feat(module 04: webapp) (#5)

# Summary

Added module 4 and moved some things around

.gitignore

@@ -1,4 +1,4 @@
-
+!installers/**
 
 ##############################
 ### VisualStudio.gitignore ### SRC: https://github.com/github/gitignore/blob/main/VisualStudio.gitignore

CONTRIBUTING.md

@@ -2,8 +2,35 @@
 
 ## CONTRIBUTING
 
+### Linting & Formatting
+
 This document is linted w/ `prettier`.
 
-`$> npx prettier . --write`
+`$> npm run style`
+
+### Documentation
+
+#### Markdown
+
+Check the documentation for the [Markdown Guide](https://docs.github.com/en/get-started/writing-on-github/getting-started-with-writing-and-formatting-on-github/basic-writing-and-formatting-syntax).
+
+##### Alerts
+
+**DO** use alerts
+
+For more information go to [Alerts](https://docs.github.com/en/get-started/writing-on-github/getting-started-with-writing-and-formatting-on-github/basic-writing-and-formatting-syntax#alerts)
+
+> [!NOTE]
+> Useful information that users should know, even when skimming content.
+
+> [!TIP]
+> Helpful advice for doing things better or more easily.
+
+> [!IMPORTANT]
+> Key information users need to know to achieve their goal.
+
+> [!WARNING]
+> Urgent info that needs immediate user attention to avoid problems.
 
-There is a script under `./scripts/style.ba.sh` to help you w/ this.
+> [!CAUTION]
+> Advises about risks or negative outcomes of certain actions.

docs/tutorial/01/README.md

@@ -6,6 +6,8 @@
 1. [Create Spoke VNet & resources](./spoke.md)
    1. VPN peerings
 
+![Diagram](../../../assets/img/azure/solution/diagrams/01.png)
+
 ## Before you begin
 
 ### Naming Conventions
@@ -47,7 +49,7 @@ You can visualize the progress of your network
 
 You should see something like this.-
 
-![Diagram](../../../assets/img/azure/solution/diagrams/01.png)
+![Diagram](../../../assets/img/azure/solution/vnets/network/01.png)
 
 ## Next Steps
 

docs/tutorial/01/hub.md

@@ -11,9 +11,9 @@ In this chapter we'll be creating the following resources
 - [R]esource [G]roup: `{my-prefix}-hub-{region}-{id}-rg`
   - [V]irtual [Net]work: `{my-prefix}-hub-{region}-{id}-vnet`: `10.1.x.x`
     - [Bas]tion: `{my-prefix}-hub-{region}-{id}-bas`
-      - [P]ublic [IP]: `{my-prefix}-hub-{region}-{id}-bas-pip`
+      - Public [IP]: `{my-prefix}-hub-{region}-{id}-bas-ip`
     - [F]ire[w]all: `{my-prefix}-hub-{region}-{id}-fw`
-      - [P]ublic [IP]: `{my-prefix}-hub-{region}-{id}-fw-pip`
+      - Public [IP]: `{my-prefix}-hub-{region}-{id}-fw-ip`
     - Subnets
       - `AzureBastionSubnet`: `10.1.0.x/26`
       - `AzureFirewallSubnet`: `10.1.1.x/26`
@@ -83,7 +83,7 @@ Toggle ON: **Bastion** & **Firewall**. We'll talk more about these below.
 - You can just let the default pre-selected '(New)'. It will create a new public IP address. It will add a `-bastion` suffix tho, so it will be `{my-prefix}-hub-{region}-{id}-bastion`, which is confusing.
 - So, if your OCD is anything like mine, and you are particular about naming, you can
   1. Click on `Create a public IP address`
-  1. Create a new one, naming it `{my-prefix}-hub-{region}-{id}-bas-pip` (see how the suffix just keep adding up?)
+  1. Create a new one, naming it `{my-prefix}-hub-{region}-{id}-bas-ip` (see how the suffix just keep adding up?)
   1. Go back to the previous screen and select the newly created public IP address.
 
 ###### Firewall
@@ -99,7 +99,7 @@ Before we begin, be mindful that this is an expensive resource, which is charged
 1. **Azure Firewall Public IP Address**: Same as above,
 
 - You can just let the default pre-selected '(New)'. It will create a new public IP address. It will add a `-firewall` suffix tho, so it will be `{my-prefix}-hub-{region}-{id}-firewall`, which is confusing.
-- But if you want to name it, you can create a new one, naming it `{my-prefix}-hub-{region}-{id}-fw-pip` and select it.
+- But if you want to name it, you can create a new one, naming it `{my-prefix}-hub-{region}-{id}-fw-ip` and select it.
 
 ##### IP Address
 
@@ -166,6 +166,18 @@ Look for a "Network security group" in the Azure Portal's market place
 
 ![Network Security Group](../../../assets/img/azure/market/nsg/logo.png)
 
+#### Settings
+
+##### Subnets
+
+> [!IMPORTANT]
+> Associate the `default` subnet to the NSG.
+
+> [!WARNING]
+> we recommend that you associate a network security group to a **subnet**, or a **network interface**, but **not both**.
+
+Unless you have a specific reason to, since rules in a network security group associated to a subnet can conflict with rules in a network security group associated to a network interface, you can have unexpected communication problems that require troubleshooting.
+
 ## Status Check
 
 ### Snapshot
@@ -176,7 +188,7 @@ Your resources should look like this.-
 
 ### Resource visualizer
 
-You can see the relationship between the Firewall `fw` and the Public IP `fw-pip` in the resource visualizer.
+You can see the relationship between the Firewall `fw` and the Public IP `fw-ip` in the resource visualizer.
 
 ![Resource visualizer](../../../assets/img/azure/solution/vnets/hub/fw/resources/01.png)
 

docs/tutorial/01/spoke.md

@@ -96,7 +96,7 @@ Note that you can allow traffic:
 - [x] Hub > Spoke
 - [x] Spoke > Hub
 
-For this excercise will check all the boxes.
+For this excercise will check some of the boxes.
 
 ##### Remote virtual network summary
 
@@ -115,8 +115,8 @@ For this excercise will check all the boxes.
 | ------------------------------------------------------------------------------ | ------ | ----- |
 | Allow {that vnet} to access {this vnet}                                        | `x`    | `x`   |
 | Allow {that vnet} to receive forwarded traffic from {this vnet}                | `x`    | `x`   |
-| Allow gateway or route server in {that vnet} to forward traffic to {this vnet} | `x`    | `x`   |
-| Enable {that vnet} tp use {this vnet}'s remote gateway or route server         | `x`    | `x`   |
+| Allow gateway or route server in {that vnet} to forward traffic to {this vnet} | ``     | ``    |
+| Enable {that vnet} tp use {this vnet}'s remote gateway or route server         | ``     | ``    |
 
 We can later come back and remove permissions to reinforce security.
 

docs/tutorial/02/README.md

@@ -9,6 +9,8 @@ Now that we have a Hub VNet enabled w/ **Bastion**, we can create a Virtual mach
    1. [Create a Route Table](./hub/rt.md)
    1. [Add Rules to Azure Firewall](./hub/fw.md)
 
+![Diagram](../../../assets/img/azure/solution/diagrams/02.png)
+
 ## Architecture
 
 This diagram is an oversimpification of what we've built so far. But it give an idea of what we're trying to achieve.-

docs/tutorial/02/hub/rt.md

@@ -34,10 +34,21 @@ Take a good look at the TERMS
 
 ### Routes
 
-#### Drive traffic through the Firewall
+We'll add the following routes.
+The order matters, we want the more specific routes at the top, and the more general ones at the bottom.
+
+| Source  | IP range   | CIDR          | Next Hop Type     | Details               |
+| ------- | ---------- | ------------- | ----------------- | --------------------- |
+| Default | `10.1.x.x` | `10.1.0.0/16` | Virtual network   | `hub`                 |
+| Default | `10.2.x.x` | `10.2.0.0/16` | Virtual network   | peering > `spoke`     |
+| Default | `10.x.x.x` | `10.0.0.0/8`  | None              | Avoids security risks |
+| Default | `x.x.x.x`  | `0.0.0.0/0`   | Virtual Appliance | `fw` > `WWW`          |
 
+> [!TIP]
 > Quiz: _"What is the IP address for 'Every possible IP ot there'?"_
 
+#### Drive traffic through the Firewall
+
 Go to Settings > Routes > Add
 
 ![Add](../../../../assets/img/azure/solution/vnets/hub/rt/routes/exit-vnet-thru-fw.png)

docs/tutorial/02/hub/vm.md

@@ -13,10 +13,13 @@ This enables more than 1 person connecting at the same time; assuming your VM su
 ## Resources
 
 - [R]esource [G]roup: `{my-prefix}-spoke-{region}-{id}-rg` (already exists)
+  - [V]irtual [N]etwork: `{my-prefix}-hub-{region}-{id}-vnet` (already exists)
+    - [S]ubnet: `default` (already exists)
+      - [N]etwork [S]ecurity [G]roup: `{my-prefix}-hub-{region}-{id}-nsg` (already exists)
   - [V]irtual [M]achine: `{my-prefix}-spoke-{region}-{id}-vm-jump`
     - [H]ard [D]isk [D]rive: `{my-prefix}-spoke-{region}-{id}-vm-jump-hdd`
     - [N]etwork [I]nterfa[c]e: `{my-prefix}-spoke-{region}-{id}-vm-jump-nic`
-    - [N]etwork [S]ecurity [G]roup: `{my-prefix}-spoke-{region}-{id}-vm-jump-nsg` (Optional, can use the Hub's NSG)
+    - [A]pplication [S]ecurity [G]roup: `{my-prefix}-spoke-{region}-{id}-vm-jump-asg`
 
 Where:
 
@@ -63,11 +66,16 @@ We'll just go ahead and put it in our `default` subnet (1 IP address down, 1,023
 ![Networking](../../../../assets/img/azure/solution/vnets/hub/vm/create/networking.png)
 
 - **Public IP**: _"None"_ .- **VERY IMPORTANT**. We'll access via Bastion's Public IP address
-- **NIC network security group**: _"Advanced"_
-- **Configure network security group**: You can use the NSG we created for all the Hub's `default` `subnet`, or create a new one specific for this VM if you need more level of control.
+- **NIC network security group**: **"None"**.- Having NSG attached on the `snet` level, as well as the VM's NIC's level can cause issues. So we'll stick to the `default` subnet's NSG.
+
 - [x] **Delete NIC when VM is deleted**: Checked
 - **Subnet**: `default`. Note that the other 2 **delegated subnets**, are listed, but not available for selection.
 
+> [!WARNING]
+> we recommend that you associate a network security group to a **subnet**, or a **network interface**, but **not both**.
+
+_"Unless you have a specific reason to, since rules in a network security group associated to a subnet can conflict with rules in a network security group associated to a network interface, you can have unexpected communication problems that require troubleshooting."_
+
 ![Networking](../../../../assets/img/azure/solution/vnets/hub/vm/create/subnet.png)
 
 ###### Load balancing
@@ -80,6 +88,24 @@ Take a good look at the TERMS
 
 ![Review + Create](../../../../assets/img/azure/solution/vnets/hub/vm/create/review.png)
 
+### [A]pplication [S]ecurity [G]roup
+
+We could have assigned a **static IP** that we know, and then use that in the `nsg` to control traffic. But managing that can very quickly become a nightmare.
+
+So creating an `asg` is a good idea, so we can keep a human readable name for the `nsg` rules.
+
+#### Market Place
+
+Search for "Application Security Group" in the Azure Portal's Market Place.
+
+![ASG](../../../../assets/img/azure/market/asg/logo.png)
+
+#### Create
+
+- **Name**: `{my-prefix}-hub-{region}-{id}-vm-jump-asg`
+
+Then link the NIC to the ASG.
+
 ## Status Check
 
 Note that some names will be auto-generated with randomized characters.

docs/tutorial/03/README.md

@@ -14,6 +14,8 @@
 1. Spoke
    1. [Create Storage Account](spoke/st.md)
 
+![Diagram](../../../assets/img/azure/solution/diagrams/03.png)
+
 ## Description
 
 **By default**, _Azure Storage Accounts_ expose **public URLs** (with **public IP addresses**)

docs/tutorial/03/hub/README.md

@@ -1,11 +1,12 @@
-# Module 3: Secure Storage Accounts
+# Module 3: Secure Storage Accounts, Hub resources
 
 ## Table of Contents
 
 1. Hub
-1. [Download and install Storage Explorer](../storage_explorer.md) inside the VM
-1. [Create Private DNS Zone](./dnsz.md)
-1. [Create Storage Account](./st.md)
+   1. VM
+      1. [Download and install Storage Explorer](../storage_explorer.md)
+   1. [Create Private DNS Zone](./pdnsz.md)
+   1. [Create Storage Account](./st.md)
 
 ## Status Check
 

docs/tutorial/03/hub/dnsz.md → docs/tutorial/03/hub/pdnsz.md

@@ -3,7 +3,10 @@
 ## Resources
 
 - [R]esource [G]roup: `{my-prefix}-hub-{region}-{id}-rg` (already exists)
-  - Private [DNS] [Z]one: `privatelink.blob.core.windows.net`
+  - [V]irtual [N]etwork: `{my-prefix}-hub-{region}-{id}-vnet` (already exists)
+    - [S]ubnet: `default` (already exists)
+      - [N]etwork [S]ecurity [G]roup: `{my-prefix}-hub-{region}-{id}-nsg` (already exists)
+  - [P]rivate [DNS] [Z]one: `privatelink.blob.core.windows.net`
     - Links to VNets
       - `privatelink-at-hub`
       - `privatelink-at-spoke-westus2`
@@ -14,22 +17,22 @@
 
 Look for a "Private DNS Zone" in the Azure Portal's market place
 
-![Market place](../../../../assets/img/azure/market/dnsz/logo.png)
+![Market place](../../../../assets/img/azure/market/pdnsz/logo.png)
 
 #### Create
 
 ##### Basics
 
 - **Name**: `privatelink.blob.core.windows.net`
 
-![Basics](../../../../assets/img/azure/solution/vnets/hub/dnsz/st/create/basics.png)
+![Basics](../../../../assets/img/azure/solution/vnets/hub/pdnsz/st/create/basics.png)
 
 > [!IMPORTANT]
 > All Storage containers will get registered under `{name}.blob.core.windows.net`
 
 ##### Review + Create
 
-![Review + Create](../../../../assets/img/azure/solution/vnets/hub/dnsz/st/create/review.png)
+![Review + Create](../../../../assets/img/azure/solution/vnets/hub/pdnsz/st/create/review.png)
 
 #### Create VNet Links
 
@@ -38,15 +41,15 @@ Look for a "Private DNS Zone" in the Azure Portal's market place
 
 ##### VNet: Hub
 
-![Link to Hub VNet](../../../../assets/img/azure/solution/vnets/hub/dnsz/st/vnet/links/hub.png)
+![Link to Hub VNet](../../../../assets/img/azure/solution/vnets/hub/pdnsz/st/vnet/links/hub.png)
 
 - **Link name**: Give a meaningful name to the link, like `privatelink-at-hub`
 - **Virtual Network**: Select the **Hub** VNet
 - [x] **Enable auto registration**: Click on this checkbox.
 
 ##### VNet: Spoke
 
-![Link to Spoke VNet](../../../../assets/img/azure/solution/vnets/hub/dnsz/st/vnet/links/spoke.png)
+![Link to Spoke VNet](../../../../assets/img/azure/solution/vnets/hub/pdnsz/st/vnet/links/spoke.png)
 
 - **Link name**: Give a meaningful name to the link, like `privatelink-at-hub`
 - **Virtual Network**: Select the **Hub** VNet
@@ -56,7 +59,19 @@ Look for a "Private DNS Zone" in the Azure Portal's market place
 
 Go to "DNS Management" > "Virtual Network Links".
 
-![Virtual Network Links](../../../../assets/img/azure/solution/vnets/hub/dnsz/st/vnet/links/all.png)
+![Virtual Network Links](../../../../assets/img/azure/solution/vnets/hub/pdnsz/st/vnet/links/all.png)
+
+### Network Security Group
+
+Private Endpoints will need to be able to register with the Private DNS Zone. So you need to take in account
+
+- Hub
+  - **Inbound**: Allow traffic DNS traffic (via port `53`) from `10.x.x.x`
+- Spoke
+  - **Outbound**: Allow DNS traffic to `10.1.x.x`
+    - Storage Account's Private Endpoints registering from `hub` VNet (`10.1.x.x`), as well as other spoke VNets (like `10.2.x.x`).
+
+In this tutorial we won't go to such extense (mainly because we do not know all the ports involved in DNS Zone registration), but you should take this into account in a production environment.
 
 ## Next Steps