microsoft · mbrat2005 · Jul 25, 2022 · Jul 25, 2022 · Jul 25, 2022 · Jul 25, 2022
@@ -26,3 +26,17 @@ These topics are not covered, and you might want to introduce them along the way
     - Add an Application Gateway to the mix
 - Challenge 5: **[PaaS Networking](05-Paas.md)**
     - Integrate Azure Web Apps and Azure SQL Databases with your hub and spoke design
+
+## Deployment using Infrastructure-as-Code
+The coaches solutions for this hack includes a deployment of the challenges written in Bicep.
+
+For coaches, the infrastructure deployed in the solution can provide a quick reference architecture/lab for an approach to implementing the challenges.
+
+For students, the automation presents a solution, which the students are generally expected to figure out on their own. However, there are a number of scenarios where providing a student with the Bicep files could be helpful:
+
+* Bringing a student up to speed with the rest of the cohort
+* Enabling students to focus on the network aspects of the hack, versus manual infrastructure deployment (especially when they are struggling with a less-relevant aspect)
+* Quickly bringing a cohort of students up to a specific challenge (for example, enabling data-focused students to work with PaaS services and Private Endpoints, without having had to manually deploy the underlying infrastructure)
+* Providing examples to students looking to implement the hack with IaC
+
+**See [Bicep Solution Readme](./Solutions/bicep/README.md) for detail deployment process.**
@@ -0,0 +1,23 @@
+param location string = 'eastus2'
+
+targetScope = 'subscription'
+//hub resources
+resource wthrghub 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+  name: 'wth-rg-hub'
+  location: location
+}
+
+resource wthrgspoke01 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+  name: 'wth-rg-spoke1'
+  location: location
+}
+
+resource wthrgspoke02 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+  name: 'wth-rg-spoke2'
+  location: location
+}
+
+resource wthrgonprem 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+  name: 'wth-rg-onprem'
+  location: location
+}
@@ -0,0 +1,281 @@
+param location string = 'eastus2'
+param hubVMUsername string = 'admin-wth'
+@secure()
+param vmPassword string
+
+targetScope = 'resourceGroup'
+//hub resources
+
+resource wthhubvnet 'Microsoft.Network/virtualNetworks@2021-08-01' = {
+  name: 'wth-vnet-hub01'
+  location: location
+  properties: {
+    addressSpace: {
+      addressPrefixes: [
+        '10.0.0.0/16'
+      ]
+    }
+    subnets: [
+      {
+        name: 'GatewaySubnet'
+        properties: {
+          addressPrefix: '10.0.0.0/24'
+          routeTable: {
+            id: rtvnetgw.id
+          }
+        }
+      }
+      {
+        name: 'subnet-hubvms'
+        properties: {
+          addressPrefix: '10.0.10.0/24'
+          routeTable: {
+            id: rthubvms.id
+          }
+          networkSecurityGroup: {
+            id: nsghubvms.id
+          }
+        }
+      }
+      {
+        name: 'AzureFirewallSubnet'
+        properties: {
+          addressPrefix: '10.0.1.0/24'
+        }
+      }
+    ]
+  }
+}
+
+resource wthhubgwpip01 'Microsoft.Network/publicIPAddresses@2022-01-01' = {
+  name: 'wth-pip-gw01'
+  location: location
+  sku: {
+    name: 'Standard'
+    tier: 'Regional'
+  }
+  properties: {
+    publicIPAllocationMethod: 'Static'
+  }
+}
+
+output pipgw1 string = wthhubgwpip01.properties.ipAddress
+
+resource wthhubgwpip02 'Microsoft.Network/publicIPAddresses@2022-01-01' = {
+  name: 'wth-pip-gw02'
+  location: location
+  sku: {
+    name: 'Standard'
+    tier: 'Regional'
+  }
+  properties: {
+    publicIPAllocationMethod: 'Static'
+  }
+}
+
+output pipgw2 string = wthhubgwpip02.properties.ipAddress
+
+resource wthhubvnetgw 'Microsoft.Network/virtualNetworkGateways@2022-01-01' = {
+  name: 'wth-vngw-hub01'
+  location: location
+  properties: {
+    activeActive: true
+    bgpSettings: {
+      asn: 65515
+    }
+    enableBgp: true
+    gatewayType: 'Vpn'
+    vpnType: 'RouteBased'
+    vpnGatewayGeneration: 'Generation1'
+    sku: {
+      name: 'VpnGw1'
+      tier: 'VpnGw1'
+    }
+    ipConfigurations: [
+      {
+        name: 'ipconfig1'
+        properties: {
+          publicIPAddress: {
+            id: wthhubgwpip01.id
+          }
+          subnet: {
+            id: '${wthhubvnet.id}/subnets/GatewaySubnet'
+          }
+        }
+      }
+      {
+        name: 'ipconfig2'
+        properties: {
+          publicIPAddress: {
+            id: wthhubgwpip02.id
+          }
+          subnet: {
+            id: '${wthhubvnet.id}/subnets/GatewaySubnet'
+          }
+        }
+      }
+    ]
+  }
+}
+
+output wthhubvnetgwasn int = wthhubvnetgw.properties.bgpSettings.asn
+output wthhubvnetgwprivateip1 string = wthhubvnetgw.properties.bgpSettings.bgpPeeringAddresses[0].defaultBgpIpAddresses[0]
+output wthhubvnetgwprivateip2 string = wthhubvnetgw.properties.bgpSettings.bgpPeeringAddresses[1].defaultBgpIpAddresses[0]
+
+resource changerdpport 'Microsoft.Compute/virtualMachines/extensions@2022-03-01' = {
+  name: '${wthhubvm01.name}/wth-vmextn-changerdpport33899'
+  location: location
+  properties: {
+    publisher: 'Microsoft.Compute'
+    type: 'CustomScriptExtension'
+    typeHandlerVersion: '1.10'
+    settings: {
+      /*
+      To generate encoded command in PowerShell: 
+
+      $s = @'
+      Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\" -Name PortNumber -Value 33899
+      New-NetFirewallRule -DisplayName "RDP 33899 TCP" -Direction Inbound -LocalPort 33899 -Protocol TCP -Action Allow
+      New-NetFirewallRule -DisplayName "RDP 33899 UDP" -Direction Inbound -LocalPort 33899 -Protocol UDP -Action Allow
+      Restart-Service -Name TermService -Force
+
+      New-NetFirewallRule -DisplayName 'ICMPv4' -Direction Inbound -Action Allow -Protocol icmpv4 -Enabled True
+      '@
+      $bytes = [System.Text.Encoding]::Unicode.GetBytes($s)
+      [convert]::ToBase64String($bytes) */
+      commandToExecute: 'powershell.exe -ep bypass -encodedcommand UwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgAC0AUABhAHQAaAAgACIASABLAEwATQA6AFwAUwB5AHMAdABlAG0AXABDAHUAcgByAGUAbgB0AEMAbwBuAHQAcgBvAGwAUwBlAHQAXABDAG8AbgB0AHIAbwBsAFwAVABlAHIAbQBpAG4AYQBsACAAUwBlAHIAdgBlAHIAXABXAGkAbgBTAHQAYQB0AGkAbwBuAHMAXABSAEQAUAAtAFQAYwBwAFwAIgAgAC0ATgBhAG0AZQAgAFAAbwByAHQATgB1AG0AYgBlAHIAIAAtAFYAYQBsAHUAZQAgADMAMwA4ADkAOQANAAoATgBlAHcALQBOAGUAdABGAGkAcgBlAHcAYQBsAGwAUgB1AGwAZQAgAC0ARABpAHMAcABsAGEAeQBOAGEAbQBlACAAIgBSAEQAUAAgADMAMwA4ADkAOQAgAFQAQwBQACIAIAAtAEQAaQByAGUAYwB0AGkAbwBuACAASQBuAGIAbwB1AG4AZAAgAC0ATABvAGMAYQBsAFAAbwByAHQAIAAzADMAOAA5ADkAIAAtAFAAcgBvAHQAbwBjAG8AbAAgAFQAQwBQACAALQBBAGMAdABpAG8AbgAgAEEAbABsAG8AdwANAAoATgBlAHcALQBOAGUAdABGAGkAcgBlAHcAYQBsAGwAUgB1AGwAZQAgAC0ARABpAHMAcABsAGEAeQBOAGEAbQBlACAAIgBSAEQAUAAgADMAMwA4ADkAOQAgAFUARABQACIAIAAtAEQAaQByAGUAYwB0AGkAbwBuACAASQBuAGIAbwB1AG4AZAAgAC0ATABvAGMAYQBsAFAAbwByAHQAIAAzADMAOAA5ADkAIAAtAFAAcgBvAHQAbwBjAG8AbAAgAFUARABQACAALQBBAGMAdABpAG8AbgAgAEEAbABsAG8AdwANAAoAUgBlAHMAdABhAHIAdAAtAFMAZQByAHYAaQBjAGUAIAAtAE4AYQBtAGUAIABUAGUAcgBtAFMAZQByAHYAaQBjAGUAIAAtAEYAbwByAGMAZQANAAoADQAKAE4AZQB3AC0ATgBlAHQARgBpAHIAZQB3AGEAbABsAFIAdQBsAGUAIAAtAEQAaQBzAHAAbABhAHkATgBhAG0AZQAgACcASQBDAE0AUAB2ADQAJwAgAC0ARABpAHIAZQBjAHQAaQBvAG4AIABJAG4AYgBvAHUAbgBkACAALQBBAGMAdABpAG8AbgAgAEEAbABsAG8AdwAgAC0AUAByAG8AdABvAGMAbwBsACAAaQBjAG0AcAB2ADQAIAAtAEUAbgBhAGIAbABlAGQAIABUAHIAdQBlAA=='
+    }
+  }
+}
+
+resource wthhubvmpip01 'Microsoft.Network/publicIPAddresses@2022-01-01' = {
+  name: 'wth-pip-hubvm01'
+  location: location
+  sku: {
+    name: 'Standard'
+    tier: 'Regional'
+  }
+  properties: {
+    publicIPAllocationMethod: 'Static'
+  }
+}
+
+resource wthhubvmnic 'Microsoft.Network/networkInterfaces@2022-01-01' = {
+  name: 'wth-nic-hubvm01'
+  location: location
+  properties: {
+    ipConfigurations: [
+      {
+        name: 'ipconfig1'
+        properties: {
+          subnet: {
+            id: '${wthhubvnet.id}/subnets/subnet-hubvms'
+          }
+          privateIPAddress: '10.0.10.4'
+          publicIPAddress: {
+            id: wthhubvmpip01.id
+          }
+        }
+      }
+    ]
+  }
+}
+
+resource wthhubvm01 'Microsoft.Compute/virtualMachines@2022-03-01' = {
+  name: 'wth-vm-hub01'
+  location: location
+  properties: {
+    hardwareProfile: {
+      vmSize: 'Standard_B2s'
+    }
+    storageProfile: {
+      imageReference: {
+        publisher: 'MicrosoftWindowsServer'
+        offer: 'WindowsServer'
+        sku: '2022-datacenter-azure-edition'
+        version: 'latest'
+      }
+      osDisk: {
+        osType: 'Windows'
+        name: 'wth-disk-vmhubos01'
+        createOption: 'FromImage'
+        caching: 'ReadWrite'
+      }
+    }
+    osProfile: {
+      computerName: 'vm-hub01'
+      adminUsername: hubVMUsername
+      adminPassword: vmPassword
+      windowsConfiguration: {
+        provisionVMAgent: true
+        enableAutomaticUpdates: true
+      }
+    }
+    networkProfile: {
+      networkInterfaces: [
+        {
+          id: wthhubvmnic.id
+        }
+      ]
+    }
+    diagnosticsProfile: {
+      bootDiagnostics: {
+        enabled: true
+      }
+    }
+    licenseType: 'Windows_Server'
+  }
+}
+
+resource rtvnetgw 'Microsoft.Network/routeTables@2022-01-01' = {
+  name: 'wth-rt-hubgwsubnet'
+  location: location
+  properties: {
+    routes: []
+    disableBgpRoutePropagation: false
+  }
+}
+
+resource rthubvms 'Microsoft.Network/routeTables@2022-01-01' = {
+  name: 'wth-rt-hubvmssubnet'
+  location: location
+  properties: {
+    routes: []
+    disableBgpRoutePropagation: false
+  }
+}
+
+resource nsghubvms 'Microsoft.Network/networkSecurityGroups@2022-01-01' = {
+  name: 'wth-nsg-hubvmssubnet'
+  location: location
+  properties: {
+    securityRules: [
+      {
+        name: 'allow-altrdp-to-vmssubnet-from-any'
+        properties: {
+          priority: 1000
+          access: 'Allow'
+          direction: 'Inbound'
+          protocol: 'Tcp'
+          sourcePortRange: '*'
+          destinationPortRange: '33899-33899'
+          sourceAddressPrefix: '*'
+          destinationAddressPrefix: '10.0.10.0/24'
+        }
+      }
+      {
+        name: 'allow-altssh-to-vmssubnet-from-any'
+        properties: {
+          priority: 1001
+          access: 'Allow'
+          direction: 'Inbound'
+          protocol: 'Tcp'
+          sourcePortRange: '*'
+          destinationPortRange: '22222-22222'
+          sourceAddressPrefix: '*'
+          destinationAddressPrefix: '10.0.10.0/24'
+        }
+      }
+    ]
+  }
+}