Terraform/Azure/Site-to-Site-BGP-FW/files/vyos_01_user_data.tpl


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204

#cloud-config
vyos_config_commands:
    - set system host-name 'VyOS-01'
    - set system login banner pre-login 'Welcome to the VyOS on Azure'
    - set interfaces ethernet eth0 description 'OUTSIDE'
    - set interfaces ethernet eth1 description 'INSIDE'
    - set system name-server '${dns_1}'
    - set system name-server '${dns_2}'
    - set service dns forwarding name-server '${dns_1}'
    - set service dns forwarding listen-address '${vyos_01_priv_nic_ip}'
    - set service dns forwarding allow-from '${vnet_01_priv_subnet_prefix}'
    - set service dns forwarding no-serve-rfc1918
    - set nat source rule 10 outbound-interface name 'eth0'
    - set nat source rule 10 source address '${vnet_01_priv_subnet_prefix}'
    - set nat source rule 10 translation address 'masquerade'
    - set vpn ipsec interface 'eth0'
    - set vpn ipsec esp-group AZURE lifetime '3600'
    - set vpn ipsec esp-group AZURE mode 'tunnel'
    - set vpn ipsec esp-group AZURE pfs 'dh-group2'
    - set vpn ipsec esp-group AZURE proposal 1 encryption 'aes256'
    - set vpn ipsec esp-group AZURE proposal 1 hash 'sha1'
    - set vpn ipsec ike-group AZURE dead-peer-detection action 'restart'
    - set vpn ipsec ike-group AZURE dead-peer-detection interval '15'
    - set vpn ipsec ike-group AZURE dead-peer-detection timeout '30'
    - set vpn ipsec ike-group AZURE ikev2-reauth
    - set vpn ipsec ike-group AZURE key-exchange 'ikev2'
    - set vpn ipsec ike-group AZURE lifetime '28800'
    - set vpn ipsec ike-group AZURE proposal 1 dh-group '2'
    - set vpn ipsec ike-group AZURE proposal 1 encryption 'aes256'
    - set vpn ipsec ike-group AZURE proposal 1 hash 'sha1'
    - set vpn ipsec ike-group AZURE close-action start
    - set vpn ipsec option disable-route-autoinstall
    - set interfaces vti vti1 address '10.1.100.11/32'
    - set interfaces vti vti1 description 'Tunnel VyOS 02'
    - set interfaces vti vti1 ip adjust-mss '1350'
    - set protocols static route 10.2.100.11/32 interface vti1
    - set vpn ipsec authentication psk VyOS id '${public_ip_address_01}'
    - set vpn ipsec authentication psk VyOS id '${on_prem_public_ip_address}'
    - set vpn ipsec authentication psk VyOS secret 'ch00s3-4-s3cur3-psk'
    - set vpn ipsec site-to-site peer VyOS-02 authentication local-id '${public_ip_address_01}'
    - set vpn ipsec site-to-site peer VyOS-02 authentication mode 'pre-shared-secret'
    - set vpn ipsec site-to-site peer VyOS-02 authentication remote-id '${on_prem_public_ip_address}'
    - set vpn ipsec site-to-site peer VyOS-02 connection-type 'none'
    - set vpn ipsec site-to-site peer VyOS-02 description 'AZURE TUNNEL to VyOS on NET 02'
    - set vpn ipsec site-to-site peer VyOS-02 ike-group 'AZURE'
    - set vpn ipsec site-to-site peer VyOS-02 ikev2-reauth 'inherit'
    - set vpn ipsec site-to-site peer VyOS-02 local-address '${vyos_01_pub_nic_ip}'
    - set vpn ipsec site-to-site peer VyOS-02 remote-address '${on_prem_public_ip_address}'
    - set vpn ipsec site-to-site peer VyOS-02 vti bind 'vti1'
    - set vpn ipsec site-to-site peer VyOS-02 vti esp-group 'AZURE'
    - set protocols bgp system-as '${vnet_01_bgp_as_number}'
    - set protocols bgp address-family ipv4-unicast network ${vnet_01_priv_subnet_prefix}
    - set protocols bgp neighbor 10.2.100.11 remote-as '${on_prem_bgp_as_number}'
    - set protocols bgp neighbor 10.2.100.11 address-family ipv4-unicast soft-reconfiguration inbound
    - set protocols bgp neighbor 10.2.100.11 timers holdtime '30'
    - set protocols bgp neighbor 10.2.100.11 timers keepalive '10'
    - set protocols bgp neighbor 10.2.100.11 disable-connected-check
    - set firewall group network-group Local network '${vnet_01_priv_subnet_prefix}'
    - set firewall group port-group dns_ports port '53'
    - set firewall group port-group mail_ports port '110'
    - set firewall group port-group mail_ports port '25'
    - set firewall group port-group web_ports port '443'
    - set firewall group port-group web_ports port '8080'
    - set firewall group port-group web_ports port '80'
    - set firewall ipv4 forward filter default-action 'drop'
    - set firewall ipv4 forward filter rule 10 action 'accept'
    - set firewall ipv4 forward filter rule 10 state 'established'
    - set firewall ipv4 forward filter rule 10 state 'related'
    - set firewall ipv4 forward filter rule 11 action 'drop'
    - set firewall ipv4 forward filter rule 11 state 'invalid'
    - set firewall ipv4 forward filter rule 20 action 'accept'
    - set firewall ipv4 forward filter rule 20 description 'Allow ICMP'
    - set firewall ipv4 forward filter rule 20 icmp type-name 'echo-request'
    - set firewall ipv4 forward filter rule 20 inbound-interface name 'eth0'
    - set firewall ipv4 forward filter rule 20 protocol 'icmp'
    - set firewall ipv4 forward filter rule 20 state 'new'
    - set firewall ipv4 forward filter rule 30 action 'drop'
    - set firewall ipv4 forward filter rule 30 description 'Mitigate SSH brute-forcing'
    - set firewall ipv4 forward filter rule 30 destination port '22'
    - set firewall ipv4 forward filter rule 30 inbound-interface name 'eth0'
    - set firewall ipv4 forward filter rule 30 protocol 'tcp'
    - set firewall ipv4 forward filter rule 30 recent count '4'
    - set firewall ipv4 forward filter rule 30 recent time 'minute'
    - set firewall ipv4 forward filter rule 30 state 'new'
    - set firewall ipv4 forward filter rule 31 action 'accept'
    - set firewall ipv4 forward filter rule 31 description 'Allow SSH'
    - set firewall ipv4 forward filter rule 31 destination port '22'
    - set firewall ipv4 forward filter rule 31 inbound-interface name 'eth0'
    - set firewall ipv4 forward filter rule 31 protocol 'tcp'
    - set firewall ipv4 forward filter rule 31 state 'new'
    - set firewall ipv4 forward filter rule 120 action 'accept'
    - set firewall ipv4 forward filter rule 120 description 'LAN clients web requests to Web SRVs'
    - set firewall ipv4 forward filter rule 120 destination group port-group 'web_ports'
    - set firewall ipv4 forward filter rule 120 inbound-interface name 'eth1'
    - set firewall ipv4 forward filter rule 120 protocol 'tcp'
    - set firewall ipv4 forward filter rule 130 action 'accept'
    - set firewall ipv4 forward filter rule 130 description 'LAN clients ICMP'
    - set firewall ipv4 forward filter rule 130 icmp type-name 'echo-request'
    - set firewall ipv4 forward filter rule 130 inbound-interface name 'eth1'
    - set firewall ipv4 forward filter rule 130 state 'new'
    - set firewall ipv4 forward filter rule 140 action 'drop'
    - set firewall ipv4 forward filter rule 140 description 'Mitigate clients SSH brute-forcing'
    - set firewall ipv4 forward filter rule 140 destination port '22'
    - set firewall ipv4 forward filter rule 140 inbound-interface name 'eth1'
    - set firewall ipv4 forward filter rule 140 protocol 'tcp'
    - set firewall ipv4 forward filter rule 140 recent count '4'
    - set firewall ipv4 forward filter rule 140 recent time 'minute'
    - set firewall ipv4 forward filter rule 140 state 'new'
    - set firewall ipv4 forward filter rule 141 action 'accept'
    - set firewall ipv4 forward filter rule 141 description 'Allow clients SSH'
    - set firewall ipv4 forward filter rule 141 destination port '22'
    - set firewall ipv4 forward filter rule 141 inbound-interface name 'eth1'
    - set firewall ipv4 forward filter rule 141 protocol 'tcp'
    - set firewall ipv4 forward filter rule 141 state 'new'
    - set firewall ipv4 input filter default-action 'drop'
    - set firewall ipv4 input filter rule 10 action 'accept'
    - set firewall ipv4 input filter rule 10 description 'Allow established/related'
    - set firewall ipv4 input filter rule 10 state 'established'
    - set firewall ipv4 input filter rule 10 state 'related'
    - set firewall ipv4 input filter rule 11 action 'drop'
    - set firewall ipv4 input filter rule 11 state 'invalid'
    - set firewall ipv4 input filter rule 20 action 'accept'
    - set firewall ipv4 input filter rule 20 description 'WireGuard_IN'
    - set firewall ipv4 input filter rule 20 destination port '2224'
    - set firewall ipv4 input filter rule 20 inbound-interface name 'eth0'
    - set firewall ipv4 input filter rule 20 log
    - set firewall ipv4 input filter rule 20 protocol 'udp'
    - set firewall ipv4 input filter rule 30 action 'accept'
    - set firewall ipv4 input filter rule 30 description 'OpenVPN_IN'
    - set firewall ipv4 input filter rule 30 destination port '1194'
    - set firewall ipv4 input filter rule 30 inbound-interface name 'eth0'
    - set firewall ipv4 input filter rule 30 log
    - set firewall ipv4 input filter rule 30 protocol 'udp'
    - set firewall ipv4 input filter rule 40 action 'accept'
    - set firewall ipv4 input filter rule 40 description 'Allow ESP'
    - set firewall ipv4 input filter rule 40 inbound-interface name 'eth0'
    - set firewall ipv4 input filter rule 40 protocol 'esp'
    - set firewall ipv4 input filter rule 50 action 'accept'
    - set firewall ipv4 input filter rule 50 description 'Allow ISAKMP'
    - set firewall ipv4 input filter rule 50 destination port '500'
    - set firewall ipv4 input filter rule 50 inbound-interface name 'eth0'
    - set firewall ipv4 input filter rule 50 protocol 'udp'
    - set firewall ipv4 input filter rule 60 action 'accept'
    - set firewall ipv4 input filter rule 60 description 'IPSec NAT Traversal'
    - set firewall ipv4 input filter rule 60 destination port '4500'
    - set firewall ipv4 input filter rule 60 inbound-interface name 'eth0'
    - set firewall ipv4 input filter rule 60 protocol 'udp'
    - set firewall ipv4 input filter rule 70 action 'accept'
    - set firewall ipv4 input filter rule 70 description 'Allow L2TP'
    - set firewall ipv4 input filter rule 70 destination port '1701'
    - set firewall ipv4 input filter rule 70 inbound-interface name 'eth0'
    - set firewall ipv4 input filter rule 70 ipsec match-ipsec
    - set firewall ipv4 input filter rule 70 protocol 'udp'
    - set firewall ipv4 input filter rule 80 action 'accept'
    - set firewall ipv4 input filter rule 80 description 'Allow ICMP'
    - set firewall ipv4 input filter rule 80 icmp type-name 'echo-request'
    - set firewall ipv4 input filter rule 80 inbound-interface name 'eth0'
    - set firewall ipv4 input filter rule 80 protocol 'icmp'
    - set firewall ipv4 input filter rule 80 state 'new'
    - set firewall ipv4 input filter rule 90 action 'drop'
    - set firewall ipv4 input filter rule 90 description 'Mitigate SSH brute-forcing'
    - set firewall ipv4 input filter rule 90 destination port '22'
    - set firewall ipv4 input filter rule 90 inbound-interface name 'eth0'
    - set firewall ipv4 input filter rule 90 protocol 'tcp'
    - set firewall ipv4 input filter rule 90 recent count '4'
    - set firewall ipv4 input filter rule 90 recent time 'minute'
    - set firewall ipv4 input filter rule 90 state 'new'
    - set firewall ipv4 input filter rule 91 action 'accept'
    - set firewall ipv4 input filter rule 91 description 'Allow SSH'
    - set firewall ipv4 input filter rule 91 destination port '22'
    - set firewall ipv4 input filter rule 91 inbound-interface name 'eth0'
    - set firewall ipv4 input filter rule 91 protocol 'tcp'
    - set firewall ipv4 input filter rule 91 state 'new'
    - set firewall ipv4 input filter rule 140 action 'accept'
    - set firewall ipv4 input filter rule 140 description 'Allow ESP'
    - set firewall ipv4 input filter rule 140 inbound-interface name 'vti1'
    - set firewall ipv4 input filter rule 140 protocol 'esp'
    - set firewall ipv4 input filter rule 150 action 'accept'
    - set firewall ipv4 input filter rule 150 description 'Allow ISAKMP'
    - set firewall ipv4 input filter rule 150 destination port '500'
    - set firewall ipv4 input filter rule 150 inbound-interface name 'vti1'
    - set firewall ipv4 input filter rule 150 protocol 'udp'
    - set firewall ipv4 input filter rule 160 action 'accept'
    - set firewall ipv4 input filter rule 160 description 'IPSec NAT Traversal'
    - set firewall ipv4 input filter rule 160 destination port '4500'
    - set firewall ipv4 input filter rule 160 inbound-interface name 'vti1'
    - set firewall ipv4 input filter rule 160 protocol 'udp'
    - set firewall ipv4 input filter rule 170 action 'accept'
    - set firewall ipv4 input filter rule 170 description 'Allow L2TP'
    - set firewall ipv4 input filter rule 170 destination port '1701'
    - set firewall ipv4 input filter rule 170 inbound-interface name 'vti1'
    - set firewall ipv4 input filter rule 170 ipsec match-ipsec
    - set firewall ipv4 input filter rule 170 protocol 'udp'
    - set firewall ipv4 input filter rule 180 action 'accept'
    - set firewall ipv4 input filter rule 180 description 'Allow ICMP'
    - set firewall ipv4 input filter rule 180 icmp type-name 'echo-request'
    - set firewall ipv4 input filter rule 180 inbound-interface name 'vti1'
    - set firewall ipv4 input filter rule 180 protocol 'icmp'
    - set firewall ipv4 input filter rule 180 state 'new'
    - set firewall ipv4 input filter rule 190 action 'accept'
    - set firewall ipv4 input filter rule 190 description 'Allow BGP'
    - set firewall ipv4 input filter rule 190 destination port '179'
    - set firewall ipv4 input filter rule 190 inbound-interface name 'vti1'
    - set firewall ipv4 input filter rule 190 protocol 'tcp'