updated network, added firewall, removed vm forwar

Marvin Buss 2020-09-11 18:12:44 +02:00
Родитель d34a0fea23
Коммит c297299f0f
8 изменённых файлов: 178 добавлений и 467 удалений


@ -57,6 +57,24 @@ stages:
csmParametersFile: 'infra/VirtualNetwork/params.vnet.json'
deploymentMode: 'Validation'
# Deploy firewall - validation
- task: AzureResourceManagerTemplateDeployment@3
name: firewall_validation
displayName: Deploy firewall - validation
enabled: true
continueOnError: false
inputs:
deploymentScope: 'Resource Group'
azureResourceManagerConnection: '$(AZURE_RESOURCE_MANAGER_CONNECTION_NAME)'
subscriptionId: '$(AZURE_SUBSCRIPTION_ID)'
action: 'Create Or Update Resource Group'
resourceGroupName: '$(AZURE_RESOURCE_GROUP_NAME_NETWORK)'
location: '$(AZURE_LOCATION)'
templateLocation: 'Linked artifact'
csmFile: 'infra/Firewall/deploy.firewall.json'
csmParametersFile: 'infra/Firewall/params.firewall.json'
deploymentMode: 'Validation'
# Deploy private DNS zone for blob storage - validation
- task: AzureResourceManagerTemplateDeployment@3
name: private_dns_blob_validation
@ -313,6 +331,24 @@ stages:
csmParametersFile: 'infra/VirtualNetwork/params.vnet.json'
deploymentMode: 'Incremental'
# Deploy firewall
- task: AzureResourceManagerTemplateDeployment@3
name: firewall_deployment
displayName: Deploy firewall
enabled: true
continueOnError: false
inputs:
deploymentScope: 'Resource Group'
azureResourceManagerConnection: '$(AZURE_RESOURCE_MANAGER_CONNECTION_NAME)'
subscriptionId: '$(AZURE_SUBSCRIPTION_ID)'
action: 'Create Or Update Resource Group'
resourceGroupName: '$(AZURE_RESOURCE_GROUP_NAME_NETWORK)'
location: '$(AZURE_LOCATION)'
templateLocation: 'Linked artifact'
csmFile: 'infra/Firewall/deploy.firewall.json'
csmParametersFile: 'infra/Firewall/params.firewall.json'
deploymentMode: 'Incremental'
# Deploy private DNS zone for blob storage
- task: AzureResourceManagerTemplateDeployment@3
name: private_dns_blob_deployment

.github/workflows/networkDeployment.yml поставляемый

@ -89,6 +89,20 @@ jobs:
--template-file $GITHUB_WORKSPACE/infra/VirtualNetwork/deploy.vnet.json \
--parameters $GITHUB_WORKSPACE/infra/VirtualNetwork/params.vnet.json
# Deploy firewall - validation
- name: Deploy firewall - validation
id: firewall_validation
uses: azure/cli@v1
with:
azcliversion: latest
inlineScript: |
echo "Creating deployment in resource group"
az deployment group validate \
--mode Incremental \
--resource-group ${{ env.AZURE_RESOURCE_GROUP_NAME_NETWORK }} \
--template-file $GITHUB_WORKSPACE/infra/Firewall/deploy.firewall.json \
--parameters $GITHUB_WORKSPACE/infra/Firewall/params.firewall.json
# Deploy private DNS zone for blob storage - validation
- name: Deploy private DNS zone for blob storage - validation
id: private_dns_blob_storage_validation
@ -299,6 +313,20 @@ jobs:
--template-file $GITHUB_WORKSPACE/infra/VirtualNetwork/deploy.vnet.json \
--parameters $GITHUB_WORKSPACE/infra/VirtualNetwork/params.vnet.json
# Deploy firewall
- name: Deploy firewall
id: firewall_deplyoment
uses: azure/cli@v1
with:
azcliversion: latest
inlineScript: |
echo "Creating deployment in resource group"
az deployment group create \
--mode Incremental \
--resource-group ${{ env.AZURE_RESOURCE_GROUP_NAME_NETWORK }} \
--template-file $GITHUB_WORKSPACE/infra/Firewall/deploy.firewall.json \
--parameters $GITHUB_WORKSPACE/infra/Firewall/params.firewall.json
# Deploys private DNS zone for blob storage
- name: Deploy private DNS zone for blob storage
id: private_dns_blob_storage_deplyoment
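Review bot: The step id added at `id: firewall_deplyoment` in the second hunk is misspelled; step ids are the handle later steps use in `steps.<id>` expressions, so the typo would have to be repeated wherever the step is referenced. The validation step in the first hunk uses the clean `firewall_validation`, so `id: firewall_deployment` keeps the pair consistent. The neighbouring context line `private_dns_blob_storage_deplyoment` carries the same misspelling but is not part of this change. Both hunks sit inside the `jobs:` steps list, which starts and ends outside the hunks.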


@ -1,369 +0,0 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Specifies the location for all resources."
}
},
"vmssName": {
"type": "string",
"metadata": {
"description": "Specifies the name of the virtual machine scale set."
}
},
"vmssSkuTier": {
"type": "string",
"allowedValues": [
"Standard",
"Basic"
],
"defaultValue": "Standard",
"metadata": {
"description": "Specifies the SKU tier of the virtual machine scale set."
}
},
"vmssSkuName": {
"type": "string",
"metadata": {
"description": "Specifies the SKU name of the virtual machine scale set."
}
},
"vmssAdminUsername": {
"type": "string",
"metadata": {
"description": "Specifies the admin username of the virtual machine scale set."
}
},
"vmssAdminKey": {
"type": "securestring",
"metadata": {
"description": "Specifies the admin ssh key of the virtual machine scale set."
}
},
"storageAccountContainerId": {
"type": "string",
"metadata": {
"description": "Specifies the resource id of an existing storage account."
}
},
"storageAccountKey": {
"type": "string",
"metadata": {
"description": "Specifies the ID of the existing storage account where the powershell script is stored."
}
},
"subnetId": {
"type": "string",
"metadata": {
"description": "Specifies the resource Id of the subnet to which the virtual machine should connect."
}
}
},
"variables": {
"location": "[parameters('location')]",
"vmssName": "[parameters('vmssName')]",
"vmssSkuTier": "[parameters('vmssSkuTier')]",
"vmssSkuName": "[parameters('vmssSkuName')]",
"vmssAdminUsername": "[parameters('vmssAdminUsername')]",
"vmssAdminKey": "[parameters('vmssAdminKey')]",
"storageAccountContainerId": "[parameters('storageAccountContainerId')]",
"storageAccountName": "[split(variables('storageAccountContainerId'), '/')[8]]",
"storageAccountContainerName": "[last(split(variables('storageAccountContainerId'), '/'))]",
"storageAccountKey": "[parameters('storageAccountKey')]",
"subnetId": "[parameters('subnetId')]"
},
"resources": [
{
"name": "[concat(variables('vmssName'), '-nsg')]",
"type": "Microsoft.Network/networkSecurityGroups",
"apiVersion": "2020-05-01",
"location": "[variables('location')]",
"properties": {
"securityRules": [
{
"name": "AllowSSH",
"properties": {
"access": "Allow",
"direction": "Inbound",
"priority": 1000,
"protocol": "Tcp",
"sourceAddressPrefix": "*",
"sourcePortRange": "*",
"destinationAddressPrefix": "*",
"destinationPortRange": "22"
}
},
{
"name": "AllowHTTPInBound",
"properties": {
"priority": 1010,
"access": "Allow",
"direction": "Inbound",
"destinationPortRange": "80",
"protocol": "Tcp",
"sourcePortRange": "*",
"sourceAddressPrefix": "*",
"destinationAddressPrefix": "*"
}
}
]
}
},
{
"name": "[concat(variables('vmssName'), '-publicip')]",
"type": "Microsoft.Network/publicIPAddresses",
"apiVersion": "2020-05-01",
"location": "[variables('location')]",
"sku": {
"name": "Standard"
},
"properties": {
"publicIPAllocationMethod": "Static",
"publicIPAddressVersion": "IPv4",
"dnsSettings": {
"domainNameLabel": "[toLower(variables('vmssName'))]"
},
// "ddosSettings": {
// "protectionCoverage": "Standard",
// "protectedIP": true
// },
"ipTags": []
}
},
{
"name": "[concat(variables('vmssName'), '-lb')]",
"type": "Microsoft.Network/loadBalancers",
"apiVersion": "2020-05-01",
"location": "[variables('location')]",
"dependsOn": [
"[resourceId('Microsoft.Network/publicIPAddresses', concat(variables('vmssName'), '-publicip'))]"
],
"sku": {
"name": "Standard"
},
"properties": {
"frontendIPConfigurations": [
{
"name": "loadBalancerFrontEnd",
"properties": {
"publicIPAddress": {
"id": "[resourceId('Microsoft.Network/publicIPAddresses', concat(variables('vmssName'), '-publicip'))]"
}
}
}
],
"backendAddressPools": [
{
"name": "[concat(variables('vmssName'), '-backendPool')]"
}
],
"inboundNatPools": [
{
"name": "[concat(variables('vmssName'), '-natPool')]",
"properties": {
"frontendIPConfiguration": {
"id": "[resourceId('Microsoft.Network/loadBalancers/frontendIPConfigurations', concat(variables('vmssName'), '-lb'), 'loadBalancerFrontEnd')]"
},
"protocol": "Tcp",
"frontendPortRangeStart": 50000,
"frontendPortRangeEnd": 50099,
"backendPort": 22,
"idleTimeoutInMinutes": 4
}
}
],
"loadBalancingRules": [
{
"name": "roundRobinLBRule",
"properties": {
"frontendIPConfiguration": {
"id": "[resourceId('Microsoft.Network/loadBalancers/frontendIPConfigurations', concat(variables('vmssName'), '-lb'), 'loadBalancerFrontEnd')]"
},
"backendAddressPool": {
"id": "[resourceId('Microsoft.Network/loadBalancers/backendAddressPools', concat(variables('vmssName'), '-lb'), concat(variables('vmssName'), '-backendPool'))]"
},
"protocol": "Udp",
"frontendPort": 53,
"backendPort": 53,
"enableFloatingIP": false,
"probe": {
"id": "[resourceId('Microsoft.Network/loadBalancers/probes', concat(variables('vmssName'), '-lb'), concat(variables('vmssName'), '-probe'))]"
}
}
}
],
"probes": [
{
"name": "[concat(variables('vmssName'), '-probe')]",
"properties": {
"protocol": "Tcp",
"port": 22,
"intervalInSeconds": 5,
"numberOfProbes": 2
}
}
]
}
},
{
"name": "[variables('vmssName')]",
"type": "Microsoft.Compute/virtualMachineScaleSets",
"apiVersion": "2019-07-01",
"location": "[variables('location')]",
"dependsOn": [
"[resourceId('Microsoft.Network/loadBalancers', concat(variables('vmssName'), '-lb'))]",
"[resourceId('Microsoft.Network/networkSecurityGroups', concat(variables('vmssName'), '-nsg'))]"
],
"identity": {
"type": "SystemAssigned"
},
"sku": {
"name": "[variables('vmssSkuName')]",
"tier": "[variables('vmssSkuTier')]",
"capacity": 1
},
"zones": [
"1",
"2"
],
"properties": {
"additionalCapabilities": {},
"automaticRepairsPolicy": {},
"doNotRunExtensionsOnOverprovisionedVMs": true,
"overprovision": true,
"platformFaultDomainCount": 1,
"zoneBalance": true,
"scaleInPolicy": {
"rules": [
"Default"
]
},
"singlePlacementGroup": false,
"upgradePolicy": {
"mode": "Manual" // Maybe set to Automatic
},
"virtualMachineProfile": {
"priority": "Regular",
"osProfile": {
"computerNamePrefix": "[take(variables('vmssName'), 9)]",
"adminUsername": "[variables('vmssAdminUsername')]",
"linuxConfiguration": {
"disablePasswordAuthentication": true,
"ssh": {
"publicKeys": [
{
"path": "[concat('/home/', variables('vmssAdminUsername'), '/.ssh/authorized_keys')]",
"keyData": "[variables('vmssAdminKey')]"
}
]
}
}
},
"networkProfile": {
"networkInterfaceConfigurations": [
{
"name": "[concat(variables('vmssName'), '-nic')]",
"properties": {
"primary": true,
"enableAcceleratedNetworking": false,
"networkSecurityGroup": {
"id": "[resourceId('Microsoft.Network/networkSecurityGroups', concat(variables('vmssName'), '-nsg'))]"
},
"dnsSettings": {},
"enableIPForwarding": false,
"ipConfigurations": [
{
"name": "[concat(variables('vmssName'), '-ipConfig')]",
"properties": {
"primary": true,
"privateIPAddressVersion": "IPv4",
"subnet": {
"id": "[variables('subnetId')]"
},
"loadBalancerBackendAddressPools": [
{
"id": "[resourceId('Microsoft.Network/loadBalancers/backendAddressPools', concat(variables('vmssName'), '-lb'), concat(variables('vmssName'), '-backendPool'))]"
}
],
"loadBalancerInboundNatPools": [
{
"id": "[resourceId('Microsoft.Network/loadBalancers/inboundNatPools', concat(variables('vmssName'), '-lb'), concat(variables('vmssName'), '-natPool'))]"
}
]
}
}
]
}
}
]
},
"storageProfile": {
"osDisk": {
"createOption": "FromImage",
"caching": "ReadWrite"
},
"imageReference": {
"publisher": "Canonical",
"offer": "UbuntuServer",
"sku": "18.04-LTS",
"version": "latest"
}
},
"extensionProfile": {
"extensions": [
{
"type": "Microsoft.Compute/virtualMachines/extensions",
"name": "[concat(parameters('vmssName'),'-LinuxCustomScriptExtension')]",
"properties": {
"publisher": "Microsoft.OSTCExtensions",
"type": "CustomScriptForLinux",
"typeHandlerVersion": "1.3",
"autoUpgradeMinorVersion": true,
"settings": {
"fileUris": [
"[concat('https://', variables('storageAccountName'), '.blob.core.windows.net/', variables('storageAccountContainerName'), '/forwarderSetup_new.sh')]"
]
},
"protectedSettings": {
"commandToExecute": "sh forwarderSetup_new.sh",
"storageAccountName": "[variables('storageAccountName')]",
"storageAccountKey": "[variables('storageAccountKey')]"
}
}
}
]
}
}
}
}
// {
// "name": "[concat(variables('vmssName'), '/' , 'setupscript')]",
// "type": "Microsoft.Compute/virtualMachineScaleSets/extensions",
// "apiVersion": "2019-07-01",
// "location": "[variables('location')]",
// "dependsOn": [
// "[resourceId('Microsoft.Compute/virtualMachineScaleSets', variables('vmssName'))]"
// ],
// "properties": {
// "publisher": "Microsoft.OSTCExtensions",
// "type": "CustomScriptForLinux",
// "typeHandlerVersion": "1.3",
// "autoUpgradeMinorVersion": true,
// "settings": {
// "fileUris": [
// "[concat('https://', variables('storageAccountName'), '.blob.core.windows.net/', variables('storageAccountContainerName'), '/forwarderSetup_new.sh')]"
// ]
// },
// "protectedSettings": {
// "commandToExecute": "bash forwarderSetup_new.sh",
// "storageAccountName": "[variables('storageAccountName')]",
// "storageAccountKey": "[variables('storageAccountKey')]"
// }
// }
// }
]
}


@ -1,50 +0,0 @@
#!/bin/bash
# The MIT License (MIT)
#
# Copyright (c) 2015 Microsoft Azure
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in all
# copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.
apt-get update -y && apt-get upgrade -y
apt-get install -y nginx
echo "Hello World from host" $HOSTNAME "!" | sudo tee -a /var/www/html/index.html
touch /etc/nginx/nginx.conf
cat >> /etc/nginx/nginx.conf <<EOF
stream {
upstream dns_servers {
server 168.63.129.16:53;
}
server {
listen x.x.x.x:53 udp;
listen x.x.x.x:53; #tcp
proxy_pass dns_servers;
proxy_responses 1;
error_log /var/log/nginx/dns.log info;
}
}
EOF
myip=`hostname -i`
sed -i "s/x.x.x.x/$myip/" /etc/nginx/nginx.conf
sudo nginx -t && sudo service nginx reload


@ -1,48 +0,0 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"location": {
"value": "northeurope"
},
"vmssName": {
"value": "dhdnsproxy"
},
"vmssSkuTier": {
"value": "Standard"
},
"vmssSkuName": {
"value": "Standard_A1_v2"
},
"vmssAdminUsername": {
"reference": {
"keyVault": {
"id": "/subscriptions/feab2d15-66b4-438b-accf-51f889b30ec3/resourceGroups/dh-mgmt/providers/Microsoft.KeyVault/vaults/dh-keyvault001"
},
"secretName": "vmssAdminUsername"
}
},
"vmssAdminKey": {
"reference": {
"keyVault": {
"id": "/subscriptions/feab2d15-66b4-438b-accf-51f889b30ec3/resourceGroups/dh-mgmt/providers/Microsoft.KeyVault/vaults/dh-keyvault001"
},
"secretName": "vmAdminKey"
}
},
"storageAccountContainerId": {
"value": "/subscriptions/feab2d15-66b4-438b-accf-51f889b30ec3/resourceGroups/dh-mgmt/providers/Microsoft.Storage/storageAccounts/dhshirsa/blobServices/default/containers/shir"
},
"storageAccountKey": {
"reference": {
"keyVault": {
"id": "/subscriptions/feab2d15-66b4-438b-accf-51f889b30ec3/resourceGroups/dh-mgmt/providers/Microsoft.KeyVault/vaults/dh-keyvault001"
},
"secretName": "storageAccountKey"
}
},
"subnetId": {
"value": "/subscriptions/feab2d15-66b4-438b-accf-51f889b30ec3/resourceGroups/dh-network/providers/Microsoft.Network/virtualNetworks/dh-vnet/subnets/dh-testproxy-subnet"
}
}
}


@ -0,0 +1,90 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Specifies the location for all resources."
}
},
"firewallName": {
"type": "string",
"metadata": {
"description": "Specifies the name of the firewall."
}
},
"subnetId": {
"type": "string",
"metadata": {
"description": "Specifies the id of the subnet which the private endpoint uses."
}
}
},
"functions": [],
"variables": {
"location": "[parameters('location')]",
"firewallName": "[parameters('firewallName')]",
"publicIpName": "[concat(variables('firewallName'), '-publicip')]",
"subnetId": "[parameters('subnetId')]"
},
"resources": [
{
"type": "Microsoft.Network/publicIPAddresses",
"apiVersion": "2020-05-01",
"name": "[variables('publicIpName')]",
"location": "[variables('location')]",
"sku": {
"name": "Standard"
},
"properties": {
"publicIPAllocationMethod": "Static",
"dnsSettings": {
"domainNameLabel": "[variables('firewallName')]"
}
}
},
{
"type": "Microsoft.Network/azureFirewalls",
"apiVersion": "2020-05-01",
"name": "[variables('firewallName')]",
"dependsOn": [
"[resourceId('Microsoft.Network/publicIPAddresses', variables('publicIpName'))]"
],
"location": "[variables('location')]",
// "zones": [
// "1",
// "2",
// "3"
// ],
"properties": {
"sku": {
"name": "AZFW_VNet",
"tier": "Standard"
},
"threatIntelMode": "Alert",
"additionalProperties": {
"Network.DNS.EnableProxy": "true"
},
"applicationRuleCollections": [],
"natRuleCollections": [],
"networkRuleCollections": [],
"ipConfigurations": [
{
"name": "ipConfigName",
"properties": {
"subnet": {
"id": "[variables('subnetId')]"
},
"publicIPAddress": {
"id": "[resourceId('Microsoft.Network/publicIPAddresses', variables('publicIpName'))]"
}
}
}
]
}
}
],
"outputs": {}
}
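Review bot: The `subnetId` parameter description in the new template ("the subnet which the private endpoint uses") looks copy-pasted from another template; the value feeds the firewall's `ipConfigurations`, and Azure Firewall only accepts a subnet named `AzureFirewallSubnet` (the name both the new params file and the VNet change use), so I'd write `"description": "Specifies the resource id of the AzureFirewallSubnet that the firewall is deployed into."`. Two behaviour choices deserve a comment or a second look: `"threatIntelMode": "Alert"` only logs hits from the threat-intelligence feed whereas `"Deny"` blocks them, so if alert-only is a deliberate first step say so in a comment next to the key. The three rule collections are empty, which (if I remember the service default correctly) means the firewall passes nothing until rules are added — fine for a first deployment but worth stating, e.g. `// no rules yet: traffic through the firewall is denied by default`. Minor: the removed VMSS template wrapped `domainNameLabel` in `toLower()`, and DNS labels must be lowercase, so `"domainNameLabel": "[toLower(variables('firewallName'))]"` would keep that robustness for names that are not already lowercase.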


@ -0,0 +1,15 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"location": {
"value": "northeurope"
},
"firewallName": {
"value": "dh-firewall"
},
"subnetId": {
"value": "/subscriptions/feab2d15-66b4-438b-accf-51f889b30ec3/resourceGroups/dh-network/providers/Microsoft.Network/virtualNetworks/dh-vnet/subnets/AzureFirewallSubnet"
}
}
}


@ -72,6 +72,15 @@
]
},
"subnets": [
{
"name": "AzureFirewallSubnet",
"properties": {
"addressPrefix": "10.0.3.0/24",
"delegations": [],
"privateEndpointNetworkPolicies": "Enabled",
"privateLinkServiceNetworkPolicies": "Enabled"
}
},
{
"name": "dh-subnet",
"properties": {