ampls.azcli

#############################################
# To test Azure Monitor Private Link Scopes
#
# Jose Moreno, March 2022
#############################################

# Variables
rg=amplstest
location=westeurope
logws_name=amplstest$RANDOM
num_spokes=4
vm_size=Standard_B1s

# Create Hub with DNS server
az group create -n $rg -l $location -o none
# - Enabling OS IP fwding everywhere, even if it is not really needed
cloudinit_file=/tmp/cloudinit.txt
cat <<EOF > $cloudinit_file
#cloud-config
package_upgrade: true
packages:
  - dnsmasq
EOF
az vm create -n hub -g $rg -l $location --image ubuntuLTS --generate-ssh-keys --size $vm_size --public-ip-address hub-pip --public-ip-sku Standard \
    --vnet-name hub --vnet-address-prefix 192.168.0.0/24 --subnet vm --subnet-address-prefix 192.168.0.0/26 --custom-data $cloudinit_file -o none --no-wait
# Create spokes
for spoke_id in $(seq 1 ${num_spokes})
do
    az vm create -n "spoke${spoke_id}" -g $rg -l $location --image ubuntuLTS --generate-ssh-keys --size $vm_size --public-ip-address "${spoke_id}-pip" --public-ip-sku Standard \
    --vnet-name "spoke${spoke_id}" --vnet-address-prefix "192.168.${spoke_id}.0/24" --subnet vm --subnet-address-prefix "192.168.${spoke_id}.0/26" -o none --no-wait
done
# Create peerings and configure VNet
hub_nic_id=$(az vm show -n hub -g $rg --query 'networkProfile.networkInterfaces[0].id' -o tsv)
hub_ip=$(az network nic show --ids $hub_nic_id --query 'ipConfigurations[0].privateIpAddress' -o tsv)
for spoke_id in $(seq 1 ${num_spokes})
do
    az network vnet update -n "spoke${spoke_id}" -g $rg --dns-servers $hub_ip -o none
    az network vnet peering create -n "hubtospoke${spoke_id}" -g $rg --vnet-name hub --remote-vnet "spoke${spoke_id}" --allow-vnet-access --allow-forwarded-traffic -o none
    az network vnet peering create -n "spoke${spoke_id}tohub" -g $rg --vnet-name "spoke${spoke_id}" --remote-vnet hub --allow-vnet-access --allow-forwarded-traffic -o none
done
az monitor log-analytics workspace create -g $rg -n $logws_name -o none
logws_id=$(az resource list -g $rg -n $logws_name --query '[].id' -o tsv)
logws_customerid=$(az monitor log-analytics workspace show -n $logws_name -g $rg --query customerId -o tsv)
logws_key=$(az monitor log-analytics workspace get-shared-keys -n $logws_name -g $rg --query 'primarySharedKey' -o tsv)

# Create DNS Zones, and link them to the hub VNet
for zone in privatelink.agentsvc.azure-automation.net privatelink.blob.core.windows.net privatelink.monitor.azure.com privatelink.ods.opinsights.azure.com privatelink.oms.opinsights.azure.com
do
    az network private-dns zone create -n $zone -g $rg --no-wait -o none
done
for zone in privatelink.agentsvc.azure-automation.net privatelink.blob.core.windows.net privatelink.monitor.azure.com privatelink.ods.opinsights.azure.com privatelink.oms.opinsights.azure.com
do
    az network private-dns link vnet create -g $rg -z $zone -n hub --virtual-network hub --registration-enabled false -o none
done

# Create Private Link Scope and associate with AzMonitor
az monitor private-link-scope create -n ampls -g $rg -o none
az monitor private-link-scope scoped-resource create -n $logws_name --linked-resource $logws_id -g $rg --scope-name amls -o none

# Create Private Endpoint
ampls_id=$(az monitor private-link-scope show -n ampls -g $rg --query id -o tsv)
az network vnet subnet create -g $rg --vnet-name hub -n endpoints --address-prefix "192.168.0.64/26" -o none
az network vnet subnet update -n endpoints -g $rg --vnet-name hub --disable-private-endpoint-network-policies true -o none
az network private-endpoint create -n ampls -g $rg --vnet-name hub --subnet endpoints --private-connection-resource-id $ampls_id --connection-name ampls -l $location --group-id azuremonitor -o none

# Create Zone Groups
zone=privatelink.agentsvc.azure-automation.net
zone_dash=$(echo $zone | tr '.' '-')
az network private-endpoint dns-zone-group create --endpoint-name ampls -g $rg -n default --zone-name $zone_dash --private-dns-zone $zone -o none
for zone in privatelink.blob.core.windows.net privatelink.monitor.azure.com privatelink.ods.opinsights.azure.com privatelink.oms.opinsights.azure.com
do
    zone_dash=$(echo $zone | tr '.' '-')
    az network private-endpoint dns-zone-group add --endpoint-name ampls -g $rg -n default --zone-name $zone_dash --private-dns-zone $zone -o none
done

# Refresh DNS server configuration in VMs (we updated the VNets after the VMs were up)
for spoke_id in $(seq 1 ${num_spokes})
do
    pip_name="${spoke_id}-pip"
    pip=$(az network public-ip show -n $pip_name -g $rg --query 'ipAddress' -o tsv)
    ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no "$pip" "sudo systemctl restart systemd-networkd"
done

# Associate VMs to AzMonitor
az vm extension set -n OmsAgentForLinux -g $rg --vm-name hub --publisher Microsoft.EnterpriseCloud.Monitoring --protected-settings "{\"workspaceKey\":\"${logws_key}\"}" --settings "{\"workspaceId\":\"${logws_customerid}\"}" --no-wait -o none
for spoke_id in $(seq 1 ${num_spokes})
do
    az vm extension set -n OmsAgentForLinux -g $rg --vm-name spoke${spoke_id} --publisher Microsoft.EnterpriseCloud.Monitoring --protected-settings "{\"workspaceKey\":\"${logws_key}\"}" --settings "{\"workspaceId\":\"${logws_customerid}\"}" --no-wait -o none
done

# Query
query='Heartbeat
| where TimeGenerated > ago(15m)
| extend PrivateIP = tostring(ComputerPrivateIPs[0])
| summarize count() by Computer, ComputerIP, PrivateIP'
az monitor log-analytics query -w $logws_customerid --analytics-query $query -o tsv

# Diagnostics
az network private-endpoint dns-zone-group list --endpoint-name ampls -g $rg
for zone in privatelink.agentsvc.azure-automation.net privatelink.blob.core.windows.net privatelink.monitor.azure.com privatelink.ods.opinsights.azure.com privatelink.oms.opinsights.azure.com
do
    az network private-dns record-set a list -z $zone -g $rg --query '[].[aRecords[0].ipv4Address, fqdn]' -o tsv
done


###########
# Cleanup #
# DANGER! #
###########

# az group delete -y --no-wait -n $rg