diff --git a/azure/templates/marketplace-gateway-load-balancer/createUiDefinition.json b/azure/templates/marketplace-gateway-load-balancer/createUiDefinition.json index f1f40e9a..c989085c 100644 --- a/azure/templates/marketplace-gateway-load-balancer/createUiDefinition.json +++ b/azure/templates/marketplace-gateway-load-balancer/createUiDefinition.json @@ -292,7 +292,7 @@ "label": "Number of Availability Zones to use", "defaultValue": "None", "toolTip": "The number of avalability zones to use for the scale set. Note that the load balancers and their IP addresses will be zone redundant in any case.", - "visible": "[contains(' australiaeast brazilsouth canadacentral centralus eastasia eastus eastus2 francecentral germanywestcentral japaneast koreacentral northeurope norwayeast southafricanorth southcentralus southeastasia swedencentral uksouth usgovvirginia westeurope westus2 westus3 switzerlandnorth qatarcentral centralindia uaenorth ', concat(' ', location(), ' '))]", + "visible": "[contains(' australiaeast brazilsouth canadacentral centralus eastasia eastus eastus2 francecentral germanywestcentral japaneast koreacentral northeurope norwayeast southafricanorth southcentralus southeastasia swedencentral uksouth usgovvirginia westeurope westus2 westus3 switzerlandnorth qatarcentral centralindia uaenorth italynorth ', concat(' ', location(), ' '))]", "constraints": { "allowedValues": [ { 
@@ -1279,6 +1279,18 @@ ] } }, + { + "name": "additionalDiskSizeGB", + "type": "Microsoft.Common.TextBox", + "label": "Additional disk space (GB)", + "defaultValue": "0", + "toolTip": "Additional disk space (in GB), initial disk size is 100 GB.", + "constraints": { + "regex": "^([0-9]|[1-9][0-9]|[1-9][0-9][0-9]|[1-2][0-9][0-9][0-9]|3[0-8][0-9][0-9]|399[0-5])$", + "validationMessage": "Select a number between 0 and 3995" + }, + "visible": "[not(contains('R80.40 R81 R81.10 R81.20', steps('chkp').cloudGuardVersion))]" + }, { "name": "useCustomImageUri", "type": "Microsoft.Common.OptionsGroup", @@ -1411,6 +1423,27 @@ "validationMessage": "Only alphanumeric characters are allowed, and the name must be 1-30 characters long." }, "visible": "[steps('network').NSG]" + }, + { + "name": "addStorageAccountIpRules", + "type": "Microsoft.Common.OptionsGroup", + "defaultValue": "Network access from all networks", + "label": "Storage Account Network Access", + "toolTip": "Select your preferred network access to the Storage Account, for more information - https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/serial-console-linux#serial-console-security", + "constraints": { + "allowedValues": [ + { + "label": "Network access from all networks", + "value": false + }, + { + "label": "Network access only from Serial Console", + "value": true + } + ], + "required": true + }, + "visible": true } ] }, @@ -1460,6 +1493,7 @@ "sicKey": "[steps('chkp').sicKeyUi]", "bootstrapScript": "[steps('chkp').bootstrapScript]", "allowDownloadFromUploadToCheckPoint": "[coalesce(steps('chkp').allowUploadDownload, 'true')]", + "additionalDiskSizeGB": "[int(steps('chkp').additionalDiskSizeGB)]", "diskType": "[if(contains('R80.40 R81 R81.10' , steps('chkp').cloudGuardVersion) , steps('chkp').VMDiskTypeOldVersions , steps('chkp').VMDiskType)]", "sourceImageVhdUri": "[coalesce(steps('chkp').sourceImageVhdUri, 'noCustomUri')]", "virtualNetworkName": "[steps('network').virtualNetwork.name]", 
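Review bot: The new `addStorageAccountIpRules` element is shown unconditionally (`"visible": true`) even though mainTemplate's `SerialConsoleGeographies` map in this same diff has no entry for several regions this UI offers in the zone list at L1 — southafricanorth, usgovvirginia, qatarcentral and the newly added italynorth — so choosing "Network access only from Serial Console" there yields a storage account with `defaultAction: Deny` and no allow rules. Gate the restrictive choice the way the zone picker does, e.g. `"visible": "[contains(' eastasia southeastasia australiaeast ... westus ', concat(' ', location(), ' '))]"` built from the map's keys, or at least state in the toolTip which regions are supported. Separately, `additionalDiskSizeGB`'s `visible` relies on `contains('R80.40 R81 R81.10 R81.20', steps('chkp').cloudGuardVersion)`, a substring test; if that element holds the full marketplace label (as the `osVersions` keys such as 'R81.20 - Pay As You Go (NGTX)' in mainTemplate suggest) it never matches, the box is always shown, and mainTemplate silently zeroes the value for those versions — confirm what the element actually holds.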
@@ -1474,6 +1508,7 @@ "deployNewNSG": "[steps('network').NSG]", "ExistingNSG": "[steps('network').nsgSelector]", "NewNsgName": "[steps('network').NSGName]", + "addStorageAccountIpRules":"[steps('network').addStorageAccountIpRules]", "SerialConsolePasswordHash": "[steps('chkp').AdditionalPassword]", "MaintenanceModePasswordHash": "[steps('chkp').MaintenanceModePassword]" } diff --git a/azure/templates/marketplace-gateway-load-balancer/mainTemplate.json b/azure/templates/marketplace-gateway-load-balancer/mainTemplate.json index 8e91fee9..384e5b9f 100644 --- a/azure/templates/marketplace-gateway-load-balancer/mainTemplate.json +++ b/azure/templates/marketplace-gateway-load-balancer/mainTemplate.json @@ -267,6 +267,15 @@ "description": "The IP address used to manage the VMSS instances." } }, + "additionalDiskSizeGB": { + "type": "int", + "defaultValue": 0, + "metadata": { + "description": "Amount of additional disk space (in GB), not relevant for R81.20 and below" + }, + "minValue": 0, + "maxValue": 3995 + }, "diskType": { "type": "string", "defaultValue": "Standard_LRS", @@ -386,6 +395,20 @@ "NewNsgName": { "type": "string", "defaultValue": "[concat(parameters('vmName'),'-nsg')]" + }, + "addStorageAccountIpRules": { + "type": "bool", + "metadata": { + "description": "Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location, based on https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/serial-console-linux#use-serial-console-with-custom-boot-diagnostics-storage-account-firewall-enabled" + }, + "defaultValue" : false + }, + "storageAccountAdditionalIps":{ + "type": "array", + "metadata": { + "description": "IPs/CIDRs that are allowed access to the Storage Account" + }, + "defaultValue" : [] } }, "variables": { 
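Review bot: `storageAccountAdditionalIps` is taken as a free-form array whose every element becomes an `Allow` rule on the boot-diagnostics account, yet its `metadata` says nothing about what Azure will accept and nothing in createUiDefinition populates it, so marketplace deployers who pick the restricted option can never add their own addresses. Spell out the contract: `"description": "Public IPv4 addresses or CIDR ranges (e.g. 203.0.113.0/24) allowed to reach the boot-diagnostics Storage Account in addition to the Azure Serial Console service IPs for the deployment region; only used when addStorageAccountIpRules is true."` (Storage IP rules reject private ranges, if I recall the firewall docs correctly — verify before quoting that). The `addStorageAccountIpRules` description should also say that the Serial Console IP list is embedded in the template and must be refreshed when Microsoft updates it.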
@@ -411,10 +434,60 @@ "R81.20 - Pay As You Go (NGTX)": "R8120" }, "osVersion": "[variables('osVersions')[parameters('cloudGuardVersion')]]", + "SerialConsoleGeographies": { + "eastasia" : ["20.205.69.28", "20.195.85.180"], + "southeastasia" : ["20.205.69.28", "20.195.85.180"], + "australiacentral" : ["20.53.53.224", "20.70.222.112"], + "australiacentral2" : ["20.53.53.224", "20.70.222.112"], + "australiaeast" : ["20.53.53.224", "20.70.222.112"], + "australiasoutheast" : ["20.53.53.224", "20.70.222.112"], + "brazilsouth" : ["91.234.136.63", "20.206.0.194"], + "brazilsoutheast" : ["91.234.136.63", "20.206.0.194"], + "canadacentral" : ["52.228.86.177", "52.242.40.90"], + "canadaeast" : ["52.228.86.177", "52.242.40.90"], + "northeurope" : ["52.146.139.220", "20.105.209.72"], + "westeurope" : ["52.146.139.220", "20.105.209.72"], + "francecentral" : ["20.111.0.244", "52.136.191.10"], + "francesouth" : ["20.111.0.244", "52.136.191.10"], + "germanynorth" : ["51.116.75.88", "20.52.95.48"], + "germanywestcentral" : ["51.116.75.88", "20.52.95.48"], + "centralindia" : ["20.192.168.150", "20.192.153.104"], + "southindia" : ["20.192.168.150", "20.192.153.104"], + "westindia" : ["20.192.168.150", "20.192.153.104"], + "japaneast" : ["20.43.70.205", "20.189.228.222"], + "japanwest" : ["20.43.70.205", "20.189.228.222"], + "koreacentral" : ["20.200.196.96", "52.147.119.29"], + "koreasouth" : ["20.200.196.96", "52.147.119.29"], + "norwaywest" : ["20.100.1.184", "51.13.138.76"], + "norwayeast" : ["20.100.1.184", "51.13.138.76"], + "switzerlandnorth" : ["20.208.4.98", "51.107.251.190"], + "switzerlandwest" : ["20.208.4.98", "51.107.251.190"], + "uaecentral" : ["20.45.95.66", "20.38.141.5"], + "uaenorth" : ["20.45.95.66", "20.38.141.5"], + "uksouth" : ["20.90.132.144", "20.58.68.62"], + "ukwest" : ["20.90.132.144", "20.58.68.62"], + "swedencentral" : ["51.12.72.223", "51.12.22.174"], + "swedensouth" : ["51.12.72.223", "51.12.22.174"], + "centralus" : ["20.98.146.84", "20.98.194.64", 
"20.69.5.162", "20.83.222.102"], + "eastus2" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "eastus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "northcentralus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "southcentralus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "westus2" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "westus3" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "westcentralus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "westus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "eastus2euap" : ["20.45.242.18", "20.51.21.252"], + "centraluseuap" : ["20.45.242.18", "20.51.21.252"]}, + "serialConsoleIps": "[if(contains(variables('serialConsoleGeographies'),variables('location')),variables('serialConsoleGeographies')[variables('location')],createArray())]", + "storageAccountIps" : "[concat(variables('SerialConsoleIps'),parameters('storageAccountAdditionalIps'))]", "isBlink": true, "subnet1Name": "[parameters('subnet1Name')]", "storageAccountName": "[concat('bootdiag', uniqueString(variables('resourceGroup').id, deployment().name))]", "storageAccountType": "Standard_LRS", + "diskSize100GB": 100, + "additionalDiskSizeGB": "[if(contains('R8040 R81 R8110 R8120', variables('osVersion')), 0, parameters('additionalDiskSizeGB'))]", + "diskSizeGB": "[add(variables('additionalDiskSizeGB'), variables('diskSize100GB'))]", "customData": "[concat('#!/usr/bin/python3 /etc/cloud_config.py\n', '\n', 'installationType=\"', variables('installationType'), '\"', '\n', 'allowUploadDownload=\"', variables('allowUploadDownload'), '\"', '\n', 'osVersion=\"', variables('osVersion'), '\"', '\n', 'templateName=\"', variables('templateName'), '\"', '\n', 'isBlink=\"', variables('isBlink'), '\"', '\n', 'templateVersion=\"', variables('templateVersion'), '\"', '\n', 'bootstrapScript64=\"', 
variables('bootstrapScript64'), '\"', '\n', 'location=\"', variables('location'), '\"', '\n', 'sicKey=\"', variables('sicKey'), '\"', '\n', 'customMetrics=\"', variables('customMetrics'), '\"', '\n', 'adminShell=\"', parameters('adminShell'), '\"', '\n', 'MaintenanceModePassword=\"', parameters('MaintenanceModePasswordHash'), '\"', '\n', 'passwordHash=\"', parameters('SerialConsolePasswordHash'), '\"', '\n')]", "imageOffer": "[concat('check-point-cg-', toLower(variables('osVersion')))]", "imagePublisher": "checkpoint", @@ -544,7 +617,8 @@ "japaneast", "koreacentral", "southeastasia", - "eastasia" + "eastasia", + "italynorth" ], "availabilityZonesProperty": "[range(1, parameters('availabilityZonesNum'))]", "mgmtInterface": "[if(equals(parameters('instanceLevelPublicIP'), 'yes'), parameters('mgmtInterfaceOpt1'), 'eth0-private')]", @@ -571,7 +645,7 @@ "resources": [ { "apiVersion": "2020-06-01", - "name": "pid-6f13b00a-7546-4ab2-be9f-c66815cc6c8b-partnercenter", + "name": "pid-5432b4df-d783-57a2-b65f-39f4bca4974a", "type": "Microsoft.Resources/deployments", "properties": { "mode": "Incremental", @@ -749,7 +823,12 @@ "properties": { "supportsHttpsTrafficOnly": true, "allowBlobPublicAccess": false, - "minimumTlsVersion": "TLS1_2" + "minimumTlsVersion": "TLS1_2", + "networkAcls": { + "bypass": "None", + "defaultAction": "[if(parameters('addStorageAccountIpRules'), 'Deny', 'Allow')]", + "ipRules": "[if(parameters('addStorageAccountIpRules'), map(variables('storageAccountIps'), lambda('ip',createObject('action','Allow','value',lambdaVariables('ip')))), createArray())]" + } }, "location": "[variables('location')]", "sku": { 
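Review bot: `serialConsoleIps` silently becomes `createArray()` for any `variables('location')` missing from `SerialConsoleGeographies`, and the zone list at L1 offers regions the map lacks (southafricanorth, usgovvirginia, qatarcentral, italynorth); there, `addStorageAccountIpRules` produces `defaultAction: Deny`, `bypass: None` and an empty `ipRules` — a boot-diagnostics account nothing can reach, with no deploy-time error. Either add those regions to the map or make the miss fail loudly, e.g. index the map inside the storage resource's `ipRules` expression (`concat(variables('serialConsoleGeographies')[variables('location')], parameters('storageAccountAdditionalIps'))`) so an unsupported region stops with a missing-key error; ARM's `if()` is documented as evaluating only the selected branch, so the lookup would not fire when the option is off — worth confirming. The IP list is a snapshot of Microsoft's published Serial Console addresses; record the source URL and snapshot date in the `addStorageAccountIpRules` metadata, because a stale entry breaks Serial Console with no symptom beyond a timeout. The lookup is also an exact match on `variables('location')`, so if that value can arrive in display form ('East US') it will miss the map as well.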
@@ -805,6 +884,7 @@ "UserData": "[base64(concat(variables('customData'), '\n', 'vnet=\"', if(equals(parameters('vnetNewOrExisting'), 'new'), reference('networkNewSetup').outputs.vnetAddressPrefix.value, reference('networkExistingSetup').outputs.vnetAddressPrefix.value), '\"', '\n' ))]", "storageProfile": { "osDisk": { + "diskSizeGB": "[variables('diskSizeGB')]", "caching": "ReadWrite", "createOption": "FromImage", "managedDisk": { @@ -826,9 +906,9 @@ "name": "eth0", "properties": { "primary": true, - "enableIPForwarding": false, + "enableIPForwarding": true, "enableAcceleratedNetworking": true, - "networkSecurityGroup": "[if(parameters('deployNewNSG') , variables('NewNsgReference') , parameters('ExistingNSG'))]", + "networkSecurityGroup":"[if(parameters('deployNewNSG') , variables('NewNsgReference') , parameters('ExistingNSG'))]", "ipConfigurations": [ { "name": "ipconfig1", diff --git a/azure/templates/marketplace-ha/createUiDefinition.json b/azure/templates/marketplace-ha/createUiDefinition.json index 3833a3f3..54546c6f 100644 --- a/azure/templates/marketplace-ha/createUiDefinition.json +++ b/azure/templates/marketplace-ha/createUiDefinition.json 
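Review bot: Flipping `enableIPForwarding` on eth0 to `true` is a security-relevant change for the VMSS NIC — it lets the instance emit packets whose source address is not its own — and nothing in the template records why it is now required. ARM JSON has no comments, so put the rationale where a reader will find it, e.g. a `"comments"` property on the VMSS resource: `"comments": "enableIPForwarding must be true on eth0 so the gateway can forward traffic delivered by the Gateway Load Balancer; the attached NSG bounds what is accepted."` That rationale is my inference from the template name; confirm it with the author. The NSG reference on the following line is what constrains the forwarded traffic, so keep the two settings documented together.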
@@ -1632,7 +1632,7 @@ "label": "Availability options", "defaultValue": "Availability Set", "toolTip": "Use replicated Cluster VMs in Availability Set or Availability Zones. Note that the load balancers and their IP addresses will be zone redundant in any case.", - "visible": "[contains(' australiaeast brazilsouth canadacentral centralus eastasia eastus eastus2 francecentral germanywestcentral japaneast koreacentral northeurope norwayeast southafricanorth southcentralus southeastasia swedencentral uksouth usgovvirginia westeurope westus2 westus3 switzerlandnorth qatarcentral centralindia uaenorth ', concat(' ', location(), ' '))]", + "visible": "[contains(' australiaeast brazilsouth canadacentral centralus eastasia eastus eastus2 francecentral germanywestcentral japaneast koreacentral northeurope norwayeast southafricanorth southcentralus southeastasia swedencentral uksouth usgovvirginia westeurope westus2 westus3 switzerlandnorth qatarcentral centralindia uaenorth italynorth \\ ', concat(' ', location(), ' '))]", "constraints": { "allowedValues": [ { @@ -1738,7 +1738,7 @@ "type": "Microsoft.Common.TextBox", "label": "Additional disk space (GB)", "defaultValue": "0", - "toolTip": "Additional disk space (in GB), Initial disk size is 100 GB.", + "toolTip": "Additional disk space (in GB), initial disk size is 100 GB.", "constraints": { "regex": "^([0-9]|[1-9][0-9]|[1-9][0-9][0-9]|[1-2][0-9][0-9][0-9]|3[0-8][0-9][0-9]|399[0-5])$", "validationMessage": "Select a number between 0 and 3995" 
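Review bot: The updated `visible` list now contains ` italynorth \\ `, a stray escaped backslash that lands inside the region string; it does no harm to the `contains` check (it only adds a bogus `\` token) but it is plainly a typo and makes this list diverge from the identical one in marketplace-gateway-load-balancer. Drop it: `"visible": "[contains(' australiaeast brazilsouth canadacentral centralus eastasia eastus eastus2 francecentral germanywestcentral japaneast koreacentral northeurope norwayeast southafricanorth southcentralus southeastasia swedencentral uksouth usgovvirginia westeurope westus2 westus3 switzerlandnorth qatarcentral centralindia uaenorth italynorth ', concat(' ', location(), ' '))]"`.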
@@ -2241,6 +2241,27 @@ "validationMessage": "Only alphanumeric characters are allowed, and the name must be 1-30 characters long." }, "visible": "[steps('network').NSG]" + }, + { + "name": "addStorageAccountIpRules", + "type": "Microsoft.Common.OptionsGroup", + "defaultValue": "Network access from all networks", + "label": "Storage Account Network Access", + "toolTip": "Select your preferred network access to the Storage Account, for more information - https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/serial-console-linux#serial-console-security", + "constraints": { + "allowedValues": [ + { + "label": "Network access from all networks", + "value": false + }, + { + "label": "Network access only from Serial Console", + "value": true + } + ], + "required": true + }, + "visible": true } ] }, @@ -2305,6 +2326,7 @@ "deployNewNSG": "[steps('network').NSG]", "ExistingNSG": "[steps('network').nsgSelector]", "NewNsgName": "[steps('network').NSGName]", + "addStorageAccountIpRules":"[steps('network').addStorageAccountIpRules]", "VipsNumber": "[int(steps('network').Vips_Number)]", "VipNames": "[concat(steps('network').VIP_Names.VIP2_Name, ',', steps('network').VIP_Names.VIP3_Name, ',', steps('network').VIP_Names.VIP4_Name, ',', steps('network').VIP_Names.VIP5_Name, ',', steps('network').VIP_Names.VIP6_Name, ',', steps('network').VIP_Names.VIP7_Name, ',', steps('network').VIP_Names.VIP8_Name, ',', steps('network').VIP_Names.VIP9_Name, ',', steps('network').VIP_Names.VIP10_Name)]", "SerialConsolePasswordHash": "[steps('chkp').AdditionalPassword]", diff --git a/azure/templates/marketplace-ha/mainTemplate.json b/azure/templates/marketplace-ha/mainTemplate.json index 2421f2cd..07b04add 100644 --- a/azure/templates/marketplace-ha/mainTemplate.json +++ b/azure/templates/marketplace-ha/mainTemplate.json 
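Review bot: `addStorageAccountIpRules` is offered in every region (`"visible": true`) while the region list this same file uses for availability options at L8 includes usgovvirginia, southafricanorth, qatarcentral and italynorth, none of which marketplace-ha's mainTemplate `SerialConsoleGeographies` map knows; a deployer who picks "Network access only from Serial Console" there gets a storage account with `defaultAction: Deny` and no allow rules. Hide the element, or at least the restrictive value, outside the mapped regions using the same `contains(' … ', concat(' ', location(), ' '))` pattern as at L8. The toolTip should also say that only the Serial Console service IPs for the deployment region are allowed (plus `storageAccountAdditionalIps`, which this UI does not expose), so the deployer knows their own access is cut off.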
@@ -256,13 +256,6 @@ "Premium_LRS" ] }, - "role": { - "type": "string", - "defaultValue": "Contributor", - "metadata": { - "description": "Role" - } - }, "managedSystemAssigned": { "type": "string", "allowedValues": [ @@ -350,7 +343,22 @@ "VipNames": { "type": "string", "defaultValue": "" + }, + "addStorageAccountIpRules": { + "type": "bool", + "metadata": { + "description": "Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location, based on https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/serial-console-linux#use-serial-console-with-custom-boot-diagnostics-storage-account-firewall-enabled, based on https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/serial-console-linux#use-serial-console-with-custom-boot-diagnostics-storage-account-firewall-enabled" + }, + "defaultValue" : false + }, + "storageAccountAdditionalIps":{ + "type": "array", + "metadata": { + "description": "IPs/CIDRs that are allowed access to the Storage Account" + }, + "defaultValue" : [] } + }, "variables": { "VIPs_Number": "[int(parameters('VipsNumber'))]", 
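Review bot: The `addStorageAccountIpRules` description repeats "based on https://learn.microsoft.com/…" twice — a copy-paste slip unique to this template (the gateway and management copies carry it once); trim it to `"description": "Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location, based on https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/serial-console-linux#use-serial-console-with-custom-boot-diagnostics-storage-account-firewall-enabled"`. Removing the `role` parameter, which let a deployer hand the cluster identity any roleDefinitionId with Contributor as the default, is the right direction, but it is a breaking parameter removal: parameter files that still pass `role` will be rejected, so note it in the release notes.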
@@ -390,6 +398,53 @@ "R81.20 - Pay As You Go (NGTX)": "R8120" }, "osVersion": "[variables('osVersions')[parameters('cloudGuardVersion')]]", + "SerialConsoleGeographies": { + "eastasia" : ["20.205.69.28", "20.195.85.180"], + "southeastasia" : ["20.205.69.28", "20.195.85.180"], + "australiacentral" : ["20.53.53.224", "20.70.222.112"], + "australiacentral2" : ["20.53.53.224", "20.70.222.112"], + "australiaeast" : ["20.53.53.224", "20.70.222.112"], + "australiasoutheast" : ["20.53.53.224", "20.70.222.112"], + "brazilsouth" : ["91.234.136.63", "20.206.0.194"], + "brazilsoutheast" : ["91.234.136.63", "20.206.0.194"], + "canadacentral" : ["52.228.86.177", "52.242.40.90"], + "canadaeast" : ["52.228.86.177", "52.242.40.90"], + "northeurope" : ["52.146.139.220", "20.105.209.72"], + "westeurope" : ["52.146.139.220", "20.105.209.72"], + "francecentral" : ["20.111.0.244", "52.136.191.10"], + "francesouth" : ["20.111.0.244", "52.136.191.10"], + "germanynorth" : ["51.116.75.88", "20.52.95.48"], + "germanywestcentral" : ["51.116.75.88", "20.52.95.48"], + "centralindia" : ["20.192.168.150", "20.192.153.104"], + "southindia" : ["20.192.168.150", "20.192.153.104"], + "westindia" : ["20.192.168.150", "20.192.153.104"], + "japaneast" : ["20.43.70.205", "20.189.228.222"], + "japanwest" : ["20.43.70.205", "20.189.228.222"], + "koreacentral" : ["20.200.196.96", "52.147.119.29"], + "koreasouth" : ["20.200.196.96", "52.147.119.29"], + "norwaywest" : ["20.100.1.184", "51.13.138.76"], + "norwayeast" : ["20.100.1.184", "51.13.138.76"], + "switzerlandnorth" : ["20.208.4.98", "51.107.251.190"], + "switzerlandwest" : ["20.208.4.98", "51.107.251.190"], + "uaecentral" : ["20.45.95.66", "20.38.141.5"], + "uaenorth" : ["20.45.95.66", "20.38.141.5"], + "uksouth" : ["20.90.132.144", "20.58.68.62"], + "ukwest" : ["20.90.132.144", "20.58.68.62"], + "swedencentral" : ["51.12.72.223", "51.12.22.174"], + "swedensouth" : ["51.12.72.223", "51.12.22.174"], + "centralus" : ["20.98.146.84", "20.98.194.64", 
"20.69.5.162", "20.83.222.102"], + "eastus2" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "eastus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "northcentralus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "southcentralus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "westus2" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "westus3" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "westcentralus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "westus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "eastus2euap" : ["20.45.242.18", "20.51.21.252"], + "centraluseuap" : ["20.45.242.18", "20.51.21.252"]}, + "serialConsoleIps": "[if(contains(variables('serialConsoleGeographies'),variables('location')),variables('serialConsoleGeographies')[variables('location')],createArray())]", + "storageAccountIps" : "[concat(variables('SerialConsoleIps'),parameters('storageAccountAdditionalIps'))]", "isBlink": true, "storageAccountName": "[concat('bootdiag', uniqueString(resourceGroup().id, deployment().name))]", "storageAccountType": "Standard_LRS", 
@@ -489,7 +544,7 @@ "publisher": "[variables('imagePublisher')]" }, "plan": "[if(equals(variables('offer'), 'BYOL') , variables('planBYOL'), if(equals(variables('offer'), 'NGTP'), variables('planNGTP'), if(equals(variables('offer'), 'NGTP-V2'), variables('planNGTP-V2'), if(equals(variables('offer'), 'NGTX'), variables('planNGTX'), if(equals(variables('offer'), 'NGTX-V2'), variables('planNGTX-V2'), json('null'))))))]", - "roleDefinitionId": "[if(equals(parameters('role'), 'Contributor'), subscriptionResourceId('Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c'), parameters('role'))]", + "roleDefinitionIds": "[createArray(subscriptionResourceId('Microsoft.Authorization/roleDefinitions/', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c'), subscriptionResourceId('Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7'))]", "identity": "[json('{\"type\": \"SystemAssigned\"}')]", "subnet2PrivateAddresses": [ "[concat(split(parameters('subnet2StartAddress'), '.')[0],'.', split(parameters('subnet2StartAddress'), '.')[1],'.', split(parameters('subnet2StartAddress'), '.')[2],'.', string(add(int(split(parameters('subnet2StartAddress'), '.')[3]),1)))]", @@ -537,7 +592,8 @@ "japaneast", "koreacentral", "southeastasia", - "eastasia" + "eastasia", + "italynorth" ], "availabilitySetProperty": { "id": "[resourceId('Microsoft.Compute/availabilitySets', variables('availabilitySetName'))]" @@ -681,7 +737,12 @@ "properties": { "supportsHttpsTrafficOnly": true, "allowBlobPublicAccess": false, - "minimumTlsVersion": "TLS1_2" + "minimumTlsVersion": "TLS1_2", + "networkAcls": { + "bypass": "None", + "defaultAction": "[if(parameters('addStorageAccountIpRules'), 'Deny', 'Allow')]", + "ipRules": "[if(parameters('addStorageAccountIpRules'), map(variables('storageAccountIps'), lambda('ip',createObject('action','Allow','value',lambdaVariables('ip')))), createArray())]" + } }, "location": "[variables('location')]", "sku": { 
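Review bot: `roleDefinitionIds` carries two bare GUIDs with nothing saying what they grant; if I read them correctly they are the built-in Virtual Machine Contributor (9980e02c-…) and Reader (acdd72a7-…) roles, and the role-assignment resource later in this diff applies them at `resourceGroup().id` scope to both cluster members. Name them so the intent is auditable without a lookup: `"vmContributorRoleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]"`, `"readerRoleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]"`, `"roleDefinitionIds": "[createArray(variables('vmContributorRoleDefinitionId'), variables('readerRoleDefinitionId'))]"`. This is a clear narrowing from the old Contributor default, but still resource-group-wide; a sentence in the `managedSystemAssigned` parameter docs on which failover operations need these rights would let reviewers judge whether a tighter scope is possible.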
@@ -890,9 +951,9 @@ "properties": { "primary": true, "enableIPForwarding": true, - "enableAcceleratedNetworking": "[not(equals(variables('osVersion'), 'R8010'))]", - "networkSecurityGroup": "[if(parameters('deployNewNSG') , variables('NewNsgReference') , parameters('ExistingNSG'))]", - "ipConfigurations": "[union(variables('DefaultIpAddresses'),variables('Vips'))]" + "enableAcceleratedNetworking": true, + "networkSecurityGroup":"[if(parameters('deployNewNSG') , variables('NewNsgReference') , parameters('ExistingNSG'))]", + "ipConfigurations":"[union(variables('DefaultIpAddresses'),variables('Vips'))]" }, "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/networkInterfaces'), parameters('tagsByResource')['Microsoft.Network/networkInterfaces'], json('{}')) ]" }, @@ -909,8 +970,8 @@ "properties": { "primary": true, "enableIPForwarding": true, - "enableAcceleratedNetworking": "[not(equals(variables('osVersion'), 'R8010'))]", - "networkSecurityGroup": "[if(parameters('deployNewNSG') , variables('NewNsgReference') , parameters('ExistingNSG'))]", + "enableAcceleratedNetworking": true, + "networkSecurityGroup":"[if(parameters('deployNewNSG') , variables('NewNsgReference') , parameters('ExistingNSG'))]", "ipConfigurations": [ { "name": "member-ip", @@ -951,7 +1012,7 @@ "properties": { "primary": false, "enableIPForwarding": true, - "enableAcceleratedNetworking": "[not(equals(variables('osVersion'), 'R8010'))]", + "enableAcceleratedNetworking": true, "ipConfigurations": [ { "name": "member-ip", 
@@ -1112,22 +1173,26 @@ "name": "[guid(resourceGroup().id, concat(parameters('vmName'), copyIndex(1)))]", "copy": { "name": "virtualMachineCopy", - "count": "[variables('count')]" + "count": "[mul(length(variables('roleDefinitionIds')), variables('count'))]" }, "dependsOn": [ - "[resourceId('Microsoft.Compute/virtualMachines/', concat(parameters('vmName'), copyIndex(1)))]" + "[resourceId('Microsoft.Compute/virtualMachines/', concat(parameters('vmName'), if(equals(mod(copyIndex(1), 2), 1), '1', '2')))]" ], "properties": { - "roleDefinitionId": "[variables('roleDefinitionId')]", + "roleDefinitionId": "[variables('roleDefinitionIds')[if(greater(copyIndex(1), 2), 1, 0)]]", "scope": "[resourceGroup().id]", - "principalId": "[reference(resourceId('Microsoft.Compute/virtualMachines/', concat(parameters('vmName'), copyIndex(1))), '2022-11-01', 'Full').identity.principalId]" + "principalId": "[reference(resourceId('Microsoft.Compute/virtualMachines/', concat(parameters('vmName'), if(equals(mod(copyIndex(1), 2), 1), '1', '2'))), '2022-11-01', 'Full').identity.principalId]" }, "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Authorization/roleAssignments'), parameters('tagsByResource')['Microsoft.Authorization/roleAssignments'], json('{}')) ]" }, { "condition": "[and(equals(parameters('managedSystemAssigned'), 'yes'), not(parameters('deployNewNSG')))]", "dependsOn": ["[resourceId('Microsoft.Compute/virtualMachines/', concat(parameters('vmName'), '1'))]"], - "name": "ExistingNsgRoleAssignment", + "name": "[concat('ExistingNsgRoleAssignment', copyIndex())]", + "copy": { + "name": "ExistingNsgRoleAssignmentCopy", + "count": "[length(variables('roleDefinitionIds'))]" + }, "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", "resourceGroup": "[if(not(parameters('deployNewNSG')), split(parameters('ExistingNSG').id, '/')[4], '')]", 
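Review bot: The member and role selection in the role-assignment copy loop hard-codes two members and two roles — `mod(copyIndex(1), 2)` and `greater(copyIndex(1), 2)` only line up with `count = mul(length(variables('roleDefinitionIds')), variables('count'))` when `variables('count')` is exactly 2, and a third role would map onto the wrong member. Derive both indices from the loop size instead: `concat(parameters('vmName'), add(mod(sub(copyIndex(1), 1), variables('count')), 1))` for the VM name in both `dependsOn` and `principalId`, and `"roleDefinitionId": "[variables('roleDefinitionIds')[div(sub(copyIndex(1), 1), variables('count'))]]"`. With count 2 and two roles this produces the same (1,role0),(2,role0),(1,role1),(2,role1) sequence the hunk yields today. The `ExistingNsgRoleAssignment` nested deployment that begins at the end of this hunk continues past it.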
@@ -1146,13 +1211,16 @@ "value": "[parameters('vmName')]" }, "roleDefinitionId": { - "value": "[variables('roleDefinitionId')]" + "value": "[variables('roleDefinitionIds')[copyIndex()]]" }, "principalId1": { "value": "[reference(resourceId('Microsoft.Compute/virtualMachines/', concat(parameters('vmName'), '1')), '2022-11-01', 'Full').identity.principalId]" }, "principalId2": { "value": "[reference(resourceId('Microsoft.Compute/virtualMachines/', concat(parameters('vmName'), '2')), '2022-11-01', 'Full').identity.principalId]" + }, + "index": { + "value": "[copyIndex()]" } } } diff --git a/azure/templates/marketplace-management/createUiDefinition.json b/azure/templates/marketplace-management/createUiDefinition.json index 0b64bbec..4aaf94c5 100644 --- a/azure/templates/marketplace-management/createUiDefinition.json +++ b/azure/templates/marketplace-management/createUiDefinition.json @@ -608,7 +608,7 @@ "type": "Microsoft.Common.TextBox", "label": "Additional disk space (GB)", "defaultValue": "0", - "toolTip": "Additional disk space (in GB), Initial disk size is 100 GB.", + "toolTip": "Additional disk space (in GB), initial disk size is 100 GB.", "constraints": { "regex": "^([0-9]|[1-9][0-9]|[1-9][0-9][0-9]|[1-2][0-9][0-9][0-9]|3[0-8][0-9][0-9]|399[0-5])$", "validationMessage": "Select a number between 0 and 3995" 
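Review bot: The nested `ExistingNsgRoleAssignment` deployment now passes a new `index` parameter, but the linked template is not part of this diff; if it does not declare `index`, every HA deployment onto an existing NSG fails validation, and if it does, its role-assignment `name` guid must fold in `index` (or the roleDefinitionId) or the two copies will collide on the same assignment name. Presumably that is what `index` is for — worth a `"comments": "index distinguishes the per-role copies; the linked template must include it in the role assignment name"` on the deployment resource, which starts before this hunk.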
@@ -745,6 +745,27 @@ "validationMessage": "Only alphanumeric characters are allowed, and the name must be 1-30 characters long." }, "visible": "[steps('network').NSG]" + }, + { + "name": "addStorageAccountIpRules", + "type": "Microsoft.Common.OptionsGroup", + "defaultValue": "Network access from all networks", + "label": "Storage Account Network Access", + "toolTip": "Select your preferred network access to the Storage Account, for more information - https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/serial-console-linux#serial-console-security", + "constraints": { + "allowedValues": [ + { + "label": "Network access from all networks", + "value": false + }, + { + "label": "Network access only from Serial Console", + "value": true + } + ], + "required": true + }, + "visible": true } ] }, @@ -797,6 +818,7 @@ "deployNewNSG": "[steps('network').NSG]", "ExistingNSG": "[steps('network').nsgSelector]", "NewNsgName": "[steps('network').NSGName]", + "addStorageAccountIpRules":"[steps('network').addStorageAccountIpRules]", "SerialConsolePasswordHash": "[steps('chkp').AdditionalPassword]", "MaintenanceModePasswordHash": "[steps('chkp').MaintenanceModePassword]" } diff --git a/azure/templates/marketplace-management/mainTemplate.json b/azure/templates/marketplace-management/mainTemplate.json index 1103a8bb..877236ef 100644 --- a/azure/templates/marketplace-management/mainTemplate.json +++ b/azure/templates/marketplace-management/mainTemplate.json 
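Review bot: A deployer who selects "Network access only from Serial Console" has no way from this UI to allow any further source: mainTemplate's `storageAccountAdditionalIps` exists for exactly that, but nothing in this step binds to it, so it is always `[]`. Add a TextBox bound to it, shown only when this OptionsGroup is `true`, and make the consequence explicit in the toolTip: `"toolTip": "Restricts the boot-diagnostics Storage Account to the Azure Serial Console service IPs for the deployment region; all other sources are denied unless listed under additional allowed IPs."`. The permissive value stays the default, which preserves prior behavior but means a fresh marketplace deployment still creates a diagnostics account reachable from any network by whoever holds its keys (HTTPS-only, TLS 1.2, no public blob access — but no network restriction).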
@@ -255,7 +255,22 @@ "NewNsgName": { "type": "string", "defaultValue": "[concat(parameters('vmName'),'-nsg')]" + }, + "addStorageAccountIpRules": { + "type": "bool", + "metadata": { + "description": "Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location, based on https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/serial-console-linux#use-serial-console-with-custom-boot-diagnostics-storage-account-firewall-enabled" + }, + "defaultValue" : false + }, + "storageAccountAdditionalIps":{ + "type": "array", + "metadata": { + "description": "IPs/CIDRs that are allowed access to the Storage Account" + }, + "defaultValue" : [] } + }, "variables": { "templateName": "management", 
@@ -283,6 +298,53 @@ "R81.20 - Pay As You Go (MGMT25)": "R8120" }, "osVersion": "[variables('osVersions')[parameters('cloudGuardVersion')]]", + "SerialConsoleGeographies": { + "eastasia" : ["20.205.69.28", "20.195.85.180"], + "southeastasia" : ["20.205.69.28", "20.195.85.180"], + "australiacentral" : ["20.53.53.224", "20.70.222.112"], + "australiacentral2" : ["20.53.53.224", "20.70.222.112"], + "australiaeast" : ["20.53.53.224", "20.70.222.112"], + "australiasoutheast" : ["20.53.53.224", "20.70.222.112"], + "brazilsouth" : ["91.234.136.63", "20.206.0.194"], + "brazilsoutheast" : ["91.234.136.63", "20.206.0.194"], + "canadacentral" : ["52.228.86.177", "52.242.40.90"], + "canadaeast" : ["52.228.86.177", "52.242.40.90"], + "northeurope" : ["52.146.139.220", "20.105.209.72"], + "westeurope" : ["52.146.139.220", "20.105.209.72"], + "francecentral" : ["20.111.0.244", "52.136.191.10"], + "francesouth" : ["20.111.0.244", "52.136.191.10"], + "germanynorth" : ["51.116.75.88", "20.52.95.48"], + "germanywestcentral" : ["51.116.75.88", "20.52.95.48"], + "centralindia" : ["20.192.168.150", "20.192.153.104"], + "southindia" : ["20.192.168.150", "20.192.153.104"], + "westindia" : ["20.192.168.150", "20.192.153.104"], + "japaneast" : ["20.43.70.205", "20.189.228.222"], + "japanwest" : ["20.43.70.205", "20.189.228.222"], + "koreacentral" : ["20.200.196.96", "52.147.119.29"], + "koreasouth" : ["20.200.196.96", "52.147.119.29"], + "norwaywest" : ["20.100.1.184", "51.13.138.76"], + "norwayeast" : ["20.100.1.184", "51.13.138.76"], + "switzerlandnorth" : ["20.208.4.98", "51.107.251.190"], + "switzerlandwest" : ["20.208.4.98", "51.107.251.190"], + "uaecentral" : ["20.45.95.66", "20.38.141.5"], + "uaenorth" : ["20.45.95.66", "20.38.141.5"], + "uksouth" : ["20.90.132.144", "20.58.68.62"], + "ukwest" : ["20.90.132.144", "20.58.68.62"], + "swedencentral" : ["51.12.72.223", "51.12.22.174"], + "swedensouth" : ["51.12.72.223", "51.12.22.174"], + "centralus" : ["20.98.146.84", "20.98.194.64", 
"20.69.5.162", "20.83.222.102"], + "eastus2" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "eastus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "northcentralus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "southcentralus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "westus2" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "westus3" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "westcentralus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "westus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "eastus2euap" : ["20.45.242.18", "20.51.21.252"], + "centraluseuap" : ["20.45.242.18", "20.51.21.252"]}, + "serialConsoleIps": "[if(contains(variables('serialConsoleGeographies'),variables('location')),variables('serialConsoleGeographies')[variables('location')],createArray())]", + "storageAccountIps" : "[concat(variables('SerialConsoleIps'),parameters('storageAccountAdditionalIps'))]", "isBlink": "[bool('false')]", "storageAccountName": "[concat('bootdiag', uniqueString(resourceGroup().id, deployment().name))]", "storageAccountType": "Standard_LRS", @@ -370,7 +432,12 @@ "properties": { "supportsHttpsTrafficOnly": true, "allowBlobPublicAccess": false, - "minimumTlsVersion": "TLS1_2" + "minimumTlsVersion": "TLS1_2", + "networkAcls": { + "bypass": "None", + "defaultAction": "[if(parameters('addStorageAccountIpRules'), 'Deny', 'Allow')]", + "ipRules": "[if(parameters('addStorageAccountIpRules'), map(variables('storageAccountIps'), lambda('ip',createObject('action','Allow','value',lambdaVariables('ip')))), createArray())]" + } }, "location": "[variables('location')]", "sku": { 
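Review bot: `"bypass": "None"` together with `defaultAction: Deny` also drops the AzureServices exemption, so nothing but the listed IPs can write to this account; boot-diagnostics screenshots and serial logs are written by the platform rather than from inside the VM, and I cannot tell from the template whether those writes originate from the listed Serial Console addresses. Confirm on a deployment in a mapped region that boot diagnostics still populates with this ACL; if it does not, `"bypass": "AzureServices"` is the narrower fix rather than widening `ipRules`. As written, an unmapped region (the `serialConsoleGeographies` lookup falls back to `createArray()`) ends up with Deny and zero rules, so the option should be gated to the mapped regions or fail loudly.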
@@ -461,6 +528,9 @@
 "apiVersion": "2020-06-01",
 "location": "[variables('location')]",
 "name": "[variables('publicIPAddressName')]",
+ "sku": {
+ "name": "Standard"
+ },
 "properties": {
 "idleTimeoutInMinutes": 30,
 "publicIPAllocationMethod": "Static",
@@ -605,7 +675,7 @@
 "name": "[variables('nic1Name')]",
 "properties": {
 "enableIPForwarding": false,
- "networkSecurityGroup": "[if(parameters('deployNewNSG') , variables('NewNsgReference') , parameters('ExistingNSG'))]",
+ "networkSecurityGroup":"[if(parameters('deployNewNSG') , variables('NewNsgReference') , parameters('ExistingNSG'))]",
 "ipConfigurations": [
 {
 "name": "ipconfig1",
diff --git a/azure/templates/marketplace-mds/createUiDefinition.json b/azure/templates/marketplace-mds/createUiDefinition.json
index 333f8484..41dcaf57 100644
--- a/azure/templates/marketplace-mds/createUiDefinition.json
+++ b/azure/templates/marketplace-mds/createUiDefinition.json
@@ -445,7 +445,7 @@
 "type": "Microsoft.Common.TextBox",
 "label": "Additional disk space (GB)",
 "defaultValue": "0",
- "toolTip": "Additional disk space (in GB), Initial disk size is 100 GB.",
+ "toolTip": "Additional disk space (in GB), initial disk size is 100 GB.",
 "constraints": {
 "regex": "^([0-9]|[1-9][0-9]|[1-9][0-9][0-9]|[1-2][0-9][0-9][0-9]|3[0-8][0-9][0-9]|399[0-5])$",
 "validationMessage": "Select a number between 0 and 3995"
@@ -622,6 +622,27 @@ "validationMessage": "Only alphanumeric characters are allowed, and the name must be 1-30 characters long." }, "visible": "[steps('network').NSG]" + }, + { + "name": "addStorageAccountIpRules", + "type": "Microsoft.Common.OptionsGroup", + "defaultValue": "Network access from all networks", + "label": "Storage Account Network Access", + "toolTip": "Select your preferred network access to the Storage Account, for more information - https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/serial-console-linux#serial-console-security", + "constraints": { + "allowedValues": [ + { + "label": "Network access from all networks", + "value": false + }, + { + "label": "Network access only from Serial Console", + "value": true + } + ], + "required": true + }, + "visible": true } ] }, @@ -674,6 +695,7 @@ "deployNewNSG": "[steps('network').NSG]", "ExistingNSG": "[steps('network').nsgSelector]", "NewNsgName": "[steps('network').NSGName]", + "addStorageAccountIpRules":"[steps('network').addStorageAccountIpRules]", "SerialConsolePasswordHash": "[steps('chkp').AdditionalPassword]", "MaintenanceModePasswordHash": "[steps('chkp').MaintenanceModePassword]" } diff --git a/azure/templates/marketplace-mds/mainTemplate.json b/azure/templates/marketplace-mds/mainTemplate.json index 3256924f..f447c530 100644 --- a/azure/templates/marketplace-mds/mainTemplate.json +++ b/azure/templates/marketplace-mds/mainTemplate.json 
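Review bot: `addStorageAccountIpRules` is offered with `"visible": true` in every region, but the main template only knows Serial Console addresses for the regions in its `serialConsoleGeographies` map; anywhere else, choosing "Network access only from Serial Console" yields `defaultAction` `Deny` with no allow rules and the boot-diagnostics account is unreachable. Gate the control the way the availability-zone control in these files already does, e.g. `"visible": "[contains(' eastasia southeastasia australiacentral australiacentral2 australiaeast australiasoutheast … westus eastus2euap centraluseuap ', concat(' ', location(), ' '))]"` built from the same region list, or at least state the limitation in the toolTip. The outputs hunk wires only `addStorageAccountIpRules`, so `storageAccountAdditionalIps` stays at its `[]` default for marketplace deployments and an operator cannot whitelist their own management address from the UI; if that is intended, the toolTip should say so. The same applies to the other createUiDefinition files in this commit.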
@@ -246,7 +246,22 @@ "NewNsgName": { "type": "string", "defaultValue": "[concat(parameters('vmName'),'-nsg')]" + }, + "addStorageAccountIpRules": { + "type": "bool", + "metadata": { + "description": "Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location, based on https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/serial-console-linux#use-serial-console-with-custom-boot-diagnostics-storage-account-firewall-enabled" + }, + "defaultValue" : false + }, + "storageAccountAdditionalIps":{ + "type": "array", + "metadata": { + "description": "IPs/CIDRs that are allowed access to the Storage Account" + }, + "defaultValue" : [] } + }, "variables": { "templateName": "mds", 
@@ -266,6 +281,55 @@ "R81.20 - Bring Your Own License": "R8120" }, "osVersion": "[variables('osVersions')[parameters('cloudGuardVersion')]]", + "serialConsoleGeographies": { + "astasia" : ["20.205.69.28"], + "southeastasia" : ["20.205.69.28", "20.195.85.180"], + "eastasia" : ["20.195.85.180"], + "australiacentral" : ["20.53.53.224", "20.70.222.112"], + "australiacentral2" : ["20.53.53.224", "20.70.222.112"], + "australiaeast" : ["20.53.53.224", "20.70.222.112"], + "australiasoutheast" : ["20.53.53.224", "20.70.222.112"], + "brazilsouth" : ["91.234.136.63", "20.206.0.194"], + "brazilsoutheast" : ["91.234.136.63", "20.206.0.194"], + "canadacentral" : ["52.228.86.177", "52.242.40.90"], + "canadaeast" : ["52.228.86.177", "52.242.40.90"], + "northeurope" : ["52.146.139.220", "20.105.209.72"], + "westeurope" : ["52.146.139.220", "20.105.209.72"], + "francecentral" : ["20.111.0.244", "52.136.191.10"], + "francesouth" : ["20.111.0.244", "52.136.191.10"], + "germanynorth" : ["51.116.75.88", "20.52.95.48"], + "germanywestcentral" : ["51.116.75.88", "20.52.95.48"], + "centralindia" : ["20.192.168.150", "20.192.153.104"], + "southindia" : ["20.192.168.150", "20.192.153.104"], + "westindia" : ["20.192.168.150", "20.192.153.104"], + "japaneast" : ["20.43.70.205", "20.189.228.222"], + "japanwest" : ["20.43.70.205", "20.189.228.222"], + "koreacentral" : ["20.200.196.96", "52.147.119.29"], + "koreasouth" : ["20.200.196.96", "52.147.119.29"], + "norwaywest" : ["20.100.1.184", "51.13.138.76"], + "norwayeast" : ["20.100.1.184", "51.13.138.76"], + "switzerlandnorth" : ["20.208.4.98", "51.107.251.190"], + "switzerlandwest" : ["20.208.4.98", "51.107.251.190"], + "uaecentral" : ["20.45.95.66", "20.38.141.5"], + "uaenorth" : ["20.45.95.66", "20.38.141.5"], + "uksouth" : ["20.90.132.144", "20.58.68.62"], + "ukwest" : ["20.90.132.144", "20.58.68.62"], + "swedencentral" : ["51.12.72.223", "51.12.22.174"], + "swedensouth" : ["51.12.72.223", "51.12.22.174"], + "centralus" : ["20.98.146.84", 
"20.98.194.64", "20.69.5.162", "20.83.222.102"], + "eastus2" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "eastus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "northcentralus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "southcentralus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "westus2" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "westus3" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "westcentralus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "westus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "eastus2euap" : ["20.45.242.18", "20.51.21.252"], + "centraluseuap" : ["20.45.242.18", "20.51.21.252"] + }, + "serialConsoleIps": "[if(contains(variables('serialConsoleGeographies'),variables('location')),variables('serialConsoleGeographies')[variables('location')],createArray())]", + "storageAccountIps" : "[concat(variables('SerialConsoleIps'),parameters('storageAccountAdditionalIps'))]", "isBlink": "[bool('false')]", "primary": "[equals(parameters('installationType'), 'mds-primary')]", "secondary": "[equals(parameters('installationType'), 'mds-secondary')]", @@ -345,7 +409,12 @@ "properties": { "supportsHttpsTrafficOnly": true, "allowBlobPublicAccess": false, - "minimumTlsVersion": "TLS1_2" + "minimumTlsVersion": "TLS1_2", + "networkAcls": { + "bypass": "None", + "defaultAction": "[if(parameters('addStorageAccountIpRules'), 'Deny', 'Allow')]", + "ipRules": "[if(parameters('addStorageAccountIpRules'), map(variables('storageAccountIps'), lambda('ip',createObject('action','Allow','value',lambdaVariables('ip')))), createArray())]" + } }, "location": "[variables('location')]", "sku": { 
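Review bot: The East Asia entry is split into `"astasia" : ["20.205.69.28"]` and `"eastasia" : ["20.195.85.180"]` — `astasia` is not an Azure location and is a dead key, and `eastasia` ends up allowing only one of the two Serial Console addresses that the other templates in this commit list for it. With `defaultAction` `Deny`, console sessions sourced from 20.205.69.28 would be blocked in East Asia. Replace the two lines with `"eastasia" : ["20.205.69.28", "20.195.85.180"],` as in the gateway-load-balancer template. The list is copied into five templates and is already drifting; a single shared definition (linked template or generated include) would prevent this class of slip.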
@@ -436,6 +505,9 @@ "apiVersion": "2020-06-01", "location": "[variables('location')]", "name": "[variables('publicIPAddressName')]", + "sku": { + "name": "Standard" + }, "properties": { "idleTimeoutInMinutes": 30, "publicIPAllocationMethod": "Static", @@ -580,7 +652,7 @@ "name": "[variables('nic1Name')]", "properties": { "enableIPForwarding": false, - "networkSecurityGroup": "[if(parameters('deployNewNSG') , variables('NewNsgReference') , parameters('ExistingNSG'))]", + "networkSecurityGroup":"[if(parameters('deployNewNSG') , variables('NewNsgReference') , parameters('ExistingNSG'))]", "ipConfigurations": [ { "name": "ipconfig1", diff --git a/azure/templates/marketplace-single/createUiDefinition.json b/azure/templates/marketplace-single/createUiDefinition.json index 93230dd8..f9b769f6 100644 --- a/azure/templates/marketplace-single/createUiDefinition.json +++ b/azure/templates/marketplace-single/createUiDefinition.json @@ -1740,7 +1740,7 @@ "type": "Microsoft.Common.TextBox", "label": "Additional disk space (GB)", "defaultValue": "0", - "toolTip": "Additional disk space (in GB), Initial disk size is 100 GB.", + "toolTip": "Additional disk space (in GB), initial disk size is 100 GB.", "constraints": { "regex": "^([0-9]|[1-9][0-9]|[1-9][0-9][0-9]|[1-2][0-9][0-9][0-9]|3[0-8][0-9][0-9]|399[0-5])$", "validationMessage": "Select a number between 0 and 3995" 
@@ -1954,6 +1954,27 @@ "validationMessage": "Only alphanumeric characters are allowed, and the name must be 1-30 characters long." }, "visible": "[steps('network').NSG]" + }, + { + "name": "addStorageAccountIpRules", + "type": "Microsoft.Common.OptionsGroup", + "defaultValue": "Network access from all networks", + "label": "Storage Account Network Access", + "toolTip": "Select your preferred network access to the Storage Account, for more information - https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/serial-console-linux#serial-console-security", + "constraints": { + "allowedValues": [ + { + "label": "Network access from all networks", + "value": false + }, + { + "label": "Network access only from Serial Console", + "value": true + } + ], + "required": true + }, + "visible": true } ] }, @@ -2011,7 +2032,8 @@ "tagsByResource": "[steps('tags').tagsByResource]", "deployNewNSG": "[steps('network').NSG]", "ExistingNSG": "[steps('network').nsgSelector]", - "NewNsgName": "[steps('network').NSGName]" + "NewNsgName": "[steps('network').NSGName]", + "addStorageAccountIpRules":"[steps('network').addStorageAccountIpRules]" } } } diff --git a/azure/templates/marketplace-single/mainTemplate.json b/azure/templates/marketplace-single/mainTemplate.json index 4e57e59b..56dc957e 100644 --- a/azure/templates/marketplace-single/mainTemplate.json +++ b/azure/templates/marketplace-single/mainTemplate.json 
@@ -294,6 +294,20 @@ "NewNsgName": { "type": "string", "defaultValue": "[concat(parameters('vmName'),'-nsg')]" + }, + "addStorageAccountIpRules": { + "type": "bool", + "metadata": { + "description": "Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location, based on https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/serial-console-linux#use-serial-console-with-custom-boot-diagnostics-storage-account-firewall-enabled" + }, + "defaultValue" : false + }, + "storageAccountAdditionalIps":{ + "type": "array", + "metadata": { + "description": "IPs/CIDRs that are allowed access to the Storage Account" + }, + "defaultValue" : [] } }, "variables": { 
@@ -330,6 +344,56 @@ "R81.20 - Pay As You Go (NGTX)": "R8120" }, "osVersion": "[variables('osVersions')[parameters('cloudGuardVersion')]]", + "serialConsoleGeographies": { + "eastasia" : ["20.205.69.28", "20.195.85.180"], + "southeastasia" : ["20.205.69.28", "20.195.85.180"], + "australiacentral" : ["20.53.53.224", "20.70.222.112"], + "australiacentral2" : ["20.53.53.224", "20.70.222.112"], + "australiaeast" : ["20.53.53.224", "20.70.222.112"], + "australiasoutheast" : ["20.53.53.224", "20.70.222.112"], + "brazilsouth" : ["91.234.136.63", "20.206.0.194"], + "brazilsoutheast" : ["91.234.136.63", "20.206.0.194"], + "canadacentral" : ["52.228.86.177", "52.242.40.90"], + "canadaeast" : ["52.228.86.177", "52.242.40.90"], + "northeurope" : ["52.146.139.220", "20.105.209.72"], + "westeurope" : ["52.146.139.220", "20.105.209.72"], + "francecentral" : ["20.111.0.244", "52.136.191.10"], + "francesouth" : ["20.111.0.244", "52.136.191.10"], + "germanynorth" : ["51.116.75.88", "20.52.95.48"], + "germanywestcentral" : ["51.116.75.88", "20.52.95.48"], + "centralindia" : ["20.192.168.150", "20.192.153.104"], + "southindia" : ["20.192.168.150", "20.192.153.104"], + "westindia" : ["20.192.168.150", "20.192.153.104"], + "japaneast" : ["20.43.70.205", "20.189.228.222"], + "japanwest" : ["20.43.70.205", "20.189.228.222"], + "koreacentral" : ["20.200.196.96", "52.147.119.29"], + "koreasouth" : ["20.200.196.96", "52.147.119.29"], + "norwaywest" : ["20.100.1.184", "51.13.138.76"], + "norwayeast" : ["20.100.1.184", "51.13.138.76"], + "switzerlandnorth" : ["20.208.4.98", "51.107.251.190"], + "switzerlandwest" : ["20.208.4.98", "51.107.251.190"], + "uaecentral" : ["20.45.95.66", "20.38.141.5"], + "uaenorth" : ["20.45.95.66", "20.38.141.5"], + "uksouth" : ["20.90.132.144", "20.58.68.62"], + "ukwest" : ["20.90.132.144", "20.58.68.62"], + "swedencentral" : ["51.12.72.223", "51.12.22.174"], + "swedensouth" : ["51.12.72.223", "51.12.22.174"], + "centralus" : ["20.98.146.84", "20.98.194.64", 
"20.69.5.162", "20.83.222.102"], + "eastus2" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "eastus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "northcentralus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "southcentralus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "westus2" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "westus3" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "westcentralus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "westus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "eastus2euap" : ["20.45.242.18", "20.51.21.252"], + "centraluseuap" : ["20.45.242.18", "20.51.21.252"], + "usgovarizona" : ["20.141.10.130", "52.127.55.131"], + "usgovvirginia" : ["20.141.10.130", "52.127.55.131"] + }, + "serialConsoleIps": "[if(contains(variables('serialConsoleGeographies'),variables('location')),variables('serialConsoleGeographies')[variables('location')],createArray())]", + "storageAccountIps" : "[concat(variables('SerialConsoleIps'),parameters('storageAccountAdditionalIps'))]", "installationType": "[parameters('installationType')]", "isBlink": "[equals(variables('installationType'), 'gateway')]", "storageAccountName": "[concat('bootdiag', uniqueString(resourceGroup().id, deployment().name))]", @@ -456,7 +520,12 @@ "properties": { "supportsHttpsTrafficOnly": true, "allowBlobPublicAccess": false, - "minimumTlsVersion": "TLS1_2" + "minimumTlsVersion": "TLS1_2", + "networkAcls": { + "bypass": "None", + "defaultAction": "[if(parameters('addStorageAccountIpRules'), 'Deny', 'Allow')]", + "ipRules": "[if(parameters('addStorageAccountIpRules'), map(variables('storageAccountIps'), lambda('ip',createObject('action','Allow','value',lambdaVariables('ip')))), createArray())]" + } }, "location": "[variables('location')]", "sku": { 
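Review bot: `usgovarizona` and `usgovvirginia` appear only in this template's `serialConsoleGeographies`; the gateway-load-balancer, mds, vmss and single-ipv6 copies in this commit lack them even though the vmss and gateway-load-balancer UI zone lists offer `usgovvirginia`. A Government-cloud deployment of those templates with the IP-rules option on therefore gets `Deny` with an empty allow list. Either add `"usgovarizona" : ["20.141.10.130", "52.127.55.131"],` and `"usgovvirginia" : ["20.141.10.130", "52.127.55.131"]` to the other four maps or derive all five from one definition.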
@@ -556,6 +625,9 @@ "apiVersion": "2020-06-01", "location": "[variables('location')]", "name": "[variables('publicIPAddressName')]", + "sku": { + "name": "Standard" + }, "properties": { "idleTimeoutInMinutes": 30, "publicIPAllocationMethod": "Static", @@ -576,8 +648,8 @@ "name": "[variables('nic1Name')]", "properties": { "enableIPForwarding": true, - "enableAcceleratedNetworking": "[not(equals(variables('osVersion'), 'R8010'))]", - "networkSecurityGroup": "[if(parameters('deployNewNSG') , variables('NewNsgReference') , parameters('ExistingNSG'))]", + "enableAcceleratedNetworking": true, + "networkSecurityGroup":"[if(parameters('deployNewNSG') , variables('NewNsgReference') , parameters('ExistingNSG'))]", "ipConfigurations": [ { "name": "ipconfig1", @@ -606,7 +678,7 @@ "name": "[variables('nic2Name')]", "properties": { "enableIPForwarding": true, - "enableAcceleratedNetworking": "[not(equals(variables('osVersion'), 'R8010'))]", + "enableAcceleratedNetworking": true, "ipConfigurations": [ { "name": "ipconfig2", diff --git a/azure/templates/marketplace-vmss/createUiDefinition.json b/azure/templates/marketplace-vmss/createUiDefinition.json index 72b21d92..802ec2b2 100644 --- a/azure/templates/marketplace-vmss/createUiDefinition.json +++ b/azure/templates/marketplace-vmss/createUiDefinition.json 
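Review bot: Adding `"sku": { "name": "Standard" }` to the public IP changes a property that, as far as I recall, cannot be changed in place on an existing address; an incremental redeployment over a resource group that already holds a Basic `publicIPAddressName` would fail rather than migrate, so the upgrade path deserves a note in the commit or template description. Standard SKU is also closed to inbound traffic until an NSG permits it, which is the safer default, but it makes the `networkSecurityGroup` association on nic1 load-bearing: when `deployNewNSG` is false, `ExistingNSG` must already admit the management ports. Dropping the `R8010` guard on `enableAcceleratedNetworking` is only safe if `osVersions` no longer contains an R80.10 entry; the visible entries are R81.20, so that is presumably the case, but worth confirming.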
@@ -521,7 +521,7 @@ "label": "Number of Availability Zones to use", "defaultValue": "None", "toolTip": "The number of avalability zones to use for the scale set. Note that the load balancers and their IP addresses will be zone redundant in any case.", - "visible": "[contains(' australiaeast brazilsouth canadacentral centralus eastasia eastus eastus2 francecentral germanywestcentral japaneast koreacentral northeurope norwayeast southafricanorth southcentralus southeastasia swedencentral uksouth usgovvirginia westeurope westus2 westus3 switzerlandnorth qatarcentral centralindia uaenorth ', concat(' ', location(), ' '))]", + "visible": "[contains(' australiaeast brazilsouth canadacentral centralus eastasia eastus eastus2 francecentral germanywestcentral japaneast koreacentral northeurope norwayeast southafricanorth southcentralus southeastasia swedencentral uksouth usgovvirginia westeurope westus2 westus3 switzerlandnorth qatarcentral centralindia uaenorth italynorth ', concat(' ', location(), ' '))]", "constraints": { "allowedValues": [ { @@ -2194,6 +2194,18 @@ ] } }, + { + "name": "additionalDiskSizeGB", + "type": "Microsoft.Common.TextBox", + "label": "Additional disk space (GB)", + "defaultValue": "0", + "toolTip": "Additional disk space (in GB), initial disk size is 100 GB.", + "constraints": { + "regex": "^([0-9]|[1-9][0-9]|[1-9][0-9][0-9]|[1-2][0-9][0-9][0-9]|3[0-8][0-9][0-9]|399[0-5])$", + "validationMessage": "Select a number between 0 and 3995" + }, + "visible": "[not(contains('R80.40 R81 R81.10 R81.20', steps('chkp').cloudGuardVersion))]" + }, { "name": "useCustomImageUri", "type": "Microsoft.Common.OptionsGroup", 
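Review bot: The `visible` test `not(contains('R80.40 R81 R81.10 R81.20', steps('chkp').cloudGuardVersion))` works only if the dropdown values are bare version strings; if they are the long labels the main template keys `osVersions` on (e.g. `"R81.20 - Pay As You Go (NGTX)"`), `contains(haystack, needle)` is false for every choice, the box is shown to everyone, and the main template then forces `additionalDiskSizeGB` to 0 for those versions — user input silently discarded. Please check the dropdown values, or test per version against the selection instead, e.g. `"visible": "[not(or(contains(steps('chkp').cloudGuardVersion, 'R80.40'), contains(steps('chkp').cloudGuardVersion, 'R81')))]"`. The regex's 0–3995 range matches the template's `minValue`/`maxValue`, which is good.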
@@ -2337,6 +2349,27 @@ "validationMessage": "Only alphanumeric characters are allowed, and the name must be 1-30 characters long." }, "visible": "[steps('network').NSG]" + }, + { + "name": "addStorageAccountIpRules", + "type": "Microsoft.Common.OptionsGroup", + "defaultValue": "Network access from all networks", + "label": "Storage Account Network Access", + "toolTip": "Select your preferred network access to the Storage Account, for more information - https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/serial-console-linux#serial-console-security", + "constraints": { + "allowedValues": [ + { + "label": "Network access from all networks", + "value": false + }, + { + "label": "Network access only from Serial Console", + "value": true + } + ], + "required": true + }, + "visible": true } ] }, @@ -2393,6 +2426,7 @@ "sicKey": "[steps('chkp').sicKeyUi]", "bootstrapScript": "[steps('chkp').bootstrapScript]", "allowDownloadFromUploadToCheckPoint": "[coalesce(steps('chkp').allowUploadDownload, 'true')]", + "additionalDiskSizeGB": "[int(steps('chkp').additionalDiskSizeGB)]", "diskType": "[if(contains('R80.40 R81 R81.10' , steps('chkp').cloudGuardVersion) , steps('chkp').VMDiskTypeOldVersions , steps('chkp').VMDiskType)]", "sourceImageVhdUri": "[coalesce(steps('chkp').sourceImageVhdUri, 'noCustomUri')]", "virtualNetworkName": "[steps('network').virtualNetwork.name]", @@ -2414,6 +2448,7 @@ "deployNewNSG": "[steps('network').NSG]", "ExistingNSG": "[steps('network').nsgSelector]", "NewNsgName": "[steps('network').NSGName]", + "addStorageAccountIpRules":"[steps('network').addStorageAccountIpRules]", "SerialConsolePasswordHash": "[steps('chkp').AdditionalPassword]", "MaintenanceModePasswordHash": "[steps('chkp').MaintenanceModePassword]" } diff --git a/azure/templates/marketplace-vmss/mainTemplate.json b/azure/templates/marketplace-vmss/mainTemplate.json index 8fe2fbce..86b24607 100644 --- a/azure/templates/marketplace-vmss/mainTemplate.json 
+++ b/azure/templates/marketplace-vmss/mainTemplate.json @@ -368,6 +368,15 @@ "description": "The IP address used to manage the VMSS instances." } }, + "additionalDiskSizeGB": { + "type": "int", + "defaultValue": 0, + "metadata": { + "description": "Amount of additional disk space (in GB), not relevant for R81.20 and below" + }, + "minValue": 0, + "maxValue": 3995 + }, "diskType": { "type": "string", "defaultValue": "Standard_LRS", @@ -479,6 +488,20 @@ "NewNsgName": { "type": "string", "defaultValue": "[concat(parameters('vmName'),'-nsg')]" + }, + "addStorageAccountIpRules": { + "type": "bool", + "metadata": { + "description": "Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location, based on https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/serial-console-linux#use-serial-console-with-custom-boot-diagnostics-storage-account-firewall-enabled" + }, + "defaultValue" : false + }, + "storageAccountAdditionalIps":{ + "type": "array", + "metadata": { + "description": "IPs/CIDRs that are allowed access to the Storage Account" + }, + "defaultValue" : [] } }, "variables": { 
@@ -517,10 +540,60 @@ "R81.20 - Pay As You Go (NGTX)": "R8120" }, "osVersion": "[variables('osVersions')[parameters('cloudGuardVersion')]]", + "SerialConsoleGeographies": { + "eastasia" : ["20.205.69.28", "20.195.85.180"], + "southeastasia" : ["20.205.69.28", "20.195.85.180"], + "australiacentral" : ["20.53.53.224", "20.70.222.112"], + "australiacentral2" : ["20.53.53.224", "20.70.222.112"], + "australiaeast" : ["20.53.53.224", "20.70.222.112"], + "australiasoutheast" : ["20.53.53.224", "20.70.222.112"], + "brazilsouth" : ["91.234.136.63", "20.206.0.194"], + "brazilsoutheast" : ["91.234.136.63", "20.206.0.194"], + "canadacentral" : ["52.228.86.177", "52.242.40.90"], + "canadaeast" : ["52.228.86.177", "52.242.40.90"], + "northeurope" : ["52.146.139.220", "20.105.209.72"], + "westeurope" : ["52.146.139.220", "20.105.209.72"], + "francecentral" : ["20.111.0.244", "52.136.191.10"], + "francesouth" : ["20.111.0.244", "52.136.191.10"], + "germanynorth" : ["51.116.75.88", "20.52.95.48"], + "germanywestcentral" : ["51.116.75.88", "20.52.95.48"], + "centralindia" : ["20.192.168.150", "20.192.153.104"], + "southindia" : ["20.192.168.150", "20.192.153.104"], + "westindia" : ["20.192.168.150", "20.192.153.104"], + "japaneast" : ["20.43.70.205", "20.189.228.222"], + "japanwest" : ["20.43.70.205", "20.189.228.222"], + "koreacentral" : ["20.200.196.96", "52.147.119.29"], + "koreasouth" : ["20.200.196.96", "52.147.119.29"], + "norwaywest" : ["20.100.1.184", "51.13.138.76"], + "norwayeast" : ["20.100.1.184", "51.13.138.76"], + "switzerlandnorth" : ["20.208.4.98", "51.107.251.190"], + "switzerlandwest" : ["20.208.4.98", "51.107.251.190"], + "uaecentral" : ["20.45.95.66", "20.38.141.5"], + "uaenorth" : ["20.45.95.66", "20.38.141.5"], + "uksouth" : ["20.90.132.144", "20.58.68.62"], + "ukwest" : ["20.90.132.144", "20.58.68.62"], + "swedencentral" : ["51.12.72.223", "51.12.22.174"], + "swedensouth" : ["51.12.72.223", "51.12.22.174"], + "centralus" : ["20.98.146.84", "20.98.194.64", 
"20.69.5.162", "20.83.222.102"], + "eastus2" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "eastus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "northcentralus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "southcentralus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "westus2" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "westus3" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "westcentralus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "westus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "eastus2euap" : ["20.45.242.18", "20.51.21.252"], + "centraluseuap" : ["20.45.242.18", "20.51.21.252"]}, + "serialConsoleIps": "[if(contains(variables('serialConsoleGeographies'),variables('location')),variables('serialConsoleGeographies')[variables('location')],createArray())]", + "storageAccountIps" : "[concat(variables('SerialConsoleIps'),parameters('storageAccountAdditionalIps'))]", "isBlink": true, "subnet2Name": "[parameters('subnet2Name')]", "storageAccountName": "[concat('bootdiag', uniqueString(variables('resourceGroup').id, deployment().name))]", "storageAccountType": "Standard_LRS", + "diskSize100GB": 100, + "additionalDiskSizeGB": "[if(contains('R8040 R81 R8110 R8120', variables('osVersion')), 0, parameters('additionalDiskSizeGB'))]", + "diskSizeGB": "[add(variables('additionalDiskSizeGB'), variables('diskSize100GB'))]", "enableFloatingIP": "[equals(parameters('floatingIP'), 'yes')]", "customData": "[concat('#!/usr/bin/python3 /etc/cloud_config.py\n', '\n', 'installationType=\"', variables('installationType'), '\"', '\n', 'allowUploadDownload=\"', variables('allowUploadDownload'), '\"', '\n', 'osVersion=\"', variables('osVersion'), '\"', '\n', 'templateName=\"', variables('templateName'), '\"', '\n', 'isBlink=\"', variables('isBlink'), '\"', '\n', 'templateVersion=\"', 
variables('templateVersion'), '\"', '\n', 'bootstrapScript64=\"', variables('bootstrapScript64'), '\"', '\n', 'location=\"', variables('location'), '\"', '\n', 'sicKey=\"', variables('sicKey'), '\"', '\n', 'customMetrics=\"', variables('customMetrics'), '\"', '\n', 'adminShell=\"', parameters('adminShell'), '\"', '\n', 'MaintenanceModePassword=\"', parameters('MaintenanceModePasswordHash'), '\"', '\n', 'passwordHash=\"', parameters('SerialConsolePasswordHash'), '\"', '\n')]", "imageOffer": "[concat('check-point-cg-', toLower(variables('osVersion')))]", @@ -645,7 +718,8 @@ "japaneast", "koreacentral", "southeastasia", - "eastasia" + "eastasia", + "italynorth" ], "availabilityZonesProperty": "[range(1, parameters('availabilityZonesNum'))]", "mgmtInterface": "[if(equals(parameters('instanceLevelPublicIP'), 'yes'), parameters('mgmtInterfaceOpt1'), parameters('mgmtInterfaceOpt2'))]", @@ -898,7 +972,12 @@ "properties": { "supportsHttpsTrafficOnly": true, "allowBlobPublicAccess": false, - "minimumTlsVersion": "TLS1_2" + "minimumTlsVersion": "TLS1_2", + "networkAcls": { + "bypass": "None", + "defaultAction": "[if(parameters('addStorageAccountIpRules'), 'Deny', 'Allow')]", + "ipRules": "[if(parameters('addStorageAccountIpRules'), map(variables('storageAccountIps'), lambda('ip',createObject('action','Allow','value',lambdaVariables('ip')))), createArray())]" + } }, "location": "[variables('location')]", "sku": { @@ -956,6 +1035,7 @@ "osDisk": { "caching": "ReadWrite", "createOption": "FromImage", + "diskSizeGB": "[variables('diskSizeGB')]", "managedDisk": { "storageAccountType": "[parameters('diskType')]" } 
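Review bot: `italynorth` is added to the availability-zone region list in this file but not to `SerialConsoleGeographies`, so a deployment there with `addStorageAccountIpRules` true produces `defaultAction` `Deny` and an empty `ipRules` (unless `storageAccountAdditionalIps` is supplied) — the boot-diagnostics account becomes unreachable, Serial Console included. Add the region once its console addresses are known, or refuse to deploy the storage `networkAcls` with an empty allow list rather than lock the account silently. Separately, `additionalDiskSizeGB` is zeroed for `R8040 R81 R8110 R8120`, which is fine, but the parameter description "not relevant for R81.20 and below" should say the value is ignored for those versions so callers are not surprised by a 100 GB disk.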
@@ -975,9 +1055,9 @@
 "name": "eth0",
 "properties": {
 "primary": true,
- "enableIPForwarding": false,
- "enableAcceleratedNetworking": "[not(equals(variables('osVersion'), 'R8010'))]",
- "networkSecurityGroup": "[if(parameters('deployNewNSG') , variables('NewNsgReference') , parameters('ExistingNSG'))]",
+ "enableIPForwarding": true,
+ "enableAcceleratedNetworking": true,
+ "networkSecurityGroup":"[if(parameters('deployNewNSG') , variables('NewNsgReference') , parameters('ExistingNSG'))]",
 "ipConfigurations": [
 {
 "name": "ipconfig1",
@@ -997,7 +1077,7 @@
 "properties": {
 "primary": false,
 "enableIPForwarding": true,
- "enableAcceleratedNetworking": "[not(equals(variables('osVersion'), 'R8010'))]",
+ "enableAcceleratedNetworking": true,
 "ipConfigurations": [
 {
 "name": "ipconfig2",
diff --git a/azure/templates/nestedtemplates/existing-nsg-RoleAssignment.json b/azure/templates/nestedtemplates/existing-nsg-RoleAssignment.json
index 21e60733..f87d2fac 100755
--- a/azure/templates/nestedtemplates/existing-nsg-RoleAssignment.json
+++ b/azure/templates/nestedtemplates/existing-nsg-RoleAssignment.json
@@ -18,6 +18,9 @@
 },
 "principalId2": {
 "type": "string"
+ },
+ "index": {
+ "type": "int"
 }
 },
 "resources": [
@@ -25,7 +28,7 @@
 "type": "Microsoft.Authorization/roleAssignments",
 "apiVersion": "2022-04-01",
 "scope": "[concat('Microsoft.Network/networkSecurityGroups/', parameters('ExistingNSG').name)]",
- "name": "[guid(resourceGroup().id, concat(parameters('vmName'), parameters('principalId1'), '1', '-nsg'))]",
+ "name": "[guid(resourceGroup().id, concat(parameters('vmName'), parameters('principalId1'), '1', '-nsg', parameters('index')))]",
 "properties": {
 "roleDefinitionId": "[parameters('roleDefinitionId')]",
 "principalId": "[parameters('principalId1')]"
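Review bot: `enableIPForwarding` on `eth0` flips from `false` to `true` with no accompanying explanation, while the mds and gateway-load-balancer `nic1` hunks in this commit keep it `false`. For a gateway scale set forwarding on the external interface is presumably required, but it changes which packets Azure will deliver to the instance, so it should be justified in the commit message or a template description and the rules behind `networkSecurityGroup` re-checked for the forwarded flows. The unconditional `enableAcceleratedNetworking: true` assumes no `R8010` image can still be selected; fine if `osVersions` no longer contains it.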
@@ -35,7 +38,7 @@
 "type": "Microsoft.Authorization/roleAssignments",
 "apiVersion": "2022-04-01",
 "scope": "[concat('Microsoft.Network/networkSecurityGroups/', parameters('ExistingNSG').name)]",
- "name": "[guid(resourceGroup().id, concat(parameters('vmName'), parameters('principalId2'), '2', '-nsg'))]",
+ "name": "[guid(resourceGroup().id, concat(parameters('vmName'), parameters('principalId1'), '2', '-nsg', parameters('index')))]",
 "properties": {
 "roleDefinitionId": "[parameters('roleDefinitionId')]",
 "principalId": "[parameters('principalId2')]"
diff --git a/azure/templates/single-ipv6/mainTemplate.json b/azure/templates/single-ipv6/mainTemplate.json
index 1b2c9797..3963c054 100755
--- a/azure/templates/single-ipv6/mainTemplate.json
+++ b/azure/templates/single-ipv6/mainTemplate.json
@@ -275,7 +275,22 @@
 "NewNsgName": {
 "type": "string",
 "defaultValue": "[concat(parameters('vmName'),'-nsg')]"
+ },
+ "addStorageAccountIpRules": {
+ "type": "bool",
+ "metadata": {
+ "description": "Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location, based on https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/serial-console-linux#use-serial-console-with-custom-boot-diagnostics-storage-account-firewall-enabled"
+ },
+ "defaultValue" : false
+ },
+ "storageAccountAdditionalIps":{
+ "type": "array",
+ "metadata": {
+ "description": "IPs/CIDRs that are allowed access to the Storage Account"
+ },
+ "defaultValue" : []
 }
+ },
 "variables": {
 "vnetv4AddressRange": "[parameters('virtualNetworkAddressPrefix')]",
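Review bot: The second role assignment's `name` now seeds the GUID with `parameters('principalId1')` while its `properties.principalId` is still `parameters('principalId2')`; the first assignment uses `principalId1` for both, so this reads as a copy-paste slip. The consequence is practical: if only `principalId2` changes between deployments, the resource name no longer changes, and ARM will try to update the existing assignment's principal, which is not permitted and fails the deployment, whereas seeding from the assigned principal yields a fresh name. Restore `"name": "[guid(resourceGroup().id, concat(parameters('vmName'), parameters('principalId2'), '2', '-nsg', parameters('index')))]"`.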
@@ -322,6 +337,53 @@ "R81.20 - Pay As You Go (NGTX)": "R8120" }, "osVersion": "[variables('osVersions')[parameters('cloudGuardVersion')]]", + "SerialConsoleGeographies": { + "eastasia" : ["20.205.69.28", "20.195.85.180"], + "southeastasia" : ["20.205.69.28", "20.195.85.180"], + "australiacentral" : ["20.53.53.224", "20.70.222.112"], + "australiacentral2" : ["20.53.53.224", "20.70.222.112"], + "australiaeast" : ["20.53.53.224", "20.70.222.112"], + "australiasoutheast" : ["20.53.53.224", "20.70.222.112"], + "brazilsouth" : ["91.234.136.63", "20.206.0.194"], + "brazilsoutheast" : ["91.234.136.63", "20.206.0.194"], + "canadacentral" : ["52.228.86.177", "52.242.40.90"], + "canadaeast" : ["52.228.86.177", "52.242.40.90"], + "northeurope" : ["52.146.139.220", "20.105.209.72"], + "westeurope" : ["52.146.139.220", "20.105.209.72"], + "francecentral" : ["20.111.0.244", "52.136.191.10"], + "francesouth" : ["20.111.0.244", "52.136.191.10"], + "germanynorth" : ["51.116.75.88", "20.52.95.48"], + "germanywestcentral" : ["51.116.75.88", "20.52.95.48"], + "centralindia" : ["20.192.168.150", "20.192.153.104"], + "southindia" : ["20.192.168.150", "20.192.153.104"], + "westindia" : ["20.192.168.150", "20.192.153.104"], + "japaneast" : ["20.43.70.205", "20.189.228.222"], + "japanwest" : ["20.43.70.205", "20.189.228.222"], + "koreacentral" : ["20.200.196.96", "52.147.119.29"], + "koreasouth" : ["20.200.196.96", "52.147.119.29"], + "norwaywest" : ["20.100.1.184", "51.13.138.76"], + "norwayeast" : ["20.100.1.184", "51.13.138.76"], + "switzerlandnorth" : ["20.208.4.98", "51.107.251.190"], + "switzerlandwest" : ["20.208.4.98", "51.107.251.190"], + "uaecentral" : ["20.45.95.66", "20.38.141.5"], + "uaenorth" : ["20.45.95.66", "20.38.141.5"], + "uksouth" : ["20.90.132.144", "20.58.68.62"], + "ukwest" : ["20.90.132.144", "20.58.68.62"], + "swedencentral" : ["51.12.72.223", "51.12.22.174"], + "swedensouth" : ["51.12.72.223", "51.12.22.174"], + "centralus" : ["20.98.146.84", "20.98.194.64", 
"20.69.5.162", "20.83.222.102"], + "eastus2" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "eastus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "northcentralus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "southcentralus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "westus2" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "westus3" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "westcentralus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "westus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "eastus2euap" : ["20.45.242.18", "20.51.21.252"], + "centraluseuap" : ["20.45.242.18", "20.51.21.252"]}, + "serialConsoleIps": "[if(contains(variables('serialConsoleGeographies'),variables('location')),variables('serialConsoleGeographies')[variables('location')],createArray())]", + "storageAccountIps" : "[concat(variables('SerialConsoleIps'),parameters('storageAccountAdditionalIps'))]", "installationType": "[parameters('installationType')]", "isBlink": "[equals(variables('installationType'), 'gateway')]", "storageAccountName": "[concat('bootdiag', uniqueString(resourceGroup().id, deployment().name))]", @@ -439,7 +501,12 @@ "properties": { "supportsHttpsTrafficOnly": true, "allowBlobPublicAccess": false, - "minimumTlsVersion": "TLS1_2" + "minimumTlsVersion": "TLS1_2", + "networkAcls": { + "bypass": "None", + "defaultAction": "[if(parameters('addStorageAccountIpRules'), 'Deny', 'Allow')]", + "ipRules": "[if(parameters('addStorageAccountIpRules'), map(variables('storageAccountIps'), lambda('ip',createObject('action','Allow','value',lambdaVariables('ip')))), createArray())]" + } }, "location": "[variables('location')]", "sku": { 
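Review bot: `storageAccountAdditionalIps` flows straight into `ipRules` with no validation beyond `"type": "array"`. Storage firewall IP rules, as far as I recall the docs, accept only public IPv4 addresses or CIDR ranges and reject RFC 1918 ranges and /31–/32 prefixes, so a private address or — notable in an IPv6 template — an IPv6 literal fails the whole deployment with an opaque error. Spell the accepted formats out in `metadata.description` (e.g. "Public IPv4 addresses or CIDR ranges; private ranges and IPv6 are not accepted by the storage firewall") and, if this parameter is ever surfaced in a createUiDefinition, back it with a regex constraint.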
@@ -677,9 +744,9 @@ "location": "[variables('location')]", "name": "[variables('nic1Name')]", "properties": { - "networkSecurityGroup": "[if(parameters('deployNewNSG') , variables('NewNsgReference') , parameters('ExistingNSG'))]", + "networkSecurityGroup":"[if(parameters('deployNewNSG') , variables('NewNsgReference') , parameters('ExistingNSG'))]", "enableIPForwarding": true, - "enableAcceleratedNetworking": "[not(equals(variables('osVersion'), 'R8010'))]", + "enableAcceleratedNetworking": true, "ipConfigurations": [ { "name": "ipconfig-v4", @@ -728,7 +795,7 @@ "name": "[variables('nic2Name')]", "properties": { "enableIPForwarding": true, - "enableAcceleratedNetworking": "[not(equals(variables('osVersion'), 'R8010'))]", + "enableAcceleratedNetworking": true, "ipConfigurations": [ { "name": "ipconfig-v4", diff --git a/azure/templates/vmss-ipv6/mainTemplate.json b/azure/templates/vmss-ipv6/mainTemplate.json index 07cd60a7..7928c690 100755 --- a/azure/templates/vmss-ipv6/mainTemplate.json +++ b/azure/templates/vmss-ipv6/mainTemplate.json @@ -268,6 +268,15 @@ "description": "The IP address used to manage the VMSS instances." } }, + "additionalDiskSizeGB": { + "type": "int", + "defaultValue": 0, + "metadata": { + "description": "Amount of additional disk space (in GB), not relevant for R81.20 and below" + }, + "minValue": 0, + "maxValue": 3995 + }, "diskType": { "type": "string", "defaultValue": "Standard_LRS", 
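Review bot: `enableAcceleratedNetworking` is now hard-coded `true` on nic1 (and on nic2 in the next hunk), so any VM size that lacks accelerated-networking support fails at deployment, whereas the removed `osVersion` guard at least left one switch to turn it off. If every version still offered by this template supports it, a sentence in the README or the VM-size parameter's `metadata.description` saying that only accelerated-networking-capable sizes are supported would save users a failed deployment; otherwise derive the value from a parameter. The enclosing NIC resource starts before this hunk.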
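Review bot: The description `not relevant for R81.20 and below` reads as if the value is ignored, but the template still writes an explicit `osDisk.diskSizeGB` for every version (the `diskSizeGB` variable and the osDisk hunk later in this diff), which pins the older releases to exactly 100 GB. Azure will not shrink an image's OS disk, so this assumes each of those images ships with a 100 GB disk; either document the assumption, e.g. `Additional OS-disk space in GB on top of the 100 GB image disk; ignored (disk stays 100 GB) for R81.20 and below`, or emit `diskSizeGB` only when extra space was requested. The `minValue`/`maxValue` bounds match the UI regex (0–3995) and keep the total within the 4095 GiB OS-disk limit.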
@@ -343,7 +352,22 @@ "NewNsgName": { "type": "string", "defaultValue": "default-nsg" + }, + "addStorageAccountIpRules": { + "type": "bool", + "metadata": { + "description": "Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location, based on https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/serial-console-linux#use-serial-console-with-custom-boot-diagnostics-storage-account-firewall-enabled" + }, + "defaultValue" : false + }, + "storageAccountAdditionalIps":{ + "type": "array", + "metadata": { + "description": "IPs/CIDRs that are allowed access to the Storage Account" + }, + "defaultValue" : [] } + }, "variables": { "vnetv4AddressRange": "[parameters('virtualNetworkAddressPrefix')]", 
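Review bot: `storageAccountAdditionalIps` is only honoured when `addStorageAccountIpRules` is true (the `ipRules` expression later in this diff returns `createArray()` otherwise), but its description does not say so, so a user who fills it in while leaving the option at its default `false` gets an account open to all networks with no warning. Suggest `IPv4 addresses/CIDRs additionally allowed through the Storage Account firewall; only applied when addStorageAccountIpRules is true`, and mentioning that private ranges are not accepted by the storage firewall if that matches your testing. The default of `false` also deserves a deliberate call: it keeps the boot-diagnostics account reachable from any network, which is the pre-existing behaviour but is now an explicit choice in the template rather than an omission.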
@@ -393,9 +417,59 @@ "R81.20 - Pay As You Go (NGTX)": "R8120" }, "osVersion": "[variables('osVersions')[parameters('cloudGuardVersion')]]", + "SerialConsoleGeographies": { + "eastasia" : ["20.205.69.28", "20.195.85.180"], + "southeastasia" : ["20.205.69.28", "20.195.85.180"], + "australiacentral" : ["20.53.53.224", "20.70.222.112"], + "australiacentral2" : ["20.53.53.224", "20.70.222.112"], + "australiaeast" : ["20.53.53.224", "20.70.222.112"], + "australiasoutheast" : ["20.53.53.224", "20.70.222.112"], + "brazilsouth" : ["91.234.136.63", "20.206.0.194"], + "brazilsoutheast" : ["91.234.136.63", "20.206.0.194"], + "canadacentral" : ["52.228.86.177", "52.242.40.90"], + "canadaeast" : ["52.228.86.177", "52.242.40.90"], + "northeurope" : ["52.146.139.220", "20.105.209.72"], + "westeurope" : ["52.146.139.220", "20.105.209.72"], + "francecentral" : ["20.111.0.244", "52.136.191.10"], + "francesouth" : ["20.111.0.244", "52.136.191.10"], + "germanynorth" : ["51.116.75.88", "20.52.95.48"], + "germanywestcentral" : ["51.116.75.88", "20.52.95.48"], + "centralindia" : ["20.192.168.150", "20.192.153.104"], + "southindia" : ["20.192.168.150", "20.192.153.104"], + "westindia" : ["20.192.168.150", "20.192.153.104"], + "japaneast" : ["20.43.70.205", "20.189.228.222"], + "japanwest" : ["20.43.70.205", "20.189.228.222"], + "koreacentral" : ["20.200.196.96", "52.147.119.29"], + "koreasouth" : ["20.200.196.96", "52.147.119.29"], + "norwaywest" : ["20.100.1.184", "51.13.138.76"], + "norwayeast" : ["20.100.1.184", "51.13.138.76"], + "switzerlandnorth" : ["20.208.4.98", "51.107.251.190"], + "switzerlandwest" : ["20.208.4.98", "51.107.251.190"], + "uaecentral" : ["20.45.95.66", "20.38.141.5"], + "uaenorth" : ["20.45.95.66", "20.38.141.5"], + "uksouth" : ["20.90.132.144", "20.58.68.62"], + "ukwest" : ["20.90.132.144", "20.58.68.62"], + "swedencentral" : ["51.12.72.223", "51.12.22.174"], + "swedensouth" : ["51.12.72.223", "51.12.22.174"], + "centralus" : ["20.98.146.84", "20.98.194.64", 
"20.69.5.162", "20.83.222.102"], + "eastus2" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "eastus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "northcentralus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "southcentralus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "westus2" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "westus3" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "westcentralus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "westus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "eastus2euap" : ["20.45.242.18", "20.51.21.252"], + "centraluseuap" : ["20.45.242.18", "20.51.21.252"]}, + "serialConsoleIps": "[if(contains(variables('serialConsoleGeographies'),variables('location')),variables('serialConsoleGeographies')[variables('location')],createArray())]", + "storageAccountIps" : "[concat(variables('SerialConsoleIps'),parameters('storageAccountAdditionalIps'))]", "isBlink": true, "storageAccountName": "[concat('bootdiag', uniqueString(variables('resourceGroup').id, deployment().name))]", "storageAccountType": "Standard_LRS", + "diskSize100GB": 100, + "additionalDiskSizeGB": "[if(contains('R8040 R81 R8110 R8120', variables('osVersion')), 0, parameters('additionalDiskSizeGB'))]", + "diskSizeGB": "[add(variables('additionalDiskSizeGB'), variables('diskSize100GB'))]", "customData": "[concat('#!/usr/bin/python3 /etc/cloud_config.py\n', '\n', 'installationType=\"', variables('installationType'), '\"', '\n', 'allowUploadDownload=\"', variables('allowUploadDownload'), '\"', '\n', 'osVersion=\"', variables('osVersion'), '\"', '\n', 'templateName=\"', variables('templateName'), '\"', '\n', 'isBlink=\"', variables('isBlink'), '\"', '\n', 'templateVersion=\"', variables('templateVersion'), '\"', '\n', 'bootstrapScript64=\"', variables('bootstrapScript64'), '\"', '\n', 
'location=\"', variables('location'), '\"', '\n', 'sicKey=\"', variables('sicKey'), '\"', '\n', 'customMetrics=\"', variables('customMetrics'), '\"', '\n', 'adminShell=\"', parameters('adminShell'), '\"', '\n')]", "imageOffer": "[concat('check-point-cg-', toLower(variables('osVersion')))]", "imagePublisher": "checkpoint", @@ -517,7 +591,8 @@ "japaneast", "koreacentral", "southeastasia", - "eastasia" + "eastasia", + "italynorth" ], "availabilityZonesProperty": "[range(1, parameters('availabilityZonesNum'))]", "mgmtInterface": "[if(equals(parameters('instanceLevelPublicIP'), 'yes'), parameters('mgmtInterfaceOpt1'), parameters('mgmtInterfaceOpt2'))]", @@ -896,7 +971,12 @@ "properties": { "supportsHttpsTrafficOnly": true, "allowBlobPublicAccess": false, - "minimumTlsVersion": "TLS1_2" + "minimumTlsVersion": "TLS1_2", + "networkAcls": { + "bypass": "None", + "defaultAction": "[if(parameters('addStorageAccountIpRules'), 'Deny', 'Allow')]", + "ipRules": "[if(parameters('addStorageAccountIpRules'), map(variables('storageAccountIps'), lambda('ip',createObject('action','Allow','value',lambdaVariables('ip')))), createArray())]" + } }, "location": "[variables('location')]", "sku": { @@ -923,6 +1003,7 @@ }, "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Compute/images'), parameters('tagsByResource')['Microsoft.Compute/images'], json('{}')) ]" }, + { "type": "Microsoft.Network/networkSecurityGroups", "condition": "[and(parameters('deployNewNSG'),equals(parameters('vnetNewOrExisting'), 'new'))]", 
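Review bot: `italynorth` is added to the availability-zone region list in the next hunk of this file but is absent from `SerialConsoleGeographies`, so a deployment there with `addStorageAccountIpRules` true gets `serialConsoleIps = createArray()` and, unless `storageAccountAdditionalIps` is supplied, a `Deny` firewall with no allow entries — the console is locked out silently. The same applies to any other region the template accepts but the map lacks, and since the map is a verbatim copy of the one in the gateway-load-balancer template earlier in this diff, keeping a single copy with the doc revision it was taken from would stop the two from drifting. Style point on the new `additionalDiskSizeGB` variable: `contains('R8040 R81 R8110 R8120', ...)` is a substring test on a space-separated string; `contains(createArray('R8040', 'R81', 'R8110', 'R8120'), variables('osVersion'))` states the intent explicitly.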
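Review bot: Same `networkAcls` block as in the gateway-load-balancer template: `bypass: None` with a user-selected `Deny` leaves no trusted-service path, so please confirm the platform's boot-diagnostics uploads still land with only the serial-console IPs allowed (or use `"bypass": "AzureServices"`), and note that `ipRules` takes `storageAccountAdditionalIps` unvalidated — private ranges and /31–/32 CIDRs are rejected by the storage firewall as far as I recall, failing the deployment. Given the block is byte-identical in both templates, a shared linked template or a generator would keep them from diverging. The storage-account resource continues past this hunk.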
@@ -976,7 +1057,9 @@ "virtualMachineProfile": { "UserData": "[base64(concat(variables('customData'), '\n', 'vnet=\"', if(equals(parameters('vnetNewOrExisting'), 'new'), split(parameters('virtualNetworkAddressPrefix'), '.')[0], reference('networkExistingSetup').outputs.vnetAddressPrefixes.value[0]), '\"', '\n' ))]", "storageProfile": { - "osDisk": { + "osDisk": + { + "diskSizeGB": "[variables('diskSizeGB')]", "caching": "ReadWrite", "createOption": "FromImage", "managedDisk": { @@ -998,8 +1081,8 @@ "name": "eth0", "properties": { "primary": true, - "enableIPForwarding": false, - "enableAcceleratedNetworking": "[not(equals(variables('osVersion'), 'R8010'))]", + "enableIPForwarding": true, + "enableAcceleratedNetworking": true, "networkSecurityGroup": "[if(parameters('deployNewNSG') , variables('NewNsgReference') , parameters('ExistingNSG'))]", "ipConfigurations": [ { @@ -1041,7 +1124,7 @@ "properties": { "primary": false, "enableIPForwarding": true, - "enableAcceleratedNetworking": "[not(equals(variables('osVersion'), 'R8010'))]", + "enableAcceleratedNetworking": true, "ipConfigurations": [ { "name": "ipconfig2IPV6", diff --git a/azure/templates/vwan-managed-app/README.md b/azure/templates/vwan-managed-app/README.md index 293238e2..085e0620 100644 --- a/azure/templates/vwan-managed-app/README.md +++ b/azure/templates/vwan-managed-app/README.md @@ -64,8 +64,8 @@ https://management.azure.com/subscriptions/{subscription_id}/providers/Microsoft } ], "availableVersions": [ - "8110.900335.1522", - "8120.900631.1522", + "8110.900335.1435", + "8120.900631.1433", "latest" ], "marketPlaceLink": "https://aka.ms/Checkpointmarketplace", diff --git a/azure/templates/vwan-managed-app/mainTemplate.json b/azure/templates/vwan-managed-app/mainTemplate.json index 5b733a83..71aaa8e4 100644 --- a/azure/templates/vwan-managed-app/mainTemplate.json +++ b/azure/templates/vwan-managed-app/mainTemplate.json 
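Review bot: `diskSizeGB` is now always set on the `FromImage` OS disk, including for the versions where the variables force it to exactly 100 GB; Azure rejects a requested size smaller than the image disk, so this assumes every listed image ships a 100 GB disk. If that is not guaranteed, only emit the property when extra space was requested, e.g. `"diskSizeGB": "[if(equals(variables('additionalDiskSizeGB'), 0), json('null'), variables('diskSizeGB'))]"` (ARM drops properties that evaluate to null). The `osDisk` object continues past this hunk.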
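Review bot: `enableIPForwarding` flips from `false` to `true` on `eth0`, the primary NIC that also carries the NSG, and nothing in this hunk explains the change. With forwarding on, the fabric delivers packets not addressed to the NIC's own IP configuration, so the NSG attached on the next line becomes the filter for forwarded flows as well — if eth0 is meant to be a data-path interface for the gateway that is fine, but it warrants a sentence in the commit message or README (the template has no comment syntax) and a reminder that an `ExistingNSG` brought by the user must be written with forwarded traffic in mind. The NIC configuration continues past this hunk.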
@@ -155,36 +155,7 @@ "metadata": { "description": "Managed app resource group Name" } - }, - "publicIPIngress": { - "type": "string", - "allowedValues": [ - "no", - "yes" - ], - "defaultValue": "no", - "metadata": { - "description": "Use public IP for ingress traffic" - } - }, - "createNewIPIngress": { - "type": "string", - "allowedValues": [ - "no", - "yes" - ], - "defaultValue": "no", - "metadata": { - "description": "Create new public IP" - } - }, - "ipIngressExistingResourceId": { - "type": "string", - "metadata": { - "description": "The resource id of the public IP" - }, - "defaultValue": "" - } + } }, "variables": { "managedResourceGroupId": "[concat(subscription().id, '/resourceGroups/', parameters('managedResourceGroupName'))]" @@ -267,15 +238,6 @@ }, "smart1CloudTokenE": { "value": "[parameters('smart1CloudTokenE')]" - }, - "publicIPIngress": { - "value": "[parameters('publicIPIngress')]" - }, - "createNewIPIngress": { - "value": "[parameters('createNewIPIngress')]" - }, - "ipIngressExistingResourceId": { - "value": "[parameters('ipIngressExistingResourceId')]" } } }