Merge pull request #290275 from sushantjrao/break-glass-setup

Added Break Blass and Micro BFD document

Author: v-ccolin

articles/operator-nexus/TOC.yml

@@ -155,6 +155,8 @@
                   href: howto-cluster-runtime-upgrade.md
                 - name: Cluster Upgrades With PauseRack Startegy
                   href: howto-cluster-runtime-upgrade-with-pauserack-strategy.md
+                - name: How to upgrade Network Fabric
+                  href: howto-upgrade-nexus-fabric.md  
                 - name: Credential Rotation
                   href: howto-credential-rotation.md
                 - name: Credential Manager Key Vault
@@ -182,9 +184,7 @@
           href: howto-update-access-control-list-for-network-to-network-interconnects.md
         - name: Delete ACLs associated with Network-to-Network Interconnects (NNI)
           href: howto-delete-access-control-list-network-to-network-interconnect.md
-        - name:
-            How to Configure Diagnostic Settings and Monitor Configuration Differences
-            in Nexus Network Fabric
+        - name: How to Configure Diagnostic Settings and Monitor Configuration Differences in Nexus Network Fabric
           href: howto-configure-diagnostic-settings-monitor-configuration-differences.md
         - name: How to Delete L3 Isolation Domains in Azure Nexus Network Fabric
           href: howto-delete-layer-3-isolation-domains.md
@@ -198,8 +198,12 @@
           href: howto-replace-network-devices.md
         - name: How to put a device into maintenance mode
           href: howto-put-device-in-maintenance-mode.md
-        - name: How to upgrade Network Fabric
-          href: howto-upgrade-nexus-fabric.md
+        - name: How to set up break glass access
+          href: howto-set-up-break-glass-access.md
+        - name: How to use-break-glass-access.md
+          href: howto-use-break-glass-access.md
+        - name: How to enable-Micro-BFD on CE and PE devices.md
+          href: howto-enable-micro-bfd.md
     - name: Cluster
       expanded: false
       items:

articles/operator-nexus/howto-azure-operator-nexus-prerequisites.md

@@ -59,6 +59,7 @@ az provider register --namespace Microsoft.OperationsManagement
 az provider register --namespace Microsoft.ResourceConnector
 az provider register --namespace Microsoft.Resources
 az provider register --namespace Microsoft.Storage
+az provider register --namespace Microsoft.NexusIdentity
 ```
 
 ## EncryptionAtHost feature registration

articles/operator-nexus/howto-enable-micro-bfd.md

@@ -0,0 +1,70 @@
+---
+title: How to enable Micro-BFD on CE and PE devices
+description: Process of enabling Micro-BFD On CE and PE devices.
+author: sushantjrao 
+ms.author: sushrao
+ms.service: azure-operator-nexus
+ms.topic: how-to
+ms.date: 08/12/2024
+ms.custom: template-how-to, devx-track-azurecli
+---
+
+# Enabling Micro-BFD
+
+Micro-BFD (Bidirectional Forwarding Detection) is a lightweight protocol designed to quickly detect failures between adjacent network devices, such as routers or switches, with minimal overhead. This guide provides step-by-step instructions to enable Micro-BFD on Customer Edge (CE) and Provider Edge (PE) devices.
+
+## Prerequisites
+
+Before enabling Micro-BFD, perform the following steps:
+
+- Both CE and PE devices are configured with the required Micro-BFD settings.
+
+- The feature flag `MicroBFDEnabled` is turned off by default.
+
+> [!Note]
+> Contact Microsoft support through a support incident to enable the feature flag.
+
+- It is necessary to [put the device in maintenance mode](.\howto-put-device-in-maintenance-mode.md) to apply below the configuration changes. 
+
+## Configuration steps
+
+### Step 1: Configure CE devices
+
+1. Access the CE device and enter the configuration mode.
+
+2. Add the following configuration to enable Micro-BFD on the CE-PE interface:
+
+   ```bash
+   ip address 10.30.0.65/30
+   bfd interval 50 min-rx 50 multiplier 3
+   bfd neighbor 10.30.0.66
+   bfd per-link rfc-7130
+   ```
+
+### Step 2: Configure PE devices
+
+1. Access the PE device and enter the configuration mode.
+
+2. Add the following configuration to enable Micro-BFD on the PE-CE interface:
+
+   ```bash
+   ip address 10.30.0.66/30
+   bfd interval 50 min-rx 50 multiplier 3
+   bfd neighbor 10.30.0.65
+   bfd per-link rfc-7130
+   ```
+
+### Step 3: Enable feature flag
+
+1. Request the DE team to enable the `MicroBFDEnabled` feature flag.
+
+2. Verify the configuration by checking the status of Micro-BFD sessions on both CE and PE devices.
+
+### Step 4: Validate configuration
+
+Use the following command to check the status of Micro-BFD sessions on the PE device:
+
+```bash
+show bfd status dest-ip 10.30.0.65 detail
+```
+Ensure that the Micro-BFD sessions are established and operational.

articles/operator-nexus/howto-set-up-break-glass-access.md

@@ -0,0 +1,109 @@
+---
+title:  How to set up Method D v2.0 secure break-glass access
+description: Process of setting up secure break-glass access using Method D v2.0
+author: sushantjrao 
+ms.author: sushrao
+ms.service: azure-operator-nexus
+ms.topic: how-to
+ms.date: 11/04/2024
+ms.custom: template-how-to, devx-track-azurecli
+---
+
+# Set up Method D v2.0 secure break-glass access
+
+The Break-Glass mechanism provides temporary and emergency access to Azure Operator Nexus devices or services, primarily for disaster recovery, incident response, or essential maintenance. Access is granted under controlled Identity Access Management (IAM) policies, maintaining security even during emergencies.
+
+For Network Fabric environments, the current break-glass model, known as Method D v1.5, relies on password authentication. This model, however, is limited to 15 shared accounts and poses significant security risks. Method D v2.0 introduces a modernized approach, implementing FIDO-2 devices and SSH keys to secure break-glass access. Key improvements include:
+
+- **Strict access control**: Customer administrators control access through individual assignments instead of shared accounts.
+
+- **Strong authentication**: Break-glass access is managed via Microsoft Entra with multifactor authentication (MFA) eliminating local account dependencies.
+
+- **Enhanced security**: All access attempts are logged for audit and investigation purposes.
+
+## FIDO2 token 
+
+In the Method D v2.0 model, break-glass users uses a FIDO2 token to create and upload a public key linked to their Entra identity. This configuration provides secure SSH access to Fabric devices. Entra Role-Based Access Control (RBAC) manages authorization, allowing administrators to assign appropriate access levels to users.
+
+For offline accessibility, usernames, public keys, and permissions are pre-provisioned on all the Network Fabric devices, allowing break-glass SSH login without requiring an active Azure connection.
+
+Each FIDO2 token serves usually as a physical USB device, offering unphishable, multifactor authentication through user presence and PIN verification.
+
+## Method D v2.0 setup and operations
+
+This guide is divided into two sections 
+
+1.	**Method D v2.0 infrastructure setup** - Mandatory for both existing and new Network Fabric (NF) deployments running Runtime Fabric version 4.0.0. 
+
+2. [**Using Method D v2.0 break glass access**](howto-use-break-glass-access.md)
+
+
+### Method D v2.0 infrastructure setup
+
+This guide provides an overview of the infrastructure setup that is mandatory for both existing and new deployments using NF Runtime version 4.0.0.
+
+#### Step 1: Register NexusIdentity Resource Provider
+
+Register the **Microsoft.NexusIdentity** resource provider. 
+
+1. Register the resource provider:
+
+   ```Azure CLI
+   az provider register --namespace Microsoft.NexusIdentity --wait
+   ```
+
+2. Verify the registration status:
+
+   ```Azure CLI
+   az provider show --namespace Microsoft.NexusIdentity -o table
+   ```
+
+   The registration status should display as **"Registered"**.
+
+#### Step 2: Assign necessary permissions for Network Fabric access
+
+As part of the **Secure Future Initiative (SFI)**, **On-Behalf-Of (OBO) tokens** are now required to grant access to customer resources. This token grants NexusIdentity permissions scoped at the subscription, resource group, or network fabric level to enable **read access** to Network Fabric role assignments. The following role permissions should be assigned to end users responsible for NF create, NF upgrade, and NF delete operations. These permissions can be granted temporarily, limited to the duration required to perform these operations.
+
+##### Required permissions
+
+1. Microsoft.NexusIdentity/identitySets/read
+2. Microsoft.NexusIdentity/identitySets/write
+3. Microsoft.NexusIdentity/identitySets/delete
+
+
+##### Configure Azure RBAC for Network Fabric Runtime version 4.0.0
+
+1. Under **Privileged Administrator Roles**, select **Azure RBAC Administrator** as the built-in role and click **Next**.
+
+   :::image type="content" source="media/breakglass-role-assignment.png" alt-text="Screenshot of adding role-assignment":::
+
+2. In the **Members** tab, add the identity of the user responsible for performing NF create, update, and delete operations.
+   
+   :::image type="content" source="media/breakglass-add-member-nexusidenitityrp.png" alt-text="Screenshot of adding member to role assignment":::
+
+3. In the **Conditions** tab, select "Allow users to only assign selected roles to selected principals (fewer privileges).
+
+   :::image type="content" source="media/breakglass-conditions-roles-assignment.png" alt-text="Screenshot of adding conditions to role assignment":::
+
+   -  Select Constrain roles and principals and click Configure, 
+
+   - Select the following parameters:
+
+      **Role:** Reader
+      
+      **Principal:** NexusIdentityRP
+
+:::image type="content" source="media/breakglass-constrain-roles-principals.png" alt-text="Screenshot of adding roles and principals":::
+
+4. Click Review + Assign to finalize the configuration.
+
+5. Activate role
+
+   - To activate the role, select **Role Based Access Control Administrator** from Eligible assignments tab.
+
+> [!NOTE]
+> Ensure that **Role Based Access Control Administrator** is sucessfully activated.
+
+## Next Steps
+
+[How to use Method D v2.0 break-glass access](howto-use-break-glass-access.md)

articles/operator-nexus/howto-use-break-glass-access.md

@@ -0,0 +1,129 @@
+---
+title:  How to use Method D v2.0 secure break-glass access
+description: Process of using Method D v2.0 break glass access
+author: sushantjrao 
+ms.author: sushrao
+ms.service: azure-operator-nexus
+ms.topic: how-to
+ms.date: 11/04/2024
+ms.custom: template-how-to, devx-track-azurecli
+---
+
+# Use Method D v2.0 break glass access
+
+Break glass access using Method D v2.0 is a streamlined approach for administrators to grant secure, emergency access to critical network fabric devices. This guide walks you through setting up and using break glass access, including generating SSH keys, granting permissions, and accessing network fabric devices.
+
+## Generating SSH Keys using the Nexusidentity Azure CLI
+
+To start with break glass IAM configuration, you need to set up SSH keys using the Nexusidentity extension. Make sure you have the following prerequisites installed and updated.
+
+### Prerequisites
+
+- **Setup Method D v2.0** using as referred in [article](howto-set-up-break-glass-access.md)
+- **Windows Computer** with PowerShell
+- **OpenSSH**: Version 9.4 or higher
+- **Python**: Version 3.11 or higher (64-bit)
+- **Azure CLI**: Version 2.61 or higher (64-bit)
+- **Nexusidentity Extension**: This extension must be added to Azure CLI.
+
+### Steps to Install Nexusidentity Extension and Generate SSH Keys
+
+1. **Open PowerShell**:
+
+> [!Note]
+> Use non-admin mode for this process.
+
+2. **Update Azure CLI**:
+
+   - Run the following command to update Azure CLI to the latest version:
+
+     ```Azure CLI
+     az upgrade
+     ```
+
+3. **Install Nexusidentity extension**:
+
+   - To add the Nexusidentity extension
+
+     ```Azure CLI
+     az extension add --name nexusidentity
+     ```
+
+4. **Generate SSH Keys with Nexusidentity extension**:
+
+   a. Download the [Yubico Key Manager](https://www.yubico.com/support/download/yubikey-manager) to reset your YubiKey for initial setup.
+   
+   b. Attach your **YubiKey** to your computer.
+
+   c. Log in to Azure with:
+
+      ```Azure CLI
+      az login
+      ```
+
+   d. Run the following command to generate SSH keys:
+
+      ```Azure CLI
+      az nexusidentity gen-keys
+      ```
+
+   e. During this process:
+
+      - If prompted to overwrite keys in token, press **Enter**.
+
+      - Select the **Security Key** in the popup window and follow the prompts.
+
+      - Enter your **YubiKey PIN** and touch the device when prompted.
+
+      - If prompted to overwrite keys- press **Enter**
+
+      - If prompted to enter a passphrase, press **Enter**.
+   
+   f. After successful key generation, you should see:
+
+      ```
+      Successfully uploaded public key to Microsoft Entra Id account {user.mail}
+      ```
+
+## Granting break-glass permissions to an Entra user on a Network Fabric
+
+To enable break glass access, administrator can assign below roles to Entra users on a Network Fabric device.
+
+- **Nexus Network Fabric Service Reader**:
+
+  - Allows the user to execute show commands on fabric devices.
+
+  - Doesn't permit access to configuration mode.
+
+- **Nexus Network Fabric Service Writer**:
+
+  - Allows show commands and commands to modify the running configuration.
+
+Once these roles are assigned, the corresponding username and public SSH key will be automatically provisioned across all devices within the designated fabric instance.
+
+> [!Note]
+> If a subscription owner assigns an user,  the Network Fabric Service Reader or Writer role at the subscription scope, this role assignment will be inherited by all Network Fabric instances. Consequently, the user will be granted the privileges associated with the built-in role across all Network Fabric instances.
+
+> [!Note]
+> break glass user accounts are reconciled every 4 hours. For immediate reconciliation, open a support ticket with the network fabric support team.
+
+## Break-glass access to Network Fabric device
+
+Once permissions are granted, users can access network fabric devices with their FIDO-2 hardware token (for example, YubiKey). Follow the steps below to use break glass access.
+
+1. **Prepare for access**:
+
+   - Make sure your **FIDO-2 hardware token** is plugged into your computer.
+
+2. **Use SSH with the `-J` option**:
+
+   - The `-J` option enables you to log in through a jump server and access a fabric device directly. This involves authentication  first with the jump server and then with the fabric device (using ssh keys).
+
+   Use the following command format to access a fabric device:
+
+   ```bash
+   ssh -J JumpBoxUsername@JumpBoxIp EntraUsername@FabricDeviceIP
+   ```
+
+> [!Note]
+> This command establishes a secure connection, using the jump server as an intermediary for authentication.