From d3d97b3cade09206dc92da99f4b652c68bb17545 Mon Sep 17 00:00:00 2001 From: Fernando Antivero Date: Wed, 13 May 2026 13:20:28 -0300 Subject: [PATCH 1/6] fix typo fontendName to frontendName Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- solutions/secure-hybrid-network/README.md | 2 +- .../nestedtemplates/azure-network-azuredeploy.bicep | 6 +++--- .../nestedtemplates/azure-network-azuredeploy.json | 6 +++--- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/solutions/secure-hybrid-network/README.md b/solutions/secure-hybrid-network/README.md index 8cd2ec97..4c32be81 100644 --- a/solutions/secure-hybrid-network/README.md +++ b/solutions/secure-hybrid-network/README.md @@ -78,7 +78,7 @@ az deployment group create -n firewallDnat -g rg-site-to-site-azure-network-east | azureFirewall | object | Object representing the configuration of the Azure Firewall. | name, subnetName, subnetPrefix, publicIPAddressName | | spokeRoutes | object | Object representing user-defined routes for the spoke subnet. | tableName, routeNameFirewall | | gatewayRoutes | object | Object representing user-defined routes for the gateway network. | tableName, routeNameFirewall | -| internalLoadBalancer | object | Object representing the configuration of the application load balancer. | name, backendName, fontendName, probeName | +| internalLoadBalancer | object | Object representing the configuration of the application load balancer. | name, backendName, frontendName, probeName | | location | string | Location to be used for all resources. | rg location | **nestedtemplates/azure-network-local-gateway.bicep** diff --git a/solutions/secure-hybrid-network/nestedtemplates/azure-network-azuredeploy.bicep b/solutions/secure-hybrid-network/nestedtemplates/azure-network-azuredeploy.bicep index 5d08c7c8..cda67f83 100644 --- a/solutions/secure-hybrid-network/nestedtemplates/azure-network-azuredeploy.bicep 
+++ b/solutions/secure-hybrid-network/nestedtemplates/azure-network-azuredeploy.bicep @@ -48,7 +48,7 @@ param gatewayRoutes object = { param internalLoadBalancer object = { name: 'lb-internal' backendName: 'lb-backend' - fontendName: 'lb-frontend' + frontendName: 'lb-frontend' probeName: 'lb-probe' } param location string = resourceGroup().location @@ -609,7 +609,7 @@ resource internalLoadBalancerResource 'Microsoft.Network/loadBalancers@2024-05-0 properties: { frontendIPConfigurations: [ { - name: internalLoadBalancer.fontendName + name: internalLoadBalancer.frontendName properties: { subnet: { id: resourceId('Microsoft.Network/virtualNetworks/subnets', spokeNetworkResource.name, spokeNetwork.subnetName) @@ -628,7 +628,7 @@ resource internalLoadBalancerResource 'Microsoft.Network/loadBalancers@2024-05-0 name: internalLoadBalancer.probeName properties: { frontendIPConfiguration: { - id: resourceId('Microsoft.Network/loadBalancers/frontendIPConfigurations', internalLoadBalancer.name, internalLoadBalancer.fontendName) + id: resourceId('Microsoft.Network/loadBalancers/frontendIPConfigurations', internalLoadBalancer.name, internalLoadBalancer.frontendName) } frontendPort: 80 backendPort: 80 diff --git a/solutions/secure-hybrid-network/nestedtemplates/azure-network-azuredeploy.json b/solutions/secure-hybrid-network/nestedtemplates/azure-network-azuredeploy.json index ac009c00..0fce5770 100644 --- a/solutions/secure-hybrid-network/nestedtemplates/azure-network-azuredeploy.json +++ b/solutions/secure-hybrid-network/nestedtemplates/azure-network-azuredeploy.json @@ -88,7 +88,7 @@ "defaultValue": { "name": "lb-internal", "backendName": "lb-backend", - "fontendName": "lb-frontend", + "frontendName": "lb-frontend", "probeName": "lb-probe" } }, 
@@ -896,7 +896,7 @@ "properties": { "frontendIPConfigurations": [ { - "name": "[parameters('internalLoadBalancer').fontendName]", + "name": "[parameters('internalLoadBalancer').frontendName]", "properties": { "subnet": { "id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('spokeNetwork').name, parameters('spokeNetwork').subnetName)]" @@ -915,7 +915,7 @@ "name": "[parameters('internalLoadBalancer').probeName]", "properties": { "frontendIPConfiguration": { - "id": "[resourceId('Microsoft.Network/loadBalancers/frontendIPConfigurations', parameters('internalLoadBalancer').name, parameters('internalLoadBalancer').fontendName)]" + "id": "[resourceId('Microsoft.Network/loadBalancers/frontendIPConfigurations', parameters('internalLoadBalancer').name, parameters('internalLoadBalancer').frontendName)]" }, "frontendPort": 80, "backendPort": 80, From eb5708573e1ef8175700c7bec6cf5fe705d81fb2 Mon Sep 17 00:00:00 2001 From: Fernando Antivero Date: Wed, 13 May 2026 13:23:12 -0300 Subject: [PATCH 2/6] replace hardcoded VPN shared key with secure parameter The VPN connection shared key was hardcoded as '123secret' in both local gateway templates. Now passed as a @secure() parameter from the main deployment template. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- solutions/secure-hybrid-network/azuredeploy.bicep | 6 ++++++ solutions/secure-hybrid-network/azuredeploy.json | 12 ++++++++++++ .../azure-network-local-gateway.bicep | 6 +++++- .../nestedtemplates/azure-network-local-gateway.json | 5 ++++- .../nestedtemplates/mock-onprem-local-gateway.bicep | 6 +++++- .../nestedtemplates/mock-onprem-local-gateway.json | 5 ++++- 6 files changed, 36 insertions(+), 4 deletions(-) diff --git a/solutions/secure-hybrid-network/azuredeploy.bicep b/solutions/secure-hybrid-network/azuredeploy.bicep index 12a1d2e1..557c211c 100644 --- a/solutions/secure-hybrid-network/azuredeploy.bicep +++ b/solutions/secure-hybrid-network/azuredeploy.bicep 
@@ -15,6 +15,10 @@ param adminUserName string @secure() param adminPassword string +@description('The shared key used for VPN site-to-site connections.') +@secure() +param sharedKey string + @description('Azure Virtual Machines, and supporting services region. This defaults to the resource group\'s location for higher reliability.') param location string = deployment().location @@ -57,6 +61,7 @@ module mockOnPremLocalGateway 'nestedtemplates/mock-onprem-local-gateway.bicep' azureCloudVnetPrefix: azureNetwork.outputs.mocOnpremNetwork spokeNetworkAddressPrefix: azureNetwork.outputs.spokeNetworkAddressPrefix mocOnpremGatewayName: onPremMock.outputs.mocOnpremGatewayName + sharedKey: sharedKey } } @@ -67,5 +72,6 @@ module azureNetworkLocalGateway 'nestedtemplates/azure-network-local-gateway.bic azureCloudVnetPrefix: onPremMock.outputs.mocOnpremNetworkPrefix gatewayIpAddress: onPremMock.outputs.vpnIp azureNetworkGatewayName: azureNetwork.outputs.azureGatewayName + sharedKey: sharedKey } } diff --git a/solutions/secure-hybrid-network/azuredeploy.json b/solutions/secure-hybrid-network/azuredeploy.json index 9e4f66ad..62fcda40 100644 --- a/solutions/secure-hybrid-network/azuredeploy.json +++ b/solutions/secure-hybrid-network/azuredeploy.json @@ -22,6 +22,12 @@ "description": "The admin password for both the Windows and Linux virtual machines." } }, + "sharedKey": { + "type": "securestring", + "metadata": { + "description": "The shared key used for VPN site-to-site connections." + } + }, "resourceGrouplocation": { "type": "string", "defaultValue": "eastus" @@ -129,6 +135,9 @@ "mocOnpremGatewayName": { "value": "[reference('onPremMock').outputs.mocOnpremGatewayName.value]" }, + "sharedKey": { + "value": "[parameters('sharedKey')]" + }, "location": { "value": "[parameters('resourceGrouplocation')]" } 
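Review bot: The new `sharedKey` parameter in azuredeploy.bicep has no length constraint, so a value as short as the `123secret` literal this commit removes would still deploy. Adding a floor next to `@secure()`, for example `@minLength(32)` (the number is a suggestion for the team to settle), rejects weak pre-shared keys at deployment time. The `sharedKey` entry added to azuredeploy.json would take the matching `"minLength"` property. The removed literal also stays in repository history, so any connection deployed with it should have its key rotated rather than be treated as private.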
@@ -160,6 +169,9 @@ "azureNetworkGatewayName": { "value": "[reference('azureNetwork').outputs.azureGatewayName.value]" }, + "sharedKey": { + "value": "[parameters('sharedKey')]" + }, "location": { "value": "[parameters('resourceGrouplocation')]" } diff --git a/solutions/secure-hybrid-network/nestedtemplates/azure-network-local-gateway.bicep b/solutions/secure-hybrid-network/nestedtemplates/azure-network-local-gateway.bicep index 206f0c6d..59d0785a 100644 --- a/solutions/secure-hybrid-network/nestedtemplates/azure-network-local-gateway.bicep +++ b/solutions/secure-hybrid-network/nestedtemplates/azure-network-local-gateway.bicep @@ -3,6 +3,10 @@ param gatewayIpAddress string param azureCloudVnetPrefix string param azureNetworkGatewayName string param localNetworkGatewayName string = 'local-gateway-azure-network' + +@secure() +param sharedKey string + param location string = resourceGroup().location resource localNetworkGateway 'Microsoft.Network/localNetworkGateways@2024-05-01' = { @@ -37,7 +41,7 @@ resource connection 'Microsoft.Network/connections@2024-05-01' = { connectionType: 'IPsec' connectionProtocol: 'IKEv2' routingWeight: 100 - sharedKey: '123secret' + sharedKey: sharedKey enableBgp: false useLocalAzureIpAddress: false usePolicyBasedTrafficSelectors: false diff --git a/solutions/secure-hybrid-network/nestedtemplates/azure-network-local-gateway.json b/solutions/secure-hybrid-network/nestedtemplates/azure-network-local-gateway.json index 7a7026c9..5fe715dc 100644 --- a/solutions/secure-hybrid-network/nestedtemplates/azure-network-local-gateway.json +++ b/solutions/secure-hybrid-network/nestedtemplates/azure-network-local-gateway.json @@ -19,6 +19,9 @@ "type": "string", "defaultValue": "local-gateway-azure-network" }, + "sharedKey": { + "type": "securestring" + }, "location": { "type": "string" } 
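Review bot: The `sharedKey` parameter added to azure-network-local-gateway.bicep carries `@secure()` but no `@description`, unlike the same parameter in azuredeploy.bicep. I would add `@description('Pre-shared key for the IPsec connection; must be identical on both VPN connections.')` above `@secure()`, because the value has to match the one passed to mock-onprem-local-gateway.bicep, whose hunk has the same gap. The `"sharedKey"` entries added to the two nested JSON templates likewise have no `metadata.description`.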
@@ -60,7 +63,7 @@ "connectionType": "IPsec", "connectionProtocol": "IKEv2", "routingWeight": 100, - "sharedKey": "123secret", + "sharedKey": "[parameters('sharedKey')]", "enableBgp": false, "useLocalAzureIpAddress": false, "usePolicyBasedTrafficSelectors": false, diff --git a/solutions/secure-hybrid-network/nestedtemplates/mock-onprem-local-gateway.bicep b/solutions/secure-hybrid-network/nestedtemplates/mock-onprem-local-gateway.bicep index 96bdcfa0..3fe6b7bb 100644 --- a/solutions/secure-hybrid-network/nestedtemplates/mock-onprem-local-gateway.bicep +++ b/solutions/secure-hybrid-network/nestedtemplates/mock-onprem-local-gateway.bicep @@ -4,6 +4,10 @@ param spokeNetworkAddressPrefix string param gatewayIpAddress string param mocOnpremGatewayName string param localNetworkGateway string = 'local-gateway-moc-prem' + +@secure() +param sharedKey string + param location string = resourceGroup().location resource localNetworkGateway_resource 'Microsoft.Network/localNetworkGateways@2024-05-01' = { @@ -39,7 +43,7 @@ resource connection 'Microsoft.Network/connections@2024-05-01' = { connectionType: 'IPsec' connectionProtocol: 'IKEv2' routingWeight: 100 - sharedKey: '123secret' + sharedKey: sharedKey enableBgp: false useLocalAzureIpAddress: false usePolicyBasedTrafficSelectors: false diff --git a/solutions/secure-hybrid-network/nestedtemplates/mock-onprem-local-gateway.json b/solutions/secure-hybrid-network/nestedtemplates/mock-onprem-local-gateway.json index 9365b96f..c7fbfa04 100644 --- a/solutions/secure-hybrid-network/nestedtemplates/mock-onprem-local-gateway.json +++ b/solutions/secure-hybrid-network/nestedtemplates/mock-onprem-local-gateway.json @@ -22,6 +22,9 @@ "type": "string", "defaultValue": "local-gateway-moc-prem" }, + "sharedKey": { + "type": "securestring" + }, "location": { "type": "string" } 
@@ -64,7 +67,7 @@ "connectionType": "IPsec", "connectionProtocol": "IKEv2", "routingWeight": 100, - "sharedKey": "123secret", + "sharedKey": "[parameters('sharedKey')]", "enableBgp": false, "useLocalAzureIpAddress": false, "usePolicyBasedTrafficSelectors": false, From 2116ce06cf1098b7236ac90bf8bddce48caa8731 Mon Sep 17 00:00:00 2001 From: Fernando Antivero Date: Wed, 13 May 2026 13:24:43 -0300 Subject: [PATCH 3/6] fix legacy diagnostic settings to use scope property Replace the deprecated /providers/ segment pattern with the proper scope property for the spoke NSG diagnostic settings resource. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- .../nestedtemplates/azure-network-azuredeploy.bicep | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/solutions/secure-hybrid-network/nestedtemplates/azure-network-azuredeploy.bicep b/solutions/secure-hybrid-network/nestedtemplates/azure-network-azuredeploy.bicep index cda67f83..aaeddf20 100644 --- a/solutions/secure-hybrid-network/nestedtemplates/azure-network-azuredeploy.bicep +++ b/solutions/secure-hybrid-network/nestedtemplates/azure-network-azuredeploy.bicep @@ -579,8 +579,9 @@ resource azureFirewallResource_Microsoft_Insights_default_logAnalyticsWorkspace } } -resource spokeNetwork_subnetNsgName_Microsoft_Insights_default_logAnalyticsWorkspace 'Microsoft.Network/networkSecurityGroups/providers/diagnosticSettings@2021-05-01-preview' = { - name: '${spokeNetwork.subnetNsgName}/Microsoft.Insights/default${logAnalyticsWorkspaceName}' +resource spokeNetwork_subnetNsgName_Microsoft_Insights_default_logAnalyticsWorkspace 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = { + scope: spokeNetwork_subnetNsg + name: logAnalyticsWorkspaceName properties: { workspaceId: logAnalyticsWorkspace.id logs: [ 
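Review bot: The diagnostic setting's `name` changes from `default${logAnalyticsWorkspaceName}` (the last segment of the old three-part name) to plain `logAnalyticsWorkspaceName`, so redeploying over an existing environment would create a second setting on the spoke NSG instead of updating the old one. Azure normally refuses two settings that send the same log category to the same workspace, so that redeployment is likely to fail or leave NSG logging in an unclear state; keeping `name: 'default${logAnalyticsWorkspaceName}'` avoids this. The resource body continues past this hunk. The diffstat lists only the .bicep file, so the JSON template may now differ from it unless it is regenerated.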
@@ -594,10 +595,6 @@ resource spokeNetwork_subnetNsgName_Microsoft_Insights_default_logAnalyticsWorks } ] } - dependsOn: [ - spokeNetwork_subnetNsg - - ] } resource internalLoadBalancerResource 'Microsoft.Network/loadBalancers@2024-05-01' = { From 38028709b17b405b9ae93f10896bfbca9d4c6ff0 Mon Sep 17 00:00:00 2001 From: Fernando Antivero Date: Wed, 13 May 2026 13:26:45 -0300 Subject: [PATCH 4/6] replace hardcoded reference() with symbolic property access Use azureFirewallResource.properties.ipConfigurations[0] instead of the legacy reference(id, apiVersion) pattern for route next-hop IP. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- .../nestedtemplates/azure-network-azuredeploy.bicep | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/solutions/secure-hybrid-network/nestedtemplates/azure-network-azuredeploy.bicep b/solutions/secure-hybrid-network/nestedtemplates/azure-network-azuredeploy.bicep index aaeddf20..f8da5d94 100644 --- a/solutions/secure-hybrid-network/nestedtemplates/azure-network-azuredeploy.bicep +++ b/solutions/secure-hybrid-network/nestedtemplates/azure-network-azuredeploy.bicep @@ -679,7 +679,7 @@ resource gatewayRoutes_tableName_gatewayRoutes_routeNameFirewall 'Microsoft.Netw properties: { addressPrefix: spokeNetwork.addressPrefix nextHopType: 'VirtualAppliance' - nextHopIpAddress: reference(azureFirewallResource.id, '2020-05-01').ipConfigurations[0].properties.privateIpAddress + nextHopIpAddress: azureFirewallResource.properties.ipConfigurations[0].properties.privateIPAddress } } @@ -689,7 +689,7 @@ resource spokeRoutes_tableName_spokeRoutes_routeNameFirewall 'Microsoft.Network/ properties: { addressPrefix: '0.0.0.0/0' nextHopType: 'VirtualAppliance' - nextHopIpAddress: reference(azureFirewallResource.id, '2020-05-01').ipConfigurations[0].properties.privateIpAddress + nextHopIpAddress: azureFirewallResource.properties.ipConfigurations[0].properties.privateIPAddress } } 
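Review bot: Both route resources now repeat `azureFirewallResource.properties.ipConfigurations[0].properties.privateIPAddress`, in the hunks at -679 and -689. These routes are what send gateway and spoke traffic to the firewall, so I would compute the address once, `var firewallPrivateIp = azureFirewallResource.properties.ipConfigurations[0].properties.privateIPAddress`, and use it in both. A comment on that variable should state that index 0 is assumed to be the firewall's data-path IP configuration. Both resource bodies start outside their hunks.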
From 2c9735d7fc9c43efb06ebca79ad83bc521269920 Mon Sep 17 00:00:00 2001 From: Fernando Antivero Date: Wed, 13 May 2026 13:28:07 -0300 Subject: [PATCH 5/6] add defaultOutboundAccess: false to Bastion subnets Disable default outbound internet access on the Bastion subnets in both azure-network and mock-onprem templates, consistent with other subnets in this deployment. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- .../nestedtemplates/azure-network-azuredeploy.bicep | 1 + .../nestedtemplates/azure-network-azuredeploy.json | 1 + .../nestedtemplates/mock-onprem-azuredeploy.bicep | 1 + .../nestedtemplates/mock-onprem-azuredeploy.json | 3 ++- 4 files changed, 5 insertions(+), 1 deletion(-) diff --git a/solutions/secure-hybrid-network/nestedtemplates/azure-network-azuredeploy.bicep b/solutions/secure-hybrid-network/nestedtemplates/azure-network-azuredeploy.bicep index f8da5d94..27e2448f 100644 --- a/solutions/secure-hybrid-network/nestedtemplates/azure-network-azuredeploy.bicep +++ b/solutions/secure-hybrid-network/nestedtemplates/azure-network-azuredeploy.bicep @@ -226,6 +226,7 @@ resource hubNetworkResource 'Microsoft.Network/virtualNetworks@2024-05-01' = { name: bastionHost.subnetName properties: { addressPrefix: bastionHost.subnetPrefix + defaultOutboundAccess: false networkSecurityGroup: { id: bastionHost_nsg.id } diff --git a/solutions/secure-hybrid-network/nestedtemplates/azure-network-azuredeploy.json b/solutions/secure-hybrid-network/nestedtemplates/azure-network-azuredeploy.json index 0fce5770..6acc540d 100644 --- a/solutions/secure-hybrid-network/nestedtemplates/azure-network-azuredeploy.json +++ b/solutions/secure-hybrid-network/nestedtemplates/azure-network-azuredeploy.json 
@@ -155,6 +155,7 @@ "name": "[parameters('bastionHost').subnetName]", "properties": { "addressPrefix": "[parameters('bastionHost').subnetPrefix]", + "defaultOutboundAccess": false, "networkSecurityGroup": { "id": "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('bastionHost').nsgName)]" } diff --git a/solutions/secure-hybrid-network/nestedtemplates/mock-onprem-azuredeploy.bicep b/solutions/secure-hybrid-network/nestedtemplates/mock-onprem-azuredeploy.bicep index d0c18ee5..4c74e592 100644 --- a/solutions/secure-hybrid-network/nestedtemplates/mock-onprem-azuredeploy.bicep +++ b/solutions/secure-hybrid-network/nestedtemplates/mock-onprem-azuredeploy.bicep @@ -57,6 +57,7 @@ resource mocOnpremNetworkResource 'Microsoft.Network/virtualNetworks@2024-05-01' name: bastionHost.subnetName properties: { addressPrefix: bastionHost.subnetPrefix + defaultOutboundAccess: false } } ] diff --git a/solutions/secure-hybrid-network/nestedtemplates/mock-onprem-azuredeploy.json b/solutions/secure-hybrid-network/nestedtemplates/mock-onprem-azuredeploy.json index a39754b6..8adc0187 100644 --- a/solutions/secure-hybrid-network/nestedtemplates/mock-onprem-azuredeploy.json +++ b/solutions/secure-hybrid-network/nestedtemplates/mock-onprem-azuredeploy.json @@ -82,7 +82,8 @@ { "name": "[parameters('bastionHost').subnetName]", "properties": { - "addressPrefix": "[parameters('bastionHost').subnetPrefix]" + "addressPrefix": "[parameters('bastionHost').subnetPrefix]", + "defaultOutboundAccess": false } } ] From d121d4f8c53f8c91a3461dff304d773820bb6678 Mon Sep 17 00:00:00 2001 
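Review bot: In mock-onprem-azuredeploy.bicep the Bastion subnet entry shown in the hunk has only `addressPrefix` and the new `defaultOutboundAccess: false`, with no `networkSecurityGroup`, while the hub Bastion subnet in azure-network-azuredeploy.bicep references `bastionHost_nsg.id`. If no NSG is attached elsewhere in the file, I would add `networkSecurityGroup: { id: <mock on-prem Bastion NSG>.id }` to this entry (placeholder; the symbol name is not visible here) so both Bastion subnets are filtered the same way. It is also worth confirming in a test deployment that Bastion still reaches the Azure endpoints it needs once default outbound access is off. The virtual network resource starts and ends outside the hunk.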
From: Fernando Antivero Date: Wed, 13 May 2026 13:33:53 -0300 Subject: [PATCH 6/6] update README parameter documentation Fix incorrect 'Azure SQL instance' descriptions (these are VMs), add new sharedKey parameter, fix descriptions and defaults to match current template state. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- solutions/secure-hybrid-network/README.md | 31 +++++++++++++---------- 1 file changed, 17 insertions(+), 14 deletions(-) diff --git a/solutions/secure-hybrid-network/README.md b/solutions/secure-hybrid-network/README.md index 4c32be81..056ea966 100644 --- a/solutions/secure-hybrid-network/README.md +++ b/solutions/secure-hybrid-network/README.md 
@@ -57,17 +57,18 @@ az deployment group create -n firewallDnat -g rg-site-to-site-azure-network-east | Parameter | Type | Description | Default and properties | |---|---|---|--| -| mocOnPremResourceGroup | string | The name of the moc on-prem resource group. | null | +| mocOnPremResourceGroup | string | The name of the mock on-prem resource group. | null | | azureNetworkResourceGroup | string | The name of the Azure network resource group. | null | -| adminUserName | string | The admin user name for the Azure SQL instance. | null | -| adminPassword | securestring | The admin password for the Azure SQL instance. | null | +| adminUserName | string | The admin user name for the virtual machines. | null | +| adminPassword | securestring | The admin password for the virtual machines. | null | +| sharedKey | securestring | The shared key used for VPN site-to-site connections. | null | **nestedtemplates/azure-network-azuredeploy.bicep** | Parameter | Type | Description | Default and properties | |---|---|---|--| -| adminUserName | string | The admin user name for the Azure SQL instance. | null | -| adminPassword | securestring | The admin password for the Azure SQL instance. | null | +| adminUserName | string | The admin user name for the virtual machines. | azureadmin | +| adminPassword | securestring | The admin password for the virtual machines. | null | | windowsVMCount | int | The number of load-balanced virtual machines running IIS. | 2 | | vmSize | string | Size of the load-balanced virtual machines. | Standard_A4_v2 | | configureSitetosite | bool | Condition for configuring a site-to-site VPN connection. | true | 
@@ -87,20 +88,21 @@ az deployment group create -n firewallDnat -g rg-site-to-site-azure-network-east |---|---|---|--| | connectionName | string | Name of the Azure connection resource. | hub-to-mock-prem | | gatewayIpAddress | string | Public IP address of the mock on-prem virtual network gateway. | null | -| azureCloudVnetPrefix | string | Subnet prefix of the management subnet found in the hub network. | null | +| azureCloudVnetPrefix | string | Address prefix of the hub network. | null | | azureNetworkGatewayName | string | Name of the Azure virtual network gateway. | null | -| localNetworkGatewayName | string | Name of the Azure local network gateway. | local-gateway-azure-network | +| localNetworkGatewayName | string | Name of the Azure local network gateway. | local-gateway-azure-network | +| sharedKey | securestring | The shared key for the VPN connection. | null | **nestedtemplates/mock-onprem-azuredeploy.bicep** | Parameter | Type | Description | Default | |---|---|---|--| -| adminUserName | string | The admin user name for the Azure SQL instance. | null | -| adminPassword | securestring | The admin password for the Azure SQL instance. | null | +| adminUserName | string | The admin user name for the virtual machine. | azureadmin | +| adminPassword | securestring | The admin password for the virtual machine. | null | | mocOnpremNetwork | object | Object representing the configuration of the mock on-prem network. | name, addressPrefix, mgmt, subnetPrefix | | mocOnpremGateway | object | Object representing the configuration of the VPN gateway. | name, subnetName, subnetPrefix, publicIPAddressName | | bastionHost | object | Object representing the configuration of the Bastion host. | name, subnetName, subnetPrefix, publicIPAddressName, nsgName | -| vmSize | string | Size of the load-balanced virtual machines. | Standard_A4_v2 | +| vmSize | string | Size of the virtual machine. 
| Standard_A4_v2 | | configureSitetosite | bool | Condition for configuring a site-to-site VPN connection. | true | | location | string | Location to be used for all resources. | rg location | @@ -108,12 +110,13 @@ az deployment group create -n firewallDnat -g rg-site-to-site-azure-network-east | Parameter | Type | Description | Default | |---|---|---|--| -| connectionName | string | Name of the mock on-prem connection resource. | hub-to-mock-prem | -| azureCloudVnetPrefix | string | Subnet prefix of the management subnet found in the hub network. | hub-to-mock-prem | -| spokeNetworkAddressPrefix | string | Subnet prefix of the resource subnet found in the spoke network. | hub-to-mock-prem | +| connectionName | string | Name of the mock on-prem connection resource. | mock-prem-to-hub | +| azureCloudVnetPrefix | string | Address prefix of the hub network. | null | +| spokeNetworkAddressPrefix | string | Address prefix of the spoke network. | null | | gatewayIpAddress | string | Public IP address of the Azure virtual network gateway. | null | -| mocOnpremGatewayName | string | Name of the mock on-prem local network gateway. | null | +| mocOnpremGatewayName | string | Name of the mock on-prem virtual network gateway. | null | | localNetworkGateway | string | Name of the mock on-prem local network gateway. | local-gateway-moc-prem | +| sharedKey | securestring | The shared key for the VPN connection. | null | | location | string | Location to be used for all resources. | rg location | **nestedtemplates/azure-network-azuredeploy-v2.bicep**