Bicep scripts to create Azure VWAN & Azure Firewall
The script deploys:
- One Log Analytics workspace
- Four VETS, two on each Azure Region.
- one VWAN with two VWAN HUBs, each on a different Azure Region.
- Two Azure Firewalls inside the VWAN Hubs, each on a different Azure Region. The Azure Firewalls have diagnostic settings sending all logs to a log analytics workspace.
- Two Azure Firewalls outside the VWAN Hubs, each on a different Azure Region. The Azure Firewalls have diagnostic settings sending all logs to a log analytics workspace.
- Four VMs, Ubuntu, one in each VNET
You can choose to:
- deploy VWAN or not
- deploy Azure Firewall inside the VWAN Hubs
- deploy VMs or not
- deploy Azure Firewall outside the VWAN Hubs or not
- how many Public IPs will be created and attached to the Azure Firewalls
- The Azure Firewall SKU between Basic and Standard
The script does NOT deploy the connections between the VWAN Hubs & the VNETS. Once the VWAN Hubs are ready, with Hub Status "Succeeded" and Router Status "Provisioned", create the connections manually. This is because to create a connection the VWAN Hub Router Status must be "Provisioned" and currently, the is no way of getting this Status.
The VMs are for testing & troubleshooting. Ubuntu Linux, without Public IP. I usually use the Serial console.
create the Resource Group az group create --name ResourceGroupName --location PreferedLocation
deploy the bicep script and answer the questions interactively az deployment group create --resource-group ResourceGroupName --template-file main.bicep
deploy the bicep script with the required parameters and choose true false az deployment group create --resource-group ResourceGroupName --template-file main.bicep --parameters numberOfFirewallPublicIPAddresses=1 adminPassword='#########' adminUserName='######' deployVWAN=true addFirewallToVWAN=true deployFirewall=true deployFirewallBasic=true deployVMs=true
