Move Dev Environment VPN to Enable Connection to RP and Cluster Private IPs Simultaneously (#2238)

* feat: dev environment vpn now peered to rp and dev vnets * update address ranges (#8) Signed-off-by: Karan <kmagdani@redhat.com> * feat: updated cidr range for dev-vnet Signed-off-by: Karan <kmagdani@redhat.com> Co-authored-by: Karan Magdani <kmagdani@redhat.com>
2022-08-10 11:36:51 -06:00 · 2022-08-10 11:36:51 -06:00 · e5453d7718
--- a/pkg/deploy/assets/env-development.json
+++ b/pkg/deploy/assets/env-development.json
@ -59,23 +59,16 @@
            "name": "dev-vpn-pip",
            "type": "Microsoft.Network/publicIPAddresses",
            "location": "[resourceGroup().location]",
-            "condition": "[equals(parameters('ciCapacity'), 0)]",
            "apiVersion": "2020-08-01"
        },
        {
            "properties": {
                "addressSpace": {
                    "addressPrefixes": [
-                        "10.0.0.0/9"
+                        "10.0.0.0/16"
                    ]
                },
                "subnets": [
-                    {
-                        "properties": {
-                            "addressPrefix": "10.0.0.0/24"
-                        },
-                        "name": "GatewaySubnet"
-                    },
                    {
                        "properties": {
                            "addressPrefix": "10.0.1.0/24",
@ -93,13 +86,34 @@
            "location": "[resourceGroup().location]",
            "apiVersion": "2020-08-01"
        },
+        {
+            "properties": {
+                "addressSpace": {
+                    "addressPrefixes": [
+                        "10.2.0.0/24"
+                    ]
+                },
+                "subnets": [
+                    {
+                        "properties": {
+                            "addressPrefix": "10.2.0.0/24"
+                        },
+                        "name": "GatewaySubnet"
+                    }
+                ]
+            },
+            "name": "dev-vpn-vnet",
+            "type": "Microsoft.Network/virtualNetworks",
+            "location": "[resourceGroup().location]",
+            "apiVersion": "2020-08-01"
+        },
        {
            "properties": {
                "ipConfigurations": [
                    {
                        "properties": {
                            "subnet": {
-                                "id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', 'dev-vnet', 'GatewaySubnet')]"
+                                "id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', 'dev-vpn-vnet', 'GatewaySubnet')]"
                            },
                            "publicIPAddress": {
                                "id": "[resourceId('Microsoft.Network/publicIPAddresses', 'dev-vpn-pip')]"
@ -135,11 +149,10 @@
            "name": "dev-vpn",
            "type": "Microsoft.Network/virtualNetworkGateways",
            "location": "[resourceGroup().location]",
-            "condition": "[equals(parameters('ciCapacity'), 0)]",
            "apiVersion": "2020-08-01",
            "dependsOn": [
                "[resourceId('Microsoft.Network/publicIPAddresses', 'dev-vpn-pip')]",
-                "[resourceId('Microsoft.Network/virtualNetworks', 'dev-vnet')]"
+                "[resourceId('Microsoft.Network/virtualNetworks', 'dev-vpn-vnet')]"
            ]
        },
        {
@ -407,6 +420,84 @@
            "type": "Microsoft.Compute/virtualMachineScaleSets",
            "location": "[resourceGroup().location]",
            "apiVersion": "2020-12-01"
+        },
+        {
+            "properties": {
+                "allowVirtualNetworkAccess": true,
+                "allowForwardedTraffic": true,
+                "allowGatewayTransit": true,
+                "useRemoteGateways": false,
+                "remoteVirtualNetwork": {
+                    "id": "[resourceId('Microsoft.Network/virtualNetworks', 'dev-vnet')]"
+                }
+            },
+            "name": "dev-vpn-vnet/peering-dev-vnet",
+            "type": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings",
+            "apiVersion": "2020-08-01",
+            "dependsOn": [
+                "[resourceId('Microsoft.Network/virtualNetworks', 'dev-vnet')]",
+                "[resourceId('Microsoft.Network/virtualNetworks', 'dev-vpn-vnet')]",
+                "[resourceId('Microsoft.Network/virtualNetworkGateways', 'dev-vpn')]"
+            ],
+            "location": "[resourceGroup().location]"
+        },
+        {
+            "properties": {
+                "allowVirtualNetworkAccess": true,
+                "allowForwardedTraffic": true,
+                "allowGatewayTransit": false,
+                "useRemoteGateways": true,
+                "remoteVirtualNetwork": {
+                    "id": "[resourceId('Microsoft.Network/virtualNetworks', 'dev-vpn-vnet')]"
+                }
+            },
+            "name": "dev-vnet/peering-dev-vpn-vnet",
+            "type": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings",
+            "apiVersion": "2020-08-01",
+            "dependsOn": [
+                "[resourceId('Microsoft.Network/virtualNetworks', 'dev-vnet')]",
+                "[resourceId('Microsoft.Network/virtualNetworks', 'dev-vpn-vnet')]",
+                "[resourceId('Microsoft.Network/virtualNetworkGateways', 'dev-vpn')]"
+            ],
+            "location": "[resourceGroup().location]"
+        },
+        {
+            "properties": {
+                "allowVirtualNetworkAccess": true,
+                "allowForwardedTraffic": true,
+                "allowGatewayTransit": true,
+                "useRemoteGateways": false,
+                "remoteVirtualNetwork": {
+                    "id": "[resourceId('Microsoft.Network/virtualNetworks', 'rp-vnet')]"
+                }
+            },
+            "name": "dev-vpn-vnet/peering-rp-vnet",
+            "type": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings",
+            "apiVersion": "2020-08-01",
+            "dependsOn": [
+                "[resourceId('Microsoft.Network/virtualNetworks', 'dev-vpn-vnet')]",
+                "[resourceId('Microsoft.Network/virtualNetworkGateways', 'dev-vpn')]"
+            ],
+            "location": "[resourceGroup().location]"
+        },
+        {
+            "properties": {
+                "allowVirtualNetworkAccess": true,
+                "allowForwardedTraffic": true,
+                "allowGatewayTransit": false,
+                "useRemoteGateways": true,
+                "remoteVirtualNetwork": {
+                    "id": "[resourceId('Microsoft.Network/virtualNetworks', 'dev-vpn-vnet')]"
+                }
+            },
+            "name": "rp-vnet/peering-dev-vpn-vnet",
+            "type": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings",
+            "apiVersion": "2020-08-01",
+            "dependsOn": [
+                "[resourceId('Microsoft.Network/virtualNetworks', 'dev-vpn-vnet')]",
+                "[resourceId('Microsoft.Network/virtualNetworkGateways', 'dev-vpn')]"
+            ],
+            "location": "[resourceGroup().location]"
        }
    ]
 }
--- a/pkg/deploy/assets/rp-development-predeploy.json
+++ b/pkg/deploy/assets/rp-development-predeploy.json
@ -64,13 +64,13 @@
            "properties": {
                "addressSpace": {
                    "addressPrefixes": [
-                        "10.0.0.0/24"
+                        "10.1.0.0/24"
                    ]
                },
                "subnets": [
                    {
                        "properties": {
-                            "addressPrefix": "10.0.0.0/24",
+                            "addressPrefix": "10.1.0.0/24",
                            "networkSecurityGroup": {
                                "id": "[resourceId('Microsoft.Network/networkSecurityGroups', 'rp-nsg')]",
                                "tags": null
--- a/pkg/deploy/assets/rp-production-predeploy.json
+++ b/pkg/deploy/assets/rp-production-predeploy.json
@ -194,6 +194,12 @@
                                "tags": null
                            },
                            "serviceEndpoints": [
+                                {
+                                    "service": "Microsoft.Storage",
+                                    "locations": [
+                                        "*"
+                                    ]
+                                },
                                {
                                    "service": "Microsoft.KeyVault",
                                    "locations": [
@ -205,12 +211,6 @@
                                    "locations": [
                                        "*"
                                    ]
-                                },
-                                {
-                                    "service": "Microsoft.Storage",
-                                    "locations": [
-                                        "*"
-                                    ]
                                }
                            ]
                        },
--- a/pkg/deploy/generator/resources.go
+++ b/pkg/deploy/generator/resources.go
@ -113,14 +113,14 @@ func (g *generator) virtualNetwork(name, addressPrefix string, subnets *[]mgmtne

 // virtualNetworkPeering configures vnetA to peer with vnetB, two symmetrical
 // configurations have to be applied for a peering to work
-func (g *generator) virtualNetworkPeering(name, vnetB string) *arm.Resource {
+func (g *generator) virtualNetworkPeering(name, vnetB string, allowGatewayTransit, useRemoteGateways bool, dependsOn []string) *arm.Resource {
 	return &arm.Resource{
 		Resource: &mgmtnetwork.VirtualNetworkPeering{
 			VirtualNetworkPeeringPropertiesFormat: &mgmtnetwork.VirtualNetworkPeeringPropertiesFormat{
 				AllowVirtualNetworkAccess: to.BoolPtr(true),
 				AllowForwardedTraffic:     to.BoolPtr(true),
-				AllowGatewayTransit:       to.BoolPtr(false),
-				UseRemoteGateways:         to.BoolPtr(false),
+				AllowGatewayTransit:       to.BoolPtr(allowGatewayTransit),
+				UseRemoteGateways:         to.BoolPtr(useRemoteGateways),
 				RemoteVirtualNetwork: &mgmtnetwork.SubResource{
 					ID: &vnetB,
 				},
@ -130,6 +130,7 @@ func (g *generator) virtualNetworkPeering(name, vnetB string) *arm.Resource {
 		APIVersion: azureclient.APIVersion("Microsoft.Network"),
 		Type:       "Microsoft.Network/virtualNetworks/virtualNetworkPeerings",
 		Location:   "[resourceGroup().location]",
+		DependsOn:  dependsOn,
 	}
 }

--- a/pkg/deploy/generator/resources_dev.go
+++ b/pkg/deploy/generator/resources_dev.go
@ -212,19 +212,12 @@ func (g *generator) devVPNPip() *arm.Resource {
 			Type:     to.StringPtr("Microsoft.Network/publicIPAddresses"),
 			Location: to.StringPtr("[resourceGroup().location]"),
 		},
-		Condition:  "[equals(parameters('ciCapacity'), 0)]", // TODO(mj): Refactor g.conditionStanza for better usage
 		APIVersion: azureclient.APIVersion("Microsoft.Network"),
 	}
 }

 func (g *generator) devVnet() *arm.Resource {
-	return g.virtualNetwork("dev-vnet", "10.0.0.0/9", &[]mgmtnetwork.Subnet{
-		{
-			SubnetPropertiesFormat: &mgmtnetwork.SubnetPropertiesFormat{
-				AddressPrefix: to.StringPtr("10.0.0.0/24"),
-			},
-			Name: to.StringPtr("GatewaySubnet"),
-		},
+	return g.virtualNetwork("dev-vnet", "10.0.0.0/16", &[]mgmtnetwork.Subnet{
 		{
 			SubnetPropertiesFormat: &mgmtnetwork.SubnetPropertiesFormat{
 				AddressPrefix: to.StringPtr("10.0.1.0/24"),
@ -237,6 +230,17 @@ func (g *generator) devVnet() *arm.Resource {
 	}, nil, nil)
 }

+func (g *generator) devVPNVnet() *arm.Resource {
+	return g.virtualNetwork("dev-vpn-vnet", "10.2.0.0/24", &[]mgmtnetwork.Subnet{
+		{
+			SubnetPropertiesFormat: &mgmtnetwork.SubnetPropertiesFormat{
+				AddressPrefix: to.StringPtr("10.2.0.0/24"),
+			},
+			Name: to.StringPtr("GatewaySubnet"),
+		},
+	}, nil, nil)
+}
+
 func (g *generator) devVPN() *arm.Resource {
 	return &arm.Resource{
 		Resource: &mgmtnetwork.VirtualNetworkGateway{
@ -245,7 +249,7 @@ func (g *generator) devVPN() *arm.Resource {
 					{
 						VirtualNetworkGatewayIPConfigurationPropertiesFormat: &mgmtnetwork.VirtualNetworkGatewayIPConfigurationPropertiesFormat{
 							Subnet: &mgmtnetwork.SubResource{
-								ID: to.StringPtr("[resourceId('Microsoft.Network/virtualNetworks/subnets', 'dev-vnet', 'GatewaySubnet')]"),
+								ID: to.StringPtr("[resourceId('Microsoft.Network/virtualNetworks/subnets', 'dev-vpn-vnet', 'GatewaySubnet')]"),
 							},
 							PublicIPAddress: &mgmtnetwork.SubResource{
 								ID: to.StringPtr("[resourceId('Microsoft.Network/publicIPAddresses', 'dev-vpn-pip')]"),
@ -280,11 +284,10 @@ func (g *generator) devVPN() *arm.Resource {
 			Type:     to.StringPtr("Microsoft.Network/virtualNetworkGateways"),
 			Location: to.StringPtr("[resourceGroup().location]"),
 		},
-		Condition:  "[equals(parameters('ciCapacity'), 0)]", // TODO(mj): Refactor g.conditionStanza for better usage
 		APIVersion: azureclient.APIVersion("Microsoft.Network"),
 		DependsOn: []string{
 			"[resourceId('Microsoft.Network/publicIPAddresses', 'dev-vpn-pip')]",
-			"[resourceId('Microsoft.Network/virtualNetworks', 'dev-vnet')]",
+			"[resourceId('Microsoft.Network/virtualNetworks', 'dev-vpn-vnet')]",
 		},
 	}
 }
--- a/pkg/deploy/generator/resources_rp.go
+++ b/pkg/deploy/generator/resources_rp.go
@ -136,18 +136,29 @@ func (g *generator) rpPESecurityGroup() *arm.Resource {
 }

 func (g *generator) rpVnet() *arm.Resource {
+	addressPrefix := "10.1.0.0/24"
+	if g.production {
+		addressPrefix = "10.0.0.0/24"
+	}
+
 	subnet := mgmtnetwork.Subnet{
 		SubnetPropertiesFormat: &mgmtnetwork.SubnetPropertiesFormat{
-			AddressPrefix: to.StringPtr("10.0.0.0/24"),
+			AddressPrefix: to.StringPtr(addressPrefix),
 			NetworkSecurityGroup: &mgmtnetwork.SecurityGroup{
 				ID: to.StringPtr("[resourceId('Microsoft.Network/networkSecurityGroups', 'rp-nsg')]"),
 			},
+			ServiceEndpoints: &[]mgmtnetwork.ServiceEndpointPropertiesFormat{
+				{
+					Service:   to.StringPtr("Microsoft.Storage"),
+					Locations: &[]string{"*"},
+				},
+			},
 		},
 		Name: to.StringPtr("rp-subnet"),
 	}

 	if g.production {
-		subnet.ServiceEndpoints = &[]mgmtnetwork.ServiceEndpointPropertiesFormat{
+		*subnet.ServiceEndpoints = append(*subnet.ServiceEndpoints, []mgmtnetwork.ServiceEndpointPropertiesFormat{
 			{
 				Service:   to.StringPtr("Microsoft.KeyVault"),
 				Locations: &[]string{"*"},
@ -156,21 +167,10 @@ func (g *generator) rpVnet() *arm.Resource {
 				Service:   to.StringPtr("Microsoft.AzureCosmosDB"),
 				Locations: &[]string{"*"},
 			},
-			{
-				Service:   to.StringPtr("Microsoft.Storage"),
-				Locations: &[]string{"*"},
-			},
-		}
-	} else {
-		subnet.ServiceEndpoints = &[]mgmtnetwork.ServiceEndpointPropertiesFormat{
-			{
-				Service:   to.StringPtr("Microsoft.Storage"),
-				Locations: &[]string{"*"},
-			},
-		}
+		}...)
 	}

-	return g.virtualNetwork("rp-vnet", "10.0.0.0/24", &[]mgmtnetwork.Subnet{subnet}, nil, []string{"[resourceId('Microsoft.Network/networkSecurityGroups', 'rp-nsg')]"})
+	return g.virtualNetwork("rp-vnet", addressPrefix, &[]mgmtnetwork.Subnet{subnet}, nil, []string{"[resourceId('Microsoft.Network/networkSecurityGroups', 'rp-nsg')]"})
 }

 func (g *generator) rpPEVnet() *arm.Resource {
--- a/pkg/deploy/generator/templates_dev.go
+++ b/pkg/deploy/generator/templates_dev.go
@ -31,6 +31,7 @@ func (g *generator) devSharedTemplate() *arm.Template {
 	t.Resources = append(t.Resources,
 		g.devVPNPip(),
 		g.devVnet(),
+		g.devVPNVnet(),
 		g.devVPN(),
 		g.devCIPool(),
 		g.devDiskEncryptionKeyvault(),
@ -39,6 +40,46 @@ func (g *generator) devSharedTemplate() *arm.Template {
 		g.devDiskEncryptionSet(),
 		g.devProxyVMSS())

+	t.Resources = append(t.Resources,
+		g.virtualNetworkPeering("dev-vpn-vnet/peering-dev-vnet",
+			"[resourceId('Microsoft.Network/virtualNetworks', 'dev-vnet')]",
+			true,
+			false,
+			[]string{
+				"[resourceId('Microsoft.Network/virtualNetworks', 'dev-vnet')]",
+				"[resourceId('Microsoft.Network/virtualNetworks', 'dev-vpn-vnet')]",
+				"[resourceId('Microsoft.Network/virtualNetworkGateways', 'dev-vpn')]",
+			},
+		),
+		g.virtualNetworkPeering("dev-vnet/peering-dev-vpn-vnet",
+			"[resourceId('Microsoft.Network/virtualNetworks', 'dev-vpn-vnet')]",
+			false,
+			true,
+			[]string{
+				"[resourceId('Microsoft.Network/virtualNetworks', 'dev-vnet')]",
+				"[resourceId('Microsoft.Network/virtualNetworks', 'dev-vpn-vnet')]",
+				"[resourceId('Microsoft.Network/virtualNetworkGateways', 'dev-vpn')]",
+			},
+		),
+		g.virtualNetworkPeering("dev-vpn-vnet/peering-rp-vnet",
+			"[resourceId('Microsoft.Network/virtualNetworks', 'rp-vnet')]",
+			true,
+			false,
+			[]string{
+				"[resourceId('Microsoft.Network/virtualNetworks', 'dev-vpn-vnet')]",
+				"[resourceId('Microsoft.Network/virtualNetworkGateways', 'dev-vpn')]",
+			},
+		),
+		g.virtualNetworkPeering("rp-vnet/peering-dev-vpn-vnet",
+			"[resourceId('Microsoft.Network/virtualNetworks', 'dev-vpn-vnet')]",
+			false,
+			true,
+			[]string{
+				"[resourceId('Microsoft.Network/virtualNetworks', 'dev-vpn-vnet')]",
+				"[resourceId('Microsoft.Network/virtualNetworkGateways', 'dev-vpn')]",
+			},
+		))
+
 	for _, param := range []string{
 		"ciAzpToken",
 		"ciCapacity",
--- a/pkg/deploy/generator/templates_gateway.go
+++ b/pkg/deploy/generator/templates_gateway.go
@ -91,7 +91,7 @@ func (g *generator) gatewayTemplate() *arm.Template {
 	)

 	t.Resources = append(t.Resources,
-		g.virtualNetworkPeering("gateway-vnet/peering-rp-vnet", "[resourceId(parameters('rpResourceGroupName'), 'Microsoft.Network/virtualNetworks', 'rp-vnet')]"),
+		g.virtualNetworkPeering("gateway-vnet/peering-rp-vnet", "[resourceId(parameters('rpResourceGroupName'), 'Microsoft.Network/virtualNetworks', 'rp-vnet')]", false, false, nil),
 	)

 	t.Resources = append(t.Resources, g.gatewayRBAC()...)
--- a/pkg/deploy/generator/templates_rp.go
+++ b/pkg/deploy/generator/templates_rp.go
@ -55,6 +55,7 @@ func (g *generator) rpTemplate() *arm.Template {
 			"gatewayDomains",
 			"gatewayResourceGroupName",
 			"gatewayServicePrincipalId",
+			"ipRules",
 			"mdmFrontendUrl",
 			"mdsdEnvironment",
 			"nonZonalRegions",
@ -138,13 +139,13 @@ func (g *generator) rpTemplate() *arm.Template {
 		t.Resources = append(t.Resources, g.rpBillingContributorRbac()...)

 		t.Resources = append(t.Resources,
-			g.virtualNetworkPeering("rp-vnet/peering-gateway-vnet", "[resourceId(parameters('gatewayResourceGroupName'), 'Microsoft.Network/virtualNetworks', 'gateway-vnet')]"),
+			g.virtualNetworkPeering("rp-vnet/peering-gateway-vnet", "[resourceId(parameters('gatewayResourceGroupName'), 'Microsoft.Network/virtualNetworks', 'gateway-vnet')]", false, false, nil),
 		)
 	}

 	t.Resources = append(t.Resources, g.rpDNSZone(),
-		g.virtualNetworkPeering("rp-vnet/peering-rp-pe-vnet-001", "[resourceId('Microsoft.Network/virtualNetworks', 'rp-pe-vnet-001')]"),
-		g.virtualNetworkPeering("rp-pe-vnet-001/peering-rp-vnet", "[resourceId('Microsoft.Network/virtualNetworks', 'rp-vnet')]"))
+		g.virtualNetworkPeering("rp-vnet/peering-rp-pe-vnet-001", "[resourceId('Microsoft.Network/virtualNetworks', 'rp-pe-vnet-001')]", false, false, nil),
+		g.virtualNetworkPeering("rp-pe-vnet-001/peering-rp-vnet", "[resourceId('Microsoft.Network/virtualNetworks', 'rp-vnet')]", false, false, nil))
 	t.Resources = append(t.Resources, g.rpCosmosDB()...)
 	t.Resources = append(t.Resources, g.rpRBAC()...)