Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Add_workflow_for_techpubs
AUTH1UserResourceIdentifier{userKey=8a00a0c86820e56901685f374974002d, userName='null'}
JIRAIDAUTHSBX-117834
REV5UserResourceIdentifier{userKey=8a00a02355cd1c2f0155cd26cb8305e9, userName='null'}
REV6UserResourceIdentifier{userKey=8a00a02355cd1c2f0155cd26cb8305e9, userName='null'}
REV3UserResourceIdentifier{userKey=8a00a0c87b4755e3017b4ba436730001, userName='null'}
REV1UserResourceIdentifier{userKey=8a00a02355cd1c2f0155cd26ccf9091c, userName='null'}

Table of Contents
maxLevel3

This section describes the steps for creating a Standalone SBC SWe on Azure, starting with instructions for installing the Azure CLI tools.

Tip
All commands used in this document are part of the Azure CLI. Use it with the basic/default settings. For complete information on the Azure CLI commands, refer to Microsoft Azure Documentation.

Install Azure CLI

Use the following command to install Azure CLI in a Ubuntu machine. Ensure that the user logged in has sudo permission to execute this command.

The Azure CLI version used for this documentation is 2.4624.

Code Block
curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash

To install on Windows using the MSI, refer to Microsoft Azure Documentation.

Verify the installation by logging on to your Azure subscription using the following command:

az login


Info
titleNote

The Azure CLI uses the default subscription ID from your log in attempt. To use a different subscription, add the  --subscription <subscription ID> option to each command.

Alternatively, change the subscription used by the CLI tools by using the following command: az account set --subscription <SUBSCRIPTION NAME>

Configure Network

Before creating and configuring the SBC, configure your network on Azure by performing the steps given below.

Create Resource Group

Create a resource group by using the following command:

Syntax

Code Block
az group create --name <NAME> --location <LOCATION>

Example

Code Block
az group create --name RBBN-SBC-RG --location eastus

Ensure all SBC resources in Azure are created in the same Resource Group.

Create a Virtual Network

To create the SBC, you need only one virtual network ('vnet') with all network interfaces attached to it. 

Spacevars
0company
recommends the address prefix size as 10.X.X.X/16. You can create the virtual network by using the following command:

Syntax

Code Block
az network vnet create --name <NAME> --address-prefixes <CIDR> --resource-group <RESOURCE-GROUP-NAME> --location <LOCATION>

Example

Code Block
az network vnet create --name RibbonNet --address-prefixes 10.2.0.0/16 --resource-group RBBN-SBC-RG --location eastus

Create Network Security Group

Info
titleNote

Refer to Common Public Cloud Security Group Rules for recommended Security Group rules.

Security Groups define the set of rules to allow access to the Virtual Machines. Use the following command to create a Security Group:

Syntax

Code Block
az network nsg create --name <NAME> --resource-group <RESOURCE-GROUP-NAME> --location <LOCATION>

Example

Code Block
az network nsg create --name RbbnSbcSG --resource-group RBBN-SBC-RG --location eastus

The Network Security Group includes the following default rules described in the figure below:

Create Rules

To allow access to the SBC, you should add more rules to the Network Security Group created above by using the following command for each rule:

Syntax

Code Block
az net nsg rule create --name <NAME>
                       --nsg-name <SECURITY GROUP NAME>
                       --resource-group <RESOURCE-GROUP-NAME>
                       --protocol <PROTOCOL>
                       --source-address-prefixes <IP>
                       --source-port-ranges <PORT RANGES>
                       --priority <PRIORITY NUMBER>
                       --direction <Inbound/Outbound>
                       --destination-port-ranges <DEST PORT RANGES>


Example

Code Block
az network nsg rule create --name sshIn --nsg-name RbbnSbcSG --resource-group RBBN-SBC-RG --protocol tcp --source-address-prefixes 46.244.89.12 --source-port-ranges "*" --priority 127 --direction Inbound --destination-port-ranges 22

For detailed information on the parameters, refer to Microsoft Azure Documentation.

To allow access to the whole network, configure one outbound rule for each Network Security Group. See example below.

Example

Code Block
az network nsg rule create --name vnetOutbound --nsg-name RbbnSbcSG --resource-group RBBN-SBC-RG --protocol "*" --source-address-prefixes "*" --source-port-ranges "*" --priority 100 --direction Outbound --destination-port-ranges "*" --destination-address-prefixes 10.2.0.0/16

Create Subnet

A Standalone SBC requires four subnets, as each interface on a VM requires its own subnet. Ribbon recommends the address prefix as 10.X.X.X/24. The subnets cover the following interfaces:

  • MGMT interface
  • HA interface
  • PKT0 interface
  • PKT1 interface

You can create a subnet by using the following command:

Syntax

Code Block
az network vnet subnet create --name <NAME>
                              --address-prefixes <CIDR>
                              --resource-group <RESOURCE-GROUP-NAME>
                              --vnet-name <VNET_NAME>
                              --network-security-group <SECURITY GROUP NAME>

Examples

Code Block
az network vnet subnet create --name mgmt --address-prefixes 10.2.0.0/24 --resource-group RBBN-SBC-RG --vnet-name RibbonNet --network-security-group mgmtRbbnSbcSG
 
az network vnet subnet create --name ha --address-prefixes 10.2.1.0/24 --resource-group RBBN-SBC-RG --vnet-name RibbonNet --network-security-group haRbbnSbcSG
 
az network vnet subnet create --name pkt0 --address-prefixes 10.2.2.0/24 --resource-group RBBN-SBC-RG --vnet-name RibbonNet --network-security-group pkt0RbbnSbcSG
 
az network vnet subnet create --name pkt1 --address-prefixes 10.2.3.0/24 --resource-group RBBN-SBC-RG --vnet-name RibbonNet --network-security-group pky1RbbnSbcSG

User Assigned Managed Identities

The User Assigned Managed Identity allows authentication for requests to Azure servers, without storing any user credentials on the VM. It does this by creating a special 'Service Principal' account. The SBC requires the Identity to gather information about the resources attached to the VM.

Create User Assigned Managed Identity

Create a User Assigned Managed Identity by using the following command with "Owner" permissions:

Syntax

Code Block
az identity create --name <NAME> --resource-group <RESOURCE-GROUP-NAME>

Example

Code Block
az identity create --name rbbnUami --resource-group RBBN-SBC-RG

Create Role

Assign roles to the Managed Identity created above to allow it to access the resources it needs. This can be achieved by creating a definition with custom roles.

A standalone SBC requires access to the following roles:

  • Microsoft.Compute/virtualMachines/*/read
  • Microsoft.Network/networkInterfaces/*/read
  • Microsoft.Network/publicIPAddresses/*/read
  • Microsoft.Network/virtualNetworks/subnets/*/read

To assign roles, perform the following steps:

  1. Get your subscription IDs by using the following command and extracting the "id" from the output of the show command:

    Code Block
    az account show



  2. Create a JSON file <filename.json> containing the service roles:

    Code Block
    {
        "Name": "<ROLE NAME>",
        "Description" : "Service account roles for use with Ribbon SBCs",
        "Actions" : [
            "Microsoft.Compute/virtualMachines/*/read",
            "Microsoft.Network/networkInterfaces/*/read",
            "Microsoft.Network/publicIPAddresses/*/read",
            "Microsoft.Network/virtualNetworks/subnets/*/read"
        ],
        "AssignableScopes" : [
            "/subscriptions/<SUBSCRIPTION ID>"
        ]
    }


    Tip
    titleTip

    Define scope at the subscription level.


  3. To create the custom role definition, use the following command:

Syntax

Code Block
az role definition create --role-definition <JSON FILE>

Example

Code Block
az role definition create --role-definition role_definition.json

Retrieve User Assigned Managed Identity Information

To assign a role to an Identity, extract the "clientId" and "Role id" by performing the following steps:

To get the "clientId" for the Managed Identity, use the following command:

Code Block
az identity show --name <MANAGED IDENTITY NAME> --resource-group <RESOURCE-GROUP-NAME>


Example

Code Block
az identity show --name rbbnUami --resource-group RBBN-SBC-RG

To get the "Role id" , use the following command and extract the full "id" from the output of the command.

Use the "Name" for from the JSON file created to use as the "Role Name" in the command:

Syntax

Code Block
az role definition list --custom-role-only --name <ROLE NAME>

Example

Code Block
az role definition list --custom-role-only --name ServiceRolesDefinition

Assign Role to Identity

To assign a role to an Identity, extract the "clientId" and "Role id" by performing the following steps:

To get the "clientId" for the Managed Identity, use the following command:

Code Block
az identity show --name <MANAGED IDENTITY NAME> --resource-group <RESOURCE-GROUP-NAME>


Example

Code Block
az identity show --name rbbnUami --resource-group RBBN-SBC-RG


To get the "Role id" , use the following command and extract the full "id" from the output of the command.

Use the "Name" for from the JSON file created to use as the "Role Name" in the command:

Syntax

Code Block
az role definition list --custom-role-only --name <ROLE NAME>

Example

Code Block
az role definition list --custom-role-only --name ServiceRolesDefinition


To assign the Managed Identity, use the following command:

Syntax

Code Block
az role assignment create --assignee <clientId> --role <ROLE ID>


Example
Code Block
az role assignment create --assignee xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx --role /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/providers/Microsoft.Authorization/roleDefinitions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

Create Storage Account

To store boot diagnostics, the SBC requires a storage account. This allows the use of the Serial Console. It is recommended to use the "storageV2" as the type for the storage account.

To create a storage account, use the following command:

Syntax

Code Block
az storage account create --name <NAME> --resource-group <RESOURCE_GROUP_NAME> --kind storageV2

Example

Code Block
az storage account create --name rbbnsbcstorage --resource-group RBBN-SBC-RG --kind storageV2


Info
titleNote

The Azure Storage Account name allows 3-24 characters. Use only lower-case letters and numbers. Special characters are not allowed.

Create SBC

To create the SBC on Azure, first create all resources separately by performing the steps below.

Info
titleNote

In order to create the SBC, you will need the SBC image in Azure. Refer to Access and Share SBC Image in Azure.

Create Public IPs

The MGMT, PKT0 and PKT1 interfaces all require Public IPs.

Create the Public IPs by using the following commands:

Syntax

Code Block
az network public-ip create --name <PUBLIC IP NAME> --resource-group <RESOURCE-GROUP-NAME> --allocation-method Static


Examples

Code Block
az network public-ip create --name sbc-mgmt-ip --resource-group RBBN-SBC-RG --allocation-method Static

az network public-ip create --name sbc-pkt0-ip --resource-group RBBN-SBC-RG --allocation-method Static

az network public-ip create --name sbc-pkt1-ip --resource-group RBBN-SBC-RG --allocation-method Static


Info
titleNote

By default, Azure kills an inactive TCP connection after four minutes through a Public IP. To increase this time limit, add the flag --idle-timeout <MINUTES> (range: 4-30 minutes).

Configure NICs

The SBC requires 4 NICs, each attached to a individual subnet for MGMT, HA, PKT0 and PKT1.

To create a standard NIC, use the following syntax:

Syntax

Code Block
az network nic create --name <NIC NAME>
                      --resource-group <RESOURCE GROUP NAME>
                      --vnet-name <VIRTUAL NETWORK NAME>
                      --subnet <SUBNET NAME>
                      --network-security-group <SECURITY GROUP NAME>
                      --public-ip-address <PUBLIC IP ADDRESS>
                      --accelerated-networking true

Example

Code Block
az network nic create --name <NIC NAME> --resource-group <RESOURCE_GROUP_NAME> --vnet-name <VNET_NAME> --subnet <SUBNET_NAME> --network-security-group <NET_SEC_GROUP> --public-ip-address <PUBLIC_IP_ADDRESS> --accelerated-networking true


Info
titleNote
The HA does not require a public IP interface when configuring the NIC.


Code Block
az network nic create --name sbc1-nic-mgmt --resource-group RBBN-SBC-RG --vnet-name RibbonNet --subnet SubnetMgmt --network-security-group RbbnSbcSG --public-ip-address sbc-mgmt-ip
az network nic create --name sbc1-nic-ha --resource-group RBBN-SBC-RG --vnet-name RibbonNet --subnet SubnetHA --network-security-group RbbnSbcSG
az network nic create --name sbc1-nic-pkt0 --resource-group RBBN-SBC-RG --vnet-name RibbonNet --subnet SubnetPkt0 --network-security-group RbbnSbcSG --public-ip-address sbc-pkt0-ip
az network nic create --name sbc1-nic-pkt1 --resource-group RBBN-SBC-RG --vnet-name RibbonNet --subnet SubnetPkt1 --network-security-group RbbnSbcSG --public-ip-address sbc-pkt1-ip

SBC Userdata

The Standalone SBC requires the following Userdata, which will be stored in a JSON file and called when creating the VM.

Standalone SBC - User Data

Key

Allow Values

Description

CENameN/A

Specifies the actual CE name of the SBC instance.

CEName Requirements:

  • Must start with an alphabetic character.

  • Contain only alphabetic characters and/or numbers; no special characters are allowed.

  • Cannot exceed 64 characters in length.

ReverseNatPkt0True/FalseRequires True for standalone SBC
ReverseNatPkt1True/FalseRequires True for standalone SBC

SystemName

N/A

Specifies the System Name of the SBC instances.

SystemName Requirements:

  • Must start with an alphabetic character.

  • Contain only alphabetic characters and/or numbers; no special characters are allowed.

  • Cannot exceed 26 characters in length.

  • Must be the same on both peers CEs.

SbcPersonalityType

isbc

The name of the SBC personality type for this instance. Currently, Ribbon supports only Integrated SBC (I-SBC).

Specifies the System Name of the SBC instances.

SystemName Requirements:

  • Must start with an alphabetic character.

  • Contain only alphabetic characters and/or numbers; no special characters are allowed.

  • Cannot exceed 26 characters in length.

  • Must be the same on both peers CEs.

AdminSshKey

ssh-rsa ...

Public SSH Key to access the admin user; must be in the form ssh-rsa ...

ThirdPartyCpuAlloc0-4

(Optional) Number of CPUs segregated for use with non-Ribbon applications.

Restrictions:

ThirdPartyMemAlloc0-4096

(Optional) Amount of memory (in MB) that segregated out for use with non Ribbon applications.

Restrictions:

    • 0-4096 CPUs
    • Both ThirdPartCpuAlloc and ThirdPartyMemAlloc must be configured.
    • The configuration must match between peer instances


Create a JSON file (userdata.json) using the following Standalone SBC structure:

Code Block
{    "CEName" : "<SBC CE NAME>",
    "ReverseNatPkt0" : "True",
    "ReverseNatPkt1" : "True",
    "SystemName" : "<SYSTEM NAME>",
    "SbcPersonalityType": "isbc",
    "AdminSshKey" : "<ssh-rsa ...>",
    "ThirdPartyCpuAlloc" : "<0-4>",
    "ThirdPartyMemAlloc" : "<0-4096>"
}


Note
titleCaution
  • The SBC requires user data in a valid JSON format. If the user-data is not a valid JSON, the instance shuts down immediately.
  • You cannot update user data on VMs in the Azure framework.

Create the Virtual Machine

You cannot create the Virtual Machine (VM) using the Azure Portal, as the portal does not allow attaching user data to unofficial images.

To create the VM, use the following command:

Code Block
az vm create --name <INSTANCE NAME>
             --resource-group <RESOURCE_GROUP_NAME>
             --admin-username linuxadmin
             --custom-data <USER DATA JSON FILE>
             --image "<IMAGE NAME>"
             --location "<LOCATION>"
             --os-disk-size-gb <DISK SIZE IN GB>
             --size <INSTANCE SIZE>
             --ssh-dest-key-path /home/linuxadmin/.ssh/authorized_keys
             --ssh-key-values <PUBLIC SSH KEY FILENAME>
             --nics <MGMT NIC NAME> <HA NIC NAME> <PKT0 NIC NAME> <PKT1 NIC NAME>
             --boot-diagnostics-storage <STORAGE ACCOUNT NAME>
             --assign-identity <USER ASSIGNED MANAGED IDENTITY ID>


The following table describes the flags:

VM Creation - Flags

Flag

Accepted Values

Example

Description

name
rbbnSbcName of the instance; must be unique in the Resource Group.
resource-group
RBBN-SBC-RGName of the Resource Group.
admin-usernamelinuxadminlinuxadminThe default user. For the SBC, set as linuxadmin.
custom-dataUser Data JSON FileuserData.jsonLocation of the JSON file containing the user data.
image

"/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx/resourceGroups/RBBN-SBC-RG/providers/Microsoft.Compute/images/rbbn-sbc-v10.01.00.img"

Image recourse ID created from Access and Share SBC Image in Azure. The image and storage account is in the same region.
location
"East US"The location of the host of the VM. For more information, refer to Microsoft Azure Documentation.
os-disk-size-gb65+65The size of the disk. The SBC requires a minimum of 65GB.
size
Standard_D8s_v3

This is the instance size. In AWS, it is known as 'Instance Type', and Openstack calls it 'flavor'. For more information on instance sizes, refer to Microsoft Azure Documentation.

The SBC requires a minimum of 3vCpus, 10GB RAM, and 4 NICs.

ssh-dest-key-path/home/linuxadmin/.ssh/authorized_keys/home/linuxadmin/.ssh/authorized_keysThe path for the SSH key added in the flag --ssh-key-values. This must be the linuxadmin admin path, as the SSH key is for linuxadmin.
ssh-key-valuesFile Name.azureSshKey.pub

A file that contains the public SSH key for accessing the linuxadmin user.

This can be retrieved by using the following command: ssh-keygen -y -f azureSshKey.pem > azureSshKey.pub

Note: The Public Key must be in openSSH form: ssh-rsa XXX

nicsSpace separated listsbc1-nic-mgmt sbc1-nic-ha sbc1-nic-pkt0 sbc1-nic-pkt1The names of the NICs created in previous steps.
boot-diagnostics-storageStorage Account Name.rbbnsbcstorage

The storage account created in the previous steps for storing boot diagnostics. This allows the use of the serial console.

assign-identityUser Assigned Managed Identity ID/subscriptions/<SUBSCRIPTION ID>/resourceGroups/RBBN-SBC-RG/providers/Microsoft.ManagedIdentity/userAssignedIdentities/rbbnUami

This is ID for the User Assigned Managed Identity created in the previous steps.

You can retrieve it by using the following command:

az identity show --name < IDENTITY NAME> --resource-group <RESOURCE-GROUP-NAME>

See Retrieve User Assigned Managed Identity Information.

Configure SBC

To configure the Standalone SBC, perform the following SBC CLI configuration steps.

Configure PKT Ports

Configure the PKT ports using the SBC CLI.

Example

admin@sbc-10.2.2.12> conf
Entering configuration mode private
[ok][2019-10-04 09:04:15]
 
[edit]
admin@sbc-10.2.2.12% set addressContext default ipInterfaceGroup LIG1 ipInterface LIF1 portName pkt0 ipVarV4 IF2.IPV4 prefixVarV4 IF2.PrefixV4 mode inService state enabled
[ok][2019-10-04 09:04:46]
 
[edit]
admin@sbc-10.2.2.12% commit
Commit complete.
[ok][2019-10-04 09:04:50]
 
[edit]
admin@sbc-10.2.2.12% set addressContext default ipInterfaceGroup LIG2 ipInterface LIF2 portName pkt1 ipVarV4 IF3.IPV4 prefixVarV4 IF3.PrefixV4 mode inService state enabled
[ok][2019-10-04 09:04:58]
 
[edit]
admin@sbc-10.2.2.12% com
Commit complete.
[ok][2019-10-04 09:05:00]
 
[edit]
admin@sbc-10.2.2.12% set addressContext default staticRoute 0.0.0.0 0 <PKT0 SUBNET GATEWAY> LIG1 LIF1 preference 100
[ok][2019-10-04 09:05:11]
 
[edit]
admin@sbc-10.2.2.12% com
Commit complete.
[ok][2019-10-04 09:05:15]
 
[edit]
admin@sbc-10.2.2.12% set addressContext default staticRoute 0.0.0.0 0 <PKT1 SUBNET GATEWAY> LIG2 LIF2 preference 100
[ok][2019-10-04 09:05:22]
 
[edit]
admin@sbc-10.2.2.12% com
Commit complete.
[ok][2019-10-04 09:05:24]
 
[edit]
admin@sbc-10.2.2.12%


Info
titleNote

The gateway IP address is the second IP in the CIDR

Example:

    For Subnet = 10.0.0.0/24 the Gateway = 10.0.0.1

    For Subnet = 10.0.0.128/27 the Gateway = 10.0.0.129

The correct SBC CLI configuration will look similar to the following:

admin@sbc-10.2.2.12> show table addressContext default staticRoute
                               IP
                               INTERFACE  IP
DESTINATION                    GROUP      INTERFACE              CE
IP ADDRESS   PREFIX  NEXT HOP  NAME       NAME       PREFERENCE  NAME
-----------------------------------------------------------------------
0.0.0.0      0       10.2.3.1  LIG1       LIF1       100         -
0.0.0.0      0       10.2.4.1  LIG2       LIF2       100         -
[ok][2019-10-04 09:16:47]
admin@sbc-10.2.2.12>
admin@sbc-10.2.2.12> show table addressContext default ipInterfaceGroup
 
                                                                                                                                                               IP      IP           IP
                      CE    PORT  IP               ALT IP   ALT                        DRYUP             BW           VLAN             IP VAR    PREFIX VAR    PUBLIC  VAR  PREFIX  PUBLIC
NAME  IPSEC     NAME  NAME  NAME  ADDRESS  PREFIX  ADDRESS  PREFIX  MODE       ACTION  TIMEOUT  STATE    CONTINGENCY  TAG   BANDWIDTH  V4        V4            VAR V4  V6   VAR V6  VAR V6
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
LIG1  disabled  LIF1  -     pkt0  -        -       -        -       inService  dryUp   60       enabled  0            -     0          IF2.IPV4  IF2.PrefixV4  -       -    -       -
LIG2  disabled  LIF2  -     pkt1  -        -       -        -       inService  dryUp   60       enabled  0            -     0          IF3.IPV4  IF3.PrefixV4  -       -    -       -
[ok][2019-10-04 09:18:35]

Sample Meta Variable Table

Example Meta Variable table for a Standalone SBC is given below:

admin@sbc-10.2.2.12> show table system metaVariable
CE NAME        NAME          VALUE
--------------------------------------------
sbc-10.2.2.12  IF0.GWV4      10.2.0.1
sbc-10.2.2.12  IF0.IPV4      10.2.0.9
sbc-10.2.2.12  IF0.Port      Mgt0
sbc-10.2.2.12  IF0.RNat      True
sbc-10.2.2.12  IF1.GWV4      10.2.2.1
sbc-10.2.2.12  IF1.IPV4      10.2.2.12
sbc-10.2.2.12  IF1.Port      Ha0
sbc-10.2.2.12  IF1.RNat      True
sbc-10.2.2.12  IF2.GWV4      10.2.3.1
sbc-10.2.2.12  IF2.IPV4      10.2.3.10
sbc-10.2.2.12  IF2.Port      Pkt0
sbc-10.2.2.12  IF2.RNat      True
sbc-10.2.2.12  IF3.GWV4      10.2.4.1
sbc-10.2.2.12  IF3.IPV4      10.2.4.10
sbc-10.2.2.12  IF3.Port      Pkt1
sbc-10.2.2.12  IF3.RNat      True
sbc-10.2.2.12  IF0.FIPV4     13.82.233.180
sbc-10.2.2.12  IF2.FIPV4     13.82.190.231
sbc-10.2.2.12  IF3.FIPV4     13.82.191.251
sbc-10.2.2.12  IF0.PrefixV4  24
sbc-10.2.2.12  IF1.PrefixV4  24
sbc-10.2.2.12  IF2.PrefixV4  24
sbc-10.2.2.12  IF3.PrefixV4  24
[ok][2019-10-04 09:05:55]
admin@sbc-10.2.2.12>