Advanced networking arm templates (#302)

rakeshvanga · web-flow · commit ec9bc2da1ec2 · 2020-04-08T19:32:06.000-07:00
* advanced networking arm templates

* use correct file name

* review comments

* fix deployment errors

* making sure that 3389 port is enabled on vm

* doc updates

* create uniquestring

* remove quotes

* read me updates and clean up
diff --git a/advanced networking/README.md b/advanced networking/README.md
@@ -0,0 +1,41 @@
+# Advanced Networking
+This directory contains scripts and ARM templates to deploy resources which would show how to securely debug your projects using Azure Dev Spaces in a secured virtual network.  
+
+## Overview
+These ARM templates deploy a virtual network with an Azure firewall. The virtual network and Azure firewall ensure the traffic into and out of the virtual network is secured and monitored by the firewall. The AKS cluster is deployed into a private virutal network into the `aks-subnet`. An Azure Dev Spaces controller with `private` endpoint is also created on this AKS cluster and the controller's endpoint is only available in the same virtual network as the AKS cluster. To use Azure Dev Spaces to start debugging your projects, the ARM templates deploy a Windows 10 virtual machine in the `vm-subnet` subnet, which is also in the same virtual network as the AKS cluster.
+The Azure Dev Spaces routing capabilities as well as the endpoints of your services are only available within the virtual network.
+
+To learn more about the network architecture of Azure Dev Spaces and configuring its endpoint types see [Configure networking for Azure Dev Spaces in different network topologies.](https://aka.ms/azds-networking)
+
+## Prerequisites
+1. This scripts requires `az cli` & `kubectl` to set up the resources.
+2. Ensure that the subscription has `Microsoft.ContainerInstance` & `Microsoft.Storage` resource providers are registered. This is required as the
+   templates uses arm's deploymentScripts resource.
+
+## Deploying the ARM template
+This folder contains following files which would help in deploying resources:
+ * `devspaces-vnet-template.json` is the ARM template 
+ * `devspaces-vnet-parameters.json` defines the parameter values for the ARM template 
+ * `deploy.sh` is a script you can use to automate the deployment of the ARM template
+
+When using the `deploy.sh` script to deploy the ARM template, the script prompts you for the necessary values. For example:
+```
+$ chmod +x ./deploy.sh
+$ ./deploy.sh
+This script will deploy resouces which will enable you to work securely in a private virtual network.
+Enter the Resource Group name:
+< Enter a resource group name >
+Enter the managed identity name:
+< Enter a name for managed identity >
+Enter a password for connecting to vm:
+< Enter password for the windows VM that is used as a development machine to debug your projects > 
+```
+After the deployment is done, the script outputs the required details to connect to the VM for debugging. For example:
+```
+Use '< password >' password to connect to the '< ipaddress >' windows VM created in the Resource group '< resource group name >' to securely debug your projects with Azure Dev Spaces.
+```
+
+**Important:** The resources deployed using these templates should be used only as a starting point to secure your virtual network.
+
+## Connecting to the virtual network for secure development
+Use the virtual machine created by the ARM template on the virtual network to start developing on your AKS cluster with Azure Dev Spaces. You can use the IP address and the password you set when deploying the ARM template to connect to the virtual machine. For more details on developing with Azure Dev Spaces, see the [Azure Dev Spaces quickstart.](https://aka.ms/azds-quickstart-netcore)
diff --git a/advanced networking/deploy.sh b/advanced networking/deploy.sh
@@ -0,0 +1,65 @@
+#!/bin/bash
+fatal()   { echo "[FATAL]   $*" ; exit 1 ; }
+
+if ! which az >/dev/null 2>/dev/null; then
+    fatal "Install azure cli to continue deploying resources."
+fi
+if ! which kubectl >/dev/null 2>/dev/null; then
+    fatal "Install kubectl to continue deploying resources."
+fi
+
+echo "This script will deploy resouces which will enable you to work securely in a private virtual network".
+echo "Enter the Resource Group name:" &&
+read resourceGroupName &&
+echo "Enter the location:" &&
+read region &&
+echo "Enter the managed identity name:" &&
+read idName &&
+echo "Enter a password for connecting to vm:" &&
+read password &&
+
+echo "Running..."
+
+# 1. Create resource group
+az group create -n $resourceGroupName -l $region
+
+# 2. Create user assigned MI for running scripts in ARM templates
+identity=$(az identity create -g $resourceGroupName -n $idName --query id -o tsv)
+
+# 3. Assign contributor role for the MI on the RG
+miPrincipalId=$(az identity show -g $resourceGroupName -n $idName --query principalId -o tsv)
+az role assignment create --role 'Contributor' -g $resourceGroupName --assignee $miPrincipalId
+
+# 4. Create Service principal to be used by the AKS cluster
+sp_name="aks-sp-private"
+aks_sp_secret=$(az ad sp create-for-rbac --name "http://$sp_name" -o tsv --query password)
+aks_sp_id=$(az ad sp show --id http://$sp_name -o tsv --query appId)
+
+# 5. Updating the parameters of the ARM template
+sed -i "s#{identity}#$identity#g" devspaces-vnet-parameters.json
+sed -i "s/{aks_sp_secret}/$aks_sp_secret/g" devspaces-vnet-parameters.json
+sed -i "s/{aks_sp_id}/$aks_sp_id/g" devspaces-vnet-parameters.json
+sed -i "s/{password}/$password/g" devspaces-vnet-parameters.json
+
+# 6. Deploy the resources
+az group deployment create -g $resourceGroupName --template-file devspaces-vnet-template.json --parameters devspaces-vnet-parameters.json
+
+# 7. Get the Public IP of the VM
+ip=$(az network public-ip show -g $resourceGroupName -n "bridge-vm_ip" --query ipAddress -o tsv)
+
+# 8. Get the kube-api server IP
+az aks get-credentials -n private-aks-cluster -g $resourceGroupName -f ./kubeconfig
+chmod +x ./kubeconfig
+api_server=$(kubectl get endpoints --kubeconfig=./kubeconfig -o=jsonpath='{.items[?(@.metadata.name == "kubernetes")].subsets[].addresses[].ip}')
+
+# add the api server ip to the firewall
+az extension add --name azure-firewall
+az network firewall network-rule create --firewall-name private-firewall --resource-group $resourceGroupName --collection-name "aksnetwork" --destination-addresses "$api_server"  --destination-ports 22 443 9000 --name "allow network" --protocols "TCP" --source-addresses "*" --action "Allow" --description "aks network rule" --priority 100
+
+# clean up the mi created for deploying the resources
+az role assignment delete --role 'Contributor' -g $resourceGroupName --assignee $miPrincipalId
+az identity delete -g $resourceGroupName -n $idName
+rm -rf ./kubeconfig
+
+echo "Use '$password' password to connect to the '$ip' windows VM created in the Resource group '$resourceGroupName' to securely debug your projects with Azure Dev Spaces."
+echo "Please follow the documentation here https://aka.ms/azds-networking to try out different endpoint scenarios."
diff --git a/advanced networking/devspaces-vnet-parameters.json b/advanced networking/devspaces-vnet-parameters.json
@@ -0,0 +1,21 @@
+{
+    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
+    "contentVersion": "1.0.0.0",
+    "parameters": {
+        "identity": {
+            "value": "{identity}"
+        },
+        "endpointType": {
+            "value": "Private"
+        },
+        "vm_password": {
+            "value": "{password}"
+        },
+        "aks_sp_id": {
+            "value": "{aks_sp_id}"
+        },
+        "aks_sp_secret": {
+            "value": "{aks_sp_secret}"
+        }
+    }
+}
diff --git a/advanced networking/devspaces-vnet-template.json b/advanced networking/devspaces-vnet-template.json
