{"id":15698833,"url":"https://github.com/ipspace/azure","last_synced_at":"2025-05-09T02:13:59.885Z","repository":{"id":148025776,"uuid":"186107658","full_name":"ipspace/azure","owner":"ipspace","description":"Azure Networking Workshop","archived":false,"fork":false,"pushed_at":"2021-01-17T16:23:55.000Z","size":43,"stargazers_count":6,"open_issues_count":0,"forks_count":3,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-05-09T02:13:54.659Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ipspace.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-05-11T08:30:03.000Z","updated_at":"2025-01-25T21:40:46.000Z","dependencies_parsed_at":null,"dependency_job_id":"eb94d432-9c46-418a-9475-8924e3b19418","html_url":"https://github.com/ipspace/azure","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ipspace%2Fazure","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ipspace%2Fazure/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ipspace%2Fazure/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ipspace%2Fazure/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ipspace","download_url":"https://codeload.github.com/ipspace/azure/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":253176445,"owners_count":21866143,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-10-03T19:34:41.079Z","updated_at":"2025-05-09T02:13:59.868Z","avatar_url":"https://github.com/ipspace.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Azure Workshop Demo Script\n\nThis repository contains demos used in [Microsoft Azure Networking Workshop](https://www.ipspace.net/Microsoft_Azure_Networking_(Workshop)) and [webinar](https://www.ipspace.net/Microsoft_Azure_Networking).\n\nYou will need an Azure subscription (account) to work through them.\n\nTo recreate the demos, follow this script:\n\n## Prepare the environment\n\n* Start Azure shell by opening a browser window and logging into [online Azure shell](https://shell.azure.com/)\n* Create a set of SSH keys with **ssh-keygen**\n* Clone the demo repository with **git clone https://github.com/ipspace/azure**\n* Change working directory to **azure**\n* Log into Azure (if needed) with **az login** and configure Azure CLI with **az configure**\n\n## List the available Azure locations\n\n```\nsimple/list-locations\n```\n\nThe script executes **az account list-locations** command. You can execute various versions of this command, for example using **-o table** option to create a table output.\n\nNote: all demos use scripts with one or several **az** commands. The first command in every script enables bash command tracing so you'll be able to see the exact commands being executed.\n\n## Create a resource group and start a VM\n\nThe first demo creates a resource group in East US location (hardcoded in the script) and starts a VM to demonstrate the variety of objects needed to support a single VM. Note that all those objects are created automatically.\n\nThe **create-rg** script creates a resource group and saves the resource group name into **~/.rg** file. All subsequent scripts read the resource group name from that file.\n\n```\nsetup/create-rg Simple\nsimple/create-vm-a\n```\n\nAfter the VM is created, the Azure CLI prints a JSON object describing the VM. Find the public IP address in that data and log into the VM using **ssh azure@public-ip-address**. Use [Azure Portal](https://portal.azure.com/#home) to explore various objects created to support the VM.\n\nNote: You can also use **. setup/get-public vm-name** command (for example, **. setup/get-public A**) to get the public IP address of a VM from Azure and set a corresponding *bash* environment variable (that's why you need . in front of the command). After using the above command you could SSH into A using **ssh azure@$A**.\n\n### Create another VM in the same subnet\n\nCreate the second VM in the same resorce group:\n\n```\nsimple/create-vm-b\n```\n\nNote that while Azure CLI created a new VM, new disk, new public IP address, and new network security group (NSG) it did not create a new virtual network (VNet) or subnet.\n\n## Cleanup\n\nDestroy all objects used in this demo by deleting the resource group with **delete-rg** script or  with **az group delete** command.\n\n```\nsetup/delete-rg\n```\n\n## Create application environments with two subnets\n\nThis demo creates:\n\n* A new resource group\n* Virtual network *AppNet* with IP address space 172.16.0.0/16 and two subnets: *AppSubnet* (172.16.1.0/24) and *DBSubnet*\n* Create a virtual machine in each subnet.\n\n```\nsetup/create-rg Net\nnetwork/create-vnet\nnetwork/create-vm\n```\n\nAfter the virtual machines have been created you can log into the *Web* virtual machine but not in the *DB* virtual machine as it has no permanent public IP address. You can, however, ping the private IP address of *DB* virtual machine from *Web* virtual machine, or reach external destinations from *DB* over TCP or UDP (use **curl** or **wget** from DB to download a few public web pages).\n\nDon't forget to clean up afterwards:\n\n```\nsetup/delete-rg\n```\n\n## Create Network Security Groups\n\nThis demo creates:\n\n* Virtual network *AppNet* with the same subnets as the previous demo\n* Unprotected VMs in the virtual network (with no per-VM Network Security Group). *Web* VM is reachable from the Internet, *DB* VM has no public IP address and is thus reachable only from within the virtual network\n\n```\nsetup/create-rg NSG\nnetwork/create-vnet\nnsg/create-vm\n```\n\nAfter creating the virtual machines, log into the *Web* VM and verify that you can ping *DB* VM and reach it over SSH (you won't be able to log in unless you fix the SSH keys)\n\nNext, create *Web* and *DB* Network Security Groups and apply them to the *Web* and *DB* subnets:\n\n```\nnsg/create-web-nsg\nnsg/create-db-nsg\nnsg/apply-nsg\n```\n\nUse **az network nsg list -o table** command to list the contents of the newly-created NSG.\n\n### Test NSG\n\nLog into *Web* VM and check whether you can reach *DB* VM over SSH, ping, or TCP port 80 (using **curl http://db** or **telnet db 80**). Please note that when the attempts to connect to web server on port 80 return an error it's generated by the host (because there's no web server running on the host) not by the Azure virtual network (which quietly drops the packets).\n\nIf your NSG doesn't work as expected use the following commands to figure out what the problem might be:\n\n```\naz network nsg rule list -g NSG --nsg-name DB-NSG -o table\naz network nic list-effective-nsg --resource-group NSG --name DBVMNic -o table\naz network nsg rule list -g NSG --nsg-name DB-NSG -o table --include-default\n```\n\nRemove SSH entry from DB-NSG using portal. Recheck the connectivity with SSH.\n\n### Fixing the NSG\n\nIf you can't fix the NSG for the *DB* subnet yourself, use this command to fix it:\n\n```\nnsg/fix-db-nsg\n```\n\n### Cleanup\n\nDon't forget to delete the resource group after completing the demo.\n\n```\nsetup/delete-rg\n```\n\n## Application Security Groups Demo\n\nIn the Application Security Groups (ASG) demo we'll repeat the steps from the NSG demo but replace the subnet prefixes used in previous demo with ASG objects. The initial steps are almost identical to the previous demo:\n\n* Create a resource group;\n* Create a virtual network with two subnets;\n* Create an application security group (ASG);\n* Create two VMs (one in each ASG)\n\n```\nsetup/create-rg ASG\nnetwork/create-vnet\nasg/create-asg\nasg/create-vm\n```\n\nWhen creating NSG rules we'll use ASG objects instead of subnet prefixes:\n\n```\nasg/create-db-nsg\nasg/create-web-nsg\nnsg/apply-nsg\n```\n\nAfter setting up the demo, connect to *Web* VM and explore which TCP ports on *DB* VM you can reach. Also, try to figure out which IP addresses belong to a particular ASG (**az network nic list-effective-nsg -g ASG -n DBVMNic** doesn't seem to return usable information).\n\nDon't forget to delete the resource group after completing the demo.\n\n```\nsetup/delete-rg\n```\n\n## Route table demo\n\nThis demo will replace the default route table in database subnet with a custom route table where the system default route (pointing to Internet) is replaced with a custom default route with *drop* next hop (effectively blocking Internet access for *DB* VM).\n\nWe'll reuse the steps from virtual networking demo to create the virtual network, the two subnets, and the *DB* and *Web* VMs.\n\n```\nsetup/create-rg rt\nnetwork/create-vnet\nnetwork/create-vm\n```\n\nTo test the outbound connectivity from *DB* VM you have to be able to log into it, and you can only do it from the *Web* VM, so you have to copy your private SSH key to the *Web* VM (never do that in production).\n\n```\n. setup/get-public Web\nscp ~/.ssh/id_rsa azure@$Web:.ssh/\n```\n\nNow you can use *Web* VM as a SSH jump host to get to the *DB* VM and test outbound Internet connectivity.\n\n```\nssh azure@$Web\nWeb\u003e ssh azure@172.16.2.4\nDB\u003e curl www.example.com\n```\n\nYou can display routing table in *DBSubnet* to verify that it includes the default route pointing toward the Internet.\n\n```\naz network nic show-effective-route-table -g rt -n DBVMNic -o table\n```\n\nNext, create a custom route table and apply it to *DBSubnet*\n\n```\nrt/create-rt\nrt/apply-rt\n```\n\nCheck whether the routing table applied to *DBVMNic* has been modified:\n\n```\naz network nic show-effective-route-table -g Net -n DBVMNic -o table\n```\n\nFinally, log into *DB* VM and try to fetch a web page from the public Internet.\n\n## Peering demo\n\nIn the VNet Peering demo we'll create two virtual networks and three VMs (two in network A, one in network B).\n\n```\nsetup/create-rg peer\npeer/create-net-a\npeer/create-net-b\npeer/create-vm\n```\n\nDisplay private and public VM IP address with these commands:\n\n```\naz network nic list -g peer --query \"[ [*].name,[*].ipConfigurations[*].privateIpAddress ]\" -o table\naz vm list -g peer -d -o table\n```\n\nLog into A1, try to ping A2 and B1. You should be able to ping A2, but not B1.\n\n### Create network peering\n\nUse these commands to create and verify VNet peering between A and B.\n\n```\npeer/create-peer\naz network vnet peering list -g peer --vnet-name Net-A -o table\naz network vnet peering show --name A2B --vnet-name Net-A --resource-group peer\n```\n\nLog into A1, try to ping A2 and B1. You should not be able to ping B1 even though the VNet peering has been successfully established.\n\n### Troubleshooting\n\nCheck the routing tables on A1 and B1 NICs:\n\n```\naz network nic show-effective-route-table -g peer -n A1VMNic -o table\naz network nic show-effective-route-table -g peer -n B1VMNic -o table\n```\n\nYou'll notice that the routing tables include prefixes from the peered network. Try to figure out why the traffic is not exchanged between A1 and B1 (for example, using *IP Flow Verify* feature in GUI portal).\n\nCheck the effective NSG applied to VM NICs, in particular the actual prefixes used in packet filters. You'll notice that the *VirtualNetwork* service tag does not include prefixes from the peered virtual network.\n\n```\naz network nic list-effective-nsg -g peer -n A1VMNic\naz network nic list-effective-nsg -g peer -n B1VMNic\n```\n\n### Enable virtual network access\n\nFix the NSG by setting the *allowVirtualNetworkAccess* flag on VNet peering.\n\n```\naz network vnet peering update --name A2B --vnet-name Net-A --set allowVirtualNetworkAccess=true --resource-group peer\naz network vnet peering update --name B2A --vnet-name Net-B --set allowVirtualNetworkAccess=true --resource-group peer\naz network nic list-effective-nsg -g peer -n A1VMNic\naz network nic list-effective-nsg -g peer -n B1VMNic\n```\n\nYou might want to change the flag on one side of the peering and check effective NSG on VM NIC before changing the flag on the other side of the peering.\n\n## Cleanup\n\nCongratulations, you completed the last demo. Don't forget to clean up all resources and resource groups you created - Microsoft will happily bill you if you keep them running.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fipspace%2Fazure","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fipspace%2Fazure","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fipspace%2Fazure/lists"}