Bicep Module Documentation

| Property | Value | Description |
|---|---|---|
| general (required) | general | |
| addressPrefixes (required) | string[] | AddressPrefixes of the virtual network [array of CIDR notations] |
| dnsServers | string[] | DNS Servers of the virtual network (default: Azure DNS) [array of CIDR notations] |
| subnets | subnet[] | Subnets contained in the virtual network [Array of subnet objects] |
| ddosProtectionPlanId | string | DDoS protection plan associated with this virtual network [ResourceId] |
| bgpCommunity | string | BGP Community associated with this virtual network [xxxxx:xxxxx] |
| routeTableNaming | naming | Override the name of the route table associated to the subnets in the virtual network |
| routes | route[] | The default routes to be associated to all subnets which do not have a specific route table |
| disableBgpRoutePropagation | bool | Whether to disable the routes learned by BGP on the VNet route table |
| peerings | peerings[] | List of peerings |

| Property | Value | Description |
|---|---|---|
| remoteVirtualNetworkId (required) | string | Resource ID of the remote virtual network |
| remoteFullName | string | Override the name of the peering from the local to the remote virtual network |
| remoteAllowVirtualNetworkAccess | bool | Allow VMs in the remote virtual network to access VMs in the local virtual network (default: true) |
| remoteAllowForwardedTraffic | bool | Allow forwarded traffic from VMs in the local virtual network into the remote virtual network (default: false) |
| remoteAllowGatewayTransit | bool | Allow the local virtual network to use the VPN gateway in the remote virtual network (default: false) |
| remoteUseRemoteGateways | bool | Allow the remote virtual network to use the VPN gateway in the local virtual network (default: false) |
| remoteBGPCommunity | string | BGP Community associated with the virtual network [xxxxx:xxxxx] |
| localFullName | string | Override the name of the peering from the remote to the local virtual network |
| localAllowVirtualNetworkAccess | bool | Allow VMs in the local virtual network to access VMs in the remote virtual network (default: true) |
| localAllowForwardedTraffic | bool | Allow forwarded traffic from VMs in the remote virtual network into the local virtual network (default: true) |
| localAllowGatewayTransit | bool | Allow the remote virtual network to use the VPN gateway in the local network (default: false) |
| localUseRemoteGateways | bool | Allow the local virtual network to use the VPN gateway in the remote virtual network (default: false) |
| localBGPCommunity | string | BGP Community associated with the virtual network [xxxxx:xxxxx] |

| Property | Value | Description |
|---|---|---|
| naming (required) | naming | |
| disableNetworkSecurityGroupDefaultRules | bool | Disable the default networking rules (default: false) |
| networkSecurityGroupNaming | naming | Override the name of the network security group associated to this subnet |
| disableNetworkSecurityGroup | bool | Disable network security group deployment |
| securityRules | securityRule[] | The network security group rules to be associated with this subnet which overrides the default setting |
| bastionSubnetPrefix | string | Enable the bastion networking rules and allow traffic from bastion subnet (default: false) |
| enableApplicationGatewayIngressRules | bool | Enable the application gateway networking rules and allow traffic from external on 443 and 80 (default: false) |
| routeTableNaming | naming | Override the name of the route table associated to this subnet |
| routes | route[] | The routes to be associated with this subnet which overrides the default setting |
| addressPrefix (required) | string | AddressPrefix of the subnet [CIDR notation] |
| delegation | string | Delegation to enable for the subnet (for example: "Microsoft.Sql/managedInstances") [Namespace & resource type] |
| serviceEndpoints | serviceEndpoint[] | Service endpoints to enable for the subnet [Array of service endpoint objects] |
| serviceEndpointPolicyIds | string[] | Service endpoints policies to assign to the subnet [Array of ResourceIds] |
| networkSecurityGroupId | string | Network Security Group to assign to subnet [ResourceId] |
| natGatewayId | string | NAT Gateway to assign to subnet [ResourceId] |
| routeTableId | string | Route table to assign to subnet [ResourceId] |
| privateEndpointNetworkPolicies | bool | Apply network policies on private endpoint for the subnet (default: Enabled) |
| privateLinkServiceNetworkPolicies | bool | Apply network policies on private link service for the subnet (default: Enabled) |
| disableBgpRoutePropagation | bool | Whether to disable the routes learned by BGP on that route table |
| defaultOutboundAccess | bool | Whether to disable subnet default outbound access or not (disabled = private subnet) |

| Property | Value | Description |
|---|---|---|
| namespace (required) | string | Namespace for which to enable a service endpoint (for example: "Microsoft.Storage") [Namespace] |
| location | string[] | Location where the service endpoint is active (default: *) [Array of locations] |

| Property | Value | Description |
|---|---|---|
| sharedNaming (required) | naming | The shared naming |
| hubFullName | string | Override the name of the peering from the local to the remote virtual network |
| hubVirtualNetworkId (required) | string | ResourceId of the hub virtual network |
| hubAllowVirtualNetworkAccess | bool | Allow VMs in the hub virtual network to access VMs in the spoke virtual network (default: true) |
| hubAllowForwardedTraffic | bool | Allow forwarded traffic from VMs in the spoke virtual network into the hub virtual network (default: false) |
| hubAllowGatewayTransit | bool | Allow the spoke virtual network to use the VPN gateway in the hub virtual network (default: false) |
| hubUseRemoteGateways | bool | Allow the hub virtual network to use the VPN gateway in the spoke virtual network (default: false) |
| hubBGPCommunity | string | BGP Community associated with the virtual network [xxxxx:xxxxx] |
| spokeFullName | string | Override the name of the peering from the remote to the local virtual network |
| spokeVirtualNetworkId (required) | string | ResourceId of the spoke virtual network |
| spokeAllowVirtualNetworkAccess | bool | Allow VMs in the spoke virtual network to access VMs in the hub virtual network (default: true) |
| spokeAllowForwardedTraffic | bool | Allow forwarded traffic from VMs in the hub virtual network into the spoke virtual network (default: true) |
| spokeAllowGatewayTransit | bool | Allow the hub virtual network to use the VPN gateway in the spoke network (default: false) |
| spokeUseRemoteGateways | bool | Allow the spoke virtual network to use the VPN gateway in the hub virtual network (default: false) |
| spokeBGPCommunity | string | BGP Community associated with the virtual network [xxxxx:xxxxx] |

| Property | Value | Description |
|---|---|---|
| name | string | Character limit: 1-90. Valid characters: Alphanumerics, periods, underscores, hyphens, and parentheses. Can't end in period. |
| level (required) | 'CanNotDelete' 'ReadOnly' | The level of the lock. Possible values are: CanNotDelete and ReadOnly. CanNotDelete means authorized users are able to read and modify the resources, but not delete. ReadOnly means authorized users can only read from a resource, but they can't modify or delete it. ReadOnly locks must be commented out to be able to deploy again |
| notes | string | Notes about the lock. Maximum of 512 characters. |
| owners | resourceLockOwner[] | The owners of the lock |

| Property | Value | Description |
|---|---|---|
| applicationId (required) | string | The application ID of the lock owner. |

| Property | Value | Description |
|---|---|---|
| principalId (required) | string | The principal ID |
| roleDefinitionId (required) | string | The role definition ID, data file can be used for this |
| condition | string | Condition on the role assignment |
| conditionVersion | string | Version of the condition. Currently the only accepted value is "2.0" |
| delegatedManagedIdentityResourceId | string | Id of the delegated managed identity resource |
| description | string | Description of role assignment |

| Property | Value | Description |
|---|---|---|
| tags | object | Tags of the resource [hashtable] |
| location (required) | string | Location of the resource |
| naming (required) | naming | Naming module of the resource |
| resourceGroupName (required) | string | Name of the resource group where the resource should be located |
| sharedNaming (required) | naming | Reference to the default naming |
| roleAssignments | roleAssignment[] | Role assignments on the resource |
| resourceLocks | resourceLock[] | Resource Locks on the resource |

| Property | Value | Description |
|---|---|---|
| forceFunctionAsFullName | bool | Use the function value as the full name of the resource |
| abbreviation | string | Override the abbreviation of this resource with this parameter |
| environment | string | The resource environment (for example: dev, tst, acc, prd) |
| location | string | The resource location (for example: weu, we, westeurope) |
| customer | string | The name of the customer |
| delimiter | string | The delimiter between resources (default: -) |
| nameFormat | Array containing any of: 'abbreviation' 'customer' 'environment' 'function' 'location' 'param1' 'param2' 'param3' 'useCaseName' | The order of the array defines the order of elements in the naming scheme |
| param1 | string | Extra parameter self defined |
| param2 | string | Extra parameter self defined |
| param3 | string | Extra parameter self defined |
| function (required) | string | Function of the resource [can be app, db, security,...] |
| useCaseName | string | Name of the use case [can be hub, spoke,...] |
| suffix | string | Suffix for the resource; if empty, none is appended, otherwise it is added to the end [can be index, ...] |
| forceDefaultNaming | bool | Force the CAF naming instead of default company naming |

| Property | Value | Description |
|---|---|---|
| naming (required) | naming | |
| addressPrefix (required) | string | AddressPrefix of the route table [CIDR notation] |
| nextHopType (required) | 'Internet' 'None' 'VirtualAppliance' 'VirtualNetworkGateway' 'VnetLocal' | The next hop type of the route table |
| nextHopIpAddress | string | The next hop IP of the route table only allowed when using "VirtualAppliance" as next hop type |

| Property | Value | Description |
|---|---|---|
| naming (required) | naming | |
| priority | int | The priority of the rule, the priority number must be unique for each rule in the collection. The lower the priority number, the higher the priority of the rule (default: 1000+index of rule) [integer 100-4096] |
| direction (required) | 'Inbound' 'Outbound' | The direction of the rule. The direction specifies if rule will be evaluated on incoming or outgoing traffic |
| access | 'Allow' 'Deny' | The network traffic is allowed or denied (default: Allow) |
| protocol | '*' 'Ah' 'Esp' 'Icmp' 'Tcp' 'Udp' | Network protocol this rule applies to (default: *) |
| sourceAddressPrefix | string | The source IP range (default: Any) [CIDR notation] |
| sourceAddressPrefixes | string[] | The source IP ranges [Array of CIDR notations] |
| sourceApplicationSecurityGroups | string[] | The array of application security groups specified as source [Array of ResourceIds] |
| sourcePortRange | string | The source port range (default: Any) [string 0-65535] |
| sourcePortRanges | string[] | The source port ranges [array of strings 0-65535] |
| destinationAddressPrefix | string | The destination IP range (default: Any) [CIDR notation] |
| destinationAddressPrefixes | string[] | The destination IP ranges [Array of CIDR notations or ServiceTags] |
| destinationApplicationSecurityGroups | string[] | The array of application security groups specified as destination [Array of ResourceIds] |
| destinationPortRange | string | The destination port range (default: Any) [string 0-65535] |
| destinationPortRanges | string[] | The destination port ranges [array of strings 0-65535] |
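
Added example (not part of the module's own code): with the defaults documented above, a securityRule that sets only `naming` and `direction: 'Inbound'` resolves to Allow, any protocol, any source, any port. The Python check below applies those defaults and the documented limits to constructed rule objects, looking at each rule in isolation; the function names, the sample rules and the set of values treated as "any" are assumptions.

```python
# Added example: applies the securityRule defaults and limits documented above.
DIRECTIONS = {"Inbound", "Outbound"}
ACCESS = {"Allow", "Deny"}
PROTOCOLS = {"*", "Ah", "Esp", "Icmp", "Tcp", "Udp"}
ANY = {"*", "Any", "0.0.0.0/0"}  # assumption: spellings treated as "any"

def effective(rule, index=0):
    """Resolve omitted properties to the defaults listed in the table."""
    one = lambda key: [rule[key]] if key in rule else []
    sources = (one("sourceAddressPrefix") + rule.get("sourceAddressPrefixes", [])
               + rule.get("sourceApplicationSecurityGroups", []))
    ports = one("destinationPortRange") + rule.get("destinationPortRanges", [])
    return {
        "priority": rule.get("priority", 1000 + index),  # default: 1000+index
        "access": rule.get("access", "Allow"),
        "protocol": rule.get("protocol", "*"),
        "sources": sources or ["Any"],
        "ports": ports or ["Any"],
    }

def check_security_rule(rule, index=0):
    """Return findings for one rule; an empty list means nothing to review."""
    findings = [f"missing required property: {k}"
                for k in ("naming", "direction") if k not in rule]
    eff = effective(rule, index)
    direction = rule.get("direction")
    if direction is not None and direction not in DIRECTIONS:
        findings.append(f"invalid direction: {direction}")
    if eff["access"] not in ACCESS:
        findings.append(f"invalid access: {eff['access']}")
    if eff["protocol"] not in PROTOCOLS:
        findings.append(f"invalid protocol: {eff['protocol']}")
    prio = eff["priority"]
    if not isinstance(prio, int) or not 100 <= prio <= 4096:
        findings.append(f"priority {prio} outside 100-4096")
    if direction == "Inbound" and eff["access"] == "Allow" and ANY & set(eff["sources"]):
        scope = "all ports" if ANY & set(eff["ports"]) else "ports " + ",".join(eff["ports"])
        findings.append(f"inbound Allow from any source on {scope}")
    return findings

# Constructed sample rules (not taken from the module's repository).
RULES = [
    {"naming": {"function": "mgmt"}, "direction": "Inbound"},  # defaults only
    {"naming": {"function": "web"}, "direction": "Inbound", "protocol": "Tcp", "priority": 200,
     "sourceAddressPrefix": "10.10.0.0/24", "destinationPortRange": "443"},
    {"naming": {"function": "old"}, "direction": "inbound", "access": "Deny", "priority": 5000},
]

if __name__ == "__main__":
    for i, r in enumerate(RULES):
        print(r["naming"]["function"], check_security_rule(r, i))
```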