Azure Blueprint Automation: Three Tier Web Applications for UK-OFFICIAL
Перейти к файлу
microsoft-github-policy-service[bot] 72e7de89e0
Auto merge mandatory file pr
This pr is auto merged as it contains a mandatory file and is opened for more than 10 days.
2022-11-28 19:35:41 +00:00
extensions Initial commit 2017-11-08 10:22:06 -05:00
images updated content, links and spelling 2018-10-12 14:04:04 +02:00
parameters/azure WAF Fix 2017-11-08 10:53:10 -08:00
templates WAF Fix 2017-11-08 10:53:10 -08:00
Deploy-ReferenceArchitecture.ps1 WAF Fix 2017-11-08 10:53:10 -08:00
LICENSE Initial commit 2017-10-30 11:26:09 -07:00
README.md Update README.md 2019-11-07 11:17:52 -05:00
SECURITY.md Microsoft mandatory file 2022-07-28 16:56:36 +00:00

README.md

NOTE: This content is no longer being maintained or supported.

Please see updated blueprints here: https://docs.microsoft.com/en-us/azure/governance/blueprints/samples/

Solution Overview

For more information about this solution, see Azure Security and Compliance Blueprint - UK-OFFICAL Three-Tier Web Applications Automation.

Deploy the Solution

These templates automatically deploy the Azure resources for a Windows based three-tier application with an Active Directory Domain architecture. As this is a complex deployment that delivers the full infrastructure and environment, it can take up to two hours to deploy using the Azure Portal (Method 2). Progress can be monitored from the Resource Group blade and Deployment output blade in the Azure Portal.

Rather than developing the templates for this environment from scratch, some templates used are drawn from the Microsoft Patterns and Practices GitHub Repository as well as Template Building Blocks. There are two methods that can be used to deploy this reference architecture. The first method uses a Azure PowerShell script, whereas the second method utilises the Azure Portal. Both methods are detailed in the sections below.

Pre-requisites

In order to use these templates, users should ensure that they have:

Additional Resources

Many supporting resources exist that will assist in the creation of a suitable architecture for your workload, these include:

Method 1: PowerShell Deployment Process

To deploy this solution through Azure PowerShell, you will need the latest version of the Azure Resource Manager module to run the PowerShell script that deploys the solution. To deploy the reference architecture, follow these steps:

  1. Download or clone the solution folder from GitHub to your local machine.
  2. Open a PowerShell Window and navigate to the \compliance\uk-official\three-tier-web-with-adds\ folder.
  3. Run the following command: .\Deploy-ReferenceArchitecture.ps1 <subscription id> <location> <mode>
  4. Replace <subscription id> with your Azure subscription ID.
  5. For <location>, specify an Azure region, such as UKSouth or UKWest.
  6. The parameter controls the granularity of the deployment. The default value is DeployAll if no is selected. The can be one of the following values:
  • Infrastructure: deploys only the networking infrastructure including virtual networks, subnets, network security group and vpn gateway resources
  • ADDS: deploys the VMs acting as Active Directory Domains Services servers, deploys Active Directory to these VMs, and deploys the domain in Azure.
  • Operational: deploys the web, business and data tier VMs and load balancers
  • DeployAll: deploys all the preceding deployments.

The parameter files include hard-coded passwords in various places. It is strongly recommended that you change these values. If the parameters files are not updated, the default values will be used which may not be compatible with your on-premises environment. For production scenarios it is recommended to investigate using Azure Key Vault to store secure values and only pass these during the deployment process, for more information see Use Azure Key Vault to pass secure parameter value during deployment.

Method 2: Azure Portal Deployment Process

A deployment for this reference architecture is available on GitHub. The templates can be cloned or downloaded if customisation of parameters is required. The reference architecture is deployed in three stages: Networking -> Active Directory -> Workload. To deploy the architecture, follow the steps below for each deployment stage.

For virtual machines, the parameter files include hard-coded administrator user names and passwords. These values can be changed in the parameter files if required. It is strongly recommended that you immediately change both on all the VMs. Click on each VM in the Azure portal then click on Reset password in the Support troubleshooting blade.

Stage 1: Deploy Networking Infrastructure

  1. Click on the Deploy to Azure button to begin the first stage of the deployment. The link takes you to the Azure Portal.
  2. In the Basic section, in the Resource group textbox, select Create New and enter a value such as uk-official-networking-rg.
  3. Select a region such as UKSouth or UKWest, from the Location drop down box. All Resource Groups required for this architecture should be in the same Azure region (e.g., UKSouth or UKWest).
  4. Some parameters can be edited in the deployment page. For full compatibility with your on-premises environment, review the network parameters and customise your deployment, if necessary. If greater customisation is required, this can be done through cloning and editing the templates directly, or in situ by editing the templates by clicking Edit template (in the Template section at the top of the page).
  5. Review the terms and conditions, then click the I agree to the terms and conditions stated above checkbox.
  6. Click on the Purchase button.
  7. Check the Azure Portal notifications for a message stating that this stage of deployment is complete and proceed to the next deployment stage.

alt text

If for some reason your deployment fails, it is advisable to delete the resource group in its entirety to avoid incurring cost and orphan resources, fix the issue, and redeploy the resource groups and template.

Stage 2: Deploy Active Directory Domain

  1. Click on the Deploy to Azure button to begin the second stage of the deployment. The link takes you to the Azure Portal.
  2. In the Basic section, in the Resource group textbox, select Create New and enter a value such as uk-official-adds-rg.
  3. Select a region such as UKSouth or UKWest, from the Location drop down box. All Resource Groups required for this architecture should be in the same Azure region (e.g., UKSouth or UKWest).
  4. Some domain parameters will need to be edited in the deployment page, otherwise default example values will be used. For full compatibility with your on-premises environment, review the domain parameters and customise your deployment, if necessary. If greater customisation is required, this can be done through cloning and editing the templates directly, or in situ by editing the templates by clicking Edit template or Edit parameters (in the Template section at the top of the page).
  5. In the Settings textboxes, enter the networking resource group as entered when creating the networking infrastructure in deployment step 1 (e.g. uk-official-networking-rg).
  6. Enter the Domain settings and Admin credentials.
  7. Review the terms and conditions, then click the I agree to the terms and conditions stated above checkbox.
  8. Click on the Purchase button.
  9. Check Azure Portal notifications for a message stating that this stage of deployment is complete and proceed to the next deployment stage if completed.

alt text

If for some reason your deployment fails, it is advisable to delete the resource group in its entirety to avoid incurring cost and orphan resources, fix the issue, and redeploy the resource groups and template.

Note: The deployment includes default passwords if left unchanged. It is strongly recommended that you change these values.

Stage 3: Deploy Operational Workload Infrastructure

  1. Click on the Deploy to Azure button to begin the third stage of the deployment. The link takes you to the Azure Portal.
  2. In the Basic section, in the Resource group textbox, select Create New and enter a value such as uk-official-operational-rg.
  3. Select a region, such as UKSouth or UKWest, from the Location drop down box. All Resource Groups required for this architecture should be in the same Azure region (e.g., UKSouth or UKWest).
  4. Some parameters can be edited in the deployment page. If greater customisation is required, this can be done through cloning and editing the templates directly, or in situ by editing the templates by clicking Edit template or Edit parameters (in the Template section at the top of the page).
  5. In the Settings textboxes, enter the operational network resource group as entered when creating the networking infrastructure in deployment step 1 (e.g. uk-official-networking-rg).
  6. Enter the Virtual Machine Admin credentials.
  7. Review the terms and conditions, then click the I agree to the terms and conditions stated above checkbox.
  8. Click on the Purchase button.
  9. Check Azure Portal notifications for a message stating that this stage of deployment is complete.

alt text

If for some reason your deployment fails, it is advisable to delete the resource group in its entirety to avoid incurring cost and orphan resources, fix the issue, and redeploy the resource groups and template.

Note: The deployment includes default passwords if left unchanged. It is strongly recommended that you change these values.

Deployment and Configuration Activities

The table below provides additional information about deployment parameters, as well as other configuration steps related to the deployment activities.

Activity Configuration
Create Management VNet Resource Groups Enter resource group name during deployment .
Create Operational VNet Resource Groups Enter resource group name during deployment.
Deploy VNet network infrastructure Enter resource group name during deployment.
Create VNet Peerings None required.
Deploy VPN Gateway The template deploys an Azure environment with a public facing endpoint and an Azure Gateway to allow site-to-site VPN setup between the Azure environment and your on-premises environment. To complete this VPN connection, you will need to provide the Local Gateway (your on-premises VPN public IP address) and complete the VPN connection set up locally. VPN Gateway requires local gateway configuration in the /parameters/azure/ops-network.parameters.json template parameters file or through the Azure Portal.
Deploying internet facing Application Gateway For SSL termination, Application Gateway requires you SSL certificates to be uploaded. When provisioned, the Application Gateway will instantiate a public IP address and domain name to allow access to the web application.
Create Network Security Groups for VNETs RDP access to the management VNet Jumpbox must be secured to a trusted IP address range. It is important to amend the "sourceAddressPrefix" parameter with your own trusted source IP address range in the /parameters/azure/nsg-rules.parameters.json template parameters file. NSG configuration for the operational VNet can be found at /parameters/azure/ops-vent-nsgs.json.
Create ADDS resource group Enter resource group name during deployment and edit the configuration fields if required.
Deploying ADDS servers None required.
Updating DNS servers None required.
Create ADDS domain The provided templates create a demo 'treyresearch' domain. To ensure that the required Active Directory Domain is created with the desired domain name and administrative user the fields can be configured in the deployment screen or the /parameters/azure/add-adds-domain-controller.parameters.json template parameters file must be edited with the required values.
Create ADDS domain controller None required.
Create operational workload Resource Group Enter resource group name during deployment.
Deploy operational VM tiers and load balancers None required.
Set up IIS web server role for web tier None required.
Enable Windows Auth for VMs None required.
Deploy Microsoft Anti-malware to VMs None required.
Domain Join VMs Domain joining the Virtual Machines is a post deployment step and must be manually completed.

UK Government Private Network Connectivity

Microsoft's customers are now able to use private connections to the Microsoft UK datacentres (UK West and UK South). Microsoft's partners benefit by providing a gateway from PSN/N3 to ExpressRoute and into Azure, and this is just one of the new services the group has unveiled since Microsoft launched its Azure and Office 365 cloud offering in the UK. (https://news.microsoft.com/en-gb/2016/09/07/not-publish-microsoft-becomes-first-company-open-data-centres-uk/). Since then, thousands of customers, including the Ministry of Defence, the Met Police, and parts of the NHS, have signed up to take advantage of the sites. These UK datacentres offer UK data residency, security and reliability.

Cost

Deploying this template will create one or more Azure resources. You will be responsible for the costs generated by these resources, so it is important that you review the applicable pricing and legal terms associated with all resources and offerings deployed as part of this template. For cost estimates, you can use the Azure Pricing Calculator.

Further Reading

Further best practice information and recommendations for configuring and securing a multi-tier application in Azure can be found in Running Windows VMs for an N-tier architecture on Azure.

Best practices on Azure Network Security and a decision-making matrix can be found in Microsoft cloud services and network security.

Additional security, compliance and governance information as well as specific guidance on regularity compliance control that can be added to your architecture can be found in the Azure Security Documentation library, under the Governance and Compliance section. This includes specific guidance on topics such as PCI DSS, GDPR, UKS NHS and NIST SP 800-171.

Disclaimer

  • This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. This document is provided "as-is." Information and views expressed in this document, including URL and other Internet website references, may change without notice. Customers reading this document bear the risk of using it.
  • This document does not provide customers with any legal rights to any intellectual property in any Microsoft product or solutions.
  • Customers may copy and use this document for internal reference purposes.
  • Certain recommendations in this document may result in increased data, network, or compute resource usage in Azure, and may increase a customer's Azure license or subscription costs.
  • This architecture is intended to serve as a foundation for customers to adjust to their specific requirements and should not be used as-is in a production environment.
  • This document is developed as a reference and should not be used to define all means by which a customer can meet specific compliance requirements and regulations. Customers should seek legal support from their organization on approved customer implementations.

Contributing

This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.microsoft.com.

When you submit a pull request, a CLA-bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., label, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.