diff --git a/docs/reference/treyresearch/armTemplates/auxiliary/hubspoke-connectivity.json b/docs/reference/treyresearch/armTemplates/auxiliary/hubspoke-connectivity.json
index 4f47621256..511f5711f9 100644
--- a/docs/reference/treyresearch/armTemplates/auxiliary/hubspoke-connectivity.json
+++ b/docs/reference/treyresearch/armTemplates/auxiliary/hubspoke-connectivity.json
@@ -107,6 +107,10 @@
 "type": "string",
 "defaultValue": ""
 },
+ "enableVpnActiveActive": {
+ "type": "string",
+ "defaultValue": ""
+ },
 "gwAzSku": {
 "type": "string",
 "defaultValue": ""
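Review bot: The new `enableVpnActiveActive` parameter defaults to `""`, which matches neither `'Yes'` nor `'No'` in the gateway conditions this commit adds further down in the same file, so a deployment that sets `enableVpnGw` to `'Yes'` without passing the new parameter would create no VPN gateway at all, presumably without any error. Declare it the way es-lite.json and eslzArm.json do in this commit, `"defaultValue": "No", "allowedValues": ["Yes", "No"]`, or make the single-instance condition `not(equals(parameters('enableVpnActiveActive'), 'Yes'))`. The same default appears in eslzArm/subscriptionTemplates/hubspoke-connectivity.json and nvahubspoke-connectivity.json. A `metadata.description` on the parameter would also document the accepted values.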
@@ -147,10 +151,12 @@
 "azFwPolicyName": "[concat(parameters('topLevelManagementGroupPrefix'), '-azfwpolicy-', parameters('location'))]",
 "hubName": "[concat(parameters('topLevelManagementGroupPrefix'), '-hub-', parameters('location'))]",
 "azVpnGwIpName": "[concat(variables('vpngwname'), '-pip')]",
+ "azVpnGwAAIpName": "[concat(variables('vpngwname'), '-pip-002')]",
 "azVpnGwSubnetId": "[concat('/subscriptions/', parameters('connectivitySubscriptionId'), '/resourceGroups/', variables('rgName'),'/providers/Microsoft.Network/virtualNetworks/', variables('hubname'), '/subnets/GatewaySubnet')]",
 "azFwName": "[concat(parameters('topLevelManagementGroupPrefix'), '-fw-', parameters('location'))]",
 "azErGwIpName": "[concat(variables('erGwName'), '-pip')]",
 "azVpnGwPipId": "[concat('/subscriptions/', parameters('connectivitySubscriptionId'), '/resourceGroups/', variables('rgName'), '/providers/Microsoft.Network/publicIPAddresses/', variables('azVpnGwIpName'))]",
+ "azVpnGwAAPipId": "[concat('/subscriptions/', parameters('connectivitySubscriptionId'), '/resourceGroups/', variables('rgName'), '/providers/Microsoft.Network/publicIPAddresses/', variables('azVpnGwAAIpName'))]",
 "azFwIpName": "[concat(variables('azFwName'), '-pip')]",
 "azErGwSubnetId": "[concat('/subscriptions/', parameters('connectivitySubscriptionId'), '/resourceGroups/', variables('rgName'),'/providers/Microsoft.Network/virtualNetworks/', variables('hubname'), '/subnets/GatewaySubnet')]",
 "azErGwPipId": "[concat('/subscriptions/', parameters('connectivitySubscriptionId'), '/resourceGroups/', variables('rgName'), '/providers/Microsoft.Network/publicIPAddresses/', variables('azErGwIpName'))]",
@@ -347,7 +353,20 @@
 }
 },
 {
- "condition": "[and(equals(parameters('enableVpnGw'), 'Yes'), not(empty(parameters('subnetMaskForGw'))))]",
+ "condition": "[and(equals(parameters('enableVpnGw'), 'Yes'), equals(parameters('enableVpnActiveActive'),'Yes'), not(empty(parameters('subnetMaskForGw'))))]",
+ "apiVersion": "2020-05-01",
+ "type": "Microsoft.Network/publicIpAddresses",
+ "location": "[parameters('location')]",
+ "name": "[variables('azVpnGwAAIpName')]",
+ "sku": {
+ "name": "[if(equals(parameters('gwRegionalOrAz'), 'Zone'), 'Standard', 'Basic')]"
+ },
+ "properties": {
+ "publicIPAllocationMethod": "[if(equals(parameters('gwRegionalOrAz'), 'Zone'), 'Static', 'Dynamic')]"
+ }
+ },
+ {
+ "condition": "[and(equals(parameters('enableVpnGw'), 'Yes'), equals(parameters('enableVpnActiveActive'),'No'), not(empty(parameters('subnetMaskForGw'))))]",
 "apiVersion": "2020-05-01",
 "name": "[variables('vpngwname')]",
 "type": "Microsoft.Network/virtualNetworkGateways",
@@ -357,6 +376,7 @@
 "[concat('Microsoft.Network/virtualNetworks/', variables('hubName'))]"
 ],
 "properties": {
+ "activeActive": false,
 "gatewayType": "Vpn",
 "vpnGatewayGeneration": "Generation2",
 "vpnType": "[parameters('vpnGwType')]",
@@ -396,6 +416,70 @@
 }
 }
 },
+ {
+ "condition": "[and(equals(parameters('enableVpnGw'), 'Yes'), equals(parameters('enableVpnActiveActive'),'Yes'), not(empty(parameters('subnetMaskForGw'))))]",
+ "apiVersion": "2020-05-01",
+ "name": "[variables('vpngwname')]",
+ "type": "Microsoft.Network/virtualNetworkGateways",
+ "location": "[parameters('location')]",
+ "dependsOn": [
+ "[concat('Microsoft.Network/publicIPAddresses/', variables('azVpnGwIpName'))]",
+ "[concat('Microsoft.Network/publicIPAddresses/', variables('azVpnGwAAIpName'))]",
+ "[concat('Microsoft.Network/virtualNetworks/', variables('hubName'))]"
+ ],
+ "properties": {
+ "activeActive": true,
+ "gatewayType": "Vpn",
+ "vpnGatewayGeneration": "Generation2",
+ "vpnType": "[parameters('vpnGwType')]",
+ "ipConfigurations": [
+ {
+ "name": "default",
+ "properties": {
+ "privateIPAllocationMethod": "Dynamic",
+ "subnet": {
+ "id": "[variables('azVpnGwSubnetId')]"
+ },
+ "publicIpAddress": {
+ "id": "[variables('azVpnGwPipId')]"
+ }
+ }
+ },
+ {
+ "name": "activeactive",
+ "properties": {
+ "privateIPAllocationMethod": "Dynamic",
+ "subnet": {
+ "id": "[variables('azVpnGwSubnetId')]"
+ },
+ "publicIpAddress": {
+ "id": "[variables('azVpnGwAAPipId')]"
+ }
+ }
+ }
+ ],
+ "sku": {
+ "name": "[if(
+ and(
+ or(
+ empty(parameters('gwRegionalSku')),
+ empty(parameters('gwAzSku'))),
+ not(
+ empty(parameters('gwRegionalSku')))),
+ parameters('gwRegionalSku'),
+ parameters('gwAzSku'))]",
+ "tier": "[if(
+ and(
+ or(
+ empty(parameters('gwRegionalSku')),
+ empty(parameters('gwAzSku'))),
+ not(
+ empty(parameters('gwRegionalSku')))),
+ parameters('gwRegionalSku'),
+ parameters('gwAzSku'))]"
+ }
+ }
+ },
 {
 "condition": "[and(equals(parameters('enableErGw'), 'Yes'), not(empty(parameters('subnetMaskForGw'))))]",
 "apiVersion": "2020-05-01",
diff --git a/docs/reference/treyresearch/armTemplates/es-lite.json b/docs/reference/treyresearch/armTemplates/es-lite.json
index 4a197ab0d9..c6babdfddf 100644
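Review bot: The active-active gateway is added as a second `Microsoft.Network/virtualNetworkGateways` resource with the same name as the existing one, differing only in `activeActive` and the extra `ipConfigurations` entry, so every later change to the gateway settings has to be made twice here and again in the two eslzArm/subscriptionTemplates copies. A single resource could keep the original condition and set `"activeActive": "[equals(parameters('enableVpnActiveActive'), 'Yes')]"`, with `ipConfigurations` chosen by an `if()` between a one-entry and a two-entry array held in variables. The `dependsOn` entry for the second public IP can stay in that single resource, since Resource Manager drops dependencies on conditional resources that are not deployed. The hunk shows only the added resource; the existing gateway definition starts outside it.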
--- a/docs/reference/treyresearch/armTemplates/es-lite.json
+++ b/docs/reference/treyresearch/armTemplates/es-lite.json
@@ -350,6 +350,14 @@
 "type": "string",
 "defaultValue": ""
 },
+ "enableVpnActiveActive": {
+ "type": "string",
+ "defaultValue": "No",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ]
+ },
 "gwAzSku": {
 "type": "string",
 "defaultValue": ""
@@ -825,6 +833,9 @@
 "gwRegionalOrAz": {
 "value": "[parameters('gwRegionalOrAz')]"
 },
+ "enableVpnActiveActive": {
+ "value": "[parameters('enableVpnActiveActive')]"
+ },
 "gwAzSku": {
 "value": "[parameters('gwAzSku')]"
 },
diff --git a/docs/reference/treyresearch/armTemplates/es-portal.json b/docs/reference/treyresearch/armTemplates/es-portal.json
index eb35638fa7..df714983ef 100644
--- a/docs/reference/treyresearch/armTemplates/es-portal.json
+++ b/docs/reference/treyresearch/armTemplates/es-portal.json
@@ -549,6 +549,26 @@
 ]
 }
 },
+ {
+ "name": "enableVpnActiveActive",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Deploy VPN Gateway in Active/Active mode",
+ "defaultValue": "No",
+ "visible": "[and(equals(steps('connectivity').enableVpnGw,'Yes'), not(equals(steps('connectivity').enableHub, 'vwan')), equals(steps('connectivity').enableVpnGw,'Yes'))]",
+ "toolTip": "Deploy the VPN gateway in Active/Active mode",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ }
+ },
 {
 "name": "esGwNoAzSku",
 "type": "Microsoft.Common.DropDown",
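Review bot: The `visible` expression on the new `enableVpnActiveActive` control in es-portal.json reads `steps('connectivity')`, while the output added for this file in the next hunk reads `steps('esConnectivityGoalState').enableVpnActiveActive` and the neighbouring outputs use that step too, so the expression looks copied from eslzArm/eslz-portal.json and may reference a step that does not exist here; the enclosing step definition is outside the hunk, so this needs checking against the file. It also tests `equals(steps('connectivity').enableVpnGw,'Yes')` twice. If the step is indeed `esConnectivityGoalState`, the expression would become `[and(equals(steps('esConnectivityGoalState').VPN_GATEWAY_CONTROL, 'Yes'), not(equals(steps('esConnectivityGoalState').HUB_CONTROL, 'vwan')))]`, where the two upper-case names are placeholders for this file's own control names. portal-es-lite.json carries the same expression, and the duplicated term is also in eslzArm/eslz-portal.json.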
@@ -1254,6 +1274,7 @@
 "vpnOrErZones": "[steps('esConnectivityGoalState').esGwRegionalOrAz]",
 "firewallZones": "[steps('esConnectivityGoalState').esFwAz]",
 "gwRegionalOrAz": "[steps('esConnectivityGoalState').esGwRegionalOrAz]",
+ "enableVpnActiveActive": "[steps('esConnectivityGoalState').enableVpnActiveActive]",
 "gwAzSku": "[steps('esConnectivityGoalState').esGwAzSku]",
 "gwRegionalSku": "[if(empty(steps('esConnectivityGoalState').esGwRegionalSku), steps('esConnectivityGoalState').esGwNoAzSku, steps('esConnectivityGoalState').esGwRegionalSku)]",
 "erRegionalOrAz": "[steps('esConnectivityGoalState').esErRegionalOrAz]",
diff --git a/docs/reference/treyresearch/armTemplates/portal-es-lite.json b/docs/reference/treyresearch/armTemplates/portal-es-lite.json
index cc28b9e4a8..b068438eff 100644
--- a/docs/reference/treyresearch/armTemplates/portal-es-lite.json
+++ b/docs/reference/treyresearch/armTemplates/portal-es-lite.json
@@ -540,6 +540,26 @@
 ]
 }
 },
+ {
+ "name": "enableVpnActiveActive",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Deploy VPN Gateway in Active/Active mode",
+ "defaultValue": "No",
+ "visible": "[and(equals(steps('connectivity').enableVpnGw,'Yes'), not(equals(steps('connectivity').enableHub, 'vwan')), equals(steps('connectivity').enableVpnGw,'Yes'))]",
+ "toolTip": "Deploy the VPN gateway in Active/Active mode",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ }
+ },
 {
 "name": "esGwNoAzSku",
 "type": "Microsoft.Common.DropDown",
@@ -1243,6 +1263,7 @@ "vpnOrErZones": "[steps('esConnectivityGoalState').esGwRegionalOrAz]", "firewallZones": "[steps('esConnectivityGoalState').esFwAz]", "gwRegionalOrAz": "[steps('esConnectivityGoalState').esGwRegionalOrAz]", + "enableVpnActiveActive": "[steps('esConnectivityGoalState').enableVpnActiveActive]", "gwAzSku": "[steps('esConnectivityGoalState').esGwAzSku]", "gwRegionalSku": "[if(empty(steps('esConnectivityGoalState').esGwRegionalSku), steps('esConnectivityGoalState').esGwNoAzSku, steps('esConnectivityGoalState').esGwRegionalSku)]", "erRegionalOrAz": "[steps('esConnectivityGoalState').esErRegionalOrAz]", diff --git a/docs/wiki/Deploying-ALZ-BasicSetup.md b/docs/wiki/Deploying-ALZ-BasicSetup.md index be073d7524..44d45118cd 100644 --- a/docs/wiki/Deploying-ALZ-BasicSetup.md +++ b/docs/wiki/Deploying-ALZ-BasicSetup.md @@ -160,7 +160,7 @@ On the *Network topology and connectivity* blade you will configure your core ne Set **Deploy VPN Gateway** to **Yes**: - ![networkTab-topology](./media/clip_image036b-2-singlesubscription.png) + ![networkTab-topology](./media/ActiveActive.png) - **Deploy zone redundant or regional VPN Gateway** and **Deploy zone redundant or regional ExpressRoute Gateway**: Zone-redundant gateways are recommended and enabled by default (as per the capabilities of the Region you are deploying your hub virtual network) as they provide higher resiliency and availability. You might opt for a regional deployment depending on your availability requirements and budget. In this tutorial you will deploy a zone-redundant VPN Gateway: 
@@ -168,6 +168,8 @@ On the *Network topology and connectivity* blade you will configure your core ne ![networkTab-gwDeploy](./media/clip_image036b-3-singlesubscription.png) + - **Deploy VPN Gateway in Active/Active mode**: You can create an Azure VPN gateway in an active-active configuration, where both instances of the gateway VMs establish S2S VPN tunnels to your on-premises VPN device. In this configuration, each Azure gateway instance has a unique public IP address, and each will establish an IPsec/IKE S2S VPN tunnel to your on-premises VPN device specified in your local network gateway and connection. See [Active-active VPN gateways](https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-highlyavailable#active-active-vpn-gateways). + - **Select the VPN Gateway SKU** and **Select the ExpressRoute Gateway VPN**: choose the right SKU based on your requirements (capabilities, throughput and availability). See [VPN Gateway SKUs](https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsku) and [ExpressRoute Gateway SKUs](https://learn.microsoft.com/en-us/azure/expressroute/expressroute-about-virtual-network-gateways#gwsku) for further details on the virtual gateway's SKUs you have available in Azure. In this tutorial you will deploy a VpnGw2AZ which provides an aggregated throughput of up to 1 Gbps: ![networkTab-gwSku](./media/clip_image036b-4-singlesubscription.png) diff --git a/docs/wiki/Whats-new.md b/docs/wiki/Whats-new.md index 2312e87574..231f45287e 100644 --- a/docs/wiki/Whats-new.md +++ b/docs/wiki/Whats-new.md @@ -1,6 +1,7 @@ ## In this Section - [Updates](#updates) + - [October 2023](#october-2023) - [September 2023](#september-2023) - [August 2023](#august-2023) - [July 2023](#july-2023) 
@@ -38,6 +39,12 @@ This article will be updated as and when changes are made to the above and anyth Here's what's changed in Enterprise Scale/Azure Landing Zones: +### October 2023 + +#### Tooling +- Added vWAN Hub Routing Intent support to Portal Accelerator for scenarios that include Azure Firewall deployment +- Enhanced the ALZ Portal Accelerator to provide the ability to deploy the Azure VPN Gateway in Active/Active mode as per feedback from [#655](https://github.com/Azure/Enterprise-Scale/issues/655). + ### September 2023 #### Policy @@ -64,13 +71,9 @@ Here's what's changed in Enterprise Scale/Azure Landing Zones: - Deploy-VM-Monitoring (Management Group: Intermediate Root) - Deploy-VMSS-Monitoring (Management Group: Intermediate Root) -#### Tooling - -- Added vWAN Hub Routing Intent support to Portal Accelerator for scenarios that include Azure Firewall deployment - #### Other -- [Azure Landing Zone External Community Call - September 2023 - Hosted & Published](https://github.com/Azure/Enterprise-Scale/wiki/Community-Calls#25th-september-2023-25092023)) +- [Azure Landing Zone External Community Call - September 2023 - Hosted & Published](https://github.com/Azure/Enterprise-Scale/wiki/Community-Calls#25th-september-2023-25092023) ### August 2023 diff --git a/docs/wiki/media/ActiveActive.png b/docs/wiki/media/ActiveActive.png new file mode 100644 index 0000000000..9e6d903a2d Binary files /dev/null and b/docs/wiki/media/ActiveActive.png differ diff --git a/eslzArm/eslz-portal.json b/eslzArm/eslz-portal.json index f0e8ec91ab..4284bcfdba 100644 --- a/eslzArm/eslz-portal.json +++ b/eslzArm/eslz-portal.json 
@@ -1186,6 +1186,26 @@
 ]
 }
 },
+ {
+ "name": "enableVpnActiveActive",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Deploy VPN Gateway in Active/Active mode",
+ "defaultValue": "No",
+ "visible": "[and(equals(steps('connectivity').enableVpnGw,'Yes'), not(equals(steps('connectivity').enableHub, 'vwan')), equals(steps('connectivity').enableVpnGw,'Yes'))]",
+ "toolTip": "Deploy the VPN gateway in Active/Active mode",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ }
+ },
 {
 "name": "esGwNoAzSku",
 "type": "Microsoft.Common.DropDown",
@@ -3018,6 +3038,7 @@
 "enablePrivateDnsZones": "[steps('connectivity').enablePrivateDnsZones]",
 "enableVpnGw": "[steps('connectivity').enableVpnGw]",
 "gwRegionalOrAz": "[steps('connectivity').gwRegionalOrAz]",
+ "enableVpnActiveActive": "[steps('connectivity').enableVpnActiveActive]",
 "gwRegionalSku": "[coalesce(steps('connectivity').gwRegionalSku, steps('connectivity').esGwNoAzSku)]",
 "gwAzSku": "[steps('connectivity').gwAzSku]",
 "vpnGateWayScaleUnit": "[steps('connectivity').vpnGateWayScaleUnit]",
diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json
index 30eb64992d..2950191360 100644
--- a/eslzArm/eslzArm.json
+++ b/eslzArm/eslzArm.json
@@ -300,6 +300,14 @@
 "No"
 ]
 },
+ "enableVpnActiveActive": {
+ "type": "string",
+ "defaultValue": "No",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ]
+ },
 "gwRegionalOrAz": {
 "type": "string",
 "defaultValue": ""
@@ -2026,6 +2034,9 @@
 "enableAzFwDnsProxy": {
 "value": "[parameters('enableAzFwDnsProxy')]"
 },
+ "enableVpnActiveActive": {
+ "value": "[parameters('enableVpnActiveActive')]"
+ },
 "gwRegionalOrAz": {
 "value": "[parameters('gwRegionalOrAz')]"
 },
@@ -2101,6 +2112,9 @@
 "subnetMaskForGw": {
 "value": "[parameters('subnetMaskForGw')]"
 },
+ "enableVpnActiveActive": {
+ "value": "[parameters('enableVpnActiveActive')]"
+ },
 "gwRegionalOrAz": {
 "value": "[parameters('gwRegionalOrAz')]"
 },
@@ -3969,6 +3983,9 @@
 "enableAzFwDnsProxy": {
 "value": "[parameters('enableAzFwDnsProxy')]"
 },
+ "enableVpnActiveActive": {
+ "value": "[parameters('enableVpnActiveActive')]"
+ },
 "gwRegionalOrAz": {
 "value": "[parameters('gwRegionalOrAz')]"
 },
@@ -4045,6 +4062,9 @@
 "subnetMaskForGw": {
 "value": "[parameters('subnetMaskForGw')]"
 },
+ "enableVpnActiveActive": {
+ "value": "[parameters('enableVpnActiveActive')]"
+ },
 "gwRegionalOrAz": {
 "value": "[parameters('gwRegionalOrAz')]"
 },
diff --git a/eslzArm/eslzArm.terraform-sync.param.json b/eslzArm/eslzArm.terraform-sync.param.json
index 95c9d30447..c0542cda1f 100644
--- a/eslzArm/eslzArm.terraform-sync.param.json
+++ b/eslzArm/eslzArm.terraform-sync.param.json
@@ -116,6 +116,9 @@
 "enableVpnGw": {
 "value": "No"
 },
+ "enableVpnActiveActive": {
+ "value": ""
+ },
 "gwRegionalOrAz": {
 "value": ""
 },
diff --git a/eslzArm/eslzArm.test.param.json b/eslzArm/eslzArm.test.param.json
index 863a77b327..e4333210f6 100644
--- a/eslzArm/eslzArm.test.param.json
+++ b/eslzArm/eslzArm.test.param.json
@@ -104,6 +104,9 @@
 "enableVpnGw": {
 "value": "No"
 },
+ "enableVpnActiveActive": {
+ "value": "Yes"
+ },
 "gwRegionalOrAz": {
 "value": ""
 },
diff --git a/eslzArm/subscriptionTemplates/hubspoke-connectivity.json b/eslzArm/subscriptionTemplates/hubspoke-connectivity.json
index 6f1aedaf86..9a0068fcd5 100644
--- a/eslzArm/subscriptionTemplates/hubspoke-connectivity.json
+++ b/eslzArm/subscriptionTemplates/hubspoke-connectivity.json
@@ -135,6 +135,10 @@
 "type": "string",
 "defaultValue": ""
 },
+ "enableVpnActiveActive": {
+ "type": "string",
+ "defaultValue": ""
+ },
 "gwAzSku": {
 "type": "string",
 "defaultValue": ""
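Review bot: eslzArm.terraform-sync.param.json passes `enableVpnActiveActive` as `""`, but this commit declares that parameter in eslzArm.json with `"allowedValues": ["Yes", "No"]`, so a deployment using this parameter file should be rejected at template validation. Use `"value": "No"` there to keep the previous single-instance behaviour. eslzArm.test.param.json sets `"Yes"` next to `"enableVpnGw": "No"`, so neither gateway condition is met and the test does not exercise the active-active path.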
@@ -167,10 +171,12 @@
 "azFwPolicyName": "[concat(parameters('topLevelManagementGroupPrefix'), '-azfwpolicy-', parameters('location'))]",
 "hubName": "[concat(parameters('topLevelManagementGroupPrefix'), '-hub-', parameters('location'))]",
 "azVpnGwIpName": "[concat(variables('vpngwname'), '-pip')]",
+ "azVpnGwAAIpName": "[concat(variables('vpngwname'), '-pip-002')]",
 "azVpnGwSubnetId": "[concat('/subscriptions/', parameters('connectivitySubscriptionId'), '/resourceGroups/', variables('rgName'),'/providers/Microsoft.Network/virtualNetworks/', variables('hubname'), '/subnets/GatewaySubnet')]",
 "azFwName": "[concat(parameters('topLevelManagementGroupPrefix'), '-fw-', parameters('location'))]",
 "azErGwIpName": "[concat(variables('erGwName'), '-pip')]",
 "azVpnGwPipId": "[concat('/subscriptions/', parameters('connectivitySubscriptionId'), '/resourceGroups/', variables('rgName'), '/providers/Microsoft.Network/publicIPAddresses/', variables('azVpnGwIpName'))]",
+ "azVpnGwAAPipId": "[concat('/subscriptions/', parameters('connectivitySubscriptionId'), '/resourceGroups/', variables('rgName'), '/providers/Microsoft.Network/publicIPAddresses/', variables('azVpnGwAAIpName'))]",
 "azFwIpName": "[concat(variables('azFwName'), '-pip')]",
 "azFwMgmtIpName": "[concat(variables('azFwName'), '-mgmtpip')]",
 "azErGwSubnetId": "[concat('/subscriptions/', parameters('connectivitySubscriptionId'), '/resourceGroups/', variables('rgName'),'/providers/Microsoft.Network/virtualNetworks/', variables('hubname'), '/subnets/GatewaySubnet')]",
@@ -304,16 +310,82 @@
 }
 },
 {
- "condition": "[and(equals(parameters('enableVpnGw'), 'Yes'), not(empty(parameters('subnetMaskForGw'))))]",
+ "condition": "[and(equals(parameters('enableVpnGw'), 'Yes'), equals(parameters('enableVpnActiveActive'),'Yes'), not(empty(parameters('subnetMaskForGw'))))]",
+ "apiVersion": "2020-05-01",
+ "type": "Microsoft.Network/publicIpAddresses",
+ "location": "[parameters('location')]",
+ "name": "[variables('azVpnGwAAIpName')]",
+ "sku": {
+ "name": "[if(equals(parameters('gwRegionalOrAz'), 'Zone'), 'Standard', 'Basic')]"
+ },
+ "properties": {
+ "publicIPAllocationMethod": "[if(equals(parameters('gwRegionalOrAz'), 'Zone'), 'Static', 'Dynamic')]"
+ }
+ },
+ {
+ "condition": "[and(equals(parameters('enableVpnGw'), 'Yes'), equals(parameters('enableVpnActiveActive'),'No'), not(empty(parameters('subnetMaskForGw'))))]",
+ "apiVersion": "2020-05-01",
+ "name": "[variables('vpngwname')]",
+ "type": "Microsoft.Network/virtualNetworkGateways",
+ "location": "[parameters('location')]",
+ "dependsOn": [
+ "[concat('Microsoft.Network/publicIPAddresses/', variables('azVpnGwIpName'))]",
+ "[concat('Microsoft.Network/virtualNetworks/', variables('hubName'))]"
+ ],
+ "properties": {
+ "activeActive": false,
+ "gatewayType": "Vpn",
+ "vpnGatewayGeneration": "Generation2",
+ "vpnType": "RouteBased",
+ "ipConfigurations": [
+ {
+ "name": "default",
+ "properties": {
+ "privateIPAllocationMethod": "Dynamic",
+ "subnet": {
+ "id": "[variables('azVpnGwSubnetId')]"
+ },
+ "publicIpAddress": {
+ "id": "[variables('azVpnGwPipId')]"
+ }
+ }
+ }
+ ],
+ "sku": {
+ "name": "[if(
+ and(
+ or(
+ empty(parameters('gwRegionalSku')),
+ empty(parameters('gwAzSku'))),
+ not(
+ empty(parameters('gwRegionalSku')))),
+ parameters('gwRegionalSku'),
+ parameters('gwAzSku'))]",
+ "tier": "[if(
+ and(
+ or(
+ empty(parameters('gwRegionalSku')),
+ empty(parameters('gwAzSku'))),
+ not(
+ empty(parameters('gwRegionalSku')))),
+ parameters('gwRegionalSku'),
+ parameters('gwAzSku'))]"
+ }
+ }
+ },
+ {
+ "condition": "[and(equals(parameters('enableVpnGw'), 'Yes'), equals(parameters('enableVpnActiveActive'),'Yes'), not(empty(parameters('subnetMaskForGw'))))]",
 "apiVersion": "2020-05-01",
 "name": "[variables('vpngwname')]",
 "type": "Microsoft.Network/virtualNetworkGateways",
 "location": "[parameters('location')]",
 "dependsOn": [
 "[concat('Microsoft.Network/publicIPAddresses/', variables('azVpnGwIpName'))]",
+ "[concat('Microsoft.Network/publicIPAddresses/', variables('azVpnGwAAIpName'))]",
 "[concat('Microsoft.Network/virtualNetworks/', variables('hubName'))]"
 ],
 "properties": {
+ "activeActive": true,
 "gatewayType": "Vpn",
 "vpnGatewayGeneration": "Generation2",
 "vpnType": "RouteBased",
@@ -329,6 +401,18 @@
 "id": "[variables('azVpnGwPipId')]"
 }
 }
+ },
+ {
+ "name": "activeactive",
+ "properties": {
+ "privateIPAllocationMethod": "Dynamic",
+ "subnet": {
+ "id": "[variables('azVpnGwSubnetId')]"
+ },
+ "publicIpAddress": {
+ "id": "[variables('azVpnGwAAPipId')]"
+ }
+ }
 }
 ],
 "sku": {
diff --git a/eslzArm/subscriptionTemplates/nvahubspoke-connectivity.json b/eslzArm/subscriptionTemplates/nvahubspoke-connectivity.json
index f524364fb3..631f20d388 100644
--- a/eslzArm/subscriptionTemplates/nvahubspoke-connectivity.json
+++ b/eslzArm/subscriptionTemplates/nvahubspoke-connectivity.json
@@ -93,6 +93,10 @@
 "type": "string",
 "defaultValue": ""
 },
+ "enableVpnActiveActive": {
+ "type": "string",
+ "defaultValue": ""
+ },
 "gwAzSku": {
 "type": "string",
 "defaultValue": ""
@@ -123,9 +127,11 @@
 "rgName": "[concat(parameters('topLevelManagementGroupPrefix'), '-vnethub-', parameters('location'))]",
 "hubName": "[concat(parameters('topLevelManagementGroupPrefix'), '-hub-', parameters('location'))]",
 "azVpnGwIpName": "[concat(variables('vpngwname'), '-pip')]",
+ "azVpnGwAAIpName": "[concat(variables('vpngwname'), '-pip-002')]",
 "azVpnGwSubnetId": "[concat('/subscriptions/', parameters('connectivitySubscriptionId'), '/resourceGroups/', variables('rgName'),'/providers/Microsoft.Network/virtualNetworks/', variables('hubname'), '/subnets/GatewaySubnet')]",
 "azErGwIpName": "[concat(variables('erGwName'), '-pip')]",
 "azVpnGwPipId": "[concat('/subscriptions/', parameters('connectivitySubscriptionId'), '/resourceGroups/', variables('rgName'), '/providers/Microsoft.Network/publicIPAddresses/', variables('azVpnGwIpName'))]",
+ "azVpnGwAAPipId": "[concat('/subscriptions/', parameters('connectivitySubscriptionId'), '/resourceGroups/', variables('rgName'), '/providers/Microsoft.Network/publicIPAddresses/', variables('azVpnGwAAIpName'))]",
 "azErGwSubnetId": "[concat('/subscriptions/', parameters('connectivitySubscriptionId'), '/resourceGroups/', variables('rgName'),'/providers/Microsoft.Network/virtualNetworks/', variables('hubname'), '/subnets/GatewaySubnet')]",
 "azErGwPipId": "[concat('/subscriptions/', parameters('connectivitySubscriptionId'), '/resourceGroups/', variables('rgName'), '/providers/Microsoft.Network/publicIPAddresses/', variables('azErGwIpName'))]",
 "resourceDeploymentName": "[take(concat(deployment().name, '-hubspoke', parameters('location')), 64)]",
@@ -225,7 +231,20 @@
 }
 },
 {
- "condition": "[and(equals(parameters('enableVpnGw'), 'Yes'), not(empty(parameters('subnetMaskForGw'))))]",
+ "condition": "[and(equals(parameters('enableVpnGw'), 'Yes'), equals(parameters('enableVpnActiveActive'),'Yes'), not(empty(parameters('subnetMaskForGw'))))]",
+ "apiVersion": "2020-05-01",
+ "type": "Microsoft.Network/publicIpAddresses",
+ "location": "[parameters('location')]",
+ "name": "[variables('azVpnGwAAIpName')]",
+ "sku": {
+ "name": "[if(equals(parameters('gwRegionalOrAz'), 'Zone'), 'Standard', 'Basic')]"
+ },
+ "properties": {
+ "publicIPAllocationMethod": "[if(equals(parameters('gwRegionalOrAz'), 'Zone'), 'Static', 'Dynamic')]"
+ }
+ },
+ {
+ "condition": "[and(equals(parameters('enableVpnGw'), 'Yes'), equals(parameters('enableVpnActiveActive'),'No'), not(empty(parameters('subnetMaskForGw'))))]",
 "apiVersion": "2020-05-01",
 "name": "[variables('vpngwname')]",
 "type": "Microsoft.Network/virtualNetworkGateways",
@@ -235,6 +254,7 @@
 "[concat('Microsoft.Network/virtualNetworks/', variables('hubName'))]"
 ],
 "properties": {
+ "activeActive": false,
 "gatewayType": "Vpn",
 "vpnGatewayGeneration": "Generation2",
 "vpnType": "RouteBased",
@@ -274,6 +294,70 @@
 }
 }
 },
+ {
+ "condition": "[and(equals(parameters('enableVpnGw'), 'Yes'), equals(parameters('enableVpnActiveActive'),'Yes'), not(empty(parameters('subnetMaskForGw'))))]",
+ "apiVersion": "2020-05-01",
+ "name": "[variables('vpngwname')]",
+ "type": "Microsoft.Network/virtualNetworkGateways",
+ "location": "[parameters('location')]",
+ "dependsOn": [
+ "[concat('Microsoft.Network/publicIPAddresses/', variables('azVpnGwIpName'))]",
+ "[concat('Microsoft.Network/publicIPAddresses/', variables('azVpnGwAAIpName'))]",
+ "[concat('Microsoft.Network/virtualNetworks/', variables('hubName'))]"
+ ],
+ "properties": {
+ "activeActive": true,
+ "gatewayType": "Vpn",
+ "vpnGatewayGeneration": "Generation2",
+ "vpnType": "RouteBased",
+ "ipConfigurations": [
+ {
+ "name": "default",
+ "properties": {
+ "privateIPAllocationMethod": "Dynamic",
+ "subnet": {
+ "id": "[variables('azVpnGwSubnetId')]"
+ },
+ "publicIpAddress": {
+ "id": "[variables('azVpnGwPipId')]"
+ }
+ }
+ },
+ {
+ "name": "activeactive",
+ "properties": {
+ "privateIPAllocationMethod": "Dynamic",
+ "subnet": {
+ "id": "[variables('azVpnGwSubnetId')]"
+ },
+ "publicIpAddress": {
+ "id": "[variables('azVpnGwAAPipId')]"
+ }
+ }
+ }
+ ],
+ "sku": {
+ "name": "[if(
+ and(
+ or(
+ empty(parameters('gwRegionalSku')),
+ empty(parameters('gwAzSku'))),
+ not(
+ empty(parameters('gwRegionalSku')))),
+ parameters('gwRegionalSku'),
+ parameters('gwAzSku'))]",
+ "tier": "[if(
+ and(
+ or(
+ empty(parameters('gwRegionalSku')),
+ empty(parameters('gwAzSku'))),
+ not(
+ empty(parameters('gwRegionalSku')))),
+ parameters('gwRegionalSku'),
+ parameters('gwAzSku'))]"
+ }
+ }
+ },
 {
 "condition": "[and(equals(parameters('enableErGw'), 'Yes'), not(empty(parameters('subnetMaskForGw'))))]",
 "apiVersion": "2020-05-01",