
Bicep landing zone vending module for Azure + Azure IPAM example

Primary language: Bicep. License: MIT.

Bicep landing zone vending module + Azure IPAM example

This is a simple example of the Cloud Adoption Framework subscription vending guidance. It shows how to automate the deployment of new application landing zones with an integration to the IPAM tool operated by the platform team. The example uses Azure IPAM, but it could be any IPAM tool with an accessible API to reserve and return an unused address space. Read more about subscription vending at https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/design-area/subscription-vending

Subscription vending

Concept overview

lzvendingflow

Links

Prerequisites

  • Azure IPAM, or any other IPAM with an API to request an unused address space
  • A service principal with permission to call the IPAM API and to deploy new landing zones (see the Bicep lz vending module permissions documentation); keep its role assignments scoped to what the vending flow needs, since it can create subscriptions and peer networks to the hub
  • Change the workflow environment variables to fit your environment

Screenshots

Azure IPAM blocks

Azure IPAM organizes address management into Spaces and Blocks. Here a single block, 10.50.0.0/16, has been configured to be segmented further into smaller address spaces for landing zones.

Azure IPAM Block view

Example parameters for new landing zone (subscription) deployment

Fill in details such as the subscription name, management group placement and virtual network name for the new landing zone. Notice that the address space for the virtual network is not set here: it is fetched from Azure IPAM at deployment time so that it does not conflict with other address spaces in our Azure environment.

parameters

GitHub Actions workflow

A single workflow combines the IPAM API call (reserve the next free address space from the block) with the landing zone deployment using the Bicep landing zone vending module.

GitHub workflow

Deployed spoke vnet in the new landing zone

The new landing zone has been provisioned with a virtual network that received the next available address space from the Azure IPAM block 10.50.0.0/16. Notice the tag on the virtual network: Azure IPAM uses it to map the address space reservation to the new virtual network for documentation.

vnet
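As an added example (not code from this repository, nor from the Azure IPAM or lz-vending projects), here is the IPAM step of that workflow written out in Python: request a reservation from the block, verify that the answer is a prefix of the requested size inside the configured block, and overlay it together with the IPAM tag onto the operator's parameter file. The reservation endpoint path and response fields, the X-IPAM-RES-ID tag name, the lz-vending parameter names (virtualNetworkAddressSpace, virtualNetworkTags) and all sample values are assumptions to check against the versions you deploy. The HTTP call is injected so the block runs offline against a constructed stand-in.

```python
# Added example, not code from the lzvendingipam repository: the IPAM step of
# the vending workflow as a small, testable function. ASSUMED (verify against
# your Azure IPAM and lz-vending module versions): the reservation endpoint
# path and response fields, the X-IPAM-RES-ID tag name, and the lz-vending
# parameter names used in build_vending_parameters().
import copy
import ipaddress
from typing import Callable

# ASSUMED: Azure IPAM reservation endpoint and the tag IPAM looks for on the vnet.
RESERVATION_PATH = "/api/spaces/{space}/blocks/{block}/reservations"
IPAM_TAG = "X-IPAM-RES-ID"


class IpamError(Exception):
    """Raised when the IPAM answer must not be deployed."""


def reserve_address_space(post: Callable[[str, dict], dict], space: str,
                          block: str, block_cidr: str, size: int) -> dict:
    """Reserve a /size prefix from `block` and validate the answer.

    `post(path, body)` performs the authenticated HTTP POST and returns the
    decoded JSON body. The checks are the point: the workflow deploys whatever
    CIDR comes back, so anything unexpected must fail closed rather than
    become a spoke vnet peered to the hub.
    """
    block_net = ipaddress.ip_network(block_cidr, strict=True)
    if not block_net.prefixlen <= size <= block_net.max_prefixlen:
        raise IpamError(f"invalid size /{size} for block {block_cidr}")
    resp = post(RESERVATION_PATH.format(space=space, block=block), {"size": size})
    try:
        cidr = ipaddress.ip_network(resp["cidr"], strict=True)
        res_id = str(resp["id"]).strip()
    except (KeyError, TypeError, ValueError) as exc:
        raise IpamError(f"malformed reservation response: {exc!r}") from exc
    if not res_id:
        raise IpamError("reservation id missing")
    if cidr.version != block_net.version or cidr.prefixlen != size:
        raise IpamError(f"IPAM returned {cidr}, expected a /{size} in {block_net}")
    if not cidr.subnet_of(block_net):
        raise IpamError(f"IPAM returned {cidr}, which is outside block {block_net}")
    return {"cidr": str(cidr), "id": res_id}


def build_vending_parameters(base_params: dict, reservation: dict) -> dict:
    """Overlay the reserved address space and the IPAM tag onto the operator's
    parameters (subscription name, management group, vnet name). Parameter
    names follow the Azure lz-vending Bicep module (ASSUMED; check the module
    version you pin). ARM parameter-file shape: {"name": {"value": ...}}."""
    params = copy.deepcopy(base_params)
    params["virtualNetworkAddressSpace"] = {"value": [reservation["cidr"]]}
    tags = params.setdefault("virtualNetworkTags", {"value": {}})["value"]
    tags[IPAM_TAG] = reservation["id"]
    return params


def fake_ipam_post(path: str, body: dict) -> dict:
    """Constructed stand-in for the IPAM API so the example runs offline;
    it always hands out 10.50.3.0/24 from the 10.50.0.0/16 block."""
    return {"id": "res-0001", "cidr": "10.50.3.0/24", "size": body["size"]}


def demo() -> dict:
    """Constructed operator input (as in the parameters screenshot) plus the
    IPAM reservation; returns the parameters handed to the Bicep deployment."""
    base = {
        "subscriptionAliasName": {"value": "sub-app-001"},
        "subscriptionManagementGroupId": {"value": "mg-corp"},
        "virtualNetworkName": {"value": "vnet-app-001"},
    }
    reservation = reserve_address_space(fake_ipam_post, "corp", "spokes",
                                        "10.50.0.0/16", 24)
    return build_vending_parameters(base, reservation)


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

In the real workflow `post` would be a thin wrapper around an HTTP client that sends the service principal's bearer token; keeping the validation in one place means a misconfigured or compromised IPAM cannot hand the vending pipeline a prefix from another block or from the hub range.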

Peering to hub

Peering

Azure IPAM vnet view

Azure IPAM documents all our virtual networks and their mapping to the configured address space blocks.

Azure IPAM Vnet view

Future Updates

  • Input validations
  • Workflow improvements
  • vWAN and hub-spoke flexibility
  • Multiple vnets in one landing zone
  • Multiple landing zones (parameter files) in one deployment

Support

Contributions, issues, and feature requests are welcome! 🤝

Give a ⭐️ if you like this project!

Credits

Thanks to the maintainers of Bicep lz vending module and the Azure IPAM project for inspiration and code examples!