Deploying Azure Virtual Network Infrastructure Using Infrastructure as Code (IaC)
For a lead enterprise architect, designing and automating cloud infrastructure effectively is crucial to efficient deployment, scalability, and secure management. Azure Virtual Network (VNet) is the core component that provides network isolation and controlled communication for resources within the Azure environment. This guide covers the essentials of Azure VNets, Subnets, Route Tables, and Network Security Groups (NSGs) and walks through deploying these resources using Infrastructure as Code (IaC) with Azure Bicep and PowerShell.
Key Components of Azure Network Infrastructure
- Azure Virtual Network (VNet):
  - Purpose: Provides an isolated network space within the Azure cloud.
  - Address Space: The VNet uses an IP address range (CIDR) defined by the user and hosts various Azure resources like Virtual Machines, App Services, etc.
  - Key Considerations:
    - Should be carefully planned to avoid IP conflicts.
    - Can be segmented using subnets.
- Subnets:
  - Purpose: Allow segmentation within a VNet by logically grouping resources based on function or access needs.
  - Configuration: Each subnet has its own address prefix, and resources in the same subnet can communicate freely.
  - Benefits:
    - Simplify network organization.
    - Enable fine-grained access control with Network Security Groups (NSGs).
- Route Tables:
  - Purpose: Define the routes for outgoing traffic from subnets within a VNet.
  - Usage: Essential for directing traffic to secure paths, like firewalls or virtual appliances.
  - Example Routes:
    - Sending all internet-bound traffic through a firewall.
    - Routing internal traffic through a secure network path.
- Network Security Groups (NSGs):
  - Purpose: Provide access control to and from subnets and VM network interfaces.
  - Functionality: Control inbound and outbound traffic based on rules (e.g., IP ranges, ports).
  - Use Cases:
    - Securing sensitive data resources.
    - Restricting access to specific services or IP ranges.
Automating Azure Network Deployment with IaC
To deploy this network infrastructure, we’ll use the following files:
- PowerShell Deployment Script (deploy-vnet.ps1): Orchestrates the deployment by using Bicep files and parameters.
- Bicep Template (main-vnet.bicep): Defines the Azure resources, including VNet, subnets, route table, and NSGs.
- Parameter File (parameter-vnet.json): Stores configurable parameters for location, VNet name, IP addresses, etc.
Deployment Files Overview
File 1: PowerShell Deployment Script (deploy-vnet.ps1)
This script simplifies the deployment process by loading the required files and executing the deployment.
```powershell
# Define Bicep file and parameters
$bicepFilePath      = 'main-vnet.bicep'
$parametersFilePath = 'parameter-vnet.json'
$deploymentName     = 'VNet-Deployment'

# Stop on the first error so a failed step is not silently skipped
$ErrorActionPreference = 'Stop'

# Login to Azure if not already logged in
if (!(Get-AzContext)) {
    Connect-AzAccount
}

# Select the subscription (Out-GridView returns $null if the dialog is cancelled)
$subscription = Get-AzSubscription | Out-GridView -Title "Select the Subscription" -OutputMode Single
if (-not $subscription) { throw 'No subscription selected.' }
Set-AzContext -SubscriptionId $subscription.Id

# Select the resource group
$resourceGroup = Get-AzResourceGroup | Select-Object -Property ResourceGroupName | Out-GridView -Title "Select the Resource Group" -OutputMode Single
if (-not $resourceGroup) { throw 'No resource group selected.' }
$resourceGroupName = $resourceGroup.ResourceGroupName

# Deploy the VNet with subnets, route table, and NSG
New-AzResourceGroupDeployment -ResourceGroupName $resourceGroupName `
    -TemplateFile $bicepFilePath `
    -TemplateParameterFile $parametersFilePath `
    -Name $deploymentName `
    -Verbose
```
File 2: Bicep Template (main-vnet.bicep)
This template defines all the necessary components: VNet, subnets, route table, and optionally, NSGs.
```bicep
// Parameters
param location string
param vnetName string
param vnetAddressPrefix string
param subnetNames array
param subnetPrefixes array
param deployNSGs bool
param tags object

// Define Route Table
// Both routes point at a firewall/NVA assumed to sit at 10.100.1.4. The table is
// associated with every subnet below, so the NVA's own subnet receives these
// routes as well; in practice, exclude that subnet to avoid a forwarding loop.
resource routeTable 'Microsoft.Network/routeTables@2023-04-01' = {
  name: '${vnetName}-RouteTable'
  location: location
  tags: tags
  properties: {
    routes: [
      {
        // All Internet-bound traffic goes through the NVA
        name: 'Internet'
        properties: {
          addressPrefix: '0.0.0.0/0'
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: '10.100.1.4'
        }
      }
      {
        // Intra-VNet traffic is also sent through the NVA (overrides the system VNet route)
        name: 'InternalTraffic'
        properties: {
          addressPrefix: '10.100.0.0/16'
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: '10.100.1.4'
        }
      }
    ]
  }
}

// Define NSGs if required (one per subnet). No custom rules are defined here, so
// only the platform default rules apply (inbound from the VNet and the Azure load
// balancer allowed, other inbound denied, all outbound allowed).
resource nsgs 'Microsoft.Network/networkSecurityGroups@2023-04-01' = [for i in range(0, length(subnetNames)): if (deployNSGs) {
  name: '${vnetName}-${subnetNames[i]}-NSG'
  location: location
  tags: tags
  properties: {}
}]

// Define VNet with Subnets
resource vnet 'Microsoft.Network/virtualNetworks@2023-04-01' = {
  name: vnetName
  location: location
  tags: tags
  properties: {
    addressSpace: {
      addressPrefixes: [
        vnetAddressPrefix
      ]
    }
    subnets: [for i in range(0, length(subnetNames)): {
      name: subnetNames[i]
      properties: {
        addressPrefix: subnetPrefixes[i]
        routeTable: {
          id: routeTable.id
        }
        // Reference the NSG resource directly instead of rebuilding its id with
        // resourceId(), so Bicep records the dependency and the NSG exists before
        // the subnet that attaches it is created.
        networkSecurityGroup: deployNSGs ? {
          id: nsgs[i].id
        } : null
      }
    }]
  }
}
```
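The template creates each NSG with `properties: {}`, so only the platform default rules apply and every subnet in the VNet can reach every other, including `DatabaseSubnet`. The following added example (not part of the original page) shows how the database-tier NSG from the loop above could instead carry explicit rules for the three-tier layout in parameter-vnet.json; it assumes the 10.100.2.0/24 and 10.100.3.0/24 prefixes from that file and a SQL listener on TCP 1433.

```bicep
// Added example: explicit rules for the DatabaseSubnet NSG. Assumes the subnet
// prefixes from parameter-vnet.json and a database listening on TCP 1433.
param location string
param vnetName string
param appSubnetPrefix string = '10.100.2.0/24'
param dbSubnetPrefix string = '10.100.3.0/24'

resource dbNsg 'Microsoft.Network/networkSecurityGroups@2023-04-01' = {
  // Same naming convention as the page's NSG loop for subnetNames[2]
  name: '${vnetName}-DatabaseSubnet-NSG'
  location: location
  properties: {
    securityRules: [
      {
        // Only the application tier may open SQL connections to the database tier
        name: 'Allow-App-To-Sql'
        properties: {
          priority: 100
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: appSubnetPrefix
          sourcePortRange: '*'
          destinationAddressPrefix: dbSubnetPrefix
          destinationPortRange: '1433'
        }
      }
      {
        // Overrides the default AllowVnetInBound rule (priority 65000) so the web
        // tier and any other VNet address cannot reach the database subnet
        name: 'Deny-All-VNet-Inbound'
        properties: {
          priority: 4000
          direction: 'Inbound'
          access: 'Deny'
          protocol: '*'
          sourceAddressPrefix: 'VirtualNetwork'
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '*'
        }
      }
    ]
  }
}
```

Rules are evaluated in ascending priority order, so the allow rule at 100 is matched before the deny at 4000, and both take precedence over the platform defaults at 65000 and above.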
File 3: Parameter File (parameter-vnet.json)
This file provides configurable values for VNet properties, making it easier to customize and reuse the deployment for different environments.
```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "location": {
      "value": "eastus"
    },
    "vnetName": {
      "value": "myVnet"
    },
    "vnetAddressPrefix": {
      "value": "10.100.0.0/16"
    },
    "subnetNames": {
      "value": [
        "WebSubnet",
        "AppSubnet",
        "DatabaseSubnet"
      ]
    },
    "subnetPrefixes": {
      "value": [
        "10.100.1.0/24",
        "10.100.2.0/24",
        "10.100.3.0/24"
      ]
    },
    "deployNSGs": {
      "value": true
    },
    "tags": {
      "value": {
        "Project": "MyProject",
        "Environment": "Staging",
        "Department": "IT"
      }
    }
  }
}
```
Steps to Deploy
- Prepare the Parameter File:
  Customize parameter-vnet.json with your preferred vnetName, location, and subnet information.
- Execute PowerShell Script:
  Run deploy-vnet.ps1 from PowerShell. This will:
  - Prompt for Azure login (if not already logged in).
  - Allow selection of the desired subscription and resource group.
  - Deploy the VNet, subnets, route table, and NSGs as defined in the Bicep file.
- Verification:
  After deployment, verify the resources in the Azure Portal:
  - VNet with the specified subnets.
  - Route Table with routes associated with each subnet.
  - NSGs (if deployed) linked to the respective subnets.
Conclusion
Using IaC for network deployment provides consistency and repeatability while minimizing the risk of human error. This setup is highly customizable and can be extended with additional components as needed, such as Azure Firewall or ExpressRoute for hybrid networking. The modular nature of Bicep and JSON parameters ensures easy maintenance and scalability across environments.