diff --git a/roles/aws_controllers/tasks/aws_vbond_ec2_instance.yml b/roles/aws_controllers/tasks/aws_vbond_ec2_instance.yml
index dadd598..1aee5b4 100644
--- a/roles/aws_controllers/tasks/aws_vbond_ec2_instance.yml
+++ b/roles/aws_controllers/tasks/aws_vbond_ec2_instance.yml
@@ -10,6 +10,25 @@
 # 2 aws_eip
 # 1 ec2 instance
+- name: AMI Registration from EBS Snapshot
+  amazon.aws.ec2_ami:
+    name: "{{ aws_tag_creator }}-Validator"
+    region: "{{ aws_region }}"
+    state: present
+    architecture: x86_64
+    virtualization_type: hvm
+    root_device_name: /dev/xvda
+    device_mapping:
+      - device_name: /dev/xvda
+        snapshot_id: "{{ volume_snapshots[0] }}"
+        delete_on_termination: true
+        volume_type: gp2
+    tags:
+      Name: "{{ aws_tag_creator }}-Validator"
+      Creator: "{{ aws_tag_creator }}"
+  when: volume_snapshots
+  register: ami_result
+
 # NICs
 - name: Filter required subnets for instance creation. Set aws_mgmt_subnet and aws_transport_subnet facts
@@ -95,7 +114,7 @@
     count: 1
     instance_type: "{{ aws_vbond_instance_type }}"
     image:
-      id: "{{ aws_vbond_ami_id }}"
+      id: "{{ ami_result.image_id if volume_snapshots else aws_vmanage_ami_id }}"
     state: present
     vpc_subnet_id: "{{ aws_mgmt_subnet.id }}"
     region: "{{ aws_region }}"
@@ -121,6 +140,14 @@
         delete_on_termination: true
   register: ec2_vbond
+- name: Deregister/Delete AMI (keep associated snapshots)
+  amazon.aws.ec2_ami:
+    image_id: "{{ ami_result.image_id }}"
+    delete_snapshot: false
+    state: absent
+    region: "{{ aws_region }}"
+  when: volume_snapshots
+
 - name: Store vBond instance details for deployment_results
   ansible.builtin.set_fact:
     instance:
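Review bot: The fallback image in the vBond ec2_instance hunk (@@ -95,7 +114,7 @@) is `aws_vmanage_ami_id`, so a vBond deployed without `volume_snapshots` boots from the vManage AMI; the line it replaces used `aws_vbond_ami_id`. Change it to `id: "{{ ami_result.image_id if volume_snapshots else aws_vbond_ami_id }}"`. The same copy-paste is in aws_vsmart_ec2_instance.yml at @@ -91,7 +110,7 @@, where the fallback should be `aws_vsmart_ami_id`. The enclosing ec2_instance task starts and ends outside the hunk.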
@@ -163,15 +190,17 @@
     purge_rules: false
     purge_tags: false
     purge_rules_egress: false
-    rules:
+    rules: "{{ sg_rules_vbond }}"
+    rules_egress: "{{ sg_rules_vbond if aws_sg_block_egress else [] }}"
+  register: allow_traffic
+  retries: 3
+  delay: 3
+  until: allow_traffic is succeeded
+  vars:
+    sg_rules_vbond:
       - proto: all
         cidr_ip: "{{ eip_vbond.results[0].public_ip }}/32"
         rule_desc: "{{ hostname }} - mgmt (VPN 512)"
       - proto: all
         cidr_ip: "{{ eip_vbond.results[1].public_ip }}/32"
         rule_desc: "{{ hostname }} - transport (VPN 0)"
-    rules_egress: []
-  register: allow_traffic
-  retries: 3
-  delay: 3
-  until: allow_traffic is succeeded
diff --git a/roles/aws_controllers/tasks/aws_vmanage_ec2_instance.yml b/roles/aws_controllers/tasks/aws_vmanage_ec2_instance.yml
index 16ed9ac..5d1299d 100644
--- a/roles/aws_controllers/tasks/aws_vmanage_ec2_instance.yml
+++ b/roles/aws_controllers/tasks/aws_vmanage_ec2_instance.yml
@@ -9,6 +9,24 @@
 # 2 aws_eip
 # 1 ec2 instance
+- name: AMI Registration from EBS Snapshot
+  amazon.aws.ec2_ami:
+    name: "{{ aws_tag_creator }}-Manager"
+    region: "{{ aws_region }}"
+    state: present
+    architecture: x86_64
+    virtualization_type: hvm
+    root_device_name: /dev/xvda
+    device_mapping:
+      - device_name: /dev/xvda
+        snapshot_id: "{{ volume_snapshots[0] }}"
+        delete_on_termination: true
+        volume_type: gp2
+    tags:
+      Name: "{{ aws_tag_creator }}-Manager"
+      Creator: "{{ aws_tag_creator }}"
+  when: volume_snapshots
+  register: ami_result
 # NICs
 - name: Filter required subnets for instance creation. Set aws_mgmt_subnet and aws_transport_subnet facts
@@ -26,6 +44,7 @@
       description: Network interface for SD-WAN Controller
       security_groups: "{{ aws_security_group_config.group_id }}"
       region: "{{ aws_region }}"
+      private_ip_address: "{{ cluster_private_ip if subnet_item.tags.Name | regex_search('cluster') and cluster_private_ip else omit }}"
       tags:
         Name: "nic-{{ subnet_item.tags.Name }}"
         Creator: "{{ aws_tag_creator }}"
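Review bot: The truthiness test `and cluster_private_ip` in the new `private_ip_address` expression (hunk @@ -26,6 +44,7 @@) assumes the variable is falsy when no cluster IP was supplied, but roles/aws_controllers/tasks/main.yml (@@ -84,6 +85,8 @@) sets it with `default(omit)`, which outside a module argument produces a placeholder string rather than an empty value; whether that placeholder is still stripped once it reaches the module is not something the diff lets me confirm. An explicit empty default removes the doubt: `cluster_private_ip: "{{ instance_item.cluster_private_ip | default('') }}"` in main.yml, with this expression left as is. The enclosing NIC task starts outside the hunk.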
@@ -115,7 +134,7 @@
     count: 1
     instance_type: "{{ aws_vmanage_instance_type }}"
     image:
-      id: "{{ aws_vmanage_ami_id }}"
+      id: "{{ ami_result.image_id if volume_snapshots else aws_vmanage_ami_id }}"
     state: present
     vpc_subnet_id: "{{ aws_mgmt_subnet.id }}"
     region: "{{ aws_region }}"
@@ -137,8 +156,17 @@
         ebs:
           volume_size: 60
           delete_on_termination: true
+          snapshot_id: "{{ volume_snapshots[1] if volume_snapshots else omit }}"
   register: ec2_vmanage
+- name: Deregister/Delete AMI (keep associated snapshots)
+  amazon.aws.ec2_ami:
+    image_id: "{{ ami_result.image_id }}"
+    delete_snapshot: false
+    state: absent
+    region: "{{ aws_region }}"
+  when: volume_snapshots
+
 - name: Store vManage instance details for deployment_results
   ansible.builtin.set_fact:
     instance:
@@ -199,7 +227,7 @@
     purge_tags: false
     purge_rules_egress: false
     rules: "{{ sg_rules }}"
-    rules_egress: []
+    rules_egress: "{{ sg_rules if aws_sg_block_egress else [] }}"
   register: allow_traffic
   retries: 3
   delay: 3
diff --git a/roles/aws_controllers/tasks/aws_vsmart_ec2_instance.yml b/roles/aws_controllers/tasks/aws_vsmart_ec2_instance.yml
index db57d84..b3057b6 100644
--- a/roles/aws_controllers/tasks/aws_vsmart_ec2_instance.yml
+++ b/roles/aws_controllers/tasks/aws_vsmart_ec2_instance.yml
@@ -10,6 +10,25 @@
 # 2 aws_eip
 # 1 ec2 instance
+- name: AMI Registration from EBS Snapshot
+  amazon.aws.ec2_ami:
+    name: "{{ aws_tag_creator }}-Controller"
+    region: "{{ aws_region }}"
+    state: present
+    architecture: x86_64
+    virtualization_type: hvm
+    root_device_name: /dev/xvda
+    device_mapping:
+      - device_name: /dev/xvda
+        snapshot_id: "{{ volume_snapshots[0] }}"
+        delete_on_termination: true
+        volume_type: gp2
+    tags:
+      Name: "{{ aws_tag_creator }}-Controller"
+      Creator: "{{ aws_tag_creator }}"
+  when: volume_snapshots
+  register: ami_result
+
 # NICs
 - name: Filter required subnets for instance creation. Set aws_mgmt_subnet and aws_transport_subnet facts
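Review bot: In the @@ -137,8 +156,17 @@ hunk, `volume_snapshots[1]` is read whenever `volume_snapshots` is non-empty, so a list that carries only the root snapshot fails at template time with an index error instead of falling back to a fresh data volume. Guard on length: `snapshot_id: "{{ volume_snapshots[1] if volume_snapshots | length > 1 else omit }}"`. The `volume_size: 60` just above still applies when restoring from a snapshot, and a snapshot larger than that is presumably rejected by EC2, which is worth a comment next to the new line. The enclosing ec2_instance task starts outside the hunk.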
@@ -91,7 +110,7 @@
     count: 1
     instance_type: "{{ aws_vsmart_instance_type }}"
     image:
-      id: "{{ aws_vsmart_ami_id }}"
+      id: "{{ ami_result.image_id if volume_snapshots else aws_vmanage_ami_id }}"
     state: present
     vpc_subnet_id: "{{ aws_mgmt_subnet.id }}"
     region: "{{ aws_region }}"
@@ -117,6 +136,14 @@
         delete_on_termination: true
   register: ec2_vsmart
+- name: Deregister/Delete AMI (keep associated snapshots)
+  amazon.aws.ec2_ami:
+    image_id: "{{ ami_result.image_id }}"
+    delete_snapshot: false
+    state: absent
+    region: "{{ aws_region }}"
+  when: volume_snapshots
+
 # TODO:
 # Note that the variable: ec2_vsmart.instances[0].network_interfaces is returning a list of interfaces
 # but that list can be different than device_index (so mgmt and transport are mixed)
@@ -166,15 +193,17 @@
     purge_rules: false
     purge_tags: false
     purge_rules_egress: false
-    rules:
+    rules: "{{ sg_rules_vsmart }}"
+    rules_egress: "{{ sg_rules_vsmart if aws_sg_block_egress else [] }}"
+  register: allow_traffic
+  retries: 3
+  delay: 3
+  until: allow_traffic is succeeded
+  vars:
+    sg_rules_vsmart:
       - proto: all
         cidr_ip: "{{ eip_vsmart.results[0].public_ip }}/32"
         rule_desc: "{{ hostname }} - mgmt (VPN 512)"
       - proto: all
         cidr_ip: "{{ eip_vsmart.results[1].public_ip }}/32"
         rule_desc: "{{ hostname }} - transport (VPN 0)"
-    rules_egress: []
-  register: allow_traffic
-  retries: 3
-  delay: 3
-  until: allow_traffic is succeeded
diff --git a/roles/aws_controllers/tasks/main.yml b/roles/aws_controllers/tasks/main.yml
index 0218b19..7180e02 100644
--- a/roles/aws_controllers/tasks/main.yml
+++ b/roles/aws_controllers/tasks/main.yml
@@ -72,6 +72,7 @@
     hostname: "{{ instance_item.hostname }}"
     system_ip: "{{ instance_item.system_ip }}"
     site_id: "{{ instance_item.site_id }}"
+    volume_snapshots: "{{ instance_item.volume_snapshots | default([]) }}"
   loop: "{{ vbond_instances }}"
   loop_control:
     loop_var: instance_item
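Review bot: The new `volume_snapshots` include variable in roles/aws_controllers/tasks/main.yml (@@ -72,6 +72,7 @@) carries no comment on its expected shape, yet the task files index it positionally: `volume_snapshots[0]` is the root-device snapshot in every AMI registration task and `volume_snapshots[1]` the vManage data volume. A comment above the new line such as `# optional: [<root volume snapshot id>, <data volume snapshot id>]; an empty list deploys from the stock AMI` would spare the next reader a trip through three task files. The same applies to the vmanage and vsmart loops at @@ -84,6 +85,8 @@ and @@ -95,6 +98,7 @@, and to roles/azure_controllers/tasks/main.yml, where the list holds VHD source URIs rather than snapshot ids. The enclosing include task starts outside the hunk.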
@@ -84,6 +85,8 @@
     system_ip: "{{ instance_item.system_ip }}"
     site_id: "{{ instance_item.site_id }}"
     persona: "{{ instance_item.persona }}"
+    volume_snapshots: "{{ instance_item.volume_snapshots | default([]) }}"
+    cluster_private_ip: "{{ instance_item.cluster_private_ip | default(omit) }}"
   loop: "{{ vmanage_instances }}"
   loop_control:
     loop_var: instance_item
@@ -95,6 +98,7 @@
     hostname: "{{ instance_item.hostname }}"
     system_ip: "{{ instance_item.system_ip }}"
     site_id: "{{ instance_item.site_id }}"
+    volume_snapshots: "{{ instance_item.volume_snapshots | default([]) }}"
   loop: "{{ vsmart_instances }}"
   loop_control:
     loop_var: instance_item
diff --git a/roles/aws_network_infrastructure/defaults/main.yml b/roles/aws_network_infrastructure/defaults/main.yml
index 555d0f5..bee4a6f 100644
--- a/roles/aws_network_infrastructure/defaults/main.yml
+++ b/roles/aws_network_infrastructure/defaults/main.yml
@@ -5,6 +5,7 @@
 # VPN subnets from which we can connect to AWS EIPs (Security Group config)
 aws_allowed_subnets: null
+aws_sg_block_egress: false
 #####################################
 # General AWS configuration #
diff --git a/roles/aws_network_infrastructure/tasks/aws_create_network_infrastructure.yml b/roles/aws_network_infrastructure/tasks/aws_create_network_infrastructure.yml
index fe0cf8f..08b1b54 100644
--- a/roles/aws_network_infrastructure/tasks/aws_create_network_infrastructure.yml
+++ b/roles/aws_network_infrastructure/tasks/aws_create_network_infrastructure.yml
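Review bot: `aws_sg_block_egress: false` in roles/aws_network_infrastructure/defaults/main.yml (@@ -5,6 +5,7 @@) is added without a comment, unlike the neighbouring `aws_allowed_subnets`, and nothing in defaults tells a user what turning it on changes. Suggest `# When true, the security group gets no allow-all egress rule; only the per-controller egress rules added by aws_controllers remain` above it, which is what the security-group task and the controller tasks in this commit implement.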
@@ -156,18 +156,20 @@
         from_port: 8
         to_port: -1
         cidr_ip: "{{ aws_allowed_subnets }}"
-    rules_egress:
-      - proto: -1
-        from_port: 0
-        to_port: 0
-        cidr_ip: 0.0.0.0/0
+    rules_egress: "{{ egress_allow_all if not aws_sg_block_egress else [] }}"
     purge_rules: false
     purge_tags: false
-    purge_rules_egress: false
+    purge_rules_egress: "{{ aws_sg_block_egress and _created_vpc.changed }}"
     tags:
       Name: "{{ aws_security_group_name }}"
       Creator: "{{ aws_tag_creator }}"
   register: _created_security_group
+  vars:
+    egress_allow_all:
+      - proto: -1
+        from_port: 0
+        to_port: 0
+        cidr_ip: 0.0.0.0/0
 - name: Copy Security Group resources information to log file
   ansible.builtin.blockinfile:
diff --git a/roles/azure_controllers/defaults/main.yml b/roles/azure_controllers/defaults/main.yml
index 24de968..9cfa50b 100644
--- a/roles/azure_controllers/defaults/main.yml
+++ b/roles/azure_controllers/defaults/main.yml
@@ -47,6 +47,7 @@ az_subnets: |
 # Security group
 az_network_security_group: "{{ az_resources_prefix }}-nsg"
+az_nsg_block_edgess: false
 # VPN subnets from which we can connect to Azure EIPs (Network Security Group config)
diff --git a/roles/azure_controllers/tasks/azure_vbond_vm.yml b/roles/azure_controllers/tasks/azure_vbond_vm.yml
index 6411ca0..484044e 100644
--- a/roles/azure_controllers/tasks/azure_vbond_vm.yml
+++ b/roles/azure_controllers/tasks/azure_vbond_vm.yml
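Review bot: `purge_rules_egress` is true only while `aws_sg_block_egress` is set and `_created_vpc.changed` is true, so enabling the flag on a VPC that already exists leaves the previously created `0.0.0.0/0` egress rule (and the group's default allow-all egress) in place while `rules_egress` becomes empty; nothing in the diff removes those rules, so on a re-run egress is not actually blocked. If the `_created_vpc.changed` guard exists to protect the per-controller egress rules that the aws_controllers tasks add later with `purge_rules_egress: false`, that deserves a comment on the line; otherwise `purge_rules_egress: "{{ aws_sg_block_egress }}"` closes the gap, provided the controller tasks always run after this role and re-add their rules. `_created_vpc` is registered outside the hunk.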
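Review bot: The new variable `az_nsg_block_edgess` in roles/azure_controllers/defaults/main.yml (@@ -47,6 +47,7 @@ az_subnets: |) misspells "egress"; it is spelled the same way in roles/azure_network_infrastructure/defaults/main.yml and in every task file of this commit, so it functions, but it diverges from the AWS counterpart `aws_sg_block_egress` and any search for "egress" misses it. Rename to `az_nsg_block_egress` in all occurrences before it lands in users' inventories, and add a one-line comment describing its effect, as the AWS flag should also get.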
@@ -36,15 +36,7 @@
   azure.azcollection.azure_rm_securitygroup:
     resource_group: "{{ az_resource_group }}"
     name: "{{ az_network_security_group }}"
-    rules:
-      - name: "{{ public_ip_state.state.name }}"
-        protocol: "*"
-        destination_port_range: "*"
-        source_port_range: "*"
-        source_address_prefix: "{{ public_ip_state.state.ip_address }}"
-        access: Allow
-        priority: "{{ 1500 + ((az_res_gr.securitygroups | first).rules | length) + 1 + my_idx }}"
-        direction: Inbound
+    rules: "{{ [inbound_rule, outbound_rule] if az_nsg_block_edgess else [inbound_rule] }}"
     tags:
       Name: "{{ az_network_security_group }}"
       Creator: "{{ az_tag_creator }}"
@@ -55,6 +47,25 @@
     index_var: my_idx
     label: public_ip_state.state.name
   when: public_ip_state.state.name not in az_res_gr.securitygroups | map(attribute='rules') | flatten | map(attribute='name') | list
+  vars:
+    inbound_rule:
+      name: "{{ public_ip_state.state.name }}"
+      protocol: "*"
+      destination_port_range: "*"
+      source_port_range: "*"
+      source_address_prefix: "{{ public_ip_state.state.ip_address }}"
+      access: Allow
+      priority: "{{ 1500 + ((az_res_gr.securitygroups | first).rules | length) + 1 + my_idx }}"
+      direction: Inbound
+    outbound_rule:
+      name: "{{ public_ip_state.state.name }}-out"
+      protocol: "*"
+      destination_port_range: "*"
+      source_port_range: "*"
+      destination_address_prefix: "{{ public_ip_state.state.ip_address }}"
+      access: Allow
+      priority: "{{ 1500 + ((az_res_gr.securitygroups | first).rules | length) + 1 + my_idx }}"
+      direction: Outbound
 - name: "Create virtual network interface cards"
   azure.azcollection.azure_rm_networkinterface:
@@ -136,7 +147,7 @@
     location: "{{ az_location }}"
     os_type: "Linux"
     hyper_v_generation: "V1"
-    source: "{{ az_vbond_image_vhd_source }}"
+    source: "{{ volume_snapshots[0] if volume_snapshots else az_vbond_image_vhd_source }}"
 - name: "Create vBond VM: {{ hostname }}"
   azure.azcollection.azure_rm_virtualmachine:
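Review bot: In the @@ -55,6 +47,25 @@ hunk the `-out` rule can only be created together with the inbound rule, because the task's `when:` skips the whole task once a rule named `public_ip_state.state.name` already exists; turning `az_nsg_block_edgess` on for an NSG that already carries the inbound rules therefore never adds the outbound rules, while the DenyAll outbound rule from azure_network_infrastructure.yml does get applied. Either extend the condition so the outbound name is checked as well, e.g. `when: public_ip_state.state.name not in existing_rule_names or (az_nsg_block_edgess and public_ip_state.state.name ~ '-out' not in existing_rule_names)` with `existing_rule_names` added to `vars:`, or document that the flag must be set before the first deployment. The same pattern appears in azure_vmanage_vm.yml (both securitygroup hunks) and azure_vsmart_vm.yml. The enclosing task starts outside the hunk.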
diff --git a/roles/azure_controllers/tasks/azure_vmanage_vm.yml b/roles/azure_controllers/tasks/azure_vmanage_vm.yml
index e6d4a1e..1ebcfb1 100644
--- a/roles/azure_controllers/tasks/azure_vmanage_vm.yml
+++ b/roles/azure_controllers/tasks/azure_vmanage_vm.yml
@@ -38,15 +38,7 @@
   azure.azcollection.azure_rm_securitygroup:
     resource_group: "{{ az_resource_group }}"
     name: "{{ az_network_security_group }}"
-    rules:
-      - name: "{{ public_ip_state.state.name }}"
-        protocol: "*"
-        destination_port_range: "*"
-        source_port_range: "*"
-        source_address_prefix: "{{ public_ip_state.state.ip_address }}"
-        access: Allow
-        priority: "{{ 2500 + ((az_res_gr.securitygroups | first).rules | length) + 1 + my_idx }}"
-        direction: Inbound
+    rules: "{{ [inbound_rule, outbound_rule] if az_nsg_block_edgess else [inbound_rule] }}"
     tags:
       Name: "{{ az_network_security_group }}"
       Creator: "{{ az_tag_creator }}"
@@ -59,6 +51,25 @@
   when:
     - public_ip_state.state is defined
     - public_ip_state.state.name not in az_res_gr.securitygroups | map(attribute='rules') | flatten | map(attribute='name') | list
+  vars:
+    inbound_rule:
+      name: "{{ public_ip_state.state.name }}"
+      protocol: "*"
+      destination_port_range: "*"
+      source_port_range: "*"
+      source_address_prefix: "{{ public_ip_state.state.ip_address }}"
+      access: Allow
+      priority: "{{ 2500 + ((az_res_gr.securitygroups | first).rules | length) + 1 + my_idx }}"
+      direction: Inbound
+    outbound_rule:
+      name: "{{ public_ip_state.state.name }}-out"
+      protocol: "*"
+      destination_port_range: "*"
+      source_port_range: "*"
+      destination_address_prefix: "{{ public_ip_state.state.ip_address }}"
+      access: Allow
+      priority: "{{ 2500 + ((az_res_gr.securitygroups | first).rules | length) + 1 + my_idx }}"
+      direction: Outbound
 - name: "Create virtual network interface cards for public interfaces"
   azure.azcollection.azure_rm_networkinterface:
@@ -120,15 +131,7 @@
   azure.azcollection.azure_rm_securitygroup:
     resource_group: "{{ az_resource_group }}"
     name: "{{ az_network_security_group }}"
-    rules:
-      - name: "{{ cluster_vmanage_nic.state.name }}"
-        protocol: "*"
-        destination_port_range: "*"
-        source_port_range: "*"
-        source_address_prefix: "{{ cluster_vmanage_nic.state.ip_configuration.private_ip_address }}"
-        access: Allow
-        priority: "{{ 2500 + ((az_res_gr.securitygroups | first).rules | length) + 1 }}"
-        direction: Inbound
+    rules: "{{ [inbound_rule, outbound_rule] if az_nsg_block_edgess else [inbound_rule] }}"
     tags:
       Name: "{{ az_network_security_group }}"
       Creator: "{{ az_tag_creator }}"
@@ -136,6 +139,25 @@
   when:
     - cluster_subnet is defined
     - cluster_subnet != ""
+  vars:
+    inbound_rule:
+      name: "{{ cluster_vmanage_nic.state.name }}"
+      protocol: "*"
+      destination_port_range: "*"
+      source_port_range: "*"
+      source_address_prefix: "{{ cluster_vmanage_nic.state.ip_configuration.private_ip_address }}"
+      access: Allow
+      priority: "{{ 2500 + ((az_res_gr.securitygroups | first).rules | length) + 1 }}"
+      direction: Inbound
+    outbound_rule:
+      name: "{{ cluster_vmanage_nic.state.name }}-out"
+      protocol: "*"
+      destination_port_range: "*"
+      source_port_range: "*"
+      destination_address_prefix: "{{ cluster_vmanage_nic.state.ip_configuration.private_ip_address }}"
+      access: Allow
+      priority: "{{ 2500 + ((az_res_gr.securitygroups | first).rules | length) + 1 }}"
+      direction: Outbound
 - name: Set az_network_interfaces_vmanage fact with a list of interfaces for vmanage
   ansible.builtin.set_fact:
@@ -212,7 +234,17 @@
     location: "{{ az_location }}"
     os_type: "Linux"
     hyper_v_generation: "V1"
-    source: "{{ az_vmanage_image_vhd_source }}"
+    source: "{{ volume_snapshots[0] if volume_snapshots else az_vmanage_image_vhd_source }}"
+
+- name: "Create an image from a VHD for vManage: {{ hostname }}-image"
+  azure.azcollection.azure_rm_manageddisk:
+    resource_group: "{{ az_resource_group }}"
+    name: "{{ hostname }}-datadisk1"
+    location: "{{ az_location }}"
+    source_uri: "{{ volume_snapshots[1] }}"
+    create_option: copy
+  when: volume_snapshots
+  register: datadisk_info
 - name: "Create VM for vmanage: {{ hostname }}"
   azure.azcollection.azure_rm_virtualmachine:
@@ -239,6 +271,7 @@
         disk_size_gb: 100
         managed_disk_type: Premium_LRS
         storage_container_name: "{{ hostname }}-datadisk1"
+        managed_disk_id: "{{ datadisk_info.state.id if volume_snapshots else omit }}"
     tags:
       Name: "{{ hostname }}"
       Creator: "{{ az_tag_creator }}"
diff --git a/roles/azure_controllers/tasks/azure_vsmart_vm.yml b/roles/azure_controllers/tasks/azure_vsmart_vm.yml
index ba7d587..55da062 100644
--- a/roles/azure_controllers/tasks/azure_vsmart_vm.yml
+++ b/roles/azure_controllers/tasks/azure_vsmart_vm.yml
@@ -36,15 +36,7 @@
   azure.azcollection.azure_rm_securitygroup:
     resource_group: "{{ az_resource_group }}"
     name: "{{ az_network_security_group }}"
-    rules:
-      - name: "{{ public_ip_state.state.name }}"
-        protocol: "*"
-        destination_port_range: "*"
-        source_port_range: "*"
-        source_address_prefix: "{{ public_ip_state.state.ip_address }}"
-        access: Allow
-        priority: "{{ 2000 + ((az_res_gr.securitygroups | first).rules | length) + 1 + my_idx }}"
-        direction: Inbound
+    rules: "{{ [inbound_rule, outbound_rule] if az_nsg_block_edgess else [inbound_rule] }}"
     tags:
       Name: "{{ az_network_security_group }}"
       Creator: "{{ az_tag_creator }}"
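Review bot: The new task is named "Create an image from a VHD for vManage: {{ hostname }}-image" but it calls `azure_rm_manageddisk` and creates a disk named `{{ hostname }}-datadisk1`, and `source_uri: "{{ volume_snapshots[1] }}"` is read whenever the list is non-empty, so a single-entry list fails here rather than producing a plain data disk. Rename it to `- name: "Create data disk from VHD for vManage: {{ hostname }}-datadisk1"` and guard it with `when: volume_snapshots | length > 1`; the `managed_disk_id` line in the following hunk (@@ -239,6 +271,7 @@) then needs the same `volume_snapshots | length > 1` condition so it stays omitted when this task is skipped. The virtualmachine task in that hunk starts and ends outside the hunk.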
@@ -55,6 +47,25 @@
     index_var: my_idx
     label: public_ip_state.state.name
   when: public_ip_state.state.name not in az_res_gr.securitygroups | map(attribute='rules') | flatten | map(attribute='name') | list
+  vars:
+    inbound_rule:
+      name: "{{ public_ip_state.state.name }}"
+      protocol: "*"
+      destination_port_range: "*"
+      source_port_range: "*"
+      source_address_prefix: "{{ public_ip_state.state.ip_address }}"
+      access: Allow
+      priority: "{{ 2000 + ((az_res_gr.securitygroups | first).rules | length) + 1 + my_idx }}"
+      direction: Inbound
+    outbound_rule:
+      name: "{{ public_ip_state.state.name }}-out"
+      protocol: "*"
+      destination_port_range: "*"
+      source_port_range: "*"
+      destination_address_prefix: "{{ public_ip_state.state.ip_address }}"
+      access: Allow
+      priority: "{{ 2000 + ((az_res_gr.securitygroups | first).rules | length) + 1 + my_idx }}"
+      direction: Outbound
 - name: "Create virtual network interface cards"
   azure.azcollection.azure_rm_networkinterface:
@@ -126,7 +137,7 @@
     location: "{{ az_location }}"
     os_type: "Linux"
     hyper_v_generation: "V1"
-    source: "{{ az_vsmart_image_vhd_source }}"
+    source: "{{ volume_snapshots[0] if volume_snapshots else az_vsmart_image_vhd_source }}"
 - name: "Create vSmart VM: {{ hostname }}"
   azure.azcollection.azure_rm_virtualmachine:
diff --git a/roles/azure_controllers/tasks/main.yml b/roles/azure_controllers/tasks/main.yml
index 3377640..79e993d 100644
--- a/roles/azure_controllers/tasks/main.yml
+++ b/roles/azure_controllers/tasks/main.yml
@@ -53,6 +53,7 @@
     hostname: "{{ instance_item.hostname }}"
     system_ip: "{{ instance_item.system_ip }}"
     site_id: "{{ instance_item.site_id }}"
+    volume_snapshots: "{{ instance_item.volume_snapshots | default([]) }}"
   loop: "{{ vbond_instances }}"
   loop_control:
     loop_var: instance_item
@@ -101,6 +102,7 @@
     hostname: "{{ instance_item.hostname }}"
     system_ip: "{{ instance_item.system_ip }}"
     site_id: "{{ instance_item.site_id }}"
+    volume_snapshots: "{{ instance_item.volume_snapshots | default([]) }}"
   loop: "{{ vsmart_instances }}"
   loop_control:
     loop_var: instance_item
@@ -113,6 +115,7 @@
     system_ip: "{{ instance_item.system_ip }}"
     site_id: "{{ instance_item.site_id }}"
     persona: "{{ instance_item.persona }}"
+    volume_snapshots: "{{ instance_item.volume_snapshots | default([]) }}"
   loop: "{{ vmanage_instances }}"
   loop_control:
     loop_var: instance_item
diff --git a/roles/azure_network_infrastructure/defaults/main.yml b/roles/azure_network_infrastructure/defaults/main.yml
index 0d8ef89..a07f199 100644
--- a/roles/azure_network_infrastructure/defaults/main.yml
+++ b/roles/azure_network_infrastructure/defaults/main.yml
@@ -47,6 +47,7 @@ az_subnets: |
 # Security group
 az_network_security_group: "{{ az_resources_prefix }}-nsg"
+az_nsg_block_edgess: false
 # VPN subnets from which we can connect to Azure EIPs (Network Security Group config)
diff --git a/roles/azure_network_infrastructure/tasks/azure_network_infrastructure.yml b/roles/azure_network_infrastructure/tasks/azure_network_infrastructure.yml
index 768868f..c3d39b8 100644
--- a/roles/azure_network_infrastructure/tasks/azure_network_infrastructure.yml
+++ b/roles/azure_network_infrastructure/tasks/azure_network_infrastructure.yml
@@ -79,3 +79,49 @@
     Name: "{{ az_network_security_group }}"
     Creator: "{{ az_tag_creator }}"
     Organization: "{{ organization_name }}"
+
+- name: "Block Outbound traffic: {{ az_network_security_group }}"
+  azure.azcollection.azure_rm_securitygroup:
+    resource_group: "{{ az_resource_group }}"
+    name: "{{ az_network_security_group }}"
+    rules:
+      - name: DenyAll
+        access: Deny
+        direction: Outbound
+        priority: 4000
+      - name: ExternalTCP-out
+        protocol: Tcp
+        destination_port_range:
+          - 22
+          - 443
+          - 830 # NETCONF over SSH
+          - 8443
+        source_address_prefix: "{{ az_allowed_subnets }}"
+        access: Allow
+        priority: 1001
+        direction: Outbound
+      - name: InternalTCP-out
+        protocol: Tcp
+        destination_port_range: 23456-24156
+        source_address_prefix: "{{ az_allowed_subnets }}"
+        access: Allow
+        priority: 1002
+        direction: Outbound
+      - name: InternalUDP-out
+        protocol: Udp
+        destination_port_range: 12346-13046
+        source_address_prefix: "{{ az_allowed_subnets }}"
+        access: Allow
+        priority: 1003
+        direction: Outbound
+      - name: ICMP-out
+        protocol: Icmp
+        source_address_prefix: "{{ az_allowed_subnets }}"
+        access: Allow
+        priority: 1004
+        direction: Outbound
+    tags:
+      Name: "{{ az_network_security_group }}"
+      Creator: "{{ az_tag_creator }}"
+      Organization: "{{ organization_name }}"
+  when: az_nsg_block_edgess
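Review bot: The four Allow rules in the new "Block Outbound traffic" task set `source_address_prefix` to `az_allowed_subnets`, but for `direction: Outbound` the source side is the controller NIC itself and the VPN subnets are the destination, so as written these rules match no controller-originated traffic and only `DenyAll` at priority 4000 takes effect, sitting above the platform's default outbound allow rules. If the intent is to permit traffic towards the VPN subnets, each rule should read `destination_address_prefix: "{{ az_allowed_subnets }}"` instead. Nothing removes these rules when the flag is later set back to false, since the module adds to the existing rule set, so a comment above the task stating that the change is one-way (or a matching `state`/purge path) would help. `az_allowed_subnets` is defined outside the hunk.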