{"id":22060,"date":"2020-07-16T08:59:44","date_gmt":"2020-07-16T07:59:44","guid":{"rendered":"https:\/\/aidanfinn.com\/?p=22060"},"modified":"2020-07-16T08:59:44","modified_gmt":"2020-07-16T07:59:44","slug":"azure-virtual-wan-arm-secured-virtual-hub-azure-firewall","status":"publish","type":"post","link":"https:\/\/aidanfinn.com\/?p=22060","title":{"rendered":"Azure Virtual WAN ARM &#8211; Secured Virtual Hub Azure Firewall"},"content":{"rendered":"<p>I have spent quite a few hours figuring out how to deploy Azure&#8217;s new Secured Virtual Hub, an extension of Azure Virtual WAN, deployed using ARM templates (JSON). A lot of the bits are either not documented or incorrectly documented. One of the frustrating bits to deploy was the Azure Firewall resource &#8211; and the online examples <em>did not help<\/em>.<\/p>\n<p>The issue was that the 2 sources I could find did not include public IP addresses on the firewall:<\/p>\n<ul>\n<li>The quick start for Secured Virtual Hub on <a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/firewall-manager\/quick-secure-virtual-hub\" target=\"_blank\" rel=\"noopener noreferrer\">docs.microsoft.com<\/a><\/li>\n<li>The new Enterprise-Scale &#8220;well-architected&#8221; Framework, found in Cloud Adoption Framework<\/li>\n<\/ul>\n<p>Digging to solve that uncovered:<\/p>\n<ul>\n<li>The examples used quite an old API version, 2019-08-01, to deploy the Microsoft.Network\/azureFirewalls resource.<\/li>\n<li>There was no example of how to add a public IP address to the firewall in Secured Virtual Hub because it was not possible with that API &#8211; SVH is quite different from a VNet deployment because you do not have direct access to the underlying hub virtual network.<\/li>\n<li>Being an old API, we lose features such as SNAT for non-RFC1918 addresses (important in universities and public sector) and the newer custom &amp; proxy DNS features.<\/li>\n<\/ul>\n<p>In my digging, I did uncover that the ARM reference for the Azure Firewall was 
incorrect, but I did uncover a new, barely-documented property called hubIPAddresses; I knew this property was the key to solving the public IP address issue. So I thought about what was going on and how I was going to solve it.<\/p>\n<p>I ended up doing what I would normally do if I did not have a quick start template to start with:<\/p>\n<ol>\n<li>Deploy the resource(s) by hand in the Azure Portal<\/li>\n<li>Observe the options &#8211; there was a slide control for the quantity of firewall public IP addresses<\/li>\n<li>Export the resulting template<\/li>\n<\/ol>\n<p>And &#8230; there was the solution:<\/p>\n<ol>\n<li>There is a new, undocumented API version for the Azure Firewall resource: 2020-05-01<\/li>\n<li>There is a new object property called hubIPAddresses that contains an object sub-property called publicIPs. You can set a string value called count to control how many public IP addresses Azure will assign (on your behalf) to the firewall &#8211; you do not need to create the public IP address resources.<\/li>\n<\/ol>\n<pre class=\"lang:default decode:true \">        \"hubIPAddresses\": {\r\n          \"publicIPs\": {\r\n            \"count\": \"[parameters('firewallPublicIpQuantity')]\"\r\n          }\r\n        }<\/pre>\n<p>Sorted!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I have spent quite a few hours figuring out how to deploy Azure&#8217;s new Secured Virtual Hub, an extension of Azure Virtual WAN, deployed using ARM templates (JSON). A lot of the bits are either not documented or incorrectly documented. 
One of the frustrating bits to deploy was the Azure Firewall resource &#8211; and the &hellip;<\/p>\n","protected":false}}