azfw-afd.azcli

############################################################################
# Created by Jose Moreno
# April 2020
#
# The script creates AzFW and AppGW, plus some VMs for testing:
#
############################################################################

# Variables
rg=azfwafd
location=eastus
vnet_name=azfw
vnet_prefix=192.168.0.0/16
vm_name=testvmlinux
vm_pip_name=testvmlinux-pip
nva_size=Standard_B2ms   # A bit of a larger VM is required for the AFD probes
vm_subnet_name=vm
vm_subnet_prefix=192.168.1.0/24
vm_cloudinit_filename=/tmp/cloudinit-whoami.txt
vm_cloudinit_url=https://raw.githubusercontent.com/erjosito/azcli/master/cloudinit-whoami.txt
vm_rt_name=vm
vm_nsg_name=vm-nsg
# AzFW
azfw_name=myazfw
azfw_pip_name=myazfw-pip
azfw_subnet_name=AzureFirewallSubnet
azfw_subnet_prefix=192.168.100.0/24
azfw_policy_name=myazfw_policy
# AFD
afd_name=azfwafd


# RG and vnet
az group create -n $rg -l $location
az network vnet create -n $vnet_name -g $rg --address-prefixes $vnet_prefix --subnet-name $azfw_subnet_name --subnet-prefixes $azfw_subnet_prefix
az network vnet subnet create -n $vm_subnet_name --vnet-name $vnet_name -g $rg --address-prefixes $vm_subnet_prefix

# Create Log Analytics workspace
logws_name=$(az monitor log-analytics workspace list -g $rg --query '[].name' -o tsv 2>/dev/null)  # Retrieve the WS name if it already existed
if [[ -z "$logws_name" ]]
then
    logws_name=log$RANDOM
    az monitor log-analytics workspace create -n $logws_name -g $rg
fi
logws_id=$(az resource list -g $rg -n $logws_name --query '[].id' -o tsv)
logws_customerid=$(az monitor log-analytics workspace show -n $logws_name -g $rg --query customerId -o tsv)

# Deploy a Linux VM with a troubleshooting web page
az network public-ip create -g $rg -n $vm_pip_name --sku standard --allocation-method static -l $location
az network nsg create -n $vm_nsg_name -g $rg
az network nsg rule create -n ssh --nsg-name $vm_nsg_name -g $rg --priority 500 --destination-port-ranges 22 --access Allow --protocol Tcp
az network nsg rule create -n web --nsg-name $vm_nsg_name -g $rg --priority 510 --destination-port-ranges 8080 --access Allow --protocol Tcp
az network nsg rule create -n https --nsg-name $vm_nsg_name -g $rg --priority 520 --destination-port-ranges 443 --access Allow --protocol Tcp
az network nsg rule create -n web80 --nsg-name $vm_nsg_name -g $rg --priority 530 --destination-port-ranges 80 --access Allow --protocol Tcp
cat <<EOF > $vm_cloudinit_filename
#cloud-config
runcmd:
  - apt update && apt install -y python3-pip nginx
  - pip3 install flask
  - wget https://raw.githubusercontent.com/erjosito/azcli/master/myip.py -O /root/myip.py
  - python3 /root/myip.py &
EOF
az vm create -n $vm_name -g $rg --image UbuntuLTS --generate-ssh-keys --size $vm_sku \
   --vnet-name $vnet_name --subnet $vm_subnet_name --nsg $vm_nsg_name --public-ip-address $vm_pip_name \
   --custom-data $vm_cloudinit_filename
vm_private_ip=$(az vm show -g $rg -n $vm_name -d --query privateIps -o tsv) && echo $vm_private_ip

# Generate certificates
# Create openssl.cnf
cnf_filename=/tmp/openssl.cnf
rootCA_cert=/tmp/rootCA.crt
rootCA_key=/tmp/rootCA.key
interCA_key=/tmp/interCA.key
interCA_csr=/tmp/interCA.csr
interCA_cert=/tmp/interCA.crt
interCA_pfx=/tmp/interCA.pfx
interCA_base64=/tmp/interCA.pfx.base64
cat <<EOF > $cnf_filename
[ req ]
  default_bits = 4096
  distinguished_name = req_distinguished_name
  string_mask = utf8only
  default_md = sha512

[ req_distinguished_name ]
  countryName = DE
  stateOrProvinceName = BY
  localityName = Munich
  0.organizationName = Contoso
  organizationalUnitName = Contoso
  commonName = contoso.com
  emailAddress = admin@contoso.com

[ rootCA_ext ]
  subjectKeyIdentifier = hash
  authorityKeyIdentifier = keyid:always,issuer
  basicConstraints = critical, CA:true
  keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ interCA_ext ]
  subjectKeyIdentifier = hash
  authorityKeyIdentifier = keyid:always,issuer
  basicConstraints = critical, CA:true, pathlen:1
  keyUsage = critical, digitalSignature, cRLSign, keyCertSign
EOF
# Create root CA
openssl req -x509 -new -nodes -newkey rsa:4096 -keyout $rootCA_key -sha256 -days 1024 -out $rootCA_cert -subj "/C=US/ST=US/O=Self Signed/CN=Self Signed Root CA" -config $cnf_filename -extensions rootCA_ext
# Create intermediate CA request
openssl req -new -nodes -newkey rsa:4096 -keyout $interCA_key -sha256 -out $interCA_csr -subj "/C=US/ST=US/O=Self Signed/CN=Self Signed Intermediate CA"
# Sign on the intermediate CA
openssl x509 -req -in $interCA_csr -CA $rootCA_cert -CAkey $rootCA_key -CAcreateserial -out $interCA_cert -days 1024 -extfile $cnf_filename -extensions interCA_ext
# Export the intermediate CA into PFX
openssl pkcs12 -export -out $interCA_pfx -inkey $interCA_key -in $interCA_cert -password "pass:"
# Convert the PFX into base64
cat $interCA_pfx | base64 > $interCA_base64
# echo ""
# echo "================"
# echo "Successfully generated root and intermediate CA certificates"
# echo " - rootCA.crt/rootCA.key - Root CA public certificate and private key"
# echo " - interCA.crt/interCA.key - Intermediate CA public certificate and private key"
# echo " - interCA.pfx.base64 - Intermediate CA pkcs12 package to be consumed by CACertificate template"
# echo "================"
# Upload to AKV
akv_name=erjositoKeyvault
akv_secret_name=azfwca
akv_secret_value=$(cat $interCA_base64)
az keyvault secret set -n $akv_secret_name --value $akv_secret_value --vault-name $akv_name
akv_secret_id=$(az keyvault secret show --vault-name $akv_name -n $akv_secret_name --query id -o tsv)
# Create identity so that the AzFW can read from AKV
id_name=azfwid
az identity create -n $id_name -g $rg
id_principal_id=$(az identity show -n $id_name -g $rg --query principalId -o tsv)
az keyvault set-policy -n "$akv_name" --object-id "$id_principal_id" --secret-permissions get list 
id_id=$(az identity show -n $id_name -g $rg --query id -o tsv)

# Create AzFw policy with TLS
az network firewall policy create -n "$azfw_policy_name" -g $rg --sku Premium --idps-mode Deny --cert-name "$akv_secret_name" --key-vault-secret-id "$akv_secret_id" --identity "$id_id"

# Deploy AzFW Premium
az network public-ip create -g $rg -n $azfw_pip_name --sku standard --allocation-method static -l $location
azfw_pip_address=$(az network public-ip show -g $rg -n $azfw_pip_name --query ipAddress -o tsv)
azfw_policy_id=$(az network firewall policy show -n $azfw_policy_name -g $rg --query id -o tsv)

# Go to the portal!
az network firewall create -n $azfw_name -g $rg -l $location --sku-tier Premium --policy $azfw_policy_id # Not working yet...
az network firewall ip-config create -f $azfw_name -n azfw-ipconfig -g $rg --public-ip-address $azfw_pip_name --vnet-name $vnet_name
az network firewall update -n $azfw_name -g $rg

# Continue here...
azfw_id=$(az network firewall show -n $azfw_name -g $rg -o tsv --query id)
az monitor diagnostic-settings create -n mydiag --resource $azfw_id --workspace $logws_id \
    --metrics '[{"category": "AllMetrics", "enabled": true, "retentionPolicy": {"days": 0, "enabled": false }, "timeGrain": null}]' \
    --logs '[{"category": "AzureFirewallApplicationRule", "enabled": true, "retentionPolicy": {"days": 0, "enabled": false}}, 
            {"category": "AzureFirewallNetworkRule", "enabled": true, "retentionPolicy": {"days": 0, "enabled": false}}]'
azfw_private_ip=$(az network firewall show -n $azfw_name -g $rg -o tsv --query 'ipConfigurations[0].privateIpAddress')

# Outgoing app rule for all FQDNs
az network firewall policy rule-collection-group create -n ruleset01 --policy-name $azfw_policy_name -g $rg --priority 100
# App rule for SSL/HTTP
az network firewall policy rule-collection-group collection add-filter-collection --policy-name $azfw_policy_name --rule-collection-group-name ruleset01 -g $rg \
    --name apprule --collection-priority 200 --action Allow --rule-name permitVnet --rule-type ApplicationRule --description "Permit HTTP traffic" \
    --target-fqdns '*' --source-addresses '*' --protocols Http=8080 Https=443 --enable-tls-inspection
az network firewall policy rule-collection-group collection rule add --policy-name $azfw_policy_name --rule-collection-group-name ruleset01 -g $rg \
    --collection-name apprule --name permit80 --description "Permit HTTP traffic on TCP80" --rule-type ApplicationRule \
    --target-fqdns '*' --source-addresses '*' --protocols Http=80
# Net rule for ICMP
az network firewall policy rule-collection-group collection add-filter-collection --policy-name $azfw_policy_name --rule-collection-group-name ruleset01 -g $rg \
    --name NetworkTraffic --collection-priority 150 --action Allow --rule-name permitIcmp --rule-type NetworkRule --description "Permit intra-vnet ICMP traffic" \
    --destination-addresses '*' --destination-ports '*' --source-addresses '*' --ip-protocols 'Icmp'
az network firewall policy rule-collection-group collection rule add --policy-name $azfw_policy_name --rule-collection-group-name ruleset01 -g $rg \
    --collection-name NetworkTraffic --name RFC1918 --description "Permit internal traffic" --rule-type NetworkRule \
    --destination-addresses '10.0.0.0/8' '172.16.0.0/12' '192.168.0.0/16' --destination-ports '*' --source-addresses '10.0.0.0/8' '172.16.0.0/12' '192.168.0.0/16' --ip-protocols 'Any'
# Sample for delete rule
# az network firewall policy rule-collection-group collection rule remove --policy-name $azfw_policy_name --rule-collection-group-name ruleset01 -g $rg \
#     --collection-name NetworkTraffic --name permit8080

# DNAT rules for the test VM, to access the test VM over SSH/443 through the firewall
# These commands might give some errors, but they still seem to work for me
az network firewall policy rule-collection-group collection add-nat-collection --policy-name $azfw_policy_name --rule-collection-group-name ruleset01 -g $rg \
    --name testDNAT --collection-priority 110 --action DNAT --rule-name DnatSSL --description "DNAT 443 traffic to test VM" \
    --source-addresses '*' --destination-addresses "$azfw_pip_address" --destination-ports 443 --ip-protocols TCP \
    --translated-address "$vm_private_ip" --translated-port 443
az network firewall policy rule-collection-group collection rule add --policy-name $azfw_policy_name --rule-collection-group-name ruleset01 -g $rg \
    --collection-name testDNAT --name DnatSSH --description "DNAT TCP22 traffic to test VM" --rule-type NatRule \
    --source-addresses '*' --destination-addresses "$azfw_pip_address" --destination-ports 22 --ip-protocols TCP \
    --translated-address "$vm_private_ip" --translated-port 22
az network firewall policy rule-collection-group collection rule add --policy-name $azfw_policy_name --rule-collection-group-name ruleset01 -g $rg \
    --collection-name testDNAT --name Dnat8080 --description "DNAT TCP8080 traffic to test VM" --rule-type NatRule \
    --source-addresses '*' --destination-addresses "$azfw_pip_address" --destination-ports 8080 --ip-protocols TCP \
    --translated-address "$vm_private_ip" --translated-port 8080

# Create public DNS record
public_domain=cloudtrooper.net
fw_dns_name='test-fw'
azfw_fqdn="${fw_dns_name}.${public_domain}"
public_dns_rg=$(az network dns zone list --query "[?name=='$public_domain'].resourceGroup" -o tsv)
if [[ -z "$public_dns_rg" ]]
then
  echo "ERROR: I could not find the public DNS zone $public_domain in subscription $sub_name"
else
  # First, remove any existing A-record if already exists
  a_record_set=$(az network dns record-set a show -n "$fw_dns_name" -z "$public_domain" -g "$public_dns_rg" -o tsv --query id 2>/dev/null)
  if [[ -n "$a_record_set" ]]
  then
    echo "Deleting existing A record for ${fw_dns_name}.${public_domain}..."
    az network dns record-set a delete -n "$fw_dns_name" -z "$public_domain" -g "$public_dns_rg" -y
  else
    echo "No conflicting A records found in ${public_domain}"
  fi
  # Now create new A record
  az network dns record-set a create -g $public_dns_rg -z cloudtrooper.net -n $fw_dns_name
  az network dns record-set a add-record -g $public_dns_rg -z cloudtrooper.net -n $fw_dns_name -a $azfw_pip_address
fi

# Verify Linux VM deployed correctly and SSH is working fine
vm_pip_address=$(az network public-ip show -n $vm_pip_name -g $rg --query ipAddress -o tsv) && echo $vm_pip_address
ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no $vm_pip_address "ip a"
curl ${vm_pip_address}:8080/api/healthcheck
curl ${vm_pip_address}:8080/api/ip

# Install nginx for SSL termination
# ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no $vm_pip_address "sudo apt install -y nginx"
nginx_config_file=/tmp/nginx.conf
cat <<EOF > $nginx_config_file
worker_processes auto;
events {
  worker_connections 1024;
}
pid        /var/run/nginx.pid;
http {
    server {
        listen 80;  # If port 80 is required additionally to 8080
        listen [::]:443 ssl;
        listen 443 ssl;
        server_name localhost;
        ssl_protocols              TLSv1.2;
        ssl_ciphers                ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK;
        ssl_prefer_server_ciphers  on;
        ssl_session_cache    shared:SSL:10m; # a 1mb cache can hold about 4000 sessions, so we can hold 40000 sessions
        ssl_session_timeout  24h;
        keepalive_timeout 75; # up from 75 secs default
        add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains';
        ssl_certificate      /etc/nginx/ssl.crt;
        ssl_certificate_key  /etc/nginx/ssl.key;
        location /api/ {
            proxy_pass http://127.0.0.1:8080 ;
            proxy_set_header Connection "";
            proxy_set_header Host \$host;
            proxy_set_header X-Real-IP \$remote_addr;
            proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
            # proxy_set_header X-Forwarded-For \$remote_addr;
            proxy_buffer_size          128k;
            proxy_buffers              4 256k;
            proxy_busy_buffers_size    256k;
        }
    }
}
EOF
scp "$nginx_config_file" "${vm_pip_address}:~/"
# Put public certs in NGINX. Note: you need to have some public certs in advance
cert_file="${HOME}/onedrive/Admin/Certs/cloudtrooper.net/2021/cloudtrooper_chain.pem"
key_file="${HOME}/onedrive/Admin/Certs/cloudtrooper.net/2021/cloudtrooper.key"
scp "$cert_file" "${vm_pip_address}:~/ssl.crt"
scp "$key_file" "${vm_pip_address}:~/ssl.key"
ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no $vm_pip_address "sudo mv ./* /etc/nginx/"
ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no $vm_pip_address "systemctl status nginx"
ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no $vm_pip_address "sudo systemctl restart nginx"

# Private DNS Zone for AzFW resolution
az network private-dns zone create -n $public_domain -g $rg
az network private-dns record-set a add-record --record-set-name $vm_dns_name -z $public_domain -g $rg -a $vm_private_ip
az network private-dns record-set a add-record --record-set-name "${vm_dns_name}-privatezone" -z $public_domain -g $rg -a $vm_private_ip
az network private-dns link vnet create -g $rg -z $public_domain -n myDnsLink --virtual-network $vnet_name --registration-enabled false

# Create A record in public domain
public_domain=cloudtrooper.net
vm_dns_name='test-vm'
public_dns_rg=$(az network dns zone list --query "[?name=='$public_domain'].resourceGroup" -o tsv)
if [[ -z "$public_dns_rg" ]]
then
  echo "ERROR: I could not find the public DNS zone $public_domain in subscription $sub_name"
else
  # First, remove any existing A-record if already exists
  a_record_set=$(az network dns record-set a show -n "$vm_dns_name" -z "$public_domain" -g "$public_dns_rg" -o tsv --query id 2>/dev/null)
  if [[ -n "$a_record_set" ]]
  then
    echo "Deleting existing A record for ${vm_dns_name}.${public_domain}..."
    az network dns record-set a delete -n "$vm_dns_name" -z "$public_domain" -g "$public_dns_rg" -y
  else
    echo "No conflicting A records found in ${public_domain}"
  fi
  # Now create new A record
  az network dns record-set a create -g $public_dns_rg -z cloudtrooper.net -n $vm_dns_name
  az network dns record-set a add-record -g $public_dns_rg -z cloudtrooper.net -n $vm_dns_name -a $vm_pip_address
fi
vm_fqdn="${vm_dns_name}.${public_domain}" && echo $vm_fqdn
curl -k "https://${vm_fqdn}/api/healthcheck"

# Test file uploads
test_file="/tmp/testfile"
echo $(tr -dc a-zA-Z0-9 </dev/urandom 2>/dev/null| head -c 25) >$test_file
curl -k -F "file=@${test_file}" "https://${vm_fqdn}/api/filesize"
bad_file="/tmp/badfile"
wget "https://secure.eicar.org/eicar.com" -O $bad_file
curl -k -F "file=@${bad_file}" "https://${vm_fqdn}/api/filesize"

# Disable lower case header IDPS signatures in AzFW
az network firewall policy intrusion-detection add --policy-name $azfw_policy_name -g $rg --mode Off --signature-id 2845390
az network firewall policy intrusion-detection add --policy-name $azfw_policy_name -g $rg --mode Off --signature-id 2845391
# Disable signatures for ifconfig.co
az network firewall policy intrusion-detection add --policy-name $azfw_policy_name -g $rg --mode Off --signature-id 2834195
az network firewall policy intrusion-detection add --policy-name $azfw_policy_name -g $rg --mode Off --signature-id 2013028


###################
# Test Client  VM #
###################

# You can optionally use this VM to connect to the linux VM over HTTPS and test certificates, from the AppGW's VNet,
#   or to test the AppGW effective routes
test_subnet_name=testvm
test_subnet_prefix=192.168.2.0/24
az network vnet subnet create -g $rg -n $test_subnet_name --vnet-name $vnet_name --address-prefix $test_subnet_prefix
# Linux
test_vm_name=clientlinux
test_vm_pip_name="${test_vm_name}-pip"
test_vm_nsg_name="${test_vm_name}-nsg"
test_vm_sku=Standard_B1s
az vm create -n $test_vm_name -g $rg --image UbuntuLTS --generate-ssh-keys --size $test_vm_sku \
   --vnet-name $vnet_name --subnet $test_subnet_name --nsg $test_vm_nsg_name --public-ip-address $test_vm_pip_name
test_vm_pip_ip=$(az network public-ip show -g $rg -n $test_vm_pip_name --query ipAddress -o tsv) && echo $test_vm_pip_ip
# Windows
win_user=$(whoami)
win_password=Microsoft123!
win_vm_name=testvmwin
win_vm_sku=Standard_B2ms
win_pip_name=testvmwin-pip
az vm create -n $win_vm_name -g $rg --image win2019datacenter --admin-username $win_user --admin-password $win_password --size $win_vm_sku \
   --vnet-name $appgw_vnet_name --subnet $win_subnet_name --public-ip-address $win_pip_name


#######################
#  Deploy Front Door  #
#######################

# Create AFD
az network front-door create -n $afd_name -g $rg --enforce-certificate-name-check Disabled \
    --accepted-protocols Https --forwarding-protocol MatchRequest \
    --backend-address $azfw_fqdn --backend-host-header $azfw_fqdn \
    --interval 60 --path '/api/healthcheck' --probeMethod GET --protocol Https
backend_pool_name=$(az network front-door backend-pool list -f $afd_name -g $rg --query '[0].name' -o tsv)
# Probe: change to GET (default is HEAD), and increase interval to send fewer requests to the VM
afd_probe_name=$(az network front-door probe list -f $afd_name -g $rg --query '[0].name' -o tsv) && echo $afd_probe_name
az network front-door probe update -n $afd_probe_name -f $afd_name -g $rg --protocol Https --path /api/healthcheck --interval 60 --probeMethod GET
# Routing rule
routing_rule_name=$(az network front-door routing-rule list -f $afd_name -g $rg --query '[0].name' -o tsv)
# az network front-door routing-rule update -n $routing_rule_name -f $afd_name -g $rg --accepted-protocols Http Https --forwarding-protocol HttpOnly  # Change from Https to Http
# Frontend FQDN
afd_frontend_name=$(az network front-door frontend-endpoint list -f $afd_name -g $rg --query '[].name' -o tsv) && echo $afd_frontend_name
afd_fqdn=$(az network front-door frontend-endpoint show -n $afd_frontend_name -f $afd_name -g $rg --query hostName -o tsv) && echo $afd_fqdn
# Test
curl -k "https://${afd_fqdn}/api/healthcheck"

# Configure AFD logging to Azure Monitor
afd_id=$(az network front-door show -n $afd_name -g $rg --query id -o tsv)
az monitor diagnostic-settings create -n mydiag --resource $afd_id --workspace $logws_id \
    --metrics '[{"category": "AllMetrics", "enabled": true, "retentionPolicy": {"days": 0, "enabled": false }, "timeGrain": null}]' \
    --logs '[{"category": "FrontdoorAccessLog", "enabled": true, "retentionPolicy": {"days": 0, "enabled": false}}, 
            {"category": "FrontdoorWebApplicationFirewallLog", "enabled": true, "retentionPolicy": {"days": 0, "enabled": false}}]'

# Custom domain (Assumes you have a public DNS zone in Azure)
dns_zone_name=cloudtrooper.net
dns_name=kuard-afd
dns_zone_rg=$(az network dns zone list -o tsv --query "[?name=='$dns_zone_name'].resourceGroup")
dns_fqdn=${dns_name}.${dns_zone_name}
# az network dns record-set cname set-record -z $dns_zone_name -g $dns_zone_rg -n afdverify.${dns_name} -c afdverify.${afd_fqdn} (recommended for prod, not required for tests)
az network dns record-set cname set-record -z $dns_zone_name -g $dns_zone_rg -n ${dns_name} -c ${afd_fqdn}
az network front-door frontend-endpoint create -n $afd_frontend_name -f $afd_name -g $rg --host-name $dns_fqdn # No update command, using "create" to replace
afd_fqdn=$(az network front-door frontend-endpoint show -n $afd_frontend_name -f $afd_name -g $rg --query hostName -o tsv)
fqdn_validation_result=$(az network front-door check-custom-domain -n $app_name -g $rg --host-name $dns_fqdn --query customDomainValidated -o tsv)
if [[ "$fqdn_validation_result" == "true" ]]
then
    echo "FQDN validated OK"
else
    echo "FQDN validation failed"
fi
echo "Point your browser to http://${afd_fqdn} or https://${afd_fqdn}"



######################
# Deploy App Gateway #
#    TO BE REMOVED   #
######################

# Create GW with sample config for port 8080
az network public-ip create -g $rg -n $appgw_pip_name --sku standard --allocation-method static -l $location
appgw_pip_address=$(az network public-ip show -g $rg -n $appgw_pip_name --query ipAddress -o tsv)
az network application-gateway create -g $rg -n $appgw_name --capacity 2 --sku $appgw_sku \
    --frontend-port 8080 --routing-rule-type basic \
    --servers $vm_fqdn --http-settings-port 8080 --http-settings-protocol Http \
    --sku Standard_v2 --min-capacity 1 --max-capacity 2 \
    --public-ip-address $appgw_pip_name --vnet-name $vnet_name --subnet $appgw_subnet_name

# Import certs from AKV
cert_name=cloudtroopernet
cert_id=$(az network application-gateway ssl-cert show -n "$cert_name" --gateway-name "$appgw_name" -g "$rg" --query id -o tsv 2>/dev/null)
if [[ -z "$cert_id" ]]
then
    echo "Adding SSL certificate to Application Gateway from Key Vault..."
    # The --keyvault-secret-id parameter doesnt seem to be working in Github's action CLI version (Feb 2021)
    # cert_sid=$(az keyvault certificate show -n "$cert_name" --vault-name "$akv_name" --query sid -o tsv)
    # az network application-gateway ssl-cert create -n "$cert_name" --gateway-name "$appgw_name" -g "$rg" --keyvault-secret-id "$cert_sid"
    pfx_file="/tmp/appgwcert.pfx"
    az keyvault secret download -n "$cert_name" --vault-name "$akv_name" --encoding base64 --file "$pfx_file"
    cert_passphrase=''
    az network application-gateway ssl-cert create -g "$rg" --gateway-name "$appgw_name" -n "$cert_name" --cert-file "$pfx_file" --cert-password "$cert_passphrase" -o none
else
    echo "Cert $cert_name already exists in application gateway $appgw_name"
fi

# Root cert from firewall
root_cert_id=$(az network application-gateway ssl-cert show -n azfwroot --gateway-name "$appgw_name" -g "$rg" --query id -o tsv 2>/dev/null)
if [[ -z "$root_cert_id" ]]
then
    az network application-gateway root-cert create -g "$rg" --gateway-name "$appgw_name" --name azfwroot --cert-file "$rootCA_cert" -o none
else
    echo "Root certificate already present in Application Gateway $appgw_name"
fi

# Intermediate CA cert from firewall
# root_cert_id=$(az network application-gateway ssl-cert show -n azfwinter --gateway-name "$appgw_name" -g "$rg" --query id -o tsv 2>/dev/null)
# if [[ -z "$root_cert_id" ]]
# then
#     az network application-gateway root-cert create -g "$rg" --gateway-name "$appgw_name" --name azfwinter --cert-file "$interCA_cert" -o none
# else
#     echo "Intermediate certificate already present in Application Gateway $appgw_name"
# fi

# HTTP Settings and probe
echo "Creating probe and HTTP settings..."
az network application-gateway probe create -g "$rg" --gateway-name "$appgw_name" \
--name testvmprobe --protocol Https --host-name-from-http-settings --match-status-codes 200-399 --port 443 --path /api/healthcheck -o none
az network application-gateway http-settings create -g "$rg" --gateway-name "$appgw_name" --port 443 \
--name testvmsettings --protocol https --host-name ${vm_fqdn} --probe testvmprobe --root-certs azfwroot -o none

# Create rule
az network application-gateway address-pool create -n testvmpool -g "$rg" --gateway-name "$appgw_name" --servers "$vm_private_ip" -o none
frontend_name=$(az network application-gateway frontend-ip list -g "$rg" --gateway-name "$appgw_name" --query '[0].name' -o tsv)
az network application-gateway frontend-port create -n testvmport -g "$rg" --gateway-name "$appgw_name" --port 443 -o none
az network application-gateway http-listener create -n testvmlistener -g "$rg" --gateway-name "$appgw_name" \
--frontend-port testvmport --frontend-ip "$frontend_name" --ssl-cert "$cert_name" -o none
az network application-gateway rule create -g "$rg" --gateway-name "$appgw_name" -n testvmrule \
--http-listener testvmlistener --rule-type Basic --address-pool testvmpool --http-settings testvmsettings -o none

# Connect app gw to Azure Monitor
appgw_id=$(az network application-gateway show -n $appgw_name -g $rg --query id -o tsv)
az monitor diagnostic-settings create -n mydiag --resource $appgw_id --workspace $logws_id \
    --metrics '[{"category": "AllMetrics", "enabled": true, "retentionPolicy": {"days": 0, "enabled": false }, "timeGrain": null}]' \
    --logs '[{"category": "ApplicationGatewayAccessLog", "enabled": true, "retentionPolicy": {"days": 0, "enabled": false}}, 
        {"category": "ApplicationGatewayPerformanceLog", "enabled": true, "retentionPolicy": {"days": 0, "enabled": false}}, 
        {"category": "ApplicationGatewayFirewallLog", "enabled": true, "retentionPolicy": {"days": 0, "enabled": false}}]'

# Implement routing to AzFW
# RT for the AppGW subnet
azfw_private_ip=$(az network firewall show -n $azfw_name -g $rg -o tsv --query 'ipConfigurations[0].privateIpAddress') && echo $azfw_private_ip
appgw_rt_name=appgwrt
az network route-table create --name "$appgw_rt_name" --resource-group "$rg" --location "$location"
az network route-table route create  --route-table-name $appgw_rt_name -g $rg --address-prefix $vm_subnet_prefix --name "ToVMSubnet"  --next-hop-type VirtualAppliance --next-hop-ip-address "$azfw_private_ip"
az network vnet subnet update --name $appgw_subnet_name --route-table $appgw_rt_name --vnet-name $vnet_name --resource-group $rg

# RT in the VM subnet required if using network rules
rt_name=vmrt
az network route-table create --name "$rt_name" --resource-group "$rg" --location "$location"
az network route-table route create  --route-table-name $rt_name -g $rg --address-prefix $appgw_subnet_prefix --name "ToAppGWSubnet"  --next-hop-type VirtualAppliance --next-hop-ip-address "$azfw_private_ip"
az network route-table route create  --route-table-name $rt_name -g $rg --address-prefix $vm_subnet_prefix --name "intrasubnet"  --next-hop-type VirtualAppliance --next-hop-ip-address "$azfw_private_ip"
az network vnet subnet update --name $vm_subnet_name --route-table $rt_name --vnet-name $vnet_name --resource-group $rg

# Create A record in public domain for AppGW
public_domain=cloudtrooper.net
appgw_dns_name='test-gw'
public_dns_rg=$(az network dns zone list --query "[?name=='$public_domain'].resourceGroup" -o tsv)
if [[ -z "$public_dns_rg" ]]
then
  echo "ERROR: I could not find the public DNS zone $public_domain in subscription $sub_name"
else
  # First, remove any existing A-record if already exists
  a_record_set=$(az network dns record-set a show -n "$appgw_dns_name" -z "$public_domain" -g "$public_dns_rg" -o tsv --query id 2>/dev/null)
  if [[ -n "$a_record_set" ]]
  then
    echo "Deleting existing A record for ${appgw_dns_name}.${public_domain}..."
    az network dns record-set a delete -n "$appgw_dns_name" -z "$public_domain" -g "$public_dns_rg" -y
  else
    echo "No conflicting A records found in ${public_domain}"
  fi
  # Now create new A record
  az network dns record-set a create -g $public_dns_rg -z cloudtrooper.net -n $appgw_dns_name
  az network dns record-set a add-record -g $public_dns_rg -z cloudtrooper.net -n $appgw_dns_name -a $appgw_pip_address
fi

# Verify access to the app over the App Gateway
appgw_fqdn="${appgw_dns_name}.${public_domain}" && echo $vm_fqdn
curl -k "https://${appgw_fqdn}/api/healthcheck"

########################
# Query AzMonitor logs #
########################

# AzFW Log Categories
query='AzureDiagnostics 
| where ResourceType == "AZUREFIREWALLS" 
| distinct Category '
az monitor log-analytics query -w $logws_customerid --analytics-query $query -o tsv
# AzFW Net rules
query_net='AzureDiagnostics
| where ResourceType == "AZUREFIREWALLS" 
| where Category == "AzureFirewallNetworkRule"
| where TimeGenerated >= ago(5m) 
| project TimeGenerated, msg_s
| take 100 '
az monitor log-analytics query -w $logws_customerid --analytics-query $query_net -o tsv
# AzFW App rules
query_app='AzureDiagnostics 
| where ResourceType == "AZUREFIREWALLS" 
| where Category == "AzureFirewallApplicationRule" 
| where TimeGenerated >= ago(5m) 
| project TimeGenerated, msg_s
| take 100'
az monitor log-analytics query -w $logws_customerid --analytics-query $query_app -o tsv
# AFD Logs
query_afd='AzureDiagnostics 
| where TimeGenerated >= ago(10m) 
| where Category == "FrontdoorAccessLog" 
| project TimeGenerated, clientIp_s, httpMethod_s, requestUri_s'
query_afd='AzureDiagnostics 
| where TimeGenerated >= ago(10m) 
| distinct Category ' 
az monitor log-analytics query -w $logws_customerid --analytics-query $query_afd -o tsv
# AppGW Log Categories
query='AzureDiagnostics 
| where ResourceType == "APPLICATIONGATEWAYS" 
| distinct Category ' 
az monitor log-analytics query -w $logws_customerid --analytics-query $query -o tsv
# AppGW Access Logs
query_acc='AzureDiagnostics 
| where TimeGenerated >= ago(1d) 
| where ResourceType == "APPLICATIONGATEWAYS" 
| where Category == "ApplicationGatewayAccessLog"
//| project TimeStamp_s, ClientIP_s, Host_s
| take 20'
az monitor log-analytics query -w $logws_customerid --analytics-query $query_acc -o tsv


###################
# Test Windows VM #
###################

# You can use this VM to connect to the linux VM over HTTPS and test certificates
win_user=$(whoami)
win_password=Microsoft123!
win_vm_name=testvmwin
win_vm_sku=Standard_B2ms
win_pip_name=testvmwin-pip
az vm create -n $win_vm_name -g $rg --image win2019datacenter --admin-username $win_user --admin-password $win_password --size $win_vm_sku \
   --vnet-name $vnet_name --subnet $vm_subnet_name --public-ip-address $win_pip_name

#################
# Test Analyzer #
#################

# Create peered vnet with Ubuntu VM
nva_subnet_name=nva
nva_subnet_prefix=192.168.10.0/24
nva_name=ubuntufw
nva_pip=${nva_name}-pip
nva_size=Standard_B1s
az network vnet subnet create --vnet-name $vnet_name --name $nva_subnet_name -g $rg --address-prefixes $nva_subnet_prefix
az vm create -n $nva_name -g $rg -l $location --image ubuntuLTS --generate-ssh-keys \
    --public-ip-address $nva_pip --vnet-name $vnet_name --size $nva_size --subnet $nva_subnet_name
nva_nic_id=$(az vm show -n $nva_name -g "$rg" --query 'networkProfile.networkInterfaces[0].id' -o tsv)
az network nic update --ids $nva_nic_id --ip-forwarding
nva_pip_ip=$(az network public-ip show -n $nva_pip -g $rg --query ipAddress -o tsv) && echo $nva_pip_ip
ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no $nva_pip_ip "sudo sysctl -w net.ipv4.ip_forward=1"
nva_private_ip=$(az network nic show --ids $nva_nic_id --query 'ipConfigurations[0].privateIpAddress' -o tsv) && echo $nva_private_ip

# Send traffic between AppGW and AzFW to the NVA
# RT in the AzFW Subnet
azfw_rt_name=azfwrt
az network route-table create --name "$azfw_rt_name" --resource-group "$rg" --location "$location"
az network route-table route create  --route-table-name $azfw_rt_name -g $rg --address-prefix $appgw_subnet_prefix --name "ToAppGWSubnet"  --next-hop-type VirtualAppliance --next-hop-ip-address "$nva_private_ip"
az network route-table route create  --route-table-name $azfw_rt_name -g $rg --address-prefix '0.0.0.0/0' --name "Defaultroute"  --next-hop-type Internet
az network vnet subnet update --name $azfw_subnet_name --route-table $azfw_rt_name --vnet-name $vnet_name --resource-group $rg
# Change AppGW RT
appgw_rt_name=appgwrt
az network route-table route update --route-table-name $appgw_rt_name -g $rg --address-prefix $vm_subnet_prefix --name "ToVMSubnet"  --next-hop-type VirtualAppliance --next-hop-ip-address "$nva_private_ip"
# RT in the NVA Subnet
nva_rt_name=nvart
az network route-table create --name "$nva_rt_name" --resource-group "$rg" --location "$location"
az network route-table route create --route-table-name $nva_rt_name -g $rg --address-prefix $vm_subnet_prefix --name "ToVMSubnet"  --next-hop-type VirtualAppliance --next-hop-ip-address "$azfw_private_ip"
az network vnet subnet update --name $nva_subnet_name --route-table $nva_rt_name --vnet-name $vnet_name --resource-group $rg

# Capture traffic on port 8080
ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no $nva_pip_ip "sudo tcpdump -n port 8080"

# Restablish normal traffic flow
az network vnet subnet update --name $azfw_subnet_name --route-table '' --vnet-name $vnet_name --resource-group $rg
az network route-table route update --route-table-name $appgw_rt_name -g $rg --address-prefix $vm_subnet_prefix --name "ToVMSubnet"  --next-hop-type VirtualAppliance --next-hop-ip-address "$azfw_private_ip"

###############
# Diagnostics #
###############

# Public IPs
az network public-ip list -g $rg -o table

# Virtual Machines
az vm list -g $rg -o table

# Azure Firewall
az network firewall nat-rule collection list -f $azfw_name -g $rg -o table
az network firewall nat-rule list -c VMTraffic -f $azfw_name -g $rg --query rules -o table
az network firewall network-rule collection list -f $azfw_name -g $rg -o table
az network firewall application-rule collection list -f $azfw_name -g $rg -o table
az network firewall application-rule list -c AllowAll -f $azfw_name -g $rg --query rules -o table
az network firewall application-rule list -c AllowAll -f $azfw_name -g $rg --query rules --query '[].{Name:name,Protocols:protocols[],SourceAddresses:sourceAddresses[],TargetFQDNs:targetFqdns[]}'

# Azure Firewall: SNAT configuration
# No yet supported with CLI (https://docs.microsoft.com/en-us/azure/firewall/snat-private-range)

# AFD
az network front-door backend-pool backend list --pool-name $backend_pool_name -f $afd_name -g $rg -o table
az network front-door probe list -f $afd_name -g $rg -o table

# App Gateway
az network application-gateway list -g $appgw_rg -o table
az network application-gateway http-listener list -g $appgw_rg --gateway-name $appgw_name -o table
az network application-gateway frontend-ip list -g $appgw_rg --gateway-name $appgw_name -o table
az network application-gateway probe list -g $appgw_rg --gateway-name $appgw_name -o table
az network application-gateway address-pool list -g $appgw_rg --gateway-name $appgw_name -o table
az network application-gateway rule list -g $appgw_rg --gateway-name $appgw_name -o table
az network application-gateway rule show -g $appgw_rg --gateway-name $appgw_name -n rule1
az network application-gateway rule list -g $appgw_rg --gateway-name $appgw_name -o table
rule=$(az network application-gateway rule list -g $appgw_rg --gateway-name $appgw_name --query '[0].name' -o tsv)
az network application-gateway rule show -g $appgw_rg --gateway-name $appgw_name -n $rule
az network application-gateway url-path-map list -g $appgw_rg --gateway-name $appgw_name -o table
az network application-gateway http-settings list -g $appgw_rg --gateway-name $appgw_name -o table

# Delete VM
vm_nic_id=$(az vm show -n $vm_name -g $rg --query 'networkProfile.networkInterfaces[0].id' -o tsv)
vm_disk_id=$(az vm show -n $vm_name -g $rg --query 'storageProfile.osDisk.managedDisk.id' -o tsv)
az vm delete -n $vm_name -g $rg -y
az disk delete --ids $vm_disk_id -y
az network nic delete --ids $vm_nic_id

# Cleanup all
az group delete -n $rg -y --no-wait

################################ WORK IN PROGRES ############################################

# APIM Gateway 
apim_subnet_name=APIMSubnet
apim_subnet_prefix=192.168.210.0/24
apim_sku=Developer  # The Premium SKU offers multi-region on top
apim_vnet_type=Internal
apim_name=apim$RANDOM
apim_publisher_email=admin@contoso.com
apim_publisher_name=Contoso

az network vnet subnet create -g $rg -n $apim_subnet_name --vnet-name $vnet_name --address-prefix $apim_subnet_prefix
apim_subnet_id=$(az network vnet subnet show -n $apim_subnet_name --vnet-name $vnet_name -g $rg --query id -o tsv)
# This takes 34m!
az apim create -n $apim_name -g $rg \
  --publisher-email $apim_publisher_email --publisher-name $apim_publisher_name \
  --sku-name $apim_sku --virtual-network $apim_vnet_type
# And this another 23m
az apim update -n $apim_name -g $rg \
  --set virtualNetworkType=$apim_vnet_type \
  --set virtualNetworkConfiguration.subnetResourceId=$apim_subnet_id
##############################################################################################