Azure

Criando Web Site com alta disponibilidade Azure CLI (Bash)

Neste artigo iremos criar Web Site em alta disponibilidade, composto por duas VM Windows Server 2019 com IIS habilitado e um load balance, não iremos abordar aqui segurança como Application Gateway, WAF, API MAN, etc. Este artigo visa somente a criação via scritp de toda a infraestrutura (também não iremos abordar o deploy de qualquer aplicação neste artigo).

#!/bin/bash

##Declarando Variaveis (Obrigatório)

export Subscription_Name=”Santana-Corp”
export RG_Name=”WEBSERVER-PRD-EAST”
export Location=”eastus”
export Object_Name=”WEBSERVER”

##Storage Accout

export Storage=”stgdiag${Object_Name,,}”
export SKU_Storage=”Standard_LRS” ##Exemplo Standard_LRS##

##Grupo de Disponibiliade Availability Set

export Name_AV_SET=”AV-SET”-“${Object_Name}”

##Network Security Group NSG

export NSG_Name=”NSG”-“${Object_Name}”
export Fault_Domain=”3″
export Update_Domain=”20″
export Rule01=”HTTP”
export Rule02=”HTTPS”

##Vnet Existente (Variaveis para utilizar Vnet Existente)

export RG_Vnet=”Resource Group da Vnet existente”
export Subnet_Name=”Subnet da Vnet existente”
export Vnet_Name=”Vnet existente”

##Variaveis de Rede (Obrigatório)

export NIC_Name1=”NIC”-“${Object_Name}”1
export NIC_Name2=”NIC”-“${Object_Name}”2
export Accelerated=”False”
export PublicIP=”PUBLIC-IP”-“${Object_Name}”
export PublicIP_Method=”Static”
export ELB_Name=”ELB”-“${Object_Name}”
export SKU=”Basic”
export Frontend_Name=”FE”-“${Object_Name}”
export BackendPool_Name=”BEP”-“${Object_Name}”
export ProbeName01=”Probe-http”
export ProbeName02=”Probe-https”
export Protocol01=”tcp”
export Port01=”80″
export Port02=”443″

##Variavel para criacao da VM (Obrigatório)

export Image_SO=”Win2019Datacenter”
export VM_Name1=”VM”-“${Object_Name}”1
export VM_Name2=”VM”-“${Object_Name}”2
export User_Name=”azroot”
export PWD=”#!49_WelCome_Az@#”
export Size=”Standard_D2S_v3″
export SKU_STG=”Standard_LRS” ## Disco ##
export DiskName_01=”DISK”-“${Object_Name}”01
export DiskName_02=”DISK”-“${Object_Name}”02
export SizeDisk_01=”256″
export SizeDisk_02=”512″
export Disk_Data01=”DISK-DATA”-“${Object_Name}”1
export Disk_Data02=”DISK-DATA”-“${Object_Name}”2

##Variaveis TAGs (Não Obrigatório)

export Costacenter=”Centro de Custos”
export Value_Costcenter=”111245″
export Environment=”Environment”
export Environment_Value=”Produção”
export Depto=”Departamento”
export Depto_Value=”Recursos Humanos”

###Execução do Script

###Selecionar subscription

az account set –subscription “${Subscription_Name}”

###Criando Resource Group

az group create -n “${RG_Name}” -l “${Location}” –tags “${Costacenter}”=”${Value_Costcenter}” “${Environment}”=”${Environment_Value}” “${Depto}”=”${Depto_Value}”

###Criando Storage Accout

az storage account create -g “${RG_Name}” -n “${Storage}” -l “${Location}” –sku “${SKU_Storage}” –tags “${Costacenter}”=”${Value_Costcenter}” “${Environment}”=”${Environment_Value}” “${Depto}”=”${Depto_Value}”

###Criano IP Publico

az network public-ip create -g “${RG_Name}” -n “${PublicIP}” -l “${Location}” –allocation-method “${PublicIP_Method}” –tags “${Costacenter}”=”${Value_Costcenter}” “${Environment}”=”${Environment_Value}” “${Depto}”=”${Depto_Value}”

###Criando Network Security Group NSG

az network nsg create -g “${RG_Name}” -n “${NSG_Name}” -l “${Location}” –tags “${Costacenter}”=”${Value_Costcenter}” “${Environment}”=”${Environment_Value}” “${Depto}”=”${Depto_Value}”

###Criar regras NSG

az network nsg rule create -g “${RG_Name}” –nsg-name “${NSG_Name}” -n “${Rule01}” –protocol tcp –priority 100 –source-address-prefixes 0.0.0.0/0 –destination-port-range 80 –access allow
az network nsg rule create -g “${RG_Name}” –nsg-name “${NSG_Name}” -n “${Rule02}” –protocol tcp –priority 101 –source-address-prefixes 0.0.0.0/0 –destination-port-range 443 –access allow

###Criar Grupo de Disponibilidade

az vm availability-set create -g “${RG_Name}” -n “${Name_AV_SET}” –platform-fault-domain-count “${Fault_Domain}” –platform-update-domain-count “${Update_Domain}” -l “${Location}” –tags “${Costacenter}”=”${Value_Costcenter}” “${Environment}”=”${Environment_Value}” “${Depto}”=”${Depto_Value}”

###Declarando varivel para utilizar Vnet existente (Obrigatório)

SUBNET_ID001=$(az network vnet subnet show –name “${Subnet_Name}” –vnet-name “${Vnet_Name}” -g “${RG_Vnet}” –query id –output tsv)
SUBNET_ID002=$(az network vnet subnet show –name “${Subnet_Name}” –vnet-name “${Vnet_Name}” -g “${RG_Vnet}” –query id –output tsv)
export IPConfig_Name=”ipconfig1″

###Criando NIC (Interface de rede)

az network nic create –name “${NIC_Name1}” -g “${RG_Name}” –subnet $SUBNET_ID001 –accelerated-networking “${Accelerated}” –network-security-group “${NSG_Name}” –tags “${Costacenter}”=”${Value_Costcenter}” “${Environment}”=”${Environment_Value}” “${Depto}”=”${Depto_Value}”
az network nic create –name “${NIC_Name2}” -g “${RG_Name}” –subnet $SUBNET_ID002 –accelerated-networking “${Accelerated}” –network-security-group “${NSG_Name}” –tags “${Costacenter}”=”${Value_Costcenter}” “${Environment}”=”${Environment_Value}” “${Depto}”=”${Depto_Value}”

###Declaranado Variaveis para Fixar IP

NIC_ID001=$(az network nic show –name “${NIC_Name1}” -g “${RG_Name}” –query id –output tsv)
NIC_ID002=$(az network nic show –name “${NIC_Name2}” -g “${RG_Name}” –query id –output tsv)

###Declarando varivel para utilizar IP Fixo existente (Obrigatório)

IP_ID001=$(az network nic ip-config show -g “${RG_Name}” -n “${IPConfig_Name}” –nic-name “${NIC_Name1}” –query privateIpAddress –output tsv)
IP_ID002=$(az network nic ip-config show -g “${RG_Name}” -n “${IPConfig_Name}” –nic-name “${NIC_Name2}” –query privateIpAddress –output tsv)

###Fixando IP na interface de rede#Fixando IP

az network nic ip-config update -g “${RG_Name}” –nic-name “${NIC_Name1}” -n “${IPConfig_Name}” –private-ip-address $IP_ID001
az network nic ip-config update -g “${RG_Name}” –nic-name “${NIC_Name2}” -n “${IPConfig_Name}” –private-ip-address $IP_ID002

###Criando Virtual Machine Windows Server 2019

az vm create –name “${VM_Name1}” -g “${RG_Name}” -l “${Location}” –availability-set “${Name_AV_SET}” –boot-diagnostics-storage “${Storage}” –os-disk-name “${DiskName_01}” –os-disk-size-gb “${SizeDisk_01}” –image “${Image_SO}” –nics $NIC_ID001 –admin-username “${User_Name}” –admin-password “${PWD}” –size “${Size}” –storage-sku “${SKU_STG}”
az vm create –name “${VM_Name2}” -g “${RG_Name}” -l “${Location}” –availability-set “${Name_AV_SET}” –boot-diagnostics-storage “${Storage}” –os-disk-name “${DiskName_02}” –os-disk-size-gb “${SizeDisk_01}” –image “${Image_SO}” –nics $NIC_ID002 –admin-username “${User_Name}” –admin-password “${PWD}” –size “${Size}” –storage-sku “${SKU_STG}”

###Criando disco de dados

az disk create -g “${RG_Name}” -n “${Disk_Data01}” –size-gb “${SizeDisk_02}”
az disk create -g “${RG_Name}” -n “${Disk_Data02}” –size-gb “${SizeDisk_02}”

###Anexando Disco a VM existente

az vm disk attach -g “${RG_Name}” –vm-name “${VM_Name1}” –name “${Disk_Data01}”
az vm disk attach -g “${RG_Name}” –vm-name “${VM_Name2}” –name “${Disk_Data02}”

###Habilitando IIS Windows Server

az vm extension set –publisher Microsoft.Compute –version 1.8 –name CustomScriptExtension –vm-name “${VM_Name1}” -g “${RG_Name}” –settings ‘{“commandToExecute”:”powershell.exe Install-WindowsFeature -Name Web-Server”}’
az vm extension set –publisher Microsoft.Compute –version 1.8 –name CustomScriptExtension –vm-name “${VM_Name2}” -g “${RG_Name}” –settings ‘{“commandToExecute”:”powershell.exe Install-WindowsFeature -Name Web-Server”}’

###Criando Load Balance

az network lb create -g “${RG_Name}” -n “${ELB_Name}” –sku “${SKU}” –public-ip-address “${PublicIP}” –frontend-ip-name “${Frontend_Name}” –backend-pool-name “${BackendPool_Name}”

###Create health probe on port 80/443

az network lb probe create -g “${RG_Name}” –lb-name “${ELB_Name}” -n “${ProbeName01}” –protocol “${Protocol01}” –port “${Port01}”
az network lb probe create -g “${RG_Name}” –lb-name “${ELB_Name}” -n “${ProbeName02}” –protocol “${Protocol01}” –port “${Port02}”

###Create load balancer rule for port 80/443

az network lb rule create -g “${RG_Name}” –lb-name “${ELB_Name}” -n “${Rule01}” –protocol “${Protocol01}” –frontend-port “${Port01}” –backend-port “${Port01}” –frontend-ip-name “${Frontend_Name}” –backend-pool-name “${BackendPool_Name}” –probe-name “${ProbeName01}”
az network lb rule create -g “${RG_Name}” –lb-name “${ELB_Name}” -n “${Rule02}” –protocol “${Protocol01}” –frontend-port “${Port02}” –backend-port “${Port02}” –frontend-ip-name “${Frontend_Name}” –backend-pool-name “${BackendPool_Name}” –probe-name “${ProbeName02}”

###Adicionando Inteface REDE ao pool de backend Load Balance

az network nic ip-config address-pool add -g “${RG_Name}” –nic-name “${NIC_Name1}” -n “${IPConfig_Name}” –lb-name “${ELB_Name}” –address-pool “${BackendPool_Name}”
az network nic ip-config address-pool add -g “${RG_Name}” –nic-name “${NIC_Name2}” -n “${IPConfig_Name}” –lb-name “${ELB_Name}” –address-pool “${BackendPool_Name}”

###fim do scrip.

Criando Virtual Machine Azure (Windows Server) CLI (bash)

Neste artigo iremos criar uma Maquina Virtual com Windows utilizando uma Vnet existente e fixando IP (rede interna), criaremos também um NSG para esta VM, um storage account para diagnostico de boot e conjunto de disponibilidade.

Vamos ao script

#!/bin/bash

##Declarando variaveis
export Subscription_Name=”Subscription Azure”
export RG_Name=”Nome do Resource Group”
export Location=”Azure Region”
export Object_Name=”Nome do Objeto”

##Storage Accout

##Conjunto de Disponibiliade Availability Set
export Name_AV_SET=”Nome do Grupo de Disponibilidade”

##Network Security Group NSG
export NSG_Name=”Nome do NSG##Exemplo NSG-VM-Frontend##
export Fault_Domain=”3″
export Update_Domain=”20″

##Vnet Existente (Variaveis para utilizar Vnet Existente)
export RG_Vnet=”Resource Grupo Vnet existente”
export Subnet_Name=”subnet-existente”
export Vnet_Name=”Vnet existente”

##Variaveis de Rede (Obrigatório)
export NIC_Name=”NIC”-“${Object_Name}”
export Accelerated=”False”

##Variavel para criacao da VM (Obrigatório)
export Image_SO=”Win2019Datacenter”
export VM_Name=”SRVWEBSERVER01″
export User_Name=”azroot”
export PWD=”@edRc%2010T$3U”
export Size=”Standard_D2S_v3″
export SKU_STG=”Standard_LRS” ## Disco ##

##Variaveis TAGs (Não Obrigatório)
export Costacenter=”Centro de Custos”
export Value_Costcenter=”111245″
export Environment=”Environment”
export Environment_Value=”Produção”
export Depto=”Departamento”
export Depto_Value=”Recursos Humanos”

###Execução do Script

###Selecionar subscription
az account set –subscription “${Subscription_Name}”

###Criando Resource Group
az group create -n “${RG_Name}” -l “${Location}” –tags “${Costacenter}”=”${Value_Costcenter}” “${Environment}”=”${Environment_Value}” “${Depto}”=”${Depto_Value}”

###Criando Storage Accout
az storage account create -g “${RG_Name}” -n “${Storage}” -l “${Location}” –sku “${SKU_Storage}” –tags “${Costacenter}”=”${Value_Costcenter}” “${Environment}”=”${Environment_Value}” “${Depto}”=”${Depto_Value}”

###Criando Network Security Group NSG
az network nsg create -g “${RG_Name}” -n “${NSG_Name}” -l “${Location}” –tags “${Costacenter}”=”${Value_Costcenter}” “${Environment}”=”${Environment_Value}” “${Depto}”=”${Depto_Value}”

###Criar Grupo de Disponibilidade
az vm availability-set create -g “${RG_Name}” -n “${Name_AV_SET}” –platform-fault-domain-count “${Fault_Domain}” –platform-update-domain-count “${Update_Domain}” -l “${Location}” –tags “${Costacenter}”=”${Value_Costcenter}” “${Environment}”=”${Environment_Value}” “${Depto}”=”${Depto_Value}”

###Declarando varivel para utilizar Vnet existente (Obrigatório)
SUBNET_ID001=$(az network vnet subnet show –name “${Subnet_Name}” –vnet-name “${Vnet_Name}” -g “${RG_Vnet}” –query id –output tsv)
export IPConfig_Name=”ipconfig1″

###Criando NIC (Interface de rede)
az network nic create –name “${NIC_Name}” -g “${RG_Name}” –subnet $SUBNET_ID001 –accelerated-networking “${Accelerated}” –network-security-group “${NSG_Name}” –tags “${Costacenter}”=”${Value_Costcenter}” “${Environment}”=”${Environment_Value}” “${Depto}”=”${Depto_Value}”

###Declaranado Variaveis para Fixar IP
NIC_ID001=$(az network nic show –name “${NIC_Name}” -g “${RG_Name}” –query id –output tsv)

###Declarando varivel para utilizar IP Fixo existente (Obrigatório)
IP_ID001=$(az network nic ip-config show -g “${RG_Name}” -n “${IPConfig_Name}” –nic-name “${NIC_Name}” –query privateIpAddress –output tsv)

###Fixando IP na interface de rede
###Fixando IP
az network nic ip-config update -g “${RG_Name}” –nic-name “${NIC_Name}” -n “${IPConfig_Name}” –private-ip-address $IP_ID001

###Criando Virtual Machine Windows Server 2019
az vm create –name “${VM_Name}” -g “${RG_Name}” -l “${Location}” –availability-set “${Name_AV_SET}” –boot-diagnostics-storage “${Storage}” –image “${Image_SO}” –nics $NIC_ID001 –admin-username “${User_Name}” –admin-password “${PWD}” –size “${Size}” –storage-sku “${SKU_STG}”

Links de referencia

https://docs.microsoft.com/pt-br/cli/azure/

https://docs.microsoft.com/pt-br/azure/virtual-machines/availability-set-overview

https://docs.microsoft.com/pt-br/azure/virtual-network/network-security-groups-overview

Adicionando Vnet a infraestrutura existente com Peering e propagação BGP, via CLI (Bash) Azure

Como vimos em nossa seria de artigos de criação de vnet, peering, bgp e VPN IPSec com BGP, vamos criar mais uma vnet em nossa infraestrutura já existente. Veja nossos artigos nas sequencia:

Criando Vnet com Tags via CLI (Bash) Azure
Criando Virtual Network Gateway (VPN com BGP) Azure via CLI (Bash)
Criando Virtual Network com Peering via CLI (Bash) Azure
Criando Peering Virtual Network (Azure) via CLI (Bash) com Gateway de propagação.
Criando Local Network Gateway com BGP – VPN IPSec Fortigate.

Vamos ao script

#!/bin/bash
#Declarando variaveis
##Selecionar subscription

export Subscription_01=’Santana-Corp’

##região
export Location=brazilsouth

##Environmont
export Environment_01=’backend-Prodution’

##Resouce Group
export RG_Name01=”${Environment_01}”-Network

##Vnet Name
export Vnet_01=vnet-“${Environment_01}”

##Nome do Objeto
export NameObject_01=”${Vnet_01}”

##Projeto
export Projecto_01=’Backend’
export ID_Object=’678654789′

##Centro de Custo
export Costcenter_Team=’Team Backend’
export Costcenter_Number=’78954′

##Suporte Acionamento
export Support_Team=’team-backend@santanacorp.com’
export Support_Number=’+55 11 3000-XXXX’

##CIDR Network (Prefixo da Rede)
export CIDR_01=’172.29.226.0/24′

##Nome subnet
export Subnet_01=sub01-“${NameObject_01}”
export Subnet_02=sub02-“${NameObject_01}”
export Subnet_03=sub03-“${NameObject_01}”
export Subnet_04=sub04-“${NameObject_01}”

##CIDR Subnet
export prefix_01=’172.29.226.0/26′
export prefix_02=’172.29.226.64/26′
export prefix_03=’172.29.226.128/26′
export prefix_04=’172.29.226.192/26′

##Tags
export Tag01_Key=”${Environment_01}”
export Tag02_Key=”${Projecto_01}”
export Tag03_Key=”${ID_Object}”
export Tag04_Key=”${Costcenter_Team}”
export Tag05_Key=”${Costcenter_Number}”
export Tag06_Key=”${Support_Team}”
export Tag07_Key=”${Support_Number}”
export Name_Value_01=’Environment’
export Name_Value_02=’Projeto’
export Name_Value_03=’ID Projeto’
export Name_Value_04=’Centro de Custo Team’
export Name_Value_05=’Centro de Custo Number’
export Name_Value_06=’Time de Suporte’
export Name_Value_07=’Telefone do Suporte’

#Seleciona Subscription
az account set –subscription “$Subscription_01”

#Criando Resource Groups
az group create –name “${RG_Name01}” –location $Location –tags “${Name_Value_01}”=”${Tag01_Key}” “${Name_Value_02}”=”${Tag02_Key}” “${Name_Value_03}”=”${Tag03_Key}” “${Name_Value_04}”=”${Tag04_Key}” “${Name_Value_05}”=”${Tag05_Key}” “${Name_Value_06}”=”${Tag06_Key}” “${Name_Value_07}”=”${Tag07_Key}”

#Criando Virtual Network (Vnet)
az network vnet create -g “${RG_Name01}” -n “${NameObject_01}” –address-prefix $CIDR_01 –location $Location –tags “${Name_Value_01}”=”${Tag01_Key}” “${Name_Value_02}”=”${Tag02_Key}” “${Name_Value_03}”=”${Tag03_Key}” “${Name_Value_04}”=”${Tag04_Key}” “${Name_Value_05}”=”${Tag05_Key}” “${Name_Value_06}”=”${Tag06_Key}” “${Name_Value_07}”=”${Tag07_Key}” 

#Criando Subnet
az network vnet subnet create -g “${RG_Name01}” –vnet-name “${NameObject_01}” -n $Subnet_01 –address-prefixes $prefix_01
az network vnet subnet create -g “${RG_Name01}” –vnet-name “${NameObject_01}” -n $Subnet_02 –address-prefixes $prefix_02
az network vnet subnet create -g “${RG_Name01}” –vnet-name “${NameObject_01}” -n $Subnet_03 –address-prefixes $prefix_03
az network vnet subnet create -g “${RG_Name01}” –vnet-name “${NameObject_01}” -n $Subnet_04 –address-prefixes $prefix_04

##Variaveis para criação do Peering

#Subscriptions
export Subscription_01=’Santana-COrp’

#Resouce Group
export RG_Name01=”Shared-Prodution-Network”export RG_Name02=”backend-Prodution-Network”

#Name Object
export NameObject_01=”${Vnet_01}”-“${Subscription_01}”-“${Environment_01}”

#Peering
export Vnet_Name_01=”vnet-Shared-Prodution”
export Vnet_Name_02=”vnet-backend-Prodution”
export Peering_01=”Peering-vnet-Shared-Prodution2″
export Peering_02=”Peering-backend-Prodution-Network”

#export Vnet_Remote=$(az network vnet show –resource-group Shared-Prodution-Network -n vnet-Shared-Prodution –query id –output tsv)

#Vnet Remote
export Vnet_Remote_01=”/subscriptions/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX/resourceGroups/backend-Prodution-Network/providers/Microsoft.Network/virtualNetworks/vnet-backend-Prodution”
export Vnet_Remote_02=”/subscriptions/xxxxxxxxxxxxxxxxxxxxxxxxx/resourceGroups/Shared-Prodution-Network/providers/Microsoft.Network/virtualNetworks/vnet-Shared-Prodution”

#Selecionar subscription
az account set –subscription “${Subscription_01}”

#Criando Peering
## Vnet Shared Prodution

az network vnet peering create -g “${RG_Name01}” -n “${Peering_01}” –vnet-name “${Vnet_Name_01}” –remote-vnet “${Vnet_Remote_01}” –allow-vnet-access –allow-forwarded-traffic –allow-gateway-transit –allow-vnet-access

## Vnet Backend Prodution
az network vnet peering create -g “${RG_Name02}” -n “${Peering_02}” –vnet-name “${Vnet_Name_02}” –remote-vnet “${Vnet_Remote_02}” –allow-vnet-access –allow-forwarded-traffic –allow-vnet-access –use-remote-gateways

Veja o resultado

Em nosso fortigate

Com isso concluimos nossa seria de Vnet com peering e propagação BGP, a cada vnet nova criada com peering (utilizando as configuração aqui exibidas) não é necessário fazer mais nada em nosso fortigate ou Gateway de VPN, um lembrete muito importante as redes não podem se sobscrever (Over lapping).

Criando Local Network Gateway com BGP – VPN IPSec Fortigate.

Neste artigo iremos criar nossa conexão de VPN IPSec com BGP entre nosso Gateway BGP e nosso ambiente OnPremises com Fortigate.

#!/bin/bash
#Declarando variaveis
##Selecionar subscription

export Subscription_01=’Santana-Corp’
##região
export Location=brazilsouth
##Resouce Group
export RG_Name01=”${Environment_01}”-Network
##Projeto
export Projecto_01=’VPN Produção BGP’
export ID_Object=’789654741′
##Centro de Custo
export Costcenter_Team=’Team Network’
export Costcenter_Number=’78954′
##Suporte Acionamento
export Support_Team=’team-network@santanacorp.com’
export Support_Number=’+55 11 3000-XXXX’
##Environmont
export Environment_01=’VPN-BGP-Prodution’
export LGW_01=’lgw-fgt-operadora-01′
##Variaveis de Conexão
export IP_Peer_01=’xxx.xxx.xxx.xxx’ ##peer da VPN do firewall onpremises
export Local_Network_01=’192.168.0.0/16′ ##rede local do ambiente onpremises
export ASN_01=’65010′ ##este ASN é privado, você pode utilizar seu proprio ASN ou um disponivel pelo azure, neste exemplo iremos utilizar 65010 para ser o ASN local
export Peer_BGP_01=’169.254.21.11′ ##este é o IP que será utilizado na interface do firewall


##Tags
export Tag01_Key=”${Environment_01}”
export Tag02_Key=”${Projecto_01}”
export Tag03_Key=”${ID_Object}”
export Tag04_Key=”${Costcenter_Team}”
export Tag05_Key=”${Costcenter_Number}”
export Tag06_Key=”${Support_Team}”
export Tag07_Key=”${Support_Number}”
export Name_Value_01=’Environment’
export Name_Value_02=’Projeto’
export Name_Value_03=’ID Projeto’
export Name_Value_04=’Centro de Custo Team’
export Name_Value_05=’Centro de Custo Number’
export Name_Value_06=’Time de Suporte’
export Name_Value_07=’Telefone do Suporte’

##Criando Local Network Gateway
az network local-gateway create -g “${RG_Name01}” -n “${LGW_01}” -l “${Location}” –gateway-ip-address “${IP_Peer_01}” –local-address-prefixes “${Local_Network_01}” –asn “${ASN_01}” –bgp-peering-address “${Peer_BGP_01}” –tags “${Name_Value_01}”=”${Tag01_Key}” “${Name_Value_02}”=”${Tag02_Key}” “${Name_Value_03}”=”${Tag03_Key}” “${Name_Value_04}”=”${Tag04_Key}” “${Name_Value_05}”=”${Tag05_Key}” “${Name_Value_06}”=”${Tag06_Key}” “${Name_Value_07}”=”${Tag07_Key}”

Temos esse resutado

Agora iremos criar a conexão “connection”

#!/bin/bash
#Declarando variaveis
##Selecionar subscription

export Subscription_01=’Santana-Corp’
##região
export Location=brazilsouth
##Environment
export Environment_01=”${Shared-Prodution}”
##Resouce Group
export RG_Name01=’Shared-Prodution-Network’
##Variaveis da conexão
export Conenction_01=’connection-fgt-01′
export Gateway_Value_01=’GWVPNPROBGP’
export LGW_01=’lgw-fgt-operadora-01′
export PSK=’123vfe56TFr’
##Tags
export Tag01_Key=”${Environment_02}”
export Tag02_Key=”${Projecto_01}”
export Tag03_Key=”${ID_Object}”
export Tag04_Key=”${Costcenter_Team}”
export Tag05_Key=”${Costcenter_Number}”
export Tag06_Key=”${Support_Team}”
export Tag07_Key=”${Support_Number}”
export Name_Value_01=’Environment’
export Name_Value_02=’Projeto’
export Name_Value_03=’ID Projeto’
export Name_Value_04=’Centro de Custo Team’export Name_Value_05=’Centro de Custo Number’export Name_Value_06=’Time de Suporte’
export Name_Value_07=’Telefone do Suporte’
#Selecionar subscription
az account set –subscription “${Subscription_01}”
##Criando a conexão
az network vpn-connection create -g “${RG_Name01}” -n “${Conenction_01}” –vnet-gateway1 “${Gateway_Value_01}” –local-gateway2 “${LGW_01}” –shared-key “${PSK}” –enable-bgp -l “${Location}” –tags “${Name_Value_01}”=”${Tag01_Key}” “${Name_Value_02}”=”${Tag02_Key}” “${Name_Value_03}”=”${Tag03_Key}” “${Name_Value_04}”=”${Tag04_Key}” “${Name_Value_05}”=”${Tag05_Key}” “${Name_Value_06}”=”${Tag06_Key}” “${Name_Value_07}”=”${Tag07_Key}”

Resultado

Agora vamos para as configurações no Fortigate (neste exemplo iremos utilizar Fortinet, mas pode ser qualquer appliance com suport a BGP)

##Aqui definimos as Phase1

config vpn ipsec phase1-interface
edit AZU-HA-VPN-INT0
set interface port1 ## porta WAN
set ike-version 2
set keylife 28800
set peertype any
set proposal aes256-sha1 3des-sha1 aes256-sha256
set dhgrp 2
set remote-gw xxx.xxx.xxx.xxx ##IP 01 do Gateway que foi criado em nossos artigo
set psksecret 123vfe56TFr
next
end

##Aqui definimos a Phase2
config vpn ipsec phase2-interface
edit AZU-HA-VPN-INT0
set phase1name AZU-HA-VPN-INT0
set proposal aes256-sha1 3des-sha1 aes256-sha256 aes256gcm
set pfs disable

set keylifeseconds 27000
next
end

##Aqui editamos a interface que criamos com o endereçamento IP que criamos anteriormente em nossos artigos
config system interface
edit AZU-HA-VPN-INT0
set ip 169.254.21.11 255.255.255.255
set remote-ip 169.254.21.10 255.255.255.255
next
end

##Aqui configuramos o BGP
config router bgp
set as 65010
set router-id XXX.XXX.XXX.XXX ##IP Publico da interface da VPN

##Aqui configuramos o PAR BGP que configuramos no Azure
config neighbor
edit 169.254.21.10
set soft-reconfiguration enable
set remote-as 65512
next
end

##Aqui anunciamos nossas redes OnPremises, neste exemplo 192.168.0.0/16
config router bgp
config network
edit 1
set prefix 192.168.0.0 255.255.0.0
next
end

##Aqui configuramos uma ZONA para ter varias interfaces na mesma zona,
config system zone
edit Cloud
set interface AZU-HA-VPN-INT0
set intrazone allow
next
end

## Aqui configuramos as regras de firewall de INBOUND e OUTBOUND
config firewall policy
edit 1
set name LAN-TO-CLOUD

set srcintf port2
set dstintf Cloud
set srcaddr all
set dstaddr all
set action accept
set schedule always
set service ALL
next
edit 2
set name CLOUD-TO-LAN
set srcintf Cloud
set dstintf port2
set srcaddr all
set dstaddr all
set action accept
set schedule always
set service ALL
end

Resultado


Aqui verificamos que as rotas BGP ja estão sendo anunciadas e recebidas


Nesta série de artigos vimos com criar vnet/gateway BGP/local network/connection com BGP.

Agora cada vnet criada com peering com nossa Vnet Shared-PRO, teremos propagada a CIDR de forma automatica para nossa BGP.

Para criação da segunda VPN com outra operadora basta seguir os passos novamente.

Criando Virtual Network com Peering via CLI (Bash) Azure

Continuando nossa infraestrutura de rede relembrando nestes artigos:

Criando Vnet e Criando GW VPN BGP

Neste artigo iremos criar uma Vnet em outro Resource Group e na mesa Region do nosso Gateway de VPN BGP (Isso não é um pré-requisito) e fazer um peering deixando nossa vnet onde esta nosso Gateway de VPN BGP como Gateway.

Nesta infraestrutura de rede não iremos precisar criar um vnet “gatewayvnet”

#!/bin/bash

#Declarando variaveis

#Selecionar subscription

export Subscription_01=’Santana-Corp’

#região

export Location=brazilsouth

#Environmont

export Environment_01=’databases-Prodution’

#Resouce Group

export RG_Name01=”${Environment_01}”-Network#

#Vnet Name

export Vnet_01=vnet-“${Environment_01}”

#Nome do Objeto

export NameObject_01=”${Vnet_01}”

#Projeto

export Projecto_01=’Data Bases Pro’
export ID_Object=’789654789′

#Centro de Custo

export Costcenter_Team=’Team Databases’
export Costcenter_Number=’78954′

#Suporte Acionanento

export Support_Team=’team-dba@santanacorp.com’
export Support_Number=’+55 11 3000-XXXX’

#CIDR Network (Prefixo da Rede)

export CIDR_01=’172.29.228.0/24′

#Nome subnet

export Subnet_01=sub01-“${NameObject_01}”
export Subnet_02=sub02-“${NameObject_01}”
export Subnet_03=sub03-“${NameObject_01}”
export Subnet_04=sub04-“${NameObject_01}”

#CIDR Subnet

export prefix_01=’172.29.228.0/26′
export prefix_02=’172.29.228.64/26′
export prefix_03=’172.29.228.128/26′
export prefix_04=’172.29.228.192/26′

#Tags

export Tag01_Key=”${Environment_01}”
export Tag02_Key=”${Projecto_01}”
export Tag03_Key=”${ID_Object}”
export Tag04_Key=”${Costcenter_Team}”
export Tag05_Key=”${Costcenter_Number}”
export Tag06_Key=”${Support_Team}”
export Tag07_Key=”${Support_Number}”

export Name_Value_01=’Environment’
export Name_Value_02=’Projeto’
export Name_Value_03=’ID Projeto’
export Name_Value_04=’Centro de Custo Team’
export Name_Value_05=’Centro de Custo Number’
export Name_Value_06=’Time de Suporte’
export Name_Value_07=’Telefone do Suporte’

#Seleciona Subscription

az account set –subscription “$Subscription_01”

#Criando Resource Groups

az group create –name “${RG_Name01}” –location $Location –tags “${Name_Value_01}”=”${Tag01_Key}” “${Name_Value_02}”=”${Tag02_Key}” “${Name_Value_03}”=”${Tag03_Key}” “${Name_Value_04}”=”${Tag04_Key}” “${Name_Value_05}”=”${Tag05_Key}” “${Name_Value_06}”=”${Tag06_Key}” “${Name_Value_07}”=”${Tag07_Key}”

#Criando Virtual Network (Vnet)

az network vnet create -g “${RG_Name01}” -n “${NameObject_01}” –address-prefix $CIDR_01 –location $Location –tags “${Name_Value_01}”=”${Tag01_Key}” “${Name_Value_02}”=”${Tag02_Key}” “${Name_Value_03}”=”${Tag03_Key}” “${Name_Value_04}”=”${Tag04_Key}” “${Name_Value_05}”=”${Tag05_Key}” “${Name_Value_06}”=”${Tag06_Key}” “${Name_Value_07}”=”${Tag07_Key}”

#Criando Subnet

az network vnet subnet create -g “${RG_Name01}” –vnet-name “${NameObject_01}” -n $Subnet_01 –address-prefixes $prefix_01
az network vnet subnet create -g “${RG_Name01}” –vnet-name “${NameObject_01}” -n $Subnet_02 –address-prefixes $prefix_02
az network vnet subnet create -g “${RG_Name01}” –vnet-name “${NameObject_01}” -n $Subnet_03 –address-prefixes $prefix_03
az network vnet subnet create -g “${RG_Name01}” –vnet-name “${NameObject_01}” -n $Subnet_04 –address-prefixes $prefix_04

##Criando Peering entre a Vnet que acabamos de criar e a Vnet criada em nosso artigo anterior, clique aqui, para criação do Peering veja neste artigo.

Criando banco de dados PaaS (SQL Server) Azure via CLI (bash)

Neste artigo vamos criar um banco de dados PaaS (SQL Server) no Azure via CLI bash.

#Login no conta do Azure
az login

#Seleciona Subscription
az account set –subscription “Santana Corp”

#Criando Resource Groups
az group create –name db-sql-prd –location brazilsouth –tags costcenter=projeto-x enviroment=producao squad=xxx

#Create DB SQL

##Criando server com user e senha
az sql server create -l brazilsouth -g db-sql-prd -n db-sql-prd -u ‘admindb’ -p ‘$N@taL56devDBaz’ –tags costcenter=projeto-x Environment=producao Squad=xxxx

##Criando data base
az sql db create -g db-sql-prd -s db-sql-prd -n db-sql-prd –service-objective Basic –tags costcenter=projeto-x Environment=producao Squad=xxxx

##Liberando acesso a servidor via firewall sql
###Liberando serviços do azure para acessar o servidor sql
az sql server firewall-rule create -g db-sql-prd  -s db-sql-prd  -n azureservice –start-ip-address 0.0.0.0 –end-ip-address 0.0.0.0

###Liberando o acesso ao sql da sua rede (internet)
az sql server firewall-rule create -g db-sql-prd -s db-sql-prd -n LinkOperadora –start-ip-address 200.200.200.1 –end-ip-address 200.200.200.10

links de referencias
https://docs.microsoft.com/pt-br/cli/azure/sql/server?view=azure-cli-latest
https://docs.microsoft.com/pt-br/cli/azure/sql/db?view=azure-cli-latest

Script Bash

#!/bin/bash

#Seleciona Subscription

az account set –subscription “Santana Corp”

#Criando Resource Groups

az group create –name db-sql-prd –location brazilsouth –tags costcenter=projeto-x Environment=producao Squad=xxxx

#Create DB SQL (Server)

az sql server create -l brazilsouth -g db-sql-prd -n db-sql-prdv -u ‘admindb’ -p ‘$N@taL56devDB’ –tags costcenter=projeto-x Environment=producao Squad=xxxx

#Create Data Base

az sql db create -g db-sql-prd -s db-sql-prd -n db-sql-prd–service-objective Basic –tags costcenter=projeto-x Environment=producao Squad=xxxx

#Create rule firewall
##Liberando o acesso a partir dos serviços do Azure
az sql server firewall-rule create -g db-sql-prd -s db-sql-prdv -n azureservice –start-ip-address 0.0.0.0 –end-ip-address 0.0.0.0

##Liberando o acesso para o Public IP especifico
az sql server firewall-rule create -g db-sql-prd -s db-sql-prdv -n LinkOperado –start-ip-address 200.200.200.1 –end-ip-address 200.200.200.10

*Somente em alguns casos devemos expor o banco de dados para internet, sempre recomendo utilizando via rede interna com private link, mas tem casos que realmente não tem como.



Criando entradas Azure DNS via CLI (bash)

Muitas vezes precisamos criar varios entradas em nosso DNS, utilizando o portal do Azure é bem simples, agora imagina ter que repitir a mesma ação por 20 vezes por exemplo para poder criar 20 entras diferentes? Com isso criei este post para ajudar no dia a dia da administração do Azure DNS, isso será feito via CLI, veja como instalar o azure cli aqui.

Primeiramente iremos nos conectar (usarei neste exemplo ubuntu linux como subsystem windows 10)

#Conectar no Azure
az login (enter)

#Selecionando a subscription (supondo que tenha mais de uma)
az account set –subscription “Santana Corp”

az network dns record-set a add-record –resource-group dns \
–zone-name charlessantana.com –record-set-name hello \
–ttl 300 –ipv4-address 192.0.78.24

Resultado

Agora vamos verificar se funcionou, com um simples nslookup

nslookup hello.charlessantana.com


Agora vamos criar uma entrada do tipo CNAME

az network dns record-set cname set-record –resource-group dns \
–zone-name charlessantana.com –record-set-name ww2 –cname ‘www.charlessantana.com.br

Script simples em bash

#!/bin/bash

#Seleciona Subscription

az account set –subscription “Santana Corp”

#Criando entrada DNS do Tipo A

az network dns record-set a add-record –resource-group dns \
–zone-name charlessantana.com –record-set-name hello –ttl 300 –ipv4-address 192.0.78.24

#Criando entrada DNS do Tipo CNAME

az network dns record-set cname set-record –resource-group dns \
–zone-name charlessantana.com –record-set-name ww2 –cname ‘www.charlessantana.com.br’

VPN IPSEC Fortinet for Azure

How to VPN IPESec Fortinet for Azure Cloud.

 

ISO 5.4

http://cookbook.fortinet.com/ipsec-vpn-microsoft-azure-54/

Gateway

Nat Traversal “Disable”
Dead Peer Detection “On idle”
IKE “V2”

Phase1

Encryption “AES128”
Authentication “SHA256”
Diffie-Hellman Group “2”
Key Lifetime (seconds) “28800”

Phase2

Encryption “AES128”
Authenticaton “SHA256”
(PFS) “Disable”
Local Port “Enable”
Remote Port “Enable”
Protocol “Enable”
Auto-negotiate “Disable”
Auto Keep Alive “Disable”
Key Lifetime “seconds”
Seconds “27000”

 

IOS 5.2

http://cookbook.fortinet.com/download/3127

Gateway

Nat Traversal “Disable”
Dead Peer Detection “Disable”

IKE “V2”

Phase1

Encryption “AES128”
Authentication “SHA1”
Encryption “AES256”
Authentication “SHA256”

Diffie-Hellman Group “2”
Key Lifetime (seconds) “56600”

Phase2

Encryption “AES128”
Authentication “SHA1”
Encryption “AES256”
Authentication “SHA256”
Enable replay Detaction “Disable”
(PFS) “Disable”
Local Port “Enable”
Remote Port “Enable”
Protocol “Enable”
Auto-negotiate “Disable”
Auto Keep Alive “Disable”
Key Lifetime “seconds”
Seconds “2900” “Segunda suporte Microsoft esses valores devem ser maiores que do Azure”

Best Regards.