diff --git a/sql-database/backup-database/backup-database.sh b/sql-database/backup-database/backup-database.sh
new file mode 100644
index 00000000..e46ab1df
--- /dev/null
+++ b/sql-database/backup-database/backup-database.sh
@@ -0,0 +1,39 @@
+#!/bin/bash
+
+$subscription = "" # add subscription here
+$location = "East US"
+
+$randomIdentifier = $(Get-Random)
+
+$resourceGroup = "resource-$randomIdentifier"
+$server = "server-$randomIdentifier"
+$database = "database-$randomIdentifier"
+$storage = "storage$randomIdentifier"
+$container = "container-$randomIdentifier"
+
+$bacpac = "backup.bacpac"
+
+$login = "sampleLogin"
+$password = "samplePassword123!"
+
+echo "Using resource group $($resourceGroup) with login: $($login), password: $($password)..."
+
+echo "Creating resource groups..."
+az group create --name $resourceGroup --location $location
+
+echo "Creating $($storage)..."
+az storage account create --name $storage --resource-group $resourceGroup --location $location --sku Standard_LRS
+
+echo "Creating $($container) on $($storage)..."
+$key = az storage account keys list --account-name $storage --resource-group $resourceGroup -o json --query [0].value
+az storage container create --name $container --account-key $key --account-name $storage
+
+echo "Creating $($server)..."
+az sql server create --name $server --resource-group $resourceGroup --location $location --admin-user $login --admin-password $password
+az sql server firewall-rule create --resource-group $resourceGroup --server $server --name AllowAzureServices --start-ip-address 0.0.0.0 --end-ip-address 0.0.0.0
+
+echo "Creating $($database)..."
+az sql db create --name $database --resource-group $resourceGroup --server $server --edition GeneralPurpose --sample-name AdventureWorksLT
+
+echo "Backing up $($database)..."
+az sql db export --admin-password $password --admin-user $login --storage-key $key --storage-key-type StorageAccessKey --storage-uri "https://$storage.blob.core.windows.net/$container/$bacpac" --name $database --resource-group $resourceGroup --server $server
\ No newline at end of file
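Review bot: Every assignment in this new file uses PowerShell syntax under a `#!/bin/bash` shebang — `$subscription = ""`, `$randomIdentifier = $(Get-Random)`, `$key = az storage account keys list ...` and the `$($var)` interpolations in the echo lines — so bash expands the empty variable and tries to run `=` as a command on line 3, and the same defect is in the rewritten copy-database-to-new-server.sh, database-auditing-and-threat-detection.sh and add-elastic-pool-to-failover-group-az-cli.sh hunks. In bash these would be `subscription=""`, `randomIdentifier=$RANDOM` and `key=$(az storage account keys list --account-name "$storage" --resource-group "$resourceGroup" --query '[0].value' -o tsv)`, with each `$($x)` reduced to `"$x"` (the `-o json` form also leaves the captured key wrapped in JSON double quotes, which then breaks `--account-key` and `--storage-key`). Separately, the first echo prints the admin password to stdout, and `$subscription` is declared with an "add subscription here" comment but nothing calls `az account set`, so the resources land in whatever subscription the CLI currently defaults to; I'd drop the password from the echo and add `az account set -s "$subscription"` after the assignment block. The storage key and admin password also travel on the argv of each az call, where they are visible in process listings and any `set -x` trace, which is worth a header comment marking this as a sample rather than a reusable deployment script.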
diff --git a/sql-database/copy-database-to-new-server/copy-database-to-new-server.sh b/sql-database/copy-database-to-new-server/copy-database-to-new-server.sh index b8c8eb96..3473025c 100644 --- a/sql-database/copy-database-to-new-server/copy-database-to-new-server.sh +++ b/sql-database/copy-database-to-new-server/copy-database-to-new-server.sh 
@@ -1,76 +1,34 @@ #!/bin/bash -# Connect-AzAccount +$subscription = "" # add subscription here +$location = "East US" -$subscriptionId = '' -$sourceResourceGroupName = "mySourceResourceGroup-$(Get-Random)" -$sourceResourceGroupLocation = "westus2" -$targetResourceGroupname = "myTargetResourceGroup-$(Get-Random)" -$targetResourceGroupLocation = "eastus" -$adminSqlLogin = "SqlAdmin" -$password = "ChangeYourAdminPassword1" -$sourceServerName = "source-server-$(Get-Random)" -$targetServerName = "target-server-$(Get-Random)" -$sourceDatabaseName = "mySampleDatabase" -$targetDatabaseName = "CopyOfMySampleDatabase" +$randomIdentifier = $(Get-Random) -# The ip address range that you want to allow to access your servers -$sourceStartIp = "0.0.0.0" -$sourceEndIp = "0.0.0.0" -$targetStartIp = "0.0.0.0" -$targetEndIp = "0.0.0.0" +$resourceGroup = "resource-$randomIdentifier" +$server = "server-$randomIdentifier" +$database = "database-$randomIdentifier" -# set the subscription context for the Azure account -az account set -s $subscriptionID +$targetResourceGroup = "targetResource-$randomIdentifier" +$targetLocation = "West US" +$targetServer = "targetServer-$randomIdentifier" +$targetDatabase = "targetDatabase-$randomIdentifier" -# create two new resource groups -az group create \ - --name $sourceResourceGroupName \ - --location $sourceResourceGroupLocation -az group create \ - --name $targetResourceGroupname \ - --location $targetResourceGroupLocation +$login = "sampleLogin" +$password = "samplePassword123!" 
-# create a server with a system wide unique server name -az sql server create \ - --name $sourceServerName \ - --resource-group $sourceResourceGroupName \ - --location $sourceResourceGroupLocation \ - --admin-user $adminSqlLogin \ - --admin-password $password -az sql server create \ - --name $targetServerName \ - --resource-group $targetResourceGroupname \ - --location $targetResourceGroupLocation \ - --admin-user $adminSqlLogin \ - --admin-password $password +echo "Using resource group $($resourceGroup) with login: $($login), password: $($password)..." -# create a server firewall rule that allows access from the specified IP range -az sql server firewall-rule create --end-ip-address $sourceEndIp \ - --name "AllowedIPs" \ - --resource-group $sourceResourceGroupName \ - --server $sourceServerName \ - --start-ip-address $sourcestartip -az sql server firewall-rule create --end-ip-address $targetEndIp \ - --name "AllowedIPs" \ - --resource-group $targetResourceGroupname \ - --server $targetServerName \ - --start-ip-address $targetStartIp +echo "Creating $($resourceGroup) (and $($targetResourceGroup))..." +az group create --name $resourceGroup --location $location +az group create --name $targetResourceGroup --location $targetLocation -# create a blank database in the source-server with an S0 performance level -az sql db create --name $sourceDatabaseName \ - --resource-group $sourceResourceGroupName \ - --server $sourceServerName \ - --service-objective S0 +echo "Creating $($server) in $($location) (and $($targetServer) in $($targetLocation))..." 
+az sql server create --name $server --resource-group $resourceGroup --location $location --admin-user $login --admin-password $password +az sql server create --name $targetServer --resource-group $targetResourceGroup --location $targetLocation --admin-user $login --admin-password $password -# copy source database to the target server -az sql db copy --dest-name $targetDatabaseName \ - --dest-resource-group $targetResourceGroupname \ - --dest-server $targetServerName \ - --name $sourceDatabaseName \ - --resource-group $sourceResourceGroupName \ - --server $sourceServerName +echo "Creating $($database) on $($server)..." +az sql db create --name $database --resource-group $resourceGroup --server $server --service-objective S0 -# clean up deployment -# az group delete --name $sourceResourceGroupName -# az group delete --name $targetResourceGroupname \ No newline at end of file +echo "Copying $($database) (on $($server)) to $($targetDatabase) (on $($targetServer))..." +az sql db copy --dest-name $targetDatabase --dest-resource-group $targetResourceGroup --dest-server $targetServer --name $database --resource-group $resourceGroup --server $server \ No newline at end of file diff --git a/sql-database/database-auditing-and-threat-detection/database-auditing-and-threat-detection.sh b/sql-database/database-auditing-and-threat-detection/database-auditing-and-threat-detection.sh index 390eee30..f80ea1bf 100644 --- a/sql-database/database-auditing-and-threat-detection/database-auditing-and-threat-detection.sh +++ b/sql-database/database-auditing-and-threat-detection/database-auditing-and-threat-detection.sh 
@@ -1,71 +1,36 @@ #!/bin/bash -# Connect-AzAccount +$subscription = "" # add subscription here +$location = "East US" -$subscriptionId = '' -$resourceGroupName = "myResourceGroup-$(Get-Random)" -$location = "southcentralus" -$adminSqlLogin = "SqlAdmin" -$password = "ChangeYourAdminPassword1" -$serverName = "server-$(Get-Random)" -$databaseName = "mySampleDatabase" +$randomIdentifier = $(Get-Random) -# The ip address range that you want to allow to access your server -$startIp = "0.0.0.0" -$endIp = "0.0.0.0" -$storageAccountName = $("sql$(Get-Random)") -$notificationEmailReceipient = "changeto@your.email;changeto@your.email" +$resourceGroup = "resource-$randomIdentifier" +$server = "server-$randomIdentifier" +$database = "database-$randomIdentifier" +$storage = "storage$randomIdentifier" -# set the subscription context for the Azure account -az account set -s $subscriptionID +$notification = "changeto@your.email;changeto@your.email" -# create a new resource group -az group create \ - --name $resourceGroupName \ - --location $location +$login = "sampleLogin" +$password = "samplePassword123!" -# create a new server with a system wide unique server name -az sql server create \ - --name $serverName \ - --resource-group $resourceGroupName \ - --location $location \ - --admin-user $adminSqlLogin \ - --admin-password $password +echo "Using resource group $($resourceGroup) with login: $($login), password: $($password)..." -# create a server firewall rule that allows access from the specified IP range -az sql server firewall-rule create --end-ip-address $endIp \ - --name "AllowedIPs" \ - --resource-group $resourceGroupName \ - --server $serverName \ - --start-ip-address $startIp +echo "Creating $($resourceGroup)..." 
+az group create --name $resourceGroup --location $location -# create a blank database with S0 performance level -az sql db create --name $databaseName \ - --resource-group $resourceGroupName \ - --server $serverName \ - --service-objective S0 +echo "Creating $($server) in $($location) ..." +az sql server create --name $server --resource-group $resourceGroup --location $location --admin-user $login --admin-password $password -# create a Storage Account -az storage account create --name $storageAccountName \ - --resource-group $resourceGroupName \ - --location $location \ - --sku Standard_LRS +echo "Creating $($database) on $($server)..." +az sql db create --name $database --resource-group $resourceGroup --server $server --service-objective S0 -# set an auditing policy -az sql db audit-policy update --name $databaseName \ - --resource-group $resourceGroupName \ - --server $serverName \ - --state Enabled \ - --storage-account $storageAccountName +echo "Creating $($storage)..." +az storage account create --name $storage --resource-group $resourceGroup --location $location --sku Standard_LRS -# set a threat detection policy -az sql db threat-policy update --email-account-admins Disabled \ ---email-addresses $notificationEmailReceipient \ ---name $databaseName \ ---resource-group $resourceGroupName \ ---server $serverName \ ---state Enabled \ ---storage-account $storageAccountName +echo "Setting access policy on $($storage)..." +az sql db audit-policy update --name $database --resource-group $resourceGroup --server $server --state Enabled --storage-account $storage -# clean up deployment -# az group delete --name $resourceGroupName \ No newline at end of file +echo "Setting threat detection policy on $($storage)..." +az sql db threat-policy update --email-account-admins Disabled --email-addresses $notification --name $database --resource-group $resourceGroup --server $server --state Enabled --storage-account $storage \ No newline at end of file 
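Review bot: The last two status messages in this hunk are mislabeled: `echo "Setting access policy on $($storage)..."` precedes `az sql db audit-policy update --name $database ...`, which configures the auditing policy of the database and only uses the storage account as the log target, and `echo "Setting threat detection policy on $($storage)..."` likewise precedes a command whose `--name` is `$database`. I'd change them to `echo "Setting audit policy on $($database), logging to $($storage)..."` and `echo "Setting threat detection policy on $($database)..."`. The value `$notification = "changeto@your.email;changeto@your.email"` is passed unquoted to `--email-addresses`; I can't tell from the hunk whether that option accepts a semicolon-separated list or expects space-separated values, so it is worth confirming against `az sql db threat-policy update --help` before the placeholder is replaced with real addresses.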
diff --git a/sql-database/failover-groups/add-elastic-pool-to-failover-group-az-cli.sh b/sql-database/failover-groups/add-elastic-pool-to-failover-group-az-cli.sh index d7b2f719..1b81a271 100644 --- a/sql-database/failover-groups/add-elastic-pool-to-failover-group-az-cli.sh +++ b/sql-database/failover-groups/add-elastic-pool-to-failover-group-az-cli.sh 
@@ -1,158 +1,61 @@ #!/bin/bash -$subscriptionId = '' -$randomIdentifier = $RANDOM -$resourceGroupName = "myResourceGroup-$randomIdentifier" +$subscription = "" # add subscription here $location = "East US" -$adminLogin = "azureuser" -$password = "PWD27!"+(New-Guid).Guid -$serverName = "mysqlserver-$randomIdentifier" -$poolName = "myElasticPool" -$databaseName = "mySampleDatabase" -$drLocation = "West US" -$drServerName = "mysqlsecondary-$randomIdentifier" -$failoverGroupName = "failovergrouptutorial-$randomIdentifier" - -# The ip address range that you want to allow to access your server -# Leaving at 0.0.0.0 will prevent outside-of-azure connections -$startIp = "0.0.0.0" -$endIp = "0.0.0.0" - -# show randomized variables -echo "Resource group name is" $resourceGroupName -echo "Password is" $password -echo "Server name is" $serverName -echo "DR Server name is" $drServerName -echo "Failover group name is" $failoverGroupName - -# set the subscription context for the Azure account -az account set -s $subscriptionID - -# create a resource group -echo "Creating resource group..." -az group create \ - --name $resourceGroupName \ - --location $location \ - --tags Owner[=SQLDB-Samples] - -# create a server in the resource group -echo "Creating server..." -az sql server create \ - --name $serverName \ - --resource-group $resourceGroupName \ - --location $location \ - --admin-user $adminLogin \ - --admin-password $password - -# create a server firewall rule that allows access from the specified IP range -echo "Configuring firewall for primary logical server..." -az sql server firewall-rule create --end-ip-address $endIp \ - --name "AllowedIPs" \ - --resource-group $resourceGroupName \ - --server $serverName \ - --start-ip-address $startIp -echo "Firewall configured" - -# create General Purpose Gen5 database with 2 vCore -echo "Creating a gen5 2 vCore database..." 
-az sql db create --name $databaseName \ - --resource-group $resourceGroupName \ - --server $serverName \ - --edition "GeneralPurpose" \ - --family Gen5 \ - --max-size 2 \ - --min-capacity 1 \ - --sample-name "AdventureWorksLT" - -# create primary Gen5 elastic 2 vCore pool -echo "Creating elastic pool..." -az sql elastic-pool create --name $poolName \ - --resource-group $resourceGroupName \ - --server $serverName \ - --edition "GeneralPurpose" \ - --family Gen5 \ - --max-size 2 - -# add single db into elastic pool -echo "Adding database to elastic pool..." -az sql db update --elastic-pool $poolName \ - --name $databaseName \ - --resource-group $resourceGroupName \ - --server $serverName - -# create a secondary server in the failover region -echo "Creating secondary server..." -az sql server create \ - --name $drServerName \ - --resource-group $resourceGroupName \ - --location $drLocation \ - --admin-user $adminLogin \ - --admin-password $password - -# create a server firewall rule that allows access from the specified IP range -echo "Configuring firewall for primary logical server..." -az sql server firewall-rule create --end-ip-address $endIp \ - --name "AllowedIPs" \ - --resource-group $resourceGroupName \ - --server $drServerName \ - --start-ip-address $startIp -echo "Firewall configured" - -# create secondary Gen5 elastic 2 vCore pool -echo "Creating secondary elastic pool..." -az sql elastic-pool create --name $poolName \ - --resource-group $resourceGroupName \ - --server $drServerName \ - --edition "GeneralPurpose" \ - --family Gen5 \ - --max-size 2 - -# create a failover group between the servers -echo "Creating failover group..." -az sql failover-group create --name $failoverGroupName \ - --partner-server $drServerName \ - --resource-group $resourceGroupName \ - --server $serverName \ - --failover-policy Automatic \ - --grace-period 2 -echo "Failover group created successfully." 
- -# add elastic pool to the failover group -echo "Enumerating databases in elastic pool...." -$databases = az sql elastic-pool list-dbs --name $poolName \ - --resource-group $resourceGroupName \ - --server $serverName -echo "Adding databases to failover group..." -az sql failover-group update --name $failoverGroupName \ - --add-db $databases \ - --resource-group $resourceGroupName \ - --server $serverName - -# check role of secondary replica (note ReplicationRole property) -echo "Confirming the secondary server is secondary...." -az sql failover-group show --name $failoverGroupName \ - --resource-group $resourceGroupName - -# failover to secondary server -echo "Failing over failover group to the secondary..." -az sql failover-group set-primary --name $failoverGroupName \ - --resource-group $resourceGroupName \ - --server $drServerName -echo "Failover group failed over to" $drServerName - -# check role of secondary replica (note ReplicationRole property) -echo "Confirming the secondary server is now primary..." -az sql failover-group show --name $failoverGroupName \ - --resource-group $resourceGroupName - -# revert failover to primary server -echo "Failing over failover group to the primary...." -az sql failover-group set-primary --name $failoverGroupName \ - --resource-group $resourceGroupName \ - --server $serverName -echo "Failover group failed over to" $serverName - -# clean up resources by removing the resource group -# echo "Removing resource group..." -# az group delete --name $resourceGroupName -# echo "Resource group removed" + +$randomIdentifier = $(Get-Random) + +$resourceGroup = "resource-$randomIdentifier" +$server = "sqlserver-$randomIdentifier" +$pool = "pool-$randomIdentifier" +$database = "database-$randomIdentifier" + +$failover = "failover-$randomIdentifier" +$failoverLocation = "West US" +$failoverServer = "sqlsecondary-$randomIdentifier" + +$login = "sampleLogin" +$password = "samplePassword123!" 
+ +echo "Using resource group $($resourceGroup) with login: $($login), password: $($password)..." + +echo "Creating $($resourceGroup)..." +az group create --name $resourceGroup --location $location + +echo "Creating $($server) in $($location)..." +az sql server create --name $server --resource-group $resourceGroup --location $location --admin-user $login --admin-password $password + +echo "Creating $($database) on $($server)..." +az sql db create --name $database --resource-group $resourceGroup --server $server --sample-name AdventureWorksLT + +echo "Creating $($pool) on $($server)..." +az sql elastic-pool create --name $pool --resource-group $resourceGroup --server $server + +echo "Adding $($database) to $($pool)..." +az sql db update --elastic-pool $pool --name $database --resource-group $resourceGroup --server $server + +echo "Creating $($failoverServer) in $($failoverLocation)..." +az sql server create --name $failoverServer --resource-group $resourceGroup --location $failoverLocation --admin-user $login --admin-password $password + +echo "Creating $($pool) on $($failoverServer)..." +az sql elastic-pool create --name $pool --resource-group $resourceGroup --server $failoverServer + +echo "Creating $($failover) between $($server) and $($failoverServer)..." +az sql failover-group create --name $failover --partner-server $failoverServer --resource-group $resourceGroup --server $server --failover-policy Automatic --grace-period 2 + +$databaseId = az sql elastic-pool list-dbs --name $pool --resource-group $resourceGroup --server $server --query [0].name -o json + +echo "Adding $($database) to $($failover)..." +az sql failover-group update --name $failover --add-db $databaseId --resource-group $resourceGroup --server $server + +echo "Confirming role of $($failoverServer) is secondary..." # note ReplicationRole property +az sql failover-group show --name $failover --resource-group $resourceGroup --server $server + +echo "Failing over to $($failoverServer)..." 
+az sql failover-group set-primary --name $failover --resource-group $resourceGroup --server $failoverServer + +echo "Confirming role of $($failoverServer) is now primary..." # note ReplicationRole property +az sql failover-group show --name $failover --resource-group $resourceGroup --server $server + +echo "Failing back to $($server)...." +az sql failover-group set-primary --name $failover --resource-group $resourceGroup --server $server \ No newline at end of file diff --git a/sql-database/failover-groups/add-managed-instance-to-failover-group-az-cli.sh b/sql-database/failover-groups/add-managed-instance-to-failover-group-az-cli.sh index 783a89d1..81b29a18 100644 --- a/sql-database/failover-groups/add-managed-instance-to-failover-group-az-cli.sh +++ b/sql-database/failover-groups/add-managed-instance-to-failover-group-az-cli.sh 
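Review bot: `$databaseId = az sql elastic-pool list-dbs ... --query [0].name -o json` captures the database name as a JSON string literal, so the following `az sql failover-group update --name $failover --add-db $databaseId ...` receives the value with its surrounding double quotes and will look up a database that does not exist; `-o tsv` returns the bare name. The `[0]` selector also adds only the first pool member, which matches this sample's single database but silently drops any others, so either the echo should say so or the query should be `--query '[].name' -o tsv` with the result passed as the `--add-db` list. The last statement of the hunk is the fail-back `set-primary` call with no `show` afterward, unlike the two earlier role checks; a final `az sql failover-group show --name $failover --resource-group $resourceGroup --server $server` would let the reader confirm the script ends with `$server` as primary.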
@@ -1,706 +1,125 @@ #!/bin/bash -# Due to deployment times, you should plan for a full day to complete the entire script. -# You can monitor deployment progress in the activity log within the Azure portal. - +# Due to deployment times, you should plan for a full day to complete the entire script. You can monitor deployment progress in the activity log within the Azure portal. # For more information on deployment times, see https://docs.microsoft.com/azure/sql-database/sql-database-managed-instance#managed-instance-management-operations. -# Closing the session will result in an incomplete deployment. To continue progress, you will -# need to determine what the random modifier is and manually replace the random variable with -# the previously-assigned value. - -$subscriptionId = "" # subscriptionId in which to create these objects -$randomIdentifier = $RANDOM # create a random identifier to use as subscript for the different resource names -$resourceGroupName = "myResourceGroup-$randomIdentifier" -$location = "eastus" -$drLocation = "eastus2" - -# set the networking values for your primary managed instance -$primaryVNet = "primaryVNet-$randomIdentifier" -$primaryAddressPrefix = "10.0.0.0/16" -$primaryDefaultSubnet = "primaryDefaultSubnet-$randomIdentifier" -$primaryDefaultSubnetAddress = "10.0.0.0/24" -$primaryMiSubnetName = "primaryMISubnet-$randomIdentifier" -$primaryMiSubnetAddress = "10.0.0.0/24" -$primaryMiGwSubnetAddress = "10.0.255.0/27" -$primaryGWName = "primaryGateway-$randomIdentifier" -$primaryGWPublicIPAddress = $primaryGWName + "-ip" -$primaryGWIPConfig = $primaryGWName + "-ipc" -$primaryGWAsn = 61000 -$primaryGWConnection = $primaryGWName + "-connection" - -# set the networking values for your secondary managed instance -$secondaryVNet = "secondaryVNet-$randomIdentifier" -$secondaryAddressPrefix = "10.128.0.0/16" -$secondaryDefaultSubnet = "secondaryDefaultSubnet-$randomIdentifier" -$secondaryDefaultSubnetAddress = "10.128.0.0/24" 
-$secondaryMiSubnetName = "secondaryMISubnet-$randomIdentifier" -$secondaryMiSubnetAddress = "10.128.0.0/24" -$secondaryMiGwSubnetAddress = "10.128.255.0/27" -$secondaryGWName = "secondaryGateway-$randomIdentifier" -$secondaryGWPublicIPAddress = $secondaryGWName + "-IP" -$secondaryGWIPConfig = $secondaryGWName + "-ipc" -$secondaryGWAsn = 62000 -$secondaryGWConnection = $secondaryGWName + "-connection" - -# set the managed instance name for the new managed instances -$primaryInstance = "primary-mi-$randomIdentifier" -$secondaryInstance = "secondary-mi-$randomIdentifier" - -# set the admin login and password for your managed instance -$secuser = "azureuser" -$secpasswd = "PWD27!" + $RANDOM - -# set the managed instance service tier, compute level, and license mode -$edition = "General Purpose" -$vCores = 8 -$maxStorage = 256 -$computeGeneration = "Gen5" -$license = "LicenseIncluded" #"BasePrice" or LicenseIncluded if you have don't have SQL Server licence that can be used for AHB discount - -# set failover group details -$vpnSharedKey = "mi1mi2psk" -$failoverGroupName = "failovergroup-$randomIdentifier" - -# show randomized variables -echo "Resource group name is" $resourceGroupName -echo "Password is" $secpasswd -echo "Primary Virtual Network name is" $primaryVNet -echo "Primary default subnet name is" $primaryDefaultSubnet -echo "Primary managed instance subnet name is" $primaryMiSubnetName -echo "Secondary Virtual Network name is" $secondaryVNet -echo "Secondary default subnet name is" $secondaryDefaultSubnet -echo "Secondary managed instance subnet name is" $secondaryMiSubnetName -echo "Primary managed instance name is" $primaryInstance -echo "Secondary managed instance name is" $secondaryInstance -echo "Failover group name is" $failoverGroupName - -# set the subscription context for the Azure account -az account set -s $subscriptionId - -# create a resource group -echo "Creating resource group..." 
-az group create \ - --name $resourceGroupName \ - --location $location \ - --tags Owner[=SQLDB-Samples] - -# configure primary virtual network -echo "Creating primary virtual network..." -az network vnet create --name $primaryVNet \ - --resource-group $resourceGroupName \ - --address-prefixes $primaryAddressPrefix \ - --location $location - -az network vnet subnet create --address-prefixes $primaryMiSubnetAddress \ - --name $primaryMiSubnetName \ - --resource-group $resourceGroupName \ - --vnet-name $primaryVNet - -# configure primary MI subnet -echo "Configuring primary MI subnet..." -az network vnet show --name $primaryVNet \ - --resource-group $resourceGroupName - -az network vnet subnet show --name $primaryMiSubnetName \ - --vnet-name $primaryVirtualNetwork - -# configure network security group management service -echo "Configuring network security group..." -az network nsg create --name 'primaryNSGMiManagementService' \ - --resource-group $resourceGroupName \ - --location $location - -# configure route table management service -echo "Configuring primary MI route table management service..." -az network route-table create --name 'primaryRouteTableMiManagementService' \ - --resource-group $resourceGroupName \ - --location $location - -# configure the primary network security group -echo "Configuring primary network security group..." 
-az network vnet subnet update --address-prefixes $PrimaryMiSubnetAddress \ - --name $primaryMiSubnetName \ - --network-security-group $primaryNSGMiManagementService \ - --route-table $primaryRouteTableMiManagementService \ - --vnet-name $primaryVirtualNetwork - -az network nsg rule create --name "allow_management_inbound" \ - --nsg-name "primaryNSGMiManagementService" \ - --priority 100 \ - --resource-group $resourceGroupName \ - --access Allow \ - --destination-address-prefixes * \ - --destination-port-ranges 9000,9003,1438,1440,1452 \ - --direction Inbound \ - --protocol Tcp \ - --source-address-prefixes * \ - --source-port-ranges * - -az network nsg rule create --name "allow_misubnet_inbound" \ - --nsg-name "primaryNSGMiManagementService" \ - --priority 200 \ - --resource-group $resourceGroupName \ - --access Allow \ - --destination-address-prefixes * \ - --destination-port-ranges * \ - --direction Inbound \ - --protocol * \ - --source-address-prefixes $PrimaryMiSubnetAddress \ - --source-port-ranges * - -az network nsg rule create --name "allow_health_probe_inbound" \ - --nsg-name "primaryNSGMiManagementService" \ - --priority 300 \ - --resource-group $resourceGroupName \ - --access Allow \ - --destination-address-prefixes * \ - --destination-port-ranges * \ - --direction Inbound \ - --protocol * \ - --source-address-prefixes AzureLoadBalancer \ - --source-port-ranges * - -az network nsg rule create --name "allow_tds_inbound" \ - --nsg-name "primaryNSGMiManagementService" \ - --priority 1000 \ - --resource-group $resourceGroupName \ - --access Allow \ - --destination-address-prefixes * \ - --destination-port-ranges 1433 \ - --direction Inbound \ - --protocol Tcp \ - --source-address-prefixes VirtualNetwork \ - --source-port-ranges * - -az network nsg rule create --name "allow_redirect_inbound" \ - --nsg-name "primaryNSGMiManagementService" \ - --priority 1100 \ - --resource-group $resourceGroupName \ - --access Allow \ - --destination-address-prefixes * \ - 
--destination-port-ranges 11000-11999 \ - --direction Inbound \ - --protocol Tcp \ - --source-address-prefixes VirtualNetwork \ - --source-port-ranges * - -az network nsg rule create --name "allow_geodr_inbound" \ - --nsg-name "primaryNSGMiManagementService" \ - --priority 1200 \ - --resource-group $resourceGroupName \ - --access Allow \ - --destination-address-prefixes * \ - --destination-port-ranges 5022 \ - --direction Inbound \ - --protocol Tcp \ - --source-address-prefixes VirtualNetwork \ - --source-port-ranges * - -az network nsg rule create --name "deny_all_inbound" \ - --nsg-name "" \ - --priority 4096 \ - --resource-group $resourceGroupName \ - --access Deny \ - --destination-address-prefixes * \ - --destination-port-ranges \ - --direction Inbound \ - --protocol * \ - --source-address-prefixes * \ - --source-port-ranges * - -az network nsg rule create --name "allow_redirect_inbound" \ - --nsg-name "primaryNSGMiManagementService" \ - --priority 1100 \ - --resource-group $resourceGroupName \ - --access Allow \ - --destination-address-prefixes * \ - --destination-port-ranges 80,443,12000 \ - --direction Outbound \ - --protocol Tcp \ - --source-address-prefixes * \ - --source-port-ranges * - -az network nsg rule create --name "allow_misubnet_outbound" \ - --nsg-name "primaryNSGMiManagementService" \ - --priority 200 \ - --resource-group $resourceGroupName \ - --access Allow \ - --destination-address-prefixes $PrimaryMiSubnetAddress \ - --destination-port-ranges 11000-11999 \ - --direction Outbound \ - --protocol Tcp \ - --source-address-prefixes * \ - --source-port-ranges * - -az network nsg rule create --name "allow_redirect_outbound" \ - --nsg-name "primaryNSGMiManagementService" \ - --priority 1100 \ - --resource-group $resourceGroupName \ - --access Allow \ - --destination-address-prefixes * \ - --destination-port-ranges 11000-11999 \ - --direction Outbound \ - --protocol Tcp \ - --source-address-prefixes VirtualNetwork \ - --source-port-ranges * - -az 
network nsg rule create --name "allow_geodr_outbound" \ - --nsg-name "primaryNSGMiManagementService" \ - --priority 1200 \ - --resource-group $resourceGroupName \ - --access Allow \ - --destination-address-prefixes * \ - --destination-port-ranges 5022 \ - --direction Outbound \ - --protocol Tcp \ - --source-address-prefixes VirtualNetwork \ - --source-port-ranges * - -az network nsg rule create --name "deny_all_outbound" \ - --nsg-name "primaryNSGMiManagementService" \ - --priority 4096 \ - --resource-group $resourceGroupName \ - --access Deny \ - --destination-address-prefixes * \ - --destination-port-ranges * \ - --direction Outbound \ - --protocol Tcp \ - --source-address-prefixes * \ - --source-port-ranges * - -echo "Primary network security group configured successfully." - -az network route-table route create --address-prefix 0.0.0.0/0 \ - --name "primaryToMIManagementService" \ - --next-hop-type Internet \ - --resource-group $resourceGroupName \ - --route-table-name "primaryRouteTableMiManagementService" - -az network route-table route create --address-prefix $PrimaryMiSubnetAddress \ - --name "ToLocalClusterNode" \ - --next-hop-type VnetLocal \ - --resource-group $resourceGroupName \ - --route-table-name "primaryRouteTableMiManagementService" - -echo "Primary network route table configured successfully." - -# create primary managed instance -echo "Creating primary managed instance..." -echo "This will take some time, see https://docs.microsoft.com/azure/sql-database/sql-database-managed-instance#managed-instance-management-operations for more information." -az sql mi create --admin-password \ - --admin-user \ - --name $primaryInstance \ - --resource-group $resourceGroupName \ - --subnet $primaryMiSubnetConfigId \ - --capacity $vCores \ - --edition $edition \ - --family $computeGeneration \ - --license-type $license \ - --location $location \ - --storage $maxStorage -echo "Primary managed instance created successfully." 
- -# configure secondary virtual network -echo "Configuring secondary virtual network..." -az network vnet create --name $secondaryVNet \ - --resource-group $resourceGroupName \ - --address-prefixes $secondaryAddressPrefix \ - --location $drlocation - -az network vnet subnet create --address-prefixes $secondaryMiSubnetAddress \ - --name $secondaryMiSubnetName \ - --vnet-name $SecondaryVirtualNetwork - -# configure secondary managed instance subnet -echo "Configuring secondary MI subnet..." - -$SecondaryVirtualNetwork = Get-AzVirtualNetwork -Name $secondaryVNet -ResourceGroupName $resourceGroupName - -$secondaryMiSubnetConfig = Get-AzVirtualNetworkSubnetConfig ` - -Name $secondaryMiSubnetName ` - -VirtualNetwork $SecondaryVirtualNetwork -$secondaryMiSubnetConfig - -# configure secondary network security group management service -echo "Configuring secondary network security group management service..." - -$secondaryMiSubnetConfigId = $secondaryMiSubnetConfig.Id - -az network nsg create --name 'secondaryToMIManagementService' \ - --resource-group $resourceGroupName \ - --location $drlocation - -# configure secondary route table MI management service -echo "Configuring secondary route table MI management service..." -az network route-table create --name 'secondaryRouteTableMiManagementService' \ - --resource-group $resourceGroupName \ - --location $drlocation - -# configure the secondary network security group -echo "Configuring secondary network security group..." 
-az network vnet subnet update --address-prefixes $secondaryMiSubnetAddress \ - --name $secondaryMiSubnetName \ - --network-security-group $secondaryNSGMiManagementService \ - --route-table $secondaryRouteTableMiManagementService \ - --vnet-name $SecondaryVirtualNetwork - -az network nsg rule create --name "allow_management_inbound" \ - --nsg-name "secondaryToMIManagementService" \ - --priority 100 \ - --resource-group $resourceGroupName \ - --access Allow \ - --destination-address-prefixes * \ - --destination-port-ranges 9000,9003,1438,1440,1452 \ - --direction Inbound \ - --protocol Tcp \ - --source-address-prefixes * \ - --source-port-ranges * - -az network nsg rule create --name "allow_misubnet_inbound" \ - --nsg-name "secondaryToMIManagementService" \ - --priority 200 \ - --resource-group $resourceGroupName \ - --access Allow \ - --destination-address-prefixes * \ - --destination-port-ranges * \ - --direction Inbound \ - --protocol * \ - --source-address-prefixes $secondaryMiSubnetAddress \ - --source-port-ranges * - -az network nsg rule create --name "allow_health_probe_inbound" \ - --nsg-name "secondaryToMIManagementService" \ - --priority 300 \ - --resource-group $resourceGroupName \ - --access Allow \ - --destination-address-prefixes * \ - --destination-port-ranges * \ - --direction Inbound \ - --protocol Tcp \ - --source-address-prefixes AzureLoadBalancer \ - --source-port-ranges * - -az network nsg rule create --name "allow_tds_inbound" \ - --nsg-name "secondaryToMIManagementService" \ - --priority 1000 \ - --resource-group $resourceGroupName \ - --access Allow \ - --destination-address-prefixes * \ - --destination-port-ranges 1433 \ - --direction Inbound \ - --protocol Tcp \ - --source-address-prefixes VirtualNetwork \ - --source-port-ranges * - -az network nsg rule create --name "allow_redirect_inbound" \ - --nsg-name "secondaryToMIManagementService" \ - --priority 1100 \ - --resource-group $resourceGroupName \ - --access Allow \ - 
--destination-address-prefixes * \ - --destination-port-ranges 11000-11999 \ - --direction Inbound \ - --protocol Tcp \ - --source-address-prefixes VirtualNetwork \ - --source-port-ranges * - -az network nsg rule create --name "allow_geodr_inbound" \ - --nsg-name "secondaryToMIManagementService" \ - --priority 1200 \ - --resource-group $resourceGroupName \ - --access Allow \ - --destination-address-prefixes * \ - --destination-port-ranges 5022 \ - --direction Inbound \ - --protocol Tcp \ - --source-address-prefixes VirtualNetwork \ - --source-port-ranges * - -az network nsg rule create --name "deny_all_inbound" \ - --nsg-name "secondaryToMIManagementService" \ - --priority 4096 \ - --resource-group $resourceGroupName \ - --access Deny \ - --destination-address-prefixes * \ - --destination-port-ranges * \ - --direction Inbound \ - --protocol * \ - --source-address-prefixes * \ - --source-port-ranges * - -az network nsg rule create --name "allow_management_outbound" \ - --nsg-name "secondaryToMIManagementService" \ - --priority 100 \ - --resource-group $resourceGroupName \ - --access Allow \ - --destination-address-prefixes * \ - --destination-port-ranges 80,443,12000 \ - --direction Outbound \ - --protocol Tcp \ - --source-address-prefixes * \ - --source-port-ranges * - -az network nsg rule create --name "allow_misubnet_outbound" \ - --nsg-name "secondaryToMIManagementService" \ - --priority 200 \ - --resource-group $resourceGroupName \ - --access Allow \ - --destination-address-prefixes $secondaryMiSubnetAddress \ - --destination-port-ranges * \ - --direction Outbound \ - --protocol Tcp \ - --source-address-prefixes * \ - --source-port-ranges * - -az network nsg rule create --name "allow_redirect_outbound" \ - --nsg-name "secondaryToMIManagementService" \ - --priority 1100 \ - --resource-group $resourceGroupName \ - --access Allow \ - --destination-address-prefixes * \ - --destination-port-ranges 11000-11999 \ - --direction Outbound \ - --protocol Tcp \ - 
--source-address-prefixes VirtualNetwork \ - --source-port-ranges * - -az network nsg rule create --name "allow_geodr_outbound" \ - --nsg-name "secondaryToMIManagementService" \ - --priority 1200 \ - --resource-group $resourceGroupName \ - --access Allow \ - --destination-address-prefixes * \ - --destination-port-ranges 5022 \ - --direction Intbound \ - --protocol Tcp \ - --source-address-prefixes VirtualNetwork \ - --source-port-ranges * - -az network nsg rule create --name "deny_all_outbound" \ - --nsg-name "secondaryToMIManagementService" \ - --priority 4096 \ - --resource-group $resourceGroupName \ - --access Deny \ - --destination-address-prefixes * \ - --destination-port-ranges * \ - --direction Outbound \ - --protocol * \ - --source-address-prefixes * \ - --source-port-ranges * - -az network route-table route create --address-prefix 0.0.0.0/0 \ - --name "secondaryToMIManagementService" \ - --next-hop-type Internet \ - --resource-group $resourceGroupName \ - --route-table-name "secondaryRouteTableMiManagementService" - -az network route-table route create --address-prefix $secondaryMiSubnetAddress \ - --name "ToLocalClusterNode" \ - --next-hop-type VnetLocal \ - --resource-group $resourceGroupName \ - --route-table-name "secondaryRouteTableMiManagementService" -echo "Secondary network security group configured successfully." - -# create secondary managed instance -echo "Creating secondary managed instance..." -echo "This will take some time, see https://docs.microsoft.com/azure/sql-database/sql-database-managed-instance#managed-instance-management-operations for more information." 
--DnsZonePartner $primaryManagedInstanceId.Id - -az sql mi create --admin-password $secpassword \ - --admin-user $secuser \ - --name $secondaryInstance \ - --resource-group $resourceGroupName \ - --subnet $secondaryMiSubnetConfigId \ - --capacity $vCores \ - --edition $edition \ - --family $computeGeneration \ - --license-type $license \ - --location $drLocation \ - --storage $maxStorage - -echo "Secondary managed instance created successfully." - -# create primary gateway -echo "Adding GatewaySubnet to primary VNet..." -Get-AzVirtualNetwork ` - -Name $primaryVNet ` - -ResourceGroupName $resourceGroupName ` - | Add-AzVirtualNetworkSubnetConfig ` - -Name "GatewaySubnet" ` - -AddressPrefix $primaryMiGwSubnetAddress ` - | Set-AzVirtualNetwork - -$primaryVirtualNetwork = Get-AzVirtualNetwork ` - -Name $primaryVNet ` - -ResourceGroupName $resourceGroupName -$primaryGatewaySubnet = Get-AzVirtualNetworkSubnetConfig ` - -Name "GatewaySubnet" ` - -VirtualNetwork $primaryVirtualNetwork - -echo "Creating primary gateway..." -echo "This will take some time." 
-az network public-ip create --name $primaryGWPublicIPAddress \ - --resource-group $resourceGroupName \ - --allocation-method Dynamic \ - --location $location - -$primaryGatewayIPConfig = New-AzVirtualNetworkGatewayIpConfig -Name $primaryGWIPConfig ` - -Subnet -PublicIpAddress $primaryGWPublicIP -az network nic ip-config create --name - --nic-name - --resource-group - [--app-gateway-address-pools] - [--application-security-groups] - [--gateway-name] - [--lb-address-pools] - [--lb-inbound-nat-rules] - [--lb-name] - [--make-primary] - [--private-ip-address] - [--private-ip-address-version {IPv4, IPv6}] - [--public-ip-address $primaryGWPublicIPAddress - [--subnet $primaryGatewaySubnet - [--subscription] - [--vnet-name] - -az network vnet-gateway create --name $primaryGWName \ - --public-ip-addresses $primaryGatewayIPConfig \ - --resource-group $resourceGroupName \ - --asn $primaryGWAsn \ - [--bgp-peering-address] - --gateway-type Vpn \ - --location $location \ - --sku VpnGw1 \ - --vpn-type RouteBased -#-EnableBgp $true - -# create the secondary gateway -echo "Creating secondary gateway..." -echo "Adding GatewaySubnet to secondary VNet..." -Get-AzVirtualNetwork ` - -Name ` - -ResourceGroupName ` - | Add-AzVirtualNetworkSubnetConfig ` - -Name "GatewaySubnet" ` - -AddressPrefix $secondaryMiGwSubnetAddress ` - | Set-AzVirtualNetwork -az network vnet update [--add] - [--address-prefixes] - [--ddos-protection {false, true}] - [--ddos-protection-plan] - [--defer] - [--dns-servers] - [--force-string] - [--ids] - [--name $secondaryVNet - [--remove] - [--resource-group $resourceGroupName - [--set] - [--subscription] - [--vm-protection {false, true}] -$secondaryVirtualNetwork = Get-AzVirtualNetwork ` - -Name $secondaryVNet ` - -ResourceGroupName $resourceGroupName -$secondaryGatewaySubnet = Get-AzVirtualNetworkSubnetConfig ` - -Name "GatewaySubnet" ` - -VirtualNetwork $secondaryVirtualNetwork -$drLocation = $secondaryVirtualNetwork.Location - -echo "Creating primary gateway..." 
-echo "This will take some time." -$secondaryGWPublicIP = New-AzPublicIpAddress -Name $secondaryGWPublicIPAddress -ResourceGroupName $resourceGroupName ` - -Location $drLocation -AllocationMethod Dynamic -$secondaryGatewayIPConfig = New-AzVirtualNetworkGatewayIpConfig -Name $secondaryGWIPConfig ` - -Subnet $secondaryGatewaySubnet -PublicIpAddress $secondaryGWPublicIP -az network public-ip create --name - --resource-group - [--allocation-method {Dynamic, Static}] - [--dns-name] - [--idle-timeout] - [--ip-tags] - [--location] - [--public-ip-prefix] - [--reverse-fqdn] - [--sku {Basic, Standard}] - [--subscription] - [--tags] - [--version {IPv4, IPv6}] - [--zone {1, 2, 3}] - -az network vnet-gateway create --name $secondaryGWName \ - --public-ip-addresses $secondaryGatewayIPConfig \ - --resource-group $resourceGroupName \ - --asn $secondaryGWAsn \ - --gateway-type Vpn \ - --location $drLocation \ - --sku VpnGw1 \ - --vpn-type RouteBased -#-EnableBgp $true - -# connect the primary to secondary gateway -echo "Connecting the primary gateway to secondary gateway..." -az network vpn-connection create --name $primaryGWConnection \ - --resource-group $resourceGroupName \ - --vnet-gateway1 $primaryGateway \ - --enable-bgp $true \ - --location $location \ - --shared-key $vpnSharedKey \ - --vnet-gateway2 $secondaryGateway -#-ConnectionType Vnet2Vnet - -# connect the secondary to primary gateway -echo "Connecting the secondary gateway to primary gateway..." 
-az network vpn-connection create --name $secondaryGWConnection \ - --resource-group $resourceGroupName \ - --vnet-gateway1 $secondaryGateway \ - --enable-bgp $true \ - --location $drLocation \ - --shared-key $vpnSharedKey \ - --vnet-gateway2 $primaryGateway -#ConnectionType Vnet2Vnet - -# create failover group +$subscription = "" # add subscription here +#!/bin/bash + +$subscription = "" # add subscription here +$location = "East US" +$failoverLocation = "West US" + +$randomIdentifier = $(Get-Random) + +$resourceGroup = "resource-$randomIdentifier" +$failoverResourceGroup = "failoverResource-$randomIdentifier" + +$vnet = "vnet-$randomIdentifier" +$subnet = "subnet-$randomIdentifier" +$nsg = "nsg-$randomIdentifier" +$route = "route-$randomIdentifier" +$instance = "instance-$randomIdentifier" + +$failover = "failover-$randomIdentifier" + +$failoverVnet = "failoverVnet-$randomIdentifier" +$failoverSubnet = "failoverSubnet-$randomIdentifier" +$failoverNsg = "failoverNsg-$randomIdentifier" +$failoverRoute = "failoverRoute-$randomIdentifier" +$failoverInstance = "failoverInstance-$randomIdentifier" + +$login = "sampleLogin" +$password = "samplePassword123!" + +$vpnSharedKey = "abc123" + +$gateway = "gateway-$randomIdentifier" +$gatewayIP = $gateway + "-ip" +$gatewayConnection = $gateway + "-connection" + +$failoverGateway = "failoverGateway-$randomIdentifier" +$failoverGatewayIP = $failoverGateway + "-ip" +$failoverGatewayConnection = $failoverGateway + "-connection" + +echo "Using resource group $($resourceGroup) and $($failoverResourceGroup) with login: $($login), password: $($password)..." + +echo "Creating $($resourceGroup)..." +az group create --name $resourceGroup --location $location +az group create --name $failoverResourceGroup --location $failoverLocation + +echo "Creating $($vnet) with $($subnet)..." 
+az network vnet create --name $vnet --resource-group $resourceGroup --location $location --address-prefixes 10.0.0.0/16 +az network vnet subnet create --name $subnet --resource-group $resourceGroup --vnet-name $vnet --address-prefixes 10.0.0.0/24 + +echo "Creating $($nsg)..." +az network nsg create --name $nsg --resource-group $resourceGroup --location $location + +az network nsg rule create --name "allow_management_inbound" --nsg-name $nsg --priority 100 --resource-group $resourceGroup --access Allow --destination-address-prefixes 10.0.0.0/24 --destination-port-ranges 9000 9003 1438 1440 1452 --direction Inbound --protocol Tcp --source-address-prefixes * --source-port-ranges * +az network nsg rule create --name "allow_misubnet_inbound" --nsg-name $nsg --priority 200 --resource-group $resourceGroup --access Allow --destination-address-prefixes 10.0.0.0/24 --destination-port-ranges * --direction Inbound --protocol * --source-address-prefixes 10.0.0.0/24 --source-port-ranges * +az network nsg rule create --name "allow_health_probe_inbound" --nsg-name $nsg --priority 300 --resource-group $resourceGroup --access Allow --destination-address-prefixes 10.0.0.0/24 --destination-port-ranges * --direction Inbound --protocol * --source-address-prefixes AzureLoadBalancer --source-port-ranges * +az network nsg rule create --name "allow_management_outbound" --nsg-name $nsg --priority 1100 --resource-group $resourceGroup --access Allow --destination-address-prefixes AzureCloud --destination-port-ranges 443 12000 --direction Outbound --protocol Tcp --source-address-prefixes 10.0.0.0/24 --source-port-ranges * +az network nsg rule create --name "allow_misubnet_outbound" --nsg-name $nsg --priority 200 --resource-group $resourceGroup --access Allow --destination-address-prefixes 10.0.0.0/24 --destination-port-ranges * --direction Outbound --protocol * --source-address-prefixes 10.0.0.0/24 --source-port-ranges * + +echo "Creating $($route)..." 
+az network route-table create --name $route --resource-group $resourceGroup --location $location + +az network route-table route create --address-prefix 0.0.0.0/0 --name "primaryToMIManagementService" --next-hop-type Internet --resource-group $resourceGroup --route-table-name $route +az network route-table route create --address-prefix 10.0.0.0/24 --name "ToLocalClusterNode" --next-hop-type VnetLocal --resource-group $resourceGroup --route-table-name $route + +echo "Configuring $($subnet) with $($nsg) and $($route)..." +az network vnet subnet update --name $subnet --network-security-group $nsg --route-table $route --vnet-name $vnet --resource-group $resourceGroup + +echo "Creating $($instance) with $($vnet) and $($subnet)..." +az sql mi create --admin-password $password --admin-user $login --name $instance --resource-group $resourceGroup --subnet $subnet --vnet-name $vnet --location $location --assign-identity + +echo "Creating $($failoverVnet) with $($failoverSubnet)..." +az network vnet create --name $failoverVnet --resource-group $failoverResourceGroup --location $failoverLocation --address-prefixes 10.128.0.0/16 +az network vnet subnet create --name $failoverSubnet --resource-group $failoverResourceGroup --vnet-name $failoverVnet --address-prefixes 10.128.0.0/24 + +echo "Creating $($failoverNsg)..." 
+az network nsg create --name $failoverNsg --resource-group $failoverResourceGroup --location $failoverLocation + +az network nsg rule create --name "allow_management_inbound" --nsg-name $failoverNsg --priority 100 --resource-group $failoverResourceGroup --access Allow --destination-address-prefixes 10.128.0.0/24 --destination-port-ranges 9000 9003 1438 1440 1452 --direction Inbound --protocol Tcp --source-address-prefixes * --source-port-ranges * +az network nsg rule create --name "allow_misubnet_inbound" --nsg-name $failoverNsg --priority 200 --resource-group $failoverResourceGroup --access Allow --destination-address-prefixes 10.128.0.0/24 --destination-port-ranges * --direction Inbound --protocol * --source-address-prefixes 10.128.0.0/24 --source-port-ranges * +az network nsg rule create --name "allow_health_probe_inbound" --nsg-name $failoverNsg --priority 300 --resource-group $failoverResourceGroup --access Allow --destination-address-prefixes 10.128.0.0/24 --destination-port-ranges * --direction Inbound --protocol * --source-address-prefixes AzureLoadBalancer --source-port-ranges * +az network nsg rule create --name "allow_management_outbound" --nsg-name $failoverNsg --priority 1100 --resource-group $failoverResourceGroup --access Allow --destination-address-prefixes AzureCloud --destination-port-ranges 443 12000 --direction Outbound --protocol Tcp --source-address-prefixes 10.128.0.0/24 --source-port-ranges * +az network nsg rule create --name "allow_misubnet_outbound" --nsg-name $failoverNsg --priority 200 --resource-group $failoverResourceGroup --access Allow --destination-address-prefixes 10.128.0.0/24 --destination-port-ranges * --direction Outbound --protocol * --source-address-prefixes 10.128.0.0/24 --source-port-ranges * + +echo "Creating $($failoverRoute)..." 
+az network route-table create --name $failoverRoute --resource-group $failoverResourceGroup --location $failoverLocation + +az network route-table route create --address-prefix 0.0.0.0/0 --name "primaryToMIManagementService" --next-hop-type Internet --resource-group $failoverResourceGroup --route-table-name $failoverRoute +az network route-table route create --address-prefix 10.128.0.0/24 --name "ToLocalClusterNode" --next-hop-type VnetLocal --resource-group $failoverResourceGroup --route-table-name $failoverRoute + +echo "Configuring $($failoverSubnet) with $($failoverNsg) and $($failoverRoute)..." +az network vnet subnet update --name $failoverSubnet --network-security-group $failoverNsg --route-table $failoverRoute --vnet-name $failoverVnet --resource-group $failoverResourceGroup + +echo "Creating $($failoverInstance) with $($failoverVnet) and $($failoverSubnet)..." +az sql mi create --admin-password $password --admin-user $login --name $failoverInstance --resource-group $failoverResourceGroup --subnet $failoverSubnet --vnet-name $failoverVnet --location $failoverLocation --assign-identity + +echo "Creating gateway..." +az network vnet subnet create --name "GatewaySubnet" --resource-group $resourceGroup --vnet-name $vnet --address-prefixes 10.0.255.0/27 +az network public-ip create --name $gatewayIP --resource-group $resourceGroup --allocation-method Dynamic --location $location +az network vnet-gateway create --name $gateway --public-ip-addresses $gatewayIP --resource-group $resourceGroup --vnet $vnet --asn 61000 --gateway-type Vpn --location $location --sku VpnGw1 --vpn-type RouteBased #-EnableBgp $true + +echo "Creating failover gateway..." 
+az network vnet subnet create --name "GatewaySubnet" --resource-group $failoverResourceGroup --vnet-name $failoverVnet --address-prefixes 10.128.255.0/27 +az network public-ip create --name $failoverGatewayIP --resource-group $failoverResourceGroup --allocation-method Dynamic --location $failoverLocation +az network vnet-gateway create --name $failoverGateway --public-ip-addresses $failoverGatewayIP --resource-group $failoverResourceGroup --vnet $failoverVnet --asn 62000 --gateway-type Vpn --location $failoverLocation --sku VpnGw1 --vpn-type RouteBased + +echo "Connecting gateway and failover gateway..." +az network vpn-connection create --name $gatewayConnection --resource-group $resourceGroup --vnet-gateway1 $gateway --enable-bgp --location $location --vnet-gateway2 $failoverGateway --shared-key $vpnSharedKey +az network vpn-connection create --name $failoverGatewayConnection --resource-group $failoverResourceGroup --vnet-gateway1 $failoverGateway --enable-bgp --location $failoverLocation --shared-key $vpnSharedKey --vnet-gateway2 $gateway + echo "Creating the failover group..." 
-az sql instance-failover-group create --mi $primaryInstance - --name $failoverGroupName - --partner-mi $secondaryInstance - --partner-resource-group - --resource-group $resourceGroupName - --failover-policy Automatic - --grace-period 1 -# -Location $location -PartnerRegion $drLocation - -# verify the current primary role -az sql instance-failover-group show --location $location \ - --name $failoverGroupName \ - --resource-group $resourceGroupName - -# failover the primary managed instance to the secondary role -echo "Failing primary over to the secondary location" -az sql instance-failover-group set-primary --location $drLocation \ - --name $failoverGroupName \ - --resource-group $resourceGroupName -echo "Successfully failed failover group to secondary location" - -# verify the current primary role -az sql instance-failover-group show --location $drLocation \ - --name $failoverGroupName \ - --resource-group $resourceGroupName - -# fail primary managed instance back to primary role -echo "Failing primary back to primary role" -az sql instance-failover-group set-primary --location $location \ - --name $failoverGroupName \ - --resource-group $resourceGroupName -echo "Successfully failed failover group to primary location" - -# verify the current primary role -az sql instance-failover-group show --location $location \ - --name $failoverGroupName \ - --resource-group $resourceGroupName - -# clean up deployment  -# You will need to remove the resource group twice. Removing the resource group the first time will remove the managed instance and virtual clusters but will then fail with a conflict. Run the az group delete command a second time to remove any residual resources as well as the resource group. 
-# az group delete --name $resourceGroupName
-# az group delete --name $resourceGroupName
\ No newline at end of file
+az sql instance-failover-group create --mi $instance --name $failover --partner-mi $failoverInstance --resource-group $resourceGroup --partner-resource-group $failoverResourceGroup --failover-policy Automatic --grace-period 1
+az sql instance-failover-group show --location $location --name $failover --resource-group $resourceGroup # verify the primary role
+
+echo "Failing managed instance over to secondary location..."
+az sql instance-failover-group set-primary --location $failoverLocation --name $failover --resource-group $resourceGroup
+az sql instance-failover-group show --location $failoverLocation --name $failover --resource-group $resourceGroup # verify the primary role
+
+echo "Failing managed instance back to primary location..."
+az sql instance-failover-group set-primary --location $location --name $failover --resource-group $resourceGroup
+az sql instance-failover-group show --location $location --name $failover --resource-group $resourceGroup # verify the primary role
diff --git a/sql-database/failover-groups/add-single-db-to-failover-group-az-cli.sh b/sql-database/failover-groups/add-single-db-to-failover-group-az-cli.sh
index 2f555336..61d4c5f2 100644
--- a/sql-database/failover-groups/add-single-db-to-failover-group-az-cli.sh
+++ b/sql-database/failover-groups/add-single-db-to-failover-group-az-cli.sh
@@ -1,109 +1,46 @@ #!/bin/bash -subscriptionID= -resourceGroupName=myResourceGroup-$RANDOM -location=SouthCentralUS -adminLogin=azureuser -password="PWD27!"+`openssl rand -base64 18` -serverName=mysqlserver-$RANDOM -databaseName=mySampleDatabase -drLocation=NorthEurope -drServerName=mysqlsecondary-$RANDOM -failoverGroupName=failovergrouptutorial-$RANDOM +$subscription = "" # add subscription here +$location = "East US" -# The ip address range that you want to allow access to your DB. -# Leaving at 0.0.0.0 will prevent outside-of-azure connections -startip=0.0.0.0 -endip=0.0.0.0 +$randomIdentifier = $(Get-Random) -# print out randomized variables -echo Resource group name is $resourceGroupName -echo Passowrd is $password -echo Servername is $serverName -echo DR Server name $drServerName -echo Failover group name $failoverGroupName +$resourceGroup = "resource-$randomIdentifier" +$server = "sqlserver-$randomIdentifier" +$database = "database-$randomIdentifier" -# set the subscription context for the Azure account -az account set -s $subscriptionID +$failover = "failover-$randomIdentifier" +$failoverLocation = "West US" +$failoverServer = "sqlsecondary-$randomIdentifier" -# create a resource group -echo "Creating resource group..." -az group create \ - --name $resourceGroupName \ - --location $location \ - --tags Owner[=SQLDB-Samples] +$login = "sampleLogin" +$password = "samplePassword123!" -# create a logical server in the resource group -echo "Creating primary logical server..." -az sql server create \ - --name $serverName \ - --resource-group $resourceGroupName \ - --location $location \ - --admin-user $adminLogin \ - --admin-password $password +echo "Using resource group $($resourceGroup) with login: $($login), password: $($password)..." -# configure a firewall rule for the server -echo "Configuring firewall..." 
-az sql server firewall-rule create \ - --resource-group $resourceGroupName \ - --server $serverName \ - -n AllowYourIp \ - --start-ip-address $startip \ - --end-ip-address $endip +echo "Creating $($resourceGroup)..." +az group create --name $resourceGroup --location $location -# create a gen5 2vCore database in the server -echo "Creating a gen5 2 vCore database..." -az sql db create \ - --resource-group $resourceGroupName \ - --server $serverName \ - --name $databaseName \ - --sample-name AdventureWorksLT \ - --edition GeneralPurpose \ - --family Gen5 \ - --capacity 2 +echo "Creating $($server) in $($location)..." +az sql server create --name $server --resource-group $resourceGroup --location $location --admin-user $login --admin-password $password -# create a secondary server in the failover region -echo "Creating a secondary logical server in the DR region..." -az sql server create \ - --name $drServerName \ - --resource-group $resourceGroupName \ - --location $drLocation \ - --admin-user $adminLogin\ - --admin-password $password +echo "Creating $($database) on $($server)..." +az sql db create --name $database --resource-group $resourceGroup --server $server --sample-name AdventureWorksLT -# create a failover group between the servers and add the database -echo "Creating a failover group between the two servers..." -az sql failover-group create \ - --name $failoverGroupName \ - --partner-server $drServerName \ - --resource-group $resourceGroupName \ - --server $serverName \ - --add-db $databaseName - --failover-policy Automatic +echo "Creating $($failoverServer) in $($failoverLocation)..." +az sql server create --name $failoverServer --resource-group $resourceGroup --location $failoverLocation --admin-user $login --admin-password $password -# verify which server is secondary -echo "Verifying which server is in the secondary role..." 
-az sql failover-group list \ - --server $serverName \ - --resource-group $resourceGroupName +echo "Creating $($failover) between $($server) and $($failoverServer)..." +az sql failover-group create --name $failover --partner-server $failoverServer --resource-group $resourceGroup --server $server --failover-policy Automatic --grace-period 2 --add-db $database -# failover to the secondary server -echo "Failing over group to the secondary server..." -az sql failover-group set-primary \ - --name $failoverGroupName \ - --resource-group $resourceGroupName \ - --server $drServerName -echo "Successfully failed failover group over to" $drServerName +echo "Confirming role of $($failoverServer) is secondary..." # note ReplicationRole property +az sql failover-group show --name $failover --resource-group $resourceGroup --server $server -# revert failover group back to the primary server -echo "Failing over group back to the primary server..." -az sql failover-group set-primary \ - --name $failoverGroupName \ - --resource-group $resourceGroupName \ - --server $serverName -echo "Successfully failed failover group back to" $serverName +echo "Failing over to $($failoverServer)..." +az sql failover-group set-primary --name $failover --resource-group $resourceGroup --server $failoverServer -# clean up resources by removing the resource group -# echo "Cleaning up resources by removing the resource group..." -# az group delete --name $resourceGroupName -# echo "Successfully removed resource group" $resourceGroupName \ No newline at end of file +echo "Confirming role of $($failoverServer) is now primary..." # note ReplicationRole property +az sql failover-group show --name $failover --resource-group $resourceGroup --server $server + +echo "Failing back to $($server)...." +az sql failover-group set-primary --name $failover --resource-group $resourceGroup --server $server \ No newline at end of file 
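Review bot: The new side of this hunk is PowerShell syntax under a `#!/bin/bash` shebang, so none of it runs as written: `$subscription = ""` expands the unset variable and executes `=` as a command, `$(Get-Random)` invokes a cmdlet bash does not have, and `$($resourceGroup)` inside the echo strings is bash command substitution that tries to execute the resource-group name; the bash forms are `subscription=""`, `randomIdentifier=$RANDOM` and plain `$resourceGroup` in the strings (the removed lines, e.g. `resourceGroupName=myResourceGroup-$RANDOM`, show the working shape). The same defect is in the import-from-bacpac.sh and create-managed-instance.sh hunks below. `$subscription` is now assigned but never consumed because the `az account set -s` line was removed, so the script acts on whatever subscription the CLI currently has selected; either restore `az account set -s $subscription` or drop the variable. The `echo "Using resource group ... password: $($password)..."` line writes the admin password to stdout and therefore into any captured log; printing the login alone is enough for the sample.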
diff --git a/sql-database/import-from-bacpac/import-from-bacpac.sh b/sql-database/import-from-bacpac/import-from-bacpac.sh
index f18d6036..0418e6a9 100644
--- a/sql-database/import-from-bacpac/import-from-bacpac.sh
+++ b/sql-database/import-from-bacpac/import-from-bacpac.sh
@@ -1,87 +1,45 @@ #!/bin/bash -# Connect-AzAccount +$subscription = "" # add subscription here +$location = "East US" -$subscriptionId = '' -$resourceGroupName = "myResourceGroup-$(Get-Random)" -$location = "westeurope" -$adminSqlLogin = "SqlAdmin" -$password = "ChangeYourAdminPassword1" -$serverName = "server-$(Get-Random)" -$databaseName = "myImportedDatabase" -$storageAccountName = "sqlimport$(Get-Random)" -$storageContainerName = "importcontainer$(Get-Random)" -$bacpacFilename = "sample.bacpac" +$randomIdentifier = $(Get-Random) -# The ip address range that you want to allow to access your server -$startip = "0.0.0.0" -$endip = "0.0.0.0" +$resourceGroup = "resource-$randomIdentifier" +$server = "server-$randomIdentifier" +$database = "database-$randomIdentifier" +$storage = "storage$randomIdentifier" +$container = "container-$randomIdentifier" -# set the subscription context for the Azure account -az account set -s $subscriptionID +$bacpac = "sample.bacpac" -# create a resource group -az group create \ - --name $resourceGroupName \ - --location $location +$login = "sampleLogin" +$password = "samplePassword123!" -# create a storage account -az storage account create --name $storageAccountName \ - --resource-group $resourceGroupName \ - --location $location \ - --sku Standard_LRS +echo "Using resource group $($resourceGroup) with login: $($login), password: $($password)..." -# create a storage container -$storageKey = az storage account keys list --account-name $storageAccountName \ - --resource-group $resourceGroupName \ - -o json --query [0].value +echo "Creating $($resourceGroup)..." +az group create --name $resourceGroup --location $location -az storage container create --name $storageContainerName \ - --account-key $storageKey \ - --account-name $storageAccountName +echo "Creating $($storage)..." 
+az storage account create --name $storage --resource-group $resourceGroup --location $location --sku Standard_LRS -# download sample database from Github -az rest --uri https://github.com/Microsoft/sql-server-samples/releases/download/wide-world-importers-v1.0/WideWorldImporters-Standard.bacpac \ - --output-file $bacpacfilename -m get --skip-authorization-header +echo "Creating $($container) on $($storage)..." +$key = az storage account keys list --account-name $storage --resource-group $resourceGroup -o json --query [0].value +az storage container create --name $container --account-key $key --account-name $storage #--public-access container -# upload sample database into storage container -az storage blob upload --container-name $storagecontainername \ - --file $bacpacFilename \ - --name \ - --account-key $storageKey \ - --account-name $storageAccountName +echo "Downloading sample database..." +az rest --uri https://github.com/Microsoft/sql-server-samples/releases/download/wide-world-importers-v1.0/WideWorldImporters-Standard.bacpac --output-file $bacpac -m get --skip-authorization-header -# create a new server with a system wide unique server name -az sql server create \ - --name $serverName \ - --resource-group $resourceGroupName \ - --location $location \ - --admin-user $adminSqlLogin \ - --admin-password $password +echo "Uploading sample database to $($container)..." +az storage blob upload --container-name $container --file $bacpac --name $bacpac --account-key $key --account-name $storage -# create a server firewall rule that allows access from the specified IP range -az sql server firewall-rule create --end-ip-address $endIp \ - --name "AllowedIPs" \ - --resource-group $resourceGroupName \ - --server $serverName \ - --start-ip-address $startIp +echo "Creating $($server)..." 
+az sql server create --name $server --resource-group $resourceGroup --location $location --admin-user $login --admin-password $password +az sql server firewall-rule create --resource-group $resourceGroup --server $server --name AllowAzureServices --start-ip-address 0.0.0.0 --end-ip-address 0.0.0.0 -# import bacpac to database with an S3 performance level -az sql db import --admin-password $password \ - --admin-user $adminSqlLogin \ - --storage-key $storageKey \ - --storage-key-type StorageAccessKey \ - --storage-uri "https://$storageaccountname.blob.core.windows.net/$storageContainerName/$bacpacFilename" \ - --name $databaseName \ - --resource-group $resourceGroupName \ - --server $serverName +echo "Creating $($database)..." +az sql db create --name $database --resource-group $resourceGroup --server $server --edition "GeneralPurpose" -# scale down to S0 after import is complete -az sql db update --edition "Standard" \ - --name $databaseName \ - --resource-group $resourceGroupName \ - --server $serverName \ - --service-objective "S0" - -# clean up deployment -# az group delete --name $resourceGroupName \ No newline at end of file +echo "Importing sample database from $($container) to $($database)..." +az sql db import --admin-password $password --admin-user $login --storage-key $key --storage-key-type StorageAccessKey --storage-uri https://$storage.blob.core.windows.net/$container/$bacpac --name $database --resource-group $resourceGroup --server $server \ No newline at end of file diff --git a/sql-database/managed-instance/create-managed-instance.sh b/sql-database/managed-instance/create-managed-instance.sh new file mode 100644 index 00000000..154222a7 --- /dev/null +++ b/sql-database/managed-instance/create-managed-instance.sh 
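Review bot: `$key = az storage account keys list --account-name $storage --resource-group $resourceGroup -o json --query [0].value` is not an assignment in bash, so `--account-key $key` on the container create and on `az sql db import` is passed empty and the import cannot authenticate to the blob; the bash form is `key=$(az storage account keys list --account-name $storage --resource-group $resourceGroup --query "[0].value" -o tsv)`, with `-o tsv` so the key is not wrapped in JSON quotes and the query quoted so the brackets are not treated as a glob. The rest of the file has the same PowerShell-under-bash problem raised on the add-single-db-to-failover-group-az-cli.sh hunk above. The `AllowAzureServices` rule with start and end `0.0.0.0` is the sentinel that admits connections from any Azure-hosted source, not only this subscription; a comment such as `# 0.0.0.0-0.0.0.0 = "allow Azure services", required for the import; remove the rule once the import completes` would keep it from being copied as a generic firewall example. The storage key and admin password are also passed on the command line, so `set -x` traces and process listings expose them — worth a comment if this sample is meant to be reused.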
@@ -0,0 +1,46 @@
+#!/bin/bash
+
+$subscription = "" # add subscription here
+$location = "East US"
+
+$randomIdentifier = $(Get-Random)
+
+$resourceGroup = "resource-$randomIdentifier"
+$vnet = "vnet-$randomIdentifier"
+$subnet = "subnet-$randomIdentifier"
+$nsg = "nsg-$randomIdentifier"
+$route = "route-$randomIdentifier"
+$instance = "instance-$randomIdentifier"
+
+$login = "sampleLogin"
+$password = "samplePassword123!"
+
+echo "Using resource group $($resourceGroup) with login: $($login), password: $($password)..."
+
+echo "Creating $($resourceGroup)..."
+az group create --name $resourceGroup --location $location
+
+echo "Creating $($vnet) with $($subnet)..."
+az network vnet create --name $vnet --resource-group $resourceGroup --location $location --address-prefixes 10.0.0.0/16
+az network vnet subnet create --name $subnet --resource-group $resourceGroup --vnet-name $vnet --address-prefixes 10.0.0.0/24
+
+echo "Creating $($nsg)..."
+az network nsg create --name $nsg --resource-group $resourceGroup --location $location
+
+az network nsg rule create --name "allow_management_inbound" --nsg-name $nsg --priority 100 --resource-group $resourceGroup --access Allow --destination-address-prefixes 10.0.0.0/24 --destination-port-ranges 9000 9003 1438 1440 1452 --direction Inbound --protocol Tcp --source-address-prefixes * --source-port-ranges *
+az network nsg rule create --name "allow_misubnet_inbound" --nsg-name $nsg --priority 200 --resource-group $resourceGroup --access Allow --destination-address-prefixes 10.0.0.0/24 --destination-port-ranges * --direction Inbound --protocol * --source-address-prefixes 10.0.0.0/24 --source-port-ranges *
+az network nsg rule create --name "allow_health_probe_inbound" --nsg-name $nsg --priority 300 --resource-group $resourceGroup --access Allow --destination-address-prefixes 10.0.0.0/24 --destination-port-ranges * --direction Inbound --protocol * --source-address-prefixes AzureLoadBalancer --source-port-ranges *
+az network nsg rule create --name "allow_management_outbound" --nsg-name $nsg --priority 1100 --resource-group $resourceGroup --access Allow --destination-address-prefixes AzureCloud --destination-port-ranges 443 12000 --direction Outbound --protocol Tcp --source-address-prefixes 10.0.0.0/24 --source-port-ranges *
+az network nsg rule create --name "allow_misubnet_outbound" --nsg-name $nsg --priority 200 --resource-group $resourceGroup --access Allow --destination-address-prefixes 10.0.0.0/24 --destination-port-ranges * --direction Outbound --protocol * --source-address-prefixes 10.0.0.0/24 --source-port-ranges *
+
+echo "Creating $($route)..."
+az network route-table create --name $route --resource-group $resourceGroup --location $location
+
+az network route-table route create --address-prefix 0.0.0.0/0 --name "primaryToMIManagementService" --next-hop-type Internet --resource-group $resourceGroup --route-table-name $route
+az network route-table route create --address-prefix 10.0.0.0/24 --name "ToLocalClusterNode" --next-hop-type VnetLocal --resource-group $resourceGroup --route-table-name $route
+
+echo "Configuring $($subnet) with $($nsg) and $($route)..."
+az network vnet subnet update --name $subnet --network-security-group $nsg --route-table $route --vnet-name $vnet --resource-group $resourceGroup
+
+echo "Creating $($instance) with $($vnet) and $($subnet)..."
+az sql mi create --admin-password $password --admin-user $login --name $instance --resource-group $resourceGroup --subnet $subnet --vnet-name $vnet --location $location
\ No newline at end of file
diff --git a/sql-database/monitor-and-scale-database/monitor-and-scale-database.sh b/sql-database/monitor-and-scale-database/monitor-and-scale-database.sh
index e794817d..20302190 100644
--- a/sql-database/monitor-and-scale-database/monitor-and-scale-database.sh
+++ b/sql-database/monitor-and-scale-database/monitor-and-scale-database.sh
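Review bot: The assignments `$subscription = ""` and `$randomIdentifier = $(Get-Random)` and the `$($resourceGroup)` interpolation in the echo lines are PowerShell syntax, so under the `#!/bin/bash` shebang every assignment fails (bash runs `=` as a command with an empty name) and `$($password)` tries to execute the password value as a command; the monitor-and-scale-database, restore-database, both setup-geodr-and-failover and setup-tde-byok-sqlmi hunks below share this, as does the import hunk at the top of this chunk. In bash the variable block would read `resourceGroup="resource-$RANDOM"` and the echoes `"$resourceGroup"`; alternatively the shebang and the `.sh` extension should say PowerShell. Specific to this hunk, the unquoted `*` in `--source-address-prefixes *`, `--destination-port-ranges *` and `--protocol *` on the NSG rule lines is a glob in bash and expands to the file names in the current directory, so the wildcard rules would be created with arbitrary prefixes or rejected; quoting them as `'*'` is harmless in PowerShell and required in bash. `--admin-password $password` on the `az sql mi create` line, like every `--admin-password` argument in this diff, is visible in `ps` output for the duration of the call, which is worth a comment for anyone adapting the sample.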
@@ -1,56 +1,30 @@
 #!/bin/bash
-# set execution context (if necessary)
-az account set --subscription
-
-# Set the resource group name and location for your server
-resourceGroupName=myResourceGroup-$RANDOM
-location=westus2
-
-# Set an admin login and password for your database
-adminlogin=ServerAdmin
-password=`openssl rand -base64 16`
-# password=
-
-# The logical server name has to be unique in the system
-servername=server-$RANDOM
-
-# Create a resource group
-az group create \
- --name $resourceGroupName \
- --location $location
-
-# Create a server
-az sql server create \
- --name $servername \
- --resource-group $resourceGroupName \
- --location $location \
- --admin-user $adminlogin \
- --admin-password $password
-
-# Create a General Purpose Gen4 database with 1 vCore
-az sql db create \
- --resource-group $resourceGroupName \
- --server $servername \
- --name mySampleDatabase \
- --edition GeneralPurpose \
- --family Gen4 \
- --capacity 1
-
-# Monitor database size
-az sql db list-usages \
- --name mySampleDatabase \
- --resource-group $resourceGroupName \
- --server $servername
-
-# Scale up database to 2 vCores (create command executes update if DB already exists)
-az sql db create \
- --resource-group $resourceGroupName \
- --server $servername \
- --name mySampleDatabase \
- --edition GeneralPurpose \
- --family Gen4 \
- --capacity 2
-
-# Echo random password
-echo $password
\ No newline at end of file
+$subscription = "" # add subscription here
+$location = "East US"
+
+$randomIdentifier = $(Get-Random)
+
+$resourceGroup = "resource-$randomIdentifier"
+$server = "server-$randomIdentifier"
+$database = "database-$randomIdentifier"
+
+$login = "sampleLogin"
+$password = "samplePassword123!"
+
+echo "Using resource group $($resourceGroup) with login: $($login), password: $($password)..."
+
+echo "Creating $($resourceGroup)..."
+az group create --name $resourceGroup --location $location
+
+echo "Creating $($server) on $($resourceGroup)..."
+az sql server create --name $server --resource-group $resourceGroup --location $location --admin-user $login --admin-password $password
+
+echo "Creating $($database) on $($server)..."
+az sql db create --resource-group $resourceGroup --server $server --name $database --edition GeneralPurpose --family Gen4 --capacity 1
+
+echo "Monitoring size of $($database)..."
+az sql db list-usages --name $database --resource-group $resourceGroup --server $server
+
+echo "Scaling up $($database)..." # create command executes update if database already exists
+az sql db create --resource-group $resourceGroup --server $server --name $database --edition GeneralPurpose --family Gen4 --capacity 2
\ No newline at end of file
diff --git a/sql-database/restore-database/restore-database.sh b/sql-database/restore-database/restore-database.sh
index 8a22a5a3..c4399bcd 100644
--- a/sql-database/restore-database/restore-database.sh
+++ b/sql-database/restore-database/restore-database.sh
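Review bot: The admin password regresses from a generated value (`password=\`openssl rand -base64 16\`` on the removed side) to the fixed string `samplePassword123!`, and the new `echo "Using resource group ... password: $($password)..."` line prints it to stdout. A known sample credential shared by the create-managed-instance, restore-database, both setup-geodr-and-failover scripts and the import hunk is the first thing tried against any server left running from one of these samples, and the echo lands the value in terminal scrollback and CI logs. Keeping the generation, `password=$(openssl rand -base64 16)`, and dropping the password from the echo keeps the sample runnable without publishing a credential. The removed `echo $password` at the end had the same exposure, so the sink is not new, only the fixed value feeding it.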
@@ -1,73 +1,34 @@ #!/bin/bash -# Set variables -subscriptionID= -resourceGroupName=myResourceGroup-$RANDOM -location=westus2 -adminLogin=SqlAdmin -password="ChangeYourAdminPassword1" -serverName=server-$RANDOM -databaseName=mySampleDatabase -restoreDatabaseName=MySampleDatabase_GeoRestore -pointInTimeRestoreDatabaseName=MySampleDatabase_10MinutesAgo -# The ip address range that you want to allow access to your DB. -# Leaving at 0.0.0.0 will prevent outside-of-azure connections -startip=0.0.0.0 -endip=0.0.0.0 +$subscription = "" # add subscription here +$location = "East US" -# Set the subscription context for the Azure account -az account set -s $subscriptionID +$randomIdentifier = $(Get-Random) -# Create a resource group -az group create \ - --name $resourceGroupName \ - --location $location +$resourceGroup = "resource-$randomIdentifier" -# Create a logical server in the resource group -az sql server create \ - --name $serverName \ - --resource-group $resourceGroupName \ - --location $location \ - --admin-user $adminLogin \ - --admin-password $password +$server = "server-$randomIdentifier" +$database = "database-$randomIdentifier" +$restore = "restore-$randomIdentifier" -# Configure a firewall rule for the server -az sql server firewall-rule create \ - --resource-group $resourceGroupName \ - --server $serverName \ - -n AllowYourIp \ - --start-ip-address $startip \ - --end-ip-address $endip +$login = "sampleLogin" +$password = "samplePassword123!" -# Create a blank database with an S0 performance level -echo "Creating a gen5 2 vCore database..." -az sql db create \ - --resource-group $resourceGroupName \ - --server $serverName \ - --name $databaseName \ - --service-objective S0 +echo "Using resource group $($resourceGroup) with login: $($login), password: $($password)..." 
-Start-Sleep -second 600 -$restoreDateTime = (Get-Date).ToUniversalTime().AddMinutes(-2) -$azRestoreTime = '{0:s}' -f $restoreDateTime - -# Restore database to its state 7 minutes ago -# Note: Point-in-time restore requires database to be at least 5 minutes old -az sql db restore --dest-name $pointInTimeRestoreDatabaseName \ - --edition Standard \ - --ids \ - --name $restoreDatabaseName \ - --resource-group $resourceGroupName \ - --server $serverName \ - --service-objective S0 \ - --time $azRestoreTime +echo "Creating $($resourceGroup)..." +az group create --name $resourceGroup --location $location +echo "Creating $($server)..." +az sql server create --name $server --resource-group $resourceGroup --location $location --admin-user $login --admin-password $password - -ResourceId $database.ResourceID ` +echo "Creating $($database) on $($server)..." +az sql db create --resource-group $resourceGroup --server $server --name $database --service-objective S0 +echo "Sleeping..." +Start-Sleep -second 960 +$restoreDateTime = (Get-Date).ToUniversalTime().AddMinutes(-2) +$restoreTime = '{0:s}' -f $restoreDateTime -# Clean up resources by removing the resource group -# echo "Cleaning up resources by removing the resource group..." -# az group delete \ -# --name $resourceGroupName -# echo "Successfully removed resource group" $resourceGroupName +echo "Restoring $($database) to $($restoreTime)..." # restore database to its state 2 minutes ago, point-in-time restore requires database to be at least 5 minutes old +az sql db restore --dest-name $restore --edition Standard --name $database --resource-group $resourceGroup --server $server --service-objective S0 --time $restoreTime \ No newline at end of file diff --git a/sql-database/setup-geodr-and-failover/setup-geodr-and-failover-elastic-pool.sh b/sql-database/setup-geodr-and-failover/setup-geodr-and-failover-elastic-pool.sh index c927a19e..09f41317 100644 
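Review bot: `Start-Sleep -second 960`, `(Get-Date).ToUniversalTime().AddMinutes(-2)` and `'{0:s}' -f $restoreDateTime` are PowerShell cmdlets and operators, so under `#!/bin/bash` the script fails at the sleep and `--time $restoreTime` reaches `az sql db restore` with no value. The bash equivalents are `sleep 960` and `restoreTime=$(date -u -d '-2 minutes' '+%Y-%m-%dT%H:%M:%S')` (GNU date), which yields the same UTC sortable timestamp the `s` format specifier produces. The rationale appended to the `echo "Restoring ..."` line, that point-in-time restore requires the database to be at least 5 minutes old, belongs on its own comment line above the sleep so a reader sees why 960 seconds are waited before the restore is attempted.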
--- a/sql-database/setup-geodr-and-failover/setup-geodr-and-failover-elastic-pool.sh +++ b/sql-database/setup-geodr-and-failover/setup-geodr-and-failover-elastic-pool.sh 
@@ -1,103 +1,45 @@ #!/bin/bash -# Connect-AzAccount +$subscription = "" # add subscription here +$location = "East US" -$subscriptionId = '' -$primaryResourceGroupName = "myPrimaryResourceGroup-$(Get-Random)" -$secondaryResourceGroupName = "mySecondaryResourceGroup-$(Get-Random)" -$primaryLocation = "westus2" -$secondaryLocation = "eastus" -$primaryServerName = "primary-server-$(Get-Random)" -$secondaryServerName = "secondary-server-$(Get-Random)" -$adminSqlLgin = "SqlAdmin" -$password = "ChangeYourAdminPassword1" -$databaseName = "mySampleDatabase" -$primaryPoolName = "PrimaryPool" -$secondarypoolname = "SecondaryPool" +$randomIdentifier = $(Get-Random) -# The ip address ranges that you want to allow to access your servers -$primaryStartIp = "0.0.0.0" -$primaryEndIp = "0.0.0.0" -$secondaryStartIp = "0.0.0.0" -$secondaryEndIp = "0.0.0.0" +$resourceGroup = "resource-$randomIdentifier" +$server = "server-$randomIdentifier" +$database = "database-$randomIdentifier" +$pool = "pool-$randomIdentifier" -# set the subscription context for the Azure account -az account set -s $subscriptionID +$secondaryResourceGroup = "secondaryResource-$randomIdentifier" +$secondaryLocation = "West US" +$secondaryServer = "secondaryserver-$randomIdentifier" +$secondarypool = "secondarypool-$randomIdentifier" -# create two new resource groups -az group create \ - --name $primaryResourceGroupName \ - --location $primaryLocation -az group create \ - --name $secondaryResourceGroupname \ - --location $secondaryLocation +$login = "sampleLogin" +$password = "samplePassword123!" 
-# create two new logical servers with a system wide unique server name -az sql server create \ - --name $primaryServerName \ - --resource-group $primaryResourceGroupName \ - --location $primaryLocation \ - --admin-user $adminSqlLgin \ - --admin-password $password -az sql server create \ - --name $secondaryServerName \ - --resource-group $secondaryResourceGroupName \ - --location $secondaryLocation \ - --admin-user $adminSqlLgin \ - --admin-password $password +echo "Using resource group $($resourceGroup) with login: $($login), password: $($password)..." -# create a server firewall rule for each server that allows access from the specified IP range -az sql server firewall-rule create --end-ip-address $primaryEndIp \ - --name "AllowedIPs" \ - --resource-group $primaryResourceGroupName \ - --server $primaryServerName \ - --start-ip-address $primaryStartIp -az sql server firewall-rule create --end-ip-address $secondaryEndIp \ - --name "AllowedIPs" \ - --resource-group $secondaryResourceGroupName \ - --server $secondaryServerName \ - --start-ip-address $secondaryStartIp +echo "Creating $($resourceGroup) (and $($secondaryResourceGroup))..." +az group create --name $resourceGroup --location $location +az group create --name $secondaryResourceGroup --location $secondaryLocation -# create a pool in each of the servers -az sql elastic-pool create --name $primaryPoolName \ - --resource-group $primaryResourceGroupName \ - --server $primaryServerName \ - --capacity 50 \ - --db-dtu-max 50 \ - --db-dtu-min 10 \ - --edition "Standard" -az sql elastic-pool create --name $secondaryPoolName \ - --resource-group $secondaryResourceGroupName \ - --server $secondaryServerNamee \ - --capacity 50 \ - --db-dtu-max 50 \ - --db-dtu-min 10 \ - --edition "Standard" +echo "Creating $($server) in $($location) (and $($secondaryServer) in $($secondaryLocation))..." 
+az sql server create --name $server --resource-group $resourceGroup --location $location --admin-user $login --admin-password $password +az sql server create --name $secondaryServer --resource-group $secondaryResourceGroup --location $secondaryLocation --admin-user $login --admin-password $password -# create a blank database in the pool on the primary server -az sql db create --name $databaseName \ - --resource-group $primaryResourceGroupName \ - --server $primaryServerName \ - --elastic-pool $primaryPoolName +echo "Creating $($pool) on $($server) (and $($secondaryPool) on $($secondaryServer))..." +az sql elastic-pool create --name $pool --resource-group $resourceGroup --server $server --capacity 50 --db-dtu-max 50 --db-dtu-min 10 --edition "Standard" +az sql elastic-pool create --name $secondaryPool --resource-group $secondaryResourceGroup --server $secondaryServer --capacity 50 --db-dtu-max 50 --db-dtu-min 10 --edition "Standard" -# establish Active Geo-Replication -az sql db replica create --name $databaseName - --partner-server $secondaryServerName - --resource-group $primaryResourceGroupName - --server $primaryServerName - --elastic-pool $secondaryPoolName - --partner-resource-group $secondaryResourceGroupName +echo "Creating $($database) in $($pool)..." +az sql db create --name $database --resource-group $resourceGroup --server $server --elastic-pool $pool -# initiate a planned failover -az sql db replica set-primary --name $databaseName \ - --resource-group $secondaryResourceGroupName \ - --server $secondaryServerName +echo "Establishing geo-replication for $($database) between $($server) and $($secondaryServer)..." 
+az sql db replica create --name $database --partner-server $secondaryServer --resource-group $resourceGroup --server $server --elastic-pool $secondaryPool --partner-resource-group $secondaryResourceGroup -# monitor Geo-Replication config and health after failover -az sql db replica list-links --name $databaseName \ - --resource-group $secondaryResourceGroupName \ - --server $secondaryServerName +echo "Initiating failover to $($secondaryServer)..." +az sql db replica set-primary --name $database --resource-group $secondaryResourceGroup --server $secondaryServer -# clean up deployment -# az group delete --name $primaryResourceGroupName -# az group delete --name $secondaryResourceGroupName \ No newline at end of file +echo "Monitoring health of $($database) on $($secondaryServer)..." +az sql db replica list-links --name $database --resource-group $secondaryResourceGroup --server $secondaryServer \ No newline at end of file diff --git a/sql-database/setup-geodr-and-failover/setup-geodr-and-failover-single-database.sh b/sql-database/setup-geodr-and-failover/setup-geodr-and-failover-single-database.sh index bf2b1dc5..4b02968c 100644 --- a/sql-database/setup-geodr-and-failover/setup-geodr-and-failover-single-database.sh +++ b/sql-database/setup-geodr-and-failover/setup-geodr-and-failover-single-database.sh 
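Review bot: `$secondaryPool` is read in the `echo "Creating $($pool) ..."` line, in the second `az sql elastic-pool create --name $secondaryPool` and in `az sql db replica create ... --elastic-pool $secondaryPool`, but the variable assigned in the new block is `$secondarypool` (lower-case p). PowerShell variable names are case-insensitive so this works there, but bash, which the shebang names, treats the two as different variables and passes `--name` and `--elastic-pool` with no value, so the secondary pool creation and the replica placement fail. Renaming the assignment to `$secondaryPool = "secondarypool-$randomIdentifier"` removes the mismatch. The same mixed-case pattern (`$resourceGroup` next to `$resourcegroup`) appears in the setup-tde-byok-sqlmi hunk.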
@@ -1,92 +1,43 @@ #!/bin/bash -# Connect-AzAccount +$subscription = "" # add subscription here +$location = "East US" -$subscriptionId = '' -$primaryResourceGroupName = "myPrimaryResourceGroup-$(Get-Random)" -$primaryLocation = "westus2" -$secondaryResourceGroupName = "mySecondaryResourceGroup-$(Get-Random)" -$secondaryLocation = "eastus" -$adminSqlLogin = "SqlAdmin" -$password = "ChangeYourAdminPassword1" -$primaryServerName = "primary-server-$(Get-Random)" -$secondaryServerName = "secondary-server-$(Get-Random)" -$databasename = "mySampleDatabase" +$randomIdentifier = $(Get-Random) -# The ip address range that you want to allow to access your servers -$primaryStartIp = "0.0.0.0" -$primaryEndIp = "0.0.0.0" -$secondaryStartIp = "0.0.0.0" -$secondaryEndIp = "0.0.0.0" +$resourceGroup = "resource-$randomIdentifier" +$server = "server-$randomIdentifier" +$database = "database-$randomIdentifier" -# set the subscription context for the Azure account -az account set -s $subscriptionID +$secondaryResourceGroup = "secondaryresource-$randomIdentifier" +$secondaryLocation = "West US" +$secondaryServer = "secondaryserver-$randomIdentifier" -# create two new resource groups -az group create \ - --name $primaryResourceGroupName \ - --location $primaryLocation -az group create \ - --name $secondaryResourceGroupname \ - --location $secondaryLocation +$login = "sampleLogin" +$password = "samplePassword123!" -# create two new logical servers with a system wide unique server name -az sql server create \ - --name $primaryServerName \ - --resource-group $primaryResourceGroupName \ - --location $primaryLocation \ - --admin-user $adminSqlLogin \ - --admin-password $password -az sql server create \ - --name $secondaryServerName \ - --resource-group $secondaryResourceGroupName \ - --location $secondaryLocation \ - --admin-user $adminSqlLogin \ - --admin-password $password +echo "Using resource group $($resourceGroup) with login: $($login), password: $($password)..." 
-# create a server firewall rule for each server that allows access from the specified IP range -az sql server firewall-rule create --end-ip-address $primaryEndIp \ - --name "AllowedIPs" \ - --resource-group $primaryResourceGroupName \ - --server $primaryservername \ - --start-ip-address $primaryStartIp +echo "Creating $($resourceGroup) (and $($secondaryResourceGroup))..." +az group create --name $resourceGroup --location $location +az group create --name $secondaryResourceGroup --location $secondaryLocation -az sql server firewall-rule create --end-ip-address $secondaryEndIp \ - --name "AllowedIPs" \ - --resource-group $secondaryResourceGroupName \ - --server $secondaryservername \ - --start-ip-address $secondaryStartIp +echo "Creating $($server) in $($location) (and $($secondaryServer) in $($secondaryLocation))..." +az sql server create --name $server --resource-group $resourceGroup --location $location --admin-user $login --admin-password $password +az sql server create --name $secondaryServer --resource-group $secondaryResourceGroup --location $secondaryLocation --admin-user $login --admin-password $password -# create a blank database with S0 performance level on the primary server -az sql db create --name $databaseName \ - --resource-group $primaryResourceGroupName \ - --server $primaryServerName \ - --service-objective S0 +echo "Creating $($database) on $($server)..." +az sql db create --name $database --resource-group $resourceGroup --server $server --service-objective S0 -# establish Active Geo-Replication -az sql db replica create --name $databaseName \ - --partner-server $secondaryServerName \ - --resource-group $primaryResourceGroupName \ - --server $primaryServerName \ - --partner-resource-group $secondaryResourceGroupName \ +echo "Establishing geo-replication on $($database)..." 
+az sql db replica create --name $database --partner-server $secondaryServer --resource-group $resourceGroup --server $server --partner-resource-group $secondaryResourceGroup +az sql db replica list-links --name $database --resource-group $resourceGroup --server $server -# initiate a planned failover -az sql db replica set-primary --name $databasename \ - --resource-group $secondaryResourceGroupName \ - --server $secondaryServerName +echo "Initiating failover..." +az sql db replica set-primary --name $database --resource-group $secondaryResourceGroup --server $secondaryServer -# monitor Geo-Replication config and health after failover -az sql db replica list-links --name $databasename \ - --resource-group $secondaryResourceGroupName \ - --server $secondaryServerName +echo "Monitoring health of $($database)..." +az sql db replica list-links --name $database --resource-group $secondaryResourceGroup --server $secondaryServer -# remove the replication link after the failover -az sql db replica delete-link --partner-server $primaryServerName \ - --name $databasename \ - --partner-resource-group $primaryResourceGroupName \ - --resource-group $secondaryResourceGroupName \ - --server $secondaryServerName - -# clean up deployment -# az group delete --name $primaryResourceGroupName -# az group delete --name $secondaryResourceGroupName \ No newline at end of file +echo "Removing replication link after failover..." +az sql db replica delete-link --resource-group $secondaryResourceGroup --server $secondaryServer --name $database --partner-server $server --yes \ No newline at end of file diff --git a/sql-database/transparent-data-encryption/setup-tde-byok-sqlmi.sh b/sql-database/transparent-data-encryption/setup-tde-byok-sqlmi.sh index a529aa62..9ecc7cf8 100644 --- a/sql-database/transparent-data-encryption/setup-tde-byok-sqlmi.sh +++ b/sql-database/transparent-data-encryption/setup-tde-byok-sqlmi.sh 
@@ -1,122 +1,36 @@ #!/bin/bash -# You will need an existing Managed Instance as a prerequisite for completing this script. -# See https://docs.microsoft.com/azure/sql-database/scripts/sql-database-create-configure-managed-instance-cli +$subscription = "" # add subscription here +$instance = "" # add instance here +$location = "East US" -# login to your Azure account -az login +$randomIdentifier = $(Get-Random) -# set the subscription context for the Azure account -az account set -s $subscriptionID +$vault = "vault-$randomIdentifier" +$key = "key-$randomIdentifier" +echo "Using resource group $($resourceGroup)..." -# 1. Create Resource and setup Azure Key Vault (skip if already done) +echo "Creating $($resourceGroup)..." +az group create --name $resourceGroup --location $location -# create Resource group (name the resource and specify the location) -$location = "westus2" # specify the location -$resourcegroup = "MyRG" # specify a new RG name -az group create \ - --name $resourceGroup \ - --location $location +echo "Creating $($vault)..." +az keyvault create --name $vault --resource-group $resourcegroup --enable-soft-delete true --location $location -# create new Azure Key Vault with a globally unique VaultName and soft-delete option turned on: -$vaultname = "MyKeyVault" # specify a globally unique VaultName -az keyvault create --name $vaultname \ - --resource-group $resourcegroup \ - --enable-soft-delete true \ - --location $location +echo "Setting policy on $($vault)..." 
+$instanceId = az sql mi show --name $instance --resource-group $resourceGroup -o json --query identity.principalId -# authorize Managed Instance to use the AKV (wrap/unwrap key and get public part of key, if public part exists): -$objectid = (Set-AzSqlInstance -ResourceGroupName -Name -AssignIdentity).Identity.PrincipalId +az keyvault set-policy --name $vault --key-permissions get, unwrapKey, wrapKey --object-id $instanceId -$objectid = az sql mi show --name "MyManagedInstance" \ - --resource-group $resourcegroup \ - -o json - --query [0].identity.principalid +echo "Creating $($key)..." +az keyvault key create --name $key --vault-name $vault --size 2048 -az keyvault set-policy --name $vaultname \ - --key-permissions get, unwrapKey, wrapKey \ - --object-id $objectid -#-BypassObjectIdValidation +#$keyPath = "C:\yourFolder\yourCert.pfx" +#$keyPassword = "yourPassword" +#az keyvault certificate import --file $keyPath --name $key --vault-name $vault --password $keyPassword -az sql mi update [--add] - [--admin-password] - [--assign-identity] - [--capacity] - [--force-string] - [--ids] - [--license-type {BasePrice, LicenseIncluded}] - [--name "MyManagedInstance" - [--no-wait] - [--proxy-override {Default, Proxy, Redirect}] - [--public-data-endpoint-enabled {false, true}] - [--remove] - [--resource-group $resourcegroup - [--set] - [--storage] - [--subscription] +echo "Setting security on $($instance) with $($key)..." 
+$keyId = az keyvault key show --name $key --vault-name $vault -o json --query key.kid -# allow access from trusted Azure services: -Update-AzKeyVaultNetworkRuleSet -VaultName -Bypass AzureServices -az keyvault network-rule add --name $vaultname - [--ip-address] - [--resource-group] - [--subnet] - [--subscription] - [--vnet-name] - -# turn the network rules ON by setting the default action to Deny: -Update-AzKeyVaultNetworkRuleSet -VaultName -DefaultAction Deny -az keyvault network-rule add --name $vaultname - [--ip-address] - [--resource-group] - [--subnet] - [--subscription] - [--vnet-name] - - -# 2. Provide TDE Protector key (skip if already done) - -# the recommended way is to import an existing key from a .pfx file. Replace "" with the actual password below: -$keypath = "c:\some_path\mytdekey.pfx" # Supply your .pfx path and name -$securepfxpwd = ConvertTo-SecureString -String "" -AsPlainText -Force -$key = Add-AzKeyVaultKey -VaultName -Name -KeyFilePath $keypath -KeyFilePassword $securepfxpwd - -az keyvault key create --name "MyTDEKey" - --vault-name $vaultname - [--curve {P-256, P-256K, P-384, P-521}] - [--disabled {false, true}] - [--expires] - [--kty {EC, EC-HSM, RSA, RSA-HSM, oct}] - [--not-before] - [--ops {decrypt, encrypt, sign, unwrapKey, verify, wrapKey}] - [--protection {hsm, software}] - [--size] - [--subscription] - [--tags] - -# ...or get an existing key from the vault: -$key = az keyvault key show --name "MyTDEKey" \ - --vault-name $vaultname \ - -o json - --query [0].value - -# alternatively, generate a new key directly in Azure Key Vault (recommended for test purposes only - uncomment below): -$key = az keyvault key create --name "MyTDEKey" \ - --vault-name $vaultname \ - --size 2048 \ - -o json --query [0].value - - -# 3. 
Set up BYOK TDE on Managed Instance: - -# assign the key to the Managed Instance: -az sql mi key create --kid $key \ - --managed-instance "MyManagedInstance" \ - --resource-group $resourcegroup - -# set TDE operation mode to BYOK: -az sql mi tde-key set --server-key-type AzureKeyVault \ - --kid $key \ - --managed-instance "MyManagedInstance" \ - --resource-group $resourcegroup \ No newline at end of file +az sql mi key create --kid $keyId --managed-instance $instance --resource-group $resourcegroup +az sql mi tde-key set --server-key-type AzureKeyVault --kid $keyId --managed-instance $instance --resource-group $resourcegroup \ No newline at end of file
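Review bot: `$resourceGroup` (and `$resourcegroup` in the `az keyvault create` and both `az sql mi` key lines) is read throughout the new script but never assigned; the variable block defines only `$subscription`, `$instance`, `$location`, `$randomIdentifier`, `$vault` and `$key`, and under bash the two spellings are distinct variables anyway, so every command runs with an empty resource group. The `-o json --query identity.principalId` and `-o json --query key.kid` lookups return the value as a JSON string, double quotes included, and those quotes are passed on in `--object-id $instanceId` and `--kid $keyId`; `-o tsv` returns the bare value (the storage-key lookup in the import hunk at the top of this chunk has the same shape). `--key-permissions get, unwrapKey, wrapKey` with commas only works as a PowerShell array; in bash `get,` is passed as a permission name, so the commas should go. For a TDE protector the vault should be created with `--enable-purge-protection true` as well as soft-delete, since a purged key leaves every database encrypted under it unrecoverable, and the removed vault network restriction (`Bypass AzureServices` with default action Deny) has no counterpart in the new script, so the vault stays reachable from any network.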