templates/nat_gateway_setup_lea/r1154leasetupnatgateway.j2
|**Metadata**|**Description** |
|--|--|
|Doc Title| MVM v3 LEA: Setup NAT Gateway in Azure Subnet|
|Navigation|[WIKI Home Page](https://dev.azure.com/mvmprodeus2/MVM/_wiki/wikis/documentation/1/documents-home#)|
|Tracking| Document Number: VPE-5512-536 |
|Author| Graeme Thomson (gt163y) |
| Agreement Number | 24252.S.005 |
***
**Notices**
Copyright © 2025 Metaswitch Networks. All rights reserved.
This manual is Confidential Information of Metaswitch Networks subject to the confidentiality terms
of the Agreement 01019223 as amended between AT&T and Metaswitch Networks.
It is issued on the understanding that no part of the product code or documentation (including this manual)
will be copied or distributed without prior agreement in writing from Metaswitch Networks and Alianza, Inc.
Metaswitch Networks and Alianza reserve the right to, without notice, modify or revise all or part of
this document and/or change product features or specifications and shall not be responsible for any
loss, cost, or damage, including consequential damage, caused by reliance on these materials.
Metaswitch and the Metaswitch logo are trademarks of Metaswitch Networks. Other brands and
products referenced herein are the trademarks or registered trademarks of their respective holders.
Product(s) and features documented in this manual handle various forms of data relating to your
users. You must comply with all laws and regulations applicable to your deployment, management,
and use of said product(s), and you should take all appropriate technical and organizational
measures to ensure you are handling this data appropriately according to any local legal and
regulatory obligations.
You are responsible for determining whether said product(s) or feature(s) is/are appropriate for
storage and processing of information subject to any specific law or regulation and for using said
product(s) or feature(s) in a manner consistent with your own legal and regulatory obligations. You
are also responsible for responding to any request from a third party regarding your use of said
product(s), such as a request to take down content under the U.S. Digital Millennium Copyright Act
or other applicable laws.
Metaswitch Networks
399 Main Street
Los Altos
CA 94022
<http://www.metaswitch.com>
***
***Table of Contents***
[[_TOC_]]
# 1. Document History
| **Issue** | **Issue Date** | **Author(s)** | **Identification of Changes** |
|-|-|-|-|
| 1| 12/12/2024| Gthomson| initial draft |
# 2. Versions
| **Version #** | **Editor** | **Comments** |
|-|-|-|
| 1| Gthomson| initial draft |
# 3. Integrated Solution Approach v1 (ISA v1)
| **Version #** | **Editor** | **Comments** |
|-|-|-|
| 1| Gthomson| initial draft |
# 4. MOP Impact Scope / General Information
## 4.1 Description
Default outbound access has been retired from new Azure deployments, and NAT Gateways
are now required to provide outbound access for resources in a subnet. This MOP describes
the process to create a NAT Gateway in an impacted subnet.
## 4.2 Site Specific Description
| **Originator** | **Date** | **Time** |
|-|-|-|
| **Deployment Location(s)** | | |
| **Description** | This MOP applies to the MVM V3 on Azure deployment, Release R11.5.4 | |
## 4.3 Service Impact
Service impact is not expected during this procedure.
## 4.4 Coordination
This MOP has no interactions outside of the MVM subscription.
# 5. Prerequisite/Dependencies/Entrance Criteria of MOP
This is a standalone MOP that describes the process to add a NAT Gateway to a subnet.
## 5.1 Required parameters
The following parameter values are required to run this MOP.
| **Identifier** | **Description** |
|-|-|
| **VM_RESOURCE_GROUP** | The resource group containing the impacted VMs |
| **VNET_RESOURCE_GROUP** | The resource group containing the virtual network |
| **SUBNET_NAME** | The name of the subnet used by the impacted VMs |
| **VNET_NAME** | The name of the virtual network used by the impacted VMs |
| **SUBSCRIPTION_ID** | Azure subscription identifier for the MVM subscription |
## 5.2 Required files
No additional files are required to run this MOP.
# 6. Assumptions
The target audience for this procedure is the AT&T Engineer who will be performing the task. They will need to be familiar with Azure and have a working knowledge of the Azure CLI and Linux.
# 7. Material Requirements
## 7.1 Required Documents
## 7.2 Tools
| **Tool** | **Description** | **Quantity** |
|-|-|-|
| Laptop or Desktop PC | PC with at least 1 GB of memory and a network communications software application such as Procomm, Reflections or PuTTY | 1 |
| Azure connectivity PC | Cloud Shell connectivity to the Azure subscription is required. This can be accessed via [My Dashboard - Microsoft Azure](https://portal.azure.com/#cloudshell/) | |
# 8. Pre Maintenance Check, Precautions and Preparations
## 8.1 Precautions and Preparation
## 8.2 Precautions
> This procedure may cause a partial outage during implementation. Use executable script files to minimize down time and typing errors. Familiarize yourself with back-out procedures prior to starting the procedure.
| **Ask Yourself Principle** | **Yes** | **No** | **N/A** |
|-|-|-|-|
| 1. Do I have the proper ID and appropriate building access permissions for the environment I am about to enter? | | |
| 2. Do I know why I'm doing this work? | | |
| 3. Have I identified and notified everybody - customers and internal groups - who will be directly affected by this work? | | |
| 4. Can I prevent or control service interruption? | | |
| 5. Is this the right time to do this work? | | |
| 6. Am I trained and qualified to do this work? | | |
| 7. Are the work orders, MOPs, and supporting documentation current and error-free? | | |
| 8. Do I have everything I need to quickly and safely restore service if something goes wrong? | | |
| 9. Have I walked through the procedure? | | |
| 10. Have I made sure the procedure includes proper closure including obtaining clearance and release for the appropriate work center? | | |
| **E911 Ask Yourself** | **Yes** | **No** | **N/A** |
|-|-|-|-|
| 1. Does this work impact E911? | | |
| 2. Do I know how this work could impact 911/e911? | | |
| 3. Do I know what 911/e911 phase is required? | | |
| 4. Have I identified potential risks to 911/e911 and taken all measures to minimize? | | |
| 5. Does this work affect 15+ sites? | | |
| 6. Can I prevent or control service Interruptions to 911/e911? | | |
| 7. Is this the right time to do the work? | | |
| 8. Is the individual performing the work trained and qualified to do this work? | | |
| 9. Are MOPs and supporting documents current and error free? | | |
| 10. Does the MOP include a 911/e911 test plan? | | |
## 8.3 Pre-Maintenance Check Tools/System
Tier 2 needs to identify which tools they will use. This doesn't necessarily need to be included in the MOP but OPS needs to know which tools they will run.
(NEED TO USE STANDARD TOOLS) TIER 2
## 8.4 Pre-Maintenance Check Manual (Non-Automated Requirements)
These will be identified by the Tier 3 MOP developer where required.
(MANDATORY CHECK REQUIRE FOR THE MOP) TIER 3
## 8.5 MOP Certification Environment
Examples: PSL certified. OR This MOP was paper certified by ATS engineers.
## 8.6 ATS Bulletin
**ATS Bulletin Check**
| **Step** | **Action** | **Results/Description** | **Timeline** |
|-|-|-|-|
| 1. | No Applicable bulletins | | |
## 8.7 Emergency Contacts
The following emergency contact numbers are to be used in the event provisioning support is required.
In the event a service interruption is encountered, the AT&T Implementation Engineer will:
- Cease all work immediately.
- Notify the AT&T Voicemail TRC.
- Escalate to the next level of support.
| **Organization** | **Contact Name** | **Contact Number** |
|-|-|-|
| Voicemail TRC | SANRC | 877-662-7674, opt 3 |
# 9. Implementation
## 9.1 Preliminary Implementation
Pre-check tasks are completed the night of the cutover at least one hour prior to cutover activities.
1. Connect to the DevOps Portal
   1. Start a browser session to <https://dev.azure.com/>. This will be required to manage the pipelines.
   1. Select the project associated with MVM v3.
1. Connect to the Azure Portal
   1. Start a browser session to <https://portal.azure.com/>. This will be required to manage Azure resources and access the log analytics workspace (LAW).
   1. If prompted, complete the log in process.
1. Connect to Azure Cloud Shell
   1. Start a CloudShell session by connecting a browser to <https://shell.azure.com/>.
   1. If the menu at the top left indicates PowerShell, select Bash from the menu and confirm at the prompt.
1. Upload any files and directories outlined in section 5.2 to your Cloud Shell account as they will be needed later.
## 9.2 Implementation
1. Set the following environment variables:
```
SUBSCRIPTION_ID={{ SUBSCRIPTION_ID | default('<SUBSCRIPTION_ID>') }}
VNET_NAME={{ VNET_NAME | default('<VNET_NAME>') }}
VNET_RESOURCE_GROUP={{ VNET_RESOURCE_GROUP | default('<VNET_RESOURCE_GROUP>') }}
VM_RESOURCE_GROUP={{ VM_RESOURCE_GROUP | default('<VM_RESOURCE_GROUP>') }}
SUBNET_NAME={{ SUBNET_NAME | default('<SUBNET_NAME>') }}
```
1. Set the default subscription by running the command:
```
az account set --subscription "${SUBSCRIPTION_ID}"
```
1. Create Standard Public IP
```
az network public-ip create \
--resource-group ${VM_RESOURCE_GROUP} \
--name ${VNET_NAME}_${SUBNET_NAME}_public_ip \
--sku Standard \
--allocation-method Static
```
1. Create and Configure NAT Gateway
```
# Create NAT gateway
az network nat gateway create \
--resource-group ${VM_RESOURCE_GROUP} \
--name ${VNET_NAME}_${SUBNET_NAME}_natgw \
--public-ip-addresses ${VNET_NAME}_${SUBNET_NAME}_public_ip \
--idle-timeout 10
# Associate NAT gateway with subnet
az network vnet subnet update \
--resource-group ${VNET_RESOURCE_GROUP} \
--vnet-name ${VNET_NAME} \
--name ${SUBNET_NAME} \
--nat-gateway ${VNET_NAME}_${SUBNET_NAME}_natgw
```
1. Disable default outbound access for the subnet
```
az network vnet subnet update \
--resource-group ${VNET_RESOURCE_GROUP} \
--vnet-name ${VNET_NAME} \
--name ${SUBNET_NAME} \
--default-outbound false
```
1. Verify Configuration
```
# Verify NAT gateway status
az network nat gateway show \
--resource-group ${VM_RESOURCE_GROUP} \
--name ${VNET_NAME}_${SUBNET_NAME}_natgw \
--query "provisioningState"
# Verify subnet association
az network vnet subnet show \
--resource-group ${VNET_RESOURCE_GROUP} \
--vnet-name ${VNET_NAME} \
--name ${SUBNET_NAME} \
--query "natGateway.id"
```
The output of the first command should show `Succeeded`, indicating that the NAT gateway was created successfully.
The second command should return the ID of the NAT gateway, which should look like: `/subscriptions/{{ SUBSCRIPTION_ID | default('<SUBSCRIPTION_ID>') }}/resourceGroups/{{ VM_RESOURCE_GROUP | default('<VM_RESOURCE_GROUP>') }}/providers/Microsoft.Network/natGateways/{{ VNET_NAME | default('<VNET_NAME>') }}_{{ SUBNET_NAME | default('<SUBNET_NAME>') }}_natgw`
1. Restart Virtual Machines
```
# Get all VM names in the resource group (one name per line from tsv output)
mapfile -t VM_LIST < <(az vm list -g "${VM_RESOURCE_GROUP}" --query "[].name" -o tsv)
VM_COUNT=${#VM_LIST[@]}
if [ "${VM_COUNT}" -eq 0 ]; then
    echo "No VMs found in resource group '${VM_RESOURCE_GROUP}'"
else
    echo "Found ${VM_COUNT} VMs in resource group '${VM_RESOURCE_GROUP}': ${VM_LIST[*]}"
fi
# Restart each VM in turn and wait until Azure reports it running again.
# The wait is bounded so that a VM which never comes back cannot hang the MOP.
MAX_WAIT_SECS=600
for VM_NAME in "${VM_LIST[@]}"; do
    echo "🔄 Restarting $VM_NAME..."
    # Restart the VM
    az vm restart --resource-group "${VM_RESOURCE_GROUP}" --name "$VM_NAME"
    # Wait until the VM is running again
    echo "⏳ Waiting for $VM_NAME to be running..."
    WAITED=0
    while true; do
        STATUS=$(az vm get-instance-view \
            --resource-group "${VM_RESOURCE_GROUP}" \
            --name "$VM_NAME" \
            --query "instanceView.statuses[?starts_with(code, 'PowerState/')].code" \
            -o tsv)
        if [[ "$STATUS" == "PowerState/running" ]]; then
            echo "✅ $VM_NAME is running."
            break
        elif [ "$WAITED" -ge "$MAX_WAIT_SECS" ]; then
            echo "⚠️ $VM_NAME is not running after ${MAX_WAIT_SECS}s (current status: $STATUS); check it manually before continuing."
            break
        else
            echo "Still waiting... (current status: $STATUS)"
            sleep 10
            WAITED=$((WAITED + 10))
        fi
    done
done
echo "🎉 All VMs restarted sequentially."
```
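The checks in the verification step above only eyeball two values. The following script is an added post-check for the section 9.2 procedure, not part of the original MOP: it confirms in one pass that default outbound access is off, that the subnet is bound to the NAT gateway this MOP created, and that the gateway finished provisioning. It assumes the section 9.2 variables are set; the subnet property name `defaultOutboundAccess` and the function names are assumptions, while the `az` commands are the ones used in section 9.2.

```bash
# Added post-check for section 9.2 (not from the original MOP). Assumes the
# section 9.2 variables are set and that the subnet exposes the
# "defaultOutboundAccess" property (assumption about the az CLI output).

# Pure check so it can be run without Azure. Returns 0 only when every
# condition holds; each failure is reported on stderr.
#   $1 defaultOutboundAccess reported for the subnet ("true"/"false"/"" if unset)
#   $2 natGateway.id reported for the subnet ("" if none attached)
#   $3 NAT gateway resource ID the MOP expects
#   $4 provisioningState of the NAT gateway
verify_outbound_state() {
    local default_outbound actual_id expected_id state rc=0
    # Normalise case: tsv output may print True/False, and resource IDs are case-insensitive
    default_outbound=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    actual_id=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    expected_id=$(printf '%s' "$3" | tr '[:upper:]' '[:lower:]')
    state="$4"
    if [ "$default_outbound" != "false" ]; then
        echo "FAIL: defaultOutboundAccess is '${default_outbound:-unset}', expected false" >&2
        rc=1
    fi
    if [ -z "$actual_id" ]; then
        echo "FAIL: no NAT gateway is associated with the subnet" >&2
        rc=1
    elif [ "$actual_id" != "$expected_id" ]; then
        echo "FAIL: subnet is bound to '$2', expected '$3'" >&2
        rc=1
    fi
    if [ "$state" != "Succeeded" ]; then
        echo "FAIL: NAT gateway provisioningState is '${state:-unset}', expected Succeeded" >&2
        rc=1
    fi
    return "$rc"
}

# Live wrapper: fetches the three values with the same az commands as section 9.2.
verify_subnet_nat_live() {
    local natgw="${VNET_NAME}_${SUBNET_NAME}_natgw"
    local expected="/subscriptions/${SUBSCRIPTION_ID}/resourceGroups/${VM_RESOURCE_GROUP}/providers/Microsoft.Network/natGateways/${natgw}"
    local dob nat_id state
    dob=$(az network vnet subnet show -g "$VNET_RESOURCE_GROUP" --vnet-name "$VNET_NAME" \
          -n "$SUBNET_NAME" --query "defaultOutboundAccess" -o tsv)
    nat_id=$(az network vnet subnet show -g "$VNET_RESOURCE_GROUP" --vnet-name "$VNET_NAME" \
          -n "$SUBNET_NAME" --query "natGateway.id" -o tsv)
    state=$(az network nat gateway show -g "$VM_RESOURCE_GROUP" -n "$natgw" \
          --query "provisioningState" -o tsv)
    verify_outbound_state "$dob" "$nat_id" "$expected" "$state"
}
```

Run `verify_subnet_nat_live` from the same Cloud Shell session after the subnet update; a non-zero exit means the subnet still has a path to the internet that this MOP was meant to remove or replace.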
## 9.3 Test Plan
1. Outbound access can be confirmed by running the following on a VM in the subnet:
```
# Test outbound access
curl -I https://azure.microsoft.com/en-us
```
The output should show a successful 200 OK HTTP response, indicating that outbound access is functioning correctly.
## 9.4 Backout Procedure
1. Remove the NAT Gateway from the subnet
```
az network vnet subnet update \
--resource-group ${VNET_RESOURCE_GROUP} \
--vnet-name ${VNET_NAME} \
--name ${SUBNET_NAME} \
--remove natGateway
```
1. Delete the NAT Gateway
```
az network nat gateway delete \
--name ${VNET_NAME}_${SUBNET_NAME}_natgw \
--resource-group ${VM_RESOURCE_GROUP}
```
1. Delete the Public IP
```
az network public-ip delete \
--resource-group ${VM_RESOURCE_GROUP} \
--name ${VNET_NAME}_${SUBNET_NAME}_public_ip
```
1. Restart Virtual Machines
```
# Get all VM names in the resource group (one name per line from tsv output)
mapfile -t VM_LIST < <(az vm list -g "${VM_RESOURCE_GROUP}" --query "[].name" -o tsv)
VM_COUNT=${#VM_LIST[@]}
if [ "${VM_COUNT}" -eq 0 ]; then
    echo "No VMs found in resource group '${VM_RESOURCE_GROUP}'"
else
    echo "Found ${VM_COUNT} VMs in resource group '${VM_RESOURCE_GROUP}': ${VM_LIST[*]}"
fi
# Restart each VM in turn and wait until Azure reports it running again.
# The wait is bounded so that a VM which never comes back cannot hang the backout.
MAX_WAIT_SECS=600
for VM_NAME in "${VM_LIST[@]}"; do
    echo "🔄 Restarting $VM_NAME..."
    # Restart the VM
    az vm restart --resource-group "${VM_RESOURCE_GROUP}" --name "$VM_NAME"
    # Wait until the VM is running again
    echo "⏳ Waiting for $VM_NAME to be running..."
    WAITED=0
    while true; do
        STATUS=$(az vm get-instance-view \
            --resource-group "${VM_RESOURCE_GROUP}" \
            --name "$VM_NAME" \
            --query "instanceView.statuses[?starts_with(code, 'PowerState/')].code" \
            -o tsv)
        if [[ "$STATUS" == "PowerState/running" ]]; then
            echo "✅ $VM_NAME is running."
            break
        elif [ "$WAITED" -ge "$MAX_WAIT_SECS" ]; then
            echo "⚠️ $VM_NAME is not running after ${MAX_WAIT_SECS}s (current status: $STATUS); check it manually before continuing."
            break
        else
            echo "Still waiting... (current status: $STATUS)"
            sleep 10
            WAITED=$((WAITED + 10))
        fi
    done
done
echo "🎉 All VMs restarted sequentially."
```
# 10. Post checks
[System healthchecks]
# 11. Risk Assessment Score
1 - TBD
# 12. Execute MOP clean up if required
# 13. End of Document MOP
# 14. Service Assurance/Monitoring
# A. Appendix and Tables
# B. Approvers
# C. Peer Reviewers
# D. References for Other Documents
# E. Additional Appendices (If required)