include a Windows virtual machine for jumpbox access #417

Merged
merged 2 commits into from
Sep 21, 2021
27 changes: 25 additions & 2 deletions src/bicep/README.md
Expand Up @@ -137,7 +137,7 @@ The result will be a policy assignment created for each resource group deployed

## Adding Remote Access via Bastion Host

To deploy a virtual machine as a jumpbox into the network without a Public IP Address using Azure Bastion Host, provide two parameters `deployRemoteAccess=true` and `linuxVmAdminPasswordOrKey=<your password>` to the deployment. A quick and easy way to generate a secure password from the .devcontainer is the command `openssl rand -base64 14`.
To deploy a virtual machine as a jumpbox into the network without a Public IP Address using Azure Bastion Host, provide two parameters `deployRemoteAccess=true` and `linuxVmAdminPasswordOrKey=<your password>` and `windowsVmAdminPassword=<your password>` to the deployment. A quick and easy way to generate a secure password from the .devcontainer is the command `openssl rand -base64 14`.

```plaintext
my_password=$(openssl rand -base64 14)
Expand All @@ -147,5 +147,28 @@ az deployment sub create \
--location "eastus" \
--template-file "src/bicep/mlz.bicep" \
--parameters deployRemoteAccess="true" \
--parameters linuxVmAdminPasswordOrKey="$my_password"
--parameters linuxVmAdminPasswordOrKey="$my_password" \
--parameters windowsVmAdminPassword="$my_password"
```

### Using an SSH Key with Remote Access via Bastion Host

If you have a key pair you'd like to use for SSH connections to the Linux virtual machine that is deployed with `deployRemoteAccess=true`, specify the `linuxVmAuthenticationType` parameter to `sshPublicKey` like so:

```plaintext
my_sshkey=$(cat ~/.ssh/id_rsa.pub) # or, however you source your public key
my_password=$(openssl rand -base64 14)
az deployment sub create \
--name "myRemoteAccessDeployment" \
--location "eastus" \
--template-file "src/bicep/mlz.bicep" \
--parameters deployRemoteAccess="true" \
--parameters linuxVmAuthenticationType="sshPublicKey" \
--parameters linuxVmAdminPasswordOrKey="$my_sshkey" \
--parameters windowsVmAdminPassword="$my_password"
```

For more information on generating a public/private key pair see <https://docs.microsoft.com/en-us/azure/virtual-machines/linux/create-ssh-keys-detailed#generate-keys-with-ssh-keygen>.

Then, once you've deployed the virtual machine and Bastion Host, use these docs to connect: <https://docs.microsoft.com/en-us/azure/bastion/bastion-connect-vm-ssh#privatekey>
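Review bot: the first README hunk now lists three parameters (`deployRemoteAccess`, `linuxVmAdminPasswordOrKey`, `windowsVmAdminPassword`) but the sentence still says "provide two parameters"; update the count. In both example blocks the same `$my_password` value is passed as `linuxVmAdminPasswordOrKey` and `windowsVmAdminPassword`, so a reader copying the snippet ends up with one shared administrator credential across the two jumpboxes; generate a second value (e.g. `my_windows_password=$(openssl rand -base64 14)`) and pass it for the Windows VM. The closing paragraph of the second hunk only links to the Bastion SSH connection docs; since this change adds a Windows VM, add the corresponding Bastion RDP connection link so the new VM is also covered.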
44 changes: 37 additions & 7 deletions src/bicep/examples/remoteAccess/main.bicep
Expand Up @@ -12,6 +12,10 @@ param bastionHostPublicIPAddressAllocationMethod string = 'Static'
param bastionHostPublicIPAddressAvailabilityZones array = []
param bastionHostIPConfigurationName string = 'bastionHostIPConfiguration'

param linuxNetworkInterfaceName string = 'linuxVmNetworkInterface'
param linuxNetworkInterfaceIpConfigurationName string = 'linuxVmIpConfiguration'
param linuxNetworkInterfacePrivateIPAddressAllocationMethod string = 'Dynamic'

param linuxVmName string = 'linuxVirtualMachine'
param linuxVmSize string = 'Standard_B2s'
param linuxVmOsDiskCreateOption string = 'FromImage'
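Review bot: the new `linuxNetworkInterfaceName`, `linuxNetworkInterfaceIpConfigurationName` and `linuxNetworkInterfacePrivateIPAddressAllocationMethod` parameters replace the `linuxVmNetworkInterface*` names removed further down, which is a breaking change for any existing parameter file or pipeline that passes the old names; call the rename out in the README or release notes so callers know to update their parameters.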
Expand All @@ -21,7 +25,6 @@ param linuxVmImageOffer string = 'UbuntuServer'
param linuxVmImageSku string = '18.04-LTS'
param linuxVmImageVersion string = 'latest'
param linuxVmAdminUsername string = 'azureuser'

@allowed([
'sshPublicKey'
'password'
Expand All @@ -31,9 +34,21 @@ param linuxVmAuthenticationType string = 'password'
@minLength(14)
param linuxVmAdminPasswordOrKey string

param linuxVmNetworkInterfaceName string = 'linuxVmNetworkInterface'
param linuxVmNetworkInterfaceIpConfigurationName string = 'linuxVmIpConfiguration'
param linuxVmNetworkInterfacePrivateIPAddressAllocationMethod string = 'Dynamic'
param windowsNetworkInterfaceName string = 'windowsVmNetworkInterface'
param windowsNetworkInterfaceIpConfigurationName string = 'windowsVmIpConfiguration'
param windowsNetworkInterfacePrivateIPAddressAllocationMethod string = 'Dynamic'
param windowsVmName string = 'windowsVm'
param windowsVmSize string = 'Standard_DS1_v2'
param windowsVmAdminUsername string = 'azureuser'
@secure()
@minLength(14)
param windowsVmAdminPassword string
param windowsVmPublisher string = 'MicrosoftWindowsServer'
param windowsVmOffer string = 'WindowsServer'
param windowsVmSku string = '2019-datacenter-gensecond'
param windowsVmVersion string = 'latest'
param windowsVmCreateOption string = 'FromImage'
param windowsVmStorageAccountType string = 'StandardSSD_LRS'

param nowUtc string = utcNow()

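Review bot: the Windows image and disk parameters do not follow the naming used for the Linux ones in this same file: `windowsVmPublisher`, `windowsVmOffer`, `windowsVmSku`, `windowsVmVersion` versus `linuxVmImageOffer`, `linuxVmImageSku`, `linuxVmImageVersion`, and `windowsVmCreateOption` versus `linuxVmOsDiskCreateOption`. Consider `windowsVmImagePublisher` / `windowsVmImageOffer` / `windowsVmImageSku` / `windowsVmImageVersion` and `windowsVmOsDiskCreateOption` so the two parameter sets read symmetrically. Also add a blank line between the `windowsNetworkInterface*` group and the `windowsVm*` group, matching how the Linux parameters are grouped above. The `@secure()` plus `@minLength(14)` combination on `windowsVmAdminPassword` with no default is the right shape for a secret; keep it that way.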
Expand All @@ -54,8 +69,9 @@ module remoteAccess '../../modules/remoteAccess.bicep' = {
bastionHostPublicIPAddressAvailabilityZones: bastionHostPublicIPAddressAvailabilityZones
bastionHostIPConfigurationName: bastionHostIPConfigurationName

linuxNetworkInterfaceIpConfigurationName: linuxVmNetworkInterfaceIpConfigurationName
linuxNetworkInterfacePrivateIPAddressAllocationMethod: linuxVmNetworkInterfacePrivateIPAddressAllocationMethod
linuxNetworkInterfaceName: linuxNetworkInterfaceName
linuxNetworkInterfaceIpConfigurationName: linuxNetworkInterfaceIpConfigurationName
linuxNetworkInterfacePrivateIPAddressAllocationMethod: linuxNetworkInterfacePrivateIPAddressAllocationMethod

linuxVmName: linuxVmName
linuxVmSize: linuxVmSize
Expand All @@ -68,6 +84,20 @@ module remoteAccess '../../modules/remoteAccess.bicep' = {
linuxVmAdminUsername: linuxVmAdminUsername
linuxVmAuthenticationType: linuxVmAuthenticationType
linuxVmAdminPasswordOrKey: linuxVmAdminPasswordOrKey
linuxVmNetworkInterfaceName: linuxVmNetworkInterfaceName

windowsNetworkInterfaceName: windowsNetworkInterfaceName
windowsNetworkInterfaceIpConfigurationName: windowsNetworkInterfaceIpConfigurationName
windowsNetworkInterfacePrivateIPAddressAllocationMethod: windowsNetworkInterfacePrivateIPAddressAllocationMethod

windowsVmName: windowsVmName
windowsVmSize: windowsVmSize
windowsVmAdminUsername: windowsVmAdminUsername
windowsVmAdminPassword: windowsVmAdminPassword
windowsVmPublisher: windowsVmPublisher
windowsVmOffer: windowsVmOffer
windowsVmSku: windowsVmSku
windowsVmVersion: windowsVmVersion
windowsVmCreateOption: windowsVmCreateOption
windowsVmStorageAccountType: windowsVmStorageAccountType
}
}
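Review bot: `windowsVmAdminPassword` is forwarded to `../../modules/remoteAccess.bicep`, which is not part of this diff view; confirm that the module declares its `windowsVmAdminPassword` parameter with `@secure()` as well, since a secure value passed into a module parameter that is not marked secure is recorded in plain text in the deployment history. The same check applies to the existing `linuxVmAdminPasswordOrKey` input now that the module signature is changing anyway.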