Skip to content

Instantly share code, notes, and snippets.

@gswallow
Last active Mar 9, 2018
Embed
What would you like to do?
Tooling around with Microsoft Azure
#!/bin/bash -e
# I wonder how much easier this is to do with Terraform :)
pw=$(openssl rand -base64 8)
ORG=${ORG:=dev}
AZ_LOCATION=${AZ_LOCATION:=eastus}
RESGROUP=${ORG}ADFSRG
# Resource Group must be created first.
az group create -l $AZ_LOCATION --name $RESGROUP
# Network and subnets
az network vnet create --name ${ORG}ADFSVnet -g $RESGROUP --address-prefix 172.18.64.0/19 --subnet-name DMZ --subnet-prefix 172.18.64.0/24 -l $AZ_LOCATION
az network vnet subnet create --vnet-name ${ORG}ADFSVnet -g $RESGROUP --address-prefix=172.18.65.0/24 -n DMZ2
az network vnet subnet create --vnet-name ${ORG}ADFSVnet -g $RESGROUP --address-prefix 172.18.68.0/22 -n Private
az network vnet subnet create --vnet-name ${ORG}ADFSVnet -g $RESGROUP --address-prefix 172.18.72.0/22 -n Private2
# Network security groups
az network nsg create -g $RESGROUP -l $AZ_LOCATION --name NSG_INT
az network nsg rule create -n DC-RDP --nsg-name NSG_INT -g $RESGROUP --priority 100 --access Allow --direction Inbound \
--source-address-prefixes 172.18.64.0/19 --destination-port-range 3389 --protocol Tcp
az network nsg rule create -n ADFS-HTTPS --nsg-name NSG_INT -g $RESGROUP --priority 110 --access Allow --direction Inbound \
--source-address-prefixes 172.18.64.0/19 --destination-port-range 443 --protocol Tcp
az network nsg rule create -n DC-UDP --nsg-name NSG_INT -g $RESGROUP --priority 200 --access Allow --direction Inbound \
--source-address-prefixes 172.18.64.0/19 --destination-port-range 42 53 88 135 137 138 389 445 1512 --protocol Udp
az network nsg rule create -n DC-TCP --nsg-name NSG_INT -g $RESGROUP --priority 210 --access Allow --direction Inbound \
--source-address-prefixes 172.18.64.0/19 --destination-port-range 42 53 88 135 137 139 389 445 636 1512 3268 3269 --protocol Tcp
az network vnet subnet update --vnet-name ${ORG}ADFSVnet --name Private --network-security-group NSG_INT -g $RESGROUP
az network vnet subnet update --vnet-name ${ORG}ADFSVnet --name Private2 --network-security-group NSG_INT -g $RESGROUP
az network nsg create -g $RESGROUP -l $AZ_LOCATION --name NSG_DMZ
az network nsg rule create -n ADFS-PROXY-RDP --nsg-name NSG_DMZ -g $RESGROUP --priority 4095 --access Allow --direction Inbound \
--source-address-prefixes 168.91.0.0/16 --destination-port-range 3389 --protocol Tcp
az network nsg rule create -n ADFS-PROXY-HTTPS --nsg-name NSG_DMZ -g $RESGROUP --priority 4094 --access Allow --direction Inbound \
--source-address-prefixes 0.0.0.0/0 --destination-port-range 443 --protocol Tcp
az network vnet subnet update --vnet-name ${ORG}ADFSVnet --name DMZ --network-security-group NSG_DMZ -g $RESGROUP
az network vnet subnet update --vnet-name ${ORG}ADFSVnet --name DMZ2 --network-security-group NSG_DMZ -g $RESGROUP
# Availability sets
az vm availability-set create -n ${ORG}ADFSDCAvSet -g $RESGROUP -l $AZ_LOCATION \
--platform-fault-domain-count 3 --platform-update-domain-count 3
az vm availability-set create -n ${ORG}ADFSProxyAvSet -g $RESGROUP -l $AZ_LOCATION \
--platform-fault-domain-count 3 --platform-update-domain-count 3
# Data disks for AD DS
az disk create -n dc1-data-disk -g $RESGROUP -l $AZ_LOCATION --size-gb 20
az disk create -n dc2-data-disk -g $RESGROUP -l $AZ_LOCATION --size-gb 20
# Domain Controllers
az vm create -n dc1 -g $RESGROUP -l $AZ_LOCATION --image Win2016Datacenter \
--availability-set ${ORG}ADFSDCAvSet --license-type Windows_server \
--authentication-type password --admin-password $pw \
--public-ip-address "" --private-ip-address 172.18.68.10 \
--subnet Private --vnet-name ${ORG}ADFSVnet
az vm create -n dc2 -g $RESGROUP -l $AZ_LOCATION --image Win2016Datacenter \
--availability-set ${ORG}ADFSDCAvSet --license-type Windows_server \
--authentication-type password --admin-password $pw \
--public-ip-address "" --private-ip-address 172.18.72.10 \
--subnet Private2 --vnet-name ${ORG}ADFSVnet
# Attach data disks to DCs
az vm disk attach --disk dc1-data-disk -g $RESGROUP --vm-name dc1
az vm disk attach --disk dc2-data-disk -g $RESGROUP --vm-name dc2
# Public IP
az network public-ip create -n ADFS_Public_IP -g $RESGROUP -l $AZ_LOCATION \
--allocation-method Static --idle-timeout 4
# ADFS/Proxy load balancer
az network lb create --name ADFS_Proxy_LB -g $RESGROUP -l $AZ_LOCATION \
--backend-pool-name ADFS_Proxy_LB_bepool --frontend-ip-name ADFS_Proxy_LB_feip \
--public-ip-address ADFS_Public_IP
# Rules set up traffic forwarding
az network lb rule create -n ADFS_Proxy_rule_https -g $RESGROUP --lb-name ADFS_Proxy_LB \
--frontend-port 443 --frontend-ip-name ADFS_Proxy_LB_feip \
--backend-port 443 --backend-pool-name ADFS_Proxy_LB_bepool \
--protocol Tcp
# Probes
az network lb probe create -n ADFS_Proxy_probe_https -g $RESGROUP --lb-name ADFS_Proxy_LB \
--port 443 --protocol Tcp
# Inbound NAT
az network lb inbound-nat-rule create -n ADFS_Proxy_NAT_rule_RDP -g $RESGROUP \
--lb-name ADFS_Proxy_LB --protocol Tcp --frontend-port 3389 --backend-port 3389
# NICs get tied to the load balancer (and NAT rules)
az network nic create --name proxy1-nic -g $RESGROUP -l $AZ_LOCATION \
--subnet DMZ --vnet-name ${ORG}ADFSVnet --private-ip-address 172.18.64.10 \
--lb-name ADFS_Proxy_LB --lb-address-pools ADFS_Proxy_LB_bepool \
--lb-inbound-nat-rules ADFS_Proxy_NAT_rule_RDP
az network nic create --name proxy2-nic -g $RESGROUP -l $AZ_LOCATION \
--subnet DMZ2 --vnet-name ${ORG}ADFSVnet --private-ip-address 172.18.65.10 \
--lb-name ADFS_Proxy_LB --lb-address-pools ADFS_Proxy_LB_bepool
# ADFS/Proxy Virtual Machines
az vm create -n proxy1 -g $RESGROUP -l $AZ_LOCATION --image Win2016Datacenter \
--availability-set ${ORG}ADFSProxyAvSet --license-type Windows_server \
--authentication-type password --admin-password $pw \
--nics proxy1-nic
az vm create -n proxy2 -g $RESGROUP -l $AZ_LOCATION --image Win2016Datacenter \
--availability-set ${ORG}ADFSProxyAvSet --license-type Windows_server \
--authentication-type password --admin-password $pw \
--nics proxy2-nic
echo "Administrator password is $pw"
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment