feat (iac): [secure-hybrid-network] add e2e validation and DNAT rules#263

Draft
ferantivero wants to merge 2 commits into
feature/421252_sol-sec-net-hybrid-use-vmssfrom
feature/421252_add-validation-steps

Conversation

@ferantivero ferantivero commented May 13, 2026

Why

The README has deploy and cleanup steps but no way to verify the deployment works end-to-end. The DNAT rule must be deployed separately because the firewall's private IP is dynamically assigned and not known at initial creation time.

What

  • Add azure-network-azuredeploy-v2.bicep — deploys DNAT rule using runtime-queried FW/ILB private IPs
  • Add "Deploy DNAT" and "Validate deployment" sections to README
  • Fix CLI query casing: privateIpAddress → privateIPAddress
  • Fix LB resource name: InternalLoadBalancer → lb-internal
  • Fix az network lb show → az network lb frontend-ip list

Test

  • v2 deploys without wiping existing FW configuration
  • Private DNAT flow: on-prem VM → VPN → FW private IP → ILB → VMSS returns HTTP 200
  • CLI queries return correct IP values

@ferantivero ferantivero marked this pull request as draft May 13, 2026 17:28
@ferantivero ferantivero force-pushed the feature/421252_add-validation-steps branch from 6999314 to f1f0576 May 13, 2026 22:27
@ferantivero ferantivero changed the base branch from main to feature/421252_sol-sec-net-hybrid-use-vmss May 13, 2026 22:28
ferantivero and others added 2 commits May 15, 2026 16:53
Document how to verify the deployment end-to-end from the mock
on-premises VM through the VPN tunnel and firewall DNAT:

- Option 1: Bastion RDP + browser to firewall private IP
- Option 2: CLI using az vm run-command from on-prem VM

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Azure validates DNAT destinationAddresses against the firewall's
assigned IP during resource creation, but the IP isn't available yet
on fresh deploys. Extract DNAT into a separate deployment step (v2)
that runs after the base infrastructure is provisioned.

- Add azure-network-azuredeploy-v2.bicep/json using existing resources
- Remove inline DNAT and firewallPrivateIp variable from base template
- Update README with v2 deployment step and parameter table

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@ferantivero ferantivero force-pushed the feature/421252_add-validation-steps branch from f1f0576 to 40dd11d May 18, 2026 14:00
@ferantivero ferantivero changed the title feat (docs): [secure-hybrid-network] add validation steps to README feat (iac): [secure-hybrid-network] add e2e validation and DNAT rules May 18, 2026