1.1.3.4. Building the SDPF Cloud/Server

All commands in this section are written on the assumption that you have escalated to the root user before running them.
  1. Run the following commands to initialize the Terraform working directory once.
    # cd /etc/terraform/work
    # terraform init
    
    Initializing the backend...
    
    Initializing provider plugins...
    - Reusing previous version of nttcom/ecl from the dependency lock file
    - Using previously-installed nttcom/ecl v1.11.2
    
    Terraform has been successfully initialized!
    
    You may now begin working with Terraform. Try running "terraform plan" to see
    any changes that are required for your infrastructure. All Terraform commands
    should now work.
    
    If you ever set or change modules or backend configuration for Terraform,
    rerun this command to reinitialize your working directory. If you forget, other
    commands will detect it and remind you to do so if necessary.
    
  2. Run the following commands. The planned configuration is displayed for review; if it is correct, enter "yes" to start creating the resources.

    Note

    # terraform plan
    # terraform apply
    
    data.ecl_network_common_function_pool_v2.common_function_pool_1: Reading...
    data.ecl_network_internet_service_v2.internet_service_1: Reading...
    data.ecl_vna_appliance_plan_v1.appliance_plan_1: Reading...
    data.ecl_network_fic_gateway_v2.fic_gateway_1: Reading...
    data.ecl_network_qos_options_v2.qos_options_1: Reading...
    data.ecl_network_fic_gateway_v2.fic_gateway_1: Read complete after 1s [id=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX]
    data.ecl_network_internet_service_v2.internet_service_1: Read complete after 1s [id=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX]
    data.ecl_network_common_function_pool_v2.common_function_pool_1: Read complete after 1s [id=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX]
    data.ecl_network_qos_options_v2.qos_options_1: Read complete after 2s [id=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX]
    data.ecl_vna_appliance_plan_v1.appliance_plan_1: Read complete after 5s [id=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX]
    
    Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
      + create
    
    Terraform will perform the following actions:
    
      # ecl_compute_instance_v2.boot-from-volume will be created
      + resource "ecl_compute_instance_v2" "boot-from-volume" {
          + access_ip_v4        = (known after apply)
          + all_metadata        = (known after apply)
          + availability_zone   = (known after apply)
          + config_drive        = false
          + flavor_id           = "8CPU-16GB"
          + flavor_name         = (known after apply)
          + id                  = (known after apply)
          + image_id            = (known after apply)
          + image_name          = (known after apply)
          + name                = "Alkano-sv01"
          + power_state         = "active"
          + region              = (known after apply)
          + stop_before_destroy = false
    
          + block_device {
              + boot_index            = 0
              + delete_on_termination = true
              + destination_type      = "volume"
              + source_type           = "volume"
              + uuid                  = (known after apply)
            }
    
          + network {
              + access_network = false
              + fixed_ip_v4    = "172.16.201.61"
              + mac            = (known after apply)
              + name           = (known after apply)
              + port           = (known after apply)
              + uuid           = (known after apply)
            }
        }
    
    ~ output truncated for length ~
    
    Plan: 18 to add, 0 to change, 0 to destroy.
    
    Do you want to perform these actions?
      Terraform will perform the actions described above.
      Only 'yes' will be accepted to approve.
    
      Enter a value: yes
    
    ecl_network_internet_gateway_v2.internet_gateway_1: Creating...
    ecl_network_common_function_gateway_v2.common_function_gateway_1: Creating...
    ecl_network_network_v2.network_ficgw: Creating...
    ecl_network_network_v2.network_inetgw: Creating...
    ecl_network_network_v2.network_vm: Creating...
    ecl_compute_volume_v2.volume_1: Creating...
    ecl_network_network_v2.network_ficgw: Creation complete after 10s [id=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX]
    ecl_network_subnet_v2.subnet_ficgw: Creating...
    ecl_network_network_v2.network_inetgw: Creation complete after 10s [id=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX]
    
    ~ output truncated for length ~
    
    ecl_vna_appliance_v1.appliance_2: Still creating... [9m0s elapsed]
    ecl_vna_appliance_v1.appliance_1: Still creating... [9m0s elapsed]
    ecl_vna_appliance_v1.appliance_1: Still creating... [9m10s elapsed]
    ecl_vna_appliance_v1.appliance_2: Still creating... [9m10s elapsed]
    ecl_vna_appliance_v1.appliance_2: Still creating... [9m20s elapsed]
    ecl_vna_appliance_v1.appliance_1: Still creating... [9m20s elapsed]
    ecl_vna_appliance_v1.appliance_2: Creation complete after 9m22s [id=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX]
    ecl_vna_appliance_v1.appliance_1: Creation complete after 9m22s [id=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX]
    
    Apply complete! Resources: 18 added, 0 changed, 0 destroyed.
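
A guard around the plan-then-apply flow of step 2, added here as an example; it is not part of the SDPF procedure or of the nttcom/ecl provider. It reads the JSON that `terraform show -json` prints for a saved plan and refuses to proceed unless the plan contains only the actions the runbook expects (here: creates only, nothing changed or destroyed). The plan file name `sdpf.tfplan`, the script name `plan_guard.py` and the `SAMPLE_PLAN` document are assumptions; the sample is a constructed miniature of the `terraform show -json` format with only the fields the guard reads, not the real 18-resource plan of this environment.

```python
"""Refuse to apply a Terraform plan that deviates from the runbook's expectations.

Added example, not part of the SDPF procedure. Intended use from /etc/terraform/work
(file and script names are assumptions):

    terraform plan -out=sdpf.tfplan
    terraform show -json sdpf.tfplan | python3 plan_guard.py && terraform apply sdpf.tfplan
"""
import json
import sys
from collections import Counter


def summarize_actions(plan):
    """Count resource_changes by their action tuple, e.g. ('create',) or ('delete', 'create')."""
    counts = Counter()
    for rc in plan.get("resource_changes", []):
        actions = tuple(rc["change"]["actions"])
        if actions == ("no-op",):
            continue
        counts[actions] += 1
    return counts


def plan_summary(plan):
    """Return (add, change, destroy) the way `terraform plan` prints its Plan: line.

    A replacement ('delete', 'create') counts once as an add and once as a destroy,
    exactly as Terraform reports it; data-source reads count as none of the three.
    """
    add = change = destroy = 0
    for actions, n in summarize_actions(plan).items():
        if "create" in actions:
            add += n
        if "update" in actions:
            change += n
        if "delete" in actions:
            destroy += n
    return add, change, destroy


def check_plan(plan, expected_add, allow_change=False, allow_destroy=False):
    """Return (ok, message); ok is False when the plan deviates from what the runbook expects."""
    add, change, destroy = plan_summary(plan)
    problems = []
    if add != expected_add:
        problems.append(f"expected {expected_add} to add, plan has {add}")
    if change and not allow_change:
        problems.append(f"{change} resource(s) would be changed in place")
    if destroy and not allow_destroy:
        # Name the resources so the operator sees what an accidental apply would remove.
        doomed = [rc["address"] for rc in plan.get("resource_changes", [])
                  if "delete" in rc["change"]["actions"]]
        problems.append(f"{destroy} resource(s) would be destroyed: {', '.join(doomed)}")
    if problems:
        return False, "; ".join(problems)
    return True, f"Plan: {add} to add, {change} to change, {destroy} to destroy"


# Constructed miniature of a `terraform show -json` document (assumption: the real plan
# for this runbook lists 18 creates). Only the fields the guard reads are present.
SAMPLE_PLAN = {
    "format_version": "1.1",
    "resource_changes": [
        {"address": "ecl_compute_instance_v2.boot-from-volume",
         "change": {"actions": ["create"]}},
        {"address": "ecl_network_network_v2.network_vm",
         "change": {"actions": ["create"]}},
        {"address": "data.ecl_vna_appliance_plan_v1.appliance_plan_1",
         "change": {"actions": ["read"]}},
    ],
}


def main():
    """Read the plan JSON from stdin; exit 1 so a shell `&&` chain stops before apply."""
    plan = json.load(sys.stdin)
    ok, msg = check_plan(plan, expected_add=18)
    print(msg)
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main())
```

Applying a saved plan file (`terraform apply sdpf.tfplan`) runs exactly the plan that was reviewed and does not prompt for "yes", so the guard's exit status is the only gate; keep the expected counts in one place and change them deliberately whenever the Terraform code under /etc/terraform/work changes.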
    
  3. Run the following commands to perform the preliminary configuration of vSRX unit 1 that is required before running Ansible.
    # cd /usr/local/sdpf/vsrx
    # bash vsrx1-initialization.sh
    
    # Host 172.16.202.8 found: line 3
    /root/.ssh/known_hosts updated.
    Original contents retained as /root/.ssh/known_hosts.old
    # 172.16.202.8:22 SSH-2.0-OpenSSH_7.5
    expect version 5.45.4
    spawn ssh root@172.16.202.8 cli
    parent: waiting for sync byte
    parent: telling child to go ahead
    parent: now unsynchronized from child
    spawn: returns {111528}
    
    expect: does "" (spawn_id exp6) match glob pattern "Password:"? no
    
    expect: does "\r" (spawn_id exp6) match glob pattern "Password:"? no
    Password:
    expect: does "\rPassword:" (spawn_id exp6) match glob pattern "Password:"? yes
    expect: set expect_out(0,string) "Password:"
    expect: set expect_out(spawn_id) "exp6"
    expect: set expect_out(buffer) "\rPassword:"
    send: sending "XXXXXXXXXXXX\r" to { exp6 }
    
    expect: does "" (spawn_id exp6) match glob pattern "root>"? no
    
    
    expect: does "\r\n" (spawn_id exp6) match glob pattern "root>"? no
    root>
    expect: does "\r\nroot> " (spawn_id exp6) match glob pattern "root>"? yes
    expect: set expect_out(0,string) "root>"
    expect: set expect_out(spawn_id) "exp6"
    expect: set expect_out(buffer) "\r\nroot>"
    send: sending "configure\r" to { exp6 }
    
    expect: does " " (spawn_id exp6) match glob pattern "root#"? no
    configure
    
    expect: does " configure\r\n" (spawn_id exp6) match glob pattern "root#"? no
    configure
    expect: does " configure\r\nconfigure" (spawn_id exp6) match glob pattern "root#"? no
    
    expect: does " configure\r\nconfigure " (spawn_id exp6) match glob pattern "root#"? no
    
    
    expect: does " configure\r\nconfigure \r\n" (spawn_id exp6) match glob pattern "root#"? no
    Entering configuration mode
    
    expect: does " configure\r\nconfigure \r\nEntering configuration mode\r\n" (spawn_id exp6) match glob pattern "root#"? no
    
    [edit]
    root#
    expect: does " configure\r\nconfigure \r\nEntering configuration mode\r\n\r\n[edit]\r\nroot# " (spawn_id exp6) match glob pattern "root#"? yes
    
    ~ output truncated for length ~
    
    expect "root#"
    send "set system host-name vSRX1\r"
    expect "root#"
    send "set system services netconf ssh\r"
    expect "root#"
    send "set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services netconf\r"
    expect "root#"
    send "commit\r"
    expect "root#"
    send "exit\r"
    
    set argc 0
    set argv0 "expect"
    set argv ""
    
  4. Run the following command to perform the preliminary configuration of vSRX unit 2 that is required before running Ansible.
    # bash vsrx2-initialization.sh
    
    # Host 172.16.202.9 found: line 3
    /root/.ssh/known_hosts updated.
    Original contents retained as /root/.ssh/known_hosts.old
    # 172.16.202.9:22 SSH-2.0-OpenSSH_7.5
    expect version 5.45.4
    spawn ssh-keyscan 172.16.202.9 >> ~/.ssh/known_hosts
    parent: waiting for sync byte
    parent: telling child to go ahead
    parent: now unsynchronized from child
    spawn: returns {111540}
    spawn ssh root@172.16.202.9 cli
    parent: waiting for sync byte
    parent: telling child to go ahead
    parent: now unsynchronized from child
    spawn: returns {111543}
    
    expect: does "" (spawn_id exp8) match glob pattern "Password:"? no
    Password:
    expect: does "\rPassword:" (spawn_id exp8) match glob pattern "Password:"? yes
    expect: set expect_out(0,string) "Password:"
    expect: set expect_out(spawn_id) "exp8"
    expect: set expect_out(buffer) "\rPassword:"
    send: sending "XXXXXXXXXXXX\r" to { exp8 }
    
    expect: does "" (spawn_id exp8) match glob pattern "root>"? no
    
    
    expect: does "\r\n" (spawn_id exp8) match glob pattern "root>"? no
    root>
    expect: does "\r\nroot> " (spawn_id exp8) match glob pattern "root>"? yes
    expect: set expect_out(0,string) "root>"
    expect: set expect_out(spawn_id) "exp8"
    expect: set expect_out(buffer) "\r\nroot>"
    send: sending "configure\r" to { exp8 }
    
    expect: does " " (spawn_id exp8) match glob pattern "root#"? no
    configure
    
    expect: does " configure\r\n" (spawn_id exp8) match glob pattern "root#"? no
    configure
    expect: does " configure\r\nconfigure" (spawn_id exp8) match glob pattern "root#"? no
    
    expect: does " configure\r\nconfigure " (spawn_id exp8) match glob pattern "root#"? no
    
    
    expect: does " configure\r\nconfigure \r\n" (spawn_id exp8) match glob pattern "root#"? no
    Entering configuration mode
    
    expect: does " configure\r\nconfigure \r\nEntering configuration mode\r\n" (spawn_id exp8) match glob pattern "root#"? no
    
    [edit]
    root#
    expect: does " configure\r\nconfigure \r\nEntering configuration mode\r\n\r\n[edit]\r\nroot# " (spawn_id exp8) match glob pattern "root#"? yes
    
    ~ output truncated for length ~
    
    expect "root#"
    send "set system host-name vSRX1\r"
    expect "root#"
    send "set system services netconf ssh\r"
    expect "root#"
    send "set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services netconf\r"
    expect "root#"
    send "commit\r"
    expect "root#"
    send "exit\r"
    
    set argc 0
    set argv0 "expect"
    set argv ""
    
  5. Run the following commands to configure vSRX unit 1.
    # cd /etc/ansible/
    # ansible-playbook -i hosts playbook_vsrx01.yml
    
    PLAY [vSRX1] ***********************************************************************************************************************************************************
    
    TASK [vSRX_subuser_test : 1-1.ゾーン"trust"の設定] ***************************************************************************************************************************
    changed: [172.16.202.8]
    
    TASK [vSRX_subuser_test : 1-2.ゾーン"inetgw_zone"の設定] *********************************************************************************************************************
    changed: [172.16.202.8]
    
    TASK [vSRX_subuser_test : 1-3.ゾーン"vm-zone"の設定] *************************************************************************************************************************
    changed: [172.16.202.8]
    
    TASK [vSRX_subuser_test : 1-4.インターネットGWへのNAT設定] ************************************************************************************************************************
    changed: [172.16.202.8]
    
    TASK [vSRX_subuser_test : 1-5.共通機能GWへのNAT設定] ***************************************************************************************************************************
    changed: [172.16.202.8]
    
    TASK [vSRX_subuser_test : 1-6.VMから共通機能GWへの通信許可のポリシー設定] *****************************************************************************************************************
    changed: [172.16.202.8]
    
    TASK [vSRX_subuser_test : 1-7.VMからインターネットGWへの通信許可のポリシー設定] **************************************************************************************************************
    changed: [172.16.202.8]
    
    TASK [vSRX_subuser_test : 1-8.VMからFIC-GWへの通信許可のポリシー設定] ****************************************************************************************************************
    changed: [172.16.202.8]
    
    TASK [vSRX_subuser_test : 1-9.FIC-GWからVMへの通信許可のポリシー設定] ****************************************************************************************************************
    changed: [172.16.202.8]
    
    TASK [vSRX_subuser_test : 1-10.インターネットGWからFIC-GWへの通信拒否のポリシー設定] **************************************************************************************************************
    changed: [172.16.202.8]
    
    TASK [vSRX_subuser_test : 1-11.インターネットGWからVMへの通信拒否のポリシー設定] *************************************************************************************************************
    changed: [172.16.202.8]
    
    TASK [vSRX_subuser_test : 1-12.スタティックルート設定] ****************************************************************************************************************************
    changed: [172.16.202.8]
    
    TASK [vSRX_subuser_test : 1-13.vrrp-interface0の設定] *********************************************************************************************************************************
    changed: [172.16.202.8]
    
    TASK [vSRX_subuser_test : 1-14.vrrp-interface1の設定] ****************************************************************************************************************************
    changed: [172.16.202.8]
    
    TASK [vSRX_subuser_test : 1-15.vrrp-interface2の設定] *****************************************************************************************************************************
    changed: [172.16.202.8]
    
    TASK [vSRX_subuser_test : 1-16.vrrp-interface3の設定] *****************************************************************************************************************************
    changed: [172.16.202.8]
    
    TASK [vSRX_subuser_test : show_configurationの実行] **************************************************************************************************************************
    ok: [172.16.202.8]
    
    TASK [vSRX_subuser_test : debug] ***************************************************************************************************************************************
    ok: [172.16.202.8] => {
        "msg": {
            "changed": false,
            "failed": false,
    
    ~ output truncated for length ~
    
            "stdout_lines": [
                [
                    "set version 20.4R2.7",
                    "set system host-name vSRX1",
    
    ~ output truncated for length ~
    
                    "set security policies from-zone vm_zone to-zone vm_zone policy from-vm_to-common match source-address any",
                    "set security policies from-zone vm_zone to-zone vm_zone policy from-vm_to-common match destination-address any",
                    "set security policies from-zone vm_zone to-zone vm_zone policy from-vm_to-common match application any",
                    "set security policies from-zone vm_zone to-zone vm_zone policy from-vm_to-common then permit",
                    "set security policies from-zone vm_zone to-zone inetgw_zone policy from-vm_to-inet match source-address any",
                    "set security policies from-zone vm_zone to-zone inetgw_zone policy from-vm_to-inet match destination-address any",
                    "set security policies from-zone vm_zone to-zone inetgw_zone policy from-vm_to-inet match application any",
                    "set security policies from-zone vm_zone to-zone inetgw_zone policy from-vm_to-inet then permit",
                    "set security policies from-zone vm_zone to-zone trust policy from-vm_to-fic match source-address any",
                    "set security policies from-zone vm_zone to-zone trust policy from-vm_to-fic match destination-address any",
                    "set security policies from-zone vm_zone to-zone trust policy from-vm_to-fic match application any",
                    "set security policies from-zone vm_zone to-zone trust policy from-vm_to-fic then permit",
                    "set security policies from-zone trust to-zone vm_zone policy from-fic_to-vm match source-address any",
                    "set security policies from-zone trust to-zone vm_zone policy from-fic_to-vm match destination-address any",
                    "set security policies from-zone trust to-zone vm_zone policy from-fic_to-vm match application any",
                    "set security policies from-zone trust to-zone vm_zone policy from-fic_to-vm then permit",
                    "set security policies from-zone inetgw_zone to-zone trust policy from-inet_to-fic match source-address any",
                    "set security policies from-zone inetgw_zone to-zone trust policy from-inet_to-fic match destination-address any",
                    "set security policies from-zone inetgw_zone to-zone trust policy from-inet_to-fic match application any",
                    "set security policies from-zone inetgw_zone to-zone trust policy from-inet_to-fic then deny",
                    "set security policies from-zone inetgw_zone to-zone vm_zone policy from-inet_to-vm match source-address any",
                    "set security policies from-zone inetgw_zone to-zone vm_zone policy from-inet_to-vm match destination-address any",
                    "set security policies from-zone inetgw_zone to-zone vm_zone policy from-inet_to-vm match application any",
                    "set security policies from-zone inetgw_zone to-zone vm_zone policy from-inet_to-vm then deny",
                    "set security zones security-zone trust tcp-rst",
                    "set security zones security-zone trust host-inbound-traffic system-services https",
                    "set security zones security-zone trust host-inbound-traffic system-services ssh",
                    "set security zones security-zone trust host-inbound-traffic protocols all",
                    "set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh",
                    "set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services netconf",
                    "set security zones security-zone untrust screen untrust-screen",
                    "set security zones security-zone inetgw_zone host-inbound-traffic system-services all",
                    "set security zones security-zone inetgw_zone host-inbound-traffic protocols all",
                    "set security zones security-zone inetgw_zone interfaces ge-0/0/2.0",
                    "set security zones security-zone vm_zone host-inbound-traffic system-services all",
                    "set security zones security-zone vm_zone host-inbound-traffic protocols all",
                    "set security zones security-zone vm_zone interfaces ge-0/0/1.0",
                    "set security zones security-zone vm_zone interfaces ge-0/0/3.0",
                    "set interfaces ge-0/0/0 unit 0 family inet address 172.16.202.8/28 vrrp-group 10 virtual-address 172.16.202.7",
                    "set interfaces ge-0/0/0 unit 0 family inet address 172.16.202.8/28 vrrp-group 10 priority 200",
                    "set interfaces ge-0/0/0 unit 0 family inet address 172.16.202.8/28 vrrp-group 10 preempt",
                    "set interfaces ge-0/0/0 unit 0 family inet address 172.16.202.8/28 vrrp-group 10 accept-data",
                    "set interfaces ge-0/0/1 unit 0 family inet address 172.16.201.8/24 vrrp-group 20 virtual-address 172.16.201.7",
                    "set interfaces ge-0/0/1 unit 0 family inet address 172.16.201.8/24 vrrp-group 20 priority 200",
                    "set interfaces ge-0/0/1 unit 0 family inet address 172.16.201.8/24 vrrp-group 20 preempt",
                    "set interfaces ge-0/0/1 unit 0 family inet address 172.16.201.8/24 vrrp-group 20 accept-data",
                    "set interfaces ge-0/0/2 unit 0 family inet address 172.16.203.8/28 vrrp-group 30 virtual-address 172.16.203.7",
                    "set interfaces ge-0/0/2 unit 0 family inet address 172.16.203.8/28 vrrp-group 30 priority 200",
                    "set interfaces ge-0/0/2 unit 0 family inet address 172.16.203.8/28 vrrp-group 30 preempt",
                    "set interfaces ge-0/0/2 unit 0 family inet address 172.16.203.8/28 vrrp-group 30 accept-data",
                    "set interfaces ge-0/0/3 unit 0 family inet address 169.254.0.8/17 vrrp-group 40 virtual-address 169.254.0.7",
                    "set interfaces ge-0/0/3 unit 0 family inet address 169.254.0.8/17 vrrp-group 40 priority 200",
                    "set interfaces ge-0/0/3 unit 0 family inet address 169.254.0.8/17 vrrp-group 40 preempt",
                    "set interfaces ge-0/0/3 unit 0 family inet address 169.254.0.8/17 vrrp-group 40 accept-data",
                    "set interfaces ge-0/0/4 disable",
                    "set interfaces ge-0/0/5 disable",
                    "set interfaces ge-0/0/6 disable",
                    "set interfaces ge-0/0/7 disable",
                    "set interfaces fxp0 unit 0 family inet address XXX.XXX.XXX.XXX/XX",
                    "set snmp community XXXXXXXXXXXXXXXX authorization read-only",
                    "set routing-options static route XXX.XXX.XXX.XXX/XX next-hop XXX.XXX.XXX.XXX",
                    "set routing-options static route 0.0.0.0/0 next-hop 172.16.203.10",
                    "set routing-options static route 210.170.119.128/26 next-hop 172.16.202.10",
                    "set routing-options static route XXX.XXX.XXX.XXX/XX next-hop 172.16.202.10"
                ]
            ]
        }
    }
    
    PLAY RECAP *************************************************************************************************************************************************************
    172.16.202.8               : ok=18   changed=16   unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
    
  6. Run the following command to configure vSRX unit 2.
    # ansible-playbook -i hosts playbook_vsrx02.yml
    
     PLAY [vSRX2] ***********************************************************************************************************************************************************
    
     TASK [vSRX2_subuser_test : 1-3.ゾーン"trust"の設定] **************************************************************************************************************************
     changed: [172.16.202.9]
    
     TASK [vSRX2_subuser_test : 1-4.ゾーン"inetgw_zone"の設定] ********************************************************************************************************************
     changed: [172.16.202.9]
    
     TASK [vSRX2_subuser_test : 1-5.ゾーン"vm-zone"の設定] ************************************************************************************************************************
     changed: [172.16.202.9]
    
     TASK [vSRX2_subuser_test : 1-6.インターネットGWへのNAT設定] ***********************************************************************************************************************
     changed: [172.16.202.9]
    
     TASK [vSRX2_subuser_test : 1-7.共通機能GWへのNAT設定] **************************************************************************************************************************
     changed: [172.16.202.9]
    
     TASK [vSRX2_subuser_test : 1-8.VMから共通機能GWへの通信許可のポリシー設定] ****************************************************************************************************************
     changed: [172.16.202.9]
    
     TASK [vSRX2_subuser_test : 1-9.VMからインターネットGWへの通信許可のポリシー設定] *************************************************************************************************************
     changed: [172.16.202.9]
    
     TASK [vSRX2_subuser_test : 1-10.VMからFIC-GWへの通信許可のポリシー設定] ***************************************************************************************************************
     changed: [172.16.202.9]
    
     TASK [vSRX2_subuser_test : 1-11.FIC-GWからVMへの通信許可のポリシー設定] ***************************************************************************************************************
     changed: [172.16.202.9]
    
     TASK [vSRX2_subuser_test : インターネットGWからFIC-GWへの通信拒否のポリシー設定] *************************************************************************************************************
     changed: [172.16.202.9]
    
     TASK [vSRX2_subuser_test : 1-13.インターネットGWからVMへの通信拒否のポリシー設定] ************************************************************************************************************
     changed: [172.16.202.9]
    
     TASK [vSRX2_subuser_test : 1-14.スタティックルート設定] ***************************************************************************************************************************
     changed: [172.16.202.9]
    
     TASK [vSRX2_subuser_test : config test] ********************************************************************************************************************************
     changed: [172.16.202.9]
    
     TASK [vSRX2_subuser_test : interface0/0/0/1] ***************************************************************************************************************************
     changed: [172.16.202.9]
    
     TASK [vSRX2_subuser_test : interfaces0/0/2] ****************************************************************************************************************************
     changed: [172.16.202.9]
    
     TASK [vSRX2_subuser_test : interfaces0/0/3] ****************************************************************************************************************************
     changed: [172.16.202.9]
    
     TASK [vSRX2_subuser_test : show configuration] *************************************************************************************************************************
     ok: [172.16.202.9]
    
     TASK [vSRX2_subuser_test : debug] **************************************************************************************************************************************
     ok: [172.16.202.9] => {
         "msg": {
             "changed": false,
             "failed": false,
     ~ output truncated for length ~
    
             "stdout_lines": [
                 [
                     "set version 20.4R2.7",
                     "set system host-name vSRX1",
     ~ output truncated for length ~
    
                     "set security policies from-zone vm_zone to-zone vm_zone policy from-vm_to-common match source-address any",
                     "set security policies from-zone vm_zone to-zone vm_zone policy from-vm_to-common match destination-address any",
                     "set security policies from-zone vm_zone to-zone vm_zone policy from-vm_to-common match application any",
                     "set security policies from-zone vm_zone to-zone vm_zone policy from-vm_to-common then permit",
                     "set security policies from-zone vm_zone to-zone inetgw_zone policy from-vm_to-inet match source-address any",
                     "set security policies from-zone vm_zone to-zone inetgw_zone policy from-vm_to-inet match destination-address any",
                     "set security policies from-zone vm_zone to-zone inetgw_zone policy from-vm_to-inet match application any",
                     "set security policies from-zone vm_zone to-zone inetgw_zone policy from-vm_to-inet then permit",
                     "set security policies from-zone vm_zone to-zone trust policy from-vm_to-fic match source-address any",
                     "set security policies from-zone vm_zone to-zone trust policy from-vm_to-fic match destination-address any",
                     "set security policies from-zone vm_zone to-zone trust policy from-vm_to-fic match application any",
                     "set security policies from-zone vm_zone to-zone trust policy from-vm_to-fic then permit",
                     "set security policies from-zone trust to-zone vm_zone policy from-fic_to-vm match source-address any",
                     "set security policies from-zone trust to-zone vm_zone policy from-fic_to-vm match destination-address any",
                     "set security policies from-zone trust to-zone vm_zone policy from-fic_to-vm match application any",
                     "set security policies from-zone trust to-zone vm_zone policy from-fic_to-vm then permit",
                     "set security policies from-zone inetgw_zone to-zone trust policy from-inet_to-fic match source-address any",
                     "set security policies from-zone inetgw_zone to-zone trust policy from-inet_to-fic match destination-address any",
                     "set security policies from-zone inetgw_zone to-zone trust policy from-inet_to-fic match application any",
                     "set security policies from-zone inetgw_zone to-zone trust policy from-inet_to-fic then deny",
                     "set security policies from-zone inetgw_zone to-zone vm_zone policy from-inet_to-vm match source-address any",
                     "set security policies from-zone inetgw_zone to-zone vm_zone policy from-inet_to-vm match destination-address any",
                     "set security policies from-zone inetgw_zone to-zone vm_zone policy from-inet_to-vm match application any",
                     "set security policies from-zone inetgw_zone to-zone vm_zone policy from-inet_to-vm then deny",
                     "set security zones security-zone trust tcp-rst",
                     "set security zones security-zone trust host-inbound-traffic system-services https",
                     "set security zones security-zone trust host-inbound-traffic system-services ssh",
                     "set security zones security-zone trust host-inbound-traffic protocols all",
                     "set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh",
                     "set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services netconf",
                     "set security zones security-zone untrust screen untrust-screen",
                     "set security zones security-zone inetgw_zone host-inbound-traffic system-services all",
                     "set security zones security-zone inetgw_zone host-inbound-traffic protocols all",
                     "set security zones security-zone inetgw_zone interfaces ge-0/0/2.0",
                     "set security zones security-zone vm_zone host-inbound-traffic system-services all",
                     "set security zones security-zone vm_zone host-inbound-traffic protocols all",
                     "set security zones security-zone vm_zone interfaces ge-0/0/1.0",
                     "set security zones security-zone vm_zone interfaces ge-0/0/3.0",
                     "set interfaces ge-0/0/0 unit 0 family inet address 172.16.202.9/28 vrrp-group 10 virtual-address 172.16.202.7",
                     "set interfaces ge-0/0/0 unit 0 family inet address 172.16.202.9/28 vrrp-group 10 priority 150",
                     "set interfaces ge-0/0/0 unit 0 family inet address 172.16.202.9/28 vrrp-group 10 preempt",
                     "set interfaces ge-0/0/0 unit 0 family inet address 172.16.202.9/28 vrrp-group 10 accept-data",
                     "set interfaces ge-0/0/1 unit 0 family inet address 172.16.201.9/24 vrrp-group 20 virtual-address 172.16.201.7",
                     "set interfaces ge-0/0/1 unit 0 family inet address 172.16.201.9/24 vrrp-group 20 priority 150",
                     "set interfaces ge-0/0/1 unit 0 family inet address 172.16.201.9/24 vrrp-group 20 preempt",
                     "set interfaces ge-0/0/1 unit 0 family inet address 172.16.201.9/24 vrrp-group 20 accept-data",
                     "set interfaces ge-0/0/2 unit 0 family inet address 172.16.203.9/28 vrrp-group 30 virtual-address 172.16.203.7",
                     "set interfaces ge-0/0/2 unit 0 family inet address 172.16.203.9/28 vrrp-group 30 priority 150",
                     "set interfaces ge-0/0/2 unit 0 family inet address 172.16.203.9/28 vrrp-group 30 preempt",
                     "set interfaces ge-0/0/2 unit 0 family inet address 172.16.203.9/28 vrrp-group 30 accept-data",
                     "set interfaces ge-0/0/3 unit 0 family inet address 169.254.0.9/17 vrrp-group 40 virtual-address 169.254.0.7",
                     "set interfaces ge-0/0/3 unit 0 family inet address 169.254.0.9/17 vrrp-group 40 priority 150",
                     "set interfaces ge-0/0/3 unit 0 family inet address 169.254.0.9/17 vrrp-group 40 preempt",
                     "set interfaces ge-0/0/3 unit 0 family inet address 169.254.0.9/17 vrrp-group 40 accept-data",
                     "set interfaces ge-0/0/4 disable",
                     "set interfaces ge-0/0/5 disable",
                     "set interfaces ge-0/0/6 disable",
                     "set interfaces ge-0/0/7 disable",
                     "set interfaces fxp0 unit 0 family inet address XXX.XXX.XXX.XXX/XX",
                     "set snmp community XXXXXXXXXXXXXXXX authorization read-only",
                     "set routing-options static route XXX.XXX.XXX.XXX/XX next-hop XXX.XXX.XXX.XXX",
                     "set routing-options static route 0.0.0.0/0 next-hop 172.16.203.10",
                     "set routing-options static route 210.170.119.128/26 next-hop 172.16.202.10",
                     "set routing-options static route XXX.XXX.XXX.XXX/XX next-hop 172.16.202.10"
                 ]
             ]
         }
     }
    
     PLAY RECAP *************************************************************************************************************************************************************
     172.16.202.9               : ok=18   changed=16   unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
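
The debug tasks in steps 5 and 6 print each unit's resulting configuration in set form (the `stdout_lines` array). The following is an added example, not part of the SDPF procedure or of the playbooks: it parses such a set-style dump and checks it against the intent of the tasks, namely the six zone policies (permit from vm_zone and from trust, deny from inetgw_zone), the NETCONF service on ge-0/0/0.0 that the initialization scripts in steps 3 and 4 commit, and the VRRP roles (priority 200 on unit 1, 150 on unit 2). The `sample_config()` inputs are constructed in the shape of the page's output, not copied captures, and all function and variable names are assumptions.

```python
"""Post-deployment audit of a vSRX 'show configuration | display set' dump.

Added example, not part of the SDPF procedure. Feed audit_unit() the inner
stdout_lines list of a unit's debug task together with the host-name and VRRP
priority the runbook expects for that unit.
"""
import re
from collections import defaultdict

# Intended zone policy matrix, taken from the playbook task names (1-6 .. 1-11)
# and the policy names visible in the show-configuration output.
EXPECTED_POLICIES = {
    ("vm_zone", "vm_zone", "from-vm_to-common"): "permit",
    ("vm_zone", "inetgw_zone", "from-vm_to-inet"): "permit",
    ("vm_zone", "trust", "from-vm_to-fic"): "permit",
    ("trust", "vm_zone", "from-fic_to-vm"): "permit",
    ("inetgw_zone", "trust", "from-inet_to-fic"): "deny",
    ("inetgw_zone", "vm_zone", "from-inet_to-vm"): "deny",
}
# The line the vsrxN-initialization.sh expect script commits so Ansible can reach the unit.
NETCONF_LINE = ("set security zones security-zone trust interfaces ge-0/0/0.0 "
                "host-inbound-traffic system-services netconf")

HOSTNAME_RE = re.compile(r"^set system host-name (\S+)$")
POLICY_RE = re.compile(r"^set security policies from-zone (\S+) to-zone (\S+) "
                       r"policy (\S+) then (permit|deny)$")
VRRP_RE = re.compile(r"^set interfaces (\S+) unit 0 family inet address \S+ "
                     r"vrrp-group (\d+) (.+)$")


def parse_set_config(lines):
    """Reduce a 'display set' dump to the facts the audit cares about."""
    cfg = {"hostname": None, "policies": {}, "vrrp": defaultdict(dict), "netconf": False}
    for raw in lines:
        line = raw.strip()
        m = HOSTNAME_RE.match(line)
        if m:
            cfg["hostname"] = m.group(1)
            continue
        m = POLICY_RE.match(line)
        if m:  # 'match ...' lines do not end in then permit/deny and are skipped
            from_zone, to_zone, name, action = m.groups()
            cfg["policies"][(from_zone, to_zone, name)] = action
            continue
        m = VRRP_RE.match(line)
        if m:
            ifname, group, tail = m.groups()
            entry = cfg["vrrp"][(ifname, int(group))]
            if tail.startswith("priority "):
                entry["priority"] = int(tail.split()[1])
            elif tail.startswith("virtual-address "):
                entry["virtual_address"] = tail.split()[1]
            else:
                entry[tail] = True  # preempt / accept-data flags
            continue
        if line == NETCONF_LINE:
            cfg["netconf"] = True
    return cfg


def audit_unit(lines, expected_hostname, expected_priority):
    """Return human-readable findings; an empty list means the unit matches the runbook."""
    cfg = parse_set_config(lines)
    findings = []
    if cfg["hostname"] != expected_hostname:
        findings.append(f"host-name {cfg['hostname']!r}, expected {expected_hostname!r}")
    for (fz, tz, name), want in EXPECTED_POLICIES.items():
        got = cfg["policies"].get((fz, tz, name))
        if got != want:
            findings.append(f"policy {name} {fz}->{tz}: expected {want}, got {got}")
    if not cfg["netconf"]:
        findings.append("NETCONF not enabled on ge-0/0/0.0 in zone trust")
    for (ifname, group), entry in sorted(cfg["vrrp"].items()):
        if entry.get("priority") != expected_priority:
            findings.append(f"{ifname} vrrp-group {group}: priority {entry.get('priority')}, "
                            f"expected {expected_priority}")
        if "virtual_address" not in entry or not entry.get("accept-data"):
            findings.append(f"{ifname} vrrp-group {group}: virtual-address or accept-data missing")
    return findings


def sample_config(hostname, host_octet, priority):
    """Constructed sample in the shape of the page's stdout_lines (not a real capture)."""
    lines = [f"set system host-name {hostname}", NETCONF_LINE]
    for (fz, tz, name), action in EXPECTED_POLICIES.items():
        prefix = f"set security policies from-zone {fz} to-zone {tz} policy {name}"
        lines += [f"{prefix} match application any", f"{prefix} then {action}"]
    for ifname, group, net, plen in (("ge-0/0/0", 10, "172.16.202", 28),
                                     ("ge-0/0/1", 20, "172.16.201", 24)):
        base = (f"set interfaces {ifname} unit 0 family inet address "
                f"{net}.{host_octet}/{plen} vrrp-group {group}")
        lines += [f"{base} virtual-address {net}.7", f"{base} priority {priority}",
                  f"{base} preempt", f"{base} accept-data"]
    return lines


SAMPLE_VSRX1 = sample_config("vSRX1", 8, 200)
SAMPLE_VSRX2 = sample_config("vSRX2", 9, 150)

if __name__ == "__main__":
    for name, lines, prio in (("vSRX1", SAMPLE_VSRX1, 200), ("vSRX2", SAMPLE_VSRX2, 150)):
        findings = audit_unit(lines, name, prio)
        print(name, "OK" if not findings else "\n  " + "\n  ".join(findings))
```

Run it against the real `stdout_lines` of each unit after the playbooks finish: a non-empty list means the device drifted from the runbook's intent (a deny policy flipped to permit, a VRRP priority that would make both units compete for master, NETCONF missing), and a second unit that still reports the first unit's host-name is flagged by the host-name check as well.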