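## Point-to-Site VPN access to an Azure Files share over a private endpoint.
##
## Builds, in order: two resource groups, a networking VNet with a gateway
## subnet, a storage VNet, a P2S VPN gateway with a self-signed root
## certificate, a client certificate exported as a PFX, VNet peering, a
## locked-down storage account with a file share, a private endpoint for the
## share and the private DNS zone that makes it resolvable.
##
## Required environment (only when the login block below is uncommented):
##   SUBSCRIPTION_CLIENT_ID, SUBSCRIPTION_CLIENT_SECRET, TENANT_ID

## Initialising Variables
# Stop at the first failing cmdlet: every later step consumes the objects
# returned by the earlier ones, so continuing after an error only cascades.
$ErrorActionPreference = 'Stop'

$AzureEnvironment = [PSCustomObject]@{
    Location = 'North Europe'
    Code     = 'neu'
}
$Tags = @{
    scope    = 'training'
    practice = 'VPN Access to Storage'
}
$VpnDnaLabel = 'kdm-vpn-test'
$DomainCN = 'P2SCertificate'
$ShareName = 'testshare'
$ClientVpnCertificate = 'vpn.pfx'
# Subnet names are used both when the subnet is created and when it is looked
# up again later; keeping them in one place stops the two from drifting apart.
$GatewaySubnetName = 'gatewaysubnet'
$FileShareSubnetName = 'snet-fileshare'

## Registering Azure Modules
## If working with CI/CD or without a full install of the PowerShell Azure SDK,
## uncomment the Install-Module lines below
#Install-Module Az.Accounts -AllowClobber -Scope CurrentUser
#Install-Module Az.Resources -AllowClobber -Scope CurrentUser
#Install-Module Az.Network -AllowClobber -Scope CurrentUser
#Install-Module Az.Storage -AllowClobber -Scope CurrentUser
#Install-Module Az.PrivateDns -AllowClobber -Scope CurrentUser

## Login into Azure Tenant
## If working with CI/CD or without a pre-connected PowerShell terminal to Azure,
## uncomment the three lines below. The client secret is read from the
## environment so it never has to be written into this file.
#$ARM_Password = ConvertTo-SecureString -String $env:SUBSCRIPTION_CLIENT_SECRET -AsPlainText -Force
#$Credentials = New-Object -TypeName System.Management.Automation.PSCredential($env:SUBSCRIPTION_CLIENT_ID, $ARM_Password)
#Connect-AzAccount -ServicePrincipal -Credential $Credentials -Tenant $env:TENANT_ID

## Create Resource Groups
Write-Host -ForegroundColor Yellow "Creating Networking Resource Group"
$RgNetworking = New-AzResourceGroup `
    -Name "rg-$($AzureEnvironment.Code)-net-001" `
    -Location $AzureEnvironment.Location `
    -Tag $Tags
Write-Host -ForegroundColor Yellow "Creating Storage Resource Group"
$RgStorage = New-AzResourceGroup `
    -Name "rg-$($AzureEnvironment.Code)-stor-001" `
    -Location $AzureEnvironment.Location `
    -Tag $Tags

## Create VPN Gateway Subnet
Write-Host -ForegroundColor Yellow "Creating VPN Subnet"
$SnetGateway = New-AzVirtualNetworkSubnetConfig `
    -Name $GatewaySubnetName `
    -AddressPrefix "10.1.250.0/27" `
    -ServiceEndpoint Microsoft.Storage

## Creating the Virtual Networks
Write-Host -ForegroundColor Yellow "Creating Networking VNet (DDos Protection recommended for Enterprise setups)"
$VnetNetwork = New-AzVirtualNetwork `
    -Name "vnet-$($AzureEnvironment.Code)-net-001" `
    -ResourceGroupName $RgNetworking.ResourceGroupName `
    -Location $AzureEnvironment.Location `
    -AddressPrefix 10.1.0.0/16 `
    -Subnet $SnetGateway `
    -Tag $Tags
Write-Host -ForegroundColor Yellow "Creating Storage VNet"
# The storage VNet lives in the networking resource group on purpose: the
# subnet refresh and the DNS link further down look it up there.
$VnetStorage = New-AzVirtualNetwork `
    -Name "vnet-$($AzureEnvironment.Code)-stor-001" `
    -ResourceGroupName $RgNetworking.ResourceGroupName `
    -Location $AzureEnvironment.Location `
    -AddressPrefix 10.2.0.0/24 `
    -Tag $Tags

## Create VPN Gateway Public IP
Write-Host -ForegroundColor Yellow "Creating VPN Public IP"
# Fix: the gateway IP configuration needs an IPv4 address; the original asked
# for IPv6 here, which the VPN gateway cannot be bound to.
$VpnIp = New-AzPublicIpAddress `
    -ResourceGroupName $RgNetworking.ResourceGroupName `
    -Name "pip-$($AzureEnvironment.Code)-vpn-001" `
    -Location $AzureEnvironment.Location `
    -Sku Basic `
    -AllocationMethod Dynamic `
    -DomainNameLabel $VpnDnaLabel `
    -IpAddressVersion IPv4 `
    -Tag $Tags

## Creating the 'Self-Signed' Certificates. Enterprise CA certificates can be used and are recommended for real implementations
Write-Host -ForegroundColor Yellow "Generate VPN Certificate"
# Root certificate: its only job is to sign client certificates (KeyUsage CertSign).
$P2SCert = New-SelfSignedCertificate `
    -Type Custom `
    -KeySpec Signature `
    -Subject "CN=$DomainCN" `
    -KeyExportPolicy Exportable `
    -KeyAlgorithm RSA `
    -KeyLength 4096 `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -KeyUsageProperty Sign `
    -KeyUsage CertSign
# The gateway only needs the root's public certificate bytes (RawData) as
# Base64 -- the private key never leaves this machine. Named accordingly: this
# is the DER-encoded certificate, not a fingerprint.
$RootCertPublicData = [System.Convert]::ToBase64String($P2SCert.RawData)
$CertificateForVpn = New-AzVpnClientRootCertificate `
    -Name 'SelfSignedCert' `
    -PublicCertData $RootCertPublicData

Write-Host -ForegroundColor Yellow "Generate Client Certificate"
# 2.5.29.37 is the Extended Key Usage extension; 1.3.6.1.5.5.7.3.2 is Client Authentication.
$ClientCert = New-SelfSignedCertificate `
    -Type Custom `
    -KeySpec Signature `
    -Subject "CN=Client$DomainCN" `
    -KeyExportPolicy Exportable `
    -KeyAlgorithm RSA `
    -KeyLength 4096 `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -Signer $P2SCert `
    -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")

Write-Host -ForegroundColor Yellow "Generate Password for Pfx file"
# 32 bytes from the platform CSPRNG, Base64-encoded (44 characters).
# Replaces System.Web.Security.Membership::GeneratePassword, which is absent
# from PowerShell 7 and needs an explicit Add-Type in Windows PowerShell.
$PasswordBytes = [byte[]]::new(32)
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($PasswordBytes)
$CertPass = ConvertTo-SecureString `
    -String ([System.Convert]::ToBase64String($PasswordBytes)) `
    -Force `
    -AsPlainText
# The managed byte[] is no longer needed once the SecureString holds the value.
[Array]::Clear($PasswordBytes, 0, $PasswordBytes.Length)

Write-Host -ForegroundColor Yellow "Exporting Client Certificate to Pfx file"
# BuildChain includes the root's public certificate in the PFX so the client
# machine can install both from the one file.
Export-PfxCertificate `
    -Cert $ClientCert.PSPath `
    -FilePath $ClientVpnCertificate `
    -Password $CertPass `
    -ChainOption BuildChain

# The password is shown once so it can be handed to the VPN user. It goes to
# stdout, so it also lands in any transcript or CI log; in a pipeline, hand it
# to a secret store instead of printing it.
$bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($CertPass)
try {
    $plaintext = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
    Write-Host -ForegroundColor Red "Main Certificate Pfx key: $plaintext"
}
finally {
    # Fix: the original never released the unmanaged copy of the password.
    [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    $plaintext = $null
}

Write-Host -ForegroundColor Green "Removing VPN Certificate from Certificates store"
# Deletes the root and its private key from the store. New-SelfSignedCertificate
# -Signer needs the root in the store, so no further client certificates can be
# issued after this point; export the root first if more clients are expected.
Remove-Item $P2SCert.PSPath -Force

## Create the VPN Gateway
Write-Host -ForegroundColor Yellow "Creating the VPN"
# Re-read the subnet from the created VNet so it carries a resource Id.
$SnetGateway = Get-AzVirtualNetworkSubnetConfig `
    -Name $GatewaySubnetName `
    -VirtualNetwork $VnetNetwork
$GatewayIpConfig = New-AzVirtualNetworkGatewayIpConfig `
    -Name "vpnip-$($AzureEnvironment.Code)-p2s-001" `
    -SubnetId $SnetGateway.Id `
    -PublicIpAddressId $VpnIp.Id
$Vpn = New-AzVirtualNetworkGateway `
    -Name "vpn-$($AzureEnvironment.Code)-p2s-001" `
    -ResourceGroupName $RgNetworking.ResourceGroupName `
    -Location $AzureEnvironment.Location `
    -GatewayType Vpn `
    -GatewaySku VpnGw1 `
    -VpnType RouteBased `
    -EnableBgp $true `
    -IpConfigurations $GatewayIpConfig `
    -VpnClientRootCertificates $CertificateForVpn `
    -VpnClientAddressPool '172.16.0.0/24' `
    -Tag $Tags

## Peering the Virtual Networks
Write-Host -ForegroundColor Yellow "Enable VNet Peering"
# Networking side offers its gateway; storage side consumes it.
Add-AzVirtualNetworkPeering `
    -Name netPeerPerimeterToStorage `
    -VirtualNetwork $VnetNetwork `
    -RemoteVirtualNetworkId $VnetStorage.Id `
    -AllowGatewayTransit `
    -AllowForwardedTraffic
Add-AzVirtualNetworkPeering `
    -Name netPeerStorageToPerimeter `
    -VirtualNetwork $VnetStorage `
    -RemoteVirtualNetworkId $VnetNetwork.Id `
    -UseRemoteGateways `
    -AllowForwardedTraffic

## Create Storage Account
Write-Host -ForegroundColor Yellow "Creating the Storage Account"
# HTTPS only, no anonymous blob access, and a TLS 1.2 floor (added; the
# original left the account on the service default minimum).
$StorageAccount = New-AzStorageAccount `
    -Name "stor$($AzureEnvironment.Code)fs001" `
    -ResourceGroupName $RgStorage.ResourceGroupName `
    -SkuName Standard_LRS `
    -Location $AzureEnvironment.Location `
    -Kind StorageV2 `
    -AccessTier Hot `
    -EnableHttpsTrafficOnly $true `
    -EnableLargeFileShare `
    -AllowBlobPublicAccess $false `
    -MinimumTlsVersion TLS1_2
Write-Host -ForegroundColor Yellow "Creating the File Share"
$FileShareDrive = New-AzStorageShare `
    -Name $ShareName `
    -Context $StorageAccount.Context
Set-AzStorageShareQuota `
    -Share $FileShareDrive.CloudFileShare `
    -Quota 1024
Write-Host -ForegroundColor Yellow "Set Storage Account Security"
# Default deny; only the gateway subnet (via its service endpoint) and trusted
# Azure services are allowed through. $SnetGateway was re-read above and so
# already carries the subnet's resource Id.
Update-AzStorageAccountNetworkRuleSet `
    -ResourceGroupName $RgStorage.ResourceGroupName `
    -StorageAccountName $StorageAccount.StorageAccountName `
    -Bypass 'AzureServices' `
    -VirtualNetworkRule (@{ VirtualNetworkResourceId = $SnetGateway.Id }) `
    -DefaultAction Deny

# Create a private link service connection to the storage account.
Write-Host -ForegroundColor Yellow "Creating the Storage Private Link"
# Fix: the original read $FileShare.StorageAccountName, a variable that is never
# assigned, so the connection ended up named "-Connection".
$FileShareConnection = New-AzPrivateLinkServiceConnection `
    -Name "$($StorageAccount.StorageAccountName)-Connection" `
    -PrivateLinkServiceId $StorageAccount.Id `
    -GroupId "file"
Add-AzVirtualNetworkSubnetConfig `
    -Name $FileShareSubnetName `
    -AddressPrefix "10.2.0.0/27" `
    -VirtualNetwork $VnetStorage `
    -PrivateEndpointNetworkPoliciesFlag Disabled
Set-AzVirtualNetwork -VirtualNetwork $VnetStorage
# Getting the refreshed subnet details
# Fix: the original filtered on $SnetFileShare.Name -- the very variable being
# assigned, still empty at that point -- so the lookup matched nothing and the
# private endpoint was created with a null subnet.
$SnetFileShare = (Get-AzVirtualNetwork `
    -Name $VnetStorage.Name `
    -ResourceGroupName $RgNetworking.ResourceGroupName).Subnets.Where({ $_.Name -eq $FileShareSubnetName }) `
    | Select-Object -First 1
$PrivateEndPoint = New-AzPrivateEndpoint `
    -Name "$($StorageAccount.StorageAccountName)-PrivateEndPoint" `
    -ResourceGroupName $RgStorage.ResourceGroupName `
    -Location $AzureEnvironment.Location `
    -Subnet $SnetFileShare `
    -PrivateLinkServiceConnection $FileShareConnection

Write-Host -ForegroundColor Yellow "Creating the Private DNS"
# Fix: the zone has to be privatelink.file.core.windows.net. The zone group
# below registers the storage account's A record in this zone, and clients
# resolve <account>.file.core.windows.net through it; a custom zone name (the
# original used pdns-...-net-001.mydomain.com) is never queried for that FQDN.
# NOTE(review): P2S clients outside the VNet do not query Azure private DNS
# directly; they need a DNS forwarder inside the VNet (or a hosts entry) to get
# the private address -- that part is not set up by this script.
$PrivateDns = New-AzPrivateDnsZone `
    -ResourceGroupName $RgNetworking.ResourceGroupName `
    -Name 'privatelink.file.core.windows.net' `
    -Tag $Tags
# Fix: -Name expects a string; the original passed the whole endpoint object.
New-AzPrivateDnsVirtualNetworkLink `
    -ResourceGroupName $RgNetworking.ResourceGroupName `
    -ZoneName $PrivateDns.Name `
    -Name "$($VnetStorage.Name)-link" `
    -VirtualNetwork $VnetStorage
$PrivateDnsConfig = New-AzPrivateDnsZoneConfig `
    -Name $PrivateDns.Name `
    -PrivateDnsZoneId $PrivateDns.ResourceId
New-AzPrivateDnsZoneGroup `
    -ResourceGroupName $RgStorage.ResourceGroupName `
    -Name "FileSharePrivateLinkGroup" `
    -PrivateEndpointName $PrivateEndPoint.Name `
    -PrivateDnsZoneConfig $PrivateDnsConfig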