From 422ec3f81267dfb06c0d827ae93ebdc39f2dd066 Mon Sep 17 00:00:00 2001
From: Nicolas Oman
Date: Thu, 24 Oct 2019 11:36:49 -0700
Subject: [PATCH 1/5] ported linux oms sample
---
 .../AzureDeploy.Parameters.json | 36 +
 .../AzureDeploy.json | 770 ++++++++++++++++++
 5-VM-Linux-1-NodeType-OMS-Secure/README.md | 11 +
 3 files changed, 817 insertions(+)
 create mode 100644 5-VM-Linux-1-NodeType-OMS-Secure/AzureDeploy.Parameters.json
 create mode 100644 5-VM-Linux-1-NodeType-OMS-Secure/AzureDeploy.json
 create mode 100644 5-VM-Linux-1-NodeType-OMS-Secure/README.md
diff --git a/5-VM-Linux-1-NodeType-OMS-Secure/AzureDeploy.Parameters.json b/5-VM-Linux-1-NodeType-OMS-Secure/AzureDeploy.Parameters.json
new file mode 100644
index 0000000..1728377
--- /dev/null
+++ b/5-VM-Linux-1-NodeType-OMS-Secure/AzureDeploy.Parameters.json
@@ -0,0 +1,36 @@
+{
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "clusterName": {
+ "value": "linuxcluster"
+ },
+ "adminUserName": {
+ "value": "adminuser"
+ },
+ "adminPassword": {
+ "value": "Pa$$word$1234"
+ },
+ "clusterLocation": {
+ "value": "eastus"
+ },
+ "certificateThumbprint": {
+ "value": ""
+ },
+ "sourceVaultValue": {
+ "value": ""
+ },
+ "certificateUrlValue": {
+ "value": ""
+ },
+ "clusterProtectionLevel": {
+ "value": "EncryptAndSign"
+ },
+ "storageAccountType": {
+ "value": "Standard_LRS"
+ },
+ "supportLogStorageAccountType": {
+ "value": "Standard_LRS"
+ }
+ }
+}
\ No newline at end of file
diff --git a/5-VM-Linux-1-NodeType-OMS-Secure/AzureDeploy.json b/5-VM-Linux-1-NodeType-OMS-Secure/AzureDeploy.json
new file mode 100644
index 0000000..ee8d68a
--- /dev/null
+++ b/5-VM-Linux-1-NodeType-OMS-Secure/AzureDeploy.json
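Review bot: The committed parameters file puts a plaintext value, `"Pa$$word$1234"`, into `adminPassword`, which the template declares as a `securestring`; sample parameter files get copied into real deployments, and a value committed here stays in git history even after the next commit deletes the file. Replace it with a Key Vault reference, `"adminPassword": { "reference": { "keyVault": { "id": "<key-vault-resource-id>" }, "secretName": "<secret-name>" } }`, or drop the entry so the value has to be supplied at deploy time. The three certificate inputs (`certificateThumbprint`, `sourceVaultValue`, `certificateUrlValue`) are empty strings while the template gives them no `defaultValue`, so a deployment straight from this file presumably fails on the empty `sourceVault.id` or provisions a cluster whose `certificate.thumbprint` is empty; placeholder text such as `<thumbprint>` or a README sentence would make clear they must be filled in first.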
@@ -0,0 +1,770 @@ +{ + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json", + "contentVersion": "1.0.0.0", + "parameters": { + "clusterLocation": { + "type": "string", + "metadata": { + "description": "Location of the Cluster" + } + }, + "clusterName": { + "type": "string", + "defaultValue": "Cluster", + "metadata": { + "description": "Name of your cluster - Between 3 and 23 characters. Letters and numbers only" + } + }, + "adminUserName": { + "type": "string", + "defaultValue": "testadm", + "metadata": { + "description": "Remote desktop user Id" + } + }, + "adminPassword": { + "type": "securestring", + "metadata": { + "description": "Remote desktop user password. Must be a strong password" + } + }, + "vmImagePublisher": { + "type": "string", + "defaultValue": "Canonical" + }, + "vmImageOffer": { + "type": "string", + "defaultValue": "UbuntuServer" + }, + "vmImageSku": { + "type": "string", + "defaultValue": "16.04-LTS" + }, + "vmImageVersion": { + "type": "string", + "defaultValue": "latest" + }, + "loadBalancedAppPort1": { + "type": "int", + "defaultValue": 80, + "metadata": { + "description": "Input endpoint1 for the application to use. Replace it with what your application uses" + } + }, + "loadBalancedAppPort2": { + "type": "int", + "defaultValue": 8081, + "metadata": { + "description": "Input endpoint2 for the application to use. 
Replace it with what your application uses" + } + }, + "certificateStoreValue": { + "type": "string", + "allowedValues": [ + "My" + ], + "defaultValue": "My", + "metadata": { + "description": "The store name where the cert will be deployed in the virtual machine" + } + }, + "certificateThumbprint": { + "type": "string", + "metadata": { + "description": "Certificate Thumbprint" + } + }, + "sourceVaultValue": { + "type": "string", + "metadata": { + "description": "Resource Id of the key vault, is should be in the format of /subscriptions//resourceGroups//providers/Microsoft.KeyVault/vaults/" + } + }, + "certificateUrlValue": { + "type": "string", + "metadata": { + "description": "Refers to the location URL in your key vault where the certificate was uploaded, it is should be in the format of https://.vault.azure.net:443/secrets/" + } + }, + "clusterProtectionLevel": { + "type": "string", + "allowedValues": [ + "None", + "Sign", + "EncryptAndSign" + ], + "defaultValue": "EncryptAndSign", + "metadata": { + "description": "Protection level.Three values are allowed - EncryptAndSign, Sign, None. 
It is best to keep the default of EncryptAndSign, unless you have a need not to" + } + }, + "storageAccountType": { + "type": "string", + "allowedValues": [ + "Standard_LRS", + "Standard_GRS" + ], + "defaultValue": "Standard_LRS", + "metadata": { + "description": "Replication option for the VM image storage account" + } + }, + "supportLogStorageAccountType": { + "type": "string", + "allowedValues": [ + "Standard_LRS", + "Standard_GRS" + ], + "defaultValue": "Standard_LRS", + "metadata": { + "description": "Replication option for the support log storage account" + } + }, + "applicationDiagnosticsStorageAccountType": { + "type": "string", + "allowedValues": [ + "Standard_LRS", + "Standard_GRS" + ], + "defaultValue": "Standard_LRS", + "metadata": { + "description": "Replication option for the application diagnostics storage account" + } + }, + "nt0InstanceCount": { + "type": "int", + "defaultValue": 5, + "metadata": { + "description": "Instance count for node type" + } + }, + "omsWorkspacename": { + "type": "string", + "defaultValue": "[toLower(concat('sf',uniqueString(resourceGroup().id)))]", + "metadata": { + "description": "Name of your OMS Log Analytics Workspace" + } + }, + "omsWorkspaceLocation": { + "type": "string", + "defaultValue": "eastus", + "metadata": { + "description": "Select the region for your OMS workspace. 
Default is East US" + } + } + }, + "variables": { + "computeLocation": "[parameters('clusterLocation')]", + "dnsName": "[parameters('clusterName')]", + "vmStorageAccountName": "[toLower(concat(uniqueString(resourceGroup().id), '1' ))]", + "vmName": "vm", + "publicIPAddressName": "PublicIP-VM", + "publicIPAddressType": "Dynamic", + "vmStorageAccountContainerName": "vhds", + "virtualNetworkName": "VNet", + "addressPrefix": "10.0.0.0/16", + "nicName": "NIC", + "lbName": "LoadBalancer", + "lbIPName": "PublicIP-LB-FE", + "availSetName": "AvailabilitySet", + "maxPercentUpgradeDomainDeltaUnhealthyNodes": "100", + "vnetID": "[resourceId('Microsoft.Network/virtualNetworks',variables('virtualNetworkName'))]", + "overProvision": "false", + "vmssApiVersion": "2016-03-30", + "lbApiVersion": "2015-06-15", + "vNetApiVersion": "2015-06-15", + "storageApiVersion": "2016-01-01", + "publicIPApiVersion": "2015-06-15", + "nt0applicationStartPort": "20000", + "nt0applicationEndPort": "30000", + "nt0ephemeralStartPort": "49152", + "nt0ephemeralEndPort": "65534", + "nt0fabricTcpGatewayPort": "19000", + "nt0fabricHttpGatewayPort": "19080", + "subnet0Name": "Subnet-0", + "subnet0Prefix": "10.0.0.0/24", + "subnet0Ref": "[concat(variables('vnetID'),'/subnets/',variables('subnet0Name'))]", + "supportLogStorageAccountName": "[toLower( concat( uniqueString(resourceGroup().id),'2'))]", + "applicationDiagnosticsStorageAccountName": "[toLower(concat(uniqueString(resourceGroup().id), '3' ))]", + "wadlogs": "", + "wadperfcounters1": "", + "wadperfcounters2": "", + "wadcfgxstart": "[concat(variables('wadlogs'),variables('wadperfcounters1'),variables('wadperfcounters2'),'')]", + "lbID0": "[resourceId('Microsoft.Network/loadBalancers',concat('LB','-', parameters('clusterName'),'-',variables('vmNodeType0Name')))]", + "lbIPConfig0": "[concat(variables('lbID0'),'/frontendIPConfigurations/LoadBalancerIPConfig')]", + "lbPoolID0": 
"[concat(variables('lbID0'),'/backendAddressPools/LoadBalancerBEAddressPool')]", + "lbProbeID0": "[concat(variables('lbID0'),'/probes/FabricGatewayProbe')]", + "lbHttpProbeID0": "[concat(variables('lbID0'),'/probes/FabricHttpGatewayProbe')]", + "lbNatPoolID0": "[concat(variables('lbID0'),'/inboundNatPools/LoadBalancerBEAddressNatPool')]", + "vmNodeType0Name": "[toLower(concat('NT1', variables('vmName')))]", + "vmNodeType0Size": "Standard_D2_v2", + "vmStorageAccountName0": "[toLower(concat(uniqueString(resourceGroup().id), '1', '0' ))]", + "uniqueStringArray0": [ + "[concat(variables('vmStorageAccountName0'), '0')]", + "[concat(variables('vmStorageAccountName0'), '1')]", + "[concat(variables('vmStorageAccountName0'), '2')]", + "[concat(variables('vmStorageAccountName0'), '3')]", + "[concat(variables('vmStorageAccountName0'), '4')]" + ], + "wadmetricsresourceid0": "[concat('/subscriptions/',subscription().subscriptionId,'/resourceGroups/',resourceGroup().name ,'/providers/','Microsoft.Compute/virtualMachineScaleSets/', variables('vmNodeType0Name'))]", + "omsSolution": { + "batch": [ + { + "solutionName": "[concat('Containers', '(', parameters('omsWorkspacename'), ')')]", + "solution": "Containers" + }, + { + "solutionName": "[concat('ServiceFabric', '(', parameters('omsWorkspacename'), ')')]", + "solution": "ServiceFabric" + } + ] + }, + "omsWorkspaceLocation": "[replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(parameters('clusterLocation'), 'northeurope', 'westeurope'), 'eastus2', 'eastus'), 'westindia', 'australiasoutheast'), 'canadaeast', 'eastus'), 'westus', 'westcentralus'), 'westus2', 'westcentralus'), 'northcentralus', 'westcentralus'), 'southcentralus', 'westcentralus'), 'eastasia', 'southeastasia'), 'japaneast', 'southeastasia'), 'japanwest', 'southeastasia'), 'australiaeast', 'australiasoutheast'), 'southindia', 'southeastasia'), 
'centralindia', 'southeastasia'), 'canadacentral', 'eastus'), 'koreacentral', 'southeastasia'), 'koreasouth', 'southeastasia'), 'brazilsouth', 'eastus'), 'ukwest', 'westeurope'), 'uksouth', 'westeurope'), 'centralus', 'westcentralus')]" + }, + "resources": [ + { + "apiVersion": "[variables('storageApiVersion')]", + "type": "Microsoft.Storage/storageAccounts", + "name": "[variables('supportLogStorageAccountName')]", + "location": "[variables('computeLocation')]", + "dependsOn": [], + "properties": {}, + "kind": "Storage", + "sku": { + "name": "[parameters('supportLogStorageAccountType')]" + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + }, + { + "apiVersion": "[variables('storageApiVersion')]", + "type": "Microsoft.Storage/storageAccounts", + "name": "[variables('applicationDiagnosticsStorageAccountName')]", + "location": "[variables('computeLocation')]", + "dependsOn": [], + "properties": {}, + "kind": "Storage", + "sku": { + "name": "[parameters('applicationDiagnosticsStorageAccountType')]" + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + }, + { + "apiVersion": "[variables('vNetApiVersion')]", + "type": "Microsoft.Network/virtualNetworks", + "name": "[variables('virtualNetworkName')]", + "location": "[variables('computeLocation')]", + "properties": { + "addressSpace": { + "addressPrefixes": [ + "[variables('addressPrefix')]" + ] + }, + "subnets": [ + { + "name": "[variables('subnet0Name')]", + "properties": { + "addressPrefix": "[variables('subnet0Prefix')]" + } + } + ] + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + }, + { + "apiVersion": "[variables('publicIPApiVersion')]", + "type": "Microsoft.Network/publicIPAddresses", + "name": "[concat(variables('lbIPName'),'-','0')]", + "location": "[variables('computeLocation')]", + "properties": { + "dnsSettings": { + "domainNameLabel": 
"[variables('dnsName')]" + }, + "publicIPAllocationMethod": "Dynamic" + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + }, + { + "apiVersion": "[variables('lbApiVersion')]", + "type": "Microsoft.Network/loadBalancers", + "name": "[concat('LB','-', parameters('clusterName'),'-',variables('vmNodeType0Name'))]", + "location": "[variables('computeLocation')]", + "dependsOn": [ + "[concat('Microsoft.Network/publicIPAddresses/',concat(variables('lbIPName'),'-','0'))]" + ], + "properties": { + "frontendIPConfigurations": [ + { + "name": "LoadBalancerIPConfig", + "properties": { + "publicIPAddress": { + "id": "[resourceId('Microsoft.Network/publicIPAddresses',concat(variables('lbIPName'),'-','0'))]" + } + } + } + ], + "backendAddressPools": [ + { + "name": "LoadBalancerBEAddressPool", + "properties": {} + } + ], + "loadBalancingRules": [ + { + "name": "LBRule", + "properties": { + "backendAddressPool": { + "id": "[variables('lbPoolID0')]" + }, + "backendPort": "[variables('nt0fabricTcpGatewayPort')]", + "enableFloatingIP": "false", + "frontendIPConfiguration": { + "id": "[variables('lbIPConfig0')]" + }, + "frontendPort": "[variables('nt0fabricTcpGatewayPort')]", + "idleTimeoutInMinutes": "5", + "probe": { + "id": "[variables('lbProbeID0')]" + }, + "protocol": "tcp" + } + }, + { + "name": "LBHttpRule", + "properties": { + "backendAddressPool": { + "id": "[variables('lbPoolID0')]" + }, + "backendPort": "[variables('nt0fabricHttpGatewayPort')]", + "enableFloatingIP": "false", + "frontendIPConfiguration": { + "id": "[variables('lbIPConfig0')]" + }, + "frontendPort": "[variables('nt0fabricHttpGatewayPort')]", + "idleTimeoutInMinutes": "5", + "probe": { + "id": "[variables('lbHttpProbeID0')]" + }, + "protocol": "tcp" + } + }, + { + "name": "AppPortLBRule1", + "properties": { + "backendAddressPool": { + "id": "[variables('lbPoolID0')]" + }, + "backendPort": "[parameters('loadBalancedAppPort1')]", + "enableFloatingIP": 
"false", + "frontendIPConfiguration": { + "id": "[variables('lbIPConfig0')]" + }, + "frontendPort": "[parameters('loadBalancedAppPort1')]", + "idleTimeoutInMinutes": "5", + "probe": { + "id": "[concat(variables('lbID0'),'/probes/AppPortProbe1')]" + }, + "protocol": "tcp" + } + }, + { + "name": "AppPortLBRule2", + "properties": { + "backendAddressPool": { + "id": "[variables('lbPoolID0')]" + }, + "backendPort": "[parameters('loadBalancedAppPort2')]", + "enableFloatingIP": "false", + "frontendIPConfiguration": { + "id": "[variables('lbIPConfig0')]" + }, + "frontendPort": "[parameters('loadBalancedAppPort2')]", + "idleTimeoutInMinutes": "5", + "probe": { + "id": "[concat(variables('lbID0'),'/probes/AppPortProbe2')]" + }, + "protocol": "tcp" + } + } + ], + "probes": [ + { + "name": "FabricGatewayProbe", + "properties": { + "intervalInSeconds": 5, + "numberOfProbes": 2, + "port": "[variables('nt0fabricTcpGatewayPort')]", + "protocol": "tcp" + } + }, + { + "name": "FabricHttpGatewayProbe", + "properties": { + "intervalInSeconds": 5, + "numberOfProbes": 2, + "port": "[variables('nt0fabricHttpGatewayPort')]", + "protocol": "tcp" + } + }, + { + "name": "AppPortProbe1", + "properties": { + "intervalInSeconds": 5, + "numberOfProbes": 2, + "port": "[parameters('loadBalancedAppPort1')]", + "protocol": "tcp" + } + }, + { + "name": "AppPortProbe2", + "properties": { + "intervalInSeconds": 5, + "numberOfProbes": 2, + "port": "[parameters('loadBalancedAppPort2')]", + "protocol": "tcp" + } + } + ], + "inboundNatPools": [ + { + "name": "LoadBalancerBEAddressNatPool", + "properties": { + "backendPort": "22", + "frontendIPConfiguration": { + "id": "[variables('lbIPConfig0')]" + }, + "frontendPortRangeEnd": "4500", + "frontendPortRangeStart": "3389", + "protocol": "tcp" + } + } + ] + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + }, + { + "apiVersion": "[variables('storageApiVersion')]", + "type": 
"Microsoft.Storage/storageAccounts", + "name": "[variables('uniqueStringArray0')[copyIndex()]]", + "location": "[variables('computeLocation')]", + "dependsOn": [], + "properties": {}, + "copy": { + "name": "storageLoop", + "count": 5 + }, + "kind": "Storage", + "sku": { + "name": "[parameters('storageAccountType')]" + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + }, + { + "apiVersion": "[variables('vmssApiVersion')]", + "type": "Microsoft.Compute/virtualMachineScaleSets", + "name": "[variables('vmNodeType0Name')]", + "location": "[variables('computeLocation')]", + "dependsOn": [ + "[concat('Microsoft.Network/virtualNetworks/', variables('virtualNetworkName'))]", + "[concat('Microsoft.Storage/storageAccounts/', variables('uniqueStringArray0')[0])]", + "[concat('Microsoft.Storage/storageAccounts/', variables('uniqueStringArray0')[1])]", + "[concat('Microsoft.Storage/storageAccounts/', variables('uniqueStringArray0')[2])]", + "[concat('Microsoft.Storage/storageAccounts/', variables('uniqueStringArray0')[3])]", + "[concat('Microsoft.Storage/storageAccounts/', variables('uniqueStringArray0')[4])]", + "[concat('Microsoft.Network/loadBalancers/', concat('LB','-', parameters('clusterName'),'-',variables('vmNodeType0Name')))]", + "[concat('Microsoft.Storage/storageAccounts/', variables('supportLogStorageAccountName'))]", + "[concat('Microsoft.Storage/storageAccounts/', variables('applicationDiagnosticsStorageAccountName'))]" + ], + "properties": { + "overprovision": "[variables('overProvision')]", + "upgradePolicy": { + "mode": "Automatic" + }, + "virtualMachineProfile": { + "extensionProfile": { + "extensions": [ + { + "name": "[concat('ServiceFabricNodeVmExt','_vmNodeType0Name')]", + "properties": { + "type": "ServiceFabricLinuxNode", + "autoUpgradeMinorVersion": true, + "protectedSettings": { + "StorageAccountKey1": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', 
variables('supportLogStorageAccountName')),'2015-05-01-preview').key1]", + "StorageAccountKey2": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('supportLogStorageAccountName')),'2015-05-01-preview').key2]" + }, + "publisher": "Microsoft.Azure.ServiceFabric", + "settings": { + "clusterEndpoint": "[reference(parameters('clusterName')).clusterEndpoint]", + "nodeTypeRef": "[variables('vmNodeType0Name')]", + "durabilityLevel": "Bronze", + "certificate": { + "thumbprint": "[parameters('certificateThumbprint')]", + "x509StoreName": "[parameters('certificateStoreValue')]" + } + }, + "typeHandlerVersion": "1.0" + } + }, + { + "name": "[concat(variables('vmNodeType0Name'),'OMS')]", + "properties": { + "publisher": "Microsoft.EnterpriseCloud.Monitoring", + "type": "OmsAgentForLinux", + "typeHandlerVersion": "1.4", + "autoUpgradeMinorVersion": true, + "settings": { + "workspaceId": "[reference(resourceId('Microsoft.OperationalInsights/workspaces/', parameters('omsWorkspacename')), '2015-11-01-preview').customerId]" + }, + "protectedSettings": { + "workspaceKey": "[listKeys(resourceId('Microsoft.OperationalInsights/workspaces/', parameters('omsWorkspacename')),'2015-11-01-preview').primarySharedKey]" + } + } + }, + { + "name": "[concat('VMDiagnosticsVmExt','_vmNodeType0Name')]", + "properties": { + "type": "LinuxDiagnostic", + "autoUpgradeMinorVersion": true, + "protectedSettings": { + "storageAccountName": "[variables('applicationDiagnosticsStorageAccountName')]", + "storageAccountKey": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('applicationDiagnosticsStorageAccountName')),'2015-05-01-preview').key1]", + "storageAccountEndPoint": "https://core.windows.net/" + }, + "publisher": "Microsoft.OSTCExtensions", + "settings": { + "xmlCfg": "[base64(concat(variables('wadcfgxstart'),variables('wadmetricsresourceid0'),variables('wadcfgxend')))]", + "StorageAccount": "[variables('applicationDiagnosticsStorageAccountName')]" + }, + 
"typeHandlerVersion": "2.3" + } + } + ] + }, + "networkProfile": { + "networkInterfaceConfigurations": [ + { + "name": "[concat(variables('nicName'), '-0')]", + "properties": { + "ipConfigurations": [ + { + "name": "[concat(variables('nicName'),'-',0)]", + "properties": { + "loadBalancerBackendAddressPools": [ + { + "id": "[variables('lbPoolID0')]" + } + ], + "loadBalancerInboundNatPools": [ + { + "id": "[variables('lbNatPoolID0')]" + } + ], + "subnet": { + "id": "[variables('subnet0Ref')]" + } + } + } + ], + "primary": true + } + } + ] + }, + "osProfile": { + "adminPassword": "[parameters('adminPassword')]", + "adminUsername": "[parameters('adminUsername')]", + "computernamePrefix": "[variables('vmNodeType0Name')]", + "secrets": [ + { + "sourceVault": { + "id": "[parameters('sourceVaultValue')]" + }, + "vaultCertificates": [ + { + "certificateUrl": "[parameters('certificateUrlValue')]" + } + ] + } + ] + }, + "storageProfile": { + "imageReference": { + "publisher": "[parameters('vmImagePublisher')]", + "offer": "[parameters('vmImageOffer')]", + "sku": "[parameters('vmImageSku')]", + "version": "[parameters('vmImageVersion')]" + }, + "osDisk": { + "vhdContainers": [ + "[concat(reference(concat('Microsoft.Storage/storageAccounts/', variables('uniqueStringArray0')[0]), variables('storageApiVersion')).primaryEndpoints.blob, variables('vmStorageAccountContainerName'))]", + "[concat(reference(concat('Microsoft.Storage/storageAccounts/', variables('uniqueStringArray0')[1]), variables('storageApiVersion')).primaryEndpoints.blob, variables('vmStorageAccountContainerName'))]", + "[concat(reference(concat('Microsoft.Storage/storageAccounts/', variables('uniqueStringArray0')[2]), variables('storageApiVersion')).primaryEndpoints.blob, variables('vmStorageAccountContainerName'))]", + "[concat(reference(concat('Microsoft.Storage/storageAccounts/', variables('uniqueStringArray0')[3]), variables('storageApiVersion')).primaryEndpoints.blob, 
variables('vmStorageAccountContainerName'))]", + "[concat(reference(concat('Microsoft.Storage/storageAccounts/', variables('uniqueStringArray0')[4]), variables('storageApiVersion')).primaryEndpoints.blob, variables('vmStorageAccountContainerName'))]" + ], + "name": "vmssosdisk", + "caching": "ReadOnly", + "createOption": "FromImage" + } + } + } + }, + "sku": { + "name": "[variables('vmNodeType0Size')]", + "capacity": "[parameters('nt0InstanceCount')]", + "tier": "Standard" + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + }, + { + "apiVersion": "2015-11-01-preview", + "location": "[parameters('omsWorkspaceLocation')]", + "name": "[parameters('omsWorkspacename')]", + "type": "Microsoft.OperationalInsights/workspaces", + "properties": { + "sku": { + "name": "Free" + } + }, + "resources": [ + { + "apiVersion": "2015-11-01-preview", + "name": "[concat(variables('applicationDiagnosticsStorageAccountName'),parameters('omsWorkspacename'))]", + "type": "storageInsightConfigs", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('omsWorkspacename'))]", + "[concat('Microsoft.Storage/storageAccounts/', variables('applicationDiagnosticsStorageAccountName'))]" + ], + "properties": { + "containers": [], + "tables": [ + "WADServiceFabric*EventTable", + "WADWindowsEventLogsTable", + "WADETWEventTable" + ], + "storageAccount": { + "id": "[resourceId('Microsoft.Storage/storageaccounts/', variables('applicationDiagnosticsStorageAccountName'))]", + "key": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('applicationDiagnosticsStorageAccountName')),'2015-06-15').key1]" + } + } + } + ] + }, + { + "apiVersion": "2015-11-01-preview", + "location": "[parameters('omsWorkspaceLocation')]", + "name": "[concat(variables('omsSolution').batch[copyIndex()].solutionName)]", + "type": "Microsoft.OperationsManagement/solutions", + "dependsOn": [ + 
"[concat('Microsoft.OperationalInsights/workspaces/', parameters('OMSWorkspacename'))]", + "[concat('Microsoft.ServiceFabric/clusters/', parameters('clusterName'))]" + ], + "copy": { + "name": "solutionCopy", + "count": "[length(variables('omsSolution').batch)]" + }, + "properties": { + "workspaceResourceId": "[resourceId('Microsoft.OperationalInsights/workspaces/', parameters('omsWorkspacename'))]" + }, + "plan": { + "name": "[variables('omsSolution').batch[copyIndex()].solutionName]", + "publisher": "Microsoft", + "product": "[Concat('OMSGallery/', variables('omsSolution').batch[copyIndex()].solution)]", + "promotionCode": "" + } + }, + { + "apiVersion": "2017-07-01-preview", + "type": "Microsoft.ServiceFabric/clusters", + "name": "[parameters('clusterName')]", + "location": "[parameters('clusterLocation')]", + "dependsOn": [ + "[concat('Microsoft.Storage/storageAccounts/', variables('supportLogStorageAccountName'))]" + ], + "properties": { + "certificate": { + "thumbprint": "[parameters('certificateThumbprint')]", + "x509StoreName": "[parameters('certificateStoreValue')]" + }, + "clientCertificateCommonNames": [], + "clientCertificateThumbprints": [], + "clusterState": "Default", + "diagnosticsStorageAccountConfig": { + "blobEndpoint": "[reference(concat('Microsoft.Storage/storageAccounts/', variables('supportLogStorageAccountName')), variables('storageApiVersion')).primaryEndpoints.blob]", + "protectedAccountKeyName": "StorageAccountKey1", + "queueEndpoint": "[reference(concat('Microsoft.Storage/storageAccounts/', variables('supportLogStorageAccountName')), variables('storageApiVersion')).primaryEndpoints.queue]", + "storageAccountName": "[variables('supportLogStorageAccountName')]", + "tableEndpoint": "[reference(concat('Microsoft.Storage/storageAccounts/', variables('supportLogStorageAccountName')), variables('storageApiVersion')).primaryEndpoints.table]" + }, + "fabricSettings": [ + { + "parameters": [ + { + "name": "ClusterProtectionLevel", + "value": 
"[parameters('clusterProtectionLevel')]" + } + ], + "name": "Security" + } + ], + "addonFeatures": [ + "DnsService" + ], + "managementEndpoint": "[concat('https://',reference(concat(variables('lbIPName'),'-','0')).dnsSettings.fqdn,':',variables('nt0fabricHttpGatewayPort'))]", + "nodeTypes": [ + { + "name": "[variables('vmNodeType0Name')]", + "applicationPorts": { + "endPort": "[variables('nt0applicationEndPort')]", + "startPort": "[variables('nt0applicationStartPort')]" + }, + "clientConnectionEndpointPort": "[variables('nt0fabricTcpGatewayPort')]", + "durabilityLevel": "Bronze", + "ephemeralPorts": { + "endPort": "[variables('nt0ephemeralEndPort')]", + "startPort": "[variables('nt0ephemeralStartPort')]" + }, + "httpGatewayEndpointPort": "[variables('nt0fabricHttpGatewayPort')]", + "isPrimary": true, + "vmInstanceCount": "[parameters('nt0InstanceCount')]" + } + ], + "provisioningState": "Default", + "reliabilityLevel": "Silver", + "upgradeMode": "Automatic", + "vmImage": "Linux" + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + } + ], + "outputs": { + "clusterProperties": { + "value": "[reference(parameters('clusterName'))]", + "type": "object" + } + } +} \ No newline at end of file diff --git a/5-VM-Linux-1-NodeType-OMS-Secure/README.md b/5-VM-Linux-1-NodeType-OMS-Secure/README.md new file mode 100644 index 0000000..7f89e24 --- /dev/null +++ b/5-VM-Linux-1-NodeType-OMS-Secure/README.md 
@@ -0,0 +1,11 @@
+# Create a Service Fabric cluster with OMS
+
+This template allows you to deploy a secure 1, 3 - 99 node Service Fabric cluster running Linux. The template also creates an OMS Workspace with Service Fabric and Containers solutions within it, and deploys the OMS agent to each of the nodes to collect diagnostics information.
+
+## Creating a custom ARM template
+
+To create a custom ARM template for your cluster, log in to the Azure Portal and go through the process of creating a new cluster as described in [Creating Service Fabric Cluster via portal](https://docs.microsoft.com/azure/service-fabric/service-fabric-cluster-creation-via-portal). When ready, instead of clicking **create** for the resource, go to **Summary** and download the template and parameters.
+
+## Deploying the ARM template to Azure using Resource Manager PowerShell
+
+Refer to [Deploying ARM templates using ARM PS](https://azure.microsoft.com/documentation/articles/service-fabric-cluster-creation-via-arm/) for detailed guidance on how to. There is detailed guidance on how to set up your certificates as well.
\ No newline at end of file
From 34b1aa1b3c8438596c79c5f0422159cc21af0dd2 Mon Sep 17 00:00:00 2001
From: Nicolas Oman
Date: Thu, 24 Oct 2019 11:46:54 -0700
Subject: [PATCH 2/5] removed duplicate repo
---
 .../AzureDeploy.Parameters.json | 36 -
 .../AzureDeploy.json | 770 ------------------
 5-VM-Linux-1-NodeType-OMS-Secure/README.md | 11 -
 3 files changed, 817 deletions(-)
 delete mode 100644 5-VM-Linux-1-NodeType-OMS-Secure/AzureDeploy.Parameters.json
 delete mode 100644 5-VM-Linux-1-NodeType-OMS-Secure/AzureDeploy.json
 delete mode 100644 5-VM-Linux-1-NodeType-OMS-Secure/README.md
diff --git a/5-VM-Linux-1-NodeType-OMS-Secure/AzureDeploy.Parameters.json b/5-VM-Linux-1-NodeType-OMS-Secure/AzureDeploy.Parameters.json
deleted file mode 100644
index 1728377..0000000
--- a/5-VM-Linux-1-NodeType-OMS-Secure/AzureDeploy.Parameters.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "clusterName": {
- "value": "linuxcluster"
- },
- "adminUserName": {
- "value": "adminuser"
- },
- "adminPassword": {
- "value": "Pa$$word$1234"
- },
- "clusterLocation": {
- "value": "eastus"
- },
- "certificateThumbprint": {
- "value": ""
- },
- "sourceVaultValue": {
- "value": ""
- },
- "certificateUrlValue": {
- "value": ""
- },
- "clusterProtectionLevel": {
- "value": "EncryptAndSign"
- },
- "storageAccountType": {
- "value": "Standard_LRS"
- },
- "supportLogStorageAccountType": {
- "value": "Standard_LRS"
- }
- }
-}
\ No newline at end of file
diff --git a/5-VM-Linux-1-NodeType-OMS-Secure/AzureDeploy.json b/5-VM-Linux-1-NodeType-OMS-Secure/AzureDeploy.json
deleted file mode 100644
index ee8d68a..0000000
--- a/5-VM-Linux-1-NodeType-OMS-Secure/AzureDeploy.json
+++ /dev/null
@@ -1,770 +0,0 @@ -{ - "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json", - "contentVersion": "1.0.0.0", - "parameters": { - "clusterLocation": { - "type": "string", - "metadata": { - "description": "Location of the Cluster" - } - }, - "clusterName": { - "type": "string", - "defaultValue": "Cluster", - "metadata": { - "description": "Name of your cluster - Between 3 and 23 characters. Letters and numbers only" - } - }, - "adminUserName": { - "type": "string", - "defaultValue": "testadm", - "metadata": { - "description": "Remote desktop user Id" - } - }, - "adminPassword": { - "type": "securestring", - "metadata": { - "description": "Remote desktop user password. Must be a strong password" - } - }, - "vmImagePublisher": { - "type": "string", - "defaultValue": "Canonical" - }, - "vmImageOffer": { - "type": "string", - "defaultValue": "UbuntuServer" - }, - "vmImageSku": { - "type": "string", - "defaultValue": "16.04-LTS" - }, - "vmImageVersion": { - "type": "string", - "defaultValue": "latest" - }, - "loadBalancedAppPort1": { - "type": "int", - "defaultValue": 80, - "metadata": { - "description": "Input endpoint1 for the application to use. Replace it with what your application uses" - } - }, - "loadBalancedAppPort2": { - "type": "int", - "defaultValue": 8081, - "metadata": { - "description": "Input endpoint2 for the application to use. 
Replace it with what your application uses" - } - }, - "certificateStoreValue": { - "type": "string", - "allowedValues": [ - "My" - ], - "defaultValue": "My", - "metadata": { - "description": "The store name where the cert will be deployed in the virtual machine" - } - }, - "certificateThumbprint": { - "type": "string", - "metadata": { - "description": "Certificate Thumbprint" - } - }, - "sourceVaultValue": { - "type": "string", - "metadata": { - "description": "Resource Id of the key vault, is should be in the format of /subscriptions//resourceGroups//providers/Microsoft.KeyVault/vaults/" - } - }, - "certificateUrlValue": { - "type": "string", - "metadata": { - "description": "Refers to the location URL in your key vault where the certificate was uploaded, it is should be in the format of https://.vault.azure.net:443/secrets/" - } - }, - "clusterProtectionLevel": { - "type": "string", - "allowedValues": [ - "None", - "Sign", - "EncryptAndSign" - ], - "defaultValue": "EncryptAndSign", - "metadata": { - "description": "Protection level.Three values are allowed - EncryptAndSign, Sign, None. 
It is best to keep the default of EncryptAndSign, unless you have a need not to" - } - }, - "storageAccountType": { - "type": "string", - "allowedValues": [ - "Standard_LRS", - "Standard_GRS" - ], - "defaultValue": "Standard_LRS", - "metadata": { - "description": "Replication option for the VM image storage account" - } - }, - "supportLogStorageAccountType": { - "type": "string", - "allowedValues": [ - "Standard_LRS", - "Standard_GRS" - ], - "defaultValue": "Standard_LRS", - "metadata": { - "description": "Replication option for the support log storage account" - } - }, - "applicationDiagnosticsStorageAccountType": { - "type": "string", - "allowedValues": [ - "Standard_LRS", - "Standard_GRS" - ], - "defaultValue": "Standard_LRS", - "metadata": { - "description": "Replication option for the application diagnostics storage account" - } - }, - "nt0InstanceCount": { - "type": "int", - "defaultValue": 5, - "metadata": { - "description": "Instance count for node type" - } - }, - "omsWorkspacename": { - "type": "string", - "defaultValue": "[toLower(concat('sf',uniqueString(resourceGroup().id)))]", - "metadata": { - "description": "Name of your OMS Log Analytics Workspace" - } - }, - "omsWorkspaceLocation": { - "type": "string", - "defaultValue": "eastus", - "metadata": { - "description": "Select the region for your OMS workspace. 
Default is East US" - } - } - }, - "variables": { - "computeLocation": "[parameters('clusterLocation')]", - "dnsName": "[parameters('clusterName')]", - "vmStorageAccountName": "[toLower(concat(uniqueString(resourceGroup().id), '1' ))]", - "vmName": "vm", - "publicIPAddressName": "PublicIP-VM", - "publicIPAddressType": "Dynamic", - "vmStorageAccountContainerName": "vhds", - "virtualNetworkName": "VNet", - "addressPrefix": "10.0.0.0/16", - "nicName": "NIC", - "lbName": "LoadBalancer", - "lbIPName": "PublicIP-LB-FE", - "availSetName": "AvailabilitySet", - "maxPercentUpgradeDomainDeltaUnhealthyNodes": "100", - "vnetID": "[resourceId('Microsoft.Network/virtualNetworks',variables('virtualNetworkName'))]", - "overProvision": "false", - "vmssApiVersion": "2016-03-30", - "lbApiVersion": "2015-06-15", - "vNetApiVersion": "2015-06-15", - "storageApiVersion": "2016-01-01", - "publicIPApiVersion": "2015-06-15", - "nt0applicationStartPort": "20000", - "nt0applicationEndPort": "30000", - "nt0ephemeralStartPort": "49152", - "nt0ephemeralEndPort": "65534", - "nt0fabricTcpGatewayPort": "19000", - "nt0fabricHttpGatewayPort": "19080", - "subnet0Name": "Subnet-0", - "subnet0Prefix": "10.0.0.0/24", - "subnet0Ref": "[concat(variables('vnetID'),'/subnets/',variables('subnet0Name'))]", - "supportLogStorageAccountName": "[toLower( concat( uniqueString(resourceGroup().id),'2'))]", - "applicationDiagnosticsStorageAccountName": "[toLower(concat(uniqueString(resourceGroup().id), '3' ))]", - "wadlogs": "", - "wadperfcounters1": "", - "wadperfcounters2": "", - "wadcfgxstart": "[concat(variables('wadlogs'),variables('wadperfcounters1'),variables('wadperfcounters2'),'')]", - "lbID0": "[resourceId('Microsoft.Network/loadBalancers',concat('LB','-', parameters('clusterName'),'-',variables('vmNodeType0Name')))]", - "lbIPConfig0": "[concat(variables('lbID0'),'/frontendIPConfigurations/LoadBalancerIPConfig')]", - "lbPoolID0": 
"[concat(variables('lbID0'),'/backendAddressPools/LoadBalancerBEAddressPool')]", - "lbProbeID0": "[concat(variables('lbID0'),'/probes/FabricGatewayProbe')]", - "lbHttpProbeID0": "[concat(variables('lbID0'),'/probes/FabricHttpGatewayProbe')]", - "lbNatPoolID0": "[concat(variables('lbID0'),'/inboundNatPools/LoadBalancerBEAddressNatPool')]", - "vmNodeType0Name": "[toLower(concat('NT1', variables('vmName')))]", - "vmNodeType0Size": "Standard_D2_v2", - "vmStorageAccountName0": "[toLower(concat(uniqueString(resourceGroup().id), '1', '0' ))]", - "uniqueStringArray0": [ - "[concat(variables('vmStorageAccountName0'), '0')]", - "[concat(variables('vmStorageAccountName0'), '1')]", - "[concat(variables('vmStorageAccountName0'), '2')]", - "[concat(variables('vmStorageAccountName0'), '3')]", - "[concat(variables('vmStorageAccountName0'), '4')]" - ], - "wadmetricsresourceid0": "[concat('/subscriptions/',subscription().subscriptionId,'/resourceGroups/',resourceGroup().name ,'/providers/','Microsoft.Compute/virtualMachineScaleSets/', variables('vmNodeType0Name'))]", - "omsSolution": { - "batch": [ - { - "solutionName": "[concat('Containers', '(', parameters('omsWorkspacename'), ')')]", - "solution": "Containers" - }, - { - "solutionName": "[concat('ServiceFabric', '(', parameters('omsWorkspacename'), ')')]", - "solution": "ServiceFabric" - } - ] - }, - "omsWorkspaceLocation": "[replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(parameters('clusterLocation'), 'northeurope', 'westeurope'), 'eastus2', 'eastus'), 'westindia', 'australiasoutheast'), 'canadaeast', 'eastus'), 'westus', 'westcentralus'), 'westus2', 'westcentralus'), 'northcentralus', 'westcentralus'), 'southcentralus', 'westcentralus'), 'eastasia', 'southeastasia'), 'japaneast', 'southeastasia'), 'japanwest', 'southeastasia'), 'australiaeast', 'australiasoutheast'), 'southindia', 'southeastasia'), 
'centralindia', 'southeastasia'), 'canadacentral', 'eastus'), 'koreacentral', 'southeastasia'), 'koreasouth', 'southeastasia'), 'brazilsouth', 'eastus'), 'ukwest', 'westeurope'), 'uksouth', 'westeurope'), 'centralus', 'westcentralus')]" - }, - "resources": [ - { - "apiVersion": "[variables('storageApiVersion')]", - "type": "Microsoft.Storage/storageAccounts", - "name": "[variables('supportLogStorageAccountName')]", - "location": "[variables('computeLocation')]", - "dependsOn": [], - "properties": {}, - "kind": "Storage", - "sku": { - "name": "[parameters('supportLogStorageAccountType')]" - }, - "tags": { - "resourceType": "Service Fabric", - "clusterName": "[parameters('clusterName')]" - } - }, - { - "apiVersion": "[variables('storageApiVersion')]", - "type": "Microsoft.Storage/storageAccounts", - "name": "[variables('applicationDiagnosticsStorageAccountName')]", - "location": "[variables('computeLocation')]", - "dependsOn": [], - "properties": {}, - "kind": "Storage", - "sku": { - "name": "[parameters('applicationDiagnosticsStorageAccountType')]" - }, - "tags": { - "resourceType": "Service Fabric", - "clusterName": "[parameters('clusterName')]" - } - }, - { - "apiVersion": "[variables('vNetApiVersion')]", - "type": "Microsoft.Network/virtualNetworks", - "name": "[variables('virtualNetworkName')]", - "location": "[variables('computeLocation')]", - "properties": { - "addressSpace": { - "addressPrefixes": [ - "[variables('addressPrefix')]" - ] - }, - "subnets": [ - { - "name": "[variables('subnet0Name')]", - "properties": { - "addressPrefix": "[variables('subnet0Prefix')]" - } - } - ] - }, - "tags": { - "resourceType": "Service Fabric", - "clusterName": "[parameters('clusterName')]" - } - }, - { - "apiVersion": "[variables('publicIPApiVersion')]", - "type": "Microsoft.Network/publicIPAddresses", - "name": "[concat(variables('lbIPName'),'-','0')]", - "location": "[variables('computeLocation')]", - "properties": { - "dnsSettings": { - "domainNameLabel": 
"[variables('dnsName')]" - }, - "publicIPAllocationMethod": "Dynamic" - }, - "tags": { - "resourceType": "Service Fabric", - "clusterName": "[parameters('clusterName')]" - } - }, - { - "apiVersion": "[variables('lbApiVersion')]", - "type": "Microsoft.Network/loadBalancers", - "name": "[concat('LB','-', parameters('clusterName'),'-',variables('vmNodeType0Name'))]", - "location": "[variables('computeLocation')]", - "dependsOn": [ - "[concat('Microsoft.Network/publicIPAddresses/',concat(variables('lbIPName'),'-','0'))]" - ], - "properties": { - "frontendIPConfigurations": [ - { - "name": "LoadBalancerIPConfig", - "properties": { - "publicIPAddress": { - "id": "[resourceId('Microsoft.Network/publicIPAddresses',concat(variables('lbIPName'),'-','0'))]" - } - } - } - ], - "backendAddressPools": [ - { - "name": "LoadBalancerBEAddressPool", - "properties": {} - } - ], - "loadBalancingRules": [ - { - "name": "LBRule", - "properties": { - "backendAddressPool": { - "id": "[variables('lbPoolID0')]" - }, - "backendPort": "[variables('nt0fabricTcpGatewayPort')]", - "enableFloatingIP": "false", - "frontendIPConfiguration": { - "id": "[variables('lbIPConfig0')]" - }, - "frontendPort": "[variables('nt0fabricTcpGatewayPort')]", - "idleTimeoutInMinutes": "5", - "probe": { - "id": "[variables('lbProbeID0')]" - }, - "protocol": "tcp" - } - }, - { - "name": "LBHttpRule", - "properties": { - "backendAddressPool": { - "id": "[variables('lbPoolID0')]" - }, - "backendPort": "[variables('nt0fabricHttpGatewayPort')]", - "enableFloatingIP": "false", - "frontendIPConfiguration": { - "id": "[variables('lbIPConfig0')]" - }, - "frontendPort": "[variables('nt0fabricHttpGatewayPort')]", - "idleTimeoutInMinutes": "5", - "probe": { - "id": "[variables('lbHttpProbeID0')]" - }, - "protocol": "tcp" - } - }, - { - "name": "AppPortLBRule1", - "properties": { - "backendAddressPool": { - "id": "[variables('lbPoolID0')]" - }, - "backendPort": "[parameters('loadBalancedAppPort1')]", - "enableFloatingIP": 
"false", - "frontendIPConfiguration": { - "id": "[variables('lbIPConfig0')]" - }, - "frontendPort": "[parameters('loadBalancedAppPort1')]", - "idleTimeoutInMinutes": "5", - "probe": { - "id": "[concat(variables('lbID0'),'/probes/AppPortProbe1')]" - }, - "protocol": "tcp" - } - }, - { - "name": "AppPortLBRule2", - "properties": { - "backendAddressPool": { - "id": "[variables('lbPoolID0')]" - }, - "backendPort": "[parameters('loadBalancedAppPort2')]", - "enableFloatingIP": "false", - "frontendIPConfiguration": { - "id": "[variables('lbIPConfig0')]" - }, - "frontendPort": "[parameters('loadBalancedAppPort2')]", - "idleTimeoutInMinutes": "5", - "probe": { - "id": "[concat(variables('lbID0'),'/probes/AppPortProbe2')]" - }, - "protocol": "tcp" - } - } - ], - "probes": [ - { - "name": "FabricGatewayProbe", - "properties": { - "intervalInSeconds": 5, - "numberOfProbes": 2, - "port": "[variables('nt0fabricTcpGatewayPort')]", - "protocol": "tcp" - } - }, - { - "name": "FabricHttpGatewayProbe", - "properties": { - "intervalInSeconds": 5, - "numberOfProbes": 2, - "port": "[variables('nt0fabricHttpGatewayPort')]", - "protocol": "tcp" - } - }, - { - "name": "AppPortProbe1", - "properties": { - "intervalInSeconds": 5, - "numberOfProbes": 2, - "port": "[parameters('loadBalancedAppPort1')]", - "protocol": "tcp" - } - }, - { - "name": "AppPortProbe2", - "properties": { - "intervalInSeconds": 5, - "numberOfProbes": 2, - "port": "[parameters('loadBalancedAppPort2')]", - "protocol": "tcp" - } - } - ], - "inboundNatPools": [ - { - "name": "LoadBalancerBEAddressNatPool", - "properties": { - "backendPort": "22", - "frontendIPConfiguration": { - "id": "[variables('lbIPConfig0')]" - }, - "frontendPortRangeEnd": "4500", - "frontendPortRangeStart": "3389", - "protocol": "tcp" - } - } - ] - }, - "tags": { - "resourceType": "Service Fabric", - "clusterName": "[parameters('clusterName')]" - } - }, - { - "apiVersion": "[variables('storageApiVersion')]", - "type": 
"Microsoft.Storage/storageAccounts", - "name": "[variables('uniqueStringArray0')[copyIndex()]]", - "location": "[variables('computeLocation')]", - "dependsOn": [], - "properties": {}, - "copy": { - "name": "storageLoop", - "count": 5 - }, - "kind": "Storage", - "sku": { - "name": "[parameters('storageAccountType')]" - }, - "tags": { - "resourceType": "Service Fabric", - "clusterName": "[parameters('clusterName')]" - } - }, - { - "apiVersion": "[variables('vmssApiVersion')]", - "type": "Microsoft.Compute/virtualMachineScaleSets", - "name": "[variables('vmNodeType0Name')]", - "location": "[variables('computeLocation')]", - "dependsOn": [ - "[concat('Microsoft.Network/virtualNetworks/', variables('virtualNetworkName'))]", - "[concat('Microsoft.Storage/storageAccounts/', variables('uniqueStringArray0')[0])]", - "[concat('Microsoft.Storage/storageAccounts/', variables('uniqueStringArray0')[1])]", - "[concat('Microsoft.Storage/storageAccounts/', variables('uniqueStringArray0')[2])]", - "[concat('Microsoft.Storage/storageAccounts/', variables('uniqueStringArray0')[3])]", - "[concat('Microsoft.Storage/storageAccounts/', variables('uniqueStringArray0')[4])]", - "[concat('Microsoft.Network/loadBalancers/', concat('LB','-', parameters('clusterName'),'-',variables('vmNodeType0Name')))]", - "[concat('Microsoft.Storage/storageAccounts/', variables('supportLogStorageAccountName'))]", - "[concat('Microsoft.Storage/storageAccounts/', variables('applicationDiagnosticsStorageAccountName'))]" - ], - "properties": { - "overprovision": "[variables('overProvision')]", - "upgradePolicy": { - "mode": "Automatic" - }, - "virtualMachineProfile": { - "extensionProfile": { - "extensions": [ - { - "name": "[concat('ServiceFabricNodeVmExt','_vmNodeType0Name')]", - "properties": { - "type": "ServiceFabricLinuxNode", - "autoUpgradeMinorVersion": true, - "protectedSettings": { - "StorageAccountKey1": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', 
variables('supportLogStorageAccountName')),'2015-05-01-preview').key1]", - "StorageAccountKey2": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('supportLogStorageAccountName')),'2015-05-01-preview').key2]" - }, - "publisher": "Microsoft.Azure.ServiceFabric", - "settings": { - "clusterEndpoint": "[reference(parameters('clusterName')).clusterEndpoint]", - "nodeTypeRef": "[variables('vmNodeType0Name')]", - "durabilityLevel": "Bronze", - "certificate": { - "thumbprint": "[parameters('certificateThumbprint')]", - "x509StoreName": "[parameters('certificateStoreValue')]" - } - }, - "typeHandlerVersion": "1.0" - } - }, - { - "name": "[concat(variables('vmNodeType0Name'),'OMS')]", - "properties": { - "publisher": "Microsoft.EnterpriseCloud.Monitoring", - "type": "OmsAgentForLinux", - "typeHandlerVersion": "1.4", - "autoUpgradeMinorVersion": true, - "settings": { - "workspaceId": "[reference(resourceId('Microsoft.OperationalInsights/workspaces/', parameters('omsWorkspacename')), '2015-11-01-preview').customerId]" - }, - "protectedSettings": { - "workspaceKey": "[listKeys(resourceId('Microsoft.OperationalInsights/workspaces/', parameters('omsWorkspacename')),'2015-11-01-preview').primarySharedKey]" - } - } - }, - { - "name": "[concat('VMDiagnosticsVmExt','_vmNodeType0Name')]", - "properties": { - "type": "LinuxDiagnostic", - "autoUpgradeMinorVersion": true, - "protectedSettings": { - "storageAccountName": "[variables('applicationDiagnosticsStorageAccountName')]", - "storageAccountKey": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('applicationDiagnosticsStorageAccountName')),'2015-05-01-preview').key1]", - "storageAccountEndPoint": "https://core.windows.net/" - }, - "publisher": "Microsoft.OSTCExtensions", - "settings": { - "xmlCfg": "[base64(concat(variables('wadcfgxstart'),variables('wadmetricsresourceid0'),variables('wadcfgxend')))]", - "StorageAccount": "[variables('applicationDiagnosticsStorageAccountName')]" - }, - 
"typeHandlerVersion": "2.3" - } - } - ] - }, - "networkProfile": { - "networkInterfaceConfigurations": [ - { - "name": "[concat(variables('nicName'), '-0')]", - "properties": { - "ipConfigurations": [ - { - "name": "[concat(variables('nicName'),'-',0)]", - "properties": { - "loadBalancerBackendAddressPools": [ - { - "id": "[variables('lbPoolID0')]" - } - ], - "loadBalancerInboundNatPools": [ - { - "id": "[variables('lbNatPoolID0')]" - } - ], - "subnet": { - "id": "[variables('subnet0Ref')]" - } - } - } - ], - "primary": true - } - } - ] - }, - "osProfile": { - "adminPassword": "[parameters('adminPassword')]", - "adminUsername": "[parameters('adminUsername')]", - "computernamePrefix": "[variables('vmNodeType0Name')]", - "secrets": [ - { - "sourceVault": { - "id": "[parameters('sourceVaultValue')]" - }, - "vaultCertificates": [ - { - "certificateUrl": "[parameters('certificateUrlValue')]" - } - ] - } - ] - }, - "storageProfile": { - "imageReference": { - "publisher": "[parameters('vmImagePublisher')]", - "offer": "[parameters('vmImageOffer')]", - "sku": "[parameters('vmImageSku')]", - "version": "[parameters('vmImageVersion')]" - }, - "osDisk": { - "vhdContainers": [ - "[concat(reference(concat('Microsoft.Storage/storageAccounts/', variables('uniqueStringArray0')[0]), variables('storageApiVersion')).primaryEndpoints.blob, variables('vmStorageAccountContainerName'))]", - "[concat(reference(concat('Microsoft.Storage/storageAccounts/', variables('uniqueStringArray0')[1]), variables('storageApiVersion')).primaryEndpoints.blob, variables('vmStorageAccountContainerName'))]", - "[concat(reference(concat('Microsoft.Storage/storageAccounts/', variables('uniqueStringArray0')[2]), variables('storageApiVersion')).primaryEndpoints.blob, variables('vmStorageAccountContainerName'))]", - "[concat(reference(concat('Microsoft.Storage/storageAccounts/', variables('uniqueStringArray0')[3]), variables('storageApiVersion')).primaryEndpoints.blob, 
variables('vmStorageAccountContainerName'))]", - "[concat(reference(concat('Microsoft.Storage/storageAccounts/', variables('uniqueStringArray0')[4]), variables('storageApiVersion')).primaryEndpoints.blob, variables('vmStorageAccountContainerName'))]" - ], - "name": "vmssosdisk", - "caching": "ReadOnly", - "createOption": "FromImage" - } - } - } - }, - "sku": { - "name": "[variables('vmNodeType0Size')]", - "capacity": "[parameters('nt0InstanceCount')]", - "tier": "Standard" - }, - "tags": { - "resourceType": "Service Fabric", - "clusterName": "[parameters('clusterName')]" - } - }, - { - "apiVersion": "2015-11-01-preview", - "location": "[parameters('omsWorkspaceLocation')]", - "name": "[parameters('omsWorkspacename')]", - "type": "Microsoft.OperationalInsights/workspaces", - "properties": { - "sku": { - "name": "Free" - } - }, - "resources": [ - { - "apiVersion": "2015-11-01-preview", - "name": "[concat(variables('applicationDiagnosticsStorageAccountName'),parameters('omsWorkspacename'))]", - "type": "storageInsightConfigs", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('omsWorkspacename'))]", - "[concat('Microsoft.Storage/storageAccounts/', variables('applicationDiagnosticsStorageAccountName'))]" - ], - "properties": { - "containers": [], - "tables": [ - "WADServiceFabric*EventTable", - "WADWindowsEventLogsTable", - "WADETWEventTable" - ], - "storageAccount": { - "id": "[resourceId('Microsoft.Storage/storageaccounts/', variables('applicationDiagnosticsStorageAccountName'))]", - "key": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('applicationDiagnosticsStorageAccountName')),'2015-06-15').key1]" - } - } - } - ] - }, - { - "apiVersion": "2015-11-01-preview", - "location": "[parameters('omsWorkspaceLocation')]", - "name": "[concat(variables('omsSolution').batch[copyIndex()].solutionName)]", - "type": "Microsoft.OperationsManagement/solutions", - "dependsOn": [ - 
"[concat('Microsoft.OperationalInsights/workspaces/', parameters('OMSWorkspacename'))]", - "[concat('Microsoft.ServiceFabric/clusters/', parameters('clusterName'))]" - ], - "copy": { - "name": "solutionCopy", - "count": "[length(variables('omsSolution').batch)]" - }, - "properties": { - "workspaceResourceId": "[resourceId('Microsoft.OperationalInsights/workspaces/', parameters('omsWorkspacename'))]" - }, - "plan": { - "name": "[variables('omsSolution').batch[copyIndex()].solutionName]", - "publisher": "Microsoft", - "product": "[Concat('OMSGallery/', variables('omsSolution').batch[copyIndex()].solution)]", - "promotionCode": "" - } - }, - { - "apiVersion": "2017-07-01-preview", - "type": "Microsoft.ServiceFabric/clusters", - "name": "[parameters('clusterName')]", - "location": "[parameters('clusterLocation')]", - "dependsOn": [ - "[concat('Microsoft.Storage/storageAccounts/', variables('supportLogStorageAccountName'))]" - ], - "properties": { - "certificate": { - "thumbprint": "[parameters('certificateThumbprint')]", - "x509StoreName": "[parameters('certificateStoreValue')]" - }, - "clientCertificateCommonNames": [], - "clientCertificateThumbprints": [], - "clusterState": "Default", - "diagnosticsStorageAccountConfig": { - "blobEndpoint": "[reference(concat('Microsoft.Storage/storageAccounts/', variables('supportLogStorageAccountName')), variables('storageApiVersion')).primaryEndpoints.blob]", - "protectedAccountKeyName": "StorageAccountKey1", - "queueEndpoint": "[reference(concat('Microsoft.Storage/storageAccounts/', variables('supportLogStorageAccountName')), variables('storageApiVersion')).primaryEndpoints.queue]", - "storageAccountName": "[variables('supportLogStorageAccountName')]", - "tableEndpoint": "[reference(concat('Microsoft.Storage/storageAccounts/', variables('supportLogStorageAccountName')), variables('storageApiVersion')).primaryEndpoints.table]" - }, - "fabricSettings": [ - { - "parameters": [ - { - "name": "ClusterProtectionLevel", - "value": 
"[parameters('clusterProtectionLevel')]" - } - ], - "name": "Security" - } - ], - "addonFeatures": [ - "DnsService" - ], - "managementEndpoint": "[concat('https://',reference(concat(variables('lbIPName'),'-','0')).dnsSettings.fqdn,':',variables('nt0fabricHttpGatewayPort'))]", - "nodeTypes": [ - { - "name": "[variables('vmNodeType0Name')]", - "applicationPorts": { - "endPort": "[variables('nt0applicationEndPort')]", - "startPort": "[variables('nt0applicationStartPort')]" - }, - "clientConnectionEndpointPort": "[variables('nt0fabricTcpGatewayPort')]", - "durabilityLevel": "Bronze", - "ephemeralPorts": { - "endPort": "[variables('nt0ephemeralEndPort')]", - "startPort": "[variables('nt0ephemeralStartPort')]" - }, - "httpGatewayEndpointPort": "[variables('nt0fabricHttpGatewayPort')]", - "isPrimary": true, - "vmInstanceCount": "[parameters('nt0InstanceCount')]" - } - ], - "provisioningState": "Default", - "reliabilityLevel": "Silver", - "upgradeMode": "Automatic", - "vmImage": "Linux" - }, - "tags": { - "resourceType": "Service Fabric", - "clusterName": "[parameters('clusterName')]" - } - } - ], - "outputs": { - "clusterProperties": { - "value": "[reference(parameters('clusterName'))]", - "type": "object" - } - } -} \ No newline at end of file diff --git a/5-VM-Linux-1-NodeType-OMS-Secure/README.md b/5-VM-Linux-1-NodeType-OMS-Secure/README.md deleted file mode 100644 index 7f89e24..0000000 --- a/5-VM-Linux-1-NodeType-OMS-Secure/README.md +++ /dev/null 
@@ -1,11 +0,0 @@
-# Create a Service Fabric cluster with OMS
-
-This template allows you to deploy a secure 1, 3 - 99 node Service Fabric cluster running Linux. The template also creates an OMS Workspace with Service Fabric and Containers solutions within it, and deploys the OMS agent to each of the nodes to collect diagnostics information.
-
-## Creating a custom ARM template
-
-To create a custom ARM template for your cluster, log in to the Azure Portal and go through the process of creating a new cluster as described in [Creating Service Fabric Cluster via portal](https://docs.microsoft.com/azure/service-fabric/service-fabric-cluster-creation-via-portal). When ready, instead of clicking **create** for the resource, go to **Summary** and download the template and parameters.
-
-## Deploying the ARM template to Azure using Resource Manager PowerShell
-
-Refer to [Deploying ARM templates using ARM PS](https://azure.microsoft.com/documentation/articles/service-fabric-cluster-creation-via-arm/) for detailed guidance on how to. There is detailed guidance on how to set up your certificates as well.
\ No newline at end of file
From 5ff963a5b4b5d91b4b0c093fbe3fa4043f288c23 Mon Sep 17 00:00:00 2001
From: Nicolas Oman
Date: Thu, 24 Oct 2019 12:03:15 -0700
Subject: [PATCH 3/5] ported certification rollover sample
---
 ...M-1-NodeTypes-Secure.parameters_Step1.json | 54 ++
 ...M-1-NodeTypes-Secure.parameters_Step2.json | 60 ++
 .../5-VM-1-NodeTypes-Secure_Step1.json | 589 +++++++++++++++++
 .../5-VM-1-NodeTypes-Secure_Step2.json | 610 ++++++++++++++++++
 Cert-Rollover-Sample/README.md | 18 +
 5 files changed, 1331 insertions(+)
 create mode 100644 Cert-Rollover-Sample/5-VM-1-NodeTypes-Secure.parameters_Step1.json
 create mode 100644 Cert-Rollover-Sample/5-VM-1-NodeTypes-Secure.parameters_Step2.json
 create mode 100644 Cert-Rollover-Sample/5-VM-1-NodeTypes-Secure_Step1.json
 create mode 100644 Cert-Rollover-Sample/5-VM-1-NodeTypes-Secure_Step2.json
 create mode 100644 Cert-Rollover-Sample/README.md
diff --git a/Cert-Rollover-Sample/5-VM-1-NodeTypes-Secure.parameters_Step1.json b/Cert-Rollover-Sample/5-VM-1-NodeTypes-Secure.parameters_Step1.json
new file mode 100644
index 0000000..4345835
--- /dev/null
+++ b/Cert-Rollover-Sample/5-VM-1-NodeTypes-Secure.parameters_Step1.json
@@ -0,0 +1,54 @@
+{
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "clusterName": {
+ "value": "Cluster"
+ },
+ "clusterLocation": {
+ "value": "westus"
+ },
+ "adminUserName": {
+ "value": "testuser"
+ },
+ "vmImagePublisher": {
+ "value": "MicrosoftWindowsServer"
+ },
+ "vmImageOffer": {
+ "value": "WindowsServer"
+ },
+ "vmImageSku": {
+ "value": "2012-R2-Datacenter"
+ },
+ "vmImageVersion": {
+ "value": "latest"
+ },
+ "loadBalancedAppPort1": {
+ "value": 80
+ },
+ "loadBalancedAppPort2": {
+ "value": 8081
+ },
+ "certificateStoreValue": {
+ "value": "My"
+ },
+ "certificateThumbprint": {
+ "value": "thumbprint value"
+ },
+ "sourceVaultValue": {
+ "value": "/subscriptions/subscription value/resourceGroups/key vault resource group name/providers/Microsoft.KeyVault/vaults/key vault name"
+ },
+ "certificateUrlValue": {
+ "value": "Refers to the location URL in your key vault where the certificate was uploaded, it is should be in the format of https://.vault.azure.net:443/secrets/"
+ },
+ "clusterProtectionLevel": {
+ "value": "EncryptAndSign"
+ },
+ "storageAccountType": {
+ "value": "Standard_LRS"
+ },
+ "supportLogStorageAccountType": {
+ "value": "Standard_LRS"
+ }
+ }
+}
\ No newline at end of file
diff --git a/Cert-Rollover-Sample/5-VM-1-NodeTypes-Secure.parameters_Step2.json b/Cert-Rollover-Sample/5-VM-1-NodeTypes-Secure.parameters_Step2.json
new file mode 100644
index 0000000..ee1a69c
--- /dev/null
+++ b/Cert-Rollover-Sample/5-VM-1-NodeTypes-Secure.parameters_Step2.json
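Review bot: The sample values under `certificateThumbprint`, `sourceVaultValue` and `certificateUrlValue` are prose rather than shape-preserving placeholders — `certificateUrlValue` holds the parameter's own description sentence and `sourceVaultValue` embeds spaces inside a resource id — so a copy-and-deploy of this file presumably fails only when the deployment reaches the certificate secret, with an error that says nothing about the parameters file; consistent, obviously-fake placeholders such as `"<certificate-thumbprint>"` and `"https://<vault-name>.vault.azure.net:443/secrets/<secret-name>"` make the gap visible at a glance. `adminPassword` is rightly left out of the committed file, since the template declares it as a `securestring` with no default, but nothing in this file tells the reader it must be supplied at deploy time; a Key Vault reference here, `"adminPassword": { "reference": { "keyVault": { "id": "<key-vault-resource-id>" }, "secretName": "<secret-name>" } }`, keeps the secret out of both the repository and the shell history. The Step2 parameters hunk that follows duplicates the same placeholder values and the same omission.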
@@ -0,0 +1,60 @@
+{
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "clusterName": {
+ "value": "Cluster"
+ },
+ "clusterLocation": {
+ "value": "westus"
+ },
+ "adminUserName": {
+ "value": "testuser"
+ },
+ "vmImagePublisher": {
+ "value": "MicrosoftWindowsServer"
+ },
+ "vmImageOffer": {
+ "value": "WindowsServer"
+ },
+ "vmImageSku": {
+ "value": "2012-R2-Datacenter"
+ },
+ "vmImageVersion": {
+ "value": "latest"
+ },
+ "loadBalancedAppPort1": {
+ "value": 80
+ },
+ "loadBalancedAppPort2": {
+ "value": 8081
+ },
+ "certificateStoreValue": {
+ "value": "My"
+ },
+ "secCertificateThumbprint": {
+ "value": "thumbprint value"
+ },
+ "secCertificateUrlValue": {
+ "value": "Refers to the location URL in your key vault where the certificate was uploaded, it is should be in the format of https://.vault.azure.net:443/secrets/"
+ },
+ "certificateThumbprint": {
+ "value": "thumbprint value"
+ },
+ "sourceVaultValue": {
+ "value": "/subscriptions/subscription value/resourceGroups/key vault resource group name/providers/Microsoft.KeyVault/vaults/key vault name"
+ },
+ "certificateUrlValue": {
+ "value": "Refers to the location URL in your key vault where the certificate was uploaded, it is should be in the format of https://.vault.azure.net:443/secrets/"
+ },
+ "clusterProtectionLevel": {
+ "value": "EncryptAndSign"
+ },
+ "storageAccountType": {
+ "value": "Standard_LRS"
+ },
+ "supportLogStorageAccountType": {
+ "value": "Standard_LRS"
+ }
+ }
+}
\ No newline at end of file
diff --git a/Cert-Rollover-Sample/5-VM-1-NodeTypes-Secure_Step1.json b/Cert-Rollover-Sample/5-VM-1-NodeTypes-Secure_Step1.json
new file mode 100644
index 0000000..f79ba61
--- /dev/null
+++ b/Cert-Rollover-Sample/5-VM-1-NodeTypes-Secure_Step1.json
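Review bot: `secCertificateThumbprint` and `certificateThumbprint` carry the identical placeholder `"thumbprint value"`, and `secCertificateUrlValue` and `certificateUrlValue` the identical description sentence, so the file does not show the one thing a rollover step must get right: the secondary certificate is a different certificate from the primary. Distinct placeholders — `"<new-certificate-thumbprint>"` beside `"<current-certificate-thumbprint>"`, and likewise for the two URLs — would make an accidental copy of the old value into both slots stand out in review, since a rollover deployed with two equal thumbprints presumably leaves the cluster trusting only the certificate it already had. The Step2 template that consumes these parameters is outside this view, so which of the two values it treats as primary cannot be confirmed here.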
@@ -0,0 +1,589 @@
+{
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "clusterLocation": {
+ "type": "string",
+ "metadata": {
+ "description": "Location of the Cluster"
+ }
+ },
+ "clusterName": {
+ "type": "string",
+ "defaultValue": "Cluster",
+ "metadata": {
+ "description": "Name of your cluster - Between 3 and 23 characters. Letters and numbers only"
+ }
+ },
+ "adminUserName": {
+ "type": "string",
+ "defaultValue": "testadm",
+ "metadata": {
+ "description": "Remote desktop user Id"
+ }
+ },
+ "adminPassword": {
+ "type": "securestring",
+ "metadata": {
+ "description": "Remote desktop user password. Must be a strong password"
+ }
+ },
+ "vmImagePublisher": {
+ "type": "string",
+ "defaultValue": "MicrosoftWindowsServer"
+ },
+ "vmImageOffer": {
+ "type": "string",
+ "defaultValue": "WindowsServer"
+ },
+ "vmImageSku": {
+ "type": "string",
+ "defaultValue": "2012-R2-Datacenter"
+ },
+ "vmImageVersion": {
+ "type": "string",
+ "defaultValue": "latest"
+ },
+ "loadBalancedAppPort1": {
+ "type": "int",
+ "defaultValue": 80,
+ "metadata": {
+ "description": "Input endpoint1 for the application to use. Replace it with what your application uses"
+ }
+ },
+ "loadBalancedAppPort2": {
+ "type": "int",
+ "defaultValue": 8081,
+ "metadata": {
+ "description": "Input endpoint2 for the application to use. Replace it with what your application uses"
+ }
+ },
+ "certificateStoreValue": {
+ "type": "string",
+ "allowedValues": [
+ "My"
+ ],
+ "defaultValue": "My",
+ "metadata": {
+ "description": "The store name where the cert will be deployed in the virtual machine"
+ }
+ },
+ "certificateThumbprint": {
+ "type": "string",
+ "metadata": {
+ "description": "Certificate Thumbprint"
+ }
+ },
+ "sourceVaultValue": {
+ "type": "string",
+ "metadata": {
+ "description": "Resource Id of the key vault, is should be in the format of /subscriptions//resourceGroups//providers/Microsoft.KeyVault/vaults/"
+ }
+ },
+ "certificateUrlValue": {
+ "type": "string",
+ "metadata": {
+ "description": "Refers to the location URL in your key vault where the certificate was uploaded, it is should be in the format of https://.vault.azure.net:443/secrets/"
+ }
+ },
+ "clusterProtectionLevel": {
+ "type": "string",
+ "allowedValues": [
+ "None",
+ "Sign",
+ "EncryptAndSign"
+ ],
+ "defaultValue": "EncryptAndSign",
+ "metadata": {
+ "description": "Protection level.Three values are allowed - EncryptAndSign, Sign, None. It is best to keep the default of EncryptAndSign, unless you have a need not to"
+ }
+ },
+ "storageAccountType": {
+ "type": "string",
+ "allowedValues": [
+ "Standard_LRS",
+ "Standard_GRS"
+ ],
+ "defaultValue": "Standard_LRS",
+ "metadata": {
+ "description": "Replication option for the VM image storage account"
+ }
+ },
+ "supportLogStorageAccountType": {
+ "type": "string",
+ "allowedValues": [
+ "Standard_LRS",
+ "Standard_GRS"
+ ],
+ "defaultValue": "Standard_LRS",
+ "metadata": {
+ "description": "Replication option for the support log storage account"
+ }
+ }
+ },
+ "variables": {
+ "computeLocation": "[parameters('clusterLocation')]",
+ "dnsName": "[parameters('clusterName')]",
+ "vmStorageAccountName": "[toLower(concat(uniqueString(resourceGroup().id), '1' ))]",
+ "vmName": "vm",
+ "publicIPAddressName": "PublicIP-VM",
+ "publicIPAddressType": "Dynamic",
+ "vmStorageAccountContainerName": "vhds",
+ "virtualNetworkName": "VNet",
+ "addressPrefix": "10.0.0.0/16",
+ "nicName": "NIC",
+ "lbName": "LoadBalancer",
+ "lbIPName": "PublicIP-LB-FE",
+ "availSetName": "AvailabilitySet",
+ "maxPercentUpgradeDomainDeltaUnhealthyNodes": "100",
+ "vnetID": "[resourceId('Microsoft.Network/virtualNetworks',variables('virtualNetworkName'))]",
+ "overProvision": "false",
+ "vmssApiVersion": "2016-03-30",
+ "lbApiVersion": "2015-06-15",
+ "vNetApiVersion": "2015-06-15",
+ "storageApiVersion": "2015-06-15",
+ "publicIPApiVersion": "2015-06-15",
+ "vmImagePublisher": "MicrosoftWindowsServer",
+ "vmImageOffer": "WindowsServer",
+ "vmImageSku": "2012-R2-Datacenter",
+ "vmImageVersion": "latest",
+ "nt0applicationStartPort": "20000",
+ "nt0applicationEndPort": "30000",
+ "nt0ephemeralStartPort": "49152",
+ "nt0ephemeralEndPort": "65534",
+ "nt0fabricTcpGatewayPort": "19000",
+ "nt0fabricHttpGatewayPort": "19080",
+ "subnet0Name": "Subnet-0",
+ "subnet0Prefix": "10.0.0.0/24",
+ "subnet0Ref": "[concat(variables('vnetID'),'/subnets/',variables('subnet0Name'))]",
+ "supportLogStorageAccountName": "[toLower( concat( uniqueString(resourceGroup().id),'2'))]",
+ "lbID0": "[resourceId('Microsoft.Network/loadBalancers',concat('LB','-', parameters('clusterName'),'-',variables('vmNodeType0Name')))]",
+ "lbIPConfig0": "[concat(variables('lbID0'),'/frontendIPConfigurations/LoadBalancerIPConfig')]",
+ "lbPoolID0": "[concat(variables('lbID0'),'/backendAddressPools/LoadBalancerBEAddressPool')]",
+ "lbProbeID0": "[concat(variables('lbID0'),'/probes/FabricGatewayProbe')]",
+ "lbHttpProbeID0": "[concat(variables('lbID0'),'/probes/FabricHttpGatewayProbe')]",
+ "lbNatPoolID0": "[concat(variables('lbID0'),'/inboundNatPools/LoadBalancerBEAddressNatPool')]",
+ "vmNodeType0Name": "[toLower(concat('NT1', variables('vmName')))]",
+ "vmNodeType0Size": "Standard_D1",
+ "vmStorageAccountName0": "[toLower(concat(uniqueString(resourceGroup().id), '1', '0' ))]"
+ },
+ "resources": [
+ {
+ "apiVersion": "[variables('storageApiVersion')]",
+ "type": "Microsoft.Storage/storageAccounts",
+ "name": "[variables('vmStorageAccountName')]",
+ "location": "[variables('computeLocation')]",
+ "properties": {
+ "accountType": "[parameters('storageAccountType')]"
+ },
+ "tags": {
+ "resourceType": "Service Fabric",
+ "clusterName": "[parameters('clusterName')]"
+ }
+ },
+ {
+ "apiVersion": "[variables('storageApiVersion')]",
+ "type": "Microsoft.Storage/storageAccounts",
+ "name": "[variables('supportLogStorageAccountName')]",
+ "location": "[variables('computeLocation')]",
+ "properties": {
+ "accountType": "[parameters('supportLogStorageAccountType')]"
+ },
+ "tags": {
+ "resourceType": "Service Fabric",
+ "clusterName": "[parameters('clusterName')]"
+ }
+ },
+ {
+ "apiVersion": "[variables('vNetApiVersion')]",
+ "type": "Microsoft.Network/virtualNetworks",
+ "name": "[variables('virtualNetworkName')]",
+ "location": "[variables('computeLocation')]",
+ "properties": {
+ "addressSpace": {
+ "addressPrefixes": [
+ "[variables('addressPrefix')]"
+ ]
+ },
+ "subnets": [
+ {
+ "name": "[variables('subnet0Name')]",
+ "properties": {
+ "addressPrefix": "[variables('subnet0Prefix')]"
+ }
+ }
+ ]
+ },
+ "tags": {
+ "resourceType": "Service Fabric",
+ "clusterName": "[parameters('clusterName')]"
+ }
+ },
+ {
+ "apiVersion": "[variables('publicIPApiVersion')]",
+ "type": "Microsoft.Network/publicIPAddresses",
+ "name": "[concat(variables('lbIPName'),'-','0')]",
+ "location": "[variables('computeLocation')]",
+ "properties": {
+ "dnsSettings": {
+ "domainNameLabel": "[variables('dnsName')]"
+ },
+ "publicIPAllocationMethod": "Dynamic"
+ },
+ "tags": {
+ "resourceType": "Service Fabric",
+ "clusterName": "[parameters('clusterName')]"
+ }
+ },
+ {
+ "apiVersion": "[variables('lbApiVersion')]",
+ "type": "Microsoft.Network/loadBalancers",
+ "name": "[concat('LB','-', parameters('clusterName'),'-',variables('vmNodeType0Name'))]",
+ "location": "[variables('computeLocation')]",
+ "dependsOn": [
+ "[concat('Microsoft.Network/publicIPAddresses/',concat(variables('lbIPName'),'-','0'))]"
+ ],
+ "properties": {
+ "frontendIPConfigurations": [
+ {
+ "name": "LoadBalancerIPConfig",
+ "properties": {
+ "publicIPAddress": {
+ "id": "[resourceId('Microsoft.Network/publicIPAddresses',concat(variables('lbIPName'),'-','0'))]"
+ }
+ }
+ }
+ ],
+ "backendAddressPools": [
+ {
+ "name": "LoadBalancerBEAddressPool",
+ "properties": {}
+ }
+ ],
+ "loadBalancingRules": [
+ {
+ "name": "LBRule",
+ "properties": {
+ "backendAddressPool": {
+ "id": "[variables('lbPoolID0')]"
+ },
+ "backendPort": "[variables('nt0fabricTcpGatewayPort')]",
+ "enableFloatingIP": "false",
+ "frontendIPConfiguration": {
+ "id": "[variables('lbIPConfig0')]"
+ },
+ "frontendPort": "[variables('nt0fabricTcpGatewayPort')]",
+ "idleTimeoutInMinutes": "5",
+ "probe": {
+ "id": "[variables('lbProbeID0')]"
+ },
+ "protocol": "tcp"
+ }
+ },
+ {
+ "name": "LBHttpRule",
+ "properties": {
+ "backendAddressPool": {
+ "id": "[variables('lbPoolID0')]"
+ },
+ "backendPort": "[variables('nt0fabricHttpGatewayPort')]",
+ "enableFloatingIP": "false",
+ "frontendIPConfiguration": {
+ "id": "[variables('lbIPConfig0')]"
+ },
+ "frontendPort": "[variables('nt0fabricHttpGatewayPort')]",
+ "idleTimeoutInMinutes": "5",
+ "probe": {
+ "id": "[variables('lbHttpProbeID0')]"
+ },
+ "protocol": "tcp"
+ }
+ },
+ {
+ "name": "AppPortLBRule1",
+ "properties": {
+ "backendAddressPool": {
+ "id": "[variables('lbPoolID0')]"
+ },
+ "backendPort": "[parameters('loadBalancedAppPort1')]",
+ "enableFloatingIP": "false",
+ "frontendIPConfiguration": {
+ "id": "[variables('lbIPConfig0')]"
+ },
+ "frontendPort": "[parameters('loadBalancedAppPort1')]",
+ "idleTimeoutInMinutes": "5",
+ "probe": {
+ "id": "[concat(variables('lbID0'),'/probes/AppPortProbe1')]"
+ },
+ "protocol": "tcp"
+ }
+ },
+ {
+ "name": "AppPortLBRule2",
+ "properties": {
+ "backendAddressPool": {
+ "id": "[variables('lbPoolID0')]"
+ },
+ "backendPort": "[parameters('loadBalancedAppPort2')]",
+ "enableFloatingIP": "false",
+ "frontendIPConfiguration": {
+ "id": "[variables('lbIPConfig0')]"
+ },
+ "frontendPort": "[parameters('loadBalancedAppPort2')]",
+ "idleTimeoutInMinutes": "5",
+ "probe": {
+ "id": "[concat(variables('lbID0'),'/probes/AppPortProbe2')]"
+ },
+ "protocol": "tcp"
+ }
+ }
+ ],
+ "probes": [
+ {
+ "name": "FabricGatewayProbe",
+ "properties": {
+ "intervalInSeconds": 5,
+ "numberOfProbes": 2,
+ "port": "[variables('nt0fabricTcpGatewayPort')]",
+ "protocol": "tcp"
+ }
+ },
+ {
+ "name": "FabricHttpGatewayProbe",
+ "properties": {
+ "intervalInSeconds": 5,
+ "numberOfProbes": 2,
+ "port": "[variables('nt0fabricHttpGatewayPort')]",
+ "protocol": "tcp"
+ }
+ },
+ {
+ "name": "AppPortProbe1",
+ "properties": {
+ "intervalInSeconds": 5,
+ "numberOfProbes": 2,
+ "port": "[parameters('loadBalancedAppPort1')]",
+ "protocol": "tcp"
+ }
+ },
+ {
+ "name": "AppPortProbe2",
+ "properties": {
+ "intervalInSeconds": 5,
+ "numberOfProbes": 2,
+ "port": "[parameters('loadBalancedAppPort2')]",
+ "protocol": "tcp"
+ }
+ }
+ ],
+ "inboundNatPools": [
+ {
+ "name": "LoadBalancerBEAddressNatPool",
+ "properties": {
+ "backendPort": "3389",
+ "frontendIPConfiguration": {
+ "id": "[variables('lbIPConfig0')]"
+ },
+ "frontendPortRangeEnd": "4500",
+ "frontendPortRangeStart": "3389",
+ "protocol": "tcp"
+ }
+ }
+ ]
+ },
+ "tags": {
+ "resourceType": "Service Fabric",
+ "clusterName": "[parameters('clusterName')]"
+ }
+ },
+ {
+ "apiVersion": "[variables('vmssApiVersion')]",
+ "type": "Microsoft.Compute/virtualMachineScaleSets",
+ "name": "[variables('vmNodeType0Name')]",
+ "location": "[variables('computeLocation')]",
+ "dependsOn": [
+ "[concat('Microsoft.Network/virtualNetworks/', variables('virtualNetworkName'))]",
+ "[concat('Microsoft.Storage/storageAccounts/', variables('vmStorageAccountName'))]",
+ "[concat('Microsoft.Network/loadBalancers/', concat('LB','-', parameters('clusterName'),'-',variables('vmNodeType0Name')))]",
+ "[concat('Microsoft.Storage/storageAccounts/', variables('supportLogStorageAccountName'))]"
+ ],
+ "properties": {
+ "overprovision": "[variables('overProvision')]",
+ "upgradePolicy": {
+ "mode": "Automatic"
+ },
+ "virtualMachineProfile": {
+ "extensionProfile": {
+ "extensions": [
+ {
+ "name": "[concat('ServiceFabricNodeVmExt','_vmNodeType0Name')]",
+ "properties": {
+ "type": "ServiceFabricNode",
+ "autoUpgradeMinorVersion": false,
+ "protectedSettings": {
+ "StorageAccountKey1": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('supportLogStorageAccountName')),'2015-05-01-preview').key1]",
+ "StorageAccountKey2": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('supportLogStorageAccountName')),'2015-05-01-preview').key2]"
+ },
+ "publisher": "Microsoft.Azure.ServiceFabric",
+ "settings": {
+ "clusterEndpoint": "[reference(parameters('clusterName')).clusterEndpoint]",
+ "nodeTypeRef": "[variables('vmNodeType0Name')]",
+ "dataPath": "D:\\\\SvcFab",
+ "durabilityLevel": "Bronze",
+ "nicPrefixOverride": "[variables('subnet0Prefix')]",
+ "certificate": {
+ "thumbprint": "[parameters('certificateThumbprint')]",
+ "x509StoreName": "[parameters('certificateStoreValue')]"
+ }
+ },
+ "typeHandlerVersion": "1.0"
+ }
+ }
+ ]
+ },
+ "networkProfile": {
+ "networkInterfaceConfigurations": [
+ {
+ "name": "[concat(variables('nicName'), '-0')]",
+ "properties": {
+ "ipConfigurations": [
+ {
+ "name": "[concat(variables('nicName'),'-',0)]",
+ "properties": {
+ "loadBalancerBackendAddressPools": [
+ {
+ "id": "[variables('lbPoolID0')]"
+ }
+ ],
+ "loadBalancerInboundNatPools": [
+ {
+ "id": "[variables('lbNatPoolID0')]"
+ }
+ ],
+ "subnet": {
+ "id": "[variables('subnet0Ref')]"
+ }
+ }
+ }
+ ],
+ "primary": true
+ }
+ }
+ ]
+ },
+ "osProfile": {
+ "adminPassword": "[parameters('adminPassword')]",
+ "adminUsername": "[parameters('adminUsername')]",
+ "computernamePrefix": "[variables('vmNodeType0Name')]",
+ "secrets": [
+ {
+ "sourceVault": {
+ "id": "[parameters('sourceVaultValue')]"
+ },
+ "vaultCertificates": [
+ {
+ "certificateStore": "[parameters('certificateStoreValue')]",
+ "certificateUrl": "[parameters('certificateUrlValue')]"
+ }
+ ]
+ }
+ ]
+ },
+ "storageProfile": {
+ "imageReference": {
+ "publisher": "[variables('vmImagePublisher')]",
+ "offer": "[variables('vmImageOffer')]",
+ "sku": "[variables('vmImageSku')]",
+ "version": "[variables('vmImageVersion')]"
+ },
+ "osDisk": {
+ "vhdContainers": [
+ "[concat('http://',variables('vmStorageAccountName'),'.blob.core.windows.net/',variables('vmStorageAccountContainerName'))]"
+ ],
+ "name": "vmssosdisk",
+ "caching": "ReadOnly",
+ "createOption": "FromImage"
+ }
+ }
+ }
+ },
+ "sku": {
+ "name": "[variables('vmNodeType0Size')]",
+ "capacity": "5",
+ "tier": "Standard"
+ },
+ "tags": {
+ "resourceType": "Service Fabric",
+ "clusterName": "[parameters('clusterName')]"
+ }
+ },
+ {
+ "apiVersion": "2016-03-01",
+ "type": "Microsoft.ServiceFabric/clusters",
+ "name": "[parameters('clusterName')]",
+ "location": "[parameters('clusterLocation')]",
+ "dependsOn": [
+ "[concat('Microsoft.Storage/storageAccounts/', variables('supportLogStorageAccountName'))]"
+ ],
+ "properties": {
+ "certificate": {
+ "thumbprint": "[parameters('certificateThumbprint')]",
+ "x509StoreName": "[parameters('certificateStoreValue')]"
+ },
+ "clientCertificateCommonNames": [],
+ "clientCertificateThumbprints": [],
+ "clusterState": "Default",
+ "diagnosticsStorageAccountConfig": {
+ "blobEndpoint": "[concat('https://',variables('supportLogStorageAccountName'),'.blob.core.windows.net/')]",
+ "protectedAccountKeyName": "StorageAccountKey1",
+ "queueEndpoint": "[concat('https://',variables('supportLogStorageAccountName'),'.queue.core.windows.net/')]",
+ "storageAccountName": "[variables('supportLogStorageAccountName')]",
+ "tableEndpoint": "[concat('https://',variables('supportLogStorageAccountName'),'.table.core.windows.net/')]"
+ },
+ "fabricSettings": [
+ {
+ "parameters": [
+ {
+ "name": "ClusterProtectionLevel",
+ "value": "[parameters('clusterProtectionLevel')]"
+ }
+ ],
+ "name": "Security"
+ }
+ ],
+ "managementEndpoint": "[concat('https://',reference(concat(variables('lbIPName'),'-','0')).dnsSettings.fqdn,':',variables('nt0fabricHttpGatewayPort'))]",
+ "nodeTypes": [
+ {
+ "name": "[variables('vmNodeType0Name')]",
+ "applicationPorts": {
+ "endPort": "[variables('nt0applicationEndPort')]",
+ "startPort": "[variables('nt0applicationStartPort')]"
+ },
+ "clientConnectionEndpointPort": "[variables('nt0fabricTcpGatewayPort')]",
+ "durabilityLevel": "Bronze",
+ "ephemeralPorts": {
+ "endPort": "[variables('nt0ephemeralEndPort')]",
+ "startPort": "[variables('nt0ephemeralStartPort')]"
+ },
+ "httpGatewayEndpointPort": "[variables('nt0fabricHttpGatewayPort')]",
+ "isPrimary": true,
+ "vmInstanceCount": 5
+ }
+ ],
+ "provisioningState": "Default",
+ "reliabilityLevel": "Silver",
+ "vmImage": "Windows"
+ },
+ "tags": {
+ "resourceType": "Service Fabric",
+ "clusterName": "[parameters('clusterName')]"
+ }
+ }
+ ],
+ "outputs": {
+ "clusterProperties": {
+ "value": "[reference(parameters('clusterName'))]",
+ "type": "object"
+ }
+ }
+}
\ No newline at end of file
diff --git a/Cert-Rollover-Sample/5-VM-1-NodeTypes-Secure_Step2.json b/Cert-Rollover-Sample/5-VM-1-NodeTypes-Secure_Step2.json
new file mode 100644
index 0000000..32eb275
--- /dev/null
+++ b/Cert-Rollover-Sample/5-VM-1-NodeTypes-Secure_Step2.json
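Review bot: The scale set's OS-disk container URL under `vhdContainers` is built with `'http://'`, while every other storage endpoint in this template (`diagnosticsStorageAccountConfig` and `managementEndpoint`) uses `'https://'`; unless the scale set is known to require the plain-http form, `"[concat('https://',variables('vmStorageAccountName'),'.blob.core.windows.net/',variables('vmStorageAccountContainerName'))]"` keeps the storage references consistent. Separately, the load balancer publishes RDP through `LoadBalancerBEAddressNatPool` (backend `3389`, frontend range `3389`-`4500`) and the fabric gateways on `19000`/`19080` on a public IP, and the template attaches no network security group to `Subnet-0`, so the admin password and the cluster certificate are the only controls in front of node management (`clientCertificateThumbprints` and `clientCertificateCommonNames` are both empty, so the cluster certificate also serves as the admin client credential). An NSG on the subnet that limits the RDP range and the gateway ports to trusted source prefixes would be the hardening step; failing that, the README should state that this sample intentionally leaves them open. Both points apply unchanged to the Step2 template in the next hunk.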
@@ -0,0 +1,610 @@
+{
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "clusterLocation": {
+ "type": "string",
+ "metadata": {
+ "description": "Location of the Cluster"
+ }
+ },
+ "clusterName": {
+ "type": "string",
+ "defaultValue": "Cluster",
+ "metadata": {
+ "description": "Name of your cluster - Between 3 and 23 characters. Letters and numbers only"
+ }
+ },
+ "adminUserName": {
+ "type": "string",
+ "defaultValue": "testadm",
+ "metadata": {
+ "description": "Remote desktop user Id"
+ }
+ },
+ "adminPassword": {
+ "type": "securestring",
+ "metadata": {
+ "description": "Remote desktop user password. Must be a strong password"
+ }
+ },
+ "vmImagePublisher": {
+ "type": "string",
+ "defaultValue": "MicrosoftWindowsServer"
+ },
+ "vmImageOffer": {
+ "type": "string",
+ "defaultValue": "WindowsServer"
+ },
+ "vmImageSku": {
+ "type": "string",
+ "defaultValue": "2012-R2-Datacenter"
+ },
+ "vmImageVersion": {
+ "type": "string",
+ "defaultValue": "latest"
+ },
+ "loadBalancedAppPort1": {
+ "type": "int",
+ "defaultValue": 80,
+ "metadata": {
+ "description": "Input endpoint1 for the application to use. Replace it with what your application uses"
+ }
+ },
+ "loadBalancedAppPort2": {
+ "type": "int",
+ "defaultValue": 8081,
+ "metadata": {
+ "description": "Input endpoint2 for the application to use. Replace it with what your application uses"
+ }
+ },
+ "certificateStoreValue": {
+ "type": "string",
+ "allowedValues": [
+ "My"
+ ],
+ "defaultValue": "My",
+ "metadata": {
+ "description": "The store name where the cert will be deployed in the virtual machine"
+ }
+ },
+ "sourceVaultValue": {
+ "type": "string",
+ "metadata": {
+ "description": "Resource Id of the key vault, is should be in the format of /subscriptions//resourceGroups//providers/Microsoft.KeyVault/vaults/"
+ }
+ },
+ "certificateThumbprint": {
+ "type": "string",
+ "metadata": {
+ "description": "Certificate Thumbprint"
+ }
+ },
+ "certificateUrlValue": {
+ "type": "string",
+ "metadata": {
+ "description": "Refers to the location URL in your key vault where the certificate was uploaded, it is should be in the format of https://.vault.azure.net:443/secrets/"
+ }
+ },
+ "secCertificateThumbprint": {
+ "type": "string",
+ "metadata": {
+ "description": "Certificate Thumbprint"
+ }
+ },
+ "secCertificateUrlValue": {
+ "type": "string",
+ "metadata": {
+ "description": "Refers to the location URL in your key vault where the certificate was uploaded, it is should be in the format of https://.vault.azure.net:443/secrets/"
+ }
+ },
+ "clusterProtectionLevel": {
+ "type": "string",
+ "allowedValues": [
+ "None",
+ "Sign",
+ "EncryptAndSign"
+ ],
+ "defaultValue": "EncryptAndSign",
+ "metadata": {
+ "description": "Protection level.Three values are allowed - EncryptAndSign, Sign, None. It is best to keep the default of EncryptAndSign, unless you have a need not to"
+ }
+ },
+ "storageAccountType": {
+ "type": "string",
+ "allowedValues": [
+ "Standard_LRS",
+ "Standard_GRS"
+ ],
+ "defaultValue": "Standard_LRS",
+ "metadata": {
+ "description": "Replication option for the VM image storage account"
+ }
+ },
+ "supportLogStorageAccountType": {
+ "type": "string",
+ "allowedValues": [
+ "Standard_LRS",
+ "Standard_GRS"
+ ],
+ "defaultValue": "Standard_LRS",
+ "metadata": {
+ "description": "Replication option for the support log storage account"
+ }
+ }
+ },
+ "variables": {
+ "computeLocation": "[parameters('clusterLocation')]",
+ "dnsName": "[parameters('clusterName')]",
+ "vmStorageAccountName": "[toLower(concat(uniqueString(resourceGroup().id), '1' ))]",
+ "vmName": "vm",
+ "publicIPAddressName": "PublicIP-VM",
+ "publicIPAddressType": "Dynamic",
+ "vmStorageAccountContainerName": "vhds",
+ "virtualNetworkName": "VNet",
+ "addressPrefix": "10.0.0.0/16",
+ "nicName": "NIC",
+ "lbName": "LoadBalancer",
+ "lbIPName": "PublicIP-LB-FE",
+ "availSetName": "AvailabilitySet",
+ "maxPercentUpgradeDomainDeltaUnhealthyNodes": "100",
+ "vnetID": "[resourceId('Microsoft.Network/virtualNetworks',variables('virtualNetworkName'))]",
+ "overProvision": "false",
+ "vmssApiVersion": "2016-03-30",
+ "lbApiVersion": "2015-06-15",
+ "vNetApiVersion": "2015-06-15",
+ "storageApiVersion": "2015-06-15",
+ "publicIPApiVersion": "2015-06-15",
+ "vmImagePublisher": "MicrosoftWindowsServer",
+ "vmImageOffer": "WindowsServer",
+ "vmImageSku": "2012-R2-Datacenter",
+ "vmImageVersion": "latest",
+ "nt0applicationStartPort": "20000",
+ "nt0applicationEndPort": "30000",
+ "nt0ephemeralStartPort": "49152",
+ "nt0ephemeralEndPort": "65534",
+ "nt0fabricTcpGatewayPort": "19000",
+ "nt0fabricHttpGatewayPort": "19080",
+ "subnet0Name": "Subnet-0",
+ "subnet0Prefix": "10.0.0.0/24",
+ "subnet0Ref": "[concat(variables('vnetID'),'/subnets/',variables('subnet0Name'))]",
+ "supportLogStorageAccountName": "[toLower( concat( uniqueString(resourceGroup().id),'2'))]",
+ "lbID0": "[resourceId('Microsoft.Network/loadBalancers',concat('LB','-', parameters('clusterName'),'-',variables('vmNodeType0Name')))]",
+ "lbIPConfig0": "[concat(variables('lbID0'),'/frontendIPConfigurations/LoadBalancerIPConfig')]",
+ "lbPoolID0": "[concat(variables('lbID0'),'/backendAddressPools/LoadBalancerBEAddressPool')]",
+ "lbProbeID0": "[concat(variables('lbID0'),'/probes/FabricGatewayProbe')]",
+ "lbHttpProbeID0": "[concat(variables('lbID0'),'/probes/FabricHttpGatewayProbe')]",
+ "lbNatPoolID0": "[concat(variables('lbID0'),'/inboundNatPools/LoadBalancerBEAddressNatPool')]",
+ "vmNodeType0Name": "[toLower(concat('NT1', variables('vmName')))]",
+ "vmNodeType0Size": "Standard_D1",
+ "vmStorageAccountName0": "[toLower(concat(uniqueString(resourceGroup().id), '1', '0' ))]"
+ },
+ "resources": [
+ {
+ "apiVersion": "[variables('storageApiVersion')]",
+ "type": "Microsoft.Storage/storageAccounts",
+ "name": "[variables('vmStorageAccountName')]",
+ "location": "[variables('computeLocation')]",
+ "properties": {
+ "accountType": "[parameters('storageAccountType')]"
+ },
+ "tags": {
+ "resourceType": "Service Fabric",
+ "clusterName": "[parameters('clusterName')]"
+ }
+ },
+ {
+ "apiVersion": "[variables('storageApiVersion')]",
+ "type": "Microsoft.Storage/storageAccounts",
+ "name": "[variables('supportLogStorageAccountName')]",
+ "location": "[variables('computeLocation')]",
+ "properties": {
+ "accountType": "[parameters('supportLogStorageAccountType')]"
+ },
+ "tags": {
+ "resourceType": "Service Fabric",
+ "clusterName": "[parameters('clusterName')]"
+ }
+ },
+ {
+ "apiVersion": "[variables('vNetApiVersion')]",
+ "type": "Microsoft.Network/virtualNetworks",
+ "name": "[variables('virtualNetworkName')]",
+ "location": "[variables('computeLocation')]",
+ "properties": {
+ "addressSpace": {
+ "addressPrefixes": [
+ "[variables('addressPrefix')]"
+ ]
+ },
+ "subnets": [
+ {
+ "name": "[variables('subnet0Name')]",
+ "properties": {
+ "addressPrefix": "[variables('subnet0Prefix')]"
+ }
+ }
+ ]
+ },
+ "tags": {
+ "resourceType": "Service Fabric",
+ "clusterName": "[parameters('clusterName')]"
+ }
+ },
+ {
+ "apiVersion": "[variables('publicIPApiVersion')]",
+ "type": "Microsoft.Network/publicIPAddresses",
+ "name": "[concat(variables('lbIPName'),'-','0')]",
+ "location": "[variables('computeLocation')]",
+ "properties": {
+ "dnsSettings": {
+ "domainNameLabel": "[variables('dnsName')]"
+ },
+ "publicIPAllocationMethod": "Dynamic"
+ },
+ "tags": {
+ "resourceType": "Service Fabric",
+ "clusterName": "[parameters('clusterName')]"
+ }
+ },
+ {
+ "apiVersion": "[variables('lbApiVersion')]",
+ "type": "Microsoft.Network/loadBalancers",
+ "name": "[concat('LB','-', parameters('clusterName'),'-',variables('vmNodeType0Name'))]",
+ "location": "[variables('computeLocation')]",
+ "dependsOn": [
+ "[concat('Microsoft.Network/publicIPAddresses/',concat(variables('lbIPName'),'-','0'))]"
+ ],
+ "properties": {
+ "frontendIPConfigurations": [
+ {
+ "name": "LoadBalancerIPConfig",
+ "properties": {
+ "publicIPAddress": {
+ "id": "[resourceId('Microsoft.Network/publicIPAddresses',concat(variables('lbIPName'),'-','0'))]"
+ }
+ }
+ }
+ ],
+ "backendAddressPools": [
+ {
+ "name": "LoadBalancerBEAddressPool",
+ "properties": {}
+ }
+ ],
+ "loadBalancingRules": [
+ {
+ "name": "LBRule",
+ "properties": {
+ "backendAddressPool": {
+ "id": "[variables('lbPoolID0')]"
+ },
+ "backendPort": "[variables('nt0fabricTcpGatewayPort')]",
+ "enableFloatingIP": "false",
+ "frontendIPConfiguration": {
+ "id": "[variables('lbIPConfig0')]"
+ },
+ "frontendPort": "[variables('nt0fabricTcpGatewayPort')]",
+ "idleTimeoutInMinutes": "5",
+ "probe": {
+ "id": "[variables('lbProbeID0')]"
+ },
+ "protocol": "tcp"
+ }
+ },
+ {
+ "name": "LBHttpRule",
+ "properties": {
+ "backendAddressPool": {
+ "id": "[variables('lbPoolID0')]"
+ },
+ "backendPort": "[variables('nt0fabricHttpGatewayPort')]",
+ "enableFloatingIP": "false",
+ "frontendIPConfiguration": {
+ "id": "[variables('lbIPConfig0')]"
+ },
+ "frontendPort": "[variables('nt0fabricHttpGatewayPort')]",
+ "idleTimeoutInMinutes": "5",
+ "probe": {
+ "id": "[variables('lbHttpProbeID0')]"
+ },
+ "protocol": "tcp"
+ }
+ },
+ {
+ "name": "AppPortLBRule1",
+ "properties": {
+ "backendAddressPool": {
+ "id": "[variables('lbPoolID0')]"
+ },
+ "backendPort": "[parameters('loadBalancedAppPort1')]",
+ "enableFloatingIP": "false",
+ "frontendIPConfiguration": {
+ "id": "[variables('lbIPConfig0')]"
+ },
+ "frontendPort": "[parameters('loadBalancedAppPort1')]",
+ "idleTimeoutInMinutes": "5",
+ "probe": {
+ "id": "[concat(variables('lbID0'),'/probes/AppPortProbe1')]"
+ },
+ "protocol": "tcp"
+ }
+ },
+ {
+ "name": "AppPortLBRule2",
+ "properties": {
+ "backendAddressPool": {
+ "id": "[variables('lbPoolID0')]"
+ },
+ "backendPort": "[parameters('loadBalancedAppPort2')]",
+ "enableFloatingIP": "false",
+ "frontendIPConfiguration": {
+ "id": "[variables('lbIPConfig0')]"
+ },
+ "frontendPort": "[parameters('loadBalancedAppPort2')]",
+ "idleTimeoutInMinutes": "5",
+ "probe": {
+ "id": "[concat(variables('lbID0'),'/probes/AppPortProbe2')]"
+ },
+ "protocol": "tcp"
+ }
+ }
+ ],
+ "probes": [
+ {
+ "name": "FabricGatewayProbe",
+ "properties": {
+ "intervalInSeconds": 5,
+ "numberOfProbes": 2,
+ "port": "[variables('nt0fabricTcpGatewayPort')]",
+ "protocol": "tcp"
+ }
+ },
+ {
+ "name": "FabricHttpGatewayProbe",
+ "properties": {
+ "intervalInSeconds": 5,
+ "numberOfProbes": 2,
+ "port": "[variables('nt0fabricHttpGatewayPort')]",
+ "protocol": "tcp"
+ }
+ },
+ {
+ "name": "AppPortProbe1",
+ "properties": {
+ "intervalInSeconds": 5,
+ "numberOfProbes": 2,
+ "port": "[parameters('loadBalancedAppPort1')]",
+ "protocol": "tcp"
+ }
+ },
+ {
+ "name": "AppPortProbe2",
+ "properties": {
+ "intervalInSeconds": 5,
+ "numberOfProbes": 2,
+ "port": "[parameters('loadBalancedAppPort2')]",
+ "protocol": "tcp"
+ }
+ }
+ ],
+ "inboundNatPools": [
+ {
+ "name": "LoadBalancerBEAddressNatPool",
+ "properties": {
+ "backendPort": "3389",
+ "frontendIPConfiguration": {
+ "id": "[variables('lbIPConfig0')]"
+ },
+ "frontendPortRangeEnd": "4500",
+ "frontendPortRangeStart": "3389",
+ "protocol": "tcp"
+ }
+ }
+ ]
+ },
+ "tags": {
+ "resourceType": "Service Fabric",
+ "clusterName": "[parameters('clusterName')]"
+ }
+ },
+ {
+ "apiVersion": "[variables('vmssApiVersion')]",
+ "type": "Microsoft.Compute/virtualMachineScaleSets",
+ "name": "[variables('vmNodeType0Name')]",
+ "location": "[variables('computeLocation')]",
+ "dependsOn": [
+ "[concat('Microsoft.Network/virtualNetworks/', variables('virtualNetworkName'))]",
+ "[concat('Microsoft.Storage/storageAccounts/', variables('vmStorageAccountName'))]",
+ "[concat('Microsoft.Network/loadBalancers/', concat('LB','-', parameters('clusterName'),'-',variables('vmNodeType0Name')))]",
+ "[concat('Microsoft.Storage/storageAccounts/', variables('supportLogStorageAccountName'))]"
+ ],
+ "properties": {
+ "overprovision": "[variables('overProvision')]",
+ "upgradePolicy": {
+ "mode": "Automatic"
+ },
+ "virtualMachineProfile": {
+ "extensionProfile": {
+ "extensions": [
+ {
+ "name": "[concat('ServiceFabricNodeVmExt','_vmNodeType0Name')]",
+ "properties": {
+ "type": "ServiceFabricNode",
+ "autoUpgradeMinorVersion": false,
+ "protectedSettings": {
+ "StorageAccountKey1": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('supportLogStorageAccountName')),'2015-05-01-preview').key1]",
+ "StorageAccountKey2": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('supportLogStorageAccountName')),'2015-05-01-preview').key2]"
+ },
+ "publisher": "Microsoft.Azure.ServiceFabric",
+ "settings": {
+ "clusterEndpoint": "[reference(parameters('clusterName')).clusterEndpoint]",
+ "nodeTypeRef": "[variables('vmNodeType0Name')]",
+ "dataPath": "D:\\\\SvcFab",
+ "durabilityLevel": "Bronze",
+ "nicPrefixOverride": "[variables('subnet0Prefix')]",
+ "certificate": {
+ "thumbprint": "[parameters('secCertificateThumbprint')]",
+ "x509StoreName": "[parameters('certificateStoreValue')]"
+ },
+ "certificateSecondary": {
+ "thumbprint": "[parameters('certificateThumbprint')]",
+ "x509StoreName": "[parameters('certificateStoreValue')]"
+ }
+ },
+ "typeHandlerVersion": "1.0"
+ }
+ }
+ ]
+ },
+ "networkProfile": {
+ "networkInterfaceConfigurations": [
+ {
+ "name": "[concat(variables('nicName'), '-0')]",
+ "properties": {
+ "ipConfigurations": [
+ {
+ "name": "[concat(variables('nicName'),'-',0)]",
+ "properties": {
+ "loadBalancerBackendAddressPools": [
+ {
+ "id": "[variables('lbPoolID0')]"
+ }
+ ],
+ "loadBalancerInboundNatPools": [
+ {
+ "id": "[variables('lbNatPoolID0')]"
+ }
+ ],
+ "subnet": {
+ "id": "[variables('subnet0Ref')]"
+ }
+ }
+ }
+ ],
+ "primary": true
+ }
+ }
+ ]
+ },
+ "osProfile": {
+ "adminPassword": "[parameters('adminPassword')]",
+ "adminUsername": "[parameters('adminUsername')]",
+ "computernamePrefix": "[variables('vmNodeType0Name')]",
+ "secrets": [
+ {
+ "sourceVault": {
+ "id": "[parameters('sourceVaultValue')]"
+ },
+ "vaultCertificates": [
+ {
+ "certificateStore": "[parameters('certificateStoreValue')]",
+ "certificateUrl": "[parameters('certificateUrlValue')]"
+ },
+ {
+ "certificateStore": "[parameters('certificateStoreValue')]",
+ "certificateUrl": "[parameters('secCertificateUrlValue')]"
+ }
+ ]
+ }
+ ]
+ },
+ "storageProfile": {
+ "imageReference": {
+ "publisher": "[variables('vmImagePublisher')]",
+ "offer": "[variables('vmImageOffer')]",
+ "sku": "[variables('vmImageSku')]",
+ "version": "[variables('vmImageVersion')]"
+ },
+ "osDisk": {
+ "vhdContainers": [
+ "[concat('http://',variables('vmStorageAccountName'),'.blob.core.windows.net/',variables('vmStorageAccountContainerName'))]"
+ ],
+ "name": "vmssosdisk",
+ "caching": "ReadOnly",
+ "createOption": "FromImage"
+ }
+ }
+ }
+ },
+ "sku": {
+ "name": "[variables('vmNodeType0Size')]",
+ "capacity": "5",
+ "tier": "Standard"
+ },
+ "tags": {
+ "resourceType": "Service Fabric",
+ "clusterName": "[parameters('clusterName')]"
+ }
+ },
+ {
+ "apiVersion": "2016-03-01",
+ "type": "Microsoft.ServiceFabric/clusters",
+ "name": "[parameters('clusterName')]",
+ "location": "[parameters('clusterLocation')]",
+ "dependsOn": [
+ "[concat('Microsoft.Storage/storageAccounts/', variables('supportLogStorageAccountName'))]"
+ ],
+ "properties": {
+ "certificate": {
+ "thumbprint": "[parameters('certificateThumbprint')]",
+ "thumbprintSecondary": "[parameters('secCertificateThumbprint')]",
+ "x509StoreName": "[parameters('certificateStoreValue')]"
+ },
+ "clientCertificateCommonNames": [],
+ "clientCertificateThumbprints": [],
+ "clusterState": "Default",
+ "diagnosticsStorageAccountConfig": {
+ "blobEndpoint": "[concat('https://',variables('supportLogStorageAccountName'),'.blob.core.windows.net/')]",
+ "protectedAccountKeyName": "StorageAccountKey1",
+ "queueEndpoint": "[concat('https://',variables('supportLogStorageAccountName'),'.queue.core.windows.net/')]",
+ "storageAccountName": "[variables('supportLogStorageAccountName')]",
+ "tableEndpoint": "[concat('https://',variables('supportLogStorageAccountName'),'.table.core.windows.net/')]"
+ },
+ "fabricSettings": [
+ {
+ "parameters": [
+ {
+ "name": "ClusterProtectionLevel",
+ "value": "[parameters('clusterProtectionLevel')]"
+ }
+ ],
+ "name": "Security"
+ }
+ ],
+ "managementEndpoint": "[concat('https://',reference(concat(variables('lbIPName'),'-','0')).dnsSettings.fqdn,':',variables('nt0fabricHttpGatewayPort'))]",
+ "nodeTypes": [
+ {
+ "name": "[variables('vmNodeType0Name')]",
+ "applicationPorts": {
+ "endPort": "[variables('nt0applicationEndPort')]",
+ "startPort": "[variables('nt0applicationStartPort')]"
+ },
+ "clientConnectionEndpointPort": "[variables('nt0fabricTcpGatewayPort')]",
+ "durabilityLevel": "Bronze",
+ "ephemeralPorts": {
+ "endPort": "[variables('nt0ephemeralEndPort')]",
+ "startPort": "[variables('nt0ephemeralStartPort')]"
+ },
+ "httpGatewayEndpointPort": "[variables('nt0fabricHttpGatewayPort')]",
+ "isPrimary": true,
+ "vmInstanceCount": 5
+ }
+ ],
+ "provisioningState": "Default",
+ "reliabilityLevel": "Silver",
+ "vmImage": "Windows"
+ },
+ "tags": {
+ "resourceType": "Service Fabric",
+ "clusterName": "[parameters('clusterName')]"
+ }
+ }
+ ],
+ "outputs": {
+ "clusterProperties": {
+ "value": "[reference(parameters('clusterName'))]",
+ "type": "object"
+ }
+ }
+}
\ No newline at end of file
diff --git a/Cert-Rollover-Sample/README.md b/Cert-Rollover-Sample/README.md
new file mode 100644
index 0000000..1dee33d
--- /dev/null
+++ b/Cert-Rollover-Sample/README.md
@@ -0,0 +1,18 @@
+# Introduction
+
+This folder contains the set of ARM templates you can use to deploy a secure five node service fabric cluster, add a new certificate and then rollover the current primary certificate. You can use these to follow along with the documentation for [rolling over certificates in your secure cluster](https://azure.microsoft.com/en-us/documentation/articles/service-fabric-cluster-security-update-certs-azure/)
+
+
+## Microsoft Azure Service Fabric ARM template Samples in this folder
+
+### Step1: Provision a secure cluster
+1. Template to provision a five node secure cluster - 5-VM-1-NodeTypes-Secure_Step1.JSON
+2. Template parameters for the above template - 5-VM-1-NodeTypes-Secure.parameters_Step1.JSON
+
+
+### Step2 :Add a secondary certificate and swamp it to be the primary using ARM Powershell
+
+[How to roll over certificates in your secure cluster](https://azure.microsoft.com/en-us/documentation/articles/service-fabric-cluster-security-update-certs-azure/)
+
+1. Template to provision a five node secure cluster - 5-VM-1-NodeTypes-Secure_Step2.JSON
+2. Template parameters for the above template - 5-VM-1-NodeTypes-Secure.parameters_Step2.JSON
\ No newline at end of file
From 19d5a5ccea050073f5a512efd81e0ba33c20b9c8 Mon Sep 17 00:00:00 2001 
From: Nicolas Oman Date: Thu, 24 Oct 2019 12:21:40 -0700 Subject: [PATCH 4/5] ported reverse proxy sample --- ...VM-1-NodeTypes-SecureRP_RollOverStep1.json | 756 +++++++++++++++++ ...pes-SecureRP_RollOverStep1.parameters.json | 78 ++ ...VM-1-NodeTypes-SecureRP_RollOverStep2.json | 757 ++++++++++++++++++ ...pes-SecureRP_RollOverStep2.parameters.json | 78 ++ ...ureRP_ServiceCertValidationCommonName.json | 754 +++++++++++++++++ ...ceCertValidationCommonName.parameters.json | 84 ++ ...es-SecureRP_ServiceCertValidationNone.json | 744 +++++++++++++++++ ..._ServiceCertValidationNone.parameters.json | 72 ++ ...reRP_ServiceCertValidationThumbprints.json | 754 +++++++++++++++++ ...eCertValidationThumbprints.parameters.json | 75 ++ .../5-VM-1-NodeTypes-SecureRP_Step1.json | 662 +++++++++++++++ ...1-NodeTypes-SecureRP_Step1.parameters.json | 63 ++ .../5-VM-1-NodeTypes-SecureRP_Step2.json | 696 ++++++++++++++++ ...1-NodeTypes-SecureRP_Step2.parameters.json | 72 ++ .../5-VM-1-NodeTypes-SecureRP_Step3.json | 735 +++++++++++++++++ ...1-NodeTypes-SecureRP_Step3.parameters.json | 72 ++ Reverse-Proxy-Sample/README.md | 61 ++ 17 files changed, 6513 insertions(+) create mode 100644 Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_RollOverStep1.json create mode 100644 Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_RollOverStep1.parameters.json create mode 100644 Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_RollOverStep2.json create mode 100644 Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_RollOverStep2.parameters.json create mode 100644 Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_ServiceCertValidationCommonName.json create mode 100644 Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_ServiceCertValidationCommonName.parameters.json create mode 100644 Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_ServiceCertValidationNone.json create mode 100644 Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_ServiceCertValidationNone.parameters.json create mode 100644 
Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_ServiceCertValidationThumbprints.json
create mode 100644 Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_ServiceCertValidationThumbprints.parameters.json
create mode 100644 Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_Step1.json
create mode 100644 Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_Step1.parameters.json
create mode 100644 Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_Step2.json
create mode 100644 Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_Step2.parameters.json
create mode 100644 Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_Step3.json
create mode 100644 Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_Step3.parameters.json
create mode 100644 Reverse-Proxy-Sample/README.md
diff --git a/Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_RollOverStep1.json b/Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_RollOverStep1.json
new file mode 100644
index 0000000..371ae2e
--- /dev/null
+++ b/Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_RollOverStep1.json
@@ -0,0 +1,756 @@ +{ + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json", + "contentVersion": "1.0.0.0", + "parameters": { + "clusterLocation": { + "type": "string", + "metadata": { + "description": "Location of the Cluster" + } + }, + "clusterName": { + "type": "string", + "defaultValue": "sfcluster", + "metadata": { + "description": "Name of your cluster - Between 3 and 23 characters. Letters and numbers only" + } + }, + "adminUserName": { + "type": "string", + "metadata": { + "description": "Remote desktop user Id" + } + }, + "adminPassword": { + "type": "securestring", + "metadata": { + "description": "Remote desktop user password. Must be a strong password" + } + }, + "vmImagePublisher": { + "type": "string", + "defaultValue": "MicrosoftWindowsServer", + "metadata": { + "description": "VM image Publisher" + } + }, + "vmImageOffer": { + "type": "string", + "defaultValue": "WindowsServer", + "metadata": { + "description": "VM image offer" + } + }, + "vmImageSku": { + "type": "string", + "defaultValue": "2012-R2-Datacenter", + "metadata": { + "description": "VM image SKU" + } + }, + "vmImageVersion": { + "type": "string", + "defaultValue": "latest", + "metadata": { + "description": "VM image version" + } + }, + "loadBalancedAppPort1": { + "type": "int", + "defaultValue": 80, + "metadata": { + "description": "Input endpoint1 for the application to use. Replace it with what your application uses" + } + }, + "loadBalancedAppPort2": { + "type": "int", + "defaultValue": 8081, + "metadata": { + "description": "Input endpoint2 for the application to use. 
Replace it with what your application uses" + } + }, + "SFReverseProxyPort": { + "type": "int", + "defaultValue": 19008, + "metadata": { + "description": "Endpoint for Service Fabric Reverse proxy" + } + }, + "clusterCertificateStoreValue": { + "type": "string", + "allowedValues": [ + "My" + ], + "defaultValue": "My", + "metadata": { + "description": "The store name where the cert will be deployed in the virtual machine" + } + }, + "clusterCertificateThumbprint": { + "type": "string", + "metadata": { + "description": "Certificate Thumbprint" + } + }, + "sourceVaultValue": { + "type": "string", + "metadata": { + "description": "Resource Id of the key vault, is should be in the format of /subscriptions//resourceGroups//providers/Microsoft.KeyVault/vaults/" + } + }, + "clusterCertificateUrlValue": { + "type": "string", + "metadata": { + "description": "Refers to the location URL in your key vault where the certificate was uploaded, it is should be in the format of https://.vault.azure.net:443/secrets/" + } + }, + "sfReverseProxyCertificateStoreValue": { + "type": "string", + "allowedValues": [ + "My" + ], + "defaultValue": "My", + "metadata": { + "description": "The store name where the cert will be deployed in the virtual machine" + } + }, + "sfReverseProxyCertificateThumbprint": { + "type": "string", + "metadata": { + "description": "Certificate Thumbprint" + } + }, + "sfReverseProxyCertificateUrlValue": { + "type": "string", + "metadata": { + "description": "Refers to the location URL in your key vault where the certificate was uploaded, it is should be in the format of https://.vault.azure.net:443/secrets/" + } + }, + "sfReverseProxySecCertificateThumbprint": { + "type": "string", + "metadata": { + "description": "Certificate Thumbprint" + } + }, + "sfReverseProxySecCertificateUrlValue": { + "type": "string", + "metadata": { + "description": "Refers to the location URL in your key vault where the certificate was uploaded, it is should be in the format of 
https://.vault.azure.net:443/secrets/" + } + }, + "clusterProtectionLevel": { + "type": "string", + "allowedValues": [ + "None", + "Sign", + "EncryptAndSign" + ], + "defaultValue": "EncryptAndSign", + "metadata": { + "description": "Protection level.Three values are allowed - EncryptAndSign, Sign, None. It is best to keep the default of EncryptAndSign, unless you have a need not to" + } + }, + "storageAccountType": { + "type": "string", + "allowedValues": [ + "Standard_LRS", + "Premium_LRS" + ], + "defaultValue": "Standard_LRS", + "metadata": { + "description": "Replication option for the VM image storage account" + } + }, + "supportLogStorageAccountType": { + "type": "string", + "allowedValues": [ + "Standard_LRS", + "Standard_GRS" + ], + "defaultValue": "Standard_LRS", + "metadata": { + "description": "Replication option for the support log storage account" + } + }, + "applicationDiagnosticsStorageAccountType": { + "type": "string", + "allowedValues": [ + "Standard_LRS", + "Standard_GRS" + ], + "defaultValue": "Standard_LRS", + "metadata": { + "description": "Replication option for the application diagnostics storage account" + } + }, + "nt0InstanceCount": { + "type": "int", + "defaultValue": 5, + "metadata": { + "description": "Instance count for node type" + } + } + }, + "variables": { + "computeLocation": "[parameters('clusterLocation')]", + "dnsName": "[parameters('clusterName')]", + "vmName": "vm", + "vmStorageAccountContainerName": "vhds", + "virtualNetworkName": "VNet", + "addressPrefix": "10.0.0.0/16", + "nicName": "NIC", + "lbIPName": "PublicIP-LB-FE", + "vnetID": "[resourceId('Microsoft.Network/virtualNetworks',variables('virtualNetworkName'))]", + "overProvision": "false", + "vmssApiVersion": "2017-03-30", + "lbApiVersion": "2015-06-15", + "vNetApiVersion": "2015-06-15", + "storageApiVersion": "2016-01-01", + "publicIPApiVersion": "2015-06-15", + "nt0applicationStartPort": "20000", + "nt0applicationEndPort": "30000", + "nt0ephemeralStartPort": "49152", 
+ "nt0ephemeralEndPort": "65534", + "nt0fabricTcpGatewayPort": "19000", + "nt0fabricHttpGatewayPort": "19080", + "subnet0Name": "Subnet-0", + "subnet0Prefix": "10.0.0.0/24", + "subnet0Ref": "[concat(variables('vnetID'),'/subnets/',variables('subnet0Name'))]", + "supportLogStorageAccountName": "[toLower( concat( uniqueString(resourceGroup().id),'2'))]", + "applicationDiagnosticsStorageAccountName": "[toLower(concat(uniqueString(resourceGroup().id), '3' ))]", + "lbID0": "[resourceId('Microsoft.Network/loadBalancers',concat('LB','-', parameters('clusterName'),'-',variables('vmNodeType0Name')))]", + "lbIPConfig0": "[concat(variables('lbID0'),'/frontendIPConfigurations/LoadBalancerIPConfig')]", + "lbPoolID0": "[concat(variables('lbID0'),'/backendAddressPools/LoadBalancerBEAddressPool')]", + "lbProbeID0": "[concat(variables('lbID0'),'/probes/FabricGatewayProbe')]", + "lbHttpProbeID0": "[concat(variables('lbID0'),'/probes/FabricHttpGatewayProbe')]", + "lbNatPoolID0": "[concat(variables('lbID0'),'/inboundNatPools/LoadBalancerBEAddressNatPool')]", + "vmNodeType0Name": "[toLower(concat('NT1', variables('vmName')))]", + "vmNodeType0Size": "Standard_DS2_v2" + }, + "resources": [ + { + "apiVersion": "[variables('storageApiVersion')]", + "type": "Microsoft.Storage/storageAccounts", + "name": "[variables('supportLogStorageAccountName')]", + "location": "[variables('computeLocation')]", + "dependsOn": [], + "properties": {}, + "kind": "Storage", + "sku": { + "name": "[parameters('supportLogStorageAccountType')]" + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + }, + { + "apiVersion": "[variables('storageApiVersion')]", + "type": "Microsoft.Storage/storageAccounts", + "name": "[variables('applicationDiagnosticsStorageAccountName')]", + "location": "[variables('computeLocation')]", + "dependsOn": [], + "properties": {}, + "kind": "Storage", + "sku": { + "name": "[parameters('applicationDiagnosticsStorageAccountType')]" + }, + 
"tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + }, + { + "apiVersion": "[variables('vNetApiVersion')]", + "type": "Microsoft.Network/virtualNetworks", + "name": "[variables('virtualNetworkName')]", + "location": "[variables('computeLocation')]", + "properties": { + "addressSpace": { + "addressPrefixes": [ + "[variables('addressPrefix')]" + ] + }, + "subnets": [ + { + "name": "[variables('subnet0Name')]", + "properties": { + "addressPrefix": "[variables('subnet0Prefix')]" + } + } + ] + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + }, + { + "apiVersion": "[variables('publicIPApiVersion')]", + "type": "Microsoft.Network/publicIPAddresses", + "name": "[concat(variables('lbIPName'),'-','0')]", + "location": "[variables('computeLocation')]", + "properties": { + "dnsSettings": { + "domainNameLabel": "[variables('dnsName')]" + }, + "publicIPAllocationMethod": "Dynamic" + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + }, + { + "apiVersion": "[variables('lbApiVersion')]", + "type": "Microsoft.Network/loadBalancers", + "name": "[concat('LB','-', parameters('clusterName'),'-',variables('vmNodeType0Name'))]", + "location": "[variables('computeLocation')]", + "dependsOn": [ + "[concat('Microsoft.Network/publicIPAddresses/',concat(variables('lbIPName'),'-','0'))]" + ], + "properties": { + "frontendIPConfigurations": [ + { + "name": "LoadBalancerIPConfig", + "properties": { + "publicIPAddress": { + "id": "[resourceId('Microsoft.Network/publicIPAddresses',concat(variables('lbIPName'),'-','0'))]" + } + } + } + ], + "backendAddressPools": [ + { + "name": "LoadBalancerBEAddressPool", + "properties": {} + } + ], + "loadBalancingRules": [ + { + "name": "LBRule", + "properties": { + "backendAddressPool": { + "id": "[variables('lbPoolID0')]" + }, + "backendPort": "[variables('nt0fabricTcpGatewayPort')]", + "enableFloatingIP": 
"false", + "frontendIPConfiguration": { + "id": "[variables('lbIPConfig0')]" + }, + "frontendPort": "[variables('nt0fabricTcpGatewayPort')]", + "idleTimeoutInMinutes": "5", + "probe": { + "id": "[variables('lbProbeID0')]" + }, + "protocol": "tcp" + } + }, + { + "name": "LBHttpRule", + "properties": { + "backendAddressPool": { + "id": "[variables('lbPoolID0')]" + }, + "backendPort": "[variables('nt0fabricHttpGatewayPort')]", + "enableFloatingIP": "false", + "frontendIPConfiguration": { + "id": "[variables('lbIPConfig0')]" + }, + "frontendPort": "[variables('nt0fabricHttpGatewayPort')]", + "idleTimeoutInMinutes": "5", + "probe": { + "id": "[variables('lbHttpProbeID0')]" + }, + "protocol": "tcp" + } + }, + { + "name": "LBSFReverseProxyRule", + "properties": { + "backendAddressPool": { + "id": "[variables('lbPoolID0')]" + }, + "backendPort": "[parameters('SFReverseProxyPort')]", + "enableFloatingIP": "false", + "frontendIPConfiguration": { + "id": "[variables('lbIPConfig0')]" + }, + "frontendPort": "[parameters('SFReverseProxyPort')]", + "idleTimeoutInMinutes": "5", + "probe": { + "id": "[concat(variables('lbID0'),'/probes/SFReverseProxyProbe')]" + }, + "protocol": "tcp" + } + }, + { + "name": "AppPortLBRule1", + "properties": { + "backendAddressPool": { + "id": "[variables('lbPoolID0')]" + }, + "backendPort": "[parameters('loadBalancedAppPort1')]", + "enableFloatingIP": "false", + "frontendIPConfiguration": { + "id": "[variables('lbIPConfig0')]" + }, + "frontendPort": "[parameters('loadBalancedAppPort1')]", + "idleTimeoutInMinutes": "5", + "probe": { + "id": "[concat(variables('lbID0'),'/probes/AppPortProbe1')]" + }, + "protocol": "tcp" + } + }, + { + "name": "AppPortLBRule2", + "properties": { + "backendAddressPool": { + "id": "[variables('lbPoolID0')]" + }, + "backendPort": "[parameters('loadBalancedAppPort2')]", + "enableFloatingIP": "false", + "frontendIPConfiguration": { + "id": "[variables('lbIPConfig0')]" + }, + "frontendPort": 
"[parameters('loadBalancedAppPort2')]", + "idleTimeoutInMinutes": "5", + "probe": { + "id": "[concat(variables('lbID0'),'/probes/AppPortProbe2')]" + }, + "protocol": "tcp" + } + } + ], + "probes": [ + { + "name": "FabricGatewayProbe", + "properties": { + "intervalInSeconds": 5, + "numberOfProbes": 2, + "port": "[variables('nt0fabricTcpGatewayPort')]", + "protocol": "tcp" + } + }, + { + "name": "FabricHttpGatewayProbe", + "properties": { + "intervalInSeconds": 5, + "numberOfProbes": 2, + "port": "[variables('nt0fabricHttpGatewayPort')]", + "protocol": "tcp" + } + }, + { + "name": "SFReverseProxyProbe", + "properties": { + "intervalInSeconds": 5, + "numberOfProbes": 2, + "port": "[parameters('SFReverseProxyPort')]", + "protocol": "tcp" + } + }, + { + "name": "AppPortProbe1", + "properties": { + "intervalInSeconds": 5, + "numberOfProbes": 2, + "port": "[parameters('loadBalancedAppPort1')]", + "protocol": "tcp" + } + }, + { + "name": "AppPortProbe2", + "properties": { + "intervalInSeconds": 5, + "numberOfProbes": 2, + "port": "[parameters('loadBalancedAppPort2')]", + "protocol": "tcp" + } + } + ], + "inboundNatPools": [ + { + "name": "LoadBalancerBEAddressNatPool", + "properties": { + "backendPort": "3389", + "frontendIPConfiguration": { + "id": "[variables('lbIPConfig0')]" + }, + "frontendPortRangeEnd": "4500", + "frontendPortRangeStart": "3389", + "protocol": "tcp" + } + } + ] + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + }, + { + "apiVersion": "[variables('vmssApiVersion')]", + "type": "Microsoft.Compute/virtualMachineScaleSets", + "name": "[variables('vmNodeType0Name')]", + "location": "[variables('computeLocation')]", + "dependsOn": [ + "[concat('Microsoft.Network/virtualNetworks/', variables('virtualNetworkName'))]", + "[concat('Microsoft.Network/loadBalancers/', concat('LB','-', parameters('clusterName'),'-',variables('vmNodeType0Name')))]", + "[concat('Microsoft.Storage/storageAccounts/', 
variables('supportLogStorageAccountName'))]", + "[concat('Microsoft.Storage/storageAccounts/', variables('applicationDiagnosticsStorageAccountName'))]" + ], + "properties": { + "overprovision": "[variables('overProvision')]", + "upgradePolicy": { + "mode": "Automatic" + }, + "virtualMachineProfile": { + "extensionProfile": { + "extensions": [ + { + "name": "[concat('ServiceFabricNodeVmExt','_vmNodeType0Name')]", + "properties": { + "type": "ServiceFabricNode", + "autoUpgradeMinorVersion": false, + "protectedSettings": { + "StorageAccountKey1": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('supportLogStorageAccountName')),'2015-05-01-preview').key1]", + "StorageAccountKey2": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('supportLogStorageAccountName')),'2015-05-01-preview').key2]" + }, + "publisher": "Microsoft.Azure.ServiceFabric", + "settings": { + "clusterEndpoint": "[reference(parameters('clusterName')).clusterEndpoint]", + "nodeTypeRef": "[variables('vmNodeType0Name')]", + "dataPath": "D:\\\\SvcFab", + "durabilityLevel": "Bronze", + "nicPrefixOverride": "[variables('subnet0Prefix')]", + "certificate": { + "thumbprint": "[parameters('clusterCertificateThumbprint')]", + "x509StoreName": "[parameters('clusterCertificateStoreValue')]" + }, + "reverseProxyCertificate": { + "thumbprint": "[parameters('sfReverseProxySecCertificateThumbprint')]", + "x509StoreName": "[parameters('sfReverseProxyCertificateStoreValue')]" + }, + "reverseProxySecondaryCertificate": { + "thumbprint": "[parameters('sfReverseProxyCertificateThumbprint')]", + "x509StoreName": "[parameters('sfReverseProxyCertificateStoreValue')]" + } + }, + "typeHandlerVersion": "1.0" + } + }, + { + "name": "[concat('VMDiagnosticsVmExt','_vmNodeType0Name')]", + "properties": { + "type": "IaaSDiagnostics", + "autoUpgradeMinorVersion": true, + "protectedSettings": { + "storageAccountName": "[variables('applicationDiagnosticsStorageAccountName')]", + 
"storageAccountKey": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('applicationDiagnosticsStorageAccountName')),'2015-05-01-preview').key1]", + "storageAccountEndPoint": "https://core.windows.net/" + }, + "publisher": "Microsoft.Azure.Diagnostics", + "settings": { + "WadCfg": { + "DiagnosticMonitorConfiguration": { + "overallQuotaInMB": "50000", + "EtwProviders": { + "EtwEventSourceProviderConfiguration": [ + { + "provider": "Microsoft-ServiceFabric-Actors", + "scheduledTransferKeywordFilter": "1", + "scheduledTransferPeriod": "PT5M", + "DefaultEvents": { + "eventDestination": "ServiceFabricReliableActorEventTable" + } + }, + { + "provider": "Microsoft-ServiceFabric-Services", + "scheduledTransferPeriod": "PT5M", + "DefaultEvents": { + "eventDestination": "ServiceFabricReliableServiceEventTable" + } + } + ], + "EtwManifestProviderConfiguration": [ + { + "provider": "cbd93bc2-71e5-4566-b3a7-595d8eeca6e8", + "scheduledTransferLogLevelFilter": "Information", + "scheduledTransferKeywordFilter": "4611686018427387904", + "scheduledTransferPeriod": "PT5M", + "DefaultEvents": { + "eventDestination": "ServiceFabricSystemEventTable" + } + } + ] + } + } + }, + "StorageAccount": "[variables('applicationDiagnosticsStorageAccountName')]" + }, + "typeHandlerVersion": "1.5" + } + } + ] + }, + "networkProfile": { + "networkInterfaceConfigurations": [ + { + "name": "[concat(variables('nicName'), '-0')]", + "properties": { + "ipConfigurations": [ + { + "name": "[concat(variables('nicName'),'-',0)]", + "properties": { + "loadBalancerBackendAddressPools": [ + { + "id": "[variables('lbPoolID0')]" + } + ], + "loadBalancerInboundNatPools": [ + { + "id": "[variables('lbNatPoolID0')]" + } + ], + "subnet": { + "id": "[variables('subnet0Ref')]" + } + } + } + ], + "primary": true + } + } + ] + }, + "osProfile": { + "adminPassword": "[parameters('adminPassword')]", + "adminUsername": "[parameters('adminUsername')]", + "computernamePrefix": 
"[variables('vmNodeType0Name')]", + "secrets": [ + { + "sourceVault": { + "id": "[parameters('sourceVaultValue')]" + }, + "vaultCertificates": [ + { + "certificateStore": "[parameters('clusterCertificateStorevalue')]", + "certificateUrl": "[parameters('clusterCertificateUrlValue')]" + }, + { + "certificateStore": "[parameters('sfReverseProxyCertificateStoreValue')]", + "certificateUrl": "[parameters('sfReverseProxyCertificateUrlValue')]" + }, + { + "certificateStore": "[parameters('sfReverseProxyCertificateStoreValue')]", + "certificateUrl": "[parameters('sfReverseProxySecCertificateUrlValue')]" + } + ] + } + ] + }, + "storageProfile": { + "imageReference": { + "publisher": "[parameters('vmImagePublisher')]", + "offer": "[parameters('vmImageOffer')]", + "sku": "[parameters('vmImageSku')]", + "version": "[parameters('vmImageVersion')]" + }, + "osDisk": { + "createOption": "FromImage", + "caching": "ReadOnly", + "managedDisk": { + "storageAccountType": "[parameters('storageAccountType')]" + } + } + } + } + }, + "sku": { + "name": "[variables('vmNodeType0Size')]", + "capacity": "[parameters('nt0InstanceCount')]", + "tier": "Standard" + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + }, + { + "apiVersion": "2016-09-01", + "type": "Microsoft.ServiceFabric/clusters", + "name": "[parameters('clusterName')]", + "location": "[parameters('clusterLocation')]", + "dependsOn": [ + "[concat('Microsoft.Storage/storageAccounts/', variables('supportLogStorageAccountName'))]" + ], + "properties": { + "certificate": { + "thumbprint": "[parameters('clusterCertificateThumbprint')]", + "x509StoreName": "[parameters('clusterCertificateStoreValue')]" + }, + "reverseProxyCertificate": { + "thumbprint": "[parameters('sfReverseProxyCertificateThumbprint')]", + "x509StoreName": "[parameters('sfReverseProxyCertificateStoreValue')]" + }, + "clientCertificateCommonNames": [], + "clientCertificateThumbprints": [], + "clusterState": 
"Default", + "diagnosticsStorageAccountConfig": { + "blobEndpoint": "[reference(concat('Microsoft.Storage/storageAccounts/', variables('supportLogStorageAccountName')), variables('storageApiVersion')).primaryEndpoints.blob]", + "protectedAccountKeyName": "StorageAccountKey1", + "queueEndpoint": "[reference(concat('Microsoft.Storage/storageAccounts/', variables('supportLogStorageAccountName')), variables('storageApiVersion')).primaryEndpoints.queue]", + "storageAccountName": "[variables('supportLogStorageAccountName')]", + "tableEndpoint": "[reference(concat('Microsoft.Storage/storageAccounts/', variables('supportLogStorageAccountName')), variables('storageApiVersion')).primaryEndpoints.table]" + }, + "fabricSettings": [ + { + "parameters": [ + { + "name": "ClusterProtectionLevel", + "value": "[parameters('clusterProtectionLevel')]" + } + ], + "name": "Security" + } + ], + "managementEndpoint": "[concat('https://',reference(concat(variables('lbIPName'),'-','0')).dnsSettings.fqdn,':',variables('nt0fabricHttpGatewayPort'))]", + "nodeTypes": [ + { + "name": "[variables('vmNodeType0Name')]", + "applicationPorts": { + "endPort": "[variables('nt0applicationEndPort')]", + "startPort": "[variables('nt0applicationStartPort')]" + }, + "clientConnectionEndpointPort": "[variables('nt0fabricTcpGatewayPort')]", + "durabilityLevel": "Bronze", + "ephemeralPorts": { + "endPort": "[variables('nt0ephemeralEndPort')]", + "startPort": "[variables('nt0ephemeralStartPort')]" + }, + "httpGatewayEndpointPort": "[variables('nt0fabricHttpGatewayPort')]", + "reverseProxyEndpointPort": "[parameters('SFReverseProxyPort')]", + "isPrimary": true, + "vmInstanceCount": "[parameters('nt0InstanceCount')]" + } + ], + "provisioningState": "Default", + "reliabilityLevel": "Silver", + "upgradeMode": "Automatic", + "vmImage": "Windows" + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + } + ], + "outputs": { + "clusterProperties": { + "value": 
"[reference(parameters('clusterName'))]", + "type": "object" + } + } +} \ No newline at end of file diff --git a/Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_RollOverStep1.parameters.json b/Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_RollOverStep1.parameters.json new file mode 100644 index 0000000..67ba61c --- /dev/null +++ b/Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_RollOverStep1.parameters.json 
@@ -0,0 +1,78 @@
+{
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "clusterLocation": {
+ "value": "westus"
+ },
+ "clusterName": {
+ "value": "Cluster"
+ },
+ "adminUserName": {
+ "value": "admuser"
+ },
+ "adminPassword": {
+ "value": "val$$$"
+ },
+ "vmImagePublisher": {
+ "value": "MicrosoftWindowsServer"
+ },
+ "vmImageOffer": {
+ "value": "WindowsServer"
+ },
+ "vmImageSku": {
+ "value": "2012-R2-Datacenter"
+ },
+ "vmImageVersion": {
+ "value": "latest"
+ },
+ "loadBalancedAppPort1": {
+ "value": 80
+ },
+ "loadBalancedAppPort2": {
+ "value": 8081
+ },
+ "clusterCertificateStorevalue": {
+ "value": "My"
+ },
+ "clusterCertificateThumbprint": {
+ "value": "thumbprint value"
+ },
+ "sourceVaultvalue": {
+ "value": "/subscriptions/subscription value/resourceGroups/key vault resource group name/providers/Microsoft.KeyVault/vaults/key vault name"
+ },
+ "clusterCertificateUrlvalue": {
+ "value": "Refers to the location URL in your key vault where the certificate was uploaded, it is should be in the format of https://.vault.azure.net:443/secrets/"
+ },
+ "sfReverseProxyCertificateStorevalue": {
+ "value": "My"
+ },
+ "sfReverseProxyCertificateThumbprint": {
+ "value": "thumbprint value"
+ },
+ "sfReverseProxyCertificateUrlvalue": {
+ "value": "Refers to the location URL in your key vault where the certificate was uploaded, it is should be in the format of https://.vault.azure.net:443/secrets/"
+ },
+ "sfReverseProxySecCertificateThumbprint": {
+ "value": "thumbprint value"
+ },
+ "sfReverseProxySecCertificateUrlvalue": {
+ "value": "Refers to the location URL in your key vault where the certificate was uploaded, it is should be in the format of https://.vault.azure.net:443/secrets/"
+ },
+ "clusterProtectionLevel": {
+ "value": "EncryptAndSign"
+ },
+ "storageAccountType": {
+ "value": "Standard_LRS"
+ },
+ "supportLogStorageAccountType": {
+ "value": "Standard_LRS"
+ },
+ "applicationDiagnosticsStorageAccountType": {
+ "value": "Standard_LRS"
+ },
+ "nt0InstanceCount": {
+ "value": 5
+ }
+ }
+}
diff --git a/Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_RollOverStep2.json b/Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_RollOverStep2.json
new file mode 100644
index 0000000..f211ccf
--- /dev/null
+++ b/Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_RollOverStep2.json
@@ -0,0 +1,757 @@ +{ + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json", + "contentVersion": "1.0.0.0", + "parameters": { + "clusterLocation": { + "type": "string", + "metadata": { + "description": "Location of the Cluster" + } + }, + "clusterName": { + "type": "string", + "defaultValue": "sfcluster", + "metadata": { + "description": "Name of your cluster - Between 3 and 23 characters. Letters and numbers only" + } + }, + "adminUserName": { + "type": "string", + "metadata": { + "description": "Remote desktop user Id" + } + }, + "adminPassword": { + "type": "securestring", + "metadata": { + "description": "Remote desktop user password. Must be a strong password" + } + }, + "vmImagePublisher": { + "type": "string", + "defaultValue": "MicrosoftWindowsServer", + "metadata": { + "description": "VM image Publisher" + } + }, + "vmImageOffer": { + "type": "string", + "defaultValue": "WindowsServer", + "metadata": { + "description": "VM image offer" + } + }, + "vmImageSku": { + "type": "string", + "defaultValue": "2012-R2-Datacenter", + "metadata": { + "description": "VM image SKU" + } + }, + "vmImageVersion": { + "type": "string", + "defaultValue": "latest", + "metadata": { + "description": "VM image version" + } + }, + "loadBalancedAppPort1": { + "type": "int", + "defaultValue": 80, + "metadata": { + "description": "Input endpoint1 for the application to use. Replace it with what your application uses" + } + }, + "loadBalancedAppPort2": { + "type": "int", + "defaultValue": 8081, + "metadata": { + "description": "Input endpoint2 for the application to use. 
Replace it with what your application uses" + } + }, + "SFReverseProxyPort": { + "type": "int", + "defaultValue": 19008, + "metadata": { + "description": "Endpoint for Service Fabric Reverse proxy" + } + }, + "clusterCertificateStoreValue": { + "type": "string", + "allowedValues": [ + "My" + ], + "defaultValue": "My", + "metadata": { + "description": "The store name where the cert will be deployed in the virtual machine" + } + }, + "clusterCertificateThumbprint": { + "type": "string", + "metadata": { + "description": "Certificate Thumbprint" + } + }, + "sourceVaultValue": { + "type": "string", + "metadata": { + "description": "Resource Id of the key vault, is should be in the format of /subscriptions//resourceGroups//providers/Microsoft.KeyVault/vaults/" + } + }, + "clusterCertificateUrlValue": { + "type": "string", + "metadata": { + "description": "Refers to the location URL in your key vault where the certificate was uploaded, it is should be in the format of https://.vault.azure.net:443/secrets/" + } + }, + "sfReverseProxyCertificateStoreValue": { + "type": "string", + "allowedValues": [ + "My" + ], + "defaultValue": "My", + "metadata": { + "description": "The store name where the cert will be deployed in the virtual machine" + } + }, + "sfReverseProxyCertificateThumbprint": { + "type": "string", + "metadata": { + "description": "Certificate Thumbprint" + } + }, + "sfReverseProxyCertificateUrlValue": { + "type": "string", + "metadata": { + "description": "Refers to the location URL in your key vault where the certificate was uploaded, it is should be in the format of https://.vault.azure.net:443/secrets/" + } + }, + "sfReverseProxySecCertificateThumbprint": { + "type": "string", + "metadata": { + "description": "Certificate Thumbprint" + } + }, + "sfReverseProxySecCertificateUrlValue": { + "type": "string", + "metadata": { + "description": "Refers to the location URL in your key vault where the certificate was uploaded, it is should be in the format of 
https://.vault.azure.net:443/secrets/" + } + }, + "clusterProtectionLevel": { + "type": "string", + "allowedValues": [ + "None", + "Sign", + "EncryptAndSign" + ], + "defaultValue": "EncryptAndSign", + "metadata": { + "description": "Protection level.Three values are allowed - EncryptAndSign, Sign, None. It is best to keep the default of EncryptAndSign, unless you have a need not to" + } + }, + "storageAccountType": { + "type": "string", + "allowedValues": [ + "Standard_LRS", + "Premium_LRS" + ], + "defaultValue": "Standard_LRS", + "metadata": { + "description": "Replication option for the VM image storage account" + } + }, + "supportLogStorageAccountType": { + "type": "string", + "allowedValues": [ + "Standard_LRS", + "Standard_GRS" + ], + "defaultValue": "Standard_LRS", + "metadata": { + "description": "Replication option for the support log storage account" + } + }, + "applicationDiagnosticsStorageAccountType": { + "type": "string", + "allowedValues": [ + "Standard_LRS", + "Standard_GRS" + ], + "defaultValue": "Standard_LRS", + "metadata": { + "description": "Replication option for the application diagnostics storage account" + } + }, + "nt0InstanceCount": { + "type": "int", + "defaultValue": 5, + "metadata": { + "description": "Instance count for node type" + } + } + }, + "variables": { + "computeLocation": "[parameters('clusterLocation')]", + "dnsName": "[parameters('clusterName')]", + "vmName": "vm", + "vmStorageAccountContainerName": "vhds", + "virtualNetworkName": "VNet", + "addressPrefix": "10.0.0.0/16", + "nicName": "NIC", + "lbIPName": "PublicIP-LB-FE", + "vnetID": "[resourceId('Microsoft.Network/virtualNetworks',variables('virtualNetworkName'))]", + "overProvision": "false", + "vmssApiVersion": "2017-03-30", + "lbApiVersion": "2015-06-15", + "vNetApiVersion": "2015-06-15", + "storageApiVersion": "2016-01-01", + "publicIPApiVersion": "2015-06-15", + "nt0applicationStartPort": "20000", + "nt0applicationEndPort": "30000", + "nt0ephemeralStartPort": "49152", 
+ "nt0ephemeralEndPort": "65534", + "nt0fabricTcpGatewayPort": "19000", + "nt0fabricHttpGatewayPort": "19080", + "subnet0Name": "Subnet-0", + "subnet0Prefix": "10.0.0.0/24", + "subnet0Ref": "[concat(variables('vnetID'),'/subnets/',variables('subnet0Name'))]", + "supportLogStorageAccountName": "[toLower( concat( uniqueString(resourceGroup().id),'2'))]", + "applicationDiagnosticsStorageAccountName": "[toLower(concat(uniqueString(resourceGroup().id), '3' ))]", + "lbID0": "[resourceId('Microsoft.Network/loadBalancers',concat('LB','-', parameters('clusterName'),'-',variables('vmNodeType0Name')))]", + "lbIPConfig0": "[concat(variables('lbID0'),'/frontendIPConfigurations/LoadBalancerIPConfig')]", + "lbPoolID0": "[concat(variables('lbID0'),'/backendAddressPools/LoadBalancerBEAddressPool')]", + "lbProbeID0": "[concat(variables('lbID0'),'/probes/FabricGatewayProbe')]", + "lbHttpProbeID0": "[concat(variables('lbID0'),'/probes/FabricHttpGatewayProbe')]", + "lbNatPoolID0": "[concat(variables('lbID0'),'/inboundNatPools/LoadBalancerBEAddressNatPool')]", + "vmNodeType0Name": "[toLower(concat('NT1', variables('vmName')))]", + "vmNodeType0Size": "Standard_DS2_v2" + }, + "resources": [ + { + "apiVersion": "[variables('storageApiVersion')]", + "type": "Microsoft.Storage/storageAccounts", + "name": "[variables('supportLogStorageAccountName')]", + "location": "[variables('computeLocation')]", + "dependsOn": [], + "properties": {}, + "kind": "Storage", + "sku": { + "name": "[parameters('supportLogStorageAccountType')]" + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + }, + { + "apiVersion": "[variables('storageApiVersion')]", + "type": "Microsoft.Storage/storageAccounts", + "name": "[variables('applicationDiagnosticsStorageAccountName')]", + "location": "[variables('computeLocation')]", + "dependsOn": [], + "properties": {}, + "kind": "Storage", + "sku": { + "name": "[parameters('applicationDiagnosticsStorageAccountType')]" + }, + 
"tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + }, + { + "apiVersion": "[variables('vNetApiVersion')]", + "type": "Microsoft.Network/virtualNetworks", + "name": "[variables('virtualNetworkName')]", + "location": "[variables('computeLocation')]", + "properties": { + "addressSpace": { + "addressPrefixes": [ + "[variables('addressPrefix')]" + ] + }, + "subnets": [ + { + "name": "[variables('subnet0Name')]", + "properties": { + "addressPrefix": "[variables('subnet0Prefix')]" + } + } + ] + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + }, + { + "apiVersion": "[variables('publicIPApiVersion')]", + "type": "Microsoft.Network/publicIPAddresses", + "name": "[concat(variables('lbIPName'),'-','0')]", + "location": "[variables('computeLocation')]", + "properties": { + "dnsSettings": { + "domainNameLabel": "[variables('dnsName')]" + }, + "publicIPAllocationMethod": "Dynamic" + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + }, + { + "apiVersion": "[variables('lbApiVersion')]", + "type": "Microsoft.Network/loadBalancers", + "name": "[concat('LB','-', parameters('clusterName'),'-',variables('vmNodeType0Name'))]", + "location": "[variables('computeLocation')]", + "dependsOn": [ + "[concat('Microsoft.Network/publicIPAddresses/',concat(variables('lbIPName'),'-','0'))]" + ], + "properties": { + "frontendIPConfigurations": [ + { + "name": "LoadBalancerIPConfig", + "properties": { + "publicIPAddress": { + "id": "[resourceId('Microsoft.Network/publicIPAddresses',concat(variables('lbIPName'),'-','0'))]" + } + } + } + ], + "backendAddressPools": [ + { + "name": "LoadBalancerBEAddressPool", + "properties": {} + } + ], + "loadBalancingRules": [ + { + "name": "LBRule", + "properties": { + "backendAddressPool": { + "id": "[variables('lbPoolID0')]" + }, + "backendPort": "[variables('nt0fabricTcpGatewayPort')]", + "enableFloatingIP": 
"false", + "frontendIPConfiguration": { + "id": "[variables('lbIPConfig0')]" + }, + "frontendPort": "[variables('nt0fabricTcpGatewayPort')]", + "idleTimeoutInMinutes": "5", + "probe": { + "id": "[variables('lbProbeID0')]" + }, + "protocol": "tcp" + } + }, + { + "name": "LBHttpRule", + "properties": { + "backendAddressPool": { + "id": "[variables('lbPoolID0')]" + }, + "backendPort": "[variables('nt0fabricHttpGatewayPort')]", + "enableFloatingIP": "false", + "frontendIPConfiguration": { + "id": "[variables('lbIPConfig0')]" + }, + "frontendPort": "[variables('nt0fabricHttpGatewayPort')]", + "idleTimeoutInMinutes": "5", + "probe": { + "id": "[variables('lbHttpProbeID0')]" + }, + "protocol": "tcp" + } + }, + { + "name": "LBSFReverseProxyRule", + "properties": { + "backendAddressPool": { + "id": "[variables('lbPoolID0')]" + }, + "backendPort": "[parameters('SFReverseProxyPort')]", + "enableFloatingIP": "false", + "frontendIPConfiguration": { + "id": "[variables('lbIPConfig0')]" + }, + "frontendPort": "[parameters('SFReverseProxyPort')]", + "idleTimeoutInMinutes": "5", + "probe": { + "id": "[concat(variables('lbID0'),'/probes/SFReverseProxyProbe')]" + }, + "protocol": "tcp" + } + }, + { + "name": "AppPortLBRule1", + "properties": { + "backendAddressPool": { + "id": "[variables('lbPoolID0')]" + }, + "backendPort": "[parameters('loadBalancedAppPort1')]", + "enableFloatingIP": "false", + "frontendIPConfiguration": { + "id": "[variables('lbIPConfig0')]" + }, + "frontendPort": "[parameters('loadBalancedAppPort1')]", + "idleTimeoutInMinutes": "5", + "probe": { + "id": "[concat(variables('lbID0'),'/probes/AppPortProbe1')]" + }, + "protocol": "tcp" + } + }, + { + "name": "AppPortLBRule2", + "properties": { + "backendAddressPool": { + "id": "[variables('lbPoolID0')]" + }, + "backendPort": "[parameters('loadBalancedAppPort2')]", + "enableFloatingIP": "false", + "frontendIPConfiguration": { + "id": "[variables('lbIPConfig0')]" + }, + "frontendPort": 
"[parameters('loadBalancedAppPort2')]", + "idleTimeoutInMinutes": "5", + "probe": { + "id": "[concat(variables('lbID0'),'/probes/AppPortProbe2')]" + }, + "protocol": "tcp" + } + } + ], + "probes": [ + { + "name": "FabricGatewayProbe", + "properties": { + "intervalInSeconds": 5, + "numberOfProbes": 2, + "port": "[variables('nt0fabricTcpGatewayPort')]", + "protocol": "tcp" + } + }, + { + "name": "FabricHttpGatewayProbe", + "properties": { + "intervalInSeconds": 5, + "numberOfProbes": 2, + "port": "[variables('nt0fabricHttpGatewayPort')]", + "protocol": "tcp" + } + }, + { + "name": "SFReverseProxyProbe", + "properties": { + "intervalInSeconds": 5, + "numberOfProbes": 2, + "port": "[parameters('SFReverseProxyPort')]", + "protocol": "tcp" + } + }, + { + "name": "AppPortProbe1", + "properties": { + "intervalInSeconds": 5, + "numberOfProbes": 2, + "port": "[parameters('loadBalancedAppPort1')]", + "protocol": "tcp" + } + }, + { + "name": "AppPortProbe2", + "properties": { + "intervalInSeconds": 5, + "numberOfProbes": 2, + "port": "[parameters('loadBalancedAppPort2')]", + "protocol": "tcp" + } + } + ], + "inboundNatPools": [ + { + "name": "LoadBalancerBEAddressNatPool", + "properties": { + "backendPort": "3389", + "frontendIPConfiguration": { + "id": "[variables('lbIPConfig0')]" + }, + "frontendPortRangeEnd": "4500", + "frontendPortRangeStart": "3389", + "protocol": "tcp" + } + } + ] + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + }, + { + "apiVersion": "[variables('vmssApiVersion')]", + "type": "Microsoft.Compute/virtualMachineScaleSets", + "name": "[variables('vmNodeType0Name')]", + "location": "[variables('computeLocation')]", + "dependsOn": [ + "[concat('Microsoft.Network/virtualNetworks/', variables('virtualNetworkName'))]", + "[concat('Microsoft.Network/loadBalancers/', concat('LB','-', parameters('clusterName'),'-',variables('vmNodeType0Name')))]", + "[concat('Microsoft.Storage/storageAccounts/', 
variables('supportLogStorageAccountName'))]", + "[concat('Microsoft.Storage/storageAccounts/', variables('applicationDiagnosticsStorageAccountName'))]" + ], + "properties": { + "overprovision": "[variables('overProvision')]", + "upgradePolicy": { + "mode": "Automatic" + }, + "virtualMachineProfile": { + "extensionProfile": { + "extensions": [ + { + "name": "[concat('ServiceFabricNodeVmExt','_vmNodeType0Name')]", + "properties": { + "type": "ServiceFabricNode", + "autoUpgradeMinorVersion": false, + "protectedSettings": { + "StorageAccountKey1": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('supportLogStorageAccountName')),'2015-05-01-preview').key1]", + "StorageAccountKey2": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('supportLogStorageAccountName')),'2015-05-01-preview').key2]" + }, + "publisher": "Microsoft.Azure.ServiceFabric", + "settings": { + "clusterEndpoint": "[reference(parameters('clusterName')).clusterEndpoint]", + "nodeTypeRef": "[variables('vmNodeType0Name')]", + "dataPath": "D:\\\\SvcFab", + "durabilityLevel": "Bronze", + "nicPrefixOverride": "[variables('subnet0Prefix')]", + "certificate": { + "thumbprint": "[parameters('clusterCertificateThumbprint')]", + "x509StoreName": "[parameters('clusterCertificateStoreValue')]" + }, + "reverseProxyCertificate": { + "thumbprint": "[parameters('sfReverseProxySecCertificateThumbprint')]", + "x509StoreName": "[parameters('sfReverseProxyCertificateStoreValue')]" + }, + "reverseProxySecondaryCertificate": { + "thumbprint": "[parameters('sfReverseProxyCertificateThumbprint')]", + "x509StoreName": "[parameters('sfReverseProxyCertificateStoreValue')]" + } + }, + "typeHandlerVersion": "1.0" + } + }, + { + "name": "[concat('VMDiagnosticsVmExt','_vmNodeType0Name')]", + "properties": { + "type": "IaaSDiagnostics", + "autoUpgradeMinorVersion": true, + "protectedSettings": { + "storageAccountName": "[variables('applicationDiagnosticsStorageAccountName')]", + 
"storageAccountKey": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('applicationDiagnosticsStorageAccountName')),'2015-05-01-preview').key1]", + "storageAccountEndPoint": "https://core.windows.net/" + }, + "publisher": "Microsoft.Azure.Diagnostics", + "settings": { + "WadCfg": { + "DiagnosticMonitorConfiguration": { + "overallQuotaInMB": "50000", + "EtwProviders": { + "EtwEventSourceProviderConfiguration": [ + { + "provider": "Microsoft-ServiceFabric-Actors", + "scheduledTransferKeywordFilter": "1", + "scheduledTransferPeriod": "PT5M", + "DefaultEvents": { + "eventDestination": "ServiceFabricReliableActorEventTable" + } + }, + { + "provider": "Microsoft-ServiceFabric-Services", + "scheduledTransferPeriod": "PT5M", + "DefaultEvents": { + "eventDestination": "ServiceFabricReliableServiceEventTable" + } + } + ], + "EtwManifestProviderConfiguration": [ + { + "provider": "cbd93bc2-71e5-4566-b3a7-595d8eeca6e8", + "scheduledTransferLogLevelFilter": "Information", + "scheduledTransferKeywordFilter": "4611686018427387904", + "scheduledTransferPeriod": "PT5M", + "DefaultEvents": { + "eventDestination": "ServiceFabricSystemEventTable" + } + } + ] + } + } + }, + "StorageAccount": "[variables('applicationDiagnosticsStorageAccountName')]" + }, + "typeHandlerVersion": "1.5" + } + } + ] + }, + "networkProfile": { + "networkInterfaceConfigurations": [ + { + "name": "[concat(variables('nicName'), '-0')]", + "properties": { + "ipConfigurations": [ + { + "name": "[concat(variables('nicName'),'-',0)]", + "properties": { + "loadBalancerBackendAddressPools": [ + { + "id": "[variables('lbPoolID0')]" + } + ], + "loadBalancerInboundNatPools": [ + { + "id": "[variables('lbNatPoolID0')]" + } + ], + "subnet": { + "id": "[variables('subnet0Ref')]" + } + } + } + ], + "primary": true + } + } + ] + }, + "osProfile": { + "adminPassword": "[parameters('adminPassword')]", + "adminUsername": "[parameters('adminUsername')]", + "computernamePrefix": 
"[variables('vmNodeType0Name')]", + "secrets": [ + { + "sourceVault": { + "id": "[parameters('sourceVaultValue')]" + }, + "vaultCertificates": [ + { + "certificateStore": "[parameters('clusterCertificateStorevalue')]", + "certificateUrl": "[parameters('clusterCertificateUrlValue')]" + }, + { + "certificateStore": "[parameters('sfReverseProxyCertificateStoreValue')]", + "certificateUrl": "[parameters('sfReverseProxyCertificateUrlValue')]" + }, + { + "certificateStore": "[parameters('sfReverseProxyCertificateStoreValue')]", + "certificateUrl": "[parameters('sfReverseProxySecCertificateUrlValue')]" + } + ] + } + ] + }, + "storageProfile": { + "imageReference": { + "publisher": "[parameters('vmImagePublisher')]", + "offer": "[parameters('vmImageOffer')]", + "sku": "[parameters('vmImageSku')]", + "version": "[parameters('vmImageVersion')]" + }, + "osDisk": { + "createOption": "FromImage", + "caching": "ReadOnly", + "managedDisk": { + "storageAccountType": "[parameters('storageAccountType')]" + } + } + } + } + }, + "sku": { + "name": "[variables('vmNodeType0Size')]", + "capacity": "[parameters('nt0InstanceCount')]", + "tier": "Standard" + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + }, + { + "apiVersion": "2016-09-01", + "type": "Microsoft.ServiceFabric/clusters", + "name": "[parameters('clusterName')]", + "location": "[parameters('clusterLocation')]", + "dependsOn": [ + "[concat('Microsoft.Storage/storageAccounts/', variables('supportLogStorageAccountName'))]" + ], + "properties": { + "certificate": { + "thumbprint": "[parameters('clusterCertificateThumbprint')]", + "x509StoreName": "[parameters('clusterCertificateStoreValue')]" + }, + "reverseProxyCertificate": { + "thumbprint": "[parameters('sfReverseProxySecCertificateThumbprint')]", + "thumbprintSecondary": "[parameters('sfReverseProxyCertificateThumbprint')]", + "x509StoreName": "[parameters('sfReverseProxyCertificateStoreValue')]" + }, + 
"clientCertificateCommonNames": [], + "clientCertificateThumbprints": [], + "clusterState": "Default", + "diagnosticsStorageAccountConfig": { + "blobEndpoint": "[reference(concat('Microsoft.Storage/storageAccounts/', variables('supportLogStorageAccountName')), variables('storageApiVersion')).primaryEndpoints.blob]", + "protectedAccountKeyName": "StorageAccountKey1", + "queueEndpoint": "[reference(concat('Microsoft.Storage/storageAccounts/', variables('supportLogStorageAccountName')), variables('storageApiVersion')).primaryEndpoints.queue]", + "storageAccountName": "[variables('supportLogStorageAccountName')]", + "tableEndpoint": "[reference(concat('Microsoft.Storage/storageAccounts/', variables('supportLogStorageAccountName')), variables('storageApiVersion')).primaryEndpoints.table]" + }, + "fabricSettings": [ + { + "parameters": [ + { + "name": "ClusterProtectionLevel", + "value": "[parameters('clusterProtectionLevel')]" + } + ], + "name": "Security" + } + ], + "managementEndpoint": "[concat('https://',reference(concat(variables('lbIPName'),'-','0')).dnsSettings.fqdn,':',variables('nt0fabricHttpGatewayPort'))]", + "nodeTypes": [ + { + "name": "[variables('vmNodeType0Name')]", + "applicationPorts": { + "endPort": "[variables('nt0applicationEndPort')]", + "startPort": "[variables('nt0applicationStartPort')]" + }, + "clientConnectionEndpointPort": "[variables('nt0fabricTcpGatewayPort')]", + "durabilityLevel": "Bronze", + "ephemeralPorts": { + "endPort": "[variables('nt0ephemeralEndPort')]", + "startPort": "[variables('nt0ephemeralStartPort')]" + }, + "httpGatewayEndpointPort": "[variables('nt0fabricHttpGatewayPort')]", + "reverseProxyEndpointPort": "[parameters('SFReverseProxyPort')]", + "isPrimary": true, + "vmInstanceCount": "[parameters('nt0InstanceCount')]" + } + ], + "provisioningState": "Default", + "reliabilityLevel": "Silver", + "upgradeMode": "Automatic", + "vmImage": "Windows" + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": 
"[parameters('clusterName')]" + } + } + ], + "outputs": { + "clusterProperties": { + "value": "[reference(parameters('clusterName'))]", + "type": "object" + } + } +} \ No newline at end of file diff --git a/Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_RollOverStep2.parameters.json b/Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_RollOverStep2.parameters.json new file mode 100644 index 0000000..67ba61c --- /dev/null +++ b/Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_RollOverStep2.parameters.json 
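Review bot: The `LoadBalancerBEAddressNatPool` entry under `inboundNatPools` maps public frontend ports 3389–4500 to port 3389 on each scale-set instance, and the template defines no `Microsoft.Network/networkSecurityGroups` resource, so RDP on every node is reachable from any internet source protected only by `adminPassword`. Unless per-node RDP is needed for the sample, remove that pool together with the `loadBalancerInboundNatPools` reference in the NIC `ipConfigurations` and the then-unused `lbNatPoolID0` variable; if it is needed, attach an NSG to `Subnet-0` that limits the 3389 source to an administrative range while still allowing the gateway and application ports the load balancer exposes, since an NSG denies other inbound internet traffic by default. The same pool appears in the `5-VM-1-NodeTypes-SecureRP_ServiceCertValidationCommonName.json` hunk that follows. A smaller point of style: `vmStorageAccountContainerName` is declared in `variables` but never referenced, since the OS disk uses `managedDisk`.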
@@ -0,0 +1,78 @@
+{
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "clusterLocation": {
+ "value": "westus"
+ },
+ "clusterName": {
+ "value": "Cluster"
+ },
+ "adminUserName": {
+ "value": "admuser"
+ },
+ "adminPassword": {
+ "value": "val$$$"
+ },
+ "vmImagePublisher": {
+ "value": "MicrosoftWindowsServer"
+ },
+ "vmImageOffer": {
+ "value": "WindowsServer"
+ },
+ "vmImageSku": {
+ "value": "2012-R2-Datacenter"
+ },
+ "vmImageVersion": {
+ "value": "latest"
+ },
+ "loadBalancedAppPort1": {
+ "value": 80
+ },
+ "loadBalancedAppPort2": {
+ "value": 8081
+ },
+ "clusterCertificateStorevalue": {
+ "value": "My"
+ },
+ "clusterCertificateThumbprint": {
+ "value": "thumbprint value"
+ },
+ "sourceVaultvalue": {
+ "value": "/subscriptions/subscription value/resourceGroups/key vault resource group name/providers/Microsoft.KeyVault/vaults/key vault name"
+ },
+ "clusterCertificateUrlvalue": {
+ "value": "Refers to the location URL in your key vault where the certificate was uploaded, it is should be in the format of https://.vault.azure.net:443/secrets/"
+ },
+ "sfReverseProxyCertificateStorevalue": {
+ "value": "My"
+ },
+ "sfReverseProxyCertificateThumbprint": {
+ "value": "thumbprint value"
+ },
+ "sfReverseProxyCertificateUrlvalue": {
+ "value": "Refers to the location URL in your key vault where the certificate was uploaded, it is should be in the format of https://.vault.azure.net:443/secrets/"
+ },
+ "sfReverseProxySecCertificateThumbprint": {
+ "value": "thumbprint value"
+ },
+ "sfReverseProxySecCertificateUrlvalue": {
+ "value": "Refers to the location URL in your key vault where the certificate was uploaded, it is should be in the format of https://.vault.azure.net:443/secrets/"
+ },
+ "clusterProtectionLevel": {
+ "value": "EncryptAndSign"
+ },
+ "storageAccountType": {
+ "value": "Standard_LRS"
+ },
+ "supportLogStorageAccountType": {
+ "value": "Standard_LRS"
+ },
+ "applicationDiagnosticsStorageAccountType": {
+ "value": "Standard_LRS"
+ },
+ "nt0InstanceCount": {
+ "value": 5
+ }
+ }
+}
diff --git a/Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_ServiceCertValidationCommonName.json b/Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_ServiceCertValidationCommonName.json
new file mode 100644
index 0000000..0b8041d
--- /dev/null
+++ b/Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_ServiceCertValidationCommonName.json
@@ -0,0 +1,754 @@ +{ + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json", + "contentVersion": "1.0.0.0", + "parameters": { + "clusterLocation": { + "type": "string", + "metadata": { + "description": "Location of the Cluster" + } + }, + "clusterName": { + "type": "string", + "defaultValue": "sfcluster", + "metadata": { + "description": "Name of your cluster - Between 3 and 23 characters. Letters and numbers only" + } + }, + "adminUserName": { + "type": "string", + "metadata": { + "description": "Remote desktop user Id" + } + }, + "adminPassword": { + "type": "securestring", + "metadata": { + "description": "Remote desktop user password. Must be a strong password" + } + }, + "vmImagePublisher": { + "type": "string", + "defaultValue": "MicrosoftWindowsServer", + "metadata": { + "description": "VM image Publisher" + } + }, + "vmImageOffer": { + "type": "string", + "defaultValue": "WindowsServer", + "metadata": { + "description": "VM image offer" + } + }, + "vmImageSku": { + "type": "string", + "defaultValue": "2012-R2-Datacenter", + "metadata": { + "description": "VM image SKU" + } + }, + "vmImageVersion": { + "type": "string", + "defaultValue": "latest", + "metadata": { + "description": "VM image version" + } + }, + "loadBalancedAppPort1": { + "type": "int", + "defaultValue": 80, + "metadata": { + "description": "Input endpoint1 for the application to use. Replace it with what your application uses" + } + }, + "loadBalancedAppPort2": { + "type": "int", + "defaultValue": 8081, + "metadata": { + "description": "Input endpoint2 for the application to use. 
Replace it with what your application uses" + } + }, + "SFReverseProxyPort": { + "type": "int", + "defaultValue": 19008, + "metadata": { + "description": "Endpoint for Service Fabric Reverse proxy" + } + }, + "clusterCertificateStoreValue": { + "type": "string", + "allowedValues": [ + "My" + ], + "defaultValue": "My", + "metadata": { + "description": "The store name where the cert will be deployed in the virtual machine" + } + }, + "clusterCertificateThumbprint": { + "type": "string", + "metadata": { + "description": "Certificate Thumbprint" + } + }, + "sourceVaultValue": { + "type": "string", + "metadata": { + "description": "Resource Id of the key vault, is should be in the format of /subscriptions//resourceGroups//providers/Microsoft.KeyVault/vaults/" + } + }, + "clusterCertificateUrlValue": { + "type": "string", + "metadata": { + "description": "Refers to the location URL in your key vault where the certificate was uploaded, it is should be in the format of https://.vault.azure.net:443/secrets/" + } + }, + "sfReverseProxyCertificateStoreValue": { + "type": "string", + "allowedValues": [ + "My" + ], + "defaultValue": "My", + "metadata": { + "description": "The store name where the cert will be deployed in the virtual machine" + } + }, + "sfReverseProxyCertificateThumbprint": { + "type": "string", + "metadata": { + "description": "Certificate Thumbprint" + } + }, + "sfReverseProxyCertificateUrlValue": { + "type": "string", + "metadata": { + "description": "Refers to the location URL in your key vault where the certificate was uploaded, it is should be in the format of https://.vault.azure.net:443/secrets/" + } + }, + "clusterProtectionLevel": { + "type": "string", + "allowedValues": [ + "None", + "Sign", + "EncryptAndSign" + ], + "defaultValue": "EncryptAndSign", + "metadata": { + "description": "Protection level.Three values are allowed - EncryptAndSign, Sign, None. 
It is best to keep the default of EncryptAndSign, unless you have a need not to" + } + }, + "serviceCommonNameAndIssuer": { + "type": "array", + "metadata": { + "description": "Array of accepted service certificate common name and issuer thumbprint pairs that the reverse proxy will accept." + } + }, + "storageAccountType": { + "type": "string", + "allowedValues": [ + "Standard_LRS", + "Premium_LRS" + ], + "defaultValue": "Standard_LRS", + "metadata": { + "description": "Replication option for the VM image storage account" + } + }, + "supportLogStorageAccountType": { + "type": "string", + "allowedValues": [ + "Standard_LRS", + "Standard_GRS" + ], + "defaultValue": "Standard_LRS", + "metadata": { + "description": "Replication option for the support log storage account" + } + }, + "applicationDiagnosticsStorageAccountType": { + "type": "string", + "allowedValues": [ + "Standard_LRS", + "Standard_GRS" + ], + "defaultValue": "Standard_LRS", + "metadata": { + "description": "Replication option for the application diagnostics storage account" + } + }, + "nt0InstanceCount": { + "type": "int", + "defaultValue": 5, + "metadata": { + "description": "Instance count for node type" + } + } + }, + "variables": { + "computeLocation": "[parameters('clusterLocation')]", + "dnsName": "[parameters('clusterName')]", + "vmName": "vm", + "virtualNetworkName": "VNet", + "addressPrefix": "10.0.0.0/16", + "nicName": "NIC", + "lbIPName": "PublicIP-LB-FE", + "vnetID": "[resourceId('Microsoft.Network/virtualNetworks',variables('virtualNetworkName'))]", + "overProvision": "false", + "vmssApiVersion": "2017-03-30", + "lbApiVersion": "2015-06-15", + "vNetApiVersion": "2015-06-15", + "storageApiVersion": "2016-01-01", + "publicIPApiVersion": "2015-06-15", + "nt0applicationStartPort": "20000", + "nt0applicationEndPort": "30000", + "nt0ephemeralStartPort": "49152", + "nt0ephemeralEndPort": "65534", + "nt0fabricTcpGatewayPort": "19000", + "nt0fabricHttpGatewayPort": "19080", + "subnet0Name": 
"Subnet-0", + "subnet0Prefix": "10.0.0.0/24", + "subnet0Ref": "[concat(variables('vnetID'),'/subnets/',variables('subnet0Name'))]", + "supportLogStorageAccountName": "[toLower( concat( uniqueString(resourceGroup().id),'2'))]", + "applicationDiagnosticsStorageAccountName": "[toLower(concat(uniqueString(resourceGroup().id), '3' ))]", + "lbID0": "[resourceId('Microsoft.Network/loadBalancers',concat('LB','-', parameters('clusterName'),'-',variables('vmNodeType0Name')))]", + "lbIPConfig0": "[concat(variables('lbID0'),'/frontendIPConfigurations/LoadBalancerIPConfig')]", + "lbPoolID0": "[concat(variables('lbID0'),'/backendAddressPools/LoadBalancerBEAddressPool')]", + "lbProbeID0": "[concat(variables('lbID0'),'/probes/FabricGatewayProbe')]", + "lbHttpProbeID0": "[concat(variables('lbID0'),'/probes/FabricHttpGatewayProbe')]", + "lbNatPoolID0": "[concat(variables('lbID0'),'/inboundNatPools/LoadBalancerBEAddressNatPool')]", + "vmNodeType0Name": "[toLower(concat('NT1', variables('vmName')))]", + "vmNodeType0Size": "Standard_DS2_v2" + }, + "resources": [ + { + "apiVersion": "[variables('storageApiVersion')]", + "type": "Microsoft.Storage/storageAccounts", + "name": "[variables('supportLogStorageAccountName')]", + "location": "[variables('computeLocation')]", + "dependsOn": [], + "properties": {}, + "kind": "Storage", + "sku": { + "name": "[parameters('supportLogStorageAccountType')]" + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + }, + { + "apiVersion": "[variables('storageApiVersion')]", + "type": "Microsoft.Storage/storageAccounts", + "name": "[variables('applicationDiagnosticsStorageAccountName')]", + "location": "[variables('computeLocation')]", + "dependsOn": [], + "properties": {}, + "kind": "Storage", + "sku": { + "name": "[parameters('applicationDiagnosticsStorageAccountType')]" + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + }, + { + "apiVersion": 
"[variables('vNetApiVersion')]", + "type": "Microsoft.Network/virtualNetworks", + "name": "[variables('virtualNetworkName')]", + "location": "[variables('computeLocation')]", + "properties": { + "addressSpace": { + "addressPrefixes": [ + "[variables('addressPrefix')]" + ] + }, + "subnets": [ + { + "name": "[variables('subnet0Name')]", + "properties": { + "addressPrefix": "[variables('subnet0Prefix')]" + } + } + ] + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + }, + { + "apiVersion": "[variables('publicIPApiVersion')]", + "type": "Microsoft.Network/publicIPAddresses", + "name": "[concat(variables('lbIPName'),'-','0')]", + "location": "[variables('computeLocation')]", + "properties": { + "dnsSettings": { + "domainNameLabel": "[variables('dnsName')]" + }, + "publicIPAllocationMethod": "Dynamic" + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + }, + { + "apiVersion": "[variables('lbApiVersion')]", + "type": "Microsoft.Network/loadBalancers", + "name": "[concat('LB','-', parameters('clusterName'),'-',variables('vmNodeType0Name'))]", + "location": "[variables('computeLocation')]", + "dependsOn": [ + "[concat('Microsoft.Network/publicIPAddresses/',concat(variables('lbIPName'),'-','0'))]" + ], + "properties": { + "frontendIPConfigurations": [ + { + "name": "LoadBalancerIPConfig", + "properties": { + "publicIPAddress": { + "id": "[resourceId('Microsoft.Network/publicIPAddresses',concat(variables('lbIPName'),'-','0'))]" + } + } + } + ], + "backendAddressPools": [ + { + "name": "LoadBalancerBEAddressPool", + "properties": {} + } + ], + "loadBalancingRules": [ + { + "name": "LBRule", + "properties": { + "backendAddressPool": { + "id": "[variables('lbPoolID0')]" + }, + "backendPort": "[variables('nt0fabricTcpGatewayPort')]", + "enableFloatingIP": "false", + "frontendIPConfiguration": { + "id": "[variables('lbIPConfig0')]" + }, + "frontendPort": 
"[variables('nt0fabricTcpGatewayPort')]", + "idleTimeoutInMinutes": "5", + "probe": { + "id": "[variables('lbProbeID0')]" + }, + "protocol": "tcp" + } + }, + { + "name": "LBHttpRule", + "properties": { + "backendAddressPool": { + "id": "[variables('lbPoolID0')]" + }, + "backendPort": "[variables('nt0fabricHttpGatewayPort')]", + "enableFloatingIP": "false", + "frontendIPConfiguration": { + "id": "[variables('lbIPConfig0')]" + }, + "frontendPort": "[variables('nt0fabricHttpGatewayPort')]", + "idleTimeoutInMinutes": "5", + "probe": { + "id": "[variables('lbHttpProbeID0')]" + }, + "protocol": "tcp" + } + }, + { + "name": "LBSFReverseProxyRule", + "properties": { + "backendAddressPool": { + "id": "[variables('lbPoolID0')]" + }, + "backendPort": "[parameters('SFReverseProxyPort')]", + "enableFloatingIP": "false", + "frontendIPConfiguration": { + "id": "[variables('lbIPConfig0')]" + }, + "frontendPort": "[parameters('SFReverseProxyPort')]", + "idleTimeoutInMinutes": "5", + "probe": { + "id": "[concat(variables('lbID0'),'/probes/SFReverseProxyProbe')]" + }, + "protocol": "tcp" + } + }, + { + "name": "AppPortLBRule1", + "properties": { + "backendAddressPool": { + "id": "[variables('lbPoolID0')]" + }, + "backendPort": "[parameters('loadBalancedAppPort1')]", + "enableFloatingIP": "false", + "frontendIPConfiguration": { + "id": "[variables('lbIPConfig0')]" + }, + "frontendPort": "[parameters('loadBalancedAppPort1')]", + "idleTimeoutInMinutes": "5", + "probe": { + "id": "[concat(variables('lbID0'),'/probes/AppPortProbe1')]" + }, + "protocol": "tcp" + } + }, + { + "name": "AppPortLBRule2", + "properties": { + "backendAddressPool": { + "id": "[variables('lbPoolID0')]" + }, + "backendPort": "[parameters('loadBalancedAppPort2')]", + "enableFloatingIP": "false", + "frontendIPConfiguration": { + "id": "[variables('lbIPConfig0')]" + }, + "frontendPort": "[parameters('loadBalancedAppPort2')]", + "idleTimeoutInMinutes": "5", + "probe": { + "id": 
"[concat(variables('lbID0'),'/probes/AppPortProbe2')]" + }, + "protocol": "tcp" + } + } + ], + "probes": [ + { + "name": "FabricGatewayProbe", + "properties": { + "intervalInSeconds": 5, + "numberOfProbes": 2, + "port": "[variables('nt0fabricTcpGatewayPort')]", + "protocol": "tcp" + } + }, + { + "name": "FabricHttpGatewayProbe", + "properties": { + "intervalInSeconds": 5, + "numberOfProbes": 2, + "port": "[variables('nt0fabricHttpGatewayPort')]", + "protocol": "tcp" + } + }, + { + "name": "SFReverseProxyProbe", + "properties": { + "intervalInSeconds": 5, + "numberOfProbes": 2, + "port": "[parameters('SFReverseProxyPort')]", + "protocol": "tcp" + } + }, + { + "name": "AppPortProbe1", + "properties": { + "intervalInSeconds": 5, + "numberOfProbes": 2, + "port": "[parameters('loadBalancedAppPort1')]", + "protocol": "tcp" + } + }, + { + "name": "AppPortProbe2", + "properties": { + "intervalInSeconds": 5, + "numberOfProbes": 2, + "port": "[parameters('loadBalancedAppPort2')]", + "protocol": "tcp" + } + } + ], + "inboundNatPools": [ + { + "name": "LoadBalancerBEAddressNatPool", + "properties": { + "backendPort": "3389", + "frontendIPConfiguration": { + "id": "[variables('lbIPConfig0')]" + }, + "frontendPortRangeEnd": "4500", + "frontendPortRangeStart": "3389", + "protocol": "tcp" + } + } + ] + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + }, + { + "apiVersion": "[variables('vmssApiVersion')]", + "type": "Microsoft.Compute/virtualMachineScaleSets", + "name": "[variables('vmNodeType0Name')]", + "location": "[variables('computeLocation')]", + "dependsOn": [ + "[concat('Microsoft.Network/virtualNetworks/', variables('virtualNetworkName'))]", + "[concat('Microsoft.Network/loadBalancers/', concat('LB','-', parameters('clusterName'),'-',variables('vmNodeType0Name')))]", + "[concat('Microsoft.Storage/storageAccounts/', variables('supportLogStorageAccountName'))]", + "[concat('Microsoft.Storage/storageAccounts/', 
variables('applicationDiagnosticsStorageAccountName'))]" + ], + "properties": { + "overprovision": "[variables('overProvision')]", + "upgradePolicy": { + "mode": "Automatic" + }, + "virtualMachineProfile": { + "extensionProfile": { + "extensions": [ + { + "name": "[concat('ServiceFabricNodeVmExt','_vmNodeType0Name')]", + "properties": { + "type": "ServiceFabricNode", + "autoUpgradeMinorVersion": false, + "protectedSettings": { + "StorageAccountKey1": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('supportLogStorageAccountName')),'2015-05-01-preview').key1]", + "StorageAccountKey2": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('supportLogStorageAccountName')),'2015-05-01-preview').key2]" + }, + "publisher": "Microsoft.Azure.ServiceFabric", + "settings": { + "clusterEndpoint": "[reference(parameters('clusterName')).clusterEndpoint]", + "nodeTypeRef": "[variables('vmNodeType0Name')]", + "dataPath": "D:\\\\SvcFab", + "durabilityLevel": "Bronze", + "nicPrefixOverride": "[variables('subnet0Prefix')]", + "certificate": { + "thumbprint": "[parameters('clusterCertificateThumbprint')]", + "x509StoreName": "[parameters('clusterCertificateStoreValue')]" + }, + "reverseProxyCertificate": { + "thumbprint": "[parameters('sfReverseProxyCertificateThumbprint')]", + "x509StoreName": "[parameters('sfReverseProxyCertificateStoreValue')]" + } + }, + "typeHandlerVersion": "1.0" + } + }, + { + "name": "[concat('VMDiagnosticsVmExt','_vmNodeType0Name')]", + "properties": { + "type": "IaaSDiagnostics", + "autoUpgradeMinorVersion": true, + "protectedSettings": { + "storageAccountName": "[variables('applicationDiagnosticsStorageAccountName')]", + "storageAccountKey": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('applicationDiagnosticsStorageAccountName')),'2015-05-01-preview').key1]", + "storageAccountEndPoint": "https://core.windows.net/" + }, + "publisher": "Microsoft.Azure.Diagnostics", + "settings": { + "WadCfg": { + 
"DiagnosticMonitorConfiguration": { + "overallQuotaInMB": "50000", + "EtwProviders": { + "EtwEventSourceProviderConfiguration": [ + { + "provider": "Microsoft-ServiceFabric-Actors", + "scheduledTransferKeywordFilter": "1", + "scheduledTransferPeriod": "PT5M", + "DefaultEvents": { + "eventDestination": "ServiceFabricReliableActorEventTable" + } + }, + { + "provider": "Microsoft-ServiceFabric-Services", + "scheduledTransferPeriod": "PT5M", + "DefaultEvents": { + "eventDestination": "ServiceFabricReliableServiceEventTable" + } + } + ], + "EtwManifestProviderConfiguration": [ + { + "provider": "cbd93bc2-71e5-4566-b3a7-595d8eeca6e8", + "scheduledTransferLogLevelFilter": "Information", + "scheduledTransferKeywordFilter": "4611686018427387904", + "scheduledTransferPeriod": "PT5M", + "DefaultEvents": { + "eventDestination": "ServiceFabricSystemEventTable" + } + } + ] + } + } + }, + "StorageAccount": "[variables('applicationDiagnosticsStorageAccountName')]" + }, + "typeHandlerVersion": "1.5" + } + } + ] + }, + "networkProfile": { + "networkInterfaceConfigurations": [ + { + "name": "[concat(variables('nicName'), '-0')]", + "properties": { + "ipConfigurations": [ + { + "name": "[concat(variables('nicName'),'-',0)]", + "properties": { + "loadBalancerBackendAddressPools": [ + { + "id": "[variables('lbPoolID0')]" + } + ], + "loadBalancerInboundNatPools": [ + { + "id": "[variables('lbNatPoolID0')]" + } + ], + "subnet": { + "id": "[variables('subnet0Ref')]" + } + } + } + ], + "primary": true + } + } + ] + }, + "osProfile": { + "adminPassword": "[parameters('adminPassword')]", + "adminUsername": "[parameters('adminUsername')]", + "computernamePrefix": "[variables('vmNodeType0Name')]", + "secrets": [ + { + "sourceVault": { + "id": "[parameters('sourceVaultValue')]" + }, + "vaultCertificates": [ + { + "certificateStore": "[parameters('clusterCertificateStorevalue')]", + "certificateUrl": "[parameters('clusterCertificateUrlValue')]" + }, + { + "certificateStore": 
"[parameters('sfReverseProxyCertificateStoreValue')]", + "certificateUrl": "[parameters('sfReverseProxyCertificateUrlValue')]" + } + ] + } + ] + }, + "storageProfile": { + "imageReference": { + "publisher": "[parameters('vmImagePublisher')]", + "offer": "[parameters('vmImageOffer')]", + "sku": "[parameters('vmImageSku')]", + "version": "[parameters('vmImageVersion')]" + }, + "osDisk": { + "createOption": "FromImage", + "caching": "ReadOnly", + "managedDisk": { + "storageAccountType": "[parameters('storageAccountType')]" + } + } + } + } + }, + "sku": { + "name": "[variables('vmNodeType0Size')]", + "capacity": "[parameters('nt0InstanceCount')]", + "tier": "Standard" + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + }, + { + "apiVersion": "2016-09-01", + "type": "Microsoft.ServiceFabric/clusters", + "name": "[parameters('clusterName')]", + "location": "[parameters('clusterLocation')]", + "dependsOn": [ + "[concat('Microsoft.Storage/storageAccounts/', variables('supportLogStorageAccountName'))]" + ], + "properties": { + "certificate": { + "thumbprint": "[parameters('clusterCertificateThumbprint')]", + "x509StoreName": "[parameters('clusterCertificateStoreValue')]" + }, + "reverseProxyCertificate": { + "thumbprint": "[parameters('sfReverseProxyCertificateThumbprint')]", + "x509StoreName": "[parameters('sfReverseProxyCertificateStoreValue')]" + }, + "clientCertificateCommonNames": [], + "clientCertificateThumbprints": [], + "clusterState": "Default", + "diagnosticsStorageAccountConfig": { + "blobEndpoint": "[reference(concat('Microsoft.Storage/storageAccounts/', variables('supportLogStorageAccountName')), variables('storageApiVersion')).primaryEndpoints.blob]", + "protectedAccountKeyName": "StorageAccountKey1", + "queueEndpoint": "[reference(concat('Microsoft.Storage/storageAccounts/', variables('supportLogStorageAccountName')), variables('storageApiVersion')).primaryEndpoints.queue]", + "storageAccountName": 
"[variables('supportLogStorageAccountName')]", + "tableEndpoint": "[reference(concat('Microsoft.Storage/storageAccounts/', variables('supportLogStorageAccountName')), variables('storageApiVersion')).primaryEndpoints.table]" + }, + "fabricSettings": [ + { + "parameters": [ + { + "name": "ClusterProtectionLevel", + "value": "[parameters('clusterProtectionLevel')]" + } + ], + "name": "Security" + }, + { + "name": "ApplicationGateway/Http", + "parameters": [ + { + "name": "ApplicationCertificateValidationPolicy", + "value": "ServiceCommonNameAndIssuer" + } + ] + }, + { + "name": "ApplicationGateway/Http/ServiceCommonNameAndIssuer", + "parameters": "[parameters('serviceCommonNameAndIssuer')]" + } + ], + "managementEndpoint": "[concat('https://',reference(concat(variables('lbIPName'),'-','0')).dnsSettings.fqdn,':',variables('nt0fabricHttpGatewayPort'))]", + "nodeTypes": [ + { + "name": "[variables('vmNodeType0Name')]", + "applicationPorts": { + "endPort": "[variables('nt0applicationEndPort')]", + "startPort": "[variables('nt0applicationStartPort')]" + }, + "clientConnectionEndpointPort": "[variables('nt0fabricTcpGatewayPort')]", + "durabilityLevel": "Bronze", + "ephemeralPorts": { + "endPort": "[variables('nt0ephemeralEndPort')]", + "startPort": "[variables('nt0ephemeralStartPort')]" + }, + "httpGatewayEndpointPort": "[variables('nt0fabricHttpGatewayPort')]", + "reverseProxyEndpointPort": "[parameters('SFReverseProxyPort')]", + "isPrimary": true, + "vmInstanceCount": "[parameters('nt0InstanceCount')]" + } + ], + "provisioningState": "Default", + "reliabilityLevel": "Silver", + "upgradeMode": "Automatic", + "vmImage": "Windows" + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + } + ], + "outputs": { + "clusterProperties": { + "value": "[reference(parameters('clusterName'))]", + "type": "object" + } + } +} \ No newline at end of file 
diff --git a/Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_ServiceCertValidationCommonName.parameters.json b/Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_ServiceCertValidationCommonName.parameters.json
new file mode 100644
index 0000000..2e43cad
--- /dev/null
+++ b/Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_ServiceCertValidationCommonName.parameters.json
@@ -0,0 +1,84 @@
+{
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "clusterLocation": {
+ "value": "westus"
+ },
+ "clusterName": {
+ "value": "Cluster"
+ },
+ "adminUserName": {
+ "value": "admuser"
+ },
+ "adminPassword": {
+ "value": "val$$$"
+ },
+ "vmImagePublisher": {
+ "value": "MicrosoftWindowsServer"
+ },
+ "vmImageOffer": {
+ "value": "WindowsServer"
+ },
+ "vmImageSku": {
+ "value": "2012-R2-Datacenter"
+ },
+ "vmImageVersion": {
+ "value": "latest"
+ },
+ "loadBalancedAppPort1": {
+ "value": 80
+ },
+ "loadBalancedAppPort2": {
+ "value": 8081
+ },
+ "clusterCertificateStorevalue": {
+ "value": "My"
+ },
+ "clusterCertificateThumbprint": {
+ "value": "thumbprint value"
+ },
+ "sourceVaultvalue": {
+ "value": "/subscriptions/subscription value/resourceGroups/key vault resource group name/providers/Microsoft.KeyVault/vaults/key vault name"
+ },
+ "clusterCertificateUrlvalue": {
+ "value": "Refers to the location URL in your key vault where the certificate was uploaded, it is should be in the format of https://.vault.azure.net:443/secrets/"
+ },
+ "sfReverseProxyCertificateStorevalue": {
+ "value": "My"
+ },
+ "sfReverseProxyCertificateThumbprint": {
+ "value": "thumbprint value"
+ },
+ "sfReverseProxyCertificateUrlvalue": {
+ "value": "Refers to the location URL in your key vault where the certificate was uploaded, it is should be in the format of https://.vault.azure.net:443/secrets/"
+ },
+ "clusterProtectionLevel": {
+ "value": "EncryptAndSign"
+ },
+ "serviceCommonNameAndIssuer": {
+ "value": [
+ {
+ "name": "Certificate Common Name 1",
+ "value": "Immediate issuer thumbprint"
+ },
+ {
+ "name": "Certificate Common Name 2",
+ "value": "Immediate issuer thumbprint"
+ }
+ ]
+ },
+ "storageAccountType": {
+ "value": "Standard_LRS"
+ },
+ "supportLogStorageAccountType": {
+ "value": "Standard_LRS"
+ },
+ "applicationDiagnosticsStorageAccountType": {
+ "value": "Standard_LRS"
+ },
+ "nt0InstanceCount": {
+ "value": 5
+ }
+ }
+}
diff --git a/Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_ServiceCertValidationNone.json b/Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_ServiceCertValidationNone.json
new file mode 100644
index 0000000..f10cdb8
--- /dev/null
+++ b/Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_ServiceCertValidationNone.json
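Review bot: The committed parameters file carries a literal `adminPassword` of `val$$$`, which does not meet the template's own "Must be a strong password" description and models keeping a credential in source control; the identical value appears in the 5-VM-1-NodeTypes-SecureRP_ServiceCertValidationNone.parameters.json hunk below. The template declares the parameter as `securestring` and the deployment already depends on a Key Vault (`sourceVaultvalue`), so the parameter file can point at a vault secret instead of an inline value, and the reference form below keeps the secret out of the repository entirely. The thumbprint and URL entries are clearly placeholders; the password entry should read as one too rather than as a usable value.
```json
"adminPassword": {
  "reference": {
    "keyVault": {
      "id": "/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<KEY_VAULT_RESOURCE_GROUP>/providers/Microsoft.KeyVault/vaults/<KEY_VAULT_NAME>"
    },
    "secretName": "<ADMIN_PASSWORD_SECRET_NAME>"
  }
},
```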
@@ -0,0 +1,744 @@ +{ + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json", + "contentVersion": "1.0.0.0", + "parameters": { + "clusterLocation": { + "type": "string", + "metadata": { + "description": "Location of the Cluster" + } + }, + "clusterName": { + "type": "string", + "defaultValue": "sfcluster", + "metadata": { + "description": "Name of your cluster - Between 3 and 23 characters. Letters and numbers only" + } + }, + "adminUserName": { + "type": "string", + "metadata": { + "description": "Remote desktop user Id" + } + }, + "adminPassword": { + "type": "securestring", + "metadata": { + "description": "Remote desktop user password. Must be a strong password" + } + }, + "vmImagePublisher": { + "type": "string", + "defaultValue": "MicrosoftWindowsServer", + "metadata": { + "description": "VM image Publisher" + } + }, + "vmImageOffer": { + "type": "string", + "defaultValue": "WindowsServer", + "metadata": { + "description": "VM image offer" + } + }, + "vmImageSku": { + "type": "string", + "defaultValue": "2012-R2-Datacenter", + "metadata": { + "description": "VM image SKU" + } + }, + "vmImageVersion": { + "type": "string", + "defaultValue": "latest", + "metadata": { + "description": "VM image version" + } + }, + "loadBalancedAppPort1": { + "type": "int", + "defaultValue": 80, + "metadata": { + "description": "Input endpoint1 for the application to use. Replace it with what your application uses" + } + }, + "loadBalancedAppPort2": { + "type": "int", + "defaultValue": 8081, + "metadata": { + "description": "Input endpoint2 for the application to use. 
Replace it with what your application uses" + } + }, + "SFReverseProxyPort": { + "type": "int", + "defaultValue": 19008, + "metadata": { + "description": "Endpoint for Service Fabric Reverse proxy" + } + }, + "clusterCertificateStoreValue": { + "type": "string", + "allowedValues": [ + "My" + ], + "defaultValue": "My", + "metadata": { + "description": "The store name where the cert will be deployed in the virtual machine" + } + }, + "clusterCertificateThumbprint": { + "type": "string", + "metadata": { + "description": "Certificate Thumbprint" + } + }, + "sourceVaultValue": { + "type": "string", + "metadata": { + "description": "Resource Id of the key vault, is should be in the format of /subscriptions//resourceGroups//providers/Microsoft.KeyVault/vaults/" + } + }, + "clusterCertificateUrlValue": { + "type": "string", + "metadata": { + "description": "Refers to the location URL in your key vault where the certificate was uploaded, it is should be in the format of https://.vault.azure.net:443/secrets/" + } + }, + "sfReverseProxyCertificateStoreValue": { + "type": "string", + "allowedValues": [ + "My" + ], + "defaultValue": "My", + "metadata": { + "description": "The store name where the cert will be deployed in the virtual machine" + } + }, + "sfReverseProxyCertificateThumbprint": { + "type": "string", + "metadata": { + "description": "Certificate Thumbprint" + } + }, + "sfReverseProxyCertificateUrlValue": { + "type": "string", + "metadata": { + "description": "Refers to the location URL in your key vault where the certificate was uploaded, it is should be in the format of https://.vault.azure.net:443/secrets/" + } + }, + "clusterProtectionLevel": { + "type": "string", + "allowedValues": [ + "None", + "Sign", + "EncryptAndSign" + ], + "defaultValue": "EncryptAndSign", + "metadata": { + "description": "Protection level.Three values are allowed - EncryptAndSign, Sign, None. 
It is best to keep the default of EncryptAndSign, unless you have a need not to" + } + }, + "storageAccountType": { + "type": "string", + "allowedValues": [ + "Standard_LRS", + "Premium_LRS" + ], + "defaultValue": "Standard_LRS", + "metadata": { + "description": "Replication option for the VM image storage account" + } + }, + "supportLogStorageAccountType": { + "type": "string", + "allowedValues": [ + "Standard_LRS", + "Standard_GRS" + ], + "defaultValue": "Standard_LRS", + "metadata": { + "description": "Replication option for the support log storage account" + } + }, + "applicationDiagnosticsStorageAccountType": { + "type": "string", + "allowedValues": [ + "Standard_LRS", + "Standard_GRS" + ], + "defaultValue": "Standard_LRS", + "metadata": { + "description": "Replication option for the application diagnostics storage account" + } + }, + "nt0InstanceCount": { + "type": "int", + "defaultValue": 5, + "metadata": { + "description": "Instance count for node type" + } + } + }, + "variables": { + "computeLocation": "[parameters('clusterLocation')]", + "dnsName": "[parameters('clusterName')]", + "vmName": "vm", + "virtualNetworkName": "VNet", + "addressPrefix": "10.0.0.0/16", + "nicName": "NIC", + "lbIPName": "PublicIP-LB-FE", + "vnetID": "[resourceId('Microsoft.Network/virtualNetworks',variables('virtualNetworkName'))]", + "overProvision": "false", + "vmssApiVersion": "2017-03-30", + "lbApiVersion": "2015-06-15", + "vNetApiVersion": "2015-06-15", + "storageApiVersion": "2016-01-01", + "publicIPApiVersion": "2015-06-15", + "nt0applicationStartPort": "20000", + "nt0applicationEndPort": "30000", + "nt0ephemeralStartPort": "49152", + "nt0ephemeralEndPort": "65534", + "nt0fabricTcpGatewayPort": "19000", + "nt0fabricHttpGatewayPort": "19080", + "subnet0Name": "Subnet-0", + "subnet0Prefix": "10.0.0.0/24", + "subnet0Ref": "[concat(variables('vnetID'),'/subnets/',variables('subnet0Name'))]", + "supportLogStorageAccountName": "[toLower( concat( 
uniqueString(resourceGroup().id),'2'))]", + "applicationDiagnosticsStorageAccountName": "[toLower(concat(uniqueString(resourceGroup().id), '3' ))]", + "lbID0": "[resourceId('Microsoft.Network/loadBalancers',concat('LB','-', parameters('clusterName'),'-',variables('vmNodeType0Name')))]", + "lbIPConfig0": "[concat(variables('lbID0'),'/frontendIPConfigurations/LoadBalancerIPConfig')]", + "lbPoolID0": "[concat(variables('lbID0'),'/backendAddressPools/LoadBalancerBEAddressPool')]", + "lbProbeID0": "[concat(variables('lbID0'),'/probes/FabricGatewayProbe')]", + "lbHttpProbeID0": "[concat(variables('lbID0'),'/probes/FabricHttpGatewayProbe')]", + "lbNatPoolID0": "[concat(variables('lbID0'),'/inboundNatPools/LoadBalancerBEAddressNatPool')]", + "vmNodeType0Name": "[toLower(concat('NT1', variables('vmName')))]", + "vmNodeType0Size": "Standard_DS2_v2" + }, + "resources": [ + { + "apiVersion": "[variables('storageApiVersion')]", + "type": "Microsoft.Storage/storageAccounts", + "name": "[variables('supportLogStorageAccountName')]", + "location": "[variables('computeLocation')]", + "dependsOn": [], + "properties": {}, + "kind": "Storage", + "sku": { + "name": "[parameters('supportLogStorageAccountType')]" + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + }, + { + "apiVersion": "[variables('storageApiVersion')]", + "type": "Microsoft.Storage/storageAccounts", + "name": "[variables('applicationDiagnosticsStorageAccountName')]", + "location": "[variables('computeLocation')]", + "dependsOn": [], + "properties": {}, + "kind": "Storage", + "sku": { + "name": "[parameters('applicationDiagnosticsStorageAccountType')]" + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + }, + { + "apiVersion": "[variables('vNetApiVersion')]", + "type": "Microsoft.Network/virtualNetworks", + "name": "[variables('virtualNetworkName')]", + "location": "[variables('computeLocation')]", + "properties": { 
+ "addressSpace": { + "addressPrefixes": [ + "[variables('addressPrefix')]" + ] + }, + "subnets": [ + { + "name": "[variables('subnet0Name')]", + "properties": { + "addressPrefix": "[variables('subnet0Prefix')]" + } + } + ] + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + }, + { + "apiVersion": "[variables('publicIPApiVersion')]", + "type": "Microsoft.Network/publicIPAddresses", + "name": "[concat(variables('lbIPName'),'-','0')]", + "location": "[variables('computeLocation')]", + "properties": { + "dnsSettings": { + "domainNameLabel": "[variables('dnsName')]" + }, + "publicIPAllocationMethod": "Dynamic" + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + }, + { + "apiVersion": "[variables('lbApiVersion')]", + "type": "Microsoft.Network/loadBalancers", + "name": "[concat('LB','-', parameters('clusterName'),'-',variables('vmNodeType0Name'))]", + "location": "[variables('computeLocation')]", + "dependsOn": [ + "[concat('Microsoft.Network/publicIPAddresses/',concat(variables('lbIPName'),'-','0'))]" + ], + "properties": { + "frontendIPConfigurations": [ + { + "name": "LoadBalancerIPConfig", + "properties": { + "publicIPAddress": { + "id": "[resourceId('Microsoft.Network/publicIPAddresses',concat(variables('lbIPName'),'-','0'))]" + } + } + } + ], + "backendAddressPools": [ + { + "name": "LoadBalancerBEAddressPool", + "properties": {} + } + ], + "loadBalancingRules": [ + { + "name": "LBRule", + "properties": { + "backendAddressPool": { + "id": "[variables('lbPoolID0')]" + }, + "backendPort": "[variables('nt0fabricTcpGatewayPort')]", + "enableFloatingIP": "false", + "frontendIPConfiguration": { + "id": "[variables('lbIPConfig0')]" + }, + "frontendPort": "[variables('nt0fabricTcpGatewayPort')]", + "idleTimeoutInMinutes": "5", + "probe": { + "id": "[variables('lbProbeID0')]" + }, + "protocol": "tcp" + } + }, + { + "name": "LBHttpRule", + "properties": { + 
"backendAddressPool": { + "id": "[variables('lbPoolID0')]" + }, + "backendPort": "[variables('nt0fabricHttpGatewayPort')]", + "enableFloatingIP": "false", + "frontendIPConfiguration": { + "id": "[variables('lbIPConfig0')]" + }, + "frontendPort": "[variables('nt0fabricHttpGatewayPort')]", + "idleTimeoutInMinutes": "5", + "probe": { + "id": "[variables('lbHttpProbeID0')]" + }, + "protocol": "tcp" + } + }, + { + "name": "LBSFReverseProxyRule", + "properties": { + "backendAddressPool": { + "id": "[variables('lbPoolID0')]" + }, + "backendPort": "[parameters('SFReverseProxyPort')]", + "enableFloatingIP": "false", + "frontendIPConfiguration": { + "id": "[variables('lbIPConfig0')]" + }, + "frontendPort": "[parameters('SFReverseProxyPort')]", + "idleTimeoutInMinutes": "5", + "probe": { + "id": "[concat(variables('lbID0'),'/probes/SFReverseProxyProbe')]" + }, + "protocol": "tcp" + } + }, + { + "name": "AppPortLBRule1", + "properties": { + "backendAddressPool": { + "id": "[variables('lbPoolID0')]" + }, + "backendPort": "[parameters('loadBalancedAppPort1')]", + "enableFloatingIP": "false", + "frontendIPConfiguration": { + "id": "[variables('lbIPConfig0')]" + }, + "frontendPort": "[parameters('loadBalancedAppPort1')]", + "idleTimeoutInMinutes": "5", + "probe": { + "id": "[concat(variables('lbID0'),'/probes/AppPortProbe1')]" + }, + "protocol": "tcp" + } + }, + { + "name": "AppPortLBRule2", + "properties": { + "backendAddressPool": { + "id": "[variables('lbPoolID0')]" + }, + "backendPort": "[parameters('loadBalancedAppPort2')]", + "enableFloatingIP": "false", + "frontendIPConfiguration": { + "id": "[variables('lbIPConfig0')]" + }, + "frontendPort": "[parameters('loadBalancedAppPort2')]", + "idleTimeoutInMinutes": "5", + "probe": { + "id": "[concat(variables('lbID0'),'/probes/AppPortProbe2')]" + }, + "protocol": "tcp" + } + } + ], + "probes": [ + { + "name": "FabricGatewayProbe", + "properties": { + "intervalInSeconds": 5, + "numberOfProbes": 2, + "port": 
"[variables('nt0fabricTcpGatewayPort')]", + "protocol": "tcp" + } + }, + { + "name": "FabricHttpGatewayProbe", + "properties": { + "intervalInSeconds": 5, + "numberOfProbes": 2, + "port": "[variables('nt0fabricHttpGatewayPort')]", + "protocol": "tcp" + } + }, + { + "name": "SFReverseProxyProbe", + "properties": { + "intervalInSeconds": 5, + "numberOfProbes": 2, + "port": "[parameters('SFReverseProxyPort')]", + "protocol": "tcp" + } + }, + { + "name": "AppPortProbe1", + "properties": { + "intervalInSeconds": 5, + "numberOfProbes": 2, + "port": "[parameters('loadBalancedAppPort1')]", + "protocol": "tcp" + } + }, + { + "name": "AppPortProbe2", + "properties": { + "intervalInSeconds": 5, + "numberOfProbes": 2, + "port": "[parameters('loadBalancedAppPort2')]", + "protocol": "tcp" + } + } + ], + "inboundNatPools": [ + { + "name": "LoadBalancerBEAddressNatPool", + "properties": { + "backendPort": "3389", + "frontendIPConfiguration": { + "id": "[variables('lbIPConfig0')]" + }, + "frontendPortRangeEnd": "4500", + "frontendPortRangeStart": "3389", + "protocol": "tcp" + } + } + ] + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + }, + { + "apiVersion": "[variables('vmssApiVersion')]", + "type": "Microsoft.Compute/virtualMachineScaleSets", + "name": "[variables('vmNodeType0Name')]", + "location": "[variables('computeLocation')]", + "dependsOn": [ + "[concat('Microsoft.Network/virtualNetworks/', variables('virtualNetworkName'))]", + "[concat('Microsoft.Network/loadBalancers/', concat('LB','-', parameters('clusterName'),'-',variables('vmNodeType0Name')))]", + "[concat('Microsoft.Storage/storageAccounts/', variables('supportLogStorageAccountName'))]", + "[concat('Microsoft.Storage/storageAccounts/', variables('applicationDiagnosticsStorageAccountName'))]" + ], + "properties": { + "overprovision": "[variables('overProvision')]", + "upgradePolicy": { + "mode": "Automatic" + }, + "virtualMachineProfile": { + "extensionProfile": 
{ + "extensions": [ + { + "name": "[concat('ServiceFabricNodeVmExt','_vmNodeType0Name')]", + "properties": { + "type": "ServiceFabricNode", + "autoUpgradeMinorVersion": false, + "protectedSettings": { + "StorageAccountKey1": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('supportLogStorageAccountName')),'2015-05-01-preview').key1]", + "StorageAccountKey2": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('supportLogStorageAccountName')),'2015-05-01-preview').key2]" + }, + "publisher": "Microsoft.Azure.ServiceFabric", + "settings": { + "clusterEndpoint": "[reference(parameters('clusterName')).clusterEndpoint]", + "nodeTypeRef": "[variables('vmNodeType0Name')]", + "dataPath": "D:\\\\SvcFab", + "durabilityLevel": "Bronze", + "nicPrefixOverride": "[variables('subnet0Prefix')]", + "certificate": { + "thumbprint": "[parameters('clusterCertificateThumbprint')]", + "x509StoreName": "[parameters('clusterCertificateStoreValue')]" + }, + "reverseProxyCertificate": { + "thumbprint": "[parameters('sfReverseProxyCertificateThumbprint')]", + "x509StoreName": "[parameters('sfReverseProxyCertificateStoreValue')]" + } + }, + "typeHandlerVersion": "1.0" + } + }, + { + "name": "[concat('VMDiagnosticsVmExt','_vmNodeType0Name')]", + "properties": { + "type": "IaaSDiagnostics", + "autoUpgradeMinorVersion": true, + "protectedSettings": { + "storageAccountName": "[variables('applicationDiagnosticsStorageAccountName')]", + "storageAccountKey": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('applicationDiagnosticsStorageAccountName')),'2015-05-01-preview').key1]", + "storageAccountEndPoint": "https://core.windows.net/" + }, + "publisher": "Microsoft.Azure.Diagnostics", + "settings": { + "WadCfg": { + "DiagnosticMonitorConfiguration": { + "overallQuotaInMB": "50000", + "EtwProviders": { + "EtwEventSourceProviderConfiguration": [ + { + "provider": "Microsoft-ServiceFabric-Actors", + "scheduledTransferKeywordFilter": "1", + 
"scheduledTransferPeriod": "PT5M", + "DefaultEvents": { + "eventDestination": "ServiceFabricReliableActorEventTable" + } + }, + { + "provider": "Microsoft-ServiceFabric-Services", + "scheduledTransferPeriod": "PT5M", + "DefaultEvents": { + "eventDestination": "ServiceFabricReliableServiceEventTable" + } + } + ], + "EtwManifestProviderConfiguration": [ + { + "provider": "cbd93bc2-71e5-4566-b3a7-595d8eeca6e8", + "scheduledTransferLogLevelFilter": "Information", + "scheduledTransferKeywordFilter": "4611686018427387904", + "scheduledTransferPeriod": "PT5M", + "DefaultEvents": { + "eventDestination": "ServiceFabricSystemEventTable" + } + } + ] + } + } + }, + "StorageAccount": "[variables('applicationDiagnosticsStorageAccountName')]" + }, + "typeHandlerVersion": "1.5" + } + } + ] + }, + "networkProfile": { + "networkInterfaceConfigurations": [ + { + "name": "[concat(variables('nicName'), '-0')]", + "properties": { + "ipConfigurations": [ + { + "name": "[concat(variables('nicName'),'-',0)]", + "properties": { + "loadBalancerBackendAddressPools": [ + { + "id": "[variables('lbPoolID0')]" + } + ], + "loadBalancerInboundNatPools": [ + { + "id": "[variables('lbNatPoolID0')]" + } + ], + "subnet": { + "id": "[variables('subnet0Ref')]" + } + } + } + ], + "primary": true + } + } + ] + }, + "osProfile": { + "adminPassword": "[parameters('adminPassword')]", + "adminUsername": "[parameters('adminUsername')]", + "computernamePrefix": "[variables('vmNodeType0Name')]", + "secrets": [ + { + "sourceVault": { + "id": "[parameters('sourceVaultValue')]" + }, + "vaultCertificates": [ + { + "certificateStore": "[parameters('clusterCertificateStorevalue')]", + "certificateUrl": "[parameters('clusterCertificateUrlValue')]" + }, + { + "certificateStore": "[parameters('sfReverseProxyCertificateStoreValue')]", + "certificateUrl": "[parameters('sfReverseProxyCertificateUrlValue')]" + } + ] + } + ] + }, + "storageProfile": { + "imageReference": { + "publisher": "[parameters('vmImagePublisher')]", + 
"offer": "[parameters('vmImageOffer')]", + "sku": "[parameters('vmImageSku')]", + "version": "[parameters('vmImageVersion')]" + }, + "osDisk": { + "createOption": "FromImage", + "caching": "ReadOnly", + "managedDisk": { + "storageAccountType": "[parameters('storageAccountType')]" + } + } + } + } + }, + "sku": { + "name": "[variables('vmNodeType0Size')]", + "capacity": "[parameters('nt0InstanceCount')]", + "tier": "Standard" + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + }, + { + "apiVersion": "2016-09-01", + "type": "Microsoft.ServiceFabric/clusters", + "name": "[parameters('clusterName')]", + "location": "[parameters('clusterLocation')]", + "dependsOn": [ + "[concat('Microsoft.Storage/storageAccounts/', variables('supportLogStorageAccountName'))]" + ], + "properties": { + "certificate": { + "thumbprint": "[parameters('clusterCertificateThumbprint')]", + "x509StoreName": "[parameters('clusterCertificateStoreValue')]" + }, + "reverseProxyCertificate": { + "thumbprint": "[parameters('sfReverseProxyCertificateThumbprint')]", + "x509StoreName": "[parameters('sfReverseProxyCertificateStoreValue')]" + }, + "clientCertificateCommonNames": [], + "clientCertificateThumbprints": [], + "clusterState": "Default", + "diagnosticsStorageAccountConfig": { + "blobEndpoint": "[reference(concat('Microsoft.Storage/storageAccounts/', variables('supportLogStorageAccountName')), variables('storageApiVersion')).primaryEndpoints.blob]", + "protectedAccountKeyName": "StorageAccountKey1", + "queueEndpoint": "[reference(concat('Microsoft.Storage/storageAccounts/', variables('supportLogStorageAccountName')), variables('storageApiVersion')).primaryEndpoints.queue]", + "storageAccountName": "[variables('supportLogStorageAccountName')]", + "tableEndpoint": "[reference(concat('Microsoft.Storage/storageAccounts/', variables('supportLogStorageAccountName')), variables('storageApiVersion')).primaryEndpoints.table]" + }, + "fabricSettings": [ 
+ { + "parameters": [ + { + "name": "ClusterProtectionLevel", + "value": "[parameters('clusterProtectionLevel')]" + } + ], + "name": "Security" + }, + { + "name": "ApplicationGateway/Http", + "parameters": [ + { + "name": "ApplicationCertificateValidationPolicy", + "value": "None" + } + ] + } + ], + "managementEndpoint": "[concat('https://',reference(concat(variables('lbIPName'),'-','0')).dnsSettings.fqdn,':',variables('nt0fabricHttpGatewayPort'))]", + "nodeTypes": [ + { + "name": "[variables('vmNodeType0Name')]", + "applicationPorts": { + "endPort": "[variables('nt0applicationEndPort')]", + "startPort": "[variables('nt0applicationStartPort')]" + }, + "clientConnectionEndpointPort": "[variables('nt0fabricTcpGatewayPort')]", + "durabilityLevel": "Bronze", + "ephemeralPorts": { + "endPort": "[variables('nt0ephemeralEndPort')]", + "startPort": "[variables('nt0ephemeralStartPort')]" + }, + "httpGatewayEndpointPort": "[variables('nt0fabricHttpGatewayPort')]", + "reverseProxyEndpointPort": "[parameters('SFReverseProxyPort')]", + "isPrimary": true, + "vmInstanceCount": "[parameters('nt0InstanceCount')]" + } + ], + "provisioningState": "Default", + "reliabilityLevel": "Silver", + "upgradeMode": "Automatic", + "vmImage": "Windows" + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + } + ], + "outputs": { + "clusterProperties": { + "value": "[reference(parameters('clusterName'))]", + "type": "object" + } + } +} \ No newline at end of file diff --git a/Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_ServiceCertValidationNone.parameters.json b/Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_ServiceCertValidationNone.parameters.json new file mode 100644 index 0000000..da39320 --- /dev/null +++ b/Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_ServiceCertValidationNone.parameters.json 
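Review bot: The `LoadBalancerBEAddressNatPool` in the load balancer resource maps public frontend ports 3389–4500 straight to `backendPort` 3389 on every scale-set instance, and `Subnet-0` is created with no network security group, so RDP on every node is reachable from any source address; the same pattern is in the AzureDeploy.json hunk above, whose start is outside this view. A `Microsoft.Network/networkSecurityGroups` resource such as the one below, attached to the subnet with `"networkSecurityGroup": { "id": "[resourceId('Microsoft.Network/networkSecurityGroups', concat('NSG-', variables('subnet0Name')))]" }` under the subnet's `properties` (with a matching `dependsOn` on the virtual network), would confine management access to an operator range; because an attached NSG denies other inbound traffic by default, allow rules for the load-balanced ports (`nt0fabricTcpGatewayPort`, `nt0fabricHttpGatewayPort`, `SFReverseProxyPort`, `loadBalancedAppPort1`, `loadBalancedAppPort2`) are needed alongside it. Separately, the `ApplicationGateway/Http` fabric setting sets `ApplicationCertificateValidationPolicy` to `None`, so the reverse proxy that `LBSFReverseProxyRule` exposes publicly on `SFReverseProxyPort` forwards to backend services without validating their certificates; that is this file's intended variant, but nothing in the template says so, and a `metadata.description` on `SFReverseProxyPort` such as "Reverse proxy endpoint; this template configures the proxy to skip backend service certificate validation" would help readers choose the right sample.
```json
{
  "apiVersion": "[variables('vNetApiVersion')]",
  "type": "Microsoft.Network/networkSecurityGroups",
  "name": "[concat('NSG-', variables('subnet0Name'))]",
  "location": "[variables('computeLocation')]",
  "properties": {
    "securityRules": [
      {
        "name": "AllowRdpFromOperators",
        "properties": {
          "priority": 100,
          "direction": "Inbound",
          "access": "Allow",
          "protocol": "Tcp",
          "sourceAddressPrefix": "<OPERATOR_SOURCE_CIDR>",
          "sourcePortRange": "*",
          "destinationAddressPrefix": "*",
          "destinationPortRange": "3389"
        }
      }
    ]
  }
}
```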
@@ -0,0 +1,72 @@
+{
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "clusterLocation": {
+ "value": "westus"
+ },
+ "clusterName": {
+ "value": "Cluster"
+ },
+ "adminUserName": {
+ "value": "admuser"
+ },
+ "adminPassword": {
+ "value": "val$$$"
+ },
+ "vmImagePublisher": {
+ "value": "MicrosoftWindowsServer"
+ },
+ "vmImageOffer": {
+ "value": "WindowsServer"
+ },
+ "vmImageSku": {
+ "value": "2012-R2-Datacenter"
+ },
+ "vmImageVersion": {
+ "value": "latest"
+ },
+ "loadBalancedAppPort1": {
+ "value": 80
+ },
+ "loadBalancedAppPort2": {
+ "value": 8081
+ },
+ "clusterCertificateStorevalue": {
+ "value": "My"
+ },
+ "clusterCertificateThumbprint": {
+ "value": "thumbprint value"
+ },
+ "sourceVaultvalue": {
+ "value": "/subscriptions/subscription value/resourceGroups/key vault resource group name/providers/Microsoft.KeyVault/vaults/key vault name"
+ },
+ "clusterCertificateUrlvalue": {
+ "value": "Refers to the location URL in your key vault where the certificate was uploaded, it is should be in the format of https://.vault.azure.net:443/secrets/"
+ },
+ "sfReverseProxyCertificateStorevalue": {
+ "value": "My"
+ },
+ "sfReverseProxyCertificateThumbprint": {
+ "value": "thumbprint value"
+ },
+ "sfReverseProxyCertificateUrlvalue": {
+ "value": "Refers to the location URL in your key vault where the certificate was uploaded, it is should be in the format of https://.vault.azure.net:443/secrets/"
+ },
+ "clusterProtectionLevel": {
+ "value": "EncryptAndSign"
+ },
+ "storageAccountType": {
+ "value": "Standard_LRS"
+ },
+ "supportLogStorageAccountType": {
+ "value": "Standard_LRS"
+ },
+ "applicationDiagnosticsStorageAccountType": {
+ "value": "Standard_LRS"
+ },
+ "nt0InstanceCount": {
+ "value": 5
+ }
+ }
+}
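Review bot: `adminPassword` is committed as a plaintext value (`val$$$`) in this parameters file, and the same pattern appears in the `5-VM-1-NodeTypes-SecureRP_ServiceCertValidationThumbprints.parameters.json` hunk; even as a placeholder it invites users to check in a real password next to their thumbprints and vault ids. The template declares the parameter as `securestring`, so the parameters file can resolve it from Key Vault instead, e.g. `"adminPassword": { "reference": { "keyVault": { "id": "<key-vault-resource-id>" }, "secretName": "<secret-name>" } }` (placeholders to be filled in by the user). Separately, `clusterCertificateStorevalue`, `sourceVaultvalue`, `clusterCertificateUrlvalue`, `sfReverseProxyCertificateStorevalue` and `sfReverseProxyCertificateUrlvalue` are spelled with a lowercase `v` while the template declares them as `...StoreValue`/`...UrlValue`/`sourceVaultValue`; ARM matches parameter names case-insensitively as far as I know, but matching the template's casing keeps the two files greppable against each other.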
diff --git a/Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_ServiceCertValidationThumbprints.json b/Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_ServiceCertValidationThumbprints.json
new file mode 100644
index 0000000..e7c3621
--- /dev/null
+++ b/Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_ServiceCertValidationThumbprints.json
@@ -0,0 +1,754 @@ +{ + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json", + "contentVersion": "1.0.0.0", + "parameters": { + "clusterLocation": { + "type": "string", + "metadata": { + "description": "Location of the Cluster" + } + }, + "clusterName": { + "type": "string", + "defaultValue": "sfcluster", + "metadata": { + "description": "Name of your cluster - Between 3 and 23 characters. Letters and numbers only" + } + }, + "adminUserName": { + "type": "string", + "metadata": { + "description": "Remote desktop user Id" + } + }, + "adminPassword": { + "type": "securestring", + "metadata": { + "description": "Remote desktop user password. Must be a strong password" + } + }, + "vmImagePublisher": { + "type": "string", + "defaultValue": "MicrosoftWindowsServer", + "metadata": { + "description": "VM image Publisher" + } + }, + "vmImageOffer": { + "type": "string", + "defaultValue": "WindowsServer", + "metadata": { + "description": "VM image offer" + } + }, + "vmImageSku": { + "type": "string", + "defaultValue": "2012-R2-Datacenter", + "metadata": { + "description": "VM image SKU" + } + }, + "vmImageVersion": { + "type": "string", + "defaultValue": "latest", + "metadata": { + "description": "VM image version" + } + }, + "loadBalancedAppPort1": { + "type": "int", + "defaultValue": 80, + "metadata": { + "description": "Input endpoint1 for the application to use. Replace it with what your application uses" + } + }, + "loadBalancedAppPort2": { + "type": "int", + "defaultValue": 8081, + "metadata": { + "description": "Input endpoint2 for the application to use. 
Replace it with what your application uses" + } + }, + "SFReverseProxyPort": { + "type": "int", + "defaultValue": 19008, + "metadata": { + "description": "Endpoint for Service Fabric Reverse proxy" + } + }, + "clusterCertificateStoreValue": { + "type": "string", + "allowedValues": [ + "My" + ], + "defaultValue": "My", + "metadata": { + "description": "The store name where the cert will be deployed in the virtual machine" + } + }, + "clusterCertificateThumbprint": { + "type": "string", + "metadata": { + "description": "Certificate Thumbprint" + } + }, + "sourceVaultValue": { + "type": "string", + "metadata": { + "description": "Resource Id of the key vault, is should be in the format of /subscriptions//resourceGroups//providers/Microsoft.KeyVault/vaults/" + } + }, + "clusterCertificateUrlValue": { + "type": "string", + "metadata": { + "description": "Refers to the location URL in your key vault where the certificate was uploaded, it is should be in the format of https://.vault.azure.net:443/secrets/" + } + }, + "sfReverseProxyCertificateStoreValue": { + "type": "string", + "allowedValues": [ + "My" + ], + "defaultValue": "My", + "metadata": { + "description": "The store name where the cert will be deployed in the virtual machine" + } + }, + "sfReverseProxyCertificateThumbprint": { + "type": "string", + "metadata": { + "description": "Certificate Thumbprint" + } + }, + "sfReverseProxyCertificateUrlValue": { + "type": "string", + "metadata": { + "description": "Refers to the location URL in your key vault where the certificate was uploaded, it is should be in the format of https://.vault.azure.net:443/secrets/" + } + }, + "clusterProtectionLevel": { + "type": "string", + "allowedValues": [ + "None", + "Sign", + "EncryptAndSign" + ], + "defaultValue": "EncryptAndSign", + "metadata": { + "description": "Protection level.Three values are allowed - EncryptAndSign, Sign, None. 
It is best to keep the default of EncryptAndSign, unless you have a need not to" + } + }, + "serviceCertificateThumbprints": { + "type": "string", + "metadata": { + "description": "Comma separated list of service's certificate thumbprints that the reverse proxy will trust" + } + }, + "storageAccountType": { + "type": "string", + "allowedValues": [ + "Standard_LRS", + "Premium_LRS" + ], + "defaultValue": "Standard_LRS", + "metadata": { + "description": "Replication option for the VM image storage account" + } + }, + "supportLogStorageAccountType": { + "type": "string", + "allowedValues": [ + "Standard_LRS", + "Standard_GRS" + ], + "defaultValue": "Standard_LRS", + "metadata": { + "description": "Replication option for the support log storage account" + } + }, + "applicationDiagnosticsStorageAccountType": { + "type": "string", + "allowedValues": [ + "Standard_LRS", + "Standard_GRS" + ], + "defaultValue": "Standard_LRS", + "metadata": { + "description": "Replication option for the application diagnostics storage account" + } + }, + "nt0InstanceCount": { + "type": "int", + "defaultValue": 5, + "metadata": { + "description": "Instance count for node type" + } + } + }, + "variables": { + "computeLocation": "[parameters('clusterLocation')]", + "dnsName": "[parameters('clusterName')]", + "vmName": "vm", + "virtualNetworkName": "VNet", + "addressPrefix": "10.0.0.0/16", + "nicName": "NIC", + "lbIPName": "PublicIP-LB-FE", + "vnetID": "[resourceId('Microsoft.Network/virtualNetworks',variables('virtualNetworkName'))]", + "overProvision": "false", + "vmssApiVersion": "2017-03-30", + "lbApiVersion": "2015-06-15", + "vNetApiVersion": "2015-06-15", + "storageApiVersion": "2016-01-01", + "publicIPApiVersion": "2015-06-15", + "nt0applicationStartPort": "20000", + "nt0applicationEndPort": "30000", + "nt0ephemeralStartPort": "49152", + "nt0ephemeralEndPort": "65534", + "nt0fabricTcpGatewayPort": "19000", + "nt0fabricHttpGatewayPort": "19080", + "subnet0Name": "Subnet-0", + 
"subnet0Prefix": "10.0.0.0/24", + "subnet0Ref": "[concat(variables('vnetID'),'/subnets/',variables('subnet0Name'))]", + "supportLogStorageAccountName": "[toLower( concat( uniqueString(resourceGroup().id),'2'))]", + "applicationDiagnosticsStorageAccountName": "[toLower(concat(uniqueString(resourceGroup().id), '3' ))]", + "lbID0": "[resourceId('Microsoft.Network/loadBalancers',concat('LB','-', parameters('clusterName'),'-',variables('vmNodeType0Name')))]", + "lbIPConfig0": "[concat(variables('lbID0'),'/frontendIPConfigurations/LoadBalancerIPConfig')]", + "lbPoolID0": "[concat(variables('lbID0'),'/backendAddressPools/LoadBalancerBEAddressPool')]", + "lbProbeID0": "[concat(variables('lbID0'),'/probes/FabricGatewayProbe')]", + "lbHttpProbeID0": "[concat(variables('lbID0'),'/probes/FabricHttpGatewayProbe')]", + "lbNatPoolID0": "[concat(variables('lbID0'),'/inboundNatPools/LoadBalancerBEAddressNatPool')]", + "vmNodeType0Name": "[toLower(concat('NT1', variables('vmName')))]", + "vmNodeType0Size": "Standard_DS2_v2" + }, + "resources": [ + { + "apiVersion": "[variables('storageApiVersion')]", + "type": "Microsoft.Storage/storageAccounts", + "name": "[variables('supportLogStorageAccountName')]", + "location": "[variables('computeLocation')]", + "dependsOn": [], + "properties": {}, + "kind": "Storage", + "sku": { + "name": "[parameters('supportLogStorageAccountType')]" + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + }, + { + "apiVersion": "[variables('storageApiVersion')]", + "type": "Microsoft.Storage/storageAccounts", + "name": "[variables('applicationDiagnosticsStorageAccountName')]", + "location": "[variables('computeLocation')]", + "dependsOn": [], + "properties": {}, + "kind": "Storage", + "sku": { + "name": "[parameters('applicationDiagnosticsStorageAccountType')]" + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + }, + { + "apiVersion": 
"[variables('vNetApiVersion')]", + "type": "Microsoft.Network/virtualNetworks", + "name": "[variables('virtualNetworkName')]", + "location": "[variables('computeLocation')]", + "properties": { + "addressSpace": { + "addressPrefixes": [ + "[variables('addressPrefix')]" + ] + }, + "subnets": [ + { + "name": "[variables('subnet0Name')]", + "properties": { + "addressPrefix": "[variables('subnet0Prefix')]" + } + } + ] + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + }, + { + "apiVersion": "[variables('publicIPApiVersion')]", + "type": "Microsoft.Network/publicIPAddresses", + "name": "[concat(variables('lbIPName'),'-','0')]", + "location": "[variables('computeLocation')]", + "properties": { + "dnsSettings": { + "domainNameLabel": "[variables('dnsName')]" + }, + "publicIPAllocationMethod": "Dynamic" + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + }, + { + "apiVersion": "[variables('lbApiVersion')]", + "type": "Microsoft.Network/loadBalancers", + "name": "[concat('LB','-', parameters('clusterName'),'-',variables('vmNodeType0Name'))]", + "location": "[variables('computeLocation')]", + "dependsOn": [ + "[concat('Microsoft.Network/publicIPAddresses/',concat(variables('lbIPName'),'-','0'))]" + ], + "properties": { + "frontendIPConfigurations": [ + { + "name": "LoadBalancerIPConfig", + "properties": { + "publicIPAddress": { + "id": "[resourceId('Microsoft.Network/publicIPAddresses',concat(variables('lbIPName'),'-','0'))]" + } + } + } + ], + "backendAddressPools": [ + { + "name": "LoadBalancerBEAddressPool", + "properties": {} + } + ], + "loadBalancingRules": [ + { + "name": "LBRule", + "properties": { + "backendAddressPool": { + "id": "[variables('lbPoolID0')]" + }, + "backendPort": "[variables('nt0fabricTcpGatewayPort')]", + "enableFloatingIP": "false", + "frontendIPConfiguration": { + "id": "[variables('lbIPConfig0')]" + }, + "frontendPort": 
"[variables('nt0fabricTcpGatewayPort')]", + "idleTimeoutInMinutes": "5", + "probe": { + "id": "[variables('lbProbeID0')]" + }, + "protocol": "tcp" + } + }, + { + "name": "LBHttpRule", + "properties": { + "backendAddressPool": { + "id": "[variables('lbPoolID0')]" + }, + "backendPort": "[variables('nt0fabricHttpGatewayPort')]", + "enableFloatingIP": "false", + "frontendIPConfiguration": { + "id": "[variables('lbIPConfig0')]" + }, + "frontendPort": "[variables('nt0fabricHttpGatewayPort')]", + "idleTimeoutInMinutes": "5", + "probe": { + "id": "[variables('lbHttpProbeID0')]" + }, + "protocol": "tcp" + } + }, + { + "name": "LBSFReverseProxyRule", + "properties": { + "backendAddressPool": { + "id": "[variables('lbPoolID0')]" + }, + "backendPort": "[parameters('SFReverseProxyPort')]", + "enableFloatingIP": "false", + "frontendIPConfiguration": { + "id": "[variables('lbIPConfig0')]" + }, + "frontendPort": "[parameters('SFReverseProxyPort')]", + "idleTimeoutInMinutes": "5", + "probe": { + "id": "[concat(variables('lbID0'),'/probes/SFReverseProxyProbe')]" + }, + "protocol": "tcp" + } + }, + { + "name": "AppPortLBRule1", + "properties": { + "backendAddressPool": { + "id": "[variables('lbPoolID0')]" + }, + "backendPort": "[parameters('loadBalancedAppPort1')]", + "enableFloatingIP": "false", + "frontendIPConfiguration": { + "id": "[variables('lbIPConfig0')]" + }, + "frontendPort": "[parameters('loadBalancedAppPort1')]", + "idleTimeoutInMinutes": "5", + "probe": { + "id": "[concat(variables('lbID0'),'/probes/AppPortProbe1')]" + }, + "protocol": "tcp" + } + }, + { + "name": "AppPortLBRule2", + "properties": { + "backendAddressPool": { + "id": "[variables('lbPoolID0')]" + }, + "backendPort": "[parameters('loadBalancedAppPort2')]", + "enableFloatingIP": "false", + "frontendIPConfiguration": { + "id": "[variables('lbIPConfig0')]" + }, + "frontendPort": "[parameters('loadBalancedAppPort2')]", + "idleTimeoutInMinutes": "5", + "probe": { + "id": 
"[concat(variables('lbID0'),'/probes/AppPortProbe2')]" + }, + "protocol": "tcp" + } + } + ], + "probes": [ + { + "name": "FabricGatewayProbe", + "properties": { + "intervalInSeconds": 5, + "numberOfProbes": 2, + "port": "[variables('nt0fabricTcpGatewayPort')]", + "protocol": "tcp" + } + }, + { + "name": "FabricHttpGatewayProbe", + "properties": { + "intervalInSeconds": 5, + "numberOfProbes": 2, + "port": "[variables('nt0fabricHttpGatewayPort')]", + "protocol": "tcp" + } + }, + { + "name": "SFReverseProxyProbe", + "properties": { + "intervalInSeconds": 5, + "numberOfProbes": 2, + "port": "[parameters('SFReverseProxyPort')]", + "protocol": "tcp" + } + }, + { + "name": "AppPortProbe1", + "properties": { + "intervalInSeconds": 5, + "numberOfProbes": 2, + "port": "[parameters('loadBalancedAppPort1')]", + "protocol": "tcp" + } + }, + { + "name": "AppPortProbe2", + "properties": { + "intervalInSeconds": 5, + "numberOfProbes": 2, + "port": "[parameters('loadBalancedAppPort2')]", + "protocol": "tcp" + } + } + ], + "inboundNatPools": [ + { + "name": "LoadBalancerBEAddressNatPool", + "properties": { + "backendPort": "3389", + "frontendIPConfiguration": { + "id": "[variables('lbIPConfig0')]" + }, + "frontendPortRangeEnd": "4500", + "frontendPortRangeStart": "3389", + "protocol": "tcp" + } + } + ] + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + }, + { + "apiVersion": "[variables('vmssApiVersion')]", + "type": "Microsoft.Compute/virtualMachineScaleSets", + "name": "[variables('vmNodeType0Name')]", + "location": "[variables('computeLocation')]", + "dependsOn": [ + "[concat('Microsoft.Network/virtualNetworks/', variables('virtualNetworkName'))]", + "[concat('Microsoft.Network/loadBalancers/', concat('LB','-', parameters('clusterName'),'-',variables('vmNodeType0Name')))]", + "[concat('Microsoft.Storage/storageAccounts/', variables('supportLogStorageAccountName'))]", + "[concat('Microsoft.Storage/storageAccounts/', 
variables('applicationDiagnosticsStorageAccountName'))]" + ], + "properties": { + "overprovision": "[variables('overProvision')]", + "upgradePolicy": { + "mode": "Automatic" + }, + "virtualMachineProfile": { + "extensionProfile": { + "extensions": [ + { + "name": "[concat('ServiceFabricNodeVmExt','_vmNodeType0Name')]", + "properties": { + "type": "ServiceFabricNode", + "autoUpgradeMinorVersion": false, + "protectedSettings": { + "StorageAccountKey1": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('supportLogStorageAccountName')),'2015-05-01-preview').key1]", + "StorageAccountKey2": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('supportLogStorageAccountName')),'2015-05-01-preview').key2]" + }, + "publisher": "Microsoft.Azure.ServiceFabric", + "settings": { + "clusterEndpoint": "[reference(parameters('clusterName')).clusterEndpoint]", + "nodeTypeRef": "[variables('vmNodeType0Name')]", + "dataPath": "D:\\\\SvcFab", + "durabilityLevel": "Bronze", + "nicPrefixOverride": "[variables('subnet0Prefix')]", + "certificate": { + "thumbprint": "[parameters('clusterCertificateThumbprint')]", + "x509StoreName": "[parameters('clusterCertificateStoreValue')]" + }, + "reverseProxyCertificate": { + "thumbprint": "[parameters('sfReverseProxyCertificateThumbprint')]", + "x509StoreName": "[parameters('sfReverseProxyCertificateStoreValue')]" + } + }, + "typeHandlerVersion": "1.0" + } + }, + { + "name": "[concat('VMDiagnosticsVmExt','_vmNodeType0Name')]", + "properties": { + "type": "IaaSDiagnostics", + "autoUpgradeMinorVersion": true, + "protectedSettings": { + "storageAccountName": "[variables('applicationDiagnosticsStorageAccountName')]", + "storageAccountKey": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('applicationDiagnosticsStorageAccountName')),'2015-05-01-preview').key1]", + "storageAccountEndPoint": "https://core.windows.net/" + }, + "publisher": "Microsoft.Azure.Diagnostics", + "settings": { + "WadCfg": { + 
"DiagnosticMonitorConfiguration": { + "overallQuotaInMB": "50000", + "EtwProviders": { + "EtwEventSourceProviderConfiguration": [ + { + "provider": "Microsoft-ServiceFabric-Actors", + "scheduledTransferKeywordFilter": "1", + "scheduledTransferPeriod": "PT5M", + "DefaultEvents": { + "eventDestination": "ServiceFabricReliableActorEventTable" + } + }, + { + "provider": "Microsoft-ServiceFabric-Services", + "scheduledTransferPeriod": "PT5M", + "DefaultEvents": { + "eventDestination": "ServiceFabricReliableServiceEventTable" + } + } + ], + "EtwManifestProviderConfiguration": [ + { + "provider": "cbd93bc2-71e5-4566-b3a7-595d8eeca6e8", + "scheduledTransferLogLevelFilter": "Information", + "scheduledTransferKeywordFilter": "4611686018427387904", + "scheduledTransferPeriod": "PT5M", + "DefaultEvents": { + "eventDestination": "ServiceFabricSystemEventTable" + } + } + ] + } + } + }, + "StorageAccount": "[variables('applicationDiagnosticsStorageAccountName')]" + }, + "typeHandlerVersion": "1.5" + } + } + ] + }, + "networkProfile": { + "networkInterfaceConfigurations": [ + { + "name": "[concat(variables('nicName'), '-0')]", + "properties": { + "ipConfigurations": [ + { + "name": "[concat(variables('nicName'),'-',0)]", + "properties": { + "loadBalancerBackendAddressPools": [ + { + "id": "[variables('lbPoolID0')]" + } + ], + "loadBalancerInboundNatPools": [ + { + "id": "[variables('lbNatPoolID0')]" + } + ], + "subnet": { + "id": "[variables('subnet0Ref')]" + } + } + } + ], + "primary": true + } + } + ] + }, + "osProfile": { + "adminPassword": "[parameters('adminPassword')]", + "adminUsername": "[parameters('adminUsername')]", + "computernamePrefix": "[variables('vmNodeType0Name')]", + "secrets": [ + { + "sourceVault": { + "id": "[parameters('sourceVaultValue')]" + }, + "vaultCertificates": [ + { + "certificateStore": "[parameters('clusterCertificateStorevalue')]", + "certificateUrl": "[parameters('clusterCertificateUrlValue')]" + }, + { + "certificateStore": 
"[parameters('sfReverseProxyCertificateStoreValue')]", + "certificateUrl": "[parameters('sfReverseProxyCertificateUrlValue')]" + } + ] + } + ] + }, + "storageProfile": { + "imageReference": { + "publisher": "[parameters('vmImagePublisher')]", + "offer": "[parameters('vmImageOffer')]", + "sku": "[parameters('vmImageSku')]", + "version": "[parameters('vmImageVersion')]" + }, + "osDisk": { + "createOption": "FromImage", + "caching": "ReadOnly", + "managedDisk": { + "storageAccountType": "[parameters('storageAccountType')]" + } + } + } + } + }, + "sku": { + "name": "[variables('vmNodeType0Size')]", + "capacity": "[parameters('nt0InstanceCount')]", + "tier": "Standard" + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + }, + { + "apiVersion": "2016-09-01", + "type": "Microsoft.ServiceFabric/clusters", + "name": "[parameters('clusterName')]", + "location": "[parameters('clusterLocation')]", + "dependsOn": [ + "[concat('Microsoft.Storage/storageAccounts/', variables('supportLogStorageAccountName'))]" + ], + "properties": { + "certificate": { + "thumbprint": "[parameters('clusterCertificateThumbprint')]", + "x509StoreName": "[parameters('clusterCertificateStoreValue')]" + }, + "reverseProxyCertificate": { + "thumbprint": "[parameters('sfReverseProxyCertificateThumbprint')]", + "x509StoreName": "[parameters('sfReverseProxyCertificateStoreValue')]" + }, + "clientCertificateCommonNames": [], + "clientCertificateThumbprints": [], + "clusterState": "Default", + "diagnosticsStorageAccountConfig": { + "blobEndpoint": "[reference(concat('Microsoft.Storage/storageAccounts/', variables('supportLogStorageAccountName')), variables('storageApiVersion')).primaryEndpoints.blob]", + "protectedAccountKeyName": "StorageAccountKey1", + "queueEndpoint": "[reference(concat('Microsoft.Storage/storageAccounts/', variables('supportLogStorageAccountName')), variables('storageApiVersion')).primaryEndpoints.queue]", + "storageAccountName": 
"[variables('supportLogStorageAccountName')]", + "tableEndpoint": "[reference(concat('Microsoft.Storage/storageAccounts/', variables('supportLogStorageAccountName')), variables('storageApiVersion')).primaryEndpoints.table]" + }, + "fabricSettings": [ + { + "parameters": [ + { + "name": "ClusterProtectionLevel", + "value": "[parameters('clusterProtectionLevel')]" + } + ], + "name": "Security" + }, + { + "name": "ApplicationGateway/Http", + "parameters": [ + { + "name": "ApplicationCertificateValidationPolicy", + "value": "ServiceCertificateThumbprints" + }, + { + "name": "ServiceCertificateThumbprints", + "value": "[parameters('serviceCertificateThumbprints')]" + } + ] + } + ], + "managementEndpoint": "[concat('https://',reference(concat(variables('lbIPName'),'-','0')).dnsSettings.fqdn,':',variables('nt0fabricHttpGatewayPort'))]", + "nodeTypes": [ + { + "name": "[variables('vmNodeType0Name')]", + "applicationPorts": { + "endPort": "[variables('nt0applicationEndPort')]", + "startPort": "[variables('nt0applicationStartPort')]" + }, + "clientConnectionEndpointPort": "[variables('nt0fabricTcpGatewayPort')]", + "durabilityLevel": "Bronze", + "ephemeralPorts": { + "endPort": "[variables('nt0ephemeralEndPort')]", + "startPort": "[variables('nt0ephemeralStartPort')]" + }, + "httpGatewayEndpointPort": "[variables('nt0fabricHttpGatewayPort')]", + "reverseProxyEndpointPort": "[parameters('SFReverseProxyPort')]", + "isPrimary": true, + "vmInstanceCount": "[parameters('nt0InstanceCount')]" + } + ], + "provisioningState": "Default", + "reliabilityLevel": "Silver", + "upgradeMode": "Automatic", + "vmImage": "Windows" + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + } + ], + "outputs": { + "clusterProperties": { + "value": "[reference(parameters('clusterName'))]", + "type": "object" + } + } +} \ No newline at end of file 
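Review bot: The load balancer's `LoadBalancerBEAddressNatPool` maps public ports 3389-4500 to RDP (`"backendPort": "3389"`) on every scale-set instance, and neither the `Subnet-0` definition nor the NIC configuration attaches a network security group, so RDP on every node is reachable from the Internet as deployed. At minimum the sample's README should state this, and a `networkSecurityGroup` reference on the subnet that restricts 3389 to an administrative source range would be the safer default for a template whose filename says "Secure". The `protectedSettings` of both VM extensions also hard-code `listKeys(..., '2015-05-01-preview').key1` although the template already defines `storageApiVersion` (`2016-01-01`) for the same accounts; if the call is moved to the variable the key path changes to `keys[0].value`, e.g. `"[listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('supportLogStorageAccountName')), variables('storageApiVersion')).keys[0].value]"`. The same two points apply to the `5-VM-1-NodeTypes-SecureRP_Step1.json` hunk, whose end is outside this view.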
diff --git a/Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_ServiceCertValidationThumbprints.parameters.json b/Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_ServiceCertValidationThumbprints.parameters.json
new file mode 100644
index 0000000..79b05be
--- /dev/null
+++ b/Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_ServiceCertValidationThumbprints.parameters.json
@@ -0,0 +1,75 @@
+{
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "clusterLocation": {
+ "value": "westus"
+ },
+ "clusterName": {
+ "value": "Cluster"
+ },
+ "adminUserName": {
+ "value": "admuser"
+ },
+ "adminPassword": {
+ "value": "val$$$"
+ },
+ "vmImagePublisher": {
+ "value": "MicrosoftWindowsServer"
+ },
+ "vmImageOffer": {
+ "value": "WindowsServer"
+ },
+ "vmImageSku": {
+ "value": "2012-R2-Datacenter"
+ },
+ "vmImageVersion": {
+ "value": "latest"
+ },
+ "loadBalancedAppPort1": {
+ "value": 80
+ },
+ "loadBalancedAppPort2": {
+ "value": 8081
+ },
+ "clusterCertificateStorevalue": {
+ "value": "My"
+ },
+ "clusterCertificateThumbprint": {
+ "value": "thumbprint value"
+ },
+ "sourceVaultvalue": {
+ "value": "/subscriptions/subscription value/resourceGroups/key vault resource group name/providers/Microsoft.KeyVault/vaults/key vault name"
+ },
+ "clusterCertificateUrlvalue": {
+ "value": "Refers to the location URL in your key vault where the certificate was uploaded, it is should be in the format of https://.vault.azure.net:443/secrets/"
+ },
+ "sfReverseProxyCertificateStorevalue": {
+ "value": "My"
+ },
+ "sfReverseProxyCertificateThumbprint": {
+ "value": "thumbprint value"
+ },
+ "sfReverseProxyCertificateUrlvalue": {
+ "value": "Refers to the location URL in your key vault where the certificate was uploaded, it is should be in the format of https://.vault.azure.net:443/secrets/"
+ },
+ "clusterProtectionLevel": {
+ "value": "EncryptAndSign"
+ },
+ "serviceCertificateThumbprints": {
+ "value": "Comma separated list of certificate thumbprints that the reverse proxy will accept."
+ },
+ "storageAccountType": {
+ "value": "Standard_LRS"
+ },
+ "supportLogStorageAccountType": {
+ "value": "Standard_LRS"
+ },
+ "applicationDiagnosticsStorageAccountType": {
+ "value": "Standard_LRS"
+ },
+ "nt0InstanceCount": {
+ "value": 5
+ }
+ }
+}
diff --git a/Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_Step1.json b/Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_Step1.json
new file mode 100644
index 0000000..1b16961
--- /dev/null
+++ b/Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_Step1.json
@@ -0,0 +1,662 @@ +{ + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json", + "contentVersion": "1.0.0.0", + "parameters": { + "clusterLocation": { + "type": "string", + "metadata": { + "description": "Location of the Cluster" + } + }, + "clusterName": { + "type": "string", + "defaultValue": "sfcluster", + "metadata": { + "description": "Name of your cluster - Between 3 and 23 characters. Letters and numbers only" + } + }, + "adminUserName": { + "type": "string", + "metadata": { + "description": "Remote desktop user Id" + } + }, + "adminPassword": { + "type": "securestring", + "metadata": { + "description": "Remote desktop user password. Must be a strong password" + } + }, + "vmImagePublisher": { + "type": "string", + "defaultValue": "MicrosoftWindowsServer", + "metadata": { + "description": "VM image Publisher"} + }, + "vmImageOffer": { + "type": "string", + "defaultValue": "WindowsServer", + "metadata": { + "description": "VM image offer"} + }, + "vmImageSku": { + "type": "string", + "defaultValue": "2012-R2-Datacenter", + "metadata": { + "description": "VM image SKU"} + }, + "vmImageVersion": { + "type": "string", + "defaultValue": "latest", + "metadata": { + "description": "VM image version"} + }, + "loadBalancedAppPort1": { + "type": "int", + "defaultValue": 80, + "metadata": { + "description": "Input endpoint1 for the application to use. Replace it with what your application uses" + } + }, + "loadBalancedAppPort2": { + "type": "int", + "defaultValue": 8081, + "metadata": { + "description": "Input endpoint2 for the application to use. 
Replace it with what your application uses" + } + }, + "clusterCertificateStoreValue": { + "type": "string", + "allowedValues": [ + "My" + ], + "defaultValue": "My", + "metadata": { + "description": "The store name where the cert will be deployed in the virtual machine" + } + }, + "clusterCertificateThumbprint": { + "type": "string", + "metadata": { + "description": "Certificate Thumbprint" + } + }, + "sourceVaultValue": { + "type": "string", + "metadata": { + "description": "Resource Id of the key vault, is should be in the format of /subscriptions//resourceGroups//providers/Microsoft.KeyVault/vaults/" + } + }, + "clusterCertificateUrlValue": { + "type": "string", + "metadata": { + "description": "Refers to the location URL in your key vault where the certificate was uploaded, it is should be in the format of https://.vault.azure.net:443/secrets/" + } + }, + "clusterProtectionLevel": { + "type": "string", + "allowedValues": [ + "None", + "Sign", + "EncryptAndSign" + ], + "defaultValue": "EncryptAndSign", + "metadata": { + "description": "Protection level.Three values are allowed - EncryptAndSign, Sign, None. 
It is best to keep the default of EncryptAndSign, unless you have a need not to" + } + }, + "storageAccountType": { + "type": "string", + "allowedValues": [ + "Standard_LRS", + "Premium_LRS" + ], + "defaultValue": "Standard_LRS", + "metadata": { + "description": "Replication option for the VM image storage account" + } + }, + "supportLogStorageAccountType": { + "type": "string", + "allowedValues": [ + "Standard_LRS", + "Standard_GRS" + ], + "defaultValue": "Standard_LRS", + "metadata": { + "description": "Replication option for the support log storage account" + } + }, + "applicationDiagnosticsStorageAccountType": { + "type": "string", + "allowedValues": [ + "Standard_LRS", + "Standard_GRS" + ], + "defaultValue": "Standard_LRS", + "metadata": { + "description": "Replication option for the application diagnostics storage account" + } + }, + "nt0InstanceCount": { + "type": "int", + "defaultValue": 5, + "metadata": { + "description": "Instance count for node type" + } + } + }, + "variables": { + "computeLocation": "[parameters('clusterLocation')]", + "dnsName": "[parameters('clusterName')]", + "vmName": "vm", + "vmStorageAccountContainerName": "vhds", + "virtualNetworkName": "VNet", + "addressPrefix": "10.0.0.0/16", + "nicName": "NIC", + "lbIPName": "PublicIP-LB-FE", + "vnetID": "[resourceId('Microsoft.Network/virtualNetworks',variables('virtualNetworkName'))]", + "overProvision": "false", + "vmssApiVersion": "2017-03-30", + "lbApiVersion": "2015-06-15", + "vNetApiVersion": "2015-06-15", + "storageApiVersion": "2016-01-01", + "publicIPApiVersion": "2015-06-15", + "nt0applicationStartPort": "20000", + "nt0applicationEndPort": "30000", + "nt0ephemeralStartPort": "49152", + "nt0ephemeralEndPort": "65534", + "nt0fabricTcpGatewayPort": "19000", + "nt0fabricHttpGatewayPort": "19080", + "subnet0Name": "Subnet-0", + "subnet0Prefix": "10.0.0.0/24", + "subnet0Ref": "[concat(variables('vnetID'),'/subnets/',variables('subnet0Name'))]", + "supportLogStorageAccountName": "[toLower( 
concat( uniqueString(resourceGroup().id),'2'))]", + "applicationDiagnosticsStorageAccountName": "[toLower(concat(uniqueString(resourceGroup().id), '3' ))]", + "lbID0": "[resourceId('Microsoft.Network/loadBalancers',concat('LB','-', parameters('clusterName'),'-',variables('vmNodeType0Name')))]", + "lbIPConfig0": "[concat(variables('lbID0'),'/frontendIPConfigurations/LoadBalancerIPConfig')]", + "lbPoolID0": "[concat(variables('lbID0'),'/backendAddressPools/LoadBalancerBEAddressPool')]", + "lbProbeID0": "[concat(variables('lbID0'),'/probes/FabricGatewayProbe')]", + "lbHttpProbeID0": "[concat(variables('lbID0'),'/probes/FabricHttpGatewayProbe')]", + "lbNatPoolID0": "[concat(variables('lbID0'),'/inboundNatPools/LoadBalancerBEAddressNatPool')]", + "vmNodeType0Name": "[toLower(concat('NT1', variables('vmName')))]", + "vmNodeType0Size": "Standard_DS2_v2" + }, + "resources": [ + { + "apiVersion": "[variables('storageApiVersion')]", + "type": "Microsoft.Storage/storageAccounts", + "name": "[variables('supportLogStorageAccountName')]", + "location": "[variables('computeLocation')]", + "dependsOn": [], + "properties": {}, + "kind": "Storage", + "sku": { + "name": "[parameters('supportLogStorageAccountType')]" + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + }, + { + "apiVersion": "[variables('storageApiVersion')]", + "type": "Microsoft.Storage/storageAccounts", + "name": "[variables('applicationDiagnosticsStorageAccountName')]", + "location": "[variables('computeLocation')]", + "dependsOn": [], + "properties": {}, + "kind": "Storage", + "sku": { + "name": "[parameters('applicationDiagnosticsStorageAccountType')]" + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + }, + { + "apiVersion": "[variables('vNetApiVersion')]", + "type": "Microsoft.Network/virtualNetworks", + "name": "[variables('virtualNetworkName')]", + "location": "[variables('computeLocation')]", + 
"properties": { + "addressSpace": { + "addressPrefixes": [ + "[variables('addressPrefix')]" + ] + }, + "subnets": [ + { + "name": "[variables('subnet0Name')]", + "properties": { + "addressPrefix": "[variables('subnet0Prefix')]" + } + } + ] + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + }, + { + "apiVersion": "[variables('publicIPApiVersion')]", + "type": "Microsoft.Network/publicIPAddresses", + "name": "[concat(variables('lbIPName'),'-','0')]", + "location": "[variables('computeLocation')]", + "properties": { + "dnsSettings": { + "domainNameLabel": "[variables('dnsName')]" + }, + "publicIPAllocationMethod": "Dynamic" + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + }, + { + "apiVersion": "[variables('lbApiVersion')]", + "type": "Microsoft.Network/loadBalancers", + "name": "[concat('LB','-', parameters('clusterName'),'-',variables('vmNodeType0Name'))]", + "location": "[variables('computeLocation')]", + "dependsOn": [ + "[concat('Microsoft.Network/publicIPAddresses/',concat(variables('lbIPName'),'-','0'))]" + ], + "properties": { + "frontendIPConfigurations": [ + { + "name": "LoadBalancerIPConfig", + "properties": { + "publicIPAddress": { + "id": "[resourceId('Microsoft.Network/publicIPAddresses',concat(variables('lbIPName'),'-','0'))]" + } + } + } + ], + "backendAddressPools": [ + { + "name": "LoadBalancerBEAddressPool", + "properties": {} + } + ], + "loadBalancingRules": [ + { + "name": "LBRule", + "properties": { + "backendAddressPool": { + "id": "[variables('lbPoolID0')]" + }, + "backendPort": "[variables('nt0fabricTcpGatewayPort')]", + "enableFloatingIP": "false", + "frontendIPConfiguration": { + "id": "[variables('lbIPConfig0')]" + }, + "frontendPort": "[variables('nt0fabricTcpGatewayPort')]", + "idleTimeoutInMinutes": "5", + "probe": { + "id": "[variables('lbProbeID0')]" + }, + "protocol": "tcp" + } + }, + { + "name": "LBHttpRule", + 
"properties": { + "backendAddressPool": { + "id": "[variables('lbPoolID0')]" + }, + "backendPort": "[variables('nt0fabricHttpGatewayPort')]", + "enableFloatingIP": "false", + "frontendIPConfiguration": { + "id": "[variables('lbIPConfig0')]" + }, + "frontendPort": "[variables('nt0fabricHttpGatewayPort')]", + "idleTimeoutInMinutes": "5", + "probe": { + "id": "[variables('lbHttpProbeID0')]" + }, + "protocol": "tcp" + } + }, + { + "name": "AppPortLBRule1", + "properties": { + "backendAddressPool": { + "id": "[variables('lbPoolID0')]" + }, + "backendPort": "[parameters('loadBalancedAppPort1')]", + "enableFloatingIP": "false", + "frontendIPConfiguration": { + "id": "[variables('lbIPConfig0')]" + }, + "frontendPort": "[parameters('loadBalancedAppPort1')]", + "idleTimeoutInMinutes": "5", + "probe": { + "id": "[concat(variables('lbID0'),'/probes/AppPortProbe1')]" + }, + "protocol": "tcp" + } + }, + { + "name": "AppPortLBRule2", + "properties": { + "backendAddressPool": { + "id": "[variables('lbPoolID0')]" + }, + "backendPort": "[parameters('loadBalancedAppPort2')]", + "enableFloatingIP": "false", + "frontendIPConfiguration": { + "id": "[variables('lbIPConfig0')]" + }, + "frontendPort": "[parameters('loadBalancedAppPort2')]", + "idleTimeoutInMinutes": "5", + "probe": { + "id": "[concat(variables('lbID0'),'/probes/AppPortProbe2')]" + }, + "protocol": "tcp" + } + } + ], + "probes": [ + { + "name": "FabricGatewayProbe", + "properties": { + "intervalInSeconds": 5, + "numberOfProbes": 2, + "port": "[variables('nt0fabricTcpGatewayPort')]", + "protocol": "tcp" + } + }, + { + "name": "FabricHttpGatewayProbe", + "properties": { + "intervalInSeconds": 5, + "numberOfProbes": 2, + "port": "[variables('nt0fabricHttpGatewayPort')]", + "protocol": "tcp" + } + }, + { + "name": "AppPortProbe1", + "properties": { + "intervalInSeconds": 5, + "numberOfProbes": 2, + "port": "[parameters('loadBalancedAppPort1')]", + "protocol": "tcp" + } + }, + { + "name": "AppPortProbe2", + "properties": { + 
"intervalInSeconds": 5, + "numberOfProbes": 2, + "port": "[parameters('loadBalancedAppPort2')]", + "protocol": "tcp" + } + } + ], + "inboundNatPools": [ + { + "name": "LoadBalancerBEAddressNatPool", + "properties": { + "backendPort": "3389", + "frontendIPConfiguration": { + "id": "[variables('lbIPConfig0')]" + }, + "frontendPortRangeEnd": "4500", + "frontendPortRangeStart": "3389", + "protocol": "tcp" + } + } + ] + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + }, + { + "apiVersion": "[variables('vmssApiVersion')]", + "type": "Microsoft.Compute/virtualMachineScaleSets", + "name": "[variables('vmNodeType0Name')]", + "location": "[variables('computeLocation')]", + "dependsOn": [ + "[concat('Microsoft.Network/virtualNetworks/', variables('virtualNetworkName'))]", + "[concat('Microsoft.Network/loadBalancers/', concat('LB','-', parameters('clusterName'),'-',variables('vmNodeType0Name')))]", + "[concat('Microsoft.Storage/storageAccounts/', variables('supportLogStorageAccountName'))]", + "[concat('Microsoft.Storage/storageAccounts/', variables('applicationDiagnosticsStorageAccountName'))]" + ], + "properties": { + "overprovision": "[variables('overProvision')]", + "upgradePolicy": { + "mode": "Automatic" + }, + "virtualMachineProfile": { + "extensionProfile": { + "extensions": [ + { + "name": "[concat('ServiceFabricNodeVmExt','_vmNodeType0Name')]", + "properties": { + "type": "ServiceFabricNode", + "autoUpgradeMinorVersion": false, + "protectedSettings": { + "StorageAccountKey1": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('supportLogStorageAccountName')),'2015-05-01-preview').key1]", + "StorageAccountKey2": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('supportLogStorageAccountName')),'2015-05-01-preview').key2]" + }, + "publisher": "Microsoft.Azure.ServiceFabric", + "settings": { + "clusterEndpoint": "[reference(parameters('clusterName')).clusterEndpoint]", + 
"nodeTypeRef": "[variables('vmNodeType0Name')]", + "dataPath": "D:\\\\SvcFab", + "durabilityLevel": "Bronze", + "nicPrefixOverride": "[variables('subnet0Prefix')]", + "certificate": { + "thumbprint": "[parameters('clusterCertificateThumbprint')]", + "x509StoreName": "[parameters('clusterCertificateStoreValue')]" + } + }, + "typeHandlerVersion": "1.0" + } + }, + { + "name": "[concat('VMDiagnosticsVmExt','_vmNodeType0Name')]", + "properties": { + "type": "IaaSDiagnostics", + "autoUpgradeMinorVersion": true, + "protectedSettings": { + "storageAccountName": "[variables('applicationDiagnosticsStorageAccountName')]", + "storageAccountKey": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('applicationDiagnosticsStorageAccountName')),'2015-05-01-preview').key1]", + "storageAccountEndPoint": "https://core.windows.net/" + }, + "publisher": "Microsoft.Azure.Diagnostics", + "settings": { + "WadCfg": { + "DiagnosticMonitorConfiguration": { + "overallQuotaInMB": "50000", + "EtwProviders": { + "EtwEventSourceProviderConfiguration": [ + { + "provider": "Microsoft-ServiceFabric-Actors", + "scheduledTransferKeywordFilter": "1", + "scheduledTransferPeriod": "PT5M", + "DefaultEvents": { + "eventDestination": "ServiceFabricReliableActorEventTable" + } + }, + { + "provider": "Microsoft-ServiceFabric-Services", + "scheduledTransferPeriod": "PT5M", + "DefaultEvents": { + "eventDestination": "ServiceFabricReliableServiceEventTable" + } + } + ], + "EtwManifestProviderConfiguration": [ + { + "provider": "cbd93bc2-71e5-4566-b3a7-595d8eeca6e8", + "scheduledTransferLogLevelFilter": "Information", + "scheduledTransferKeywordFilter": "4611686018427387904", + "scheduledTransferPeriod": "PT5M", + "DefaultEvents": { + "eventDestination": "ServiceFabricSystemEventTable" + } + } + ] + } + } + }, + "StorageAccount": "[variables('applicationDiagnosticsStorageAccountName')]" + }, + "typeHandlerVersion": "1.5" + } + } + ] + }, + "networkProfile": { + "networkInterfaceConfigurations": [ 
+ { + "name": "[concat(variables('nicName'), '-0')]", + "properties": { + "ipConfigurations": [ + { + "name": "[concat(variables('nicName'),'-',0)]", + "properties": { + "loadBalancerBackendAddressPools": [ + { + "id": "[variables('lbPoolID0')]" + } + ], + "loadBalancerInboundNatPools": [ + { + "id": "[variables('lbNatPoolID0')]" + } + ], + "subnet": { + "id": "[variables('subnet0Ref')]" + } + } + } + ], + "primary": true + } + } + ] + }, + "osProfile": { + "adminPassword": "[parameters('adminPassword')]", + "adminUsername": "[parameters('adminUsername')]", + "computernamePrefix": "[variables('vmNodeType0Name')]", + "secrets": [ + { + "sourceVault": { + "id": "[parameters('sourceVaultValue')]" + }, + "vaultCertificates": [ + { + "certificateStore": "[parameters('clusterCertificateStorevalue')]", + "certificateUrl": "[parameters('clusterCertificateUrlValue')]" + } + ] + } + ] + }, + "storageProfile": { + "imageReference": { + "publisher": "[parameters('vmImagePublisher')]", + "offer": "[parameters('vmImageOffer')]", + "sku": "[parameters('vmImageSku')]", + "version": "[parameters('vmImageVersion')]" + }, + "osDisk": { + "managedDisk": { + "storageAccountType": "[parameters('storageAccountType')]" + }, + "caching": "ReadOnly", + "createOption": "FromImage" + } + } + } + }, + "sku": { + "name": "[variables('vmNodeType0Size')]", + "capacity": "[parameters('nt0InstanceCount')]", + "tier": "Standard" + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + }, + { + "apiVersion": "2016-09-01", + "type": "Microsoft.ServiceFabric/clusters", + "name": "[parameters('clusterName')]", + "location": "[parameters('clusterLocation')]", + "dependsOn": [ + "[concat('Microsoft.Storage/storageAccounts/', variables('supportLogStorageAccountName'))]" + ], + "properties": { + "certificate": { + "thumbprint": "[parameters('clusterCertificateThumbprint')]", + "x509StoreName": "[parameters('clusterCertificateStoreValue')]" + }, + 
"clientCertificateCommonNames": [], + "clientCertificateThumbprints": [], + "clusterState": "Default", + "diagnosticsStorageAccountConfig": { + "blobEndpoint": "[reference(concat('Microsoft.Storage/storageAccounts/', variables('supportLogStorageAccountName')), variables('storageApiVersion')).primaryEndpoints.blob]", + "protectedAccountKeyName": "StorageAccountKey1", + "queueEndpoint": "[reference(concat('Microsoft.Storage/storageAccounts/', variables('supportLogStorageAccountName')), variables('storageApiVersion')).primaryEndpoints.queue]", + "storageAccountName": "[variables('supportLogStorageAccountName')]", + "tableEndpoint": "[reference(concat('Microsoft.Storage/storageAccounts/', variables('supportLogStorageAccountName')), variables('storageApiVersion')).primaryEndpoints.table]" + }, + "fabricSettings": [ + { + "parameters": [ + { + "name": "ClusterProtectionLevel", + "value": "[parameters('clusterProtectionLevel')]" + } + ], + "name": "Security" + } + ], + "managementEndpoint": "[concat('https://',reference(concat(variables('lbIPName'),'-','0')).dnsSettings.fqdn,':',variables('nt0fabricHttpGatewayPort'))]", + "nodeTypes": [ + { + "name": "[variables('vmNodeType0Name')]", + "applicationPorts": { + "endPort": "[variables('nt0applicationEndPort')]", + "startPort": "[variables('nt0applicationStartPort')]" + }, + "clientConnectionEndpointPort": "[variables('nt0fabricTcpGatewayPort')]", + "durabilityLevel": "Bronze", + "ephemeralPorts": { + "endPort": "[variables('nt0ephemeralEndPort')]", + "startPort": "[variables('nt0ephemeralStartPort')]" + }, + "httpGatewayEndpointPort": "[variables('nt0fabricHttpGatewayPort')]", + "isPrimary": true, + "vmInstanceCount": "[parameters('nt0InstanceCount')]" + } + ], + "provisioningState": "Default", + "reliabilityLevel": "Silver", + "upgradeMode": "Automatic", + "vmImage": "Windows" + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + } + ], + "outputs": { + 
"clusterProperties": {
+ "value": "[reference(parameters('clusterName'))]",
+ "type": "object"
+ }
+ }
+}
\ No newline at end of file
diff --git a/Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_Step1.parameters.json b/Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_Step1.parameters.json
new file mode 100644
index 0000000..22e1145
--- /dev/null
+++ b/Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_Step1.parameters.json
@@ -0,0 +1,63 @@
+{
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "clusterLocation": {
+ "value": "westus"
+ },
+ "clusterName": {
+ "value": "Cluster"
+ },
+ "adminUserName": {
+ "value": "admuser"
+ },
+ "adminPassword": {
+ "value": "val$$$"
+ },
+ "vmImagePublisher": {
+ "value": "MicrosoftWindowsServer"
+ },
+ "vmImageOffer": {
+ "value": "WindowsServer"
+ },
+ "vmImageSku": {
+ "value": "2012-R2-Datacenter"
+ },
+ "vmImageVersion": {
+ "value": "latest"
+ },
+ "loadBalancedAppPort1": {
+ "value": 80
+ },
+ "loadBalancedAppPort2": {
+ "value": 8081
+ },
+ "clusterCertificateStorevalue": {
+ "value": "My"
+ },
+ "clusterCertificateThumbprint": {
+ "value": "thumbprint value"
+ },
+ "sourceVaultvalue": {
+ "value": "/subscriptions/subscription value/resourceGroups/key vault resource group name/providers/Microsoft.KeyVault/vaults/key vault name"
+ },
+ "clusterCertificateUrlvalue": {
+ "value": "Refers to the location URL in your key vault where the certificate was uploaded, it is should be in the format of https://.vault.azure.net:443/secrets/"
+ },
+ "clusterProtectionLevel": {
+ "value": "EncryptAndSign"
+ },
+ "storageAccountType": {
+ "value": "Standard_LRS"
+ },
+ "supportLogStorageAccountType": {
+ "value": "Standard_LRS"
+ },
+ "applicationDiagnosticsStorageAccountType": {
+ "value": "Standard_LRS"
+ },
+ "nt0InstanceCount": {
+ "value": 5
+ }
+ }
+}
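Review bot: `adminPassword` is committed as the plaintext literal `"val$$$"` in this parameters file even though the template declares it as `securestring`, and the same literal appears in 5-VM-1-NodeTypes-SecureRP_Step2.parameters.json. Replace the inline value with a Key Vault reference so the secret never enters source control: `"adminPassword": { "reference": { "keyVault": { "id": "<KEY_VAULT_RESOURCE_ID>" }, "secretName": "<SECRET_NAME>" } }`. The remaining placeholders (`"thumbprint value"`, the prose sentence in `clusterCertificateUrlvalue`, the `subscription value` segment of `sourceVaultvalue`) are clearly not real, but a consistent `<PLACEHOLDER>` form would make it obvious which fields must be filled in before deployment and would not be mistaken for a working sample value.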
diff --git a/Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_Step2.json b/Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_Step2.json
new file mode 100644
index 0000000..ab89690
--- /dev/null
+++ b/Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_Step2.json
@@ -0,0 +1,696 @@
+{
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "clusterLocation": {
+ "type": "string",
+ "metadata": {
+ "description": "Location of the Cluster"
+ }
+ },
+ "clusterName": {
+ "type": "string",
+ "defaultValue": "sfcluster",
+ "metadata": {
+ "description": "Name of your cluster - Between 3 and 23 characters. Letters and numbers only"
+ }
+ },
+ "adminUserName": {
+ "type": "string",
+ "metadata": {
+ "description": "Remote desktop user Id"
+ }
+ },
+ "adminPassword": {
+ "type": "securestring",
+ "metadata": {
+ "description": "Remote desktop user password. Must be a strong password"
+ }
+ },
+ "vmImagePublisher": {
+ "type": "string",
+ "defaultValue": "MicrosoftWindowsServer",
+ "metadata": {
+ "description": "VM image Publisher"
+ }
+ },
+ "vmImageOffer": {
+ "type": "string",
+ "defaultValue": "WindowsServer",
+ "metadata": {
+ "description": "VM image offer"
+ }
+ },
+ "vmImageSku": {
+ "type": "string",
+ "defaultValue": "2012-R2-Datacenter",
+ "metadata": {
+ "description": "VM image SKU"
+ }
+ },
+ "vmImageVersion": {
+ "type": "string",
+ "defaultValue": "latest",
+ "metadata": {
+ "description": "VM image version"
+ }
+ },
+ "loadBalancedAppPort1": {
+ "type": "int",
+ "defaultValue": 80,
+ "metadata": {
+ "description": "Input endpoint1 for the application to use. Replace it with what your application uses"
+ }
+ },
+ "loadBalancedAppPort2": {
+ "type": "int",
+ "defaultValue": 8081,
+ "metadata": {
+ "description": "Input endpoint2 for the application to use. 
Replace it with what your application uses" + } + }, + "clusterCertificateStoreValue": { + "type": "string", + "allowedValues": [ + "My" + ], + "defaultValue": "My", + "metadata": { + "description": "The store name where the cert will be deployed in the virtual machine" + } + }, + "clusterCertificateThumbprint": { + "type": "string", + "metadata": { + "description": "Certificate Thumbprint" + } + }, + "sourceVaultValue": { + "type": "string", + "metadata": { + "description": "Resource Id of the key vault, is should be in the format of /subscriptions//resourceGroups//providers/Microsoft.KeyVault/vaults/" + } + }, + "clusterCertificateUrlValue": { + "type": "string", + "metadata": { + "description": "Refers to the location URL in your key vault where the certificate was uploaded, it is should be in the format of https://.vault.azure.net:443/secrets/" + } + }, + "sfReverseProxyCertificateStoreValue": { + "type": "string", + "allowedValues": [ + "My" + ], + "defaultValue": "My", + "metadata": { + "description": "The store name where the cert will be deployed in the virtual machine" + } + }, + "sfReverseProxyCertificateThumbprint": { + "type": "string", + "metadata": { + "description": "Certificate Thumbprint" + } + }, + "sfReverseProxyCertificateUrlValue": { + "type": "string", + "metadata": { + "description": "Refers to the location URL in your key vault where the certificate was uploaded, it is should be in the format of https://.vault.azure.net:443/secrets/" + } + }, + "clusterProtectionLevel": { + "type": "string", + "allowedValues": [ + "None", + "Sign", + "EncryptAndSign" + ], + "defaultValue": "EncryptAndSign", + "metadata": { + "description": "Protection level.Three values are allowed - EncryptAndSign, Sign, None. 
It is best to keep the default of EncryptAndSign, unless you have a need not to" + } + }, + "storageAccountType": { + "type": "string", + "allowedValues": [ + "Standard_LRS", + "Premium_LRS" + ], + "defaultValue": "Standard_LRS", + "metadata": { + "description": "Replication option for the VM image storage account" + } + }, + "supportLogStorageAccountType": { + "type": "string", + "allowedValues": [ + "Standard_LRS", + "Standard_GRS" + ], + "defaultValue": "Standard_LRS", + "metadata": { + "description": "Replication option for the support log storage account" + } + }, + "applicationDiagnosticsStorageAccountType": { + "type": "string", + "allowedValues": [ + "Standard_LRS", + "Standard_GRS" + ], + "defaultValue": "Standard_LRS", + "metadata": { + "description": "Replication option for the application diagnostics storage account" + } + }, + "nt0InstanceCount": { + "type": "int", + "defaultValue": 5, + "metadata": { + "description": "Instance count for node type" + } + } + }, + "variables": { + "computeLocation": "[parameters('clusterLocation')]", + "dnsName": "[parameters('clusterName')]", + "vmName": "vm", + "vmStorageAccountContainerName": "vhds", + "virtualNetworkName": "VNet", + "addressPrefix": "10.0.0.0/16", + "nicName": "NIC", + "lbIPName": "PublicIP-LB-FE", + "vnetID": "[resourceId('Microsoft.Network/virtualNetworks',variables('virtualNetworkName'))]", + "overProvision": "false", + "vmssApiVersion": "2017-03-30", + "lbApiVersion": "2015-06-15", + "vNetApiVersion": "2015-06-15", + "storageApiVersion": "2016-01-01", + "publicIPApiVersion": "2015-06-15", + "nt0applicationStartPort": "20000", + "nt0applicationEndPort": "30000", + "nt0ephemeralStartPort": "49152", + "nt0ephemeralEndPort": "65534", + "nt0fabricTcpGatewayPort": "19000", + "nt0fabricHttpGatewayPort": "19080", + "subnet0Name": "Subnet-0", + "subnet0Prefix": "10.0.0.0/24", + "subnet0Ref": "[concat(variables('vnetID'),'/subnets/',variables('subnet0Name'))]", + "supportLogStorageAccountName": "[toLower( 
concat( uniqueString(resourceGroup().id),'2'))]", + "applicationDiagnosticsStorageAccountName": "[toLower(concat(uniqueString(resourceGroup().id), '3' ))]", + "lbID0": "[resourceId('Microsoft.Network/loadBalancers',concat('LB','-', parameters('clusterName'),'-',variables('vmNodeType0Name')))]", + "lbIPConfig0": "[concat(variables('lbID0'),'/frontendIPConfigurations/LoadBalancerIPConfig')]", + "lbPoolID0": "[concat(variables('lbID0'),'/backendAddressPools/LoadBalancerBEAddressPool')]", + "lbProbeID0": "[concat(variables('lbID0'),'/probes/FabricGatewayProbe')]", + "lbHttpProbeID0": "[concat(variables('lbID0'),'/probes/FabricHttpGatewayProbe')]", + "lbNatPoolID0": "[concat(variables('lbID0'),'/inboundNatPools/LoadBalancerBEAddressNatPool')]", + "vmNodeType0Name": "[toLower(concat('NT1', variables('vmName')))]", + "vmNodeType0Size": "Standard_DS2_v2" + }, + "resources": [ + { + "apiVersion": "[variables('storageApiVersion')]", + "type": "Microsoft.Storage/storageAccounts", + "name": "[variables('supportLogStorageAccountName')]", + "location": "[variables('computeLocation')]", + "dependsOn": [], + "properties": {}, + "kind": "Storage", + "sku": { + "name": "[parameters('supportLogStorageAccountType')]" + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + }, + { + "apiVersion": "[variables('storageApiVersion')]", + "type": "Microsoft.Storage/storageAccounts", + "name": "[variables('applicationDiagnosticsStorageAccountName')]", + "location": "[variables('computeLocation')]", + "dependsOn": [], + "properties": {}, + "kind": "Storage", + "sku": { + "name": "[parameters('applicationDiagnosticsStorageAccountType')]" + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + }, + { + "apiVersion": "[variables('vNetApiVersion')]", + "type": "Microsoft.Network/virtualNetworks", + "name": "[variables('virtualNetworkName')]", + "location": "[variables('computeLocation')]", + 
"properties": { + "addressSpace": { + "addressPrefixes": [ + "[variables('addressPrefix')]" + ] + }, + "subnets": [ + { + "name": "[variables('subnet0Name')]", + "properties": { + "addressPrefix": "[variables('subnet0Prefix')]" + } + } + ] + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + }, + { + "apiVersion": "[variables('publicIPApiVersion')]", + "type": "Microsoft.Network/publicIPAddresses", + "name": "[concat(variables('lbIPName'),'-','0')]", + "location": "[variables('computeLocation')]", + "properties": { + "dnsSettings": { + "domainNameLabel": "[variables('dnsName')]" + }, + "publicIPAllocationMethod": "Dynamic" + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + }, + { + "apiVersion": "[variables('lbApiVersion')]", + "type": "Microsoft.Network/loadBalancers", + "name": "[concat('LB','-', parameters('clusterName'),'-',variables('vmNodeType0Name'))]", + "location": "[variables('computeLocation')]", + "dependsOn": [ + "[concat('Microsoft.Network/publicIPAddresses/',concat(variables('lbIPName'),'-','0'))]" + ], + "properties": { + "frontendIPConfigurations": [ + { + "name": "LoadBalancerIPConfig", + "properties": { + "publicIPAddress": { + "id": "[resourceId('Microsoft.Network/publicIPAddresses',concat(variables('lbIPName'),'-','0'))]" + } + } + } + ], + "backendAddressPools": [ + { + "name": "LoadBalancerBEAddressPool", + "properties": {} + } + ], + "loadBalancingRules": [ + { + "name": "LBRule", + "properties": { + "backendAddressPool": { + "id": "[variables('lbPoolID0')]" + }, + "backendPort": "[variables('nt0fabricTcpGatewayPort')]", + "enableFloatingIP": "false", + "frontendIPConfiguration": { + "id": "[variables('lbIPConfig0')]" + }, + "frontendPort": "[variables('nt0fabricTcpGatewayPort')]", + "idleTimeoutInMinutes": "5", + "probe": { + "id": "[variables('lbProbeID0')]" + }, + "protocol": "tcp" + } + }, + { + "name": "LBHttpRule", + 
"properties": { + "backendAddressPool": { + "id": "[variables('lbPoolID0')]" + }, + "backendPort": "[variables('nt0fabricHttpGatewayPort')]", + "enableFloatingIP": "false", + "frontendIPConfiguration": { + "id": "[variables('lbIPConfig0')]" + }, + "frontendPort": "[variables('nt0fabricHttpGatewayPort')]", + "idleTimeoutInMinutes": "5", + "probe": { + "id": "[variables('lbHttpProbeID0')]" + }, + "protocol": "tcp" + } + }, + { + "name": "AppPortLBRule1", + "properties": { + "backendAddressPool": { + "id": "[variables('lbPoolID0')]" + }, + "backendPort": "[parameters('loadBalancedAppPort1')]", + "enableFloatingIP": "false", + "frontendIPConfiguration": { + "id": "[variables('lbIPConfig0')]" + }, + "frontendPort": "[parameters('loadBalancedAppPort1')]", + "idleTimeoutInMinutes": "5", + "probe": { + "id": "[concat(variables('lbID0'),'/probes/AppPortProbe1')]" + }, + "protocol": "tcp" + } + }, + { + "name": "AppPortLBRule2", + "properties": { + "backendAddressPool": { + "id": "[variables('lbPoolID0')]" + }, + "backendPort": "[parameters('loadBalancedAppPort2')]", + "enableFloatingIP": "false", + "frontendIPConfiguration": { + "id": "[variables('lbIPConfig0')]" + }, + "frontendPort": "[parameters('loadBalancedAppPort2')]", + "idleTimeoutInMinutes": "5", + "probe": { + "id": "[concat(variables('lbID0'),'/probes/AppPortProbe2')]" + }, + "protocol": "tcp" + } + } + ], + "probes": [ + { + "name": "FabricGatewayProbe", + "properties": { + "intervalInSeconds": 5, + "numberOfProbes": 2, + "port": "[variables('nt0fabricTcpGatewayPort')]", + "protocol": "tcp" + } + }, + { + "name": "FabricHttpGatewayProbe", + "properties": { + "intervalInSeconds": 5, + "numberOfProbes": 2, + "port": "[variables('nt0fabricHttpGatewayPort')]", + "protocol": "tcp" + } + }, + { + "name": "AppPortProbe1", + "properties": { + "intervalInSeconds": 5, + "numberOfProbes": 2, + "port": "[parameters('loadBalancedAppPort1')]", + "protocol": "tcp" + } + }, + { + "name": "AppPortProbe2", + "properties": { + 
"intervalInSeconds": 5, + "numberOfProbes": 2, + "port": "[parameters('loadBalancedAppPort2')]", + "protocol": "tcp" + } + } + ], + "inboundNatPools": [ + { + "name": "LoadBalancerBEAddressNatPool", + "properties": { + "backendPort": "3389", + "frontendIPConfiguration": { + "id": "[variables('lbIPConfig0')]" + }, + "frontendPortRangeEnd": "4500", + "frontendPortRangeStart": "3389", + "protocol": "tcp" + } + } + ] + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + }, + { + "apiVersion": "[variables('vmssApiVersion')]", + "type": "Microsoft.Compute/virtualMachineScaleSets", + "name": "[variables('vmNodeType0Name')]", + "location": "[variables('computeLocation')]", + "dependsOn": [ + "[concat('Microsoft.Network/virtualNetworks/', variables('virtualNetworkName'))]", + "[concat('Microsoft.Network/loadBalancers/', concat('LB','-', parameters('clusterName'),'-',variables('vmNodeType0Name')))]", + "[concat('Microsoft.Storage/storageAccounts/', variables('supportLogStorageAccountName'))]", + "[concat('Microsoft.Storage/storageAccounts/', variables('applicationDiagnosticsStorageAccountName'))]" + ], + "properties": { + "overprovision": "[variables('overProvision')]", + "upgradePolicy": { + "mode": "Automatic" + }, + "virtualMachineProfile": { + "extensionProfile": { + "extensions": [ + { + "name": "[concat('ServiceFabricNodeVmExt','_vmNodeType0Name')]", + "properties": { + "type": "ServiceFabricNode", + "autoUpgradeMinorVersion": false, + "protectedSettings": { + "StorageAccountKey1": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('supportLogStorageAccountName')),'2015-05-01-preview').key1]", + "StorageAccountKey2": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('supportLogStorageAccountName')),'2015-05-01-preview').key2]" + }, + "publisher": "Microsoft.Azure.ServiceFabric", + "settings": { + "clusterEndpoint": "[reference(parameters('clusterName')).clusterEndpoint]", + 
"nodeTypeRef": "[variables('vmNodeType0Name')]", + "dataPath": "D:\\\\SvcFab", + "durabilityLevel": "Bronze", + "nicPrefixOverride": "[variables('subnet0Prefix')]", + "certificate": { + "thumbprint": "[parameters('clusterCertificateThumbprint')]", + "x509StoreName": "[parameters('clusterCertificateStoreValue')]" + }, + "reverseProxyCertificate": { + "thumbprint": "[parameters('sfReverseProxyCertificateThumbprint')]", + "x509StoreName": "[parameters('sfReverseProxyCertificateStoreValue')]" + } + }, + "typeHandlerVersion": "1.0" + } + }, + { + "name": "[concat('VMDiagnosticsVmExt','_vmNodeType0Name')]", + "properties": { + "type": "IaaSDiagnostics", + "autoUpgradeMinorVersion": true, + "protectedSettings": { + "storageAccountName": "[variables('applicationDiagnosticsStorageAccountName')]", + "storageAccountKey": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('applicationDiagnosticsStorageAccountName')),'2015-05-01-preview').key1]", + "storageAccountEndPoint": "https://core.windows.net/" + }, + "publisher": "Microsoft.Azure.Diagnostics", + "settings": { + "WadCfg": { + "DiagnosticMonitorConfiguration": { + "overallQuotaInMB": "50000", + "EtwProviders": { + "EtwEventSourceProviderConfiguration": [ + { + "provider": "Microsoft-ServiceFabric-Actors", + "scheduledTransferKeywordFilter": "1", + "scheduledTransferPeriod": "PT5M", + "DefaultEvents": { + "eventDestination": "ServiceFabricReliableActorEventTable" + } + }, + { + "provider": "Microsoft-ServiceFabric-Services", + "scheduledTransferPeriod": "PT5M", + "DefaultEvents": { + "eventDestination": "ServiceFabricReliableServiceEventTable" + } + } + ], + "EtwManifestProviderConfiguration": [ + { + "provider": "cbd93bc2-71e5-4566-b3a7-595d8eeca6e8", + "scheduledTransferLogLevelFilter": "Information", + "scheduledTransferKeywordFilter": "4611686018427387904", + "scheduledTransferPeriod": "PT5M", + "DefaultEvents": { + "eventDestination": "ServiceFabricSystemEventTable" + } + } + ] + } + } + }, + 
"StorageAccount": "[variables('applicationDiagnosticsStorageAccountName')]" + }, + "typeHandlerVersion": "1.5" + } + } + ] + }, + "networkProfile": { + "networkInterfaceConfigurations": [ + { + "name": "[concat(variables('nicName'), '-0')]", + "properties": { + "ipConfigurations": [ + { + "name": "[concat(variables('nicName'),'-',0)]", + "properties": { + "loadBalancerBackendAddressPools": [ + { + "id": "[variables('lbPoolID0')]" + } + ], + "loadBalancerInboundNatPools": [ + { + "id": "[variables('lbNatPoolID0')]" + } + ], + "subnet": { + "id": "[variables('subnet0Ref')]" + } + } + } + ], + "primary": true + } + } + ] + }, + "osProfile": { + "adminPassword": "[parameters('adminPassword')]", + "adminUsername": "[parameters('adminUsername')]", + "computernamePrefix": "[variables('vmNodeType0Name')]", + "secrets": [ + { + "sourceVault": { + "id": "[parameters('sourceVaultValue')]" + }, + "vaultCertificates": [ + { + "certificateStore": "[parameters('clusterCertificateStorevalue')]", + "certificateUrl": "[parameters('clusterCertificateUrlValue')]" + }, + { + "certificateStore": "[parameters('sfReverseProxyCertificateStoreValue')]", + "certificateUrl": "[parameters('sfReverseProxyCertificateUrlValue')]" + } + ] + } + ] + }, + "storageProfile": { + "imageReference": { + "publisher": "[parameters('vmImagePublisher')]", + "offer": "[parameters('vmImageOffer')]", + "sku": "[parameters('vmImageSku')]", + "version": "[parameters('vmImageVersion')]" + }, + "osDisk": { + "createOption": "FromImage", + "caching": "ReadOnly", + "managedDisk": { + "storageAccountType": "[parameters('storageAccountType')]" + } + } + } + } + }, + "sku": { + "name": "[variables('vmNodeType0Size')]", + "capacity": "[parameters('nt0InstanceCount')]", + "tier": "Standard" + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + }, + { + "apiVersion": "2016-09-01", + "type": "Microsoft.ServiceFabric/clusters", + "name": "[parameters('clusterName')]", + 
"location": "[parameters('clusterLocation')]", + "dependsOn": [ + "[concat('Microsoft.Storage/storageAccounts/', variables('supportLogStorageAccountName'))]" + ], + "properties": { + "certificate": { + "thumbprint": "[parameters('clusterCertificateThumbprint')]", + "x509StoreName": "[parameters('clusterCertificateStoreValue')]" + }, + "clientCertificateCommonNames": [], + "clientCertificateThumbprints": [], + "clusterState": "Default", + "diagnosticsStorageAccountConfig": { + "blobEndpoint": "[reference(concat('Microsoft.Storage/storageAccounts/', variables('supportLogStorageAccountName')), variables('storageApiVersion')).primaryEndpoints.blob]", + "protectedAccountKeyName": "StorageAccountKey1", + "queueEndpoint": "[reference(concat('Microsoft.Storage/storageAccounts/', variables('supportLogStorageAccountName')), variables('storageApiVersion')).primaryEndpoints.queue]", + "storageAccountName": "[variables('supportLogStorageAccountName')]", + "tableEndpoint": "[reference(concat('Microsoft.Storage/storageAccounts/', variables('supportLogStorageAccountName')), variables('storageApiVersion')).primaryEndpoints.table]" + }, + "fabricSettings": [ + { + "parameters": [ + { + "name": "ClusterProtectionLevel", + "value": "[parameters('clusterProtectionLevel')]" + } + ], + "name": "Security" + } + ], + "managementEndpoint": "[concat('https://',reference(concat(variables('lbIPName'),'-','0')).dnsSettings.fqdn,':',variables('nt0fabricHttpGatewayPort'))]", + "nodeTypes": [ + { + "name": "[variables('vmNodeType0Name')]", + "applicationPorts": { + "endPort": "[variables('nt0applicationEndPort')]", + "startPort": "[variables('nt0applicationStartPort')]" + }, + "clientConnectionEndpointPort": "[variables('nt0fabricTcpGatewayPort')]", + "durabilityLevel": "Bronze", + "ephemeralPorts": { + "endPort": "[variables('nt0ephemeralEndPort')]", + "startPort": "[variables('nt0ephemeralStartPort')]" + }, + "httpGatewayEndpointPort": "[variables('nt0fabricHttpGatewayPort')]", + "isPrimary": 
true,
+ "vmInstanceCount": "[parameters('nt0InstanceCount')]"
+ }
+ ],
+ "provisioningState": "Default",
+ "reliabilityLevel": "Silver",
+ "upgradeMode": "Automatic",
+ "vmImage": "Windows"
+ },
+ "tags": {
+ "resourceType": "Service Fabric",
+ "clusterName": "[parameters('clusterName')]"
+ }
+ }
+ ],
+ "outputs": {
+ "clusterProperties": {
+ "value": "[reference(parameters('clusterName'))]",
+ "type": "object"
+ }
+ }
+}
\ No newline at end of file
diff --git a/Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_Step2.parameters.json b/Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_Step2.parameters.json
new file mode 100644
index 0000000..da39320
--- /dev/null
+++ b/Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_Step2.parameters.json
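Review bot: The `LoadBalancerBEAddressNatPool` inbound NAT pool forwards public frontend ports 3389–4500 to RDP (3389) on every scale-set instance, and the template declares no Microsoft.Network/networkSecurityGroups resource and attaches none to `Subnet-0` or the NIC configuration, so RDP on all nodes is reachable from any internet source as soon as the cluster is up; the AzureDeploy.json hunk earlier in this patch has the same layout. Add an NSG on the subnet that limits 3389 and the 19000/19080 gateway ports to your management source ranges, with an explicit allow for `loadBalancedAppPort1`/`loadBalancedAppPort2` because an attached NSG's default rules otherwise block the load-balancer traffic, and give the virtual network a `dependsOn` for it — or drop the NAT pool if per-node RDP is not needed. Note also that `clientCertificateThumbprints` and `clientCertificateCommonNames` are both empty, so the cluster certificate, which is installed on every node, is the only credential accepted for admin client access on the public 19000/19080 endpoints. Separately, both extension names use the literal `'_vmNodeType0Name'` instead of `variables('vmNodeType0Name')`, e.g. `"name": "[concat('ServiceFabricNodeVmExt','_',variables('vmNodeType0Name'))]"`, which reads like a copy slip.
```json
{
  "apiVersion": "[variables('vNetApiVersion')]",
  "type": "Microsoft.Network/networkSecurityGroups",
  "name": "[concat('NSG-', variables('subnet0Name'))]",
  "location": "[variables('computeLocation')]",
  "properties": {
    "securityRules": [
      {
        "name": "AllowRdpFromManagement",
        "properties": {
          "priority": 100,
          "direction": "Inbound",
          "access": "Allow",
          "protocol": "Tcp",
          "sourceAddressPrefix": "<MANAGEMENT_SOURCE_CIDR>",
          "sourcePortRange": "*",
          "destinationAddressPrefix": "*",
          "destinationPortRange": "3389"
        }
      },
      {
        "name": "AllowFabricGatewaysFromManagement",
        "properties": {
          "priority": 110,
          "direction": "Inbound",
          "access": "Allow",
          "protocol": "Tcp",
          "sourceAddressPrefix": "<MANAGEMENT_SOURCE_CIDR>",
          "sourcePortRange": "*",
          "destinationAddressPrefix": "*",
          "destinationPortRange": "19000-19080"
        }
      }
    ]
  }
},
{
  "name": "[variables('subnet0Name')]",
  "properties": {
    "addressPrefix": "[variables('subnet0Prefix')]",
    "networkSecurityGroup": {
      "id": "[resourceId('Microsoft.Network/networkSecurityGroups', concat('NSG-', variables('subnet0Name')))]"
    }
  }
}
```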
@@ -0,0 +1,72 @@
+{
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "clusterLocation": {
+ "value": "westus"
+ },
+ "clusterName": {
+ "value": "Cluster"
+ },
+ "adminUserName": {
+ "value": "admuser"
+ },
+ "adminPassword": {
+ "value": "val$$$"
+ },
+ "vmImagePublisher": {
+ "value": "MicrosoftWindowsServer"
+ },
+ "vmImageOffer": {
+ "value": "WindowsServer"
+ },
+ "vmImageSku": {
+ "value": "2012-R2-Datacenter"
+ },
+ "vmImageVersion": {
+ "value": "latest"
+ },
+ "loadBalancedAppPort1": {
+ "value": 80
+ },
+ "loadBalancedAppPort2": {
+ "value": 8081
+ },
+ "clusterCertificateStorevalue": {
+ "value": "My"
+ },
+ "clusterCertificateThumbprint": {
+ "value": "thumbprint value"
+ },
+ "sourceVaultvalue": {
+ "value": "/subscriptions/subscription value/resourceGroups/key vault resource group name/providers/Microsoft.KeyVault/vaults/key vault name"
+ },
+ "clusterCertificateUrlvalue": {
+ "value": "Refers to the location URL in your key vault where the certificate was uploaded, it is should be in the format of https://.vault.azure.net:443/secrets/"
+ },
+ "sfReverseProxyCertificateStorevalue": {
+ "value": "My"
+ },
+ "sfReverseProxyCertificateThumbprint": {
+ "value": "thumbprint value"
+ },
+ "sfReverseProxyCertificateUrlvalue": {
+ "value": "Refers to the location URL in your key vault where the certificate was uploaded, it is should be in the format of https://.vault.azure.net:443/secrets/"
+ },
+ "clusterProtectionLevel": {
+ "value": "EncryptAndSign"
+ },
+ "storageAccountType": {
+ "value": "Standard_LRS"
+ },
+ "supportLogStorageAccountType": {
+ "value": "Standard_LRS"
+ },
+ "applicationDiagnosticsStorageAccountType": {
+ "value": "Standard_LRS"
+ },
+ "nt0InstanceCount": {
+ "value": 5
+ }
+ }
+}
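Review bot: `adminPassword` is committed as the literal `"val$$$"` in this parameters file (and identically in 5-VM-1-NodeTypes-SecureRP_Step3.parameters.json, which carries the same blob id `da39320`); a plaintext VM administrator credential in a checked-in parameters file tends to be copied into real deployments, and a six-character value is very likely below Azure's minimum admin password length for Windows images, so the sample would fail as shipped anyway. Prefer a Key Vault reference so the secret never enters the repository: replace the value with `"adminPassword": { "reference": { "keyVault": { "id": "<KEY_VAULT_RESOURCE_ID>" }, "secretName": "<SECRET_NAME>" } }`. The keys `clusterCertificateStorevalue`, `sourceVaultvalue`, `clusterCertificateUrlvalue`, `sfReverseProxyCertificateStorevalue` and `sfReverseProxyCertificateUrlvalue` differ in case from the template's `...Value` declarations; ARM appears to resolve parameter names case-insensitively so this deploys, but matching the template's casing keeps the two files greppable against each other.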
diff --git a/Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_Step3.json b/Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_Step3.json
new file mode 100644
index 0000000..02f9cce
--- /dev/null
+++ b/Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_Step3.json
@@ -0,0 +1,735 @@ +{ + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json", + "contentVersion": "1.0.0.0", + "parameters": { + "clusterLocation": { + "type": "string", + "metadata": { + "description": "Location of the Cluster" + } + }, + "clusterName": { + "type": "string", + "defaultValue": "sfcluster", + "metadata": { + "description": "Name of your cluster - Between 3 and 23 characters. Letters and numbers only" + } + }, + "adminUserName": { + "type": "string", + "metadata": { + "description": "Remote desktop user Id" + } + }, + "adminPassword": { + "type": "securestring", + "metadata": { + "description": "Remote desktop user password. Must be a strong password" + } + }, + "vmImagePublisher": { + "type": "string", + "defaultValue": "MicrosoftWindowsServer", + "metadata": { + "description": "VM image Publisher" + } + }, + "vmImageOffer": { + "type": "string", + "defaultValue": "WindowsServer", + "metadata": { + "description": "VM image offer" + } + }, + "vmImageSku": { + "type": "string", + "defaultValue": "2012-R2-Datacenter", + "metadata": { + "description": "VM image SKU" + } + }, + "vmImageVersion": { + "type": "string", + "defaultValue": "latest", + "metadata": { + "description": "VM image version" + } + }, + "loadBalancedAppPort1": { + "type": "int", + "defaultValue": 80, + "metadata": { + "description": "Input endpoint1 for the application to use. Replace it with what your application uses" + } + }, + "loadBalancedAppPort2": { + "type": "int", + "defaultValue": 8081, + "metadata": { + "description": "Input endpoint2 for the application to use. 
Replace it with what your application uses" + } + }, + "SFReverseProxyPort": { + "type": "int", + "defaultValue": 19008, + "metadata": { + "description": "Endpoint for Service Fabric Reverse proxy" + } + }, + "clusterCertificateStoreValue": { + "type": "string", + "allowedValues": [ + "My" + ], + "defaultValue": "My", + "metadata": { + "description": "The store name where the cert will be deployed in the virtual machine" + } + }, + "clusterCertificateThumbprint": { + "type": "string", + "metadata": { + "description": "Certificate Thumbprint" + } + }, + "sourceVaultValue": { + "type": "string", + "metadata": { + "description": "Resource Id of the key vault, is should be in the format of /subscriptions//resourceGroups//providers/Microsoft.KeyVault/vaults/" + } + }, + "clusterCertificateUrlValue": { + "type": "string", + "metadata": { + "description": "Refers to the location URL in your key vault where the certificate was uploaded, it is should be in the format of https://.vault.azure.net:443/secrets/" + } + }, + "sfReverseProxyCertificateStoreValue": { + "type": "string", + "allowedValues": [ + "My" + ], + "defaultValue": "My", + "metadata": { + "description": "The store name where the cert will be deployed in the virtual machine" + } + }, + "sfReverseProxyCertificateThumbprint": { + "type": "string", + "metadata": { + "description": "Certificate Thumbprint" + } + }, + "sfReverseProxyCertificateUrlValue": { + "type": "string", + "metadata": { + "description": "Refers to the location URL in your key vault where the certificate was uploaded, it is should be in the format of https://.vault.azure.net:443/secrets/" + } + }, + "clusterProtectionLevel": { + "type": "string", + "allowedValues": [ + "None", + "Sign", + "EncryptAndSign" + ], + "defaultValue": "EncryptAndSign", + "metadata": { + "description": "Protection level.Three values are allowed - EncryptAndSign, Sign, None. 
It is best to keep the default of EncryptAndSign, unless you have a need not to" + } + }, + "storageAccountType": { + "type": "string", + "allowedValues": [ + "Standard_LRS", + "Premium_LRS" + ], + "defaultValue": "Standard_LRS", + "metadata": { + "description": "Replication option for the VM image storage account" + } + }, + "supportLogStorageAccountType": { + "type": "string", + "allowedValues": [ + "Standard_LRS", + "Standard_GRS" + ], + "defaultValue": "Standard_LRS", + "metadata": { + "description": "Replication option for the support log storage account" + } + }, + "applicationDiagnosticsStorageAccountType": { + "type": "string", + "allowedValues": [ + "Standard_LRS", + "Standard_GRS" + ], + "defaultValue": "Standard_LRS", + "metadata": { + "description": "Replication option for the application diagnostics storage account" + } + }, + "nt0InstanceCount": { + "type": "int", + "defaultValue": 5, + "metadata": { + "description": "Instance count for node type" + } + } + }, + "variables": { + "computeLocation": "[parameters('clusterLocation')]", + "dnsName": "[parameters('clusterName')]", + "vmName": "vm", + "virtualNetworkName": "VNet", + "addressPrefix": "10.0.0.0/16", + "nicName": "NIC", + "lbIPName": "PublicIP-LB-FE", + "vnetID": "[resourceId('Microsoft.Network/virtualNetworks',variables('virtualNetworkName'))]", + "overProvision": "false", + "vmssApiVersion": "2017-03-30", + "lbApiVersion": "2015-06-15", + "vNetApiVersion": "2015-06-15", + "storageApiVersion": "2016-01-01", + "publicIPApiVersion": "2015-06-15", + "nt0applicationStartPort": "20000", + "nt0applicationEndPort": "30000", + "nt0ephemeralStartPort": "49152", + "nt0ephemeralEndPort": "65534", + "nt0fabricTcpGatewayPort": "19000", + "nt0fabricHttpGatewayPort": "19080", + "subnet0Name": "Subnet-0", + "subnet0Prefix": "10.0.0.0/24", + "subnet0Ref": "[concat(variables('vnetID'),'/subnets/',variables('subnet0Name'))]", + "supportLogStorageAccountName": "[toLower( concat( 
uniqueString(resourceGroup().id),'2'))]", + "applicationDiagnosticsStorageAccountName": "[toLower(concat(uniqueString(resourceGroup().id), '3' ))]", + "lbID0": "[resourceId('Microsoft.Network/loadBalancers',concat('LB','-', parameters('clusterName'),'-',variables('vmNodeType0Name')))]", + "lbIPConfig0": "[concat(variables('lbID0'),'/frontendIPConfigurations/LoadBalancerIPConfig')]", + "lbPoolID0": "[concat(variables('lbID0'),'/backendAddressPools/LoadBalancerBEAddressPool')]", + "lbProbeID0": "[concat(variables('lbID0'),'/probes/FabricGatewayProbe')]", + "lbHttpProbeID0": "[concat(variables('lbID0'),'/probes/FabricHttpGatewayProbe')]", + "lbNatPoolID0": "[concat(variables('lbID0'),'/inboundNatPools/LoadBalancerBEAddressNatPool')]", + "vmNodeType0Name": "[toLower(concat('NT1', variables('vmName')))]", + "vmNodeType0Size": "Standard_DS2_v2" + }, + "resources": [ + { + "apiVersion": "[variables('storageApiVersion')]", + "type": "Microsoft.Storage/storageAccounts", + "name": "[variables('supportLogStorageAccountName')]", + "location": "[variables('computeLocation')]", + "dependsOn": [], + "properties": {}, + "kind": "Storage", + "sku": { + "name": "[parameters('supportLogStorageAccountType')]" + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + }, + { + "apiVersion": "[variables('storageApiVersion')]", + "type": "Microsoft.Storage/storageAccounts", + "name": "[variables('applicationDiagnosticsStorageAccountName')]", + "location": "[variables('computeLocation')]", + "dependsOn": [], + "properties": {}, + "kind": "Storage", + "sku": { + "name": "[parameters('applicationDiagnosticsStorageAccountType')]" + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + }, + { + "apiVersion": "[variables('vNetApiVersion')]", + "type": "Microsoft.Network/virtualNetworks", + "name": "[variables('virtualNetworkName')]", + "location": "[variables('computeLocation')]", + "properties": { 
+ "addressSpace": { + "addressPrefixes": [ + "[variables('addressPrefix')]" + ] + }, + "subnets": [ + { + "name": "[variables('subnet0Name')]", + "properties": { + "addressPrefix": "[variables('subnet0Prefix')]" + } + } + ] + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + }, + { + "apiVersion": "[variables('publicIPApiVersion')]", + "type": "Microsoft.Network/publicIPAddresses", + "name": "[concat(variables('lbIPName'),'-','0')]", + "location": "[variables('computeLocation')]", + "properties": { + "dnsSettings": { + "domainNameLabel": "[variables('dnsName')]" + }, + "publicIPAllocationMethod": "Dynamic" + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + }, + { + "apiVersion": "[variables('lbApiVersion')]", + "type": "Microsoft.Network/loadBalancers", + "name": "[concat('LB','-', parameters('clusterName'),'-',variables('vmNodeType0Name'))]", + "location": "[variables('computeLocation')]", + "dependsOn": [ + "[concat('Microsoft.Network/publicIPAddresses/',concat(variables('lbIPName'),'-','0'))]" + ], + "properties": { + "frontendIPConfigurations": [ + { + "name": "LoadBalancerIPConfig", + "properties": { + "publicIPAddress": { + "id": "[resourceId('Microsoft.Network/publicIPAddresses',concat(variables('lbIPName'),'-','0'))]" + } + } + } + ], + "backendAddressPools": [ + { + "name": "LoadBalancerBEAddressPool", + "properties": {} + } + ], + "loadBalancingRules": [ + { + "name": "LBRule", + "properties": { + "backendAddressPool": { + "id": "[variables('lbPoolID0')]" + }, + "backendPort": "[variables('nt0fabricTcpGatewayPort')]", + "enableFloatingIP": "false", + "frontendIPConfiguration": { + "id": "[variables('lbIPConfig0')]" + }, + "frontendPort": "[variables('nt0fabricTcpGatewayPort')]", + "idleTimeoutInMinutes": "5", + "probe": { + "id": "[variables('lbProbeID0')]" + }, + "protocol": "tcp" + } + }, + { + "name": "LBHttpRule", + "properties": { + 
"backendAddressPool": { + "id": "[variables('lbPoolID0')]" + }, + "backendPort": "[variables('nt0fabricHttpGatewayPort')]", + "enableFloatingIP": "false", + "frontendIPConfiguration": { + "id": "[variables('lbIPConfig0')]" + }, + "frontendPort": "[variables('nt0fabricHttpGatewayPort')]", + "idleTimeoutInMinutes": "5", + "probe": { + "id": "[variables('lbHttpProbeID0')]" + }, + "protocol": "tcp" + } + }, + { + "name": "LBSFReverseProxyRule", + "properties": { + "backendAddressPool": { + "id": "[variables('lbPoolID0')]" + }, + "backendPort": "[parameters('SFReverseProxyPort')]", + "enableFloatingIP": "false", + "frontendIPConfiguration": { + "id": "[variables('lbIPConfig0')]" + }, + "frontendPort": "[parameters('SFReverseProxyPort')]", + "idleTimeoutInMinutes": "5", + "probe": { + "id": "[concat(variables('lbID0'),'/probes/SFReverseProxyProbe')]" + }, + "protocol": "tcp" + } + }, + { + "name": "AppPortLBRule1", + "properties": { + "backendAddressPool": { + "id": "[variables('lbPoolID0')]" + }, + "backendPort": "[parameters('loadBalancedAppPort1')]", + "enableFloatingIP": "false", + "frontendIPConfiguration": { + "id": "[variables('lbIPConfig0')]" + }, + "frontendPort": "[parameters('loadBalancedAppPort1')]", + "idleTimeoutInMinutes": "5", + "probe": { + "id": "[concat(variables('lbID0'),'/probes/AppPortProbe1')]" + }, + "protocol": "tcp" + } + }, + { + "name": "AppPortLBRule2", + "properties": { + "backendAddressPool": { + "id": "[variables('lbPoolID0')]" + }, + "backendPort": "[parameters('loadBalancedAppPort2')]", + "enableFloatingIP": "false", + "frontendIPConfiguration": { + "id": "[variables('lbIPConfig0')]" + }, + "frontendPort": "[parameters('loadBalancedAppPort2')]", + "idleTimeoutInMinutes": "5", + "probe": { + "id": "[concat(variables('lbID0'),'/probes/AppPortProbe2')]" + }, + "protocol": "tcp" + } + } + ], + "probes": [ + { + "name": "FabricGatewayProbe", + "properties": { + "intervalInSeconds": 5, + "numberOfProbes": 2, + "port": 
"[variables('nt0fabricTcpGatewayPort')]", + "protocol": "tcp" + } + }, + { + "name": "FabricHttpGatewayProbe", + "properties": { + "intervalInSeconds": 5, + "numberOfProbes": 2, + "port": "[variables('nt0fabricHttpGatewayPort')]", + "protocol": "tcp" + } + }, + { + "name": "SFReverseProxyProbe", + "properties": { + "intervalInSeconds": 5, + "numberOfProbes": 2, + "port": "[parameters('SFReverseProxyPort')]", + "protocol": "tcp" + } + }, + { + "name": "AppPortProbe1", + "properties": { + "intervalInSeconds": 5, + "numberOfProbes": 2, + "port": "[parameters('loadBalancedAppPort1')]", + "protocol": "tcp" + } + }, + { + "name": "AppPortProbe2", + "properties": { + "intervalInSeconds": 5, + "numberOfProbes": 2, + "port": "[parameters('loadBalancedAppPort2')]", + "protocol": "tcp" + } + } + ], + "inboundNatPools": [ + { + "name": "LoadBalancerBEAddressNatPool", + "properties": { + "backendPort": "3389", + "frontendIPConfiguration": { + "id": "[variables('lbIPConfig0')]" + }, + "frontendPortRangeEnd": "4500", + "frontendPortRangeStart": "3389", + "protocol": "tcp" + } + } + ] + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + }, + { + "apiVersion": "[variables('vmssApiVersion')]", + "type": "Microsoft.Compute/virtualMachineScaleSets", + "name": "[variables('vmNodeType0Name')]", + "location": "[variables('computeLocation')]", + "dependsOn": [ + "[concat('Microsoft.Network/virtualNetworks/', variables('virtualNetworkName'))]", + "[concat('Microsoft.Network/loadBalancers/', concat('LB','-', parameters('clusterName'),'-',variables('vmNodeType0Name')))]", + "[concat('Microsoft.Storage/storageAccounts/', variables('supportLogStorageAccountName'))]", + "[concat('Microsoft.Storage/storageAccounts/', variables('applicationDiagnosticsStorageAccountName'))]" + ], + "properties": { + "overprovision": "[variables('overProvision')]", + "upgradePolicy": { + "mode": "Automatic" + }, + "virtualMachineProfile": { + "extensionProfile": 
{ + "extensions": [ + { + "name": "[concat('ServiceFabricNodeVmExt','_vmNodeType0Name')]", + "properties": { + "type": "ServiceFabricNode", + "autoUpgradeMinorVersion": false, + "protectedSettings": { + "StorageAccountKey1": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('supportLogStorageAccountName')),'2015-05-01-preview').key1]", + "StorageAccountKey2": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('supportLogStorageAccountName')),'2015-05-01-preview').key2]" + }, + "publisher": "Microsoft.Azure.ServiceFabric", + "settings": { + "clusterEndpoint": "[reference(parameters('clusterName')).clusterEndpoint]", + "nodeTypeRef": "[variables('vmNodeType0Name')]", + "dataPath": "D:\\\\SvcFab", + "durabilityLevel": "Bronze", + "nicPrefixOverride": "[variables('subnet0Prefix')]", + "certificate": { + "thumbprint": "[parameters('clusterCertificateThumbprint')]", + "x509StoreName": "[parameters('clusterCertificateStoreValue')]" + }, + "reverseProxyCertificate": { + "thumbprint": "[parameters('sfReverseProxyCertificateThumbprint')]", + "x509StoreName": "[parameters('sfReverseProxyCertificateStoreValue')]" + } + }, + "typeHandlerVersion": "1.0" + } + }, + { + "name": "[concat('VMDiagnosticsVmExt','_vmNodeType0Name')]", + "properties": { + "type": "IaaSDiagnostics", + "autoUpgradeMinorVersion": true, + "protectedSettings": { + "storageAccountName": "[variables('applicationDiagnosticsStorageAccountName')]", + "storageAccountKey": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('applicationDiagnosticsStorageAccountName')),'2015-05-01-preview').key1]", + "storageAccountEndPoint": "https://core.windows.net/" + }, + "publisher": "Microsoft.Azure.Diagnostics", + "settings": { + "WadCfg": { + "DiagnosticMonitorConfiguration": { + "overallQuotaInMB": "50000", + "EtwProviders": { + "EtwEventSourceProviderConfiguration": [ + { + "provider": "Microsoft-ServiceFabric-Actors", + "scheduledTransferKeywordFilter": "1", + 
"scheduledTransferPeriod": "PT5M", + "DefaultEvents": { + "eventDestination": "ServiceFabricReliableActorEventTable" + } + }, + { + "provider": "Microsoft-ServiceFabric-Services", + "scheduledTransferPeriod": "PT5M", + "DefaultEvents": { + "eventDestination": "ServiceFabricReliableServiceEventTable" + } + } + ], + "EtwManifestProviderConfiguration": [ + { + "provider": "cbd93bc2-71e5-4566-b3a7-595d8eeca6e8", + "scheduledTransferLogLevelFilter": "Information", + "scheduledTransferKeywordFilter": "4611686018427387904", + "scheduledTransferPeriod": "PT5M", + "DefaultEvents": { + "eventDestination": "ServiceFabricSystemEventTable" + } + } + ] + } + } + }, + "StorageAccount": "[variables('applicationDiagnosticsStorageAccountName')]" + }, + "typeHandlerVersion": "1.5" + } + } + ] + }, + "networkProfile": { + "networkInterfaceConfigurations": [ + { + "name": "[concat(variables('nicName'), '-0')]", + "properties": { + "ipConfigurations": [ + { + "name": "[concat(variables('nicName'),'-',0)]", + "properties": { + "loadBalancerBackendAddressPools": [ + { + "id": "[variables('lbPoolID0')]" + } + ], + "loadBalancerInboundNatPools": [ + { + "id": "[variables('lbNatPoolID0')]" + } + ], + "subnet": { + "id": "[variables('subnet0Ref')]" + } + } + } + ], + "primary": true + } + } + ] + }, + "osProfile": { + "adminPassword": "[parameters('adminPassword')]", + "adminUsername": "[parameters('adminUsername')]", + "computernamePrefix": "[variables('vmNodeType0Name')]", + "secrets": [ + { + "sourceVault": { + "id": "[parameters('sourceVaultValue')]" + }, + "vaultCertificates": [ + { + "certificateStore": "[parameters('clusterCertificateStorevalue')]", + "certificateUrl": "[parameters('clusterCertificateUrlValue')]" + }, + { + "certificateStore": "[parameters('sfReverseProxyCertificateStoreValue')]", + "certificateUrl": "[parameters('sfReverseProxyCertificateUrlValue')]" + } + ] + } + ] + }, + "storageProfile": { + "imageReference": { + "publisher": "[parameters('vmImagePublisher')]", + 
"offer": "[parameters('vmImageOffer')]", + "sku": "[parameters('vmImageSku')]", + "version": "[parameters('vmImageVersion')]" + }, + "osDisk": { + "createOption": "FromImage", + "caching": "ReadOnly", + "managedDisk": { + "storageAccountType": "[parameters('storageAccountType')]" + } + } + } + } + }, + "sku": { + "name": "[variables('vmNodeType0Size')]", + "capacity": "[parameters('nt0InstanceCount')]", + "tier": "Standard" + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + }, + { + "apiVersion": "2016-09-01", + "type": "Microsoft.ServiceFabric/clusters", + "name": "[parameters('clusterName')]", + "location": "[parameters('clusterLocation')]", + "dependsOn": [ + "[concat('Microsoft.Storage/storageAccounts/', variables('supportLogStorageAccountName'))]" + ], + "properties": { + "certificate": { + "thumbprint": "[parameters('clusterCertificateThumbprint')]", + "x509StoreName": "[parameters('clusterCertificateStoreValue')]" + }, + "reverseProxyCertificate": { + "thumbprint": "[parameters('sfReverseProxyCertificateThumbprint')]", + "x509StoreName": "[parameters('sfReverseProxyCertificateStoreValue')]" + }, + "clientCertificateCommonNames": [], + "clientCertificateThumbprints": [], + "clusterState": "Default", + "diagnosticsStorageAccountConfig": { + "blobEndpoint": "[reference(concat('Microsoft.Storage/storageAccounts/', variables('supportLogStorageAccountName')), variables('storageApiVersion')).primaryEndpoints.blob]", + "protectedAccountKeyName": "StorageAccountKey1", + "queueEndpoint": "[reference(concat('Microsoft.Storage/storageAccounts/', variables('supportLogStorageAccountName')), variables('storageApiVersion')).primaryEndpoints.queue]", + "storageAccountName": "[variables('supportLogStorageAccountName')]", + "tableEndpoint": "[reference(concat('Microsoft.Storage/storageAccounts/', variables('supportLogStorageAccountName')), variables('storageApiVersion')).primaryEndpoints.table]" + }, + "fabricSettings": [ 
+ { + "parameters": [ + { + "name": "ClusterProtectionLevel", + "value": "[parameters('clusterProtectionLevel')]" + } + ], + "name": "Security" + } + ], + "managementEndpoint": "[concat('https://',reference(concat(variables('lbIPName'),'-','0')).dnsSettings.fqdn,':',variables('nt0fabricHttpGatewayPort'))]", + "nodeTypes": [ + { + "name": "[variables('vmNodeType0Name')]", + "applicationPorts": { + "endPort": "[variables('nt0applicationEndPort')]", + "startPort": "[variables('nt0applicationStartPort')]" + }, + "clientConnectionEndpointPort": "[variables('nt0fabricTcpGatewayPort')]", + "durabilityLevel": "Bronze", + "ephemeralPorts": { + "endPort": "[variables('nt0ephemeralEndPort')]", + "startPort": "[variables('nt0ephemeralStartPort')]" + }, + "httpGatewayEndpointPort": "[variables('nt0fabricHttpGatewayPort')]", + "reverseProxyEndpointPort": "[parameters('SFReverseProxyPort')]", + "isPrimary": true, + "vmInstanceCount": "[parameters('nt0InstanceCount')]" + } + ], + "provisioningState": "Default", + "reliabilityLevel": "Silver", + "upgradeMode": "Automatic", + "vmImage": "Windows" + }, + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + } + } + ], + "outputs": { + "clusterProperties": { + "value": "[reference(parameters('clusterName'))]", + "type": "object" + } + } +} \ No newline at end of file diff --git a/Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_Step3.parameters.json b/Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_Step3.parameters.json new file mode 100644 index 0000000..da39320 --- /dev/null +++ b/Reverse-Proxy-Sample/5-VM-1-NodeTypes-SecureRP_Step3.parameters.json 
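Review bot: The `LoadBalancerBEAddressNatPool` inbound NAT pool publishes RDP (backend `3389`, frontend range `3389`–`4500`) on every instance of `vmNodeType0Name` through the public load balancer, and neither `Subnet-0` nor the scale set's `networkInterfaceConfigurations` carries a `networkSecurityGroup`, so the RDP endpoint of all five nodes is reachable from any source address. Attach an NSG to the subnet that allows the ports the load balancer intentionally publishes (`nt0fabricTcpGatewayPort`, `nt0fabricHttpGatewayPort`, `SFReverseProxyPort`, `loadBalancedAppPort1`/`2`) and permits `3389` only from an administrative address range — the implicit DenyAllInbound rule then covers every other source — or drop the NAT pool and the `loadBalancerInboundNatPools` reference if interactive access is not needed; a sketch follows, with the admin range left as a placeholder. Because `LBSFReverseProxyRule` puts the reverse proxy on the same public frontend, every HTTP service in the cluster becomes reachable through it from the Internet, so the `SFReverseProxyPort` rule deserves the same source restriction unless public reverse-proxy access is the intent of this sample. Separately, both `listKeys(...)` calls in `protectedSettings` pin `'2015-05-01-preview'` while the template's `storageApiVersion` variable is `2016-01-01`; the `.key1` property shape belongs to the preview contract, so aligning the version would also require switching to `.keys[0].value`. As a point of style, `"enableFloatingIP": "false"`, `"idleTimeoutInMinutes": "5"`, `"overProvision": "false"` and `"backendPort": "3389"` are JSON strings where booleans and integers are meant — ARM coerces them, but `false` and `5` as real literals read unambiguously and validate cleanly against the resource schemas.

```json
{
  "apiVersion": "[variables('vNetApiVersion')]",
  "type": "Microsoft.Network/networkSecurityGroups",
  "name": "[concat('NSG-', variables('vmNodeType0Name'))]",
  "location": "[variables('computeLocation')]",
  "properties": {
    "securityRules": [
      {
        "name": "AllowFabricTcpGateway",
        "properties": {
          "priority": 100,
          "direction": "Inbound",
          "access": "Allow",
          "protocol": "Tcp",
          "sourceAddressPrefix": "Internet",
          "sourcePortRange": "*",
          "destinationAddressPrefix": "*",
          "destinationPortRange": "[variables('nt0fabricTcpGatewayPort')]"
        }
      },
      // … same shape for nt0fabricHttpGatewayPort, SFReverseProxyPort, loadBalancedAppPort1 and loadBalancedAppPort2 (priorities 110–140) …
      {
        "name": "AllowRdpFromAdminRange",
        "properties": {
          "priority": 200,
          "direction": "Inbound",
          "access": "Allow",
          "protocol": "Tcp",
          "sourceAddressPrefix": "<ADMIN_SOURCE_CIDR>",
          "sourcePortRange": "*",
          "destinationAddressPrefix": "*",
          "destinationPortRange": "3389"
        }
      }
    ]
  }
},
// … unchanged: Microsoft.Network/virtualNetworks resource — add the NSG to its dependsOn and reference it from Subnet-0:
"properties": {
  "addressPrefix": "[variables('subnet0Prefix')]",
  "networkSecurityGroup": {
    "id": "[resourceId('Microsoft.Network/networkSecurityGroups', concat('NSG-', variables('vmNodeType0Name')))]"
  }
}
```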
@@ -0,0 +1,72 @@
+{
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "clusterLocation": {
+ "value": "westus"
+ },
+ "clusterName": {
+ "value": "Cluster"
+ },
+ "adminUserName": {
+ "value": "admuser"
+ },
+ "adminPassword": {
+ "value": "val$$$"
+ },
+ "vmImagePublisher": {
+ "value": "MicrosoftWindowsServer"
+ },
+ "vmImageOffer": {
+ "value": "WindowsServer"
+ },
+ "vmImageSku": {
+ "value": "2012-R2-Datacenter"
+ },
+ "vmImageVersion": {
+ "value": "latest"
+ },
+ "loadBalancedAppPort1": {
+ "value": 80
+ },
+ "loadBalancedAppPort2": {
+ "value": 8081
+ },
+ "clusterCertificateStorevalue": {
+ "value": "My"
+ },
+ "clusterCertificateThumbprint": {
+ "value": "thumbprint value"
+ },
+ "sourceVaultvalue": {
+ "value": "/subscriptions/subscription value/resourceGroups/key vault resource group name/providers/Microsoft.KeyVault/vaults/key vault name"
+ },
+ "clusterCertificateUrlvalue": {
+ "value": "Refers to the location URL in your key vault where the certificate was uploaded, it is should be in the format of https://.vault.azure.net:443/secrets/"
+ },
+ "sfReverseProxyCertificateStorevalue": {
+ "value": "My"
+ },
+ "sfReverseProxyCertificateThumbprint": {
+ "value": "thumbprint value"
+ },
+ "sfReverseProxyCertificateUrlvalue": {
+ "value": "Refers to the location URL in your key vault where the certificate was uploaded, it is should be in the format of https://.vault.azure.net:443/secrets/"
+ },
+ "clusterProtectionLevel": {
+ "value": "EncryptAndSign"
+ },
+ "storageAccountType": {
+ "value": "Standard_LRS"
+ },
+ "supportLogStorageAccountType": {
+ "value": "Standard_LRS"
+ },
+ "applicationDiagnosticsStorageAccountType": {
+ "value": "Standard_LRS"
+ },
+ "nt0InstanceCount": {
+ "value": 5
+ }
+ }
+}
diff --git a/Reverse-Proxy-Sample/README.md b/Reverse-Proxy-Sample/README.md
new file mode 100644
index 0000000..3256b9c
--- /dev/null
+++ b/Reverse-Proxy-Sample/README.md 
@@ -0,0 +1,61 @@ + +# Introduction + +This folder contains the set of ARM templates you can use to deploy a secure five node service fabric cluster and then enable/configure Reverse Proxy with a new certificate and then rollover the Reverse Proxy certificate. +To read more about the Reverse Proxy, refer [Service Fabric Reverse Proxy](https://docs.microsoft.com/azure/service-fabric/service-fabric-reverseproxy) +To read about Deploy templates to Azure, refer the section [Deploy the template to Azure](https://docs.microsoft.com/azure/service-fabric/service-fabric-cluster-security-update-certs-azure) + +## Configure HTTPS Reverse Proxy in a secure cluster. + +### Step1: Provision a secure cluster (without Reverse Proxy) +1. Template to provision a five node secure cluster - 5-VM-1-NodeTypes-SecureRP_Step1.JSON +2. Template parameters for the above template - 5-VM-1-NodeTypes-SecureRP_Step1.parameters.JSON + + +### Step2 :Provision a new certificate using ARM Powershell. +This upgrade step takes care of installing the Reverse Proxy certificate on all the VMs and acl'ing the certificate such that Service Fabric can access it. +Here the new certificate is added to the virtual machine scale set osProfile and the Service Fabric extension for virtual machine scale sets. + +1. Template to provision a five node secure cluster with new certificates to be used by Reverse Proxy later- 5-VM-1-NodeTypes-Secure_Step2.JSON +2. Template parameters for the above template - 5-VM-1-NodeTypes-SecureRP_Step2.parameters.JSON + +### Step3 :Enable Reverse Proxy using ARM Powershell +This upgrade step includes: + Configure Load balancer Rule and Probe for Reverse Proxy. + Configure the port for the Reverse Proxy. + Configure Reverse Proxy certificate in the Service Fabric cluster resource. + +1. Template to provision a five node secure cluster with Reverse Proxy - 5-VM-1-NodeTypes-SecureRP_Step3.JSON +2. 
Template parameters for the above template - 5-VM-1-NodeTypes-SecureRP_Step3.parameters.JSON + +## Rolling over Reverse Proxy certificate. +Once you have a cluster with Reverse Proxy configured (HTTPS, using the above steps), now we will discuss how to rollover the Reverse Proxy certificate. +Rolling over the Reverse Proxy certificate involves issuing two upgrades: + +### Step1: Provision a second certificate for Reverse Proxy using ARM Powershell. + +This upgrade step takes care of installing the Reverse Proxy certificate on all the VMs and acl'ing the certificate such that Service Fabric can access it. + +1. Template to provision a five node secure cluster with new certificates to be used by Reverse Proxy later- 5-VM-1-NodeTypes-SecureRP_RollOverStep1.JSON +2. Template parameters for the above template - 5-VM-1-NodeTypes-SecureRP_RollOverStep1.parameters.JSON + + +### Step2 :Rollover Reverse Proxy certificate to use the one added in the above step using ARM Powershell. +Here, it sets the Reverse Proxy certificate in the Service Fabric cluster resource to the new thumbprint. + +1. Template to provision a five node secure cluster and have Reverse Proxy use the new certificate- 5-VM-1-NodeTypes-SecureRP_RollOverStep2.JSON +2. Template parameters for the above template - 5-VM-1-NodeTypes-SecureRP_RollOverStep2.parameters.JSON + +## Configure reverse proxy to connect to secure services +The below three templates show the different options to establish a secure channel between reverse proxy and services. +To read more about configuring secure end-to-end communication via the Reverse Proxy, refer [Connect to a secure service with the reverse proxy](https://docs.microsoft.com/azure/service-fabric/service-fabric-reverseproxy-configure-secure-communication) + +### 5-VM-1-NodeTypes-SecureRP_ServiceCertValidationNone.JSON +Use this template to deploy a 5 node cluster with reverse proxy listening on HTTPS. Here ApplicationCertificateValidationPolicy is set to None. 
+Reverse proxy will skip the server certificate validation while connecting to secure services. + +### 5-VM-1-NodeTypes-SecureRP_ServiceCertValidationCommonName.JSON +This template shows how to configure the reverse proxy to validate the service's certificate based on certificate common name and issue's thumbprint. + +### 5-VM-1-NodeTypes-SecureRP_ServiceCertValidationThumbprints.JSON +This template shows how to configure the reverse proxy to validate the service's certificate based on certificate's thumbprints. \ No newline at end of file From fdf3df07394200016d99620f444d7b4ee9399068 Mon Sep 17 00:00:00 2001 From: Nicolas Oman Date: Thu, 24 Oct 2019 12:26:33 -0700 Subject: [PATCH 5/5] updated readme --- Reverse-Proxy-Sample/README.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/Reverse-Proxy-Sample/README.md b/Reverse-Proxy-Sample/README.md index 3256b9c..b347a5d 100644 --- a/Reverse-Proxy-Sample/README.md +++ b/Reverse-Proxy-Sample/README.md 
@@ -1,9 +1,9 @@ # Introduction -This folder contains the set of ARM templates you can use to deploy a secure five node service fabric cluster and then enable/configure Reverse Proxy with a new certificate and then rollover the Reverse Proxy certificate. -To read more about the Reverse Proxy, refer [Service Fabric Reverse Proxy](https://docs.microsoft.com/azure/service-fabric/service-fabric-reverseproxy) -To read about Deploy templates to Azure, refer the section [Deploy the template to Azure](https://docs.microsoft.com/azure/service-fabric/service-fabric-cluster-security-update-certs-azure) +This folder contains the set of ARM templates you can use to deploy a secure five node service fabric cluster, enable/configure Reverse Proxy with a new certificate, and rollover the Reverse Proxy certificate. +To read more about the Reverse Proxy, refer to [Service Fabric Reverse Proxy](https://docs.microsoft.com/azure/service-fabric/service-fabric-reverseproxy) +To read about deploying templates to Azure, refer the section [Deploy the template to Azure](https://docs.microsoft.com/azure/service-fabric/service-fabric-cluster-security-update-certs-azure). ## Configure HTTPS Reverse Proxy in a secure cluster. @@ -29,7 +29,7 @@ This upgrade step includes: 2. Template parameters for the above template - 5-VM-1-NodeTypes-SecureRP_Step3.parameters.JSON ## Rolling over Reverse Proxy certificate. -Once you have a cluster with Reverse Proxy configured (HTTPS, using the above steps), now we will discuss how to rollover the Reverse Proxy certificate. +Once you have a cluster with Reverse Proxy configured (HTTPS, using the above steps), we can discuss how to rollover the Reverse Proxy certificate. Rolling over the Reverse Proxy certificate involves issuing two upgrades: ### Step1: Provision a second certificate for Reverse Proxy using ARM Powershell. 
@@ -48,7 +48,7 @@ Here, it sets the Reverse Proxy certificate in the Service Fabric cluster resour ## Configure reverse proxy to connect to secure services The below three templates show the different options to establish a secure channel between reverse proxy and services. -To read more about configuring secure end-to-end communication via the Reverse Proxy, refer [Connect to a secure service with the reverse proxy](https://docs.microsoft.com/azure/service-fabric/service-fabric-reverseproxy-configure-secure-communication) +To read more about configuring secure end-to-end communication via the Reverse Proxy, refer to [Connect to a secure service with the reverse proxy](https://docs.microsoft.com/azure/service-fabric/service-fabric-reverseproxy-configure-secure-communication) ### 5-VM-1-NodeTypes-SecureRP_ServiceCertValidationNone.JSON Use this template to deploy a 5 node cluster with reverse proxy listening on HTTPS. Here ApplicationCertificateValidationPolicy is set to None.