Merge pull request microsoft#2 from ryhud/ryhud-301

Ryhud 301

Author: ryhud

quickstart/201-machine-learning-moderately-secure/dsvm.tf

@@ -7,11 +7,7 @@ resource "azurerm_network_interface" "dsvm" {
         name                          = "configuration"
         subnet_id                     = azurerm_subnet.snet-dsvm.id 
         private_ip_address_allocation = "Dynamic"        
-    }
-    /*depends_on = [
-      azurerm_route_table.jumphost_rt
-    ]
-    */
+    }    
 }
 
 resource "azurerm_windows_virtual_machine" "dsvm" {

quickstart/201-machine-learning-moderately-secure/readme.md

@@ -6,13 +6,15 @@ and its associated resources including Azure Key Vault, Azure Storage, Azure App
 In addition to these core services, this configuration specifies any networking components that are required to set up Azure Machine Learning
 for private network connectivity using [Azure Private Link](https://docs.microsoft.com/en-us/azure/private-link/). 
 
-This configuration describes the minimal set of resources you require to get started with Azure Machine Learning in a network-isolated set-up. This configuration creates new network components. If you want to reuse existing network components, see [202 example](../201-machine-learning-moderately-secure/readme.md).
+This configuration describes the minimal set of resources you require to get started with Azure Machine Learning in a network-isolated set-up. This configuration creates new network components. Use Azure Bastion to securely connect to the Windows Data Science Virtual Machine. If you want to reuse existing network components, see [202 example](../201-machine-learning-moderately-secure/readme.md).
 
 ## Resources
 
 | Terraform Resource Type | Description |
 | - | - |
 | `azurerm_resource_group` | The resource group all resources get deployed into |
+| `azurerm_bastion_host` | An Azure Bastion Instance to securely RDP/SSH into Virtual Machines deployed into the Virtual Network |
+| `azurerm_windows_virtual_machine` | A Windows Data Science Virtual Machine used for connecting to the Azure Machine Learning workspace |
 | `azurerm_application_insights` | An Azure Application Insights instance associated to the Azure Machine Learning workspace |
 | `azurerm_key_vault` | An Azure Key Vault instance associated to the Azure Machine Learning workspace |
 | `azurerm_storage_account` | An Azure Storage instance associated to the Azure Machine Learning workspace |
@@ -39,6 +41,9 @@ This configuration describes the minimal set of resources you require to get sta
 | aks_subnet_address_space | Address space of the aks subnet | ["10.0.2.0/23"] |
 | ml_subnet_address_space | Address space of the ML workspace subnet | ["10.0.0.0/24"] |
 | image_build_compute_name | Name of the compute cluster to be created and configured for building docker images (Azure ML Environments) | image-builder |
+| dsvm_name | Name of the Windows Data Science VM resource | vmdsvm01 |
+| dsvm_admin_username | Admin username of the Windows Data Science VM | azureadmin |
+| dsvm_host_password | Password for the admin username of the Data Science VM | - |
 
 
 ## Usage

quickstart/201-machine-learning-moderately-secure/workspace.tf

@@ -63,6 +63,13 @@ resource "azurerm_machine_learning_workspace" "default" {
   # Args of use when using an Azure Private Link configuration
   public_network_access_enabled = false
   image_build_compute_name      = var.image_build_compute_name
+  depends_on = [    
+    azurerm_private_endpoint.kv_ple,
+    azurerm_private_endpoint.st_ple_blob,
+    azurerm_private_endpoint.storage_ple_file,
+    azurerm_private_endpoint.cr_ple,
+    azurerm_subnet.snet-training
+  ]
 
 }
 

quickstart/301-machine-learning-hub-spoke-secure/azure-firewall.tf

@@ -1,4 +1,10 @@
-
+# Generate random string for unique firewall diagnostic name
+resource "random_string" "fw_diag_prefix" {
+  length  = 8
+  upper   = false
+  special = false
+  number  = false
+}
 resource "azurerm_ip_group" "ip_group_hub" {
   name                = "hub-ipgroup"
   location            = azurerm_resource_group.hub_rg.location
@@ -61,7 +67,7 @@ resource "azurerm_firewall" "azure_firewall_instance" {
 }
 
 resource "azurerm_monitor_diagnostic_setting" "azure_firewall_instance" {
-  name                        = "diagnostics-${var.name}-${var.environment}"
+  name                        = "diagnostics-${var.name}-${var.environment}-${random_string.fw_diag_prefix.result}"
   target_resource_id          = azurerm_firewall.azure_firewall_instance.id
   log_analytics_workspace_id  = azurerm_log_analytics_workspace.default.id
 
@@ -168,6 +174,20 @@ application_rule_collection {
       destination_fqdns = ["github.com"]
     }
 
+    rule {
+      name = "raw.githubusercontent.com"
+      protocols {
+        type = "Https"
+        port = 443
+      }
+      protocols {
+        type = "Http"
+        port = 80
+      }
+      source_ip_groups = [azurerm_ip_group.ip_group_spoke.id]      
+      destination_fqdns = ["raw.githubusercontent.com"]
+    }
+
     rule {
       name = "microsoft-metrics-rules"
       protocols {

quickstart/301-machine-learning-hub-spoke-secure/dsvm.tf

@@ -7,11 +7,7 @@ resource "azurerm_network_interface" "dsvm" {
         name                          = "configuration"
         subnet_id                     = azurerm_subnet.snet-jumphost.id 
         private_ip_address_allocation = "Dynamic"        
-    }
-    /*depends_on = [
-      azurerm_route_table.jumphost_rt
-    ]
-    */
+    }    
 }
 
 resource "azurerm_windows_virtual_machine" "dsvm" {

quickstart/301-machine-learning-hub-spoke-secure/readme.md

@@ -13,6 +13,8 @@ This configuration describes the minimal set of resources you require to get sta
 | Terraform Resource Type | Description |
 | - | - |
 | `azurerm_resource_group` | The resource group all resources get deployed into |
+| `azurerm_bastion_host` | An Azure Bastion Instance to securely RDP/SSH into Virtual Machines deployed into the Virtual Network |
+| `azurerm_windows_virtual_machine` | A Windows Data Science Virtual Machine used for connecting to the Azure Machine Learning workspace |
 | `azurerm_application_insights` | An Azure Application Insights instance associated to the Azure Machine Learning workspace |
 | `azurerm_key_vault` | An Azure Key Vault instance associated to the Azure Machine Learning workspace |
 | `azurerm_storage_account` | An Azure Storage instance associated to the Azure Machine Learning workspace |
@@ -26,6 +28,8 @@ This configuration describes the minimal set of resources you require to get sta
 | `azurerm_machine_learning_compute_instance` | An Azure Machine Learning compute instance a single-node managed compute. |
 | `azurerm_machine_learning_compute_cluster` | An Azure Machine Learning compute cluster as multi-node shared and managed compute. |
 | `azurerm_network_security_group` | Network security group with required inbound and outbound rules for Azure Machine Learning. |
+| `azurerm_firewall` | An Azure firewall instance used for egress traffic on the Virtual Network. |
+| `azurerm_public_ip` | A public IP resource used for the Azure Firewall. |
 
 ## Variables
 
@@ -38,8 +42,14 @@ This configuration describes the minimal set of resources you require to get sta
 | training_subnet_address_space | Address space of the training subnet | ["10.0.1.0/24"] |
 | aks_subnet_address_space | Address space of the aks subnet | ["10.0.2.0/23"] |
 | ml_subnet_address_space | Address space of the ML workspace subnet | ["10.0.0.0/24"] |
+| vnet_hub_address_space | Address space of the Hub virtual network | ["10.1.0.0/16"] |
+| jumphost_subnet_address_space | Address space of the Jumphost subnet | ["10.1.2.0/24"] |
+| bastion_subnet_address_space | Address space of the bastion subnet | ["10.1.3.0/24"] |
+| firewall_subnet_address_space | Address space of the Az Fiewall subnet | ["10.1.4.0/24"] |
 | image_build_compute_name | Name of the compute cluster to be created and configured for building docker images (Azure ML Environments) | image-builder |
-
+| dsvm_name | Name of the Windows Data Science VM resource | vmdsvm01 |
+| dsvm_admin_username | Admin username of the Windows Data Science VM | azureadmin |
+| dsvm_host_password | Password for the admin username of the Data Science VM | - |
 
 ## Usage
 

quickstart/301-machine-learning-hub-spoke-secure/variables.tf

@@ -89,5 +89,5 @@ variable "dsvm_admin_username" {
 variable "dsvm_host_password" {
   type        = string
   description = "Password for the admin username of the Data Science VM"
-  
+  sensitive   = true
 }

quickstart/301-machine-learning-hub-spoke-secure/workspace.tf

@@ -65,7 +65,12 @@ resource "azurerm_machine_learning_workspace" "default" {
   public_network_access_enabled = false
   image_build_compute_name      = var.image_build_compute_name
   depends_on = [
-    azurerm_firewall.azure_firewall_instance
+    azurerm_firewall.azure_firewall_instance,
+    azurerm_private_endpoint.kv_ple,
+    azurerm_private_endpoint.st_ple_blob,
+    azurerm_private_endpoint.storage_ple_file,
+    azurerm_private_endpoint.cr_ple,
+    azurerm_subnet.snet-training
   ]
 
 }