feat: Add VM size recommendations for Bastion and Jumpbox subnets #777

Merged
Avijit-Microsoft merged 12 commits into dev from dev-yat
Apr 8, 2026

@Yatish-Microsoft
Contributor

…virtualNetwork.bicep

Purpose

  • Upgraded VM Size...

Does this introduce a breaking change?

  • Yes
  • No

Golden Path Validation

  • I have tested the primary workflows (the "golden path") to ensure they function correctly without errors.

Deployment Validation

  • I have validated the deployment process successfully and all services are running as expected with this change.

What to Check

Verify that the following are valid

  • ...

Other Information

Contributor

Copilot AI left a comment

Pull request overview

This PR updates the infrastructure templates to support (and document) VM administration in private-networking deployments by adding Bastion/Jumpbox-related networking and configuration parameters.

Changes:

  • Renames VNet module parameters (vnetName/vnetLocation/vnetAddressPrefixes → name/location/addressPrefixes) and makes Bastion/Jumpbox subnets always included when the VNet module is deployed.
  • Adds Azure Bastion Host + a Windows Jumpbox VM deployment (when enablePrivateNetworking is enabled), including new parameters for VM size and admin credentials.
  • Updates WAF parameters and documentation to expose jumpbox configuration via azd environment variables/parameters.

Reviewed changes

Copilot reviewed 4 out of 5 changed files in this pull request and generated 5 comments.

| File | Description |
| --- | --- |
| infra/modules/virtualNetwork.bicep | Renames params and makes Bastion/Jumpbox subnets unconditional within the module. |
| infra/main.bicep | Adds Bastion Host + Jumpbox VM modules and new input params for VM sizing/credentials. |
| infra/main.waf.parameters.json | Adds parameter wiring for jumpbox admin username/password and VM size. |
| docs/CustomizingAzdParameters.md | Documents new/expanded parameters for private networking + jumpbox configuration. |

Comment thread infra/modules/virtualNetwork.bicep Outdated
Comment thread infra/modules/virtualNetwork.bicep Outdated
Comment thread infra/main.bicep
Comment thread infra/main.bicep Outdated
Comment thread infra/main.bicep
Contributor

Copilot AI left a comment

Pull request overview

Copilot reviewed 4 out of 5 changed files in this pull request and generated 3 comments.


Comment thread infra/modules/virtualNetwork.bicep Outdated
Comment thread infra/main.bicep
Comment thread infra/main.bicep
Contributor

Copilot AI left a comment

Pull request overview

Copilot reviewed 5 out of 6 changed files in this pull request and generated 4 comments.


Comment thread infra/main.bicep Outdated
Comment thread infra/modules/virtualNetwork.bicep Outdated
Comment thread docs/CustomizingAzdParameters.md Outdated
Comment thread infra/main.bicep
@Yatish-Microsoft
Contributor Author

@copilot open a new pull request to apply changes based on the comments in this thread

Copilot AI requested a review from Rafi-Microsoft March 27, 2026 07:38
Contributor

Copilot AI left a comment

Pull request overview

Copilot reviewed 4 out of 5 changed files in this pull request and generated 3 comments.


Comment thread infra/modules/virtualNetwork.bicep Outdated
/****************************************************************************************************************************/
@description('Name of the virtual network.')
param vnetName string
param name string
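
Review bot: The rename from `vnetName` to `name` on the `param` line changes this module's required input, so any caller still passing `vnetName` stops compiling. The `@description` already reads 'Name of the virtual network.', so the shorter identifier gains nothing; either keep `vnetName` or update every call site in the same commit and record the interface change under the PR's breaking-change section.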

Copilot AI Apr 2, 2026

param name introduces a symbol collision with the existing output name declared later in this module. Bicep does not allow a parameter and an output to share the same identifier, so this will fail compilation. Rename either the parameter (e.g., vnetName) or the output (e.g., virtualNetworkName) and update the call sites accordingly.

Suggested change
param name string
param vnetName string

Comment on lines 214 to 221
@batchSize(1)
module nsgs 'br/public:avm/res/network/network-security-group:0.5.2' = [
for (subnet, i) in vnetSubnets: if (!empty(subnet.?networkSecurityGroup)) {
name: take('avm.res.network.network-security-group.${subnet.?networkSecurityGroup.name}.${resourceSuffix}', 64)
params: {
name: '${subnet.?networkSecurityGroup.name}-${resourceSuffix}'
location: vnetLocation
location: location
securityRules: subnet.?networkSecurityGroup.securityRules
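
Review bot: The `if (!empty(subnet.?networkSecurityGroup))` filter on the `nsgs` loop means a subnet entry that omits `networkSecurityGroup` is deployed with no NSG and no warning. Since this module also carries the Bastion and Jumpbox subnets, make that an explicit choice: document which subnets are expected to have no NSG, or fail the deployment when any other entry lacks one. Separately, `take(..., 64)` leaves only 25 characters after the fixed 39-character `avm.res.network.network-security-group.` prefix, so a long NSG name can push `resourceSuffix` out of the deployment name.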

Copilot AI Apr 2, 2026

The nsgs module is declared as an array comprehension with an if filter, but later the subnet loop indexes into nsgs[i] using the original vnetSubnets index. If any subnet ever omits networkSecurityGroup, the nsgs array indices will no longer align with vnetSubnets, causing wrong NSG attachments or index errors. Consider removing the if filter (since you already set networkSecurityGroupResourceId to null when absent) or build an explicit map from subnet name to NSG resourceId.

Comment thread infra/main.bicep
Comment on lines +395 to +401
// Azure Bastion Host
var bastionHostName = 'bas-${solutionSuffix}'
var zoneSupportedJumpboxLocations = [
'australiaeast'
'centralus'
'eastus'
'eastus2'
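
Review bot: `zoneSupportedJumpboxLocations` is a hard-coded region list placed directly under the `// Azure Bastion Host` comment, so it is unclear which resource the list governs and where its entries came from. Add a comment naming the resource it applies to, the source of the list, and what the template does for a region that is not listed; a hard-coded list will also need maintenance as regional zone support changes.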

Copilot AI Apr 2, 2026

The PR title/description suggests this change is limited to VM size recommendations, but this diff actually adds new deployable infrastructure (Azure Bastion Host + a Windows jumpbox VM) gated by parameters. Please update the PR description/title to reflect the real scope (new Bastion/jumpbox resources and associated parameters) so reviewers understand the cost/behavior impact.

@Yatish-Microsoft
Contributor Author

@copilot apply changes based on the comments in this thread

…e in virtualNetwork.bicep

Agent-Logs-Url: https://github.com/microsoft/content-generation-solution-accelerator/sessions/738e0d94-7901-44a8-a7a0-da1bf0928444

Co-authored-by: Yatish-Microsoft <234036280+Yatish-Microsoft@users.noreply.github.com>
Contributor

Copilot AI commented Apr 2, 2026

@copilot apply changes based on the comments in this thread

Applied in commit dafa23d. Renamed param name to param vnetName in infra/modules/virtualNetwork.bicep to fix the symbol collision with output name — updated all internal references and the main.bicep call site accordingly. The if filter in the NSG loop was retained since Bicep conditional loops maintain index alignment, and removing it would risk runtime errors if any subnet without a networkSecurityGroup were ever added.

@Avijit-Microsoft Avijit-Microsoft merged commit 8a74f59 into dev Apr 8, 2026
3 checks passed
@github-actions
Contributor

🎉 This PR is included in version 2.4.0 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀


6 participants