include a Windows virtual machine for jumpbox access (#417)
glennmusa authored Sep 21, 2021
1 parent c308deb commit 334f58c
Showing 8 changed files with 1,024 additions and 66 deletions.
27 changes: 25 additions & 2 deletions src/bicep/README.md
Expand Up @@ -137,7 +137,7 @@ The result will be a policy assignment created for each resource group deployed

## Adding Remote Access via Bastion Host

To deploy a virtual machine as a jumpbox into the network without a Public IP Address using Azure Bastion Host, provide two parameters `deployRemoteAccess=true` and `linuxVmAdminPasswordOrKey=<your password>` to the deployment. A quick and easy way to generate a secure password from the .devcontainer is the command `openssl rand -base64 14`.
To deploy a virtual machine as a jumpbox into the network without a Public IP Address using Azure Bastion Host, provide two parameters `deployRemoteAccess=true` and `linuxVmAdminPasswordOrKey=<your password>` and `windowsVmAdminPassword=<your password>` to the deployment. A quick and easy way to generate a secure password from the .devcontainer is the command `openssl rand -base64 14`.

```plaintext
my_password=$(openssl rand -base64 14)
Expand All @@ -147,5 +147,28 @@ az deployment sub create \
--location "eastus" \
--template-file "src/bicep/mlz.bicep" \
--parameters deployRemoteAccess="true" \
--parameters linuxVmAdminPasswordOrKey="$my_password"
--parameters linuxVmAdminPasswordOrKey="$my_password" \
--parameters windowsVmAdminPassword="$my_password"
```

### Using an SSH Key with Remote Access via Bastion Host

If you have a key pair you'd like to use for SSH connections to the Linux virtual machine that is deployed with `deployRemoteAccess=true`, specify the `linuxVmAuthenticationType` parameter to `sshPublicKey` like so:

```plaintext
my_sshkey=$(cat ~/.ssh/id_rsa.pub) # or, however you source your public key
my_password=$(openssl rand -base64 14)
az deployment sub create \
--name "myRemoteAccessDeployment" \
--location "eastus" \
--template-file "src/bicep/mlz.bicep" \
--parameters deployRemoteAccess="true" \
--parameters linuxVmAuthenticationType="sshPublicKey" \
--parameters linuxVmAdminPasswordOrKey="$my_sshkey" \
--parameters windowsVmAdminPassword="$my_password"
```

For more information on generating a public/private key pair see <https://docs.microsoft.com/en-us/azure/virtual-machines/linux/create-ssh-keys-detailed#generate-keys-with-ssh-keygen>.

Then, once you've deployed the virtual machine and Bastion Host, use these docs to connect: <https://docs.microsoft.com/en-us/azure/bastion/bastion-connect-vm-ssh#privatekey>
44 changes: 37 additions & 7 deletions src/bicep/examples/remoteAccess/main.bicep
Expand Up @@ -12,6 +12,10 @@ param bastionHostPublicIPAddressAllocationMethod string = 'Static'
param bastionHostPublicIPAddressAvailabilityZones array = []
param bastionHostIPConfigurationName string = 'bastionHostIPConfiguration'

param linuxNetworkInterfaceName string = 'linuxVmNetworkInterface'
param linuxNetworkInterfaceIpConfigurationName string = 'linuxVmIpConfiguration'
param linuxNetworkInterfacePrivateIPAddressAllocationMethod string = 'Dynamic'

param linuxVmName string = 'linuxVirtualMachine'
param linuxVmSize string = 'Standard_B2s'
param linuxVmOsDiskCreateOption string = 'FromImage'
Expand All @@ -21,7 +25,6 @@ param linuxVmImageOffer string = 'UbuntuServer'
param linuxVmImageSku string = '18.04-LTS'
param linuxVmImageVersion string = 'latest'
param linuxVmAdminUsername string = 'azureuser'

@allowed([
'sshPublicKey'
'password'
Expand All @@ -31,9 +34,21 @@ param linuxVmAuthenticationType string = 'password'
@minLength(14)
param linuxVmAdminPasswordOrKey string

param linuxVmNetworkInterfaceName string = 'linuxVmNetworkInterface'
param linuxVmNetworkInterfaceIpConfigurationName string = 'linuxVmIpConfiguration'
param linuxVmNetworkInterfacePrivateIPAddressAllocationMethod string = 'Dynamic'
param windowsNetworkInterfaceName string = 'windowsVmNetworkInterface'
param windowsNetworkInterfaceIpConfigurationName string = 'windowsVmIpConfiguration'
param windowsNetworkInterfacePrivateIPAddressAllocationMethod string = 'Dynamic'
param windowsVmName string = 'windowsVm'
param windowsVmSize string = 'Standard_DS1_v2'
param windowsVmAdminUsername string = 'azureuser'
@secure()
@minLength(14)
param windowsVmAdminPassword string
param windowsVmPublisher string = 'MicrosoftWindowsServer'
param windowsVmOffer string = 'WindowsServer'
param windowsVmSku string = '2019-datacenter-gensecond'
param windowsVmVersion string = 'latest'
param windowsVmCreateOption string = 'FromImage'
param windowsVmStorageAccountType string = 'StandardSSD_LRS'

param nowUtc string = utcNow()

Expand All @@ -54,8 +69,9 @@ module remoteAccess '../../modules/remoteAccess.bicep' = {
bastionHostPublicIPAddressAvailabilityZones: bastionHostPublicIPAddressAvailabilityZones
bastionHostIPConfigurationName: bastionHostIPConfigurationName

linuxNetworkInterfaceIpConfigurationName: linuxVmNetworkInterfaceIpConfigurationName
linuxNetworkInterfacePrivateIPAddressAllocationMethod: linuxVmNetworkInterfacePrivateIPAddressAllocationMethod
linuxNetworkInterfaceName: linuxNetworkInterfaceName
linuxNetworkInterfaceIpConfigurationName: linuxNetworkInterfaceIpConfigurationName
linuxNetworkInterfacePrivateIPAddressAllocationMethod: linuxNetworkInterfacePrivateIPAddressAllocationMethod

linuxVmName: linuxVmName
linuxVmSize: linuxVmSize
Expand All @@ -68,6 +84,20 @@ module remoteAccess '../../modules/remoteAccess.bicep' = {
linuxVmAdminUsername: linuxVmAdminUsername
linuxVmAuthenticationType: linuxVmAuthenticationType
linuxVmAdminPasswordOrKey: linuxVmAdminPasswordOrKey
linuxVmNetworkInterfaceName: linuxVmNetworkInterfaceName

windowsNetworkInterfaceName: windowsNetworkInterfaceName
windowsNetworkInterfaceIpConfigurationName: windowsNetworkInterfaceIpConfigurationName
windowsNetworkInterfacePrivateIPAddressAllocationMethod: windowsNetworkInterfacePrivateIPAddressAllocationMethod

windowsVmName: windowsVmName
windowsVmSize: windowsVmSize
windowsVmAdminUsername: windowsVmAdminUsername
windowsVmAdminPassword: windowsVmAdminPassword
windowsVmPublisher: windowsVmPublisher
windowsVmOffer: windowsVmOffer
windowsVmSku: windowsVmSku
windowsVmVersion: windowsVmVersion
windowsVmCreateOption: windowsVmCreateOption
windowsVmStorageAccountType: windowsVmStorageAccountType
}
}
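Review bot: The new `windowsVmAdminPassword` parameter is marked `@secure()` here but is passed straight into `../../modules/remoteAccess.bicep` as `windowsVmAdminPassword: windowsVmAdminPassword`, and that module is not visible in this section. It is worth confirming that the module's own parameter is also `@secure()`, because otherwise the value would be readable in the nested deployment's recorded parameters. Both jumpboxes default to the admin name `azureuser`, and the README example in this commit passes one `$my_password` to both VMs, so I would add a comment above the parameter such as `// Use a value different from linuxVmAdminPasswordOrKey; each jumpbox should have its own credential.` The new `windows*` parameters carry no `@description()` decorators, which would be the natural home for that guidance. The parameter list and the `remoteAccess` module call both begin outside the visible hunks.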