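# Azure CLI lab cheat sheet (for Linux)
#
# The commands are grouped by lab step. Several sections undo earlier ones
# (an NSG rule is created and deleted a few lines apart, an iptables rule is
# removed and re-added), so copy them section by section rather than running
# the file as one script.
#
# Lab credentials: the ARM templates take an admin password and the VPN
# connections a pre-shared key. Override the lab defaults through the
# environment instead of editing the file. Values passed on the command line
# are still visible in shell history and to `ps`; for the deployments,
# `--parameters @file.json` avoids that if it matters in your environment.
admin_password=${ADMIN_PASSWORD:-'Microsoft123!'}
vpn_shared_key=${VPN_SHARED_KEY:-'Microsoft123'}

# Lab initialization
az group create -n vnetTest -l westeurope
az configure --defaults group=vnetTest
url='https://raw.githubusercontent.com/erjosito/azure-networking-lab/master/NetworkingLab_master.json'
# jq builds the parameter JSON so the password is escaped correctly whatever
# characters it contains (jq is already required by the verification step below).
# Option 1: default (all vnets in one location)
params=$(jq -n --arg pw "$admin_password" '{adminPassword: {value: $pw}}')
az group deployment create -n netLabDeployment --template-uri "$url" -g vnetTest --parameters "$params"
# Option 2: with Vnet 3 in a separate location
params=$(jq -n --arg pw "$admin_password" '{adminPassword: {value: $pw}, location2ary: {value: "westus2"}, location2aryVnets: {value: [3]}}')
az group deployment create -n netLabDeployment --template-uri "$url" -g vnetTest --parameters "$params"

# Verify LB SKUs (the JMESPath expression is quoted so the shell does not try to glob it)
az network lb list --query '[].[name,sku.name]' -o table

# Configure routing pointing to the ILB: every subnet route table sends traffic
# for the other vnets to the internal LB frontend, which fronts the NVAs
next_hop='10.4.2.100'
az network route-table create --name vnet1-subnet1
az network vnet subnet update -n myVnet1Subnet1 --vnet-name myVnet1 --route-table vnet1-subnet1
az network route-table route create --address-prefix 10.2.0.0/16 --next-hop-ip-address "$next_hop" --next-hop-type VirtualAppliance --route-table-name vnet1-subnet1 -n vnet2
# Intra-subnet traffic is also sent through the NVA (route for the subnet's own prefix)
az network route-table route create --address-prefix 10.1.1.0/24 --next-hop-ip-address "$next_hop" --next-hop-type VirtualAppliance --route-table-name vnet1-subnet1 -n vnet1-subnet1
az network route-table create --name vnet2-subnet1
az network vnet subnet update -n myVnet2Subnet1 --vnet-name myVnet2 --route-table vnet2-subnet1
az network route-table route create --address-prefix 10.1.0.0/16 --next-hop-ip-address "$next_hop" --next-hop-type VirtualAppliance --route-table-name vnet2-subnet1 -n vnet1
# Vnet 3 may live in a second region (deployment option 2), hence the explicit location
az network route-table create --name vnet3-subnet1 -l westus2
az network vnet subnet update -n myVnet3Subnet1 --vnet-name myVnet3 --route-table vnet3-subnet1
az network route-table route create --address-prefix 10.1.0.0/16 --next-hop-ip-address "$next_hop" --next-hop-type VirtualAppliance --route-table-name vnet3-subnet1 -n vnet1
az network route-table route create --address-prefix 10.2.0.0/16 --next-hop-ip-address "$next_hop" --next-hop-type VirtualAppliance --route-table-name vnet3-subnet1 -n vnet2
az network route-table route create --address-prefix 10.3.0.0/16 --next-hop-ip-address "$next_hop" --next-hop-type VirtualAppliance --route-table-name vnet1-subnet1 -n vnet3
az network route-table route create --address-prefix 10.3.0.0/16 --next-hop-ip-address "$next_hop" --next-hop-type VirtualAppliance --route-table-name vnet2-subnet1 -n vnet3

# Verify effective routing (raw JSON, then one tab-separated line per route via jq)
az network nic show-effective-route-table -n myVnet3-vm1-nic
az network nic show-effective-route-table -n myVnet3-vm1-nic | jq -r '.value[] | "\(.addressPrefix)\t\(.nextHopIpAddress)\t\(.nextHopType)"'

# Configure ILB: put both NVA NICs in the internal LB backend pool, then list the pool
az network nic ip-config address-pool add --ip-config-name linuxnva-1-nic0-ipConfig --nic-name linuxnva-1-nic0 --address-pool linuxnva-slbBackend-int --lb-name linuxnva-slb-int
az network nic ip-config address-pool add --ip-config-name linuxnva-2-nic0-ipConfig --nic-name linuxnva-2-nic0 --address-pool linuxnva-slbBackend-int --lb-name linuxnva-slb-int
az network lb address-pool list --lb-name linuxnva-slb-int -o table --query '[].backendIpConfigurations[].id'

# NSG (to bring one of the firewalls out of the ILB rotation): a priority-100
# deny-all inbound rule on the first NVA's NIC NSG. Delete it again (last line)
# to put the NVA back.
az network nsg rule create --nsg-name linuxnva-1-nic0-nsg -n deny_all_in --priority 100 --access Deny --direction Inbound --protocol "*" --source-address-prefixes "*" --source-port-ranges "*" --destination-address-prefixes "*" --destination-port-ranges "*"
az network nsg rule list --nsg-name linuxnva-1-nic0-nsg -o table
az network nsg rule delete -n deny_all_in --nsg-name linuxnva-1-nic0-nsg

# Configure ELB (outbound NAT): add both NVA NICs to the external LB backend pool
az network nic ip-config address-pool add --ip-config-name linuxnva-1-nic0-ipConfig --nic-name linuxnva-1-nic0 --address-pool linuxnva-slbBackend-ext --lb-name linuxnva-slb-ext
az network nic ip-config address-pool add --ip-config-name linuxnva-2-nic0-ipConfig --nic-name linuxnva-2-nic0 --address-pool linuxnva-slbBackend-ext --lb-name linuxnva-slb-ext
az network lb address-pool list --lb-name linuxnva-slb-ext -o table --query '[].backendIpConfigurations[].id'
# Detach the NIC-level NSGs (the `show` calls confirm the association is gone).
# While detached the NICs have no NIC-level filtering, so re-attach them
# (two lines further down) as soon as the test is finished.
az network nic update -n linuxnva-1-nic0 --network-security-group ""
az network nic show -n linuxnva-1-nic0 --query networkSecurityGroup
az network nic update -n linuxnva-2-nic0 --network-security-group ""
az network nic show -n linuxnva-2-nic0 --query networkSecurityGroup
az network nic update -n linuxnva-1-nic0 --network-security-group 'linuxnva-1-nic0-nsg'
az network nic update -n linuxnva-2-nic0 --network-security-group 'linuxnva-2-nic0-nsg'
az network nsg rule list --nsg-name linuxnva-1-nic0-nsg -o table --include-default
# Allow TCP/80 inbound from the VirtualNetwork service tag only (not from Internet)
az network nsg rule create --nsg-name linuxnva-1-nic0-nsg -n allow_vnet_internet --priority 110 --access Allow --direction Inbound --protocol "Tcp" --source-address-prefix "VirtualNetwork" --source-port-ranges "*" --destination-address-prefixes "*" --destination-port-ranges "80-80"

# Additional tests (not in the lab guide)
# Delete/Recreate outbound NAT rule in the ELB
# You can use this to attach an ELB to a second NIC of an NVA
az network lb outbound-rule delete -g vnetTest --lb-name linuxnva-slb-ext -n myrule
az network lb rule create -g vnetTest --lb-name linuxnva-slb-ext -n mylbrule --frontend-ip-name myFrontendConfig --backend-pool-name linuxnva-slbBackend-ext --protocol All --frontend-port 0 --backend-port 0
# Create PIP/frontend/LB-rule in the external LB, and allow Internet SSH.
# This publishes SSH on the NVAs to the whole Internet (frontend 1022 -> backend
# 22, plus NSG allows on 22 from the Internet tag). Lab-only: narrow
# --source-address-prefix to your own address, or delete the rules, once the
# test is done.
az network public-ip create -g vnetTest -n linuxnva-slbPip-ext2 --sku Standard --allocation-method Static
az network lb frontend-ip create -g vnetTest -n myFrontendConfig2 --lb-name linuxnva-slb-ext --public-ip-address linuxnva-slbPip-ext2
az network lb rule create -g vnetTest --lb-name linuxnva-slb-ext -n mylbrule --frontend-ip-name myFrontendConfig2 --backend-pool-name linuxnva-slbBackend-ext --protocol Tcp --frontend-port 1022 --backend-port 22
az network nsg rule create --nsg-name linuxnva-1-nic0-nsg -n allow_ssh_in --priority 120 --access Allow --direction Inbound --protocol "Tcp" --source-address-prefix Internet --source-port-ranges "*" --destination-address-prefixes "*" --destination-port-ranges "22-22"
az network nsg rule create --nsg-name linuxnva-2-nic0-nsg -n allow_ssh_in --priority 120 --access Allow --direction Inbound --protocol "Tcp" --source-address-prefix Internet --source-port-ranges "*" --destination-address-prefixes "*" --destination-port-ranges "22-22"

# Remove LB from IP Config
lbname=linuxnva-slb-int
nic=linuxnva-1-nic0
az network nic ip-config address-pool remove -g vnetTest --ip-config-name "${nic}-ipConfig" --nic-name "$nic" --address-pool linuxnva-slbBackend-int --lb-name "$lbname"
az network lb address-pool list --lb-name "$lbname" -o table --query '[].backendIpConfigurations[].id'

########
# VMSS #
########
vmss_url='https://raw.githubusercontent.com/erjosito/azure-networking-lab/master/nvaLinux_1nic_noVnet_ScaleSet.json'
# Same lab password as the main deployment, passed through jq for correct escaping
params=$(jq -n --arg pw "$admin_password" '{vmPwd: {value: $pw}}')
az group deployment create -n vmssDeployment -g vnetTest --template-uri "$vmss_url" --parameters "$params"
az network lb outbound-rule create --lb-name linuxnva-vmss-slb-ext -n myoutboundnat --frontend-ip-configs myFrontendConfig --protocol All --idle-timeout 15 --outbound-ports 10000 --address-pool linuxnva-vmss-slbBackend-ext
# Repoint the routes at the VMSS ILB frontend (10.4.2.200).
# NOTE(review): the next two lines use route tables named `vnet1`/`vnet2`, while
# the tables created above are `vnet1-subnet1`/`vnet2-subnet1`; confirm the
# intended names against the template before relying on them.
az network route-table route update --route-table-name vnet1-subnet1 -n vnet1 --next-hop-ip-address 10.4.2.200 --next-hop-type VirtualAppliance
az network route-table route update --route-table-name vnet1 -n vnet2 --next-hop-ip-address 10.4.2.200 --next-hop-type VirtualAppliance
az network route-table route update --route-table-name vnet2 -n vnet1 --next-hop-ip-address 10.4.2.200 --next-hop-type VirtualAppliance
# Verify LB
az network lb address-pool list --lb-name linuxnva-vmss-slb-int -o table --query '[].backendIpConfigurations[].id'
az network lb address-pool list --lb-name linuxnva-vmss-slb-ext -o table --query '[].backendIpConfigurations[].id'
az network lb rule list --lb-name linuxnva-vmss-slb-int -o table
az network lb outbound-rule list --lb-name linuxnva-vmss-slb-ext -o table

############
# UDR #
############
# Update to single NVA: bypass the ILB and point every route at one NVA directly
next_hop=10.4.2.101
az network route-table route update --route-table-name vnet1-subnet1 -n vnet1-subnet1 --next-hop-ip-address "$next_hop" --next-hop-type VirtualAppliance
az network route-table route update --route-table-name vnet1-subnet1 -n vnet2 --next-hop-ip-address "$next_hop" --next-hop-type VirtualAppliance
az network route-table route update --route-table-name vnet1-subnet1 -n vnet3 --next-hop-ip-address "$next_hop" --next-hop-type VirtualAppliance
az network route-table route update --route-table-name vnet2-subnet1 -n default --next-hop-ip-address "$next_hop" --next-hop-type VirtualAppliance
az network route-table route update --route-table-name vnet2-subnet1 -n vnet1 --next-hop-ip-address "$next_hop" --next-hop-type VirtualAppliance
az network route-table route update --route-table-name vnet2-subnet1 -n vnet3 --next-hop-ip-address "$next_hop" --next-hop-type VirtualAppliance
az network route-table route update --route-table-name vnet3-subnet1 -n vnet1 --next-hop-ip-address "$next_hop" --next-hop-type VirtualAppliance
az network route-table route update --route-table-name vnet3-subnet1 -n vnet2 --next-hop-ip-address "$next_hop" --next-hop-type VirtualAppliance

############
# VPN #
############
# BGP-enabled VPN gateways in vnet4/vnet5 with distinct ASNs
az network vnet-gateway create --name vnet4Gw --vnet myVnet4 --public-ip-addresses vnet4gwPip --sku VpnGw1 --asn 65504
az network vnet-gateway create --name vnet5Gw --vnet myVnet5 --public-ip-addresses vnet5gwPip --sku VpnGw1 --asn 65505
az network route-table route update --next-hop-ip-address 10.4.0.4 --route-table-name vnet1-subnet1 -n vnet2
az network route-table route update --next-hop-ip-address 10.4.0.4 --route-table-name vnet2-subnet1 -n vnet1
# Both directions of the connection must use the same pre-shared key
az network vpn-connection create -n 4to5 --vnet-gateway1 vnet4gw --enable-bgp --shared-key "$vpn_shared_key" --vnet-gateway2 vnet5gw
az network vpn-connection create -n 5to4 --vnet-gateway1 vnet5gw --enable-bgp --shared-key "$vpn_shared_key" --vnet-gateway2 vnet4gw
# Gateway transit: vnet4 offers its gateway, vnets 1-3 consume it over the peerings
az network vnet peering update --vnet-name myVnet4 -g vnetTest --name LinkTomyVnet1 --set allowGatewayTransit=true
az network vnet peering update --vnet-name myVnet4 -g vnetTest --name LinkTomyVnet2 --set allowGatewayTransit=true
az network vnet peering update --vnet-name myVnet4 -g vnetTest --name LinkTomyVnet3 --set allowGatewayTransit=true
az network vnet peering update --vnet-name myVnet1 -g vnetTest --name LinkTomyVnet4 --set useRemoteGateways=true
az network vnet peering update --vnet-name myVnet2 -g vnetTest --name LinkTomyVnet4 --set useRemoteGateways=true
az network vnet peering update --vnet-name myVnet3 -g vnetTest --name LinkTomyVnet4 --set useRemoteGateways=true

############
# iptables #
############
# Run on the Linux NVA itself (not on the CLI host). Replaces the unconditional
# MASQUERADE on eth0 with one that leaves 10.0.0.0/8 sources untranslated, so
# only non-internal traffic is NATed.
sudo iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
sudo iptables -t nat -A POSTROUTING -o eth0 ! -s 10.0.0.0/255.0.0.0 -j MASQUERADE

#########
# OTHER #
#########
# Deploy standard ELB
lburl='https://raw.githubusercontent.com/erjosito/azure-networking-lab/master/externalLB_standard.json'
az group deployment create -n elbDeploy -g vnetTest --template-uri "$lburl"

############
# Clean up #
############
# Deletes the whole lab resource group without prompting and returns immediately
az group delete -n vnetTest -y --no-wait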