Add UDR option to route spoke traffic internally

Azure · Oct 31, 2024 · 6070245 · 6070245
1 parent 1407ca0
commit 6070245
Show file tree

Hide file tree

Showing 6 changed files with 35 additions and 2 deletions.
diff --git a/scenarios/aca-internal/azure-resource-manager/main.json b/scenarios/aca-internal/azure-resource-manager/main.json
@@ -3469,6 +3469,13 @@
                 "description": "CIDR of the spoke infrastructure subnet."
               }
             },
+            "routeSpokeTrafficInternally": {
+              "type": "bool",
+              "defaultValue": false,
+              "metadata": {
+                "description": "Optional, default value is false. If true, the spoke network will route spoke-internal traffic within the spoke network. If false, traffic will be sent to the hub network."
+              }
+            },
             "spokePrivateEndpointsSubnetName": {
               "type": "string",
               "defaultValue": "snet-pep",

diff --git a/scenarios/aca-internal/bicep/main.bicep b/scenarios/aca-internal/bicep/main.bicep
@@ -98,6 +98,9 @@ param spokePrivateEndpointsSubnetAddressPrefix string
 @description('CIDR of the Spoke Application Gateway Subnet.')
 param spokeApplicationGatewaySubnetAddressPrefix string
 
+@description('Optional, default value is false. If true, the spoke network will route spoke-internal traffic within the spoke network. If false, traffic will be sent to the hub network.')
+param routeSpokeTrafficInternally bool = false
+
 @description('Enable or disable the createion of Application Insights.')
 param enableApplicationInsights bool
 
@@ -193,6 +196,7 @@ module spoke 'modules/02-spoke/deploy.spoke.bicep' = {
     spokePrivateEndpointsSubnetAddressPrefix: spokePrivateEndpointsSubnetAddressPrefix
     spokeVNetAddressPrefixes: spokeVNetAddressPrefixes
     networkApplianceIpAddress: deployHub ? hub.outputs.networkApplianceIpAddress : ''
+    routeSpokeTrafficInternally: routeSpokeTrafficInternally
     vmSize: vmSize
     vmAdminUsername: vmAdminUsername
     vmAdminPassword: vmAdminPassword

diff --git a/scenarios/aca-internal/bicep/main.parameters.json b/scenarios/aca-internal/bicep/main.parameters.json
@@ -71,6 +71,9 @@
     "spokeApplicationGatewaySubnetAddressPrefix": {
       "value":  "10.1.3.0/24"
     },
+    "routeSpokeTrafficInternally": {
+      "value":  false
+    },
     "enableApplicationInsights": {
       "value": true
     },

diff --git a/scenarios/aca-internal/bicep/main.parameters.jsonc b/scenarios/aca-internal/bicep/main.parameters.jsonc
@@ -79,6 +79,10 @@
     "spokeApplicationGatewaySubnetAddressPrefix": {
       "value":  "10.1.3.0/24"
     },
+    // If you want to keep spoke-internal traffic for the container apps within the spoke, set this to true
+    "routeSpokeTrafficInternally": {
+      "value":  false
+    },
     // If you want to deploy Application Insights, set this to true
     "enableApplicationInsights": {
       "value": true

diff --git a/scenarios/aca-internal/bicep/modules/02-spoke/deploy.spoke.bicep b/scenarios/aca-internal/bicep/modules/02-spoke/deploy.spoke.bicep
@@ -51,6 +51,9 @@ param spokeApplicationGatewaySubnetAddressPrefix string
 @description('The IP address of the network appliance (e.g. firewall) that will be used to route traffic to the internet.')
 param networkApplianceIpAddress string
 
+@description('Optional, default value is false. If true, the spoke network will route spoke-internal traffic within the spoke network. If false, traffic will be sent to the hub network.')
+param routeSpokeTrafficInternally bool = false
+
 @description('The size of the jump box virtual machine to create. See https://learn.microsoft.com/azure/virtual-machines/sizes for more information.')
 param vmSize string
 
@@ -299,6 +302,7 @@ module peerHubToSpoke '../../../../shared/bicep/network/peering.bicep' = if (!em
     remoteVnetName: vnetSpoke.outputs.vnetName
   }
 }
+
 @description('The Route Table deployment')
 module egressLockdownUdr '../../../../shared/bicep/routeTables/main.bicep' = if (networkApplianceIpAddress != '') {
   name: take('egressLockdownUdr-${uniqueString(spokeResourceGroup.id)}', 64)
@@ -307,7 +311,7 @@ module egressLockdownUdr '../../../../shared/bicep/routeTables/main.bicep' = if
     name: naming.outputs.resourcesNames.routeTable
     location: location
     tags: tags
-    routes: [
+    routes: concat([
       {
         name: 'defaultEgressLockdown'
         properties: {
@@ -316,7 +320,15 @@ module egressLockdownUdr '../../../../shared/bicep/routeTables/main.bicep' = if
           nextHopIpAddress: networkApplianceIpAddress
         }
       }
-    ]
+    ], routeSpokeTrafficInternally ? [
+      {
+        name: 'spokeInternalTraffic'
+        properties: {
+          addressPrefix: spokeVNetAddressPrefixes[0]
+          nextHopType: 'VnetLocal'
+        }
+      }
+    ] : [])
   }
 }
 

diff --git a/scenarios/aca-internal/bicep/modules/02-spoke/deploy.spoke.parameters.jsonc b/scenarios/aca-internal/bicep/modules/02-spoke/deploy.spoke.parameters.jsonc
@@ -36,6 +36,9 @@
     "networkApplianceIpAddress": {
       "value": "[IP OF THE NETWORK APPLIANCE]"
     },
+    "routeSpokeTrafficInternally": {
+      "value":  false
+    },
     "vmSize": {
       "value": "Standard_B2ms"
     },