updated

Author: Prekshith-Microsoft

infra/main.bicep

@@ -670,64 +670,7 @@ module virtualNetwork 'modules/virtualNetwork.bicep' = if (enablePrivateNetworki
       }
     ]
 */
-// Jumpbox Virtual Machine
-var jumpboxVmName = take('vm-jumpbox-${solutionSuffix}', 15)
-module jumpboxVM 'br/public:avm/res/compute/virtual-machine:0.15.0' = if (enablePrivateNetworking) {
-  name: take('avm.res.compute.virtual-machine.${jumpboxVmName}', 64)
-  params: {
-    name: take(jumpboxVmName, 15) // Shorten VM name to 15 characters to avoid Azure limits
-    vmSize: 'Standard_DS2_v2'
-    location: location
-    adminUsername: virtualMachineAdminUsername
-    adminPassword: virtualMachineAdminPassword
-    tags: tags
-    zone: 0
-    imageReference: {
-      offer: 'WindowsServer'
-      publisher: 'MicrosoftWindowsServer'
-      sku: '2019-datacenter'
-      version: 'latest'
-    }
-    osType: 'Windows'
-    osDisk: {
-      name: 'osdisk-${jumpboxVmName}'
-      managedDisk: {
-        storageAccountType: 'Standard_LRS'
-      }
-    }
-    encryptionAtHost: false // Some Azure subscriptions do not support encryption at host
-    nicConfigurations: [
-      {
-        name: 'nic-${jumpboxVmName}'
-        ipConfigurations: [
-          {
-            name: 'ipconfig1'
-            subnetResourceId: virtualNetwork!.outputs.jumpboxSubnetResourceId
-          }
-        ]
-        diagnosticSettings: [
-          {
-            name: 'jumpboxDiagnostics'
-            workspaceResourceId: logAnalyticsWorkspaceResourceId
-            logCategoriesAndGroups: [
-              {
-                categoryGroup: 'allLogs'
-                enabled: true
-              }
-            ]
-            metricCategories: [
-              {
-                category: 'AllMetrics'
-                enabled: true
-              }
-            ]
-          }
-        ]
-      }
-    ]
-    enableTelemetry: enableTelemetry
-  }
-}
+
 var bastionResourceName = 'bas-${solutionSuffix}'
 // ========== Bastion host ========== //
 // WAF best practices for virtual networks: https://learn.microsoft.com/en-us/azure/well-architected/service-guides/virtual-network

infra/modules/virtualNetwork.bicep

@@ -13,89 +13,7 @@ param addressPrefixes array
 @description('An array of subnets to be created within the virtual network. Each subnet can have its own configuration and associated Network Security Group (NSG).')
 param subnets subnetType[] = [
 
-  {
-    name: 'AzureBastionSubnet' // Required name for Azure Bastion
-    addressPrefixes: ['10.0.0.64/26']
-    networkSecurityGroup: {
-      name: 'nsg-bastion'
-      securityRules: [
-        {
-          name: 'AllowGatewayManager'
-          properties: {
-            access: 'Allow'
-            direction: 'Inbound'
-            priority: 2702
-            protocol: '*'
-            sourcePortRange: '*'
-            destinationPortRange: '443'
-            sourceAddressPrefix: 'GatewayManager'
-            destinationAddressPrefix: '*'
-          }
-        }
-        {
-          name: 'AllowHttpsInBound'
-          properties: {
-            access: 'Allow'
-            direction: 'Inbound'
-            priority: 2703
-            protocol: '*'
-            sourcePortRange: '*'
-            destinationPortRange: '443'
-            sourceAddressPrefix: 'Internet'
-            destinationAddressPrefix: '*'
-          }
-        }
-        {
-          name: 'AllowSshRdpOutbound'
-          properties: {
-            access: 'Allow'
-            direction: 'Outbound'
-            priority: 100
-            protocol: '*'
-            sourcePortRange: '*'
-            destinationPortRanges: ['22', '3389']
-            sourceAddressPrefix: '*'
-            destinationAddressPrefix: 'VirtualNetwork'
-          }
-        }
-        {
-          name: 'AllowAzureCloudOutbound'
-          properties: {
-            access: 'Allow'
-            direction: 'Outbound'
-            priority: 110
-            protocol: 'Tcp'
-            sourcePortRange: '*'
-            destinationPortRange: '443'
-            sourceAddressPrefix: '*'
-            destinationAddressPrefix: 'AzureCloud'
-          }
-        }
-      ]
-    }
-  }
-  {
-    name: 'jumpbox'
-    addressPrefixes: ['10.0.12.0/23'] // /23 (10.0.12.0 - 10.0.13.255), 512 addresses
-    networkSecurityGroup: {
-      name: 'nsg-jumpbox'
-      securityRules: [
-        {
-          name: 'AllowRdpFromBastion'
-          properties: {
-            access: 'Allow'
-            direction: 'Inbound'
-            priority: 100
-            protocol: 'Tcp'
-            sourcePortRange: '*'
-            destinationPortRange: '3389'
-            sourceAddressPrefixes: ['10.0.10.0/26'] // Azure Bastion subnet
-            destinationAddressPrefixes: ['10.0.12.0/23']
-          }
-        }
-      ]
-    }
-  }
+
   {
    name:'backend'
    addressPrefixes: ['10.0.0.0/27']
@@ -121,11 +39,14 @@ param subnets subnetType[] = [
      ]
    }
   }
-  {
-    name: 'administration'
-    addressPrefixes: ['10.0.0.32/27']
+    {
+    name: 'containers'
+    addressPrefixes: ['10.0.2.0/23']
+    delegation: 'Microsoft.App/environments'
+    privateEndpointNetworkPolicies: 'Enabled'
+    privateLinkServiceNetworkPolicies: 'Enabled'
     networkSecurityGroup: {
-      name: 'nsg-administration'
+      name: 'nsg-containers'
       securityRules: [
               {
         name: 'deny-hop-outbound'
@@ -147,12 +68,15 @@ param subnets subnetType[] = [
     }
   }
   {
-    name: 'containers'
-    addressPrefixes: ['10.0.2.0/23']
+    name: 'webserverfarm'
+    addressPrefixes: ['10.0.4.0/27']
+    delegation: 'Microsoft.Web/serverfarms'
+    privateEndpointNetworkPolicies: 'Enabled'
+    privateLinkServiceNetworkPolicies: 'Enabled'
     networkSecurityGroup: {
-      name: 'nsg-containers'
+      name: 'nsg-webserverfarm'
       securityRules: [
-              {
+             {
         name: 'deny-hop-outbound'
         properties: {
           access: 'Deny'
@@ -172,12 +96,12 @@ param subnets subnetType[] = [
     }
   }
   {
-    name: 'webserverfarm'
-    addressPrefixes: ['10.0.4.0/27']
+    name: 'administration'
+    addressPrefixes: ['10.0.0.32/27']
     networkSecurityGroup: {
-      name: 'nsg-webserverfarm'
+      name: 'nsg-administration'
       securityRules: [
-             {
+              {
         name: 'deny-hop-outbound'
         properties: {
           access: 'Deny'
@@ -197,14 +121,87 @@ param subnets subnetType[] = [
     }
   }
   {
-        name: 'deployment-scripts'
-        addressPrefixes: ['10.0.4.0/24']
-        networkSecurityGroup: {
-          name: 'nsg-deployment-scripts'
-          securityRules: []
+    name: 'AzureBastionSubnet' // Required name for Azure Bastion
+    addressPrefixes: ['10.0.0.64/26']
+    networkSecurityGroup: {
+      name: 'nsg-bastion'
+      securityRules: [
+        {
+          name: 'AllowGatewayManager'
+          properties: {
+            access: 'Allow'
+            direction: 'Inbound'
+            priority: 2702
+            protocol: '*'
+            sourcePortRange: '*'
+            destinationPortRange: '443'
+            sourceAddressPrefix: 'GatewayManager'
+            destinationAddressPrefix: '*'
+          }
+        }
+        {
+          name: 'AllowHttpsInBound'
+          properties: {
+            access: 'Allow'
+            direction: 'Inbound'
+            priority: 2703
+            protocol: '*'
+            sourcePortRange: '*'
+            destinationPortRange: '443'
+            sourceAddressPrefix: 'Internet'
+            destinationAddressPrefix: '*'
+          }
         }
-        delegation: 'Microsoft.ContainerInstance/containerGroups'
-        serviceEndpoints: ['Microsoft.Storage']
+        {
+          name: 'AllowSshRdpOutbound'
+          properties: {
+            access: 'Allow'
+            direction: 'Outbound'
+            priority: 100
+            protocol: '*'
+            sourcePortRange: '*'
+            destinationPortRanges: ['22', '3389']
+            sourceAddressPrefix: '*'
+            destinationAddressPrefix: 'VirtualNetwork'
+          }
+        }
+        {
+          name: 'AllowAzureCloudOutbound'
+          properties: {
+            access: 'Allow'
+            direction: 'Outbound'
+            priority: 110
+            protocol: 'Tcp'
+            sourcePortRange: '*'
+            destinationPortRange: '443'
+            sourceAddressPrefix: '*'
+            destinationAddressPrefix: 'AzureCloud'
+          }
+        }
+      ]
+    }
+  }
+  {
+    name: 'jumpbox'
+    addressPrefixes: ['10.0.12.0/23'] // /23 (10.0.12.0 - 10.0.13.255), 512 addresses
+    networkSecurityGroup: {
+      name: 'nsg-jumpbox'
+      securityRules: [
+        {
+          name: 'AllowRdpFromBastion'
+          properties: {
+            access: 'Allow'
+            direction: 'Inbound'
+            priority: 100
+            protocol: 'Tcp'
+            sourcePortRange: '*'
+            destinationPortRange: '3389'
+            sourceAddressPrefixes: ['10.0.10.0/26'] // Azure Bastion subnet
+            destinationAddressPrefixes: ['10.0.12.0/23']
+          }
+        }
+      ]
+    }
   }
 ]
 
@@ -332,13 +329,12 @@ output subnets subnetOutputType[] = [
 ]
 
 // Dynamic outputs for individual subnets for backward compatibility
-output bastionSubnetResourceId string = contains(map(subnets, subnet => subnet.name), 'AzureBastionSubnet') ? virtualNetwork.outputs.subnetResourceIds[indexOf(map(subnets, subnet => subnet.name), 'AzureBastionSubnet')] : ''
-output jumpboxSubnetResourceId string = contains(map(subnets, subnet => subnet.name), 'jumpbox') ? virtualNetwork.outputs.subnetResourceIds[indexOf(map(subnets, subnet => subnet.name), 'jumpbox')] : ''
-output deploymentScriptsSubnetResourceId string = contains(map(subnets, subnet => subnet.name), 'deployment-scripts') ? virtualNetwork.outputs.subnetResourceIds[indexOf(map(subnets, subnet => subnet.name), 'deployment-scripts')] : ''
 output backendSubnetResourceId string = contains(map(subnets, subnet => subnet.name), 'backend') ? virtualNetwork.outputs.subnetResourceIds[indexOf(map(subnets, subnet => subnet.name), 'backend')] : ''
-output containerSubnetResourceId string = contains(map(subnets, subnet => subnet.name), 'container') ? virtualNetwork.outputs.subnetResourceIds[indexOf(map(subnets, subnet => subnet.name), 'container')] : ''
+output containerSubnetResourceId string = contains(map(subnets, subnet => subnet.name), 'containers') ? virtualNetwork.outputs.subnetResourceIds[indexOf(map(subnets, subnet => subnet.name), 'containers')] : ''
 output administrationSubnetResourceId string = contains(map(subnets, subnet => subnet.name), 'administration') ? virtualNetwork.outputs.subnetResourceIds[indexOf(map(subnets, subnet => subnet.name), 'administration')] : ''
 output webserverfarmSubnetResourceId string = contains(map(subnets, subnet => subnet.name), 'webserverfarm') ? virtualNetwork.outputs.subnetResourceIds[indexOf(map(subnets, subnet => subnet.name), 'webserverfarm')] : ''
+output bastionSubnetResourceId string = contains(map(subnets, subnet => subnet.name), 'AzureBastionSubnet') ? virtualNetwork.outputs.subnetResourceIds[indexOf(map(subnets, subnet => subnet.name), 'AzureBastionSubnet')] : ''
+output jumpboxSubnetResourceId string = contains(map(subnets, subnet => subnet.name), 'jumpbox') ? virtualNetwork.outputs.subnetResourceIds[indexOf(map(subnets, subnet => subnet.name), 'jumpbox')] : ''
 
 @export()
 @description('Custom type definition for subnet resource information as output')