diff --git a/Building a Secure Service Fabric Cluster: Enabling Storage Account Access from Existing VNET with Firewall Configuration/AzureDeploy.Parameters.json.json b/Building a Secure Service Fabric Cluster: Enabling Storage Account Access from Existing VNET with Firewall Configuration/AzureDeploy.Parameters.json.json new file mode 100644 index 0000000..88621c5 --- /dev/null +++ b/Building a Secure Service Fabric Cluster: Enabling Storage Account Access from Existing VNET with Firewall Configuration/AzureDeploy.Parameters.json.json 
@@ -0,0 +1,129 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "clusterLocation": { + "value": "westus" + }, + "clusterName": { + "value": "GEN-UNIQUE" + }, + "nt0applicationStartPort": { + "value": 20000 + }, + "nt0applicationEndPort": { + "value": 30000 + }, + "nt0ephemeralStartPort": { + "value": 49152 + }, + "nt0ephemeralEndPort": { + "value": 65534 + }, + "nt0fabricTcpGatewayPort": { + "value": 19000 + }, + "nt0fabricHttpGatewayPort": { + "value": 19080 + }, + "subnet0Name": { + "value": "Subnet-0" + }, + "existingVNetRGName": { + "value": "pvt004" + }, + "existingVNetName": { + "value": "Vnet" + }, + "computeLocation": { + "value": null + }, + "publicIPAddressName": { + "value": "PublicIP-VM" + }, + "publicIPAddressType": { + "value": "Dynamic" + }, + "vmStorageAccountContainerName": { + "value": "vhds" + }, + "adminUserName": { + "value": "testadm" + }, + "adminPassword": { + "value": null + }, + "virtualNetworkName": { + "value": "VNet" + }, + "addressPrefix": { + "value": "10.0.0.0/16" + }, + "dnsName": { + "value": null + }, + "nicName": { + "value": "NIC" + }, + "lbName": { + "value": "LoadBalancer" + }, + "lbIPName": { + "value": "PublicIP-LB-FE" + }, + "overProvision": { + "value": "false" + }, + "vmImagePublisher": { + "value": "MicrosoftWindowsServer" + }, + "vmImageOffer": { + "value": "WindowsServer" + }, + "vmImageSku": { + "value": "2016-Datacenter-with-Containers" + }, + "vmImageVersion": { + "value": "latest" + }, + "sourceVaultValue": { + "value": "GEN-KEYVAULT-RESOURCE-ID" + }, + "certificateUrlValue": { + "value": "GEN-KEYVAULT-SSL-SECRET-URI" + }, + "clusterProtectionLevel": { + "value": "EncryptAndSign" + }, + "certificateStoreValue": { + "value": "My" + }, + "certificateThumbprint": { + "value": "GEN-CUSTOM-DOMAIN-SSLCERT-THUMBPRINT" + }, + "storageAccountType": { + "value": "Standard_LRS" + }, + "supportLogStorageAccountType": { + 
"value": "Standard_LRS" + }, + "supportLogStorageAccountName": { + "value": "[toLower( concat('sflogs', uniqueString(resourceGroup().id),'2'))]" + }, + "applicationDiagnosticsStorageAccountType": { + "value": "Standard_LRS" + }, + "applicationDiagnosticsStorageAccountName": { + "value": "[toLower(concat('wad',uniqueString(resourceGroup().id), '3' ))]" + }, + "nt0InstanceCount": { + "value": 3 + }, + "vmNodeType0Name": { + "value": "Type16" + }, + "vmNodeType0Size": { + "value": "Standard_D2_v2" + } + } +} \ No newline at end of file diff --git a/Building a Secure Service Fabric Cluster: Enabling Storage Account Access from Existing VNET with Firewall Configuration/AzureDeploy.json b/Building a Secure Service Fabric Cluster: Enabling Storage Account Access from Existing VNET with Firewall Configuration/AzureDeploy.json new file mode 100644 index 0000000..c6f1735 --- /dev/null +++ b/Building a Secure Service Fabric Cluster: Enabling Storage Account Access from Existing VNET with Firewall Configuration/AzureDeploy.json 
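Review bot: The parameter values `existingVNetRGName: "pvt004"` and `existingVNetName: "Vnet"` (and `adminUserName: "testadm"`) are environment-specific values rather than placeholders, so a deployment from this file points at a resource group and VNet that only exist in the author's subscription; the other site-specific inputs in the same file use `GEN-*` markers, and these should follow suit, e.g. `"existingVNetRGName": { "value": "GEN-EXISTING-VNET-RG" }` and `"existingVNetName": { "value": "GEN-EXISTING-VNET-NAME" }`. `overProvision` is passed as the string `"false"`, matching the template's `String` type, but the VMSS `overprovision` property is a boolean, so this is worth flagging with a comment in the template's parameter metadata or changing both sides to `"type": "Bool"`. The file is named `AzureDeploy.Parameters.json.json`; the double extension looks accidental and will not be picked up by tooling that expects `*.parameters.json`.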
@@ -0,0 +1,695 @@ +{ + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json", + "contentVersion": "1.0.0.0", + "parameters": { + "clusterLocation": { + "defaultValue": "westus", + "type": "String", + "metadata": { + "description": "Location of the Cluster" + } + }, + "clusterName": { + "defaultValue": "GEN-UNIQUE", + "type": "String", + "metadata": { + "description": "Name of your cluster - Between 3 and 23 characters. Letters and numbers only" + } + }, + "nt0applicationStartPort": { + "defaultValue": 20000, + "type": "Int" + }, + "nt0applicationEndPort": { + "defaultValue": 30000, + "type": "Int" + }, + "nt0ephemeralStartPort": { + "defaultValue": 49152, + "type": "Int" + }, + "nt0ephemeralEndPort": { + "defaultValue": 65534, + "type": "Int" + }, + "nt0fabricTcpGatewayPort": { + "defaultValue": 19000, + "type": "Int" + }, + "nt0fabricHttpGatewayPort": { + "defaultValue": 19080, + "type": "Int" + }, + "subnet0Name": { + "defaultValue": "Subnet-0", + "type": "String" + }, + "existingVNetRGName": { + "defaultValue": "pvt004", + "type": "String" + }, + "existingVNetName": { + "defaultValue": "Vnet", + "type": "String" + }, + "computeLocation": { + "type": "String" + }, + "publicIPAddressName": { + "defaultValue": "PublicIP-VM", + "type": "String" + }, + "publicIPAddressType": { + "defaultValue": "Dynamic", + "allowedValues": [ + "Dynamic" + ], + "type": "String" + }, + "vmStorageAccountContainerName": { + "defaultValue": "vhds", + "type": "String" + }, + "adminUserName": { + "defaultValue": "testadm", + "type": "String", + "metadata": { + "description": "Remote desktop user Id" + } + }, + "adminPassword": { + "type": "SecureString", + "metadata": { + "description": "Remote desktop user password. 
Must be a strong password" + } + }, + "virtualNetworkName": { + "defaultValue": "VNet", + "type": "String" + }, + "addressPrefix": { + "defaultValue": "10.0.0.0/16", + "type": "String" + }, + "dnsName": { + "type": "String" + }, + "nicName": { + "defaultValue": "NIC", + "type": "String" + }, + "lbName": { + "defaultValue": "LoadBalancer", + "type": "String" + }, + "lbIPName": { + "defaultValue": "PublicIP-LB-FE", + "type": "String" + }, + "overProvision": { + "defaultValue": "false", + "type": "String" + }, + "vmImagePublisher": { + "defaultValue": "MicrosoftWindowsServer", + "type": "String", + "metadata": { + "description": "VM image Publisher" + } + }, + "vmImageOffer": { + "defaultValue": "WindowsServer", + "type": "String", + "metadata": { + "description": "VM image offer" + } + }, + "vmImageSku": { + "defaultValue": "2016-Datacenter-with-Containers", + "type": "String", + "metadata": { + "description": "VM image SKU" + } + }, + "vmImageVersion": { + "defaultValue": "latest", + "type": "String", + "metadata": { + "description": "VM image version" + } + }, + "sourceVaultValue": { + "defaultValue": "GEN-KEYVAULT-RESOURCE-ID", + "type": "String", + "metadata": { + "description": "Resource Id of the key vault, is should be in the format of /subscriptions//resourceGroups//providers/Microsoft.KeyVault/vaults/" + } + }, + "certificateUrlValue": { + "defaultValue": "GEN-KEYVAULT-SSL-SECRET-URI", + "type": "String", + "metadata": { + "description": "Refers to the location URL in your key vault where the certificate was uploaded, it is should be in the format of https://.vault.azure.net:443/secrets/" + } + }, + "clusterProtectionLevel": { + "defaultValue": "EncryptAndSign", + "allowedValues": [ + "None", + "Sign", + "EncryptAndSign" + ], + "type": "String", + "metadata": { + "description": "Protection level.Three values are allowed - EncryptAndSign, Sign, None. 
It is best to keep the default of EncryptAndSign, unless you have a need not to" + } + }, + "certificateStoreValue": { + "defaultValue": "My", + "allowedValues": [ + "My" + ], + "type": "String", + "metadata": { + "description": "The store name where the cert will be deployed in the virtual machine" + } + }, + "certificateThumbprint": { + "defaultValue": "GEN-CUSTOM-DOMAIN-SSLCERT-THUMBPRINT", + "type": "String", + "metadata": { + "description": "Certificate Thumbprint" + } + }, + "storageAccountType": { + "defaultValue": "Standard_LRS", + "allowedValues": [ + "Standard_LRS", + "Standard_GRS" + ], + "type": "String", + "metadata": { + "description": "Replication option for the VM image storage account" + } + }, + "supportLogStorageAccountType": { + "defaultValue": "Standard_LRS", + "allowedValues": [ + "Standard_LRS", + "Standard_GRS" + ], + "type": "String", + "metadata": { + "description": "Replication option for the support log storage account" + } + }, + "supportLogStorageAccountName": { + "defaultValue": "[toLower( concat('sflogs', uniqueString(resourceGroup().id),'2'))]", + "type": "String", + "metadata": { + "description": "Name for the storage account that contains support logs from the cluster" + } + }, + "applicationDiagnosticsStorageAccountType": { + "defaultValue": "Standard_LRS", + "allowedValues": [ + "Standard_LRS", + "Standard_GRS" + ], + "type": "String", + "metadata": { + "description": "Replication option for the application diagnostics storage account" + } + }, + "applicationDiagnosticsStorageAccountName": { + "defaultValue": "[toLower(concat('wad',uniqueString(resourceGroup().id), '3' ))]", + "type": "String", + "metadata": { + "description": "Name for the storage account that contains application diagnostics data from the cluster" + } + }, + "nt0InstanceCount": { + "defaultValue": 3, + "type": "Int", + "metadata": { + "description": "Instance count for node type" + } + }, + "vmNodeType0Name": { + "defaultValue": "Type16", + "maxLength": 9, + 
"type": "String" + }, + "vmNodeType0Size": { + "defaultValue": "Standard_D2_v2", + "type": "String" + } + }, + "variables": { + "vmssApiVersion": "2017-03-30", + "sfrpApiVersion": "2018-02-01", + "lbApiVersion": "2015-06-15", + "vNetApiVersion": "2015-06-15", + "storageApiVersion": "2019-04-01", + "publicIPApiVersion": "2015-06-15", + "vnetID": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', parameters('existingVNetRGName'), '/providers/Microsoft.Network/virtualNetworks/', parameters('existingVNetName'))]", + "subnet0Ref": "[concat(variables('vnetID'),'/subnets/',parameters('subnet0Name'))]", + "lbID0": "[resourceId('Microsoft.Network/loadBalancers', concat('LB','-', parameters('clusterName'),'-',parameters('vmNodeType0Name')))]", + "lbIPConfig0": "[concat(variables('lbID0'),'/frontendIPConfigurations/LoadBalancerIPConfig')]", + "lbPoolID0": "[concat(variables('lbID0'),'/backendAddressPools/LoadBalancerBEAddressPool')]", + "lbProbeID0": "[concat(variables('lbID0'),'/probes/FabricGatewayProbe')]", + "lbHttpProbeID0": "[concat(variables('lbID0'),'/probes/FabricHttpGatewayProbe')]", + "lbNatPoolID0": "[concat(variables('lbID0'),'/inboundNatPools/LoadBalancerBEAddressNatPool')]", + "vmStorageAccountName0": "[toLower(concat(uniqueString(resourceGroup().id), '1', '0' ))]" + }, + "resources": [ + { + "type": "Microsoft.Storage/storageAccounts", + "apiVersion": "[variables('storageApiVersion')]", + "name": "[parameters('supportLogStorageAccountName')]", + "location": "[parameters('computeLocation')]", + "dependsOn": [], + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + }, + "sku": { + "name": "[parameters('supportLogStorageAccountType')]" + }, + "kind": "StorageV2", + "properties": { + "allowBlobPublicAccess": false, + "networkAcls": { + "resourceAccessRules": [], + "bypass": "AzureServices", + "virtualNetworkRules": [ + { + "id": 
"/subscriptions/979dc9d7-xxxx-4919-8bcb-xxxxxxxxxx/resourceGroups/networkwatcherrg/providers/Microsoft.Network/virtualNetworks/testvnet/subnets/default", + "action": "Allow", + "state": "Succeeded" + } + ], + "ipRules": [], + "defaultAction": "Deny" + } + } + }, + { + "type": "Microsoft.Storage/storageAccounts", + "apiVersion": "[variables('storageApiVersion')]", + "name": "[parameters('applicationDiagnosticsStorageAccountName')]", + "location": "[parameters('computeLocation')]", + "dependsOn": [], + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + }, + "sku": { + "name": "[parameters('applicationDiagnosticsStorageAccountType')]" + }, + "kind": "StorageV2", + "properties": { + "allowBlobPublicAccess": false, + "networkAcls": { + "resourceAccessRules": [], + "bypass": "AzureServices", + "virtualNetworkRules": [ + { + "id": "/subscriptions/979dc9d7-xxxx-4919-8bcb-xxxxxxxxxxxxxxx/resourceGroups/networkwatcherrg/ + providers/Microsoft.Network/virtualNetworks/testvnet/subnets/default", + "action": "Allow", + "state": "Succeeded" + } + ], + "ipRules": [], + "defaultAction": "Deny" + } + } + }, + { + "type": "Microsoft.Network/publicIPAddresses", + "apiVersion": "[variables('publicIPApiVersion')]", + "name": "[concat(parameters('lbIPName'),'-',parameters('vmNodeType0Name'))]", + "location": "[parameters('computeLocation')]", + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + }, + "properties": { + "dnsSettings": { + "domainNameLabel": "[parameters('dnsName')]" + }, + "publicIPAllocationMethod": "Dynamic" + } + }, + { + "type": "Microsoft.Network/loadBalancers", + "apiVersion": "[variables('lbApiVersion')]", + "name": "[concat('LB','-', parameters('clusterName'),'-',parameters('vmNodeType0Name'))]", + "location": "[parameters('computeLocation')]", + "dependsOn": [ + "[concat('Microsoft.Network/publicIPAddresses/',concat(parameters('lbIPName'),'-',parameters('vmNodeType0Name')))]" + 
], + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + }, + "properties": { + "frontendIPConfigurations": [ + { + "name": "LoadBalancerIPConfig", + "properties": { + "publicIPAddress": { + "id": "[resourceId('Microsoft.Network/publicIPAddresses',concat(parameters('lbIPName'),'-',parameters('vmNodeType0Name')))]" + } + } + } + ], + "backendAddressPools": [ + { + "name": "LoadBalancerBEAddressPool", + "properties": {} + } + ], + "loadBalancingRules": [ + { + "name": "LBRule", + "properties": { + "backendAddressPool": { + "id": "[variables('lbPoolID0')]" + }, + "backendPort": "[parameters('nt0fabricTcpGatewayPort')]", + "enableFloatingIP": "false", + "frontendIPConfiguration": { + "id": "[variables('lbIPConfig0')]" + }, + "frontendPort": "[parameters('nt0fabricTcpGatewayPort')]", + "idleTimeoutInMinutes": "5", + "probe": { + "id": "[variables('lbProbeID0')]" + }, + "protocol": "tcp" + } + }, + { + "name": "LBHttpRule", + "properties": { + "backendAddressPool": { + "id": "[variables('lbPoolID0')]" + }, + "backendPort": "[parameters('nt0fabricHttpGatewayPort')]", + "enableFloatingIP": "false", + "frontendIPConfiguration": { + "id": "[variables('lbIPConfig0')]" + }, + "frontendPort": "[parameters('nt0fabricHttpGatewayPort')]", + "idleTimeoutInMinutes": "5", + "probe": { + "id": "[variables('lbHttpProbeID0')]" + }, + "protocol": "tcp" + } + } + ], + "probes": [ + { + "name": "FabricGatewayProbe", + "properties": { + "intervalInSeconds": 5, + "numberOfProbes": 2, + "port": "[parameters('nt0fabricTcpGatewayPort')]", + "protocol": "tcp" + } + }, + { + "name": "FabricHttpGatewayProbe", + "properties": { + "intervalInSeconds": 5, + "numberOfProbes": 2, + "port": "[parameters('nt0fabricHttpGatewayPort')]", + "protocol": "tcp" + } + } + ], + "inboundNatPools": [ + { + "name": "LoadBalancerBEAddressNatPool", + "properties": { + "backendPort": "3389", + "frontendIPConfiguration": { + "id": "[variables('lbIPConfig0')]" + }, + 
"frontendPortRangeEnd": "4500", + "frontendPortRangeStart": "3389", + "protocol": "tcp" + } + } + ] + } + }, + { + "type": "Microsoft.Compute/virtualMachineScaleSets", + "apiVersion": "[variables('vmssApiVersion')]", + "name": "[parameters('vmNodeType0Name')]", + "location": "[parameters('computeLocation')]", + "dependsOn": [ + "[concat('Microsoft.Network/loadBalancers/', concat('LB','-', parameters('clusterName'),'-',parameters('vmNodeType0Name')))]", + "[concat('Microsoft.Storage/storageAccounts/', parameters('supportLogStorageAccountName'))]", + "[concat('Microsoft.Storage/storageAccounts/', parameters('applicationDiagnosticsStorageAccountName'))]" + ], + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + }, + "sku": { + "name": "[parameters('vmNodeType0Size')]", + "capacity": "[parameters('nt0InstanceCount')]", + "tier": "Standard" + }, + "properties": { + "overprovision": "[parameters('overProvision')]", + "upgradePolicy": { + "mode": "Automatic" + }, + "virtualMachineProfile": { + "extensionProfile": { + "extensions": [ + { + "name": "[concat(parameters('vmNodeType0Name'),'_ServiceFabricNode')]", + "properties": { + "type": "ServiceFabricNode", + "autoUpgradeMinorVersion": true, + "protectedSettings": { + "StorageAccountKey1": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', parameters('supportLogStorageAccountName')),'2015-05-01-preview').key1]", + "StorageAccountKey2": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', parameters('supportLogStorageAccountName')),'2015-05-01-preview').key2]" + }, + "publisher": "Microsoft.Azure.ServiceFabric", + "settings": { + "clusterEndpoint": "[reference(parameters('clusterName')).clusterEndpoint]", + "nodeTypeRef": "[parameters('vmNodeType0Name')]", + "dataPath": "D:\\\\SvcFab", + "durabilityLevel": "Silver", + "enableParallelJobs": true, + "certificate": { + "thumbprint": "[parameters('certificateThumbprint')]", + "x509StoreName": 
"[parameters('certificateStoreValue')]" + } + }, + "typeHandlerVersion": "1.1" + } + }, + { + "name": "[concat('VMDiagnosticsVmExt','_vmNodeType0Name')]", + "properties": { + "type": "IaaSDiagnostics", + "autoUpgradeMinorVersion": true, + "protectedSettings": { + "storageAccountName": "[parameters('applicationDiagnosticsStorageAccountName')]", + "storageAccountKey": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', parameters('applicationDiagnosticsStorageAccountName')),'2015-05-01-preview').key1]", + "storageAccountEndPoint": "https://core.windows.net/" + }, + "publisher": "Microsoft.Azure.Diagnostics", + "settings": { + "WadCfg": { + "DiagnosticMonitorConfiguration": { + "overallQuotaInMB": "50000", + "EtwProviders": { + "EtwEventSourceProviderConfiguration": [ + { + "provider": "Microsoft-ServiceFabric-Actors", + "scheduledTransferKeywordFilter": "1", + "scheduledTransferPeriod": "PT5M", + "DefaultEvents": { + "eventDestination": "ServiceFabricReliableActorEventTable" + } + }, + { + "provider": "Microsoft-ServiceFabric-Services", + "scheduledTransferPeriod": "PT5M", + "DefaultEvents": { + "eventDestination": "ServiceFabricReliableServiceEventTable" + } + } + ], + "EtwManifestProviderConfiguration": [ + { + "provider": "cbd93bc2-71e5-4566-b3a7-595d8eeca6e8", + "scheduledTransferLogLevelFilter": "Information", + "scheduledTransferKeywordFilter": "4611686018427387904", + "scheduledTransferPeriod": "PT5M", + "DefaultEvents": { + "eventDestination": "ServiceFabricSystemEventTable" + } + } + ] + } + } + }, + "StorageAccount": "[parameters('applicationDiagnosticsStorageAccountName')]" + }, + "typeHandlerVersion": "1.5" + } + } + ] + }, + "networkProfile": { + "networkInterfaceConfigurations": [ + { + "name": "[concat(parameters('nicName'), '-0')]", + "properties": { + "ipConfigurations": [ + { + "name": "[concat(parameters('nicName'),'-',0)]", + "properties": { + "loadBalancerBackendAddressPools": [ + { + "id": "[variables('lbPoolID0')]" + } + ], + 
"loadBalancerInboundNatPools": [ + { + "id": "[variables('lbNatPoolID0')]" + } + ], + "subnet": { + "id": "[variables('subnet0Ref')]" + } + } + } + ], + "primary": true + } + } + ] + }, + "osProfile": { + "adminPassword": "[parameters('adminPassword')]", + "adminUsername": "[parameters('adminUsername')]", + "computernamePrefix": "[parameters('vmNodeType0Name')]", + "secrets": [ + { + "sourceVault": { + "id": "[parameters('sourceVaultValue')]" + }, + "vaultCertificates": [ + { + "certificateStore": "[parameters('certificateStoreValue')]", + "certificateUrl": "[parameters('certificateUrlValue')]" + } + ] + } + ] + }, + "storageProfile": { + "imageReference": { + "publisher": "[parameters('vmImagePublisher')]", + "offer": "[parameters('vmImageOffer')]", + "sku": "[parameters('vmImageSku')]", + "version": "[parameters('vmImageVersion')]" + }, + "osDisk": { + "caching": "ReadOnly", + "createOption": "FromImage", + "managedDisk": { + "storageAccountType": "[parameters('storageAccountType')]" + } + } + } + } + } + }, + { + "type": "Microsoft.ServiceFabric/clusters", + "apiVersion": "2018-02-01", + "name": "[parameters('clusterName')]", + "location": "[parameters('clusterLocation')]", + "dependsOn": [ + "[concat('Microsoft.Storage/storageAccounts/', parameters('supportLogStorageAccountName'))]" + ], + "tags": { + "resourceType": "Service Fabric", + "clusterName": "[parameters('clusterName')]" + }, + "properties": { + "addonFeatures": [ + "DnsService" + ], + "certificate": { + "thumbprint": "[parameters('certificateThumbprint')]", + "x509StoreName": "[parameters('certificateStoreValue')]" + }, + "clientCertificateCommonNames": [], + "clientCertificateThumbprints": [], + "clusterCodeVersion": "9.1.1583.9590", + "clusterState": "Default", + "diagnosticsStorageAccountConfig": { + "blobEndpoint": "[reference(concat('Microsoft.Storage/storageAccounts/', parameters('supportLogStorageAccountName')), variables('storageApiVersion')).primaryEndpoints.blob]", + 
"protectedAccountKeyName": "StorageAccountKey1", + "queueEndpoint": "[reference(concat('Microsoft.Storage/storageAccounts/', parameters('supportLogStorageAccountName')), variables('storageApiVersion')).primaryEndpoints.queue]", + "storageAccountName": "[parameters('supportLogStorageAccountName')]", + "tableEndpoint": "[reference(concat('Microsoft.Storage/storageAccounts/', parameters('supportLogStorageAccountName')), variables('storageApiVersion')).primaryEndpoints.table]" + }, + "fabricSettings": [ + { + "parameters": [ + { + "name": "ClusterProtectionLevel", + "value": "[parameters('clusterProtectionLevel')]" + } + ], + "name": "Security" + } + ], + "managementEndpoint": "[concat('https://',reference(concat(parameters('lbIPName'),'-',parameters('vmNodeType0Name'))).dnsSettings.fqdn,':',parameters('nt0fabricHttpGatewayPort'))]", + "nodeTypes": [ + { + "name": "[parameters('vmNodeType0Name')]", + "applicationPorts": { + "endPort": "[parameters('nt0applicationEndPort')]", + "startPort": "[parameters('nt0applicationStartPort')]" + }, + "clientConnectionEndpointPort": "[parameters('nt0fabricTcpGatewayPort')]", + "durabilityLevel": "Silver", + "ephemeralPorts": { + "endPort": "[parameters('nt0ephemeralEndPort')]", + "startPort": "[parameters('nt0ephemeralStartPort')]" + }, + "httpGatewayEndpointPort": "[parameters('nt0fabricHttpGatewayPort')]", + "isPrimary": true, + "vmInstanceCount": "[parameters('nt0InstanceCount')]" + } + ], + "provisioningState": "Default", + "reliabilityLevel": "Bronze", + "upgradeMode": "Manual", + "vmImage": "Windows" + } + } + ], + "outputs": { + "clusterProperties": { + "type": "Object", + "value": "[reference(parameters('clusterName'))]" + } + } +} 
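Review bot: The `virtualNetworkRules[0].id` on both storage accounts is a hard-coded subnet path (`.../resourceGroups/networkwatcherrg/.../virtualNetworks/testvnet/subnets/default` with a redacted subscription id) that has no relation to the parameterized network the nodes actually join, while the VMSS NIC is placed in `[variables('subnet0Ref')]`; with `defaultAction: "Deny"`, the Service Fabric nodes and the diagnostics extension will be blocked from the support-log and WAD accounts unless the operator happens to deploy into that exact subnet. Both rules should reference the existing variable, `"id": "[variables('subnet0Ref')]"`, which also removes the two mismatched redactions (`xxxxxxxxxx` vs `xxxxxxxxxxxxxxx`) and the second id string that appears to contain a literal line break after `networkwatcherrg/`, making the template invalid JSON as committed. `"state": "Succeeded"` is a read-only property and can be dropped from both rules. Separately, the `LoadBalancerBEAddressNatPool` exposes RDP (`backendPort: "3389"`, frontend range 3389–4500) on the public load balancer frontend; for a template advertised as a secured cluster, consider removing the NAT pool or documenting in the README that an NSG on `subnet0Name` must restrict these ports to management addresses. The `listKeys(...,'2015-05-01-preview')` calls use a preview storage API version while `variables('storageApiVersion')` is already `2019-04-01`; `.key1` should become `.keys[0].value` if the call is moved to the current API.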
diff --git a/Building a Secure Service Fabric Cluster: Enabling Storage Account Access from Existing VNET with Firewall Configuration/README.md b/Building a Secure Service Fabric Cluster: Enabling Storage Account Access from Existing VNET with Firewall Configuration/README.md new file mode 100644 index 0000000..6d61cdc --- /dev/null +++ b/Building a Secure Service Fabric Cluster: Enabling Storage Account Access from Existing VNET with Firewall Configuration/README.md 
@@ -0,0 +1,102 @@ +[service-fabric-cluster-templates](https://github.com/Azure-Samples/service-fabric-cluster-templates/tree/master)/ +Building a Secure Service Fabric Cluster: Enabling Storage Account +Access from Existing VNET with Firewall Configuration + +## **Building a Secure Service Fabric Cluster: Enabling Storage Account Access from Existing VNET with Firewall Configuration** + +## Overview + +The purpose of this ARM (Azure Resource Manager) template is to +facilitate the seamless provisioning of a Service Fabric cluster while +ensuring the security and protection of the associated storage account. +By implementing the template, you can create a Service Fabric cluster +that is shielded from public network access, thereby minimizing +potential security risks. + +One of the key features of this template is the ability to configure +access to the storage account only from a whitelisted network/IP. This +ensures that access to the storage account is restricted to specific +networks or IP addresses, thereby enhancing the overall security posture +of your Service Fabric cluster. + +## Prerequisites + +- Azure Key Vault in the same region where the Service Fabric Cluster + would be created. + +- Changed the kind of Storage account to StorageV2. + +- Changed the API version of Storage resource to 2019-04-01 or higher. + +- Existing virtual network on which you will be deploying your cluster + & whitelisting it in Storage account Firewall rules from ARM + template. + +- Make sure your subnet has Microsoft.Storage service endpoint. + + - From Azure portal go the existing Virtual network you will be + using for cluster & navigating to subnet. Click on the subnet & + enable the Microsoft.Storage service endpoint. 
+![image](https://github.com/radhusharma11/service-fabric-cluster-templates/assets/113444108/bebfd584-a7c4-4fc2-92ef-c59a833017d7) + + +- Get your subnet ID at resources.azure.com \> select your + subscription \> Existing VNet Resource group \> Micosoft.Network\> + VNET \> Subnet, which is needed to be whitelisted. + +![image](https://github.com/radhusharma11/service-fabric-cluster-templates/assets/113444108/e18d8993-38c8-4af1-b7de-56f7adadd011) + + +- For securing the Storage account from public network access, include + the below definition on your storage account definition -\> + properties section. Make sure you replace the "**Subnetid**" & then + deploy the ARM template. + +> \"properties\": { +> +>                 \"allowBlobPublicAccess\": false, +> +>                 \"networkAcls\": { +> +>                     \"resourceAccessRules\": \[\], +> +>                     \"bypass\": \"AzureServices\", +> +>                     \"virtualNetworkRules\": \[ +> +>                          { +> +>                             \"id\": "**Subnetid**\", +> +>                             \"action\": \"Allow\", +> +>                             \"state\": \"Succeeded" +> +>                          } +> +>                      \], +> +>                     \"ipRules\": \[\], +> +>                     \"defaultAction\": \"Deny\" +> +>                 } +> +>             } +> + +![image](https://github.com/radhusharma11/service-fabric-cluster-templates/assets/113444108/cb1874a2-06b6-496a-b12d-644ddc42317c) + +## Key Parameters + +existingVNetRGName: Existing VNET's Resource group name. + +existingVNetName: Existing VNet name + +subnet0Name: Subnet name + +## References: + + + +