def _create_bootstrap_vm_secgroup(self):
self.logging.info("Creating bootstrap VM security group")
secgroup_rules = [
net_models.SecurityRule(
protocol="Tcp",
priority="1000",
source_port_range="*",
source_address_prefix="0.0.0.0/0",
destination_port_range="22",
destination_address_prefix="0.0.0.0/0",
destination_address_prefixes=[],
destination_application_security_groups=[],
access=net_models.SecurityRuleAccess.allow,
direction=net_models.SecurityRuleDirection.inbound,
name="Allow_SSH")
]
secgroup_params = net_models.NetworkSecurityGroup(
name=self.bootstrap_vm_secgroup_name,
location=self.azure_location,
security_rules=secgroup_rules)
return utils.retry_on_error()(
self.network_client.network_security_groups.create_or_update)(
self.cluster_name, self.bootstrap_vm_secgroup_name,
secgroup_params).result()
def _create_control_plane_secgroup(self):
secgroup_rules = [
net_models.SecurityRule(
protocol="Tcp",
priority="1000",
source_port_range="*",
source_address_prefix="0.0.0.0/0",
destination_port_range="22",
destination_address_prefix="0.0.0.0/0",
destination_address_prefixes=[],
destination_application_security_groups=[],
access=net_models.SecurityRuleAccess.allow,
direction=net_models.SecurityRuleDirection.inbound,
name="Allow_SSH"),
net_models.SecurityRule(
protocol="Tcp",
priority="1001",
source_port_range="*",
source_address_prefix="0.0.0.0/0",
destination_port_range="6443",
destination_address_prefix="0.0.0.0/0",
destination_address_prefixes=[],
destination_application_security_groups=[],
access=net_models.SecurityRuleAccess.allow,
direction=net_models.SecurityRuleDirection.inbound,
name="Allow_K8s_API")
]
secgroup_name = "{}-controlplane-nsg".format(self.cluster_name)
secgroup_params = net_models.NetworkSecurityGroup(
name=secgroup_name,
location=self.azure_location,
security_rules=secgroup_rules)
nsg_client = self.network_client.network_security_groups
return nsg_client.begin_create_or_update(self.cluster_name,
secgroup_name,
secgroup_params).result()
def add_inbound_network_security_rule(network_client, vm_resource, rule_name,
inbound_rule):
# type: (azure.mgmt.network.NetworkManagementClient,
# settings.VmResource, str, settings.InboundNetworkSecurityRule) ->
# msrestazure.azure_operation.AzureOperationPoller
"""Add an inbound network security rule to an existing nsg
:param azure.mgmt.network.NetworkManagementClient network_client:
network client
:param settings.VmResource vm_resource: VM Resource
:param str rule_name: rule name
:param settings.InboundNetworkSecurityRule inbound_rule: inbound rule
:rtype: msrestazure.azure_operation.AzureOperationPoller
:return: async op poller
"""
nsg_name = settings.generate_network_security_group_name(vm_resource)
# check and fail if nsg exists
highest_prio = 0
try:
rules = network_client.security_rules.list(
resource_group_name=vm_resource.resource_group,
network_security_group_name=nsg_name)
except msrestazure.azure_exceptions.CloudError as e:
if e.status_code == 404:
pass
else:
raise
for rule in rules:
if rule.name == rule_name:
raise RuntimeError('security rule {} for nsg {} exists'.format(
rule_name, nsg_name))
if rule.priority < 65000 and rule.priority > highest_prio:
highest_prio = rule.priority
proto = inbound_rule.protocol.lower()
if proto == 'tcp':
proto = networkmodels.SecurityRuleProtocol.tcp
elif proto == 'udp':
proto = networkmodels.SecurityRuleProtocol.udp
elif proto == '*':
proto = networkmodels.SecurityRuleProtocol.asterisk
else:
raise ValueError('Unknown protocol {} for rule {}'.format(
proto, rule_name))
rule = networkmodels.SecurityRule(
name=settings.generate_network_security_inbound_rule_name(
rule_name, 0),
description=settings.
generate_network_security_inbound_rule_description(rule_name, 0),
protocol=proto,
source_port_range='*',
destination_port_range=str(inbound_rule.destination_port_range),
source_address_prefix=inbound_rule.source_address_prefix,
destination_address_prefix='*',
access=networkmodels.SecurityRuleAccess.allow,
priority=highest_prio + 1,
direction=networkmodels.SecurityRuleDirection.inbound)
return network_client.security_rules.create_or_update(
resource_group_name=vm_resource.resource_group,
network_security_group_name=nsg_name,
security_rule_name=rule.name,
security_rule_parameters=rule,
)
def create_vnet(results_queue, creds, subscription, vv):
settings = Settings()
hub_1_public = None
hub_1_private = None
resource_client = ResourceManagementClient(creds, subscription)
compute_client = ComputeManagementClient(creds, subscription)
storage_client = StorageManagementClient(creds, subscription)
network_client = NetworkManagementClient(creds, subscription)
# 1 Create Resource Group
resg = resource_client.resource_groups.create_or_update(
vv['resource_group_name'], {'location': vv['region']})
rg = resg.name
# 2 Create WAN Network Security Group
rule_ssh_in = network_models.SecurityRule(
description='allow ssh in',
protocol='TCP',
source_port_range='*',
destination_port_range='22',
source_address_prefix='*',
destination_address_prefix='*', # Or to local CIDR
access='Allow',
priority=100,
direction='Inbound',
name='ssh-inbound')
rule_internet_key_exchange_in = network_models.SecurityRule(
description='allow ike in',
protocol='UDP',
source_port_range='*',
destination_port_range='500',
source_address_prefix='*',
destination_address_prefix='*', # Or to local CIDR
access='Allow',
priority=110,
direction='Inbound',
name='ike-inbound')
rule_nat_t_in = network_models.SecurityRule(
description='allow nat-t in',
protocol='UDP',
source_port_range='*',
destination_port_range='4500',
source_address_prefix='*',
destination_address_prefix='*', # Or to local CIDR
access='Allow',
priority=120,
direction='Inbound',
name='nat-t-inbound')
wan_ipsec_nsg_params = network_models.NetworkSecurityGroup(
location=vv['region'],
security_rules=[
rule_ssh_in, rule_internet_key_exchange_in, rule_nat_t_in
])
nsg_creation = network_client.network_security_groups.create_or_update(
rg, vv['wan_security_group_name'], wan_ipsec_nsg_params)
wan_ipsec_nsg = network_client.network_security_groups.get(
vv['resource_group_name'], vv['wan_security_group_name'])
# Create Private Network Security Group
all_in = network_models.SecurityRule(description='allow all traffic',
protocol='*',
source_port_range='*',
destination_port_range='*',
source_address_prefix='*',
destination_address_prefix='*',
access='Allow',
priority=100,
direction='Inbound',
name='All')
open_nsg_params = network_models.NetworkSecurityGroup(
location=vv['region'], security_rules=[all_in])
open_nsg_creation = network_client.network_security_groups.create_or_update(
rg, 'open_nsg', open_nsg_params)
open_nsg = network_client.network_security_groups.get(
vv['resource_group_name'], 'open_nsg')
# 3 Create a VNET
address_space_model = network_models.AddressSpace(
address_prefixes=[vv['public_vnet_prefix'], vv['private_vnet_prefix']])
if vv['type'] == 'silb':
vnet_model = network_models.VirtualNetwork(
location=vv['region'],
tags={
vv['tvpc_program_key']: vv['cluster'],
'tvpc_silb_vnet': 'True'
},
address_space=address_space_model,
)
elif vv['type'] == 'vnet':
vnet_model = network_models.VirtualNetwork(
location=vv['region'],
tags={vv['tvpc_program_key']: vv['cluster']},
address_space=address_space_model,
)
else:
vnet_model = network_models.VirtualNetwork(
location=vv['region'],
address_space=address_space_model,
)
result_object_vnet_creation = network_client.virtual_networks.create_or_update(
resource_group_name=vv['resource_group_name'],
virtual_network_name=vv['vnet_name'],
parameters=vnet_model)
result_object_vnet_creation.wait()
# 4 Create Routes
default_route = network_models.Route(address_prefix='0.0.0.0/0',
next_hop_type='Internet',
name='default_route')
private_subnet_route = network_models.Route(
address_prefix=vv['private_vnet_prefix'],
next_hop_type='VnetLocal',
name='private_subnet_route')
# 5 Create Route Tables
wan_route_table_params = network_models.RouteTable(
location=vv['region'], routes=[default_route, private_subnet_route])
result_object_route_table_wan_creation = network_client.route_tables.create_or_update(
vv['resource_group_name'], 'wan_route_table', wan_route_table_params)
result_object_route_table_wan_creation.wait()
wan_route_table = result_object_route_table_wan_creation.result()
private_route_table_params = network_models.RouteTable(
location=vv['region'], routes=[private_subnet_route])
result_object_route_table_private_creation = network_client.route_tables.create_or_update(
vv['resource_group_name'], 'private_route_table',
private_route_table_params)
result_object_route_table_private_creation.wait()
private_route_table = result_object_route_table_private_creation.result()
# 6 Create Subnets
result_object_subnet_creation = network_client.subnets.create_or_update(
resource_group_name=vv['resource_group_name'],
virtual_network_name=vv['vnet_name'],
subnet_name='TVPC_WAN_Subnet',
subnet_parameters=network_models.Subnet(
address_prefix=vv['public_vnet_prefix'],
network_security_group=wan_ipsec_nsg,
route_table=wan_route_table))
subnet_wan = result_object_subnet_creation.result()
result_object_subnet_creation = network_client.subnets.create_or_update(
resource_group_name=vv['resource_group_name'],
virtual_network_name=vv['vnet_name'],
subnet_name='TVPC_Private_Subnet',
subnet_parameters=network_models.Subnet(
address_prefix=vv['private_vnet_prefix'],
route_table=private_route_table))
subnet_private = result_object_subnet_creation.result()
# 7 Create Storage Account
storage_result_object_operation = storage_client.storage_accounts.create(
vv['resource_group_name'], vv['storage_account_name'], {
'sku': {
'name': 'standard_lrs'
},
'kind': 'storage',
'location': vv['region']
})
storage_result_object_operation.wait()
# 8 Create an Availability Set
if vv['type'] == 'silb':
av_sku_params = compute_models.Sku(name='Aligned')
availability_set_parameters = compute_models.AvailabilitySet(
location=vv['region'],
platform_update_domain_count=5,
platform_fault_domain_count=2,
sku=av_sku_params)
avset = compute_client.availability_sets.create_or_update(
rg, vv['availability_set_name'], availability_set_parameters)
avset_return = compute_client.availability_sets.get(
vv['resource_group_name'], vv['availability_set_name'])
# 9 Create Load Balancer
if vv['type'] == 'silb':
load_balancer_name = 'SILB'
fip_name = 'FIPdmvpn'
bap_name = 'BAPdmvpn'
probe_name = 'SSHhealthcheck'
silb_rule_name = 'slball'
def construct_fip_id(subscription_id):
return ('/subscriptions/{}'
'/resourceGroups/{}'
'/providers/Microsoft.Network'
'/loadBalancers/{}'
'/frontendIPConfigurations/{}').format(
subscription_id, vv['resource_group_name'],
load_balancer_name, fip_name)
def construct_bap_id(subscription_id):
return ('/subscriptions/{}'
'/resourceGroups/{}'
'/providers/Microsoft.Network'
'/loadBalancers/{}'
'/backendAddressPools/{}').format(
subscription_id, vv['resource_group_name'],
load_balancer_name, bap_name)
def construct_probe_id(subscription_id):
return ('/subscriptions/{}'
'/resourceGroups/{}'
'/providers/Microsoft.Network'
'/loadBalancers/{}'
'/probes/{}').format(subscription_id,
vv['resource_group_name'],
load_balancer_name, probe_name)
subnet_silb = network_client.subnets.get(vv['resource_group_name'],
vv['vnet_name'],
'TVPC_Private_Subnet')
front_ip_config = network_models.FrontendIPConfiguration(
private_ip_allocation_method='Dynamic',
subnet={'id': subnet_silb.id},
name=fip_name,
)
back_pool = network_models.BackendAddressPool(name=bap_name)
fipn = construct_fip_id(subscription_id)
bapn = construct_bap_id(subscription_id)
proben = construct_probe_id(subscription_id)
silb_rules = network_models.LoadBalancingRule(
frontend_ip_configuration={'id': fipn},
backend_address_pool={'id': bapn},
probe={'id': proben},
protocol='All',
load_distribution='Default',
frontend_port=0,
backend_port=0,
idle_timeout_in_minutes=4,
enable_floating_ip=True,
enable_tcp_reset=False,
disable_outbound_snat=True,
name=silb_rule_name)
silb_probes = network_models.Probe(protocol='Tcp',
port=22,
interval_in_seconds=5,
number_of_probes=2,
name=probe_name)
silb_sku = network_models.LoadBalancerSku(name='Standard')
silb_model = network_models.LoadBalancer(
location=vv['region'],
frontend_ip_configurations=[front_ip_config],
backend_address_pools=[back_pool],
load_balancing_rules=[silb_rules],
probes=[silb_probes],
sku=silb_sku,
tags={vv['tvpc_program_key']: vv['cluster']},
)
lb_result_object_creation = network_client.load_balancers.create_or_update(
resource_group_name=vv['resource_group_name'],
load_balancer_name=load_balancer_name,
parameters=silb_model)
lb_info = lb_result_object_creation.result()
bap_info = network_client.load_balancer_backend_address_pools.get(
vv['resource_group_name'], load_balancer_name, bap_name)
router_counter = 0
for r in vv['dmvpn_address']:
vv['router_counter'] = str(router_counter)
vv['dmvpn_address_router'] = vv['dmvpn_address'][router_counter]
# 9 Create PublicIP
address_sku = network_models.PublicIPAddressSku(name='Standard')
public_ip_address_parameters = network_models.PublicIPAddress(
location=vv['region'],
public_ip_allocation_method='Static',
sku=address_sku)
pip_name = 'pip_' + str(router_counter)
result_object_public_ip_creation = network_client.public_ip_addresses.create_or_update(
vv['resource_group_name'], pip_name, public_ip_address_parameters)
result_object_public_ip_creation.wait()
public_ip_info = result_object_public_ip_creation.result()
# 10 Create NICs
nic_0_name = 'CSR_' + str(router_counter) + '_nic_0'
nic_0_config = network_models.IPConfiguration(
subnet=subnet_wan,
name=nic_0_name,
private_ip_allocation_method=network_models.IPAllocationMethod.
dynamic,
public_ip_address=public_ip_info)
nic_0_parameters = network_models.NetworkInterface(
location=vv['region'],
network_security_group=wan_ipsec_nsg,
enable_accelerated_networking=True,
ip_configurations=[nic_0_config],
primary=True,
enable_ip_forwarding=False # False
)
result_object_nic_0_create = network_client.network_interfaces.create_or_update(
vv['resource_group_name'], nic_0_name, nic_0_parameters)
result_object_nic_0_create.wait()
nic_0 = result_object_nic_0_create.result()
nic_0.primary = True # This is a bug. The primary key is always None after interface create or update
if vv['type'] == 'silb':
nic_1_name = 'CSR_' + str(router_counter) + '_nic_1'
result_object_nic_1_create = network_client.network_interfaces.create_or_update(
vv['resource_group_name'], nic_1_name, {
'location':
vv['region'],
'network_security_group':
open_nsg,
'enable_accelerated_networking':
True,
'enable_ip_forwarding':
True,
'primary':
False,
'ip_configurations': [{
'name':
'some_config_name',
'subnet': {
'id': subnet_silb.id
},
'private_ip_allocation_method':
network_models.IPAllocationMethod.dynamic,
'load_balancer_backend_address_pools': [{
'id':
bap_info.id
}]
}]
})
result_object_nic_1_create.wait()
nic_1 = result_object_nic_1_create.result()
nic_1.primary = False # This is a bug. The primary key is always None after interface create or update
else:
nic_1_name = 'CSR_' + str(router_counter) + '_nic_1'
nic_1_config = network_models.IPConfiguration(
subnet=subnet_private,
name=nic_1_name,
private_ip_allocation_method=network_models.IPAllocationMethod.
dynamic)
nic_1_parameters = network_models.NetworkInterface(
location=vv['region'],
network_security_group=wan_ipsec_nsg,
enable_accelerated_networking=True,
ip_configurations=[nic_1_config],
primary=False,
enable_ip_forwarding=True)
result_object_nic_1_create = network_client.network_interfaces.create_or_update(
vv['resource_group_name'], nic_1_name, nic_1_parameters)
result_object_nic_1_create.wait()
nic_1 = result_object_nic_1_create.result()
nic_1.primary = False # This is a bug. The primary key is always None after interface create or update
# 11 Create VM
computer_name = vv['hostname'] + str(router_counter)
os_profile = compute_models.OSProfile(computer_name=computer_name,
admin_username=vv['username'],
admin_password=vv['password'])
hardware_profile = compute_models.HardwareProfile(
vm_size=vv['instance_type'])
storage_profile = compute_models.StorageProfile(
image_reference=compute_models.ImageReference(
publisher=vv['azure_vm_publisher'],
offer=vv['azure_vm_offer'],
sku=vv['azure_vm_sku'],
version='latest'))
network_profile = compute_models.NetworkProfile(
network_interfaces=[nic_0, nic_1])
image_plan = compute_models.Plan(name=vv['azure_vm_sku'],
publisher=vv['azure_vm_publisher'],
product=vv['azure_vm_offer'])
if vv['type'] == 'silb':
vm_profile = compute_models.VirtualMachine(
location=vv['region'],
os_profile=os_profile,
plan=image_plan,
hardware_profile=hardware_profile,
storage_profile=storage_profile,
network_profile=network_profile,
availability_set={'id': avset_return.id})
else:
vm_profile = compute_models.VirtualMachine(
location=vv['region'],
os_profile=os_profile,
plan=image_plan,
hardware_profile=hardware_profile,
storage_profile=storage_profile,
network_profile=network_profile)
result_object_vm_creation = compute_client.virtual_machines.create_or_update(
vv['resource_group_name'], computer_name, vm_profile)
result_object_vm_creation.wait()
vm_result = result_object_vm_creation.result()
# Get IP address
result = network_client.public_ip_addresses.get(
rg, public_ip_info.name)
public_ip = result.ip_address
vv['public_ip'] = public_ip
# If DMVPN hub, save info
if vv['type'] == 'hub':
hub_1_public = public_ip
hub_1_private = vv['dmvpn_address_router']
router = Router(vv['public_ip'], vv['username'], vv['password'],
vv['region'], vv['instance_type'],
settings.instance_types[vv['instance_type']])
if not router.initial_check_responsive():
print('router unresponsive')
if settings.regions[vv['region']]['smart_licensing'] == 'True':
if not router.register():
print('router unable to register with smart licensing')
config = router.render_config_from_template(
template_name='templates/baseline.j2', variables_dict=vv)
# want an exception if configuration result is not true
if not router.configure_router(config):
print('unable to configure router')
if vv['type'] == 'hub':
config = router.render_config_from_template(
template_name='templates/dmvpn_hub.j2', variables_dict=vv)
if not router.configure_router(config):
print('unable to configure router')
elif vv['type'] == 'spoke':
config = router.render_config_from_template(
template_name='templates/dmvpn_spoke.j2', variables_dict=vv)
if not router.configure_router(config):
print('unable to configure router')
elif vv['type'] == 'silb':
config = router.render_config_from_template(
template_name='templates/dmvpn_spoke_silb.j2',
variables_dict=vv)
if not router.configure_router(config):
print('unable to configure router')
elif vv['type'] == 'vnet':
config = router.render_config_from_template(
template_name='templates/app_vnet.j2', variables_dict=vv)
if not router.configure_router(config):
print('unable to configure router')
if not router.configure_router(
['end', 'event manager run 10interface']):
print('unable to configure 10 gigabitethernet interface')
router_counter += 1
# Tag SILB VNET with SILB private IP
if vv['type'] == 'silb':
lb_info = network_client.load_balancers.get(vv['resource_group_name'],
load_balancer_name)
silb_private_ip = lb_info.frontend_ip_configurations[
0].private_ip_address
vnet = network_client.virtual_networks.get(vv['resource_group_name'],
vv['vnet_name'])
vnet.tags.update({'tvpc_silb_private_address': silb_private_ip})
network_client.virtual_networks.create_or_update(
vv['resource_group_name'], vv['vnet_name'], vnet)
results_queue.put({
'hub_1_public': hub_1_public,
'hub_1_private': hub_1_private
})
def create_network_security_group(network_client, vm_resource):
# type: (azure.mgmt.network.NetworkManagementClient,
# settings.VmResource) ->
# msrestazure.azure_operation.AzureOperationPoller
"""Create a network security group
:param azure.mgmt.network.NetworkManagementClient network_client:
network client
:param settings.VmResource vm_resource: VM Resource
:rtype: msrestazure.azure_operation.AzureOperationPoller
:return: async op poller
"""
nsg_name = settings.generate_network_security_group_name(vm_resource)
# check and fail if nsg exists
try:
network_client.network_security_groups.get(
resource_group_name=vm_resource.resource_group,
network_security_group_name=nsg_name,
)
raise RuntimeError('network security group {} exists'.format(nsg_name))
except msrestazure.azure_exceptions.CloudError as e:
if e.status_code == 404:
pass
else:
raise
# create security rules as found in settings
priority = 100
security_rules = []
for nsi in vm_resource.network_security.inbound:
i = 0
ir = vm_resource.network_security.inbound[nsi]
for sap in ir.source_address_prefix:
proto = ir.protocol.lower()
if proto == 'tcp':
proto = networkmodels.SecurityRuleProtocol.tcp
elif proto == 'udp':
proto = networkmodels.SecurityRuleProtocol.udp
elif proto == '*':
proto = networkmodels.SecurityRuleProtocol.asterisk
else:
raise ValueError('Unknown protocol {} for rule {}'.format(
proto, nsi))
security_rules.append(
networkmodels.SecurityRule(
name=settings.generate_network_security_inbound_rule_name(
nsi, i),
description=settings.
generate_network_security_inbound_rule_description(nsi, i),
protocol=proto,
source_port_range='*',
destination_port_range=str(ir.destination_port_range),
source_address_prefix=sap,
destination_address_prefix='*',
access=networkmodels.SecurityRuleAccess.allow,
priority=priority,
direction=networkmodels.SecurityRuleDirection.inbound))
priority += 1
i += 1
if len(security_rules) == 0:
logger.warning('no security rules to apply, not creating a network '
'security group')
return None
logger.debug('creating network security group: {}'.format(nsg_name))
return network_client.network_security_groups.create_or_update(
resource_group_name=vm_resource.resource_group,
network_security_group_name=nsg_name,
parameters=networkmodels.NetworkSecurityGroup(
location=vm_resource.location,
security_rules=security_rules,
),
)