snet-privateendpoints", "snet-invictus", "snet-invictusdashboard") -eventHubSubnets @("snet-privateendpoints", "snet-invictus", "snet-invictusdashboard") -dashboardSubnetName "snet-invictusdashboard" -functionsSubnetName "snet-invictus" -privateEndpointSubnetName "snet-privateendpoints" -isPrivateDashboardVnet $true` 
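Review bot: the Role Assignment section grants `Network Contributor` to "the Invictus resource group", but Azure roles are assigned to a security principal, not to a resource group; name the identity that needs the permission (the service principal behind the pipeline's `azureSubscription` service connection, which runs the deployment) and the scope. Network Contributor on the whole VNET resource group is also broader than required: App Service VNET integration and private endpoint creation need `Microsoft.Network/virtualNetworks/subnets/join/action` on the three subnets, so a role scoped to the VNET or its subnets is the least-privilege option. Two further points on this file: the Full Deploy Script Parameters example passes `-AzureActiveDirectoryClientSecret "..."` as a literal argument, which would sit in clear text in the pipeline definition and is not masked in job logs the way a secret variable is; point readers at a secret pipeline variable or a Key Vault-linked variable group. Under Prerequisites, "services enabled" on the subnets reads as service endpoints, yet `Microsoft.Web` on the Dashboard and Functions subnets means a delegation to `Microsoft.Web/serverFarms` for regional VNET integration, while the Private Endpoints subnet must not be delegated; spell out which subnets need which. Typo: "intalled".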
diff --git a/dashboard/installation/scripts/invictusVnetDNSZones.bicep b/dashboard/installation/scripts/invictusVnetDNSZones.bicep new file mode 100644 index 00000000..a6105ee4 --- /dev/null +++ b/dashboard/installation/scripts/invictusVnetDNSZones.bicep 
@@ -0,0 +1,251 @@ +param invictus_vnet_name string = 'invictus-vnet' + +resource privatelink_azurecr_io 'Microsoft.Network/privateDnsZones@2018-09-01' = { + name: 'privatelink.azurecr.io' + location: 'global' + properties: { + maxNumberOfRecordSets: 25000 + maxNumberOfVirtualNetworkLinks: 1000 + maxNumberOfVirtualNetworkLinksWithRegistration: 100 + numberOfRecordSets: 1 + numberOfVirtualNetworkLinks: 1 + numberOfVirtualNetworkLinksWithRegistration: 0 + } +} + +resource privatelink_azurewebsites_net 'Microsoft.Network/privateDnsZones@2018-09-01' = { + name: 'privatelink.azurewebsites.net' + location: 'global' + properties: { + maxNumberOfRecordSets: 25000 + maxNumberOfVirtualNetworkLinks: 1000 + maxNumberOfVirtualNetworkLinksWithRegistration: 100 + numberOfRecordSets: 1 + numberOfVirtualNetworkLinks: 1 + numberOfVirtualNetworkLinksWithRegistration: 0 + } +} + +resource privatelink_blob_core_windows_net 'Microsoft.Network/privateDnsZones@2018-09-01' = { + name: 'privatelink.blob.core.windows.net' + location: 'global' + properties: { + maxNumberOfRecordSets: 25000 + maxNumberOfVirtualNetworkLinks: 1000 + maxNumberOfVirtualNetworkLinksWithRegistration: 100 + numberOfRecordSets: 1 + numberOfVirtualNetworkLinks: 1 + numberOfVirtualNetworkLinksWithRegistration: 0 + } +} + +resource privatelink_file_core_windows_net 'Microsoft.Network/privateDnsZones@2018-09-01' = { + name: 'privatelink.file.core.windows.net' + location: 'global' + properties: { + maxNumberOfRecordSets: 25000 + maxNumberOfVirtualNetworkLinks: 1000 + maxNumberOfVirtualNetworkLinksWithRegistration: 100 + numberOfRecordSets: 1 + numberOfVirtualNetworkLinks: 1 + numberOfVirtualNetworkLinksWithRegistration: 0 + } +} + +resource privatelink_queue_core_windows_net 'Microsoft.Network/privateDnsZones@2018-09-01' = { + name: 'privatelink.queue.core.windows.net' + location: 'global' + properties: { + maxNumberOfRecordSets: 25000 + maxNumberOfVirtualNetworkLinks: 1000 + maxNumberOfVirtualNetworkLinksWithRegistration: 
100 + numberOfRecordSets: 1 + numberOfVirtualNetworkLinks: 1 + numberOfVirtualNetworkLinksWithRegistration: 0 + } +} + +resource privatelink_servicebus_windows_net 'Microsoft.Network/privateDnsZones@2018-09-01' = { + name: 'privatelink.servicebus.windows.net' + location: 'global' + properties: { + maxNumberOfRecordSets: 25000 + maxNumberOfVirtualNetworkLinks: 1000 + maxNumberOfVirtualNetworkLinksWithRegistration: 100 + numberOfRecordSets: 1 + numberOfVirtualNetworkLinks: 1 + numberOfVirtualNetworkLinksWithRegistration: 0 + } +} + +resource privatelink_table_core_windows_net 'Microsoft.Network/privateDnsZones@2018-09-01' = { + name: 'privatelink.table.core.windows.net' + location: 'global' + properties: { + maxNumberOfRecordSets: 25000 + maxNumberOfVirtualNetworkLinks: 1000 + maxNumberOfVirtualNetworkLinksWithRegistration: 100 + numberOfRecordSets: 1 + numberOfVirtualNetworkLinks: 1 + numberOfVirtualNetworkLinksWithRegistration: 0 + } +} + +resource privatelink_table_cosmos_azure_com 'Microsoft.Network/privateDnsZones@2018-09-01' = { + name: 'privatelink.table.cosmos.azure.com' + location: 'global' + properties: { + maxNumberOfRecordSets: 25000 + maxNumberOfVirtualNetworkLinks: 1000 + maxNumberOfVirtualNetworkLinksWithRegistration: 100 + numberOfRecordSets: 1 + numberOfVirtualNetworkLinks: 1 + numberOfVirtualNetworkLinksWithRegistration: 0 + } +} + +resource privatelink_vaultcore_azure_net 'Microsoft.Network/privateDnsZones@2018-09-01' = { + name: 'privatelink.vaultcore.azure.net' + location: 'global' + properties: { + maxNumberOfRecordSets: 25000 + maxNumberOfVirtualNetworkLinks: 1000 + maxNumberOfVirtualNetworkLinksWithRegistration: 100 + numberOfRecordSets: 1 + numberOfVirtualNetworkLinks: 1 + numberOfVirtualNetworkLinksWithRegistration: 0 + } +} + +resource privatelink_mongo_cosmos_azure_com 'Microsoft.Network/privateDnsZones@2018-09-01' = { + name: 'privatelink.mongo.cosmos.azure.com' + location: 'global' + properties: { + maxNumberOfRecordSets: 25000 + 
maxNumberOfVirtualNetworkLinks: 1000 + maxNumberOfVirtualNetworkLinksWithRegistration: 100 + numberOfRecordSets: 1 + numberOfVirtualNetworkLinks: 1 + numberOfVirtualNetworkLinksWithRegistration: 0 + } +} + +resource privatelink_azurecr_io_vnet_link 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2018-09-01' = { + parent: privatelink_azurecr_io + name: 'vnet-link' + location: 'global' + properties: { + registrationEnabled: false + virtualNetwork: { + id: resourceId('Microsoft.Network/virtualNetworks', invictus_vnet_name) + } + } +} + +resource privatelink_azurewebsites_net_vnet_link 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2018-09-01' = { + parent: privatelink_azurewebsites_net + name: 'vnet-link' + location: 'global' + properties: { + registrationEnabled: false + virtualNetwork: { + id: resourceId('Microsoft.Network/virtualNetworks', invictus_vnet_name) + } + } +} + +resource privatelink_blob_core_windows_net_vnet_link 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2018-09-01' = { + parent: privatelink_blob_core_windows_net + name: 'vnet-link' + location: 'global' + properties: { + registrationEnabled: false + virtualNetwork: { + id: resourceId('Microsoft.Network/virtualNetworks', invictus_vnet_name) + } + } +} + +resource privatelink_file_core_windows_net_vnet_link 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2018-09-01' = { + parent: privatelink_file_core_windows_net + name: 'vnet-link' + location: 'global' + properties: { + registrationEnabled: false + virtualNetwork: { + id: resourceId('Microsoft.Network/virtualNetworks', invictus_vnet_name) + } + } +} + +resource privatelink_queue_core_windows_net_vnet_link 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2018-09-01' = { + parent: privatelink_queue_core_windows_net + name: 'vnet-link' + location: 'global' + properties: { + registrationEnabled: false + virtualNetwork: { + id: resourceId('Microsoft.Network/virtualNetworks', invictus_vnet_name) + } + } +} + +resource 
privatelink_servicebus_windows_net_vnet_link 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2018-09-01' = { + parent: privatelink_servicebus_windows_net + name: 'vnet-link' + location: 'global' + properties: { + registrationEnabled: false + virtualNetwork: { + id: resourceId('Microsoft.Network/virtualNetworks', invictus_vnet_name) + } + } +} + +resource privatelink_table_core_windows_net_vnet_link 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2018-09-01' = { + parent: privatelink_table_core_windows_net + name: 'vnet-link' + location: 'global' + properties: { + registrationEnabled: false + virtualNetwork: { + id: resourceId('Microsoft.Network/virtualNetworks', invictus_vnet_name) + } + } +} + +resource privatelink_table_cosmos_azure_com_vnet_link 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2018-09-01' = { + parent: privatelink_table_cosmos_azure_com + name: 'vnet-link' + location: 'global' + properties: { + registrationEnabled: false + virtualNetwork: { + id: resourceId('Microsoft.Network/virtualNetworks', invictus_vnet_name) + } + } +} + +resource Microsoft_Network_privateDnsZones_virtualNetworkLinks_privatelink_vaultcore_azure_net_vnet_link 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2018-09-01' = { + parent: privatelink_vaultcore_azure_net + name: 'vnet-link' + location: 'global' + properties: { + registrationEnabled: false + virtualNetwork: { + id: resourceId('Microsoft.Network/virtualNetworks', invictus_vnet_name) + } + } +} + +resource Microsoft_Network_privateDnsZones_virtualNetworkLinks_privatelink_mongo_cosmos_azure_net_vnet_link 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2018-09-01' = { + parent: privatelink_mongo_cosmos_azure_com + name: 'vnet-link' + location: 'global' + properties: { + registrationEnabled: false + virtualNetwork: { + id: resourceId('Microsoft.Network/virtualNetworks', invictus_vnet_name) + } + } +} 
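Review bot: every `virtualNetworkLinks` resource resolves the VNET with `resourceId('Microsoft.Network/virtualNetworks', invictus_vnet_name)`, which only works when the VNET sits in the resource group the template is deployed to, while the VNET page explicitly supports the VNET living in a different resource group; add a `vnet_resource_group_name` parameter and use the resource-group overload of `resourceId`, or reference the VNET as an `existing` resource with `scope: resourceGroup(vnet_resource_group_name)`. The `maxNumberOf*` and `numberOf*` properties on each `privateDnsZones` resource are read-only values copied from a portal export and are ignored on deployment; drop them so the template contains only what it sets. The last two link resources use a different symbolic-name style (`Microsoft_Network_privateDnsZones_virtualNetworkLinks_...`), and the final one is called `..._mongo_cosmos_azure_net_vnet_link` although its parent is `privatelink_mongo_cosmos_azure_com`; rename both to match the others.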
diff --git a/dashboard/installation/scripts/invictusVnetDNSZones.json b/dashboard/installation/scripts/invictusVnetDNSZones.json new file mode 100644 index 00000000..2a4f5e5c --- /dev/null +++ b/dashboard/installation/scripts/invictusVnetDNSZones.json 
@@ -0,0 +1,303 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "invictus_vnet_name": { + "defaultValue": "invictus-vnet", + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/privateDnsZones", + "apiVersion": "2018-09-01", + "name": "privatelink.azurecr.io", + "location": "global", + "properties": { + "maxNumberOfRecordSets": 25000, + "maxNumberOfVirtualNetworkLinks": 1000, + "maxNumberOfVirtualNetworkLinksWithRegistration": 100, + "numberOfRecordSets": 1, + "numberOfVirtualNetworkLinks": 1, + "numberOfVirtualNetworkLinksWithRegistration": 0 + } + }, + { + "type": "Microsoft.Network/privateDnsZones", + "apiVersion": "2018-09-01", + "name": "privatelink.azurewebsites.net", + "location": "global", + "properties": { + "maxNumberOfRecordSets": 25000, + "maxNumberOfVirtualNetworkLinks": 1000, + "maxNumberOfVirtualNetworkLinksWithRegistration": 100, + "numberOfRecordSets": 1, + "numberOfVirtualNetworkLinks": 1, + "numberOfVirtualNetworkLinksWithRegistration": 0 + } + }, + { + "type": "Microsoft.Network/privateDnsZones", + "apiVersion": "2018-09-01", + "name": "privatelink.blob.core.windows.net", + "location": "global", + "properties": { + "maxNumberOfRecordSets": 25000, + "maxNumberOfVirtualNetworkLinks": 1000, + "maxNumberOfVirtualNetworkLinksWithRegistration": 100, + "numberOfRecordSets": 1, + "numberOfVirtualNetworkLinks": 1, + "numberOfVirtualNetworkLinksWithRegistration": 0 + } + }, + { + "type": "Microsoft.Network/privateDnsZones", + "apiVersion": "2018-09-01", + "name": "privatelink.file.core.windows.net", + "location": "global", + "properties": { + "maxNumberOfRecordSets": 25000, + "maxNumberOfVirtualNetworkLinks": 1000, + "maxNumberOfVirtualNetworkLinksWithRegistration": 100, + "numberOfRecordSets": 1, + "numberOfVirtualNetworkLinks": 1, + "numberOfVirtualNetworkLinksWithRegistration": 0 + } + }, + { + "type": 
"Microsoft.Network/privateDnsZones", + "apiVersion": "2018-09-01", + "name": "privatelink.queue.core.windows.net", + "location": "global", + "properties": { + "maxNumberOfRecordSets": 25000, + "maxNumberOfVirtualNetworkLinks": 1000, + "maxNumberOfVirtualNetworkLinksWithRegistration": 100, + "numberOfRecordSets": 1, + "numberOfVirtualNetworkLinks": 1, + "numberOfVirtualNetworkLinksWithRegistration": 0 + } + }, + { + "type": "Microsoft.Network/privateDnsZones", + "apiVersion": "2018-09-01", + "name": "privatelink.servicebus.windows.net", + "location": "global", + "properties": { + "maxNumberOfRecordSets": 25000, + "maxNumberOfVirtualNetworkLinks": 1000, + "maxNumberOfVirtualNetworkLinksWithRegistration": 100, + "numberOfRecordSets": 1, + "numberOfVirtualNetworkLinks": 1, + "numberOfVirtualNetworkLinksWithRegistration": 0 + } + }, + { + "type": "Microsoft.Network/privateDnsZones", + "apiVersion": "2018-09-01", + "name": "privatelink.table.core.windows.net", + "location": "global", + "properties": { + "maxNumberOfRecordSets": 25000, + "maxNumberOfVirtualNetworkLinks": 1000, + "maxNumberOfVirtualNetworkLinksWithRegistration": 100, + "numberOfRecordSets": 1, + "numberOfVirtualNetworkLinks": 1, + "numberOfVirtualNetworkLinksWithRegistration": 0 + } + }, + { + "type": "Microsoft.Network/privateDnsZones", + "apiVersion": "2018-09-01", + "name": "privatelink.table.cosmos.azure.com", + "location": "global", + "properties": { + "maxNumberOfRecordSets": 25000, + "maxNumberOfVirtualNetworkLinks": 1000, + "maxNumberOfVirtualNetworkLinksWithRegistration": 100, + "numberOfRecordSets": 1, + "numberOfVirtualNetworkLinks": 1, + "numberOfVirtualNetworkLinksWithRegistration": 0 + } + }, + { + "type": "Microsoft.Network/privateDnsZones", + "apiVersion": "2018-09-01", + "name": "privatelink.vaultcore.azure.net", + "location": "global", + "properties": { + "maxNumberOfRecordSets": 25000, + "maxNumberOfVirtualNetworkLinks": 1000, + "maxNumberOfVirtualNetworkLinksWithRegistration": 100, + 
"numberOfRecordSets": 1, + "numberOfVirtualNetworkLinks": 1, + "numberOfVirtualNetworkLinksWithRegistration": 0 + } + }, + { + "type": "Microsoft.Network/privateDnsZones", + "apiVersion": "2018-09-01", + "name": "privatelink.mongo.cosmos.azure.com", + "location": "global", + "properties": { + "maxNumberOfRecordSets": 25000, + "maxNumberOfVirtualNetworkLinks": 1000, + "maxNumberOfVirtualNetworkLinksWithRegistration": 100, + "numberOfRecordSets": 1, + "numberOfVirtualNetworkLinks": 1, + "numberOfVirtualNetworkLinksWithRegistration": 0 + } + }, + { + "type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks", + "apiVersion": "2018-09-01", + "name": "privatelink.azurecr.io/vnet-link", + "location": "global", + "dependsOn": [ + "[resourceId('Microsoft.Network/privateDnsZones', 'privatelink.azurecr.io')]" + ], + "properties": { + "registrationEnabled": false, + "virtualNetwork": { + "id": "[resourceId('Microsoft.Network/virtualNetworks', parameters('invictus_vnet_name'))]" + } + } + }, + { + "type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks", + "apiVersion": "2018-09-01", + "name": "privatelink.azurewebsites.net/vnet-link", + "location": "global", + "dependsOn": [ + "[resourceId('Microsoft.Network/privateDnsZones', 'privatelink.azurewebsites.net')]" + ], + "properties": { + "registrationEnabled": false, + "virtualNetwork": { + "id": "[resourceId('Microsoft.Network/virtualNetworks', parameters('invictus_vnet_name'))]" + } + } + }, + { + "type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks", + "apiVersion": "2018-09-01", + "name": "privatelink.blob.core.windows.net/vnet-link", + "location": "global", + "dependsOn": [ + "[resourceId('Microsoft.Network/privateDnsZones', 'privatelink.blob.core.windows.net')]" + ], + "properties": { + "registrationEnabled": false, + "virtualNetwork": { + "id": "[resourceId('Microsoft.Network/virtualNetworks', parameters('invictus_vnet_name'))]" + } + } + }, + { + "type": 
"Microsoft.Network/privateDnsZones/virtualNetworkLinks", + "apiVersion": "2018-09-01", + "name": "privatelink.file.core.windows.net/vnet-link", + "location": "global", + "dependsOn": [ + "[resourceId('Microsoft.Network/privateDnsZones', 'privatelink.file.core.windows.net')]" + ], + "properties": { + "registrationEnabled": false, + "virtualNetwork": { + "id": "[resourceId('Microsoft.Network/virtualNetworks', parameters('invictus_vnet_name'))]" + } + } + }, + { + "type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks", + "apiVersion": "2018-09-01", + "name": "privatelink.queue.core.windows.net/vnet-link", + "location": "global", + "dependsOn": [ + "[resourceId('Microsoft.Network/privateDnsZones', 'privatelink.queue.core.windows.net')]" + ], + "properties": { + "registrationEnabled": false, + "virtualNetwork": { + "id": "[resourceId('Microsoft.Network/virtualNetworks', parameters('invictus_vnet_name'))]" + } + } + }, + { + "type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks", + "apiVersion": "2018-09-01", + "name": "privatelink.servicebus.windows.net/vnet-link", + "location": "global", + "dependsOn": [ + "[resourceId('Microsoft.Network/privateDnsZones', 'privatelink.servicebus.windows.net')]" + ], + "properties": { + "registrationEnabled": false, + "virtualNetwork": { + "id": "[resourceId('Microsoft.Network/virtualNetworks', parameters('invictus_vnet_name'))]" + } + } + }, + { + "type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks", + "apiVersion": "2018-09-01", + "name": "privatelink.table.core.windows.net/vnet-link", + "location": "global", + "dependsOn": [ + "[resourceId('Microsoft.Network/privateDnsZones', 'privatelink.table.core.windows.net')]" + ], + "properties": { + "registrationEnabled": false, + "virtualNetwork": { + "id": "[resourceId('Microsoft.Network/virtualNetworks', parameters('invictus_vnet_name'))]" + } + } + }, + { + "type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks", + "apiVersion": "2018-09-01", + "name": 
"privatelink.table.cosmos.azure.com/vnet-link", + "location": "global", + "dependsOn": [ + "[resourceId('Microsoft.Network/privateDnsZones', 'privatelink.table.cosmos.azure.com')]" + ], + "properties": { + "registrationEnabled": false, + "virtualNetwork": { + "id": "[resourceId('Microsoft.Network/virtualNetworks', parameters('invictus_vnet_name'))]" + } + } + }, + { + "type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks", + "apiVersion": "2018-09-01", + "name": "privatelink.vaultcore.azure.net/vnet-link", + "location": "global", + "dependsOn": [ + "[resourceId('Microsoft.Network/privateDnsZones', 'privatelink.vaultcore.azure.net')]" + ], + "properties": { + "registrationEnabled": false, + "virtualNetwork": { + "id": "[resourceId('Microsoft.Network/virtualNetworks', parameters('invictus_vnet_name'))]" + } + } + }, + { + "type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks", + "apiVersion": "2018-09-01", + "name": "privatelink.vaultcore.azure.net/vnet-link", + "location": "global", + "dependsOn": [ + "[resourceId('Microsoft.Network/privateDnsZones', 'privatelink.mongo.cosmos.azure.com')]" + ], + "properties": { + "registrationEnabled": false, + "virtualNetwork": { + "id": "[resourceId('Microsoft.Network/virtualNetworks', parameters('invictus_vnet_name'))]" + } + } + } + ] +} diff --git a/framework/installation/framework-releasepipeline.md b/framework/installation/framework-releasepipeline.md index bd9bd96e..08352fa1 100644 --- a/framework/installation/framework-releasepipeline.md +++ b/framework/installation/framework-releasepipeline.md 
@@ -29,9 +29,9 @@ resources: **Make sure to replace the `azureSubscription` value with the name of your serviceconnection as this value cannot be parameterized** -Also make sure to change the ARM template parameters. In these example files we are deploying to DEV, TST and ACC using a `B1` service plan SKU and a `P1V2` service plan SKU to PRD. Make sure to change and parameterize this according to your needs. +Also make sure to change the Bicep template parameters. In these example files we are deploying to DEV, TST and ACC using a `B1` service plan SKU and a `P1V2` service plan SKU to PRD. Make sure to change and parameterize this according to your needs. -If you need to overwrite more ARM Template parameters make sure to add this to the `deployScriptParameters`. A complete list of ARM Template parameters can be found [here](#ARM-Template-Parameters). +If you need to overwrite more Bicep Template parameters make sure to add this to the `deployScriptParameters`. A complete list of Bicep Template parameters can be found [here](#Bicep-Template-Parameters). Afterwards add the [framework.release.yaml](./pipelines/framework.release.yaml) in your DevOps environment as a pipeline. @@ -62,7 +62,7 @@ Add an Azure PowerShell task to each stage. This task will take care of the foll - Get the keyvault access policies, so they are preserved in consequent deployments. - Stop any datafactory triggers related to the framework. -- ARM deployment. +- Bicep deployment. - Start any datafactory triggers. - Deployment of the framework components. 
@@ -81,12 +81,12 @@ Use the following arguments for the fields of the azure powershell task: - ResourceGroupLocation (optional): `$(Infra.Environment.Region.Primary)` or 'West Europe' when not specified. - KeyVaultName (optional): uses `invictus-$ResourcePrefix-vlt` when not specified. - KeyVaultAccessPoliciesVariableName (optional): uses _Infra.KeyVault.AccessPolicies_ when not specified. - - AdditionalTemplateParameters (optional): Additional named parameters for the arm template you wish to override. More on this below. + - AdditionalTemplateParameters (optional): Additional named parameters for the Bicep template you wish to override. More on this below. - **Azure PowerShell Version**: Specify other version : **2.6.0** **NOTE:** When passing the ApiKey1 and ApiKey2 to the Deploy.ps as arguments, please remember to enclose them in single quotes ''. This prevents any operator characters from breaking the ps script. -The AdditionalTemplateParameters argument are named arguments you can use to override the default values used by the ARM template. You simply name the argument as the parameter. For example if you want to use a different servicePlanSku you would add `-servicePlanSkuName "S1"` to the arguments of the powershell script. +The AdditionalTemplateParameters argument are named arguments you can use to override the default values used by the Bicep template. You simply name the argument as the parameter. For example if you want to use a different servicePlanSku you would add `-servicePlanSkuName "S1"` to the arguments of the powershell script. > Note that **accessPolicies** are overridden by the script, so no need to include that in the arguments. 
@@ -96,11 +96,11 @@ Complete example of the arguments (note the use of -devOpsObjectId as an additio -ArtifactsPath "$(ArtifactsPath)" -ResourcePrefix "$(Infra.Environment.ResourcePrefix)" -ResourceGroupName "$(Infra.Environment.ResourceGroup)" -VariableGroupName "Software.Infra.$(Infra.Environment.ShortName)" -ResourceGroupLocation "$(Infra.Environment.Region.Primary)" -devOpsObjectId $(Infra.DevOps.Object.Id) ``` -A complete list of ARM Template parameters can be found [here](#ARM-Template-Parameters). +A complete list of Bicep Template parameters can be found [here](#Bicep-Template-Parameters). -## ARM Template Parameters +## Bicep Template Parameters -The below table lists the parameters accepted by the ARM template. +The below table lists the parameters accepted by the Bicep template. |Parameter Name|Required|Default Value|Description| | --- | :---: | --- | --- | @@ -116,7 +116,9 @@ The below table lists the parameters accepted by the ARM template. |matrixWebAppName|No|invictus-{resourcePrefix}-matrixapp|Name for the Matrix Web API| |transcoWebAppName|No|invictus-{resourcePrefix}-transcoapp|Name for the Transco Web API| |serviceBusNamespaceName|No|invictus-{resourcePrefix}-sbs|Name for the Service Bus Namespace resource| +|serviceBusSkuName|No|Standard or Premium if VNET enabled|Name for the Service Bus SKU| |keyVaultName|No|invictus-{resourcePrefix}-vlt|Name for the Key Vault Service Namespace resource| +|keyVaultEnablePurgeProtection|No|null|If true, enables key vault purge protection. Once enabled, this property can never be disabled.| |storageAccountName|No|invictus{resourcePrefix}store|Name for the Azure Storage resource. Any dashes (-) will be removed from {resourcePrefix}| |blobContainerPrefix|No|invictus|Prefix set for blob containers for pubsub| |approvedMessageSizeInBytesKey|No|200000|The max allowed message size before pushing message to Blob when using PubSub| 
@@ -156,13 +158,16 @@ The below table lists the parameters accepted by the ARM template. |transcoWebAppAlwaysOn|No|true|Always on Setting for WebApp| |accessPolicies|No|[]|A list of Azure Key vault access policies| |devOpsObjectId|Yes||The object-id associated with the service principal of the enterprise application that's connected to the service connection on DevOps| -|enableVnetSupport|No|0|this value is used for conditions within the ARM template to switch between non VNET and VNET installation. The parameters below are ignored if this value is set to 0| -|vnetName|No| |The name of the VNET on Azure| -|vnetResourceGroupName|No| |The name of the resource group on Azure where the VNET is located| -|aseName|No| |The name of the ASE on Azure| -|aseResourceGroupName|No| |The name of the resource group on Azure where the ASE is located| -|keyVaultSubnets|No|[]|An array of string. The values need to match the subnet names on the VNET| -|storageAccountSubnets|No|[]|An array of string. The values need to match the subnet names on the VNET| -|serviceBusSubnets|No|[]|An array of string. The values need to match the subnet names on the VNET| -|sqlServerSubnets|No|[]|An array of string. The values need to match the subnet names on the VNET| -|invictusDataFactoryName|No|invictus-{resourcePrefix}-datafactory|The name of the Data factory service.| + +### VNET Specific Parameters + +|Parameter Name|Required for VNET|Default Value|Description| +| --- | :---: | --- | --- | +|enableVnetSupport|Yes|false|Used to toggle VNET functionality on or off| +|vnetResourceGroupName|Yes| |The name of the resource group on Azure where the VNET is located| +|vnetName|Yes| |The name of the VNET resource| +|keyVaultSubnets|Yes|[]|An array of string. The values need to match the subnet names on the VNET| +|storageAccountSubnets|Yes|[]|An array of string. The values need to match the subnet names on the VNET| +|serviceBusSubnets|Yes|[]|An array of string. 
The values need to match the subnet names on the VNET| +|functionsSubnetName|Yes||The name of the subnet to be used to connect the azure function resources| +|privateEndpointSubnetName|Yes||The name of the subnet to be used to connect the private endpoint resources| diff --git a/framework/installation/framework-vnet.md b/framework/installation/framework-vnet.md new file mode 100644 index 00000000..94e7306a --- /dev/null +++ b/framework/installation/framework-vnet.md @@ -0,0 +1,5 @@ +# Invictus Framework VNET Support + +Enabling Azure Virtual Network support for the Invictus Framework is an identical process as for the Invictus Dashboard. Therefore you can follow the same guide found [here](../../dashboard/installation/dashboard-vnet.md). + +A full list of VNET specific parameters which can be passed to Framework release pipeline can be found [here](framework-releasepipeline.md#vnet-specific-parameters).
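Review bot: In the last hunk of dashboard-vnet.md, the third `Microsoft.Network/privateDnsZones/virtualNetworkLinks` resource reuses the name `privatelink.vaultcore.azure.net/vnet-link` while its `dependsOn` points at the `privatelink.mongo.cosmos.azure.com` zone. Two resources of the same type and name fail template validation, and the Mongo private DNS zone is never linked to the VNET, so lookups for the Cosmos DB Mongo private endpoint would not resolve to the private address from inside the network. Change it to `"name": "privatelink.mongo.cosmos.azure.com/vnet-link"` so every zone gets its own link.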
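Review bot: In the framework-releasepipeline.md hunk at line 29, the in-page link `[here](#Bicep-Template-Parameters)` keeps a mixed-case anchor while the new framework-vnet.md page links to `#vnet-specific-parameters` in lowercase; Markdown renderers such as GitHub and docsify generate lowercase heading ids, so use `#bicep-template-parameters` here (and in the same link in the line 96 hunk) for consistency. Minor wording: "overwrite more Bicep Template parameters" should be "override", matching the "override the default values" wording used later in the same file.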
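Review bot: In the hunk at line 81, the rewritten sentence still reads "The AdditionalTemplateParameters argument are named arguments"; since the line is being touched anyway, fix the agreement, e.g. "AdditionalTemplateParameters accepts named arguments that override the default values used by the Bicep template."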
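Review bot: The new `serviceBusSkuName` row in the hunk at line 116 gives the default as `Standard or Premium if VNET enabled` but does not say why: Service Bus virtual network service endpoints and private endpoints are available only on the Premium tier, so overriding this to `Standard` or `Basic` while `enableVnetSupport` is on will make the deployment fail. State that constraint in the description. For `keyVaultEnablePurgeProtection`, a default of `null` means the property is omitted and purge protection stays off; since this vault holds the framework's secrets, the description should say that production deployments are expected to pass `true`, and that purge protection can only be enabled on a vault that has soft delete enabled.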
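Review bot: Moving the VNET rows into their own table in the hunk at line 156 also drops the `invictusDataFactoryName` row (default `invictus-{resourcePrefix}-datafactory`) without re-adding it, even though it is not VNET specific and the release task still stops and starts data factory triggers; restore it in the main parameter table unless the parameter itself was removed from the template. Also, `enableVnetSupport` changes its default from `0` to `false`, so anyone passing `-enableVnetSupport 1` through AdditionalTemplateParameters now needs a boolean; call out that type change next to the row. Finally, the descriptions of `functionsSubnetName` and `privateEndpointSubnetName` should say that both subnets must exist in `vnetName` and that the functions subnet has to be delegated to `Microsoft.Web/serverFarms`, which regional VNET integration requires.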
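Review bot: In the new framework-vnet.md, "is an identical process as for the Invictus Dashboard" reads awkwardly; suggest "is identical to the process for the Invictus Dashboard". Since the page otherwise only links elsewhere, one sentence naming `enableVnetSupport` as the switch that activates the VNET specific parameters would save readers a round trip to the parameter table.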