diff --git a/aksarc_jumpstart/configuration/vm-template.json b/aksarc_jumpstart/configuration/vm-template.json index 7b4146fc..5ca77b14 100644 --- a/aksarc_jumpstart/configuration/vm-template.json +++ b/aksarc_jumpstart/configuration/vm-template.json @@ -57,6 +57,9 @@ "dependsOn": [ "[concat('Microsoft.Network/networkInterfaces/', parameters('vmName'), '-nic')]" ], + "identity": { + "type": "SystemAssigned" + }, "properties": { "hardwareProfile": { "vmSize": "[parameters('vmSize')]" @@ -99,15 +102,36 @@ } } }, + { + "type": "Microsoft.Compute/virtualMachines/extensions", + "apiVersion": "2019-03-01", + "name": "[concat(parameters('vmName'), '/Microsoft.Azure.Geneva.GenevaMonitoring')]", + "location": "[parameters('location')]", + "dependsOn": [ + "[resourceId('Microsoft.Compute/virtualMachines', parameters('vmName'))]" + ], + "properties": { + "publisher": "Microsoft.Azure.Geneva", + "type": "GenevaMonitoring", + "typeHandlerVersion": "2.0", + "autoUpgradeMinorVersion": true, + "enableAutomaticUpgrade": true, + "settings": {}, + "protectedSettings": {} + } + }, { "type": "Microsoft.Authorization/roleAssignments", "apiVersion": "2022-04-01", "name": "[guid(resourceGroup().id, parameters('vmName'), 'Contributor')]", + "dependsOn": [ + "[resourceId('Microsoft.Compute/virtualMachines', parameters('vmName'))]" + ], "properties": { "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "principalId": "[reference(resourceId('Microsoft.Compute/virtualMachines', parameters('vmName')), '2022-03-01', 'Full').identity.principalId ]", + "principalId": "[reference(resourceId('Microsoft.Compute/virtualMachines', parameters('vmName')), '2022-08-01', 'Full').identity.principalId]", "scope": "[resourceGroup().id]" } } ] -} +} \ No newline at end of file 
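Review bot: The new `dependsOn` plus the corrected `reference(...)` make the Contributor role assignment (`b24988ac-…`) on the whole resource group the first thing the VM's system-assigned identity receives, yet jumpstart.ps1 still grants the same identity Contributor at subscription scope (its `az role assignment create … --scope /subscriptions/$subscriptionId` line is context in that file's second hunk), so the template grant is redundant and the effective privilege stays subscription-wide; keep one grant at the narrowest scope the appliance deployment actually needs and drop the other. The `Microsoft.Azure.Geneva`/`GenevaMonitoring` extension is added with `"settings": {}` and `"protectedSettings": {}` and `enableAutomaticUpgrade: true`, so it is unclear what it will report, and this publisher looks like a Microsoft-internal agent that other subscriptions may not be able to install — confirm on a non-Microsoft subscription or gate it behind a template parameter. The `"identity": { "type": "SystemAssigned" }` block added in the first hunk also duplicates the `az vm identity assign` call jumpstart.ps1 still makes; one of the two can go.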
diff --git a/aksarc_jumpstart/configuration/vnet-fw-rt-template.json b/aksarc_jumpstart/configuration/vnet-fw-rt-template.json
new file mode 100644
index 00000000..a368e79c
--- /dev/null
+++ b/aksarc_jumpstart/configuration/vnet-fw-rt-template.json
@@ -0,0 +1,630 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "location": {
+ "type": "string",
+ "defaultValue": "eastus2"
+ },
+ "vnetName": {
+ "type": "string",
+ "defaultValue": "jumpstartVNet"
+ },
+ "vNetAddressPrefix": {
+ "type": "string",
+ "defaultValue": "10.0.0.0/16"
+ },
+ "subnetName": {
+ "type": "string",
+ "defaultValue": "jumpstartSubnet"
+ },
+ "subnetPrefix": {
+ "type": "string",
+ "defaultValue": "10.0.0.0/24"
+ },
+ "firewallSubnetPrefix": {
+ "type": "string",
+ "defaultValue": "10.0.1.0/26"
+ },
+ "bastionSubnetPrefix": {
+ "type": "string",
+ "defaultValue": "10.0.2.0/26"
+ },
+ "nsgName": {
+ "type": "string",
+ "defaultValue": "bastion-nsg"
+ },
+ "firewallName": {
+ "type": "string",
+ "defaultValue": "jumpstartFirewall"
+ },
+ "firewallPolicyName": {
+ "type": "string",
+ "defaultValue": "jumpstartFirewallPolicy"
+ },
+ "routeTableName": {
+ "type": "string",
+ "defaultValue": "jumpstartRouteTable"
+ },
+ "bastionName": {
+ "type": "string",
+ "defaultValue": "jumpstartBastion"
+ },
+ "bastionPublicIpName": {
+ "type": "string",
+ "defaultValue": "jumpstartVNet-IPv4"
+ }
+ },
+ "variables": {
+ "firewallPublicIpName": "[concat(parameters('firewallName'), '-pip')]"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Network/networkSecurityGroups",
+ "apiVersion": "2022-09-01",
+ "name": "[parameters('nsgName')]",
+ "location": "[parameters('location')]",
+ "properties": {
+ "securityRules": [
+ {
+ "name": "AllowHttpsInbound",
+ "properties": {
+ "protocol": "Tcp",
+ "sourcePortRange": "*",
+ "destinationPortRange": "443",
+ "sourceAddressPrefix": "Internet",
+ "destinationAddressPrefix": "*",
+ "access": "Allow",
+ "priority": 115,
+ "direction": "Inbound"
+ }
+ },
+ {
+ "name": "AllowAzureCloudOutbound",
+ "properties": {
+ "protocol": "Tcp",
+ "sourcePortRange": "*",
+ "destinationPortRange": "443",
+ "sourceAddressPrefix": "*",
+ "destinationAddressPrefix": "AzureCloud",
+ "access": "Allow",
+ "priority": 101,
+ "direction": "Outbound"
+ }
+ },
+ {
+ "name": "AllowRdpOutbound",
+ "properties": {
+ "protocol": "Tcp",
+ "sourcePortRange": "*",
+ "destinationPortRange": "3389",
+ "sourceAddressPrefix": "*",
+ "destinationAddressPrefix": "VirtualNetwork",
+ "access": "Allow",
+ "priority": 102,
+ "direction": "Outbound"
+ }
+ },
+ {
+ "name": "AllowSshOutbound",
+ "properties": {
+ "protocol": "Tcp",
+ "sourcePortRange": "*",
+ "destinationPortRange": "22",
+ "sourceAddressPrefix": "*",
+ "destinationAddressPrefix": "VirtualNetwork",
+ "access": "Allow",
+ "priority": 103,
+ "direction": "Outbound"
+ }
+ },
+ {
+ "name": "AllowSshInboundForBastion",
+ "properties": {
+ "priority": 102,
+ "access": "Allow",
+ "direction": "Inbound",
+ "protocol": "Tcp",
+ "sourceAddressPrefix": "168.63.129.16",
+ "sourcePortRange": "*",
+ "destinationAddressPrefix": "*",
+ "destinationPortRange": "22"
+ }
+ },
+ {
+ "name": "AllowRdpInboundForBastion",
+ "properties": {
+ "priority": 100,
+ "access": "Allow",
+ "direction": "Inbound",
+ "protocol": "Tcp",
+ "sourceAddressPrefix": "168.63.129.16",
+ "sourcePortRange": "*",
+ "destinationAddressPrefix": "*",
+ "destinationPortRange": "3389"
+ }
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.Network/routeTables",
+ "apiVersion": "2022-09-01",
+ "name": "[parameters('routeTableName')]",
+ "location": "[parameters('location')]",
+ "properties": {
+ "disableBgpRoutePropagation": false,
+ "routes": [
+ {
+ "name": "RouteToFirewall",
+ "properties": {
+ "addressPrefix": "0.0.0.0/0",
+ "nextHopType": "VirtualAppliance",
+ "nextHopIpAddress": "10.0.1.4"
+ }
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.Network/publicIPAddresses",
+ "apiVersion": "2022-09-01",
+ "name": "[variables('firewallPublicIpName')]",
+ "location": "[parameters('location')]",
+ "sku": {
+ "name": "Standard"
+ },
+ "properties": {
+ "publicIPAllocationMethod": "Static",
+ "publicIPAddressVersion": "IPv4",
+ "ipTags": [
+ {
+ "ipTagType": "FirstPartyUsage",
+ "tag": "/NonProd"
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.Network/publicIPAddresses",
+ "apiVersion": "2022-09-01",
+ "name": "[parameters('bastionPublicIpName')]",
+ "location": "[parameters('location')]",
+ "sku": {
+ "name": "Standard"
+ },
+ "properties": {
+ "publicIPAllocationMethod": "Static",
+ "publicIPAddressVersion": "IPv4",
+ "ipTags": [
+ {
+ "ipTagType": "FirstPartyUsage",
+ "tag": "/NonProd"
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.Network/firewallPolicies",
+ "apiVersion": "2022-09-01",
+ "name": "[parameters('firewallPolicyName')]",
+ "location": "[parameters('location')]",
+ "properties": {
+ "sku": {
+ "tier": "Standard"
+ },
+ "threatIntelMode": "Alert",
+ "explicitProxy": {
+ "enableExplicitProxy": true,
+ "httpPort": 8080,
+ "httpsPort": 8443,
+ "enablePacFile": false
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Network/firewallPolicies/ruleCollectionGroups",
+ "apiVersion": "2022-09-01",
+ "name": "[concat(parameters('firewallPolicyName'), '/DefaultNetworkRuleCollectionGroup')]",
+ "location": "[parameters('location')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Network/firewallPolicies', parameters('firewallPolicyName'))]"
+ ],
+ "properties": {
+ "priority": 200,
+ "ruleCollections": [
+ {
+ "ruleCollectionType": "FirewallPolicyFilterRuleCollection",
+ "action": {
+ "type": "Allow"
+ },
+ "rules": [
+ {
+ "ruleType": "NetworkRule",
+ "name": "AllowAzureCloudTCP",
+ "ipProtocols": [
+ "TCP"
+ ],
+ "sourceAddresses": [
+ "*"
+ ],
+ "sourceIpGroups": [],
+ "destinationAddresses": [
+ "AzureCloud"
+ ],
+ "destinationIpGroups": [],
+ "destinationFqdns": [],
+ "destinationPorts": [
+ "443",
+ "9000"
+ ]
+ },
+ {
+ "ruleType": "NetworkRule",
+ "name": "AllowAzureCloudUDP",
+ "ipProtocols": [
+ "UDP"
+ ],
+ "sourceAddresses": [
+ "*"
+ ],
+ "sourceIpGroups": [],
+ "destinationAddresses": [
+ "AzureCloud"
+ ],
+ "destinationIpGroups": [],
+ "destinationFqdns": [],
+ "destinationPorts": [
+ "123",
+ "1194"
+ ]
+ },
+ {
+ "ruleType": "NetworkRule",
+ "name": "AllowDNS",
+ "ipProtocols": [
+ "UDP"
+ ],
+ "sourceAddresses": [
+ "*"
+ ],
+ "sourceIpGroups": [],
+ "destinationAddresses": [
+ "*"
+ ],
+ "destinationIpGroups": [],
+ "destinationFqdns": [],
+ "destinationPorts": [
+ "53"
+ ]
+ }
+ ],
+ "name": "NetworkRuleCollection",
+ "priority": 200
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.Network/firewallPolicies/ruleCollectionGroups",
+ "apiVersion": "2022-09-01",
+ "name": "[concat(parameters('firewallPolicyName'), '/DefaultApplicationRuleCollectionGroup')]",
+ "location": "[parameters('location')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Network/firewallPolicies', parameters('firewallPolicyName'))]",
+ "[resourceId('Microsoft.Network/firewallPolicies/ruleCollectionGroups', parameters('firewallPolicyName'), 'DefaultNetworkRuleCollectionGroup')]"
+ ],
+ "properties": {
+ "priority": 300,
+ "ruleCollections": [
+ {
+ "ruleCollectionType": "FirewallPolicyFilterRuleCollection",
+ "action": {
+ "type": "Allow"
+ },
+ "rules": [
+ {
+ "ruleType": "ApplicationRule",
+ "name": "AllowAzureServices",
+ "protocols": [
+ {
+ "protocolType": "Https",
+ "port": 443
+ },
+ {
+ "protocolType": "Http",
+ "port": 80
+ }
+ ],
+ "fqdnTags": [
+ "AzureKubernetesService"
+ ],
+ "targetFqdns": [],
+ "targetUrls": [],
+ "terminateTLS": false,
+ "sourceAddresses": [
+ "*"
+ ],
+ "destinationAddresses": [],
+ "sourceIpGroups": []
+ },
+ {
+ "ruleType": "ApplicationRule",
+ "name": "AllowGitHubRaw",
+ "protocols": [
+ {
+ "protocolType": "Https",
+ "port": 443
+ }
+ ],
+ "fqdnTags": [],
+ "targetFqdns": [
+ "raw.githubusercontent.com"
+ ],
+ "targetUrls": [],
+ "terminateTLS": false,
+ "sourceAddresses": [
+ "*"
+ ],
+ "destinationAddresses": [],
+ "sourceIpGroups": []
+ },
+ {
+ "ruleType": "ApplicationRule",
+ "name": "AllowAzCli",
+ "protocols": [
+ {
+ "protocolType": "Https",
+ "port": 443
+ },
+ {
+ "protocolType": "Http",
+ "port": 80
+ }
+ ],
+ "fqdnTags": [],
+ "webCategories": [],
+ "targetFqdns": [
+ "management.core.windows.net",
+ "management.azure.com",
+ "batch.core.windows.net",
+ "gallery.azure.com",
+ "login.microsoftonline.com",
+ "graph.windows.net",
+ "graph.microsoft.com",
+ "datalake.azure.net",
+ "raw.githubusercontent.com",
+ "rest.media.azure.net",
+ "ossrdbms-aad.database.windows.net",
+ "api.applicationinsights.io",
+ "api.loganalytics.io",
+ "dc.applicationinsights.azure.com",
+ "dev.azuresynapse.net",
+ "attest.azure.net",
+ "portal.azure.com",
+ "*.core.windows.net",
+ "*.afs.azure.net",
+ "*.vault.azure.net",
+ "*.managedhsm.azure.net",
+ "*.database.windows.net",
+ "*.mysql.database.azure.com",
+ "*.postgres.database.azure.com",
+ "*.mariadb.database.azure.com",
+ "*.azuredatalakestore.net",
+ "*.azuredatalakeanalytics.net",
+ "*.azurecr.io",
+ "*.dev.azuresynapse.net",
+ "*.attest.azure.net",
+ "aka.ms",
+ "azcliextensionsync.blob.core.windows.net",
+ "azcliprod.blob.core.windows.net",
+ "azurecliextensionsync.blob.core.windows.net",
+ "go.microsoft.com",
+ "cdn.oneget.org",
+ "powershellgallery.com",
+ "*.powershellgallery.com"
+ ],
+ "targetUrls": [],
+ "terminateTLS": false,
+ "sourceAddresses": [
+ "*"
+ ],
+ "destinationAddresses": [],
+ "sourceIpGroups": [],
+ "httpHeadersToInsert": []
+ },
+ {
+ "ruleType": "ApplicationRule",
+ "name": "AllowARB",
+ "protocols": [
+ {
+ "protocolType": "Https",
+ "port": 443
+ },
+ {
+ "protocolType": "Http",
+ "port": 80
+ }
+ ],
+ "fqdnTags": [],
+ "webCategories": [],
+ "targetFqdns": [
+ "msk8s.api.cdp.microsoft.com",
+ "msk8s.sb.tlu.dl.delivery.mp.microsoft.com",
+ "mcr.microsoft.com",
+ "*.data.mcr.microsoft.com",
+ "time.windows.com",
+ "management.azure.com",
+ "graph.microsoft.com",
+ "login.microsoftonline.com",
+ "*.login.microsoft.com",
+ "login.windows.net",
+ "*.dp.prod.appliances.azure.com",
+ "*.blob.core.windows.net",
+ "ecpacr.azurecr.io",
+ "*.his.arc.azure.com",
+ "azurearcfork8s.azurecr.io",
+ "adhs.events.data.microsoft.com",
+ "v20.events.data.microsoft.com",
+ "linuxgeneva-microsoft.azurecr.io",
+ "kvamanagementoperator.azurecr.io",
+ "packages.microsoft.com",
+ "sts.windows.net",
+ "guestnotificationservice.azure.com",
+ "gcs.prod.monitoring.core.windows.net",
+ "*.prod.microsoftmetrics.com",
+ "*.prod.hot.ingest.monitor.core.windows.net",
+ "*.prod.warm.ingest.monitor.core.windows.net",
+ "*.arc.azure.net",
+ "*.servicebus.windows.net",
+ "*.web.core.windows.net",
+ "*.dp.kubernetesconfiguration.azure.com",
+ "pypi.org",
+ "*.pypi.org",
+ "pythonhosted.org",
+ "*.pythonhosted.org"
+ ],
+ "targetUrls": [],
+ "terminateTLS": false,
+ "sourceAddresses": [
+ "*"
+ ],
+ "destinationAddresses": [],
+ "sourceIpGroups": [],
+ "httpHeadersToInsert": []
+ }
+ ],
+ "name": "ApplicationRuleCollection",
+ "priority": 300
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.Network/virtualNetworks",
+ "apiVersion": "2022-09-01",
+ "name": "[parameters('vnetName')]",
+ "location": "[parameters('location')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('nsgName'))]",
+ "[resourceId('Microsoft.Network/routeTables', parameters('routeTableName'))]"
+ ],
+ "properties": {
+ "addressSpace": {
+ "addressPrefixes": [
+ "[parameters('vNetAddressPrefix')]"
+ ]
+ },
+ "subnets": [
+ {
+ "name": "[parameters('subnetName')]",
+ "properties": {
+ "addressPrefix": "[parameters('subnetPrefix')]",
+ "networkSecurityGroup": {
+ "id": "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('nsgName'))]"
+ },
+ "routeTable": {
+ "id": "[resourceId('Microsoft.Network/routeTables', parameters('routeTableName'))]"
+ }
+ }
+ },
+ {
+ "name": "AzureFirewallSubnet",
+ "properties": {
+ "addressPrefix": "[parameters('firewallSubnetPrefix')]"
+ }
+ },
+ {
+ "name": "AzureBastionSubnet",
+ "properties": {
+ "addressPrefix": "[parameters('bastionSubnetPrefix')]"
+ }
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.Network/azureFirewalls",
+ "apiVersion": "2022-09-01",
+ "name": "[parameters('firewallName')]",
+ "location": "[parameters('location')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Network/virtualNetworks', parameters('vnetName'))]",
+ "[resourceId('Microsoft.Network/publicIPAddresses', variables('firewallPublicIpName'))]",
+ "[resourceId('Microsoft.Network/firewallPolicies', parameters('firewallPolicyName'))]",
+ "[resourceId('Microsoft.Network/firewallPolicies/ruleCollectionGroups', parameters('firewallPolicyName'), 'DefaultNetworkRuleCollectionGroup')]",
+ "[resourceId('Microsoft.Network/firewallPolicies/ruleCollectionGroups', parameters('firewallPolicyName'), 'DefaultApplicationRuleCollectionGroup')]"
+ ],
+ "properties": {
+ "sku": {
+ "name": "AZFW_VNet",
+ "tier": "Standard"
+ },
+ "threatIntelMode": "Alert",
+ "ipConfigurations": [
+ {
+ "name": "firewallConfig",
+ "properties": {
+ "publicIPAddress": {
+ "id": "[resourceId('Microsoft.Network/publicIPAddresses', variables('firewallPublicIpName'))]"
+ },
+ "subnet": {
+ "id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('vnetName'), 'AzureFirewallSubnet')]"
+ }
+ }
+ }
+ ],
+ "firewallPolicy": {
+ "id": "[resourceId('Microsoft.Network/firewallPolicies', parameters('firewallPolicyName'))]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Network/bastionHosts",
+ "apiVersion": "2023-09-01",
+ "name": "[parameters('bastionName')]",
+ "location": "[parameters('location')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Network/virtualNetworks', parameters('vnetName'))]",
+ "[resourceId('Microsoft.Network/publicIPAddresses', parameters('bastionPublicIpName'))]"
+ ],
+ "sku": {
+ "name": "Standard"
+ },
+ "properties": {
+ "scaleUnits": 2,
+ "enableTunneling": false,
+ "enableIpConnect": false,
+ "disableCopyPaste": false,
+ "enableShareableLink": false,
+ "enableKerberos": false,
+ "enableSessionRecording": false,
+ "enablePrivateOnlyBastion": false,
+ "ipConfigurations": [
+ {
+ "name": "bastionConfig",
+ "properties": {
+ "privateIPAllocationMethod": "Dynamic",
+ 
"subnet": { + "id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('vnetName'), 'AzureBastionSubnet')]" + }, + "publicIPAddress": { + "id": "[resourceId('Microsoft.Network/publicIPAddresses', parameters('bastionPublicIpName'))]" + } + } + } + ] + } + } + ], + "outputs": { + "firewallPrivateIp": { + "type": "string", + "value": "[reference(resourceId('Microsoft.Network/azureFirewalls', parameters('firewallName'))).ipConfigurations[0].properties.privateIPAddress]" + }, + "firewallPublicIp": { + "type": "string", + "value": "[reference(resourceId('Microsoft.Network/publicIPAddresses', variables('firewallPublicIpName'))).ipAddress]" + } + } +} \ No newline at end of file diff --git a/aksarc_jumpstart/configuration/vnet-template.json b/aksarc_jumpstart/configuration/vnet-template.json index 88069661..006c3824 100644 --- a/aksarc_jumpstart/configuration/vnet-template.json +++ b/aksarc_jumpstart/configuration/vnet-template.json @@ -44,7 +44,7 @@ "sourceAddressPrefix": "Internet", "destinationAddressPrefix": "*", "access": "Allow", - "priority": 100, + "priority": 115, "direction": "Inbound" } }, @@ -90,7 +90,7 @@ { "name": "AllowSshInboundForBastion", "properties": { - "priority": 101, + "priority": 102, "access": "Allow", "direction": "Inbound", "protocol": "Tcp", @@ -103,7 +103,7 @@ { "name": "AllowRdpInboundForBastion", "properties": { - "priority": 102, + "priority": 100, "access": "Allow", "direction": "Inbound", "protocol": "Tcp", diff --git a/aksarc_jumpstart/deployaksarc.ps1 b/aksarc_jumpstart/deployaksarc.ps1 index f0a0f16b..51f2ce3f 100644 --- a/aksarc_jumpstart/deployaksarc.ps1 +++ b/aksarc_jumpstart/deployaksarc.ps1 @@ -21,7 +21,9 @@ param ( [Parameter()] [string] $customLocationName, [Parameter()] - [string] $workingDir + [string] $workingDir, + [Parameter()] + [switch] $lockdown ) if ([string]::IsNullOrEmpty($workingDir)) { 
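Review bot: The NSG named `bastion-nsg` is attached to the workload subnet `[parameters('subnetName')]` (the `networkSecurityGroup` reference inside the virtualNetworks resource) while `AzureBastionSubnet` gets no NSG at all, so `AllowHttpsInbound` permits TCP 443 from `Internet` to `*` on the VM subnet and the `168.63.129.16` inbound 22/3389 rules, which only make sense for a Bastion subnet, land on the VM instead; attach this rule set to `AzureBastionSubnet` and give the workload subnet its own NSG without the Internet-inbound rule. The route table's `nextHopIpAddress` is hard-coded to `10.0.1.4` even though `firewallSubnetPrefix` is a parameter, and the same address recurs in deployappliance.ps1's proxy settings, so changing the parameter silently breaks routing — either derive the hop from the prefix or state the coupling in a `metadata`/`description` on that parameter. `threatIntelMode` is `Alert` on both the policy and the firewall, and the application rules allow wildcards such as `*.core.windows.net`, `*.blob.core.windows.net`, `*.servicebus.windows.net` and `*.azurecr.io` that match any tenant's endpoints, so this egress policy does not prevent data leaving to a storage account or registry the deployer does not own; narrowing to the specific accounts the jumpstart uses and switching to `Deny` would make it an actual control. The `FirstPartyUsage` `/NonProd` ipTags on both public IPs, the `explicitProxy` block, and `enableSessionRecording`/`enablePrivateOnlyBastion` under bastionHosts `2023-09-01` may be rejected outside Microsoft subscriptions or by that API version — verify against the published schemas before merging.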
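Review bot: The three priority changes in this file (AllowHttpsInbound 100→115, AllowSshInboundForBastion 101→102, AllowRdpInboundForBastion 102→100) do not change evaluation, since the rules match different destination ports and never overlap, so the re-numbering reads as cosmetic and the commit gives no reason for it; if the goal is to mirror the copy of this NSG in the new vnet-fw-rt-template.json, be aware the two templates now carry the same rule set by hand and will drift apart. The same observation applies to the other two hunks of this file.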
@@ -48,9 +50,12 @@ $branch = (git branch --show-current) $scriptLocation = "$gitSource/refs/heads/$branch/aksarc_jumpstart/scripts" $applianceName = "$vmName-appliance" + +$lockdownFlag = if ($lockdown) { "-useLockdown" } else { "" } + $scriptToExecute = [ordered] @{ "$scriptLocation/installazmodules.ps1" = "installazmodules.ps1 -arcHciVersion ""1.3.15"" "; - "$scriptLocation/deployappliance.ps1" = "deployappliance.ps1 -resource_group ""$GroupName"" -appliance_name ""$applianceName"" -location ""$Location"" -subscription ""$subscription"" "; + "$scriptLocation/deployappliance.ps1" = "deployappliance.ps1 -resource_group ""$GroupName"" -appliance_name ""$applianceName"" -location ""$Location"" -subscription ""$subscription"" $lockdownFlag"; "$scriptLocation/deployaksarcextension.ps1" = "deployaksarcextension.ps1 -resource_group ""$GroupName"" -appliance_name ""$applianceName"" -location ""$Location"" -subscription ""$subscription"""; "$scriptLocation/deployvmssextension.ps1" = "deployvmssextension.ps1 -resource_group ""$GroupName"" -appliance_name ""$applianceName"" -location ""$Location"" -subscription ""$subscription"""; "$scriptLocation/deploycustomlocation.ps1" = "deploycustomlocation.ps1 -resource_group ""$GroupName"" -appliance_name ""$applianceName"" -customLocationName ""$customLocationName"" -subscription ""$subscription"""; diff --git a/aksarc_jumpstart/jumpstart.ps1 b/aksarc_jumpstart/jumpstart.ps1 index 97cd0494..9afdb480 100644 --- a/aksarc_jumpstart/jumpstart.ps1 +++ b/aksarc_jumpstart/jumpstart.ps1 
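Review bot: The command string for deploycustomlocation.ps1 (the unchanged entry right after the edited deployappliance.ps1 one) still passes no `-location`, yet this commit makes deploycustomlocation.ps1 append `--location $location` to `az customlocation create` and deployaksarccluster.ps1 append it to `az aksarc create`, so those calls will run with an empty location unless a caller outside this diff supplies it; add ` -location ""$Location""` to the deploycustomlocation.ps1 entry, and to the deployaksarccluster.ps1 entry if it is built further down this table. `$lockdownFlag` is a fixed literal interpolated into a command line that is executed later, which is safe as written, but the surrounding `$scriptToExecute` table continues past the hunk, so the remaining entries are not visible here. The same missing `-location` defect applies to the deploycustomlocation.ps1 and deployaksarccluster.ps1 hunks below.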
@@ -23,13 +23,22 @@ param ( $subnetName = "jumpstartSubnet", [Parameter()] [string] - $subscriptionId + $subscriptionId, + [Parameter()] + [switch] + $lockdown ) # Create Resource Group az group create --name $GroupName --location $Location # Create Vnet and VM -az deployment group create --resource-group $GroupName --template-file ./configuration/vnet-template.json --parameters vnetName=$vnetName location=$Location subnetName=$subnetName +if ($lockdown) { + Write-Host "Deploying with firewall and network isolation..." + az deployment group create --resource-group $GroupName --template-file ./configuration/vnet-fw-rt-template.json --parameters location=$Location vnetName=$vnetName vNetAddressPrefix="10.0.0.0/16" subnetName=$subnetName subnetPrefix="10.0.0.0/24" firewallSubnetPrefix="10.0.1.0/26" bastionSubnetPrefix="10.0.2.0/26" nsgName="$($vnetName)-nsg" firewallName="$($vnetName)-firewall" firewallPolicyName="$($vnetName)-firewall-policy" routeTableName="$($vnetName)-rt" bastionName="$($vnetName)-bastion" bastionPublicIpName="$($vnetName)-bastion-pip" +} else { + Write-Host "Deploying with standard network configuration..." + az deployment group create --resource-group $GroupName --template-file ./configuration/vnet-template.json --parameters location=$Location vnetName=$vnetName subnetName=$subnetName +} az deployment group create --resource-group $GroupName --template-file ./configuration/vm-template.json --parameters adminUsername=$userName adminPassword=$password vmName=$vmName location=$Location vnetName=$vnetName vmSize="Standard_E16s_v4" subnetName=$subnetName if ($LASTEXITCODE -ne 0) { 
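Review bot: Neither branch of the new `if ($lockdown)` checks `$LASTEXITCODE` after its `az deployment group create`, while the VM deployment immediately below does, so a failed firewall/VNet deployment (the new template carries several properties that may be rejected, such as the `FirstPartyUsage` ipTags) is ignored and the VM is then deployed into a VNet that does not exist; add the same check after the closing brace, e.g. `if ($LASTEXITCODE -ne 0) { Write-Error "VNet deployment failed"; exit 1 }`, mirroring whatever the existing block after the VM deployment does. The lockdown branch also restates the template's own defaults (`10.0.0.0/16`, `10.0.0.0/24`, `10.0.1.0/26`, `10.0.2.0/26`) on the command line, and `10.0.1.0/26` must stay in step with the hard-coded firewall hop `10.0.1.4` in the route table and in deployappliance.ps1; either drop these arguments and rely on the template defaults or hoist them into script parameters next to `$lockdown`. The `$LASTEXITCODE` block that follows the VM deployment continues past the hunk, so its handling is not visible here.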
@@ -42,7 +51,7 @@ az vm identity assign --resource-group $GroupName --name $vmName $principalId = az vm show --resource-group $GroupName --name $vmName --query identity.principalId -o tsv az role assignment create --assignee $principalId --role Contributor --scope /subscriptions/$subscriptionId -#az deployment group create --resource-group $GroupName --template-file a4s-template.json --parameters location=$Location vmName=$vmName arcResourceGroup=$GroupName subscriptionId=$subscriptionId tenantId=$tenantId +az deployment group create --resource-group $GroupName --template-file ./configuration/a4s-template.json --parameters location=$Location vmName=$vmName arcResourceGroup=$GroupName subscriptionId=$subscriptionId tenantId=$tenantId # Enable Nested Virtualization az vm update --resource-group $GroupName --name $vmName --set additionalCapabilities.enableNestedVirtualization=true diff --git a/aksarc_jumpstart/scripts/1.ps1 b/aksarc_jumpstart/scripts/1.ps1 index f0492275..760d19ad 100644 --- a/aksarc_jumpstart/scripts/1.ps1 +++ b/aksarc_jumpstart/scripts/1.ps1 
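Review bot: Re-enabling the a4s-template.json deployment makes the subscription-scoped `az role assignment create --assignee $principalId --role Contributor --scope /subscriptions/$subscriptionId` two lines above the live privilege of the VM identity, while vm-template.json in this same commit grants the identity Contributor on the resource group; since this deployment is handed `arcResourceGroup=$GroupName`, the resource-group grant looks sufficient and the subscription-wide one should be removed, or its necessity recorded in a comment on that line. `$tenantId` is used here but does not appear in the parameter block edited in the previous hunk — presumably it is declared further up; verify. Like the deployments above it, this call has no `$LASTEXITCODE` check.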
@@ -35,8 +35,8 @@ netsh dhcp add securitygroups; Restart-Service dhcpserver Set-ItemProperty -Path registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ServerManager\Roles\12 -Name ConfigurationState -Value 2 Set-DhcpServerv4DnsSetting -DynamicUpdates "Always" -DeleteDnsRRonLeaseExpiry $True -UpdateDnsRRForOlderClients $True -DisableDnsPtrRRUpdate $false; -Add-DhcpServerv4Scope -name "172.16.0.0" -StartRange 172.16.100.0 -EndRange 172.16.100.255 -SubnetMask 255.255.255.0 -State Active -LeaseDuration 1.00:00:00; -Set-DhcpServerv4OptionValue -OptionID 3 -Value 172.16.0.1 -ScopeID 172.16.0.0; +Add-DhcpServerv4Scope -name "172.16.0.0" -StartRange 172.16.100.1 -EndRange 172.16.100.254 -SubnetMask 255.255.255.0 -State Active -LeaseDuration 1.00:00:00; +Set-DhcpServerv4OptionValue -OptionID 3 -Value 172.16.0.1 -ScopeID 172.16.100.0; Set-DhcpServerv4OptionValue -DnsDomain aksarc.local -DnsServer 172.16.0.1 Stop-Transcript \ No newline at end of file diff --git a/aksarc_jumpstart/scripts/deployaksarccluster.ps1 b/aksarc_jumpstart/scripts/deployaksarccluster.ps1 index 8980f9fb..9aeb484b 100644 --- a/aksarc_jumpstart/scripts/deployaksarccluster.ps1 +++ b/aksarc_jumpstart/scripts/deployaksarccluster.ps1 @@ -3,7 +3,8 @@ param( [string] $aksArcClusterName, [string] $lnetName, [string] $customLocationName, - [string] $subscription + [string] $subscription, + [string] $location ) Start-Transcript -Path "$env:LogDirectory\deployaksarccluster.ps1.log" -Append 
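Review bot: The scope now spans `172.16.100.1`–`172.16.100.254` with `-SubnetMask 255.255.255.0`, but option 3 still hands out router `172.16.0.1`, which lies outside the clients' `172.16.100.0/24`; whether guests on the InternalNAT switch can use an off-subnet default gateway depends on the guest stack, so either confirm it works or use `-SubnetMask 255.255.0.0` to match the `172.16.0.0/16` prefix deployappliance.ps1 configures (in which case the ScopeID reverts to `172.16.0.0` and the `-ScopeID` on the option line must follow). The scope's `-name "172.16.0.0"` also no longer matches its ScopeID `172.16.100.0`; rename it to `"172.16.100.0"` so the DHCP console and the ScopeID agree. The `-DnsDomain aksarc.local -DnsServer 172.16.0.1` line below is server-level (no `-ScopeID`), which is presumably intended.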
@@ -14,6 +15,6 @@ az account set -s $subscription $clId = az customlocation show --name $customLocationName --resource-group $resource_group --query "id" -o tsv $lnetId = az stack-hci-vm network lnet show --name $lnetName -g $resource_group --query id -o tsv -az aksarc create --name $aksArcClusterName --resource-group $resource_group --custom-location $clId --vnet-ids $lnetId --generate-ssh-keys +az aksarc create --name $aksArcClusterName --resource-group $resource_group --custom-location $clId --vnet-ids $lnetId --generate-ssh-keys --location $location Stop-Transcript \ No newline at end of file diff --git a/aksarc_jumpstart/scripts/deployappliance.ps1 b/aksarc_jumpstart/scripts/deployappliance.ps1 index 3046bb56..1e518b42 100644 --- a/aksarc_jumpstart/scripts/deployappliance.ps1 +++ b/aksarc_jumpstart/scripts/deployappliance.ps1 @@ -3,7 +3,8 @@ param( [string]$appliance_name = "aks_arc_appliance", [string] $workDirectory, [string] $location = "eastus2", - [string] $subscription + [string] $subscription, + [switch] $useLockdown ) if ([string]::IsNullOrEmpty($workDirectory)) { 
@@ -16,10 +17,20 @@ $VerbosePreference = "Continue" md $workDirectory -ErrorAction SilentlyContinue # Below dns server is used from Corp -New-ArcHciAksConfigFiles -subscriptionID $subscription -location $location -resourceGroup $resource_group ` - -resourceName $appliance_name -workDirectory $workDirectory -vnetName "appliance-vnet" ` - -vSwitchName "InternalNAT" -gateway "172.16.0.1" -dnsservers "172.16.0.1" -ipaddressprefix "172.16.0.0/16" ` - -k8snodeippoolstart "172.16.255.0" -k8snodeippoolend "172.16.255.12" -controlPlaneIP "172.16.255.250" +if ($useLockdown) { + Write-Host "Configuring appliance with proxy settings for network isolation..." + New-ArcHciAksConfigFiles -subscriptionID $subscription -location $location -resourceGroup $resource_group ` + -resourceName $appliance_name -workDirectory $workDirectory -vnetName "appliance-vnet" ` + -vSwitchName "InternalNAT" -gateway "172.16.0.1" -dnsservers "172.16.0.1" -ipaddressprefix "172.16.0.0/16" ` + -k8snodeippoolstart "172.16.255.0" -k8snodeippoolend "172.16.255.12" -controlPlaneIP "172.16.255.250" ` + -proxyServerHTTP "http://10.0.1.4:8080" -proxyServerHTTPS "http://10.0.1.4:8443" -proxyServerNoProxy "localhost,127.0.0.1,.svc,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16" +} else { + Write-Host "Configuring appliance without proxy settings..." + New-ArcHciAksConfigFiles -subscriptionID $subscription -location $location -resourceGroup $resource_group ` + -resourceName $appliance_name -workDirectory $workDirectory -vnetName "appliance-vnet" ` + -vSwitchName "InternalNAT" -gateway "172.16.0.1" -dnsservers "172.16.0.1" -ipaddressprefix "172.16.0.0/16" ` + -k8snodeippoolstart "172.16.255.0" -k8snodeippoolend "172.16.255.12" -controlPlaneIP "172.16.255.250" +} $configFilePath = $workDirectory + "\hci-appliance.yaml" diff --git a/aksarc_jumpstart/scripts/deployazcli.ps1 b/aksarc_jumpstart/scripts/deployazcli.ps1 index 1395f6f2..97924c72 100644 --- a/aksarc_jumpstart/scripts/deployazcli.ps1 
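Review bot: The two branches repeat the same thirteen arguments to `New-ArcHciAksConfigFiles` and differ only in the three proxy parameters, so the next change to the address plan has to be made twice and the branches will drift; build one argument hashtable, add the proxy keys only when `$useLockdown` is set, and splat it (rewritten lines below). The proxy endpoint `10.0.1.4` with ports 8080/8443 is the firewall's explicit-proxy address from vnet-fw-rt-template.json and also the route table's next hop, now hard-coded a third time; a `$proxyServer` parameter with that default would keep the three in one place. The `# Below dns server is used from Corp` comment no longer describes the `172.16.0.1` NAT gateway and can be dropped.
```powershell
$applianceArgs = @{
    subscriptionID     = $subscription
    location           = $location
    resourceGroup      = $resource_group
    resourceName       = $appliance_name
    workDirectory      = $workDirectory
    vnetName           = "appliance-vnet"
    vSwitchName        = "InternalNAT"
    gateway            = "172.16.0.1"
    dnsservers         = "172.16.0.1"
    ipaddressprefix    = "172.16.0.0/16"
    k8snodeippoolstart = "172.16.255.0"
    k8snodeippoolend   = "172.16.255.12"
    controlPlaneIP     = "172.16.255.250"
}
if ($useLockdown) {
    Write-Host "Configuring appliance with proxy settings for network isolation..."
    # Proxy is the firewall's explicit-proxy listener; keep in sync with vnet-fw-rt-template.json
    $applianceArgs.proxyServerHTTP    = "http://10.0.1.4:8080"
    $applianceArgs.proxyServerHTTPS   = "http://10.0.1.4:8443"
    $applianceArgs.proxyServerNoProxy = "localhost,127.0.0.1,.svc,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"
} else {
    Write-Host "Configuring appliance without proxy settings..."
}
New-ArcHciAksConfigFiles @applianceArgs
# … unchanged: $configFilePath assignment …
```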
+++ b/aksarc_jumpstart/scripts/deployazcli.ps1 @@ -2,9 +2,14 @@ Start-Transcript -Path "$env:LogDirectory\deployazcli.ps1.log" -Append Write-Host "Installing Azure CLI... " +Install-PackageProvider -Name NuGet -Force + +Register-PSRepository -Default -ErrorAction SilentlyContinue + Invoke-WebRequest -Uri https://aka.ms/installazurecliwindows -OutFile .\AzureCLI.msi; Start-Process msiexec.exe -ArgumentList '/I AzureCLI.msi /quiet' -NoNewWindow -Wait; Remove-Item .\AzureCLI.msi -Install-Module -Name Az.AksArc -Repository PSGallery -AcceptLicense -Force -RequiredVersion 0.1.1 +Write-Host "Installing Az.AksArc module... " +Install-Module -Name Az.AksArc -Repository PSGallery -Force -AllowClobber Stop-Transcript \ No newline at end of file diff --git a/aksarc_jumpstart/scripts/deploycustomlocation.ps1 b/aksarc_jumpstart/scripts/deploycustomlocation.ps1 index 074550bf..097d4036 100644 --- a/aksarc_jumpstart/scripts/deploycustomlocation.ps1 +++ b/aksarc_jumpstart/scripts/deploycustomlocation.ps1 @@ -2,7 +2,8 @@ param( [string]$resource_group = "jumpstart-rg", [string]$appliance_name = "aks_arc_appliance", [string] $subscription, - [string] $customLocationName + [string] $customLocationName, + [string] $location ) Start-Transcript -Path "$env:LogDirectory\deploycustomlocation.ps1.log" -Append 
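Review bot: The new `Install-Module -Name Az.AksArc -Repository PSGallery -Force -AllowClobber` drops both the `-RequiredVersion 0.1.1` pin and the `-AcceptLicense` the old line had, so every run now pulls whatever the newest gallery version is — a reproducibility and supply-chain concern, and inconsistent with installazmodules.ps1, which still pins ArcHci through `$arcHciVersion`; restore a pin, e.g. `Install-Module -Name Az.AksArc -Repository PSGallery -AcceptLicense -Force -AllowClobber -RequiredVersion <PINNED_VERSION>`, or take the version as a script parameter the way installazmodules.ps1 does. `Register-PSRepository -Default -ErrorAction SilentlyContinue` also hides a genuine failure to register PSGallery, which then surfaces as a less helpful error on the install line; guarding with `Get-PSRepository -Name PSGallery -ErrorAction SilentlyContinue` makes the intent explicit.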
@@ -10,15 +11,17 @@ Start-Transcript -Path "$env:LogDirectory\deploycustomlocation.ps1.log" -Append $aksarcExtName = "hybridaksextension" $arcvmExtName = "vmss-hci" +az login --identity +az account set -s $subscription + +az config set extension.dynamic_install_allow_preview=true +az config set extension.use_dynamic_install=yes_without_prompt $ArcApplianceResourceId=az arcappliance show -g $resource_group -n $appliance_name --query id -o tsv $AksarcClusterExtensionResourceId=az k8s-extension show -g $resource_group -c $appliance_name --cluster-type appliances --name $aksarcExtName --query id -o tsv $ArcvmClusterExtensionResourceId=az k8s-extension show -g $resource_group -c $appliance_name --cluster-type appliances --name $arcvmExtName --query id -o tsv -az login --identity -az account set -s $subscription - -az customlocation create -g $resource_group -n $customLocationName --namespace "default" --host-resource-id $ArcApplianceResourceId --cluster-extension-ids $AksarcClusterExtensionResourceId $ArcvmClusterExtensionResourceId +az customlocation create -g $resource_group -n $customLocationName --namespace "default" --host-resource-id $ArcApplianceResourceId --cluster-extension-ids $AksarcClusterExtensionResourceId $ArcvmClusterExtensionResourceId --location $location $clId = az customlocation show --name $customLocationName --resource-group $resource_group --query "id" -o tsv Stop-Transcript \ No newline at end of file diff --git a/aksarc_jumpstart/scripts/installazmodules.ps1 b/aksarc_jumpstart/scripts/installazmodules.ps1 index f3c639c1..6d9fb687 100644 --- a/aksarc_jumpstart/scripts/installazmodules.ps1 +++ b/aksarc_jumpstart/scripts/installazmodules.ps1 
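Review bot: `az config set extension.dynamic_install_allow_preview=true` and `extension.use_dynamic_install=yes_without_prompt` make the CLI fetch whatever extension version it needs — including preview builds — at the moment a command runs, which makes the run non-reproducible and pulls unpinned code onto a VM whose identity holds Contributor; install the required extensions explicitly with a version, `az extension add --name <EXTENSION_NAME> --version <PINNED_VERSION>`, and leave the preview opt-in off. Moving `az login --identity` and `az account set -s $subscription` ahead of the `az arcappliance show` / `az k8s-extension show` calls fixes their ordering, but none of these calls checks `$LASTEXITCODE`, so an empty `$ArcApplianceResourceId` flows straight into `az customlocation create`. The new `--location $location` is empty unless the caller passes it, and the deployaksarc.ps1 entry for this script in this same commit does not. `$clId` on the last line is assigned but never used.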
@@ -6,6 +6,7 @@ Start-Transcript -Path "$env:LogDirectory\installazmodules.ps1.log" -Append $VerbosePreference = "Continue" Install-Module -Name ArcHci -Repository PSGallery -AcceptLicense -Force -RequiredVersion $arcHciVersion +az login --identity az provider register --namespace Microsoft.Kubernetes --wait az provider register --namespace Microsoft.KubernetesConfiguration --wait