Tooling around with Microsoft Azure
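#!/usr/bin/env bash
# Stand up a small AD DS + ADFS/proxy footprint in Azure with the az CLI:
# one VNet with four subnets, two NSGs, two domain controllers on the
# private subnets, and two proxy VMs on the DMZ subnets behind a public
# load balancer.
# I wonder how much easier this is to do with Terraform :)
#
# Usage:  ORG=<prefix> AZ_LOCATION=<region> ./adfs.sh
# Requires an already-authenticated `az` and `openssl` in PATH.
# Resource names are derived from ORG (default "dev").
#
# Options live in `set`, not the shebang, so they survive `bash adfs.sh`.
set -euo pipefail

die() { printf '%s\n' "$*" >&2; exit 1; }

command -v az >/dev/null || die "az CLI not found in PATH"
command -v openssl >/dev/null || die "openssl not found in PATH"

# Local administrator password shared by all four VMs.
# 24 random bytes -> 32 base64 characters. Azure requires 12-123 characters
# drawn from three of four character classes; 8 bytes gave exactly 12 chars
# with no guarantee on the class mix, 32 random base64 chars satisfy it with
# overwhelming probability.
# The value is passed on the az command line below, so it is briefly visible
# to other local users via `ps` and would appear verbatim in a `set -x` trace;
# do not enable tracing for this run.
pw=$(openssl rand -base64 24) || die "password generation failed"
readonly pw

ORG=${ORG:-dev}
AZ_LOCATION=${AZ_LOCATION:-eastus}
readonly ORG AZ_LOCATION
readonly RESGROUP="${ORG}ADFSRG"
readonly VNET="${ORG}ADFSVnet"

# Argument bundles shared by most commands below (arrays, never strings).
rg=(-g "$RESGROUP")
rgloc=(-g "$RESGROUP" -l "$AZ_LOCATION")

# Resource Group must be created first.
az group create -l "$AZ_LOCATION" --name "$RESGROUP"

# Network and subnets: DMZ/DMZ2 host the proxies, Private/Private2 the DCs.
az network vnet create --name "$VNET" "${rgloc[@]}" \
  --address-prefix 172.18.64.0/19 --subnet-name DMZ --subnet-prefix 172.18.64.0/24
az network vnet subnet create --vnet-name "$VNET" "${rg[@]}" --address-prefix 172.18.65.0/24 -n DMZ2
az network vnet subnet create --vnet-name "$VNET" "${rg[@]}" --address-prefix 172.18.68.0/22 -n Private
az network vnet subnet create --vnet-name "$VNET" "${rg[@]}" --address-prefix 172.18.72.0/22 -n Private2

# Network security groups.
# NSG_INT fronts the DC subnets: RDP, HTTPS and the AD DS port set, accepted
# only from inside the VNet address space.
readonly VNET_CIDR=172.18.64.0/19
az network nsg create "${rgloc[@]}" --name NSG_INT
az network nsg rule create -n DC-RDP --nsg-name NSG_INT "${rg[@]}" \
  --priority 100 --access Allow --direction Inbound \
  --source-address-prefixes "$VNET_CIDR" --destination-port-range 3389 --protocol Tcp
az network nsg rule create -n ADFS-HTTPS --nsg-name NSG_INT "${rg[@]}" \
  --priority 110 --access Allow --direction Inbound \
  --source-address-prefixes "$VNET_CIDR" --destination-port-range 443 --protocol Tcp
az network nsg rule create -n DC-UDP --nsg-name NSG_INT "${rg[@]}" \
  --priority 200 --access Allow --direction Inbound \
  --source-address-prefixes "$VNET_CIDR" \
  --destination-port-range 42 53 88 135 137 138 389 445 1512 --protocol Udp
az network nsg rule create -n DC-TCP --nsg-name NSG_INT "${rg[@]}" \
  --priority 210 --access Allow --direction Inbound \
  --source-address-prefixes "$VNET_CIDR" \
  --destination-port-range 42 53 88 135 137 139 389 445 636 1512 3268 3269 --protocol Tcp
az network vnet subnet update --vnet-name "$VNET" --name Private --network-security-group NSG_INT "${rg[@]}"
az network vnet subnet update --vnet-name "$VNET" --name Private2 --network-security-group NSG_INT "${rg[@]}"

# NSG_DMZ fronts the proxy subnets: HTTPS from anywhere, RDP only from the
# 168.91.0.0/16 management range. Together with the inbound NAT rule further
# down, this is what exposes proxy1's RDP on the public IP - keep that source
# prefix as tight as possible and review it whenever the management range changes.
az network nsg create "${rgloc[@]}" --name NSG_DMZ
az network nsg rule create -n ADFS-PROXY-RDP --nsg-name NSG_DMZ "${rg[@]}" \
  --priority 4095 --access Allow --direction Inbound \
  --source-address-prefixes 168.91.0.0/16 --destination-port-range 3389 --protocol Tcp
az network nsg rule create -n ADFS-PROXY-HTTPS --nsg-name NSG_DMZ "${rg[@]}" \
  --priority 4094 --access Allow --direction Inbound \
  --source-address-prefixes 0.0.0.0/0 --destination-port-range 443 --protocol Tcp
az network vnet subnet update --vnet-name "$VNET" --name DMZ --network-security-group NSG_DMZ "${rg[@]}"
az network vnet subnet update --vnet-name "$VNET" --name DMZ2 --network-security-group NSG_DMZ "${rg[@]}"

# Availability sets (one for the DC pair, one for the proxy pair).
az vm availability-set create -n "${ORG}ADFSDCAvSet" "${rgloc[@]}" \
  --platform-fault-domain-count 3 --platform-update-domain-count 3
az vm availability-set create -n "${ORG}ADFSProxyAvSet" "${rgloc[@]}" \
  --platform-fault-domain-count 3 --platform-update-domain-count 3

# Data disks for AD DS
az disk create -n dc1-data-disk "${rgloc[@]}" --size-gb 20
az disk create -n dc2-data-disk "${rgloc[@]}" --size-gb 20

# Domain Controllers: no public IP (explicit empty string), fixed private
# addresses, one DC per private subnet.
az vm create -n dc1 "${rgloc[@]}" --image Win2016Datacenter \
  --availability-set "${ORG}ADFSDCAvSet" --license-type Windows_server \
  --authentication-type password --admin-password "$pw" \
  --public-ip-address "" --private-ip-address 172.18.68.10 \
  --subnet Private --vnet-name "$VNET"
az vm create -n dc2 "${rgloc[@]}" --image Win2016Datacenter \
  --availability-set "${ORG}ADFSDCAvSet" --license-type Windows_server \
  --authentication-type password --admin-password "$pw" \
  --public-ip-address "" --private-ip-address 172.18.72.10 \
  --subnet Private2 --vnet-name "$VNET"

# Attach data disks to DCs
az vm disk attach --disk dc1-data-disk "${rg[@]}" --vm-name dc1
az vm disk attach --disk dc2-data-disk "${rg[@]}" --vm-name dc2

# Public IP
az network public-ip create -n ADFS_Public_IP "${rgloc[@]}" \
  --allocation-method Static --idle-timeout 4

# ADFS/Proxy load balancer
az network lb create --name ADFS_Proxy_LB "${rgloc[@]}" \
  --backend-pool-name ADFS_Proxy_LB_bepool --frontend-ip-name ADFS_Proxy_LB_feip \
  --public-ip-address ADFS_Public_IP

# Probes - created before the rule so the rule can reference it; previously
# the probe existed but nothing used it, so unhealthy proxies stayed in rotation.
az network lb probe create -n ADFS_Proxy_probe_https "${rg[@]}" --lb-name ADFS_Proxy_LB \
  --port 443 --protocol Tcp

# Rules set up traffic forwarding, gated by the HTTPS probe above.
az network lb rule create -n ADFS_Proxy_rule_https "${rg[@]}" --lb-name ADFS_Proxy_LB \
  --frontend-port 443 --frontend-ip-name ADFS_Proxy_LB_feip \
  --backend-port 443 --backend-pool-name ADFS_Proxy_LB_bepool \
  --probe-name ADFS_Proxy_probe_https \
  --protocol Tcp

# Inbound NAT: forwards public :3389 to a single backend NIC (proxy1 below).
az network lb inbound-nat-rule create -n ADFS_Proxy_NAT_rule_RDP "${rg[@]}" \
  --lb-name ADFS_Proxy_LB --protocol Tcp --frontend-port 3389 --backend-port 3389

# NICs get tied to the load balancer (and, for proxy1 only, the RDP NAT rule).
az network nic create --name proxy1-nic "${rgloc[@]}" \
  --subnet DMZ --vnet-name "$VNET" --private-ip-address 172.18.64.10 \
  --lb-name ADFS_Proxy_LB --lb-address-pools ADFS_Proxy_LB_bepool \
  --lb-inbound-nat-rules ADFS_Proxy_NAT_rule_RDP
az network nic create --name proxy2-nic "${rgloc[@]}" \
  --subnet DMZ2 --vnet-name "$VNET" --private-ip-address 172.18.65.10 \
  --lb-name ADFS_Proxy_LB --lb-address-pools ADFS_Proxy_LB_bepool

# ADFS/Proxy Virtual Machines
az vm create -n proxy1 "${rgloc[@]}" --image Win2016Datacenter \
  --availability-set "${ORG}ADFSProxyAvSet" --license-type Windows_server \
  --authentication-type password --admin-password "$pw" \
  --nics proxy1-nic
az vm create -n proxy2 "${rgloc[@]}" --image Win2016Datacenter \
  --availability-set "${ORG}ADFSProxyAvSet" --license-type Windows_server \
  --authentication-type password --admin-password "$pw" \
  --nics proxy2-nic

# This is the only copy of the password and it lands in terminal scrollback
# or CI logs; rotate it after first login.
printf 'Administrator password is %s\n' "$pw"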