Add vm-tailscale lab: Azure Linux VM with Tailscale SSH

Author: asw101

linux/vm-tailscale/README.md

@@ -0,0 +1,112 @@
+# Linux VM in Azure with Tailscale SSH
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure-Samples%2Fopen-source-labs%2Fmain%2Flinux%2Fvm-tailscale%2Fvm.json)
+
+Deploy an Azure Linux VM with [Tailscale SSH](https://tailscale.com/kb/1193/tailscale-ssh/) — no public SSH ports, no SSH keys to manage. Connect securely over your [Tailscale tailnet](https://tailscale.com/kb/1136/tailnet/).
+
+## Prerequisites
+
+- [Azure CLI](https://docs.microsoft.com/cli/azure/install-azure-cli)
+- A [Tailscale](https://tailscale.com/) account
+- A Tailscale [Auth key](https://login.tailscale.com/admin/settings/keys) (one-off recommended)
+
+## Quick Start
+
+Create a resource group:
+
+```bash
+RESOURCE_GROUP='260200-linux-ts'
+LOCATION='eastus'
+
+az group create \
+    --name $RESOURCE_GROUP \
+    --location $LOCATION
+```
+
+Deploy directly from URL (no local files needed):
+
+```bash
+az deployment group create \
+    --resource-group $RESOURCE_GROUP \
+    --template-uri https://raw.githubusercontent.com/Azure-Samples/open-source-labs/main/linux/vm-tailscale/vm.json \
+    --parameters \
+        cloudInit='tailscale' \
+        env='{"tskey":"<YOUR_TAILSCALE_AUTH_KEY>"}'
+```
+
+Or deploy using a local file:
+
+```bash
+az deployment group create \
+    --resource-group $RESOURCE_GROUP \
+    --template-file vm.bicep \
+    --parameters \
+        cloudInit='tailscale' \
+        env='{"tskey":"<YOUR_TAILSCALE_AUTH_KEY>"}'
+```
+
+Once deployed, SSH via Tailscale (with [MagicDNS](https://tailscale.com/kb/1081/magicdns/)):
+
+```bash
+ssh azureuser@vm1
+```
+
+Or by Tailscale IP:
+
+```bash
+ssh azureuser@<tailscale-ip>
+```
+
+## Parameters
+
+| Parameter | Default | Description |
+|-----------|---------|-------------|
+| `vmName` | `vm1` | VM name (also the Tailscale hostname) |
+| `vmSize` | `Standard_B2s_v2` | VM size (see VM Sizes below) |
+| `osImage` | `Ubuntu 24.04-LTS` | OS image (`Ubuntu 24.04-LTS (arm64)` for Arm) |
+| `osDiskSize` | `64` | OS disk size in GB |
+| `cloudInit` | `none` | `tailscale` or `none` |
+| `env` | `{}` | JSON object with `tskey` for Tailscale auth key |
+| `adminUsername` | `azureuser` | VM admin username |
+| `adminPasswordOrKey` | _(placeholder)_ | SSH public key (not needed with Tailscale SSH) |
+
+## VM Sizes
+
+| Size | vCPUs | RAM | Arch | Notes |
+|------|-------|-----|------|-------|
+| `Standard_B2ts_v2` | 2 | 1 GiB | x64 | Free tier eligible |
+| `Standard_B2ls_v2` | 2 | 4 GiB | x64 | |
+| `Standard_B2s_v2` | 2 | 8 GiB | x64 | Default |
+| `Standard_B4ls_v2` | 4 | 8 GiB | x64 | |
+| `Standard_B4s_v2` | 4 | 16 GiB | x64 | |
+| `Standard_D2s_v5` | 2 | 8 GiB | x64 | |
+| `Standard_D4s_v5` | 4 | 16 GiB | x64 | |
+| `Standard_D2ps_v5` | 2 | 8 GiB | arm64 | Ampere Altra |
+| `Standard_D4ps_v5` | 4 | 16 GiB | arm64 | Ampere Altra |
+
+## Arm64 VMs
+
+To deploy on [Ampere Altra Arm64-based VMs](https://azure.microsoft.com/blog/azure-virtual-machines-with-ampere-altra-arm-based-processors-generally-available/):
+
+```bash
+az deployment group create \
+    --resource-group $RESOURCE_GROUP \
+    --template-uri https://raw.githubusercontent.com/Azure-Samples/open-source-labs/main/linux/vm-tailscale/vm.json \
+    --parameters \
+        vmName='arm1' \
+        cloudInit='tailscale' \
+        env='{"tskey":"<YOUR_TAILSCALE_AUTH_KEY>"}' \
+        vmSize='Standard_D2ps_v5' \
+        osImage='Ubuntu 24.04-LTS (arm64)'
+```
+
+## Cleanup
+
+Empty the resource group (keeps the group, removes all resources):
+
+```bash
+az deployment group create \
+    --resource-group $RESOURCE_GROUP \
+    --template-uri https://raw.githubusercontent.com/Azure-Samples/open-source-labs/main/linux/vm-tailscale/empty.json \
+    --mode Complete
+```

linux/vm-tailscale/empty.bicep

@@ -0,0 +1 @@
+

linux/vm-tailscale/empty.json

@@ -0,0 +1,12 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.0",
+  "metadata": {
+    "_generator": {
+      "name": "bicep",
+      "version": "0.40.2.10011",
+      "templateHash": "1185148849829504269"
+    }
+  },
+  "resources": []
+}

linux/vm-tailscale/vm.bicep

@@ -0,0 +1,259 @@
+@description('The name of your Virtual Machine.')
+param vmName string = 'vm1'
+
+@description('The Virtual Machine size.')
+@allowed([
+  'Standard_B2ts_v2'
+  'Standard_B2ls_v2'
+  'Standard_B2s_v2'
+  'Standard_B4ls_v2'
+  'Standard_B4s_v2'
+  'Standard_D2s_v5'
+  'Standard_D4s_v5'
+  'Standard_D2ps_v5'
+  'Standard_D4ps_v5'
+])
+param vmSize string = 'Standard_B2s_v2'
+
+@description('The Storage Account Type for OS and Data disks.')
+@allowed([
+  'Standard_LRS'
+  'Premium_LRS'
+])
+param diskAccountType string = 'Premium_LRS'
+
+@description('The OS Disk size.')
+@allowed([
+  1024
+  512
+  256
+  128
+  64
+  32
+])
+param osDiskSize int = 64
+
+@description('The OS image for the VM.')
+@allowed([
+  'Ubuntu 24.04-LTS'
+  'Ubuntu 24.04-LTS (arm64)'
+])
+param osImage string = 'Ubuntu 24.04-LTS'
+
+@description('Location for all resources.')
+param location string = resourceGroup().location
+
+@description('Username for the Virtual Machine.')
+param adminUsername string = 'azureuser'
+
+@secure()
+@description('SSH Key for the Virtual Machine.')
+param adminPasswordOrKey string = ''
+
+@description('Deploy with Tailscale SSH.')
+@allowed([
+  'none'
+  'tailscale'
+])
+param cloudInit string = 'none'
+
+@description('Environment variables as JSON object (e.g. {"tskey":"tskey-auth-..."}).')
+@secure()
+param env object = {}
+
+var rand = substring(uniqueString(resourceGroup().id), 0, 6)
+var vnetName = '${resourceGroup().name}-vnet'
+var subnetName = 'default'
+var keyData_var = adminPasswordOrKey != '' ? adminPasswordOrKey : 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC3gkRpKwprN00sT7yekr0xO0F+uTllDua02puhu1v0zGu3aENvUsygBHJiTy+flgrO2q3mY9F5/D67+WHDeSpr5s71UtnbzMxTams89qmo+raTm+IqjzdNujaWf0/pbT6JUkQq0fR0BfIvg3/7NTXhlzjmCOP2EpD91LzN6b5jAm/5hXr0V5mcpERo8kk2GWxjKmwmDOV+huH1DIFDpMxT3WzR2qvZp1DZbNSYmKkrite3FHlPGLXA1I3bRQT+iTj8vRGpxOPSiMdPK4RNMEZVXSGQ3OZbSl2FBCbd/tdJ1idKo8/ZCkHxdh9/em28/yfPUK0D164shgiEdIkdOQJv'
+var publicIPAddressName = '${vmName}-ip'
+var networkInterfaceName = '${vmName}-nic'
+var ipConfigName = '${vmName}-ipconfig'
+var subnetAddressPrefix = '10.1.0.0/24'
+var addressPrefix = '10.1.0.0/16'
+
+
+var cloudInitTailscale = '''
+#cloud-config
+# vim: syntax=yaml
+
+packages:
+- jq
+- curl
+
+write_files:
+- path: /home/azureuser/env.json
+  content: {0}
+  encoding: b64
+- path: /home/azureuser/tailscale.sh
+  content: |
+    curl -fsSL https://tailscale.com/install.sh | sh
+    sudo tailscale up --ssh --authkey "$1"
+
+runcmd:
+- cd /home/azureuser/
+- bash tailscale.sh "$(jq -r '.tskey' env.json)"
+- echo $(date) > hello.txt
+- chown -R azureuser:azureuser /home/azureuser/
+'''
+
+var cloudInitTailscaleFormat = format(cloudInitTailscale, base64(string(env)))
+
+var kvCloudInit = {
+  none: null
+  tailscale: base64(cloudInitTailscaleFormat)
+}
+
+var kvImageReference = {
+  'Ubuntu 24.04-LTS': {
+    publisher: 'canonical'
+    offer: 'ubuntu-24_04-lts'
+    sku: 'server'
+    version: 'latest'
+  }
+  'Ubuntu 24.04-LTS (arm64)': {
+    publisher: 'canonical'
+    offer: 'ubuntu-24_04-lts'
+    sku: 'server-arm64'
+    version: 'latest'
+  }
+}
+
+// Only Tailscale UDP port — SSH access is via Tailscale, not public internet
+var nsgSecurityRules = [
+  {
+    name: 'Port_41641'
+    properties: {
+      protocol: 'Udp'
+      sourcePortRange: '*'
+      destinationPortRange: '41641'
+      sourceAddressPrefix: 'Internet'
+      destinationAddressPrefix: '*'
+      access: 'Allow'
+      priority: 100
+      direction: 'Inbound'
+    }
+  }
+]
+
+resource identityName 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
+  name: '${resourceGroup().name}-identity'
+  location: location
+}
+
+resource nsg 'Microsoft.Network/networkSecurityGroups@2023-11-01' = {
+  name: '${resourceGroup().name}-nsg'
+  location: location
+  properties: {
+    securityRules: nsgSecurityRules
+  }
+}
+
+resource vnet 'Microsoft.Network/virtualNetworks@2023-11-01' = {
+  name: vnetName
+  location: location
+  properties: {
+    addressSpace: {
+      addressPrefixes: [
+        addressPrefix
+      ]
+    }
+    subnets: [
+      {
+        name: subnetName
+        properties: {
+          addressPrefix: subnetAddressPrefix
+        }
+      }
+    ]
+  }
+}
+
+resource publicIP 'Microsoft.Network/publicIPAddresses@2023-11-01' = {
+  name: publicIPAddressName
+  location: location
+  sku: {
+    name: 'Standard'
+  }
+  properties: {
+    publicIPAllocationMethod: 'Static'
+    dnsSettings: {
+      domainNameLabel: toLower('${vmName}-${rand}')
+    }
+  }
+}
+
+resource nic 'Microsoft.Network/networkInterfaces@2023-11-01' = {
+  name: networkInterfaceName
+  location: location
+  properties: {
+    ipConfigurations: [
+      {
+        name: ipConfigName
+        properties: {
+          subnet: {
+            id: vnet.properties.subnets[0].id
+          }
+          privateIPAllocationMethod: 'Dynamic'
+          publicIPAddress: { id: publicIP.id }
+        }
+      }
+    ]
+    networkSecurityGroup: {
+      id: nsg.id
+    }
+  }
+}
+
+resource vm 'Microsoft.Compute/virtualMachines@2024-03-01' = {
+  name: vmName
+  location: location
+  identity: {
+    type: 'UserAssigned'
+    userAssignedIdentities: {
+      '${identityName.id}': {}
+    }
+  }
+  properties: {
+    hardwareProfile: {
+      vmSize: vmSize
+    }
+    storageProfile: {
+      osDisk: {
+        managedDisk: {
+          storageAccountType: diskAccountType
+        }
+        name: '${vmName}-osdisk1'
+        diskSizeGB: osDiskSize
+        createOption: 'FromImage'
+      }
+      imageReference: kvImageReference[osImage]
+    }
+    networkProfile: {
+      networkInterfaces: [
+        {
+          id: nic.id
+        }
+      ]
+    }
+    osProfile: {
+      computerName: vmName
+      customData: kvCloudInit[cloudInit]
+      adminUsername: adminUsername
+      linuxConfiguration: {
+        disablePasswordAuthentication: true
+        ssh: {
+          publicKeys: [
+            {
+              keyData: keyData_var
+              path: '/home/${adminUsername}/.ssh/authorized_keys'
+            }
+          ]
+        }
+      }
+    }
+  }
+}
+
+output adminUsername string = adminUsername
+output hostname string = publicIP.properties.dnsSettings.fqdn
+output sshCommand string = 'ssh ${adminUsername}@${publicIP.properties.dnsSettings.fqdn}'