diff --git a/Cert-Rollover-Sample/5-VM-1-NodeTypes-Secure.parameters_Step1.json b/Cert-Rollover-Sample/5-VM-1-NodeTypes-Secure.parameters_Step1.json
new file mode 100644
index 0000000..4345835
--- /dev/null
+++ b/Cert-Rollover-Sample/5-VM-1-NodeTypes-Secure.parameters_Step1.json
@@ -0,0 +1,54 @@
+{
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "clusterName": {
+ "value": "Cluster"
+ },
+ "clusterLocation": {
+ "value": "westus"
+ },
+ "adminUserName": {
+ "value": "testuser"
+ },
+ "vmImagePublisher": {
+ "value": "MicrosoftWindowsServer"
+ },
+ "vmImageOffer": {
+ "value": "WindowsServer"
+ },
+ "vmImageSku": {
+ "value": "2012-R2-Datacenter"
+ },
+ "vmImageVersion": {
+ "value": "latest"
+ },
+ "loadBalancedAppPort1": {
+ "value": 80
+ },
+ "loadBalancedAppPort2": {
+ "value": 8081
+ },
+ "certificateStoreValue": {
+ "value": "My"
+ },
+ "certificateThumbprint": {
+ "value": "thumbprint value"
+ },
+ "sourceVaultValue": {
+ "value": "/subscriptions/subscription value/resourceGroups/key vault resource group name/providers/Microsoft.KeyVault/vaults/key vault name"
+ },
+ "certificateUrlValue": {
+ "value": "Refers to the location URL in your key vault where the certificate was uploaded, it is should be in the format of https://.vault.azure.net:443/secrets/"
+ },
+ "clusterProtectionLevel": {
+ "value": "EncryptAndSign"
+ },
+ "storageAccountType": {
+ "value": "Standard_LRS"
+ },
+ "supportLogStorageAccountType": {
+ "value": "Standard_LRS"
+ }
+ }
+}
\ No newline at end of file
diff --git a/Cert-Rollover-Sample/5-VM-1-NodeTypes-Secure.parameters_Step2.json b/Cert-Rollover-Sample/5-VM-1-NodeTypes-Secure.parameters_Step2.json
new file mode 100644
index 0000000..ee1a69c
--- /dev/null
+++ b/Cert-Rollover-Sample/5-VM-1-NodeTypes-Secure.parameters_Step2.json
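Review bot: `sourceVaultValue` and `certificateUrlValue` carry explanatory prose instead of values in the shape the template expects, and the Step1 template passes them unchanged into `osProfile.secrets[0].sourceVault.id` and `vaultCertificates[0].certificateUrl`, so a deployment with this file unedited will most likely fail only once the scale set is created rather than at parameter validation. Placeholders shaped like the real values are easier to spot and replace, e.g. `"value": "https://<key-vault-name>.vault.azure.net:443/secrets/<certificate-secret-name>"` and `"value": "/subscriptions/<subscription-id>/resourceGroups/<key-vault-resource-group>/providers/Microsoft.KeyVault/vaults/<key-vault-name>"`. Leaving `adminPassword` out of this file so it is supplied at deploy time rather than committed is the right call and should stay that way in the Step2 parameters file as well.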
@@ -0,0 +1,60 @@
+{
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "clusterName": {
+ "value": "Cluster"
+ },
+ "clusterLocation": {
+ "value": "westus"
+ },
+ "adminUserName": {
+ "value": "testuser"
+ },
+ "vmImagePublisher": {
+ "value": "MicrosoftWindowsServer"
+ },
+ "vmImageOffer": {
+ "value": "WindowsServer"
+ },
+ "vmImageSku": {
+ "value": "2012-R2-Datacenter"
+ },
+ "vmImageVersion": {
+ "value": "latest"
+ },
+ "loadBalancedAppPort1": {
+ "value": 80
+ },
+ "loadBalancedAppPort2": {
+ "value": 8081
+ },
+ "certificateStoreValue": {
+ "value": "My"
+ },
+ "secCertificateThumbprint": {
+ "value": "thumbprint value"
+ },
+ "secCertificateUrlValue": {
+ "value": "Refers to the location URL in your key vault where the certificate was uploaded, it is should be in the format of https://.vault.azure.net:443/secrets/"
+ },
+ "certificateThumbprint": {
+ "value": "thumbprint value"
+ },
+ "sourceVaultValue": {
+ "value": "/subscriptions/subscription value/resourceGroups/key vault resource group name/providers/Microsoft.KeyVault/vaults/key vault name"
+ },
+ "certificateUrlValue": {
+ "value": "Refers to the location URL in your key vault where the certificate was uploaded, it is should be in the format of https://.vault.azure.net:443/secrets/"
+ },
+ "clusterProtectionLevel": {
+ "value": "EncryptAndSign"
+ },
+ "storageAccountType": {
+ "value": "Standard_LRS"
+ },
+ "supportLogStorageAccountType": {
+ "value": "Standard_LRS"
+ }
+ }
+}
\ No newline at end of file
diff --git a/Cert-Rollover-Sample/5-VM-1-NodeTypes-Secure_Step1.json b/Cert-Rollover-Sample/5-VM-1-NodeTypes-Secure_Step1.json
new file mode 100644
index 0000000..f79ba61
--- /dev/null
+++ b/Cert-Rollover-Sample/5-VM-1-NodeTypes-Secure_Step1.json
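Review bot: The outgoing and incoming certificate parameters are indistinguishable in this file — `certificateThumbprint` and `secCertificateThumbprint` both hold `"thumbprint value"`, and `certificateUrlValue` and `secCertificateUrlValue` hold the same prose — yet the Step2 template binds them to different primary/secondary slots in the scale-set extension and the cluster resource, so an operator editing this file has nothing telling them which entry is the new certificate. Use placeholders that name the role, e.g. `"value": "<current certificate thumbprint>"` for `certificateThumbprint` and `"value": "<new certificate thumbprint>"` for `secCertificateThumbprint`, with matching labels for the two URL parameters. As a point of style, the two `sec*` entries sit between `certificateStoreValue` and `certificateThumbprint`; placing each one directly after its counterpart would match the order used in the Step2 template's `parameters` block and make the pairing obvious.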
@@ -0,0 +1,589 @@ +{ + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json", + "contentVersion": "1.0.0.0", + "parameters": { + "clusterLocation": { + "type": "string", + "metadata": { + "description": "Location of the Cluster" + } + }, + "clusterName": { + "type": "string", + "defaultValue": "Cluster", + "metadata": { + "description": "Name of your cluster - Between 3 and 23 characters. Letters and numbers only" + } + }, + "adminUserName": { + "type": "string", + "defaultValue": "testadm", + "metadata": { + "description": "Remote desktop user Id" + } + }, + "adminPassword": { + "type": "securestring", + "metadata": { + "description": "Remote desktop user password. Must be a strong password" + } + }, + "vmImagePublisher": { + "type": "string", + "defaultValue": "MicrosoftWindowsServer" + }, + "vmImageOffer": { + "type": "string", + "defaultValue": "WindowsServer" + }, + "vmImageSku": { + "type": "string", + "defaultValue": "2012-R2-Datacenter" + }, + "vmImageVersion": { + "type": "string", + "defaultValue": "latest" + }, + "loadBalancedAppPort1": { + "type": "int", + "defaultValue": 80, + "metadata": { + "description": "Input endpoint1 for the application to use. Replace it with what your application uses" + } + }, + "loadBalancedAppPort2": { + "type": "int", + "defaultValue": 8081, + "metadata": { + "description": "Input endpoint2 for the application to use. 
Replace it with what your application uses" + } + }, + "certificateStoreValue": { + "type": "string", + "allowedValues": [ + "My" + ], + "defaultValue": "My", + "metadata": { + "description": "The store name where the cert will be deployed in the virtual machine" + } + }, + "certificateThumbprint": { + "type": "string", + "metadata": { + "description": "Certificate Thumbprint" + } + }, + "sourceVaultValue": { + "type": "string", + "metadata": { + "description": "Resource Id of the key vault, is should be in the format of /subscriptions//resourceGroups//providers/Microsoft.KeyVault/vaults/" + } + }, + "certificateUrlValue": { + "type": "string", + "metadata": { + "description": "Refers to the location URL in your key vault where the certificate was uploaded, it is should be in the format of https://.vault.azure.net:443/secrets/" + } + }, + "clusterProtectionLevel": { + "type": "string", + "allowedValues": [ + "None", + "Sign", + "EncryptAndSign" + ], + "defaultValue": "EncryptAndSign", + "metadata": { + "description": "Protection level.Three values are allowed - EncryptAndSign, Sign, None. 
It is best to keep the default of EncryptAndSign, unless you have a need not to" + } + }, + "storageAccountType": { + "type": "string", + "allowedValues": [ + "Standard_LRS", + "Standard_GRS" + ], + "defaultValue": "Standard_LRS", + "metadata": { + "description": "Replication option for the VM image storage account" + } + }, + "supportLogStorageAccountType": { + "type": "string", + "allowedValues": [ + "Standard_LRS", + "Standard_GRS" + ], + "defaultValue": "Standard_LRS", + "metadata": { + "description": "Replication option for the support log storage account" + } + } + }, + "variables": { + "computeLocation": "[parameters('clusterLocation')]", + "dnsName": "[parameters('clusterName')]", + "vmStorageAccountName": "[toLower(concat(uniqueString(resourceGroup().id), '1' ))]", + "vmName": "vm", + "publicIPAddressName": "PublicIP-VM", + "publicIPAddressType": "Dynamic", + "vmStorageAccountContainerName": "vhds", + "virtualNetworkName": "VNet", + "addressPrefix": "10.0.0.0/16", + "nicName": "NIC", + "lbName": "LoadBalancer", + "lbIPName": "PublicIP-LB-FE", + "availSetName": "AvailabilitySet", + "maxPercentUpgradeDomainDeltaUnhealthyNodes": "100", + "vnetID": "[resourceId('Microsoft.Network/virtualNetworks',variables('virtualNetworkName'))]", + "overProvision": "false", + "vmssApiVersion": "2016-03-30", + "lbApiVersion": "2015-06-15", + "vNetApiVersion": "2015-06-15", + "storageApiVersion": "2015-06-15", + "publicIPApiVersion": "2015-06-15", + "vmImagePublisher": "MicrosoftWindowsServer", + "vmImageOffer": "WindowsServer", + "vmImageSku": "2012-R2-Datacenter", + "vmImageVersion": "latest", + "nt0applicationStartPort": "20000", + "nt0applicationEndPort": "30000", + "nt0ephemeralStartPort": "49152", + "nt0ephemeralEndPort": "65534", + "nt0fabricTcpGatewayPort": "19000", + "nt0fabricHttpGatewayPort": "19080", + "subnet0Name": "Subnet-0", + "subnet0Prefix": "10.0.0.0/24", + "subnet0Ref": "[concat(variables('vnetID'),'/subnets/',variables('subnet0Name'))]", + 
"supportLogStorageAccountName": "[toLower( concat( uniqueString(resourceGroup().id),'2'))]", + "lbID0": "[resourceId('Microsoft.Network/loadBalancers',concat('LB','-', parameters('clusterName'),'-',variables('vmNodeType0Name')))]", + "lbIPConfig0": "[concat(variables('lbID0'),'/frontendIPConfigurations/LoadBalancerIPConfig')]", + "lbPoolID0": "[concat(variables('lbID0'),'/backendAddressPools/LoadBalancerBEAddressPool')]", + "lbProbeID0": "[concat(variables('lbID0'),'/probes/FabricGatewayProbe')]", + "lbHttpProbeID0": "[concat(variables('lbID0'),'/probes/FabricHttpGatewayProbe')]", + "lbNatPoolID0": "[concat(variables('lbID0'),'/inboundNatPools/LoadBalancerBEAddressNatPool')]", + "vmNodeType0Name": "[toLower(concat('NT1', variables('vmName')))]", + "vmNodeType0Size": "Standard_D1", + "vmStorageAccountName0": "[toLower(concat(uniqueString(resourceGroup().id), '1', '0' ))]" + }, + "resources": [ + { + "apiVersion": "[variables('storageApiVersion')]", + "type": "Microsoft.Storage/storageAccounts", + "name": "[variables('vmStorageAccountName')]", + "location": "[variables('computeLocation')]", + "properties": { + "accountType": "[parameters('storageAccountType')]" + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + }, + { + "apiVersion": "[variables('storageApiVersion')]", + "type": "Microsoft.Storage/storageAccounts", + "name": "[variables('supportLogStorageAccountName')]", + "location": "[variables('computeLocation')]", + "properties": { + "accountType": "[parameters('supportLogStorageAccountType')]" + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + }, + { + "apiVersion": "[variables('vNetApiVersion')]", + "type": "Microsoft.Network/virtualNetworks", + "name": "[variables('virtualNetworkName')]", + "location": "[variables('computeLocation')]", + "properties": { + "addressSpace": { + "addressPrefixes": [ + "[variables('addressPrefix')]" + ] + }, + "subnets": [ 
+ { + "name": "[variables('subnet0Name')]", + "properties": { + "addressPrefix": "[variables('subnet0Prefix')]" + } + } + ] + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + }, + { + "apiVersion": "[variables('publicIPApiVersion')]", + "type": "Microsoft.Network/publicIPAddresses", + "name": "[concat(variables('lbIPName'),'-','0')]", + "location": "[variables('computeLocation')]", + "properties": { + "dnsSettings": { + "domainNameLabel": "[variables('dnsName')]" + }, + "publicIPAllocationMethod": "Dynamic" + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + }, + { + "apiVersion": "[variables('lbApiVersion')]", + "type": "Microsoft.Network/loadBalancers", + "name": "[concat('LB','-', parameters('clusterName'),'-',variables('vmNodeType0Name'))]", + "location": "[variables('computeLocation')]", + "dependsOn": [ + "[concat('Microsoft.Network/publicIPAddresses/',concat(variables('lbIPName'),'-','0'))]" + ], + "properties": { + "frontendIPConfigurations": [ + { + "name": "LoadBalancerIPConfig", + "properties": { + "publicIPAddress": { + "id": "[resourceId('Microsoft.Network/publicIPAddresses',concat(variables('lbIPName'),'-','0'))]" + } + } + } + ], + "backendAddressPools": [ + { + "name": "LoadBalancerBEAddressPool", + "properties": {} + } + ], + "loadBalancingRules": [ + { + "name": "LBRule", + "properties": { + "backendAddressPool": { + "id": "[variables('lbPoolID0')]" + }, + "backendPort": "[variables('nt0fabricTcpGatewayPort')]", + "enableFloatingIP": "false", + "frontendIPConfiguration": { + "id": "[variables('lbIPConfig0')]" + }, + "frontendPort": "[variables('nt0fabricTcpGatewayPort')]", + "idleTimeoutInMinutes": "5", + "probe": { + "id": "[variables('lbProbeID0')]" + }, + "protocol": "tcp" + } + }, + { + "name": "LBHttpRule", + "properties": { + "backendAddressPool": { + "id": "[variables('lbPoolID0')]" + }, + "backendPort": 
"[variables('nt0fabricHttpGatewayPort')]", + "enableFloatingIP": "false", + "frontendIPConfiguration": { + "id": "[variables('lbIPConfig0')]" + }, + "frontendPort": "[variables('nt0fabricHttpGatewayPort')]", + "idleTimeoutInMinutes": "5", + "probe": { + "id": "[variables('lbHttpProbeID0')]" + }, + "protocol": "tcp" + } + }, + { + "name": "AppPortLBRule1", + "properties": { + "backendAddressPool": { + "id": "[variables('lbPoolID0')]" + }, + "backendPort": "[parameters('loadBalancedAppPort1')]", + "enableFloatingIP": "false", + "frontendIPConfiguration": { + "id": "[variables('lbIPConfig0')]" + }, + "frontendPort": "[parameters('loadBalancedAppPort1')]", + "idleTimeoutInMinutes": "5", + "probe": { + "id": "[concat(variables('lbID0'),'/probes/AppPortProbe1')]" + }, + "protocol": "tcp" + } + }, + { + "name": "AppPortLBRule2", + "properties": { + "backendAddressPool": { + "id": "[variables('lbPoolID0')]" + }, + "backendPort": "[parameters('loadBalancedAppPort2')]", + "enableFloatingIP": "false", + "frontendIPConfiguration": { + "id": "[variables('lbIPConfig0')]" + }, + "frontendPort": "[parameters('loadBalancedAppPort2')]", + "idleTimeoutInMinutes": "5", + "probe": { + "id": "[concat(variables('lbID0'),'/probes/AppPortProbe2')]" + }, + "protocol": "tcp" + } + } + ], + "probes": [ + { + "name": "FabricGatewayProbe", + "properties": { + "intervalInSeconds": 5, + "numberOfProbes": 2, + "port": "[variables('nt0fabricTcpGatewayPort')]", + "protocol": "tcp" + } + }, + { + "name": "FabricHttpGatewayProbe", + "properties": { + "intervalInSeconds": 5, + "numberOfProbes": 2, + "port": "[variables('nt0fabricHttpGatewayPort')]", + "protocol": "tcp" + } + }, + { + "name": "AppPortProbe1", + "properties": { + "intervalInSeconds": 5, + "numberOfProbes": 2, + "port": "[parameters('loadBalancedAppPort1')]", + "protocol": "tcp" + } + }, + { + "name": "AppPortProbe2", + "properties": { + "intervalInSeconds": 5, + "numberOfProbes": 2, + "port": "[parameters('loadBalancedAppPort2')]", + 
"protocol": "tcp" + } + } + ], + "inboundNatPools": [ + { + "name": "LoadBalancerBEAddressNatPool", + "properties": { + "backendPort": "3389", + "frontendIPConfiguration": { + "id": "[variables('lbIPConfig0')]" + }, + "frontendPortRangeEnd": "4500", + "frontendPortRangeStart": "3389", + "protocol": "tcp" + } + } + ] + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + }, + { + "apiVersion": "[variables('vmssApiVersion')]", + "type": "Microsoft.Compute/virtualMachineScaleSets", + "name": "[variables('vmNodeType0Name')]", + "location": "[variables('computeLocation')]", + "dependsOn": [ + "[concat('Microsoft.Network/virtualNetworks/', variables('virtualNetworkName'))]", + "[concat('Microsoft.Storage/storageAccounts/', variables('vmStorageAccountName'))]", + "[concat('Microsoft.Network/loadBalancers/', concat('LB','-', parameters('clusterName'),'-',variables('vmNodeType0Name')))]", + "[concat('Microsoft.Storage/storageAccounts/', variables('supportLogStorageAccountName'))]" + ], + "properties": { + "overprovision": "[variables('overProvision')]", + "upgradePolicy": { + "mode": "Automatic" + }, + "virtualMachineProfile": { + "extensionProfile": { + "extensions": [ + { + "name": "[concat('ServiceFabricNodeVmExt','_vmNodeType0Name')]", + "properties": { + "type": "ServiceFabricNode", + "autoUpgradeMinorVersion": false, + "protectedSettings": { + "StorageAccountKey1": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('supportLogStorageAccountName')),'2015-05-01-preview').key1]", + "StorageAccountKey2": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('supportLogStorageAccountName')),'2015-05-01-preview').key2]" + }, + "publisher": "Microsoft.Azure.ServiceFabric", + "settings": { + "clusterEndpoint": "[reference(parameters('clusterName')).clusterEndpoint]", + "nodeTypeRef": "[variables('vmNodeType0Name')]", + "dataPath": "D:\\\\SvcFab", + "durabilityLevel": "Bronze", + 
"nicPrefixOverride": "[variables('subnet0Prefix')]", + "certificate": { + "thumbprint": "[parameters('certificateThumbprint')]", + "x509StoreName": "[parameters('certificateStoreValue')]" + } + }, + "typeHandlerVersion": "1.0" + } + } + ] + }, + "networkProfile": { + "networkInterfaceConfigurations": [ + { + "name": "[concat(variables('nicName'), '-0')]", + "properties": { + "ipConfigurations": [ + { + "name": "[concat(variables('nicName'),'-',0)]", + "properties": { + "loadBalancerBackendAddressPools": [ + { + "id": "[variables('lbPoolID0')]" + } + ], + "loadBalancerInboundNatPools": [ + { + "id": "[variables('lbNatPoolID0')]" + } + ], + "subnet": { + "id": "[variables('subnet0Ref')]" + } + } + } + ], + "primary": true + } + } + ] + }, + "osProfile": { + "adminPassword": "[parameters('adminPassword')]", + "adminUsername": "[parameters('adminUsername')]", + "computernamePrefix": "[variables('vmNodeType0Name')]", + "secrets": [ + { + "sourceVault": { + "id": "[parameters('sourceVaultValue')]" + }, + "vaultCertificates": [ + { + "certificateStore": "[parameters('certificateStoreValue')]", + "certificateUrl": "[parameters('certificateUrlValue')]" + } + ] + } + ] + }, + "storageProfile": { + "imageReference": { + "publisher": "[variables('vmImagePublisher')]", + "offer": "[variables('vmImageOffer')]", + "sku": "[variables('vmImageSku')]", + "version": "[variables('vmImageVersion')]" + }, + "osDisk": { + "vhdContainers": [ + "[concat('http://',variables('vmStorageAccountName'),'.blob.core.windows.net/',variables('vmStorageAccountContainerName'))]" + ], + "name": "vmssosdisk", + "caching": "ReadOnly", + "createOption": "FromImage" + } + } + } + }, + "sku": { + "name": "[variables('vmNodeType0Size')]", + "capacity": "5", + "tier": "Standard" + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + }, + { + "apiVersion": "2016-03-01", + "type": "Microsoft.ServiceFabric/clusters", + "name": "[parameters('clusterName')]", + 
"location": "[parameters('clusterLocation')]", + "dependsOn": [ + "[concat('Microsoft.Storage/storageAccounts/', variables('supportLogStorageAccountName'))]" + ], + "properties": { + "certificate": { + "thumbprint": "[parameters('certificateThumbprint')]", + "x509StoreName": "[parameters('certificateStoreValue')]" + }, + "clientCertificateCommonNames": [], + "clientCertificateThumbprints": [], + "clusterState": "Default", + "diagnosticsStorageAccountConfig": { + "blobEndpoint": "[concat('https://',variables('supportLogStorageAccountName'),'.blob.core.windows.net/')]", + "protectedAccountKeyName": "StorageAccountKey1", + "queueEndpoint": "[concat('https://',variables('supportLogStorageAccountName'),'.queue.core.windows.net/')]", + "storageAccountName": "[variables('supportLogStorageAccountName')]", + "tableEndpoint": "[concat('https://',variables('supportLogStorageAccountName'),'.table.core.windows.net/')]" + }, + "fabricSettings": [ + { + "parameters": [ + { + "name": "ClusterProtectionLevel", + "value": "[parameters('clusterProtectionLevel')]" + } + ], + "name": "Security" + } + ], + "managementEndpoint": "[concat('https://',reference(concat(variables('lbIPName'),'-','0')).dnsSettings.fqdn,':',variables('nt0fabricHttpGatewayPort'))]", + "nodeTypes": [ + { + "name": "[variables('vmNodeType0Name')]", + "applicationPorts": { + "endPort": "[variables('nt0applicationEndPort')]", + "startPort": "[variables('nt0applicationStartPort')]" + }, + "clientConnectionEndpointPort": "[variables('nt0fabricTcpGatewayPort')]", + "durabilityLevel": "Bronze", + "ephemeralPorts": { + "endPort": "[variables('nt0ephemeralEndPort')]", + "startPort": "[variables('nt0ephemeralStartPort')]" + }, + "httpGatewayEndpointPort": "[variables('nt0fabricHttpGatewayPort')]", + "isPrimary": true, + "vmInstanceCount": 5 + } + ], + "provisioningState": "Default", + "reliabilityLevel": "Silver", + "vmImage": "Windows" + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": 
"[parameters('clusterName')]" + } + } + ], + "outputs": { + "clusterProperties": { + "value": "[reference(parameters('clusterName'))]", + "type": "object" + } + } +} \ No newline at end of file diff --git a/Cert-Rollover-Sample/5-VM-1-NodeTypes-Secure_Step2.json b/Cert-Rollover-Sample/5-VM-1-NodeTypes-Secure_Step2.json new file mode 100644 index 0000000..32eb275 --- /dev/null +++ b/Cert-Rollover-Sample/5-VM-1-NodeTypes-Secure_Step2.json 
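Review bot: The `vmImagePublisher`, `vmImageOffer`, `vmImageSku` and `vmImageVersion` parameters are declared but never read — `storageProfile.imageReference` resolves the identically named entries in `variables` — so the image values supplied in the parameters file are silently ignored and the deployment always uses the hard-coded `2012-R2-Datacenter` image; either point `imageReference` at `parameters(...)` as below or drop the four shadowing variables. The same shadowing appears in `5-VM-1-NodeTypes-Secure_Step2.json`. Two further points in this hunk: `osDisk.vhdContainers` builds the container URI with `'http://'` while every other storage endpoint in the template uses `'https://'`, and `LoadBalancerBEAddressNatPool` on the public load balancer forwards frontend ports 3389–4500 to RDP on every node with no network security group anywhere in the template, so that surface is internet-reachable and guarded only by `adminPassword` — worth attaching an NSG to `Subnet-0` or at least stating it in the `adminPassword` description. The empty `clientCertificateThumbprints`/`clientCertificateCommonNames` arrays likewise leave the cluster certificate as the only client credential for the management endpoint on `nt0fabricHttpGatewayPort`, which a sample README should call out.
```json
"imageReference": {
  "publisher": "[parameters('vmImagePublisher')]",
  "offer": "[parameters('vmImageOffer')]",
  "sku": "[parameters('vmImageSku')]",
  "version": "[parameters('vmImageVersion')]"
},
```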
@@ -0,0 +1,610 @@ +{ + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json", + "contentVersion": "1.0.0.0", + "parameters": { + "clusterLocation": { + "type": "string", + "metadata": { + "description": "Location of the Cluster" + } + }, + "clusterName": { + "type": "string", + "defaultValue": "Cluster", + "metadata": { + "description": "Name of your cluster - Between 3 and 23 characters. Letters and numbers only" + } + }, + "adminUserName": { + "type": "string", + "defaultValue": "testadm", + "metadata": { + "description": "Remote desktop user Id" + } + }, + "adminPassword": { + "type": "securestring", + "metadata": { + "description": "Remote desktop user password. Must be a strong password" + } + }, + "vmImagePublisher": { + "type": "string", + "defaultValue": "MicrosoftWindowsServer" + }, + "vmImageOffer": { + "type": "string", + "defaultValue": "WindowsServer" + }, + "vmImageSku": { + "type": "string", + "defaultValue": "2012-R2-Datacenter" + }, + "vmImageVersion": { + "type": "string", + "defaultValue": "latest" + }, + "loadBalancedAppPort1": { + "type": "int", + "defaultValue": 80, + "metadata": { + "description": "Input endpoint1 for the application to use. Replace it with what your application uses" + } + }, + "loadBalancedAppPort2": { + "type": "int", + "defaultValue": 8081, + "metadata": { + "description": "Input endpoint2 for the application to use. 
Replace it with what your application uses" + } + }, + "certificateStoreValue": { + "type": "string", + "allowedValues": [ + "My" + ], + "defaultValue": "My", + "metadata": { + "description": "The store name where the cert will be deployed in the virtual machine" + } + }, + "sourceVaultValue": { + "type": "string", + "metadata": { + "description": "Resource Id of the key vault, is should be in the format of /subscriptions//resourceGroups//providers/Microsoft.KeyVault/vaults/" + } + }, + "certificateThumbprint": { + "type": "string", + "metadata": { + "description": "Certificate Thumbprint" + } + }, + "certificateUrlValue": { + "type": "string", + "metadata": { + "description": "Refers to the location URL in your key vault where the certificate was uploaded, it is should be in the format of https://.vault.azure.net:443/secrets/" + } + }, + "secCertificateThumbprint": { + "type": "string", + "metadata": { + "description": "Certificate Thumbprint" + } + }, + "secCertificateUrlValue": { + "type": "string", + "metadata": { + "description": "Refers to the location URL in your key vault where the certificate was uploaded, it is should be in the format of https://.vault.azure.net:443/secrets/" + } + }, + "clusterProtectionLevel": { + "type": "string", + "allowedValues": [ + "None", + "Sign", + "EncryptAndSign" + ], + "defaultValue": "EncryptAndSign", + "metadata": { + "description": "Protection level.Three values are allowed - EncryptAndSign, Sign, None. 
It is best to keep the default of EncryptAndSign, unless you have a need not to" + } + }, + "storageAccountType": { + "type": "string", + "allowedValues": [ + "Standard_LRS", + "Standard_GRS" + ], + "defaultValue": "Standard_LRS", + "metadata": { + "description": "Replication option for the VM image storage account" + } + }, + "supportLogStorageAccountType": { + "type": "string", + "allowedValues": [ + "Standard_LRS", + "Standard_GRS" + ], + "defaultValue": "Standard_LRS", + "metadata": { + "description": "Replication option for the support log storage account" + } + } + }, + "variables": { + "computeLocation": "[parameters('clusterLocation')]", + "dnsName": "[parameters('clusterName')]", + "vmStorageAccountName": "[toLower(concat(uniqueString(resourceGroup().id), '1' ))]", + "vmName": "vm", + "publicIPAddressName": "PublicIP-VM", + "publicIPAddressType": "Dynamic", + "vmStorageAccountContainerName": "vhds", + "virtualNetworkName": "VNet", + "addressPrefix": "10.0.0.0/16", + "nicName": "NIC", + "lbName": "LoadBalancer", + "lbIPName": "PublicIP-LB-FE", + "availSetName": "AvailabilitySet", + "maxPercentUpgradeDomainDeltaUnhealthyNodes": "100", + "vnetID": "[resourceId('Microsoft.Network/virtualNetworks',variables('virtualNetworkName'))]", + "overProvision": "false", + "vmssApiVersion": "2016-03-30", + "lbApiVersion": "2015-06-15", + "vNetApiVersion": "2015-06-15", + "storageApiVersion": "2015-06-15", + "publicIPApiVersion": "2015-06-15", + "vmImagePublisher": "MicrosoftWindowsServer", + "vmImageOffer": "WindowsServer", + "vmImageSku": "2012-R2-Datacenter", + "vmImageVersion": "latest", + "nt0applicationStartPort": "20000", + "nt0applicationEndPort": "30000", + "nt0ephemeralStartPort": "49152", + "nt0ephemeralEndPort": "65534", + "nt0fabricTcpGatewayPort": "19000", + "nt0fabricHttpGatewayPort": "19080", + "subnet0Name": "Subnet-0", + "subnet0Prefix": "10.0.0.0/24", + "subnet0Ref": "[concat(variables('vnetID'),'/subnets/',variables('subnet0Name'))]", + 
"supportLogStorageAccountName": "[toLower( concat( uniqueString(resourceGroup().id),'2'))]", + "lbID0": "[resourceId('Microsoft.Network/loadBalancers',concat('LB','-', parameters('clusterName'),'-',variables('vmNodeType0Name')))]", + "lbIPConfig0": "[concat(variables('lbID0'),'/frontendIPConfigurations/LoadBalancerIPConfig')]", + "lbPoolID0": "[concat(variables('lbID0'),'/backendAddressPools/LoadBalancerBEAddressPool')]", + "lbProbeID0": "[concat(variables('lbID0'),'/probes/FabricGatewayProbe')]", + "lbHttpProbeID0": "[concat(variables('lbID0'),'/probes/FabricHttpGatewayProbe')]", + "lbNatPoolID0": "[concat(variables('lbID0'),'/inboundNatPools/LoadBalancerBEAddressNatPool')]", + "vmNodeType0Name": "[toLower(concat('NT1', variables('vmName')))]", + "vmNodeType0Size": "Standard_D1", + "vmStorageAccountName0": "[toLower(concat(uniqueString(resourceGroup().id), '1', '0' ))]" + }, + "resources": [ + { + "apiVersion": "[variables('storageApiVersion')]", + "type": "Microsoft.Storage/storageAccounts", + "name": "[variables('vmStorageAccountName')]", + "location": "[variables('computeLocation')]", + "properties": { + "accountType": "[parameters('storageAccountType')]" + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + }, + { + "apiVersion": "[variables('storageApiVersion')]", + "type": "Microsoft.Storage/storageAccounts", + "name": "[variables('supportLogStorageAccountName')]", + "location": "[variables('computeLocation')]", + "properties": { + "accountType": "[parameters('supportLogStorageAccountType')]" + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + }, + { + "apiVersion": "[variables('vNetApiVersion')]", + "type": "Microsoft.Network/virtualNetworks", + "name": "[variables('virtualNetworkName')]", + "location": "[variables('computeLocation')]", + "properties": { + "addressSpace": { + "addressPrefixes": [ + "[variables('addressPrefix')]" + ] + }, + "subnets": [ 
+ { + "name": "[variables('subnet0Name')]", + "properties": { + "addressPrefix": "[variables('subnet0Prefix')]" + } + } + ] + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + }, + { + "apiVersion": "[variables('publicIPApiVersion')]", + "type": "Microsoft.Network/publicIPAddresses", + "name": "[concat(variables('lbIPName'),'-','0')]", + "location": "[variables('computeLocation')]", + "properties": { + "dnsSettings": { + "domainNameLabel": "[variables('dnsName')]" + }, + "publicIPAllocationMethod": "Dynamic" + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + }, + { + "apiVersion": "[variables('lbApiVersion')]", + "type": "Microsoft.Network/loadBalancers", + "name": "[concat('LB','-', parameters('clusterName'),'-',variables('vmNodeType0Name'))]", + "location": "[variables('computeLocation')]", + "dependsOn": [ + "[concat('Microsoft.Network/publicIPAddresses/',concat(variables('lbIPName'),'-','0'))]" + ], + "properties": { + "frontendIPConfigurations": [ + { + "name": "LoadBalancerIPConfig", + "properties": { + "publicIPAddress": { + "id": "[resourceId('Microsoft.Network/publicIPAddresses',concat(variables('lbIPName'),'-','0'))]" + } + } + } + ], + "backendAddressPools": [ + { + "name": "LoadBalancerBEAddressPool", + "properties": {} + } + ], + "loadBalancingRules": [ + { + "name": "LBRule", + "properties": { + "backendAddressPool": { + "id": "[variables('lbPoolID0')]" + }, + "backendPort": "[variables('nt0fabricTcpGatewayPort')]", + "enableFloatingIP": "false", + "frontendIPConfiguration": { + "id": "[variables('lbIPConfig0')]" + }, + "frontendPort": "[variables('nt0fabricTcpGatewayPort')]", + "idleTimeoutInMinutes": "5", + "probe": { + "id": "[variables('lbProbeID0')]" + }, + "protocol": "tcp" + } + }, + { + "name": "LBHttpRule", + "properties": { + "backendAddressPool": { + "id": "[variables('lbPoolID0')]" + }, + "backendPort": 
"[variables('nt0fabricHttpGatewayPort')]", + "enableFloatingIP": "false", + "frontendIPConfiguration": { + "id": "[variables('lbIPConfig0')]" + }, + "frontendPort": "[variables('nt0fabricHttpGatewayPort')]", + "idleTimeoutInMinutes": "5", + "probe": { + "id": "[variables('lbHttpProbeID0')]" + }, + "protocol": "tcp" + } + }, + { + "name": "AppPortLBRule1", + "properties": { + "backendAddressPool": { + "id": "[variables('lbPoolID0')]" + }, + "backendPort": "[parameters('loadBalancedAppPort1')]", + "enableFloatingIP": "false", + "frontendIPConfiguration": { + "id": "[variables('lbIPConfig0')]" + }, + "frontendPort": "[parameters('loadBalancedAppPort1')]", + "idleTimeoutInMinutes": "5", + "probe": { + "id": "[concat(variables('lbID0'),'/probes/AppPortProbe1')]" + }, + "protocol": "tcp" + } + }, + { + "name": "AppPortLBRule2", + "properties": { + "backendAddressPool": { + "id": "[variables('lbPoolID0')]" + }, + "backendPort": "[parameters('loadBalancedAppPort2')]", + "enableFloatingIP": "false", + "frontendIPConfiguration": { + "id": "[variables('lbIPConfig0')]" + }, + "frontendPort": "[parameters('loadBalancedAppPort2')]", + "idleTimeoutInMinutes": "5", + "probe": { + "id": "[concat(variables('lbID0'),'/probes/AppPortProbe2')]" + }, + "protocol": "tcp" + } + } + ], + "probes": [ + { + "name": "FabricGatewayProbe", + "properties": { + "intervalInSeconds": 5, + "numberOfProbes": 2, + "port": "[variables('nt0fabricTcpGatewayPort')]", + "protocol": "tcp" + } + }, + { + "name": "FabricHttpGatewayProbe", + "properties": { + "intervalInSeconds": 5, + "numberOfProbes": 2, + "port": "[variables('nt0fabricHttpGatewayPort')]", + "protocol": "tcp" + } + }, + { + "name": "AppPortProbe1", + "properties": { + "intervalInSeconds": 5, + "numberOfProbes": 2, + "port": "[parameters('loadBalancedAppPort1')]", + "protocol": "tcp" + } + }, + { + "name": "AppPortProbe2", + "properties": { + "intervalInSeconds": 5, + "numberOfProbes": 2, + "port": "[parameters('loadBalancedAppPort2')]", + 
"protocol": "tcp" + } + } + ], + "inboundNatPools": [ + { + "name": "LoadBalancerBEAddressNatPool", + "properties": { + "backendPort": "3389", + "frontendIPConfiguration": { + "id": "[variables('lbIPConfig0')]" + }, + "frontendPortRangeEnd": "4500", + "frontendPortRangeStart": "3389", + "protocol": "tcp" + } + } + ] + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + }, + { + "apiVersion": "[variables('vmssApiVersion')]", + "type": "Microsoft.Compute/virtualMachineScaleSets", + "name": "[variables('vmNodeType0Name')]", + "location": "[variables('computeLocation')]", + "dependsOn": [ + "[concat('Microsoft.Network/virtualNetworks/', variables('virtualNetworkName'))]", + "[concat('Microsoft.Storage/storageAccounts/', variables('vmStorageAccountName'))]", + "[concat('Microsoft.Network/loadBalancers/', concat('LB','-', parameters('clusterName'),'-',variables('vmNodeType0Name')))]", + "[concat('Microsoft.Storage/storageAccounts/', variables('supportLogStorageAccountName'))]" + ], + "properties": { + "overprovision": "[variables('overProvision')]", + "upgradePolicy": { + "mode": "Automatic" + }, + "virtualMachineProfile": { + "extensionProfile": { + "extensions": [ + { + "name": "[concat('ServiceFabricNodeVmExt','_vmNodeType0Name')]", + "properties": { + "type": "ServiceFabricNode", + "autoUpgradeMinorVersion": false, + "protectedSettings": { + "StorageAccountKey1": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('supportLogStorageAccountName')),'2015-05-01-preview').key1]", + "StorageAccountKey2": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('supportLogStorageAccountName')),'2015-05-01-preview').key2]" + }, + "publisher": "Microsoft.Azure.ServiceFabric", + "settings": { + "clusterEndpoint": "[reference(parameters('clusterName')).clusterEndpoint]", + "nodeTypeRef": "[variables('vmNodeType0Name')]", + "dataPath": "D:\\\\SvcFab", + "durabilityLevel": "Bronze", + 
"nicPrefixOverride": "[variables('subnet0Prefix')]", + "certificate": { + "thumbprint": "[parameters('secCertificateThumbprint')]", + "x509StoreName": "[parameters('certificateStoreValue')]" + }, + "certificateSecondary": { + "thumbprint": "[parameters('certificateThumbprint')]", + "x509StoreName": "[parameters('certificateStoreValue')]" + } + }, + "typeHandlerVersion": "1.0" + } + } + ] + }, + "networkProfile": { + "networkInterfaceConfigurations": [ + { + "name": "[concat(variables('nicName'), '-0')]", + "properties": { + "ipConfigurations": [ + { + "name": "[concat(variables('nicName'),'-',0)]", + "properties": { + "loadBalancerBackendAddressPools": [ + { + "id": "[variables('lbPoolID0')]" + } + ], + "loadBalancerInboundNatPools": [ + { + "id": "[variables('lbNatPoolID0')]" + } + ], + "subnet": { + "id": "[variables('subnet0Ref')]" + } + } + } + ], + "primary": true + } + } + ] + }, + "osProfile": { + "adminPassword": "[parameters('adminPassword')]", + "adminUsername": "[parameters('adminUsername')]", + "computernamePrefix": "[variables('vmNodeType0Name')]", + "secrets": [ + { + "sourceVault": { + "id": "[parameters('sourceVaultValue')]" + }, + "vaultCertificates": [ + { + "certificateStore": "[parameters('certificateStoreValue')]", + "certificateUrl": "[parameters('certificateUrlValue')]" + }, + { + "certificateStore": "[parameters('certificateStoreValue')]", + "certificateUrl": "[parameters('secCertificateUrlValue')]" + } + ] + } + ] + }, + "storageProfile": { + "imageReference": { + "publisher": "[variables('vmImagePublisher')]", + "offer": "[variables('vmImageOffer')]", + "sku": "[variables('vmImageSku')]", + "version": "[variables('vmImageVersion')]" + }, + "osDisk": { + "vhdContainers": [ + "[concat('http://',variables('vmStorageAccountName'),'.blob.core.windows.net/',variables('vmStorageAccountContainerName'))]" + ], + "name": "vmssosdisk", + "caching": "ReadOnly", + "createOption": "FromImage" + } + } + } + }, + "sku": { + "name": 
"[variables('vmNodeType0Size')]", + "capacity": "5", + "tier": "Standard" + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + }, + { + "apiVersion": "2016-03-01", + "type": "Microsoft.ServiceFabric/clusters", + "name": "[parameters('clusterName')]", + "location": "[parameters('clusterLocation')]", + "dependsOn": [ + "[concat('Microsoft.Storage/storageAccounts/', variables('supportLogStorageAccountName'))]" + ], + "properties": { + "certificate": { + "thumbprint": "[parameters('certificateThumbprint')]", + "thumbprintSecondary": "[parameters('secCertificateThumbprint')]", + "x509StoreName": "[parameters('certificateStoreValue')]" + }, + "clientCertificateCommonNames": [], + "clientCertificateThumbprints": [], + "clusterState": "Default", + "diagnosticsStorageAccountConfig": { + "blobEndpoint": "[concat('https://',variables('supportLogStorageAccountName'),'.blob.core.windows.net/')]", + "protectedAccountKeyName": "StorageAccountKey1", + "queueEndpoint": "[concat('https://',variables('supportLogStorageAccountName'),'.queue.core.windows.net/')]", + "storageAccountName": "[variables('supportLogStorageAccountName')]", + "tableEndpoint": "[concat('https://',variables('supportLogStorageAccountName'),'.table.core.windows.net/')]" + }, + "fabricSettings": [ + { + "parameters": [ + { + "name": "ClusterProtectionLevel", + "value": "[parameters('clusterProtectionLevel')]" + } + ], + "name": "Security" + } + ], + "managementEndpoint": "[concat('https://',reference(concat(variables('lbIPName'),'-','0')).dnsSettings.fqdn,':',variables('nt0fabricHttpGatewayPort'))]", + "nodeTypes": [ + { + "name": "[variables('vmNodeType0Name')]", + "applicationPorts": { + "endPort": "[variables('nt0applicationEndPort')]", + "startPort": "[variables('nt0applicationStartPort')]" + }, + "clientConnectionEndpointPort": "[variables('nt0fabricTcpGatewayPort')]", + "durabilityLevel": "Bronze", + "ephemeralPorts": { + "endPort": 
"[variables('nt0ephemeralEndPort')]", + "startPort": "[variables('nt0ephemeralStartPort')]" + }, + "httpGatewayEndpointPort": "[variables('nt0fabricHttpGatewayPort')]", + "isPrimary": true, + "vmInstanceCount": 5 + } + ], + "provisioningState": "Default", + "reliabilityLevel": "Silver", + "vmImage": "Windows" + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + } + ], + "outputs": { + "clusterProperties": { + "value": "[reference(parameters('clusterName'))]", + "type": "object" + } + } +} \ No newline at end of file diff --git a/Cert-Rollover-Sample/README.md b/Cert-Rollover-Sample/README.md new file mode 100644 index 0000000..1dee33d --- /dev/null +++ b/Cert-Rollover-Sample/README.md @@ -0,0 +1,18 @@ +# Introduction + +This folder contains the set of ARM templates you can use to deploy a secure five node service fabric cluster, add a new certificate and then rollover the current primary certificate. You can use these to follow along with the documentation for [rolling over certificates in your secure cluster](https://azure.microsoft.com/en-us/documentation/articles/service-fabric-cluster-security-update-certs-azure/) + + +## Microsoft Azure Service Fabric ARM template Samples in this folder + +### Step1: Provision a secure cluster +1. Template to provision a five node secure cluster - 5-VM-1-NodeTypes-Secure_Step1.JSON +2. Template parameters for the above template - 5-VM-1-NodeTypes-Secure.parameters_Step1.JSON + + +### Step2 :Add a secondary certificate and swamp it to be the primary using ARM Powershell + +[How to roll over certificates in your secure cluster](https://azure.microsoft.com/en-us/documentation/articles/service-fabric-cluster-security-update-certs-azure/) + +1. Template to provision a five node secure cluster - 5-VM-1-NodeTypes-Secure_Step2.JSON +2. Template parameters for the above template - 5-VM-1-NodeTypes-Secure.parameters_Step2.JSON \ No newline at end of file 
diff --git a/Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_RollOverStep1.json b/Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_RollOverStep1.json
new file mode 100644
index 0000000..371ae2e
--- /dev/null
+++ b/Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_RollOverStep1.json
@@ -0,0 +1,756 @@ +{ + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json", + "contentVersion": "1.0.0.0", + "parameters": { + "clusterLocation": { + "type": "string", + "metadata": { + "description": "Location of the Cluster" + } + }, + "clusterName": { + "type": "string", + "defaultValue": "sfcluster", + "metadata": { + "description": "Name of your cluster - Between 3 and 23 characters. Letters and numbers only" + } + }, + "adminUserName": { + "type": "string", + "metadata": { + "description": "Remote desktop user Id" + } + }, + "adminPassword": { + "type": "securestring", + "metadata": { + "description": "Remote desktop user password. Must be a strong password" + } + }, + "vmImagePublisher": { + "type": "string", + "defaultValue": "MicrosoftWindowsServer", + "metadata": { + "description": "VM image Publisher" + } + }, + "vmImageOffer": { + "type": "string", + "defaultValue": "WindowsServer", + "metadata": { + "description": "VM image offer" + } + }, + "vmImageSku": { + "type": "string", + "defaultValue": "2012-R2-Datacenter", + "metadata": { + "description": "VM image SKU" + } + }, + "vmImageVersion": { + "type": "string", + "defaultValue": "latest", + "metadata": { + "description": "VM image version" + } + }, + "loadBalancedAppPort1": { + "type": "int", + "defaultValue": 80, + "metadata": { + "description": "Input endpoint1 for the application to use. Replace it with what your application uses" + } + }, + "loadBalancedAppPort2": { + "type": "int", + "defaultValue": 8081, + "metadata": { + "description": "Input endpoint2 for the application to use. 
Replace it with what your application uses" + } + }, + "SFReverseProxyPort": { + "type": "int", + "defaultValue": 19008, + "metadata": { + "description": "Endpoint for Service Fabric Reverse proxy" + } + }, + "clusterCertificateStoreValue": { + "type": "string", + "allowedValues": [ + "My" + ], + "defaultValue": "My", + "metadata": { + "description": "The store name where the cert will be deployed in the virtual machine" + } + }, + "clusterCertificateThumbprint": { + "type": "string", + "metadata": { + "description": "Certificate Thumbprint" + } + }, + "sourceVaultValue": { + "type": "string", + "metadata": { + "description": "Resource Id of the key vault, is should be in the format of /subscriptions//resourceGroups//providers/Microsoft.KeyVault/vaults/" + } + }, + "clusterCertificateUrlValue": { + "type": "string", + "metadata": { + "description": "Refers to the location URL in your key vault where the certificate was uploaded, it is should be in the format of https://.vault.azure.net:443/secrets/" + } + }, + "sfReverseProxyCertificateStoreValue": { + "type": "string", + "allowedValues": [ + "My" + ], + "defaultValue": "My", + "metadata": { + "description": "The store name where the cert will be deployed in the virtual machine" + } + }, + "sfReverseProxyCertificateThumbprint": { + "type": "string", + "metadata": { + "description": "Certificate Thumbprint" + } + }, + "sfReverseProxyCertificateUrlValue": { + "type": "string", + "metadata": { + "description": "Refers to the location URL in your key vault where the certificate was uploaded, it is should be in the format of https://.vault.azure.net:443/secrets/" + } + }, + "sfReverseProxySecCertificateThumbprint": { + "type": "string", + "metadata": { + "description": "Certificate Thumbprint" + } + }, + "sfReverseProxySecCertificateUrlValue": { + "type": "string", + "metadata": { + "description": "Refers to the location URL in your key vault where the certificate was uploaded, it is should be in the format of 
https://.vault.azure.net:443/secrets/" + } + }, + "clusterProtectionLevel": { + "type": "string", + "allowedValues": [ + "None", + "Sign", + "EncryptAndSign" + ], + "defaultValue": "EncryptAndSign", + "metadata": { + "description": "Protection level.Three values are allowed - EncryptAndSign, Sign, None. It is best to keep the default of EncryptAndSign, unless you have a need not to" + } + }, + "storageAccountType": { + "type": "string", + "allowedValues": [ + "Standard_LRS", + "Premium_LRS" + ], + "defaultValue": "Standard_LRS", + "metadata": { + "description": "Replication option for the VM image storage account" + } + }, + "supportLogStorageAccountType": { + "type": "string", + "allowedValues": [ + "Standard_LRS", + "Standard_GRS" + ], + "defaultValue": "Standard_LRS", + "metadata": { + "description": "Replication option for the support log storage account" + } + }, + "applicationDiagnosticsStorageAccountType": { + "type": "string", + "allowedValues": [ + "Standard_LRS", + "Standard_GRS" + ], + "defaultValue": "Standard_LRS", + "metadata": { + "description": "Replication option for the application diagnostics storage account" + } + }, + "nt0InstanceCount": { + "type": "int", + "defaultValue": 5, + "metadata": { + "description": "Instance count for node type" + } + } + }, + "variables": { + "computeLocation": "[parameters('clusterLocation')]", + "dnsName": "[parameters('clusterName')]", + "vmName": "vm", + "vmStorageAccountContainerName": "vhds", + "virtualNetworkName": "VNet", + "addressPrefix": "10.0.0.0/16", + "nicName": "NIC", + "lbIPName": "PublicIP-LB-FE", + "vnetID": "[resourceId('Microsoft.Network/virtualNetworks',variables('virtualNetworkName'))]", + "overProvision": "false", + "vmssApiVersion": "2017-03-30", + "lbApiVersion": "2015-06-15", + "vNetApiVersion": "2015-06-15", + "storageApiVersion": "2016-01-01", + "publicIPApiVersion": "2015-06-15", + "nt0applicationStartPort": "20000", + "nt0applicationEndPort": "30000", + "nt0ephemeralStartPort": "49152", 
+ "nt0ephemeralEndPort": "65534", + "nt0fabricTcpGatewayPort": "19000", + "nt0fabricHttpGatewayPort": "19080", + "subnet0Name": "Subnet-0", + "subnet0Prefix": "10.0.0.0/24", + "subnet0Ref": "[concat(variables('vnetID'),'/subnets/',variables('subnet0Name'))]", + "supportLogStorageAccountName": "[toLower( concat( uniqueString(resourceGroup().id),'2'))]", + "applicationDiagnosticsStorageAccountName": "[toLower(concat(uniqueString(resourceGroup().id), '3' ))]", + "lbID0": "[resourceId('Microsoft.Network/loadBalancers',concat('LB','-', parameters('clusterName'),'-',variables('vmNodeType0Name')))]", + "lbIPConfig0": "[concat(variables('lbID0'),'/frontendIPConfigurations/LoadBalancerIPConfig')]", + "lbPoolID0": "[concat(variables('lbID0'),'/backendAddressPools/LoadBalancerBEAddressPool')]", + "lbProbeID0": "[concat(variables('lbID0'),'/probes/FabricGatewayProbe')]", + "lbHttpProbeID0": "[concat(variables('lbID0'),'/probes/FabricHttpGatewayProbe')]", + "lbNatPoolID0": "[concat(variables('lbID0'),'/inboundNatPools/LoadBalancerBEAddressNatPool')]", + "vmNodeType0Name": "[toLower(concat('NT1', variables('vmName')))]", + "vmNodeType0Size": "Standard_DS2_v2" + }, + "resources": [ + { + "apiVersion": "[variables('storageApiVersion')]", + "type": "Microsoft.Storage/storageAccounts", + "name": "[variables('supportLogStorageAccountName')]", + "location": "[variables('computeLocation')]", + "dependsOn": [], + "properties": {}, + "kind": "Storage", + "sku": { + "name": "[parameters('supportLogStorageAccountType')]" + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + }, + { + "apiVersion": "[variables('storageApiVersion')]", + "type": "Microsoft.Storage/storageAccounts", + "name": "[variables('applicationDiagnosticsStorageAccountName')]", + "location": "[variables('computeLocation')]", + "dependsOn": [], + "properties": {}, + "kind": "Storage", + "sku": { + "name": "[parameters('applicationDiagnosticsStorageAccountType')]" + }, + 
"tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + }, + { + "apiVersion": "[variables('vNetApiVersion')]", + "type": "Microsoft.Network/virtualNetworks", + "name": "[variables('virtualNetworkName')]", + "location": "[variables('computeLocation')]", + "properties": { + "addressSpace": { + "addressPrefixes": [ + "[variables('addressPrefix')]" + ] + }, + "subnets": [ + { + "name": "[variables('subnet0Name')]", + "properties": { + "addressPrefix": "[variables('subnet0Prefix')]" + } + } + ] + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + }, + { + "apiVersion": "[variables('publicIPApiVersion')]", + "type": "Microsoft.Network/publicIPAddresses", + "name": "[concat(variables('lbIPName'),'-','0')]", + "location": "[variables('computeLocation')]", + "properties": { + "dnsSettings": { + "domainNameLabel": "[variables('dnsName')]" + }, + "publicIPAllocationMethod": "Dynamic" + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + }, + { + "apiVersion": "[variables('lbApiVersion')]", + "type": "Microsoft.Network/loadBalancers", + "name": "[concat('LB','-', parameters('clusterName'),'-',variables('vmNodeType0Name'))]", + "location": "[variables('computeLocation')]", + "dependsOn": [ + "[concat('Microsoft.Network/publicIPAddresses/',concat(variables('lbIPName'),'-','0'))]" + ], + "properties": { + "frontendIPConfigurations": [ + { + "name": "LoadBalancerIPConfig", + "properties": { + "publicIPAddress": { + "id": "[resourceId('Microsoft.Network/publicIPAddresses',concat(variables('lbIPName'),'-','0'))]" + } + } + } + ], + "backendAddressPools": [ + { + "name": "LoadBalancerBEAddressPool", + "properties": {} + } + ], + "loadBalancingRules": [ + { + "name": "LBRule", + "properties": { + "backendAddressPool": { + "id": "[variables('lbPoolID0')]" + }, + "backendPort": "[variables('nt0fabricTcpGatewayPort')]", + "enableFloatingIP": 
"false", + "frontendIPConfiguration": { + "id": "[variables('lbIPConfig0')]" + }, + "frontendPort": "[variables('nt0fabricTcpGatewayPort')]", + "idleTimeoutInMinutes": "5", + "probe": { + "id": "[variables('lbProbeID0')]" + }, + "protocol": "tcp" + } + }, + { + "name": "LBHttpRule", + "properties": { + "backendAddressPool": { + "id": "[variables('lbPoolID0')]" + }, + "backendPort": "[variables('nt0fabricHttpGatewayPort')]", + "enableFloatingIP": "false", + "frontendIPConfiguration": { + "id": "[variables('lbIPConfig0')]" + }, + "frontendPort": "[variables('nt0fabricHttpGatewayPort')]", + "idleTimeoutInMinutes": "5", + "probe": { + "id": "[variables('lbHttpProbeID0')]" + }, + "protocol": "tcp" + } + }, + { + "name": "LBSFReverseProxyRule", + "properties": { + "backendAddressPool": { + "id": "[variables('lbPoolID0')]" + }, + "backendPort": "[parameters('SFReverseProxyPort')]", + "enableFloatingIP": "false", + "frontendIPConfiguration": { + "id": "[variables('lbIPConfig0')]" + }, + "frontendPort": "[parameters('SFReverseProxyPort')]", + "idleTimeoutInMinutes": "5", + "probe": { + "id": "[concat(variables('lbID0'),'/probes/SFReverseProxyProbe')]" + }, + "protocol": "tcp" + } + }, + { + "name": "AppPortLBRule1", + "properties": { + "backendAddressPool": { + "id": "[variables('lbPoolID0')]" + }, + "backendPort": "[parameters('loadBalancedAppPort1')]", + "enableFloatingIP": "false", + "frontendIPConfiguration": { + "id": "[variables('lbIPConfig0')]" + }, + "frontendPort": "[parameters('loadBalancedAppPort1')]", + "idleTimeoutInMinutes": "5", + "probe": { + "id": "[concat(variables('lbID0'),'/probes/AppPortProbe1')]" + }, + "protocol": "tcp" + } + }, + { + "name": "AppPortLBRule2", + "properties": { + "backendAddressPool": { + "id": "[variables('lbPoolID0')]" + }, + "backendPort": "[parameters('loadBalancedAppPort2')]", + "enableFloatingIP": "false", + "frontendIPConfiguration": { + "id": "[variables('lbIPConfig0')]" + }, + "frontendPort": 
"[parameters('loadBalancedAppPort2')]", + "idleTimeoutInMinutes": "5", + "probe": { + "id": "[concat(variables('lbID0'),'/probes/AppPortProbe2')]" + }, + "protocol": "tcp" + } + } + ], + "probes": [ + { + "name": "FabricGatewayProbe", + "properties": { + "intervalInSeconds": 5, + "numberOfProbes": 2, + "port": "[variables('nt0fabricTcpGatewayPort')]", + "protocol": "tcp" + } + }, + { + "name": "FabricHttpGatewayProbe", + "properties": { + "intervalInSeconds": 5, + "numberOfProbes": 2, + "port": "[variables('nt0fabricHttpGatewayPort')]", + "protocol": "tcp" + } + }, + { + "name": "SFReverseProxyProbe", + "properties": { + "intervalInSeconds": 5, + "numberOfProbes": 2, + "port": "[parameters('SFReverseProxyPort')]", + "protocol": "tcp" + } + }, + { + "name": "AppPortProbe1", + "properties": { + "intervalInSeconds": 5, + "numberOfProbes": 2, + "port": "[parameters('loadBalancedAppPort1')]", + "protocol": "tcp" + } + }, + { + "name": "AppPortProbe2", + "properties": { + "intervalInSeconds": 5, + "numberOfProbes": 2, + "port": "[parameters('loadBalancedAppPort2')]", + "protocol": "tcp" + } + } + ], + "inboundNatPools": [ + { + "name": "LoadBalancerBEAddressNatPool", + "properties": { + "backendPort": "3389", + "frontendIPConfiguration": { + "id": "[variables('lbIPConfig0')]" + }, + "frontendPortRangeEnd": "4500", + "frontendPortRangeStart": "3389", + "protocol": "tcp" + } + } + ] + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + }, + { + "apiVersion": "[variables('vmssApiVersion')]", + "type": "Microsoft.Compute/virtualMachineScaleSets", + "name": "[variables('vmNodeType0Name')]", + "location": "[variables('computeLocation')]", + "dependsOn": [ + "[concat('Microsoft.Network/virtualNetworks/', variables('virtualNetworkName'))]", + "[concat('Microsoft.Network/loadBalancers/', concat('LB','-', parameters('clusterName'),'-',variables('vmNodeType0Name')))]", + "[concat('Microsoft.Storage/storageAccounts/', 
variables('supportLogStorageAccountName'))]", + "[concat('Microsoft.Storage/storageAccounts/', variables('applicationDiagnosticsStorageAccountName'))]" + ], + "properties": { + "overprovision": "[variables('overProvision')]", + "upgradePolicy": { + "mode": "Automatic" + }, + "virtualMachineProfile": { + "extensionProfile": { + "extensions": [ + { + "name": "[concat('ServiceFabricNodeVmExt','_vmNodeType0Name')]", + "properties": { + "type": "ServiceFabricNode", + "autoUpgradeMinorVersion": false, + "protectedSettings": { + "StorageAccountKey1": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('supportLogStorageAccountName')),'2015-05-01-preview').key1]", + "StorageAccountKey2": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('supportLogStorageAccountName')),'2015-05-01-preview').key2]" + }, + "publisher": "Microsoft.Azure.ServiceFabric", + "settings": { + "clusterEndpoint": "[reference(parameters('clusterName')).clusterEndpoint]", + "nodeTypeRef": "[variables('vmNodeType0Name')]", + "dataPath": "D:\\\\SvcFab", + "durabilityLevel": "Bronze", + "nicPrefixOverride": "[variables('subnet0Prefix')]", + "certificate": { + "thumbprint": "[parameters('clusterCertificateThumbprint')]", + "x509StoreName": "[parameters('clusterCertificateStoreValue')]" + }, + "reverseProxyCertificate": { + "thumbprint": "[parameters('sfReverseProxySecCertificateThumbprint')]", + "x509StoreName": "[parameters('sfReverseProxyCertificateStoreValue')]" + }, + "reverseProxySecondaryCertificate": { + "thumbprint": "[parameters('sfReverseProxyCertificateThumbprint')]", + "x509StoreName": "[parameters('sfReverseProxyCertificateStoreValue')]" + } + }, + "typeHandlerVersion": "1.0" + } + }, + { + "name": "[concat('VMDiagnosticsVmExt','_vmNodeType0Name')]", + "properties": { + "type": "IaaSDiagnostics", + "autoUpgradeMinorVersion": true, + "protectedSettings": { + "storageAccountName": "[variables('applicationDiagnosticsStorageAccountName')]", + 
"storageAccountKey": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('applicationDiagnosticsStorageAccountName')),'2015-05-01-preview').key1]", + "storageAccountEndPoint": "https://core.windows.net/" + }, + "publisher": "Microsoft.Azure.Diagnostics", + "settings": { + "WadCfg": { + "DiagnosticMonitorConfiguration": { + "overallQuotaInMB": "50000", + "EtwProviders": { + "EtwEventSourceProviderConfiguration": [ + { + "provider": "Microsoft-ServiceFabric-Actors", + "scheduledTransferKeywordFilter": "1", + "scheduledTransferPeriod": "PT5M", + "DefaultEvents": { + "eventDestination": "ServiceFabricReliableActorEventTable" + } + }, + { + "provider": "Microsoft-ServiceFabric-Services", + "scheduledTransferPeriod": "PT5M", + "DefaultEvents": { + "eventDestination": "ServiceFabricReliableServiceEventTable" + } + } + ], + "EtwManifestProviderConfiguration": [ + { + "provider": "cbd93bc2-71e5-4566-b3a7-595d8eeca6e8", + "scheduledTransferLogLevelFilter": "Information", + "scheduledTransferKeywordFilter": "4611686018427387904", + "scheduledTransferPeriod": "PT5M", + "DefaultEvents": { + "eventDestination": "ServiceFabricSystemEventTable" + } + } + ] + } + } + }, + "StorageAccount": "[variables('applicationDiagnosticsStorageAccountName')]" + }, + "typeHandlerVersion": "1.5" + } + } + ] + }, + "networkProfile": { + "networkInterfaceConfigurations": [ + { + "name": "[concat(variables('nicName'), '-0')]", + "properties": { + "ipConfigurations": [ + { + "name": "[concat(variables('nicName'),'-',0)]", + "properties": { + "loadBalancerBackendAddressPools": [ + { + "id": "[variables('lbPoolID0')]" + } + ], + "loadBalancerInboundNatPools": [ + { + "id": "[variables('lbNatPoolID0')]" + } + ], + "subnet": { + "id": "[variables('subnet0Ref')]" + } + } + } + ], + "primary": true + } + } + ] + }, + "osProfile": { + "adminPassword": "[parameters('adminPassword')]", + "adminUsername": "[parameters('adminUsername')]", + "computernamePrefix": 
"[variables('vmNodeType0Name')]", + "secrets": [ + { + "sourceVault": { + "id": "[parameters('sourceVaultValue')]" + }, + "vaultCertificates": [ + { + "certificateStore": "[parameters('clusterCertificateStorevalue')]", + "certificateUrl": "[parameters('clusterCertificateUrlValue')]" + }, + { + "certificateStore": "[parameters('sfReverseProxyCertificateStoreValue')]", + "certificateUrl": "[parameters('sfReverseProxyCertificateUrlValue')]" + }, + { + "certificateStore": "[parameters('sfReverseProxyCertificateStoreValue')]", + "certificateUrl": "[parameters('sfReverseProxySecCertificateUrlValue')]" + } + ] + } + ] + }, + "storageProfile": { + "imageReference": { + "publisher": "[parameters('vmImagePublisher')]", + "offer": "[parameters('vmImageOffer')]", + "sku": "[parameters('vmImageSku')]", + "version": "[parameters('vmImageVersion')]" + }, + "osDisk": { + "createOption": "FromImage", + "caching": "ReadOnly", + "managedDisk": { + "storageAccountType": "[parameters('storageAccountType')]" + } + } + } + } + }, + "sku": { + "name": "[variables('vmNodeType0Size')]", + "capacity": "[parameters('nt0InstanceCount')]", + "tier": "Standard" + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + }, + { + "apiVersion": "2016-09-01", + "type": "Microsoft.ServiceFabric/clusters", + "name": "[parameters('clusterName')]", + "location": "[parameters('clusterLocation')]", + "dependsOn": [ + "[concat('Microsoft.Storage/storageAccounts/', variables('supportLogStorageAccountName'))]" + ], + "properties": { + "certificate": { + "thumbprint": "[parameters('clusterCertificateThumbprint')]", + "x509StoreName": "[parameters('clusterCertificateStoreValue')]" + }, + "reverseProxyCertificate": { + "thumbprint": "[parameters('sfReverseProxyCertificateThumbprint')]", + "x509StoreName": "[parameters('sfReverseProxyCertificateStoreValue')]" + }, + "clientCertificateCommonNames": [], + "clientCertificateThumbprints": [], + "clusterState": 
"Default", + "diagnosticsStorageAccountConfig": { + "blobEndpoint": "[reference(concat('Microsoft.Storage/storageAccounts/', variables('supportLogStorageAccountName')), variables('storageApiVersion')).primaryEndpoints.blob]", + "protectedAccountKeyName": "StorageAccountKey1", + "queueEndpoint": "[reference(concat('Microsoft.Storage/storageAccounts/', variables('supportLogStorageAccountName')), variables('storageApiVersion')).primaryEndpoints.queue]", + "storageAccountName": "[variables('supportLogStorageAccountName')]", + "tableEndpoint": "[reference(concat('Microsoft.Storage/storageAccounts/', variables('supportLogStorageAccountName')), variables('storageApiVersion')).primaryEndpoints.table]" + }, + "fabricSettings": [ + { + "parameters": [ + { + "name": "ClusterProtectionLevel", + "value": "[parameters('clusterProtectionLevel')]" + } + ], + "name": "Security" + } + ], + "managementEndpoint": "[concat('https://',reference(concat(variables('lbIPName'),'-','0')).dnsSettings.fqdn,':',variables('nt0fabricHttpGatewayPort'))]", + "nodeTypes": [ + { + "name": "[variables('vmNodeType0Name')]", + "applicationPorts": { + "endPort": "[variables('nt0applicationEndPort')]", + "startPort": "[variables('nt0applicationStartPort')]" + }, + "clientConnectionEndpointPort": "[variables('nt0fabricTcpGatewayPort')]", + "durabilityLevel": "Bronze", + "ephemeralPorts": { + "endPort": "[variables('nt0ephemeralEndPort')]", + "startPort": "[variables('nt0ephemeralStartPort')]" + }, + "httpGatewayEndpointPort": "[variables('nt0fabricHttpGatewayPort')]", + "reverseProxyEndpointPort": "[parameters('SFReverseProxyPort')]", + "isPrimary": true, + "vmInstanceCount": "[parameters('nt0InstanceCount')]" + } + ], + "provisioningState": "Default", + "reliabilityLevel": "Silver", + "upgradeMode": "Automatic", + "vmImage": "Windows" + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + } + ], + "outputs": { + "clusterProperties": { + "value": 
"[reference(parameters('clusterName'))]", + "type": "object" + } + } +} \ No newline at end of file diff --git a/Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_RollOverStep1.parameters.json b/Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_RollOverStep1.parameters.json new file mode 100644 index 0000000..67ba61c --- /dev/null +++ b/Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_RollOverStep1.parameters.json 
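Review bot: The `LoadBalancerBEAddressNatPool` in the load balancer resource maps public frontend ports 3389–4500 straight to RDP (`backendPort` 3389) on every node, and the `Subnet-0` definition in the virtualNetworks resource carries no `networkSecurityGroup`, so once this "secure" sample is deployed RDP on each VM is reachable from any internet source and protected only by `adminPassword`. The minimal fix is to delete the `inboundNatPools` block and the matching `loadBalancerInboundNatPools` entry in the NIC `ipConfigurations`; if RDP access is genuinely needed, keep the pool but attach an NSG to the subnet that restricts destination port 3389 to an operator source prefix while still allowing the 19000/19080/19008 gateway ports and the two app ports. Separately, the ServiceFabricNode extension installs `sfReverseProxySecCertificateThumbprint` as `reverseProxyCertificate` and the original thumbprint as `reverseProxySecondaryCertificate`, whereas the Microsoft.ServiceFabric/clusters resource's `reverseProxyCertificate` lists only `sfReverseProxyCertificateThumbprint` with no `thumbprintSecondary`; the cert-rollover template earlier in this diff mirrors the extension's primary/secondary pair on the cluster resource for the cluster certificate, so if the same is intended here this looks like an omission worth confirming against the rollover steps.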
@@ -0,0 +1,78 @@
+{
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "clusterLocation": {
+ "value": "westus"
+ },
+ "clusterName": {
+ "value": "Cluster"
+ },
+ "adminUserName": {
+ "value": "admuser"
+ },
+ "adminPassword": {
+ "value": "val$$$"
+ },
+ "vmImagePublisher": {
+ "value": "MicrosoftWindowsServer"
+ },
+ "vmImageOffer": {
+ "value": "WindowsServer"
+ },
+ "vmImageSku": {
+ "value": "2012-R2-Datacenter"
+ },
+ "vmImageVersion": {
+ "value": "latest"
+ },
+ "loadBalancedAppPort1": {
+ "value": 80
+ },
+ "loadBalancedAppPort2": {
+ "value": 8081
+ },
+ "clusterCertificateStorevalue": {
+ "value": "My"
+ },
+ "clusterCertificateThumbprint": {
+ "value": "thumbprint value"
+ },
+ "sourceVaultvalue": {
+ "value": "/subscriptions/subscription value/resourceGroups/key vault resource group name/providers/Microsoft.KeyVault/vaults/key vault name"
+ },
+ "clusterCertificateUrlvalue": {
+ "value": "Refers to the location URL in your key vault where the certificate was uploaded, it is should be in the format of https://.vault.azure.net:443/secrets/"
+ },
+ "sfReverseProxyCertificateStorevalue": {
+ "value": "My"
+ },
+ "sfReverseProxyCertificateThumbprint": {
+ "value": "thumbprint value"
+ },
+ "sfReverseProxyCertificateUrlvalue": {
+ "value": "Refers to the location URL in your key vault where the certificate was uploaded, it is should be in the format of https://.vault.azure.net:443/secrets/"
+ },
+ "sfReverseProxySecCertificateThumbprint": {
+ "value": "thumbprint value"
+ },
+ "sfReverseProxySecCertificateUrlvalue": {
+ "value": "Refers to the location URL in your key vault where the certificate was uploaded, it is should be in the format of https://.vault.azure.net:443/secrets/"
+ },
+ "clusterProtectionLevel": {
+ "value": "EncryptAndSign"
+ },
+ "storageAccountType": {
+ "value": "Standard_LRS"
+ },
+ "supportLogStorageAccountType": {
+ "value": 
"Standard_LRS"
+ },
+ "applicationDiagnosticsStorageAccountType": {
+ "value": "Standard_LRS"
+ },
+ "nt0InstanceCount": {
+ "value": 5
+ }
+ }
+}
diff --git a/Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_RollOverStep2.json b/Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_RollOverStep2.json
new file mode 100644
index 0000000..f211ccf
--- /dev/null
+++ b/Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_RollOverStep2.json
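Review bot: `adminPassword` is committed as the literal `val$$$` even though the template declares it as a `securestring` whose description says it must be a strong password; a real value checked into a parameters file lands in git history and in every deployment log, and a six-character string like this would very likely be rejected by Azure's VM password complexity rules anyway. Replace it with a Key Vault reference so the secret never lives in the repo, e.g. `"adminPassword": { "reference": { "keyVault": { "id": "<key vault resource id>" }, "secretName": "<secret name>" } }`, or at minimum use an obvious placeholder in the style of the `thumbprint value` strings used elsewhere in this file. A smaller point: `clusterCertificateStorevalue`, `sourceVaultvalue` and the `*CertificateUrlvalue` keys use a lowercase `value` suffix while the template declares them as `...Value`; ARM matches parameter names case-insensitively, so this deploys, but matching the declared casing avoids a false alarm when someone greps the template for these names.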
@@ -0,0 +1,757 @@ +{ + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json", + "contentVersion": "1.0.0.0", + "parameters": { + "clusterLocation": { + "type": "string", + "metadata": { + "description": "Location of the Cluster" + } + }, + "clusterName": { + "type": "string", + "defaultValue": "sfcluster", + "metadata": { + "description": "Name of your cluster - Between 3 and 23 characters. Letters and numbers only" + } + }, + "adminUserName": { + "type": "string", + "metadata": { + "description": "Remote desktop user Id" + } + }, + "adminPassword": { + "type": "securestring", + "metadata": { + "description": "Remote desktop user password. Must be a strong password" + } + }, + "vmImagePublisher": { + "type": "string", + "defaultValue": "MicrosoftWindowsServer", + "metadata": { + "description": "VM image Publisher" + } + }, + "vmImageOffer": { + "type": "string", + "defaultValue": "WindowsServer", + "metadata": { + "description": "VM image offer" + } + }, + "vmImageSku": { + "type": "string", + "defaultValue": "2012-R2-Datacenter", + "metadata": { + "description": "VM image SKU" + } + }, + "vmImageVersion": { + "type": "string", + "defaultValue": "latest", + "metadata": { + "description": "VM image version" + } + }, + "loadBalancedAppPort1": { + "type": "int", + "defaultValue": 80, + "metadata": { + "description": "Input endpoint1 for the application to use. Replace it with what your application uses" + } + }, + "loadBalancedAppPort2": { + "type": "int", + "defaultValue": 8081, + "metadata": { + "description": "Input endpoint2 for the application to use. 
Replace it with what your application uses" + } + }, + "SFReverseProxyPort": { + "type": "int", + "defaultValue": 19008, + "metadata": { + "description": "Endpoint for Service Fabric Reverse proxy" + } + }, + "clusterCertificateStoreValue": { + "type": "string", + "allowedValues": [ + "My" + ], + "defaultValue": "My", + "metadata": { + "description": "The store name where the cert will be deployed in the virtual machine" + } + }, + "clusterCertificateThumbprint": { + "type": "string", + "metadata": { + "description": "Certificate Thumbprint" + } + }, + "sourceVaultValue": { + "type": "string", + "metadata": { + "description": "Resource Id of the key vault, is should be in the format of /subscriptions//resourceGroups//providers/Microsoft.KeyVault/vaults/" + } + }, + "clusterCertificateUrlValue": { + "type": "string", + "metadata": { + "description": "Refers to the location URL in your key vault where the certificate was uploaded, it is should be in the format of https://.vault.azure.net:443/secrets/" + } + }, + "sfReverseProxyCertificateStoreValue": { + "type": "string", + "allowedValues": [ + "My" + ], + "defaultValue": "My", + "metadata": { + "description": "The store name where the cert will be deployed in the virtual machine" + } + }, + "sfReverseProxyCertificateThumbprint": { + "type": "string", + "metadata": { + "description": "Certificate Thumbprint" + } + }, + "sfReverseProxyCertificateUrlValue": { + "type": "string", + "metadata": { + "description": "Refers to the location URL in your key vault where the certificate was uploaded, it is should be in the format of https://.vault.azure.net:443/secrets/" + } + }, + "sfReverseProxySecCertificateThumbprint": { + "type": "string", + "metadata": { + "description": "Certificate Thumbprint" + } + }, + "sfReverseProxySecCertificateUrlValue": { + "type": "string", + "metadata": { + "description": "Refers to the location URL in your key vault where the certificate was uploaded, it is should be in the format of 
https://.vault.azure.net:443/secrets/" + } + }, + "clusterProtectionLevel": { + "type": "string", + "allowedValues": [ + "None", + "Sign", + "EncryptAndSign" + ], + "defaultValue": "EncryptAndSign", + "metadata": { + "description": "Protection level.Three values are allowed - EncryptAndSign, Sign, None. It is best to keep the default of EncryptAndSign, unless you have a need not to" + } + }, + "storageAccountType": { + "type": "string", + "allowedValues": [ + "Standard_LRS", + "Premium_LRS" + ], + "defaultValue": "Standard_LRS", + "metadata": { + "description": "Replication option for the VM image storage account" + } + }, + "supportLogStorageAccountType": { + "type": "string", + "allowedValues": [ + "Standard_LRS", + "Standard_GRS" + ], + "defaultValue": "Standard_LRS", + "metadata": { + "description": "Replication option for the support log storage account" + } + }, + "applicationDiagnosticsStorageAccountType": { + "type": "string", + "allowedValues": [ + "Standard_LRS", + "Standard_GRS" + ], + "defaultValue": "Standard_LRS", + "metadata": { + "description": "Replication option for the application diagnostics storage account" + } + }, + "nt0InstanceCount": { + "type": "int", + "defaultValue": 5, + "metadata": { + "description": "Instance count for node type" + } + } + }, + "variables": { + "computeLocation": "[parameters('clusterLocation')]", + "dnsName": "[parameters('clusterName')]", + "vmName": "vm", + "vmStorageAccountContainerName": "vhds", + "virtualNetworkName": "VNet", + "addressPrefix": "10.0.0.0/16", + "nicName": "NIC", + "lbIPName": "PublicIP-LB-FE", + "vnetID": "[resourceId('Microsoft.Network/virtualNetworks',variables('virtualNetworkName'))]", + "overProvision": "false", + "vmssApiVersion": "2017-03-30", + "lbApiVersion": "2015-06-15", + "vNetApiVersion": "2015-06-15", + "storageApiVersion": "2016-01-01", + "publicIPApiVersion": "2015-06-15", + "nt0applicationStartPort": "20000", + "nt0applicationEndPort": "30000", + "nt0ephemeralStartPort": "49152", 
+ "nt0ephemeralEndPort": "65534", + "nt0fabricTcpGatewayPort": "19000", + "nt0fabricHttpGatewayPort": "19080", + "subnet0Name": "Subnet-0", + "subnet0Prefix": "10.0.0.0/24", + "subnet0Ref": "[concat(variables('vnetID'),'/subnets/',variables('subnet0Name'))]", + "supportLogStorageAccountName": "[toLower( concat( uniqueString(resourceGroup().id),'2'))]", + "applicationDiagnosticsStorageAccountName": "[toLower(concat(uniqueString(resourceGroup().id), '3' ))]", + "lbID0": "[resourceId('Microsoft.Network/loadBalancers',concat('LB','-', parameters('clusterName'),'-',variables('vmNodeType0Name')))]", + "lbIPConfig0": "[concat(variables('lbID0'),'/frontendIPConfigurations/LoadBalancerIPConfig')]", + "lbPoolID0": "[concat(variables('lbID0'),'/backendAddressPools/LoadBalancerBEAddressPool')]", + "lbProbeID0": "[concat(variables('lbID0'),'/probes/FabricGatewayProbe')]", + "lbHttpProbeID0": "[concat(variables('lbID0'),'/probes/FabricHttpGatewayProbe')]", + "lbNatPoolID0": "[concat(variables('lbID0'),'/inboundNatPools/LoadBalancerBEAddressNatPool')]", + "vmNodeType0Name": "[toLower(concat('NT1', variables('vmName')))]", + "vmNodeType0Size": "Standard_DS2_v2" + }, + "resources": [ + { + "apiVersion": "[variables('storageApiVersion')]", + "type": "Microsoft.Storage/storageAccounts", + "name": "[variables('supportLogStorageAccountName')]", + "location": "[variables('computeLocation')]", + "dependsOn": [], + "properties": {}, + "kind": "Storage", + "sku": { + "name": "[parameters('supportLogStorageAccountType')]" + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + }, + { + "apiVersion": "[variables('storageApiVersion')]", + "type": "Microsoft.Storage/storageAccounts", + "name": "[variables('applicationDiagnosticsStorageAccountName')]", + "location": "[variables('computeLocation')]", + "dependsOn": [], + "properties": {}, + "kind": "Storage", + "sku": { + "name": "[parameters('applicationDiagnosticsStorageAccountType')]" + }, + 
"tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + }, + { + "apiVersion": "[variables('vNetApiVersion')]", + "type": "Microsoft.Network/virtualNetworks", + "name": "[variables('virtualNetworkName')]", + "location": "[variables('computeLocation')]", + "properties": { + "addressSpace": { + "addressPrefixes": [ + "[variables('addressPrefix')]" + ] + }, + "subnets": [ + { + "name": "[variables('subnet0Name')]", + "properties": { + "addressPrefix": "[variables('subnet0Prefix')]" + } + } + ] + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + }, + { + "apiVersion": "[variables('publicIPApiVersion')]", + "type": "Microsoft.Network/publicIPAddresses", + "name": "[concat(variables('lbIPName'),'-','0')]", + "location": "[variables('computeLocation')]", + "properties": { + "dnsSettings": { + "domainNameLabel": "[variables('dnsName')]" + }, + "publicIPAllocationMethod": "Dynamic" + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + }, + { + "apiVersion": "[variables('lbApiVersion')]", + "type": "Microsoft.Network/loadBalancers", + "name": "[concat('LB','-', parameters('clusterName'),'-',variables('vmNodeType0Name'))]", + "location": "[variables('computeLocation')]", + "dependsOn": [ + "[concat('Microsoft.Network/publicIPAddresses/',concat(variables('lbIPName'),'-','0'))]" + ], + "properties": { + "frontendIPConfigurations": [ + { + "name": "LoadBalancerIPConfig", + "properties": { + "publicIPAddress": { + "id": "[resourceId('Microsoft.Network/publicIPAddresses',concat(variables('lbIPName'),'-','0'))]" + } + } + } + ], + "backendAddressPools": [ + { + "name": "LoadBalancerBEAddressPool", + "properties": {} + } + ], + "loadBalancingRules": [ + { + "name": "LBRule", + "properties": { + "backendAddressPool": { + "id": "[variables('lbPoolID0')]" + }, + "backendPort": "[variables('nt0fabricTcpGatewayPort')]", + "enableFloatingIP": 
"false", + "frontendIPConfiguration": { + "id": "[variables('lbIPConfig0')]" + }, + "frontendPort": "[variables('nt0fabricTcpGatewayPort')]", + "idleTimeoutInMinutes": "5", + "probe": { + "id": "[variables('lbProbeID0')]" + }, + "protocol": "tcp" + } + }, + { + "name": "LBHttpRule", + "properties": { + "backendAddressPool": { + "id": "[variables('lbPoolID0')]" + }, + "backendPort": "[variables('nt0fabricHttpGatewayPort')]", + "enableFloatingIP": "false", + "frontendIPConfiguration": { + "id": "[variables('lbIPConfig0')]" + }, + "frontendPort": "[variables('nt0fabricHttpGatewayPort')]", + "idleTimeoutInMinutes": "5", + "probe": { + "id": "[variables('lbHttpProbeID0')]" + }, + "protocol": "tcp" + } + }, + { + "name": "LBSFReverseProxyRule", + "properties": { + "backendAddressPool": { + "id": "[variables('lbPoolID0')]" + }, + "backendPort": "[parameters('SFReverseProxyPort')]", + "enableFloatingIP": "false", + "frontendIPConfiguration": { + "id": "[variables('lbIPConfig0')]" + }, + "frontendPort": "[parameters('SFReverseProxyPort')]", + "idleTimeoutInMinutes": "5", + "probe": { + "id": "[concat(variables('lbID0'),'/probes/SFReverseProxyProbe')]" + }, + "protocol": "tcp" + } + }, + { + "name": "AppPortLBRule1", + "properties": { + "backendAddressPool": { + "id": "[variables('lbPoolID0')]" + }, + "backendPort": "[parameters('loadBalancedAppPort1')]", + "enableFloatingIP": "false", + "frontendIPConfiguration": { + "id": "[variables('lbIPConfig0')]" + }, + "frontendPort": "[parameters('loadBalancedAppPort1')]", + "idleTimeoutInMinutes": "5", + "probe": { + "id": "[concat(variables('lbID0'),'/probes/AppPortProbe1')]" + }, + "protocol": "tcp" + } + }, + { + "name": "AppPortLBRule2", + "properties": { + "backendAddressPool": { + "id": "[variables('lbPoolID0')]" + }, + "backendPort": "[parameters('loadBalancedAppPort2')]", + "enableFloatingIP": "false", + "frontendIPConfiguration": { + "id": "[variables('lbIPConfig0')]" + }, + "frontendPort": 
"[parameters('loadBalancedAppPort2')]", + "idleTimeoutInMinutes": "5", + "probe": { + "id": "[concat(variables('lbID0'),'/probes/AppPortProbe2')]" + }, + "protocol": "tcp" + } + } + ], + "probes": [ + { + "name": "FabricGatewayProbe", + "properties": { + "intervalInSeconds": 5, + "numberOfProbes": 2, + "port": "[variables('nt0fabricTcpGatewayPort')]", + "protocol": "tcp" + } + }, + { + "name": "FabricHttpGatewayProbe", + "properties": { + "intervalInSeconds": 5, + "numberOfProbes": 2, + "port": "[variables('nt0fabricHttpGatewayPort')]", + "protocol": "tcp" + } + }, + { + "name": "SFReverseProxyProbe", + "properties": { + "intervalInSeconds": 5, + "numberOfProbes": 2, + "port": "[parameters('SFReverseProxyPort')]", + "protocol": "tcp" + } + }, + { + "name": "AppPortProbe1", + "properties": { + "intervalInSeconds": 5, + "numberOfProbes": 2, + "port": "[parameters('loadBalancedAppPort1')]", + "protocol": "tcp" + } + }, + { + "name": "AppPortProbe2", + "properties": { + "intervalInSeconds": 5, + "numberOfProbes": 2, + "port": "[parameters('loadBalancedAppPort2')]", + "protocol": "tcp" + } + } + ], + "inboundNatPools": [ + { + "name": "LoadBalancerBEAddressNatPool", + "properties": { + "backendPort": "3389", + "frontendIPConfiguration": { + "id": "[variables('lbIPConfig0')]" + }, + "frontendPortRangeEnd": "4500", + "frontendPortRangeStart": "3389", + "protocol": "tcp" + } + } + ] + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + }, + { + "apiVersion": "[variables('vmssApiVersion')]", + "type": "Microsoft.Compute/virtualMachineScaleSets", + "name": "[variables('vmNodeType0Name')]", + "location": "[variables('computeLocation')]", + "dependsOn": [ + "[concat('Microsoft.Network/virtualNetworks/', variables('virtualNetworkName'))]", + "[concat('Microsoft.Network/loadBalancers/', concat('LB','-', parameters('clusterName'),'-',variables('vmNodeType0Name')))]", + "[concat('Microsoft.Storage/storageAccounts/', 
variables('supportLogStorageAccountName'))]", + "[concat('Microsoft.Storage/storageAccounts/', variables('applicationDiagnosticsStorageAccountName'))]" + ], + "properties": { + "overprovision": "[variables('overProvision')]", + "upgradePolicy": { + "mode": "Automatic" + }, + "virtualMachineProfile": { + "extensionProfile": { + "extensions": [ + { + "name": "[concat('ServiceFabricNodeVmExt','_vmNodeType0Name')]", + "properties": { + "type": "ServiceFabricNode", + "autoUpgradeMinorVersion": false, + "protectedSettings": { + "StorageAccountKey1": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('supportLogStorageAccountName')),'2015-05-01-preview').key1]", + "StorageAccountKey2": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('supportLogStorageAccountName')),'2015-05-01-preview').key2]" + }, + "publisher": "Microsoft.Azure.ServiceFabric", + "settings": { + "clusterEndpoint": "[reference(parameters('clusterName')).clusterEndpoint]", + "nodeTypeRef": "[variables('vmNodeType0Name')]", + "dataPath": "D:\\\\SvcFab", + "durabilityLevel": "Bronze", + "nicPrefixOverride": "[variables('subnet0Prefix')]", + "certificate": { + "thumbprint": "[parameters('clusterCertificateThumbprint')]", + "x509StoreName": "[parameters('clusterCertificateStoreValue')]" + }, + "reverseProxyCertificate": { + "thumbprint": "[parameters('sfReverseProxySecCertificateThumbprint')]", + "x509StoreName": "[parameters('sfReverseProxyCertificateStoreValue')]" + }, + "reverseProxySecondaryCertificate": { + "thumbprint": "[parameters('sfReverseProxyCertificateThumbprint')]", + "x509StoreName": "[parameters('sfReverseProxyCertificateStoreValue')]" + } + }, + "typeHandlerVersion": "1.0" + } + }, + { + "name": "[concat('VMDiagnosticsVmExt','_vmNodeType0Name')]", + "properties": { + "type": "IaaSDiagnostics", + "autoUpgradeMinorVersion": true, + "protectedSettings": { + "storageAccountName": "[variables('applicationDiagnosticsStorageAccountName')]", + 
"storageAccountKey": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('applicationDiagnosticsStorageAccountName')),'2015-05-01-preview').key1]", + "storageAccountEndPoint": "https://core.windows.net/" + }, + "publisher": "Microsoft.Azure.Diagnostics", + "settings": { + "WadCfg": { + "DiagnosticMonitorConfiguration": { + "overallQuotaInMB": "50000", + "EtwProviders": { + "EtwEventSourceProviderConfiguration": [ + { + "provider": "Microsoft-ServiceFabric-Actors", + "scheduledTransferKeywordFilter": "1", + "scheduledTransferPeriod": "PT5M", + "DefaultEvents": { + "eventDestination": "ServiceFabricReliableActorEventTable" + } + }, + { + "provider": "Microsoft-ServiceFabric-Services", + "scheduledTransferPeriod": "PT5M", + "DefaultEvents": { + "eventDestination": "ServiceFabricReliableServiceEventTable" + } + } + ], + "EtwManifestProviderConfiguration": [ + { + "provider": "cbd93bc2-71e5-4566-b3a7-595d8eeca6e8", + "scheduledTransferLogLevelFilter": "Information", + "scheduledTransferKeywordFilter": "4611686018427387904", + "scheduledTransferPeriod": "PT5M", + "DefaultEvents": { + "eventDestination": "ServiceFabricSystemEventTable" + } + } + ] + } + } + }, + "StorageAccount": "[variables('applicationDiagnosticsStorageAccountName')]" + }, + "typeHandlerVersion": "1.5" + } + } + ] + }, + "networkProfile": { + "networkInterfaceConfigurations": [ + { + "name": "[concat(variables('nicName'), '-0')]", + "properties": { + "ipConfigurations": [ + { + "name": "[concat(variables('nicName'),'-',0)]", + "properties": { + "loadBalancerBackendAddressPools": [ + { + "id": "[variables('lbPoolID0')]" + } + ], + "loadBalancerInboundNatPools": [ + { + "id": "[variables('lbNatPoolID0')]" + } + ], + "subnet": { + "id": "[variables('subnet0Ref')]" + } + } + } + ], + "primary": true + } + } + ] + }, + "osProfile": { + "adminPassword": "[parameters('adminPassword')]", + "adminUsername": "[parameters('adminUsername')]", + "computernamePrefix": 
"[variables('vmNodeType0Name')]", + "secrets": [ + { + "sourceVault": { + "id": "[parameters('sourceVaultValue')]" + }, + "vaultCertificates": [ + { + "certificateStore": "[parameters('clusterCertificateStorevalue')]", + "certificateUrl": "[parameters('clusterCertificateUrlValue')]" + }, + { + "certificateStore": "[parameters('sfReverseProxyCertificateStoreValue')]", + "certificateUrl": "[parameters('sfReverseProxyCertificateUrlValue')]" + }, + { + "certificateStore": "[parameters('sfReverseProxyCertificateStoreValue')]", + "certificateUrl": "[parameters('sfReverseProxySecCertificateUrlValue')]" + } + ] + } + ] + }, + "storageProfile": { + "imageReference": { + "publisher": "[parameters('vmImagePublisher')]", + "offer": "[parameters('vmImageOffer')]", + "sku": "[parameters('vmImageSku')]", + "version": "[parameters('vmImageVersion')]" + }, + "osDisk": { + "createOption": "FromImage", + "caching": "ReadOnly", + "managedDisk": { + "storageAccountType": "[parameters('storageAccountType')]" + } + } + } + } + }, + "sku": { + "name": "[variables('vmNodeType0Size')]", + "capacity": "[parameters('nt0InstanceCount')]", + "tier": "Standard" + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + }, + { + "apiVersion": "2016-09-01", + "type": "Microsoft.ServiceFabric/clusters", + "name": "[parameters('clusterName')]", + "location": "[parameters('clusterLocation')]", + "dependsOn": [ + "[concat('Microsoft.Storage/storageAccounts/', variables('supportLogStorageAccountName'))]" + ], + "properties": { + "certificate": { + "thumbprint": "[parameters('clusterCertificateThumbprint')]", + "x509StoreName": "[parameters('clusterCertificateStoreValue')]" + }, + "reverseProxyCertificate": { + "thumbprint": "[parameters('sfReverseProxySecCertificateThumbprint')]", + "thumbprintSecondary": "[parameters('sfReverseProxyCertificateThumbprint')]", + "x509StoreName": "[parameters('sfReverseProxyCertificateStoreValue')]" + }, + 
"clientCertificateCommonNames": [], + "clientCertificateThumbprints": [], + "clusterState": "Default", + "diagnosticsStorageAccountConfig": { + "blobEndpoint": "[reference(concat('Microsoft.Storage/storageAccounts/', variables('supportLogStorageAccountName')), variables('storageApiVersion')).primaryEndpoints.blob]", + "protectedAccountKeyName": "StorageAccountKey1", + "queueEndpoint": "[reference(concat('Microsoft.Storage/storageAccounts/', variables('supportLogStorageAccountName')), variables('storageApiVersion')).primaryEndpoints.queue]", + "storageAccountName": "[variables('supportLogStorageAccountName')]", + "tableEndpoint": "[reference(concat('Microsoft.Storage/storageAccounts/', variables('supportLogStorageAccountName')), variables('storageApiVersion')).primaryEndpoints.table]" + }, + "fabricSettings": [ + { + "parameters": [ + { + "name": "ClusterProtectionLevel", + "value": "[parameters('clusterProtectionLevel')]" + } + ], + "name": "Security" + } + ], + "managementEndpoint": "[concat('https://',reference(concat(variables('lbIPName'),'-','0')).dnsSettings.fqdn,':',variables('nt0fabricHttpGatewayPort'))]", + "nodeTypes": [ + { + "name": "[variables('vmNodeType0Name')]", + "applicationPorts": { + "endPort": "[variables('nt0applicationEndPort')]", + "startPort": "[variables('nt0applicationStartPort')]" + }, + "clientConnectionEndpointPort": "[variables('nt0fabricTcpGatewayPort')]", + "durabilityLevel": "Bronze", + "ephemeralPorts": { + "endPort": "[variables('nt0ephemeralEndPort')]", + "startPort": "[variables('nt0ephemeralStartPort')]" + }, + "httpGatewayEndpointPort": "[variables('nt0fabricHttpGatewayPort')]", + "reverseProxyEndpointPort": "[parameters('SFReverseProxyPort')]", + "isPrimary": true, + "vmInstanceCount": "[parameters('nt0InstanceCount')]" + } + ], + "provisioningState": "Default", + "reliabilityLevel": "Silver", + "upgradeMode": "Automatic", + "vmImage": "Windows" + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": 
"[parameters('clusterName')]"
+ }
+ }
+ ],
+ "outputs": {
+ "clusterProperties": {
+ "value": "[reference(parameters('clusterName'))]",
+ "type": "object"
+ }
+ }
+}
\ No newline at end of file
diff --git a/Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_RollOverStep2.parameters.json b/Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_RollOverStep2.parameters.json
new file mode 100644
index 0000000..67ba61c
--- /dev/null
+++ b/Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_RollOverStep2.parameters.json
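Review bot: The two reverse-proxy thumbprint parameters are both described only as `"Certificate Thumbprint"`, yet this step-2 template swaps their roles: `reverseProxyCertificate.thumbprint` takes `sfReverseProxySecCertificateThumbprint` and `thumbprintSecondary` takes `sfReverseProxyCertificateThumbprint`, and the VMSS extension's `reverseProxyCertificate`/`reverseProxySecondaryCertificate` blocks mirror that. Someone filling in the parameters file cannot tell which value is the certificate being promoted, so the descriptions should say it, e.g. `"description": "Thumbprint of the new reverse proxy certificate; in this roll-over step it becomes the primary certificate"` and `"description": "Thumbprint of the previous reverse proxy certificate; in this step it stays installed as the secondary certificate"` (my reading of the step naming — confirm). Also worth a caveat in the template metadata or README: `LoadBalancerBEAddressNatPool` forwards front-end ports 3389–4500 on the public IP to `backendPort` 3389 (RDP) and no network security group is declared, so deploying the sample as-is exposes RDP to the internet; restricting the source range or removing the NAT pool once the cluster is up is the safer default.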
@@ -0,0 +1,78 @@
+{
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "clusterLocation": {
+ "value": "westus"
+ },
+ "clusterName": {
+ "value": "Cluster"
+ },
+ "adminUserName": {
+ "value": "admuser"
+ },
+ "adminPassword": {
+ "value": "val$$$"
+ },
+ "vmImagePublisher": {
+ "value": "MicrosoftWindowsServer"
+ },
+ "vmImageOffer": {
+ "value": "WindowsServer"
+ },
+ "vmImageSku": {
+ "value": "2012-R2-Datacenter"
+ },
+ "vmImageVersion": {
+ "value": "latest"
+ },
+ "loadBalancedAppPort1": {
+ "value": 80
+ },
+ "loadBalancedAppPort2": {
+ "value": 8081
+ },
+ "clusterCertificateStorevalue": {
+ "value": "My"
+ },
+ "clusterCertificateThumbprint": {
+ "value": "thumbprint value"
+ },
+ "sourceVaultvalue": {
+ "value": "/subscriptions/subscription value/resourceGroups/key vault resource group name/providers/Microsoft.KeyVault/vaults/key vault name"
+ },
+ "clusterCertificateUrlvalue": {
+ "value": "Refers to the location URL in your key vault where the certificate was uploaded, it is should be in the format of https://.vault.azure.net:443/secrets/"
+ },
+ "sfReverseProxyCertificateStorevalue": {
+ "value": "My"
+ },
+ "sfReverseProxyCertificateThumbprint": {
+ "value": "thumbprint value"
+ },
+ "sfReverseProxyCertificateUrlvalue": {
+ "value": "Refers to the location URL in your key vault where the certificate was uploaded, it is should be in the format of https://.vault.azure.net:443/secrets/"
+ },
+ "sfReverseProxySecCertificateThumbprint": {
+ "value": "thumbprint value"
+ },
+ "sfReverseProxySecCertificateUrlvalue": {
+ "value": "Refers to the location URL in your key vault where the certificate was uploaded, it is should be in the format of https://.vault.azure.net:443/secrets/"
+ },
+ "clusterProtectionLevel": {
+ "value": "EncryptAndSign"
+ },
+ "storageAccountType": {
+ "value": "Standard_LRS"
+ },
+ "supportLogStorageAccountType": {
+ "value": "Standard_LRS"
+ },
+ "applicationDiagnosticsStorageAccountType": {
+ "value": "Standard_LRS"
+ },
+ "nt0InstanceCount": {
+ "value": 5
+ }
+ }
+}
diff --git a/Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_ServiceCertValidationCommonName.json b/Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_ServiceCertValidationCommonName.json
new file mode 100644
index 0000000..0b8041d
--- /dev/null
+++ b/Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_ServiceCertValidationCommonName.json
@@ -0,0 +1,754 @@ +{ + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json", + "contentVersion": "1.0.0.0", + "parameters": { + "clusterLocation": { + "type": "string", + "metadata": { + "description": "Location of the Cluster" + } + }, + "clusterName": { + "type": "string", + "defaultValue": "sfcluster", + "metadata": { + "description": "Name of your cluster - Between 3 and 23 characters. Letters and numbers only" + } + }, + "adminUserName": { + "type": "string", + "metadata": { + "description": "Remote desktop user Id" + } + }, + "adminPassword": { + "type": "securestring", + "metadata": { + "description": "Remote desktop user password. Must be a strong password" + } + }, + "vmImagePublisher": { + "type": "string", + "defaultValue": "MicrosoftWindowsServer", + "metadata": { + "description": "VM image Publisher" + } + }, + "vmImageOffer": { + "type": "string", + "defaultValue": "WindowsServer", + "metadata": { + "description": "VM image offer" + } + }, + "vmImageSku": { + "type": "string", + "defaultValue": "2012-R2-Datacenter", + "metadata": { + "description": "VM image SKU" + } + }, + "vmImageVersion": { + "type": "string", + "defaultValue": "latest", + "metadata": { + "description": "VM image version" + } + }, + "loadBalancedAppPort1": { + "type": "int", + "defaultValue": 80, + "metadata": { + "description": "Input endpoint1 for the application to use. Replace it with what your application uses" + } + }, + "loadBalancedAppPort2": { + "type": "int", + "defaultValue": 8081, + "metadata": { + "description": "Input endpoint2 for the application to use. 
Replace it with what your application uses" + } + }, + "SFReverseProxyPort": { + "type": "int", + "defaultValue": 19008, + "metadata": { + "description": "Endpoint for Service Fabric Reverse proxy" + } + }, + "clusterCertificateStoreValue": { + "type": "string", + "allowedValues": [ + "My" + ], + "defaultValue": "My", + "metadata": { + "description": "The store name where the cert will be deployed in the virtual machine" + } + }, + "clusterCertificateThumbprint": { + "type": "string", + "metadata": { + "description": "Certificate Thumbprint" + } + }, + "sourceVaultValue": { + "type": "string", + "metadata": { + "description": "Resource Id of the key vault, is should be in the format of /subscriptions//resourceGroups//providers/Microsoft.KeyVault/vaults/" + } + }, + "clusterCertificateUrlValue": { + "type": "string", + "metadata": { + "description": "Refers to the location URL in your key vault where the certificate was uploaded, it is should be in the format of https://.vault.azure.net:443/secrets/" + } + }, + "sfReverseProxyCertificateStoreValue": { + "type": "string", + "allowedValues": [ + "My" + ], + "defaultValue": "My", + "metadata": { + "description": "The store name where the cert will be deployed in the virtual machine" + } + }, + "sfReverseProxyCertificateThumbprint": { + "type": "string", + "metadata": { + "description": "Certificate Thumbprint" + } + }, + "sfReverseProxyCertificateUrlValue": { + "type": "string", + "metadata": { + "description": "Refers to the location URL in your key vault where the certificate was uploaded, it is should be in the format of https://.vault.azure.net:443/secrets/" + } + }, + "clusterProtectionLevel": { + "type": "string", + "allowedValues": [ + "None", + "Sign", + "EncryptAndSign" + ], + "defaultValue": "EncryptAndSign", + "metadata": { + "description": "Protection level.Three values are allowed - EncryptAndSign, Sign, None. 
It is best to keep the default of EncryptAndSign, unless you have a need not to" + } + }, + "serviceCommonNameAndIssuer": { + "type": "array", + "metadata": { + "description": "Array of accepted service certificate common name and issuer thumbprint pairs that the reverse proxy will accept." + } + }, + "storageAccountType": { + "type": "string", + "allowedValues": [ + "Standard_LRS", + "Premium_LRS" + ], + "defaultValue": "Standard_LRS", + "metadata": { + "description": "Replication option for the VM image storage account" + } + }, + "supportLogStorageAccountType": { + "type": "string", + "allowedValues": [ + "Standard_LRS", + "Standard_GRS" + ], + "defaultValue": "Standard_LRS", + "metadata": { + "description": "Replication option for the support log storage account" + } + }, + "applicationDiagnosticsStorageAccountType": { + "type": "string", + "allowedValues": [ + "Standard_LRS", + "Standard_GRS" + ], + "defaultValue": "Standard_LRS", + "metadata": { + "description": "Replication option for the application diagnostics storage account" + } + }, + "nt0InstanceCount": { + "type": "int", + "defaultValue": 5, + "metadata": { + "description": "Instance count for node type" + } + } + }, + "variables": { + "computeLocation": "[parameters('clusterLocation')]", + "dnsName": "[parameters('clusterName')]", + "vmName": "vm", + "virtualNetworkName": "VNet", + "addressPrefix": "10.0.0.0/16", + "nicName": "NIC", + "lbIPName": "PublicIP-LB-FE", + "vnetID": "[resourceId('Microsoft.Network/virtualNetworks',variables('virtualNetworkName'))]", + "overProvision": "false", + "vmssApiVersion": "2017-03-30", + "lbApiVersion": "2015-06-15", + "vNetApiVersion": "2015-06-15", + "storageApiVersion": "2016-01-01", + "publicIPApiVersion": "2015-06-15", + "nt0applicationStartPort": "20000", + "nt0applicationEndPort": "30000", + "nt0ephemeralStartPort": "49152", + "nt0ephemeralEndPort": "65534", + "nt0fabricTcpGatewayPort": "19000", + "nt0fabricHttpGatewayPort": "19080", + "subnet0Name": 
"Subnet-0", + "subnet0Prefix": "10.0.0.0/24", + "subnet0Ref": "[concat(variables('vnetID'),'/subnets/',variables('subnet0Name'))]", + "supportLogStorageAccountName": "[toLower( concat( uniqueString(resourceGroup().id),'2'))]", + "applicationDiagnosticsStorageAccountName": "[toLower(concat(uniqueString(resourceGroup().id), '3' ))]", + "lbID0": "[resourceId('Microsoft.Network/loadBalancers',concat('LB','-', parameters('clusterName'),'-',variables('vmNodeType0Name')))]", + "lbIPConfig0": "[concat(variables('lbID0'),'/frontendIPConfigurations/LoadBalancerIPConfig')]", + "lbPoolID0": "[concat(variables('lbID0'),'/backendAddressPools/LoadBalancerBEAddressPool')]", + "lbProbeID0": "[concat(variables('lbID0'),'/probes/FabricGatewayProbe')]", + "lbHttpProbeID0": "[concat(variables('lbID0'),'/probes/FabricHttpGatewayProbe')]", + "lbNatPoolID0": "[concat(variables('lbID0'),'/inboundNatPools/LoadBalancerBEAddressNatPool')]", + "vmNodeType0Name": "[toLower(concat('NT1', variables('vmName')))]", + "vmNodeType0Size": "Standard_DS2_v2" + }, + "resources": [ + { + "apiVersion": "[variables('storageApiVersion')]", + "type": "Microsoft.Storage/storageAccounts", + "name": "[variables('supportLogStorageAccountName')]", + "location": "[variables('computeLocation')]", + "dependsOn": [], + "properties": {}, + "kind": "Storage", + "sku": { + "name": "[parameters('supportLogStorageAccountType')]" + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + }, + { + "apiVersion": "[variables('storageApiVersion')]", + "type": "Microsoft.Storage/storageAccounts", + "name": "[variables('applicationDiagnosticsStorageAccountName')]", + "location": "[variables('computeLocation')]", + "dependsOn": [], + "properties": {}, + "kind": "Storage", + "sku": { + "name": "[parameters('applicationDiagnosticsStorageAccountType')]" + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + }, + { + "apiVersion": 
"[variables('vNetApiVersion')]", + "type": "Microsoft.Network/virtualNetworks", + "name": "[variables('virtualNetworkName')]", + "location": "[variables('computeLocation')]", + "properties": { + "addressSpace": { + "addressPrefixes": [ + "[variables('addressPrefix')]" + ] + }, + "subnets": [ + { + "name": "[variables('subnet0Name')]", + "properties": { + "addressPrefix": "[variables('subnet0Prefix')]" + } + } + ] + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + }, + { + "apiVersion": "[variables('publicIPApiVersion')]", + "type": "Microsoft.Network/publicIPAddresses", + "name": "[concat(variables('lbIPName'),'-','0')]", + "location": "[variables('computeLocation')]", + "properties": { + "dnsSettings": { + "domainNameLabel": "[variables('dnsName')]" + }, + "publicIPAllocationMethod": "Dynamic" + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + }, + { + "apiVersion": "[variables('lbApiVersion')]", + "type": "Microsoft.Network/loadBalancers", + "name": "[concat('LB','-', parameters('clusterName'),'-',variables('vmNodeType0Name'))]", + "location": "[variables('computeLocation')]", + "dependsOn": [ + "[concat('Microsoft.Network/publicIPAddresses/',concat(variables('lbIPName'),'-','0'))]" + ], + "properties": { + "frontendIPConfigurations": [ + { + "name": "LoadBalancerIPConfig", + "properties": { + "publicIPAddress": { + "id": "[resourceId('Microsoft.Network/publicIPAddresses',concat(variables('lbIPName'),'-','0'))]" + } + } + } + ], + "backendAddressPools": [ + { + "name": "LoadBalancerBEAddressPool", + "properties": {} + } + ], + "loadBalancingRules": [ + { + "name": "LBRule", + "properties": { + "backendAddressPool": { + "id": "[variables('lbPoolID0')]" + }, + "backendPort": "[variables('nt0fabricTcpGatewayPort')]", + "enableFloatingIP": "false", + "frontendIPConfiguration": { + "id": "[variables('lbIPConfig0')]" + }, + "frontendPort": 
"[variables('nt0fabricTcpGatewayPort')]", + "idleTimeoutInMinutes": "5", + "probe": { + "id": "[variables('lbProbeID0')]" + }, + "protocol": "tcp" + } + }, + { + "name": "LBHttpRule", + "properties": { + "backendAddressPool": { + "id": "[variables('lbPoolID0')]" + }, + "backendPort": "[variables('nt0fabricHttpGatewayPort')]", + "enableFloatingIP": "false", + "frontendIPConfiguration": { + "id": "[variables('lbIPConfig0')]" + }, + "frontendPort": "[variables('nt0fabricHttpGatewayPort')]", + "idleTimeoutInMinutes": "5", + "probe": { + "id": "[variables('lbHttpProbeID0')]" + }, + "protocol": "tcp" + } + }, + { + "name": "LBSFReverseProxyRule", + "properties": { + "backendAddressPool": { + "id": "[variables('lbPoolID0')]" + }, + "backendPort": "[parameters('SFReverseProxyPort')]", + "enableFloatingIP": "false", + "frontendIPConfiguration": { + "id": "[variables('lbIPConfig0')]" + }, + "frontendPort": "[parameters('SFReverseProxyPort')]", + "idleTimeoutInMinutes": "5", + "probe": { + "id": "[concat(variables('lbID0'),'/probes/SFReverseProxyProbe')]" + }, + "protocol": "tcp" + } + }, + { + "name": "AppPortLBRule1", + "properties": { + "backendAddressPool": { + "id": "[variables('lbPoolID0')]" + }, + "backendPort": "[parameters('loadBalancedAppPort1')]", + "enableFloatingIP": "false", + "frontendIPConfiguration": { + "id": "[variables('lbIPConfig0')]" + }, + "frontendPort": "[parameters('loadBalancedAppPort1')]", + "idleTimeoutInMinutes": "5", + "probe": { + "id": "[concat(variables('lbID0'),'/probes/AppPortProbe1')]" + }, + "protocol": "tcp" + } + }, + { + "name": "AppPortLBRule2", + "properties": { + "backendAddressPool": { + "id": "[variables('lbPoolID0')]" + }, + "backendPort": "[parameters('loadBalancedAppPort2')]", + "enableFloatingIP": "false", + "frontendIPConfiguration": { + "id": "[variables('lbIPConfig0')]" + }, + "frontendPort": "[parameters('loadBalancedAppPort2')]", + "idleTimeoutInMinutes": "5", + "probe": { + "id": 
"[concat(variables('lbID0'),'/probes/AppPortProbe2')]" + }, + "protocol": "tcp" + } + } + ], + "probes": [ + { + "name": "FabricGatewayProbe", + "properties": { + "intervalInSeconds": 5, + "numberOfProbes": 2, + "port": "[variables('nt0fabricTcpGatewayPort')]", + "protocol": "tcp" + } + }, + { + "name": "FabricHttpGatewayProbe", + "properties": { + "intervalInSeconds": 5, + "numberOfProbes": 2, + "port": "[variables('nt0fabricHttpGatewayPort')]", + "protocol": "tcp" + } + }, + { + "name": "SFReverseProxyProbe", + "properties": { + "intervalInSeconds": 5, + "numberOfProbes": 2, + "port": "[parameters('SFReverseProxyPort')]", + "protocol": "tcp" + } + }, + { + "name": "AppPortProbe1", + "properties": { + "intervalInSeconds": 5, + "numberOfProbes": 2, + "port": "[parameters('loadBalancedAppPort1')]", + "protocol": "tcp" + } + }, + { + "name": "AppPortProbe2", + "properties": { + "intervalInSeconds": 5, + "numberOfProbes": 2, + "port": "[parameters('loadBalancedAppPort2')]", + "protocol": "tcp" + } + } + ], + "inboundNatPools": [ + { + "name": "LoadBalancerBEAddressNatPool", + "properties": { + "backendPort": "3389", + "frontendIPConfiguration": { + "id": "[variables('lbIPConfig0')]" + }, + "frontendPortRangeEnd": "4500", + "frontendPortRangeStart": "3389", + "protocol": "tcp" + } + } + ] + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + }, + { + "apiVersion": "[variables('vmssApiVersion')]", + "type": "Microsoft.Compute/virtualMachineScaleSets", + "name": "[variables('vmNodeType0Name')]", + "location": "[variables('computeLocation')]", + "dependsOn": [ + "[concat('Microsoft.Network/virtualNetworks/', variables('virtualNetworkName'))]", + "[concat('Microsoft.Network/loadBalancers/', concat('LB','-', parameters('clusterName'),'-',variables('vmNodeType0Name')))]", + "[concat('Microsoft.Storage/storageAccounts/', variables('supportLogStorageAccountName'))]", + "[concat('Microsoft.Storage/storageAccounts/', 
variables('applicationDiagnosticsStorageAccountName'))]" + ], + "properties": { + "overprovision": "[variables('overProvision')]", + "upgradePolicy": { + "mode": "Automatic" + }, + "virtualMachineProfile": { + "extensionProfile": { + "extensions": [ + { + "name": "[concat('ServiceFabricNodeVmExt','_vmNodeType0Name')]", + "properties": { + "type": "ServiceFabricNode", + "autoUpgradeMinorVersion": false, + "protectedSettings": { + "StorageAccountKey1": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('supportLogStorageAccountName')),'2015-05-01-preview').key1]", + "StorageAccountKey2": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('supportLogStorageAccountName')),'2015-05-01-preview').key2]" + }, + "publisher": "Microsoft.Azure.ServiceFabric", + "settings": { + "clusterEndpoint": "[reference(parameters('clusterName')).clusterEndpoint]", + "nodeTypeRef": "[variables('vmNodeType0Name')]", + "dataPath": "D:\\\\SvcFab", + "durabilityLevel": "Bronze", + "nicPrefixOverride": "[variables('subnet0Prefix')]", + "certificate": { + "thumbprint": "[parameters('clusterCertificateThumbprint')]", + "x509StoreName": "[parameters('clusterCertificateStoreValue')]" + }, + "reverseProxyCertificate": { + "thumbprint": "[parameters('sfReverseProxyCertificateThumbprint')]", + "x509StoreName": "[parameters('sfReverseProxyCertificateStoreValue')]" + } + }, + "typeHandlerVersion": "1.0" + } + }, + { + "name": "[concat('VMDiagnosticsVmExt','_vmNodeType0Name')]", + "properties": { + "type": "IaaSDiagnostics", + "autoUpgradeMinorVersion": true, + "protectedSettings": { + "storageAccountName": "[variables('applicationDiagnosticsStorageAccountName')]", + "storageAccountKey": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('applicationDiagnosticsStorageAccountName')),'2015-05-01-preview').key1]", + "storageAccountEndPoint": "https://core.windows.net/" + }, + "publisher": "Microsoft.Azure.Diagnostics", + "settings": { + "WadCfg": { + 
"DiagnosticMonitorConfiguration": { + "overallQuotaInMB": "50000", + "EtwProviders": { + "EtwEventSourceProviderConfiguration": [ + { + "provider": "Microsoft-ServiceFabric-Actors", + "scheduledTransferKeywordFilter": "1", + "scheduledTransferPeriod": "PT5M", + "DefaultEvents": { + "eventDestination": "ServiceFabricReliableActorEventTable" + } + }, + { + "provider": "Microsoft-ServiceFabric-Services", + "scheduledTransferPeriod": "PT5M", + "DefaultEvents": { + "eventDestination": "ServiceFabricReliableServiceEventTable" + } + } + ], + "EtwManifestProviderConfiguration": [ + { + "provider": "cbd93bc2-71e5-4566-b3a7-595d8eeca6e8", + "scheduledTransferLogLevelFilter": "Information", + "scheduledTransferKeywordFilter": "4611686018427387904", + "scheduledTransferPeriod": "PT5M", + "DefaultEvents": { + "eventDestination": "ServiceFabricSystemEventTable" + } + } + ] + } + } + }, + "StorageAccount": "[variables('applicationDiagnosticsStorageAccountName')]" + }, + "typeHandlerVersion": "1.5" + } + } + ] + }, + "networkProfile": { + "networkInterfaceConfigurations": [ + { + "name": "[concat(variables('nicName'), '-0')]", + "properties": { + "ipConfigurations": [ + { + "name": "[concat(variables('nicName'),'-',0)]", + "properties": { + "loadBalancerBackendAddressPools": [ + { + "id": "[variables('lbPoolID0')]" + } + ], + "loadBalancerInboundNatPools": [ + { + "id": "[variables('lbNatPoolID0')]" + } + ], + "subnet": { + "id": "[variables('subnet0Ref')]" + } + } + } + ], + "primary": true + } + } + ] + }, + "osProfile": { + "adminPassword": "[parameters('adminPassword')]", + "adminUsername": "[parameters('adminUsername')]", + "computernamePrefix": "[variables('vmNodeType0Name')]", + "secrets": [ + { + "sourceVault": { + "id": "[parameters('sourceVaultValue')]" + }, + "vaultCertificates": [ + { + "certificateStore": "[parameters('clusterCertificateStorevalue')]", + "certificateUrl": "[parameters('clusterCertificateUrlValue')]" + }, + { + "certificateStore": 
"[parameters('sfReverseProxyCertificateStoreValue')]", + "certificateUrl": "[parameters('sfReverseProxyCertificateUrlValue')]" + } + ] + } + ] + }, + "storageProfile": { + "imageReference": { + "publisher": "[parameters('vmImagePublisher')]", + "offer": "[parameters('vmImageOffer')]", + "sku": "[parameters('vmImageSku')]", + "version": "[parameters('vmImageVersion')]" + }, + "osDisk": { + "createOption": "FromImage", + "caching": "ReadOnly", + "managedDisk": { + "storageAccountType": "[parameters('storageAccountType')]" + } + } + } + } + }, + "sku": { + "name": "[variables('vmNodeType0Size')]", + "capacity": "[parameters('nt0InstanceCount')]", + "tier": "Standard" + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + }, + { + "apiVersion": "2016-09-01", + "type": "Microsoft.ServiceFabric/clusters", + "name": "[parameters('clusterName')]", + "location": "[parameters('clusterLocation')]", + "dependsOn": [ + "[concat('Microsoft.Storage/storageAccounts/', variables('supportLogStorageAccountName'))]" + ], + "properties": { + "certificate": { + "thumbprint": "[parameters('clusterCertificateThumbprint')]", + "x509StoreName": "[parameters('clusterCertificateStoreValue')]" + }, + "reverseProxyCertificate": { + "thumbprint": "[parameters('sfReverseProxyCertificateThumbprint')]", + "x509StoreName": "[parameters('sfReverseProxyCertificateStoreValue')]" + }, + "clientCertificateCommonNames": [], + "clientCertificateThumbprints": [], + "clusterState": "Default", + "diagnosticsStorageAccountConfig": { + "blobEndpoint": "[reference(concat('Microsoft.Storage/storageAccounts/', variables('supportLogStorageAccountName')), variables('storageApiVersion')).primaryEndpoints.blob]", + "protectedAccountKeyName": "StorageAccountKey1", + "queueEndpoint": "[reference(concat('Microsoft.Storage/storageAccounts/', variables('supportLogStorageAccountName')), variables('storageApiVersion')).primaryEndpoints.queue]", + "storageAccountName": 
"[variables('supportLogStorageAccountName')]", + "tableEndpoint": "[reference(concat('Microsoft.Storage/storageAccounts/', variables('supportLogStorageAccountName')), variables('storageApiVersion')).primaryEndpoints.table]" + }, + "fabricSettings": [ + { + "parameters": [ + { + "name": "ClusterProtectionLevel", + "value": "[parameters('clusterProtectionLevel')]" + } + ], + "name": "Security" + }, + { + "name": "ApplicationGateway/Http", + "parameters": [ + { + "name": "ApplicationCertificateValidationPolicy", + "value": "ServiceCommonNameAndIssuer" + } + ] + }, + { + "name": "ApplicationGateway/Http/ServiceCommonNameAndIssuer", + "parameters": "[parameters('serviceCommonNameAndIssuer')]" + } + ], + "managementEndpoint": "[concat('https://',reference(concat(variables('lbIPName'),'-','0')).dnsSettings.fqdn,':',variables('nt0fabricHttpGatewayPort'))]", + "nodeTypes": [ + { + "name": "[variables('vmNodeType0Name')]", + "applicationPorts": { + "endPort": "[variables('nt0applicationEndPort')]", + "startPort": "[variables('nt0applicationStartPort')]" + }, + "clientConnectionEndpointPort": "[variables('nt0fabricTcpGatewayPort')]", + "durabilityLevel": "Bronze", + "ephemeralPorts": { + "endPort": "[variables('nt0ephemeralEndPort')]", + "startPort": "[variables('nt0ephemeralStartPort')]" + }, + "httpGatewayEndpointPort": "[variables('nt0fabricHttpGatewayPort')]", + "reverseProxyEndpointPort": "[parameters('SFReverseProxyPort')]", + "isPrimary": true, + "vmInstanceCount": "[parameters('nt0InstanceCount')]" + } + ], + "provisioningState": "Default", + "reliabilityLevel": "Silver", + "upgradeMode": "Automatic", + "vmImage": "Windows" + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + } + ], + "outputs": { + "clusterProperties": { + "value": "[reference(parameters('clusterName'))]", + "type": "object" + } + } +} \ No newline at end of file 
diff --git a/Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_ServiceCertValidationCommonName.parameters.json b/Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_ServiceCertValidationCommonName.parameters.json
new file mode 100644
index 0000000..2e43cad
--- /dev/null
+++ b/Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_ServiceCertValidationCommonName.parameters.json
@@ -0,0 +1,84 @@
+{
+  "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+    "clusterLocation": {
+      "value": "westus"
+    },
+    "clusterName": {
+      "value": "Cluster"
+    },
+    "adminUserName": {
+      "value": "admuser"
+    },
+    "adminPassword": {
+      "value": "val$$$"
+    },
+    "vmImagePublisher": {
+      "value": "MicrosoftWindowsServer"
+    },
+    "vmImageOffer": {
+      "value": "WindowsServer"
+    },
+    "vmImageSku": {
+      "value": "2012-R2-Datacenter"
+    },
+    "vmImageVersion": {
+      "value": "latest"
+    },
+    "loadBalancedAppPort1": {
+      "value": 80
+    },
+    "loadBalancedAppPort2": {
+      "value": 8081
+    },
+    "clusterCertificateStorevalue": {
+      "value": "My"
+    },
+    "clusterCertificateThumbprint": {
+      "value": "thumbprint value"
+    },
+    "sourceVaultvalue": {
+      "value": "/subscriptions/subscription value/resourceGroups/key vault resource group name/providers/Microsoft.KeyVault/vaults/key vault name"
+    },
+    "clusterCertificateUrlvalue": {
+      "value": "Refers to the location URL in your key vault where the certificate was uploaded, it is should be in the format of https://.vault.azure.net:443/secrets/"
+    },
+    "sfReverseProxyCertificateStorevalue": {
+      "value": "My"
+    },
+    "sfReverseProxyCertificateThumbprint": {
+      "value": "thumbprint value"
+    },
+    "sfReverseProxyCertificateUrlvalue": {
+      "value": "Refers to the location URL in your key vault where the certificate was uploaded, it is should be in the format of https://.vault.azure.net:443/secrets/"
+    },
+    "clusterProtectionLevel": {
+      "value": "EncryptAndSign"
+    },
+    "serviceCommonNameAndIssuer": {
+      "value": [
+        {
+          "name": "Certificate Common Name 1",
+          "value": "Immediate issuer thumbprint"
+        },
+        {
+          "name": "Certificate Common Name 2",
+          "value": "Immediate issuer thumbprint"
+        }
+      ]
+    },
+    "storageAccountType": {
+      "value": "Standard_LRS"
+    },
+    "supportLogStorageAccountType": {
+      "value": "Standard_LRS"
+    },
+    "applicationDiagnosticsStorageAccountType": {
+      "value": "Standard_LRS"
+    },
+    "nt0InstanceCount": {
+      "value": 5
+    }
+  }
+}
diff --git a/Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_ServiceCertValidationNone.json b/Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_ServiceCertValidationNone.json
new file mode 100644
index 0000000..f10cdb8
--- /dev/null
+++ b/Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_ServiceCertValidationNone.json
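Review bot: `adminPassword` is committed as a cleartext literal (`"value": "val$$$"`) in this parameters file even though the matching template declares it as a `securestring`; a remote-desktop administrator password in source control is a credential leak, and a six-character value would most likely also be rejected by Azure's VM password complexity rules at deploy time. Prefer a Key Vault reference so the file stays secret-free, e.g. `"adminPassword": { "reference": { "keyVault": { "id": "<vault resource id>" }, "secretName": "<secret name>" } }`, or drop the key entirely so the deployment prompts for it, which is how the certificate material is already handled through `sourceVaultvalue`. The `serviceCommonNameAndIssuer` entries are placeholders; a one-line note that each `value` must be the SHA-1 thumbprint of the immediate issuer (not the leaf) would stop readers from pasting the service certificate thumbprint there and getting every reverse-proxy call rejected.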
@@ -0,0 +1,744 @@ +{ + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json", + "contentVersion": "1.0.0.0", + "parameters": { + "clusterLocation": { + "type": "string", + "metadata": { + "description": "Location of the Cluster" + } + }, + "clusterName": { + "type": "string", + "defaultValue": "sfcluster", + "metadata": { + "description": "Name of your cluster - Between 3 and 23 characters. Letters and numbers only" + } + }, + "adminUserName": { + "type": "string", + "metadata": { + "description": "Remote desktop user Id" + } + }, + "adminPassword": { + "type": "securestring", + "metadata": { + "description": "Remote desktop user password. Must be a strong password" + } + }, + "vmImagePublisher": { + "type": "string", + "defaultValue": "MicrosoftWindowsServer", + "metadata": { + "description": "VM image Publisher" + } + }, + "vmImageOffer": { + "type": "string", + "defaultValue": "WindowsServer", + "metadata": { + "description": "VM image offer" + } + }, + "vmImageSku": { + "type": "string", + "defaultValue": "2012-R2-Datacenter", + "metadata": { + "description": "VM image SKU" + } + }, + "vmImageVersion": { + "type": "string", + "defaultValue": "latest", + "metadata": { + "description": "VM image version" + } + }, + "loadBalancedAppPort1": { + "type": "int", + "defaultValue": 80, + "metadata": { + "description": "Input endpoint1 for the application to use. Replace it with what your application uses" + } + }, + "loadBalancedAppPort2": { + "type": "int", + "defaultValue": 8081, + "metadata": { + "description": "Input endpoint2 for the application to use. 
Replace it with what your application uses" + } + }, + "SFReverseProxyPort": { + "type": "int", + "defaultValue": 19008, + "metadata": { + "description": "Endpoint for Service Fabric Reverse proxy" + } + }, + "clusterCertificateStoreValue": { + "type": "string", + "allowedValues": [ + "My" + ], + "defaultValue": "My", + "metadata": { + "description": "The store name where the cert will be deployed in the virtual machine" + } + }, + "clusterCertificateThumbprint": { + "type": "string", + "metadata": { + "description": "Certificate Thumbprint" + } + }, + "sourceVaultValue": { + "type": "string", + "metadata": { + "description": "Resource Id of the key vault, is should be in the format of /subscriptions//resourceGroups//providers/Microsoft.KeyVault/vaults/" + } + }, + "clusterCertificateUrlValue": { + "type": "string", + "metadata": { + "description": "Refers to the location URL in your key vault where the certificate was uploaded, it is should be in the format of https://.vault.azure.net:443/secrets/" + } + }, + "sfReverseProxyCertificateStoreValue": { + "type": "string", + "allowedValues": [ + "My" + ], + "defaultValue": "My", + "metadata": { + "description": "The store name where the cert will be deployed in the virtual machine" + } + }, + "sfReverseProxyCertificateThumbprint": { + "type": "string", + "metadata": { + "description": "Certificate Thumbprint" + } + }, + "sfReverseProxyCertificateUrlValue": { + "type": "string", + "metadata": { + "description": "Refers to the location URL in your key vault where the certificate was uploaded, it is should be in the format of https://.vault.azure.net:443/secrets/" + } + }, + "clusterProtectionLevel": { + "type": "string", + "allowedValues": [ + "None", + "Sign", + "EncryptAndSign" + ], + "defaultValue": "EncryptAndSign", + "metadata": { + "description": "Protection level.Three values are allowed - EncryptAndSign, Sign, None. 
It is best to keep the default of EncryptAndSign, unless you have a need not to" + } + }, + "storageAccountType": { + "type": "string", + "allowedValues": [ + "Standard_LRS", + "Premium_LRS" + ], + "defaultValue": "Standard_LRS", + "metadata": { + "description": "Replication option for the VM image storage account" + } + }, + "supportLogStorageAccountType": { + "type": "string", + "allowedValues": [ + "Standard_LRS", + "Standard_GRS" + ], + "defaultValue": "Standard_LRS", + "metadata": { + "description": "Replication option for the support log storage account" + } + }, + "applicationDiagnosticsStorageAccountType": { + "type": "string", + "allowedValues": [ + "Standard_LRS", + "Standard_GRS" + ], + "defaultValue": "Standard_LRS", + "metadata": { + "description": "Replication option for the application diagnostics storage account" + } + }, + "nt0InstanceCount": { + "type": "int", + "defaultValue": 5, + "metadata": { + "description": "Instance count for node type" + } + } + }, + "variables": { + "computeLocation": "[parameters('clusterLocation')]", + "dnsName": "[parameters('clusterName')]", + "vmName": "vm", + "virtualNetworkName": "VNet", + "addressPrefix": "10.0.0.0/16", + "nicName": "NIC", + "lbIPName": "PublicIP-LB-FE", + "vnetID": "[resourceId('Microsoft.Network/virtualNetworks',variables('virtualNetworkName'))]", + "overProvision": "false", + "vmssApiVersion": "2017-03-30", + "lbApiVersion": "2015-06-15", + "vNetApiVersion": "2015-06-15", + "storageApiVersion": "2016-01-01", + "publicIPApiVersion": "2015-06-15", + "nt0applicationStartPort": "20000", + "nt0applicationEndPort": "30000", + "nt0ephemeralStartPort": "49152", + "nt0ephemeralEndPort": "65534", + "nt0fabricTcpGatewayPort": "19000", + "nt0fabricHttpGatewayPort": "19080", + "subnet0Name": "Subnet-0", + "subnet0Prefix": "10.0.0.0/24", + "subnet0Ref": "[concat(variables('vnetID'),'/subnets/',variables('subnet0Name'))]", + "supportLogStorageAccountName": "[toLower( concat( 
uniqueString(resourceGroup().id),'2'))]", + "applicationDiagnosticsStorageAccountName": "[toLower(concat(uniqueString(resourceGroup().id), '3' ))]", + "lbID0": "[resourceId('Microsoft.Network/loadBalancers',concat('LB','-', parameters('clusterName'),'-',variables('vmNodeType0Name')))]", + "lbIPConfig0": "[concat(variables('lbID0'),'/frontendIPConfigurations/LoadBalancerIPConfig')]", + "lbPoolID0": "[concat(variables('lbID0'),'/backendAddressPools/LoadBalancerBEAddressPool')]", + "lbProbeID0": "[concat(variables('lbID0'),'/probes/FabricGatewayProbe')]", + "lbHttpProbeID0": "[concat(variables('lbID0'),'/probes/FabricHttpGatewayProbe')]", + "lbNatPoolID0": "[concat(variables('lbID0'),'/inboundNatPools/LoadBalancerBEAddressNatPool')]", + "vmNodeType0Name": "[toLower(concat('NT1', variables('vmName')))]", + "vmNodeType0Size": "Standard_DS2_v2" + }, + "resources": [ + { + "apiVersion": "[variables('storageApiVersion')]", + "type": "Microsoft.Storage/storageAccounts", + "name": "[variables('supportLogStorageAccountName')]", + "location": "[variables('computeLocation')]", + "dependsOn": [], + "properties": {}, + "kind": "Storage", + "sku": { + "name": "[parameters('supportLogStorageAccountType')]" + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + }, + { + "apiVersion": "[variables('storageApiVersion')]", + "type": "Microsoft.Storage/storageAccounts", + "name": "[variables('applicationDiagnosticsStorageAccountName')]", + "location": "[variables('computeLocation')]", + "dependsOn": [], + "properties": {}, + "kind": "Storage", + "sku": { + "name": "[parameters('applicationDiagnosticsStorageAccountType')]" + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + }, + { + "apiVersion": "[variables('vNetApiVersion')]", + "type": "Microsoft.Network/virtualNetworks", + "name": "[variables('virtualNetworkName')]", + "location": "[variables('computeLocation')]", + "properties": { 
+ "addressSpace": { + "addressPrefixes": [ + "[variables('addressPrefix')]" + ] + }, + "subnets": [ + { + "name": "[variables('subnet0Name')]", + "properties": { + "addressPrefix": "[variables('subnet0Prefix')]" + } + } + ] + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + }, + { + "apiVersion": "[variables('publicIPApiVersion')]", + "type": "Microsoft.Network/publicIPAddresses", + "name": "[concat(variables('lbIPName'),'-','0')]", + "location": "[variables('computeLocation')]", + "properties": { + "dnsSettings": { + "domainNameLabel": "[variables('dnsName')]" + }, + "publicIPAllocationMethod": "Dynamic" + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + }, + { + "apiVersion": "[variables('lbApiVersion')]", + "type": "Microsoft.Network/loadBalancers", + "name": "[concat('LB','-', parameters('clusterName'),'-',variables('vmNodeType0Name'))]", + "location": "[variables('computeLocation')]", + "dependsOn": [ + "[concat('Microsoft.Network/publicIPAddresses/',concat(variables('lbIPName'),'-','0'))]" + ], + "properties": { + "frontendIPConfigurations": [ + { + "name": "LoadBalancerIPConfig", + "properties": { + "publicIPAddress": { + "id": "[resourceId('Microsoft.Network/publicIPAddresses',concat(variables('lbIPName'),'-','0'))]" + } + } + } + ], + "backendAddressPools": [ + { + "name": "LoadBalancerBEAddressPool", + "properties": {} + } + ], + "loadBalancingRules": [ + { + "name": "LBRule", + "properties": { + "backendAddressPool": { + "id": "[variables('lbPoolID0')]" + }, + "backendPort": "[variables('nt0fabricTcpGatewayPort')]", + "enableFloatingIP": "false", + "frontendIPConfiguration": { + "id": "[variables('lbIPConfig0')]" + }, + "frontendPort": "[variables('nt0fabricTcpGatewayPort')]", + "idleTimeoutInMinutes": "5", + "probe": { + "id": "[variables('lbProbeID0')]" + }, + "protocol": "tcp" + } + }, + { + "name": "LBHttpRule", + "properties": { + 
"backendAddressPool": { + "id": "[variables('lbPoolID0')]" + }, + "backendPort": "[variables('nt0fabricHttpGatewayPort')]", + "enableFloatingIP": "false", + "frontendIPConfiguration": { + "id": "[variables('lbIPConfig0')]" + }, + "frontendPort": "[variables('nt0fabricHttpGatewayPort')]", + "idleTimeoutInMinutes": "5", + "probe": { + "id": "[variables('lbHttpProbeID0')]" + }, + "protocol": "tcp" + } + }, + { + "name": "LBSFReverseProxyRule", + "properties": { + "backendAddressPool": { + "id": "[variables('lbPoolID0')]" + }, + "backendPort": "[parameters('SFReverseProxyPort')]", + "enableFloatingIP": "false", + "frontendIPConfiguration": { + "id": "[variables('lbIPConfig0')]" + }, + "frontendPort": "[parameters('SFReverseProxyPort')]", + "idleTimeoutInMinutes": "5", + "probe": { + "id": "[concat(variables('lbID0'),'/probes/SFReverseProxyProbe')]" + }, + "protocol": "tcp" + } + }, + { + "name": "AppPortLBRule1", + "properties": { + "backendAddressPool": { + "id": "[variables('lbPoolID0')]" + }, + "backendPort": "[parameters('loadBalancedAppPort1')]", + "enableFloatingIP": "false", + "frontendIPConfiguration": { + "id": "[variables('lbIPConfig0')]" + }, + "frontendPort": "[parameters('loadBalancedAppPort1')]", + "idleTimeoutInMinutes": "5", + "probe": { + "id": "[concat(variables('lbID0'),'/probes/AppPortProbe1')]" + }, + "protocol": "tcp" + } + }, + { + "name": "AppPortLBRule2", + "properties": { + "backendAddressPool": { + "id": "[variables('lbPoolID0')]" + }, + "backendPort": "[parameters('loadBalancedAppPort2')]", + "enableFloatingIP": "false", + "frontendIPConfiguration": { + "id": "[variables('lbIPConfig0')]" + }, + "frontendPort": "[parameters('loadBalancedAppPort2')]", + "idleTimeoutInMinutes": "5", + "probe": { + "id": "[concat(variables('lbID0'),'/probes/AppPortProbe2')]" + }, + "protocol": "tcp" + } + } + ], + "probes": [ + { + "name": "FabricGatewayProbe", + "properties": { + "intervalInSeconds": 5, + "numberOfProbes": 2, + "port": 
"[variables('nt0fabricTcpGatewayPort')]", + "protocol": "tcp" + } + }, + { + "name": "FabricHttpGatewayProbe", + "properties": { + "intervalInSeconds": 5, + "numberOfProbes": 2, + "port": "[variables('nt0fabricHttpGatewayPort')]", + "protocol": "tcp" + } + }, + { + "name": "SFReverseProxyProbe", + "properties": { + "intervalInSeconds": 5, + "numberOfProbes": 2, + "port": "[parameters('SFReverseProxyPort')]", + "protocol": "tcp" + } + }, + { + "name": "AppPortProbe1", + "properties": { + "intervalInSeconds": 5, + "numberOfProbes": 2, + "port": "[parameters('loadBalancedAppPort1')]", + "protocol": "tcp" + } + }, + { + "name": "AppPortProbe2", + "properties": { + "intervalInSeconds": 5, + "numberOfProbes": 2, + "port": "[parameters('loadBalancedAppPort2')]", + "protocol": "tcp" + } + } + ], + "inboundNatPools": [ + { + "name": "LoadBalancerBEAddressNatPool", + "properties": { + "backendPort": "3389", + "frontendIPConfiguration": { + "id": "[variables('lbIPConfig0')]" + }, + "frontendPortRangeEnd": "4500", + "frontendPortRangeStart": "3389", + "protocol": "tcp" + } + } + ] + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + }, + { + "apiVersion": "[variables('vmssApiVersion')]", + "type": "Microsoft.Compute/virtualMachineScaleSets", + "name": "[variables('vmNodeType0Name')]", + "location": "[variables('computeLocation')]", + "dependsOn": [ + "[concat('Microsoft.Network/virtualNetworks/', variables('virtualNetworkName'))]", + "[concat('Microsoft.Network/loadBalancers/', concat('LB','-', parameters('clusterName'),'-',variables('vmNodeType0Name')))]", + "[concat('Microsoft.Storage/storageAccounts/', variables('supportLogStorageAccountName'))]", + "[concat('Microsoft.Storage/storageAccounts/', variables('applicationDiagnosticsStorageAccountName'))]" + ], + "properties": { + "overprovision": "[variables('overProvision')]", + "upgradePolicy": { + "mode": "Automatic" + }, + "virtualMachineProfile": { + "extensionProfile": 
{ + "extensions": [ + { + "name": "[concat('ServiceFabricNodeVmExt','_vmNodeType0Name')]", + "properties": { + "type": "ServiceFabricNode", + "autoUpgradeMinorVersion": false, + "protectedSettings": { + "StorageAccountKey1": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('supportLogStorageAccountName')),'2015-05-01-preview').key1]", + "StorageAccountKey2": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('supportLogStorageAccountName')),'2015-05-01-preview').key2]" + }, + "publisher": "Microsoft.Azure.ServiceFabric", + "settings": { + "clusterEndpoint": "[reference(parameters('clusterName')).clusterEndpoint]", + "nodeTypeRef": "[variables('vmNodeType0Name')]", + "dataPath": "D:\\\\SvcFab", + "durabilityLevel": "Bronze", + "nicPrefixOverride": "[variables('subnet0Prefix')]", + "certificate": { + "thumbprint": "[parameters('clusterCertificateThumbprint')]", + "x509StoreName": "[parameters('clusterCertificateStoreValue')]" + }, + "reverseProxyCertificate": { + "thumbprint": "[parameters('sfReverseProxyCertificateThumbprint')]", + "x509StoreName": "[parameters('sfReverseProxyCertificateStoreValue')]" + } + }, + "typeHandlerVersion": "1.0" + } + }, + { + "name": "[concat('VMDiagnosticsVmExt','_vmNodeType0Name')]", + "properties": { + "type": "IaaSDiagnostics", + "autoUpgradeMinorVersion": true, + "protectedSettings": { + "storageAccountName": "[variables('applicationDiagnosticsStorageAccountName')]", + "storageAccountKey": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('applicationDiagnosticsStorageAccountName')),'2015-05-01-preview').key1]", + "storageAccountEndPoint": "https://core.windows.net/" + }, + "publisher": "Microsoft.Azure.Diagnostics", + "settings": { + "WadCfg": { + "DiagnosticMonitorConfiguration": { + "overallQuotaInMB": "50000", + "EtwProviders": { + "EtwEventSourceProviderConfiguration": [ + { + "provider": "Microsoft-ServiceFabric-Actors", + "scheduledTransferKeywordFilter": "1", + 
"scheduledTransferPeriod": "PT5M", + "DefaultEvents": { + "eventDestination": "ServiceFabricReliableActorEventTable" + } + }, + { + "provider": "Microsoft-ServiceFabric-Services", + "scheduledTransferPeriod": "PT5M", + "DefaultEvents": { + "eventDestination": "ServiceFabricReliableServiceEventTable" + } + } + ], + "EtwManifestProviderConfiguration": [ + { + "provider": "cbd93bc2-71e5-4566-b3a7-595d8eeca6e8", + "scheduledTransferLogLevelFilter": "Information", + "scheduledTransferKeywordFilter": "4611686018427387904", + "scheduledTransferPeriod": "PT5M", + "DefaultEvents": { + "eventDestination": "ServiceFabricSystemEventTable" + } + } + ] + } + } + }, + "StorageAccount": "[variables('applicationDiagnosticsStorageAccountName')]" + }, + "typeHandlerVersion": "1.5" + } + } + ] + }, + "networkProfile": { + "networkInterfaceConfigurations": [ + { + "name": "[concat(variables('nicName'), '-0')]", + "properties": { + "ipConfigurations": [ + { + "name": "[concat(variables('nicName'),'-',0)]", + "properties": { + "loadBalancerBackendAddressPools": [ + { + "id": "[variables('lbPoolID0')]" + } + ], + "loadBalancerInboundNatPools": [ + { + "id": "[variables('lbNatPoolID0')]" + } + ], + "subnet": { + "id": "[variables('subnet0Ref')]" + } + } + } + ], + "primary": true + } + } + ] + }, + "osProfile": { + "adminPassword": "[parameters('adminPassword')]", + "adminUsername": "[parameters('adminUsername')]", + "computernamePrefix": "[variables('vmNodeType0Name')]", + "secrets": [ + { + "sourceVault": { + "id": "[parameters('sourceVaultValue')]" + }, + "vaultCertificates": [ + { + "certificateStore": "[parameters('clusterCertificateStorevalue')]", + "certificateUrl": "[parameters('clusterCertificateUrlValue')]" + }, + { + "certificateStore": "[parameters('sfReverseProxyCertificateStoreValue')]", + "certificateUrl": "[parameters('sfReverseProxyCertificateUrlValue')]" + } + ] + } + ] + }, + "storageProfile": { + "imageReference": { + "publisher": "[parameters('vmImagePublisher')]", + 
"offer": "[parameters('vmImageOffer')]", + "sku": "[parameters('vmImageSku')]", + "version": "[parameters('vmImageVersion')]" + }, + "osDisk": { + "createOption": "FromImage", + "caching": "ReadOnly", + "managedDisk": { + "storageAccountType": "[parameters('storageAccountType')]" + } + } + } + } + }, + "sku": { + "name": "[variables('vmNodeType0Size')]", + "capacity": "[parameters('nt0InstanceCount')]", + "tier": "Standard" + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + }, + { + "apiVersion": "2016-09-01", + "type": "Microsoft.ServiceFabric/clusters", + "name": "[parameters('clusterName')]", + "location": "[parameters('clusterLocation')]", + "dependsOn": [ + "[concat('Microsoft.Storage/storageAccounts/', variables('supportLogStorageAccountName'))]" + ], + "properties": { + "certificate": { + "thumbprint": "[parameters('clusterCertificateThumbprint')]", + "x509StoreName": "[parameters('clusterCertificateStoreValue')]" + }, + "reverseProxyCertificate": { + "thumbprint": "[parameters('sfReverseProxyCertificateThumbprint')]", + "x509StoreName": "[parameters('sfReverseProxyCertificateStoreValue')]" + }, + "clientCertificateCommonNames": [], + "clientCertificateThumbprints": [], + "clusterState": "Default", + "diagnosticsStorageAccountConfig": { + "blobEndpoint": "[reference(concat('Microsoft.Storage/storageAccounts/', variables('supportLogStorageAccountName')), variables('storageApiVersion')).primaryEndpoints.blob]", + "protectedAccountKeyName": "StorageAccountKey1", + "queueEndpoint": "[reference(concat('Microsoft.Storage/storageAccounts/', variables('supportLogStorageAccountName')), variables('storageApiVersion')).primaryEndpoints.queue]", + "storageAccountName": "[variables('supportLogStorageAccountName')]", + "tableEndpoint": "[reference(concat('Microsoft.Storage/storageAccounts/', variables('supportLogStorageAccountName')), variables('storageApiVersion')).primaryEndpoints.table]" + }, + "fabricSettings": [ 
+ { + "parameters": [ + { + "name": "ClusterProtectionLevel", + "value": "[parameters('clusterProtectionLevel')]" + } + ], + "name": "Security" + }, + { + "name": "ApplicationGateway/Http", + "parameters": [ + { + "name": "ApplicationCertificateValidationPolicy", + "value": "None" + } + ] + } + ], + "managementEndpoint": "[concat('https://',reference(concat(variables('lbIPName'),'-','0')).dnsSettings.fqdn,':',variables('nt0fabricHttpGatewayPort'))]", + "nodeTypes": [ + { + "name": "[variables('vmNodeType0Name')]", + "applicationPorts": { + "endPort": "[variables('nt0applicationEndPort')]", + "startPort": "[variables('nt0applicationStartPort')]" + }, + "clientConnectionEndpointPort": "[variables('nt0fabricTcpGatewayPort')]", + "durabilityLevel": "Bronze", + "ephemeralPorts": { + "endPort": "[variables('nt0ephemeralEndPort')]", + "startPort": "[variables('nt0ephemeralStartPort')]" + }, + "httpGatewayEndpointPort": "[variables('nt0fabricHttpGatewayPort')]", + "reverseProxyEndpointPort": "[parameters('SFReverseProxyPort')]", + "isPrimary": true, + "vmInstanceCount": "[parameters('nt0InstanceCount')]" + } + ], + "provisioningState": "Default", + "reliabilityLevel": "Silver", + "upgradeMode": "Automatic", + "vmImage": "Windows" + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + } + ], + "outputs": { + "clusterProperties": { + "value": "[reference(parameters('clusterName'))]", + "type": "object" + } + } +} \ No newline at end of file diff --git a/Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_ServiceCertValidationNone.parameters.json b/Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_ServiceCertValidationNone.parameters.json new file mode 100644 index 0000000..da39320 --- /dev/null +++ b/Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_ServiceCertValidationNone.parameters.json 
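Review bot: `ApplicationCertificateValidationPolicy` is set to `None` in the `ApplicationGateway/Http` fabric settings while `LBSFReverseProxyRule` and `SFReverseProxyProbe` publish the reverse proxy port (`SFReverseProxyPort`, default 19008) on the public load-balancer frontend; in that combination the proxy forwards to backend services without validating their certificates, and since the reverse proxy resolves any service in the cluster, internet callers can presumably reach services that were never intended to be public. If this file is meant to be the "no validation" sample, the `SFReverseProxyPort` parameter should say so, e.g. `"description": "Endpoint for Service Fabric Reverse proxy. This template exposes it on the public load balancer and disables service certificate validation (ApplicationCertificateValidationPolicy=None); use for testing only"`, and the sibling templates should be pointed to for production. Separately, `LoadBalancerBEAddressNatPool` maps public ports 3389-4500 to RDP on every node and the template defines no network security group, so RDP on all five nodes is reachable from the internet protected only by `adminPassword`.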
@@ -0,0 +1,72 @@
+{
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "clusterLocation": {
+ "value": "westus"
+ },
+ "clusterName": {
+ "value": "Cluster"
+ },
+ "adminUserName": {
+ "value": "admuser"
+ },
+ "adminPassword": {
+ "value": "val$$$"
+ },
+ "vmImagePublisher": {
+ "value": "MicrosoftWindowsServer"
+ },
+ "vmImageOffer": {
+ "value": "WindowsServer"
+ },
+ "vmImageSku": {
+ "value": "2012-R2-Datacenter"
+ },
+ "vmImageVersion": {
+ "value": "latest"
+ },
+ "loadBalancedAppPort1": {
+ "value": 80
+ },
+ "loadBalancedAppPort2": {
+ "value": 8081
+ },
+ "clusterCertificateStorevalue": {
+ "value": "My"
+ },
+ "clusterCertificateThumbprint": {
+ "value": "thumbprint value"
+ },
+ "sourceVaultvalue": {
+ "value": "/subscriptions/subscription value/resourceGroups/key vault resource group name/providers/Microsoft.KeyVault/vaults/key vault name"
+ },
+ "clusterCertificateUrlvalue": {
+ "value": "Refers to the location URL in your key vault where the certificate was uploaded, it is should be in the format of https://.vault.azure.net:443/secrets/"
+ },
+ "sfReverseProxyCertificateStorevalue": {
+ "value": "My"
+ },
+ "sfReverseProxyCertificateThumbprint": {
+ "value": "thumbprint value"
+ },
+ "sfReverseProxyCertificateUrlvalue": {
+ "value": "Refers to the location URL in your key vault where the certificate was uploaded, it is should be in the format of https://.vault.azure.net:443/secrets/"
+ },
+ "clusterProtectionLevel": {
+ "value": "EncryptAndSign"
+ },
+ "storageAccountType": {
+ "value": "Standard_LRS"
+ },
+ "supportLogStorageAccountType": {
+ "value": "Standard_LRS"
+ },
+ "applicationDiagnosticsStorageAccountType": {
+ "value": "Standard_LRS"
+ },
+ "nt0InstanceCount": {
+ "value": 5
+ }
+ }
+}
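Review bot: `adminPassword` is committed as a plaintext literal (`"value": "val$$$"`), which puts a credential in source control and, at six characters, is shorter than the 12-character minimum Azure enforces for Windows VM admin passwords, so the file as written should fail deployment — and if the value were merely lengthened it would be a guessable RDP password on a node type whose companion templates in this sample forward 3389 through a public NAT pool. The template's `securestring` type only keeps the value out of deployment history; it does nothing for the committed file. Replace the literal with a Key Vault reference so the secret never lands in the repository: `"adminPassword": { "reference": { "keyVault": { "id": "<key vault resource id>" }, "secretName": "<secret name>" } }`, or at minimum an unmistakable placeholder such as `"value": "<strong password - do not commit>"`. Separately, the lowercase suffixes `clusterCertificateStorevalue`, `sourceVaultvalue`, `clusterCertificateUrlvalue` and the `sfReverseProxy...value` names differ in case from the template's `...Value` parameters; ARM parameter binding is case-insensitive so this should still resolve, but matching the template spelling avoids a reader assuming they are different parameters.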
diff --git a/Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_ServiceCertValidationThumbprints.json b/Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_ServiceCertValidationThumbprints.json new file mode 100644 index 0000000..e7c3621 --- /dev/null +++ b/Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_ServiceCertValidationThumbprints.json 
@@ -0,0 +1,754 @@ +{ + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json", + "contentVersion": "1.0.0.0", + "parameters": { + "clusterLocation": { + "type": "string", + "metadata": { + "description": "Location of the Cluster" + } + }, + "clusterName": { + "type": "string", + "defaultValue": "sfcluster", + "metadata": { + "description": "Name of your cluster - Between 3 and 23 characters. Letters and numbers only" + } + }, + "adminUserName": { + "type": "string", + "metadata": { + "description": "Remote desktop user Id" + } + }, + "adminPassword": { + "type": "securestring", + "metadata": { + "description": "Remote desktop user password. Must be a strong password" + } + }, + "vmImagePublisher": { + "type": "string", + "defaultValue": "MicrosoftWindowsServer", + "metadata": { + "description": "VM image Publisher" + } + }, + "vmImageOffer": { + "type": "string", + "defaultValue": "WindowsServer", + "metadata": { + "description": "VM image offer" + } + }, + "vmImageSku": { + "type": "string", + "defaultValue": "2012-R2-Datacenter", + "metadata": { + "description": "VM image SKU" + } + }, + "vmImageVersion": { + "type": "string", + "defaultValue": "latest", + "metadata": { + "description": "VM image version" + } + }, + "loadBalancedAppPort1": { + "type": "int", + "defaultValue": 80, + "metadata": { + "description": "Input endpoint1 for the application to use. Replace it with what your application uses" + } + }, + "loadBalancedAppPort2": { + "type": "int", + "defaultValue": 8081, + "metadata": { + "description": "Input endpoint2 for the application to use. 
Replace it with what your application uses" + } + }, + "SFReverseProxyPort": { + "type": "int", + "defaultValue": 19008, + "metadata": { + "description": "Endpoint for Service Fabric Reverse proxy" + } + }, + "clusterCertificateStoreValue": { + "type": "string", + "allowedValues": [ + "My" + ], + "defaultValue": "My", + "metadata": { + "description": "The store name where the cert will be deployed in the virtual machine" + } + }, + "clusterCertificateThumbprint": { + "type": "string", + "metadata": { + "description": "Certificate Thumbprint" + } + }, + "sourceVaultValue": { + "type": "string", + "metadata": { + "description": "Resource Id of the key vault, is should be in the format of /subscriptions//resourceGroups//providers/Microsoft.KeyVault/vaults/" + } + }, + "clusterCertificateUrlValue": { + "type": "string", + "metadata": { + "description": "Refers to the location URL in your key vault where the certificate was uploaded, it is should be in the format of https://.vault.azure.net:443/secrets/" + } + }, + "sfReverseProxyCertificateStoreValue": { + "type": "string", + "allowedValues": [ + "My" + ], + "defaultValue": "My", + "metadata": { + "description": "The store name where the cert will be deployed in the virtual machine" + } + }, + "sfReverseProxyCertificateThumbprint": { + "type": "string", + "metadata": { + "description": "Certificate Thumbprint" + } + }, + "sfReverseProxyCertificateUrlValue": { + "type": "string", + "metadata": { + "description": "Refers to the location URL in your key vault where the certificate was uploaded, it is should be in the format of https://.vault.azure.net:443/secrets/" + } + }, + "clusterProtectionLevel": { + "type": "string", + "allowedValues": [ + "None", + "Sign", + "EncryptAndSign" + ], + "defaultValue": "EncryptAndSign", + "metadata": { + "description": "Protection level.Three values are allowed - EncryptAndSign, Sign, None. 
It is best to keep the default of EncryptAndSign, unless you have a need not to" + } + }, + "serviceCertificateThumbprints": { + "type": "string", + "metadata": { + "description": "Comma separated list of service's certificate thumbprints that the reverse proxy will trust" + } + }, + "storageAccountType": { + "type": "string", + "allowedValues": [ + "Standard_LRS", + "Premium_LRS" + ], + "defaultValue": "Standard_LRS", + "metadata": { + "description": "Replication option for the VM image storage account" + } + }, + "supportLogStorageAccountType": { + "type": "string", + "allowedValues": [ + "Standard_LRS", + "Standard_GRS" + ], + "defaultValue": "Standard_LRS", + "metadata": { + "description": "Replication option for the support log storage account" + } + }, + "applicationDiagnosticsStorageAccountType": { + "type": "string", + "allowedValues": [ + "Standard_LRS", + "Standard_GRS" + ], + "defaultValue": "Standard_LRS", + "metadata": { + "description": "Replication option for the application diagnostics storage account" + } + }, + "nt0InstanceCount": { + "type": "int", + "defaultValue": 5, + "metadata": { + "description": "Instance count for node type" + } + } + }, + "variables": { + "computeLocation": "[parameters('clusterLocation')]", + "dnsName": "[parameters('clusterName')]", + "vmName": "vm", + "virtualNetworkName": "VNet", + "addressPrefix": "10.0.0.0/16", + "nicName": "NIC", + "lbIPName": "PublicIP-LB-FE", + "vnetID": "[resourceId('Microsoft.Network/virtualNetworks',variables('virtualNetworkName'))]", + "overProvision": "false", + "vmssApiVersion": "2017-03-30", + "lbApiVersion": "2015-06-15", + "vNetApiVersion": "2015-06-15", + "storageApiVersion": "2016-01-01", + "publicIPApiVersion": "2015-06-15", + "nt0applicationStartPort": "20000", + "nt0applicationEndPort": "30000", + "nt0ephemeralStartPort": "49152", + "nt0ephemeralEndPort": "65534", + "nt0fabricTcpGatewayPort": "19000", + "nt0fabricHttpGatewayPort": "19080", + "subnet0Name": "Subnet-0", + 
"subnet0Prefix": "10.0.0.0/24", + "subnet0Ref": "[concat(variables('vnetID'),'/subnets/',variables('subnet0Name'))]", + "supportLogStorageAccountName": "[toLower( concat( uniqueString(resourceGroup().id),'2'))]", + "applicationDiagnosticsStorageAccountName": "[toLower(concat(uniqueString(resourceGroup().id), '3' ))]", + "lbID0": "[resourceId('Microsoft.Network/loadBalancers',concat('LB','-', parameters('clusterName'),'-',variables('vmNodeType0Name')))]", + "lbIPConfig0": "[concat(variables('lbID0'),'/frontendIPConfigurations/LoadBalancerIPConfig')]", + "lbPoolID0": "[concat(variables('lbID0'),'/backendAddressPools/LoadBalancerBEAddressPool')]", + "lbProbeID0": "[concat(variables('lbID0'),'/probes/FabricGatewayProbe')]", + "lbHttpProbeID0": "[concat(variables('lbID0'),'/probes/FabricHttpGatewayProbe')]", + "lbNatPoolID0": "[concat(variables('lbID0'),'/inboundNatPools/LoadBalancerBEAddressNatPool')]", + "vmNodeType0Name": "[toLower(concat('NT1', variables('vmName')))]", + "vmNodeType0Size": "Standard_DS2_v2" + }, + "resources": [ + { + "apiVersion": "[variables('storageApiVersion')]", + "type": "Microsoft.Storage/storageAccounts", + "name": "[variables('supportLogStorageAccountName')]", + "location": "[variables('computeLocation')]", + "dependsOn": [], + "properties": {}, + "kind": "Storage", + "sku": { + "name": "[parameters('supportLogStorageAccountType')]" + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + }, + { + "apiVersion": "[variables('storageApiVersion')]", + "type": "Microsoft.Storage/storageAccounts", + "name": "[variables('applicationDiagnosticsStorageAccountName')]", + "location": "[variables('computeLocation')]", + "dependsOn": [], + "properties": {}, + "kind": "Storage", + "sku": { + "name": "[parameters('applicationDiagnosticsStorageAccountType')]" + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + }, + { + "apiVersion": 
"[variables('vNetApiVersion')]", + "type": "Microsoft.Network/virtualNetworks", + "name": "[variables('virtualNetworkName')]", + "location": "[variables('computeLocation')]", + "properties": { + "addressSpace": { + "addressPrefixes": [ + "[variables('addressPrefix')]" + ] + }, + "subnets": [ + { + "name": "[variables('subnet0Name')]", + "properties": { + "addressPrefix": "[variables('subnet0Prefix')]" + } + } + ] + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + }, + { + "apiVersion": "[variables('publicIPApiVersion')]", + "type": "Microsoft.Network/publicIPAddresses", + "name": "[concat(variables('lbIPName'),'-','0')]", + "location": "[variables('computeLocation')]", + "properties": { + "dnsSettings": { + "domainNameLabel": "[variables('dnsName')]" + }, + "publicIPAllocationMethod": "Dynamic" + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + }, + { + "apiVersion": "[variables('lbApiVersion')]", + "type": "Microsoft.Network/loadBalancers", + "name": "[concat('LB','-', parameters('clusterName'),'-',variables('vmNodeType0Name'))]", + "location": "[variables('computeLocation')]", + "dependsOn": [ + "[concat('Microsoft.Network/publicIPAddresses/',concat(variables('lbIPName'),'-','0'))]" + ], + "properties": { + "frontendIPConfigurations": [ + { + "name": "LoadBalancerIPConfig", + "properties": { + "publicIPAddress": { + "id": "[resourceId('Microsoft.Network/publicIPAddresses',concat(variables('lbIPName'),'-','0'))]" + } + } + } + ], + "backendAddressPools": [ + { + "name": "LoadBalancerBEAddressPool", + "properties": {} + } + ], + "loadBalancingRules": [ + { + "name": "LBRule", + "properties": { + "backendAddressPool": { + "id": "[variables('lbPoolID0')]" + }, + "backendPort": "[variables('nt0fabricTcpGatewayPort')]", + "enableFloatingIP": "false", + "frontendIPConfiguration": { + "id": "[variables('lbIPConfig0')]" + }, + "frontendPort": 
"[variables('nt0fabricTcpGatewayPort')]", + "idleTimeoutInMinutes": "5", + "probe": { + "id": "[variables('lbProbeID0')]" + }, + "protocol": "tcp" + } + }, + { + "name": "LBHttpRule", + "properties": { + "backendAddressPool": { + "id": "[variables('lbPoolID0')]" + }, + "backendPort": "[variables('nt0fabricHttpGatewayPort')]", + "enableFloatingIP": "false", + "frontendIPConfiguration": { + "id": "[variables('lbIPConfig0')]" + }, + "frontendPort": "[variables('nt0fabricHttpGatewayPort')]", + "idleTimeoutInMinutes": "5", + "probe": { + "id": "[variables('lbHttpProbeID0')]" + }, + "protocol": "tcp" + } + }, + { + "name": "LBSFReverseProxyRule", + "properties": { + "backendAddressPool": { + "id": "[variables('lbPoolID0')]" + }, + "backendPort": "[parameters('SFReverseProxyPort')]", + "enableFloatingIP": "false", + "frontendIPConfiguration": { + "id": "[variables('lbIPConfig0')]" + }, + "frontendPort": "[parameters('SFReverseProxyPort')]", + "idleTimeoutInMinutes": "5", + "probe": { + "id": "[concat(variables('lbID0'),'/probes/SFReverseProxyProbe')]" + }, + "protocol": "tcp" + } + }, + { + "name": "AppPortLBRule1", + "properties": { + "backendAddressPool": { + "id": "[variables('lbPoolID0')]" + }, + "backendPort": "[parameters('loadBalancedAppPort1')]", + "enableFloatingIP": "false", + "frontendIPConfiguration": { + "id": "[variables('lbIPConfig0')]" + }, + "frontendPort": "[parameters('loadBalancedAppPort1')]", + "idleTimeoutInMinutes": "5", + "probe": { + "id": "[concat(variables('lbID0'),'/probes/AppPortProbe1')]" + }, + "protocol": "tcp" + } + }, + { + "name": "AppPortLBRule2", + "properties": { + "backendAddressPool": { + "id": "[variables('lbPoolID0')]" + }, + "backendPort": "[parameters('loadBalancedAppPort2')]", + "enableFloatingIP": "false", + "frontendIPConfiguration": { + "id": "[variables('lbIPConfig0')]" + }, + "frontendPort": "[parameters('loadBalancedAppPort2')]", + "idleTimeoutInMinutes": "5", + "probe": { + "id": 
"[concat(variables('lbID0'),'/probes/AppPortProbe2')]" + }, + "protocol": "tcp" + } + } + ], + "probes": [ + { + "name": "FabricGatewayProbe", + "properties": { + "intervalInSeconds": 5, + "numberOfProbes": 2, + "port": "[variables('nt0fabricTcpGatewayPort')]", + "protocol": "tcp" + } + }, + { + "name": "FabricHttpGatewayProbe", + "properties": { + "intervalInSeconds": 5, + "numberOfProbes": 2, + "port": "[variables('nt0fabricHttpGatewayPort')]", + "protocol": "tcp" + } + }, + { + "name": "SFReverseProxyProbe", + "properties": { + "intervalInSeconds": 5, + "numberOfProbes": 2, + "port": "[parameters('SFReverseProxyPort')]", + "protocol": "tcp" + } + }, + { + "name": "AppPortProbe1", + "properties": { + "intervalInSeconds": 5, + "numberOfProbes": 2, + "port": "[parameters('loadBalancedAppPort1')]", + "protocol": "tcp" + } + }, + { + "name": "AppPortProbe2", + "properties": { + "intervalInSeconds": 5, + "numberOfProbes": 2, + "port": "[parameters('loadBalancedAppPort2')]", + "protocol": "tcp" + } + } + ], + "inboundNatPools": [ + { + "name": "LoadBalancerBEAddressNatPool", + "properties": { + "backendPort": "3389", + "frontendIPConfiguration": { + "id": "[variables('lbIPConfig0')]" + }, + "frontendPortRangeEnd": "4500", + "frontendPortRangeStart": "3389", + "protocol": "tcp" + } + } + ] + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + }, + { + "apiVersion": "[variables('vmssApiVersion')]", + "type": "Microsoft.Compute/virtualMachineScaleSets", + "name": "[variables('vmNodeType0Name')]", + "location": "[variables('computeLocation')]", + "dependsOn": [ + "[concat('Microsoft.Network/virtualNetworks/', variables('virtualNetworkName'))]", + "[concat('Microsoft.Network/loadBalancers/', concat('LB','-', parameters('clusterName'),'-',variables('vmNodeType0Name')))]", + "[concat('Microsoft.Storage/storageAccounts/', variables('supportLogStorageAccountName'))]", + "[concat('Microsoft.Storage/storageAccounts/', 
variables('applicationDiagnosticsStorageAccountName'))]" + ], + "properties": { + "overprovision": "[variables('overProvision')]", + "upgradePolicy": { + "mode": "Automatic" + }, + "virtualMachineProfile": { + "extensionProfile": { + "extensions": [ + { + "name": "[concat('ServiceFabricNodeVmExt','_vmNodeType0Name')]", + "properties": { + "type": "ServiceFabricNode", + "autoUpgradeMinorVersion": false, + "protectedSettings": { + "StorageAccountKey1": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('supportLogStorageAccountName')),'2015-05-01-preview').key1]", + "StorageAccountKey2": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('supportLogStorageAccountName')),'2015-05-01-preview').key2]" + }, + "publisher": "Microsoft.Azure.ServiceFabric", + "settings": { + "clusterEndpoint": "[reference(parameters('clusterName')).clusterEndpoint]", + "nodeTypeRef": "[variables('vmNodeType0Name')]", + "dataPath": "D:\\\\SvcFab", + "durabilityLevel": "Bronze", + "nicPrefixOverride": "[variables('subnet0Prefix')]", + "certificate": { + "thumbprint": "[parameters('clusterCertificateThumbprint')]", + "x509StoreName": "[parameters('clusterCertificateStoreValue')]" + }, + "reverseProxyCertificate": { + "thumbprint": "[parameters('sfReverseProxyCertificateThumbprint')]", + "x509StoreName": "[parameters('sfReverseProxyCertificateStoreValue')]" + } + }, + "typeHandlerVersion": "1.0" + } + }, + { + "name": "[concat('VMDiagnosticsVmExt','_vmNodeType0Name')]", + "properties": { + "type": "IaaSDiagnostics", + "autoUpgradeMinorVersion": true, + "protectedSettings": { + "storageAccountName": "[variables('applicationDiagnosticsStorageAccountName')]", + "storageAccountKey": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('applicationDiagnosticsStorageAccountName')),'2015-05-01-preview').key1]", + "storageAccountEndPoint": "https://core.windows.net/" + }, + "publisher": "Microsoft.Azure.Diagnostics", + "settings": { + "WadCfg": { + 
"DiagnosticMonitorConfiguration": { + "overallQuotaInMB": "50000", + "EtwProviders": { + "EtwEventSourceProviderConfiguration": [ + { + "provider": "Microsoft-ServiceFabric-Actors", + "scheduledTransferKeywordFilter": "1", + "scheduledTransferPeriod": "PT5M", + "DefaultEvents": { + "eventDestination": "ServiceFabricReliableActorEventTable" + } + }, + { + "provider": "Microsoft-ServiceFabric-Services", + "scheduledTransferPeriod": "PT5M", + "DefaultEvents": { + "eventDestination": "ServiceFabricReliableServiceEventTable" + } + } + ], + "EtwManifestProviderConfiguration": [ + { + "provider": "cbd93bc2-71e5-4566-b3a7-595d8eeca6e8", + "scheduledTransferLogLevelFilter": "Information", + "scheduledTransferKeywordFilter": "4611686018427387904", + "scheduledTransferPeriod": "PT5M", + "DefaultEvents": { + "eventDestination": "ServiceFabricSystemEventTable" + } + } + ] + } + } + }, + "StorageAccount": "[variables('applicationDiagnosticsStorageAccountName')]" + }, + "typeHandlerVersion": "1.5" + } + } + ] + }, + "networkProfile": { + "networkInterfaceConfigurations": [ + { + "name": "[concat(variables('nicName'), '-0')]", + "properties": { + "ipConfigurations": [ + { + "name": "[concat(variables('nicName'),'-',0)]", + "properties": { + "loadBalancerBackendAddressPools": [ + { + "id": "[variables('lbPoolID0')]" + } + ], + "loadBalancerInboundNatPools": [ + { + "id": "[variables('lbNatPoolID0')]" + } + ], + "subnet": { + "id": "[variables('subnet0Ref')]" + } + } + } + ], + "primary": true + } + } + ] + }, + "osProfile": { + "adminPassword": "[parameters('adminPassword')]", + "adminUsername": "[parameters('adminUsername')]", + "computernamePrefix": "[variables('vmNodeType0Name')]", + "secrets": [ + { + "sourceVault": { + "id": "[parameters('sourceVaultValue')]" + }, + "vaultCertificates": [ + { + "certificateStore": "[parameters('clusterCertificateStorevalue')]", + "certificateUrl": "[parameters('clusterCertificateUrlValue')]" + }, + { + "certificateStore": 
"[parameters('sfReverseProxyCertificateStoreValue')]", + "certificateUrl": "[parameters('sfReverseProxyCertificateUrlValue')]" + } + ] + } + ] + }, + "storageProfile": { + "imageReference": { + "publisher": "[parameters('vmImagePublisher')]", + "offer": "[parameters('vmImageOffer')]", + "sku": "[parameters('vmImageSku')]", + "version": "[parameters('vmImageVersion')]" + }, + "osDisk": { + "createOption": "FromImage", + "caching": "ReadOnly", + "managedDisk": { + "storageAccountType": "[parameters('storageAccountType')]" + } + } + } + } + }, + "sku": { + "name": "[variables('vmNodeType0Size')]", + "capacity": "[parameters('nt0InstanceCount')]", + "tier": "Standard" + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + }, + { + "apiVersion": "2016-09-01", + "type": "Microsoft.ServiceFabric/clusters", + "name": "[parameters('clusterName')]", + "location": "[parameters('clusterLocation')]", + "dependsOn": [ + "[concat('Microsoft.Storage/storageAccounts/', variables('supportLogStorageAccountName'))]" + ], + "properties": { + "certificate": { + "thumbprint": "[parameters('clusterCertificateThumbprint')]", + "x509StoreName": "[parameters('clusterCertificateStoreValue')]" + }, + "reverseProxyCertificate": { + "thumbprint": "[parameters('sfReverseProxyCertificateThumbprint')]", + "x509StoreName": "[parameters('sfReverseProxyCertificateStoreValue')]" + }, + "clientCertificateCommonNames": [], + "clientCertificateThumbprints": [], + "clusterState": "Default", + "diagnosticsStorageAccountConfig": { + "blobEndpoint": "[reference(concat('Microsoft.Storage/storageAccounts/', variables('supportLogStorageAccountName')), variables('storageApiVersion')).primaryEndpoints.blob]", + "protectedAccountKeyName": "StorageAccountKey1", + "queueEndpoint": "[reference(concat('Microsoft.Storage/storageAccounts/', variables('supportLogStorageAccountName')), variables('storageApiVersion')).primaryEndpoints.queue]", + "storageAccountName": 
"[variables('supportLogStorageAccountName')]", + "tableEndpoint": "[reference(concat('Microsoft.Storage/storageAccounts/', variables('supportLogStorageAccountName')), variables('storageApiVersion')).primaryEndpoints.table]" + }, + "fabricSettings": [ + { + "parameters": [ + { + "name": "ClusterProtectionLevel", + "value": "[parameters('clusterProtectionLevel')]" + } + ], + "name": "Security" + }, + { + "name": "ApplicationGateway/Http", + "parameters": [ + { + "name": "ApplicationCertificateValidationPolicy", + "value": "ServiceCertificateThumbprints" + }, + { + "name": "ServiceCertificateThumbprints", + "value": "[parameters('serviceCertificateThumbprints')]" + } + ] + } + ], + "managementEndpoint": "[concat('https://',reference(concat(variables('lbIPName'),'-','0')).dnsSettings.fqdn,':',variables('nt0fabricHttpGatewayPort'))]", + "nodeTypes": [ + { + "name": "[variables('vmNodeType0Name')]", + "applicationPorts": { + "endPort": "[variables('nt0applicationEndPort')]", + "startPort": "[variables('nt0applicationStartPort')]" + }, + "clientConnectionEndpointPort": "[variables('nt0fabricTcpGatewayPort')]", + "durabilityLevel": "Bronze", + "ephemeralPorts": { + "endPort": "[variables('nt0ephemeralEndPort')]", + "startPort": "[variables('nt0ephemeralStartPort')]" + }, + "httpGatewayEndpointPort": "[variables('nt0fabricHttpGatewayPort')]", + "reverseProxyEndpointPort": "[parameters('SFReverseProxyPort')]", + "isPrimary": true, + "vmInstanceCount": "[parameters('nt0InstanceCount')]" + } + ], + "provisioningState": "Default", + "reliabilityLevel": "Silver", + "upgradeMode": "Automatic", + "vmImage": "Windows" + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + } + ], + "outputs": { + "clusterProperties": { + "value": "[reference(parameters('clusterName'))]", + "type": "object" + } + } +} \ No newline at end of file 
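Review bot: `LBSFReverseProxyRule` and `SFReverseProxyProbe` publish the reverse proxy port (`SFReverseProxyPort`, default 19008) on the internet-facing load balancer, and the template creates no network security group for `Subnet-0`, so anyone who can reach the public IP can forward requests through the reverse proxy to every service in the cluster that exposes an HTTP endpoint, including services intended to be reachable only from inside the VNet — the reverse proxy does not authenticate its callers. The `ServiceCertificateThumbprints` pinning added in `fabricSettings` secures only the reverse-proxy-to-service hop and does not constrain who may talk to the proxy, so the "Secure" in the file name is only half true as deployed. Either drop the `LBSFReverseProxyRule` load-balancing rule and `SFReverseProxyProbe` so the proxy is reachable only within the VNet, or attach an NSG to the subnet that restricts source ranges for 19008 and for the `LoadBalancerBEAddressNatPool` RDP forwarding (backend 3389 from frontend 3389–4500), which is likewise open to any source here. Also worth a note in the `clusterCertificateThumbprint` description: with `clientCertificateThumbprints` and `clientCertificateCommonNames` both empty, the cluster certificate installed on every node is the sole credential with admin access to the management endpoint, so its private key should be treated as a cluster-admin secret.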
diff --git a/Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_ServiceCertValidationThumbprints.parameters.json b/Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_ServiceCertValidationThumbprints.parameters.json new file mode 100644 index 0000000..79b05be --- /dev/null +++ b/Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_ServiceCertValidationThumbprints.parameters.json 
@@ -0,0 +1,75 @@
+{
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "clusterLocation": {
+ "value": "westus"
+ },
+ "clusterName": {
+ "value": "Cluster"
+ },
+ "adminUserName": {
+ "value": "admuser"
+ },
+ "adminPassword": {
+ "value": "val$$$"
+ },
+ "vmImagePublisher": {
+ "value": "MicrosoftWindowsServer"
+ },
+ "vmImageOffer": {
+ "value": "WindowsServer"
+ },
+ "vmImageSku": {
+ "value": "2012-R2-Datacenter"
+ },
+ "vmImageVersion": {
+ "value": "latest"
+ },
+ "loadBalancedAppPort1": {
+ "value": 80
+ },
+ "loadBalancedAppPort2": {
+ "value": 8081
+ },
+ "clusterCertificateStorevalue": {
+ "value": "My"
+ },
+ "clusterCertificateThumbprint": {
+ "value": "thumbprint value"
+ },
+ "sourceVaultvalue": {
+ "value": "/subscriptions/subscription value/resourceGroups/key vault resource group name/providers/Microsoft.KeyVault/vaults/key vault name"
+ },
+ "clusterCertificateUrlvalue": {
+ "value": "Refers to the location URL in your key vault where the certificate was uploaded, it is should be in the format of https://.vault.azure.net:443/secrets/"
+ },
+ "sfReverseProxyCertificateStorevalue": {
+ "value": "My"
+ },
+ "sfReverseProxyCertificateThumbprint": {
+ "value": "thumbprint value"
+ },
+ "sfReverseProxyCertificateUrlvalue": {
+ "value": "Refers to the location URL in your key vault where the certificate was uploaded, it is should be in the format of https://.vault.azure.net:443/secrets/"
+ },
+ "clusterProtectionLevel": {
+ "value": "EncryptAndSign"
+ },
+ "serviceCertificateThumbprints": {
+ "value": "Comma separated list of certificate thumbprints that the reverse proxy will accept."
+ },
+ "storageAccountType": {
+ "value": "Standard_LRS"
+ },
+ "supportLogStorageAccountType": {
+ "value": "Standard_LRS"
+ },
+ "applicationDiagnosticsStorageAccountType": {
+ "value": "Standard_LRS"
+ },
+ "nt0InstanceCount": {
+ "value": 5
+ }
+ }
+}
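Review bot: The committed `serviceCertificateThumbprints` value is a descriptive sentence, and the companion template copies this parameter verbatim into the `ApplicationGateway/Http` → `ServiceCertificateThumbprints` fabric setting, so deploying this file unchanged configures the reverse proxy with an allow-list that contains no valid thumbprint; presumably it then rejects every service certificate (fail closed), but that should be confirmed rather than assumed. Use a placeholder that shows the expected shape, e.g. `"value": "<SHA-1 thumbprint 1>,<SHA-1 thumbprint 2>"`, and add a note that this pins individual leaf certificates, so every service-certificate rotation requires a cluster configuration upgrade to refresh the list — otherwise the proxy silently stops reaching the renewed service. `adminPassword` is also a plaintext literal here (`"value": "val$$$"`); prefer a Key Vault `reference` object or an unmistakable placeholder over a committed credential.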
diff --git a/Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_Step1.json b/Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_Step1.json new file mode 100644 index 0000000..1b16961 --- /dev/null +++ b/Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_Step1.json 
@@ -0,0 +1,662 @@ +{ + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json", + "contentVersion": "1.0.0.0", + "parameters": { + "clusterLocation": { + "type": "string", + "metadata": { + "description": "Location of the Cluster" + } + }, + "clusterName": { + "type": "string", + "defaultValue": "sfcluster", + "metadata": { + "description": "Name of your cluster - Between 3 and 23 characters. Letters and numbers only" + } + }, + "adminUserName": { + "type": "string", + "metadata": { + "description": "Remote desktop user Id" + } + }, + "adminPassword": { + "type": "securestring", + "metadata": { + "description": "Remote desktop user password. Must be a strong password" + } + }, + "vmImagePublisher": { + "type": "string", + "defaultValue": "MicrosoftWindowsServer", + "metadata": { + "description": "VM image Publisher"} + }, + "vmImageOffer": { + "type": "string", + "defaultValue": "WindowsServer", + "metadata": { + "description": "VM image offer"} + }, + "vmImageSku": { + "type": "string", + "defaultValue": "2012-R2-Datacenter", + "metadata": { + "description": "VM image SKU"} + }, + "vmImageVersion": { + "type": "string", + "defaultValue": "latest", + "metadata": { + "description": "VM image version"} + }, + "loadBalancedAppPort1": { + "type": "int", + "defaultValue": 80, + "metadata": { + "description": "Input endpoint1 for the application to use. Replace it with what your application uses" + } + }, + "loadBalancedAppPort2": { + "type": "int", + "defaultValue": 8081, + "metadata": { + "description": "Input endpoint2 for the application to use. 
Replace it with what your application uses" + } + }, + "clusterCertificateStoreValue": { + "type": "string", + "allowedValues": [ + "My" + ], + "defaultValue": "My", + "metadata": { + "description": "The store name where the cert will be deployed in the virtual machine" + } + }, + "clusterCertificateThumbprint": { + "type": "string", + "metadata": { + "description": "Certificate Thumbprint" + } + }, + "sourceVaultValue": { + "type": "string", + "metadata": { + "description": "Resource Id of the key vault, is should be in the format of /subscriptions//resourceGroups//providers/Microsoft.KeyVault/vaults/" + } + }, + "clusterCertificateUrlValue": { + "type": "string", + "metadata": { + "description": "Refers to the location URL in your key vault where the certificate was uploaded, it is should be in the format of https://.vault.azure.net:443/secrets/" + } + }, + "clusterProtectionLevel": { + "type": "string", + "allowedValues": [ + "None", + "Sign", + "EncryptAndSign" + ], + "defaultValue": "EncryptAndSign", + "metadata": { + "description": "Protection level.Three values are allowed - EncryptAndSign, Sign, None. 
It is best to keep the default of EncryptAndSign, unless you have a need not to"
+ }
+ },
+ "storageAccountType": {
+ "type": "string",
+ "allowedValues": [
+ "Standard_LRS",
+ "Premium_LRS"
+ ],
+ "defaultValue": "Standard_LRS",
+ "metadata": {
+ "description": "Replication option for the VM image storage account"
+ }
+ },
+ "supportLogStorageAccountType": {
+ "type": "string",
+ "allowedValues": [
+ "Standard_LRS",
+ "Standard_GRS"
+ ],
+ "defaultValue": "Standard_LRS",
+ "metadata": {
+ "description": "Replication option for the support log storage account"
+ }
+ },
+ "applicationDiagnosticsStorageAccountType": {
+ "type": "string",
+ "allowedValues": [
+ "Standard_LRS",
+ "Standard_GRS"
+ ],
+ "defaultValue": "Standard_LRS",
+ "metadata": {
+ "description": "Replication option for the application diagnostics storage account"
+ }
+ },
+ "nt0InstanceCount": {
+ "type": "int",
+ "defaultValue": 5,
+ "metadata": {
+ "description": "Instance count for node type"
+ }
+ }
+ },
+ "variables": {
+ "computeLocation": "[parameters('clusterLocation')]",
+ "dnsName": "[parameters('clusterName')]",
+ "vmName": "vm",
+ "vmStorageAccountContainerName": "vhds",
+ "virtualNetworkName": "VNet",
+ "addressPrefix": "10.0.0.0/16",
+ "nicName": "NIC",
+ "lbIPName": "PublicIP-LB-FE",
+ "vnetID": "[resourceId('Microsoft.Network/virtualNetworks',variables('virtualNetworkName'))]",
+ "overProvision": "false",
+ "vmssApiVersion": "2017-03-30",
+ "lbApiVersion": "2015-06-15",
+ "vNetApiVersion": "2015-06-15",
+ "storageApiVersion": "2016-01-01",
+ "publicIPApiVersion": "2015-06-15",
+ "nt0applicationStartPort": "20000",
+ "nt0applicationEndPort": "30000",
+ "nt0ephemeralStartPort": "49152",
+ "nt0ephemeralEndPort": "65534",
+ "nt0fabricTcpGatewayPort": "19000",
+ "nt0fabricHttpGatewayPort": "19080",
+ "subnet0Name": "Subnet-0",
+ "subnet0Prefix": "10.0.0.0/24",
+ "subnet0Ref": "[concat(variables('vnetID'),'/subnets/',variables('subnet0Name'))]",
+ "supportLogStorageAccountName": "[toLower( concat( uniqueString(resourceGroup().id),'2'))]",
+ "applicationDiagnosticsStorageAccountName": "[toLower(concat(uniqueString(resourceGroup().id), '3' ))]",
+ "lbID0": "[resourceId('Microsoft.Network/loadBalancers',concat('LB','-', parameters('clusterName'),'-',variables('vmNodeType0Name')))]",
+ "lbIPConfig0": "[concat(variables('lbID0'),'/frontendIPConfigurations/LoadBalancerIPConfig')]",
+ "lbPoolID0": "[concat(variables('lbID0'),'/backendAddressPools/LoadBalancerBEAddressPool')]",
+ "lbProbeID0": "[concat(variables('lbID0'),'/probes/FabricGatewayProbe')]",
+ "lbHttpProbeID0": "[concat(variables('lbID0'),'/probes/FabricHttpGatewayProbe')]",
+ "lbNatPoolID0": "[concat(variables('lbID0'),'/inboundNatPools/LoadBalancerBEAddressNatPool')]",
+ "vmNodeType0Name": "[toLower(concat('NT1', variables('vmName')))]",
+ "vmNodeType0Size": "Standard_DS2_v2"
+ },
+ "resources": [
+ {
+ "apiVersion": "[variables('storageApiVersion')]",
+ "type": "Microsoft.Storage/storageAccounts",
+ "name": "[variables('supportLogStorageAccountName')]",
+ "location": "[variables('computeLocation')]",
+ "dependsOn": [],
+ "properties": {},
+ "kind": "Storage",
+ "sku": {
+ "name": "[parameters('supportLogStorageAccountType')]"
+ },
+ "tags": {
+ "resourceType": "Service Fabric",
+ "clusterName": "[parameters('clusterName')]"
+ }
+ },
+ {
+ "apiVersion": "[variables('storageApiVersion')]",
+ "type": "Microsoft.Storage/storageAccounts",
+ "name": "[variables('applicationDiagnosticsStorageAccountName')]",
+ "location": "[variables('computeLocation')]",
+ "dependsOn": [],
+ "properties": {},
+ "kind": "Storage",
+ "sku": {
+ "name": "[parameters('applicationDiagnosticsStorageAccountType')]"
+ },
+ "tags": {
+ "resourceType": "Service Fabric",
+ "clusterName": "[parameters('clusterName')]"
+ }
+ },
+ {
+ "apiVersion": "[variables('vNetApiVersion')]",
+ "type": "Microsoft.Network/virtualNetworks",
+ "name": "[variables('virtualNetworkName')]",
+ "location": "[variables('computeLocation')]",
+ "properties": {
+ "addressSpace": {
+ "addressPrefixes": [
+ "[variables('addressPrefix')]"
+ ]
+ },
+ "subnets": [
+ {
+ "name": "[variables('subnet0Name')]",
+ "properties": {
+ "addressPrefix": "[variables('subnet0Prefix')]"
+ }
+ }
+ ]
+ },
+ "tags": {
+ "resourceType": "Service Fabric",
+ "clusterName": "[parameters('clusterName')]"
+ }
+ },
+ {
+ "apiVersion": "[variables('publicIPApiVersion')]",
+ "type": "Microsoft.Network/publicIPAddresses",
+ "name": "[concat(variables('lbIPName'),'-','0')]",
+ "location": "[variables('computeLocation')]",
+ "properties": {
+ "dnsSettings": {
+ "domainNameLabel": "[variables('dnsName')]"
+ },
+ "publicIPAllocationMethod": "Dynamic"
+ },
+ "tags": {
+ "resourceType": "Service Fabric",
+ "clusterName": "[parameters('clusterName')]"
+ }
+ },
+ {
+ "apiVersion": "[variables('lbApiVersion')]",
+ "type": "Microsoft.Network/loadBalancers",
+ "name": "[concat('LB','-', parameters('clusterName'),'-',variables('vmNodeType0Name'))]",
+ "location": "[variables('computeLocation')]",
+ "dependsOn": [
+ "[concat('Microsoft.Network/publicIPAddresses/',concat(variables('lbIPName'),'-','0'))]"
+ ],
+ "properties": {
+ "frontendIPConfigurations": [
+ {
+ "name": "LoadBalancerIPConfig",
+ "properties": {
+ "publicIPAddress": {
+ "id": "[resourceId('Microsoft.Network/publicIPAddresses',concat(variables('lbIPName'),'-','0'))]"
+ }
+ }
+ }
+ ],
+ "backendAddressPools": [
+ {
+ "name": "LoadBalancerBEAddressPool",
+ "properties": {}
+ }
+ ],
+ "loadBalancingRules": [
+ {
+ "name": "LBRule",
+ "properties": {
+ "backendAddressPool": {
+ "id": "[variables('lbPoolID0')]"
+ },
+ "backendPort": "[variables('nt0fabricTcpGatewayPort')]",
+ "enableFloatingIP": "false",
+ "frontendIPConfiguration": {
+ "id": "[variables('lbIPConfig0')]"
+ },
+ "frontendPort": "[variables('nt0fabricTcpGatewayPort')]",
+ "idleTimeoutInMinutes": "5",
+ "probe": {
+ "id": "[variables('lbProbeID0')]"
+ },
+ "protocol": "tcp"
+ }
+ },
+ {
+ "name": "LBHttpRule",
+ "properties": {
+ "backendAddressPool": {
+ "id": "[variables('lbPoolID0')]"
+ },
+ "backendPort": "[variables('nt0fabricHttpGatewayPort')]",
+ "enableFloatingIP": "false",
+ "frontendIPConfiguration": {
+ "id": "[variables('lbIPConfig0')]"
+ },
+ "frontendPort": "[variables('nt0fabricHttpGatewayPort')]",
+ "idleTimeoutInMinutes": "5",
+ "probe": {
+ "id": "[variables('lbHttpProbeID0')]"
+ },
+ "protocol": "tcp"
+ }
+ },
+ {
+ "name": "AppPortLBRule1",
+ "properties": {
+ "backendAddressPool": {
+ "id": "[variables('lbPoolID0')]"
+ },
+ "backendPort": "[parameters('loadBalancedAppPort1')]",
+ "enableFloatingIP": "false",
+ "frontendIPConfiguration": {
+ "id": "[variables('lbIPConfig0')]"
+ },
+ "frontendPort": "[parameters('loadBalancedAppPort1')]",
+ "idleTimeoutInMinutes": "5",
+ "probe": {
+ "id": "[concat(variables('lbID0'),'/probes/AppPortProbe1')]"
+ },
+ "protocol": "tcp"
+ }
+ },
+ {
+ "name": "AppPortLBRule2",
+ "properties": {
+ "backendAddressPool": {
+ "id": "[variables('lbPoolID0')]"
+ },
+ "backendPort": "[parameters('loadBalancedAppPort2')]",
+ "enableFloatingIP": "false",
+ "frontendIPConfiguration": {
+ "id": "[variables('lbIPConfig0')]"
+ },
+ "frontendPort": "[parameters('loadBalancedAppPort2')]",
+ "idleTimeoutInMinutes": "5",
+ "probe": {
+ "id": "[concat(variables('lbID0'),'/probes/AppPortProbe2')]"
+ },
+ "protocol": "tcp"
+ }
+ }
+ ],
+ "probes": [
+ {
+ "name": "FabricGatewayProbe",
+ "properties": {
+ "intervalInSeconds": 5,
+ "numberOfProbes": 2,
+ "port": "[variables('nt0fabricTcpGatewayPort')]",
+ "protocol": "tcp"
+ }
+ },
+ {
+ "name": "FabricHttpGatewayProbe",
+ "properties": {
+ "intervalInSeconds": 5,
+ "numberOfProbes": 2,
+ "port": "[variables('nt0fabricHttpGatewayPort')]",
+ "protocol": "tcp"
+ }
+ },
+ {
+ "name": "AppPortProbe1",
+ "properties": {
+ "intervalInSeconds": 5,
+ "numberOfProbes": 2,
+ "port": "[parameters('loadBalancedAppPort1')]",
+ "protocol": "tcp"
+ }
+ },
+ {
+ "name": "AppPortProbe2",
+ "properties": {
+ "intervalInSeconds": 5,
+ "numberOfProbes": 2,
+ "port": "[parameters('loadBalancedAppPort2')]",
+ "protocol": "tcp"
+ }
+ }
+ ],
+ "inboundNatPools": [
+ {
+ "name": "LoadBalancerBEAddressNatPool",
+ "properties": {
+ "backendPort": "3389",
+ "frontendIPConfiguration": {
+ "id": "[variables('lbIPConfig0')]"
+ },
+ "frontendPortRangeEnd": "4500",
+ "frontendPortRangeStart": "3389",
+ "protocol": "tcp"
+ }
+ }
+ ]
+ },
+ "tags": {
+ "resourceType": "Service Fabric",
+ "clusterName": "[parameters('clusterName')]"
+ }
+ },
+ {
+ "apiVersion": "[variables('vmssApiVersion')]",
+ "type": "Microsoft.Compute/virtualMachineScaleSets",
+ "name": "[variables('vmNodeType0Name')]",
+ "location": "[variables('computeLocation')]",
+ "dependsOn": [
+ "[concat('Microsoft.Network/virtualNetworks/', variables('virtualNetworkName'))]",
+ "[concat('Microsoft.Network/loadBalancers/', concat('LB','-', parameters('clusterName'),'-',variables('vmNodeType0Name')))]",
+ "[concat('Microsoft.Storage/storageAccounts/', variables('supportLogStorageAccountName'))]",
+ "[concat('Microsoft.Storage/storageAccounts/', variables('applicationDiagnosticsStorageAccountName'))]"
+ ],
+ "properties": {
+ "overprovision": "[variables('overProvision')]",
+ "upgradePolicy": {
+ "mode": "Automatic"
+ },
+ "virtualMachineProfile": {
+ "extensionProfile": {
+ "extensions": [
+ {
+ "name": "[concat('ServiceFabricNodeVmExt','_vmNodeType0Name')]",
+ "properties": {
+ "type": "ServiceFabricNode",
+ "autoUpgradeMinorVersion": false,
+ "protectedSettings": {
+ "StorageAccountKey1": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('supportLogStorageAccountName')),'2015-05-01-preview').key1]",
+ "StorageAccountKey2": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('supportLogStorageAccountName')),'2015-05-01-preview').key2]"
+ },
+ "publisher": "Microsoft.Azure.ServiceFabric",
+ "settings": {
+ "clusterEndpoint": "[reference(parameters('clusterName')).clusterEndpoint]",
+ "nodeTypeRef": "[variables('vmNodeType0Name')]",
+ "dataPath": "D:\\\\SvcFab",
+ "durabilityLevel": "Bronze",
+ "nicPrefixOverride": "[variables('subnet0Prefix')]",
+ "certificate": {
+ "thumbprint": "[parameters('clusterCertificateThumbprint')]",
+ "x509StoreName": "[parameters('clusterCertificateStoreValue')]"
+ }
+ },
+ "typeHandlerVersion": "1.0"
+ }
+ },
+ {
+ "name": "[concat('VMDiagnosticsVmExt','_vmNodeType0Name')]",
+ "properties": {
+ "type": "IaaSDiagnostics",
+ "autoUpgradeMinorVersion": true,
+ "protectedSettings": {
+ "storageAccountName": "[variables('applicationDiagnosticsStorageAccountName')]",
+ "storageAccountKey": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('applicationDiagnosticsStorageAccountName')),'2015-05-01-preview').key1]",
+ "storageAccountEndPoint": "https://core.windows.net/"
+ },
+ "publisher": "Microsoft.Azure.Diagnostics",
+ "settings": {
+ "WadCfg": {
+ "DiagnosticMonitorConfiguration": {
+ "overallQuotaInMB": "50000",
+ "EtwProviders": {
+ "EtwEventSourceProviderConfiguration": [
+ {
+ "provider": "Microsoft-ServiceFabric-Actors",
+ "scheduledTransferKeywordFilter": "1",
+ "scheduledTransferPeriod": "PT5M",
+ "DefaultEvents": {
+ "eventDestination": "ServiceFabricReliableActorEventTable"
+ }
+ },
+ {
+ "provider": "Microsoft-ServiceFabric-Services",
+ "scheduledTransferPeriod": "PT5M",
+ "DefaultEvents": {
+ "eventDestination": "ServiceFabricReliableServiceEventTable"
+ }
+ }
+ ],
+ "EtwManifestProviderConfiguration": [
+ {
+ "provider": "cbd93bc2-71e5-4566-b3a7-595d8eeca6e8",
+ "scheduledTransferLogLevelFilter": "Information",
+ "scheduledTransferKeywordFilter": "4611686018427387904",
+ "scheduledTransferPeriod": "PT5M",
+ "DefaultEvents": {
+ "eventDestination": "ServiceFabricSystemEventTable"
+ }
+ }
+ ]
+ }
+ }
+ },
+ "StorageAccount": "[variables('applicationDiagnosticsStorageAccountName')]"
+ },
+ "typeHandlerVersion": "1.5"
+ }
+ }
+ ]
+ },
+ "networkProfile": {
+ "networkInterfaceConfigurations": [
+ {
+ "name": "[concat(variables('nicName'), '-0')]",
+ "properties": {
+ "ipConfigurations": [
+ {
+ "name": "[concat(variables('nicName'),'-',0)]",
+ "properties": {
+ "loadBalancerBackendAddressPools": [
+ {
+ "id": "[variables('lbPoolID0')]"
+ }
+ ],
+ "loadBalancerInboundNatPools": [
+ {
+ "id": "[variables('lbNatPoolID0')]"
+ }
+ ],
+ "subnet": {
+ "id": "[variables('subnet0Ref')]"
+ }
+ }
+ }
+ ],
+ "primary": true
+ }
+ }
+ ]
+ },
+ "osProfile": {
+ "adminPassword": "[parameters('adminPassword')]",
+ "adminUsername": "[parameters('adminUsername')]",
+ "computernamePrefix": "[variables('vmNodeType0Name')]",
+ "secrets": [
+ {
+ "sourceVault": {
+ "id": "[parameters('sourceVaultValue')]"
+ },
+ "vaultCertificates": [
+ {
+ "certificateStore": "[parameters('clusterCertificateStorevalue')]",
+ "certificateUrl": "[parameters('clusterCertificateUrlValue')]"
+ }
+ ]
+ }
+ ]
+ },
+ "storageProfile": {
+ "imageReference": {
+ "publisher": "[parameters('vmImagePublisher')]",
+ "offer": "[parameters('vmImageOffer')]",
+ "sku": "[parameters('vmImageSku')]",
+ "version": "[parameters('vmImageVersion')]"
+ },
+ "osDisk": {
+ "managedDisk": {
+ "storageAccountType": "[parameters('storageAccountType')]"
+ },
+ "caching": "ReadOnly",
+ "createOption": "FromImage"
+ }
+ }
+ }
+ },
+ "sku": {
+ "name": "[variables('vmNodeType0Size')]",
+ "capacity": "[parameters('nt0InstanceCount')]",
+ "tier": "Standard"
+ },
+ "tags": {
+ "resourceType": "Service Fabric",
+ "clusterName": "[parameters('clusterName')]"
+ }
+ },
+ {
+ "apiVersion": "2016-09-01",
+ "type": "Microsoft.ServiceFabric/clusters",
+ "name": "[parameters('clusterName')]",
+ "location": "[parameters('clusterLocation')]",
+ "dependsOn": [
+ "[concat('Microsoft.Storage/storageAccounts/', variables('supportLogStorageAccountName'))]"
+ ],
+ "properties": {
+ "certificate": {
+ "thumbprint": "[parameters('clusterCertificateThumbprint')]",
+ "x509StoreName": "[parameters('clusterCertificateStoreValue')]"
+ },
+ "clientCertificateCommonNames": [],
+ "clientCertificateThumbprints": [],
+ "clusterState": "Default",
+ "diagnosticsStorageAccountConfig": {
+ "blobEndpoint": "[reference(concat('Microsoft.Storage/storageAccounts/', variables('supportLogStorageAccountName')), variables('storageApiVersion')).primaryEndpoints.blob]",
+ "protectedAccountKeyName": "StorageAccountKey1",
+ "queueEndpoint": "[reference(concat('Microsoft.Storage/storageAccounts/', variables('supportLogStorageAccountName')), variables('storageApiVersion')).primaryEndpoints.queue]",
+ "storageAccountName": "[variables('supportLogStorageAccountName')]",
+ "tableEndpoint": "[reference(concat('Microsoft.Storage/storageAccounts/', variables('supportLogStorageAccountName')), variables('storageApiVersion')).primaryEndpoints.table]"
+ },
+ "fabricSettings": [
+ {
+ "parameters": [
+ {
+ "name": "ClusterProtectionLevel",
+ "value": "[parameters('clusterProtectionLevel')]"
+ }
+ ],
+ "name": "Security"
+ }
+ ],
+ "managementEndpoint": "[concat('https://',reference(concat(variables('lbIPName'),'-','0')).dnsSettings.fqdn,':',variables('nt0fabricHttpGatewayPort'))]",
+ "nodeTypes": [
+ {
+ "name": "[variables('vmNodeType0Name')]",
+ "applicationPorts": {
+ "endPort": "[variables('nt0applicationEndPort')]",
+ "startPort": "[variables('nt0applicationStartPort')]"
+ },
+ "clientConnectionEndpointPort": "[variables('nt0fabricTcpGatewayPort')]",
+ "durabilityLevel": "Bronze",
+ "ephemeralPorts": {
+ "endPort": "[variables('nt0ephemeralEndPort')]",
+ "startPort": "[variables('nt0ephemeralStartPort')]"
+ },
+ "httpGatewayEndpointPort": "[variables('nt0fabricHttpGatewayPort')]",
+ "isPrimary": true,
+ "vmInstanceCount": "[parameters('nt0InstanceCount')]"
+ }
+ ],
+ "provisioningState": "Default",
+ "reliabilityLevel": "Silver",
+ "upgradeMode": "Automatic",
+ "vmImage": "Windows"
+ },
+ "tags": {
+ "resourceType": "Service Fabric",
+ "clusterName": "[parameters('clusterName')]"
+ }
+ }
+ ],
+ "outputs": {
+ "clusterProperties": {
+ "value": "[reference(parameters('clusterName'))]",
+ "type": "object"
+ }
+ }
+}
\ No newline at end of file
diff --git a/Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_Step1.parameters.json b/Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_Step1.parameters.json
new file mode 100644
index 0000000..22e1145
--- /dev/null
+++ b/Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_Step1.parameters.json
@@ -0,0 +1,63 @@
+{
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "clusterLocation": {
+ "value": "westus"
+ },
+ "clusterName": {
+ "value": "Cluster"
+ },
+ "adminUserName": {
+ "value": "admuser"
+ },
+ "adminPassword": {
+ "value": "val$$$"
+ },
+ "vmImagePublisher": {
+ "value": "MicrosoftWindowsServer"
+ },
+ "vmImageOffer": {
+ "value": "WindowsServer"
+ },
+ "vmImageSku": {
+ "value": "2012-R2-Datacenter"
+ },
+ "vmImageVersion": {
+ "value": "latest"
+ },
+ "loadBalancedAppPort1": {
+ "value": 80
+ },
+ "loadBalancedAppPort2": {
+ "value": 8081
+ },
+ "clusterCertificateStorevalue": {
+ "value": "My"
+ },
+ "clusterCertificateThumbprint": {
+ "value": "thumbprint value"
+ },
+ "sourceVaultvalue": {
+ "value": "/subscriptions/subscription value/resourceGroups/key vault resource group name/providers/Microsoft.KeyVault/vaults/key vault name"
+ },
+ "clusterCertificateUrlvalue": {
+ "value": "Refers to the location URL in your key vault where the certificate was uploaded, it is should be in the format of https://.vault.azure.net:443/secrets/"
+ },
+ "clusterProtectionLevel": {
+ "value": "EncryptAndSign"
+ },
+ "storageAccountType": {
+ "value": "Standard_LRS"
+ },
+ "supportLogStorageAccountType": {
+ "value": "Standard_LRS"
+ },
+ "applicationDiagnosticsStorageAccountType": {
+ "value": "Standard_LRS"
+ },
+ "nt0InstanceCount": {
+ "value": 5
+ }
+ }
+}
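Review bot: `adminPassword` is committed as a literal (`"value": "val$$$"`) in this parameters file, and the same value appears again in Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_Step2.parameters.json; the template declares the parameter `securestring`, but a parameters file in the repo still stores it in clear text, and a copy-paste deployment would ship a guessable RDP credential behind the load balancer's 3389 NAT pool. Prefer a Key Vault reference so the value never lands in the file, `"adminPassword": { "reference": { "keyVault": { "id": "<key vault resource id>" }, "secretName": "<secret name>" } }`, or at minimum an unmistakable placeholder such as `"<replace-with-admin-password>"`. Separately, the keys `clusterCertificateStorevalue`, `sourceVaultvalue` and `clusterCertificateUrlvalue` differ in case from the template's `...Value` declarations; ARM matches parameter names case-insensitively so this deploys, but aligning them with the template keeps the two files searchable against each other.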
diff --git a/Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_Step2.json b/Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_Step2.json
new file mode 100644
index 0000000..ab89690
--- /dev/null
+++ b/Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_Step2.json
@@ -0,0 +1,696 @@
+{
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "clusterLocation": {
+ "type": "string",
+ "metadata": {
+ "description": "Location of the Cluster"
+ }
+ },
+ "clusterName": {
+ "type": "string",
+ "defaultValue": "sfcluster",
+ "metadata": {
+ "description": "Name of your cluster - Between 3 and 23 characters. Letters and numbers only"
+ }
+ },
+ "adminUserName": {
+ "type": "string",
+ "metadata": {
+ "description": "Remote desktop user Id"
+ }
+ },
+ "adminPassword": {
+ "type": "securestring",
+ "metadata": {
+ "description": "Remote desktop user password. Must be a strong password"
+ }
+ },
+ "vmImagePublisher": {
+ "type": "string",
+ "defaultValue": "MicrosoftWindowsServer",
+ "metadata": {
+ "description": "VM image Publisher"
+ }
+ },
+ "vmImageOffer": {
+ "type": "string",
+ "defaultValue": "WindowsServer",
+ "metadata": {
+ "description": "VM image offer"
+ }
+ },
+ "vmImageSku": {
+ "type": "string",
+ "defaultValue": "2012-R2-Datacenter",
+ "metadata": {
+ "description": "VM image SKU"
+ }
+ },
+ "vmImageVersion": {
+ "type": "string",
+ "defaultValue": "latest",
+ "metadata": {
+ "description": "VM image version"
+ }
+ },
+ "loadBalancedAppPort1": {
+ "type": "int",
+ "defaultValue": 80,
+ "metadata": {
+ "description": "Input endpoint1 for the application to use. Replace it with what your application uses"
+ }
+ },
+ "loadBalancedAppPort2": {
+ "type": "int",
+ "defaultValue": 8081,
+ "metadata": {
+ "description": "Input endpoint2 for the application to use. Replace it with what your application uses"
+ }
+ },
+ "clusterCertificateStoreValue": {
+ "type": "string",
+ "allowedValues": [
+ "My"
+ ],
+ "defaultValue": "My",
+ "metadata": {
+ "description": "The store name where the cert will be deployed in the virtual machine"
+ }
+ },
+ "clusterCertificateThumbprint": {
+ "type": "string",
+ "metadata": {
+ "description": "Certificate Thumbprint"
+ }
+ },
+ "sourceVaultValue": {
+ "type": "string",
+ "metadata": {
+ "description": "Resource Id of the key vault, is should be in the format of /subscriptions//resourceGroups//providers/Microsoft.KeyVault/vaults/"
+ }
+ },
+ "clusterCertificateUrlValue": {
+ "type": "string",
+ "metadata": {
+ "description": "Refers to the location URL in your key vault where the certificate was uploaded, it is should be in the format of https://.vault.azure.net:443/secrets/"
+ }
+ },
+ "sfReverseProxyCertificateStoreValue": {
+ "type": "string",
+ "allowedValues": [
+ "My"
+ ],
+ "defaultValue": "My",
+ "metadata": {
+ "description": "The store name where the cert will be deployed in the virtual machine"
+ }
+ },
+ "sfReverseProxyCertificateThumbprint": {
+ "type": "string",
+ "metadata": {
+ "description": "Certificate Thumbprint"
+ }
+ },
+ "sfReverseProxyCertificateUrlValue": {
+ "type": "string",
+ "metadata": {
+ "description": "Refers to the location URL in your key vault where the certificate was uploaded, it is should be in the format of https://.vault.azure.net:443/secrets/"
+ }
+ },
+ "clusterProtectionLevel": {
+ "type": "string",
+ "allowedValues": [
+ "None",
+ "Sign",
+ "EncryptAndSign"
+ ],
+ "defaultValue": "EncryptAndSign",
+ "metadata": {
+ "description": "Protection level.Three values are allowed - EncryptAndSign, Sign, None. It is best to keep the default of EncryptAndSign, unless you have a need not to"
+ }
+ },
+ "storageAccountType": {
+ "type": "string",
+ "allowedValues": [
+ "Standard_LRS",
+ "Premium_LRS"
+ ],
+ "defaultValue": "Standard_LRS",
+ "metadata": {
+ "description": "Replication option for the VM image storage account"
+ }
+ },
+ "supportLogStorageAccountType": {
+ "type": "string",
+ "allowedValues": [
+ "Standard_LRS",
+ "Standard_GRS"
+ ],
+ "defaultValue": "Standard_LRS",
+ "metadata": {
+ "description": "Replication option for the support log storage account"
+ }
+ },
+ "applicationDiagnosticsStorageAccountType": {
+ "type": "string",
+ "allowedValues": [
+ "Standard_LRS",
+ "Standard_GRS"
+ ],
+ "defaultValue": "Standard_LRS",
+ "metadata": {
+ "description": "Replication option for the application diagnostics storage account"
+ }
+ },
+ "nt0InstanceCount": {
+ "type": "int",
+ "defaultValue": 5,
+ "metadata": {
+ "description": "Instance count for node type"
+ }
+ }
+ },
+ "variables": {
+ "computeLocation": "[parameters('clusterLocation')]",
+ "dnsName": "[parameters('clusterName')]",
+ "vmName": "vm",
+ "vmStorageAccountContainerName": "vhds",
+ "virtualNetworkName": "VNet",
+ "addressPrefix": "10.0.0.0/16",
+ "nicName": "NIC",
+ "lbIPName": "PublicIP-LB-FE",
+ "vnetID": "[resourceId('Microsoft.Network/virtualNetworks',variables('virtualNetworkName'))]",
+ "overProvision": "false",
+ "vmssApiVersion": "2017-03-30",
+ "lbApiVersion": "2015-06-15",
+ "vNetApiVersion": "2015-06-15",
+ "storageApiVersion": "2016-01-01",
+ "publicIPApiVersion": "2015-06-15",
+ "nt0applicationStartPort": "20000",
+ "nt0applicationEndPort": "30000",
+ "nt0ephemeralStartPort": "49152",
+ "nt0ephemeralEndPort": "65534",
+ "nt0fabricTcpGatewayPort": "19000",
+ "nt0fabricHttpGatewayPort": "19080",
+ "subnet0Name": "Subnet-0",
+ "subnet0Prefix": "10.0.0.0/24",
+ "subnet0Ref": "[concat(variables('vnetID'),'/subnets/',variables('subnet0Name'))]",
+ "supportLogStorageAccountName": "[toLower( concat( uniqueString(resourceGroup().id),'2'))]",
+ "applicationDiagnosticsStorageAccountName": "[toLower(concat(uniqueString(resourceGroup().id), '3' ))]",
+ "lbID0": "[resourceId('Microsoft.Network/loadBalancers',concat('LB','-', parameters('clusterName'),'-',variables('vmNodeType0Name')))]",
+ "lbIPConfig0": "[concat(variables('lbID0'),'/frontendIPConfigurations/LoadBalancerIPConfig')]",
+ "lbPoolID0": "[concat(variables('lbID0'),'/backendAddressPools/LoadBalancerBEAddressPool')]",
+ "lbProbeID0": "[concat(variables('lbID0'),'/probes/FabricGatewayProbe')]",
+ "lbHttpProbeID0": "[concat(variables('lbID0'),'/probes/FabricHttpGatewayProbe')]",
+ "lbNatPoolID0": "[concat(variables('lbID0'),'/inboundNatPools/LoadBalancerBEAddressNatPool')]",
+ "vmNodeType0Name": "[toLower(concat('NT1', variables('vmName')))]",
+ "vmNodeType0Size": "Standard_DS2_v2"
+ },
+ "resources": [
+ {
+ "apiVersion": "[variables('storageApiVersion')]",
+ "type": "Microsoft.Storage/storageAccounts",
+ "name": "[variables('supportLogStorageAccountName')]",
+ "location": "[variables('computeLocation')]",
+ "dependsOn": [],
+ "properties": {},
+ "kind": "Storage",
+ "sku": {
+ "name": "[parameters('supportLogStorageAccountType')]"
+ },
+ "tags": {
+ "resourceType": "Service Fabric",
+ "clusterName": "[parameters('clusterName')]"
+ }
+ },
+ {
+ "apiVersion": "[variables('storageApiVersion')]",
+ "type": "Microsoft.Storage/storageAccounts",
+ "name": "[variables('applicationDiagnosticsStorageAccountName')]",
+ "location": "[variables('computeLocation')]",
+ "dependsOn": [],
+ "properties": {},
+ "kind": "Storage",
+ "sku": {
+ "name": "[parameters('applicationDiagnosticsStorageAccountType')]"
+ },
+ "tags": {
+ "resourceType": "Service Fabric",
+ "clusterName": "[parameters('clusterName')]"
+ }
+ },
+ {
+ "apiVersion": "[variables('vNetApiVersion')]",
+ "type": "Microsoft.Network/virtualNetworks",
+ "name": "[variables('virtualNetworkName')]",
+ "location": "[variables('computeLocation')]",
+ "properties": {
+ "addressSpace": {
+ "addressPrefixes": [
+ "[variables('addressPrefix')]"
+ ]
+ },
+ "subnets": [
+ {
+ "name": "[variables('subnet0Name')]",
+ "properties": {
+ "addressPrefix": "[variables('subnet0Prefix')]"
+ }
+ }
+ ]
+ },
+ "tags": {
+ "resourceType": "Service Fabric",
+ "clusterName": "[parameters('clusterName')]"
+ }
+ },
+ {
+ "apiVersion": "[variables('publicIPApiVersion')]",
+ "type": "Microsoft.Network/publicIPAddresses",
+ "name": "[concat(variables('lbIPName'),'-','0')]",
+ "location": "[variables('computeLocation')]",
+ "properties": {
+ "dnsSettings": {
+ "domainNameLabel": "[variables('dnsName')]"
+ },
+ "publicIPAllocationMethod": "Dynamic"
+ },
+ "tags": {
+ "resourceType": "Service Fabric",
+ "clusterName": "[parameters('clusterName')]"
+ }
+ },
+ {
+ "apiVersion": "[variables('lbApiVersion')]",
+ "type": "Microsoft.Network/loadBalancers",
+ "name": "[concat('LB','-', parameters('clusterName'),'-',variables('vmNodeType0Name'))]",
+ "location": "[variables('computeLocation')]",
+ "dependsOn": [
+ "[concat('Microsoft.Network/publicIPAddresses/',concat(variables('lbIPName'),'-','0'))]"
+ ],
+ "properties": {
+ "frontendIPConfigurations": [
+ {
+ "name": "LoadBalancerIPConfig",
+ "properties": {
+ "publicIPAddress": {
+ "id": "[resourceId('Microsoft.Network/publicIPAddresses',concat(variables('lbIPName'),'-','0'))]"
+ }
+ }
+ }
+ ],
+ "backendAddressPools": [
+ {
+ "name": "LoadBalancerBEAddressPool",
+ "properties": {}
+ }
+ ],
+ "loadBalancingRules": [
+ {
+ "name": "LBRule",
+ "properties": {
+ "backendAddressPool": {
+ "id": "[variables('lbPoolID0')]"
+ },
+ "backendPort": "[variables('nt0fabricTcpGatewayPort')]",
+ "enableFloatingIP": "false",
+ "frontendIPConfiguration": {
+ "id": "[variables('lbIPConfig0')]"
+ },
+ "frontendPort": "[variables('nt0fabricTcpGatewayPort')]",
+ "idleTimeoutInMinutes": "5",
+ "probe": {
+ "id": "[variables('lbProbeID0')]"
+ },
+ "protocol": "tcp"
+ }
+ },
+ {
+ "name": "LBHttpRule",
+ "properties": {
+ "backendAddressPool": {
+ "id": "[variables('lbPoolID0')]"
+ },
+ "backendPort": "[variables('nt0fabricHttpGatewayPort')]",
+ "enableFloatingIP": "false",
+ "frontendIPConfiguration": {
+ "id": "[variables('lbIPConfig0')]"
+ },
+ "frontendPort": "[variables('nt0fabricHttpGatewayPort')]",
+ "idleTimeoutInMinutes": "5",
+ "probe": {
+ "id": "[variables('lbHttpProbeID0')]"
+ },
+ "protocol": "tcp"
+ }
+ },
+ {
+ "name": "AppPortLBRule1",
+ "properties": {
+ "backendAddressPool": {
+ "id": "[variables('lbPoolID0')]"
+ },
+ "backendPort": "[parameters('loadBalancedAppPort1')]",
+ "enableFloatingIP": "false",
+ "frontendIPConfiguration": {
+ "id": "[variables('lbIPConfig0')]"
+ },
+ "frontendPort": "[parameters('loadBalancedAppPort1')]",
+ "idleTimeoutInMinutes": "5",
+ "probe": {
+ "id": "[concat(variables('lbID0'),'/probes/AppPortProbe1')]"
+ },
+ "protocol": "tcp"
+ }
+ },
+ {
+ "name": "AppPortLBRule2",
+ "properties": {
+ "backendAddressPool": {
+ "id": "[variables('lbPoolID0')]"
+ },
+ "backendPort": "[parameters('loadBalancedAppPort2')]",
+ "enableFloatingIP": "false",
+ "frontendIPConfiguration": {
+ "id": "[variables('lbIPConfig0')]"
+ },
+ "frontendPort": "[parameters('loadBalancedAppPort2')]",
+ "idleTimeoutInMinutes": "5",
+ "probe": {
+ "id": "[concat(variables('lbID0'),'/probes/AppPortProbe2')]"
+ },
+ "protocol": "tcp"
+ }
+ }
+ ],
+ "probes": [
+ {
+ "name": "FabricGatewayProbe",
+ "properties": {
+ "intervalInSeconds": 5,
+ "numberOfProbes": 2,
+ "port": "[variables('nt0fabricTcpGatewayPort')]",
+ "protocol": "tcp"
+ }
+ },
+ {
+ "name": "FabricHttpGatewayProbe",
+ "properties": {
+ "intervalInSeconds": 5,
+ "numberOfProbes": 2,
+ "port": "[variables('nt0fabricHttpGatewayPort')]",
+ "protocol": "tcp"
+ }
+ },
+ {
+ "name": "AppPortProbe1",
+ "properties": {
+ "intervalInSeconds": 5,
+ "numberOfProbes": 2,
+ "port": "[parameters('loadBalancedAppPort1')]",
+ "protocol": "tcp"
+ }
+ },
+ {
+ "name": "AppPortProbe2",
+ "properties": {
+ "intervalInSeconds": 5,
+ "numberOfProbes": 2,
+ "port": "[parameters('loadBalancedAppPort2')]",
+ "protocol": "tcp"
+ }
+ }
+ ],
+ "inboundNatPools": [
+ {
+ "name": "LoadBalancerBEAddressNatPool",
+ "properties": {
+ "backendPort": "3389",
+ "frontendIPConfiguration": {
+ "id": "[variables('lbIPConfig0')]"
+ },
+ "frontendPortRangeEnd": "4500",
+ "frontendPortRangeStart": "3389",
+ "protocol": "tcp"
+ }
+ }
+ ]
+ },
+ "tags": {
+ "resourceType": "Service Fabric",
+ "clusterName": "[parameters('clusterName')]"
+ }
+ },
+ {
+ "apiVersion": "[variables('vmssApiVersion')]",
+ "type": "Microsoft.Compute/virtualMachineScaleSets",
+ "name": "[variables('vmNodeType0Name')]",
+ "location": "[variables('computeLocation')]",
+ "dependsOn": [
+ "[concat('Microsoft.Network/virtualNetworks/', variables('virtualNetworkName'))]",
+ "[concat('Microsoft.Network/loadBalancers/', concat('LB','-', parameters('clusterName'),'-',variables('vmNodeType0Name')))]",
+ "[concat('Microsoft.Storage/storageAccounts/', variables('supportLogStorageAccountName'))]",
+ "[concat('Microsoft.Storage/storageAccounts/', variables('applicationDiagnosticsStorageAccountName'))]"
+ ],
+ "properties": {
+ "overprovision": "[variables('overProvision')]",
+ "upgradePolicy": {
+ "mode": "Automatic"
+ },
+ "virtualMachineProfile": {
+ "extensionProfile": {
+ "extensions": [
+ {
+ "name": "[concat('ServiceFabricNodeVmExt','_vmNodeType0Name')]",
+ "properties": {
+ "type": "ServiceFabricNode",
+ "autoUpgradeMinorVersion": false,
+ "protectedSettings": {
+ "StorageAccountKey1": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('supportLogStorageAccountName')),'2015-05-01-preview').key1]",
+ "StorageAccountKey2": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('supportLogStorageAccountName')),'2015-05-01-preview').key2]"
+ },
+ "publisher": "Microsoft.Azure.ServiceFabric",
+ "settings": {
+ "clusterEndpoint": "[reference(parameters('clusterName')).clusterEndpoint]",
+ "nodeTypeRef": "[variables('vmNodeType0Name')]",
+ "dataPath": "D:\\\\SvcFab",
+ "durabilityLevel": "Bronze",
+ "nicPrefixOverride": "[variables('subnet0Prefix')]",
+ "certificate": {
+ "thumbprint": "[parameters('clusterCertificateThumbprint')]",
+ "x509StoreName": "[parameters('clusterCertificateStoreValue')]"
+ },
+ "reverseProxyCertificate": {
+ "thumbprint": "[parameters('sfReverseProxyCertificateThumbprint')]",
+ "x509StoreName": "[parameters('sfReverseProxyCertificateStoreValue')]"
+ }
+ },
+ "typeHandlerVersion": "1.0"
+ }
+ },
+ {
+ "name": "[concat('VMDiagnosticsVmExt','_vmNodeType0Name')]",
+ "properties": {
+ "type": "IaaSDiagnostics",
+ "autoUpgradeMinorVersion": true,
+ "protectedSettings": {
+ "storageAccountName": "[variables('applicationDiagnosticsStorageAccountName')]",
+ "storageAccountKey": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('applicationDiagnosticsStorageAccountName')),'2015-05-01-preview').key1]",
+ "storageAccountEndPoint": "https://core.windows.net/"
+ },
+ "publisher": "Microsoft.Azure.Diagnostics",
+ "settings": {
+ "WadCfg": {
+ "DiagnosticMonitorConfiguration": {
+ "overallQuotaInMB": "50000",
+ "EtwProviders": {
+ "EtwEventSourceProviderConfiguration": [
+ {
+ "provider": "Microsoft-ServiceFabric-Actors",
+ "scheduledTransferKeywordFilter": "1",
+ "scheduledTransferPeriod": "PT5M",
+ "DefaultEvents": {
+ "eventDestination": "ServiceFabricReliableActorEventTable"
+ }
+ },
+ {
+ "provider": "Microsoft-ServiceFabric-Services",
+ "scheduledTransferPeriod": "PT5M",
+ "DefaultEvents": {
+ "eventDestination": "ServiceFabricReliableServiceEventTable"
+ }
+ }
+ ],
+ "EtwManifestProviderConfiguration": [
+ {
+ "provider": "cbd93bc2-71e5-4566-b3a7-595d8eeca6e8",
+ "scheduledTransferLogLevelFilter": "Information",
+ "scheduledTransferKeywordFilter": "4611686018427387904",
+ "scheduledTransferPeriod": "PT5M",
+ "DefaultEvents": {
+ "eventDestination": "ServiceFabricSystemEventTable"
+ }
+ }
+ ]
+ }
+ }
+ },
+ "StorageAccount": "[variables('applicationDiagnosticsStorageAccountName')]"
+ },
+ "typeHandlerVersion": "1.5"
+ }
+ }
+ ]
+ },
+ "networkProfile": {
+ "networkInterfaceConfigurations": [
+ {
+ "name": "[concat(variables('nicName'), '-0')]",
+ "properties": {
+ "ipConfigurations": [
+ {
+ "name": "[concat(variables('nicName'),'-',0)]",
+ "properties": {
+ "loadBalancerBackendAddressPools": [
+ {
+ "id": "[variables('lbPoolID0')]"
+ }
+ ],
+ "loadBalancerInboundNatPools": [
+ {
+ "id": "[variables('lbNatPoolID0')]"
+ }
+ ],
+ "subnet": {
+ "id": "[variables('subnet0Ref')]"
+ }
+ }
+ }
+ ],
+ "primary": true
+ }
+ }
+ ]
+ },
+ "osProfile": {
+ "adminPassword": "[parameters('adminPassword')]",
+ "adminUsername": "[parameters('adminUsername')]",
+ "computernamePrefix": "[variables('vmNodeType0Name')]",
+ "secrets": [
+ {
+ "sourceVault": {
+ "id": "[parameters('sourceVaultValue')]"
+ },
+ "vaultCertificates": [
+ {
+ "certificateStore": "[parameters('clusterCertificateStorevalue')]",
+ "certificateUrl": "[parameters('clusterCertificateUrlValue')]"
+ },
+ {
+ "certificateStore": "[parameters('sfReverseProxyCertificateStoreValue')]",
+ "certificateUrl": "[parameters('sfReverseProxyCertificateUrlValue')]"
+ }
+ ]
+ }
+ ]
+ },
+ "storageProfile": {
+ "imageReference": {
+ "publisher": "[parameters('vmImagePublisher')]",
+ "offer": "[parameters('vmImageOffer')]",
+ "sku": "[parameters('vmImageSku')]",
+ "version": "[parameters('vmImageVersion')]"
+ },
+ "osDisk": {
+ "createOption": "FromImage",
+ "caching": "ReadOnly",
+ "managedDisk": {
+ "storageAccountType": "[parameters('storageAccountType')]"
+ }
+ }
+ }
+ }
+ },
+ "sku": {
+ "name": "[variables('vmNodeType0Size')]",
+ "capacity": "[parameters('nt0InstanceCount')]",
+ "tier": "Standard"
+ },
+ "tags": {
+ "resourceType": "Service Fabric",
+ "clusterName": "[parameters('clusterName')]"
+ }
+ },
+ {
+ "apiVersion": "2016-09-01",
+ "type": "Microsoft.ServiceFabric/clusters",
+ "name": "[parameters('clusterName')]",
+ "location": "[parameters('clusterLocation')]",
+ "dependsOn": [
+ "[concat('Microsoft.Storage/storageAccounts/', variables('supportLogStorageAccountName'))]"
+ ],
+ "properties": {
+ "certificate": {
+ "thumbprint": "[parameters('clusterCertificateThumbprint')]",
+ "x509StoreName": "[parameters('clusterCertificateStoreValue')]"
+ },
+ "clientCertificateCommonNames": [],
+ "clientCertificateThumbprints": [],
+ "clusterState": "Default",
+ "diagnosticsStorageAccountConfig": {
+ "blobEndpoint": "[reference(concat('Microsoft.Storage/storageAccounts/', variables('supportLogStorageAccountName')), variables('storageApiVersion')).primaryEndpoints.blob]",
+ "protectedAccountKeyName": "StorageAccountKey1",
+ "queueEndpoint": "[reference(concat('Microsoft.Storage/storageAccounts/', variables('supportLogStorageAccountName')), variables('storageApiVersion')).primaryEndpoints.queue]",
+ "storageAccountName": "[variables('supportLogStorageAccountName')]",
+ "tableEndpoint": "[reference(concat('Microsoft.Storage/storageAccounts/', variables('supportLogStorageAccountName')), variables('storageApiVersion')).primaryEndpoints.table]"
+ },
+ "fabricSettings": [
+ {
+ "parameters": [
+ {
+ "name": "ClusterProtectionLevel",
+ "value": "[parameters('clusterProtectionLevel')]"
+ }
+ ],
+ "name": "Security"
+ }
+ ],
+ "managementEndpoint": "[concat('https://',reference(concat(variables('lbIPName'),'-','0')).dnsSettings.fqdn,':',variables('nt0fabricHttpGatewayPort'))]",
+ "nodeTypes": [
+ {
+ "name": "[variables('vmNodeType0Name')]",
+ "applicationPorts": {
+ "endPort": "[variables('nt0applicationEndPort')]",
+ "startPort": "[variables('nt0applicationStartPort')]"
+ },
+ "clientConnectionEndpointPort": "[variables('nt0fabricTcpGatewayPort')]",
+ "durabilityLevel": "Bronze",
+ "ephemeralPorts": {
+ "endPort": "[variables('nt0ephemeralEndPort')]",
+ "startPort": "[variables('nt0ephemeralStartPort')]"
+ },
+ "httpGatewayEndpointPort": "[variables('nt0fabricHttpGatewayPort')]",
+ "isPrimary": true,
+ "vmInstanceCount": "[parameters('nt0InstanceCount')]"
+ }
+ ],
+ "provisioningState": "Default",
+ "reliabilityLevel": "Silver",
+ "upgradeMode": "Automatic",
+ "vmImage": "Windows"
+ },
+ "tags": {
+ "resourceType": "Service Fabric",
+ "clusterName": "[parameters('clusterName')]"
+ }
+ }
+ ],
+ "outputs": {
+ "clusterProperties": {
+ "value": "[reference(parameters('clusterName'))]",
+ "type": "object"
+ }
+ }
+}
\ No newline at end of file
diff --git a/Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_Step2.parameters.json b/Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_Step2.parameters.json
new file mode 100644
index 0000000..da39320
--- /dev/null
+++ b/Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_Step2.parameters.json
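Review bot: `clusterCertificateThumbprint` and `sfReverseProxyCertificateThumbprint` are declared as unconstrained strings, so the placeholder `"thumbprint value"` shipped in the parameters file passes template validation and the mismatch only surfaces when the ServiceFabricNode extension tries to bind `reverseProxyCertificate` on the scale set; adding `"minLength": 40, "maxLength": 40` to both thumbprint parameters (a SHA-1 certificate thumbprint is 40 hex characters) fails fast at validation instead. The reverse-proxy certificate is installed into the VM `My` store and wired into the node extension, but the `Microsoft.ServiceFabric/clusters` resource in this same template carries no `reverseProxyCertificate` and the node type no `reverseProxyEndpointPort`; presumably Step3 adds those, which is worth stating in the `sfReverseProxyCertificateThumbprint` description, e.g. `"Thumbprint of the reverse proxy certificate; this step only installs it on the nodes, the cluster resource is configured in Step3"`, so nobody deploys this step expecting a working reverse proxy. Style: the secrets block references `parameters('clusterCertificateStorevalue')` while the parameter is declared `clusterCertificateStoreValue`, and `parameters('adminUsername')` against `adminUserName`; both resolve because parameter lookup is case-insensitive, but matching the declared names keeps the template greppable.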
@@ -0,0 +1,72 @@
+{
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "clusterLocation": {
+ "value": "westus"
+ },
+ "clusterName": {
+ "value": "Cluster"
+ },
+ "adminUserName": {
+ "value": "admuser"
+ },
+ "adminPassword": {
+ "value": "val$$$"
+ },
+ "vmImagePublisher": {
+ "value": "MicrosoftWindowsServer"
+ },
+ "vmImageOffer": {
+ "value": "WindowsServer"
+ },
+ "vmImageSku": {
+ "value": "2012-R2-Datacenter"
+ },
+ "vmImageVersion": {
+ "value": "latest"
+ },
+ "loadBalancedAppPort1": {
+ "value": 80
+ },
+ "loadBalancedAppPort2": {
+ "value": 8081
+ },
+ "clusterCertificateStorevalue": {
+ "value": "My"
+ },
+ "clusterCertificateThumbprint": {
+ "value": "thumbprint value"
+ },
+ "sourceVaultvalue": {
+ "value": "/subscriptions/subscription value/resourceGroups/key vault resource group name/providers/Microsoft.KeyVault/vaults/key vault name"
+ },
+ "clusterCertificateUrlvalue": {
+ "value": "Refers to the location URL in your key vault where the certificate was uploaded, it is should be in the format of https://.vault.azure.net:443/secrets/"
+ },
+ "sfReverseProxyCertificateStorevalue": {
+ "value": "My"
+ },
+ "sfReverseProxyCertificateThumbprint": {
+ "value": "thumbprint value"
+ },
+ "sfReverseProxyCertificateUrlvalue": {
+ "value": "Refers to the location URL in your key vault where the certificate was uploaded, it is should be in the format of https://.vault.azure.net:443/secrets/"
+ },
+ "clusterProtectionLevel": {
+ "value": "EncryptAndSign"
+ },
+ "storageAccountType": {
+ "value": "Standard_LRS"
+ },
+ "supportLogStorageAccountType": {
+ "value": "Standard_LRS"
+ },
+ "applicationDiagnosticsStorageAccountType": {
+ "value": "Standard_LRS"
+ },
+ "nt0InstanceCount": {
+ "value": 5
+ }
+ }
+}
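Review bot: The `adminPassword` entry near the top of this parameters file commits a literal credential (`"value": "val$$$"`) to the repository, and the Step3 parameters file in this same commit (`5-VM-1-NodeTypes-SecureRP_Step3.parameters.json`, identical blob `da39320`) carries the same value. A `securestring` parameter should be supplied from Key Vault rather than inline, e.g. `"adminPassword": { "reference": { "keyVault": { "id": "<key vault resource id>" }, "secretName": "<secret name>" } }`, or omitted so the deployment prompts for it, and the same applies to the Step3 copy. The certificate keys are also cased differently from the template's declarations (`clusterCertificateStorevalue`, `sourceVaultvalue`, `clusterCertificateUrlvalue`, `sfReverseProxyCertificateStorevalue`, `sfReverseProxyCertificateUrlvalue` here versus `...Value` in `5-VM-1-NodeTypes-SecureRP_Step3.json`); as far as I know ARM resolves parameter names case-insensitively, so this deploys, but matching the template's spelling avoids a confusing diff for anyone comparing the two. The template's own `osProfile` has the same inconsistency with `parameters('clusterCertificateStorevalue')` and `parameters('adminUsername')`, which would be worth aligning in the same pass.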
diff --git a/Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_Step3.json b/Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_Step3.json
new file mode 100644
index 0000000..02f9cce
--- /dev/null
+++ b/Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_Step3.json
@@ -0,0 +1,735 @@ +{ + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json", + "contentVersion": "1.0.0.0", + "parameters": { + "clusterLocation": { + "type": "string", + "metadata": { + "description": "Location of the Cluster" + } + }, + "clusterName": { + "type": "string", + "defaultValue": "sfcluster", + "metadata": { + "description": "Name of your cluster - Between 3 and 23 characters. Letters and numbers only" + } + }, + "adminUserName": { + "type": "string", + "metadata": { + "description": "Remote desktop user Id" + } + }, + "adminPassword": { + "type": "securestring", + "metadata": { + "description": "Remote desktop user password. Must be a strong password" + } + }, + "vmImagePublisher": { + "type": "string", + "defaultValue": "MicrosoftWindowsServer", + "metadata": { + "description": "VM image Publisher" + } + }, + "vmImageOffer": { + "type": "string", + "defaultValue": "WindowsServer", + "metadata": { + "description": "VM image offer" + } + }, + "vmImageSku": { + "type": "string", + "defaultValue": "2012-R2-Datacenter", + "metadata": { + "description": "VM image SKU" + } + }, + "vmImageVersion": { + "type": "string", + "defaultValue": "latest", + "metadata": { + "description": "VM image version" + } + }, + "loadBalancedAppPort1": { + "type": "int", + "defaultValue": 80, + "metadata": { + "description": "Input endpoint1 for the application to use. Replace it with what your application uses" + } + }, + "loadBalancedAppPort2": { + "type": "int", + "defaultValue": 8081, + "metadata": { + "description": "Input endpoint2 for the application to use. 
Replace it with what your application uses" + } + }, + "SFReverseProxyPort": { + "type": "int", + "defaultValue": 19008, + "metadata": { + "description": "Endpoint for Service Fabric Reverse proxy" + } + }, + "clusterCertificateStoreValue": { + "type": "string", + "allowedValues": [ + "My" + ], + "defaultValue": "My", + "metadata": { + "description": "The store name where the cert will be deployed in the virtual machine" + } + }, + "clusterCertificateThumbprint": { + "type": "string", + "metadata": { + "description": "Certificate Thumbprint" + } + }, + "sourceVaultValue": { + "type": "string", + "metadata": { + "description": "Resource Id of the key vault, is should be in the format of /subscriptions//resourceGroups//providers/Microsoft.KeyVault/vaults/" + } + }, + "clusterCertificateUrlValue": { + "type": "string", + "metadata": { + "description": "Refers to the location URL in your key vault where the certificate was uploaded, it is should be in the format of https://.vault.azure.net:443/secrets/" + } + }, + "sfReverseProxyCertificateStoreValue": { + "type": "string", + "allowedValues": [ + "My" + ], + "defaultValue": "My", + "metadata": { + "description": "The store name where the cert will be deployed in the virtual machine" + } + }, + "sfReverseProxyCertificateThumbprint": { + "type": "string", + "metadata": { + "description": "Certificate Thumbprint" + } + }, + "sfReverseProxyCertificateUrlValue": { + "type": "string", + "metadata": { + "description": "Refers to the location URL in your key vault where the certificate was uploaded, it is should be in the format of https://.vault.azure.net:443/secrets/" + } + }, + "clusterProtectionLevel": { + "type": "string", + "allowedValues": [ + "None", + "Sign", + "EncryptAndSign" + ], + "defaultValue": "EncryptAndSign", + "metadata": { + "description": "Protection level.Three values are allowed - EncryptAndSign, Sign, None. 
It is best to keep the default of EncryptAndSign, unless you have a need not to" + } + }, + "storageAccountType": { + "type": "string", + "allowedValues": [ + "Standard_LRS", + "Premium_LRS" + ], + "defaultValue": "Standard_LRS", + "metadata": { + "description": "Replication option for the VM image storage account" + } + }, + "supportLogStorageAccountType": { + "type": "string", + "allowedValues": [ + "Standard_LRS", + "Standard_GRS" + ], + "defaultValue": "Standard_LRS", + "metadata": { + "description": "Replication option for the support log storage account" + } + }, + "applicationDiagnosticsStorageAccountType": { + "type": "string", + "allowedValues": [ + "Standard_LRS", + "Standard_GRS" + ], + "defaultValue": "Standard_LRS", + "metadata": { + "description": "Replication option for the application diagnostics storage account" + } + }, + "nt0InstanceCount": { + "type": "int", + "defaultValue": 5, + "metadata": { + "description": "Instance count for node type" + } + } + }, + "variables": { + "computeLocation": "[parameters('clusterLocation')]", + "dnsName": "[parameters('clusterName')]", + "vmName": "vm", + "virtualNetworkName": "VNet", + "addressPrefix": "10.0.0.0/16", + "nicName": "NIC", + "lbIPName": "PublicIP-LB-FE", + "vnetID": "[resourceId('Microsoft.Network/virtualNetworks',variables('virtualNetworkName'))]", + "overProvision": "false", + "vmssApiVersion": "2017-03-30", + "lbApiVersion": "2015-06-15", + "vNetApiVersion": "2015-06-15", + "storageApiVersion": "2016-01-01", + "publicIPApiVersion": "2015-06-15", + "nt0applicationStartPort": "20000", + "nt0applicationEndPort": "30000", + "nt0ephemeralStartPort": "49152", + "nt0ephemeralEndPort": "65534", + "nt0fabricTcpGatewayPort": "19000", + "nt0fabricHttpGatewayPort": "19080", + "subnet0Name": "Subnet-0", + "subnet0Prefix": "10.0.0.0/24", + "subnet0Ref": "[concat(variables('vnetID'),'/subnets/',variables('subnet0Name'))]", + "supportLogStorageAccountName": "[toLower( concat( 
uniqueString(resourceGroup().id),'2'))]", + "applicationDiagnosticsStorageAccountName": "[toLower(concat(uniqueString(resourceGroup().id), '3' ))]", + "lbID0": "[resourceId('Microsoft.Network/loadBalancers',concat('LB','-', parameters('clusterName'),'-',variables('vmNodeType0Name')))]", + "lbIPConfig0": "[concat(variables('lbID0'),'/frontendIPConfigurations/LoadBalancerIPConfig')]", + "lbPoolID0": "[concat(variables('lbID0'),'/backendAddressPools/LoadBalancerBEAddressPool')]", + "lbProbeID0": "[concat(variables('lbID0'),'/probes/FabricGatewayProbe')]", + "lbHttpProbeID0": "[concat(variables('lbID0'),'/probes/FabricHttpGatewayProbe')]", + "lbNatPoolID0": "[concat(variables('lbID0'),'/inboundNatPools/LoadBalancerBEAddressNatPool')]", + "vmNodeType0Name": "[toLower(concat('NT1', variables('vmName')))]", + "vmNodeType0Size": "Standard_DS2_v2" + }, + "resources": [ + { + "apiVersion": "[variables('storageApiVersion')]", + "type": "Microsoft.Storage/storageAccounts", + "name": "[variables('supportLogStorageAccountName')]", + "location": "[variables('computeLocation')]", + "dependsOn": [], + "properties": {}, + "kind": "Storage", + "sku": { + "name": "[parameters('supportLogStorageAccountType')]" + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + }, + { + "apiVersion": "[variables('storageApiVersion')]", + "type": "Microsoft.Storage/storageAccounts", + "name": "[variables('applicationDiagnosticsStorageAccountName')]", + "location": "[variables('computeLocation')]", + "dependsOn": [], + "properties": {}, + "kind": "Storage", + "sku": { + "name": "[parameters('applicationDiagnosticsStorageAccountType')]" + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + }, + { + "apiVersion": "[variables('vNetApiVersion')]", + "type": "Microsoft.Network/virtualNetworks", + "name": "[variables('virtualNetworkName')]", + "location": "[variables('computeLocation')]", + "properties": { 
+ "addressSpace": { + "addressPrefixes": [ + "[variables('addressPrefix')]" + ] + }, + "subnets": [ + { + "name": "[variables('subnet0Name')]", + "properties": { + "addressPrefix": "[variables('subnet0Prefix')]" + } + } + ] + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + }, + { + "apiVersion": "[variables('publicIPApiVersion')]", + "type": "Microsoft.Network/publicIPAddresses", + "name": "[concat(variables('lbIPName'),'-','0')]", + "location": "[variables('computeLocation')]", + "properties": { + "dnsSettings": { + "domainNameLabel": "[variables('dnsName')]" + }, + "publicIPAllocationMethod": "Dynamic" + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + }, + { + "apiVersion": "[variables('lbApiVersion')]", + "type": "Microsoft.Network/loadBalancers", + "name": "[concat('LB','-', parameters('clusterName'),'-',variables('vmNodeType0Name'))]", + "location": "[variables('computeLocation')]", + "dependsOn": [ + "[concat('Microsoft.Network/publicIPAddresses/',concat(variables('lbIPName'),'-','0'))]" + ], + "properties": { + "frontendIPConfigurations": [ + { + "name": "LoadBalancerIPConfig", + "properties": { + "publicIPAddress": { + "id": "[resourceId('Microsoft.Network/publicIPAddresses',concat(variables('lbIPName'),'-','0'))]" + } + } + } + ], + "backendAddressPools": [ + { + "name": "LoadBalancerBEAddressPool", + "properties": {} + } + ], + "loadBalancingRules": [ + { + "name": "LBRule", + "properties": { + "backendAddressPool": { + "id": "[variables('lbPoolID0')]" + }, + "backendPort": "[variables('nt0fabricTcpGatewayPort')]", + "enableFloatingIP": "false", + "frontendIPConfiguration": { + "id": "[variables('lbIPConfig0')]" + }, + "frontendPort": "[variables('nt0fabricTcpGatewayPort')]", + "idleTimeoutInMinutes": "5", + "probe": { + "id": "[variables('lbProbeID0')]" + }, + "protocol": "tcp" + } + }, + { + "name": "LBHttpRule", + "properties": { + 
"backendAddressPool": { + "id": "[variables('lbPoolID0')]" + }, + "backendPort": "[variables('nt0fabricHttpGatewayPort')]", + "enableFloatingIP": "false", + "frontendIPConfiguration": { + "id": "[variables('lbIPConfig0')]" + }, + "frontendPort": "[variables('nt0fabricHttpGatewayPort')]", + "idleTimeoutInMinutes": "5", + "probe": { + "id": "[variables('lbHttpProbeID0')]" + }, + "protocol": "tcp" + } + }, + { + "name": "LBSFReverseProxyRule", + "properties": { + "backendAddressPool": { + "id": "[variables('lbPoolID0')]" + }, + "backendPort": "[parameters('SFReverseProxyPort')]", + "enableFloatingIP": "false", + "frontendIPConfiguration": { + "id": "[variables('lbIPConfig0')]" + }, + "frontendPort": "[parameters('SFReverseProxyPort')]", + "idleTimeoutInMinutes": "5", + "probe": { + "id": "[concat(variables('lbID0'),'/probes/SFReverseProxyProbe')]" + }, + "protocol": "tcp" + } + }, + { + "name": "AppPortLBRule1", + "properties": { + "backendAddressPool": { + "id": "[variables('lbPoolID0')]" + }, + "backendPort": "[parameters('loadBalancedAppPort1')]", + "enableFloatingIP": "false", + "frontendIPConfiguration": { + "id": "[variables('lbIPConfig0')]" + }, + "frontendPort": "[parameters('loadBalancedAppPort1')]", + "idleTimeoutInMinutes": "5", + "probe": { + "id": "[concat(variables('lbID0'),'/probes/AppPortProbe1')]" + }, + "protocol": "tcp" + } + }, + { + "name": "AppPortLBRule2", + "properties": { + "backendAddressPool": { + "id": "[variables('lbPoolID0')]" + }, + "backendPort": "[parameters('loadBalancedAppPort2')]", + "enableFloatingIP": "false", + "frontendIPConfiguration": { + "id": "[variables('lbIPConfig0')]" + }, + "frontendPort": "[parameters('loadBalancedAppPort2')]", + "idleTimeoutInMinutes": "5", + "probe": { + "id": "[concat(variables('lbID0'),'/probes/AppPortProbe2')]" + }, + "protocol": "tcp" + } + } + ], + "probes": [ + { + "name": "FabricGatewayProbe", + "properties": { + "intervalInSeconds": 5, + "numberOfProbes": 2, + "port": 
"[variables('nt0fabricTcpGatewayPort')]", + "protocol": "tcp" + } + }, + { + "name": "FabricHttpGatewayProbe", + "properties": { + "intervalInSeconds": 5, + "numberOfProbes": 2, + "port": "[variables('nt0fabricHttpGatewayPort')]", + "protocol": "tcp" + } + }, + { + "name": "SFReverseProxyProbe", + "properties": { + "intervalInSeconds": 5, + "numberOfProbes": 2, + "port": "[parameters('SFReverseProxyPort')]", + "protocol": "tcp" + } + }, + { + "name": "AppPortProbe1", + "properties": { + "intervalInSeconds": 5, + "numberOfProbes": 2, + "port": "[parameters('loadBalancedAppPort1')]", + "protocol": "tcp" + } + }, + { + "name": "AppPortProbe2", + "properties": { + "intervalInSeconds": 5, + "numberOfProbes": 2, + "port": "[parameters('loadBalancedAppPort2')]", + "protocol": "tcp" + } + } + ], + "inboundNatPools": [ + { + "name": "LoadBalancerBEAddressNatPool", + "properties": { + "backendPort": "3389", + "frontendIPConfiguration": { + "id": "[variables('lbIPConfig0')]" + }, + "frontendPortRangeEnd": "4500", + "frontendPortRangeStart": "3389", + "protocol": "tcp" + } + } + ] + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + }, + { + "apiVersion": "[variables('vmssApiVersion')]", + "type": "Microsoft.Compute/virtualMachineScaleSets", + "name": "[variables('vmNodeType0Name')]", + "location": "[variables('computeLocation')]", + "dependsOn": [ + "[concat('Microsoft.Network/virtualNetworks/', variables('virtualNetworkName'))]", + "[concat('Microsoft.Network/loadBalancers/', concat('LB','-', parameters('clusterName'),'-',variables('vmNodeType0Name')))]", + "[concat('Microsoft.Storage/storageAccounts/', variables('supportLogStorageAccountName'))]", + "[concat('Microsoft.Storage/storageAccounts/', variables('applicationDiagnosticsStorageAccountName'))]" + ], + "properties": { + "overprovision": "[variables('overProvision')]", + "upgradePolicy": { + "mode": "Automatic" + }, + "virtualMachineProfile": { + "extensionProfile": 
{ + "extensions": [ + { + "name": "[concat('ServiceFabricNodeVmExt','_vmNodeType0Name')]", + "properties": { + "type": "ServiceFabricNode", + "autoUpgradeMinorVersion": false, + "protectedSettings": { + "StorageAccountKey1": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('supportLogStorageAccountName')),'2015-05-01-preview').key1]", + "StorageAccountKey2": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('supportLogStorageAccountName')),'2015-05-01-preview').key2]" + }, + "publisher": "Microsoft.Azure.ServiceFabric", + "settings": { + "clusterEndpoint": "[reference(parameters('clusterName')).clusterEndpoint]", + "nodeTypeRef": "[variables('vmNodeType0Name')]", + "dataPath": "D:\\\\SvcFab", + "durabilityLevel": "Bronze", + "nicPrefixOverride": "[variables('subnet0Prefix')]", + "certificate": { + "thumbprint": "[parameters('clusterCertificateThumbprint')]", + "x509StoreName": "[parameters('clusterCertificateStoreValue')]" + }, + "reverseProxyCertificate": { + "thumbprint": "[parameters('sfReverseProxyCertificateThumbprint')]", + "x509StoreName": "[parameters('sfReverseProxyCertificateStoreValue')]" + } + }, + "typeHandlerVersion": "1.0" + } + }, + { + "name": "[concat('VMDiagnosticsVmExt','_vmNodeType0Name')]", + "properties": { + "type": "IaaSDiagnostics", + "autoUpgradeMinorVersion": true, + "protectedSettings": { + "storageAccountName": "[variables('applicationDiagnosticsStorageAccountName')]", + "storageAccountKey": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('applicationDiagnosticsStorageAccountName')),'2015-05-01-preview').key1]", + "storageAccountEndPoint": "https://core.windows.net/" + }, + "publisher": "Microsoft.Azure.Diagnostics", + "settings": { + "WadCfg": { + "DiagnosticMonitorConfiguration": { + "overallQuotaInMB": "50000", + "EtwProviders": { + "EtwEventSourceProviderConfiguration": [ + { + "provider": "Microsoft-ServiceFabric-Actors", + "scheduledTransferKeywordFilter": "1", + 
"scheduledTransferPeriod": "PT5M", + "DefaultEvents": { + "eventDestination": "ServiceFabricReliableActorEventTable" + } + }, + { + "provider": "Microsoft-ServiceFabric-Services", + "scheduledTransferPeriod": "PT5M", + "DefaultEvents": { + "eventDestination": "ServiceFabricReliableServiceEventTable" + } + } + ], + "EtwManifestProviderConfiguration": [ + { + "provider": "cbd93bc2-71e5-4566-b3a7-595d8eeca6e8", + "scheduledTransferLogLevelFilter": "Information", + "scheduledTransferKeywordFilter": "4611686018427387904", + "scheduledTransferPeriod": "PT5M", + "DefaultEvents": { + "eventDestination": "ServiceFabricSystemEventTable" + } + } + ] + } + } + }, + "StorageAccount": "[variables('applicationDiagnosticsStorageAccountName')]" + }, + "typeHandlerVersion": "1.5" + } + } + ] + }, + "networkProfile": { + "networkInterfaceConfigurations": [ + { + "name": "[concat(variables('nicName'), '-0')]", + "properties": { + "ipConfigurations": [ + { + "name": "[concat(variables('nicName'),'-',0)]", + "properties": { + "loadBalancerBackendAddressPools": [ + { + "id": "[variables('lbPoolID0')]" + } + ], + "loadBalancerInboundNatPools": [ + { + "id": "[variables('lbNatPoolID0')]" + } + ], + "subnet": { + "id": "[variables('subnet0Ref')]" + } + } + } + ], + "primary": true + } + } + ] + }, + "osProfile": { + "adminPassword": "[parameters('adminPassword')]", + "adminUsername": "[parameters('adminUsername')]", + "computernamePrefix": "[variables('vmNodeType0Name')]", + "secrets": [ + { + "sourceVault": { + "id": "[parameters('sourceVaultValue')]" + }, + "vaultCertificates": [ + { + "certificateStore": "[parameters('clusterCertificateStorevalue')]", + "certificateUrl": "[parameters('clusterCertificateUrlValue')]" + }, + { + "certificateStore": "[parameters('sfReverseProxyCertificateStoreValue')]", + "certificateUrl": "[parameters('sfReverseProxyCertificateUrlValue')]" + } + ] + } + ] + }, + "storageProfile": { + "imageReference": { + "publisher": "[parameters('vmImagePublisher')]", + 
"offer": "[parameters('vmImageOffer')]", + "sku": "[parameters('vmImageSku')]", + "version": "[parameters('vmImageVersion')]" + }, + "osDisk": { + "createOption": "FromImage", + "caching": "ReadOnly", + "managedDisk": { + "storageAccountType": "[parameters('storageAccountType')]" + } + } + } + } + }, + "sku": { + "name": "[variables('vmNodeType0Size')]", + "capacity": "[parameters('nt0InstanceCount')]", + "tier": "Standard" + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + }, + { + "apiVersion": "2016-09-01", + "type": "Microsoft.ServiceFabric/clusters", + "name": "[parameters('clusterName')]", + "location": "[parameters('clusterLocation')]", + "dependsOn": [ + "[concat('Microsoft.Storage/storageAccounts/', variables('supportLogStorageAccountName'))]" + ], + "properties": { + "certificate": { + "thumbprint": "[parameters('clusterCertificateThumbprint')]", + "x509StoreName": "[parameters('clusterCertificateStoreValue')]" + }, + "reverseProxyCertificate": { + "thumbprint": "[parameters('sfReverseProxyCertificateThumbprint')]", + "x509StoreName": "[parameters('sfReverseProxyCertificateStoreValue')]" + }, + "clientCertificateCommonNames": [], + "clientCertificateThumbprints": [], + "clusterState": "Default", + "diagnosticsStorageAccountConfig": { + "blobEndpoint": "[reference(concat('Microsoft.Storage/storageAccounts/', variables('supportLogStorageAccountName')), variables('storageApiVersion')).primaryEndpoints.blob]", + "protectedAccountKeyName": "StorageAccountKey1", + "queueEndpoint": "[reference(concat('Microsoft.Storage/storageAccounts/', variables('supportLogStorageAccountName')), variables('storageApiVersion')).primaryEndpoints.queue]", + "storageAccountName": "[variables('supportLogStorageAccountName')]", + "tableEndpoint": "[reference(concat('Microsoft.Storage/storageAccounts/', variables('supportLogStorageAccountName')), variables('storageApiVersion')).primaryEndpoints.table]" + }, + "fabricSettings": [ 
+ { + "parameters": [ + { + "name": "ClusterProtectionLevel", + "value": "[parameters('clusterProtectionLevel')]" + } + ], + "name": "Security" + } + ], + "managementEndpoint": "[concat('https://',reference(concat(variables('lbIPName'),'-','0')).dnsSettings.fqdn,':',variables('nt0fabricHttpGatewayPort'))]", + "nodeTypes": [ + { + "name": "[variables('vmNodeType0Name')]", + "applicationPorts": { + "endPort": "[variables('nt0applicationEndPort')]", + "startPort": "[variables('nt0applicationStartPort')]" + }, + "clientConnectionEndpointPort": "[variables('nt0fabricTcpGatewayPort')]", + "durabilityLevel": "Bronze", + "ephemeralPorts": { + "endPort": "[variables('nt0ephemeralEndPort')]", + "startPort": "[variables('nt0ephemeralStartPort')]" + }, + "httpGatewayEndpointPort": "[variables('nt0fabricHttpGatewayPort')]", + "reverseProxyEndpointPort": "[parameters('SFReverseProxyPort')]", + "isPrimary": true, + "vmInstanceCount": "[parameters('nt0InstanceCount')]" + } + ], + "provisioningState": "Default", + "reliabilityLevel": "Silver", + "upgradeMode": "Automatic", + "vmImage": "Windows" + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + } + ], + "outputs": { + "clusterProperties": { + "value": "[reference(parameters('clusterName'))]", + "type": "object" + } + } +} \ No newline at end of file diff --git a/Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_Step3.parameters.json b/Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_Step3.parameters.json new file mode 100644 index 0000000..da39320 --- /dev/null +++ b/Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_Step3.parameters.json 
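Review bot: The reverse proxy port is published straight to the Internet in this template: the `LBSFReverseProxyRule` load-balancing rule and `SFReverseProxyProbe` on the public load balancer forward `SFReverseProxyPort` (default 19008) from the public IP to every node, nothing restricts the source because `Subnet-0` in the `Microsoft.Network/virtualNetworks` resource has no network security group, and the same public front end also carries the RDP NAT pool (`frontendPortRangeStart` 3389 to 4500 onto `backendPort` 3389). Once the reverse proxy is reachable from outside, every service in the cluster that exposes an HTTP endpoint is reachable from outside as well, which is the main caveat the Service Fabric reverse proxy documentation raises about external exposure. Unless that is the intent of the sample, either drop the `LBSFReverseProxyRule` and `SFReverseProxyProbe` entries so 19008 stays reachable only inside the VNet, or attach a network security group to the subnet that limits inbound 19008 and 3389 to known source ranges, as sketched below; note that an NSG on the subnet ends in a deny-all inbound default, so the cluster gateway ports (`nt0fabricTcpGatewayPort`, `nt0fabricHttpGatewayPort`) and the two application ports need their own allow rules or the management endpoint stops working. Separately, `clientCertificateThumbprints` and `clientCertificateCommonNames` in the cluster resource are both empty, so admin/client access depends entirely on the cluster certificate; the `clusterCertificateThumbprint` parameter's description could say so, e.g. `"description": "Thumbprint of the cluster certificate; this sample also uses it for admin client authentication because clientCertificateThumbprints is left empty"`.
```json
// … unchanged: storage account resources …
{
  "apiVersion": "[variables('vNetApiVersion')]",
  "type": "Microsoft.Network/networkSecurityGroups",
  "name": "[concat(variables('virtualNetworkName'), '-nsg')]",
  "location": "[variables('computeLocation')]",
  "properties": {
    "securityRules": [
      {
        "name": "AllowReverseProxyFromKnownSources",
        "properties": {
          "priority": 100,
          "direction": "Inbound",
          "access": "Allow",
          "protocol": "Tcp",
          "sourceAddressPrefix": "<allowed source CIDR - placeholder>",
          "sourcePortRange": "*",
          "destinationAddressPrefix": "*",
          "destinationPortRange": "[string(parameters('SFReverseProxyPort'))]"
        }
      },
      {
        "name": "AllowRdpFromKnownSources",
        "properties": {
          "priority": 110,
          "direction": "Inbound",
          "access": "Allow",
          "protocol": "Tcp",
          "sourceAddressPrefix": "<allowed source CIDR - placeholder>",
          "sourcePortRange": "*",
          "destinationAddressPrefix": "*",
          "destinationPortRange": "3389"
        }
      }
      // … add Allow rules for nt0fabricTcpGatewayPort, nt0fabricHttpGatewayPort, loadBalancedAppPort1/2 here; the NSG default is deny-all inbound …
    ]
  }
},
{
  "apiVersion": "[variables('vNetApiVersion')]",
  "type": "Microsoft.Network/virtualNetworks",
  "name": "[variables('virtualNetworkName')]",
  "location": "[variables('computeLocation')]",
  "dependsOn": [
    "[concat('Microsoft.Network/networkSecurityGroups/', variables('virtualNetworkName'), '-nsg')]"
  ],
  "properties": {
    // … unchanged: addressSpace …
    "subnets": [
      {
        "name": "[variables('subnet0Name')]",
        "properties": {
          "addressPrefix": "[variables('subnet0Prefix')]",
          "networkSecurityGroup": {
            "id": "[resourceId('Microsoft.Network/networkSecurityGroups', concat(variables('virtualNetworkName'), '-nsg'))]"
          }
        }
      }
    ]
  }
  // … unchanged: tags …
}
```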
@@ -0,0 +1,72 @@
+{
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "clusterLocation": {
+ "value": "westus"
+ },
+ "clusterName": {
+ "value": "Cluster"
+ },
+ "adminUserName": {
+ "value": "admuser"
+ },
+ "adminPassword": {
+ "value": "val$$$"
+ },
+ "vmImagePublisher": {
+ "value": "MicrosoftWindowsServer"
+ },
+ "vmImageOffer": {
+ "value": "WindowsServer"
+ },
+ "vmImageSku": {
+ "value": "2012-R2-Datacenter"
+ },
+ "vmImageVersion": {
+ "value": "latest"
+ },
+ "loadBalancedAppPort1": {
+ "value": 80
+ },
+ "loadBalancedAppPort2": {
+ "value": 8081
+ },
+ "clusterCertificateStorevalue": {
+ "value": "My"
+ },
+ "clusterCertificateThumbprint": {
+ "value": "thumbprint value"
+ },
+ "sourceVaultvalue": {
+ "value": "/subscriptions/subscription value/resourceGroups/key vault resource group name/providers/Microsoft.KeyVault/vaults/key vault name"
+ },
+ "clusterCertificateUrlvalue": {
+ "value": "Refers to the location URL in your key vault where the certificate was uploaded, it is should be in the format of https://.vault.azure.net:443/secrets/"
+ },
+ "sfReverseProxyCertificateStorevalue": {
+ "value": "My"
+ },
+ "sfReverseProxyCertificateThumbprint": {
+ "value": "thumbprint value"
+ },
+ "sfReverseProxyCertificateUrlvalue": {
+ "value": "Refers to the location URL in your key vault where the certificate was uploaded, it is should be in the format of https://.vault.azure.net:443/secrets/"
+ },
+ "clusterProtectionLevel": {
+ "value": "EncryptAndSign"
+ },
+ "storageAccountType": {
+ "value": "Standard_LRS"
+ },
+ "supportLogStorageAccountType": {
+ "value": "Standard_LRS"
+ },
+ "applicationDiagnosticsStorageAccountType": {
+ "value": "Standard_LRS"
+ },
+ "nt0InstanceCount": {
+ "value": 5
+ }
+ }
+}
diff --git a/Reverse-Proxy-Sample/README.md b/Reverse-Proxy-Sample/README.md
new file mode 100644
index 0000000..b347a5d
--- /dev/null
+++ b/Reverse-Proxy-Sample/README.md 
@@ -0,0 +1,61 @@
+
+# Introduction
+
+This folder contains the set of ARM templates you can use to deploy a secure five node service fabric cluster, enable/configure Reverse Proxy with a new certificate, and rollover the Reverse Proxy certificate.
+To read more about the Reverse Proxy, refer to [Service Fabric Reverse Proxy](https://docs.microsoft.com/azure/service-fabric/service-fabric-reverseproxy)
+To read about deploying templates to Azure, refer the section [Deploy the template to Azure](https://docs.microsoft.com/azure/service-fabric/service-fabric-cluster-security-update-certs-azure).
+
+## Configure HTTPS Reverse Proxy in a secure cluster.
+
+### Step1: Provision a secure cluster (without Reverse Proxy)
+1. Template to provision a five node secure cluster - 5-VM-1-NodeTypes-SecureRP_Step1.JSON
+2. Template parameters for the above template - 5-VM-1-NodeTypes-SecureRP_Step1.parameters.JSON
+
+
+### Step2 :Provision a new certificate using ARM Powershell.
+This upgrade step takes care of installing the Reverse Proxy certificate on all the VMs and acl'ing the certificate such that Service Fabric can access it.
+Here the new certificate is added to the virtual machine scale set osProfile and the Service Fabric extension for virtual machine scale sets.
+
+1. Template to provision a five node secure cluster with new certificates to be used by Reverse Proxy later- 5-VM-1-NodeTypes-Secure_Step2.JSON
+2. Template parameters for the above template - 5-VM-1-NodeTypes-SecureRP_Step2.parameters.JSON
+
+### Step3 :Enable Reverse Proxy using ARM Powershell
+This upgrade step includes:
+ Configure Load balancer Rule and Probe for Reverse Proxy.
+ Configure the port for the Reverse Proxy.
+ Configure Reverse Proxy certificate in the Service Fabric cluster resource.
+
+1. Template to provision a five node secure cluster with Reverse Proxy - 5-VM-1-NodeTypes-SecureRP_Step3.JSON
+2. Template parameters for the above template - 5-VM-1-NodeTypes-SecureRP_Step3.parameters.JSON
+
+## Rolling over Reverse Proxy certificate.
+Once you have a cluster with Reverse Proxy configured (HTTPS, using the above steps), we can discuss how to rollover the Reverse Proxy certificate.
+Rolling over the Reverse Proxy certificate involves issuing two upgrades:
+
+### Step1: Provision a second certificate for Reverse Proxy using ARM Powershell.
+
+This upgrade step takes care of installing the Reverse Proxy certificate on all the VMs and acl'ing the certificate such that Service Fabric can access it.
+
+1. Template to provision a five node secure cluster with new certificates to be used by Reverse Proxy later- 5-VM-1-NodeTypes-SecureRP_RollOverStep1.JSON
+2. Template parameters for the above template - 5-VM-1-NodeTypes-SecureRP_RollOverStep1.parameters.JSON
+
+
+### Step2 :Rollover Reverse Proxy certificate to use the one added in the above step using ARM Powershell.
+Here, it sets the Reverse Proxy certificate in the Service Fabric cluster resource to the new thumbprint.
+
+1. Template to provision a five node secure cluster and have Reverse Proxy use the new certificate- 5-VM-1-NodeTypes-SecureRP_RollOverStep2.JSON
+2. Template parameters for the above template - 5-VM-1-NodeTypes-SecureRP_RollOverStep2.parameters.JSON
+
+## Configure reverse proxy to connect to secure services
+The below three templates show the different options to establish a secure channel between reverse proxy and services.
+To read more about configuring secure end-to-end communication via the Reverse Proxy, refer to [Connect to a secure service with the reverse proxy](https://docs.microsoft.com/azure/service-fabric/service-fabric-reverseproxy-configure-secure-communication)
+
+### 5-VM-1-NodeTypes-SecureRP_ServiceCertValidationNone.JSON
+Use this template to deploy a 5 node cluster with reverse proxy listening on HTTPS. Here ApplicationCertificateValidationPolicy is set to None.
+Reverse proxy will skip the server certificate validation while connecting to secure services.
+
+### 5-VM-1-NodeTypes-SecureRP_ServiceCertValidationCommonName.JSON
+This template shows how to configure the reverse proxy to validate the service's certificate based on certificate common name and issue's thumbprint.
+
+### 5-VM-1-NodeTypes-SecureRP_ServiceCertValidationThumbprints.JSON
+This template shows how to configure the reverse proxy to validate the service's certificate based on certificate's thumbprints.
\ No newline at end of file