Introduction
Azure VPN Gateway is a service that enables you to establish secure, cross-premises connectivity between your on-premises network and your Azure virtual network. By leveraging Azure VPN Gateway, you can create a reliable and secure connection to your resources in Azure. In this blog post, we will explore how to configure a Site-to-Site VPN connection using Bicep and Azure DevOps, providing a streamlined and automated approach to managing your infrastructure.
Step-by-Step Implementation Guide
Step 1: Set Up Your Azure Environment
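- Create a Resource Group:

```bicep
// Resource groups are subscription-scoped: keep this in its own file and deploy it
// with `az deployment sub create`, separately from the main.bicep used in Step 5.
targetScope = 'subscription'

resource rg 'Microsoft.Resources/resourceGroups@2021-04-01' = {
  name: 'myResourceGroup'
  location: 'australiaeast'
}
```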
- Create a Virtual Network and Subnet:

```bicep
resource vnet 'Microsoft.Network/virtualNetworks@2021-02-01' = {
  name: 'myVNet'
  // main.bicep is deployed at resource-group scope, so take the location from the target group
  location: resourceGroup().location
  properties: {
    addressSpace: {
      addressPrefixes: ['10.1.0.0/16']
    }
    subnets: [
      {
        // Azure requires the subnet that hosts the gateway to be named exactly 'GatewaySubnet'
        name: 'GatewaySubnet'
        properties: {
          addressPrefix: '10.1.0.0/24'
        }
      }
    ]
  }
}
```
Step 2: Configure the VPN Gateway
- Create the Public IP Address:

```bicep
// Public endpoint of the Azure side of the tunnel
resource publicIP 'Microsoft.Network/publicIPAddresses@2021-02-01' = {
  name: 'myPublicIP'
  location: resourceGroup().location
  properties: {
    publicIPAllocationMethod: 'Dynamic'
  }
}
```
- Create the VPN Gateway:

```bicep
resource vpnGateway 'Microsoft.Network/virtualNetworkGateways@2021-02-01' = {
  name: 'myVpnGateway'
  location: resourceGroup().location
  properties: {
    ipConfigurations: [
      {
        name: 'vnetGatewayConfig'
        properties: {
          publicIPAddress: {
            id: publicIP.id
          }
          // First (and only) subnet declared on the VNet above: GatewaySubnet
          subnet: {
            id: vnet.properties.subnets[0].id
          }
        }
      }
    ]
    gatewayType: 'Vpn'
    vpnType: 'RouteBased'
    enableBgp: false
    sku: {
      name: 'VpnGw1'
    }
  }
}
```
Step 3: Configure the Local Network Gateway
- Create the Local Network Gateway:

```bicep
resource localNetworkGateway 'Microsoft.Network/localNetworkGateways@2021-02-01' = {
  name: 'myLocalNetworkGateway'
  location: resourceGroup().location
  properties: {
    // Public IP address of the on-premises VPN device
    gatewayIpAddress: 'YOUR_ON_PREMISES_PUBLIC_IP'
    // On-premises address ranges that Azure routes through the tunnel
    localNetworkAddressSpace: {
      addressPrefixes: ['10.2.0.0/16']
    }
  }
}
```
Step 4: Create the VPN Connection
- Create the Connection:

```bicep
resource vpnConnection 'Microsoft.Network/connections@2021-02-01' = {
  name: 'myVpnConnection'
  location: resourceGroup().location
  properties: {
    virtualNetworkGateway1: {
      id: vpnGateway.id
    }
    localNetworkGateway2: {
      id: localNetworkGateway.id
    }
    connectionType: 'IPsec'
    // Placeholder only: do not commit a real pre-shared key to the repository
    sharedKey: 'YOUR_SHARED_KEY'
  }
}
```
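The connection in Step 4 carries the IPsec pre-shared key as a string literal, which ends up in source control once the template is committed. The following is an added example, not code from the original post: the same connection with the key taken from a secure parameter and an explicit IKEv2/IPsec policy. The parameter name `sharedKey`, the 32-character minimum, the policy values, and the pipeline variable names in the trailing comment are assumptions for illustration.

```bicep
// Added example, not the original post's code. Replaces the Step 4 block in
// main.bicep; vpnGateway and localNetworkGateway are the resources from Steps 2-3.

@description('IPsec pre-shared key. Supplied at deploy time, never committed.')
@secure()
@minLength(32) // assumed minimum; choose a length your on-premises device supports
param sharedKey string

resource vpnConnection 'Microsoft.Network/connections@2021-02-01' = {
  name: 'myVpnConnection'
  location: resourceGroup().location
  properties: {
    virtualNetworkGateway1: {
      id: vpnGateway.id
    }
    localNetworkGateway2: {
      id: localNetworkGateway.id
    }
    connectionType: 'IPsec'
    connectionProtocol: 'IKEv2'
    // @secure() keeps the value out of deployment history and logs.
    sharedKey: sharedKey
    // Assumed policy values for illustration; they must match the proposal
    // configured on the on-premises VPN device or the tunnel will not come up.
    ipsecPolicies: [
      {
        ikeEncryption: 'AES256'
        ikeIntegrity: 'SHA256'
        dhGroup: 'DHGroup14'
        ipsecEncryption: 'AES256'
        ipsecIntegrity: 'SHA256'
        pfsGroup: 'PFS2048'
        saLifeTimeSeconds: 27000
        saDataSizeKilobytes: 102400000
      }
    ]
  }
}

// Pipeline side (assumption: a secret pipeline variable named vpnSharedKey,
// mapped into the AzureCLI@2 step with `env: { VPN_SHARED_KEY: $(vpnSharedKey) }`):
//   az deployment group create --resource-group myResourceGroup \
//     --template-file main.bicep --parameters sharedKey="$VPN_SHARED_KEY"
```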
Step 5: Automate Deployment with Azure DevOps
- Create a New Pipeline:
  - Navigate to your Azure DevOps project.
  - Click on “Pipelines” and then “Create Pipeline”.
  - Select your repository and choose “YAML” for the pipeline configuration.
- Define the Pipeline YAML:

```yaml
# Run on every push to main
trigger:
- main

pool:
  vmImage: 'ubuntu-latest'

steps:
- task: AzureCLI@2
  inputs:
    # Name of the Azure service connection configured in the project
    azureSubscription: 'YOUR_AZURE_SUBSCRIPTION'
    scriptType: 'bash'
    scriptLocation: 'inlineScript'
    inlineScript: |
      az deployment group create --resource-group myResourceGroup --template-file main.bicep
```
Conclusion
By following this guide, you can configure a Site-to-Site VPN connection using Bicep and Azure DevOps, ensuring a secure and automated deployment process. This approach not only simplifies the management of your infrastructure but also enhances the reliability and security of your connections.