In the traditional software development process, security is often an afterthought and addressed only during the later stages of development or in a separate security testing phase. This approach can lead to security vulnerabilities that are expensive and time-consuming to fix, and can also put users’ data and systems at risk.

DevSecOps, on the other hand, integrates security practices into the development process from the very beginning, making security an integral part of the development pipeline. This involves automating security testing, using security-focused code reviews, and implementing security controls and best practices throughout the development process.

Here’s an example of how DevSecOps might work in practice:

Suppose a team of developers is building a new web application for a financial institution. As part of the DevSecOps process, the team implements automated security testing tools that scan the code for common vulnerabilities such as cross-site scripting (XSS) and SQL injection. These tests are run every time new code is committed to the repository, ensuring that any security issues are caught early in the development cycle.

In addition, the team conducts security-focused code reviews, with a particular emphasis on authentication and authorization mechanisms to protect against unauthorized access to the system. They also implement security controls such as encryption and access controls to safeguard user data and prevent data breaches.

Throughout the development process, the team works closely with the security team to ensure that the application is designed and built with security in mind. By following a DevSecOps approach, the team is able to deliver a secure and resilient application that meets the needs of the financial institution and its customers, while reducing the risk of security breaches and other vulnerabilities.

Secure Kubernetes Deployment Configuration: One of the key practices in securing Kubernetes is to ensure that the deployment configurations are secure. You should apply best practices in configuring Kubernetes resources like namespaces, services, and network policies. For example, you can use Kubernetes network policies to restrict network traffic between different services in your cluster, reducing the potential attack surface.

Deny all ingress traffic: This policy will block all incoming traffic to a service.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all-ingress
spec:
  podSelector: {}
  policyTypes:
  - Ingress

Allow traffic only from specific sources: This policy will allow incoming traffic only from a specific set of sources.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-specific-sources
spec:
  podSelector: {}
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: allowed-source-app
    ports:
    - protocol: TCP
      port: 80

Deny egress traffic to specific destinations: This policy will block outgoing traffic from a service to a specific set of destinations.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-specific-egress
spec:
  podSelector:
    matchLabels:
      app: my-app
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 10.0.0.0/24
    ports:
    - protocol: TCP
      port: 80

Allow traffic only to specific ports: This policy will allow outgoing traffic only to specific ports.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-specific-egress
spec:
  podSelector:
    matchLabels:
      app: my-app
  policyTypes:
  - Egress
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: allowed-destination-app
    ports:
    - protocol: TCP
      port: 80

Note that these policies are just examples, and may need to be adapted to your specific use case. Additionally, it’s important to thoroughly test any network policies before implementing them in a production environment.

Use Kubernetes Secrets: Kubernetes Secrets is a native way to store and manage sensitive information, like passwords or tokens, in your Kubernetes cluster. Instead of storing these secrets in plain text, you can use Kubernetes Secrets to encrypt and protect them. This makes it more difficult for attackers to access sensitive data in the event of a breach.

Implement Kubernetes RBAC: Kubernetes Role-Based Access Control (RBAC) lets you control access to Kubernetes resources at a granular level. By implementing RBAC, you can limit access to your cluster to only the users and services that need it, reducing the risk of unauthorized access.

apiVersion: v1
kind: ServiceAccount
metadata:
  name: example-service-account

---

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: example-role
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "watch", "list"]
  - apiGroups: ["extensions"]
    resources: ["deployments"]
    verbs: ["get", "watch", "list"]

---

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: example-role-binding
subjects:
  - kind: ServiceAccount
    name: example-service-account
roleRef:
  kind: Role
  name: example-role
  apiGroup: rbac.authorization.k8s.io

In this manifest, we first define a service account named “example-service-account”. We then define a role named “example-role” that specifies the permissions to access pods and deployments. Finally, we define a role binding named “example-role-binding” that binds the service account to the role. This means that any pod that is associated with the service account will have the permissions specified in the role.

Regularly Update and Patch Kubernetes: Regularly updating and patching Kubernetes is a critical aspect of DevSecOps. Updates and patches often include important security fixes and vulnerability patches. Make sure to follow the Kubernetes security updates and patch your cluster regularly.

Use Kubernetes Admission Controllers: Kubernetes Admission Controllers is a security feature that allows you to define policies that must be enforced before any request to Kubernetes is processed. These policies can be used to ensure that all containers running in the cluster are using only approved images and other resources.

Integrate Security into the CI/CD Pipeline: Integrating security into the CI/CD pipeline is a key aspect of DevSecOps. You can use tools like container scanning

DevSecOps practices can be applied to Kubernetes, a popular container orchestration platform, to ensure the security of the applications running on it. Here are some best practices for DevSecOps with Kubernetes, along with examples:

Secure Kubernetes cluster setup: The first step in securing Kubernetes is to ensure that the cluster is set up securely. This involves applying security best practices such as enabling role-based access control (RBAC) and using secure network policies.
Example: Use Kubernetes’ built-in RBAC features to grant permissions only to users who need them. For example, a developer should not have the same level of access as an administrator. Limiting the permissions of each user can help reduce the risk of a security breach.

Continuous security testing: Just as with any software development process, continuous security testing is essential for Kubernetes applications. This includes running automated security scans to detect vulnerabilities in Kubernetes resources, such as deployments and pods.
Example: Use security testing tools like Aqua Security or Sysdig to scan Kubernetes resources for security vulnerabilities, such as misconfigurations or exposed credentials. These tools can help identify vulnerabilities early in the development process, allowing teams to fix them before deployment.

Container image security: The container images used to run Kubernetes applications should be secure and free from vulnerabilities. This involves scanning container images for security vulnerabilities before deployment.
Example: Use container image scanning tools like Clair or Trivy to scan container images for known vulnerabilities. These tools can be integrated into the Kubernetes pipeline to scan images automatically before deployment.

Network security: Kubernetes network security involves securing the communication between Kubernetes resources and ensuring that they are only accessible by authorized users and services.
Example: Use Kubernetes network policies to define and enforce rules around how resources can communicate with each other. For example, you can create a policy that only allows traffic between specific pods or namespaces.

Secure secrets management: Kubernetes allows you to store and manage secrets such as passwords and API keys. It’s important to ensure that these secrets are encrypted and secured.
Example: Use Kubernetes secrets to store sensitive data, such as database credentials, and encrypt them at rest. Use RBAC to ensure that only authorized users and services can access these secrets.

apiVersion: v1
kind: Secret
metadata:
  name: mysecrets
type: Opaque
data:
  username: 
  password: 

In this example, we are creating a secret called “mysecrets” with two key-value pairs: “username” and “password”. The values are base64-encoded to ensure that they are not stored in plain text.

You can create this manifest file and apply it using the kubectl command line tool. Here is an example of how to create the secret from the manifest file:

kubectl apply -f mysecrets.yaml

Once the secret is created, you can use it in your application by referencing it in your deployment or pod configuration file. For example, if you wanted to use the “username” and “password” values in your application’s environment variables, you could include the following lines in your deployment or pod manifest:

spec:
  containers:
  - name: myapp
    image: myapp:latest
    env:
    - name: MY_USERNAME
      valueFrom:
        secretKeyRef:
          name: mysecrets
          key: username
    - name: MY_PASSWORD
      valueFrom:
        secretKeyRef:
          name: mysecrets
          key: password

This will inject the values from the “mysecrets” secret into your application’s environment variables at runtime, allowing you to securely access sensitive information without exposing it in your code or configuration files.
By following these DevSecOps best practices, teams can ensure that their Kubernetes applications are secure and resilient, and can reduce the risk of security breaches and other vulnerabilities.

Red Hat as usual has a great overview on the subject here – https://www.redhat.com/en/topics/devops/what-is-devsecops

These are some other very useful links;
OWASP: https://owasp.org/
NIST: https://www.nist.gov/
DevSecOps.org: https://www.devsecops.org/
SANS Institute: https://www.sans.org/
Jenkins: https://www.jenkins.io/

In some cases, however, containerized applications require a DHCP server to lease IP addresses to the containers running on the same network. By running a Dockerized DHCP server, you can simplify the deployment and management of your containerized applications, and create virtual networks for practicing networking concepts and configurations. In this article, we will walk through the steps for creating and using a Dockerized DHCP server for your applications and networks.

We will cover how to create a bridge network, run the DHCP server container, and configure your host and other containers to use the DHCP server to obtain IP addresses.

Choose a base image: You will need a base image for your DHCP server. In this example, we will use the Alpine Linux base image, which is a lightweight distribution of Linux that is popular for Docker images.

Install DHCP server software: Next, you will need to install the DHCP server software on your image. In this example, we will use the ISC DHCP server software, which is a widely used and well-supported DHCP server.

Configure the DHCP server: Once you have installed the DHCP server software, you will need to configure it to lease IPs. You will need to specify the range of IP addresses that can be leased, the subnet mask, and other network settings.

Create a Docker Network – I have called mine <my>-<network>

docker network create my-network

Create the DHCPD.CONF file in the build directory.

##########dhcpd.conf###########

default-lease-time 259200;
max-lease-time 777600;
option domain-name "your-domain.com";

subnet 192.168.2.0 netmask 255.255.255.0{
range 192.168.2.2 192.168.2.250;
option broadcast-address 192.168.2.255;
option routers 192.168.2.1;
option domain-name-servers 192.168.1.1;
}

Create a Dockerfile: With the base image and DHCP server software installed and configured, you can now create a Dockerfile that will build the image. Here is an example Dockerfile:

Create a Dockerfile

FROM alpine:latest

RUN apk add --no-cache dhcp

COPY dhcpd.conf /etc/dhcpd.conf

EXPOSE 67/udp

ENTRYPOINT ["dhcpd", "-f", "-d", "--no-pid"]

In this Dockerfile, we start with the latest Alpine Linux image, then we install the ISC DHCP server software using the apk package manager. We copy a pre-configured dhcpd.conf file to the /etc directory, which contains the configuration settings for the DHCP server. We expose port 67/udp, which is the port used by DHCP servers to lease IP addresses. Finally, we set the ENTRYPOINT to start the dhcpd daemon with the specified options.

Build the image: Once you have created the Dockerfile, you can build the image using the docker build command:

docker build -t dhcp-server .

Run the container: With the image built, you can now run a container from the image using the docker run command:

docker run -d --name dhcp-server --net=host dhcp-server

In this command, we run the container in detached mode (-d), give it a name (–name dhcp-server), and use the host network (–net=host) so that the DHCP server can lease IPs to devices on the same network as the host. We specify the name of the image we built in the previous step (dhcp-server) as the container to run.

Your DHCP server container should now be running and leasing IPs to devices on your network. You can view the logs of the container using the docker logs command:

docker logs dhcp-server

And you can stop and remove the container using the docker stop and docker rm commands:

docker stop dhcp-server
docker rm dhcp-server

There are several use cases for having a Docker image running as a DHCP server:

Development and testing: Developers and testers can use a Dockerized DHCP server to create isolated test networks for their applications or services. This allows them to test network configurations and connectivity without interfering with the production network.

Containerized applications: Some containerized applications require a DHCP server to lease IP addresses to the containers running on the same network. By running a Dockerized DHCP server, you can simplify the deployment and management of your containerized applications.

Education and training: DHCP servers are commonly used in networking courses and training programs. By running a Dockerized DHCP server, educators and students can create virtual networks for practicing networking concepts and configurations.

To get hosts to connect to the network served by the Dockerized DHCP server, you will need to configure the hosts to use DHCP to obtain an IP address. This can usually be done by configuring the network interface of the host to use DHCP. The exact steps to do this will depend on the operating system of the host.

For example, on a Linux host, you can configure the network interface to use DHCP by editing the /etc/network/interfaces file and adding the following lines

auto eth0
iface eth0 inet dhcp

On a Windows host, you can configure the network interface to use DHCP by going to the Control Panel, selecting Network and Sharing Center, selecting Change adapter settings, right-clicking on the network adapter, selecting Properties, selecting Internet Protocol Version 4 (TCP/IPv4), and selecting Obtain an IP address automatically.

Once the host is configured to use DHCP, it will automatically obtain an IP address from the Dockerized DHCP server when it is connected to the network.

You might rightly ask how these other containers or hosts get an IP address from the above DHCP server container.

Well, below is the answer to your question.

You would need to create a Docker network to add containers in there before they can receive IP addresses from the DHCP server. When you create a Docker network, you can specify that it is a bridge network, which is the default network type for Docker. Containers connected to a bridge network can communicate with each other using their IP addresses.

To create a bridge network, you can use the docker network create command. Here’s an example:

docker network create my-network

This command creates a bridge network named my-network. You can then start your DHCP server container on this network by using the –network option when running the container:

docker run -d --name dhcp-server --network my-network dhcp-server

This command starts the DHCP server container in detached mode (-d), names the container dhcp-server, and connects it to the my-network network.

Once your DHCP server container is running on the my-network network, you can start other containers on the same network by using the –network option:

docker run -d --name my-container --network my-network my-image

This command starts a container named my-container from the my-image image, and connects it to the my-network network.

When the container starts up, it will obtain an IP address from the DHCP server running on the my-network network. You can view the IP address of the container by using the docker inspect command:

docker inspect my-container

In the output, look for the IPAddress field under the NetworkSettings section. This will show you the IP address that was assigned to the container by the DHCP server.

Ubuntu has a good guide on DHCP – https://ubuntu.com/server/docs/network-dhcp

The power of clustering goes a long way to enforce technical knowledge and hands-on application of technologies, it is essential for any serious engineer to build full scale labs covering best known architectures. Learning Kubernetes is best when you are able to build a production grade cluster replica. Minikube has always been helpful but the true benefit of a real world architecture does not come with Minikubing. This is where KIND comes in, bringing the power of real hands on without dedicating much hardware and resources as you would in using virtual machines to create a Kubernetes cluster.

Install Prerequisites

apt-get install curl

Install Docker

sudo apt-get update

	
curl -fsSL https://get.docker.com -o get-docker.sh
sh get-docker.sh

Give user permissions to query Docker

sudo usermod -aG docker $USER
Restart your hosts (Nodes) for the permissions to take effect.

Install Kind on Linux

curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.11.1/kind-linux-amd64
chmod +x ./kind
mv ./kind /usr/local/bin

Install Kubectl

We’ll need kubectl to work with Kubernetes cluster, in case its not already installed. For this, we can use below commands:

curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"

Set Permissions

chmod +x ./kubectl

Move kubectl to local

sudo mv ./kubectl /usr/local/bin/kubectl

Create Multi-Node Clusters – 1 Master and 2 Worker Nodes

Create Cluster Manifest File – cluster-config-yaml.yaml

# A sample multi-node cluster config file
# A three node (two workers, one controller) cluster config
# To add more worker nodes, add another role: worker to the list
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
name: 
nodes:
- role: control-plane
  kubeadmConfigPatches:
  - |
    kind: InitConfiguration
    nodeRegistration:
      kubeletExtraArgs:
        node-labels: "ingress-ready=true"    
  extraPortMappings:
  - containerPort: 80
    hostPort: 80
    protocol: TCP
  - containerPort: 443
    hostPort: 443
    protocol: TCP
- role: worker
- role: worker


root@cluster-vm:/home/cluster# kind create cluster --name=azvmms-node --config=single-cluster.yaml
Creating cluster "azvmms-node" ...
✓ Ensuring node image (kindest/node:v1.21.1) 🖼
✓ Preparing nodes 📦 📦
✓ Writing configuration 📜
✓ Starting control-plane 🕹
✓ Installing CNI 🔌
✓ Installing StorageClass 💾
✓ Joining worker nodes 🚜
Set kubectl context to "kind-azvmms-node"
You can now use your cluster with:

kubectl cluster-info --context kind-azvmms-node


Creates the Control Plane

- role: control-plane

Creates the 2 Worker Nodes

- role: worker
- role: worker

Create Cluster

kind create cluster --config=<cluster-config-yaml.yaml>

Check Pods

$ kubectl get pods -ns -A -o wide
NAMESPACE            NAME                                            READY   STATUS    RESTARTS   AGE   IP           NODE                    NOMINATED NODE   READINESS GATES
kube-system          coredns-558bd4d5db-2gszr                        1/1     Running   0          91m   10.244.0.3   spacers-control-plane              
kube-system          coredns-558bd4d5db-46rkp                        1/1     Running   0          91m   10.244.0.2   spacers-control-plane              
kube-system          etcd-spacers-control-plane                      1/1     Running   0          92m   172.18.0.4   spacers-control-plane              
kube-system          kindnet-9jmwv                                   1/1     Running   0          91m   172.18.0.2   spacers-worker2                    
kube-system          kindnet-c2jrx                                   1/1     Running   0          91m   172.18.0.4   spacers-control-plane              
kube-system          kindnet-hlhmx                                   1/1     Running   0          91m   172.18.0.3   spacers-worker                     
kube-system          kube-apiserver-spacers-control-plane            1/1     Running   0          92m   172.18.0.4   spacers-control-plane              
kube-system          kube-controller-manager-spacers-control-plane   1/1     Running   0          91m   172.18.0.4   spacers-control-plane              
kube-system          kube-proxy-97q94                                1/1     Running   0          91m   172.18.0.3   spacers-worker                     
kube-system          kube-proxy-t4ltb                                1/1     Running   0          91m   172.18.0.4   spacers-control-plane              
kube-system          kube-proxy-xrd5l                                1/1     Running   0          91m   172.18.0.2   spacers-worker2                    
kube-system          kube-scheduler-spacers-control-plane            1/1     Running   0          91m   172.18.0.4   spacers-control-plane              
local-path-storage   local-path-provisioner-547f784dff-5dgp6         1/1     Running   0          91m   10.244.0.4   spacers-control-plane              

Deploy a Sample App

kubectl apply -n portainer -f https://raw.githubusercontent.com/portainer/k8s/master/deploy/manifests/portainer/portainer.yaml

Test Access

https://localhost:30779/
kubectl run my-nginx --image=nginx --replicas=2 --port=8080

Delete Cluster
kind delete clusters <cluster-name>

Configure a Linux virtual machine in Azure using Terraform

How to Create Azure Standard Load Balancer with Backend Pools in Terraform

Below is a list of parts which constitutes this build.

• Resource Group
• Virtual Machines
• Network Interfaces
• Standard Loadbalancer
• Availability Sets

As it appears in Azure

Open your IDE and create the following Terraform files;
providers.tf
network.tf
loadbalancer.tf
virtualmachines.tf

Clone the Git Code Repository

git clone https://github.com/expertcloudconsultant/createazureloadbalancer.git

#Create the providers providers.tf

#IaC on Azure Cloud Platform | Declare Azure as the Provider
# Configure the Microsoft Azure Provider
terraform {

  required_version = ">=0.12"

  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~>2.0"
    }
  }


}

provider "azurerm" {
  features {}
}

#Create the virutal network and subnets with with Terraform. network.tf

#Create Resource Groups
resource "azurerm_resource_group" "corporate-production-rg" {
  name     = "corporate-production-rg"
  location = var.avzs[0] #Avaialability Zone 0 always marks your Primary Region.
}



#Create Virtual Networks > Create Spoke Virtual Network
resource "azurerm_virtual_network" "corporate-prod-vnet" {
  name                = "corporate-prod-vnet"
  location            = azurerm_resource_group.corporate-production-rg.location
  resource_group_name = azurerm_resource_group.corporate-production-rg.name
  address_space       = ["10.20.0.0/16"]

  tags = {
    environment = "Production Network"
  }
}


#Create Subnet
resource "azurerm_subnet" "business-tier-subnet" {
  name                 = "business-tier-subnet"
  resource_group_name  = azurerm_resource_group.corporate-production-rg.name
  virtual_network_name = azurerm_virtual_network.corporate-prod-vnet.name
  address_prefixes     = ["10.20.10.0/24"]
}

#Create Private Network Interfaces
resource "azurerm_network_interface" "corpnic" {
  name                = "corpnic-${count.index + 1}"
  location            = azurerm_resource_group.corporate-production-rg.location
  resource_group_name = azurerm_resource_group.corporate-production-rg.name
  count               = 2

  ip_configuration {
    name                          = "ipconfig-${count.index + 1}"
    subnet_id                     = azurerm_subnet.business-tier-subnet.id
    private_ip_address_allocation = "Dynamic"

  }
}

#Create the standard load balancer with Terraform. loadbalancer.tf

#Create Load Balancer
resource "azurerm_lb" "business-tier-lb" {
  name                = "business-tier-lb"
  location            = azurerm_resource_group.corporate-production-rg.location
  resource_group_name = azurerm_resource_group.corporate-production-rg.name

  frontend_ip_configuration {
    name                          = "businesslbfrontendip"
    subnet_id                     = azurerm_subnet.business-tier-subnet.id
    private_ip_address            = var.env == "Static" ? var.private_ip : null
    private_ip_address_allocation = var.env == "Static" ? "Static" : "Dynamic"
  }
}

#Create Loadbalancing Rules

#Create Loadbalancing Rules
resource "azurerm_lb_rule" "production-inbound-rules" {
  loadbalancer_id                = azurerm_lb.business-tier-lb.id
  resource_group_name            = azurerm_resource_group.corporate-production-rg.name
  name                           = "ssh-inbound-rule"
  protocol                       = "Tcp"
  frontend_port                  = 22
  backend_port                   = 22
  frontend_ip_configuration_name = "businesslbfrontendip"
  probe_id                       = azurerm_lb_probe.ssh-inbound-probe.id
  backend_address_pool_ids        = ["${azurerm_lb_backend_address_pool.business-backend-pool.id}"]
 

}

#Create Probe

#Create Probe
resource "azurerm_lb_probe" "ssh-inbound-probe" {
  resource_group_name = azurerm_resource_group.corporate-production-rg.name
  loadbalancer_id     = azurerm_lb.business-tier-lb.id
  name                = "ssh-inbound-probe"
  port                = 22
}

#Create Backend Address Pool

#Create Backend Address Pool
resource "azurerm_lb_backend_address_pool" "business-backend-pool" {
  loadbalancer_id = azurerm_lb.business-tier-lb.id
  name            = "business-backend-pool"
}

#Automated Backend Pool Addition

#Automated Backend Pool Addition > Gem Configuration to add the network interfaces of the VMs to the backend pool.
resource "azurerm_network_interface_backend_address_pool_association" "business-tier-pool" {
  count                   = 2
  network_interface_id    = azurerm_network_interface.corpnic.*.id[count.index]
  ip_configuration_name   = azurerm_network_interface.corpnic.*.ip_configuration.0.name[count.index]
  backend_address_pool_id = azurerm_lb_backend_address_pool.business-backend-pool.id

}

This line of configuration is what intelligently adds the network interfaces to the backendpool. I call it a gem because it took me quite sometime to figure it all out.

 ip_configuration_name   = azurerm_network_interface.corpnic.*.ip_configuration.0.name[count.index]

Create the Linux Virtual Machines virtualmachines.tf

# Create (and display) an SSH key
resource "tls_private_key" "linuxvmsshkey" {
  algorithm = "RSA"
  rsa_bits  = 4096
}

#Custom Data Insertion Here
data "template_cloudinit_config" "webserverconfig" {
  gzip          = true
  base64_encode = true

  part {

    content_type = "text/cloud-config"
    content      = "packages: ['nginx']"
  }
}



# Create Network Security Group and rule
resource "azurerm_network_security_group" "corporate-production-nsg" {
  name                = "corporate-production-nsg"
  location            = azurerm_resource_group.corporate-production-rg.location
  resource_group_name = azurerm_resource_group.corporate-production-rg.name


  #Add rule for Inbound Access
  security_rule {
    name                       = "SSH"
    priority                   = 1001
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = var.ssh_access_port # Referenced SSH Port 22 from vars.tf file.
    source_address_prefix      = "*"
    destination_address_prefix = "*"
  }
}


#Connect NSG to Subnet
resource "azurerm_subnet_network_security_group_association" "corporate-production-nsg-assoc" {
  subnet_id                 = azurerm_subnet.business-tier-subnet.id
  network_security_group_id = azurerm_network_security_group.corporate-production-nsg.id
}



#Availability Set - Fault Domains [Rack Resilience]
resource "azurerm_availability_set" "vmavset" {
  name                         = "vmavset"
  location                     = azurerm_resource_group.corporate-production-rg.location
  resource_group_name          = azurerm_resource_group.corporate-production-rg.name
  platform_fault_domain_count  = 2
  platform_update_domain_count = 2
  managed                      = true
  tags = {
    environment = "Production"
  }
}


#Create Linux Virtual Machines Workloads
resource "azurerm_linux_virtual_machine" "corporate-business-linux-vm" {

  name                  = "${var.corp}linuxvm${count.index}"
  location              = azurerm_resource_group.corporate-production-rg.location
  resource_group_name   = azurerm_resource_group.corporate-production-rg.name
  availability_set_id   = azurerm_availability_set.vmavset.id
  network_interface_ids = ["${element(azurerm_network_interface.corpnic.*.id, count.index)}"]
  size                  =  "Standard_B1s"  # "Standard_D2ads_v5" # "Standard_DC1ds_v3" "Standard_D2s_v3"
  count                 = 2


  #Create Operating System Disk
  os_disk {
    name                 = "${var.corp}disk${count.index}"
    caching              = "ReadWrite"
    storage_account_type = "Standard_LRS" #Consider Storage Type
  }


  #Reference Source Image from Publisher
  source_image_reference {
    publisher = "Canonical"                    #az vm image list -p "Canonical" --output table
    offer     = "0001-com-ubuntu-server-focal" # az vm image list -p "Canonical" --output table
    sku       = "20_04-lts-gen2"               #az vm image list -s "20.04-LTS" --output table
    version   = "latest"
  }


  #Create Computer Name and Specify Administrative User Credentials
  computer_name                   = "corporate-linux-vm${count.index}"
  admin_username                  = "linuxsvruser${count.index}"
  disable_password_authentication = true



  #Create SSH Key for Secured Authentication - on Windows Management Server [Putty + PrivateKey]
  admin_ssh_key {
    username   = "linuxsvruser${count.index}"
    public_key = tls_private_key.linuxvmsshkey.public_key_openssh
  }

  #Deploy Custom Data on Hosts
  custom_data = data.template_cloudinit_config.webserverconfig.rendered

}

If you are interested in using the UI to create a solution as above, then follow Microsoft’s Get started with Azure Load Balancer by using the Azure portal to create an internal load balancer and two virtual machines.

What is Git?
According to Wikipedia;

Git is software for tracking changes in any set of files, usually used for coordinating work among programmers collaboratively developing source code during software development. Its goals include speed, data integrity, and support for distributed, non-linear workflows.

A successful connection to GitHub does require an established trust between the client {your working host} and the server {GitHub}.

An SSH key relies upon the use of two related keys, a public key and a private key, that together create a key pair that is used as the secure access credential. The private key is secret, known only to the user, and should be encrypted and stored safely. The public key can be shared freely with any SSH server to which the user wishes to connect.

Public Key authentication – what and why?

The motivation for using public key authentication over simple passwords is security. Public key authentication provides cryptographic strength that even extremely long passwords can not offer. With SSH, public key authentication improves security considerably as it frees the users from remembering complicated passwords (or worse yet, writing them down).

In addition to security public key authentication also offers usability benefits – it allows users to implement single sign-on across the SSH servers they connect to. Public key authentication also allows automated, passwordless login that is a key enabler for the countless secure automation processes that execute within enterprise networks globally.

Checking for existing SSH keys
Before you generate an SSH key, you can check to see if you have any existing SSH keys.

ls -al ~/.ssh

total 27
drwxr-xr-x 1 Cloud Architect 197121    0 May 16 09:39 ./
drwxr-xr-x 1 Cloud Architect 197121    0 May 10 14:40 ../
-rw-r--r-- 1 Cloud Architect 197121  419 May 16 09:39 githubaccount
-rw-r--r-- 1 Cloud Architect 197121  107 May 16 09:39 githubaccount.pub
-rw-r--r-- 1 Cloud Architect 197121 2675 Nov 11  2021 id_rsa
-rw-r--r-- 1 Cloud Architect 197121  585 Nov 11  2021 id_rsa.pub
-rw-r--r-- 1 Cloud Architect 197121 1422 Mar 18 16:50 known_hosts

The known_hosts file contains details of your remote hosts and their public keys.

Generating a new SSH key

$ ssh-keygen -t ed25519 -C "your_email@domain.com"

This creates a new SSH key, using the provided email as a label.

> Generating public/private algorithm key pair.

When you’re prompted to “Enter a file in which to save the key,” press Enter. This accepts the default file location.

> Enter a file in which to save the key (/c/Users/you/.ssh/id_algorithm):[Press enter]

Generating public/private ed25519 key pair.
Enter file in which to save the key (/c/userPath/.ssh/id_ed25519): /c/userPath/.ssh/githubaccount
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /c/userPath/.ssh/githubaccount
Your public key has been saved in /c/userPath/.ssh/githubaccount.pub
The key fingerprint is:
SHA256:CZaWiynl94Vk6dkqXXIBCnewmbgY6vhGnqeq8PrRmulQ git.user@domain.com
The key's randomart image is:
+--[ED25519 256]--+
|    .o..o+. o.   |
|. o .oo.+o o..   |
|oo +. .oo....o.  |
|=o..  .  + .o..  |
|o.=E   .S..o..   |
| *.     . + o    |
|o.+        o     |
|+*               |
|@*o              |
+----[SHA256]-----+

Cloud Architect@DESKTOP-ATCRUJV MINGW64 /c/Workdir/terraform
$

At the prompt, type a secure passphrase. For more information, see “Working with SSH key passphrases.”

> Enter passphrase (empty for no passphrase): [Type a passphrase]
> Enter same passphrase again: [Type passphrase again]

Copy the SSH public key to your clipboard.

If your SSH public key file has a different name than the example code, modify the filename to match your current setup. When copying your key, don’t add any newlines or whitespace.

Adding your SSH key to the ssh-agent
Before adding a new SSH key to the ssh-agent to manage your keys, you should have checked for existing SSH keys and generated a new SSH key.
If you have GitHub Desktop installed, you can use it to clone repositories and not deal with SSH keys.

Ensure the ssh-agent is running. You can use the “Auto-launching the ssh-agent” instructions in “Working with SSH key passphrases”, or start it manually:

# start the ssh-agent in the background
$ eval "$(ssh-agent -s)"
Agent pid 1304

$ clip < ~/.ssh/githubaccount.pub
# Copies the contents of the id_ed25519.pub file to your clipboard

In the "Access" section of the sidebar, click SSH and GPG keys.
Click New SSH key or Add SSH key.

add public ssh key to github

added new public ssh key to github successfully

create new repository on github

Create new Public Repository on GitHub

Create new Public Repository on GitHub

Testing your SSH connection
After you've set up your SSH key and added it to your account on GitHub.com, you can test your connection.

Enter the following:

$ ssh -T git@github.com
# Attempts to ssh to GitHub

You may see a warning like this:

> The authenticity of host 'github.com (IP ADDRESS)' can't be established.
> RSA key fingerprint is SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8.
> Are you sure you want to continue connecting (yes/no)?

Troubleshooting

$ ssh -vT git@github.com:remote-git-repo/azterraform.git
OpenSSH_8.8p1, OpenSSL 1.1.1l  24 Aug 2021
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: resolve_canonicalize: hostname github.com:remote-git-repo/azterraform.git is an unrecognised address
ssh: Could not resolve hostname github.com:remote-git-repo/azterraform.git: Name or service not known

Solutions are always in the problems

$ ssh -vT git@github.com:remote-git-repo/azterraform.git
OpenSSH_8.8p1, OpenSSL 1.1.1l  24 Aug 2021
debug1: Reading configuration data /c/userPath/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: resolve_canonicalize: hostname github.com:remote-git-repo/azterraform.git is an unrecognised address
ssh: Could not resolve hostname github.com:remote-git-repo/azterraform.git: Name or service not known

Add the following line to /etc/ssh/ssh_config file.

# Host *
#   StrictHostKeyChecking ask
#   IdentityFile ~/.ssh/id_rsa
#   IdentityFile ~/.ssh/id_dsa
#   IdentityFile ~/.ssh/id_ecdsa
#   IdentityFile ~/.ssh/id_ed25519
    IdentityFile ~/.ssh/githubaccount
#   Port 22
#   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
#   MACs hmac-md5,hmac-sha1,umac-64@openssh.com

Create the config file under ~/.ssh/ and add the following lines

Setup Your Local Working Environment

Clone your remote Repository - use git clone

$ git clone git@github.com:remote-git-repo/azterraform.git
Cloning into 'azterraform'...
remote: Enumerating objects: 6, done.
remote: Counting objects: 100% (6/6), done.
remote: Compressing objects: 100% (2/2), done.
Receiving objects: 100% (6/6), done.
remote: Total 6 (delta 0), reused 0 (delta 0), pack-reused 0
Cloud Architect@DESKTOP-ATCRUJV MINGW64 /c/Workdir/terraform (master)
$

Now begin to perform your functions

touch filename.tf

Add all items in your working directory using git add .

$ git add .

Commit your changes to your repo.

$ git commit -m "Version 1 - Files Created on Local PC"
[main 2f462f4] Version 1 - Files Created on Local PC
 1 file changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 main.tf

Remove Git from Folder

rm -rf .git

Configure Your Environment

Configure Deployment Parts

Create your vars.tf file

#Variable file used to store details of repetitive references
variable "location" {
  description = "availability zone that is a string type variable"
  type    = string
  default = "eastus2"
}

variable "prefix" {
  type    = string
  default = "emc-eus2-corporate"
}

Create your providers.tf file

#Variable file used to store details of repetitive references
variable "location" {
  type    = string
  default = "eastus2"
}

variable "prefix" {
  type    = string
  default = "emc-eus2-corporate"
}

In the next steps, we create the main.tf file and add the following cmdlets.

Create a virtual network

#Create virtual network and subnets
resource "azurerm_virtual_network" "emc-eus2-corporate-network-vnet" {
  name                = "emc-eus2-corporate-network-vnet"
  location            = azurerm_resource_group.emc-eus2-corporate-resources-rg.location
  resource_group_name = azurerm_resource_group.emc-eus2-corporate-resources-rg.name
  address_space       = ["172.20.0.0/16"]

  tags = {
    environment = "Production"
  }
}

Create a subnet

#Create subnet - presentation tier
resource "azurerm_subnet" "presentation-subnet" {
  name                 = "presentation-subnet"
  resource_group_name  = azurerm_resource_group.emc-eus2-corporate-resources-rg.name
  virtual_network_name = azurerm_virtual_network.emc-eus2-corporate-network-vnet.name
  address_prefixes     = ["172.20.1.0/24"]
}

#Create subnet - data access tier
resource "azurerm_subnet" "data-access-subnet" {
  name                 = "data-access-subnet"
  resource_group_name  = azurerm_resource_group.emc-eus2-corporate-resources-rg.name
  virtual_network_name = azurerm_virtual_network.emc-eus2-corporate-network-vnet.name
  address_prefixes     = ["172.20.2.0/24"]
}

Create a public IP address

#Create Public IP Address
resource "azurerm_public_ip" "emc-eus2-corporate-nic-01-pip" {
  name                = "emc-eus2-corporate-nic-01-pip"
  location            = azurerm_resource_group.emc-eus2-corporate-resources-rg.location
  resource_group_name = azurerm_resource_group.emc-eus2-corporate-resources-rg.name
  allocation_method   = "Dynamic"
}

Create a network security group and SSH inbound rule

# Create Network Security Group and rule
resource "azurerm_network_security_group" "emc-eus2-corporate-nsg" {
  name                = "emc-eus2-corporate-nsg"
  location            = azurerm_resource_group.emc-eus2-corporate-resources-rg.location
  resource_group_name = azurerm_resource_group.emc-eus2-corporate-resources-rg.name

  security_rule {
    name                       = "SSH"
    priority                   = 1001
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "22"
    source_address_prefix      = "*"
    destination_address_prefix = "*"
  }
}

Create a virtual network interface card

# Create network interface
resource "azurerm_network_interface" "corporate-webserver-vm-01-nic" {
  name                = "corporate-webserver-vm-01-nic"
  location            = azurerm_resource_group.emc-eus2-corporate-resources-rg.location
  resource_group_name = azurerm_resource_group.emc-eus2-corporate-resources-rg.name

  ip_configuration {
    name                          = "corporate-webserver-vm-01-nic-ip"
    subnet_id                     = azurerm_subnet.presentation-subnet.id
    private_ip_address_allocation = "Dynamic"
    public_ip_address_id          = azurerm_public_ip.corporate-webserver-vm-01-ip.id
  }
}

Connect the network security group to the network interface

# Connect the security group to the network interface
resource "azurerm_network_interface_security_group_association" "corporate-webserver-vm-01-nsg-link" {
  network_interface_id      = azurerm_network_interface.corporate-webserver-vm-01-nic.id
  network_security_group_id = azurerm_network_security_group.emc-eus2-corporate-nsg.id
}

Create a storage account for boot diagnostics

# Generate random text for a unique storage account name
resource "random_id" "randomId" {
  keepers = {
    # Generate a new ID only when a new resource group is defined
    resource_group = azurerm_resource_group.emc-eus2-corporate-resources-rg.name
  }
  byte_length = 8
}

Create a storage account for boot diagnostics

# Create storage account for boot diagnostics
resource "azurerm_storage_account" "corpwebservervm01storage" {
  name                     = "diag${random_id.randomId.hex}"
  location                 = azurerm_resource_group.emc-eus2-corporate-resources-rg.location
  resource_group_name      = azurerm_resource_group.emc-eus2-corporate-resources-rg.name
  account_tier             = "Standard"
  account_replication_type = "LRS"
}

Create SSH Key

# Create (and display) an SSH key
resource "tls_private_key" "linuxsrvuserprivkey" {
  algorithm = "RSA"
  rsa_bits  = 4096
}

Create a virtual machine

# Create virtual machine
resource "azurerm_linux_virtual_machine" "emc-eus2-corporate-webserver-vm-01" {
  name                  = "emc-eus2-corporate-webserver-vm-01"
  location              = azurerm_resource_group.emc-eus2-corporate-resources-rg.location
  resource_group_name   = azurerm_resource_group.emc-eus2-corporate-resources-rg.name
  network_interface_ids = [azurerm_network_interface.corporate-webserver-vm-01-nic.id]
  size                  = "Standard_DC1ds_v3"

  os_disk {
    name                 = "corpwebservervm01disk"
    caching              = "ReadWrite"
    storage_account_type = "Premium_LRS"
  }

  source_image_reference {
    publisher = "Canonical"
    offer     = "0001-com-ubuntu-server-focal"
    sku       = "20_04-lts-gen2"
    version   = "latest"
  }

  computer_name                   = "corporate-webserver-vm-01"
  admin_username                  = "linuxsrvuser"
  disable_password_authentication = true

  admin_ssh_key {
    username   = "linuxsrvuser"
    public_key = tls_private_key.linuxsrvuserprivkey.public_key_openssh
  }
}

Terraform Plan

The terraform plan command evaluates a Terraform configuration to determine the desired state of all the resources it declares, then compares that desired state to the real infrastructure objects being managed with the current working directory and workspace. It uses state data to determine which real objects correspond to which declared resources, and checks the current state of each resource using the relevant infrastructure provider’s API.

terraform plan

Terraform Apply

The terraform apply command performs a plan just like terraform plan does, but then actually carries out the planned changes to each resource using the relevant infrastructure provider’s API. It asks for confirmation from the user before making any changes, unless it was explicitly told to skip approval.

terraform apply

Command to find an image based on the SKU.

samuel@Azure:~$ az vm image list -s "2019-Datacenter" --output table
You are viewing an offline list of images, use --all to retrieve an up-to-date list
Offer          Publisher               Sku              Urn                                                          UrnAlias           Version
-------------  ----------------------  ---------------  -----------------------------------------------------------  -----------------  ---------
WindowsServer  MicrosoftWindowsServer  2019-Datacenter  MicrosoftWindowsServer:WindowsServer:2019-Datacenter:latest  Win2019Datacenter  latest
samuel@Azure:~$ 

samuel@Azure:~$ az vm image list -s "18.04-LTS" --output table
You are viewing an offline list of images, use --all to retrieve an up-to-date list
Offer         Publisher    Sku        Urn                                      UrnAlias    Version
------------  -----------  ---------  ---------------------------------------  ----------  ---------
UbuntuServer  Canonical    18.04-LTS  Canonical:UbuntuServer:18.04-LTS:latest  UbuntuLTS   latest

Command to find an image based on the Publisher.

samuel@Azure:~$ az vm image list -p "Microsoft" --output table
You are viewing an offline list of images, use --all to retrieve an up-to-date list
Offer          Publisher               Sku                                 Urn                                                                             UrnAlias                 Version
-------------  ----------------------  ----------------------------------  ------------------------------------------------------------------------------  -----------------------  ---------
WindowsServer  MicrosoftWindowsServer  2022-Datacenter                     MicrosoftWindowsServer:WindowsServer:2022-Datacenter:latest                     Win2022Datacenter        latest
WindowsServer  MicrosoftWindowsServer  2022-datacenter-azure-edition-core  MicrosoftWindowsServer:WindowsServer:2022-datacenter-azure-edition-core:latest  Win2022AzureEditionCore  latest
WindowsServer  MicrosoftWindowsServer  2019-Datacenter                     MicrosoftWindowsServer:WindowsServer:2019-Datacenter:latest                     Win2019Datacenter        latest

samuel@Azure:~$ az vm image list -p "Canonical" --output table
You are viewing an offline list of images, use --all to retrieve an up-to-date list
Offer         Publisher    Sku        Urn                                      UrnAlias    Version
------------  -----------  ---------  ---------------------------------------  ----------  ---------
UbuntuServer  Canonical    18.04-LTS  Canonical:UbuntuServer:18.04-LTS:latest  UbuntuLTS   latest

At this point, the required pieces to build a Linux Virtual Machine on Azure is complete. It’s time to test your code.

You can learn more from Hashicorp by visiting the following link.
This article was helpful in troubleshooting issues with the Ubuntu SKU.

Enable the IP Forwarding on the Network Interface of the VM in Azure

Enable the IP Forwarding in the VM

sudo sed -i 's/#net.ipv4.ip_forward=/net.ipv4.ip_forward=/' /etc/sysctl.conf
sudo sed -i 's/net.ipv4.ip_forward=0/net.ipv4.ip_forward=1/' /etc/sysctl.conf
sudo sed -i 's/#net.ipv6.conf.all.forwarding=/net.ipv6.conf.all.forwarding=/' /etc/sysctl.conf
sudo sed -i 's/net.ipv6.conf.all.forwarding=0/net.ipv6.conf.all.forwarding=1/' /etc/sysctl.conf
sudo sysctl -p

Add route on Route Table for outbound traffic via NVA on Azure

Associate Subnet to Route Table

Assess Network Topology to understand how traffic flow works

Check effective routes from the associate subnet network interfaces – in this guide, the presentation-tier vm

It appears that a route has been injected into our effective routes. But from the topology diagram above, there isn’t a known connection between the hub virtual network and the production virtual network.

Verify IP Flow with Azure Network Watcher

Access is found to be denied because there is no physical connection between the VNets. I will now go ahead to create a VNet to VNet Peering so the two networks can begin communicating.

create a virtual network peer from the hub to the spoke networks

Review the topology

Verify IP Flow to the NVA with Azure Network Watcher

Route Network Traffic with a Route Table and Network Virtual Appliance

In Windows

PS C:\> Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -Name IpEnableRouter -Value 1
PS C:\> New-NetFirewallRule -DisplayName "Allow ICMPv4-In" -Protocol ICMPv4

Name                  : {c66932ef-d397-4efc-83cd-75155dad403e}
DisplayName           : Allow ICMPv4-In
Description           :
DisplayGroup          :
Group                 :
Enabled               : True
Profile               : Any
Platform              : {}
Direction             : Inbound
Action                : Allow
EdgeTraversalPolicy   : Block
LooseSourceMapping    : False
LocalOnlyMapping      : False
Owner                 :
PrimaryStatus         : OK
Status                : The rule was parsed successfully from the store. (65536)
EnforcementStatus     : NotApplicable
PolicyStoreSource     : PersistentStore
PolicyStoreSourceType : Local



PS C:\>

As strain increases on a website or business application, eventually, a single server cannot support the full workload. To meet demand, organizations spread the workload over multiple servers. Called “load balancing,” this practice prevents a single server from becoming overworked, which could cause it to slow down, drop requests, and even crash.

Load balancing lets you evenly distribute network traffic to prevent failure caused by overloading a particular resource. This strategy improves the performance and availability of applications, websites, databases, and other computing resources. It also helps process user requests quickly and accurately.

Pre-requisites

• Resource Group
• Virtual Network
• Subnet
• Network Security Group

Create Resource Group

az group create --name resouceGroupName --location $location

Create Virtual Network and Subnet

az network vnet create \
		--resource-group resouceGroupName \
		--name virtualnetworkName \
		--address-prefixes 172.16.0.0/16 \
		--subnet-name subnetName \
		--subnet-prefixes 172.16.10.0/24

Create NSG on Azure and Inbound Rule

az network nsg create \
--resource-group resouceGroupName \
--name myNSG

Create NSG Inbound Rule

az network nsg rule create \
		--resource-group resouceGroupName \
		--nsg-name myNSG \
		--name myNSGRuleHTTP \
		--protocol '*' \
		--direction inbound \
		--source-address-prefix '*' \
		--source-port-range '*' \
		--destination-address-prefix '*' \
		--destination-port-range 80 \
		--access allow \
		--priority 200

Associate NSG to Subnet

azure network vnet subnet set --resource-group resouceGroupName \
		--vnet-name virtualnetworkName \
		--name subnetName \
		--network-security-group-name myNSG
	

Create Load Balancer

az network lb create \
		--resource-group resouceGroupName \
		--name myLoadBalancer \
		--sku Standard \
		--public-ip-address myPublicIP \
		--frontend-ip-name myFrontEnd \
		--backend-pool-name myBackEndPool

Create Frontend IP

az network public-ip create \
		--resource-group resouceGroupName \
		--name myPublicIP \
		--sku Standard \
		--zone 1 2 3

Create Backend Pool

array=(myNicVM1 myNicVM2)
  for vmnic in "${array[@]}"
  do
    az network nic ip-config address-pool add \
		--address-pool myBackendPool \
		--ip-config-name ipconfig1 \
		--nic-name $vmnic \
		--resource-group resouceGroupName \
		--lb-name myLoadBalancer
  done

Create Load Balancing Rules – Port 80 allows access to the webservers over HTTP

az network lb rule create \
		--resource-group resouceGroupName \
		--lb-name myLoadBalancer \
		--name myHTTPRule \
		--protocol tcp \
		--frontend-port 80 \
		--backend-port 80 \
		--frontend-ip-name myFrontEnd \
		--backend-pool-name myBackEndPool \
		--probe-name myHealthProbe \
		--disable-outbound-snat true \
		--idle-timeout 15 \
		--enable-tcp-reset true

Create Health Probes

az network lb probe create \
		--resource-group resouceGroupName \
		--lb-name myLoadBalancer \
		--name myHealthProbe \
		--protocol tcp \
		--port 80

Create Network Interfaces for VMs

array=(myNicVM1 myNicVM2)
  for vmnic in "${array[@]}"
  do
    az network nic create \
        --resource-group resouceGroupName \
        --name $vmnic \
        --vnet-name myVNet \
        --subnet myBackEndSubnet \
        --network-security-group myNSG
  done

Create Virtual Machines

Create Virtual Machine #1

az vm create --resource-group resouceGroupName \
		--name webservervm1 \
		--vnet-name virtualnetworkName  \
		--subnet subnetName \
		--nics myNicVM1 \
		--image "Canonical:UbuntuServer:20.04-LTS:latest" \
		--admin-username azureuser \
		--generate-ssh-keys

Create Virtual Machine #2

az vm create --resource-group resouceGroupName \
		--name webservervm1 \
		--vnet-name virtualnetworkName  \
		--subnet subnetName \
		--nics myNicVM2 \
		--image "Canonical:UbuntuServer:20.04-LTS:latest" \
		--admin-username azureuser \
		--generate-ssh-keys

Add virtual machines to load balancer backend pool

array=(myNicVM1 myNicVM2)
  for vmnic in "${array[@]}"
  do
    az network nic ip-config address-pool add \
		--address-pool myBackendPool \
		--ip-config-name ipconfig1 \
		--nic-name $vmnic \
		--resource-group resouceGroupName \
		--lb-name myLoadBalancer
  done

Option for Outbound Connectivity for your Virtual Machines – Outbound Rules

Outbound rules enable you to explicitly define SNAT (source network address translation) for a standard SKU public load balancer. This configuration allows you to use the public IP or IPs of your load balancer for outbound connectivity of the backend instances.

Create NAT gateway

az network public-ip create \
		--resource-group resouceGroupName \
		--name myNATgatewayIP \
		--sku Standard \
		--zone 1 2 3

Create NAT gateway resource
Use az network nat gateway create to create the NAT gateway resource. The public IP created in the previous step is associated with the NAT gateway.

az network nat gateway create \
		--resource-group resouceGroupName \
		--name myNATgateway \
		--public-ip-addresses myNATgatewayIP \
		--idle-timeout 10

Associate NAT gateway with subnet
Configure the source subnet in virtual network to use a specific NAT gateway resource with az network vnet subnet update.

az network vnet subnet update \
		--resource-group resouceGroupName \
		--vnet-name myVNet \
		--name myBackendSubnet \
		--nat-gateway myNATgateway

Install NGINX on Ubuntu Servers

sudo apt-get -y update
sudo apt-get -y install nginx

Use vim to edit the default debian page on Ubuntu
Browse to the location of the index file. Make sure you are a super user in order to make the changes.

Customise your nginx webserver for both virtual machines

cd /var/www/html/
alpha-weu-production-webservers-vm01:/var/www/html$ ls -ltra
total 12
drwxr-xr-x 3 root root 4096 Apr 23 16:18 ..
-rw-r--r-- 1 root root  672 Apr 23 17:08 index.nginx-debian.html
drwxr-xr-x 2 root root 4096 Apr 23 17:08 .
alpha-weu-production-webservers-vm01:/var/www/html$

Modify the Index file

Topology of your perfectly load balanced linux webservers

So here is the deal, I had a great affinity for Arduino until I fell in love with Python. My life has never been the same again. Aaahhh, do I need to ditch my Ardunio control boards to use a Raspberry Pi instead? How about all the interesting projects I made back then in Arduino? Could I not learn to code them in Python and just use my Python scripts to control them?

Things you’ll need;

• Personal Computer Linux | MAC | Windows with Arduino IDE.
• Arduino Board (I have used the Elegoo Uno Version here)
• USB cable for Arduino.
• Breadboard
• Jumper Wires
• LED Light
• Resistor

Step 1: Upload Standard Firmata on your Arduino board (Firmata is a serial communication protocol that can control the Arduino’s GPIO)
Files > Examples > Firmata > StandardFirmata (You will only need to upload this once).

What is Firmata

Firmata is an intermediate protocol that connects an embedded system to a host computer, and the protocol channel uses a serial port by default. The Arduino platform is the standard reference implementation for Firmata. The Arduino IDE comes with the support for Firmata.

This could work perfectly with Odyssey-X86 with its onboard Arduino Core meaning that you can control the Arduino Core simply using Firmata protocol with different programming languages too!

The Firmata library implements the Firmata protocol for communicating with software on the host computer. This allows you to write custom firmware without having to create your own protocol and objects for the programming environment that you are using.

To use this library
#include <Firmata.h>

Step 2:
Install PyFirmata on Ubuntu

pip3 install pyfirmata

Step 3:

Build your circuit. Roll your sleeves and get your jumper wires, resistor and LED together in a very simple circuit like the one below;

Schematic: How to wire up your circuit

Step 4: Write Your Python Blink LED Program

from pyfirmata import Arduino
import time

if __name__ == '__main__':
    board = Arduino('/dev/ttyACM1')
    print("Communication Successfully Initiated ")

    while True:
        board.digital[13].write(1)
        time.sleep(0.5)
        board.digital[13].write(0)
        time.sleep(0.5)

Full Code: Blink LED Python Program


from pyfirmata import Arduino, util
import time

while True:
board.digital[9].write(1)
time.sleep(0.5)
board.digital[9].write(0)
time.sleep(0.5)


Step 5 Hit Run and see it in action

Troubleshooting
Your USB connection to your Arduino board is disconnected if you see this sudden error;

raise SerialException('write failed: {}'.format(e))
serial.serialutil.SerialException: write failed: [Errno 5] Input/output error

Here you are, a step by step guide to get Python to control your GPIOs on Arduino. Hope this little project helps you on your journey to great electronics?

See more python projects like this fading led light project.

Network engineers do not only deal with physical network elements but in recent times have had to build virtual network infrastructure thanks to virtualisation to complement their network architecture and operations. Imagine you need to build a small Data Centre running DHCP using Microsoft Servers or use a Hypervisor to run a network appliance of any favourite vendor like Cisco, F5, Checkpoint, Palo and Fortigate, you need to have knowledge of virtualisation and today our focus is purely on the worlds renowned virtualisation platform, VMWare.

In this step by step guide, I am going to show you how to install VMWare Workstation on Ubuntu. This tutorial works for Ubuntu versions 12 and up. I am running the Desktop version of Ubuntu 20.04 in this post.

You will learn:

• How to install VMware Workstation prerequisites
• How to download VMware Workstation
• How to install VMware Workstation
• How to start VMware Workstation

Let us begin by downloading VMWare Workstation for Linux: Download VMWare Workstation for Linux

Figure 1.0 – Download VMWare Workstation Pro.

Figure 1.1 – Download VMWare Workstation Pro for Linux.

Step 1:
Always start with an update

$ sudo apt update

Step 2:
Install the Essentials

$ sudo apt install build-essential

Figure 1.1 – Install Build Essentials

Step 3:
Install all the required libraries

sudo apt install libcanberra-gtk-module
sudo apt install libaio1 libcanberra-gtk-module build-essential linux-headers &&  -$(uname -r)

dpkg -l | grep linux-headers 

Now, press Y and then press to confirm the installation.

How to Install VMWare Workstation 15 on ubuntu 20.04

Step 4:
Browse to the Downloads folder where the VMWare Workstation Installer was saved.

ubuntu-20.04-Desktop:/$ cd ~/Downloads/
VMware-Workstation-Full-15.5.2-15785246.x86_64.bundle

Locate Installer
Figure 1.2 – Once the VMware Workstation Pro installer is downloaded, navigate to the ~/Downloads directory with the following command:

Step 4b:

As you can see, the VMware Workstation Pro installer file is here. Copy the filename.
$ ls -lh

Figure 1.3 – Copy VMWare Workstation Bundle filename for the remainder of the steps

Temporarily disable host access control with the following command:

$ xhost +

Figure 1.4 – Disable Host Access Control.

Step 5:
Apply Permissions

$ chmod +x VMware-Workstation-Full-15.5.2-15785246.x86_64.bundle

Figure 1.5 – Use CHMOD +X to apply the appropriate permissions for the installer file VMware-Workstation-Full-15.5.2-15785246.x86_64.bundle

Step 6:
Begin Installation of VMWare Workstation Pro.
Locate the previously downloaded VMware Workstation PRO for Linux bundle file and begin the installation. Please note that the file name might be different:

$ sudo VMware-Workstation-Full-15.5.2-15785246.x86_64.bundle

Figure 1.6 – Install VMWare Workstation on Ubuntu

Begin the installation of the VMware Workstation PRO for Linux on Ubuntu 20.04
Be patient. Wait for the installation to finish.

Step 7:
Launch VMware Workstation Pro.

Congratulations, You have just successfully installed VMWare Workstation for Ubuntu.

Use a Trial Evaluation or apply license to enjoy the amazing virtualisation platform.

Sometimes, you may encounter issues with VMWare Workstation not able to run your virtual machines and throwing up a series of errors. Below are some very popular ones you are likely to encounter.

Error 1:
“Could not open /dev/vmmon: No such file or directory.
Please make sure that the kernel module `vmmon’ is loaded.”

Error 2:
“Failed to initialize monitor device.”

Error 3:
“Unable to change virtual machine power state: Transport (VMDB) error -14: Pipe connection has been broken.”

Apply the following commands to Troubleshoot these errors.

Generate key pairs for vmmon and vmnet components

1) sudo openssl req -new -x509 -newkey rsa:2048 -keyout VMWARE.priv -outform DER -out VMWARE.der -nodes -days 36500 -subj "/CN=VMware/"

Attach the generated key to the vmmon and vmnet components

2) sudo /usr/src/linux-headers-`uname -r`/scripts/sign-file sha256 ./VMWARE.priv ./VMWARE.der $(modinfo -n vmmon)
3) sudo /usr/src/linux-headers-`uname -r`/scripts/sign-file sha256 ./VMWARE.priv ./VMWARE.der $(modinfo -n vmnet)

4) sudo mokutil --import VMWARE.der

Create and confirm a password:

Test

5) mokutil --test-key VMWARE.der

A better fix as that has always worked for me is to Disable Secured Boot from Bios. That works very well.

Reboot PC and Enter Bios Menu

Disable Secured Boot

Reboot and then run:
sudo vmware-modconfig –console –install-all {Not always necessary but might be helpful}

Now that you have a fully working VMWare Workstation, let us build a quick lab by spinning up a Virtual Machine and working on a Network Address Translation lab as per this guide here: Configure NAT on Cisco and VyOS