add diagnostics settings for firewall, public IP, and network security groups #473

Merged
merged 7 commits into from
Oct 21, 2021
131 changes: 117 additions & 14 deletions src/bicep/mlz.bicep
Expand Up @@ -86,6 +86,8 @@ module hub './modules/hubNetwork.bicep' = {

networkSecurityGroupName: hubNetworkSecurityGroupName
networkSecurityGroupRules: hubNetworkSecurityGroupRules
networkSecurityGroupDiagnosticsLogs: hubNetworkSecurityGroupDiagnosticsLogs
networkSecurityGroupDiagnosticsMetrics: hubNetworkSecurityGroupDiagnosticsMetrics

subnetName: hubSubnetName
subnetAddressPrefix: hubSubnetAddressPrefix
Expand All @@ -95,6 +97,8 @@ module hub './modules/hubNetwork.bicep' = {
firewallSkuTier: firewallSkuTier
firewallPolicyName: firewallPolicyName
firewallThreatIntelMode: firewallThreatIntelMode
firewallDiagnosticsLogs: firewallDiagnosticsLogs
firewallDiagnosticsMetrics: firewallDiagnosticsMetrics
firewallClientIpConfigurationName: firewallClientIpConfigurationName
firewallClientSubnetName: firewallClientSubnetName
firewallClientSubnetAddressPrefix: firewallClientSubnetAddressPrefix
Expand All @@ -111,6 +115,9 @@ module hub './modules/hubNetwork.bicep' = {
firewallManagementPublicIPAddressSkuName: firewallManagementPublicIPAddressSkuName
firewallManagementPublicIpAllocationMethod: firewallManagementPublicIpAllocationMethod
firewallManagementPublicIPAddressAvailabilityZones: firewallManagementPublicIPAddressAvailabilityZones

publicIPAddressDiagnosticsLogs: publicIPAddressDiagnosticsLogs
publicIPAddressDiagnosticsMetrics: publicIPAddressDiagnosticsMetrics
}
}

Expand All @@ -135,6 +142,8 @@ module identity './modules/spokeNetwork.bicep' = {

networkSecurityGroupName: identityNetworkSecurityGroupName
networkSecurityGroupRules: identityNetworkSecurityGroupRules
networkSecurityGroupDiagnosticsLogs: identityNetworkSecurityGroupDiagnosticsLogs
networkSecurityGroupDiagnosticsMetrics: identityNetworkSecurityGroupDiagnosticsMetrics

subnetName: identitySubnetName
subnetAddressPrefix: identitySubnetAddressPrefix
Expand Down Expand Up @@ -163,6 +172,8 @@ module operations './modules/spokeNetwork.bicep' = {

networkSecurityGroupName: operationsNetworkSecurityGroupName
networkSecurityGroupRules: operationsNetworkSecurityGroupRules
networkSecurityGroupDiagnosticsLogs: operationsNetworkSecurityGroupDiagnosticsLogs
networkSecurityGroupDiagnosticsMetrics: operationsNetworkSecurityGroupDiagnosticsMetrics

subnetName: operationsSubnetName
subnetAddressPrefix: operationsSubnetAddressPrefix
Expand Down Expand Up @@ -191,6 +202,8 @@ module sharedServices './modules/spokeNetwork.bicep' = {

networkSecurityGroupName: sharedServicesNetworkSecurityGroupName
networkSecurityGroupRules: sharedServicesNetworkSecurityGroupRules
networkSecurityGroupDiagnosticsLogs: sharedServicesNetworkSecurityGroupDiagnosticsLogs
networkSecurityGroupDiagnosticsMetrics: sharedServicesNetworkSecurityGroupDiagnosticsMetrics

subnetName: sharedServicesSubnetName
subnetAddressPrefix: sharedServicesSubnetAddressPrefix
Expand Down Expand Up @@ -469,8 +482,52 @@ param hubSubnetAddressPrefix string = '10.0.100.128/27'
param hubVirtualNetworkDiagnosticsLogs array = []
param hubVirtualNetworkDiagnosticsMetrics array = []
param hubNetworkSecurityGroupName string = 'hub-nsg'
param hubNetworkSecurityGroupRules array = []
param hubSubnetServiceEndpoints array = []
param hubNetworkSecurityGroupRules array = [
{
name: 'allow_ssh'
properties: {
description: 'Allow SSH access from anywhere'
access: 'Allow'
priority: 100
protocol: 'Tcp'
direction: 'Inbound'
sourcePortRange: '*'
sourceAddressPrefix: '*'
destinationPortRange: '22'
destinationAddressPrefix: '*'
}
}
{
name: 'allow_rdp'
properties: {
description: 'Allow RDP access from anywhere'
access: 'Allow'
priority: 200
protocol: 'Tcp'
direction: 'Inbound'
sourcePortRange: '*'
sourceAddressPrefix: '*'
destinationPortRange: '3389'
destinationAddressPrefix: '*'
}
}
]
param hubNetworkSecurityGroupDiagnosticsLogs array = [
{
category: 'NetworkSecurityGroupEvent'
enabled: true
}
{
category: 'NetworkSecurityGroupRuleCounter'
enabled: true
}
]
param hubNetworkSecurityGroupDiagnosticsMetrics array = []
param hubSubnetServiceEndpoints array = [
{
service: 'Microsoft.Storage'
}
]
param hubLogStorageAccountName string = toLower(take('hublogs${uniqueId}', 24))
param hubLogStorageSkuName string = 'Standard_GRS'

Expand All @@ -479,6 +536,26 @@ param firewallManagementSubnetAddressPrefix string = '10.0.100.64/26'
param firewallClientSubnetAddressPrefix string = '10.0.100.0/26'
param firewallPolicyName string = 'firewall-policy'
param firewallThreatIntelMode string = 'Alert'
param firewallDiagnosticsLogs array = [
{
category: 'AzureFirewallApplicationRule'
enabled: true
}
{
category: 'AzureFirewallNetworkRule'
enabled: true
}
{
category: 'AzureFirewallDnsProxy'
enabled: true
}
]
param firewallDiagnosticsMetrics array = [
{
category: 'AllMetrics'
enabled: true
}
]
var firewallClientSubnetName = 'AzureFirewallSubnet' //this must be 'AzureFirewallSubnet'
param firewallClientIpConfigurationName string = 'firewall-client-ip-config'
param firewallClientSubnetServiceEndpoints array = []
Expand All @@ -493,32 +570,56 @@ param firewallManagementPublicIPAddressName string = 'firewall-management-public
param firewallManagementPublicIPAddressSkuName string = 'Standard'
param firewallManagementPublicIpAllocationMethod string = 'Static'
param firewallManagementPublicIPAddressAvailabilityZones array = []
param publicIPAddressDiagnosticsLogs array = [
{
category: 'DDoSProtectionNotifications'
enabled: true
}
{
category: 'DDoSMitigationFlowLogs'
enabled: true
}
{
category: 'DDoSMitigationReports'
enabled: true
}
]
param publicIPAddressDiagnosticsMetrics array = [
{
category: 'AllMetrics'
enabled: true
}
]

param identityResourceGroupName string = replace(hubResourceGroupName, 'hub', 'identity')
param identityLocation string = hubLocation
param identityVirtualNetworkName string = replace(hubVirtualNetworkName, 'hub', 'identity')
param identitySubnetName string = replace(hubSubnetName, 'hub', 'identity')
param identityVirtualNetworkAddressPrefix string = '10.0.110.0/26'
param identitySubnetAddressPrefix string = '10.0.110.0/27'
param identityVirtualNetworkDiagnosticsLogs array = []
param identityVirtualNetworkDiagnosticsMetrics array = []
param identityVirtualNetworkDiagnosticsLogs array = hubVirtualNetworkDiagnosticsLogs
param identityVirtualNetworkDiagnosticsMetrics array = hubVirtualNetworkDiagnosticsMetrics
param identityNetworkSecurityGroupName string = replace(hubNetworkSecurityGroupName, 'hub', 'identity')
param identityNetworkSecurityGroupRules array = []
param identitySubnetServiceEndpoints array = []
param identityNetworkSecurityGroupRules array = hubNetworkSecurityGroupRules
param identityNetworkSecurityGroupDiagnosticsLogs array = hubNetworkSecurityGroupDiagnosticsLogs
param identityNetworkSecurityGroupDiagnosticsMetrics array = hubNetworkSecurityGroupDiagnosticsMetrics
param identitySubnetServiceEndpoints array = hubSubnetServiceEndpoints
param identityLogStorageAccountName string = toLower(take('idlogs${uniqueId}', 24))
param identityLogStorageSkuName string = hubLogStorageSkuName

param operationsResourceGroupName string = replace(hubResourceGroupName, 'hub', 'operations')
param operationsLocation string = hubLocation
param operationsVirtualNetworkName string = replace(hubVirtualNetworkName, 'hub', 'operations')
param operationsVirtualNetworkAddressPrefix string = '10.0.115.0/26'
param operationsVirtualNetworkDiagnosticsLogs array = []
param operationsVirtualNetworkDiagnosticsMetrics array = []
param operationsVirtualNetworkDiagnosticsLogs array = hubVirtualNetworkDiagnosticsLogs
param operationsVirtualNetworkDiagnosticsMetrics array = hubVirtualNetworkDiagnosticsMetrics
param operationsNetworkSecurityGroupName string = replace(hubNetworkSecurityGroupName, 'hub', 'operations')
param operationsNetworkSecurityGroupRules array = []
param operationsNetworkSecurityGroupRules array = hubNetworkSecurityGroupRules
param operationsNetworkSecurityGroupDiagnosticsLogs array = hubNetworkSecurityGroupDiagnosticsLogs
param operationsNetworkSecurityGroupDiagnosticsMetrics array = hubNetworkSecurityGroupDiagnosticsMetrics
param operationsSubnetName string = replace(hubSubnetName, 'hub', 'operations')
param operationsSubnetAddressPrefix string = '10.0.115.0/27'
param operationsSubnetServiceEndpoints array = []
param operationsSubnetServiceEndpoints array = hubSubnetServiceEndpoints
param operationsLogStorageAccountName string = toLower(take('opslogs${uniqueId}', 24))
param operationsLogStorageSkuName string = hubLogStorageSkuName

Expand All @@ -528,11 +629,13 @@ param sharedServicesVirtualNetworkName string = replace(hubVirtualNetworkName, '
param sharedServicesSubnetName string = replace(hubSubnetName, 'hub', 'sharedServices')
param sharedServicesVirtualNetworkAddressPrefix string = '10.0.120.0/26'
param sharedServicesSubnetAddressPrefix string = '10.0.120.0/27'
param sharedServicesVirtualNetworkDiagnosticsLogs array = []
param sharedServicesVirtualNetworkDiagnosticsMetrics array = []
param sharedServicesVirtualNetworkDiagnosticsLogs array = hubVirtualNetworkDiagnosticsLogs
param sharedServicesVirtualNetworkDiagnosticsMetrics array = hubVirtualNetworkDiagnosticsMetrics
param sharedServicesNetworkSecurityGroupName string = replace(hubNetworkSecurityGroupName, 'hub', 'sharedServices')
param sharedServicesNetworkSecurityGroupRules array = []
param sharedServicesSubnetServiceEndpoints array = []
param sharedServicesNetworkSecurityGroupRules array = hubNetworkSecurityGroupRules
param sharedServicesNetworkSecurityGroupDiagnosticsLogs array = hubNetworkSecurityGroupDiagnosticsLogs
param sharedServicesNetworkSecurityGroupDiagnosticsMetrics array = hubNetworkSecurityGroupDiagnosticsMetrics
param sharedServicesSubnetServiceEndpoints array = hubSubnetServiceEndpoints
param sharedServicesLogStorageAccountName string = toLower(take('shrdSvclogs${uniqueId}', 24))
param sharedServicesLogStorageSkuName string = hubLogStorageSkuName

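Review bot: The default for `hubNetworkSecurityGroupRules` in the hunk at `@@ -469,8 +482,52 @@` is no longer `[]` but two inbound `Allow` rules with `sourceAddressPrefix: '*'` for TCP 22 and TCP 3389, and the spoke hunks at `@@ -493,32 +570,56 @@` and `@@ -528,11 +629,13 @@` now default `identity`, `operations` and `sharedServices` rules to that same array, so every subnet in the deployment accepts SSH and RDP from any source unless a deployer overrides the parameter. That is a change in the security posture of the default deployment, not a diagnostics setting, and nothing in the PR title signals it. Keep the open rules out of the default, `param hubNetworkSecurityGroupRules array = []`, or at minimum replace the `'*'` source with a deployer-supplied prefix parameter and document the expectation. The new `hubSubnetServiceEndpoints` default of `Microsoft.Storage`, also inherited by the spokes, likely routes storage traffic past the firewall for those subnets, so it deserves a sentence of its own in the description.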