From 6c139b8f4db711fca89962818081d0cef802005e Mon Sep 17 00:00:00 2001 From: yairra Date: Thu, 20 Jun 2024 12:43:12 +0300 Subject: [PATCH] Updated README --- .../marketplace-ha/createUiDefinition.json | 2 +- azure/templates/single-ipv6/mainTemplate.json | 4 +- azure/templates/vmss-ipv6/mainTemplate.json | 5 +- terraform/azure/modules/add-routing-intent.py | 29 +++ .../azure/nva-into-existing-hub/README.md | 4 +- terraform/azure/nva-into-new-vwan/README.md | 2 +- terraform/azure/vmss-existing-vnet/README.md | 173 +++++++++--------- .../azure/vmss-existing-vnet/variables.tf | 5 +- 8 files changed, 126 insertions(+), 98 deletions(-) create mode 100755 terraform/azure/modules/add-routing-intent.py diff --git a/azure/templates/marketplace-ha/createUiDefinition.json b/azure/templates/marketplace-ha/createUiDefinition.json index 6cb71b1e..76eaa532 100644 --- a/azure/templates/marketplace-ha/createUiDefinition.json +++ b/azure/templates/marketplace-ha/createUiDefinition.json 
@@ -1632,7 +1632,7 @@ "label": "Availability options", "defaultValue": "Availability Set", "toolTip": "Use replicated Cluster VMs in Availability Set or Availability Zones. Note that the load balancers and their IP addresses will be zone redundant in any case.", - "visible": "[contains(' australiaeast brazilsouth canadacentral centralus eastasia eastus eastus2 francecentral germanywestcentral japaneast koreacentral northeurope norwayeast southafricanorth southcentralus southeastasia swedencentral uksouth usgovvirginia westeurope westus2 westus3 switzerlandnorth qatarcentral centralindia uaenorth italynorth \\ ', concat(' ', location(), ' '))]", + "visible": "[contains(' australiaeast brazilsouth canadacentral centralus eastasia eastus eastus2 francecentral germanywestcentral japaneast koreacentral northeurope norwayeast southafricanorth southcentralus southeastasia swedencentral uksouth usgovvirginia westeurope westus2 westus3 switzerlandnorth qatarcentral centralindia uaenorth italynorth ', concat(' ', location(), ' '))]", "constraints": { "allowedValues": [ { diff --git a/azure/templates/single-ipv6/mainTemplate.json b/azure/templates/single-ipv6/mainTemplate.json index acdd6dc7..7679d2a9 100755 --- a/azure/templates/single-ipv6/mainTemplate.json +++ b/azure/templates/single-ipv6/mainTemplate.json @@ -667,8 +667,8 @@ "properties": { "dhcpOptions": { "dnsServers": [ - "cafe:43:: ", - "cafe:45:: " + "cafe:43::", + "cafe:45::" ] }, "addressSpace": { diff --git a/azure/templates/vmss-ipv6/mainTemplate.json b/azure/templates/vmss-ipv6/mainTemplate.json index fe20dc6c..5821a075 100755 --- a/azure/templates/vmss-ipv6/mainTemplate.json +++ b/azure/templates/vmss-ipv6/mainTemplate.json @@ -872,8 +872,8 @@ "properties": { "dhcpOptions": { "dnsServers": [ - "cafe:43:: ", - "cafe:45:: " + "cafe:43::", + "cafe:45::" ] }, "addressSpace": { 
@@ -1003,7 +1003,6 @@ }, "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Compute/images'), parameters('tagsByResource')['Microsoft.Compute/images'], json('{}')) ]" }, - { "type": "Microsoft.Network/networkSecurityGroups", "condition": "[and(parameters('deployNewNSG'),equals(parameters('vnetNewOrExisting'), 'new'))]", diff --git a/terraform/azure/modules/add-routing-intent.py b/terraform/azure/modules/add-routing-intent.py new file mode 100755 index 00000000..87437061 --- /dev/null +++ b/terraform/azure/modules/add-routing-intent.py @@ -0,0 +1,29 @@ +import json +import requests +import sys + + +def perform_put_request(url, data, headers=None): + """ + This function perform the PUT request to Azure in order to edit the vWAN Hub Routing-Intent + """ + result = {"status": "success", "message": ""} + try: + response = requests.put(url, json=data, headers=headers) + result["message"] = response.text + except Exception as e: + result["status"] = "error" + result["message"] = f"An error occurred: {str(e)}" + return result + + +if __name__ == "__main__": + """ + This script receives url, body, and authorization token as arguments and set vWAN Hub Routing-Intent + """ + api_url = sys.argv[1] + api_data = eval(sys.argv[2]) + auth_token = sys.argv[3] + api_headers = {"Authorization": f'Bearer {auth_token}'} + result = perform_put_request(api_url, api_data, api_headers) + print(json.dumps(result)) diff --git a/terraform/azure/nva-into-existing-hub/README.md b/terraform/azure/nva-into-existing-hub/README.md index 253cce89..bf778364 100755 --- a/terraform/azure/nva-into-existing-hub/README.md +++ b/terraform/azure/nva-into-existing-hub/README.md 
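Review bot: `api_data = eval(sys.argv[2])` executes the second command-line argument as Python code; the body is a JSON document for the Azure PUT, so it should be parsed with `json.loads(sys.argv[2])` (or `ast.literal_eval` if the Terraform side really passes Python-literal syntax — presumably not). In perform_put_request a 4xx/5xx reply from Azure is still reported as `"status": "success"` because the response code is never examined, and the `requests.put` call has no `timeout`, so a stalled connection blocks the apply indefinitely; narrowing `except Exception` to `requests.RequestException` also keeps genuine bugs visible instead of serialising them into the JSON result. The bearer token is read from `sys.argv[3]`, which is visible in the process list to other local users for the lifetime of the script; an environment variable or stdin would be the safer channel, though that requires changing the Terraform caller as well. The triple-quoted string under `if __name__ == "__main__":` is a bare expression, not a docstring, and should be a `#` comment. Rewritten function below; the timeout value is a placeholder to align with the caller's deadline.
```python
def perform_put_request(url, data, headers=None, timeout=60):
    """
    PUT `data` as JSON to `url` (vWAN Hub Routing-Intent update).

    Returns {"status": "success"|"error", "message": <response text or error>}.
    A non-2xx reply from Azure is reported as an error, not a success.
    """
    result = {"status": "success", "message": ""}
    try:
        # timeout is a placeholder value; align it with the caller's deadline
        response = requests.put(url, json=data, headers=headers, timeout=timeout)
        result["message"] = response.text
        if not response.ok:
            result["status"] = "error"
    except requests.RequestException as e:
        result["status"] = "error"
        result["message"] = f"An error occurred: {e}"
    return result

# … unchanged: __main__ argument handling, except the body parse …
    api_data = json.loads(sys.argv[2])
```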
@@ -1,6 +1,6 @@ # Check Point CloudGuard Network Security Virtual WAN Terraform deployment for Azure -This Terraform module deploys Check Point CloudGuard Network Security vWAN NVA solution into an existing vWAN Hub in Azure. +This Terraform module deploys Check Point CloudGuard Network Security Virtual WAN NVA solution into an existing vWAN Hub in Azure. As part of the deployment the following resources are created: - Resource groups - Azure Managed Application: @@ -77,7 +77,7 @@ please see the [CloudGuard Network for Azure Virtual WAN Deployment Guide](https | | | | | | | **vwan-hub-name** | The name of the virtual WAN hub that will be created | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens | n/a | | | | | | | - | **vwan-hub-resource-group** | The vWAN hub resource group name | string | | n/a | + | **vwan-hub-resource-group** | The virtual WAN hub resource group name | string | | n/a | | | | | | | | **managed-app-name** | The name of the managed application that will be created | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens | "tf-vwan-managed-app-nva" | | | | | | | diff --git a/terraform/azure/nva-into-new-vwan/README.md b/terraform/azure/nva-into-new-vwan/README.md index c7f06c09..0ef61fa3 100755 --- a/terraform/azure/nva-into-new-vwan/README.md +++ b/terraform/azure/nva-into-new-vwan/README.md 
@@ -1,6 +1,6 @@ # Check Point CloudGuard Network Security Virtual WAN Terraform deployment for Azure -This Terraform module deploys Check Point CloudGuard Network Security vWAN NVA solution into a new vWAN Hub in Azure. +This Terraform module deploys Check Point CloudGuard Network Security Virtual WAN NVA solution into a new vWAN Hub in Azure. As part of the deployment the following resources are created: - Resource groups - Virtual WAN diff --git a/terraform/azure/vmss-existing-vnet/README.md b/terraform/azure/vmss-existing-vnet/README.md index 2a686911..3be7f0c5 100755 --- a/terraform/azure/vmss-existing-vnet/README.md +++ b/terraform/azure/vmss-existing-vnet/README.md @@ -71,91 +71,91 @@ This solution uses the following modules: terraform apply ### terraform.tfvars variables: - | Name | Description | Type | Allowed values | Default | - | ------------- | ------------- | ------------- | ------------- | ------------- | - | **client_secret** | The client secret of the Service Principal used to deploy the solution | string | | n/a - | | | | | | - | **client_id** | The client ID of the Service Principal used to deploy the solution | string | | n/a - | | | | | | - | **tenant_id** | The tenant ID of the Service Principal used to deploy the solution | string | | n/a - | | | | | | - | **subscription_id** | The subscription ID is used to pay for Azure cloud services | string | | n/a - | | | | | | - | **source_image_vhd_uri** | The URI of the blob containing the development image. Please use noCustomUri if you want to use marketplace images | string | | "noCustomUri" - | | | | | | - | **resource_group_name** | The name of the resource group that will contain the contents of the deployment | string | Resource group names only allow alphanumeric characters, periods, underscores, hyphens and parenthesis and cannot end in a period
Note: Resource group name must not contain reserved words based on: sk40179| n/a - | | | | | | - | **location** | The region where the resources will be deployed at | string | The full list of Azure regions can be found at https://azure.microsoft.com/regions | n/a - | | | | | | - | **vmss_name** | The name of the Check Point VMSS Object | string | Only alphanumeric characters are allowed, and the name must be 1-30 characters long
Note: vmss_name name must not contain reserved words based on: sk40179 | n/a - | | | | | | - | **vnet_name** | Virtual Network name | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens | n/a - | | | | | | - | **vnet_resource_group** | Resource Group of the existing virtual network | string | The exact name of the existing vnet's resource group | n/a - | | | | | | - | **frontend_subnet_name** | Specifies the name of the external subnet | string | The exact name of the existing external subnet | n/a - | | | | | | - | **backend_subnet_name** | Specifies the name of the internal subnet | string | The exact name of the existing internal subnet | n/a - | | | | | | - | **backend_lb_IP_address** | Is a whole number that can be represented as a binary integer with no more than the number of digits remaining in the address after the given prefix| string | Starting from 5-th IP address in a subnet. 
For example: subnet - 10.0.1.0/24, backend_lb_IP_address = 4 , the LB IP is 10.0.1.4 | n/a - | | | | | | - | **admin_password** | The password associated with the local administrator account on each cluster member | string | Password must have 3 of the following: 1 lower case character, 1 upper case character, 1 number, and 1 special character | n/a - | | | | | | - | **sic_key** | The Secure Internal Communication one time secret used to set up trust between the cluster object and the management server | string | Only alphanumeric characters are allowed, and the value must be 12-30 characters long | n/a - | | | | | | - | **vm_size** | Specifies the size of Virtual Machine | string | "Standard_DS2_v2", "Standard_DS3_v2", "Standard_DS4_v2", "Standard_DS5_v2", "Standard_F2s", "Standard_F4s", "Standard_F8s", "Standard_F16s", "Standard_D4s_v3", "Standard_D8s_v3", "Standard_D16s_v3", "Standard_D32s_v3", "Standard_D64s_v3", "Standard_E4s_v3", "Standard_E8s_v3", "Standard_E16s_v3", "Standard_E20s_v3", "Standard_E32s_v3", "Standard_E64s_v3", "Standard_E64is_v3", "Standard_F4s_v2", "Standard_F8s_v2", "Standard_F16s_v2", "Standard_F32s_v2", "Standard_F64s_v2", "Standard_M8ms", "Standard_M16ms", "Standard_M32ms", "Standard_M64ms", "Standard_M64s", "Standard_D2_v2", "Standard_D3_v2", "Standard_D4_v2", "Standard_D5_v2", "Standard_D11_v2", "Standard_D12_v2", "Standard_D13_v2", "Standard_D14_v2", "Standard_D15_v2", "Standard_F2", "Standard_F4", "Standard_F8", "Standard_F16", "Standard_D4_v3", "Standard_D8_v3", "Standard_D16_v3", "Standard_D32_v3", "Standard_D64_v3", "Standard_E4_v3", "Standard_E8_v3", "Standard_E16_v3", "Standard_E20_v3", "Standard_E32_v3", "Standard_E64_v3", "Standard_E64i_v3", "Standard_DS11_v2", "Standard_DS12_v2", "Standard_DS13_v2", "Standard_DS14_v2", "Standard_DS15_v2", "Standard_D2_v5", "Standard_D4_v5", "Standard_D8_v5", "Standard_D16_v5","Standard_D32_v5", "Standard_D2s_v5", "Standard_D4s_v5", "Standard_D8s_v5", "Standard_D16s_v5", "Standard_D2d_v5", 
"Standard_D4d_v5", "Standard_D8d_v5", "Standard_D16d_v5", "Standard_D32d_v5", "Standard_D2ds_v5", "Standard_D4ds_v5", "Standard_D8ds_v5", "Standard_D16ds_v5", "Standard_D32ds_v5" | n/a - | | | | | | - | **disk_size** | Storage data disk size size(GB) must be 100 for versions R81.20 and below | string | A number in the range 100 - 3995 (GB) | 100 - | | | | | | - | **vm_os_sku** | A sku of the image to be deployed | string | "sg-byol" - BYOL license;
"sg-ngtp" - NGTP PAYG license;
"sg-ngtx" - NGTX PAYG license; | n/a - | | | | | | - | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r8040";
"check-point-cg-r81";
"check-point-cg-r8110";
"check-point-cg-r8120"; | n/a - | | | | | | - | **os_version** | GAIA OS version | string | "R8040";
"R81";
"R8110";
"R8120"; | n/a - | | | | | | - | **bootstrap_script** | An optional script to run on the initial boot | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
The script will create bootstrap.txt file in the /home/admin/ and add 'hello word' string into it | n/a - | | | | | | - | **allow_upload_download** | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | boolean | true;
false; | n/a - | | | | | | - | **authentication_type** | Specifies whether a password authentication or SSH Public Key authentication should be used | string | "Password";
"SSH Public Key"; | n/a - | | | | | | - | **availability_zones_num** | A list of a single item of the Availability Zone which the Virtual Machine should be allocated in | string | "centralus", "eastus2", "francecentral", "northeurope", "southeastasia", "westeurope", "westus2", "eastus", "uksouth" | n/a - | | | | | | - | **minimum_number_of_vm_instances** | The minimum number of VMSS instances for this resource | number | Valid values are in the range 0 - 10 | n/a - | | | | | | - | **maximum_number_of_vm_instances** | The maximum number of VMSS instances for this resource | number | Valid values are in the range 0 - 10 | n/a - | | | | | | - | **management_name** | The name of the management server as it appears in the configuration file | string | Field cannot be empty. Only alphanumeric characters or '_'/'-' are allowed, and the name must be 1-30 characters long | n/a - | | | | | | - | **management_IP** | The IP address used to manage the VMSS instances | string | A valid IP address | n/a - | | | | | | - | **management_interface** | Management option for the Gateways in the VMSS | string | "eth0-public" - Manages the GWs using their external NIC's public IP address;
"eth0-private" -Manages the GWs using their external NIC's private IP address;
"eth1-private" - Manages the GWs using their internal NIC's private IP address | "eth1-private" - | | | | | | - | **configuration_template_name** | The configuration template name as it appears in the configuration file | string | Field cannot be empty. Only alphanumeric characters or '_'/'-' are allowed, and the name must be 1-30 characters long | n/a - | | | | | | - | **frontend_load_distribution** | The load balancing distribution method for the External Load Balancer | string | "Default" - None(5-tuple);
"SourceIP" - ClientIP(2-tuple);
"SourceIPProtocol" - ClientIP and protocol(3-tuple) | n/a - | | | | | | - | **backend_load_distribution** | The load balancing distribution method for the Internal Load Balancer | string | "Default" - None(5-tuple);
"SourceIP" - ClientIP(2-tuple);
"SourceIPProtocol" - ClientIP and protocol(3-tuple) | n/a - | | | | | | - | **notification_email** | An email address to notify about scaling operations | string | Leave empty double quotes or enter a valid email address | n/a - | | | | | | - | **enable_custom_metrics** | Indicates whether Custom Metrics will be used for VMSS Scaling policy and VM monitoring | boolean | true;
false; | true - | | | | | | - | **enable_floating_ip** | Indicates whether the load balancers will be deployed with floating IP | boolean | true;
false; | false - | | | | | | - | **deployment_mode** | Indicates which load balancer need to be deployed. External + Internal(Standard), only External, only Internal | string | Standard ;
External;
Internal; | "Standard" - | | | | | | - | **admin_shell** | Enables to select different admin shells | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh; | "/etc/cli.sh" - | | | | | | - | **serial_console_password_hash** | Optional parameter, used to enable serial console connection in case of SSH key as authentication type, to generate password hash use the command 'openssl passwd -6 PASSWORD' on Linux and paste it here | string | | n/a - | | | | | | - | **maintenance_mode_password_hash** | Maintenance mode password hash, relevant only for R81.20 and higher versions, to generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here | string | | n/a - | | | | | | - | **nsg_id** | Optional ID for a Network Security Group that already exists in Azure, if not provided, will create a default NSG | string | Existing NSG resource ID | "" - | | | | | | - | **add_storage_account_ip_rules** | Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location, if false then accses will be allowed from all networks | boolean | true;
false; | false - | | | | | | - | **storage_account_additional_ips** | IPs/CIDRs that are allowed access to the Storage Account | list(string) | A list of valid IPs and CIDRs | [] + | Name | Description | Type | Allowed values | Default | + | ------------- |-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| ------------- | ------------- | ------------- | + | **client_secret** | The client secret of the Service Principal used to deploy the solution | string | | n/a + | | | | | | + | **client_id** | The client ID of the Service Principal used to deploy the solution | string | | n/a + | | | | | | + | **tenant_id** | The tenant ID of the Service Principal used to deploy the solution | string | | n/a + | | | | | | + | **subscription_id** | The subsscription ID is used to pay for Azure cloud services | string | | n/a + | | | | | | + | **source_image_vhd_uri** | The URI of the blob containing the development image. Please use noCustomUri if you want to use marketplace images | string | | "noCustomUri" + | | | | | | + | **resource_group_name** | The name of the resource group that will contain the contents of the deployment | string | Resource group names only allow alphanumeric characters, periods, underscores, hyphens and parenthesis and cannot end in a period
Note: Resource group name must not contain reserved words based on: sk40179| n/a + | | | | | | + | **location** | The region where the resources will be deployed at | string | The full list of Azure regions can be found at https://azure.microsoft.com/regions | n/a + | | | | | | + | **vmss_name** | The name of the Check Point VMSS Object | string | Only alphanumeric characters are allowed, and the name must be 1-30 characters long
Note: vmss_name name must not contain reserved words based on: sk40179 | n/a + | | | | | | + | **vnet_name** | Virtual Network name | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens | n/a + | | | | | | + | **vnet_resource_group** | Resource Group of the existing virtual network | string | The exact name of the existing vnet's resource group | n/a + | | | | | | + | **frontend_subnet_name** | Specifies the name of the external subnet | string | The exact name of the existing external subnet | n/a + | | | | | | + | **backend_subnet_name** | Specifies the name of the internal subnet | string | The exact name of the existing internal subnet | n/a + | | | | | | + | **backend_lb_IP_address** | Is a whole number that can be represented as a binary integer with no more than the number of digits remaining in the address after the given prefix | string | Starting from 5-th IP address in a subnet. 
For example: subnet - 10.0.1.0/24, backend_lb_IP_address = 4 , the LB IP is 10.0.1.4 | n/a + | | | | | | + | **admin_password** | The password associated with the local administrator account on each cluster member | string | Password must have 3 of the following: 1 lower case character, 1 upper case character, 1 number, and 1 special character | n/a + | | | | | | + | **sic_key** | The Secure Internal Communication one time secret used to set up trust between the cluster object and the management server | string | Only alphanumeric characters are allowed, and the value must be 12-30 characters long | n/a + | | | | | | + | **vm_size** | Specifies the size of Virtual Machine | string | "Standard_DS2_v2", "Standard_DS3_v2", "Standard_DS4_v2", "Standard_DS5_v2", "Standard_F2s", "Standard_F4s", "Standard_F8s", "Standard_F16s", "Standard_D4s_v3", "Standard_D8s_v3", "Standard_D16s_v3", "Standard_D32s_v3", "Standard_D64s_v3", "Standard_E4s_v3", "Standard_E8s_v3", "Standard_E16s_v3", "Standard_E20s_v3", "Standard_E32s_v3", "Standard_E64s_v3", "Standard_E64is_v3", "Standard_F4s_v2", "Standard_F8s_v2", "Standard_F16s_v2", "Standard_F32s_v2", "Standard_F64s_v2", "Standard_M8ms", "Standard_M16ms", "Standard_M32ms", "Standard_M64ms", "Standard_M64s", "Standard_D2_v2", "Standard_D3_v2", "Standard_D4_v2", "Standard_D5_v2", "Standard_D11_v2", "Standard_D12_v2", "Standard_D13_v2", "Standard_D14_v2", "Standard_D15_v2", "Standard_F2", "Standard_F4", "Standard_F8", "Standard_F16", "Standard_D4_v3", "Standard_D8_v3", "Standard_D16_v3", "Standard_D32_v3", "Standard_D64_v3", "Standard_E4_v3", "Standard_E8_v3", "Standard_E16_v3", "Standard_E20_v3", "Standard_E32_v3", "Standard_E64_v3", "Standard_E64i_v3", "Standard_DS11_v2", "Standard_DS12_v2", "Standard_DS13_v2", "Standard_DS14_v2", "Standard_DS15_v2", "Standard_D2_v5", "Standard_D4_v5", "Standard_D8_v5", "Standard_D16_v5","Standard_D32_v5", "Standard_D2s_v5", "Standard_D4s_v5", "Standard_D8s_v5", "Standard_D16s_v5", "Standard_D2d_v5", 
"Standard_D4d_v5", "Standard_D8d_v5", "Standard_D16d_v5", "Standard_D32d_v5", "Standard_D2ds_v5", "Standard_D4ds_v5", "Standard_D8ds_v5", "Standard_D16ds_v5", "Standard_D32ds_v5" | n/a + | | | | | | + | **disk_size** | Storage data disk size size(GB) must be 100 for versions R81.20 and below | string | A number in the range 100 - 3995 (GB) | 100 + | | | | | | + | **vm_os_sku** | A sku of the image to be deployed | string | "sg-byol" - BYOL license;
"sg-ngtp" - NGTP PAYG license;
"sg-ngtx" - NGTX PAYG license; | n/a + | | | | | | + | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r8040";
"check-point-cg-r81";
"check-point-cg-r8110";
"check-point-cg-r8120"; | n/a + | | | | | | + | **os_version** | GAIA OS version | string | "R8040";
"R81";
"R8110";
"R8120"; | n/a + | | | | | | + | **bootstrap_script** | An optional script to run on the initial boot | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
The script will create bootstrap.txt file in the /home/admin/ and add 'hello word' string into it | n/a + | | | | | | + | **allow_upload_download** | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | boolean | true;
false; | n/a + | | | | | | + | **authentication_type** | Specifies whether a password authentication or SSH Public Key authentication should be used | string | "Password";
"SSH Public Key"; | n/a + | | | | | | + | **availability_zones_num** | A list of a single item of the Availability Zone which the Virtual Machine should be allocated in | string | "centralus", "eastus2", "francecentral", "northeurope", "southeastasia", "westeurope", "westus2", "eastus", "uksouth" | n/a + | | | | | | + | **minimum_number_of_vm_instances** | The minimum number of VMSS instances for this resource | number | Valid values are in the range 0 - 10 | n/a + | | | | | | + | **maximum_number_of_vm_instances** | The maximum number of VMSS instances for this resource | number | Valid values are in the range 0 - 10 | n/a + | | | | | | + | **management_name** | The name of the management server as it appears in the configuration file | string | Field cannot be empty. Only alphanumeric characters or '_'/'-' are allowed, and the name must be 1-30 characters long | n/a + | | | | | | + | **management_IP** | The IP address used to manage the VMSS instances | string | A valid IP address | n/a + | | | | | | + | **management_interface** | Management option for the Gateways in the VMSS | string | "eth0-public" - Manages the GWs using their external NIC's public IP address;
"eth0-private" -Manages the GWs using their external NIC's private IP address;
"eth1-private" - Manages the GWs using their internal NIC's private IP address | "eth1-private" + | | | | | | + | **configuration_template_name** | The configuration template name as it appears in the configuration file | string | Field cannot be empty. Only alphanumeric characters or '_'/'-' are allowed, and the name must be 1-30 characters long | n/a + | | | | | | + | **frontend_load_distribution** | The load balancing distribution method for the External Load Balancer | string | "Default" - None(5-tuple);
"SourceIP" - ClientIP(2-tuple);
"SourceIPProtocol" - ClientIP and protocol(3-tuple) | n/a + | | | | | | + | **backend_load_distribution** | The load balancing distribution method for the Internal Load Balancer | string | "Default" - None(5-tuple);
"SourceIP" - ClientIP(2-tuple);
"SourceIPProtocol" - ClientIP and protocol(3-tuple) | n/a + | | | | | | + | **notification_email** | An email address to notify about scaling operations | string | Leave empty double quotes or enter a valid email address | n/a + | | | | | | + | **enable_custom_metrics** | Indicates whether Custom Metrics will be used for VMSS Scaling policy and VM monitoring | boolean | true;
false; | true + | | | | | | + | **enable_floating_ip** | Indicates whether the load balancers will be deployed with floating IP | boolean | true;
false; | false + | | | | | | + | **deployment_mode** | Indicates which load balancer need to be deployed. External + Internal(Standard), only External, only Internal | string | Standard ;
External;
Internal; | "Standard" + | | | | | | + | **admin_shell** | Enables to select different admin shells | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh; | "/etc/cli.sh" + | | | | | | + | **serial_console_password_hash** | Optional parameter, used to enable serial console connection in case of SSH key as authentication type, to generate password hash use the command 'openssl passwd -6 PASSWORD' on Linux and paste it here | string | | n/a + | | | | | | + | **maintenance_mode_password_hash** | Maintenance mode password hash, relevant only for R81.20 and higher versions, to generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here | string | | n/a + | | | | | | + | **nsg_id** | Optional ID for a Network Security Group that already exists in Azure, if not provided, will create a default NSG | string | Existing NSG resource ID | "" + | | | | | | + | **add_storage_account_ip_rules** | Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location, if false then accses will be allowed from all networks | boolean | true;
false; | false + | | | | | | + | **storage_account_additional_ips** | IPs/CIDRs that are allowed access to the Storage Account | list(string) | A list of valid IPs and CIDRs | [] ## Conditional creation To create role assignment and enable CloudGuard metrics in order to send statuses and statistics collected from VMSS instances to the Azure Monitor service: @@ -215,9 +215,6 @@ enable_custom_metrics = true ## Known limitations -1. Deploy the VMSS with External load balancer only (Inbound inspection only) is not supported -2. Deploy the VMSS with Internal load balancer only (Outbound and E-W inspection only) is not supported - ## Revision History In order to check the template version refer to the [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) diff --git a/terraform/azure/vmss-existing-vnet/variables.tf b/terraform/azure/vmss-existing-vnet/variables.tf index 647ddbef..9ef598a3 100755 --- a/terraform/azure/vmss-existing-vnet/variables.tf +++ b/terraform/azure/vmss-existing-vnet/variables.tf @@ -243,7 +243,10 @@ variable "storage_account_additional_ips" { type = list(string) description = "IPs/CIDRs that are allowed access to the Storage Account" default = [] -}//********************* Load Balancers Variables **********************// +} + +//********************* Load Balancers Variables **********************// + variable "deployment_mode" { description = "The type of the deployment, can be 'Standard' for both load balancers or 'External' for external load balancer or 'Internal for internal load balancer" type = string