Update/azure hub spoke connected group

solutions/azure-hub-spoke-connected-group/README.md

@@ -27,8 +27,7 @@ Where applicable, each resource is configured to send diagnostics to an Azure Lo
 
 For detailed information, see the Azure Hub and Spoke reference architecture in the Azure Architecture Center:
 
-> [!div class="nextstepaction"]
-> [Hub-spoke network topology in Azure](https://learn.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/hub-spoke)
+> [!div class="nextstepaction"] > [Hub-spoke network topology in Azure](https://learn.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/hub-spoke)
 
 ## Deploying Azure Virtual Network Manager with Infrastructure-as-Code
 
@@ -53,71 +52,83 @@ Because the PowerShell script runs within the Deployment Script resource, troubl
 
 Create a resource group for the deployment.
 
-```azurecli-interactive
-az group create --name hub-spoke --location eastus
+```bash
+LOCATION=eastus
+RESOURCEGROUP_NAME=rg-hub-spoke-${LOCATION}
+
+az group create --name ${RESOURCEGROUP_NAME} --location ${LOCATION}
+
+curl -o main.bicep https://raw.githubusercontent.com/mspnp/samples/main/solutions/azure-hub-spoke-connected-group/bicep/main.bicep
+mkdir modules
+cd modules
+curl -o avnm.bicep https://raw.githubusercontent.com/mspnp/samples/main/solutions/azure-hub-spoke-connected-group/bicep/modules/avnm.bicep
+curl -o avnmDeploymentScript.bicep https://raw.githubusercontent.com/mspnp/samples/main/solutions/azure-hub-spoke-connected-group/bicep/modules/avnmDeploymentScript.bicep
+curl -o hub.bicep https://raw.githubusercontent.com/mspnp/samples/main/solutions/azure-hub-spoke-connected-group/bicep/modules/hub.bicep
+curl -o spoke.bicep https://raw.githubusercontent.com/mspnp/samples/main/solutions/azure-hub-spoke-connected-group/bicep/modules/spoke.bicep
+cd ..
 ```
 
-> The location for the deployed resources defaults to the location used for the target resource group. This deployment uses availability zones for all resources that support it, as hub networks are usually business critical. This means  if the resource group's location does not support availability zones, you must provide an additional parameter to your chosen command below of `location=value` with a value supports availability zones. See [Azure regions with availability zones](https://learn.microsoft.com/azure/availability-zones/az-overview#azure-regions-with-availability-zones).
+> The location for the deployed resources defaults to the location used for the target resource group. This deployment uses availability zones for all resources that support it, as hub networks are usually business critical. This means if the resource group's location does not support availability zones, you must provide an additional parameter to your chosen command below of `location=value` with a value supports availability zones. See [Azure regions with availability zones](https://learn.microsoft.com/azure/availability-zones/az-overview#azure-regions-with-availability-zones).
 
 **Basic deployment**
 
 Run the following command to initiate the deployment. If you would like to also deploy this sample with virtual machines and / or an Azure VPN gateway, see the `az deployment group create` examples found later in this document.
 
-```azurecli-interactive
+```bash
 az deployment group create \
-    --resource-group hub-spoke \
-    --template-uri https://raw.githubusercontent.com/mspnp/samples/main/solutions/azure-hub-spoke-connected-group/azuredeploy.json
+    --resource-group ${RESOURCEGROUP_NAME} \
+    --template-file main.bicep
 ```
 
 **Deploy with virtual machines**
 
 Run the following command to initiate the deployment with a Linux VM deployed to the first spoke network and a Windows VM deployed to the second spoke network.
 
-| :warning: | This deploys these VMs with basic configuration, they are not Internet facing, but security should always be top of mind.  Please update the `adminUsername` and `adminPassword` to a value of your choosing. |
-|-----------|:--------------------------|
+| :warning: | This deploys these VMs with basic configuration, they are not Internet facing, but security should always be top of mind. Please update the `adminUsername` and `adminPassword` to a value of your choosing. |
+| --------- | :----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
 
-```azurecli-interactive
+```bash
 az deployment group create \
-    --resource-group hub-spoke \
-    --template-uri https://raw.githubusercontent.com/mspnp/samples/main/solutions/azure-hub-spoke-connected-group/azuredeploy.json \
+    --resource-group ${RESOURCEGROUP_NAME} \
+    --template-file main.bicep \
     --parameters deployVirtualMachines=true adminUsername=azureadmin adminPassword=Password2023!
 ```
 
 **Deploy with VPN gateway**
 
 Run the following command to initiate the deployment with a virtual network gateway deployed into the hub virtual network. Note, VPN gateways take a significant time to deploy.
 
-```azurecli-interactive
+```bash
 az deployment group create \
-    --resource-group hub-spoke \
-    --template-uri https://raw.githubusercontent.com/mspnp/samples/main/solutions/azure-hub-spoke-connected-group/azuredeploy.json \
+    --resource-group ${RESOURCEGROUP_NAME} \
+    --template-file main.bicep \
     --parameters deployVpnGateway=true
 ```
 
 **Deploy with virtual machines and a VPN gateway**
 
 Run the following command to initiate the deployment with a Linux VM deployed to the first spoke network and a Windows VM deployed to the second spoke network.
 
-| :warning: | This deploys these VMs with basic configuration, they are not Internet facing, but security should always be top of mind.  Please update the `adminUsername` and `adminPassword` to a value of your choosing. |
-|-----------|:--------------------------|
+| :warning: | This deploys these VMs with basic configuration, they are not Internet facing, but security should always be top of mind. Please update the `adminUsername` and `adminPassword` to a value of your choosing. |
+| --------- | :----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
 
-```azurecli-interactive
+```bash
 az deployment group create \
-    --resource-group hub-spoke \
-    --template-uri https://raw.githubusercontent.com/mspnp/samples/main/solutions/azure-hub-spoke-connected-group/azuredeploy.json \
+    --resource-group ${RESOURCEGROUP_NAME} \
+    --template-file main.bicep \
     --parameters deployVirtualMachines=true adminUsername=azureadmin adminPassword=Password2023! deployVpnGateway=true
 ```
 
 ## Solution deployment parameters
 
-| Parameter | Type | Description | Default |
-|---|---|---|--|
-| `location` | string | Deployment location. Location must support availability zones. | `resourceGroup().location` | 
-| `deployVirtualMachines` | bool | If true, deploys one basic Linux virtual machine to spoke one and one basic Windows virtual machine to spoke two. | `false` |
-| `adminUserName` | string | If deploying virtual machines, the admin user name for both VMs. | `azureadmin` |
-| `adminPassword` | securestring | If deploying virtual machines, the admin password for both VMs. | `null` |
-| `deployVpnGateway` | bool | If true, a virtual network gateway is deployed into the hub network (+30 min deployment). | `false` |
-| `deployDefaultDenySecurityAdminRules`| bool | If false, the Azure Virtual Network Manager security rule collection is left empty | `true` |
+| Parameter                             | Type         | Description                                                                                                       | Default                    |
+| ------------------------------------- | ------------ | ----------------------------------------------------------------------------------------------------------------- | -------------------------- |
+| `location`                            | string       | Deployment location. Location must support availability zones.                                                    | `resourceGroup().location` |
+| `deployVirtualMachines`               | bool         | If true, deploys one basic Linux virtual machine to spoke one and one basic Windows virtual machine to spoke two. | `false`                    |
+| `adminUserName`                       | string       | If deploying virtual machines, the admin user name for both VMs.                                                  | `azureadmin`               |
+| `adminPassword`                       | securestring | If deploying virtual machines, the admin password for both VMs.                                                   | `null`                     |
+| `deployVpnGateway`                    | bool         | If true, a virtual network gateway is deployed into the hub network (+30 min deployment).                         | `false`                    |
+| `deployDefaultDenySecurityAdminRules` | bool         | If false, the Azure Virtual Network Manager security rule collection is left empty                                | `true`                     |
 
 ## Diagnostic configurations
 
@@ -131,9 +142,11 @@ The following resources are configured to send diagnostic logs to the included L
 
 Note, this deployment includes optional basic virtual machines. These are not configured with a Log Analytics workspace, however, can be with the Log Analytics virtual machine extension for [Windows](https://learn.microsoft.com/azure/virtual-machines/extensions/oms-windows) and [Linux](https://learn.microsoft.com/azure/virtual-machines/extensions/oms-linux).
 
-## Bicep implementation
+## Step 5: Clean Up
 
-The links above use JSON Azure Resource Manager (ARM) templates to support network referencing. The ARM templates were generated from the following [source bicep file](https://github.com/mspnp/samples/blob/main/solutions/azure-hub-spoke/bicep/main.bicep), which has additional comments and considerations.
+```bash
+az group delete --name ${RESOURCEGROUP_NAME} --yes
+```
 
 ## Microsoft Open Source Code of Conduct
 

solutions/azure-hub-spoke-connected-group/bicep/main.bicep

@@ -204,6 +204,12 @@ resource nsgPrivateLinkEndpointsSubnet 'Microsoft.Network/networkSecurityGroups@
   }
 }
 
+// Azure DDoS Protection Standard should be enabled
+resource ddosProtectionPlan 'Microsoft.Network/ddosProtectionPlans@2021-05-01' = {
+  name: 'vnet-${location}-ddos'
+  location: location
+}
+
 /*** RESOURCES (SPOKE ONE) ***/
 module spokenonprod1 'modules/spoke.bicep' = {
   name: 'spokenonprod1'

solutions/azure-hub-spoke-connected-group/bicep/modules/hub.bicep

@@ -3,6 +3,11 @@ param deployAzureBastion bool
 param deployVpnGateway bool
 param deployVirtualMachines bool
 
+// Azure DDoS Protection Standard should be enabled
+resource ddosProtectionPlan 'Microsoft.Network/ddosProtectionPlans@2021-05-01'  existing = {
+  name: 'vnet-${location}-ddos'
+}
+
 @description('This Log Analyics Workspace stores logs from the regional hub network, its spokes, and other related resources. Workspaces are regional resource, as such there would be one workspace per hub (region)')
 resource laHub 'Microsoft.OperationalInsights/workspaces@2022-10-01' = {
   name: 'la-hub-${location}'
@@ -262,6 +267,10 @@ resource vnetHub 'Microsoft.Network/virtualNetworks@2023-04-01' = {
         }
       }
     ]
+    enableDdosProtection: true
+    ddosProtectionPlan: {
+      id: ddosProtectionPlan.id
+    }
   }
 
   resource azureBastionSubnet 'subnets' existing = {

solutions/azure-hub-spoke-connected-group/bicep/modules/spoke.bicep

@@ -10,6 +10,11 @@ param nsgPrivateLinkEndpointsSubnetId string
 @secure()
 param adminPassword string
 
+// Azure DDoS Protection Standard should be enabled
+resource ddosProtectionPlan 'Microsoft.Network/ddosProtectionPlans@2021-05-01'  existing = {
+  name: 'vnet-${location}-ddos'
+}
+
 resource hubNet 'Microsoft.Network/virtualNetworks@2023-04-01' existing = {
   name: 'vnet-${location}-hub'
 
@@ -57,6 +62,10 @@ resource vnet 'Microsoft.Network/virtualNetworks@2023-04-01' = {
         }
       }
     ]
+    enableDdosProtection: true
+    ddosProtectionPlan: {
+      id: ddosProtectionPlan.id
+    }
   }
 
   resource snetResources 'subnets' existing = {