Adding 202 for existing VNet

Author: ryhud

quickstart/202-machine-learning-moderately-secure-existing-VNet/.gitignore

@@ -0,0 +1,37 @@
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+
+# Ignore any .tfvars files that are generated automatically for each Terraform run. Most
+# .tfvars files are managed as part of configuration and so should be included in
+# version control.
+#
+# example.tfvars
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+values.tfvars
+*.tfvars
+settings.tfvars
+# Include override files you do wish to add to version control using negated pattern
+#
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+terraform/.terraform.lock.hcl
+.DS_Store
+terraform/.terraform.lock.hcl
+terraform/.terraform.lock.hcl
+.terraform.lock.hcl
+terraform/.terraform.lock.hcl

quickstart/202-machine-learning-moderately-secure-existing-VNet/main.tf

@@ -0,0 +1,21 @@
+terraform {
+  required_version = ">=0.15.0"
+
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "=2.76.0"
+    }
+  }
+}
+
+provider "azurerm" {
+  features {}
+}
+
+data "azurerm_client_config" "current" {}
+
+resource "azurerm_resource_group" "default" {
+  name     = "rg-${var.name}-${var.environment}"
+  location = var.location
+}

quickstart/202-machine-learning-moderately-secure-existing-VNet/network.tf

@@ -0,0 +1,214 @@
+/*
+# Virtual Network
+resource "azurerm_virtual_network" "default" {
+  name                = "vnet-${var.name}-${var.environment}"
+  address_space       = var.vnet_address_space
+  location            = azurerm_resource_group.default.location
+  resource_group_name = azurerm_resource_group.default.name
+}
+
+resource "azurerm_subnet" "snet-training" {
+  name                 = "snet-training"
+  resource_group_name  = azurerm_resource_group.default.name
+  virtual_network_name = azurerm_virtual_network.default.name
+  address_prefixes     = var.training_subnet_address_space
+  enforce_private_link_endpoint_network_policies = true
+}
+
+resource "azurerm_subnet" "snet-aks" {
+  name                 = "snet-aks"
+  resource_group_name  = azurerm_resource_group.default.name
+  virtual_network_name = azurerm_virtual_network.default.name
+  address_prefixes     = var.aks_subnet_address_space
+  enforce_private_link_endpoint_network_policies = true
+}
+
+resource "azurerm_subnet" "snet-workspace" {
+  name                 = "snet-workspace"
+  resource_group_name  = azurerm_resource_group.default.name
+  virtual_network_name = azurerm_virtual_network.default.name
+  address_prefixes     = var.ml_subnet_address_space
+  enforce_private_link_endpoint_network_policies = true
+}
+
+# Private DNS Zones
+resource "azurerm_private_dns_zone" "dnsvault" {
+  name                = "privatelink.vaultcore.azure.net"
+  resource_group_name = azurerm_resource_group.default.name
+}
+
+resource "azurerm_private_dns_zone_virtual_network_link" "vnetlinkvault" {
+  name                  = "dnsvaultlink"
+  resource_group_name   = azurerm_resource_group.default.name
+  private_dns_zone_name = azurerm_private_dns_zone.dnsvault.name
+  virtual_network_id    = azurerm_virtual_network.default.id
+}
+
+resource "azurerm_private_dns_zone" "dnsstorageblob" {
+  name                = "privatelink.blob.core.windows.net"
+  resource_group_name = azurerm_resource_group.default.name
+}
+
+resource "azurerm_private_dns_zone_virtual_network_link" "vnetlinkblob" {
+  name                  = "dnsblobstoragelink"
+  resource_group_name   = azurerm_resource_group.default.name
+  private_dns_zone_name = azurerm_private_dns_zone.dnsstorageblob.name
+  virtual_network_id    = azurerm_virtual_network.default.id
+}
+
+
+resource "azurerm_private_dns_zone" "dnsstoragefile" {
+  name                = "privatelink.file.core.windows.net"
+  resource_group_name = azurerm_resource_group.default.name
+}
+
+resource "azurerm_private_dns_zone_virtual_network_link" "vnetlinkfile" {
+  name                  = "dnsfilestoragelink"
+  resource_group_name   = azurerm_resource_group.default.name
+  private_dns_zone_name = azurerm_private_dns_zone.dnsstoragefile.name
+  virtual_network_id    = azurerm_virtual_network.default.id
+}
+
+resource "azurerm_private_dns_zone" "dnscontainerregistry" {
+  name                = "privatelink.azurecr.io"
+  resource_group_name = azurerm_resource_group.default.name
+}
+
+resource "azurerm_private_dns_zone_virtual_network_link" "vnetlinkcr" {
+  name                  = "dnscrlink"
+  resource_group_name   = azurerm_resource_group.default.name
+  private_dns_zone_name = azurerm_private_dns_zone.dnscontainerregistry.name
+  virtual_network_id    = azurerm_virtual_network.default.id
+}
+
+resource "azurerm_private_dns_zone" "dnsazureml" {
+  name                = "privatelink.api.azureml.ms"
+  resource_group_name = azurerm_resource_group.default.name
+}
+
+resource "azurerm_private_dns_zone_virtual_network_link" "vnetlinkml" {
+  name                  = "dnsazuremllink"
+  resource_group_name   = azurerm_resource_group.default.name
+  private_dns_zone_name = azurerm_private_dns_zone.dnsazureml.name
+  virtual_network_id    = azurerm_virtual_network.default.id
+}
+
+resource "azurerm_private_dns_zone" "dnsnotebooks" {
+  name                = "privatelink.azureml.notebooks.net"
+  resource_group_name = azurerm_resource_group.default.name
+}
+
+resource "azurerm_private_dns_zone_virtual_network_link" "vnetlinknbs" {
+  name                  = "dnsnotebookslink"
+  resource_group_name   = azurerm_resource_group.default.name
+  private_dns_zone_name = azurerm_private_dns_zone.dnsnotebooks.name
+  virtual_network_id    = azurerm_virtual_network.default.id
+}
+*/
+
+# Network Security Groups
+
+resource "azurerm_network_security_group" "nsg-training" {
+  name                = "nsg-training"
+  location            = azurerm_resource_group.default.location
+  resource_group_name = azurerm_resource_group.default.name
+
+  security_rule {
+    name                       = "BatchNodeManagement"
+    priority                   = 100
+    direction                  = "Inbound"
+    access                     = "Allow"
+    protocol                   = "Tcp"
+    source_port_range          = "*"
+    destination_port_range     = "29876-29877"
+    source_address_prefix      = "BatchNodeManagement"
+    destination_address_prefix = "*"
+  }
+  security_rule {
+    name                       = "AzureMachineLearning"
+    priority                   = 110
+    direction                  = "Inbound"
+    access                     = "Allow"
+    protocol                   = "Tcp"
+    source_port_range          = "*"
+    destination_port_range     = "44224"
+    source_address_prefix      = "AzureMachineLearning"
+    destination_address_prefix = "*"
+  }
+}
+
+resource "azurerm_subnet_network_security_group_association" "nsg-training-link" {
+  subnet_id                 = var.training_subnet_resource_id
+  network_security_group_id = azurerm_network_security_group.nsg-training.id
+}
+
+resource "azurerm_network_security_group" "nsg-aks" {
+  name                = "nsg-aks"
+  location            = azurerm_resource_group.default.location
+  resource_group_name = azurerm_resource_group.default.name
+
+
+}
+
+resource "azurerm_subnet_network_security_group_association" "nsg-aks-link" {
+  subnet_id                 = var.aks_subnet_resource_id
+  network_security_group_id = azurerm_network_security_group.nsg-aks.id
+}
+
+# User Defined Routes
+
+#UDR for Compute instance and compute clusters
+resource "azurerm_route_table" "rt-training" {
+  name                = "rt-training"
+  location            = azurerm_resource_group.default.location
+  resource_group_name = azurerm_resource_group.default.name
+}
+
+resource "azurerm_route" "training-Internet-Route" {
+  name                = "Internet"
+  resource_group_name = azurerm_resource_group.default.name
+  route_table_name    = azurerm_route_table.rt-training.name
+  address_prefix      = "0.0.0.0/0"
+  next_hop_type       = "Internet"
+}
+
+resource "azurerm_route" "training-AzureMLRoute" {
+  name                = "AzureMLRoute"
+  resource_group_name = azurerm_resource_group.default.name
+  route_table_name    = azurerm_route_table.rt-training.name
+  address_prefix      = "AzureMachineLearning"
+  next_hop_type       = "Internet"
+}
+
+resource "azurerm_route" "training-BatchRoute" {
+  name                = "BatchRoute"
+  resource_group_name = azurerm_resource_group.default.name
+  route_table_name    = azurerm_route_table.rt-training.name
+  address_prefix      = "BatchNodeManagement"
+  next_hop_type       = "Internet"
+}
+
+resource "azurerm_subnet_route_table_association" "rt-training-link" {
+  subnet_id      = var.training_subnet_resource_id
+  route_table_id = azurerm_route_table.rt-training.id
+}
+# Inferencing (AKS) Route
+
+resource "azurerm_route_table" "rt-aks" {
+  name                = "rt-aks"
+  location            = azurerm_resource_group.default.location
+  resource_group_name = azurerm_resource_group.default.name
+}
+
+resource "azurerm_route" "aks-Internet-Route" {
+  name                = "Internet"
+  resource_group_name = azurerm_resource_group.default.name
+  route_table_name    = azurerm_route_table.rt-aks.name
+  address_prefix      = "0.0.0.0/0"
+  next_hop_type       = "Internet"
+}
+
+resource "azurerm_subnet_route_table_association" "rt-aks-link" {
+  subnet_id      = var.aks_subnet_resource_id
+  route_table_id = azurerm_route_table.rt-aks.id
+}

quickstart/202-machine-learning-moderately-secure-existing-VNet/readme.md

@@ -0,0 +1,44 @@
+# Azure Machine Learning workspace (moderately secure network set up)
+
+This deployment configuration specifies an [Azure Machine Learning workspace](https://docs.microsoft.com/en-us/azure/machine-learning/concept-workspace), 
+and its associated resources including Azure Key Vault, Azure Storage, Azure Application Insights and Azure Container Registry.
+
+In addition to these core services, this configuration specifies any networking components that are required to set up Azure Machine Learning
+for private network connectivity using [Azure Private Link](https://docs.microsoft.com/en-us/azure/private-link/). 
+
+This configuration describes the minimal set of resources you require to get started with Azure Machine Learning in a network-isolated set-up.
+
+To learn more about security configurations in Azure Machine Learning, see [Enterprise security and governance for Azure Machine Learning](https://docs.microsoft.com/en-us/azure/machine-learning/concept-enterprise-security).
+
+## Resources
+
+| Terraform Resource Type | Description |
+| - | - |
+| `azurerm_resource_group` | The resource group all resources get deployed into |
+| `azurerm_application_insights` | An Azure Application Insights instance associated to the Azure Machine Learning workspace |
+| `azurerm_key_vault` | An Azure Key Vault instance associated to the Azure Machine Learning workspace |
+| `azurerm_storage_account` | An Azure Storage instance associated to the Azure Machine Learning workspace |
+| `azurerm_container_registry` | An Azure Container Registry instance associated to the Azure Machine Learning workspace |
+| `azurerm_machine_learning_workspace` | An Azure Machine Learning workspace instance |
+| `azurerm_virtual_network` | An Azure Machine Learning workspace instance |
+| `azurerm_subnet` | An Azure Machine Learning workspace instance |
+| `azurerm_private_dns_zone` | Private DNS Zones for FQDNs required for Azure Machine Learning and associated resources |
+| `azurerm_private_dns_zone_virtual_network_link` | Virtual network links of the Private DNS Zones to the virtual network resource |
+| `azurerm_private_endpoint` | Private Endpoints for the Azure Machine Learning workspace and associated resources |
+
+## Variables
+
+| Name | Description |
+|-|-|
+| name | Name of the deployment |
+| environment | The deployment environment name (used for pre- and postfixing resource names) |
+| location | The Azure region used for deployments |
+
+
+## Usage
+
+```bash
+terraform plan -var name=azureml567 -out demo.tfplan
+
+terraform apply "demo.tfplan"
+```

quickstart/202-machine-learning-moderately-secure-existing-VNet/variables.tf

@@ -0,0 +1,71 @@
+variable "name" {
+  type        = string
+  description = "Name of the deployment"
+}
+
+variable "environment" {
+  type        = string
+  description = "Name of the environment"
+  default     = "dev"
+}
+
+variable "location" {
+  type        = string
+  description = "Location of the resources"
+}
+
+variable "image_build_compute_name" {
+  type        = string
+  description = "Name of the compute cluster to be created and set to build docker images"
+  default     = "image-builder"
+}
+
+# Existing subnets variables
+
+variable "training_subnet_resource_id" {
+  type        = string
+  description = "Resource ID of the existing training subnet"
+}
+
+variable "aks_subnet_resource_id" {
+  type        = string
+  description = "Resource ID of the existing aks subnet"
+}
+
+variable "ml_subnet_resource_id" {
+  type        = string
+  description = "Resource ID of the existing ML workspace subnet"
+}
+
+
+# Existing private DNS zones variables
+
+variable "privatelink_api_azureml_ms_resource_id" {
+  type        = string
+  description = "Resource ID of the existing privatelink.api.azureml.ms private dns zone"
+}
+
+variable "privatelink_azurecr_io_resource_id" {
+  type        = string
+  description = "Resource ID of the existing privatelink.azurecr.io private dns zone"
+}
+
+variable "privatelink_notebooks_azure_net_resource_id" {
+  type        = string
+  description = "Resource ID of the existing privatelink.notebooks.azure.net private dns zone"
+}
+
+variable "privatelink_blob_core_windows_net_resource_id" {
+  type        = string
+  description = "Resource ID of the existing privatelink.blob.core.windows.net private dns zone"
+}
+
+variable "privatelink_file_core_windows_net_resource_id" {
+  type        = string
+  description = "Resource ID of the existing privatelink.file.core.windows.net private dns zone"
+}
+
+variable "privatelink_vaultcore_azure_net_resource_id" {
+  type        = string
+  description = "Resource ID of the existing privatelink.vaultcore.azure.net private dns zone"
+}