diff --git a/docs/archetypes/generic-subscription.md b/docs/archetypes/generic-subscription.md index 12b52617..2c650701 100644 --- a/docs/archetypes/generic-subscription.md +++ b/docs/archetypes/generic-subscription.md @@ -374,6 +374,13 @@ The rest of the segments for the **virtualNetworkId** string must also match the in case a different prefix besides **pubsec** was used to conform to a specific and preferred naming convention or organization prefix (item **2**), or the default VNET name of hub-vnet was also changed to something else, (**item 3**) - again based on a specific and preferred naming convention that may have been used before when the actual hub VNET was deployed. +> Each subnet in the spoke virtual network has its own User Defined Route (UDR). This allows for scenarios in which subnets can have different routing rules. It is possible for a single User Defined Route to be associated with many spoke subnets by customizing the automation code. ### Deployment Instructions +### Virtual Appliance IP +To ensure traffic is routed/filtered via the firewall, please validate or update the "egressVirtualApplianceIp" value to the firewall IP in your environment: + - For Azure Firewall, use the firewall IP address + - For Network Virtual Appliances (i.e. Fortigate firewalls), use the internal load-balancer IP (item **1**) +![Generic Subscription:Egress Virtual Appliance IP](../../docs/media/archetypes/egressvirtualApplianceIP.jpg) + Please see [archetype authoring guide for deployment instructions](authoring-guide.md#deployment-instructions). diff --git a/docs/architecture.md b/docs/architecture.md index 1aefc341..d5d852b4 100644 --- a/docs/architecture.md +++ b/docs/architecture.md 
@@ -328,6 +328,8 @@ Following the nomenclature of [ITSG-22][itsg22], these would be the default subn * App Management Zone (OZ), an optional network for app management servers in the spoke. * All zones would allow management traffic from the Management Access Zone (OZ). +> Automation code deploys generic network security groups (NSGs) without the above traffic flow restrictions as they are dependent on the application architecture. The NSG rules can be customized to control subnet-to-subnet traffic within a virtual network by customizing the automation code. Each subnet in the spoke virtual network has its own User Defined Route (UDR). This allows for scenarios in which subnets can have different routing rules. It is possible for a single User Defined Route to be associated with many spoke subnets by customizing the automation code. + --- ## 6. Logging diff --git a/docs/media/archetypes/egressvirtualApplianceIP.jpg b/docs/media/archetypes/egressvirtualApplianceIP.jpg new file mode 100644 index 00000000..7ff5aa33 Binary files /dev/null and b/docs/media/archetypes/egressvirtualApplianceIP.jpg differ
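Review bot: in the docs/archetypes/generic-subscription.md hunk the new `### Virtual Appliance IP` heading is inserted after `### Deployment Instructions`, so the existing line "Please see [archetype authoring guide for deployment instructions](authoring-guide.md#deployment-instructions)." now renders under "Virtual Appliance IP" and "Deployment Instructions" is left with no body. Move the Virtual Appliance IP block (heading, the two bullets and the image) above `### Deployment Instructions`, or demote it to `####` so it reads as a pre-deployment step of that section. Two smaller points in the same block: "i.e. Fortigate firewalls" should be "e.g.", since Fortigate is one example of a Network Virtual Appliance rather than a definition of the term; and "validate or update the egressVirtualApplianceIp value" gives the reader no way to confirm the result, so add a sentence on how to check after deployment that spoke traffic actually takes the route to the firewall (for example with Network Watcher's next hop check), because a UDR whose next hop points at the wrong address silently misroutes or drops egress rather than failing the deployment. The image path `../../docs/media/archetypes/egressvirtualApplianceIP.jpg` leaves `docs/` and re-enters it; from `docs/archetypes/` the plain `../media/archetypes/egressvirtualApplianceIP.jpg` resolves to the same file.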
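Review bot: in the docs/architecture.md hunk the added note says the generated NSGs omit the zone traffic restrictions listed above it, but not what the generated rules do allow; a reader sizing a deployment needs to know whether subnet-to-subnet traffic inside the spoke is open by default. State the default rule set (or link to where the automation code defines it) and say plainly that the zone model described above is a target the deployer has to implement by customizing the NSG rules, not something the templates enforce. Wording: "without the above traffic flow restrictions as they are dependent on the application architecture" reads better as "without the traffic flow restrictions above, since those depend on the application architecture". The three UDR sentences are the same text added verbatim to docs/archetypes/generic-subscription.md in this change; keep one copy and cross-reference it so the two do not drift apart. Also insert a blank line between the last `*` bullet and the `>` block quote so the quote is not treated as a continuation of the list item by renderers that require it.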
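Review bot: the new binary docs/media/archetypes/egressvirtualApplianceIP.jpg uses mixed casing (`egressvirtualApplianceIP`); the reference added in docs/archetypes/generic-subscription.md matches it exactly, so nothing breaks now, but on a case-sensitive host any later reference that normalizes to `egressVirtualApplianceIp` (the parameter name the text uses) will 404. Consider a consistent lowercase or parameter-matching name before the path is copied elsewhere. The callout "item **1**" in the text exists only inside the screenshot, so also spell out in the text which field the callout marks.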