Azure
/
dev-spaces
зеркало из https://github.com/Azure/dev-spaces.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

advanced networking arm templates

This commit is contained in:
Rakesh Reddy Vanga 2020-04-01 14:11:06 -07:00
Родитель e780ef5e23
Коммит 393eefba4b
4 изменённых файлов: 685 добавлений и 0 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

31
advanced networking/README.md Normal file
Просмотреть файл

@ -0,0 +1,31 @@
This directory contains scripts and ARM templates to deploy resources which would show how to securely debug your projects using Azure Dev Spaces in a secured virtual network.
## Overview
These templates deploy a virtual network with an Azure firewall where the traffic from/to the vnet is secured/monitored by the firewall. The Azure Kubernetes cluster is deployed into a private virutal network in it's own subnet `aks-subnet`. An Azure Dev Spaces controller with `private` endpoint is created on this AKS cluster so that the endpoint is only available in the vnet where AKS is deployed. Further, to start debugging your projects, the arm templates deploy a windows 10 virtual machine in the subnet `vm-subnet` of the same virutal network.
The routing features enabled by Dev Spaces & the endpoint of your services are only available to the resources deployed in your virtual network which ensures the security of your services & development environment.
To learn further about configuring the endpoint types & newtork architecture of an Azure Dev Spaces controller, please look at the documentation here: https://aka.ms/azds-networking
## Deployment
This folder contains following files which would help in deploying resources:
* deploy.sh
* devspaces-vnet-parameters.json
* devspaces-vnet-template.json
The script `deploy.sh` would automate the process of deploying the resources using the arm templates.
It requires following inputs:
```
This script will deploy resouces which will enable you to work securely in a private virtual network.
Enter the Resource Group name:
< Enter a resource group name >
Enter the managed identity name:
< Enter a name for managed identity >
Enter a password for connecting to vm:
< Enter password for the windows VM that is used as a development machine to debug your projects >
```
## Secure Development
Connect to the VM using the ipaddress & password from the deployment script and start developing projects using Azure Dev Spaces by following this [documentation.](https://aka.ms/azds-quickstart-netcore)
## Note
The resources deployed using this templates should be used only as a starting point to secure your virtual network.

35
advanced networking/deploy.sh Normal file
Просмотреть файл

@ -0,0 +1,35 @@
#!/bin/bash
echo "This script will deploy resouces which will enable you to work securely in a private virtual network".
echo "Enter the Resource Group name:" &&
read resourceGroupName &&
echo "Enter the managed identity name:" &&
read idName &&
echo "Enter a password for connecting to vm:" &&
read password &&
# 1. Create resource group
az group create -n $resourceGroupName -l southcentralus
# 2. Create user assigned MI for running scripts in ARM templates
identity=$(az identity create -g $resourceGroupName -n $idName --query id -o tsv)
# 3. Assign contributor role for the MI on the RG
az role assignment create --role 'Contributor' -g $resourceGroupName --assignee $(az identity show -g $resourceGroupName -n $idName --query principalId -o tsv)
# 4. Create Service principal to be used by the AKS cluster
aks_sp_secret=$(az ad sp create-for-rbac --name "http://private-aks-sp" -o tsv --query password)
aks_sp_id=$(az ad sp show --id http://private-aks-sp -o tsv --query appId)
# 5. Updating the parameters of the ARM template
sed -i "s/{identity}/$identity/g" devspaces-vnet-parameters.json
sed -i "s/{aks_sp_secret}/$aks_sp_secret/g" devspaces-vnet-parameters.json
sed -i "s/{aks_sp_id}/$aks_sp_id/g" devspaces-vnet-parameters.json
sed -i "s/{password}/$password/g" devspaces-vnet-parameters.json
# 6. Deploy the resources
az group deployment create -g $resourceGroupName --template-file deployScripts.json --parameters @devspaces-vnet-parameters.json
# 7. Get the Public IP of the VM
ip=$(az network public-ip show -g $resourceGroupName -n "private-vm_ip" --query ipAddress -o tsv)
echo "Use '$password' password to connect to the '$ip' windows VM created in the Resource group '$resourceGroupName' to securely debug your projects with Azure Dev Spaces."
echo "Please follow the documentation here https://aka.ms/azds-networking to try out different endpoint scenarios."

21
advanced networking/devspaces-vnet-parameters.json Normal file
Просмотреть файл

@ -0,0 +1,21 @@
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"identity": {
"value": "{identity}"
},
"endpointType": {
"value": "Private"
},
"vm_password": {
"value": "{password}"
},
"aks_sp_id": {
"value": "{aks_sp_id}"
},
"aks_sp_secret": {
"value": "{aks_sp_secret}"
}
}
}

598
advanced networking/devspaces-vnet-template.json Normal file
Просмотреть файл

@ -0,0 +1,598 @@
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"identity": {
"type": "string"
},
"endpointType": {
"type": "string"
},
"vm_password": {
"type": "string"
},
"aks_sp_ip": {
"type": "string"
},
"aks_sp_secret": {
"type": "string"
}
},
"variables": {},
"resources": [
{
"type": "Microsoft.Network/publicIPAddresses",
"apiVersion": "2019-11-01",
"name": "firewall_piblic_ip",
"location": "[resourceGroup().location]",
"sku": {
"name": "Standard"
},
"properties": {
"publicIPAddressVersion": "IPv4",
"publicIPAllocationMethod": "Static",
"ipTags": []
}
},
{
"type": "Microsoft.Network/publicIPAddresses",
"apiVersion": "2019-11-01",
"name": "private-vm_ip",
"location": "[resourceGroup().location]",
"sku": {
"name": "Standard"
},
"properties": {
"publicIPAddressVersion": "IPv4",
"publicIPAllocationMethod": "Dynamic",
"ipTags": []
}
},
{
"type": "Microsoft.Network/virtualNetworks",
"apiVersion": "2019-11-01",
"name": "private-vnet",
"location": "[resourceGroup().location]",
"properties": {
"addressSpace": {
"addressPrefixes": [
"10.0.0.0/16"
]
},
"dhcpOptions": {
"dnsServers": []
},
"subnets": [
{
"name": "AzureFirewallSubnet",
"properties": {
"addressPrefix": "10.0.3.0/24",
"delegations": [],
"privateEndpointNetworkPolicies": "Enabled",
"privateLinkServiceNetworkPolicies": "Enabled"
}
},
{
"name": "vm-subnet",
"properties": {
"addressPrefix": "10.0.4.0/24",
"delegations": [],
"privateEndpointNetworkPolicies": "Enabled",
"privateLinkServiceNetworkPolicies": "Enabled"
}
},
{
"name": "aks-subnet",
"properties": {
"addressPrefix": "10.0.5.0/24",
"serviceEndpoints": [
{
"service": "Microsoft.Sql",
"locations": [
"[resourceGroup().location]"
]
},
{
"service": "Microsoft.AzureCosmosDB",
"locations": [
"*"
]
},
{
"service": "Microsoft.KeyVault",
"locations": [
"*"
]
},
{
"service": "Microsoft.Storage",
"locations": [
"[resourceGroup().location]",
"westus2"
]
}
],
"delegations": [],
"privateEndpointNetworkPolicies": "Enabled",
"privateLinkServiceNetworkPolicies": "Enabled"
}
}
],
"virtualNetworkPeerings": [],
"enableDdosProtection": false,
"enableVmProtection": false
}
},
{
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2018-11-01",
"name": "vm-storage",
"location": "[resourceGroup().location]",
"sku": {
"name": "Standard_LRS"
},
"kind": "Storage",
"properties": {}
},
{
"type": "Microsoft.Compute/virtualMachines",
"apiVersion": "2019-07-01",
"name": "private-vm",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.Network/networkInterfaces', 'private-nic')]",
"[resourceId('Microsoft.Storage/storageAccounts/', 'vm-storage')]"
],
"properties": {
"hardwareProfile": {
"vmSize": "Standard_D2_v2"
},
"storageProfile": {
"imageReference": {
"publisher": "MicrosoftWindowsDesktop",
"offer": "Windows-10",
"sku": "19h2-pro",
"version": "latest"
},
"osDisk": {
"osType": "Windows",
"name": "private-vm_OsDisk",
"createOption": "FromImage",
"caching": "ReadWrite",
"managedDisk": {
"storageAccountType": "Standard_LRS",
"id": "[resourceId('Microsoft.Compute/disks', 'vm-storage'))]"
},
"diskSizeGB": 127
},
"dataDisks": []
},
"osProfile": {
"computerName": "private-vm",
"adminUsername": "azureuser",
"adminPassword": "[parameters('vm_password')]",
"windowsConfiguration": {
"provisionVMAgent": true,
"enableAutomaticUpdates": true
},
"secrets": [],
"allowExtensionOperations": true,
"requireGuestProvisionSignal": true
},
"networkProfile": {
"networkInterfaces": [
{
"id": "[resourceId('Microsoft.Network/networkInterfaces', 'private-nic')]"
}
]
}
}
},
{
"type": "Microsoft.ContainerService/managedClusters",
"apiVersion": "2018-03-31",
"name": "private-aks-cluster",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.Network/virtualNetworks/subnets', 'private-vnet', 'aks-subnet')]"
],
"properties": {
"kubernetesVersion": "1.14.8",
"dnsPrefix": "[concat(resourceGroup().name, 'aks-269c04')]",
"agentPoolProfiles": [
{
"name": "nodepool1",
"count": 2,
"vmSize": "Standard_DS2_v2",
"osDiskSizeGB": 100,
"vnetSubnetID": "[resourceId('Microsoft.Network/virtualNetworks/subnets', 'private-vnet', 'aks-subnet')]",
"maxPods": 110,
"type": "VirtualMachineScaleSets",
"orchestratorVersion": "1.14.8",
"osType": "Linux"
}
],
"servicePrincipalProfile": {
"clientId": "[parameters('aks_sp_ip')]",
"secret": "[parameters('aks_sp_secret')]"
},
"enableRBAC": true,
"networkProfile": {
"networkPlugin": "kubenet",
"loadBalancerSku": "Standard",
"loadBalancerProfile": {
"managedOutboundIPs": {
"count": 1
}
},
"podCidr": "10.244.0.0/16",
"serviceCidr": "10.2.0.0/24",
"dnsServiceIP": "10.2.0.10",
"dockerBridgeCidr": "172.17.0.1/16",
"outboundType": "loadBalancer"
}
}
},
{
"type": "Microsoft.Resources/deploymentScripts",
"apiVersion": "2019-10-01-preview",
"name": "runBashWithOutputs",
"location": "[resourceGroup().location]",
"kind": "AzureCLI",
"dependsOn": [
"[resourceId('Microsoft.ContainerService/managedClusters', 'private-aks-cluster')]"
],
"identity": {
"type": "UserAssigned",
"userAssignedIdentities": {
"[parameters('identity')]": {}
}
},
"properties": {
"forceUpdateTag": "1",
"AzCliVersion": "2.0.80",
"timeout": "PT30M",
"arguments": "'[resourceGroup().name]'",
"scriptContent": "az aks get-credentials -n private-aks-cluster -g $1 -f /tmp/kube-config;base64Config=$(base64 /tmp/kube-config); echo {\"base64Config\": \"$base64Config\"} > $AZ_SCRIPTS_OUTPUT_PATH",
"cleanupPreference": "OnSuccess",
"retentionInterval": "P1D"
}
},
{
"type": "Microsoft.DevSpaces/controllers",
"apiVersion": "2019-04-01",
"name": "private_controller",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.ContainerService/managedClusters', 'private-aks-cluster')]",
"[resourceId('Microsoft.Resources/deploymentScripts', 'runBashWithOutputs')]"
],
"sku": {
"name": "S1",
"tier": "Standard"
},
"properties": {
"targetContainerHostResourceId": "[resourceId('Microsoft.ContainerService/managedClusters', 'private-aks-cluster')]",
"targetContainerHostCredentialsBase64": "[reference('runBashWithOutputs').outputs.base64Config]",
"endpointType": "[parameters('endpointType')]"
}
},
{
"type": "Microsoft.Network/virtualNetworks/subnets",
"apiVersion": "2019-11-01",
"name": "[concat('private-vnet', '/aks-subnet')]",
"dependsOn": [
"[resourceId('Microsoft.Network/virtualNetworks', 'private-vnet')]"
],
"properties": {
"addressPrefix": "10.0.5.0/24",
"serviceEndpoints": [
{
"service": "Microsoft.Sql",
"locations": [
"[resourceGroup().location]"
]
},
{
"service": "Microsoft.AzureCosmosDB",
"locations": [
"*"
]
},
{
"service": "Microsoft.KeyVault",
"locations": [
"*"
]
},
{
"service": "Microsoft.Storage",
"locations": [
"[resourceGroup().location]",
"westus2"
]
}
],
"delegations": [],
"privateEndpointNetworkPolicies": "Enabled",
"privateLinkServiceNetworkPolicies": "Enabled"
}
},
{
"type": "Microsoft.Network/virtualNetworks/subnets",
"apiVersion": "2019-11-01",
"name": "[concat('private-vnet', '/AzureFirewallSubnet')]",
"dependsOn": [
"[resourceId('Microsoft.Network/virtualNetworks', 'private-vnet')]"
],
"properties": {
"addressPrefix": "10.0.3.0/24",
"delegations": [],
"privateEndpointNetworkPolicies": "Enabled",
"privateLinkServiceNetworkPolicies": "Enabled"
}
},
{
"type": "Microsoft.Network/virtualNetworks/subnets",
"apiVersion": "2019-11-01",
"name": "[concat('private-vnet', '/vm-subnet')]",
"dependsOn": [
"[resourceId('Microsoft.Network/virtualNetworks', 'private-vnet')]"
],
"properties": {
"addressPrefix": "10.0.4.0/24",
"delegations": [],
"privateEndpointNetworkPolicies": "Enabled",
"privateLinkServiceNetworkPolicies": "Enabled"
}
},
{
"type": "Microsoft.Network/azureFirewalls",
"apiVersion": "2019-11-01",
"name": "private-firewall",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.Network/publicIPAddresses', 'firewall_piblic_ip')]",
"[resourceId('Microsoft.Network/virtualNetworks/subnets', 'private-vnet', 'AzureFirewallSubnet')]"
],
"properties": {
"sku": {
"name": "AZFW_VNet",
"tier": "Standard"
},
"threatIntelMode": "Alert",
"additionalProperties": {},
"ipConfigurations": [
{
"name": "azureFirewalls-ip",
"properties": {
"publicIPAddress": {
"id": "[resourceId('Microsoft.Network/publicIPAddresses', 'firewall_piblic_ip')]"
},
"subnet": {
"id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', 'private-vnet', 'AzureFirewallSubnet')]"
}
}
}
],
"networkRuleCollections": [
{
"name": "aksnetwork",
"properties": {
"priority": 100,
"action": {
"type": "Allow"
},
"rules": [
{
"name": "allow network",
"description": "aks network rule",
"protocols": [
"TCP"
],
"sourceAddresses": [
"*"
],
"destinationAddresses": [
"52.161.186.207"
],
"sourceIpGroups": [],
"destinationIpGroups": [],
"destinationFqdns": [],
"destinationPorts": [
"22",
"443",
"9000"
]
}
]
}
},
{
"name": "azdsnetwork",
"properties": {
"priority": 101,
"action": {
"type": "Allow"
},
"rules": [
{
"name": "allow azds network",
"description": "azds network rule",
"protocols": [
"TCP"
],
"sourceAddresses": [
"*"
],
"destinationAddresses": [
"AzureDevSpaces"
],
"sourceIpGroups": [],
"destinationIpGroups": [],
"destinationFqdns": [],
"destinationPorts": [
"*"
]
}
]
}
}
],
"applicationRuleCollections": [
{
"name": "aksbasics",
"properties": {
"priority": 100,
"action": {
"type": "Allow"
},
"rules": [
{
"name": "allow network",
"protocols": [
{
"protocolType": "Http",
"port": 80
},
{
"protocolType": "Https",
"port": 443
}
],
"fqdnTags": [],
"targetFqdns": [
"*.azmk8s.io",
"aksrepos.azurecr.io",
"*.blob.core.windows.net",
"mcr.microsoft.com",
"*.cdn.mscr.io",
"management.azure.com",
"login.microsoftonline.com",
"api.snapcraft.io",
"*auth.docker.io",
"*cloudflare.docker.io",
"*cloudflare.docker.com",
"*registry-1.docker.io"
],
"sourceAddresses": [
"*"
],
"sourceIpGroups": []
}
]
}
},
{
"name": "osupdates",
"properties": {
"priority": 102,
"action": {
"type": "Allow"
},
"rules": [
{
"name": "allow network",
"protocols": [
{
"protocolType": "Http",
"port": 80
},
{
"protocolType": "Https",
"port": 443
}
],
"fqdnTags": [],
"targetFqdns": [
"download.opensuse.org",
"*.ubuntu.com",
"packages.microsoft.com",
"snapcraft.io",
"api.snapcraft.io"
],
"sourceAddresses": [
"*"
],
"sourceIpGroups": []
}
]
}
},
{
"name": "azdsbasics",
"properties": {
"priority": 103,
"action": {
"type": "Allow"
},
"rules": [
{
"name": "allow network",
"protocols": [
{
"protocolType": "Http",
"port": 80
},
{
"protocolType": "Https",
"port": 443
}
],
"fqdnTags": [],
"targetFqdns": [
"cloudflare.docker.com",
"gcr.io",
"storage.googleapis.com"
],
"sourceAddresses": [
"*"
],
"sourceIpGroups": []
}
]
}
}
],
"natRuleCollections": []
}
},
{
"type": "Microsoft.Network/networkInterfaces",
"apiVersion": "2019-11-01",
"name": "private-nic",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.Network/publicIPAddresses', 'private-vm_ip')]",
"[resourceId('Microsoft.Network/virtualNetworks/subnets', 'private-vnet', 'vm-subnet')]"
],
"tags": {
"fw-svc": "true"
},
"properties": {
"ipConfigurations": [
{
"name": "ipconfig1",
"properties": {
"privateIPAddress": "10.0.4.4",
"privateIPAllocationMethod": "Dynamic",
"publicIPAddress": {
"id": "[resourceId('Microsoft.Network/publicIPAddresses', 'private-vm_ip')]"
},
"subnet": {
"id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', 'private-vnet', 'vm-subnet')]"
},
"primary": true,
"privateIPAddressVersion": "IPv4"
}
}
],
"dnsSettings": {
"dnsServers": []
},
"enableAcceleratedNetworking": false,
"enableIPForwarding": false
}
}
]
}