This section describes the steps for creating a Standalone SBC SWe on Azure, starting with instructions for installing the Azure CLI tools.
Use the following command to install Azure CLI in a Ubuntu machine. Ensure that the user logged in has sudo
permission to execute this command.
The Azure CLI version used for this documentation is 2.24.
curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
To install on Windows using the MSI, refer to Microsoft Azure Documentation.
Verify the installation by logging on to your Azure subscription using the following command:
|
The Azure CLI uses the default subscription ID from your log in attempt. To use a different subscription, add the --subscription <subscription ID>
option to each command.
Alternatively, change the subscription used by the CLI tools by using the following command: az account set --subscription <SUBSCRIPTION NAME>
Before creating and configuring the SBC, configure your network on Azure by performing the steps given below.
Create a resource group by using the following command:
az group create --name <NAME> --location <LOCATION>
az group create --name RBBN-SBC-RG --location eastus
Ensure all SBC resources in Azure are created in the same Resource Group.
To create the SBC, you need only one virtual network ('vnet') with all network interfaces attached to it. Ribbon recommends the address prefix size as 10.X.X.X/16
. You can create the virtual network by using the following command:
az network vnet create --name <NAME> --address-prefixes <CIDR> --resource-group <RESOURCE-GROUP-NAME> --location <LOCATION>
az network vnet create --name RibbonNet --address-prefixes 10.2.0.0/16 --resource-group RBBN-SBC-RG --location eastus
Refer to Common Public Cloud Security Group Rules for recommended Security Group rules.
Security Groups define the set of rules to allow access to the Virtual Machines. Use the following command to create a Security Group:
az network nsg create --name <NAME> --resource-group <RESOURCE-GROUP-NAME> --location <LOCATION>
az network nsg create --name RbbnSbcSG --resource-group RBBN-SBC-RG --location eastus
The Network Security Group includes the following default rules described in the figure below:
To allow access to the SBC, you should add more rules to the Network Security Group created above by using the following command for each rule:
az net nsg rule create --name <NAME> --nsg-name <SECURITY GROUP NAME> --resource-group <RESOURCE-GROUP-NAME> --protocol <PROTOCOL> --source-address-prefixes <IP> --source-port-ranges <PORT RANGES> --priority <PRIORITY NUMBER> --direction <Inbound/Outbound> --destination-port-ranges <DEST PORT RANGES>
az network nsg rule create --name sshIn --nsg-name RbbnSbcSG --resource-group RBBN-SBC-RG --protocol tcp --source-address-prefixes 46.244.89.12 --source-port-ranges "*" --priority 127 --direction Inbound --destination-port-ranges 22
For detailed information on the parameters, refer to Microsoft Azure Documentation.
To allow access to the whole network, configure one outbound rule for each Network Security Group. See example below.
az network nsg rule create --name vnetOutbound --nsg-name RbbnSbcSG --resource-group RBBN-SBC-RG --protocol "*" --source-address-prefixes "*" --source-port-ranges "*" --priority 100 --direction Outbound --destination-port-ranges "*" --destination-address-prefixes 10.2.0.0/16
A Standalone SBC requires four subnets, as each interface on a VM requires its own subnet. Ribbon recommends the address prefix as 10.X.X.X/24
. The subnets cover the following interfaces:
You can create a subnet by using the following command:
az network vnet subnet create --name <NAME> --address-prefixes <CIDR> --resource-group <RESOURCE-GROUP-NAME> --vnet-name <VNET_NAME> --network-security-group <SECURITY GROUP NAME>
az network vnet subnet create --name mgmt --address-prefixes 10.2.0.0/24 --resource-group RBBN-SBC-RG --vnet-name RibbonNet --network-security-group mgmtRbbnSbcSG az network vnet subnet create --name ha --address-prefixes 10.2.1.0/24 --resource-group RBBN-SBC-RG --vnet-name RibbonNet --network-security-group haRbbnSbcSG az network vnet subnet create --name pkt0 --address-prefixes 10.2.2.0/24 --resource-group RBBN-SBC-RG --vnet-name RibbonNet --network-security-group pkt0RbbnSbcSG az network vnet subnet create --name pkt1 --address-prefixes 10.2.3.0/24 --resource-group RBBN-SBC-RG --vnet-name RibbonNet --network-security-group pky1RbbnSbcSG
The User Assigned Managed Identity allows authentication for requests to Azure servers, without storing any user credentials on the VM. It does this by creating a special 'Service Principal' account. The SBC requires the Identity to gather information about the resources attached to the VM.
Create a User Assigned Managed Identity by using the following command with "Owner" permissions:
az identity create --name <NAME> --resource-group <RESOURCE-GROUP-NAME>
az identity create --name rbbnUami --resource-group RBBN-SBC-RG
Assign roles to the Managed Identity created above to allow it to access the resources it needs. This can be achieved by creating a definition with custom roles.
A standalone SBC requires access to the following roles:
Microsoft.Compute/virtualMachines/*/read
Microsoft.Network/networkInterfaces/*/read
Microsoft.Network/publicIPAddresses/*/read
Microsoft.Network/virtualNetworks/subnets/*/read
To assign roles, perform the following steps:
Get your subscription IDs by using the following command and extracting the "id" from the output of the show command:
az account show
Create a JSON file <filename.json> containing the service roles:
{ "Name": "<ROLE NAME>", "Description" : "Service account roles for use with Ribbon SBCs", "Actions" : [ "Microsoft.Compute/virtualMachines/*/read", "Microsoft.Network/networkInterfaces/*/read", "Microsoft.Network/publicIPAddresses/*/read", "Microsoft.Network/virtualNetworks/subnets/*/read" ], "AssignableScopes" : [ "/subscriptions/<SUBSCRIPTION ID>" ] }
Define scope at the subscription level.
az role definition create --role-definition <JSON FILE>
az role definition create --role-definition role_definition.json
To assign a role to an Identity, extract the "clientId" and "Role id" by performing the following steps:
To get the "clientId" for the Managed Identity, use the following command:
az identity show --name <MANAGED IDENTITY NAME> --resource-group <RESOURCE-GROUP-NAME>
az identity show --name rbbnUami --resource-group RBBN-SBC-RG
To get the "Role id" , use the following command and extract the full "id" from the output of the command.
Use the "Name" for from the JSON file created to use as the "Role Name" in the command:
Syntax
az role definition list --custom-role-only --name <ROLE NAME>
Example
az role definition list --custom-role-only --name ServiceRolesDefinition
To assign a role to an Identity, extract the "clientId" and "Role id" by performing the following steps:
To get the "clientId" for the Managed Identity, use the following command:
az identity show --name <MANAGED IDENTITY NAME> --resource-group <RESOURCE-GROUP-NAME>
az identity show --name rbbnUami --resource-group RBBN-SBC-RG
To get the "Role id" , use the following command and extract the full "id" from the output of the command.
Use the "Name" for from the JSON file created to use as the "Role Name" in the command:
Syntax
az role definition list --custom-role-only --name <ROLE NAME>
Example
az role definition list --custom-role-only --name ServiceRolesDefinition
To assign the Managed Identity, use the following command:
Syntax
az role assignment create --assignee <clientId> --role <ROLE ID>
az role assignment create --assignee xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx --role /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/providers/Microsoft.Authorization/roleDefinitions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
To store boot diagnostics, the SBC requires a storage account. This allows the use of the Serial Console. It is recommended to use the "storageV2" as the type for the storage account.
To create a storage account, use the following command:
az storage account create --name <NAME> --resource-group <RESOURCE_GROUP_NAME> --kind storageV2
az storage account create --name rbbnsbcstorage --resource-group RBBN-SBC-RG --kind storageV2
The Azure Storage Account name allows 3-24 characters. Use only lower-case letters and numbers. Special characters are not allowed.
To create the SBC on Azure, first create all resources separately by performing the steps below.
In order to create the SBC, you will need the SBC image in Azure. Refer to Access and Share SBC Image in Azure.
The MGMT, PKT0 and PKT1 interfaces all require Public IPs.
Create the Public IPs by using the following commands:
az network public-ip create --name <PUBLIC IP NAME> --resource-group <RESOURCE-GROUP-NAME> --allocation-method Static
az network public-ip create --name sbc-mgmt-ip --resource-group RBBN-SBC-RG --allocation-method Static az network public-ip create --name sbc-pkt0-ip --resource-group RBBN-SBC-RG --allocation-method Static az network public-ip create --name sbc-pkt1-ip --resource-group RBBN-SBC-RG --allocation-method Static
By default, Azure kills an inactive TCP connection after four minutes through a Public IP. To increase this time limit, add the flag --idle-timeout <MINUTES>
(range: 4-30 minutes).
The SBC requires 4 NICs, each attached to a individual subnet for MGMT, HA, PKT0 and PKT1.
To create a standard NIC, use the following syntax:
az network nic create --name <NIC NAME> --resource-group <RESOURCE GROUP NAME> --vnet-name <VIRTUAL NETWORK NAME> --subnet <SUBNET NAME> --network-security-group <SECURITY GROUP NAME> --public-ip-address <PUBLIC IP ADDRESS> --accelerated-networking true
az network nic create --name <NIC NAME> --resource-group <RESOURCE_GROUP_NAME> --vnet-name <VNET_NAME> --subnet <SUBNET_NAME> --network-security-group <NET_SEC_GROUP> --public-ip-address <PUBLIC_IP_ADDRESS> --accelerated-networking true
az network nic create --name sbc1-nic-mgmt --resource-group RBBN-SBC-RG --vnet-name RibbonNet --subnet SubnetMgmt --network-security-group RbbnSbcSG --public-ip-address sbc-mgmt-ip az network nic create --name sbc1-nic-ha --resource-group RBBN-SBC-RG --vnet-name RibbonNet --subnet SubnetHA --network-security-group RbbnSbcSG az network nic create --name sbc1-nic-pkt0 --resource-group RBBN-SBC-RG --vnet-name RibbonNet --subnet SubnetPkt0 --network-security-group RbbnSbcSG --public-ip-address sbc-pkt0-ip az network nic create --name sbc1-nic-pkt1 --resource-group RBBN-SBC-RG --vnet-name RibbonNet --subnet SubnetPkt1 --network-security-group RbbnSbcSG --public-ip-address sbc-pkt1-ip
The Standalone SBC requires the following Userdata, which will be stored in a JSON file and called when creating the VM.
Standalone SBC - User Data
Key | Allow Values | Description |
---|---|---|
CEName | N/A | Specifies the actual CE name of the SBC instance. CEName Requirements:
|
ReverseNatPkt0 | True/False | Requires True for standalone SBC |
ReverseNatPkt1 | True/False | Requires True for standalone SBC |
SystemName | N/A | Specifies the System Name of the SBC instances. SystemName Requirements:
|
SbcPersonalityType | isbc | The name of the SBC personality type for this instance. Currently, Ribbon supports only Integrated SBC (I-SBC). Specifies the System Name of the SBC instances. SystemName Requirements:
|
AdminSshKey | ssh-rsa ... | Public SSH Key to access the admin user; must be in the form |
ThirdPartyCpuAlloc | 0-4 | (Optional) Number of CPUs segregated for use with non-Ribbon applications. Restrictions:
|
ThirdPartyMemAlloc | 0-4096 | (Optional) Amount of memory (in MB) that segregated out for use with non Ribbon applications. Restrictions:
|
Create a JSON file (userdata.json) using the following Standalone SBC structure:
{ "CEName" : "<SBC CE NAME>", "ReverseNatPkt0" : "True", "ReverseNatPkt1" : "True", "SystemName" : "<SYSTEM NAME>", "SbcPersonalityType": "isbc", "AdminSshKey" : "<ssh-rsa ...>", "ThirdPartyCpuAlloc" : "<0-4>", "ThirdPartyMemAlloc" : "<0-4096>" }
You cannot create the Virtual Machine (VM) using the Azure Portal, as the portal does not allow attaching user data to unofficial images.
To create the VM, use the following command:
az vm create --name <INSTANCE NAME> --resource-group <RESOURCE_GROUP_NAME> --admin-username linuxadmin --custom-data <USER DATA JSON FILE> --image "<IMAGE NAME>" --location "<LOCATION>" --os-disk-size-gb <DISK SIZE IN GB> --size <INSTANCE SIZE> --ssh-dest-key-path /home/linuxadmin/.ssh/authorized_keys --ssh-key-values <PUBLIC SSH KEY FILENAME> --nics <MGMT NIC NAME> <HA NIC NAME> <PKT0 NIC NAME> <PKT1 NIC NAME> --boot-diagnostics-storage <STORAGE ACCOUNT NAME> --assign-identity <USER ASSIGNED MANAGED IDENTITY ID>
The following table describes the flags:
VM Creation - Flags
Flag | Accepted Values | Example | Description |
---|---|---|---|
name | rbbnSbc | Name of the instance; must be unique in the Resource Group. | |
resource-group | RBBN-SBC-RG | Name of the Resource Group. | |
admin-username | linuxadmin | linuxadmin | The default user. For the SBC, set as linuxadmin . |
custom-data | User Data JSON File | userData.json | Location of the JSON file containing the user data. |
image | "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx/resourceGroups/RBBN-SBC-RG/providers/Microsoft.Compute/images/rbbn-sbc-v10.01.00.img" | Image recourse ID created from Access and Share SBC Image in Azure. The image and storage account is in the same region. | |
location | "East US" | The location of the host of the VM. For more information, refer to Microsoft Azure Documentation. | |
os-disk-size-gb | 65+ | 65 | The size of the disk. The SBC requires a minimum of 65GB. |
size | Standard_D8s_v3 | This is the instance size. In AWS, it is known as 'Instance Type', and Openstack calls it 'flavor'. For more information on instance sizes, refer to Microsoft Azure Documentation. The SBC requires a minimum of 3vCpus, 10GB RAM, and 4 NICs. | |
ssh-dest-key-path | /home/linuxadmin/.ssh/authorized_keys | /home/linuxadmin/.ssh/authorized_keys | The path for the SSH key added in the flag --ssh-key-values . This must be the linuxadmin admin path, as the SSH key is for linuxadmin . |
ssh-key-values | File Name. | azureSshKey.pub | A file that contains the public SSH key for accessing the This can be retrieved by using the following command: Note: The Public Key must be in openSSH form: |
nics | Space separated list | sbc1-nic-mgmt sbc1-nic-ha sbc1-nic-pkt0 sbc1-nic-pkt1 | The names of the NICs created in previous steps. |
boot-diagnostics-storage | Storage Account Name. | rbbnsbcstorage | The storage account created in the previous steps for storing boot diagnostics. This allows the use of the serial console. |
assign-identity | User Assigned Managed Identity ID | /subscriptions/<SUBSCRIPTION ID>/resourceGroups/RBBN-SBC-RG/providers/Microsoft.ManagedIdentity/userAssignedIdentities/rbbnUami | This is ID for the User Assigned Managed Identity created in the previous steps. You can retrieve it by using the following command:
|
To configure the Standalone SBC, perform the following SBC CLI configuration steps.
Configure the PKT ports using the SBC CLI.
|
The gateway IP address is the second IP in the CIDR
Example:
For Subnet = 10.0.0.0/24 the Gateway = 10.0.0.1
For Subnet = 10.0.0.128/27 the Gateway = 10.0.0.129
The correct SBC CLI configuration will look similar to the following:
|
Example Meta Variable table for a Standalone SBC is given below:
|