예제 #1
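def create_nfs_nsg(config, args):
    """Create the NFS node NSG and its inbound rules through the Azure CLI.

    Reads ``config["azure_cluster"]`` (resource group, NSG name, NFS node
    count) and ``config["cloud_config_nsg_rules"]`` (operator source ranges,
    SSH port, optional service tags) and hands every ``az`` command to
    ``execute_or_dump_locally``, which honours ``args.verbose``,
    ``args.dryrun`` and ``args.output``.

    Args:
        config: parsed cluster configuration (config.yaml).
        args: CLI namespace providing ``verbose``, ``dryrun`` and ``output``.

    Raises:
        ValueError: if ``dev_network.source_addresses_prefixes`` is missing;
            without it the NSG would not admit the operator's network.
    """
    nsg_rules = config["cloud_config_nsg_rules"]
    azure = config["azure_cluster"]

    # A real exception instead of ``assert``: the check must survive ``-O``.
    if "source_addresses_prefixes" not in nsg_rules["dev_network"]:
        raise ValueError(
            "Please setup source_addresses_prefixes in config.yaml, "
            "otherwise, your cluster cannot be accessed")
    source_addresses_prefixes = nsg_rules["dev_network"][
        "source_addresses_prefixes"]
    # config.yaml may hold the prefixes as one space separated string;
    # list + str would raise below, so normalise to a list first.
    if isinstance(source_addresses_prefixes, str):
        source_addresses_prefixes = source_addresses_prefixes.split()

    resource_group = azure["resource_group"]
    nfs_nsg_name = azure["nfs_nsg_name"]

    # The NSG itself only exists when the cluster has NFS nodes.
    if int(azure["nfs_node_num"]) > 0:
        cmd = """az network nsg create \
                --resource-group %s \
                --name %s
            """ % (resource_group, nfs_nsg_name)
        execute_or_dump_locally(cmd, args.verbose, args.dryrun, args.output)

    # Collapse overlapping ranges so the rule lists only the widest subnets.
    merged_ip = keep_widest_subnet(
        nsg_rules["nfs_ssh"]["source_ips"] + source_addresses_prefixes)
    # NOTE(review): no --protocol is given, so the CLI default applies and
    # this SSH rule is not limited to tcp; ``--protocol tcp`` would narrow it.
    cmd = """az network nsg rule create \
            --resource-group %s \
            --nsg-name %s \
            --name allow_ssh \
            --priority 1200 \
            --destination-port-ranges %s \
            --source-address-prefixes %s \
            --access allow
        """ % (
        resource_group,
        nfs_nsg_name,
        nsg_rules["nfs_ssh"]["port"],
        " ".join(merged_ip),
    )
    execute_or_dump_locally(cmd, args.verbose, args.dryrun, args.output)

    # One rule per configured service tag, at consecutive priorities from 1300.
    tcp_port_ranges = nsg_rules.get("tcp_port_ranges", "'*'")
    for i, service_tag in enumerate(nsg_rules.get("service_tags", [])):
        create_nsg_rule_with_service_tag(
            resource_group, nfs_nsg_name, 1300 + i,
            tcp_port_ranges, service_tag, args)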
예제 #2
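def add_nsg_rule_whitelist(config, args, ips):
    """Create or refresh the ``whitelist`` NSG rule for extra source IPs.

    Replicates dev_network access for whitelisted users: starts from the
    configured whitelist prefixes, falls back to
    ``dev_network.source_addresses_prefixes`` when that list is empty, adds
    any *ips* given on the command line, and opens ``tcp_port_ranges`` on
    the cluster NSG for the merged set.

    Args:
        config: parsed cluster configuration (config.yaml).
        args: CLI namespace providing ``verbose``, ``dryrun`` and ``output``.
        ips: optional comma separated string of additional IPs/CIDRs;
            ``None`` or ``""`` adds nothing.

    Raises:
        SystemExit: when neither a whitelist nor
            ``dev_network.source_addresses_prefixes`` is configured.
    """
    # Work on a copy: the original ``+=`` extended the list object it was
    # handed (in the fallback branch, the config's own list), mutating it.
    prefixes = list(whitelist_source_address_prefixes(config))
    if not prefixes:
        dev_network = config["cloud_config_nsg_rules"]["dev_network"]
        configured = dev_network.get("source_addresses_prefixes")
        if configured is None:
            # exit() would return status 0; SystemExit(msg) prints msg, exits 1.
            raise SystemExit("Please setup source_addresses_prefixes in config.yaml")
        # config.yaml may hold the prefixes as one space separated string.
        if isinstance(configured, str):
            configured = configured.split()
        prefixes = list(configured)

    # ``ips`` is a comma separated string; tolerate stray spaces and blanks.
    if ips:
        prefixes.extend(ip.strip() for ip in ips.split(",") if ip.strip())

    # Safe guard against overlapping IP range
    prefixes = keep_widest_subnet(prefixes)
    # Dedupe; sorted so the generated command is stable between runs.
    source_address_prefixes = " ".join(sorted(set(prefixes)))

    resource_group = config["azure_cluster"]["resource_group"]
    nsg_name = config["azure_cluster"]["nsg_name"]
    tcp_port_ranges = config["cloud_config_nsg_rules"]["tcp_port_ranges"]

    cmd = """
        az network nsg rule create \
            --resource-group %s \
            --nsg-name %s \
            --name whitelist \
            --protocol tcp \
            --priority 1005 \
            --destination-port-ranges %s \
            --source-address-prefixes %s \
            --access allow
        """ % (resource_group, nsg_name, tcp_port_ranges,
               source_address_prefixes)

    execute_or_dump_locally(cmd, args.verbose, args.dryrun, args.output)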
예제 #3
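def create_nfs_nsg():
    """Create the NFS node NSG and its ``allow_ssh`` / ``allow_share`` rules.

    Uses module globals: ``config`` (parsed config.yaml), ``verbose`` (echo
    each command before running it), ``no_execution`` (build the commands
    but do not run them) and ``utils`` (``exec_cmd_local``,
    ``keep_widest_subnet``).

    Raises:
        SystemExit: if ``cloud_config.dev_network.source_addresses_prefixes``
            is missing; without it the cluster cannot be accessed.
    """
    def _run(cmd):
        # One runner for all three commands: previously the allow_share
        # command skipped the verbose echo the other two had.
        if verbose:
            print(cmd)
        if not no_execution:
            output = utils.exec_cmd_local(cmd)
            print(output)

    dev_network = config["cloud_config"]["dev_network"]
    if "source_addresses_prefixes" not in dev_network:
        # exit() would return status 0; SystemExit(msg) prints msg, exits 1.
        raise SystemExit(
            "Please setup source_addresses_prefixes in config.yaml, "
            "otherwise, your cluster cannot be accessed")
    source_addresses_prefixes = dev_network["source_addresses_prefixes"]

    azure = config["azure_cluster"]
    resource_group = azure["resource_group_name"]
    nfs_nsg_name = azure["nfs_nsg_name"]
    cloud_config = config["cloud_config"]

    # The NSG itself only exists when the cluster has NFS nodes.
    if int(azure["nfs_node_num"]) > 0:
        _run("""
            az network nsg create \
                --resource-group %s \
                --name %s
            """ % (resource_group, nfs_nsg_name))

    # allow_ssh: the SSH port from nfs_ssh.source_ips plus the operator
    # network, collapsed to the widest subnets. (The debug print of the
    # operand types that used to precede this was removed.)
    merged_ip = utils.keep_widest_subnet(
        cloud_config["nfs_ssh"]["source_ips"] + source_addresses_prefixes)
    _run("""
        az network nsg rule create \
            --resource-group %s \
            --nsg-name %s \
            --name allow_ssh \
            --priority 1200 \
            --destination-port-ranges %s \
            --source-address-prefixes %s \
            --access allow
        """ % (
        resource_group,
        nfs_nsg_name,
        cloud_config["nfs_ssh"]["port"],
        " ".join(merged_ip),
    ))

    # allow_share: every port ('*'), but only from nfs_share.source_ips, so
    # that list alone bounds the reach of this rule.
    _run("""
        az network nsg rule create \
            --resource-group %s \
            --nsg-name %s \
            --name allow_share \
            --priority 1300 \
            --source-address-prefixes %s \
            --destination-port-ranges '*' \
            --access allow
        """ % (
        resource_group,
        nfs_nsg_name,
        " ".join(cloud_config["nfs_share"]["source_ips"]),
    ))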
예제 #4
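def vm_interconnects(config, args):
    """Open the intra-cluster NSG rules between the deployed VMs.

    Reads the VM inventory from ``STATUS_YAML`` and creates/updates three
    rules in one chained ``az`` invocation:

    * ``tcpinterconnect`` on the cluster NSG: inter_connect tcp ports from
      every VM's public IP;
    * ``nfs_allow_master`` on the NFS NSG: nfs_allow_master tcp ports from
      the infra VMs' public IPs only;
    * ``allowalltcp`` on the cluster NSG: source set to
      ``restricted_source_address_prefixes`` (plus the infra IPs when it is
      a list), or ``'*'`` when that key is absent.

    Args:
        config: parsed cluster configuration (config.yaml).
        args: CLI namespace providing ``verbose``, ``dryrun`` and ``output``.
    """
    with open(STATUS_YAML) as f:
        vminfo = yaml.safe_load(f)

    # Every VM as a /32 host prefix; infra VMs are collected separately too.
    ip_list, infra_ip_list = [], []
    for onevm in vminfo["machines"].values():
        host_prefix = onevm["public_ip"] + "/32"
        ip_list.append(host_prefix)
        if 'infra' in onevm['role']:
            infra_ip_list.append(host_prefix)

    azure = config["azure_cluster"]
    nsg_rules = config["cloud_config_nsg_rules"]
    resource_group = azure["resource_group"]

    allowed_incoming_ips = " ".join(ip_list)
    cmd = """
        az network nsg rule create \
            --resource-group %s \
            --nsg-name %s \
            --name tcpinterconnect \
            --protocol tcp \
            --priority 850 \
            --destination-port-ranges %s \
            --source-address-prefixes %s \
            --access allow
        """ % (resource_group,
               azure["nsg_name"],
               nsg_rules["inter_connect"]["tcp_port_ranges"],
               allowed_incoming_ips)
    allowed_incoming_infra_ips = " ".join(infra_ip_list)
    # The commands are joined with ``;``: when run through a shell a failed
    # rule does not stop the later ones, so the output must be checked.
    cmd += """
        ; az network nsg rule create \
            --resource-group %s \
            --nsg-name %s \
            --name nfs_allow_master \
            --protocol tcp \
            --priority 1400 \
            --destination-port-ranges %s \
            --source-address-prefixes %s \
            --access allow
        """ % (resource_group,
               azure["nfs_nsg_name"],
               nsg_rules["nfs_allow_master"]["tcp_port_ranges"],
               allowed_incoming_infra_ips)

    # Source for the allowalltcp rule. Without a configured restriction it
    # falls back to '*' (any source), so restricted_source_address_prefixes
    # should be set in config.yaml to keep this rule narrow.
    restricted_source_address_prefixes = "'*'"
    if "restricted_source_address_prefixes" in nsg_rules:
        restricted_source_address_prefixes = nsg_rules[
            "restricted_source_address_prefixes"]
        if isinstance(restricted_source_address_prefixes, list):
            # Infra VMs are always admitted; sorted(set(...)) dedupes and
            # keeps the generated command stable between runs.
            restricted_source_address_prefixes = " ".join(
                keep_widest_subnet(
                    infra_ip_list +
                    sorted(set(restricted_source_address_prefixes))))

    cmd += """
        ; az network nsg rule update \
            --resource-group %s \
            --nsg-name %s \
            --name allowalltcp \
            --source-address-prefixes %s \
            --access allow
        """ % (resource_group,
               azure["nsg_name"],
               restricted_source_address_prefixes)

    execute_or_dump_locally(cmd, args.verbose, args.dryrun, args.output)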