Deploy-Default-Udr.AzureChinaCloud.json
{
"name": "Deploy-Default-Udr",
"type": "Microsoft.Authorization/policyDefinitions",
"apiVersion": "2021-06-01",
"scope": null,
"properties": {
"policyType": "Custom",
"mode": "Indexed",
"displayName": "Deploy a user-defined route to a VNET with specific routes.",
"description": "Deploy a user-defined route to a VNET with routes from spoke to hub firewall. This policy must be assigned for each region you plan to use.",
"metadata": {
"version": "1.0.0",
"category": "Network",
"source": "https://github.com/Azure/Enterprise-Scale/",
"alzCloudEnvironments": [
"AzureChinaCloud"
]
},
"parameters": {
"defaultRoute": {
"type": "String",
"metadata": {
"displayName": "Default route to add into UDR",
"description": "Next-hop IP address (the hub firewall) for the 0.0.0.0/0 default route in the route table this policy deploys for a VNet"
}
},
"vnetRegion": {
"type": "String",
"metadata": {
"displayName": "VNet Region",
"description": "Regional VNet hub location",
"strongType": "location"
}
},
"effect": {
"type": "String",
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the policy"
},
"allowedValues": [
"DeployIfNotExists",
"Disabled"
],
"defaultValue": "DeployIfNotExists"
}
},
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Network/virtualNetworks"
},
{
"field": "location",
"equals": "[[parameters('vnetRegion')]"
}
]
},
"then": {
"effect": "[[parameters('effect')]",
"details": {
"type": "Microsoft.Network/routeTables",
"roleDefinitionIds": [
"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"
],
"existenceCondition": {
"allOf": [
{
"field": "Microsoft.Network/routeTables/routes[*].nextHopIpAddress",
"equals": "[[parameters('defaultRoute')]"
}
]
},
"deployment": {
"properties": {
"mode": "incremental",
"parameters": {
"udrName": {
"value": "[[concat(field('name'),'-udr')]"
},
"udrLocation": {
"value": "[[field('location')]"
},
"defaultRoute": {
"value": "[[parameters('defaultRoute')]"
}
},
"template": {
"$schema": "http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json",
"contentVersion": "1.0.0.0",
"parameters": {
"udrName": {
"type": "string"
},
"udrLocation": {
"type": "string"
},
"defaultRoute": {
"type": "string"
}
},
"variables": {},
"resources": [
{
"type": "Microsoft.Network/routeTables",
"name": "[[parameters('udrName')]",
"apiVersion": "2020-08-01",
"location": "[[parameters('udrLocation')]",
"properties": {
"routes": [
{
"name": "AzureFirewallRoute",
"properties": {
"addressPrefix": "0.0.0.0/0",
"nextHopType": "VirtualAppliance",
"nextHopIpAddress": "[[parameters('defaultRoute')]"
}
}
]
}
}
],
"outputs": {}
}
}
}
}
}
}
}
}