This repository aims to be a helper for setting up a quick AVS lab environment that can later be shared with workshop participants.
It will help to deploy:
- an Azure vWAN Hub
- a P2S VPN configuration to provide participants with network connectivity to AVS directly from their workstation
- a jump server used as the "admin-box" to deploy nested lab content
By providing P2S VPN connectivity for workshop attendees, there is no need to set up a jumpbox per attendee or per lab to access AVS resources or nested lab ones.
This repository only provides the resources to deploy the above-mentioned components. Nested lab content is deployed through the following repository: Azure/avslabs.
A Linux-based distribution with the Azure CLI is required to deploy the content of this repository.
On top of this, the following packages are required:
- openssl
- unzip
The configuration is made through environment variables:

```bash
export AVS_LAB_ADMIN_PASSWORD=xxx    # password used to access the admin VM
export AVS_LAB_ADMIN_RG=xxx          # name of the resource group where the admin resources will be deployed
export VPN_CA_PASSPHRASE=xxx         # passphrase used to protect the VPN CA private key
export AVS_EXPRESSROUTE_ID=xxx       # ID of the ExpressRoute circuit used to connect to AVS
export AVS_EXPRESSROUTE_AUTHKEY=xxx  # auth key of the ExpressRoute circuit used to connect to AVS
```

The admin password, the CA passphrase and the ExpressRoute auth key are secrets: set them in your shell session rather than committing them to a file in the repository.
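A preflight check to run before build-lab.sh, added here as an example and not part of this repository. It verifies that the variables listed above are set and non-empty, that the tools the README requires are on PATH, and that AVS_EXPRESSROUTE_ID has the shape of an ARM resource ID for an ExpressRoute circuit. The variable and tool names come from this README; the resource ID pattern is the standard ARM format and is an assumption about what build-lab.sh accepts.

```shell
# Added example, not part of this repository: preflight check for the
# variables and tools build-lab.sh expects.

REQUIRED_VARS="AVS_LAB_ADMIN_PASSWORD AVS_LAB_ADMIN_RG VPN_CA_PASSPHRASE AVS_EXPRESSROUTE_ID AVS_EXPRESSROUTE_AUTHKEY"
REQUIRED_TOOLS="az openssl unzip"

# Print the names of required variables that are unset or empty; return 1 if any.
missing_vars() {
  rc=0
  for v in $REQUIRED_VARS; do
    eval "val=\${$v:-}"
    if [ -z "$val" ]; then echo "$v"; rc=1; fi
  done
  return $rc
}

# Print the names of required tools that are not on PATH; return 1 if any.
missing_tools() {
  rc=0
  for t in $REQUIRED_TOOLS; do
    command -v "$t" >/dev/null 2>&1 || { echo "$t"; rc=1; }
  done
  return $rc
}

# An ExpressRoute circuit ID is an ARM resource ID (assumed pattern, case-insensitive):
# /subscriptions/<guid>/resourceGroups/<rg>/providers/Microsoft.Network/expressRouteCircuits/<name>
valid_er_id() {
  printf '%s\n' "$1" | grep -Eiq \
    '^/subscriptions/[0-9a-f-]{36}/resourceGroups/[^/]+/providers/Microsoft\.Network/expressRouteCircuits/[^/]+$'
}

# Run all checks, report what is wrong, return non-zero if anything is missing.
preflight() {
  status=0
  vars=$(missing_vars) || { printf 'Missing or empty: %s\n' "$(echo "$vars" | tr '\n' ' ')"; status=1; }
  tools=$(missing_tools) || { printf 'Not on PATH: %s\n' "$(echo "$tools" | tr '\n' ' ')"; status=1; }
  if [ -n "${AVS_EXPRESSROUTE_ID:-}" ] && ! valid_er_id "$AVS_EXPRESSROUTE_ID"; then
    echo "AVS_EXPRESSROUTE_ID does not look like an ExpressRoute circuit resource ID"; status=1
  fi
  if [ "$status" -eq 0 ]; then echo "All required env variables are set"; fi
  return $status
}

# Run with: sh preflight.sh --check   (the functions above can also be sourced)
if [ "${1:-}" = "--check" ]; then preflight; fi
```

The ID check catches the most common mistake, pasting the circuit name or the auth key into AVS_EXPRESSROUTE_ID, before a partially deployed vWAN has to be cleaned up.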
Run the ./build-lab.sh script to initiate the admin box content creation:

```bash
./build-lab.sh
# Output
Testing env variables
All required env variables are set
Starting the deployment of admin resources
VPN configuration is available in the vpn-config/ folder
You can use the following command to create VPN clients:
./new-vpn-user.sh <username> <validity-in-days>
Jumpbox IP: 10.123.123.4
Jumpbox username: avsjump
```
Connectivity is built on top of Azure vWAN with:
- an ExpressRoute connection to AVS
- a P2S VPN for admin and user access
The P2S VPN is configured for certificate-based authentication against a locally generated root certificate: the root is registered on the P2S configuration and every client authenticates with a certificate signed by it.
You can create a new certificate for a user (or admin) with the provided new-vpn-user.sh script, giving the username and the validity of the certificate in days:

```bash
./new-vpn-user.sh <username> <validity-in-days>
```

Repeat the command for each new user. A validity matching the duration of the workshop limits how long a distributed certificate stays usable.
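The openssl steps behind such a flow, as an added example that is not this repository's new-vpn-user.sh: a passphrase-protected root CA, one client certificate per user signed with a chosen validity in days, restricted to client authentication, and bundled as the unprotected .pfx the Windows import steps below expect. The output directory, subject names, the base64 export of the root and the default validity are assumptions made for this example; the only name taken from the README is the VPN_CA_PASSPHRASE variable.

```shell
# Added example, not this repository's new-vpn-user.sh: root CA plus per-user
# client certificates for certificate-based P2S VPN authentication.
set -eu

CA_DIR="${CA_DIR:-$(mktemp -d)}"
# Same variable name the README uses; the fallback is a constructed value for this example only.
CA_PASS="${VPN_CA_PASSPHRASE:-example-passphrase-change-me}"

make_root_ca() {
  mkdir -p "$CA_DIR/clients"
  # The root key is encrypted at rest; the passphrase is needed each time a client cert is signed.
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 \
    -aes-256-cbc -pass "pass:$CA_PASS" -out "$CA_DIR/ca.key" 2>/dev/null
  openssl req -new -key "$CA_DIR/ca.key" -passin "pass:$CA_PASS" \
    -subj "/CN=AVS Lab P2S Root CA" -out "$CA_DIR/ca.csr"
  # Self-sign with explicit CA extensions instead of relying on the system openssl.cnf.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > "$CA_DIR/ca.ext"
  openssl x509 -req -sha256 -days 3650 -in "$CA_DIR/ca.csr" \
    -signkey "$CA_DIR/ca.key" -passin "pass:$CA_PASS" -extfile "$CA_DIR/ca.ext" -out "$CA_DIR/ca.crt"
  # Azure P2S takes the root's public certificate as base64 DER without PEM headers.
  openssl x509 -in "$CA_DIR/ca.crt" -outform DER | base64 | tr -d '\n' > "$CA_DIR/ca.b64"
  rm -f "$CA_DIR/ca.csr" "$CA_DIR/ca.ext"
}

# Usage: new_vpn_user <username> [validity-in-days]  (default 30 is an assumption)
new_vpn_user() {
  user="$1"; days="${2:-30}"; out="$CA_DIR/clients/$user"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$out.key" 2>/dev/null
  openssl req -new -key "$out.key" -subj "/CN=$user" -out "$out.csr"
  # Leaf is limited to client authentication, so it cannot double as a server or CA certificate.
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' > "$out.ext"
  openssl x509 -req -sha256 -days "$days" -in "$out.csr" \
    -CA "$CA_DIR/ca.crt" -CAkey "$CA_DIR/ca.key" -passin "pass:$CA_PASS" -CAcreateserial \
    -extfile "$out.ext" -out "$out.crt"
  # Unprotected .pfx, matching the "(No password) Next" import step; hand it over on a secure channel.
  # SHA1/3DES PBE parameters keep the bundle importable on older Windows certificate importers.
  openssl pkcs12 -export -inkey "$out.key" -in "$out.crt" -certfile "$CA_DIR/ca.crt" \
    -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
    -passout pass: -out "$out.pfx"
  rm -f "$out.csr" "$out.ext"
}

# Check that a client certificate chains to the root and is acceptable for client authentication.
verify_vpn_user() {
  openssl verify -CAfile "$CA_DIR/ca.crt" -purpose sslclient "$CA_DIR/clients/$1.crt" >/dev/null
}

# Run with:  CA_DIR=./certs sh vpnca.sh init
#            CA_DIR=./certs sh vpnca.sh user alice 5
case "${1:-}" in
  init) make_root_ca ;;
  user) new_vpn_user "$2" "${3:-30}" && verify_vpn_user "$2" ;;
esac
```

Because each user gets a distinct key pair and subject, a leaked .pfx can be tied to one attendee; the validity given at signing time is the only thing that ends that access unless the root certificate is replaced on the gateway.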
Each user needs a certificate and the (common) Azure VPN configuration file to be able to connect.
Navigate to the certs/clients folder.
Provide the .pfx (certificate with its private key) or the .crt matching the username given during user creation to the target user. The Windows import below uses the .pfx; since it is not password-protected, hand it over through a secure channel and give each user only their own file.
They will need to install the certificate in their local certificate store.
For example on Windows:
- double click on the .pfx file - "Current User"
- Next
- Next
- (No password) Next
- (Automatically select...) Next
- Finish
The Azure VPN configuration file is common to all users of the labs and is available in the vpn-config/AzureVPN folder.
Share the azurevpnconfig.xml with users.
Once their certificate is installed, users can use the Azure VPN Client to connect to lab resources.
- For Windows:
  - Install using the client install files: https://aka.ms/azvpnclientdownload, or
  - Install the Azure VPN Client from the Microsoft Store.
- For macOS:
  - Install the Azure VPN Client from the App Store.
- Import the configuration file azurevpnconfig.xml in the Azure VPN Client and select the appropriate certificate for client authentication.
- Connect to the newly created VPN connection to get access to the deployed resources.
When the admin box is deployed, you can use the admin jump box to deploy nested labs.
You can rely on the Azure/avslabs repository to do so: bootstrap.ps1 is already available in the C:\Temp folder.
- Open a PowerShell session:

```powershell
cd C:\Temp
powershell.exe -ExecutionPolicy Unrestricted -File .\bootstrap.ps1 -NoAuto
```

- Download and customize nestedlabs.yml in C:\Temp
- Open a new PowerShell 7 (!) session
- Run the lab creation command based on the number of labs to create:

```powershell
# to deploy 9 nested labs with group number 1
c:\temp\bootstrap-nestedlabs.ps1 -GroupId 1 -Labs 9
```
It may be necessary to restart the VPN connection to make a newly created lab network reachable through the VPN.
By default everything reachable from AVS is advertised to both the admin jump VM and the VPN connections, so every VPN user has network access to every nested lab; keep this in mind if labs are meant to be isolated from each other.