Add support for creating custom static routes (#726)

* Automated update for ARM templates

* Add support for specifying custom static routes
Some automatic Bicep linting

* Update deploy.bicep

---------

Co-authored-by: SvenAelterman <SvenAelterman@users.noreply.github.com>
Co-authored-by: Dany Contreras <78437433+danycontre@users.noreply.github.com>

Author: SvenAelterman

workload/bicep/deploy-baseline.bicep

@@ -27,10 +27,10 @@ param deploymentEnvironment string = 'Dev'
 param diskEncryptionKeyExpirationInDays int = 60
 
 @sys.description('Required. Location where to deploy compute services.')
-param avdSessionHostLocation string 
+param avdSessionHostLocation string
 
 @sys.description('Required. Location where to deploy AVD management plane.')
-param avdManagementPlaneLocation string 
+param avdManagementPlaneLocation string
 
 @sys.description('AVD workload subscription ID, multiple subscriptions scenario. (Default: "")')
 param avdWorkloadSubsId string = ''
@@ -107,7 +107,7 @@ param hostPoolPublicNetworkAccess string = 'Enabled'
 ])
 @sys.description('Default to Enabled. Enables or Disables public network access on the workspace.')
 param workspacePublicNetworkAccess string = 'Enabled'
-  
+
 @allowed([
   'Automatic'
   'Direct'
@@ -511,6 +511,9 @@ param enableKvPurgeProtection bool = true
 @sys.description('Deploys anti malware extension on session hosts. (Default: true)')
 param deployAntiMalwareExt bool = true
 
+@sys.description('Additional customer-provided static routes to be added to the route tables.')
+param customStaticRoutes array = []
+
 // =========== //
 // Variable declaration //
 // =========== //
@@ -1093,7 +1096,9 @@ module networking './modules/networking/deploy.bicep' = if (createAvdVnet || cre
     createVnet: createAvdVnet
     deployAsg: (avdDeploySessionHosts || createAvdFslogixDeployment || varCreateMsixDeployment) ? true : false
     existingAvdSubnetResourceId: existingVnetAvdSubnetResourceId
-    createPrivateDnsZones: (deployPrivateEndpointKeyvaultStorage || deployAvdPrivateLinkService) ? createPrivateDnsZones : false
+    createPrivateDnsZones: (deployPrivateEndpointKeyvaultStorage || deployAvdPrivateLinkService)
+      ? createPrivateDnsZones
+      : false
     applicationSecurityGroupName: varApplicationSecurityGroupName
     computeObjectsRgName: varComputeObjectsRgName
     networkObjectsRgName: varNetworkObjectsRgName
@@ -1125,6 +1130,7 @@ module networking './modules/networking/deploy.bicep' = if (createAvdVnet || cre
           ? monitoringDiagnosticSettings.outputs.avdAlaWorkspaceResourceId
           : alaExistingWorkspaceResourceId)
       : ''
+    customStaticRoutes: customStaticRoutes
   }
   dependsOn: [
     baselineNetworkResourceGroup
@@ -1152,7 +1158,9 @@ module managementPLane './modules/avdManagementPlane/deploy.bicep' = {
     preferredAppGroupType: (hostPoolPreferredAppGroupType == 'RemoteApp') ? 'RailApplications' : 'Desktop'
     deployScalingPlan: varDeployScalingPlan
     scalingPlanExclusionTag: varScalingPlanExclusionTag
-    scalingPlanSchedules: (avdHostPoolType == 'Pooled') ? varPooledScalingPlanSchedules : varPersonalScalingPlanSchedules
+    scalingPlanSchedules: (avdHostPoolType == 'Pooled')
+      ? varPooledScalingPlanSchedules
+      : varPersonalScalingPlanSchedules
     scalingPlanName: varScalingPlanName
     hostPoolMaxSessions: hostPoolMaxSessions
     personalAssignType: avdPersonalAssignType
@@ -1172,9 +1180,19 @@ module managementPLane './modules/avdManagementPlane/deploy.bicep' = {
     deployAvdPrivateLinkService: deployAvdPrivateLinkService
     hostPoolPublicNetworkAccess: hostPoolPublicNetworkAccess
     workspacePublicNetworkAccess: workspacePublicNetworkAccess
-    privateEndpointSubnetResourceId: createAvdVnet ? '${networking.outputs.virtualNetworkResourceId}/subnets/${varVnetPrivateEndpointSubnetName}' : existingVnetPrivateEndpointSubnetResourceId
-    avdVnetPrivateDnsZoneDiscoveryResourceId: deployAvdPrivateLinkService ? (createPrivateDnsZones ? networking.outputs.avdDnsDiscoveryZoneResourceId : avdVnetPrivateDnsZoneDiscoveryResourceId) : ''
-    avdVnetPrivateDnsZoneConnectionResourceId: deployAvdPrivateLinkService ? (createPrivateDnsZones ? networking.outputs.avdDnsConnectionZoneResourceId : avdVnetPrivateDnsZoneConnectionResourceId) : ''
+    privateEndpointSubnetResourceId: createAvdVnet
+      ? '${networking.outputs.virtualNetworkResourceId}/subnets/${varVnetPrivateEndpointSubnetName}'
+      : existingVnetPrivateEndpointSubnetResourceId
+    avdVnetPrivateDnsZoneDiscoveryResourceId: deployAvdPrivateLinkService
+      ? (createPrivateDnsZones
+          ? networking.outputs.avdDnsDiscoveryZoneResourceId
+          : avdVnetPrivateDnsZoneDiscoveryResourceId)
+      : ''
+    avdVnetPrivateDnsZoneConnectionResourceId: deployAvdPrivateLinkService
+      ? (createPrivateDnsZones
+          ? networking.outputs.avdDnsConnectionZoneResourceId
+          : avdVnetPrivateDnsZoneConnectionResourceId)
+      : ''
     privateEndpointConnectionName: varPrivateEndPointConnectionName
     privateEndpointDiscoveryName: varPrivateEndPointDiscoveryName
     privateEndpointWorkspaceName: varPrivateEndPointWorkspaceName
@@ -1267,20 +1285,23 @@ module wrklKeyVault '../../avm/1.0.0/res/key-vault/vault/main.bicep' = {
           ipRules: []
         }
       : {}
-    privateEndpoints: deployPrivateEndpointKeyvaultStorage? [
+    privateEndpoints: deployPrivateEndpointKeyvaultStorage
+      ? [
           {
             name: varWrklKvPrivateEndpointName
             subnetResourceId: createAvdVnet
               ? '${networking.outputs.virtualNetworkResourceId}/subnets/${varVnetPrivateEndpointSubnetName}'
               : existingVnetPrivateEndpointSubnetResourceId
             customNetworkInterfaceName: 'nic-01-${varWrklKvPrivateEndpointName}'
             service: 'vault'
-            privateDnsZoneGroupName: createPrivateDnsZones ? split(networking.outputs.keyVaultDnsZoneResourceId, '/')[8] : split(avdVnetPrivateDnsZoneKeyvaultId, '/')[8]
+            privateDnsZoneGroupName: createPrivateDnsZones
+              ? split(networking.outputs.keyVaultDnsZoneResourceId, '/')[8]
+              : split(avdVnetPrivateDnsZoneKeyvaultId, '/')[8]
             privateDnsZoneResourceIds: [
-                createPrivateDnsZones ? networking.outputs.keyVaultDnsZoneResourceId : avdVnetPrivateDnsZoneKeyvaultId
+              createPrivateDnsZones ? networking.outputs.keyVaultDnsZoneResourceId : avdVnetPrivateDnsZoneKeyvaultId
             ]
           }
-      ]
+        ]
       : []
     secrets: (avdIdentityServiceProvider != 'EntraID')
       ? [
@@ -1483,7 +1504,7 @@ module msixAzureFilesStorage './modules/storageAzureFiles/deploy.bicep' = if (va
 }
 
 // VMSS Flex
-module vmScaleSetFlex './modules/avdSessionHosts/.bicep/vmScaleSet.bicep' =  if (avdDeploySessionHosts && deployVmssFlex) {
+module vmScaleSetFlex './modules/avdSessionHosts/.bicep/vmScaleSet.bicep' = if (avdDeploySessionHosts && deployVmssFlex) {
   name: 'AVD-VMSS-Flex-${time}'
   scope: resourceGroup('${avdWorkloadSubsId}', '${varComputeObjectsRgName}')
   params: {

workload/bicep/modules/networking/deploy.bicep

@@ -103,6 +103,9 @@ param alaWorkspaceResourceId string
 @sys.description('Do not modify, used to set unique value for resource deployment')
 param time string = utcNow()
 
+@sys.description('Additional customer-provided static routes to be added to the route tables.')
+param customStaticRoutes array = []
+
 // =========== //
 // Variable declaration //
 // =========== //
@@ -153,7 +156,7 @@ var varWindowsActivationKMSPrefixesNsg = (varAzureCloudName == 'AzureCloud')
             ]
           : []
 // https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/windows/custom-routes-enable-kms-activation#solution
-var varStaticRoutes = (varAzureCloudName == 'AzureCloud')
+var varDefaultStaticRoutes = (varAzureCloudName == 'AzureCloud')
   ? [
       {
         name: 'AVDServiceTraffic'
@@ -283,6 +286,9 @@ var varStaticRoutes = (varAzureCloudName == 'AzureCloud')
               }
             ]
           : []
+
+var varStaticRoutes = union(varDefaultStaticRoutes, customStaticRoutes)
+
 var privateDnsZoneNames = {
   AutomationAgentService: 'privatelink.agentsvc.azure-automation.${privateDnsZoneSuffixes_AzureAutomation[environment().name]}'
   Automation: 'privatelink.azure-automation.${privateDnsZoneSuffixes_AzureAutomation[environment().name]}'