From 82618e98f141b35fb113e3a6facd3d5a71634f2d Mon Sep 17 00:00:00 2001
From: Seif Bassem <38246040+sebassem@users.noreply.github.com>
Date: Tue, 11 Mar 2025 10:17:09 +0200
Subject: [PATCH 01/50] adding checkbox for NAT gateway
---
eslzArm/eslz-portal.json | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/eslzArm/eslz-portal.json b/eslzArm/eslz-portal.json
index 40d885676e..cb183869ed 100644
--- a/eslzArm/eslz-portal.json
+++ b/eslzArm/eslz-portal.json
@@ -5224,6 +5224,18 @@
]
}
}
+ },
+ {
+ "id": "corpDeployNATGateway",
+ "header": "Deploy a NAT gateway into the virtual network",
+ "width": "1fr",
+ "element": {
+ "type": "Microsoft.Common.CheckBox",
+ "label": "Deploy a NAT gateway",
+ "constraints": {
+ "required": false
+ }
+ }
}
]
}
From 78624f2d1f81f7ed5f1b769a98762f1bb4001140 Mon Sep 17 00:00:00 2001
From: Seif Bassem <38246040+sebassem@users.noreply.github.com>
Date: Tue, 11 Mar 2025 10:17:53 +0200
Subject: [PATCH 02/50] fix: Remove width property from NAT gateway deployment
checkbox
---
eslzArm/eslz-portal.json | 1 -
1 file changed, 1 deletion(-)
diff --git a/eslzArm/eslz-portal.json b/eslzArm/eslz-portal.json
index cb183869ed..aad4e26843 100644
--- a/eslzArm/eslz-portal.json
+++ b/eslzArm/eslz-portal.json
@@ -5228,7 +5228,6 @@
{
"id": "corpDeployNATGateway",
"header": "Deploy a NAT gateway into the virtual network",
- "width": "1fr",
"element": {
"type": "Microsoft.Common.CheckBox",
"label": "Deploy a NAT gateway",
From 3cba444a4eb59ec8a158a3fbe20894afa1c3b9fd Mon Sep 17 00:00:00 2001
From: Seif Bassem <38246040+sebassem@users.noreply.github.com>
Date: Tue, 11 Mar 2025 10:18:56 +0200
Subject: [PATCH 03/50] fix: Update NAT gateway deployment checkbox header and
make it required
---
eslzArm/eslz-portal.json | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/eslzArm/eslz-portal.json b/eslzArm/eslz-portal.json
index aad4e26843..b072ffea05 100644
--- a/eslzArm/eslz-portal.json
+++ b/eslzArm/eslz-portal.json
@@ -5227,12 +5227,13 @@
},
{
"id": "corpDeployNATGateway",
- "header": "Deploy a NAT gateway into the virtual network",
+ "header": "Deploy a NAT gateway",
"element": {
"type": "Microsoft.Common.CheckBox",
"label": "Deploy a NAT gateway",
"constraints": {
- "required": false
+ "required": true,
+ "validationMessage": ""
}
}
}
From aea540543effb0e9cc9fb929b188f6f783bbc008 Mon Sep 17 00:00:00 2001
From: Seif Bassem <38246040+sebassem@users.noreply.github.com>
Date: Tue, 11 Mar 2025 10:24:46 +0200
Subject: [PATCH 04/50] fix: Refactor NAT gateway deployment checkbox
properties and add tooltip
---
eslzArm/eslz-portal.json | 14 ++++----------
1 file changed, 4 insertions(+), 10 deletions(-)
diff --git a/eslzArm/eslz-portal.json b/eslzArm/eslz-portal.json
index b072ffea05..cfe8bc91a8 100644
--- a/eslzArm/eslz-portal.json
+++ b/eslzArm/eslz-portal.json
@@ -5226,16 +5226,10 @@
}
},
{
- "id": "corpDeployNATGateway",
- "header": "Deploy a NAT gateway",
- "element": {
- "type": "Microsoft.Common.CheckBox",
- "label": "Deploy a NAT gateway",
- "constraints": {
- "required": true,
- "validationMessage": ""
- }
- }
+ "name": "corpDeployNATGateway",
+ "type": "Microsoft.Common.CheckBox",
+ "label": "Deploy a NAT gateway",
+ "toolTip": "If 'Yes' is selected, a NAT gateway will be deployed to the virtual network."
}
]
}
From cb600ab01687eefa15d5b607b512319406ba5869 Mon Sep 17 00:00:00 2001
From: Seif Bassem <38246040+sebassem@users.noreply.github.com>
Date: Tue, 11 Mar 2025 10:26:30 +0200
Subject: [PATCH 05/50] fix: Update NAT gateway deployment checkbox to make it
optional
---
eslzArm/eslz-portal.json | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/eslzArm/eslz-portal.json b/eslzArm/eslz-portal.json
index cfe8bc91a8..a79a083e49 100644
--- a/eslzArm/eslz-portal.json
+++ b/eslzArm/eslz-portal.json
@@ -5229,7 +5229,9 @@
"name": "corpDeployNATGateway",
"type": "Microsoft.Common.CheckBox",
"label": "Deploy a NAT gateway",
- "toolTip": "If 'Yes' is selected, a NAT gateway will be deployed to the virtual network."
+ "constraints": {
+ "required": false
+ }
}
]
}
From f505bf31c5e6fb1e7b2e1e141ee516d6eb5e9caf Mon Sep 17 00:00:00 2001
From: Seif Bassem <38246040+sebassem@users.noreply.github.com>
Date: Tue, 11 Mar 2025 10:30:32 +0200
Subject: [PATCH 06/50] fix: Update NAT gateway deployment checkbox properties
and add validation message
---
eslzArm/eslz-portal.json | 14 +++++++++-----
1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/eslzArm/eslz-portal.json b/eslzArm/eslz-portal.json
index a79a083e49..6db50fb4c3 100644
--- a/eslzArm/eslz-portal.json
+++ b/eslzArm/eslz-portal.json
@@ -5226,11 +5226,15 @@
}
},
{
- "name": "corpDeployNATGateway",
- "type": "Microsoft.Common.CheckBox",
- "label": "Deploy a NAT gateway",
- "constraints": {
- "required": false
+ "id": "corpDeployNATGateway",
+ "header": "Deploy a NAT gateway",
+ "element": {
+ "type": "Microsoft.Common.CheckBox",
+ "label": "Deploy a NAT gateway",
+ "constraints": {
+ "required": false,
+ "validationMessage": ""
+ }
}
}
]
From 4374bfd8533ddf6aa0291fe066a1540ef5b4b9fd Mon Sep 17 00:00:00 2001
From: Seif Bassem <38246040+sebassem@users.noreply.github.com>
Date: Tue, 11 Mar 2025 10:36:17 +0200
Subject: [PATCH 07/50] fix: Update NAT gateway deployment to use dropdown and
enforce required selection
---
eslzArm/eslz-portal.json | 28 ++++++++++++++++++++++------
1 file changed, 22 insertions(+), 6 deletions(-)
diff --git a/eslzArm/eslz-portal.json b/eslzArm/eslz-portal.json
index 6db50fb4c3..3ce1bbdf04 100644
--- a/eslzArm/eslz-portal.json
+++ b/eslzArm/eslz-portal.json
@@ -5226,14 +5226,30 @@
}
},
{
- "id": "corpDeployNATGateway",
- "header": "Deploy a NAT gateway",
+ "id": "corpNatGw",
+ "header": "Deploy a NAT Gateway",
+ "width": "1fr",
"element": {
- "type": "Microsoft.Common.CheckBox",
- "label": "Deploy a NAT gateway",
+ "name": "corpDeployNATGateway",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Corp NAT Gateway",
+ "defaultValue": ["Yes"],
+ "toolTip": "",
+ "multiselect": false,
+ "selectAll": false,
+ "filter": true,
+ "filterPlaceholder": "Filter items ...",
+ "multiLine": false,
"constraints": {
- "required": false,
- "validationMessage": ""
+ "allowedValues": [{
+ "label": "Yes",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }],
+ "required": true
}
}
}
From 8b57c99a62f83f1a3cb10b8b4c9d5d14d8f78f05 Mon Sep 17 00:00:00 2001
From: Seif Bassem <38246040+sebassem@users.noreply.github.com>
Date: Tue, 11 Mar 2025 11:08:30 +0200
Subject: [PATCH 08/50] feat: Add NAT gateway deployment template and integrate
into Corp subscription
---
eslzArm/eslzArm.json | 48 ++++++++++++++
.../corp-nat-gateway.json | 65 +++++++++++++++++++
2 files changed, 113 insertions(+)
create mode 100644 eslzArm/subscriptionTemplates/corp-nat-gateway.json
diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json
index 962ec7e7bf..6e643fd06b 100644
--- a/eslzArm/eslzArm.json
+++ b/eslzArm/eslzArm.json
@@ -1770,6 +1770,7 @@
"sandboxPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/ENFORCE-ALZ-SandboxPolicyAssignment.json')]",
"ddosPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/MODIFY-DDoSPolicyAssignment.json')]",
"corpVnetPeering": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/vnetPeering.json')]",
+ "corpNatGateway": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/corp-nat-gateway.json')]",
"corpVwanPeering": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/vnetPeeringVwan.json')]",
"hubVnetPeering": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/vnetPeeringHub.json')]",
"hubVnetRouting": "[uri(deployment().properties.templateLink.uri, 'resourceGroupTemplates/vnetRouteTable.json')]",
@@ -1830,6 +1831,7 @@
"mgmtGroupDeploymentName": "[take(concat('alz-Mgs', variables('deploymentSuffix')), 64)]",
"mgmtSubscriptionPlacement": "[take(concat('alz-MgmtSub', variables('deploymentSuffix')), 64)]",
"corpPeeringDeploymentName": "[take(concat('alz-CorpPeering', variables('deploymentSuffix')), 60)]",
+ "corpNatGWDeploymentName": "[take(concat('alz-CorpNatGw', variables('deploymentSuffix')), 60)]",
"hubPeeringDeploymentName": "[take(concat('alz-HubPeering', variables('deploymentSuffix')), 60)]",
"hubPeering2DeploymentName": "[take(concat('alz-HubPeering2', variables('deploymentSuffix')), 60)]",
"connectivitySubscriptionPlacement": "[take(concat('alz-ConnectivitySub', variables('deploymentSuffix')), 64)]",
@@ -7850,6 +7852,52 @@
}
}
},
+ {
+ // Deploy a NAT gateway into the Corp subscription's virtual network
+ "condition": "[and(or(equals(parameters('enableHub'), 'nva'), equals(parameters('enableHub'), 'vhub')), not(empty(parameters('corpConnectedLzSubscriptionId'))),map(parameters('corpConnectedLzSubscriptionId'), lambda('natGw', lambdaVariables('natGw').corpNatGw)))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-06-01",
+ "name": "[concat(variables('deploymentNames').corpNatGWDeploymentName, copyIndex())]",
+ "subscriptionId": "[if(not(empty(parameters('corpConnectedLzSubscriptionId'))), parameters('corpConnectedLzSubscriptionId')[copyIndex()].subs, '')]",
+ "location": "[parameters('connectivityLocation')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vwanConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosLzPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vwanConnectivityHubLiteDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]",
+ "corpConnectedMoveLzs"
+ ],
+ "copy": {
+ "name": "deployNatGw",
+ "count": "[length(parameters('corpConnectedLzSubscriptionId'))]"
+ },
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').corpNatGateway]"
+ },
+ "parameters": {
+ "vNetRgName": {
+ "value": "[variables('platformRgNames').lzVnetRg]"
+ },
+ "vNetName": {
+ "value": "[take(concat(variables('platformResourceNames').lzVnet, '-', parameters('corpConnectedLzSubscriptionId')[copyIndex()].subs), 64)]"
+ },
+ "vNetLocation": {
+ "value": "[parameters('connectivityLocation')]"
+ }
+ }
+ }
+ },
/*{
// Peering corp connected lz vnet to connectivity sub (when vwan is selected)
"condition": "[and(equals(parameters('enableHub'), 'vwan'), not(empty(parameters('corpConnectedLzSubscriptionId'))))]",
diff --git a/eslzArm/subscriptionTemplates/corp-nat-gateway.json b/eslzArm/subscriptionTemplates/corp-nat-gateway.json
new file mode 100644
index 0000000000..d8164b152e
--- /dev/null
+++ b/eslzArm/subscriptionTemplates/corp-nat-gateway.json
@@ -0,0 +1,65 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "natGatewayName": {
+ "type": "string",
+ "metadata": {
+ "description": "Name of the NAT Gateway."
+ }
+ },
+ "natGatewayPublicIpName": {
+ "type": "string",
+ "metadata": {
+ "description": "Name of the NAT Gateway Public IP."
+ }
+ },
+ "location": {
+ "type": "string",
+ "metadata": {
+ "displayName": "location",
+ "description": "Location of the NAT gateway"
+ },
+ "defaultValue": "[deployment().location]"
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Network/publicIPAddresses",
+ "apiVersion": "2024-05-01",
+ "name": "[parameters('natGatewayPublicIpName')]",
+ "sku": {
+ "name": "Standard"
+ },
+ "zones": [
+ "1"
+ ],
+ "location": "[parameters('location')]",
+ "properties": {
+ "publicIPAllocationMethod": "Static"
+ }
+ },
+ {
+ "type": "Microsoft.Network/natGateways",
+ "apiVersion": "2024-05-01",
+ "name": "[parameters('natGatewayName')]",
+ "sku": {
+ "name": "Standard"
+ },
+ "zones": [
+ "1"
+ ],
+ "location": "[parameters('location')]",
+ "properties": {
+ "publicIpAddresses": [
+ {
+ "id": "[resourceId('Microsoft.Network/publicIPAddresses', parameters('natGatewayPublicIpName'))]"
+ }
+ ]
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Network/publicIPAddresses', parameters('natGatewayPublicIpName'))]"
+ ]
+ }
+ ]
+}
\ No newline at end of file
From abe74c6e9e069399ba468cf13e4df80b00eb9c49 Mon Sep 17 00:00:00 2001
From: Seif Bassem <38246040+sebassem@users.noreply.github.com>
Date: Tue, 11 Mar 2025 11:13:37 +0200
Subject: [PATCH 09/50] fix: Update NAT gateway deployment condition to ensure
correct evaluation of subscription ID
---
eslzArm/eslzArm.json | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json
index 6e643fd06b..bd2a44d8ff 100644
--- a/eslzArm/eslzArm.json
+++ b/eslzArm/eslzArm.json
@@ -7854,7 +7854,7 @@
},
{
// Deploy a NAT gateway into the Corp subscription's virtual network
- "condition": "[and(or(equals(parameters('enableHub'), 'nva'), equals(parameters('enableHub'), 'vhub')), not(empty(parameters('corpConnectedLzSubscriptionId'))),map(parameters('corpConnectedLzSubscriptionId'), lambda('natGw', lambdaVariables('natGw').corpNatGw)))]",
+ "condition": "[and(or(equals(parameters('enableHub'), 'nva'), equals(parameters('enableHub'), 'vhub')), not(empty(parameters('corpConnectedLzSubscriptionId'))),equals(map(parameters('corpConnectedLzSubscriptionId'), lambda('natGw', lambdaVariables('natGw').corpNatGw)),'true'))]",
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-06-01",
"name": "[concat(variables('deploymentNames').corpNatGWDeploymentName, copyIndex())]",
From 00bbb1e4cd9a301d00ab39d3f6db6559aa1ee588 Mon Sep 17 00:00:00 2001
From: Seif Bassem <38246040+sebassem@users.noreply.github.com>
Date: Tue, 11 Mar 2025 11:25:10 +0200
Subject: [PATCH 10/50] feat: Add corp peering deployment reference to ARM
template
---
eslzArm/eslzArm.json | 1 +
1 file changed, 1 insertion(+)
diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json
index bd2a44d8ff..0f8bb97da7 100644
--- a/eslzArm/eslzArm.json
+++ b/eslzArm/eslzArm.json
@@ -7870,6 +7870,7 @@
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').corpPeeringDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vwanConnectivityHubLiteDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]",
From 5bce0a6df05e1b408b0a70e0cd01ea89a7722ae2 Mon Sep 17 00:00:00 2001
From: Seif Bassem <38246040+sebassem@users.noreply.github.com>
Date: Tue, 11 Mar 2025 11:26:28 +0200
Subject: [PATCH 11/50] fix: Update NAT gateway deployment conditions to use
boolean values for clarity
---
eslzArm/eslz-portal.json | 4 ++--
eslzArm/eslzArm.json | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/eslzArm/eslz-portal.json b/eslzArm/eslz-portal.json
index 3ce1bbdf04..ae34e1c6ce 100644
--- a/eslzArm/eslz-portal.json
+++ b/eslzArm/eslz-portal.json
@@ -5243,11 +5243,11 @@
"constraints": {
"allowedValues": [{
"label": "Yes",
- "value": "Yes"
+ "value": "true"
},
{
"label": "No",
- "value": "No"
+ "value": "false"
}],
"required": true
}
diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json
index 0f8bb97da7..09d8781163 100644
--- a/eslzArm/eslzArm.json
+++ b/eslzArm/eslzArm.json
@@ -7854,7 +7854,7 @@
},
{
// Deploy a NAT gateway into the Corp subscription's virtual network
- "condition": "[and(or(equals(parameters('enableHub'), 'nva'), equals(parameters('enableHub'), 'vhub')), not(empty(parameters('corpConnectedLzSubscriptionId'))),equals(map(parameters('corpConnectedLzSubscriptionId'), lambda('natGw', lambdaVariables('natGw').corpNatGw)),'true'))]",
+ "condition": "[and(or(equals(parameters('enableHub'), 'nva'), equals(parameters('enableHub'), 'vhub')), not(empty(parameters('corpConnectedLzSubscriptionId'))),equals(map(parameters('corpConnectedLzSubscriptionId'), lambda('sub', lambdaVariables('sub').corpNatGw)),'true'))]",
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-06-01",
"name": "[concat(variables('deploymentNames').corpNatGWDeploymentName, copyIndex())]",
From f822f20c0984f966e4968fa275ebdb81e3306198 Mon Sep 17 00:00:00 2001
From: Seif Bassem <38246040+sebassem@users.noreply.github.com>
Date: Tue, 11 Mar 2025 11:36:24 +0200
Subject: [PATCH 12/50] fix: Update default value and condition evaluation for
NAT gateway deployment
---
eslzArm/eslz-portal.json | 2 +-
eslzArm/eslzArm.json | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/eslzArm/eslz-portal.json b/eslzArm/eslz-portal.json
index ae34e1c6ce..3b4af1c6a5 100644
--- a/eslzArm/eslz-portal.json
+++ b/eslzArm/eslz-portal.json
@@ -5233,7 +5233,7 @@
"name": "corpDeployNATGateway",
"type": "Microsoft.Common.DropDown",
"label": "Corp NAT Gateway",
- "defaultValue": ["Yes"],
+ "defaultValue": ["true"],
"toolTip": "",
"multiselect": false,
"selectAll": false,
diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json
index 09d8781163..ced4390744 100644
--- a/eslzArm/eslzArm.json
+++ b/eslzArm/eslzArm.json
@@ -7854,7 +7854,7 @@
},
{
// Deploy a NAT gateway into the Corp subscription's virtual network
- "condition": "[and(or(equals(parameters('enableHub'), 'nva'), equals(parameters('enableHub'), 'vhub')), not(empty(parameters('corpConnectedLzSubscriptionId'))),equals(map(parameters('corpConnectedLzSubscriptionId'), lambda('sub', lambdaVariables('sub').corpNatGw)),'true'))]",
+ "condition": "[and(or(equals(parameters('enableHub'), 'nva'), equals(parameters('enableHub'), 'vhub')), not(empty(parameters('corpConnectedLzSubscriptionId'))), equals(parameters('corpConnectedLzSubscriptionId')[copyIndex()].corpNatGw, 'true'))]",
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-06-01",
"name": "[concat(variables('deploymentNames').corpNatGWDeploymentName, copyIndex())]",
From 88445c653381d0be751423934e811aebdd71e3e1 Mon Sep 17 00:00:00 2001
From: Seif Bassem <38246040+sebassem@users.noreply.github.com>
Date: Tue, 11 Mar 2025 11:38:59 +0200
Subject: [PATCH 13/50] fix: Remove corp peering deployment reference from ARM
template
---
eslzArm/eslzArm.json | 1 -
1 file changed, 1 deletion(-)
diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json
index ced4390744..84206e47be 100644
--- a/eslzArm/eslzArm.json
+++ b/eslzArm/eslzArm.json
@@ -7870,7 +7870,6 @@
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]",
- "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').corpPeeringDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vwanConnectivityHubLiteDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]",
From 32b3f8ac8f8c855b068fdb3492efda716c645fe9 Mon Sep 17 00:00:00 2001
From: Seif Bassem <38246040+sebassem@users.noreply.github.com>
Date: Tue, 11 Mar 2025 11:45:10 +0200
Subject: [PATCH 14/50] feat: Add NAT gateway name and public IP name to ARM
template
---
eslzArm/eslzArm.json | 15 +++++++++------
1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json
index 84206e47be..68cd35f30f 100644
--- a/eslzArm/eslzArm.json
+++ b/eslzArm/eslzArm.json
@@ -2039,7 +2039,9 @@
"azFwIpName": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-fwpip-', parameters('connectivityLocation'))]",
"identityVnet": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-vnet-', parameters('connectivityLocation'))]",
"identityVnetSecondary": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-vnet-', parameters('connectivityLocationSecondary'))]",
- "lzVnet": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-vnet-', parameters('connectivityLocation'))]"
+ "lzVnet": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-vnet-', parameters('connectivityLocation'))]",
+ "natGatewayName": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-natgw-', parameters('connectivityLocation'))]",
+ "natGatewayPublicIpName": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-natgwpip-', parameters('connectivityLocationSecondary'))]"
},
// Declaring deterministic resourceId's for platform resources that will be created
"singleVsDedicatedMgmtSub": "[if(empty(parameters('managementSubscriptionId')), parameters('singlePlatformSubscriptionId'), parameters('managementSubscriptionId'))]",
@@ -7873,6 +7875,7 @@
"[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vwanConnectivityHubLiteDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]",
+ "[concat(variables('deploymentNames').corpPeeringDeploymentName, copyIndex())]",
"corpConnectedMoveLzs"
],
"copy": {
@@ -7886,13 +7889,13 @@
"uri": "[variables('deploymentUris').corpNatGateway]"
},
"parameters": {
- "vNetRgName": {
- "value": "[variables('platformRgNames').lzVnetRg]"
+ "natGatewayName": {
+ "value": "[take(concat(variables('platformResourceNames').natGatewayName, '-', parameters('corpConnectedLzSubscriptionId')[copyIndex()].subs), 64)]"
},
- "vNetName": {
- "value": "[take(concat(variables('platformResourceNames').lzVnet, '-', parameters('corpConnectedLzSubscriptionId')[copyIndex()].subs), 64)]"
+ "natGatewayPublicIpName": {
+ "value": "[take(concat(variables('platformResourceNames').natGatewayPublicIpName, '-', parameters('corpConnectedLzSubscriptionId')[copyIndex()].subs), 64)]"
},
- "vNetLocation": {
+ "location": {
"value": "[parameters('connectivityLocation')]"
}
}
From 6218c1a2ef7411d65c39598443a595faef8badd8 Mon Sep 17 00:00:00 2001
From: Seif Bassem <38246040+sebassem@users.noreply.github.com>
Date: Tue, 11 Mar 2025 11:50:36 +0200
Subject: [PATCH 15/50] fix: Add resource group reference for NAT gateway
deployment in ARM template
---
eslzArm/eslzArm.json | 1 +
1 file changed, 1 insertion(+)
diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json
index 68cd35f30f..db85622e55 100644
--- a/eslzArm/eslzArm.json
+++ b/eslzArm/eslzArm.json
@@ -7861,6 +7861,7 @@
"apiVersion": "2020-06-01",
"name": "[concat(variables('deploymentNames').corpNatGWDeploymentName, copyIndex())]",
"subscriptionId": "[if(not(empty(parameters('corpConnectedLzSubscriptionId'))), parameters('corpConnectedLzSubscriptionId')[copyIndex()].subs, '')]",
+ "resourceGroup": "[variables('platformRgNames').lzVnetRg]",
"location": "[parameters('connectivityLocation')]",
"dependsOn": [
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHubDeploymentName)]",
From 5f0d58846e75ced804fdab3462475be537bc7b05 Mon Sep 17 00:00:00 2001
From: Seif Bassem <38246040+sebassem@users.noreply.github.com>
Date: Tue, 11 Mar 2025 11:53:05 +0200
Subject: [PATCH 16/50] fix: Remove location parameter from NAT gateway
deployment in ARM template
---
eslzArm/eslzArm.json | 1 -
1 file changed, 1 deletion(-)
diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json
index db85622e55..692d479ad2 100644
--- a/eslzArm/eslzArm.json
+++ b/eslzArm/eslzArm.json
@@ -7862,7 +7862,6 @@
"name": "[concat(variables('deploymentNames').corpNatGWDeploymentName, copyIndex())]",
"subscriptionId": "[if(not(empty(parameters('corpConnectedLzSubscriptionId'))), parameters('corpConnectedLzSubscriptionId')[copyIndex()].subs, '')]",
"resourceGroup": "[variables('platformRgNames').lzVnetRg]",
- "location": "[parameters('connectivityLocation')]",
"dependsOn": [
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHubDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vwanConnectivityHubDeploymentName)]",
From 881b0f89f2a951d00ec930e8be49979d66466642 Mon Sep 17 00:00:00 2001
From: Seif Bassem <38246040+sebassem@users.noreply.github.com>
Date: Tue, 11 Mar 2025 12:03:41 +0200
Subject: [PATCH 17/50] fix: Remove zones parameter from NAT gateway deployment
in ARM template
---
eslzArm/subscriptionTemplates/corp-nat-gateway.json | 7 +------
1 file changed, 1 insertion(+), 6 deletions(-)
diff --git a/eslzArm/subscriptionTemplates/corp-nat-gateway.json b/eslzArm/subscriptionTemplates/corp-nat-gateway.json
index d8164b152e..f6c53bd973 100644
--- a/eslzArm/subscriptionTemplates/corp-nat-gateway.json
+++ b/eslzArm/subscriptionTemplates/corp-nat-gateway.json
@@ -31,9 +31,6 @@
"sku": {
"name": "Standard"
},
- "zones": [
- "1"
- ],
"location": "[parameters('location')]",
"properties": {
"publicIPAllocationMethod": "Static"
@@ -46,9 +43,7 @@
"sku": {
"name": "Standard"
},
- "zones": [
- "1"
- ],
+ "zones": [],
"location": "[parameters('location')]",
"properties": {
"publicIpAddresses": [
From 77dc46d74621d53e177a4ad37068de101b4cce97 Mon Sep 17 00:00:00 2001
From: Seif Bassem <38246040+sebassem@users.noreply.github.com>
Date: Tue, 11 Mar 2025 13:15:17 +0200
Subject: [PATCH 18/50] feat: Add option to deploy NAT Gateway in Corp
subscriptions and update related parameters
---
eslzArm/eslz-portal.json | 49 +++++++++++++++++-----------------------
eslzArm/eslzArm.json | 8 ++++++-
2 files changed, 28 insertions(+), 29 deletions(-)
diff --git a/eslzArm/eslz-portal.json b/eslzArm/eslz-portal.json
index 3b4af1c6a5..660089b0f9 100644
--- a/eslzArm/eslz-portal.json
+++ b/eslzArm/eslz-portal.json
@@ -5154,6 +5154,26 @@
},
"visible": "[or(equals(steps('connectivity').enableHub, 'nva'), equals(steps('connectivity').enableHub, 'vhub'))]"
},
+ {
+ "name": "corpNatGteway",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Deploy NAT Gateway into corp landing zones (optional)?",
+ "defaultValue": "Yes",
+ "toolTip": "If 'Yes' is selected for corp landing zones, ARM will deploy a NAT gateway into the Corp subscriptions.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ },
+ "visible": "[or(equals(steps('connectivity').enableHub, 'nva'), equals(steps('connectivity').enableHub, 'vhub'))]"
+ },
{
"name": "esCorpLzSub",
"type": "Microsoft.Common.DropDown",
@@ -5224,34 +5244,6 @@
]
}
}
- },
- {
- "id": "corpNatGw",
- "header": "Deploy a NAT Gateway",
- "width": "1fr",
- "element": {
- "name": "corpDeployNATGateway",
- "type": "Microsoft.Common.DropDown",
- "label": "Corp NAT Gateway",
- "defaultValue": ["true"],
- "toolTip": "",
- "multiselect": false,
- "selectAll": false,
- "filter": true,
- "filterPlaceholder": "Filter items ...",
- "multiLine": false,
- "constraints": {
- "allowedValues": [{
- "label": "Yes",
- "value": "true"
- },
- {
- "label": "No",
- "value": "false"
- }],
- "required": true
- }
- }
}
]
}
@@ -9901,6 +9893,7 @@
"enableVmBackupForIdentity": "[steps('identity').enableVmBackupForIdentity]",
"identityAddressPrefix": "[steps('identity').identityAddressPrefix]",
"identityAddressPrefixSecondary": "[steps('identity').esIdentitySecondarySubSection.identityAddressPrefixSecondary]",
+ "corpDeployNATGateway": "[if(or(not(contains(steps('landingZones').corpSection.esCorpLzSub,steps('management').esMgmtSubSection.esMgmtSub)),not(contains(steps('landingZones').corpSection.esCorpLzSub,steps('connectivity').esNwSubSection.esNwSub))),steps('landingZones').corpSection.corpNatGteway,'')]",
"corpConnectedLzSubscriptionId": "[if(or(not(contains(steps('landingZones').corpSection.esCorpLzSub,steps('management').esMgmtSubSection.esMgmtSub)),not(contains(steps('landingZones').corpSection.esCorpLzSub,steps('connectivity').esNwSubSection.esNwSub))),steps('landingZones').corpSection.lzConnectedSubs,'')]",
"corpLzSubscriptionId": "[if(or(not(contains(steps('landingZones').corpSection.esCorpLzSub,steps('management').esMgmtSubSection.esMgmtSub)),not(contains(steps('landingZones').corpSection.esCorpLzSub,steps('connectivity').esNwSubSection.esNwSub))),steps('landingZones').corpSection.esCorpLzSub,'')]",
"onlineLzSubscriptionId": "[if(or(not(contains(steps('landingZones').onlineSection.esOnlineLzSub,steps('management').esMgmtSubSection.esMgmtSub)),not(contains(steps('landingZones').onlineSection.esOnlineLzSub,steps('connectivity').esNwSubSection.esNwSub))),steps('landingZones').onlineSection.esOnlineLzSub,'')]",
diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json
index 692d479ad2..be397434a2 100644
--- a/eslzArm/eslzArm.json
+++ b/eslzArm/eslzArm.json
@@ -778,6 +778,12 @@
"description": "Provide the subscription ids for existing, empty subscriptions you want to move in as your first corp landing zones and connect to virtual networking hub."
}
},
+ "corpDeployNATGateway": {
+ "type": "string",
+ "metadata": {
+ "description": "An option to deploy a NAT gateway into the Corp subscriptions to provide secure outbound internet access."
+ }
+ },
"corpLzSubscriptionId": {
"type": "array",
"defaultValue": [],
@@ -7856,7 +7862,7 @@
},
{
// Deploy a NAT gateway into the Corp subscription's virtual network
- "condition": "[and(or(equals(parameters('enableHub'), 'nva'), equals(parameters('enableHub'), 'vhub')), not(empty(parameters('corpConnectedLzSubscriptionId'))), equals(parameters('corpConnectedLzSubscriptionId')[copyIndex()].corpNatGw, 'true'))]",
+ "condition": "[and(or(equals(parameters('enableHub'), 'nva'), equals(parameters('enableHub'), 'vhub')), not(empty(parameters('corpConnectedLzSubscriptionId'))), equals(parameters('corpDeployNATGateway'), 'true'))]",
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-06-01",
"name": "[concat(variables('deploymentNames').corpNatGWDeploymentName, copyIndex())]",
From d023520e42e38fdbf24e02c9d81f7f343b929f0e Mon Sep 17 00:00:00 2001
From: Seif Bassem <38246040+sebassem@users.noreply.github.com>
Date: Tue, 11 Mar 2025 13:24:15 +0200
Subject: [PATCH 19/50] fix: Update tooltip for NAT Gateway deployment option
to clarify secure outbound access
---
eslzArm/eslz-portal.json | 2 +-
eslzArm/eslzArm.json | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/eslzArm/eslz-portal.json b/eslzArm/eslz-portal.json
index 660089b0f9..4b5aa47d32 100644
--- a/eslzArm/eslz-portal.json
+++ b/eslzArm/eslz-portal.json
@@ -5159,7 +5159,7 @@
"type": "Microsoft.Common.OptionsGroup",
"label": "Deploy NAT Gateway into corp landing zones (optional)?",
"defaultValue": "Yes",
- "toolTip": "If 'Yes' is selected for corp landing zones, ARM will deploy a NAT gateway into the Corp subscriptions.",
+ "toolTip": "If 'Yes' is selected for corp landing zones, ARM will deploy a NAT gateway into the Corp subscriptions to provide secure outbound internet access to the workloads in this subscription.",
"constraints": {
"allowedValues": [
{
diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json
index be397434a2..7d1c6def7a 100644
--- a/eslzArm/eslzArm.json
+++ b/eslzArm/eslzArm.json
@@ -7862,7 +7862,7 @@
},
{
// Deploy a NAT gateway into the Corp subscription's virtual network
- "condition": "[and(or(equals(parameters('enableHub'), 'nva'), equals(parameters('enableHub'), 'vhub')), not(empty(parameters('corpConnectedLzSubscriptionId'))), equals(parameters('corpDeployNATGateway'), 'true'))]",
+ "condition": "[and(or(equals(parameters('enableHub'), 'nva'), equals(parameters('enableHub'), 'vhub')), not(empty(parameters('corpConnectedLzSubscriptionId'))), equals(parameters('corpDeployNATGateway'), 'Yes'))]",
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-06-01",
"name": "[concat(variables('deploymentNames').corpNatGWDeploymentName, copyIndex())]",
From 8d36a1bf7c1fcf245e84da13c39f12c428a67a4f Mon Sep 17 00:00:00 2001
From: Seif Bassem <38246040+sebassem@users.noreply.github.com>
Date: Tue, 11 Mar 2025 13:34:52 +0200
Subject: [PATCH 20/50] fix: Update visibility condition for connectivity
options in eslz-portal.json
---
eslzArm/eslz-portal.json | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/eslzArm/eslz-portal.json b/eslzArm/eslz-portal.json
index 4b5aa47d32..b7dce4748f 100644
--- a/eslzArm/eslz-portal.json
+++ b/eslzArm/eslz-portal.json
@@ -5172,7 +5172,7 @@
}
]
},
- "visible": "[or(equals(steps('connectivity').enableHub, 'nva'), equals(steps('connectivity').enableHub, 'vhub'))]"
+ "visible": "[or(or(equals(steps('landingZones').corpSection.esLzConnectivity, 'No'), equals(steps('connectivity').enableHub, 'No')), equals(steps('connectivity').enableHub, 'vwan'), equals(steps('landingZones').corpSection.esLzConnectivity, 'No'))]"
},
{
"name": "esCorpLzSub",
From 5c64f7f285a8b9da732779c9f1a3d7a7ef5445d3 Mon Sep 17 00:00:00 2001
From: Seif Bassem <38246040+sebassem@users.noreply.github.com>
Date: Tue, 11 Mar 2025 13:42:18 +0200
Subject: [PATCH 21/50] feat: Add deployment for NAT gateway in Corp connected
subscriptions
---
eslzArm/eslzArm.json | 50 +++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 49 insertions(+), 1 deletion(-)
diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json
index 7d1c6def7a..43b912db3a 100644
--- a/eslzArm/eslzArm.json
+++ b/eslzArm/eslzArm.json
@@ -1837,6 +1837,7 @@
"mgmtGroupDeploymentName": "[take(concat('alz-Mgs', variables('deploymentSuffix')), 64)]",
"mgmtSubscriptionPlacement": "[take(concat('alz-MgmtSub', variables('deploymentSuffix')), 64)]",
"corpPeeringDeploymentName": "[take(concat('alz-CorpPeering', variables('deploymentSuffix')), 60)]",
+ "corpConnectedNatGWDeploymentName": "[take(concat('alz-CorpConnectedNatGw', variables('deploymentSuffix')), 60)]",
"corpNatGWDeploymentName": "[take(concat('alz-CorpNatGw', variables('deploymentSuffix')), 60)]",
"hubPeeringDeploymentName": "[take(concat('alz-HubPeering', variables('deploymentSuffix')), 60)]",
"hubPeering2DeploymentName": "[take(concat('alz-HubPeering2', variables('deploymentSuffix')), 60)]",
@@ -7862,10 +7863,57 @@
},
{
// Deploy a NAT gateway into the Corp subscription's virtual network
- "condition": "[and(or(equals(parameters('enableHub'), 'nva'), equals(parameters('enableHub'), 'vhub')), not(empty(parameters('corpConnectedLzSubscriptionId'))), equals(parameters('corpDeployNATGateway'), 'Yes'))]",
+ "condition": "[and(or(equals(parameters('enableHub'), 'nva'), equals(parameters('enableHub'), 'vhub')),not(empty(parameters('corpLzSubscriptionId'))), equals(parameters('corpDeployNATGateway'), 'Yes'))]",
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-06-01",
"name": "[concat(variables('deploymentNames').corpNatGWDeploymentName, copyIndex())]",
+ "subscriptionId": "[if(not(empty(parameters('corpLzSubscriptionId'))), parameters('corpLzSubscriptionId')[copyIndex()].subs, '')]",
+ "resourceGroup": "[variables('platformRgNames').lzVnetRg]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vwanConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosLzPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vwanConnectivityHubLiteDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]",
+ "[concat(variables('deploymentNames').corpPeeringDeploymentName, copyIndex())]",
+ "corpConnectedMoveLzs"
+ ],
+ "copy": {
+ "name": "deployNatGw",
+ "count": "[length(parameters('corpLzSubscriptionId'))]"
+ },
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').corpNatGateway]"
+ },
+ "parameters": {
+ "natGatewayName": {
+ "value": "[take(concat(variables('platformResourceNames').natGatewayName, '-', parameters('corpLzSubscriptionId')[copyIndex()].subs), 64)]"
+ },
+ "natGatewayPublicIpName": {
+ "value": "[take(concat(variables('platformResourceNames').natGatewayPublicIpName, '-', parameters('corpLzSubscriptionId')[copyIndex()].subs), 64)]"
+ },
+ "location": {
+ "value": "[parameters('connectivityLocation')]"
+ }
+ }
+ }
+ },
+ {
+ // Deploy a NAT gateway into the Corp connected subscription's virtual network
+ "condition": "[and(or(equals(parameters('enableHub'), 'nva'), equals(parameters('enableHub'), 'vhub')), not(empty(parameters('corpConnectedLzSubscriptionId'))), equals(parameters('corpDeployNATGateway'), 'Yes'))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-06-01",
+ "name": "[concat(variables('deploymentNames').corpConnectedNatGWDeploymentName, copyIndex())]",
"subscriptionId": "[if(not(empty(parameters('corpConnectedLzSubscriptionId'))), parameters('corpConnectedLzSubscriptionId')[copyIndex()].subs, '')]",
"resourceGroup": "[variables('platformRgNames').lzVnetRg]",
"dependsOn": [
From b1a103f5de5d5c599caeef18b4ef6e41ca8b4775 Mon Sep 17 00:00:00 2001
From: Seif Bassem <38246040+sebassem@users.noreply.github.com>
Date: Tue, 11 Mar 2025 13:54:07 +0200
Subject: [PATCH 22/50] fix: Correct subscriptionId parameter indexing in ARM
template for NAT Gateway deployment
---
eslzArm/eslzArm.json | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json
index 43b912db3a..5440994032 100644
--- a/eslzArm/eslzArm.json
+++ b/eslzArm/eslzArm.json
@@ -7867,7 +7867,7 @@
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-06-01",
"name": "[concat(variables('deploymentNames').corpNatGWDeploymentName, copyIndex())]",
- "subscriptionId": "[if(not(empty(parameters('corpLzSubscriptionId'))), parameters('corpLzSubscriptionId')[copyIndex()].subs, '')]",
+ "subscriptionId": "[if(not(empty(parameters('corpLzSubscriptionId'))), parameters('corpLzSubscriptionId')[copyIndex()], '')]",
"resourceGroup": "[variables('platformRgNames').lzVnetRg]",
"dependsOn": [
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHubDeploymentName)]",
From a44af7761eef04faa2313b87c14d8c434fcaa7d1 Mon Sep 17 00:00:00 2001
From: Seif Bassem <38246040+sebassem@users.noreply.github.com>
Date: Tue, 11 Mar 2025 13:59:37 +0200
Subject: [PATCH 23/50] fix: Remove unnecessary concat for corp peering
deployment name in eslzArm.json
---
eslzArm/eslzArm.json | 1 -
1 file changed, 1 deletion(-)
diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json
index 5440994032..d624aaa80a 100644
--- a/eslzArm/eslzArm.json
+++ b/eslzArm/eslzArm.json
@@ -7882,7 +7882,6 @@
"[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vwanConnectivityHubLiteDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]",
- "[concat(variables('deploymentNames').corpPeeringDeploymentName, copyIndex())]",
"corpConnectedMoveLzs"
],
"copy": {
From 3cb5aa12b50832da61f1ea1c580a7e51befdca06 Mon Sep 17 00:00:00 2001
From: Seif Bassem <38246040+sebassem@users.noreply.github.com>
Date: Tue, 11 Mar 2025 14:11:10 +0200
Subject: [PATCH 24/50] fix: Remove redundant visibility condition in
eslz-portal.json
---
eslzArm/eslz-portal.json | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/eslzArm/eslz-portal.json b/eslzArm/eslz-portal.json
index b7dce4748f..65ec472737 100644
--- a/eslzArm/eslz-portal.json
+++ b/eslzArm/eslz-portal.json
@@ -5171,8 +5171,7 @@
"value": "No"
}
]
- },
- "visible": "[or(or(equals(steps('landingZones').corpSection.esLzConnectivity, 'No'), equals(steps('connectivity').enableHub, 'No')), equals(steps('connectivity').enableHub, 'vwan'), equals(steps('landingZones').corpSection.esLzConnectivity, 'No'))]"
+ }
},
{
"name": "esCorpLzSub",
From dc968bed7ca08a05ecb6fb2fe7a412a51508d76e Mon Sep 17 00:00:00 2001
From: Seif Bassem <38246040+sebassem@users.noreply.github.com>
Date: Tue, 11 Mar 2025 14:32:01 +0200
Subject: [PATCH 25/50] fix: Simplify condition for NAT gateway deployment in
eslzArm.json
---
eslzArm/eslzArm.json | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json
index d624aaa80a..a0b661d566 100644
--- a/eslzArm/eslzArm.json
+++ b/eslzArm/eslzArm.json
@@ -7863,7 +7863,7 @@
},
{
// Deploy a NAT gateway into the Corp subscription's virtual network
- "condition": "[and(or(equals(parameters('enableHub'), 'nva'), equals(parameters('enableHub'), 'vhub')),not(empty(parameters('corpLzSubscriptionId'))), equals(parameters('corpDeployNATGateway'), 'Yes'))]",
+ "condition": "[and(not(empty(parameters('corpLzSubscriptionId'))), equals(parameters('corpDeployNATGateway'), 'Yes'))]",
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-06-01",
"name": "[concat(variables('deploymentNames').corpNatGWDeploymentName, copyIndex())]",
From 1db3ba85c2b321b44f0b2f4de2b23be10d17308d Mon Sep 17 00:00:00 2001
From: Seif Bassem <38246040+sebassem@users.noreply.github.com>
Date: Tue, 11 Mar 2025 14:36:53 +0200
Subject: [PATCH 26/50] fix: Remove unnecessary concat for subscriptionId in
NAT gateway parameters in eslzArm.json
---
eslzArm/eslzArm.json | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json
index a0b661d566..a04cf82ad9 100644
--- a/eslzArm/eslzArm.json
+++ b/eslzArm/eslzArm.json
@@ -7896,10 +7896,10 @@
},
"parameters": {
"natGatewayName": {
- "value": "[take(concat(variables('platformResourceNames').natGatewayName, '-', parameters('corpLzSubscriptionId')[copyIndex()].subs), 64)]"
+ "value": "[take(concat(variables('platformResourceNames').natGatewayName, '-', parameters('corpLzSubscriptionId')[copyIndex()]), 64)]"
},
"natGatewayPublicIpName": {
- "value": "[take(concat(variables('platformResourceNames').natGatewayPublicIpName, '-', parameters('corpLzSubscriptionId')[copyIndex()].subs), 64)]"
+ "value": "[take(concat(variables('platformResourceNames').natGatewayPublicIpName, '-', parameters('corpLzSubscriptionId')[copyIndex()]), 64)]"
},
"location": {
"value": "[parameters('connectivityLocation')]"
From 7346b20e7f74680fe136ae2eed91d9a2e1e9472e Mon Sep 17 00:00:00 2001
From: Seif Bassem <38246040+sebassem@users.noreply.github.com>
Date: Tue, 11 Mar 2025 14:44:26 +0200
Subject: [PATCH 27/50] fix: Remove unnecessary dependencies from NAT gateway
parameters in eslzArm.json
---
eslzArm/eslzArm.json | 7 -------
1 file changed, 7 deletions(-)
diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json
index a04cf82ad9..df29336b98 100644
--- a/eslzArm/eslzArm.json
+++ b/eslzArm/eslzArm.json
@@ -7870,18 +7870,11 @@
"subscriptionId": "[if(not(empty(parameters('corpLzSubscriptionId'))), parameters('corpLzSubscriptionId')[copyIndex()], '')]",
"resourceGroup": "[variables('platformRgNames').lzVnetRg]",
"dependsOn": [
- "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHubDeploymentName)]",
- "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vwanConnectivityHubDeploymentName)]",
- "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHubDeploymentName)]",
- "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosLzPolicyDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]",
- "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vwanConnectivityHubLiteDeploymentName)]",
- "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]",
- "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]",
"corpConnectedMoveLzs"
],
"copy": {
From 937b21b49646e3c8c22523f6c8484768ec89f483 Mon Sep 17 00:00:00 2001
From: Seif Bassem <38246040+sebassem@users.noreply.github.com>
Date: Tue, 11 Mar 2025 15:07:38 +0200
Subject: [PATCH 28/50] fix: Add resource group deployment for Corp NAT gateway
in eslzArm.json
---
eslzArm/eslzArm.json | 40 ++++++++++++++++++++++++++++++++++++++--
1 file changed, 38 insertions(+), 2 deletions(-)
diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json
index df29336b98..f6397806d3 100644
--- a/eslzArm/eslzArm.json
+++ b/eslzArm/eslzArm.json
@@ -1839,6 +1839,7 @@
"corpPeeringDeploymentName": "[take(concat('alz-CorpPeering', variables('deploymentSuffix')), 60)]",
"corpConnectedNatGWDeploymentName": "[take(concat('alz-CorpConnectedNatGw', variables('deploymentSuffix')), 60)]",
"corpNatGWDeploymentName": "[take(concat('alz-CorpNatGw', variables('deploymentSuffix')), 60)]",
+ "corpRgDeploymentName": "[take(concat('alz-NatGwRg', variables('deploymentSuffix')), 64)]",
"hubPeeringDeploymentName": "[take(concat('alz-HubPeering', variables('deploymentSuffix')), 60)]",
"hubPeering2DeploymentName": "[take(concat('alz-HubPeering2', variables('deploymentSuffix')), 60)]",
"connectivitySubscriptionPlacement": "[take(concat('alz-ConnectivitySub', variables('deploymentSuffix')), 64)]",
@@ -2023,7 +2024,8 @@
"privateDnsRg2": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-privatedns-02')]",
"identityVnetRg": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-vnet-', parameters('connectivityLocation'))]",
"identityVnetRgSecondary": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-vnet-', parameters('connectivityLocationSecondary'))]",
- "lzVnetRg": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-vnet-', parameters('connectivityLocation'))]"
+ "lzVnetRg": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-vnet-', parameters('connectivityLocation'))]",
+ "natGwRg": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-natgw-', parameters('connectivityLocation'))]"
},
// Declaring deterministic names for platform resources that will be created
"platformResourceNames": {
@@ -7861,6 +7863,40 @@
}
}
},
+ {
+ // Creating resource group for Corp Nat gateway deployment
+ "condition": "[and(not(empty(parameters('corpLzSubscriptionId'))), equals(parameters('corpDeployNATGateway'), 'Yes'))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "[concat(variables('deploymentNames').corpRgDeploymentName, copyIndex())]",
+ "subscriptionId": "[if(not(empty(parameters('corpLzSubscriptionId'))), parameters('corpLzSubscriptionId')[copyIndex()], '')]",
+ "location": "[deployment().location]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').platformLiteSubscriptionPlacement)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').asbPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]"
+ ],
+ "copy": {
+ "name": "deployNatGwRg",
+ "count": "[length(parameters('corpLzSubscriptionId'))]"
+ },
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').resourceGroup]"
+ },
+ "parameters": {
+ "rgName": {
+ "value": "[variables('platformRgNames').natGwRg]"
+ },
+ "location": {
+ "value": "[parameters('connectivityLocation')]"
+ }
+ }
+ }
+ },
{
// Deploy a NAT gateway into the Corp subscription's virtual network
"condition": "[and(not(empty(parameters('corpLzSubscriptionId'))), equals(parameters('corpDeployNATGateway'), 'Yes'))]",
@@ -7868,7 +7904,7 @@
"apiVersion": "2020-06-01",
"name": "[concat(variables('deploymentNames').corpNatGWDeploymentName, copyIndex())]",
"subscriptionId": "[if(not(empty(parameters('corpLzSubscriptionId'))), parameters('corpLzSubscriptionId')[copyIndex()], '')]",
- "resourceGroup": "[variables('platformRgNames').lzVnetRg]",
+ "resourceGroup": "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').corpRgDeploymentName, copyIndex())]",
"dependsOn": [
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]",
From 9b1246ff149b3011b98223d6e0a598ae84964c72 Mon Sep 17 00:00:00 2001
From: Seif Bassem <38246040+sebassem@users.noreply.github.com>
Date: Tue, 11 Mar 2025 15:09:37 +0200
Subject: [PATCH 29/50] fix: Update resource group reference for Corp NAT
gateway in eslzArm.json
---
eslzArm/eslzArm.json | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json
index f6397806d3..8118d1e77b 100644
--- a/eslzArm/eslzArm.json
+++ b/eslzArm/eslzArm.json
@@ -7904,7 +7904,7 @@
"apiVersion": "2020-06-01",
"name": "[concat(variables('deploymentNames').corpNatGWDeploymentName, copyIndex())]",
"subscriptionId": "[if(not(empty(parameters('corpLzSubscriptionId'))), parameters('corpLzSubscriptionId')[copyIndex()], '')]",
- "resourceGroup": "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').corpRgDeploymentName, copyIndex())]",
+ "resourceGroup": "[concat(variables('deploymentNames').corpRgDeploymentName, copyIndex())]",
"dependsOn": [
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]",
From 8be57ace7b960e0840af88c05ce97fd27f6c3a0c Mon Sep 17 00:00:00 2001
From: Seif Bassem <38246040+sebassem@users.noreply.github.com>
Date: Tue, 11 Mar 2025 15:20:37 +0200
Subject: [PATCH 30/50] fix: Update resource group references for NAT gateway
in eslzArm.json
---
eslzArm/eslzArm.json | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json
index 8118d1e77b..aa6b1d5005 100644
--- a/eslzArm/eslzArm.json
+++ b/eslzArm/eslzArm.json
@@ -1839,7 +1839,6 @@
"corpPeeringDeploymentName": "[take(concat('alz-CorpPeering', variables('deploymentSuffix')), 60)]",
"corpConnectedNatGWDeploymentName": "[take(concat('alz-CorpConnectedNatGw', variables('deploymentSuffix')), 60)]",
"corpNatGWDeploymentName": "[take(concat('alz-CorpNatGw', variables('deploymentSuffix')), 60)]",
- "corpRgDeploymentName": "[take(concat('alz-NatGwRg', variables('deploymentSuffix')), 64)]",
"hubPeeringDeploymentName": "[take(concat('alz-HubPeering', variables('deploymentSuffix')), 60)]",
"hubPeering2DeploymentName": "[take(concat('alz-HubPeering2', variables('deploymentSuffix')), 60)]",
"connectivitySubscriptionPlacement": "[take(concat('alz-ConnectivitySub', variables('deploymentSuffix')), 64)]",
@@ -7868,7 +7867,7 @@
"condition": "[and(not(empty(parameters('corpLzSubscriptionId'))), equals(parameters('corpDeployNATGateway'), 'Yes'))]",
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
- "name": "[concat(variables('deploymentNames').corpRgDeploymentName, copyIndex())]",
+ "name": "[concat(variables('platformRgNames').natGwRg, copyIndex())]",
"subscriptionId": "[if(not(empty(parameters('corpLzSubscriptionId'))), parameters('corpLzSubscriptionId')[copyIndex()], '')]",
"location": "[deployment().location]",
"dependsOn": [
@@ -7904,7 +7903,7 @@
"apiVersion": "2020-06-01",
"name": "[concat(variables('deploymentNames').corpNatGWDeploymentName, copyIndex())]",
"subscriptionId": "[if(not(empty(parameters('corpLzSubscriptionId'))), parameters('corpLzSubscriptionId')[copyIndex()], '')]",
- "resourceGroup": "[concat(variables('deploymentNames').corpRgDeploymentName, copyIndex())]",
+ "resourceGroup": "[concat(variables('platformRgNames').natGwRg, copyIndex())]",
"dependsOn": [
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]",
From 7d6f54d7b39d67a8d4006822c14dc0305291bee1 Mon Sep 17 00:00:00 2001
From: Seif Bassem <38246040+sebassem@users.noreply.github.com>
Date: Tue, 11 Mar 2025 15:52:45 +0200
Subject: [PATCH 31/50] fix: Add missing dependency for NAT gateway resource
group in eslzArm.json
---
eslzArm/eslzArm.json | 1 +
1 file changed, 1 insertion(+)
diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json
index aa6b1d5005..ca3dd490c3 100644
--- a/eslzArm/eslzArm.json
+++ b/eslzArm/eslzArm.json
@@ -7905,6 +7905,7 @@
"subscriptionId": "[if(not(empty(parameters('corpLzSubscriptionId'))), parameters('corpLzSubscriptionId')[copyIndex()], '')]",
"resourceGroup": "[concat(variables('platformRgNames').natGwRg, copyIndex())]",
"dependsOn": [
+ "[resourceId('Microsoft.Resources/resourceGroups', variables('platformRgNames').natGwRg)]",
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]",
From 03060c6094d9d4f83d1e8319e44c75a82200b01b Mon Sep 17 00:00:00 2001
From: Seif Bassem <38246040+sebassem@users.noreply.github.com>
Date: Tue, 11 Mar 2025 15:54:36 +0200
Subject: [PATCH 32/50] fix: Correct NAT gateway resource group name
concatenation in eslzArm.json
---
eslzArm/eslzArm.json | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json
index ca3dd490c3..16b66920b4 100644
--- a/eslzArm/eslzArm.json
+++ b/eslzArm/eslzArm.json
@@ -7867,7 +7867,7 @@
"condition": "[and(not(empty(parameters('corpLzSubscriptionId'))), equals(parameters('corpDeployNATGateway'), 'Yes'))]",
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
- "name": "[concat(variables('platformRgNames').natGwRg, copyIndex())]",
+ "name": "[concat(variables('platformRgNames').natGwRg)]",
"subscriptionId": "[if(not(empty(parameters('corpLzSubscriptionId'))), parameters('corpLzSubscriptionId')[copyIndex()], '')]",
"location": "[deployment().location]",
"dependsOn": [
From a5c862835f8bc8737905a13bef7d213515b2c47e Mon Sep 17 00:00:00 2001
From: Seif Bassem <38246040+sebassem@users.noreply.github.com>
Date: Tue, 11 Mar 2025 15:58:04 +0200
Subject: [PATCH 33/50] fix: Update NAT gateway resource group name
concatenation to include copy index in eslzArm.json
---
eslzArm/eslzArm.json | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json
index 16b66920b4..1a87b28b1f 100644
--- a/eslzArm/eslzArm.json
+++ b/eslzArm/eslzArm.json
@@ -7867,7 +7867,7 @@
"condition": "[and(not(empty(parameters('corpLzSubscriptionId'))), equals(parameters('corpDeployNATGateway'), 'Yes'))]",
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
- "name": "[concat(variables('platformRgNames').natGwRg)]",
+ "name": "[concat(variables('platformRgNames').natGwRg, copyIndex())]",
"subscriptionId": "[if(not(empty(parameters('corpLzSubscriptionId'))), parameters('corpLzSubscriptionId')[copyIndex()], '')]",
"location": "[deployment().location]",
"dependsOn": [
@@ -7905,7 +7905,7 @@
"subscriptionId": "[if(not(empty(parameters('corpLzSubscriptionId'))), parameters('corpLzSubscriptionId')[copyIndex()], '')]",
"resourceGroup": "[concat(variables('platformRgNames').natGwRg, copyIndex())]",
"dependsOn": [
- "[resourceId('Microsoft.Resources/resourceGroups', variables('platformRgNames').natGwRg)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('platformRgNames').natGwRg)]",
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]",
From 60ec892e62da8f135f98f0372312ddddadca3a5f Mon Sep 17 00:00:00 2001
From: Seif Bassem <38246040+sebassem@users.noreply.github.com>
Date: Tue, 11 Mar 2025 17:12:38 +0200
Subject: [PATCH 34/50] fix: Update API version and correct dependency
reference for Corp NAT gateway in eslzArm.json
---
eslzArm/eslzArm.json | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json
index 1a87b28b1f..d1c1701f73 100644
--- a/eslzArm/eslzArm.json
+++ b/eslzArm/eslzArm.json
@@ -7866,7 +7866,7 @@
// Creating resource group for Corp Nat gateway deployment
"condition": "[and(not(empty(parameters('corpLzSubscriptionId'))), equals(parameters('corpDeployNATGateway'), 'Yes'))]",
"type": "Microsoft.Resources/deployments",
- "apiVersion": "2020-10-01",
+ "apiVersion": "2020-06-01",
"name": "[concat(variables('platformRgNames').natGwRg, copyIndex())]",
"subscriptionId": "[if(not(empty(parameters('corpLzSubscriptionId'))), parameters('corpLzSubscriptionId')[copyIndex()], '')]",
"location": "[deployment().location]",
@@ -7905,7 +7905,7 @@
"subscriptionId": "[if(not(empty(parameters('corpLzSubscriptionId'))), parameters('corpLzSubscriptionId')[copyIndex()], '')]",
"resourceGroup": "[concat(variables('platformRgNames').natGwRg, copyIndex())]",
"dependsOn": [
- "[resourceId('Microsoft.Resources/deployments', variables('platformRgNames').natGwRg)]",
+ "[resourceId('Microsoft.Resources/resourceGroups', variables('platformRgNames').natGwRg[copyIndex()])]",
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]",
From 8fa4ab8698be1639d52d15acfbc8054510b39833 Mon Sep 17 00:00:00 2001
From: Seif Bassem <38246040+sebassem@users.noreply.github.com>
Date: Tue, 11 Mar 2025 17:16:12 +0200
Subject: [PATCH 35/50] fix: Correct dependency reference for NAT gateway
resource group in eslzArm.json
---
eslzArm/eslzArm.json | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json
index d1c1701f73..ee14f98a8a 100644
--- a/eslzArm/eslzArm.json
+++ b/eslzArm/eslzArm.json
@@ -7905,7 +7905,7 @@
"subscriptionId": "[if(not(empty(parameters('corpLzSubscriptionId'))), parameters('corpLzSubscriptionId')[copyIndex()], '')]",
"resourceGroup": "[concat(variables('platformRgNames').natGwRg, copyIndex())]",
"dependsOn": [
- "[resourceId('Microsoft.Resources/resourceGroups', variables('platformRgNames').natGwRg[copyIndex()])]",
+ "[resourceId('Microsoft.Resources/resourceGroups', concat(variables('platformRgNames').natGwRg),copyIndex())]",
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]",
From e72db341324758e99a02203c9a7b5dfa760668cb Mon Sep 17 00:00:00 2001
From: Seif Bassem <38246040+sebassem@users.noreply.github.com>
Date: Tue, 11 Mar 2025 17:20:38 +0200
Subject: [PATCH 36/50] fix: Update resource group reference and dependencies
for Corp NAT gateway in eslzArm.json
---
eslzArm/eslzArm.json | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json
index ee14f98a8a..8a91e28890 100644
--- a/eslzArm/eslzArm.json
+++ b/eslzArm/eslzArm.json
@@ -7903,9 +7903,9 @@
"apiVersion": "2020-06-01",
"name": "[concat(variables('deploymentNames').corpNatGWDeploymentName, copyIndex())]",
"subscriptionId": "[if(not(empty(parameters('corpLzSubscriptionId'))), parameters('corpLzSubscriptionId')[copyIndex()], '')]",
- "resourceGroup": "[concat(variables('platformRgNames').natGwRg, copyIndex())]",
+ "resourceGroup": "[concat(variables('platformRgNames').natGwRg)]",
"dependsOn": [
- "[resourceId('Microsoft.Resources/resourceGroups', concat(variables('platformRgNames').natGwRg),copyIndex())]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').corpNatGWDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]",
From 468cb7ca708e9fb2f452ff7eb2b1beb903102e33 Mon Sep 17 00:00:00 2001
From: Seif Bassem <38246040+sebassem@users.noreply.github.com>
Date: Tue, 11 Mar 2025 17:24:31 +0200
Subject: [PATCH 37/50] fix: Update dependency reference for NAT gateway to use
resource group in eslzArm.json
---
eslzArm/eslzArm.json | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json
index 8a91e28890..d7daebf851 100644
--- a/eslzArm/eslzArm.json
+++ b/eslzArm/eslzArm.json
@@ -7905,7 +7905,7 @@
"subscriptionId": "[if(not(empty(parameters('corpLzSubscriptionId'))), parameters('corpLzSubscriptionId')[copyIndex()], '')]",
"resourceGroup": "[concat(variables('platformRgNames').natGwRg)]",
"dependsOn": [
- "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').corpNatGWDeploymentName)]",
+ "[resourceId('Microsoft.Resources/resourceGroups', variables('platformRgNames').natGwRg)]",
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]",
From f00126c030ce0cffcfff20b90800e412638d0da9 Mon Sep 17 00:00:00 2001
From: Seif Bassem <38246040+sebassem@users.noreply.github.com>
Date: Tue, 11 Mar 2025 17:28:11 +0200
Subject: [PATCH 38/50] fix: Remove copy index from NAT gateway resource group
name in eslzArm.json
---
eslzArm/eslzArm.json | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json
index d7daebf851..4ef69e784b 100644
--- a/eslzArm/eslzArm.json
+++ b/eslzArm/eslzArm.json
@@ -7867,7 +7867,7 @@
"condition": "[and(not(empty(parameters('corpLzSubscriptionId'))), equals(parameters('corpDeployNATGateway'), 'Yes'))]",
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-06-01",
- "name": "[concat(variables('platformRgNames').natGwRg, copyIndex())]",
+ "name": "[variables('platformRgNames').natGwRg]",
"subscriptionId": "[if(not(empty(parameters('corpLzSubscriptionId'))), parameters('corpLzSubscriptionId')[copyIndex()], '')]",
"location": "[deployment().location]",
"dependsOn": [
From 9431771b3505168ade2bcc3dab52e0ff583bee8f Mon Sep 17 00:00:00 2001
From: Seif Bassem <38246040+sebassem@users.noreply.github.com>
Date: Tue, 11 Mar 2025 17:34:22 +0200
Subject: [PATCH 39/50] fix: Add deployment name for Corp NAT gateway resource
group in eslzArm.json
---
eslzArm/eslzArm.json | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json
index 4ef69e784b..91d1250706 100644
--- a/eslzArm/eslzArm.json
+++ b/eslzArm/eslzArm.json
@@ -1839,6 +1839,7 @@
"corpPeeringDeploymentName": "[take(concat('alz-CorpPeering', variables('deploymentSuffix')), 60)]",
"corpConnectedNatGWDeploymentName": "[take(concat('alz-CorpConnectedNatGw', variables('deploymentSuffix')), 60)]",
"corpNatGWDeploymentName": "[take(concat('alz-CorpNatGw', variables('deploymentSuffix')), 60)]",
+ "corpNatGWRgDeploymentName": "[take(concat('alz-CorpNatGwRg', variables('deploymentSuffix')), 60)]",
"hubPeeringDeploymentName": "[take(concat('alz-HubPeering', variables('deploymentSuffix')), 60)]",
"hubPeering2DeploymentName": "[take(concat('alz-HubPeering2', variables('deploymentSuffix')), 60)]",
"connectivitySubscriptionPlacement": "[take(concat('alz-ConnectivitySub', variables('deploymentSuffix')), 64)]",
@@ -7867,7 +7868,7 @@
"condition": "[and(not(empty(parameters('corpLzSubscriptionId'))), equals(parameters('corpDeployNATGateway'), 'Yes'))]",
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-06-01",
- "name": "[variables('platformRgNames').natGwRg]",
+ "name": "[concat(variables('deploymentNames').corpNatGWRgDeploymentName, copyIndex())]",
"subscriptionId": "[if(not(empty(parameters('corpLzSubscriptionId'))), parameters('corpLzSubscriptionId')[copyIndex()], '')]",
"location": "[deployment().location]",
"dependsOn": [
@@ -7905,7 +7906,7 @@
"subscriptionId": "[if(not(empty(parameters('corpLzSubscriptionId'))), parameters('corpLzSubscriptionId')[copyIndex()], '')]",
"resourceGroup": "[concat(variables('platformRgNames').natGwRg)]",
"dependsOn": [
- "[resourceId('Microsoft.Resources/resourceGroups', variables('platformRgNames').natGwRg)]",
+ "[resourceId('Microsoft.Resources/deployments', concat(variables('deploymentNames').corpNatGWRgDeploymentName),copyIndex())]",
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]",
From 865a5dcb07199acafe1027650ccbbad9ab4d5e21 Mon Sep 17 00:00:00 2001
From: Seif Bassem <38246040+sebassem@users.noreply.github.com>
Date: Tue, 11 Mar 2025 17:35:58 +0200
Subject: [PATCH 40/50] fix: Update dependency reference for Corp NAT gateway
resource group in eslzArm.json
---
eslzArm/eslzArm.json | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json
index 91d1250706..1a63ef7025 100644
--- a/eslzArm/eslzArm.json
+++ b/eslzArm/eslzArm.json
@@ -7906,7 +7906,7 @@
"subscriptionId": "[if(not(empty(parameters('corpLzSubscriptionId'))), parameters('corpLzSubscriptionId')[copyIndex()], '')]",
"resourceGroup": "[concat(variables('platformRgNames').natGwRg)]",
"dependsOn": [
- "[resourceId('Microsoft.Resources/deployments', concat(variables('deploymentNames').corpNatGWRgDeploymentName),copyIndex())]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').corpNatGWRgDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]",
From 16b511d730332ff1815d5c7decb83ee2fc85f53f Mon Sep 17 00:00:00 2001
From: Seif Bassem <38246040+sebassem@users.noreply.github.com>
Date: Tue, 11 Mar 2025 17:37:51 +0200
Subject: [PATCH 41/50] fix: Remove copy index from deployment name for Corp
NAT gateway in eslzArm.json
---
eslzArm/eslzArm.json | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json
index 1a63ef7025..3b6e997709 100644
--- a/eslzArm/eslzArm.json
+++ b/eslzArm/eslzArm.json
@@ -7868,7 +7868,7 @@
"condition": "[and(not(empty(parameters('corpLzSubscriptionId'))), equals(parameters('corpDeployNATGateway'), 'Yes'))]",
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-06-01",
- "name": "[concat(variables('deploymentNames').corpNatGWRgDeploymentName, copyIndex())]",
+ "name": "[variables('deploymentNames').corpNatGWRgDeploymentName]",
"subscriptionId": "[if(not(empty(parameters('corpLzSubscriptionId'))), parameters('corpLzSubscriptionId')[copyIndex()], '')]",
"location": "[deployment().location]",
"dependsOn": [
From 0dbb08697692d45ca8bf581d18b5d6d16e5dac4a Mon Sep 17 00:00:00 2001
From: Seif Bassem <38246040+sebassem@users.noreply.github.com>
Date: Tue, 11 Mar 2025 17:43:20 +0200
Subject: [PATCH 42/50] fix: Append copy index to deployment name for Corp NAT
gateway in eslzArm.json
---
eslzArm/eslzArm.json | 4 ++--
resourceGroups.json | 0
2 files changed, 2 insertions(+), 2 deletions(-)
create mode 100644 resourceGroups.json
diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json
index 3b6e997709..cec28c6a56 100644
--- a/eslzArm/eslzArm.json
+++ b/eslzArm/eslzArm.json
@@ -7868,7 +7868,7 @@
"condition": "[and(not(empty(parameters('corpLzSubscriptionId'))), equals(parameters('corpDeployNATGateway'), 'Yes'))]",
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-06-01",
- "name": "[variables('deploymentNames').corpNatGWRgDeploymentName]",
+ "name": "[concat(variables('deploymentNames').corpNatGWRgDeploymentName, copyIndex())]",
"subscriptionId": "[if(not(empty(parameters('corpLzSubscriptionId'))), parameters('corpLzSubscriptionId')[copyIndex()], '')]",
"location": "[deployment().location]",
"dependsOn": [
@@ -7906,7 +7906,7 @@
"subscriptionId": "[if(not(empty(parameters('corpLzSubscriptionId'))), parameters('corpLzSubscriptionId')[copyIndex()], '')]",
"resourceGroup": "[concat(variables('platformRgNames').natGwRg)]",
"dependsOn": [
- "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').corpNatGWRgDeploymentName)]",
+ "deployNatGwRg",
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]",
diff --git a/resourceGroups.json b/resourceGroups.json
new file mode 100644
index 0000000000..e69de29bb2
From c256b5bdf1d22ecc57a07f9adc5d1b67b6c2c6df Mon Sep 17 00:00:00 2001
From: Seif Bassem <38246040+sebassem@users.noreply.github.com>
Date: Tue, 11 Mar 2025 17:43:42 +0200
Subject: [PATCH 43/50] fix: Remove resourceGroups.json file
---
resourceGroups.json | 0
1 file changed, 0 insertions(+), 0 deletions(-)
delete mode 100644 resourceGroups.json
diff --git a/resourceGroups.json b/resourceGroups.json
deleted file mode 100644
index e69de29bb2..0000000000
From 8beeffb45127504f179fa63e7d14b42be1155541 Mon Sep 17 00:00:00 2001
From: Seif Bassem <38246040+sebassem@users.noreply.github.com>
Date: Wed, 12 Mar 2025 16:45:31 +0200
Subject: [PATCH 44/50] fix: Rename corpNatGteway to corpNatGateway and add
online NAT gateway deployment options
---
eslzArm/eslz-portal.json | 24 +++++++++++-
eslzArm/eslzArm.json | 85 +++++++++++++++++++++++++++++++++++++++-
2 files changed, 105 insertions(+), 4 deletions(-)
diff --git a/eslzArm/eslz-portal.json b/eslzArm/eslz-portal.json
index 65ec472737..b6ac408ae0 100644
--- a/eslzArm/eslz-portal.json
+++ b/eslzArm/eslz-portal.json
@@ -5155,7 +5155,7 @@
"visible": "[or(equals(steps('connectivity').enableHub, 'nva'), equals(steps('connectivity').enableHub, 'vhub'))]"
},
{
- "name": "corpNatGteway",
+ "name": "corpNatGateway",
"type": "Microsoft.Common.OptionsGroup",
"label": "Deploy NAT Gateway into corp landing zones (optional)?",
"defaultValue": "Yes",
@@ -5359,6 +5359,25 @@
}
}
},
+ {
+ "name": "onlineNatGateway",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Deploy NAT Gateway into online landing zones (optional)?",
+ "defaultValue": "Yes",
+ "toolTip": "If 'Yes' is selected for online landing zones, ARM will deploy a NAT gateway into the online subscriptions to provide secure outbound internet access to the workloads in this subscription.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ }
+ },
{
"name": "esOnlineLzSub",
"type": "Microsoft.Common.DropDown",
@@ -9892,10 +9911,11 @@
"enableVmBackupForIdentity": "[steps('identity').enableVmBackupForIdentity]",
"identityAddressPrefix": "[steps('identity').identityAddressPrefix]",
"identityAddressPrefixSecondary": "[steps('identity').esIdentitySecondarySubSection.identityAddressPrefixSecondary]",
- "corpDeployNATGateway": "[if(or(not(contains(steps('landingZones').corpSection.esCorpLzSub,steps('management').esMgmtSubSection.esMgmtSub)),not(contains(steps('landingZones').corpSection.esCorpLzSub,steps('connectivity').esNwSubSection.esNwSub))),steps('landingZones').corpSection.corpNatGteway,'')]",
+ "corpDeployNATGateway": "[if(or(not(contains(steps('landingZones').corpSection.esCorpLzSub,steps('management').esMgmtSubSection.esMgmtSub)),not(contains(steps('landingZones').corpSection.esCorpLzSub,steps('connectivity').esNwSubSection.esNwSub))),steps('landingZones').corpSection.corpNatGateway,'')]",
"corpConnectedLzSubscriptionId": "[if(or(not(contains(steps('landingZones').corpSection.esCorpLzSub,steps('management').esMgmtSubSection.esMgmtSub)),not(contains(steps('landingZones').corpSection.esCorpLzSub,steps('connectivity').esNwSubSection.esNwSub))),steps('landingZones').corpSection.lzConnectedSubs,'')]",
"corpLzSubscriptionId": "[if(or(not(contains(steps('landingZones').corpSection.esCorpLzSub,steps('management').esMgmtSubSection.esMgmtSub)),not(contains(steps('landingZones').corpSection.esCorpLzSub,steps('connectivity').esNwSubSection.esNwSub))),steps('landingZones').corpSection.esCorpLzSub,'')]",
"onlineLzSubscriptionId": "[if(or(not(contains(steps('landingZones').onlineSection.esOnlineLzSub,steps('management').esMgmtSubSection.esMgmtSub)),not(contains(steps('landingZones').onlineSection.esOnlineLzSub,steps('connectivity').esNwSubSection.esNwSub))),steps('landingZones').onlineSection.esOnlineLzSub,'')]",
+ "onlineDeployNATGateway": "[if(or(not(contains(steps('landingZones').onlineSection.esOnlineLzSub,steps('management').esMgmtSubSection.esMgmtSub)),not(contains(steps('landingZones').onlineSection.esOnlineLzSub,steps('connectivity').esNwSubSection.esNwSub))),steps('landingZones').onlineSection.onlineNatGateway,'')]",
"enableLzDdoS": "[steps('landingZones').lzSection.enableLzDdoS]",
"denyPublicEndpoints": "[steps('landingZones').corpSection.denyPublicEndpoints]",
"denyPipOnNicForCorp": "[steps('landingZones').corpSection.denyPipOnNicForCorp]",
diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json
index cec28c6a56..2a494d0923 100644
--- a/eslzArm/eslzArm.json
+++ b/eslzArm/eslzArm.json
@@ -798,6 +798,12 @@
"description": "Provide the subscription ids for existing, empty subscriptions you want to move in as your first online landing zones."
}
},
+ "onlineDeployNATGateway": {
+ "type": "string",
+ "metadata": {
+ "description": "An option to deploy a NAT gateway into the online subscriptions to provide secure outbound internet access."
+ }
+ },
"enableLzDdoS": {
"type": "string",
"defaultValue": "No",
@@ -1839,6 +1845,7 @@
"corpPeeringDeploymentName": "[take(concat('alz-CorpPeering', variables('deploymentSuffix')), 60)]",
"corpConnectedNatGWDeploymentName": "[take(concat('alz-CorpConnectedNatGw', variables('deploymentSuffix')), 60)]",
"corpNatGWDeploymentName": "[take(concat('alz-CorpNatGw', variables('deploymentSuffix')), 60)]",
+ "onlineNatGWDeploymentName": "[take(concat('alz-onlineNatGw', variables('deploymentSuffix')), 60)]",
"corpNatGWRgDeploymentName": "[take(concat('alz-CorpNatGwRg', variables('deploymentSuffix')), 60)]",
"hubPeeringDeploymentName": "[take(concat('alz-HubPeering', variables('deploymentSuffix')), 60)]",
"hubPeering2DeploymentName": "[take(concat('alz-HubPeering2', variables('deploymentSuffix')), 60)]",
@@ -7738,6 +7745,80 @@
}
}
},
+ {
+ // Creating resource group for online Nat gateway deployment
+ "condition": "[and(not(empty(parameters('onlineLzSubscriptionId'))), equals(parameters('onlineDeployNATGateway'), 'Yes'))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-06-01",
+ "name": "[concat(variables('deploymentNames').corpNatGWRgDeploymentName, copyIndex())]",
+ "subscriptionId": "[if(not(empty(parameters('onlineLzSubscriptionId'))), parameters('onlineLzSubscriptionId')[copyIndex()], '')]",
+ "location": "[deployment().location]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').platformLiteSubscriptionPlacement)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').asbPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]"
+ ],
+ "copy": {
+ "name": "deployOnlineNatGwRg",
+ "count": "[length(parameters('onlineLzSubscriptionId'))]"
+ },
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').resourceGroup]"
+ },
+ "parameters": {
+ "rgName": {
+ "value": "[variables('platformRgNames').natGwRg]"
+ },
+ "location": {
+ "value": "[parameters('connectivityLocation')]"
+ }
+ }
+ }
+ },
+ {
+ // Deploy a NAT gateway into the Online subscriptions
+ "condition": "[and(not(empty(parameters('onlineLzSubscriptionId'))), equals(parameters('onlineDeployNATGateway'), 'Yes'))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-06-01",
+ "name": "[concat(variables('deploymentNames').onlineNatGWDeploymentName, copyIndex())]",
+ "subscriptionId": "[if(not(empty(parameters('onlineLzSubscriptionId'))), parameters('onlineLzSubscriptionId')[copyIndex()], '')]",
+ "resourceGroup": "[concat(variables('platformRgNames').natGwRg)]",
+ "dependsOn": [
+ "deployOnlineNatGwRg",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]",
+ "corpConnectedMoveLzs"
+ ],
+ "copy": {
+ "name": "deployNatGw",
+ "count": "[length(parameters('onlineLzSubscriptionId'))]"
+ },
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').corpNatGateway]"
+ },
+ "parameters": {
+ "natGatewayName": {
+ "value": "[take(concat(variables('platformResourceNames').natGatewayName, '-', parameters('corpLzSubscriptionId')[copyIndex()]), 64)]"
+ },
+ "natGatewayPublicIpName": {
+ "value": "[take(concat(variables('platformResourceNames').natGatewayPublicIpName, '-', parameters('corpLzSubscriptionId')[copyIndex()]), 64)]"
+ },
+ "location": {
+ "value": "[parameters('connectivityLocation')]"
+ }
+ }
+ }
+ },
{
// Placing subscriptions into corp landing zone management group
"condition": "[not(empty(parameters('corpLzSubscriptionId')))]",
@@ -7898,7 +7979,7 @@
}
},
{
- // Deploy a NAT gateway into the Corp subscription's virtual network
+ // Deploy a NAT gateway into the Corp subscriptions
"condition": "[and(not(empty(parameters('corpLzSubscriptionId'))), equals(parameters('corpDeployNATGateway'), 'Yes'))]",
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-06-01",
@@ -7938,7 +8019,7 @@
}
},
{
- // Deploy a NAT gateway into the Corp connected subscription's virtual network
+ // Deploy a NAT gateway into the Corp connected subscriptions
"condition": "[and(or(equals(parameters('enableHub'), 'nva'), equals(parameters('enableHub'), 'vhub')), not(empty(parameters('corpConnectedLzSubscriptionId'))), equals(parameters('corpDeployNATGateway'), 'Yes'))]",
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-06-01",
From fe23e23bfa99c9f6a95847dea4ad7c2539c85de9 Mon Sep 17 00:00:00 2001
From: Seif Bassem <38246040+sebassem@users.noreply.github.com>
Date: Thu, 13 Mar 2025 06:06:13 +0200
Subject: [PATCH 45/50] fix: Update tooltips for NAT Gateway deployment options
to include links for default outbound access
---
eslzArm/eslz-portal.json | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/eslzArm/eslz-portal.json b/eslzArm/eslz-portal.json
index b6ac408ae0..66d5bb7877 100644
--- a/eslzArm/eslz-portal.json
+++ b/eslzArm/eslz-portal.json
@@ -5159,7 +5159,7 @@
"type": "Microsoft.Common.OptionsGroup",
"label": "Deploy NAT Gateway into corp landing zones (optional)?",
"defaultValue": "Yes",
- "toolTip": "If 'Yes' is selected for corp landing zones, ARM will deploy a NAT gateway into the Corp subscriptions to provide secure outbound internet access to the workloads in this subscription.",
+ "toolTip": "If 'Yes' is selected for corp landing zones, ARM will deploy a NAT gateway into the Corp subscriptions to provide secure outbound internet access to the workloads in this subscription.
Default outbound access in Azure.",
"constraints": {
"allowedValues": [
{
@@ -5364,7 +5364,7 @@
"type": "Microsoft.Common.OptionsGroup",
"label": "Deploy NAT Gateway into online landing zones (optional)?",
"defaultValue": "Yes",
- "toolTip": "If 'Yes' is selected for online landing zones, ARM will deploy a NAT gateway into the online subscriptions to provide secure outbound internet access to the workloads in this subscription.",
+ "toolTip": "If 'Yes' is selected for online landing zones, ARM will deploy a NAT gateway into the online subscriptions to provide secure outbound internet access to the workloads in this subscription.
Default outbound access in Azure.",
"constraints": {
"allowedValues": [
{
From f34d13237e46636805353715aa9f31b457d16b0b Mon Sep 17 00:00:00 2001
From: Seif Bassem <38246040+sebassem@users.noreply.github.com>
Date: Thu, 13 Mar 2025 06:07:20 +0200
Subject: [PATCH 46/50] fix: Update tooltips for NAT Gateway deployment options
to remove line breaks for better formatting
---
eslzArm/eslz-portal.json | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/eslzArm/eslz-portal.json b/eslzArm/eslz-portal.json
index 66d5bb7877..29335b8d17 100644
--- a/eslzArm/eslz-portal.json
+++ b/eslzArm/eslz-portal.json
@@ -5159,7 +5159,7 @@
"type": "Microsoft.Common.OptionsGroup",
"label": "Deploy NAT Gateway into corp landing zones (optional)?",
"defaultValue": "Yes",
- "toolTip": "If 'Yes' is selected for corp landing zones, ARM will deploy a NAT gateway into the Corp subscriptions to provide secure outbound internet access to the workloads in this subscription.
Default outbound access in Azure.",
+ "toolTip": "If 'Yes' is selected for corp landing zones, ARM will deploy a NAT gateway into the Corp subscriptions to provide secure outbound internet access to the workloads in this subscription.Default outbound access in Azure.",
"constraints": {
"allowedValues": [
{
@@ -5364,7 +5364,7 @@
"type": "Microsoft.Common.OptionsGroup",
"label": "Deploy NAT Gateway into online landing zones (optional)?",
"defaultValue": "Yes",
- "toolTip": "If 'Yes' is selected for online landing zones, ARM will deploy a NAT gateway into the online subscriptions to provide secure outbound internet access to the workloads in this subscription.
Default outbound access in Azure.",
+ "toolTip": "If 'Yes' is selected for online landing zones, ARM will deploy a NAT gateway into the online subscriptions to provide secure outbound internet access to the workloads in this subscription.Default outbound access in Azure.",
"constraints": {
"allowedValues": [
{
From e1074c3ae67d76da0b7134b6264f5856e06b4d8f Mon Sep 17 00:00:00 2001
From: Seif Bassem <38246040+sebassem@users.noreply.github.com>
Date: Thu, 13 Mar 2025 21:36:59 +0200
Subject: [PATCH 47/50] docs: Add NAT Gateway deployment capability for secure
outbound internet access
---
docs/wiki/Whats-new.md | 1 +
1 file changed, 1 insertion(+)
diff --git a/docs/wiki/Whats-new.md b/docs/wiki/Whats-new.md
index 3dfc85466b..aedc939528 100644
--- a/docs/wiki/Whats-new.md
+++ b/docs/wiki/Whats-new.md
@@ -59,6 +59,7 @@ Here's what's changed in Enterprise Scale/Azure Landing Zones:
#### Tooling
- Updated the ***Baseline alerts and monitoring*** integration section in the portal accelerator to deploy the latest release of AMBA (2025-03-03). To read more on the changes, see the [What's new](https://aka.ms/amba/alz/whatsnew) page in the AMBA documentation.
+- Added the ability to deploy a NAT Gateway into the Corp and Online subscriptions to provide [secure and scalable outbound internet access](https://learn.microsoft.com/azure/virtual-network/ip-services/default-outbound-access) for workloads.
### February 2025
From 62f214bb4d3311aa1c3ae6eb8cdf914a322b3045 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 20 Mar 2025 10:38:43 +0100
Subject: [PATCH 48/50] Bump actions/upload-artifact from 4.6.1 to 4.6.2
(#1956)
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
.github/workflows/scorecard.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 4d23cdb72c..8550377fe5 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -59,7 +59,7 @@ jobs:
# Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
# format to the repository Actions tab.
- name: "Upload artifact"
- uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: SARIF file
path: results.sarif
From c540e4cf173d5413a575dda3fb315bf526a53256 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 20 Mar 2025 10:43:33 +0100
Subject: [PATCH 49/50] Bump github/codeql-action from 3.28.11 to 3.28.12
(#1955)
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Arjen Huitema
---
.github/workflows/scorecard.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 8550377fe5..c342cf7130 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -68,6 +68,6 @@ jobs:
# Upload the results to GitHub's code scanning dashboard (optional).
# Commenting out will disable upload of results to your repo's Code Scanning dashboard
- name: "Upload to code-scanning"
- uses: github/codeql-action/upload-sarif@6bb031afdd8eb862ea3fc1848194185e076637e5 # v3.28.11
+ uses: github/codeql-action/upload-sarif@5f8171a638ada777af81d42b55959a643bb29017 # v3.28.12
with:
sarif_file: results.sarif
From ae7da9c2aabb6750ab9582666a4757ea39f949b2 Mon Sep 17 00:00:00 2001
From: Sacha Narinx
Date: Fri, 21 Mar 2025 13:47:28 +0400
Subject: [PATCH 50/50] Workload Specific Compliance Update (#1947)
Co-authored-by: Arjen Huitema
---
.../wiki/media/ALZ Policy Assignments v2.xlsx | Bin 27211 -> 53854 bytes
eslzArm/eslz-portal.json | 218 +++++++++---------
2 files changed, 109 insertions(+), 109 deletions(-)
diff --git a/docs/wiki/media/ALZ Policy Assignments v2.xlsx b/docs/wiki/media/ALZ Policy Assignments v2.xlsx
index 977f4aba41b34205c15b6958ffabcc303aa7ebb3..d42d6faf18bf6acd18111fe87247b83a16481719 100644
GIT binary patch
literal 53854
zcmeFYbyFSfw=D`R+%34fJHcV$ws3cMcMa|k+$}(G5AN>n?hxDp!R_+CzkP1)duyLh
za8CcxUDY+a=6t4%@$_1w6=eaCm|)OguwY3R5HxvU5TEw{_xL|J0~4uwHtQ^yVOKCOC=$)&>TBOwB@*>r
z@e%KpEMeN!Dou30cg^rvCHV_UJBiZTEARJs@2@0GzXK#g0
zgCeI93=8v7suBad`trVw&|APU$kABU4xS?{7*~}&wnh41Nu`d}?KwZ_*JZNrcB-f3
z!H!*3`Wmx2xmD4{S8Hd{=oO%lP&9#=x}F3_#qQ!o>rvv?2U}hCNd31_LjK8w
z72|is`@oj~e?MHWcOE`gsZ0Ybq7kQe8Sbra^jMUS$YA46u-uw`q3;YX2cp0=>mC({
za0c&*)-T`(oP#n8*#tYk?$MBO2fm5yY)(FQc!-4iR&XY=`+q-->d}Qda_YF!=Qt52
zfqG$E(}?xP8A=QMgSao-0}NXs^M`<=mAWQ2hI?+W+C*><>8&14O~HzwYg*svcAeu+
ze>zT2wnl1?FY?bd=xZp@ePUgA5S8msFDdI-)&WmTfXFg;&`SdYX^ls`}^Yq
z0H*l=0f|0>X=Bz;kZ=NkfgyZ?gn_e}tqU{LKj;4o4*v%u!hc(O<@}@!fE5*Nr+tSn
zWTSnxS}4MGJsK7YD&ZMy-qf9oV>E)Zp9>V^dJkDEyJ$Ts0OEiO5@f^
z$vI3uajv@RX?)MmwO-p59VP)y#{r?}5N~ZG7~w{LrYHiCf3^o8OaAYv>>(JUXm2xTK(|
zmK5)D9~P=Mh*N{&$Bp}jB&OEnpp)VqV8j}iMmY&yT3vD8vX#D`PF(Ab{>vONh8O0X
z&(bimnAwZpk=WhBWqBsv^7R4hTkWM(HDjBrDg2LX(E$zruM!gcT&%sl;Pf{9u{uPZft
zbb4Hq%Xi?nu4>=+@N++GEcaRvYnbIT!eS?@=@I5=w@H-8{BCHwI`xlLA)nzSbxPR}
zQY)+wLeKZ-|F}!5r`$(T86x5UD;3lDA*&@>Ok2l8`-|I*v&_(9$TN}>^wddfE$_&5
z7&21FVmE#>i9Ro5KrZ%*gZMRTHim-1Mn-v*6P6k(6=?8@j7^qi?ufdPPogULxb!vw
z>2pD2!&s`zV+?IAH8{ib5F7fW3OY`Y&)1?@i1$nAwuI?)Rzn$v>|XFQhnar^KStQl
zywQRdjSyo+o#o`QRDU}TN4;E`{=TYxwO}!Q4=v$mlO+UdlYTz9I!yRFA%9GPr$
z<iB{)z`?5OZC97{bIgm5_37e!cU1S})F-TG=wi6Uc+eAAWcqi2x*
zp@uGFC;DbFUOsp^jf?r~E7=D}GR83>4XGoHM7FpmU6|%nV;HucKqS?V($@`;WTCmS
zv!2VbENMOlH6U-$h$+G;XEzAsoEkZrC^#c6?Honza~Fw{wJW4bGo=~;f*s3ze13Ne
z2oQ>EQsYk64StC}KxcFMjvbFZBFJL9eh&c=m)%ackJjdMv%!4_oilSxKKylK<2=p`00s)J2behaJR+pE0`!vjoNF{Kc4-P9m{-%J6~IQGzPC
zP^(yzcm$|^0}m1IPB|#g3r@Y2(%Qx5Q5L-X5y$+ogwED4N7_hAZ+TxjC^GXRL(6!4
ziVQ{8CHkv7-1)J=oae2ksUD`_lCl9C7JSkLqOGytb*qQK*_gnvRcOe0eQq<1nwniZ
zK^G1R(#D|)ZgsP~bZovox%^O}c0h$8Vh+W!_RJ2IRL5qF&gqDF3wb?!TYe7%Gw0QB
z?$`8$K=jpDl&hTOLw}qri?idDKi}w3;jfwTo#ph_4iOW~VCY;;DValUYx1NpPcd56
zH-3pM*Fwiyvp+%y1~7l4s@V9^c{_=jelZU@
z4o#s~=EWDckZ!N;5nX@RSA423<-{SAOrBM;&FhJ@g?%v6e=?Z>^I}jvq#>ExNf2{o
zKW~CEtkFp!`0mS(H)t>%+}%VqaRu#~ql)%IRM==uUgWb8CX%
z!9(t~3wBQr>^u|*m{;h|tWrZYL=>G{#D1>$-vaxG@OtOCjnHt+qK8z2zGdrQ5ov``
z$bI%Fu$CyE@Mb;h4Zk7rmAo|tzZjsGd1!IQt8PU`m{>FAsaXboF7V1QQB8#Rh%pf0+kXLqq`3Wkh$=RX~71YKC
za%UmqY%v@cV|GlvOLu%Pcat=RPP{Xe1?}RkF
zf}f(&3gYQ#Mb>rH8rSPhK(#@3rdd?8)*mm(VsaW|l;t74Ecdrlp8BaMl8Zl4jB+^I
z2Apt=C^)#jFSMg~cPzK
zK`r-3$1!U4jT>^K6dYA&Rn|WOCvO8b
z3Fy;G$s+o@6Pp}j05v7~YyXvhWXOZEn4^#*+On=EB5n%*&JTIOh3fX*|KAG#drF>>
zh3_Xp4cM(1A;`04kj9h1ro=|0H%&>6IdFQ3-3);ZbR`{myk(8x7)ba2(b0d>88IqS
z1e_U;8(6M}_;uQjvT1Wh9?DIHaBALTG;(o^tuuoM*^N4FVWIln*_{SJEa8z+apoM$
z*Z|YQ6X-R0<`^s6A`mz!^m%<$>T&+K{!hdG8;-4#l1(rR&MQ6X%y1>%&sk-Jp|6T7
zhSNT{)e=aPF$1=GxGz^P8%x!pA|xIUjvgD$=dr=g5)UsSzRia`;SotR62Yhtx*)Qx-LKg=dTWqN
z5ZnLxD(+hyx*?U}C}Nh4h6M#RDl-*ePH7_INc)7HyIm^HYz@&h=G`E1^;b=Cpg&+Z
zlEezH8ZL>S+z^>#mBK26GIV0#BJY?C_PW(O9yWfhkw)c|9_?H-`Y;zAprxMYyRI3Dciq8nylxr_RmW{^@WgF
z7jgo=Q
z>V|l^*ji$;I4%%Yf!6Qim*)0aNUyb-;=B}F&)9q2pJx>hSLQlpxqmZV_QCUKd9?B8
z<%5CsoHb?lX5;uRDl%#+0RKh0nX0`8N0dc1V4owwf+|NTIcSjwQ7bj*PpD~DCRcGV
zjlL4#?yS-B4p_0u(~?XicnmbTJ$H7z?HK*^#_y|a5eC+_J#RR7Vv>Hi6~=Z1ff^KC$6_
z%YrL;6v11UbU#C@+?51{{zmMcWfzXwEd}8q1*I0cS&GgJ~@)~Y-f<(guEq|sW-#YxOU1ivj)UO-sLQOMf&BG)22+Wh&
z8eb?#t})Fd_-|oW(tZ|kNG!Pr#Eq7CG9RVUNTmx4-=D`gy
zU?&+7K`c%Y!@`pWUhIe%ArNeurUo8G2yU#B03LRpQ7jhs!;<}D(NZ|8k#GfL`
zgnPt@;CKXlh#IRBz@DP`d5IO?;1L(+87?Xe^y5)ov2m@>5u+xeb_DS-H}Wv`Qo!wd
zT<3Lf{=TL2`Q<1iL8cAN*y_uFLxAj@3+MF_G;xE$BA8mZ0E4wUy)Q<#Q5z+WJk@JL
z?OEDfx+U(V1WMy)5|Eh|Vq;}_Yay2%W&DRdK1cEtBSgIA65gy~%ZY;=EeNB=5@iR7lQxqlCax9z))#{>3cO;T$YR
zM%1XGfy!K9*}Pyv;71|RRlf%+IaS2Ly@gGv
zxdY2kC4?uRa56qT{cEFUVeD64fB9S8FO)y)C_j&`28p&soAd0=PN
z(?9+3K1VHpkzf8qx$4zTwZM)&s`E}CF62=VlW?Nz@&pU
z94Tx;0dy5{Hf8LdSBOpLKoy4+ILlyrkAV1>EuM_QF0%vtPmqWd>{C98pEHwqZ
zP-lFE-#iZ@epEEjwJc=RRTE%IPba9HSHr!7VXsa
zd}xdnFE8{bJrG`)w-3#PSI*}3NzOxuaQ`?-8jXKXFB)<PfF_O(FZ
z{0Uu$@K5a0O|dcr9qOps4KODKgR2Ic^fpJ+xZZpDr_BYbR`rci{XMjpJLs2&QnZj4HdL9=Z6JM
zKB&JOm{VB(ZlP*a0|?1CP_6Xh_W>6;RC#lh9k9lgBQzOqr^sFjN+fsWd$CLPWEB_T
zMoXtl<*M(ZrE^3NhP3vJfXg5|Xm_|$ume4>zR(`iQ&AF%J^`}AEPU|E3X9`~@36-f
zcedsiQk^C`t7uv|&sIeO2F%rF0e&PBMwqb>EbqCzb_%6>
zcMzPa44lmEsL75%rE_`iUEZtzK6Eyk`k4;xiB;SfdUka3Z5i;PFn+_1^qt(s#b9pp
z&N%^_5^Rtfh%G)l$O>EKw@61`y07#V9?$%l;MNNDr!Q=kzK9-EDh$Xv?vQb^*<#756|(nOgspxAPHLNr%PxrFWV
z=`i-7M4m)8LY>X&#f9$eioy2TD0N}S%tVPc;+RZnV<$l>+2!e=pOIEJVqv1iKG#sq
zHU}|02j8-2ds-wS`;n7n-<%9Pe6DrP<0P|NC3s^$muVxWE?WHMp|QyZ^32JueMk`e
zOF)MY7+)VWzfAEkEp3Jy3aZq!3jw*}rhwFLE`)XS-hrTL)TqV_-;*|xx1lK>&L?yX
znFY-wP+@Gu*~87fjd;9B#UOe5Asbr&^uM7RxBJVh{*b0RBHgV;z7$B8=y6>VF#Sv>
zk{70wTA%5f0GR0}0DA6{H1Brdwqx0JQxrI<C;`M*INll>C__sU7H%nA;5JRmUSI
zU5ZCtZ+S{*HL{amHHK?s30LvB=e|gv-B7O~>1)aU=>vA^Yq~_dETPkgnH~3LJ#SU-
z1ZUfF|33kdZIe1t`Cf;9R$!vGPDBO>Ro5!xNYtxZV5%;&Lu-kT%;j3+BilRCer;q1
z(4TY18F80#-CaIAh1+(!p?vLJc!hPkEZTx+sYcJ1WJ%fat4!_bVo4xLv%e(VFFqPv
zSbg^bDlBrWgIB*evJtVN!1V3uEXx4W!P`b~*%iS@++;LS(m@YtU^l|kNhhl_CIe+t
zJeGMX|Dd1m$ONeC`QF-j2sswTt{C;FPh*c~G|YWSY#)qFaaLo`in$%jt##exn&FxX
z1}@6cnyrv^mLn0gBS78y-`Z)Y>>U88RBpjZ9Bz+)YW+C66ty^dA=gnU<6K248@9)I
z@8@jEzMi{#_{48uF(!+;QaXs5CICc>Sh%SVT!b{Eeg#<5i@%E&Z0bh~F#SoN
zSWDY&vV<6NU;JlK5a^7Af!Rhylia|jh9Z<2g&ZgqLJ|EF_s=C}j09N{VHr>(!Wu&J
zG30(Gu3EV-pvTl(lYq1=Su$i{2BCCr6ge8^uS!W)_~3F)14;GrsB>u&@i;)l`ot_R
zD88fMJI>j4Pv{Ia77FT!juSiu`7tZRVpWTv9lm0F0UhyP2fCDCXIGe83%z&=`rn+d
zn9{@^4C(SIGTDJWrs}GwBfR`F<|>$vsNORVn9U2S)+$e^`KkqJE&9vlv_VU4S%L9_
zy~y!M{ymTQg&P7Ve{)P>U`;tgJ*srh!6zlV<%w^2p%&E3Z%9STLX^7lLtA3~!0vdx
z;&4BiL54C0w$1L_;SN~*-De?=$^uT`bzdR_)?_+wa!~O->4U!eLE0V24dsTZ4$3)!LIR7cq$Jag|XFdTZ@i{RHqJ=wD
z33|#lM20(L?IpmNpiOV$NWn+z*XwiN>{;869?7?_CHox4xu*&w()h1Fn3BsmFd>CN
zBD6Vs<~;9?`S14uYszYVVp5B`LUudX!X*k$5DQ4pwIFCZ$g(S$7&vkHU_mB8pl`!Z
zptIyKtm@fcU)ehwAbs;L)R+BeA0PB@0O){Gu!-|d%w-HaCA_l4;S_=r
zPi(SLk|!EM6wC#l1{SonOSps)wEKqJ%FN7kI)Jj=e+)OF`PXZI^+8Hi_0^Fk0hjuE
z9^nxZFa9F3Q?j#?&TK7Y=V{BGK~q}_%ROT`e6KULGkr!kSo1OK%YfOG!Qq08Jb)r$
zo*aNfkSUJSC7{VDgBx`%bB_TwW-g_G60jCRRGY0`WbY+KCePe%+yPZ`hTcBYWWvv=
zTHqrF-RDzbi&RweRhTlx*2;OS!C&Wh?*gnj&6N3}Ty^AR+*IW1q}Z(6h>aRsp{7N)
zm3Yt#QQk2FbSFbZgGOCpk`gmA<85nR#?VUDRXkV#+KL#;o2p5+$%l2uXH-EpaMfXg
zVS*xg`dqu817X%Dns55dF%p=Vks1$Dcp@fOtSTZ3N3j%^m2y*&<kpWXA@{YfnXJ3C9MMFD{hm{u5%?V3u{Fe-iD~fL9`8
z3xAs+=}-(HKzCx`mLYi}1|VZj&d87RQ^yU>VwD^AGq^`hu14P?xCXcBLHTSjlOb@H
zPF$FODvS}4nBfE*1<5KDAD*%9G2p|1Gg`tCpB1Opa0E6*Ceil%H77td9Rde3nfE~z
zn3@wPvSDC+K7$&V`aL)RYr!`Vso`4@l51zRQwMtbRtz9yfg5aO5wd+io1`w#6pK%h
zO(n^eBrq1u^50M5KV;5j8|Dsd1QnU0drSCfP!@i`Yi
zP3;Llt9V1g@C}4>O}OCvh+nvCQ#VUQ
zDl7pbiLc=Rcjnx6jkae}VbigKD6DbtF9bHtAzFGB;m!nQ;^H4~-gbAs{4O4po0Cu9G=EH$R);fgpD<|Z*C=5GD-DXzD)Nq3i(hVaSh
zyPJE54*9!1--pnxB6Qlzrv1bDiu(SeTdjj%e@I6PB2y%i&{I|RlMAWDiaeW&U_H2Q
zYGyOF8X|nZTRzdOJK+c*RX!AY^TeyTQyhgaIchQ5Y%0A*%(57jp=rglktWg0kr`+z
zZ)q1NYsPF(@1-ex_jexKxpoJe=ZQ(!M?4Kq*!W7b~n;T+%pRvL_1Y$Zd=
zX5Z#|c_Sx#JYJf9m;6?3F!rvAr<>*wVP;b@6myTNDoT}J
z>I%o|)t#+>`yNoUeC*)GcX|J?nfC>4d$)PzdtN$%(W{8ith^kjybc|9yc0H_v
zeYQ?lCUG2!UKr0F4w84!>dT9Nn%LhwE;$Hvi;#*$n-TF78kVzf>J!wR8$Q1Y%WqAq
z+554MycY&$lnpvb7xPQJgAFBib(rnG0zrNzFp_#nX*sn*%1IazgA-$S@gSZzEOxC_9S4ki
z)@=*{el?p8jSgYH5mW5VR1J2hiuzTE6Vo`p{MEtn6|;_dGSAnoM`)RRT|%j>!Y!{F
z%E!2%-uHE?;pDR?I*OPpW{V~LF2z=;+P?mjD-gS=LP*x_YYfHAJI16Y{Dw$rb#ee$
z4#Vf
z0rM#Cc-)#N=
z9uev3?C94ciaFE`HF7c})bEh;W8u3=44aRu%5CObmqb8pogy#Ki=gAH>Im(vrC%t0
zBxY3~Z9b}v_;=g*h(T_PV)7r3)(AZuui+7aFvLkB0EN${u}}y-b3Bg0&^S?RA
ztGi-tUvUXFhs&Hy6CX3T+X+PR9vfFd%QX%KHkv2F3Za{ZqHBjFHg+Aw_}yV2m1|X+
zhO6619z#k0tV-%FCCnG2xXW3rL$0P%i91M#mow)D9)P8&EufK6)78!JBNAENqjY~x}6n0&iZm*~Ep74zjHh84F<(Avu?F`SlzlQ}(r-STCoDglT&^*Pq#3beWhNb$<
zf7Br(=}h4ZTruupZtj?#f#?yl5d@VWb}%~Hz>Qo+;EXVjxRMRAny^8qh;9eEeR{b2
zJ*Jve2VOB+*l*DmG@YByYGkR&*)(}m1UgXQ`Ww_%i-QV5@(9jAZ
z`lk~KXp1o|P1!laY49h}cO;L^&V(lye|fS6>-q(4cZBc4ZDt$H5uc^`JJd|Y
zA;P-W7=t7x5HG8ZvsD6AMEbDxjT0OXQWf;4LyJAx!e6%mDE`j~Mewo@x4*J-^AAMH
z0LN5nID2=civ=a%0efUwE$Os)7BAn+6~1m}QcYuCg}d{)ws#Yew%Qv0@q~MebsB6;
z*wRccVwwe7ao`P|vn6ix?5J1b8Y%}1>#A-uzTPmw2{|fuMyZHBTNH!Y)SD%WF
z7Aeh63Bv%kZK<$khE?c92UqVq<w5^R_L@FZQ%(@oC{?=p
z*ltAU_XV-32&fB)Tba67p!`I%LauQ^My?BMsSKV838I(wLiKhgMG(^t9?&UiT*$tL>Fm1Z&e;RX=8^4^3FX7tX~lQzHOlDH-sfYW
z(?g3O!6_--ig5@zrUTMn**7spGlJb*8Os^r}!%WA_P5Ig-<_%I&5iE+tJ)VnQeSI
z&xf|_-=nxwD}k95g%?0-R0lzVvKHOZk<3;j+L#Dxz-r6ZkX`}dq9Pue$h(t2D#lSF
zN_otW{ls*DNQ9Uqz(s;pB>*e0&ky+{+LTFe`Cz6lFnyiEOYS1yD7u^&fD~p((zagh
zj>7{#+w8UjBC<1NO~HrF5P@11FybC6gZ7Jr_zBNy0kdxO2Yezsu{7miPZ1XeZWqU1
z4htp51qb#q&CT4^Z-4+q0Ea)ZAEe6S5G)Qes2@X0T?@cwFXq?A!Vws!`FS*zsVxok
z4qW_|U=>snKz;0pKM#gBxzH3`T9y1f!hk0Kg)&9r^5+S?{Vt~%&}U&(cDZ)w#LSY*
z18YqE^k=6vV%y}6kHQDPkBCGz5gZl4yqU&f`NK-Bj(0oz(H!q>t;x{Yrpky_%dmUR*
z;BbF53$G*<-qk!naNT!?FT>sj*o_UpLaXyw4Uvjpp~=e84+ItzNXV^c?Nn|i0K22>gLb=`WU;Xb>aW~
z$2ef!-}J_3RAme-C)+sF5)zs&-tAh-qz7C|D&7pw=#ay%4&}!M0HhO(*aPQ$W@!0@
z6^3;kHc)CK)T#$I_p(aXDUW{E6rZ1$9`FsMcWa8$vp_>CjX|^`(BLwWp*z4ych8f9
zFrXKiMSM-3ez*pa{y{S1Yiyps;yXMI1{HZr9KIq?g+
z;8zdakgEp-Sy=9;*eJ(@m3?Ns(C&uJAz1JP3SFSVy$6fZ5VA`v`pkiFi5s&YqPA*(
z2a6Y5)w{QvaRn(`&}^5*Gwv%%o^fsescpwc*X(lHGey09zu*Z{;;{YCX@jpfY@wwH
z0bxdU5pP~AJOu6FtT(nCHkmMaiPODX*>$QG?Oi!ygz4#!_1Jk2xwKLYq&?HuypZ?L
zm$#6fCRD);_(0$7yLz)6=C9rqQ8cib-CvM4O3(fbWu;-Kvl$V5OD`$P
z*-G|#8@KKdK^-@2;bYalybkBmcLm2=@P|A`JdfMGS6JU+{_fQAe6k
zql%T%6lpgKfac%%@rS`HoU&Jo1B$;rY^Fofsb%J&J0h}n`&3^^n|r{h!7%q}mSsWg
zvPcA4wlJC1)6T?Q#r=eXuQZVxwcd00^%l`$n#=9*4bL6H<
zaU!hk3zBYGgVIE=Mt!8M4J7^B4^=`+r)=@4QRp046&EB?jZfedzRf}Z&LI!IRDs1lg4%xgPW3k;E|T7Sd8LlnCH-9-0QX!q^AV6oYAoq(9J+72$f)p-)5l9
zDA3;DFY-FJy^+y1W4h_(QA!A7&onMgZ%$Fu5CG<*w6B@yzyV%pZ}#xG9~Tu2-$IXd
zjRo5)!=2*<=M3Z&qoOXXn-}hwwc6|gsf;q`Y}w>z9WS!B{L!83-5eceQBNN`K;!$t
zwFD4|O(JuggKkK^kBG_V_F^N%e4d*>Rz|r8oaA|%+=iJFYs0T9=gVtieWoJ8Zf_xH
za)F8Q@f1|tt*PK9w}>;n;(l2O$14~>ABb4ya91^Q!zFSc48|Wjs=8dTH4K`rJDMQ@
zfUD)fP+(8+!UH&OOWv+0Kh@vo{KL=NhCn}ie7Z2nS6ZD~9B*k68P@Oh8nd4w2ZfGn
zo_yR4-Qt&1WNsAfIl?E;&kry@zry&pL$kAYo!7r&g&I)q!$?6UCSJ&AW_(E)G5$f8
zGzt2gk;rOo#gxL{%!cfcK6%c;Y$tI
z$>HR_zu?Cc_s3b9>+=r-hqf#(gZG!m{dM9WUEehl(+u9<
zx?k`9j4ulv2{~-ta}jU(^FX~Uy97L4#oZcwJlA@CT-KmmZGVF^z7nI0oQgnRVpAu(_Q!;c)%kmifoyX5~SBcD;LO
zHuYvxv)ZP7T8^7v*Qdat6GOU?@JtF??BD}7;`jp&)e8(cU1soSc2VdQ{l
z$Vu4pO(j7>5e0W>sCIl{vt0nxs#t`&+*V$>Zm2S>;q_%V%#!iyvpq3tY4)Xr^N14&
zB~@%mZ?7ek04X>>FtOZ*{h&&>li$)=ScT=|8@wIXbN@t#L+yP*b1LON5aKj&N{Cnp
z2Z(?NL>w$Q3BwyvloUgi!LvWyP)%%JUg%2Ke8u>Wi#Z+_TSGRMH4wM)*o>62F>=o_
z2r{C0%gN}_+f9qysw^F=m`*;^LPO=KY3Vqpri}@iq^!BxKzFLKDt76<2ck-6Fg{G{;*xx@>PA#?_tAjCc$WAw`%
zBTB(N_#OoY+}`m4hSQR`{md$LdYjk*2S=r)%BD3K1(I^iFcuBqfQ%CdnL8beFTkA_
zO(`!YLt>n;>P)X$X`7U6(T(gVzZXr$?F>A=@Q0^uAe*rIO%JA`2`o%~BFqm^-3~aw
zY8+KDKPl5#1?ZMD5`yzw4wG<71xaE>{jWVRS7C=FUB2hs6&E4cOHhf#?GKq^hJx~R
zNx&&@!lI%B$*F{BklD+Wc`-DN3dJ}TtSQ~B;Y}x@VJ%-)7RgN2GZI><>gdMJoRjCQ
zy__j^!-TvW-!4Jh`EHwOJqE+w1in9eA
z_+#3vxlJe<-5+9?B5fDtLz_>1GLpz=?^_|(0c?neBAhLVs3r42uO{4Bl;gkIPF
zDW6~~&iQ}BQoeT>lmoP~NHkAVa<9t4F(FjsNI-X{iuX?HHLr%Lp(*&^6@G*f3eKMgVu3Sp4a;
zgiMxBmf?CvmhR1#fG}HYf9gwkiP!7rXF>LvH;G$Q>snG0`Q;1{suZ?7=7>8h1YMFe
znH;!Y;z@xi4|4+2ELk%1;2n2=7eKU1>DKKjZZe_-gUrI7JGs>V}UL!
zsEisT1C^05hq+&mTytuBZDIlJ_Y|oH9E6snWbo=Q{_u(UVEjx%a2`!u#S<*8MIDI>
z1aT&@XvHo>kNj+<5|{H+5cH7Q4fm*N(67n^aFbEUm`RY|nlKk%@uRNW_mKcgp4HQ6
z$K?@R7yWkLq(GR&biY``r6j&vmMbRzen-b$Z<_NAYI&wusYQ4(8JfQ#xK)HV5}8B@zCRW0g=0<3Gl
zIazRVk|J>!JvmbCInl_sFFr*G*Fm(2($qzU<)aHpw=*oXIW-kl2k&Bam*5b%$>4Q~
zl7S$~Hu6s;LcANwr#wXf(zVkEwv-7I7nM=u34SAK6!(ni`Jc!$@XlfIWZPkk8+=HH
z60KT)6ntqm)lP4d2z_AD=pF)ych>CdksG>hr|!Z2vru0Ke;B}}WIGJbIQ!^+Wz(Oj
zu5s4AO3pTnsuIIfyf0g#mdSXr0S{dw9tqj4N#!ge1ZHe3Oz56CYkRYr>X-bn(U3o6
zr-cSIL#4d4Y0}%ILa$KC8Zr3{j@l)rHp03cbObs>wcA
z*c5I3^^nkJ{*)J@7%;t^7)C|t5jX2vLPr)^DwG4LY20rmPdLF}e2(xe;Y+JkjQC&0
z25(cEEike}YPHIy4v26zOQ446i8L|rRp6lKziZ=6e6m
zSMO3z-iD@pVPvuT*(8eaSvy;ZA=kd%1y8UMZGOZ;0ezs^>O2*5-su4c=2Cx>G9$Ct
z3*FYu34yLWk{w6B_UCZY|MobL34ExXg@cE7DWZvY_eLvK9FzYJqpDGUO(aqlmNpp%
zeFdIwilO@Hz&U@1KZq&Qk%jRaSgWF;n_lVvR{!=&lc3p5FcBmnho^tRg(!h`?-cJ;6pGF3E>@L>M_LcX|Dx|_f3W{;<1H>IopsZIL|%mVeCi-<%~`IA^et9!kAdKdZuBl42U
zBm#U+h^4Omcbz=}qq>3eE!6-
ziIi?-b_|K40C-Rt-H_E!rPpTPcv?8Tqy-|dXvitL@5N)}q+QqN+&{Oh3!dA7?eBhK)E69ptl4h5^UG@gqRXozz9BJ+X8
z?e^6cgE*iMH89F#?eIN03mrRVGKIs7H50T<(x<*Q+%X=7XYmdS~j7kPOF`
z|A`h+Kg~YbP=gN#wC%_*k*8cTUSDtf*4h3lar5!{ZPS14tvj@>9PmfKywZmS9IV&B
z2xi|w3v3ER)}MVxI|93pW|fQ^tQ3Q%FsmUr=q{0{D@x#&p-4bBg)OjkiK^LFQmg5<
znQE@^cB*4Mvp8ex;Dvwvjq-ZDT630m6#c$9+wHjoQV&a75Kc(kQ2AYymt7B1vPl5E
zJj_O4b@O#`)1M^`-lR<)992B{GREds8N@m?`)%$|z6>6o7q)u3xpr*k+Ua+B{yCX1
zIhs5w{?J@nA3Un_>ta~Po;<2w94%LjU0_K
z9oJk!-5jsO98@vNo+4$2MjO#X`#dIT7gQ;ARIUjvx@k(Q)ZDvy*Qei
zT?gRV<_a4(*4n?^(*T9_=!ut=^OT_ysL}22Lo#wt37ZSWZOdPe_wOuw#~0BvTG>&S
z1@het*`W7%((}&iEN%?`_(o_#NXTk|c#W?hEH1CU3s?lDj||wpZbEkRBKlP@YRti&
zW*SSg8jLh=sq9CYt2et_KDR##Ah6NvB+bHST!j?xh)a-KQV7;Sb;AfrMj4c}`<=t2
zAG9b+*ia*s857op*;vczlqMA0@U6F|B6%pS>qbtfkSP@fcvtZ!R*tFedJMHD2kq1=
zVXG|A1P&LyK{jf9Lz81Jt3~!&=LB#HT%YN$HeF<&|CX=RI^<=ch7~p|EYMJmlqoP&
zNlE`ZTF()O2j@pgwM-)ZJ3V__FTTf5W6vc!KR|r>|UeQhxADXst8b>|*gSe|sQU%8BjuXZ(WB}?Lrh)BdaXqBg+r?j@ip)1OjzOAUi
zj{_Q~Ad!*_zW$!p1UtR535HM0HYbcB3#<%*Ij7T!YI7fAziLpqtrd2&Pu!dBuz=8E
zMFkyluY8AgQd(11p&&O3XhW13?cENo5?aJ`r;{7UozkG(<0`nug6*c5oGv>pShJ{!#Q)Noy${5q9q+$W_B
zu-35<&M#*Ogf^!x8jG4tQsv2+@Fnh|maFk~LIqR<&V@0pWlsVL8{#6DZg%l+JHtsl
z{rlUIhaQL?HxjI3`Ca-Rj1k?cts9_W#PivnMGY0jgcnhjXn!Riekp^DY&)@gLG3Du
zKw#;Ncq$$#Qj$=cHI$c>gC-caw8@cjZjxH4;^{;|``h-n3M2cO$XP01G?)@-fn$h`RdaYTFSsU!-CFODD})j9I9i$M?flM7
z4MPXH1^xCL7sOk{!)-qEg=Y5kmmKclu>`-?mm7&@?p$c?t-Q51@Zlj_$u%kawbI@plcmg6NN}p(PSzhCzw=FeR
z!5PD%U4~2GOajvuv&NEvBPFV^u1PI%7tL^Dzhn)k&2SN|-anlI+S&ci7vhBs@t@@v{H{JQ)t>hs4jOLe>%&x&kl_o
z`>jCdqlc4!jZrSCEo^{=Bo-qchEB*?Q?4adOl%PNc1BEZ2k6TJ>2)VC9N)iG#Xu}?
z8`dRild9Yc=oHErBX&d+Kfg3Mo=hX`=H8=>Z|GD7*Xa9^b(VPBeX7x3z3&=>+|||u
zv^p-nlBU1NX)VYr_Q#}_jjA}Kez+Kz@O}$syQrWQ6Ys_VYeuk{tky!?ptl>1zK}tU
z?4p#&su5c;#|aXhAHj;CE<;?9+yaA5WOvEy$!Hr|)b(W2i9G#2oZ2gsgWnJ+J2`c^
zS+S?S43h_61Ijr7{7WYQYvOU0x4nO7+FRLcqWp+2HS>%Ey@$#Hnk&1}wtmVeO4(B6
z=Dl{1$Z?eRmJy>AlM8f&xZAS%$)J8kG~SIaCc52Q%3dby!jky8VUg~2EDOGDqpj-E
zP59BvRjMvcBXe+Vr(xa*ij{3fh5L{J3zQ2K8yRE?g9ygB>{zw&=gqXJu60N2Fwns_
zP7Fe$pU4R#l}2bWdL6mEv(ow^#^HW4eD1O<^16t8&&RlH;;4^yhP~uldaZie(9(Y2
zs_FB7&CRj%CB_?|>S!y1+few50XijM1@a!Lhi;#=O{WnDMahh>?zKj*Ek0*R#<+pr
z&_bO+p}uFfJ>=5Dg7yRLOr*#yHCGE9j|Kw3Ew>+!R4aVmfVkb+uxWl^>mVq$^hx#*
zo(EdkNBwH{G9k%q0LeZ5hUzzjcv&rkG_|D_x^nfga;7}%)+rD#XGz{XhrC(K
z2TQUhOm&(D%-(aiE?8Q`-Mk=jU1BlSGgC_jOUj0yjKbGV%^ZUz5gW05f!h?vM%NSn
zND6|3(@%Au;*uW7ro$KG*AezvrcQ-BX{B-_BT_0F*F|uf2ocU2U`m`u;F=g|6qq6=
zW#7!~s|n#t(CGpDZ2@1%_)u5HD5%P+g8qi-(?~X6jWRAHOOgbNImmTnY7trtBqI`A
zo#kTx@laP8gQ2-`qYNP(Dm|pSxAtkN$k3aCFvNnmDnZ^NI9S?v1`k}p01sS)3MXzC
z*_A;$5oB1AVIxsUqP
zcSfzn9Qf+>$nf_Ek`X(@S=Y1%N*oob8{n{Bd7#Td2ELo{nme7`>A9`yy*myL*RLq8
z9e`94P%M*qjy6}HQ*&PpKWrajLY>MsebsB&t&``|P-zdiy=uwCE9>(Q7VN6)`7hmTzCNnE7>2
zzV0treNG;?|GIkq_apxQ%y_-Da)!1;007uk```L@SpMzX*@)WsCoLV?7re+@J2k!`
zvdN|~!e-p5Y$3;W+9tZQ3+^AVR2w?0vF1Q8@5aN7>v%n-6n;-H3u}-RrjrXY^t~{jbud`md+@$p8
zgpK{n7ue}qTSAeMJrPk>T*dYDa@!4OQxmqJxoMPP8FtSk=5Xmxsl2WaB!9KiDF}2k
zzXD-YqIJaA8G-^uv559Z&Fm@Hkp0}h0c
zI;0nXR*6?}EDpfsLfSJ7LAHLLDVmXi%j+xkq?S|-RVHjdOqd{f*^=ljlf;R?Z=d(~
z)ZP9)eYpOgAMZyi7ZWvlwf;Td?QY-iYPEX3{ynu$ZBJEc{+myq2OD|cVKWz_C-K*#
zYh3z0xcqP7U#EFqx~?kE_twt~JN9di_wQHjuNaZY$aG{>WIi$=WOwNt%nh-T(8yis
zt!Va4>Psz>-o84hbeY42TJ--(Znwj?utWX|?K!XLCYMExI-lctr@4{w<`p49%nS{N47Wv5E*XFZ
z(1;N(8G#1KoP`U!>0L6mlyyt}&mGq@ZW)FvS&%RanxiSw-Nc;I%Uc8lcEku664$Yr
z)(m8ZSJ`@$Xzur$nQg6lw(XPOOgcb#*)N>1RQ0U
z1)Q{n0=`Q?fp1nAYkP4=VSi2@>O${4Wf`U+YCxC=eKqzVe18bt%Zx0gL74Sw9
zgi!-nj4PT_br>d5Z3b!IHXoRa5e0K|;HCmGdulJh35!1xA%h4LMJP>%66}U=AsR>k
z3o1}^F)kF+uoC^i!MNK1*NzqMcnpP;
zntE`O{X_oeo`0ml(2P@-K`=t3U4l^w$cVORQsYNoo-D?w0(@x+FU?9IQ&R%nFklQC
zLU=UX4*)ufpdJVzf(239-z3e5K@UcSKnr&1kcJ+7!c%KJILgE@7%i9yX+(o2=%Ion
z7$X`TXkfvJ0D}tDwe_h)7_fC^FGUj#m?fYlz|f3QoUt3SC!$S;;Ra?zqXm<`M`Zxk
zrgrthcRy^_LGC>~6P20;cAfCCDMxmiE3UZ;?`UFtk
zHX8A~8;UO3FLrAOc
zf&#f9gA74A;HU{k3bE=pkD@qKfcM$hwW)v%W1~Mi@A2T_3wSq#Qw206bfQIZn9PC<
zAw6hP1y)aBPc)$+Jd->wE2v&!P%Il(rfYy3rqFWL7ol)L
zK=dJ2bpt{{{f4hMA$S>4W@;8kvKNt+>|xz5jx7@9dI_y+{^0E6;Q^bZUkVPYpHf2#
znt%c->@5Z|A9%GUAO1B*L92@j}>MbLhx}jvs#{$VakgRV_|B4oM#F|
zIJ+sZOykym%J!nxAFyF)*1>dNTV?tLL%zgFKy
z%HQ!xE4yd4TgwIAJZlA)-+PX>^8h|tp9X!f5DyK1;^{&^yR5NScWZE_A__r$($Dep&dkH#`)NNfOWplI@q0dz
zvD62kv=G>YD4<3Lq&8;2LPza~4M^pIR63+?gIsRbA93hk@8^J((!$fI+&T;jSu#m?)`v!2t-@)(B<(z236#3iqjow4seDIGQZ{vTMt6
zBZk^W_)7{5UX#Rb2+2n}B8@aou`1X29~d$AXnon+g`RAnKBXQSTT1~-VnA=Z0Y%UN
zgmuih^J#-mgg$f3PUnvO5#tUi-+alX>32LMC=jHZ1sOO#uqS&t)58n*pU(kmQBp(eH=;p>
zRi8aA6`*z9XfADmy}%Db`xAljE0jucp)g+ML6NvTo60uEaa^TI&>eZ!1y~;Js-C*=
zngnH8X?deFyp#B)Qh0%-CM9Pxngu--sTf5iQ`vp!7lDL)C~;MJie%6k3v^}^q?I>_
zmA1)TcVa&lWqBpHsNjtk)$?{{uk|lwEA(@I7t;;B=BnolFXgXxU0Q$jKK<{n)`!92
zxN!f3FL1@V6CCV?c>kk=I?FHcPvo~@LWtTIX)*i*Znsf8v=#Qg@s9n;j^w$3Ku$#D
z;4vq#!_;&s&=4CUs~jVPxoPv*(v>txG1uoqtses?e40BfZ2L-@_rpyPJR4<%S+V~y
ztws(4k7J*_5J>9DMw&mfMaA#9!RHef$R)E!JU#mG#)6D)b|X^P4m7Y3bYq-kfX-P0
z#=^tJNxgnQfoo&_-xUW`>AGS5%?zQX4K&V*p92^Vjt;pX@^*qjF
zgdP16=b*=)#S4jCBhP0KM%>Ho+d?~>V5b(DTG}8kjTPQ&^|eiJp4dyc0lO2qy^8Q$
zD^sji&GS-`fFNX442iTMQl3aoNhcHDFi|sQwv{9=k;MvnPgSzo1oRtIpI$GMrFwSg
z-m-x@>NMbmhFCC*Jwp>D-as7I=|@T2&G((j@=L(}%^#ktDBn%qv}M2H*8$LJfR3qx
z?-z;EV`PCCwcc}b(KVV?&qS@pqKH2b*X
zjZtD-XkG2qg|)N6Y|=?EDN!GOFUe&R;TXf8&5_;cm`buEIRay)_G3?5NH7!nMx?&p
z+`g#H-x{;PGAUiExRIbs_7SC!EQ%t5$d*gjDL&cBM?~TfA;pHD@*r3{IUE)cSgJCf
zslsf}h-u5P!t(#j?(J9JB2Jh!$cqv+BxkGai^8dzWL&mZ_uV?45JA+QUbQ@@I@w23
zOe}%oR_2qEy=0P>%!0wmlnRg#=SiVJg{R;JO!~bdFil$Nz@0)C~`*T*j0@AnU3FtjGfXU$uS--VyHwtRS`m1S6wik(GjQDyDf->*o
zl-XSG#_y~p`uCwnVd1puX(mc2#w%rtA+`ixGpu&yKS@saU?;FS*<8Sm553MnPgh-C
zJ*GrOlyS{(>bXFXbe>UU^Z9LL$yo)wIbU)TWnu;~H;&pfkQ04$Y=gSK@1-#K>RIma
zfYN)kRXF&eHx@UgGr*UL6Wiw(ckFKvB+dA~A8|Ym}@0i}4^T&3C
zU$0&oHS{CYM6+hBFjdcey`7Y<>TCzpN=%|4z{SpEioW
zCS4fSKeTzTSpTrG|BE`$#lqCql>T4e|6qiYZ?bj_jaq0RTFp!i7EY}!~)p^yPR|Y@{bAVdt0v>gQvVkn7
zU$M0J1Ri~)enI*?=9=+CaH;eFoqy1_eo5R2GFCgKP8j)Nv)T#OPw54+^zqK=U9n^5
zLVbfmQBK0EcE0fl{!$Cn6C#VzWB$D%xM4}ZOO0aTZ^?Owikup?a7iKPj)@N_07QvI
z(lW#|h>Y^X>k<>s*ir*iLKE&i>iQOU!m?L)(fsh8q}d#(Xqlx4b>Bid9+48BZBl6N
z52A8~bhvb%r^oAWh0E{b_Hny%ARZrw|5XU7>ZU7v*4%w@1h4;fzh%C>Bj4x$`eMz@
zM}P4B@_N7H|2_eOV!9h`pZoE8IUa4__i`~h3ig5~e!%1dKTIP?*6HzQvcHNXUbejl
zBaz8YfMS?Zu+9CKxHTNhWC#l|wz}zSwbjkoR~ZE0Td{1F
z0ALnrcL%Jj{5w@r*qf>Oiq|b4wUI5M)7gh}fD%+)ICD%8aU&wkq4wWLaH16g%GpMS
zUCsgd
zs)+`G5m*`e!YxH()aPXKheVv-^M2cj>5hOs8C!9Bz#93KoB%Z2KPSfm%~ct3S3^PA4lz-$O12bQ#J0ozhu4
z;WR0=0Ew=2RLI$De4R9Er$G`0Wj~U*YT!W5Lqfb6p#X-rEKhaLL@zGuNNK>4@@c8o
z()0;xwNivsxvgBY@fO7gm!&}3pqZb9wQz9t2frGk(X8RlQQc`HspDFzICn*dk!UnG
z6Pj0+r#Oq103lW2&@?Gf^r#U*%mr$&
zUcmtuY@1};ga;k?*XX*83I&x-N~zUYe!4~bZr4o?wEEkU_W{s@>Jogej04347IjTI
zV>FP!*z&Z!Pi3om|6SM=$Z?mW%M8{6W?!hlUM?`5jW*(VL6n_`A9ytpQ8$W>+Oh+Y
zCrUvBkB`b<$vWc9;qo!0XbM8%oUp3&J`?e+Gv{&{koGq2lpA;TGAHh>RIYt)K2^@t
zp7DyxG8&~@4=Uw%?UQ##(hL%lKhJlDjO}2FAJ4m)vScJfz-ZHl3R?1YoT<)2smF}t
z26%()4os<(k^1p2iilI`0g0~{QNNV-7s3iB(OXJ>8Jl1%cN8lb(-ggH0qOQ)<&HI-
zXNDR{-!h){@tkn3wf`5TQV^T2hwNO4T__HG`sCUF^mq<7zTT+Dfv(giMnhBz|9+8~sz46el>3TO%9w)NC&Vtl}w&cERc*d*UC
z-aEVDAxm-&Hsvnvfc@e(i}M>WGZ5wx1O1+8Uah
zGSXQ&n3{jDe(wSxNQp^`0RRF50vP;!0KPW>gaLp60slGvBfy}*{|Fce2rwu(7&!Pp
z1p*Qp5&{AW0vsF)777X)=10IG;oxCm;Qp!qbCG|#|I_Q|fPnyq_@~AHoqYELAVU0*
zBSQfL5&-}q0s)ApEEg3=H(6EGWni
z$vdF$&v^h4L{KC`MnN!SMMH2RM--;O!~zInp@soerMX)YW+SH{NGLRP3`{IiGI9z^
zDi&5Yb`DN1VG&U=aS2H&WffI5bq!4|V-r&|a|=r=XBSsDcMngm;E>R;@QBE$q~u>I
zscGpMnT18gC8cHM6_t%m%`L5M?H!%J2Zx47M#sh{<`)*1mRDBS*7x=g4v&scPS4K&
z-rYYuK0Uv@zWsv>5CHh!u>K3#|GJ49RLOx@MrLV
z5druCKEA#If_40lxV`~^`LFrE0m`4s^jEG>6u`gN{{LHG?DsD~AN{0dSik`Q!2bKk
z>+IrbW9s~m%jl1~wEYGLLN9&&x8SVq9C7N38)=IxP624AXkc+ao>u|s1ljL!fw_v!
z!f)U3Vv|Wr+^#b-MSK&-Ay0?ijChl~M$^TP(MH0cGCL2%cDUnE3P}Bu>(PzPtaiB~
z1bReNoU&^)_Up;Z8U7?OTgqNd<7ym+fviPcYSkH^KFa0vf@7h@^uaVKi7*tHqX~Pf
zNX0b^Qn618h!H;Fkgnz5F{mdPh7#MhR&@x~Vo@}Zq*m589dOiU_Ubwk&BX{-*l`Mb
z&3hVRa@5}BVsAP4Vo;P=iWSiH7txhOpkI8O75tBi4Q(K)d1jO`p9EYQ-qd*(mWR?l
z@+>}fskg9`8CKasHtj$h?nI-0p4veUJWjaL6Dbs|#kcQ=j8Eg#ljwCi{L&xOa;Yjo
zH&cPReA;e)F1iLMj>`J
zEb~Chyjv_{0Mf|ut_FG7ycdY-fy*!PKD6PzGCnh{)xhdADS|t@ke1}Xt}97`sOExb
z0>hLv?r^~5p8dLN0Qup1>;oC@<^JeNHp3Qq8noQCV?$_Zv*rI1W>ag(hC|
zxDt0xKKOiLC8eIOKL(B%r|?M-+7rT@V87ajS2thb(l9G`e0z1}vUPPD7;S1^XeESK
zE6{{}jGp&SBMLpnrNCTyrBU>a))w}|+HB>*^Kv2C2oS>WbgiwBOHRjqguEV|L0l&e
zH4whY(Z2MLR){;^BO%*Lb*Xg3%XeCZ>2rtjE0CI@`Mcir98KQa2g
z`&Q`Uldp|gZgFhC7YZyGSlxlO;akgtVXefk;`mTXuCZ6=NJ&3x%{c*lItWz|YtOul
z;OsxmR?fOtxZ!YT_XYL_z}uUYrvW)f2gZ`&OkqK(gRjxHLVuajOK%PIhuOmsB0MoXS+cFX;=vom=XrQSd@wYxAmIA&D2EtQ#Nt)q6%?Qd
z1nm(=-+GgLe4;YG|9=*<|K2w%Bxb4}0tWz~+vUF&GiM7!CsPw;7biX1mHN=PY=Orp_^MNuTyGUK@>*3?TNnJ7j`1^^0;A1wDY???IS
z1I&ozOt*(TFpJMKcq$*4H~b&(eLXP;BD-4zUtepsNi=;M8_`?ZEeU_^+EoC*m|%-S
zWo~CITG8o=Nqb(@Dohx6F5I}ny`j&*XF{-RgFx<|;u-!@-TLcSAb%>`fA6lr(;I(>
zr;Wo8ay*$22!TdobYbZ6^m*LxAL-o;h>42fVov#@MUyepf>~d{O*g
zrB2vx0Tiw*y|D2!a(=n}^|f5xT&`yDo|Yn`}$fvYdH6?k9k#^{r~ra#kO>hBp0Yrl{RT6vXrKYxdD{X!>somUMw0n#f
zLp~v-Xpy2Es7@Uqxap>U+7mS~wjmYGNBhzM;H2_;zM+fOZNfa>R%BX-uPzE3XT>^${I~
zL4Tb8MI7A)i;y{DwPDomX}_2URsFuFR{~;e4)~yONB^7q5o1Umtvf(NcH%gOo{3h7
zuC^9Uh9yg>eot~V?xWwef8s!@!w`RBoHPCb2%M+}P!|+_5AF^UvMB`SR2l+LqyiBT
z`_ANmdWvF91ObT;+?;I~iyBTnBkuKi0`=K2ICk_j1-AiVI(F6!B!`-dMg(h=_ttj|Lr#y)87(HtWS3C>VSseiQ9ho`(wK8HO%
z9yS;J>{{6XN#t~Ql6~1-4BHc1MA-jqlT6rf6qz&{YJ?hRa|A;6qv
zN(JzcveF*@S<)dpv{PO2>tL_``o-57P6{?#^oM#WT&V*n`IoH);!bIsIp$ti7o;5(
zT`phl90g7^^(Xh%5@T1iqAYr*c(aAXqYPVU_5fjsyeIm!`nr}$a_BMimIIv$(8hPs
z@(MQDHfr5C7=+==TcDe8LoM!U>#Dp}YSc-ngS@A@#{~3NCrNt%KaX#@(%Jsi>E+`L
zob65&Wo}rdcKx6p-DMVi9?M;U*i*G@#HnnI0U*nWs);T!<$wk
zd;;baEuGAo%Iq~B47bFSnl&JF!09)Ho6jGvOi@0vNsGoKTm81_Q5uJ=LB9L3TzM-S
zE~UWbQaTWh1AK?0)GA0FPDeLY-l#(H2*7b?ieC4WUhvQH1R!fuwjt%BdN~!Ee7F6w
zG=6Tc`lh4VdxwYCug%UajalepI1@M+1loDKBU~9E#|lzh8HNMx9zyHoAdcp5qCgT$
zG?{)s(RL}V(Xbj8KVrKjAIaxo2!cRq=A3;45<_+klK7HG<(yg(;hr3L2P1|xQ=78f
z)`CD#NoQO3zz99sae%5<#6xpSuRj1Z1479*xf1EV&kjhN2>C0*P;W!~aa#gjkSH|X
zp-ak~q?qvW(=u{m2y2lor~-zTKEWhWHaX0$uDihkZkX-Chw7p{nEb6wvRSCFQIt(3
z9Is@D%^bVVHhB?G&;+}kfg*RHEbK4nicn}g3LuWYd|-2a`U8gK;ljoU2Y)#c%=j3e
zg!-vDqkb`sTkeX%!_+iZ;7fV{vS#1EElH-Ju75g%wNB7^XK7#|zOZ+9a`oVFt_B68
za;Iu6uos35Czb$Bk<(Z~!LTHI!PUq)NLQ|vV=GZa9eN?i13EN8Ba4N|VLDTCW4x4x#l+g^c1wwnsHuh~61Fuj
zz#23%eAs;oc192_u26TR^v_EAjl|Y9314?wW!!#nKne^1emIY8VRD54vGj^y0MNhv
zeS5Ql$vz=dYnJ&UXG05yIjq>TF)YPs;2PkhQUd!!j;I2F@9`$z|DAyhPzD@PEMp=_
zbShf>hanCAq4zKHd;%~6)yoT9mw;C`1&vR!SCIq0{T#YjY1t=KdZ^hOoy{@3z4f$lL~kU%bxxJ4y7w
z$-(syzj36*6%O{OaFRhq98a7ox(pML(6VC#BB8T$@<_rvdGzop;NUS0)g$^oPATRk
zl@c5#4N#Gf<m!Q?rR2;
zoUG3kcT-SXs%LNclXK|A2v!bTy^fZUQ3&-iSQStSI1
zuL0oC-f}QHp^ZVSp$r5pQgg$sf5-~j5pz3IeoBNq2maN25cWWnDgjLTazoHkg+*Zr
zn?tFnh7y{E%<2nAhVEcdXPylZevH6hdK{-f!QLMGv`kVfMQV~ThRR+xNO1PIZVm?tConYLRF?9El
zJ<54F!9gQCXclZ~bXxcclWB72!_gBv_s1gcX8}%mImWK$c49W>!mnKGCJjwb+&s79
ze?y_Ib@#pe(>Mjsa}b@a8B)lgXiOv(sqU0Y#EDS@6sCbSx(A+sIe308jd8k5KOj)H
z2FQ~X*~)iHZ%hug-+=W%i5}d8C=}mZHD}Ui=OnE0_Z%T0C0@~qKq-Du0z#ecXedt^
z1WpO)cPI+vuh)Y^P?BBc=$IPZ6jpTaD@hw@8bT7(B?5I|jxxSnMt>*fwEze_=|yVF
zQOuBbxOs}h$=!tFX<34)fx8?U>!;|*2N)exM7;w=l(PAx2&8!<3yk0z;Vl|NBNh=9
z=gap+9%I)VJo%^^hRxDX!QI~iMw-%LQ>RWeeC&pS!>56yvC1X^G2mF-#M-$%YFuiB
zoYiR*Bq#|j!w3zUO_+tQo-vn+6GK@Z5qp2cGlq^(TNKSNpl{g(7^+fhG=%h@#j=Z!
zm~|9q*s1ur!wj-Q@+#R2cHunTf4u{gt8uG@QrJzg7B=gNpAi0TT!O-ulRoxaH1uqZ
zOqg0{6Fuh!1<=zQ$1sHFXsHilml28i8_P@Gej=s9v>BEsUcbL>)L!
zy1r7-8e8{=!>!Q=d$ed={q}>!#8AOk0E25C28Ls*-0}coI;7fjR&*x=h3T`4?GWGL
ziFI}+!S&<)BcAXAt@i2m13iG`*HQ))%wIE59-g3|=w}$6g!N}W15!AJOb^&DN@k{(
zAf>OExm1$$H0KbkW(77!mO36^!tWU2YO=lfEjHLN)P=by`s6mazSv#(-_6#~iqrfz
zrsr87RaQU}#s*jwSxd7Dv9|R3eZKBN3A3;CavAArX;iTC^O_ieA5-vw$FSsie|-1b
zv6a6gAw0G66V?hz#i9c=g=HWGJ#mYs=20lt*j*|P3sTh<@tO$Rk`La`7$&i1?El`O
z8ewB2KVi?4V?B*FB)4RdaDv;+@QoG{=Iz@$c)A(+!=bp${dL4m%K?fjL$PL$pIH_u
zkVDY?PL)v5Y7*^~@X}}U2v^9`Bx`~44CJo>|C@UUf+hPIM6!^v-%T4kK8o{sqT>!D
z$L{(L_pqaJ5DUImCtAmNvOU+RTP9%s;xNgY?bOV5&`%TL{aZ`+cdH
z3!qHD$N%w
ze*puM?iDrCi5;~(t4N;Mw1(VkVKx&|PI7sPc+3#J;bODxIA(5SQ=FC{oZ}ZQCd4ze
z&rY$sic89`h+p?2WsIlTHeX_cNmoHo?EONImlRq+{K4~49V-cuax$M^`(zX`=I)0T
zMsCL3@Bwu*k*V*N!Ho|2xCD!Q}>=cL1ltQ=%JRN(`oJn@Dt&hD?sIsOZ
zBOf`|$?e$-8hJM5N=k!4NphY-axeQ31(1!3%S=jlIv~qtQ9TPb6=GE+XeCmd
zGbl)jjy2Xm5UGkMmYX>oSB7m8bqaEs{9?T(9(1YktQkB_2C65kCe;9}G1U$%6m6oK
zHF|2c1h>xfgT#NCm!4`)Rle6z5)eg67nH6zvXSQD|0wO#nzU-qO##Pokv51;FbDDo@!Vdj1Y$xe_vvldYSuCzQfmz8!#NTI9~L
z?h4kjhw$n#>0Z|k~;X^%aS`4SgR|zot{6uIEgOJ
zyn)4s#R?x{XO`GQGS?CyAs4i
z)9K4LW&j4<=CNbRA3^rKLAF|y)vFUP$6m~cR@2JzG~wM{Y^iG{wZRg&iVkEoc)}6g?1Ed1w_Go;i`?l;H;!
z4s&w5-lCauEcFeMN8eEsm)kZqr%1KEbi2RAFxjwtL#Q1m9-_6PoGHgXRWfQO_gSe6
zooUM+BnI9sdFo!qlEb@Wo9m?8C0(XO#x(SwSkd-8qo^y{y2fd%2)kU#^^I5@{w7*1P#YZrM1jo$Xq<%%9T_1xMY5V{7{$G4}0$&6+;;phF^Q_4)=
zu$HLIHkWSj0tx|}nerP4|>=xmTIPh8LY8s)0
zbSoXrqx&T*!ZLq8>#b)G2RD%+!mnx`k8C9RaB)e01RE-)b*yJ^Z9#FDjkUJ4=L%+`
zSC7&OnQ|9|w@m#YG~yf4Ku!;cEp(MPqMxMj%MN6mXc;m+P2?Tr>O22gRxx~fr_@MS
zSgG2tcfT+5O1_*sZ;e4mJ*KCWTFz2)w(l+UC+RJDz44k!1rVnKlXe(|Xhs+k0&{Ib
zA~ULft+Y8`fBr!HuNEb20q6%Qk~vNjEkSz*c){kgcg~p!LpoPZh4q@)jC-%Q_Dof_j1J5M!1P8PH9UQoHb%Xu0G7QPWI|aWEkeW7oPSLXwh=
z9+2SX<~(3L2OVqMCiUzTQOlw5Y4Gb(516Tu{q&7RlRJsHJ*!<&{`ze{r*x?A^p*+
zYDuygF5ny0f`E!ESa9zH+5FklQ@0Z7Ut=p_Ohi~7rDQk6ROC-X9XbVbq^#M+Nz~`>sVmy!nU%}u+Yd1jbLX-#
z{+(;%zYo3%(I@-n`lczmM_L{-y~q7LzQ9Vnb*&gMetdacfC_RHUkU^I
z!p?e5(XDL2hT7LPDNY6m)8qQUteH8=cGpt48JFGw=R9dts2kh-hHOB820^c@g?<>m
zG?EaC4XY&KXjl9;9HBJP<8d7^I^@=kemkX^iG}#1u+v*NAg|gkIiM3u9_$D84a5^?IX?snY1U`@)E5x
zxaQ_+7SE>XrNvEywxFp3>)q_Gu-U2rk7M|}f&dKV=|)_E#%^xTS}HpT0x}P~Qo~2M
zEPzfobgEREseVyk4OwoVmMwE$l@8P!3|*!#pkEZ*fI_2+;&CHP*-NiwJN!%P=dD1O
zy@fC=*3&ibn@A1?oSfELr%8%M*z-!kHs@kRO(`9eT5a(l(W<|e^PTy!CwIswO2-Lp
z0~-)ry2d9kY}Z(NG_;|WH*z`3fVk2;JI$?#8AcHrz6S52rbwga#q%;ZYiQdn(=_Nk<5Kyt~
zj=%G^v@Jxrshw!=OVVP!^pIDaseyiqQ&Sr6D=S@=@wqmH5;*d
zE`#Pp!xQ#(48*SK!eTi$7FRmzhU>%zy_~7$E_{L)Waj}=
ze|_}KX^?kZGD;ud{I0t3@^$gT87{tO+{Q(KW&Bnz@ll{lX^!LyZ+d%pPwf=pq0=rl
zA+AQ}D~*z>-CA+g>Huf@0Ytku_{uuxDGbRN@%uCg`skS){4Z~Z)x7;5Yt*Pf?6S@}
zY>VWD(^RE|vR%_Dz4y_hj;%fhmGt#uPte3lPyK?KFXgt{U@$XCK>BHaviP>kz6%^Y
zd`|Bszr&${7XaDywR`;HBDRL&*?6i-aDniG*DvEql>pOTTN58&4z#my@J6+mLx064
zBMwrFV`0kcZMlL0;}TboP#uP_zXjC~;u?Y|&uqn;lpUcudhtp`UvSvi&N|oErF@ETzJuY3M{Smsc;5_69}F-wi^h(Ego)U0O@gV^^&~mh@SRgbKBMnm<}X
zeAQ;Jg^Hz3TTn8IIz(eball=wc$bcMWE_8yogzVk^n2DQ$LkdoK%Qj>5k|
z|2qukzdeVq!(;IDKWFrR!U+DeJ+g_Dq5D5hL;C+z{uSu?M_oI9fdj=)-|~AP?aP~TNk2Z%DGJWhUCLdm!~yKqN|LljMXstT<*r{+QUuXw0j1o{Z$GfhJstn
zhGer#Esi@Eo9PuPWt)qSe
zS_2_brG!jvOU!gfp;Bq&#tnh0puY0_xIzk6()J*GgFNunu
zbVztE&{+IrfI<$#I{IN{Prr@(_^q8!?+aG3W5j5ssrR&_&b$RTUH`B4-ZH9=WnCM^
zo#5^kChqR;?he7--2wy%PH>0d65K7gC%C&yu;3c_=E^$v%UZ1Lea;!<{qf3
zHucQv>Zhw-t@nsF6>)P+$=qudc7o%XB%<^i|6U7yB^c(m+aNYL^0bfn^1vWe-MmLK
zUL7(X8UK0rM=jDtV=ig&yb6t1^i+L^Q+EEW`)_iTVJ_qHlM#X-a;*>&`&;&Ov9__|
z2ft54ep!I(Qio+FU9Fi>HgP7IsBJn^={KJo4;hjo*TZX^SQxAUeZ#+ZYbuS?_d~%K_{%Snqn4XL
z%*CkgV8u@BwWPi>d+D638kXg!_S1mA24P!AXx}Y>ofHkJz0{V2bH@Xh_QfWYa$~*A>!f_fyZUR-@Ix6
zKAqrX&BwvUr(`j{Frjo|E9`oOxCZkXvCVCYF;hLNo$|AxT6>ls=(xLk1$4S%A7BGv
z>S*>Vppc(g8dSOCP4u0J^!zlDpY1#IrzMMf0bnrJ{}XHYYm!Z~%Uz%chU0kwL$=8N
z4A*kEce4Jk8uSKErZ#`AL{I<6`ImSlnI1;ufi=huk)hThZZXkWM4{k-&x1Z^V$r*^
zA%#*>qprtAH@mN$6|uol*5X>X-JkuPI8w{4(?2naZt1;N=0b&SS+?E^mu;gbWUv!O
zh0TCEBrwbE0hmo))DFRG6MsgRnd*H?kae#VYo8qgL9
zHsitCqP{^XB8!wVq-#$4<*GmuQ?Dm6ruK)ErBmC@okUbLlyq^NR2QxW6S{CfU7z?Y
z0>&UWbyd4n8(XtcUaQEMzVnYzHX{eaU|dY@C$f*WOVay77eyZqm?T5irnjPSp^r+qA2W6cMz;{`mJ#VH@ZIrIJ?o%L33
ztT-qv)ejiF`Oo1V`|*wABQywzo9KTt+&^oI{~YdVT^$AdAq>Bmgy*;7i){pjC&^#m
zL|}W1)EwpZ$>;kDxpF}gj9o^y;4R(G?IB=)(Qa@9Fe!->SuQpLC~$#|Q9rN>`*E4bwVTX3S+#%P$ZCO2@6bZvmLK8w
z{Pe@`7MuA8Q{f5Os|P;$i|>x@+Aaqzhpi=fUTYh-cO1J6-qds?_)nL3_(s}v$q&g>
zPL3ScL)25I9gmC~vPf=i=t&q9(6xD!_nwL3oZpdiKvAHv-wIZffxh5srfV-|J
zlh>M|fdR>?xtl{lSj<9U>S?r@Fw`2;C8Dj3*ACTMdp{uY%@=7_T=Z13Z5#O+0$GDC
zJ0;y!`mj5lg$^|qVj-cZ>PrDyXo3xJ68goOicr8J5Q+$NobfFC+qrYtsS+wGHFk~L
zk&#nR+sHjoIgzI8_`cPn=z9_804r(s8m70X+|cPV5N45}7)>GT;f3k6O;wsT5!IWs
z?A886>)%nX=N#NH4)%ln-KTcGSp{YfM5L+Iudt0oAW&c-rP{_)4I#)cfQ{}MHi?b|
zmKCRP2qh3M%LZoPXRgOO6LTud1~e*zlp7YZGTUy_feDOp7J}z095Sv8^s7B5SLr^x
z2AFcsJA6Ll@x0CS5X&~mv$)*iiM#eZc^)Ue>}J<+IJv>`wOMs!IUd*3eHz={;ke+B
zW4Q0HI`~fQj+XIirIm3*p|?Ed{)__^-uNr2T_A#hX74Dfj1;jO&$UxSL(6&G}s>d7T#VU4T3ef6#;m6YkV_7skPcoOdHSTO1FIBq
z54KN94$JnvxbkdQ^=>KLXz$N3!TA}rTYBHUf24-bkg$8>ApW2%a*t=$d6T=_S9;3y
zLBA569Z^MpHv=wpJ2F;xyxI!?-FuWeR8q(<8AG`DIq5lV1`_#Xx(w=b4!64y`nqqt
z9?UWiic7c*SQoU)hdJmHox*zIo%sW)wcpZAqA+Z)n&^m%>sK4dS+|Y%qi0N`3dgDz
z<-FljAs-9=E+tizS;xj)&!oMrn7gr^`N99S;CopsL}$?Qh&&Zm;AVGnsXTcdOS)ZL
zTAvl<{2S9Wmd74A@2zngWW-Elz0ygf#D}BRS;`#=a;gAv(L<6-wLzX}kp>$7LTT3ehx2
zzwDa{#l4z(N9~bwBD<+;5-ivx!!r-{t`i*^f%G9mxnX#2dZCKBsUx0Y^hurU2v;3M
zw+1znrgONTg)J#CBM_h5y!R8W0{fcq*;bAu8!dDkToRXjVM&-I#f9iZ2m^6$m1r7Q
zGcXuC(vDMMP07q$n+$W+lo=x;D2{LGyQo4VCZq|D$cGO*M^?&ZuQ4xrKn$0d-LXJy
z93l7Ypg}v?FZ^B+5<+XY7(uGK(Ds)>P(gCLrX~nh(FsA36cER%S3nh|M;H$wQKknP
z;vA4Ghi%R`30YckNs4j+?9JI`sqMd#7JZ4%r|moJvQ!q7)`0=wz|WkSMjW
zm1R%{>D#pU`H%>TmvX}+-Ke<cyG$*I&!ilhi4vzZk58jCiStX
zxwX`2v@P!yV5MrWDUYAyBEM+Tix>|*lqG{*FKLUQk0<5$bgaYUc;xiX@95sX0iFZD
z!*BS2zdo>YV$57|2__f!b@L6?h17mYvhS3&e!NC~p>(-Q2ucv-S6yN?Ty#-pJVEp*
zDLl2}u!h(EHuERGEr!h-JNG4n@p&2yZ|_N^HKr66wBP$oQF*2F5MNtlxN
z!&Jv4CoIVhP~v-y@5r^?lhbV-AzLMH8%rL|R@0Vc*%7pFcK2{zo$hzoJ`(i2X?X-^
zXM0}phxfcT_^m*tG}j!L4IF$FHgPz-|5m=8xU4
z>COIoXe*H=zM(yBJ(e45$EPRqQqEaiQ-=-@?fTvM7sSj`A$zI7EJ}ESx#N
zq0+w&Q-3}>ekZb*T-ztHnUANZmLX4p&Mzg1$yL11ayzX#F2zP7N)s;&=?JH?U1M=fy*l2RdA8N}V>#_Pk5^4RzJPU``+n}k
zmU-2~+I{iSpv$sRu7(qXcR+d?*;yqgOOd#NTIYNNf<-+$lk8*>PRpirm4
z(}E1VKLp8kb^POfgj$QTmGZ<;>kNGe>Mb0ao{}0wv_k^$b-zQS=pDBR8_H$YoCH<<
z5P#DBUe1b=6K`?OuN!L`BHLwaYnfV?d03otNw$w8Rl{x(;kFU=h#Cw0?wQP|+Xk`wc5f`IP(|YLZN!Q=8SUWy350Ldl6_;Jxnzx5Jk5+haytm`4FS}ledZnoBd>wu?C(>%_
zKkB%s3@lR;=+AHPc(9l)5aDUj8iRUKPXc0&28+CaY6RTHMM81_^*n$)XpFfk;S-mQ
z^ol8DC^4sd+8joqsy?34DQlr2WN3nN#>Gt$;)DkKgKD%nX1C
z-Z1NM=t_|hdy!X1aY0~ZfP)36v2n95B)jC*7Zl?m?)sofIt64e9+a-hen0lm5)Pbs
z&7jm06{jVyBMz-hwenViJ3sK=K5PMy8ZrMRJnUQg3hxpGGjE2c|I;U#!z@NMSUz%U
z%(VC9(qF_8U*m|K$4MC$BQie
zIi=a1`V6e^Dy-WdR1(f(Wky#b-W3#^(L`!Wd;1o&4mI$b#inc$jA=bi*-8GwRBfEG
zCc_a4iq4y5yHq>!;xBZbTN$rYmzu;yMF`0Zz+PFYC||$#wwh9sq*Z!F7od&@dt(xS
zjEpALY@%XF%F0VLpItQqN6&u?aXssL!g)H2Q(bS%H=eCn{dtqL+4{{^00L(KetG^v
ze86#!s1K@W%nF)KxHQuPcFN29VRVy)@B}eW
zVGtR>7bDz>8~4%2S^jdp*wPl~sEyi)Ra1n8lke_2y^+YsPRFM>6=P%`>
zm6+fI$03FG
z)BU1aWN@hCjs`qniQshzi*894)(#!L)ge_~%n1Ab#g899s(q_K*Ti&q1$}jedFqfx
ztn_cMF2+O<@l|&@KSr~3YsQKSz84)XzQE34RVEx;?0aMt+>-dLO>2uNz^-4n(QgtE6!@y+pi6D+Bz(j2J+iWNgM!$vx-HP`o_
z5JpM?)jalIvxk#h8*yJr8<|8!z^+1I#=s{?fo9{b(nt~c@{?-gBnmfN9D-sNrFd)v
zitcr@dMI%)cXlTUk@0U;kjs5RVXOY2?lsn4m=0OmDPkaI;FN;CAqO^O)g*JGP#<{q
z*pPTHxnky@4<2z&`2xzGO}NcVc4~9x<4Q)~&nP34n8?#QNT<|}E;!vF!NlZmO&hM$)>Rts@^d*RI&eDC##!jJHg{tuU0BKW
z2WKX!O<{f}5m1|QAM}|`kKmW%hGo2q1GSDxA=BLK0+8bG^aALmOrXj*pv?fsDs2Eh
z^1jPvxbC;3VdI49swRT?g2bbw8%1Asw0Ie(PB*)@QyovE4&3WnC$QNEc4;E!$T9cm
z$Z(ftTUx$1A~t{4yP}#(pjvC7^u^BZpgb*O#+)L2kST{}`j|hBujng6OzZPHOy!kg
zhvMqpvbBV9He+G`_l5<}b|-*DoI!+}dbzgK!etmSTFFPU%1*}oPyM3gmBc6ncY`oj
zkz`h=+-VX(HO*zZD@f|I|9P5g{Sq_*1!$mqUY_o5>UubeJ?NO4)mveYV5#^_T=K#R%Bqq%%3O|yeI-HA@#Z_`_Qk~`
zqm6FfN@>&L;QnG_$uoHtKGjFgrG+8Kjja!ypGo&z>xr>;%s3(2#kos9YL(@p>E^QU
zlh$A+z<#K*$WXoS%pK&F+$Sq14#0q_B`z|#2@>BO^bDfKoRF@G9Y-#>zi;{rJ;P`D^cw
zpVQX6n2~TWCSCsPx(aN
zFF6TXz8F
z&$*a7shGOB{Pc;vIA@}NV`+D!`c-;a5u1;t`gp(a75cJ^Qa+92K0#_wvWWi|up_FnzAp|pm05%mAFK(1^a{&n3;MQNabpi7*N$ziq9>N}L{Nmd;ckj3rTx&AeaB|-Qh~eIY{pRCKZYSOUOEh5q4-NjmM+5Nf7!7cE5D-}Y
zKej&tfEc?vyV%=m+S)K!x|rJj^okSbl7j$ph=DBn_s5aWq4N?u>ho&q6B7Q4d0Osm
z!fR<@fH;pr{A(4S_J^bZ!ST&hQVi6(orC3PKlrz&p%BWJz&bb=A2Iv%XfY#vf2ddb
zaUTiqd?2?(mN-oHW6Gu?@2;A!+bqL
z&joFrqwJg;f{cN7@7j8>9c{AajTsz(URooi!dyrChDJ`NS$i@G)bIG5}D0U~_@WqXQzWq|Yv
ztZ8W62}%fJ3|5PF1Px7?@jQ=Q@?!y7Do9A+u9TBB!7&%f4RiQezTyjLh^uWF;yV7KQ
zEMsL?V|CUHLM1Y?-7G&j^lp^22&DmwgWk^G>zK_ae?gR%y)QC}SKoz=G^^<5$$JgP
zQri89_21e_ox{xCi}-!qfP$Eih^&RMapXTd%1gc_kUp@0BDp45nxlh98@uFfW7?CE
z;E-M8s4}AUk&=p>A>h^}32#g`;*`3N(ddxRec%a`3``0A4Da^EHBw`FNunysKgY!z
z!@CAQa)z$;!>Ryy%a06Uh!5(jV(y4V1n+7RfX^~S(Iu2nlGSn`87IpB^;mX_Kx)I2
z=k%%Zml&Ij@265O3XL2SbO9cFL&Jz4N#_0U@F9_v+GyOyz#-=DRq&y1?^JM3$;G&a
zk1xJbm?d!@$lAe5e|M`Bq^o^@M$mGq7S*5Ye)9fyjZUC1duKI_i{^=|oJ+`)G^;5i
zk+H5@kAAk5b3qS{$dtqc&VU8|oTYs8nh1TnT`v(OLw>mBgHRr_`ns$r!m4p|2Fd$J
zkC^==Q>y4|SPFFf6%3QFQV9IUoHf#vZ-N2|VOyEM#K7|-$D5u4v>`tLiy1C})#LzR
zMCxEk9%!e;86oLc9taB_mEmx4_(yk$gPOu4B#TXd5*Z*2YRxjSQLvWb<
z-a$>{?(3`JDP9WEGI5t}1F9YOM1EiN!ur==5cAbKbUZVQYlM|d6LW{9#p?BGov3CEdsK-f;w!mE2F_t
zZC;#oj5