From ecde06a4f8bf5b7f7dea44a7b2be62170dbefcc6 Mon Sep 17 00:00:00 2001
From: HolgerR <48099512+HolgerReiners@users.noreply.github.com>
Date: Wed, 16 Dec 2020 17:23:27 +0100
Subject: [PATCH 1/7] ASN changed to comply with RFC6996
---
 vnet-gw.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/vnet-gw.tf b/vnet-gw.tf
index c59b6eb..5018cf3 100644
--- a/vnet-gw.tf
+++ b/vnet-gw.tf
@@ -22,7 +22,7 @@ resource "azurerm_public_ip" "vnet-gw-onprem-pubip" { sku = "VpnGw1" bgp_settings{ - asn = 64000 + asn = 64512 } ip_configuration {
From b3a0522c15ac66a55a447aca281f6ffcd968d4c1 Mon Sep 17 00:00:00 2001
From: HolgerR <48099512+HolgerReiners@users.noreply.github.com>
Date: Mon, 21 Dec 2020 18:13:58 +0100
Subject: [PATCH 2/7] adding tools
---
 .gitignore | 68 +-
 README.md | 1474 +++++++++++++++++-----------------
 add-udrs-scenario5.sh | 14 +-
 bastions.tf | 306 +++----
 branch-routes.sh | 22 +-
 clean-up-after-scenario-4.sh | 150 ++--
 connect-branch.sh | 64 +-
 connect-services-spoke.sh | 2 +-
 connect-us-east-spokes.sh | 8 +-
 emptyrtbody.json | 10 +-
 emptyspokeconnection.json | 38 +-
 enable-routing-nva.sh | 6 +-
 main.tf | 52 +-
 onpremconnection.json | 68 +-
 prep-for-scenario-5.sh | 170 ++--
 prep-for-scenario-6.sh | 72 +-
 spoke.tf | 1426 ++++++++++++++++----------------
 tools/route-tables.sh | 9 +
 variables.tf | 132 +--
 vm-extensions.tf | 296 +++----
 vnet-gw.tf | 66 +-
 vwan.tf | 40 +-
 22 files changed, 2251 insertions(+), 2242 deletions(-)
 create mode 100644 tools/route-tables.sh
diff --git a/.gitignore b/.gitignore
index 9961612..ade8300 100644
--- a/.gitignore
+++ b/.gitignore
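Review bot: The new `asn = 64512` line leaves the branch-side BGP ASN as a bare literal inside a `bgp_settings` block whose enclosing resource starts outside the hunk (the `azurerm_public_ip` named in the hunk header is only the nearest preceding resource; `sku = "VpnGw1"` suggests this is the branch's virtual network gateway). That ASN has to agree with the value used when the matching VPN site is registered on the Virtual WAN side, which the README in this same series says is done by `connect-branch.sh`, so a drift between the two would leave the BGP session down with no Terraform-visible error — this is inferred from the README, not from the hunk. I would lift the value into a `variable "onprem_asn"` of `type = number` with `default = 64512` in variables.tf and reference it here as `asn = var.onprem_asn`, so both sides can read one source of truth. A `validation` block with `condition = var.onprem_asn >= 64512 && var.onprem_asn <= 65514` keeps the value inside the RFC 6996 private range the commit message cites and also excludes 65515, the ASN Azure's VPN/Virtual WAN gateway side uses for itself, so the two peers can never be configured with the same ASN.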
@@ -1,35 +1,35 @@
-# Local .terraform directories
-**/.terraform/*
-
-# Local lock
-.terraform.lock.hcl
-
-# .tfstate files
-*.tfstate
-*.tfstate.*
-
-# tfvars
-*.auto.tfvars
-
-# Crash log files
-crash.log
-
-# Ignore any .tfvars files that are generated automatically for each Terraform run. Most
-# .tfvars files are managed as part of configuration and so should be included in
-# version control.
-#
-# example.tfvars
-
-# Ignore override files as they are usually used to override resources locally and so
-# are not checked in
-override.tf
-override.tf.json
-*_override.tf
-*_override.tf.json
-
-# Include override files you do wish to add to version control using negated pattern
-#
-# !example_override.tf
-
-# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# Local .terraform directories
+**/.terraform/*
+
+# Local lock
+.terraform.lock.hcl
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# tfvars
+*.auto.tfvars
+
+# Crash log files
+crash.log
+
+# Ignore any .tfvars files that are generated automatically for each Terraform run. Most
+# .tfvars files are managed as part of configuration and so should be included in
+# version control.
+#
+# example.tfvars
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Include override files you do wish to add to version control using negated pattern
+#
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
 # example: *tfplan*
\ No newline at end of file
diff --git a/README.md b/README.md
index c53c1b4..693cf15 100644
--- a/README.md
+++ b/README.md
@@ -1,737 +1,737 @@ -# **Routing in Azure Virtual WAN MicroHack** - -# Contents -[Introduction](#introduction) - -[Objectives](#objectives) - -[Scenario](#scenario) - -[Lab](#lab) - -[Prerequisites](#prerequisites) - -[Scenario 1: Single region Virtual WAN with Default Routing](#scenario-1-single-region-virtual-wan-with-default-routing) - -[Scenario 2: Add a branch connection](#scenario-2-add-a-branch-connection) - -[Scenario 3: Multi-regional Virtual WAN](#scenario-3-multi-regional-virtual-wan) - -[Scenario 4: Isolated Spokes and Shared Services Spoke](#scenario-4-isolated-spokes-and-shared-services-spoke) - -[Scenario 5 (Optional): Filter traffic through a Network Virtual Appliance](#scenario-5-optional-filter-traffic-through-a-network-virtual-appliance) - -[Scenario 6 (Optional): Secured Hubs](#scenario-6-optional-secured-hubs) - -[Close out](#close-out) - -# Introduction -This MicroHack explores some of the advanced routing capabilities recently introduced into Azure Virtual WAN. - -The lab starts with a single Hub with Spoke VNETs and default routing. We then connect a simulated on-premise location via S2S VPN. Then we add another regional Hub with Spokes and observe how routing extends across multiple Hubs. Next we implement custom routing patterns for Shared Services- and Isolated Spokes. - -At the end of the MicroHack, there is optional content on network security in Virtual WAN with Network Virtual Appliances and with Secured Hubs. - -Prior to starting this MicroHack, please familiarize yourself with routing in Virtual WAN by reviewing the documentation at https://docs.microsoft.com/en-us/azure/virtual-wan/virtual-wan-about and https://docs.microsoft.com/en-us/azure/virtual-wan/about-virtual-hub-routing. 
- -# Objectives -After completing this MicroHack you will: -- Know how to build a hub-and-spoke topology with Virtual WAN -- Understand default routing in Virtual WAN and how this differs from the classic virtual data center hub-and-spoke spoke architecture -- Understand how custom routing works and know how to build some custom routing scenarios - -# Lab - -The lab consists of a Virtual WAN with Hubs in West Europe and US East, 4 Spoke VNETs (2 in West Europe, 1 in US East and 1 US West), a Shared Services VNET in West-Europe and a simulated On-premise location in North Europe. - -Each of the Spoke and On-prem VNETs contains a Virtual Machine running a basic web site. The Shared Services VNET contains an Active Directory Domain Controller. the NVA VNET contains a Linux VM with Iptables. - -An additional VNET containing a Network Virtual Appliance Linux-based firewall is also deployed. This NVA VNET is used in the optional advanced scenario's on network security. - -During the course of the MicroHack you will connect the Spoke and Shared Services VNETs and the On-premise site to Virtual WAN, deploy an additional Virtual WAN Hub, and manipulate and observe routing. - -At the end of the lab your deployment looks like this: - -![image](images/microhack-vwan.png) - - -Although a Branch (site-to-site VPN) connection is part of this MicroHack, it does not cover the integration with products from SDWAN partners. -# Prerequisites -To make the most of your time on this MircoHack, the green elements in the diagram above are deployed and configured for you through Terraform. You will focus on deploying and configuring the blue items using the Azure portal and Cloud Shell. 
-## Task 1: Deploy -Steps: -- Log in to Azure Cloud Shell at https://shell.azure.com/ and select Bash -- Ensure Azure CLI and extensions are up to date: - - `az upgrade --yes` - -- If necessary select your target subscription: - - `az account set --subscription ` - -- Clone the GitHub repository: - - `git clone https://github.com/mddazure/azure-vwan-microhack` - - - Change directory: - - `cd ./azure-vwan-microhack` - - Initialize terraform and download the azurerm resource provider: - - `terraform init` - -- Now start the deployment (when prompted, confirm with **yes** to start the deployment): - - `terraform apply` - -Deployment takes approximately 30 minutes. -## Task 2: Explore and verify - -After the Terraform deployment concludes successfully, the following has been deployed into your subscription: -- A resource group named **vwan-microhack-spoke-rg** containing - - Four Spoke VNETs, each containing a Virtual Machine running a simple web site, and a Bastion Host. - - An Onprem VNET containing a Virtual Machine running a simple web site, a VNET Gateway and a Bastion Host. - - A Services VNET containing and a Virtual Machine configured as an Active Directory Domain Controller, and a Bastion Host. - - An NVA VNET containing a Virtual Machine with Linux (Ubuntu 18.4) and Iptables installed, and a Bastion Host. -- A resource group named **vwan-microhack-hub-rg** containing a Virtual WAN resource with one Hub and one VPN Gateway. You will deploy another Hub into this resource group manually later on. - -Verify these resources are present in the portal. - -Credentials are identical for all VMs, as follows: -- User name: AzureAdmin -- Password: Microhack2020 -- Domain: micro-hack.local (this is on the ADDC VM only, the other VMs are not joined to this domain yet) - -You may log on to each VM through Bastion. Disable IE Enhanced Security Configuration in Server Manager, open Internet Explorer and access http://localhost. 
You will see a blank page with the VM name in the upper left corner. When logging on to the ADDC VM before it is ready, you will see "Waiting for the Group Policy Client". That is OK, just let it run while you proceed with the lab. -# Scenario 1: Single Region Virtual WAN with Default Routing - -In this scenario you connect in-region VNETs to the pre-deployed Hub, and establish VNET-to-VNET communication. You will then inspect effective routes on the spoke VMs and take a look at the VWAN Default routing table. -## Task 1: Baseline -Connect to spoke-1-vm via Bastion, turn off IE Enhanced Security Configuration in Server Manager, open Internet Explorer and attempt to connect to spoke-2-vm at 172.16.2.4. - -:question: Does it connect? - -Check the routing on spoke-1-vm, as follows: - -In the portal, in the Properties view of the VM Overview blade, click on Networking. Then click on the name of the Network Interface. The NIC overview shows, under Support + troubleshooting click Effective routes. - -Alternatively, in Cloud Shell, issue this command: - -`az network nic show-effective-route-table -g vwan-microhack-spoke-rg -n spoke-1-nic --output table` - -:question: Is there a specific route for spoke-2-vnet (172.16.2.0/24)? - -## Task 2: Connect VNETs -In the portal, navigate to the Virtual WAN named **microhack-vwan** in resource group **vwan-microhack-hub-rg**. - -Click "Virtual network connections" under "Connectivity" and click "+ Add connection" at the top of the page. - -Name your connection **spoke-1-we**, select the hub (microhack-we-hub) and in the Resource group drop down select **vwan-microhack-spoke-rg**. In the Virtual network drop down, select **spoke-1-vnet**. - -Under Routing configuration, select: -- Associate Route Table: Default -- Propagate to Route Tables: Default -- Propgate to labels: default - -Wait for the connection to reach status Succeeded, and do the same for **spoke-2-vnet**. 
-![image](images/vwan-with-connections.png) - -Your Virtual WAN now looks like this: - - -![image](images/scenario1.png) - -:question: Can you now browse from spoke-1-vm to spoke-2-vm and vice versa? - -### :point_right: Spoke routes -Again observe Effective routes for spoke-1-vm. - -:exclamation: Notice it now has a route for spoke-2-vnet (172.16.2.0/24), pointing to a public address. This is the address of the Route Service, deployed into the Hub to enable routing between peered VNETs, branch connections and other Hubs. The fact that this is a public IP address does not present a security risk, it is not reachable from the internet. - -:exclamation: Notice that the routes that enable spoke-to-spoke communication were plumbed into the spoke VNETs automatically. Contrast this with a "classic" hub-and-spoke architecture, where you would need to set up a routing device in the hub VNET and then put UDRs in each of the spokes manually. - -### :point_right: Hub routes -Navigate to the blade for the microhack-we-hub in your Virtual WAN and select Routing under Connectivity. Notice there are two Route tables present now: Default and None. - -Click on Effective Routes. In the drop downs on the next page, select Route Table and Default respectively. This brings up the Default route table. - -:exclamation: Note that routes for the prefixes of both connected VNETs are present, pointing to the respective VNET connections. - -Go back up to the microhack-vwan overview page, and click Virtual network connections under Connectivity. In the table, under Virtual network, click ">" to view the individual VNET connections. - -A Virtual WAN can contain multiple Route tables, and we'll add some in the course of this MicroHack. Each Connection (Hub-to-Spoke VNET, ExpressRoute, S2S (Branch) VPN or P2S (User) VPN) can be *Associated* with a single table and be *Propagating* to multiple tables. - -:exclamation: The Default table has Associated Connections and Propagating Connections. 
Both Spoke VNETs are Associated with and Propagating to the Default table. - -*Associated* means that traffic from the Connections listed is governed by this table, in this case the Default route table. This table decides where traffic sent from the connection to the VWAN Route Service (remember the route entry pointing to the public IP address in the Spoke VM's Effective Routes) goes. - -*Propagating* means that the Connection's destinations are entered into this Routing table: the table learns the Connection's routes. - -The None Route table is also present for each Hub; traffic from Connections Associated with this Route table is dropped. - -# Scenario 2: Add a branch connection - -Now connect a branch site via a BGP-enabled VPN connection and explore the routing between spokes and the branch. The branch site is simulated through a VNET with a VNET Gateway which was deployed through Terraform as part of the Prerequisites. - -## Task 1: Connect a simulated branch site - -In Cloud Shell, in the azure-vwan-microhack directory -- Run the connect-branch shell script: - -`./connect-branch.sh` - -The script contains Azure CLI commands that create following resources: -- A VPN Site named "onprem" in the Virtual WAN -- A BGP-enabled VPN connection from the "onprem" site to the West Europe Hub -- A Local Network Gateway named "lng" to represent the West Europe Hub -- A BGP-enabled VPN connection from the Gateway in "onprem-vnet" to the Local Network Gateway - -After the script completes, it may take a few minutes for the connection to show "Connected" in the portal. - -Your Virtual WAN now looks like this: - -![image](images/scenario2.png) - -## Task 2: Verify connectivity -Connect to onprem-vm via Bastion and turn off IE Enhanced Security Configuration in Server Manager. - -Open Internet Explorer and browse to spoke-1-vm at 172.16.1.4 and spoke-2-vm at 172.16.2.4. - -:question: Does it connect? 
-## Task 3: Inspect routing -### :point_right: BGP routing exchange over VPN -In Cloud Shell, in the azure-vwan-microhack directory, run the branch-routes script: - -`./branch-routes.sh` - -This scripts pulls information on the BGP session from the VNET Gateway vnet-onprem-gw. - -:exclamation: Note that the "routes learned" output contains all routes the Gateway knows: those that are in the same VNET, with "origin" indicating "Network", as well as routes learned from the Virtual WAN Hub via BGP with "origin" indicating "EBgp". - -### :point_right: Branch routes -Now observe Effective Routes for onprem-vm. - - In the portal, in the Properties view of the VM Overview blade, click on Networking. Then click on the name of the Network Interface. The NIC overview shows, under Support + troubleshooting click Effective routes. - - Alternatively, in Cloud Shell, issue this command: - -`az network nic show-effective-route-table -g vwan-microhack-spoke-rg -n onprem-nic --output table` - -:exclamation: Note that routes are present for the Spoke VNETs, pointing to the local VNET VPN Gateway. - -The VNET Gateway learned the routes for the Spoke VNETs via BGP and programmed them into the vm route table automatically, without the need to install UDRs. - -### :point_right: Spoke routes -Observe Effective Routes for spoke-1-vm: - -`az network nic show-effective-route-table -g vwan-microhack-spoke-rg -n spoke-1-nic --output table` - -:exclamation: Notice that spoke-vm-1 now has routes for the IP ranges of the onprem site, 10.0.1.0/24 and 10.0.2.0/24. This site is connected via VPN, and although "Source" and "Next Hop Type" are the same as for peered VNET spoke-2-vnet, the next hop address is different. - -Whereas the next hop for spoke-vnet-2 is the Hub routing engine, the next hop for VPN connection is the VPN Gateway, which has a private IP address from the range assigned to Hub. 
- -The routes for the VPN connection where plumbed into the spoke automatically and there is no need to place User Defined Routes in the spoke VNETs. - -### :point_right: Hub routes -Observe the Effective routes of the Default route table. - -:exclamation: Note that routes for the on-prem site's prefixes are now present, pointing to S2S VPN Gateway. - -Realize that the Route Service itself is not in the data path for branch traffic. The Route Service acts as a route reflector, traffic flows directly between the VM in the spoke and VPN Gateway. - -# Scenario 3: Multi-regional Virtual WAN -We will now expand the Virtual WAN across regions by adding a Hub with Spokes in the US East region. - -A key take away from this scenario is that each hub runs its own routing instance and contains its own routing tables. - -Although tables may be called the same across Hubs, Default for example, it is important to realize that these are independent and there is no "global" routing table spanning the entire VWAN. - -At the end of this scenario, your lab looks like this: - -![image](images/scenario3.png) - -## Task 1: Add a Hub - -In the portal, Select your **microhack-vwan**. Under Connectivity, select Hubs, then +New Hub at the top of the page and complete the Basics dialog as follows: -- Region: East US -- Name: microhack-useast-hub -- Hub private address space: 192.168.1.0/24 - -As this Hub will not contain any gateways, skip the other tabs, click Review + create and then Create. - -Alternatively, in Cloud Shell, issue this command: - -`az network vhub create --address-prefix 192.168.1.0/24 --name microhack-useast-hub --vwan microhack-vwan --resource-group vwan-microhack-hub-rg --location eastus --sku Standard` - - This will take a few minutes to complete. - -## Task 2: Connect VNETs -Connect spoke-3-vnet and spoke-4-vnet to the new Hub. We connected VNETs through the portal in Scenario 1, so to save time we'll do this through a prepared shell script. 
- -In Cloud Shell, enter - -`./connect-us-east-spokes.sh` - -This will take a few minutes to complete. While the script runs, you can see the connections being added in the portal, in your microhack-vwan under Connectivity, Virtual network connections. Wait for both Connections to show status Succeeded, and for the Hub's Routing status to change from Provisioning to Succeeded. - -## Task 3: Verifiy connectivity and inspect routing -Connect to spoke-1-vm via Bastion. Open Internet Explorer, browse to spoke-3-vm at 172.16.3.4 and to spoke-4-vm at 172.16.4.4. - -Do the same from on-prem-vm. - -:question: Do you see the web pages from spoke-3-vm and spoke--4vm? - -:point_right: Spoke routes - -Observe Effective Routes for spoke-1-vm, either in the portal or in Cloud Shell through - -`az network nic show-effective-route-table -g vwan-microhack-spoke-rg -n spoke-1-nic --output table` - -:question: Which routes have been added to spoke-1-vm's route table? - -:question: What is the next hop for the new routes? - -:exclamation: Realize that Virtual WAN installed these routes into the Spoke 1 VNET automatically! - -Now observe Effective Routes for spoke-3-vm, which is in Spoke 3 connected to the US East Hub: - -`az network nic show-effective-route-table -g vwan-microhack-spoke-rg -n spoke-3-nic --output table` - -:exclamation: Note all routes, both for the US East "local" Spoke 4 and "remote" West Europe destinations, have the address of the Route Service in the US East Hub as their next hop. - -Again, realize that Virtual WAN installed these routes in the Spoke VNETs automatically! - -### :point_right: BGP routing exchange over VPN -In Cloud Shell, run the branch-routes script: - -`./branch-routes.sh` - -:question: Compare the AS path of the new routes for Spokes 3 and 4, to the AS path of the routes for Spokes 1 and 2. Why are they different? 
- -:point_right: Hub routes - -Observe Effective Routes of the Default route table on the microhack-we-hub, as you did in Scenario 1. - -:question: Which routes have been added and where do they point? - -:question: What is the meaning of the AS path? - -Then go to Effective Routes of the Default route table on the newly added microhack-eastus-hub. - -:question: Where do the routes for Spoke 1 and Spoke 2 (172.16.(1)(2).0/24) and the Branch (10.0.(1)(2).0/24) point? - -:question: What is their AS path and how does this compare to what you saw on the West Europe hub? - -:point_right: Association and Propagation - -In the portal, in the microhack-vwan blade under Connectivity click Virtual network connections and expand Virtual networks for both Hubs. - -:exclamation: Note that for all 4 connections across both Hubs, under Associated to Route Table it says "defaultRouteTable". - -This means that each connection takes its routing information from the default route table of its *local* hub. This is always the case: the route service in a Hub only programs routing information to its directly connected Spokes. - -:exclamation: Under Propagation to Route Tables, it also says "defaultRouteTable". This means that this connection sends its reachability information (i.e. the prefixes behind it) to its *local* default route table only, but *not* to the other Hub. - -However, we observed that the defaultRouteTable of the West Europe Hub does have routes for the Spokes in US East and vice versa. - -This happens because under Propagating to labels, there is the entry "default". - -Labels are a method of grouping Route Tables across Hubs, so that they do not have to be specified individually. The defaultRouteTables in all Hubs in a VWAN are automatically included in the "default" label, and Propagation to this label is automatically enabled. It is possible to change this after deployment to implement custom routing patterns. 
- -# Scenario 4: Isolated Spokes and Shared Services Spoke -Imagine an IT department that must facilitate DevOps teams. IT operates a number of central services, such as the networks in and between Azure and on-premise, and the Active Directory domain. - -DevOps teams are given their own VNETs in Azure, connected to a central hub that provides connectivity and the domain. The DevOps teams operate independently and their environments must remain isolated from each other. - -This scenario adds a Shared Services Spoke with a Domain Controller, and changes the routing so that the Spokes can only reach the Branch and the Shared Services Spoke, but remain isolated from each other. - -See https://docs.microsoft.com/en-us/azure/virtual-wan/scenario-shared-services-vnet for background. - -At the end of this Scenario your lab, with enabled and disabled traffic flows, looks like this: - -![image](images/scenario4.png) - -## Task 1: Connect Services Spoke - -Run the following in Cloud Shell to connect services-vnet to microhack-we-hub: - -`./connect-services-spoke.sh` - -Wait for the connection to complete and show status Succeeded in the portal. - -## Task 2: Create custom Route Tables - -## :hand: West Europe Hub - -In the microhack-we-hub, under Connectivity select Routing and then +Create route table. Complete the configuration as follows: -- Tab Basics - - Name: RT-Shared-we -- Tab Labels - - Label Name: Shared -- Tab Associations - - In the drop down under Virtual Networks, select both Spokes but do *not* select services-vnet -- Tab Propagations - - Under Branches, at Propagate routes from connections to this route table?, select Yes - - Under Virtual Networks, select services-vnet but do *not* select the Spokes -- Click Create - -The Routing view of the West Europe Hub hub now shows 2 connections associated to the Default table (Shared Service Spoke and Branch), and 4 connections propagating to the Default table (both Spokes, Shared Services and Branch). 
- -The RT-Shared-we table has 2 connections associated (both Spokes), and 2 connections propagating (Shared Services and Branch). - -![image](images/scenario-4-we-routetables.png) - -:exclamation: It may take a few minutes for the changes to complete. If RT-Shared-does not look as expected, edit the table and correct the Associations and Propagations settings per the instructions above. - -Before proceeding, ensure that the routing view of microhack-we-hub look as above, and that microhack-we-hub shows Succeeded for Hub status and Routing status. - -## :hand: US East Hub - -For microhack-useast-hub, under Connectivity select Routing and then +Create route table and complete as follows: -Tab Basics - - Name: RT-Shared-useast -- Tab Labels - - Label Name: Shared -- Tab Associations - - In the drop down under Virtual Networks, select both Spokes. -- Tab Propagations - - Enter *nothing* because: - - We do not want the local Spokes to propagate to this table, as they should not learn each other's routes - - The RT-Shared-useast table must only contain routes to the Shared Services Spoke- and the Branch connections, and it will learn these from the West Europe hub via the inter-hub link - - Click Create - -Routing for the US East Hub shows both Spoke VNET connections propagating to the Default route table, and both are associated with the RT-Shared-useast table. - -![image](images/scenario-4-useast-routetables.png) - -## :handshake: Cross-region - -:exclamation: We must also ensure that the Shared Services VNET connection and the Branch connection, which are connected to the West Europe Hub, *also* propagate to the RT-Shared-useast table. - -For the **Shared Services VNET**, this is configured on the connection, and we will use the Shared label which groups the RT-Shared tables in both hubs. - -In the microhack-vwan view, select Virtual network connections. Expand the connections on microhack-we-hub, click the elipsis at the end of the services-vnet row and select Edit. 
In the Propagate to labels drop-down, select both default and Shared labels, and click Confirm. - -![image](images/scenario-4-edit-shared.png) - -To let the **Branch** route propagate accross to the East US Hub, the Branches setting in the Propagations tab of RT-Shared-we, the Shared table in the **West Europe** hub, must be updated. Edit RT-Shared-we, click the Propgations tab. Under Branches (Site VPN/ExpressRoute/User VPN) ensure both default and Shared are selected. Click Create. - -![image](images/scenario-4-edit-branch.png) - -:beetle: **Bug alert** You may see an error message similar to this: - -"Deployment template validation failed: 'The resource 'Microsoft.Network/vpnGateways/microhack-we-hub-vng/vpnConnections/onprem' at line '183' and column '9' is defined multiple times in a template." - -This is caused by a bug. The work around is to close the portal browser tab, log in to the portal from a fresh tab and redo the operation. - -## Task 3: Verify connectivity - -Clear the browser cache on spoke-1-vm by pressing CRTL+Shift+Del. From spoke-1-vm, try to browse to any of the other Spokes (172.16.2/3/4.4), and the Branch (10.0.1.4). - -:question: Do the web pages of the Spokes and the Branch display? - -Try to ping spoke-addc-vm (172.16.10.4). - -:question: Does ping succeed? - -## Task 4 (Optional): Join Spoke vm to Domain -The Shared Service VNET contains an AD domain controller. - -To demonstrate connectivity from the Spokes to the Shared Services VNET, you can optionally join one or more spoke vm's to the domain. -- Point the DNS in spoke-vnet-1 to spoke-addc-vm, in Cloud Shell: - -`az network vnet update --name spoke-1-vnet --resource-group vwan-microhack-spoke-rg --dns-servers 172.16.10.4` - -- On spoke-1-vm, open a command prompt and enter: - -`ipconfig /renew` - -- On spoke-1-vm, open Server Manager and click Local Server. -- Then click WORKGROUP, click the Change ... 
button, select the Domain radio button under Member of and enter micro-hack.local, click OK. -- Enter credentials - - User name: AzureAdmin - - Password: Microhack2020 - -The machine will now join the domain and will need to be restarted for this change to take effect. - -## Task 5: Inspect routing - -:point_right: Spoke routes - -View Effective Routes for spoke-1-vm, in the portal or in Cloud Shell: - -`az network nic show-effective-route-table -g vwan-microhack-spoke-rg -n spoke-1-nic --output table` - -:question: Identify the routes that you see. Which routes are not there and is that as expected? - -View Effective Routes for spoke-addc-vm: - -`az network nic show-effective-route-table -g vwan-microhack-spoke-rg -n spoke-addc-1-nic --output table` - -:question: Again identify the routes that you see. What is different here from the routes at spoke-vm-1? - -:point_right: Hub routes - -View Effective Routes for the Default table of the West Europe hub: in the portal from microhack-vwan select Hubs, microhack-we-hub, Routing, click Default and View effective routes for this table. - -:question: Are routes for the Spokes (172.16.(1)(2)(3)(4).0/24) present? What does that mean for connections Associated with this table? - -:exclamation: Click Associations and under Current settings (Routing Configuration), note that spoke-1-vnet and spoke-2-vnet are *not* associated with the defaultRouteTable table, but they *are* propagating to defaultRouteTable. - -Go back to the Route Tables view of microhack-we-hub, click RT-Shared-we and then View effective routes for this table. - -:question: Are routes for the Spokes (172.16.(1)(2)(3)(4).0/24) present? - -:question: Are routes for the Shared Services VNET (172.16.10.0/24) and the Branch (10.0.(1)(2).0/24) present? - -:question: As the Spokes are associated with RT-Shared-we, what does this mean for destinations that the Spokes can reach? - -Now view RT-Shared-useast and Default tables for the US East Hub. 
- -:question: what does RT-Shared-useast contain? Why and what does this mean for the Spokes connected to the US East Hub? - -:exclamation: Note that the Default table does not contain routes. The Default route table of the US East Hub does not have any connections Associated with it. It does have connections Propagating into it, so should contain routing information. *Apparently* a route table shows empty when it has no connections Associated, i.e. nothing to consume its routing information. - -# Close out -You have explored VWAN routing to a good level of detail. As Virtual WAN grows and matures, it is important you have a good understanding of this topic to guide and help customers in a variety of use cases. This MicroHack is available for you to use with your teams, your customers and partners to reinforce their understanding. - -Below are optional challenges on network security in Virtual WAN with Network Virtual Appliances and Secured Hubs. Use this content at your own pace to expand your knowledge and skills. If you decide to continue now, skip the clean-up task below and start the optional Scenario 5. - -## Final Task: Delete all resources - -Run this script to delete all resources: - -`./clean-up-after-scenario-4.sh` - -This may take up to 30 minutes to compete. Remember to verify that all resources have indeed been deleted. - -In Cloud Shell, delete the azure-vwan-microhack directory: - -`rm -rf azure-vwan-microhack` - - -# Scenario 5 (Optional): Filter traffic through a Network Virtual Appliance -Virtual WAN today does not support third party NVA firewalls in the Hub. Third party SD-WAN concentrators from Barracuda and Cisco Viptella are now supported, but that capability does not yet exist for firewall products. - -Third party NVA firewalls must therefore be placed in a Spoke, with protected VNETs peered behind. -See https://docs.microsoft.com/en-us/azure/virtual-wan/scenario-route-through-nva for background on this pattern. 
-
-This scenario demonstrates how to route traffic through a third party Network Virtual Appliance. We use a single Linux VM with IPTables, with a rule set allowing all traffic.
-
-At the end of this Scenario your VWAN looks like this:
-
-![image](images/scenario5.png)
-
-:exclamation: Note that spoke-1-vnet and spoke-2-vnet are now disconnected from the West Europe Hub, and are peered behind a new Spoke containing the NVA. This nva-vnet is connected to Hub.
-
-In this scenario we will manipulate routing to direct traffic to and from spoke-1-vnet and spoke-2-vnet through the NVA. Outbound internet traffic from spoke-1-vnet and spoke-2-vnet will also be directed through the NVA, but we will discover that it is not possible to do so for spoke-3-vnet and spoke-4-vnet.
-
-## Task 1: Prepare the environment
-A number of changes must be made to prepare the Virtual WAN for this scenario:
-- Reconfigure for Default routing
-- Disconnect Spoke 1 and Spoke 2 from the Hub
-- Connect the NVA Spoke to the Hub
-- Peer Spoke 1 and Spoke 2 with the NVA Spoke
-
-To implement these changes, run this script in Cloud Shell:
-
-`./prep-for-scenario-5.sh`
-
-This will take a few minutes to complete.
-
-## Task 2: Add User Defined Routes
-We must now add UDRs to the subnet vmSubnet in both Spoke 1 and Spoke 2 VNETs, to direct all traffic to the NVA in nva-vnet.
-
-Run this script in Cloud Shell:
-
-`./add-udrs-scenario5.sh`
-
-In the portal, verify that a Route table (UDR) named "default-to-nva" has been created, and is associated subnet vmSubnet in both spoke-1-vnet and spoke-2-vnet.
-
-All traffic outbound from spoke-1-vm and spoke-2-vm is now directed to the NVA in nva-vnet.
-
-:exclamation: nva-vnet is already connected to West Europe Hub and has routes programmed by the Route Service, so we do not need to add a UDR manually.
-
-## Task 3: Modify VWAN routing
-The Virtual WAN is not aware that Spoke 1 and Spoke 2 are now behind the NVA, so we must update the routing by adding static custom routes for Spoke 1 and Spoke 2 pointing to the NVA.
-
-:exclamation: Note that a static custom route must be added to the Default route table of *both* the West Europe *and* the US East Hubs. It is not sufficient to only a static route to the West Europe Hub, as this route will not propagate to remote hubs.
-
-In the portal, go to the Routing blade of microhack-we-hub. Click the Default route table, and in Basics at the bottom, create a custom route:
-- Route name: spoke1-via-nva
-- Destination type: leave at CIDR
-- Destination prefix: 172.16.1.0/24
-- Next hop: select nva-we
-- Next Hop IP: now Configure appears, click this and enter 172.16.20.4 under Next Hop IP (this is the IP address of the NVA)
-
-Create a similar entry for Spoke 2 (172.16.2.0/24).
-
-Click Review+create and then Create.
-
-Then go the Routing blade of microhack-useast-hub and do the same. You can skip adding the Next Hop IP as the connection to nva-vnet already has this configuration applied.
-
-## Task 4: Verify connectivity
-:point_right: From "protected" VNETs Spoke 1 and Spoke 2
-
-On spoke-1-vm, traceroute and browse to each of the Spokes (172.16.(2)(3)(4).4) and to the Branch (10.0.1.4).
-
-:question: Do all browser connections succeed, what are the first hop addresses?
-
-On spoke-1-vm, traceroute and browse to www.bing.com.
-
-:question: Does the browser connection succeed, what is the first hop address?
-
-:point_right: From "unprotected" VNETs Spoke 3 and Spoke 4
-
-On spoke-3-vm, traceroute and browse to each of the Spokes (172.16.(1)(2)(4).4) and to the Branch (10.0.1.4).
-
-:question: Do all browser connections succeed, what are the first hop addresses?
-
-On spoke-3-vm, traceroute and browse to www.bing.com.
-
-:question: Does the browser connection succeed, what is the first hop address?
-
-## Task 5: Inspect routing
-
-:point_right: Spoke routes
-
-We will first look at the routes of one of the tiered Spokes. This is one of the Spokes connected behind the NVA VNET, no longer connected directlty to the Hub.
-
-View Effective Routes for spoke-1-vm, in the portal or in Cloud Shell:
-
-`az network nic show-effective-route-table -g vwan-microhack-spoke-rg -n spoke-1-nic --output table`
-
-:question: Identify the routes that you see. Comparing to Spoke routes we saw in previous scenario's, which routes are not there and is that as expected? Which route is now present and why?
-
-:exclamation: Realize that VWAN does not have visibility of tiered Spokes and cannot program the routing in the VNET. That is why we had to place UDRs in the tiered Spokes.
-
-View Effective Routes for spoke-3-vm, in the portal or in Cloud Shell:
-
-`az network nic show-effective-route-table -g vwan-microhack-spoke-rg -n spoke-1-nic --output table`
-
-:question: Identify the routes that you see. Comparing to Spoke routes we saw in previous scenario's, is this now different and why (not)?. From the perspective of Spoke 3, has placing Spokes 1 and 2 behind an NVA VNET on the *remote* hub changed its view of the network?
-
-:point_right: Hub routes
-
-View Effective Routes for the Default table of the West Europe hub: in the portal from microhack-vwan select Hubs, microhack-we-hub, Routing, click Default and View effective routes for this table.
-
-:question: Identify the routes for Spokes 1 and 2 (172.16.(1)(2).0/24). Where do they point and how did they get into the table?
-
-Now view Effective Routes for the Default table of the US East hub.
-
-:question: Again identify the routes for Spokes 1 and 2 (172.16.(1)(2).0/24). Where do they point and how did they get into the table?
-
-:exclamation: Note that the routes for the tiered Spokes 1 and 2 in the US East Hub's Default table have the connection to the nva-we VNET listed as next hop.
This is somewhat confusing, because the nva-we connection exists on the *remote* West Europe Hub! From perspective of the US East Hub, the next hop for these prefixes really is the West Europe Hub's route service.
-
-:point_right: Outbound internet access
-
-Traffic outbound to the internet from Spokes 1 and 2 is directed to the NVA, and it goes out via the NVA's public IP address. Verify this by browsing to www.whatismyipaddress.com from spoke-1-vm, check that the ip address reported is the public ip of the NVA shown in the portal.
-
-It would be ideal if outbound internet from spoke vnets directly connected to the VWAN, such as Spokes 3 and 4, could be forced through the NVA as well. This requires a custom route in the Hub default route tables, for destination prefix 0.0.0.0/0 pointing to the nva-vnet connection. This is not possible today as VWAN does not support the default route as a custom route entry.
-
-:exclamation: Using a Network Virtual Appliance firewall for outbound internet access from Spokes directly connected to the VWAN is not supported.
-
-# Scenario 6 (Optional): Secured Hubs
-
-This final and optional scenario converts the Hubs into Secured Hubs through Azure Firewall Manager. This operation deploys Azure Firewall into the Hubs.
-
-## Task #1: Restore the Virtual WAN
-
-To put the VWAN back into "default" state, a number of changes must be made:
-
-- Disconnect Spoke 1 and Spoke 2 from the the NVA Spoke
-- Remove UDRs from Spoke 1 and Spoke 2
-- Remove custom routes
-- Disconnect the NVA Spoke to the Hub
-- Connect Spoke 1 and Spoke 2 to the West Europe Hub
-
-To implement these changes, run this script in Cloud Shell:
-
-`./prep-for-scenario-6.sh`
-
-This will take a few minutes to complete.
-
-## Task #2: Convert to Secure Hubs
-
-We are now ready to convert our Virtual Hubs into Secured Hubs through Azure Firewall Manager. We will create a Firewall Policy in the same flow.
-
-:exclamation: Note that Firewall Manager is a separate top-level Azure service; it is not part of Virtual WAN. If you don't have it bookmarked already, find Firewall Manager using the search bar at the top of the portal.
-
-In the Firewall Mananger blade, click Azure Firewall Policies and + Create Azure Firewall Policy.
-
-**Basics**
-- Resource group: select vwan-microhack-hub-rg
-- Name: microhack-fw-policy
-- Region: West Europe
-
-**Rules**
-- Click + Add a rule collection
- - Name: default-policy
- - Rule collection type: Network
- - Priority: 100
- - Action: Allow
- - Rules:
- - Name: Allow-all
- - Source type: IP Address
- - Source: *
- - Protocol: Any
- - Destination Ports: *
- - Destination Type: IP Address
- - Destination: *
- - Click Add
-
-**Hubs**
-- Click +Associate virtual hubs
-- Select both your hubs
-- Click Add
-
-**Review+create**
-
-**Create**
-
-This deploys Azure Firewall into your Hubs and applies the Allow-all policy to both. This operation will take a few minutes to complete.
-
-## Task 3: Secure Internet traffic
-
-Route settings for your Secured Hubs are managed in Firewall Manager.
-
-In the Firewall Manager blade, click Secured virtual hubs, select microhack-we-hub and then Security configuration.
-
-In the drop downs under Internet traffic and Private traffic, select Azure Firewall and Send via Azure Firewall and click Save. This sets up Azure Firewall as the security provider, and inserts routes pointing to the Azure Firewall for the prefixes listed as Private traffic prefixes (link next to the drop down. Default this is set to the RFC1918 ranges of 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/24.
-
-Select all Connections, in the drop down under **Internet traffic** select Azure Firewall and click Save.
-
-:point_right: Spoke routes
-
-In Cloud Shell, pull up Effective routes of spoke-1-vm:
-
-`az network nic show-effective-route-table -g vwan-microhack-spoke-rg -n spoke-1-nic --output table`
-
-:question: where does the default route (0.0.0.0/0) point?
-
-Display the ip addresses of the he Azure Firewall in the secured hub:
-
-`az network firewall show -g vwan-microhack-hub-rg -n AzureFirewall_microhack-we-hub --query hubIpAddresses`
-
-:exclamation: Note that the default route now points to the private (inside) address of the Azure Firewall instance in the secured hub.
-
-On spoke-1-vm, browse to www.whatismyipaddress.com.
-
-:exclamation: Note that the outbound ip address is now the public ip address of the Azure Firewall instance.
-
-## Task 4: Secure Private traffic
-
-To be added, this is pending service update enabling V-SH-SH-V pattern.
-
-# Close out
-You have explored VWAN routing to a good level of detail. As Virtual WAN grows and matures, it is important you have a good understanding of the subject, to guide and help customers in a variety of use cases.
-
-This MicroHack is available for you to use with your teams, your customers and partners to reinforce their understanding.
-
-## Final Task: Delete all resources
-
-Delete the vwan-microhack-hub-rg and vwan-microhack-spoke-rg resource groups. This may take up to 30 minutes to compete. Check back to verify that all resources have indeed been deleted.
-
-In Cloud Shell, delete the azure-vwan-microhack directory:
-
-`rm -rf azure-vwan-microhack`
+# **Routing in Azure Virtual WAN MicroHack**
+
+# Contents
+[Introduction](#introduction)
+
+[Objectives](#objectives)
+
+[Scenario](#scenario)
+
+[Lab](#lab)
+
+[Prerequisites](#prerequisites)
+
+[Scenario 1: Single region Virtual WAN with Default Routing](#scenario-1-single-region-virtual-wan-with-default-routing)
+
+[Scenario 2: Add a branch connection](#scenario-2-add-a-branch-connection)
+
+[Scenario 3: Multi-regional Virtual WAN](#scenario-3-multi-regional-virtual-wan)
+
+[Scenario 4: Isolated Spokes and Shared Services Spoke](#scenario-4-isolated-spokes-and-shared-services-spoke)
+
+[Scenario 5 (Optional): Filter traffic through a Network Virtual Appliance](#scenario-5-optional-filter-traffic-through-a-network-virtual-appliance)
+
+[Scenario 6 (Optional): Secured Hubs](#scenario-6-optional-secured-hubs)
+
+[Close out](#close-out)
+
+# Introduction
+This MicroHack explores some of the advanced routing capabilities recently introduced into Azure Virtual WAN.
+
+The lab starts with a single Hub with Spoke VNETs and default routing. We then connect a simulated on-premise location via S2S VPN. Then we add another regional Hub with Spokes and observe how routing extends across multiple Hubs. Next we implement custom routing patterns for Shared Services- and Isolated Spokes.
+
+At the end of the MicroHack, there is optional content on network security in Virtual WAN with Network Virtual Appliances and with Secured Hubs.
+
+Prior to starting this MicroHack, please familiarize yourself with routing in Virtual WAN by reviewing the documentation at https://docs.microsoft.com/en-us/azure/virtual-wan/virtual-wan-about and https://docs.microsoft.com/en-us/azure/virtual-wan/about-virtual-hub-routing.
+
+# Objectives
+After completing this MicroHack you will:
+- Know how to build a hub-and-spoke topology with Virtual WAN
+- Understand default routing in Virtual WAN and how this differs from the classic virtual data center hub-and-spoke spoke architecture
+- Understand how custom routing works and know how to build some custom routing scenarios
+
+# Lab
+
+The lab consists of a Virtual WAN with Hubs in West Europe and US East, 4 Spoke VNETs (2 in West Europe, 1 in US East and 1 US West), a Shared Services VNET in West-Europe and a simulated On-premise location in North Europe.
+
+Each of the Spoke and On-prem VNETs contains a Virtual Machine running a basic web site. The Shared Services VNET contains an Active Directory Domain Controller. the NVA VNET contains a Linux VM with Iptables.
+
+An additional VNET containing a Network Virtual Appliance Linux-based firewall is also deployed. This NVA VNET is used in the optional advanced scenario's on network security.
+
+During the course of the MicroHack you will connect the Spoke and Shared Services VNETs and the On-premise site to Virtual WAN, deploy an additional Virtual WAN Hub, and manipulate and observe routing.
+
+At the end of the lab your deployment looks like this:
+
+![image](images/microhack-vwan.png)
+
+
+Although a Branch (site-to-site VPN) connection is part of this MicroHack, it does not cover the integration with products from SDWAN partners.
+# Prerequisites
+To make the most of your time on this MircoHack, the green elements in the diagram above are deployed and configured for you through Terraform. You will focus on deploying and configuring the blue items using the Azure portal and Cloud Shell.
+## Task 1: Deploy
+Steps:
+- Log in to Azure Cloud Shell at https://shell.azure.com/ and select Bash
+- Ensure Azure CLI and extensions are up to date:
+
+ `az upgrade --yes`
+
+- If necessary select your target subscription:
+
+ `az account set --subscription `
+
+- Clone the GitHub repository:
+
+ `git clone https://github.com/mddazure/azure-vwan-microhack`
+
+ - Change directory:
+
+ `cd ./azure-vwan-microhack`
+ - Initialize terraform and download the azurerm resource provider:
+
+ `terraform init`
+
+- Now start the deployment (when prompted, confirm with **yes** to start the deployment):
+
+ `terraform apply`
+
+Deployment takes approximately 30 minutes.
+## Task 2: Explore and verify
+
+After the Terraform deployment concludes successfully, the following has been deployed into your subscription:
+- A resource group named **vwan-microhack-spoke-rg** containing
+ - Four Spoke VNETs, each containing a Virtual Machine running a simple web site, and a Bastion Host.
+ - An Onprem VNET containing a Virtual Machine running a simple web site, a VNET Gateway and a Bastion Host.
+ - A Services VNET containing and a Virtual Machine configured as an Active Directory Domain Controller, and a Bastion Host.
+ - An NVA VNET containing a Virtual Machine with Linux (Ubuntu 18.4) and Iptables installed, and a Bastion Host.
+- A resource group named **vwan-microhack-hub-rg** containing a Virtual WAN resource with one Hub and one VPN Gateway. You will deploy another Hub into this resource group manually later on.
+
+Verify these resources are present in the portal.
+
+Credentials are identical for all VMs, as follows:
+- User name: AzureAdmin
+- Password: Microhack2020
+- Domain: micro-hack.local (this is on the ADDC VM only, the other VMs are not joined to this domain yet)
+
+You may log on to each VM through Bastion. Disable IE Enhanced Security Configuration in Server Manager, open Internet Explorer and access http://localhost.
You will see a blank page with the VM name in the upper left corner. When logging on to the ADDC VM before it is ready, you will see "Waiting for the Group Policy Client". That is OK, just let it run while you proceed with the lab.
+# Scenario 1: Single Region Virtual WAN with Default Routing
+
+In this scenario you connect in-region VNETs to the pre-deployed Hub, and establish VNET-to-VNET communication. You will then inspect effective routes on the spoke VMs and take a look at the VWAN Default routing table.
+## Task 1: Baseline
+Connect to spoke-1-vm via Bastion, turn off IE Enhanced Security Configuration in Server Manager, open Internet Explorer and attempt to connect to spoke-2-vm at 172.16.2.4.
+
+:question: Does it connect?
+
+Check the routing on spoke-1-vm, as follows:
+
+In the portal, in the Properties view of the VM Overview blade, click on Networking. Then click on the name of the Network Interface. The NIC overview shows, under Support + troubleshooting click Effective routes.
+
+Alternatively, in Cloud Shell, issue this command:
+
+`az network nic show-effective-route-table -g vwan-microhack-spoke-rg -n spoke-1-nic --output table`
+
+:question: Is there a specific route for spoke-2-vnet (172.16.2.0/24)?
+
+## Task 2: Connect VNETs
+In the portal, navigate to the Virtual WAN named **microhack-vwan** in resource group **vwan-microhack-hub-rg**.
+
+Click "Virtual network connections" under "Connectivity" and click "+ Add connection" at the top of the page.
+
+Name your connection **spoke-1-we**, select the hub (microhack-we-hub) and in the Resource group drop down select **vwan-microhack-spoke-rg**. In the Virtual network drop down, select **spoke-1-vnet**.
+
+Under Routing configuration, select:
+- Associate Route Table: Default
+- Propagate to Route Tables: Default
+- Propgate to labels: default
+
+Wait for the connection to reach status Succeeded, and do the same for **spoke-2-vnet**.
+![image](images/vwan-with-connections.png)
+
+Your Virtual WAN now looks like this:
+
+
+![image](images/scenario1.png)
+
+:question: Can you now browse from spoke-1-vm to spoke-2-vm and vice versa?
+
+### :point_right: Spoke routes
+Again observe Effective routes for spoke-1-vm.
+
+:exclamation: Notice it now has a route for spoke-2-vnet (172.16.2.0/24), pointing to a public address. This is the address of the Route Service, deployed into the Hub to enable routing between peered VNETs, branch connections and other Hubs. The fact that this is a public IP address does not present a security risk, it is not reachable from the internet.
+
+:exclamation: Notice that the routes that enable spoke-to-spoke communication were plumbed into the spoke VNETs automatically. Contrast this with a "classic" hub-and-spoke architecture, where you would need to set up a routing device in the hub VNET and then put UDRs in each of the spokes manually.
+
+### :point_right: Hub routes
+Navigate to the blade for the microhack-we-hub in your Virtual WAN and select Routing under Connectivity. Notice there are two Route tables present now: Default and None.
+
+Click on Effective Routes. In the drop downs on the next page, select Route Table and Default respectively. This brings up the Default route table.
+
+:exclamation: Note that routes for the prefixes of both connected VNETs are present, pointing to the respective VNET connections.
+
+Go back up to the microhack-vwan overview page, and click Virtual network connections under Connectivity. In the table, under Virtual network, click ">" to view the individual VNET connections.
+
+A Virtual WAN can contain multiple Route tables, and we'll add some in the course of this MicroHack. Each Connection (Hub-to-Spoke VNET, ExpressRoute, S2S (Branch) VPN or P2S (User) VPN) can be *Associated* with a single table and be *Propagating* to multiple tables.
+
+:exclamation: The Default table has Associated Connections and Propagating Connections.
Both Spoke VNETs are Associated with and Propagating to the Default table.
+
+*Associated* means that traffic from the Connections listed is governed by this table, in this case the Default route table. This table decides where traffic sent from the connection to the VWAN Route Service (remember the route entry pointing to the public IP address in the Spoke VM's Effective Routes) goes.
+
+*Propagating* means that the Connection's destinations are entered into this Routing table: the table learns the Connection's routes.
+
+The None Route table is also present for each Hub; traffic from Connections Associated with this Route table is dropped.
+
+# Scenario 2: Add a branch connection
+
+Now connect a branch site via a BGP-enabled VPN connection and explore the routing between spokes and the branch. The branch site is simulated through a VNET with a VNET Gateway which was deployed through Terraform as part of the Prerequisites.
+
+## Task 1: Connect a simulated branch site
+
+In Cloud Shell, in the azure-vwan-microhack directory
+- Run the connect-branch shell script:
+
+`./connect-branch.sh`
+
+The script contains Azure CLI commands that create following resources:
+- A VPN Site named "onprem" in the Virtual WAN
+- A BGP-enabled VPN connection from the "onprem" site to the West Europe Hub
+- A Local Network Gateway named "lng" to represent the West Europe Hub
+- A BGP-enabled VPN connection from the Gateway in "onprem-vnet" to the Local Network Gateway
+
+After the script completes, it may take a few minutes for the connection to show "Connected" in the portal.
+
+Your Virtual WAN now looks like this:
+
+![image](images/scenario2.png)
+
+## Task 2: Verify connectivity
+Connect to onprem-vm via Bastion and turn off IE Enhanced Security Configuration in Server Manager.
+
+Open Internet Explorer and browse to spoke-1-vm at 172.16.1.4 and spoke-2-vm at 172.16.2.4.
+
+:question: Does it connect?
+## Task 3: Inspect routing
+### :point_right: BGP routing exchange over VPN
+In Cloud Shell, in the azure-vwan-microhack directory, run the branch-routes script:
+
+`./branch-routes.sh`
+
+This scripts pulls information on the BGP session from the VNET Gateway vnet-onprem-gw.
+
+:exclamation: Note that the "routes learned" output contains all routes the Gateway knows: those that are in the same VNET, with "origin" indicating "Network", as well as routes learned from the Virtual WAN Hub via BGP with "origin" indicating "EBgp".
+
+### :point_right: Branch routes
+Now observe Effective Routes for onprem-vm.
+
+ In the portal, in the Properties view of the VM Overview blade, click on Networking. Then click on the name of the Network Interface. The NIC overview shows, under Support + troubleshooting click Effective routes.
+
+ Alternatively, in Cloud Shell, issue this command:
+
+`az network nic show-effective-route-table -g vwan-microhack-spoke-rg -n onprem-nic --output table`
+
+:exclamation: Note that routes are present for the Spoke VNETs, pointing to the local VNET VPN Gateway.
+
+The VNET Gateway learned the routes for the Spoke VNETs via BGP and programmed them into the vm route table automatically, without the need to install UDRs.
+
+### :point_right: Spoke routes
+Observe Effective Routes for spoke-1-vm:
+
+`az network nic show-effective-route-table -g vwan-microhack-spoke-rg -n spoke-1-nic --output table`
+
+:exclamation: Notice that spoke-vm-1 now has routes for the IP ranges of the onprem site, 10.0.1.0/24 and 10.0.2.0/24. This site is connected via VPN, and although "Source" and "Next Hop Type" are the same as for peered VNET spoke-2-vnet, the next hop address is different.
+
+Whereas the next hop for spoke-vnet-2 is the Hub routing engine, the next hop for VPN connection is the VPN Gateway, which has a private IP address from the range assigned to Hub.
+
+The routes for the VPN connection where plumbed into the spoke automatically and there is no need to place User Defined Routes in the spoke VNETs.
+
+### :point_right: Hub routes
+Observe the Effective routes of the Default route table.
+
+:exclamation: Note that routes for the on-prem site's prefixes are now present, pointing to S2S VPN Gateway.
+
+Realize that the Route Service itself is not in the data path for branch traffic. The Route Service acts as a route reflector, traffic flows directly between the VM in the spoke and VPN Gateway.
+
+# Scenario 3: Multi-regional Virtual WAN
+We will now expand the Virtual WAN across regions by adding a Hub with Spokes in the US East region.
+
+A key take away from this scenario is that each hub runs its own routing instance and contains its own routing tables.
+
+Although tables may be called the same across Hubs, Default for example, it is important to realize that these are independent and there is no "global" routing table spanning the entire VWAN.
+
+At the end of this scenario, your lab looks like this:
+
+![image](images/scenario3.png)
+
+## Task 1: Add a Hub
+
+In the portal, Select your **microhack-vwan**. Under Connectivity, select Hubs, then +New Hub at the top of the page and complete the Basics dialog as follows:
+- Region: East US
+- Name: microhack-useast-hub
+- Hub private address space: 192.168.1.0/24
+
+As this Hub will not contain any gateways, skip the other tabs, click Review + create and then Create.
+
+Alternatively, in Cloud Shell, issue this command:
+
+`az network vhub create --address-prefix 192.168.1.0/24 --name microhack-useast-hub --vwan microhack-vwan --resource-group vwan-microhack-hub-rg --location eastus --sku Standard`
+
+ This will take a few minutes to complete.
+
+## Task 2: Connect VNETs
+Connect spoke-3-vnet and spoke-4-vnet to the new Hub. We connected VNETs through the portal in Scenario 1, so to save time we'll do this through a prepared shell script.
+
+In Cloud Shell, enter
+
+`./connect-us-east-spokes.sh`
+
+This will take a few minutes to complete. While the script runs, you can see the connections being added in the portal, in your microhack-vwan under Connectivity, Virtual network connections. Wait for both Connections to show status Succeeded, and for the Hub's Routing status to change from Provisioning to Succeeded.
+
+## Task 3: Verifiy connectivity and inspect routing
+Connect to spoke-1-vm via Bastion. Open Internet Explorer, browse to spoke-3-vm at 172.16.3.4 and to spoke-4-vm at 172.16.4.4.
+
+Do the same from on-prem-vm.
+
+:question: Do you see the web pages from spoke-3-vm and spoke--4vm?
+
+:point_right: Spoke routes
+
+Observe Effective Routes for spoke-1-vm, either in the portal or in Cloud Shell through
+
+`az network nic show-effective-route-table -g vwan-microhack-spoke-rg -n spoke-1-nic --output table`
+
+:question: Which routes have been added to spoke-1-vm's route table?
+
+:question: What is the next hop for the new routes?
+
+:exclamation: Realize that Virtual WAN installed these routes into the Spoke 1 VNET automatically!
+
+Now observe Effective Routes for spoke-3-vm, which is in Spoke 3 connected to the US East Hub:
+
+`az network nic show-effective-route-table -g vwan-microhack-spoke-rg -n spoke-3-nic --output table`
+
+:exclamation: Note all routes, both for the US East "local" Spoke 4 and "remote" West Europe destinations, have the address of the Route Service in the US East Hub as their next hop.
+
+Again, realize that Virtual WAN installed these routes in the Spoke VNETs automatically!
+
+### :point_right: BGP routing exchange over VPN
+In Cloud Shell, run the branch-routes script:
+
+`./branch-routes.sh`
+
+:question: Compare the AS path of the new routes for Spokes 3 and 4, to the AS path of the routes for Spokes 1 and 2. Why are they different?
+
+:point_right: Hub routes
+
+Observe Effective Routes of the Default route table on the microhack-we-hub, as you did in Scenario 1.
+
+:question: Which routes have been added and where do they point?
+
+:question: What is the meaning of the AS path?
+
+Then go to Effective Routes of the Default route table on the newly added microhack-eastus-hub.
+
+:question: Where do the routes for Spoke 1 and Spoke 2 (172.16.(1)(2).0/24) and the Branch (10.0.(1)(2).0/24) point?
+
+:question: What is their AS path and how does this compare to what you saw on the West Europe hub?
+
+:point_right: Association and Propagation
+
+In the portal, in the microhack-vwan blade under Connectivity click Virtual network connections and expand Virtual networks for both Hubs.
+
+:exclamation: Note that for all 4 connections across both Hubs, under Associated to Route Table it says "defaultRouteTable".
+
+This means that each connection takes its routing information from the default route table of its *local* hub. This is always the case: the route service in a Hub only programs routing information to its directly connected Spokes.
+
+:exclamation: Under Propagation to Route Tables, it also says "defaultRouteTable". This means that this connection sends its reachability information (i.e. the prefixes behind it) to its *local* default route table only, but *not* to the other Hub.
+
+However, we observed that the defaultRouteTable of the West Europe Hub does have routes for the Spokes in US East and vice versa.
+
+This happens because under Propagating to labels, there is the entry "default".
+
+Labels are a method of grouping Route Tables across Hubs, so that they do not have to be specified individually. The defaultRouteTables in all Hubs in a VWAN are automatically included in the "default" label, and Propagation to this label is automatically enabled. It is possible to change this after deployment to implement custom routing patterns.
+
+# Scenario 4: Isolated Spokes and Shared Services Spoke
+Imagine an IT department that must facilitate DevOps teams. IT operates a number of central services, such as the networks in and between Azure and on-premise, and the Active Directory domain.
+
+DevOps teams are given their own VNETs in Azure, connected to a central hub that provides connectivity and the domain. The DevOps teams operate independently and their environments must remain isolated from each other.
+
+This scenario adds a Shared Services Spoke with a Domain Controller, and changes the routing so that the Spokes can only reach the Branch and the Shared Services Spoke, but remain isolated from each other.
+
+See https://docs.microsoft.com/en-us/azure/virtual-wan/scenario-shared-services-vnet for background.
+
+At the end of this Scenario your lab, with enabled and disabled traffic flows, looks like this:
+
+![image](images/scenario4.png)
+
+## Task 1: Connect Services Spoke
+
+Run the following in Cloud Shell to connect services-vnet to microhack-we-hub:
+
+`./connect-services-spoke.sh`
+
+Wait for the connection to complete and show status Succeeded in the portal.
+
+## Task 2: Create custom Route Tables
+
+## :hand: West Europe Hub
+
+In the microhack-we-hub, under Connectivity select Routing and then +Create route table. Complete the configuration as follows:
+- Tab Basics
+ - Name: RT-Shared-we
+- Tab Labels
+ - Label Name: Shared
+- Tab Associations
+ - In the drop down under Virtual Networks, select both Spokes but do *not* select services-vnet
+- Tab Propagations
+ - Under Branches, at Propagate routes from connections to this route table?, select Yes
+ - Under Virtual Networks, select services-vnet but do *not* select the Spokes
+- Click Create
+
+The Routing view of the West Europe Hub hub now shows 2 connections associated to the Default table (Shared Service Spoke and Branch), and 4 connections propagating to the Default table (both Spokes, Shared Services and Branch).
+
+The RT-Shared-we table has 2 connections associated (both Spokes), and 2 connections propagating (Shared Services and Branch).
+
+![image](images/scenario-4-we-routetables.png)
+
+:exclamation: It may take a few minutes for the changes to complete. If RT-Shared-does not look as expected, edit the table and correct the Associations and Propagations settings per the instructions above.
+
+Before proceeding, ensure that the routing view of microhack-we-hub look as above, and that microhack-we-hub shows Succeeded for Hub status and Routing status.
+
+## :hand: US East Hub
+
+For microhack-useast-hub, under Connectivity select Routing and then +Create route table and complete as follows:
+Tab Basics
+ - Name: RT-Shared-useast
+- Tab Labels
+ - Label Name: Shared
+- Tab Associations
+ - In the drop down under Virtual Networks, select both Spokes.
+- Tab Propagations
+ - Enter *nothing* because:
+ - We do not want the local Spokes to propagate to this table, as they should not learn each other's routes
+ - The RT-Shared-useast table must only contain routes to the Shared Services Spoke- and the Branch connections, and it will learn these from the West Europe hub via the inter-hub link
+ - Click Create
+
+Routing for the US East Hub shows both Spoke VNET connections propagating to the Default route table, and both are associated with the RT-Shared-useast table.
+
+![image](images/scenario-4-useast-routetables.png)
+
+## :handshake: Cross-region
+
+:exclamation: We must also ensure that the Shared Services VNET connection and the Branch connection, which are connected to the West Europe Hub, *also* propagate to the RT-Shared-useast table.
+
+For the **Shared Services VNET**, this is configured on the connection, and we will use the Shared label which groups the RT-Shared tables in both hubs.
+
+In the microhack-vwan view, select Virtual network connections. Expand the connections on microhack-we-hub, click the elipsis at the end of the services-vnet row and select Edit.
In the Propagate to labels drop-down, select both default and Shared labels, and click Confirm. + +![image](images/scenario-4-edit-shared.png) + +To let the **Branch** route propagate accross to the East US Hub, the Branches setting in the Propagations tab of RT-Shared-we, the Shared table in the **West Europe** hub, must be updated. Edit RT-Shared-we, click the Propgations tab. Under Branches (Site VPN/ExpressRoute/User VPN) ensure both default and Shared are selected. Click Create. + +![image](images/scenario-4-edit-branch.png) + +:beetle: **Bug alert** You may see an error message similar to this: + +"Deployment template validation failed: 'The resource 'Microsoft.Network/vpnGateways/microhack-we-hub-vng/vpnConnections/onprem' at line '183' and column '9' is defined multiple times in a template." + +This is caused by a bug. The work around is to close the portal browser tab, log in to the portal from a fresh tab and redo the operation. + +## Task 3: Verify connectivity + +Clear the browser cache on spoke-1-vm by pressing CRTL+Shift+Del. From spoke-1-vm, try to browse to any of the other Spokes (172.16.2/3/4.4), and the Branch (10.0.1.4). + +:question: Do the web pages of the Spokes and the Branch display? + +Try to ping spoke-addc-vm (172.16.10.4). + +:question: Does ping succeed? + +## Task 4 (Optional): Join Spoke vm to Domain +The Shared Service VNET contains an AD domain controller. + +To demonstrate connectivity from the Spokes to the Shared Services VNET, you can optionally join one or more spoke vm's to the domain. +- Point the DNS in spoke-vnet-1 to spoke-addc-vm, in Cloud Shell: + +`az network vnet update --name spoke-1-vnet --resource-group vwan-microhack-spoke-rg --dns-servers 172.16.10.4` + +- On spoke-1-vm, open a command prompt and enter: + +`ipconfig /renew` + +- On spoke-1-vm, open Server Manager and click Local Server. +- Then click WORKGROUP, click the Change ... 
button, select the Domain radio button under Member of and enter micro-hack.local, click OK. +- Enter credentials + - User name: AzureAdmin + - Password: Microhack2020 + +The machine will now join the domain and will need to be restarted for this change to take effect. + +## Task 5: Inspect routing + +:point_right: Spoke routes + +View Effective Routes for spoke-1-vm, in the portal or in Cloud Shell: + +`az network nic show-effective-route-table -g vwan-microhack-spoke-rg -n spoke-1-nic --output table` + +:question: Identify the routes that you see. Which routes are not there and is that as expected? + +View Effective Routes for spoke-addc-vm: + +`az network nic show-effective-route-table -g vwan-microhack-spoke-rg -n spoke-addc-1-nic --output table` + +:question: Again identify the routes that you see. What is different here from the routes at spoke-vm-1? + +:point_right: Hub routes + +View Effective Routes for the Default table of the West Europe hub: in the portal from microhack-vwan select Hubs, microhack-we-hub, Routing, click Default and View effective routes for this table. + +:question: Are routes for the Spokes (172.16.(1)(2)(3)(4).0/24) present? What does that mean for connections Associated with this table? + +:exclamation: Click Associations and under Current settings (Routing Configuration), note that spoke-1-vnet and spoke-2-vnet are *not* associated with the defaultRouteTable table, but they *are* propagating to defaultRouteTable. + +Go back to the Route Tables view of microhack-we-hub, click RT-Shared-we and then View effective routes for this table. + +:question: Are routes for the Spokes (172.16.(1)(2)(3)(4).0/24) present? + +:question: Are routes for the Shared Services VNET (172.16.10.0/24) and the Branch (10.0.(1)(2).0/24) present? + +:question: As the Spokes are associated with RT-Shared-we, what does this mean for destinations that the Spokes can reach? + +Now view RT-Shared-useast and Default tables for the US East Hub. 
+ +:question: what does RT-Shared-useast contain? Why and what does this mean for the Spokes connected to the US East Hub? + +:exclamation: Note that the Default table does not contain routes. The Default route table of the US East Hub does not have any connections Associated with it. It does have connections Propagating into it, so should contain routing information. *Apparently* a route table shows empty when it has no connections Associated, i.e. nothing to consume its routing information. + +# Close out +You have explored VWAN routing to a good level of detail. As Virtual WAN grows and matures, it is important you have a good understanding of this topic to guide and help customers in a variety of use cases. This MicroHack is available for you to use with your teams, your customers and partners to reinforce their understanding. + +Below are optional challenges on network security in Virtual WAN with Network Virtual Appliances and Secured Hubs. Use this content at your own pace to expand your knowledge and skills. If you decide to continue now, skip the clean-up task below and start the optional Scenario 5. + +## Final Task: Delete all resources + +Run this script to delete all resources: + +`./clean-up-after-scenario-4.sh` + +This may take up to 30 minutes to compete. Remember to verify that all resources have indeed been deleted. + +In Cloud Shell, delete the azure-vwan-microhack directory: + +`rm -rf azure-vwan-microhack` + + +# Scenario 5 (Optional): Filter traffic through a Network Virtual Appliance +Virtual WAN today does not support third party NVA firewalls in the Hub. Third party SD-WAN concentrators from Barracuda and Cisco Viptella are now supported, but that capability does not yet exist for firewall products. + +Third party NVA firewalls must therefore be placed in a Spoke, with protected VNETs peered behind. +See https://docs.microsoft.com/en-us/azure/virtual-wan/scenario-route-through-nva for background on this pattern. 
+ +This scenario demonstrates how to route traffic through a third party Network Virtual Appliance. We use a single Linux VM with IPTables, with a rule set allowing all traffic. + +At the end of this Scenario your VWAN looks like this: + +![image](images/scenario5.png) + +:exclamation: Note that spoke-1-vnet and spoke-2-vnet are now disconnected from the West Europe Hub, and are peered behind a new Spoke containing the NVA. This nva-vnet is connected to Hub. + +In this scenario we will manipulate routing to direct traffic to and from spoke-1-vnet and spoke-2-vnet through the NVA. Outbound internet traffic from spoke-1-vnet and spoke-2-vnet will also be directed through the NVA, but we will discover that it is not possible to do so for spoke-3-vnet and spoke-4-vnet. + +## Task 1: Prepare the environment +A number of changes must be made to prepare the Virtual WAN for this scenario: +- Reconfigure for Default routing +- Disconnect Spoke 1 and Spoke 2 from the Hub +- Connect the NVA Spoke to the Hub +- Peer Spoke 1 and Spoke 2 with the NVA Spoke + +To implement these changes, run this script in Cloud Shell: + +`./prep-for-scenario-5.sh` + +This will take a few minutes to complete. + +## Task 2: Add User Defined Routes +We must now add UDRs to the subnet vmSubnet in both Spoke 1 and Spoke 2 VNETs, to direct all traffic to the NVA in nva-vnet. + +Run this script in Cloud Shell: + +`./add-udrs-scenario5.sh` + +In the portal, verify that a Route table (UDR) named "default-to-nva" has been created, and is associated subnet vmSubnet in both spoke-1-vnet and spoke-2-vnet. + +All traffic outbound from spoke-1-vm and spoke-2-vm is now directed to the NVA in nva-vnet. + +:exclamation: nva-vnet is already connected to West Europe Hub and has routes programmed by the Route Service, so we do not need to add a UDR manually. 
+ +## Task 3: Modify VWAN routing +The Virtual WAN is not aware that Spoke 1 and Spoke 2 are now behind the NVA, so we must update the routing by adding static custom routes for Spoke 1 and Spoke 2 pointing to the NVA. + +:exclamation: Note that a static custom route must be added to the Default route table of *both* the West Europe *and* the US East Hubs. It is not sufficient to only a static route to the West Europe Hub, as this route will not propagate to remote hubs. + +In the portal, go to the Routing blade of microhack-we-hub. Click the Default route table, and in Basics at the bottom, create a custom route: +- Route name: spoke1-via-nva +- Destination type: leave at CIDR +- Destination prefix: 172.16.1.0/24 +- Next hop: select nva-we +- Next Hop IP: now Configure appears, click this and enter 172.16.20.4 under Next Hop IP (this is the IP address of the NVA) + +Create a similar entry for Spoke 2 (172.16.2.0/24). + +Click Review+create and then Create. + +Then go the Routing blade of microhack-useast-hub and do the same. You can skip adding the Next Hop IP as the connection to nva-vnet already has this configuration applied. + +## Task 4: Verify connectivity +:point_right: From "protected" VNETs Spoke 1 and Spoke 2 + +On spoke-1-vm, traceroute and browse to each of the Spokes (172.16.(2)(3)(4).4) and to the Branch (10.0.1.4). + +:question: Do all browser connections succeed, what are the first hop addresses? + +On spoke-1-vm, traceroute and browse to www.bing.com. + +:question: Does the browser connection succeed, what is the first hop address? + +:point_right: From "unprotected" VNETs Spoke 3 and Spoke 4 + +On spoke-3-vm, traceroute and browse to each of the Spokes (172.16.(1)(2)(4).4) and to the Branch (10.0.1.4). + +:question: Do all browser connections succeed, what are the first hop addresses? + +On spoke-3-vm, traceroute and browse to www.bing.com. + +:question: Does the browser connection succeed, what is the first hop address? 
+ +## Task 5: Inspect routing + +:point_right: Spoke routes + +We will first look at the routes of one of the tiered Spokes. This is one of the Spokes connected behind the NVA VNET, no longer connected directlty to the Hub. + +View Effective Routes for spoke-1-vm, in the portal or in Cloud Shell: + +`az network nic show-effective-route-table -g vwan-microhack-spoke-rg -n spoke-1-nic --output table` + +:question: Identify the routes that you see. Comparing to Spoke routes we saw in previous scenario's, which routes are not there and is that as expected? Which route is now present and why? + +:exclamation: Realize that VWAN does not have visibility of tiered Spokes and cannot program the routing in the VNET. That is why we had to place UDRs in the tiered Spokes. + +View Effective Routes for spoke-3-vm, in the portal or in Cloud Shell: + +`az network nic show-effective-route-table -g vwan-microhack-spoke-rg -n spoke-1-nic --output table` + +:question: Identify the routes that you see. Comparing to Spoke routes we saw in previous scenario's, is this now different and why (not)?. From the perspective of Spoke 3, has placing Spokes 1 and 2 behind an NVA VNET on the *remote* hub changed its view of the network? + +:point_right: Hub routes + +View Effective Routes for the Default table of the West Europe hub: in the portal from microhack-vwan select Hubs, microhack-we-hub, Routing, click Default and View effective routes for this table. + +:question: Identify the routes for Spokes 1 and 2 (172.16.(1)(2).0/24). Where do they point and how did they get into the table? + +Now view Effective Routes for the Default table of the US East hub. + +:question: Again identify the routes for Spokes 1 and 2 (172.16.(1)(2).0/24). Where do they point and how did they get into the table? + +:exclamation: Note that the routes for the tiered Spokes 1 and 2 in the US East Hub's Default table have the connection to the nva-we VNET listed as next hop. 
This is somewhat confusing, because the nva-we connection exists on the *remote* West Europe Hub! From perspective of the US East Hub, the next hop for these prefixes really is the West Europe Hub's route service. + +:point_right: Outbound internet access + +Traffic outbound to the internet from Spokes 1 and 2 is directed to the NVA, and it goes out via the NVA's public IP address. Verify this by browsing to www.whatismyipaddress.com from spoke-1-vm, check that the ip address reported is the public ip of the NVA shown in the portal. + +It would be ideal if outbound internet from spoke vnets directly connected to the VWAN, such as Spokes 3 and 4, could be forced through the NVA as well. This requires a custom route in the Hub default route tables, for destination prefix 0.0.0.0/0 pointing to the nva-vnet connection. This is not possible today as VWAN does not support the default route as a custom route entry. + +:exclamation: Using a Network Virtual Appliance firewall for outbound internet access from Spokes directly connected to the VWAN is not supported. + +# Scenario 6 (Optional): Secured Hubs + +This final and optional scenario converts the Hubs into Secured Hubs through Azure Firewall Manager. This operation deploys Azure Firewall into the Hubs. + +## Task #1: Restore the Virtual WAN + +To put the VWAN back into "default" state, a number of changes must be made: + +- Disconnect Spoke 1 and Spoke 2 from the the NVA Spoke +- Remove UDRs from Spoke 1 and Spoke 2 +- Remove custom routes +- Disconnect the NVA Spoke to the Hub +- Connect Spoke 1 and Spoke 2 to the West Europe Hub + +To implement these changes, run this script in Cloud Shell: + +`./prep-for-scenario-6.sh` + +This will take a few minutes to complete. + +## Task #2: Convert to Secure Hubs + +We are now ready to convert our Virtual Hubs into Secured Hubs through Azure Firewall Manager. We will create a Firewall Policy in the same flow. 
+ +:exclamation: Note that Firewall Manager is a separate top-level Azure service; it is not part of Virtual WAN. If you don't have it bookmarked already, find Firewall Manager using the search bar at the top of the portal. + +In the Firewall Mananger blade, click Azure Firewall Policies and + Create Azure Firewall Policy. + +**Basics** +- Resource group: select vwan-microhack-hub-rg +- Name: microhack-fw-policy +- Region: West Europe + +**Rules** +- Click + Add a rule collection + - Name: default-policy + - Rule collection type: Network + - Priority: 100 + - Action: Allow + - Rules: + - Name: Allow-all + - Source type: IP Address + - Source: * + - Protocol: Any + - Destination Ports: * + - Destination Type: IP Address + - Destination: * + - Click Add + +**Hubs** +- Click +Associate virtual hubs +- Select both your hubs +- Click Add + +**Review+create** + +**Create** + +This deploys Azure Firewall into your Hubs and applies the Allow-all policy to both. This operation will take a few minutes to complete. + +## Task 3: Secure Internet traffic + +Route settings for your Secured Hubs are managed in Firewall Manager. + +In the Firewall Manager blade, click Secured virtual hubs, select microhack-we-hub and then Security configuration. + +In the drop downs under Internet traffic and Private traffic, select Azure Firewall and Send via Azure Firewall and click Save. This sets up Azure Firewall as the security provider, and inserts routes pointing to the Azure Firewall for the prefixes listed as Private traffic prefixes (link next to the drop down. Default this is set to the RFC1918 ranges of 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/24. + +Select all Connections, in the drop down under **Internet traffic** select Azure Firewall and click Save. 
+ +:point_right: Spoke routes + +In Cloud Shell, pull up Effective routes of spoke-1-vm: + +`az network nic show-effective-route-table -g vwan-microhack-spoke-rg -n spoke-1-nic --output table` + +:question: where does the default route (0.0.0.0/0) point? + +Display the ip addresses of the he Azure Firewall in the secured hub: + +`az network firewall show -g vwan-microhack-hub-rg -n AzureFirewall_microhack-we-hub --query hubIpAddresses` + +:exclamation: Note that the default route now points to the private (inside) address of the Azure Firewall instance in the secured hub. + +On spoke-1-vm, browse to www.whatismyipaddress.com. + +:exclamation: Note that the outbound ip address is now the public ip address of the Azure Firewall instance. + +## Task 4: Secure Private traffic + +To be added, this is pending service update enabling V-SH-SH-V pattern. + +# Close out +You have explored VWAN routing to a good level of detail. As Virtual WAN grows and matures, it is important you have a good understanding of the subject, to guide and help customers in a variety of use cases. + +This MicroHack is available for you to use with your teams, your customers and partners to reinforce their understanding. + +## Final Task: Delete all resources + +Delete the vwan-microhack-hub-rg and vwan-microhack-spoke-rg resource groups. This may take up to 30 minutes to compete. Check back to verify that all resources have indeed been deleted. + +In Cloud Shell, delete the azure-vwan-microhack directory: + +`rm -rf azure-vwan-microhack` diff --git a/add-udrs-scenario5.sh b/add-udrs-scenario5.sh index 046dd2a..f8d45c0 100755 --- a/add-udrs-scenario5.sh +++ b/add-udrs-scenario5.sh 
@@ -1,8 +1,8 @@
-echo "# creating UDR"
-az network route-table create --name default-to-nva --resource-group vwan-microhack-spoke-rg --location westeurope
-echo "# creating default route"
-az network route-table route create --address-prefix 0.0.0.0/0 --name default-route --next-hop-type VirtualAppliance --next-hop-ip-address 172.16.20.4 --resource-group vwan-microhack-spoke-rg --route-table-name default-to-nva
-echo "# associating with vmSubnet in spoke-1-vnet"
-az network vnet subnet update --resource-group vwan-microhack-spoke-rg --name vmSubnet --vnet-name spoke-1-vnet --route-table default-to-nva
-echo "# associating with vmSubnet in spoke-2-vnet"
+echo "# creating UDR"
+az network route-table create --name default-to-nva --resource-group vwan-microhack-spoke-rg --location westeurope
+echo "# creating default route"
+az network route-table route create --address-prefix 0.0.0.0/0 --name default-route --next-hop-type VirtualAppliance --next-hop-ip-address 172.16.20.4 --resource-group vwan-microhack-spoke-rg --route-table-name default-to-nva
+echo "# associating with vmSubnet in spoke-1-vnet"
+az network vnet subnet update --resource-group vwan-microhack-spoke-rg --name vmSubnet --vnet-name spoke-1-vnet --route-table default-to-nva
+echo "# associating with vmSubnet in spoke-2-vnet"
 az network vnet subnet update --resource-group vwan-microhack-spoke-rg --name vmSubnet --vnet-name spoke-2-vnet --route-table default-to-nva
\ No newline at end of file
diff --git a/bastions.tf b/bastions.tf
index 72b6a36..5dfb1d9 100755
--- a/bastions.tf
+++ b/bastions.tf
@@ -1,154 +1,154 @@ -####################################################################### -## Create Bastion spoke-1 -####################################################################### -resource "azurerm_public_ip" "bastion-spoke-1-pubip" { - name = "bastion-spoke-1-pubip" - location = var.location-spoke-1 - resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name - allocation_method = "Static" - sku = "Standard" -} - -resource "azurerm_bastion_host" "bastion-spoke-1" { - name = "bastion-spoke-1" - location = var.location-spoke-1 - resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name - - ip_configuration { - name = "bastion-spoke-1-configuration" - subnet_id = azurerm_subnet.bastion-spoke-1-subnet.id - public_ip_address_id = azurerm_public_ip.bastion-spoke-1-pubip.id - } -} -####################################################################### -## Create Bastion spoke-2 -####################################################################### -resource "azurerm_public_ip" "bastion-spoke-2-pubip" { - name = "bastion-spoke-2-pubip" - location = var.location-spoke-2 - resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name - allocation_method = "Static" - sku = "Standard" -} - -resource "azurerm_bastion_host" "bastion-spoke-2" { - name = "bastion-spoke-2" - location = var.location-spoke-2 - resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name - - ip_configuration { - name = "bastion-spoke-2-configuration" - subnet_id = azurerm_subnet.bastion-spoke-2-subnet.id - public_ip_address_id = azurerm_public_ip.bastion-spoke-2-pubip.id - } -} -####################################################################### -## Create Bastion spoke-3 -####################################################################### -resource "azurerm_public_ip" "bastion-spoke-3-pubip" { - name = "bastion-spoke-3-pubip" - location = var.location-spoke-3 - resource_group_name = 
azurerm_resource_group.vwan-microhack-spoke-rg.name - allocation_method = "Static" - sku = "Standard" -} - -resource "azurerm_bastion_host" "bastion-spoke-3" { - name = "bastion-spoke-3" - location = var.location-spoke-3 - resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name - - ip_configuration { - name = "bastion-spoke-3-configuration" - subnet_id = azurerm_subnet.bastion-spoke-3-subnet.id - public_ip_address_id = azurerm_public_ip.bastion-spoke-3-pubip.id - } -} -####################################################################### -## Create Bastion spoke-4 -####################################################################### -resource "azurerm_public_ip" "bastion-spoke-4-pubip" { - name = "bastion-spoke-4-pubip" - location = var.location-spoke-4 - resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name - allocation_method = "Static" - sku = "Standard" -} - -resource "azurerm_bastion_host" "bastion-spoke-4" { - name = "bastion-spoke-4" - location = var.location-spoke-4 - resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name - - ip_configuration { - name = "bastion-spoke-4-configuration" - subnet_id = azurerm_subnet.bastion-spoke-4-subnet.id - public_ip_address_id = azurerm_public_ip.bastion-spoke-4-pubip.id - } -} -####################################################################### -## Create Bastion onprem -####################################################################### -resource "azurerm_public_ip" "bastion-onprem-pubip" { - name = "bastion-onprem-pubip" - location = var.location-onprem - resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name - allocation_method = "Static" - sku = "Standard" -} - -resource "azurerm_bastion_host" "bastion-onprem" { - name = "bastion-onprem" - location = var.location-onprem - resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name - - ip_configuration { - name = "bastion-onprem-configuration" - subnet_id = 
azurerm_subnet.bastion-onprem-subnet.id - public_ip_address_id = azurerm_public_ip.bastion-onprem-pubip.id - } -} -####################################################################### -## Create Bastion Services -####################################################################### -resource "azurerm_public_ip" "bastion-services-pubip" { - name = "bastion-services-pubip" - location = var.location-spoke-services - resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name - allocation_method = "Static" - sku = "Standard" -} - -resource "azurerm_bastion_host" "bastion-services" { - name = "bastion-services" - location = var.location-spoke-services - resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name - - ip_configuration { - name = "bastion-services-configuration" - subnet_id = azurerm_subnet.bastion-services-subnet.id - public_ip_address_id = azurerm_public_ip.bastion-services-pubip.id - } -} -####################################################################### -## Create Bastion NVA -####################################################################### -resource "azurerm_public_ip" "bastion-nva-pubip" { - name = "bastion-services-nva" - location = var.location-spoke-services - resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name - allocation_method = "Static" - sku = "Standard" -} - -resource "azurerm_bastion_host" "bastion-nva" { - name = "bastion-nva" - location = var.location-spoke-services - resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name - - ip_configuration { - name = "bastion-nva-configuration" - subnet_id = azurerm_subnet.bastion-nva-subnet.id - public_ip_address_id = azurerm_public_ip.bastion-nva-pubip.id - } +####################################################################### +## Create Bastion spoke-1 +####################################################################### +resource "azurerm_public_ip" "bastion-spoke-1-pubip" { + name = 
"bastion-spoke-1-pubip" + location = var.location-spoke-1 + resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name + allocation_method = "Static" + sku = "Standard" +} + +resource "azurerm_bastion_host" "bastion-spoke-1" { + name = "bastion-spoke-1" + location = var.location-spoke-1 + resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name + + ip_configuration { + name = "bastion-spoke-1-configuration" + subnet_id = azurerm_subnet.bastion-spoke-1-subnet.id + public_ip_address_id = azurerm_public_ip.bastion-spoke-1-pubip.id + } +} +####################################################################### +## Create Bastion spoke-2 +####################################################################### +resource "azurerm_public_ip" "bastion-spoke-2-pubip" { + name = "bastion-spoke-2-pubip" + location = var.location-spoke-2 + resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name + allocation_method = "Static" + sku = "Standard" +} + +resource "azurerm_bastion_host" "bastion-spoke-2" { + name = "bastion-spoke-2" + location = var.location-spoke-2 + resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name + + ip_configuration { + name = "bastion-spoke-2-configuration" + subnet_id = azurerm_subnet.bastion-spoke-2-subnet.id + public_ip_address_id = azurerm_public_ip.bastion-spoke-2-pubip.id + } +} +####################################################################### +## Create Bastion spoke-3 +####################################################################### +resource "azurerm_public_ip" "bastion-spoke-3-pubip" { + name = "bastion-spoke-3-pubip" + location = var.location-spoke-3 + resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name + allocation_method = "Static" + sku = "Standard" +} + +resource "azurerm_bastion_host" "bastion-spoke-3" { + name = "bastion-spoke-3" + location = var.location-spoke-3 + resource_group_name = 
azurerm_resource_group.vwan-microhack-spoke-rg.name + + ip_configuration { + name = "bastion-spoke-3-configuration" + subnet_id = azurerm_subnet.bastion-spoke-3-subnet.id + public_ip_address_id = azurerm_public_ip.bastion-spoke-3-pubip.id + } +} +####################################################################### +## Create Bastion spoke-4 +####################################################################### +resource "azurerm_public_ip" "bastion-spoke-4-pubip" { + name = "bastion-spoke-4-pubip" + location = var.location-spoke-4 + resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name + allocation_method = "Static" + sku = "Standard" +} + +resource "azurerm_bastion_host" "bastion-spoke-4" { + name = "bastion-spoke-4" + location = var.location-spoke-4 + resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name + + ip_configuration { + name = "bastion-spoke-4-configuration" + subnet_id = azurerm_subnet.bastion-spoke-4-subnet.id + public_ip_address_id = azurerm_public_ip.bastion-spoke-4-pubip.id + } +} +####################################################################### +## Create Bastion onprem +####################################################################### +resource "azurerm_public_ip" "bastion-onprem-pubip" { + name = "bastion-onprem-pubip" + location = var.location-onprem + resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name + allocation_method = "Static" + sku = "Standard" +} + +resource "azurerm_bastion_host" "bastion-onprem" { + name = "bastion-onprem" + location = var.location-onprem + resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name + + ip_configuration { + name = "bastion-onprem-configuration" + subnet_id = azurerm_subnet.bastion-onprem-subnet.id + public_ip_address_id = azurerm_public_ip.bastion-onprem-pubip.id + } +} +####################################################################### +## Create Bastion Services 
+####################################################################### +resource "azurerm_public_ip" "bastion-services-pubip" { + name = "bastion-services-pubip" + location = var.location-spoke-services + resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name + allocation_method = "Static" + sku = "Standard" +} + +resource "azurerm_bastion_host" "bastion-services" { + name = "bastion-services" + location = var.location-spoke-services + resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name + + ip_configuration { + name = "bastion-services-configuration" + subnet_id = azurerm_subnet.bastion-services-subnet.id + public_ip_address_id = azurerm_public_ip.bastion-services-pubip.id + } +} +####################################################################### +## Create Bastion NVA +####################################################################### +resource "azurerm_public_ip" "bastion-nva-pubip" { + name = "bastion-services-nva" + location = var.location-spoke-services + resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name + allocation_method = "Static" + sku = "Standard" +} + +resource "azurerm_bastion_host" "bastion-nva" { + name = "bastion-nva" + location = var.location-spoke-services + resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name + + ip_configuration { + name = "bastion-nva-configuration" + subnet_id = azurerm_subnet.bastion-nva-subnet.id + public_ip_address_id = azurerm_public_ip.bastion-nva-pubip.id + } } \ No newline at end of file diff --git a/branch-routes.sh b/branch-routes.sh index c99bdba..5356a32 100755 --- a/branch-routes.sh +++ b/branch-routes.sh 
@@ -1,11 +1,11 @@
-hubgwbgpaddress=$(az network vpn-gateway show --name microhack-we-hub-vng -g vwan-microhack-hub-rg --query "bgpSettings.bgpPeeringAddresses[?ipconfigurationId == 'Instance0'].defaultBgpIpAddresses" --output tsv)
-echo "Hub GW BGP address:" $hubgwbgpaddress
-
-echo "# VNETGW: Verify BGP peer status"
-az network vnet-gateway list-bgp-peer-status -n vnet-gw-onprem -g vwan-microhack-spoke-rg --output table
-
-echo "# VNETGW: Display routes advertised from onprem gw to hub"
-az network vnet-gateway list-advertised-routes -n vnet-gw-onprem -g vwan-microhack-spoke-rg --peer $hubgwbgpaddress --output table
-
-echo "# VNETGW: Display routes learned by onprem gw from hub"
-az network vnet-gateway list-learned-routes -n vnet-gw-onprem -g vwan-microhack-spoke-rg --output table
+hubgwbgpaddress=$(az network vpn-gateway show --name microhack-we-hub-vng -g vwan-microhack-hub-rg --query "bgpSettings.bgpPeeringAddresses[?ipconfigurationId == 'Instance0'].defaultBgpIpAddresses" --output tsv)
+echo "Hub GW BGP address:" $hubgwbgpaddress
+
+echo "# VNETGW: Verify BGP peer status"
+az network vnet-gateway list-bgp-peer-status -n vnet-gw-onprem -g vwan-microhack-spoke-rg --output table
+
+echo "# VNETGW: Display routes advertised from onprem gw to hub"
+az network vnet-gateway list-advertised-routes -n vnet-gw-onprem -g vwan-microhack-spoke-rg --peer $hubgwbgpaddress --output table
+
+echo "# VNETGW: Display routes learned by onprem gw from hub"
+az network vnet-gateway list-learned-routes -n vnet-gw-onprem -g vwan-microhack-spoke-rg --output table
diff --git a/clean-up-after-scenario-4.sh b/clean-up-after-scenario-4.sh
index 21d4982..e145167 100755
--- a/clean-up-after-scenario-4.sh
+++ b/clean-up-after-scenario-4.sh
@@ -1,76 +1,76 @@ -spoke1vnetid=$(az network vnet show -g vwan-microhack-spoke-rg -n spoke-1-vnet --query "id" --output tsv) -spoke2vnetid=$(az network vnet show -g vwan-microhack-spoke-rg -n spoke-2-vnet --query "id" --output tsv) -spoke3vnetid=$(az network vnet show -g vwan-microhack-spoke-rg -n spoke-3-vnet --query "id" --output tsv) -spoke4vnetid=$(az network vnet show -g vwan-microhack-spoke-rg -n spoke-4-vnet --query "id" --output tsv) -servicesvnetid=$(az network vnet show -g vwan-microhack-spoke-rg -n services-vnet --query "id" --output tsv) -nvavnetid=$(az network vnet show -g vwan-microhack-spoke-rg -n nva-vnet --query "id" --output tsv) -wedefaultrtid=$(az network vhub route-table show --name defaultRouteTable --resource-group vwan-microhack-hub-rg --vhub-name microhack-we-hub --query id --output tsv) - -echo "Removing associations and propagations from rt-shared-we" - -wesharedrtid=$(az network vhub route-table show --name "RT-Shared-we" --resource-group "vwan-microhack-hub-rg" --vhub-name microhack-we-hub --query id --output tsv) -WERESTEP="https://management.azure.com${wesharedrtid}?api-version=2020-05-01" -az rest --method put --uri "$WERESTEP" --body @emptyrtbody.json -while [[ $(az rest --uri $WERESTEP | jq .properties.provisioningState) != "\"Succeeded\"" ]]; do sleep 15; done -spoke1connection=$(az network vhub connection show -n spoke-1-we -g vwan-microhack-hub-rg --vhub-name microhack-we-hub --query "id" -o tsv) -spoke2connection=$(az network vhub connection show -n spoke-2-we -g vwan-microhack-hub-rg --vhub-name microhack-we-hub --query "id" -o tsv) -servicesvnetconnection=$(az network vhub connection show -n services-we -g vwan-microhack-hub-rg --vhub-name microhack-we-hub --query "id" -o tsv) -WEVNETCONNECTIONSPOKE1="https://management.azure.com${spoke1connection}?api-version=2020-05-01" -WEVNETCONNECTIONSPOKE2="https://management.azure.com${spoke2connection}?api-version=2020-05-01" 
-WEVNETCONNECTIONSERVICES="https://management.azure.com${servicesvnetconnection}?api-version=2020-05-01" -sed "s#spokevnetid#$spoke1vnetid#g" emptyspokeconnection.json | tee emptyspokeconnection-spoke1.json -sed -i "s#wedefaultrtid#$wedefaultrtid#g" emptyspokeconnection-spoke1.json -sed "s#spokevnetid#$spoke2vnetid#g" emptyspokeconnection.json | tee emptyspokeconnection-spoke2.json -sed -i "s#wedefaultrtid#$wedefaultrtid#g" emptyspokeconnection-spoke2.json -sed "s#spokevnetid#$servicesvnetid#g" emptyspokeconnection.json | tee emptyspokeconnection-services.json -sed -i "s#wedefaultrtid#$wedefaultrtid#g" emptyspokeconnection-services.json -az rest --method put --uri $WEVNETCONNECTIONSPOKE1 --body @emptyspokeconnection-spoke1.json -while [[ $(az rest --uri $WEVNETCONNECTIONSPOKE1 | jq .properties.provisioningState) != "\"Succeeded\"" ]]; do sleep 15; done -az rest --method put --uri $WEVNETCONNECTIONSPOKE2 --body @emptyspokeconnection-spoke2.json -while [[ $(az rest --uri $WEVNETCONNECTIONSPOKE2 | jq .properties.provisioningState) != "\"Succeeded\"" ]]; do sleep 15; done -az rest --method put --uri $WEVNETCONNECTIONSERVICES --body @emptyspokeconnection-services.json -while [[ $(az rest --uri $WEVNETCONNECTIONSERVICES | jq .properties.provisioningState) != "\"Succeeded\"" ]]; do sleep 15; done - -echo "Removing associations and propagations from rt-shared-useast" -useastdefaultrtid=$(az network vhub route-table show --name defaultRouteTable --resource-group vwan-microhack-hub-rg --vhub-name microhack-useast-hub --query id --output tsv) -useastsharedrtid=$(az network vhub route-table show --name "rt-shared-useast" --resource-group "vwan-microhack-hub-rg" --vhub-name microhack-useast-hub --query id --output tsv) -USEASTRESTEP="https://management.azure.com${useastsharedrtid}?api-version=2020-05-01" -az rest --method put --uri "$USEASTRESTEP" --body @emptyrtbody.json -while [[ $(az rest --uri $USEASTRESTEP | jq .properties.provisioningState) != "\"Succeeded\"" ]]; do sleep 
15; done -spoke3connection=$(az network vhub connection show -n spoke-3-useast -g vwan-microhack-hub-rg --vhub-name microhack-useast-hub --query "id" -o tsv) -spoke4connection=$(az network vhub connection show -n spoke-4-useast -g vwan-microhack-hub-rg --vhub-name microhack-useast-hub --query "id" -o tsv) -USEASTVNETCONNECTIONSPOKE3="https://management.azure.com${spoke3connection}?api-version=2020-05-01" -USEASTVNETCONNECTIONSPOKE4="https://management.azure.com${spoke4connection}?api-version=2020-05-01" -sed "s#spokevnetid#$spoke3vnetid#g" emptyspokeconnection.json | tee emptyspokeconnection-spoke3.json -sed -i "s#wedefaultrtid#$useastdefaultrtid#g" emptyspokeconnection-spoke3.json -sed "s#spokevnetid#$spoke4vnetid#g" emptyspokeconnection.json | tee emptyspokeconnection-spoke4.json -sed -i "s#wedefaultrtid#$useastdefaultrtid#g" emptyspokeconnection-spoke4.json -az rest --method put --uri $USEASTVNETCONNECTIONSPOKE3 --body @emptyspokeconnection-spoke3.json -while [[ $(az rest --uri $USEASTVNETCONNECTIONSPOKE3 | jq .properties.provisioningState) != "\"Succeeded\"" ]]; do sleep 15; done -az rest --method put --uri $USEASTVNETCONNECTIONSPOKE4 --body @emptyspokeconnection-spoke4.json -while [[ $(az rest --uri $USEASTVNETCONNECTIONSPOKE4 | jq .properties.provisioningState) != "\"Succeeded\"" ]]; do sleep 15; done - - -ONPREMCONNECTIONID=$(az network vpn-gateway list -g vwan-microhack-hub-rg --query [].connections[].id -o tsv) -ONPREMCONNECTIONRESTEP="https://management.azure.com${ONPREMCONNECTIONID}?api-version=2020-05-01" -ONPREMCONNECTIONVPNSITE=$(az network vpn-gateway list -g vwan-microhack-hub-rg --query [].connections[].remoteVpnSite.id -o tsv) -sed "s#wedefaultrtid#$wedefaultrtid#g" onpremconnection.json | tee onpremconnection-values.json -sed -i "s#ONPREMCONNECTIONVPNSITE#$ONPREMCONNECTIONVPNSITE#g" onpremconnection-values.json -az rest --method put --uri $ONPREMCONNECTIONRESTEP --body @onpremconnection-values.json -while [[ $(az rest --uri 
$ONPREMCONNECTIONRESTEP | jq .properties.provisioningState) != "\"Succeeded\"" ]]; do sleep 15; done - -echo "Deleting rt-shared-useast" -az network vhub route-table delete --name rt-shared-useast -g vwan-microhack-hub-rg --vhub-name microhack-useast-hub -echo "Deleting rt-shared-we" -az network vhub route-table delete --name rt-shared-we -g vwan-microhack-hub-rg --vhub-name microhack-we-hub - -echo "Disconnecting Branch" -az network vpn-gateway connection delete --gateway-name microhack-we-hub-vng --name onprem -g vwan-microhack-hub-rg -az network vpn-site delete --name onprem -g vwan-microhack-hub-rg - -echo "Deleting VPN Gateway" -az network vpn-gateway delete --name microhack-we-hub-vng -g vwan-microhack-hub-rg - -echo "Deleting resource groups" -az group delete --resource-group vwan-microhack-hub-rg --no-wait --yes +spoke1vnetid=$(az network vnet show -g vwan-microhack-spoke-rg -n spoke-1-vnet --query "id" --output tsv) +spoke2vnetid=$(az network vnet show -g vwan-microhack-spoke-rg -n spoke-2-vnet --query "id" --output tsv) +spoke3vnetid=$(az network vnet show -g vwan-microhack-spoke-rg -n spoke-3-vnet --query "id" --output tsv) +spoke4vnetid=$(az network vnet show -g vwan-microhack-spoke-rg -n spoke-4-vnet --query "id" --output tsv) +servicesvnetid=$(az network vnet show -g vwan-microhack-spoke-rg -n services-vnet --query "id" --output tsv) +nvavnetid=$(az network vnet show -g vwan-microhack-spoke-rg -n nva-vnet --query "id" --output tsv) +wedefaultrtid=$(az network vhub route-table show --name defaultRouteTable --resource-group vwan-microhack-hub-rg --vhub-name microhack-we-hub --query id --output tsv) + +echo "Removing associations and propagations from rt-shared-we" + +wesharedrtid=$(az network vhub route-table show --name "RT-Shared-we" --resource-group "vwan-microhack-hub-rg" --vhub-name microhack-we-hub --query id --output tsv) +WERESTEP="https://management.azure.com${wesharedrtid}?api-version=2020-05-01" +az rest --method put --uri "$WERESTEP" --body 
@emptyrtbody.json +while [[ $(az rest --uri $WERESTEP | jq .properties.provisioningState) != "\"Succeeded\"" ]]; do sleep 15; done +spoke1connection=$(az network vhub connection show -n spoke-1-we -g vwan-microhack-hub-rg --vhub-name microhack-we-hub --query "id" -o tsv) +spoke2connection=$(az network vhub connection show -n spoke-2-we -g vwan-microhack-hub-rg --vhub-name microhack-we-hub --query "id" -o tsv) +servicesvnetconnection=$(az network vhub connection show -n services-we -g vwan-microhack-hub-rg --vhub-name microhack-we-hub --query "id" -o tsv) +WEVNETCONNECTIONSPOKE1="https://management.azure.com${spoke1connection}?api-version=2020-05-01" +WEVNETCONNECTIONSPOKE2="https://management.azure.com${spoke2connection}?api-version=2020-05-01" +WEVNETCONNECTIONSERVICES="https://management.azure.com${servicesvnetconnection}?api-version=2020-05-01" +sed "s#spokevnetid#$spoke1vnetid#g" emptyspokeconnection.json | tee emptyspokeconnection-spoke1.json +sed -i "s#wedefaultrtid#$wedefaultrtid#g" emptyspokeconnection-spoke1.json +sed "s#spokevnetid#$spoke2vnetid#g" emptyspokeconnection.json | tee emptyspokeconnection-spoke2.json +sed -i "s#wedefaultrtid#$wedefaultrtid#g" emptyspokeconnection-spoke2.json +sed "s#spokevnetid#$servicesvnetid#g" emptyspokeconnection.json | tee emptyspokeconnection-services.json +sed -i "s#wedefaultrtid#$wedefaultrtid#g" emptyspokeconnection-services.json +az rest --method put --uri $WEVNETCONNECTIONSPOKE1 --body @emptyspokeconnection-spoke1.json +while [[ $(az rest --uri $WEVNETCONNECTIONSPOKE1 | jq .properties.provisioningState) != "\"Succeeded\"" ]]; do sleep 15; done +az rest --method put --uri $WEVNETCONNECTIONSPOKE2 --body @emptyspokeconnection-spoke2.json +while [[ $(az rest --uri $WEVNETCONNECTIONSPOKE2 | jq .properties.provisioningState) != "\"Succeeded\"" ]]; do sleep 15; done +az rest --method put --uri $WEVNETCONNECTIONSERVICES --body @emptyspokeconnection-services.json +while [[ $(az rest --uri $WEVNETCONNECTIONSERVICES | jq 
.properties.provisioningState) != "\"Succeeded\"" ]]; do sleep 15; done + +echo "Removing associations and propagations from rt-shared-useast" +useastdefaultrtid=$(az network vhub route-table show --name defaultRouteTable --resource-group vwan-microhack-hub-rg --vhub-name microhack-useast-hub --query id --output tsv) +useastsharedrtid=$(az network vhub route-table show --name "rt-shared-useast" --resource-group "vwan-microhack-hub-rg" --vhub-name microhack-useast-hub --query id --output tsv) +USEASTRESTEP="https://management.azure.com${useastsharedrtid}?api-version=2020-05-01" +az rest --method put --uri "$USEASTRESTEP" --body @emptyrtbody.json +while [[ $(az rest --uri $USEASTRESTEP | jq .properties.provisioningState) != "\"Succeeded\"" ]]; do sleep 15; done +spoke3connection=$(az network vhub connection show -n spoke-3-useast -g vwan-microhack-hub-rg --vhub-name microhack-useast-hub --query "id" -o tsv) +spoke4connection=$(az network vhub connection show -n spoke-4-useast -g vwan-microhack-hub-rg --vhub-name microhack-useast-hub --query "id" -o tsv) +USEASTVNETCONNECTIONSPOKE3="https://management.azure.com${spoke3connection}?api-version=2020-05-01" +USEASTVNETCONNECTIONSPOKE4="https://management.azure.com${spoke4connection}?api-version=2020-05-01" +sed "s#spokevnetid#$spoke3vnetid#g" emptyspokeconnection.json | tee emptyspokeconnection-spoke3.json +sed -i "s#wedefaultrtid#$useastdefaultrtid#g" emptyspokeconnection-spoke3.json +sed "s#spokevnetid#$spoke4vnetid#g" emptyspokeconnection.json | tee emptyspokeconnection-spoke4.json +sed -i "s#wedefaultrtid#$useastdefaultrtid#g" emptyspokeconnection-spoke4.json +az rest --method put --uri $USEASTVNETCONNECTIONSPOKE3 --body @emptyspokeconnection-spoke3.json +while [[ $(az rest --uri $USEASTVNETCONNECTIONSPOKE3 | jq .properties.provisioningState) != "\"Succeeded\"" ]]; do sleep 15; done +az rest --method put --uri $USEASTVNETCONNECTIONSPOKE4 --body @emptyspokeconnection-spoke4.json +while [[ $(az rest --uri 
$USEASTVNETCONNECTIONSPOKE4 | jq .properties.provisioningState) != "\"Succeeded\"" ]]; do sleep 15; done + + +ONPREMCONNECTIONID=$(az network vpn-gateway list -g vwan-microhack-hub-rg --query [].connections[].id -o tsv) +ONPREMCONNECTIONRESTEP="https://management.azure.com${ONPREMCONNECTIONID}?api-version=2020-05-01" +ONPREMCONNECTIONVPNSITE=$(az network vpn-gateway list -g vwan-microhack-hub-rg --query [].connections[].remoteVpnSite.id -o tsv) +sed "s#wedefaultrtid#$wedefaultrtid#g" onpremconnection.json | tee onpremconnection-values.json +sed -i "s#ONPREMCONNECTIONVPNSITE#$ONPREMCONNECTIONVPNSITE#g" onpremconnection-values.json +az rest --method put --uri $ONPREMCONNECTIONRESTEP --body @onpremconnection-values.json +while [[ $(az rest --uri $ONPREMCONNECTIONRESTEP | jq .properties.provisioningState) != "\"Succeeded\"" ]]; do sleep 15; done + +echo "Deleting rt-shared-useast" +az network vhub route-table delete --name rt-shared-useast -g vwan-microhack-hub-rg --vhub-name microhack-useast-hub +echo "Deleting rt-shared-we" +az network vhub route-table delete --name rt-shared-we -g vwan-microhack-hub-rg --vhub-name microhack-we-hub + +echo "Disconnecting Branch" +az network vpn-gateway connection delete --gateway-name microhack-we-hub-vng --name onprem -g vwan-microhack-hub-rg +az network vpn-site delete --name onprem -g vwan-microhack-hub-rg + +echo "Deleting VPN Gateway" +az network vpn-gateway delete --name microhack-we-hub-vng -g vwan-microhack-hub-rg + +echo "Deleting resource groups" +az group delete --resource-group vwan-microhack-hub-rg --no-wait --yes az group delete --resource-group vwan-microhack-spoke-rg --no-wait --yes \ No newline at end of file diff --git a/connect-branch.sh b/connect-branch.sh index 98d50ce..17c566b 100755 --- a/connect-branch.sh +++ b/connect-branch.sh 
@@ -1,32 +1,32 @@
-az extension add --name virtual-wan
-
-echo "# VNETGW: Get parameters from onprem vnet gateway"
-vnetgwtunnelip=$(az network vnet-gateway show -n vnet-gw-onprem -g vwan-microhack-spoke-rg --query "bgpSettings.bgpPeeringAddresses[0].tunnelIpAddresses[0]" --output tsv)
-echo "VNET GW Tunnel address:" $vnetgwtunnelip
-vnetgwbgpip=$(az network vnet-gateway show -n vnet-gw-onprem -g vwan-microhack-spoke-rg --query "bgpSettings.bgpPeeringAddress" --output tsv)
-echo "VNET GW BGP address:" $vnetgwbgpip
-vnetgwasn=$(az network vnet-gateway show -n vnet-gw-onprem -g vwan-microhack-spoke-rg --query "bgpSettings.asn" --output tsv)
-echo "VNET GW BGP ASN:" $vnetgwasn
-sharedkey="m1cr0hack"
-
-echo "# VWAN: Create remote site"
-az network vpn-site create --ip-address $vnetgwtunnelip --name onprem -g vwan-microhack-hub-rg --asn $vnetgwasn --bgp-peering-address $vnetgwbgpip --virtual-wan microhack-vwan --location northeurope --device-model VNETGW --device-vendor Azure --link-speed 100
-
-echo "# VWAN: Create connection - remote site to hub gw"
-az network vpn-gateway connection create --gateway-name microhack-we-hub-vng --name onprem --remote-vpn-site onprem -g vwan-microhack-hub-rg --shared-key $sharedkey --enable-bgp true --no-wait
-
-echo "# VWAN: Get parameters from VWAN Hub GW"
-hubgwtunneladdress=$(az network vpn-gateway show --name microhack-we-hub-vng -g vwan-microhack-hub-rg --query "bgpSettings.bgpPeeringAddresses[?ipconfigurationId == 'Instance0'].tunnelIpAddresses[0]" --output tsv)
-echo "Hub GW Tunnel address:" $hubgwtunneladdress
-hubgwbgpaddress=$(az network vpn-gateway show --name microhack-we-hub-vng -g vwan-microhack-hub-rg --query "bgpSettings.bgpPeeringAddresses[?ipconfigurationId == 'Instance0'].defaultBgpIpAddresses" --output tsv)
-echo "Hub GW BGP address:" $hubgwbgpaddress
-hubgwasn=$(az network vpn-gateway show --name microhack-we-hub-vng -g vwan-microhack-hub-rg --query "bgpSettings.asn" --output tsv)
-echo "Hub GW BGP ASN:" $hubgwasn
-hubgwkey=$(az network vpn-gateway connection show --gateway-name microhack-we-hub-vng --name onprem -g vwan-microhack-hub-rg --query "sharedKey" --output tsv)
-
-echo "# create local network gateway"
-az network local-gateway create -g vwan-microhack-spoke-rg -n lng --gateway-ip-address $hubgwtunneladdress --location westeurope --asn $hubgwasn --bgp-peering-address $hubgwbgpaddress
-
-echo "# VNET GW: connect from vnet gw to local network gateway"
-az network vpn-connection create -n to-we-hub --vnet-gateway1 vnet-gw-onprem -g vwan-microhack-spoke-rg --local-gateway2 lng -l northeurope --shared-key $sharedkey --enable-bgp
-
+az extension add --name virtual-wan
+
+echo "# VNETGW: Get parameters from onprem vnet gateway"
+vnetgwtunnelip=$(az network vnet-gateway show -n vnet-gw-onprem -g vwan-microhack-spoke-rg --query "bgpSettings.bgpPeeringAddresses[0].tunnelIpAddresses[0]" --output tsv)
+echo "VNET GW Tunnel address:" $vnetgwtunnelip
+vnetgwbgpip=$(az network vnet-gateway show -n vnet-gw-onprem -g vwan-microhack-spoke-rg --query "bgpSettings.bgpPeeringAddress" --output tsv)
+echo "VNET GW BGP address:" $vnetgwbgpip
+vnetgwasn=$(az network vnet-gateway show -n vnet-gw-onprem -g vwan-microhack-spoke-rg --query "bgpSettings.asn" --output tsv)
+echo "VNET GW BGP ASN:" $vnetgwasn
+sharedkey="m1cr0hack"
+
+echo "# VWAN: Create remote site"
+az network vpn-site create --ip-address $vnetgwtunnelip --name onprem -g vwan-microhack-hub-rg --asn $vnetgwasn --bgp-peering-address $vnetgwbgpip --virtual-wan microhack-vwan --location northeurope --device-model VNETGW --device-vendor Azure --link-speed 100
+
+echo "# VWAN: Create connection - remote site to hub gw"
+az network vpn-gateway connection create --gateway-name microhack-we-hub-vng --name onprem --remote-vpn-site onprem -g vwan-microhack-hub-rg --shared-key $sharedkey --enable-bgp true --no-wait
+
+echo "# VWAN: Get parameters from VWAN Hub GW"
+hubgwtunneladdress=$(az network vpn-gateway show --name microhack-we-hub-vng -g vwan-microhack-hub-rg --query "bgpSettings.bgpPeeringAddresses[?ipconfigurationId == 'Instance0'].tunnelIpAddresses[0]" --output tsv)
+echo "Hub GW Tunnel address:" $hubgwtunneladdress
+hubgwbgpaddress=$(az network vpn-gateway show --name microhack-we-hub-vng -g vwan-microhack-hub-rg --query "bgpSettings.bgpPeeringAddresses[?ipconfigurationId == 'Instance0'].defaultBgpIpAddresses" --output tsv)
+echo "Hub GW BGP address:" $hubgwbgpaddress
+hubgwasn=$(az network vpn-gateway show --name microhack-we-hub-vng -g vwan-microhack-hub-rg --query "bgpSettings.asn" --output tsv)
+echo "Hub GW BGP ASN:" $hubgwasn
+hubgwkey=$(az network vpn-gateway connection show --gateway-name microhack-we-hub-vng --name onprem -g vwan-microhack-hub-rg --query "sharedKey" --output tsv)
+
+echo "# create local network gateway"
+az network local-gateway create -g vwan-microhack-spoke-rg -n lng --gateway-ip-address $hubgwtunneladdress --location westeurope --asn $hubgwasn --bgp-peering-address $hubgwbgpaddress
+
+echo "# VNET GW: connect from vnet gw to local network gateway"
+az network vpn-connection create -n to-we-hub --vnet-gateway1 vnet-gw-onprem -g vwan-microhack-spoke-rg --local-gateway2 lng -l northeurope --shared-key $sharedkey --enable-bgp
+
diff --git a/connect-services-spoke.sh b/connect-services-spoke.sh
index e3e776d..a80e619 100755
--- a/connect-services-spoke.sh
+++ b/connect-services-spoke.sh
@@ -1,2 +1,2 @@
-servicesid=$(az network vnet show -g vwan-microhack-spoke-rg --name services-vnet --query "id" --output tsv)
+servicesid=$(az network vnet show -g vwan-microhack-spoke-rg --name services-vnet --query "id" --output tsv)
 az network vhub connection create --name services-we --resource-group vwan-microhack-hub-rg --vhub-name microhack-we-hub --remote-vnet $servicesid --labels default
\ No newline at end of file
diff --git a/connect-us-east-spokes.sh b/connect-us-east-spokes.sh
index 5fe8f44..0da6bf1 100755
--- a/connect-us-east-spokes.sh
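Review bot: The IPsec pre-shared key is a literal in the script, `sharedkey="m1cr0hack"`, and this hunk re-adds it unchanged (the removed and added lines are identical, so the change appears to be a line-ending normalisation and the issue predates the commit). A PSK committed to a repository protects nothing; since the same variable feeds both tunnel ends (`--shared-key $sharedkey` on the vpn-gateway connection and on the vpn-connection), it can be injected or generated once at the top, e.g. `sharedkey="${VPN_SHARED_KEY:-$(openssl rand -base64 32)}"`, with `"$sharedkey"` quoted at both call sites. The same literal is repeated in onpremconnection.json, which the clean-up and prep scripts PUT via `az rest`, so that template would need to draw from the same source. `hubgwkey` is read back from the connection but never used, and because the create above runs with `--no-wait` the read may also race the connection's existence.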
+++ b/connect-us-east-spokes.sh
@@ -1,4 +1,4 @@
-spoke3id=$(az network vnet show -g vwan-microhack-spoke-rg --name spoke-3-vnet --query "id" --output tsv)
-spoke4id=$(az network vnet show -g vwan-microhack-spoke-rg --name spoke-4-vnet --query "id" --output tsv)
-az network vhub connection create --name spoke-3-useast --resource-group vwan-microhack-hub-rg --vhub-name microhack-useast-hub --remote-vnet $spoke3id --labels default
-az network vhub connection create --name spoke-4-useast --resource-group vwan-microhack-hub-rg --vhub-name microhack-useast-hub --remote-vnet $spoke4id --labels default
+spoke3id=$(az network vnet show -g vwan-microhack-spoke-rg --name spoke-3-vnet --query "id" --output tsv)
+spoke4id=$(az network vnet show -g vwan-microhack-spoke-rg --name spoke-4-vnet --query "id" --output tsv)
+az network vhub connection create --name spoke-3-useast --resource-group vwan-microhack-hub-rg --vhub-name microhack-useast-hub --remote-vnet $spoke3id --labels default
+az network vhub connection create --name spoke-4-useast --resource-group vwan-microhack-hub-rg --vhub-name microhack-useast-hub --remote-vnet $spoke4id --labels default
diff --git a/emptyrtbody.json b/emptyrtbody.json
index 90f562e..009a89f 100644
--- a/emptyrtbody.json
+++ b/emptyrtbody.json
@@ -1,6 +1,6 @@
-{
- "properties": {
- "labels": [],
- "routes": []
- }
+{
+ "properties": {
+ "labels": [],
+ "routes": []
+ }
 }
\ No newline at end of file
diff --git a/emptyspokeconnection.json b/emptyspokeconnection.json
index c16c0e7..0de38a3 100644
--- a/emptyspokeconnection.json
+++ b/emptyspokeconnection.json
@@ -1,20 +1,20 @@
-{
- "properties": {
- "allowHubToRemoteVnetTransit": true,
- "allowRemoteVnetToUseHubVnetGateways": true,
- "enableInternetSecurity": false,
- "remoteVirtualNetwork": {
- "id": "spokevnetid",
- "resourceGroup": "vwan-microhack-spoke-rg"
- },
- "routingConfiguration": {
- "associatedRouteTable": {
- "id": "wedefaultrtid"
- },
- "propagatedRouteTables": {},
- "vnetRoutes": {
- "staticRoutes": []
- }
- }
- }
+{
+ "properties": {
+ "allowHubToRemoteVnetTransit": true,
+ "allowRemoteVnetToUseHubVnetGateways": true,
+ "enableInternetSecurity": false,
+ "remoteVirtualNetwork": {
+ "id": "spokevnetid",
+ "resourceGroup": "vwan-microhack-spoke-rg"
+ },
+ "routingConfiguration": {
+ "associatedRouteTable": {
+ "id": "wedefaultrtid"
+ },
+ "propagatedRouteTables": {},
+ "vnetRoutes": {
+ "staticRoutes": []
+ }
+ }
+ }
 }
\ No newline at end of file
diff --git a/enable-routing-nva.sh b/enable-routing-nva.sh
index 5052f02..d243bb9 100644
--- a/enable-routing-nva.sh
+++ b/enable-routing-nva.sh
@@ -1,4 +1,4 @@
-sudo chmod 777 /etc/sysctl.conf
-echo "net.ipv4.ip_forward = 1" > /etc/sysctl.conf
-sudo sysctl -p /etc/sysctl.conf
+sudo chmod 777 /etc/sysctl.conf
+echo "net.ipv4.ip_forward = 1" > /etc/sysctl.conf
+sudo sysctl -p /etc/sysctl.conf
 sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
\ No newline at end of file
diff --git a/main.tf b/main.tf
index 307b993..06c33fc 100644
--- a/main.tf
+++ b/main.tf
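Review bot: `sudo chmod 777 /etc/sysctl.conf` in enable-routing-nva.sh leaves the kernel-parameter file world-writable permanently, so any local account on the NVA can plant sysctls that are applied on the next `sysctl -p` or reboot, and `echo "net.ipv4.ip_forward = 1" > /etc/sysctl.conf` truncates the file instead of appending, discarding whatever the image shipped there; the mode change only exists because the redirect runs as the unprivileged caller rather than under sudo. Those three lines can become `echo "net.ipv4.ip_forward = 1" | sudo tee /etc/sysctl.d/99-ip-forward.conf` followed by `sudo sysctl --system`, which needs no permission change and keeps existing settings. The MASQUERADE rule on the last line is not persisted across reboots, which may be acceptable for a lab but is worth a comment. The removed and added lines of this hunk are identical, so the problem predates the commit.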
@@ -1,26 +1,26 @@
-provider "azurerm" {
- features {}
-}
-#######################################################################
-## Create Resource Group
-#######################################################################
-
-resource "azurerm_resource_group" "vwan-microhack-spoke-rg" {
- name = "vwan-microhack-spoke-rg"
- location = var.location-spoke-1
- tags = {
- environment = "spoke"
- deployment = "terraform"
- microhack = "vwan"
- }
-}
-
-resource "azurerm_resource_group" "vwan-microhack-hub-rg" {
- name = "vwan-microhack-hub-rg"
- location = var.location-vwan
- tags = {
- environment = "hub"
- deployment = "terraform"
- microhack = "vwan"
- }
-}
+provider "azurerm" {
+ features {}
+}
+#######################################################################
+## Create Resource Group
+#######################################################################
+
+resource "azurerm_resource_group" "vwan-microhack-spoke-rg" {
+ name = "vwan-microhack-spoke-rg"
+ location = var.location-spoke-1
+ tags = {
+ environment = "spoke"
+ deployment = "terraform"
+ microhack = "vwan"
+ }
+}
+
+resource "azurerm_resource_group" "vwan-microhack-hub-rg" {
+ name = "vwan-microhack-hub-rg"
+ location = var.location-vwan
+ tags = {
+ environment = "hub"
+ deployment = "terraform"
+ microhack = "vwan"
+ }
+}
diff --git a/onpremconnection.json b/onpremconnection.json
index dc4ff86..2d98d6c 100644
--- a/onpremconnection.json
+++ b/onpremconnection.json
@@ -1,35 +1,35 @@
-{
- "properties": {
- "remoteVpnSite": {
- "id": "ONPREMCONNECTIONVPNSITE"
- },
- "routingConfiguration": {
- "associatedRouteTable": {
- "id": "wedefaultrtid"
- },
- "propagatedRouteTables": {
- "ids": [
- {
- "id": "wedefaultrtid"
- }
- ],
- "labels": [
- "default"
- ]
- },
- "vnetRoutes": {
- "staticRoutes": []
- }
- },
- "connectionBandwidth": 10,
- "enableBgp": true,
- "enableInternetSecurity": false,
- "enableRateLimiting": false,
- "ipsecPolicies": [],
- "routingWeight": 0,
- "sharedKey": "m1cr0hack",
- "useLocalAzureIpAddress": false,
- "usePolicyBasedTrafficSelectors": false,
- "vpnConnectionProtocolType": "IKEv2"
- }
+{
+ "properties": {
+ "remoteVpnSite": {
+ "id": "ONPREMCONNECTIONVPNSITE"
+ },
+ "routingConfiguration": {
+ "associatedRouteTable": {
+ "id": "wedefaultrtid"
+ },
+ "propagatedRouteTables": {
+ "ids": [
+ {
+ "id": "wedefaultrtid"
+ }
+ ],
+ "labels": [
+ "default"
+ ]
+ },
+ "vnetRoutes": {
+ "staticRoutes": []
+ }
+ },
+ "connectionBandwidth": 10,
+ "enableBgp": true,
+ "enableInternetSecurity": false,
+ "enableRateLimiting": false,
+ "ipsecPolicies": [],
+ "routingWeight": 0,
+ "sharedKey": "m1cr0hack",
+ "useLocalAzureIpAddress": false,
+ "usePolicyBasedTrafficSelectors": false,
+ "vpnConnectionProtocolType": "IKEv2"
+ }
 }
\ No newline at end of file
diff --git a/prep-for-scenario-5.sh b/prep-for-scenario-5.sh
index e14a9cb..10144e9 100755
--- a/prep-for-scenario-5.sh
+++ b/prep-for-scenario-5.sh
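Review bot: The template embeds the VPN pre-shared key as a literal, `"sharedKey": "m1cr0hack"`, while the other environment-specific values (`ONPREMCONNECTIONVPNSITE`, `wedefaultrtid`) are placeholders that the scripts fill in with sed before the `az rest` PUT. Making the key a placeholder too, `"sharedKey": "ONPREMSHAREDKEY"`, and substituting it from the same variable the connect script uses keeps the secret out of the repository and out of the rendered copy; note that the clean-up and prep scripts pipe the rendered body through `tee`, which echoes the key to the console, so the substitution should write the file directly instead. The hunk only re-adds identical lines, so this is pre-existing rather than introduced here.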
@@ -1,85 +1,85 @@ -spoke1vnetid=$(az network vnet show -g vwan-microhack-spoke-rg -n spoke-1-vnet --query "id" --output tsv) -spoke2vnetid=$(az network vnet show -g vwan-microhack-spoke-rg -n spoke-2-vnet --query "id" --output tsv) -spoke3vnetid=$(az network vnet show -g vwan-microhack-spoke-rg -n spoke-3-vnet --query "id" --output tsv) -spoke4vnetid=$(az network vnet show -g vwan-microhack-spoke-rg -n spoke-4-vnet --query "id" --output tsv) -servicesvnetid=$(az network vnet show -g vwan-microhack-spoke-rg -n services-vnet --query "id" --output tsv) -nvavnetid=$(az network vnet show -g vwan-microhack-spoke-rg -n nva-vnet --query "id" --output tsv) -wedefaultrtid=$(az network vhub route-table show --name defaultRouteTable --resource-group vwan-microhack-hub-rg --vhub-name microhack-we-hub --query id --output tsv) - -echo "Removing associations and propagations from rt-shared-we" - -wesharedrtid=$(az network vhub route-table show --name "RT-Shared-we" --resource-group "vwan-microhack-hub-rg" --vhub-name microhack-we-hub --query id --output tsv) -WERESTEP="https://management.azure.com${wesharedrtid}?api-version=2020-05-01" -az rest --method put --uri "$WERESTEP" --body @emptyrtbody.json -while [[ $(az rest --uri $WERESTEP | jq .properties.provisioningState) != "\"Succeeded\"" ]]; do sleep 30; done -spoke1connection=$(az network vhub connection show -n spoke-1-we -g vwan-microhack-hub-rg --vhub-name microhack-we-hub --query "id" -o tsv) -spoke2connection=$(az network vhub connection show -n spoke-2-we -g vwan-microhack-hub-rg --vhub-name microhack-we-hub --query "id" -o tsv) -servicesvnetconnection=$(az network vhub connection show -n services-we -g vwan-microhack-hub-rg --vhub-name microhack-we-hub --query "id" -o tsv) -WEVNETCONNECTIONSPOKE1="https://management.azure.com${spoke1connection}?api-version=2020-05-01" -WEVNETCONNECTIONSPOKE2="https://management.azure.com${spoke2connection}?api-version=2020-05-01" 
-WEVNETCONNECTIONSERVICES="https://management.azure.com${servicesvnetconnection}?api-version=2020-05-01" -sed "s#spokevnetid#$spoke1vnetid#g" emptyspokeconnection.json | tee emptyspokeconnection-spoke1.json -sed -i "s#wedefaultrtid#$wedefaultrtid#g" emptyspokeconnection-spoke1.json -sed "s#spokevnetid#$spoke2vnetid#g" emptyspokeconnection.json | tee emptyspokeconnection-spoke2.json -sed -i "s#wedefaultrtid#$wedefaultrtid#g" emptyspokeconnection-spoke2.json -sed "s#spokevnetid#$servicesvnetid#g" emptyspokeconnection.json | tee emptyspokeconnection-services.json -sed -i "s#wedefaultrtid#$wedefaultrtid#g" emptyspokeconnection-services.json -az rest --method put --uri $WEVNETCONNECTIONSPOKE1 --body @emptyspokeconnection-spoke1.json -while [[ $(az rest --uri $WEVNETCONNECTIONSPOKE1 | jq .properties.provisioningState) != "\"Succeeded\"" ]]; do sleep 30; done -az rest --method put --uri $WEVNETCONNECTIONSPOKE2 --body @emptyspokeconnection-spoke2.json -while [[ $(az rest --uri $WEVNETCONNECTIONSPOKE2 | jq .properties.provisioningState) != "\"Succeeded\"" ]]; do sleep 30; done -az rest --method put --uri $WEVNETCONNECTIONSERVICES --body @emptyspokeconnection-services.json -while [[ $(az rest --uri $WEVNETCONNECTIONSERVICES | jq .properties.provisioningState) != "\"Succeeded\"" ]]; do sleep 30; done - - - -echo "# removing connection spoke-1-we" -az network vhub connection delete -n spoke-1-we -g vwan-microhack-hub-rg --vhub-name microhack-we-hub --yes -echo "# removing connection spoke-2-we" -az network vhub connection delete -n spoke-2-we -g vwan-microhack-hub-rg --vhub-name microhack-we-hub --yes - - - -echo "Removing associations and propagations from rt-shared-useast" -useastdefaultrtid=$(az network vhub route-table show --name defaultRouteTable --resource-group vwan-microhack-hub-rg --vhub-name microhack-useast-hub --query id --output tsv) -useastsharedrtid=$(az network vhub route-table show --name "rt-shared-useast" --resource-group "vwan-microhack-hub-rg" --vhub-name 
microhack-useast-hub --query id --output tsv)
-USEASTRESTEP="https://management.azure.com${useastsharedrtid}?api-version=2020-05-01"
-az rest --method put --uri "$USEASTRESTEP" --body @emptyrtbody.json
-while [[ $(az rest --uri $USEASTRESTEP | jq .properties.provisioningState) != "\"Succeeded\"" ]]; do sleep 30; done
-spoke3connection=$(az network vhub connection show -n spoke-3-useast -g vwan-microhack-hub-rg --vhub-name microhack-useast-hub --query "id" -o tsv)
-spoke4connection=$(az network vhub connection show -n spoke-4-useast -g vwan-microhack-hub-rg --vhub-name microhack-useast-hub --query "id" -o tsv)
-USEASTVNETCONNECTIONSPOKE3="https://management.azure.com${spoke3connection}?api-version=2020-05-01"
-USEASTVNETCONNECTIONSPOKE4="https://management.azure.com${spoke4connection}?api-version=2020-05-01"
-sed "s#spokevnetid#$spoke3vnetid#g" emptyspokeconnection.json | tee emptyspokeconnection-spoke3.json
-sed -i "s#wedefaultrtid#$useastdefaultrtid#g" emptyspokeconnection-spoke3.json
-sed "s#spokevnetid#$spoke4vnetid#g" emptyspokeconnection.json | tee emptyspokeconnection-spoke4.json
-sed -i "s#wedefaultrtid#$useastdefaultrtid#g" emptyspokeconnection-spoke4.json
-az rest --method put --uri $USEASTVNETCONNECTIONSPOKE3 --body @emptyspokeconnection-spoke3.json
-while [[ $(az rest --uri $USEASTVNETCONNECTIONSPOKE3 | jq .properties.provisioningState) != "\"Succeeded\"" ]]; do sleep 30; done
-az rest --method put --uri $USEASTVNETCONNECTIONSPOKE4 --body @emptyspokeconnection-spoke4.json
-while [[ $(az rest --uri $USEASTVNETCONNECTIONSPOKE4 | jq .properties.provisioningState) != "\"Succeeded\"" ]]; do sleep 30; done
-
-
-ONPREMCONNECTIONID=$(az network vpn-gateway list -g vwan-microhack-hub-rg --query [].connections[].id -o tsv)
-ONPREMCONNECTIONRESTEP="https://management.azure.com${ONPREMCONNECTIONID}?api-version=2020-05-01"
-ONPREMCONNECTIONVPNSITE=$(az network vpn-gateway list -g vwan-microhack-hub-rg --query [].connections[].remoteVpnSite.id -o tsv)
-sed "s#wedefaultrtid#$wedefaultrtid#g" onpremconnection.json | tee onpremconnection-values.json
-sed -i "s#ONPREMCONNECTIONVPNSITE#$ONPREMCONNECTIONVPNSITE#g" onpremconnection-values.json
-az rest --method put --uri $ONPREMCONNECTIONRESTEP --body @onpremconnection-values.json
-while [[ $(az rest --uri $ONPREMCONNECTIONRESTEP | jq .properties.provisioningState) != "\"Succeeded\"" ]]; do sleep 30; done
-
-
-echo "Deleting rt-shared-useast"
-az network vhub route-table delete --name rt-shared-useast -g vwan-microhack-hub-rg --vhub-name microhack-useast-hub
-echo "Deleting rt-shared-we"
-az network vhub route-table delete --name rt-shared-we -g vwan-microhack-hub-rg --vhub-name microhack-we-hub
-
-echo "# connecting nva-vnet"
-az network vhub connection create -n nva-we -g vwan-microhack-hub-rg --vhub-name microhack-we-hub --remote-vnet $nvavnetid --no-wait
-
-echo "# peering spoke-1-vnet to nva-vnet"
-az network vnet peering create --name spoke1-to-nva --resource-group vwan-microhack-spoke-rg --vnet-name spoke-1-vnet --remote-vnet nva-vnet --allow-vnet-access --allow-forwarded-traffic
-az network vnet peering create --name nva-to-spoke1 --resource-group vwan-microhack-spoke-rg --vnet-name nva-vnet --remote-vnet spoke-1-vnet --allow-vnet-access --allow-forwarded-traffic
-echo "# peering spoke-2-vnet to nva-vnet"
-az network vnet peering create --name spoke2-to-nva --resource-group vwan-microhack-spoke-rg --vnet-name spoke-2-vnet --remote-vnet nva-vnet --allow-vnet-access --allow-forwarded-traffic
-az network vnet peering create --name nva-to-spoke2 --resource-group vwan-microhack-spoke-rg --vnet-name nva-vnet --remote-vnet spoke-2-vnet --allow-vnet-access --allow-forwarded-traffic
+spoke1vnetid=$(az network vnet show -g vwan-microhack-spoke-rg -n spoke-1-vnet --query "id" --output tsv)
+spoke2vnetid=$(az network vnet show -g vwan-microhack-spoke-rg -n spoke-2-vnet --query "id" --output tsv)
+spoke3vnetid=$(az network vnet show -g vwan-microhack-spoke-rg -n spoke-3-vnet --query "id" --output tsv)
+spoke4vnetid=$(az network vnet show -g vwan-microhack-spoke-rg -n spoke-4-vnet --query "id" --output tsv)
+servicesvnetid=$(az network vnet show -g vwan-microhack-spoke-rg -n services-vnet --query "id" --output tsv)
+nvavnetid=$(az network vnet show -g vwan-microhack-spoke-rg -n nva-vnet --query "id" --output tsv)
+wedefaultrtid=$(az network vhub route-table show --name defaultRouteTable --resource-group vwan-microhack-hub-rg --vhub-name microhack-we-hub --query id --output tsv)
+
+echo "Removing associations and propagations from rt-shared-we"
+
+wesharedrtid=$(az network vhub route-table show --name "RT-Shared-we" --resource-group "vwan-microhack-hub-rg" --vhub-name microhack-we-hub --query id --output tsv)
+WERESTEP="https://management.azure.com${wesharedrtid}?api-version=2020-05-01"
+az rest --method put --uri "$WERESTEP" --body @emptyrtbody.json
+while [[ $(az rest --uri $WERESTEP | jq .properties.provisioningState) != "\"Succeeded\"" ]]; do sleep 30; done
+spoke1connection=$(az network vhub connection show -n spoke-1-we -g vwan-microhack-hub-rg --vhub-name microhack-we-hub --query "id" -o tsv)
+spoke2connection=$(az network vhub connection show -n spoke-2-we -g vwan-microhack-hub-rg --vhub-name microhack-we-hub --query "id" -o tsv)
+servicesvnetconnection=$(az network vhub connection show -n services-we -g vwan-microhack-hub-rg --vhub-name microhack-we-hub --query "id" -o tsv)
+WEVNETCONNECTIONSPOKE1="https://management.azure.com${spoke1connection}?api-version=2020-05-01"
+WEVNETCONNECTIONSPOKE2="https://management.azure.com${spoke2connection}?api-version=2020-05-01"
+WEVNETCONNECTIONSERVICES="https://management.azure.com${servicesvnetconnection}?api-version=2020-05-01"
+sed "s#spokevnetid#$spoke1vnetid#g" emptyspokeconnection.json | tee emptyspokeconnection-spoke1.json
+sed -i "s#wedefaultrtid#$wedefaultrtid#g" emptyspokeconnection-spoke1.json
+sed "s#spokevnetid#$spoke2vnetid#g" emptyspokeconnection.json | tee emptyspokeconnection-spoke2.json
+sed -i "s#wedefaultrtid#$wedefaultrtid#g" emptyspokeconnection-spoke2.json
+sed "s#spokevnetid#$servicesvnetid#g" emptyspokeconnection.json | tee emptyspokeconnection-services.json
+sed -i "s#wedefaultrtid#$wedefaultrtid#g" emptyspokeconnection-services.json
+az rest --method put --uri $WEVNETCONNECTIONSPOKE1 --body @emptyspokeconnection-spoke1.json
+while [[ $(az rest --uri $WEVNETCONNECTIONSPOKE1 | jq .properties.provisioningState) != "\"Succeeded\"" ]]; do sleep 30; done
+az rest --method put --uri $WEVNETCONNECTIONSPOKE2 --body @emptyspokeconnection-spoke2.json
+while [[ $(az rest --uri $WEVNETCONNECTIONSPOKE2 | jq .properties.provisioningState) != "\"Succeeded\"" ]]; do sleep 30; done
+az rest --method put --uri $WEVNETCONNECTIONSERVICES --body @emptyspokeconnection-services.json
+while [[ $(az rest --uri $WEVNETCONNECTIONSERVICES | jq .properties.provisioningState) != "\"Succeeded\"" ]]; do sleep 30; done
+
+
+
+echo "# removing connection spoke-1-we"
+az network vhub connection delete -n spoke-1-we -g vwan-microhack-hub-rg --vhub-name microhack-we-hub --yes
+echo "# removing connection spoke-2-we"
+az network vhub connection delete -n spoke-2-we -g vwan-microhack-hub-rg --vhub-name microhack-we-hub --yes
+
+
+
+echo "Removing associations and propagations from rt-shared-useast"
+useastdefaultrtid=$(az network vhub route-table show --name defaultRouteTable --resource-group vwan-microhack-hub-rg --vhub-name microhack-useast-hub --query id --output tsv)
+useastsharedrtid=$(az network vhub route-table show --name "rt-shared-useast" --resource-group "vwan-microhack-hub-rg" --vhub-name microhack-useast-hub --query id --output tsv)
+USEASTRESTEP="https://management.azure.com${useastsharedrtid}?api-version=2020-05-01"
+az rest --method put --uri "$USEASTRESTEP" --body @emptyrtbody.json
+while [[ $(az rest --uri $USEASTRESTEP | jq .properties.provisioningState) != "\"Succeeded\"" ]]; do sleep 30; done
+spoke3connection=$(az network vhub connection show -n spoke-3-useast -g vwan-microhack-hub-rg --vhub-name microhack-useast-hub --query "id" -o tsv)
+spoke4connection=$(az network vhub connection show -n spoke-4-useast -g vwan-microhack-hub-rg --vhub-name microhack-useast-hub --query "id" -o tsv)
+USEASTVNETCONNECTIONSPOKE3="https://management.azure.com${spoke3connection}?api-version=2020-05-01"
+USEASTVNETCONNECTIONSPOKE4="https://management.azure.com${spoke4connection}?api-version=2020-05-01"
+sed "s#spokevnetid#$spoke3vnetid#g" emptyspokeconnection.json | tee emptyspokeconnection-spoke3.json
+sed -i "s#wedefaultrtid#$useastdefaultrtid#g" emptyspokeconnection-spoke3.json
+sed "s#spokevnetid#$spoke4vnetid#g" emptyspokeconnection.json | tee emptyspokeconnection-spoke4.json
+sed -i "s#wedefaultrtid#$useastdefaultrtid#g" emptyspokeconnection-spoke4.json
+az rest --method put --uri $USEASTVNETCONNECTIONSPOKE3 --body @emptyspokeconnection-spoke3.json
+while [[ $(az rest --uri $USEASTVNETCONNECTIONSPOKE3 | jq .properties.provisioningState) != "\"Succeeded\"" ]]; do sleep 30; done
+az rest --method put --uri $USEASTVNETCONNECTIONSPOKE4 --body @emptyspokeconnection-spoke4.json
+while [[ $(az rest --uri $USEASTVNETCONNECTIONSPOKE4 | jq .properties.provisioningState) != "\"Succeeded\"" ]]; do sleep 30; done
+
+
+ONPREMCONNECTIONID=$(az network vpn-gateway list -g vwan-microhack-hub-rg --query [].connections[].id -o tsv)
+ONPREMCONNECTIONRESTEP="https://management.azure.com${ONPREMCONNECTIONID}?api-version=2020-05-01"
+ONPREMCONNECTIONVPNSITE=$(az network vpn-gateway list -g vwan-microhack-hub-rg --query [].connections[].remoteVpnSite.id -o tsv)
+sed "s#wedefaultrtid#$wedefaultrtid#g" onpremconnection.json | tee onpremconnection-values.json
+sed -i "s#ONPREMCONNECTIONVPNSITE#$ONPREMCONNECTIONVPNSITE#g" onpremconnection-values.json
+az rest --method put --uri $ONPREMCONNECTIONRESTEP --body @onpremconnection-values.json
+while [[ $(az rest --uri $ONPREMCONNECTIONRESTEP | jq .properties.provisioningState) != "\"Succeeded\"" ]]; do sleep 30; done
+
+
+echo "Deleting rt-shared-useast"
+az network vhub route-table delete --name rt-shared-useast -g vwan-microhack-hub-rg --vhub-name microhack-useast-hub
+echo "Deleting rt-shared-we"
+az network vhub route-table delete --name rt-shared-we -g vwan-microhack-hub-rg --vhub-name microhack-we-hub
+
+echo "# connecting nva-vnet"
+az network vhub connection create -n nva-we -g vwan-microhack-hub-rg --vhub-name microhack-we-hub --remote-vnet $nvavnetid --no-wait
+
+echo "# peering spoke-1-vnet to nva-vnet"
+az network vnet peering create --name spoke1-to-nva --resource-group vwan-microhack-spoke-rg --vnet-name spoke-1-vnet --remote-vnet nva-vnet --allow-vnet-access --allow-forwarded-traffic
+az network vnet peering create --name nva-to-spoke1 --resource-group vwan-microhack-spoke-rg --vnet-name nva-vnet --remote-vnet spoke-1-vnet --allow-vnet-access --allow-forwarded-traffic
+echo "# peering spoke-2-vnet to nva-vnet"
+az network vnet peering create --name spoke2-to-nva --resource-group vwan-microhack-spoke-rg --vnet-name spoke-2-vnet --remote-vnet nva-vnet --allow-vnet-access --allow-forwarded-traffic
+az network vnet peering create --name nva-to-spoke2 --resource-group vwan-microhack-spoke-rg --vnet-name nva-vnet --remote-vnet spoke-2-vnet --allow-vnet-access --allow-forwarded-traffic
diff --git a/prep-for-scenario-6.sh b/prep-for-scenario-6.sh
index 7eabcfd..1b2897c 100755
--- a/prep-for-scenario-6.sh
+++ b/prep-for-scenario-6.sh
@@ -1,36 +1,36 @@
-spoke1vnetid=$(az network vnet show -g vwan-microhack-spoke-rg -n spoke-1-vnet --query "id" --output tsv)
-spoke2vnetid=$(az network vnet show -g vwan-microhack-spoke-rg -n spoke-2-vnet --query "id" --output tsv)
-spoke3vnetid=$(az network vnet show -g vwan-microhack-spoke-rg -n spoke-3-vnet --query "id" --output tsv)
-spoke4vnetid=$(az network vnet show -g vwan-microhack-spoke-rg -n spoke-4-vnet --query "id" --output tsv)
-servicesvnetid=$(az network vnet show -g vwan-microhack-spoke-rg -n services-vnet --query "id" --output tsv)
-nvavnetid=$(az network vnet show -g vwan-microhack-spoke-rg -n nva-vnet --query "id" --output tsv)
-
-echo "# removing peerings to from spoke-vnet-1 to nva-vnet"
-az network vnet peering delete --name spoke1-to-nva --resource-group vwan-microhack-spoke-rg --vnet-name spoke-1-vnet
-az network vnet peering delete --name nva-to-spoke1 --resource-group vwan-microhack-spoke-rg --vnet-name nva-vnet
-echo "# removing peerings to from spoke-vnet-2 to nva-vnet"
-az network vnet peering delete --name spoke2-to-nva --resource-group vwan-microhack-spoke-rg --vnet-name spoke-2-vnet
-az network vnet peering delete --name nva-to-spoke2 --resource-group vwan-microhack-spoke-rg --vnet-name nva-vnet
-
-echo "# disconnecting nva-vnet"
-az network vhub connection delete -n nva-we -g vwan-microhack-hub-rg --vhub-name microhack-we-hub --yes
-
-echo "# connecting spoke-1-vnet"
-az network vhub connection create --name spoke-1-we --resource-group vwan-microhack-hub-rg --vhub-name microhack-we-hub --remote-vnet $spoke1vnetid --labels default
-echo "# connecting spoke-2-vnet"
-az network vhub connection create --name spoke-2-we --resource-group vwan-microhack-hub-rg --vhub-name microhack-we-hub --remote-vnet $spoke2vnetid --labels default --no-wait
-
-echo "#removing custom routes from microhack-we-hub"
-az network vhub route-table route remove --index 1 -n defaultRouteTable -g vwan-microhack-hub-rg --vhub-name microhack-we-hub --no-wait
-az network vhub route-table route remove --index 1 -n defaultRouteTable -g vwan-microhack-hub-rg --vhub-name microhack-we-hub --no-wait
-echo "#removing custom routes from microhack-useast-hub"
-az network vhub route-table route remove --index 1 -n defaultRouteTable -g vwan-microhack-hub-rg --vhub-name microhack-useast-hub --no-wait
-az network vhub route-table route remove --index 1 -n defaultRouteTable -g vwan-microhack-hub-rg --vhub-name microhack-useast-hub --no-wait
-
-echo "# detach UDR from vmSubnet in spoke-1-vnet"
-az network vnet subnet update --resource-group vwan-microhack-spoke-rg --name vmSubnet --vnet-name spoke-1-vnet --route-table ""
-echo "# detach UDR from vmSubnet in spoke-2-vnet"
-az network vnet subnet update --resource-group vwan-microhack-spoke-rg --name vmSubnet --vnet-name spoke-2-vnet --route-table ""
-
-
-
+spoke1vnetid=$(az network vnet show -g vwan-microhack-spoke-rg -n spoke-1-vnet --query "id" --output tsv)
+spoke2vnetid=$(az network vnet show -g vwan-microhack-spoke-rg -n spoke-2-vnet --query "id" --output tsv)
+spoke3vnetid=$(az network vnet show -g vwan-microhack-spoke-rg -n spoke-3-vnet --query "id" --output tsv)
+spoke4vnetid=$(az network vnet show -g vwan-microhack-spoke-rg -n spoke-4-vnet --query "id" --output tsv)
+servicesvnetid=$(az network vnet show -g vwan-microhack-spoke-rg -n services-vnet --query "id" --output tsv)
+nvavnetid=$(az network vnet show -g vwan-microhack-spoke-rg -n nva-vnet --query "id" --output tsv)
+
+echo "# removing peerings to from spoke-vnet-1 to nva-vnet"
+az network vnet peering delete --name spoke1-to-nva --resource-group vwan-microhack-spoke-rg --vnet-name spoke-1-vnet
+az network vnet peering delete --name nva-to-spoke1 --resource-group vwan-microhack-spoke-rg --vnet-name nva-vnet
+echo "# removing peerings to from spoke-vnet-2 to nva-vnet"
+az network vnet peering delete --name spoke2-to-nva --resource-group vwan-microhack-spoke-rg --vnet-name spoke-2-vnet
+az network vnet peering delete --name nva-to-spoke2 --resource-group vwan-microhack-spoke-rg --vnet-name nva-vnet
+
+echo "# disconnecting nva-vnet"
+az network vhub connection delete -n nva-we -g vwan-microhack-hub-rg --vhub-name microhack-we-hub --yes
+
+echo "# connecting spoke-1-vnet"
+az network vhub connection create --name spoke-1-we --resource-group vwan-microhack-hub-rg --vhub-name microhack-we-hub --remote-vnet $spoke1vnetid --labels default
+echo "# connecting spoke-2-vnet"
+az network vhub connection create --name spoke-2-we --resource-group vwan-microhack-hub-rg --vhub-name microhack-we-hub --remote-vnet $spoke2vnetid --labels default --no-wait
+
+echo "#removing custom routes from microhack-we-hub"
+az network vhub route-table route remove --index 1 -n defaultRouteTable -g vwan-microhack-hub-rg --vhub-name microhack-we-hub --no-wait
+az network vhub route-table route remove --index 1 -n defaultRouteTable -g vwan-microhack-hub-rg --vhub-name microhack-we-hub --no-wait
+echo "#removing custom routes from microhack-useast-hub"
+az network vhub route-table route remove --index 1 -n defaultRouteTable -g vwan-microhack-hub-rg --vhub-name microhack-useast-hub --no-wait
+az network vhub route-table route remove --index 1 -n defaultRouteTable -g vwan-microhack-hub-rg --vhub-name microhack-useast-hub --no-wait
+
+echo "# detach UDR from vmSubnet in spoke-1-vnet"
+az network vnet subnet update --resource-group vwan-microhack-spoke-rg --name vmSubnet --vnet-name spoke-1-vnet --route-table ""
+echo "# detach UDR from vmSubnet in spoke-2-vnet"
+az network vnet subnet update --resource-group vwan-microhack-spoke-rg --name vmSubnet --vnet-name spoke-2-vnet --route-table ""
+
+
+
diff --git a/spoke.tf b/spoke.tf
index baecd32..c9f27c8 100644
--- a/spoke.tf
+++ b/spoke.tf
@@ -1,713 +1,713 @@
-#######################################################################
-## Create Virtual Network - Spoke 1
-#######################################################################
-
-resource "azurerm_virtual_network" "spoke-1-vnet" {
- name = "spoke-1-vnet"
- location = var.location-spoke-1
- resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name
- address_space = ["172.16.1.0/24"]
-
- tags = {
- environment = "spoke-1"
- deployment = "terraform"
- microhack = "vwan"
- }
-}
-
-#######################################################################
-## Create Subnets - Spoke 1
-#######################################################################
-
-resource "azurerm_subnet" "spoke-1-vm-subnet" {
- name = "vmSubnet"
- resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name
- virtual_network_name = azurerm_virtual_network.spoke-1-vnet.name
- address_prefixes = ["172.16.1.0/25"]
-}
-resource "azurerm_subnet" "bastion-spoke-1-subnet" {
- name = "AzureBastionSubnet"
- resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name
- virtual_network_name = azurerm_virtual_network.spoke-1-vnet.name
- address_prefixes = ["172.16.1.128/27"]
-}
-#######################################################################
-## Create Virtual Network - Spoke 2
-#######################################################################
-
-resource "azurerm_virtual_network" "spoke-2-vnet" {
- name = "spoke-2-vnet"
- location = var.location-spoke-2
- resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name
- address_space = ["172.16.2.0/24"]
-
- tags = {
- environment = "spoke-2"
- deployment = "terraform"
- microhack = "vwan"
- }
-}
-#######################################################################
-## Create Subnets - Spoke 2
-#######################################################################
-resource "azurerm_subnet" "spoke-2-vm-subnet" {
- name = "vmSubnet"
- resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name
- virtual_network_name = azurerm_virtual_network.spoke-2-vnet.name
- address_prefixes = ["172.16.2.0/25"]
-}
-resource "azurerm_subnet" "bastion-spoke-2-subnet" {
- name = "AzureBastionSubnet"
- resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name
- virtual_network_name = azurerm_virtual_network.spoke-2-vnet.name
- address_prefixes = ["172.16.2.128/27"]
-}
-#######################################################################
-## Create Virtual Network - Spoke 3
-#######################################################################
-resource "azurerm_virtual_network" "spoke-3-vnet" {
- name = "spoke-3-vnet"
- location = var.location-spoke-3
- resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name
- address_space = ["172.16.3.0/24"]
-
- tags = {
- environment = "spoke-3"
- deployment = "terraform"
- microhack = "vwan"
- }
-}
-#######################################################################
-## Create Subnets - Spoke 3
-#######################################################################
-resource "azurerm_subnet" "spoke-3-vm-subnet" {
- name = "vmSubnet"
- resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name
- virtual_network_name = azurerm_virtual_network.spoke-3-vnet.name
- address_prefixes = ["172.16.3.0/25"]
-}
-resource "azurerm_subnet" "bastion-spoke-3-subnet" {
- name = "AzureBastionSubnet"
- resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name
- virtual_network_name = azurerm_virtual_network.spoke-3-vnet.name
- address_prefixes = ["172.16.3.128/27"]
-}
-#######################################################################
-## Create Virtual Network - Spoke 4
-#######################################################################
-
-resource "azurerm_virtual_network" "spoke-4-vnet" {
- name = "spoke-4-vnet"
- location = var.location-spoke-4
- resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name
- address_space = ["172.16.4.0/24"]
-
- tags = {
- environment = "spoke-4"
- deployment = "terraform"
- microhack = "vwan"
- }
-}
-#######################################################################
-## Create Subnets - Spoke 4
-#######################################################################
-
-resource "azurerm_subnet" "spoke-4-vm-subnet" {
- name = "vmSubnet"
- resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name
- virtual_network_name = azurerm_virtual_network.spoke-4-vnet.name
- address_prefixes = ["172.16.4.0/25"]
-}
-resource "azurerm_subnet" "bastion-spoke-4-subnet" {
- name = "AzureBastionSubnet"
- resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name
- virtual_network_name = azurerm_virtual_network.spoke-4-vnet.name
- address_prefixes = ["172.16.4.128/27"]
-}
-#######################################################################
-## Create Virtual Network - Onprem
-#######################################################################
-
-resource "azurerm_virtual_network" "onprem-vnet" {
- name = "onprem-vnet"
- location = var.location-onprem
- resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name
- address_space = ["10.0.1.0/24","10.0.2.0/24"]
-
- tags = {
- environment = "onprem"
- deployment = "terraform"
- microhack = "vwan"
- }
-}
-#######################################################################
-## Create Subnets - onprem
-#######################################################################
-resource "azurerm_subnet" "onprem-vm-subnet" {
- name = "vmSubnet"
- resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name
- virtual_network_name = azurerm_virtual_network.onprem-vnet.name
- address_prefixes = ["10.0.1.0/25"]
-}
-resource "azurerm_subnet" "bastion-onprem-subnet" {
- name = "AzureBastionSubnet"
- resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name
- virtual_network_name = azurerm_virtual_network.onprem-vnet.name
- address_prefixes = ["10.0.1.128/27"]
-}
-resource "azurerm_subnet" "onprem-gateway-subnet" {
- name = "GatewaySubnet"
- resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name
- virtual_network_name = azurerm_virtual_network.onprem-vnet.name
- address_prefixes = ["10.0.1.160/27"]
-}
-#######################################################################
-## Create Virtual Network - Services
-#######################################################################
-resource "azurerm_virtual_network" "services-vnet" {
- name = "services-vnet"
- location = var.location-spoke-services
- resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name
- address_space = ["172.16.10.0/24"]
-
- tags = {
- environment = "services"
- deployment = "terraform"
- microhack = "vwan"
- }
-}
-#######################################################################
-## Create Subnets - Services
-#######################################################################
-
-resource "azurerm_subnet" "services-vm-1-subnet" {
- name = "servicesSubnet-1"
- resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name
- virtual_network_name = azurerm_virtual_network.services-vnet.name
- address_prefixes = ["172.16.10.0/25"]
-}
-resource "azurerm_subnet" "services-vm-2-subnet" {
- name = "servicesSubnet-2"
- resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name
- virtual_network_name = azurerm_virtual_network.services-vnet.name
- address_prefixes = ["172.16.10.128/27"]
-}
-resource "azurerm_subnet" "bastion-services-subnet" {
- name = "AzureBastionSubnet"
- resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name
- virtual_network_name = azurerm_virtual_network.services-vnet.name
- address_prefixes = ["172.16.10.160/27"]
-}
-#######################################################################
-## Create Virtual Network - NVA
-#######################################################################
-resource "azurerm_virtual_network" "nva-vnet" {
- name = "nva-vnet"
- location = var.location-spoke-services
- resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name
- address_space = ["172.16.20.0/24"]
-
- tags = {
- environment = "nva"
- deployment = "terraform"
- microhack = "vwan"
- }
-}
-#######################################################################
-## Create Subnets - NVA
-#######################################################################
-
-resource "azurerm_subnet" "nva-subnet-1" {
- name = "nva-subnet-1"
- resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name
- virtual_network_name = azurerm_virtual_network.nva-vnet.name
- address_prefixes = ["172.16.20.0/26"]
-}
-resource "azurerm_subnet" "nva-subnet-2" {
- name = "nva-subnet-2"
- resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name
- virtual_network_name = azurerm_virtual_network.nva-vnet.name
- address_prefixes = ["172.16.20.64/26"]
-}
-resource "azurerm_subnet" "bastion-nva-subnet" {
- name = "AzureBastionSubnet"
- resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name
- virtual_network_name = azurerm_virtual_network.nva-vnet.name
- address_prefixes = ["172.16.20.160/27"]
-}
-#######################################################################
-## Create Network Interface - Spoke 1
-#######################################################################
-
-resource "azurerm_network_interface" "spoke-1-nic" {
- name = "spoke-1-nic"
- location = var.location-spoke-1
- resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name
- enable_ip_forwarding = false
-
- ip_configuration {
- name = "spoke-1-ipconfig"
- subnet_id = azurerm_subnet.spoke-1-vm-subnet.id
- private_ip_address_allocation = "Dynamic"
- }
-
- tags = {
- environment = "spoke-1"
- deployment = "terraform"
- microhack = "vwan"
- }
-}
-#######################################################################
-## Create Network Interface - Spoke 2
-#######################################################################
-
-resource "azurerm_network_interface" "spoke-2-nic" {
- name = "spoke-2-nic"
- location = var.location-spoke-2
- resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name
- enable_ip_forwarding = false
-
- ip_configuration {
- name = "spoke-2-ipconfig"
- subnet_id = azurerm_subnet.spoke-2-vm-subnet.id
- private_ip_address_allocation = "Dynamic"
- }
-
- tags = {
- environment = "spoke-1"
- deployment = "terraform"
- microhack = "vwan"
- }
-}
-#######################################################################
-## Create Network Interface - Spoke 3
-#######################################################################
-
-resource "azurerm_network_interface" "spoke-3-nic" {
- name = "spoke-3-nic"
- location = var.location-spoke-3
- resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name
- enable_ip_forwarding = false
-
- ip_configuration {
- name = "spoke-3-ipconfig"
- subnet_id = azurerm_subnet.spoke-3-vm-subnet.id
- private_ip_address_allocation = "Dynamic"
- }
-
- tags = {
- environment = "spoke-3"
- deployment = "terraform"
- microhack = "vwan"
- }
-}
-#######################################################################
-## Create Network Interface - Spoke 4
-#######################################################################
-
-resource "azurerm_network_interface" "spoke-4-nic" {
- name = "spoke-4-nic"
- location = var.location-spoke-4
- resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name
- enable_ip_forwarding = false
-
- ip_configuration {
- name = "spoke-4"
- subnet_id = azurerm_subnet.spoke-4-vm-subnet.id
- private_ip_address_allocation = "Dynamic"
- }
-
- tags = {
- environment = "spoke-4"
- deployment = "terraform"
- microhack = "vwan"
- }
-}
-#######################################################################
-## Create Network Interface - Spoke onprem
-#######################################################################
-
-resource "azurerm_network_interface" "onprem-nic" {
- name = "onprem-nic"
- location = var.location-onprem
- resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name
- enable_ip_forwarding = false
-
- ip_configuration {
- name = "onprem-ipconfig"
- subnet_id = azurerm_subnet.onprem-vm-subnet.id
- private_ip_address_allocation = "Dynamic"
- }
-
- tags = {
- environment = "onprem"
- deployment = "terraform"
- microhack = "vwan"
- }
-}
-#######################################################################
-## Create Network Interface - ADDC
-#######################################################################
-
-resource "azurerm_network_interface" "spoke-addc-1-nic" {
- name = "spoke-addc-1-nic"
- location = var.location-spoke-services
- resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name
- enable_ip_forwarding = false
-
- ip_configuration {
- name = "addc-1-ipconfig"
- subnet_id = azurerm_subnet.services-vm-1-subnet.id
- private_ip_address_allocation = "Dynamic"
- }
-
- tags = {
- environment = "services"
- deployment = "terraform"
- microhack = "vwan"
- }
-}
-#######################################################################
-## Create Virtual Machine spoke-1
-#######################################################################
-
-resource "azurerm_windows_virtual_machine" "spoke-1-vm" {
- name = "spoke-1-vm"
- location = var.location-spoke-1
- resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name
- network_interface_ids = [azurerm_network_interface.spoke-1-nic.id]
- size = var.vmsize
- computer_name = "spoke-1-vm"
- admin_username = var.username
- admin_password = var.password
- provision_vm_agent = true
-
- source_image_reference {
- offer = "WindowsServer"
- publisher = "MicrosoftWindowsServer"
- sku = "2019-Datacenter"
- version = "latest"
- }
-
- os_disk {
- name = "spoke-1-osdisk"
- caching = "ReadWrite"
- storage_account_type = "StandardSSD_LRS"
- }
-
- tags = {
- environment = "spoke-1"
- deployment = "terraform"
- microhack = "vwan"
- }
-}
-#######################################################################
-## Create Virtual Machine spoke-2
-#######################################################################
-resource "azurerm_windows_virtual_machine" "spoke-2-vm" {
- name = "spoke-2-vm"
- location = var.location-spoke-2
- resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name
- network_interface_ids = [azurerm_network_interface.spoke-2-nic.id]
- size = var.vmsize
- computer_name = "spoke-2-vm"
- admin_username = var.username
- admin_password = var.password
- provision_vm_agent = true
-
-
- source_image_reference {
- offer = "WindowsServer"
- publisher = "MicrosoftWindowsServer"
- sku = "2019-Datacenter"
- version = "latest"
- }
-
- os_disk {
- name = "spoke-2-osdisk"
- caching = "ReadWrite"
- storage_account_type = "StandardSSD_LRS"
- }
-
- tags = {
- environment = "spoke-2"
- deployment = "terraform"
- microhack = "vwan"
- }
-}
-#######################################################################
-## Create Virtual Machine spoke-3
-#######################################################################
-resource "azurerm_windows_virtual_machine" "spoke-3-vm" {
- name = "spoke-3-vm"
- location = var.location-spoke-3
- resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name
- network_interface_ids = [azurerm_network_interface.spoke-3-nic.id]
- size = var.vmsize
- computer_name = "spoke-3-vm"
- admin_username = var.username
- admin_password = var.password
- provision_vm_agent = true
-
- source_image_reference {
- offer = "WindowsServer"
- publisher = "MicrosoftWindowsServer"
- sku = "2019-Datacenter"
- version = "latest"
- }
-
- os_disk {
- name = "spoke-3-osdisk"
- caching = "ReadWrite"
- storage_account_type = "StandardSSD_LRS"
- }
-
- tags = {
- environment = "spoke-3"
- deployment = "terraform"
- microhack = "vwan"
- }
-}
-#######################################################################
-## Create Virtual Machine spoke-4
-#######################################################################
-resource "azurerm_windows_virtual_machine" "spoke-4-vm" {
- name = "spoke-4-vm"
- location = var.location-spoke-4
- resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name
- network_interface_ids = [azurerm_network_interface.spoke-4-nic.id]
- size = var.vmsize
- computer_name = "spoke-4-vm"
- admin_username = var.username
- admin_password = var.password
- provision_vm_agent = true
-
- source_image_reference {
- offer = "WindowsServer"
- publisher = "MicrosoftWindowsServer"
- sku = "2019-Datacenter"
- version = "latest"
- }
-
- os_disk {
- name = "spoke-4-osdisk"
- caching = "ReadWrite"
- storage_account_type = "StandardSSD_LRS"
- }
-
- tags = {
- environment = "spoke-4"
- deployment = "terraform"
- microhack = "vwan"
- }
-}
-#######################################################################
-## Create Virtual Machine onprem
-#######################################################################
-resource "azurerm_windows_virtual_machine" "onprem-vm" {
- name = "onprem-vm"
- location = var.location-onprem
- resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name
- network_interface_ids = [azurerm_network_interface.onprem-nic.id]
- size = var.vmsize
- computer_name = "onprem-vm"
- admin_username = var.username
- admin_password = var.password
- provision_vm_agent = true
-
- source_image_reference {
- offer = "WindowsServer"
- publisher = "MicrosoftWindowsServer"
- sku = "2019-Datacenter"
- version = "latest"
- }
-
- os_disk {
- name = "onprem-osdisk"
- caching = "ReadWrite"
- storage_account_type = "StandardSSD_LRS"
- }
-
- tags = {
- environment = "onprem"
- deployment = "terraform"
- microhack = "vwan"
- }
-}
-#######################################################################
-## Create Virtual Machine spoke-addc
-#######################################################################
-resource "azurerm_windows_virtual_machine" "spoke-addc-vm" {
- name = "spoke-addc-vm"
- location = var.location-spoke-services
- resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name
- network_interface_ids = [azurerm_network_interface.spoke-addc-1-nic.id]
- size = var.vmsize
- computer_name = "spoke-addc-vm"
- admin_username = var.username
- admin_password = var.password
- provision_vm_agent = true
-
- source_image_reference {
- offer = "WindowsServer"
- publisher = "MicrosoftWindowsServer"
- sku = "2019-Datacenter"
- version = "latest"
- }
-
- os_disk {
- name = "spoke-addc-osdisk"
- caching = "ReadWrite"
- storage_account_type = "StandardSSD_LRS"
- }
-
- tags = {
- environment = "addc"
- deployment = "terraform"
- microhack = "vwan"
- }
-}
-#######################################################################
-## Create Network Interface - nva-iptables-vm
-#######################################################################
-resource "azurerm_public_ip" "nva-iptables-vm-pub-ip"{
- name = "nva-iptables-vm-pub-ip"
- location = var.location-spoke-services
- resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name
- allocation_method = "Static"
- tags = {
- environment = "nva"
- deployment = "terraform"
- microhack = "vwan"
- }
-}
-resource "azurerm_network_security_group" "nva-iptables-vm-nsg"{
- name = "nva-iptables-vm-nsg"
- location = var.location-spoke-services
- resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name
-
- security_rule {
- name = "ssh"
- priority = 100
- direction = "Inbound"
- access = "Allow"
- protocol = "Tcp"
- source_port_range = "*"
- destination_port_range = "22"
- source_address_prefix = "*"
- destination_address_prefix = "*"
- }
- security_rule {
- name = "http"
- priority = 200
- direction = "Inbound"
- access = "Allow"
- protocol = "Tcp"
- source_port_range = "*"
- destination_port_range = "80"
- source_address_prefix = "*"
- destination_address_prefix = "*"
- }
- security_rule {
- name = "https"
- priority = 210
- direction = "Inbound"
- access = "Allow"
- protocol = "Tcp"
- source_port_range = "*"
- destination_port_range = "443"
- source_address_prefix = "*"
- destination_address_prefix = "*"
- }
- security_rule {
- name = "icmp"
- priority = 220
- direction = "Inbound"
- access = "Allow"
- protocol = "Tcp"
- source_port_range = "*"
- destination_port_range = "*"
- source_address_prefix = "*"
- destination_address_prefix = "*"
- }
-
- tags = {
- environment = "nva"
- deployment = "terraform"
- microhack = "vwan"
- }
-}
-resource "azurerm_network_interface" "nva-iptables-vm-nic-1" {
- name = "nva-iptables-vm-nic-1"
- location = var.location-spoke-services
- resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name
- enable_ip_forwarding = true
- ip_configuration {
- name = "nva-1-ipconfig"
- subnet_id = azurerm_subnet.nva-subnet-1.id
- private_ip_address_allocation = "Static"
- private_ip_address = "172.16.20.4"
- public_ip_address_id = azurerm_public_ip.nva-iptables-vm-pub-ip.id
- }
- tags = {
- environment = "nva"
- deployment = "terraform"
- microhack = "vwan"
- }
-}
-resource "azurerm_network_interface_security_group_association" "nva-iptables-vm-nsg-ass" {
- network_interface_id = azurerm_network_interface.nva-iptables-vm-nic-1.id
- network_security_group_id = azurerm_network_security_group.nva-iptables-vm-nsg.id
-}
-resource "azurerm_network_interface" "nva-iptables-vm-nic-2" {
- name = "nva-iptables-vm-nic-2"
- location = var.location-spoke-services
- resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name
- enable_ip_forwarding = true
- ip_configuration {
- name = "nva-2-ipconfig"
- subnet_id = azurerm_subnet.nva-subnet-2.id
- private_ip_address_allocation = "Static"
- private_ip_address = "172.16.20.68"
- }
- - tags = { - environment = "nva" - deployment = "terraform" - microhack = "vwan" - } -} -####################################################################### -## Create Virtual Machine - NVA -####################################################################### -resource "azurerm_linux_virtual_machine" "nva-iptables-vm" { - name = "nva-iptables-vm" - location = var.location-spoke-services - resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name - network_interface_ids = [azurerm_network_interface.nva-iptables-vm-nic-1.id] - size = var.vmsize - admin_username = var.username - admin_password = var.password - disable_password_authentication = false - - source_image_reference { - publisher = "Canonical" - offer = "UbuntuServer" - sku = "18.04-LTS" - version = "latest" - } - - os_disk { - name = "nva-iptables-vm-osdisk" - caching = "ReadWrite" - storage_account_type = "StandardSSD_LRS" - } - - tags = { - environment = "nva" - deployment = "terraform" - microhack = "vwan" - } -} - - +####################################################################### +## Create Virtual Network - Spoke 1 +####################################################################### + +resource "azurerm_virtual_network" "spoke-1-vnet" { + name = "spoke-1-vnet" + location = var.location-spoke-1 + resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name + address_space = ["172.16.1.0/24"] + + tags = { + environment = "spoke-1" + deployment = "terraform" + microhack = "vwan" + } +} + +####################################################################### +## Create Subnets - Spoke 1 +####################################################################### + +resource "azurerm_subnet" "spoke-1-vm-subnet" { + name = "vmSubnet" + resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name + virtual_network_name = azurerm_virtual_network.spoke-1-vnet.name + address_prefixes = ["172.16.1.0/25"] +} +resource "azurerm_subnet" 
"bastion-spoke-1-subnet" { + name = "AzureBastionSubnet" + resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name + virtual_network_name = azurerm_virtual_network.spoke-1-vnet.name + address_prefixes = ["172.16.1.128/27"] +} +####################################################################### +## Create Virtual Network - Spoke 2 +####################################################################### + +resource "azurerm_virtual_network" "spoke-2-vnet" { + name = "spoke-2-vnet" + location = var.location-spoke-2 + resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name + address_space = ["172.16.2.0/24"] + + tags = { + environment = "spoke-2" + deployment = "terraform" + microhack = "vwan" + } +} +####################################################################### +## Create Subnets - Spoke 2 +####################################################################### +resource "azurerm_subnet" "spoke-2-vm-subnet" { + name = "vmSubnet" + resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name + virtual_network_name = azurerm_virtual_network.spoke-2-vnet.name + address_prefixes = ["172.16.2.0/25"] +} +resource "azurerm_subnet" "bastion-spoke-2-subnet" { + name = "AzureBastionSubnet" + resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name + virtual_network_name = azurerm_virtual_network.spoke-2-vnet.name + address_prefixes = ["172.16.2.128/27"] +} +####################################################################### +## Create Virtual Network - Spoke 3 +####################################################################### +resource "azurerm_virtual_network" "spoke-3-vnet" { + name = "spoke-3-vnet" + location = var.location-spoke-3 + resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name + address_space = ["172.16.3.0/24"] + + tags = { + environment = "spoke-3" + deployment = "terraform" + microhack = "vwan" + } +} 
+####################################################################### +## Create Subnets - Spoke 3 +####################################################################### +resource "azurerm_subnet" "spoke-3-vm-subnet" { + name = "vmSubnet" + resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name + virtual_network_name = azurerm_virtual_network.spoke-3-vnet.name + address_prefixes = ["172.16.3.0/25"] +} +resource "azurerm_subnet" "bastion-spoke-3-subnet" { + name = "AzureBastionSubnet" + resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name + virtual_network_name = azurerm_virtual_network.spoke-3-vnet.name + address_prefixes = ["172.16.3.128/27"] +} +####################################################################### +## Create Virtual Network - Spoke 4 +####################################################################### + +resource "azurerm_virtual_network" "spoke-4-vnet" { + name = "spoke-4-vnet" + location = var.location-spoke-4 + resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name + address_space = ["172.16.4.0/24"] + + tags = { + environment = "spoke-4" + deployment = "terraform" + microhack = "vwan" + } +} +####################################################################### +## Create Subnets - Spoke 4 +####################################################################### + +resource "azurerm_subnet" "spoke-4-vm-subnet" { + name = "vmSubnet" + resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name + virtual_network_name = azurerm_virtual_network.spoke-4-vnet.name + address_prefixes = ["172.16.4.0/25"] +} +resource "azurerm_subnet" "bastion-spoke-4-subnet" { + name = "AzureBastionSubnet" + resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name + virtual_network_name = azurerm_virtual_network.spoke-4-vnet.name + address_prefixes = ["172.16.4.128/27"] +} +####################################################################### +## Create Virtual 
Network - Onprem +####################################################################### + +resource "azurerm_virtual_network" "onprem-vnet" { + name = "onprem-vnet" + location = var.location-onprem + resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name + address_space = ["10.0.1.0/24","10.0.2.0/24"] + + tags = { + environment = "onprem" + deployment = "terraform" + microhack = "vwan" + } +} +####################################################################### +## Create Subnets - onprem +####################################################################### +resource "azurerm_subnet" "onprem-vm-subnet" { + name = "vmSubnet" + resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name + virtual_network_name = azurerm_virtual_network.onprem-vnet.name + address_prefixes = ["10.0.1.0/25"] +} +resource "azurerm_subnet" "bastion-onprem-subnet" { + name = "AzureBastionSubnet" + resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name + virtual_network_name = azurerm_virtual_network.onprem-vnet.name + address_prefixes = ["10.0.1.128/27"] +} +resource "azurerm_subnet" "onprem-gateway-subnet" { + name = "GatewaySubnet" + resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name + virtual_network_name = azurerm_virtual_network.onprem-vnet.name + address_prefixes = ["10.0.1.160/27"] +} +####################################################################### +## Create Virtual Network - Services +####################################################################### +resource "azurerm_virtual_network" "services-vnet" { + name = "services-vnet" + location = var.location-spoke-services + resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name + address_space = ["172.16.10.0/24"] + + tags = { + environment = "services" + deployment = "terraform" + microhack = "vwan" + } +} +####################################################################### +## Create Subnets - Services 
+####################################################################### + +resource "azurerm_subnet" "services-vm-1-subnet" { + name = "servicesSubnet-1" + resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name + virtual_network_name = azurerm_virtual_network.services-vnet.name + address_prefixes = ["172.16.10.0/25"] +} +resource "azurerm_subnet" "services-vm-2-subnet" { + name = "servicesSubnet-2" + resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name + virtual_network_name = azurerm_virtual_network.services-vnet.name + address_prefixes = ["172.16.10.128/27"] +} +resource "azurerm_subnet" "bastion-services-subnet" { + name = "AzureBastionSubnet" + resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name + virtual_network_name = azurerm_virtual_network.services-vnet.name + address_prefixes = ["172.16.10.160/27"] +} +####################################################################### +## Create Virtual Network - NVA +####################################################################### +resource "azurerm_virtual_network" "nva-vnet" { + name = "nva-vnet" + location = var.location-spoke-services + resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name + address_space = ["172.16.20.0/24"] + + tags = { + environment = "nva" + deployment = "terraform" + microhack = "vwan" + } +} +####################################################################### +## Create Subnets - NVA +####################################################################### + +resource "azurerm_subnet" "nva-subnet-1" { + name = "nva-subnet-1" + resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name + virtual_network_name = azurerm_virtual_network.nva-vnet.name + address_prefixes = ["172.16.20.0/26"] +} +resource "azurerm_subnet" "nva-subnet-2" { + name = "nva-subnet-2" + resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name + virtual_network_name = 
azurerm_virtual_network.nva-vnet.name + address_prefixes = ["172.16.20.64/26"] +} +resource "azurerm_subnet" "bastion-nva-subnet" { + name = "AzureBastionSubnet" + resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name + virtual_network_name = azurerm_virtual_network.nva-vnet.name + address_prefixes = ["172.16.20.160/27"] +} +####################################################################### +## Create Network Interface - Spoke 1 +####################################################################### + +resource "azurerm_network_interface" "spoke-1-nic" { + name = "spoke-1-nic" + location = var.location-spoke-1 + resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name + enable_ip_forwarding = false + + ip_configuration { + name = "spoke-1-ipconfig" + subnet_id = azurerm_subnet.spoke-1-vm-subnet.id + private_ip_address_allocation = "Dynamic" + } + + tags = { + environment = "spoke-1" + deployment = "terraform" + microhack = "vwan" + } +} +####################################################################### +## Create Network Interface - Spoke 2 +####################################################################### + +resource "azurerm_network_interface" "spoke-2-nic" { + name = "spoke-2-nic" + location = var.location-spoke-2 + resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name + enable_ip_forwarding = false + + ip_configuration { + name = "spoke-2-ipconfig" + subnet_id = azurerm_subnet.spoke-2-vm-subnet.id + private_ip_address_allocation = "Dynamic" + } + + tags = { + environment = "spoke-1" + deployment = "terraform" + microhack = "vwan" + } +} +####################################################################### +## Create Network Interface - Spoke 3 +####################################################################### + +resource "azurerm_network_interface" "spoke-3-nic" { + name = "spoke-3-nic" + location = var.location-spoke-3 + resource_group_name = 
azurerm_resource_group.vwan-microhack-spoke-rg.name + enable_ip_forwarding = false + + ip_configuration { + name = "spoke-3-ipconfig" + subnet_id = azurerm_subnet.spoke-3-vm-subnet.id + private_ip_address_allocation = "Dynamic" + } + + tags = { + environment = "spoke-3" + deployment = "terraform" + microhack = "vwan" + } +} +####################################################################### +## Create Network Interface - Spoke 4 +####################################################################### + +resource "azurerm_network_interface" "spoke-4-nic" { + name = "spoke-4-nic" + location = var.location-spoke-4 + resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name + enable_ip_forwarding = false + + ip_configuration { + name = "spoke-4" + subnet_id = azurerm_subnet.spoke-4-vm-subnet.id + private_ip_address_allocation = "Dynamic" + } + + tags = { + environment = "spoke-4" + deployment = "terraform" + microhack = "vwan" + } +} +####################################################################### +## Create Network Interface - Spoke onprem +####################################################################### + +resource "azurerm_network_interface" "onprem-nic" { + name = "onprem-nic" + location = var.location-onprem + resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name + enable_ip_forwarding = false + + ip_configuration { + name = "onprem-ipconfig" + subnet_id = azurerm_subnet.onprem-vm-subnet.id + private_ip_address_allocation = "Dynamic" + } + + tags = { + environment = "onprem" + deployment = "terraform" + microhack = "vwan" + } +} +####################################################################### +## Create Network Interface - ADDC +####################################################################### + +resource "azurerm_network_interface" "spoke-addc-1-nic" { + name = "spoke-addc-1-nic" + location = var.location-spoke-services + resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name 
+ enable_ip_forwarding = false + + ip_configuration { + name = "addc-1-ipconfig" + subnet_id = azurerm_subnet.services-vm-1-subnet.id + private_ip_address_allocation = "Dynamic" + } + + tags = { + environment = "services" + deployment = "terraform" + microhack = "vwan" + } +} +####################################################################### +## Create Virtual Machine spoke-1 +####################################################################### + +resource "azurerm_windows_virtual_machine" "spoke-1-vm" { + name = "spoke-1-vm" + location = var.location-spoke-1 + resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name + network_interface_ids = [azurerm_network_interface.spoke-1-nic.id] + size = var.vmsize + computer_name = "spoke-1-vm" + admin_username = var.username + admin_password = var.password + provision_vm_agent = true + + source_image_reference { + offer = "WindowsServer" + publisher = "MicrosoftWindowsServer" + sku = "2019-Datacenter" + version = "latest" + } + + os_disk { + name = "spoke-1-osdisk" + caching = "ReadWrite" + storage_account_type = "StandardSSD_LRS" + } + + tags = { + environment = "spoke-1" + deployment = "terraform" + microhack = "vwan" + } +} +####################################################################### +## Create Virtual Machine spoke-2 +####################################################################### +resource "azurerm_windows_virtual_machine" "spoke-2-vm" { + name = "spoke-2-vm" + location = var.location-spoke-2 + resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name + network_interface_ids = [azurerm_network_interface.spoke-2-nic.id] + size = var.vmsize + computer_name = "spoke-2-vm" + admin_username = var.username + admin_password = var.password + provision_vm_agent = true + + + source_image_reference { + offer = "WindowsServer" + publisher = "MicrosoftWindowsServer" + sku = "2019-Datacenter" + version = "latest" + } + + os_disk { + name = "spoke-2-osdisk" + caching = 
"ReadWrite" + storage_account_type = "StandardSSD_LRS" + } + + tags = { + environment = "spoke-2" + deployment = "terraform" + microhack = "vwan" + } +} +####################################################################### +## Create Virtual Machine spoke-3 +####################################################################### +resource "azurerm_windows_virtual_machine" "spoke-3-vm" { + name = "spoke-3-vm" + location = var.location-spoke-3 + resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name + network_interface_ids = [azurerm_network_interface.spoke-3-nic.id] + size = var.vmsize + computer_name = "spoke-3-vm" + admin_username = var.username + admin_password = var.password + provision_vm_agent = true + + source_image_reference { + offer = "WindowsServer" + publisher = "MicrosoftWindowsServer" + sku = "2019-Datacenter" + version = "latest" + } + + os_disk { + name = "spoke-3-osdisk" + caching = "ReadWrite" + storage_account_type = "StandardSSD_LRS" + } + + tags = { + environment = "spoke-3" + deployment = "terraform" + microhack = "vwan" + } +} +####################################################################### +## Create Virtual Machine spoke-4 +####################################################################### +resource "azurerm_windows_virtual_machine" "spoke-4-vm" { + name = "spoke-4-vm" + location = var.location-spoke-4 + resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name + network_interface_ids = [azurerm_network_interface.spoke-4-nic.id] + size = var.vmsize + computer_name = "spoke-4-vm" + admin_username = var.username + admin_password = var.password + provision_vm_agent = true + + source_image_reference { + offer = "WindowsServer" + publisher = "MicrosoftWindowsServer" + sku = "2019-Datacenter" + version = "latest" + } + + os_disk { + name = "spoke-4-osdisk" + caching = "ReadWrite" + storage_account_type = "StandardSSD_LRS" + } + + tags = { + environment = "spoke-4" + deployment = "terraform" + 
microhack = "vwan" + } +} +####################################################################### +## Create Virtual Machine onprem +####################################################################### +resource "azurerm_windows_virtual_machine" "onprem-vm" { + name = "onprem-vm" + location = var.location-onprem + resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name + network_interface_ids = [azurerm_network_interface.onprem-nic.id] + size = var.vmsize + computer_name = "onprem-vm" + admin_username = var.username + admin_password = var.password + provision_vm_agent = true + + source_image_reference { + offer = "WindowsServer" + publisher = "MicrosoftWindowsServer" + sku = "2019-Datacenter" + version = "latest" + } + + os_disk { + name = "onprem-osdisk" + caching = "ReadWrite" + storage_account_type = "StandardSSD_LRS" + } + + tags = { + environment = "onprem" + deployment = "terraform" + microhack = "vwan" + } +} +####################################################################### +## Create Virtual Machine spoke-addc +####################################################################### +resource "azurerm_windows_virtual_machine" "spoke-addc-vm" { + name = "spoke-addc-vm" + location = var.location-spoke-services + resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name + network_interface_ids = [azurerm_network_interface.spoke-addc-1-nic.id] + size = var.vmsize + computer_name = "spoke-addc-vm" + admin_username = var.username + admin_password = var.password + provision_vm_agent = true + + source_image_reference { + offer = "WindowsServer" + publisher = "MicrosoftWindowsServer" + sku = "2019-Datacenter" + version = "latest" + } + + os_disk { + name = "spoke-addc-osdisk" + caching = "ReadWrite" + storage_account_type = "StandardSSD_LRS" + } + + tags = { + environment = "addc" + deployment = "terraform" + microhack = "vwan" + } +} +####################################################################### +## Create 
Network Interface - nva-iptables-vm +####################################################################### +resource "azurerm_public_ip" "nva-iptables-vm-pub-ip"{ + name = "nva-iptables-vm-pub-ip" + location = var.location-spoke-services + resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name + allocation_method = "Static" + tags = { + environment = "nva" + deployment = "terraform" + microhack = "vwan" + } +} +resource "azurerm_network_security_group" "nva-iptables-vm-nsg"{ + name = "nva-iptables-vm-nsg" + location = var.location-spoke-services + resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name + + security_rule { + name = "ssh" + priority = 100 + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_range = "*" + destination_port_range = "22" + source_address_prefix = "*" + destination_address_prefix = "*" + } + security_rule { + name = "http" + priority = 200 + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_range = "*" + destination_port_range = "80" + source_address_prefix = "*" + destination_address_prefix = "*" + } + security_rule { + name = "https" + priority = 210 + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_range = "*" + destination_port_range = "443" + source_address_prefix = "*" + destination_address_prefix = "*" + } + security_rule { + name = "icmp" + priority = 220 + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_range = "*" + destination_port_range = "*" + source_address_prefix = "*" + destination_address_prefix = "*" + } + + tags = { + environment = "nva" + deployment = "terraform" + microhack = "vwan" + } +} +resource "azurerm_network_interface" "nva-iptables-vm-nic-1" { + name = "nva-iptables-vm-nic-1" + location = var.location-spoke-services + resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name + enable_ip_forwarding = true + ip_configuration { + name = "nva-1-ipconfig" + 
subnet_id = azurerm_subnet.nva-subnet-1.id + private_ip_address_allocation = "Static" + private_ip_address = "172.16.20.4" + public_ip_address_id = azurerm_public_ip.nva-iptables-vm-pub-ip.id + } + tags = { + environment = "nva" + deployment = "terraform" + microhack = "vwan" + } +} +resource "azurerm_network_interface_security_group_association" "nva-iptables-vm-nsg-ass" { + network_interface_id = azurerm_network_interface.nva-iptables-vm-nic-1.id + network_security_group_id = azurerm_network_security_group.nva-iptables-vm-nsg.id +} +resource "azurerm_network_interface" "nva-iptables-vm-nic-2" { + name = "nva-iptables-vm-nic-2" + location = var.location-spoke-services + resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name + enable_ip_forwarding = true + ip_configuration { + name = "nva-2-ipconfig" + subnet_id = azurerm_subnet.nva-subnet-2.id + private_ip_address_allocation = "Static" + private_ip_address = "172.16.20.68" + } + + tags = { + environment = "nva" + deployment = "terraform" + microhack = "vwan" + } +} +####################################################################### +## Create Virtual Machine - NVA +####################################################################### +resource "azurerm_linux_virtual_machine" "nva-iptables-vm" { + name = "nva-iptables-vm" + location = var.location-spoke-services + resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name + network_interface_ids = [azurerm_network_interface.nva-iptables-vm-nic-1.id] + size = var.vmsize + admin_username = var.username + admin_password = var.password + disable_password_authentication = false + + source_image_reference { + publisher = "Canonical" + offer = "UbuntuServer" + sku = "18.04-LTS" + version = "latest" + } + + os_disk { + name = "nva-iptables-vm-osdisk" + caching = "ReadWrite" + storage_account_type = "StandardSSD_LRS" + } + + tags = { + environment = "nva" + deployment = "terraform" + microhack = "vwan" + } +} + + 
diff --git a/tools/route-tables.sh b/tools/route-tables.sh
new file mode 100644
index 0000000..246f0e9
--- /dev/null
+++ b/tools/route-tables.sh
@@ -0,0 +1,9 @@
+## Scenario 1 / Task 1
+az network nic show-effective-route-table -g vwan-microhack-spoke-rg -n spoke-1-nic --output table
+# PoSh - Get-AzEffectiveRouteTable -ResourceGroupName vwan-microhack-spoke-rg -NetworkInterfaceName spoke-1-nic | ft
+
+## Scenario 1 / Task 2
+az network nic show-effective-route-table -g vwan-microhack-spoke-rg -n spoke-2-nic --output table
+# PoSh - Get-AzEffectiveRouteTable -ResourceGroupName vwan-microhack-spoke-rg -NetworkInterfaceName spoke-2-nic | ft
+
+## Scenario 2 / Task 1
diff --git a/variables.tf b/variables.tf
index 356970c..aa38ba4 100644
--- a/variables.tf
+++ b/variables.tf
@@ -1,66 +1,66 @@
-variable "location-vwan" {
- description = "Location to deploy vwan"
- type = string
- default = "WestEurope"
-}
-variable "location-vwan-we-hub" {
- description = "Location to deploy we hub"
- type = string
- default = "WestEurope"
-}
-
-variable "location-spoke-1" {
- description = "Location to deploy spoke-1"
- type = string
- default = "WestEurope"
-}
-variable "location-spoke-2" {
- description = "Location to deploy spoke-2"
- type = string
- default = "WestEurope"
-}
-variable "location-spoke-3" {
- description = "Location to deploy spoke-3"
- type = string
- default = "EastUS"
-}
-variable "location-spoke-4" {
- description = "Location to deploy spoke-4"
- type = string
- default = "WestUS"
-}
-variable "location-hub-1" {
- description = "Location to deploy hub-1"
- type = string
- default = "WestEurope"
-}
-variable "location-hub-2" {
- description = "Location to deploy hub-2"
- type = string
- default = "EastUS"
-}
-variable "location-onprem" {
- description = "Location to deploy onprem"
- type = string
- default = "northeurope"
-}
-variable "location-spoke-services" {
- description = "Location to deploy spoke-services"
- type = string
- default = "WestEurope"
-}
-variable "username" {
- description = "Username for Virtual Machines"
- type = string
- default = "AzureAdmin"
-}
-
-variable "password" {
- description = "Virtual Machine password, must meet Azure complexity requirements"
- type = string
- default = "Microhack2020"
-}
-variable "vmsize" {
- description = "Size of the VMs"
- default = "Standard_D2_v3"
-}
+variable "location-vwan" {
+ description = "Location to deploy vwan"
+ type = string
+ default = "WestEurope"
+}
+variable "location-vwan-we-hub" {
+ description = "Location to deploy we hub"
+ type = string
+ default = "WestEurope"
+}
+
+variable "location-spoke-1" {
+ description = "Location to deploy spoke-1"
+ type = string
+ default = "WestEurope"
+}
+variable "location-spoke-2" {
+ description = "Location to deploy spoke-2"
+ type = string
+ default = "WestEurope"
+}
+variable "location-spoke-3" {
+ description = "Location to deploy spoke-3"
+ type = string
+ default = "EastUS"
+}
+variable "location-spoke-4" {
+ description = "Location to deploy spoke-4"
+ type = string
+ default = "WestUS"
+}
+variable "location-hub-1" {
+ description = "Location to deploy hub-1"
+ type = string
+ default = "WestEurope"
+}
+variable "location-hub-2" {
+ description = "Location to deploy hub-2"
+ type = string
+ default = "EastUS"
+}
+variable "location-onprem" {
+ description = "Location to deploy onprem"
+ type = string
+ default = "northeurope"
+}
+variable "location-spoke-services" {
+ description = "Location to deploy spoke-services"
+ type = string
+ default = "WestEurope"
+}
+variable "username" {
+ description = "Username for Virtual Machines"
+ type = string
+ default = "AzureAdmin"
+}
+
+variable "password" {
+ description = "Virtual Machine password, must meet Azure complexity requirements"
+ type = string
+ default = "Microhack2020"
+}
+variable "vmsize" {
+ description = "Size of the VMs"
+ default = "Standard_D2_v3"
+}
diff --git a/vm-extensions.tf b/vm-extensions.tf
index 099ea86..95f6f08 100644
--- a/vm-extensions.tf
+++ b/vm-extensions.tf
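Review bot: The new side of this hunk still commits a working credential: `variable "password"` carries `default = "Microhack2020"`, so every deployment that does not override it gets the same admin password on all VMs, and the value is also echoed in plan output and stored in state. The hunk looks like a line-ending-only rewrite of variables.tf, so the defect predates this commit, but it is the code under review now. Drop the default and mark the variable as sensitive, i.e. replace `default     = "Microhack2020"` with `sensitive   = true` (available from Terraform 0.14; the required version is not visible here), and supply the value through `TF_VAR_password` or an untracked tfvars file. The same reasoning applies, with less impact, to `username` defaulting to `AzureAdmin`; separately, `vmsize` is the only variable without `type = string`.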
@@ -1,148 +1,148 @@ - -########################################################## -## Install IIS role on spoke-1 -########################################################## -resource "azurerm_virtual_machine_extension" "install-iis-spoke-1-vm" { - - name = "install-iis-spoke-1-vm" - virtual_machine_id = azurerm_windows_virtual_machine.spoke-1-vm.id - publisher = "Microsoft.Compute" - type = "CustomScriptExtension" - type_handler_version = "1.9" - - settings = < Date: Tue, 22 Dec 2020 15:45:29 +0100 Subject: [PATCH 3/7] ReadMe.md - added WSL instructions, fixed typos, added some explanations add - .gitattributes - with LF for SH files to support git on Windows and usage in WSL --- .gitattributes | 2 ++ README.md | 31 +++++++++++++++++++++++++------ tools/route-tables.sh | 9 --------- 3 files changed, 27 insertions(+), 15 deletions(-) create mode 100644 .gitattributes delete mode 100644 tools/route-tables.sh diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..04f5402 --- /dev/null +++ b/.gitattributes @@ -0,0 +1,2 @@ +# convert to LF line endings on checkout +*.sh text eol=LF diff --git a/README.md b/README.md index 693cf15..667f109 100644 --- a/README.md +++ b/README.md 
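Review bot: `*.sh text eol=LF` most likely does not do what the comment says: git's `eol` attribute accepts the lowercase values `lf` and `crlf`, and an unrecognised value is treated as unset, so on a Windows checkout the scripts would still follow `core.autocrlf`/`core.eol`, which is exactly the case the commit message is trying to fix. The `text` attribute still normalises the files to LF inside the repository, so the problem would only surface in the working tree when the scripts are run under WSL. Change the line to `*.sh text eol=lf`.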
@@ -57,7 +57,20 @@ At the end of the lab your deployment looks like this: Although a Branch (site-to-site VPN) connection is part of this MicroHack, it does not cover the integration with products from SDWAN partners. # Prerequisites -To make the most of your time on this MircoHack, the green elements in the diagram above are deployed and configured for you through Terraform. You will focus on deploying and configuring the blue items using the Azure portal and Cloud Shell. +To make the most of your time on this MircoHack, the green elements in the diagram above are deployed and configured for you through Terraform. +You will focus on deploying and configuring the blue items using the Azure portal and Cloud Shell. + +## Optional: Prepare WSL with Ubuntu +If you would like to run the Microhack with WSLv2 and Ubuntu, please install the following packages before: +* Azure CLI + * instructions https://docs.microsoft.com/en-us/cli/azure/install-azure-cli-apt + * direct install with: `curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash` +* Terraform + * download https://www.terraform.io/downloads.html + * instructions https://learn.hashicorp.com/tutorials/terraform/install-cli +* jq tool + * `sudo apt install jq -y` + ## Task 1: Deploy Steps: - Log in to Azure Cloud Shell at https://shell.azure.com/ and select Bash 
@@ -263,7 +276,10 @@ Alternatively, in Cloud Shell, issue this command:
 
 `az network vhub create --address-prefix 192.168.1.0/24 --name microhack-useast-hub --vwan microhack-vwan --resource-group vwan-microhack-hub-rg --location eastus --sku Standard`
 
- This will take a few minutes to complete.
+ This will take a few minutes to complete.
+
+:exclamation: Please wait until the operation is finished.
+ The provisioning of the routing engine will take a while. The CLI will finish earlier than the real operation in the background. Please check in the portal that in "Hub US East / Overview" that the "routing status" has "succeeded" reached before proceeding.
 
 ## Task 2: Connect VNETs
 Connect spoke-3-vnet and spoke-4-vnet to the new Hub. We connected VNETs through the portal in Scenario 1, so to save time we'll do this through a prepared shell script.
@@ -397,7 +413,7 @@ Tab Basics
 - Tab Propagations
 - Enter *nothing* because:
 - We do not want the local Spokes to propagate to this table, as they should not learn each other's routes
- - The RT-Shared-useast table must only contain routes to the Shared Services Spoke- and the Branch connections, and it will learn these from the West Europe hub via the inter-hub link
+ - The RT-Shared-useast table must only contain routes to the Shared Services Spoke- and the Branch connections, and it will learn these from the West Europe hub via the inter-hub link (by the route label "shared")
 - Click Create
 
 Routing for the US East Hub shows both Spoke VNET connections propagating to the Default route table, and both are associated with the RT-Shared-useast table.
@@ -607,7 +623,7 @@ View Effective Routes for spoke-1-vm, in the portal or in Cloud Shell:
 
 View Effective Routes for spoke-3-vm, in the portal or in Cloud Shell:
 
-`az network nic show-effective-route-table -g vwan-microhack-spoke-rg -n spoke-1-nic --output table`
+`az network nic show-effective-route-table -g vwan-microhack-spoke-rg -n spoke-3-nic --output table`
 
 :question: Identify the routes that you see. Comparing to Spoke routes we saw in previous scenario's, is this now different and why (not)?. From the perspective of Spoke 3, has placing Spokes 1 and 2 behind an NVA VNET on the *remote* hub changed its view of the network?
@@ -625,7 +641,7 @@ Now view Effective Routes for the Default table of the US East hub.
 
 :point_right: Outbound internet access
 
-Traffic outbound to the internet from Spokes 1 and 2 is directed to the NVA, and it goes out via the NVA's public IP address. Verify this by browsing to www.whatismyipaddress.com from spoke-1-vm, check that the ip address reported is the public ip of the NVA shown in the portal.
+Traffic outbound to the internet from Spokes 1 and 2 is directed to the NVA, and it goes out via the NVA's public IP address. Verify this by browsing to https://ipv6-test.com/ from spoke-1-vm, check that the ip address reported is the public ip of the NVA shown in the portal.
 
 It would be ideal if outbound internet from spoke vnets directly connected to the VWAN, such as Spokes 3 and 4, could be forced through the NVA as well. This requires a custom route in the Hub default route tables, for destination prefix 0.0.0.0/0 pointing to the nva-vnet connection. This is not possible today as VWAN does not support the default route as a custom route entry.
@@ -715,7 +731,7 @@ Display the ip addresses of the he Azure Firewall in the secured hub:
 
 :exclamation: Note that the default route now points to the private (inside) address of the Azure Firewall instance in the secured hub.
 
-On spoke-1-vm, browse to www.whatismyipaddress.com.
+On spoke-1-vm, browse to http://v4.ipv6-test.com/api/myip.php.
 
 :exclamation: Note that the outbound ip address is now the public ip address of the Azure Firewall instance.
 
@@ -732,6 +748,9 @@ This MicroHack is available for you to use with your teams, your customers and p
 
 Delete the vwan-microhack-hub-rg and vwan-microhack-spoke-rg resource groups. This may take up to 30 minutes to compete. Check back to verify that all resources have indeed been deleted.
 
+`az group delete --name vwan-microhack-hub-rg`
+`az group delete --name vwan-microhack-spoke-rg`
+
 In Cloud Shell, delete the azure-vwan-microhack directory:
 
 `rm -rf azure-vwan-microhack`
diff --git a/tools/route-tables.sh b/tools/route-tables.sh
deleted file mode 100644
index 246f0e9..0000000
--- a/tools/route-tables.sh
+++ /dev/null
@@ -1,9 +0,0 @@
-## Scenario 1 / Task 1
-az network nic show-effective-route-table -g vwan-microhack-spoke-rg -n spoke-1-nic --output table
-# PoSh - Get-AzEffectiveRouteTable -ResourceGroupName vwan-microhack-spoke-rg -NetworkInterfaceName spoke-1-nic | ft
-
-## Scenario 1 / Task 2
-az network nic show-effective-route-table -g vwan-microhack-spoke-rg -n spoke-2-nic --output table
-# PoSh - Get-AzEffectiveRouteTable -ResourceGroupName vwan-microhack-spoke-rg -NetworkInterfaceName spoke-2-nic | ft
-
-## Scenario 2 / Task 1
From 74e4bb81a2d6c8abdb0eb2625a865e1c61732fb3 Mon Sep 17 00:00:00 2001
From: HolgerR <48099512+HolgerReiners@users.noreply.github.com>
Date: Tue, 22 Dec 2020 16:01:49 +0100
Subject: [PATCH 4/7] Revert "ReadMe.md - added WSL instructions, fixed typos, added some explanations add - .gitattributes - with LF for SH files to support git on Windows and usage in WSL"
This reverts commit adc7a9c6dd6f2cd835ab576f1e0f7cc6dcfa7ba9.
---
 .gitattributes | 2 --
 README.md | 31 ++++++------------------------
 tools/route-tables.sh | 9 +++++++++
 3 files changed, 15 insertions(+), 27 deletions(-)
 delete mode 100644 .gitattributes
 create mode 100644 tools/route-tables.sh
diff --git a/.gitattributes b/.gitattributes
deleted file mode 100644
index 04f5402..0000000
--- a/.gitattributes
+++ /dev/null
@@ -1,2 +0,0 @@
-# convert to LF line endings on checkout
-*.sh text eol=LF
diff --git a/README.md b/README.md
index 667f109..693cf15 100644
--- a/README.md
+++ b/README.md
@@ -57,20 +57,7 @@ At the end of the lab your deployment looks like this:
 
 Although a Branch (site-to-site VPN) connection is part of this MicroHack, it does not cover the integration with products from SDWAN partners.
 # Prerequisites
-To make the most of your time on this MircoHack, the green elements in the diagram above are deployed and configured for you through Terraform.
-You will focus on deploying and configuring the blue items using the Azure portal and Cloud Shell.
-
-## Optional: Prepare WSL with Ubuntu
-If you would like to run the Microhack with WSLv2 and Ubuntu, please install the following packages before:
-* Azure CLI
- * instructions https://docs.microsoft.com/en-us/cli/azure/install-azure-cli-apt
- * direct install with: `curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash`
-* Terraform
- * download https://www.terraform.io/downloads.html
- * instructions https://learn.hashicorp.com/tutorials/terraform/install-cli
-* jq tool
- * `sudo apt install jq -y`
-
+To make the most of your time on this MircoHack, the green elements in the diagram above are deployed and configured for you through Terraform. You will focus on deploying and configuring the blue items using the Azure portal and Cloud Shell.
 ## Task 1: Deploy
 Steps:
 - Log in to Azure Cloud Shell at https://shell.azure.com/ and select Bash
@@ -276,10 +263,7 @@ Alternatively, in Cloud Shell, issue this command:
 
 `az network vhub create --address-prefix 192.168.1.0/24 --name microhack-useast-hub --vwan microhack-vwan --resource-group vwan-microhack-hub-rg --location eastus --sku Standard`
 
- This will take a few minutes to complete.
-
-:exclamation: Please wait until the operation is finished.
- The provisioning of the routing engine will take a while. The CLI will finish earlier than the real operation in the background. Please check in the portal that in "Hub US East / Overview" that the "routing status" has "succeeded" reached before proceeding.
+ This will take a few minutes to complete.
 
 ## Task 2: Connect VNETs
 Connect spoke-3-vnet and spoke-4-vnet to the new Hub. We connected VNETs through the portal in Scenario 1, so to save time we'll do this through a prepared shell script.
@@ -413,7 +397,7 @@ Tab Basics
 - Tab Propagations
 - Enter *nothing* because:
 - We do not want the local Spokes to propagate to this table, as they should not learn each other's routes
- - The RT-Shared-useast table must only contain routes to the Shared Services Spoke- and the Branch connections, and it will learn these from the West Europe hub via the inter-hub link (by the route label "shared")
+ - The RT-Shared-useast table must only contain routes to the Shared Services Spoke- and the Branch connections, and it will learn these from the West Europe hub via the inter-hub link
 - Click Create
 
 Routing for the US East Hub shows both Spoke VNET connections propagating to the Default route table, and both are associated with the RT-Shared-useast table.
@@ -623,7 +607,7 @@ View Effective Routes for spoke-1-vm, in the portal or in Cloud Shell:
 
 View Effective Routes for spoke-3-vm, in the portal or in Cloud Shell:
 
-`az network nic show-effective-route-table -g vwan-microhack-spoke-rg -n spoke-3-nic --output table`
+`az network nic show-effective-route-table -g vwan-microhack-spoke-rg -n spoke-1-nic --output table`
 
 :question: Identify the routes that you see. Comparing to Spoke routes we saw in previous scenario's, is this now different and why (not)?. From the perspective of Spoke 3, has placing Spokes 1 and 2 behind an NVA VNET on the *remote* hub changed its view of the network?
@@ -641,7 +625,7 @@ Now view Effective Routes for the Default table of the US East hub.
 
 :point_right: Outbound internet access
 
-Traffic outbound to the internet from Spokes 1 and 2 is directed to the NVA, and it goes out via the NVA's public IP address. Verify this by browsing to https://ipv6-test.com/ from spoke-1-vm, check that the ip address reported is the public ip of the NVA shown in the portal.
+Traffic outbound to the internet from Spokes 1 and 2 is directed to the NVA, and it goes out via the NVA's public IP address. Verify this by browsing to www.whatismyipaddress.com from spoke-1-vm, check that the ip address reported is the public ip of the NVA shown in the portal.
 
 It would be ideal if outbound internet from spoke vnets directly connected to the VWAN, such as Spokes 3 and 4, could be forced through the NVA as well. This requires a custom route in the Hub default route tables, for destination prefix 0.0.0.0/0 pointing to the nva-vnet connection. This is not possible today as VWAN does not support the default route as a custom route entry.
@@ -731,7 +715,7 @@ Display the ip addresses of the he Azure Firewall in the secured hub:
 
 :exclamation: Note that the default route now points to the private (inside) address of the Azure Firewall instance in the secured hub.
 
-On spoke-1-vm, browse to http://v4.ipv6-test.com/api/myip.php.
+On spoke-1-vm, browse to www.whatismyipaddress.com.
 
 :exclamation: Note that the outbound ip address is now the public ip address of the Azure Firewall instance.
 
@@ -748,9 +732,6 @@ This MicroHack is available for you to use with your teams, your customers and p
 
 Delete the vwan-microhack-hub-rg and vwan-microhack-spoke-rg resource groups. This may take up to 30 minutes to compete. Check back to verify that all resources have indeed been deleted.
 
-`az group delete --name vwan-microhack-hub-rg`
-`az group delete --name vwan-microhack-spoke-rg`
-
 In Cloud Shell, delete the azure-vwan-microhack directory:
 
 `rm -rf azure-vwan-microhack`
diff --git a/tools/route-tables.sh b/tools/route-tables.sh
new file mode 100644
index 0000000..246f0e9
--- /dev/null
+++ b/tools/route-tables.sh
@@ -0,0 +1,9 @@
+## Scenario 1 / Task 1
+az network nic show-effective-route-table -g vwan-microhack-spoke-rg -n spoke-1-nic --output table
+# PoSh - Get-AzEffectiveRouteTable -ResourceGroupName vwan-microhack-spoke-rg -NetworkInterfaceName spoke-1-nic | ft
+
+## Scenario 1 / Task 2
+az network nic show-effective-route-table -g vwan-microhack-spoke-rg -n spoke-2-nic --output table
+# PoSh - Get-AzEffectiveRouteTable -ResourceGroupName vwan-microhack-spoke-rg -NetworkInterfaceName spoke-2-nic | ft
+
+## Scenario 2 / Task 1
From 83e842d81e2d33c911ac7c8d58e72f9b20613500 Mon Sep 17 00:00:00 2001
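Review bot: The re-created `tools/route-tables.sh` has no shebang and no `set -euo pipefail`, so invoking it as a script runs both `az network nic show-effective-route-table` calls back to back under whatever shell the caller happens to use, and the trailing `## Scenario 2 / Task 1` heading has no command under it. If the file is meant to be executed, add `#!/usr/bin/env bash` and `set -euo pipefail` as its first two lines; if it is a cheat sheet of commands to copy into Cloud Shell, a `.md` or `.txt` extension would say so and keep it from being treated as a script. The same applies to the original addition of this file in PATCH 2/7, whose hunk is outside this view.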
From: HolgerR <48099512+HolgerReiners@users.noreply.github.com>
Date: Tue, 22 Dec 2020 16:01:57 +0100
Subject: [PATCH 5/7] Revert "adding tools"
This reverts commit b3a0522c15ac66a55a447aca281f6ffcd968d4c1.
---
 .gitignore | 68 +-
 README.md | 1474 +++++++++++++++++-----------------
 add-udrs-scenario5.sh | 14 +-
 bastions.tf | 306 +++----
 branch-routes.sh | 22 +-
 clean-up-after-scenario-4.sh | 150 ++--
 connect-branch.sh | 64 +-
 connect-services-spoke.sh | 2 +-
 connect-us-east-spokes.sh | 8 +-
 emptyrtbody.json | 10 +-
 emptyspokeconnection.json | 38 +-
 enable-routing-nva.sh | 6 +-
 main.tf | 52 +-
 onpremconnection.json | 68 +-
 prep-for-scenario-5.sh | 170 ++--
 prep-for-scenario-6.sh | 72 +-
 spoke.tf | 1426 ++++++++++++++++----------------
 tools/route-tables.sh | 9 -
 variables.tf | 132 +--
 vm-extensions.tf | 296 +++----
 vnet-gw.tf | 66 +-
 vwan.tf | 40 +-
 22 files changed, 2242 insertions(+), 2251 deletions(-)
 delete mode 100644 tools/route-tables.sh
diff --git a/.gitignore b/.gitignore
index ade8300..9961612 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,35 +1,35 @@
-# Local .terraform directories
-**/.terraform/*
-
-# Local lock
-.terraform.lock.hcl
-
-# .tfstate files
-*.tfstate
-*.tfstate.*
-
-# tfvars
-*.auto.tfvars
-
-# Crash log files
-crash.log
-
-# Ignore any .tfvars files that are generated automatically for each Terraform run. Most
-# .tfvars files are managed as part of configuration and so should be included in
-# version control.
-#
-# example.tfvars
-
-# Ignore override files as they are usually used to override resources locally and so
-# are not checked in
-override.tf
-override.tf.json
-*_override.tf
-*_override.tf.json
-
-# Include override files you do wish to add to version control using negated pattern
-#
-# !example_override.tf
-
-# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# Local .terraform directories
+**/.terraform/*
+
+# Local lock
+.terraform.lock.hcl
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# tfvars
+*.auto.tfvars
+
+# Crash log files
+crash.log
+
+# Ignore any .tfvars files that are generated automatically for each Terraform run. Most
+# .tfvars files are managed as part of configuration and so should be included in
+# version control.
+#
+# example.tfvars
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Include override files you do wish to add to version control using negated pattern
+#
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
 # example: *tfplan*
\ No newline at end of file
diff --git a/README.md b/README.md
index 693cf15..c53c1b4 100644
--- a/README.md
+++ b/README.md
@@ -1,737 +1,737 @@ -# **Routing in Azure Virtual WAN MicroHack** - -# Contents -[Introduction](#introduction) - -[Objectives](#objectives) - -[Scenario](#scenario) - -[Lab](#lab) - -[Prerequisites](#prerequisites) - -[Scenario 1: Single region Virtual WAN with Default Routing](#scenario-1-single-region-virtual-wan-with-default-routing) - -[Scenario 2: Add a branch connection](#scenario-2-add-a-branch-connection) - -[Scenario 3: Multi-regional Virtual WAN](#scenario-3-multi-regional-virtual-wan) - -[Scenario 4: Isolated Spokes and Shared Services Spoke](#scenario-4-isolated-spokes-and-shared-services-spoke) - -[Scenario 5 (Optional): Filter traffic through a Network Virtual Appliance](#scenario-5-optional-filter-traffic-through-a-network-virtual-appliance) - -[Scenario 6 (Optional): Secured Hubs](#scenario-6-optional-secured-hubs) - -[Close out](#close-out) - -# Introduction -This MicroHack explores some of the advanced routing capabilities recently introduced into Azure Virtual WAN. - -The lab starts with a single Hub with Spoke VNETs and default routing. We then connect a simulated on-premise location via S2S VPN. Then we add another regional Hub with Spokes and observe how routing extends across multiple Hubs. Next we implement custom routing patterns for Shared Services- and Isolated Spokes. - -At the end of the MicroHack, there is optional content on network security in Virtual WAN with Network Virtual Appliances and with Secured Hubs. - -Prior to starting this MicroHack, please familiarize yourself with routing in Virtual WAN by reviewing the documentation at https://docs.microsoft.com/en-us/azure/virtual-wan/virtual-wan-about and https://docs.microsoft.com/en-us/azure/virtual-wan/about-virtual-hub-routing. 
- -# Objectives -After completing this MicroHack you will: -- Know how to build a hub-and-spoke topology with Virtual WAN -- Understand default routing in Virtual WAN and how this differs from the classic virtual data center hub-and-spoke spoke architecture -- Understand how custom routing works and know how to build some custom routing scenarios - -# Lab - -The lab consists of a Virtual WAN with Hubs in West Europe and US East, 4 Spoke VNETs (2 in West Europe, 1 in US East and 1 US West), a Shared Services VNET in West-Europe and a simulated On-premise location in North Europe. - -Each of the Spoke and On-prem VNETs contains a Virtual Machine running a basic web site. The Shared Services VNET contains an Active Directory Domain Controller. the NVA VNET contains a Linux VM with Iptables. - -An additional VNET containing a Network Virtual Appliance Linux-based firewall is also deployed. This NVA VNET is used in the optional advanced scenario's on network security. - -During the course of the MicroHack you will connect the Spoke and Shared Services VNETs and the On-premise site to Virtual WAN, deploy an additional Virtual WAN Hub, and manipulate and observe routing. - -At the end of the lab your deployment looks like this: - -![image](images/microhack-vwan.png) - - -Although a Branch (site-to-site VPN) connection is part of this MicroHack, it does not cover the integration with products from SDWAN partners. -# Prerequisites -To make the most of your time on this MircoHack, the green elements in the diagram above are deployed and configured for you through Terraform. You will focus on deploying and configuring the blue items using the Azure portal and Cloud Shell. 
-## Task 1: Deploy -Steps: -- Log in to Azure Cloud Shell at https://shell.azure.com/ and select Bash -- Ensure Azure CLI and extensions are up to date: - - `az upgrade --yes` - -- If necessary select your target subscription: - - `az account set --subscription ` - -- Clone the GitHub repository: - - `git clone https://github.com/mddazure/azure-vwan-microhack` - - - Change directory: - - `cd ./azure-vwan-microhack` - - Initialize terraform and download the azurerm resource provider: - - `terraform init` - -- Now start the deployment (when prompted, confirm with **yes** to start the deployment): - - `terraform apply` - -Deployment takes approximately 30 minutes. -## Task 2: Explore and verify - -After the Terraform deployment concludes successfully, the following has been deployed into your subscription: -- A resource group named **vwan-microhack-spoke-rg** containing - - Four Spoke VNETs, each containing a Virtual Machine running a simple web site, and a Bastion Host. - - An Onprem VNET containing a Virtual Machine running a simple web site, a VNET Gateway and a Bastion Host. - - A Services VNET containing and a Virtual Machine configured as an Active Directory Domain Controller, and a Bastion Host. - - An NVA VNET containing a Virtual Machine with Linux (Ubuntu 18.4) and Iptables installed, and a Bastion Host. -- A resource group named **vwan-microhack-hub-rg** containing a Virtual WAN resource with one Hub and one VPN Gateway. You will deploy another Hub into this resource group manually later on. - -Verify these resources are present in the portal. - -Credentials are identical for all VMs, as follows: -- User name: AzureAdmin -- Password: Microhack2020 -- Domain: micro-hack.local (this is on the ADDC VM only, the other VMs are not joined to this domain yet) - -You may log on to each VM through Bastion. Disable IE Enhanced Security Configuration in Server Manager, open Internet Explorer and access http://localhost. 
You will see a blank page with the VM name in the upper left corner. When logging on to the ADDC VM before it is ready, you will see "Waiting for the Group Policy Client". That is OK, just let it run while you proceed with the lab. -# Scenario 1: Single Region Virtual WAN with Default Routing - -In this scenario you connect in-region VNETs to the pre-deployed Hub, and establish VNET-to-VNET communication. You will then inspect effective routes on the spoke VMs and take a look at the VWAN Default routing table. -## Task 1: Baseline -Connect to spoke-1-vm via Bastion, turn off IE Enhanced Security Configuration in Server Manager, open Internet Explorer and attempt to connect to spoke-2-vm at 172.16.2.4. - -:question: Does it connect? - -Check the routing on spoke-1-vm, as follows: - -In the portal, in the Properties view of the VM Overview blade, click on Networking. Then click on the name of the Network Interface. The NIC overview shows, under Support + troubleshooting click Effective routes. - -Alternatively, in Cloud Shell, issue this command: - -`az network nic show-effective-route-table -g vwan-microhack-spoke-rg -n spoke-1-nic --output table` - -:question: Is there a specific route for spoke-2-vnet (172.16.2.0/24)? - -## Task 2: Connect VNETs -In the portal, navigate to the Virtual WAN named **microhack-vwan** in resource group **vwan-microhack-hub-rg**. - -Click "Virtual network connections" under "Connectivity" and click "+ Add connection" at the top of the page. - -Name your connection **spoke-1-we**, select the hub (microhack-we-hub) and in the Resource group drop down select **vwan-microhack-spoke-rg**. In the Virtual network drop down, select **spoke-1-vnet**. - -Under Routing configuration, select: -- Associate Route Table: Default -- Propagate to Route Tables: Default -- Propgate to labels: default - -Wait for the connection to reach status Succeeded, and do the same for **spoke-2-vnet**. 
-![image](images/vwan-with-connections.png) - -Your Virtual WAN now looks like this: - - -![image](images/scenario1.png) - -:question: Can you now browse from spoke-1-vm to spoke-2-vm and vice versa? - -### :point_right: Spoke routes -Again observe Effective routes for spoke-1-vm. - -:exclamation: Notice it now has a route for spoke-2-vnet (172.16.2.0/24), pointing to a public address. This is the address of the Route Service, deployed into the Hub to enable routing between peered VNETs, branch connections and other Hubs. The fact that this is a public IP address does not present a security risk, it is not reachable from the internet. - -:exclamation: Notice that the routes that enable spoke-to-spoke communication were plumbed into the spoke VNETs automatically. Contrast this with a "classic" hub-and-spoke architecture, where you would need to set up a routing device in the hub VNET and then put UDRs in each of the spokes manually. - -### :point_right: Hub routes -Navigate to the blade for the microhack-we-hub in your Virtual WAN and select Routing under Connectivity. Notice there are two Route tables present now: Default and None. - -Click on Effective Routes. In the drop downs on the next page, select Route Table and Default respectively. This brings up the Default route table. - -:exclamation: Note that routes for the prefixes of both connected VNETs are present, pointing to the respective VNET connections. - -Go back up to the microhack-vwan overview page, and click Virtual network connections under Connectivity. In the table, under Virtual network, click ">" to view the individual VNET connections. - -A Virtual WAN can contain multiple Route tables, and we'll add some in the course of this MicroHack. Each Connection (Hub-to-Spoke VNET, ExpressRoute, S2S (Branch) VPN or P2S (User) VPN) can be *Associated* with a single table and be *Propagating* to multiple tables. - -:exclamation: The Default table has Associated Connections and Propagating Connections. 
Both Spoke VNETs are Associated with and Propagating to the Default table. - -*Associated* means that traffic from the Connections listed is governed by this table, in this case the Default route table. This table decides where traffic sent from the connection to the VWAN Route Service (remember the route entry pointing to the public IP address in the Spoke VM's Effective Routes) goes. - -*Propagating* means that the Connection's destinations are entered into this Routing table: the table learns the Connection's routes. - -The None Route table is also present for each Hub; traffic from Connections Associated with this Route table is dropped. - -# Scenario 2: Add a branch connection - -Now connect a branch site via a BGP-enabled VPN connection and explore the routing between spokes and the branch. The branch site is simulated through a VNET with a VNET Gateway which was deployed through Terraform as part of the Prerequisites. - -## Task 1: Connect a simulated branch site - -In Cloud Shell, in the azure-vwan-microhack directory -- Run the connect-branch shell script: - -`./connect-branch.sh` - -The script contains Azure CLI commands that create following resources: -- A VPN Site named "onprem" in the Virtual WAN -- A BGP-enabled VPN connection from the "onprem" site to the West Europe Hub -- A Local Network Gateway named "lng" to represent the West Europe Hub -- A BGP-enabled VPN connection from the Gateway in "onprem-vnet" to the Local Network Gateway - -After the script completes, it may take a few minutes for the connection to show "Connected" in the portal. - -Your Virtual WAN now looks like this: - -![image](images/scenario2.png) - -## Task 2: Verify connectivity -Connect to onprem-vm via Bastion and turn off IE Enhanced Security Configuration in Server Manager. - -Open Internet Explorer and browse to spoke-1-vm at 172.16.1.4 and spoke-2-vm at 172.16.2.4. - -:question: Does it connect? 
-## Task 3: Inspect routing -### :point_right: BGP routing exchange over VPN -In Cloud Shell, in the azure-vwan-microhack directory, run the branch-routes script: - -`./branch-routes.sh` - -This scripts pulls information on the BGP session from the VNET Gateway vnet-onprem-gw. - -:exclamation: Note that the "routes learned" output contains all routes the Gateway knows: those that are in the same VNET, with "origin" indicating "Network", as well as routes learned from the Virtual WAN Hub via BGP with "origin" indicating "EBgp". - -### :point_right: Branch routes -Now observe Effective Routes for onprem-vm. - - In the portal, in the Properties view of the VM Overview blade, click on Networking. Then click on the name of the Network Interface. The NIC overview shows, under Support + troubleshooting click Effective routes. - - Alternatively, in Cloud Shell, issue this command: - -`az network nic show-effective-route-table -g vwan-microhack-spoke-rg -n onprem-nic --output table` - -:exclamation: Note that routes are present for the Spoke VNETs, pointing to the local VNET VPN Gateway. - -The VNET Gateway learned the routes for the Spoke VNETs via BGP and programmed them into the vm route table automatically, without the need to install UDRs. - -### :point_right: Spoke routes -Observe Effective Routes for spoke-1-vm: - -`az network nic show-effective-route-table -g vwan-microhack-spoke-rg -n spoke-1-nic --output table` - -:exclamation: Notice that spoke-vm-1 now has routes for the IP ranges of the onprem site, 10.0.1.0/24 and 10.0.2.0/24. This site is connected via VPN, and although "Source" and "Next Hop Type" are the same as for peered VNET spoke-2-vnet, the next hop address is different. - -Whereas the next hop for spoke-vnet-2 is the Hub routing engine, the next hop for VPN connection is the VPN Gateway, which has a private IP address from the range assigned to Hub. 
- -The routes for the VPN connection where plumbed into the spoke automatically and there is no need to place User Defined Routes in the spoke VNETs. - -### :point_right: Hub routes -Observe the Effective routes of the Default route table. - -:exclamation: Note that routes for the on-prem site's prefixes are now present, pointing to S2S VPN Gateway. - -Realize that the Route Service itself is not in the data path for branch traffic. The Route Service acts as a route reflector, traffic flows directly between the VM in the spoke and VPN Gateway. - -# Scenario 3: Multi-regional Virtual WAN -We will now expand the Virtual WAN across regions by adding a Hub with Spokes in the US East region. - -A key take away from this scenario is that each hub runs its own routing instance and contains its own routing tables. - -Although tables may be called the same across Hubs, Default for example, it is important to realize that these are independent and there is no "global" routing table spanning the entire VWAN. - -At the end of this scenario, your lab looks like this: - -![image](images/scenario3.png) - -## Task 1: Add a Hub - -In the portal, Select your **microhack-vwan**. Under Connectivity, select Hubs, then +New Hub at the top of the page and complete the Basics dialog as follows: -- Region: East US -- Name: microhack-useast-hub -- Hub private address space: 192.168.1.0/24 - -As this Hub will not contain any gateways, skip the other tabs, click Review + create and then Create. - -Alternatively, in Cloud Shell, issue this command: - -`az network vhub create --address-prefix 192.168.1.0/24 --name microhack-useast-hub --vwan microhack-vwan --resource-group vwan-microhack-hub-rg --location eastus --sku Standard` - - This will take a few minutes to complete. - -## Task 2: Connect VNETs -Connect spoke-3-vnet and spoke-4-vnet to the new Hub. We connected VNETs through the portal in Scenario 1, so to save time we'll do this through a prepared shell script. 
- -In Cloud Shell, enter - -`./connect-us-east-spokes.sh` - -This will take a few minutes to complete. While the script runs, you can see the connections being added in the portal, in your microhack-vwan under Connectivity, Virtual network connections. Wait for both Connections to show status Succeeded, and for the Hub's Routing status to change from Provisioning to Succeeded. - -## Task 3: Verifiy connectivity and inspect routing -Connect to spoke-1-vm via Bastion. Open Internet Explorer, browse to spoke-3-vm at 172.16.3.4 and to spoke-4-vm at 172.16.4.4. - -Do the same from on-prem-vm. - -:question: Do you see the web pages from spoke-3-vm and spoke--4vm? - -:point_right: Spoke routes - -Observe Effective Routes for spoke-1-vm, either in the portal or in Cloud Shell through - -`az network nic show-effective-route-table -g vwan-microhack-spoke-rg -n spoke-1-nic --output table` - -:question: Which routes have been added to spoke-1-vm's route table? - -:question: What is the next hop for the new routes? - -:exclamation: Realize that Virtual WAN installed these routes into the Spoke 1 VNET automatically! - -Now observe Effective Routes for spoke-3-vm, which is in Spoke 3 connected to the US East Hub: - -`az network nic show-effective-route-table -g vwan-microhack-spoke-rg -n spoke-3-nic --output table` - -:exclamation: Note all routes, both for the US East "local" Spoke 4 and "remote" West Europe destinations, have the address of the Route Service in the US East Hub as their next hop. - -Again, realize that Virtual WAN installed these routes in the Spoke VNETs automatically! - -### :point_right: BGP routing exchange over VPN -In Cloud Shell, run the branch-routes script: - -`./branch-routes.sh` - -:question: Compare the AS path of the new routes for Spokes 3 and 4, to the AS path of the routes for Spokes 1 and 2. Why are they different? 
- -:point_right: Hub routes - -Observe Effective Routes of the Default route table on the microhack-we-hub, as you did in Scenario 1. - -:question: Which routes have been added and where do they point? - -:question: What is the meaning of the AS path? - -Then go to Effective Routes of the Default route table on the newly added microhack-eastus-hub. - -:question: Where do the routes for Spoke 1 and Spoke 2 (172.16.(1)(2).0/24) and the Branch (10.0.(1)(2).0/24) point? - -:question: What is their AS path and how does this compare to what you saw on the West Europe hub? - -:point_right: Association and Propagation - -In the portal, in the microhack-vwan blade under Connectivity click Virtual network connections and expand Virtual networks for both Hubs. - -:exclamation: Note that for all 4 connections across both Hubs, under Associated to Route Table it says "defaultRouteTable". - -This means that each connection takes its routing information from the default route table of its *local* hub. This is always the case: the route service in a Hub only programs routing information to its directly connected Spokes. - -:exclamation: Under Propagation to Route Tables, it also says "defaultRouteTable". This means that this connection sends its reachability information (i.e. the prefixes behind it) to its *local* default route table only, but *not* to the other Hub. - -However, we observed that the defaultRouteTable of the West Europe Hub does have routes for the Spokes in US East and vice versa. - -This happens because under Propagating to labels, there is the entry "default". - -Labels are a method of grouping Route Tables across Hubs, so that they do not have to be specified individually. The defaultRouteTables in all Hubs in a VWAN are automatically included in the "default" label, and Propagation to this label is automatically enabled. It is possible to change this after deployment to implement custom routing patterns. 
- -# Scenario 4: Isolated Spokes and Shared Services Spoke -Imagine an IT department that must facilitate DevOps teams. IT operates a number of central services, such as the networks in and between Azure and on-premise, and the Active Directory domain. - -DevOps teams are given their own VNETs in Azure, connected to a central hub that provides connectivity and the domain. The DevOps teams operate independently and their environments must remain isolated from each other. - -This scenario adds a Shared Services Spoke with a Domain Controller, and changes the routing so that the Spokes can only reach the Branch and the Shared Services Spoke, but remain isolated from each other. - -See https://docs.microsoft.com/en-us/azure/virtual-wan/scenario-shared-services-vnet for background. - -At the end of this Scenario your lab, with enabled and disabled traffic flows, looks like this: - -![image](images/scenario4.png) - -## Task 1: Connect Services Spoke - -Run the following in Cloud Shell to connect services-vnet to microhack-we-hub: - -`./connect-services-spoke.sh` - -Wait for the connection to complete and show status Succeeded in the portal. - -## Task 2: Create custom Route Tables - -## :hand: West Europe Hub - -In the microhack-we-hub, under Connectivity select Routing and then +Create route table. Complete the configuration as follows: -- Tab Basics - - Name: RT-Shared-we -- Tab Labels - - Label Name: Shared -- Tab Associations - - In the drop down under Virtual Networks, select both Spokes but do *not* select services-vnet -- Tab Propagations - - Under Branches, at Propagate routes from connections to this route table?, select Yes - - Under Virtual Networks, select services-vnet but do *not* select the Spokes -- Click Create - -The Routing view of the West Europe Hub hub now shows 2 connections associated to the Default table (Shared Service Spoke and Branch), and 4 connections propagating to the Default table (both Spokes, Shared Services and Branch). 
- -The RT-Shared-we table has 2 connections associated (both Spokes), and 2 connections propagating (Shared Services and Branch). - -![image](images/scenario-4-we-routetables.png) - -:exclamation: It may take a few minutes for the changes to complete. If RT-Shared-does not look as expected, edit the table and correct the Associations and Propagations settings per the instructions above. - -Before proceeding, ensure that the routing view of microhack-we-hub look as above, and that microhack-we-hub shows Succeeded for Hub status and Routing status. - -## :hand: US East Hub - -For microhack-useast-hub, under Connectivity select Routing and then +Create route table and complete as follows: -Tab Basics - - Name: RT-Shared-useast -- Tab Labels - - Label Name: Shared -- Tab Associations - - In the drop down under Virtual Networks, select both Spokes. -- Tab Propagations - - Enter *nothing* because: - - We do not want the local Spokes to propagate to this table, as they should not learn each other's routes - - The RT-Shared-useast table must only contain routes to the Shared Services Spoke- and the Branch connections, and it will learn these from the West Europe hub via the inter-hub link - - Click Create - -Routing for the US East Hub shows both Spoke VNET connections propagating to the Default route table, and both are associated with the RT-Shared-useast table. - -![image](images/scenario-4-useast-routetables.png) - -## :handshake: Cross-region - -:exclamation: We must also ensure that the Shared Services VNET connection and the Branch connection, which are connected to the West Europe Hub, *also* propagate to the RT-Shared-useast table. - -For the **Shared Services VNET**, this is configured on the connection, and we will use the Shared label which groups the RT-Shared tables in both hubs. - -In the microhack-vwan view, select Virtual network connections. Expand the connections on microhack-we-hub, click the elipsis at the end of the services-vnet row and select Edit. 
In the Propagate to labels drop-down, select both default and Shared labels, and click Confirm. - -![image](images/scenario-4-edit-shared.png) - -To let the **Branch** route propagate accross to the East US Hub, the Branches setting in the Propagations tab of RT-Shared-we, the Shared table in the **West Europe** hub, must be updated. Edit RT-Shared-we, click the Propgations tab. Under Branches (Site VPN/ExpressRoute/User VPN) ensure both default and Shared are selected. Click Create. - -![image](images/scenario-4-edit-branch.png) - -:beetle: **Bug alert** You may see an error message similar to this: - -"Deployment template validation failed: 'The resource 'Microsoft.Network/vpnGateways/microhack-we-hub-vng/vpnConnections/onprem' at line '183' and column '9' is defined multiple times in a template." - -This is caused by a bug. The work around is to close the portal browser tab, log in to the portal from a fresh tab and redo the operation. - -## Task 3: Verify connectivity - -Clear the browser cache on spoke-1-vm by pressing CRTL+Shift+Del. From spoke-1-vm, try to browse to any of the other Spokes (172.16.2/3/4.4), and the Branch (10.0.1.4). - -:question: Do the web pages of the Spokes and the Branch display? - -Try to ping spoke-addc-vm (172.16.10.4). - -:question: Does ping succeed? - -## Task 4 (Optional): Join Spoke vm to Domain -The Shared Service VNET contains an AD domain controller. - -To demonstrate connectivity from the Spokes to the Shared Services VNET, you can optionally join one or more spoke vm's to the domain. -- Point the DNS in spoke-vnet-1 to spoke-addc-vm, in Cloud Shell: - -`az network vnet update --name spoke-1-vnet --resource-group vwan-microhack-spoke-rg --dns-servers 172.16.10.4` - -- On spoke-1-vm, open a command prompt and enter: - -`ipconfig /renew` - -- On spoke-1-vm, open Server Manager and click Local Server. -- Then click WORKGROUP, click the Change ... 
button, select the Domain radio button under Member of and enter micro-hack.local, click OK. -- Enter credentials - - User name: AzureAdmin - - Password: Microhack2020 - -The machine will now join the domain and will need to be restarted for this change to take effect. - -## Task 5: Inspect routing - -:point_right: Spoke routes - -View Effective Routes for spoke-1-vm, in the portal or in Cloud Shell: - -`az network nic show-effective-route-table -g vwan-microhack-spoke-rg -n spoke-1-nic --output table` - -:question: Identify the routes that you see. Which routes are not there and is that as expected? - -View Effective Routes for spoke-addc-vm: - -`az network nic show-effective-route-table -g vwan-microhack-spoke-rg -n spoke-addc-1-nic --output table` - -:question: Again identify the routes that you see. What is different here from the routes at spoke-vm-1? - -:point_right: Hub routes - -View Effective Routes for the Default table of the West Europe hub: in the portal from microhack-vwan select Hubs, microhack-we-hub, Routing, click Default and View effective routes for this table. - -:question: Are routes for the Spokes (172.16.(1)(2)(3)(4).0/24) present? What does that mean for connections Associated with this table? - -:exclamation: Click Associations and under Current settings (Routing Configuration), note that spoke-1-vnet and spoke-2-vnet are *not* associated with the defaultRouteTable table, but they *are* propagating to defaultRouteTable. - -Go back to the Route Tables view of microhack-we-hub, click RT-Shared-we and then View effective routes for this table. - -:question: Are routes for the Spokes (172.16.(1)(2)(3)(4).0/24) present? - -:question: Are routes for the Shared Services VNET (172.16.10.0/24) and the Branch (10.0.(1)(2).0/24) present? - -:question: As the Spokes are associated with RT-Shared-we, what does this mean for destinations that the Spokes can reach? - -Now view RT-Shared-useast and Default tables for the US East Hub. 
- -:question: what does RT-Shared-useast contain? Why and what does this mean for the Spokes connected to the US East Hub? - -:exclamation: Note that the Default table does not contain routes. The Default route table of the US East Hub does not have any connections Associated with it. It does have connections Propagating into it, so should contain routing information. *Apparently* a route table shows empty when it has no connections Associated, i.e. nothing to consume its routing information. - -# Close out -You have explored VWAN routing to a good level of detail. As Virtual WAN grows and matures, it is important you have a good understanding of this topic to guide and help customers in a variety of use cases. This MicroHack is available for you to use with your teams, your customers and partners to reinforce their understanding. - -Below are optional challenges on network security in Virtual WAN with Network Virtual Appliances and Secured Hubs. Use this content at your own pace to expand your knowledge and skills. If you decide to continue now, skip the clean-up task below and start the optional Scenario 5. - -## Final Task: Delete all resources - -Run this script to delete all resources: - -`./clean-up-after-scenario-4.sh` - -This may take up to 30 minutes to compete. Remember to verify that all resources have indeed been deleted. - -In Cloud Shell, delete the azure-vwan-microhack directory: - -`rm -rf azure-vwan-microhack` - - -# Scenario 5 (Optional): Filter traffic through a Network Virtual Appliance -Virtual WAN today does not support third party NVA firewalls in the Hub. Third party SD-WAN concentrators from Barracuda and Cisco Viptella are now supported, but that capability does not yet exist for firewall products. - -Third party NVA firewalls must therefore be placed in a Spoke, with protected VNETs peered behind. -See https://docs.microsoft.com/en-us/azure/virtual-wan/scenario-route-through-nva for background on this pattern. 
- -This scenario demonstrates how to route traffic through a third party Network Virtual Appliance. We use a single Linux VM with IPTables, with a rule set allowing all traffic. - -At the end of this Scenario your VWAN looks like this: - -![image](images/scenario5.png) - -:exclamation: Note that spoke-1-vnet and spoke-2-vnet are now disconnected from the West Europe Hub, and are peered behind a new Spoke containing the NVA. This nva-vnet is connected to Hub. - -In this scenario we will manipulate routing to direct traffic to and from spoke-1-vnet and spoke-2-vnet through the NVA. Outbound internet traffic from spoke-1-vnet and spoke-2-vnet will also be directed through the NVA, but we will discover that it is not possible to do so for spoke-3-vnet and spoke-4-vnet. - -## Task 1: Prepare the environment -A number of changes must be made to prepare the Virtual WAN for this scenario: -- Reconfigure for Default routing -- Disconnect Spoke 1 and Spoke 2 from the Hub -- Connect the NVA Spoke to the Hub -- Peer Spoke 1 and Spoke 2 with the NVA Spoke - -To implement these changes, run this script in Cloud Shell: - -`./prep-for-scenario-5.sh` - -This will take a few minutes to complete. - -## Task 2: Add User Defined Routes -We must now add UDRs to the subnet vmSubnet in both Spoke 1 and Spoke 2 VNETs, to direct all traffic to the NVA in nva-vnet. - -Run this script in Cloud Shell: - -`./add-udrs-scenario5.sh` - -In the portal, verify that a Route table (UDR) named "default-to-nva" has been created, and is associated subnet vmSubnet in both spoke-1-vnet and spoke-2-vnet. - -All traffic outbound from spoke-1-vm and spoke-2-vm is now directed to the NVA in nva-vnet. - -:exclamation: nva-vnet is already connected to West Europe Hub and has routes programmed by the Route Service, so we do not need to add a UDR manually. 
- -## Task 3: Modify VWAN routing -The Virtual WAN is not aware that Spoke 1 and Spoke 2 are now behind the NVA, so we must update the routing by adding static custom routes for Spoke 1 and Spoke 2 pointing to the NVA. - -:exclamation: Note that a static custom route must be added to the Default route table of *both* the West Europe *and* the US East Hubs. It is not sufficient to only a static route to the West Europe Hub, as this route will not propagate to remote hubs. - -In the portal, go to the Routing blade of microhack-we-hub. Click the Default route table, and in Basics at the bottom, create a custom route: -- Route name: spoke1-via-nva -- Destination type: leave at CIDR -- Destination prefix: 172.16.1.0/24 -- Next hop: select nva-we -- Next Hop IP: now Configure appears, click this and enter 172.16.20.4 under Next Hop IP (this is the IP address of the NVA) - -Create a similar entry for Spoke 2 (172.16.2.0/24). - -Click Review+create and then Create. - -Then go the Routing blade of microhack-useast-hub and do the same. You can skip adding the Next Hop IP as the connection to nva-vnet already has this configuration applied. - -## Task 4: Verify connectivity -:point_right: From "protected" VNETs Spoke 1 and Spoke 2 - -On spoke-1-vm, traceroute and browse to each of the Spokes (172.16.(2)(3)(4).4) and to the Branch (10.0.1.4). - -:question: Do all browser connections succeed, what are the first hop addresses? - -On spoke-1-vm, traceroute and browse to www.bing.com. - -:question: Does the browser connection succeed, what is the first hop address? - -:point_right: From "unprotected" VNETs Spoke 3 and Spoke 4 - -On spoke-3-vm, traceroute and browse to each of the Spokes (172.16.(1)(2)(4).4) and to the Branch (10.0.1.4). - -:question: Do all browser connections succeed, what are the first hop addresses? - -On spoke-3-vm, traceroute and browse to www.bing.com. - -:question: Does the browser connection succeed, what is the first hop address? 
- -## Task 5: Inspect routing - -:point_right: Spoke routes - -We will first look at the routes of one of the tiered Spokes. This is one of the Spokes connected behind the NVA VNET, no longer connected directlty to the Hub. - -View Effective Routes for spoke-1-vm, in the portal or in Cloud Shell: - -`az network nic show-effective-route-table -g vwan-microhack-spoke-rg -n spoke-1-nic --output table` - -:question: Identify the routes that you see. Comparing to Spoke routes we saw in previous scenario's, which routes are not there and is that as expected? Which route is now present and why? - -:exclamation: Realize that VWAN does not have visibility of tiered Spokes and cannot program the routing in the VNET. That is why we had to place UDRs in the tiered Spokes. - -View Effective Routes for spoke-3-vm, in the portal or in Cloud Shell: - -`az network nic show-effective-route-table -g vwan-microhack-spoke-rg -n spoke-1-nic --output table` - -:question: Identify the routes that you see. Comparing to Spoke routes we saw in previous scenario's, is this now different and why (not)?. From the perspective of Spoke 3, has placing Spokes 1 and 2 behind an NVA VNET on the *remote* hub changed its view of the network? - -:point_right: Hub routes - -View Effective Routes for the Default table of the West Europe hub: in the portal from microhack-vwan select Hubs, microhack-we-hub, Routing, click Default and View effective routes for this table. - -:question: Identify the routes for Spokes 1 and 2 (172.16.(1)(2).0/24). Where do they point and how did they get into the table? - -Now view Effective Routes for the Default table of the US East hub. - -:question: Again identify the routes for Spokes 1 and 2 (172.16.(1)(2).0/24). Where do they point and how did they get into the table? - -:exclamation: Note that the routes for the tiered Spokes 1 and 2 in the US East Hub's Default table have the connection to the nva-we VNET listed as next hop. 
This is somewhat confusing, because the nva-we connection exists on the *remote* West Europe Hub! From perspective of the US East Hub, the next hop for these prefixes really is the West Europe Hub's route service. - -:point_right: Outbound internet access - -Traffic outbound to the internet from Spokes 1 and 2 is directed to the NVA, and it goes out via the NVA's public IP address. Verify this by browsing to www.whatismyipaddress.com from spoke-1-vm, check that the ip address reported is the public ip of the NVA shown in the portal. - -It would be ideal if outbound internet from spoke vnets directly connected to the VWAN, such as Spokes 3 and 4, could be forced through the NVA as well. This requires a custom route in the Hub default route tables, for destination prefix 0.0.0.0/0 pointing to the nva-vnet connection. This is not possible today as VWAN does not support the default route as a custom route entry. - -:exclamation: Using a Network Virtual Appliance firewall for outbound internet access from Spokes directly connected to the VWAN is not supported. - -# Scenario 6 (Optional): Secured Hubs - -This final and optional scenario converts the Hubs into Secured Hubs through Azure Firewall Manager. This operation deploys Azure Firewall into the Hubs. - -## Task #1: Restore the Virtual WAN - -To put the VWAN back into "default" state, a number of changes must be made: - -- Disconnect Spoke 1 and Spoke 2 from the the NVA Spoke -- Remove UDRs from Spoke 1 and Spoke 2 -- Remove custom routes -- Disconnect the NVA Spoke to the Hub -- Connect Spoke 1 and Spoke 2 to the West Europe Hub - -To implement these changes, run this script in Cloud Shell: - -`./prep-for-scenario-6.sh` - -This will take a few minutes to complete. - -## Task #2: Convert to Secure Hubs - -We are now ready to convert our Virtual Hubs into Secured Hubs through Azure Firewall Manager. We will create a Firewall Policy in the same flow. 
- -:exclamation: Note that Firewall Manager is a separate top-level Azure service; it is not part of Virtual WAN. If you don't have it bookmarked already, find Firewall Manager using the search bar at the top of the portal. - -In the Firewall Mananger blade, click Azure Firewall Policies and + Create Azure Firewall Policy. - -**Basics** -- Resource group: select vwan-microhack-hub-rg -- Name: microhack-fw-policy -- Region: West Europe - -**Rules** -- Click + Add a rule collection - - Name: default-policy - - Rule collection type: Network - - Priority: 100 - - Action: Allow - - Rules: - - Name: Allow-all - - Source type: IP Address - - Source: * - - Protocol: Any - - Destination Ports: * - - Destination Type: IP Address - - Destination: * - - Click Add - -**Hubs** -- Click +Associate virtual hubs -- Select both your hubs -- Click Add - -**Review+create** - -**Create** - -This deploys Azure Firewall into your Hubs and applies the Allow-all policy to both. This operation will take a few minutes to complete. - -## Task 3: Secure Internet traffic - -Route settings for your Secured Hubs are managed in Firewall Manager. - -In the Firewall Manager blade, click Secured virtual hubs, select microhack-we-hub and then Security configuration. - -In the drop downs under Internet traffic and Private traffic, select Azure Firewall and Send via Azure Firewall and click Save. This sets up Azure Firewall as the security provider, and inserts routes pointing to the Azure Firewall for the prefixes listed as Private traffic prefixes (link next to the drop down. Default this is set to the RFC1918 ranges of 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/24. - -Select all Connections, in the drop down under **Internet traffic** select Azure Firewall and click Save. 
- -:point_right: Spoke routes - -In Cloud Shell, pull up Effective routes of spoke-1-vm: - -`az network nic show-effective-route-table -g vwan-microhack-spoke-rg -n spoke-1-nic --output table` - -:question: where does the default route (0.0.0.0/0) point? - -Display the ip addresses of the he Azure Firewall in the secured hub: - -`az network firewall show -g vwan-microhack-hub-rg -n AzureFirewall_microhack-we-hub --query hubIpAddresses` - -:exclamation: Note that the default route now points to the private (inside) address of the Azure Firewall instance in the secured hub. - -On spoke-1-vm, browse to www.whatismyipaddress.com. - -:exclamation: Note that the outbound ip address is now the public ip address of the Azure Firewall instance. - -## Task 4: Secure Private traffic - -To be added, this is pending service update enabling V-SH-SH-V pattern. - -# Close out -You have explored VWAN routing to a good level of detail. As Virtual WAN grows and matures, it is important you have a good understanding of the subject, to guide and help customers in a variety of use cases. - -This MicroHack is available for you to use with your teams, your customers and partners to reinforce their understanding. - -## Final Task: Delete all resources - -Delete the vwan-microhack-hub-rg and vwan-microhack-spoke-rg resource groups. This may take up to 30 minutes to compete. Check back to verify that all resources have indeed been deleted. 
- -In Cloud Shell, delete the azure-vwan-microhack directory: - -`rm -rf azure-vwan-microhack` +# **Routing in Azure Virtual WAN MicroHack** + +# Contents +[Introduction](#introduction) + +[Objectives](#objectives) + +[Scenario](#scenario) + +[Lab](#lab) + +[Prerequisites](#prerequisites) + +[Scenario 1: Single region Virtual WAN with Default Routing](#scenario-1-single-region-virtual-wan-with-default-routing) + +[Scenario 2: Add a branch connection](#scenario-2-add-a-branch-connection) + +[Scenario 3: Multi-regional Virtual WAN](#scenario-3-multi-regional-virtual-wan) + +[Scenario 4: Isolated Spokes and Shared Services Spoke](#scenario-4-isolated-spokes-and-shared-services-spoke) + +[Scenario 5 (Optional): Filter traffic through a Network Virtual Appliance](#scenario-5-optional-filter-traffic-through-a-network-virtual-appliance) + +[Scenario 6 (Optional): Secured Hubs](#scenario-6-optional-secured-hubs) + +[Close out](#close-out) + +# Introduction +This MicroHack explores some of the advanced routing capabilities recently introduced into Azure Virtual WAN. + +The lab starts with a single Hub with Spoke VNETs and default routing. We then connect a simulated on-premise location via S2S VPN. Then we add another regional Hub with Spokes and observe how routing extends across multiple Hubs. Next we implement custom routing patterns for Shared Services- and Isolated Spokes. + +At the end of the MicroHack, there is optional content on network security in Virtual WAN with Network Virtual Appliances and with Secured Hubs. + +Prior to starting this MicroHack, please familiarize yourself with routing in Virtual WAN by reviewing the documentation at https://docs.microsoft.com/en-us/azure/virtual-wan/virtual-wan-about and https://docs.microsoft.com/en-us/azure/virtual-wan/about-virtual-hub-routing. 
+ +# Objectives +After completing this MicroHack you will: +- Know how to build a hub-and-spoke topology with Virtual WAN +- Understand default routing in Virtual WAN and how this differs from the classic virtual data center hub-and-spoke spoke architecture +- Understand how custom routing works and know how to build some custom routing scenarios + +# Lab + +The lab consists of a Virtual WAN with Hubs in West Europe and US East, 4 Spoke VNETs (2 in West Europe, 1 in US East and 1 US West), a Shared Services VNET in West-Europe and a simulated On-premise location in North Europe. + +Each of the Spoke and On-prem VNETs contains a Virtual Machine running a basic web site. The Shared Services VNET contains an Active Directory Domain Controller. the NVA VNET contains a Linux VM with Iptables. + +An additional VNET containing a Network Virtual Appliance Linux-based firewall is also deployed. This NVA VNET is used in the optional advanced scenario's on network security. + +During the course of the MicroHack you will connect the Spoke and Shared Services VNETs and the On-premise site to Virtual WAN, deploy an additional Virtual WAN Hub, and manipulate and observe routing. + +At the end of the lab your deployment looks like this: + +![image](images/microhack-vwan.png) + + +Although a Branch (site-to-site VPN) connection is part of this MicroHack, it does not cover the integration with products from SDWAN partners. +# Prerequisites +To make the most of your time on this MircoHack, the green elements in the diagram above are deployed and configured for you through Terraform. You will focus on deploying and configuring the blue items using the Azure portal and Cloud Shell. 
+## Task 1: Deploy +Steps: +- Log in to Azure Cloud Shell at https://shell.azure.com/ and select Bash +- Ensure Azure CLI and extensions are up to date: + + `az upgrade --yes` + +- If necessary select your target subscription: + + `az account set --subscription ` + +- Clone the GitHub repository: + + `git clone https://github.com/mddazure/azure-vwan-microhack` + + - Change directory: + + `cd ./azure-vwan-microhack` + - Initialize terraform and download the azurerm resource provider: + + `terraform init` + +- Now start the deployment (when prompted, confirm with **yes** to start the deployment): + + `terraform apply` + +Deployment takes approximately 30 minutes. +## Task 2: Explore and verify + +After the Terraform deployment concludes successfully, the following has been deployed into your subscription: +- A resource group named **vwan-microhack-spoke-rg** containing + - Four Spoke VNETs, each containing a Virtual Machine running a simple web site, and a Bastion Host. + - An Onprem VNET containing a Virtual Machine running a simple web site, a VNET Gateway and a Bastion Host. + - A Services VNET containing and a Virtual Machine configured as an Active Directory Domain Controller, and a Bastion Host. + - An NVA VNET containing a Virtual Machine with Linux (Ubuntu 18.4) and Iptables installed, and a Bastion Host. +- A resource group named **vwan-microhack-hub-rg** containing a Virtual WAN resource with one Hub and one VPN Gateway. You will deploy another Hub into this resource group manually later on. + +Verify these resources are present in the portal. + +Credentials are identical for all VMs, as follows: +- User name: AzureAdmin +- Password: Microhack2020 +- Domain: micro-hack.local (this is on the ADDC VM only, the other VMs are not joined to this domain yet) + +You may log on to each VM through Bastion. Disable IE Enhanced Security Configuration in Server Manager, open Internet Explorer and access http://localhost. 
You will see a blank page with the VM name in the upper left corner. When logging on to the ADDC VM before it is ready, you will see "Waiting for the Group Policy Client". That is OK, just let it run while you proceed with the lab. +# Scenario 1: Single Region Virtual WAN with Default Routing + +In this scenario you connect in-region VNETs to the pre-deployed Hub, and establish VNET-to-VNET communication. You will then inspect effective routes on the spoke VMs and take a look at the VWAN Default routing table. +## Task 1: Baseline +Connect to spoke-1-vm via Bastion, turn off IE Enhanced Security Configuration in Server Manager, open Internet Explorer and attempt to connect to spoke-2-vm at 172.16.2.4. + +:question: Does it connect? + +Check the routing on spoke-1-vm, as follows: + +In the portal, in the Properties view of the VM Overview blade, click on Networking. Then click on the name of the Network Interface. The NIC overview shows, under Support + troubleshooting click Effective routes. + +Alternatively, in Cloud Shell, issue this command: + +`az network nic show-effective-route-table -g vwan-microhack-spoke-rg -n spoke-1-nic --output table` + +:question: Is there a specific route for spoke-2-vnet (172.16.2.0/24)? + +## Task 2: Connect VNETs +In the portal, navigate to the Virtual WAN named **microhack-vwan** in resource group **vwan-microhack-hub-rg**. + +Click "Virtual network connections" under "Connectivity" and click "+ Add connection" at the top of the page. + +Name your connection **spoke-1-we**, select the hub (microhack-we-hub) and in the Resource group drop down select **vwan-microhack-spoke-rg**. In the Virtual network drop down, select **spoke-1-vnet**. + +Under Routing configuration, select: +- Associate Route Table: Default +- Propagate to Route Tables: Default +- Propgate to labels: default + +Wait for the connection to reach status Succeeded, and do the same for **spoke-2-vnet**. 
+![image](images/vwan-with-connections.png) + +Your Virtual WAN now looks like this: + + +![image](images/scenario1.png) + +:question: Can you now browse from spoke-1-vm to spoke-2-vm and vice versa? + +### :point_right: Spoke routes +Again observe Effective routes for spoke-1-vm. + +:exclamation: Notice it now has a route for spoke-2-vnet (172.16.2.0/24), pointing to a public address. This is the address of the Route Service, deployed into the Hub to enable routing between peered VNETs, branch connections and other Hubs. The fact that this is a public IP address does not present a security risk, it is not reachable from the internet. + +:exclamation: Notice that the routes that enable spoke-to-spoke communication were plumbed into the spoke VNETs automatically. Contrast this with a "classic" hub-and-spoke architecture, where you would need to set up a routing device in the hub VNET and then put UDRs in each of the spokes manually. + +### :point_right: Hub routes +Navigate to the blade for the microhack-we-hub in your Virtual WAN and select Routing under Connectivity. Notice there are two Route tables present now: Default and None. + +Click on Effective Routes. In the drop downs on the next page, select Route Table and Default respectively. This brings up the Default route table. + +:exclamation: Note that routes for the prefixes of both connected VNETs are present, pointing to the respective VNET connections. + +Go back up to the microhack-vwan overview page, and click Virtual network connections under Connectivity. In the table, under Virtual network, click ">" to view the individual VNET connections. + +A Virtual WAN can contain multiple Route tables, and we'll add some in the course of this MicroHack. Each Connection (Hub-to-Spoke VNET, ExpressRoute, S2S (Branch) VPN or P2S (User) VPN) can be *Associated* with a single table and be *Propagating* to multiple tables. + +:exclamation: The Default table has Associated Connections and Propagating Connections. 
Both Spoke VNETs are Associated with and Propagating to the Default table. + +*Associated* means that traffic from the Connections listed is governed by this table, in this case the Default route table. This table decides where traffic sent from the connection to the VWAN Route Service (remember the route entry pointing to the public IP address in the Spoke VM's Effective Routes) goes. + +*Propagating* means that the Connection's destinations are entered into this Routing table: the table learns the Connection's routes. + +The None Route table is also present for each Hub; traffic from Connections Associated with this Route table is dropped. + +# Scenario 2: Add a branch connection + +Now connect a branch site via a BGP-enabled VPN connection and explore the routing between spokes and the branch. The branch site is simulated through a VNET with a VNET Gateway which was deployed through Terraform as part of the Prerequisites. + +## Task 1: Connect a simulated branch site + +In Cloud Shell, in the azure-vwan-microhack directory +- Run the connect-branch shell script: + +`./connect-branch.sh` + +The script contains Azure CLI commands that create following resources: +- A VPN Site named "onprem" in the Virtual WAN +- A BGP-enabled VPN connection from the "onprem" site to the West Europe Hub +- A Local Network Gateway named "lng" to represent the West Europe Hub +- A BGP-enabled VPN connection from the Gateway in "onprem-vnet" to the Local Network Gateway + +After the script completes, it may take a few minutes for the connection to show "Connected" in the portal. + +Your Virtual WAN now looks like this: + +![image](images/scenario2.png) + +## Task 2: Verify connectivity +Connect to onprem-vm via Bastion and turn off IE Enhanced Security Configuration in Server Manager. + +Open Internet Explorer and browse to spoke-1-vm at 172.16.1.4 and spoke-2-vm at 172.16.2.4. + +:question: Does it connect? 
+## Task 3: Inspect routing +### :point_right: BGP routing exchange over VPN +In Cloud Shell, in the azure-vwan-microhack directory, run the branch-routes script: + +`./branch-routes.sh` + +This scripts pulls information on the BGP session from the VNET Gateway vnet-onprem-gw. + +:exclamation: Note that the "routes learned" output contains all routes the Gateway knows: those that are in the same VNET, with "origin" indicating "Network", as well as routes learned from the Virtual WAN Hub via BGP with "origin" indicating "EBgp". + +### :point_right: Branch routes +Now observe Effective Routes for onprem-vm. + + In the portal, in the Properties view of the VM Overview blade, click on Networking. Then click on the name of the Network Interface. The NIC overview shows, under Support + troubleshooting click Effective routes. + + Alternatively, in Cloud Shell, issue this command: + +`az network nic show-effective-route-table -g vwan-microhack-spoke-rg -n onprem-nic --output table` + +:exclamation: Note that routes are present for the Spoke VNETs, pointing to the local VNET VPN Gateway. + +The VNET Gateway learned the routes for the Spoke VNETs via BGP and programmed them into the vm route table automatically, without the need to install UDRs. + +### :point_right: Spoke routes +Observe Effective Routes for spoke-1-vm: + +`az network nic show-effective-route-table -g vwan-microhack-spoke-rg -n spoke-1-nic --output table` + +:exclamation: Notice that spoke-vm-1 now has routes for the IP ranges of the onprem site, 10.0.1.0/24 and 10.0.2.0/24. This site is connected via VPN, and although "Source" and "Next Hop Type" are the same as for peered VNET spoke-2-vnet, the next hop address is different. + +Whereas the next hop for spoke-vnet-2 is the Hub routing engine, the next hop for VPN connection is the VPN Gateway, which has a private IP address from the range assigned to Hub. 
+ +The routes for the VPN connection where plumbed into the spoke automatically and there is no need to place User Defined Routes in the spoke VNETs. + +### :point_right: Hub routes +Observe the Effective routes of the Default route table. + +:exclamation: Note that routes for the on-prem site's prefixes are now present, pointing to S2S VPN Gateway. + +Realize that the Route Service itself is not in the data path for branch traffic. The Route Service acts as a route reflector, traffic flows directly between the VM in the spoke and VPN Gateway. + +# Scenario 3: Multi-regional Virtual WAN +We will now expand the Virtual WAN across regions by adding a Hub with Spokes in the US East region. + +A key take away from this scenario is that each hub runs its own routing instance and contains its own routing tables. + +Although tables may be called the same across Hubs, Default for example, it is important to realize that these are independent and there is no "global" routing table spanning the entire VWAN. + +At the end of this scenario, your lab looks like this: + +![image](images/scenario3.png) + +## Task 1: Add a Hub + +In the portal, Select your **microhack-vwan**. Under Connectivity, select Hubs, then +New Hub at the top of the page and complete the Basics dialog as follows: +- Region: East US +- Name: microhack-useast-hub +- Hub private address space: 192.168.1.0/24 + +As this Hub will not contain any gateways, skip the other tabs, click Review + create and then Create. + +Alternatively, in Cloud Shell, issue this command: + +`az network vhub create --address-prefix 192.168.1.0/24 --name microhack-useast-hub --vwan microhack-vwan --resource-group vwan-microhack-hub-rg --location eastus --sku Standard` + + This will take a few minutes to complete. + +## Task 2: Connect VNETs +Connect spoke-3-vnet and spoke-4-vnet to the new Hub. We connected VNETs through the portal in Scenario 1, so to save time we'll do this through a prepared shell script. 
+ +In Cloud Shell, enter + +`./connect-us-east-spokes.sh` + +This will take a few minutes to complete. While the script runs, you can see the connections being added in the portal, in your microhack-vwan under Connectivity, Virtual network connections. Wait for both Connections to show status Succeeded, and for the Hub's Routing status to change from Provisioning to Succeeded. + +## Task 3: Verifiy connectivity and inspect routing +Connect to spoke-1-vm via Bastion. Open Internet Explorer, browse to spoke-3-vm at 172.16.3.4 and to spoke-4-vm at 172.16.4.4. + +Do the same from on-prem-vm. + +:question: Do you see the web pages from spoke-3-vm and spoke--4vm? + +:point_right: Spoke routes + +Observe Effective Routes for spoke-1-vm, either in the portal or in Cloud Shell through + +`az network nic show-effective-route-table -g vwan-microhack-spoke-rg -n spoke-1-nic --output table` + +:question: Which routes have been added to spoke-1-vm's route table? + +:question: What is the next hop for the new routes? + +:exclamation: Realize that Virtual WAN installed these routes into the Spoke 1 VNET automatically! + +Now observe Effective Routes for spoke-3-vm, which is in Spoke 3 connected to the US East Hub: + +`az network nic show-effective-route-table -g vwan-microhack-spoke-rg -n spoke-3-nic --output table` + +:exclamation: Note all routes, both for the US East "local" Spoke 4 and "remote" West Europe destinations, have the address of the Route Service in the US East Hub as their next hop. + +Again, realize that Virtual WAN installed these routes in the Spoke VNETs automatically! + +### :point_right: BGP routing exchange over VPN +In Cloud Shell, run the branch-routes script: + +`./branch-routes.sh` + +:question: Compare the AS path of the new routes for Spokes 3 and 4, to the AS path of the routes for Spokes 1 and 2. Why are they different? 
+ +:point_right: Hub routes + +Observe Effective Routes of the Default route table on the microhack-we-hub, as you did in Scenario 1. + +:question: Which routes have been added and where do they point? + +:question: What is the meaning of the AS path? + +Then go to Effective Routes of the Default route table on the newly added microhack-eastus-hub. + +:question: Where do the routes for Spoke 1 and Spoke 2 (172.16.(1)(2).0/24) and the Branch (10.0.(1)(2).0/24) point? + +:question: What is their AS path and how does this compare to what you saw on the West Europe hub? + +:point_right: Association and Propagation + +In the portal, in the microhack-vwan blade under Connectivity click Virtual network connections and expand Virtual networks for both Hubs. + +:exclamation: Note that for all 4 connections across both Hubs, under Associated to Route Table it says "defaultRouteTable". + +This means that each connection takes its routing information from the default route table of its *local* hub. This is always the case: the route service in a Hub only programs routing information to its directly connected Spokes. + +:exclamation: Under Propagation to Route Tables, it also says "defaultRouteTable". This means that this connection sends its reachability information (i.e. the prefixes behind it) to its *local* default route table only, but *not* to the other Hub. + +However, we observed that the defaultRouteTable of the West Europe Hub does have routes for the Spokes in US East and vice versa. + +This happens because under Propagating to labels, there is the entry "default". + +Labels are a method of grouping Route Tables across Hubs, so that they do not have to be specified individually. The defaultRouteTables in all Hubs in a VWAN are automatically included in the "default" label, and Propagation to this label is automatically enabled. It is possible to change this after deployment to implement custom routing patterns. 
+ +# Scenario 4: Isolated Spokes and Shared Services Spoke +Imagine an IT department that must facilitate DevOps teams. IT operates a number of central services, such as the networks in and between Azure and on-premise, and the Active Directory domain. + +DevOps teams are given their own VNETs in Azure, connected to a central hub that provides connectivity and the domain. The DevOps teams operate independently and their environments must remain isolated from each other. + +This scenario adds a Shared Services Spoke with a Domain Controller, and changes the routing so that the Spokes can only reach the Branch and the Shared Services Spoke, but remain isolated from each other. + +See https://docs.microsoft.com/en-us/azure/virtual-wan/scenario-shared-services-vnet for background. + +At the end of this Scenario your lab, with enabled and disabled traffic flows, looks like this: + +![image](images/scenario4.png) + +## Task 1: Connect Services Spoke + +Run the following in Cloud Shell to connect services-vnet to microhack-we-hub: + +`./connect-services-spoke.sh` + +Wait for the connection to complete and show status Succeeded in the portal. + +## Task 2: Create custom Route Tables + +## :hand: West Europe Hub + +In the microhack-we-hub, under Connectivity select Routing and then +Create route table. Complete the configuration as follows: +- Tab Basics + - Name: RT-Shared-we +- Tab Labels + - Label Name: Shared +- Tab Associations + - In the drop down under Virtual Networks, select both Spokes but do *not* select services-vnet +- Tab Propagations + - Under Branches, at Propagate routes from connections to this route table?, select Yes + - Under Virtual Networks, select services-vnet but do *not* select the Spokes +- Click Create + +The Routing view of the West Europe Hub hub now shows 2 connections associated to the Default table (Shared Service Spoke and Branch), and 4 connections propagating to the Default table (both Spokes, Shared Services and Branch). 
+ +The RT-Shared-we table has 2 connections associated (both Spokes), and 2 connections propagating (Shared Services and Branch). + +![image](images/scenario-4-we-routetables.png) + +:exclamation: It may take a few minutes for the changes to complete. If RT-Shared-does not look as expected, edit the table and correct the Associations and Propagations settings per the instructions above. + +Before proceeding, ensure that the routing view of microhack-we-hub look as above, and that microhack-we-hub shows Succeeded for Hub status and Routing status. + +## :hand: US East Hub + +For microhack-useast-hub, under Connectivity select Routing and then +Create route table and complete as follows: +Tab Basics + - Name: RT-Shared-useast +- Tab Labels + - Label Name: Shared +- Tab Associations + - In the drop down under Virtual Networks, select both Spokes. +- Tab Propagations + - Enter *nothing* because: + - We do not want the local Spokes to propagate to this table, as they should not learn each other's routes + - The RT-Shared-useast table must only contain routes to the Shared Services Spoke- and the Branch connections, and it will learn these from the West Europe hub via the inter-hub link + - Click Create + +Routing for the US East Hub shows both Spoke VNET connections propagating to the Default route table, and both are associated with the RT-Shared-useast table. + +![image](images/scenario-4-useast-routetables.png) + +## :handshake: Cross-region + +:exclamation: We must also ensure that the Shared Services VNET connection and the Branch connection, which are connected to the West Europe Hub, *also* propagate to the RT-Shared-useast table. + +For the **Shared Services VNET**, this is configured on the connection, and we will use the Shared label which groups the RT-Shared tables in both hubs. + +In the microhack-vwan view, select Virtual network connections. Expand the connections on microhack-we-hub, click the elipsis at the end of the services-vnet row and select Edit. 
In the Propagate to labels drop-down, select both default and Shared labels, and click Confirm. + +![image](images/scenario-4-edit-shared.png) + +To let the **Branch** route propagate accross to the East US Hub, the Branches setting in the Propagations tab of RT-Shared-we, the Shared table in the **West Europe** hub, must be updated. Edit RT-Shared-we, click the Propgations tab. Under Branches (Site VPN/ExpressRoute/User VPN) ensure both default and Shared are selected. Click Create. + +![image](images/scenario-4-edit-branch.png) + +:beetle: **Bug alert** You may see an error message similar to this: + +"Deployment template validation failed: 'The resource 'Microsoft.Network/vpnGateways/microhack-we-hub-vng/vpnConnections/onprem' at line '183' and column '9' is defined multiple times in a template." + +This is caused by a bug. The work around is to close the portal browser tab, log in to the portal from a fresh tab and redo the operation. + +## Task 3: Verify connectivity + +Clear the browser cache on spoke-1-vm by pressing CRTL+Shift+Del. From spoke-1-vm, try to browse to any of the other Spokes (172.16.2/3/4.4), and the Branch (10.0.1.4). + +:question: Do the web pages of the Spokes and the Branch display? + +Try to ping spoke-addc-vm (172.16.10.4). + +:question: Does ping succeed? + +## Task 4 (Optional): Join Spoke vm to Domain +The Shared Service VNET contains an AD domain controller. + +To demonstrate connectivity from the Spokes to the Shared Services VNET, you can optionally join one or more spoke vm's to the domain. +- Point the DNS in spoke-vnet-1 to spoke-addc-vm, in Cloud Shell: + +`az network vnet update --name spoke-1-vnet --resource-group vwan-microhack-spoke-rg --dns-servers 172.16.10.4` + +- On spoke-1-vm, open a command prompt and enter: + +`ipconfig /renew` + +- On spoke-1-vm, open Server Manager and click Local Server. +- Then click WORKGROUP, click the Change ... 
button, select the Domain radio button under Member of and enter micro-hack.local, click OK. +- Enter credentials + - User name: AzureAdmin + - Password: Microhack2020 + +The machine will now join the domain and will need to be restarted for this change to take effect. + +## Task 5: Inspect routing + +:point_right: Spoke routes + +View Effective Routes for spoke-1-vm, in the portal or in Cloud Shell: + +`az network nic show-effective-route-table -g vwan-microhack-spoke-rg -n spoke-1-nic --output table` + +:question: Identify the routes that you see. Which routes are not there and is that as expected? + +View Effective Routes for spoke-addc-vm: + +`az network nic show-effective-route-table -g vwan-microhack-spoke-rg -n spoke-addc-1-nic --output table` + +:question: Again identify the routes that you see. What is different here from the routes at spoke-vm-1? + +:point_right: Hub routes + +View Effective Routes for the Default table of the West Europe hub: in the portal from microhack-vwan select Hubs, microhack-we-hub, Routing, click Default and View effective routes for this table. + +:question: Are routes for the Spokes (172.16.(1)(2)(3)(4).0/24) present? What does that mean for connections Associated with this table? + +:exclamation: Click Associations and under Current settings (Routing Configuration), note that spoke-1-vnet and spoke-2-vnet are *not* associated with the defaultRouteTable table, but they *are* propagating to defaultRouteTable. + +Go back to the Route Tables view of microhack-we-hub, click RT-Shared-we and then View effective routes for this table. + +:question: Are routes for the Spokes (172.16.(1)(2)(3)(4).0/24) present? + +:question: Are routes for the Shared Services VNET (172.16.10.0/24) and the Branch (10.0.(1)(2).0/24) present? + +:question: As the Spokes are associated with RT-Shared-we, what does this mean for destinations that the Spokes can reach? + +Now view RT-Shared-useast and Default tables for the US East Hub. 
+ +:question: what does RT-Shared-useast contain? Why and what does this mean for the Spokes connected to the US East Hub? + +:exclamation: Note that the Default table does not contain routes. The Default route table of the US East Hub does not have any connections Associated with it. It does have connections Propagating into it, so should contain routing information. *Apparently* a route table shows empty when it has no connections Associated, i.e. nothing to consume its routing information. + +# Close out +You have explored VWAN routing to a good level of detail. As Virtual WAN grows and matures, it is important you have a good understanding of this topic to guide and help customers in a variety of use cases. This MicroHack is available for you to use with your teams, your customers and partners to reinforce their understanding. + +Below are optional challenges on network security in Virtual WAN with Network Virtual Appliances and Secured Hubs. Use this content at your own pace to expand your knowledge and skills. If you decide to continue now, skip the clean-up task below and start the optional Scenario 5. + +## Final Task: Delete all resources + +Run this script to delete all resources: + +`./clean-up-after-scenario-4.sh` + +This may take up to 30 minutes to compete. Remember to verify that all resources have indeed been deleted. + +In Cloud Shell, delete the azure-vwan-microhack directory: + +`rm -rf azure-vwan-microhack` + + +# Scenario 5 (Optional): Filter traffic through a Network Virtual Appliance +Virtual WAN today does not support third party NVA firewalls in the Hub. Third party SD-WAN concentrators from Barracuda and Cisco Viptella are now supported, but that capability does not yet exist for firewall products. + +Third party NVA firewalls must therefore be placed in a Spoke, with protected VNETs peered behind. +See https://docs.microsoft.com/en-us/azure/virtual-wan/scenario-route-through-nva for background on this pattern. 
+ +This scenario demonstrates how to route traffic through a third party Network Virtual Appliance. We use a single Linux VM with IPTables, with a rule set allowing all traffic. + +At the end of this Scenario your VWAN looks like this: + +![image](images/scenario5.png) + +:exclamation: Note that spoke-1-vnet and spoke-2-vnet are now disconnected from the West Europe Hub, and are peered behind a new Spoke containing the NVA. This nva-vnet is connected to Hub. + +In this scenario we will manipulate routing to direct traffic to and from spoke-1-vnet and spoke-2-vnet through the NVA. Outbound internet traffic from spoke-1-vnet and spoke-2-vnet will also be directed through the NVA, but we will discover that it is not possible to do so for spoke-3-vnet and spoke-4-vnet. + +## Task 1: Prepare the environment +A number of changes must be made to prepare the Virtual WAN for this scenario: +- Reconfigure for Default routing +- Disconnect Spoke 1 and Spoke 2 from the Hub +- Connect the NVA Spoke to the Hub +- Peer Spoke 1 and Spoke 2 with the NVA Spoke + +To implement these changes, run this script in Cloud Shell: + +`./prep-for-scenario-5.sh` + +This will take a few minutes to complete. + +## Task 2: Add User Defined Routes +We must now add UDRs to the subnet vmSubnet in both Spoke 1 and Spoke 2 VNETs, to direct all traffic to the NVA in nva-vnet. + +Run this script in Cloud Shell: + +`./add-udrs-scenario5.sh` + +In the portal, verify that a Route table (UDR) named "default-to-nva" has been created, and is associated subnet vmSubnet in both spoke-1-vnet and spoke-2-vnet. + +All traffic outbound from spoke-1-vm and spoke-2-vm is now directed to the NVA in nva-vnet. + +:exclamation: nva-vnet is already connected to West Europe Hub and has routes programmed by the Route Service, so we do not need to add a UDR manually. 
+ +## Task 3: Modify VWAN routing +The Virtual WAN is not aware that Spoke 1 and Spoke 2 are now behind the NVA, so we must update the routing by adding static custom routes for Spoke 1 and Spoke 2 pointing to the NVA. + +:exclamation: Note that a static custom route must be added to the Default route table of *both* the West Europe *and* the US East Hubs. It is not sufficient to only a static route to the West Europe Hub, as this route will not propagate to remote hubs. + +In the portal, go to the Routing blade of microhack-we-hub. Click the Default route table, and in Basics at the bottom, create a custom route: +- Route name: spoke1-via-nva +- Destination type: leave at CIDR +- Destination prefix: 172.16.1.0/24 +- Next hop: select nva-we +- Next Hop IP: now Configure appears, click this and enter 172.16.20.4 under Next Hop IP (this is the IP address of the NVA) + +Create a similar entry for Spoke 2 (172.16.2.0/24). + +Click Review+create and then Create. + +Then go the Routing blade of microhack-useast-hub and do the same. You can skip adding the Next Hop IP as the connection to nva-vnet already has this configuration applied. + +## Task 4: Verify connectivity +:point_right: From "protected" VNETs Spoke 1 and Spoke 2 + +On spoke-1-vm, traceroute and browse to each of the Spokes (172.16.(2)(3)(4).4) and to the Branch (10.0.1.4). + +:question: Do all browser connections succeed, what are the first hop addresses? + +On spoke-1-vm, traceroute and browse to www.bing.com. + +:question: Does the browser connection succeed, what is the first hop address? + +:point_right: From "unprotected" VNETs Spoke 3 and Spoke 4 + +On spoke-3-vm, traceroute and browse to each of the Spokes (172.16.(1)(2)(4).4) and to the Branch (10.0.1.4). + +:question: Do all browser connections succeed, what are the first hop addresses? + +On spoke-3-vm, traceroute and browse to www.bing.com. + +:question: Does the browser connection succeed, what is the first hop address? 
+ +## Task 5: Inspect routing + +:point_right: Spoke routes + +We will first look at the routes of one of the tiered Spokes. This is one of the Spokes connected behind the NVA VNET, no longer connected directlty to the Hub. + +View Effective Routes for spoke-1-vm, in the portal or in Cloud Shell: + +`az network nic show-effective-route-table -g vwan-microhack-spoke-rg -n spoke-1-nic --output table` + +:question: Identify the routes that you see. Comparing to Spoke routes we saw in previous scenario's, which routes are not there and is that as expected? Which route is now present and why? + +:exclamation: Realize that VWAN does not have visibility of tiered Spokes and cannot program the routing in the VNET. That is why we had to place UDRs in the tiered Spokes. + +View Effective Routes for spoke-3-vm, in the portal or in Cloud Shell: + +`az network nic show-effective-route-table -g vwan-microhack-spoke-rg -n spoke-1-nic --output table` + +:question: Identify the routes that you see. Comparing to Spoke routes we saw in previous scenario's, is this now different and why (not)?. From the perspective of Spoke 3, has placing Spokes 1 and 2 behind an NVA VNET on the *remote* hub changed its view of the network? + +:point_right: Hub routes + +View Effective Routes for the Default table of the West Europe hub: in the portal from microhack-vwan select Hubs, microhack-we-hub, Routing, click Default and View effective routes for this table. + +:question: Identify the routes for Spokes 1 and 2 (172.16.(1)(2).0/24). Where do they point and how did they get into the table? + +Now view Effective Routes for the Default table of the US East hub. + +:question: Again identify the routes for Spokes 1 and 2 (172.16.(1)(2).0/24). Where do they point and how did they get into the table? + +:exclamation: Note that the routes for the tiered Spokes 1 and 2 in the US East Hub's Default table have the connection to the nva-we VNET listed as next hop. 
This is somewhat confusing, because the nva-we connection exists on the *remote* West Europe Hub! From perspective of the US East Hub, the next hop for these prefixes really is the West Europe Hub's route service. + +:point_right: Outbound internet access + +Traffic outbound to the internet from Spokes 1 and 2 is directed to the NVA, and it goes out via the NVA's public IP address. Verify this by browsing to www.whatismyipaddress.com from spoke-1-vm, check that the ip address reported is the public ip of the NVA shown in the portal. + +It would be ideal if outbound internet from spoke vnets directly connected to the VWAN, such as Spokes 3 and 4, could be forced through the NVA as well. This requires a custom route in the Hub default route tables, for destination prefix 0.0.0.0/0 pointing to the nva-vnet connection. This is not possible today as VWAN does not support the default route as a custom route entry. + +:exclamation: Using a Network Virtual Appliance firewall for outbound internet access from Spokes directly connected to the VWAN is not supported. + +# Scenario 6 (Optional): Secured Hubs + +This final and optional scenario converts the Hubs into Secured Hubs through Azure Firewall Manager. This operation deploys Azure Firewall into the Hubs. + +## Task #1: Restore the Virtual WAN + +To put the VWAN back into "default" state, a number of changes must be made: + +- Disconnect Spoke 1 and Spoke 2 from the the NVA Spoke +- Remove UDRs from Spoke 1 and Spoke 2 +- Remove custom routes +- Disconnect the NVA Spoke to the Hub +- Connect Spoke 1 and Spoke 2 to the West Europe Hub + +To implement these changes, run this script in Cloud Shell: + +`./prep-for-scenario-6.sh` + +This will take a few minutes to complete. + +## Task #2: Convert to Secure Hubs + +We are now ready to convert our Virtual Hubs into Secured Hubs through Azure Firewall Manager. We will create a Firewall Policy in the same flow. 
+ +:exclamation: Note that Firewall Manager is a separate top-level Azure service; it is not part of Virtual WAN. If you don't have it bookmarked already, find Firewall Manager using the search bar at the top of the portal. + +In the Firewall Mananger blade, click Azure Firewall Policies and + Create Azure Firewall Policy. + +**Basics** +- Resource group: select vwan-microhack-hub-rg +- Name: microhack-fw-policy +- Region: West Europe + +**Rules** +- Click + Add a rule collection + - Name: default-policy + - Rule collection type: Network + - Priority: 100 + - Action: Allow + - Rules: + - Name: Allow-all + - Source type: IP Address + - Source: * + - Protocol: Any + - Destination Ports: * + - Destination Type: IP Address + - Destination: * + - Click Add + +**Hubs** +- Click +Associate virtual hubs +- Select both your hubs +- Click Add + +**Review+create** + +**Create** + +This deploys Azure Firewall into your Hubs and applies the Allow-all policy to both. This operation will take a few minutes to complete. + +## Task 3: Secure Internet traffic + +Route settings for your Secured Hubs are managed in Firewall Manager. + +In the Firewall Manager blade, click Secured virtual hubs, select microhack-we-hub and then Security configuration. + +In the drop downs under Internet traffic and Private traffic, select Azure Firewall and Send via Azure Firewall and click Save. This sets up Azure Firewall as the security provider, and inserts routes pointing to the Azure Firewall for the prefixes listed as Private traffic prefixes (link next to the drop down. Default this is set to the RFC1918 ranges of 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/24. + +Select all Connections, in the drop down under **Internet traffic** select Azure Firewall and click Save. 
+
+:point_right: Spoke routes
+
+In Cloud Shell, pull up Effective routes of spoke-1-vm:
+
+`az network nic show-effective-route-table -g vwan-microhack-spoke-rg -n spoke-1-nic --output table`
+
+:question: where does the default route (0.0.0.0/0) point?
+
+Display the ip addresses of the he Azure Firewall in the secured hub:
+
+`az network firewall show -g vwan-microhack-hub-rg -n AzureFirewall_microhack-we-hub --query hubIpAddresses`
+
+:exclamation: Note that the default route now points to the private (inside) address of the Azure Firewall instance in the secured hub.
+
+On spoke-1-vm, browse to www.whatismyipaddress.com.
+
+:exclamation: Note that the outbound ip address is now the public ip address of the Azure Firewall instance.
+
+## Task 4: Secure Private traffic
+
+To be added, this is pending service update enabling V-SH-SH-V pattern.
+
+# Close out
+You have explored VWAN routing to a good level of detail. As Virtual WAN grows and matures, it is important you have a good understanding of the subject, to guide and help customers in a variety of use cases.
+
+This MicroHack is available for you to use with your teams, your customers and partners to reinforce their understanding.
+
+## Final Task: Delete all resources
+
+Delete the vwan-microhack-hub-rg and vwan-microhack-spoke-rg resource groups. This may take up to 30 minutes to compete. Check back to verify that all resources have indeed been deleted.
+
+In Cloud Shell, delete the azure-vwan-microhack directory:
+
+`rm -rf azure-vwan-microhack`
diff --git a/add-udrs-scenario5.sh b/add-udrs-scenario5.sh
index f8d45c0..046dd2a 100755
--- a/add-udrs-scenario5.sh
+++ b/add-udrs-scenario5.sh
@@ -1,8 +1,8 @@
-echo "# creating UDR"
-az network route-table create --name default-to-nva --resource-group vwan-microhack-spoke-rg --location westeurope
-echo "# creating default route"
-az network route-table route create --address-prefix 0.0.0.0/0 --name default-route --next-hop-type VirtualAppliance --next-hop-ip-address 172.16.20.4 --resource-group vwan-microhack-spoke-rg --route-table-name default-to-nva
-echo "# associating with vmSubnet in spoke-1-vnet"
-az network vnet subnet update --resource-group vwan-microhack-spoke-rg --name vmSubnet --vnet-name spoke-1-vnet --route-table default-to-nva
-echo "# associating with vmSubnet in spoke-2-vnet"
+echo "# creating UDR"
+az network route-table create --name default-to-nva --resource-group vwan-microhack-spoke-rg --location westeurope
+echo "# creating default route"
+az network route-table route create --address-prefix 0.0.0.0/0 --name default-route --next-hop-type VirtualAppliance --next-hop-ip-address 172.16.20.4 --resource-group vwan-microhack-spoke-rg --route-table-name default-to-nva
+echo "# associating with vmSubnet in spoke-1-vnet"
+az network vnet subnet update --resource-group vwan-microhack-spoke-rg --name vmSubnet --vnet-name spoke-1-vnet --route-table default-to-nva
+echo "# associating with vmSubnet in spoke-2-vnet"
 az network vnet subnet update --resource-group vwan-microhack-spoke-rg --name vmSubnet --vnet-name spoke-2-vnet --route-table default-to-nva
\ No newline at end of file
diff --git a/bastions.tf b/bastions.tf
index 5dfb1d9..72b6a36 100755
--- a/bastions.tf
+++ b/bastions.tf
@@ -1,154 +1,154 @@ -####################################################################### -## Create Bastion spoke-1 -####################################################################### -resource "azurerm_public_ip" "bastion-spoke-1-pubip" { - name = "bastion-spoke-1-pubip" - location = var.location-spoke-1 - resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name - allocation_method = "Static" - sku = "Standard" -} - -resource "azurerm_bastion_host" "bastion-spoke-1" { - name = "bastion-spoke-1" - location = var.location-spoke-1 - resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name - - ip_configuration { - name = "bastion-spoke-1-configuration" - subnet_id = azurerm_subnet.bastion-spoke-1-subnet.id - public_ip_address_id = azurerm_public_ip.bastion-spoke-1-pubip.id - } -} -####################################################################### -## Create Bastion spoke-2 -####################################################################### -resource "azurerm_public_ip" "bastion-spoke-2-pubip" { - name = "bastion-spoke-2-pubip" - location = var.location-spoke-2 - resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name - allocation_method = "Static" - sku = "Standard" -} - -resource "azurerm_bastion_host" "bastion-spoke-2" { - name = "bastion-spoke-2" - location = var.location-spoke-2 - resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name - - ip_configuration { - name = "bastion-spoke-2-configuration" - subnet_id = azurerm_subnet.bastion-spoke-2-subnet.id - public_ip_address_id = azurerm_public_ip.bastion-spoke-2-pubip.id - } -} -####################################################################### -## Create Bastion spoke-3 -####################################################################### -resource "azurerm_public_ip" "bastion-spoke-3-pubip" { - name = "bastion-spoke-3-pubip" - location = var.location-spoke-3 - resource_group_name = 
azurerm_resource_group.vwan-microhack-spoke-rg.name - allocation_method = "Static" - sku = "Standard" -} - -resource "azurerm_bastion_host" "bastion-spoke-3" { - name = "bastion-spoke-3" - location = var.location-spoke-3 - resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name - - ip_configuration { - name = "bastion-spoke-3-configuration" - subnet_id = azurerm_subnet.bastion-spoke-3-subnet.id - public_ip_address_id = azurerm_public_ip.bastion-spoke-3-pubip.id - } -} -####################################################################### -## Create Bastion spoke-4 -####################################################################### -resource "azurerm_public_ip" "bastion-spoke-4-pubip" { - name = "bastion-spoke-4-pubip" - location = var.location-spoke-4 - resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name - allocation_method = "Static" - sku = "Standard" -} - -resource "azurerm_bastion_host" "bastion-spoke-4" { - name = "bastion-spoke-4" - location = var.location-spoke-4 - resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name - - ip_configuration { - name = "bastion-spoke-4-configuration" - subnet_id = azurerm_subnet.bastion-spoke-4-subnet.id - public_ip_address_id = azurerm_public_ip.bastion-spoke-4-pubip.id - } -} -####################################################################### -## Create Bastion onprem -####################################################################### -resource "azurerm_public_ip" "bastion-onprem-pubip" { - name = "bastion-onprem-pubip" - location = var.location-onprem - resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name - allocation_method = "Static" - sku = "Standard" -} - -resource "azurerm_bastion_host" "bastion-onprem" { - name = "bastion-onprem" - location = var.location-onprem - resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name - - ip_configuration { - name = "bastion-onprem-configuration" - subnet_id = 
azurerm_subnet.bastion-onprem-subnet.id - public_ip_address_id = azurerm_public_ip.bastion-onprem-pubip.id - } -} -####################################################################### -## Create Bastion Services -####################################################################### -resource "azurerm_public_ip" "bastion-services-pubip" { - name = "bastion-services-pubip" - location = var.location-spoke-services - resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name - allocation_method = "Static" - sku = "Standard" -} - -resource "azurerm_bastion_host" "bastion-services" { - name = "bastion-services" - location = var.location-spoke-services - resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name - - ip_configuration { - name = "bastion-services-configuration" - subnet_id = azurerm_subnet.bastion-services-subnet.id - public_ip_address_id = azurerm_public_ip.bastion-services-pubip.id - } -} -####################################################################### -## Create Bastion NVA -####################################################################### -resource "azurerm_public_ip" "bastion-nva-pubip" { - name = "bastion-services-nva" - location = var.location-spoke-services - resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name - allocation_method = "Static" - sku = "Standard" -} - -resource "azurerm_bastion_host" "bastion-nva" { - name = "bastion-nva" - location = var.location-spoke-services - resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name - - ip_configuration { - name = "bastion-nva-configuration" - subnet_id = azurerm_subnet.bastion-nva-subnet.id - public_ip_address_id = azurerm_public_ip.bastion-nva-pubip.id - } +####################################################################### +## Create Bastion spoke-1 +####################################################################### +resource "azurerm_public_ip" "bastion-spoke-1-pubip" { + name = 
"bastion-spoke-1-pubip" + location = var.location-spoke-1 + resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name + allocation_method = "Static" + sku = "Standard" +} + +resource "azurerm_bastion_host" "bastion-spoke-1" { + name = "bastion-spoke-1" + location = var.location-spoke-1 + resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name + + ip_configuration { + name = "bastion-spoke-1-configuration" + subnet_id = azurerm_subnet.bastion-spoke-1-subnet.id + public_ip_address_id = azurerm_public_ip.bastion-spoke-1-pubip.id + } +} +####################################################################### +## Create Bastion spoke-2 +####################################################################### +resource "azurerm_public_ip" "bastion-spoke-2-pubip" { + name = "bastion-spoke-2-pubip" + location = var.location-spoke-2 + resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name + allocation_method = "Static" + sku = "Standard" +} + +resource "azurerm_bastion_host" "bastion-spoke-2" { + name = "bastion-spoke-2" + location = var.location-spoke-2 + resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name + + ip_configuration { + name = "bastion-spoke-2-configuration" + subnet_id = azurerm_subnet.bastion-spoke-2-subnet.id + public_ip_address_id = azurerm_public_ip.bastion-spoke-2-pubip.id + } +} +####################################################################### +## Create Bastion spoke-3 +####################################################################### +resource "azurerm_public_ip" "bastion-spoke-3-pubip" { + name = "bastion-spoke-3-pubip" + location = var.location-spoke-3 + resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name + allocation_method = "Static" + sku = "Standard" +} + +resource "azurerm_bastion_host" "bastion-spoke-3" { + name = "bastion-spoke-3" + location = var.location-spoke-3 + resource_group_name = 
azurerm_resource_group.vwan-microhack-spoke-rg.name + + ip_configuration { + name = "bastion-spoke-3-configuration" + subnet_id = azurerm_subnet.bastion-spoke-3-subnet.id + public_ip_address_id = azurerm_public_ip.bastion-spoke-3-pubip.id + } +} +####################################################################### +## Create Bastion spoke-4 +####################################################################### +resource "azurerm_public_ip" "bastion-spoke-4-pubip" { + name = "bastion-spoke-4-pubip" + location = var.location-spoke-4 + resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name + allocation_method = "Static" + sku = "Standard" +} + +resource "azurerm_bastion_host" "bastion-spoke-4" { + name = "bastion-spoke-4" + location = var.location-spoke-4 + resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name + + ip_configuration { + name = "bastion-spoke-4-configuration" + subnet_id = azurerm_subnet.bastion-spoke-4-subnet.id + public_ip_address_id = azurerm_public_ip.bastion-spoke-4-pubip.id + } +} +####################################################################### +## Create Bastion onprem +####################################################################### +resource "azurerm_public_ip" "bastion-onprem-pubip" { + name = "bastion-onprem-pubip" + location = var.location-onprem + resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name + allocation_method = "Static" + sku = "Standard" +} + +resource "azurerm_bastion_host" "bastion-onprem" { + name = "bastion-onprem" + location = var.location-onprem + resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name + + ip_configuration { + name = "bastion-onprem-configuration" + subnet_id = azurerm_subnet.bastion-onprem-subnet.id + public_ip_address_id = azurerm_public_ip.bastion-onprem-pubip.id + } +} +####################################################################### +## Create Bastion Services 
+####################################################################### +resource "azurerm_public_ip" "bastion-services-pubip" { + name = "bastion-services-pubip" + location = var.location-spoke-services + resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name + allocation_method = "Static" + sku = "Standard" +} + +resource "azurerm_bastion_host" "bastion-services" { + name = "bastion-services" + location = var.location-spoke-services + resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name + + ip_configuration { + name = "bastion-services-configuration" + subnet_id = azurerm_subnet.bastion-services-subnet.id + public_ip_address_id = azurerm_public_ip.bastion-services-pubip.id + } +} +####################################################################### +## Create Bastion NVA +####################################################################### +resource "azurerm_public_ip" "bastion-nva-pubip" { + name = "bastion-services-nva" + location = var.location-spoke-services + resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name + allocation_method = "Static" + sku = "Standard" +} + +resource "azurerm_bastion_host" "bastion-nva" { + name = "bastion-nva" + location = var.location-spoke-services + resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name + + ip_configuration { + name = "bastion-nva-configuration" + subnet_id = azurerm_subnet.bastion-nva-subnet.id + public_ip_address_id = azurerm_public_ip.bastion-nva-pubip.id + } } \ No newline at end of file diff --git a/branch-routes.sh b/branch-routes.sh index 5356a32..c99bdba 100755 --- a/branch-routes.sh +++ b/branch-routes.sh 
@@ -1,11 +1,11 @@
-hubgwbgpaddress=$(az network vpn-gateway show --name microhack-we-hub-vng -g vwan-microhack-hub-rg --query "bgpSettings.bgpPeeringAddresses[?ipconfigurationId == 'Instance0'].defaultBgpIpAddresses" --output tsv)
-echo "Hub GW BGP address:" $hubgwbgpaddress
-
-echo "# VNETGW: Verify BGP peer status"
-az network vnet-gateway list-bgp-peer-status -n vnet-gw-onprem -g vwan-microhack-spoke-rg --output table
-
-echo "# VNETGW: Display routes advertised from onprem gw to hub"
-az network vnet-gateway list-advertised-routes -n vnet-gw-onprem -g vwan-microhack-spoke-rg --peer $hubgwbgpaddress --output table
-
-echo "# VNETGW: Display routes learned by onprem gw from hub"
-az network vnet-gateway list-learned-routes -n vnet-gw-onprem -g vwan-microhack-spoke-rg --output table
+hubgwbgpaddress=$(az network vpn-gateway show --name microhack-we-hub-vng -g vwan-microhack-hub-rg --query "bgpSettings.bgpPeeringAddresses[?ipconfigurationId == 'Instance0'].defaultBgpIpAddresses" --output tsv)
+echo "Hub GW BGP address:" $hubgwbgpaddress
+
+echo "# VNETGW: Verify BGP peer status"
+az network vnet-gateway list-bgp-peer-status -n vnet-gw-onprem -g vwan-microhack-spoke-rg --output table
+
+echo "# VNETGW: Display routes advertised from onprem gw to hub"
+az network vnet-gateway list-advertised-routes -n vnet-gw-onprem -g vwan-microhack-spoke-rg --peer $hubgwbgpaddress --output table
+
+echo "# VNETGW: Display routes learned by onprem gw from hub"
+az network vnet-gateway list-learned-routes -n vnet-gw-onprem -g vwan-microhack-spoke-rg --output table
diff --git a/clean-up-after-scenario-4.sh b/clean-up-after-scenario-4.sh
index e145167..21d4982 100755
--- a/clean-up-after-scenario-4.sh
+++ b/clean-up-after-scenario-4.sh
@@ -1,76 +1,76 @@ -spoke1vnetid=$(az network vnet show -g vwan-microhack-spoke-rg -n spoke-1-vnet --query "id" --output tsv) -spoke2vnetid=$(az network vnet show -g vwan-microhack-spoke-rg -n spoke-2-vnet --query "id" --output tsv) -spoke3vnetid=$(az network vnet show -g vwan-microhack-spoke-rg -n spoke-3-vnet --query "id" --output tsv) -spoke4vnetid=$(az network vnet show -g vwan-microhack-spoke-rg -n spoke-4-vnet --query "id" --output tsv) -servicesvnetid=$(az network vnet show -g vwan-microhack-spoke-rg -n services-vnet --query "id" --output tsv) -nvavnetid=$(az network vnet show -g vwan-microhack-spoke-rg -n nva-vnet --query "id" --output tsv) -wedefaultrtid=$(az network vhub route-table show --name defaultRouteTable --resource-group vwan-microhack-hub-rg --vhub-name microhack-we-hub --query id --output tsv) - -echo "Removing associations and propagations from rt-shared-we" - -wesharedrtid=$(az network vhub route-table show --name "RT-Shared-we" --resource-group "vwan-microhack-hub-rg" --vhub-name microhack-we-hub --query id --output tsv) -WERESTEP="https://management.azure.com${wesharedrtid}?api-version=2020-05-01" -az rest --method put --uri "$WERESTEP" --body @emptyrtbody.json -while [[ $(az rest --uri $WERESTEP | jq .properties.provisioningState) != "\"Succeeded\"" ]]; do sleep 15; done -spoke1connection=$(az network vhub connection show -n spoke-1-we -g vwan-microhack-hub-rg --vhub-name microhack-we-hub --query "id" -o tsv) -spoke2connection=$(az network vhub connection show -n spoke-2-we -g vwan-microhack-hub-rg --vhub-name microhack-we-hub --query "id" -o tsv) -servicesvnetconnection=$(az network vhub connection show -n services-we -g vwan-microhack-hub-rg --vhub-name microhack-we-hub --query "id" -o tsv) -WEVNETCONNECTIONSPOKE1="https://management.azure.com${spoke1connection}?api-version=2020-05-01" -WEVNETCONNECTIONSPOKE2="https://management.azure.com${spoke2connection}?api-version=2020-05-01" 
-WEVNETCONNECTIONSERVICES="https://management.azure.com${servicesvnetconnection}?api-version=2020-05-01" -sed "s#spokevnetid#$spoke1vnetid#g" emptyspokeconnection.json | tee emptyspokeconnection-spoke1.json -sed -i "s#wedefaultrtid#$wedefaultrtid#g" emptyspokeconnection-spoke1.json -sed "s#spokevnetid#$spoke2vnetid#g" emptyspokeconnection.json | tee emptyspokeconnection-spoke2.json -sed -i "s#wedefaultrtid#$wedefaultrtid#g" emptyspokeconnection-spoke2.json -sed "s#spokevnetid#$servicesvnetid#g" emptyspokeconnection.json | tee emptyspokeconnection-services.json -sed -i "s#wedefaultrtid#$wedefaultrtid#g" emptyspokeconnection-services.json -az rest --method put --uri $WEVNETCONNECTIONSPOKE1 --body @emptyspokeconnection-spoke1.json -while [[ $(az rest --uri $WEVNETCONNECTIONSPOKE1 | jq .properties.provisioningState) != "\"Succeeded\"" ]]; do sleep 15; done -az rest --method put --uri $WEVNETCONNECTIONSPOKE2 --body @emptyspokeconnection-spoke2.json -while [[ $(az rest --uri $WEVNETCONNECTIONSPOKE2 | jq .properties.provisioningState) != "\"Succeeded\"" ]]; do sleep 15; done -az rest --method put --uri $WEVNETCONNECTIONSERVICES --body @emptyspokeconnection-services.json -while [[ $(az rest --uri $WEVNETCONNECTIONSERVICES | jq .properties.provisioningState) != "\"Succeeded\"" ]]; do sleep 15; done - -echo "Removing associations and propagations from rt-shared-useast" -useastdefaultrtid=$(az network vhub route-table show --name defaultRouteTable --resource-group vwan-microhack-hub-rg --vhub-name microhack-useast-hub --query id --output tsv) -useastsharedrtid=$(az network vhub route-table show --name "rt-shared-useast" --resource-group "vwan-microhack-hub-rg" --vhub-name microhack-useast-hub --query id --output tsv) -USEASTRESTEP="https://management.azure.com${useastsharedrtid}?api-version=2020-05-01" -az rest --method put --uri "$USEASTRESTEP" --body @emptyrtbody.json -while [[ $(az rest --uri $USEASTRESTEP | jq .properties.provisioningState) != "\"Succeeded\"" ]]; do sleep 
15; done -spoke3connection=$(az network vhub connection show -n spoke-3-useast -g vwan-microhack-hub-rg --vhub-name microhack-useast-hub --query "id" -o tsv) -spoke4connection=$(az network vhub connection show -n spoke-4-useast -g vwan-microhack-hub-rg --vhub-name microhack-useast-hub --query "id" -o tsv) -USEASTVNETCONNECTIONSPOKE3="https://management.azure.com${spoke3connection}?api-version=2020-05-01" -USEASTVNETCONNECTIONSPOKE4="https://management.azure.com${spoke4connection}?api-version=2020-05-01" -sed "s#spokevnetid#$spoke3vnetid#g" emptyspokeconnection.json | tee emptyspokeconnection-spoke3.json -sed -i "s#wedefaultrtid#$useastdefaultrtid#g" emptyspokeconnection-spoke3.json -sed "s#spokevnetid#$spoke4vnetid#g" emptyspokeconnection.json | tee emptyspokeconnection-spoke4.json -sed -i "s#wedefaultrtid#$useastdefaultrtid#g" emptyspokeconnection-spoke4.json -az rest --method put --uri $USEASTVNETCONNECTIONSPOKE3 --body @emptyspokeconnection-spoke3.json -while [[ $(az rest --uri $USEASTVNETCONNECTIONSPOKE3 | jq .properties.provisioningState) != "\"Succeeded\"" ]]; do sleep 15; done -az rest --method put --uri $USEASTVNETCONNECTIONSPOKE4 --body @emptyspokeconnection-spoke4.json -while [[ $(az rest --uri $USEASTVNETCONNECTIONSPOKE4 | jq .properties.provisioningState) != "\"Succeeded\"" ]]; do sleep 15; done - - -ONPREMCONNECTIONID=$(az network vpn-gateway list -g vwan-microhack-hub-rg --query [].connections[].id -o tsv) -ONPREMCONNECTIONRESTEP="https://management.azure.com${ONPREMCONNECTIONID}?api-version=2020-05-01" -ONPREMCONNECTIONVPNSITE=$(az network vpn-gateway list -g vwan-microhack-hub-rg --query [].connections[].remoteVpnSite.id -o tsv) -sed "s#wedefaultrtid#$wedefaultrtid#g" onpremconnection.json | tee onpremconnection-values.json -sed -i "s#ONPREMCONNECTIONVPNSITE#$ONPREMCONNECTIONVPNSITE#g" onpremconnection-values.json -az rest --method put --uri $ONPREMCONNECTIONRESTEP --body @onpremconnection-values.json -while [[ $(az rest --uri 
$ONPREMCONNECTIONRESTEP | jq .properties.provisioningState) != "\"Succeeded\"" ]]; do sleep 15; done - -echo "Deleting rt-shared-useast" -az network vhub route-table delete --name rt-shared-useast -g vwan-microhack-hub-rg --vhub-name microhack-useast-hub -echo "Deleting rt-shared-we" -az network vhub route-table delete --name rt-shared-we -g vwan-microhack-hub-rg --vhub-name microhack-we-hub - -echo "Disconnecting Branch" -az network vpn-gateway connection delete --gateway-name microhack-we-hub-vng --name onprem -g vwan-microhack-hub-rg -az network vpn-site delete --name onprem -g vwan-microhack-hub-rg - -echo "Deleting VPN Gateway" -az network vpn-gateway delete --name microhack-we-hub-vng -g vwan-microhack-hub-rg - -echo "Deleting resource groups" -az group delete --resource-group vwan-microhack-hub-rg --no-wait --yes +spoke1vnetid=$(az network vnet show -g vwan-microhack-spoke-rg -n spoke-1-vnet --query "id" --output tsv) +spoke2vnetid=$(az network vnet show -g vwan-microhack-spoke-rg -n spoke-2-vnet --query "id" --output tsv) +spoke3vnetid=$(az network vnet show -g vwan-microhack-spoke-rg -n spoke-3-vnet --query "id" --output tsv) +spoke4vnetid=$(az network vnet show -g vwan-microhack-spoke-rg -n spoke-4-vnet --query "id" --output tsv) +servicesvnetid=$(az network vnet show -g vwan-microhack-spoke-rg -n services-vnet --query "id" --output tsv) +nvavnetid=$(az network vnet show -g vwan-microhack-spoke-rg -n nva-vnet --query "id" --output tsv) +wedefaultrtid=$(az network vhub route-table show --name defaultRouteTable --resource-group vwan-microhack-hub-rg --vhub-name microhack-we-hub --query id --output tsv) + +echo "Removing associations and propagations from rt-shared-we" + +wesharedrtid=$(az network vhub route-table show --name "RT-Shared-we" --resource-group "vwan-microhack-hub-rg" --vhub-name microhack-we-hub --query id --output tsv) +WERESTEP="https://management.azure.com${wesharedrtid}?api-version=2020-05-01" +az rest --method put --uri "$WERESTEP" --body 
@emptyrtbody.json +while [[ $(az rest --uri $WERESTEP | jq .properties.provisioningState) != "\"Succeeded\"" ]]; do sleep 15; done +spoke1connection=$(az network vhub connection show -n spoke-1-we -g vwan-microhack-hub-rg --vhub-name microhack-we-hub --query "id" -o tsv) +spoke2connection=$(az network vhub connection show -n spoke-2-we -g vwan-microhack-hub-rg --vhub-name microhack-we-hub --query "id" -o tsv) +servicesvnetconnection=$(az network vhub connection show -n services-we -g vwan-microhack-hub-rg --vhub-name microhack-we-hub --query "id" -o tsv) +WEVNETCONNECTIONSPOKE1="https://management.azure.com${spoke1connection}?api-version=2020-05-01" +WEVNETCONNECTIONSPOKE2="https://management.azure.com${spoke2connection}?api-version=2020-05-01" +WEVNETCONNECTIONSERVICES="https://management.azure.com${servicesvnetconnection}?api-version=2020-05-01" +sed "s#spokevnetid#$spoke1vnetid#g" emptyspokeconnection.json | tee emptyspokeconnection-spoke1.json +sed -i "s#wedefaultrtid#$wedefaultrtid#g" emptyspokeconnection-spoke1.json +sed "s#spokevnetid#$spoke2vnetid#g" emptyspokeconnection.json | tee emptyspokeconnection-spoke2.json +sed -i "s#wedefaultrtid#$wedefaultrtid#g" emptyspokeconnection-spoke2.json +sed "s#spokevnetid#$servicesvnetid#g" emptyspokeconnection.json | tee emptyspokeconnection-services.json +sed -i "s#wedefaultrtid#$wedefaultrtid#g" emptyspokeconnection-services.json +az rest --method put --uri $WEVNETCONNECTIONSPOKE1 --body @emptyspokeconnection-spoke1.json +while [[ $(az rest --uri $WEVNETCONNECTIONSPOKE1 | jq .properties.provisioningState) != "\"Succeeded\"" ]]; do sleep 15; done +az rest --method put --uri $WEVNETCONNECTIONSPOKE2 --body @emptyspokeconnection-spoke2.json +while [[ $(az rest --uri $WEVNETCONNECTIONSPOKE2 | jq .properties.provisioningState) != "\"Succeeded\"" ]]; do sleep 15; done +az rest --method put --uri $WEVNETCONNECTIONSERVICES --body @emptyspokeconnection-services.json +while [[ $(az rest --uri $WEVNETCONNECTIONSERVICES | jq 
.properties.provisioningState) != "\"Succeeded\"" ]]; do sleep 15; done + +echo "Removing associations and propagations from rt-shared-useast" +useastdefaultrtid=$(az network vhub route-table show --name defaultRouteTable --resource-group vwan-microhack-hub-rg --vhub-name microhack-useast-hub --query id --output tsv) +useastsharedrtid=$(az network vhub route-table show --name "rt-shared-useast" --resource-group "vwan-microhack-hub-rg" --vhub-name microhack-useast-hub --query id --output tsv) +USEASTRESTEP="https://management.azure.com${useastsharedrtid}?api-version=2020-05-01" +az rest --method put --uri "$USEASTRESTEP" --body @emptyrtbody.json +while [[ $(az rest --uri $USEASTRESTEP | jq .properties.provisioningState) != "\"Succeeded\"" ]]; do sleep 15; done +spoke3connection=$(az network vhub connection show -n spoke-3-useast -g vwan-microhack-hub-rg --vhub-name microhack-useast-hub --query "id" -o tsv) +spoke4connection=$(az network vhub connection show -n spoke-4-useast -g vwan-microhack-hub-rg --vhub-name microhack-useast-hub --query "id" -o tsv) +USEASTVNETCONNECTIONSPOKE3="https://management.azure.com${spoke3connection}?api-version=2020-05-01" +USEASTVNETCONNECTIONSPOKE4="https://management.azure.com${spoke4connection}?api-version=2020-05-01" +sed "s#spokevnetid#$spoke3vnetid#g" emptyspokeconnection.json | tee emptyspokeconnection-spoke3.json +sed -i "s#wedefaultrtid#$useastdefaultrtid#g" emptyspokeconnection-spoke3.json +sed "s#spokevnetid#$spoke4vnetid#g" emptyspokeconnection.json | tee emptyspokeconnection-spoke4.json +sed -i "s#wedefaultrtid#$useastdefaultrtid#g" emptyspokeconnection-spoke4.json +az rest --method put --uri $USEASTVNETCONNECTIONSPOKE3 --body @emptyspokeconnection-spoke3.json +while [[ $(az rest --uri $USEASTVNETCONNECTIONSPOKE3 | jq .properties.provisioningState) != "\"Succeeded\"" ]]; do sleep 15; done +az rest --method put --uri $USEASTVNETCONNECTIONSPOKE4 --body @emptyspokeconnection-spoke4.json +while [[ $(az rest --uri 
$USEASTVNETCONNECTIONSPOKE4 | jq .properties.provisioningState) != "\"Succeeded\"" ]]; do sleep 15; done + + +ONPREMCONNECTIONID=$(az network vpn-gateway list -g vwan-microhack-hub-rg --query [].connections[].id -o tsv) +ONPREMCONNECTIONRESTEP="https://management.azure.com${ONPREMCONNECTIONID}?api-version=2020-05-01" +ONPREMCONNECTIONVPNSITE=$(az network vpn-gateway list -g vwan-microhack-hub-rg --query [].connections[].remoteVpnSite.id -o tsv) +sed "s#wedefaultrtid#$wedefaultrtid#g" onpremconnection.json | tee onpremconnection-values.json +sed -i "s#ONPREMCONNECTIONVPNSITE#$ONPREMCONNECTIONVPNSITE#g" onpremconnection-values.json +az rest --method put --uri $ONPREMCONNECTIONRESTEP --body @onpremconnection-values.json +while [[ $(az rest --uri $ONPREMCONNECTIONRESTEP | jq .properties.provisioningState) != "\"Succeeded\"" ]]; do sleep 15; done + +echo "Deleting rt-shared-useast" +az network vhub route-table delete --name rt-shared-useast -g vwan-microhack-hub-rg --vhub-name microhack-useast-hub +echo "Deleting rt-shared-we" +az network vhub route-table delete --name rt-shared-we -g vwan-microhack-hub-rg --vhub-name microhack-we-hub + +echo "Disconnecting Branch" +az network vpn-gateway connection delete --gateway-name microhack-we-hub-vng --name onprem -g vwan-microhack-hub-rg +az network vpn-site delete --name onprem -g vwan-microhack-hub-rg + +echo "Deleting VPN Gateway" +az network vpn-gateway delete --name microhack-we-hub-vng -g vwan-microhack-hub-rg + +echo "Deleting resource groups" +az group delete --resource-group vwan-microhack-hub-rg --no-wait --yes az group delete --resource-group vwan-microhack-spoke-rg --no-wait --yes \ No newline at end of file diff --git a/connect-branch.sh b/connect-branch.sh index 17c566b..98d50ce 100755 --- a/connect-branch.sh +++ b/connect-branch.sh 
@@ -1,32 +1,32 @@ -az extension add --name virtual-wan - -echo "# VNETGW: Get parameters from onprem vnet gateway" -vnetgwtunnelip=$(az network vnet-gateway show -n vnet-gw-onprem -g vwan-microhack-spoke-rg --query "bgpSettings.bgpPeeringAddresses[0].tunnelIpAddresses[0]" --output tsv) -echo "VNET GW Tunnel address:" $vnetgwtunnelip -vnetgwbgpip=$(az network vnet-gateway show -n vnet-gw-onprem -g vwan-microhack-spoke-rg --query "bgpSettings.bgpPeeringAddress" --output tsv) -echo "VNET GW BGP address:" $vnetgwbgpip -vnetgwasn=$(az network vnet-gateway show -n vnet-gw-onprem -g vwan-microhack-spoke-rg --query "bgpSettings.asn" --output tsv) -echo "VNET GW BGP ASN:" $vnetgwasn -sharedkey="m1cr0hack" - -echo "# VWAN: Create remote site" -az network vpn-site create --ip-address $vnetgwtunnelip --name onprem -g vwan-microhack-hub-rg --asn $vnetgwasn --bgp-peering-address $vnetgwbgpip --virtual-wan microhack-vwan --location northeurope --device-model VNETGW --device-vendor Azure --link-speed 100 - -echo "# VWAN: Create connection - remote site to hub gw" -az network vpn-gateway connection create --gateway-name microhack-we-hub-vng --name onprem --remote-vpn-site onprem -g vwan-microhack-hub-rg --shared-key $sharedkey --enable-bgp true --no-wait - -echo "# VWAN: Get parameters from VWAN Hub GW" -hubgwtunneladdress=$(az network vpn-gateway show --name microhack-we-hub-vng -g vwan-microhack-hub-rg --query "bgpSettings.bgpPeeringAddresses[?ipconfigurationId == 'Instance0'].tunnelIpAddresses[0]" --output tsv) -echo "Hub GW Tunnel address:" $hubgwtunneladdress -hubgwbgpaddress=$(az network vpn-gateway show --name microhack-we-hub-vng -g vwan-microhack-hub-rg --query "bgpSettings.bgpPeeringAddresses[?ipconfigurationId == 'Instance0'].defaultBgpIpAddresses" --output tsv) -echo "Hub GW BGP address:" $hubgwbgpaddress -hubgwasn=$(az network vpn-gateway show --name microhack-we-hub-vng -g vwan-microhack-hub-rg --query "bgpSettings.asn" --output tsv) -echo "Hub GW BGP ASN:" $hubgwasn 
-hubgwkey=$(az network vpn-gateway connection show --gateway-name microhack-we-hub-vng --name onprem -g vwan-microhack-hub-rg --query "sharedKey" --output tsv) - -echo "# create local network gateway" -az network local-gateway create -g vwan-microhack-spoke-rg -n lng --gateway-ip-address $hubgwtunneladdress --location westeurope --asn $hubgwasn --bgp-peering-address $hubgwbgpaddress - -echo "# VNET GW: connect from vnet gw to local network gateway" -az network vpn-connection create -n to-we-hub --vnet-gateway1 vnet-gw-onprem -g vwan-microhack-spoke-rg --local-gateway2 lng -l northeurope --shared-key $sharedkey --enable-bgp - +az extension add --name virtual-wan + +echo "# VNETGW: Get parameters from onprem vnet gateway" +vnetgwtunnelip=$(az network vnet-gateway show -n vnet-gw-onprem -g vwan-microhack-spoke-rg --query "bgpSettings.bgpPeeringAddresses[0].tunnelIpAddresses[0]" --output tsv) +echo "VNET GW Tunnel address:" $vnetgwtunnelip +vnetgwbgpip=$(az network vnet-gateway show -n vnet-gw-onprem -g vwan-microhack-spoke-rg --query "bgpSettings.bgpPeeringAddress" --output tsv) +echo "VNET GW BGP address:" $vnetgwbgpip +vnetgwasn=$(az network vnet-gateway show -n vnet-gw-onprem -g vwan-microhack-spoke-rg --query "bgpSettings.asn" --output tsv) +echo "VNET GW BGP ASN:" $vnetgwasn +sharedkey="m1cr0hack" + +echo "# VWAN: Create remote site" +az network vpn-site create --ip-address $vnetgwtunnelip --name onprem -g vwan-microhack-hub-rg --asn $vnetgwasn --bgp-peering-address $vnetgwbgpip --virtual-wan microhack-vwan --location northeurope --device-model VNETGW --device-vendor Azure --link-speed 100 + +echo "# VWAN: Create connection - remote site to hub gw" +az network vpn-gateway connection create --gateway-name microhack-we-hub-vng --name onprem --remote-vpn-site onprem -g vwan-microhack-hub-rg --shared-key $sharedkey --enable-bgp true --no-wait + +echo "# VWAN: Get parameters from VWAN Hub GW" +hubgwtunneladdress=$(az network vpn-gateway show --name 
microhack-we-hub-vng -g vwan-microhack-hub-rg --query "bgpSettings.bgpPeeringAddresses[?ipconfigurationId == 'Instance0'].tunnelIpAddresses[0]" --output tsv) +echo "Hub GW Tunnel address:" $hubgwtunneladdress +hubgwbgpaddress=$(az network vpn-gateway show --name microhack-we-hub-vng -g vwan-microhack-hub-rg --query "bgpSettings.bgpPeeringAddresses[?ipconfigurationId == 'Instance0'].defaultBgpIpAddresses" --output tsv) +echo "Hub GW BGP address:" $hubgwbgpaddress +hubgwasn=$(az network vpn-gateway show --name microhack-we-hub-vng -g vwan-microhack-hub-rg --query "bgpSettings.asn" --output tsv) +echo "Hub GW BGP ASN:" $hubgwasn +hubgwkey=$(az network vpn-gateway connection show --gateway-name microhack-we-hub-vng --name onprem -g vwan-microhack-hub-rg --query "sharedKey" --output tsv) + +echo "# create local network gateway" +az network local-gateway create -g vwan-microhack-spoke-rg -n lng --gateway-ip-address $hubgwtunneladdress --location westeurope --asn $hubgwasn --bgp-peering-address $hubgwbgpaddress + +echo "# VNET GW: connect from vnet gw to local network gateway" +az network vpn-connection create -n to-we-hub --vnet-gateway1 vnet-gw-onprem -g vwan-microhack-spoke-rg --local-gateway2 lng -l northeurope --shared-key $sharedkey --enable-bgp + diff --git a/connect-services-spoke.sh b/connect-services-spoke.sh index a80e619..e3e776d 100755 --- a/connect-services-spoke.sh +++ b/connect-services-spoke.sh @@ -1,2 +1,2 @@ -servicesid=$(az network vnet show -g vwan-microhack-spoke-rg --name services-vnet --query "id" --output tsv) +servicesid=$(az network vnet show -g vwan-microhack-spoke-rg --name services-vnet --query "id" --output tsv) az network vhub connection create --name services-we --resource-group vwan-microhack-hub-rg --vhub-name microhack-we-hub --remote-vnet $servicesid --labels default \ No newline at end of file diff --git a/connect-us-east-spokes.sh b/connect-us-east-spokes.sh index 0da6bf1..5fe8f44 100755 --- a/connect-us-east-spokes.sh 
+++ b/connect-us-east-spokes.sh
@@ -1,4 +1,4 @@
-spoke3id=$(az network vnet show -g vwan-microhack-spoke-rg --name spoke-3-vnet --query "id" --output tsv)
-spoke4id=$(az network vnet show -g vwan-microhack-spoke-rg --name spoke-4-vnet --query "id" --output tsv)
-az network vhub connection create --name spoke-3-useast --resource-group vwan-microhack-hub-rg --vhub-name microhack-useast-hub --remote-vnet $spoke3id --labels default
-az network vhub connection create --name spoke-4-useast --resource-group vwan-microhack-hub-rg --vhub-name microhack-useast-hub --remote-vnet $spoke4id --labels default
+spoke3id=$(az network vnet show -g vwan-microhack-spoke-rg --name spoke-3-vnet --query "id" --output tsv)
+spoke4id=$(az network vnet show -g vwan-microhack-spoke-rg --name spoke-4-vnet --query "id" --output tsv)
+az network vhub connection create --name spoke-3-useast --resource-group vwan-microhack-hub-rg --vhub-name microhack-useast-hub --remote-vnet $spoke3id --labels default
+az network vhub connection create --name spoke-4-useast --resource-group vwan-microhack-hub-rg --vhub-name microhack-useast-hub --remote-vnet $spoke4id --labels default
diff --git a/emptyrtbody.json b/emptyrtbody.json
index 009a89f..90f562e 100644
--- a/emptyrtbody.json
+++ b/emptyrtbody.json
@@ -1,6 +1,6 @@
-{
- "properties": {
- "labels": [],
- "routes": []
- }
+{
+ "properties": {
+ "labels": [],
+ "routes": []
+ }
 }
\ No newline at end of file
diff --git a/emptyspokeconnection.json b/emptyspokeconnection.json
index 0de38a3..c16c0e7 100644
--- a/emptyspokeconnection.json
+++ b/emptyspokeconnection.json
@@ -1,20 +1,20 @@
-{
- "properties": {
- "allowHubToRemoteVnetTransit": true,
- "allowRemoteVnetToUseHubVnetGateways": true,
- "enableInternetSecurity": false,
- "remoteVirtualNetwork": {
- "id": "spokevnetid",
- "resourceGroup": "vwan-microhack-spoke-rg"
- },
- "routingConfiguration": {
- "associatedRouteTable": {
- "id": "wedefaultrtid"
- },
- "propagatedRouteTables": {},
- "vnetRoutes": {
- "staticRoutes": []
- }
- }
- }
+{
+ "properties": {
+ "allowHubToRemoteVnetTransit": true,
+ "allowRemoteVnetToUseHubVnetGateways": true,
+ "enableInternetSecurity": false,
+ "remoteVirtualNetwork": {
+ "id": "spokevnetid",
+ "resourceGroup": "vwan-microhack-spoke-rg"
+ },
+ "routingConfiguration": {
+ "associatedRouteTable": {
+ "id": "wedefaultrtid"
+ },
+ "propagatedRouteTables": {},
+ "vnetRoutes": {
+ "staticRoutes": []
+ }
+ }
+ }
 }
\ No newline at end of file
diff --git a/enable-routing-nva.sh b/enable-routing-nva.sh
index d243bb9..5052f02 100644
--- a/enable-routing-nva.sh
+++ b/enable-routing-nva.sh
@@ -1,4 +1,4 @@
-sudo chmod 777 /etc/sysctl.conf
-echo "net.ipv4.ip_forward = 1" > /etc/sysctl.conf
-sudo sysctl -p /etc/sysctl.conf
+sudo chmod 777 /etc/sysctl.conf
+echo "net.ipv4.ip_forward = 1" > /etc/sysctl.conf
+sudo sysctl -p /etc/sysctl.conf
 sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
\ No newline at end of file
diff --git a/main.tf b/main.tf
index 06c33fc..307b993 100644
--- a/main.tf
+++ b/main.tf
@@ -1,26 +1,26 @@
-provider "azurerm" {
- features {}
-}
-#######################################################################
-## Create Resource Group
-#######################################################################
-
-resource "azurerm_resource_group" "vwan-microhack-spoke-rg" {
- name = "vwan-microhack-spoke-rg"
- location = var.location-spoke-1
- tags = {
- environment = "spoke"
- deployment = "terraform"
- microhack = "vwan"
- }
-}
-
-resource "azurerm_resource_group" "vwan-microhack-hub-rg" {
- name = "vwan-microhack-hub-rg"
- location = var.location-vwan
- tags = {
- environment = "hub"
- deployment = "terraform"
- microhack = "vwan"
- }
-}
+provider "azurerm" {
+ features {}
+}
+#######################################################################
+## Create Resource Group
+#######################################################################
+
+resource "azurerm_resource_group" "vwan-microhack-spoke-rg" {
+ name = "vwan-microhack-spoke-rg"
+ location = var.location-spoke-1
+ tags = {
+ environment = "spoke"
+ deployment = "terraform"
+ microhack = "vwan"
+ }
+}
+
+resource "azurerm_resource_group" "vwan-microhack-hub-rg" {
+ name = "vwan-microhack-hub-rg"
+ location = var.location-vwan
+ tags = {
+ environment = "hub"
+ deployment = "terraform"
+ microhack = "vwan"
+ }
+}
diff --git a/onpremconnection.json b/onpremconnection.json
index 2d98d6c..dc4ff86 100644
--- a/onpremconnection.json
+++ b/onpremconnection.json
@@ -1,35 +1,35 @@
-{
- "properties": {
- "remoteVpnSite": {
- "id": "ONPREMCONNECTIONVPNSITE"
- },
- "routingConfiguration": {
- "associatedRouteTable": {
- "id": "wedefaultrtid"
- },
- "propagatedRouteTables": {
- "ids": [
- {
- "id": "wedefaultrtid"
- }
- ],
- "labels": [
- "default"
- ]
- },
- "vnetRoutes": {
- "staticRoutes": []
- }
- },
- "connectionBandwidth": 10,
- "enableBgp": true,
- "enableInternetSecurity": false,
- "enableRateLimiting": false,
- "ipsecPolicies": [],
- "routingWeight": 0,
- "sharedKey": "m1cr0hack",
- "useLocalAzureIpAddress": false,
- "usePolicyBasedTrafficSelectors": false,
- "vpnConnectionProtocolType": "IKEv2"
- }
+{
+ "properties": {
+ "remoteVpnSite": {
+ "id": "ONPREMCONNECTIONVPNSITE"
+ },
+ "routingConfiguration": {
+ "associatedRouteTable": {
+ "id": "wedefaultrtid"
+ },
+ "propagatedRouteTables": {
+ "ids": [
+ {
+ "id": "wedefaultrtid"
+ }
+ ],
+ "labels": [
+ "default"
+ ]
+ },
+ "vnetRoutes": {
+ "staticRoutes": []
+ }
+ },
+ "connectionBandwidth": 10,
+ "enableBgp": true,
+ "enableInternetSecurity": false,
+ "enableRateLimiting": false,
+ "ipsecPolicies": [],
+ "routingWeight": 0,
+ "sharedKey": "m1cr0hack",
+ "useLocalAzureIpAddress": false,
+ "usePolicyBasedTrafficSelectors": false,
+ "vpnConnectionProtocolType": "IKEv2"
+ }
 }
\ No newline at end of file
diff --git a/prep-for-scenario-5.sh b/prep-for-scenario-5.sh
index 10144e9..e14a9cb 100755
--- a/prep-for-scenario-5.sh
+++ b/prep-for-scenario-5.sh
@@ -1,85 +1,85 @@
-spoke1vnetid=$(az network vnet show -g vwan-microhack-spoke-rg -n spoke-1-vnet --query "id" --output tsv)
-spoke2vnetid=$(az network vnet show -g vwan-microhack-spoke-rg -n spoke-2-vnet --query "id" --output tsv)
-spoke3vnetid=$(az network vnet show -g vwan-microhack-spoke-rg -n spoke-3-vnet --query "id" --output tsv)
-spoke4vnetid=$(az network vnet show -g vwan-microhack-spoke-rg -n spoke-4-vnet --query "id" --output tsv)
-servicesvnetid=$(az network vnet show -g vwan-microhack-spoke-rg -n services-vnet --query "id" --output tsv)
-nvavnetid=$(az network vnet show -g vwan-microhack-spoke-rg -n nva-vnet --query "id" --output tsv)
-wedefaultrtid=$(az network vhub route-table show --name defaultRouteTable --resource-group vwan-microhack-hub-rg --vhub-name microhack-we-hub --query id --output tsv)
-
-echo "Removing associations and propagations from rt-shared-we"
-
-wesharedrtid=$(az network vhub route-table show --name "RT-Shared-we" --resource-group "vwan-microhack-hub-rg" --vhub-name microhack-we-hub --query id --output tsv)
-WERESTEP="https://management.azure.com${wesharedrtid}?api-version=2020-05-01"
-az rest --method put --uri "$WERESTEP" --body @emptyrtbody.json
-while [[ $(az rest --uri $WERESTEP | jq .properties.provisioningState) != "\"Succeeded\"" ]]; do sleep 30; done
-spoke1connection=$(az network vhub connection show -n spoke-1-we -g vwan-microhack-hub-rg --vhub-name microhack-we-hub --query "id" -o tsv)
-spoke2connection=$(az network vhub connection show -n spoke-2-we -g vwan-microhack-hub-rg --vhub-name microhack-we-hub --query "id" -o tsv)
-servicesvnetconnection=$(az network vhub connection show -n services-we -g vwan-microhack-hub-rg --vhub-name microhack-we-hub --query "id" -o tsv)
-WEVNETCONNECTIONSPOKE1="https://management.azure.com${spoke1connection}?api-version=2020-05-01"
-WEVNETCONNECTIONSPOKE2="https://management.azure.com${spoke2connection}?api-version=2020-05-01"
-WEVNETCONNECTIONSERVICES="https://management.azure.com${servicesvnetconnection}?api-version=2020-05-01"
-sed "s#spokevnetid#$spoke1vnetid#g" emptyspokeconnection.json | tee emptyspokeconnection-spoke1.json
-sed -i "s#wedefaultrtid#$wedefaultrtid#g" emptyspokeconnection-spoke1.json
-sed "s#spokevnetid#$spoke2vnetid#g" emptyspokeconnection.json | tee emptyspokeconnection-spoke2.json
-sed -i "s#wedefaultrtid#$wedefaultrtid#g" emptyspokeconnection-spoke2.json
-sed "s#spokevnetid#$servicesvnetid#g" emptyspokeconnection.json | tee emptyspokeconnection-services.json
-sed -i "s#wedefaultrtid#$wedefaultrtid#g" emptyspokeconnection-services.json
-az rest --method put --uri $WEVNETCONNECTIONSPOKE1 --body @emptyspokeconnection-spoke1.json
-while [[ $(az rest --uri $WEVNETCONNECTIONSPOKE1 | jq .properties.provisioningState) != "\"Succeeded\"" ]]; do sleep 30; done
-az rest --method put --uri $WEVNETCONNECTIONSPOKE2 --body @emptyspokeconnection-spoke2.json
-while [[ $(az rest --uri $WEVNETCONNECTIONSPOKE2 | jq .properties.provisioningState) != "\"Succeeded\"" ]]; do sleep 30; done
-az rest --method put --uri $WEVNETCONNECTIONSERVICES --body @emptyspokeconnection-services.json
-while [[ $(az rest --uri $WEVNETCONNECTIONSERVICES | jq .properties.provisioningState) != "\"Succeeded\"" ]]; do sleep 30; done
-
-
-
-echo "# removing connection spoke-1-we"
-az network vhub connection delete -n spoke-1-we -g vwan-microhack-hub-rg --vhub-name microhack-we-hub --yes
-echo "# removing connection spoke-2-we"
-az network vhub connection delete -n spoke-2-we -g vwan-microhack-hub-rg --vhub-name microhack-we-hub --yes
-
-
-
-echo "Removing associations and propagations from rt-shared-useast"
-useastdefaultrtid=$(az network vhub route-table show --name defaultRouteTable --resource-group vwan-microhack-hub-rg --vhub-name microhack-useast-hub --query id --output tsv)
-useastsharedrtid=$(az network vhub route-table show --name "rt-shared-useast" --resource-group "vwan-microhack-hub-rg" --vhub-name 
microhack-useast-hub --query id --output tsv)
-USEASTRESTEP="https://management.azure.com${useastsharedrtid}?api-version=2020-05-01"
-az rest --method put --uri "$USEASTRESTEP" --body @emptyrtbody.json
-while [[ $(az rest --uri $USEASTRESTEP | jq .properties.provisioningState) != "\"Succeeded\"" ]]; do sleep 30; done
-spoke3connection=$(az network vhub connection show -n spoke-3-useast -g vwan-microhack-hub-rg --vhub-name microhack-useast-hub --query "id" -o tsv)
-spoke4connection=$(az network vhub connection show -n spoke-4-useast -g vwan-microhack-hub-rg --vhub-name microhack-useast-hub --query "id" -o tsv)
-USEASTVNETCONNECTIONSPOKE3="https://management.azure.com${spoke3connection}?api-version=2020-05-01"
-USEASTVNETCONNECTIONSPOKE4="https://management.azure.com${spoke4connection}?api-version=2020-05-01"
-sed "s#spokevnetid#$spoke3vnetid#g" emptyspokeconnection.json | tee emptyspokeconnection-spoke3.json
-sed -i "s#wedefaultrtid#$useastdefaultrtid#g" emptyspokeconnection-spoke3.json
-sed "s#spokevnetid#$spoke4vnetid#g" emptyspokeconnection.json | tee emptyspokeconnection-spoke4.json
-sed -i "s#wedefaultrtid#$useastdefaultrtid#g" emptyspokeconnection-spoke4.json
-az rest --method put --uri $USEASTVNETCONNECTIONSPOKE3 --body @emptyspokeconnection-spoke3.json
-while [[ $(az rest --uri $USEASTVNETCONNECTIONSPOKE3 | jq .properties.provisioningState) != "\"Succeeded\"" ]]; do sleep 30; done
-az rest --method put --uri $USEASTVNETCONNECTIONSPOKE4 --body @emptyspokeconnection-spoke4.json
-while [[ $(az rest --uri $USEASTVNETCONNECTIONSPOKE4 | jq .properties.provisioningState) != "\"Succeeded\"" ]]; do sleep 30; done
-
-
-ONPREMCONNECTIONID=$(az network vpn-gateway list -g vwan-microhack-hub-rg --query [].connections[].id -o tsv)
-ONPREMCONNECTIONRESTEP="https://management.azure.com${ONPREMCONNECTIONID}?api-version=2020-05-01"
-ONPREMCONNECTIONVPNSITE=$(az network vpn-gateway list -g vwan-microhack-hub-rg --query [].connections[].remoteVpnSite.id -o tsv)
-sed 
"s#wedefaultrtid#$wedefaultrtid#g" onpremconnection.json | tee onpremconnection-values.json
-sed -i "s#ONPREMCONNECTIONVPNSITE#$ONPREMCONNECTIONVPNSITE#g" onpremconnection-values.json
-az rest --method put --uri $ONPREMCONNECTIONRESTEP --body @onpremconnection-values.json
-while [[ $(az rest --uri $ONPREMCONNECTIONRESTEP | jq .properties.provisioningState) != "\"Succeeded\"" ]]; do sleep 30; done
-
-
-echo "Deleting rt-shared-useast"
-az network vhub route-table delete --name rt-shared-useast -g vwan-microhack-hub-rg --vhub-name microhack-useast-hub
-echo "Deleting rt-shared-we"
-az network vhub route-table delete --name rt-shared-we -g vwan-microhack-hub-rg --vhub-name microhack-we-hub
-
-echo "# connecting nva-vnet"
-az network vhub connection create -n nva-we -g vwan-microhack-hub-rg --vhub-name microhack-we-hub --remote-vnet $nvavnetid --no-wait
-
-echo "# peering spoke-1-vnet to nva-vnet"
-az network vnet peering create --name spoke1-to-nva --resource-group vwan-microhack-spoke-rg --vnet-name spoke-1-vnet --remote-vnet nva-vnet --allow-vnet-access --allow-forwarded-traffic
-az network vnet peering create --name nva-to-spoke1 --resource-group vwan-microhack-spoke-rg --vnet-name nva-vnet --remote-vnet spoke-1-vnet --allow-vnet-access --allow-forwarded-traffic
-echo "# peering spoke-2-vnet to nva-vnet"
-az network vnet peering create --name spoke2-to-nva --resource-group vwan-microhack-spoke-rg --vnet-name spoke-2-vnet --remote-vnet nva-vnet --allow-vnet-access --allow-forwarded-traffic
-az network vnet peering create --name nva-to-spoke2 --resource-group vwan-microhack-spoke-rg --vnet-name nva-vnet --remote-vnet spoke-2-vnet --allow-vnet-access --allow-forwarded-traffic
+spoke1vnetid=$(az network vnet show -g vwan-microhack-spoke-rg -n spoke-1-vnet --query "id" --output tsv)
+spoke2vnetid=$(az network vnet show -g vwan-microhack-spoke-rg -n spoke-2-vnet --query "id" --output tsv)
+spoke3vnetid=$(az network vnet show -g vwan-microhack-spoke-rg -n spoke-3-vnet 
--query "id" --output tsv)
+spoke4vnetid=$(az network vnet show -g vwan-microhack-spoke-rg -n spoke-4-vnet --query "id" --output tsv)
+servicesvnetid=$(az network vnet show -g vwan-microhack-spoke-rg -n services-vnet --query "id" --output tsv)
+nvavnetid=$(az network vnet show -g vwan-microhack-spoke-rg -n nva-vnet --query "id" --output tsv)
+wedefaultrtid=$(az network vhub route-table show --name defaultRouteTable --resource-group vwan-microhack-hub-rg --vhub-name microhack-we-hub --query id --output tsv)
+
+echo "Removing associations and propagations from rt-shared-we"
+
+wesharedrtid=$(az network vhub route-table show --name "RT-Shared-we" --resource-group "vwan-microhack-hub-rg" --vhub-name microhack-we-hub --query id --output tsv)
+WERESTEP="https://management.azure.com${wesharedrtid}?api-version=2020-05-01"
+az rest --method put --uri "$WERESTEP" --body @emptyrtbody.json
+while [[ $(az rest --uri $WERESTEP | jq .properties.provisioningState) != "\"Succeeded\"" ]]; do sleep 30; done
+spoke1connection=$(az network vhub connection show -n spoke-1-we -g vwan-microhack-hub-rg --vhub-name microhack-we-hub --query "id" -o tsv)
+spoke2connection=$(az network vhub connection show -n spoke-2-we -g vwan-microhack-hub-rg --vhub-name microhack-we-hub --query "id" -o tsv)
+servicesvnetconnection=$(az network vhub connection show -n services-we -g vwan-microhack-hub-rg --vhub-name microhack-we-hub --query "id" -o tsv)
+WEVNETCONNECTIONSPOKE1="https://management.azure.com${spoke1connection}?api-version=2020-05-01"
+WEVNETCONNECTIONSPOKE2="https://management.azure.com${spoke2connection}?api-version=2020-05-01"
+WEVNETCONNECTIONSERVICES="https://management.azure.com${servicesvnetconnection}?api-version=2020-05-01"
+sed "s#spokevnetid#$spoke1vnetid#g" emptyspokeconnection.json | tee emptyspokeconnection-spoke1.json
+sed -i "s#wedefaultrtid#$wedefaultrtid#g" emptyspokeconnection-spoke1.json
+sed "s#spokevnetid#$spoke2vnetid#g" emptyspokeconnection.json | tee 
emptyspokeconnection-spoke2.json
+sed -i "s#wedefaultrtid#$wedefaultrtid#g" emptyspokeconnection-spoke2.json
+sed "s#spokevnetid#$servicesvnetid#g" emptyspokeconnection.json | tee emptyspokeconnection-services.json
+sed -i "s#wedefaultrtid#$wedefaultrtid#g" emptyspokeconnection-services.json
+az rest --method put --uri $WEVNETCONNECTIONSPOKE1 --body @emptyspokeconnection-spoke1.json
+while [[ $(az rest --uri $WEVNETCONNECTIONSPOKE1 | jq .properties.provisioningState) != "\"Succeeded\"" ]]; do sleep 30; done
+az rest --method put --uri $WEVNETCONNECTIONSPOKE2 --body @emptyspokeconnection-spoke2.json
+while [[ $(az rest --uri $WEVNETCONNECTIONSPOKE2 | jq .properties.provisioningState) != "\"Succeeded\"" ]]; do sleep 30; done
+az rest --method put --uri $WEVNETCONNECTIONSERVICES --body @emptyspokeconnection-services.json
+while [[ $(az rest --uri $WEVNETCONNECTIONSERVICES | jq .properties.provisioningState) != "\"Succeeded\"" ]]; do sleep 30; done
+
+
+
+echo "# removing connection spoke-1-we"
+az network vhub connection delete -n spoke-1-we -g vwan-microhack-hub-rg --vhub-name microhack-we-hub --yes
+echo "# removing connection spoke-2-we"
+az network vhub connection delete -n spoke-2-we -g vwan-microhack-hub-rg --vhub-name microhack-we-hub --yes
+
+
+
+echo "Removing associations and propagations from rt-shared-useast"
+useastdefaultrtid=$(az network vhub route-table show --name defaultRouteTable --resource-group vwan-microhack-hub-rg --vhub-name microhack-useast-hub --query id --output tsv)
+useastsharedrtid=$(az network vhub route-table show --name "rt-shared-useast" --resource-group "vwan-microhack-hub-rg" --vhub-name microhack-useast-hub --query id --output tsv)
+USEASTRESTEP="https://management.azure.com${useastsharedrtid}?api-version=2020-05-01"
+az rest --method put --uri "$USEASTRESTEP" --body @emptyrtbody.json
+while [[ $(az rest --uri $USEASTRESTEP | jq .properties.provisioningState) != "\"Succeeded\"" ]]; do sleep 30; done
+spoke3connection=$(az network 
vhub connection show -n spoke-3-useast -g vwan-microhack-hub-rg --vhub-name microhack-useast-hub --query "id" -o tsv)
+spoke4connection=$(az network vhub connection show -n spoke-4-useast -g vwan-microhack-hub-rg --vhub-name microhack-useast-hub --query "id" -o tsv)
+USEASTVNETCONNECTIONSPOKE3="https://management.azure.com${spoke3connection}?api-version=2020-05-01"
+USEASTVNETCONNECTIONSPOKE4="https://management.azure.com${spoke4connection}?api-version=2020-05-01"
+sed "s#spokevnetid#$spoke3vnetid#g" emptyspokeconnection.json | tee emptyspokeconnection-spoke3.json
+sed -i "s#wedefaultrtid#$useastdefaultrtid#g" emptyspokeconnection-spoke3.json
+sed "s#spokevnetid#$spoke4vnetid#g" emptyspokeconnection.json | tee emptyspokeconnection-spoke4.json
+sed -i "s#wedefaultrtid#$useastdefaultrtid#g" emptyspokeconnection-spoke4.json
+az rest --method put --uri $USEASTVNETCONNECTIONSPOKE3 --body @emptyspokeconnection-spoke3.json
+while [[ $(az rest --uri $USEASTVNETCONNECTIONSPOKE3 | jq .properties.provisioningState) != "\"Succeeded\"" ]]; do sleep 30; done
+az rest --method put --uri $USEASTVNETCONNECTIONSPOKE4 --body @emptyspokeconnection-spoke4.json
+while [[ $(az rest --uri $USEASTVNETCONNECTIONSPOKE4 | jq .properties.provisioningState) != "\"Succeeded\"" ]]; do sleep 30; done
+
+
+ONPREMCONNECTIONID=$(az network vpn-gateway list -g vwan-microhack-hub-rg --query [].connections[].id -o tsv)
+ONPREMCONNECTIONRESTEP="https://management.azure.com${ONPREMCONNECTIONID}?api-version=2020-05-01"
+ONPREMCONNECTIONVPNSITE=$(az network vpn-gateway list -g vwan-microhack-hub-rg --query [].connections[].remoteVpnSite.id -o tsv)
+sed "s#wedefaultrtid#$wedefaultrtid#g" onpremconnection.json | tee onpremconnection-values.json
+sed -i "s#ONPREMCONNECTIONVPNSITE#$ONPREMCONNECTIONVPNSITE#g" onpremconnection-values.json
+az rest --method put --uri $ONPREMCONNECTIONRESTEP --body @onpremconnection-values.json
+while [[ $(az rest --uri $ONPREMCONNECTIONRESTEP | jq .properties.provisioningState) != 
"\"Succeeded\"" ]]; do sleep 30; done
+
+
+echo "Deleting rt-shared-useast"
+az network vhub route-table delete --name rt-shared-useast -g vwan-microhack-hub-rg --vhub-name microhack-useast-hub
+echo "Deleting rt-shared-we"
+az network vhub route-table delete --name rt-shared-we -g vwan-microhack-hub-rg --vhub-name microhack-we-hub
+
+echo "# connecting nva-vnet"
+az network vhub connection create -n nva-we -g vwan-microhack-hub-rg --vhub-name microhack-we-hub --remote-vnet $nvavnetid --no-wait
+
+echo "# peering spoke-1-vnet to nva-vnet"
+az network vnet peering create --name spoke1-to-nva --resource-group vwan-microhack-spoke-rg --vnet-name spoke-1-vnet --remote-vnet nva-vnet --allow-vnet-access --allow-forwarded-traffic
+az network vnet peering create --name nva-to-spoke1 --resource-group vwan-microhack-spoke-rg --vnet-name nva-vnet --remote-vnet spoke-1-vnet --allow-vnet-access --allow-forwarded-traffic
+echo "# peering spoke-2-vnet to nva-vnet"
+az network vnet peering create --name spoke2-to-nva --resource-group vwan-microhack-spoke-rg --vnet-name spoke-2-vnet --remote-vnet nva-vnet --allow-vnet-access --allow-forwarded-traffic
+az network vnet peering create --name nva-to-spoke2 --resource-group vwan-microhack-spoke-rg --vnet-name nva-vnet --remote-vnet spoke-2-vnet --allow-vnet-access --allow-forwarded-traffic
diff --git a/prep-for-scenario-6.sh b/prep-for-scenario-6.sh
index 1b2897c..7eabcfd 100755
--- a/prep-for-scenario-6.sh
+++ b/prep-for-scenario-6.sh
@@ -1,36 +1,36 @@
-spoke1vnetid=$(az network vnet show -g vwan-microhack-spoke-rg -n spoke-1-vnet --query "id" --output tsv)
-spoke2vnetid=$(az network vnet show -g vwan-microhack-spoke-rg -n spoke-2-vnet --query "id" --output tsv)
-spoke3vnetid=$(az network vnet show -g vwan-microhack-spoke-rg -n spoke-3-vnet --query "id" --output tsv)
-spoke4vnetid=$(az network vnet show -g vwan-microhack-spoke-rg -n spoke-4-vnet --query "id" --output tsv)
-servicesvnetid=$(az network vnet show -g vwan-microhack-spoke-rg -n services-vnet --query "id" --output tsv)
-nvavnetid=$(az network vnet show -g vwan-microhack-spoke-rg -n nva-vnet --query "id" --output tsv)
-
-echo "# removing peerings to from spoke-vnet-1 to nva-vnet"
-az network vnet peering delete --name spoke1-to-nva --resource-group vwan-microhack-spoke-rg --vnet-name spoke-1-vnet
-az network vnet peering delete --name nva-to-spoke1 --resource-group vwan-microhack-spoke-rg --vnet-name nva-vnet
-echo "# removing peerings to from spoke-vnet-2 to nva-vnet"
-az network vnet peering delete --name spoke2-to-nva --resource-group vwan-microhack-spoke-rg --vnet-name spoke-2-vnet
-az network vnet peering delete --name nva-to-spoke2 --resource-group vwan-microhack-spoke-rg --vnet-name nva-vnet
-
-echo "# disconnecting nva-vnet"
-az network vhub connection delete -n nva-we -g vwan-microhack-hub-rg --vhub-name microhack-we-hub --yes
-
-echo "# connecting spoke-1-vnet"
-az network vhub connection create --name spoke-1-we --resource-group vwan-microhack-hub-rg --vhub-name microhack-we-hub --remote-vnet $spoke1vnetid --labels default
-echo "# connecting spoke-2-vnet"
-az network vhub connection create --name spoke-2-we --resource-group vwan-microhack-hub-rg --vhub-name microhack-we-hub --remote-vnet $spoke2vnetid --labels default --no-wait
-
-echo "#removing custom routes from microhack-we-hub"
-az network vhub route-table route remove --index 1 -n defaultRouteTable -g vwan-microhack-hub-rg --vhub-name microhack-we-hub --no-wait
-az 
network vhub route-table route remove --index 1 -n defaultRouteTable -g vwan-microhack-hub-rg --vhub-name microhack-we-hub --no-wait
-echo "#removing custom routes from microhack-useast-hub"
-az network vhub route-table route remove --index 1 -n defaultRouteTable -g vwan-microhack-hub-rg --vhub-name microhack-useast-hub --no-wait
-az network vhub route-table route remove --index 1 -n defaultRouteTable -g vwan-microhack-hub-rg --vhub-name microhack-useast-hub --no-wait
-
-echo "# detach UDR from vmSubnet in spoke-1-vnet"
-az network vnet subnet update --resource-group vwan-microhack-spoke-rg --name vmSubnet --vnet-name spoke-1-vnet --route-table ""
-echo "# detach UDR from vmSubnet in spoke-2-vnet"
-az network vnet subnet update --resource-group vwan-microhack-spoke-rg --name vmSubnet --vnet-name spoke-2-vnet --route-table ""
-
-
-
+spoke1vnetid=$(az network vnet show -g vwan-microhack-spoke-rg -n spoke-1-vnet --query "id" --output tsv)
+spoke2vnetid=$(az network vnet show -g vwan-microhack-spoke-rg -n spoke-2-vnet --query "id" --output tsv)
+spoke3vnetid=$(az network vnet show -g vwan-microhack-spoke-rg -n spoke-3-vnet --query "id" --output tsv)
+spoke4vnetid=$(az network vnet show -g vwan-microhack-spoke-rg -n spoke-4-vnet --query "id" --output tsv)
+servicesvnetid=$(az network vnet show -g vwan-microhack-spoke-rg -n services-vnet --query "id" --output tsv)
+nvavnetid=$(az network vnet show -g vwan-microhack-spoke-rg -n nva-vnet --query "id" --output tsv)
+
+echo "# removing peerings to from spoke-vnet-1 to nva-vnet"
+az network vnet peering delete --name spoke1-to-nva --resource-group vwan-microhack-spoke-rg --vnet-name spoke-1-vnet
+az network vnet peering delete --name nva-to-spoke1 --resource-group vwan-microhack-spoke-rg --vnet-name nva-vnet
+echo "# removing peerings to from spoke-vnet-2 to nva-vnet"
+az network vnet peering delete --name spoke2-to-nva --resource-group vwan-microhack-spoke-rg --vnet-name spoke-2-vnet
+az network vnet peering delete --name 
nva-to-spoke2 --resource-group vwan-microhack-spoke-rg --vnet-name nva-vnet
+
+echo "# disconnecting nva-vnet"
+az network vhub connection delete -n nva-we -g vwan-microhack-hub-rg --vhub-name microhack-we-hub --yes
+
+echo "# connecting spoke-1-vnet"
+az network vhub connection create --name spoke-1-we --resource-group vwan-microhack-hub-rg --vhub-name microhack-we-hub --remote-vnet $spoke1vnetid --labels default
+echo "# connecting spoke-2-vnet"
+az network vhub connection create --name spoke-2-we --resource-group vwan-microhack-hub-rg --vhub-name microhack-we-hub --remote-vnet $spoke2vnetid --labels default --no-wait
+
+echo "#removing custom routes from microhack-we-hub"
+az network vhub route-table route remove --index 1 -n defaultRouteTable -g vwan-microhack-hub-rg --vhub-name microhack-we-hub --no-wait
+az network vhub route-table route remove --index 1 -n defaultRouteTable -g vwan-microhack-hub-rg --vhub-name microhack-we-hub --no-wait
+echo "#removing custom routes from microhack-useast-hub"
+az network vhub route-table route remove --index 1 -n defaultRouteTable -g vwan-microhack-hub-rg --vhub-name microhack-useast-hub --no-wait
+az network vhub route-table route remove --index 1 -n defaultRouteTable -g vwan-microhack-hub-rg --vhub-name microhack-useast-hub --no-wait
+
+echo "# detach UDR from vmSubnet in spoke-1-vnet"
+az network vnet subnet update --resource-group vwan-microhack-spoke-rg --name vmSubnet --vnet-name spoke-1-vnet --route-table ""
+echo "# detach UDR from vmSubnet in spoke-2-vnet"
+az network vnet subnet update --resource-group vwan-microhack-spoke-rg --name vmSubnet --vnet-name spoke-2-vnet --route-table ""
+
+
+
diff --git a/spoke.tf b/spoke.tf
index c9f27c8..baecd32 100644
--- a/spoke.tf
+++ b/spoke.tf
@@ -1,713 +1,713 @@
-#######################################################################
-## Create Virtual Network - Spoke 1
-#######################################################################
-
-resource "azurerm_virtual_network" "spoke-1-vnet" {
- name = "spoke-1-vnet"
- location = var.location-spoke-1
- resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name
- address_space = ["172.16.1.0/24"]
-
- tags = {
- environment = "spoke-1"
- deployment = "terraform"
- microhack = "vwan"
- }
-}
-
-#######################################################################
-## Create Subnets - Spoke 1
-#######################################################################
-
-resource "azurerm_subnet" "spoke-1-vm-subnet" {
- name = "vmSubnet"
- resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name
- virtual_network_name = azurerm_virtual_network.spoke-1-vnet.name
- address_prefixes = ["172.16.1.0/25"]
-}
-resource "azurerm_subnet" "bastion-spoke-1-subnet" {
- name = "AzureBastionSubnet"
- resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name
- virtual_network_name = azurerm_virtual_network.spoke-1-vnet.name
- address_prefixes = ["172.16.1.128/27"]
-}
-#######################################################################
-## Create Virtual Network - Spoke 2
-#######################################################################
-
-resource "azurerm_virtual_network" "spoke-2-vnet" {
- name = "spoke-2-vnet"
- location = var.location-spoke-2
- resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name
- address_space = ["172.16.2.0/24"]
-
- tags = {
- environment = "spoke-2"
- deployment = "terraform"
- microhack = "vwan"
- }
-}
-#######################################################################
-## Create Subnets - Spoke 2
-#######################################################################
-resource "azurerm_subnet" "spoke-2-vm-subnet" {
- name = "vmSubnet"
- resource_group_name = 
azurerm_resource_group.vwan-microhack-spoke-rg.name
- virtual_network_name = azurerm_virtual_network.spoke-2-vnet.name
- address_prefixes = ["172.16.2.0/25"]
-}
-resource "azurerm_subnet" "bastion-spoke-2-subnet" {
- name = "AzureBastionSubnet"
- resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name
- virtual_network_name = azurerm_virtual_network.spoke-2-vnet.name
- address_prefixes = ["172.16.2.128/27"]
-}
-#######################################################################
-## Create Virtual Network - Spoke 3
-#######################################################################
-resource "azurerm_virtual_network" "spoke-3-vnet" {
- name = "spoke-3-vnet"
- location = var.location-spoke-3
- resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name
- address_space = ["172.16.3.0/24"]
-
- tags = {
- environment = "spoke-3"
- deployment = "terraform"
- microhack = "vwan"
- }
-}
-#######################################################################
-## Create Subnets - Spoke 3
-#######################################################################
-resource "azurerm_subnet" "spoke-3-vm-subnet" {
- name = "vmSubnet"
- resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name
- virtual_network_name = azurerm_virtual_network.spoke-3-vnet.name
- address_prefixes = ["172.16.3.0/25"]
-}
-resource "azurerm_subnet" "bastion-spoke-3-subnet" {
- name = "AzureBastionSubnet"
- resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name
- virtual_network_name = azurerm_virtual_network.spoke-3-vnet.name
- address_prefixes = ["172.16.3.128/27"]
-}
-#######################################################################
-## Create Virtual Network - Spoke 4
-#######################################################################
-
-resource "azurerm_virtual_network" "spoke-4-vnet" {
- name = "spoke-4-vnet"
- location = var.location-spoke-4
- resource_group_name = 
azurerm_resource_group.vwan-microhack-spoke-rg.name
- address_space = ["172.16.4.0/24"]
-
- tags = {
- environment = "spoke-4"
- deployment = "terraform"
- microhack = "vwan"
- }
-}
-#######################################################################
-## Create Subnets - Spoke 4
-#######################################################################
-
-resource "azurerm_subnet" "spoke-4-vm-subnet" {
- name = "vmSubnet"
- resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name
- virtual_network_name = azurerm_virtual_network.spoke-4-vnet.name
- address_prefixes = ["172.16.4.0/25"]
-}
-resource "azurerm_subnet" "bastion-spoke-4-subnet" {
- name = "AzureBastionSubnet"
- resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name
- virtual_network_name = azurerm_virtual_network.spoke-4-vnet.name
- address_prefixes = ["172.16.4.128/27"]
-}
-#######################################################################
-## Create Virtual Network - Onprem
-#######################################################################
-
-resource "azurerm_virtual_network" "onprem-vnet" {
- name = "onprem-vnet"
- location = var.location-onprem
- resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name
- address_space = ["10.0.1.0/24","10.0.2.0/24"]
-
- tags = {
- environment = "onprem"
- deployment = "terraform"
- microhack = "vwan"
- }
-}
-#######################################################################
-## Create Subnets - onprem
-#######################################################################
-resource "azurerm_subnet" "onprem-vm-subnet" {
- name = "vmSubnet"
- resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name
- virtual_network_name = azurerm_virtual_network.onprem-vnet.name
- address_prefixes = ["10.0.1.0/25"]
-}
-resource "azurerm_subnet" "bastion-onprem-subnet" {
- name = "AzureBastionSubnet"
- resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name
- virtual_network_name 
= azurerm_virtual_network.onprem-vnet.name
- address_prefixes = ["10.0.1.128/27"]
-}
-resource "azurerm_subnet" "onprem-gateway-subnet" {
- name = "GatewaySubnet"
- resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name
- virtual_network_name = azurerm_virtual_network.onprem-vnet.name
- address_prefixes = ["10.0.1.160/27"]
-}
-#######################################################################
-## Create Virtual Network - Services
-#######################################################################
-resource "azurerm_virtual_network" "services-vnet" {
- name = "services-vnet"
- location = var.location-spoke-services
- resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name
- address_space = ["172.16.10.0/24"]
-
- tags = {
- environment = "services"
- deployment = "terraform"
- microhack = "vwan"
- }
-}
-#######################################################################
-## Create Subnets - Services
-#######################################################################
-
-resource "azurerm_subnet" "services-vm-1-subnet" {
- name = "servicesSubnet-1"
- resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name
- virtual_network_name = azurerm_virtual_network.services-vnet.name
- address_prefixes = ["172.16.10.0/25"]
-}
-resource "azurerm_subnet" "services-vm-2-subnet" {
- name = "servicesSubnet-2"
- resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name
- virtual_network_name = azurerm_virtual_network.services-vnet.name
- address_prefixes = ["172.16.10.128/27"]
-}
-resource "azurerm_subnet" "bastion-services-subnet" {
- name = "AzureBastionSubnet"
- resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name
- virtual_network_name = azurerm_virtual_network.services-vnet.name
- address_prefixes = ["172.16.10.160/27"]
-}
-#######################################################################
-## Create Virtual Network - NVA
-####################################################################### -resource "azurerm_virtual_network" "nva-vnet" { - name = "nva-vnet" - location = var.location-spoke-services - resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name - address_space = ["172.16.20.0/24"] - - tags = { - environment = "nva" - deployment = "terraform" - microhack = "vwan" - } -} -####################################################################### -## Create Subnets - NVA -####################################################################### - -resource "azurerm_subnet" "nva-subnet-1" { - name = "nva-subnet-1" - resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name - virtual_network_name = azurerm_virtual_network.nva-vnet.name - address_prefixes = ["172.16.20.0/26"] -} -resource "azurerm_subnet" "nva-subnet-2" { - name = "nva-subnet-2" - resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name - virtual_network_name = azurerm_virtual_network.nva-vnet.name - address_prefixes = ["172.16.20.64/26"] -} -resource "azurerm_subnet" "bastion-nva-subnet" { - name = "AzureBastionSubnet" - resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name - virtual_network_name = azurerm_virtual_network.nva-vnet.name - address_prefixes = ["172.16.20.160/27"] -} -####################################################################### -## Create Network Interface - Spoke 1 -####################################################################### - -resource "azurerm_network_interface" "spoke-1-nic" { - name = "spoke-1-nic" - location = var.location-spoke-1 - resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name - enable_ip_forwarding = false - - ip_configuration { - name = "spoke-1-ipconfig" - subnet_id = azurerm_subnet.spoke-1-vm-subnet.id - private_ip_address_allocation = "Dynamic" - } - - tags = { - environment = "spoke-1" - deployment = "terraform" - microhack = "vwan" - } -} 
-####################################################################### -## Create Network Interface - Spoke 2 -####################################################################### - -resource "azurerm_network_interface" "spoke-2-nic" { - name = "spoke-2-nic" - location = var.location-spoke-2 - resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name - enable_ip_forwarding = false - - ip_configuration { - name = "spoke-2-ipconfig" - subnet_id = azurerm_subnet.spoke-2-vm-subnet.id - private_ip_address_allocation = "Dynamic" - } - - tags = { - environment = "spoke-1" - deployment = "terraform" - microhack = "vwan" - } -} -####################################################################### -## Create Network Interface - Spoke 3 -####################################################################### - -resource "azurerm_network_interface" "spoke-3-nic" { - name = "spoke-3-nic" - location = var.location-spoke-3 - resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name - enable_ip_forwarding = false - - ip_configuration { - name = "spoke-3-ipconfig" - subnet_id = azurerm_subnet.spoke-3-vm-subnet.id - private_ip_address_allocation = "Dynamic" - } - - tags = { - environment = "spoke-3" - deployment = "terraform" - microhack = "vwan" - } -} -####################################################################### -## Create Network Interface - Spoke 4 -####################################################################### - -resource "azurerm_network_interface" "spoke-4-nic" { - name = "spoke-4-nic" - location = var.location-spoke-4 - resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name - enable_ip_forwarding = false - - ip_configuration { - name = "spoke-4" - subnet_id = azurerm_subnet.spoke-4-vm-subnet.id - private_ip_address_allocation = "Dynamic" - } - - tags = { - environment = "spoke-4" - deployment = "terraform" - microhack = "vwan" - } -} 
-####################################################################### -## Create Network Interface - Spoke onprem -####################################################################### - -resource "azurerm_network_interface" "onprem-nic" { - name = "onprem-nic" - location = var.location-onprem - resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name - enable_ip_forwarding = false - - ip_configuration { - name = "onprem-ipconfig" - subnet_id = azurerm_subnet.onprem-vm-subnet.id - private_ip_address_allocation = "Dynamic" - } - - tags = { - environment = "onprem" - deployment = "terraform" - microhack = "vwan" - } -} -####################################################################### -## Create Network Interface - ADDC -####################################################################### - -resource "azurerm_network_interface" "spoke-addc-1-nic" { - name = "spoke-addc-1-nic" - location = var.location-spoke-services - resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name - enable_ip_forwarding = false - - ip_configuration { - name = "addc-1-ipconfig" - subnet_id = azurerm_subnet.services-vm-1-subnet.id - private_ip_address_allocation = "Dynamic" - } - - tags = { - environment = "services" - deployment = "terraform" - microhack = "vwan" - } -} -####################################################################### -## Create Virtual Machine spoke-1 -####################################################################### - -resource "azurerm_windows_virtual_machine" "spoke-1-vm" { - name = "spoke-1-vm" - location = var.location-spoke-1 - resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name - network_interface_ids = [azurerm_network_interface.spoke-1-nic.id] - size = var.vmsize - computer_name = "spoke-1-vm" - admin_username = var.username - admin_password = var.password - provision_vm_agent = true - - source_image_reference { - offer = "WindowsServer" - publisher = "MicrosoftWindowsServer" - sku = 
"2019-Datacenter" - version = "latest" - } - - os_disk { - name = "spoke-1-osdisk" - caching = "ReadWrite" - storage_account_type = "StandardSSD_LRS" - } - - tags = { - environment = "spoke-1" - deployment = "terraform" - microhack = "vwan" - } -} -####################################################################### -## Create Virtual Machine spoke-2 -####################################################################### -resource "azurerm_windows_virtual_machine" "spoke-2-vm" { - name = "spoke-2-vm" - location = var.location-spoke-2 - resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name - network_interface_ids = [azurerm_network_interface.spoke-2-nic.id] - size = var.vmsize - computer_name = "spoke-2-vm" - admin_username = var.username - admin_password = var.password - provision_vm_agent = true - - - source_image_reference { - offer = "WindowsServer" - publisher = "MicrosoftWindowsServer" - sku = "2019-Datacenter" - version = "latest" - } - - os_disk { - name = "spoke-2-osdisk" - caching = "ReadWrite" - storage_account_type = "StandardSSD_LRS" - } - - tags = { - environment = "spoke-2" - deployment = "terraform" - microhack = "vwan" - } -} -####################################################################### -## Create Virtual Machine spoke-3 -####################################################################### -resource "azurerm_windows_virtual_machine" "spoke-3-vm" { - name = "spoke-3-vm" - location = var.location-spoke-3 - resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name - network_interface_ids = [azurerm_network_interface.spoke-3-nic.id] - size = var.vmsize - computer_name = "spoke-3-vm" - admin_username = var.username - admin_password = var.password - provision_vm_agent = true - - source_image_reference { - offer = "WindowsServer" - publisher = "MicrosoftWindowsServer" - sku = "2019-Datacenter" - version = "latest" - } - - os_disk { - name = "spoke-3-osdisk" - caching = "ReadWrite" - storage_account_type 
= "StandardSSD_LRS" - } - - tags = { - environment = "spoke-3" - deployment = "terraform" - microhack = "vwan" - } -} -####################################################################### -## Create Virtual Machine spoke-4 -####################################################################### -resource "azurerm_windows_virtual_machine" "spoke-4-vm" { - name = "spoke-4-vm" - location = var.location-spoke-4 - resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name - network_interface_ids = [azurerm_network_interface.spoke-4-nic.id] - size = var.vmsize - computer_name = "spoke-4-vm" - admin_username = var.username - admin_password = var.password - provision_vm_agent = true - - source_image_reference { - offer = "WindowsServer" - publisher = "MicrosoftWindowsServer" - sku = "2019-Datacenter" - version = "latest" - } - - os_disk { - name = "spoke-4-osdisk" - caching = "ReadWrite" - storage_account_type = "StandardSSD_LRS" - } - - tags = { - environment = "spoke-4" - deployment = "terraform" - microhack = "vwan" - } -} -####################################################################### -## Create Virtual Machine onprem -####################################################################### -resource "azurerm_windows_virtual_machine" "onprem-vm" { - name = "onprem-vm" - location = var.location-onprem - resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name - network_interface_ids = [azurerm_network_interface.onprem-nic.id] - size = var.vmsize - computer_name = "onprem-vm" - admin_username = var.username - admin_password = var.password - provision_vm_agent = true - - source_image_reference { - offer = "WindowsServer" - publisher = "MicrosoftWindowsServer" - sku = "2019-Datacenter" - version = "latest" - } - - os_disk { - name = "onprem-osdisk" - caching = "ReadWrite" - storage_account_type = "StandardSSD_LRS" - } - - tags = { - environment = "onprem" - deployment = "terraform" - microhack = "vwan" - } -} 
-####################################################################### -## Create Virtual Machine spoke-addc -####################################################################### -resource "azurerm_windows_virtual_machine" "spoke-addc-vm" { - name = "spoke-addc-vm" - location = var.location-spoke-services - resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name - network_interface_ids = [azurerm_network_interface.spoke-addc-1-nic.id] - size = var.vmsize - computer_name = "spoke-addc-vm" - admin_username = var.username - admin_password = var.password - provision_vm_agent = true - - source_image_reference { - offer = "WindowsServer" - publisher = "MicrosoftWindowsServer" - sku = "2019-Datacenter" - version = "latest" - } - - os_disk { - name = "spoke-addc-osdisk" - caching = "ReadWrite" - storage_account_type = "StandardSSD_LRS" - } - - tags = { - environment = "addc" - deployment = "terraform" - microhack = "vwan" - } -} -####################################################################### -## Create Network Interface - nva-iptables-vm -####################################################################### -resource "azurerm_public_ip" "nva-iptables-vm-pub-ip"{ - name = "nva-iptables-vm-pub-ip" - location = var.location-spoke-services - resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name - allocation_method = "Static" - tags = { - environment = "nva" - deployment = "terraform" - microhack = "vwan" - } -} -resource "azurerm_network_security_group" "nva-iptables-vm-nsg"{ - name = "nva-iptables-vm-nsg" - location = var.location-spoke-services - resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name - - security_rule { - name = "ssh" - priority = 100 - direction = "Inbound" - access = "Allow" - protocol = "Tcp" - source_port_range = "*" - destination_port_range = "22" - source_address_prefix = "*" - destination_address_prefix = "*" - } - security_rule { - name = "http" - priority = 200 - direction = 
"Inbound" - access = "Allow" - protocol = "Tcp" - source_port_range = "*" - destination_port_range = "80" - source_address_prefix = "*" - destination_address_prefix = "*" - } - security_rule { - name = "https" - priority = 210 - direction = "Inbound" - access = "Allow" - protocol = "Tcp" - source_port_range = "*" - destination_port_range = "443" - source_address_prefix = "*" - destination_address_prefix = "*" - } - security_rule { - name = "icmp" - priority = 220 - direction = "Inbound" - access = "Allow" - protocol = "Tcp" - source_port_range = "*" - destination_port_range = "*" - source_address_prefix = "*" - destination_address_prefix = "*" - } - - tags = { - environment = "nva" - deployment = "terraform" - microhack = "vwan" - } -} -resource "azurerm_network_interface" "nva-iptables-vm-nic-1" { - name = "nva-iptables-vm-nic-1" - location = var.location-spoke-services - resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name - enable_ip_forwarding = true - ip_configuration { - name = "nva-1-ipconfig" - subnet_id = azurerm_subnet.nva-subnet-1.id - private_ip_address_allocation = "Static" - private_ip_address = "172.16.20.4" - public_ip_address_id = azurerm_public_ip.nva-iptables-vm-pub-ip.id - } - tags = { - environment = "nva" - deployment = "terraform" - microhack = "vwan" - } -} -resource "azurerm_network_interface_security_group_association" "nva-iptables-vm-nsg-ass" { - network_interface_id = azurerm_network_interface.nva-iptables-vm-nic-1.id - network_security_group_id = azurerm_network_security_group.nva-iptables-vm-nsg.id -} -resource "azurerm_network_interface" "nva-iptables-vm-nic-2" { - name = "nva-iptables-vm-nic-2" - location = var.location-spoke-services - resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name - enable_ip_forwarding = true - ip_configuration { - name = "nva-2-ipconfig" - subnet_id = azurerm_subnet.nva-subnet-2.id - private_ip_address_allocation = "Static" - private_ip_address = "172.16.20.68" - } 
- - tags = { - environment = "nva" - deployment = "terraform" - microhack = "vwan" - } -} -####################################################################### -## Create Virtual Machine - NVA -####################################################################### -resource "azurerm_linux_virtual_machine" "nva-iptables-vm" { - name = "nva-iptables-vm" - location = var.location-spoke-services - resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name - network_interface_ids = [azurerm_network_interface.nva-iptables-vm-nic-1.id] - size = var.vmsize - admin_username = var.username - admin_password = var.password - disable_password_authentication = false - - source_image_reference { - publisher = "Canonical" - offer = "UbuntuServer" - sku = "18.04-LTS" - version = "latest" - } - - os_disk { - name = "nva-iptables-vm-osdisk" - caching = "ReadWrite" - storage_account_type = "StandardSSD_LRS" - } - - tags = { - environment = "nva" - deployment = "terraform" - microhack = "vwan" - } -} - - +####################################################################### +## Create Virtual Network - Spoke 1 +####################################################################### + +resource "azurerm_virtual_network" "spoke-1-vnet" { + name = "spoke-1-vnet" + location = var.location-spoke-1 + resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name + address_space = ["172.16.1.0/24"] + + tags = { + environment = "spoke-1" + deployment = "terraform" + microhack = "vwan" + } +} + +####################################################################### +## Create Subnets - Spoke 1 +####################################################################### + +resource "azurerm_subnet" "spoke-1-vm-subnet" { + name = "vmSubnet" + resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name + virtual_network_name = azurerm_virtual_network.spoke-1-vnet.name + address_prefixes = ["172.16.1.0/25"] +} +resource "azurerm_subnet" 
"bastion-spoke-1-subnet" { + name = "AzureBastionSubnet" + resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name + virtual_network_name = azurerm_virtual_network.spoke-1-vnet.name + address_prefixes = ["172.16.1.128/27"] +} +####################################################################### +## Create Virtual Network - Spoke 2 +####################################################################### + +resource "azurerm_virtual_network" "spoke-2-vnet" { + name = "spoke-2-vnet" + location = var.location-spoke-2 + resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name + address_space = ["172.16.2.0/24"] + + tags = { + environment = "spoke-2" + deployment = "terraform" + microhack = "vwan" + } +} +####################################################################### +## Create Subnets - Spoke 2 +####################################################################### +resource "azurerm_subnet" "spoke-2-vm-subnet" { + name = "vmSubnet" + resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name + virtual_network_name = azurerm_virtual_network.spoke-2-vnet.name + address_prefixes = ["172.16.2.0/25"] +} +resource "azurerm_subnet" "bastion-spoke-2-subnet" { + name = "AzureBastionSubnet" + resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name + virtual_network_name = azurerm_virtual_network.spoke-2-vnet.name + address_prefixes = ["172.16.2.128/27"] +} +####################################################################### +## Create Virtual Network - Spoke 3 +####################################################################### +resource "azurerm_virtual_network" "spoke-3-vnet" { + name = "spoke-3-vnet" + location = var.location-spoke-3 + resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name + address_space = ["172.16.3.0/24"] + + tags = { + environment = "spoke-3" + deployment = "terraform" + microhack = "vwan" + } +} 
+####################################################################### +## Create Subnets - Spoke 3 +####################################################################### +resource "azurerm_subnet" "spoke-3-vm-subnet" { + name = "vmSubnet" + resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name + virtual_network_name = azurerm_virtual_network.spoke-3-vnet.name + address_prefixes = ["172.16.3.0/25"] +} +resource "azurerm_subnet" "bastion-spoke-3-subnet" { + name = "AzureBastionSubnet" + resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name + virtual_network_name = azurerm_virtual_network.spoke-3-vnet.name + address_prefixes = ["172.16.3.128/27"] +} +####################################################################### +## Create Virtual Network - Spoke 4 +####################################################################### + +resource "azurerm_virtual_network" "spoke-4-vnet" { + name = "spoke-4-vnet" + location = var.location-spoke-4 + resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name + address_space = ["172.16.4.0/24"] + + tags = { + environment = "spoke-4" + deployment = "terraform" + microhack = "vwan" + } +} +####################################################################### +## Create Subnets - Spoke 4 +####################################################################### + +resource "azurerm_subnet" "spoke-4-vm-subnet" { + name = "vmSubnet" + resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name + virtual_network_name = azurerm_virtual_network.spoke-4-vnet.name + address_prefixes = ["172.16.4.0/25"] +} +resource "azurerm_subnet" "bastion-spoke-4-subnet" { + name = "AzureBastionSubnet" + resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name + virtual_network_name = azurerm_virtual_network.spoke-4-vnet.name + address_prefixes = ["172.16.4.128/27"] +} +####################################################################### +## Create Virtual 
Network - Onprem +####################################################################### + +resource "azurerm_virtual_network" "onprem-vnet" { + name = "onprem-vnet" + location = var.location-onprem + resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name + address_space = ["10.0.1.0/24","10.0.2.0/24"] + + tags = { + environment = "onprem" + deployment = "terraform" + microhack = "vwan" + } +} +####################################################################### +## Create Subnets - onprem +####################################################################### +resource "azurerm_subnet" "onprem-vm-subnet" { + name = "vmSubnet" + resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name + virtual_network_name = azurerm_virtual_network.onprem-vnet.name + address_prefixes = ["10.0.1.0/25"] +} +resource "azurerm_subnet" "bastion-onprem-subnet" { + name = "AzureBastionSubnet" + resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name + virtual_network_name = azurerm_virtual_network.onprem-vnet.name + address_prefixes = ["10.0.1.128/27"] +} +resource "azurerm_subnet" "onprem-gateway-subnet" { + name = "GatewaySubnet" + resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name + virtual_network_name = azurerm_virtual_network.onprem-vnet.name + address_prefixes = ["10.0.1.160/27"] +} +####################################################################### +## Create Virtual Network - Services +####################################################################### +resource "azurerm_virtual_network" "services-vnet" { + name = "services-vnet" + location = var.location-spoke-services + resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name + address_space = ["172.16.10.0/24"] + + tags = { + environment = "services" + deployment = "terraform" + microhack = "vwan" + } +} +####################################################################### +## Create Subnets - Services 
+####################################################################### + +resource "azurerm_subnet" "services-vm-1-subnet" { + name = "servicesSubnet-1" + resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name + virtual_network_name = azurerm_virtual_network.services-vnet.name + address_prefixes = ["172.16.10.0/25"] +} +resource "azurerm_subnet" "services-vm-2-subnet" { + name = "servicesSubnet-2" + resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name + virtual_network_name = azurerm_virtual_network.services-vnet.name + address_prefixes = ["172.16.10.128/27"] +} +resource "azurerm_subnet" "bastion-services-subnet" { + name = "AzureBastionSubnet" + resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name + virtual_network_name = azurerm_virtual_network.services-vnet.name + address_prefixes = ["172.16.10.160/27"] +} +####################################################################### +## Create Virtual Network - NVA +####################################################################### +resource "azurerm_virtual_network" "nva-vnet" { + name = "nva-vnet" + location = var.location-spoke-services + resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name + address_space = ["172.16.20.0/24"] + + tags = { + environment = "nva" + deployment = "terraform" + microhack = "vwan" + } +} +####################################################################### +## Create Subnets - NVA +####################################################################### + +resource "azurerm_subnet" "nva-subnet-1" { + name = "nva-subnet-1" + resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name + virtual_network_name = azurerm_virtual_network.nva-vnet.name + address_prefixes = ["172.16.20.0/26"] +} +resource "azurerm_subnet" "nva-subnet-2" { + name = "nva-subnet-2" + resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name + virtual_network_name = 
azurerm_virtual_network.nva-vnet.name + address_prefixes = ["172.16.20.64/26"] +} +resource "azurerm_subnet" "bastion-nva-subnet" { + name = "AzureBastionSubnet" + resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name + virtual_network_name = azurerm_virtual_network.nva-vnet.name + address_prefixes = ["172.16.20.160/27"] +} +####################################################################### +## Create Network Interface - Spoke 1 +####################################################################### + +resource "azurerm_network_interface" "spoke-1-nic" { + name = "spoke-1-nic" + location = var.location-spoke-1 + resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name + enable_ip_forwarding = false + + ip_configuration { + name = "spoke-1-ipconfig" + subnet_id = azurerm_subnet.spoke-1-vm-subnet.id + private_ip_address_allocation = "Dynamic" + } + + tags = { + environment = "spoke-1" + deployment = "terraform" + microhack = "vwan" + } +} +####################################################################### +## Create Network Interface - Spoke 2 +####################################################################### + +resource "azurerm_network_interface" "spoke-2-nic" { + name = "spoke-2-nic" + location = var.location-spoke-2 + resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name + enable_ip_forwarding = false + + ip_configuration { + name = "spoke-2-ipconfig" + subnet_id = azurerm_subnet.spoke-2-vm-subnet.id + private_ip_address_allocation = "Dynamic" + } + + tags = { + environment = "spoke-1" + deployment = "terraform" + microhack = "vwan" + } +} +####################################################################### +## Create Network Interface - Spoke 3 +####################################################################### + +resource "azurerm_network_interface" "spoke-3-nic" { + name = "spoke-3-nic" + location = var.location-spoke-3 + resource_group_name = 
azurerm_resource_group.vwan-microhack-spoke-rg.name + enable_ip_forwarding = false + + ip_configuration { + name = "spoke-3-ipconfig" + subnet_id = azurerm_subnet.spoke-3-vm-subnet.id + private_ip_address_allocation = "Dynamic" + } + + tags = { + environment = "spoke-3" + deployment = "terraform" + microhack = "vwan" + } +} +####################################################################### +## Create Network Interface - Spoke 4 +####################################################################### + +resource "azurerm_network_interface" "spoke-4-nic" { + name = "spoke-4-nic" + location = var.location-spoke-4 + resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name + enable_ip_forwarding = false + + ip_configuration { + name = "spoke-4" + subnet_id = azurerm_subnet.spoke-4-vm-subnet.id + private_ip_address_allocation = "Dynamic" + } + + tags = { + environment = "spoke-4" + deployment = "terraform" + microhack = "vwan" + } +} +####################################################################### +## Create Network Interface - Spoke onprem +####################################################################### + +resource "azurerm_network_interface" "onprem-nic" { + name = "onprem-nic" + location = var.location-onprem + resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name + enable_ip_forwarding = false + + ip_configuration { + name = "onprem-ipconfig" + subnet_id = azurerm_subnet.onprem-vm-subnet.id + private_ip_address_allocation = "Dynamic" + } + + tags = { + environment = "onprem" + deployment = "terraform" + microhack = "vwan" + } +} +####################################################################### +## Create Network Interface - ADDC +####################################################################### + +resource "azurerm_network_interface" "spoke-addc-1-nic" { + name = "spoke-addc-1-nic" + location = var.location-spoke-services + resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name 
+ enable_ip_forwarding = false + + ip_configuration { + name = "addc-1-ipconfig" + subnet_id = azurerm_subnet.services-vm-1-subnet.id + private_ip_address_allocation = "Dynamic" + } + + tags = { + environment = "services" + deployment = "terraform" + microhack = "vwan" + } +} +####################################################################### +## Create Virtual Machine spoke-1 +####################################################################### + +resource "azurerm_windows_virtual_machine" "spoke-1-vm" { + name = "spoke-1-vm" + location = var.location-spoke-1 + resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name + network_interface_ids = [azurerm_network_interface.spoke-1-nic.id] + size = var.vmsize + computer_name = "spoke-1-vm" + admin_username = var.username + admin_password = var.password + provision_vm_agent = true + + source_image_reference { + offer = "WindowsServer" + publisher = "MicrosoftWindowsServer" + sku = "2019-Datacenter" + version = "latest" + } + + os_disk { + name = "spoke-1-osdisk" + caching = "ReadWrite" + storage_account_type = "StandardSSD_LRS" + } + + tags = { + environment = "spoke-1" + deployment = "terraform" + microhack = "vwan" + } +} +####################################################################### +## Create Virtual Machine spoke-2 +####################################################################### +resource "azurerm_windows_virtual_machine" "spoke-2-vm" { + name = "spoke-2-vm" + location = var.location-spoke-2 + resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name + network_interface_ids = [azurerm_network_interface.spoke-2-nic.id] + size = var.vmsize + computer_name = "spoke-2-vm" + admin_username = var.username + admin_password = var.password + provision_vm_agent = true + + + source_image_reference { + offer = "WindowsServer" + publisher = "MicrosoftWindowsServer" + sku = "2019-Datacenter" + version = "latest" + } + + os_disk { + name = "spoke-2-osdisk" + caching = 
"ReadWrite"
+ storage_account_type = "StandardSSD_LRS"
+ }
+
+ tags = {
+ environment = "spoke-2"
+ deployment = "terraform"
+ microhack = "vwan"
+ }
+}
+#######################################################################
+## Create Virtual Machine spoke-3
+#######################################################################
+resource "azurerm_windows_virtual_machine" "spoke-3-vm" {
+ name = "spoke-3-vm"
+ location = var.location-spoke-3
+ resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name
+ network_interface_ids = [azurerm_network_interface.spoke-3-nic.id]
+ size = var.vmsize
+ computer_name = "spoke-3-vm"
+ admin_username = var.username
+ admin_password = var.password
+ provision_vm_agent = true
+
+ source_image_reference {
+ offer = "WindowsServer"
+ publisher = "MicrosoftWindowsServer"
+ sku = "2019-Datacenter"
+ version = "latest"
+ }
+
+ os_disk {
+ name = "spoke-3-osdisk"
+ caching = "ReadWrite"
+ storage_account_type = "StandardSSD_LRS"
+ }
+
+ tags = {
+ environment = "spoke-3"
+ deployment = "terraform"
+ microhack = "vwan"
+ }
+}
+#######################################################################
+## Create Virtual Machine spoke-4
+#######################################################################
+resource "azurerm_windows_virtual_machine" "spoke-4-vm" {
+ name = "spoke-4-vm"
+ location = var.location-spoke-4
+ resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name
+ network_interface_ids = [azurerm_network_interface.spoke-4-nic.id]
+ size = var.vmsize
+ computer_name = "spoke-4-vm"
+ admin_username = var.username
+ admin_password = var.password
+ provision_vm_agent = true
+
+ source_image_reference {
+ offer = "WindowsServer"
+ publisher = "MicrosoftWindowsServer"
+ sku = "2019-Datacenter"
+ version = "latest"
+ }
+
+ os_disk {
+ name = "spoke-4-osdisk"
+ caching = "ReadWrite"
+ storage_account_type = "StandardSSD_LRS"
+ }
+
+ tags = {
+ environment = "spoke-4"
+ deployment = "terraform"
+ microhack = "vwan"
+ }
+}
+#######################################################################
+## Create Virtual Machine onprem
+#######################################################################
+resource "azurerm_windows_virtual_machine" "onprem-vm" {
+ name = "onprem-vm"
+ location = var.location-onprem
+ resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name
+ network_interface_ids = [azurerm_network_interface.onprem-nic.id]
+ size = var.vmsize
+ computer_name = "onprem-vm"
+ admin_username = var.username
+ admin_password = var.password
+ provision_vm_agent = true
+
+ source_image_reference {
+ offer = "WindowsServer"
+ publisher = "MicrosoftWindowsServer"
+ sku = "2019-Datacenter"
+ version = "latest"
+ }
+
+ os_disk {
+ name = "onprem-osdisk"
+ caching = "ReadWrite"
+ storage_account_type = "StandardSSD_LRS"
+ }
+
+ tags = {
+ environment = "onprem"
+ deployment = "terraform"
+ microhack = "vwan"
+ }
+}
+#######################################################################
+## Create Virtual Machine spoke-addc
+#######################################################################
+resource "azurerm_windows_virtual_machine" "spoke-addc-vm" {
+ name = "spoke-addc-vm"
+ location = var.location-spoke-services
+ resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name
+ network_interface_ids = [azurerm_network_interface.spoke-addc-1-nic.id]
+ size = var.vmsize
+ computer_name = "spoke-addc-vm"
+ admin_username = var.username
+ admin_password = var.password
+ provision_vm_agent = true
+
+ source_image_reference {
+ offer = "WindowsServer"
+ publisher = "MicrosoftWindowsServer"
+ sku = "2019-Datacenter"
+ version = "latest"
+ }
+
+ os_disk {
+ name = "spoke-addc-osdisk"
+ caching = "ReadWrite"
+ storage_account_type = "StandardSSD_LRS"
+ }
+
+ tags = {
+ environment = "addc"
+ deployment = "terraform"
+ microhack = "vwan"
+ }
+}
+#######################################################################
+## Create Network Interface - nva-iptables-vm
+#######################################################################
+resource "azurerm_public_ip" "nva-iptables-vm-pub-ip"{
+ name = "nva-iptables-vm-pub-ip"
+ location = var.location-spoke-services
+ resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name
+ allocation_method = "Static"
+ tags = {
+ environment = "nva"
+ deployment = "terraform"
+ microhack = "vwan"
+ }
+}
+resource "azurerm_network_security_group" "nva-iptables-vm-nsg"{
+ name = "nva-iptables-vm-nsg"
+ location = var.location-spoke-services
+ resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name
+
+ security_rule {
+ name = "ssh"
+ priority = 100
+ direction = "Inbound"
+ access = "Allow"
+ protocol = "Tcp"
+ source_port_range = "*"
+ destination_port_range = "22"
+ source_address_prefix = "*"
+ destination_address_prefix = "*"
+ }
+ security_rule {
+ name = "http"
+ priority = 200
+ direction = "Inbound"
+ access = "Allow"
+ protocol = "Tcp"
+ source_port_range = "*"
+ destination_port_range = "80"
+ source_address_prefix = "*"
+ destination_address_prefix = "*"
+ }
+ security_rule {
+ name = "https"
+ priority = 210
+ direction = "Inbound"
+ access = "Allow"
+ protocol = "Tcp"
+ source_port_range = "*"
+ destination_port_range = "443"
+ source_address_prefix = "*"
+ destination_address_prefix = "*"
+ }
+ security_rule {
+ name = "icmp"
+ priority = 220
+ direction = "Inbound"
+ access = "Allow"
+ protocol = "Tcp"
+ source_port_range = "*"
+ destination_port_range = "*"
+ source_address_prefix = "*"
+ destination_address_prefix = "*"
+ }
+
+ tags = {
+ environment = "nva"
+ deployment = "terraform"
+ microhack = "vwan"
+ }
+}
+resource "azurerm_network_interface" "nva-iptables-vm-nic-1" {
+ name = "nva-iptables-vm-nic-1"
+ location = var.location-spoke-services
+ resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name
+ enable_ip_forwarding = true
+ ip_configuration {
+ name = "nva-1-ipconfig"
+ subnet_id = azurerm_subnet.nva-subnet-1.id
+ private_ip_address_allocation = "Static"
+ private_ip_address = "172.16.20.4"
+ public_ip_address_id = azurerm_public_ip.nva-iptables-vm-pub-ip.id
+ }
+ tags = {
+ environment = "nva"
+ deployment = "terraform"
+ microhack = "vwan"
+ }
+}
+resource "azurerm_network_interface_security_group_association" "nva-iptables-vm-nsg-ass" {
+ network_interface_id = azurerm_network_interface.nva-iptables-vm-nic-1.id
+ network_security_group_id = azurerm_network_security_group.nva-iptables-vm-nsg.id
+}
+resource "azurerm_network_interface" "nva-iptables-vm-nic-2" {
+ name = "nva-iptables-vm-nic-2"
+ location = var.location-spoke-services
+ resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name
+ enable_ip_forwarding = true
+ ip_configuration {
+ name = "nva-2-ipconfig"
+ subnet_id = azurerm_subnet.nva-subnet-2.id
+ private_ip_address_allocation = "Static"
+ private_ip_address = "172.16.20.68"
+ }
+
+ tags = {
+ environment = "nva"
+ deployment = "terraform"
+ microhack = "vwan"
+ }
+}
+#######################################################################
+## Create Virtual Machine - NVA
+#######################################################################
+resource "azurerm_linux_virtual_machine" "nva-iptables-vm" {
+ name = "nva-iptables-vm"
+ location = var.location-spoke-services
+ resource_group_name = azurerm_resource_group.vwan-microhack-spoke-rg.name
+ network_interface_ids = [azurerm_network_interface.nva-iptables-vm-nic-1.id]
+ size = var.vmsize
+ admin_username = var.username
+ admin_password = var.password
+ disable_password_authentication = false
+
+ source_image_reference {
+ publisher = "Canonical"
+ offer = "UbuntuServer"
+ sku = "18.04-LTS"
+ version = "latest"
+ }
+
+ os_disk {
+ name = "nva-iptables-vm-osdisk"
+ caching = "ReadWrite"
+ storage_account_type = "StandardSSD_LRS"
+ }
+
+ tags = {
+ environment = "nva"
+ deployment = "terraform"
+ microhack = "vwan"
+ }
+}
+
+
diff --git a/tools/route-tables.sh b/tools/route-tables.sh
deleted file mode 100644
index 246f0e9..0000000
--- a/tools/route-tables.sh
+++ /dev/null
@@ -1,9 +0,0 @@
-## Scenario 1 / Task 1
-az network nic show-effective-route-table -g vwan-microhack-spoke-rg -n spoke-1-nic --output table
-# PoSh - Get-AzEffectiveRouteTable -ResourceGroupName vwan-microhack-spoke-rg -NetworkInterfaceName spoke-1-nic | ft
-
-## Scenario 1 / Task 2
-az network nic show-effective-route-table -g vwan-microhack-spoke-rg -n spoke-2-nic --output table
-# PoSh - Get-AzEffectiveRouteTable -ResourceGroupName vwan-microhack-spoke-rg -NetworkInterfaceName spoke-2-nic | ft
-
-## Scenario 2 / Task 1
diff --git a/variables.tf b/variables.tf
index aa38ba4..356970c 100644
--- a/variables.tf
+++ b/variables.tf
@@ -1,66 +1,66 @@
-variable "location-vwan" {
- description = "Location to deploy vwan"
- type = string
- default = "WestEurope"
-}
-variable "location-vwan-we-hub" {
- description = "Location to deploy we hub"
- type = string
- default = "WestEurope"
-}
-
-variable "location-spoke-1" {
- description = "Location to deploy spoke-1"
- type = string
- default = "WestEurope"
-}
-variable "location-spoke-2" {
- description = "Location to deploy spoke-2"
- type = string
- default = "WestEurope"
-}
-variable "location-spoke-3" {
- description = "Location to deploy spoke-3"
- type = string
- default = "EastUS"
-}
-variable "location-spoke-4" {
- description = "Location to deploy spoke-4"
- type = string
- default = "WestUS"
-}
-variable "location-hub-1" {
- description = "Location to deploy hub-1"
- type = string
- default = "WestEurope"
-}
-variable "location-hub-2" {
- description = "Location to deploy hub-2"
- type = string
- default = "EastUS"
-}
-variable "location-onprem" {
- description = "Location to deploy onprem"
- type = string
- default = "northeurope"
-}
-variable "location-spoke-services" {
- description = "Location to deploy spoke-services"
- type = string
- default = "WestEurope"
-}
-variable "username" {
- description = "Username for Virtual Machines"
- type = string
- default = "AzureAdmin"
-}
-
-variable "password" {
- description = "Virtual Machine password, must meet Azure complexity requirements"
- type = string
- default = "Microhack2020"
-}
-variable "vmsize" {
- description = "Size of the VMs"
- default = "Standard_D2_v3"
-}
+variable "location-vwan" {
+ description = "Location to deploy vwan"
+ type = string
+ default = "WestEurope"
+}
+variable "location-vwan-we-hub" {
+ description = "Location to deploy we hub"
+ type = string
+ default = "WestEurope"
+}
+
+variable "location-spoke-1" {
+ description = "Location to deploy spoke-1"
+ type = string
+ default = "WestEurope"
+}
+variable "location-spoke-2" {
+ description = "Location to deploy spoke-2"
+ type = string
+ default = "WestEurope"
+}
+variable "location-spoke-3" {
+ description = "Location to deploy spoke-3"
+ type = string
+ default = "EastUS"
+}
+variable "location-spoke-4" {
+ description = "Location to deploy spoke-4"
+ type = string
+ default = "WestUS"
+}
+variable "location-hub-1" {
+ description = "Location to deploy hub-1"
+ type = string
+ default = "WestEurope"
+}
+variable "location-hub-2" {
+ description = "Location to deploy hub-2"
+ type = string
+ default = "EastUS"
+}
+variable "location-onprem" {
+ description = "Location to deploy onprem"
+ type = string
+ default = "northeurope"
+}
+variable "location-spoke-services" {
+ description = "Location to deploy spoke-services"
+ type = string
+ default = "WestEurope"
+}
+variable "username" {
+ description = "Username for Virtual Machines"
+ type = string
+ default = "AzureAdmin"
+}
+
+variable "password" {
+ description = "Virtual Machine password, must meet Azure complexity requirements"
+ type = string
+ default = "Microhack2020"
+}
+variable "vmsize" {
+ description = "Size of the VMs"
+ default = "Standard_D2_v3"
+}
diff --git a/vm-extensions.tf b/vm-extensions.tf
index 95f6f08..099ea86 100644
--- a/vm-extensions.tf
+++ b/vm-extensions.tf
@@ -1,148 +1,148 @@ - -########################################################## -## Install IIS role on spoke-1 -########################################################## -resource "azurerm_virtual_machine_extension" "install-iis-spoke-1-vm" { - - name = "install-iis-spoke-1-vm" - virtual_machine_id = azurerm_windows_virtual_machine.spoke-1-vm.id - publisher = "Microsoft.Compute" - type = "CustomScriptExtension" - type_handler_version = "1.9" - - settings = < Date: Tue, 22 Dec 2020 16:04:49 +0100 Subject: [PATCH 6/7] Create .gitattributes .gitattributes added with the LF option for *.sh files. to support Git management in Windows and running the scripts inside of WSL. --- .gitattributes | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 .gitattributes diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..04f5402 --- /dev/null +++ b/.gitattributes @@ -0,0 +1,2 @@ +# convert to LF line endings on checkout +*.sh text eol=LF From 518257ef1742060c7e93b11bb4247f3f7a40d8de Mon Sep 17 00:00:00 2001 From: HolgerR <48099512+HolgerReiners@users.noreply.github.com> Date: Tue, 22 Dec 2020 16:25:37 +0100 Subject: [PATCH 7/7] Update README.md Fixed some typos Fixed some MD syntax added WSL prerequisites --- README.md | 169 ++++++++++++++++++++++++++++++++++++------------------ 1 file changed, 114 insertions(+), 55 deletions(-) diff --git a/README.md b/README.md index c53c1b4..e03682b 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,7 @@ # **Routing in Azure Virtual WAN MicroHack** # Contents + [Introduction](#introduction) [Objectives](#objectives) 
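Review bot: The new `.gitattributes` rule `*.sh text eol=LF` most likely does not do what its comment promises, because git compares the `eol` value case-sensitively against `lf` and `crlf` (as far as I recall from convert.c), so an uppercase `LF` is treated as unset and only the `text` attribute takes effect. With `text` alone, a Windows clone running `core.autocrlf=true` still checks the scripts out with CRLF endings, which is exactly the WSL breakage the commit sets out to avoid. Suggested line: `*.sh text eol=lf`. It is also worth noting in the comment that the attribute only normalises files already in the index after a re-add (e.g. `git add --renormalize .`), otherwise existing CRLF scripts stay as committed.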
@@ -26,41 +27,61 @@ [Close out](#close-out) # Introduction -This MicroHack explores some of the advanced routing capabilities recently introduced into Azure Virtual WAN. + +This MicroHack explores some of the advanced routing capabilities recently introduced into Azure Virtual WAN. The lab starts with a single Hub with Spoke VNETs and default routing. We then connect a simulated on-premise location via S2S VPN. Then we add another regional Hub with Spokes and observe how routing extends across multiple Hubs. Next we implement custom routing patterns for Shared Services- and Isolated Spokes. At the end of the MicroHack, there is optional content on network security in Virtual WAN with Network Virtual Appliances and with Secured Hubs. -Prior to starting this MicroHack, please familiarize yourself with routing in Virtual WAN by reviewing the documentation at https://docs.microsoft.com/en-us/azure/virtual-wan/virtual-wan-about and https://docs.microsoft.com/en-us/azure/virtual-wan/about-virtual-hub-routing. +Prior to starting this MicroHack, please familiarize yourself with routing in Virtual WAN by reviewing the documentation at and . 
# Objectives + After completing this MicroHack you will: -- Know how to build a hub-and-spoke topology with Virtual WAN -- Understand default routing in Virtual WAN and how this differs from the classic virtual data center hub-and-spoke spoke architecture -- Understand how custom routing works and know how to build some custom routing scenarios + +- Know how to build a hub-and-spoke topology with Virtual WAN +- Understand default routing in Virtual WAN and how this differs from the classic virtual data center hub-and-spoke spoke architecture +- Understand how custom routing works and know how to build some custom routing scenarios # Lab -The lab consists of a Virtual WAN with Hubs in West Europe and US East, 4 Spoke VNETs (2 in West Europe, 1 in US East and 1 US West), a Shared Services VNET in West-Europe and a simulated On-premise location in North Europe. +The lab consists of a Virtual WAN with Hubs in West Europe and US East, 4 Spoke VNETs (2 in West Europe, 1 in US East and 1 US West), a Shared Services VNET in West-Europe and a simulated On-premise location in North Europe. Each of the Spoke and On-prem VNETs contains a Virtual Machine running a basic web site. The Shared Services VNET contains an Active Directory Domain Controller. the NVA VNET contains a Linux VM with Iptables. An additional VNET containing a Network Virtual Appliance Linux-based firewall is also deployed. This NVA VNET is used in the optional advanced scenario's on network security. -During the course of the MicroHack you will connect the Spoke and Shared Services VNETs and the On-premise site to Virtual WAN, deploy an additional Virtual WAN Hub, and manipulate and observe routing. +During the course of the MicroHack you will connect the Spoke and Shared Services VNETs and the On-premise site to Virtual WAN, deploy an additional Virtual WAN Hub, and manipulate and observe routing. 
At the end of the lab your deployment looks like this: ![image](images/microhack-vwan.png) - Although a Branch (site-to-site VPN) connection is part of this MicroHack, it does not cover the integration with products from SDWAN partners. + # Prerequisites + To make the most of your time on this MircoHack, the green elements in the diagram above are deployed and configured for you through Terraform. You will focus on deploying and configuring the blue items using the Azure portal and Cloud Shell. + +## Optional: Prepare WSL with Ubuntu + +If you would like to run the Microhack with WSLv2 and Ubuntu, please install the following packages before: + +- Azure CLI + - instructions + - direct install with: `curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash` +- Terraform + - download + - instructions +- jq tool + - `sudo apt install jq -y` + ## Task 1: Deploy + Steps: -- Log in to Azure Cloud Shell at https://shell.azure.com/ and select Bash + +- Log in to Azure Cloud Shell at and select Bash - Ensure Azure CLI and extensions are up to date: `az upgrade --yes` @@ -81,13 +102,15 @@ Steps: `terraform init` - Now start the deployment (when prompted, confirm with **yes** to start the deployment): - + `terraform apply` -Deployment takes approximately 30 minutes. +Deployment takes approximately 30 minutes. + ## Task 2: Explore and verify After the Terraform deployment concludes successfully, the following has been deployed into your subscription: + - A resource group named **vwan-microhack-spoke-rg** containing - Four Spoke VNETs, each containing a Virtual Machine running a simple web site, and a Bastion Host. - An Onprem VNET containing a Virtual Machine running a simple web site, a VNET Gateway and a Bastion Host. 
@@ -98,15 +121,19 @@ After the Terraform deployment concludes successfully, the following has been de Verify these resources are present in the portal. Credentials are identical for all VMs, as follows: + - User name: AzureAdmin - Password: Microhack2020 - Domain: micro-hack.local (this is on the ADDC VM only, the other VMs are not joined to this domain yet) -You may log on to each VM through Bastion. Disable IE Enhanced Security Configuration in Server Manager, open Internet Explorer and access http://localhost. You will see a blank page with the VM name in the upper left corner. When logging on to the ADDC VM before it is ready, you will see "Waiting for the Group Policy Client". That is OK, just let it run while you proceed with the lab. +You may log on to each VM through Bastion. Disable IE Enhanced Security Configuration in Server Manager, open Internet Explorer and access . You will see a blank page with the VM name in the upper left corner. When logging on to the ADDC VM before it is ready, you will see "Waiting for the Group Policy Client". That is OK, just let it run while you proceed with the lab. + # Scenario 1: Single Region Virtual WAN with Default Routing In this scenario you connect in-region VNETs to the pre-deployed Hub, and establish VNET-to-VNET communication. You will then inspect effective routes on the spoke VMs and take a look at the VWAN Default routing table. + ## Task 1: Baseline + Connect to spoke-1-vm via Bastion, turn off IE Enhanced Security Configuration in Server Manager, open Internet Explorer and attempt to connect to spoke-2-vm at 172.16.2.4. :question: Does it connect? 
@@ -122,13 +149,15 @@ Alternatively, in Cloud Shell, issue this command: :question: Is there a specific route for spoke-2-vnet (172.16.2.0/24)? ## Task 2: Connect VNETs -In the portal, navigate to the Virtual WAN named **microhack-vwan** in resource group **vwan-microhack-hub-rg**. + +In the portal, navigate to the Virtual WAN named **microhack-vwan** in resource group **vwan-microhack-hub-rg**. Click "Virtual network connections" under "Connectivity" and click "+ Add connection" at the top of the page. Name your connection **spoke-1-we**, select the hub (microhack-we-hub) and in the Resource group drop down select **vwan-microhack-spoke-rg**. In the Virtual network drop down, select **spoke-1-vnet**. Under Routing configuration, select: + - Associate Route Table: Default - Propagate to Route Tables: Default - Propgate to labels: default @@ -138,12 +167,12 @@ Wait for the connection to reach status Succeeded, and do the same for **spoke-2 Your Virtual WAN now looks like this: - ![image](images/scenario1.png) :question: Can you now browse from spoke-1-vm to spoke-2-vm and vice versa? ### :point_right: Spoke routes + Again observe Effective routes for spoke-1-vm. :exclamation: Notice it now has a route for spoke-2-vnet (172.16.2.0/24), pointing to a public address. This is the address of the Route Service, deployed into the Hub to enable routing between peered VNETs, branch connections and other Hubs. The fact that this is a public IP address does not present a security risk, it is not reachable from the internet. 
@@ -151,9 +180,10 @@ Again observe Effective routes for spoke-1-vm. :exclamation: Notice that the routes that enable spoke-to-spoke communication were plumbed into the spoke VNETs automatically. Contrast this with a "classic" hub-and-spoke architecture, where you would need to set up a routing device in the hub VNET and then put UDRs in each of the spokes manually. ### :point_right: Hub routes + Navigate to the blade for the microhack-we-hub in your Virtual WAN and select Routing under Connectivity. Notice there are two Route tables present now: Default and None. -Click on Effective Routes. In the drop downs on the next page, select Route Table and Default respectively. This brings up the Default route table. +Click on Effective Routes. In the drop downs on the next page, select Route Table and Default respectively. This brings up the Default route table. :exclamation: Note that routes for the prefixes of both connected VNETs are present, pointing to the respective VNET connections. @@ -165,9 +195,9 @@ A Virtual WAN can contain multiple Route tables, and we'll add some in the cours *Associated* means that traffic from the Connections listed is governed by this table, in this case the Default route table. This table decides where traffic sent from the connection to the VWAN Route Service (remember the route entry pointing to the public IP address in the Spoke VM's Effective Routes) goes. -*Propagating* means that the Connection's destinations are entered into this Routing table: the table learns the Connection's routes. +*Propagating* means that the Connection's destinations are entered into this Routing table: the table learns the Connection's routes. -The None Route table is also present for each Hub; traffic from Connections Associated with this Route table is dropped. +The None Route table is also present for each Hub; traffic from Connections Associated with this Route table is dropped. # Scenario 2: Add a branch connection 
@@ -176,11 +206,13 @@ Now connect a branch site via a BGP-enabled VPN connection and explore the routi ## Task 1: Connect a simulated branch site In Cloud Shell, in the azure-vwan-microhack directory + - Run the connect-branch shell script: `./connect-branch.sh` The script contains Azure CLI commands that create following resources: + - A VPN Site named "onprem" in the Virtual WAN - A BGP-enabled VPN connection from the "onprem" site to the West Europe Hub - A Local Network Gateway named "lng" to represent the West Europe Hub 
@@ -193,22 +225,27 @@ Your Virtual WAN now looks like this: ![image](images/scenario2.png) ## Task 2: Verify connectivity + Connect to onprem-vm via Bastion and turn off IE Enhanced Security Configuration in Server Manager. Open Internet Explorer and browse to spoke-1-vm at 172.16.1.4 and spoke-2-vm at 172.16.2.4. :question: Does it connect? + ## Task 3: Inspect routing + ### :point_right: BGP routing exchange over VPN + In Cloud Shell, in the azure-vwan-microhack directory, run the branch-routes script: `./branch-routes.sh` -This scripts pulls information on the BGP session from the VNET Gateway vnet-onprem-gw. +This scripts pulls information on the BGP session from the VNET Gateway vnet-onprem-gw. -:exclamation: Note that the "routes learned" output contains all routes the Gateway knows: those that are in the same VNET, with "origin" indicating "Network", as well as routes learned from the Virtual WAN Hub via BGP with "origin" indicating "EBgp". +:exclamation: Note that the "routes learned" output contains all routes the Gateway knows: those that are in the same VNET, with "origin" indicating "Network", as well as routes learned from the Virtual WAN Hub via BGP with "origin" indicating "EBgp". ### :point_right: Branch routes + Now observe Effective Routes for onprem-vm. In the portal, in the Properties view of the VM Overview blade, click on Networking. Then click on the name of the Network Interface. The NIC overview shows, under Support + troubleshooting click Effective routes. 
@@ -217,30 +254,33 @@ Now observe Effective Routes for onprem-vm. `az network nic show-effective-route-table -g vwan-microhack-spoke-rg -n onprem-nic --output table` -:exclamation: Note that routes are present for the Spoke VNETs, pointing to the local VNET VPN Gateway. +:exclamation: Note that routes are present for the Spoke VNETs, pointing to the local VNET VPN Gateway. The VNET Gateway learned the routes for the Spoke VNETs via BGP and programmed them into the vm route table automatically, without the need to install UDRs. ### :point_right: Spoke routes + Observe Effective Routes for spoke-1-vm: `az network nic show-effective-route-table -g vwan-microhack-spoke-rg -n spoke-1-nic --output table` :exclamation: Notice that spoke-vm-1 now has routes for the IP ranges of the onprem site, 10.0.1.0/24 and 10.0.2.0/24. This site is connected via VPN, and although "Source" and "Next Hop Type" are the same as for peered VNET spoke-2-vnet, the next hop address is different. - + Whereas the next hop for spoke-vnet-2 is the Hub routing engine, the next hop for VPN connection is the VPN Gateway, which has a private IP address from the range assigned to Hub. The routes for the VPN connection where plumbed into the spoke automatically and there is no need to place User Defined Routes in the spoke VNETs. ### :point_right: Hub routes -Observe the Effective routes of the Default route table. -:exclamation: Note that routes for the on-prem site's prefixes are now present, pointing to S2S VPN Gateway. +Observe the Effective routes of the Default route table. + +:exclamation: Note that routes for the on-prem site's prefixes are now present, pointing to S2S VPN Gateway. Realize that the Route Service itself is not in the data path for branch traffic. The Route Service acts as a route reflector, traffic flows directly between the VM in the spoke and VPN Gateway. 
# Scenario 3: Multi-regional Virtual WAN -We will now expand the Virtual WAN across regions by adding a Hub with Spokes in the US East region. + +We will now expand the Virtual WAN across regions by adding a Hub with Spokes in the US East region. A key take away from this scenario is that each hub runs its own routing instance and contains its own routing tables. @@ -253,6 +293,7 @@ At the end of this scenario, your lab looks like this: ## Task 1: Add a Hub In the portal, Select your **microhack-vwan**. Under Connectivity, select Hubs, then +New Hub at the top of the page and complete the Basics dialog as follows: + - Region: East US - Name: microhack-useast-hub - Hub private address space: 192.168.1.0/24 @@ -263,9 +304,10 @@ Alternatively, in Cloud Shell, issue this command: `az network vhub create --address-prefix 192.168.1.0/24 --name microhack-useast-hub --vwan microhack-vwan --resource-group vwan-microhack-hub-rg --location eastus --sku Standard` - This will take a few minutes to complete. + This will take a few minutes to complete. ## Task 2: Connect VNETs + Connect spoke-3-vnet and spoke-4-vnet to the new Hub. We connected VNETs through the portal in Scenario 1, so to save time we'll do this through a prepared shell script. In Cloud Shell, enter @@ -275,6 +317,7 @@ In Cloud Shell, enter This will take a few minutes to complete. While the script runs, you can see the connections being added in the portal, in your microhack-vwan under Connectivity, Virtual network connections. Wait for both Connections to show status Succeeded, and for the Hub's Routing status to change from Provisioning to Succeeded. ## Task 3: Verifiy connectivity and inspect routing + Connect to spoke-1-vm via Bastion. Open Internet Explorer, browse to spoke-3-vm at 172.16.3.4 and to spoke-4-vm at 172.16.4.4. Do the same from on-prem-vm. 
@@ -283,11 +326,11 @@ Do the same from on-prem-vm. :point_right: Spoke routes -Observe Effective Routes for spoke-1-vm, either in the portal or in Cloud Shell through +Observe Effective Routes for spoke-1-vm, either in the portal or in Cloud Shell through `az network nic show-effective-route-table -g vwan-microhack-spoke-rg -n spoke-1-nic --output table` -:question: Which routes have been added to spoke-1-vm's route table? +:question: Which routes have been added to spoke-1-vm's route table? :question: What is the next hop for the new routes? @@ -302,6 +345,7 @@ Now observe Effective Routes for spoke-3-vm, which is in Spoke 3 connected to th Again, realize that Virtual WAN installed these routes in the Spoke VNETs automatically! ### :point_right: BGP routing exchange over VPN + In Cloud Shell, run the branch-routes script: `./branch-routes.sh` @@ -312,7 +356,7 @@ In Cloud Shell, run the branch-routes script: Observe Effective Routes of the Default route table on the microhack-we-hub, as you did in Scenario 1. -:question: Which routes have been added and where do they point? +:question: Which routes have been added and where do they point? :question: What is the meaning of the AS path? 
@@ -320,32 +364,33 @@ Then go to Effective Routes of the Default route table on the newly added microh :question: Where do the routes for Spoke 1 and Spoke 2 (172.16.(1)(2).0/24) and the Branch (10.0.(1)(2).0/24) point? -:question: What is their AS path and how does this compare to what you saw on the West Europe hub? +:question: What is their AS path and how does this compare to what you saw on the West Europe hub? :point_right: Association and Propagation -In the portal, in the microhack-vwan blade under Connectivity click Virtual network connections and expand Virtual networks for both Hubs. +In the portal, in the microhack-vwan blade under Connectivity click Virtual network connections and expand Virtual networks for both Hubs. -:exclamation: Note that for all 4 connections across both Hubs, under Associated to Route Table it says "defaultRouteTable". +:exclamation: Note that for all 4 connections across both Hubs, under Associated to Route Table it says "defaultRouteTable". This means that each connection takes its routing information from the default route table of its *local* hub. This is always the case: the route service in a Hub only programs routing information to its directly connected Spokes. :exclamation: Under Propagation to Route Tables, it also says "defaultRouteTable". This means that this connection sends its reachability information (i.e. the prefixes behind it) to its *local* default route table only, but *not* to the other Hub. -However, we observed that the defaultRouteTable of the West Europe Hub does have routes for the Spokes in US East and vice versa. +However, we observed that the defaultRouteTable of the West Europe Hub does have routes for the Spokes in US East and vice versa. -This happens because under Propagating to labels, there is the entry "default". +This happens because under Propagating to labels, there is the entry "default". 
Labels are a method of grouping Route Tables across Hubs, so that they do not have to be specified individually. The defaultRouteTables in all Hubs in a VWAN are automatically included in the "default" label, and Propagation to this label is automatically enabled. It is possible to change this after deployment to implement custom routing patterns. # Scenario 4: Isolated Spokes and Shared Services Spoke + Imagine an IT department that must facilitate DevOps teams. IT operates a number of central services, such as the networks in and between Azure and on-premise, and the Active Directory domain. DevOps teams are given their own VNETs in Azure, connected to a central hub that provides connectivity and the domain. The DevOps teams operate independently and their environments must remain isolated from each other. This scenario adds a Shared Services Spoke with a Domain Controller, and changes the routing so that the Spokes can only reach the Branch and the Shared Services Spoke, but remain isolated from each other. -See https://docs.microsoft.com/en-us/azure/virtual-wan/scenario-shared-services-vnet for background. +See for background. At the end of this Scenario your lab, with enabled and disabled traffic flows, looks like this: @@ -364,6 +409,7 @@ Wait for the connection to complete and show status Succeeded in the portal. ## :hand: West Europe Hub In the microhack-we-hub, under Connectivity select Routing and then +Create route table. Complete the configuration as follows: + - Tab Basics - Name: RT-Shared-we - Tab Labels 
@@ -379,7 +425,7 @@ The Routing view of the West Europe Hub hub now shows 2 connections associated t The RT-Shared-we table has 2 connections associated (both Spokes), and 2 connections propagating (Shared Services and Branch). -![image](images/scenario-4-we-routetables.png) +![image](images/scenario-4-we-routetables.png) :exclamation: It may take a few minutes for the changes to complete. If RT-Shared-does not look as expected, edit the table and correct the Associations and Propagations settings per the instructions above. 
@@ -389,30 +435,31 @@ Before proceeding, ensure that the routing view of microhack-we-hub look as abov For microhack-useast-hub, under Connectivity select Routing and then +Create route table and complete as follows: Tab Basics - - Name: RT-Shared-useast + +- Name: RT-Shared-useast - Tab Labels - Label Name: Shared - Tab Associations - In the drop down under Virtual Networks, select both Spokes. - Tab Propagations - Enter *nothing* because: - - We do not want the local Spokes to propagate to this table, as they should not learn each other's routes - - The RT-Shared-useast table must only contain routes to the Shared Services Spoke- and the Branch connections, and it will learn these from the West Europe hub via the inter-hub link + - We do not want the local Spokes to propagate to this table, as they should not learn each other's routes + - The RT-Shared-useast table must only contain routes to the Shared Services Spoke- and the Branch connections, and it will learn these from the West Europe hub via the inter-hub link - Click Create Routing for the US East Hub shows both Spoke VNET connections propagating to the Default route table, and both are associated with the RT-Shared-useast table. -![image](images/scenario-4-useast-routetables.png) +![image](images/scenario-4-useast-routetables.png) ## :handshake: Cross-region :exclamation: We must also ensure that the Shared Services VNET connection and the Branch connection, which are connected to the West Europe Hub, *also* propagate to the RT-Shared-useast table. -For the **Shared Services VNET**, this is configured on the connection, and we will use the Shared label which groups the RT-Shared tables in both hubs. +For the **Shared Services VNET**, this is configured on the connection, and we will use the Shared label which groups the RT-Shared tables in both hubs. In the microhack-vwan view, select Virtual network connections. 
Expand the connections on microhack-we-hub, click the elipsis at the end of the services-vnet row and select Edit. In the Propagate to labels drop-down, select both default and Shared labels, and click Confirm. -![image](images/scenario-4-edit-shared.png) +![image](images/scenario-4-edit-shared.png) To let the **Branch** route propagate accross to the East US Hub, the Branches setting in the Propagations tab of RT-Shared-we, the Shared table in the **West Europe** hub, must be updated. Edit RT-Shared-we, click the Propgations tab. Under Branches (Site VPN/ExpressRoute/User VPN) ensure both default and Shared are selected. Click Create. @@ -435,9 +482,11 @@ Try to ping spoke-addc-vm (172.16.10.4). :question: Does ping succeed? ## Task 4 (Optional): Join Spoke vm to Domain + The Shared Service VNET contains an AD domain controller. To demonstrate connectivity from the Spokes to the Shared Services VNET, you can optionally join one or more spoke vm's to the domain. + - Point the DNS in spoke-vnet-1 to spoke-addc-vm, in Cloud Shell: `az network vnet update --name spoke-1-vnet --resource-group vwan-microhack-spoke-rg --dns-servers 172.16.10.4` @@ -446,7 +495,7 @@ To demonstrate connectivity from the Spokes to the Shared Services VNET, you can `ipconfig /renew` -- On spoke-1-vm, open Server Manager and click Local Server. +- On spoke-1-vm, open Server Manager and click Local Server. - Then click WORKGROUP, click the Change ... button, select the Domain radio button under Member of and enter micro-hack.local, click OK. - Enter credentials - User name: AzureAdmin 
@@ -480,7 +529,7 @@ View Effective Routes for the Default table of the West Europe hub: in the porta Go back to the Route Tables view of microhack-we-hub, click RT-Shared-we and then View effective routes for this table. -:question: Are routes for the Spokes (172.16.(1)(2)(3)(4).0/24) present? +:question: Are routes for the Spokes (172.16.(1)(2)(3)(4).0/24) present? :question: Are routes for the Shared Services VNET (172.16.10.0/24) and the Branch (10.0.(1)(2).0/24) present? 
@@ -493,30 +542,31 @@ Now view RT-Shared-useast and Default tables for the US East Hub. :exclamation: Note that the Default table does not contain routes. The Default route table of the US East Hub does not have any connections Associated with it. It does have connections Propagating into it, so should contain routing information. *Apparently* a route table shows empty when it has no connections Associated, i.e. nothing to consume its routing information. # Close out + You have explored VWAN routing to a good level of detail. As Virtual WAN grows and matures, it is important you have a good understanding of this topic to guide and help customers in a variety of use cases. This MicroHack is available for you to use with your teams, your customers and partners to reinforce their understanding. Below are optional challenges on network security in Virtual WAN with Network Virtual Appliances and Secured Hubs. Use this content at your own pace to expand your knowledge and skills. If you decide to continue now, skip the clean-up task below and start the optional Scenario 5. -## Final Task: Delete all resources +## Final Task after scenario 4: Delete all resources Run this script to delete all resources: `./clean-up-after-scenario-4.sh` -This may take up to 30 minutes to compete. Remember to verify that all resources have indeed been deleted. +This may take up to 30 minutes to compete. Remember to verify that all resources have indeed been deleted. In Cloud Shell, delete the azure-vwan-microhack directory: `rm -rf azure-vwan-microhack` - # Scenario 5 (Optional): Filter traffic through a Network Virtual Appliance + Virtual WAN today does not support third party NVA firewalls in the Hub. Third party SD-WAN concentrators from Barracuda and Cisco Viptella are now supported, but that capability does not yet exist for firewall products. Third party NVA firewalls must therefore be placed in a Spoke, with protected VNETs peered behind. 
-See https://docs.microsoft.com/en-us/azure/virtual-wan/scenario-route-through-nva for background on this pattern. +See for background on this pattern. -This scenario demonstrates how to route traffic through a third party Network Virtual Appliance. We use a single Linux VM with IPTables, with a rule set allowing all traffic. +This scenario demonstrates how to route traffic through a third party Network Virtual Appliance. We use a single Linux VM with IPTables, with a rule set allowing all traffic. At the end of this Scenario your VWAN looks like this: @@ -527,7 +577,9 @@ At the end of this Scenario your VWAN looks like this: In this scenario we will manipulate routing to direct traffic to and from spoke-1-vnet and spoke-2-vnet through the NVA. Outbound internet traffic from spoke-1-vnet and spoke-2-vnet will also be directed through the NVA, but we will discover that it is not possible to do so for spoke-3-vnet and spoke-4-vnet. ## Task 1: Prepare the environment + A number of changes must be made to prepare the Virtual WAN for this scenario: + - Reconfigure for Default routing - Disconnect Spoke 1 and Spoke 2 from the Hub - Connect the NVA Spoke to the Hub @@ -540,6 +592,7 @@ To implement these changes, run this script in Cloud Shell: This will take a few minutes to complete. ## Task 2: Add User Defined Routes + We must now add UDRs to the subnet vmSubnet in both Spoke 1 and Spoke 2 VNETs, to direct all traffic to the NVA in nva-vnet. Run this script in Cloud Shell: 
@@ -553,11 +606,13 @@ All traffic outbound from spoke-1-vm and spoke-2-vm is now directed to the NVA i :exclamation: nva-vnet is already connected to West Europe Hub and has routes programmed by the Route Service, so we do not need to add a UDR manually. ## Task 3: Modify VWAN routing + The Virtual WAN is not aware that Spoke 1 and Spoke 2 are now behind the NVA, so we must update the routing by adding static custom routes for Spoke 1 and Spoke 2 pointing to the NVA. :exclamation: Note that a static custom route must be added to the Default route table of *both* the West Europe *and* the US East Hubs. It is not sufficient to only a static route to the West Europe Hub, as this route will not propagate to remote hubs. In the portal, go to the Routing blade of microhack-we-hub. Click the Default route table, and in Basics at the bottom, create a custom route: + - Route name: spoke1-via-nva - Destination type: leave at CIDR - Destination prefix: 172.16.1.0/24 @@ -571,6 +626,7 @@ Click Review+create and then Create. Then go the Routing blade of microhack-useast-hub and do the same. You can skip adding the Next Hop IP as the connection to nva-vnet already has this configuration applied. ## Task 4: Verify connectivity + :point_right: From "protected" VNETs Spoke 1 and Spoke 2 On spoke-1-vm, traceroute and browse to each of the Spokes (172.16.(2)(3)(4).4) and to the Branch (10.0.1.4). 
@@ -607,7 +663,7 @@ View Effective Routes for spoke-1-vm, in the portal or in Cloud Shell: View Effective Routes for spoke-3-vm, in the portal or in Cloud Shell: -`az network nic show-effective-route-table -g vwan-microhack-spoke-rg -n spoke-1-nic --output table` +`az network nic show-effective-route-table -g vwan-microhack-spoke-rg -n spoke-3-nic --output table` :question: Identify the routes that you see. Comparing to Spoke routes we saw in previous scenario's, is this now different and why (not)?. From the perspective of Spoke 3, has placing Spokes 1 and 2 behind an NVA VNET on the *remote* hub changed its view of the network? @@ -640,7 +696,7 @@ This final and optional scenario converts the Hubs into Secured Hubs through Azu To put the VWAN back into "default" state, a number of changes must be made: - Disconnect Spoke 1 and Spoke 2 from the the NVA Spoke -- Remove UDRs from Spoke 1 and Spoke 2 +- Remove UDRs from Spoke 1 and Spoke 2 - Remove custom routes - Disconnect the NVA Spoke to the Hub - Connect Spoke 1 and Spoke 2 to the West Europe Hub @@ -665,22 +721,24 @@ In the Firewall Mananger blade, click Azure Firewall Policies and + Create Azure - Region: West Europe **Rules** + - Click + Add a rule collection - Name: default-policy - Rule collection type: Network - Priority: 100 - Action: Allow - - Rules: + - Rules: - Name: Allow-all - Source type: IP Address - Source: * - Protocol: Any - - Destination Ports: * - - Destination Type: IP Address + - Destination Ports: * + - Destination Type: IP Address - Destination: * - Click Add **Hubs** + - Click +Associate virtual hubs - Select both your hubs - Click Add 
@@ -691,7 +749,7 @@ In the Firewall Mananger blade, click Azure Firewall Policies and + Create Azure This deploys Azure Firewall into your Hubs and applies the Allow-all policy to both. This operation will take a few minutes to complete. -## Task 3: Secure Internet traffic +## Task 3: Secure Internet traffic Route settings for your Secured Hubs are managed in Firewall Manager. @@ -724,11 +782,12 @@ On spoke-1-vm, browse to www.whatismyipaddress.com. To be added, this is pending service update enabling V-SH-SH-V pattern. # Close out + You have explored VWAN routing to a good level of detail. As Virtual WAN grows and matures, it is important you have a good understanding of the subject, to guide and help customers in a variety of use cases. This MicroHack is available for you to use with your teams, your customers and partners to reinforce their understanding. -## Final Task: Delete all resources +## Final Task after scenario 6: Delete all resources Delete the vwan-microhack-hub-rg and vwan-microhack-spoke-rg resource groups. This may take up to 30 minutes to compete. Check back to verify that all resources have indeed been deleted.