Permalink
Switch branches/tags
Nothing to show
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
147 lines (86 sloc) 10 KB

1-DeployAndConfigureAzureResources.ps1

Deploying this solution requires that a subscription be configured with the proper permissions and roles. For more information, see Script Details: 0-Setup-AdministrativeAccountAndPermission.ps1. This and all PowerShell scripts in the enviroment will run in an 'Unrestricted' execution policy.

CAUTION The script adds domain users to the Azure Active Directory (AAD) tenant that you specify. It is recommended to create a new Azure Active Directory (AAD) tenant to test this demo payment processing solution.

CAUTION It is recommended to use a clean Windows 10 (or similar) VM to deploy the solution to ensure that the correct PowerShell modules get loaded. If challenges are experienced with loading the correct PowerShell modules, remove any Azure-specific modules from the PowerShell modules directory.

CAUTION If any issues are encountered during the deployment, see FAQ and troubleshooting.

This PowerShell script is used to deploy this Blueprint.

.\1-DeployAndConfigureAzureResources.ps1

Deployment Timeline

The estimated time to deploy the solution components is shown in the diagram below. The total time required is approximately 2.0-2.5 hours from when the script starts. If the App Service Environment takes greater than 2 hours to deploy, the deployment may time out.

Using the script

The following scenarios are supported by the script:

  • Simple deployment.
    • This scenario is intended for users that want to deploy a pilot production environment using the deployment solution defaults. This will be set up and deployed using a self-signed certificate. This solution is intended to serve as a base for building a production environment for web applications specific to payment processing.
  • Deploying with a custom certificate and a custom domain
    • This scenario is intended for users that would like to utilize their existing domain and associated SSL certificate for deploying a pilot production environment. This solution is intended to serve as a base with a custom domain for building a production environment for web applications specific to payment processing.

NOTE: The deployment script is a guided solution that will prompt for additional inputs if further customization is required. The 'Optional Parameters' section outlines the customization options available for this deployment.

Simple deployment

.\1-DeployAndConfigureAzureResources.ps1 

This deployment script creates the required Azure Active Directory (AAD) accounts and generates a self-signed certificate for the ASE ILB and Application Gateway SSL endpoint using a provided custom domain. Users will be prompted for two logins, one for Azure Active Directory (AAD) and another for Azure Resource Manager (ARM). The only required inputs are guided prompts for providing an email address for SQL Threat Detection alerts and an Azure Subscription ID.

Deploying with a custom certificate and a custom domain

.\1-DeployAndConfigureAzureResources.ps1

This deployment script creates the required Azure Active Directory (AAD) accounts and deploys the necessary resources for the ASE ILB and Application Gateway SSL endpoint using a provided custom domain. Users will be prompted for two logins, one for Azure Active Directory (AAD) and another for Azure Resource Manager (ARM). The only required inputs are guided prompts for providing an email address for SQL Threat Detection alerts and an Azure Subscription ID.

Users will be prompted to provide their own custom certificate for supporting a custom domain, if selected for.

Initiating the Deployment

An Azure Active Directory (AAD) Global Administrator account will be required for initiating this deployment. This user must be a Global Administrator that has been granted full control of the default Azure Active Directory instance. The user must be in the Azure Active Directory domain namespace.

In deploying this solution, two login prompts will be presented such that users' AAD Global Administrator account credentials are not captured and presented in the open PowerShell session.

As the deployment utilizes both the AzureRM and MSOnline PowerShell modules for monitoring and configuring the deployment, there are two login prompts users will be required to provide credentials for.

Azure Active Directory Global Admininistrator credentials will not be presented in the PowerShell console, and is securely authenticated through web portal logins.

Role-based access control (RBAC) requires that an administrator grants themselves administrative rights in AAD. Refer to this blog for a detailed explanation.

Delegating Admin Rights in Microsoft Azure PowerShell - Connecting to Azure Active Directory using Microsoft Account user.

For more information, see Script Details: 0-Setup-AdministrativeAccountAndPermission.ps1.

Required Parameters

Resource Group Name

Specifies the Resource Group name into which all resources will be deployed.

Azure Active Directory Domain Name

Specifies the ID of the Azure Active Directory Domain, as defined by Get-ADDomain.

Azure Subscription ID

Specifies the ID of a subscription. This needs to be provided for validating the Azure Active Directory (AAD) global administrator account that will be used with the deployment.

Suffix

Used as an identifier in the deployment of the solution. This can be any character or identifier, such as a business unit name.

Email Address for SQL Threat Detection Alerts

Provide a valid email address for SQL Threat Detection alerts and issues associated with your deployment.

Optional Parameters

Custom Host Name

Specifies a custom domain for the deployment. To be able to connect to the website, it is required that you provide a custom domain name, such as contoso.com. This is enabled by using the '-customHostName' switch in step 2. A custom domain name is not required to successfully deploy the solution for it to run, however you will not be able to connect to the website for demonstration purposes. For more information, see How to buy and enable a custom domain name for Azure Web Apps. If this parameter is used you will be required to update the application's IP address with your DNS hosting provider (custom domain name). In the example, the customer’s DNS settings require the Application Gateway IP address to be updated as a DNS record on the hosting site. You can do this via the steps below.

  1. Collect the Application Gateway IP address using the following PowerShell command:
Get-AzureRmPublicIpAddress | where {$_.Name -eq "publicIp-AppGateway"} |select IpAddress

This command will return the IP address. For example:

IpAddress
--------- 52.168.0.1

  1. Log into your DNS hosting provider and update the A/AAAA record with the Application Gateway IP address.

Enable SSL

Indicates whether to enable SSL on the Application Gateway, allowing the user to browse the website via https://www.contosowebstore.com.

Input Usage
none Customer can browse the application via HTTP (for example http://...).
Switch present Customer can browse the application via HTTPS (for example https://...). When this switch is used in combination with appGatewaySslCertPath and appGatewaySslCertPwd, it enables a custom certificate on the Application Gateway. If you want to pass a custom certificate, use the .pfx certificate file with the process below to create the correct file.
  1. Review the instructions on creating a website SSL certificate.

  2. Retrieve your private key. This file will have a name similar to www.contosowebstore.com\_private\_key.key.

  3. Retrieve your certificate. This file will have a name similar to www.contosowebstore.com\_ssl\_certificate.cer.

  4. Create a personal information exchange (pfx) file and protect this file with a password.

Optional variables

$location

This variable can be changed to a different location than the default value eastus. Changing this setting requires that the deployment is monitored to ensure its successful completion. If this is updated, the variables set in azuredeploy.json under aseLocation and omsRegion will need to be updated to match the corresponding region set for $location.

$automationAcclocation

This variable can be changed to a different location than the default value eastus2. Changing this setting requires that the deployment is monitored to ensure its successful completion. If this is updated, the variable set in azuredeploy.json under automationRegion will need to be updated to match the corresponding region set for $automationAcclocation.

Troubleshooting the deployment script

If errors are experience when attempting to run the 1A-ContosoWebStoreDemoAzureResources.ps1 script, verify that the correct version PowerShell modules were imported when running the 0-Setup-AdministrativeAccountAndPermission.ps1 script.

Next Steps (2-EnableOMSLoggingOnResources.ps1)

Once the deployment is complete, 2-EnableOMSLoggingOnResources.ps1 can be run for enabling OMS logging on the resources deployed with the deployment. It is recommended to fully deploy an application solution into the environment before running this script.