-
Notifications
You must be signed in to change notification settings - Fork 26
Expand file tree
/
Copy pathirbgp-azfw-ri.azcli
More file actions
268 lines (236 loc) · 10.8 KB
/
irbgp-azfw-ri.azcli
File metadata and controls
268 lines (236 loc) · 10.8 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
# Parameters (make changes based on your requirements)
rg=lab-vwan-nvabgp
vwanname=vwan-nvabgp
hub1name=hub1
region1=$(az network vhub show -g $rg -n $hub1name --query location -o tsv)
hub2name=hub2
region2=$(az network vhub show -g $rg -n $hub2name --query location -o tsv)
# Adding script starting time and finish time
start=`date +%s`
echo "Script started at $(date)"
# Pre-Requisites
# Install lastes Virtual WAN extension
echo "Installing latest Virtual WAN extension"
az extension update --name virtual-wan --only-show-errors
# Install latest azure firewall extension
echo "Installing latest Azure Firewall extension"
az extension update --name azure-firewall --only-show-errors
# Validate Firewall SKU
if [ "$1" == "basic" ]; then
firewalltier=basic
elif [ "$1" == "standard" ]; then
firewalltier=standard
elif [ "$1" == "premium" ]; then
firewalltier=premium
elif [ "$1" == "help" ]; then
echo "Usage: ./vwan-irazfw.sh [basic|standard|premium]"
exit 0
elif [ -z "$1" ]; then
echo "No parameter passed, setting Azure Firewall to Basic tier"
firewalltier=basic
fi
# Loop script to check if resource group exists if not wait for 5 seconds and check again
while [[ $(az group exists -n $rg) == false ]]; do
echo "Resource group $rg does not exist, waiting for 5 seconds..."
sleep 5
done
echo Checking Hub1 provisioning status...
# Checking Hub1 and Hub2 provisioning and routing state
prState=''
rtState=''
while [[ $prState != 'Succeeded' ]];
do
prState=$(az network vhub show -g $rg -n $hub1name --query 'provisioningState' -o tsv)
echo "$hub1name provisioningState="$prState
sleep 5
done
while [[ $rtState != 'Provisioned' ]];
do
rtState=$(az network vhub show -g $rg -n $hub1name --query 'routingState' -o tsv)
echo "$hub1name routingState="$rtState
sleep 5
done
echo Checking Hub2 provisioning status...
# Checking Hub2 provisioning and routing state
prState=''
rtState=''
while [[ $prState != 'Succeeded' ]];
do
prState=$(az network vhub show -g $rg -n $hub2name --query 'provisioningState' -o tsv)
echo "$hub2name provisioningState="$prState
sleep 5
done
while [[ $rtState != 'Provisioned' ]];
do
rtState=$(az network vhub show -g $rg -n $hub2name --query 'routingState' -o tsv)
echo "$hub2name routingState="$rtState
sleep 5
done
echo Creating $hub1name Azure Firewall Policy
#Create firewall rules
fwpolicyname1=$hub1name-fwpolicy #Firewall Policy Name
az network firewall policy create --name $fwpolicyname1 --resource-group $rg --sku $firewalltier --output none --only-show-errors
az network firewall policy rule-collection-group create --name NetworkRuleCollectionGroup --priority 200 --policy-name $fwpolicyname1 --resource-group $rg --output none --only-show-errors
#Adding any-to-any firewall rule
az network firewall policy rule-collection-group collection add-filter-collection \
--resource-group $rg \
--policy-name $fwpolicyname1 \
--name GenericCollection \
--rcg-name NetworkRuleCollectionGroup \
--rule-type NetworkRule \
--rule-name AnytoAny \
--action Allow \
--ip-protocols "Any" \
--source-addresses "*" \
--destination-addresses "*" \
--destination-ports "*" \
--collection-priority 100 \
--output none
echo Deploying Azure Firewall inside $hub1name vHub ...
fwpolid1=$(az network firewall policy show --resource-group $rg --name $fwpolicyname1 --query id --output tsv)
az network firewall create -g $rg -n $hub1name-azfw --sku AZFW_Hub --tier $firewalltier --virtual-hub $hub1name --public-ip-count 1 --firewall-policy $fwpolid1 --location $region1 --output none &>/dev/null &
echo Creating $hub2name Azure Firewall Policy
#Create firewall rules
fwpolicyname2=$hub2name-fwpolicy #Firewall Policy Name
az network firewall policy create --name $fwpolicyname2 --resource-group $rg --sku $firewalltier --output none --only-show-errors
az network firewall policy rule-collection-group create --name NetworkRuleCollectionGroup --priority 200 --policy-name $fwpolicyname2 --resource-group $rg --output none --only-show-errors
#Adding any-to-any firewall rule
az network firewall policy rule-collection-group collection add-filter-collection \
--resource-group $rg \
--policy-name $fwpolicyname2 \
--name GenericCollection \
--rcg-name NetworkRuleCollectionGroup \
--rule-type NetworkRule \
--rule-name AnytoAny \
--action Allow \
--ip-protocols "Any" \
--source-addresses "*" \
--destination-addresses "*" \
--destination-ports "*" \
--collection-priority 100 \
--output none
echo Deploying Azure Firewall inside $hub2name vHub...
fwpolid2=$(az network firewall policy show --resource-group $rg --name $fwpolicyname2 --query id --output tsv)
az network firewall create -g $rg -n $hub2name-azfw --sku AZFW_Hub --tier $firewalltier --virtual-hub $hub2name --public-ip-count 1 --firewall-policy $fwpolid2 --location $region2 --output none &>/dev/null &
# Only continue if Firewall if $hub1name-azfw is provisioned
prState=''
while [[ $prState != 'Succeeded' ]];
do
prState=$(az network firewall show -g $rg -n $hub1name-azfw --query 'provisioningState' -o tsv)
echo "$hub1name-azfw provisioningState="$prState
sleep 5
done
echo Enabling $hub1name Azure Firewall diagnostics...
echo Checking MS Insights subscription registration state
msinsights=$(az provider show -n microsoft.insights --query registrationState -o tsv)
if [ $msinsights == 'NotRegistered' ] || [ $msinsights == 'Unregistered' ]; then
az provider register -n microsoft.insights --accept-terms
prState=''
while [[ $prState != 'Registered' ]];
do
prState=$(az provider show -n microsoft.insights --query registrationState -o tsv)
echo "MS Insights State="$prState
sleep 5
done
fi
## Log Analytics workspace name.
Workspacename=azfw-$region1-Logs
#Creating Log Analytics Workspaces
az monitor log-analytics workspace create -g $rg --workspace-name $Workspacename --location $region1 --output none
#EnablingAzure Firewall diagnostics
az monitor diagnostic-settings create -n 'toLogAnalytics' \
--resource $(az network firewall show --name $hub1name-azfw --resource-group $rg --query id -o tsv) \
--workspace $(az monitor log-analytics workspace show -g $rg --workspace-name $Workspacename --query id -o tsv) \
--logs '[{"category":"AzureFirewallApplicationRule","Enabled":true}, {"category":"AzureFirewallNetworkRule","Enabled":true}, {"category":"AzureFirewallDnsProxy","Enabled":true}]' \
--metrics '[{"category": "AllMetrics","enabled": true}]' \
--output none
# Only continue if Firewall if $hub2name-azfw is provisioned
prState=''
while [[ $prState != 'Succeeded' ]];
do
prState=$(az network firewall show -g $rg -n $hub2name-azfw --query 'provisioningState' -o tsv)
echo "$hub2name-azfw provisioningState="$prState
sleep 5
done
echo Enabling $hub2name Azure Firewall diagnostics...
## Log Analytics workspace name.
Workspacename=azfw-$region2-Logs
#Creating Log Analytics Workspaces
az monitor log-analytics workspace create -g $rg --workspace-name $Workspacename --location $region2 --output none
echo Enabling Azure Firewall diagnostics
az monitor diagnostic-settings create -n 'toLogAnalytics' \
--resource $(az network firewall show --name $hub2name-azfw --resource-group $rg --query id -o tsv) \
--workspace $(az monitor log-analytics workspace show -g $rg --workspace-name $Workspacename --query id -o tsv) \
--logs '[{"category":"AzureFirewallApplicationRule","Enabled":true}, {"category":"AzureFirewallNetworkRule","Enabled":true}, {"category":"AzureFirewallDnsProxy","Enabled":true}]' \
--metrics '[{"category": "AllMetrics","enabled": true}]' \
--output none
echo Validating vHubs VPN Gateways provisioning...
#vWAN Hubs VPN Gateway Status
prState=$(az network vpn-gateway show -g $rg -n $hub1name-vpngw --query provisioningState -o tsv)
if [[ $prState == 'Failed' ]];
then
echo VPN Gateway is in fail state. Deleting and rebuilding.
az network vpn-gateway delete -n $hub1name-vpngw -g $rg
az network vpn-gateway create -n $hub1name-vpngw -g $rg --location $region1 --vhub $hub1name --no-wait
sleep 5
else
prState=''
while [[ $prState != 'Succeeded' ]];
do
prState=$(az network vpn-gateway show -g $rg -n $hub1name-vpngw --query provisioningState -o tsv)
echo $hub1name-vpngw "provisioningState="$prState
sleep 5
done
fi
prState=$(az network vpn-gateway show -g $rg -n $hub2name-vpngw --query provisioningState -o tsv)
if [[ $prState == 'Failed' ]];
then
echo VPN Gateway is in fail state. Deleting and rebuilding.
az network vpn-gateway delete -n $hub2name-vpngw -g $rg
az network vpn-gateway create -n $hub2name-vpngw -g $rg --location $region2 --vhub $hub2name --no-wait
sleep 5
else
prState=''
while [[ $prState != 'Succeeded' ]];
do
prState=$(az network vpn-gateway show -g $rg -n $hub2name-vpngw --query provisioningState -o tsv)
echo $hub2name-vpngw "provisioningState="$prState
sleep 5
done
fi
#Enabling Secured-vHUB + Routing intenet
echo "Enabling Secured-vHUB + Routing intent (Private and Internet Traffic)"
nexthophub1=$(az network vhub show -g $rg -n $hub1name --query azureFirewall.id -o tsv)
az deployment group create --name $hub1name-ri \
--resource-group $rg \
--template-uri https://raw.githubusercontent.com/dmauser/azure-virtualwan/main/svh-ri-inter-region/bicep/main.json \
--parameters scenarioOption=Private-and-Internet hubname=$hub1name nexthop=$nexthophub1 \
--no-wait
nexthophub2=$(az network vhub show -g $rg -n $hub2name --query azureFirewall.id -o tsv)
az deployment group create --name $hub2name-ri \
--resource-group $rg \
--template-uri https://raw.githubusercontent.com/dmauser/azure-virtualwan/main/svh-ri-inter-region/bicep/main.json \
--parameters scenarioOption=Private-and-Internet hubname=$hub2name nexthop=$nexthophub2 \
--no-wait
echo "Waiting for Routing Intent to complete..."
subid=$(az account list --query "[?isDefault == \`true\`].id" --all -o tsv)
prState=''
while [[ $prState != 'Succeeded' ]];
do
prState=$(az rest --method get --uri /subscriptions/$subid/resourceGroups/$rg/providers/Microsoft.Network/virtualHubs/$hub1name/routingIntent/$hub1name_RoutingIntent?api-version=2022-01-01 --query 'value[].properties.provisioningState' -o tsv)
echo "$hub1name routing intent provisioningState="$prState
sleep 5
done
prState=''
while [[ $prState != 'Succeeded' ]];
do
prState=$(az rest --method get --uri /subscriptions/$subid/resourceGroups/$rg/providers/Microsoft.Network/virtualHubs/$hub2name/routingIntent/$hub2name_RoutingIntent?api-version=2022-01-01 --query 'value[].properties.provisioningState' -o tsv)
echo "$hub2name routing intent provisioningState="$prState
sleep 5
done
echo Base Deployment has finished
# Add script ending time but hours, minutes and seconds
end=`date +%s`
runtime=$((end-start))
echo "Script finished at $(date)"
echo "Total script execution time: $(($runtime / 3600)) hours $((($runtime / 60) % 60)) minutes and $(($runtime % 60)) seconds."