// sample https://github.com/phealy/azure-custom-dns/blob/master/vmss-dnsfwd/template-vmss.json
// VMSS REST API https://docs.microsoft.com/en-us/rest/api/compute/virtualmachinescalesets/createorupdate
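// Deployment region; defaults to the region of the target resource group.
param location string = resourceGroup().location
// Prefix shared by the default resource names below.
param resourcePrefix string
param vmssName string = '${resourcePrefix}-hub-dns'
param computerNamePrefix string = '${resourcePrefix}-hub-dns-'
// Number of scale set instances.
param capacity int = 3
// Name of an existing Log Analytics workspace that receives the load balancer metrics.
param logAnalyticsWorkspaceName string = '${resourcePrefix}-log'
// Plain-text custom data; it is base64-encoded before being handed to the scale set.
// NOTE(review): custom data can be read back from a provisioned instance, so keep
// credentials and other secrets out of it.
param vmCustomData string
param vnetId string
// Network security group attached to every instance NIC.
param nsgId string
param subnetName string
// Full resource id of the subnet used by the internal load balancer and the instances.
var subnetRef = '${vnetId}/subnets/${subnetName}'

@allowed([
  'Basic'
  'Standard'
])
param ilbSku string = 'Basic'

param adminUsername string
// Only the exact value 'password' enables password logins; every other value
// selects SSH public key authentication.
param authenticationType string = 'sshPublicKey'
// Carries either the admin password or the SSH public key. Declared secure so the
// value is not stored in deployment history or echoed in logs.
@secure()
param adminPasswordOrKey string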
// Linux OS settings used when SSH key authentication is selected: password logins
// are switched off and adminPasswordOrKey is installed as the admin user's
// authorized key.
var linuxConfiguration = {
  ssh: {
    publicKeys: [
      {
        keyData: adminPasswordOrKey
        path: '/home/${adminUsername}/.ssh/authorized_keys'
      }
    ]
  }
  disablePasswordAuthentication: true
}
// consider outbound restrictions for ILB
// https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-outbound-connections
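// Names of the internal load balancer and of the optional public load balancer.
var ilbName = '${resourcePrefix}-dns-ilb'
var lbName = '${resourcePrefix}-dns-lb'

// Static Standard public IPv4 address for the public load balancer's frontend.
// The public load balancer is the only consumer, so the address is created under
// the same condition; a 'Basic' deployment no longer leaves an unused public IP
// behind.
resource publicIP 'Microsoft.Network/publicIPAddresses@2020-05-01' = if (ilbSku == 'Standard') {
  name: '${lbName}-ip'
  location: location
  sku: {
    name: 'Standard'
  }
  properties: {
    publicIPAllocationMethod: 'Static'
    publicIPAddressVersion: 'IPv4'
  }
}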
// Public Standard load balancer, deployed only when ilbSku is 'Standard'.
// It defines an outbound rule and no load-balancing or inbound NAT rules, so the
// public frontend is used for outbound SNAT of the 'dnsfwd' pool only.
// NOTE(review): the outbound rule covers all protocols; egress filtering, if wanted,
// has to come from the NSG passed in nsgId.
resource lb 'Microsoft.Network/loadBalancers@2020-11-01' = if (ilbSku == 'Standard') {
  name: lbName
  location: location
  sku: {
    name: 'Standard'
  }
  properties: {
    backendAddressPools: [
      {
        name: 'dnsfwd'
        properties: {
          loadBalancerBackendAddresses: []
        }
      }
    ]
    frontendIPConfigurations: [
      {
        name: 'LoadBalancerFrontEnd'
        properties: {
          publicIPAddress: {
            id: publicIP.id
          }
        }
      }
    ]
    outboundRules: [
      {
        name: 'dnsFwd'
        properties: {
          protocol: 'All'
          // presumably 0 leaves SNAT port allocation to the platform; confirm against the API reference
          allocatedOutboundPorts: 0
          idleTimeoutInMinutes: 4
          enableTcpReset: true
          frontendIPConfigurations: [
            {
              id: resourceId('Microsoft.Network/loadBalancers/frontendIPConfigurations', lbName, 'LoadBalancerFrontEnd')
            }
          ]
          backendAddressPool: {
            id: resourceId('Microsoft.Network/loadBalancers/backendAddressPools', lbName, 'dnsfwd')
          }
        }
      }
    ]
  }
}
// Backend pools every instance NIC joins: always the internal load balancer's
// 'dnsfwd' pool, plus the public load balancer's 'dnsfwd' pool when the SKU is not
// 'Basic'. The ids are built with resourceId(), so this variable creates no
// deployment dependency on either load balancer by itself.
var vmssLbConfiguration = ilbSku != 'Basic' ? [
  {
    id: resourceId('Microsoft.Network/loadBalancers/backendAddressPools', ilbName, 'dnsfwd')
  }
  {
    id: resourceId('Microsoft.Network/loadBalancers/backendAddressPools', lbName, 'dnsfwd')
  }
] : [
  {
    id: resourceId('Microsoft.Network/loadBalancers/backendAddressPools', ilbName, 'dnsfwd')
  }
]
// Internal load balancer that fronts the DNS forwarders on port 53 (UDP and TCP).
// The frontend takes a dynamically assigned private address from the given subnet.
resource ilb 'Microsoft.Network/loadBalancers@2020-11-01' = {
  name: ilbName
  location: location
  sku: {
    name: ilbSku
  }
  properties: {
    frontendIPConfigurations: [
      {
        name: 'LoadBalancerFrontEnd'
        properties: {
          subnet: {
            id: subnetRef
          }
          privateIPAllocationMethod: 'Dynamic'
        }
      }
    ]
    backendAddressPools: [
      {
        name: 'dnsfwd'
        properties: {
          loadBalancerBackendAddresses: []
        }
      }
    ]
    // A single TCP probe on port 53 decides instance health for both rules below.
    probes: [
      {
        name: 'dns-tcp-53'
        properties: {
          protocol: 'Tcp'
          port: 53
          intervalInSeconds: 5
          numberOfProbes: 2
        }
      }
    ]
    loadBalancingRules: [
      {
        // DNS over UDP; health is taken from the TCP probe.
        name: 'dns-udp-53'
        properties: {
          protocol: 'Udp'
          frontendPort: 53
          backendPort: 53
          frontendIPConfiguration: {
            id: resourceId('Microsoft.Network/loadBalancers/frontendIPConfigurations', ilbName, 'LoadBalancerFrontEnd')
          }
          backendAddressPool: {
            id: resourceId('Microsoft.Network/loadBalancers/backendAddressPools', ilbName, 'dnsfwd')
          }
          probe: {
            id: resourceId('Microsoft.Network/loadBalancers/probes', ilbName, 'dns-tcp-53')
          }
          loadDistribution: 'Default'
          idleTimeoutInMinutes: 4
          enableFloatingIP: false
          enableTcpReset: false
          disableOutboundSnat: true
        }
      }
      {
        // DNS over TCP.
        name: 'dns-tcp-53'
        properties: {
          protocol: 'Tcp'
          frontendPort: 53
          backendPort: 53
          frontendIPConfiguration: {
            id: resourceId('Microsoft.Network/loadBalancers/frontendIPConfigurations', ilbName, 'LoadBalancerFrontEnd')
          }
          backendAddressPool: {
            id: resourceId('Microsoft.Network/loadBalancers/backendAddressPools', ilbName, 'dnsfwd')
          }
          probe: {
            id: resourceId('Microsoft.Network/loadBalancers/probes', ilbName, 'dns-tcp-53')
          }
          loadDistribution: 'Default'
          idleTimeoutInMinutes: 4
          enableFloatingIP: false
          enableTcpReset: false
          disableOutboundSnat: true
        }
      }
    ]
  }
}
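// Scale set of Ubuntu DNS forwarders placed behind the internal load balancer and,
// for the 'Standard' SKU, also behind the public load balancer's outbound rule.
resource vmss 'Microsoft.Compute/virtualMachineScaleSets@2020-12-01' = {
  name: vmssName
  location: location
  // The backend pool ids in vmssLbConfiguration are plain resourceId() strings, so
  // both load balancers have to be listed explicitly. Without 'lb' here a 'Standard'
  // deployment can start the scale set before its public backend pool exists.
  // A conditional resource that is not deployed is dropped from the dependencies.
  dependsOn: [
    ilb
    lb
  ]
  sku: {
    name: 'Standard_B1s'
    tier: 'Standard'
    capacity: capacity
  }
  properties: {
    singlePlacementGroup: ilbSku == 'Basic'
    upgradePolicy: {
      mode: 'Automatic'
      rollingUpgradePolicy: {
        maxBatchInstancePercent: 20
        maxUnhealthyInstancePercent: 20
        maxUnhealthyUpgradedInstancePercent: 20
        pauseTimeBetweenBatches: 'PT0S'
      }
      // OS image upgrades are applied automatically, with rollback left enabled.
      automaticOSUpgradePolicy: {
        enableAutomaticOSUpgrade: true
        disableAutomaticRollback: false
      }
    }
    scaleInPolicy: {
      rules: [
        'Default'
      ]
    }
    virtualMachineProfile: {
      osProfile: {
        computerNamePrefix: computerNamePrefix
        adminUsername: adminUsername
        // Set unconditionally: with SSH key authentication this field receives the
        // public key text while linuxConfiguration disables password logins.
        adminPassword: adminPasswordOrKey
        customData: base64(vmCustomData)
        // authenticationType 'password' passes no linuxConfiguration at all, which
        // leaves password logins enabled; SSH keys are the default.
        linuxConfiguration: any(authenticationType == 'password' ? null : linuxConfiguration)
      }
      storageProfile: {
        osDisk: {
          createOption: 'FromImage'
          caching: 'ReadWrite'
          managedDisk: {
            storageAccountType: 'Premium_LRS'
          }
          diskSizeGB: 30
        }
        // NOTE(review): Ubuntu 18.04 LTS has left standard support; confirm the image
        // still receives security updates or move to a supported LTS release.
        imageReference: {
          publisher: 'Canonical'
          offer: 'UbuntuServer'
          sku: '18.04-LTS'
          version: 'latest'
        }
      }
      networkProfile: {
        networkInterfaceConfigurations: [
          {
            name: '${computerNamePrefix}nic'
            properties: {
              primary: true
              enableAcceleratedNetworking: false
              // 168.63.129.16 is the Azure platform DNS address; the instances resolve
              // through it instead of inheriting the VNet's DNS server setting.
              dnsSettings: {
                dnsServers: [
                  '168.63.129.16'
                ]
              }
              enableIPForwarding: false
              ipConfigurations: [
                {
                  name: '${computerNamePrefix}ip'
                  properties: {
                    primary: true
                    subnet: {
                      id: subnetRef
                    }
                    privateIPAddressVersion: 'IPv4'
                    loadBalancerBackendAddressPools: vmssLbConfiguration
                  }
                }
              ]
              // Traffic filtering for the instances comes from this NSG on the NIC.
              networkSecurityGroup: {
                id: nsgId
              }
            }
          }
        ]
      }
      extensionProfile: {
        extensions: [
          {
            // Reports instance health from a TCP check on port 53.
            name: 'HealthExtension'
            properties: {
              autoUpgradeMinorVersion: false
              publisher: 'Microsoft.ManagedServices'
              type: 'ApplicationHealthLinux'
              typeHandlerVersion: '1.0'
              settings: {
                protocol: 'tcp'
                port: 53
              }
            }
          }
        ]
      }
      priority: 'Regular'
    }
    overprovision: true
    doNotRunExtensionsOnOverprovisionedVMs: false
    platformFaultDomainCount: 1
    // Automatic instance repair is switched off; unhealthy instances are not replaced.
    automaticRepairsPolicy: {
      enabled: false
      gracePeriod: 'PT30M'
    }
  }
}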
// Reference to a workspace that must already exist; nothing is created here.
resource logAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2020-08-01' existing = {
  name: logAnalyticsWorkspaceName
}

// Sends the internal load balancer's metrics to the workspace. Only the
// 'AllMetrics' category is configured; no log categories are exported, and the
// scale set and public load balancer have no diagnostic setting in this template.
resource diagIlb 'microsoft.insights/diagnosticSettings@2017-05-01-preview' = {
  scope: ilb
  name: 'diagIlb'
  properties: {
    workspaceId: logAnalyticsWorkspace.id
    metrics: [
      {
        category: 'AllMetrics'
        enabled: true
        // NOTE(review): confirm whether this two-day retention policy has any effect
        // with a workspace destination; workspace retention may govern instead.
        retentionPolicy: {
          enabled: true
          days: 2
        }
      }
    ]
  }
}
// Private address assigned to the internal load balancer's first (only) frontend.
// The frontend uses dynamic allocation, so the value is read from the deployed resource.
output ilbPrivateIPAddress string = ilb.properties.frontendIPConfigurations[0].properties.privateIPAddress