diff --git a/solutions/secure-hybrid-network/nestedtemplates/azure-network-azuredeploy.bicep b/solutions/secure-hybrid-network/nestedtemplates/azure-network-azuredeploy.bicep
index d630330e..2fc0efe9 100644
--- a/solutions/secure-hybrid-network/nestedtemplates/azure-network-azuredeploy.bicep
+++ b/solutions/secure-hybrid-network/nestedtemplates/azure-network-azuredeploy.bicep
@@ -5,7 +5,7 @@ param adminPassword string
 @description('The count of Windows virtual machines to create.')
 param webServerInstanceCount int = 2
-param vmSize string = 'Standard_A4_v2'
+param vmSize string = 'Standard_D2s_v3'
 param configureSitetosite bool = true
 param hubNetwork object = {
 name: 'vnet-hub'
@@ -55,7 +55,7 @@ param location string = resourceGroup().location
 var logAnalyticsWorkspaceName = 'la-${uniqueString(subscription().subscriptionId, resourceGroup().id)}'
 var vmssName = 'vmss-web-server'
-var windowsOSVersion = '2016-Datacenter'
+var windowsOSVersion = '2025-datacenter-core-smalldisk-g2'
 resource logAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2025-02-01' = {
 name: logAnalyticsWorkspaceName
@@ -533,22 +533,20 @@ resource azureFirewallResource 'Microsoft.Network/azureFirewalls@2024-05-01' = {
 }
 rules: [
 {
- name: 'all-internet'
+ name: 'windows-update'
 protocols: [
- {
- protocolType: 'Http'
- port: 80
- }
 {
 protocolType: 'Https'
 port: 443
 }
 ]
 targetFqdns: [
- '*'
+ '*.update.microsoft.com'
+ '*.windowsupdate.com'
+ '*.download.windowsupdate.com'
 ]
 sourceAddresses: [
- '*'
+ spokeNetwork.addressPrefix
 ]
 }
 ]
diff --git a/solutions/secure-hybrid-network/nestedtemplates/azure-network-azuredeploy.json b/solutions/secure-hybrid-network/nestedtemplates/azure-network-azuredeploy.json
index bf2082da..552fb296 100644
--- a/solutions/secure-hybrid-network/nestedtemplates/azure-network-azuredeploy.json
+++ b/solutions/secure-hybrid-network/nestedtemplates/azure-network-azuredeploy.json
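Review bot: The hand-written `targetFqdns` list on the new `windows-update` rule in the `-533,22` hunk is narrower than the endpoint set Windows Update uses, and dropping the port-80 protocol entry is likely to break update downloads, since some Windows Update and Delivery Optimization content is still fetched over plain HTTP. Azure Firewall maintains a `WindowsUpdate` FQDN tag for exactly this case, so expressing the rule as `fqdnTags: ['WindowsUpdate']` (removing `targetFqdns` and keeping both protocol entries) states the intent directly and stays current without re-listing domains; the JSON counterpart (hunk `-620,22`) needs the equivalent `"fqdnTags": ["WindowsUpdate"]`. Restricting `sourceAddresses` to `spokeNetwork.addressPrefix` is a clear improvement over `'*'`. The rule collection's `action` and `priority`, and any other collections that may still allow broad egress, lie outside the hunk and cannot be checked from here.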
@@ -18,7 +18,7 @@
 },
 "vmSize": {
 "type": "string",
- "defaultValue": "Standard_DS1_v2"
+ "defaultValue": "Standard_D2s_v3"
 },
 "configureSitetosite": {
 "type": "bool",
@@ -101,7 +101,7 @@
 "vmssName": "vmss-web-server",
 "peering-name-hub-to-spoke": "hub-to-spoke",
 "peering-name-spoke-to-hub": "spoke-to-hub",
- "windowsOSVersion": "2022-datacenter-g2"
+ "windowsOSVersion": "2025-datacenter-core-smalldisk-g2"
 },
 "resources": [
 {
@@ -620,22 +620,20 @@
 },
 "rules": [
 {
- "name": "all-internet",
+ "name": "windows-update",
 "protocols": [
- {
- "protocolType": "Http",
- "port": 80
- },
 {
 "protocolType": "Https",
 "port": 443
 }
 ],
 "targetFqdns": [
- "*"
+ "*.update.microsoft.com",
+ "*.windowsupdate.com",
+ "*.download.windowsupdate.com"
 ],
 "sourceAddresses": [
- "*"
+ "[parameters('spokeNetwork').addressPrefix]"
 ]
 }
 ]
diff --git a/solutions/secure-hybrid-network/nestedtemplates/mock-onprem-azuredeploy.bicep b/solutions/secure-hybrid-network/nestedtemplates/mock-onprem-azuredeploy.bicep
index 7088762e..46939058 100644
--- a/solutions/secure-hybrid-network/nestedtemplates/mock-onprem-azuredeploy.bicep
+++ b/solutions/secure-hybrid-network/nestedtemplates/mock-onprem-azuredeploy.bicep
@@ -21,13 +21,13 @@ param bastionHost object = {
 publicIPAddressName: 'pip-bastion'
 nsgName: 'nsg-hub-bastion'
 }
-param vmSize string = 'Standard_A4_v2'
+param vmSize string = 'Standard_D2s_v3'
 param configureSitetosite bool = true
 param location string = resourceGroup().location
 var nicNameWindowsName = 'nic-windows'
 var vmNameWindowsName = 'vm-windows'
-var windowsOSVersion = '2016-Datacenter'
+var windowsOSVersion = '2025-datacenter-smalldisk-g2'
 resource mocOnpremNetworkResource 'Microsoft.Network/virtualNetworks@2024-05-01' = {
 name: mocOnpremNetwork.name
@@ -283,11 +283,6 @@ resource windowsVM 'Microsoft.Compute/virtualMachines@2024-11-01' = {
 adminPassword: adminPassword
 windowsConfiguration: {
 enableAutomaticUpdates: true
- patchSettings: {
- //Machines should be configured to periodically check for missing system updates
- assessmentMode: 'AutomaticByPlatform'
- patchMode: 'AutomaticByPlatform'
- }
 }
 }
 storageProfile: {
diff --git a/solutions/secure-hybrid-network/nestedtemplates/mock-onprem-azuredeploy.json b/solutions/secure-hybrid-network/nestedtemplates/mock-onprem-azuredeploy.json
index 6099673d..2c017308 100644
--- a/solutions/secure-hybrid-network/nestedtemplates/mock-onprem-azuredeploy.json
+++ b/solutions/secure-hybrid-network/nestedtemplates/mock-onprem-azuredeploy.json
@@ -38,7 +38,7 @@
 },
 "vmSize": {
 "type": "string",
- "defaultValue": "Standard_DS1_v2"
+ "defaultValue": "Standard_D2s_v3"
 },
 "configureSitetosite": {
 "type": "bool",
@@ -51,7 +51,7 @@
 "variables": {
 "nicNameWindows": "nic-windows",
 "vmNameWindows": "vm-windows",
- "windowsOSVersion": "2016-Datacenter"
+ "windowsOSVersion": "2025-datacenter-smalldisk-g2"
 },
 "resources": [
 {
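Review bot: Deleting the `patchSettings` block from `windowsVM` in the `-283,11` hunk silently drops the `AutomaticByPlatform` assessment and patch modes, so the VM reverts to the Compute API's default patch mode (AutomaticByOS, as far as I recall the default when `enableAutomaticUpdates` is true) and the periodic missing-update assessment that the removed comment called out is no longer configured. If this is intentional, the reason belongs in the template, e.g. `// patchSettings intentionally omitted: <reason placeholder>` next to `enableAutomaticUpdates: true`; if it is a workaround for the new `2025-datacenter-smalldisk-g2` image, that should be stated too. The JSON rendition of the same template (hunks `-38,7` and `-51,7` below) does not make the matching change, so the two mock-onprem templates now differ in patch orchestration. The enclosing `windowsVM` resource starts and ends outside the hunk.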