Source from repo

Microsoft Foundry Skill

Deploy, evaluate, and manage AI agents end-to-end on Microsoft Azure AI Foundry

microsoftGitHub microsoftOfficialSource repo Original GitHub link Publisher page

Files

Skill

n/a

Size

546.6 KB

Entrypoint

SKILL.md

Format

git-repo

Open file

resource/private-network/references/vpn-dns-setup.bicep

Syntax-highlighted preview of this file as included in the skill package.

Rendered Source

text159 linesFree

resource/private-network/references/vpn-dns-setup.bicep

1/*
2  VPN Gateway + DNS Private Resolver
3  ------------------------------------
4  Post-deployment add-on for private network templates (T10, T15–T19).
5  Creates a P2S VPN Gateway (AAD auth, OpenVPN) and a DNS Private Resolver
6  so the user can connect from their dev machine and resolve private DNS zones.
7 
8  Note: VPN Gateway deployment takes 30-45 minutes.
9*/
10 
11@description('Name of the existing VNet from the Foundry deployment')
12param vnetName string
13 
14@description('Resource group of the existing VNet. Defaults to the deployment resource group.')
15param vnetResourceGroup string = resourceGroup().name
16 
17// ── Existing VNet ──
18resource vnet 'Microsoft.Network/virtualNetworks@2024-05-01' existing = {
19  name: vnetName
20  scope: resourceGroup(vnetResourceGroup)
21}
22 
23var location = vnet.location
24 
25@description('CIDR for GatewaySubnet — agent must compute from available VNet space')
26param gatewaySubnetCidr string
27 
28@description('CIDR for DNS resolver inbound subnet — agent must compute from available VNet space')
29param dnsResolverSubnetCidr string
30 
31@description('VPN client address pool — must not overlap with VNet')
32param vpnClientAddressPool string = '172.16.201.0/24'
33 
34@description('Azure AD tenant ID for VPN authentication')
35param aadTenantId string
36 
37@description('Unique suffix for resource naming')
38param suffix string
39 
40// AAD constants for Azure Public cloud only.
41// Sovereign clouds (AzureUSGovernment, AzureChinaCloud) require different audience/issuer values.
42// The intake step (az cloud show) warns users before reaching this template.
43var aadAudience = 'c632b3df-fb67-4d84-bdcf-b95ad541b5c8'
44var aadIssuer = 'https://sts.windows.net/${aadTenantId}/'
45var aadTenant = 'https://login.microsoftonline.com/${aadTenantId}/'
46 
47// ── Add subnets ──
48resource gatewaySubnet 'Microsoft.Network/virtualNetworks/subnets@2024-05-01' = {
49  parent: vnet
50  name: 'GatewaySubnet'
51  properties: {
52    addressPrefix: gatewaySubnetCidr
53    defaultOutboundAccess: false
54  }
55}
56 
57// NOTE: NRMS policy may auto-deploy an NSG on this subnet.
58// Ensure the NSG allows inbound UDP/TCP port 53 (DNS) from the VPN client address pool.
59resource dnsResolverSubnet 'Microsoft.Network/virtualNetworks/subnets@2024-05-01' = {
60  parent: vnet
61  name: 'dns-resolver-inbound'
62  properties: {
63    addressPrefix: dnsResolverSubnetCidr
64    defaultOutboundAccess: false
65    delegations: [
66      {
67        name: 'dns-resolver-delegation'
68        properties: {
69          serviceName: 'Microsoft.Network/dnsResolvers'
70        }
71      }
72    ]
73  }
74  dependsOn: [gatewaySubnet] // serialize subnet updates
75}
76 
77// ── Public IP for VPN Gateway ──
78resource vpnGatewayPip 'Microsoft.Network/publicIPAddresses@2024-05-01' = {
79  name: 'vpn-gateway-pip-${suffix}'
80  location: location
81  sku: {
82    name: 'Standard'
83  }
84  zones: ['1', '2', '3']
85  properties: {
86    publicIPAllocationMethod: 'Static'
87  }
88}
89 
90// ── VPN Gateway ──
91resource vpnGateway 'Microsoft.Network/virtualNetworkGateways@2024-05-01' = {
92  name: 'vpn-gateway-${suffix}'
93  location: location
94  properties: {
95    gatewayType: 'Vpn'
96    vpnType: 'RouteBased'
97    sku: {
98      name: 'VpnGw1AZ'
99      tier: 'VpnGw1AZ'
100    }
101    ipConfigurations: [
102      {
103        name: 'default'
104        properties: {
105          publicIPAddress: {
106            id: vpnGatewayPip.id
107          }
108          subnet: {
109            id: gatewaySubnet.id
110          }
111        }
112      }
113    ]
114    vpnClientConfiguration: {
115      vpnClientAddressPool: {
116        addressPrefixes: [vpnClientAddressPool]
117      }
118      vpnClientProtocols: ['OpenVPN']
119      vpnAuthenticationTypes: ['AAD']
120      aadTenant: aadTenant
121      aadAudience: aadAudience
122      aadIssuer: aadIssuer
123    }
124  }
125}
126 
127// ── DNS Private Resolver ──
128resource dnsResolver 'Microsoft.Network/dnsResolvers@2022-07-01' = {
129  name: 'dns-resolver-${suffix}'
130  location: location
131  properties: {
132    virtualNetwork: {
133      id: vnet.id
134    }
135  }
136}
137 
138resource dnsInboundEndpoint 'Microsoft.Network/dnsResolvers/inboundEndpoints@2022-07-01' = {
139  parent: dnsResolver
140  name: 'inbound'
141  location: location
142  properties: {
143    ipConfigurations: [
144      {
145        privateIpAllocationMethod: 'Dynamic'
146        subnet: {
147          id: dnsResolverSubnet.id
148        }
149      }
150    ]
151  }
152}
153 
154// ── Outputs ──
155output vpnGatewayName string = vpnGateway.name
156output vpnGatewayId string = vpnGateway.id
157output vpnPublicIpAddress string = vpnGatewayPip.properties.ipAddress
158output dnsResolverInboundIp string = dnsInboundEndpoint.properties.ipConfigurations[0].privateIpAddress
159

Marketplace

Source from repo

Microsoft Foundry Skill

Deploy, evaluate, and manage AI agents end-to-end on Microsoft Azure AI Foundry

microsoftGitHub microsoftOfficialSource repo Original GitHub link Publisher page

Files

Skill

n/a

Size

546.6 KB

Entrypoint

SKILL.md

Format

git-repo

Open file

resource/private-network/references/vpn-dns-setup.bicep

Syntax-highlighted preview of this file as included in the skill package.

Rendered Source

text159 linesFree

resource/private-network/references/vpn-dns-setup.bicep

1/*
2  VPN Gateway + DNS Private Resolver
3  ------------------------------------
4  Post-deployment add-on for private network templates (T10, T15–T19).
5  Creates a P2S VPN Gateway (AAD auth, OpenVPN) and a DNS Private Resolver
6  so the user can connect from their dev machine and resolve private DNS zones.
7 
8  Note: VPN Gateway deployment takes 30-45 minutes.
9*/
10 
11@description('Name of the existing VNet from the Foundry deployment')
12param vnetName string
13 
14@description('Resource group of the existing VNet. Defaults to the deployment resource group.')
15param vnetResourceGroup string = resourceGroup().name
16 
17// ── Existing VNet ──
18resource vnet 'Microsoft.Network/virtualNetworks@2024-05-01' existing = {
19  name: vnetName
20  scope: resourceGroup(vnetResourceGroup)
21}
22 
23var location = vnet.location
24 
25@description('CIDR for GatewaySubnet — agent must compute from available VNet space')
26param gatewaySubnetCidr string
27 
28@description('CIDR for DNS resolver inbound subnet — agent must compute from available VNet space')
29param dnsResolverSubnetCidr string
30 
31@description('VPN client address pool — must not overlap with VNet')
32param vpnClientAddressPool string = '172.16.201.0/24'
33 
34@description('Azure AD tenant ID for VPN authentication')
35param aadTenantId string
36 
37@description('Unique suffix for resource naming')
38param suffix string
39 
40// AAD constants for Azure Public cloud only.
41// Sovereign clouds (AzureUSGovernment, AzureChinaCloud) require different audience/issuer values.
42// The intake step (az cloud show) warns users before reaching this template.
43var aadAudience = 'c632b3df-fb67-4d84-bdcf-b95ad541b5c8'
44var aadIssuer = 'https://sts.windows.net/${aadTenantId}/'
45var aadTenant = 'https://login.microsoftonline.com/${aadTenantId}/'
46 
47// ── Add subnets ──
48resource gatewaySubnet 'Microsoft.Network/virtualNetworks/subnets@2024-05-01' = {
49  parent: vnet
50  name: 'GatewaySubnet'
51  properties: {
52    addressPrefix: gatewaySubnetCidr
53    defaultOutboundAccess: false
54  }
55}
56 
57// NOTE: NRMS policy may auto-deploy an NSG on this subnet.
58// Ensure the NSG allows inbound UDP/TCP port 53 (DNS) from the VPN client address pool.
59resource dnsResolverSubnet 'Microsoft.Network/virtualNetworks/subnets@2024-05-01' = {
60  parent: vnet
61  name: 'dns-resolver-inbound'
62  properties: {
63    addressPrefix: dnsResolverSubnetCidr
64    defaultOutboundAccess: false
65    delegations: [
66      {
67        name: 'dns-resolver-delegation'
68        properties: {
69          serviceName: 'Microsoft.Network/dnsResolvers'
70        }
71      }
72    ]
73  }
74  dependsOn: [gatewaySubnet] // serialize subnet updates
75}
76 
77// ── Public IP for VPN Gateway ──
78resource vpnGatewayPip 'Microsoft.Network/publicIPAddresses@2024-05-01' = {
79  name: 'vpn-gateway-pip-${suffix}'
80  location: location
81  sku: {
82    name: 'Standard'
83  }
84  zones: ['1', '2', '3']
85  properties: {
86    publicIPAllocationMethod: 'Static'
87  }
88}
89 
90// ── VPN Gateway ──
91resource vpnGateway 'Microsoft.Network/virtualNetworkGateways@2024-05-01' = {
92  name: 'vpn-gateway-${suffix}'
93  location: location
94  properties: {
95    gatewayType: 'Vpn'
96    vpnType: 'RouteBased'
97    sku: {
98      name: 'VpnGw1AZ'
99      tier: 'VpnGw1AZ'
100    }
101    ipConfigurations: [
102      {
103        name: 'default'
104        properties: {
105          publicIPAddress: {
106            id: vpnGatewayPip.id
107          }
108          subnet: {
109            id: gatewaySubnet.id
110          }
111        }
112      }
113    ]
114    vpnClientConfiguration: {
115      vpnClientAddressPool: {
116        addressPrefixes: [vpnClientAddressPool]
117      }
118      vpnClientProtocols: ['OpenVPN']
119      vpnAuthenticationTypes: ['AAD']
120      aadTenant: aadTenant
121      aadAudience: aadAudience
122      aadIssuer: aadIssuer
123    }
124  }
125}
126 
127// ── DNS Private Resolver ──
128resource dnsResolver 'Microsoft.Network/dnsResolvers@2022-07-01' = {
129  name: 'dns-resolver-${suffix}'
130  location: location
131  properties: {
132    virtualNetwork: {
133      id: vnet.id
134    }
135  }
136}
137 
138resource dnsInboundEndpoint 'Microsoft.Network/dnsResolvers/inboundEndpoints@2022-07-01' = {
139  parent: dnsResolver
140  name: 'inbound'
141  location: location
142  properties: {
143    ipConfigurations: [
144      {
145        privateIpAllocationMethod: 'Dynamic'
146        subnet: {
147          id: dnsResolverSubnet.id
148        }
149      }
150    ]
151  }
152}
153 
154// ── Outputs ──
155output vpnGatewayName string = vpnGateway.name
156output vpnGatewayId string = vpnGateway.id
157output vpnPublicIpAddress string = vpnGatewayPip.properties.ipAddress
158output dnsResolverInboundIp string = dnsInboundEndpoint.properties.ipConfigurations[0].privateIpAddress
159

Microsoft Foundry Skill

resource/private-network/references/vpn-dns-setup.bicep

Preparing the source view

Microsoft Foundry Skill

resource/private-network/references/vpn-dns-setup.bicep