Merge pull request #234 from v-fearam/update/azure-hub-spoke

Update/azure hub spoke

solutions/azure-hub-spoke-connected-group/bicep/main.bicep

@@ -71,7 +71,7 @@ module hub 'modules/hub.bicep' = {
 /*** RESOURCES (ALL SPOKES) ***/
 
 @description('Next hop to the regional hub\'s Azure Firewall')
-resource routeNextHopToFirewall 'Microsoft.Network/routeTables@2022-01-01' = {
+resource routeNextHopToFirewall 'Microsoft.Network/routeTables@2023-04-01' = {
   name: 'route-to-${location}-hub-fw'
   location: location
   properties: {
@@ -89,7 +89,7 @@ resource routeNextHopToFirewall 'Microsoft.Network/routeTables@2022-01-01' = {
 }
 
 @description('NSG on the resource subnet (just using a common one for all as an example, but usually would be based on the specific needs of the spoke).')
-resource nsgResourcesSubnet 'Microsoft.Network/networkSecurityGroups@2022-01-01' = {
+resource nsgResourcesSubnet 'Microsoft.Network/networkSecurityGroups@2023-04-01' = {
   name: 'nsg-${location}-spoke-resources'
   location: location
   properties: {
@@ -156,7 +156,7 @@ resource nsgResourcesSubnet 'Microsoft.Network/networkSecurityGroups@2022-01-01'
 }
 
 @description('NSG on the Private Link subnet (just using a common one for all as an example, but usually would be based on the specific needs of the spoke).')
-resource nsgPrivateLinkEndpointsSubnet 'Microsoft.Network/networkSecurityGroups@2022-01-01' = {
+resource nsgPrivateLinkEndpointsSubnet 'Microsoft.Network/networkSecurityGroups@2023-04-01' = {
   name: 'nsg-${location}-spoke-privatelinkendpoint'
   location: location
   properties: {

solutions/azure-hub-spoke-connected-group/bicep/modules/avnm.bicep

@@ -27,7 +27,7 @@ resource networkManager 'Microsoft.Network/networkManagers@2022-05-01' = {
   // for production deployments, consider using Azure Policy to dynamically bring VNETs under 
   // AVNM management. see https://learn.microsoft.com/azure/virtual-network-manager/concept-azure-policy-integration
   @description('This is the static network group for the production spoke VNETs.')
-  resource networkGroupProd 'Microsoft.Network/networkManagers/networkGroups@2022-05-01' = {
+  resource networkGroupProd 'Microsoft.Network/networkManagers/networkGroups@2023-04-01' = {
     name: 'ng-${location}-spokes-prod'
     parent: networkManager
     properties: {
@@ -47,7 +47,7 @@ resource networkManager 'Microsoft.Network/networkManagers@2022-05-01' = {
     }
   }
   @description('This is the static network group for the non-production spoke VNETs.')
-  resource networkGroupNonProd 'Microsoft.Network/networkManagers/networkGroups@2022-05-01' = {
+  resource networkGroupNonProd 'Microsoft.Network/networkManagers/networkGroups@2023-04-01' = {
     name: 'ng-${location}-spokes-nonprod'
     parent: networkManager
     properties: {
@@ -67,7 +67,7 @@ resource networkManager 'Microsoft.Network/networkManagers@2022-05-01' = {
     }
   }
   @description('This is the static network group for all VNETs.')
-  resource networkGroupAll 'Microsoft.Network/networkManagers/networkGroups@2022-05-01' = {
+  resource networkGroupAll 'Microsoft.Network/networkManagers/networkGroups@2023-04-01' = {
     name: 'ng-${location}-all'
     parent: networkManager
     properties: {
@@ -106,7 +106,7 @@ resource networkManager 'Microsoft.Network/networkManagers@2022-05-01' = {
   }
 
 @description('This connectivity configuration defines the connectivity between the spokes.')
-resource connectivityConfigurationNonProd 'Microsoft.Network/networkManagers/connectivityConfigurations@2022-05-01' = {
+resource connectivityConfigurationNonProd 'Microsoft.Network/networkManagers/connectivityConfigurations@2023-04-01' = {
   name: 'cc-${location}-spokesnonprod'
   parent: networkManager
   dependsOn: [
@@ -137,7 +137,7 @@ resource connectivityConfigurationNonProd 'Microsoft.Network/networkManagers/con
 }
 
 @description('This connectivity configuration defines the connectivity between the spokes.')
-resource connectivityConfigurationProd 'Microsoft.Network/networkManagers/connectivityConfigurations@2022-05-01' = {
+resource connectivityConfigurationProd 'Microsoft.Network/networkManagers/connectivityConfigurations@2023-04-01' = {
   name: 'cc-${location}-spokesprod'
   parent: networkManager
   dependsOn: [
@@ -168,13 +168,13 @@ resource connectivityConfigurationProd 'Microsoft.Network/networkManagers/connec
 }
 
 @description('This user assigned identity is used by the Deployment Script resource to interact with Azure resources.')
-resource userAssignedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2022-01-31-preview' = {
+resource userAssignedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
   name: 'uai-${location}'
   location: location
 }
 
 @description('This role assignment grants the user assigned identity the Contributor role on the resource group.')
-resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = {
+resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
   name: guid(resourceGroup().id, userAssignedIdentity.name)
   properties: {
     roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') // Contributor: b24988ac-6180-42a0-ab88-20f7382dd24c
@@ -184,7 +184,7 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-04-01-prev
 }
 
 @description('This is the securityadmin configuration assigned to the AVNM')
-resource securityConfig 'Microsoft.Network/networkManagers/securityAdminConfigurations@2022-05-01' = {
+resource securityConfig 'Microsoft.Network/networkManagers/securityAdminConfigurations@2023-04-01' = {
   name: 'sg-${location}'
   parent: networkManager
   properties: {
@@ -194,7 +194,7 @@ resource securityConfig 'Microsoft.Network/networkManagers/securityAdminConfigur
 }
 
 @description('This is the rules collection for the security admin config assigned to the AVNM')
-resource rulesCollection 'Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections@2022-05-01' = {
+resource rulesCollection 'Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections@2023-04-01' = {
   name: 'rc-${location}'
   parent: securityConfig
   properties: {
@@ -207,7 +207,7 @@ resource rulesCollection 'Microsoft.Network/networkManagers/securityAdminConfigu
 }
 
 @description('This example rule contains all denied inbound TCP ports')
-resource rule1 'Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections/rules@2022-05-01' = if (deployDefaultDenySecurityAdminRules) {
+resource rule1 'Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections/rules@2023-04-01' = if (deployDefaultDenySecurityAdminRules) {
   name: 'r-tcp-${location}'
   kind: 'Custom'
   parent: rulesCollection
@@ -235,7 +235,7 @@ resource rule1 'Microsoft.Network/networkManagers/securityAdminConfigurations/ru
 }
 
 @description('This example rule contains all denied inbound TCP or UDP ports')
-resource rule2 'Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections/rules@2022-05-01' = {
+resource rule2 'Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections/rules@2023-04-01' = {
   name: 'r-tcp-udp-${location}'
   kind: 'Custom'
   parent: rulesCollection
@@ -263,7 +263,7 @@ resource rule2 'Microsoft.Network/networkManagers/securityAdminConfigurations/ru
 }
 
 @description('This example rule contains all denied inbound UDP ports')
-resource rule3 'Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections/rules@2022-05-01' = {
+resource rule3 'Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections/rules@2023-04-01' = {
   name: 'r-udp-${location}'
   kind: 'Custom'
   parent: rulesCollection
@@ -291,7 +291,7 @@ resource rule3 'Microsoft.Network/networkManagers/securityAdminConfigurations/ru
 }
 
 @description('This example rule always allows outbound traffic to Azure Active Directory, overriding NSG outbound restrictions')
-resource rule4 'Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections/rules@2022-05-01' = {
+resource rule4 'Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections/rules@2023-04-01' = {
   name: 'r-alwaysallow-${location}'
   kind: 'Custom'
   parent: rulesCollection
@@ -319,7 +319,7 @@ resource rule4 'Microsoft.Network/networkManagers/securityAdminConfigurations/ru
 }
 
 @description('This example rule allows outbound traffic to Azure SQL, unless an NSG in the path denies it')
-resource rule5 'Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections/rules@2022-05-01' = {
+resource rule5 'Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections/rules@2023-04-01' = {
   name: 'r-allowsql-${location}'
   kind: 'Custom'
   parent: rulesCollection

solutions/azure-hub-spoke-connected-group/bicep/modules/hub.bicep

@@ -4,7 +4,7 @@ param deployVpnGateway bool
 param deployVirtualMachines bool
 
 @description('This Log Analyics Workspace stores logs from the regional hub network, its spokes, and other related resources. Workspaces are regional resource, as such there would be one workspace per hub (region)')
-resource laHub 'Microsoft.OperationalInsights/workspaces@2021-06-01' = {
+resource laHub 'Microsoft.OperationalInsights/workspaces@2022-10-01' = {
   name: 'la-hub-${location}'
   location: location
   properties: {
@@ -46,7 +46,7 @@ resource laHub_diagnosticsSettings 'Microsoft.Insights/diagnosticSettings@2021-0
 }
 
 @description('The NSG around the Azure Bastion subnet. Source: https://learn.microsoft.com/azure/bastion/bastion-nsg')
-resource nsgBastionSubnet 'Microsoft.Network/networkSecurityGroups@2022-01-01' = {
+resource nsgBastionSubnet 'Microsoft.Network/networkSecurityGroups@2023-04-01' = {
   name: 'nsg-${location}-bastion'
   location: location
   properties: {
@@ -230,7 +230,7 @@ resource nsgBastionSubnet_diagnosticSettings 'Microsoft.Insights/diagnosticSetti
 }
 
 @description('The regional hub network.')
-resource vnetHub 'Microsoft.Network/virtualNetworks@2022-01-01' = {
+resource vnetHub 'Microsoft.Network/virtualNetworks@2023-04-01' = {
   name: 'vnet-${location}-hub'
   location: location
   properties: {
@@ -293,7 +293,7 @@ resource vnetHub_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-
 
 // Allocate three IP addresses to the firewall
 var numFirewallIpAddressesToAssign = 3
-resource pipsAzureFirewall 'Microsoft.Network/publicIPAddresses@2022-01-01' = [for i in range(0, numFirewallIpAddressesToAssign): {
+resource pipsAzureFirewall 'Microsoft.Network/publicIPAddresses@2023-04-01' = [for i in range(0, numFirewallIpAddressesToAssign): {
   name: 'pip-fw-${location}-${padLeft(i, 2, '0')}'
   location: location
   sku: {
@@ -332,7 +332,7 @@ resource pipsAzureFirewall_diagnosticSetting 'Microsoft.Insights/diagnosticSetti
 }]
 
 @description('Azure Firewall Policy')
-resource fwPolicy 'Microsoft.Network/firewallPolicies@2022-01-01' = {
+resource fwPolicy 'Microsoft.Network/firewallPolicies@2023-04-01' = {
   name: 'fw-policies-${location}'
   location: location
   properties: {
@@ -354,7 +354,7 @@ resource fwPolicy 'Microsoft.Network/firewallPolicies@2022-01-01' = {
   // This network hub starts out with only supporting external DNS queries. This is only being done for
   // simplicity in this deployment and is not guidance, please ensure all firewall rules are aligned with
   // your security standards.
-  resource defaultNetworkRuleCollectionGroup 'ruleCollectionGroups@2022-01-01' = {
+  resource defaultNetworkRuleCollectionGroup 'ruleCollectionGroups@2023-04-01' = {
     name: 'DefaultNetworkRuleCollectionGroup'
     properties: {
       priority: 200
@@ -394,7 +394,7 @@ resource fwPolicy 'Microsoft.Network/firewallPolicies@2022-01-01' = {
   }
 
   // Network hub starts out with no allowances for appliction rules
-  resource defaultApplicationRuleCollectionGroup 'ruleCollectionGroups@2022-01-01' = {
+  resource defaultApplicationRuleCollectionGroup 'ruleCollectionGroups@2023-04-01' = {
     name: 'DefaultApplicationRuleCollectionGroup'
     dependsOn: [
       defaultNetworkRuleCollectionGroup
@@ -439,7 +439,7 @@ resource fwPolicy 'Microsoft.Network/firewallPolicies@2022-01-01' = {
 }
 
 @description('This is the regional Azure Firewall that all regional spoke networks can egress through.')
-resource fwHub 'Microsoft.Network/azureFirewalls@2022-01-01' = {
+resource fwHub 'Microsoft.Network/azureFirewalls@2023-04-01' = {
   name: 'fw-${location}'
   location: location
   zones: [
@@ -497,7 +497,7 @@ resource fwHub_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05
 
 
 @description('The public IP for the regional hub\'s Azure Bastion service.')
-resource pipAzureBastion 'Microsoft.Network/publicIPAddresses@2022-01-01' = if (deployAzureBastion) {
+resource pipAzureBastion 'Microsoft.Network/publicIPAddresses@2023-04-01' = if (deployAzureBastion) {
   name: 'pip-ab-${location}'
   location: location
   sku: {
@@ -536,7 +536,7 @@ resource pipAzureBastion_diagnosticSetting 'Microsoft.Insights/diagnosticSetting
 }
 
 @description('This regional hub\'s Azure Bastion service. NSGs are configured to allow Bastion to reach any resource subnet in peered spokes.')
-resource azureBastion 'Microsoft.Network/bastionHosts@2022-01-01' = if (deployAzureBastion) {
+resource azureBastion 'Microsoft.Network/bastionHosts@2023-04-01' = if (deployAzureBastion) {
   name: 'ab-${location}'
   location: location
   sku: {
@@ -575,7 +575,7 @@ resource azureBastion_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@
 }
 
 @description('The public IPs for the regional VPN gateway. Only deployed if requested.')
-resource pipVpnGateway 'Microsoft.Network/publicIPAddresses@2022-01-01' = if (deployVpnGateway) {
+resource pipVpnGateway 'Microsoft.Network/publicIPAddresses@2023-04-01' = if (deployVpnGateway) {
   name: 'pip-vgw-${location}'
   location: location
   sku: {
@@ -614,7 +614,7 @@ resource pipVpnGateway_diagnosticSetting 'Microsoft.Insights/diagnosticSettings@
 }
 
 @description('The is the regional VPN gateway, configured with basic settings. Only deployed if requested.')
-resource vgwHub 'Microsoft.Network/virtualNetworkGateways@2022-01-01' = if (deployVpnGateway) {
+resource vgwHub 'Microsoft.Network/virtualNetworkGateways@2023-04-01' = if (deployVpnGateway) {
   name: 'vgw-${location}-hub'
   location: location
   properties: {

solutions/azure-hub-spoke-connected-group/bicep/modules/spoke.bicep

@@ -10,15 +10,15 @@ param nsgPrivateLinkEndpointsSubnetId string
 @secure()
 param adminPassword string
 
-resource hubNet 'Microsoft.Network/virtualNetworks@2022-07-01' existing = {
+resource hubNet 'Microsoft.Network/virtualNetworks@2023-04-01' existing = {
   name: 'vnet-${location}-hub'
 
   resource azureBastionSubnet 'subnets' existing = {
     name: 'AzureBastionSubnet'
   }
 }
 
-resource vnet 'Microsoft.Network/virtualNetworks@2022-01-01' = {
+resource vnet 'Microsoft.Network/virtualNetworks@2023-04-01' = {
   name: 'vnet-${location}-spoke-${spokeName}'
   location: location
   properties: {
@@ -79,7 +79,7 @@ resource vnet_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-
 }
 
 @description('The private Network Interface Card for the Windows VM in spoke.')
-resource nic 'Microsoft.Network/networkInterfaces@2022-01-01' = if (deployVirtualMachines) {
+resource nic 'Microsoft.Network/networkInterfaces@2023-04-01' = if (deployVirtualMachines) {
   name: 'nic-vm-${location}-${spokeName}-ubuntu'
   location: location
   properties: {
@@ -113,7 +113,7 @@ resource nic_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-0
 }
 
 @description('A basic Ubuntu Linux virtual machine that will be attached to spoke.')
-resource vm 'Microsoft.Compute/virtualMachines@2022-03-01' = if (deployVirtualMachines) {
+resource vm 'Microsoft.Compute/virtualMachines@2023-03-01' = if (deployVirtualMachines) {
   name: 'vm-${location}-spoke-${spokeName}-ubuntu'
   location: location
   properties: {