Azure Resource Manager (ARM) brings a new way of looking at the infrastructure that supports our application's environment: we no longer think of our applications, VMs, SQL Servers, Storage... as silos, but rather as a group of resources that deploy as a single entity and share the same lifetime.
ARM allows us to define Azure infrastructure as code by authoring JSON templates. This might seem like a little thing, but capabilities like these are at the heart of the new ALM transformation. We'll be integrating ARM infrastructure into the development of our software applications: coding the Azure environment (Network, Security, infrastructure, VMs…) where our applications will live, then deploying all of that as part of our application's continuous deployment process so that it produces the same output every time, with no last-minute surprises.
We'll be using Visual Studio to build our JSON Deployment Templates, store them in source control and use Visual Studio Team Services (a.k.a. Visual Studio Online) to create our build definitions. We'll also take a look at some of the other tools for interacting with ARM: the new Azure Portal, PowerShell and the REST API.
All source code for this series can be found on Github
Table of Contents
- What is ARM?
- IaaS Examples
- Azure Virtual Network (VNet) Design Concepts
Building our First VNet
- Create Virtual Network in Azure portal
- Create NSG in Azure ARM PowerShell
What is ARM?
Azure Resource Manager is a set of services that allows you to manage and provision your independent resources in Azure as a single logical unit called a Resource Group.
This set of ARM services allows administrators to view billing per resource group and manage access rights; it also allows deploying configuration templates that provision a whole set of resources within a resource group using Template Deployments.
Some of the IaaS resources that can be deployed along with your application using Template Deployment are:
Virtual Machines (VMs): Used to run workloads: SQL Servers, Domain Controllers, development machines...
Azure Virtual Network (VNet): A Virtual Network provides isolation and private communication between the resources deployed to it (VMs and applications); subnets are created to further secure the traffic flow within the VNet (DMZ\Frontend, Backend, Data, Operations...)
Network Security Groups (NSG): A firewall for your VNet, securing inbound/outbound traffic to VMs, subnets and cloud services.
VPN Gateway: Provides connectivity to other virtual networks or to an on-premises network. Supports Site-to-Site, Point-to-Site...
Azure Virtual Network (VNet) Design Concepts
A VNet is our own network in the cloud. We can create subnets for organization and security, define an IP address space that is private to our VMs, apply security policies and create routing tables to control traffic between VMs.
A typical network will have, at a minimum, a Frontend (a.k.a. DMZ) subnet and a Backend subnet: the DMZ hosts applications that are externally accessible, while the backend subnet is only accessed by internally hosted applications (or internal users). This separation between subnets allows securing resources from external attacks. For example, when building a web application you want to host it in an environment that allows external users to reach your website over the internet, while the web services/SQL Servers that are only accessed by your applications can be hosted in an environment that is protected/isolated from external access. This is where subnets come into play, and designing your network security becomes important.
We will build a simple Azure Virtual Network/VNet that contains the following IaaS resources to support our application:
Azure Virtual Network (VNet):
- IP Address space: 192.168.0.0/16
- Frontend subnet: 192.168.1.0/24
- Backend subnet: 192.168.2.0/24
Network Security Group (NSG) that is applied to both subnets:
- Allow access from Internet to frontend on port 80
- Allow RDP to VMs from internet to any VM on port 3389
- Allow specific endpoints from frontend to backend
- Deny all traffic from frontend to backend
- Deny all traffic from internet to the virtual Network
- Deny all traffic from backend to the internet
We'll be focusing on Template Deployment using Visual Studio throughout this post, but first I'll show different ways to build these resources using the Azure Portal and Azure ARM PowerShell; then we'll see how to export the configuration and use it as a base for our Template Deployment.
Building our First VNet
Create Virtual Network in Azure portal
We'll create our Virtual Network in the Azure Portal, this will help you visualize what we are trying to accomplish:
- Log-on to https://Portal.Azure.com
- Click on the "+ New" button on the top-left corner and type "Virtual Network" in the search field.
- Select the "Virtual Network" resource. A new blade will open; notice the deployment model "Resource Manager", then click Create.
Enter the Virtual Network name and address space, then fill in the "Frontend" subnet information as in the image below:
Enter a new resource group name and tick the "Pin to dashboard" checkbox to easily locate your VNet after it is created.
Notice the Resource Group section: we want to create a "New" resource group for this network. If you decide to support multiple applications within this same network (building a network to support your organization's infrastructure), then you will want to use one resource group for all networking resources (e.g. load balancers, VPN tunnel, firewall...) and separate resource groups for your web application resources, as their lifespan is independent from the network resources.
- Once you hit Create and the portal finishes the deployment successfully, navigate to the "Virtual Network" blade and open the settings to create the backend subnet.
Click on Subnets, then add a new subnet from the top toolbar.
Now enter the name and address space of the Backend subnet, then click "OK".
You can also check the Azure documentation for creating a Virtual Network here
Next we will create our Network Security Group and apply it to our network in PowerShell.
Create NSG in Azure ARM PowerShell
If you do not have Azure PowerShell Module version 1.0, you will need to follow the instructions here to install and configure it.
For writing and executing PowerShell commands, either use the Azure PowerShell command window or my favourite tool, "Windows PowerShell ISE"; you can even use the Visual Studio PowerShell project template.
This code can be found here
```powershell
# Create a Network Security Group and apply it to a VNet with two subnets to model a DMZ/Backend network environment
Login-AzureRmAccount

$ResourceGroupName = "Example-Infra-EastUS-resgrp"
$VNetName = "Example-Infra-EastUS-vnet"
$NSGName = "NetworkFirewall-nsg"
$DeploymentLocation = "eastus2"
$FrontendAddress = "192.168.1.0/24"
$BackendAddress = "192.168.2.0/24"

# Allow RDP to VMs on the entire VNet
$rdpRule = New-AzureRmNetworkSecurityRuleConfig -Name "Allow-RDP" -Direction Inbound -Priority 110 -Access Allow `
    -SourceAddressPrefix INTERNET -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange '3389' -Protocol Tcp `
    -Description "Enable RDP to $VNetName VNet"

# Allow incoming HTTP internet traffic on port 80 to the frontend subnet
$httpRule = New-AzureRmNetworkSecurityRuleConfig -Name "Allow-HTTP" -Direction Inbound -Priority 120 -Access Allow `
    -SourceAddressPrefix INTERNET -SourcePortRange * -DestinationAddressPrefix $FrontendAddress -DestinationPortRange '80' -Protocol Tcp `
    -Description "Enable HTTP to $VNetName VNet"

# Allow secure HTTPS incoming internet traffic on port 443 to the frontend subnet
$httpsRule = New-AzureRmNetworkSecurityRuleConfig -Name "Allow-HTTPs" -Direction Inbound -Priority 130 -Access Allow `
    -SourceAddressPrefix INTERNET -SourcePortRange * -DestinationAddressPrefix $FrontendAddress -DestinationPortRange '443' -Protocol Tcp `
    -Description "Enable HTTPs to $VNetName VNet"

# Allow traffic from the Frontend subnet to the Backend subnet on port 3306 only (database)
$allowFrontToBackRule = New-AzureRmNetworkSecurityRuleConfig -Name "Allow-Database-backend" -Direction Inbound -Priority 140 -Access Allow `
    -SourceAddressPrefix $FrontendAddress -SourcePortRange * -DestinationAddressPrefix $BackendAddress -DestinationPortRange '3306' -Protocol Tcp `
    -Description "Enable MySQL DB to backend subnet from dmz"

# Deny all other incoming traffic from the internet on the entire VNet
$denyInternetRule = New-AzureRmNetworkSecurityRuleConfig -Name "Deny-Internet-External" -Direction Inbound -Priority 210 -Access Deny `
    -SourceAddressPrefix INTERNET -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange * -Protocol * `
    -Description "Isolate the $VNetName VNet from the Internet"

# Deny all other incoming traffic from the frontend to the backend subnet.
# Inbound (not Outbound) so that the Allow-Database-backend rule at priority 140 is evaluated first;
# an Outbound deny on the frontend subnet would block the port 3306 traffic on its way out
$denyFrontToBackRule = New-AzureRmNetworkSecurityRuleConfig -Name "Deny-Frontend-Backend" -Direction Inbound -Priority 220 -Access Deny `
    -SourceAddressPrefix $FrontendAddress -SourcePortRange * -DestinationAddressPrefix $BackendAddress -DestinationPortRange * -Protocol * `
    -Description "Deny Frontend subnet access to Backend subnet"

# Deny internet on the backend subnet (prevent internet browsing and downloading)
$denyInternetFromBackend = New-AzureRmNetworkSecurityRuleConfig -Name "Deny-Backend-Internet" -Direction Outbound -Priority 200 -Access Deny `
    -SourceAddressPrefix $BackendAddress -SourcePortRange * -DestinationAddressPrefix Internet -DestinationPortRange * -Protocol * `
    -Description "Block Internet"

# Create the new NSG with all rules (the Allow-Database-backend rule must be included, or the backend denies port 3306 too)
$nsg = New-AzureRmNetworkSecurityGroup -ResourceGroupName $ResourceGroupName -Name $NSGName -Location $DeploymentLocation `
    -SecurityRules $rdpRule,$httpRule,$httpsRule,$allowFrontToBackRule,$denyInternetRule,$denyFrontToBackRule,$denyInternetFromBackend

# Get the existing VNet
$vnet = Get-AzureRmVirtualNetwork -ResourceGroupName $ResourceGroupName -Name $VNetName

# Apply the NSG on the frontend subnet
Set-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name Frontend -NetworkSecurityGroup $nsg -AddressPrefix $FrontendAddress

# Apply the NSG on the backend subnet
Set-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name Backend -NetworkSecurityGroup $nsg -AddressPrefix $BackendAddress

# Apply the changes to the VNet
Set-AzureRmVirtualNetwork -VirtualNetwork $vnet
```
Running the code above creates and configures our firewall rules and applies them to both subnets in our network.
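Before deploying an NSG it helps to check that the rule list above actually yields the traffic flows listed in the design (allow 80/443 to the frontend, 3306 from frontend to backend, deny the rest). The following Python model is an added example, not code from the post or from Azure; it evaluates a flow against the post's rules the way an NSG does (lowest priority number first, first match wins, Azure's default rules last), and since the same NSG sits on both subnets it checks Outbound at the source and Inbound at the destination. The "Internet" service tag is simplified to "any address outside the VNet", and the rule tuples are constructed from the post.

```python
import ipaddress
# Constructed model of this post's NSG rules plus Azure's defaults; "Internet" tag = any address outside the VNet
VNET = ipaddress.ip_network("192.168.0.0/16")
FRONTEND, BACKEND = "192.168.1.0/24", "192.168.2.0/24"

# (name, priority, direction, access, source, destination, destination port)
RULES = [
    ("Allow-RDP", 110, "Inbound", "Allow", "Internet", "*", 3389),
    ("Allow-HTTP", 120, "Inbound", "Allow", "Internet", FRONTEND, 80),
    ("Allow-HTTPs", 130, "Inbound", "Allow", "Internet", FRONTEND, 443),
    ("Allow-Database-backend", 140, "Inbound", "Allow", FRONTEND, BACKEND, 3306),
    ("Deny-Backend-Internet", 200, "Outbound", "Deny", BACKEND, "Internet", "*"),
    ("Deny-Internet-External", 210, "Inbound", "Deny", "Internet", "*", "*"),
    ("Deny-Frontend-Backend", 220, "Inbound", "Deny", FRONTEND, BACKEND, "*"),
    # Azure default rules: evaluated after every custom rule and cannot be removed
    ("AllowVnetInBound", 65000, "Inbound", "Allow", "VirtualNetwork", "VirtualNetwork", "*"),
    ("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*"),
    ("AllowVnetOutBound", 65000, "Outbound", "Allow", "VirtualNetwork", "VirtualNetwork", "*"),
    ("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "Internet", "*"),
    ("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*"),
]

def _matches(prefix, ip):
    """Does an address match a rule prefix: '*', a service tag, or a CIDR?"""
    addr = ipaddress.ip_address(ip)
    if prefix == "*":
        return True
    if prefix in ("VirtualNetwork", "Internet"):
        return (addr in VNET) == (prefix == "VirtualNetwork")
    return addr in ipaddress.ip_network(prefix)

def evaluate(direction, src_ip, dst_ip, dst_port, rules=RULES):
    """First matching rule wins, lowest priority number first; returns (access, rule name)."""
    for name, _prio, d, access, src, dst, port in sorted(rules, key=lambda r: r[1]):
        if d != direction or (port != "*" and port != dst_port):
            continue
        if _matches(src, src_ip) and _matches(dst, dst_ip):
            return access, name
    return "Deny", "no-match"

def flow_allowed(src_ip, dst_ip, dst_port, rules=RULES):
    """Outbound is checked at a VNet source, Inbound at a VNet destination; outside endpoints carry no NSG."""
    if ipaddress.ip_address(src_ip) in VNET and \
            evaluate("Outbound", src_ip, dst_ip, dst_port, rules)[0] != "Allow":
        return False
    if ipaddress.ip_address(dst_ip) in VNET and \
            evaluate("Inbound", src_ip, dst_ip, dst_port, rules)[0] != "Allow":
        return False
    return True
```

Two checks worth running: the Allow-RDP rule has destination `*`, so port 3389 from the internet also reaches the backend subnet; and changing Deny-Frontend-Backend to Outbound (as one might be tempted to) blocks the port 3306 database traffic at the frontend's egress.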
Now that we have a network ready, we can start building and deploying our Virtual Machines and applications into it. We will be using Visual Studio to author "Template Deployment" scripts in Part 2 of this post to do just that!