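// Hub/spoke demo: an Azure SQL server reachable only through a private endpoint in
// the spoke VNet, a VPN gateway (AAD-authenticated, OpenVPN) and a DNS Private
// Resolver inbound endpoint in the hub, and a privatelink DNS zone linked to the hub.
//
// Changes from the previous revision (deployment ordering / correctness):
//  - VNet peerings are declared once, as child resources, instead of both inline
//    in each VNet and again as child resources (duplicate definitions of the same
//    peering and an unordered reference to a VNet that may not exist yet).
//  - The spoke peering sets useRemoteGateways, which the service rejects until the
//    hub gateway exists, so it now depends on the gateway resource.
//  - Subnet / VNet / zone ids use symbolic references so Bicep infers the
//    dependencies; the hand-written dependsOn arrays are dropped.
//  - registrationEnabled on the privatelink zone link is false: auto-registration
//    would add hub VM host records into privatelink.database.windows.net.
targetScope = 'resourceGroup'

@minLength(1)
@description('Primary location for all resources')
param location string = resourceGroup().location

@description('AAD Tenant Id')
param aadTenantId string

@description('AAD VPN Client Application Id')
param aadAudienceId string

@description('AAD Group DatabaseAdmin Object Id')
param dbAdminSid string

// newGuid() is evaluated per deployment, so the server and database names below are
// not stable across redeployments unless guidValue is supplied explicitly.
@description('Seed for the generated SQL server and database names')
param guidValue string = newGuid()

@description('Azure SQL logical server name')
param dbServerName string = 'dbsvr-vnetdemo-${uniqueString(guidValue)}'

@description('Azure SQL database name')
param dbName string = 'db-${uniqueString(guidValue)}'

@description('Private endpoint name for the SQL server')
param privateEndpointForDbName string = 'pe-db-vnetdemo'

@description('DNS Private Resolver name')
param dnsPrivateResolverName string = 'dnspr-vnetdemo'

@description('NIC name for the SQL private endpoint')
param networkInterfaceForDbPeName string = 'nic-dbpe-vnetdemo'

@description('Private DNS zone for SQL private link')
param privateDnsZonesDatabaseWindowsNetName string = 'privatelink.database.windows.net'

@description('Public IP name for the VPN gateway')
param publicIPAddressesForVpnGatewayName string = 'pip-vgw-vnetdemo'

@description('VPN gateway name')
param virtualNetworkGatewayName string = 'vgtw-vnetdemo'

@description('Spoke VNet name (hosts the private endpoint)')
param virtualNetworkSpokeName string = 'vnet-spoke-vnetdemo'

@description('Hub VNet name (hosts the gateway and resolver)')
param virtualNetworkHubName string = 'vnet-hub-vnetdemo'

// Private DNS zone that the private endpoint's A record is written into.
resource privateDnsZonesDatabaseWindowsNetResource 'Microsoft.Network/privateDnsZones@2018-09-01' = {
  name: privateDnsZonesDatabaseWindowsNetName
  location: 'global'
}

// Standard-SKU static public IP for the VPN gateway.
resource publicIPAddressesForVpnGatewayResource 'Microsoft.Network/publicIPAddresses@2022-07-01' = {
  name: publicIPAddressesForVpnGatewayName
  location: location
  sku: {
    name: 'Standard'
    tier: 'Regional'
  }
  properties: {
    publicIPAddressVersion: 'IPv4'
    publicIPAllocationMethod: 'Static'
    idleTimeoutInMinutes: 4
    ipTags: []
  }
}

// SQL logical server: no public network access, TLS 1.2 minimum, AAD-only
// authentication with the DatabaseAdmin group as administrator.
resource dbServerNameResource 'Microsoft.Sql/servers@2022-08-01-preview' = {
  name: dbServerName
  location: location
  properties: {
    version: '12.0'
    minimalTlsVersion: '1.2'
    publicNetworkAccess: 'Disabled'
    restrictOutboundNetworkAccess: 'Disabled'
    administrators: {
      administratorType: 'ActiveDirectory'
      principalType: 'Group'
      login: 'DatabaseAdmin'
      sid: dbAdminSid
      tenantId: aadTenantId
      azureADOnlyAuthentication: true
    }
  }
}

// Restates the AAD administrator already set in the server's `administrators`
// block; kept for parity with the exported template.
resource dbServerAdminActiveDirectory 'Microsoft.Sql/servers/administrators@2022-08-01-preview' = {
  parent: dbServerNameResource
  name: 'ActiveDirectory'
  properties: {
    administratorType: 'ActiveDirectory'
    login: 'DatabaseAdmin'
    sid: dbAdminSid
    tenantId: aadTenantId
  }
}

// Ordered after the administrator child so the two server-level settings are not
// written concurrently.
resource azureADOnlyAuthenticationsdbServerNameDefault 'Microsoft.Sql/servers/azureADOnlyAuthentications@2022-08-01-preview' = {
  parent: dbServerNameResource
  name: 'Default'
  properties: {
    azureADOnlyAuthentication: true
  }
  dependsOn: [
    dbServerAdminActiveDirectory
  ]
}

resource dbServerConnectionPolicy 'Microsoft.Sql/servers/connectionPolicies@2022-08-01-preview' = {
  parent: dbServerNameResource
  name: 'default'
  location: location
  properties: {
    connectionType: 'Default'
  }
}

// Basic-tier database, 2 GiB max size.
resource dbResource 'Microsoft.Sql/servers/databases@2022-08-01-preview' = {
  parent: dbServerNameResource
  name: dbName
  location: location
  sku: {
    name: 'Basic'
    tier: 'Basic'
    capacity: 5
  }
  properties: {
    collation: 'SQL_Latin1_General_CP1_CI_AS'
    maxSizeBytes: 2147483648
    catalogCollation: 'SQL_Latin1_General_CP1_CI_AS'
    readScale: 'Disabled'
    requestedBackupStorageRedundancy: 'Geo'
    isLedgerOn: false
  }
}

// Hub VNet (10.2.0.0/16): GatewaySubnet for the VPN gateway and a subnet delegated
// to the DNS resolver. Peerings are declared below as child resources.
resource virtualNetworkHubResource 'Microsoft.Network/virtualNetworks@2022-07-01' = {
  name: virtualNetworkHubName
  location: location
  properties: {
    addressSpace: {
      addressPrefixes: [
        '10.2.0.0/16'
      ]
    }
    subnets: [
      {
        name: 'GatewaySubnet'
        properties: {
          addressPrefix: '10.2.0.0/24'
          serviceEndpoints: []
          delegations: []
          privateEndpointNetworkPolicies: 'Disabled'
          privateLinkServiceNetworkPolicies: 'Enabled'
        }
        type: 'Microsoft.Network/virtualNetworks/subnets'
      }
      {
        name: 'ResolverSubnet'
        properties: {
          addressPrefix: '10.2.3.0/28'
          delegations: [
            {
              name: 'Microsoft.Network.dnsResolvers'
              properties: {
                serviceName: 'Microsoft.Network/dnsResolvers'
              }
              type: 'Microsoft.Network/virtualNetworks/subnets/delegations'
            }
          ]
          privateEndpointNetworkPolicies: 'Disabled'
          privateLinkServiceNetworkPolicies: 'Enabled'
        }
        type: 'Microsoft.Network/virtualNetworks/subnets'
      }
    ]
    enableDdosProtection: false
  }
}

// DNS Private Resolver in the hub; VPN clients can point at its inbound endpoint
// to resolve the privatelink zone.
resource dnsPrivateResolverResource 'Microsoft.Network/dnsResolvers@2022-07-01' = {
  name: dnsPrivateResolverName
  location: location
  properties: {
    virtualNetwork: {
      id: virtualNetworkHubResource.id
    }
  }
}

resource dnsPrivateResolverInbound 'Microsoft.Network/dnsResolvers/inboundEndpoints@2022-07-01' = {
  parent: dnsPrivateResolverResource
  name: 'Inbound'
  location: location
  properties: {
    ipConfigurations: [
      {
        subnet: {
          id: '${virtualNetworkHubResource.id}/subnets/ResolverSubnet'
        }
        // A fixed address (e.g. 10.2.3.4) would make the resolver IP predictable for
        // VPN client DNS settings; left dynamic as in the original.
        privateIpAllocationMethod: 'Dynamic'
      }
    ]
  }
}

resource privateDnsZonesDatabaseWindowsNetSOAName 'Microsoft.Network/privateDnsZones/SOA@2018-09-01' = {
  parent: privateDnsZonesDatabaseWindowsNetResource
  name: '@'
  properties: {
    ttl: 3600
    soaRecord: {
      email: 'azureprivatedns-host.microsoft.com'
      expireTime: 2419200
      host: 'azureprivatedns.net'
      minimumTtl: 10
      refreshTime: 3600
      retryTime: 300
      serialNumber: 1
    }
  }
}

// Link the privatelink zone to the hub so the resolver (and anything in the hub)
// resolves the private endpoint address. Auto-registration is off: this zone must
// only hold the private-endpoint records written by the DNS zone group.
resource privateDnsZonesPrivatelinkVnetLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2018-09-01' = {
  parent: privateDnsZonesDatabaseWindowsNetResource
  name: '${privateDnsZonesDatabaseWindowsNetName}-hub-vnet-link'
  location: 'global'
  properties: {
    registrationEnabled: false
    virtualNetwork: {
      id: virtualNetworkHubResource.id
    }
  }
}

// Private endpoint for the SQL server, placed in the spoke's PrivateLinkSubnet.
resource privateEndpointForDbNameResource 'Microsoft.Network/privateEndpoints@2022-07-01' = {
  name: privateEndpointForDbName
  location: location
  properties: {
    privateLinkServiceConnections: [
      {
        name: privateEndpointForDbName
        properties: {
          privateLinkServiceId: dbServerNameResource.id
          groupIds: [
            'sqlServer'
          ]
        }
      }
    ]
    manualPrivateLinkServiceConnections: []
    customNetworkInterfaceName: networkInterfaceForDbPeName
    subnet: {
      id: '${virtualNetworkSpokeResource.id}/subnets/PrivateLinkSubnet'
    }
    ipConfigurations: []
    customDnsConfigs: []
  }
}

// Writes the endpoint's A record into the privatelink zone.
resource privateEndpointDnzZoneGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2022-07-01' = {
  parent: privateEndpointForDbNameResource
  name: 'default'
  properties: {
    privateDnsZoneConfigs: [
      {
        name: 'privatelink-database-windows-net'
        properties: {
          privateDnsZoneId: privateDnsZonesDatabaseWindowsNetResource.id
        }
      }
    ]
  }
}

// Route-based VpnGw1 point-to-site gateway, OpenVPN with AAD authentication only
// (no certificate or RADIUS auth configured).
resource virtualNetworkGatewayResource 'Microsoft.Network/virtualNetworkGateways@2022-07-01' = {
  name: virtualNetworkGatewayName
  location: location
  properties: {
    enablePrivateIpAddress: false
    ipConfigurations: [
      {
        name: 'default'
        properties: {
          privateIPAllocationMethod: 'Dynamic'
          publicIPAddress: {
            id: publicIPAddressesForVpnGatewayResource.id
          }
          subnet: {
            id: '${virtualNetworkHubResource.id}/subnets/GatewaySubnet'
          }
        }
      }
    ]
    natRules: []
    virtualNetworkGatewayPolicyGroups: []
    enableBgpRouteTranslationForNat: false
    disableIPSecReplayProtection: false
    sku: {
      name: 'VpnGw1'
      tier: 'VpnGw1'
    }
    gatewayType: 'Vpn'
    vpnType: 'RouteBased'
    enableBgp: false
    activeActive: false
    vpnClientConfiguration: {
      vpnClientAddressPool: {
        addressPrefixes: [
          '172.16.201.0/24'
        ]
      }
      vpnClientProtocols: [
        'OpenVPN'
      ]
      vpnAuthenticationTypes: [
        'AAD'
      ]
      vpnClientRootCertificates: []
      vpnClientRevokedCertificates: []
      vngClientConnectionConfigurations: []
      radiusServers: []
      vpnClientIpsecPolicies: []
      aadTenant: 'https://login.microsoftonline.com/${aadTenantId}/'
      aadAudience: aadAudienceId
      aadIssuer: 'https://sts.windows.net/${aadTenantId}/'
    }
    // BGP is disabled (enableBgp: false); these settings are retained from the
    // exported template and are not used.
    bgpSettings: {
      asn: 65515
      bgpPeeringAddress: '10.2.0.254'
      peerWeight: 0
      bgpPeeringAddresses: [
        {
          ipconfigurationId: resourceId('Microsoft.Network/virtualNetworkGateways/ipConfigurations', virtualNetworkGatewayName, 'default')
          customBgpIpAddresses: []
        }
      ]
    }
    customRoutes: {
      addressPrefixes: []
    }
    vpnGatewayGeneration: 'Generation1'
    allowRemoteVnetTraffic: false
    allowVirtualWanTraffic: false
  }
}

// Spoke VNet (10.1.0.0/16) with the subnet that hosts the SQL private endpoint.
resource virtualNetworkSpokeResource 'Microsoft.Network/virtualNetworks@2022-07-01' = {
  name: virtualNetworkSpokeName
  location: location
  properties: {
    addressSpace: {
      addressPrefixes: [
        '10.1.0.0/16'
      ]
    }
    subnets: [
      {
        name: 'PrivateLinkSubnet'
        properties: {
          addressPrefix: '10.1.1.0/24'
          // Retained from the original; with publicNetworkAccess disabled on the
          // server, access is via the private endpoint rather than this endpoint.
          serviceEndpoints: [
            {
              service: 'Microsoft.Sql'
              locations: [
                location
              ]
            }
          ]
          delegations: []
          privateEndpointNetworkPolicies: 'Disabled'
          privateLinkServiceNetworkPolicies: 'Enabled'
        }
        type: 'Microsoft.Network/virtualNetworks/subnets'
      }
    ]
    enableDdosProtection: false
  }
}

// Hub -> spoke peering; the hub offers gateway transit so the spoke can use the
// VPN gateway.
resource virtualNetworkHubPeeringToSpoke 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2022-07-01' = {
  parent: virtualNetworkHubResource
  name: 'peering-to-spoke'
  properties: {
    peeringState: 'Connected'
    peeringSyncLevel: 'FullyInSync'
    remoteVirtualNetwork: {
      id: virtualNetworkSpokeResource.id
    }
    allowVirtualNetworkAccess: true
    allowForwardedTraffic: true
    allowGatewayTransit: true
    useRemoteGateways: false
    doNotVerifyRemoteGateways: false
    remoteAddressSpace: {
      addressPrefixes: [
        '10.1.0.0/16'
      ]
    }
    remoteVirtualNetworkAddressSpace: {
      addressPrefixes: [
        '10.1.0.0/16'
      ]
    }
  }
}

// Spoke -> hub peering. useRemoteGateways is rejected while the hub has no gateway,
// so this waits for the VPN gateway (and, through it, the hub VNet).
resource virtualNetworkSpokePeeringToHub 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2022-07-01' = {
  parent: virtualNetworkSpokeResource
  name: 'peering-to-hub'
  properties: {
    peeringState: 'Connected'
    peeringSyncLevel: 'FullyInSync'
    remoteVirtualNetwork: {
      id: virtualNetworkHubResource.id
    }
    allowVirtualNetworkAccess: true
    allowForwardedTraffic: true
    allowGatewayTransit: false
    useRemoteGateways: true
    doNotVerifyRemoteGateways: false
    remoteAddressSpace: {
      addressPrefixes: [
        '10.2.0.0/16'
      ]
    }
    remoteVirtualNetworkAddressSpace: {
      addressPrefixes: [
        '10.2.0.0/16'
      ]
    }
  }
  dependsOn: [
    virtualNetworkGatewayResource
  ]
}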