feat (iac): [secure-hybrid-network] replace individual VMs with VMSS#262
Open
ferantivero wants to merge 7 commits into
Open
feat (iac): [secure-hybrid-network] replace individual VMs with VMSS#262ferantivero wants to merge 7 commits into
ferantivero wants to merge 7 commits into
Conversation
Remove the VM loop, NIC loop, IIS extension loop, and guest config extension loop resources. These are being replaced by a VMSS in the next commit. - Remove nicNameWeb NIC resource loop - Remove vmNameWeb VM resource loop - Remove vmNameWeb_installIIS extension loop - Remove guestConfigExtensionWindows extension loop - Remove unused variables: nicNameWebName, vmNameWebName Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Add a single virtualMachineScaleSets resource that replaces the previous VM and NIC loops with equivalent functionality: - Uniform orchestration with Manual upgrade policy - SystemAssigned identity for Guest Configuration - computerNamePrefix 'websvr' (Windows 9-char limit) - NIC config wired to spoke subnet and LB backend pool - IIS CustomScriptExtension in extension profile - Guest Configuration extension in extension profile Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
ferantivero
force-pushed
the
feature/421252_sol-sec-net-hybrid-use-vmss
branch
from
bef4389 to
962aa1d
Compare
Better reflects VMSS semantics after the VM-to-VMSS migration. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
The hub and spoke VNets require peering for traffic to flow between the VPN gateway and the spoke workloads. The JSON template already had peering but the Bicep source (used for deployment) did not: - Add hub-to-spoke peering with allowGatewayTransit - Add spoke-to-hub peering with useRemoteGateways (when VPN enabled) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Add properties: {} to gateway reference objects in connections
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Azure deprecated non-AZ VPN gateway SKUs (VpnGw1-5). Upgrade to VpnGw2AZ and add required zones on associated public IPs. - VpnGw2 → VpnGw2AZ in both hub and mock on-prem gateways - Add zones: ['1', '2', '3'] to VPN gateway public IPs Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
ferantivero
changed the title
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Why
Individual VMs via copy loops lack autoscaling, health monitoring, and rolling upgrades. VMSS is the recommended compute model for load-balanced workloads. The hub-spoke topology was also missing VNet peering, and VPN gateway non-AZ SKUs are deprecated since Dec 2024.
What
Test