## Initialising Variables
# Region to deploy into and the short code that is embedded in every resource name below.
$AzureEnvironment = [PSCustomObject]@{
    Location = 'North Europe'
    Code     = 'neu'
}
# Tag set passed to every cmdlet that accepts -Tag.
$Tags = @{
    scope    = 'training'
    practice = 'VPN Access to Storage'
}
# Azure Files share name.
$ShareName = 'testshare'
# Subject CN of the self-signed root; the client certificate gets "Client" prefixed to it.
$DomainCN = 'P2SCertificate'
# DNS name label for the VPN gateway public IP (variable name kept as-is: it is referenced later).
$VpnDnaLabel = 'kdm-vpn-test'
# Output path of the exported client PFX. Relative, so it lands in the current working directory
# together with the password that is printed for it — pick a protected location for real use.
$ClientVpnCertificate = 'vpn.pfx'
## Registering Azure Modules
## If working with CI/CD or without a full install of the PowerShell Azure SDK, uncomment lines 25 to 27
#Install-Module Az.Accounts -AllowClobber -Scope CurrentUser
#Install-Module Az.Network -AllowClobber -Scope CurrentUser
#Install-Module Az.Storage -AllowClobber -Scope CurrentUser
## Login into Azure Tenant
## If working with CI/CD or without a pre-connected PowerShell terminal to Azure, uncomment lines 30 to 32 (service-principal login; the client secret is read from the environment, never stored in this file)
#$ARM_Password = ConvertTo-SecureString -String $env:SUBSCRIPTION_CLIENT_SECRET -AsPlainText -Force
#$Credentials = New-Object -TypeName System.Management.Automation.PSCredential($env:SUBSCRIPTION_CLIENT_ID, $ARM_PASSWORD)
#Connect-AzAccount -ServicePrincipal -Credential $Credentials -Tenant $env:TENANT_ID
## Create Resource Groups
# Both groups share the location and tag set declared at the top of the script.
Write-Host -ForegroundColor Yellow "Creating Networking Resource Group"
$NetworkingRgParams = @{
    Name     = "rg-$($AzureEnvironment.Code)-net-001"
    Location = $AzureEnvironment.Location
    Tag      = $Tags
}
$RgNetworking = New-AzResourceGroup @NetworkingRgParams
Write-Host -ForegroundColor Yellow "Creating Storage Resource Group"
$StorageRgParams = @{
    Name     = "rg-$($AzureEnvironment.Code)-stor-001"
    Location = $AzureEnvironment.Location
    Tag      = $Tags
}
$RgStorage = New-AzResourceGroup @StorageRgParams
## Create VPN Gateway Subnet
Write-Host -ForegroundColor Yellow "Creating VPN Subnet"
# In-memory subnet definition only; it is attached when the networking VNet is created below.
# The Microsoft.Storage service endpoint is what lets the storage firewall later name this subnet
# in a VNet rule.
# NOTE(review): P2S clients are sourced from the client address pool, not from this subnet, so
# that VNet rule will not admit them — confirm the private endpoint created later is the intended
# path for client traffic to the share.
$GatewaySubnetParams = @{
    Name            = 'gatewaysubnet'
    AddressPrefix   = '10.1.250.0/27'
    ServiceEndpoint = 'Microsoft.Storage'
}
$SnetGateway = New-AzVirtualNetworkSubnetConfig @GatewaySubnetParams
## Creating the Virtual Networks
Write-Host -ForegroundColor Yellow "Creating Networking VNet (DDos Protection recommended for Enterprise setups)"
# VNet that hosts the gateway subnet defined above.
$NetworkVnetParams = @{
    Name              = "vnet-$($AzureEnvironment.Code)-net-001"
    ResourceGroupName = $RgNetworking.ResourceGroupName
    Location          = $AzureEnvironment.Location
    AddressPrefix     = '10.1.0.0/16'
    Subnet            = $SnetGateway
    Tag               = $Tags
}
$VnetNetwork = New-AzVirtualNetwork @NetworkVnetParams
Write-Host -ForegroundColor Yellow "Creating Storage VNet"
# Created without subnets; the private-endpoint subnet is added further down.
# Note that it lives in the networking resource group, not the storage one.
$StorageVnetParams = @{
    Name              = "vnet-$($AzureEnvironment.Code)-stor-001"
    ResourceGroupName = $RgNetworking.ResourceGroupName
    Location          = $AzureEnvironment.Location
    AddressPrefix     = '10.2.0.0/24'
    Tag               = $Tags
}
$VnetStorage = New-AzVirtualNetwork @StorageVnetParams
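## Create VPN Gateway Public IP
Write-Host -ForegroundColor Yellow "Creating VPN Public IP"
# Public address for the VPN gateway. Azure VPN Gateway only attaches IPv4 public IPs, so the
# original IpAddressVersion of IPv6 would have made New-AzVirtualNetworkGateway fail further down.
# NOTE(review): Basic/Dynamic pairs with the non-zonal VpnGw1 SKU used below; zone-redundant
# gateway SKUs require a Standard/Static public IP — change both together if the SKU changes.
$VpnIpParams = @{
    ResourceGroupName = $RgNetworking.ResourceGroupName
    Name              = "pip-$($AzureEnvironment.Code)-vpn-001"
    Location          = $AzureEnvironment.Location
    Sku               = 'Basic'
    AllocationMethod  = 'Dynamic'
    DomainNameLabel   = $VpnDnaLabel
    IpAddressVersion  = 'IPv4'
    Tag               = $Tags
}
$VpnIp = New-AzPublicIpAddress @VpnIpParams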
## Creating the 'Self-Signed' Certifications. Enterprise CA Certificates can be used and recommended for real implementation
Write-Host -ForegroundColor Yellow "Generate VPN Certificate"
# Root certificate the gateway will trust: 4096-bit RSA signing key with the CertSign key usage,
# stored in the current user's personal store so it can sign the client certificate below.
# NOTE(review): the script never exports this root, so NonExportable would be the tighter
# KeyExportPolicy unless the root is meant to be backed up — confirm. No -NotAfter is given, so the
# cmdlet's default validity period applies; check it suits how long the VPN is expected to run.
$RootCertParams = @{
    Type              = 'Custom'
    KeySpec           = 'Signature'
    Subject           = "CN=$DomainCN"
    KeyExportPolicy   = 'Exportable'
    KeyAlgorithm      = 'RSA'
    KeyLength         = 4096
    CertStoreLocation = 'Cert:\CurrentUser\My'
    KeyUsageProperty  = 'Sign'
    KeyUsage          = 'CertSign'
}
$P2SCert = New-SelfSignedCertificate @RootCertParams
# The gateway takes the DER-encoded public certificate as Base64 (no PEM header/footer);
# this is the certificate body, not a thumbprint.
$RootPublicCertData = [System.Convert]::ToBase64String($P2SCert.RawData)
$CertificateForVpn = New-AzVpnClientRootCertificate -Name 'SelfSignedCert' -PublicCertData $RootPublicCertData
Write-Host -ForegroundColor Yellow "Generate Client Certificate"
# Leaf certificate issued by the root above. The TextExtension sets Extended Key Usage
# (2.5.29.37) to Client Authentication (1.3.6.1.5.5.7.3.2), which the P2S client needs.
# Exportable so the private key can be written to the PFX below.
$ClientCertParams = @{
    Type              = 'Custom'
    KeySpec           = 'Signature'
    Subject           = "CN=Client$DomainCN"
    KeyExportPolicy   = 'Exportable'
    KeyAlgorithm      = 'RSA'
    KeyLength         = 4096
    CertStoreLocation = 'Cert:\CurrentUser\My'
    Signer            = $P2SCert
    TextExtension     = @('2.5.29.37={text}1.3.6.1.5.5.7.3.2')
}
$ClientCert = New-SelfSignedCertificate @ClientCertParams
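Write-Host -ForegroundColor Yellow "Generate Password for Pfx file"
# 32 characters drawn from a 64-symbol alphabet with the platform CSPRNG (~192 bits of entropy).
# This replaces [System.Web.Security.Membership]::GeneratePassword, which exists only on
# .NET Framework and therefore fails under PowerShell 7. The alphabet has exactly 64 symbols on
# purpose: 256 is a multiple of 64, so indexing with (byte % 64) introduces no modulo bias.
$PasswordAlphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_'
$RandomBytes = New-Object byte[] 32
$Rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
try {
    $Rng.GetBytes($RandomBytes)
}
finally {
    $Rng.Dispose()
}
$PlainPfxPassword = -join ($RandomBytes | ForEach-Object { $PasswordAlphabet[$_ % 64] })
$CertPass = ConvertTo-SecureString -String $PlainPfxPassword -AsPlainText -Force
Write-Host -ForegroundColor Yellow "Exporting Client Certificate to Pfx file"
# BuildChain bundles the root's public certificate with the client certificate and its key.
# NOTE(review): the PFX is written with the cmdlet's default wrapping; on Windows builds that
# support it, -CryptoAlgorithmOption AES256_SHA256 avoids the legacy 3DES/SHA1 envelope —
# confirm the target OS before adding it.
Export-PfxCertificate `
    -Cert $ClientCert.PSPath `
    -FilePath $ClientVpnCertificate `
    -Password $CertPass `
    -ChainOption BuildChain
# SECURITY: the PFX password is echoed so the operator can record it. Anything capturing this
# session (Start-Transcript, CI job logs) now holds the password next to the PFX file itself.
# When this runs unattended, hand the password to a secret store instead of printing it.
Write-Host -ForegroundColor Red "Main Certificate Pfx key: $PlainPfxPassword"
# Drop the plaintext copies from the session once they have been shown.
Remove-Variable -Name PlainPfxPassword, RandomBytes
Write-Host -ForegroundColor Green "Removing VPN Certificate from Certificates store"
# -DeleteKey removes the root's private key container as well; without it the signing key is
# left orphaned on disk after the certificate entry disappears from the store.
Remove-Item $P2SCert.PSPath -Force -DeleteKey
# NOTE(review): $ClientCert (with its exportable private key) is still in Cert:\CurrentUser\My
# after this; remove it too if this machine is not the intended VPN client.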
## Create the VPN Gateway
Write-Host -ForegroundColor Yellow "Creating the VPN"
# Re-read the gateway subnet from the created VNet so it carries the Id Azure assigned to it.
$SnetGateway = Get-AzVirtualNetworkSubnetConfig -Name "gatewaysubnet" -VirtualNetwork $VnetNetwork
$GatewayIpConfigParams = @{
    Name              = "vpnip-$($AzureEnvironment.Code)-p2s-001"
    SubnetId          = $SnetGateway.Id
    PublicIpAddressId = $VpnIp.Id
}
$GatewayIpConfig = New-AzVirtualNetworkGatewayIpConfig @GatewayIpConfigParams
# Route-based VpnGw1 gateway; point-to-site clients authenticate with certificates chained to
# $CertificateForVpn and receive addresses from 172.16.0.0/24. This call blocks until the
# gateway is provisioned, which takes a long time.
# NOTE(review): BGP is enabled but nothing in this script peers with it and P2S client routing
# does not need it — confirm it is intentional. No -VpnClientProtocol is given, so the cmdlet
# default set of tunnel protocols applies.
$VpnGatewayParams = @{
    Name                      = "vpn-$($AzureEnvironment.Code)-p2s-001"
    ResourceGroupName         = $RgNetworking.ResourceGroupName
    Location                  = $AzureEnvironment.Location
    GatewayType               = 'Vpn'
    GatewaySku                = 'VpnGw1'
    VpnType                   = 'RouteBased'
    EnableBgp                 = $true
    IpConfigurations          = $GatewayIpConfig
    VpnClientRootCertificates = $CertificateForVpn
    VpnClientAddressPool      = '172.16.0.0/24'
    Tag                       = $Tags
}
$Vpn = New-AzVirtualNetworkGateway @VpnGatewayParams
## Peering the Virtual Networks
Write-Host -ForegroundColor Yellow "Enable VNet Peering"
# Networking VNet side: offers its gateway to the peer and accepts forwarded traffic.
$PerimeterPeeringParams = @{
    Name                   = 'netPeerPerimeterToStorage'
    VirtualNetwork         = $VnetNetwork
    RemoteVirtualNetworkId = $VnetStorage.Id
    AllowGatewayTransit    = $true
    AllowForwardedTraffic  = $true
}
Add-AzVirtualNetworkPeering @PerimeterPeeringParams
# Storage VNet side: routes through the networking VNet's gateway, which is what lets
# P2S clients reach resources in the storage VNet.
$StoragePeeringParams = @{
    Name                   = 'netPeerStorageToPerimeter'
    VirtualNetwork         = $VnetStorage
    RemoteVirtualNetworkId = $VnetNetwork.Id
    UseRemoteGateways      = $true
    AllowForwardedTraffic  = $true
}
Add-AzVirtualNetworkPeering @StoragePeeringParams
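## Create Storage Account
Write-Host -ForegroundColor Yellow "Creating the Storage Account"
# StorageV2 account that will hold the file share. HTTPS-only transport and no anonymous blob
# access were already set; MinimumTlsVersion additionally pins the data-plane floor to TLS 1.2
# so clients cannot negotiate older protocol versions (without it the service default applies).
# The account is also tagged like every other resource in this script.
$StorageAccountParams = @{
    Name                   = "stor$($AzureEnvironment.Code)fs001"
    ResourceGroupName      = $RgStorage.ResourceGroupName
    SkuName                = 'Standard_LRS'
    Location               = $AzureEnvironment.Location
    Kind                   = 'StorageV2'
    AccessTier             = 'Hot'
    EnableHttpsTrafficOnly = $true
    EnableLargeFileShare   = $true
    AllowBlobPublicAccess  = $false
    MinimumTlsVersion      = 'TLS1_2'
    Tag                    = $Tags
}
$StorageAccount = New-AzStorageAccount @StorageAccountParams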
Write-Host -ForegroundColor Yellow "Creating the File Share"
# Data-plane call authenticated with the account context (account key) returned at creation.
# NOTE(review): presumably placed before the firewall switches to default-deny below, since
# afterwards the machine running this script would itself be blocked — confirm.
$FileShareDrive = New-AzStorageShare -Name $ShareName -Context $StorageAccount.Context
# Cap the share at 1024 (the cmdlet's quota unit is GiB).
Set-AzStorageShareQuota -Share $FileShareDrive.CloudFileShare -Quota 1024
Write-Host -ForegroundColor Yellow "Set Storage Account Security"
# Default-deny firewall on the public endpoint: only trusted Azure services (Bypass) and the
# gateway subnet, via its Microsoft.Storage service endpoint, are allowed through.
# NOTE(review): P2S clients are not a VNet subnet, so this rule does not admit them; the private
# endpoint created below is the path expected to carry client traffic — confirm.
$GatewaySubnetId = $VnetNetwork.Subnets.Where({ $_.Name -eq 'gatewaysubnet' }).Id
$NetworkRuleParams = @{
    ResourceGroupName  = $RgStorage.ResourceGroupName
    StorageAccountName = $StorageAccount.StorageAccountName
    Bypass             = 'AzureServices'
    VirtualNetworkRule = @{ VirtualNetworkResourceId = "$GatewaySubnetId" }
    DefaultAction      = 'Deny'
}
Update-AzStorageAccountNetworkRuleSet @NetworkRuleParams
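# Create a private link service connection to the storage account.
Write-Host -ForegroundColor Yellow "Creating the Storage Private Link"
# Connection to the "file" sub-resource, named after the storage account. The original read
# $FileShare.StorageAccountName, a variable that is never assigned, so the name came out as
# the bare string "-Connection".
$FileShareConnection = New-AzPrivateLinkServiceConnection `
    -Name "$($StorageAccount.StorageAccountName)-Connection" `
    -PrivateLinkServiceId $StorageAccount.Id `
    -GroupId "file"
# Dedicated subnet in the storage VNet for the private endpoint NIC. Network policies have to be
# disabled on the subnet for a private endpoint to be placed in it.
$FileShareSubnetName = 'snet-fileshare'
Add-AzVirtualNetworkSubnetConfig `
    -Name $FileShareSubnetName `
    -AddressPrefix "10.2.0.0/27" `
    -VirtualNetwork $VnetStorage `
    -PrivateEndpointNetworkPoliciesFlag Disabled
Set-AzVirtualNetwork -VirtualNetwork $VnetStorage
# Re-read the VNet (it lives in the networking resource group) so the subnet carries its
# server-assigned Id. The filter must use the literal subnet name: the original compared against
# $SnetFileShare.Name while $SnetFileShare was still unset, so it matched nothing and
# New-AzPrivateEndpoint was handed a null subnet.
$SnetFileShare = (Get-AzVirtualNetwork `
    -Name $VnetStorage.Name `
    -ResourceGroupName $RgNetworking.ResourceGroupName).Subnets.Where({ $_.Name -eq $FileShareSubnetName }) `
    | Select-Object -First 1
$PrivateEndPoint = New-AzPrivateEndpoint `
    -Name "$($StorageAccount.StorageAccountName)-PrivateEndPoint" `
    -ResourceGroupName $RgStorage.ResourceGroupName `
    -Location $AzureEnvironment.Location `
    -Subnet $SnetFileShare `
    -PrivateLinkServiceConnection $FileShareConnection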
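Write-Host -ForegroundColor Yellow "Creating the Private DNS"
# For a private endpoint on the "file" sub-resource the zone has to be named
# privatelink.file.core.windows.net: the zone group below writes the storage account's A record
# into this zone, and <account>.file.core.windows.net resolves through a CNAME to
# <account>.privatelink.file.core.windows.net. The original zone name
# (pdns-<code>-net-001.mydomain.com) held a record nothing ever queries, so SMB traffic would
# still have gone to the public endpoint — which the firewall above denies.
$PrivateDns = New-AzPrivateDnsZone `
    -ResourceGroupName $RgNetworking.ResourceGroupName `
    -Name 'privatelink.file.core.windows.net' `
    -Tag $Tags
# Link the zone to the storage VNet so resources in it resolve the private record. The link
# name must be a string; the original passed the private endpoint object itself.
# NOTE(review): P2S clients do not use Azure-provided DNS, so they need a DNS forwarder inside
# the VNet or a hosts entry for the private IP — confirm how clients are meant to resolve the share.
New-AzPrivateDnsVirtualNetworkLink `
    -ResourceGroupName $RgNetworking.ResourceGroupName `
    -ZoneName $PrivateDns.Name `
    -Name "link-$($VnetStorage.Name)" `
    -VirtualNetwork $VnetStorage
# Attach the zone to the private endpoint so Azure manages the A record for the account.
$PrivateDnsConfig = New-AzPrivateDnsZoneConfig `
    -Name $PrivateDns.Name `
    -PrivateDnsZoneId $PrivateDns.ResourceId
New-AzPrivateDnsZoneGroup `
    -ResourceGroupName $RgStorage.ResourceGroupName `
    -Name "FileSharePrivateLinkGroup" `
    -PrivateEndpointName $PrivateEndPoint.Name `
    -PrivateDnsZoneConfig $PrivateDnsConfig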