f5devcentral/volterra-azure-sca

Volterra Azure Secure Cloud Gateway (SCA/SCG)

A Volterra version of SCA/SCCA/SACA. What is that? An example Secure Cloud Architecture that uses Volterra Multi-Cloud Networking to deploy cloud-based services through the Volterra Application Delivery Network, with hardening BIG-IP service insertion (Azure PAYG BEST: AFM, ASM, APM, LTM) publishing ELK and small demo applications. The goal of this solution is to provide a working demonstration and prototyping lab for anyone.

To do

  • hardcoded IP values for testing, fix.
  • flip elastic transport to tcp vs http
  • flip logstash_beats to tcp vs http
  • mgmt partition is leftover from SACA, can destroy.
  • Azure Key Vault takes 2m to provision. "module.azure.azurerm_key_vault.keyvault: Creation complete after 2m5s"
    • Doesn't work with runtime-init for some reason, troubleshoot later.

Rough Diagram

Requirements

| Name | Version |
|---|---|
| terraform | >= 0.13 |
| azurerm | ~> 2.30.0 |
| http | 2.1.0 |
| volterrarm | 0.7.0 |

Providers

No providers.

Modules

| Name | Source | Version |
|---|---|---|
| util | ./util | n/a |
| azure | ./azure | n/a |
| volterra | ./volterra | n/a |
| firewall | ./firewall | n/a |
| applications | ./applications | n/a |

Resources

No resources.

Inputs

| Name | Description | Type | Default |
|---|---|---|---|
| `tenant_name` | REQUIRED: This is your Volterra Tenant Name: `https://<tenant_name>.console.ves.volterra.io/api` | `string` | `"f5-sa"` |
| `adminUserName` | REQUIRED: Admin Username for All systems | `string` | `"xadmin"` |
| `namespace` | REQUIRED: This is your Volterra Namespace | `string` | `"m-coleman"` |
| `api_cert` | REQUIRED: This is the path to the Volterra API Key. See https://volterra.io/docs/how-to/user-mgmt/credentials | `string` | `"./creds/api2.cer"` |
| `location` | REQUIRED: Azure Region: usgovvirginia, usgovarizona, etc. For a list of available locations for your subscription use `az account list-locations -o table` | `string` | `"canadacentral"` |
| `name` | REQUIRED: This is the name for your deployment | `string` | `"m-coleman"` |
| `api_url` | REQUIRED: This is your Volterra Namespace | `string` | `"https://f5-sa.console.ves.volterra.io/api"` |
| `region` | Azure Region: US Gov Virginia, US Gov Arizona, etc. | `string` | `"Canada Central"` |
| `sshPublicKey` | OPTIONAL: ssh public key for instances | `string` | `""` |
| `api_p12_file` | REQUIRED: This is the path to the Volterra API Key. See https://volterra.io/docs/how-to/user-mgmt/credentials | `string` | `"./creds/f5-sa.console.ves.volterra.io.api-creds.p12"` |
| `sshPublicKeyPath` | OPTIONAL: ssh public key path for instances | `string` | `"./creds/id_rsa.pub"` |
| `api_key` | REQUIRED: This is the path to the Volterra API Key. See https://volterra.io/docs/how-to/user-mgmt/credentials | `string` | `"./creds/api.key"` |
| `volterra_tf_action` | n/a | `string` | `"apply"` |
| `delegated_dns_domain` | n/a | `string` | `"ves.dimensionc-132.com"` |
| `azure_client_id` | n/a | `string` | `""` |
| `azure_client_secret` | n/a | `string` | `""` |
| `azure_tenant_id` | n/a | `string` | `""` |
| `azure_subscription_id` | n/a | `string` | `""` |
| `gateway_type` | n/a | `string` | `"INGRESS_EGRESS_GATEWAY"` |
| `fleet_label` | n/a | `string` | `"fleet_label"` |
| `cidr` | REQUIRED: VNET Network CIDR | `string` | `"10.90.0.0/16"` |
| `azure_subnets` | REQUIRED: Subnet CIDRs | `map(string)` | `{"application": "10.90.10.0/24", "external": "10.90.1.0/24", "inspect_ext": "10.90.3.0/24", "inspect_int": "10.90.4.0/24", "internal": "10.90.2.0/24", "management": "10.90.0.0/24"}` |
| `f5_mgmt` | F5 BIG-IP Management IPs. These must be in the management subnet. | `map(string)` | `{"f5vm01mgmt": "10.90.0.14", "f5vm02mgmt": "10.90.0.15"}` |
| `f5_t1_ext` | Tier 1 BIG-IP External IPs. These must be in the external subnet. | `map(string)` | `{"f5vm01ext": "10.90.2.14", "f5vm01ext_fou": "10.90.2.13", "f5vm01ext_sec": "10.90.2.11", "f5vm01ext_thi": "10.90.2.12"}` |
| `f5_t1_int` | Tier 1 BIG-IP Internal IPs. These must be in the internal subnet. | `map(string)` | `{"f5vm01int": "10.90.4.14", "f5vm01int_sec": "10.90.4.11"}` |
| `app01ip` | OPTIONAL: Example Application used by all use-cases to demonstrate functionality of the deployment; must reside in the application subnet. | `string` | `"10.90.10.101"` |
| `instanceType` | BIG-IP Instance Type. DS5_v2 is a solid baseline for BEST. | `string` | `"Standard_DS5_v2"` |
| `jumpinstanceType` | Be careful which instance type is selected; jump boxes currently use Premium_LRS managed disks. | `string` | `"Standard_B2s"` |
| `appInstanceType` | Demo Application Instance Size | `string` | `"Standard_DS3_v2"` |
| `image_name` | REQUIRED: BIG-IP Image Name. List with `az vm image list --output table --publisher f5-networks --location [region] --offer f5-big-ip --all`. The default f5-bigip-virtual-edition-1g-best-hourly is the PAYG image. For BYOL use f5-big-all-2slot-byol. | `string` | `"f5-bigip-virtual-edition-1g-best-hourly"` |
| `product` | REQUIRED: BYOL = f5-big-ip-byol, PAYG = f5-big-ip-best | `string` | `"f5-big-ip-best"` |
| `bigip_version` | REQUIRED: BIG-IP Version. Note: verify available versions before using, as images can change. | `string` | `"latest"` |
| `licenses` | BIG-IP Setup Licenses; only needed when using BYOL images | `map(string)` | `{"license1": "", "license2": "", "license3": "", "license4": ""}` |
| `hosts` | n/a | `map(string)` | `{"host1": "f5vm01", "host2": "f5vm02"}` |
| `dns_server` | REQUIRED: Default is set to Azure DNS. | `string` | `"168.63.129.16"` |
| `asm_policy` | REQUIRED: ASM Policy. Examples: https://github.com/f5devcentral/f5-asm-policy-templates. Default: OWASP Ready Autotuning | `string` | `"https://raw.githubusercontent.com/f5devcentral/f5-asm-policy-templates/master/owasp_ready_template/owasp-auto-tune-v1.1.xml"` |
| `ntp_server` | n/a | `string` | `"time.nist.gov"` |
| `timezone` | n/a | `string` | `"UTC"` |
| `onboard_log` | n/a | `string` | `"/var/log/startup-script.log"` |
| `tags` | Environment tags for objects | `map(string)` | `{"application": "f5app", "costcenter": "f5costcenter", "creator": "Terraform", "delete": "True", "environment": "azure", "group": "f5group", "owner": "f5owner", "purpose": "public"}` |
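The Inputs table states three placement constraints (`f5_mgmt` in the management subnet, `f5_t1_ext` in the external subnet, `f5_t1_int` in the internal subnet, `app01ip` in the application subnet) plus the implicit ones that every subnet fits inside `cidr` and that subnets do not overlap. Terraform 0.13 cannot express cross-variable checks in a `validation` block, so the following pre-flight script, an added example that is not part of this repository, applies them before `terraform apply`. The default values are copied from the table above; the variable-to-subnet mapping and the Azure reserved-address rule (the first four and the last address of each subnet are unusable) are this example's own assumptions. Run against the table's defaults it flags every `f5_t1_ext` address (10.90.2.x is the internal subnet, not external 10.90.1.0/24) and both `f5_t1_int` addresses (10.90.4.x is inspect_int, not internal 10.90.2.0/24), which matches the "hardcoded IP values for testing, fix" item in the to-do list.

```python
"""Pre-flight check of the address-plan inputs (added example, not repository code)."""
import ipaddress

# Defaults copied from the README Inputs table.
CIDR = "10.90.0.0/16"
AZURE_SUBNETS = {
    "application": "10.90.10.0/24",
    "external": "10.90.1.0/24",
    "inspect_ext": "10.90.3.0/24",
    "inspect_int": "10.90.4.0/24",
    "internal": "10.90.2.0/24",
    "management": "10.90.0.0/24",
}
F5_MGMT = {"f5vm01mgmt": "10.90.0.14", "f5vm02mgmt": "10.90.0.15"}
F5_T1_EXT = {"f5vm01ext": "10.90.2.14", "f5vm01ext_fou": "10.90.2.13",
             "f5vm01ext_sec": "10.90.2.11", "f5vm01ext_thi": "10.90.2.12"}
F5_T1_INT = {"f5vm01int": "10.90.4.14", "f5vm01int_sec": "10.90.4.11"}
APP01IP = "10.90.10.101"

# Which subnet each address variable must live in, taken from the Inputs
# descriptions (the mapping itself is an assumption of this example).
PLACEMENT = {
    "f5_mgmt": ("management", F5_MGMT),
    "f5_t1_ext": ("external", F5_T1_EXT),
    "f5_t1_int": ("internal", F5_T1_INT),
    "app01ip": ("application", {"app01ip": APP01IP}),
}


def check_subnets(cidr, subnets):
    """Return a list of problems with the subnet plan (empty list means OK)."""
    problems = []
    vnet = ipaddress.ip_network(cidr)
    nets = {}
    for name, prefix in subnets.items():
        net = ipaddress.ip_network(prefix)
        if not net.subnet_of(vnet):
            problems.append(f"subnet {name} {prefix} is outside VNET {cidr}")
        nets[name] = net
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"subnets {a} and {b} overlap")
    return problems


def check_placement(subnets, placement):
    """Return {variable: [reason, ...]} for every address that is outside its
    required subnet or sits on an Azure-reserved address of that subnet."""
    bad = {}
    for var, (subnet_name, addrs) in placement.items():
        net = ipaddress.ip_network(subnets[subnet_name])
        # Azure reserves the network address, the next three, and the last address.
        reserved = {net.network_address + k for k in range(4)} | {net.broadcast_address}
        for key, ip in addrs.items():
            addr = ipaddress.ip_address(ip)
            if addr not in net:
                bad.setdefault(var, []).append(f"{key}={ip} not in {subnet_name} ({net})")
            elif addr in reserved:
                bad.setdefault(var, []).append(f"{key}={ip} is an Azure-reserved address in {subnet_name}")
    return bad


def main():
    for problem in check_subnets(CIDR, AZURE_SUBNETS):
        print("SUBNET:", problem)
    for var, reasons in check_placement(AZURE_SUBNETS, PLACEMENT).items():
        for reason in reasons:
            print(f"PLACEMENT: {var}: {reason}")


if __name__ == "__main__":
    main()
```

To use it against your own `terraform.tfvars`, replace the constants with the values you intend to apply; a clean run prints nothing.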

Outputs

| Name | Description |
|---|---|
| auto_tag | n/a |
| deployment_info | n/a |

Deployment

For deployment you can run the traditional terraform commands or use the provided scripts.

```sh
. ./prep.sh
terraform init
terraform plan
terraform apply
```
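Four of the inputs are paths under `./creds/` (`api_cert`, `api_p12_file`, `api_key`, `sshPublicKeyPath`), and two of those hold the Volterra API private material. The pre-flight below, an added example that is not part of this repository, checks before `terraform init` that each referenced file exists, that the `.p12` bundle and the API key are not group- or world-readable, and that `creds/` is excluded by `.gitignore`; the page does not say how the repository itself handles `.gitignore`, so that check and the choice of which inputs count as secret are this example's assumptions. The demo workspace it builds in a temporary directory is constructed here.

```python
"""Credential-file pre-flight for the deployment (added example, not repository code)."""
import os
import stat
import tempfile

# Path inputs and their defaults, copied from the README Inputs table.
CREDENTIAL_INPUTS = {
    "api_cert": "./creds/api2.cer",
    "api_p12_file": "./creds/f5-sa.console.ves.volterra.io.api-creds.p12",
    "api_key": "./creds/api.key",
    "sshPublicKeyPath": "./creds/id_rsa.pub",
}
# Assumption: the .p12 bundle and the API key are secret; the certificate and
# the ssh public key are not.
SECRET_INPUTS = {"api_p12_file", "api_key"}


def gitignore_excludes_creds(workdir):
    """True if .gitignore in workdir has a line that ignores the creds directory."""
    path = os.path.join(workdir, ".gitignore")
    if not os.path.isfile(path):
        return False
    with open(path) as fh:
        return any(line.strip().rstrip("/*") == "creds" for line in fh)


def preflight(inputs, workdir):
    """Return a list of findings (empty list means OK), resolving paths against workdir."""
    findings = []
    for name, rel in inputs.items():
        path = os.path.join(workdir, rel)
        if not os.path.isfile(path):
            findings.append(f"{name}: {rel} is missing")
            continue
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if name in SECRET_INPUTS and mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(f"{name}: {rel} is group/world accessible (mode {mode:04o}); expected 0600")
    if not gitignore_excludes_creds(workdir):
        findings.append(".gitignore does not exclude creds/; API credentials could be committed")
    return findings


def run_demo():
    """Build a constructed workspace with one missing file and one over-permissive
    key, run the pre-flight, repair the workspace, and run it again.
    Returns (findings_before, findings_after)."""
    workdir = tempfile.mkdtemp()
    os.mkdir(os.path.join(workdir, "creds"))
    for name, rel in CREDENTIAL_INPUTS.items():
        if name == "api_p12_file":
            continue  # deliberately left out to trigger the "missing" finding
        path = os.path.join(workdir, rel)
        with open(path, "w") as fh:
            fh.write("placeholder content, not a real credential\n")
        os.chmod(path, 0o644)  # too open for api.key, fine for the public files
    before = preflight(CREDENTIAL_INPUTS, workdir)

    # Repair: tighten the key, supply the bundle with safe permissions, ignore creds/.
    os.chmod(os.path.join(workdir, CREDENTIAL_INPUTS["api_key"]), 0o600)
    p12 = os.path.join(workdir, CREDENTIAL_INPUTS["api_p12_file"])
    with open(p12, "w") as fh:
        fh.write("placeholder bundle\n")
    os.chmod(p12, 0o600)
    with open(os.path.join(workdir, ".gitignore"), "w") as fh:
        fh.write("creds/\n")
    after = preflight(CREDENTIAL_INPUTS, workdir)
    return before, after


if __name__ == "__main__":
    found, fixed = run_demo()
    print("before:", *found, sep="\n  ")
    print("after:", fixed)
```

In a real checkout call `preflight(CREDENTIAL_INPUTS, ".")` from the repository root (substituting the paths from your tfvars) and refuse to run `terraform apply` while it returns findings.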

Troubleshooting

AS3, DO, and runtime-init declarations are rendered under ./debug for review. AS3 occasionally fails on the example partition, but this is easily resolved with Postman. Working on a resolution.

Currently getting a 503 from Volterra; LTM shows no traffic reaching it, so this is probably a UDR issue. Working on a resolution.

Support

For support, please open a GitHub issue. Note: the code in this repository is community supported and is not supported by F5 Networks. For a complete list of supported projects please reference SUPPORT.md.

Community Code of Conduct

Please refer to the F5 DevCentral Community Code of Conduct.

License

Apache License 2.0

Copyright

Copyright 2014-2020 F5 Networks Inc.

F5 Networks Contributor License Agreement

Before you start contributing to any project sponsored by F5 Networks, Inc. (F5) on GitHub, you will need to sign a Contributor License Agreement (CLA).

If you are signing as an individual, we recommend that you talk to your employer (if applicable) before signing the CLA since some employment agreements may have restrictions on your contributions to other projects. Otherwise by submitting a CLA you represent that you are legally entitled to grant the licenses recited therein.

If your employer has rights to intellectual property that you create, such as your contributions, you represent that you have received permission to make contributions on behalf of that employer, that your employer has waived such rights for your contributions, or that your employer has executed a separate CLA with F5.

If you are signing on behalf of a company, you represent that you are legally entitled to grant the license recited therein. You represent further that each employee of the entity that submits contributions is authorized to submit such contributions on behalf of the entity pursuant to the CLA.
