CLI with the provided docker image
This section assume you already run:
git clone https://github.com/fortinet-solutions-cse/secured-AKS-refarch
cd secured-AKS-refarch
Run with the provided Docker image with all cli installed
docker run -v $PWD:/Azure/ -i --name az-aks-cli -h az-aks-cli -t fortinetsolutioncse/az-aks-cli
Type the rest of the commands in a shell inside this docker runtime.
optionnal
If like me you have internal SSL inspection you use the same image. (Curious check the code).
export FGTCA=$(base64 Fortinet_CA_SSL.cer -b0)
# this is for MacOS use -w0 on Linux
docker run -v $PWD:/Azure/ -e FGTCA -i --name az-aks-cli -h az-aks-cli -t fortinetsolutioncse/az-aks-cli
Fortigate and networks
You can customize region and name of the resource group if necessary (shared accounts for example). You must be able to manage service principals
Warning if you want to effectively change region you must update region parameter in myparameters.json file
az login
export GROUP_NAME="ftnt-demo-aks"
export REGION="westeurope"
./Step1-FortigateAndNetworks.sh
This deploy a single fortigate VM with predefined setup. To login to the fortigate use fgtadmin/Fortin3t-aks.
It can be replaced by a more advanced Fortigate in HA, scalable transit etc.. Depends on Fortinet generic blueprint : https://github.com/fortinet/azure-templates
AKS/ACR architecture
export GROUP_NAME="ftnt-demo-aks"
export REGION="westeurope"
./Step2-PrivateAKS.sh
This second part has been kept in a small script and readable commands so that you can check the differents steps and options by yourself more easily.
This deploy a jumphost VM in the transit area for convenience. A AKS with the following options:
- enable-private-cluster
- network-plugin azure
- generate-ssh-keys
- outbound-type userDefinedRouting
The result is a fully private setup (API and nodes) and ensuring there is firewall observability and prevention on outbound an inter-nodes traffic.
Fortigate setup
Apply configuration to the FGT. Replace the IP with the public IP of your fortigate. You may need to retry if experiencing a timeout.
ansible-playbook fgt-playbook.yaml -i hosts -e ansible_host=52.174.188.48
VPN to Fortigate
The Fortigate has been setup (Ansible) to accept a VPN IpSec to the environment. (recommended) Setup Forticlient IPSec client on your laptop with the public IP of the Fortigate:
- psk: Fortin3t-aks
- user: aks
- password: Fortin3t-aks
Access the environment
Kubectl commands should work after this stage.
Use AKS
Try to run kubectl commands:
kubectl cluster-info
If returning information you are good to go for the hands on demos part. It is an supported AKS so you can also follow AKS Tutorial
Optionnal
add Windows based nodepool
export GROUP_NAME="ftnt-demo-aks"
export REGION="westeurope"
./Step3-WindowsNodes.sh
Use Lens
Thanks to the vpn you can direclty and easily use Lens directly on you laptop.
Cleaning
Remove the resource group on the portal or:
az group delete -g $GROUP_NAME -y