Update Tier 3 Deployment (#105)
* Changed default version of F5 in parameter table

* Updated F5 access steps

* Added F5 config steps to Tier 3 deployment guide

* Added RDP SSH Rules to workload NSG

* Updated usage guide for artifactsUrl parameter

* Changed default address space for workload
Updated documentation

* Added params and vars to mlz-ash.bicep
Added nsgRule module
Added updateMLZNSGs module
Added output to spokeNetwork module
Added output to hubDeploymentVaules module

* Updated T3 documentation

* Apply json changes

Co-authored-by: Phydeauxman <[email protected]>
Co-authored-by: Vidya Bala <[email protected]>
3 people authored Feb 14, 2022
1 parent 1a1ed75 commit 0ddb02a
Showing 12 changed files with 380 additions and 179 deletions.
7 changes: 4 additions & 3 deletions docs/F5_manual_cfg.md
Expand Up @@ -34,9 +34,10 @@ This guide will walk the MLZ-Edge deployer thru the steps to manually configure

From the system used to deploy the instance, RDP into the Windows 2019 management VM using the public IP. The credentials to use to authenticate to the VM are `azureuser` along with the password retrieved from the Key Vault.

Once logged onto the Windows 2019 VM, the administrator will be presented with the Server Manager application. On the left hand side of the `Server Manager` application, click on the `Local Server` blade. In the `PROPERTIES` pane for the `Local Server`, click the `IE Enhanced Security Configuration` setting and select `Off` for both `Administrators` and `Users`. Close the `Server Manager` application.
Once logged onto the Windows 2019 VM, right-click on the Internet Explorer icon on the Taskbar, right-click on `Internet Explorer` from the menu that opens and then select `Run as administrator`. Click `Yes` on the UAC dialog box that pops up.

From the Windows 2019 management VM, open Internet Explorer and enter the URL `https://<private_management_ip_of_the_F5_BIG-IP>`. The URL for a default deployment would be (<https://10.90.0.4>). A page stating `This site is not secure` should appear. Click the `More information` drop down on the page and then click on `Go on to the webpage (not recommended)` link.
In the address bar of Internet Explorer, enter the URL `https://<private_management_ip_of_the_F5_BIG-IP>`. The URL for a default deployment would be (<https://10.90.0.4>). In the Security Alert popup that opens, check the box next to `In the future, do not show this warning` and then click `OK`.
A page stating `This site is not secure` should appear. Click the `More information` drop down on the page and then click on `Go on to the webpage (not recommended)` link.

The `F5 BIG-IP Configuration Utility` page should appear. Login to the page with `f5admin` along with the password retrieved from the Key Vault.

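Review bot: The replacement step at new line 37 has the deployer tick `In the future, do not show this warning` on the Security Alert popup, which permanently silences that certificate warning in Internet Explorer on the management VM, and the next paragraph then still clicks through `Go on to the webpage (not recommended)`; the guide should say why the warning is expected on first connection to `https://10.90.0.4` (the BIG-IP management certificate is not trusted by the VM) and point to installing a trusted device certificate rather than suppressing the check, so that a later, unexpected warning on the same VM is not ignored. The two paragraphs also overlap: the Security Alert popup and the `This site is not secure` page are separate prompts, so state that both may appear rather than describing them as one step. Suggested wording for new line 37: `A certificate warning is expected here because the BIG-IP management interface does not yet have a certificate trusted by the management VM.`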
Expand All @@ -46,7 +47,7 @@ The `F5 BIG-IP Configuration Utility` page should appear. Login to the page with

Once logged into the F5 BIG-IP, the screen displayed will be the `Welcome` page of the `Setup Utility`. Click `Next` on the page.

On the `General Properties`, click `Activate` to enter the license key. Enter the license key into the `Base Registration Key` field, select `Manual` in the `Activation Method` field and then clcik the `Next` button.
On the `General Properties`, click `Activate` to enter the license key. Enter the license key into the `Base Registration Key` field, select `Manual` in the `Activation Method` field and then click the `Next` button.

On the next screen, select `Download/Upload File` and then click the `Click Here To Download Dossier File`. Transfer the `dossier.do` file downloaded to the `Downloads` folder to a system that has Internet connectivity.

5 changes: 3 additions & 2 deletions docs/F5_scripted_config.md
Expand Up @@ -29,9 +29,10 @@ This guide will walk the MLZ-Edge deployer thru the steps to configure the F5 BI

From the system used to deploy the instance, RDP into the Windows 2019 management VM using the public IP. The credentials to use to authenticate to the VM are `azureuser` along with the password retrieved from the Key Vault.

Once logged onto the Windows 2019 VM, the administrator will be presented with the Server Manager application. On the left hand side of the `Server Manager` application, click on the `Local Server` blade. In the `PROPERTIES` pane for the `Local Server`, click the `IE Enhanced Security Configuration` setting and select `Off` for both `Administrators` and `Users`. Close the `Server Manager` application.
Once logged onto the Windows 2019 VM, right-click on the Internet Explorer icon on the Taskbar, right-click on `Internet Explorer` from the menu that opens and then select `Run as administrator`. Click `Yes` on the UAC dialog box that pops up.

From the Windows 2019 management VM, open Internet Explorer and enter the URL `https://<private_management_ip_of_the_F5_BIG-IP>`. The URL for a default deployment would be (<https://10.90.0.4>). A page stating `This site is not secure` should appear. Click the `More information` drop down on the page and then click on `Go on to the webpage (not recommended)` link.
In the address bar of Internet Explorer, enter the URL `https://<private_management_ip_of_the_F5_BIG-IP>`. The URL for a default deployment would be (<https://10.90.0.4>). In the Security Alert popup that opens, check the box next to `In the future, do not show this warning` and then click `OK`.
A page stating `This site is not secure` should appear. Click the `More information` drop down on the page and then click on `Go on to the webpage (not recommended)` link.

The `F5 BIG-IP Configuration Utility` page should appear. Login to the page with `f5admin` along with the password retrieved from the Key Vault.

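Review bot: New lines 32 and 34 repeat the F5_manual_cfg.md change word for word (run IE as administrator, tick `In the future, do not show this warning`, click through `Go on to the webpage (not recommended)`); move the shared "reach the Configuration Utility from the Windows 2019 management VM" steps into one document that both guides link to so the two copies do not drift, and in that shared text explain that the certificate warning is expected on first connection instead of instructing the deployer to suppress it permanently.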
5 changes: 3 additions & 2 deletions docs/STIG_Guide.md
Expand Up @@ -14,11 +14,12 @@ Optional:

Currently the process is as follows:

Step 1: The syndication container process described in the [Deployment Container Setup README](./STIG_Guide.md) will not only allow uploading the required market place items needed by MLZ to deploy but also Marketplace items for DSC to set STIG controls as well as a set of scripts and tools needed to accomplish the setting of controls.
Step 1: The syndication container process described in the [Deployment Container Setup README](./Deployment_container_setup.md) will not only allow uploading the required Marketplace items needed by MLZ to deploy but also Marketplace items for DSC to set STIG controls as well as a set of scripts and tools needed to accomplish the setting of controls.
These tools will be uploaded into a storage account in the admin portal of the Azure Stack Hub and made readable to all on the network. Not all files uploaded to the storage account are currently used as part of the base MLZ deployment but are provided for customized deployments.
Step 2: During the deployment of a landing zone instance, the `[artifactsUrl](./STIG_Guide.md)` parameter can be set to `<storage suffix>` which then adds the 'custom script' and 'DSC' extensions to the Windows remote access host. Example: `myregion.azurestack.local`.
Step 2: During the deployment of a landing zone instance, the `artifactsUrl` parameter can be set to `<storage_suffix_for_target_platform>` which then adds the 'custom script' and 'DSC' extensions to the Windows remote access host. Example: `myregion.azurestack.local`.

Once the syndication process has uploaded the required scripts and files for the STIG process, PowerShell commands can be run to add the extensions to existing Windows VM's deployed on the ASH stamp.

>**NOTE**: The Linux VM STIG process is still under development
Example: Optionally run after deployment
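Review bot: The corrected Step 2 at new line 18 should state that `artifactsUrl` takes only the storage suffix (the example `myregion.azurestack.local` suggests the template builds the full URL from it), and, because the preceding context says the scripts are uploaded to a storage account "made readable to all on the network" and are then executed on the Windows remote access host by the custom script and DSC extensions, the guide should tell the deployer how to confirm who can write to that storage account and how to verify the uploaded scripts (a published checksum for the container contents) before setting the parameter; anything placed there runs on the host with the extension's privileges. The Step 1 link fix to `./Deployment_container_setup.md` is correct; the old `[artifactsUrl](./STIG_Guide.md)` self-link is rightly dropped.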
120 changes: 103 additions & 17 deletions docs/Tier3_Workload_deployment.md
@@ -1,40 +1,126 @@
# Mission LZ Edge Bicep - Tier 3 workload

## Deployment
## Table of Contents

### **Prerequisistes**
1. [Deployment Prerequisites](#deployment-prerequisistes)
1. [Deployment Parameters](#workload-tier3-deployment-parameters)
1. [Deploy with default parameters](#default-mlz-workload-tier3-instance-deployment)
1. [Deploy with custom parameters](#custom-mlz-workload-tier3-instance-deployment)
1. [Post Deployment F5 Configuration](#post-deployment-f5-configuration)

The Mission LZ - Edge existing deployment to Azure Stack subscription.
## **Deployment Prerequisistes**

### **Common Workload(tier3)Deployment Parameters**
Existing MLZ-Edge instance

## **Workload (Tier3) Deployment Parameters**

Below is a table of parameters that should be reviewed before deployment. While not an exhaustive list of all parameters, these parameters either do not have default values or have defaults that customers may want to modify:

**Parameter Name** | **Default value** | **Description**
------------------------| --------------| -----------
addSpokeRules | false | Boolen value that is used to enable or disable the addition of NSG rules to the MLZ spoke NSGs to allow traffic to flow from the workload to the Identity, Operations, and ShareServices spoke
rulePriority | 100 | Integer value that denotes the priority to assign to a rule
resourcePrefix | None | A prefix, 3-10 alphanumeric characters without whitespace, used to prefix resources and generate uniqueness for resources with globally unique naming requirements like Storage Accounts & key Vaults
hubDeploymentName | None | Required to extract MLZ-ASH deployment values
hubSubscriptionId | None | Required to extract MLZ-ASH deployment values
hubResourceGroupName | None | Required to extract MLZ-ASH deployment values
workloadVirtualNetworkAddressPrefix | 10.94.0.0/16 | The CIDR Virtual Network Address Prefix for the Workload Virtual Network
workloadsSubnetAddressPrefix | 10.94.0.0/24 | The CIDR Subnet Address Prefix for the default Workload subnet. It must be in the Workload Virtual Network space
workloadVirtualNetworkAddressPrefix | 10.100.0.0/16 | The CIDR Virtual Network Address Prefix for the Workload Virtual Network
workloadsSubnetAddressPrefix | 10.100.0.0/24 | The CIDR Subnet Address Prefix for the default Workload subnet. It must be in the Workload Virtual Network space

## **Default MLZ Workload (Tier3) Instance deployment**

To deploy workload to an existing MLZ-ASH instance with default values for the virtual network and subnet, provide values for the `resourcePrefix, region, hubDeploymentName, hubSubscriptionId,` and `hubResourceGroupName` parameters and specify the `./workloadSpoke.bicep` template file. The deployment will extract values from the hub deployment to be used to deploy the workload Tier3.
Using the default deployment example below, the workload will be deployed but will NOT be able to communicate with resources deployed in the MLZ spokes (Identity, Operations, Shared Services)

Step 1: cd src/bicep/tier3WorkloadSpoke

Step 2: Run the deployment script below:

#### **Default MLZ workload(tier3) Instance deployment**
```plaintext
resourcePrefix="<value>"
region="<value>"
hubDeploymentName="<value>"
hubSubscriptionId="<value>"
hubResourceGroupName="<value>"
az deployment sub create \
--name "deploy-tier3-${resourcePrefix}" \
--location ${region} \
--template-file ./workloadSpoke.bicep \
--parameters \
resourcePrefix=${resourcePrefix}
hubDeploymentName=${hubDeploymentName} \
hubSubscriptionId=${hubSubscriptionId} \
hubResourceGroupName=${hubResourceGroupName}
```

## **Custom MLZ Workload (Tier3) Instance deployment**

To deploy workload to an existing MLZ-ASH instance with default values, provide values for the --name, --location parameters (by default, location will be "local" unless that stamp has a custom domain name) and specify the `./workloadSpoke.bicep` template file with following parameters to extract output values of existing MLZ-ASH deployment: resourcePrefix,hubDeploymentName,hubSubscriptionId, and hubResourceGroupName
To deploy a workload to an existing MLZ-ASH instance with custom values for other parameters, provide values for the `resourcePrefix, region, hubDeploymentName, hubSubscriptionId,` and `hubResourceGroupName` parameters, specify the `./workloadSpoke.bicep` template file then add the additional parameters to be changed.
The deployment will extract values from the hub deployment to be used to deploy the workload Tier3.
The deployment below enables rules being added to the Network Security Groups (NSGs) of the MLZ spokes (Identity, Operations, Shared Services).
Using the example below would add an NSG rule to each of the spoke NSGs aloowing traffic from the workload to flow into the spoke. If using this example, make sure to also follow the steps outline in optional [section](#optional---post-deployment-f5-configuration) below to configure the fire wall for the traffic flow.

Step 1: cd src/bicep/tier3WorkloadSpoke

Step 2: Run the deployment script below with defaults by providing required parameter values for resourcePrefix and keyVaultAccessPolicyObjectId
Step 2: Run the deployment script below:

```plaintext
resourcePrefix="<value>"
region="<value>"
hubDeploymentName="<value>"
hubSubscriptionId="<value>"
hubResourceGroupName="<value>"
addSpokeRules="true"
rulePriority="<value>"
az deployment sub create \
--name <t3 deployment Name> \
--template-file workloadSpoke.bicep \
--location 3173r03b \
--name "deploy-tier3-${resourcePrefix}" \
--location ${region} \
--template-file ./workloadSpoke.bicep \
--parameters \
resourcePrefix =<resource prefix> \
hubDeploymentName = {Hub and Spoke Deployment Name that recently deployed} \
hubSubscriptionId = {Hub Subscription Id} \
hubResourceGroupName = {Hub Resource Group Name}
```
resourcePrefix=${resourcePrefix}
hubDeploymentName=${hubDeploymentName} \
hubSubscriptionId=${hubSubscriptionId} \
hubResourceGroupName=${hubResourceGroupName} \
addSpokeRules=${addSpokeRules} \
rulePriority=${rulePriority}
```

## **Post Deployment F5 Configuration**

Once a workload (Tier 3) is deployed, configurations need to be made to the F5 to enable traffic flows out of the new workload. The steps that follow will detail the configurations to make that will enable flows initiated from within the workload virtual network.

The configurations need to be made on the F5 in the MLZ-Edge hub. Access to the F5 portal is done from the Windows 2019 management VM deployed in the hub attached to the `MGMT` subnet.

Remote Access into the workload (Tier 3) virtual network will only be possible from the Windows 2019 VM deployed in the hub. This traffic is allowed via the virtual network peering that is established between the workload virtual network and the hub virtual network as part of the workload deployment.

### **OPTIONAL - Workload to MLZ Tiers Flow**

The steps below should only be performed if the workload was deployed setting the `addSpokeRules` parameter to `true`. The steps below will allow traffic initiated in the workload with a destination for one of the MLZ-Edge tiers (Identity, Shared Services, Operations):

In the `Local Traffic > Virtual Servers > Virtual Server List` section, click the `Create...` button and enter the information below:

- Enter a name and description for the Virtual Server (example: `<name_for_workload>_to_MLZ-Spokes`)
- In the `Type` dropdown, select `Forwarding (IP)`
- In the `Source Address` field, enter `<workload_address_space/mask>`. Using deployment defaults, value would be `10.100.0.0/16`
- In the `Destination Address/Mask` field, enter `10.88.0.0/13`. This is the default value which is a supernet of the MLZ spoke virtual networks
- In the `Service Port` field, select `* All Ports`.
- In the `VLAN and Tunnel Traffic` field, select `Enabled on...` from the dropdown.
- In the `VLANS and Tunnels` field, select the VLAN that is associated with the internal subnet (example: `Internal_Interface`).
- In the `Source Address Translation` field, select `Auto Map` from the dropdown.
- Leave all other fields with the default settings and click the `Finished` button at the bottom of the page

### **Workload to External Flow**

The steps below will allow traffic initiated in the workload with a destination external to the MLZ-Edge instance:

- Enter a name and description for the Virtual Server (example: `<name_for_workload>_to_External`)
- In the `Type` dropdown, select `Forwarding (IP)`
- In the `Source Address` field, enter `<workload_address_space/mask>`. Using deployment defaults, value would be `10.100.0.0/16`
- In the `Destination Address/Mask` field, enter `0.0.0.0/0`. This can be further restricted down depending on the desired traffic flow.
- In the `Service Port` field, select `HTTPS`.
- In the `VLAN and Tunnel Traffic` field, select `Enabled on...` from the dropdown.
- In the `VLANS and Tunnels` field, select the VLAN that is associated with the internal subnet (example: `Internal_Interface`).
- In the `Source Address Translation` field, select `Auto Map` from the dropdown.
- Leave all other fields with the default settings and click the `Finished` button at the bottom of the page
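Review bot: Both deployment scripts in this hunk are broken as shell: new line 45 `resourcePrefix=${resourcePrefix}` and new line 97 `resourcePrefix=${resourcePrefix}` have no trailing `\`, so the `az deployment sub create` command ends there and the `hubDeploymentName=...` lines that follow run as plain shell assignments; the deployment would then fail for missing required parameters. Add the continuation backslash on both lines. Further points in the same hunk: the link `#optional---post-deployment-f5-configuration` at new line 67 matches no heading in the new file (the headings are `## **Post Deployment F5 Configuration**` and `### **OPTIONAL - Workload to MLZ Tiers Flow**`); the `Workload to External Flow` list at new line 114 is missing the `Local Traffic > Virtual Servers > Virtual Server List`, `Create...` sentence that the spoke flow section has, so the reader does not know where to enter those fields; `Prerequisistes` (heading and two anchors), `Boolen`, `aloowing`, `outline`, and `fire wall` are typos; and the `Workload to MLZ Tiers Flow` virtual server forwards `* All Ports` from the entire `10.100.0.0/16` workload space to `10.88.0.0/13`, so the doc should tell the deployer to narrow `Service Port` and `Destination Address/Mask` to the flows the workload actually needs, as the external flow section already does for `0.0.0.0/0`.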
13 changes: 9 additions & 4 deletions docs/Usage_Guide.md
Expand Up @@ -8,6 +8,7 @@
1. [Remote Access](#remote-access)
1. [Deployment Examples](#deployment-examples)
1. [Deployment Process](#deployment-process)
1. [Workload Deployment](#workload-deployment)

## **Prerequisistes**

Expand Down Expand Up @@ -57,10 +58,12 @@ sharedServicesSubnetAddressPrefix | 10.93.0.0/24 | The CIDR Subnet Address Prefi
f5VmAuthenticationType | sshPublicKey | Allowed values are {password, sshPublicKey} with a minimum length of 14 characters with atleast 1 uppercase, 1 lowercase, 1 alphnumeric, 1 special character
f5VmAdminUsername | f5admin | Administrator account on the F5 NVAs that get deployed
f5VmSize | Standard_DS3_v2 | The size of the F5 firewall appliance. It defaults to "Standard_DS3_v2"
f5VmImageVersion | 15.0.100000 | Version of F5 BIG-IP sku being deployed
f5VmImageVersion | 15.1.004000 | Version of F5 BIG-IP sku being deployed
[artifactsUrl](./STIG_Guide.md) | None | Setting to the storage suffix will allow Desired State Configuration on Windows remote access host to set STIG related controls. ie: location.azurestack.local
deployLinux | false | Setting to true deploys a Ubuntu 180.04 management VM alongside the Windows 2019 management VM using the same credentials

>**NOTE** The `artifactsUrl` parameter is reliant on the existance of a storage account that has been populated with source files using the deployment container. If deploying MLZ-Edge into Azure Commercial or Azure Government hyper-scale, do not include the `artifactsUrl` in the deployment command.
## **Setup Deployment Container**

The deployment container can be created using the container image generated from the dockerfile in this repo. Transfer the image to the MLZ deployment system. Once the image is on the MLZ deployment system and imported into the local docker repository, perform the steps below to create and configure the deployment container:
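Review bot: `Ubuntu 180.04` at new line 64 should read `18.04`. The added NOTE at new line 66 needs a blank line after it so the blockquote does not run straight into the `## **Setup Deployment Container**` heading, and it should also say what happens if `artifactsUrl` is set without the storage account in place (extension install failure on the remote access host) so the deployer can recognise the symptom. Separately, the `f5VmAuthenticationType` row still lists `sshPublicKey` as the default while this same file's custom deployment example describes `password` as the default; reconcile the two.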
Expand Down Expand Up @@ -149,22 +152,20 @@ az deployment sub create \
keyVaultAccessPolicyObjectId=${keyVaultAccessPolicyObjectId}
```

The example below is a custom deployment in Azure Government that overrides the `f5VmAuthenticationType` default of `password` with `sshPublicKey` and [allows setting STIG controls on the Windows machine](./STIG_Guide.md) by setting `artifactsUrl` to the storage accounts suffix, ie; local.azurestack.external:
The example below is a custom deployment in Azure Government that overrides the `f5VmAuthenticationType` default of `password` with `sshPublicKey`:

```plaintext
resourcePrefix="<value>"
f5AuthType="sshPublicKey"
f5VmImageVersion="15.1.400000"
keyVaultAccessPolicyObjectId="<value>"
region="<value>"
artifactsUrl="<value>"
az deployment sub create \
--name "deploy-mlz-${resourcePrefix}" \
--location ${region} \
--template-file ./mlz-ash.bicep \
--parameters \
artifactsUrl=${artifactsUrl} \
resourcePrefix=${resourcePrefix} \
f5VmAuthenticationType=${f5AuthType} \
f5VmImageVersion=${f5VmImageVersion} \
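Review bot: New line 155 says the example overrides the `f5VmAuthenticationType` default of `password`, but the parameter table earlier in this file gives the default as `sshPublicKey`; one of the two is wrong and the table is the one a deployer will trust. The example's `f5VmImageVersion="15.1.400000"` also differs from the new table default `15.1.004000`; confirm which version string the Marketplace image actually carries and use it in both places. Dropping `artifactsUrl` from the example is consistent with the new NOTE in the table, but the sentence no longer points anywhere for the STIG case; keep a short pointer to `./STIG_Guide.md` so that information stays discoverable.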
Expand Down Expand Up @@ -274,3 +275,7 @@ To deploy an initial instance of MLZ onto an Azure Stack Hub stamp that has been
1. Configure the F5 BIG-IP using the appropriate guide ([Partially Scripted](./F5_manual_cfg.md) or [Fully Scripted](./F5_scripted_config.md)) for the deployment scenario
1. Test remote (RDP) connectivity to the F5 BIG-IP using the `Inbound` public IP of the F5
1. If the test in the previouis step is successful, disassociate the public IP attached to the Windows 2019 management VM NIC and delete the public IP resource

## **Workload Deployment**

Once the MLZ-Edge instance is deployed and functional as outlined in the [Deployment Process](#deployment-process) section, `N` number of Tier 3 deployments can be performed to integrate workloads with the MLZ-Edge instance. Refer to the [Tier 3 Workload Deployment Guide](./Tier3_Workload_deployment.md) for details on deploying workloads.
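Review bot: The new `Workload Deployment` section says `N` Tier 3 deployments can be performed, but the linked Tier 3 guide (changed in this same commit) fixes the default `workloadVirtualNetworkAddressPrefix` at `10.100.0.0/16`; state here that every additional workload must be deployed with non-overlapping `workloadVirtualNetworkAddressPrefix` and `workloadsSubnetAddressPrefix` values, otherwise the second workload's address space overlaps the first and its peering to the hub cannot be established. Also `previouis` at new line 277 should be `previous`.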
