Azure · jaredfholgate · Dec 13, 2024 · Dec 2, 2024 · Dec 9, 2024 · Dec 9, 2024
diff --git a/DEVELOPER.md b/DEVELOPER.md
@@ -7,19 +7,24 @@ Make sure you install the same version as the one specified in the `.github/work
 
 ## Creating a local HTTP server
 
-To create a local HTTP server, if you have GNU make installed, run the following command:
+To create a local HTTP server, if you are on Linux and have GNU make installed, run the following command:
 
 ```bash
 make server
 ```
 
-Alternatively, you can run the following commands:
+Alternatively, you can run the following commands on Linux or Windows:
 
 ```bash
 cd docs
 hugo server
 ```
 
+```pwsh
+cd docs
+hugo server
+```
+
 The server will start and you can access the documentation at <http://localhost:1313/Azure-Landing-Zones/>.
 
 You can stop the server by pressing `Ctrl+C`.
diff --git a/docs/content/accelerator/_index.md b/docs/content/accelerator/_index.md
@@ -35,7 +35,7 @@ The accelerator follows a 3 phase approach:
 
 1. Pre-requisites: Instructions to configure credentials and subscriptions.
 2. Bootstrap: Run the PowerShell module to generate the continuous delivery environment.
-3. Run: Update the module (if needed) to suit the needs of your organisation and deploy via continuous delivery.
+3. Run: Update the module (if needed) to suit the needs of your organization and deploy via continuous delivery.
 
 {{< img name="overview" size="origin" lazy=true >}}
 
@@ -66,7 +66,7 @@ The components of the environment are similar, but differ depending on your choi
   - Environment for Apply
   - Action Variables for Backend and Plan / Apply
   - Team and Members for Apply Approval
-  - Customised OIDC Token Subject for governed Actions
+  - Customized OIDC Token Subject for governed Actions
   - [Optional] Runner Group
 
 ### Azure DevOps

diff --git a/docs/content/accelerator/startermodules/_index.md b/docs/content/accelerator/startermodules/_index.md
@@ -1,6 +1,6 @@
 ---
 title: Starter modules
-weight: 15
+weight: 10
 geekdocCollapseSection: true
 ---
 
@@ -11,8 +11,6 @@ These are called starter modules because the expectation is you'll update these
 Each starter module expects different inputs and the following pages detail those inputs. You'll be prompted for these inputs when you run the Accelerator PowerShell module.
 
 - [Bicep Complete Starter Module]({{< relref "bicepcomplete" >}}): Management groups, policies and hub networking.
-- [Terraform Basic Starter Module]({{< relref "terraformbasic" >}}): Management groups and policies.
-- [Terraform Hub Networking Starter Module]({{< relref "terraformhubnetworking" >}}): Management groups, policies and hub networking.
-- [Terraform Complete Starter Module]({{< relref "terraformcomplete" >}}): Management groups, policies, hub networking with fully custom configuration.
+- [Terraform Azure Verified Modules for Platform Landing Zone (ALZ)]({{< relref "terraform-platform-landing-zone" >}}): Management groups, policies, hub networking with fully custom configuration.
 - [Terraform FSI Starter Module]({{< relref "terraformfsi" >}}): Management groups, policies, hub networking and financial services industry (FSI) specific configurations.
 - [Terraform Sovereign Starter Module]({{< relref "terraformsovereign" >}}): Management groups, policies, hub networking and sovereign cloud specific configurations.
diff --git a/docs/content/accelerator/startermodules/bicepcomplete.md b/docs/content/accelerator/startermodules/bicepcomplete.md
@@ -1,5 +1,5 @@
 ---
-title: Bicep complete
+title: Bicep - Complete
 ---
 
 The `complete` starter module is currently the only option available for Bicep.

diff --git a/docs/content/accelerator/startermodules/terraform-platform-landing-zone/_index.md b/docs/content/accelerator/startermodules/terraform-platform-landing-zone/_index.md
diff --git a/...t/accelerator/startermodules/terraform-platform-landing-zone/management_only.md b/...t/accelerator/startermodules/terraform-platform-landing-zone/management_only.md
@@ -0,0 +1,29 @@
+---
+title: Scenario - Management Groups, Policy and Management Resources Only
+weight: 20
+---
+
+A platform landing zone deployment without any connectivity resources.
+
+* Example Platform landing zone configuration file: [management_only/management.tfvars](https://raw.githubusercontent.com/Azure/alz-terraform-accelerator/refs/heads/main/templates/platform_landing_zone/examples/management_only/management.tfvars)
+
+## Resources
+
+The following resources are deployed by default in this scenario:
+
+### Management
+
+#### Management Groups
+
+- Management Groups
+- Policy Definitions
+- Policy Set Definitions
+- Policy Assignments (not those related to connectivity)
+- Policy Assignment Role Assignments
+
+#### Management Resources
+
+- Log Analytics Workspace
+- Log Analytics Data Collection Rules for AMA
+- User Assigned Managed Identity for AMA
+- Automation Account
diff --git a/...rm-platform-landing-zone/multi-region-hub-and-spoke-vnet-with-azure-firewall.md b/...rm-platform-landing-zone/multi-region-hub-and-spoke-vnet-with-azure-firewall.md
@@ -0,0 +1,86 @@
+---
+title: Scenario - Multi-Region Hub and Spoke Virtual Network with Azure Firewall
+weight: 5
+---
+
+A full platform landing zone deployment with hub and spoke Virtual Network connectivity using Azure Firewall in multiple regions.
+
+* Example Platform landing zone configuration file: [full-multi-region/hub-and-spoke-vnet.tfvars](https://raw.githubusercontent.com/Azure/alz-terraform-accelerator/refs/heads/main/templates/platform_landing_zone/examples/full-multi-region/hub-and-spoke-vnet.tfvars)
+
+## Resources
+
+The following resources are deployed by default in this scenario:
+
+### Management
+
+#### Management Groups
+
+- Management Groups
+- Policy Definitions
+- Policy Set Definitions
+- Policy Assignments
+- Policy Assignment Role Assignments
+
+#### Management Resources
+
+- Log Analytics Workspace
+- Log Analytics Data Collection Rules for AMA
+- User Assigned Managed Identity for AMA
+- Automation Account
+
+### Connectivity
+
+#### Azure DDOS Protection Plan
+
+- DDOS Protection Plan
+
+#### Azure Virtual Networks
+
+- Hub virtual networks in each region
+- Hub virtual network peering
+- Subnets for Firewall, Gateway, Bastion, and Private DNS Resolver in each region
+- Azure Route table for Firewall per region
+- Azure Route table for other subnets and spokes per region
+
+#### Azure Firewall
+
+- Azure Firewall per region
+- Azure Firewall public IP per region
+- Azure Firewall policy per region
+
+#### Azure Bastion
+
+- Azure Bastion per region
+- Azure Bastion public ip per region
+
+#### Azure Private DNS
+
+- Azure Private DNS Resolver per region
+- Azure non-regional Private Link Private DNS zones in primary region
+- Azure regional Private Link Private DNS zones per region
+- Azure Virtual Machine auto-registration Private DNS zone per region
+- Azure Private Link DNS zone virtual network links per region
+
+#### Azure Virtual Network Gateways
+
+- Azure ExpressRoute Virtual Network Gateway per region
+- Azure VPN Virtual Network Gateway per region
+
+## Configuration
+
+The following relevant configuration is applied:
+
+### Azure DNS
+
+Private DNS is configured ready for using Private Link and Virtual Machine Auto-registration. Spoke Virtual Networks should use the Azure Firewall IP Address in the same region as their DNS configuration.
+
+- Azure Firewall is configured as DNS proxy
+- Azure Firewall forwards DNS traffic to the Private DNS resolver
+- Azure Private DNS Resolver has an inbound endpoint from the hub network
+- Azure Private Link DNS zones are linked to the all hub Virtual Networks
+
+### Azure Routing
+
+Route tables are pre-configured for spoke virtual networks in each region. Assign the user subnet route table to any subnets created in spokes.
+
+- Azure Firewall in relevant region as next hop in Route Table
diff --git a/...les/terraform-platform-landing-zone/multi-region-hub-and-spoke-vnet-with-nva.md b/...les/terraform-platform-landing-zone/multi-region-hub-and-spoke-vnet-with-nva.md
@@ -0,0 +1,80 @@
+---
+title: Scenario - Multi-Region Hub and Spoke Virtual Network with Network Virtual Appliance (NVA)
+weight: 7
+---
+
+A full platform landing zone deployment with hub and spoke Virtual Network connectivity in multiple regions, ready for a third party Network Virtual Appliance (NVA).
+
+* Example platform landing zone configuration file: [full-multi-region-nva/virtual-wan.tfvars](https://raw.githubusercontent.com/Azure/alz-terraform-accelerator/refs/heads/main/templates/platform_landing_zone/examples/full-multi-region-nva/virtual-wan.tfvars)
+
+## Resources
+
+The following resources are deployed by default in this scenario:
+
+### Management
+
+#### Management Groups
+
+- Management Groups
+- Policy Definitions
+- Policy Set Definitions
+- Policy Assignments
+- Policy Assignment Role Assignments
+
+#### Management Resources
+
+- Log Analytics Workspace
+- Log Analytics Data Collection Rules for AMA
+- User Assigned Managed Identity for AMA
+- Automation Account
+
+### Connectivity
+
+#### Azure DDOS Protection Plan
+
+- DDOS Protection Plan
+
+#### Azure Virtual Networks
+
+- Hub virtual networks in each region
+- Hub virtual network peering
+- Subnets for Network Virtual Appliance, Gateway, Bastion, and Private DNS Resolver in each region
+- Azure Route table for Network Virtual Appliance per region
+- Azure Route table for other subnets and spokes per region
+
+#### Azure Bastion
+
+- Azure Bastion per region
+- Azure Bastion public ip per region
+
+#### Azure Private DNS
+
+- Azure Private DNS Resolver per region
+- Azure non-regional Private Link Private DNS zones in primary region
+- Azure regional Private Link Private DNS zones per region
+- Azure Virtual Machine auto-registration Private DNS zone per region
+- Azure Private Link DNS zone virtual network links per region
+
+#### Azure Virtual Network Gateways
+
+- Azure ExpressRoute Virtual Network Gateway per region
+- Azure VPN Virtual Network Gateway per region
+
+## Configuration
+
+The following relevant configuration is applied:
+
+### Azure DNS
+
+Private DNS is configured ready for using Private Link and Virtual Machine Auto-registration. Spoke Virtual Networks should use the Network Virtual Appliance IP Address in the same region as their DNS configuration.
+
+- Network Virtual Appliance should be configured as DNS proxy
+- Network Virtual Appliance should be forward DNS traffic to the Private DNS resolver
+- Azure Private DNS Resolver has an inbound endpoint from the hub network
+- Azure Private Link DNS zones are linked to the all hub Virtual Networks
+
+### Azure Routing
+
+Route tables are pre-configured for spoke virtual networks in each region. Assign the user subnet route table to any subnets created in spokes.
+
+- Network Virtual Appliance in relevant region as next hop in Route Table
diff --git a/...terraform-platform-landing-zone/multi-region-virtual-wan-with-azure-firewall.md b/...terraform-platform-landing-zone/multi-region-virtual-wan-with-azure-firewall.md
@@ -0,0 +1,83 @@
+---
+title: Scenario - Multi-Region Virtual WAN with Azure Firewall
+weight: 6
+---
+
+A full platform landing zone deployment with Virtual WAN network connectivity using Azure Firewall in multiple regions.
+
+* Example platform landing zone configuration file: [full-multi-region/virtual-wan.tfvars](https://raw.githubusercontent.com/Azure/alz-terraform-accelerator/refs/heads/main/templates/platform_landing_zone/examples/full-multi-region/virtual-wan.tfvars)
+
+## Resources
+
+The following resources are deployed by default in this scenario:
+
+### Management
+
+#### Management Groups
+
+- Management Groups
+- Policy Definitions
+- Policy Set Definitions
+- Policy Assignments
+- Policy Assignment Role Assignments
+
+#### Management Resources
+
+- Log Analytics Workspace
+- Log Analytics Data Collection Rules for AMA
+- User Assigned Managed Identity for AMA
+- Automation Account
+
+### Connectivity
+
+#### Azure DDOS Protection Plan
+
+- DDOS Protection Plan
+
+#### Azure Virtual WAN
+
+- Virtual WAN homed in the primary region
+- Virtual Hubs in each region
+
+#### Azure Virtual Networks
+
+- Sidecar Virtual Networks
+- Sidecar to Virtual Hub peering
+- Subnets for Bastion, and Private DNS Resolver in each region
+
+#### Azure Firewall
+
+- Azure Firewall per region
+- Azure Firewall public IP per region
+- Azure Firewall policy per region
+
+#### Azure Bastion
+
+- Azure Bastion per region
+- Azure Bastion public ip per region
+
+#### Azure Private DNS
+
+- Azure Private DNS Resolver per region
+- Azure non-regional Private Link Private DNS zones in primary region
+- Azure regional Private Link Private DNS zones per region
+- Azure Virtual Machine auto-registration Private DNS zone per region
+- Azure Private Link DNS zone virtual network links per region
+
+#### Azure Virtual Network Gateways
+
+- Azure ExpressRoute Virtual Network Gateway per region
+- Azure VPN Virtual Network Gateway per region
+
+## Configuration
+
+The following relevant configuration is applied:
+
+### Azure DNS
+
+Private DNS is configured ready for using Private Link and Virtual Machine Auto-registration. Spoke Virtual Networks should use the Azure Firewall IP Address in the same region as their DNS configuration.
+
+- Azure Firewall is configured as DNS proxy
+- Azure Firewall forwards DNS traffic to the Private DNS resolver
+- Azure Private DNS Resolver has an inbound endpoint from the sidecar network
+- Azure Private Link DNS zones are linked to the all hub sidecar Virtual Networks