forked from erjosito/azcli
-
Notifications
You must be signed in to change notification settings - Fork 0
/
azfw-appgw.azcli
826 lines (752 loc) · 46.5 KB
/
azfw-appgw.azcli
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
############################################################################
# Created by Jose Moreno
# April 2020
#
# The script creates AzFW and AppGW, plus some VMs for testing:
#
############################################################################
# Control
nginx_vm=yes # Whether an NGINX VM should be created to compare it to the app gw
nginx_aas=no # Whether an NGINX-aaS should be created to compare it to the app gw (doesnt work in AIRS subs)
windows_vm=no # Whether a Windows VM should be created
file_uploads=no # Whether to upload files to the VMs to test the AzFW IDPS functionality
# Variables
rg=azfwappgw
location=eastus
vnet_name=azfw
vnet_prefix=192.168.0.0/16
vm_name=testvmlinux
vm_pip_name=testvmlinux-pip
vm_sku=Standard_B1s
vm_subnet_name=vm
vm_subnet_prefix=192.168.1.0/24
vm_cloudinit_filename=/tmp/cloudinit-whoami.txt
vm_cloudinit_url=https://raw.githubusercontent.com/erjosito/azcli/master/cloudinit-whoami.txt
vm_rt_name=vm
vm_nsg_name=vm-nsg
azfw_name=myazfw
azfw_pip_name=myazfw-pip
azfw_subnet_name=AzureFirewallSubnet
azfw_subnet_prefix=192.168.100.0/24
azfw_policy_name=myazfw_policy
appgw_subnet_name=ApplicationGatewaySubnet
appgw_subnet_prefix=192.168.200.0/24
appgw_name=appgw
appgw_pip_name=appgw-pip
appgw_sku=Standard_v2
appgw_cookie=Disabled
appgw_backenddnsname=kuard
appgw_backendfqdn="$backenddnsname"."$dnszone"
appgw_rt_name=appgw
logws_name=log$RANDOM
win_user=$(whoami)
win_password=Microsoft123!
win_vm_name=testvmwin
win_vm_sku=Standard_B2ms
win_pip_name=testvmwin-pip
nginx_aas_name=nginx-aas
nginx_aas_sku=standard_Monthly
nginx_aas_pip_name=nginx-aas-pip
nginx_aas_subnet_name=nginx-aas
nginx_aas_subnet_prefix=192.168.210.0/24
nginx_vm_name=nginx
nginx_pip_name=nginx-pip
nginx_nsg_name=nginx-nsg
nginx_subnet_name=nginx
nginx_subnet_prefix=192.168.211.0/24
nginx_cloudinit_filename=/tmp/cloudinit-nginx.txt
nginx_vm_sku=Standard_B1s
# RG and vnet
az group create -n $rg -l $location -o none --only-show-errors
az network vnet create -n $vnet_name -g $rg --address-prefixes $vnet_prefix --subnet-name $azfw_subnet_name --subnet-prefixes $azfw_subnet_prefix -o none --only-show-errors
az network vnet subnet create -n $vm_subnet_name --vnet-name $vnet_name -g $rg --address-prefixes $vm_subnet_prefix -o none --only-show-errors
az network vnet subnet create --vnet-name $vnet_name --name $appgw_subnet_name -g $rg --address-prefixes $appgw_subnet_prefix -o none --only-show-errors
# Create Log Analytics workspace
# logws_name=$(az monitor log-analytics workspace list -g $rg --query '[].name' -o tsv) # Retrieve the WS name if it already existed
az monitor log-analytics workspace create -n $logws_name -g $rg
logws_id=$(az resource list -g $rg -n $logws_name --query '[].id' -o tsv)
logws_customerid=$(az monitor log-analytics workspace show -n $logws_name -g $rg --query customerId -o tsv)
# Deploy a Linux VM with a troubleshooting web page
az network public-ip create -g $rg -n $vm_pip_name --sku standard --allocation-method static -l $location
az network nsg create -n $vm_nsg_name -g $rg
az network nsg rule create -n ssh --nsg-name $vm_nsg_name -g $rg --priority 500 --destination-port-ranges 22 --access Allow --protocol Tcp
az network nsg rule create -n web --nsg-name $vm_nsg_name -g $rg --priority 510 --destination-port-ranges 8080 --access Allow --protocol Tcp
az network nsg rule create -n https --nsg-name $vm_nsg_name -g $rg --priority 520 --destination-port-ranges 443 --access Allow --protocol Tcp
#wget $vm_cloudinit_url -O $vm_cloudinit_filename
cat <<EOF > $vm_cloudinit_filename
#cloud-config
runcmd:
- apt update && apt install -y python3-pip
- pip3 install flask
- wget https://raw.githubusercontent.com/erjosito/azcli/master/myip.py -O /root/myip.py
- python3 /root/myip.py >/root/myip.log 2>&1 &
EOF
az vm create -n $vm_name -g $rg --image UbuntuLTS --generate-ssh-keys --size $vm_sku \
--vnet-name $vnet_name --subnet $vm_subnet_name --nsg $vm_nsg_name --public-ip-address $vm_pip_name \
--custom-data $vm_cloudinit_filename
vm_private_ip=$(az vm show -g $rg -n $vm_name -d --query privateIps -o tsv) && echo $vm_private_ip
# Generate certificates
# Create openssl.cnf
cnf_filename=/tmp/openssl.cnf
rootCA_cert=/tmp/rootCA.crt
rootCA_key=/tmp/rootCA.key
interCA_key=/tmp/interCA.key
interCA_csr=/tmp/interCA.csr
interCA_cert=/tmp/interCA.crt
interCA_pfx=/tmp/interCA.pfx
interCA_base64=/tmp/interCA.pfx.base64
cat <<EOF > $cnf_filename
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
string_mask = utf8only
default_md = sha512
[ req_distinguished_name ]
countryName = DE
stateOrProvinceName = BY
localityName = Munich
0.organizationName = Contoso
organizationalUnitName = Contoso
commonName = contoso.com
emailAddress = [email protected]
[ rootCA_ext ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ interCA_ext ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:1
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
EOF
# Create root CA
openssl req -x509 -new -nodes -newkey rsa:4096 -keyout $rootCA_key -sha256 -days 1024 -out $rootCA_cert -subj "/C=US/ST=US/O=Self Signed/CN=Self Signed Root CA" -config $cnf_filename -extensions rootCA_ext
# Create intermediate CA request
openssl req -new -nodes -newkey rsa:4096 -keyout $interCA_key -sha256 -out $interCA_csr -subj "/C=US/ST=US/O=Self Signed/CN=Self Signed Intermediate CA"
# Sign on the intermediate CA
openssl x509 -req -in $interCA_csr -CA $rootCA_cert -CAkey $rootCA_key -CAcreateserial -out $interCA_cert -days 1024 -extfile $cnf_filename -extensions interCA_ext
# Export the intermediate CA into PFX
openssl pkcs12 -export -out $interCA_pfx -inkey $interCA_key -in $interCA_cert -password "pass:"
# Convert the PFX into base64
cat $interCA_pfx | base64 > $interCA_base64
# echo ""
# echo "================"
# echo "Successfully generated root and intermediate CA certificates"
# echo " - rootCA.crt/rootCA.key - Root CA public certificate and private key"
# echo " - interCA.crt/interCA.key - Intermediate CA public certificate and private key"
# echo " - interCA.pfx.base64 - Intermediate CA pkcs12 package to be consumed by CACertificate template"
# echo "================"
# Upload to AKV
akv_name=erjositoKeyvault
akv_secret_name=azfwca
akv_secret_value=$(cat $interCA_base64)
az keyvault secret set -n $akv_secret_name --value $akv_secret_value --vault-name $akv_name -o none
akv_secret_id=$(az keyvault secret show --vault-name $akv_name -n $akv_secret_name --query id -o tsv)
# Create identity so that the AzFW can read from AKV
id_name=azfwid
az identity create -n $id_name -g $rg -o none
id_principal_id=$(az identity show -n $id_name -g $rg --query principalId -o tsv)
az keyvault set-policy -n "$akv_name" --object-id "$id_principal_id" --secret-permissions get list -o none
id_id=$(az identity show -n $id_name -g $rg --query id -o tsv)
# Create AzFw policy with TLS
az network firewall policy create -n "$azfw_policy_name" -g $rg --sku Premium --idps-mode Deny --cert-name "$akv_secret_name" --key-vault-secret-id "$akv_secret_id" --identity "$id_id" -o none
# Deploy AzFW Premium
az network public-ip create -g $rg -n $azfw_pip_name --sku standard --allocation-method static -l $location -o none
azfw_pip_address=$(az network public-ip show -g $rg -n $azfw_pip_name --query ipAddress -o tsv)
azfw_policy_id=$(az network firewall policy show -n $azfw_policy_name -g $rg --query id -o tsv)
az network firewall create -n $azfw_name -g $rg -l $location --tier Premium --policy $azfw_policy_id -o none # Not working yet (Feb 11 2022)...
azfw_id=$(az network firewall show -n $azfw_name -g $rg -o tsv --query id) && echo $azfw_id
az monitor diagnostic-settings create -n mydiag$RANDOM --resource $azfw_id --workspace $logws_id \
--metrics '[{"category": "AllMetrics", "enabled": true, "retentionPolicy": {"days": 0, "enabled": false }, "timeGrain": null}]' \
--logs '[{"category": "AzureFirewallApplicationRule", "enabled": true, "retentionPolicy": {"days": 0, "enabled": false}},
{"category": "AzureFirewallDnsProxy", "enabled": true, "retentionPolicy": {"days": 0, "enabled": false}},
{"category": "AzureFirewallNetworkRule", "enabled": true, "retentionPolicy": {"days": 0, "enabled": false}}]'
az network firewall ip-config create -f $azfw_name -n azfw-ipconfig -g $rg --public-ip-address $azfw_pip_name --vnet-name $vnet_name
az network firewall update -n $azfw_name -g $rg
azfw_private_ip=$(az network firewall show -n $azfw_name -g $rg -o tsv --query 'ipConfigurations[0].privateIpAddress')
# Outgoing app rule for all FQDNs
az network firewall policy rule-collection-group create -n ruleset01 --policy-name $azfw_policy_name -g $rg --priority 100
az network firewall policy rule-collection-group collection add-filter-collection --policy-name $azfw_policy_name --rule-collection-group-name ruleset01 -g $rg \
--name permitVnet --collection-priority 200 --action Allow --rule-name permitVnet --rule-type ApplicationRule --description "Permit HTTP traffic from VNet" \
--target-fqdns '*' --source-addresses $vnet_prefix --protocols Http=8080 Https=443 --enable-tls-inspection
az network firewall policy rule-collection-group collection rule add --policy-name $azfw_policy_name --rule-collection-group-name ruleset01 -g $rg \
--collection-name permitVnet --name permitDnatTraffic --rule-type ApplicationRule --description "Permit HTTP traffic from Internet" \
--target-fqdns '*' --source-addresses '*' --protocols Http=8080 Https=443 --enable-tls-inspection
az network firewall policy rule-collection-group collection add-filter-collection --policy-name $azfw_policy_name --rule-collection-group-name ruleset01 -g $rg \
--name NetworkTraffic --collection-priority 150 --action Allow --rule-name permitIcmp --rule-type NetworkRule --description "Permit intra-vnet ICMP traffic" \
--destination-addresses "$vnet_prefix" --destination-ports '*' --source-addresses "$vnet_prefix" --ip-protocols 'Icmp'
az network firewall policy rule-collection-group collection rule add --policy-name $azfw_policy_name --rule-collection-group-name ruleset01 -g $rg \
--collection-name NetworkTraffic --name permit8080 --description "Permit HTTP traffic on TCP8080" --rule-type NetworkRule \
--destination-addresses "$vnet_prefix" --destination-ports 8080 --source-addresses "$vnet_prefix" --ip-protocols 'TCP'
# az network firewall policy rule-collection-group collection rule remove --policy-name $azfw_policy_name --rule-collection-group-name ruleset01 -g $rg \
# --collection-name NetworkTraffic --name permit8080
# Disable lower case header IDPS signatures in AzFW
az network firewall policy intrusion-detection add --policy-name $azfw_policy_name -g $rg --mode Off --signature-id 2845390
az network firewall policy intrusion-detection add --policy-name $azfw_policy_name -g $rg --mode Off --signature-id 2845391
# Disable signatures for ifconfig.co
az network firewall policy intrusion-detection add --policy-name $azfw_policy_name -g $rg --mode Off --signature-id 2834195
az network firewall policy intrusion-detection add --policy-name $azfw_policy_name -g $rg --mode Off --signature-id 2013028
# DNAT rules for the test VM
az network firewall policy rule-collection-group collection add-nat-collection --policy-name $azfw_policy_name --rule-collection-group-name ruleset01 -g $rg \
--name NATSSL --collection-priority 110 --action DNAT --rule-name DnatSSL --description "Permit intra-vnet ICMP traffic" \
--source-addresses '*' --destination-addresses "$azfw_pip_address" --destination-ports 443 --ip-protocols TCP \
--translated-address "$vm_private_ip" --translated-port 443
# Create public DNS record
public_domain=cloudtrooper.net
fw_dns_name='appgwfw-fw'
public_dns_rg=$(az network dns zone list --query "[?name=='$public_domain'].resourceGroup" -o tsv)
if [[ -z "$public_dns_rg" ]]
then
echo "ERROR: I could not find the public DNS zone $public_domain in subscription $sub_name"
else
# First, remove any existing A-record if already exists
a_record_set=$(az network dns record-set a show -n "$fw_dns_name" -z "$public_domain" -g "$public_dns_rg" -o tsv --query id 2>/dev/null)
if [[ -n "$a_record_set" ]]
then
echo "Deleting existing A record for ${fw_dns_name}.${public_domain}..."
az network dns record-set a delete -n "$fw_dns_name" -z "$public_domain" -g "$public_dns_rg" -y
else
echo "No conflicting A records found in ${public_domain}"
fi
# Now create new A record
az network dns record-set a create -g $public_dns_rg -z cloudtrooper.net -n $fw_dns_name
az network dns record-set a add-record -g $public_dns_rg -z cloudtrooper.net -n $fw_dns_name -a $azfw_pip_address
fi
# Verify Linux VM deployed correctly and SSH is working fine (not going through the AzFW yet)
vm_pip_address=$(az network public-ip show -n $vm_pip_name -g $rg --query ipAddress -o tsv) && echo $vm_pip_address
ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no $vm_pip_address "ip a"
curl ${vm_pip_address}:8080/api/healthcheck
curl ${vm_pip_address}:8080/api/ip
# Install nginx for SSL termination
ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no $vm_pip_address "sudo apt install -y nginx"
nginx_config_file=/tmp/nginx.conf
cat <<EOF > $nginx_config_file
worker_processes auto;
events {
worker_connections 1024;
}
pid /var/run/nginx.pid;
http {
server {
listen [::]:443 ssl;
listen 443 ssl;
server_name localhost;
ssl_protocols TLSv1.2;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m; # a 1mb cache can hold about 4000 sessions, so we can hold 40000 sessions
ssl_session_timeout 24h;
keepalive_timeout 75; # up from 75 secs default
add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains';
ssl_certificate /etc/nginx/ssl.crt;
ssl_certificate_key /etc/nginx/ssl.key;
location /api/ {
proxy_pass http://127.0.0.1:8080 ;
proxy_set_header Connection "";
proxy_set_header Host \$host;
proxy_set_header X-Real-IP \$remote_addr;
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
# proxy_set_header X-Forwarded-For \$remote_addr;
proxy_buffer_size 128k;
proxy_buffers 4 256k;
proxy_busy_buffers_size 256k;
}
}
}
EOF
scp "$nginx_config_file" "${vm_pip_address}:~/"
# Put public certs in NGINX. Note: you need to have some public certs in advance
cert_file="${HOME}/onedrive/Admin/Certs/cloudtrooper.net/2023/star_cloudtrooper_net_fullchain.pem"
key_file="${HOME}/onedrive/Admin/Certs/cloudtrooper.net/2023/CSR/star_cloudtrooper_net.key"
scp "$cert_file" "${vm_pip_address}:~/ssl.crt"
scp "$key_file" "${vm_pip_address}:~/ssl.key"
ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no $vm_pip_address "sudo mv ./* /etc/nginx/"
ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no $vm_pip_address "systemctl status nginx"
ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no $vm_pip_address "sudo systemctl restart nginx"
# Create A record in public domain
public_domain=cloudtrooper.net
vm_dns_name='appgwfw-vm'
vm_fqdn="${vm_dns_name}.${public_domain}" && echo $vm_fqdn
public_dns_rg=$(az network dns zone list --query "[?name=='$public_domain'].resourceGroup" -o tsv)
if [[ -z "$public_dns_rg" ]]
then
echo "ERROR: I could not find the public DNS zone $public_domain in subscription $sub_name"
else
# First, remove any existing A-record if already exists
a_record_set=$(az network dns record-set a show -n "$vm_dns_name" -z "$public_domain" -g "$public_dns_rg" -o tsv --query id 2>/dev/null)
if [[ -n "$a_record_set" ]]
then
echo "Deleting existing A record for ${vm_dns_name}.${public_domain}..."
az network dns record-set a delete -n "$vm_dns_name" -z "$public_domain" -g "$public_dns_rg" -y
else
echo "No conflicting A records found in ${public_domain}"
fi
# Now create new A record
az network dns record-set a create -g $public_dns_rg -z cloudtrooper.net -n $vm_dns_name
az network dns record-set a add-record -g $public_dns_rg -z cloudtrooper.net -n $vm_dns_name -a $vm_pip_address
fi
curl "https://${vm_fqdn}/api/healthcheck"
######################
# Deploy App Gateway #
######################
# Split DNS
az network private-dns zone create -n $public_domain -g $rg
az network private-dns record-set a add-record --record-set-name $vm_dns_name -z $public_domain -g $rg -a $vm_private_ip
az network private-dns record-set a add-record --record-set-name "${vm_dns_name}-private" -z $public_domain -g $rg -a $vm_private_ip
az network private-dns link vnet create -g $rg -z $public_domain -n myDnsLink --virtual-network $vnet_name --registration-enabled false
# Create GW with sample config for port 8080
az network public-ip create -g $rg -n $appgw_pip_name --sku standard --allocation-method static -l $location
appgw_pip_address=$(az network public-ip show -g $rg -n $appgw_pip_name --query ipAddress -o tsv)
az network application-gateway create -g $rg -n $appgw_name --capacity 2 --sku $appgw_sku \
--frontend-port 8080 --routing-rule-type basic --priority 100 \
--servers $vm_fqdn --http-settings-port 8080 --http-settings-protocol Http \
--sku Standard_v2 --min-capacity 1 --max-capacity 2 \
--public-ip-address $appgw_pip_name --vnet-name $vnet_name --subnet $appgw_subnet_name
# Import certs from AKV
cert_name=cloudtroopernet
cert_id=$(az network application-gateway ssl-cert show -n "$cert_name" --gateway-name "$appgw_name" -g "$rg" --query id -o tsv 2>/dev/null)
if [[ -z "$cert_id" ]]
then
echo "Adding SSL certificate to Application Gateway from Key Vault..."
# The --keyvault-secret-id parameter doesnt seem to be working in Github's action CLI version (Feb 2021)
# cert_sid=$(az keyvault certificate show -n "$cert_name" --vault-name "$akv_name" --query sid -o tsv)
# az network application-gateway ssl-cert create -n "$cert_name" --gateway-name "$appgw_name" -g "$rg" --keyvault-secret-id "$cert_sid"
pfx_file="/tmp/appgwcert.pfx"
if [[ -e "$pfx_file" ]]; then
rm $pfx_file
fi
az keyvault secret download -n "$cert_name" --vault-name "$akv_name" --encoding base64 --file "$pfx_file"
cert_passphrase=''
az network application-gateway ssl-cert create -g "$rg" --gateway-name "$appgw_name" -n "$cert_name" --cert-file "$pfx_file" --cert-password "$cert_passphrase" -o none
else
echo "Cert $cert_name already exists in application gateway $appgw_name"
fi
# Add custom probe (with path /api/healthcheck) to initial config (port 8080)
echo "Creating custom probe for port 8080..."
az network application-gateway probe create -g "$rg" --gateway-name "$appgw_name" \
--name vmprobe8080 --protocol Http --host-name-from-http-settings --match-status-codes 200-399 --port 8080 --path "/api/healthcheck" -o none
http_settings_name=$(az network application-gateway http-settings list -g $rg --gateway-name $appgw_name -o tsv --query '[0].name')
az network application-gateway http-settings update -g $rg --gateway-name $appgw_name -n $http_settings_name --probe vmprobe8080 --host-name-from-backend-pool -o none
# Root cert from firewall
root_cert_id=$(az network application-gateway ssl-cert show -n azfwroot --gateway-name "$appgw_name" -g "$rg" --query id -o tsv 2>/dev/null)
if [[ -z "$root_cert_id" ]]
then
az network application-gateway root-cert create -g "$rg" --gateway-name "$appgw_name" --name azfwroot --cert-file "$rootCA_cert" -o none
else
echo "Root certificate already present in Application Gateway $appgw_name"
fi
# Intermediate CA cert from firewall
# root_cert_id=$(az network application-gateway ssl-cert show -n azfwinter --gateway-name "$appgw_name" -g "$rg" --query id -o tsv 2>/dev/null)
# if [[ -z "$root_cert_id" ]]
# then
# az network application-gateway root-cert create -g "$rg" --gateway-name "$appgw_name" --name azfwinter --cert-file "$interCA_cert" -o none
# else
# echo "Intermediate certificate already present in Application Gateway $appgw_name"
# fi
# HTTP Settings and probe for HTTPS
echo "Creating probe and HTTP settings..."
az network application-gateway probe create -g "$rg" --gateway-name "$appgw_name" \
--name testvmprobe --protocol Https --host-name-from-http-settings --match-status-codes 200-399 --port 443 --path "/api/healthcheck" -o none
az network application-gateway http-settings create -g "$rg" --gateway-name "$appgw_name" --port 443 \
--name testvmsettings --protocol https --host-name ${vm_fqdn} --probe testvmprobe --root-certs azfwroot -o none
# Create rule
az network application-gateway address-pool create -n testvmpool -g "$rg" --gateway-name "$appgw_name" --servers "$vm_private_ip" -o none
frontend_name=$(az network application-gateway frontend-ip list -g "$rg" --gateway-name "$appgw_name" --query '[0].name' -o tsv)
az network application-gateway frontend-port create -n testvmport -g "$rg" --gateway-name "$appgw_name" --port 443 -o none
az network application-gateway http-listener create -n testvmlistener -g "$rg" --gateway-name "$appgw_name" \
--frontend-port testvmport --frontend-ip "$frontend_name" --ssl-cert "$cert_name" -o none
az network application-gateway rule create -g "$rg" --gateway-name "$appgw_name" -n testvmrule --priority 110 \
--http-listener testvmlistener --rule-type Basic --address-pool testvmpool --http-settings testvmsettings -o none
# Connect app gw to Azure Monitor
appgw_id=$(az network application-gateway show -n $appgw_name -g $rg --query id -o tsv)
az monitor diagnostic-settings create -n "mydiag$RANDOM" --resource $appgw_id --workspace $logws_id \
--metrics '[{"category": "AllMetrics", "enabled": true, "retentionPolicy": {"days": 0, "enabled": false }, "timeGrain": null}]' \
--logs '[{"category": "ApplicationGatewayAccessLog", "enabled": true, "retentionPolicy": {"days": 0, "enabled": false}},
{"category": "ApplicationGatewayPerformanceLog", "enabled": true, "retentionPolicy": {"days": 0, "enabled": false}},
{"category": "ApplicationGatewayFirewallLog", "enabled": true, "retentionPolicy": {"days": 0, "enabled": false}}]'
# Implement routing to AzFW
# RT for the AppGW subnet
azfw_private_ip=$(az network firewall show -n $azfw_name -g $rg -o tsv --query 'ipConfigurations[0].privateIpAddress') && echo $azfw_private_ip
appgw_rt_name=appgwrt
az network route-table create --name "$appgw_rt_name" --resource-group "$rg" --location "$location"
az network route-table route create --route-table-name $appgw_rt_name -g $rg --address-prefix $vm_subnet_prefix --name "ToVMSubnet" --next-hop-type VirtualAppliance --next-hop-ip-address "$azfw_private_ip"
az network vnet subnet update --name $appgw_subnet_name --route-table $appgw_rt_name --vnet-name $vnet_name --resource-group $rg
# RT in the VM subnet required if using network rules
rt_name=vmrt
az network route-table create --name "$rt_name" --resource-group "$rg" --location "$location"
az network route-table route create --route-table-name $rt_name -g $rg --address-prefix $appgw_subnet_prefix --name "ToAppGWSubnet" --next-hop-type VirtualAppliance --next-hop-ip-address "$azfw_private_ip"
az network route-table route create --route-table-name $rt_name -g $rg --address-prefix $vm_subnet_prefix --name "intrasubnet" --next-hop-type VirtualAppliance --next-hop-ip-address "$azfw_private_ip"
az network vnet subnet update --name $vm_subnet_name --route-table $rt_name --vnet-name $vnet_name --resource-group $rg
# Create A record in public domain for AppGW
public_domain=cloudtrooper.net
appgw_dns_name='appgwfw-gw'
appgw_fqdn="${appgw_dns_name}.${public_domain}" && echo $appgw_fqdn
public_dns_rg=$(az network dns zone list --query "[?name=='$public_domain'].resourceGroup" -o tsv)
if [[ -z "$public_dns_rg" ]]
then
echo "ERROR: I could not find the public DNS zone $public_domain in subscription $sub_name"
else
# First, remove any existing A-record if already exists
a_record_set=$(az network dns record-set a show -n "$appgw_dns_name" -z "$public_domain" -g "$public_dns_rg" -o tsv --query id 2>/dev/null)
if [[ -n "$a_record_set" ]]
then
echo "Deleting existing A record for ${appgw_dns_name}.${public_domain}..."
az network dns record-set a delete -n "$appgw_dns_name" -z "$public_domain" -g "$public_dns_rg" -y
else
echo "No conflicting A records found in ${public_domain}"
fi
# Now create new A record
echo "Creating record for "$appgw_dns_name" in zone $public_domain with IP address $appgw_pip_address..."
az network dns record-set a create -g $public_dns_rg -z $public_domain -n $appgw_dns_name -o none
az network dns record-set a add-record -g $public_dns_rg -z $public_domain -n $appgw_dns_name -a $appgw_pip_address -o none
fi
# Verify access to the app over the App Gateway
curl -k "https://${appgw_fqdn}/api/healthcheck"
# NGINX VM (optional)
if [[ "$nginx_vm" == "yes" ]]; then
# Create subnet and public IP
az network public-ip create -n $nginx_pip_name -g $rg -l $location --sku Standard -o none --only-show-errors
az network vnet subnet create -g $rg --vnet-name $vnet_name -n $nginx_subnet_name --address-prefixes $nginx_subnet_prefix -o none --only-show-errors
appgw_rt_name=appgwrt # Attach same RT as in the AppGW subnet
az network vnet subnet update --name $nginx_subnet_name --route-table $appgw_rt_name --vnet-name $vnet_name --resource-group $rg -o none --only-show-errors
# Create an Ubuntu VM with NGINX
cat <<EOF > $nginx_cloudinit_filename
#cloud-config
runcmd:
- apt update && apt install -y nginx
EOF
az network nsg create -n $nginx_nsg_name -g $rg -o none --only-show-errors
az network nsg rule create -n ssh --nsg-name $nginx_nsg_name -g $rg --priority 500 --destination-port-ranges 22 --access Allow --protocol Tcp -o none --only-show-errors
az network nsg rule create -n http80 --nsg-name $nginx_nsg_name -g $rg --priority 510 --destination-port-ranges 80 --access Allow --protocol Tcp -o none --only-show-errors
az network nsg rule create -n http8080 --nsg-name $nginx_nsg_name -g $rg --priority 520 --destination-port-ranges 8080 --access Allow --protocol Tcp -o none --only-show-errors
az network nsg rule create -n https443 --nsg-name $nginx_nsg_name -g $rg --priority 530 --destination-port-ranges 443 --access Allow --protocol Tcp -o none --only-show-errors
az network nsg rule create -n https8443 --nsg-name $nginx_nsg_name -g $rg --priority 540 --destination-port-ranges 8443 --access Allow --protocol Tcp -o none --only-show-errors
az vm create -n $nginx_name -g $rg --image UbuntuLTS --generate-ssh-keys --size $vm_sku \
--vnet-name $vnet_name --subnet $nginx_subnet_name --nsg $nginx_nsg_name --public-ip-address $nginx_pip_name \
--custom-data $nginx_cloudinit_filename -o none --only-show-errors
nginx_pip=$(az network public-ip show -n $nginx_pip_name -g $rg -o tsv --query ipAddress)
ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no $nginx_pip "ip a"
nginx_vm_config_file=/tmp/nginx.conf
cat <<EOF > $nginx_vm_config_file
worker_processes auto;
events {
worker_connections 1024;
}
pid /var/run/nginx.pid;
http {
server {
listen [::]:443 ssl;
listen 443 ssl;
server_name localhost;
ssl_protocols TLSv1.2;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m; # a 1mb cache can hold about 4000 sessions, so we can hold 40000 sessions
ssl_session_timeout 24h;
keepalive_timeout 75; # up from 75 secs default
add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains';
ssl_certificate /etc/nginx/ssl.crt;
ssl_certificate_key /etc/nginx/ssl.key;
proxy_ssl_verify off; # Important, since the AzFW will return self signed certs!
location /api/ {
proxy_pass https://$azfw_private_ip:443 ;
proxy_set_header Connection "";
proxy_set_header Host \$host;
proxy_set_header X-Real-IP \$remote_addr;
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
# proxy_set_header X-Forwarded-For \$remote_addr;
proxy_buffer_size 128k;
proxy_buffers 4 256k;
proxy_busy_buffers_size 256k;
}
}
}
EOF
scp "$nginx_vm_config_file" "${nginx_pip}:~/"
# Put public certs in NGINX. Note: you need to have some public certs in advance
cert_file="${HOME}/onedrive/Admin/Certs/cloudtrooper.net/2023/star_cloudtrooper_net_fullchain.pem"
key_file="${HOME}/onedrive/Admin/Certs/cloudtrooper.net/2023/CSR/star_cloudtrooper_net.key"
scp "$cert_file" "${nginx_pip}:~/ssl.crt"
scp "$key_file" "${nginx_pip}:~/ssl.key"
ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no $nginx_pip "sudo mv ./* /etc/nginx/"
ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no $nginx_pip "systemctl status nginx"
ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no $nginx_pip "sudo systemctl restart nginx"
# Create A record in public domain for NGINX VM
public_domain=cloudtrooper.net
nginx_dns_name='appgwfw-nginx'
nginx_fqdn="${nginx_dns_name}.${public_domain}" && echo $nginx_fqdn
public_dns_rg=$(az network dns zone list --query "[?name=='$public_domain'].resourceGroup" -o tsv)
if [[ -z "$public_dns_rg" ]]
then
echo "ERROR: I could not find the public DNS zone $public_domain in subscription $sub_name"
else
# First, remove any existing A-record if already exists
a_record_set=$(az network dns record-set a show -n "$nginx_dns_name" -z "$public_domain" -g "$public_dns_rg" -o tsv --query id 2>/dev/null)
if [[ -n "$a_record_set" ]]
then
echo "Deleting existing A record for ${nginx_dns_name}.${public_domain}..."
az network dns record-set a delete -n "$nginx_dns_name" -z "$public_domain" -g "$public_dns_rg" -y
else
echo "No conflicting A records found in ${public_domain}"
fi
# Now create new A record
echo "Creating record for "$nginx_dns_name" in zone $public_domain with IP address $nginx_pip..."
az network dns record-set a create -g $public_dns_rg -z $public_domain -n $nginx_dns_name -o none
az network dns record-set a add-record -g $public_dns_rg -z $public_domain -n $nginx_dns_name -a $nginx_pip -o none
fi
# Verify access to the app over the NGINX proxy
curl -k "https://${nginx_fqdn}/api/healthcheck"
fi
# NGNIXaaS (optional)
if [[ "$nginx_aas" == "yes" ]]; then
# Create subnet and public IP
az network public-ip create -n $nginx_aas_pip_name -g $rg -l $location --sku Standard -o none --only-show-errors
nginx_aas_pip_id=$(az network public-ip show -n $nginx_aas_pip_name -g $rg -o tsv --query id)
az network vnet subnet create -g $rg --vnet-name $vnet_name -n $nginx_aas_subnet_name --address-prefixes $nginx_aas_subnet_prefix -o none --only-show-errors
az network vnet subnet update -g $rg --vnet-name $vnet_name -n $nginx_aas_subnet_name --delegations NGINX.NGINXPLUS/nginxDeployments -o none --only-show-errors
nginx_aas_subnet_id=$(az network vnet subnet show -g $rg --vnet-name $vnet_name -n $nginx_aas_subnet_name -o tsv --query id)
nginx_aas_frontend_config="{public-ip-addresses:[{id:$nginx_aas_pip_id}]}"
nginx_aas_nic_config="{subnet-id:$nginx_aas_subnet_id}"
# Create the NGINXaaS deployment
az nginx deployment create -n nginxaasdeployment -g $rg -l $location --sku name=$nginx_aas_sku -o none --only-show-errors \
--network-profile "front-end-ip-configuration=$nginx_aas_frontend_config" "network-interface-configuration=$nginx_aas_nic_config"
fi
########################
# File Uploads #
########################
if [[ "$file_uploads" == "yes" ]]; then
# Verify IDPS is blocking traffic
curl -A "BlackSun" -k "https://${appgw_fqdn}/api/healthcheck"
# Test file upload - legit file
test_file="/tmp/testfile"
echo $(tr -dc a-zA-Z0-9 </dev/urandom 2>/dev/null| head -c 25) >$test_file
curl -k -F "data=@${test_file}" "https://${appgw_fqdn}/api/filesize"
# Test file upload - bad file (should be blocked)
bad_file="/tmp/badfile"
echo 'uid=0(root) gid=0(root) groups=0(root)' >$bad_file
curl -k -F "data=@${bad_file}" "https://${appgw_fqdn}/api/filesize"
# Other bad files, check https://github.com/wicar/malware.wicar.org/tree/master/data
# bad_file_url="https://secure.eicar.org/eicar.com"
# bad_file_url=https://raw.githubusercontent.com/wicar/malware.wicar.org/master/data/adobe_flash_hacking_team_uaf.html
# bad_file_url=https://github.com/wicar/malware.wicar.org/raw/master/data/vlc_amv.amv
bad_file_url=https://raw.githubusercontent.com/wicar/malware.wicar.org/master/data/ms10_090_ie_css_clip_ie6.html
wget -q $bad_file_url -O $bad_file
curl -k -F "data=@${bad_file}" "https://${appgw_fqdn}/api/filesize"
fi
############################################################################################
# Verify AzFW DNS requirement (host HTTP header must resolve to the packet destination IP) #
############################################################################################
# Verify everything is working
curl "https://${appgw_fqdn}/api/healthcheck"
# Remove private DNS records
az network private-dns record-set a remove-record --record-set-name "${vm_dns_name}" -z $public_domain -g $rg -a $vm_private_ip -o none
az network private-dns record-set a remove-record --record-set-name "${vm_dns_name}-private" -z $public_domain -g $rg -a $vm_private_ip -o none
# The app should stop working after a while (everything keeps working!!!!!)
curl "https://${appgw_fqdn}/api/healthcheck"
# Get AzFW raw messages (all)
query='AzureDiagnostics
| where TimeGenerated >= ago(5m)
| where ResourceType == "AZUREFIREWALLS"
| project TimeGenerated, msg_s
| order by TimeGenerated'
az monitor log-analytics query -w $logws_customerid --analytics-query $query -o tsv
# Re-add records for split DNS
az network private-dns record-set a add-record --record-set-name "${vm_dns_name}" -z $public_domain -g $rg -a $vm_private_ip -o none
az network private-dns record-set a add-record --record-set-name "${vm_dns_name}-private" -z $public_domain -g $rg -a $vm_private_ip -o none
########################
# Query AzMonitor logs #
########################
# AzFW Log Categories
query='AzureDiagnostics
| where ResourceType == "AZUREFIREWALLS"
| distinct Category '
az monitor log-analytics query -w $logws_customerid --analytics-query $query -o tsv
# AzFW Net rules
query_net='AzureDiagnostics
| where ResourceType == "AZUREFIREWALLS"
| where Category == "AzureFirewallNetworkRule"
| where TimeGenerated >= ago(5m)
| project TimeGenerated, msg_s
| take 100 '
az monitor log-analytics query -w $logws_customerid --analytics-query $query_net -o tsv
# AzFW App rules
query_app='AzureDiagnostics
| where ResourceType == "AZUREFIREWALLS"
| where Category == "AzureFirewallApplicationRule"
| where TimeGenerated >= ago(5m)
| project TimeGenerated, msg_s
| take 100'
az monitor log-analytics query -w $logws_customerid --analytics-query $query_app -o tsv
# AzFW unified query
query='AzureDiagnostics
| where Category == "AzureFirewallNetworkRule" or Category == "AzureFirewallApplicationRule"
| where TimeGenerated >= ago(5m)
| extend msg_original = msg_s
| extend msg_s = replace(@". Action: Deny. Reason: SNI TLS extension was missing.", @" to no_data:no_data. Action: Deny. Rule Collection: default behavior. Rule: SNI TLS extension missing", msg_s)
| extend msg_s = replace(@"No rule matched. Proceeding with default action", @"Rule Collection: default behavior. Rule: no rule matched", msg_s)
| parse msg_s with * " Web Category: " WebCategory
| extend msg_s = replace(@"(. Web Category:).*","", msg_s)
| parse msg_s with * ". Rule Collection: " RuleCollection ". Rule: " Rule
| extend msg_s = replace(@"(. Rule Collection:).*","", msg_s)
| parse msg_s with * ". Signature: " IDSSignatureIDInt ". IDS: " IDSSignatureDescription ". Priority: " IDSPriorityInt ". Classification: " IDSClassification
| extend msg_s = replace(@"(. Signature:).*","", msg_s)
| parse msg_s with * " was DNAT'"'"'ed to " NatDestination
| extend msg_s = replace(@"( was DNAT'"'"'ed to ).*",". Action: DNAT", msg_s)
| parse msg_s with * ". ThreatIntel: " ThreatIntel
| extend msg_s = replace(@"(. ThreatIntel:).*","", msg_s)
| extend URL = extract(@"(Url: )(.*)(\. Action)",2,msg_s)
| extend msg_s=replace(@"(Url: .*)(Action)",@"\2",msg_s)
| parse msg_s with Protocol " request from " SourceIP " to " Target ". Action: " Action
| extend
SourceIP = iif(SourceIP contains ":",strcat_array(split(SourceIP,":",0),""),SourceIP),
SourcePort = iif(SourceIP contains ":",strcat_array(split(SourceIP,":",1),""),""),
Target = iif(Target contains ":",strcat_array(split(Target,":",0),""),Target),
TargetPort = iif(SourceIP contains ":",strcat_array(split(Target,":",1),""),""),
IDSSignatureID = tostring(IDSSignatureIDInt),
IDSPriority = tostring(IDSPriorityInt)
| project msg_original,TimeGenerated,Protocol,SourceIP,SourcePort,Target,TargetPort,URL,Action, NatDestination, OperationName,ThreatIntel,IDSSignatureID,IDSSignatureDescription,IDSPriority,IDSClassification,RuleCollection,Rule,WebCategory
| project-away msg_original
| order by TimeGenerated'
az monitor log-analytics query -w $logws_customerid --analytics-query $query -o tsv
# AzFW raw messages (all)
query='AzureDiagnostics
| where TimeGenerated >= ago(5m)
| where ResourceType == "AZUREFIREWALLS"
| project TimeGenerated, msg_s
| order by TimeGenerated'
az monitor log-analytics query -w $logws_customerid --analytics-query $query -o tsv
# AppGW Log Categories
query='AzureDiagnostics
| where ResourceType == "APPLICATIONGATEWAYS"
| distinct Category '
az monitor log-analytics query -w $logws_customerid --analytics-query $query -o tsv
# AppGW Access Logs
query_acc='AzureDiagnostics
| where TimeGenerated >= ago(1d)
| where ResourceType == "APPLICATIONGATEWAYS"
| where Category == "ApplicationGatewayAccessLog"
//| project TimeStamp_s, ClientIP_s, Host_s
| take 20'
az monitor log-analytics query -w $logws_customerid --analytics-query $query_acc -o tsv
###################
# Test Windows VM #
###################
# You can use this VM to connect to the linux VM over HTTPS and test certificates
if [[ "$windows_vm == "yes" ]]; then
az vm create -n $win_vm_name -g $rg --image win2019datacenter --admin-username $win_user --admin-password $win_password --size $win_vm_sku \
--vnet-name $vnet_name --subnet $vm_subnet_name --public-ip-address $win_pip_name -o none --only-show-errors
fi
#################
# Test Analyzer #
#################
# Create peered vnet with Ubuntu VM
nva_subnet_name=nva
nva_subnet_prefix=192.168.10.0/24
nva_name=ubuntufw
nva_pip=${nva_name}-pip
nva_size=Standard_B1s
az network vnet subnet create --vnet-name $vnet_name --name $nva_subnet_name -g $rg --address-prefixes $nva_subnet_prefix
az vm create -n $nva_name -g $rg -l $location --image ubuntuLTS --generate-ssh-keys \
--public-ip-address $nva_pip --vnet-name $vnet_name --size $nva_size --subnet $nva_subnet_name
nva_nic_id=$(az vm show -n $nva_name -g "$rg" --query 'networkProfile.networkInterfaces[0].id' -o tsv)
az network nic update --ids $nva_nic_id --ip-forwarding
nva_pip_ip=$(az network public-ip show -n $nva_pip -g $rg --query ipAddress -o tsv) && echo $nva_pip_ip
ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no $nva_pip_ip "sudo sysctl -w net.ipv4.ip_forward=1"
nva_private_ip=$(az network nic show --ids $nva_nic_id --query 'ipConfigurations[0].privateIpAddress' -o tsv) && echo $nva_private_ip
# Send traffic between AppGW and AzFW to the NVA
# RT in the AzFW Subnet
azfw_rt_name=azfwrt
az network route-table create --name "$azfw_rt_name" --resource-group "$rg" --location "$location"
az network route-table route create --route-table-name $azfw_rt_name -g $rg --address-prefix $appgw_subnet_prefix --name "ToAppGWSubnet" --next-hop-type VirtualAppliance --next-hop-ip-address "$nva_private_ip"
az network route-table route create --route-table-name $azfw_rt_name -g $rg --address-prefix '0.0.0.0/0' --name "Defaultroute" --next-hop-type Internet
az network vnet subnet update --name $azfw_subnet_name --route-table $azfw_rt_name --vnet-name $vnet_name --resource-group $rg
# Change AppGW RT
appgw_rt_name=appgwrt
az network route-table route update --route-table-name $appgw_rt_name -g $rg --address-prefix $vm_subnet_prefix --name "ToVMSubnet" --next-hop-type VirtualAppliance --next-hop-ip-address "$nva_private_ip"
# RT in the NVA Subnet
nva_rt_name=nvart
az network route-table create --name "$nva_rt_name" --resource-group "$rg" --location "$location"
az network route-table route create --route-table-name $nva_rt_name -g $rg --address-prefix $vm_subnet_prefix --name "ToVMSubnet" --next-hop-type VirtualAppliance --next-hop-ip-address "$azfw_private_ip"
az network vnet subnet update --name $nva_subnet_name --route-table $nva_rt_name --vnet-name $vnet_name --resource-group $rg
# Capture traffic on port 8080
ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no $nva_pip_ip "sudo tcpdump -n port 8080"
# Restablish normal traffic flow
az network vnet subnet update --name $azfw_subnet_name --route-table '' --vnet-name $vnet_name --resource-group $rg
az network route-table route update --route-table-name $appgw_rt_name -g $rg --address-prefix $vm_subnet_prefix --name "ToVMSubnet" --next-hop-type VirtualAppliance --next-hop-ip-address "$azfw_private_ip"
###############
# Diagnostics #
###############
# Public IPs
az network public-ip list -g $rg -o table
# Virtual Machines
az vm list -g $rg -o table
# Subnets
az network vnet subnet list --vnet-name $vnet_name -g $rg -o table
# Azure Firewall
az network firewall nat-rule collection list -f $azfw_name -g $rg -o table
az network firewall nat-rule list -c VMTraffic -f $azfw_name -g $rg --query rules -o table
az network firewall network-rule collection list -f $azfw_name -g $rg -o table
az network firewall application-rule collection list -f $azfw_name -g $rg -o table
az network firewall application-rule list -c AllowAll -f $azfw_name -g $rg --query rules -o table
az network firewall application-rule list -c AllowAll -f $azfw_name -g $rg --query rules --query '[].{Name:name,Protocols:protocols[],SourceAddresses:sourceAddresses[],TargetFQDNs:targetFqdns[]}'
# Azure Firewall: SNAT configuration
# No yet supported with CLI (https://docs.microsoft.com/en-us/azure/firewall/snat-private-range)
# Records in private DNS zone
az network private-dns record-set a list -z $public_domain -g $rg --query '[].{RecordName:name,IPv4Address:aRecords[0].ipv4Address}' -o table
az network private-dns record-set list -z $public_domain -g $rg -o table
az network private-dns record-set a list -z $public_domain -g $rg -o table
az network private-dns record-set a show -n $vm_dns_name -z $public_domain -g $rg -o table
az network private-dns record-set a show -n "${vm_dns_name}-private" -z $public_domain -g $rg -o table
# App Gateway
az network application-gateway list -g $rg -o table
az network application-gateway http-listener list -g $rg --gateway-name $appgw_name -o table
az network application-gateway frontend-ip list -g $rg --gateway-name $appgw_name -o table
az network application-gateway probe list -g $rg --gateway-name $appgw_name -o table
az network application-gateway address-pool list -g $rg --gateway-name $appgw_name -o table
az network application-gateway rule list -g $rg --gateway-name $appgw_name -o table
az network application-gateway rule show -g $rg --gateway-name $appgw_name -n rule1
az network application-gateway rule list -g $rg --gateway-name $appgw_name -o table
rule=$(az network application-gateway rule list -g $rg --gateway-name $appgw_name --query '[0].name' -o tsv)
az network application-gateway rule show -g $rg --gateway-name $appgw_name -n $rule
az network application-gateway url-path-map list -g $rg --gateway-name $appgw_name -o table
az network application-gateway http-settings list -g $rg --gateway-name $appgw_name -o table
# Delete VM
vm_nic_id=$(az vm show -n $vm_name -g $rg --query 'networkProfile.networkInterfaces[0].id' -o tsv)
vm_disk_id=$(az vm show -n $vm_name -g $rg --query 'storageProfile.osDisk.managedDisk.id' -o tsv)
az vm delete -n $vm_name -g $rg -y
az disk delete --ids $vm_disk_id -y
az network nic delete --ids $vm_nic_id
########
# Stop #
########
# VM (server)
function stop_vms() {
vm_list=$(az vm list -o tsv -g "$rg" --query "[].name")
while IFS= read -r vm_name; do
az vm deallocate -g $rg -n "$vm_name" --no-wait -o none --only-show-errors
done <<< "$vm_list"
}
stop_vms
# App GW
az network application-gateway stop -g $rg -n $appgw_name -o none --only-show-errors
# Az FW
ipconfig_name=$(az network firewall ip-config list -f $azfw_name -g $rg --query '[0].name' -o tsv)
az network firewall ip-config delete -f $azfw_name -g $rg -n $ipconfig_name -o none --only-show-errors
#########
# Start #
#########
# VM (server)
az vm start -n $vm_name -g $rg -o none
vm_pip_address=$(az network public-ip show -n $vm_pip_name -g $rg --query ipAddress -o tsv) && echo $vm_pip_address
ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no $vm_pip_address "python3 /root/myip.py &"
# AppGW
az network application-gateway start -g $rg -n $appgw_name --no-wait -o none
# AzFW
az network firewall ip-config create -f $azfw_name -n azfw-ipconfig -g $rg --public-ip-address $azfw_pip_name --vnet-name $vnet_name -o none
az network firewall update -n $azfw_name -g $rg -o none
azfw_private_ip=$(az network firewall show -n $azfw_name -g $rg -o tsv --query 'ipConfigurations[0].privateIpAddress') && echo $azfw_private_ip
###############
# Cleanup all #
###############
# az group delete -n $rg -y --no-wait