jochenvw · August 12, 2021 12:31
diff --git a/loadbalancer-with-diagnostics.bicep b/loadbalancer-with-diagnostics.bicep
 /*
 Deploys a opinionated network foundation - work in progress
 - Log analytics workspace
 - VNET with default subnets
 - Diagnostics settings for all resources - pushing all logs+metrics to the log analytics workspace
 */
 var resourceNamePrefix = 'jvw-lbspike'
 var resourceLocation = 'westeurope'

 /*
 Main log analytics workspace - will serve a sink for *all* services' diagnostics settings
 Typically referenced as 'workspaceId': workspace.id in Microsoft.Insights/diagnosticSettings resources
 */
 resource workspace 'Microsoft.OperationalInsights/workspaces@2021-06-01' = {
  name: '${resourceNamePrefix}-logs'
  location: resourceLocation
 }

 /*
 Virtual network with some defaults
 - NOTE the 'gatewaysubnet', 'AzureBastionSubnet' and 'AzureFirewallSubnet' subnets. 
  Subnets for the VPN gateway, Azure Bastion and Azure Firewall *must* have this name    
 - Adding subnets is easy (given there is still unused IP space). Removing/changing is quite a bit more difficult.
 */

 resource network 'Microsoft.Network/virtualNetworks@2021-02-01' = {
  name: '${resourceNamePrefix}-vnet'
  location: resourceLocation
  properties:{
    addressSpace: {
      addressPrefixes: [       
        '10.0.0.0/16'
      ]
    }
    subnets:[
      {
        name: 'gatewaysubnet'
        properties:{
          addressPrefix: '10.0.0.0/24'
        }
      }
      {
        name: 'AzureBastionSubnet'
        properties:{
          addressPrefix: '10.0.1.0/24'
        }
      }
      {
        name: 'AzureFirewallSubnet'
        properties:{
          addressPrefix: '10.0.2.0/24'
        }
      }
      {
        name: 'LoadBalancerSubnet'
        properties:{
          addressPrefix: '10.0.10.0/24'
        }
      }
      {
        name: 'AppTier'
        properties:{
          addressPrefix: '10.0.11.0/24'
        }
      }
      {
        name: 'DataTier'
        properties:{
          addressPrefix: '10.0.12.0/24'
        }
      }    
    ]
  }
 }

 resource networkDiagnostics 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  scope: network
  name: '${resourceNamePrefix}-vnet-diagnostics'
  properties: {
    'workspaceId': workspace.id
    logs: [
      {
        category: 'VMProtectionAlerts'
        enabled: true
      }
    ]    
    metrics: [
      {
        category: 'AllMetrics'
        enabled: true
      }
    ]
  }
 }

 /*
 Public IP address for the Azure Firewall
 - 'Standard' SKU is required and 'Static' allocation method as well
 */
 resource azureFirewallPIP 'Microsoft.Network/publicIPAddresses@2021-02-01' = {
  name: '${resourceNamePrefix}-fw-pip'
  location: resourceLocation  
  zones: [
    '1'
    '2'
    '3'
  ]
  properties: {
    publicIPAllocationMethod: 'Static'
  }
  sku: {
    name: 'Standard'
    tier: 'Regional'  
  }
 }

 resource azureFirewallPIPDiagnostics 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  scope: azureFirewallPIP
  name: '${resourceNamePrefix}-fw-pip-diagnostics'  
  properties: {
    'workspaceId': workspace.id    
    logs: [
      {
        category: 'DDoSProtectionNotifications'
        enabled: true
      }
      {
        category: 'DDoSMitigationFlowLogs'
        enabled: true
      }
      {
        category: 'DDoSMitigationReports'
        enabled: true
      }
    ]    
    metrics: [
      {
        category: 'AllMetrics'
        enabled: true
      }
    ]
  }
 }

 resource azureFirewall 'Microsoft.Network/azureFirewalls@2021-02-01' = {
  name: '${resourceNamePrefix}-fw'
  location: resourceLocation  
  zones: [
    '1'
    '2'
    '3'
  ]
  properties: {
    ipConfigurations: [
      {
        name: azureFirewallPIP.name   
        properties: {
          publicIPAddress: {
            id: azureFirewallPIP.id
          }
          subnet: {
            id: '${network.id}/subnets/AzureFirewallSubnet'
          }
        }     
      }      
    ]
  }
 }

 resource azureFirewallDiagnostics 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  scope: azureFirewall
  name: '${resourceNamePrefix}-fw-diagnostics'
  properties: {
    'workspaceId': workspace.id
    logs: [
      {
        category: 'AzureFirewallApplicationRule'
        enabled: true
      }
      {
        category: 'AzureFirewallNetworkRule'
        enabled: true
      }
      {
        category: 'AzureFirewallDnsProxy'
        enabled: true
      }
    ]    
    metrics: [
      {
        category: 'AllMetrics'
        enabled: true
      }
    ]
  }
 }

 /*
 Azure loadbalancer with a private in the LoadBalancer subnet
 No backend pools configured at this point
 */
 resource loadbalancer 'Microsoft.Network/loadBalancers@2021-02-01' = {
  name: '${resourceNamePrefix}-lb'
  location: resourceLocation
  sku: {
    name: 'Standard'
    tier: 'Regional'
  }
  properties: {
    frontendIPConfigurations: [
      {
        name: 'loadbalancerfrontendip'
        properties: {
          privateIPAddressVersion: 'IPv4'
          privateIPAllocationMethod: 'Dynamic'          
          subnet: {            
            id: '${network.id}/subnets/LoadBalancerSubnet'
          }
        }
      }
    ]
  }
 }

 resource azureLoadBalancerDiagnostics 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  scope: loadbalancer
  name: '${resourceNamePrefix}-lb-diagnostics'
  properties: {
    'workspaceId': workspace.id
    logs: [
    ]    
    metrics: [
      {
        category: 'AllMetrics'
        enabled: true
      }
    ]
  }
 }
	/*
	Deploys a opinionated network foundation - work in progress
	- Log analytics workspace
	- VNET with default subnets
	- Diagnostics settings for all resources - pushing all logs+metrics to the log analytics workspace
	*/
	var resourceNamePrefix = 'jvw-lbspike'
	var resourceLocation = 'westeurope'

	/*
	Main log analytics workspace - will serve a sink for all services' diagnostics settings
	Typically referenced as 'workspaceId': workspace.id in Microsoft.Insights/diagnosticSettings resources
	*/
	resource workspace 'Microsoft.OperationalInsights/workspaces@2021-06-01' = {
	name: '${resourceNamePrefix}-logs'
	location: resourceLocation
	}

	/*
	Virtual network with some defaults
	- NOTE the 'gatewaysubnet', 'AzureBastionSubnet' and 'AzureFirewallSubnet' subnets.
	Subnets for the VPN gateway, Azure Bastion and Azure Firewall must have this name
	- Adding subnets is easy (given there is still unused IP space). Removing/changing is quite a bit more difficult.
	*/

	resource network 'Microsoft.Network/virtualNetworks@2021-02-01' = {
	name: '${resourceNamePrefix}-vnet'
	location: resourceLocation
	properties:{
	addressSpace: {
	addressPrefixes: [
	'10.0.0.0/16'
	]
	}
	subnets:[
	{
	name: 'gatewaysubnet'
	properties:{
	addressPrefix: '10.0.0.0/24'
	}
	}
	{
	name: 'AzureBastionSubnet'
	properties:{
	addressPrefix: '10.0.1.0/24'
	}
	}
	{
	name: 'AzureFirewallSubnet'
	properties:{
	addressPrefix: '10.0.2.0/24'
	}
	}
	{
	name: 'LoadBalancerSubnet'
	properties:{
	addressPrefix: '10.0.10.0/24'
	}
	}
	{
	name: 'AppTier'
	properties:{
	addressPrefix: '10.0.11.0/24'
	}
	}
	{
	name: 'DataTier'
	properties:{
	addressPrefix: '10.0.12.0/24'
	}
	}
	]
	}
	}

	resource networkDiagnostics 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
	scope: network
	name: '${resourceNamePrefix}-vnet-diagnostics'
	properties: {
	'workspaceId': workspace.id
	logs: [
	{
	category: 'VMProtectionAlerts'
	enabled: true
	}
	]
	metrics: [
	{
	category: 'AllMetrics'
	enabled: true
	}
	]
	}
	}

	/*
	Public IP address for the Azure Firewall
	- 'Standard' SKU is required and 'Static' allocation method as well
	*/
	resource azureFirewallPIP 'Microsoft.Network/publicIPAddresses@2021-02-01' = {
	name: '${resourceNamePrefix}-fw-pip'
	location: resourceLocation
	zones: [
	'1'
	'2'
	'3'
	]
	properties: {
	publicIPAllocationMethod: 'Static'
	}
	sku: {
	name: 'Standard'
	tier: 'Regional'
	}
	}

	resource azureFirewallPIPDiagnostics 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
	scope: azureFirewallPIP
	name: '${resourceNamePrefix}-fw-pip-diagnostics'
	properties: {
	'workspaceId': workspace.id
	logs: [
	{
	category: 'DDoSProtectionNotifications'
	enabled: true
	}
	{
	category: 'DDoSMitigationFlowLogs'
	enabled: true
	}
	{
	category: 'DDoSMitigationReports'
	enabled: true
	}
	]
	metrics: [
	{
	category: 'AllMetrics'
	enabled: true
	}
	]
	}
	}

	resource azureFirewall 'Microsoft.Network/azureFirewalls@2021-02-01' = {
	name: '${resourceNamePrefix}-fw'
	location: resourceLocation
	zones: [
	'1'
	'2'
	'3'
	]
	properties: {
	ipConfigurations: [
	{
	name: azureFirewallPIP.name
	properties: {
	publicIPAddress: {
	id: azureFirewallPIP.id
	}
	subnet: {
	id: '${network.id}/subnets/AzureFirewallSubnet'
	}
	}
	}
	]
	}
	}

	resource azureFirewallDiagnostics 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
	scope: azureFirewall
	name: '${resourceNamePrefix}-fw-diagnostics'
	properties: {
	'workspaceId': workspace.id
	logs: [
	{
	category: 'AzureFirewallApplicationRule'
	enabled: true
	}
	{
	category: 'AzureFirewallNetworkRule'
	enabled: true
	}
	{
	category: 'AzureFirewallDnsProxy'
	enabled: true
	}
	]
	metrics: [
	{
	category: 'AllMetrics'
	enabled: true
	}
	]
	}
	}

	/*
	Azure loadbalancer with a private in the LoadBalancer subnet
	No backend pools configured at this point
	*/
	resource loadbalancer 'Microsoft.Network/loadBalancers@2021-02-01' = {
	name: '${resourceNamePrefix}-lb'
	location: resourceLocation
	sku: {
	name: 'Standard'
	tier: 'Regional'
	}
	properties: {
	frontendIPConfigurations: [
	{
	name: 'loadbalancerfrontendip'
	properties: {
	privateIPAddressVersion: 'IPv4'
	privateIPAllocationMethod: 'Dynamic'
	subnet: {
	id: '${network.id}/subnets/LoadBalancerSubnet'
	}
	}
	}
	]
	}
	}

	resource azureLoadBalancerDiagnostics 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
	scope: loadbalancer
	name: '${resourceNamePrefix}-lb-diagnostics'
	properties: {
	'workspaceId': workspace.id
	logs: [
	]
	metrics: [
	{
	category: 'AllMetrics'
	enabled: true
	}
	]
	}
	}