#!/bin/bash
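#######################################
# Print the invocation synopsis to stderr and abort.
# Arguments: none (uses $0 for the script name)
# Outputs:   usage line on stderr
# Returns:   never returns; exits with status 1
#######################################
usage() {
  # printf instead of echo so the text is emitted verbatim; "regon" typo fixed.
  printf 'Usage: %s -g <string group name> -l <string azure region>\n' "$0" 1>&2
  exit 1
}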
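#######################################
# Print a horizontal rule of '=' characters as wide as the terminal.
# No trailing newline is emitted (the original relied on the terminal wrapping
# after a full-width line), so callers print their own newline afterwards.
# Globals:   COLUMNS (read, fallback width when tput cannot query a terminal)
# Outputs:   the rule on stdout
# Returns:   0
#######################################
strip() {
  local cols
  # tput fails when stdout is not a terminal (CI logs, redirected output) or
  # TERM is unset; the original then printed nothing. Fall back to $COLUMNS or
  # a conventional 80 so the separator is still visible in captured output.
  cols=$(tput cols 2>/dev/null) || cols=${COLUMNS:-80}
  [[ "$cols" =~ ^[0-9]+$ ]] || cols=80
  printf '%*s' "$cols" '' | tr ' ' '='
}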
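# Abort on the first failed az call: every later step depends on resources
# created earlier, so continuing only produces confusing secondary errors.
set -euo pipefail

### Topology constants ###
# Kept in one place so the addresses referenced from several commands (route
# table next hop, firewall ip-config, LB front end, outbound rule sources)
# cannot drift apart when one of them is edited.
readonly VNET_PREFIX='10.1.0.0/16'
readonly FW_SUBNET_PREFIX='10.1.1.0/24'
readonly FW_PRIVATE_IP='10.1.1.4'
readonly APP_SUBNET_PREFIX='10.1.2.0/24'
readonly LB_PRIVATE_IP='10.1.2.20'
# Azure storage account names: 3-24 chars, lowercase letters and digits only.
readonly STORAGE_NAME_MAX=24

### Arguments ###
# -g resource group name (also used as the prefix for every resource name)
# -l Azure region
NAME=''
LOCATION=''
while getopts 'g:l:' option; do
  case "${option}" in
    g) NAME=${OPTARG} ;;
    l) LOCATION=${OPTARG} ;;
    *) usage ;;
  esac
done
if [[ -z "$NAME" || -z "$LOCATION" ]]; then
  usage
fi

# Derive the storage account name from the group name: drop everything that is
# not alphanumeric, lowercase it, truncate so the 1-5 digit $RANDOM suffix still
# fits within the 24-char limit, then append the suffix for global uniqueness.
# $RANDOM is only a collision avoider here, not a secret.
storage_base=$(printf '%s' "$NAME" | tr -cd '[:alnum:]' | tr '[:upper:]' '[:lower:]')
STORAGE="${storage_base:0:$((STORAGE_NAME_MAX - 5))}${RANDOM}"
readonly STORAGE

printf 'Deploying: %s\n' "$NAME"
printf 'To region: %s\n' "$LOCATION"
printf 'Stor Acct: %s\n' "$STORAGE"
strip

### Resource Group ###
echo 'creating group...'
az group create -l "$LOCATION" -n "$NAME"

### Networking ###
strip
echo NETWORK
strip
echo 'creating vnet...'
az network vnet create -n "$NAME-VNet" -g "$NAME" \
  --address-prefixes "$VNET_PREFIX" \
  --subnet-name App --subnet-prefixes "$APP_SUBNET_PREFIX"
echo 'creating route table...'
az network route-table create -g "$NAME" -n "$NAME-RT"
echo 'creating route entry...'
# Default route: all App-subnet egress goes to the firewall's private IP, so the
# outbound application rules below are the only path from the app to the Internet.
az network route-table route create -g "$NAME" -n "$NAME-FWROUTE" \
  --address-prefix 0.0.0.0/0 --next-hop-type VirtualAppliance \
  --route-table-name "$NAME-RT" --next-hop-ip-address "$FW_PRIVATE_IP"
echo 'creating firewall subnet...'
# Azure Firewall requires its subnet to be named exactly AzureFirewallSubnet.
az network vnet subnet create -g "$NAME" -n AzureFirewallSubnet \
  --vnet-name "$NAME-VNet" --address-prefixes "$FW_SUBNET_PREFIX"
echo 'creating app subnet...'
# The App subnet already exists from 'vnet create'; this re-issues it with the
# route table attached (presumably relying on subnet create acting as an update).
az network vnet subnet create -g "$NAME" -n App \
  --vnet-name "$NAME-VNet" --address-prefixes "$APP_SUBNET_PREFIX" \
  --route-table "$NAME-RT"
echo 'creating firewall public ip...'
az network public-ip create -g "$NAME" -n "$NAME-FWIP" --sku Standard
echo 'creating nsg...'
az network nsg create -g "$NAME" -n "$NAME-NSG"

### Firewall ###
strip
echo FIREWALL
strip
echo 'create firewall...'
az network firewall create -g "$NAME" -n "$NAME-FW"
echo 'create firewall ip-config...'
az network firewall ip-config create -g "$NAME" -n "$NAME-IPConf" --firewall-name "$NAME-FW" \
  --public-ip-address "$NAME-FWIP" --private-ip-address "$FW_PRIVATE_IP" --vnet-name "$NAME-VNet"

### Load Balancer ###
strip
echo 'LOAD BALANCER'
strip
echo 'create internal lb...'
az network lb create -g "$NAME" -n "$NAME-AppLB" \
  --frontend-ip-name loadBalancerFrontEnd \
  --private-ip-address "$LB_PRIVATE_IP" \
  --backend-pool-name "$NAME-AppLBBEPool" \
  --vnet-name "$NAME-VNet" \
  --subnet App \
  --sku Basic
echo 'creating app probe...'
az network lb probe create -g "$NAME" --lb-name "$NAME-AppLB" -n App-Probe \
  --protocol http --port 80 --path /
echo 'creating lb rule...'
az network lb rule create -g "$NAME" --lb-name "$NAME-AppLB" -n App-Rule --protocol Tcp \
  --frontend-ip-name loadBalancerFrontEnd --frontend-port 80 \
  --backend-pool-name "$NAME-AppLBBEPool" --backend-port 80

### Application ###
strip
echo APPLICATION
strip
echo 'creating scale set...'
# The '@path' form makes az read the public key from the file; the literal '~'
# is left for az to expand, exactly as the unquoted original did.
az vmss create -g "$NAME" -n "$NAME-App" \
  --image UbuntuLTS --instance-count 2 --upgrade-policy-mode Automatic --vm-sku Standard_B1s \
  --ssh-key-value '@~/.ssh/id_rsa.pub' --lb "$NAME-AppLB" \
  --subnet App --vnet-name "$NAME-VNet" --nsg "$NAME-NSG"
echo 'creating storage account...'
az storage account create -n "$STORAGE" -g "$NAME" --kind StorageV2 --sku Standard_LRS
echo 'adding inbound NAT rule...'
# tsv output returns the bare value, replacing the former json + tr quote-stripping.
FIREWALLIP=$(az network public-ip show -g "$NAME" -n "$NAME-FWIP" --query ipAddress --output tsv)
LBIP=$(az network lb show -g "$NAME" -n "$NAME-AppLB" \
  --query 'frontendIpConfigurations[0].privateIpAddress' --output tsv)
# An empty address here would create a NAT rule pointing nowhere (or az would
# fail with an unhelpful message), so stop before touching the firewall policy.
if [[ -z "$FIREWALLIP" || -z "$LBIP" ]]; then
  printf 'could not resolve firewall public IP (%s) or LB private IP (%s)\n' \
    "$FIREWALLIP" "$LBIP" >&2
  exit 1
fi
# Publishes TCP/80 on the firewall's public IP to every source address and
# DNATs it to the internal LB. This is intentionally Internet-facing; narrow
# --source-addresses if the app is not meant to be public.
az network firewall nat-rule create -g "$NAME" -f "$NAME-FW" -n App -c InboundAppRules \
  --action Dnat --priority 200 --destination-addresses "$FIREWALLIP" --destination-ports 80 \
  --translated-address "$LBIP" --translated-port 80 \
  --source-addresses "*" --protocols TCP --description "inbound nat rule to app"
echo 'adding Azure storage rule...'
# Outbound from the app subnet is allow-listed by FQDN: Azure Blob storage over
# HTTPS only.
az network firewall application-rule create -g "$NAME" -f "$NAME-FW" -n AzureStorage -c OutboundAppRules \
  --action Allow --priority 200 --source-addresses "$APP_SUBNET_PREFIX" --protocols "Https=443" \
  --target-fqdns "*.blob.core.windows.net" --description "outbound rule from app to azure storage"
echo 'adding Ubuntu apt repo rule...'
# No --action/--priority here: the rule is added to the OutboundAppRules
# collection created by the previous command and inherits its settings.
az network firewall application-rule create -g "$NAME" -f "$NAME-FW" -n Ubuntu -c OutboundAppRules \
  --source-addresses "$APP_SUBNET_PREFIX" --protocols "Https=443" "Http=80" \
  --target-fqdns "*.ubuntu.com" --description "outbound rule from app to ubuntu apt repo"

### Done ###
strip
printf 'Firewall IP : %s\n' "$FIREWALLIP"
printf 'Balancer IP : %s\n' "$LBIP"
# Scale set name matches the one created above ("$NAME-App"; was "-APP").
# tsv output is one IP per line; join them onto a single line as before.
INSTANCE_IPS=$(az vmss nic list -g "$NAME" --vmss-name "$NAME-App" \
  --query '[].[ipConfigurations[0].privateIpAddress]' --output tsv)
printf 'Instance IPs: %s\n' "${INSTANCE_IPS//$'\n'/ }"
echo
echo 'Done!'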