Deploy NetFoundry ZTNA on Azure private MEC
Prerequisites:
- Azure Stack Edge Box installed and activated. Follow these docs to complete this step: https://docs.microsoft.com/en-us/azure/databox-online/azure-stack-edge-deploy-install
- An Azure Network Function Manager (Device) must be created for the ASE from the first prerequisite. Follow this link: Register a Device for Azure Network Function Manager
- Expected ASE network setup:
- Port 1 (1GbE) of the physical appliance should be dedicated for local management/access of the appliance
- Enable Compute must be set to ‘yes’ on port 2 (1 GbE), port 3 (10GbE/25GbE) or port 4 (10GbE/25GbE) of the physical appliance (when you enable compute, a management virtual switch is created on your appliance on that network interface). This port requires open internet access and must be able to reach external nameservers in order to register with Azure.
- Port 5 of the physical appliance must be connected for Local Area Network or Access network (for connectivity to other internal network functions and external peers like eNodeBs)
- Port 6 of the physical device must be connected for WAN or Data network (for external corp/internet connectivity)
Important Notes:
- To deploy the NF Edge Router onto the MEC device, you need to query for the MEC Device Manager. Every MEC device must have one manager associated with it to manage VNF deployment onto that device. This service is also in preview mode, so customers need to be whitelisted by Microsoft to see this option in the UI or to query it through the APIs.
- NetFoundry Edge Router can only be deployed on the Management Network (i.e. single NIC deployment option) or on the Management and LAN Networks (i.e. 2 NIC deployment option).
- With 2 NIC deployment, the ER inbound firewall rules are configured on ETH1 based on the services provisioned across that ER. If one wants to use ETH0 as ingress, then the ingress firewall rules need to be added manually through the command line. The command format that can be used is as follows:
sudo ufw allow from {{ ip prefix }} to any port {{ destination port number }} proto {{ protocol used, i.e. tcp/udp }}
Deploying NF Edge Router with Azure UI:
Important Notes:
- The optional parameters are dnsServers and publicSshKey. Providing publicSshKey is strongly recommended; the dnsServers parameters are ignored in the current version. Marketplace listing: https://azuremarketplace.microsoft.com/en-us/marketplace/apps/netfoundryinc.application-ziti-private-edge?tab=Overview
- An endpoint is created automatically with the name of the Edge Router created in step 2.
1. Log in to the NF Console.
2. Create an Edge Router and save the Registration Key.
3. Find our managed app in Azure Marketplace, i.e. search for “NetFoundry ZTNA on private MEC”.
4. Fill in the details as follows:
   - Basics
   - Network Settings
     - Single NIC Deployment
     - 2 NIC Deployment
   - Assign Identity
5. Accept the terms and click deploy.
Deploying NF Edge Router with Azure API - Integration with Orchestration Platforms:
As the Edge Router creation method shows, any orchestration platform UI may need to ask users for the parameters highlighted in red below. Additionally, the interface option (mecmgmtNic) will most likely need to be a list of NICs in case users choose a 2 NIC Edge Router deployment, as shown in Create Edge Router - 2 NICs. The parameter highlighted in green must be queried through the API GET method described in Look up Azure Stack Edge device manager.
Important Note: The optional parameters are dnsServers and publicSshKey. Providing publicSshKey is strongly recommended; the dnsServers parameters are ignored in the current version.
"parameters": {
"location": { "value": "{{location}}"},
"nfName": { "value": "{{applicationName}}" },
"deviceId": { "value": "/subscriptions/{{subscriptionId}}/resourceGroups/NetworkManagerGroup/providers/Microsoft.HybridNetwork/devices/{{deviceMangerName}}" },
"edgeRouterKey": { "value": "{{routerKey}}" },
"publicSshKey": { "value": "{{sshKey}}" },
"mecmgmtNic": {
"value": {
"ipAddress": "192.168.101.20",
"subnet": "192.168.101.0/24",
"gateway": "192.168.101.1",
"dnsServer1": "",
"dnsServer2": ""
}
}
}
Look up Azure Stack Edge device manager:
curl --location -g --request GET 'https://management.azure.com/subscriptions/{{subscriptionId}}/resourceGroups/{{deviceResourceGroupName}}/providers/Microsoft.HybridNetwork/devices?api-version=2020-01-01-preview' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer {{token}}'
Response:
{
"value": [
{
"id": "/subscriptions/53d234e8-b7ac-4f09-a517-508ed55e4cae/resourceGroups/NetworkManagerGroup/providers/Microsoft.HybridNetwork/devices/WallNetworkDeviceManager",
"name": "WallNetworkDeviceManager",
"type": "Microsoft.HybridNetwork/devices",
"location": "eastus",
"properties": {
"status": "Registered",
"provisioningState": "Succeeded",
"deviceType": "AzureStackEdge",
"azureStackEdge": {
"id": "/subscriptions/53d234e8-b7ac-4f09-a517-508ed55e4cae/resourcegroups/MEC5GLAB/providers/Microsoft.DataBoxEdge/dataBoxEdgeDevices/Azure-Stack-Edge-01"
},
"networkFunctions": [
{
"id": "/subscriptions/53d234e8-b7ac-4f09-a517-508ed55e4cae/resourcegroups/mrg-application-connection-gateway-app-dariuszTest01-mec01/providers/Microsoft.HybridNetwork/networkFunctions/WallMECER01"
}
]
}
}
]
}
Create Edge Router - 2 NICs:
curl --location -g --request PUT 'https://management.azure.com/subscriptions/{{subscriptionId}}/resourceGroups/{{resourceGroupName}}/providers/Microsoft.Solutions/applications/{{applicationName}}?api-version=2019-07-01' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer {{token}}' \
--data-raw '{
"properties": {
"managedResourceGroupId": "/subscriptions/{{subscriptionId}}/resourceGroups/{{managedResourceGroupName}}",
"parameters": {
"location": { "value": "{{location}}"},
"nfName": { "value": "{{applicationName}}" },
"deviceId": { "value": "/subscriptions/{{subscriptionId}}/resourceGroups/NetworkManagerGroup/providers/Microsoft.HybridNetwork/devices/{{deviceMangerName}}" },
"edgeRouterKey": { "value": "{{routerKey}}" },
"publicSshKey": { "value": "{{sshKey}}" },
"mecmgmtNic": {
"value": {
"ipAddress": "192.168.101.20",
"subnet": "192.168.101.0/24",
"gateway": "192.168.101.1",
"dnsServer1": "",
"dnsServer2": ""
}
},
"meclanNic": {
"value": {
"ipAddress": "192.168.100.20",
"subnet": "192.168.100.0/24",
"gateway": "192.168.100.1",
"dnsServer1": "",
"dnsServer2": ""
}
}
},
"jitAccessPolicy": null
},
"location": "{{location}}",
"kind": "MarketPlace",
"plan": {
"name": "app-edge-router-multinic",
"product": "application-ziti-private-edge",
"publisher": "netfoundryinc"
}
}'
Create Edge Router - 1 NIC:
curl --location -g --request PUT 'https://management.azure.com/subscriptions/{{subscriptionId}}/resourceGroups/{{resourceGroupName}}/providers/Microsoft.Solutions/applications/{{applicationName}}?api-version=2019-07-01' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer {{token}}' \
--data-raw '{
"properties": {
"managedResourceGroupId": "/subscriptions/{{subscriptionId}}/resourceGroups/{{managedResourceGroupName}}",
"parameters": {
"location": { "value": "{{location}}"},
"nfName": { "value": "{{applicationName}}" },
"deviceId": { "value": "/subscriptions/{{subscriptionId}}/resourceGroups/NetworkManagerGroup/providers/Microsoft.HybridNetwork/devices/{{deviceMangerName}}" },
"edgeRouterKey": { "value": "{{routerKey}}" },
"publicSshKey": { "value": "{{sshKey}}" },
"mecmgmtNic": {
"value": {
"ipAddress": "192.168.101.11",
"subnet": "192.168.101.0/24",
"gateway": "192.168.101.1",
"dnsServer1": "",
"dnsServer2": ""
}
}
},
"jitAccessPolicy": null
},
"location": "{{location}}",
"kind": "MarketPlace",
"plan": {
"name": "app-edge-router",
"product": "application-ziti-private-edge",
"publisher": "netfoundryinc"
}
}'
Response:
Header
Note: Use the URL in this header to check the status of the Edge Router creation.
Key: Azure-AsyncOperation
Value:
https://management.azure.com/subscriptions/53d234e8-b7ac-4f09-a517-508ed55e4cae/resourceGroups/test01/providers/Microsoft.Solutions/locations/East US/operationStatuses/eyJmdWxseVF1YWxpZmllZEFwcGxpYW5jZUlkIjoiL3N1YnNjcmlwdGlvbnMvNTNkMjM0ZTgtYjdhYy00ZjA5LWE1MTctNTA4ZWQ1NWU0Y2FlL3Jlc291cmNlR3JvdXBzL3Rlc3QwMS9wcm92aWRlcnMvTWljcm9zb2Z0LlNvbHV0aW9ucy9hcHBsaWNhdGlvbnMvV2FsbE1FQ0VSMDIiLCJqb2JJZCI6IkFwcGxpYW5jZVByb3Zpc2lvbmluZ0pvYjoyRFJHQToyRFRFU1QwMToyRFdBTExNRUNFUjAyIn0?api-version=2019-07-01
Body
{
"properties": {
"managedResourceGroupId": "/subscriptions/53d234e8-b7ac-4f09-a517-508ed55e4cae/resourceGroups/mrg-application-connection-gateway-app-dariuszTest01-mec02",
"provisioningState": "Accepted",
"publisherTenantId": "25445e86-2ae6-4434-b116-25c66c27168d",
"authorizations": [
{
"principalId": "5d991e79-4165-4b2d-9475-6064aca3ae72",
"roleDefinitionId": "b24988ac-6180-42a0-ab88-20f7382dd24c"
}
],
"managementMode": "Managed",
"customerSupport": {
"contactName": "Customer Support",
"email": "support@netfoundry.io",
"phone": "+18552842007"
},
"supportUrls": {
"publicAzure": "http://support.netfoundry.io"
},
"createdBy": {
"oid": "1fc1aebf-bd2b-4a47-88b7-2812f176182f",
"applicationId": "164b46cd-71cb-4b3d-9583-d16004a5a8b4"
},
"updatedBy": {
"oid": "1fc1aebf-bd2b-4a47-88b7-2812f176182f",
"applicationId": "164b46cd-71cb-4b3d-9583-d16004a5a8b4"
}
},
"plan": {
"name": "app-edge-router-multinic",
"product": "application-ziti-private-edge-preview",
"publisher": "netfoundryinc"
},
"id": "/subscriptions/53d234e8-b7ac-4f09-a517-508ed55e4cae/resourceGroups/test01/providers/Microsoft.Solutions/applications/WallMECER02",
"name": "WallMECER02",
"type": "Microsoft.Solutions/applications",
"kind": "MarketPlace",
"location": "East US"
}
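The parameter gathering described under "Deploying NF Edge Router with Azure API" can be scripted before the PUT is sent. This Python code is an added example, not NetFoundry's or Microsoft's code: it takes the device manager id from a look-up response, checks each NIC's addresses against its subnet, and picks the plan name from the number of NICs. The function names, the placeholder values and the rule that publicSshKey must be present are assumptions of the example.

```python
import ipaddress

# Plan names copied from the two create requests on this page.
PLANS = {1: "app-edge-router", 2: "app-edge-router-multinic"}

def pick_device_id(lookup, name):
    """Return the id of a registered Azure Stack Edge device manager."""
    for dev in lookup.get("value", []):
        if dev.get("name") != name:
            continue
        props = dev.get("properties", {})
        if props.get("status") != "Registered" or props.get("deviceType") != "AzureStackEdge":
            raise ValueError(f"{name} is not a registered AzureStackEdge device")
        return dev["id"]
    raise LookupError(f"device manager {name!r} not found")

def nic(ip, subnet, gateway):
    """Build one NIC parameter, rejecting addresses that fall outside the subnet."""
    net = ipaddress.ip_network(subnet)
    for label, addr in (("ipAddress", ip), ("gateway", gateway)):
        if ipaddress.ip_address(addr) not in net:
            raise ValueError(f"{label} {addr} is outside {subnet}")
    if ip == gateway:
        raise ValueError("ipAddress and gateway must differ")
    # DNS fields stay empty: the page says dnsServers are ignored in the current version.
    return {"value": {"ipAddress": ip, "subnet": subnet, "gateway": gateway,
                      "dnsServer1": "", "dnsServer2": ""}}

def build_body(sub_id, managed_rg, location, name, device_id, router_key, ssh_key, mgmt, lan=None):
    """Assemble the PUT body; passing a LAN NIC selects the multi-NIC plan."""
    if not ssh_key.strip():  # stricter than the API, where publicSshKey is optional
        raise ValueError("publicSshKey is required by this example")
    params = {"location": {"value": location}, "nfName": {"value": name},
              "deviceId": {"value": device_id}, "edgeRouterKey": {"value": router_key},
              "publicSshKey": {"value": ssh_key}, "mecmgmtNic": nic(*mgmt)}
    if lan is not None:
        params["meclanNic"] = nic(*lan)
    return {"properties": {"managedResourceGroupId": f"/subscriptions/{sub_id}/resourceGroups/{managed_rg}",
                           "parameters": params, "jitAccessPolicy": None},
            "location": location, "kind": "MarketPlace",
            "plan": {"name": PLANS[2 if lan else 1], "product": "application-ziti-private-edge",
                     "publisher": "netfoundryinc"}}

if __name__ == "__main__":  # constructed look-up response and placeholder values
    lookup = {"value": [{"id": "/subscriptions/SUB/resourceGroups/RG/providers/Microsoft.HybridNetwork/devices/dm1",
                         "name": "dm1", "properties": {"status": "Registered", "deviceType": "AzureStackEdge"}}]}
    mgmt = ("192.168.101.20", "192.168.101.0/24", "192.168.101.1")
    print(build_body("SUB", "mrg-demo", "eastus", "er1", pick_device_id(lookup, "dm1"),
                     "ROUTER-KEY", "ssh-ed25519 constructed-key", mgmt)["plan"])
```

Serialising the returned dictionary with `json.dumps` gives the `--data-raw` payload of the create requests above.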
Delete Edge Router:
curl --location -g --request DELETE 'https://management.azure.com/subscriptions/{{subscriptionId}}/resourceGroups/{{resourceGroupName}}/providers/Microsoft.Solutions/applications/{{applicationName}}?api-version=2019-07-01' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer {{token}}'
Look up Edge Router:
curl --location -g --request GET 'https://management.azure.com/subscriptions/{{subscriptionId}}/resourceGroups/{{resourceGroupName}}/providers/Microsoft.Solutions/applications/{{applicationName}}?api-version=2019-07-01' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer {{token}}'
Response:
{
"properties": {
"managedResourceGroupId": "/subscriptions/53d234e8-b7ac-4f09-a517-508ed55e4cae/resourceGroups/mrg-application-connection-gateway-app-dariuszTest01-mec01",
"parameters": {
"location": {
"type": "String",
"value": "eastus"
},
"nfName": {
"type": "String",
"value": "WallMECER01"
},
"deviceId": {
"type": "String",
"value": "/subscriptions/53d234e8-b7ac-4f09-a517-508ed55e4cae/resourceGroups/NetworkManagerGroup/providers/Microsoft.HybridNetwork/devices/WallNetworkDeviceManager"
},
"edgeRouterKey": {
"type": "String",
"value": "NFK77G2WNT"
},
"publicSshKey": {
"type": "String",
"value": "..."
},
"mecmgmtNic": {
"type": "Object",
"value": {
"ipAddress": "192.168.101.10",
"subnet": "192.168.101.0/24",
"gateway": "192.168.101.1",
"dnsServer1": "",
"dnsServer2": ""
}
}
},
"outputs": {},
"provisioningState": "Succeeded",
"publisherTenantId": "25445e86-2ae6-4434-b116-25c66c27168d",
"authorizations": [
{
"principalId": "5d991e79-4165-4b2d-9475-6064aca3ae72",
"roleDefinitionId": "b24988ac-6180-42a0-ab88-20f7382dd24c"
}
],
"managementMode": "Managed",
"customerSupport": {
"contactName": "Customer Support",
"email": "support@netfoundry.io",
"phone": "+18552842007"
},
"supportUrls": {
"publicAzure": "http://support.netfoundry.io"
},
"createdBy": {
"oid": "1fc1aebf-bd2b-4a47-88b7-2812f176182f",
"applicationId": "164b46cd-71cb-4b3d-9583-d16004a5a8b4"
},
"updatedBy": {
"oid": "1fc1aebf-bd2b-4a47-88b7-2812f176182f",
"applicationId": "164b46cd-71cb-4b3d-9583-d16004a5a8b4"
}
},
"plan": {
"name": "app-edge-router",
"product": "application-ziti-private-edge-preview",
"publisher": "netfoundryinc"
},
"id": "/subscriptions/53d234e8-b7ac-4f09-a517-508ed55e4cae/resourceGroups/test01/providers/Microsoft.Solutions/applications/WallMECER01",
"name": "WallMECER01",
"type": "Microsoft.Solutions/applications",
"kind": "MarketPlace",
"location": "East US"
}
Look up All Edge Routers:
curl --location --request GET 'https://management.azure.com/subscriptions/{{subscriptionId}}/resourceGroups/{{resourceGroupName}}/providers/Microsoft.Solutions/applications?api-version=2019-07-01' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer {{token}}'
Response:
{
"value": [
{
"properties": {
"managedResourceGroupId": "/subscriptions/53d234e8-b7ac-4f09-a517-508ed55e4cae/resourceGroups/mrg-application-connection-gateway-app-dariuszTest01-mec01",
"parameters": {
"location": {
"type": "String",
"value": "eastus"
},
"nfName": {
"type": "String",
"value": "WallMECER01"
},
"deviceId": {
"type": "String",
"value": "/subscriptions/53d234e8-b7ac-4f09-a517-508ed55e4cae/resourceGroups/NetworkManagerGroup/providers/Microsoft.HybridNetwork/devices/WallNetworkDeviceManager"
},
"edgeRouterKey": {
"type": "String",
"value": "NFK77G2WNT"
},
"publicSshKey": {
"type": "String",
"value": "..."
},
"mecmgmtNic": {
"type": "Object",
"value": {
"ipAddress": "192.168.101.10",
"subnet": "192.168.101.0/24",
"gateway": "192.168.101.1",
"dnsServer1": "",
"dnsServer2": ""
}
}
},
"outputs": {},
"provisioningState": "Succeeded",
"publisherTenantId": "25445e86-2ae6-4434-b116-25c66c27168d",
"authorizations": [
{
"principalId": "5d991e79-4165-4b2d-9475-6064aca3ae72",
"roleDefinitionId": "b24988ac-6180-42a0-ab88-20f7382dd24c"
}
],
"managementMode": "Managed",
"customerSupport": {
"contactName": "Customer Support",
"email": "support@netfoundry.io",
"phone": "+18552842007"
},
"supportUrls": {
"publicAzure": "http://support.netfoundry.io"
},
"createdBy": {
"oid": "1fc1aebf-bd2b-4a47-88b7-2812f176182f",
"applicationId": "164b46cd-71cb-4b3d-9583-d16004a5a8b4"
},
"updatedBy": {
"oid": "1fc1aebf-bd2b-4a47-88b7-2812f176182f",
"applicationId": "164b46cd-71cb-4b3d-9583-d16004a5a8b4"
}
},
"plan": {
"name": "app-edge-router",
"product": "application-ziti-private-edge-preview",
"publisher": "netfoundryinc"
},
"id": "/subscriptions/53d234e8-b7ac-4f09-a517-508ed55e4cae/resourceGroups/test01/providers/Microsoft.Solutions/applications/WallMECER01",
"name": "WallMECER01",
"type": "Microsoft.Solutions/applications",
"kind": "MarketPlace",
"location": "East US"
}
]
}
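Both look-up responses above return the deployment parameters, edgeRouterKey included, in clear text. The following Python code is an added example, not part of the original page: it masks that value before a response is written to orchestration logs and reduces the response to one inventory row per router. The function names are hypothetical, the sample is constructed, and treating edgeRouterKey as a secret is this example's assumption.

```python
import copy

# Parameters this example treats as secrets (an assumption, not an Azure or NetFoundry list).
SENSITIVE = ("edgeRouterKey",)
MASK = "***REDACTED***"

def apps_of(response):
    """Accept both shapes: one application, or the {"value": [...]} list response."""
    return response["value"] if isinstance(response.get("value"), list) else [response]

def redact(response):
    """Return a deep copy with sensitive parameter values masked; the input is untouched."""
    out = copy.deepcopy(response)
    for app in apps_of(out):
        params = app.get("properties", {}).get("parameters", {})
        for name in SENSITIVE:
            if params.get(name, {}).get("value"):
                params[name]["value"] = MASK
    return out

def inventory(response):
    """One row per edge router: name, provisioning state, plan and NIC addresses."""
    rows = []
    for app in apps_of(response):
        props = app.get("properties", {})
        nics = {k: v["value"]["ipAddress"]
                for k, v in props.get("parameters", {}).items() if k.endswith("Nic")}
        rows.append({"name": app.get("name"), "state": props.get("provisioningState"),
                     "plan": app.get("plan", {}).get("name"), "nics": nics})
    return rows

# Constructed sample in the shape of the list response above (placeholder values).
SAMPLE = {"value": [{
    "name": "er-demo", "plan": {"name": "app-edge-router"},
    "properties": {"provisioningState": "Succeeded", "parameters": {
        "edgeRouterKey": {"type": "String", "value": "CONSTRUCTED-KEY"},
        "mecmgmtNic": {"type": "Object", "value": {"ipAddress": "192.168.101.10"}}}}}]}

if __name__ == "__main__":
    print(redact(SAMPLE)["value"][0]["properties"]["parameters"]["edgeRouterKey"])
    print(inventory(SAMPLE))
```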