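#!/usr/bin/env bash
#
# Provision a two-tier App Service layout (frontend + backend) in which the
# backend is reachable only through a private endpoint inside the VNet:
#   1-3  VNet with an integration subnet (frontend) and an endpoint subnet
#   4-5  private DNS zone for privatelink.azurewebsites.net, linked to the VNet
#   6-7  private endpoint for the backend app + DNS zone group
#   8    regional VNet integration for the frontend app
#   9-11 backend: public network access off, default deny on main site
#   12-13 FTP publishing disabled on both apps
#   14-15 frontend app settings (route all traffic into the VNet) and restart
#
# Usage: fill in the Configuration section below (or export the same names
# before running). Requires an authenticated Azure CLI (`az login`).
# Every `az` call is fatal on failure (set -e), so a half-applied run stops
# at the failing step instead of silently continuing.

set -euo pipefail

# ---------------------------------------------------------------------------
# Configuration — values may be edited here or supplied via the environment.
# ---------------------------------------------------------------------------
SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-}"                 # optional; selected when set
RESOURCE_GROUP="${RESOURCE_GROUP:-}"
LOCATION="${LOCATION:-East US}"                        # contains a space: always quote
VNET_NAME="${VNET_NAME:-}"
VNET_ADDRESS_PREFIX="${VNET_ADDRESS_PREFIX:-}"
INTEGRATION_SUBNET_NAME="${INTEGRATION_SUBNET_NAME:-}"
INTEGRATION_SUBNET_PREFIX="${INTEGRATION_SUBNET_PREFIX:-}"
ENDPOINT_SUBNET_NAME="${ENDPOINT_SUBNET_NAME:-}"
ENDPOINT_SUBNET_PREFIX="${ENDPOINT_SUBNET_PREFIX:-}"
FRONTEND_APP_NAME="${FRONTEND_APP_NAME:-}"
BACKEND_APP_NAME="${BACKEND_APP_NAME:-}"
DNS_ZONE_NAME="${DNS_ZONE_NAME:-privatelink.azurewebsites.net}"
DNS_LINK_NAME="${DNS_LINK_NAME:-}"
PRIVATE_ENDPOINT_NAME="${PRIVATE_ENDPOINT_NAME:-}"
CONNECTION_NAME="${CONNECTION_NAME:-}"
ZONE_GROUP_NAME="${ZONE_GROUP_NAME:-}"

#######################################
# Print an error to stderr and exit 1.
# Arguments: message words
#######################################
die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

# Refuse to run with blank configuration: an empty value would otherwise be
# passed to `az` as a missing argument (or, for --parent, as "sites/").
for required in \
  RESOURCE_GROUP LOCATION VNET_NAME VNET_ADDRESS_PREFIX \
  INTEGRATION_SUBNET_NAME INTEGRATION_SUBNET_PREFIX \
  ENDPOINT_SUBNET_NAME ENDPOINT_SUBNET_PREFIX \
  FRONTEND_APP_NAME BACKEND_APP_NAME DNS_ZONE_NAME DNS_LINK_NAME \
  PRIVATE_ENDPOINT_NAME CONNECTION_NAME ZONE_GROUP_NAME; do
  [[ -n "${!required}" ]] || die "$required must be set (see the Configuration section)"
done

echo "Starting the N-tier secure architecture setup..."

# Pin the target subscription when one is given so resources cannot land in
# whatever subscription the CLI happens to have selected.
if [[ -n "$SUBSCRIPTION_ID" ]]; then
  az account set --subscription "$SUBSCRIPTION_ID"
fi

# 1. Create Virtual Network
echo "Creating Virtual Network..."
az network vnet create \
  --resource-group "$RESOURCE_GROUP" \
  --location "$LOCATION" \
  --name "$VNET_NAME" \
  --address-prefixes "$VNET_ADDRESS_PREFIX"

# 2. Create Integration Subnet for Frontend (delegated to App Service)
echo "Creating Integration Subnet..."
az network vnet subnet create \
  --resource-group "$RESOURCE_GROUP" \
  --vnet-name "$VNET_NAME" \
  --name "$INTEGRATION_SUBNET_NAME" \
  --address-prefixes "$INTEGRATION_SUBNET_PREFIX" \
  --delegation Microsoft.Web/serverFarms \
  --private-endpoint-network-policies Disabled

# 3. Create Private Endpoint Subnet for Backend
echo "Creating Private Endpoint Subnet..."
az network vnet subnet create \
  --resource-group "$RESOURCE_GROUP" \
  --vnet-name "$VNET_NAME" \
  --name "$ENDPOINT_SUBNET_NAME" \
  --address-prefixes "$ENDPOINT_SUBNET_PREFIX" \
  --private-endpoint-network-policies Disabled

# 4. Create Private DNS Zone
echo "Creating Private DNS Zone..."
az network private-dns zone create \
  --resource-group "$RESOURCE_GROUP" \
  --name "$DNS_ZONE_NAME"

# 5. Link DNS Zone to Virtual Network (resolution only, no auto-registration)
echo "Linking DNS Zone to Virtual Network..."
az network private-dns link vnet create \
  --resource-group "$RESOURCE_GROUP" \
  --name "$DNS_LINK_NAME" \
  --zone-name "$DNS_ZONE_NAME" \
  --virtual-network "$VNET_NAME" \
  --registration-enabled false

# 6. Create Private Endpoint for Backend
echo "Creating Private Endpoint for Backend..."
# Declared separately from the assignment so a failing `az webapp show`
# is not masked; an empty id would otherwise produce a misleading error
# from the private-endpoint call below.
BACKEND_ID=$(az webapp show \
  --resource-group "$RESOURCE_GROUP" \
  --name "$BACKEND_APP_NAME" \
  --query id --output tsv)
[[ -n "$BACKEND_ID" ]] || die "could not resolve the resource id of backend app $BACKEND_APP_NAME"
az network private-endpoint create \
  --resource-group "$RESOURCE_GROUP" \
  --name "$PRIVATE_ENDPOINT_NAME" \
  --location "$LOCATION" \
  --connection-name "$CONNECTION_NAME" \
  --private-connection-resource-id "$BACKEND_ID" \
  --group-id sites \
  --vnet-name "$VNET_NAME" \
  --subnet "$ENDPOINT_SUBNET_NAME"

# 7. Configure DNS for Private Endpoint
echo "Configuring DNS for Private Endpoint..."
az network private-endpoint dns-zone-group create \
  --resource-group "$RESOURCE_GROUP" \
  --endpoint-name "$PRIVATE_ENDPOINT_NAME" \
  --name "$ZONE_GROUP_NAME" \
  --private-dns-zone "$DNS_ZONE_NAME" \
  --zone-name "$DNS_ZONE_NAME"

# 8. Configure VNet Integration for Frontend
echo "Configuring VNet Integration for Frontend..."
az webapp vnet-integration add \
  --resource-group "$RESOURCE_GROUP" \
  --name "$FRONTEND_APP_NAME" \
  --vnet "$VNET_NAME" \
  --subnet "$INTEGRATION_SUBNET_NAME"

# 9. Disable Public Network Access to Backend
echo "Disabling Public Network Access to Backend..."
az webapp update \
  --resource-group "$RESOURCE_GROUP" \
  --name "$BACKEND_APP_NAME" \
  --set publicNetworkAccess=Disabled

# 10. Set IP Security Restrictions Default Action to Deny
echo "Setting IP Security Restrictions for Backend..."
az resource update \
  --resource-group "$RESOURCE_GROUP" \
  --name "$BACKEND_APP_NAME" \
  --namespace Microsoft.Web \
  --resource-type sites \
  --set properties.siteConfig.ipSecurityRestrictionsDefaultAction=Deny

# 11. Allow SCM Access for Deployments
# NOTE(review): this is the most permissive setting in the script — the
# SCM/Kudu site keeps a default-allow rule so deployments continue to work.
# Once deployment sources are known, prefer an explicit allow-list on
# scmIpSecurityRestrictions (and keep basic-auth publishing disabled, see
# steps 12-13) rather than a blanket Allow.
echo "Allowing SCM Access for Deployments..."
az resource update \
  --resource-group "$RESOURCE_GROUP" \
  --name "$BACKEND_APP_NAME" \
  --namespace Microsoft.Web \
  --resource-type sites \
  --set properties.siteConfig.scmIpSecurityRestrictionsDefaultAction=Allow

# 12. Disable FTP Publishing for Frontend
echo "Disabling FTP Publishing for Frontend..."
az resource update \
  --resource-group "$RESOURCE_GROUP" \
  --name ftp \
  --namespace Microsoft.Web \
  --resource-type basicPublishingCredentialsPolicies \
  --parent "sites/$FRONTEND_APP_NAME" \
  --set properties.allow=false

# 13. Disable FTP Publishing for Backend
echo "Disabling FTP Publishing for Backend..."
az resource update \
  --resource-group "$RESOURCE_GROUP" \
  --name ftp \
  --namespace Microsoft.Web \
  --resource-type basicPublishingCredentialsPolicies \
  --parent "sites/$BACKEND_APP_NAME" \
  --set properties.allow=false

# 14. Configure Frontend Network Settings
# WEBSITE_VNET_ROUTE_ALL=1 sends all outbound traffic through the VNet;
# WEBSITE_DNS_SERVER points at the Azure-provided resolver so the
# privatelink zone linked in step 5 is consulted.
echo "Configuring Frontend Network Settings..."
az webapp config appsettings set \
  --resource-group "$RESOURCE_GROUP" \
  --name "$FRONTEND_APP_NAME" \
  --settings WEBSITE_VNET_ROUTE_ALL=1 WEBSITE_DNS_SERVER=168.63.129.16

# 15. Restart the Apps to Apply Changes
echo "Restarting Apps to Apply Changes..."
az webapp restart --resource-group "$RESOURCE_GROUP" --name "$FRONTEND_APP_NAME"
az webapp restart --resource-group "$RESOURCE_GROUP" --name "$BACKEND_APP_NAME"

echo "Setup complete! Your secure N-tier architecture has been deployed."
printf '%s\n' "Frontend URL: https://$FRONTEND_APP_NAME.azurewebsites.net"
printf '%s\n' "Backend URL (private): https://$BACKEND_APP_NAME.azurewebsites.net"
echo "Note: The backend is only accessible from the frontend through the private endpoint."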