Tier0 – Common Bootstrap

November 22, 2022

Table of Contents

  • 1. Overview
  • 2. Deploy DFPC Tier0 Common Bootstrap
    • 2.1 Storage Accounts
      • 2.1.1 network_rules
    • 2.2 Keyvault
    • 2.3 Backup Policies
  • 3. Network
    • 3.1 Subnets
    • 3.2 User Defined Route (Azure route table)
    • 3.3 Traffic analytics
    • 3.4 VNet Peering
    • 3.5 Providers

Overview

The purpose of this effort is to document the Bootstrap Tier and all of its prerequisites in one place. By consuming Tier0 of the DFPC module we can create the following resources:

  1. Resource Group
  2. Automation Account
  3. Storage Account
  4. Recovery Service Vault
  5. Keyvault
  6. TDE Disk Encryption
  7. Private Endpoints
  8. Vnet and Subnets
  9. User Defined Route(UDR)
  10. NSG and NSG Flow Logs
  11. Virtual Network Peering
  12. Virtual Hub Connection
  13. Azure Site Recovery

Deploy DFPC Tier0 Common Bootstrap

  • Source Tag: v1.3.2
  • Additional App ID: JMD501

Resource Group Naming Convention

All resources created on the Azure platform must follow this naming convention. It ensures that the names are unique and that they properly describe the type, application, and purpose. The convention we went with was:

<subscription>-<product(dfpc)>-<pod collection>-<category(core)>-<SDLC environment>-<location>

Storage Accounts

network_rules

ip_rules is a list of IPs to whitelist on the Storage Accounts. They are the personal IP addresses of team members.

The Storage Account firewall default_action is set to “Allow”, which means all networks, including the Internet, can reach the selected Azure Storage account; the ip_rules list is not enforced while this is the case.

Keyvault

This input is further down, in the dfpc module block, and is passed as an object. For this environment there are 4 key vaults in this object ready to be built.

These object_ids are a list of object IDs for our team admin role (AdminRole-IT-InfrastructureEngineering) and for our Terraform SPN that is specific to jmd501.

This gives us and our SPN access to read from the key vaults we are creating. The object IDs get added to the key vault access policies.

keyvault_ip_rules

This is a list of IPs to whitelist on the Keyvaults.

default_action

The default action is set to Allow, which allows unrestricted network access to the key vault.

purge_protection_enabled

Purge protection is an optional Key Vault behavior and is not enabled by default.
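As an added example (not the page's or the DFPC module's own code), a small policy check over the storage account network_rules and key vault inputs described above. The input dicts are constructed to mirror the module's object shape; it flags default_action “Allow”, purge protection left off, and ip_rules entries that the Azure service firewalls will not accept (non-IPv4 or RFC 1918 addresses).

```python
from __future__ import annotations
import ipaddress

# Constructed inputs shaped like the tier0 network_rules / key vault objects this page
# describes; the values are illustrative, not the real deployment's.
STORAGE_NETWORK_RULES = {
    "default_action": "Allow",                    # what this page's environment uses
    "ip_rules": ["203.0.113.10", "10.24.244.5"],  # one public address, one RFC 1918 address
}
KEYVAULT_SETTINGS = {
    "default_action": "Allow",
    "ip_rules": ["203.0.113.10"],
    "purge_protection_enabled": False,
}

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def bad_ip_rule(rule: str) -> str | None:
    """Reason an ip_rules entry cannot work as an Azure service firewall rule, else None."""
    try:
        net = ipaddress.ip_network(rule, strict=False)
    except ValueError:
        return f"{rule!r} is not a valid IP address or CIDR"
    if net.version != 4:
        return f"{rule!r} is not IPv4; the service firewalls only take IPv4 rules"
    if any(net.subnet_of(r) for r in RFC1918):
        # Storage and Key Vault IP rules only accept public internet addresses.
        return f"{rule!r} is an RFC 1918 address and will be rejected as an ip_rule"
    return None


def check_network_rules(name: str, rules: dict) -> list[str]:
    """Findings for one storage-account or key-vault firewall object."""
    findings: list[str] = []
    if rules.get("default_action", "Allow") == "Allow":
        findings.append(f"{name}: default_action=Allow admits every network, so ip_rules are not enforced")
    elif not rules.get("ip_rules"):
        findings.append(f"{name}: default_action=Deny with empty ip_rules leaves only private endpoints; confirm intended")
    for rule in rules.get("ip_rules", []):
        reason = bad_ip_rule(rule)
        if reason:
            findings.append(f"{name}: {reason}")
    return findings


def check_keyvault(name: str, kv: dict) -> list[str]:
    """Key vault gets the firewall checks plus the purge protection check."""
    findings = check_network_rules(name, kv)
    if not kv.get("purge_protection_enabled", False):
        findings.append(f"{name}: purge_protection_enabled=false; a deleted vault or secret can be purged early")
    return findings
```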

Backup Policies

Backup frequency is set as shown in the table below:

Policy Name                Backup Frequency   Backup Time
smtp-daily-backup-policy   Daily              04:00
app-daily-backup-policy    Daily              23:00
bje-daily-backup-policy    Daily              02:00

Network

This section will break down some of the inputs that were assembled in locals, and where to get them for future reference.

address_space

The full address space for the UE2 region is 10.24.240.0/20.

This address space needs to be chopped up and a subset used for this subscription.

Use this tool: https://www.davidc.net/sites/default/subnets/subnets.html

Enter the full address space, and divide the top line until you find some /22 blocks to use. Take the first non-zero block, so we use 10.24.244.0/22 for this environment.

Private Endpoint (pe)

Using the same tool as above, now enter the address space block we are going to use, 10.24.244.0/22.

Divide the mask bits until you find /24 blocks and take two subnet addresses for pe and avi address prefix. 

dns_servers

This is the Dayforce custaddssubnet used for external custadds domain controllers.

The architects documented the Networking Infrastructure Device IPs by Azure region. Simply take the IPs from there.

Subnets

There are four subnet inputs passed to tier0:

Example Subnets

```hcl
  address_space = "10.24.244.0/22"
  pe            = ["10.24.245.0/24"]
  avi           = ["10.24.246.0/24"]
  dns_servers   = ["10.16.10.36", "10.16.10.37"]
```
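The address_space, pe and subnet steps above, as an added example that is not part of the original post: it carves the regional /20 into /22 blocks, takes the first non-zero block, assigns the following /24s to pe and avi in order, and validates that the resulting subnets sit inside address_space without overlapping. The function names and the "skip the zero /24" rule are this example's reading of the page's procedure.

```python
from __future__ import annotations
import ipaddress


def carve_environment_block(region_space: str, new_prefix: int = 22) -> ipaddress.IPv4Network:
    """Split the regional address space into /22 blocks and return the first non-zero one,
    which is the selection rule this page applies by hand in the web calculator."""
    blocks = list(ipaddress.ip_network(region_space).subnets(new_prefix=new_prefix))
    if len(blocks) < 2:
        raise ValueError(f"{region_space} is too small to yield a second /{new_prefix} block")
    return blocks[1]


def plan_subnets(region_space: str, names: tuple[str, ...] = ("pe", "avi")) -> dict:
    """Build the subnet inputs: the zero /24 of the environment block is left unused and
    each named subnet takes the next /24 in order (pe, then avi), as on this page."""
    env = carve_environment_block(region_space)
    quarters = list(env.subnets(new_prefix=24))
    plan = {"address_space": str(env)}
    for name, net in zip(names, quarters[1:]):
        plan[name] = [str(net)]
    return plan


def validate_subnets(plan: dict) -> list[str]:
    """Flag subnets that fall outside address_space or overlap each other."""
    space = ipaddress.ip_network(plan["address_space"])
    nets = [(k, ipaddress.ip_network(c)) for k, v in plan.items() if k != "address_space" for c in v]
    problems = []
    for name, net in nets:
        if not net.subnet_of(space):
            problems.append(f"{name} {net} is outside address_space {space}")
    for i, (n1, a) in enumerate(nets):
        for n2, b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{n1} {a} overlaps {n2} {b}")
    return problems
```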

User Defined Route(Azure route table)

There are two entries in this object. The example code is shown below:

  1. The first one is for default routes, which always hop to the IP address of the firewall we built as part of transit. (0.0.0.0/0 to 10.16.1.10)
  2. The second is for internal routes, which always hop to the IP address of the same firewall. (10.0.0.0/8 to 10.16.1.138)

Go here for more details and explanations

Example code:

Route Tables

```hcl
  route_table = [
    {
      name                   = "Default_0.0.0.0_0"
      address_prefix         = "0.0.0.0/0"
      next_hop_type          = "VirtualAppliance"
      next_hop_in_ip_address = "10.16.1.10"
    },
    {
      name                   = "Internal_10.0.0.0_8"
      address_prefix         = "10.0.0.0/8"
      next_hop_type          = "VirtualAppliance"
      next_hop_in_ip_address = "10.16.1.138"
    }
  ]
```

Traffic analytics

Traffic analytics is a cloud-based solution that provides visibility into user and application activity in your cloud networks. Specifically, traffic analytics analyzes Azure Network Watcher network security group (NSG) flow logs to provide insights into traffic flow in your Azure cloud.

VNet Peering

transit_vnet_name & trasnit_vnet_rg

These are references to the VNets we built as part of transit. We deployed a VNet to East US 2 (primary) and Central US (secondary), so the information needs to be passed for both.

This information is used for configuring peering to the transit VNet from our subscription VNet.

Providers

At the bottom, outside of the dfpc block, there are two blocks named ‘provider “azurerm”‘.

They are both references to the SS101 subscription, and are used by the module to read certain pieces of information needed during the build.

The block with alias “certkv” refers to the subscription where the architecture team built the certificate key vaults.

1 thought on “Tier0 – Common Bootstrap”

  1. What says:
     November 22, 2022 at 8:55 am

     Good!
