feat: add support for deploying Azure Bastion and Jumpbox resources in private networking

Author: Yatish-Microsoft

docs/CustomizingAzdParameters.md

@@ -25,9 +25,10 @@ By default this template will use the environment name as the prefix to prevent
 | `enableScalability`                    | boolean | `false`                    | Enable auto-scaling and higher SKUs (WAF-aligned).                            |
 | `enableRedundancy`                     | boolean | `false`                    | Enable zone redundancy and geo-replication (WAF-aligned).                     |
 | `enablePrivateNetworking`              | boolean | `false`                    | Enable VNet integration and private endpoints (WAF-aligned).                  |
+| `deployBastionAndJumpbox`              | boolean | `false`                    | Deploy Azure Bastion and jumpbox admin-path resources when private networking is enabled. |
 | `AZURE_ENV_VM_SIZE`                    | string  | `""`                       | Overrides the jumpbox VM size (private networking only). Must support accelerated networking and Premium SSD. |
 | `AZURE_ENV_VM_ADMIN_USERNAME`          | string  | `""`                       | Sets the jumpbox VM admin username (private networking only).                 |
-| `AZURE_ENV_VM_ADMIN_PASSWORD`          | string  | `""`                       | Sets the jumpbox VM admin password. Required to deploy the jumpbox when private networking is enabled. |
+| `AZURE_ENV_VM_ADMIN_PASSWORD`          | string  | `""`                       | Sets the jumpbox VM admin password. Required when `deployBastionAndJumpbox=true`. |
 | `ACR_NAME`                             | string  | `contentgencontainerreg`   | Sets the existing Azure Container Registry name (without `.azurecr.io`).      |
 | `IMAGE_TAG`                            | string  | `latest`                   | Sets the container image tag (e.g., `latest`, `dev`, `hotfix`).               |
 

infra/main.bicep

@@ -107,6 +107,9 @@ param existingLogAnalyticsWorkspaceId string = ''
 @description('Optional. Resource ID of an existing Foundry project.')
 param azureExistingAIProjectResourceId string = ''
 
+@description('Optional. Deploy Azure Bastion and Jumpbox resources for private network administration.')
+param deployBastionAndJumpbox bool = false
+
 @description('Optional. Jumpbox VM size. Must support accelerated networking and Premium SSD.')
 param vmSize string = ''
 
@@ -380,6 +383,7 @@ module virtualNetwork 'modules/virtualNetwork.bicep' = if (enablePrivateNetworki
     name: 'vnet-${solutionSuffix}'
     addressPrefixes: ['10.0.0.0/20'] // 4096 addresses (enough for 8 /23 subnets or 16 /24)
     location: location
+    deployBastionAndJumpbox: enablePrivateNetworking && deployBastionAndJumpbox && !empty(vmAdminPassword)
     tags: tags
     logAnalyticsWorkspaceId: logAnalyticsWorkspaceResourceId
     resourceSuffix: solutionSuffix
@@ -401,8 +405,8 @@ var zoneSupportedJumpboxLocations = [
   'uksouth'
   'westus3'
 ]
-var deployJumpbox = enablePrivateNetworking && !empty(vmAdminPassword)
-module bastionHost 'br/public:avm/res/network/bastion-host:0.8.2' = if (enablePrivateNetworking) {
+var deployAdminAccessResources = enablePrivateNetworking && deployBastionAndJumpbox && !empty(vmAdminPassword)
+module bastionHost 'br/public:avm/res/network/bastion-host:0.8.2' = if (deployAdminAccessResources) {
   name: take('avm.res.network.bastion-host.${bastionHostName}', 64)
   params: {
     name: bastionHostName
@@ -431,7 +435,7 @@ module bastionHost 'br/public:avm/res/network/bastion-host:0.8.2' = if (enablePr
 
 // Jumpbox Virtual Machine
 var jumpboxVmName = take('vm-jumpbox-${solutionSuffix}', 15)
-module jumpboxVM 'br/public:avm/res/compute/virtual-machine:0.21.0' = if (deployJumpbox) {
+module jumpboxVM 'br/public:avm/res/compute/virtual-machine:0.21.0' = if (deployAdminAccessResources) {
   name: take('avm.res.compute.virtual-machine.${jumpboxVmName}', 64)
   params: {
     name: take(jumpboxVmName, 15)

infra/main.json

@@ -6,7 +6,7 @@
     "_generator": {
       "name": "bicep",
       "version": "0.41.2.15936",
-      "templateHash": "17721141165286158425"
+      "templateHash": "11738775177613917473"
     },
     "name": "Intelligent Content Generation Accelerator",
     "description": "Solution Accelerator for multimodal marketing content generation using Microsoft Agent Framework.\n"
@@ -169,6 +169,13 @@
         "description": "Optional. Resource ID of an existing Foundry project."
       }
     },
+    "deployBastionAndJumpbox": {
+      "type": "bool",
+      "defaultValue": false,
+      "metadata": {
+        "description": "Optional. Deploy Azure Bastion and Jumpbox resources for private network administration."
+      }
+    },
     "vmSize": {
       "type": "string",
       "defaultValue": "",
@@ -351,7 +358,7 @@
       "uksouth",
       "westus3"
     ],
-    "deployJumpbox": "[and(parameters('enablePrivateNetworking'), not(empty(parameters('vmAdminPassword'))))]",
+    "deployAdminAccessResources": "[and(and(parameters('enablePrivateNetworking'), parameters('deployBastionAndJumpbox')), not(empty(parameters('vmAdminPassword'))))]",
     "jumpboxVmName": "[take(format('vm-jumpbox-{0}', variables('solutionSuffix')), 15)]",
     "privateDnsZones": [
       "privatelink.cognitiveservices.azure.com",
@@ -4851,6 +4858,9 @@
           "location": {
             "value": "[parameters('location')]"
           },
+          "deployBastionAndJumpbox": {
+            "value": "[and(and(parameters('enablePrivateNetworking'), parameters('deployBastionAndJumpbox')), not(empty(parameters('vmAdminPassword'))))]"
+          },
           "tags": {
             "value": "[parameters('tags')]"
           },
@@ -4869,7 +4879,7 @@
             "_generator": {
               "name": "bicep",
               "version": "0.41.2.15936",
-              "templateHash": "1152564857842534701"
+              "templateHash": "11359193981707837191"
             }
           },
           "parameters": {
@@ -4895,6 +4905,13 @@
                 "description": "Required. An Array of 1 or more IP Address Prefixes for the Virtual Network."
               }
             },
+            "deployBastionAndJumpbox": {
+              "type": "bool",
+              "defaultValue": false,
+              "metadata": {
+                "description": "Optional. Deploy Azure Bastion and Jumpbox subnets for VM-based administration."
+              }
+            },
             "tags": {
               "type": "object",
               "defaultValue": {},
@@ -5026,102 +5043,7 @@
                 }
               }
             ],
-            "bastionSubnets": [
-              {
-                "name": "AzureBastionSubnet",
-                "addressPrefixes": [
-                  "10.0.10.0/26"
-                ],
-                "networkSecurityGroup": {
-                  "name": "nsg-bastion",
-                  "securityRules": [
-                    {
-                      "name": "AllowGatewayManager",
-                      "properties": {
-                        "access": "Allow",
-                        "direction": "Inbound",
-                        "priority": 2702,
-                        "protocol": "*",
-                        "sourcePortRange": "*",
-                        "destinationPortRange": "443",
-                        "sourceAddressPrefix": "GatewayManager",
-                        "destinationAddressPrefix": "*"
-                      }
-                    },
-                    {
-                      "name": "AllowHttpsInBound",
-                      "properties": {
-                        "access": "Allow",
-                        "direction": "Inbound",
-                        "priority": 2703,
-                        "protocol": "*",
-                        "sourcePortRange": "*",
-                        "destinationPortRange": "443",
-                        "sourceAddressPrefix": "Internet",
-                        "destinationAddressPrefix": "*"
-                      }
-                    },
-                    {
-                      "name": "AllowSshRdpOutbound",
-                      "properties": {
-                        "access": "Allow",
-                        "direction": "Outbound",
-                        "priority": 100,
-                        "protocol": "*",
-                        "sourcePortRange": "*",
-                        "destinationPortRanges": [
-                          "22",
-                          "3389"
-                        ],
-                        "sourceAddressPrefix": "*",
-                        "destinationAddressPrefix": "VirtualNetwork"
-                      }
-                    },
-                    {
-                      "name": "AllowAzureCloudOutbound",
-                      "properties": {
-                        "access": "Allow",
-                        "direction": "Outbound",
-                        "priority": 110,
-                        "protocol": "Tcp",
-                        "sourcePortRange": "*",
-                        "destinationPortRange": "443",
-                        "sourceAddressPrefix": "*",
-                        "destinationAddressPrefix": "AzureCloud"
-                      }
-                    }
-                  ]
-                }
-              },
-              {
-                "name": "jumpbox",
-                "addressPrefixes": [
-                  "10.0.12.0/23"
-                ],
-                "networkSecurityGroup": {
-                  "name": "nsg-jumpbox",
-                  "securityRules": [
-                    {
-                      "name": "AllowRdpFromBastion",
-                      "properties": {
-                        "access": "Allow",
-                        "direction": "Inbound",
-                        "priority": 100,
-                        "protocol": "Tcp",
-                        "sourcePortRange": "*",
-                        "destinationPortRange": "3389",
-                        "sourceAddressPrefixes": [
-                          "10.0.10.0/26"
-                        ],
-                        "destinationAddressPrefixes": [
-                          "10.0.12.0/23"
-                        ]
-                      }
-                    }
-                  ]
-                }
-              }
-            ],
+            "bastionSubnets": "[if(parameters('deployBastionAndJumpbox'), createArray(createObject('name', 'AzureBastionSubnet', 'addressPrefixes', createArray('10.0.10.0/26'), 'networkSecurityGroup', createObject('name', 'nsg-bastion', 'securityRules', createArray(createObject('name', 'AllowGatewayManager', 'properties', createObject('access', 'Allow', 'direction', 'Inbound', 'priority', 2702, 'protocol', '*', 'sourcePortRange', '*', 'destinationPortRange', '443', 'sourceAddressPrefix', 'GatewayManager', 'destinationAddressPrefix', '*')), createObject('name', 'AllowHttpsInBound', 'properties', createObject('access', 'Allow', 'direction', 'Inbound', 'priority', 2703, 'protocol', '*', 'sourcePortRange', '*', 'destinationPortRange', '443', 'sourceAddressPrefix', 'Internet', 'destinationAddressPrefix', '*')), createObject('name', 'AllowSshRdpOutbound', 'properties', createObject('access', 'Allow', 'direction', 'Outbound', 'priority', 100, 'protocol', '*', 'sourcePortRange', '*', 'destinationPortRanges', createArray('22', '3389'), 'sourceAddressPrefix', '*', 'destinationAddressPrefix', 'VirtualNetwork')), createObject('name', 'AllowAzureCloudOutbound', 'properties', createObject('access', 'Allow', 'direction', 'Outbound', 'priority', 110, 'protocol', 'Tcp', 'sourcePortRange', '*', 'destinationPortRange', '443', 'sourceAddressPrefix', '*', 'destinationAddressPrefix', 'AzureCloud'))))), createObject('name', 'jumpbox', 'addressPrefixes', createArray('10.0.12.0/23'), 'networkSecurityGroup', createObject('name', 'nsg-jumpbox', 'securityRules', createArray(createObject('name', 'AllowRdpFromBastion', 'properties', createObject('access', 'Allow', 'direction', 'Inbound', 'priority', 100, 'protocol', 'Tcp', 'sourcePortRange', '*', 'destinationPortRange', '3389', 'sourceAddressPrefixes', createArray('10.0.10.0/26'), 'destinationAddressPrefixes', createArray('10.0.12.0/23'))))))), createArray())]",
             "vnetSubnets": "[concat(variables('coreSubnets'), variables('bastionSubnets'))]"
           },
           "resources": [
@@ -7504,7 +7426,7 @@
       ]
     },
     "bastionHost": {
-      "condition": "[parameters('enablePrivateNetworking')]",
+      "condition": "[variables('deployAdminAccessResources')]",
       "type": "Microsoft.Resources/deployments",
       "apiVersion": "2025-04-01",
       "name": "[take(format('avm.res.network.bastion-host.{0}', variables('bastionHostName')), 64)]",
@@ -9245,7 +9167,7 @@
       ]
     },
     "jumpboxVM": {
-      "condition": "[variables('deployJumpbox')]",
+      "condition": "[variables('deployAdminAccessResources')]",
       "type": "Microsoft.Resources/deployments",
       "apiVersion": "2025-04-01",
       "name": "[take(format('avm.res.compute.virtual-machine.{0}', variables('jumpboxVmName')), 64)]",
@@ -24951,8 +24873,8 @@
       },
       "dependsOn": [
         "aiFoundryAiServices",
-        "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').openAI)]",
         "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').cognitiveServices)]",
+        "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').openAI)]",
         "virtualNetwork"
       ]
     },

infra/main.waf.parameters.json

@@ -56,6 +56,9 @@
     "enableScalability": {
       "value": true
     },
+    "deployBastionAndJumpbox": {
+      "value": true
+    },
     "vmAdminUsername": {
       "value": "${AZURE_ENV_VM_ADMIN_USERNAME}"
     },

infra/modules/virtualNetwork.bicep

@@ -2,14 +2,17 @@
 // Networking - NSGs, VNET and Subnets for Content Generation Solution
 /****************************************************************************************************************************/
 @description('Name of the virtual network.')
-param name string 
+param name string
 
 @description('Azure region to deploy resources.')
 param location string = resourceGroup().location
 
 @description('Required. An Array of 1 or more IP Address Prefixes for the Virtual Network.')
 param addressPrefixes array = ['10.0.0.0/20']
 
+@description('Optional. Deploy Azure Bastion and Jumpbox subnets for VM-based administration.')
+param deployBastionAndJumpbox bool = false
+
 @description('An array of subnets to be created within the virtual network.')
 // Core subnets: web (App Service), peps (Private Endpoints), aci (Container Instance)
 // Optional: AzureBastionSubnet and jumpbox (only when deployBastionAndJumpbox is true)
@@ -98,7 +101,7 @@ var coreSubnets = [
   }
 ]
 
-// Bastion and Jumpbox subnets (always deployed with private networking)
+// Bastion and Jumpbox subnets (only deployed when deployBastionAndJumpbox is true)
 // VM Size Notes:
 // 1 B-series VMs (like Standard_B2ms) do not support accelerated networking.
 // 2 Pick a VM size that supports accelerated networking + Premium SSD (the usual jump-box candidates):
@@ -107,7 +110,7 @@ var coreSubnets = [
 //   Standard_D2s_v4  (2 vCPU, 8 GiB RAM, Premium SSD)           // Previous gen, also broadly available.
 //   Standard_DS2_v2  (2 vCPU, 7 GiB RAM, Premium SSD)           // Legacy SKU, being retired from some regions - avoid for new deployments.
 // 3 A-series (Av2) is NOT suitable: no Premium SSD support, no accelerated networking.
-var bastionSubnets = [
+var bastionSubnets = deployBastionAndJumpbox ? [
   {
     name: 'AzureBastionSubnet'
     addressPrefixes: ['10.0.10.0/26']
@@ -191,7 +194,7 @@ var bastionSubnets = [
       ]
     }
   }
-]
+] : []
 
 var vnetSubnets = concat(coreSubnets, bastionSubnets)
 
@@ -270,6 +273,6 @@ output webSubnetResourceId string = contains(map(vnetSubnets, subnet => subnet.n
 output pepsSubnetResourceId string = contains(map(vnetSubnets, subnet => subnet.name), 'peps') ? virtualNetwork.outputs.subnetResourceIds[indexOf(map(vnetSubnets, subnet => subnet.name), 'peps')] : ''
 output aciSubnetResourceId string = contains(map(vnetSubnets, subnet => subnet.name), 'aci') ? virtualNetwork.outputs.subnetResourceIds[indexOf(map(vnetSubnets, subnet => subnet.name), 'aci')] : ''
 
-// Bastion/jumpbox subnet outputs (always present with private networking)
+// Bastion/jumpbox subnet outputs (present only when deployBastionAndJumpbox is true)
 output bastionSubnetResourceId string = contains(map(vnetSubnets, subnet => subnet.name), 'AzureBastionSubnet') ? virtualNetwork.outputs.subnetResourceIds[indexOf(map(vnetSubnets, subnet => subnet.name), 'AzureBastionSubnet')] : ''
 output jumpboxSubnetResourceId string = contains(map(vnetSubnets, subnet => subnet.name), 'jumpbox') ? virtualNetwork.outputs.subnetResourceIds[indexOf(map(vnetSubnets, subnet => subnet.name), 'jumpbox')] : ''