Azure Templates Improvements | ARM

CheckPointSW · Jun 13, 2024 · 69b8bcb · 69b8bcb
1 parent 7f0f399
commit 69b8bcb
Show file tree

Hide file tree

Showing 17 changed files with 817 additions and 102 deletions.
diff --git a/azure/templates/marketplace-gateway-load-balancer/createUiDefinition.json b/azure/templates/marketplace-gateway-load-balancer/createUiDefinition.json
@@ -292,7 +292,7 @@
             "label": "Number of Availability Zones to use",
             "defaultValue": "None",
             "toolTip": "The number of avalability zones to use for the scale set. Note that the load balancers and their IP addresses will be zone redundant in any case.",
-            "visible": "[contains(' australiaeast brazilsouth canadacentral centralus eastasia eastus eastus2 francecentral germanywestcentral japaneast koreacentral northeurope norwayeast southafricanorth southcentralus southeastasia swedencentral uksouth usgovvirginia westeurope westus2 westus3 switzerlandnorth qatarcentral centralindia uaenorth ', concat(' ', location(), ' '))]",
+            "visible": "[contains(' australiaeast brazilsouth canadacentral centralus eastasia eastus eastus2 francecentral germanywestcentral japaneast koreacentral northeurope norwayeast southafricanorth southcentralus southeastasia swedencentral uksouth usgovvirginia westeurope westus2 westus3 switzerlandnorth qatarcentral centralindia uaenorth italynorth ', concat(' ', location(), ' '))]",
             "constraints": {
               "allowedValues": [
                 {
@@ -1279,6 +1279,18 @@
               ]
             }
           },
+          {
+            "name": "additionalDiskSizeGB",
+            "type": "Microsoft.Common.TextBox",
+            "label": "Additional disk space (GB)",
+            "defaultValue": "0",
+            "toolTip": "Additional disk space (in GB), initial disk size is 100 GB.",
+            "constraints": {
+              "regex": "^([0-9]|[1-9][0-9]|[1-9][0-9][0-9]|[1-2][0-9][0-9][0-9]|3[0-8][0-9][0-9]|399[0-5])$",
+              "validationMessage": "Select a number between 0 and 3995"
+            },
+            "visible": "[not(contains('R80.40 R81 R81.10 R81.20', steps('chkp').cloudGuardVersion))]"
+          },
           {
             "name": "useCustomImageUri",
             "type": "Microsoft.Common.OptionsGroup",
@@ -1411,6 +1423,27 @@
               "validationMessage": "Only alphanumeric characters are allowed, and the name must be 1-30 characters long."
             },
             "visible": "[steps('network').NSG]"
+          },
+          {
+            "name": "addStorageAccountIpRules",
+            "type": "Microsoft.Common.OptionsGroup",
+            "defaultValue": "Network access from all networks",
+            "label": "Storage Account Network Access",
+            "toolTip": "Select your preferred network access to the Storage Account, for more information - https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/serial-console-linux#serial-console-security",
+            "constraints": {
+              "allowedValues": [
+                {
+                  "label": "Network access from all networks",
+                  "value": false
+                },
+                {
+                  "label": "Network access only from Serial Console",
+                  "value": true
+                }
+              ],
+              "required": true
+            },
+            "visible": true
           }
         ]
       },
@@ -1460,6 +1493,7 @@
       "sicKey": "[steps('chkp').sicKeyUi]",
       "bootstrapScript": "[steps('chkp').bootstrapScript]",
       "allowDownloadFromUploadToCheckPoint": "[coalesce(steps('chkp').allowUploadDownload, 'true')]",
+      "additionalDiskSizeGB": "[int(steps('chkp').additionalDiskSizeGB)]",
       "diskType": "[if(contains('R80.40 R81 R81.10' , steps('chkp').cloudGuardVersion) , steps('chkp').VMDiskTypeOldVersions , steps('chkp').VMDiskType)]",
       "sourceImageVhdUri": "[coalesce(steps('chkp').sourceImageVhdUri, 'noCustomUri')]",
       "virtualNetworkName": "[steps('network').virtualNetwork.name]",
@@ -1474,6 +1508,7 @@
       "deployNewNSG": "[steps('network').NSG]",
       "ExistingNSG": "[steps('network').nsgSelector]",
       "NewNsgName": "[steps('network').NSGName]",
+      "addStorageAccountIpRules":"[steps('network').addStorageAccountIpRules]",
       "SerialConsolePasswordHash": "[steps('chkp').AdditionalPassword]",
       "MaintenanceModePasswordHash": "[steps('chkp').MaintenanceModePassword]"
     }

diff --git a/azure/templates/marketplace-gateway-load-balancer/mainTemplate.json b/azure/templates/marketplace-gateway-load-balancer/mainTemplate.json
@@ -267,6 +267,15 @@
         "description": "The IP address used to manage the VMSS instances."
       }
     },
+    "additionalDiskSizeGB": {
+      "type": "int",
+      "defaultValue": 0,
+      "metadata": {
+        "description": "Amount of additional disk space (in GB), not relevant for R81.20 and below"
+      },
+      "minValue": 0,
+      "maxValue": 3995
+    },
     "diskType": {
       "type": "string",
       "defaultValue": "Standard_LRS",
@@ -386,6 +395,20 @@
     "NewNsgName": {
       "type": "string",
       "defaultValue": "[concat(parameters('vmName'),'-nsg')]"
+    },
+    "addStorageAccountIpRules": {
+      "type": "bool",
+      "metadata": {
+        "description": "Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location, based on https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/serial-console-linux#use-serial-console-with-custom-boot-diagnostics-storage-account-firewall-enabled"
+      },
+      "defaultValue" : false
+    },
+    "storageAccountAdditionalIps":{
+      "type": "array",
+      "metadata": {
+        "description": "IPs/CIDRs that are allowed access to the Storage Account"
+      },
+      "defaultValue" : []
     }
   },
   "variables": {
@@ -411,10 +434,60 @@
       "R81.20 - Pay As You Go (NGTX)": "R8120"
     },
     "osVersion": "[variables('osVersions')[parameters('cloudGuardVersion')]]",
+    "SerialConsoleGeographies": {
+      "eastasia" : ["20.205.69.28", "20.195.85.180"],
+      "southeastasia" : ["20.205.69.28", "20.195.85.180"],
+      "australiacentral" : ["20.53.53.224", "20.70.222.112"],
+      "australiacentral2" : ["20.53.53.224", "20.70.222.112"],
+      "australiaeast" : ["20.53.53.224", "20.70.222.112"],
+      "australiasoutheast" : ["20.53.53.224", "20.70.222.112"],
+      "brazilsouth" : ["91.234.136.63", "20.206.0.194"],
+      "brazilsoutheast" : ["91.234.136.63", "20.206.0.194"],
+      "canadacentral" : ["52.228.86.177", "52.242.40.90"],
+      "canadaeast" : ["52.228.86.177", "52.242.40.90"],
+      "northeurope" : ["52.146.139.220", "20.105.209.72"],
+      "westeurope" : ["52.146.139.220", "20.105.209.72"],
+      "francecentral" : ["20.111.0.244", "52.136.191.10"],
+      "francesouth" : ["20.111.0.244", "52.136.191.10"],
+      "germanynorth" : ["51.116.75.88", "20.52.95.48"],
+      "germanywestcentral" : ["51.116.75.88", "20.52.95.48"],
+      "centralindia" : ["20.192.168.150", "20.192.153.104"],
+      "southindia" : ["20.192.168.150", "20.192.153.104"],
+      "westindia" : ["20.192.168.150", "20.192.153.104"],
+      "japaneast" : ["20.43.70.205", "20.189.228.222"],
+      "japanwest" : ["20.43.70.205", "20.189.228.222"],
+      "koreacentral" : ["20.200.196.96", "52.147.119.29"],
+      "koreasouth" : ["20.200.196.96", "52.147.119.29"],
+      "norwaywest" : ["20.100.1.184", "51.13.138.76"],
+      "norwayeast" : ["20.100.1.184", "51.13.138.76"],
+      "switzerlandnorth" : ["20.208.4.98", "51.107.251.190"],
+      "switzerlandwest" : ["20.208.4.98", "51.107.251.190"],
+      "uaecentral" : ["20.45.95.66", "20.38.141.5"],
+      "uaenorth" : ["20.45.95.66", "20.38.141.5"],
+      "uksouth" : ["20.90.132.144", "20.58.68.62"],
+      "ukwest" : ["20.90.132.144", "20.58.68.62"],
+      "swedencentral" : ["51.12.72.223", "51.12.22.174"],
+      "swedensouth" : ["51.12.72.223", "51.12.22.174"],
+      "centralus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"],
+      "eastus2" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"],
+      "eastus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"],
+      "northcentralus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"],
+      "southcentralus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"],
+      "westus2" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"],
+      "westus3" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"],
+      "westcentralus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"],
+      "westus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"],
+      "eastus2euap" : ["20.45.242.18", "20.51.21.252"],
+      "centraluseuap" : ["20.45.242.18", "20.51.21.252"]},
+    "serialConsoleIps": "[if(contains(variables('serialConsoleGeographies'),variables('location')),variables('serialConsoleGeographies')[variables('location')],createArray())]",
+    "storageAccountIps" : "[concat(variables('SerialConsoleIps'),parameters('storageAccountAdditionalIps'))]",
     "isBlink": true,
     "subnet1Name": "[parameters('subnet1Name')]",
     "storageAccountName": "[concat('bootdiag', uniqueString(variables('resourceGroup').id, deployment().name))]",
     "storageAccountType": "Standard_LRS",
+    "diskSize100GB": 100,
+    "additionalDiskSizeGB": "[if(contains('R8040 R81 R8110 R8120', variables('osVersion')), 0, parameters('additionalDiskSizeGB'))]",
+    "diskSizeGB": "[add(variables('additionalDiskSizeGB'), variables('diskSize100GB'))]",
     "customData": "[concat('#!/usr/bin/python3 /etc/cloud_config.py\n', '\n', 'installationType=\"', variables('installationType'), '\"', '\n', 'allowUploadDownload=\"', variables('allowUploadDownload'), '\"', '\n', 'osVersion=\"', variables('osVersion'), '\"', '\n', 'templateName=\"', variables('templateName'), '\"', '\n', 'isBlink=\"', variables('isBlink'), '\"', '\n', 'templateVersion=\"', variables('templateVersion'), '\"', '\n', 'bootstrapScript64=\"', variables('bootstrapScript64'), '\"', '\n', 'location=\"', variables('location'), '\"', '\n', 'sicKey=\"', variables('sicKey'), '\"', '\n', 'customMetrics=\"', variables('customMetrics'), '\"', '\n', 'adminShell=\"', parameters('adminShell'), '\"', '\n', 'MaintenanceModePassword=\"', parameters('MaintenanceModePasswordHash'), '\"', '\n', 'passwordHash=\"', parameters('SerialConsolePasswordHash'), '\"', '\n')]",
     "imageOffer": "[concat('check-point-cg-', toLower(variables('osVersion')))]",
     "imagePublisher": "checkpoint",
@@ -544,7 +617,8 @@
       "japaneast",
       "koreacentral",
       "southeastasia",
-      "eastasia"
+      "eastasia",
+      "italynorth"
     ],
     "availabilityZonesProperty": "[range(1, parameters('availabilityZonesNum'))]",
     "mgmtInterface": "[if(equals(parameters('instanceLevelPublicIP'), 'yes'), parameters('mgmtInterfaceOpt1'), 'eth0-private')]",
@@ -571,7 +645,7 @@
   "resources": [
     {
       "apiVersion": "2020-06-01",
-      "name": "pid-6f13b00a-7546-4ab2-be9f-c66815cc6c8b-partnercenter",
+      "name": "pid-5432b4df-d783-57a2-b65f-39f4bca4974a",
       "type": "Microsoft.Resources/deployments",
       "properties": {
         "mode": "Incremental",
@@ -749,7 +823,12 @@
       "properties": {
         "supportsHttpsTrafficOnly": true,
         "allowBlobPublicAccess": false,
-        "minimumTlsVersion": "TLS1_2"
+        "minimumTlsVersion": "TLS1_2",
+        "networkAcls": {
+          "bypass": "None",
+          "defaultAction": "[if(parameters('addStorageAccountIpRules'), 'Deny', 'Allow')]",
+          "ipRules": "[if(parameters('addStorageAccountIpRules'), map(variables('storageAccountIps'), lambda('ip',createObject('action','Allow','value',lambdaVariables('ip')))), createArray())]"
+        }
       },
       "location": "[variables('location')]",
       "sku": {
@@ -805,6 +884,7 @@
           "UserData": "[base64(concat(variables('customData'), '\n', 'vnet=\"', if(equals(parameters('vnetNewOrExisting'), 'new'), reference('networkNewSetup').outputs.vnetAddressPrefix.value, reference('networkExistingSetup').outputs.vnetAddressPrefix.value), '\"', '\n' ))]",
           "storageProfile": {
             "osDisk": {
+              "diskSizeGB": "[variables('diskSizeGB')]",
               "caching": "ReadWrite",
               "createOption": "FromImage",
               "managedDisk": {
@@ -826,9 +906,9 @@
                 "name": "eth0",
                 "properties": {
                   "primary": true,
-                  "enableIPForwarding": false,
+                  "enableIPForwarding": true,
                   "enableAcceleratedNetworking": true,
-                  "networkSecurityGroup": "[if(parameters('deployNewNSG') , variables('NewNsgReference') , parameters('ExistingNSG'))]",
+                  "networkSecurityGroup":"[if(parameters('deployNewNSG') , variables('NewNsgReference') , parameters('ExistingNSG'))]",
                   "ipConfigurations": [
                     {
                       "name": "ipconfig1",

diff --git a/azure/templates/marketplace-ha/createUiDefinition.json b/azure/templates/marketplace-ha/createUiDefinition.json
@@ -1632,7 +1632,7 @@
             "label": "Availability options",
             "defaultValue": "Availability Set",
             "toolTip": "Use replicated Cluster VMs in Availability Set or Availability Zones. Note that the load balancers and their IP addresses will be zone redundant in any case.",
-            "visible": "[contains(' australiaeast brazilsouth canadacentral centralus eastasia eastus eastus2 francecentral germanywestcentral japaneast koreacentral northeurope norwayeast southafricanorth southcentralus southeastasia swedencentral uksouth usgovvirginia westeurope westus2 westus3 switzerlandnorth qatarcentral centralindia uaenorth ', concat(' ', location(), ' '))]",
+            "visible": "[contains(' australiaeast brazilsouth canadacentral centralus eastasia eastus eastus2 francecentral germanywestcentral japaneast koreacentral northeurope norwayeast southafricanorth southcentralus southeastasia swedencentral uksouth usgovvirginia westeurope westus2 westus3 switzerlandnorth qatarcentral centralindia uaenorth italynorth \\ ', concat(' ', location(), ' '))]",
             "constraints": {
               "allowedValues": [
                 {
@@ -1738,7 +1738,7 @@
             "type": "Microsoft.Common.TextBox",
             "label": "Additional disk space (GB)",
             "defaultValue": "0",
-            "toolTip": "Additional disk space (in GB), Initial disk size is 100 GB.",
+            "toolTip": "Additional disk space (in GB), initial disk size is 100 GB.",
             "constraints": {
               "regex": "^([0-9]|[1-9][0-9]|[1-9][0-9][0-9]|[1-2][0-9][0-9][0-9]|3[0-8][0-9][0-9]|399[0-5])$",
               "validationMessage": "Select a number between 0 and 3995"
@@ -2241,6 +2241,27 @@
               "validationMessage": "Only alphanumeric characters are allowed, and the name must be 1-30 characters long."
             },
             "visible": "[steps('network').NSG]"
+          },
+          {
+            "name": "addStorageAccountIpRules",
+            "type": "Microsoft.Common.OptionsGroup",
+            "defaultValue": "Network access from all networks",
+            "label": "Storage Account Network Access",
+            "toolTip": "Select your preferred network access to the Storage Account, for more information - https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/serial-console-linux#serial-console-security",
+            "constraints": {
+              "allowedValues": [
+                {
+                  "label": "Network access from all networks",
+                  "value": false
+                },
+                {
+                  "label": "Network access only from Serial Console",
+                  "value": true
+                }
+              ],
+              "required": true
+            },
+            "visible": true
           }
         ]
       },
@@ -2305,6 +2326,7 @@
       "deployNewNSG": "[steps('network').NSG]",
       "ExistingNSG": "[steps('network').nsgSelector]",
       "NewNsgName": "[steps('network').NSGName]",
+      "addStorageAccountIpRules":"[steps('network').addStorageAccountIpRules]",
       "VipsNumber": "[int(steps('network').Vips_Number)]",
       "VipNames": "[concat(steps('network').VIP_Names.VIP2_Name, ',', steps('network').VIP_Names.VIP3_Name, ',', steps('network').VIP_Names.VIP4_Name, ',', steps('network').VIP_Names.VIP5_Name, ',', steps('network').VIP_Names.VIP6_Name, ',', steps('network').VIP_Names.VIP7_Name, ',', steps('network').VIP_Names.VIP8_Name, ',', steps('network').VIP_Names.VIP9_Name, ',', steps('network').VIP_Names.VIP10_Name)]",
       "SerialConsolePasswordHash": "[steps('chkp').AdditionalPassword]",