CONFIDENTIAL

SIMPL VM Deployment Guide (Azure)

SIMPL-001_Azure - Version 6.11.0 - Issue 1-1451

October 2022

A Microsoft Company
SIMPL VM Deployment Guide (Azure) (V6.11.0) CONFIDENTIAL

Notices
Copyright © 2020-2022 Microsoft. All rights reserved.

This manual is issued on a controlled basis to a specific person on the understanding that no part of
the product code or documentation (including this manual) will be copied or distributed without prior
agreement in writing from Metaswitch Networks and Microsoft.

Metaswitch Networks and Microsoft reserve the right to, without notice, modify or revise all or part of
this document and/or change product features or specifications and shall not be responsible for any
loss, cost, or damage, including consequential damage, caused by reliance on these materials.

Metaswitch and the Metaswitch logo are trademarks of Metaswitch Networks. Other brands and
products referenced herein are the trademarks or registered trademarks of their respective holders.
 CONFIDENTIAL SIMPL VM Deployment Guide (Azure) (V6.11.0)

Contents

1 Introduction to the SIMPL VM.............................................................................. 4

2 Planning your SIMPL VM deployment................................................................. 9
2.1 VM specification.................................................................................................................... 9
2.2 Firewall configuration and connectivity................................................................................. 9
2.3 Azure requirements............................................................................................................. 11
2.4 Monitoring with SIMon or Fluentd....................................................................................... 11
2.5 Syslog audit logging............................................................................................................ 12
2.6 User access.........................................................................................................................13
3 Deploying the SIMPL VM.................................................................................... 15
3.1 Configuring Azure public cloud for the SIMPL VM............................................................. 15
3.2 Deploying SIMPL on Azure.................................................................................................16
3.2.1 Input variables....................................................................................................... 16
3.2.2 Preparing for deployment - networks and security groups.................................... 21
3.2.3 Preparing for deployment - storage, access and encryption................................. 23
3.2.4 Deploying the SIMPL VM...................................................................................... 28
3.3 Initial configuration...............................................................................................................30
3.4 Change SSH timeout according to security policy..............................................................32
3.5 Configuring syslog support over TLS..................................................................................32
4 Managing the SIMPL VM..................................................................................... 35
4.1 Upgrading or recovering the SIMPL VM on Azure............................................................. 35
4.2 Using the screen command for long running actions..........................................................40
4.3 Resizing disks on Azure..................................................................................................... 41
4.4 Destroying the SIMPL VM.................................................................................................. 44
5 Managing multiple sites...................................................................................... 46
6 Troubleshooting the SIMPL VM..........................................................................47
7 Appendix: Command reference..........................................................................49
7.1 CSAR commands................................................................................................................ 49
7.2 Other commands................................................................................................................. 51
 SIMPL VM Deployment Guide (Azure) (V6.11.0) CONFIDENTIAL

1 Introduction to the SIMPL VM

Metaswitch's ServiceIQ Management Platform VM (SIMPL VM) is a VM that simplifies the

management of other Metaswitch VMs. SIMPL provides a unified and consistent way to deploy,
commission, and update Metaswitch products on VMware vSphere, VMware vCloud, OpenStack, and
Azure.

What is the SIMPL VM?

The ServiceIQ Management Platform (SIMPL) VM interacts with your virtual infrastructure manager
(VIM) to manage the lifecycle procedures for your Metaswitch products deployed as virtual machines:
installing, updating, upgrading, healing and destroying VMs. SIMPL reduces the number of
touchpoints for operators because operations are performed solely through SIMPL rather than
needing direct access.

Figure 1: SIMPL VM overview

SIMPL supports vSphere, vCloud, OpenStack and Azure VIMs. See Supported products for what can
be deployed on your VIM and Deploying the SIMPL VM (OpenStack, VMware or Azure) for required
configuration.

The SIMPL VM is a long-lived VM that you continue to use to manage updates and upgrades
throughout your deployment's lifetime. SIMPL VM may also be used as a short-lived VM to speed up
the commissioning process that you remove from your deployment after initial commissioning

The SIMPL VM is intended to be the first Metaswitch VM created in your network and provides:

• VPN access (if permitted) for base commissioning and validation.

• Tooling to deploy VMs.

4 1 Introduction to the SIMPL VM

 CONFIDENTIAL SIMPL VM Deployment Guide (Azure) (V6.11.0)

• Tooling to interact with the VMs and apply base 'day one' configuration.
• Deployment validation scripts to check VMs are correctly commissioned and working.
• Tooling to update product configuration and upgrade the software once initial VM deployment is
complete.

SIMPL relies on two key artifacts:

• SDF - The Solution Definition File is a single, declarative YAML file that encapsulates all the
information necessary to set up a specific Metaswitch deployment. Note SDFs, unlike CSARs, are
a Metaswich proprietary format.
• CSARs - Cloud Service Archives are an open standard for shipping product images together with
metadata describing the configuration they require, validation tests, and day one scripts. The
SIMPL VM creates deployments using CSARs, typically using one CSAR for each VM type. SIMPL
VM supports deploying Metaswitch CSARs, not CSARs from other vendors.

SIMPL VM also separates secret configuration, such as the passwords and private keys, from non-
sensitive configuration. The SDF does not contain secret values; instead, it contains identifiers that
are used to reference a secret value. The secret values are managed in a secure secret store hosted
on SIMPL VM. This allows SDFs to be safely shared between your engineers and Metaswitch support
without any risk of leaking secrets.

Deployment via the SIMPL VM

The SIMPL VM deploys Metaswitch products using a combination of the SDF and CSARs:

• The SIMPL VM is installed (as an OVA on VMware, via Heat on OpenStack, or as a VHD via ARM
on Azure).
• CSARs are downloaded onto the SIMPL VM and stored on a detachable volume.
• The SDF is written, and then copied onto the SIMPL VM. Your support representative will usually
write the SDF.
• Secrets are added to the secret store using the SIMPL VM CLI.
• The SIMPL VM validates the SDF, including:

• all syntax is correct

• all mandatory fields are filled out
• all IP address are in the right subnet
• no IP addresses clash
• The SIMPL VM needs the relevant permissions to speak to your VIM. We recommend, where
possible creating Metaswitch VMs in an isolated tenant on your VIM, or, on platforms such as
vSphere where this is not possible, we provide detailed instructions on the minimum permissions
necessary, so that SIMPL VM can interact with Metaswitch VMs only. SIMPL VM validates that
it can contact the VIM, and that permissions are configured appropriately, before all deploy
operations.
• Once you are ready to deploy, the SIMPL VM uploads the software image from the CSAR, checks
that it has all the required secrets it needs to deploy the target VMs, deploys your Metaswitch VMs
as specified in the SDF, and applies initial configuration.

1 Introduction to the SIMPL VM 5

 SIMPL VM Deployment Guide (Azure) (V6.11.0) CONFIDENTIAL

• The SIMPL VM then checks that the VMs are running and are healthy.

This allows Metaswitch deployments to be spun up very quickly. If something goes wrong, you
can redeploy by running a few commands on the SIMPL VM. Similarly, if you need to replicate the
deployment at another location, you only need to make minor changes to the SDF and run a few
commands. Manual steps that previously took days now take a matter of minutes.

Updates and upgrades via the SIMPL VM

Metaswitch products fall into two categories:

• Products for which applying software updates are done by redeploying the VM:

• This is called the rolling upgrade model.

• In addition to changing software versions via redeploying up-level, these products also expect
'base' configuration, such as NTP servers and DNS to be updated via a redeploy.
• SIMPL provides a single update command that can be used to either update configuration
(including secrets) or upgrade to a new software version.
• SIMPL automates the upgrade procedure to make it as simple as downloading a CSAR for the
new software version, updating the SDF to reference the new version, and then running the
update command. For a configuration update, any changes to the SDF are applied with the
same command but using the existing CSAR.
• SIMPL contains all the logic to co-ordinate the upgrade or update across a cluster of VMs
providing the same service. This includes automating previously manual steps such as health
checks before and after each update, quiescing, deleting VMs and redeploying them using up-
level software, and detaching and reattaching persistent volumes. This ensures that service is
maintained throughout the procedure.
• Rolling upgrade is supported on OpenStack, VMware, and Azure.
• Products for which applying software updates is done via updating the software in-place, without
redeploying the VM:

• This is called the in-place upgrade model

• The VM is not destroyed and SIMPL updates the existing VM. In-place upgrade can be used to
automate upgrade of the software version, but cannot be used to update configuration of these
products.
• In-place upgrade is supported on OpenStack and VMware.

Other lifecycle operations

SIMPL also supports other lifecycle operations:

• Heal: SIMPL supports 'healing' some products. This means redeploying VMs and reattaching
any persistent disks. This is useful to recover from some errors, such as memory leaks. Products
which do not support heal have other recovery mechanisms, such as Software Protection Switches
(SPS).

6 1 Introduction to the SIMPL VM

 CONFIDENTIAL SIMPL VM Deployment Guide (Azure) (V6.11.0)

• Redeploy: This includes deleting and then deploying all VMs. All resources SIMPL has created,
including disks and VMs, are destroyed in this process.
• Delete: SIMPL can delete resources it has created, such as VMs, VNFs or even entire
deployments.
• Scale Out: In some limited cases SIMPL supports scaling-out. This means adding new VMs to a
cluster to provide more capacity for that service. Scale in (reducing capacity) is not yet supported.

SIMPL VM technology
The SIMPL VM uses the following underlying technologies.

• Terraform - Terraform is a tool used for deploying infrastructure, which is used on the SIMPL VM
to deploy VMs on vSphere and vCloud.
• Heat - Heat is the standard OpenStack tool used for deploying stacks (containing associated VMs,
ports, security groups etc.).
• Ansible - Ansible is an industry standard tool used to interact with network elements over SSH
and automate tasks.
• ARM - ARM is the standard tool used for deploying Azure resources (VMs, disks, NICs etc.).

Terminology
The following terminology is used within the document.

Term Meaning

VNF Virtualized Network Function. A network function running in the

cloud (Azure, vSphere, vCloud or OpenStack).

VNFC VNF Component. A logical subset of a VNF, performing a distinct

function.

VNFCI VNF Component Instance. A specific VM of a given VNFC.

Service Group A group of VNFCIs. Used for targeted deployment or upgrade. For
example, if you had a VNFC with 6 VNFCIs, you could separate
them into two Service Groups of 3, to allow deploy or upgrade of
one Service Group at a time.

VNFD VNF Descriptor. Information about how to instantiate a VNF - for

example, a Heat template.

CSAR Cloud Service Archive. A zipfile containing product images and

associated metadata.

Solution Bundle Similar to CSARs without software images, these provide additional
metadata, configuration scripts, and validation tests for VNFs when

1 Introduction to the SIMPL VM 7

 SIMPL VM Deployment Guide (Azure) (V6.11.0) CONFIDENTIAL

Term Meaning

they are deployed as part of a known solution, for example the

Metaswitch VoLTE solution.

Day zero configuration Configuration required to get the VM to boot on the management
network.

Day one configuration Configuration that falls between "day zero" and "service"
configuration. Varies between VM types, but may include e.g.
passwords or timeouts.

Service configuration Configuration consumed by an virtualized application (sometimes

also referred to as "day two" configuration).

Upgrade Either upgrading your SIMPL VM to a new version of software, or

a csar update operation that updates the version of a deployed
VNF/VNFC.

In-place update (also known The existing VNFC updates the software on itself without any impact
as in-place upgrade) on the underlying VM. Configuration changes are not possible.
Updates apply to the whole VNFC rather than individual VMs. In-
place updates are always in-service. This means there is no loss of
service or GR-redundancy over the update.

Rolling in-service update (also Existing VMs are deleted one at a time, and replaced with one
known as rolling in-service at the uplevel version. This method also allows updating of any
upgrade) configuration. Rolling updates can either be in-service or out-of-
service. Out-of-service updates involve a loss of service for the GR-
site being updated.

Out-of-service update (also All existing VMs within a site are deleted at the same time, and
known as out-of-service replaced with instances at the uplevel version. This method also
upgrade) allows updating of any configuration. Out-of-service updates involve
a loss of service for the GR-site being updated.

Update Updating of a VNFC for any reason. This could mean an upgrade,
or it could mean a configuration change, or both. Possible updates
depend on the VNF type.

8 1 Introduction to the SIMPL VM

 CONFIDENTIAL SIMPL VM Deployment Guide (Azure) (V6.11.0)

2 Planning your SIMPL VM deployment

If your deployment consists of distinct sites, you have two options for deploying SIMPL VM:

• A single SIMPL VM which manages all VMs in all sites. You will need connectivity between the
SIMPL VM and the VMs in each site.

• You can optionally have backup SIMPL VMs in one or more of the other sites; see Managing
multiple sites on page 46.
• A SIMPL VM in each site which solely manages the VMs within that site. This is only
recommended if the connectivity requirements for the first option cannot be met.

For both options, you must configure firewalls that protect your network from unauthorized traffic while
allowing SIMPL VM connections to the managed sites.

Before deploying the SIMPL VM, see:

• VM specification on page 9
• Firewall configuration and connectivity on page 9
• Azure requirements on page 11
• Syslog audit logging on page 12
• User access on page 13.

2.1 VM specification
The SIMPL VM is available as a VHD for Azure.

The SIMPL VM is deployed with an extra disk to allow recovery from failures without losing state (see
Upgrading or recovering the SIMPL VM on Azure on page 35). This disk, called volume storage,
is 128GiB in size by default, but you can increase the disk size later if needed (see Resizing disks on
Azure on page 41).

The SIMPL VM uses the Standard_D2s_v4 VM size; see Sizes for virtual machines in Azure in the
Azure Virtual Machines documentation.

2.2 Firewall configuration and connectivity

Attention:

If the SIMPL VM is managing multiple sites, then it must have the connectivity listed below to each
of those sites. You will need to set up virtual networks, subnets and network security groups to do
this on Azure - see Networking within Azure in the Metaswitch Products Azure Deployment Design
Guide.

Note:

2 Planning your SIMPL VM deployment 9

 SIMPL VM Deployment Guide (Azure) (V6.11.0) CONFIDENTIAL

If you are using rsyslog, you need ports open to the rsylog server. This is typically port 514, but can
be configured as something else when setting up rsyslog for SIMPL VM - see Syslog audit logging
on page 12.

Table 1: Firewall Permissions and Connectivity

Port Transport Security Destination Direction Purpose

22 TCP Public/ Metaswitch VPN ingress/ Metaswitch VPN

private key servers (1) egress

22 TCP Public/ Metaswitch VMs IP (2) ingress/ Configuring VMs after

private key egress instantiation

443 TCP TLS dl.metaswitch.com (3) ingress/ Optional to download

egress CSARs directly from
Metaswitch instead of
manually copying them to
the SIMPL VM.

514 UDP - Remote syslog server egress Optional to allow remote

syslog over UDP

514 TCP TLS Remote syslog server egress Optional to allow remote
syslog over TLS

80 TCP HTTPS SAS VMs in egress HTTP traffic out to SAS

deployment instances

3000 TCP HTTP Supported VMs (4) egress HTTP traffic out to QS
ready endpoints

4000 TCP HTTPS MDM VMs in egress HTTPS traffic out to MDM
deployment APIs

9042 TCP CQL Rhino VMs in egress CQL traffic out to Rhino
deployment VMs

9100 TCP HTTP SIMon VMs in ingress Allow SIMon to scrape

deployment node exporter metrics from
SIMPL VM

9200 TCP HTTP SIMon VMs in egress Allow SIMPL VM to send

deployment logs to SIMon

Note that traffic is two-way in most cases (not just one-way as "destination" implies).

1. Metaswitch's VPN servers (nexus(01-03).metaswitch.com) have the following IP addresses:

• 192.91.191.13
• 205.196.118.7

10 2 Planning your SIMPL VM deployment

 CONFIDENTIAL SIMPL VM Deployment Guide (Azure) (V6.11.0)

• 198.147.226.4
2. This is the management IP addresses of all of the Metaswitch nodes in the network. This
is needed for doing base commissioning and validation of the nodes once they have been
instantiated.
3. This is Metaswitch's external Artifactory repository. Access is only needed while downloading
CSARs; therefore, the pinhole may only need to be open for 2-3 hours. The current IP address is
198.147.226.33. You can check this using:

• on Linux: dig dl.metaswitch.com

• on Windows nslookup dl.metaswitch.com
4. Products which expose a health checking API on port 3000, such as MDM, SDE and QCall. See
the relevant product documentation to see if it exposes this API.

Adding additional networks

If there isn't a single network available that can connect to all the destinations above, then you will
need to add additional NICs to the SIMPL VM and configure them with standard Linux commands.

2.3 Azure requirements

• Subscription - You will need an Azure subscription with enough capacity for your deployment.
Your subscription will contain resource groups for each VNFC as well as the SIMPL VM. The
maximum number of resource groups in a subscription is 980.
• Permissions - You will need to have access to the relevant tenant. See Configuring Azure public
cloud for the SIMPL VM on page 15 for the details on the permissions required.
• Region - Work with your support representative to determine the appropriate regions for your
deployment needs. If your deployment design uses Availability Zones, your Azure regions will need
to have support for these; see Regions and availability zones in the Azure documentation.
• Networks and access - You must provide a way for your support representative to add CSAR
files to your SIMPL VM, and for your operators to have SSH access to SIMPL VM. We recommend
that you set up an Azure VPN Gateway - see the Azure VPN Gateway documentation.

2.4 Monitoring with SIMon or Fluentd

SIMPL is integrated with ServiceIQ Monitoring (SIMon) to provide logs, metrics and alerts, along
with dashboards and tools to monitor them across your Metaswitch solution. Alternatively, you can
integrate with an external Fluentd service for use with a third-party monitoring platform.

Metaswitch solutions are typically provided with monitoring configuration files to cover all of the
components in the solution. However, you can also use the default configuration files (which only
cover SIMPL) provided with the SIMPL VM image. If you need help implementing monitoring for your
deployment, contact your support representative.

For more information about using SIMon to monitor your deployment, see the ServiceIQ Monitoring
Deployment Guide.

2 Planning your SIMPL VM deployment 11

 SIMPL VM Deployment Guide (Azure) (V6.11.0) CONFIDENTIAL

Logs
SIMPL can send container and CSAR operation logs to either SIMon or an external Fluentd log
collector.

• To enable logging to SIMon, you must provide the management IP address that is or will be used
for the primary SIMon VM in the same site as the SIMPL VM.
• To enable logging to an external Fluentd log collector, you must provide the IP address for the
Fluentd server.

Attention:

You can only change the logging destination when installing or upgrading SIMPL.

Metrics
SIMon can scrape metrics from SIMPL. SIMPL exposes node_exporter (CPU/memory/disk/
networking) and fluentd metrics on ports 9100 and 24231 respectively.

SIMPL only supports manual scrape target configuration. You cannot monitor SIMPL's metrics and
alerts in a deployment that uses automatic scrape target discovery.

Metaswitch provides default metrics configuration files with the SIMPL VM image, and your
Metaswitch solution may also be provided with metrics configuration that includes SIMPL.

To enable metrics, see Manually configure scrape targets in the ServiceIQ Monitoring Deployment
Guide. No SIMPL configuration changes are required.

Alerts
SIMon can raise alerts on the basis of metrics generated by SIMPL. Metaswitch provides a default
alerting rules file with the SIMPL VM image, and your Metaswitch solution may also be provided with
alerting rules that include SIMPL.

To enable alerts, see Configure alerting rules in the ServiceIQ Monitoring Deployment Guide. No
SIMPL configuration changes are required.

Dashboards
Metaswitch provides a default Grafana dashboard file with the SIMPL VM image, and your Metaswitch
solution may also be provided with Grafana and/or Kibana dashboards that include SIMPL. You can
also create your own dashboards. Refer to your solution documentation for details.

2.5 Syslog audit logging

SIMPL VM supports sending audit logs to a remote syslog server over UDP and TLS. When enabled,
this sends all audit logs generated by the Linux audit framework (such as authentication attempts and
command line activity) to your remote syslog server over UDP or TLS (not provided by Metaswitch).

12 2 Planning your SIMPL VM deployment

 CONFIDENTIAL SIMPL VM Deployment Guide (Azure) (V6.11.0)

We recommend configuring syslog over TLS if supported by your remote syslog server.

Configuring syslog over TLS support for Azure

We recommend configuring syslog over TLS if your remote syslog server supports TLS.

To enable syslog over TLS support, set the following fields in the Azure GUI when deploying the
SIMPL VM ARM template:

• remote_syslog_server_address : the FQDN of the remote syslog server, for example

myhost.example.co.uk
• remote_syslog_server_port : the port number of the remote syslog server. Defaults to 514.

Attention:

Using an IP address for remote_syslog_server_address will result in an error for syslog over
TLS. You must use an FQDN.

Note that these fields can be configured when the SIMPL VM is initially deployed following Deploying
SIMPL on Azure on page 16, or by updating configuration on an existing SIMPL VM following
Upgrading or recovering the SIMPL VM on Azure on page 35.

Run the procedure in Configuring syslog support over TLS on page 32 once SIMPL VM has
finished installing to finish configuring syslog over TLS.

Configuring syslog over UDP support for Azure

To enable syslog over UDP support, set the following fields in the Azure GUI when deploying the
SIMPL VM ARM template:

• remote_syslog_server_ip : the IP address of the remote syslog server

• remote_syslog_server_port : the port number of the remote syslog server. Defaults to 514.

These fields can be configured when the SIMPL VM is initially deployed following Deploying SIMPL on
Azure on page 16, or by updating configuration on an existing SIMPL VM following Upgrading or
recovering the SIMPL VM on Azure on page 35.

Syslog interoperability requirements

SIMPL requires that the remote server:

• has firewalls configured to allow traffic on the relevant syslog ports

• is running a syslog service
• has the correct configuration to forward received logs to the desired files.

2.6 User access

The SIMPL VM is a privileged system with considerable power to alter your deployment. There is a
risk that a user may accidentally run a command that could delete or damage your deployment. The

2 Planning your SIMPL VM deployment 13

 SIMPL VM Deployment Guide (Azure) (V6.11.0) CONFIDENTIAL

SIMPL VM reduces this risk by restricting the commands available to logged-in users. The SIMPL VM
supports three users: admin, lifecycle-mgmt and secrets-mgmt. Each user has access to a different
set of commands.

This feature is designed to reduce the risk of a user accidentally damaging the deployment in the
course of their day-to-day operations. It is not designed to be proof against a determined, malicious
attacker. The SIMPL VM is a privileged system and, as such, all logins must be kept safe and secure
in a modern credential management system.

• The admin user allows access to all SIMPL VM CLI commands. It also has root permissions for
the SIMPL VM's operating system.
• The lifecycle-mgmt user restricts CLI commands to those that perform lifecycle operations or
display diagnostic information about your deployment. The lifecycle-mgmt user is not permitted
to use csar commands that modify any secret information in the SIMPL VM secret store, but the
user is not prevented from bypassing those commands and interacting with the secret store's API
directly.
• The secrets-mgmt user restricts CLI commands to those that manage secret information in the
SIMPL VM secret store or display diagnostic information about your deployment. The secrets-
mgmt user is not permitted to use csar commands that modify the state of the VNFs in your
deployment, but the user is not prevented from bypassing those commands to interact with the
underlying functionality directly.

Attention:

All of these users have considerable power to retrieve secret information about your deployment,
alter its state, or both. You must keep the passwords for these users secure.

User Lifecycle Secrets Diagnostics Root

operations permissions

admin Yes Yes Yes Yes

lifecycle-mgmt Yes No Yes No

secrets-mgmt No Yes Yes No

14 2 Planning your SIMPL VM deployment

 CONFIDENTIAL SIMPL VM Deployment Guide (Azure) (V6.11.0)

3 Deploying the SIMPL VM

To deploy the SIMPL VM, perform the following steps:

1. Ensure you have the appropriate configuration: Configuring Azure public cloud for the SIMPL VM
on page 15
2. Deploy the SIMPL VM: Deploying SIMPL on Azure on page 16
3. Perform initial configuration of the SIMPL VM: Initial configuration on page 30.

3.1 Configuring Azure public cloud for the SIMPL VM

Install Azure CLI

See How to install the Azure CLI in the Azure CLI documentation.

Permissions
You need different permissions for deploying the SIMPL VM and using the SIMPL VM to deploy other
products. See Assign Azure roles using the Azure portal in the Azure RBAC documentation for how to
grant specific access by assigning roles, and Azure built-in roles for information on the roles available.

For deploying the SIMPL VM, you will need:

• Either the Owner or User Access Administrator role to set up the managed identities
(specifically to assign the required roles).
• Either the Owner or Contributor role to create the SIMPL VM.

To deploy and manage other products, SIMPL VM will need:

• The Contributor role at the subscription scope.

• A Storage Blob Data Contributor role for the storage account that SIMPL VM will need to access
for images.
• A Storage Blob Data Contributor role for the storage account that SIMPL VM will need to access
for upgrade.

A single storage account may be used for both image and upgrade storage.

If you are using managed identities, these roles are assigned to the managed identity by the supplied
ARM template.

Networking
See Networking within Azure in the Metaswitch Products Azure Deployment Design Guide for
information on Azure networking to help you create your network design.

Before deploying the SIMPL VM, you should have decided:

• Which VNets you require (we recommend one per region)

3 Deploying the SIMPL VM 15

 SIMPL VM Deployment Guide (Azure) (V6.11.0) CONFIDENTIAL

• Which subnets you require on those VNets. We recommend:

• A single management subnet per VNet, used by SIMPL VM and all your VNFs
• Additional subnets for other traffic types, used by one or more VNFs - see the individual product
documentation for requirements.
• Which network security groups (NSGs) and rules you require for your subnets. In Azure, NSGs
serve the same purpose as a firewall, allowing you to configure rules for what traffic is permitted to
be sent to and from your subnets. You have two options:

• Associate a single NSG to each subnet, which will be shared between all the VMs on that
subnet. We recommend this option for easier management.
• Create a separate network security group for every VNF type (including one for SIMPL VM)
for each subnet used. It is not recommended to associate network security groups to both the
parent subnet and any individual VNFs; see How network security groups filter network traffic in
the Azure Virtual Network documentation.
• Whether you need VNet peering between VNets in different regions.

Your network security group rules should close down all traffic other than the requirements listed in
Firewall configuration and connectivity on page 9 and in the firewall configuration from each product
manual set.

Preparing for deployment - networks and security groups on page 21 contains instructions for
creating a VNet with a management and additional subnets as well as network security groups.

Note:

SIMPL VM does not currently support deploying VNFs with IPv6 addresses on Azure.

3.2 Deploying SIMPL on Azure

To deploy the SIMPL VM on Azure:

1. Set up your deployment variables; see Input variables on page 16

2. Prepare your network; see Preparing for deployment - networks and security groups on page
21.
3. Complete the pre-deployment steps; Preparing for deployment - storage, access and encryption on
page 23
4. Deploy the SIMPL VM; see Deploying the SIMPL VM on page 28.

3.2.1 Input variables

The following tables contain the variables you will need to deploy SIMPL VM. Determine a value for
each variable and keep it recorded for future reference.

16 3 Deploying the SIMPL VM

CONFIDENTIAL SIMPL VM Deployment Guide (Azure) (V6.11.0)

Table 2: Azure variables needed across deployment steps

Identifier Description

SUBSCRIPTION_ID The Subscription ID of your Azure Subscription.

REGION_PORTAL The Azure portal name for the Azure Region you will
deploy to. For example, Europe (UK South).

REGION_ARM The Azure CLI/ARM name for the Azure Region you
will deploy to; for example, uksouth.

You can find the mapping of portal name to CLI/ARM

name by running az account list-locations
-o table in the Azure CLI.

Variables needed for setting up the SIMPL VM network

The variables in the following table are needed for completing Preparing for deployment - networks
and security groups on page 21 and Deploying the SIMPL VM on page 28.

Table 3: Variables needed for the SIMPL VM network

Identifier Description

VNET_NAME A name for your virtual network.

VNET_RESOURCE_GROUP A name for the resource group containing the virtual

network.

VNET_CIDR The IP range, in CIDR notation, of the VNet which

will contain the management (and optionally, the
core and access subnets for other products). For
example, 192.0.2.9/24.

MGMT_SUBNET_CIDR The subnet to use for the management network

within the Virtual Network, in CIDR notation. For
example, 192.0.2.9/24.

MGMT_SUBNET_NAME A name for your management subnet.

MANAGEMENT_IP An IPv4 address for your SIMPL VM on

your management subnet referenced by
SUBNET_NAME.

The variables in the following table are needed for completing Preparing for deployment - networks
and security groups on page 21. They are used for setting up your Azure Network Security Groups
(NSG), and you will need to determine new values for each NSG and rule you configure.

3 Deploying the SIMPL VM 17

 SIMPL VM Deployment Guide (Azure) (V6.11.0) CONFIDENTIAL

Table 4: Variables needed for setting up the SIMPL VM network security groups

Identifier Description

NSG_NAME A name for this Azure network security group.

RULE_NAME The rule description for this Azure network security

group.

DIRECTION Whether the rule applies to inbound or outbound

traffic. Allowed values are Inbound and Outbound.

PRIORITY An integer representing the priority of the rule. Rules

with a lower priority value are applied first.

PROTOCOL The traffic protocol this rule will apply to. Allowed
values are *, Ah, Esp, Icmp, Tcp and Udp.

SOURCE_CIDR A space separated list of the source IP address

range(s) that this rule will apply to.

DESTINATION_CIDR A space separated list of the destination IP address

range(s) that this rule will apply to.

DESTINATION_PORT_RANGE A space separated list of the Destination Port

range(s) that this rule will apply to.

RULE_ACCESS Whether this rule will allow or reject traffic that

matches it. Allowed values are Allow and Deny.

Variables needed for setting up the SIMPL VM storage, access and encryption

The variables in the following table are needed for completing Preparing for deployment - storage,
access and encryption on page 23 and Deploying the SIMPL VM on page 28.

Table 5: Variables needed for deploying the SIMPL VM

Identifier Description

SIMPL_VM_NAME A name for the SIMPL VM. This cannot exceed 64

characters or use any of the following: ` ~ ! @ #
$ % ^ & * ( ) = + _ [ ] { } \\\\ | ; :
' \\\" , < > / ?.\.

SIMPL_VM_RESOURCE_GROUP A name for the resource group containing the SIMPL

VM. This cannot exceed 64 characters or use any of
the following: ` ~ ! @ # $ % ^ & * ( ) = + _
[ ] { } \\\\ | ; : ' \\\" , < > / ?.\.

IMAGE_RESOURCE_GROUP A name for a resource group where you will keep

SIMPL VM images and VHDs.

18 3 Deploying the SIMPL VM

CONFIDENTIAL SIMPL VM Deployment Guide (Azure) (V6.11.0)

Identifier Description

IDENTITY_RESOURCE_GROUP A name for a resource group where you will keep

your managed identity.

STORAGE_ACCOUNT_NAME A name for your storage account. This can contain

only lowercase letters and numbers.

STORAGE_ACCOUNT_KEY The authentication key for the storage account used

to store the VHD file. You will create and retrieve
this key when following the procedures in Preparing
for deployment - storage, access and encryption on
page 23.

CONTAINER_NAME A name for your storage account container. This can

contain only lowercase letters and numbers.

VHD_FILENAME The file name of the .vhd file for the SIMPL VM,
including the .vhd suffix.

SIMPL_VHD_BLOB_URI The blob URI of your SIMPL VM VHD. You will

retrieve this when following the procedures in
Preparing for deployment - storage, access and
encryption on page 23.

IMAGE_NAME A name for the Azure image resource that will

be created from the VHD. This can contain only
alphanumeric characters, underscores, periods,
and hyphens; the first and last characters must be
alphanumeric.

IDENTITY_RESOURCE_ID Full resource ID of the managed identity. You

will retrieve this when following the procedures in
Preparing for deployment - storage, access and
encryption on page 23.

ADMIN_PUBLIC_SSH_KEY The public part of the ssh key created for the admin
user (copied from the .pub file). You will retrieve
this when following the procedures in Preparing for
deployment - storage, access and encryption on
page 23.

LIFECYCLEMGMT_PUBLIC_SSH_KEY The public part of the ssh key created for the
lifecycle-mgmt user (copied from the .pub file).
You will retrieve this when following the procedures
in Preparing for deployment - storage, access and
encryption on page 23.

3 Deploying the SIMPL VM 19

 SIMPL VM Deployment Guide (Azure) (V6.11.0) CONFIDENTIAL

Identifier Description

SECRETSMGMT_PUBLIC_SSH_KEY The public part of the ssh key created for the
secrets-mgmt user (copied from the .pub file).
You will retrieve this when following the procedures
in Preparing for deployment - storage, access and
encryption on page 23.

PERSISTENT_DISK_ENCRYPTION_SET_NAME
The name of the Disk Encryption Set to use for
encrypting the persistent disk with a customer-
managed encryption key. Only set this variable if
you want to use your own managed key and rotation
strategy.

If left as an empty string (recommended), the disk will

default to using a platform-managed key.

This can be the same as

OS_DISK_ENCRYPTION_SET_NAME.

PERSISTENT_DISK_ENCRYPTION_SET_RGThe Resource Group containing

the disk encryption set
PERSISTENT_DISK_ENCRYPTION_SET_NAME.
This is only required if using a disk encryption set for
the persistent disk; otherwise, leave it as an empty
string.

OS_DISK_ENCRYPTION_SET_NAME The name of the Disk Encryption Set to use for

encrypting the OS disk with a customer-managed
encryption key. Only set this variable if you want to
use your own managed key and rotation strategy.

If left as an empty string (recommended), the disk will

default to using a platform-managed key.

This can be the same as

PERSISTENT_DISK_ENCRYPTION_SET_NAME.

OS_DISK_ENCRYPTION_SET_RG The resource group containing the disk encryption

set OS_DISK_ENCRYPTION_SET_NAME. This is
only required if using a disk encryption set for the OS
disk; otherwise, leave it as an empty string.

RSYSLOG_SERVER_IP The IP address of the remote syslog server

(optional). See Syslog audit logging on page 12.

RSYSLOG_SERVER_PORT The port number of the remote syslog server

(optional). This is typically port 514. See Syslog audit
logging on page 12.

20 3 Deploying the SIMPL VM

 CONFIDENTIAL SIMPL VM Deployment Guide (Azure) (V6.11.0)

Identifier Description

SIMON_MGMT_IP The management IP address of the primary SIMon

VM to be used to monitor SIMPL VM (optional). See
Monitoring with SIMon or Fluentd on page 11.

FLUENTD_SERVER_ADDRESSES Comma-delimited list of IP addresses for Fluentd to

send logs to (optional). See Monitoring with SIMon or
Fluentd on page 11.

3.2.2 Preparing for deployment - networks and security groups

Before you begin

You will need:

• An Azure subscription.
• Azure credentials with Contributor or Owner permissions.
• Azure CLI installed.
• The list of VNets, subnets and network security groups your deployment requires; see Networking
in Configuring Azure public cloud for the SIMPL VM on page 15.

Refer to the Variables needed for setting up the SIMPL VM network you determined in Input variables
on page 16 for the information you will need to follow this procedure.

About this task

In this task, you will create the virtual network, a management subnet and all additional subnets on
which you will deploy the SIMPL VM. You will then create network security groups (NSGs) and rules
required to firewall your subnets. See:

1. Prepare your Azure virtual network and subnets on page 21

2. Create network security groups and rules on page 22.

Note:

The VNet created here must be shared by all products managed by the SIMPL VM.

Prepare your Azure virtual network and subnets

Create a VNet by following the Create a virtual network section in Quickstart: Create a virtual
network using the Azure portal (Azure Virtual Network documentation). Set the following additional
configuration:

1. In the Basics tab:

• Under Resource Group, select Create new. Set the resource group name to
VNET_RESOURCE_GROUP.
• Set the VNet name to VNET_NAME.

3 Deploying the SIMPL VM 21

 SIMPL VM Deployment Guide (Azure) (V6.11.0) CONFIDENTIAL

• Set the region to REGION_PORTAL.

2. In the IP Addresses tab:

• Create the IP address space as required by VNET_CIDR.

• Select Add subnet. Create a management subnet with the required address range from
MGMT_SUBNET_CIDR and name MGMT_SUBNET_NAME.
• Delete the default subnet if there is one.
• Create all additional subnets that your deployment requires.
3. In the Security tab, skip any steps to configure a Bastion host. Instead of Bastion, we recommend
setting up a VPN Gateway for that purpose; this will be covered in Initial configuration on page
30.

Note:

If you have multiple regions for redundancy, you can have VNets in each region and VNet Peering
between them (see Virtual network peering in the Azure Virtual Network documentation).

Create network security groups and rules

You must create network security groups (NSGs) with a set of NSG rules to fit your networking needs
for each subnet. Your NSG rules will need to firewall traffic according to the requirements listed
in Firewall configuration and connectivity on page 9 and in the equivalent documentation for each
product the SIMPL VM manages.

Note:

You should create two rules that disallow all traffic, inbound and outbound, with high numbers for
their PRIORITY parameter. All subsequent rules allowing traffic must have lower PRIORITY values.

To create an NSG using the Azure portal, see Tutorial: Filter network traffic with a network security
group using the Azure portal in the Azure Virtual Network documentation and complete the following
steps:

1. Create a network security group

2. Associate network security group to subnet (if you have chosen the recommended approach of
having a single network security group per subnet)
3. Create security rules
4. Repeat this for each subnet (or each VNF and SIMPL VM if you have decided to have a separate
security group for each VNF and SIMPL VM).

To create an NSG using the Azure CLI:

1. Start the Azure CLI and sign in using your Azure credentials:

az login

2. For each network security group you want to create:

22 3 Deploying the SIMPL VM

 CONFIDENTIAL SIMPL VM Deployment Guide (Azure) (V6.11.0)

a. Create the NSG:

az network nsg create \

--resource-group "$VNET_RESOURCE_GROUP" \
--name "$NSG_NAME"

b. If you are creating NSGs per subnet (rather than per VNF), associate the NSG with the subnet:

az network vnet subnet update \

--resource-group "$VNET_RESOURCE_GROUP" \
--name "$MGMT_SUBNET_NAME" \
--vnet-name "$VNET_NAME" \
--network-security-group "$NSG_NAME"

If you are creating the NSGs per VNF, make a note of their names. You will need them later for
preparing your Solution Definition File (SDF).
c. Create each rule and apply it to this NSG:

az network nsg rule create \

--resource-group "$VNET_RESOURCE_GROUP" \
--name "$RULE_NAME" \
--nsg-name "$NSG_NAME" \
--priority "$PRIORITY" \
--protocol "$PROTOCOL" \
--direction "$DIRECTION" \
--source-address-prefixes "$SOURCE_CIDR" \
--destination-address-prefixes "$DESTINATION_CIDR" \
--destination-port-ranges "$DESTINATION_PORT_RANGE" \
--access "$RULE_ACCESS"

Results

You have created all the VNets, subnets and NSGs required to deploy the SIMPL VM.

What to do next

Complete the additional pre-deployment steps. See Preparing for deployment - storage, access and
encryption on page 23.

3.2.3 Preparing for deployment - storage, access and encryption

Before you begin

You will need:

• An azure subscription.
• Azure credentials with Owner permissions. Alternatively, you will need the User Access
Administrator role for creating a managed identity and the Contributor role for all the other steps in
this section.
• Azure CLI installed.
• The SIMPL VHD file available in the environment where you will run the Azure CLI.

3 Deploying the SIMPL VM 23

 SIMPL VM Deployment Guide (Azure) (V6.11.0) CONFIDENTIAL

• The SIMPL ARM identity template and parameters file (simpl_identity_params.json and
simpl_identity_template.json) available in the environment where you will run the Azure
CLI.
• Access to OpenSSH.

Refer to the Variables needed for setting up the SIMPL VM storage, access and encryption you
determined in Input variables on page 16 for the information you will need to follow this procedure.

About this task

In this task, you will create a storage account and container to store your SIMPL VM image, configure
a managed identity to handle user authentication in Azure, generate key pairs to set up SSH access
to the SIMPL VM, and configure disk encryption. See:

1. Create a storage account and blob container in Azure on page 24

2. Upload the SIMPL VM image on page 25
3. Create a managed identity on page 25
4. Create the SSH key pairs on page 26
5. Enable encryption at host on page 27
6. Optionally, create Azure Disk Encryption Sets on page 27.

Create a storage account and blob container in Azure

You will need to create a storage account and a container resource to store your SIMPL VM image.

1. Create a storage account by following Create a storage account in the Azure Blob Storage
documentation. Set the following additional configuration:

a. In the Basics tab:

• Under Resource Group, select Create new. Set the resource group name to
IMAGE_RESOURCE_GROUP.
• Set the storage account name to STORAGE_ACCOUNT_NAME.
• Set the region to REGION_PORTAL.
• Under Performance, select standard.
• Under Redundancy, select Locally-redundant storage.
b. In the Advanced tab, select Enable storage account key access and any additional options
that your deployment requires.
c. In the Networking tab, select Enable public access from selected virtual networks and IP
addresses.
d. In the Data protection tab, select any additional options that your deployment requires.
2. Configure your storage account to allow access from the management VNet and your IP address:

a. Navigate to the new storage account resource.

b. In the left pane, select Networking.
c. In the Firewalls and virtual networks tab, under Virtual networks, select Add existing
virtual network.

24 3 Deploying the SIMPL VM

CONFIDENTIAL SIMPL VM Deployment Guide (Azure) (V6.11.0)

d. From the Virtual networks and Subnets drop-down menus, select the VNet and management
subnets you created in Preparing for deployment - networks and security groups on page
21. Select Add. This ensures SIMPL VM can access the storage account.
e. Under Firewall, add your IP address or range. This will allow you to upload the SIMPL VM
image in the next step.
f. Save your changes.
3. Create a container for your SIMPL VM image:

a. Navigate to the new storage account.

b. Follow Create a container in the Azure Blob Storage documentation to create the container. Set
your container name to CONTAINER_NAME.
4. Retrieve the container image blob URL:

a. Navigate to the new container.

b. In the left pane, select Properties.
c. Note down the value under URL. This corresponds to the SIMPL_VHD_BLOB_URI value in
Input variables on page 16.

Upload the SIMPL VM image

To upload the SIMPL VM image to the storage account you created in the previous step:

1. Retrieve the keys for your storage account:

a. In the left menu of your storage account, select Access keys.

b. Select Show Keys.
c. Copy the value of one of the keys and store it in a secure location. This corresponds to the
STORAGE_ACCOUNT_KEY value in Input variables on page 16.
2. Start the Azure CLI and sign in using your Azure credentials:

az login

3. Upload the SIMPL VM VHD file:

az storage blob upload --container-name "$CONTAINER_NAME" \

--name "$VHD_FILENAME" --file "$VHD_FILENAME" \
--subscription "$SUBSCRIPTION_ID" \
--account-name "$STORAGE_ACCOUNT_NAME" \
--account-key "$STORAGE_ACCOUNT_KEY"

Create a managed identity

We recommend creating a user assigned managed identity to set up the SIMPL VM authentication on
Azure. Once configured, the authentication token that SIMPL VM uses to perform ARM actions will be
handled invisibly, without the need for tracking it in the secret store or SDF.

1. Create a resource group for your managed identity by following Create resource groups in the
Manage Azure resources documentation with the additional configuration:

• Set the resource group name to IDENTITY_RESOURCE_GROUP

3 Deploying the SIMPL VM 25

 SIMPL VM Deployment Guide (Azure) (V6.11.0) CONFIDENTIAL

• Set the resource group region to REGION_PORTAL.

2. Retrieve the simpl_identity_params.json and simpl_identity_template.json files.
3. Fill in the simpl_identity_params.json file with the input values you determined in Input
variables on page 16:

"parameters": {
"simplVmName": {
"value": "SIMPL_VM_NAME"
},
"identityRgName": {
"value": "IDENTITY_RESOURCE_GROUP"
},
"storageRgName": {
"value": "IMAGE_RESOURCE_GROUP"
},
"storageAccountName": {
"value": "STORAGE_ACCOUNT_NAME"
}
}

4. Using the Azure CLI, deploy the managed identity:

az deployment sub create \

--template-file simpl_identity_template.json \
--parameters simpl_identity_params.json \
--name "deployment_name" \
--location "$REGION_PORTAL"

where deployment_name is any unique string representing the deployment name in that region.

Note:

If you get an error stating that the managed identity could not be found, this may be due to a
propagation delay. Check the IDENTITY_RESOURCE_GROUP resource group; if the managed
identity is there, re-run this command and it should now find the managed identity.

5. Retrieve the managed identity resource ID:

a. Navigate to the new managed identity resource.

b. In the Overview tab, select JSON View.
c. Note down the value under id. This corresponds to the IDENTITY_RESOURCE_ID value in
Input variables on page 16.

Create the SSH key pairs

SIMPL VM has three users with different levels of permissions: admin, lifecycle-mgmt, and
secrets-mgmt (see User access on page 13). You will need keys for each user type to allow SSH
access to the SIMPL VM.

For each user type:

1. Using OpenSSH, generate a new RSA public/private key pair:

ssh-keygen -t rsa -m pem -C "keypair_name" -b 4096
where keypair_name is a unique alphanumeric string to represent the key pair.

26 3 Deploying the SIMPL VM

CONFIDENTIAL SIMPL VM Deployment Guide (Azure) (V6.11.0)

2. When prompted to provide a passphrase, press enter twice to generate a private key without a
passphrase. SIMPL does not support the use of private keys with passphrases.
3. Save the keys that the command generates (the private key keyfilename and the corresponding
public key keyfilename.pub).
4. Open keyfilename.pub and note down its content. This corresponds to
the ADMIN_PUBLIC_SSH_KEY, LIFECYCLEMGMT_PUBLIC_SSH_KEY or
SECRETSMGMT_PUBLIC_SSH_KEY value in Input variables on page 16 (for the admin,
lifecycle-mgmt, and secrets-mgmt users respectively).

Enable encryption at host

Encryption at host offers an extra layer of encryption to the SIMPL VM and the traffic between the VM
and disks. Once you allow encryption at host on your Azure subscription, SIMPL VM will attempt to
deploy VMs with this feature enabled.

To update your Azure subscription to allow encryption at host, follow the Prerequisites section in
Enable end-to-end encryption using encryption at host in the Azure Virtual Machines documentation.

Optionally, create Azure Disk Encryption Sets

We recommend using the default platform-managed keys to encrypt the SIMPL VM OS and CSAR
data disks. If you are using platform-managed keys, you can skip this step.

If you want to encrypt the SIMPL VM disks with a customer-managed key, you will need to create a
Disk Encryption Set for each key you want to use. You can either use the same key for both disks or
have a separate key for each disk.

1. Create and configure a key vault by following Creating and configuring a key vault for Azure Disk
Encryption in the Azure Virtual Machines documentation.
2. Follow Use the Azure portal to enable double encryption at rest for managed disks in the Azure
Virtual Machines documentation to create a Disk Encryption Set. Note:

• You can use the same Disk Encryption Set for the OS and CSAR data disks or create a
separate Set for each.
• Under Encryption type, we recommend selecting Double encryption with platform-
managed and customer-managed keys. You can select a different encryption type if another
option is better suited for your deployment.

Results

You have completed the pre-deployment steps required to deploy the SIMPL VM.

What to do next

Deploy the SIMPL VM - see Deploying the SIMPL VM on page 28.

3 Deploying the SIMPL VM 27

 SIMPL VM Deployment Guide (Azure) (V6.11.0) CONFIDENTIAL

3.2.4 Deploying the SIMPL VM

Before you begin

You will need:

• An Azure subscription.
• Azure credentials with Contributor or Owner permissions.
• Azure CLI installed.
• The SIMPL ARM templates and parameters file (simpl_image_template.json,
simpl_vm_template.json, simpl_image_parameters.json and
simpl_vm_parameters.json) available in the environment where you will run the Azure CLI.

About this task

To deploy the SIMPL VM, you will need to fill in ARM parameters files with the parameters you
determined in Input variables on page 16. You will then use the Azure CLI to deploy the image and
VM templates for the actual deployment.

Create the SIMPL VM

1. Create a resource group for your SIMPL VM by following Create resource groups in the Manage
Azure resources documentation with the additional configuration:

• Set the resource group name to SIMPL_VM_RESOURCE_GROUP

• Set the resource group region to REGION_PORTAL.
2. Retrieve the SIMPL VM ARM templates and parameters files.
3. Fill in the image parameters file simpl_image_params.json with the input values you
determined in Input variables on page 16:

"parameters": {
"simplVhdBlobUri": {
"value": "SIMPL_VHD_BLOB_URI"
},
"imageName": {
"value": "IMAGE_NAME"
},
"imageLocation": {
"value": "REGION_ARM"
}
}

Fill in the VM parameters file simpl_vm_params.json with the input values you determined in
Input variables on page 16:

"parameters": {
"simplVmName": {
"value": "SIMPL_VM_NAME"
},
"simplVmUserAssignedIdentityResourceId": {
"value": "IDENTITY_RESOURCE_ID"
},
"imageResourceGroup": {

28 3 Deploying the SIMPL VM

CONFIDENTIAL SIMPL VM Deployment Guide (Azure) (V6.11.0)

"value": "IMAGE_RESOURCE_GROUP"
},
"imageName": {
"value": "IMAGE_NAME"
},
"simplVmDiskSizeGiB": {
"value": 128
},
"azureDeployLocation": {
"value": "REGION_ARM"
},
"vnetResourceGroup": {
"value": "VNET_RESOURCE_GROUP"
},
"vnetName": {
"value": "VNET_NAME"
},
"subnetName": {
"value": "MGMT_SUBNET_NAME"
},
"managementIp": {
"value": "MANAGEMENT_IP"
},
"sshPublicKeyAdmin": {
"value": "ADMIN_PUBLIC_SSH_KEY"
},
"sshPublicKeySecretsMgmt": {
"value": "SECRETSMGMT_PUBLIC_SSH_KEY"
},
"sshPublicKeyLifecycleMgmt": {
"value": "LIFECYCLEMGMT_PUBLIC_SSH_KEY"
},
"persistentDiskEncryptionSetName": {
"value": "PERSISTENT_DISK_ENCRYPTION_SET_NAME"
},
"persistentDiskEncryptionSetRG": {
"value": "PERSISTENT_DISK_ENCRYPTION_SET_RG"
},
"osDiskEncryptionSetName": {
"value": "OS_DISK_ENCRYPTION_SET_NAME"
},
"osDiskEncryptionSetRG": {
"value": "OS_DISK_ENCRYPTION_SET_RG"
},
"remoteSyslogServerIp": {
"value": "RSYSLOG_SERVER_IP"
},
"remoteSyslogServerPort": {
"value": "RSYSLOG_SERVER_PORT"
},
"simonMgmtIp": {
"value": "SIMON_MGMT_IP"
},
"fluentdServerAddresses": {
"value": "FLUENTD_SERVER_ADDRESSES"
}
}

Note the following:

• simplVmName must match the name used for the managed identity created in Preparing for
deployment - storage, access and encryption on page 23.
• simplVmDiskSizeGiB has a default value of 128. Do not change this unless instructed by
your product documentation.

3 Deploying the SIMPL VM 29

 SIMPL VM Deployment Guide (Azure) (V6.11.0) CONFIDENTIAL

• fluentdServerAddresses must be in the following format:

"value": ["10.0.0.1","10.0.0.2"]

4. Save a copy of simpl_image_params.json and simpl_vm_params.json to a secure

location. You will need them in the future to upgrade your SIMPL VM.
5. Start the Azure CLI and sign in using your Azure credentials:

az login

6. Deploy the image template to create an Azure image from your VHD:

az deployment group create \

--resource-group "$IMAGE_RESOURCE_GROUP" \
--template-file simpl_image_template.json \
--parameters simpl_image_params.json

7. Deploy the VM template:

az deployment group create \

--resource-group "$SIMPL_VM_RESOURCE_GROUP" \
--template-file simpl_vm_template.json \
--parameters simpl_vm_params.json

Backout

1. In the Azure portal, navigate to the SIMPL_VM_RESOURCE_GROUP resource group.

2. Select the SIMPL_VM_NAME virtual machine resource. The Private IP address under
Networking should match the managementIp parameter in your simpl_vm_params.json file.
3. Select Delete from the top menu.
4. In the pop-up window, under Delete with VM, check OS disk, Data disks and Network
interfaces. Check the confirmation box and select Delete.
5. Wait for the notification indicating the delete has been successful.

Results

You have deployed your SIMPL VM.

What to do next

Configure and verify the SIMPL VM - see Initial configuration on page 30.

3.3 Initial configuration

Once you have installed the SIMPL VM, you must perform some initial configuration.

Network security groups

If you followed the recommendation to associate a single NSG to your management subnet, SIMPL
VM will be firewalled by the NSG without any further action.

30 3 Deploying the SIMPL VM

 CONFIDENTIAL SIMPL VM Deployment Guide (Azure) (V6.11.0)

If you decided to create a separate NSG for the SIMPL VM, you need to associate the VM to the
NSG:

1. In the Azure portal, navigate to the SIMPL_VM_RESOURCE_GROUP resource group.

2. Find the regular network interface resource SIMPL_VM_NAME_network and select it.
3. From the left pane, select Network security group.
4. From the Network security group drop-down, select the NSG you created for SIMPL VM.
5. Select Save.

VPN
Set up an Azure VPN Gateway to provide a way for your support representative to access the SIMPL
VM. We recommend setting up certificate-based point-to-site configuration by following Configure a
Point-to-Site VPN connection using Azure certificate authentication: Azure portal, with the additional
notes:

• You can skip the Create a VNet step and go straight to Create the VPN gateway.
• When creating the VPN gateway, in the Basics tab, under Instance details, set the SKU field as:

• VpnGw1AZ for production environments

• VpnGw1 for non-production environments.

Alternatively, you can select the gateway that best suits your deployment and networking
requirements; see the Azure VPN Gateway documentation.

Verify your deployment

Note:

The setup process may still be running. If any verification steps fail, try waiting another 5-10
minutes before repeating the verification step.

If errors persist for any verification steps, refer to Backout in Deploying the SIMPL VM on page
28.

To verify if the SIMPL VM has been created correctly:

1. Open an SSH connection to the management IP address of your SIMPL VM and log in as the
admin user using your private key. Confirm the command prompt is available.
2. Run simpl-setup-complete and confirm that it reports that first time install is complete.

• You can check the progress in more detail by running sudo journalctl -u
simpl_startup
3. Check that the csar --help command executes successfully.
4. Run csar secrets check-backend-connectivity and confirm that it reports success. It
may take a few minutes for secret store setup to complete. If csar secrets check-backend-
connectivity does not succeed on the first attempt, wait five minutes and retry.

3 Deploying the SIMPL VM 31

 SIMPL VM Deployment Guide (Azure) (V6.11.0) CONFIDENTIAL

3.4 Change SSH timeout according to security policy

By default, the SSH connection to a SIMPL VM times out after 5 minutes of inactivity, which is
implemented as a default best security practice. If this is not in accordance with your security policy,
you can manually change the timeout.

Note that some commands run on the SIMPL VM can run for several minutes, where the duration
increases with the number of VNFs you are interacting with. If commands run longer than the SSH
timeout, your connection will be terminated. To prevent this from happening you can increase the SSH
connection timeout to a conveniently high value, if your security policy allows this. Additionally, the
SIMPL VM uses the Linux screen tool (as described in Using the screen command for long running
actions on page 40) to allow commands to continue running if your connection is terminated.

Using your private key, log in to the SIMPL VM over SSH as the admin user.

To change the SSH timeout run set-ssh-timeout <timeout in seconds>, where you need to
provide a timeout larger or equal to 60 seconds.

3.5 Configuring syslog support over TLS

Note:

The following configuration does not persist over upgrade and will need to be re-applied after each
upgrade.

The following steps configure SIMPL VM to use syslog over TLS. We recommend configuring syslog
over TLS if your remote syslog server supports it.

If you configured the rsyslog server without TLS during installation, you can follow this procedure to
reconfigure it.

SIMPL VM also supports syslog over UDP - see Syslog audit logging on page 12.

This procedure is expected to take 10 minutes and does not need to be done during a maintenance
window.

Configure syslog
1. Using your private key, log in to the SIMPL VM over SSH as the admin user.
2. Append the following to /etc/vm_config.yaml below all existing configuration.
remote_syslog should not be indented. If the file does not exist, create it with just the following
configuration:

remote_syslog:
address: "address"
port: "port"
filters:
- "$programname == 'audispd'"
- "$syslogfacility-text == 'authpriv'"
tls_ca_cert: "/etc/certs-agent/upload/syslog_server_ca.pem"

32 3 Deploying the SIMPL VM

CONFIDENTIAL SIMPL VM Deployment Guide (Azure) (V6.11.0)

tls_client_cert: "/etc/certs-agent/upload/syslog_client_cert.pem"
tls_client_key: "/etc/certs-agent/upload/syslog_client_key.pem"

• address is the management FQDN address as a string of the remote syslog server
and must be provided to use rsyslog. This will have already been set if you filled in the
remote_syslog_server_address field when deploying the SIMPL VM.

Attention:

Using an IP address for address will result in an error for syslog over TLS. You must use an
FQDN.

• port is the port of the rsyslog server as a string, it defaults to 514 and must be a valid port
(number from 0->65535). The rsyslog server must expect traffic on this port. This will have
already been set if you filled in the remote_syslog_server_port field when deploying the
SIMPL VM.
• tls_ca_cert is only required if TLS-encrypted TCP is to be used. The certificate must specify
the FQDN of the remote syslog server, either in its SAN DNS names or CN. Create a new file
containing the key at the specified path. You may need to create the directories for this path. If
you are not using TLS-encryped TCP, remove this line.
• tls_client_cert and tls_client_key are only required for mutual TLS (and should both be
provided or neither). If they are not provided, server-only authentication will be used. These
can only be provided if tls_ca_cert is. If providing the certificate and key, new files should be
created at the paths you specified in vm_config.yaml containing the certificate and key. If
you are not using mutual TLS, remove these lines.
• filters are required and it is not expected they are required to be changed. Please check with
your support representative before changing these.
3. Generate the configuration file:
sudo generate_config --templates /etc/templates/etc/rsyslog.d/ --
settings /etc/vm_config.yaml --destination /etc/rsyslog.d/
4. Add audit logging to the syslog configuration:
sudo /usr/sbin/set_audit_rules --enable-syslog admin secrets-mgmt
lifecycle-mgmt
• If you have specified a DNS server when deploying SIMPL, verify that the FQDN resolves to the
IP address of the remote syslog server by running the following:
nslookup syslog_fqdn_address
This should print out the IP address of the remote syslog server. If the server could not find the
address, the FQDN needs to be added to the DNS server's records.

• If you do not have a DNS server, open the hosts file at the path /etc/hosts (requires sudo
access) and add the following line to the end of the file:
syslog_ip_address syslog_fqdn_address
where syslog_ip_address is the IP address of your syslog server and syslog_fqdn_address
is the FQDN for the syslog server that appears in /etc/vm_config.yaml . This will allow you
to resolve the address without a DNS server.

3 Deploying the SIMPL VM 33

 SIMPL VM Deployment Guide (Azure) (V6.11.0) CONFIDENTIAL

5. Restart the rsyslog service to pick up the configuration changes:

sudo service rsyslog restart

Verification
• Check the rsyslog has started successfully:
sudo systemctl status rsyslog.service
The output should include Active: active (running).
• Check that rsyslog is picking up the logs and commands being run on the VM as expected.

Backout process
• Remove the remote_syslog section you added to /etc/vm_config.yaml , or delete the file if
remote_syslog is the only configuration in the file.
• Run sudo rm /etc/rsyslog.d/remote_syslog.conf
• Run sudo /usr/sbin/set_audit_rules admin
• Run sudo service rsyslog restart

34 3 Deploying the SIMPL VM

 CONFIDENTIAL SIMPL VM Deployment Guide (Azure) (V6.11.0)

4 Managing the SIMPL VM

For information on managing your SIMPL VM, see:

• Upgrading or recovering the SIMPL VM on Azure on page 35

• Using the screen command for long running actions on page 40
• Resizing disks on Azure on page 41
• Destroying the SIMPL VM on page 44.

4.1 Upgrading or recovering the SIMPL VM on Azure

Before you begin

You will need:

• An azure subscription.
• Azure credentials with Contributor permissions or above.
• Azure CLI installed.
• The latest SIMPL VHD file (to which you want to upgrade) available in the environment where you
will run the Azure CLI.
• The SIMPL ARM templates (simpl_image_template.json and simpl_vm_template.json)
for the up-level version, the parameters files (simpl_image_params.json and
simpl_vm_params.json) for the up-level version, and the parameters file that was used to
deploy the SIMPL VM originally. All templates and files must be available in the environment where
you will run the Azure CLI.

Make sure that the version of this documentation matches the image version used by the new SIMPL
VM you are deploying using this procedure.

About this task

This task upgrades a SIMPL VM on Azure to a new version by reinstalling it. You can also use this
task to change configuration on the SIMPL VM (without upgrading) or restore the SIMPL VM after a
failure.

The SIMPL VM holds some state about the products it manages (such as CSARs and VNFDs). This
state is stored on a separate volume, so you can recover it after reinstallation.

This task does not require a maintenance window; however, you should not use the SIMPL VM to
perform any operations on your deployment until it is complete.

Expected time to run this procedure: 30 minutes

Expected time to revert this procedure: 10 minutes

4 Managing the SIMPL VM 35

 SIMPL VM Deployment Guide (Azure) (V6.11.0) CONFIDENTIAL

Check CSAR compatibility (upgrade only)

If you are upgrading to a new SIMPL VM version, you must confirm your down-level CSARs are
compatible with the up-level SIMPL VM.

Run simpl-version to get a list of your CSAR versions. Ask your support representative if these
are compatible with the up-level SIMPL VM.

Note:

A SIMPL VM on version A.B.C supports CSARs from version A.0.0 to A.B.X. In particular that
means that it does not support a CSAR on version A.B+1.X.

For example: A SIMPL VM on version 1.2.3 supports CSARs 1.0.0, 1.0.15, 1.1.0, 1.2.999. It does
not support 0.9.9, 1.3.0 or 2.0.0.

If all your CSARs are incompatible with the up-level SIMPL VM, there is no reason to follow this
procedure, as the CSARs stored on the separate volume are not useful and will need to be replaced.
You should just delete your old SIMPL VM and start again, replacing it with a new SIMPL VM
following Deploying SIMPL on Azure on page 16.

Prepare for SIMPL VM upgrade or recovery

Take backup copies of files

Any resources in /home/admin/ not in the ~/sdfs or ~/persistent_dir directories will not be
retained through upgrade. If you need these resources, manually back them up by copying them to an
external location.

The contents of the secret store are retained while you update the SIMPL VM. However, we
recommend taking a backup of the secret store by following Taking a backup of the secret store in
the SIMPL VM Product Deployment and Management Guide. This will allow you to restore the secret
store to its pre-update state in the rare case of a failure.

Note:

• Unpacked CSARs (including the output of CSAR commands), and copies of SDFs that have been
used via csar tooling will be transferred to the new VM during the update.
• Any resources that are stored in the ~/sdfs or ~/persistent_dir directories (including those
referenced by file path in the SDF (e.g. DCM tokens)) are retained when you update the SIMPL
VM.

Gather diagnostics from old VM

SSH into the SIMPL VM, run csar gather-diags, wait for the process to complete, then retrieve
the diagnostics package from the SIMPL VM before you begin. See Troubleshooting the SIMPL VM
on page 47.

36 4 Managing the SIMPL VM

CONFIDENTIAL SIMPL VM Deployment Guide (Azure) (V6.11.0)

Upload the SIMPL VM VHD to blob storage (upgrade only, or if old image resource and
blob have been lost)

1. Retrieve the keys for your storage account:

a. In the left menu of your storage account, select Access keys.

b. Select Show Keys.
c. Copy the value of one of the keys and store it in a secure location. This corresponds to the
STORAGE_ACCOUNT_KEY value in Input variables on page 16.
2. Ensure that the IP address you are using is allowed to contact the storage account:

a. Navigate to your storage account resource.

b. From the left menu, select Networking.
c. In the Firewalls and virtual networks tab, check if access from your IP address is allowed. If
not, add it and save your changes.
3. Sign in to the Azure CLI using your Azure credentials:

az login

4. Upload the SIMPL VM VHD file:

az storage blob upload --container-name "$CONTAINER_NAME" \

--subscription "$SUBSCRIPTION_ID" --name "$VHD_FILENAME" \
--file "$VHD_FILENAME" --account-name "$STORAGE_ACCOUNT_NAME" \
--account-key "$STORAGE_ACCOUNT_KEY"

Prepare your ARM parameters

1. Retrieve the SIMPL VM ARM templates and parameters files.

2. Refer to the release note for any changes in the ARM templates and parameters and update the
parameters files accordingly.
3. Update simpl_image_params.json and the corresponding variables in Input variables on page
16 with the up-level values:

"parameters": {
"simplVhdBlobUri": {
"value": "SIMPL_VHD_BLOB_URI"
},
"imageName": {
"value": "IMAGE_NAME"
}
}

Also update simpl_vm_params.json with the up-level value:

"parameters": {
"imageName": {
"value": "IMAGE_NAME"
}
}

Note the following:

• simplVhdBblobUri is the blob URI for the up-level VHD you uploaded in the previous step.

4 Managing the SIMPL VM 37

 SIMPL VM Deployment Guide (Azure) (V6.11.0) CONFIDENTIAL

• imageName is the updated name for the up-level SIMPL VM image. This must be different to
the name previously used in this field for the down-level SIMPL VM image.
• The simplVmName value must not be changed, otherwise the existing persistent disk will not
be reattached to the new VM.
4. Save copies of the updated parameters files to a secure location.

Upgrade or recover the SIMPL VM

1. SSH into the SIMPL VM and run csar list. Confirm that this command completes successfully
and outputs the expected list of CSARs. Take a copy of this list to compare with during verification
of this procedure.

Run csar secrets status. Confirm that this command completes successfully and outputs
the expected list of secrets. Take a copy of this list to compare with during verification of this
procedure.
2. Sign in to the Azure CLI (not from the SIMPL VM) using your Azure credentials:

az login

3. If upgrading, deploy the image template to create an Azure image from your VHD:

az deployment group create \

--resource-group "$IMAGE_RESOURCE_GROUP" \
--template-file simpl_image_template.json \
--parameters simpl_image_params.json

4. In the Azure portal, navigate to the SIMPL_VM_RESOURCE_GROUP resource group.

5. Select the SIMPL_VM_NAME virtual machine resource. The Private IP address under
Networking should match the managementIp parameter in your simpl_vm_params.json file.
6. Select Delete from the top menu on the blade for the SIMPL VM resource.
7. In the pop-up window, under Delete with VM, check OS disk and Network interfaces, but ensure
that Data disks is unchecked. Check the confirmation box and select Delete.
8. Wait for the notification indicating the delete has been successful.
9. Go back to the resource group for your SIMPL VM and refresh the view. You should only be able
to see the data disk and network.
10.Deploy the VM template:

az deployment group create \

--resource-group "$SIMPL_VM_RESOURCE_GROUP" \
--template-file simpl_vm_template.json \
--parameters simpl_vm_params.json

Verification
1. Log in to the SIMPL VM over SSH as the admin user. Confirm the command prompt is available.
2. Run simpl-setup-complete and confirm that the new SIMPL VM has completed its setup
process.
3. Run csar list and confirm that the all CSARs stored on the previous SIMPL VM are listed.

38 4 Managing the SIMPL VM

 CONFIDENTIAL SIMPL VM Deployment Guide (Azure) (V6.11.0)

4. Run csar secrets status and confirm that all the secrets stored on the previous SIMPL VM
are listed. The secret store may take a few minutes to start up after upgrade; if the command does
not succeed on the first attempt, wait five minutes and retry.

Troubleshooting
See Managing deployment secrets in the SIMPL VM Product Deployment and Management Guide
for instructions on restoring a backup of the secret store or adding secrets using the CSAR CLI if any
secrets are missing after upgrading or restoring your SIMPL VM.

Post-verification steps

Restore backup copies of files

1. If you want to reuse any saved SDFs, copy them from ~/.local/share/csar/latest_sdfs/
to your working directory.

Note:

A copy of your SDF is saved off to the SIMPL VM's external disk every time you run csar
deploy, csar update, csar heal, or csar import.

To retrieve an SDF, run cdcsars to go to your CSAR home directory, then run cd
archived_sdfs. SDFs are saved off under the directory matching the date when one of the
SDF-saving CSAR commands was run. The filename is appended with the time when the SDF-
saving command was run, represented as an integer.

2. If you manually backed up resources that are referenced in the SDF by file path, copy these files
into the same directory as your restored SDFs.
3. Restore any further files that you manually backed up.

The following are preserved over SIMPL VM updates and do not need to be restored (except in the
rare case of a failure):

• Unpacked CSARs (including the output of CSAR commands)

• The secret store.

Attention:

Restoring secret store backups from SIMPL VM pre-V6.9.0 on post-V6.9.0 versions of SIMPL VM
is not supported using csar secrets restore. Backups taken on a V6.8 SIMPL VM before
upgrading to V6.9.0+ must only be used to restore the secret store after backing out the upgrade.

If you need to restore a pre-V6.9.0 backup file on a post-V6.9.0 SIMPL VM, contact your support
representative.

Update your SDF where necessary

If you have upgraded SIMPL VM or updated your CSARs, you may need to update your SDF to match
the YAML schema for the new versions. Check the SIMPL VM release note for your target release or

4 Managing the SIMPL VM 39

 SIMPL VM Deployment Guide (Azure) (V6.11.0) CONFIDENTIAL

ask your support representative if this is required. If it is, follow Upgrading an SDF in the SIMPL VM
Product Deployment and Management Guide.

Set SSH timeout

The SSH connection timeout is not preserved over upgrade and will be reset to the default of 5
minutes. If you want to change it, follow the instructions at Change SSH timeout according to security
policy on page 32.

Backout
If you encountered any errors, you must backout the procedure by deleting the new VM and re-
deploying the old VM.

1. Retrieve the old ARM templates and parameters file.

2. Delete the SIMPL VM virtual machine and OS disk, as you did in Upgrade or recover the SIMPL
VM on page 38.
3. Recreate the old SIMPL VM using the old template and parameters file:

az deployment group create \

--resource-group "$SIMPL_VM_RESOURCE_GROUP" \
--template-file simpl_vm_template.json \
--parameters simpl_vm_params.json

4. Verify the health of the SIMPL VM (per Verification on page 38).

• If csar secrets status is not listing the expected secrets, restore the secrets backup file
taken at the beginning of the upgrade process. For instructions, see Restoring a backup of the
secret store in the SIMPL VM Product Deployment and Management Guide.
• Run csar secrets status again and confirm that all the secrets stored on the previous
SIMPL VM are listed.
5. Restore backed up copies of files (see Restore backup copies of files on page 39).

Results
You have upgraded, recovered or updated configuration on the SIMPL VM.

4.2 Using the screen command for long running actions

screen is a standard Linux utility that can be used to run processes in the background and bring
them back to the foreground.

For security, the SIMPL VM has an SSH timeout of 5 minutes. It automatically uses the screen utility
to ensure any csar or solution-bundle command is not terminated (by keeping it running in the
background) if your connection expires or goes down for any other reason.

40 4 Managing the SIMPL VM

 CONFIDENTIAL SIMPL VM Deployment Guide (Azure) (V6.11.0)

Reattaching to an existing screen session

If your connection to the SIMPL VM is lost, whether intentionally or not, while running a csar or
solution-bundle command, you can reattach to the session to continue monitoring the output of
the command as follows:

1. Using your private key, log in to the SIMPL VM over SSH as the admin user.
2. The names of any disconnected sessions will be automatically listed on login. Each session name
consists of the command and subcommand being run in that session, together with a timestamp
of when the command was executed. For convenience, the full command (with all the parameters
specified) is also provided. For example:

Disconnected sessions:
- csar-deploy-2021-09-28-16-07-56 (command: csar deploy --sdf sdf-
sas.yaml)
- csar-deploy-2021-09-28-16-07-27 (command: csar deploy --sdf sdf-
eas.yaml)

3. To reconnect to a session, run screen -r Session Name

4. The screen session will automatically terminate once the command being run completes, unless
you reconnected after it completed, in which case type exit to terminate it. You can then continue
to use the CLI as normal.

Scrolling in a reattached screen session

Once reconnected to a screen session, you may need to scroll to view older output logged to the
terminal by the SIMPL VM. You can do this as follows:

• Press ctrl+a. Release the keys.

• Press Escape.
• Use the arrow keys to navigate up and down.
• When finished, press q or Escape to navigate back to the most recently logged text.

4.3 Resizing disks on Azure

Before you begin

You will need:

• An azure subscription.
• Azure credentials with Contributor permissions or above.
• Azure CLI installed.
• The SIMPL ARM template and parameters file that you used to deploy the SIMPL VM
(simpl_vm_template.json and simpl_vm_params.json) available in the environment
where you will run the Azure CLI.

4 Managing the SIMPL VM 41

 SIMPL VM Deployment Guide (Azure) (V6.11.0) CONFIDENTIAL

About this task

If your persistent disk is full and you are unable to remove old CSARs, use this procedure to resize
your disk. You will need to back up your deployment information, modify the ARM parameters file, and
redeploy the SIMPL VM.

Attention:

You can increase the disk size, but not decrease it; therefore, you should consider costs before
following this procedure. See Azure managed disk types | Billing in the Azure Virtual Machines
documentation for disk management billing considerations.

This task does not require a maintenance window; however, you should not use the SIMPL VM to
perform any operations on your deployment until it is complete.

Expected time to run this procedure: 30 minutes

Expected time to revert this procedure: 10 minutes

Prepare backup files and diagnostics

Take backup copies of files

Unpacked CSARs (including the output of csar commands) and copies of SDFs that have been used
via csar tooling will be transferred to the new VM as part of this process.

Any resources that are stored in the ~/sdfs or ~/persistent_dir directories (including those
referenced by file path in the SDF (e.g. DCM tokens)) are retained when you update the SIMPL VM.

Any other resources in /home/admin/ not in the ~/sdfs or ~/persistent_dir directories will
not be retained through upgrade. If you need these resources, you should manually back them up (by
copying them to an external location).

Take a backup of the secret store

The contents of the secret store are retained while you update the SIMPL VM; however, we
recommend taking a backup of the secret store by following Taking a backup of the secret store in
the SIMPL VM Product Deployment and Management Guide. This will allow you to restore the secret
store to its pre-update state in the rare case of a failure.

Note:

Restoring secret store backups from SIMPL VM pre-V6.9.0 on post-V6.9.0 versions of SIMPL VM
is not supported using csar secrets restore. Backups taken on a V6.8.X SIMPL VM before
upgrading to V6.9.0+ must only be used to restore the secret store after backing out the upgrade.

If you need to restore a pre-V6.9.0 backup file on a post-V6.9.0 SIMPL VM, contact your support
representative.

42 4 Managing the SIMPL VM

 CONFIDENTIAL SIMPL VM Deployment Guide (Azure) (V6.11.0)

Resize the SIMPL VM disks

1. In the Azure portal, navigate to your SIMPL VM resource. Select Stop from the top menu to stop
the VM.
2. Retrieve the SIMPL VM ARM templates and parameters file, simpl_vm_params.json.
3. Save a backup copy of the simpl_vm_params.json file to a secure location.
4. Update the simplVmDiskSizeGiB field in the simpl_vm_params.json file with the new
required size DISK_SIZE:

"parameters": {
"simplVmDiskSizeGiB": {
"value": DISK_SIZE
}
}

5. In the Azure portal, navigate to the SIMPL_VM_RESOURCE_GROUP resource group.

6. Select the SIMPL_VM_NAME virtual machine resource. The Private IP address under
Networking should match the managementIp parameter in your simpl_vm_params.json file.
7. Start the Azure CLI and sign in using your Azure credentials:

az login

8. Deploy the VM template:

az deployment group create \

--resource-group "$SIMPL_VM_RESOURCE_GROUP" \
--template-file simpl_vm_template.json \
--parameters simpl_vm_params.json

9. In the Azure portal, navigate to your SIMPL VM resource. Select Start from the top menu.

Backout
If you encountered any errors, you must backout the procedure by redeploying the VM template using
the backed up copy of the simpl_vm_params.json file.

1. Retrieve the backed up ARM templates and parameters file.

2. Deploy the VM template:

az deployment group create \

--resource-group "$SIMPL_VM_RESOURCE_GROUP" \
--template-file simpl_vm_template.json \
--parameters simpl_vm_params.json

3. Verify the health of the SIMPL VM (per Verification in Upgrading or recovering the SIMPL VM on
Azure on page 35).

• If csar secrets status is not listing the expected secrets, restore the secrets backup file
taken at the beginning of the upgrade process. For instructions, see Restoring a backup of the
secret store in the SIMPL VM Product Deployment and Management Guide.
• Run csar secrets status again and confirm that all the secrets stored on the previous
SIMPL VM are listed.

4 Managing the SIMPL VM 43

 SIMPL VM Deployment Guide (Azure) (V6.11.0) CONFIDENTIAL

4. Restore backup copies of files (per Restore backup copies of files in Upgrading or recovering the
SIMPL VM on Azure on page 35).

4.4 Destroying the SIMPL VM

About this task

This task destroys a SIMPL VM and all data associated with it.

Attention:

You cannot revert this operation: if you destroy the VM in error, you will need to recreate it (see
Deploying SIMPL on Azure on page 16).

Attention:

Do not delete the SIMPL VM once you have started creating and managing deployments with it, as
it stores important running state which must not be lost

Expected time to run this procedure: 5 minutes

Destroy a SIMPL VM on Azure

Destroy the SIMPL VM and associated resources

Note:

You will need Azure credentials with Owner or Contributor privileges.

To destroy the SIMPL VM, its resource group, disks and network interfaces:

1. In the Azure portal, navigate to the SIMPL_VM_RESOURCE_GROUP resource group.

2. Select the SIMPL_VM_NAME virtual machine resource. The Private IP address under
Networking should match the managementIp parameter in your simpl_vm_params.json file.
3. Record the managed identity name and resource group:

a. From the left pane, select Identity.

b. Select the User assigned tab.
c. Select the user assigned managed identity resource.
d. Note down the managed identity name and resource group.
4. Navigate back to the SIMPL_VM_NAME virtual machine resource and select Overview from the
left pane.
5. Select Delete from the top menu.
6. In the pop-up window, under Delete with VM, check OS disk, Data disks and Network
interfaces. Check the confirmation box and select Delete.
7. Wait for the notification indicating the delete has been successful.

44 4 Managing the SIMPL VM

 CONFIDENTIAL SIMPL VM Deployment Guide (Azure) (V6.11.0)

Destroy the managed identity

Note:

You will need Azure credentials with Owner or User Access Administrator privileges.

If you do not want to reuse the managed identity with another SIMPL VM, you can destroy it along
with associated role assignments.

1. Navigate to the resource group containing the managed identity you noted above.
2. Select the managed identity.
3. From the left pane, select Azure role assignments.
4. For each resource name in the list of role assignments:

a. Select the resource name.

b. From the left pane, select Access control (IAM).
c. Select the Role Assignments tab.
d. Search for the name of the managed identity.
e. For each role assignment in the list, double check that its name corresponds to the expected
managed identity.
f. Select Remove.
5. Once you have removed all the Azure rule assignments, navigate back to the managed identity
resource and select Overview from the left pane.
6. Select Delete and confirm your choice.

Results
You have destroyed the specified SIMPL VM.

4 Managing the SIMPL VM 45

 SIMPL VM Deployment Guide (Azure) (V6.11.0) CONFIDENTIAL

5 Managing multiple sites

SIMPL VM can manage VNFs in multiple sites in two ways:

• If your sites are in different Azure regions, we recommend having multiple SIMPL VMs, one in
each site. Each SIMPL VM has its own site-specific SDF.
• If your sites are in the same Azure region (i.e. there is no region redundancy), you can include
multiple sites in the SDF and manage your deployment from a single SIMPL VM (with optional
backup SIMPL VMs for disaster recovery). Deploy and update commands can be run on a
particular site by specifying a sites parameter (see the documentation of each individual command
for details. A csar command reference can be found in CSAR commands on page 49).

Adding VNET peering for multiple sites

If you created different virtual networks for your different sites, you will need to set up VNet Peering
between the VNets for all traffic that needs to pass between them. You then need to apply network
security group rules to firewall this traffic for each subnet accordingly.

See Create, change, or delete a virtual network peering in the Azure Virtual Network documentation
for how to enable VNet peering between your virtual networks.

Multiple SIMPL VMs for disaster recovery

You can optionally deploy backup SIMPL VMs to support disaster recovery. You can have backup
SIMPL VMs ready with CSARs downloaded.

In normal usage all the commands must be run on the primary SIMPL VM, and the backups must not
be used.

Attention:

You must backup the SDF from the primary SIMPL VM to another secure location.

In the case of a disaster where the primary SIMPL VM is not recoverable, one of the backups may be
promoted to primary. (If the SIMPL VM is recoverable, you should instead follow Managing the SIMPL
VM on page 35 to recover it.) To do this:

1. Copy the up-to-date SDF (which must have been stored securely off the primary SIMPL VM) on to
the new primary SIMPL VM.
2. Download any missing CSARs required: Downloading CSARs in the SIMPL VM Product
Deployment and Management Guide.

You may then continue to use the new primary SIMPL VM as normal. If the old primary SIMPL VM is
then recovered it becomes a backup and must not be used for running commands.

46 5 Managing multiple sites

 CONFIDENTIAL SIMPL VM Deployment Guide (Azure) (V6.11.0)

6 Troubleshooting the SIMPL VM

Gather diagnostics
If you need to raise a ticket with your support representative, you can gather diagnostics from the
SIMPL VM by performing the following steps:

1. Using your private key, log in to the SIMPL VM over SSH as the admin user.
2. Run csar gather-diags to gather all relevant files and diagnostics into one package.
3. Once complete, the command will output the path to the generated package in the /var/
diags-package-manager/package/ directory. Retrieve this file and send it to your support
representative.

Failures during CSAR operations

If you experience failures while running csar deploy, csar update or csar validate:

• determine the identity of the VNFC that's not behaving as expected - which should be clear from
the output to screen and applicable logs,
• investigate that instance, to better understand the cause of the failure; this may require application-
specific troubleshooting advice, but checking that the VM exists with the right software image, and
has management IP connectivity, is likely a good starting point,
• once understood and resolved, re-run the operation, or follow the relevant Backout section if the
problem is unclear and demands further investigation.

A list of common errors is included below for further information.

Deploying or redeploying a subset of VMs

You can deploy or redeploy individual VMs by name (see Redeploying individual VMs in Deploying
a VNF from a CSAR in the SIMPL VM Product Deployment and Management Guide). You can also
deploy or redeploy larger subsets of VMs. It is not possible to destroy a subset of VMs within a service
group.

Attention:

Please heed any warnings shown when running the commands in this section. If in any doubt, the
cleanest way to fix up a faulty new deployment is to follow Redeploying or deleting all VMs in a
VNF in Deploying a VNF from a CSAR in the SIMPL VM Product Deployment and Management
Guide.

6 Troubleshooting the SIMPL VM 47

 SIMPL VM Deployment Guide (Azure) (V6.11.0) CONFIDENTIAL

Identify the VNF from the CSAR name. Identify the site, service group and index of the VMs to be
redeployed or deployed by finding the VNF in your SDF. These are referred to as VNF, SiteName,
ServiceGroupName and IndexRange in the instructions below.

The VM will be listed under the site and service group it is a part of, and will be referenced by name:

sites:
- name: my-site-name
vnfcs:
- type: my-vnfc
name: my-vnfc-group
cluster-configuration:
count: 2
instances:
- name: my-vm-name
- name: my-other-vm-name

In the above example, the site is my-site-name and the service group is mv-vnfc-group. The
index of the VM will be determined by which element of the instances list it is, with indexes starting
at 0. my-vm-name will have index 0 and my-other-vm-name will have index 1.

Note:

If your service group does not have an instances section, the index of your VM will be included in
the name of your VM. In this case, VM names will be made up of the service group name with the
index appended, for example my-vnfc-group-0.

Commands that you can run are:

• csar deploy --sdf PathToSDF --vnf VNF --sites SiteName --service-group

ServiceGroup --index-range IndexRange to retry deploying a range of instances that
failed to deploy. The IndexRange parameter must be a comma delimited list. Indexes start from
0.
• The same command with csar redeploy instead of csar deploy to destroy and deploy
multiple instances that succeeded. Note that an alternative to doing this is csar heal --sdf
PathToSDF --vm VMName which also runs healthchecks on healed VMs. However, not all
CSARs support healing their VMs. If healing is not supported, the csar heal command will return
an error explaining this, and will not do anything. See Healing a VM in the SIMPL VM Product
Deployment and Management Guide.

48 6 Troubleshooting the SIMPL VM

 CONFIDENTIAL SIMPL VM Deployment Guide (Azure) (V6.11.0)

7 Appendix: Command reference

7.1 CSAR commands

Attention:

Note that some csar commands should be run by Commissioning Engineers only - and are not
documented below. Please do not run these commands without discussing with your Metaswitch
Customer Care contact.

Most of these commands have various options for acting on multiple CSARs / VNFs. This does not
contain every combination of arguments. However, the command help provides additional details for
each command.

Get command help:

csar --help
Get help for a specific command:
csar command --help
Get a CSAR onto the SIMPL VM from an HTTP server (e.g. Artifactory), and unpack it:
csar get CSARLocationAddress
Check CSAR and solution-bundle compatibility:
csar compatibility
Unpack a CSAR that you have put on the SIMPL VM in some other way. This command can be used
with a list of CSARs and/or wildcard statements:
csar unpack PathToCSAR1 PathToCSAR2 PathToCSARDir/*.zip
List installed/unpacked CSARs:
csar list
Generate an SDF help file:
csar sdf-help
Create DNS entries from templates in the product CSARs and solution bundle:
csar create-dns-entries --vnf VNF --solution Solution> --domain Domain> --
dns-ip DNS_IP --sdf PathToSDF

Note:

Here VNF is e.g. cfs, obs, etc.

Test a deploy command without creating any VMs. This allows you to check that the command you
enter will have the intended effect. It proceeds to:

• Validate the SDF

7 Appendix: Command reference 49

 SIMPL VM Deployment Guide (Azure) (V6.11.0) CONFIDENTIAL

• Check that the user defined in the SDF has all the required VIM privileges
• Check that there is connectivity to the VIM hosts for image upload
• Print out which VMs would have been deployed.

You can check this output to verify whether the desired VMs would have been deployed:
csar deploy --dry-run --vnf VNF [--sites SiteName ...] --sdf PathToSDF
Deploy a CSAR (creates the VMs):
csar deploy --vnf VNF [--sites SiteName ...] --sdf PathToSDF
Destroy a VNF that has been deployed (or clean up after failed deploy):
csar delete --vnf VNF --sdf PathToSDF
Redeploy a CSAR (normally if it failed the first time - uses the same VNF descriptor):
csar redeploy --vnf VNF --sdf PathToSDF
Run the day one Ansible scripts for a VNF:
csar run-day-one --vnf VNF --sdf PathToSDF
Run the validation tests for a VNF:
csar validate --vnf VNF [--vnf VNF]] --sdf PathToSDF
Output ne_details.txt files with access information for each VNF:
csar create-ne-details --sdf PathToSDF
Remove one or more installed/unpacked CSARs:
csar remove VNF
Test that an update command will act on the intended target. This will not execute the update.
Instead, it will report the VNFs and VNFCs that would have been updated if had --dry-run not been
supplied. To trigger the full update workflow, rerun the csar update command without --dry-run.
csar update --dry-run --vnf VNF --sdf PathToSDF [--sites Site1
--sites Site2 ... [--service-group ServiceGroupName [--index-
range IndexRange]]]
Update or upgrade a deployed VNF:
csar update --vnf VNF --sdf PathToSDF [--sites Site1 --sites Site2 ... [--
service-group ServiceGroupName [--index-range IndexRange]]]
Test that a heal command will act on the intended target. This will not execute the heal. Instead, it will
report the VM that would have been healed if --dry-run not been supplied. To trigger the full heal
workflow, rerun the csar heal command without --dry-run.
csar heal --sdf PathToSDF --dry-run --vm VMName
Heal a single instance of a deployed VNF:
csar heal --sdf PathToSDF --vm VMName
Gather a diagnostics package:
csar gather-diags
Generate a template file containing secret identifiers required for a set of VNFs, sites, and/or service
groups in the SDF. The template file has placeholder fields for the secret values. The secret values
need to be entered into the template file before the secrets can be added to the secret store.

50 7 Appendix: Command reference

 CONFIDENTIAL SIMPL VM Deployment Guide (Azure) (V6.11.0)

csar secrets create-input-file --sdf PathToSDF --vnf VNF[ --sites Site1 --

sites Site2 ... [--service-group ServiceGroupName]]
Add secrets to the secret store:
csar secrets add PathToInputFile
Delete secrets from the secret store:
csar secrets delete secret_id1 secret_id2
Create a backup of the secret store:
csar secrets backup
Restore a backup of the secret store:
csar secrets restore PathToBackup PathToDecryptionKey
List all the secret identifiers in the secret store:

csar secrets status

Check whether all secrets needed for an SDF are in the secret store:

csar secrets status --sdf PathToSDF [--vnf VNF --sites Site1 --service-
group Sg1]

Check whether a specific secret is in the secret store:

csar secrets status --secret-id SecretId

Check connectivity to the secret store:

csar secrets check-backend-connectivity

Show the status of all VMs in your deployment:

csar status --sdf PathToSDF [--sites SiteName --vnf VNF --service-
group ServiceGroupName]

7.2 Other commands

Change to the CSARs directory:
cdcsars
Change to the solution-bundles directory:
cdbundles
Change to the logs directory:
cdtrc
Display the SIMPL VM version:
simpl-version
Check whether the SIMPL VM has finished setting up on first install:
simpl-setup-complete
Run the VPN Craft menu on the SIMPL VM:

7 Appendix: Command reference 51

 SIMPL VM Deployment Guide (Azure) (V6.11.0) CONFIDENTIAL

sdc

52 7 Appendix: Command reference