* Renamed files, Updated links, headers, & content

* Added PowerShell cmds & table alignment, Fixed link & content

* Replaced Quickstart with Deployment Options

* Revamped the content to align as a deployment guide

* Fixed references

* Removed references

* Fixed alert & references, Updated prereqs

* Fixed table of contents & missing colons

* Updated header value

* Revamped content

* Revamped content

* Fixed alert type & syntax
This commit is contained in:
Jason Masten 2024-10-15 14:35:44 -04:00 committed by GitHub
Parent 9a73525708
Commit bc51f17e83
No key found matching this signature
GPG key ID: B5690EEEBB952194
6 changed files: 447 additions and 626 deletions


@ -30,69 +30,15 @@ Our intent is to enable IT Admins to use this software to:
- Customize the deployment configuration to suit specific needs
- Deploy multiple customer workloads in production.
## Deployment Options
Mission Landing Zone can be deployed from the Azure Portal, or with Azure command line tools. Choose the desired option below for detailed deployment documentation.
| Method | Supported Clouds |
| :----- | :--------------- |
| [Azure Portal](./docs/deployment-guides/portal.md) | Azure Commercial, Azure Government |
| [Template Spec](./docs/deployment-guides/template-spec.md) | Azure Commercial, Azure Government, Azure Government Secret, & Azure Government Top Secret |
| [Command Line Tools](./docs/deployment-guides/command-line-tools.md) | Azure Commercial, Azure Government, Azure Government Secret, & Azure Government Top Secret |
> [!NOTE]
> Be sure to check out our **[add-ons](./src/bicep/add-ons/README.md)** to accelerate workload deployments.
## Quickstart
Mission Landing Zone can be deployed from the Azure Portal, or with Azure command line tools.
### Prerequistes
The following prerequisites are required on the target subscription(s):
- [Owner RBAC permissions](https://learn.microsoft.com/azure/role-based-access-control/built-in-roles#owner)
- [Enable Encryption At Host](https://learn.microsoft.com/azure/virtual-machines/disks-enable-host-based-encryption-portal?tabs=azure-powershell#prerequisites)
### Deployment Options
- [Azure Portal](#deploy-from-the-azure-portal)
- [Template Spec](#deploy-using-a-templatespec-in-azure-secret-or-azure-top-secret)
- [Azure CLI](#deploy-using-the-azure-cli)
#### Deploy from the Azure Portal
Deploy Mission Landing Zone into **Azure Commercial** or **Azure Government** from the Azure Portal:
| Cloud | Deployment Button |
| :----- | :----- |
| Azure Commercial | [![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#blade/Microsoft_Azure_CreateUIDef/CustomDeploymentBlade/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fmissionlz%2Fmain%2Fsrc%2Fbicep%2Fmlz.json/uiFormDefinitionUri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fmissionlz%2Fmain%2Fsrc%2Fbicep%2Fform%2Fmlz.portal.json) |
| Azure Government | [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#blade/Microsoft_Azure_CreateUIDef/CustomDeploymentBlade/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fmissionlz%2Fmain%2Fsrc%2Fbicep%2Fmlz.json/uiFormDefinitionUri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fmissionlz%2Fmain%2Fsrc%2Fbicep%2Fform%2Fmlz.portal.json) |
> [!NOTE]
> [Click here to learn about each step and element in the user interface.](./docs/deployment-guides/walkthrough.md)
#### Deploy using a TemplateSpec in Azure Secret or Azure Top Secret
[Click here to learn how to create a templatespec.](./docs/deployment-guides/templatespec.md)
#### Deploy using the Azure CLI
1. Clone the repository and change directory to the root of the repository:
```plaintext
git clone https://github.com/Azure/missionlz.git
cd missionlz
```
1. Deploy Mission Landing Zone with the [`az deployment sub create`](https://docs.microsoft.com/en-us/cli/azure/deployment/sub?view=azure-cli-latest#az_deployment_sub_create) command. For a quickstart, we suggest a test deployment into the current AZ CLI subscription setting these parameters:
- `--name`: (optional) The deployment name, which is visible in the Azure Portal under Subscription/Deployments.
- `--location`: (required) The Azure region to store the deployment metadata.
- `--template-file`: (required) The file path to the `mlz.bicep` template.
- `--parameters resourcePrefix=<value>`: (required) The `resourcePrefix` Bicep parameter is used to generate names for your resources. It is the only required parameter in the Bicep file. You can set it to any alphanumeric value (without whitespace) that is between 3-10 characters. You can omit this parameter and the `az deployment sub create` command will prompt you to enter a value.
Here's an example:
```plaintext
az deployment sub create \
--name myMlzDeployment \
--location eastus \
--template-file ./src/bicep/mlz.bicep \
--parameters resourcePrefix="myMlz"
```
1. Once the MLZ deployment is complete, see our [add-ons](./src/bicep/add-ons/) directory to extend the capabilities of your landing zone.
> [!NOTE]
> For more detailed deployment instructions, see the **[Deployment Guide for Bicep](./docs/deployment-guides/bicep.md)** in the **[docs](docs)** folder.
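Review bot: the Owner RBAC and Encryption At Host prerequisites leave the README together with the Quickstart section, and the new Deployment Options table carries no prerequisites pointer, so a reader who starts from the README learns about the required permissions and the subscription feature only after opening one of the three per-method guides. Consider keeping a one-line prerequisites bullet (or a link to the shared prerequisites section of the command-line guide) directly above the table, since those two items apply to every deployment method listed.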


@ -1,4 +1,4 @@
# Mission Landing Zone - Deployment Guide for Bicep
# Mission Landing Zone - Deployment Guide using Command Line Tools
[**Home**](../../README.md) | [**Design**](../design.md) | [**Add-Ons**](../../src/bicep/add-ons/README.md) | [**Resources**](../resources.md)
@ -6,48 +6,33 @@
- [Prerequisites](#prerequisites)
- [Planning](#planning)
- [Deployment](#deployment)
- [Cleanup](#cleanup)
- [Development Setup](#development-setup)
- [See Also](#see-also)
- [Deploy MLZ](#deploy-mlz)
- [Remove MLZ](#remove-mlz)
- [References](#references)
This guide describes how to deploy Mission Landing Zone (MLZ) using the Bicep template at [src/bicep/mlz.bicep](../src/bicep/mlz.bicep). The template can be deployed using the Azure Portal, the Azure CLI, or PowerShell. Supported clouds include the Azure Commercial, Azure Government, Azure Government Secret, and Azure Government Top Secret.
MLZ also provides the ARM template compiled from the Bicep file at [src/bicep/mlz.json](../src/bicep/mlz.json).
This guide describes how to deploy Mission Landing Zone (MLZ) using the ARM template at [src/bicep/mlz.json](../src/bicep/mlz.json) using either Azure CLI or Azure PowerShell. The supported clouds for this guide include the Azure Commercial, Azure Government, Azure Government Secret, and Azure Government Top Secret.
MLZ has only one required parameter and provides sensible defaults for the rest, allowing for simple deployments that specify only the parameters that need to differ from the defaults. See the [README.md](../src/bicep/README.md) document in the **src/bicep** folder for a complete list of parameters.
Below is an example of an Azure CLI deployment that uses all the defaults, and sets the **resourcePrefix** parameter, which is the only required parameter.
```BASH
az deployment sub create \
--name myMlzDeployment \
--location eastus \
--template-file ./mlz.bicep \
--parameters resourcePrefix=myMlz
```
## Prerequisites
- **Permissions:** One or more Azure subscriptions where you or an identity you manage has [Owner RBAC permissions](https://learn.microsoft.com/azure/role-based-access-control/built-in-roles#owner)
- **Encryption At Host:** To adhere to zero trust principles, the virtual machine disks deployed in this solution must be encrypted. The Encryption at Host feature enables disk encryption on virtual machine temp and cache disks. To use this feature, a resource provider feature must enabled on your Azure subscription. Use the following PowerShell script to enable the feature:
The following prerequisites are required on the target Azure subscription(s):
```powershell
Register-AzProviderFeature -FeatureName "EncryptionAtHost" -ProviderNamespace "Microsoft.Compute"
```
- **Deployment Tools:**
- **Azure PowerShell:** For PowerShell deployments you need a PowerShell terminal with the [Azure Az PowerShell module](https://learn.microsoft.com/powershell/azure/what-is-azure-powershell) installed.
- **Azure CLI:** For deployments in BASH or a Windows shell, AZ CLI is required. Examples for using Azure CLI are [Azure Cloud Shell](https://learn.microsoft.com/azure/cloud-shell/overview) or a command shell on your local machine with the [AZ CLI](https://learn.microsoft.com/cli/azure/install-azure-cli) installed.
> [!NOTE]
> The AZ CLI will automatically install the Bicep tools when a command is run that needs them, or you can manually install them following the **[instructions here.](https://learn.microsoft.com/azure/azure-resource-manager/bicep/install#azure-cli)**
- [Owner RBAC permissions](https://learn.microsoft.com/azure/role-based-access-control/built-in-roles#owner)
- [Enable Encryption At Host](https://learn.microsoft.com/azure/virtual-machines/disks-enable-host-based-encryption-portal?tabs=azure-powershell#prerequisites)
- Command Line Tools:
- **Azure PowerShell:** for PowerShell deployments you need a PowerShell terminal with the [Az PowerShell module](https://learn.microsoft.com/powershell/azure/what-is-azure-powershell).
- [**Azure Cloud Shell:**](https://learn.microsoft.com/azure/cloud-shell/overview) already has the necessary module and can be used without the installation of software.
- **Local:** you would need to install [Az PowerShell module](https://learn.microsoft.com/powershell/azure/install-azps-windows?view=azps-12.4.0&tabs=powershell&pivots=windows-msi) to execute the deployment on your workstation.
- **Azure CLI:** for deployments in BASH or a Windows shell, AZ CLI is required.
- [**Azure Cloud Shell:**](https://learn.microsoft.com/azure/cloud-shell/overview) already has Azure CLI and can be used without the installation of software.
- **Local:** you would need to install [AZ CLI](https://learn.microsoft.com/cli/azure/install-azure-cli) to execute the deployment on your workstation.
## Planning
### Decide on a Resource Prefix
Resource Groups and resource names are derived from the required parameter `resourcePrefix`. Pick a unqiue resource prefix that is 3-10 alphanumeric characters in length without whitespaces.
Resource Groups and resource names are derived from the required parameter `resourcePrefix`. Pick a unqiue resource prefix that is 3-6 alphanumeric characters in length without whitespaces.
### One Subscription or Multiple
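Review bot: the `resourcePrefix` length limit changes from 3-10 to 3-6 characters, but nothing in the diff shows a matching change to the parameter's length constraint in `mlz.bicep` / `mlz.json`; confirm the template actually enforces 6, otherwise a prefix that validated before is now documented as invalid while still being accepted (or the reverse). Two text nits are carried into the new lines: `unqiue` should be `unique`, and `using the ARM template at ... using either Azure CLI or Azure PowerShell` doubles `using`. Also, replacing the `Register-AzProviderFeature -FeatureName "EncryptionAtHost" -ProviderNamespace "Microsoft.Compute"` snippet with a bare link loses the one command an operator in a disconnected cloud would copy into an Az session; keep the command next to the link.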
@ -56,7 +41,7 @@ MLZ can deploy to a single subscription or multiple subscriptions. A test and ev
The optional parameters related to subscriptions are below. They default to the subscription used for deployment.
Parameter name | Default Value | Description
-------------- | ------------- | -----------
:------------- | :------------ | :----------
`hubSubscriptionId` | Deployment subscription | Subscription containing the firewall and network hub
`identitySubscriptionId` | Deployment subscription | Tier 0 for identity solutions
`operationsSubscriptionId` | Deployment subscription | Tier 1 for network operations and security tools
@ -64,7 +49,7 @@ Parameter name | Default Value | Description
### Networking
The following parameters affect networking. Each virtual network and subnet has been given a default address prefix to ensure they fall within the default super network. Refer to the [Networking page](docs/networking.md) for all the default address prefixes.
The following parameters affect networking. Each virtual network and subnet has been given a default address prefix to ensure they fall within the default super network. Refer to the [Networking page](../networking.md) for all the default address prefixes.
Parameter name | Default Value | Description
-------------- | ------------- | -----------
@ -105,11 +90,10 @@ Microsoft Defender for Cloud offers a standard/defender sku which enables a grea
Parameter name | Default Value | Description
-------------- | ------------- | -----------
`deployDefender` | 'false' | When set to "true", enables Microsoft Defender for Cloud for the subscriptions used in the deployment. It defaults to "false".
`deployDefenderPlans` | '['VirtualMachines']' | Paid Workload Protection plans for Defender for Cloud. It defaults to "VirtualMachines".
`emailSecurityContact` | '' | Email address of the contact, in the form of <john@doe.com>
The Defender plan by resource type for Microsoft Defender for Cloud is enabled by default in the following [Azure Environments](https://docs.microsoft.com/en-us/powershell/module/servicemanagement/azure.service/get-azureenvironment?view=azuresmps-4.0.0): `AzureCloud` and `AzureUSGovernment`. To enable this for other Azure Cloud environments, this will need to executed manually.
Documentation on how to do this can be found
[here](https://docs.microsoft.com/en-us/azure/defender-for-cloud/enable-enhanced-security)
The Defender plan for Microsoft Defender for Cloud is enabled by default in the following [Azure Environments](https://learn.microsoft.com/powershell/module/servicemanagement/azure.service/get-azureenvironment?view=azuresmps-4.0.0): `AzureCloud`. To enable this for other Azure Cloud environments, this will need to executed manually. Documentation on how to do this can be found [here](https://learn.microsoft.com/azure/defender-for-cloud/enable-enhanced-security).
#### Azure Sentinel
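Review bot: the rewritten sentence removes `AzureUSGovernment` from the environments where the Defender plan is enabled by default, leaving only `AzureCloud`; if that is intentional, say so explicitly (the old text listed both), otherwise Azure Government readers will now perform the manual enablement steps for nothing. The sentence still reads `this will need to executed manually` (missing `be`), and the `Azure Environments` link still points at the legacy Service Management `azure.service` module page even though the rest of this guide is written for the Az module.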
@ -119,20 +103,38 @@ Parameter name | Default Value | Description
-------------- | ------------- | -----------
`deploySentinel` | 'false' | When set to "true", enables Microsoft Sentinel within the Log Analytics Workspace created in this deployment. It defaults to "false".
#### Remote access with a Bastion Host
#### Remote Access
If you want to remotely access the network and the resources you've deployed you can use [Azure Bastion](https://learn.microsoft.com/azure/bastion/) to remotely access virtual machines within the network without exposing them via Public IP Addresses.
If you want to remotely access the network and the resources you've deployed, you can use [Azure Bastion](https://learn.microsoft.com/azure/bastion/) to remotely access virtual machines within the network without exposing them via Public IP Addresses.
Deploy a Linux and Windows virtual machine as jumpboxes into the network without a Public IP Address using Azure Bastion Host by providing values for these parameters:
Deploy a Linux or Windows virtual machine as jumpboxes into the network without a Public IP Address using Azure Bastion Host by providing values for these parameters:
Parameter name | Default Value | Description
-------------- | ------------- | -----------
`deployRemoteAccess` | 'false' | When set to "true", provisions Azure Bastion Host and virtual machine jumpboxes. It defaults to "false".
`windowsVmAdminPassword` | new guid | The administrator password the Windows Virtual Machine to Azure Bastion remote into. It must be > 12 characters in length. See [password requirements for creating a Windows VM](https://learn.microsoft.com/azure/virtual-machines/windows/faq#what-are-the-password-requirements-when-creating-a-vm-).
`linuxVmAuthenticationType` | 'password' | [sshPublicKey/password] The authentication type for the Linux Virtual Machine to Azure Bastion remote into. It defaults to "password".
`bastionDiagnosticsLogs` | BastionAuditLogs | The logs enabled in the diagnostic setting for Bastion.
`bastionHostPublicIPAddressAvailabilityZones` | null | The availability zones for the public IP address for Bastion.
`bastionHostSubnetAddressPrefix` | 10.0.128.192/26 | The address prefix for the subnet for Bastion.
`deployBastion` | false | When set to 'true', provisions Azure Bastion Host and virtual machine jumpboxes. It defaults to "false".
`deployLinuxVirtualMachine` | false | When set to 'true', a Linux virtual machine is deployed.
`deployWindowsVirtualMachine` | false | When set to 'true', a Windows virtual machine is deployed.
`linuxNetworkInterfacePrivateIPAddressAllocationMethod` | Dynamic | The allocation method for the private IP address on the Linux virtual machine.
`linuxVmImageOffer` | 0001-com-ubuntu-server-focal | The marketplace image offer for Linux images.
`linuxVmImagePublisher` | Canonical | The marketplace image publisher for Linux images.
`linuxVmImageSku` | 20_04-lts-gen2 | The marketplace image SKU for Linux images.
`linuxVmOsDiskType` | Standard_LRS | The disk SKU of the Linux Virtual Machine.
`linuxVmAdminPasswordOrKey` | new guid | The administrator password or public SSH key for the Linux Virtual Machine to Azure Bastion remote into. See [password requirements for creating a Linux VM](https://docs.microsoft.com/en-us/azure/virtual-machines/linux/faq#what-are-the-password-requirements-when-creating-a-vm-).
`windowsVmAdminUsername` | 'azureuser' | The administrator username for the Linux Virtual Machine to Azure Bastion remote into. It defaults to "azureuser".
`linuxVmAdminUsername` | 'azureuser' | The administrator username for the Linux Virtual Machine to Azure Bastion remote into. It defaults to "azureuser".
`linuxVmAuthenticationType` | 'password' | [sshPublicKey/password] The authentication type for the Linux Virtual Machine to Azure Bastion remote into. It defaults to "password".
`linuxVmSize` | Standard_D2s_v3 | The size for the Linux virtual machine.
`windowsVmAdminPassword` | new guid | The administrator password the Windows Virtual Machine to Azure Bastion remote into. It must be > 12 characters in length. See [password requirements for creating a Windows VM](https://learn.microsoft.com/azure/virtual-machines/windows/faq#what-are-the-password-requirements-when-creating-a-vm-).
`windowsVmAdminUsername` | 'azureuser' | The administrator username for the Linux Virtual Machine to Azure Bastion remote into. It defaults to "azureuser".
`windowsVmCreateOption` | FromImage | The create option for the disk on the Windows virtual machine.
`windowsVmOffer` | WindowsServer | The marketplace image offer for the Windows virtual machine.
`windowsVmPublisher` | MicrosoftWindowsServer | The marketplace image publisher for the Windows virtual machine.
`windowsVmSize` | Standard_D2s_v3 | The size for the Windows virtual machine.
`windowsVmSku` | 2019-datacenter-gensecond | The marketplace image SKU for the Windows virtual machine.
`windowsVmStorageAccountType` | StandardSSD_LRS | The disk SKU for the Windows virtual machine.
`windowsVmVersion` | latest | The marketplace image version for the Windows virtual machine.
#### Azure Firewall Premium
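Review bot: `windowsVmAdminUsername` is still described as `The administrator username for the Linux Virtual Machine`, a copy-paste error inherited from the old line; it should say Windows. `Deploy a Linux or Windows virtual machine as jumpboxes` mixes singular and plural. Also, both `linuxVmAdminPasswordOrKey` and `windowsVmAdminPassword` default to `new guid`, so an operator who accepts the defaults gets a jumpbox with a generated credential that the table does not tell them how to recover; since this table is now where readers decide which parameters to set, one sentence stating that a password (or an SSH key via `linuxVmAuthenticationType`) must be supplied to actually log in would prevent surprises.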
@ -149,219 +151,101 @@ If you'd like to specify a different region to deploy your resources into, chang
### Naming Conventions
<!-- markdownlint-disable MD013 -->
Mission Landing Zone resources are named according to the naming convention defined in the **src/bicep/modules/naming-convention.bicep** file. There are two different conventions used, depending on the type of resource. One convention is used to signify the relationship between itself and other resources so the name contains a service token. The other convention is essentially the same, minus the service token.
Mission Landing Zone resources are named according to the naming convention defined in the [src/bicep/modules/naming-convention.bicep](../../src/bicep/modules/naming-convention.bicep) file. There are two different conventions used, depending on the type of resource. One convention is used to signify the relationship between itself and parent resources so the name contains a service token. The other convention is essentially the same, minus the service token. For global resources, like storage accounts, the unique string function is used to create names that will prevent collisions with other Azure customers.
<!-- markdownlint-enable MD013 -->
#### Default Naming Convention Example
Let's look at an example using `--parameters resourcePrefix=FOO` and `--parameters resourceSuffix=BAR`
In `mlz.bicep` you will find a variable titled `namingConvention`:
```bicep
var namingConvention = '${toLower(resourcePrefix)}-${resourceToken}-${nameToken}-${toLower(resourceSuffix)}'
# this generates a value of: foo-${resourceToken}-${nameToken}-bar
```
This naming convention uses Bicep's `replace()` function to substitute resource abbreviations for `resourceToken` and resource names for `nameToken`.
For example, when naming the Hub Resource Group, first the `resourceToken` is substituted with the recommended abbreviation `rg`:
```bicep
var resourceGroupNamingConvention = replace(namingConvention, resourceToken, 'rg')
# this generates a value of: foo-rg-${nameToken}-bar
```
Then, the `nameToken` is substituted with the Mission LZ name `hub`:
```bicep
var hubResourceGroupName = replace(resourceGroupNamingConvention, nameToken, 'hub')
# this generates a value of: foo-rg-hub-bar
```
Finally, the `hubResourceGroupName` is assigned to the resource group `name` parameter:
```bicep
params: {
name: hubResourceGroupName # this is the calculated value 'foo-rg-hub-bar'
location: location
tags: calculatedTags
}
```
#### Modifying the Naming Convention
You can modify this naming convention to suit your needs.
You can modify MLZ's default naming convention to suit your needs by updating the [src/bicep/modules/naming-convention.bicep](../../src/bicep/modules/naming-convention.bicep) file. To avoid breaking the code, be sure to only reorder the components or remove components for the `namingConvention` and `namingConvention_Service` variables.
In `mlz.bicep` you can modify the root naming convention. This is the default convention:
> [!WARNING]
> If you change a bicep file in the repository, be sure to compile the changes to JSON when you're done.
```bicep
var namingConvention = '${toLower(resourcePrefix)}-${resourceToken}-${nameToken}-${toLower(resourceSuffix)}'
## Deploy MLZ
Use the `New-AzSubscriptionDeployment` PowerShell cmdlet or the `az deployment sub` AZ CLI command to deploy MLZ across one or many subscriptions.
### Connect to Azure
Before deploying to Azure, you first need to ensure your session is connected to Azure. Use the following examples to connect to any of the supported Azure clouds:
```PowerShell
# PowerShell
Connect-AzAccount -Environment '<Azure Cloud Name>'
```
Say you did not want to use the `resourceSuffix` value, but instead wanted to add your own token to the naming convention like `team`:
First, you added the new parameter `team`:
```bicep
@allowedValues([
'admin'
'marketing'
'sales'
])
param team
```
Then, you modified the naming convention to allow for mixed case `resourcePrefix` values and your new `team` value (while retaining the token identifiers `resourceToken` and `nameToken`):
```bicep
var namingConvention = '${resourcePrefix}-${team}-${resourceToken}-${nameToken}'
```
Now, given a `--parameters resourcePrefix=FOO` and `--parameters team=sales` the generated Hub Resource Group Name would be:
```bicep
params: {
name: hubResourceGroupName # this is the calculated value 'FOO-sales-rg-hub'
location: location
tags: calculatedTags
}
```
### Planning for Workloads
MLZ allows for deploying one or many workloads that are peered to the hub network. Each workload can be in its own subscription or multiple workloads may be combined into a single subscription.
A separate Bicep template is provided for deploying an empty workload. It deploys a virtual network, a route table, a network security group, a storage account (for logs), and a network peering to the hub network. The template is at [src/bicep/add-ons/tier3](../src/bicep/add-ons/tier3). You can use this template as a starting point to create and customize specific workload deployments.
The `tier3` template contains defaults for IP address ranges, but additional workloads will require planning for additional ranges. The following parameters affect `tier3` networking:
Parameter name | Default Value | Description
-------------- | ------------- | -----------
`virtualNetworkAddressPrefix` | '10.0.125.0/26' | The address prefix for the network spoke vnet.
`subnetAddressPrefix` | '10.0.125.0/27' | The subnet address prefix for the network spoke vnet.
## Deployment
Mission Landing Zone can be deployed using the Azure Portal or with command-line tools provided with the AZ CLI or PowerShell.
### Deploy Using the Azure Portal
The Azure Portal can be used to deploy Mission Landing Zone. The buttons below invoke an Azure Portal input form that maps user input values to the MLZ ARM template that was compiled from the Bicep template.
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#blade/Microsoft_Azure_CreateUIDef/CustomDeploymentBlade/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fmissionlz%2Fmain%2Fsrc%2Fbicep%2Fmlz.json/uiFormDefinitionUri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fmissionlz%2Fmain%2Fsrc%2Fbicep%2Fform%2Fmlz.portal.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#blade/Microsoft_Azure_CreateUIDef/CustomDeploymentBlade/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fmissionlz%2Fmain%2Fsrc%2Fbicep%2Fmlz.json/uiFormDefinitionUri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fmissionlz%2Fmain%2Fsrc%2Fbicep%2Fform%2Fmlz.portal.json)
### Command Line Deployment Using the Azure CLI or PowerShell
Use the AZ CLI command `az deployment sub` to deploy MLZ across one or many subscriptions or use the PowerShell cmdlet `New-AzSubscriptionDeployment`.
#### Single Subscription Deployment
To deploy Mission LZ into a single subscription, give your deployment a name and a location and specify the `./mlz.bicep` template file.
```BASH
# AZ CLI
az deployment sub create \
--name myMlzDeployment \
--location eastus \
--template-file ./mlz.bicep \
--parameters resourcePrefix="myMlz"
az cloud set -n '<Azure Cloud Name>'
az login
```
### Single Subscription Deployment
To deploy Mission LZ into a single subscription, give your deployment a name and a location and specify the `./mlz.json` template file.
```PowerShell
# PowerShell
New-AzSubscriptionDeployment `
-Name myMlzDeployment `
-Location 'eastus' `
-TemplateFile .\mlz.bicep `
-resourcePrefix 'myMlz'
-TemplateFile '.\mlz.json' `
-resourcePrefix 'mlz'
```
#### Multiple Subscription Deployment
```BASH
# AZ CLI
az deployment sub create \
--location 'eastus' \
--template-file './mlz.json' \
--parameters resourcePrefix='mlz'
```
### Multiple Subscription Deployment
Deployment to multiple subscriptions requires specifying the subscription IDs for each tier:
```BASH
# AZ CLI
az deployment sub create \
--subscription $deploymentSubscription \
--location eastus \
--name multiSubscriptionTest \
--template-file ./mlz.bicep \
--parameters \
resourcePrefix='myMlz' \
hubSubscriptionId=$hubSubscriptionId \
identitySubscriptionId=$identitySubscriptionId \
operationsSubscriptionId=$operationsSubscriptionId \
sharedServicesSubscriptionId=$sharedServicesSubscriptionId
```
```PowerShell
# PowerShell
New-AzSubscriptionDeployment `
-Name myMlzDeployment `
-Location 'eastus' `
-TemplateFile .\mlz.bicep `
-resourcePrefix "myMlz" `
-TemplateFile '.\mlz.json' `
-resourcePrefix 'mlz' `
-hubSubscriptionId $hubSubscriptionId `
-identitySubscriptionId $identitySubscriptionId `
-operationsSubscriptionId $operationsSubscriptionId `
-sharedServicesSubscriptionId $sharedServicesSubscriptionId
```
#### Deploying to Other Clouds
When deploying to another cloud, like Azure US Government, first set the cloud and log in.
Logging into `AzureUSGovernment`:
```BASH
# AZ CLI
az cloud set -n AzureUsGovernment
az login
```
```PowerShell
# PowerShell
Connect-AzAccount -Environment AzureUSGovernment
```
...and supply a different value for the deployment `--location` argument:
```BASH
```Bash
# AZ CLI
az deployment sub create \
--name myMlzDeployment \
--location usgovvirginia \
--template-file ./mlz.bicep \
--parameters resourcePrefix=myMlz
--subscription $deploymentSubscription \
--location 'eastus' \
--template-file './mlz.json' \
--parameters \
resourcePrefix='mlz' \
hubSubscriptionId=$hubSubscriptionId \
identitySubscriptionId=$identitySubscriptionId \
operationsSubscriptionId=$operationsSubscriptionId \
sharedServicesSubscriptionId=$sharedServicesSubscriptionId
```
```PowerShell
# PowerShell
New-AzSubscriptionDeployment `
-Name myMlzDeployment `
-Location 'usgovvirginia' `
-TemplateFile .\mlz.bicep `
-resourcePrefix 'myMlz'
```
#### Air-Gapped Clouds
For air-gapped clouds it may be convenient to transfer and deploy the compiled ARM template instead of the Bicep template if the Bicep CLI tools are not available or if it is desirable to transfer only one file into the air gap.
The ARM template is at [src/bicep/mlz.json](../src/bicep/mlz.json). The AZ CLI command for deploying the ARM template is the same as for deploying Bicep: use `az deployment sub create` and supply `mlz.json` as the template file name instead of `mlz.bicep`.
#### Reference Deployment Output
After you've deployed Mission Landing Zone you can integrate additional services or infrastructure. Bicep templates, the Azure CLI, and JMESpath queries allow you to retrieve outputs from a deployment and pass them as parameters into another deployment.
After you've deployed Mission Landing Zone you can integrate [add-ons](../../src/bicep/add-ons/README.md) with the output of MLZ. PowerShell, Azure CLI, and JMESpath queries allow you to retrieve outputs from a deployment and pass them as parameters into another deployment.
You can use the `az deployment sub show` command with a `--query` argument to retrieve information about the resources you deployed. In PowerShell use the `Get-AzSubscriptionDeployment` cmdlet.
- **PowerShell:** use the `Get-AzSubscriptionDeployment` cmdlet.
- **Azure CLI:** use the `az deployment sub show` command with a `--query` argument to retrieve information about the resources you deployed.
In this example, MLZ was deployed using a deployment name of `myMissionLandingZone`. (The deployment name is the `name` parameter you set on `az deployment sub create` or `New-AzSubscriptionDeployment`.)
In this example, MLZ was deployed using a deployment name of `myMissionLandingZone`. The deployment name is the `name` parameter you set on `az deployment sub create` or `New-AzSubscriptionDeployment`.
When an MLZ deployment is complete, you can see all the resources provisioned in that deployment by querying the `outputs` property:
```PowerShell
# PowerShell
(Get-AzSubscriptionDeployment -Name myMissionLandingZone).outputs | ConvertTo-Json
```
```BASH
# AZ CLI
az deployment sub show \
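Review bot: the single- and multi-subscription Azure CLI examples drop the `--name` argument (`az deployment sub create --location 'eastus' --template-file './mlz.json' ...`), while the PowerShell examples keep `-Name myMlzDeployment` and the Reference Deployment Output section that follows still says the deployment name is the `name` parameter you set and queries `--name myMissionLandingZone`; either restore `--name` in the CLI examples or tell the reader which name to pass to `az deployment sub show` when none was given. Two smaller points: `Connect-AzAccount -Environment '<Azure Cloud Name>'` and `az cloud set -n '<Azure Cloud Name>'` replace the concrete `AzureUSGovernment` example without listing any valid names, so keep at least the Government example the old text had; and the `Planning for Workloads` guidance on the `tier3` address prefixes (`virtualNetworkAddressPrefix`, `subnetAddressPrefix`) is deleted with no pointer to where that planning material now lives.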
@ -369,11 +253,6 @@ az deployment sub show \
--query "properties.outputs"
```
```PowerShell
# PowerShell
(Get-AzSubscriptionDeployment -Name myMissionLandingZone).outputs | ConvertTo-Json
```
If you need a single property value you can retrieve it like this:
```BASH
@ -388,14 +267,7 @@ az deployment sub show \
(Get-AzSubscriptionDeployment -Name myMissionLandingZone).outputs.firewallPrivateIPAddress
```
If you want to export the data for use by other Bicep deployments, like the [shared variable file pattern](https://docs.microsoft.com/en-us/azure/azure-resource-manager/bicep/patterns-shared-variable-file), you can export the outputs to a json file.
```BASH
# AZ CLI
az deployment sub show \
--name "myMissionLandingZone" \
--query "properties.outputs" > ./deploymentVariables.json
```
If you want to export the data for use in other ARM template deployments, like the [shared variable file pattern](https://learn.microsoft.com/azure/azure-resource-manager/bicep/patterns-shared-variable-file), you can export the outputs to a json file.
```PowerShell
# PowerShell
@ -404,7 +276,14 @@ az deployment sub show \
| Out-File -FilePath .\deploymentVariables.json
```
## Cleanup
```BASH
# AZ CLI
az deployment sub show \
--name "myMissionLandingZone" \
--query "properties.outputs" > ./deploymentVariables.json
```
## Remove MLZ
The Bicep/ARM deployment of Mission Landing Zone can be deleted with these steps:
@ -412,7 +291,8 @@ The Bicep/ARM deployment of Mission Landing Zone can be deleted with these steps
1. Delete the diagnostic settings deployed at the subscription level.
1. If Microsoft Defender for Cloud was deployed (parameter `deployDefender=true` was used) then remove subscription-level policy assignments and downgrade the Microsoft Defender for Cloud pricing tiers.
> NOTE: If you deploy and delete Mission Landing Zone in the same subscription multiple times without deleting the subscription-level diagnostic settings, the sixth deployment will fail. Azure has a limit of five diagnostic settings per subscription. The error will be similar to this: `"The limit of 5 diagnostic settings was reached."`
> [!WARNING]
> If you deploy and delete Mission Landing Zone in the same subscription multiple times without deleting the subscription-level diagnostic settings, the sixth deployment will fail. Azure has a limit of five diagnostic settings per subscription. The error will be similar to this: `"The limit of 5 diagnostic settings was reached."`
To delete the diagnostic settings from the Azure Portal: choose the subscription blade, then Activity log in the left panel. At the top of the Activity log screen click the Diagnostics settings button. From there you can click the Edit setting link and delete the diagnostic setting.
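Review bot: the step "If Microsoft Defender for Cloud was deployed (parameter `deployDefender=true` was used) then remove subscription-level policy assignments and downgrade the Microsoft Defender for Cloud pricing tiers" gates the policy-assignment cleanup on the Defender parameter, but the new portal guide in this commit lists "Delete the subscription-level Azure Policy assignments" and "Downgrade the Microsoft Defender for Cloud pricing tier(s)" as two separate steps; split them here as well, each conditioned on its own option, so a reader who enabled policy assignments without Defender does not skip the removal. The switch to `[!WARNING]` for the five-setting limit is right; it is worth adding that settings created by other tooling count toward the same limit, so a fresh subscription may already be part way there.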
@ -459,21 +339,12 @@ az security pricing list -o table --query "value[].{Name:name, Tier:pricingTier}
az security pricing create --name "<name of tier>" --tier Free
```
> NOTE: The Azure portal allows changing all pricing tiers with a single setting, but the AZ CLI requires each setting to be managed individually.
> [!NOTE]
> The Azure portal allows changing all pricing tiers with a single setting, but the AZ CLI requires each setting to be managed individually.
## Development Setup
## References
If you want to develop with Bicep you'll need these:
1. Install the [Azure CLI](https://docs.microsoft.com/en-us/cli/azure/install-azure-cli#install).
1. If using Visual Studio Code, install the [Bicep extension](https://docs.microsoft.com/en-us/azure/azure-resource-manager/bicep/install#vs-code-and-bicep-extension).
## See Also
[Bicep documentation](https://aka.ms/bicep/)
[`az deployment` documentation](https://docs.microsoft.com/en-us/cli/azure/deployment?view=azure-cli-latest)
[JMESPath queries](https://jmespath.org/)
[Azure Az PowerShell module](https://docs.microsoft.com/en-us/powershell/azure/what-is-azure-powershell)
- [Azure CLI - az deployment](https://learn.microsoft.com/cli/azure/deployment?view=azure-cli-latest)
- [Azure PowerShell](https://learn.microsoft.com/powershell/azure/what-is-azure-powershell)
- [Bicep documentation](https://aka.ms/bicep/)
- [JMESPath queries](https://jmespath.org/)
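Review bot: `az security pricing create --name "<name of tier>" --tier Free` is shown for a single tier while the note below it says every tier must be managed individually; since `az security pricing list` with a `value[]` query is already on the page, give the reader the loop instead of asking them to repeat the command by hand: `for n in $(az security pricing list --query "value[].name" -o tsv); do az security pricing create --name "$n" --tier Free; done`. Separately, dropping the "Development Setup" section removes the only pointer to installing the Azure CLI and the Bicep VS Code extension; confirm the command-line-tools guide linked from the new Deployment Options table carries those prerequisites before merging.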


@ -0,0 +1,176 @@
# Mission Landing Zone - Deployment Guide using the Azure Portal
[**Home**](../../README.md) | [**Design**](../design.md) | [**Add-Ons**](../../src/bicep/add-ons/README.md) | [**Resources**](../resources.md)
## Table of Contents
- [Deploy MLZ in the Azure Portal](#deploy-mlz-in-the-azure-portal)
- [Remove MLZ in the Azure Portal](#remove-mlz-in-the-azure-portal)
This guide provides the steps to deploy MLZ and remove an MLZ deployment in the Azure Portal. Azure Commercial and Azure Government are the only supported clouds for Azure Portal deployments of MLZ.
## Deploy MLZ in the Azure Portal
### Prerequisites
The following prerequisites are required on the target Azure subscription(s):
- [Owner RBAC permissions](https://learn.microsoft.com/azure/role-based-access-control/built-in-roles#owner)
- [Enable the Encryption At Host feature](https://learn.microsoft.com/azure/virtual-machines/disks-enable-host-based-encryption-portal?tabs=azure-powershell#prerequisites)
### Open the deployment UI
Click the appropriate button below to open the deployment UI.
| Cloud | Deployment Button |
| :----- | :----- |
| Azure Commercial | [![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#blade/Microsoft_Azure_CreateUIDef/CustomDeploymentBlade/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fmissionlz%2Fmain%2Fsrc%2Fbicep%2Fmlz.json/uiFormDefinitionUri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fmissionlz%2Fmain%2Fsrc%2Fbicep%2Fform%2Fmlz.portal.json) |
| Azure Government | [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#blade/Microsoft_Azure_CreateUIDef/CustomDeploymentBlade/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fmissionlz%2Fmain%2Fsrc%2Fbicep%2Fmlz.json/uiFormDefinitionUri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fmissionlz%2Fmain%2Fsrc%2Fbicep%2Fform%2Fmlz.portal.json) |
### STEP 1: Basics
The first step in the deployment UI is the Basics step. This requires basic information for your MLZ deployment: Subscription(s), Location, Resource Naming Prefix, and Environment Abbreviation.
#### Project Details
The project details provide the scope of the deployment. These elements also help inform other elements in the UI like the VM size for the remote access VMs.
- **Subscriptions:** select the subscription you plan to use for the hub.
- **Region:** select the location you plan to use for the resources.
#### Select Subscription(s)
MLZ can deploy to a single subscription or multiple subscriptions. Microsoft recommends for test and evaluation deployments use a single subscription. For a production deployment a single subscription maybe used or multiple if you wish to keep billing of resources separate.
Select subscription(s) for each: Hub, Identity, Operations, and Shared Services.
> [!NOTE]
> The Identity option is not required. This is intended for customers that need to deploy domain controllers in Azure.
#### Location
- **Location:** Select the desired location to deploy your MLZ resources. The drop down menu will be populated with locations that support all the resources in the deployment.
#### Naming Components
- **Resource Naming Prefix:** Specify a prefix for your MLZ resources. This prefix can help distinguish your MLZ resources and resource groups from other Azure resources. Ideally, the prefix would be an abbreviation for your organization or the department governing these resources. The value must be between 3 to 6 alphanumeric characters.
- **Environment Abbreviation:** Select the abbreviation for the target environment: `dev` = development, `test` = test, or `prod` = production.
### STEP 2: Networking
The following parameters affect networking. Each virtual network and subnet has been given a default address prefix to ensure they fall within the default super network. Refer to the [Networking page](docs/networking.md) for all the default address prefixes.
#### Hub Virtual Network
- **Super Network CIDR Range:** the full address space that will be allowed by the Azure Firewall network rule.
- **Hub Virtual Network CIDR Range:** the address space for the default subnet, firewall subnets, bastion subnet (optional), and gateway subnet (optional).
- **Hub Subnet CIDR Range:** the default subnet for the Hub virtual network. The range must fit in the Hub virtual network.
- **Firewall Client Subnet CIDR Range:** the address space for the Azure Firewall Client subnet. The range must fit in the Hub Virtual Network CIDR range. The network mask must be a /26. |
- **Firewall Management Subnet CIDR Range:** the address space for the Azure Firewall Management subnet. The range must fit in the Hub Virtual Network CIDR range. The network mask must be a /26.
- **Firewall SKU:** the SKU for the Azure Firewall. For SCCA compliance, Azure Firewall Premium should be deployed for production. If necessary you can set a different firewall SKU, Standard or Basic. Please [validate the SKU availability in your region](https://learn.microsoft.com/azure/firewall/premium-features#supported-regions) before deploying as there can be differences between clouds.
#### Identity Virtual Network (Optional)
- **Identity Virtual Network CIDR Range:** the address space for the Identity virtual network.
- **Identity Subnet CIDR Range:** the address space for the default Identity subnet. The range must fit in the Identity virtual network.
#### Operations Virtual Network
- **Operations Virtual Network CIDR Range:** the CIDR range for the Operations virtual network.
- **Operations Subnet CIDR Range:** the CIDR range for the default Operations subnet. The range must fit in the Operations virtual network.
#### Shared Services Virtual Network
- **Shared Services Virtual Network CIDR Range:** the CIDR range for the Shared Services virtual network.
- **Shared Services Subnet CIDR Range:** the CIDR range for the default Shared Services subnet. The range must fit in the Shared Services virtual network.
### STEP 3: Security and Compliance
MLZ has optional features that can be enabled in the Security and Compliance step.
#### Microsoft Defender for Cloud - Cloud Security Posture Management
By default [Microsoft Defender for Cloud](https://docs.microsoft.com/en-us/azure/defender-for-cloud/defender-for-cloud-introduction) offers a free set of monitoring capabilities that are enabled via an Azure policy when you first set up a subscription and view the Microsoft Defender for Cloud portal blade.
#### Microsoft Defender for Cloud - Workload Protection Plans and other advanced management features
- **Enable additional features for Microsoft Defender for Cloud:** Microsoft Defender for Cloud (DfC) offers a standard / defender SKU which enables a greater depth of awareness including more recommendations and threat analytics.
- **Defender for Cloud Additional Features:** enable cloud workload protections to surface workload-specific recommendations to enhance security controls.
- **Security Contact E-Mail Address:** setup email notifications for alerts and attack paths in DfC.
#### Assign Regulatory Compliance Policies
Azure Policy can be applied to your MLZ deployment. The policies are assigned to each resource group deployed by MLZ and can be viewed in the 'Compliance' view of Azure Policy in the Azure Portal.
- **Create policy assignments:** choose whether to enable Azure Policy assignments on your MLZ resource groups.
- **Policy Assignment:** select the desired Azure policy initiative. Please validate the availability of the policies in your target Azure cloud before deploying as there can be differences between clouds.
#### Microsoft Sentinel
- **Enable Microsoft Sentinel:** enable a basic Sentinel deployment which adds several security solutions to the log analytics workspace in the Operations resource group.
### STEP 4: Remote Access
#### Azure Bastion
- **Deploy Bastion:** enable [Azure Bastion](https://docs.microsoft.com/en-us/azure/bastion/) in the Hub virtual network to remotely access the network and the resources deployed with and on MLZ.
- **Azure Bastion Subnet CIDR Range:** the address space for the Azure Bastion subnet. The network mask must be a /26 or larger.
#### Azure Gateway Subnet
- **Deploy Azure Gateway Subnet:** enable the deployment of a Gateway subnet in the Hub virtual network. This simplifies the integration of a site-to-site VPN or Express Route connectivity post deployment.
- **Azure Gateway Subnet CIDR Range:** the address space for the Gateway subnet. The network mask must be a /27 or larger.
#### Windows Virtual Machine
- **Deploy Windows Virtual Machine:** choose whether to deploy a management Windows Server virtual machine in the Hub.
- **Windows Server Version:** select the desired version of Windows Server.
- **Size:** select the size for your virtual machine, ensuring your subscription has enough quota.
- **Username:** input the username for the local administrator account on the virtual machine.
- **Password:** input the password for the local administrator account on the virtual machine.
- **Confirm password:** input the password again for the local administrator account on the virtual machine.
- **Enable Hybrid Use Benefit:** choose whether to enable the [Azure Hybrid Use Benefit](https://learn.microsoft.com/windows-server/get-started/azure-hybrid-benefit) on the Windows virtual machine.
#### Linux Virtual Machine
- **Deploy Linux Virtual Machine:** choose whether to deploy a management Linux virtual machine in Hub.
- **Linux Image Publisher:** select the desired Linux image publisher from the Azure marketplace.
- **Linux Image Offer:** select the desired Linux image offer from the Azure marketplace.
- **Linux Image SKU:** select the desired Linux image SKU from the Azure marketplace. Please note, some distributions of Linux have additional license fees.
- **Size:** select the size for your virtual machine, ensuring your subscription has enough quota.
- **Username:** input the username for the local administrator account on the virtual machine.
- **Password:** input the password for the local administrator account on the virtual machine.
- **Confirm password:** input the password again for the local administrator account on the virtual machine.
### STEP 5: Tags
Tags are key / value pairs that enable you to categorize resources and view consolidated billing by applying the same tag to multiple resources and resource groups. Please refer to [Microsoft's best practices for resource tagging](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-tagging).
### STEP 6: Review + Create
Review and validate the values selected for element in the UI. Once the values have been confirmed, click the Create button to start the deployment.
> [!NOTE]
> Deployment time can vary depending on options selected.
## Remove MLZ in the Azure Portal
If necessary, the deployment of a Mission Landing Zone can be deleted with these steps:
1. Delete the resource groups for the Hub, Identity (if applicable), Shared Services, and Operations.
1. Delete the diagnostic setting for the Activity Log deployed.
1. On the Home blade, click the Subscriptions icon
1. Click on the target subscription name
1. Click the "Activity log" option in the left menu
1. Click the "Export Activity Logs" option from the top menu
1. Click the "Edit setting" link next to the diagnostic setting
1. Click the "Delete" option from the top menu
1. Delete the subscription-level Azure Policy assignments
1. Navigate to the Policy page and select the Assignments tab in the left navigation bar.
1. At the top, in the Scope box, choose the subscription(s) that contain the policy assignments you want to remove.
1. In the table click the ellipsis menu ("...") and choose "Delete assignment".
1. Downgrade the Microsoft Defender for Cloud pricing tier(s).
1. Navigate to the Microsoft Defender for Cloud page, then click the "Environment settings" tab in the left navigation panel.
1. In the tree/grid select the subscription you want to manage.
1. Click the large box near the top of the page that says "Enhanced security off".
1. Click the save button.
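Review bot: the Networking link in STEP 2, `[Networking page](docs/networking.md)`, is relative to `docs/deployment-guides/` and will not resolve; every other link in this file goes up a level (`../design.md`, `../resources.md`), so this should be `../networking.md`. Smaller items in the same file: the Firewall Client Subnet bullet ends with a stray ` |` left over from the table it was converted from; "a single subscription maybe used" should read "may be used"; "values selected for element in the UI" should read "for each element"; the "Cloud Security Posture Management" subsection under STEP 3 introduces no setting, so either name the control it describes or fold that sentence into the following subsection; and the Remove section's step to delete the Activity Log diagnostic setting should repeat the five-settings-per-subscription warning that the README's Remove MLZ section carries, since this guide is meant to stand on its own.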


@ -0,0 +1,145 @@
# Mission Landing Zone - Deployment Guide using a Template Spec
[**Home**](../../README.md) | [**Design**](../design.md) | [**Add-Ons**](../../src/bicep/add-ons/README.md) | [**Resources**](../resources.md)
## Table of Contents
- [Deploy using a Template Spec](#deploy-using-a-template-spec)
- [References](#references)
This guide provides the steps to create a template spec to deploy Mission Landing Zone (MLZ). The template spec deployment option may used in Azure Commercial, Azure Government, Azure Government Secret, and Azure Government Top Secret. For simplicity, this guide uses Cloud Shell to create the template spec, negating the need to download and install software on your workstation.
For more information on Template Specs, go to the [References](#references) section.
## Deploy using a Template Spec
### Prerequisites
The following prerequisites are required on the target Azure subscription(s):
- [Owner RBAC permissions](https://learn.microsoft.com/azure/role-based-access-control/built-in-roles#owner)
- [Enable Encryption At Host](https://learn.microsoft.com/azure/virtual-machines/disks-enable-host-based-encryption-portal?tabs=azure-powershell#prerequisites)
### Create the Template Spec
Use the following steps to create the Template Spec resource using CloudShell:
1. Download the following files to your local workstation:
1. [src/bicep/mlz.json](../../src/bicep/mlz.json)
1. [src/bicep/form/mlz.portal.json](../../src/bicep/form/mlz.portal.json)
1. If applicable, transfer the files to a workstation in the target network.
1. Login to the Azure Portal.
1. Create a storage account for CloudShell using the following settings:
1. **Basics**
- **Subscription:** select the appropriate subscription. Ideally, select the subscription that will be used for the Hub resources.
- **Resource group:** click the "Create new" link and input a name that follows your naming convention and alludes to the purpose of it, e.g. rg-cloudShell-dev-east.
- **Storage account name:** input a globally unique name between 3 and 24 characters following your naming convention. The value can contain only lowercase letters and numbers.
- **Region:** select the appropriate location. Ideally, select the location that will be used for the MLZ resources.
- **Primary service:** select the "Azure Files" option.
- **Performance:** select the "Standard: Recommended for general purpose file share and cost sensitive applications, such as HDD file shares" option.
- **Redundancy:** leave the "Geo-redundant storage (GRS)" option selected.
1. **Advanced**
- **Require secure transfer for REST API operations:** leave check box checked.
- **Allow enabling anonymous access on individual containers:** leave check box unchecked.
- **Enable storage account key access:** uncheck the check box.
- **Default to Microsoft Entra authorization in the Azure portal:** check the check box.
- **Minimum TLS version:** leave the default option, Version 1.2.
- **Permitted scope for copy operations (preview):** select the "From storage accounts that have a private endpoint to the same virtual network" option.
- **Enable hierarchical namespace:** leave the check box unchecked.
- **Allow cross-tenant replication:** leave the check box unchecked.
- **Access tier:** select the "Cool: Optimized for infrequently accessed data and backup scenarios" option.
1. **Networking**
- **Network access:** select the "Enable public access from all networks" option.
- **Routing preference:** leave the "Microsoft network routing" option selected.
1. **Data Protection**
- **Enable point-in-time restore for containers:** leave the check box unchecked.
- **Enable soft delete for blobs:** uncheck the check box.
- **Enable soft delete for containers:** uncheck the check box.
- **Enable soft delete for file shares:** uncheck the check box.
- **Enable versioning for blobs:** leave the check box unchecked.
- **Enable blob change feed:** leave the check box unchecked.
- **Enable version-level immutability support:** leave the check box unchecked.
1. **Encryption**
- **Encryption type:** leave the "Microsoft-managed keys (MMK)" option selected.
- **Enable support for customer-managed keys:** select the "All service types (blobs, files, tables, and queues)" option.
- **Enable infrastructure encryption:** check the check box.
1. **Tags:** the key / value pairs that enable you to categorize resources and view consolidated billing by applying the same tag to multiple resources and resource groups. Please refer to [Microsoft's best practices for resource tagging](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-tagging).
1. **Review + Create:** review and validate the selected values before creating the deployment.
1. Setup a file share on the storage account using the following settings:
1. **Basics**
- **Name:** input a value for the file share name. Ideally, this should be your username.
- **Access tier:** select the "Cool" option.
1. **Backup**
- **Enable backup:** uncheck the check box.
1. **Review + create:** review and validate the selected values before creating the deployment.
1. Click the CloudShell button from the top Portal menu to setup the service:
1. **Welcome to Azure Cloud Shell**
1. Click on the desired command line tool.
1. **Getting started**
1. Select the "Mount storage account" option.
1. Select the subscription that will be used for the Hub resources.
1. Leave the check box uncheck for the "Use an existing private virtual network".
1. Click the Apply button
1. **Mount storage account**
1. Choose the "Select existing storage account" option.
1. Click the Next button
1. **Select storage account**
1. **Subscription:** select the subscription used for the storage account.
1. **Resource group:** select the resource group used for the storage account.
1. **Storage account name:** select the storage account created in the previous step.
1. **File share:** select the file share created in the previous step.
1. Click the Select button
1. Upload the files to your file share.
1. Click the "Manage files" menu option.
1. Click the "Upload" option.
1. Select the JSON files
1. Click the Open button
1. Deploy the template spec using CloudShell.
1. Check your directory to ensure the JSON files are present: `ls`
1. Copy one of the following commands below and paste it into CloudShell. The command must be updated with the values for your environment before it is executed.
```PowerShell
# PowerShell
New-AzTemplateSpec `
-ResourceGroupName '<resource group name>' `
-Name '<template spec name>' `
-Version '1.0' `
-Location '<location>' `
-TemplateFile 'mlz.json' `
-UIFormDefinitionFile 'mlz.portal.json' `
-Force
```
```Bash
# Azure CLI
az ts create \
--resource-group '<resource group name>' \
--name '<template spec name>' \
--version '1.0' \
--location '<location>' \
--template-file 'mlz.json' \
--ui-form-definition 'mlz.portal.json' \
--yes
```
#### Parameter Explanations
- **ResourceGroupName | resource-group:** the name of the resource group to host the template spec resource.
- **Name | name:** the name for the template spec resource using your naming convention for Azure, e.g. ts-mlz-dev-east.
- **Version | version:** the version number of the mlz code that will be stored in the template spec, e.g. 1.0.
- **Location | location:** the Azure location for the template spec resource.
- **TemplateFile | template-file:** the file path to the ARM template in the Azure Files share used by CloudShell.
- **UIFormDefinitionFile | ui-form-definition:** the file path to the ARM template in the Azure Files share used by CloudShell.
- **Force | yes:** this switch ensures the template spec is forcibly updated without confirmation if the resource and version already exist.
### Deploy MLZ
1. Open the template spec resource in the Azure Portal.
1. Click the Deploy button from the top menu.
1. Use the deployment guide for the [Azure Portal](./portal.md#step-1-basics) deployment option to complete the MLZ deployment.
## References
- [Azure CLI - az ts create](https://learn.microsoft.com/cli/azure/ts?view=azure-cli-latest#az-ts-create)
- [Azure PowerShell - New-AzTemplateSpec](https://learn.microsoft.com/powershell/module/az.resources/new-aztemplatespec?view=azps-12.4.0)
- [Template Specs documentation](https://learn.microsoft.com/azure/azure-resource-manager/templates/template-specs?tabs=azure-powershell)
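Review bot: under Parameter Explanations, "UIFormDefinitionFile | ui-form-definition: the file path to the ARM template in the Azure Files share" is a copy of the previous bullet; it should describe `mlz.portal.json`, the portal UI form definition. On the storage account settings, "Network access: Enable public access from all networks" sits next to key access disabled and infrastructure encryption enabled; the share exists only so Cloud Shell can mount it, so say that, and add that once `New-AzTemplateSpec` / `az ts create` has run the template content lives in the template spec resource and the storage account can be restricted or deleted (or point readers to the "Use an existing private virtual network" Cloud Shell option that the mount steps already mention). Typos: "may used in Azure Commercial" should be "may be used"; "Leave the check box uncheck" should be "unchecked".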


@ -1,95 +0,0 @@
# Mission Landing Zone - Deployment Guide using a TemplateSpec
[**Home**](../../README.md) | [**Design**](../design.md) | [**Add-Ons**](../../src/bicep/add-ons/README.md) | [**Resources**](../resources.md)
To mimic the Quickstart experience of an Azure Commercial or Azure Government MLZ deployment available at [Quickstart](https://github.com/Azure/missionlz) in Azure Secret or Azure Top Secret.
## Table of Contents
- [Prerequisites](#prerequisites)
- [Create the TemplateSpecFile](#create-the-templatespecfile)
- [MLZ-Core resources deployed](#mlz-core-resources-deployed)
- [See Also](#see-also)
This guide describes how to create an Azure TemplateSpecFile. The TemplateSpecFile is used to execute a user-friendly MLZ deployment GUI. This GUI is the same Quickstart experience available in Azure Commercial and Azure Government. The TemplateSpec File is created via Powershell and requires only 2 files, [src/bicep/mlz.json](../../src/bicep/mlz.json) and [src/bicep/form/mlz.portal.json](../../src/bicep/form/mlz.portal.json).
The TemplateSpecFile is created and deployed using the Azure Portal in Azure Secret and Azure Top Secret environments.
>Note: Microsoft recommends using the CloudShell tool in the Azure Portal with Powershell since it will be populated with the necessary Powershell cmdlets.
## Prerequisites
- One or more Azure subscriptions where you or an identity you manage has `Owner` [RBAC permissions](https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#owner)
- Azure Resource Provider Feature 'Encryption At Host' enabled.
To adhere to zero trust principles, the virtual machine disks deployed in this solution must be encrypted. The 'Encryption at Host' feature enables disk encryption on virtual machine's temp and cache disks. To use this feature, the resource provider feature must be enabled on your Azure subscription. Use the following PowerShell script to enable the feature:
```powershell
Register-AzProviderFeature -FeatureName "EncryptionAtHost" -ProviderNamespace "Microsoft.Compute"
```
- For PowerShell deployments you need a PowerShell terminal with the [Azure Az PowerShell module](https://docs.microsoft.com/en-us/powershell/azure/what-is-azure-powershell) installed. Or simply use CloudShell in the Azure Portal.
## Create the TemplateSpecFile
To create the TemplateSpecFile follow the steps below:
1. Download [src/bicep/mlz.json](../../src/bicep/mlz.json) and [src/bicep/form/mlz.portal.json](../../src/bicep/form/mlz.portal.json) to your local workstation.
2. Upload the mlz.json and mlz.portal.json files to your Secret or Top Secret environment following any and all required Security regulations and procedures.
3. Login to your Secret or Top Secret Azure portal environment.
4. You will need to create or use an available Azure StorageAccount with a File Share to store the mlz.json and mlz.portal.json files.
1. Create or designate an available storageaccount.
1. Create or designate an available file share in the storageaccount.
1. Upload the mlz.json and mlz.portal.json files into the Azure file share.
1. Open CloudShell in the Portal (Use CloudShell because it will have all the necessary PS cmdlets). If your current CloudShell already defaults to the FileShare containing the mlz.json and mlz.portal.json files then skip steps v - xi.
1. Click the Gear icon and select 'Reset user settings.'
1. Click 'Reset' button.
1. Click 'Powershell' when prompted.
1. Click 'Subscription' and select the correct subscription for your FileShare.
1. Click 'Show advanced settings'
1. Select the 'use existing' radio buttons for your Resource Group, Storage account, and FileShare.
1. Click 'attach storage' (This will mount the file share with mlz.json and mlz.portal.json files to your CloudShell terminal)
1. CD to ./clouddrive and type 'ls' to verify the mlz.json and mlz.portal.json file are present.
1. Run the following PS command to create the TemplateSpec File
```PowerShell
# PowerShell
New-AzTemplateSpec -ResourceGroupName <rg-name> -Name <templatespecfilename> -Version 1.0 -Location <shortnameregion> -TemplateFile /home/<user>/clouddrive/mlz.json -UIFormDefinitionFile /home/<user>/clouddrive/mlz.portal.json
```
The parameters explained:
ResourceGroupName - any available ResourceGroup to host the TemplateSpecFile
Name - An arbitrary name for the TemplateSpecFile using Standard Naming Conventions for Azure, ie mlz-dev-tsf-1
Version - Version control of the tsf created.
Location - This is the short name of the region where the RG exists. Note, to get your location use the PS command below:
File locations - You must use the complete path to the file names.
```PowerShell
# PowerShell
Get-AzLocation | select displayname,location
```
5. After running the command verify the templatespecfile was created and exists in the ResourceGroup listed in the command.
6. To execute the MLZ deployment, simply click the templatespecfile.
7. A custom template deployment is triggered. Click the 'deploy' icon in the upper left hand corner of the 2nd blade. (This will begin the MLZ template wizard).
To follow a walkthrough of the MLZ deployment click [Walkthrough](./deployment-guide-walkthrough.md).
## MLZ-Core resources deployed
Once deployed MLZ will deploy a number of resources into 4 Resource Groups:
1. Hub
2. Operations
3. Shared Services
4. Identity, if selected.
The majority of resources will exist in the Hub resource group, mostly Private DNS Zones. All resource groups will contain VNETS, Route Tables, and Storage Accounts. The Operations hub will include additional logging Solutions. The items listed here are not a complete list of resources.
## See Also
[Bicep documentation](https://aka.ms/bicep/)
[`az deployment` documentation](https://docs.microsoft.com/en-us/cli/azure/deployment?view=azure-cli-latest)
[Azure Az PowerShell module](https://docs.microsoft.com/en-us/powershell/azure/what-is-azure-powershell)
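Review bot: deleting this guide removes the only inline form of the prerequisite command, `Register-AzProviderFeature -FeatureName "EncryptionAtHost" -ProviderNamespace "Microsoft.Compute"`, and the `Get-AzLocation | select displayname,location` tip for finding the location short name; the replacement template-spec guide only links out to learn.microsoft.com for Encryption At Host. Its stated audience includes Azure Government Secret and Top Secret, where that link may not be reachable, so carry the one-line command (and the location lookup) into the new guide's Prerequisites rather than relying on the external page.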


@ -1,222 +0,0 @@
# Mission Landing Zone - Walkthrough Guide
[**Home**](../../README.md) | [**Design**](../design.md) | [**Add-Ons**](../../src/bicep/add-ons/README.md) | [**Resources**](../resources.md)
A walkthrough guide to the Quickstart MLZ deployment available at [Quickstart](https://github.com/Azure/missionlz)
## Table of Contents
- [MLZ Deployment Walkthrough](#mlz-deployment-walkthrough)
- [Delete an MLZ-Core deployment](#delete-an-mlz-core-deployment)
- [See Also](#see-also)
This guide describes each tab and the components of an MLZ deployment.
## MLZ Deployment Walkthrough
### Basics step
The first tab will prompt you for basic information regarding your MLZ deployment: Subscription(s), Location, Resource Naming Prefix, and Environment Abbreviation.
#### One Subscription or Multiple
MLZ can deploy to a single subscription or multiple subscriptions. Microsoft recommends for test and evaluation deployments use a single subscription. For a production deployment a single subscription maybe used or multiple if you wish to keep billing of resources separate.
Select subscription(s) for each: Hub, Identity, Operations, and Shared Services.
>Note: Identity is optional and includes a check box to deploy it or not.
#### Location
Select the necessary region in your Environment to deploy your MLZ resources.
#### Resource Naming Prefix
Specify a prefix for your MLZ resources. This prefix can help distinguish your MLZ resources and resource groups from other Azure resources. Ideally, the prefix would be an abbreviation for your organization or the department governing these resources. The value must be a minimum of 3 letters and/or numbers to a maximum of 6.
#### Environment Abbreviation
Available options include dev, test, or prod.
Click the 'Next' button.
### Networking step
#### Networks
The following parameters affect networking. Each virtual network and subnet has been given a default address prefix to ensure they fall within the default super network. Refer to the [Networking page](docs/networking.md) for all the default address prefixes.
Parameter name | Default Value | Description
-------------- | ------------- | -----------
`hubVirtualNetworkAddressPrefix` | '10.0.128.0/23' | The CIDR Virtual Network Address Prefix for the Hub Virtual Network.
`hubSubnetAddressPrefix` | '10.0.128.128/26' | The CIDR Subnet Address Prefix for the default Hub subnet. It must be in the Hub Virtual Network space.
`firewallClientSubnetAddressPrefix` | '10.0.128.0/26' | The CIDR Subnet Address Prefix for the Azure Firewall Subnet. It must be in the Hub Virtual Network space. It must be /26.
`firewallManagementSubnetAddressPrefix` | '10.0.128.64/26' | The CIDR Subnet Address Prefix for the Azure Firewall Management Subnet. It must be in the Hub Virtual Network space. It must be /26.
`identityVirtualNetworkAddressPrefix` | '10.0.130.0/24' | The CIDR Virtual Network Address Prefix for the Identity Virtual Network.
`identitySubnetAddressPrefix` | '10.0.130.0/24' | The CIDR Subnet Address Prefix for the default Identity subnet. It must be in the Identity Virtual Network space.
`operationsVirtualNetworkAddressPrefix` | '10.0.131.0/24' | The CIDR Virtual Network Address Prefix for the Operations Virtual Network.
`operationsSubnetAddressPrefix` | '10.0.131.0/24' | The CIDR Subnet Address Prefix for the default Operations subnet. It must be in the Operations Virtual Network space.
`sharedServicesVirtualNetworkAddressPrefix` | '10.0.132.0/24' | The CIDR Virtual Network Address Prefix for the Shared Services Virtual Network.
`sharedServicesSubnetAddressPrefix` | '10.0.132.0/24' | The CIDR Subnet Address Prefix for the default Shared Services subnet. It must be in the Shared Services Virtual Network space.
> Note: The super CIDR range of /18 allows for future expansion tiers such as AVD, ESRI, and any future Tier 3 add-ons.
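The constraints in the table (subnets must sit inside their virtual network, the two Azure Firewall subnets must be /26, and everything must fit in the super network) are easy to get wrong when you change the defaults, and the portal only reports some of them at validation time. The following script is an added example, not part of the MLZ project, that checks a set of networking parameters before you type them into the portal. It assumes the super network is `10.0.128.0/18` (the note only says it is a /18; this is the /18 that contains every default prefix) and uses the parameter names from the table as dictionary keys. It also checks that the virtual networks do not overlap one another, which the table implies but does not state.

```python
"""Consistency check for MLZ networking parameters (added example, not MLZ code)."""
import ipaddress

# Constructed sample: the default values from the Networking table above.
DEFAULT_NETWORKS = {
    "hubVirtualNetworkAddressPrefix": "10.0.128.0/23",
    "hubSubnetAddressPrefix": "10.0.128.128/26",
    "firewallClientSubnetAddressPrefix": "10.0.128.0/26",
    "firewallManagementSubnetAddressPrefix": "10.0.128.64/26",
    "identityVirtualNetworkAddressPrefix": "10.0.130.0/24",
    "identitySubnetAddressPrefix": "10.0.130.0/24",
    "operationsVirtualNetworkAddressPrefix": "10.0.131.0/24",
    "operationsSubnetAddressPrefix": "10.0.131.0/24",
    "sharedServicesVirtualNetworkAddressPrefix": "10.0.132.0/24",
    "sharedServicesSubnetAddressPrefix": "10.0.132.0/24",
}

# Which virtual network each subnet must sit inside, per the table.
SUBNET_PARENT = {
    "hubSubnetAddressPrefix": "hubVirtualNetworkAddressPrefix",
    "firewallClientSubnetAddressPrefix": "hubVirtualNetworkAddressPrefix",
    "firewallManagementSubnetAddressPrefix": "hubVirtualNetworkAddressPrefix",
    "identitySubnetAddressPrefix": "identityVirtualNetworkAddressPrefix",
    "operationsSubnetAddressPrefix": "operationsVirtualNetworkAddressPrefix",
    "sharedServicesSubnetAddressPrefix": "sharedServicesVirtualNetworkAddressPrefix",
}

# Azure Firewall subnets must be exactly /26, per the table.
REQUIRED_PREFIXLEN = {
    "firewallClientSubnetAddressPrefix": 26,
    "firewallManagementSubnetAddressPrefix": 26,
}

# Assumption: the /18 super network mentioned in the note is 10.0.128.0/18.
SUPER_CIDR = "10.0.128.0/18"


def validate_networks(params, super_cidr=SUPER_CIDR):
    """Return a list of problem strings; an empty list means the parameters are consistent."""
    problems = []

    # Every parameter from the table must be present.
    for name in sorted(set(SUBNET_PARENT) | set(SUBNET_PARENT.values())):
        if name not in params:
            problems.append(f"{name}: missing")

    nets = {}
    for name, value in params.items():
        try:
            # strict=True rejects prefixes with host bits set, e.g. 10.0.128.129/26
            nets[name] = ipaddress.ip_network(value.strip("'\" "), strict=True)
        except ValueError as exc:
            problems.append(f"{name}: {value!r} is not a valid network prefix ({exc})")

    supernet = ipaddress.ip_network(super_cidr)
    vnets = sorted((n, net) for n, net in nets.items() if n.endswith("VirtualNetworkAddressPrefix"))

    # Every virtual network must fall inside the super network.
    for name, net in vnets:
        if not net.subnet_of(supernet):
            problems.append(f"{name}: {net} is outside the super network {supernet}")

    # Virtual networks must not overlap one another (they are peered through the hub).
    for i, (a_name, a) in enumerate(vnets):
        for b_name, b in vnets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a_name} ({a}) overlaps {b_name} ({b})")

    # Each subnet must fall inside its parent virtual network.
    by_parent = {}
    for sub_name, parent_name in SUBNET_PARENT.items():
        sub, parent = nets.get(sub_name), nets.get(parent_name)
        if sub is None or parent is None:
            continue  # already reported as missing or unparseable
        if not sub.subnet_of(parent):
            problems.append(f"{sub_name}: {sub} is not within {parent_name} ({parent})")
        by_parent.setdefault(parent_name, []).append((sub_name, sub))

    # Subnets sharing a virtual network must not overlap (the hub has three).
    for siblings in by_parent.values():
        for i, (a_name, a) in enumerate(siblings):
            for b_name, b in siblings[i + 1:]:
                if a.overlaps(b):
                    problems.append(f"{a_name} ({a}) overlaps {b_name} ({b})")

    # Fixed-size subnets (Azure Firewall requires /26).
    for name, length in REQUIRED_PREFIXLEN.items():
        net = nets.get(name)
        if net is not None and net.prefixlen != length:
            problems.append(f"{name}: {net} must be a /{length}")

    return problems


if __name__ == "__main__":
    for line in validate_networks(DEFAULT_NETWORKS) or ["OK: parameters are consistent"]:
        print(line)
```

Run it against the values you intend to enter on the Networking step; each reported line is a value the deployment will reject or that will silently break routing between tiers. The default set from the table passes with no findings.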
#### Firewall SKUs
By default, MLZ deploys [Azure Firewall Premium](https://docs.microsoft.com/azure/firewall/premium-features). **Not all regions support Azure Firewall Premium.** Check whether [the region you're deploying to supports Azure Firewall Premium](https://docs.microsoft.com/azure/firewall/premium-features#supported-regions). If necessary, you can select a different firewall SKU (Standard or Basic).
Validate SKU availability in your region before deploying, as availability differs between clouds.
Click the 'Next' button.
### Security and Compliance step
MLZ has optional features that can be enabled by setting parameters during the MLZ deployment.
#### Microsoft Defender for Cloud
By default, [Microsoft Defender for Cloud](https://docs.microsoft.com/en-us/azure/defender-for-cloud/defender-for-cloud-introduction) provides a free set of monitoring capabilities that are enabled via Azure Policy when you first set up a subscription and open the Microsoft Defender for Cloud portal blade.
Microsoft Defender for Cloud (DfC) also offers a Standard (Defender) SKU that provides greater depth of awareness, including more recommendations and threat analytics. You can enable this higher level of security in MLZ by checking the box 'Enable additional features for Microsoft Defender for Cloud', then using the pulldown menu to select the DfC features to enable.
If additional features are enabled, you will also be prompted for a Security Contact E-mail Address.
To enable DfC manually after the MLZ deployment, see [Enable enhanced security features](https://docs.microsoft.com/en-us/azure/defender-for-cloud/enable-enhanced-security).
#### Assign Regulatory Compliance Policies
Optionally, Azure Policy can be applied to your MLZ deployment.
Check the 'Create policy assignments' checkbox and select the desired Regulatory Compliance option. A policy assignment is created for each resource group deployed by MLZ; these can be viewed in the 'Compliance' view of Azure Policy in the Azure Portal.
#### Available Regulatory Compliances and Policies
Validate the availability of Regulatory Compliance policies in your region before deploying, as availability differs between clouds.
Under the [src/bicep/modules/policies](../src/bicep/modules/policies) directory are JSON files named for the initiatives, with default parameters (except for a Log Analytics workspace ID value `<LAWORKSPACE>` that is substituted at deployment time; any other parameter can be modified as needed).
#### Azure Sentinel
[Sentinel](https://docs.microsoft.com/en-us/azure/sentinel/overview) is a scalable, cloud-native, security information and event management (SIEM) and security orchestration, automation, and response (SOAR) solution.
A basic Sentinel deployment can be initiated by MLZ by checking the 'Enable Microsoft Sentinel' checkbox.
Further configuration of Sentinel after the MLZ deployment is required to take full advantage of its threat detection, log retention, and response capabilities.
Click the 'Next' button.
### Remote Access step
#### Remote access with a Bastion Host
If you wish to remotely access the network and the resources you've deployed, you can use [Azure Bastion](https://docs.microsoft.com/en-us/azure/bastion/) to reach 2 virtual machines (jumpboxes), one Windows and/or one Linux, inside the hub network without exposing them via public IP addresses.
#### Enable Remote Access
You will see check boxes for:

- Azure Bastion
- Azure Gateway Subnet
- Windows Virtual Machine
- Linux Virtual Machine

Any or all 4 resources may be deployed. The options for each resource are:

1. Azure Bastion subnet CIDR range.
2. Azure Gateway subnet CIDR range.
   > Note: GatewaySubnet is a reserved name in Azure and is required only if you plan to implement a Site-to-Site or ExpressRoute VPN.
3. Windows VM:
   1. Windows Server version
   1. VM size selector
   1. Username
   1. Password
   1. Password confirmation
   1. Option for Hybrid Use Benefit for Windows ([Azure Hybrid Benefit](https://learn.microsoft.com/en-us/windows-server/get-started/azure-hybrid-benefit?tabs=azure))
4. Linux VM:
   1. Linux image publisher. MLZ offers 3 Linux distributions: Ubuntu, RHEL, and Debian
   1. Linux image offer.
   1. Linux image SKU. *Note: some distributions of Linux have additional license fees.*
   1. VM size selector
   1. Username
   1. Password
   1. Password confirmation
Click the 'Next' button.
### Tags step
#### Best Practices for Azure Tags
Tags are name/value pairs that enable you to categorize resources and view consolidated billing by applying the same tag to multiple resources and resource groups.
Microsoft recommends the following documentation for best practices regarding [Azure Tags](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-tagging).
Click 'Next' to validate the settings and finally click 'Create'.
> Note: Deployment time varies depending on the options selected.
## Delete an MLZ-Core deployment
If necessary, the deployment of a Mission Landing Zone can be deleted with these steps:
1. Delete the 4 default resource groups: Hub, Identity, Shared Services, and Operations. Delete any add-on tier resource groups that were added in addition to MLZ-Core.
2. Delete the diagnostic setting for the Activity Log deployed at the subscription level.
3. If Microsoft Defender for Cloud was deployed (parameter `deployDefender=true` was used) then remove subscription-level policy assignments and downgrade the Microsoft Defender for Cloud pricing tiers.
To delete the diagnostic settings from the Azure Portal: open the subscription blade, then select Activity log in the left panel. At the top of the Activity log screen, click the Diagnostic settings button. From there, click the Edit setting link and delete the diagnostic setting.
To delete the diagnostic settings in a script, use the AZ CLI or PowerShell. An AZ CLI example is below:
```BASH
# View diagnostic settings in the current subscription
az monitor diagnostic-settings subscription list --query "value[]" --output table
# Delete a diagnostic setting
az monitor diagnostic-settings subscription delete --name <diagnostic setting name>
```
To delete the subscription-level policy assignments in the Azure portal:
1. Navigate to the Policy page and select the Assignments tab in the left navigation bar.
1. At the top, in the Scope box, choose the subscription(s) that contain the policy assignments you want to remove.
1. In the table click the ellipsis menu ("...") and choose "Delete assignment".
To delete the subscription-level policy assignments using the AZ CLI:
```BASH
# View the policy assignments for the current subscription
az policy assignment list -o table --query "[].{Name:name, DisplayName:displayName, Scope:scope}"
# Remove a policy assignment in the current subscription scope.
az policy assignment delete --name "<name of policy assignment>"
```
To downgrade the Microsoft Defender for Cloud pricing level in the Azure portal:
1. Navigate to the Microsoft Defender for Cloud page, then click the "Environment settings" tab in the left navigation panel.
1. In the tree/grid select the subscription you want to manage.
1. Click the large box near the top of the page that says "Enhanced security off".
1. Click the save button.
To downgrade the Microsoft Defender for Cloud pricing level using the AZ CLI:
```BASH
# List the pricing tiers
az security pricing list -o table --query "value[].{Name:name, Tier:pricingTier}"
# Change a pricing tier to the default free tier
az security pricing create --name "<name of tier>" --tier Free
```
> NOTE: The Azure portal allows changing all pricing tiers with a single setting, but the AZ CLI requires each setting to be managed individually.
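Because the CLI manages each policy assignment and each Defender pricing plan individually, it is easy to leave one behind, and deleting the wrong assignment (one inherited from a management group) is worse than leaving one. The following script is an added example, not part of the MLZ project: it reads the JSON that the two `az ... list` commands above produce (using the same `--query` shapes), keeps only the assignments scoped exactly at the subscription and the plans not on the Free tier, and prints the remaining delete/downgrade commands for review. The subscription id, assignment names, display names and the plan list are constructed sample data.

```python
"""Post-teardown check for subscription-level leftovers (added example, not MLZ code)."""
import json

# Placeholder subscription id; substitute your own.
SUBSCRIPTION_ID = "00000000-0000-0000-0000-000000000000"
SUBSCRIPTION_SCOPE = f"/subscriptions/{SUBSCRIPTION_ID}"

# Constructed sample output in the shape of:
#   az policy assignment list --query "[].{Name:name, DisplayName:displayName, Scope:scope}"
POLICY_ASSIGNMENTS_JSON = json.dumps([
    {"Name": "mlz-sub-nist", "DisplayName": "NIST SP 800-53 (subscription)",
     "Scope": SUBSCRIPTION_SCOPE},
    {"Name": "mlz-rg-nist", "DisplayName": "NIST SP 800-53 (mlz-hub-rg)",
     "Scope": f"{SUBSCRIPTION_SCOPE}/resourceGroups/mlz-hub-rg"},
    {"Name": "org-baseline", "DisplayName": "Organization baseline",
     "Scope": "/providers/Microsoft.Management/managementGroups/org"},
])

# Constructed sample output in the shape of:
#   az security pricing list --query "value[].{Name:name, Tier:pricingTier}"
PRICING_JSON = json.dumps([
    {"Name": "VirtualMachines", "Tier": "Standard"},
    {"Name": "StorageAccounts", "Tier": "Free"},
    {"Name": "KeyVaults", "Tier": "Standard"},
])


def subscription_level_assignments(listing_json, subscription_scope):
    """Names of policy assignments scoped exactly at the subscription.

    Resource-group-scoped assignments disappear with their resource group, and
    management-group-scoped ones are inherited and are not MLZ's to delete, so
    both are excluded.
    """
    return [a["Name"] for a in json.loads(listing_json)
            if a["Scope"].rstrip("/").lower() == subscription_scope.lower()]


def paid_pricing_tiers(listing_json):
    """Names of Defender for Cloud plans that are not on the Free tier."""
    return [p["Name"] for p in json.loads(listing_json) if p["Tier"].lower() != "free"]


def cleanup_commands(assignments_json, pricing_json, subscription_scope):
    """The AZ CLI commands from the steps above that are still needed to finish the teardown."""
    commands = [f'az policy assignment delete --name "{name}"'
                for name in subscription_level_assignments(assignments_json, subscription_scope)]
    commands += [f'az security pricing create --name "{name}" --tier Free'
                 for name in paid_pricing_tiers(pricing_json)]
    return commands


if __name__ == "__main__":
    pending = cleanup_commands(POLICY_ASSIGNMENTS_JSON, PRICING_JSON, SUBSCRIPTION_SCOPE)
    for cmd in pending or ["Nothing left to clean up"]:
        print(cmd)
```

In practice you would replace the two constructed JSON strings with the captured output of the `az` commands (run with `--output json`) and review the printed commands before executing them; the script never calls `az` itself.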
## See Also
- [Bicep documentation](https://aka.ms/bicep/)
- [`az deployment` documentation](https://docs.microsoft.com/en-us/cli/azure/deployment?view=azure-cli-latest)
- [Azure Az PowerShell module](https://docs.microsoft.com/en-us/powershell/azure/what-is-azure-powershell)