
Commit 2b9b074

committed
adding Azure Bastion and DSVM
1 parent 54355dc commit 2b9b074

4 files changed

Lines changed: 221 additions & 0 deletions


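--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_file1
@@ -0,0 +1,125 @@
+resource "azurerm_public_ip" "azure_bastion" {
+name = "pip-azure-bastion"
+location = azurerm_resource_group.default.location
+resource_group_name = azurerm_resource_group.default.name
+allocation_method = "Static"
+sku = "Standard"
+}
+
+resource "azurerm_network_security_group" "bastion_nsg" {
+name = "nsg-bastion"
+location = azurerm_resource_group.default.location
+resource_group_name = azurerm_resource_group.default.name
+
+security_rule {
+name = "AllowHTTPSInbound"
+priority = 100
+direction = "Inbound"
+access = "Allow"
+protocol = "Tcp"
+source_port_range = "*"
+destination_port_range = "443"
+source_address_prefix = "Internet"
+destination_address_prefix = "*"
+}
+security_rule {
+name = "AllowGatewayManagerInbound"
+priority = 200
+direction = "Inbound"
+access = "Allow"
+protocol = "Tcp"
+source_port_range = "*"
+destination_port_range = "443"
+source_address_prefix = "GatewayManager"
+destination_address_prefix = "*"
+}
+security_rule {
+name = "AllowAzureLBInbound"
+priority = 300
+direction = "Inbound"
+access = "Allow"
+protocol = "Tcp"
+source_port_range = "*"
+destination_port_range = "443"
+source_address_prefix = "AzureLoadBalancer"
+destination_address_prefix = "*"
+}
+security_rule {
+name = "AllowBastionHostCommunication"
+priority = 400
+direction = "Inbound"
+access = "Allow"
+protocol = "*"
+source_port_range = "*"
+destination_port_ranges = ["5701","8080"]
+source_address_prefix = "VirtualNetwork"
+destination_address_prefix = "VirtualNetwork"
+}
+security_rule {
+name = "AllowRdpSshOutbound"
+priority = 100
+direction = "Outbound"
+access = "Allow"
+protocol = "Tcp"
+source_port_range = "*"
+destination_port_ranges = ["22", "3389"]
+source_address_prefix = "*"
+destination_address_prefix = "VirtualNetwork"
+}
+security_rule {
+name = "AllowBastionHostCommunicationOutbound"
+priority = 110
+direction = "Outbound"
+access = "Allow"
+protocol = "Tcp"
+source_port_range = "*"
+destination_port_ranges = ["5701", "8080"]
+source_address_prefix = "VirtualNetwork"
+destination_address_prefix = "VirtualNetwork"
+}
+security_rule {
+name = "AllowAzureCloudOutbound"
+priority = 120
+direction = "Outbound"
+access = "Allow"
+protocol = "Tcp"
+source_port_range = "*"
+destination_port_ranges = ["443"]
+source_address_prefix = "*"
+destination_address_prefix = "AzureCloud"
+}
+security_rule {
+name = "AllowGetSessionInformation"
+priority = 130
+direction = "Outbound"
+access = "Allow"
+protocol = "Tcp"
+source_port_range = "*"
+destination_port_ranges = ["80"]
+source_address_prefix = "*"
+destination_address_prefix = "Internet"
+}
+
+}
+
+resource "azurerm_subnet_network_security_group_association" "bastion_nsg_assoc" {
+subnet_id = azurerm_subnet.azure_bastion.id
+network_security_group_id = azurerm_network_security_group.bastion_nsg.id
+depends_on = [
+azurerm_bastion_host.azure_bastion_instance
+]
+}
+
+
+resource "azurerm_bastion_host" "azure_bastion_instance" {
+name = "bas-${var.name}-${var.environment}"
+location = azurerm_resource_group.default.location
+resource_group_name = azurerm_resource_group.default.name
+
+ip_configuration {
+name = "configuration"
+subnet_id = azurerm_subnet.azure_bastion.id
+public_ip_address_id = azurerm_public_ip.azure_bastion.id
+}
+}
+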
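Review bot: The `depends_on = [azurerm_bastion_host.azure_bastion_instance]` on `bastion_nsg_assoc` makes the NSG attach to AzureBastionSubnet only after the Bastion host exists, so the subnet runs without any NSG for the whole Bastion provisioning window and the ordering reads as deliberate but is undocumented. Since `bastion_nsg` already carries the rule set Azure expects on a Bastion subnet (443 inbound from Internet, GatewayManager and AzureLoadBalancer, 5701/8080 within VirtualNetwork, and the 22/3389, 443 and 80 outbound rules), the association should normally be creatable before the host; if the ordering works around a provisioning error seen in practice, record it with a comment such as `# NSG is attached after the host on purpose: <reason>` rather than leaving it unexplained. Separately, `pip-azure-bastion` and `nsg-bastion` are hard-coded while the host is named `"bas-${var.name}-${var.environment}"`; using the same pattern (e.g. `name = "pip-bastion-${var.name}-${var.environment}"`) keeps the naming scheme consistent across the three resources. The file path for this section is not shown on the page.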
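--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_file2
@@ -0,0 +1,52 @@
+resource "azurerm_network_interface" "dsvm" {
+name = "nic-${var.dsvm_name}"
+location = azurerm_resource_group.default.location
+resource_group_name = azurerm_resource_group.default.name
+
+ip_configuration {
+name = "configuration"
+subnet_id = azurerm_subnet.snet-dsvm.id
+private_ip_address_allocation = "Dynamic"
+}
+/*depends_on = [
+azurerm_route_table.jumphost_rt
+]
+*/
+}
+
+resource "azurerm_windows_virtual_machine" "dsvm" {
+name = var.dsvm_name
+location = azurerm_resource_group.default.location
+resource_group_name = azurerm_resource_group.default.name
+network_interface_ids = [
+azurerm_network_interface.dsvm.id
+]
+size = "Standard_DS3_v2"
+
+source_image_reference {
+publisher = "microsoft-dsvm"
+offer = "dsvm-win-2019"
+sku = "server-2019"
+version = "latest"
+}
+
+os_disk {
+name = "osdisk-${var.dsvm_name}"
+caching = "ReadWrite"
+storage_account_type = "Premium_LRS"
+}
+
+identity {
+type = "SystemAssigned"
+}
+computer_name = var.dsvm_name
+admin_username = var.dsvm_admin_username
+admin_password = var.dsvm_host_password
+
+provision_vm_agent = true
+
+timeouts {
+create = "60m"
+delete = "2h"
+}
+}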
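Review bot: Neither `azurerm_network_interface.dsvm` nor the `snet-dsvm` subnet it sits on (added in network.tf in this same commit) gets a network security group, so RDP to the Windows DSVM is reachable from every address in the virtual network rather than only from AzureBastionSubnet, which is the point of fronting it with Bastion. An NSG on `snet-dsvm` that allows TCP/3389 from `var.bastion_subnet_address_space` and explicitly denies 3389 from other sources (the platform's default `AllowVnetInBound` rule would otherwise still admit it) closes that gap; a sketch follows. The commented-out `depends_on` on `azurerm_route_table.jumphost_rt` refers to a resource that does not appear anywhere in this commit and should be deleted rather than left as dead code. `version = "latest"` in `source_image_reference` also means the image, and with it the patch level, can change between applies; pinning a version keeps the deployment reproducible.

```hcl
# … unchanged: azurerm_network_interface.dsvm …

resource "azurerm_network_security_group" "dsvm_nsg" {
  name                = "nsg-${var.dsvm_name}"
  location            = azurerm_resource_group.default.location
  resource_group_name = azurerm_resource_group.default.name

  # RDP only from the Bastion subnet; the deny below overrides the
  # platform default AllowVnetInBound rule for 3389 from anywhere else.
  security_rule {
    name                       = "AllowRdpFromBastion"
    priority                   = 100
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "3389"
    source_address_prefixes    = var.bastion_subnet_address_space
    destination_address_prefix = "*"
  }
  security_rule {
    name                       = "DenyRdpInbound"
    priority                   = 110
    direction                  = "Inbound"
    access                     = "Deny"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "3389"
    source_address_prefix      = "*"
    destination_address_prefix = "*"
  }
}

resource "azurerm_subnet_network_security_group_association" "dsvm_nsg_assoc" {
  subnet_id                 = azurerm_subnet.snet-dsvm.id
  network_security_group_id = azurerm_network_security_group.dsvm_nsg.id
}

# … unchanged: azurerm_windows_virtual_machine.dsvm …
```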

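--- a/quickstart/201-machine-learning-moderately-secure/network.tf
+++ b/quickstart/201-machine-learning-moderately-secure/network.tf
@@ -30,6 +30,21 @@ resource "azurerm_subnet" "snet-workspace" {
 enforce_private_link_endpoint_network_policies = true
 }
 
+resource "azurerm_subnet" "snet-dsvm" {
+name = "snet-dsvm"
+resource_group_name = azurerm_resource_group.default.name
+virtual_network_name = azurerm_virtual_network.default.name
+address_prefixes = var.dsvm_subnet_address_space
+enforce_private_link_endpoint_network_policies = true
+}
+
+resource "azurerm_subnet" "azure_bastion" {
+name = "AzureBastionSubnet"
+resource_group_name = azurerm_resource_group.default.name
+virtual_network_name = azurerm_virtual_network.default.name
+address_prefixes = var.bastion_subnet_address_space
+}
+
 # Private DNS Zones
 resource "azurerm_private_dns_zone" "dnsvault" {
 name = "privatelink.vaultcore.azure.net"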
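Review bot: The `azure_bastion` subnet's name carries a platform constraint that is not visible from the code: Azure Bastion only deploys into a subnet literally named `AzureBastionSubnet`, so a comment such as `# Name is fixed by Azure: Bastion requires a subnet named exactly "AzureBastionSubnet"; do not parameterize` above the resource would stop a later refactor from folding it into the `var.name` naming scheme used elsewhere. The address range also has a platform minimum size (a /26 or larger according to the Azure Bastion documentation; confirm against the current requirement), which `var.bastion_subnet_address_space` does not enforce; the default `10.0.5.0/24` in variables.tf satisfies it, but an override that is too small would only fail at apply time. The context lines of this hunk belong to `snet-workspace` and the private DNS zones, which are outside the change.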

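--- a/quickstart/201-machine-learning-moderately-secure/variables.tf
+++ b/quickstart/201-machine-learning-moderately-secure/variables.tf
@@ -38,9 +38,38 @@ variable "ml_subnet_address_space" {
 description = "Address space of the ML workspace subnet"
 default = ["10.0.0.0/24"]
 }
+variable "dsvm_subnet_address_space" {
+type = list(string)
+description = "Address space of the DSVM subnet"
+default = ["10.0.4.0/24"]
+}
+
+variable "bastion_subnet_address_space" {
+type = list(string)
+description = "Address space of the bastion subnet"
+default = ["10.0.5.0/24"]
+}
 
 variable "image_build_compute_name" {
 type = string
 description = "Name of the compute cluster to be created and set to build docker images"
 default = "image-builder"
+}
+
+# DSVM Variables
+variable "dsvm_name" {
+type = string
+description = "Name of the Data Science VM"
+default = "vmdsvm01"
+}
+variable "dsvm_admin_username" {
+type = string
+description = "Admin username of the Data Science VM"
+default = "azureadmin"
+}
+
+variable "dsvm_host_password" {
+type = string
+description = "Password for the admin username of the Data Science VM"
+sensitive = true
 }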
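Review bot: `dsvm_host_password` is declared `sensitive = true` but has no `validation` block, so a value that violates Azure's Windows VM password rules is only rejected at apply time, after the subnet and NIC have already been created; a `validation` block with `condition = length(var.dsvm_host_password) >= 12` and a matching `error_message` moves that failure to plan time (confirm the exact length and complexity limits against the Azure documentation before hard-coding them). `dsvm_admin_username` defaulting to `azureadmin` means every deployment that does not override it shares a well-known administrator name on a VM that is reachable over RDP; dropping the default, or at least stating in the description that it should be overridden per deployment, is the safer choice. The `dsvm_name` default `vmdsvm01` is also used as `computer_name` in the VM resource, so a note in its description that Windows computer names are limited to 15 characters would prevent a confusing apply-time error when it is overridden.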
