Merge pull request #84 from nicolgit/main

publish new version with backend api

Author: nicolgit

INSTALL.md

@@ -0,0 +1,95 @@
+# Install az-firewall-mon in your environment
+
+When installed in your environment, `az-firewall-mon` will deploy the following resources:
+
+![architecture](./images/deployment.png)
+
+Follow these steps to install a private copy of `az-firewall-mon` in your environment:
+
+* Fork the GitHub repository
+* Create a GitHub Personal Access Token (PAT)
+* Create all Azure resources
+* Configure the GitHub Action to deploy both the SPA and the backend API
+* Review Environment variables
+* Limit access
+  
+# Fork the GitHub repository
+
+The first step is to fork the `az-firewall-mon` repository. This allows you to pull down and build the latest changes and updates from the original repository while maintaining your own personal copy.
+
+* Navigate to: <https://github.com/nicolgit/azure-firewall-mon>
+* Click **Fork** > **Create a new fork** (top right of the repository)
+* Click **Create fork**
+
+> You now have a fork of the `az-firewall-mon` repository. When a new update is available, you can select **Sync fork** to keep your fork up-to-date and trigger a new build.
+
+# Create a GitHub Personal Access Token (PAT)
+
+1. Go to your GitHub account settings
+2. Select **Developer settings** > **Personal access tokens** > **Tokens (classic)** (<https://github.com/settings/tokens>)
+3. Click **Generate new token** > **Generate new token (classic)**
+4. Give your token a name like "Azure Static Web App Deployment"
+5. Expiration: `No Expiration`
+6. Select the following scopes:
+   - `repo` (Full control of private repositories)
+   - `workflow` (Update GitHub Action workflows)
+7. Click **Generate token**
+8. **Copy your token** (you won't be able to see it again)
+
+# Create all Azure resources
+An instance of `az-firewall-mon` consists of:
+* 1 Azure Static Web App (standard plan)
+* 1 Azure Maps account
+* 1 Azure OpenAI account
+* 1 Application Insights instance
+
+You can deploy all these resources to your subscription by clicking the button below:
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fnicolgit%2Fazure-firewall-mon%2Fmain%2Fbicep%2Fsetup.json)
+
+When deploying, fill in the following parameters:
+   - `staticWebAppName`: Name for your static web app
+   - `repositoryUrl`: Your GitHub repository URL (e.g., `https://github.com/username/azure-firewall-mon`)
+   - `repositoryToken`: Your GitHub PAT created in the previous step
+   - `branch`: Your main branch (typically 'main')
+
+This will create also an action in your repository that builds and deploys the solution to Azure.
+
+Go to `https://github.com/YOUR-GITHUB-ACCOUNT/azure-firewall-mon/actions` to see the deployment status. When deployment is complete, navigate to Azure Portal > Static Web Apps > View app in browser
+
+# Review environment variables 
+
+`az-firewall-mon` requires several environment variables to function properly. These variables are configured automatically during deployment. Here's a reference in case you need to change any:
+
+* **APPLICATIONINSIGHTS_CONNECTION_STRING**: Application Insights connection string 
+    
+Azure Maps settings:
+* **ip_api_key**: Azure Maps API key
+* **ip_throttling_calls**: '1'
+* **ip_throttling_window_milliseconds**: '1000'
+
+With these settings IP API will return a `429` status code if you make more than 1 call to IP API per second (1000 milliseconds)
+
+Azure OpenAI settings:
+* **aoai_api_key**: Azure OpenAI key
+* **aoai_endpoint**: Azure OpenAI endpoint
+* **aoai_deployment**: Azure OpenAI deployment name
+* **llm_throttling_calls**: '5'
+* **llm_throttling_window_milliseconds**: '60000'
+
+With these settings Chat API will return a `429` status code if you make more than 5 calls per minute (60000 milliseconds)
+
+Angulare application settings:
+* **spa_applicationinsights_connection_string**: Application Insights connection string 
+* **spa_builddate**: build timestamp
+* **spa_local_queuelength**: 100000
+
+> **spa_local_queuelength** is the number of log items that are kept client-side in the browser. When the number of log items in the event-hub is greater than this number, only the latest ones are kept and all others are deleted. 
+
+# Limit access
+After setup is complete, anyone with a valid Microsoft account can access your copy of `az-firewall-mon`. If you want to restrict access, you have several options:
+
+* [Static Web App Private Endpoint](https://learn.microsoft.com/en-us/azure/static-web-apps/private-endpoint): Expose `az-firewall-mon` on a private IP in your virtual network connected via site-to-site VPN or ExpressRoute to your intranet. This makes the tool available only to your company's employees.
+
+* [Static Web App Authorization](https://learn.microsoft.com/en-us/azure/static-web-apps/authentication-authorization): Since `az-firewall-mon` is a Microsoft account-authenticated app, you can configure a list of emails authorized to access it. The file to update, `staticwebapp.config.json`, is located in [./firewall-mon-app/src/assets](./firewall-mon-app/src/assets/staticwebapp.config.json).
+

README.md

@@ -1,12 +1,10 @@
-
-
 <div align="center">
 <img alt="logo" src="images\logo.png" width="72" height="72" style="vertical-align:middle; background-color: DimGray;border-radius: 15%;">
 </div>
 <h1 align="center">az-firewall-mon🧑‍🚒</h1>
 
 <div align="center">
-  an <i>alternative and opinionable</i> way to access and inspect Azure Firewall logs
+  an <i>alternative and opinionated</i> way to access and inspect Azure Firewall logs
 </div>
 
 <br/>
@@ -23,9 +21,9 @@
 
 ![azure-firewall-mon-app](images/firewall-mon-app.png)
 
-We all know that Microsoft's recommended approach for analysing Azure Firewall logs is to set up a Log Analytics Workspace to collect all the data and use Kusto (KQL) queries to check the results. 
+We all know that Microsoft's recommended approach for analyzing Azure Firewall logs is to set up a Log Analytics Workspace to collect all the data and use Kusto Query Language (KQL) queries to check the results. 
 
-Azure-Firewall-mon focuses more on providing a tool that can answer the simple question "_what is happening right now?_" in an alternative and hopefully practical way: the idea is to provide an approach much more like [Sysinternals Process Monitor](https://learn.microsoft.com/en-us/sysinternals/downloads/procmon) or [Check Point's SmartView/SmartLog](https://sc1.checkpoint.com/documents/R80.40/WebAdminGuides/EN/CP_R80.40_LoggingAndMonitoring_AdminGuide/Topics-LMG/Using-log-view.htm?tocpath=Logging%7C_____2), where there is no KUSTO queries or dashboards that you need to implement first to get working. Still, all events are available as a _log-stream_.
+Azure-Firewall-mon focuses more on providing a tool that can answer the simple question "_what is happening right now?_" in an alternative and practical way. The idea is to provide an approach similar to [Sysinternals Process Monitor](https://learn.microsoft.com/en-us/sysinternals/downloads/procmon) or [Check Point's SmartView/SmartLog](https://sc1.checkpoint.com/documents/R80.40/WebAdminGuides/EN/CP_R80.40_LoggingAndMonitoring_AdminGuide/Topics-LMG/Using-log-view.htm?tocpath=Logging%7C_____2), where you don't need to implement KQL queries or dashboards first to get it working. All events are available as a _log-stream_.
 
 The real strength of the tool is the search field available in the top toolbar. To search for an event, simply start typing and the log flow will be automatically filtered according to those parameters.
 
@@ -35,7 +33,7 @@ The timestamp field displays the event date in UTC or local format. You can filt
 
 ![text filter](images/02-time-filtering.png)
 
-Within this tool, only events from the last 24 hours will appear because this is the duration set on the Event Hub Namespace. A longer duration would slow down the tool and not help answer the question "_what is happening right now_" that az-firewall-mon aims to address.
+Within this tool, only events from the last 24 hours will appear because this is the duration set on the Event Hub Namespace. A longer duration would slow down the tool and not help answer the question "_what is happening right now?_" that az-firewall-mon aims to address.
 
 As an alternative to full-text search, you can use the **chatGPT mode**: in the top search field, you can enter a request in natural language, and the system will filter the content accordingly.
 
@@ -52,63 +50,73 @@ Some examples of queries are as follows:
 
 ![chatgpt](images/03-chatgpt.gif)
 
-# Setup a connection with your Azure Firewall
+# Set up a connection with your Azure Firewall
+Azure-Firewall-mon is an open-source [Single Page Application](https://en.wikipedia.org/wiki/Single-page_application) written in [Angular](https://angular.io/) with an [Azure Functions](https://learn.microsoft.com/en-us/azure/azure-functions/functions-overview) backend written in C# .NET. 
+
+Here's the current architecture:
+
+![architecture](./images/architecture.png)
+
+To use this app with **YOUR FIREWALL data**, you have 2 options:
 
-![architecture](images/architecture.png)
+1. Use the Azure Firewall mon sample deployment available at <https://az-firewall-mon.duckiesfarm.com> 
+2. Deploy Azure Firewall mon in your environment
 
-Azure-Firewall-mon is an open source, [Single Page Application](https://en.wikipedia.org/wiki/Single-page_application), written in [Angular](https://angular.io/). 
+The recommended option is number 2, as this way you can be 100% sure your logs are not going outside your environment. I suggest using the public deployment only for testing purposes.
 
-To use this app with **YOUR data**, you must perform the following steps on your Azure Subscription:
+> <https://az-firewall-mon.duckiesfarm.com> uses resources from my subscription (Azure Maps API, Azure OpenAI, Azure Static Web App Standard). These resources have a cost, so I am limiting their usage as much as possible. As a result, the tool may be quite slow. In your own deployment, you can dedicate more resources and achieve better performance.
+
+# Use az-firewall-mon sample deployment
+To use this version with your data, you must perform the following steps on your Azure Subscription:
 
 1. Create an Azure Event Hub Namespace
 2. Create an Azure Event Hub inside the namespace, with a `1-day retention` and `1 partition`
-3. Create a Shared Access Policy, with  _Listen_ claim
-4. Create an Azure Map Account
-5. Create an Azure OpenAI Service
-6. Go to OpenAI Studio > Deployments > Create a new deployment using as model `gpt-4o version 2024-05-13`
-7. Open the Azure Firewall instance you want to monitor, go to Monitoring > Diagnostic Settings > Add Diagnostic Settings: 
+3. Create a Shared Access Policy, with _Listen_ claim
+4. Open the Azure Firewall instance you want to monitor, go to Monitoring > Diagnostic Settings > Add Diagnostic Settings: 
 
     - Select _all_ _logs_ and "Stream to Event Hub"
     - Select the Event Hub Namespace and Hub created above
     - click `SAVE`
 
-Lazy engineers can performs steps from 1 to 6 by clicking the following button [![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fnicolgit%2Fazure-firewall-mon%2Fmain%2Fbicep%2Ffirewall-mon-azure-stuff.json) :-)
+If you are a lazy engineer, like me, you can perform all these steps by clicking the following button 😊
 
-Now, open <https://az-firewall-mon.duckiesfarm.com/> and do the following:
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fnicolgit%2Fazure-firewall-mon%2Fmain%2Fbicep%2Ffirewall-mon-azure-stuff.json)
+
+Open the Azure Firewall instance you want to monitor from the Azure portal, go to Monitoring > Diagnostic Settings > Add Diagnostic Settings:
 
-1. copy in the `Event Hub Connection String` field the connection string of the Shared Access Policy created above
-2. copy the corresponding `Event Hub Consumer Group` Name
-3. copy in the `Azure Map Account Shared Key` field the primary or secondary Shared Key of the Azure Map Account created above
-4. copy in the `Azure OpenAi Endpoint` field the enpoint URI for the OpenAI resouce created above
-5. copy in the `Azure OpenAI deployment` field tne name of the deployment created above
-6. copy in the `Azure OpenAI access key` field the primary or secondary Shared Key of the Azure OpenAI account created above
-7. click on `Let's begin`.
+* Select all logs and "Stream to Event Hub"
+* Select the Event Hub Namespace and Hub created above
+* Click SAVE
+
+Now, open <https://az-firewall-mon.duckiesfarm.com/> and do the following:
 
-# Install Azure-firewall-mon in your environment
+1. Copy the connection string of the Shared Access Policy created above into the `Event Hub Connection String` field
+2. Copy the corresponding `Event Hub Consumer Group` name
+3. Click on `Let's begin`.
 
-[@lukemurraynz](https://github.com/lukemurraynz) has written a very detailed blog post on how deploy Azure-Firewall-mon in an Azure Static Web App. If you prefer this approach, have a look at his blog post <https://luke.geek.nz/azure/deploy-azure-firewall-mon-to-a-static-web-app/>
+# Install az-firewall-mon in your environment
 
-> NOTE: `environment.prod.ts` must be updated with your environment information. az-firewall-mon requires an [Application Insights](https://learn.microsoft.com/en-us/azure/azure-monitor/app/app-insights-overview) instance to work properly.
+To install az-firewall-mon in your environment, follow [this guide](INSTALL.md). Once the instance is ready and working, you can go back and follow the instructions in the [Use az-firewall-mon sample deployment](#use-az-firewall-mon-sample-deployment) section. Just replace the URL with the one from your deployment.
 
 # More Information
 
-[Azure Firewall](https://learn.microsoft.com/en-us/azure/firewall/overview) (AF) is a cloud-native and intelligent network firewall security service that provides the best of breed threat protection for your cloud workloads running in Azure. It's a fully stateful, firewall as a service with built-in high availability and unrestricted cloud scalability. It provides both east-west and north-south traffic inspection.
+[Azure Firewall](https://learn.microsoft.com/en-us/azure/firewall/overview) (AF) is a cloud-native and intelligent network firewall security service that provides best-of-breed threat protection for your cloud workloads running in Azure. It's a fully stateful, firewall-as-a-service with built-in high availability and unrestricted cloud scalability. It provides both east-west and north-south traffic inspection.
 
 [Azure Monitor](https://learn.microsoft.com/en-us/azure/azure-monitor/overview) helps you maximize the availability and performance of your applications and services. It delivers a comprehensive solution for collecting, analyzing, and acting on telemetry from your cloud and on-premises environments. 
 
-AF (Azure-Firewall-Mon) is integrated with Azure Monitor. This means you can forward AF metrics and logs to:
+Azure Firewall is integrated with Azure Monitor. This means you can forward Azure Firewall metrics and logs to:
 
 * Log Analytics Workspace
 * Azure Storage
-* Event hub
+* Event Hub
 
 A [Log Analytics workspace](https://docs.microsoft.com/en-us/azure/azure-monitor/logs/log-analytics-workspace-overview) is a unique environment for log data from Azure Monitor and other Azure services. Each workspace has its own data repository and configuration but might combine data from multiple services.
 
-Be mindful, that the ingest of logs into a Log Analytics workspace has some Latency, so you may see a delay with the logs displaying.
+Be mindful that the ingestion of logs into a Log Analytics workspace has some latency, so you may see a delay before logs are displayed.
 
-Latency refers to the time that data is created on the monitored system and the time that it comes available for analysis in Azure Monitor. 
+Latency refers to the time between when data is created on the monitored system and when it becomes available for analysis in Azure Monitor.
 
-The [Kusto](https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/) Query Language is a  tool to explore your data in a Log Analytics Workspace. The query uses schema entities that are organized in a hierarchy similar to SQL's: databases, tables, and columns.
+The [Kusto Query Language](https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/) (KQL) is a tool to explore your data in a Log Analytics Workspace. The query uses schema entities that are organized in a hierarchy similar to SQL's: databases, tables, and columns.
 
 # UIs and tools that inspired Az-Firewall-mon
 

bicep/firewall-mon-azure-stuff.bicep

@@ -1,11 +1,8 @@
-param namespace string = 'fwmonns354526'
+@description('Namespace for the Event Hub')
+param namespace string = 'fwmonns${uniqueString(resourceGroup().id, deployment().name)}'
 param hubname string = 'fwmonhub'
 param sharedkey string = 'fwmonkey'
-param mapAccountName string = 'fwmonflags'
-param openAiAccountName string = 'fwmonaoai'
 param location string = resourceGroup().location
-param locationaoai string = 'swedencentral'
-param fwmonappinsights string = 'fwmonappinsights'
 
 resource eventHubNamespace 'Microsoft.EventHub/namespaces@2017-04-01' = {
   name: namespace
@@ -37,49 +34,4 @@ resource firewallMonHub 'Microsoft.EventHub/namespaces/eventhubs/authorizationRu
   }
 }
 
-resource mapsAccount 'Microsoft.Maps/accounts@2023-06-01' = {
-  name: mapAccountName
-  location: location
-  sku: {
-    name: 'G2'
-  }
-  kind: 'Gen2'
-}
-
-resource openAiService 'Microsoft.CognitiveServices/accounts@2022-03-01' = {
-  name: openAiAccountName
-  location: locationaoai
-  sku: {
-    name: 'S0'
-  }
-  kind: 'OpenAI'
-  properties: {
-    customSubDomainName: openAiAccountName
-    networkAcls: {
-      defaultAction: 'Allow'
-      virtualNetworkRules: []
-      ipRules: []
-    }
-    publicNetworkAccess: 'Enabled'
-  }
-}
-
-resource cognitiveServicesDeployment 'Microsoft.CognitiveServices/accounts/deployments@2024-04-01-preview' = {
-  parent: openAiService
-  name: 'mygpt4'
-  sku: {
-    name: 'Standard'
-    capacity: 2
-  }
-  properties: {
-    model: {
-      format: 'OpenAI'
-      name: 'gpt-4o'
-      version: '2024-05-13'
-    }
-    versionUpgradeOption: 'OnceNewDefaultVersionAvailable'
-    currentCapacity: 2
-    raiPolicyName: 'Microsoft.Default'
-  }
-}