Source from repo

Microsoft Foundry Skill

Build and deploy AI applications on Azure AI Foundry using Microsoft's model catalog and AI services

microsoftGitHub microsoftOfficialSource repo Original GitHub link Publisher page

Files

Skill

n/a

Size

546.7 KB

Entrypoint

SKILL.md

Format

git-repo

Open file

resource/private-network/references/vpn-dns-setup.bicep

Syntax-highlighted preview of this file as included in the skill package.

Rendered Source

text159 linesFree

resource/private-network/references/vpn-dns-setup.bicep

1/*
2  VPN Gateway + DNS Private Resolver
3  ------------------------------------
4  Post-deployment add-on for private network templates (T10, T15–T19).
5  Creates a P2S VPN Gateway (AAD auth, OpenVPN) and a DNS Private Resolver
6  so the user can connect from their dev machine and resolve private DNS zones.
7 
8  Note: VPN Gateway deployment takes 30-45 minutes.
9*/
10 
11@description('Name of the existing VNet from the Foundry deployment')
12param vnetName string
13 
14@description('Resource group of the existing VNet. Defaults to the deployment resource group.')
15param vnetResourceGroup string = resourceGroup().name
16 
17// ── Existing VNet ──
18resource vnet 'Microsoft.Network/virtualNetworks@2024-05-01' existing = {
19  name: vnetName
20  scope: resourceGroup(vnetResourceGroup)
21}
22 
23var location = vnet.location
24 
25@description('CIDR for GatewaySubnet — agent must compute from available VNet space')
26param gatewaySubnetCidr string
27 
28@description('CIDR for DNS resolver inbound subnet — agent must compute from available VNet space')
29param dnsResolverSubnetCidr string
30 
31@description('VPN client address pool — must not overlap with VNet')
32param vpnClientAddressPool string = '172.16.201.0/24'
33 
34@description('Azure AD tenant ID for VPN authentication')
35param aadTenantId string
36 
37@description('Unique suffix for resource naming')
38param suffix string
39 
40// AAD constants for Azure Public cloud only.
41// Sovereign clouds (AzureUSGovernment, AzureChinaCloud) require different audience/issuer values.
42// The intake step (az cloud show) warns users before reaching this template.
43var aadAudience = 'c632b3df-fb67-4d84-bdcf-b95ad541b5c8'
44var aadIssuer = 'https://sts.windows.net/${aadTenantId}/'
45var aadTenant = 'https://login.microsoftonline.com/${aadTenantId}/'
46 
47// ── Add subnets ──
48resource gatewaySubnet 'Microsoft.Network/virtualNetworks/subnets@2024-05-01' = {
49  parent: vnet
50  name: 'GatewaySubnet'
51  properties: {
52    addressPrefix: gatewaySubnetCidr
53    defaultOutboundAccess: false
54  }
55}
56 
57// NOTE: NRMS policy may auto-deploy an NSG on this subnet.
58// Ensure the NSG allows inbound UDP/TCP port 53 (DNS) from the VPN client address pool.
59resource dnsResolverSubnet 'Microsoft.Network/virtualNetworks/subnets@2024-05-01' = {
60  parent: vnet
61  name: 'dns-resolver-inbound'
62  properties: {
63    addressPrefix: dnsResolverSubnetCidr
64    defaultOutboundAccess: false
65    delegations: [
66      {
67        name: 'dns-resolver-delegation'
68        properties: {
69          serviceName: 'Microsoft.Network/dnsResolvers'
70        }
71      }
72    ]
73  }
74  dependsOn: [gatewaySubnet] // serialize subnet updates
75}
76 
77// ── Public IP for VPN Gateway ──
78resource vpnGatewayPip 'Microsoft.Network/publicIPAddresses@2024-05-01' = {
79  name: 'vpn-gateway-pip-${suffix}'
80  location: location
81  sku: {
82    name: 'Standard'
83  }
84  zones: ['1', '2', '3']
85  properties: {
86    publicIPAllocationMethod: 'Static'
87  }
88}
89 
90// ── VPN Gateway ──
91resource vpnGateway 'Microsoft.Network/virtualNetworkGateways@2024-05-01' = {
92  name: 'vpn-gateway-${suffix}'
93  location: location
94  properties: {
95    gatewayType: 'Vpn'
96    vpnType: 'RouteBased'
97    sku: {
98      name: 'VpnGw1AZ'
99      tier: 'VpnGw1AZ'
100    }
101    ipConfigurations: [
102      {
103        name: 'default'
104        properties: {
105          publicIPAddress: {
106            id: vpnGatewayPip.id
107          }
108          subnet: {
109            id: gatewaySubnet.id
110          }
111        }
112      }
113    ]
114    vpnClientConfiguration: {
115      vpnClientAddressPool: {
116        addressPrefixes: [vpnClientAddressPool]
117      }
118      vpnClientProtocols: ['OpenVPN']
119      vpnAuthenticationTypes: ['AAD']
120      aadTenant: aadTenant
121      aadAudience: aadAudience
122      aadIssuer: aadIssuer
123    }
124  }
125}
126 
127// ── DNS Private Resolver ──
128resource dnsResolver 'Microsoft.Network/dnsResolvers@2022-07-01' = {
129  name: 'dns-resolver-${suffix}'
130  location: location
131  properties: {
132    virtualNetwork: {
133      id: vnet.id
134    }
135  }
136}
137 
138resource dnsInboundEndpoint 'Microsoft.Network/dnsResolvers/inboundEndpoints@2022-07-01' = {
139  parent: dnsResolver
140  name: 'inbound'
141  location: location
142  properties: {
143    ipConfigurations: [
144      {
145        privateIpAllocationMethod: 'Dynamic'
146        subnet: {
147          id: dnsResolverSubnet.id
148        }
149      }
150    ]
151  }
152}
153 
154// ── Outputs ──
155output vpnGatewayName string = vpnGateway.name
156output vpnGatewayId string = vpnGateway.id
157output vpnPublicIpAddress string = vpnGatewayPip.properties.ipAddress
158output dnsResolverInboundIp string = dnsInboundEndpoint.properties.ipConfigurations[0].privateIpAddress
159

Preparing the source view

Microsoft Foundry Skill

resource/private-network/references/vpn-dns-setup.bicep