Add UDR option to route spoke traffic internally (#171)

* Add UDR option to route spoke traffic internally

* Add routeSpokeTrafficInternally parameter

* added the terraform implementation for rouring traffic internally in spoke

* exposed internal routing through the main deployment

* Add routeSpokeTrafficInternally to Portal Network parameters

* Add internal routes for all VNet prefixes

* Match name to bicep

---------

Co-authored-by: Konstantinos Pantos <[email protected]>

scenarios/aca-internal/azure-resource-manager/main-portal-ux.json

@@ -420,6 +420,22 @@
                             },
                             "infoMessages": [],
                             "visible": true
+                        },
+                        {
+                            "name": "routeSpokeTrafficInternally",
+                            "type": "Microsoft.Common.CheckbBox",
+                            "label": "Route Spoke Traffic Internally",
+                            "subLabel": "",
+                            "defaultValue": false,
+                            "toolTip": "Enable this if you would like to keep traffic that is internal to the spoke (e.g. container app to database) from being routed to the hub. This can significantly alleviate load on components such as hub firewalls and decrease excess traffic.",
+                            "constraints": {
+                                "required": true,
+                                "regex": "",
+                                "validationMessage": "",
+                                "validations": []
+                            },
+                            "infoMessages": [],
+                            "visible": true
                         }
                     ]
                 },

scenarios/aca-internal/azure-resource-manager/main.json

@@ -3469,6 +3469,13 @@
                 "description": "CIDR of the spoke infrastructure subnet."
               }
             },
+            "routeSpokeTrafficInternally": {
+              "type": "bool",
+              "defaultValue": false,
+              "metadata": {
+                "description": "Optional, default value is false. If true, the spoke network will route spoke-internal traffic within the spoke network. If false, traffic will be sent to the hub network."
+              }
+            },
             "spokePrivateEndpointsSubnetName": {
               "type": "string",
               "defaultValue": "snet-pep",

scenarios/aca-internal/bicep/README.md

@@ -115,6 +115,7 @@ This is the starting point for the instructions on deploying this reference impl
    | `spokeInfraSubnetAddressPrefix` | CIDR of the spoke infrastructure subnet. Must be a subset of the spoke CIDR ranges. | **10.1.0.0/23** | **10.101.0.0/23** |
    | `spokePrivateEndpointsSubnetAddressPrefix` | CIDR of the spoke private endpoint subnet. Must be a subset of the spoke CIDR ranges. | **10.1.2.0/27** | **10.101.2.0/27** |
    | `spokeApplicationGatewaySubnetAddressPrefix` | CIDR of the spoke Application Gateway subnet. Must be a subset of the spoke CIDR ranges. | **10.1.3.0/24** | **10.101.3.0/24** |
+   | `routeSpokeTrafficInternally` | If true, the spoke network will route spoke-internal traffic within the spoke network. If false, traffic will be sent to the hub network. | **false** | **true** |
    | `enableApplicationInsights` | Controls if Application Insights is deployed and configured. | **true** | **false** |
    | `enableDaprInstrumentation` | Enable Dapr's telemetry. enableApplicationInsights` must also be set to **true** for this to work. | **true** | **false** |
    | `deployHelloWorldSample` | Deploy a simple, sample application to the infrastructure. If you prefer to deploy the more comprehensive, Dapr-enabled sample app, this needs to be disabled | **true** | **false**, because you plan on deploying the Dapr-enabled application instead. |

scenarios/aca-internal/bicep/main.bicep

@@ -98,6 +98,9 @@ param spokePrivateEndpointsSubnetAddressPrefix string
 @description('CIDR of the Spoke Application Gateway Subnet.')
 param spokeApplicationGatewaySubnetAddressPrefix string
 
+@description('Optional, default value is false. If true, the spoke network will route spoke-internal traffic within the spoke network. If false, traffic will be sent to the hub network.')
+param routeSpokeTrafficInternally bool = false
+
 @description('Enable or disable the createion of Application Insights.')
 param enableApplicationInsights bool
 
@@ -193,6 +196,7 @@ module spoke 'modules/02-spoke/deploy.spoke.bicep' = {
     spokePrivateEndpointsSubnetAddressPrefix: spokePrivateEndpointsSubnetAddressPrefix
     spokeVNetAddressPrefixes: spokeVNetAddressPrefixes
     networkApplianceIpAddress: deployHub ? hub.outputs.networkApplianceIpAddress : ''
+    routeSpokeTrafficInternally: routeSpokeTrafficInternally
     vmSize: vmSize
     vmAdminUsername: vmAdminUsername
     vmAdminPassword: vmAdminPassword

scenarios/aca-internal/bicep/main.parameters.json

@@ -71,6 +71,9 @@
     "spokeApplicationGatewaySubnetAddressPrefix": {
       "value":  "10.1.3.0/24"
     },
+    "routeSpokeTrafficInternally": {
+      "value":  false
+    },
     "enableApplicationInsights": {
       "value": true
     },

scenarios/aca-internal/bicep/main.parameters.jsonc

@@ -79,6 +79,10 @@
     "spokeApplicationGatewaySubnetAddressPrefix": {
       "value":  "10.1.3.0/24"
     },
+    // If you want to keep spoke-internal traffic for the container apps within the spoke, set this to true
+    "routeSpokeTrafficInternally": {
+      "value":  false
+    },
     // If you want to deploy Application Insights, set this to true
     "enableApplicationInsights": {
       "value": true

scenarios/aca-internal/bicep/modules/02-spoke/deploy.spoke.bicep

@@ -51,6 +51,9 @@ param spokeApplicationGatewaySubnetAddressPrefix string
 @description('The IP address of the network appliance (e.g. firewall) that will be used to route traffic to the internet.')
 param networkApplianceIpAddress string
 
+@description('Optional, default value is false. If true, the spoke network will route spoke-internal traffic within the spoke network. If false, traffic will be sent to the hub network.')
+param routeSpokeTrafficInternally bool = false
+
 @description('The size of the jump box virtual machine to create. See https://learn.microsoft.com/azure/virtual-machines/sizes for more information.')
 param vmSize string
 
@@ -299,6 +302,7 @@ module peerHubToSpoke '../../../../shared/bicep/network/peering.bicep' = if (!em
     remoteVnetName: vnetSpoke.outputs.vnetName
   }
 }
+
 @description('The Route Table deployment')
 module egressLockdownUdr '../../../../shared/bicep/routeTables/main.bicep' = if (networkApplianceIpAddress != '') {
   name: take('egressLockdownUdr-${uniqueString(spokeResourceGroup.id)}', 64)
@@ -307,7 +311,7 @@ module egressLockdownUdr '../../../../shared/bicep/routeTables/main.bicep' = if
     name: naming.outputs.resourcesNames.routeTable
     location: location
     tags: tags
-    routes: [
+    routes: concat([
       {
         name: 'defaultEgressLockdown'
         properties: {
@@ -316,7 +320,15 @@ module egressLockdownUdr '../../../../shared/bicep/routeTables/main.bicep' = if
           nextHopIpAddress: networkApplianceIpAddress
         }
       }
-    ]
+    ], routeSpokeTrafficInternally ? map(spokeVNetAddressPrefixes, (prefix, i) => 
+      {     
+        name: 'spokeInternalTraffic-${i}'
+        properties: {
+          addressPrefix: prefix
+          nextHopType: 'VnetLocal'
+        }
+      }
+    ) : [])
   }
 }
 

scenarios/aca-internal/bicep/modules/02-spoke/deploy.spoke.parameters.jsonc

@@ -36,6 +36,9 @@
     "networkApplianceIpAddress": {
       "value": "[IP OF THE NETWORK APPLIANCE]"
     },
+    "routeSpokeTrafficInternally": {
+      "value":  false
+    },
     "vmSize": {
       "value": "Standard_B2ms"
     },

scenarios/aca-internal/terraform/main.tf

@@ -35,6 +35,7 @@ module "spoke" {
   jumpboxSubnetAddressPrefix            = var.vmJumpBoxSubnetAddressPrefix
   firewallPrivateIp                     = module.hub.firewallPrivateIp
   tags                                  = var.tags
+  routeSpokeTrafficInternally           = var.routeSpokeTrafficInternally
 }
 
 module "supportingServices" {

scenarios/aca-internal/terraform/modules/02-spoke/main.tf

@@ -189,11 +189,17 @@ module "routeTable" {
   subnetId          = data.azurerm_subnet.infraSubnet.id
   tags              = var.tags
 
-  routes = [{
-    name             = "defaultEgressLockdown"
-    addressPrefix    = "0.0.0.0/0"
-    nextHopType      = "VirtualAppliance"
-    nextHopIpAddress = var.firewallPrivateIp
-    }
-  ]
+  routes = concat(
+    [{
+      name             = "defaultEgressLockdown"
+      addressPrefix    = "0.0.0.0/0"
+      nextHopType      = "VirtualAppliance"
+      nextHopIpAddress = var.firewallPrivateIp
+    },
+    var.routeSpokeTrafficInternally ? [for i, prefix in var.vnetAddressPrefixes : {
+      name            = "spokeInternalTraffic-${i}"
+      addressPrefix   = prefix
+      nextHopType     = "VnetLocal"
+    }] : []
+  ])
 }

scenarios/aca-internal/terraform/modules/02-spoke/variables.tf

@@ -244,3 +244,9 @@ variable "appGatewaySecurityRules" {
 variable "firewallPrivateIp" {
   type = string
 }
+
+variable "routeSpokeTrafficInternally" {
+  type = bool
+  default = false
+  description = "Optional, default value is false. If true, the spoke network will route spoke-internal traffic within the spoke network. If false, traffic will be sent to the hub network."
+}

scenarios/aca-internal/terraform/variables.tf

@@ -305,4 +305,10 @@ variable "workloadProfiles" {
     minimum_count         = number
     maximum_count         = number
   }))
+}
+
+variable "routeSpokeTrafficInternally" {
+  type = bool
+  default = false
+  description = "Optional, default value is false. If true, the spoke network will route spoke-internal traffic within the spoke network. If false, traffic will be sent to the hub network."
 }