Automating the Azure Private Link integration

Striim provides a Terraform automation script designed to set up Striim Integration for on-premise/cross-cloud databases through your Azure tenant. It provisions the necessary cloud infrastructure, including a Virtual Machine (VM) with port forwarding rules, an internal load balancer (ILB) with NAT rules, and an Azure Private Link service.

Important

This script creates Azure resources such as VMs, Public IPs, load balancer and Private Link Services, which may incur charges. Ensure you review your costs before applying this Terraform module.

Infrastructure overview

The following components are automated:

Azure virtual machine
- Runs Linux or Windows based on your selection.
- Implements port forwarding rules using iptables (Linux) or netsh interface portproxy (Windows).
- Forwards traffic directly to the specified database.
Internal load balancer
- Uses NAT rules to forward traffic from Private Link Service to Azure Virtual Machine.
Azure Private Link service
- Enables secure, private connectivity between Striim and customer network.

Prerequisites

Before using this Terraform module, ensure the following:

You have an existing Azure Virtual Network (vNet) and subnet.
You have an active VPN connection between Azure vNet and your on-premise/AWS/GCP network.
Your on-premise or cloud databases are reachable from the Azure vNet.
You are able to create an Azure storage account for storing VM scripts temporarily.
Complete all required fields in the pass_values.tfvars file.

Deploying the integration

Deploying the integration requires cloning or downloading the repository, initializing Terraform, planning the deployment, and applying the changes to deploy resources.

To deploy the integration:

Clone or download the repository.

git clone https://github.com/striim/azure-privatelink-resource-setup-terraform.git"
cd azure-privatelink-resource-setup-terraform

Initialize Terraform.
```
terraform init
```
Plan the deployment by passing the values file.
```
terraform plan -var-file="pass_values.tfvars"
```

Apply the changes to deploy the resources.

terraform apply -var-file="pass_values.tfvars"

Verifying the deployment

Once the Terraform apply is completed successfully, you should see the following outputs:

VM information
- VM Name: the name of the provisioned VM (striim-int-vm)
- VM Public IP: the public IP address assigned to the VM (if applicable)
- OS Type Used: Linux or Windows (based on vm_os_type)
SSH/RDP credentials
- For Linux VM: SSH Private Key: a private key will be generated and displayed as a sensitive output.
  To connect:
```
ssh -i ~/.ssh/striim-integration-key azureuser@<vm-ip-address>
```
- For Windows VM: RDP Connection: use the admin username and password for RDP access.
Port forwarding rules (either one, based on OS type)
- Linux (iptables) rules applied.
  Run the following command inside the VM:
```
sudo iptables -t nat -nvL
```
  You should see DNAT and SNAT rules applied for the defined ip_forwarding_targets.
- Windows (netsh portproxy) rules applied.
  Run the following command inside the Windows VM:
```
netsh interface portproxy show all
```
  Expected output should list port forwarding rules mapping source ports to target database servers.
Internal load balancer
- ILB Name: ${base_name}-lb
- Backend Pool: the VM will be registered as a backend.
Private Link service
- Service Alias: the alias for the Private Link Service.
Storage account for scripts (Windows only)
- If using Windows, an Azure Storage Account will be created for storing startup scripts.
- The VM will download and execute the config-script.ps1 from the storage account.

If everything is working correctly, the VM should successfully forward traffic to the defined database servers.

Configuring and using the deployed resources

This section describes steps to configure and use the deployed resources.

If using a Linux VM, perform these steps to set up SSH:

To export the SSH key:

terraform output -raw ssh_private_key > ~/.ssh/striim-integration-key
chmod 600 ~/.ssh/striim-integration-key

To SSH into the VM:

ssh -i ~/.ssh/striim-integration-key azureuser@<vm-ip-address>

To check the port forwarding rules:

For Linux:

sudo iptables -t nat -nvL

To manually create a rule:

iptables -t nat -A PREROUTING -p tcp --dport <source-port> -j DNAT --to-destination <dest-ip>:<dest-port>
iptables -t nat -A POSTROUTING -p tcp -d <dest-ip> --dport <dest-port> -j SNAT --to-source $(hostname -i)
iptables-save

For Windows:

To check existing rules:

netsh interface portproxy show all

To create a new rule:

netsh interface portproxy add v4tov4 listenport=<port> listenaddress=0.0.0.0 connectport=<port> connectaddress=<dest-ip>

Terraform variables

Populate the following required variables:

Variable name	Description	Example
`subscription_id`	Azure subscription ID	"00000000-0000-0000-0000-000000000000"
`restricted_subscription_id`	Striim subscription ID	"00000000-0000-0000-0000-000000000000"
`admin_public_ip`	Public IP to allow access	"45.23.167.23/32"
`base_name`	Prefix for resource names	"striim-int"
`location`	Azure region	"eastus"
`resource_group_name`	Azure resource group	"your-azure-rg"
`vnet_name`	Virtual network name	"your-azure-vnet"
`subnet_name`	Subnet name	"your-subnet-name"
`admin_username`	VM admin username	"azureuser"
`admin_password`	VM admin password (Windows only)	"your-secure-password"
`vm_size`	VM SKU type	"Standard_D2s_v3"

Choose a VM type:

OS type	Terraform configuration
Linux	Uncomment `vm_os_type = "linux"` and `vm_image` for Ubuntu.
Windows	Uncomment `vm_os_type = "windows"` and `vm_image` for Windows Server.

Configure port forwarding rules:

Database IP address	Port
192.168.00.1	1433
192.168.00.2	1435
192.168.00.3	1438
192.168.00.4	1440

Troubleshooting the integration

The following are common issues:

Error	Solution
`VMExtensionProvisioningError`	Ensure the config-script.ps1 file is correctly uploaded to Azure Storage and accessible.
`Missing index error`	Make sure resources with `count` attributes are referenced using `count.index`.
`Port forwarding rules not applied`	Manually check and apply forwarding rules using iptables (Linux) or netsh (Windows).
`SSH Key output is sensitive`	If deploying a Windows VM, SSH keys are not applicable.

Security considerations

Observe the following security considerations when using this module:

Do not store passwords in Terraform variables. Use environment variables instead.
Restrict public SSH/RDP access using security groups.
Enable Azure Defender for monitoring security threats.
Use IAM roles to control access to Terraform and Azure resources.

Disclaimers

By using this Terraform module, you agree that:

Striim is not responsible for resource creation, deletion, or costs incurred on your Azure account.
You must review and approve the resources before deploying them.
Ensure your network security policies allow access between Azure and On-Prem environments.
Apply the module in a non-production environment first and verify all resources.
No outbound rules are required from the database network to your Azure vNet.

If necessary, you can clean up the resources as follows:

terraform destroy -var-file="pass_values.tfvars"