feat (iac): [secure-hybrid-network] add e2e validation and DNAT rules #263
Merged
Base automatically changed from feature/421252_sol-sec-net-hybrid-use-vmss to main on May 27, 2026 17:00
Document how to verify the deployment end-to-end from the mock on-premises VM through the VPN tunnel and firewall DNAT:
- Option 1: Bastion RDP + browser to firewall private IP
- Option 2: CLI using az vm run-command from on-prem VM

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Azure validates DNAT destinationAddresses against the firewall's assigned IP during resource creation, but the IP isn't available yet on fresh deploys. Extract DNAT into a separate deployment step (v2) that runs after the base infrastructure is provisioned.
- Add azure-network-azuredeploy-v2.bicep/json using existing resources
- Remove inline DNAT and firewallPrivateIp variable from base template
- Update README with v2 deployment step and parameter table

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Contributor
Pull request overview
Adds a post-deploy “v2” template and documentation to validate the secure-hybrid-network solution end-to-end, including a separate deployment step to apply Azure Firewall DNAT after the firewall’s private IP is known.
Changes:
- Added a second-stage Bicep/ARM template to apply Azure Firewall DNAT rules after the base infrastructure deployment.
- Updated README with a “Deploy DNAT” step and end-to-end validation instructions (Bastion + browser or CLI run-command).
- Updated CLI query/resource naming in docs to match current Azure CLI output and deployed resource names.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| solutions/secure-hybrid-network/README.md | Documents the post-deploy DNAT step and provides e2e validation instructions via the on-prem VM. |
| solutions/secure-hybrid-network/nestedtemplates/azure-network-azuredeploy-v2.bicep | Introduces the v2 deployment intended to add DNAT rules after the firewall private IP is assigned. |
| solutions/secure-hybrid-network/nestedtemplates/azure-network-azuredeploy-v2.json | Generated ARM template counterpart of the v2 Bicep deployment. |
ckittel requested changes on May 27, 2026
…N tag
- Keep the existing 'all-internet' application rule collection from the base deployment so v2 doesn't overwrite outbound firewall behavior
- Add separate 'spoke-windows-update' collection using the WindowsUpdate FQDN tag instead of listing individual target FQDNs
- Apply to both Bicep and JSON v2 templates

Co-authored-by: GitHub Copilot (Claude Opus 4.6) <noreply@github.com>
ckittel approved these changes on May 27, 2026
ckittel approved these changes on May 27, 2026
Why
The README has deploy and cleanup steps but no way to verify the deployment works end-to-end. The DNAT rule must be deployed separately because the firewall's private IP is dynamically assigned and not known at initial creation time.
What
Test