diff --git a/compliance/uk-official/three-tier-web-with-adds/Deploy-ReferenceArchitecture.ps1 b/compliance/uk-official/three-tier-web-with-adds/Deploy-ReferenceArchitecture.ps1
deleted file mode 100644
index 882b5b0f0..000000000
--- a/compliance/uk-official/three-tier-web-with-adds/Deploy-ReferenceArchitecture.ps1
+++ /dev/null
@@ -1,186 +0,0 @@
-#
-# Deploy_ReferenceArchitecture.ps1
-#
-param(
- [Parameter(Mandatory=$true)]
- $SubscriptionId,
-
- [Parameter(Mandatory=$true)]
- $Location,
-
- [Parameter(Mandatory=$false)]
- [ValidateSet("DeployAll", "Infrastructure", "ADDS", "Operational")]
- $Mode = "DeployAll"
-)
-
-$ErrorActionPreference = "Stop"
-
-$templateRootUriString = $env:TEMPLATE_ROOT_URI
-if ($templateRootUriString -eq $null) {
- $templateRootUriString = "https://raw.githubusercontent.com/mspnp/template-building-blocks/v1.0.0/"
-}
-
-if (![System.Uri]::IsWellFormedUriString($templateRootUriString, [System.UriKind]::Absolute)) {
- throw "Invalid value for TEMPLATE_ROOT_URI: $env:TEMPLATE_ROOT_URI"
-}
-
-Write-Host
-Write-Host "Using $templateRootUriString to locate templates"
-Write-Host
-
-$templateRootUri = New-Object System.Uri -ArgumentList @($templateRootUriString)
-
-$loadBalancerTemplate = New-Object System.Uri -ArgumentList @($templateRootUri, "templates/buildingBlocks/loadBalancer-backend-n-vm/azuredeploy.json")
-$virtualNetworkTemplate = New-Object System.Uri -ArgumentList @($templateRootUri, "templates/buildingBlocks/vnet-n-subnet/azuredeploy.json")
-$virtualMachineTemplate = New-Object System.Uri -ArgumentList @($templateRootUri, "templates/buildingBlocks/multi-vm-n-nic-m-storage/azuredeploy.json")
-$dmzTemplate = New-Object System.Uri -ArgumentList @($templateRootUri, "templates/buildingBlocks/dmz/azuredeploy.json")
-$nsgTemplate = New-Object System.Uri -ArgumentList @($templateRootUri, "templates/buildingBlocks/networkSecurityGroups/azuredeploy.json")
-$virtualMachineExtensionsTemplate = New-Object System.Uri -ArgumentList @($templateRootUri, "templates/buildingBlocks/virtualMachine-extensions/azuredeploy.json")
-
-# Local templates
-$opsNetworkInfrastructureTemplate = [System.IO.Path]::Combine($PSScriptRoot, "templates\azure\ops-network-infrastructure\azuredeploy.json")
-$vnetPeeringTemplate = [System.IO.Path]::Combine($PSScriptRoot, "templates\azure\vnetpeering\azuredeploy.json")
-$mgmtVnetPeeringTemplate = [System.IO.Path]::Combine($PSScriptRoot, "templates\azure\vnetpeering-mgmt-vnet.json")
-
-#Azure Quick Start template file
-$applicationGatewayTemplate = New-Object System.Uri("https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/101-application-gateway-create/azuredeploy.json")
-
-# Azure Parameter Files
-#network infrastructure
-$opsNetworkParametersFile = [System.IO.Path]::Combine($PSScriptRoot, "parameters\azure\ops-network.parameters.json")
-$azureMgmtVirtualNetworkParametersFile = [System.IO.Path]::Combine($PSScriptRoot, "parameters\azure\mgmt-vnet.parameters.json")
-$operationalVnetPeeringParametersFile = [System.IO.Path]::Combine($PSScriptRoot, "parameters\azure\operational-vnet-peering.parameters.json")
-$mgmtVnetPeeringParametersFile = [System.IO.Path]::Combine($PSScriptRoot, "parameters\azure\mgmt-vnet-peering.parameters.json")
-$nsgParametersFile = [System.IO.Path]::Combine($PSScriptRoot, "parameters\azure\nsg-rules.parameters.json")
-$opsNsgParametersFile = [System.IO.Path]::Combine($PSScriptRoot, "parameters\azure\ops-vent-nsgs.json")
-#aads
-$azureAddsVirtualMachinesParametersFile = [System.IO.Path]::Combine($PSScriptRoot, "parameters\azure\virtualMachines-adds.parameters.json")
-$azureAddAddsDomainControllerExtensionParametersFile = [System.IO.Path]::Combine($PSScriptRoot, "parameters\azure\add-adds-domain-controller.parameters.json")
-$azureVirtualNetworkDnsParametersFile = [System.IO.Path]::Combine($PSScriptRoot, "parameters\azure\virtualNetwork-adds-dns.parameters.json")
-#workloads
-$mgmtVMJumpboxParametersFile = [System.IO.Path]::Combine($PSScriptRoot, "parameters\azure\mgmt-virtualmachine.parameters.json")
-$webLoadBalancerParametersFile = [System.IO.Path]::Combine($PSScriptRoot, "parameters\azure\loadBalancer-web.parameters.json")
-$bizLoadBalancerParametersFile = [System.IO.Path]::Combine($PSScriptRoot, "parameters\azure\loadBalancer-biz.parameters.json")
-$dataLoadBalancerParametersFile = [System.IO.Path]::Combine($PSScriptRoot, "parameters\azure\loadBalancer-data.parameters.json")
-
-# Azure ADDS Deployments
-$azureNetworkResourceGroupName = "uk-official-networking-rg"
-$workloadResourceGroupName = "uk-official-operational-rg"
-$addsResourceGroupName = "uk-official-adds-rg"
-
-# Login to Azure and select your subscription
-Login-AzureRmAccount -SubscriptionId $SubscriptionId #| Out-Null
-
-
-
-##########################################################################
-# Deploy Vnet and VPN Infrastructure in cloud
-##########################################################################
-
-if ($Mode -eq "Infrastructure" -Or $Mode -eq "DeployAll") {
-
- #Create resource group
- Write-Host "Creating Networking resource group..."
- $azureNetworkResourceGroup = New-AzureRmResourceGroup -Name $azureNetworkResourceGroupName -Location $Location
-
- # Deploy network infrastructure, VPN and App Gateway
- Write-Host "Deploying operations network, VPN and AppGateway infrastructure..."
- New-AzureRmResourceGroupDeployment -Name "ops-network-deployment" -ResourceGroupName $azureNetworkResourceGroup.ResourceGroupName `
- -TemplateFile $opsNetworkInfrastructureTemplate -TemplateParameterFile $opsNetworkParametersFile
-
- #Deploy Mgmt network
- Write-Host "Deploying management network infrastructure..."
- New-AzureRmResourceGroupDeployment -Name "mgmt-network-deployment" -ResourceGroupName $azureNetworkResourceGroup.ResourceGroupName `
- -TemplateUri $virtualNetworkTemplate.AbsoluteUri -TemplateParameterFile $azureMgmtVirtualNetworkParametersFile
-
- #Create VNet Peerings
- Write-Host "Deploying Operational VNet Peering to Mgmt VNet..."
- New-AzureRmResourceGroupDeployment -Name "ops-vnetpeer-deployment" -ResourceGroupName $azureNetworkResourceGroup.ResourceGroupName `
- -TemplateFile $vnetPeeringTemplate -TemplateParameterFile $mgmtVnetPeeringParametersFile
-
-
- Write-Host "Deploying Mgmt VNet Peering to Operational VNet..."
- New-AzureRmResourceGroupDeployment -Name "mgmt-vnetpeer-deployment" -ResourceGroupName $azureNetworkResourceGroup.ResourceGroupName `
- -TemplateFile $vnetPeeringTemplate -TemplateParameterFile $operationalVnetPeeringParametersFile
-
- ##Create NSGs for management VNET
- Write-Host "Deploying NSGs"
- New-AzureRmResourceGroupDeployment -Name "nsg-deployment" -ResourceGroupName $azureNetworkResourceGroup.ResourceGroupName ` `
- -TemplateUri $nsgTemplate.AbsoluteUri -TemplateParameterFile $nsgParametersFile
-
- #Create NSGs for ops VNET
- Write-Host "Deploying NSGs"
- New-AzureRmResourceGroupDeployment -Name "ops-nsg-deployment" -ResourceGroupName $azureNetworkResourceGroup.ResourceGroupName `
- -TemplateUri $nsgTemplate.AbsoluteUri -TemplateParameterFile $opsNsgParametersFile
-
-}
-
-
-##########################################################################
-# Deploy ADDS forest in cloud
-##########################################################################
-
-if ($Mode -eq "ADDS" -Or $Mode -eq "DeployAll") {
- # Deploy AD tier in azure
-
- # Creating ADDS resource group
- Write-Host "Creating ADDS resource group..."
- $addsResourceGroup = New-AzureRmResourceGroup -Name $addsResourceGroupName -Location $Location
-
- # "Deploying ADDS servers..."
- Write-Host "Deploying ADDS servers..."
- New-AzureRmResourceGroupDeployment -Name "operational-adds-deployment" `
- -ResourceGroupName $addsResourceGroup.ResourceGroupName -TemplateUri $virtualMachineTemplate.AbsoluteUri `
- -TemplateParameterFile $azureAddsVirtualMachinesParametersFile
-
- # Update Azure DNS entrys
- Write-Host "Updating virtual network DNS servers..."
- New-AzureRmResourceGroupDeployment -Name "operational-azure-dns-vnet-deployment" `
- -ResourceGroupName $addsResourceGroup.ResourceGroupName -TemplateUri $virtualNetworkTemplate.AbsoluteUri `
- -TemplateParameterFile $azureVirtualNetworkDnsParametersFile
-
- Write-Host "Creating ADDS domain..."
- New-AzureRmResourceGroupDeployment -Name "operational-azure-adds-dc-deployment" `
- -ResourceGroupName $addsResourceGroup.ResourceGroupName `
- -TemplateUri $virtualMachineExtensionsTemplate.AbsoluteUri -TemplateParameterFile $azureAddAddsDomainControllerExtensionParametersFile
-
-}
-
-
-###########################################################################
-## Deploy operational tier workloads loadbalancers & VMs
-###########################################################################
-
-if ($Mode -eq "Workload" -Or $Mode -eq "DeployAll") {
-
- Write-Host "Creating workload resource group..."
- $workloadResourceGroup = New-AzureRmResourceGroup -Name $workloadResourceGroupName -Location $Location
-
- # Deploy management vnet network infrastructure
- Write-Host "Deploying management jumpbox..."
- New-AzureRmResourceGroupDeployment -Name "azure-mgmt-rg-deployment" -ResourceGroupName $workloadResourceGroup.ResourceGroupName `
- -TemplateUri $virtualMachineTemplate.AbsoluteUri -TemplateParameterFile $mgmtVMJumpboxParametersFile
-
- #Deploy workload tiers
- Write-Host "Deploying web load balancer..."
- New-AzureRmResourceGroupDeployment -Name "operational-web-deployment" `
- -ResourceGroupName $workloadResourceGroup.ResourceGroupName `
- -TemplateUri $loadBalancerTemplate.AbsoluteUri -TemplateParameterFile $webLoadBalancerParametersFile
-
- Write-Host "Deploying biz load balancer..."
- New-AzureRmResourceGroupDeployment -Name "operational-biz-deployment" -ResourceGroupName $workloadResourceGroup.ResourceGroupName `
- -TemplateUri $loadBalancerTemplate.AbsoluteUri -TemplateParameterFile $bizLoadBalancerParametersFile
-
- Write-Host "Deploying data load balancer..."
- New-AzureRmResourceGroupDeployment -Name "operational-data-deployment" -ResourceGroupName $workloadResourceGroup.ResourceGroupName `
- -TemplateUri $loadBalancerTemplate.AbsoluteUri -TemplateParameterFile $dataLoadBalancerParametersFile
-
- }
-
-
-
-
-
-
-
-
diff --git a/compliance/uk-official/three-tier-web-with-adds/README.md b/compliance/uk-official/three-tier-web-with-adds/README.md
index 5d85536a7..553d10227 100644
--- a/compliance/uk-official/three-tier-web-with-adds/README.md
+++ b/compliance/uk-official/three-tier-web-with-adds/README.md
@@ -1,524 +1,5 @@ A Microsoft Azure Three Tier Web Application Architecture For Workloads Classified as UK-OFFICIAL. =================================================================== -Contents -======== +This architecture has moved to a new location: https://aka.ms/ukwebappblueprintrepo -- [Overview](#overview) -- [Architecture Diagram and Components](#architecture-diagram-and-components) -- [Guidance and Recommendations](#guidance-and-recommendations) - - [Business continuity](#business-continuity) - - [Logging and Audit](#logging-and-audit) - - [Identity](#identity) - - [Security](#security) -- [NCSC Security Matrix Compliance](#ncsc-security-matrix-compliance) -- [Deployment Guide](#deployment-guide) -- [Deployment and Configuration Activities](#deployment-and-configuration-activities) - - [Deployment Process](#deployment-process) - - [Deploy Networking Infrastructure](#deploy-networking-infrastructure) - - [Deploy Active Directory Domain](#deploy-active-directory-domain) - - [Deploy operational workload infrastructure](#deploy-operational-workload-infrastructure) - - [(Optional) PowerShell Deployment](#optional-powershell-deployment) -- [UK Governments Private Network Connectivity](#uk-governments-private-network-connectivity) -- [Cost](#cost) -- [Further reading](#further-reading) - - - -Overview -======== - - This article provides guidance and automation scripts to deliver a Microsoft Azure three-tier web based architecture appropriate for handling many workloads classified as OFFICIAL in the United Kingdom. 
- - Using an Infrastructure as Code approach, the set of [Azure Resource Manager](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-overview) - (ARM) templates deploy an environment that aligns to the National Cyber Security Centre (NCSC) [Cloud Security Principles](https://www.ncsc.gov.uk/guidance/implementing-cloud-security-principles) and the Center for Internet Security (CIS) [Critical Security - Controls](https://www.cisecurity.org/critical-controls.cfm). - - The NCSC recommend their Cloud Security Principles be used by customers to evaluate the security properties of the service, and to help understand the division of responsibility between the customer and supplier. We’ve provided information against each of these principles to help you understand the split of responsibilities. - - This architecture and corresponding ARM templates are underpinned by the Microsoft whitepaper [Azure Blueprint for the UK Government](https://aka.ms/azureblueprintukg-cloud). This paper catalogue how Azure services align with the fourteen - cloud security principles set forth in the CESG/NCSC publication [Implementing the Cloud Security Principles](https://www.ncsc.gov.uk/guidance/implementing-cloud-security-principles)" - thereby enabling organisations to fast-track their ability to meet their compliance obligations using cloud-based services globally and in the UK on the Microsoft Azure cloud. - - This template deploys the infrastructure for the workload. Application code and supporting business tier and data tier software must be installed and configured. - - If you do not have an Azure subscription then you can sign up quickly and easily, [Get Started with Azure](https://azure.microsoft.com/en-us/get-started/). - - -Architecture Diagram and Components -=================================== - - The Azure templates deliver a three-tier web application - architecture in an Azure cloud environment that supports UK-OFFICIAL - workloads. 
The architecture delivers a secure hybrid environment that - extends an on-premises network to Azure allowing web based workloads - to be accessed securely by corporate users or from the internet. - -![alt text](images/diagram.png?raw=true "Azure UK-OFFICAL Three Tier Architecture") - - - The components of this architecture include - - -1. **On-premises network**. A private local-area network implemented in an organization. - -2. **Production VNet**. The Production [VNet](https://docs.microsoft.com/en-us/azure/Virtual-Network/virtual-networks-overview) (Virtual Network) hosts the application and other operational resources running in Azure. Each VNet may contain several subnets which are used for isolating and managing network traffic. - -3. **Web tier.** Handles incoming HTTP requests. Responses are returned through this tier. - -4. **Business tier:** Implements business processes and other functional logic for the system. - -5. **Database tier:** Provides persistent data storage, using [SQL Server Always On Availability Groups](https://msdn.microsoft.com/en-us/library/hh510230.aspx) for high availability. Customers may wish to consider using [Azure SQL Database](https://docs.microsoft.com/en-us/azure/sql-database/sql-database-technical-overview) as a PaaS alternative - -6. **Gateway**: The [VPN Gateway](https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways) provides connectivity between the routers in the on-premises network and the Production VNet. - -7. **Internet Gateway and Public IP Address**: The internet gateway exposes application services to users through the internet. Traffic accessing these services is secured using an [Application Gateway](https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-introduction) offering Layer 7 routing and load balancing capabilities with web application firewall (WAF) protection. - -8. 
**Management VNet:** This [VNet](https://docs.microsoft.com/en-us/azure/Virtual-Network/virtual-networks-overviewcontains) contains resources that implement management and monitoring capabilities for the workloads running in the Production VNet. - -9. **Jumpbox.** Also, called a [bastion host](https://en.wikipedia.org/wiki/Bastion_host). A secure VM on the network that administrators use to connect to VMs in the Production VNet. The jumpbox has an NSG that allows remote traffic only from public IP addresses on a safe list. The NSG should permit remote desktop (RDP) traffic. Management of production resources is via RDP using a secured Jumpbox VM. - -10. **User defined routes (UDR)**. [User defined routes](https://docs.microsoft.com/en-gb/azure/virtual-network/virtual-networks-udr-overview) are used to define the flow of IP traffic within Azure VNets. - -11. **Network Peered VNETs:** The Production and Management VNets are connected using [VNet Peering](https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview)**.** - They are still managed as separate resources, but appear as one for all connectivity purposes with virtual machines in these networks able to communicate with each other directly by using private IP addresses. VNet peering is subject to the VNets being in the same Azure Region - -12. **Network Security Groups:** [NSGs](https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-nsg) contain Access Control Lists that allow or Deny traffic within a VNet. NSGs can be used to secure traffic at a subnet or individual VM level. - -13. **Active Directory Domain Services (AD DS):** This architecture provides a dedicated [Active Directory](https://msdn.microsoft.com/library/azure/jj156090.aspx) [Active Directory Domain Services](https://technet.microsoft.com/library/dd448614.aspx) deployment. - -14. 
**Logging and Audit:** [Azure Activity Log](https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/monitoring-overview-activity-logs) captures operations -taken on the resources in your subscription such as who initiated the operation, when the operation occurred, the status of the operation and the values of other properties that might help you research the operation. -Azure Activity Log is an Azure platform service that captures all actions on a subscription. Logs can be archived or exported if requried. - -15. **Network Monitoring and Alerting** [Azure Network Watcher](https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview) is a platform service provides network packet capture, flow logging, topology tools and diagnostics for network traffics within your VNets. - - -Guidance and Recommendations -============================= - - -### Business continuity - -> **High Availability:** Server workloads are grouped in a [Availability -> Set](https://docs.microsoft.com/en-us/azure/virtual-machines/virtual-machines-windows-manage-availability?toc=%2fazure%2fvirtual-machines%2fwindows%2ftoc.json) -> to ensure high availability of virtual machines in Azure. This -> configuration ensures that during a planned or unplanned maintenance -> event at least one virtual machine will be available and meet the -> 99.95% Azure SLA. - -### Logging and Audit - -> **Monitoring**: [Azure -> Monitor](https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/monitoring-get-started) -> is the platform service that provides a single source for monitoring -> the activity log, metrics, and diagnostic logs of all your Azure -> resources. Azure Monitor can be configured to visualize, query, route, -> archive, and act on the metrics and logs coming from resources in -> Azure. It is recommended that Resource Based Access Control is used to secure the audit trail to ensure that users don’t have the ability to modify the logs. 
-> -> **Activity Logs**: Configure [Azure Activity -> Logs](https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/monitoring-overview-activity-logs) -> to provide insight into the operations that were performed on -> resources in your subscription. -> -> **Diagnostic Logs:** [Diagnostic -> Logs](https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/monitoring-overview-of-diagnostic-logs) -> are all logs emitted by a resource. These logs could include Windows -> event system logs, blob, table, and queue logs. -> -> **Firewall Logs:** Application Gateway provides full diagnostics and -> access logs. Firewall logs are available for application gateway -> resources that have WAF enabled. -> -> **Log Archiving:** Logs storage can be configured to write to a -> centralised Azure storage account for archival and a defined retention -> period. Logs can be processed using Azure Log Analytics or by third -> party SIEM systems - -### Identity - -> **Active Directory Domain Services:** This architecture delivers an -> Active Directory Domain Services deployment in Azure w For -> specific recommendations on implementing Active Directory in Azure, -> see the following articles - -> -> [Extending Active Directory Domain Services (AD DS) to -> Azure](https://docs.microsoft.com/en-gb/azure/guidance/guidance-identity-adds-extend-domain). -> -> [Guidelines for Deploying Windows Server Active Directory on Azure -> Virtual -> Machines](https://msdn.microsoft.com/library/azure/jj156090.aspx). -> -> **Active Directory Integration:** As an alternative to a dedicated AD -> DS architecture, customers may wish to use [Azure Active -> Directory](https://docs.microsoft.com/en-gb/azure/guidance/guidance-ra-identity#using-azure-active-directory) -> integration or [Active Directory in Azure joined to an on-premises -> forest](https://docs.microsoft.com/en-gb/azure/guidance/guidance-ra-identity#using-active-directory-in-azure-joined-to-an-on-premises-forest). 
- -### Security - -> **Management Security:** This pattern allows administrators to connect -> to the management VNET and Jumpbox using RDP from a trusted source. -> Network traffic for the management VNET is controlled using NSGs to -> restrict access port 3389 to only traffic from a trusted IP range -> access to the subnet containing the Jumpbox. -> -> Customers may also consider using an [enhanced security administrative -> model](https://technet.microsoft.com/en-gb/windows-server-docs/security/securing-privileged-access/securing-privileged-access) -> to secure the environment when connecting to the Management VNET and -> Jumpbox. It is suggested that for enhanced security customers use a -> [Privileged Access -> Workstation](https://technet.microsoft.com/windows-server-docs/security/securing-privileged-access/privileged-access-workstations#what-is-a-privileged-access-workstation-paw) -> and RDGateway configuration. The use of Network Virtual Appliances and -> public/private DMZs will offer further security enhancements. -> -> **Securing the network:** [Network Security -> Groups](https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-nsg) -> (NSG) are recommended for each subnet to provide a second level of -> protection against inbound traffic bypassing an incorrectly configured -> or disabled gateway. Example - [ARM Template for deploying an -> NSG](https://github.com/mspnp/template-building-blocks/tree/v1.0.0/templates/buildingBlocks/networkSecurityGroups). -> -> **Securing public endpoints:** The internet gateway exposes -> application services to users through the internet. 
Traffic accessing -> these services is secured using an [Application -> Gateway](https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-introduction) -> which provides a Web Application Firewall and HTTPS protocol -> management -> -> **IP Ranges:** The IP ranges in the architecture are suggested ranges, -> customers are advised to consider their own environment and use -> appropriate ranges. -> -> **Hybrid connectivity:** The cloud based workloads are connected to -> the on-premises datacentre through IPSEC VPN using the Azure VPN -> Gateway. Customers should ensure that they are using an appropriate -> VPN Gateway to connect to Azure. Example [VPN Gateway ARM -> Template](https://github.com/mspnp/template-building-blocks/tree/v1.0.0/templates/buildingBlocks/vpn-gateway-vpn-connection)**.** -> Customers running large-scale, mission critical workloads with big data requirements may wish to consider a hybrid network architecture using -> [ExpressRoute](https://docs.microsoft.com/en-gb/azure/guidance/guidance-hybrid-network-expressroute) -> to ensure private network connectivity to Microsoft cloud services -> -> **Separation of concerns:** This pattern separates the VNets for -> Management operations and business operations. Separate VNets and -> subnets allow traffic management and traffic ingress and egress -> restriction using NSGs between network segments following [Microsoft cloud services and network security](https://docs.microsoft.com/en-gb/azure/best-practices-network-security) -> best practices. -> -> **Resource Management**: Azure resources such as VMs, VNets, and load -> balancers are managed by grouping them together into [Azure Resource -> Groups](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-overview#resource-groupsresource). -> Resource Based Access Control roles can then be assigned to each -> resource group to restrict access to only authorized users. 
-> -> **Access control restrictions:** Use [Role-Based Access -> Control](https://docs.microsoft.com/en-gb/azure/active-directory/role-based-access-control-configure) -> (RBAC) to manage the resources in your application using [custom -> roles](https://docs.microsoft.com/en-gb/azure/active-directory/role-based-access-control-custom-roles) -> -> **Internet Access**: This pattern has utilised [Azure Application -> Gateway](https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-introduction) -> as the internet facing gateway and load balancer. Some customers may -> also consider the use of third party vendor Network Virtual Appliances -> for additional layers of networking security as an alternative to the -> [Azure Application -> Gateway](https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-introduction). -> -> **Azure Security Center:** The [Azure Security -> Center](https://docs.microsoft.com/en-us/azure/security-center/security-center-intro) -> provides a central view of the security status of resources in the -> subscriptions, and provides recommendations that help prevent -> compromised resources. It can enable more granular policies (for -> example, applying policies to specific resource groups that allow the -> enterprise to tailor their posture to the risk they are addressing). -> It is recommended that customers enable Azure Security Center in their -> Azure Subscription. -> -> [RBAC](https://docs.microsoft.com/en-gb/azure/active-directory/role-based-access-control-configure) -> can be used to restrict the operations that DevOps can perform on each -> tier. When granting permissions, use the [principle of least -> privilege](https://msdn.microsoft.com/library/hdb58b2f(v=vs.110).aspx#Anchor_1). -> Log all administrative operations and perform regular audits to ensure -> any configuration changes were planned. 
- -NCSC Security Matrix Compliance -=============== - - This UK-OFFICIAL Azure template aligns to the 14 cloud security - principles are documented in the (NCSC) [Cloud Security - Principles](https://www.ncsc.gov.uk/guidance/implementing-cloud-security-principles) - paper to ensure an environment that supports workloads classified as - UK-OFFICIAL. - - The following matrix provides a high level alignment of the 14 cloud security principles the Microsoft Azure security model, a detailed - mapping of the 14 principles can be found in Microsoft's [Azure Blueprint for the UK Government](https://aka.ms/azureblueprintukg-cloud) - whitepaper. - - --- - -*Data in transit protection:* Consumer data transiting networks should be adequately protected against tampering and eavesdropping via -a combination of network protection and encryption. -> Azure uses the industry-standard Transport Layer Security (TLS) 1.2 protocol with 2048-bit RSA/SHA256 encryption keys to encrypt -communication internally and between customers and the cloud. - -*Asset protection and resilience:* Consumer data, and the assets that store or process it, should be protected against physical -tampering, loss, damage, and seizure. -> Most Azure services are deployed regionally, and customers can configure certain Azure services to store customer data only in a single region. Each facility is designed to run 24x7x365 and employs various industry-standard measures to help protect operations from power failure, physical intrusion, and network outages. -> These datacenters comply with industry standards (such as ISO 27001) for physical security and availability. They are managed, monitored, and administered by Microsoft operations personnel. Azure offers a wide range of encryption capabilities, giving customers the flexibility to choose the solution that best meets their needs. 
-> When customers delete data or leave Azure, Microsoft follows strict standards for overwriting storage resources before reuse.Upon a system's end-of-life, -> Microsoft operational personnel follow rigorous data handling procedures and hardware disposal processes to help assure that no hardware that may contain customer data is made available to untrusted parties. -> To ensure data resiliency Azure asynchronously replicates data from a primary location to a secondary location within the same region. -> For applications resiliency, Microsoft Azure patterns ensure that at least one virtual machine will be available and meet the 99.95% Azure SLA. - -*Separation between consumers:* Separation should exist between different consumers of the service to prevent one malicious or compromised consumer from affecting the service or data of another. -> Because all customer cloud servers are virtual, the physical separation paradigm no longer applies. -> Microsoft Azure was designed to help identify and counter risks inherent in a multitenant environment. -> Data storage and processing is logically segregated among consumers of Azure using Active Directory and functionality specifically -> developed for multitenant services, which aims to ensure that consumer data stored in shared Azure data centers is not accessible by -> another organisation. - -*Governance framework:* The service provider should have a security governance framework that coordinates and directs their overall - approach to the management of the service and information within it. -> The Microsoft compliance framework includes the following activities: - -> 1. Identify and integrate requirements - -> 2. Assess and remediate gaps. - -> 3. Test effectiveness and assess risk. - -> 4. Attain certification and attestations. - -> 5. Improve and optimize. - -*Operational security:* The service provider should have processes and procedures in place to ensure the operational security of the service. 
-> Operational Security Assurance (OSA) is a framework that incorporates the knowledge gained through a variety of resources that are unique to Microsoft, -> such as the Microsoft Security Response Center (MSRC), and incorporates deep awareness of the cybersecurity threat landscape. -> OSA helps make Microsoft cloud-based services' infrastructure more resilient to attack by decreasing the amount of time needed to prevent, detect, contain -> and respond to real and potential Internet-based security threats, thereby increasing the security of those services for customers. - -*Personnel security:* Service provider staff should be subject to personnel security screening and security education appropriate for their role. -> Microsoft Azure Operations and Customer Support personnel and data center staff, who operate Azure services and provide customer support (or Microsoft subcontractors -> who assist with platform operations, troubleshooting, and technical support) undergo a Microsoft standard background (or equivalent) check to evaluate employee -> education, employment, and criminal history. The background checks that are carried out are broadly in line with the requirements of the UK Government's -> BPSS / BS7858. They do not specifically include a formal identity check. - -*Secure development:* Services should be designed and developed to identify and mitigate threats to their security. -> The Microsoft [Security Development Lifecycle](https://www.microsoft.com/en-us/sdl/default.aspx) (SDL) provides an effective threat-modelling process to identify -> threats and vulnerabilities in software and services. The STRIDE system (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, and -> Elevation of privilege) is used to help identify and resolve security threats early in the design process, before they can affect customers. 
- -*Supply chain security:* The service provider should ensure that its supply chain satisfactorily supports all of the security principles that the service -claims to implement.| -> In Azure, security risks that relate to external parties, such as customers and vendors, are identified and addressed as follows: - -> 1. Third parties undergo a review process and an approved vendor list is established and used. These vendors are required to comply with Microsoft security policies and are audited. - -> 2. Additional risks that relate to granting access to facilities and information systems are controlled and managed by Microsoft teams, including physical and network level access to facilities and Microsoft resources. - -*Secure consumer management:* Consumers should be provided with the tools required to help them securely manage their service. -> Customers administer their Azure resources through the Azure portal, which provides access to all virtual machines, databases, cloud services, and -> other resources configured for the customer's account. Web access to the Azure portal is secured by industry-standard Transport Layer Security (TLS) 1.2 -> connections using 2048-bit RSA/SHA256 encryption keys, as recommended by CESG/NCSC . Role-based access controls are provided to enable customers to provide -> limited access to Azure management resources for specific users and groups. - -*Identity and authentication* Access to all service interfaces (for consumers and providers) should be limited to authenticated and authorised individuals. -> Azure provides services to help track identity as well as integrate it with identity stores that may already be in use. Azure AD is a comprehensive identity and access management service for the cloud that helps secure access to data in on-premises and cloud applications. 
- -*External interface protection:* All external or less trusted interfaces of the service should be identified and have appropriate protections to defend against -attacks through them. -> Microsoft employs a method it calls 'Red Teaming' to improve Azure security controls and processes through regular penetration testing. - -*Secure service administration:* The methods used by the service providers administrators to manage the operational service should be designed to mitigate -any risk of exploitation that could undermine the security of the service. -> Azure infrastructure operations personnel are required to use secure admin workstations (SAWs; also known as privileged access workstations, or PAWs). The SAW approach is an extension of the well-established recommended practice to use separate admin and user accounts for administrative personnel. - -*Audit information provision to consumers:* Consumers should be provided with the audit records they need to monitor access to their service and the data held within it. -> Azure Log Analytics collects records of the events occurring within an organisation's systems and networks as soon as they occur, before anyone can tamper with them, and allows different types of analysis by correlating data across multiple computers. - -*Secure use of the service by the consumer:* Consumers have certain responsibilities when using a cloud service in order for this use to remain secure, and for their -data to be adequately protected. -> Azure Security Center helps consumers prevent, detect, and respond to threats with increased visibility into and control over the security of their Azure resources. -> It provides integrated security monitoring and policy management across Azure subscriptions, helps detect threats that might otherwise go unnoticed, -> and works with a broad ecosystem of security solutions. 
- - -The CSA published the Cloud Control Matrix to support customers in the evaluation of cloud providers and to identify questions that should be -answered before moving to cloud services. In response, Microsoft Azure answered the CSA Consensus Assessment Initiative Questionnaire [CSA CAIQ](https://aka.ms/csacaiqresponsesto) describe how Microsoft -addresses the suggested principles. - -The Crown Commercial Service (an agency that works to improve commercial and procurement activity by the government) renewed the -classification of Microsoft in-scope enterprise cloud services to G-Cloud v6, covering all its offerings at the OFFICIAL level. Details -of Azure and G-Cloud can be found in the [Azure UK G-Cloud security assessment summary](https://www.microsoft.com/en-us/trustcenter/Compliance/UK-G-Cloud?downloadDocument=1&documentId=b4ed7712-d221-4a9c-ad0b-b36cf0d83eae). - -Deployment Guide -================ -These templates automatically deploy the Azure resources for a multi-tier, Windows based three tier application with an Active Directory Domain architecture. **As this is a complex deployment that delivers the full infrastructure and environment configuration -deployment can take up to two hours.** Progress can be monitored from the Resource Group blade and Deployment output blade in the Azure -Portal. - -> Rather than develop the templates for this environment from scratch, some templates used are drawn from the [Microsoft Patterns and -> Practices GitHub Repository](https://github.com/mspnp) [Template -> Building Blocks](https://github.com/mspnp/template-building-blocks) -> and orchestrated through a an a master ARM template or PowerShell -> script. Other Azure architectural best practices and guidance can be -> found in [Azure Reference -> Architectures](https://docs.microsoft.com/en-gb/azure/guidance/guidance-architecture). 
-> Supporting Microsoft Visio templates are available from the [Microsoft -> download -> center](http://download.microsoft.com/download/1/5/6/1569703C-0A82-4A9C-8334-F13D0DF2F472/RAs.vsdx) -> with the corresponding ARM Templates found at [Azure Reference -> Architectures ARM -> Templates](https://github.com/mspnp/reference-architectures). - - As a pre-requisite to deployment users should ensure that they have - - -- An Azure Subscription - -- Admin or co-admin rights for the Subscription - -- The Azure Subscription ID has been noted - -- The [latest version of PowerShell](https://azure.microsoft.com/en-us/documentation/articles/powershell-install-configure/) to execute the deployment script - -## Deployment and Configuration Activities - - Activity|Configuration| - ---|--- - Create Management VNet Resource Groups|Enter resource group name during deployment - Create Operational VNet Resource Groups|Enter resource group name during deployment - Deploy VNet network infrastructure|Enter resource group name during deployment - Create VNet Peerings|None required| - Deploy VPN Gateway|The template deploys an Azure environment with a public facing endpoint and an Azure Gateway to allow VPN setup between the Azure environment and your on-premises environment. To complete this VPN connection, you will need to provide the Local Gateway (your on-premises VPN public IP address) and complete the VPN connection set up locally. VPN Gateway requires local gateway configuration in the [/parameters/azure/ops-network.parameters.json](/parameters/azure/ops-network.parameters.json) template parameters file or through the Azure portal. - Deploying internet facing Application Gateway|For SSL termination, Application Gateway requires you SSL certificates to be uploaded. 
When provisioned the Application Gateway will instantiate a public IP address and domain name to allow access to the web application - Create Network Security Groups for VNETs|RDP access to the Management VNet Jumpbox must be secured to a trusted IP address range. It is important to amend the "sourceAddressPrefix" parameter with your own trusted source IP address range in the [/parameters/azure/nsg-rules.parameters.json](/parameters/azure/nsg-rules.parameters.json) template parameters file. NSG configuration for the operational VNet can be found at [/parameters/azure/ops-vent-nsgs.json](/parameters/azure/ops-vent-nsgs.json) - Create ADDS resource group|Enter resource group name during deployment and edit the configuration fields if required - Deploying ADDS servers|None required - Updating DNS servers|None required - Create ADDS domain|The provided templates create a demo 'treyresearch' domain. To ensure that the required Active Directory Domain is created with the desired domain name and administrative user the fields can be configured in the deployment screen or in the [/parameters/azure/add-adds-domain-controller.parameters.json](/parameters/azure/add-adds-domain-controller.parameters.json) template parameters file must be edited with the required values - Create ADDS domain controller|None required - Create operational workload Resource Group|Enter resource group name during deployment - Deploy operational VM tiers and load balancers |None required - Set up IIS web server role for web tier|None required - Enable Windows Auth for VMs|None required - Deploy Microsoft Anti-malware to VMs|None required - Domain Join VMs|Domain joining the Virtual Machines is a post deployment step and must be **manually** completed - - -## Deployment Process - -A deployment for this reference architecture is available on -[GitHub](https://github.com/mspnp/reference-architectures/tree/master/compliance/uk-official/three-tier-web-with-adds). 
The templates can be cloned or downloaded if customisation of parameters are requried. -The reference architecture is deployed in four stages. To deploy the architecture, follow these steps for each deployment stage - - -For Virtual Machines The parameter files include a hard-coded -administrator user names and passwords. These values can be changed in the parameter files if required. Tt is *strongly recommended -that you immediately change both on all the VMs*. Click on each VM in the Azure portal then click on **Reset password** in the **Support -troubleshooting** blade. - -## Deploy Networking Infrastructure - - - - - - - - -1. Click on the **Deploy to Azure** button to begin the first stage of the deployment. The link takes you to the Azure Portal. -2. Select **Create New** and enter a value such as `uk-official-networking-rg` in the **Resource group** textbox. -3. Select a region such as `UKSouth` from the **Location** drop down box (All Resource Groups required for this architecture should be in the same Azure region e.g. `UKSouth` -4. Some parameters can be edited in the deployment page. If greater customisation is requried this can be down through cloning and editing the templates directly, or in situ by editing the templates by clicking 'Edit template'. -5. Review the terms and conditions, then click the **I agree to the terms and conditions stated above** checkbox. -6. Click on the **Purchase** button. -7. Check Azure portal notification for a message that the stage of deployment is complete and move on to the next if completed. -8. If for some reason your deployment fails. To avoid incurring cost and orphan resources it is advisable to delete the resource group in its entirety, fix the issue and redeploy the resource groups and template. - - -## Deploy Active Directory Domain - - - - - - - - -1. Click on the **Deploy to Azure** button to begin the first stage of the deployment. The link takes you to the Azure Portal. -2. 
Select **Create New** and enter a value such as `uk-official-adds-rg` in the **Resource group** textbox. -3. Select a region such as `UKSouth` from the **Location** drop down box (All Resource Groups required for this architecture should be in the same Azure region e.g. `UKSouth`. -4. Some parameters can be edited in the deployment page. If greater customisation is requried this can be down through cloning and editing the templates directly, or in situ by editing the templates by clicking 'Edit template'. -5. In the **Settings** textboxes, enter the networking resource group as entered when creating the networking infrastructure in deployment step 1. -6. Enter the Domain settings and Admin credentials. -7. Review the terms and conditions, then click the **I agree to the terms and conditions stated above* checkbox. -8. Click on the **Purchase** button. -9. Check Azure portal notification for a message that the stage of deployment is complete and move on to the next if completed. -10. If for some reason your deployment fails. To avoid incurring cost and orphan resources it is advisable to delete the resource group in its entirety, fix the issue and redeploy the resource groups and template. - -![alt text](images/create-official-aads-rg.JPG?raw=true "Create ADDS deployment") - - -## Deploy operational workload infrastructure - - - - - - - - -1. Click on the **Deploy to Azure** button to begin the first stage of the deployment. The link takes you to the Azure Portal. -2. Select **Create New** and enter a value such as `uk-official-operational-rg` in the **Resource group** textbox. -3. Select a region such as `UKSouth` from the **Location** drop down box (All Resource Groups required for this architecture should be in the same Azure region e.g. `UKSouth` -4. Some parameters can be edited in the deployment page. 
If greater customisation is requried this can be down through cloning and editing the templates directly, or in situ by editing the templates by clicking 'Edit template'. -5. In the **Settings** textboxes, enter the operational network resource group as entered when creating the networking infrastructure in deployment step 1. -6. Enter the Virtual Machine Admin credentials. -7. Review the terms and conditions, then click the **I agree to the terms and conditions stated above** checkbox. -8. Click on the **Purchase** button. -9. Check Azure portal notification for a message that the stage of deployment is complete and move on to the next if completed. -10. If for some reason your deployment fails. To avoid incurring cost and orphan resources it is advisable to delete the resource group in its entirety, fix the issue and redeploy the resource groups and template. - -![alt text](images/create-official-workload-rg.JPG?raw=true "Create ADDS deployment"). - - - -##(Optional) PowerShell Deployment - -To deploy this solution through PowerShell, you will need the latest version of the Azure CLI to run the PowerShell script that deploys the solution. To deploy the reference architecture, follow these steps - -1. Download or clone the solution folder from GitHub to your local machine. -2. Open the Azure CLI and navigate to the local solution folder. -3. Run the following command: `.\Deploy-ReferenceArchitecture.ps1 ` -4. Replace `` with your Azure subscription ID. -5. For ``, specify an Azure region, such as `UKSouth` or `UKWest`. -6. The `` parameter controls the granularity of the deployment, and can be one of the following values: -- `Infrastructure`: deploys the networking infrastructure -- `ADDS`: deploys the VMs acting as Active Directory DS servers, deploys Active Directory to these VMs, and deploys the domain in Azure. -- `Operational`: deploys the web, business and data tier VMs and load balancers -- `DeployAll`: deploys all the preceding deployments. 
- -UK Governments Private Network Connectivity -=========================================== - -Microsoft's customers are now able to use [private connections](https://news.microsoft.com/en-gb/2016/12/14/microsoft-now-offers-private-internet-connections-to-its-uk-data-centres/#sm.0001dca7sq10r1couwf4vvy9a85zx) -to the company's UK data centres. Microsoft's partners are providing a gateway from PSN/N3 to [ExpressRoute](https://azure.microsoft.com/en-us/services/expressroute/) and into Azure - just one of the new services the group has unveiled -since the company launched its [**Azure**](https://azure.microsoft.com/en-us/blog/) and Office 365 cloud offering in this country at launch (https://news.microsoft.com/en-gb/2016/09/07/not-publish-microsoft-becomes-first-company-open-data-centres-uk/). Since then, [**thousands of customers**](https://enterprise.microsoft.com/en-gb/industries/public-sector/microsoft-uk-data-centres-continue-to-build-momentum/?wt.mc_id=AID563187_QSG_1236) including the Ministry of Defence, the Met Police and parts of the NHS - have signed up to take advantage of the sites, which offer UK data residency, security and reliability. - -Cost -==== - -Deploying this template will create one or more Azure resources. You -will be responsible for the costs generated by these resources so it is -important that you review the applicable pricing and legal terms -associated with all resources and offerings deployed as part of this -template. For cost estimates, you can use the [Azure Pricing -Calculator](https://azure.microsoft.com/en-us/pricing/calculator). - -Further reading -=============== - -Further best practice information and recommendations for configuring and securing a multi-tier application in Azure can be found in - [Running Windows VMs for an N-tier architecture on Azure](https://docs.microsoft.com/en-gb/azure/guidance/guidance-compute-n-tier-vm). 
-
-Best practices on Azure Network Security and a decision-making matrix can be found in [Microsoft cloud services and network
-security](https://docs.microsoft.com/en-gb/azure/best-practices-network-security).
\ No newline at end of file
diff --git a/compliance/uk-official/three-tier-web-with-adds/extensions/adds-forest.ps1 b/compliance/uk-official/three-tier-web-with-adds/extensions/adds-forest.ps1
deleted file mode 100644
index 610691940..000000000
--- a/compliance/uk-official/three-tier-web-with-adds/extensions/adds-forest.ps1
+++ /dev/null
@@ -1,32 +0,0 @@
-[CmdletBinding()]
-Param(
- [string]$SafeModePassword = "SafeModeP@ssw0rd",
- [string]$DomainName = "contoso.com",
- [string]$DomainNetbiosName = "CONTOSO"
-)
-
-$ErrorActionPreference = "Stop"
-
-Initialize-Disk -Number 2 -PartitionStyle GPT
-New-Partition -UseMaximumSize -DriveLetter F -DiskNumber 2
-Format-Volume -DriveLetter F -Confirm:$false -FileSystem NTFS -force 
-
-Install-windowsfeature -name AD-Domain-Services -IncludeAllSubFeature -IncludeManagementTools
-
-Import-Module ADDSDeployment
-
-$secSafeModePassword = ConvertTo-SecureString $SafeModePassword -AsPlainText -Force
-
-Install-ADDSForest `
--SafeModeAdministratorPassword $secSafeModePassword `
--CreateDnsDelegation:$false `
--DatabasePath "F:\Windows\NTDS" `
--DomainMode "Win2012R2" `
--DomainName $DomainName `
--DomainNetbiosName $DomainNetbiosName `
--ForestMode "Win2012R2" `
--InstallDns:$true `
--LogPath "F:\Windows\NTDS" `
--NoRebootOnCompletion:$false `
--SysvolPath "F:\Windows\SYSVOL" `
--Force:$true
diff --git a/compliance/uk-official/three-tier-web-with-adds/extensions/adds.ps1 b/compliance/uk-official/three-tier-web-with-adds/extensions/adds.ps1
deleted file mode 100644
index 6612302b3..000000000
--- a/compliance/uk-official/three-tier-web-with-adds/extensions/adds.ps1
+++ /dev/null
@@ -1,45 +0,0 @@
-[CmdletBinding()]
-Param(
- [Parameter(Mandatory=$True)]
- [string]$AdminUser,
-
- [Parameter(Mandatory=$True)]
- [string]$AdminPassword,
-
- [Parameter(Mandatory=$True)]
- [string]$SafeModePassword,
-
- [Parameter(Mandatory=$True)]
- [string]$DomainName,
-
- [Parameter(Mandatory=$True)]
- [string]$SiteName
-
-)
-
-Initialize-Disk -Number 2 -PartitionStyle GPT
-New-Partition -UseMaximumSize -DriveLetter F -DiskNumber 2
-Format-Volume -DriveLetter F -Confirm:$false -FileSystem NTFS -force 
-
-$secSafeModePassword = ConvertTo-SecureString $SafeModePassword -AsPlainText -Force
-$secAdminPassword = ConvertTo-SecureString $AdminPassword -AsPlainText -Force
-$credential = New-Object System.Management.Automation.PSCredential ("$DomainName\$AdminUser", $secAdminPassword)
-
-Install-windowsfeature -name AD-Domain-Services -IncludeAllSubFeature -IncludeManagementTools
-
-Import-Module ADDSDeployment
-
-Install-ADDSDomainController `
--Credential $credential `
--SafeModeAdministratorPassword $secSafeModePassword `
--DomainName $DomainName `
--SiteName $SiteName `
--SysvolPath "F:\Adds\SYSVOL" `
--DatabasePath "F:\Adds\NTDS" `
--LogPath "F:\Adds\NTDS" `
--NoGlobalCatalog:$false `
--CreateDnsDelegation:$false `
--CriticalReplicationOnly:$false `
--InstallDns:$true `
--NoRebootOnCompletion:$false `
--Force:$true
\ No newline at end of file
diff --git a/compliance/uk-official/three-tier-web-with-adds/extensions/enable-windows-auth.ps1 b/compliance/uk-official/three-tier-web-with-adds/extensions/enable-windows-auth.ps1
deleted file mode 100644
index c81c3bd8e..000000000
--- a/compliance/uk-official/three-tier-web-with-adds/extensions/enable-windows-auth.ps1
+++ /dev/null
@@ -1,5 +0,0 @@
-Set-WebConfigurationProperty -Filter "/system.webServer/security/authentication/windowsAuthentication" -Name Enabled -Value True -PSPath "IIS:\Sites\$SiteName\$AppName"
-
-Set-WebConfigurationProperty -Filter "/system.webServer/security/authentication/anonymousAuthentication" -Name Enabled -Value False -PSPath "IIS:\Sites\$SiteName\$AppName"
-
-IISRESET
diff --git a/compliance/uk-official/three-tier-web-with-adds/extensions/iisaspnet.ps1.zip b/compliance/uk-official/three-tier-web-with-adds/extensions/iisaspnet.ps1.zip
deleted file mode 100644
index e34b18eb2..000000000
Binary files a/compliance/uk-official/three-tier-web-with-adds/extensions/iisaspnet.ps1.zip and /dev/null differ
diff --git a/compliance/uk-official/three-tier-web-with-adds/images/create-official-aads-rg.JPG b/compliance/uk-official/three-tier-web-with-adds/images/create-official-aads-rg.JPG
deleted file mode 100644
index c3a3a421a..000000000
Binary files a/compliance/uk-official/three-tier-web-with-adds/images/create-official-aads-rg.JPG and /dev/null differ
diff --git a/compliance/uk-official/three-tier-web-with-adds/images/create-official-ops-rg.JPG b/compliance/uk-official/three-tier-web-with-adds/images/create-official-ops-rg.JPG
deleted file mode 100644
index 7ef368c66..000000000
Binary files a/compliance/uk-official/three-tier-web-with-adds/images/create-official-ops-rg.JPG and /dev/null differ
diff --git a/compliance/uk-official/three-tier-web-with-adds/images/create-official-workload-rg.JPG b/compliance/uk-official/three-tier-web-with-adds/images/create-official-workload-rg.JPG
deleted file mode 100644
index 341251305..000000000
Binary files a/compliance/uk-official/three-tier-web-with-adds/images/create-official-workload-rg.JPG and /dev/null differ
diff --git a/compliance/uk-official/three-tier-web-with-adds/images/create-postdeployment.JPG b/compliance/uk-official/three-tier-web-with-adds/images/create-postdeployment.JPG
deleted file mode 100644
index 20bc20415..000000000
Binary files a/compliance/uk-official/three-tier-web-with-adds/images/create-postdeployment.JPG and /dev/null differ
diff --git a/compliance/uk-official/three-tier-web-with-adds/images/diagram.png b/compliance/uk-official/three-tier-web-with-adds/images/diagram.png
deleted file mode 100644
index 5f5c66e03..000000000
Binary files a/compliance/uk-official/three-tier-web-with-adds/images/diagram.png and /dev/null differ
diff --git a/compliance/uk-official/three-tier-web-with-adds/metadata.json b/compliance/uk-official/three-tier-web-with-adds/metadata.json
deleted file mode 100644
index 5af635f29..000000000
--- a/compliance/uk-official/three-tier-web-with-adds/metadata.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "itemDisplayName": "Azure UK-OFFICIAL Three Tier Web Application",
- "description": "This template delivers a three tier web application architecture with Active Directory and Domain Services that ensures a UK-OFFICIAL compliant architecture.",
- "summary": "Deploy a NCSC 14 Security Rules Azure UK-OFFICIAL Compliant Three Tier Web Application",
- "githubUsername": "ben-houghton",
- "dateUpdated": "2017-20-02"
-}
diff --git a/compliance/uk-official/three-tier-web-with-adds/parameters/azure/add-adds-domain-controller.parameters.json b/compliance/uk-official/three-tier-web-with-adds/parameters/azure/add-adds-domain-controller.parameters.json
deleted file mode 100644
index dfb6976c4..000000000
--- a/compliance/uk-official/three-tier-web-with-adds/parameters/azure/add-adds-domain-controller.parameters.json
+++ /dev/null
@@ -1,61 +0,0 @@
-{
- "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "virtualMachinesExtensionSettings": {
- "metadata": {
- "description": "VM Settings for ADDS DC"
- },
- "value": [
- {
- "vms": [ "operational-ad-vm1","operational-ad-vm2"],
- "extensions": [
- {
- "name": "install-adds",
- "publisher": "Microsoft.Compute",
- "type": "CustomScriptExtension",
- "typeHandlerVersion": "1.8",
- "autoUpgradeMinorVersion": false,
- "settingsConfigMapperUri": "https://raw.githubusercontent.com/mspnp/reference-architectures/master/compliance/uk-official/three-tier-web-with-adds/templates/onpremise/adds-domain-controller-extension-settings-mapper.json",
- "settingsConfig": {
- "activeDirectorySettings": {
- "domainName": "treyresearch.net",
- "adminUser": "adminuser",
- "adminPassword": "AweS0me@PW",
- "siteName": "Default-First-Site-Name",
- "safeModePassword": "Saf3M0de@PW"
- },
- "fileUris": [
- "https://raw.githubusercontent.com/mspnp/reference-architectures/master/compliance/uk-official/three-tier-web-with-adds/extensions/adds.ps1"
- ]
- },
- "protectedSettingsConfig": {
- }
- },
- {
- "name": "IaaSAntimalware",
- "publisher": "Microsoft.Azure.Security",
- "type": "IaaSAntimalware",
- "typeHandlerVersion": "1.3",
- "autoUpgradeMinorVersion": true,
- "settingsConfigMapperUri": "https://raw.githubusercontent.com/mspnp/template-building-blocks/v1.0.0/templates/resources/Microsoft.Compute/virtualMachines/extensions/vm-extension-passthrough-settings-mapper.json",
- "settingsConfig": {
- "AntimalwareEnabled": true,
- "RealtimeProtectionEnabled": "false",
- "ScheduledScanSettings": {
- "isEnabled": "false",
- "day": "7",
- "time": "120",
- "scanType": "Quick"
- },
- "Exclusions": {
- }
- },
- "protectedSettingsConfig": { }
- }
- ]
- }
- ]
- }
- }
-}
diff --git a/compliance/uk-official/three-tier-web-with-adds/parameters/azure/create-adds-forest-extension.parameters.json b/compliance/uk-official/three-tier-web-with-adds/parameters/azure/create-adds-forest-extension.parameters.json
deleted file mode 100644
index 9702f67a2..000000000
--- a/compliance/uk-official/three-tier-web-with-adds/parameters/azure/create-adds-forest-extension.parameters.json
+++ /dev/null
@@ -1,59 +0,0 @@
-{
- "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "virtualMachinesExtensionSettings": {
- "metadata": {
- "description": "VM Extension Settings"
- },
- "value": [
- {
- "vms": [ "operational-ad-vm1" ],
- "extensions": [
- {
- "name": "install-adds-forest",
- "publisher": "Microsoft.Compute",
- "type": "CustomScriptExtension",
- "typeHandlerVersion": "1.8",
- "autoUpgradeMinorVersion": false,
- "settingsConfigMapperUri": "https://raw.githubusercontent.com/mspnp/reference-architectures/master/compliance/uk-official/three-tier-web-with-adds/templates/onpremise/adds-domain-controller-extension-settings-mapper.json",
- "settingsConfig": {
- "activeDirectorySettings": {
- "domainName": "treyresearch.net",
- "domainNetbiosName": "treyresearch",
- "safeModePassword": "Saf3M0de@PW"
- },
- "fileUris": [
- "https://raw.githubusercontent.com/mspnp/reference-architectures/master/compliance/uk-official/three-tier-web-with-adds/extensions/adds.ps1"
- ]
- },
- "protectedSettingsConfig": {
- }
- },
- {
- "name": "IaaSAntimalware",
- "publisher": "Microsoft.Azure.Security",
- "type": "IaaSAntimalware",
- "typeHandlerVersion": "1.3",
- "autoUpgradeMinorVersion": true,
- "settingsConfigMapperUri": "https://raw.githubusercontent.com/mspnp/template-building-blocks/v1.0.0/templates/resources/Microsoft.Compute/virtualMachines/extensions/vm-extension-passthrough-settings-mapper.json",
- "settingsConfig": {
- "AntimalwareEnabled": true,
- "RealtimeProtectionEnabled": "false",
- "ScheduledScanSettings": {
- "isEnabled": "false",
- "day": "7",
- "time": "120",
- "scanType": "Quick"
- },
- "Exclusions": {
- }
- },
- "protectedSettingsConfig": { }
- }
- ]
- }
- ]
- }
- }
-}
diff --git a/compliance/uk-official/three-tier-web-with-adds/parameters/azure/loadBalancer-biz.parameters.json b/compliance/uk-official/three-tier-web-with-adds/parameters/azure/loadBalancer-biz.parameters.json
deleted file mode 100644
index 8a2887dde..000000000
--- a/compliance/uk-official/three-tier-web-with-adds/parameters/azure/loadBalancer-biz.parameters.json
+++ /dev/null
@@ -1,131 +0,0 @@
-{
- "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "virtualMachinesSettings": {
- "metadata": {
- "description": "VM Settings for biz tier"
- },
- "value": {
- "namePrefix": "operational-biz",
- "computerNamePrefix": "biz",
- "size": "Standard_DS1_v2",
- "osType": "windows",
- "adminUsername": "AdminUser",
- "adminPassword": "AweS0me@PW",
- "osAuthenticationType": "password",
- "nics": [
- {
- "isPublic": "false",
- "subnetName": "biz",
- "privateIPAllocationMethod": "Dynamic",
- "isPrimary": "true",
- "enableIPForwarding": false,
- "dnsServers": [ ]
- }
- ],
- "imageReference": {
- "publisher": "MicrosoftWindowsServer",
- "offer": "WindowsServer",
- "sku": "2012-R2-Datacenter",
- "version": "latest"
- },
- "dataDisks": {
- "count": 1,
- "properties": {
- "diskSizeGB": 128,
- "caching": "None",
- "createOption": "Empty"
- }
- },
- "osDisk": {
- "caching": "ReadWrite"
- },
- "extensions": [
- {
- "name": "IaaSAntimalware",
- "publisher": "Microsoft.Azure.Security",
- "type": "IaaSAntimalware",
- "typeHandlerVersion": "1.3",
- "autoUpgradeMinorVersion": true,
- "settingsConfigMapperUri": "https://raw.githubusercontent.com/mspnp/template-building-blocks/v1.0.0/templates/resources/Microsoft.Compute/virtualMachines/extensions/vm-extension-passthrough-settings-mapper.json",
- "settingsConfig": {
- "AntimalwareEnabled": true,
- "RealtimeProtectionEnabled": "false",
- "ScheduledScanSettings": {
- "isEnabled": "false",
- "day": "7",
- "time": "120",
- "scanType": "Quick"
- },
- "Exclusions": {
- }
- },
- "protectedSettingsConfig": {
- }
- }
- ],
- "availabilitySet": {
- "useExistingAvailabilitySet": "No",
- "name": "operational-biz-vm-as"
- }
- }
- },
- "loadBalancerSettings": {
- "value": {
- "name": "operational-biz-lb",
- "frontendIPConfigurations": [
- {
- "name": "operational-biz-lb-fe",
- "loadBalancerType": "internal",
- "internalLoadBalancerSettings": {
- "privateIPAddress": "10.0.2.254",
- "subnetName": "biz"
- }
- }
- ],
- "backendPools": [
- {
- "name": "operational-biz-lb-bep",
- "nicIndex": 0
- }
- ],
- "loadBalancingRules": [
- {
- "name": "https-rule",
- "frontendPort": 443,
- "backendPort": 443,
- "protocol": "Tcp",
- "backendPoolName": "operational-biz-lb-bep",
- "frontendIPConfigurationName": "operational-biz-lb-fe",
- "probeName": "https-probe",
- "enableFloatingIP": false
- }
- ],
- "probes": [
- {
- "name": "https-probe",
- "port": 443,
- "protocol": "Http",
- "requestPath": "/"
- }
- ],
- "inboundNatRules": [ ]
- }
- },
- "virtualNetworkSettings": {
- "value": {
- "name": "azure-operational-vnet",
- "resourceGroup": "uk-official-networking-rg"
- }
- },
- "buildingBlockSettings": {
- "value": {
- "storageAccountsCount": 2,
- "vmCount": 2,
- "vmStartIndex": 1
- }
- }
- }
-}
-
diff --git a/compliance/uk-official/three-tier-web-with-adds/parameters/azure/loadBalancer-data.parameters.json b/compliance/uk-official/three-tier-web-with-adds/parameters/azure/loadBalancer-data.parameters.json
deleted file mode 100644
index c2807c092..000000000
--- a/compliance/uk-official/three-tier-web-with-adds/parameters/azure/loadBalancer-data.parameters.json
+++ /dev/null
@@ -1,131 +0,0 @@
-{
- "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "virtualMachinesSettings": {
- "metadata": {
- "description": "VM Settings data tier"
- },
- "value": {
- "namePrefix": "operational-data",
- "computerNamePrefix": "data",
- "size": "Standard_DS1_v2",
- "osType": "windows",
- "adminUsername": "AdminUser",
- "adminPassword": "AweS0me@PW",
- "osAuthenticationType": "password",
- "nics": [
- {
- "isPublic": "false",
- "subnetName": "data",
- "privateIPAllocationMethod": "Dynamic",
- "isPrimary": "true",
- "enableIPForwarding": false,
- "dnsServers": [ ]
- }
- ],
- "imageReference": {
- "publisher": "MicrosoftWindowsServer",
- "offer": "WindowsServer",
- "sku": "2012-R2-Datacenter",
- "version": "latest"
- },
- "dataDisks": {
- "count": 1,
- "properties": {
- "diskSizeGB": 128,
- "caching": "None",
- "createOption": "Empty"
- }
- },
- "osDisk": {
- "caching": "ReadWrite"
- },
- "extensions": [
- {
- "name": "IaaSAntimalware",
- "publisher": "Microsoft.Azure.Security",
- "type": "IaaSAntimalware",
- "typeHandlerVersion": "1.3",
- "autoUpgradeMinorVersion": true,
- "settingsConfigMapperUri": "https://raw.githubusercontent.com/mspnp/template-building-blocks/v1.0.0/templates/resources/Microsoft.Compute/virtualMachines/extensions/vm-extension-passthrough-settings-mapper.json",
- "settingsConfig": {
- "AntimalwareEnabled": true,
- "RealtimeProtectionEnabled": "false",
- "ScheduledScanSettings": {
- "isEnabled": "false",
- "day": "7",
- "time": "120",
- "scanType": "Quick"
- },
- "Exclusions": {
- }
- },
- "protectedSettingsConfig": {
- }
- }
- ],
- "availabilitySet": {
- "useExistingAvailabilitySet": "No",
- "name": "operational-data-vm-as"
- }
- }
- },
- "loadBalancerSettings": {
- "value": {
- "name": "operational-data-lb",
- "frontendIPConfigurations": [
- {
- "name": "operational-data-lb-fe",
- "loadBalancerType": "internal",
-
"internalLoadBalancerSettings": { - "privateIPAddress": "10.0.3.254", - "subnetName": "data" - } - } - ], - "backendPools": [ - { - "name": "operational-data-lb-bep", - "nicIndex": 0 - } - ], - "loadBalancingRules": [ - { - "name": "https-rule", - "frontendPort": 443, - "backendPort": 443, - "protocol": "Tcp", - "backendPoolName": "operational-data-lb-bep", - "frontendIPConfigurationName": "operational-data-lb-fe", - "probeName": "https-probe", - "enableFloatingIP": false - } - ], - "probes": [ - { - "name": "https-probe", - "port": 443, - "protocol": "Http", - "requestPath": "/" - } - ], - "inboundNatRules": [ ] - } - }, - "virtualNetworkSettings": { - "value": { - "name": "azure-operational-vnet", - "resourceGroup": "uk-official-networking-rg" - } - }, - "buildingBlockSettings": { - "value": { - "storageAccountsCount": 2, - "vmCount": 2, - "vmStartIndex": 1 - } - } - } -} - diff --git a/compliance/uk-official/three-tier-web-with-adds/parameters/azure/loadBalancer-web.parameters.json b/compliance/uk-official/three-tier-web-with-adds/parameters/azure/loadBalancer-web.parameters.json deleted file mode 100644 index d0722d746..000000000 --- a/compliance/uk-official/three-tier-web-with-adds/parameters/azure/loadBalancer-web.parameters.json +++ /dev/null 
@@ -1,161 +0,0 @@
-{
- "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "virtualMachinesSettings": {
- "metadata": {
- "description": "VM Settings for web tier"
- },
- "value": {
- "namePrefix": "operational-web",
- "computerNamePrefix": "web",
- "size": "Standard_DS1_v2",
- "osType": "windows",
- "adminUsername": "AdminUser",
- "adminPassword": "AweS0me@PW",
- "osAuthenticationType": "password",
- "nics": [
- {
- "isPublic": "false",
- "subnetName": "web",
- "privateIPAllocationMethod": "Dynamic",
- "isPrimary": "true",
- "enableIPForwarding": false,
- "dnsServers": [ ]
- }
- ],
- "imageReference": {
- "publisher": "MicrosoftWindowsServer",
- "offer": "WindowsServer",
- "sku": "2012-R2-Datacenter",
- "version": "latest"
- },
- "dataDisks": {
- "count": 1,
- "properties": {
- "diskSizeGB": 128,
- "caching": "None",
- "createOption": "Empty"
- }
- },
- "osDisk": {
- "caching": "ReadWrite"
- },
- "availabilitySet": {
- "useExistingAvailabilitySet": "No",
- "name": "operational-web-vm-as"
- },
- "extensions": [
- {
- "name": "iis-config-ext",
- "settingsConfigMapperUri": "https://raw.githubusercontent.com/mspnp/template-building-blocks/v1.0.0/templates/resources/Microsoft.Compute/virtualMachines/extensions/vm-extension-passthrough-settings-mapper.json",
- "publisher": "Microsoft.Powershell",
- "type": "DSC",
- "typeHandlerVersion": "2.20",
- "autoUpgradeMinorVersion": true,
- "settingsConfig": {
- "modulesUrl": "https://raw.githubusercontent.com/mspnp/reference-architectures/master/compliance/uk-official/three-tier-web-with-adds/extensions/iisaspnet.ps1.zip",
- "configurationFunction": "iisaspnet.ps1\\iisaspnet"
- },
- "protectedSettingsConfig": { }
- },
- {
- "name": "IaaSAntimalware",
- "publisher": "Microsoft.Azure.Security",
- "type": "IaaSAntimalware",
- "typeHandlerVersion": "1.3",
- "autoUpgradeMinorVersion": true,
- "settingsConfigMapperUri": 
"https://raw.githubusercontent.com/mspnp/template-building-blocks/v1.0.0/templates/resources/Microsoft.Compute/virtualMachines/extensions/vm-extension-passthrough-settings-mapper.json", - "settingsConfig": { - "AntimalwareEnabled": true, - "RealtimeProtectionEnabled": "false", - "ScheduledScanSettings": { - "isEnabled": "false", - "day": "7", - "time": "120", - "scanType": "Quick" - }, - "Exclusions": { - } - }, - "protectedSettingsConfig": { - } - } - ] - - } - }, - "loadBalancerSettings": { - "value": { - "name": "operational-web-lb", - "frontendIPConfigurations": [ - { - "name": "operational-web-lb-fe", - "loadBalancerType": "internal", - "internalLoadBalancerSettings": { - "privateIPAddress": "10.0.1.254", - "subnetName": "web" - } - } - ], - "backendPools": [ - { - "name": "operational-web-lb-bep", - "nicIndex": 0 - } - ], - "loadBalancingRules": [ - { - "name": "http-rule", - "frontendPort": 80, - "backendPort": 80, - "protocol": "Tcp", - "backendPoolName": "operational-web-lb-bep", - "frontendIPConfigurationName": "operational-web-lb-fe", - "probeName": "http-probe", - "enableFloatingIP": false - }, - { - "name": "https-rule", - "frontendPort": 443, - "backendPort": 443, - "protocol": "Tcp", - "backendPoolName": "operational-web-lb-bep", - "frontendIPConfigurationName": "operational-web-lb-fe", - "probeName": "https-probe", - "enableFloatingIP": false - } - ], - "probes": [ - { - "name": "http-probe", - "port": 80, - "protocol": "Tcp", - "requestPath": null - }, - { - "name": "https-probe", - "port": 443, - "protocol": "Tcp", - "requestPath": null - } - ], - "inboundNatRules": [ ] - } - }, - "virtualNetworkSettings": { - "value": { - "name": "azure-operational-vnet", - "resourceGroup": "uk-official-networking-rg" - } - }, - "buildingBlockSettings": { - "value": { - "storageAccountsCount": 2, - "vmCount": 2, - "vmStartIndex": 1 - } - } - } -} - 
diff --git a/compliance/uk-official/three-tier-web-with-adds/parameters/azure/mgmt-virtualmachine.parameters.json b/compliance/uk-official/three-tier-web-with-adds/parameters/azure/mgmt-virtualmachine.parameters.json
deleted file mode 100644
index 075efc48a..000000000
--- a/compliance/uk-official/three-tier-web-with-adds/parameters/azure/mgmt-virtualmachine.parameters.json
+++ /dev/null
@@ -1,87 +0,0 @@
-{
- "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "virtualMachinesSettings": {
- "metadata": {
- "description": "VM Settings for Jumpbox"
- },
- "value": {
- "namePrefix": "azure-mgmt",
- "computerNamePrefix": "jumpbox",
- "size": "Standard_DS1_v2",
- "osType": "windows",
- "adminUsername": "AdminUser",
- "adminPassword": "AweS0me@PW",
- "osAuthenticationType": "password",
- "nics": [
- {
- "isPublic": "true",
- "subnetName": "mgmt-subnet",
- "publicIPAllocationMethod": "Dynamic",
- "privateIPAllocationMethod": "Static",
- "startingIPAddress": "10.1.0.29",
- "enableIPForwarding": false,
- "dnsServers": [ ],
- "isPrimary": "true",
- "domainNameLabelPrefix": ""
- }
- ],
- "imageReference": {
- "publisher": "MicrosoftWindowsServer",
- "offer": "WindowsServer",
- "sku": "2012-R2-Datacenter",
- "version": "latest"
- },
- "dataDisks": {
- "count": 0,
- "properties": { }
- },
- "osDisk": {
- "caching": "ReadWrite"
- },
- "extensions": [
- {
- "name": "IaaSAntimalware",
- "publisher": "Microsoft.Azure.Security",
- "type": "IaaSAntimalware",
- "typeHandlerVersion": "1.3",
- "autoUpgradeMinorVersion": true,
- "settingsConfigMapperUri": "https://raw.githubusercontent.com/mspnp/template-building-blocks/v1.0.0/templates/resources/Microsoft.Compute/virtualMachines/extensions/vm-extension-passthrough-settings-mapper.json",
- "settingsConfig": {
- "AntimalwareEnabled": true,
- "RealtimeProtectionEnabled": "false",
- "ScheduledScanSettings": {
- "isEnabled": "false",
- "day": "7",
- "time": "120",
- "scanType": "Quick"
- },
- "Exclusions": {
- }
- },
- "protectedSettingsConfig": {
- }
- }
- ],
- "availabilitySet": {
- "useExistingAvailabilitySet": "No",
- "name": ""
- }
- }
- },
- "virtualNetworkSettings": {
- "value": {
- "name": "azure-mgmt-vnet",
- "resourceGroup": "uk-official-networking-rg"
- }
- },
- "buildingBlockSettings": {
- "value": {
-
"storageAccountsCount": 1, - "vmCount": 1, - "vmStartIndex": 1 - } - } - } -} \ No newline at end of file diff --git a/compliance/uk-official/three-tier-web-with-adds/parameters/azure/mgmt-vnet-peering.parameters.json b/compliance/uk-official/three-tier-web-with-adds/parameters/azure/mgmt-vnet-peering.parameters.json deleted file mode 100644 index b6b24e7ab..000000000 --- a/compliance/uk-official/three-tier-web-with-adds/parameters/azure/mgmt-vnet-peering.parameters.json +++ /dev/null @@ -1,18 +0,0 @@ -{ - "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "remoteVirtualNetworkName": { - "metadata": { - "description": "Remote VNet name" - }, - "value": "azure-operational-vnet" - }, - "peeringName": { - "metadata": { - "description": "Peering name" - }, - "value": "azure-mgmt-vnet/peering-to-operational-vnet" - } - } -} diff --git a/compliance/uk-official/three-tier-web-with-adds/parameters/azure/mgmt-vnet.parameters.json b/compliance/uk-official/three-tier-web-with-adds/parameters/azure/mgmt-vnet.parameters.json deleted file mode 100644 index 929dc102b..000000000 --- a/compliance/uk-official/three-tier-web-with-adds/parameters/azure/mgmt-vnet.parameters.json +++ /dev/null @@ -1,28 +0,0 @@ -{ - "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "virtualNetworkSettings": { - "metadata": { - "description": "Settings for Mgmt Vnet" - }, - "value": { - "name": "azure-mgmt-vnet", - "addressPrefixes": [ - "10.1.0.0/24" - ], - "subnets": [ - { - "name": "mgmt-subnet", - "addressPrefix": "10.1.0.0/27" - } - ], - "dnsServers": [ - "10.0.4.4", - "10.0.4.5", - "168.63.129.16" - ] - } - } - } -} 
diff --git a/compliance/uk-official/three-tier-web-with-adds/parameters/azure/nsg-rules.parameters.json b/compliance/uk-official/three-tier-web-with-adds/parameters/azure/nsg-rules.parameters.json
deleted file mode 100644
index 69928b74a..000000000
--- a/compliance/uk-official/three-tier-web-with-adds/parameters/azure/nsg-rules.parameters.json
+++ /dev/null
@@ -1,41 +0,0 @@
-{
- "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "virtualNetworkSettings": {
- "metadata": {
- "description": "VNet name"
- },
- "value": {
- "name": "azure-mgmt-vnet"
- }
- },
- "networkSecurityGroupsSettings": {
- "metadata": {
- "description": "NSG Settings"
- },
- "value": [
- {
- "name": "mgmt-subnet-nsg",
- "subnets": [
- "mgmt-subnet"
- ],
- "networkInterfaces": [ ],
- "securityRules": [
- {
- "name": "RDPAllow",
- "direction": "Inbound",
- "priority": 100,
- "sourceAddressPrefix": "10.0.0.128/25",
- "destinationAddressPrefix": "*",
- "sourcePortRange": "*",
- "destinationPortRange": "3389",
- "access": "Allow",
- "protocol": "Tcp"
- }
- ]
- }
- ]
- }
- }
-}
diff --git a/compliance/uk-official/three-tier-web-with-adds/parameters/azure/operational-vnet-peering.parameters.json b/compliance/uk-official/three-tier-web-with-adds/parameters/azure/operational-vnet-peering.parameters.json
deleted file mode 100644
index 377e7fb69..000000000
--- a/compliance/uk-official/three-tier-web-with-adds/parameters/azure/operational-vnet-peering.parameters.json
+++ /dev/null
@@ -1,18 +0,0 @@
-{
- "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "remoteVirtualNetworkName": {
- "metadata": {
- "description": "Remote VNet Name"
- },
- "value": "azure-mgmt-vnet"
- },
- "peeringName": {
- "metadata": {
- "description": "Peering name"
- },
- "value": "azure-operational-vnet/peering-to-mgmt-vnet"
- }
- }
-}
diff --git a/compliance/uk-official/three-tier-web-with-adds/parameters/azure/ops-network.parameters.json b/compliance/uk-official/three-tier-web-with-adds/parameters/azure/ops-network.parameters.json
deleted file mode 100644
index 3252a4d2a..000000000
--- a/compliance/uk-official/three-tier-web-with-adds/parameters/azure/ops-network.parameters.json
+++ /dev/null
@@ -1,119 +0,0 @@
-{
- "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "vpnType": {
- "metadata": {
- "description": "VPN Type"
- },
- "value": "RouteBased"
- },
- "localGatewayName": {
- "metadata": {
- "description": "Local gateway name"
- },
- "value": "azure-hybrid-vpn-lgw"
- },
- "localGatewayIpAddress": {
- "metadata": {
- "description": "Local gateway address"
- },
- "value": "1.1.1.1"
- },
- "localAddressPrefix": {
- "metadata": {
- "description": "Local address prefix"
- },
- "value": "192.168.0.0/16"
- },
- "virtualNetworkName": {
- "metadata": {
- "description": "Vnet name"
- },
- "value": "azure-operational-vnet"
- },
- "azureVNetAddressPrefix": {
- "metadata": {
- "description": "Vnet address prefix"
- },
- "value": "10.0.0.0/16"
- },
- "gatewaySubnetPrefix": {
- "metadata": {
- "description": "Gateway subnet prefix"
- },
- "value": "10.0.255.224/29"
- },
- "gatewayPublicIPName": {
- "metadata": {
- "description": "Gate way public IP name"
- },
- "value": "vpn-gateway-pip"
- },
- "gatewayName": {
- "metadata": {
- "description": "Gateway name"
- },
- "value": "operational-vpn-vgw"
- },
- "connectionName": {
- "metadata": {
- "description": "Connection Name"
- },
- "value": "operational-vpn-cn"
- },
- "sharedKey": {
- "metadata": {
- "description": "VPN shared key"
- },
- "value": "123secret"
- },
- "applicationGatewayName": {
- "metadata": {
- "description": "Application Gateway Name"
- },
- "value": "azure-app-gateway"
- },
- "applicationGatewaySize": {
- "metadata": {
- "description": "Application gateway size"
- },
- "value": "Standard_Small"
- },
- "applicationGatewayInstanceCount": {
- "metadata": {
- "description": "Application gateway instance count"
- },
- "value": 2
- },
- "frontendPort": {
- "metadata": {
- "description": "Application gateway front end port"
- },
- "value": 80
- },
- "backendPort": {
- "metadata": {
- "description": "Application 
gateway back end port"
- },
- "value": 80
- },
- "backendIPAddresses": {
- "metadata": {
- "description": "Application gateway backend IP address"
- },
- "value": [
- {
- "IpAddress": "10.0.1.254"
- }
- ]
- },
- "cookieBasedAffinity": {
- "metadata": {
- "description": "Application gateway cookie affinity"
- },
- "value": "Disabled"
- }
- }
-}
-
diff --git a/compliance/uk-official/three-tier-web-with-adds/parameters/azure/ops-vent-nsgs.json b/compliance/uk-official/three-tier-web-with-adds/parameters/azure/ops-vent-nsgs.json
deleted file mode 100644
index 942c26834..000000000
--- a/compliance/uk-official/three-tier-web-with-adds/parameters/azure/ops-vent-nsgs.json
+++ /dev/null
@@ -1,55 +0,0 @@
-{
- "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "virtualNetworkSettings": {
- "metadata": {
- "description": "Vnet settings"
- },
- "value": {
- "name": "azure-operational-vnet"
- }
- },
- "networkSecurityGroupsSettings": {
- "metadata": {
- "description": "NSG settings"
- },
- "value": [
- {
- "name": "ops-subnet-nsg",
- "subnets": [
- "web",
- "biz",
- "data",
- "adds"
- ],
- "networkInterfaces": [ ],
- "securityRules": [
- {
- "name": "RDPAllow",
- "direction": "Inbound",
- "priority": 100,
- "sourceAddressPrefix": "10.1.0.0/27",
- "destinationAddressPrefix": "*",
- "sourcePortRange": "3389",
- "destinationPortRange": "3389",
- "access": "Allow",
- "protocol": "Tcp"
- },
- {
- "name": "OpsTrafficAllow",
- "direction": "Inbound",
- "priority": 110,
- "sourceAddressPrefix": "10.0.0.0/16",
- "destinationAddressPrefix": "*",
- "sourcePortRange": "*",
- "destinationPortRange": "*",
- "access": "Allow",
- "protocol": "*"
- }
- ]
- }
- ]
- }
- }
-}
diff --git a/compliance/uk-official/three-tier-web-with-adds/parameters/azure/virtualMachines-adds.parameters.json b/compliance/uk-official/three-tier-web-with-adds/parameters/azure/virtualMachines-adds.parameters.json
deleted file mode 100644
index 3545cefd8..000000000
--- a/compliance/uk-official/three-tier-web-with-adds/parameters/azure/virtualMachines-adds.parameters.json
+++ /dev/null
@@ -1,68 +0,0 @@
-{
- "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "virtualMachinesSettings": {
- "metadata": {
- "description": "VM Settings for ADDS"
- },
- "value": {
- "namePrefix": "operational-ad",
- "computerNamePrefix": "aad",
- "size": "Standard_DS3_v2",
- "osType": "Windows",
- "adminUsername": "AdminUser",
- "adminPassword": "AweS0me@PW",
- "osAuthenticationType": "password",
- "nics": [
- {
- "isPublic": "false",
- "subnetName": "adds",
- "privateIPAllocationMethod": "Static",
- "startingIPAddress": "10.0.4.4",
- "enableIPForwarding": false,
- "dnsServers": [
- ],
- "isPrimary": "true"
- }
- ],
- "imageReference": {
- "publisher": "MicrosoftWindowsServer",
- "offer": "WindowsServer",
- "sku": "2012-R2-Datacenter",
- "version": "latest"
- },
- "dataDisks": {
- "count": 1,
- "properties": {
- "diskSizeGB": 127,
- "caching": "None",
- "createOption": "Empty"
- }
- },
- "osDisk": {
- "caching": "ReadWrite"
- },
- "extensions": [
- ],
- "availabilitySet": {
- "useExistingAvailabilitySet": "No",
- "name": "operational-ad-as"
- }
- }
- },
- "virtualNetworkSettings": {
- "value": {
- "name": "azure-operational-vnet",
- "resourceGroup": "uk-official-networking-rg"
- }
- },
- "buildingBlockSettings": {
- "value": {
- "storageAccountsCount": 2,
- "vmCount": 2,
- "vmStartIndex": 1
- }
- }
- }
-}
diff --git a/compliance/uk-official/three-tier-web-with-adds/parameters/azure/virtualNetwork-adds-dns.parameters.json b/compliance/uk-official/three-tier-web-with-adds/parameters/azure/virtualNetwork-adds-dns.parameters.json
deleted file mode 100644
index 0f3fc94ac..000000000
--- a/compliance/uk-official/three-tier-web-with-adds/parameters/azure/virtualNetwork-adds-dns.parameters.json
+++ /dev/null
@@ -1,48 +0,0 @@
-{
- "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "virtualNetworkSettings": {
- "metadata": {
- "description": "ADDS DNS settings"
- },
- "value": {
- "name": "azure-operational-vnet",
- "addressPrefixes": [
- "10.0.0.0/16"
- ],
- "subnets": [
- {
- "name": "GatewaySubnet",
- "addressPrefix": "10.0.255.224/27"
- },
- {
- "name": "web",
- "addressPrefix": "10.0.1.0/24"
- },
- {
- "name": "biz",
- "addressPrefix": "10.0.2.0/24"
- },
- {
- "name": "data",
- "addressPrefix": "10.0.3.0/24"
- },
- {
- "name": "adds",
- "addressPrefix": "10.0.4.0/27"
- },
- {
- "name": "ApplicationGatewaySubnet",
- "addressPrefix": "10.0.254.224/29"
- }
- ],
- "dnsServers": [
- "10.0.4.4",
- "10.0.4.5",
- "168.63.129.16"
- ]
- }
- }
- }
-}
diff --git a/compliance/uk-official/three-tier-web-with-adds/parameters/azure/virtualNetworkGateway.parameters.json b/compliance/uk-official/three-tier-web-with-adds/parameters/azure/virtualNetworkGateway.parameters.json
deleted file mode 100644
index 7487bba2c..000000000
--- a/compliance/uk-official/three-tier-web-with-adds/parameters/azure/virtualNetworkGateway.parameters.json
+++ /dev/null
@@ -1,44 +0,0 @@
-{
- "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "virtualNetworkSettings": {
- "metadata": {
- "description": "Vnet settings"
- },
- "value": {
- "name": "azure-operational-vnet",
- "resourceGroup": "uk-official-networking-rg"
- }
- },
- "virtualNetworkGatewaySettings": {
- "metadata": {
- "description": "VPN Gateway settings"
- },
- "value": {
- "name": "operational-vpn-vgw",
- "gatewayType": "Vpn",
- "vpnType": "RouteBased",
- "sku": "Standard"
- }
- },
- "connectionSettings": {
- "metadata": {
- "description": "Local connection settings"
- },
- "value": {
- "name": "operational-vpn-cn",
- "connectionType": "IPSec",
- "sharedKey": "123secret",
- "virtualNetworkGateway1": {
- "name": "operational-vpn-vgw"
- },
- "localNetworkGateway": {
- "name": "azure-hybrid-vpn-lgw",
- "ipAddress": "1.1.1.1",
- "addressPrefixes": [ "192.168.0.0/16" ]
- }
- }
- }
- }
-}
\ No newline at end of file
diff --git a/compliance/uk-official/three-tier-web-with-adds/parameters/azure/vm-domain-join.parameters.json b/compliance/uk-official/three-tier-web-with-adds/parameters/azure/vm-domain-join.parameters.json
deleted file mode 100644
index ad19fa9f9..000000000
--- a/compliance/uk-official/three-tier-web-with-adds/parameters/azure/vm-domain-join.parameters.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "virtualMachinesExtensionSettings": {
- "metadata": {
- "description": "VM settings for domain joining"
- },
- "value": [
- {
- "vms": [ "operational-web-vm1", "operational-web-vm2", "operational-biz-vm1", "operational-biz-vm2", "operational-data-vm1", "operational-data-vm2", "azure-mgmt-vm1" ],
- "extensions": [
- {
- "name": "join-ad-domain",
- "publisher": "Microsoft.Compute",
- "type": "JsonADDomainExtension",
- "typeHandlerVersion": "1.3",
- "autoUpgradeMinorVersion": true,
- "settingsConfigMapperUri": "https://raw.githubusercontent.com/mspnp/template-building-blocks/v1.0.0/templates/resources/Microsoft.Compute/virtualMachines/extensions/vm-extension-passthrough-settings-mapper.json",
- "settingsConfig": {
- "Name": "treyresearch.net",
- "OUPath": "",
- "User": "treyresearch.net\\AdminUser",
- "Restart": true,
- "Options": 3
- },
- "protectedSettingsConfig": {
- "Password": "AweS0me@PW"
- }
- }
- ]
- }
- ]
- }
- }
-}
diff --git a/compliance/uk-official/three-tier-web-with-adds/parameters/azure/vm-enable-windows-auth.parameters.json b/compliance/uk-official/three-tier-web-with-adds/parameters/azure/vm-enable-windows-auth.parameters.json
deleted file mode 100644
index 6548f9ba8..000000000
--- a/compliance/uk-official/three-tier-web-with-adds/parameters/azure/vm-enable-windows-auth.parameters.json
+++ /dev/null
@@ -1,33 +0,0 @@
-{
- "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "virtualMachinesExtensionSettings": {
- "metadata": {
- "description": "VM settings for enabling windows authentication"
- },
- "value": [
- {
- "vms": [ "operational-web-vm1", "operational-web-vm2", "operational-biz-vm1", "operational-biz-vm2", "operational-data-vm1", "operational-data-vm2", "azure-mgmt-vm1" ],
- "extensions": [
- {
- "name": "enable-windows-auth",
- "publisher": "Microsoft.Compute",
- "type": "CustomScriptExtension",
- "typeHandlerVersion": "1.8",
- "autoUpgradeMinorVersion": false,
- "settingsConfigMapperUri": "https://raw.githubusercontent.com/mspnp/reference-architectures/master/compliance/uk-official/three-tier-web-with-adds/templates/onpremise/enable-windows-auth-extension-settings-mapper.json",
- "settingsConfig": {
- "fileUris": [
- "https://raw.githubusercontent.com/mspnp/reference-architectures/master/compliance/uk-official/three-tier-web-with-adds/extensions/enable-windows-auth.ps1"
- ]
- },
- "protectedSettingsConfig": {
- }
- }
- ]
- }
- ]
- }
- }
-}
diff --git a/compliance/uk-official/three-tier-web-with-adds/templates/aads.azuredeploy.json b/compliance/uk-official/three-tier-web-with-adds/templates/aads.azuredeploy.json
deleted file mode 100644
index 2ec1311f9..000000000
--- a/compliance/uk-official/three-tier-web-with-adds/templates/aads.azuredeploy.json
+++ /dev/null
@@ -1,225 +0,0 @@
-{
- "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "operationalVirtualNetworkResourceGroupName": {
- "type": "string",
- "defaultValue": "uk-official-networking-rg",
- "metadata": {
- "description": "Operational VNet Resource Group"
- }
- },
- "domainName": {
- "type": "string",
- "defaultValue": "treyresearch.net",
- "metadata": {
- "description": "AD Domain"
- }
- },
- "vmAdminUserName": {
- "type": "string",
- "defaultValue": "AdminUser",
- "metadata": {
- "description": "VM Administrator Name"
- }
- },
- "vmAdminPassword": {
- "type": "string",
- "defaultValue": "AweS0me@PW",
- "metadata": {
- "description": "VM Admin Password"
- }
- },
- "aDSafeModePassword": {
- "type": "string",
- "defaultValue": "Saf3M0de@PW",
- "metadata": {
- "description": "AD Safemode Password"
- }
- }
- },
- "variables": {
- "templateBaseUrl": "https://raw.githubusercontent.com/mspnp/template-building-blocks/v1.0.0/",
- "localRepoBaseUrl": "https://raw.githubusercontent.com/mspnp/reference-architectures/master/compliance/uk-official/three-tier-web-with-adds/",
- "operationalVirtualNetworkName": "azure-operational-vnet",
- "managementlVirtualNetworkName": "azure-mgmt-vnet",
- "buildingBlocks": {
- "virtualNetworkTemplate": "[concat(variables('templateBaseUrl'), 'templates/buildingBlocks/vnet-n-subnet/azuredeploy.json')]",
- "virtualMachineTemplate": "[concat(variables('templateBaseUrl'), 'templates/buildingBlocks/multi-vm-n-nic-m-storage/azuredeploy.json')]",
- "virtualMachineExtensionsTemplate": "[concat(variables('templateBaseUrl'), 'templates/buildingBlocks/virtualMachine-extensions/azuredeploy.json')]",
- "antiMalwareTemplate": "[concat(variables('templateBaseUrl'), '/templates/resources/Microsoft.Compute/virtualMachines/extensions/vm-extension-passthrough-settings-mapper.json')]"
- },
- "parameterFiles": {
- "azureVirtualNetworkDnsParametersFile": 
"[concat(variables('localRepoBaseUrl'), 'parameters/azure/virtualNetwork-adds-dns.parameters.json')]" - }, - "templates": { - "installAdds": "[concat(variables('localRepoBaseUrl'), 'templates/onpremise/adds-domain-controller-extension-settings-mapper.json')]", - "installAddsScript": "[concat(variables('localRepoBaseUrl'), '/extensions/adds.ps1')]" - } - }, - "resources": [ - { - "apiVersion": "2015-01-01", - "name": "operational-adds-deployment-vms", - "type": "Microsoft.Resources/deployments", - "properties": { - "mode": "incremental", - "templateLink": { - "uri": "[variables('buildingBlocks').virtualMachineTemplate]", - "contentVersion": "1.0.0.0" - }, - "parameters": { - "virtualMachinesSettings": { - "value": { - "namePrefix": "operational-ad", - "computerNamePrefix": "aad", - "size": "Standard_DS3_v2", - "osType": "Windows", - "adminUsername": "[parameters('vmAdminUserName')]", - "adminPassword": "[parameters('vmAdminPassword')]", - "osAuthenticationType": "password", - "nics": [ - { - "isPublic": "false", - "subnetName": "adds", - "privateIPAllocationMethod": "Static", - "startingIPAddress": "10.0.4.4", - "enableIPForwarding": false, - "dnsServers": [ - ], - "isPrimary": "true" - } - ], - "imageReference": { - "publisher": "MicrosoftWindowsServer", - "offer": "WindowsServer", - "sku": "2012-R2-Datacenter", - "version": "latest" - }, - "dataDisks": { - "count": 1, - "properties": { - "diskSizeGB": 127, - "caching": "None", - "createOption": "Empty" - } - }, - "osDisk": { - "caching": "ReadWrite" - }, - "extensions": [ - ], - "availabilitySet": { - "useExistingAvailabilitySet": "No", - "name": "operational-ad-as" - } - } - }, - "virtualNetworkSettings": { - "value": { - "name": "[variables('operationalVirtualNetworkName')]", - "resourceGroup": "[parameters('operationalVirtualNetworkResourceGroupName')]" - } - }, - "buildingBlockSettings": { - "value": { - "storageAccountsCount": 2, - "vmCount": 2, - "vmStartIndex": 1 - } - } - } - } - }, - { - "apiVersion": 
"2015-01-01", - "name": "operational-azure-adds-dc-deployment", - "type": "Microsoft.Resources/deployments", - "dependsOn": [ - "[concat('Microsoft.Resources/deployments/', 'operational-adds-deployment-vms')]" - ], - "properties": { - "mode": "incremental", - "templateLink": { - "uri": "[variables('buildingBlocks').virtualMachineExtensionsTemplate]", - "contentVersion": "1.0.0.0" - }, - "parameters": { - "virtualMachinesExtensionSettings": { - "value": [ - { - "vms": [ "operational-ad-vm1", "operational-ad-vm2" ], - "extensions": [ - { - "name": "install-adds", - "publisher": "Microsoft.Compute", - "type": "CustomScriptExtension", - "typeHandlerVersion": "1.8", - "autoUpgradeMinorVersion": false, - "settingsConfigMapperUri": "[variables('templates').installAdds]", - "settingsConfig": { - "activeDirectorySettings": { - "domainName": "[parameters('domainName')]", - "adminUser": "[parameters('vmAdminUserName')]", - "adminPassword": "[parameters('vmAdminPassword')]", - "siteName": "Default-First-Site-Name", - "safeModePassword": "[parameters('aDSafeModePassword')]" - }, - "fileUris": [ - "[variables('templates').installAddsScript]" - ] - }, - "protectedSettingsConfig": { - } - }, - { - "name": "IaaSAntimalware", - "publisher": "Microsoft.Azure.Security", - "type": "IaaSAntimalware", - "typeHandlerVersion": "1.3", - "autoUpgradeMinorVersion": true, - "settingsConfigMapperUri": "[variables('buildingBlocks').antiMalwareTemplate]", - "settingsConfig": { - "AntimalwareEnabled": true, - "RealtimeProtectionEnabled": "false", - "ScheduledScanSettings": { - "isEnabled": "false", - "day": "7", - "time": "120", - "scanType": "Quick" - }, - "Exclusions": { - } - }, - "protectedSettingsConfig": { } - } - ] - } - ] - } - } - } - }, - { - "apiVersion": "2015-01-01", - "name": "operational-adds-deployment-dns", - "type": "Microsoft.Resources/deployments", - "dependsOn": [ - "[concat('Microsoft.Resources/deployments/', 'operational-adds-deployment-vms')]", - 
"[concat('Microsoft.Resources/deployments/', 'operational-azure-adds-dc-deployment')]" - ], - "properties": { - "mode": "incremental", - "templateLink": { - "uri": "[variables('buildingBlocks').virtualNetworkTemplate]", - "contentVersion": "1.0.0.0" - }, - "parametersLink": { - "uri": "[variables('parameterFiles').azureVirtualNetworkDnsParametersFile]", - "contentVersion": "1.0.0.0" - } - } - } - ] -} - diff --git a/compliance/uk-official/three-tier-web-with-adds/templates/azure/ops-network-infrastructure/azuredeploy.json b/compliance/uk-official/three-tier-web-with-adds/templates/azure/ops-network-infrastructure/azuredeploy.json deleted file mode 100644 index 180e3c169..000000000 --- a/compliance/uk-official/three-tier-web-with-adds/templates/azure/ops-network-infrastructure/azuredeploy.json +++ /dev/null 
@@ -1,423 +0,0 @@ -{ - "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json", - "contentVersion": "1.0.0.0", - "parameters": { - "vpnType": { - "type": "string", - "metadata": { - "description": "Route based or policy based" - }, - "defaultValue": "RouteBased", - "allowedValues": [ - "RouteBased", - "PolicyBased" - ] - }, - "localGatewayName": { - "type": "string", - "defaultValue": "localGateway", - "metadata": { - "description": "Arbitrary name for gateway resource representing " - } - }, - "localGatewayIpAddress": { - "type": "string", - "defaultValue": "1.1.1.1", - "metadata": { - "description": "Public IP of your StrongSwan Instance" - } - }, - "localAddressPrefix": { - "type": "string", - "defaultValue": "192.168.0.0/16", - "metadata": { - "description": "CIDR block representing the address space of the OnPremise VPN network's Subnet" - } - }, - "virtualNetworkName": { - "type": "string", - "defaultValue": "azureVnet", - "metadata": { - "description": "Arbitrary name for the Azure Virtual Network" - } - }, - "azureVNetAddressPrefix": { - "type": "string", - "defaultValue": "10.3.0.0/16", - "metadata": { - "description": "CIDR block representing the address space of the Azure VNet" - } - }, - "gatewaySubnetPrefix": { - "type": "string", - "defaultValue": "10.3.200.0/29", - "metadata": { - "description": "CIDR block for gateway subnet, subset of azureVNetAddressPrefix address space" - } - }, - "gatewayPublicIPName": { - "type": "string", - "defaultValue": "azureGatewayIP", - "metadata": { - "description": "Arbitrary name for public IP resource used for the new azure gateway" - } - }, - "gatewayName": { - "type": "string", - "defaultValue": "azureGateway", - "metadata": { - "description": "Arbitrary name for the new gateway" - } - }, - "gatewaySku": { - "type": "string", - "defaultValue": "Basic", - "allowedValues": [ - "Basic", - "Standard", - "HighPerformance" - ], - "metadata": { - "description": "The Sku of the Gateway. 
This must be one of Basic, Standard or HighPerformance." - } - }, - "connectionName": { - "type": "string", - "defaultValue": "Azure2Other", - "metadata": { - "description": "Arbitrary name for the new connection between Azure VNet and other network" - } - }, - "sharedKey": { - "type": "securestring", - "metadata": { - "description": "Shared key (PSK) for IPSec tunnel" - } - }, - "applicationGatewayName": { - "type": "string", - "defaultValue": "applicationGateway1", - "metadata": { - "description": "application gateway name" - } - }, - "applicationGatewaySize": { - "type": "string", - "allowedValues": [ - "Standard_Small", - "Standard_Medium", - "Standard_Large" - ], - "defaultValue": "Standard_Small", - "metadata": { - "description": "application gateway size" - } - }, - "applicationGatewayInstanceCount": { - "type": "int", - "allowedValues": [ - 1, - 2, - 3, - 4, - 5, - 6, - 7, - 8, - 9, - 10 - ], - "defaultValue": 2, - "metadata": { - "description": "application gateway instance count" - } - }, - "frontendPort": { - "type": "int", - "defaultValue": 80, - "metadata": { - "description": "application gateway front end port" - } - }, - "backendPort": { - "type": "int", - "defaultValue": 80, - "metadata": { - "description": "application gateway back end port" - } - }, - "backendIPAddresses": { - "type": "array", - "defaultValue": [ - { - "IpAddress": "10.0.0.4" - }, - { - "IpAddress": "10.0.0.5" - } - ], - "metadata": { - "description": "back end pool ip addresses" - } - }, - "cookieBasedAffinity": { - "type": "string", - "allowedValues": [ - "Enabled", - "Disabled" - ], - "defaultValue": "Disabled", - "metadata": { - "description": "cookie based affinity" - } - } - }, - "variables": { - "aagPublicIPAddressName": "application-gateway-pip", - "aagPublicIPRef": "[resourceId('Microsoft.Network/publicIPAddresses', variables('aagPublicIPAddressName'))]", - "vnetID": "[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]", - 
"gatewaySubnetRef": "[concat(variables('vnetID'),'/subnets/','GatewaySubnet')]", - "aagSubnetRef": "[concat(variables('vnetID'),'/subnets/','ApplicationGatewaySubnet')]", - "applicationGatewayID": "[resourceId('Microsoft.Network/applicationGateways',parameters('applicationGatewayName'))]", - "api-version": "2015-06-15" - }, - "resources": [ - { - "apiVersion": "[variables('api-version')]", - "type": "Microsoft.Network/localNetworkGateways", - "name": "[parameters('localGatewayName')]", - "location": "[resourceGroup().location]", - "properties": { - "localNetworkAddressSpace": { - "addressPrefixes": [ - "[parameters('localAddressPrefix')]" - ] - }, - "gatewayIpAddress": "[parameters('localGatewayIpAddress')]" - } - }, - { - "apiVersion": "[variables('api-version')]", - "name": "[parameters('connectionName')]", - "type": "Microsoft.Network/connections", - "location": "[resourceGroup().location]", - "dependsOn": [ - "[concat('Microsoft.Network/virtualNetworkGateways/', parameters('gatewayName'))]", - "[concat('Microsoft.Network/localNetworkGateways/', parameters('localGatewayName'))]" - ], - "properties": { - "virtualNetworkGateway1": { - "id": "[resourceId('Microsoft.Network/virtualNetworkGateways', parameters('gatewayName'))]" - }, - "localNetworkGateway2": { - "id": "[resourceId('Microsoft.Network/localNetworkGateways', parameters('localGatewayName'))]" - }, - "connectionType": "IPsec", - "routingWeight": 10, - "sharedKey": "[parameters('sharedKey')]" - } - }, - { - "apiVersion": "[variables('api-version')]", - "type": "Microsoft.Network/virtualNetworks", - "name": "[parameters('virtualNetworkName')]", - "location": "[resourceGroup().location]", - "properties": { - "addressSpace": { - "addressPrefixes": [ - "[parameters('azureVNetAddressPrefix')]" - ] - }, - "subnets": [ - { - "name": "GatewaySubnet", - "properties": { - "addressPrefix": "10.0.255.224/27" - } - }, - { - "name": "web", - "properties": { - "addressPrefix": "10.0.1.0/24" - } - }, - { - "name": "biz", 
- "properties": { - "addressPrefix": "10.0.2.0/24" - } - }, - { - "name": "data", - "properties": { - "addressPrefix": "10.0.3.0/24" - } - }, - { - "name": "adds", - "properties": { - "addressPrefix": "10.0.4.0/27" - } - }, - { - "name": "ApplicationGatewaySubnet", - "properties": { - "addressPrefix": "10.0.254.224/29" - } - } - ], - "dnsServers": [ - "10.0.4.4", - "10.0.4.5", - "168.63.129.16" - ] - } - }, - { - "apiVersion": "[variables('api-version')]", - "type": "Microsoft.Network/publicIPAddresses", - "name": "[parameters('gatewayPublicIPName')]", - "location": "[resourceGroup().location]", - "properties": { - "publicIPAllocationMethod": "Dynamic" - } - }, - { - "apiVersion": "[variables('api-version')]", - "type": "Microsoft.Network/virtualNetworkGateways", - "name": "[parameters('gatewayName')]", - "location": "[resourceGroup().location]", - "dependsOn": [ - "[concat('Microsoft.Network/publicIPAddresses/', parameters('gatewayPublicIPName'))]", - "[concat('Microsoft.Network/virtualNetworks/', parameters('virtualNetworkName'))]" - ], - "properties": { - "ipConfigurations": [ - { - "properties": { - "privateIPAllocationMethod": "Dynamic", - "subnet": { - "id": "[variables('gatewaySubnetRef')]" - }, - "publicIPAddress": { - "id": "[resourceId('Microsoft.Network/publicIPAddresses',parameters('gatewayPublicIPName'))]" - } - }, - "name": "vnetGatewayConfig" - } - ], - "sku": { - "name": "[parameters('gatewaySku')]", - "tier": "[parameters('gatewaySku')]" - }, - "gatewayType": "Vpn", - "vpnType": "[parameters('vpnType')]", - "enableBgp": "false" - } - }, - { - "apiVersion": "[variables('api-version')]", - "type": "Microsoft.Network/publicIPAddresses", - "name": "[variables('aagPublicIPAddressName')]", - "location": "[resourceGroup().location]", - "properties": { - "publicIPAllocationMethod": "Dynamic" - } - }, - { - "apiVersion": "[variables('api-version')]", - "name": "[parameters('applicationGatewayName')]", - "type": "Microsoft.Network/applicationGateways", - 
"location": "[resourceGroup().location]", - "dependsOn": [ - "[concat('Microsoft.Network/virtualNetworks/', parameters('virtualNetworkName'))]", - "[concat('Microsoft.Network/publicIPAddresses/', variables('aagPublicIPAddressName'))]" - ], - "properties": { - "sku": { - "name": "[parameters('applicationGatewaySize')]", - "tier": "Standard", - "capacity": "[parameters('applicationGatewayInstanceCount')]" - }, - "gatewayIPConfigurations": [ - { - "name": "appGatewayIpConfig", - "properties": { - "subnet": { - "id": "[variables('aagSubnetRef')]" - } - } - } - ], - "frontendIPConfigurations": [ - { - "name": "appGatewayFrontendIP", - "properties": { - "PublicIPAddress": { - "id": "[variables('aagPublicIPRef')]" - } - } - } - ], - "frontendPorts": [ - { - "name": "appGatewayFrontendPort", - "properties": { - "Port": "[parameters('frontendPort')]" - } - } - ], - "backendAddressPools": [ - { - "name": "appGatewayBackendPool", - "properties": { - "BackendAddresses": "[parameters('backendIPAddresses')]" - } - } - ], - "backendHttpSettingsCollection": [ - { - "name": "appGatewayBackendHttpSettings", - "properties": { - "Port": "[parameters('backendPort')]", - "Protocol": "Http", - "CookieBasedAffinity": "[parameters('cookieBasedAffinity')]" - } - } - ], - "httpListeners": [ - { - "name": "appGatewayHttpListener", - "properties": { - "FrontendIPConfiguration": { - "Id": "[concat(variables('applicationGatewayID'), '/frontendIPConfigurations/appGatewayFrontendIP')]" - }, - "FrontendPort": { - "Id": "[concat(variables('applicationGatewayID'), '/frontendPorts/appGatewayFrontendPort')]" - }, - "Protocol": "Http", - "SslCertificate": null - } - } - ], - "requestRoutingRules": [ - { - "Name": "rule1", - "properties": { - "RuleType": "Basic", - "httpListener": { - "id": "[concat(variables('applicationGatewayID'), '/httpListeners/appGatewayHttpListener')]" - }, - "backendAddressPool": { - "id": "[concat(variables('applicationGatewayID'), '/backendAddressPools/appGatewayBackendPool')]" 
- },
- "backendHttpSettings": {
- "id": "[concat(variables('applicationGatewayID'), '/backendHttpSettingsCollection/appGatewayBackendHttpSettings')]"
- }
- }
- }
- ]
- }
- }
- ]
-}
\ No newline at end of file
diff --git a/compliance/uk-official/three-tier-web-with-adds/templates/azure/vnetpeering/azuredeploy.json b/compliance/uk-official/three-tier-web-with-adds/templates/azure/vnetpeering/azuredeploy.json
deleted file mode 100644
index 3be1252a9..000000000
--- a/compliance/uk-official/three-tier-web-with-adds/templates/azure/vnetpeering/azuredeploy.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "remoteVirtualNetworkName": {
- "metadata": {
- "description": "Remote Vnet name"
- },
- "type": "string"
- },
- "peeringName": {
- "metadata": {
- "description": "Peering name"
- },
- "type": "string"
- }
- },
- "resources": [
- {
- "apiVersion": "2016-06-01",
- "type": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings",
- "name": "[parameters('peeringName')]",
- "location": "[resourceGroup().location]",
- "properties": {
- "allowVirtualNetworkAccess": true,
- "allowForwardedTraffic": false,
- "allowGatewayTransit": false,
- "useRemoteGateways": false,
- "remoteVirtualNetwork": {
- "id": "[resourceId('Microsoft.Network/virtualNetworks', parameters('remoteVirtualNetworkName'))]"
- }
- }
- }
- ]
-}
-
diff --git a/compliance/uk-official/three-tier-web-with-adds/templates/onpremise/ad-forest-extension-settings-mapper.json b/compliance/uk-official/three-tier-web-with-adds/templates/onpremise/ad-forest-extension-settings-mapper.json
deleted file mode 100644
index 3e96a38dd..000000000
--- a/compliance/uk-official/three-tier-web-with-adds/templates/onpremise/ad-forest-extension-settings-mapper.json
+++ /dev/null
@@ -1,28 +0,0 @@
-{
- "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "deploymentContext": { "type": "object" },
- "source": { "type": "object" },
- "context": { "type": "object" }
- },
- "variables": {
- "instance": {
- "settings": {
- "fileUris": "[parameters('source').settingsConfig.fileUris]",
- "commandToExecute": "[concat('powershell -ExecutionPolicy Unrestricted -Command \"& {.\\adds-forest.ps1 -DomainName \\\"', parameters('source').settingsConfig.activeDirectorySettings.domainName, '\\\" -DomainNetbiosName \\\"', parameters('source').settingsConfig.activeDirectorySettings.domainNetbiosName, '\\\" -SafeModePassword \\\"', parameters('source').settingsConfig.activeDirectorySettings.safeModePassword, '\\\" }\"')]"
- },
- "protectedSettings": { }
- }
-
- },
- "resources": [
-
- ],
- "outputs": {
- "settings": {
- "type": "object",
- "value": "[variables('instance')]"
- }
- }
-}
diff --git a/compliance/uk-official/three-tier-web-with-adds/templates/onpremise/ad-replication-site-extension-settings-mapper.json b/compliance/uk-official/three-tier-web-with-adds/templates/onpremise/ad-replication-site-extension-settings-mapper.json
deleted file mode 100644
index 26df7daa0..000000000
--- a/compliance/uk-official/three-tier-web-with-adds/templates/onpremise/ad-replication-site-extension-settings-mapper.json
+++ /dev/null
@@ -1,28 +0,0 @@
-{
- "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "deploymentContext": { "type": "object" },
- "source": { "type": "object" },
- "context": { "type": "object" }
- },
- "variables": {
- "instance": {
- "settings": {
- "fileUris": "[parameters('source').settingsConfig.fileUris]",
- "commandToExecute": "[concat('powershell -ExecutionPolicy Unrestricted -Command \"& {.\\adds-replication-site.ps1 -DomainName \\\"', parameters('source').settingsConfig.activeDirectorySettings.domainName, '\\\" -AdminUser \\\"', parameters('source').settingsConfig.activeDirectorySettings.adminUser, '\\\" -AdminPassword \\\"', parameters('source').settingsConfig.activeDirectorySettings.adminPassword, '\\\" -SiteName \\\"', parameters('source').settingsConfig.activeDirectorySettings.azureSiteName, '\\\" -OnpremSiteName \\\"', parameters('source').settingsConfig.activeDirectorySettings.onPremiseSiteName, '\\\" -Cidr \\\"', parameters('source').settingsConfig.activeDirectorySettings.azureAddressSpace, '\\\" -ReplicationFrequency ', string(parameters('source').settingsConfig.activeDirectorySettings.replicationFrequency), '}\"')]"
- },
- "protectedSettings": { }
- }
-
- },
- "resources": [
-
- ],
- "outputs": {
- "settings": {
- "type": "object",
- "value": "[variables('instance')]"
- }
- }
-}
diff --git a/compliance/uk-official/three-tier-web-with-adds/templates/onpremise/adds-domain-controller-extension-settings-mapper.json b/compliance/uk-official/three-tier-web-with-adds/templates/onpremise/adds-domain-controller-extension-settings-mapper.json
deleted file mode 100644
index 5d27058be..000000000
--- a/compliance/uk-official/three-tier-web-with-adds/templates/onpremise/adds-domain-controller-extension-settings-mapper.json
+++ /dev/null
@@ -1,28 +0,0 @@
-{
- "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "deploymentContext": { "type": "object" },
- "source": { "type": "object" },
- "context": { "type": "object" }
- },
- "variables": {
- "instance": {
- "settings": {
- "fileUris": "[parameters('source').settingsConfig.fileUris]",
- "commandToExecute": "[concat('powershell -ExecutionPolicy Unrestricted -Command \"& {.\\adds.ps1 -SafeModePassword \\\"', parameters('source').settingsConfig.activeDirectorySettings.safeModePassword, '\\\" -DomainName \\\"', parameters('source').settingsConfig.activeDirectorySettings.domainName, '\\\" -AdminUser \\\"', parameters('source').settingsConfig.activeDirectorySettings.adminUser, '\\\" -AdminPassword \\\"', parameters('source').settingsConfig.activeDirectorySettings.adminPassword, '\\\" -SiteName \\\"', parameters('source').settingsConfig.activeDirectorySettings.siteName, '\\\"}\"')]"
- },
- "protectedSettings": { }
- }
-
- },
- "resources": [
-
- ],
- "outputs": {
- "settings": {
- "type": "object",
- "value": "[variables('instance')]"
- }
- }
-}
diff --git a/compliance/uk-official/three-tier-web-with-adds/templates/onpremise/connection.json b/compliance/uk-official/three-tier-web-with-adds/templates/onpremise/connection.json
deleted file mode 100644
index cd91ab75c..000000000
--- a/compliance/uk-official/three-tier-web-with-adds/templates/onpremise/connection.json
+++ /dev/null
@@ -1,49 +0,0 @@
-{
- "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "deploymentContext": {
- "type": "object",
- "defaultValue": {
- "parentTemplateUniqueString": "bbConn"
- }
- },
- "connectionSettings": {
- "type": "object"
- }
- },
- "variables": {
- "templateUniqueString": "[uniqueString(concat(string(parameters('deploymentContext')), string(parameters('connectionSettings'))))]",
- "connectionTemplate": "https://raw.githubusercontent.com/mspnp/template-building-blocks/v1.0.0/templates/resources/Microsoft.Network/connections/connection.json",
- "connectionDeploymentName": "[concat(parameters('deploymentContext').parentTemplateUniqueString, '-deployConn-', variables('templateUniqueString'))]"
- },
- "resources": [
- {
- "type": "Microsoft.Resources/deployments",
- "apiVersion": "2015-01-01",
- "name": "[variables('connectionDeploymentName')]",
- "properties": {
- "mode": "Incremental",
- "templateLink": {
- "uri": "[variables('connectionTemplate')]"
- },
- "parameters": {
- "deploymentContext": {
- "value": {
- "parentTemplateUniqueString": "[concat(variables('templateUniqueString'), '-deployConn')]"
- }
- },
- "connectionSettings": {
- "value": "[parameters('connectionSettings')]"
- }
- }
- }
- }
- ],
- "outputs": {
- "resources": {
- "type": "array",
- "value": "[reference(variables('connectionDeploymentName')).outputResources]"
- }
- }
-}
diff --git a/compliance/uk-official/three-tier-web-with-adds/templates/onpremise/enable-windows-auth-extension-settings-mapper.json b/compliance/uk-official/three-tier-web-with-adds/templates/onpremise/enable-windows-auth-extension-settings-mapper.json
deleted file mode 100644
index bb53af6d0..000000000
--- a/compliance/uk-official/three-tier-web-with-adds/templates/onpremise/enable-windows-auth-extension-settings-mapper.json
+++ /dev/null
@@ -1,28 +0,0 @@
-{
- "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "deploymentContext": { "type": "object" },
- "source": { "type": "object" },
- "context": { "type": "object" }
- },
- "variables": {
- "instance": {
- "settings": {
- "fileUris": "[parameters('source').settingsConfig.fileUris]",
- "commandToExecute": "[concat('powershell -ExecutionPolicy Unrestricted -Command \"& {.\\enable-windows-auth.ps1}\"')]"
- },
- "protectedSettings": { }
- }
-
- },
- "resources": [
-
- ],
- "outputs": {
- "settings": {
- "type": "object",
- "value": "[variables('instance')]"
- }
- }
-}
diff --git a/compliance/uk-official/three-tier-web-with-adds/templates/onpremise/virtualNetworkGateway.json b/compliance/uk-official/three-tier-web-with-adds/templates/onpremise/virtualNetworkGateway.json
deleted file mode 100644
index bd6e6660a..000000000
--- a/compliance/uk-official/three-tier-web-with-adds/templates/onpremise/virtualNetworkGateway.json
+++ /dev/null
@@ -1,55 +0,0 @@
-{
- "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "deploymentContext": {
- "type": "object",
- "defaultValue": {
- "parentTemplateUniqueString": "bbVNG"
- }
- },
- "virtualNetworkSettings": {
- "type": "object"
- },
- "virtualNetworkGatewaySettings": {
- "type": "object"
- }
- },
- "variables": {
- "templateUniqueString": "[uniqueString(concat(string(parameters('deploymentContext')), string(parameters('virtualNetworkSettings')), string(parameters('virtualNetworkGatewaySettings'))))]",
- "virtualNetworkGatewayTemplate": "https://raw.githubusercontent.com/mspnp/template-building-blocks/v1.0.0/templates/resources/Microsoft.Network/virtualNetworkGateways/virtualNetworkGateway.json",
- "virtualNetworkGatewayDeploymentName": "[concat(parameters('deploymentContext').parentTemplateUniqueString, '-deployGW-', variables('templateUniqueString'))]"
- },
- "resources": [
- {
- "type": "Microsoft.Resources/deployments",
- "apiVersion": "2015-01-01",
- "name": "[variables('virtualNetworkGatewayDeploymentName')]",
- "properties": {
- "mode": "Incremental",
- "templateLink": {
- "uri": "[variables('virtualNetworkGatewayTemplate')]"
- },
- "parameters": {
- "deploymentContext": {
- "value": {
- "parentTemplateUniqueString": "[concat(variables('templateUniqueString'), '-deployGW')]"
- }
- },
- "virtualNetworkSettings": {
- "value": "[parameters('virtualNetworkSettings')]"
- },
- "virtualNetworkGatewaySettings": {
- "value": "[parameters('virtualNetworkGatewaySettings')]"
- }
- }
- }
- }
- ],
- "outputs": {
- "resources": {
- "type": "array",
- "value": "[reference(variables('virtualNetworkGatewayDeploymentName')).outputResources]"
- }
- }
-}
diff --git a/compliance/uk-official/three-tier-web-with-adds/templates/virtualnetwork.azuredeploy.json b/compliance/uk-official/three-tier-web-with-adds/templates/virtualnetwork.azuredeploy.json
deleted file mode 100644
index db4790e55..000000000
--- a/compliance/uk-official/three-tier-web-with-adds/templates/virtualnetwork.azuredeploy.json
+++ /dev/null
@@ -1,133 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - }, - "variables": { - "templateBaseUrl": "https://raw.githubusercontent.com/mspnp/template-building-blocks/v1.0.0/", - "localRepoBaseUrl": "https://raw.githubusercontent.com/mspnp/reference-architectures/master/compliance/uk-official/three-tier-web-with-adds/", - "buildingBlocks": { - "virtualNetworkTemplate": "[concat(variables('templateBaseUrl'), 'templates/buildingBlocks/vnet-n-subnet/azuredeploy.json')]", - "virtualNetworkGatewayTemplate": "[concat(variables('templateBaseUrl'), 'templates/buildingBlocks/vpn-gateway-vpn-connection/azuredeploy.json')]", - "nsgTemplate": "[concat(variables('templateBaseUrl'), 'templates/buildingBlocks/networkSecurityGroups/azuredeploy.json')]" - }, - "vnetPeeringTemplate": "[concat(variables('localRepoBaseUrl'), 'templates/azure/vnetpeering/azuredeploy.json')]", - "opsNetworkInfrastructureTemplate": "[concat(variables('localRepoBaseUrl'), 'templates/azure/ops-network-infrastructure/azuredeploy.json')]", - "applicationGatewayTemplate": "https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/101-application-gateway-create/azuredeploy.json", - "parameterFiles": { - "opsNetworkInfrastructureParametersFile": "[concat(variables('localRepoBaseUrl'), 'parameters/azure/ops-network.parameters.json')]", - "azureMgmtVirtualNetworkParametersFile": "[concat(variables('localRepoBaseUrl'), 'parameters/azure/mgmt-vnet.parameters.json')]", - "nsgParametersFile": "[concat(variables('localRepoBaseUrl'), 'parameters/azure/nsg-rules.parameters.json')]", - "opsNsgParametersFile": "[concat(variables('localRepoBaseUrl'), 'parameters/azure/ops-vent-nsgs.json')]", - "operationalVnetPeeringParametersFile": "[concat(variables('localRepoBaseUrl'), 'parameters/azure/operational-vnet-peering.parameters.json')]", - "mgmtVnetPeeringParametersFile": 
"[concat(variables('localRepoBaseUrl'), 'parameters/azure/mgmt-vnet-peering.parameters.json')]" - } - }, - "resources": [ - { - "apiVersion": "2015-01-01", - "name": "azure-ops-network-deployment", - "type": "Microsoft.Resources/deployments", - "properties": { - "mode": "incremental", - "templateLink": { - "uri": "[variables('opsNetworkInfrastructureTemplate')]", - "contentVersion": "1.0.0.0" - }, - "parametersLink": { - "uri": "[variables('parameterFiles').opsNetworkInfrastructureParametersFile]", - "contentVersion": "1.0.0.0" - } - } - }, - { - "apiVersion": "2015-01-01", - "name": "azure-mgmt-vnet-deployment", - "type": "Microsoft.Resources/deployments", - "properties": { - "mode": "incremental", - "templateLink": { - "uri": "[variables('buildingBlocks').virtualNetworkTemplate]", - "contentVersion": "1.0.0.0" - }, - "parametersLink": { - "uri": "[variables('parameterFiles').azureMgmtVirtualNetworkParametersFile]", - "contentVersion": "1.0.0.0" - } - } - }, - { - "apiVersion": "2015-01-01", - "name": "operational-vnet-peering-deployment", - "type": "Microsoft.Resources/deployments", - "dependsOn": [ - "[concat('Microsoft.Resources/deployments/', 'azure-ops-network-deployment')]", - "[concat('Microsoft.Resources/deployments/', 'azure-mgmt-vnet-deployment')]" - ], - "properties": { - "mode": "incremental", - "templateLink": { - "uri": "[variables('vnetPeeringTemplate')]", - "contentVersion": "1.0.0.0" - }, - "parametersLink": { - "uri": "[variables('parameterFiles').operationalVnetPeeringParametersFile]", - "contentVersion": "1.0.0.0" - } - } - }, - { - "apiVersion": "2015-01-01", - "name": "mgmt-vnet-peering-deployment", - "type": "Microsoft.Resources/deployments", - "dependsOn": [ - "[concat('Microsoft.Resources/deployments/', 'azure-ops-network-deployment')]", - "[concat('Microsoft.Resources/deployments/', 'azure-mgmt-vnet-deployment')]" - ], - "properties": { - "mode": "incremental", - "templateLink": { - "uri": "[variables('vnetPeeringTemplate')]", - 
"contentVersion": "1.0.0.0" - }, - "parametersLink": { - "uri": "[variables('parameterFiles').mgmtVnetPeeringParametersFile]", - "contentVersion": "1.0.0.0" - } - } - }, - { - "apiVersion": "2015-01-01", - "name": "nsg-deployment", - "type": "Microsoft.Resources/deployments", - "properties": { - "mode": "incremental", - "templateLink": { - "uri": "[variables('buildingBlocks').nsgTemplate]", - "contentVersion": "1.0.0.0" - }, - "parametersLink": { - "uri": "[variables('parameterFiles').nsgParametersFile]", - "contentVersion": "1.0.0.0" - } - } - }, - { - "apiVersion": "2015-01-01", - "name": "ops-nsg-deployment", - "type": "Microsoft.Resources/deployments", - "properties": { - "mode": "incremental", - "templateLink": { - "uri": "[variables('buildingBlocks').nsgTemplate]", - "contentVersion": "1.0.0.0" - }, - "parametersLink": { - "uri": "[variables('parameterFiles').opsNsgParametersFile]", - "contentVersion": "1.0.0.0" - } - } - } - ] -} - diff --git a/compliance/uk-official/three-tier-web-with-adds/templates/workloads.azuredeploy.json b/compliance/uk-official/three-tier-web-with-adds/templates/workloads.azuredeploy.json deleted file mode 100644 index e92ffb5f2..000000000 --- a/compliance/uk-official/three-tier-web-with-adds/templates/workloads.azuredeploy.json +++ /dev/null 
@@ -1,573 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "operationalVirtualNetworkResourceGroupName": { - "type": "string", - "defaultValue": "uk-official-networking-rg", - "metadata": { - "description": "Networking Resource Group" - } - }, - "vmAdminUserName": { - "type": "string", - "defaultValue": "AdminUser", - "metadata": { - "description": "VM Administrator Name" - } - }, - "vmAdminPassword": { - "type": "string", - "defaultValue": "AweS0me@PW", - "metadata": { - "description": "VM Admin Password" - } - } - }, - "variables": { - "templateBaseUrl": "https://raw.githubusercontent.com/mspnp/template-building-blocks/v1.0.0/", - "localRepoBaseUrl": "https://raw.githubusercontent.com/mspnp/reference-architectures/master/compliance/uk-official/three-tier-web-with-adds/", - "operationalVirtualNetworkName": "azure-operational-vnet", - "managementlVirtualNetworkName": "azure-mgmt-vnet", - "buildingBlocks": { - "loadBalancerTemplate": "[concat(variables('templateBaseUrl'), 'templates/buildingBlocks/loadBalancer-backend-n-vm/azuredeploy.json')]", - "vmTemplate": "[concat(variables('templateBaseUrl'), 'templates/buildingBlocks/multi-vm-n-nic-m-storage/azuredeploy.json')]" - }, - "templates": { - "installiis": "[concat(variables('localRepoBaseUrl'), 'extensions/iisaspnet.ps1.zip')]" - - } - }, - "resources": [ - { - "apiVersion": "2015-01-01", - "name": "azure-mgmt-jumpbox-deployment", - "type": "Microsoft.Resources/deployments", - "properties": { - "mode": "incremental", - "templateLink": { - "uri": "[variables('buildingBlocks').vmTemplate]", - "contentVersion": "1.0.0.0" - }, - "parameters": { - "virtualMachinesSettings": { - "value": { - "namePrefix": "azure-mgmt", - "computerNamePrefix": "jumpbox", - "size": "Standard_DS1_v2", - "osType": "windows", - "adminUsername": "[parameters('vmAdminUserName')]", - "adminPassword": "[parameters('vmAdminPassword')]", - 
"osAuthenticationType": "password", - "nics": [ - { - "isPublic": "true", - "subnetName": "mgmt-subnet", - "publicIPAllocationMethod": "Dynamic", - "privateIPAllocationMethod": "Static", - "startingIPAddress": "10.1.0.29", - "enableIPForwarding": false, - "dnsServers": [ ], - "isPrimary": "true", - "domainNameLabelPrefix": "" - } - ], - "imageReference": { - "publisher": "MicrosoftWindowsServer", - "offer": "WindowsServer", - "sku": "2012-R2-Datacenter", - "version": "latest" - }, - "dataDisks": { - "count": 0, - "properties": { } - }, - "osDisk": { - "caching": "ReadWrite" - }, - "extensions": [ - { - "name": "IaaSAntimalware", - "publisher": "Microsoft.Azure.Security", - "type": "IaaSAntimalware", - "typeHandlerVersion": "1.3", - "autoUpgradeMinorVersion": true, - "settingsConfigMapperUri": "https://raw.githubusercontent.com/mspnp/template-building-blocks/v1.0.0/templates/resources/Microsoft.Compute/virtualMachines/extensions/vm-extension-passthrough-settings-mapper.json", - "settingsConfig": { - "AntimalwareEnabled": true, - "RealtimeProtectionEnabled": "false", - "ScheduledScanSettings": { - "isEnabled": "false", - "day": "7", - "time": "120", - "scanType": "Quick" - }, - "Exclusions": { - } - }, - "protectedSettingsConfig": { - } - } - ], - "availabilitySet": { - "useExistingAvailabilitySet": "No", - "name": "" - } - } - }, - "virtualNetworkSettings": { - "value": { - "name": "[variables('managementlVirtualNetworkName')]", - "resourceGroup": "[parameters('operationalVirtualNetworkResourceGroupName')]" - } - }, - "buildingBlockSettings": { - "value": { - "storageAccountsCount": 1, - "vmCount": 1, - "vmStartIndex": 1 - } - } - } - } - }, - { - "apiVersion": "2015-01-01", - "name": "azure-ops-web-deployment", - "type": "Microsoft.Resources/deployments", - "properties": { - "mode": "incremental", - "templateLink": { - "uri": "[variables('buildingBlocks').loadBalancerTemplate]", - "contentVersion": "1.0.0.0" - }, - "parameters": { - "virtualMachinesSettings": { - 
"value": { - "namePrefix": "operational-web", - "computerNamePrefix": "web", - "size": "Standard_DS1_v2", - "osType": "windows", - "adminUsername": "[parameters('vmAdminUserName')]", - "adminPassword": "[parameters('vmAdminPassword')]", - "osAuthenticationType": "password", - "nics": [ - { - "isPublic": "false", - "subnetName": "web", - "privateIPAllocationMethod": "Dynamic", - "isPrimary": "true", - "enableIPForwarding": false, - "dnsServers": [ ] - } - ], - "imageReference": { - "publisher": "MicrosoftWindowsServer", - "offer": "WindowsServer", - "sku": "2012-R2-Datacenter", - "version": "latest" - }, - "dataDisks": { - "count": 1, - "properties": { - "diskSizeGB": 128, - "caching": "None", - "createOption": "Empty" - } - }, - "osDisk": { - "caching": "ReadWrite" - }, - "availabilitySet": { - "useExistingAvailabilitySet": "No", - "name": "operational-web-vm-as" - }, - "extensions": [ - { - "name": "iis-config-ext", - "settingsConfigMapperUri": "https://raw.githubusercontent.com/mspnp/template-building-blocks/v1.0.0/templates/resources/Microsoft.Compute/virtualMachines/extensions/vm-extension-passthrough-settings-mapper.json", - "publisher": "Microsoft.Powershell", - "type": "DSC", - "typeHandlerVersion": "2.20", - "autoUpgradeMinorVersion": true, - "settingsConfig": { - "modulesUrl": "[variables('templates').installiis]", - "configurationFunction": "iisaspnet.ps1\\iisaspnet" - }, - "protectedSettingsConfig": { } - }, - { - "name": "IaaSAntimalware", - "publisher": "Microsoft.Azure.Security", - "type": "IaaSAntimalware", - "typeHandlerVersion": "1.3", - "autoUpgradeMinorVersion": true, - "settingsConfigMapperUri": "https://raw.githubusercontent.com/mspnp/template-building-blocks/v1.0.0/templates/resources/Microsoft.Compute/virtualMachines/extensions/vm-extension-passthrough-settings-mapper.json", - "settingsConfig": { - "AntimalwareEnabled": true, - "RealtimeProtectionEnabled": "false", - "ScheduledScanSettings": { - "isEnabled": "false", - "day": "7", - "time": 
"120", - "scanType": "Quick" - }, - "Exclusions": { - } - }, - "protectedSettingsConfig": { - } - } - ] - - } - }, - "loadBalancerSettings": { - "value": { - "name": "operational-web-lb", - "frontendIPConfigurations": [ - { - "name": "operational-web-lb-fe", - "loadBalancerType": "internal", - "internalLoadBalancerSettings": { - "privateIPAddress": "10.0.1.254", - "subnetName": "web" - } - } - ], - "backendPools": [ - { - "name": "operational-web-lb-bep", - "nicIndex": 0 - } - ], - "loadBalancingRules": [ - { - "name": "http-rule", - "frontendPort": 80, - "backendPort": 80, - "protocol": "Tcp", - "backendPoolName": "operational-web-lb-bep", - "frontendIPConfigurationName": "operational-web-lb-fe", - "probeName": "http-probe", - "enableFloatingIP": false - }, - { - "name": "https-rule", - "frontendPort": 443, - "backendPort": 443, - "protocol": "Tcp", - "backendPoolName": "operational-web-lb-bep", - "frontendIPConfigurationName": "operational-web-lb-fe", - "probeName": "https-probe", - "enableFloatingIP": false - } - ], - "probes": [ - { - "name": "http-probe", - "port": 80, - "protocol": "Tcp", - "requestPath": null - }, - { - "name": "https-probe", - "port": 443, - "protocol": "Tcp", - "requestPath": null - } - ], - "inboundNatRules": [ ] - } - }, - "virtualNetworkSettings": { - "value": { - "name": "[variables('operationalVirtualNetworkName')]", - "resourceGroup": "[parameters('operationalVirtualNetworkResourceGroupName')]" - } - }, - "buildingBlockSettings": { - "value": { - "storageAccountsCount": 2, - "vmCount": 2, - "vmStartIndex": 1 - } - } - } - } - }, - { - "apiVersion": "2015-01-01", - "name": "azure-ops-biz-deployment", - "type": "Microsoft.Resources/deployments", - "properties": { - "mode": "incremental", - "templateLink": { - "uri": "[variables('buildingBlocks').loadBalancerTemplate]", - "contentVersion": "1.0.0.0" - }, - "parameters": { - "virtualMachinesSettings": { - "value": { - "namePrefix": "operational-biz", - "computerNamePrefix": "biz", - 
"size": "Standard_DS1_v2", - "osType": "windows", - "adminUsername": "[parameters('vmAdminUserName')]", - "adminPassword": "[parameters('vmAdminPassword')]", - "osAuthenticationType": "password", - "nics": [ - { - "isPublic": "false", - "subnetName": "biz", - "privateIPAllocationMethod": "Dynamic", - "isPrimary": "true", - "enableIPForwarding": false, - "dnsServers": [ ] - } - ], - "imageReference": { - "publisher": "MicrosoftWindowsServer", - "offer": "WindowsServer", - "sku": "2012-R2-Datacenter", - "version": "latest" - }, - "dataDisks": { - "count": 1, - "properties": { - "diskSizeGB": 128, - "caching": "None", - "createOption": "Empty" - } - }, - "osDisk": { - "caching": "ReadWrite" - }, - "extensions": [ - { - "name": "IaaSAntimalware", - "publisher": "Microsoft.Azure.Security", - "type": "IaaSAntimalware", - "typeHandlerVersion": "1.3", - "autoUpgradeMinorVersion": true, - "settingsConfigMapperUri": "https://raw.githubusercontent.com/mspnp/template-building-blocks/v1.0.0/templates/resources/Microsoft.Compute/virtualMachines/extensions/vm-extension-passthrough-settings-mapper.json", - "settingsConfig": { - "AntimalwareEnabled": true, - "RealtimeProtectionEnabled": "false", - "ScheduledScanSettings": { - "isEnabled": "false", - "day": "7", - "time": "120", - "scanType": "Quick" - }, - "Exclusions": { - } - }, - "protectedSettingsConfig": { - } - } - ], - "availabilitySet": { - "useExistingAvailabilitySet": "No", - "name": "operational-biz-vm-as" - } - } - }, - "loadBalancerSettings": { - "value": { - "name": "operational-biz-lb", - "frontendIPConfigurations": [ - { - "name": "operational-biz-lb-fe", - "loadBalancerType": "internal", - "internalLoadBalancerSettings": { - "privateIPAddress": "10.0.2.254", - "subnetName": "biz" - } - } - ], - "backendPools": [ - { - "name": "operational-biz-lb-bep", - "nicIndex": 0 - } - ], - "loadBalancingRules": [ - { - "name": "https-rule", - "frontendPort": 443, - "backendPort": 443, - "protocol": "Tcp", - "backendPoolName": 
"operational-biz-lb-bep", - "frontendIPConfigurationName": "operational-biz-lb-fe", - "probeName": "https-probe", - "enableFloatingIP": false - } - ], - "probes": [ - { - "name": "https-probe", - "port": 443, - "protocol": "Http", - "requestPath": "/" - } - ], - "inboundNatRules": [ ] - } - }, - "virtualNetworkSettings": { - "value": { - "name": "[variables('operationalVirtualNetworkName')]", - "resourceGroup": "[parameters('operationalVirtualNetworkResourceGroupName')]" - } - }, - "buildingBlockSettings": { - "value": { - "storageAccountsCount": 2, - "vmCount": 2, - "vmStartIndex": 1 - } - } - } - } - }, - { - "apiVersion": "2015-01-01", - "name": "azure-ops-data-deployment", - "type": "Microsoft.Resources/deployments", - "properties": { - "mode": "incremental", - "templateLink": { - "uri": "[variables('buildingBlocks').loadBalancerTemplate]", - "contentVersion": "1.0.0.0" - }, - "parameters": { - "virtualMachinesSettings": { - "value": { - "namePrefix": "operational-data", - "computerNamePrefix": "data", - "size": "Standard_DS1_v2", - "osType": "windows", - "adminUsername": "[parameters('vmAdminUserName')]", - "adminPassword": "[parameters('vmAdminPassword')]", - "osAuthenticationType": "password", - "nics": [ - { - "isPublic": "false", - "subnetName": "data", - "privateIPAllocationMethod": "Dynamic", - "isPrimary": "true", - "enableIPForwarding": false, - "dnsServers": [ ] - } - ], - "imageReference": { - "publisher": "MicrosoftWindowsServer", - "offer": "WindowsServer", - "sku": "2012-R2-Datacenter", - "version": "latest" - }, - "dataDisks": { - "count": 1, - "properties": { - "diskSizeGB": 128, - "caching": "None", - "createOption": "Empty" - } - }, - "osDisk": { - "caching": "ReadWrite" - }, - "extensions": [ - { - "name": "IaaSAntimalware", - "publisher": "Microsoft.Azure.Security", - "type": "IaaSAntimalware", - "typeHandlerVersion": "1.3", - "autoUpgradeMinorVersion": true, - "settingsConfigMapperUri": 
"https://raw.githubusercontent.com/mspnp/template-building-blocks/v1.0.0/templates/resources/Microsoft.Compute/virtualMachines/extensions/vm-extension-passthrough-settings-mapper.json", - "settingsConfig": { - "AntimalwareEnabled": true, - "RealtimeProtectionEnabled": "false", - "ScheduledScanSettings": { - "isEnabled": "false", - "day": "7", - "time": "120", - "scanType": "Quick" - }, - "Exclusions": { - } - }, - "protectedSettingsConfig": { - } - } - ], - "availabilitySet": { - "useExistingAvailabilitySet": "No", - "name": "operational-data-vm-as" - } - } - }, - "loadBalancerSettings": { - "value": { - "name": "operational-data-lb", - "frontendIPConfigurations": [ - { - "name": "operational-data-lb-fe", - "loadBalancerType": "internal", - "internalLoadBalancerSettings": { - "privateIPAddress": "10.0.3.254", - "subnetName": "data" - } - } - ], - "backendPools": [ - { - "name": "operational-data-lb-bep", - "nicIndex": 0 - } - ], - "loadBalancingRules": [ - { - "name": "https-rule", - "frontendPort": 443, - "backendPort": 443, - "protocol": "Tcp", - "backendPoolName": "operational-data-lb-bep", - "frontendIPConfigurationName": "operational-data-lb-fe", - "probeName": "https-probe", - "enableFloatingIP": false - } - ], - "probes": [ - { - "name": "https-probe", - "port": 443, - "protocol": "Http", - "requestPath": "/" - } - ], - "inboundNatRules": [ ] - } - }, - "virtualNetworkSettings": { - "value": { - "name": "[variables('operationalVirtualNetworkName')]", - "resourceGroup": "[parameters('operationalVirtualNetworkResourceGroupName')]" - } - }, - "buildingBlockSettings": { - "value": { - "storageAccountsCount": 2, - "vmCount": 2, - "vmStartIndex": 1 - } - } - } - } - } - ], - "outputs": { - } -} -