From ccb087e6c41c30a1d053f61e082ecdc8e15b709b Mon Sep 17 00:00:00 2001 From: Jorge Cotillo Date: Wed, 17 Apr 2019 11:09:30 -0700 Subject: [PATCH] added palo-alto test archetype (#33) --- .../archetype.palo-alto.test.json | 868 ++++++++++++++++++ .../shared-services/archetype.test.json | 10 +- 2 files changed, 870 insertions(+), 8 deletions(-) create mode 100644 archetypes/shared-services/archetype.palo-alto.test.json diff --git a/archetypes/shared-services/archetype.palo-alto.test.json b/archetypes/shared-services/archetype.palo-alto.test.json new file mode 100644 index 000000000..060356ecf --- /dev/null +++ b/archetypes/shared-services/archetype.palo-alto.test.json @@ -0,0 +1,868 @@ +{ + "general": { + "organization-name": "org", + "tenant-id": "00000000-0000-0000-0000-000000000000", + "deployment-user-id": "00000000-0000-0000-0000-000000000000", + "vdc-storage-account-name": "storage", + "vdc-storage-account-rg": "vdc-storage-rg", + "on-premises": { + "deployment-name": "onprem", + "subscription-id": "00000000-0000-0000-0000-000000000000", + "region": "Central US", + "active-directory": { + "AD-sitename": "Cloud-Site", + "domain-admin-user": "contoso", + "domain-name": "contoso.com" + } + }, + "shared-services": { + "deployment-name": "ssvcs", + "subscription-id": "00000000-0000-0000-0000-000000000000", + "region": "Central US", + "vm-configuration": { + "local-admin-user": "admin-user", + "enable-encryption": false, + "encryption-keys-for": [] + }, + "keyvault": { + "secrets": [ + { + "secretName": "${general.shared-services.vm-configuration.local-admin-user}", + "secretValue": "" + }, + { + "secretName": "${general.on-premises.active-directory.domain-admin-user}", + "secretValue": "" + }, + { + "secretName": "self-certificate-base64", + "secretValue": "" + }, + { + "secretName": "self-certificate-password", + "secretValue": "" + } + ] + }, + "log-analytics": { + "region": "West US 2" + }, + "paloalto-storage-resource-group-name": "${general.organization-name}-${shared-services.deployment-name}-paloalto-storage-rg" + }, + "custom-script": { + "bash-result": "", + "pwsh-result": "" + } + }, + "orchestration": { + "modules-to-deploy": [ + "la", + "nsg", + "shared-services-net", + "vgw", + "vgw-connection", + "onprem-vgw-connection", + "kv", + "palo-alto-storage", + "custom-script-palo-alto-bootstrap-0", + "custom-script-palo-alto-bootstrap-1", + "palo-alto-egress-nva", + "custom-script-palo-alto-bootstrap-2", + "palo-alto-udr", + "palo-alto-ingress-nva", + "jb", + "adds" + ], + "module-validation-dependencies": [ + "kv" + ], + "module-configuration": { + "import-modules": "file(modules)", + "custom-scripts": "file(scripts)", + "modules": [ + { + "module": "la", + "source": { + "version": "1.0", + "template-path": "file(modules/la/1.0)", + "parameters-path": "file(modules/la/1.0)", + "policy-path": "file(modules/la/1.0)" + }, + "dependencies": [] + }, + { + "module": "shared-services-net", + "resource-group-name": "${general.organization-name}-${shared-services.deployment-name}-net-rg", + "source": { + "version": "1.0" + }, + "dependencies": [ + "nsg" + ] + }, + { + "module": "nsg", + "resource-group-name": "${general.organization-name}-${shared-services.deployment-name}-net-rg", + "source": { + "version": "latest" + }, + "dependencies": [ + "la" + ] + }, + { + "module": "vgw", + "resource-group-name": "${general.organization-name}-${shared-services.deployment-name}-net-rg", + "source": { + "version": "1.0" + }, + "dependencies": [ + "shared-services-net" + ] + }, + { + "module": "vgw-connection", + "resource-group-name": "${general.organization-name}-${shared-services.deployment-name}-net-rg", + "source": { + "version": "1.0" + }, + "dependencies": [ + "shared-services-net", + "vgw" + ] + }, + { + "module": "onprem-vgw-connection", + "resource-group-name": "${general.organization-name}-${shared-services.deployment-name}-net-rg", + "source": { + "version": "1.0" + }, + "dependencies": [ + "shared-services-net" + ] + }, + { + "module": "azure-fw", + "resource-group-name": "${general.organization-name}-${shared-services.deployment-name}-net-rg", + "source": { + "version": "1.0" + }, + "dependencies": [ + "shared-services-net", + "la" + ] + }, + { + "module": "custom-script-palo-alto-bootstrap-0", + "type": "bash", + "command": "chmod +x scripts/palo-alto/create-bootstrap.sh", + "dependencies": [] + }, + { + "module": "custom-script-palo-alto-bootstrap-1", + "type": "bash", + "command": "scripts/palo-alto/create-bootstrap.sh '${shared-services.paloalto-storage-resource-group-name}' ${general.shared-services.subscription-id} 'fwpaloalto/ingress/config' 'scripts/palo-alto/ingress/bootstrap.xml' 'fwpaloalto/egress/config' 'scripts/palo-alto/egress/bootstrap.xml' 'scripts/palo-alto/init-cfg.txt'", + "dependencies": [ + "custom-script-palo-alto-bootstrap-0" + ] + }, + { + "module": "palo-alto-storage", + "resource-group-name": "${shared-services.paloalto-storage-resource-group-name}", + "source": { + "version": "1.0" + }, + "dependencies": [ + "custom-script-palo-alto-bootstrap-1" + ] + }, + { + "module": "palo-alto-ingress-nva", + "resource-group-name": "${general.organization-name}-${shared-services.deployment-name}-paloalto-ingress-rg", + "source": { + "version": "1.0" + }, + "dependencies": [ + "kv", + "shared-services-net", + "palo-alto-storage" + ] + }, + { + "module": "custom-script-palo-alto-bootstrap-2", + "type": "bash", + "command": "sleep 120", + "dependencies": [] + }, + { + "module": "palo-alto-egress-nva", + "resource-group-name": "${general.organization-name}-${shared-services.deployment-name}-paloalto-egress-rg", + "source": { + "version": "1.0" + }, + "dependencies": [ + "kv", + "shared-services-net", + "palo-alto-storage" + ] + }, + { + "module": "palo-alto-udr", + "resource-group-name": "${general.organization-name}-${shared-services.deployment-name}-net-rg", + "source": { + "version": "1.0" + }, + "dependencies": [ + "palo-alto-egress-nva", + "custom-script-palo-alto-bootstrap-2" + ] + }, + { + "module": "kv", + "resource-group-name": "${general.organization-name}-${shared-services.deployment-name}-kv-rg", + "source": { + "version": "1.0" + }, + "dependencies": [ + "la" + ] + }, + { + "module": "adds", + "source": { + "version": "1.0" + }, + "dependencies": [ + "kv", + "shared-services-net", + "la" + ] + }, + { + "module": "jb", + "source": { + "version": "1.0" + }, + "dependencies": [ + "kv", + "shared-services-net", + "la" + ] + }, + { + "module": "ubuntu-nva", + "source": { + "version": "1.0" + }, + "dependencies": [ + "kv", + "shared-services-net" + ] + } + ] + } + }, + "on-premises": { + "subscription-id": "${general.on-premises.subscription-id}", + "deployment-name": "${general.on-premises.deployment-name}", + "region": "${general.on-premises.region}", + "network": { + "address-prefix": "192.168.1.0/28", + "resource-group-name": "${general.organization-name}-${on-premises.deployment-name}-net-rg", + "virtual-gateway": { + "gateway-name": "${general.organization-name}-${on-premises.deployment-name}-gw" + } + }, + "active-directory": { + "AD-sitename": "${general.on-premises.active-directory.AD-sitename}", + "domain-admin-user": "${general.on-premises.active-directory.domain-admin-user}", + "domain-name": "${general.on-premises.active-directory.domain-name}", + "primaryDC-IP": "192.168.1.4" + }, + "allow-rdp-address-range": "192.168.1.4" + }, + "shared-services": { + "subscription-id": "${general.shared-services.subscription-id}", + "deployment-name": "${general.shared-services.deployment-name}", + "region": "${general.shared-services.region}", + "adds": { + "vm-ip-address-start": "10.4.0.46" + }, + "vm-configuration": { + "local-admin-user": "${general.shared-services.vm-configuration.local-admin-user}", + "enable-encryption": "${general.shared-services.vm-configuration.enable-encryption}", + "encryption-keys-for": "${general.shared-services.vm-configuration.encryption-keys-for}" + }, + "log-analytics": { + "region": "${general.shared-services.log-analytics.region}" + }, + "paloalto-storage-resource-group-name": "${general.shared-services.paloalto-storage-resource-group-name}", + "keyvault": "${general.shared-services.keyvault}", + "network": { + "enable-ddos-protection": false, + "address-prefix": "10.4.0.0/23", + "network-virtual-appliance": { + "egress-ip": "${shared-services.network.network-virtual-appliance.palo-alto.egress.ip}", + "azure-firewall": { + "egress": { + "ip": "10.4.1.4" + } + }, + "palo-alto": { + "ingress": { + "vm-ip-address-start": "10.4.0.60" + }, + "egress": { + "ip": "10.4.0.101", + "vm-ip-address-start": "10.4.0.41" + }, + "image": { + "offer": "vmseries1", + "publisher": "paloaltonetworks", + "sku": "bundle2", + "version": "latest" + }, + "enable-bootstrap": true + }, + "custom-ubuntu": { + "egress": { + "ip": "10.4.0.20", + "vm-ip-address-start": "10.4.0.5" + } + } + }, + "virtual-gateway": { + "gateway-type": "vpn", + "gateway-sku": "VpnGw1", + "vpn-type": "RouteBased" + }, + "application-security-groups": [ + { + "name": "dc" + }, + { + "name": "jb" + }, + { + "name": "mgmt" + }, + { + "name": "trust" + }, + { + "name": "untrust" + } + ], + "network-security-groups": [ + { + "name": "sharedsvcs", + "rules": [ + { + "name": "allow-tcp-between-adds", + "properties": { + "access": "Allow", + "destinationAddressPrefixes": [], + "destinationAddressPrefix": "", + "destinationPortRange": "", + "destinationPortRanges": [ + "389", + "42", + "88", + "636", + "3268", + "3269", + "445", + "25", + "135", + "5722", + "464", + "9389", + "139", + "53", + "49152-65535" + ], + "direction": "Inbound", + "priority": 100, + "protocol": "Tcp", + "sourceAddressPrefix": "", + "sourcePortRange": "*", + "sourcePortRanges": [], + "destinationApplicationSecurityGroups": [ + { + "name": "${shared-services.network.application-security-groups[0].name}" + } + ], + "sourceApplicationSecurityGroups": [ + { + "name": "${shared-services.network.application-security-groups[0].name}" + } + ] + } + }, + { + "name": "allow-udp-between-adds", + "properties": { + "access": "Allow", + "destinationAddressPrefixes": [], + "destinationAddressPrefix": "", + "destinationPortRange": "", + "destinationPortRanges": [ + "389", + "88", + "445", + "123", + "464", + "138", + "137", + "53", + "49152-65535" + ], + "destinationApplicationSecurityGroups": [ + { + "name": "${shared-services.network.application-security-groups[0].name}" + } + ], + "direction": "Inbound", + "priority": 110, + "protocol": "Udp", + "sourceAddressPrefix": "", + "sourcePortRange": "*", + "sourcePortRanges": [], + "sourceApplicationSecurityGroups": [ + { + "name": "${shared-services.network.application-security-groups[0].name}" + } + ] + } + }, + { + "name": "allow-tcp-ad", + "properties": { + "access": "Allow", + "destinationAddressPrefixes": [], + "destinationAddressPrefix": "", + "destinationPortRange": "", + "destinationPortRanges": [ + "389", + "42", + "88", + "636", + "3268", + "3269", + "445", + "25", + "135", + "5722", + "464", + "9389", + "139", + "53", + "49152-65535" + ], + "direction": "Inbound", + "priority": 120, + "protocol": "Tcp", + "sourceAddressPrefix": "${on-premises.active-directory.primaryDC-IP}", + "sourcePortRange": "*", + "sourcePortRanges": [], + "destinationApplicationSecurityGroups": [ + { + "name": "${shared-services.network.application-security-groups[0].name}" + } + ], + "sourceApplicationSecurityGroups": [] + } + }, + { + "name": "allow-udp-ad", + "properties": { + "access": "Allow", + "destinationAddressPrefixes": [], + "destinationAddressPrefix": "", + "destinationPortRange": "", + "destinationPortRanges": [ + "389", + "88", + "445", + "123", + "464", + "138", + "137", + "53", + "49152-65535" + ], + "direction": "Inbound", + "priority": 130, + "protocol": "Udp", + "sourceAddressPrefix": "${on-premises.active-directory.primaryDC-IP}", + "sourcePortRange": "*", + "sourcePortRanges": [], + "destinationApplicationSecurityGroups": [ + { + "name": "${shared-services.network.application-security-groups[0].name}" + } + ], + "sourceApplicationSecurityGroups": [] + } + }, + { + "name": "allow-rdp-into-dc", + "properties": { + "access": "Allow", + "destinationAddressPrefixes": [], + "destinationAddressPrefix": "", + "destinationPortRange": "3389", + "destinationPortRanges": [], + "direction": "Inbound", + "priority": 140, + "protocol": "TCP", + "sourceAddressPrefix": "", + "sourcePortRange": "*", + "sourcePortRanges": [], + "destinationApplicationSecurityGroups": [ + { + "name": "${shared-services.network.application-security-groups[0].name}" + } + ], + "sourceApplicationSecurityGroups": [ + { + "name": "${shared-services.network.application-security-groups[1].name}" + } + ] + } + }, + { + "name": "allow-rdp-ssh-into-jb", + "properties": { + "access": "Allow", + "destinationAddressPrefixes": [], + "destinationAddressPrefix": "", + "destinationPortRanges": [ + "3389", + "22" + ], + "destinationPortRange": "", + "direction": "Inbound", + "priority": 150, + "protocol": "TCP", + "sourceAddressPrefix": "${on-premises.network.address-prefix}", + "sourcePortRange": "*", + "sourcePortRanges": [], + "destinationApplicationSecurityGroups": [ + { + "name": "${shared-services.network.application-security-groups[1].name}" + } + ], + "sourceApplicationSecurityGroups": [] + } + }, + { + "name": "allow-tcp-vnet-adds", + "properties": { + "access": "Allow", + "destinationAddressPrefixes": [], + "destinationAddressPrefix": "", + "destinationPortRanges": [ + "389", + "42", + "88", + "636", + "3268", + "3269", + "445", + "25", + "135", + "5722", + "464", + "9389", + "139", + "53", + "49152-65535" + ], + "destinationPortRange": "", + "direction": "Inbound", + "priority": 160, + "protocol": "TCP", + "sourceAddressPrefix": "VirtualNetwork", + "sourcePortRange": "*", + "sourcePortRanges": [], + "destinationApplicationSecurityGroups": [ + { + "name": "${shared-services.network.application-security-groups[0].name}" + } + ], + "sourceApplicationSecurityGroups": [] + } + }, + { + "name": "allow-udp-vnet-adds", + "properties": { + "access": "Allow", + "destinationAddressPrefixes": [], + "destinationAddressPrefix": "", + "destinationPortRanges": [ + "389", + "88", + "445", + "123", + "464", + "138", + "137", + "53", + "49152-65535" + ], + "destinationPortRange": "", + "direction": "Inbound", + "priority": 170, + "protocol": "UDP", + "sourceAddressPrefix": "VirtualNetwork", + "sourcePortRange": "*", + "sourcePortRanges": [], + "destinationApplicationSecurityGroups": [ + { + "name": "${shared-services.network.application-security-groups[0].name}" + } + ], + "sourceApplicationSecurityGroups": [] + } + }, + { + "name": "allow-http-and-ssh-into-palo-alto", + "properties": { + "access": "Allow", + "destinationAddressPrefixes": [], + "destinationAddressPrefix": "", + "destinationPortRanges": [ + "443", + "22" + ], + "destinationPortRange": "", + "direction": "Inbound", + "priority": 180, + "protocol": "TCP", + "sourceAddressPrefix": "", + "sourcePortRange": "*", + "sourcePortRanges": [], + "destinationApplicationSecurityGroups": [ + { + "name": "${shared-services.network.application-security-groups[2].name}" + } + ], + "sourceApplicationSecurityGroups": [ + { + "name": "${shared-services.network.application-security-groups[1].name}" + } + ] + } + }, + { + "name": "deny-vnet", + "properties": { + "access": "Deny", + "destinationAddressPrefix": "VirtualNetwork", + "destinationAddressPrefixes": [], + "destinationPortRange": "*", + "destinationPortRanges": [], + "direction": "Inbound", + "priority": 4096, + "protocol": "*", + "sourceAddressPrefix": "VirtualNetwork", + "sourcePortRange": "*", + "sourcePortRanges": [], + "destinationApplicationSecurityGroups": [], + "sourceApplicationSecurityGroups": [] + } + }, + { + "name": "allow-vnet", + "properties": { + "access": "Allow", + "destinationAddressPrefix": "*", + "destinationAddressPrefixes": [], + "destinationPortRange": "*", + "destinationPortRanges": [], + "direction": "Outbound", + "priority": 100, + "protocol": "*", + "sourceAddressPrefix": "VirtualNetwork", + "sourcePortRange": "*", + "sourcePortRanges": [], + "destinationApplicationSecurityGroups": [], + "sourceApplicationSecurityGroups": [] + } + } + ] + }, + { + "name": "trust", + "rules": [ + { + "name": "allow-vnet-inbound", + "properties": { + "access": "Allow", + "destinationAddressPrefix": "VirtualNetwork", + "destinationAddressPrefixes": [], + "destinationPortRange": "*", + "destinationPortRanges": [], + "direction": "Inbound", + "priority": 100, + "protocol": "*", + "sourceAddressPrefix": "VirtualNetwork", + "sourcePortRange": "*", + "sourcePortRanges": [], + "destinationApplicationSecurityGroups": [], + "sourceApplicationSecurityGroups": [] + } + }, + { + "name": "allow-loadbalancer", + "properties": { + "access": "Allow", + "destinationAddressPrefix": "VirtualNetwork", + "destinationAddressPrefixes": [], + "destinationPortRange": "*", + "destinationPortRanges": [], + "direction": "Inbound", + "priority": 110, + "protocol": "*", + "sourceAddressPrefix": "AzureLoadBalancer", + "sourcePortRange": "*", + "sourcePortRanges": [], + "destinationApplicationSecurityGroups": [], + "sourceApplicationSecurityGroups": [] + } + }, + { + "name": "allow-internet", + "properties": { + "access": "Allow", + "destinationAddressPrefix": "*", + "destinationAddressPrefixes": [], + "destinationPortRange": "*", + "destinationPortRanges": [], + "direction": "Inbound", + "priority": 120, + "protocol": "*", + "sourceAddressPrefix": "VirtualNetwork", + "sourcePortRange": "*", + "sourcePortRanges": [], + "destinationApplicationSecurityGroups": [], + "sourceApplicationSecurityGroups": [] + } + }, + { + "name": "allow-vnet-outbound", + "properties": { + "access": "Allow", + "destinationAddressPrefix": "*", + "destinationAddressPrefixes": [], + "destinationPortRange": "*", + "destinationPortRanges": [], + "direction": "Outbound", + "priority": 100, + "protocol": "*", + "sourceAddressPrefix": "VirtualNetwork", + "sourcePortRange": "*", + "sourcePortRanges": [], + "destinationApplicationSecurityGroups": [], + "sourceApplicationSecurityGroups": [] + } + } + ] + }, + { + "name": "dmz", + "rules": [ + { + "name": "allow-vnet", + "properties": { + "access": "Allow", + "destinationAddressPrefix": "*", + "destinationAddressPrefixes": [], + "destinationPortRange": "*", + "destinationPortRanges": [], + "direction": "Inbound", + "priority": 100, + "protocol": "*", + "sourceAddressPrefix": "VirtualNetwork", + "sourcePortRange": "*", + "sourcePortRanges": [], + "destinationApplicationSecurityGroups": [], + "sourceApplicationSecurityGroups": [] + } + } + ] + } + ], + "user-defined-routes": [ + { + "name": "sharedsvcs", + "routes": [ + { + "name": "default", + "properties": { + "addressPrefix": "0.0.0.0/0", + "nextHopIpAddress": "${shared-services.network.network-virtual-appliance.egress-ip}", + "nextHopType": "VirtualAppliance" + } + }, + { + "name": "to-on-premises", + "properties": { + "addressPrefix": "${on-premises.network.address-prefix}", + "nextHopType": "VirtualNetworkGateway" + } + } + ] + } + ], + "subnets": [ + { + "name": "sharedsvcs", + "address-prefix": "10.4.0.32/27", + "network-security-group": "${shared-services.network.network-security-groups[0].name}", + "user-defined-route": "${shared-services.network.user-defined-routes[0].name}", + "service-endpoints": [] + }, + { + "name": "trust", + "address-prefix": "10.4.0.96/28", + "network-security-group": "${shared-services.network.network-security-groups[1].name}", + "user-defined-route": "", + "service-endpoints": [] + }, + { + "name": "dmz", + "address-prefix": "10.4.0.0/27", + "network-security-group": "${shared-services.network.network-security-groups[2].name}", + "user-defined-route": "", + "service-endpoints": [] + }, + { + "name": "AppGateway", + "address-prefix": "10.4.0.64/27", + "network-security-group": "", + "user-defined-route": "", + "service-endpoints": [] + }, + { + "name": "AzureFirewallSubnet", + "address-prefix": "10.4.1.0/25", + "network-security-group": "", + "user-defined-route": "", + "service-endpoints": [] + }, + { + "name": "GatewaySubnet", + "address-prefix": "10.4.0.128/27", + "network-security-group": "", + "user-defined-route": "", + "service-endpoints": [] + } + ], + "dns-servers": [ + "${shared-services.adds.vm-ip-address-start}" + ] + } + } +} \ No newline at end of file diff --git a/archetypes/shared-services/archetype.test.json b/archetypes/shared-services/archetype.test.json index 060356ecf..7c4aa5c41 100644 --- a/archetypes/shared-services/archetype.test.json +++ b/archetypes/shared-services/archetype.test.json @@ -63,13 +63,7 @@ "vgw-connection", "onprem-vgw-connection", "kv", - "palo-alto-storage", - "custom-script-palo-alto-bootstrap-0", - "custom-script-palo-alto-bootstrap-1", - "palo-alto-egress-nva", - "custom-script-palo-alto-bootstrap-2", - "palo-alto-udr", - "palo-alto-ingress-nva", + "azure-fw", "jb", "adds" ], @@ -302,7 +296,7 @@ "enable-ddos-protection": false, "address-prefix": "10.4.0.0/23", "network-virtual-appliance": { - "egress-ip": "${shared-services.network.network-virtual-appliance.palo-alto.egress.ip}", + "egress-ip": "${shared-services.network.network-virtual-appliance.azure-firewall.egress.ip}", "azure-firewall": { "egress": { "ip": "10.4.1.4"