Documentation Updates
ruandersMSFT committed Dec 29, 2024
1 parent f4a955e commit b2b0ca5
Showing 2 changed files with 5 additions and 1 deletion.
4 changes: 3 additions & 1 deletion docs/design.md
Expand Up @@ -21,7 +21,7 @@ Mission LZ has the following scope:

## Networking

Networking is set up in a hub and spoke design, separated by tiers: T0 (Identity and Authorization), T1 (Infrastructure Operations), T2 (DevSecOps and Shared Services), and multiple T3s (Workloads). Access control can be configured to allow separation of duties between all tiers.
Networking is set up in a [hub and spoke design](https://learn.microsoft.com/en-us/azure/architecture/networking/architecture/hub-spoke), separated by tiers: T0 (Identity and Authorization), T1 (Infrastructure Operations), T2 (DevSecOps and Shared Services), and multiple T3s (Workloads). Access control can be configured to allow separation of duties between all tiers.

<!-- markdownlint-disable MD033 -->
<!-- allow html for images so that they can be sized -->
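Review bot: the link added to the "hub and spoke design" sentence pins the locale with `/en-us/`; Microsoft Learn resolves the locale itself when that segment is left out, so `https://learn.microsoft.com/azure/architecture/networking/architecture/hub-spoke` is the more durable form. Nothing else in this hunk changes, so no further comment on the wording.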
Expand All @@ -30,6 +30,8 @@ Networking is set up in a hub and spoke design, separated by tiers: T0 (Identity

Each virtual network has been given a default address prefix to ensure they fall within the default super network. Refer to the [Networking page](./networking.md) for all the default address prefixes.

The deployment of an Azure NAT Gateway in the Hub Network has been implemented to enable explicit outbound connectivity to align with Azure Roadmap guidance that [default outbound access will be retired September 30 2025](https://azure.microsoft.com/en-us/updates?id=default-outbound-access-for-vms-in-azure-will-be-retired-transition-to-a-new-method-of-internet-access). It is implemented with an [Azure Public IP Prefix to prevent SNAT port exhaustion](https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/configure-public-ip-nat-gateway#add-public-ip-prefix), allowing deployment of 2, 4, 8 or 16 Public IPs in the Prefix via the `natGatewayPublicIpPrefixLength` paramter.

## Subscriptions

Most customers will deploy each tier to a separate Azure subscription, but multiple subscriptions are not required. A single subscription deployment is good for a testing and evaluation, or possibly a small IT Admin team.
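Review bot: the added NAT Gateway paragraph has a typo, `paramter` should be `parameter`, and it describes `natGatewayPublicIpPrefixLength` as choosing "2, 4, 8 or 16 Public IPs" while the README row added in this same commit defines it as a prefix length (/28 to /31, default 31). State it the same way in both places, e.g. "a /28, /29, /30 or /31 prefix (16, 8, 4 or 2 addresses) via the `natGatewayPublicIpPrefixLength` parameter", so nobody passes an address count. The sentence also only says "in the Hub Network"; since the tiers section above has T3 workloads in separate spokes, say which subnets the gateway is associated with and whether spoke traffic reaches it through the Hub, because that determines whether the "explicit outbound connectivity" claim covers the workload tiers. Minor: "September 30, 2025" needs the comma, and "Azure Roadmap guidance" is really an Azure Updates retirement notice, which is what the link points to.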
2 changes: 2 additions & 0 deletions src/bicep/README.md
Expand Up @@ -95,6 +95,8 @@ Parameter name | Required | Description
`policy` | No | [NIST/IL5/CMMC] Built-in policy assignments to assign, it defaults to "NIST". IL5 is only available for AzureUsGovernment and will switch to NIST if tried in AzureCloud.
`deployDefender` | No | When set to "true", enables Microsoft Defender for Cloud for the subscriptions used in the deployment. It defaults to "false".
`emailSecurityContact` | No | Email address of the contact, in the form of john@doe.com
`deployAzureNATGateway` | No | When set to "true", provisions Azure NAT Gateway with Private IP Prefix. It defaults to "true" to align to Azure retiring default outbound access September 30 2025.
`natGatewayPublicIpPrefixLength` | No | Length of the Public IP Prefix for the Azure NAT Gateway. A NAT gateway can support the following prefix sizes: /28 (16 addresses), /29 (8 addresses), /30 (4 addresses), and /31 (2 addresses). Defaults to 31.
<!-- markdownlint-enable MD034 -->

## Outputs
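Review bot: the `deployAzureNATGateway` row says "Private IP Prefix", but the row directly below it and the design.md hunk in this same commit both say Public IP Prefix; change it to "Public IP Prefix" so the three descriptions agree. On `natGatewayPublicIpPrefixLength`, give the type and accepted values explicitly ("integer, one of 28, 29, 30 or 31; defaults to 31") so it is clear the value is the CIDR length rather than an address count, and since design.md says the prefix exists to prevent SNAT port exhaustion, add one sentence on sizing (a larger prefix, i.e. a smaller number, for more concurrent outbound flows; /31 is the smallest allowed). Finally, because the default is "true", anyone re-deploying with an existing parameter file gets a NAT gateway and public IP prefix they did not have before; say so in the description or a changelog entry and tell operators to set it to "false" if they already have another outbound path.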
