forked from erjosito/azcli
-
Notifications
You must be signed in to change notification settings - Fork 0
/
azfw_stresstest.azcli
190 lines (168 loc) · 11.1 KB
/
azfw_stresstest.azcli
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
# Variables
rg=azfw
location=westeurope
vnet_name=azfw
vnet_prefix=192.168.0.0/16
azfw_subnet_prefix=192.168.0.0/24
client_subnet_name=client
client_subnet_prefix=192.168.1.0/24
client_rt_name=clientrt
client_vm_size=Standard_D4_v4
client_vmss_name=clientvmss
client_vmss_cloudinit=/tmp/cloudinit.txt
server_subnet_name=server
server_subnet_prefix=192.168.2.0/24
server_rt_name=serverrt
server_vm_name=server
server_vm_pip=serverpip
server_vm_size=Standard_B1ms
server_nsg_name=servernsg
azfw_name=myazfw
azfw_policy_name=myazfwpolicy
azfw_pip=myazfwpip
test_vm1_name=test1
test_vm1_pip=test1pip
test_vm2_name=test2
test_vm2_pip=test2pip
test_vm_size=Standard_B1s
# Create RG, VNet, subnets
echo "Creating RG and VNet..."
az group create -n $rg -l $location -o none
az network vnet create -n $vnet_name -g $rg --address-prefixes $vnet_prefix --subnet-name AzureFirewallSubnet --subnet-prefixes $azfw_subnet_prefix -o none
az network vnet subnet create -g $rg -n $client_subnet_name --vnet-name $vnet_name --address-prefix $client_subnet_prefix -o none
az network vnet subnet create -g $rg -n $server_subnet_name --vnet-name $vnet_name --address-prefix $server_subnet_prefix -o none
# Creating Azure Firewall
echo "Creating Azure Firewall..."
az network firewall create -n $azfw_name -g $rg -l $location -o none
az network public-ip create -g $rg -n $azfw_pip --sku standard --allocation-method static -o none
az network firewall ip-config create -f $azfw_name -n azfw-ipconfig -g $rg --public-ip-address $azfw_pip --vnet-name $vnet_name -o none
az network firewall update -n $azfw_name -g $rg -o none
az network firewall policy create -n $azfw_policy_name -g $rg -o none
az network firewall update -n $azfw_name -g $rg --firewall-policy $azfw_policy_name -o none
az network firewall policy rule-collection-group create -n myrcg --policy-name $azfw_policy_name -g $rg --priority 1000 -o none
az network firewall policy rule-collection-group collection add-filter-collection --rule-type NetworkRule -g $rg --rcg-name myrcg --policy-name $azfw_policy_name \
--action Allow --collection-priority 1000 --name syslog --rule-name syslog --source-addresses '*' --destination-addresses $server_subnet_prefix \
--ip-protocols udp --destination-ports 514 -o none
az network firewall policy rule-collection-group collection add-filter-collection --rule-type NetworkRule -g $rg --rcg-name myrcg --policy-name $azfw_policy_name \
--action Allow --collection-priority 1010 --name icmp --rule-name icmp --source-addresses '*' --destination-addresses '*' \
--ip-protocols icmp --destination-ports '*' -o none
# Optional: Stop FW (deallocate IP config)
# echo "Stopping Azure Firewall ${azfw_name}..."
# az network firewall ip-config delete -n azfw-ipconfig -f $azfw_name -g $rg -o none
# Optional: Start FW (allocate IP config)
# echo "Restarting Azure Firewall ${azfw_name}..."
# az network firewall ip-config create -f $azfw_name -n azfw-ipconfig -g $rg --public-ip-address $azfw_pip --vnet-name $vnet_name -o none
# az network firewall update -n $azfw_name -g $rg --firewall-policy $azfw_policy_name -o none
# azfw_private_ip=$(az network firewall show -n $azfw_name -g $rg -o tsv --query 'ipConfigurations[0].privateIpAddress')
# Create RT in client and server subnets
azfw_private_ip=$(az network firewall show -n $azfw_name -g $rg -o tsv --query 'ipConfigurations[0].privateIpAddress')
echo "Creating route table ${client_rt_name}..."
az network route-table create -n $client_rt_name -g $rg -o none
az network route-table route create --route-table-name $client_rt_name -g $rg --address-prefix $vnet_prefix -n vnet \
--next-hop-type VirtualAppliance --next-hop-ip-address $azfw_private_ip -o none
az network vnet subnet update -g $rg --vnet-name $vnet_name -n $client_subnet_name --route-table $client_rt_name -o none
echo "Creating route table ${server_rt_name}..."
az network route-table create -n $server_rt_name -g $rg -o none
az network route-table route create --route-table-name $server_rt_name -g $rg --address-prefix $vnet_prefix -n vnet \
--next-hop-type VirtualAppliance --next-hop-ip-address $azfw_private_ip -o none
az network vnet subnet update -g $rg --vnet-name $vnet_name -n $server_subnet_name --route-table $server_rt_name -o none
# Optional: enable/disable the client route table, to send the syslog traffic thru the FW or bypass it
# echo "Bypassing Firewall..."
# az network vnet subnet update -g $rg --vnet-name $vnet_name -n $client_subnet_name --route-table '' -o none
# echo "Using the Firewall..."
# az network vnet subnet update -g $rg --vnet-name $vnet_name -n $client_subnet_name --route-table $client_rt_name -o none
# Creating server VM with custom NSG allowing UDP 514
az network nsg create -n $server_nsg_name -g $rg -o none
az network nsg rule create --nsg-name $server_nsg_name -g $rg -n syslogInbound --priority 1000 --destination-port-ranges 514 --access Allow --protocol Udp -o none
myip=$(curl -s4 ifconfig.co)
az network nsg rule create --nsg-name $server_nsg_name -g $rg -n sshInbound --priority 1010 --source-address-prefixes "${myip}/32" --destination-port-ranges 22 --access Allow --protocol Tcp -o none
az vm create -n $server_vm_name -g $rg --image UbuntuLTS --generate-ssh-keys --size $server_vm_size \
--vnet-name $vnet_name --subnet $server_subnet_name --nsg $server_nsg_name --public-ip-address "$server_vm_pip" --public-ip-sku Standard -o none
server_vm_nic_id=$(az vm show -n $server_vm_name -g "$rg" --query 'networkProfile.networkInterfaces[0].id' -o tsv)
server_vm_private_ip=$(az network nic show --ids $server_vm_nic_id --query 'ipConfigurations[0].privateIpAddress' -o tsv)
echo "Server VM created with private IP ${server_vm_private_ip}"
# Creating client VMSS
echo "Creating client VMSS..."
cat <<EOF > $client_vmss_cloudinit
#cloud-config
packages:
- hping3
runcmd:
- apt update
- hping3 --udp --destport 514 --flood --numeric --data 50 --rand-source $server_vm_private_ip
#- hping3 --tcp --destport 80 --faster --numeric --data 50 $server_vm_private_ip
EOF
# With PIP/instance you hit pretty quickly the quota limits
# az vmss create -n $client_vmss_name -g $rg -l $location --image UbuntuLTS --generate-ssh-keys --public-ip-per-vm --lb "" \
# --vnet-name $vnet_name --subnet $client_subnet_name --vm-sku $client_vm_size --custom-data $client_vmss_cloudinit -o none \
# --instance-count 1
# Without PIP per instance
az vmss create -n $client_vmss_name -g $rg -l $location --image UbuntuLTS --lb "" --generate-ssh-keys \
--vnet-name $vnet_name --subnet $client_subnet_name --vm-sku $client_vm_size --custom-data $client_vmss_cloudinit -o none \
--instance-count 10
# With PIP per instance, specific private key
public_key="ssh-rsa blahblah"
az vmss create -n $client_vmss_name -g $rg -l $location --image UbuntuLTS --lb "" --public-ip-per-vm --ssh-key-values $public_key \
--vnet-name $vnet_name --subnet $client_subnet_name --vm-sku $client_vm_size --custom-data $client_vmss_cloudinit -o none \
--instance-count 10
# Update existing VMSS
az vmss update -g $rg -n $client_vmss_name --set virtualMachineProfile.networkProfile.networkInterfaceConfigurations\[0\].enableIpForwarding="true" -o none
az vmss update-instances -g $rg --name $client_vmss_name --instance-ids "*" -o none
# Effective routes of server VM
az network nic show-effective-route-table --ids $server_vm_nic_id -o table
# Create test VMs
echo "Creating test VMs..."
az vm create -n $test_vm1_name -g $rg --image UbuntuLTS --generate-ssh-keys --size $test_vm_size \
--vnet-name $vnet_name --subnet $server_subnet_name --public-ip-address "$test_vm1_pip" --public-ip-sku Standard -o none
az vm create -n $test_vm2_name -g $rg --image UbuntuLTS --generate-ssh-keys --size $test_vm_size \
--vnet-name $vnet_name --subnet $server_subnet_name --public-ip-address "$test_vm2_pip" --public-ip-sku Standard -o none
test_vm1_nic_id=$(az vm show -n $test_vm1_name -g "$rg" --query 'networkProfile.networkInterfaces[0].id' -o tsv)
test_vm1_private_ip=$(az network nic show --ids $test_vm1_nic_id --query 'ipConfigurations[0].privateIpAddress' -o tsv)
test_vm2_nic_id=$(az vm show -n $test_vm2_name -g "$rg" --query 'networkProfile.networkInterfaces[0].id' -o tsv)
test_vm2_private_ip=$(az network nic show --ids $test_vm2_nic_id --query 'ipConfigurations[0].privateIpAddress' -o tsv)
echo "Test VMs created with private IPs ${test_vm1_private_ip} and ${test_vm2_private_ip}"
# Test pings between the test VMs
test_vm1_pip_ip=$(az network public-ip show -n $test_vm1_pip -g $rg --query ipAddress -o tsv)
test_vm2_pip_ip=$(az network public-ip show -n $test_vm2_pip -g $rg --query ipAddress -o tsv)
ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no $test_vm1_pip_ip "ping -c 10 $test_vm2_private_ip"
# Scale up client VMSS
# az vmss scale -n $client_vmss_name -g $rg --new-capacity 10 -o none
# az vmss list-instances -n $client_vmss_name -g $rg -o table
# Restart VMSS images instance
# az vmss reimage -n $client_vmss_name -g $rg -o none
# Azure Firewall throughput
azfw_id=$(az network firewall show -n $azfw_name -g $rg --query id -o tsv)
# az monitor metrics list-definitions --resource $azfw_id
az monitor metrics list --resource $azfw_id --namespace "Microsoft.Network/azureFirewalls" --metric Throughput --interval 1m -o table | tail -5
# Log into the VMSS instance (if it were deployed with PIP, which it isnt)
# client_vmss_pip1=$(az vmss list-instance-public-ips -n $client_vmss_name -g $rg --query '[0].ipAddress' -o tsv)
# ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no $client_vmss_pip1 "ps -ef | grep hping"
# Delete VMSS
# az vmss delete -n $client_vmss_name -g $rg
# Create Log Analytics Workspace
logws_name=$(az monitor log-analytics workspace list -g $rg --query '[0].name' -o tsv)
if [[ -z "$logws_name" ]]
then
echo "Creating new Log Analytics workspace..."
logws_name=log$RANDOM
az monitor log-analytics workspace create -n $logws_name -g $rg -o none
else
echo "Log Analytics workspace $logws_name found"
fi
logws_id=$(az resource list -g $rg -n $logws_name --query '[].id' -o tsv)
logws_customerid=$(az monitor log-analytics workspace show -n $logws_name -g $rg --query customerId -o tsv)
azfw_id=$(az network firewall show -n $azfw_name -g $rg --query id -o tsv)
az monitor diagnostic-settings create -n mydiag --resource $azfw_id --workspace $logws_id \
--metrics '[{"category": "AllMetrics", "enabled": true, "retentionPolicy": {"days": 0, "enabled": false }, "timeGrain": null}]' \
--logs '[{"category": "AzureFirewallApplicationRule", "enabled": true, "retentionPolicy": {"days": 0, "enabled": false}},
{"category": "AzureFirewallNetworkRule", "enabled": true, "retentionPolicy": {"days": 0, "enabled": false}}]' -o none
# FW logs
fw_net_logs_query='AzureDiagnostics
| where Category == "AzureFirewallNetworkRule"
| where TimeGenerated >= ago(5m)
| parse msg_s with Protocol " request from " SourceIP ":" SourcePortInt:int " to " TargetIP ":" TargetPortInt:int *
| parse msg_s with * ". Action: " Action
| project TimeGenerated, Protocol, SourceIP,SourcePortInt,TargetIP,TargetPortInt,Action // with msg_s
| where Protocol contains "Icmp"
| take 20 '
az monitor log-analytics query -w $logws_customerid --analytics-query $fw_net_logs_query -o tsv