forked from erjosito/azcli
-
Notifications
You must be signed in to change notification settings - Fork 0
/
vnet.azcli
198 lines (179 loc) · 8.72 KB
/
vnet.azcli
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
######################################
# Created by Jose Moreno
# November 2022
#
# Some useful commands around Virtual
# Networks in Azure
######################################
# Control
location=eastus2euap
create_spokes=no
number_of_spokes=2
simulate_onprem=no
enable_encryption=true
encryption_policy=dropUnencrypted # Can be allowUnencrypted or dropUnencrypted
create_azfw=yes
# Variables
rg=vnettest
hub_vnet_name=hub
vnet_prefix=192.168.0.0/24
hub_vm_subnet_name=vm
hub_vm_subnet_prefix=192.168.0.64/26
gw_subnet_prefix=192.168.0.0/26
azfw_name=myazfw
azfw_pip_name=myazfw-pip
azfw_subnet_name=AzureFirewallSubnet
azfw_subnet_prefix=192.168.0.128/26
# vm_size=Standard_B1s # Note that a size with accelerated networking is required to support encryption
vm_size=Standard_D4a_v4 # Note that a size with accelerated networking is required to support encryption
###################
# Enable features #
###################
function enable_nw_feature () {
feature_name=$1
state=$(az feature list -o table --query "[?contains(name, 'microsoft.network/$feature_name')].properties.state" -o tsv)
if [[ "$state" == "Registered" ]]
then
echo "$feature_name is already registered"
else
echo "Registering feature $feature_name..."
az feature register --name "$feature_name" --namespace microsoft.network
state=$(az feature list -o table --query "[?contains(name, 'microsoft.network/$feature_name')].properties.state" -o tsv)
echo "Waiting for feature $feature_name to finish registering..."
wait_interval=15
until [[ "$state" == "Registered" ]]
do
sleep $wait_interval
state=$(az feature list -o table --query "[?contains(name, 'microsoft.network/$feature_name')].properties.state" -o tsv)
echo "Current registration status for feature $feature_name is $state"
done
echo "Registering resource provider Microsoft.Network now..."
az provider register --namespace Microsoft.Network
fi
}
###################
# Start #
###################
# Create RG
echo "Creating resource group..."
az group create -n $rg -l $location -o none
# Create hub VNet and test VMs in the same or different AZs
echo "Creating VNet and VMs..."
az network vnet create -g $rg -n $hub_vnet_name --address-prefix $vnet_prefix --subnet-name $hub_vm_subnet_name --subnet-prefix $hub_vm_subnet_prefix -l $location \
--enable-encryption $enable_encryption --encryption-policy $encryption_policy -o none
vm_name=hubvm1
zone=1
echo "Creating VM $vm_name in AZ $zone..."
az vm create -n $vm_name -g $rg -l $location --image ubuntuLTS --generate-ssh-keys --nsg "${vm_name}-nsg" -o none -l $location --zone $zone \
--public-ip-address "${vm_name}-pip" --vnet-name $hub_vnet_name --size $vm_size --subnet $hub_vm_subnet_name --accelerated-networking
vm_name=hubvm2
zone=1
echo "Creating VM $vm_name in AZ $zone..."
az vm create -n $vm_name -g $rg -l $location --image ubuntuLTS --generate-ssh-keys --nsg "${vm_name}-nsg" -o none -l $location --zone $zone \
--public-ip-address "${vm_name}-pip" --vnet-name $hub_vnet_name --size $vm_size --subnet $hub_vm_subnet_name --accelerated-networking
# Optionally create Azure Firewall
if [[ "$create_azfw" == "yes" ]]; then
az network vnet subnet create --vnet-name $hub_vnet_name --name AzureFirewallSubnet -g $rg --address-prefixes $azfw_subnet_prefix -o none
az network public-ip create -g $rg -n $azfw_pip_name --sku standard --allocation-method static -l $location -o none
azfw_ip=$(az network public-ip show -g $rg -n $azfw_pip_name --query ipAddress -o tsv)
azfw_policy_name="${azfw_name}-policy"
az network firewall policy create -n $azfw_policy_name -g $rg -o none
az network firewall policy rule-collection-group create -n ruleset01 --policy-name $azfw_policy_name -g $rg --priority 1000 -o none
# Any-to-any network rule
echo "Creating network rule to allow all traffic..."
az network firewall policy rule-collection-group collection add-filter-collection --policy-name $azfw_policy_name --rule-collection-group-name ruleset01 -g $rg \
--name mgmt --collection-priority 101 --action Allow --rule-name allowAny --rule-type NetworkRule --description "Allow any to any" \
--destination-addresses '*' --source-addresses '*' --ip-protocols Any --destination-ports '*' -o none
# Create Azure Firewall
echo "Creating Azure Firewall..."
az network firewall create -n $azfw_name -g $rg --policy $azfw_policy_name -l $location -o none
# Configure routing (ToDo)
fi
# Flow logs - create storage account
storage_account_name=$(az storage account list -g $rg -o tsv --query "[?location=='$location'].name" | head -1) # Retrieve the storage account name if it already existed
if [[ -z "$storage_account_name" ]]; then
storage_account_name=$(echo "logs$RANDOM${location}" | cut -c1-24) # max 24 characters
echo "No storage account found in $location, creating one..."
az storage account create -n $storage_account_name -g $rg --sku Standard_LRS --kind StorageV2 -l $location -o none
else
echo "Storage account $storage_account_name created in $location, using it for NSG flow flogs"
fi
# Create Log Analytics workspace
logws_name=$(az monitor log-analytics workspace list -g $rg --query '[].name' -o tsv 2>/dev/null) # Retrieve the WS name if it already existed
if [[ -z "$logws_name" ]]
then
logws_name=log$RANDOM
az monitor log-analytics workspace create -n $logws_name -g $rg -o none
fi
logws_id=$(az resource list -g $rg -n $logws_name --query '[].id' -o tsv)
logws_customerid=$(az monitor log-analytics workspace show -n $logws_name -g $rg --query customerId -o tsv)
# Enable flow logs in the VNet
echo "Registering Microsoft.Insights RP..."
az provider register --namespace Microsoft.Insights -o none
vnet_id=$(az network vnet show -n $hub_vnet_name -g $rg --query id -o tsv)
echo "Configuring VNet Flow Logs..."
az network watcher flow-log create -l $location -n "flowlog-$location" -g $rg \
--vnet $vnet_id --storage-account $storage_account_name --log-version 2 --retention 7 \
--workspace $logws_id --interval 10 --traffic-analytics true -o none
######################
# Performance test #
######################
# iperf (hubvm2 will be the server)
# Getting IPs...
hubvm1_pip=$(az network public-ip show -n hubvm1-pip -g $rg --query ipAddress -o tsv) && echo $hubvm1_pip
hubvm1_private_ip=$(az vm show -g $rg -n hubvm1 -d --query privateIps -o tsv) && echo $hubvm1_private_ip
hubvm2_pip=$(az network public-ip show -n hubvm2-pip -g $rg --query ipAddress -o tsv) && echo $hubvm2_pip
hubvm2_private_ip=$(az vm show -g $rg -n hubvm2 -d --query privateIps -o tsv) && echo $hubvm2_private_ip
# Enable iperf server on hubvm1
ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no $hubvm1_pip "sudo apt update && sudo apt install -y iperf3"
ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no $hubvm2_pip "sudo apt update && sudo apt install -y iperf3"
ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no $hubvm1_pip "iperf3 -s -D"
ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no $hubvm2_pip "iperf3 -c $hubvm1_private_ip"
#################
# Diagnostics #
#################
# Encryption settings
az network vnet show -n $hub_vnet_name -g $rg --query encryption
az network nic list -g $rg --query '[].{Name:name, EncryptionSupported:vnetEncryptionSupported,Location:location}' -o table
# Flow logs
az network watcher flow-log list -l $location -o table
##################
# Start/Stop #
##################
function stop_firewall() {
echo "Stoping Azure Firewall ${azfw_name}..."
az network firewall ip-config delete -f $azfw_name -n azfw-ipconfig -g $rg -o none
az network firewall update -n $azfw_name -g $rg -o none
}
function start_firewall() {
echo "Starting Azure Firewall ${azfw_name}..."
az network firewall ip-config create -f $azfw_name -n azfw-ipconfig -g $rg --public-ip-address $azfw_pip_name --vnet-name $vnet_name -o none
az network firewall update -n $azfw_name -g $rg -o none
}
function stop_vms() {
vm_list=$(az vm list -o tsv -g "$rg" --query "[].name")
while IFS= read -r vm_name; do
echo "Deallocating Virtual Machine ${vm_name}..."
az vm deallocate -g $rg -n "$vm_name" --no-wait -o none
done <<< "$vm_list"
}
function start_vms() {
vm_list=$(az vm list -o tsv -g "$rg" --query "[].name")
while IFS= read -r vm_name; do
echo "Starting Virtual Machine ${vm_name}..."
az vm start -g $rg -n "$vm_name" --no-wait -o none
done <<< "$vm_list"
}
function start_lab() {
start_vms
start_firewall
}
function stop_lab() {
stop_vms
stop_firewall
}
#################
# CLEANUP #
#################
az network watcher flow-log delete -l $location -n flowlog-$location
az group delete -y --no-wait -n $rg