Adding Multi-Region Network Deployment #1608

Merged Jun 18, 2024 (233 commits)

Commits
6fa091e
Duplicated Test Parameters
brsteph Mar 11, 2024
3e8fbac
Initial parallel breakout
brsteph Mar 14, 2024
2c28d31
Updated text naming for portal network item
brsteph Mar 14, 2024
b25924f
Merge branch 'Azure:main' into main
brsteph Mar 14, 2024
714679f
Bracket issue fix
brsteph Mar 14, 2024
cd64f6a
Merge branch 'main' of https://github.com/brsteph/Enterprise-Scale
brsteph Mar 14, 2024
54bc696
Portal change tests
brsteph Mar 14, 2024
cf9ad60
Portal Tweak
brsteph Mar 14, 2024
b3de4cd
Continue portal adjustment
brsteph Mar 14, 2024
af25f7f
Tweak
brsteph Mar 14, 2024
bf8218e
Completed initial UI adjustment for Hub
brsteph Mar 14, 2024
74cce08
Checking compounding logic on one widget
brsteph Mar 14, 2024
87a449a
Adjusting logic for secondary region displays
brsteph Mar 14, 2024
e6eb22d
Another conditional logic test
brsteph Mar 14, 2024
5885926
Another conditional logic test
brsteph Mar 14, 2024
c57e4be
Display logic update
brsteph Mar 14, 2024
b46d017
Portal logic
brsteph Mar 14, 2024
5bc568d
adj
brsteph Mar 14, 2024
f951036
Breaking out VWAN options test 1
brsteph Mar 14, 2024
9f03f6b
Revisiting phrasing of secondary enablement
brsteph Mar 14, 2024
b2db202
Portal updates and some parameter fixes
brsteph Mar 14, 2024
df30fd2
More of that logic stuff
brsteph Mar 14, 2024
e76e05f
fix trailing comma
brsteph Mar 14, 2024
aaa5cd7
Fixing trailing commav2
brsteph Mar 14, 2024
eab9951
Test
brsteph Mar 14, 2024
16c0780
Fix 2
brsteph Mar 14, 2024
5c1315e
Double quoted issue
brsteph Mar 14, 2024
8d9e4d1
Conditional logic and-and check
brsteph Mar 14, 2024
b948b21
And and test 2
brsteph Mar 14, 2024
600a195
Not equals null logic test
brsteph Mar 14, 2024
373c281
brute force visibility logic I Guess
brsteph Mar 14, 2024
520d8cd
Second region text and new display logic
brsteph Mar 14, 2024
c1e0f47
Fix subnet evaluation
brsteph Mar 14, 2024
e3f812a
Added ES Lite Network Multiregion
brsteph Mar 15, 2024
2517b07
Updating DNS Zone reuse.
brsteph Mar 15, 2024
5583e01
Created infobox for DNS regions with link to guidance.
brsteph Mar 15, 2024
a14057a
oh commas
brsteph Mar 15, 2024
16d0f87
Updated outputs
brsteph Mar 15, 2024
a61d763
Removing textbox to troubleshoot
brsteph Mar 15, 2024
4bca162
Cleanup
brsteph Mar 15, 2024
ea9b777
Typo fix
brsteph Mar 15, 2024
586869b
Updating deployment name logic
brsteph Mar 15, 2024
87277cb
Fixing missed deployment name
brsteph Mar 15, 2024
79924b1
Updating light DNS deployment
brsteph Mar 15, 2024
33224a8
Deployment naming testing.
brsteph Mar 15, 2024
99dd1ad
Commenting out Lite Vwan hub deployment name.
brsteph Mar 15, 2024
58b6a3c
Fixing DNS deployment names
brsteph Mar 15, 2024
6d22099
Updating DNS module with fixes, and addressing dependencies
brsteph Mar 15, 2024
289da28
Updating default value
brsteph Mar 15, 2024
76a2a57
Default value updates for DNS module params
brsteph Mar 15, 2024
cea9095
Parallel 2ndary region for eslite
brsteph Mar 15, 2024
649ec14
Fixing deployment name for DNS RGs
brsteph Mar 15, 2024
5e1f367
Adding ESLITE hub peering
brsteph Mar 18, 2024
0f6798c
Fix issue with resource ID for vnets not populating
brsteph Mar 18, 2024
241bd8c
Deployment name tracking
brsteph Mar 18, 2024
2509576
Fixing template parameter naming and commenting out peering for testing
brsteph Mar 18, 2024
1accad4
Update to peering.
brsteph Mar 18, 2024
8fb8398
Updated peering at orch level for ES LITE
brsteph Mar 18, 2024
ed07129
Updated URI
brsteph Mar 18, 2024
268be64
Fix scoping on peering call
brsteph Mar 18, 2024
5fdb8b9
Fix DNS secondary parameter call
brsteph Mar 18, 2024
e103404
Fix peering conditional logic for ES LIte
brsteph Mar 18, 2024
c800e1f
DNS naming for connection
brsteph Mar 18, 2024
1c694ce
Fixed logic in DNS zones module
brsteph Mar 18, 2024
b52f8d4
parameter passing for ESLITE DNS
brsteph Mar 18, 2024
6fb8b06
Updating infobox
brsteph Mar 18, 2024
88d26b9
Fix parenth
brsteph Mar 18, 2024
7ef5451
Fixing IDing issue and logic for DNS
brsteph Mar 18, 2024
814edf1
Conditional for the second DNS zone deployment set
brsteph Mar 18, 2024
7ff0ddd
DNS logic adjustments
brsteph Mar 18, 2024
ca258e3
Fix logic for peering
brsteph Mar 18, 2024
0e9fff2
local name edit for peering
brsteph Mar 18, 2024
085cfb2
Fixing hub RG naming for ES Lite peering
brsteph Mar 19, 2024
cf8c1d5
Fixing deployment URI issue for hubVnetpeering.
brsteph Mar 19, 2024
cb2b2f0
Commenting out peering for future investigation, to test other items.
brsteph Mar 19, 2024
2666149
Pausing Peering tests
brsteph Mar 19, 2024
ede6648
Updated comments on ESLITE Peering
brsteph Mar 19, 2024
de1729a
Fixing DNS RG creation and DNS module
brsteph Mar 19, 2024
f1a1eba
Fixing logic on DNS deployment
brsteph Mar 19, 2024
ec625a1
Fixed secondary region DNS RG deployment, and applied additional para…
brsteph Mar 19, 2024
1c8f7fa
Initial V-wan Draft
brsteph Mar 19, 2024
b9bf037
parameters and variables for vwan
brsteph Mar 19, 2024
5a5baeb
ESLITE Vwan
brsteph Mar 19, 2024
44fcc7d
Cleaning up VWAN deployment
brsteph Mar 19, 2024
7442961
ES LITE parameters
brsteph Mar 19, 2024
e0f8ea2
Was giving bad parameters to secondary rg for DNS zones
brsteph Mar 19, 2024
2c57f8e
Correcting parameters for vhub
brsteph Mar 19, 2024
fbf4eb1
Fix DNS parameters
brsteph Mar 19, 2024
f4256bc
vwan variable naming
brsteph Mar 19, 2024
f8e4708
Initial multi-region identity
brsteph Mar 19, 2024
c90651d
Fixed nesting for UI
brsteph Mar 19, 2024
a7c9c64
Fixing display logic for secondary option
brsteph Mar 20, 2024
2ad9249
Fixing location string issue on identity peering
brsteph Mar 20, 2024
c730c13
Fixing naming on vwan identity peering
brsteph Mar 20, 2024
df56d34
Fixing parameter pass for DDoS
brsteph Mar 20, 2024
32c5ea2
Re-Enabling peering for testing
brsteph Mar 20, 2024
6fd0f5a
Testing peering as a subscription deployment
brsteph Mar 20, 2024
aeb6688
Update SubscriptionID
brsteph Mar 20, 2024
0a2b79d
Added full version of the peering
brsteph Mar 20, 2024
6061e2e
Updating logic on ESLITE peering conditions
brsteph Mar 20, 2024
abc60f6
Identity platform resource name correction
brsteph Mar 20, 2024
02fc747
Identity peering/creation needed to create a region unique network wa…
brsteph Mar 20, 2024
5d19b02
Added network watcher RG name into VWAN
brsteph Mar 20, 2024
892910e
parenth
brsteph Mar 20, 2024
7af1f3a
Making Hub peering wait for identity peering
brsteph Mar 21, 2024
46a4670
Typo
brsteph Mar 21, 2024
869071b
Updating conditional logic for single region deployments
brsteph Mar 21, 2024
0d1705d
Updating conditional logic for DNS scenarios
brsteph Mar 21, 2024
142011f
Updating DNS conditions
brsteph Mar 21, 2024
d726f62
Fixing spacing on dns logic
brsteph Mar 21, 2024
f5da2df
Typo is param name
brsteph Mar 21, 2024
2db826b
Added conditional logic in the private DNS zones module
brsteph Mar 21, 2024
837a7cd
Portal bug for secondary identity zone
brsteph Mar 21, 2024
487f55b
Updating ID UI
brsteph Mar 21, 2024
ac30ce8
Identity UI experience
brsteph Mar 21, 2024
0bf87bd
Trying simplified conditional
brsteph Mar 21, 2024
3f5c3e5
Remove commented line
brsteph Mar 21, 2024
4acb0d4
DNS logic
brsteph Mar 21, 2024
1f93918
Adjusting logic for noneslite dns
brsteph Mar 21, 2024
29a7140
Updated conditionals on eslite zone
brsteph Mar 21, 2024
621ad27
Trying to simplify logic for testing
brsteph Mar 21, 2024
6893c1b
Adjustment to simplify logic
brsteph Mar 21, 2024
5827c1f
Applying streamlined logic for DNS
brsteph Mar 21, 2024
c34c3ab
Updating secondary DNS site regional names
brsteph Mar 22, 2024
940e234
Merge branch 'Azure:main' into main
brsteph Mar 22, 2024
c3645f9
Module for Route Table Creation, no orchestration
brsteph Apr 5, 2024
7e411fa
Orchestration test build with regression updates
brsteph Apr 5, 2024
ded53a4
Updating variables
brsteph Apr 5, 2024
4900818
Correcting deployment name
brsteph Apr 5, 2024
19c3385
Deployment string
brsteph Apr 5, 2024
2ee654b
Deployment name structure
brsteph Apr 5, 2024
c401c94
Fixing missing parameter
brsteph Apr 5, 2024
3a17b19
Corrected typo in parameter for sourcecidr
brsteph Apr 8, 2024
4f88f87
Fixing parameter mismatch
brsteph Apr 8, 2024
f6e074b
Adding default internet route for FW rt
brsteph Apr 8, 2024
bc78194
Baseline FW Policy + scale out of route
brsteph Apr 9, 2024
c5ed086
Updating with validation and scaling out
brsteph Apr 9, 2024
fbfd539
Fixing variable values
brsteph Apr 9, 2024
d5bbf26
Fix error comma
brsteph Apr 9, 2024
9aefc83
Fixing dependency name values
brsteph Apr 9, 2024
92c2ee3
Fixed line termination
brsteph Apr 9, 2024
f820fb2
Line terms
brsteph Apr 9, 2024
e7c8763
Fixing line errors
brsteph Apr 9, 2024
0f65d14
Assigning location to routing adds
brsteph Apr 9, 2024
cdaaff0
Fix hub-spoke parameter
brsteph Apr 9, 2024
75149b3
Auto-Complete threw errors.
brsteph Apr 9, 2024
8b83aed
Testing resolution of scope issue
brsteph Apr 9, 2024
9907646
Remove test
brsteph Apr 9, 2024
9789823
Testing the extent of issue
brsteph Apr 9, 2024
894018b
Continue separation testing
brsteph Apr 9, 2024
c063aa1
Trying base policy null test
brsteph Apr 10, 2024
e102681
Dependency setup
brsteph Apr 10, 2024
bb85198
Testing location inputs
brsteph Apr 10, 2024
72e5ae6
vwan adjust
brsteph Apr 10, 2024
1f60b55
Added eslite policy
brsteph Apr 10, 2024
e17e440
Fixing spacing
brsteph Apr 10, 2024
3ae1375
Name addressing
brsteph Apr 11, 2024
61e61c2
Removing baseline policy from hubspoke connectivity
brsteph Apr 11, 2024
4e7a5a1
reactivating secondary region for esLite routing
brsteph Apr 11, 2024
b1ae644
Fix dependencies for second region DNS on eslite
brsteph Apr 11, 2024
4596dd8
Trying to resolve location error for hub route 2
brsteph Apr 11, 2024
85f8d3d
Re-enabling non-Lite Routing deployment for testing
brsteph Apr 11, 2024
b63bf74
Cleanup of comments
brsteph Apr 11, 2024
51681e4
Commenting out base policy creation for now
brsteph Apr 12, 2024
904a661
Removing mentions of base policy
brsteph Apr 12, 2024
68afda9
Fixing secondary region deployment of rt.
brsteph Apr 12, 2024
0567a5d
Rolling back base policy function
brsteph Apr 12, 2024
f1b707c
trailing commas
brsteph Apr 12, 2024
8133d24
Adding hub and spoke instructions
brsteph Apr 12, 2024
b789711
Added VWAN instructions and adds to hub and spoke
brsteph Apr 12, 2024
70910b3
Updated what's new
brsteph Apr 12, 2024
4257543
Documentation revisions
brsteph Apr 12, 2024
1c7e39b
Added test parameters
brsteph Apr 18, 2024
4482d1f
Merge branches 'main' and 'main' of https://github.com/brsteph/Enterp…
brsteph Apr 25, 2024
a3936b3
Updates from feedback.
brsteph Apr 29, 2024
1b83a1a
Updated Basic how-to to include new screenshots
brsteph May 3, 2024
7a3ff4a
Testing portal UI without default secondary location
brsteph May 3, 2024
c154baa
Tweaking default value control
brsteph May 3, 2024
79d1cd7
Attempt null
brsteph May 3, 2024
9c92a6a
Adding section header
brsteph May 3, 2024
c88ff34
Updating UI for grouping
brsteph May 3, 2024
b016660
Fixing Identity parameter pathing
brsteph May 3, 2024
69d145e
Updating conditional logic for displays - 1
brsteph May 3, 2024
1276313
Updating conditional views 2
brsteph May 3, 2024
ffe797c
Fix 3
brsteph May 3, 2024
94c5955
Update to make subsection header hidden by default
brsteph May 3, 2024
f77fcc5
Correcting infoblox display
brsteph May 3, 2024
8977187
Attempting to blank default drop downs
brsteph May 3, 2024
5644e5b
Fixed validation for secondary region CIDRs
brsteph May 9, 2024
e2a02d0
Adding button for Deploy in Secondary Region
brsteph May 9, 2024
3af77ea
Updating text to get a single line.
brsteph May 9, 2024
edbb29c
Tweak for octets
brsteph May 9, 2024
43d10e9
Test of displaying network secondary area
brsteph May 9, 2024
60f87df
Test 2
brsteph May 9, 2024
e44a6a7
Removed secondary topology picker, now uses main picker
brsteph May 10, 2024
adfae3b
Removing DNS option
brsteph May 10, 2024
9759378
Removed DNS parameter passing
brsteph May 10, 2024
f0a1521
Subsection for Identity - initial test
brsteph May 10, 2024
c78aeba
Update route table logic for vhub only
brsteph May 13, 2024
08535c9
Changes route table logic to handle pure values
brsteph May 13, 2024
49ad5cf
Case adjustment test
brsteph May 13, 2024
f398eb4
Updated basic cidr
brsteph May 13, 2024
79cb7f3
Updating ESLITE for Routing
brsteph May 13, 2024
bedb3d0
Updated esErNoAzSkuSecondary display logic
brsteph May 15, 2024
30f0430
Merge branch 'Azure:main' into main
brsteph May 16, 2024
40548aa
Adding display box for NVA
brsteph May 16, 2024
f25170f
Merge branch 'main' of https://github.com/brsteph/Enterprise-Scale
brsteph May 16, 2024
42341b9
Updating display logic
brsteph May 16, 2024
9d0015f
Update wording for feedback
brsteph May 16, 2024
7b5219b
Updated What's New
brsteph May 16, 2024
57bc917
Address conditionals for route tables.
brsteph May 20, 2024
8718248
Fixed missing space on dependencies
brsteph May 20, 2024
e966740
Fixed consistent typo in naming
brsteph May 20, 2024
a9f9094
Fixed dependency mapping for Routing Intent Azure Firewall
brsteph May 20, 2024
6fd9fce
Case Standardization
brsteph May 20, 2024
1cdae8b
Case Matching, dependency test
brsteph May 20, 2024
4a219d5
Updating Location Issue with Vwan Secondary Region
brsteph May 20, 2024
b83f054
Updated SKU for VPN Gateway to always be Standard
brsteph May 24, 2024
6dcbd16
Updating route table conditional logic
brsteph May 24, 2024
0469f0a
Updating IP assignment
brsteph May 24, 2024
78abb48
Updating basic IP static assignments
brsteph May 24, 2024
9fe6a75
Updated ER Gateway IP Behavior
brsteph May 24, 2024
4f92799
Updating howto documentation and screenshots, and removing unneeded te…
brsteph May 24, 2024
ea4ad20
added mdfc subplan update
brsteph May 31, 2024
7180f14
Merge branch 'Azure:main' into main
brsteph Jun 6, 2024
858b332
Merge branch 'main' into main
brsteph Jun 7, 2024
6b145fa
Updated doc headers
brsteph Jun 7, 2024
da37d77
Merge branch 'main' of https://github.com/brsteph/Enterprise-Scale
brsteph Jun 7, 2024
5cb5952
Merge branch 'main' into main
brsteph Jun 13, 2024
50de9b7
Add Telemetry
brsteph Jun 13, 2024
3d17a0c
Merge branch 'main' of https://github.com/brsteph/Enterprise-Scale
brsteph Jun 13, 2024
33547c9
Update guid for secondary region telem/naming
brsteph Jun 14, 2024
59dea9f
Merge branch 'main' into main
jtracey93 Jun 18, 2024
23 changes: 23 additions & 0 deletions docs/wiki/Deploying-ALZ-BasicSetup.md
Expand Up @@ -46,13 +46,18 @@ On the *Azure Core setup* blade you will:

- **Provide a prefix** that will be used to name your management group hierarchy **and** platform resources.
- Choose between using dedicated subscriptions or a single subscription to host platform resources.
- Choose between deploying in a single region, or in two regions.

**Please Note:** A dedicated platform subscriptions is in general recommended. However, some Customers have the requirement to host their platform and applications within a single subscription. This tutorial is aimed at Customers with this requirement.

Select **Single** and **provide a dedicated (empty) subscription** that will be used to host your Platform resources.

![ESLZ-Company-Prefix](./media/ESLZ-Company-Prefix-singlesubscription.jpg)

Next, select if you wish to **Deploy in a secondary region**. If this is left as *Yes*, then you will receive additional inputs later in the process to deploy resources in a secondary region.

![ALZ-Secondary-Region](./media/ALZ-secondaryregion-singlesubscription.jpg)

Click **Next: Platform management, security, and governance>**.

![coreSetupTab-next](./media/ESLZ-Company-Prefix-2-singlesubscription.jpg)
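
Review bot: In the paragraph added after the ESLZ-Company-Prefix screenshot, "If this is left as *Yes*" implies that the option defaults to *Yes*, but neither that paragraph nor the new bullet ("Choose between deploying in a single region, or in two regions") says so outright, and nothing describes the *No* path. Accepting the default leads to a second set of platform network resources, so state the default explicitly and add one sentence on what selecting *No* does, for example that the secondary-region inputs on the later blades are skipped.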
Expand Down Expand Up @@ -208,6 +213,24 @@ On the *Network topology and connectivity* blade you will configure your core ne

![networkTab-fwSubnet](./media/clip_image036b-10-singlesubscription.png)

### Deploying networking resources in a second region

If you selected **Deploy in a secondary region** in the Core steps, you will also configure a secondary region for networking platform resource in this blade. This secondary platform network deployment prepares you you to take advantage of capacity in multiple regions, and for recovery or multi-region high availability.

The deployment will use the same deployment type as the primary region - either two hub and spokes with Azure firewall, two hub and spokes with your own-third party NVA, or an additional virtual WAN hub.

![img](./media/clip_image080.png)

You will need to specify the additional region to deploy to, and then you will be given the option to deploy and configure your gateways and (if applicable) your Azure firewall.

![img](./media/clip_image081.png)

For best results, use similar inputs to make sure that your regional deployments can both support the same architecture. However, if you want to forgo deploying a gateway or firewall in the second region, you can select the appropriate options.

Once deployed, your regional hubs will be peered together and have routing tables assigned to the firewall subnets to handle routing to each other. You can add routes to this route table later, as you add spoke networks. If you have deployed DDoS protection in the primary region, it will be applied to the secondary region as well.

Your Private DNS zones will be deployed in a resource group linked to your primary region, and will be assigned to both regions. See [Private Link and DNS integration at scale](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/private-link-and-dns-integration-at-scale) for more information.

Click **Next: Identity>** once you had configured your network setup.

![networkTab-next](./media/clip_image036b-13-singlesubscription.png)
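
Review bot: The new section says a gateway or firewall can be skipped in the second region ("if you want to forgo deploying a gateway or firewall in the second region, you can select the appropriate options") and then states without condition that the hubs will "have routing tables assigned to the firewall subnets to handle routing to each other". Say what is deployed when the firewall is not selected in one region; otherwise readers will assume inter-hub traffic passes through a firewall in both regions. Wording in the same section: "prepares you you to" repeats a word, "networking platform resource" should be plural, and "your own-third party NVA" should read "your own third-party NVA".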
27 changes: 26 additions & 1 deletion docs/wiki/Deploying-ALZ-HubAndSpoke.md
Expand Up @@ -34,6 +34,10 @@ Provide a prefix that will be used to create the management group hierarchy and

![ESLZ-Company-Prefix](./media/ESLZ-Company-Prefix.JPG)

Next, select if you wish to **Deploy in a secondary region**. If this is left as *Yes*, then you will receive additional inputs later in the process to deploy resources in a secondary region.

![ALZ-Secondary-Region](./media/ALZ-secondaryregion-multisubscription.jpg)

## 5. Platform management, security, and governance

On the *Platform management, security, and governance* blade, you will configure the core components to enable platform monitoring and security. The options you enable will also be enforced using Azure Policy to ensure resources, landing zones, and configuration are continuously compliant as your deployments scales with business demand. To enable this, you must provide a dedicated (empty) subscription that will be used to host the requisite infrastructure.
Expand Down Expand Up @@ -74,12 +78,33 @@ Depending on your requirements, you may choose to deploy additional network infr

![img](./media/clip_image036b.png)

### Deploying networking resources in a second region

If you selected **Deploy in a secondary region** in the Core steps, you will also configure a secondary region for networking platform resource in this blade. This secondary platform network deployment prepares you you to take advantage of capacity in multiple regions, and for recovery or multi-region high availability.

The deployment will use the same deployment type as the primary region - either two hub and spokes with Azure firewall, two hub and spokes with your own-third party NVA, or an additional virtual WAN hub.

![img](./media/clip_image080.png)

You will need to specify the additional region to deploy to, and then you will be given the option to deploy and configure your gateways and (if applicable) your Azure firewall.

![img](./media/clip_image081.png)

For best results, use similar inputs to make sure that your regional deployments can both support the same architecture. However, if you want to forgo deploying a gateway or firewall in the second region, you can select the appropriate options.

Once deployed, your regional hubs will be peered together and have routing tables assigned to the firewall subnets to handle routing to each other. You can add routes to this route table later, as you add spoke networks. If you have deployed DDoS protection in the primary region, it will be applied to the secondary region as well.

Your Private DNS zones will be deployed in a resource group linked to your primary region, and will be assigned to both regions. See [Private Link and DNS integration at scale](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/private-link-and-dns-integration-at-scale) for more information.

## 8. Identity
On the *Identity* blade you can specify if you want to assign recommended policies to govern identity and domain controllers. If you decide to enable this feature, you do need to provide an empty subscription for this. You can then select which policies you want to get assigned, and you will need to provide the address space for the virtual network that will be deployed on this subscription. Please note that this virtual network will be connected to the hub virtual network via VNet peering.
On the *Identity* blade you can specify if you want to assign recommended policies to govern identity and domain controllers. If you decide to enable this feature, you do need to provide an empty subscription for this. You can then select which policies you want to get assigned, and you will need to provide the address space for the virtual network that will be deployed on this subscription. Please note that this virtual network will be connected to the hub virtual network via VNet peering.

![img](./media/clip_image036c.png)

In addition, you selected **Deploy in a secondary region** and deployed a network topology, you also have the option to deploy an additional Identity virtual network in that region. It will be peered to the hub in your secondary region.

![img](./media/clip_image085.png)

## 9. Landing zone configuration

In the top section you can select which policies you want to assign broadly to all of your application landing zones. You also have the ability to set policies to *Audit only* which will assign the policies for Audit.
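
Review bot: The paragraph beginning "Once deployed, your regional hubs will be peered together and have routing tables assigned to the firewall subnets" does not hold for every topology this page covers: the Whats-new entry in this same PR says that for *Hub and spoke with your third-party NVA* the hubs are "peered, but no routing configured". Scope the routing sentence to the Azure Firewall option and say what NVA users are expected to configure for inter-hub routing. In the Identity section, "In addition, you selected **Deploy in a secondary region**" is missing "if".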
18 changes: 18 additions & 0 deletions docs/wiki/Deploying-ALZ-VWAN.md
Expand Up @@ -34,6 +34,10 @@ Provide a prefix that will be used to create the management group hierarchy and

![ESLZ-Company-Prefix](./media/ESLZ-Company-Prefix.JPG)

Next, select if you wish to **Deploy in a secondary region**. If this is left as *Yes*, then you will receive additional inputs later in the process to deploy resources in a secondary region.

![ALZ-Secondary-Region](./media/ALZ-secondaryregion-multisubscription.jpg)

## 5. Platform management, security, and governance

On the *Platform management, security, and governance* blade, you will configure the core components to enable platform monitoring and security. The options you enable will also be enforced using Azure Policy to ensure resources, landing zones, and more are continuously compliant as your deployments scales and grows. To enable this, you must provide a dedicated (empty) subscription that will be used to host the requisite infrastructure.
Expand Down Expand Up @@ -69,12 +73,26 @@ Depending on your requirements, you may choose to deploy additional network infr

![vwan](./media/clip_image078.jpg)

### Deploying networking resources in a second region

If you selected **Deploy in a secondary region** in the Core steps, you will also configure a secondary region for networking platform resource in this blade. This secondary platform network deployment prepares you you to take advantage of capacity in multiple regions, and for recovery or multi-region high availability.

The deployment will deploy an additional virtual hub in the secondary region that you specify.

You will need to provide the configuration for the virtual hub, same as the primary region.

![img](./media/clip_image084.png)

## 8. Identity

On the *Identity* blade you can specify if you want to assign recommended policies to govern identity and domain controllers. If you decide to enable this feature, you do need to provide an empty subscription for this. You can then select which policies you want to get assigned, and you will need to provide the address space for the virtual network that will be deployed on this subscription. Please note that this virtual network will be connected to the hub virtual network via VNet peering.

![img](./media/clip_image036c.png)

In addition, you selected **Deploy in a secondary region** and deployed a network topology, you also have the option to deploy an additional Identity virtual network in that region. It will be connected to the hub in your secondary region.

![img](./media/clip_image085.png)

## 9. Landing zone configuration

In the top section you can select which policies you want to assign broadly to all of your application landing zones. You also have the ability to set policies to *Audit only* which will assign the policies for Audit.
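
Review bot: The added Identity sentence "In addition, you selected **Deploy in a secondary region** and deployed a network topology" is missing "if", so it reads as a statement about what the reader did rather than a condition. The new networking section is also thinner than its hub and spoke counterpart: "You will need to provide the configuration for the virtual hub, same as the primary region" names no inputs and does not mention the routing to the Azure Firewalls that the Whats-new entry describes for *Virtual WAN*; list the inputs or link to the primary-region steps. "prepares you you to" and "networking platform resource" need correcting here as well.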
11 changes: 11 additions & 0 deletions docs/wiki/Whats-new.md
Expand Up @@ -144,6 +144,17 @@ Special Note: Existing consumers of ALZ will notice that some "assigned by defau
#### Documentation

- Archived the readme content in the eslzArm folder as it is no longer relevant. Please refer to the [ALZ Wiki](https://aka.ms/alz/wiki) for the latest information on how to deploy Enterprise-Scale Landing Zones. To view the content that was previously here, refer to the [archive](https://github.com/Azure/Enterprise-Scale/blob/45d5c2bd8c1a9e19b1a46a3a0dabb311e5320b64/eslzArm/README.md).
- Added new instructions for deploying hub and spoke network topology in [multiple regions](./Deploying-ALZ-HubAndSpoke#deploying-networking-resources-in-an-additional-region).
- Added new instructions for deploying additional vWAN hubs in [multiple regions](./Deploying-ALZ-HubAndSpoke#deploying-networking-resources-in-an-additional-region).

#### Tooling

- Added functionality to deploy platform resources into multiple regions. In the Core settings, you will have the option to deploy resources in a secondary region. If you select **Yes** you will have new options:
- In the **Networking topology and connectivity** tab:
- If you select *Hub and spoke with Azure Firewall* you will deploy a second hub in a secondary region. You can configure the IP space, VPN Gateway settings, ExpressRoute Gateway settings, and Azure Firewall settings for this region. Both of the hubs will be peered, with routing for the hubs to the Azure Firewalls being deployed. If you select DDoS protection or to select the creation of Azure Private DNS Zones, these will be linked to the second hub as well.
- If you select *Hub and spoke with your third-party NVA* you will deploy a second hub in a secondary region. You can configure the IP space, VPN Gateway settings, and ExpressRoute Gateway settings for this region. Both of the hubs will be peered, but no routing configured. If you select DDoS protection or to select the creation of Azure Private DNS Zones, these will be linked to the second hub as well.
- If you select *Virtual WAN* you will deploy a second virtual hub in a secondary region, as part of your virtual WAN deployment. You can configure the IP space, VPN Gateway settings, ExpressRoute Gateway settings, and Azure Firewall settings for this region. Both of the hubs will be peered, with routing for the hubs to the Azure Firewalls being deployed.
- In the **Identity** tab, if you have selected a topology to deploy, you will have the option to deploy an Identity virtual network to the secondary region, peered to the hub in that region.

### April 2024

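
Review bot: Both new Documentation links use the fragment `#deploying-networking-resources-in-an-additional-region`, but the heading added in this PR is "Deploying networking resources in a second region", so the fragment will not resolve; in addition, the vWAN bullet links to `./Deploying-ALZ-HubAndSpoke` rather than `./Deploying-ALZ-VWAN`. Point each bullet at its own page and match the fragment to the heading text. In the Tooling section, the *Virtual WAN* bullet repeats "Both of the hubs will be peered" from the hub and spoke bullets; confirm that wording is intended for virtual hubs, and reword "If you select DDoS protection or to select the creation of Azure Private DNS Zones".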
Binary file added docs/wiki/media/clip_image080.png
Binary file added docs/wiki/media/clip_image081.png
Binary file added docs/wiki/media/clip_image082.png
Binary file added docs/wiki/media/clip_image083.png
Binary file added docs/wiki/media/clip_image084.png
Binary file added docs/wiki/media/clip_image085.png
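
Review bot: `clip_image082.png` and `clip_image083.png` are added, but the documentation hunks shown here reference only `clip_image080.png`, `clip_image081.png`, `clip_image084.png` and `clip_image085.png`. Either reference the two images where they were meant to appear or drop them from the PR.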