added 810 net gateway

800_onprem_vpn/commands.ps1 → 800_onprem_vpn_gateway_p2s/certs/commands.ps1

@@ -22,11 +22,12 @@ $params = @{
 
 $RootCert = New-SelfSignedCertificate @params
 
-Export-Certificate -Cert $RootCert -FilePath ".\certs\P2SRootCert800Encoded.cer" -NoClobber | Out-Null
+Export-Certificate -Cert $RootCert -FilePath ".\P2SRootCert800Encoded.cer" -NoClobber | Out-Null
 
-certutil -encode ".\certs\P2SRootCert800Encoded.cer" ".\certs\P2SRootCert800.cer" | Out-Null
+certutil -encode ".\P2SRootCert800Encoded.cer" ".\P2SRootCert800.cer" | Out-Null
 
 # Generate a client certificate
+# Optional if you want to use the certificate in another machine
 
 Get-ChildItem -Path "Cert:\CurrentUser\My"
 # PSParentPath: Microsoft.PowerShell.Security\Certificate::CurrentUser\My
@@ -58,4 +59,4 @@ $ClientCert = New-SelfSignedCertificate @params
 
 $CertPwd = ConvertTo-SecureString -String "@Aa123456789" -Force -AsPlainText
 
-Export-PfxCertificate -FilePath ".\certs\P2SClientCert800.pfx" -Password $CertPwd -Cert $ClientCert | Out-Null
+Export-PfxCertificate -FilePath ".\P2SClientCert800.pfx" -Password $CertPwd -Cert $ClientCert | Out-Null

800_onprem_vpn_gateway_p2s/output.tf

@@ -0,0 +1,15 @@
+output "vm_linux_hub_private_ip" {
+ value = azurerm_linux_virtual_machine.vm.private_ip_address
+}
+
+output "vm_windows_hub_private_ip" {
+ value = azurerm_windows_virtual_machine.vm.private_ip_address
+}
+
+output "storage_account_url" {
+ value = azurerm_storage_account.sa.primary_blob_endpoint
+}
+
+output "storage_account_blob_url" {
+ value = azurerm_storage_blob.blob.url
+}

800_onprem_vpn/private_dns_zone.tf → 800_onprem_vpn_gateway_p2s/private_dns_zone.tf

@@ -3,7 +3,7 @@ resource "azurerm_private_dns_zone" "private-dns-zone" {
  resource_group_name = azurerm_resource_group.rg.name
 }
 
-resource "azurerm_private_dns_a_record" "dns_a_record_test" {
+resource "azurerm_private_dns_a_record" "a-record" {
  name = "vm"
  zone_name = azurerm_private_dns_zone.private-dns-zone.name
  resource_group_name = azurerm_private_dns_zone.private-dns-zone.resource_group_name

800_onprem_vpn/rg.tf → 800_onprem_vpn_gateway_p2s/rg.tf

@@ -1,4 +1,4 @@
 resource "azurerm_resource_group" "rg" {
- name = "rg-vnet-gateway-basic-${var.prefix}"
+ name = "rg-vpn-gateway-p2s-${var.prefix}"
  location = "westeurope"
 }

800_onprem_vpn_gateway_p2s/storage_account.tf

@@ -0,0 +1,21 @@
+resource "azurerm_storage_account" "sa" {
+ name = "storageaccgw${var.prefix}"
+ resource_group_name = azurerm_resource_group.rg.name
+ location = azurerm_resource_group.rg.location
+ account_tier = "Standard"
+ account_replication_type = "LRS"
+}
+
+resource "azurerm_storage_container" "container" {
+ name = "content"
+ storage_account_name = azurerm_storage_account.sa.name
+ container_access_type = "private"
+}
+
+resource "azurerm_storage_blob" "blob" {
+ name = "my-awesome-content.zip"
+ storage_account_name = azurerm_storage_account.sa.name
+ storage_container_name = azurerm_storage_container.container.name
+ type = "Block"
+ source = "Readme.md"
+}

800_onprem_vpn/windows_vm.tf → 800_onprem_vpn_gateway_p2s/vm_windows.tf

@@ -20,8 +20,6 @@ resource "azurerm_windows_virtual_machine" "vm" {
  admin_password = "@Aa123456789"
  network_interface_ids = [azurerm_network_interface.nic-vm-windows.id]
 
- # custom_data = filebase64("./install-tools-windows.ps1")
-
  os_disk {
  caching = "ReadWrite"
  storage_account_type = "Standard_LRS"
@@ -37,17 +35,4 @@ resource "azurerm_windows_virtual_machine" "vm" {
  boot_diagnostics {
  storage_account_uri = null
  }
-}
-
-# resource "azurerm_virtual_machine_extension" "cloudinit" {
-# name = "cloudinit"
-# virtual_machine_id = azurerm_windows_virtual_machine.vm.id
-# publisher = "Microsoft.Compute"
-# type = "CustomScriptExtension"
-# type_handler_version = "1.10"
-# settings = <<SETTINGS
-# {
-# "commandToExecute": "powershell -ExecutionPolicy unrestricted -NoProfile -NonInteractive -command \"cp c:/azuredata/customdata.bin c:/azuredata/install.ps1; c:/azuredata/install.ps1\""
-# }
-# SETTINGS
-# }
+}

800_onprem_vpn/vnet_gateway.tf → 800_onprem_vpn_gateway_p2s/vpn_gateway.tf

@@ -5,8 +5,8 @@ resource "azurerm_public_ip" "pip-vnet-gateway" {
  allocation_method = "Dynamic"
 }
 
-resource "azurerm_virtual_network_gateway" "vnet-gateway" {
- name = "vnet-gateway"
+resource "azurerm_virtual_network_gateway" "vpn-gateway" {
+ name = "vpn-gateway"
  location = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
 

810_onprem_vpn_gateway_p2s_hub_spokes/Readme.md

@@ -0,0 +1,8 @@
+# Azure VNET Gateway
+
+![](images/architecture.png)
+
+```sh
+terraform init
+terraform apply -auto-approve
+```

810_onprem_vpn_gateway_p2s_hub_spokes/certs/P2SRootCert810.cer

@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC7TCCAdWgAwIBAgIQVm8qtZVhm4RPvkrpQFQThzANBgkqhkiG9w0BAQsFADAZ
+MRcwFQYDVQQDDA5QMlNSb290Q2VydDgxMDAeFw0yNDAxMjkwNzAxMzRaFw0yNjAx
+MjkwNzExMzRaMBkxFzAVBgNVBAMMDlAyU1Jvb3RDZXJ0ODEwMIIBIjANBgkqhkiG
+9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsh3DVYXMtGqhHckZEhKR4Cg56nLiQ/G1smbp
+aAd64XyB4lDkOAMB8RMiCX0r4RC+UcOIjunIeC4B9pRKxoZoa2zTjKpUmqV/p1l+
+CEEkiWEMB/P/ydu2nzaiF4lfRxvlrJvxVY1dF7VAwdvYgQR8Gpe60lVlLNBCQD6v
+LexWHTlIAVo5qTu/iosYgjkVT8ZYGLDKHAkS5BEO6exU50Awn5m2FzO4/jiChPy9
+W4uLvCaY1hYTnP3DamRiMLf2ONhMprlCZxE4/Cbb4+ot6fnN05WCSPBmZMdk8VaV
+pFyfunbN0JX2wkSbDv2amMr/+LTUBzq2O/mocDibCffQgC12sQIDAQABozEwLzAO
+BgNVHQ8BAf8EBAMCAgQwHQYDVR0OBBYEFDnxacYgutdyRhxGOyJg92t3E5M1MA0G
+CSqGSIb3DQEBCwUAA4IBAQAqCHLsT8iyp2kl9Y0n7wtgakhacj0YoVxMBqpS8hy/
+Evc0CBquJXbVDKRAtTeEoYyV5sIIBgxpflfZaSFj4T3Qx10pJqDdG2UCX9sz3ozW
+uSIq1c8Rk0XZjG9zX6iLLFrrsftR1WS8vfFv+6uy99Pgpw0CPUbRkxwcXczB368S
+QEI03Jx1+fQ13t2Kxtk+zHtfP7kdp/l4zVHTbPpNGnPkHj92pXOwvFHezfN3kwuJ
+soqt5nMpk/fn70EtNkMz2zGKO5NhkId+xvpBTrIF12z8UBl6fz9lmnJp/3CYioSu
+XaMyoPG2cqdO6H3cwa6S9DHrbeEY3PqsShXKxWYuI1Vr
+-----END CERTIFICATE-----

810_onprem_vpn_gateway_p2s_hub_spokes/certs/commands.ps1

@@ -0,0 +1,55 @@
+# https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-certificates-point-to-site
+# https://learn.microsoft.com/en-us/azure/storage/files/storage-files-configure-p2s-vpn-windows?tabs=azure-portal
+
+# Generate and export certificates for point-to-site using PowerShell
+
+# Create a self-signed root certificate
+
+$RootCertName = "CN=P2SRootCert810"
+
+$params = @{
+ Type = 'Custom'
+ Subject = $RootCertName
+ KeySpec = 'Signature'
+ KeyExportPolicy = 'Exportable'
+ KeyUsage = 'CertSign'
+ KeyUsageProperty = 'Sign'
+ KeyLength = 2048
+ HashAlgorithm = 'sha256'
+ NotAfter = (Get-Date).AddMonths(24)
+ CertStoreLocation = 'Cert:\CurrentUser\My'
+}
+
+$RootCert = New-SelfSignedCertificate @params
+
+Export-Certificate -Cert $RootCert -FilePath ".\P2SRootCert810Encoded.cer" -NoClobber | Out-Null
+
+certutil -encode ".\P2SRootCert810Encoded.cer" ".\P2SRootCert810.cer" | Out-Null
+
+# Generate a client certificate
+# Optional if you want to use the certificate in another machine
+
+Get-ChildItem -Path "Cert:\CurrentUser\My"
+
+$params = @{
+ Type = 'Custom'
+ Subject = 'CN=P2SClientCert810'
+ DnsName = 'P2SClientCert810'
+ KeySpec = 'Signature'
+ KeyExportPolicy = 'Exportable'
+ KeyLength = 2048
+ HashAlgorithm = 'sha256'
+ NotAfter = (Get-Date).AddMonths(18)
+ CertStoreLocation = 'Cert:\CurrentUser\My'
+ Signer = $RootCert
+ TextExtension = @(
+ '2.5.29.37={text}1.3.6.1.5.5.7.3.2')
+}
+
+$ClientCert = New-SelfSignedCertificate @params
+
+# Export the root certificate public key (.cer)
+
+$CertPwd = ConvertTo-SecureString -String "@Aa123456789" -Force -AsPlainText
+
+Export-PfxCertificate -FilePath ".\P2SClientCert810.pfx" -Password $CertPwd -Cert $ClientCert | Out-Null

810_onprem_vpn_gateway_p2s_hub_spokes/install-webapp.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+sudo apt install nginx -y
+
+IP=$(hostname -i)
+
+echo "Hello from virtual machine: $HOSTNAME, with IP address: $IP" > /var/www/html/index.html

810_onprem_vpn_gateway_p2s_hub_spokes/modules/spoke/install-webapp.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+sudo apt install nginx -y
+
+IP=$(hostname -i)
+
+echo "Hello from virtual machine: $HOSTNAME, with IP address: $IP" > /var/www/html/index.html

810_onprem_vpn_gateway_p2s_hub_spokes/modules/spoke/output.tf

@@ -0,0 +1,3 @@
+output "vm_linux_private_ip" {
+ value = azurerm_linux_virtual_machine.vm.private_ip_address
+}

810_onprem_vpn_gateway_p2s_hub_spokes/modules/spoke/rg.tf

@@ -0,0 +1,4 @@
+resource "azurerm_resource_group" "rg" {
+ name = "rg-${var.spoke_name}"
+ location = var.spoke_rg_location
+}

810_onprem_vpn_gateway_p2s_hub_spokes/modules/spoke/variables.tf

@@ -0,0 +1,8 @@
+variable "spoke_name" { type = string }
+variable "spoke_rg_location" { type = string }
+variable "spoke_vnet_cidr" { type = string }
+variable "allow_gateway_transit" { type = bool }
+variable "hub_vnet" { type = object({
+ name = string,
+ rg = string,
+id = string }) }

810_onprem_vpn_gateway_p2s_hub_spokes/modules/spoke/vm-linux.tf

@@ -0,0 +1,49 @@
+resource "azurerm_public_ip" "pip-vm" {
+ name = "pip-vm"
+ location = azurerm_resource_group.rg.location
+ resource_group_name = azurerm_resource_group.rg.name
+ allocation_method = "Dynamic"
+}
+
+resource "azurerm_network_interface" "nic-vm" {
+ name = "nic-vm"
+ resource_group_name = azurerm_resource_group.rg.name
+ location = azurerm_resource_group.rg.location
+ enable_ip_forwarding = false
+
+ ip_configuration {
+ name = "internal"
+ subnet_id = azurerm_subnet.subnet-vm.id
+ private_ip_address_allocation = "Dynamic"
+ public_ip_address_id = azurerm_public_ip.pip-vm.id
+ }
+}
+
+resource "azurerm_linux_virtual_machine" "vm" {
+ name = "vm-linux-${var.spoke_name}"
+ resource_group_name = azurerm_resource_group.rg.name
+ location = azurerm_resource_group.rg.location
+ size = "Standard_B2als_v2"
+ disable_password_authentication = false
+ admin_username = "azureuser"
+ admin_password = "@Aa123456789"
+ network_interface_ids = [azurerm_network_interface.nic-vm.id]
+
+ custom_data = filebase64("./install-webapp.sh")
+
+ os_disk {
+ caching = "ReadWrite"
+ storage_account_type = "Standard_LRS"
+ }
+
+ source_image_reference {
+ publisher = "canonical"
+ offer = "0001-com-ubuntu-server-jammy"
+ sku = "22_04-lts-gen2"
+ version = "latest"
+ }
+
+ boot_diagnostics {
+ storage_account_uri = null
+ }
+}

810_onprem_vpn_gateway_p2s_hub_spokes/modules/spoke/vnet-peering.tf

@@ -0,0 +1,21 @@
+resource "azurerm_virtual_network_peering" "peering-hub-to-spoke" {
+ name = "peering-hub-to-${var.spoke_name}"
+ virtual_network_name = var.hub_vnet.name
+ resource_group_name = var.hub_vnet.rg
+ remote_virtual_network_id = azurerm_virtual_network.vnet-spoke.id
+ allow_virtual_network_access = true
+ allow_forwarded_traffic = true
+ allow_gateway_transit = var.allow_gateway_transit
+ use_remote_gateways = false
+}
+
+resource "azurerm_virtual_network_peering" "peering-spoke-to-hub" {
+ name = "peering-${var.spoke_name}-to-hub"
+ virtual_network_name = azurerm_virtual_network.vnet-spoke.name
+ resource_group_name = azurerm_virtual_network.vnet-spoke.resource_group_name
+ remote_virtual_network_id = var.hub_vnet.id
+ allow_virtual_network_access = true
+ allow_forwarded_traffic = true
+ allow_gateway_transit = false
+ use_remote_gateways = true
+}

810_onprem_vpn_gateway_p2s_hub_spokes/modules/spoke/vnet-spoke.tf

@@ -0,0 +1,14 @@
+resource "azurerm_virtual_network" "vnet-spoke" {
+ name = "vnet-${var.spoke_name}"
+ resource_group_name = azurerm_resource_group.rg.name
+ location = azurerm_resource_group.rg.location
+ address_space = [var.spoke_vnet_cidr]
+ dns_servers = null
+}
+
+resource "azurerm_subnet" "subnet-vm" {
+ name = "subnet-vm"
+ resource_group_name = azurerm_virtual_network.vnet-spoke.resource_group_name
+ virtual_network_name = azurerm_virtual_network.vnet-spoke.name
+ address_prefixes = [cidrsubnet(var.spoke_vnet_cidr, 8, 0)]
+}

810_onprem_vpn_gateway_p2s_hub_spokes/output.tf

@@ -0,0 +1,23 @@
+output "vm_linux_hub_private_ip" {
+ value = azurerm_linux_virtual_machine.vm.private_ip_address
+}
+
+output "storage_account_url" {
+ value = azurerm_storage_account.sa.primary_blob_endpoint
+}
+
+output "storage_account_blob_url" {
+ value = azurerm_storage_blob.blob.url
+}
+
+output "vm_linux_spoke1_private_ip" {
+ value = module.spoke1.vm_linux_private_ip
+}
+
+output "vm_linux_spoke2_private_ip" {
+ value = module.spoke2.vm_linux_private_ip
+}
+
+output "private_dns_zone_fqdn" {
+ value = azurerm_private_dns_a_record.a-record.fqdn
+}

810_onprem_vpn_gateway_p2s_hub_spokes/private_dns_zone.tf

@@ -0,0 +1,19 @@
+resource "azurerm_private_dns_zone" "private-dns-zone" {
+ name = "internal.corp"
+ resource_group_name = azurerm_resource_group.rg.name
+}
+
+resource "azurerm_private_dns_a_record" "a-record" {
+ name = "vm"
+ zone_name = azurerm_private_dns_zone.private-dns-zone.name
+ resource_group_name = azurerm_private_dns_zone.private-dns-zone.resource_group_name
+ ttl = 300
+ records = [azurerm_linux_virtual_machine.vm.private_ip_address] # just example IP address
+}
+
+resource "azurerm_private_dns_zone_virtual_network_link" "link-dns-vnet" {
+ name = "link-dns-vnet"
+ resource_group_name = azurerm_private_dns_zone.private-dns-zone.resource_group_name
+ private_dns_zone_name = azurerm_private_dns_zone.private-dns-zone.name
+ virtual_network_id = azurerm_virtual_network.vnet-hub.id
+}