Azure / ALZ-Bicep

This repository contains the Azure Landing Zones (ALZ) Bicep modules that help deliver and deploy the Azure Landing Zone conceptual architecture in a modular approach. https://aka.ms/alz/docs
MIT License

Feature request - Support third party NVA appliances in the Virtual WAN hub #676

Closed MilesCameron-DMs closed 6 months ago

MilesCameron-DMs commented 11 months ago

Describe the feature end to end, including deployment scenario details under which the feature would occur.

The current code supports Azure Firewall in the Virtual WAN hub but not other supported third parties.

I have changed our code to support another vendor; however, I have found a property in the Microsoft.Network/virtualHubs API that is not configurable (or even listed!) at the moment - namely networkVirtualAppliances.

Why is this feature important. Describe why this would be important for your organization and others. Would this impact similar orgs in the same way?

Any companies looking to use a third party NVA in the virtual WAN hub at this point will not be able to run the code as, from what I can see, it will remove the appliance.

I am looking for a way to test this at the moment without breaking our environment.

Please provide the correlation id associated with your error or bug.

xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

Can you describe any alternatives that you have taken since this feature does not exist?

I am looking at a workaround, possibly where the code ignores certain properties - I can see there is a bool for ignoring it, but this means we can't change the tags or any properties, so it is not clean.

Feature Implementation

No response

oZakari commented 11 months ago

Hey @MilesCameron-DMs! This sounds like something that the VWAN product group may have to incorporate as it's specific to the resource provider.

Could you possibly share what 3rd party NVA you are utilizing? Also, were you able to configure this manually and if so, could you possibly export to ARM?

MilesCameron-DMs commented 11 months ago

Agreed - it should be one for the vWAN product group - I thought it wise to post in here, as a way to track it, for anyone following ALZ that did want to use a third party appliance.

The NVA is Checkpoint but I see Fortinet is also supported:

https://learn.microsoft.com/en-us/azure/virtual-wan/virtual-wan-locations-partners#partners-with-integrated-virtual-hub-offerings

It seems that when the third party appliance is installed, it populates this property, but if you then run the vWAN code for ALZ, specifically the VWAN hub resource type, it removes this property. It would be worth testing, as I didn't want to chance deploying; I have just done a what-if.

I can export the ARM if you like; it needs to use a later version of the API to support this property - let me know how I can share it with you if you need it.

Even if we don't solve this via the code for now, it would be good to provide guidance for others looking to deploy an NVA in the vWAN hub.

Happy to help if you need anything further from me 👍

oZakari commented 11 months ago

Thanks for the clarification @MilesCameron-DMs, I have created a spike for next sprint to investigate this and determine if there is anything we can do to help with incorporating into the VWAN module. Otherwise, we can at least update the documentation to give people a heads up. Will link to PR when we get it sorted out.

MilesCameron-DMs commented 11 months ago

That's great, thanks @oZakari

More than happy to help further if you need me 👍

oZakari commented 8 months ago

Linking ADO work item AB#31398 which is just waiting to be picked up by someone.

azure-boards[bot] commented 8 months ago

✅ Successfully linked to Azure Boards work item(s):

oZakari commented 6 months ago

Hi @MilesCameron-DMs, @marcosgm went through and validated in his test environment that you can manually install a 3rd party NVA after deploying the ALZ-Bicep VWAN module as you noted. He did confirm that re-running the module after the installation of the 3rd party NVA does not break the integration.

He also investigated and determined that there doesn't appear to be any Bicep/ARM for the NVAs within VWAN Hub. Instead, it appears the NVA type points to the VWAN Hub resource ID. As such, we won't be able to incorporate the 3rd party NVAs, as it involves calling for Marketplace solutions and configuring the purchase options for each NVA.