Add automation scripts for BDC to deploy in AKS private cluster (microsoft#804)

Melony QIN · web-flow · commit 4ece2d7b525a · 2020-08-19T16:47:10.000-07:00
* add bdc private cluster sample

* update templates

* update scripts

* add details for scripts

* adjust upon suggestions

* adjustment

* adjustment

* add space

* add params

* add chagnes
diff --git a/samples/features/sql-big-data-cluster/deployment/README.md b/samples/features/sql-big-data-cluster/deployment/README.md
@@ -13,4 +13,9 @@ Using the sample Python script in **aks** folder, you will deploy a Kubernetes c
 
 ## __[Push SQL Server big data cluster images to your own private Docker repository](offline/)__
 
-Using the sample Python script in **offline** folder, you will push the necessary images required for the deployment to your own repository.
+Using the sample Python script in **offline** folder, you will push the necessary images required for the deployment to your own repository.
+
+## __[Deploy SQL Server big data clusters (BDC) with Azure Kubernetes service (AKS) private cluster](private-aks/)__
+
+Using the sample Python script in **private-aks** folder, you will Deploy SQL Server big data cluster in in your private network with Azure Kubernetes service (AKS) private cluster.
+
diff --git a/samples/features/sql-big-data-cluster/deployment/private-aks/README.md b/samples/features/sql-big-data-cluster/deployment/private-aks/README.md
@@ -0,0 +1,81 @@
+# Deploy BDC in private AKS cluster with User-defined Route (UDR)
+
+This repository contains the scripts that you can use to deploy a BDC cluster in Azure Kubernetes Service (AKS) private cluster with advanced networking ( CNI ). 
+
+This repository contains 3 bash scripts : 
+- **deploy-private-aks.sh** : You can use it to deploy private AKS cluster with private endpoint, it fits the use case that you need to deploy BDC with a private endpoint with AKS private cluster.
+- **deploy-private-aks-udr.sh** : You can use it to deploy private AKS cluster with private endpoint, it fits the use case that you need to deploy BDC with a private endpoint with AKS private cluster and limit egress traffic with UDR ( User-defined Routes ). 
+- **deploy-bdc.sh** : You can use it to deploy Big Data Clusters ( BDC ) in private deployment mode on private AKS cluster with or without User-defined routes based on your project requirements. 
+
+
+## Prerequisites
+
+You can run those scripts on the following client envionrment with Linux OS or WSL/WSL2.
+
+The following table link listed common big data cluster tools and how to install them:
+
+https://docs.microsoft.com/en-us/sql/big-data-cluster/deploy-big-data-tools?view=sql-server-ver15
+
+
+## Instructions
+
+### deploy-private-aks.sh
+
+1. Download the script on the location that you are planning to use for the deployment
+
+``` bash
+curl --output setup-bdc.sh https://raw.githubusercontent.com/microsoft/sql-server-samples/master/samples/features/sql-big-data-cluster/deployment/private-aks/scripts/deploy-private-aks.sh
+```
+
+2. Make the script executable
+
+``` bash
+chmod +x deploy-private-aks.sh
+```
+
+3. Run the script (make sure you are running with sudo)
+
+``` bash
+sudo ./deploy-private-aks.sh
+```
+
+### deploy-private-aks-udr.sh
+
+1. Download the script on the location that you are planning to use for the deployment
+
+``` bash
+curl --output setup-bdc.sh https://raw.githubusercontent.com/microsoft/sql-server-samples/master/samples/features/sql-big-data-cluster/deployment/private-aks/scripts/deploy-private-aks-udr.sh
+```
+
+2. Make the script executable
+
+``` bash
+chmod +x deploy-private-aks-udr.sh
+```
+
+3. Run the script (make sure you are running with sudo)
+
+``` bash
+sudo ./deploy-private-aks-udr.sh
+```
+
+### deploy-bdc.sh
+
+1. Download the script on the location that you are planning to use for the deployment
+
+``` bash
+curl --output setup-bdc.sh https://raw.githubusercontent.com/microsoft/sql-server-samples/master/samples/features/sql-big-data-cluster/deployment/private-aks/scripts/deploy-bdc.sh
+```
+
+2. Make the script executable
+
+``` bash
+chmod +x deploy-bdc.sh
+```
+
+3. Run the script (make sure you are running with sudo)
+
+``` bash
+sudo ./deploy-bdc.sh
+```
+
diff --git a/samples/features/sql-big-data-cluster/deployment/private-aks/scripts/deploy-bdc.sh b/samples/features/sql-big-data-cluster/deployment/private-aks/scripts/deploy-bdc.sh
@@ -0,0 +1,43 @@
+#!/bin/bash
+
+#Get password as input. It is used as default for controller, SQL Server Master instance (sa account) and Knox.
+#
+while true; do
+    read -s -p "Create Admin username for Big Data Cluster: " bdcadmin
+    echo
+    read -s -p "Create Password for Big Data Cluster: " password
+    echo
+    read -s -p "Confirm your Password: " password2
+    echo
+    [ "$password" = "$password2" ] && break
+    echo "Password mismatch. Please try again."
+done
+
+
+#Create BDC custom profile
+azdata bdc config init --source aks-dev-test --target private-bdc-aks --force
+
+#Configurations for BDC deployment
+azdata bdc config replace -c private-bdc-aks/control.json -j "$.spec.docker.imageTag=2019-CU6-ubuntu-16.04"
+azdata bdc config replace -c private-bdc-aks/control.json -j "$.spec.storage.data.className=default"
+azdata bdc config replace -c private-bdc-aks/control.json -j "$.spec.storage.logs.className=default"
+
+azdata bdc config replace -c private-bdc-aks/control.json -j "$.spec.endpoints[0].serviceType=NodePort"
+azdata bdc config replace -c private-bdc-aks/control.json -j "$.spec.endpoints[1].serviceType=NodePort"
+
+azdata bdc config replace -c private-bdc-aks /bdc.json -j "$.spec.resources.master.spec.endpoints[0].serviceType=NodePort"
+azdata bdc config replace -c private-bdc-aks /bdc.json -j "$.spec.resources.gateway.spec.endpoints[0].serviceType=NodePort"
+azdata bdc config replace -c private-bdc-aks /bdc.json -j "$.spec.resources.appproxy.spec.endpoints[0].serviceType=NodePort"
+
+#In case you're deploying BDC in HA mode ( aks-dev-test-ha profile ) please also use the following command 
+#azdata bdc config replace -c private-bdc-aks /bdc.json -j "$.spec.resources.master.spec.endpoints[1].serviceType=NodePort"
+export AZDATA_USERNAME=$bdcadmin
+export AZDATA_PASSWORD=$password
+
+azdata bdc create --config-profile private-bdc-aks --accept-eula yes
+
+#Login and get endpoint list for the cluster.
+#
+azdata login -n mssql-cluster
+
+azdata bdc endpoint list --output table
diff --git a/samples/features/sql-big-data-cluster/deployment/private-aks/scripts/deploy-private-aks-udr.sh b/samples/features/sql-big-data-cluster/deployment/private-aks/scripts/deploy-private-aks-udr.sh
@@ -0,0 +1,138 @@
+#!/bin/bash
+#Get Subscription ID and Azure service principal as input. It is used as default for controller, SQL Server Master instance (sa account) and Knox.
+#
+while true; do
+    read -s -p "Your Azure Subscription: " subscription
+    echo
+    read -s -p "Your Resource Group Name: " resourcegroup
+    echo
+    read -s -p "In which region you're deploying: " region
+    echo
+    read -s -p "Your Azure service principal ID: " sp_id
+    echo
+    read -s -p "Your Azure service principal Password: " sp_pwd
+done
+
+#Define a set of environment variables to be used in resource creations.
+export SUBID=$subscription
+
+export REGION_NAME=$region
+export RESOURCE_GROUP=$resourcegroup
+export SUBNET_NAME=aks-subnet
+export VNET_NAME=bdc-vnet
+export AKS_NAME=bdcaksprivatecluster
+export FWNAME=bdcaksazfw
+export FWPUBIP=$FWNAME-ip
+export FWIPCONFIG_NAME=$FWNAME-config
+
+export FWROUTE_TABLE_NAME=bdcaks-rt
+export FWROUTE_NAME=bdcaksroute
+export FWROUTE_NAME_INTERNET=bdcaksrouteinet
+
+#Set Azure subscription current in use
+az account set --subscription $subscription
+
+#Create Azure Resource Group
+az group create -n $RESOURCE_GROUP -l $REGION_NAME
+ 
+#Create Azure Virtual Network to host your AKS cluster
+az network vnet create \
+    --resource-group $RESOURCE_GROUP \
+    --location $REGION_NAME \
+    --name $VNET_NAME \
+    --address-prefixes 10.0.0.0/8 \
+    --subnet-name $SUBNET_NAME \
+    --subnet-prefix 10.1.0.0/16
+ 
+
+SUBNET_ID=$(az network vnet subnet show \
+    --resource-group $RESOURCE_GROUP \
+    --vnet-name $VNET_NAME \
+    --name $SUBNET_NAME \
+    --query id -o tsv)
+
+
+#Add Azure firewall extension
+az extension add --name azure-firewall
+
+#Dedicated subnet for Azure Firewall (Firewall name cannot be changed)
+az network vnet subnet create \
+    --resource-group $RESOURCE_GROUP \
+    --vnet-name $VNET_NAME \
+    --name AzureFirewallSubnet \
+    --address-prefix 10.2.0.0/24
+
+#Create Azure firewall 
+az network firewall create -g $RESOURCE_GROUP -n $FWNAME -l $REGION_NAME --enable-dns-proxy true
+
+#Create public IP for Azure Firewall 
+az network public-ip create -g $RESOURCE_GROUP -n $FWPUBIP -l $REGION_NAME --sku "Standard"
+
+#Create IP configurations for Azure Firewall 
+az network firewall ip-config create -g $RESOURCE_GROUP -f $FWNAME -n $FWIPCONFIG_NAME --public-ip-address $FWPUBIP --vnet-name $VNET_NAME
+
+
+#Getting public and private IP addresses for Azure Firewall 
+export FWPUBLIC_IP=$(az network public-ip show -g $RESOURCE_GROUP -n $FWPUBIP --query "ipAddress" -o tsv)
+export FWPRIVATE_IP=$(az network firewall show -g $RESOURCE_GROUP -n $FWNAME --query "ipConfigurations[0].privateIpAddress" -o tsv)
+
+#Create an User defined route table
+az network route-table create -g $RESOURCE_GROUP --name $FWROUTE_TABLE_NAME
+
+#Create User defined routes 
+az network route-table route create -g $RESOURCE_GROUP --name $FWROUTE_NAME --route-table-name $FWROUTE_TABLE_NAME --address-prefix 0.0.0.0/0 --next-hop-type VirtualAppliance --next-hop-ip-address $FWPRIVATE_IP --subscription $SUBID
+
+az network route-table route create -g $RESOURCE_GROUP --name $FWROUTE_NAME_INTERNET --route-table-name $FWROUTE_TABLE_NAME --address-prefix $FWPUBLIC_IP/32 --next-hop-type Internet
+
+
+#Add FW Network Rules
+az network firewall network-rule create -g $RESOURCE_GROUP -f $FWNAME --collection-name 'aksfwnr' -n 'apiudp' --protocols 'UDP' --source-addresses '*' --destination-addresses "AzureCloud.$REGION_NAME" --destination-ports 1194 --action allow --priority 100
+az network firewall network-rule create -g $RESOURCE_GROUP -f $FWNAME --collection-name 'aksfwnr' -n 'apitcp' --protocols 'TCP' --source-addresses '*' --destination-addresses "AzureCloud.$REGION_NAME" --destination-ports 9000
+az network firewall network-rule create -g $RESOURCE_GROUP -f $FWNAME --collection-name 'aksfwnr' -n 'time' --protocols 'UDP' --source-addresses '*' --destination-fqdns 'ntp.ubuntu.com' --destination-ports 123
+
+#Add FW Application Rules
+az network firewall application-rule create -g $RESOURCE_GROUP -f $FWNAME --collection-name 'aksfwar' -n 'fqdn' --source-addresses '*' --protocols 'http=80' 'https=443' --fqdn-tags "AzureKubernetesService" --action allow --priority 100
+
+#Associate User defined route table (UDR) to AKS cluster where deployed BDC previsouly 
+az network vnet subnet update -g $RESOURCE_GROUP --vnet-name $VNET_NAME --name $SUBNET_NAME --route-table $FWROUTE_TABLE_NAME
+
+
+
+
+
+#Create SP and Assign Permission to Virtual Network
+az ad sp create-for-rbac -n "bdcaks-sp" --skip-assignment
+
+export APPID=$sp_id
+export PASSWORD=$sp_pwd
+export VNETID=$(az network vnet show -g $RESOURCE_GROUP --name $VNET_NAME --query id -o tsv)
+
+#Assign SP Permission to VNET
+az role assignment create --assignee $APPID --scope $VNETID --role "Network Contributor"
+
+#Assign SP Permission to route table
+export RTID=$(az network route-table show -g $RESOURCE_GROUP -n $FWROUTE_TABLE_NAME --query id -o tsv)
+az role assignment create --assignee $APPID --scope $RTID --role "Network Contributor"
+
+
+#Create AKS Cluster
+az aks create \
+    --resource-group $RESOURCE_GROUP \
+    --location $REGION_NAME \
+    --name $AKS_NAME \
+    --load-balancer-sku standard \
+    --outbound-type userDefinedRouting \
+    --enable-private-cluster \
+    --network-plugin azure \
+    --vnet-subnet-id $SUBNET_ID \
+    --docker-bridge-address 172.17.0.1/16 \
+    --dns-service-ip 10.2.0.10 \
+    --service-cidr 10.2.0.0/24 \
+    --service-principal $APPID \
+    --client-secret $PASSWORD \
+    --node-vm-size Standard_D13_v2 \
+    --node-count 2 \
+    --generate-ssh-keys
+
+
+
diff --git a/samples/features/sql-big-data-cluster/deployment/private-aks/scripts/deploy-private-aks.sh b/samples/features/sql-big-data-cluster/deployment/private-aks/scripts/deploy-private-aks.sh
@@ -0,0 +1,60 @@
+#!/bin/bash
+#Define a set of environment variables to be used in resource creations.
+#
+
+#!/bin/bash
+#Get Subscription ID and resource groups. It is used as default for controller, SQL Server Master instance (sa account) and Knox.
+#
+while true; do
+    read -s -p "Your Azure Subscription: " subscription
+    echo
+    read -s -p "Your Resource Group Name: " resourcegroup
+    echo
+    read -s -p "In which region you're deploying " region
+    echo
+done
+
+#Define a set of environment variables to be used in resource creations.
+export SUBID=$subscription
+
+export REGION_NAME=$region
+export RESOURCE_GROUP=$resourcegroup
+export SUBNET_NAME=aks-subnet
+export VNET_NAME=bdc-vnet
+export AKS_NAME=bdcaksprivatecluster
+ 
+#Set Azure subscription current in use
+az account set --subscription $subscription
+
+#Create Azure Resource Group
+az group create -n $RESOURCE_GROUP -l $REGION_NAME
+ 
+#Create Azure Virtual Network to host your AKS clus
+az network vnet create \
+    --resource-group $RESOURCE_GROUP \
+    --location $REGION_NAME \
+    --name $VNET_NAME \
+    --address-prefixes 10.0.0.0/8 \
+    --subnet-name $SUBNET_NAME \
+    --subnet-prefix 10.1.0.0/16
+
+SUBNET_ID=$(az network vnet subnet show \
+    --resource-group $RESOURCE_GROUP \
+    --vnet-name $VNET_NAME \
+    --name $SUBNET_NAME \
+    --query id -o tsv)
+ 
+#Create AKS Cluster
+az aks create \
+    --resource-group $RESOURCE_GROUP \
+    --name $AKS_NAME \
+    --load-balancer-sku standard \
+    --enable-private-cluster \
+    --network-plugin azure \
+    --vnet-subnet-id $SUBNET_ID \
+    --docker-bridge-address 172.17.0.1/16 \
+    --dns-service-ip 10.2.0.10 \
+    --service-cidr 10.2.0.0/24 \
+    --node-vm-size Standard_D13_v2 \
+    --node-count 2 \
+    --generate-ssh-keys
