Support for optional subnets in Machine Learning & Healthcare archetypes (Azure#264)

Author: SenthuranSivananthan

config/subscriptions/CanadaESLZ-main/pubsec/LandingZones/DevTest/82f7705e-3386-427b-95b7-cbed91ab29a7_healthcare_canadacentral.json

@@ -144,7 +144,34 @@
                         "comments": "Azure Web App Delegated Subnet",
                         "name": "webapp",
                         "addressPrefix": "10.5.8.0/25"
-                    }
+                    },
+                    "optional": [
+                        {
+                            "comments": "Optional Subnet 1",
+                            "name": "virtualMachines",
+                            "addressPrefix": "10.5.9.0/25",
+                            "nsg": {
+                            "enabled": true
+                            },
+                            "udr": {
+                            "enabled": true
+                            }
+                        },
+                        {
+                            "comments": "Optional Subnet 2 with delegation for NetApp Volumes",
+                            "name": "NetappVolumes",
+                            "addressPrefix": "10.5.10.0/25",
+                            "nsg": {
+                            "enabled": false
+                            },
+                            "udr": {
+                            "enabled": false
+                            },
+                            "delegations": {
+                                "serviceName": "Microsoft.NetApp/volumes"
+                            }
+                        }
+                    ]
                 }
             }
         }

config/subscriptions/CanadaESLZ-main/pubsec/LandingZones/DevTest/8c6e48a4-4c73-4a1f-9f95-9447804f2c98_machinelearning_canadacentral.json

@@ -172,7 +172,34 @@
             "comments": "App Service Subnet",
             "name": "appService",
             "addressPrefix": "10.6.10.0/25"
-          }
+          },
+          "optional": [
+            {
+              "comments": "Optional Subnet 1",
+              "name": "virtualMachines",
+              "addressPrefix": "10.6.11.0/25",
+              "nsg": {
+                "enabled": true
+              },
+              "udr": {
+                "enabled": true
+              }
+            },
+            {
+              "comments": "Optional Subnet 2 with delegation for NetApp Volumes",
+              "name": "NetappVolumes",
+              "addressPrefix": "10.6.12.0/25",
+              "nsg": {
+                "enabled": false
+              },
+              "udr": {
+                "enabled": false
+              },
+              "delegations": {
+                  "serviceName": "Microsoft.NetApp/volumes"
+              }
+            }
+          ]
         }
       }
     }

config/subscriptions/CanadaESLZ-main/pubsec/LandingZones/DevTest/ec6c5689-db04-4f1e-b76d-834a51dd0e27_machinelearning_canadacentral.json

@@ -176,7 +176,8 @@
             "comments": "App Service Subnet",
             "name": "appService",
             "addressPrefix": "10.1.10.0/25"
-          }
+          },
+          "optional": []
         }
       }
     }

config/subscriptions/CanadaESLZ-main/pubsec/LandingZones/DevTest/f08c3057-1713-4a6f-b7e6-0df355b60c30_machinelearning_canadacentral.json

@@ -176,7 +176,8 @@
             "comments": "App Service Subnet",
             "name": "appService",
             "addressPrefix": "10.3.10.0/25"
-          }
+          },
+          "optional": []
         }
       }
     }

config/subscriptions/CanadaESLZ-main/pubsec/LandingZones/DevTest/f459218a-e8bb-49c9-b768-ee6828a144aa_machinelearning_canadacentral.json

@@ -177,7 +177,8 @@
             "comments": "App Service Subnet",
             "name": "appService",
             "addressPrefix": "10.4.10.0/25"
-          }
+          },
+          "optional": []
         }
       }
     }

docs/archetypes/healthcare.md

@@ -265,6 +265,7 @@ As an administrator, you can lock a subscription, resource group, or resource to
 | Deployment with Hub Virtual Network | [tests/schemas/lz-healthcare/FullDeployment-With-Hub.json](../../tests/schemas/lz-healthcare/FullDeployment-With-Hub.json) | - |
 | Deployment with Location | [tests/schemas/lz-healthcare/FullDeployment-With-Location.json](../../tests/schemas/lz-healthcare/FullDeployment-With-Location.json) | `parameters.location.value` is `canadacentral` |
 | Deployment without Hub Virtual Network | [tests/schemas/lz-healthcare/FullDeployment-Without-Hub.json](../../tests/schemas/lz-healthcare/FullDeployment-Without-Hub.json) | `parameters.hubNetwork.value.*` fields are empty & `parameters.network.value.peerToHubVirtualNetwork` is false. |
+| Deployment with optional subnets | [tests/schemas/lz-healthcare/FullDeployment-With-OptionalSubnets.json](../../tests/schemas/lz-healthcare/FullDeployment-With-OptionalSubnets.json) | `parameters.network.subnets.optional` array is set with optional subnets. |
 | Deployment with subscription budget | [tests/schemas/lz-healthcare/BudgetIsTrue.json](../../tests/schemas/lz-healthcare/BudgetIsTrue.json) | `parameters.subscriptionBudget.value.createBudget` is set to `true` and budget information filled in. |
 | Deployment without subscription budget | [tests/schemas/lz-healthcare/BudgetIsFalse.json](../../tests/schemas/lz-healthcare/BudgetIsFalse.json) | `parameters.subscriptionBudget.value.createBudget` is set to `false` and budget information removed. |
 | Deployment without resource tags | [tests/schemas/lz-healthcare/EmptyResourceTags.json](../../tests/schemas/lz-healthcare/EmptyResourceTags.json) | `parameters.resourceTags.value` is an empty object. |
@@ -290,7 +291,7 @@ This example configures:
 6. Resource Tags (aligned to the default tags defined in [Policies](../../policy/custom/definitions/policyset/Tags.parameters.json))
 7. Log Analytics Workspace integration through Azure Defender for Cloud
 8. Automation Account
-9. Spoke Virtual Network with Hub-managed DNS, Hub-managed private endpoint DNS Zones, Virtual Network Peering and all required subnets (zones).
+9. Spoke Virtual Network with Hub-managed DNS, Hub-managed private endpoint DNS Zones, Virtual Network Peering and all required subnets and 2 optional subnets.
 10. Deploys Azure resources with Customer Managed Keys.
 
 > **Note 1:**  Azure Automation Account is not deployed with Customer Managed Key as it requires an Azure Key Vault instance with public network access.
@@ -454,7 +455,34 @@ This example configures:
                         "comments": "Azure Web App Delegated Subnet",
                         "name": "webapp",
                         "addressPrefix": "10.5.8.0/25"
-                    }
+                    },
+                    "optional": [
+                        {
+                            "comments": "Optional Subnet 1",
+                            "name": "virtualMachines",
+                            "addressPrefix": "10.5.9.0/25",
+                            "nsg": {
+                            "enabled": true
+                            },
+                            "udr": {
+                            "enabled": true
+                            }
+                        },
+                        {
+                            "comments": "Optional Subnet 2 with delegation for NetApp Volumes",
+                            "name": "NetappVolumes",
+                            "addressPrefix": "10.5.10.0/25",
+                            "nsg": {
+                            "enabled": false
+                            },
+                            "udr": {
+                            "enabled": false
+                            },
+                            "delegations": {
+                                "serviceName": "Microsoft.NetApp/volumes"
+                            }
+                        }
+                    ]
                 }
             }
         }

docs/archetypes/machinelearning.md

@@ -266,6 +266,7 @@ As an administrator, you can lock a subscription, resource group, or resource to
 | Deployment with Hub Virtual Network | [tests/schemas/lz-machinelearning/FullDeployment-With-Hub.json](../../tests/schemas/lz-machinelearning/FullDeployment-With-Hub.json) | - |
 | Deployment with Location | [tests/schemas/lz-machinelearning/FullDeployment-With-Location.json](../../tests/schemas/lz-machinelearning/FullDeployment-With-Location.json) | `parameters.location.value` is `canadacentral` |
 | Deployment without Hub Virtual Network | [tests/schemas/lz-machinelearning/FullDeployment-Without-Hub.json](../../tests/schemas/lz-machinelearning/FullDeployment-Without-Hub.json) | `parameters.hubNetwork.value.*` fields are empty & `parameters.network.value.peerToHubVirtualNetwork` is false. |
+| Deployment with optional subnets | [tests/schemas/lz-machinelearning/FullDeployment-With-OptionalSubnets.json](../../tests/schemas/lz-machinelearning/FullDeployment-With-OptionalSubnets.json) | `parameters.network.subnets.optional` array is set with optional subnets. |
 | Deployment with subscription budget | [tests/schemas/lz-machinelearning/BudgetIsTrue.json](../../tests/schemas/lz-machinelearning/BudgetIsTrue.json) | `parameters.subscriptionBudget.value.createBudget` is set to `true` and budget information filled in. |
 | Deployment without subscription budget | [tests/schemas/lz-machinelearning/BudgetIsFalse.json](../../tests/schemas/lz-machinelearning/BudgetIsFalse.json) | `parameters.subscriptionBudget.value.createBudget` is set to `false` and budget information removed. |
 | Deployment without resource tags | [tests/schemas/lz-machinelearning/EmptyResourceTags.json](../../tests/schemas/lz-machinelearning/EmptyResourceTags.json) | `parameters.resourceTags.value` is an empty object. |
@@ -295,7 +296,7 @@ This example configures:
 6. Resource Tags (aligned to the default tags defined in [Policies](../../policy/custom/definitions/policyset/Tags.parameters.json))
 7. Log Analytics Workspace integration through Azure Defender for Cloud
 8. Automation Account
-9. Spoke Virtual Network with Hub-managed DNS, Hub-managed private endpoint DNS Zones, Virtual Network Peering and all required subnets (zones).
+9. Spoke Virtual Network with Hub-managed DNS, Hub-managed private endpoint DNS Zones, Virtual Network Peering and all required subnets and 2 optional subnets.
 10. Deploys Azure resources with Customer Managed Keys.
 
 > **Note 1:**  Azure Automation Account is not deployed with Customer Managed Key as it requires an Azure Key Vault instance with public network access.
@@ -488,12 +489,39 @@ This example configures:
             "comments": "AKS Subnet",
             "name": "aks",
             "addressPrefix": "10.4.9.0/25"
-          }
+          },
           "appService": {
             "comments": "App Service Subnet",
             "name": "appService",
             "addressPrefix": "10.4.10.0/25"
-          }
+          },
+          "optional": [
+            {
+              "comments": "Optional Subnet 1",
+              "name": "virtualMachines",
+              "addressPrefix": "10.4.11.0/25",
+              "nsg": {
+                "enabled": true
+              },
+              "udr": {
+                "enabled": true
+              }
+            },
+            {
+              "comments": "Optional Subnet 2 with delegation for NetApp Volumes",
+              "name": "NetappVolumes",
+              "addressPrefix": "10.4.12.0/25",
+              "nsg": {
+                "enabled": false
+              },
+              "udr": {
+                "enabled": false
+              },
+              "delegations": {
+                  "serviceName": "Microsoft.NetApp/volumes"
+              }
+            }
+          ]
         }
       }
     }

landingzones/lz-healthcare/main.bicep

@@ -76,7 +76,7 @@ param synapse object
 @description('Hub Network configuration that includes virtualNetworkId, rfc1918IPRange, rfc6598IPRange, egressVirtualApplianceIp, privateDnsManagedByHub flag, privateDnsManagedByHubSubscriptionId and privateDnsManagedByHubResourceGroupName.')
 param hubNetwork object
 
-@description('Network configuration.  Includes peerToHubVirtualNetwork flag, useRemoteGateway flag, name, dnsServers, addressPrefixes and subnets (privateEndpoints, databricksPublic, databricksPrivate, web) ')
+@description('Network configuration.  Includes peerToHubVirtualNetwork flag, useRemoteGateway flag, name, dnsServers, addressPrefixes and subnets (privateEndpoints, databricksPublic, databricksPrivate, web, optional [array of optional subnets]) ')
 param network object
 
 // Telemetry - Azure customer usage attribution