This section describes the steps for creating a Standalone SBC SWe on Azure, starting with instructions for installing the Azure CLI tools.
All commands used in this document are part of the Azure CLI, and are executed with the basic/default settings. For complete information on the Azure CLI commands, refer to Microsoft Azure Documentation.
Install the Azure CLI on an Ubuntu/Debian machine by executing the following command:
curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
To install on Windows using the MSI, refer to Microsoft Azure Documentation.
Verify the installation by executing the following command to log on to your Azure subscription:
az login
The Azure CLI uses the default subscription ID from your login attempt. To use a different subscription, add the --subscription <subscription ID> option to each command.
Alternatively, change the subscription used by the CLI tools by executing the following command:
az account set --subscription <SUBSCRIPTION NAME>
Before creating and configuring the SBC, you must configure your network on Azure by performing the steps given below.
Create a resource group by executing the following command:
Syntax
az group create --name <NAME> --location <LOCATION>
Example
az group create --name RBBN-SBC-RG --location eastus
Link all resources in Azure to a resource group.
To create the SBC, you need only one virtual network ('vnet') with all network interfaces attached to it. Ribbon recommends an address prefix of the form 10.X.X.X/16. You can create the virtual network by executing the following command:
Syntax
az network vnet create --name <NAME> --address-prefixes <CIDR> --resource-group <RESOURCE-GROUP-NAME> --location <LOCATION>
Example
az network vnet create --name RibbonNet --address-prefixes 10.2.0.0/16 --resource-group RBBN-SBC-RG --location eastus
Refer to Creating Security Groups for SBC SWe in AWS for recommended Security Group rules.
Security Groups define the set of rules to allow access to the Virtual Machines. Create a Security Group by executing the following command:
Syntax
az network nsg create --name <NAME> --resource-group <RESOURCE-GROUP-NAME> --location <LOCATION>
Example
az network nsg create --name RbbnSbcSG --resource-group RBBN-SBC-RG --location eastus
The Network Security Group includes the following default rules:
To allow access to the SBC, you can add more rules to the Network Security Group created above by executing the following command:
Syntax
az network nsg rule create --name <NAME> --nsg-name <SECURITY GROUP NAME> --resource-group <RESOURCE-GROUP-NAME> --protocol <PROTOCOL> --source-address-prefixes <IP> --source-port-ranges <PORT RANGES> --priority <PRIORITY NUMBER> --direction <Inbound/Outbound> --destination-port-ranges <DEST PORT RANGES>
Example
az network nsg rule create --name sshIn --nsg-name RbbnSbcSG --resource-group RBBN-SBC-RG --protocol tcp --source-address-prefixes 46.244.89.12 --source-port-ranges "*" --priority 127 --direction Inbound --destination-port-ranges 22
For detailed information on the parameters, refer to Microsoft Azure Documentation.
To allow access to the whole network, configure one outbound rule for each Network Security Group. For example:
az network nsg rule create --name vnetOutbound --nsg-name RbbnSbcSG --resource-group RBBN-SBC-RG --protocol "*" --source-address-prefixes "*" --source-port-ranges "*" --priority 100 --direction Outbound --destination-port-ranges "*" --destination-address-prefixes 10.2.0.0/16
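The following check is an added example, not part of the Ribbon procedure: it lists inbound Allow rules that expose a given port to any source, so that a management rule such as sshIn stays restricted to known addresses. The function names and the sample rows are constructed, and the --query field names assume the flattened rule output of az network nsg rule list.

```shell
#!/bin/sh
# Added example: find NSG rules that open a port to any source address.

# Read rules as TSV (name, direction, access, source prefix, destination port range)
# on stdin and print the names of inbound Allow rules that expose port $1 to any source.
exposed_rules() {
  awk -F'\t' -v port="$1" '
    # True when a port range ("*", "22" or "1-1024") includes port p.
    function covers(range, p,   b) {
      if (range == "*") return 1
      if (split(range, b, "-") == 2) return (p + 0 >= b[1] + 0 && p + 0 <= b[2] + 0)
      return (range + 0 == p + 0)
    }
    $2 == "Inbound" && $3 == "Allow" &&
    ($4 == "*" || $4 == "0.0.0.0/0" || $4 == "Internet") && covers($5, port) { print $1 }'
}

# Constructed sample rows; sshIn mirrors the example rule created above.
sample_rules() {
  printf '%s\t%s\t%s\t%s\t%s\n' \
    sshIn Inbound Allow 46.244.89.12 22 \
    sshAny Inbound Allow '*' 22 \
    wideOpen Inbound Allow 0.0.0.0/0 1-1024 \
    sipIn Inbound Allow '*' 5060 \
    vnetOutbound Outbound Allow '*' '*'
}

# Audit a live NSG. $1 = NSG name, $2 = resource group, $3 = port
audit_nsg() {
  az network nsg rule list --nsg-name "$1" --resource-group "$2" \
    --query "[].[name,direction,access,sourceAddressPrefix,destinationPortRange]" -o tsv |
    exposed_rules "$3"
}

# Example: audit_nsg RbbnSbcSG RBBN-SBC-RG 22
```

An empty result means no inbound rule exposes the port to an unrestricted source; rules that use multiple source prefixes are not covered by this query.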
A Standalone SBC requires four subnets, as each interface on a VM requires its own subnet. Ribbon recommends an address prefix of the form 10.X.X.X/24. The subnets cover the following interfaces:
You can create a subnet by executing the following command:
Syntax
az network vnet subnet create --name <NAME> --address-prefixes <CIDR> --resource-group <RESOURCE-GROUP-NAME> --vnet-name <VNET_NAME> --network-security-group <SECURITY GROUP NAME>
Example
az network vnet subnet create --name mgmt --address-prefixes 10.2.0.0/24 --resource-group RBBN-SBC-RG --vnet-name RibbonNet --network-security-group RbbnSbcSG
The User Assigned Managed Identity allows authentication for requests to Azure servers, without storing any user credentials on the VM. It does this by creating a special 'Service Principal' account. The SBC requires the Identity to gather information about the resources attached to the VM.
Create a User Assigned Managed Identity by executing the following command:
Syntax
az identity create --name <NAME> --resource-group <RESOURCE-GROUP-NAME>
Example
az identity create --name rbbnUami --resource-group RBBN-SBC-RG
Assign a role to the Identity created above to allow it to access the resources it needs. A standalone SBC requires access to the following:
Microsoft.Compute/virtualMachines/*/read
Microsoft.Network/networkInterfaces/*/read
Microsoft.Network/publicIPAddresses/*/read
Microsoft.Network/virtualNetworks/subnets/*/read
To assign a role, perform the following steps:
Get your subscription IDs by executing the following command:
az account show
Create a JSON file containing the service roles:
{
    "Name": "<ROLE NAME>",
    "Description": "Service account roles for use with Ribbon SBCs",
    "Actions": [
        "Microsoft.Compute/virtualMachines/*/read",
        "Microsoft.Network/networkInterfaces/*/read",
        "Microsoft.Network/publicIPAddresses/*/read",
        "Microsoft.Network/virtualNetworks/subnets/*/read"
    ],
    "AssignableScopes": [
        "/subscriptions/<SUBSCRIPTION ID>"
    ]
}
Define scope at the subscription level.
Execute the following command:
az role definition create --role-definition <JSON FILE>
To assign the role to an Identity, perform the following steps:
Get the clientId for the Identity by executing the following command:
az identity show --name <IDENTITY NAME> --resource-group <RESOURCE-GROUP-NAME>
Get the id for the role by executing the following command:
az role definition list --custom-role-only --name <ROLE NAME>
Assign the role by executing the following command:
az role assignment create --assignee <IDENTITY clientId> --role <ROLE ID>
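The role steps above as one script, with a check that the custom role grants only read actions before it is created. This is an added example, not Ribbon's tooling: the function names, the role.json file name, the RbbnSbcRole placeholder and the explicit --scope argument are assumptions.

```shell
#!/bin/sh
# Added example: create and assign the read-only custom role for the SBC identity.

# Write the role definition file. $1 = subscription ID, $2 = role name, $3 = output file
render_role() {
  cat > "$3" <<EOF
{
  "Name": "$2",
  "Description": "Service account roles for use with Ribbon SBCs",
  "Actions": [
    "Microsoft.Compute/virtualMachines/*/read",
    "Microsoft.Network/networkInterfaces/*/read",
    "Microsoft.Network/publicIPAddresses/*/read",
    "Microsoft.Network/virtualNetworks/subnets/*/read"
  ],
  "AssignableScopes": [ "/subscriptions/$1" ]
}
EOF
}

# Succeed only if every "Actions" entry ends in /read.
# Expects one action per line, as render_role writes them. $1 = role JSON file
role_is_read_only() {
  acts=$(sed -n '/"Actions"/,/]/p' "$1" | grep -o '"[^"]*"' | grep -v '^"Actions"$')
  [ -n "$acts" ] || return 1
  ! printf '%s\n' "$acts" | grep -qv '/read"$'
}

# Run the procedure. $1 = role name, $2 = identity name, $3 = resource group
assign_sbc_role() {
  sub=$(az account show --query id -o tsv) || return 1
  render_role "$sub" "$1" role.json
  role_is_read_only role.json || { echo "role is not read-only" >&2; return 1; }
  az role definition create --role-definition role.json || return 1
  client_id=$(az identity show --name "$2" --resource-group "$3" --query clientId -o tsv)
  role_id=$(az role definition list --custom-role-only --name "$1" --query "[0].id" -o tsv)
  az role assignment create --assignee "$client_id" --role "$role_id" \
    --scope "/subscriptions/$sub"
}

# Example (role name is a placeholder): assign_sbc_role RbbnSbcRole rbbnUami RBBN-SBC-RG
```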
To store boot diagnostics, the SBC requires a storage account. This allows the use of the Serial Console.
Create a storage account by executing the following command:
Syntax
az storage account create --name <NAME> --resource-group <RESOURCE_GROUP_NAME> --kind storageV2
Example
az storage account create --name sbcdiagstore --resource-group RBBN-SBC-RG --kind storageV2
The Azure Storage Account name must be 3-24 characters long. Use only lower-case letters and numbers.
To create the SBC on Azure, first create all resources separately by performing the steps below.
To create the SBC, you need access to the SBC image in Azure. Refer to Access and Share SBC Image in Azure.
The MGMT, PKT0 and PKT1 interfaces require Public IPs.
Create Public IPs by executing the following command:
Syntax
az network public-ip create --name <PUBLIC IP NAME> --resource-group <RESOURCE-GROUP-NAME> --allocation-method Static
Example
az network public-ip create --name sbc-mgmt-ip --resource-group RBBN-SBC-RG --allocation-method Static
By default, Azure kills an inactive TCP connection after four minutes through a Public IP. To increase this time limit, add the flag --idle-timeout <MINUTES> (range: 4-30 minutes).
Refer to the topic "Configure NICs".
The Standalone SBC requires the user data described in the topic SBC Userdata.
You cannot create the VM using the Azure Portal, as the portal does not allow attaching user data to unofficial images.
You must create both SBC and HFE VMs within seconds of each other; otherwise, the application will fail to start and then require rebooting.
If the HFE node(s) are already created when the SBC CREATE commands are run, simply reboot the HFE node(s) to make them work.
To create the VM, execute the following command:
az vm create --name <INSTANCE NAME> --resource-group <RESOURCE_GROUP_NAME> --admin-username linuxadmin --custom-data <USER DATA JSON FILE> --image <IMAGE NAME> --location "<LOCATION>" --os-disk-size-gb <DISK SIZE IN GB> --size <INSTANCE SIZE> --ssh-dest-key-path /home/linuxadmin/.ssh/authorized_keys --ssh-key-values <PUBLIC SSH KEY FILENAME> --nics <MGMT NIC NAME> <HA NIC NAME> <PKT0 NIC NAME> <PKT1 NIC NAME> --boot-diagnostics-storage <STORAGE ACCOUNT NAME> --assign-identity <USER ASSIGNED MANAGED IDENTITY ID>
The following table describes the flags:
To configure the SBC, perform the steps given below.
Configure the PKT ports using the SBC CLI. For example:
admin@sbc-10.2.2.12> conf
Entering configuration mode private
[ok][2019-10-04 09:04:15]
[edit]
admin@sbc-10.2.2.12% set addressContext default ipInterfaceGroup LIG1 ipInterface LIF1 portName pkt0 ipVarV4 IF2.IPV4 prefixVarV4 IF2.PrefixV4 mode inService state enabled
[ok][2019-10-04 09:04:46]
[edit]
admin@sbc-10.2.2.12% commit
Commit complete.
[ok][2019-10-04 09:04:50]
[edit]
admin@sbc-10.2.2.12% set addressContext default ipInterfaceGroup LIG2 ipInterface LIF2 portName pkt1 ipVarV4 IF3.IPV4 prefixVarV4 IF3.PrefixV4 mode inService state enabled
[ok][2019-10-04 09:04:58]
[edit]
admin@sbc-10.2.2.12% com
Commit complete.
[ok][2019-10-04 09:05:00]
[edit]
admin@sbc-10.2.2.12% set addressContext default staticRoute 0.0.0.0 0 <PKT0 SUBNET GATEWAY> LIG1 LIF1 preference 100
[ok][2019-10-04 09:05:11]
[edit]
admin@sbc-10.2.2.12% com
Commit complete.
[ok][2019-10-04 09:05:15]
[edit]
admin@sbc-10.2.2.12% set addressContext default staticRoute 0.0.0.0 0 <PKT1 SUBNET GATEWAY> LIG2 LIF2 preference 100
[ok][2019-10-04 09:05:22]
[edit]
admin@sbc-10.2.2.12% com
Commit complete.
[ok][2019-10-04 09:05:24]
[edit]
admin@sbc-10.2.2.12%
The gateway IP address for the subnet is X.X.X.1.
The correct configuration looks similar to the following example:
admin@sbc-10.2.2.12> show table addressContext default staticRoute
                               IP
                               INTERFACE  IP
DESTINATION                    GROUP      INTERFACE              CE
IP ADDRESS   PREFIX  NEXT HOP  NAME       NAME       PREFERENCE  NAME
-----------------------------------------------------------------------
0.0.0.0      0       10.2.3.1  LIG1       LIF1       100         -
0.0.0.0      0       10.2.4.1  LIG2       LIF2       100         -
[ok][2019-10-04 09:16:47]
admin@sbc-10.2.2.12>
admin@sbc-10.2.2.12> show table addressContext default ipInterfaceGroup
                                                                                                                                                               IP      IP           IP
                      CE    PORT  IP               ALT IP   ALT                        DRYUP             BW           VLAN             IP VAR    PREFIX VAR    PUBLIC  VAR  PREFIX  PUBLIC
NAME  IPSEC     NAME  NAME  NAME  ADDRESS  PREFIX  ADDRESS  PREFIX  MODE       ACTION  TIMEOUT  STATE    CONTINGENCY  TAG   BANDWIDTH  V4        V4            VAR V4  V6   VAR V6  VAR V6
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
LIG1  disabled  LIF1  -     pkt0  -        -       -        -       inService  dryUp   60       enabled  0            -     0          IF2.IPV4  IF2.PrefixV4  -       -    -       -
LIG2  disabled  LIF2  -     pkt1  -        -       -        -       inService  dryUp   60       enabled  0            -     0          IF3.IPV4  IF3.PrefixV4  -       -    -       -
[ok][2019-10-04 09:18:35]
An example Meta Variable table for a standalone SBC is given below:
admin@sbc-10.2.2.12> show table system metaVariable
CE NAME        NAME          VALUE
--------------------------------------------
sbc-10.2.2.12  IF0.GWV4      10.2.0.1
sbc-10.2.2.12  IF0.IPV4      10.2.0.9
sbc-10.2.2.12  IF0.Port      Mgt0
sbc-10.2.2.12  IF0.RNat      True
sbc-10.2.2.12  IF1.GWV4      10.2.2.1
sbc-10.2.2.12  IF1.IPV4      10.2.2.12
sbc-10.2.2.12  IF1.Port      Ha0
sbc-10.2.2.12  IF1.RNat      True
sbc-10.2.2.12  IF2.GWV4      10.2.3.1
sbc-10.2.2.12  IF2.IPV4      10.2.3.10
sbc-10.2.2.12  IF2.Port      Pkt0
sbc-10.2.2.12  IF2.RNat      True
sbc-10.2.2.12  IF3.GWV4      10.2.4.1
sbc-10.2.2.12  IF3.IPV4      10.2.4.10
sbc-10.2.2.12  IF3.Port      Pkt1
sbc-10.2.2.12  IF3.RNat      True
sbc-10.2.2.12  IF0.FIPV4     13.82.233.180
sbc-10.2.2.12  IF2.FIPV4     13.82.190.231
sbc-10.2.2.12  IF3.FIPV4     13.82.191.251
sbc-10.2.2.12  IF0.PrefixV4  24
sbc-10.2.2.12  IF1.PrefixV4  24
sbc-10.2.2.12  IF2.PrefixV4  24
sbc-10.2.2.12  IF3.PrefixV4  24
[ok][2019-10-04 09:05:55]
admin@sbc-10.2.2.12>