-
Notifications
You must be signed in to change notification settings - Fork 34
/
Copy pathavnm.azcli
287 lines (268 loc) · 21 KB
/
avnm.azcli
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
################################################
#
# Script to create VNets and play with AVNM
# peering and NSG locations
#
################################################
# Control
max_vnet_id=5
hub_vnet_id=0
ip_version=ipv4 # Can be 'ipv4' or 'ipv6'
create_vwan=no # Can be 'vwan' or 'hns'
overload_ipv4=no # If yes, the same spoke IPv4 prefix will be used for all spokes
public_ips=yes # If yes, public IPs will be added to the VMs
create_vpngw=no # If yes, create VPNGW in the hub
create_ergw=no # If yes, create ERGW in the hub
# Variables
rg=avnm
location=eastus
ip_prefix="10.1"
ipv6_prefix=ace:cab:de
nsg_name=avnmnsg
avnm_name=myavnm
avnm_description="Test AVNM"
avnm_vnetgroup_name=myvnets
avnm_vnetgroup_description="All VNets in the RG"
avnm_config_name=myconfig
vwan_name=avnmvwan
vhub_name=hub
vhub_prefix=192.168.0.0/23
# Create RG, NSG and VNets
echo "Creating resource group..."
az group create -n $rg -l $location -o none
echo "Creating NSG..."
az network nsg create -n "$nsg_name" -g $rg -o none
az network nsg rule create -n SSH --nsg-name $nsg_name -g $rg --priority 1000 --destination-port-ranges 22 --access Allow --protocol Tcp -o none
az network nsg rule create -n ICMP --nsg-name $nsg_name -g $rg --priority 1010 --source-address-prefixes '*' --destination-address-prefixes '*' --destination-port-ranges '*' --access Allow --protocol Icmp -o none
for vnet_id in {0..$max_vnet_id}
do
if [[ "$overload_ipv4" == "yes" ]]; then
ipv4_vnet="10.1.0.0/24"
ipv4_subnet="10.1.0.0/26"
else
ipv4_vnet="${ip_prefix}.${vnet_id}.0/24"
ipv4_subnet="${ip_prefix}.${vnet_id}.0/26"
fi
vnet_id_hex=$(printf "%02x" "$vnet_id")
if [[ "$ip_version" == "ipv4" ]]; then
echo "Creating VNet vnet${vnet_id} with prefix ${ipv4_vnet}..."
az network vnet create -n "vnet${vnet_id}" -g $rg --address-prefixes $ipv4_vnet --subnet-name vm --subnet-prefixes $ipv4_subnet -o none
if [[ "$public_ips" == "yes" ]]; then
az vm create -n "vnet${vnet_id}vm" -g $rg --image UbuntuLTS --generate-ssh-keys --size Standard_B1ms --vnet-name "vnet${vnet_id}" --subnet vm --nsg $nsg_name --public-ip-address "vnet${vnet_id}vm-pip" --public-ip-sku Standard --no-wait -o none
else
az vm create -n "vnet${vnet_id}vm" -g $rg --image UbuntuLTS --generate-ssh-keys --size Standard_B1ms --vnet-name "vnet${vnet_id}" --subnet vm --nsg $nsg_name --public-ip-address '' --public-ip-sku Standard --no-wait -o none
fi
else
ipv6_vnet="${ipv6_prefix}${vnet_id_hex}::/48"
ipv6_subnet="${ipv6_prefix}${vnet_id_hex}:11::/64"
echo "Creating VNet vnet${vnet_id} with prefixes ${ipv4_vnet} and ${ipv6_vnet}..."
az network vnet create -n "vnet${vnet_id}" -g $rg --address-prefixes $ipv4_vnet $ipv6_vnet --subnet-name vm --subnet-prefixes $ipv4_subnet $ipv6_subnet -o none
if [[ "$public_ips" == "yes" ]]; then
az network public-ip create -n "vnet${vnet_id}vm-pipv4" -g $rg -l $location --sku Standard --allocation-method static --version IPv4 -z 1 2 3 -o none
az network public-ip create -n "vnet${vnet_id}vm-pipv6" -g $rg -l $location --sku Standard --allocation-method static --version IPv6 -z 1 2 3 -o none
az network nic create -g $rg -n "vnet${vnet_id}-nic0" --vnet-name "vnet${vnet_id}" --subnet vm --network-security-group $nsg_name --public-ip-address "vnet${vnet_id}vm-pipv4" -o none
az network nic ip-config create -g $rg -n myIPv6config --nic-name "vnet${vnet_id}-nic0" --private-ip-address-version IPv6 --vnet-name "vnet${vnet_id}" --subnet vm --public-ip-address "vnet${vnet_id}vm-pipv6" -o none
az vm create -n "vnet${vnet_id}vm" -g $rg --image UbuntuLTS --generate-ssh-keys --size Standard_B1ms --nics "vnet${vnet_id}-nic0" --no-wait -o none
else
az network nic create -g $rg -n "vnet${vnet_id}-nic0" --vnet-name "vnet${vnet_id}" --subnet vm --network-security-group $nsg_name --public-ip-address '' -o none
az network nic ip-config create -g $rg -n myIPv6config --nic-name "vnet${vnet_id}-nic0" --private-ip-address-version IPv6 --vnet-name "vnet${vnet_id}" --subnet vm --public-ip-address '' -o none
az vm create -n "vnet${vnet_id}vm" -g $rg --image UbuntuLTS --generate-ssh-keys --size Standard_B1ms --nics "vnet${vnet_id}-nic0" --no-wait -o none
fi
fi
# Optionally, create additional VPN GW in hub (vnet_id=0)
if [[ "$vnet_id" == "$hub_vnet_id" ]] && [[ "$create_vpngw" == "yes" ]]; then
if [[ "$ip_version" == "ipv4" ]]; then
echo "Creating Basic VPN VNG in hub VNet vnet${vnet_id}..."
ipv4_subnet="${ip_prefix}.${vnet_id}.64/26"
az network vnet subnet create -g $rg -n GatewaySubnet --vnet-name "vnet${vnet_id}" --address-prefixes $ipv4_subnet -o none
az network public-ip create -g $rg -n vpngw-pip --sku Basic --allocation-method Dynamic -o none
az network vnet-gateway create --gateway-type Vpn -n hub-vpngw --public-ip-addresses vngpip -g $rg --sku Basic --vnet "vnet${vnet_id}" --vpn-type PolicyBased
fi
fi
# Optionally, create additional ER GW in hub (vnet_id=0)
if [[ "$vnet_id" == "$hub_vnet_id" ]] && [[ "$create_ergw" == "yes" ]]; then
if [[ "$ip_version" == "ipv4" ]]; then
echo "Creating ExpressRoute gateway in hub VNet vnet${vnet_id}..."
ipv4_subnet="${ip_prefix}.${vnet_id}.64/26"
az network vnet subnet create -g $rg -n GatewaySubnet --vnet-name "vnet${vnet_id}" --address-prefixes $ipv4_subnet -o none
az network public-ip create -g $rg -n ergw-pip --sku Standard --allocation-method Static -o none
az network vnet-gateway create -g $rg -n hub-ergw --gateway-type ExpressRoute --sku Standard -l $location --vnet "vnet${vnet_id}" --public-ip-addresses ergw-pip --no-wait -o none
else
echo "Creating ExpressRoute gateway in hub VNet vnet${vnet_id}..."
ipv4_subnet="${ip_prefix}.${vnet_id}.64/26"
ipv6_subnet="${ipv6_prefix}${vnet_id_hex}:12::/64"
az network vnet subnet create -g $rg -n GatewaySubnet --vnet-name "vnet${vnet_id}" --address-prefixes $ipv4_subnet $ipv6_subnet -o none
az network public-ip create -g $rg -n ergw-pip --sku Standard --allocation-method Static -o none
az network vnet-gateway create -g $rg -n hub-ergw --gateway-type ExpressRoute --sku Standard -l $location --vnet "vnet${vnet_id}" --public-ip-addresses ergw-pip --no-wait -o none
fi
fi
done
# Optionally create ER circuit and Megaport configuration
if [[ "$create_ergw" == "yes" ]]; then
er_location=germanywestcentral
er_pop=Frankfurt
er_circuit_sku=Standard
er_provider=Megaport
er_circuit_name="er-$er_pop"
ergw_name=hub-ergw
ergw_pip=ergw-pip
mcr_asn=65001
az network express-route create -n $er_circuit_name --peering-location $er_pop -g $rg -o none \
--bandwidth 50 Mbps --provider $er_provider -l $er_location --sku-family MeteredData --sku-tier $er_circuit_sku
service_key=$(az network express-route show -n $er_circuit_name -g $rg --query serviceKey -o tsv)
megaport_script_path="/home/jose/repos/azcli/megaport.sh"
if [[ -e "$megaport_script_path" ]]
then
echo "Creating Megaport Cloud Router and configuring circuit..."
$megaport_script_path -q -s=jomore-${er_pop} -a=create_mcr -k=$service_key --asn=$mcr_asn
# sleep 60 # Wait 1 minute before creating the connections. This could be replaced with a loop checking ./megaport.sh -a=list_live
# $megaport_script_path -q -s=jomore-${er_pop} -a=create_vxc -k=$service_key
else
echo "Sorry, I cannot seem to find the script $megaport_script_path to interact with the Megaport API"
fi
fi
# Add/remove tags to all or some VNets
echo "Tagging VNets..."
for vnet_id in {0..$max_vnet_id}
do
if [[ "$vnet_id" == "$hub_vnet_id" ]]; then
role=hub
else
role=spoke
fi
vnet_arm_id=$(az network vnet show -n "vnet${vnet_id}" -g $rg --query id -o tsv)
az resource tag --ids $vnet_arm_id --tags "avnmtest=yes" "role=$role" -o none
# az resource tag --ids $vnet_arm_id --tags "avnmtest=no" -o none
done
# Create AVNM instance and VNet groups
echo "Creating AVNM instance scoped to subscription..."
subscription_id=$(az account show --query id -o tsv)
# The scope-access "SecurityUser" not available yet (Dec'21). Still not there in Dec'22
az network manager create -n $avnm_name -g $rg -l $location --description $avnm_description --display-name $avnm_name \
--scope-access SecurityAdmin Connectivity \
--network-manager-scopes subscriptions="/subscriptions/${subscription_id}" -o none
condition_all="{ \"allOf\": [ {\"field\": \"tags['avnmtest']\", \"equals\": \"yes\" } ] }"
condition_hubs="{ \"allOf\": [ {\"field\": \"tags['avnmtest']\", \"equals\": \"yes\" }, {\"field\": \"tags['role']\", \"equals\": \"hub\" } ] }"
condition_spokes="{ \"allOf\": [ {\"field\": \"tags['avnmtest']\", \"equals\": \"yes\" }, {\"field\": \"tags['role']\", \"equals\": \"spoke\" } ] }"
# Three groups are created, although actually only the spoke group is requried (DOES NOT WORK!!!!!)
# NEW
az network manager group create -n ${avnm_vnetgroup_name}-all --network-manager-name $avnm_name -g $rg --description ${avnm_vnetgroup_name}-all -o none
az network manager group create -n ${avnm_vnetgroup_name}-hub --network-manager-name $avnm_name -g $rg --description ${avnm_vnetgroup_name}-all -o none
az network manager group create -n ${avnm_vnetgroup_name}-spokes --network-manager-name $avnm_name -g $rg --description ${avnm_vnetgroup_name}-all -o none
# OLD
az network manager group create -n ${avnm_vnetgroup_name}-all --network-manager-name $avnm_name -g $rg \
--member-type Microsoft.Network/virtualNetworks --description ${avnm_vnetgroup_name}-all \
--conditional-membership $condition_all -o none
az network manager group create -n ${avnm_vnetgroup_name}-hub --network-manager-name $avnm_name -g $rg \
--member-type Microsoft.Network/virtualNetworks --description ${avnm_vnetgroup_name}-hub \
--conditional-membership $condition_hubs -o none
az network manager group create -n ${avnm_vnetgroup_name}-spokes --network-manager-name $avnm_name -g $rg \
--member-type Microsoft.Network/virtualNetworks --description ${avnm_vnetgroup_name}-spokes \
--conditional-membership $condition_spokes -o none
# Optional: Test subnet group (NOT WORKING WITH THE NEW VERSION Dec'22)
subnet_condition="{ \"allOf\": [ {\"field\": \"name\", \"equals\": \"vm\" } ] }"
az network manager group create -n subnetgroup --network-manager-name $avnm_name -g $rg \
--member-type "Microsoft.Network/virtualNetworks/subnets" --description "test subnet group" \
--conditional-membership $subnet_condition -o none
# Create connectivity configs
avnm_hubs_group_id=$(az network manager group show -n ${avnm_vnetgroup_name}-hub --network-manager-name $avnm_name -g $rg --query id -o tsv)
avnm_spokes_group_id=$(az network manager group show -n ${avnm_vnetgroup_name}-spokes --network-manager-name $avnm_name -g $rg --query id -o tsv)
hub_vnet_id=$(az network vnet show -n "vnet${hub_vnet_id}" -g $rg --query id -o tsv)
# Hub and spoke #### NOT WORKING! ####
# az network manager connect-config delete --configuration-name "${avnm_config_name}-hns" -n "$avnm_name" -g "$rg" -y
az network manager connect-config create --configuration-name "${avnm_config_name}-hns" -n "$avnm_name" -g "$rg" --description "${avnm_config_name}-hns" \
--applies-to-groups group-connectivity="DirectlyConnected" is-global="False" network-group-id="$avnm_spokes_group_id" use-hub-gateway="False" \
--connectivity-topology "HubAndSpoke" --delete-existing-peering true --display-name "${avnm_config_name}-hns" --hub resource-id="$hub_vnet_id" --is-global false -o none
hns_config_id=$(az network manager connect-config show --configuration-name "${avnm_config_name}-hns" -n "$avnm_name" -g "$rg" --query id -o tsv)
# az network manager connect-config delete --configuration-name "${avnm_config_name}-hns" -n "$avnm_name" -g $rg -y
# Full mesh
az network manager connect-config create --configuration-name "${avnm_config_name}-fullmesh" -n "$avnm_name" -g "$rg" --description "${avnm_config_name}-fullmesh" \
--applies-to-groups group-connectivity="DirectlyConnected" is-global="False" network-group-id="$avnm_spokes_group_id" use-hub-gateway="false" \
--connectivity-topology "Mesh" --delete-existing-peering true --display-name "${avnm_config_name}-fullmesh" --is-global false -o none
mesh_config_id=$(az network manager connect-config show --configuration-name "${avnm_config_name}-fullmesh" -n "$avnm_name" -g "$rg" --query id -o tsv)
# Deploy connectivity configs
echo "Deployging mesh configuration..."
# az network manager post-commit --network-manager-name $avnm_name -g $rg --commit-type "Connectivity" --target-locations $location --configuration-ids $hns_config_id -o none
az network manager post-commit --network-manager-name $avnm_name -g $rg --commit-type "Connectivity" --target-locations $location --configuration-ids $mesh_config_id -o none
# Remove all deployments ##### NOT WORKING
# az network manager post-commit --network-manager-name $avnm_name -g $rg --commit-type "Connectivity" --target-locations $location --configuration-ids ''
# Optional: create Virtual WAN
if [[ "$create_vwan" == "yes" ]]; then
az network vwan create -n $vwan_name -g $rg -l $location -o none
az network vhub create --vwan $vwan_name -n $vhub_name --address-prefix $vhub_prefix -l $location -g $rg -o none --no-wait
# Connect all VNets to virtual hub
echo "Connecting VNets to Virtual Hub"
for vnet_id in {0..$max_vnet_id}
do
if [[ "$vnet_id" == "$hub_vnet_id" ]]; then
echo "Skipping VNet vnet${vnet_id}, since it is a hub"
else
echo "Connecting VNet vnet${vnet_id} to Virtual WAN hub ${vhub_name}..."
az network vhub connection create -n "vnet${vnet_id}" -g $rg --vhub-name ${vhub_name} --remote-vnet "vnet${vnet_id}" --internet-security true -o none
fi
done
fi
# Create Security Admin Config
sec_config_name="${avnm_config_name}-denyIcmp"
az network manager security-admin-config create --configuration-name "$sec_config_name" --network-manager-name "$avnm_name" -g "$rg" --description "Deny ICMP" --delete-existing-ns-gs true -o none
avnm_spokes_group_id=$(az network manager group show -n ${avnm_vnetgroup_name}-spokes --network-manager-name $avnm_name -g $rg --query id -o tsv)
az network manager security-admin-config rule-collection create --configuration-name "$sec_config_name" --network-manager-name "$avnm_name" -g "$rg" -o none \
--rule-collection-name "AllowedTraffic" --description "Allowed Traffic" --display-name "Allowed Traffic" --applies-to-groups network-group-id="$avnm_spokes_group_id"
# Supported actions: Allow, AlwaysAllow, Deny. Not that not all service tags are supported ('Internet' is not)
az network manager security-admin-config rule-collection rule create --configuration-name $sec_config_name --network-manager-name "$avnm_name" -g "$rg" -o none \
--rule-collection-name "AllowedTraffic" --rule-name "DropICMP" --kind "Custom" --protocol "Icmp" --access "Deny" --priority 32 --direction "Inbound" \
--destinations address-prefix="*" address-prefix-type="IPPrefix" --sources address-prefix="10.0.0.0/8" address-prefix-type="IPPrefix" --sources address-prefix="192.168.0.0/16" address-prefix-type="IPPrefix"
# Deploy security configs
# SecurityAdmin supported (SecurityUser not yet)
echo "Deploying security config..."
sec_config_id=$(az network manager security-admin-config show --configuration-name "${sec_config_name}" -n "$avnm_name" -g "$rg" --query id -o tsv)
az network manager post-commit --network-manager-name $avnm_name -g $rg --commit-type "SecurityAdmin" --target-locations $location --configuration-ids $sec_config_id -o none
# Optional: new security configurations
no_of_configs=10
avnm_spokes_group_id=$(az network manager group show -n ${avnm_vnetgroup_name}-spokes --network-manager-name $avnm_name -g $rg --query id -o tsv)
for i in {1..$no_of_configs}; do
sec_config_name="${avnm_config_name}-port$i"
echo "Creating $sec_config_name..."
az network manager security-admin-config create --configuration-name "$sec_config_name" --network-manager-name "$avnm_name" -g "$rg" --description "Test $i" --delete-existing-ns-gs false -o none
az network manager security-admin-config rule-collection create --configuration-name "$sec_config_name" --network-manager-name "$avnm_name" -g "$rg" -o none \
--rule-collection-name "AllowedTraffic" --description "Allowed Traffic" --display-name "Allowed Traffic" --applies-to-groups network-group-id="$avnm_spokes_group_id"
az network manager security-admin-config rule-collection rule create --configuration-name $sec_config_name --network-manager-name "$avnm_name" -g "$rg" -o none \
--rule-collection-name "AllowedTraffic" --rule-name "Rule$i" --kind "Custom" --protocol "Tcp" --dest-port-ranges $i --access "Deny" --priority $i --direction "Inbound" \
--destinations address-prefix="*" address-prefix-type="IPPrefix" --sources address-prefix="10.0.0.0/8" address-prefix-type="IPPrefix" --sources address-prefix="192.168.0.0/16" address-prefix-type="IPPrefix"
echo "Deploying security config $sec_config_name..."
sec_config_id=$(az network manager security-admin-config show --configuration-name "${sec_config_name}" -n "$avnm_name" -g "$rg" --query id -o tsv)
az network manager post-commit --network-manager-name $avnm_name -g $rg --commit-type "SecurityAdmin" --target-locations $location --configuration-ids $sec_config_id -o none
done
# Optional: testing subnet groups
sec_config_name="${avnm_config_name}-allowTelnet"
avnm_subnets_group_id=$(az network manager group show -n "subnetgroup" --network-manager-name $avnm_name -g $rg --query id -o tsv)
az network manager security-admin-config create --configuration-name "$sec_config_name" --network-manager-name "$avnm_name" -g "$rg" --description "Allow Telnet" --delete-existing-ns-gs true -o none
az network manager security-admin-config rule-collection create --configuration-name "$sec_config_name" --network-manager-name "$avnm_name" -g "$rg" -o none \
--rule-collection-name "AllowedSubnetTraffic" --description "Allowed Subnet Traffic" --display-name "Allowed Subnet Traffic" --applies-to-groups network-group-id="$avnm_subnets_group_id"
az network manager security-admin-config rule-collection rule create --configuration-name $sec_config_name --network-manager-name "$avnm_name" -g "$rg" -o none \
--rule-collection-name "AllowedSubnetTraffic" --rule-name "AllowTelnet" --kind "Custom" --protocol "Tcp" --dest-port-ranges 23 --access "AlwaysAllow" --priority 40 --direction "Inbound"
sec_config_id=$(az network manager security-admin-config show --configuration-name "${sec_config_name}" -n "$avnm_name" -g "$rg" --query id -o tsv)
az network manager post-commit --network-manager-name $avnm_name -g $rg --commit-type "SecurityAdmin" --target-locations $location --configuration-ids $sec_config_id -o none
# Diagnostics
az network manager list -g $rg -o table
az network vnet list -g $rg -o table
az network vnet list -g $rg --query '[].{Name:name,Prefix:addressSpace.addressPrefixes[0]}' -o table
az network manager group list --network-manager-name ${avnm_name} -g $rg -o table
### Not working
az network manager group list-effect-vnet --network-group-name "${avnm_vnetgroup_name}-all" -n $avnm_name -g $rg --query 'value[].{Id:id, MembershipType:membershipType}' -o table
az network manager group list-effect-vnet --network-group-name "${avnm_vnetgroup_name}-hub" -n $avnm_name -g $rg --query 'value[].{Id:id, MembershipType:membershipType}' -o table
az network manager group list-effect-vnet --network-group-name "${avnm_vnetgroup_name}-spokes" -n $avnm_name -g $rg --query 'value[].{Id:id, MembershipType:membershipType}' -o table
###
az network manager connect-config list --network-manager-name $avnm_name -g $rg -o table
az network manager security-admin-config list --network-manager-name $avnm_name -g $rg -o table
az network manager security-admin-config rule-collection list --configuration-name $sec_config_name --network-manager-name $avnm_name -g $rg -o table
az network manager security-admin-config rule-collection rule list --configuration-name $sec_config_name --rule-collection-name "AllowedTraffic" --network-manager-name $avnm_name -g $rg -o table
az network manager list-deploy-status --network-manager-name $avnm_name --deployment-types "Connectivity" "SecurityAdmin" --regions $location -g $rg
az network manager list-deploy-status --network-manager-name $avnm_name --deployment-types "Connectivity" "SecurityAdmin" --regions $location -g $rg --query 'value[].{ConfigId:configurationIds[0], Status:deploymentStatus, Type:deploymentType}' -o table
az network vnet peering list -g $rg -o table --vnet-name vnet1
az vm list-ip-addresses -g $rg -o table
az network nic list -g $rg -o table
az network nic show-effective-route-table -g $rg -o table -n vnet1vmVMNIC
az network vhub list -g $rg -o table
az network nsg list -o table -g $rg
az network nic list-effective-nsg -g $rg -n vnet1vmVMNIC