Merge branch 'feature/avm-waf-aligned' of https://github.com/microsoft/Modernize-your-code-solution-accelerator into feature/avm-waf-aligned

Seth · Seth · commit cb250d1de5de · 2025-06-11T13:13:09.000-04:00
diff --git a/infra/Deployment_Plan.md b/infra/Deployment_Plan.md
@@ -1,4 +1,4 @@
-# Deployment Plan
+# Deployment Plan 
 
 The deployment code will be in the **infra** folder. The **modules** subfolder contains reusable, parameterized modules. 
 
@@ -9,11 +9,9 @@ Creates a Virtual Network with subnets, private endpoints for all solution resou
 
 If you are new to AVM BICEP implementation, refer to [AVM Bicep Quickstart Guide](https://azure.github.io/Azure-Verified-Modules/usage/quickstart/bicep/).
 
+## Network & Subnets for Components  
 
-
-Below is an example deployment design. The Group (module) Name column shows how to group code in BICEP modules.
-
-**Solution Components and placements the Vnet/Subnets**
+**Solution Components and placements in the Vnet/Subnets**
 
 | #                           | Component Name                            | Notes                                   | Subnet            |
 | ----------------------------------------- | ------------------------------------------------------------ | ----------------- | ----------------- |
@@ -56,36 +54,32 @@ Below is an example deployment design. The Group (module) Name column shows how
 
 #### Network Design 
 
-addressPrefixes = [
-
- '10.0.0.0/21' // /21: **2048 addresses, good for up to 8-16 subnets**. Other options: /23:512, /22:1024, /21:2048, /20:4096, /16: 65,536 (max for a VNet)
+**addressPrefixes** = ['10.0.0.0/20' ] // 4096 addresses (enough for 8 /23 subnets or 16 /24)
 
-]
+512 x 7 = 3584 allocated 
 
-256 x 7 = 1792 allocated 
-
-| Subnet      | Address Prefix | IP Range              | Total IPs | Usable IPs* |
-| ----------- | -------------- | --------------------- | --------- | ----------- |
-| web         | 10.0.0.0/24    | 10.0.0.0 – 10.0.0.255 | 256       | 251         |
-| app         | 10.0.1.0/24    | 10.0.1.0 – 10.0.1.255 | 256       | 251         |
-| ai          | 10.0.2.0/24    | 10.0.2.0 – 10.0.2.255 | 256       | 251         |
-| data        | 10.0.3.0/24    | 10.0.3.0 – 10.0.3.255 | 256       | 251         |
-| services    | 10.0.4.0/24    | 10.0.4.0 – 10.0.4.255 | 256       | 251         |
-| jumpbox     | 10.0.5.0/24    | 10.0.5.0 – 10.0.5.255 | 256       | 251         |
-| bastionHost | 10.0.6.0/27    | 10.0.6.0 – 10.0.6.255 | 256       | 251         |
+| Subnet      | Address Prefix | IP Range                  | Total IPs | Usable IPs* |
+| ----------- | -------------- | ------------------------- | --------- | ----------- |
+| web         | 10.0.0.0/23    | (10.0.0.0 - 10.0.1.255)   | 512       | 507         |
+| app         | 10.0.2.0/23    | (10.0.2.0 - 10.0.3.255)   | 512       | 507         |
+| ai          | 10.0.4.0/23    | (10.0.4.0 - 10.0.5.255)   | 512       | 507         |
+| data        | 10.0.6.0/23    | (10.0.6.0 - 10.0.7.255)   | 512       | 507         |
+| services    | 10.0.8.0/23    | (10.0.8.0 - 10.0.9.255)   | 512       | 507         |
+| bastionHost | 10.0.10.0/23   | (10.0.10.0 - 10.0.11.255) | 512       | 507         |
+| jumpbox     | 10.0.12.0/23   | (10.0.12.0 - 10.0.13.255) | 512       | 507         |
 
 *Usable IPs = Total IPs minus 5 reserved by Azure per subnet.
 
 ### **Example Subnet/NSG Table**
 
-| Subnet   | NSG Rules (Inbound)                                 | NSG Rules (Outbound)        |
-|----------|-----------------------------------------------------|-----------------------------|
-| web      | 80/443 from internet or allowed IPs                 | To app, internet            |
-| app      | From web subnet only                                | To data, PaaS               |
-| ai       | From app subnet only                                | To data, PaaS               |
-| data     | From app/ai/private endpoints                       | To PaaS, as needed          |
-| jumpbox  | RDP/SSH from allowed IPs or Bastion                 | To internet, as needed      |
-| bastion  | Platform-managed (Bastion Host only, no direct NSG) | To VMs for RDP/SSH          |
+| Subnet  | NSG Rules (Inbound)                                 | NSG Rules (Outbound)   |
+| ------- | --------------------------------------------------- | ---------------------- |
+| web     | 80/443 from internet or allowed IPs                 | To app, internet       |
+| app     | From web subnet only                                | To data, PaaS          |
+| ai      | From web and app subnets only                       | To data, PaaS          |
+| data    | From web/app/ai/private endpoints                   | To PaaS, as needed     |
+| bastion | Platform-managed (Bastion Host only, no direct NSG) | To VMs for RDP/SSH     |
+| jumpbox | RDP/SSH from allowed IPs or Bastion                 | To internet, as needed |
 
 ## **Monitoring & Logging**
 - Enable diagnostic logs for all resources, send to Log Analytics Workspace.
@@ -94,9 +88,6 @@ addressPrefixes = [
 ## **DDoS Protection**
 - Enable at the VNet level for public-facing workloads.
 
-## **Route Tables (UDRs)**
-- Optional, but recommended for advanced routing (e.g., force tunneling through Azure Firewall if used).
-
 ## Azure Bastion Host
 
 **Function:**
diff --git a/infra/modules/network.bicep b/infra/modules/network.bicep
@@ -4,21 +4,35 @@ param location string
 param tags object = {}
 
 
-// The address prefixes for the subnets - use below CIDR as a reference 
-// /24 subnet = 256 addresses
-// /23 = 512 addresses (enough for 2 /24 subnets)
-// /22 = 1024 addresses (enough for 4 /24 subnets)
-// /21 = 2048 addresses (enough for 8 /24 subnets)
-// /20 = 4096 addresses (enough for 16 /24 subnets)  // This was used for the default VNet address prefix
-// /19 = 8192 addresses (enough for 32 /24 subnets)
-// /18 = 16,384 addresses (enough for 64 /24 subnets)
-// /17 = 32,768 addresses (enough for 128 /24 subnets)
-// /16 = 65,536 addresses (enough for 256 /24 subnets)
-// /15 = 131,072 addresses (enough for 512 /24 subnets)
-// /14 = 262,144 addresses (enough for 1024 /24 subnets)
-// /13 = 524,288 addresses (enough for 2048 /24 subnets)
-// /12 = 1,048,576 addresses (enough for 4096 /24 subnets)
-
+// Subnet Classless Inter-Doman Routing (CIDR)  Sizing Reference Table (Best Practices)
+// | CIDR      | # of Addresses | # of /24s | Notes                                 |
+// |-----------|---------------|-----------|----------------------------------------|
+// | /24       | 256           | 1         | Smallest recommended for Azure subnets |
+// | /23       | 512           | 2         | Good for 1-2 workloads per subnet      |
+// | /22       | 1024          | 4         | Good for 2-4 workloads per subnet      |
+// | /21       | 2048          | 8         |                                        |
+// | /20       | 4096          | 16        | Used for default VNet in this solution |
+// | /19       | 8192          | 32        |                                        |
+// | /18       | 16384         | 64        |                                        |
+// | /17       | 32768         | 128       |                                        |
+// | /16       | 65536         | 256       |                                        |
+// | /15       | 131072        | 512       |                                        |
+// | /14       | 262144        | 1024      |                                        |
+// | /13       | 524288        | 2048      |                                        |
+// | /12       | 1048576       | 4096      |                                        |
+// | /11       | 2097152       | 8192      |                                        |
+// | /10       | 4194304       | 16384     |                                        |
+// | /9        | 8388608       | 32768     |                                        |
+// | /8        | 16777216      | 65536     |                                        |
+//
+// Best Practice Notes:
+// - Use /24 as the minimum subnet size for Azure (smaller subnets are not supported for most services).
+// - Plan for future growth: allocate larger address spaces (e.g., /20 or /21 for VNets) to allow for new subnets.
+// - Avoid overlapping address spaces with on-premises or other VNets.
+// - Use contiguous, non-overlapping ranges for subnets.
+// - Document subnet usage and purpose in code comments.
+// - For AVM modules, ensure only one delegation per subnet and leave delegations empty if not required.
+//
 
 module network 'network/main.bicep' =  {
   name: take('network-${resourcesName}-create', 64)
