diff --git a/docs/reference/treyresearch/armTemplates/auxiliary/hubspoke-connectivity.json b/docs/reference/treyresearch/armTemplates/auxiliary/hubspoke-connectivity.json
index 4f47621256..511f5711f9 100644
--- a/docs/reference/treyresearch/armTemplates/auxiliary/hubspoke-connectivity.json
+++ b/docs/reference/treyresearch/armTemplates/auxiliary/hubspoke-connectivity.json
@@ -107,6 +107,10 @@
 "type": "string",
 "defaultValue": ""
 },
+ "enableVpnActiveActive": {
+ "type": "string",
+ "defaultValue": ""
+ },
 "gwAzSku": {
 "type": "string",
 "defaultValue": ""
@@ -147,10 +151,12 @@
 "azFwPolicyName": "[concat(parameters('topLevelManagementGroupPrefix'), '-azfwpolicy-', parameters('location'))]",
 "hubName": "[concat(parameters('topLevelManagementGroupPrefix'), '-hub-', parameters('location'))]",
 "azVpnGwIpName": "[concat(variables('vpngwname'), '-pip')]",
+ "azVpnGwAAIpName": "[concat(variables('vpngwname'), '-pip-002')]",
 "azVpnGwSubnetId": "[concat('/subscriptions/', parameters('connectivitySubscriptionId'), '/resourceGroups/', variables('rgName'),'/providers/Microsoft.Network/virtualNetworks/', variables('hubname'), '/subnets/GatewaySubnet')]",
 "azFwName": "[concat(parameters('topLevelManagementGroupPrefix'), '-fw-', parameters('location'))]",
 "azErGwIpName": "[concat(variables('erGwName'), '-pip')]",
 "azVpnGwPipId": "[concat('/subscriptions/', parameters('connectivitySubscriptionId'), '/resourceGroups/', variables('rgName'), '/providers/Microsoft.Network/publicIPAddresses/', variables('azVpnGwIpName'))]",
+ "azVpnGwAAPipId": "[concat('/subscriptions/', parameters('connectivitySubscriptionId'), '/resourceGroups/', variables('rgName'), '/providers/Microsoft.Network/publicIPAddresses/', variables('azVpnGwAAIpName'))]",
 "azFwIpName": "[concat(variables('azFwName'), '-pip')]",
 "azErGwSubnetId": "[concat('/subscriptions/', parameters('connectivitySubscriptionId'), '/resourceGroups/', variables('rgName'),'/providers/Microsoft.Network/virtualNetworks/', variables('hubname'), '/subnets/GatewaySubnet')]",
 "azErGwPipId": "[concat('/subscriptions/', parameters('connectivitySubscriptionId'), '/resourceGroups/', variables('rgName'), '/providers/Microsoft.Network/publicIPAddresses/', variables('azErGwIpName'))]",
@@ -347,7 +353,20 @@
 }
 },
 {
- "condition": "[and(equals(parameters('enableVpnGw'), 'Yes'), not(empty(parameters('subnetMaskForGw'))))]",
+ "condition": "[and(equals(parameters('enableVpnGw'), 'Yes'), equals(parameters('enableVpnActiveActive'),'Yes'), not(empty(parameters('subnetMaskForGw'))))]",
+ "apiVersion": "2020-05-01",
+ "type": "Microsoft.Network/publicIpAddresses",
+ "location": "[parameters('location')]",
+ "name": "[variables('azVpnGwAAIpName')]",
+ "sku": {
+ "name": "[if(equals(parameters('gwRegionalOrAz'), 'Zone'), 'Standard', 'Basic')]"
+ },
+ "properties": {
+ "publicIPAllocationMethod": "[if(equals(parameters('gwRegionalOrAz'), 'Zone'), 'Static', 'Dynamic')]"
+ }
+ },
+ {
+ "condition": "[and(equals(parameters('enableVpnGw'), 'Yes'), equals(parameters('enableVpnActiveActive'),'No'), not(empty(parameters('subnetMaskForGw'))))]",
 "apiVersion": "2020-05-01",
 "name": "[variables('vpngwname')]",
 "type": "Microsoft.Network/virtualNetworkGateways",
@@ -357,6 +376,7 @@
 "[concat('Microsoft.Network/virtualNetworks/', variables('hubName'))]"
 ],
 "properties": {
+ "activeActive": false,
 "gatewayType": "Vpn",
 "vpnGatewayGeneration": "Generation2",
 "vpnType": "[parameters('vpnGwType')]",
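Review bot: With the defaults declared in this commit, setting `enableVpnGw` to 'Yes' can deploy no gateway at all: the two gateway conditions require `enableVpnActiveActive` to be exactly 'Yes' or exactly 'No', while the parameter added in the first hunk of this file defaults to `""` and has no `allowedValues`. Before the change the gateway depended only on `enableVpnGw` and `subnetMaskForGw`, so a caller that does not pass the new parameter silently loses its VPN gateway (the existing public IP resource is outside the hunk and presumably still deploys). Either declare the parameter as es-lite.json does (`"defaultValue": "No"` with `"allowedValues": ["Yes", "No"]`) or relax the single-instance condition to `not(equals(parameters('enableVpnActiveActive'), 'Yes'))`. The same pattern is in eslzArm/subscriptionTemplates/hubspoke-connectivity.json and nvahubspoke-connectivity.json.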
@@ -396,6 +416,70 @@
 }
 }
 },
+ {
+ "condition": "[and(equals(parameters('enableVpnGw'), 'Yes'), equals(parameters('enableVpnActiveActive'),'Yes'), not(empty(parameters('subnetMaskForGw'))))]",
+ "apiVersion": "2020-05-01",
+ "name": "[variables('vpngwname')]",
+ "type": "Microsoft.Network/virtualNetworkGateways",
+ "location": "[parameters('location')]",
+ "dependsOn": [
+ "[concat('Microsoft.Network/publicIPAddresses/', variables('azVpnGwIpName'))]",
+ "[concat('Microsoft.Network/publicIPAddresses/', variables('azVpnGwAAIpName'))]",
+ "[concat('Microsoft.Network/virtualNetworks/', variables('hubName'))]"
+ ],
+ "properties": {
+ "activeActive": true,
+ "gatewayType": "Vpn",
+ "vpnGatewayGeneration": "Generation2",
+ "vpnType": "[parameters('vpnGwType')]",
+ "ipConfigurations": [
+ {
+ "name": "default",
+ "properties": {
+ "privateIPAllocationMethod": "Dynamic",
+ "subnet": {
+ "id": "[variables('azVpnGwSubnetId')]"
+ },
+ "publicIpAddress": {
+ "id": "[variables('azVpnGwPipId')]"
+ }
+ }
+ },
+ {
+ "name": "activeactive",
+ "properties": {
+ "privateIPAllocationMethod": "Dynamic",
+ "subnet": {
+ "id": "[variables('azVpnGwSubnetId')]"
+ },
+ "publicIpAddress": {
+ "id": "[variables('azVpnGwAAPipId')]"
+ }
+ }
+ }
+ ],
+ "sku": {
+ "name": "[if(
+ and(
+ or(
+ empty(parameters('gwRegionalSku')),
+ empty(parameters('gwAzSku'))),
+ not(
+ empty(parameters('gwRegionalSku')))),
+ parameters('gwRegionalSku'),
+ parameters('gwAzSku'))]",
+ "tier": "[if(
+ and(
+ or(
+ empty(parameters('gwRegionalSku')),
+ empty(parameters('gwAzSku'))),
+ not(
+ empty(parameters('gwRegionalSku')))),
+ parameters('gwRegionalSku'),
+ parameters('gwAzSku'))]"
+ }
+ }
+ },
 {
 "condition": "[and(equals(parameters('enableErGw'), 'Yes'), not(empty(parameters('subnetMaskForGw'))))]",
 "apiVersion": "2020-05-01",
diff --git a/docs/reference/treyresearch/armTemplates/es-lite.json b/docs/reference/treyresearch/armTemplates/es-lite.json
index 4a197ab0d9..c6babdfddf 100644
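Review bot: The active-active gateway is a second full copy of the `Microsoft.Network/virtualNetworkGateways` resource under the same `name`, so the two definitions differ only in `activeActive`, one `dependsOn` entry and the second `ipConfigurations` element, and everything else (including the SKU expression) has to be kept in sync by hand. A single resource with `"activeActive": "[equals(parameters('enableVpnActiveActive'), 'Yes')]"` and `ipConfigurations` selected by an `if()` between two variables would carry the same behaviour; Resource Manager drops a `dependsOn` entry whose conditional resource is not deployed, so the extra public IP dependency can stay unconditional. Neither copy restricts the gateway SKU, and active-active is, as far as I know, not offered on the Basic VPN gateway SKU, so the new option can presumably be combined with a SKU that only fails at deployment; worth checking against the SKU lists outside this diff. The other two connectivity templates repeat the same duplication.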
--- a/docs/reference/treyresearch/armTemplates/es-lite.json
+++ b/docs/reference/treyresearch/armTemplates/es-lite.json
@@ -350,6 +350,14 @@
 "type": "string",
 "defaultValue": ""
 },
+ "enableVpnActiveActive": {
+ "type": "string",
+ "defaultValue": "No",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ]
+ },
 "gwAzSku": {
 "type": "string",
 "defaultValue": ""
@@ -825,6 +833,9 @@
 "gwRegionalOrAz": {
 "value": "[parameters('gwRegionalOrAz')]"
 },
+ "enableVpnActiveActive": {
+ "value": "[parameters('enableVpnActiveActive')]"
+ },
 "gwAzSku": {
 "value": "[parameters('gwAzSku')]"
 },
diff --git a/docs/reference/treyresearch/armTemplates/es-portal.json b/docs/reference/treyresearch/armTemplates/es-portal.json
index eb35638fa7..df714983ef 100644
--- a/docs/reference/treyresearch/armTemplates/es-portal.json
+++ b/docs/reference/treyresearch/armTemplates/es-portal.json
@@ -549,6 +549,26 @@
 ]
 }
 },
+ {
+ "name": "enableVpnActiveActive",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Deploy VPN Gateway in Active/Active mode",
+ "defaultValue": "No",
+ "visible": "[and(equals(steps('connectivity').enableVpnGw,'Yes'), not(equals(steps('connectivity').enableHub, 'vwan')), equals(steps('connectivity').enableVpnGw,'Yes'))]",
+ "toolTip": "Deploy the VPN gateway in Active/Active mode",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ }
+ },
 {
 "name": "esGwNoAzSku",
 "type": "Microsoft.Common.DropDown",
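Review bot: In es-portal.json the new control's `visible` expression reads `steps('connectivity').enableVpnGw` and `steps('connectivity').enableHub`, while the outputs hunk of the same file takes the value from `steps('esConnectivityGoalState').enableVpnActiveActive`. The step definitions are outside the hunks, but if this file has no `connectivity` step the option is either never shown or the expression fails to resolve, and the output then carries whatever a hidden control yields. The expression also tests `equals(steps('connectivity').enableVpnGw,'Yes')` twice, so the third operand can be dropped. portal-es-lite.json carries the identical control and output, and eslzArm/eslz-portal.json repeats the redundant operand.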
@@ -1254,6 +1274,7 @@
 "vpnOrErZones": "[steps('esConnectivityGoalState').esGwRegionalOrAz]",
 "firewallZones": "[steps('esConnectivityGoalState').esFwAz]",
 "gwRegionalOrAz": "[steps('esConnectivityGoalState').esGwRegionalOrAz]",
+ "enableVpnActiveActive": "[steps('esConnectivityGoalState').enableVpnActiveActive]",
 "gwAzSku": "[steps('esConnectivityGoalState').esGwAzSku]",
 "gwRegionalSku": "[if(empty(steps('esConnectivityGoalState').esGwRegionalSku), steps('esConnectivityGoalState').esGwNoAzSku, steps('esConnectivityGoalState').esGwRegionalSku)]",
 "erRegionalOrAz": "[steps('esConnectivityGoalState').esErRegionalOrAz]",
diff --git a/docs/reference/treyresearch/armTemplates/portal-es-lite.json b/docs/reference/treyresearch/armTemplates/portal-es-lite.json
index cc28b9e4a8..b068438eff 100644
--- a/docs/reference/treyresearch/armTemplates/portal-es-lite.json
+++ b/docs/reference/treyresearch/armTemplates/portal-es-lite.json
@@ -540,6 +540,26 @@
 ]
 }
 },
+ {
+ "name": "enableVpnActiveActive",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Deploy VPN Gateway in Active/Active mode",
+ "defaultValue": "No",
+ "visible": "[and(equals(steps('connectivity').enableVpnGw,'Yes'), not(equals(steps('connectivity').enableHub, 'vwan')), equals(steps('connectivity').enableVpnGw,'Yes'))]",
+ "toolTip": "Deploy the VPN gateway in Active/Active mode",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ }
+ },
 {
 "name": "esGwNoAzSku",
 "type": "Microsoft.Common.DropDown",
@@ -1243,6 +1263,7 @@ "vpnOrErZones": "[steps('esConnectivityGoalState').esGwRegionalOrAz]", "firewallZones": "[steps('esConnectivityGoalState').esFwAz]", "gwRegionalOrAz": "[steps('esConnectivityGoalState').esGwRegionalOrAz]", + "enableVpnActiveActive": "[steps('esConnectivityGoalState').enableVpnActiveActive]", "gwAzSku": "[steps('esConnectivityGoalState').esGwAzSku]", "gwRegionalSku": "[if(empty(steps('esConnectivityGoalState').esGwRegionalSku), steps('esConnectivityGoalState').esGwNoAzSku, steps('esConnectivityGoalState').esGwRegionalSku)]", "erRegionalOrAz": "[steps('esConnectivityGoalState').esErRegionalOrAz]", diff --git a/docs/wiki/Deploying-ALZ-BasicSetup.md b/docs/wiki/Deploying-ALZ-BasicSetup.md index 647e57f8f4..e49bbc9779 100644 --- a/docs/wiki/Deploying-ALZ-BasicSetup.md +++ b/docs/wiki/Deploying-ALZ-BasicSetup.md @@ -148,7 +148,7 @@ On the *Network topology and connectivity* blade you will configure your core ne Set **Deploy VPN Gateway** to **Yes**: - ![networkTab-topology](./media/clip_image036b-2-singlesubscription.png) + ![networkTab-topology](./media/ActiveActive.png) - **Deploy zone redundant or regional VPN Gateway** and **Deploy zone redundant or regional ExpressRoute Gateway**: Zone-redundant gateways are recommended and enabled by default (as per the capabilities of the Region you are deploying your hub virtual network) as they provide higher resiliency and availability. You might opt for a regional deployment depending on your availability requirements and budget. In this tutorial you will deploy a zone-redundant VPN Gateway: 
@@ -156,6 +156,8 @@ On the *Network topology and connectivity* blade you will configure your core ne ![networkTab-gwDeploy](./media/clip_image036b-3-singlesubscription.png) + - **Deploy VPN Gateway in Active/Active mode**: You can create an Azure VPN gateway in an active-active configuration, where both instances of the gateway VMs establish S2S VPN tunnels to your on-premises VPN device. In this configuration, each Azure gateway instance has a unique public IP address, and each will establish an IPsec/IKE S2S VPN tunnel to your on-premises VPN device specified in your local network gateway and connection. See [Active-active VPN gateways](https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-highlyavailable#active-active-vpn-gateways). + - **Select the VPN Gateway SKU** and **Select the ExpressRoute Gateway VPN**: choose the right SKU based on your requirements (capabilities, throughput and availability). See [VPN Gateway SKUs](https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsku) and [ExpressRoute Gateway SKUs](https://learn.microsoft.com/en-us/azure/expressroute/expressroute-about-virtual-network-gateways#gwsku) for further details on the virtual gateway's SKUs you have available in Azure. In this tutorial you will deploy a VpnGw2AZ which provides an aggregated throughput of up to 1 Gbps: ![networkTab-gwSku](./media/clip_image036b-4-singlesubscription.png) diff --git a/docs/wiki/Whats-new.md b/docs/wiki/Whats-new.md index a904a82492..fcd76cd464 100644 --- a/docs/wiki/Whats-new.md +++ b/docs/wiki/Whats-new.md 
@@ -72,9 +72,13 @@ Here's what's changed in Enterprise Scale/Azure Landing Zones: - Deploy-VM-Monitoring (Management Group: Intermediate Root) - Deploy-VMSS-Monitoring (Management Group: Intermediate Root) +#### Tooling + +- Enhanced the ALZ Portal Accelerator to provide the ability to deploy the Azure VPN Gateway in Active/Active mode as per feedback from [#655](https://github.com/Azure/Enterprise-Scale/issues/655). + #### Other -- [Azure Landing Zone External Community Call - September 2023 - Hosted & Published](https://github.com/Azure/Enterprise-Scale/wiki/Community-Calls#25th-september-2023-25092023)) +- [Azure Landing Zone External Community Call - September 2023 - Hosted & Published](https://github.com/Azure/Enterprise-Scale/wiki/Community-Calls#25th-september-2023-25092023) ### August 2023 diff --git a/docs/wiki/media/ActiveActive.png b/docs/wiki/media/ActiveActive.png new file mode 100644 index 0000000000..9e6d903a2d Binary files /dev/null and b/docs/wiki/media/ActiveActive.png differ diff --git a/eslzArm/eslz-portal.json b/eslzArm/eslz-portal.json index 9c5ab81928..efd1235f2a 100644 --- a/eslzArm/eslz-portal.json +++ b/eslzArm/eslz-portal.json @@ -1333,6 +1333,26 @@ ] } }, + { + "name": "enableVpnActiveActive", + "type": "Microsoft.Common.OptionsGroup", + "label": "Deploy VPN Gateway in Active/Active mode", + "defaultValue": "No", + "visible": "[and(equals(steps('connectivity').enableVpnGw,'Yes'), not(equals(steps('connectivity').enableHub, 'vwan')), equals(steps('connectivity').enableVpnGw,'Yes'))]", + "toolTip": "Deploy the VPN gateway in Active/Active mode", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + } + }, { "name": "esGwNoAzSku", "type": "Microsoft.Common.DropDown", 
@@ -3112,6 +3132,7 @@
 "enablePrivateDnsZones": "[steps('connectivity').enablePrivateDnsZones]",
 "enableVpnGw": "[steps('connectivity').enableVpnGw]",
 "gwRegionalOrAz": "[steps('connectivity').gwRegionalOrAz]",
+ "enableVpnActiveActive": "[steps('connectivity').enableVpnActiveActive]",
 "gwRegionalSku": "[coalesce(steps('connectivity').gwRegionalSku, steps('connectivity').esGwNoAzSku)]",
 "gwAzSku": "[steps('connectivity').gwAzSku]",
 "vpnGateWayScaleUnit": "[steps('connectivity').vpnGateWayScaleUnit]",
diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json
index e034814a14..1cd1b6e560 100644
--- a/eslzArm/eslzArm.json
+++ b/eslzArm/eslzArm.json
@@ -356,6 +356,14 @@
 "No"
 ]
 },
+ "enableVpnActiveActive": {
+ "type": "string",
+ "defaultValue": "No",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ]
+ },
 "gwRegionalOrAz": {
 "type": "string",
 "defaultValue": ""
@@ -2230,6 +2238,9 @@
 "enableAzFwDnsProxy": {
 "value": "[parameters('enableAzFwDnsProxy')]"
 },
+ "enableVpnActiveActive": {
+ "value": "[parameters('enableVpnActiveActive')]"
+ },
 "gwRegionalOrAz": {
 "value": "[parameters('gwRegionalOrAz')]"
 },
@@ -2305,6 +2316,9 @@
 "subnetMaskForGw": {
 "value": "[parameters('subnetMaskForGw')]"
 },
+ "enableVpnActiveActive": {
+ "value": "[parameters('enableVpnActiveActive')]"
+ },
 "gwRegionalOrAz": {
 "value": "[parameters('gwRegionalOrAz')]"
 },
@@ -4164,6 +4178,9 @@
 "enableAzFwDnsProxy": {
 "value": "[parameters('enableAzFwDnsProxy')]"
 },
+ "enableVpnActiveActive": {
+ "value": "[parameters('enableVpnActiveActive')]"
+ },
 "gwRegionalOrAz": {
 "value": "[parameters('gwRegionalOrAz')]"
 },
@@ -4240,6 +4257,9 @@
 "subnetMaskForGw": {
 "value": "[parameters('subnetMaskForGw')]"
 },
+ "enableVpnActiveActive": {
+ "value": "[parameters('enableVpnActiveActive')]"
+ },
 "gwRegionalOrAz": {
 "value": "[parameters('gwRegionalOrAz')]"
 },
diff --git a/eslzArm/eslzArm.terraform-sync.param.json b/eslzArm/eslzArm.terraform-sync.param.json
index 95c9d30447..c0542cda1f 100644
--- a/eslzArm/eslzArm.terraform-sync.param.json
+++ b/eslzArm/eslzArm.terraform-sync.param.json
@@ -116,6 +116,9 @@
 "enableVpnGw": {
 "value": "No"
 },
+ "enableVpnActiveActive": {
+ "value": ""
+ },
 "gwRegionalOrAz": {
 "value": ""
 },
diff --git a/eslzArm/eslzArm.test.param.json b/eslzArm/eslzArm.test.param.json
index 5026f4a05d..c83eb04fc8 100644
--- a/eslzArm/eslzArm.test.param.json
+++ b/eslzArm/eslzArm.test.param.json
@@ -125,6 +125,9 @@
 "enableVpnGw": {
 "value": "No"
 },
+ "enableVpnActiveActive": {
+ "value": "Yes"
+ },
 "gwRegionalOrAz": {
 "value": ""
 },
diff --git a/eslzArm/subscriptionTemplates/hubspoke-connectivity.json b/eslzArm/subscriptionTemplates/hubspoke-connectivity.json
index 6f1aedaf86..9a0068fcd5 100644
--- a/eslzArm/subscriptionTemplates/hubspoke-connectivity.json
+++ b/eslzArm/subscriptionTemplates/hubspoke-connectivity.json
@@ -135,6 +135,10 @@
 "type": "string",
 "defaultValue": ""
 },
+ "enableVpnActiveActive": {
+ "type": "string",
+ "defaultValue": ""
+ },
 "gwAzSku": {
 "type": "string",
 "defaultValue": ""
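Review bot: eslzArm.terraform-sync.param.json passes `"value": ""` for `enableVpnActiveActive`, but eslzArm.json declares that parameter with `"allowedValues": ["Yes", "No"]`, and an empty string is not in that list. If this parameter file is deployed against eslzArm.json, as its name suggests, template validation would reject it before any resource is evaluated; `"value": "No"` matches the declared default. eslzArm.test.param.json sets 'Yes' while `enableVpnGw` stays 'No', so the new active-active branch is not exercised by that file.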
@@ -167,10 +171,12 @@
 "azFwPolicyName": "[concat(parameters('topLevelManagementGroupPrefix'), '-azfwpolicy-', parameters('location'))]",
 "hubName": "[concat(parameters('topLevelManagementGroupPrefix'), '-hub-', parameters('location'))]",
 "azVpnGwIpName": "[concat(variables('vpngwname'), '-pip')]",
+ "azVpnGwAAIpName": "[concat(variables('vpngwname'), '-pip-002')]",
 "azVpnGwSubnetId": "[concat('/subscriptions/', parameters('connectivitySubscriptionId'), '/resourceGroups/', variables('rgName'),'/providers/Microsoft.Network/virtualNetworks/', variables('hubname'), '/subnets/GatewaySubnet')]",
 "azFwName": "[concat(parameters('topLevelManagementGroupPrefix'), '-fw-', parameters('location'))]",
 "azErGwIpName": "[concat(variables('erGwName'), '-pip')]",
 "azVpnGwPipId": "[concat('/subscriptions/', parameters('connectivitySubscriptionId'), '/resourceGroups/', variables('rgName'), '/providers/Microsoft.Network/publicIPAddresses/', variables('azVpnGwIpName'))]",
+ "azVpnGwAAPipId": "[concat('/subscriptions/', parameters('connectivitySubscriptionId'), '/resourceGroups/', variables('rgName'), '/providers/Microsoft.Network/publicIPAddresses/', variables('azVpnGwAAIpName'))]",
 "azFwIpName": "[concat(variables('azFwName'), '-pip')]",
 "azFwMgmtIpName": "[concat(variables('azFwName'), '-mgmtpip')]",
 "azErGwSubnetId": "[concat('/subscriptions/', parameters('connectivitySubscriptionId'), '/resourceGroups/', variables('rgName'),'/providers/Microsoft.Network/virtualNetworks/', variables('hubname'), '/subnets/GatewaySubnet')]",
@@ -304,16 +310,82 @@ } }, { - "condition": "[and(equals(parameters('enableVpnGw'), 'Yes'), not(empty(parameters('subnetMaskForGw'))))]", + "condition": "[and(equals(parameters('enableVpnGw'), 'Yes'), equals(parameters('enableVpnActiveActive'),'Yes'), not(empty(parameters('subnetMaskForGw'))))]", + "apiVersion": "2020-05-01", + "type": "Microsoft.Network/publicIpAddresses", + "location": "[parameters('location')]", + "name": "[variables('azVpnGwAAIpName')]", + "sku": { + "name": "[if(equals(parameters('gwRegionalOrAz'), 'Zone'), 'Standard', 'Basic')]" + }, + "properties": { + "publicIPAllocationMethod": "[if(equals(parameters('gwRegionalOrAz'), 'Zone'), 'Static', 'Dynamic')]" + } + }, + { + "condition": "[and(equals(parameters('enableVpnGw'), 'Yes'), equals(parameters('enableVpnActiveActive'),'No'), not(empty(parameters('subnetMaskForGw'))))]", + "apiVersion": "2020-05-01", + "name": "[variables('vpngwname')]", + "type": "Microsoft.Network/virtualNetworkGateways", + "location": "[parameters('location')]", + "dependsOn": [ + "[concat('Microsoft.Network/publicIPAddresses/', variables('azVpnGwIpName'))]", + "[concat('Microsoft.Network/virtualNetworks/', variables('hubName'))]" + ], + "properties": { + "activeActive": false, + "gatewayType": "Vpn", + "vpnGatewayGeneration": "Generation2", + "vpnType": "RouteBased", + "ipConfigurations": [ + { + "name": "default", + "properties": { + "privateIPAllocationMethod": "Dynamic", + "subnet": { + "id": "[variables('azVpnGwSubnetId')]" + }, + "publicIpAddress": { + "id": "[variables('azVpnGwPipId')]" + } + } + } + ], + "sku": { + "name": "[if( + and( + or( + empty(parameters('gwRegionalSku')), + empty(parameters('gwAzSku'))), + not( + empty(parameters('gwRegionalSku')))), + parameters('gwRegionalSku'), + parameters('gwAzSku'))]", + "tier": "[if( + and( + or( + empty(parameters('gwRegionalSku')), + empty(parameters('gwAzSku'))), + not( + empty(parameters('gwRegionalSku')))), + parameters('gwRegionalSku'), + 
parameters('gwAzSku'))]" + } + } + }, + { + "condition": "[and(equals(parameters('enableVpnGw'), 'Yes'), equals(parameters('enableVpnActiveActive'),'Yes'), not(empty(parameters('subnetMaskForGw'))))]", "apiVersion": "2020-05-01", "name": "[variables('vpngwname')]", "type": "Microsoft.Network/virtualNetworkGateways", "location": "[parameters('location')]", "dependsOn": [ "[concat('Microsoft.Network/publicIPAddresses/', variables('azVpnGwIpName'))]", + "[concat('Microsoft.Network/publicIPAddresses/', variables('azVpnGwAAIpName'))]", "[concat('Microsoft.Network/virtualNetworks/', variables('hubName'))]" ], "properties": { + "activeActive": true, "gatewayType": "Vpn", "vpnGatewayGeneration": "Generation2", "vpnType": "RouteBased", @@ -329,6 +401,18 @@ "id": "[variables('azVpnGwPipId')]" } } + }, + { + "name": "activeactive", + "properties": { + "privateIPAllocationMethod": "Dynamic", + "subnet": { + "id": "[variables('azVpnGwSubnetId')]" + }, + "publicIpAddress": { + "id": "[variables('azVpnGwAAPipId')]" + } + } } ], "sku": { diff --git a/eslzArm/subscriptionTemplates/nvahubspoke-connectivity.json b/eslzArm/subscriptionTemplates/nvahubspoke-connectivity.json index f524364fb3..631f20d388 100644 --- a/eslzArm/subscriptionTemplates/nvahubspoke-connectivity.json +++ b/eslzArm/subscriptionTemplates/nvahubspoke-connectivity.json @@ -93,6 +93,10 @@ "type": "string", "defaultValue": "" }, + "enableVpnActiveActive": { + "type": "string", + "defaultValue": "" + }, "gwAzSku": { "type": "string", "defaultValue": "" 
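Review bot: The second public IP added in the `@@ -304,16 +310,82 @@` hunk falls back to the `Basic` SKU with `Dynamic` allocation whenever `gwRegionalOrAz` is not 'Zone', which presumably mirrors the existing first address (its definition is outside the hunk). Basic public IPs are on Azure's retirement path, and a dynamically allocated gateway address can change when the gateway is recreated, so on-premises peers and firewall allow-lists keyed to the tunnel endpoints have to be revisited, now for two addresses instead of one. Consider `Standard` with `Static` in both branches, or a short comment in the wiki page stating why Basic is kept for regional gateways. The same resource is added in docs/reference/treyresearch/armTemplates/auxiliary/hubspoke-connectivity.json and in nvahubspoke-connectivity.json.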
@@ -123,9 +127,11 @@
 "rgName": "[concat(parameters('topLevelManagementGroupPrefix'), '-vnethub-', parameters('location'))]",
 "hubName": "[concat(parameters('topLevelManagementGroupPrefix'), '-hub-', parameters('location'))]",
 "azVpnGwIpName": "[concat(variables('vpngwname'), '-pip')]",
+ "azVpnGwAAIpName": "[concat(variables('vpngwname'), '-pip-002')]",
 "azVpnGwSubnetId": "[concat('/subscriptions/', parameters('connectivitySubscriptionId'), '/resourceGroups/', variables('rgName'),'/providers/Microsoft.Network/virtualNetworks/', variables('hubname'), '/subnets/GatewaySubnet')]",
 "azErGwIpName": "[concat(variables('erGwName'), '-pip')]",
 "azVpnGwPipId": "[concat('/subscriptions/', parameters('connectivitySubscriptionId'), '/resourceGroups/', variables('rgName'), '/providers/Microsoft.Network/publicIPAddresses/', variables('azVpnGwIpName'))]",
+ "azVpnGwAAPipId": "[concat('/subscriptions/', parameters('connectivitySubscriptionId'), '/resourceGroups/', variables('rgName'), '/providers/Microsoft.Network/publicIPAddresses/', variables('azVpnGwAAIpName'))]",
 "azErGwSubnetId": "[concat('/subscriptions/', parameters('connectivitySubscriptionId'), '/resourceGroups/', variables('rgName'),'/providers/Microsoft.Network/virtualNetworks/', variables('hubname'), '/subnets/GatewaySubnet')]",
 "azErGwPipId": "[concat('/subscriptions/', parameters('connectivitySubscriptionId'), '/resourceGroups/', variables('rgName'), '/providers/Microsoft.Network/publicIPAddresses/', variables('azErGwIpName'))]",
 "resourceDeploymentName": "[take(concat(deployment().name, '-hubspoke', parameters('location')), 64)]",
@@ -225,7 +231,20 @@
 }
 },
 {
- "condition": "[and(equals(parameters('enableVpnGw'), 'Yes'), not(empty(parameters('subnetMaskForGw'))))]",
+ "condition": "[and(equals(parameters('enableVpnGw'), 'Yes'), equals(parameters('enableVpnActiveActive'),'Yes'), not(empty(parameters('subnetMaskForGw'))))]",
+ "apiVersion": "2020-05-01",
+ "type": "Microsoft.Network/publicIpAddresses",
+ "location": "[parameters('location')]",
+ "name": "[variables('azVpnGwAAIpName')]",
+ "sku": {
+ "name": "[if(equals(parameters('gwRegionalOrAz'), 'Zone'), 'Standard', 'Basic')]"
+ },
+ "properties": {
+ "publicIPAllocationMethod": "[if(equals(parameters('gwRegionalOrAz'), 'Zone'), 'Static', 'Dynamic')]"
+ }
+ },
+ {
+ "condition": "[and(equals(parameters('enableVpnGw'), 'Yes'), equals(parameters('enableVpnActiveActive'),'No'), not(empty(parameters('subnetMaskForGw'))))]",
 "apiVersion": "2020-05-01",
 "name": "[variables('vpngwname')]",
 "type": "Microsoft.Network/virtualNetworkGateways",
@@ -235,6 +254,7 @@
 "[concat('Microsoft.Network/virtualNetworks/', variables('hubName'))]"
 ],
 "properties": {
+ "activeActive": false,
 "gatewayType": "Vpn",
 "vpnGatewayGeneration": "Generation2",
 "vpnType": "RouteBased",
@@ -274,6 +294,70 @@
 }
 }
 },
+ {
+ "condition": "[and(equals(parameters('enableVpnGw'), 'Yes'), equals(parameters('enableVpnActiveActive'),'Yes'), not(empty(parameters('subnetMaskForGw'))))]",
+ "apiVersion": "2020-05-01",
+ "name": "[variables('vpngwname')]",
+ "type": "Microsoft.Network/virtualNetworkGateways",
+ "location": "[parameters('location')]",
+ "dependsOn": [
+ "[concat('Microsoft.Network/publicIPAddresses/', variables('azVpnGwIpName'))]",
+ "[concat('Microsoft.Network/publicIPAddresses/', variables('azVpnGwAAIpName'))]",
+ "[concat('Microsoft.Network/virtualNetworks/', variables('hubName'))]"
+ ],
+ "properties": {
+ "activeActive": true,
+ "gatewayType": "Vpn",
+ "vpnGatewayGeneration": "Generation2",
+ "vpnType": "RouteBased",
+ "ipConfigurations": [
+ {
+ "name": "default",
+ "properties": {
+ "privateIPAllocationMethod": "Dynamic",
+ "subnet": {
+ "id": "[variables('azVpnGwSubnetId')]"
+ },
+ "publicIpAddress": {
+ "id": "[variables('azVpnGwPipId')]"
+ }
+ }
+ },
+ {
+ "name": "activeactive",
+ "properties": {
+ "privateIPAllocationMethod": "Dynamic",
+ "subnet": {
+ "id": "[variables('azVpnGwSubnetId')]"
+ },
+ "publicIpAddress": {
+ "id": "[variables('azVpnGwAAPipId')]"
+ }
+ }
+ }
+ ],
+ "sku": {
+ "name": "[if(
+ and(
+ or(
+ empty(parameters('gwRegionalSku')),
+ empty(parameters('gwAzSku'))),
+ not(
+ empty(parameters('gwRegionalSku')))),
+ parameters('gwRegionalSku'),
+ parameters('gwAzSku'))]",
+ "tier": "[if(
+ and(
+ or(
+ empty(parameters('gwRegionalSku')),
+ empty(parameters('gwAzSku'))),
+ not(
+ empty(parameters('gwRegionalSku')))),
+ parameters('gwRegionalSku'),
+ parameters('gwAzSku'))]"
+ }
+ }
+ },
 {
 "condition": "[and(equals(parameters('enableErGw'), 'Yes'), not(empty(parameters('subnetMaskForGw'))))]",
 "apiVersion": "2020-05-01",