In this section:

This section describes the steps for creating a Standalone SBC SWe on Azure, starting with instructions for installing the Azure CLI tools.

Tip

All commands used in this document are part of the Azure CLI, and are executed with the basic/default settings. For complete information on the Azure CLI commands, refer to Microsoft Azure Documentation.

Install Azure CLI

Install Azure CLI in a Ubuntu/Debian Machine by executing the following command:

curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash

To install on Windows using the MSI, refer to Microsoft Azure Documentation.

Verify the installation by executing the following command to log on to your Azure subscription:

az login


Note

The Azure CLI uses the default subscription ID from your log in attempt. To a different subscription, add the  --subscription <subscription ID> option to each command.

Alternatively, change the subscription used by the CLI tools by executing the following command: az account set --subscription <SUBSCRIPTION NAME>

Configure Network

Before creating and configuring the SBC, you must configure your network on Azure by performing the steps given below.

Create Resource Group

Create a resource group by executing the following command:

Syntax

az group create --name <NAME> --location <LOCATION>


Example

az group create --name RBBN-SBC-RG --location eastus


Link all resources in Azure to a resource group.

Create a Virtual Network

To create the SBC, you need only one virtual network ('vnet') with all network interfaces attached to it. Ribbon recommends the address prefix size as 10.X.X.X/16. You can create the virtual network by executing the following command:

Syntax

az network vnet create --name <NAME> --address-prefixes <CIDR> --resource-group <RESOURCE-GROUP-NAME> --location <LOCATION>


Example

az network vnet create --name RibbonNet --address-prefixes 10.2.0.0/16 --resource-group RBBN-SBC-RG --location eastus

Create Network Security Group

Note

Refer to Creating Security Groups for SBC SWe in AWS for recommneded Security Group rules.


Security Groups define the set of rules to allow access to the Virtual Machines. Create a Security Group by executing the following command:

Syntax

az network nsg create --name <NAME> --resource-group <RESOURCE-GROUP-NAME> --location <LOCATION>


Example

az network nsg create --name RbbnSbcSG --resource-group RBBN-SBC-RG --location eastus


The Network Security Group includes the following default rules:

Standalone SBC on Azure - Default Network Security Group Rules

Create Rules

To allow access to the SBC, you can add more rules to the Network Security Group created above by executing the following command:

Syntax

az net nsg rule create --name <NAME>
					   --nsg-name <SECURITY GROUP NAME>
                       --resource-group <RESOURCE-GROUP-NAME>
                       --protocol <PROTOCOL>
                       --source-address-prefixes <IP>
                       --source-port-ranges <PORT RANGES>
                       --priority <PRIORITY NUMBER>
                       --direction <Inbound/Outbound>
                       --destination-port-ranges <DEST PORT RANGES>


Example

az network nsg rule create --name sshIn --nsg-name RbbnSbcSG --resource-group RBBN-SBC-RG --protocol tcp --source-address-prefixes 46.244.89.12 --source-port-ranges "*" --priority 127 --direction Inbound --destination-port-ranges 22


For detailed information on the parameters, refer to Microsoft Azure Documentation.

To allow access to the whole network, configure one outbound rule for each Network Security Group. For example:

az network nsg rule create --name vnetOutbound--nsg-name RbbnSbcSG --resource-group RBBN-SBC-RG --protocol "*" --source-address-prefixes "*" --source-port-ranges "*" --priority 100 --direction Outbound --destination-port-ranges "*" --destination-address-prefixes 10.2.0.0/16

Create Subnet

A Standalone SBC requires four subnets, as each interface on a VM requires its own subnet. Ribbon recommends the address prefix as 10.X.X.X/24. The subnets cover the following interfaces:

  • MGMT interface
  • HA interface
  • PKT0 interface
  • PKT1 interface

You can create a subnet by executing the following command:

Syntax

az network vnet subnet create --name <NAME>
                              --address-prefixes <CIDR>
                              --resource-group <RESOURCE-GROUP-NAME>
                              --vnet-name <VNET_NAME>
                              --network-security-group <SECURITY GROUP NAME>


Example

az network vnet subnet create --name mgmt --address-prefixes 10.2.0.0/24 --resource-group RBBN-SBC-RG --vnet-name RibbonNet --network-security-group RbbnSbcSG

User Assigned Managed Identities

The User Assigned Managed Identity allows authentication for requests to Azure servers, without storing any user credentials on the VM. It does this by creating a special 'Service Principal' account. The SBC requires the Identity to gather information about the resources attached to the VM.

Create User Assigned Managed Identity

Create a User Assigned Managed Identity by executing the following command:

Syntax

az identity create --name <NAME> --resource-group <RESOURCE-GROUP-NAME>


Example

az identity create --name rbbnUami --resource-group RBBN-SBC-RG

Create Role

Assign role to the Identity created above to allow it to access the resources it needs. A standalone SBC requires access to the following:

  • Microsoft.Compute/virtualMachines/*/read
  • Microsoft.Network/networkInterfaces/*/read
  • Microsoft.Network/publicIPAddresses/*/read
  • Microsoft.Network/virtualNetworks/subnets/*/read

To assign role, perform the following steps:

  1. Get your subscription IDs by executing the following command:

    az account show
  2. Create a JSON file containing the service roles:

    {
    	"Name": "<ROLE NAME>",
    	"Description" : "Service account roles for use with Ribbon SBCs",
    	"Actions" : [
    		"Microsoft.Compute/virtualMachines/*/read",
    		"Microsoft.Network/networkInterfaces/*/read",
    		"Microsoft.Network/publicIPAddresses/*/read",
    		"Microsoft.Network/virtualNetworks/subnets/*/read"
    	],
    	"AssignableScopes" : [
    		"/subscriptions/<SUBSCRIPTION ID>"
    	]
    }
    Tip

    Define scope at the subscription level.

  3. Execute the following command:

    az role definition create --role-definition <JSON FILE>

Assign Role to Identity

To assign role to an Identity, perform the following steps:

  1. Get the clientId for the Identity by executing the following command:

    az identity show --name < IDENTITY NAME> --resource-group <RESOURCE-GROUP-NAME>
  2. Get the id for the role by executing the following command:

    az role definition list --custom-role-only  --name <ROLE NAME>
  3. Assign the role by executing the following command:

    az role assignment create --assignee <IDENTITY clientId> --role <ROLE ID>


Create Storage Account

To store boot diagnostics, the SBC requires a storage account. This allows the use of the Serial Console.

Create a storage account by executing the following command:

Syntax

az storage account create --name <NAME> --resource-group <RESOURCE_GROUP_NAME> --kind storageV2


Example

az storage account create --name sbcdiagstore --resource-group RBBN-SBC-RG --kind storageV2


Note

The Azure Storage Account name allows 3-24 character. Use only lower-case letters and numbers.


Create SBC

To create the SBC on Azure, first create all resources separately by performing the steps below.

In order to create the SBC, you will need to the SBC image in Azure. Refer to Access and Share SBC Image in Azure.


Create Public IPs

The MGMT, PTK0 and PKT1 interfaces require Public IPs.

Create Public IPs by executing the following command:

Syntax

az network public-ip create --name <PUBLIC IP NAME> --resource-group <RESOURCE-GROUP-NAME> --allocation-method Static


Example

az network public-ip create --name sbc-mgmt-ip --resource-group RBBN-SBC-RG --allocation-method Static


Note

By default, Azure kills an inactive TCP connection after four minutes through a Public IP. To increase this time limit, add the flag --idle-timeout <MINUTES> (range: 4-30 minutes).


Create NICs

Refer to the topic "Configure NICs". 

User Data

The Standalone SBC requires the user data described in the topic SBC Userdata.

Create the VM

You cannot create the VM using the Aure Portal, as the portal does not allow attaching user data to unofficial images.

Note

You must create both SBC and HFE VMs within seconds of each other; otherwise, the application will fail to start and then require rebooting.

If the HFE node(s) are already created, when the SBC CREATE commands are run, simply reboot the HFE node(s) to make them work.

To create the VM, execute the following command:

az vm create --name <INSTANCE NAME> 
             --resource-group <RESOURCE_GROUP_NAME> 
             --admin-username linuxadmin 
             --custom-data <USER DATA JSON FILE> 
             --image <IMAGE NAME> 
             --location "<LOCATION>" 
             --os-disk-size-gb <DISK SIZE IN GB> 
             --size <INSTANCE SIZE> 
             --ssh-dest-key-path /home/linuxadmin/.ssh/authorized_keys 
             --ssh-key-values <PUBLIC SSH KEY FILENAME> 
             --nics <MGMT NIC NAME> <HA NIC NAME> <PKT0 NIC NAME> <PKT1 NIC NAME> 
             --boot-diagnostics-storage <STORAGE ACCOUNT NAME> 
             --assign-identity <USER ASSIGNED MANAGED IDENTITY ID>

The following table describes the flags:

VM Creation - Flags

FlagAccepted ValuesExampleDescription
name
rbbnSbcName of the instance; must be unique in the Resource Group.
resource-group
RBBN-SBC-RGName of the Resource Group.
admin--user-namelinuxadminlinuxadminThe default user. For the SBC, set as linuxadmin.
custom-dataUser Data JSON FileuserData.jsonLocation of the JSON file containing the user data.
image
/subscriptions/572e564f-87ea-4269-aadb-a14739637a31/resourceGroups/RBBN-SBC-DEV1/providers/Microsoft.Compute/galleries/RibbonAzureImageShare/images/SBX-09.00.00-PoCImage version URL from the Shared Image Gallery.
location
East USThe location of the host of the VM. For more information, refer to Microsoft Azure Documentation.
os-disk-size-gb65+65The size of the disk. The SBC requires a minimum of 65GB.
size
Standard_DS3_v2

This is the instance size. In AWS, it is known as 'Instance Type', and Openstack calls it 'flavor'. For more information on instance sizes, refer to Microsoft Azure Documentation.

The SBC requires a minimum of 3vCpus, 10GB RAM, and 4 NICs.

ssh-dest-key-path/home/linuxadmin/.ssh/authorized_keys/home/linuxadmin/.ssh/authorized_keysThe path for the SSH key added in the flag --ssh-key-values. This must be the linuxadmin admin path, as the SSH key is for linuxadmin.
ssh-key-valuesFile Name.azureSshKey.pub

A file that contains the public SSH key for accessing the linuxadmin user.

This can be retrieved by executing the following command: ssh-keygen -y -f azureSshKey.pem > azureSshKey.pub

Note: The Public Key must be in openSSH form: ssh-rsa XXX

nicsSpace separated listsbc-mgmt sbc-ha sbc-pkt0 sbc-pkt1The names of the NICs created in previous steps.
boot-diagnostics-storageStorage Account Name.sbcdiagstore

The storage account created in the previous steps for storing boot diagnostics. This allows the use of the serial console.

assign-identityUser Assigned Managed Identity ID/subscriptions/<SUBSCRIPTION ID>/resourceGroups/RBBN-SBC-RG/providers/Microsoft.ManagedIdentity/userAssignedIdentities/rbbnUami

This is ID for the User Assigned Managed Identity created in the previous steps.

You can retrieve it by executing the following command:

az identity show --name < IDENTITY NAME> --resource-group <RESOURCE-GROUP-NAME>


Configure SBC

To configure the SBC, perform the steps given below.

Configure PKT Ports

Configure the PKT ports using the SBC CLI. For example:

admin@sbc-10.2.2.12> conf
Entering configuration mode private
[ok][2019-10-04 09:04:15]

[edit]
admin@sbc-10.2.2.12% set addressContext default ipInterfaceGroup LIG1 ipInterface LIF1 portName pkt0 ipVarV4 IF2.IPV4 prefixVarV4 IF2.PrefixV4 mode inService state enabled
[ok][2019-10-04 09:04:46]

[edit]
admin@sbc-10.2.2.12% commit
Commit complete.
[ok][2019-10-04 09:04:50]

[edit]
admin@sbc-10.2.2.12% set addressContext default ipInterfaceGroup LIG2 ipInterface LIF2 portName pkt1 ipVarV4 IF3.IPV4 prefixVarV4 IF3.PrefixV4 mode inService state enabled
[ok][2019-10-04 09:04:58]

[edit]
admin@sbc-10.2.2.12% com
Commit complete.
[ok][2019-10-04 09:05:00]

[edit]
admin@sbc-10.2.2.12% set addressContext default staticRoute 0.0.0.0 0 <PKT0 SUBNET GATEWAY> LIG1 LIF1 preference 100
[ok][2019-10-04 09:05:11]

[edit]
admin@sbc-10.2.2.12% com
Commit complete.
[ok][2019-10-04 09:05:15]

[edit]
admin@sbc-10.2.2.12% set addressContext default staticRoute 0.0.0.0 0 <PKT1 SUBNET GATEWAY> LIG2 LIF2 preference 100
[ok][2019-10-04 09:05:22]

[edit]
admin@sbc-10.2.2.12% com
Commit complete.
[ok][2019-10-04 09:05:24]

[edit]
admin@sbc-10.2.2.12%

Note

The gateway IP address for the subnet is X.X.X.1


The correct configuration look similar to the following example:

admin@sbc-10.2.2.12> show table addressContext default staticRoute
                               IP
                               INTERFACE  IP
DESTINATION                    GROUP      INTERFACE              CE
IP ADDRESS   PREFIX  NEXT HOP  NAME       NAME       PREFERENCE  NAME
-----------------------------------------------------------------------
0.0.0.0      0       10.2.3.1  LIG1       LIF1       100         -
0.0.0.0      0       10.2.4.1  LIG2       LIF2       100         -
[ok][2019-10-04 09:16:47]
admin@sbc-10.2.2.12>
admin@sbc-10.2.2.12> show table addressContext default ipInterfaceGroup

                                                                                                                                                               IP      IP           IP
                      CE    PORT  IP               ALT IP   ALT                        DRYUP             BW           VLAN             IP VAR    PREFIX VAR    PUBLIC  VAR  PREFIX  PUBLIC
NAME  IPSEC     NAME  NAME  NAME  ADDRESS  PREFIX  ADDRESS  PREFIX  MODE       ACTION  TIMEOUT  STATE    CONTINGENCY  TAG   BANDWIDTH  V4        V4            VAR V4  V6   VAR V6  VAR V6
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
LIG1  disabled  LIF1  -     pkt0  -        -       -        -       inService  dryUp   60       enabled  0            -     0          IF2.IPV4  IF2.PrefixV4  -       -    -       -
LIG2  disabled  LIF2  -     pkt1  -        -       -        -       inService  dryUp   60       enabled  0            -     0          IF3.IPV4  IF3.PrefixV4  -       -    -       -
[ok][2019-10-04 09:18:35]

Sample Meta Variable Table

Example Meta Variable table for a standalone SBC is given below:

admin@sbc-10.2.2.12> show table system metaVariable
CE NAME        NAME          VALUE
--------------------------------------------
sbc-10.2.2.12  IF0.GWV4      10.2.0.1
sbc-10.2.2.12  IF0.IPV4      10.2.0.9
sbc-10.2.2.12  IF0.Port      Mgt0
sbc-10.2.2.12  IF0.RNat      True
sbc-10.2.2.12  IF1.GWV4      10.2.2.1
sbc-10.2.2.12  IF1.IPV4      10.2.2.12
sbc-10.2.2.12  IF1.Port      Ha0
sbc-10.2.2.12  IF1.RNat      True
sbc-10.2.2.12  IF2.GWV4      10.2.3.1
sbc-10.2.2.12  IF2.IPV4      10.2.3.10
sbc-10.2.2.12  IF2.Port      Pkt0
sbc-10.2.2.12  IF2.RNat      True
sbc-10.2.2.12  IF3.GWV4      10.2.4.1
sbc-10.2.2.12  IF3.IPV4      10.2.4.10
sbc-10.2.2.12  IF3.Port      Pkt1
sbc-10.2.2.12  IF3.RNat      True
sbc-10.2.2.12  IF0.FIPV4     13.82.233.180
sbc-10.2.2.12  IF2.FIPV4     13.82.190.231
sbc-10.2.2.12  IF3.FIPV4     13.82.191.251
sbc-10.2.2.12  IF0.PrefixV4  24
sbc-10.2.2.12  IF1.PrefixV4  24
sbc-10.2.2.12  IF2.PrefixV4  24
sbc-10.2.2.12  IF3.PrefixV4  24
[ok][2019-10-04 09:05:55]
admin@sbc-10.2.2.12>