Azure Front Door | Rules Engine
Azure Front Door | Rules Engine
Azure Front Door Rules Engine is a new feature that gives you more control in how you define and enforce what content gets served from where. Rules Engine allows you to specify how HTTP requests are handled from the AFD. Different combinations of match conditions and actions give you fine-grained control over which users get which content and make the possible scenarios that you can accomplish with Rules Engine endless.
For example, you can use a match condition to:
- Filter requests based on a specific IP address, country, or region.
- Filter requests by header information.
- Filter requests from mobile devices or desktop devices.
The following match conditions are available to use in Front Door Rules engine:
- Device type
- Post argument
- Query string
- Remote address
- Request body
- Request header
- Request method
- Request protocol
- Request URL
- Request file extension
- Request file name
- Request path
- Standard operator list
How Rules Engine Works
The Rules Engine applies the routing roules at the Edge. Once the request is received from the AFD edge location, the Rules Engine routes it first through the WAF rules and right after it applies the route configuration. In the next picture, the Rules Engine desides if the request will redirected to the mobile site or it will be forwarded to the desktop site.
How to create a rules engine and add a rule
We will create a rule to redirect the requests to the Desktop or to the Mobile site, based on the clients device type.
Go to the Front Door, and select the “Rules engine configuration” at the Settings section. Press “+ Add” to create a rules engine.
Type a name for the Rules engine, and a name for the first rule. Once you press the “+Add a condition” a drop down menu will open with all the available condition types.
For our example I selected the “Device type” condition and I selected that the request is Equal to Mobile.
Then press the “+ Add an action” to view the available actions.
for our example I selected to forward the request to the /mobile.html, where is the mobile site.
Finally, you need to Associate the routing rule, by selecting the three dots at the right of the rule.
and select the front door that you want this rule to be applied.
References:
https://docs.microsoft.com/en-us/azure/frontdoor/front-door-rules-engine-match-conditions
https://docs.microsoft.com/en-us/azure/frontdoor/front-door-rules-engine-actions
You can find more AFD posts at my blog, like create an Azure Front Door to scale and secure our web apps, Azure Front Door add custom domain & certificate and we use Web Application Firewall (WAF) rules to protect our web apps.
The post Azure Front Door | Rules Engine appeared first on Apostolidis Cloud Corner.
Source: e-apostolidis.gr
- Published in Azure
Οptimize your Azure environment
Οptimize your Azure environment
Cloud optimization is the process of correctly selecting and assigning the right resources to a workload or application. When workload performance, compliance, and cost are correctly and continually balanced against the best-fit infrastructure in real time, efficiency is achieved to optimize your Azure environment.
Azure offers many ways to help ensure that you’re running your workloads optimally and getting the most out of your investment. There are many ways to get started optimizing your Azure environment. You can align as an organization on your cloud adoption strategy, you can review your workload architecture against the reference architectures we provide, or you can open up Advisor and see which of your resources have best practice recommendations. Those are just a few examples, ultimately it’s a choice only you and your organization can make.
Azure Advisor
Azure Advisor, a free Azure service that helps you optimize your Azure resources for high availability, security, performance, and cost. Advisor scans your resource usage and configuration and provides over 100 personalized recommendations. Each recommendation includes inline actions to make remediating your cloud resource optimizations fast and easy.
How to get Azure Advisor recommendations? Go to the Azure Portal and in the left pane, click Advisor.
If you do not see Advisor in the left pane, click All services. In the service menu pane, under Monitoring and Management, click Advisor.
The Advisor dashboard is displayed & automatically scans your Azure configuration and recommends changes to optimize deployments, increase security, and save you money. Wait untill the recommandations are updated.
You can download the recommendations in PDF and CSV. This way you can send the recommendations to the relevant teams for review and remediation.
The recommendations are seperated in five sections, Cost, Security, High Availability, Operational Excellence, Performance
Cost recommendation helps you optimize and reduce your overall Azure spend by identifying idle and underutilized resources, like correct sizing of VMs, deleting non used resources, reserve instances, etc.
More about cost recommendations: https://www.e-apostolidis.gr/microsoft/save-money-following-the-azure-advisor-recommendations/ & here
Security recommendation integrates with Azure Security Center to bring you security recommendations. Security Center helps you prevent, detect, and respond to threats with increased visibility into and control over the security of your Azure resources
More about security Azure Security Center: https://www.e-apostolidis.gr/?s=security+center & here
High Availability recommendation helps you ensure and improve the continuity of your business-critical applications. Advisor identifies virtual machines that are not part of an availability set and recommends moving them into an availability set, identifies availability sets that contain a single virtual machine and recommends adding one or more virtual machines to it and many more.
More about high availability here
Operational Excellence recommendations help customer with process and workflow efficiency, resource manageability and deployment best practices.
More about operational excellence here
Performance recommendations help improve the speed and responsiveness of your business-critical applications.
More about performance recommendations here
Azure Architecture Center
Azure Architecture Center is a collection of free guides created by Azure experts to help you understand organizational and architectural best practices and optimize your workloads. This guidance is especially useful when you’re designing a new workload for the cloud or migrating an existing workload from on-premises to the cloud.
The guides in the Azure Architecture Center range from the Microsoft Cloud Adoption Framework for Azure, which can help guide your organization’s approach to cloud adoption and strategy, to Azure Reference Architectures, which provides recommended architectures and practices for common scenarios like AI, IoT, microservices, serverless, SAP, web apps, and more.
The post Οptimize your Azure environment appeared first on Apostolidis Cloud Corner.
Source: e-apostolidis.gr
- Published in Azure
Azure Client VPN with Azure AD auth & MFA | Step by step guide
Azure Client VPN using Azure AD & MFA
Azure Virtual Network Gateway provides the ability to connect to your Azure Virtual Network with Azure Client VPN (SSL) connections using your Azure AD or hybrid identity, with Multi Factor Authentication (MFA) and your Conditional Access policies.
We can have an Enterprise grade SSL VPN, with Active Directory authentication and Single Sign on (SSO) from your corporate laptops and apply all your conditional access policies, like MFA, Compliance devices, trused locations, etc.
How to create the VPN Gateway
Go to your Virtual Network’s subnets and create a Gateway subnet by clicking the “+ Gateway subnet”
Create a Virtual network gateway, by searching for the “Virtual network gateways” service and press Add.
Select “VPN”, “Route-based” and at the SKU select any size except the Basic. Basic SKU does not support Azure AD authentication.
Create a Public IP and leave all other settings default and create the Gateway.
After about 20 minutes the VPN Gateway is ready. In the meantime we will prepare the Azure AD and give concern to use the Azure AD with the Azure client VPN. Using a Global Admin account, go to the “Azure Active Directory” and copy the “Tenant ID” from the Overview blade, and keep it on a notepad.
Then copy the url and paste the below url to your browser’s address bar. You need to log in with a Global Admin non guest non Microsoft account.
With a guest or Microsoft account, even if it is Global Admin, you will be propted to login with an admin account, meaning a member work account.
Once you login with a member work Global Admin account, you can accept the permissions to create the Azure VPN application
You can navigate to the Azure Active Directory / Enterprise Application and view / manage the Azure AD application.
Open the Azure VPN enterprise application and copy the “Application ID” to a notepad.
Go to the VPN Gateway, select the “Point to site configuration” and click the “Configure now”
Add the Address Pool that you want the VPN clients to have, for Tunnel type select “OpenVPN (SSL) as it is the only type that supports Azure AD authentication.
Then use the details that you have copied to the notepad, the Tenant ID and the Application ID, and add them to the required fields and press save.
- Tenant: https://login.microsoftonline.com/paste-your-tenant-id-here
- Audience: paste-the-azure-vpn-application-id-here
- Issuer: https://sts.windows.net/paste-your-tenant-id-here/
How to Download the VPN Client and Connect to the Gateway
Download the VPN client, using the button.
Extrack the downloadded zip file
And at the AzureVPN folder you will find the configuration xml.
Open the Microsoft Store and get the Azure VPN Client
Open the Azure VPN Client and at the lower left corner, press the + and Import the xml configuration file
accept all the settings and press save
The Azure VPN connection will appear at the Azure VPN client and also at the Windows 10 network connections, like any other VPN
Azure VPN Client:
Windows 10 Network Connections:
Once you press connect, it will prompt you to connect using the account(s) that you are already using at your Windows 10 machine, or use a different account
You will be prompted for MFA or any other conditional access policy you have applied, and the you will be connected.
Conditional Access & Multi-Factor Authentication (MFA)
You can add Conditional Access to the Azure client VPN connection. Go to Azure Active Directory / Security / Conditional Access and create a new Policy.
Select the “Azure VPN” at the “Cloud apps or actions” section
At the Access Controls / Grand section, you can require multi-factor authentication, or AD Joined device, or compliant device, or all of that
At the “Conditions” section you can controll the location that the policy will apply. Lets say, you can apply the MFA requirement at “Any location” and exclude the “Trusted locations”, in order to not require MFA when the device is at a trusted location, like your company’s network.
The post Azure Client VPN with Azure AD auth & MFA | Step by step guide appeared first on Apostolidis Cloud Corner.
Source: e-apostolidis.gr
- Published in Azure
Quickstart your Azure jurney!
Quickstart your Azure jurney!
Are you new to Azure? You don’t know how where to start? Get started with the Azure Quickstart Center, full of guides, best practices and learning guides without leaving the Azure Portal!
How to open the Azure Quickstart Center? You can use the global search box at the top of the Azure Portal, or using the All services menu.
The user friendly environment of the Quickstart Center opens and you can start your jurney to the Azure! The Quickstart Center has two basic sections. The “Get started” and the “Take an online course”.
The “Get started” section has two sub-sections. The “Start a project”, sub-section, where you will be able to discover many options, architecture, cost and prerequisites for creating resources, and the “Setup guides” where you will have access to steped guides on how build you environment based to best practices and the Cloud Adoption Framework.
examples:
The Get Strated / Create a virtual machine option will ask you to choose between Windows or Linux VM
If you press Create, information about options, benefits, architecture references, prising and free account options.
The Start a project / Azure setup guide will provide you with all the required information to build your Azure environment using Microsoft’s best practices and the Cloud Adoption Framework.
At the Take an online course section, you will find the learning path that Microsoft has prepared about Microsoft Azure. At the Microsoft Learn site you can learn new skills and discover the power of Microsoft products with step-by-step guidance.
You can learn more about Azure setup and migration in the Microsoft Cloud Adoption Framework for Azure.
More basic level guides: https://www.e-apostolidis.gr/tag/azure-start-point/
The post Quickstart your Azure jurney! appeared first on Apostolidis Cloud Corner.
Source: e-apostolidis.gr
- Published in Azure
VirtualBox on Azure VM for testing or run Old apps
VirtualBox on Azure VM for testing or run Old apps
This article is about testing VirtualBox on Azure VM, the open-ource virtualization platform of Oracle. For the official nested virtualization support in Microsoft Azure please use the Nested Virtualization feature. You can find more info at my post serries about Nested Virtualization here: https://www.e-apostolidis.gr/tag/nested-virtualization/
Virtualization has great interest and value to the information systems ecosystem. As a sence, Virtualization, refers to running two or more operating systems one one physical PC. Either the multiple operating systems run side-by-side, with a separate piece of software called a hypervisor used to manage them, or one operating system runs the other operating systems within program windows. The former is usually limited to servers, with the latter finding common use on desktop computers.
Microsoft Azure offers virtualization layer access at the following series Virtual Machines:
D_v3
Ds_v3
E_v3
Es_v3
F2s_v2
M 160
You can find out excactly the VM sizes that supports Virtualization at the official documentation: https://docs.microsoft.com/en-us/azure/virtual-machines/acu
Why VM virtualization on Azure?
Virtualization allows to run Old Applications, that need Operating Systems that are not officialy supported on Azure. If you have an old app that is preventing your jurney to Microsoft Azure then you can transfer your old machine that runs this application directly on Azure. Of cource you can use it for testing purposes!
Step by Step Guide
For my test I am using a Standard D2s v3 (2 vcpus, 8 GiB memory) Azure VM running Windows Server 2012 R2, as it is the most ligh Windows OS to run virtualization on Azure. You can also use Windows 10, WIndows Server 2016 & WIndows Server 2019.
Download the latest VirtualBox from the Official site, https://www.virtualbox.org/, currently 6.1
Install it with all default settings. Press yes at the Network Interfaces warning and proceed.
After the installation open the VirtualBox interface. You can add a previous created Virtual Machine from your on-premises VM, or you can create a New one. 
For my test I downloaded a Windows Server 2003 Standard x86 image from my Visual Studio Subscription. Yes you can still download official Windows Server 2003 
Create a new VirtualBox Virtual Machine, and select Microsoft Windows 2003 32-bit. I provided 4096 GB Ram, since it is 32-bit.
My VMs Hardware details:
Open the VM and at the “Optical Disk Selector” promt press Add and select the OS iso
And a tear droped… Windows Server 2003 setup screen, on a Virtual Machine on Azure… That runs Windows Server 2012 R2…
Networking
VirtualBox has already created a new Network Interface Card to use for the VirtualBox Virtual Machines.
You will see two IP configuration. The Ethernet adapter “Ehternet” shows the IP address of the Azure VM and the “VirtualBox Host-Only Network” shows the IP subnet that will be used for the nested VMs
Since we are inside an Azure Virtual Machine we need to use Network Address Translation to forward the traffic inside our VM. This will allow you to conenct directly to the VirtualBox VM directly from internet. This can be used for publishing a Web Service, Web Site, RDP or any other service that needs to be published from the VirtualBox nested VM.
To manage the Port Forwarding from the Host VM (Azure VM) to the Guest VM (VirtualBox VM) open the VirtualBox Preferences and go to Network
Add an Interface, add a Nertwork CIDR (the network subnet that you want the guest VMs to have) and press Port Forwarding
Now, close the VirtualBox preferences and open the VM settings and go to Network. At the Adapter 1 go select “NAT Network” and select the “NATNetwork”
After this close the VM’s settings and login to the VM. Check the IP configuration (for windows use the cms ipconfig) and you will see that the VM has been assigned an IP from the 172.16.1.0/24 range that we added at the VirtualBox NAT network. My VM has the 172.16.1.4 IP address. Note this.
Lets go back to the VirtualBox Preferences -> Network -> Edit the NatNetwork -> Port Forwarding and add a rule to forward the 443 port from the Host VM (Azure VM) to the Guest VM (VirtualBox VM).
in my example I use Prt Forward for HTTP, HTTPS & RDP. I forward HTTP & HTTPS directly but since the RDP port 3389 is already used by the Azure VM, I use 43389 Port from Azure VM to the 3389 port of the Guest VM.
Those are my rules:
There are three places that you need to open the spesified ports in order to allow the conenction to reach the VirtualBox VM. Below I will go trough the process of opening the HTTPS port 443. The same is for all other ports.
- Azure Network Security Group (NSG)
- Azure VM Windows Firewall
- VirtualBox VM Windows Firewall
1. Go to the Azure Portal, find the Network Security Group that protects the Public IP of the Azure VM and add an inbound security rule to allow access from Any source, any port, to the IP address of the Azure VM that hosts the VirutalBox and destination port 443 (for the HTTPS Web Service)
2. At the Azure VM open the Windows Firewall and add an inbound rule to allow port 443 any to any.
3. At the VirtualBox VM open the Windows Firewall and add an exception for Port 443
To test the conenctivity I just added the Application server role at my VirtualBox VM. This will publish the default IIS web page
Once the web server is ready, from my laptop I try to access the web page, usign the Public IP address of the Azure VM using https using my browser
https://104.214.233.164/
The “Under Construction” default page of Windows Server 2003 IIS
The post VirtualBox on Azure VM for testing or run Old apps appeared first on Apostolidis Cloud Corner.
Source: e-apostolidis.gr
- Published in Azure
Azureheads #23 | Clusters in the Cloud
Azureheads #23 | Clusters in the Cloud
My virtual presentation at the #23 Azureheads virtual metup about the Azure Shared Disks feature.
You can view my PowerPoint presentation here
And the video recording at my youtube channel
The post Azureheads #23 | Clusters in the Cloud appeared first on Apostolidis Cloud Corner.
Source: e-apostolidis.gr
- Published in Azure
Azure Failover Cluster with Shared Disk – Step by Step
Azure Failover Cluster with Shared Disk
Recently MIcrosoft Azure anounched the preview feature “Shared Disk”. The Shared Disk can be attached at two Azure MVs at the same time. The purpose is to create SQL Server Failover Cluster Instances (FCI), Scale-out File Server (SoFS), File Server for General Use (IW workload), Remote Desktop Server User Profile Disk (RDS UPD) and SAP ASCS/SCS. More or less we can have a failover cluster at Azure VMs like haveing an on-premises failover cluster with shared storage.
At this post I will demostrate step-by-step how to create a Failover Cluster in Azure with two Azure VMs and a Shared Disk.
Since this is a preview feature at the time I am wroting this post, we need to sign up for our preview.
Once we have the confiration that the Shared Disk preview is enabled at our Subscription, we can proceed and create our Shared Disk. Currently this can be done only by using an ARM Template, in order to define the “maxShares”: “[parameters(‘maxShares’)]” disk property. This property defines in how VMs can this Disk be attached.
| Disk sizes | maxShares limit |
|---|---|
| P15, P20 | 2 |
| P30, P40, P50 | 5 |
| P60, P70, P80 | 10 |
Other limitations of the preview are:
- Currently only available with premium SSDs.
- Currently only supported in the West Central US region.
- All virtual machines sharing a disk must be deployed in the same proximity placement groups.
- Can only be enabled on data disks, not OS disks.
- Only basic disks can be used with some versions of Windows Server Failover Cluster, for details see
- Failover clustering hardware requirements and storage options.
- ReadOnly host caching is not available for premium SSDs with maxShares>1.
- Availability sets and virtual machine scale sets can only be used with FaultDomainCount set to 1.
- Azure Backup and Azure Site Recovery support is not yet available.
From the Azure Portal search and open the “Template Deployment”
Select the “Build your own template in the editor”
And paste the Shared Disk Json at the template
The Shared Disk Json:
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"dataDiskName": {
"type": "string",
"defaultValue": "mySharedDisk"
},
"dataDiskSizeGB": {
"type": "int",
"defaultValue": 1024
},
"maxShares": {
"type": "int",
"defaultValue": 2
}
},
"resources": [
{
"type": "Microsoft.Compute/disks",
"name": "[parameters('dataDiskName')]",
"location": "[resourceGroup().location]",
"apiVersion": "2019-07-01",
"sku": {
"name": "Premium_LRS"
},
"properties": {
"creationData": {
"createOption": "Empty"
},
"diskSizeGB": "[parameters('dataDiskSizeGB')]",
"maxShares": "[parameters('maxShares')]"
}
}
]
}
After the Template Deployment is comleted you will see a normal disk at the Resoruce Group.
Create the VMs
Create both VMs like any normal Azure VM creation. I created wto Windows Server 2016 VMs. Both VMs must be added to the same availability set (Fault Domain = 1), in order to add them behing an internal load balancer and they must be added to the same Proximity Placement Group.
To create a Proximity Placement Group, just create a new resource, search for “Proximity Placement Group” and press create. Just provide a name for the PPG and the location, that must be the same as the Disk.
And select it at the VM creation wizard:
Attach the Sahred Disk to Both VMs
When attaching the Shared Disk to the VMs you will see the “disk shares used” This reports in how many VMs this disk is attached.
Once the VMs are ready we can start the Failover Cluster process. We need to add both VMs to the Domain. Then go tot he Disk Management and bring the disks online, GTP on both servers. The next step is to enable the Failover Clustering feature on both VMs. This can be easily acomplished using the below command:
Install-WindowsFeature -Name Failover-Clustering –IncludeManagementTools –ComputerName SDVM01
Install-WindowsFeature -Name Failover-Clustering –IncludeManagementTools –ComputerName SDVM02
Restart both VMs
Lets start the Failover Cluster Wizard. Select both Azure VMs and validate with running all tests.
The report should have sucess to all Storage Related Stuff. Only the Cluster IP will fail, since it cannot allocate an Azure IP.
So we will not create the Cluster uning the GUI wizard. We will create the cluster unsing the new-cluster command to spesify the cluter IP. But first lets create the Cluster IP Load Balancer.
To enable the Cluster IP we need to create an Internal StandardLoad Balancer with Static IP. Add both VMs to the Backend pool of the load balancer.
And Run this command to one of the two VMs:
New-Cluster -Name cluster1 -Node SDVM01,SDVM02 -StaticAddress 192.168.0.10
The cluster is ready and we can now we can add the Disk to the Cluster
righ click at the Cluster Disk 1 and select “Add to cluster shared volumes”
Wait untill the disk is online
‘
and check the C:ClusterStorage path for the “Volume1” link.
open the Volume1 and create a file, just to cehck that it is working
To have a more stable cluster, add a Quorum. At the cluster name, right click and select More Actions / Configure Quorum settings.
Since we are on Azure we will configure an Azure Storage account for quorum. Select the “Advanced Configuration”
and select the “Configure CLoud Witness”.
Create an Azure Storage Account
add the Storage Account to the Virtual Network of the VMs, to secure it
And once the Storage Account is ready, copy/paste the name and the Key to the Culster Quorum wizard.
Now we have a full failover cluster
Server 1:
Server 2:
Now we can deploy SQL Server FCI, File Server, etc.. !!!!
More info abuot the Shared Disk: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/disks-shared-enable
The post Azure Failover Cluster with Shared Disk – Step by Step appeared first on Apostolidis Cloud Corner.
Source: e-apostolidis.gr
- Published in Azure
Greek MVPs in Action | Accelerate your web applications with Azure Front Door
Greek MVPs in Action | Accelerate your web applications with Azure Front Door
Thank you all who attented my presentation at Sunday’s 29/3/2020 virtual Greek MVPs in Actions event.
My presentation was about the Azure Front Door Service and how you can use it to accelerate and protect your web applications.
You can donwload my presentation here
The post Greek MVPs in Action | Accelerate your web applications with Azure Front Door appeared first on Apostolidis Cloud Corner.
Source: e-apostolidis.gr
- Published in Azure
Azure Front Door add custom domain & certificate
Azure Front Door add custom domain & certificate
This is my third Azure Front Door Post. Already we created an Azure Front Door to scale and secure our web apps, and we used Web Application Firewall (WAF) rules to protect our web apps. At this post we will see how to add a custom domain name and our certificate to the Azure Front Door.
Azure Front Door provides ssl certificates and management for the .azurefd.net domain. But in most cases we will need to add our custom domain name and of cource our certificate.
To add a custom domain name and our certificate we need:
- The public certificate in PFX format
- Register the Azure Front Door Service Principal
- An Azure Key Vault
- Access to the Public DNS of our custom domain
Azure Key Vault
Azure Front Door imports custom certifiated only from Azure key Vault. So we need to create a Key Vault and provide access to the Azure Front Door Service Principal. First register the Azure Front Door Service Principal using this script: (I prefer cloud Shell)
New-AzADServicePrincipal -ApplicationId "ad0e1c7e-6d38-4ba4-9efd-0bc77ba9f037"
Result:
Then search the Marketplace and create a key Vault
At the first page fill the name and region and go to the Next Page, Access Policy and press “+ Add Access Policy” to add a new access policy. At the certificate permissions select the get secret & get & list certificates and authorities. For principal select the “Microsoft.Azure.Frontdoor” and add.
Next at the Network Connectivity method select all networks, or if you select selected networks remember to allow the Azure Front Door Bckend IP Range, 147.243.0.0/16. For updated IP range check the https://www.microsoft.com/download/details.aspx?id=56519
Once the Key Vault is ready, open it, go to Certificatess -> Generate/Import
Slect Import and upload your certificate.
Edit the Front Door
Once the certificate is uploaded successfully, go to the Azure Front Door designer. At the Frontend/domains press the + to add the custom domain
Write your custom host name and the form will inform you to create a CNAME to point to the front door. You need to do this first to proceed.
After that enable the Custom Domain HTTPS and select use my own certificate
Select the KeyVault, the certificate and the version and press add adn then Save.
The process will start, it will check the certificate and it will import it to the Front Door.
Now, since we have the SSL termination at the Azure Front Door, we can forward the request unencripted to our backend, this is called SSL Offload. To do this update routing rule to accept HTTPS only requests, select for frontends the custom domain and for backend forwarding protocol HTTP only
Then go to the Web App and turn off the HTTPs Only.
We can now check our web app at the custom domain: https://myapp.funniest.gr
Don’t forget, we have locked our backend web apps with access restriction to allow only the Front Doors backend IP range 147.243.0.0/16
The post Azure Front Door add custom domain & certificate appeared first on Apostolidis Cloud Corner.
Source: e-apostolidis.gr
- Published in Azure
Infrastructure as Code | Deploy a VNET & NSG & UDR
Infrastructure as Code | Deploy a VNET with NSG and UDRs
Infrastructure as Code, or just IaC, provides three three main advantages: cost reduction, faster execution and risk reduction, the attributes of the DevOps culture.
Microsoft Azure Resource Manager allows the managing and provisioning of Azure Resources, that can be Virtual Machines, Virtual Networks, Storage Accounts, Apps, SQL Databases and everything that a computer data center includes, through machine-readable definition files, known as JSON templates, without the need of physical hardware configuration or interactive configuration tools.
I am starting a series of posts about building infrastructure with JSON templates.
The tool I use to build my Azure Json templates is the Visual Studio Code. You can download it from https://code.visualstudio.com/ for every platform.
To work with Azure Resource Manager you need the Azure Resource Manager Tools extension. Open the VS Code, go to the Extensions Section, search and install the Azure Resource Manager Tools extension.
The extension is very helpful since it highlights the code, it provides references and intellisense.
At this post I am sharing & explaining my Azure json template for deploying a Virtual Network, a Network Security Group and a Route Table.
You can find and download my working template at my Git account :
https://github.com/proximagr/ARMTemplates/tree/master/VNET-2sub-NSG-UDR
Json Template Guide
Below you can find my template with comments, for better understanding.
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
//** Define the Virtual Network Name */
"vnetName": {
"type": "string",
"defaultValue": "Cloud-Corner-VNET",
"metadata": {
"description": "Cloud Corner VNET"
}
//** Define the Address Space of the Virtual Network */
},
"vnetAddressPrefix": {
"type": "string",
"defaultValue": "10.0.0.0/24",
"metadata": {
"description": "Address prefix"
}
//** Define the Address Space of the the First Subnet */
},
"subnet1Prefix": {
"type": "string",
"defaultValue": "10.0.0.0/27",
"metadata": {
"description": "Subnet 1 Prefix"
}
//** Define the Name of the the First Subnet */
},
"subnet1Name": {
"type": "string",
"defaultValue": "Subnet1",
"metadata": {
"description": "Subnet 1 Name"
}
//** Define the Address Space of the the Second Subnet */
},
"subnet2Prefix": {
"type": "string",
"defaultValue": "10.0.0.32/27",
"metadata": {
"description": "Subnet 2 Prefix"
}
//** Define the Name of the the First Subnet */
},
"subnet2Name": {
"type": "string",
"defaultValue": "Subnet2",
"metadata": {
"description": "Subnet 2 Name"
}
},
//** Define the Name of the the Network Security Group */
"networkSecurityGroup01Name": {
"type": "string",
"defaultValue": "Cloud-Corner-NSG-01",
"metadata": {
"description": "This is the name of the network security group"
}
},
//** Define the Name of the the First Route Table */
"RouteTable01Name": {
"type": "string",
"defaultValue": "Cloud-Corner-UDR-01",
"metadata": {
"description": "Route Table 01 Name."
}
},
//** Define the Name of the the First Route of the First Route Table */
"Route01Name": {
"type": "string",
"defaultValue": "To-internet",
"metadata": {
"description": "Route 01 Name."
}
},
//** Define the Next Hop Type of the the First Route of the First Route Table */
"Route01NextHopType": {
"type": "string",
"allowedValues": [
"VirtualNetworkGateway",
"VnetLocal",
"Internet",
"VirtualAppliance",
"None"
],
"defaultValue": "VirtualAppliance",
"metadata": {
"description": "Route 01 Next Hop Type."
}
},
//** Define the Address Prefix of the First Route of the First Route Table */
"Route01AddressPrefix": {
"type": "string",
"defaultValue": "0.0.0.0/0",
"metadata": {
"description": "Route 01 Address Prefix."
}
},
//** If you set "Virtyal Appliance for Next Hop Type, then you need to define the Next Hop IP Address, */
//** meaning the appliance's IP address. Here you define it for the First Route of the First Route Table */
"RT01Route01NextHopIPAddress": {
"type": "string",
"defaultValue": "10.0.0.40",
"metadata": {
"description": "Next Hop IP Addess."
}
},
//** Define the Name of the Second Route Table */
"RouteTable02Name": {
"type": "string",
"defaultValue": "Cloud-Corner-UDR-02",
"metadata": {
"description": "Route Table 02 Name."
}
},
//** Define the Name of the the First Route of the Second Route Table */
"RT02Route01Name": {
"type": "string",
"defaultValue": "Local-Subnet",
"metadata": {
"description": "Route Table 02 Route 01 Name."
}
},
//** Define the Next Hop Type of the the First Route of the Second Route Table */
"RT02Route01NextHopType": {
"type": "string",
"allowedValues": [
"VirtualNetworkGateway",
"VnetLocal",
"Internet",
"VirtualAppliance",
"None"
],
"defaultValue": "VnetLocal",
"metadata": {
"description": "Route 02 Next Hop Type."
}
},
//** Define the Address Prefix of the the First Route of the Second Route Table */
"RT02Route01AddressPrefix": {
"type": "string",
"defaultValue": "10.0.0.0/27",
"metadata": {
"description": "Route Table 02 Route 01 Address Prefix."
}
},
//** Define the Name of the the Second Route of the Second Route Table */
"RT02Route02Name": {
"type": "string",
"defaultValue": "To-subnet-1",
"metadata": {
"description": "Route Table 02 Route 01 Name."
}
},
//** Define the Next Hop Type of the the Second Route of the Second Route Table */
"RT02Route02NextHopType": {
"type": "string",
"allowedValues": [
"VirtualNetworkGateway",
"VnetLocal",
"Internet",
"VirtualAppliance",
"None"
],
"defaultValue": "VirtualAppliance",
"metadata": {
"description": "Route 02 Next Hop Type."
}
},
//** Define the address prefix of the the Second Route of the Second Route Table */
"RT02Route02AddressPrefix": {
"type": "string",
"defaultValue": "10.0.0.32/27",
"metadata": {
"description": "Route Table 02 Route 01 Address Prefix."
}
},
//** Define the next hop IP address (the virtual appliance's address) of the the Second Route of the Second Route Table */
"RT02Route02NextHopIPAddress": {
"type": "string",
"defaultValue": "10.0.0.40",
"metadata": {
"description": "Next Hop IP Addess."
}
}
},
//** I dont use any variables, you can exclude this section*/
"variables": {},
"resources": [
//* create the First Route Table & Route*/
{
"apiVersion": "2017-10-01",
"type": "Microsoft.Network/routeTables",
"name": "[parameters('RouteTable01Name')]",
"location": "[resourceGroup().location]",
"properties": {
"disableBgpRoutePropagation": true,
"routes": [
{
"name": "[parameters('Route01Name')]",
"properties": {
"addressPrefix": "[parameters('Route01AddressPrefix')]",
"nextHopType": "[parameters('Route01NextHopType')]",
"nextHopIpAddress": "[parameters('RT01Route01NextHopIPAddress')]"
}
}
]
}
},
//* create the Second Route Table & Routes*/
{
"apiVersion": "2017-10-01",
"type": "Microsoft.Network/routeTables",
"name": "[parameters('RouteTable02Name')]",
"location": "[resourceGroup().location]",
"properties": {
"disableBgpRoutePropagation": true,
"routes": [
{
"name": "[parameters('RT02Route01Name')]",
"properties": {
"addressPrefix": "[parameters('RT02Route01AddressPrefix')]",
"nextHopType": "[parameters('RT02Route01NextHopType')]"
}
},
{
"name": "[parameters('RT02Route02Name')]",
"properties": {
"addressPrefix": "[parameters('RT02Route02AddressPrefix')]",
"nextHopType": "[parameters('RT02Route02NextHopType')]",
"nextHopIpAddress": "[parameters('RT02Route02NextHopIPAddress')]"
}
}
]
}
},
//* create teh Network Security Group */
{
"apiVersion": "2019-02-01",
"type": "Microsoft.Network/networkSecurityGroups",
"name": "[parameters('networkSecurityGroup01Name')]",
"location": "[resourceGroup().location]",
"properties": {
"securityRules": [
{
"name": "HTTPS",
"properties": {
"description": "Open HTTPS to Public",
"protocol": "Tcp",
"sourcePortRange": "443",
"destinationPortRange": "443",
"sourceAddressPrefix": "*",
"destinationAddressPrefix": "*",
"access": "Allow",
"priority": 101,
"direction": "Inbound"
}
}
]
}
},
//* create the Virtual Network */
{
"apiVersion": "2018-10-01",
"type": "Microsoft.Network/virtualNetworks",
"name": "[parameters('vnetName')]",
"location": "[resourceGroup().location]",
//*add a dependency in order to ensure that the NSG is created before the VNET, in order to be able to attach it*/
"dependsOn": [
"[parameters('networkSecurityGroup01Name')]"
],
"properties": {
"AddressSpace": {
"AddressPrefixes": [
"[parameters('vnetAddressPrefix')]"
]
}
},
"resources": [
//* create the first subnet */
{
"apiVersion": "2018-10-01",
"type": "subnets",
"location": "[resourceGroup().location]",
"name": "[parameters('subnet1Name')]",
//* add dependencies to create the resources with an order, because you need to ensure that the VNET is ready before creating the Subnet and also the Route Table*/
"dependsOn": [
"[parameters('vnetName')]",
"[resourceId('Microsoft.Network/routeTables', parameters('RouteTable01Name'))]"
],
"properties": {
"AddressPrefix": "[parameters('subnet1Prefix')]",
//*attach the Newtork Securoty Group to the Subnet*/
"networkSecurityGroup": {
"id": "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('networkSecurityGroup01Name'))]"},
//*attacht the First route table to the Subnet*/
"routeTable": {
"id": "[resourceId('Microsoft.Network/routeTables', parameters('RouteTable01Name'))]"
}
}
},
//*create the second subnet*/
{
"apiVersion": "2018-10-01",
"type": "subnets",
"location": "[resourceGroup().location]",
"name": "[parameters('subnet2Name')]",
"dependsOn": [
"[parameters('vnetName')]",
"[parameters('subnet1Name')]",
"[parameters('RouteTable02Name')]"
],
"properties": {
"AddressPrefix": "[parameters('subnet2Prefix')]",
//*attach the Newtork Securoty Group to the Subnet*/
"networkSecurityGroup": {
"id": "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('networkSecurityGroup01Name'))]"},
//*attacht the second route table to the Subnet*/
"routeTable": {
"id": "[resourceId('Microsoft.Network/routeTables', parameters('RouteTable02Name'))]"
}
}
}
]
}
]
}
Deploy the template
Deploy the template directly from here:
More Azure Resource Manager Templates: https://www.e-apostolidis.gr/microsoft/azure/create-azure-file-shares-using-arm-template-powershell/
The post Infrastructure as Code | Deploy a VNET & NSG & UDR appeared first on Apostolidis Cloud Corner.
Source: e-apostolidis.gr
- Published in Azure