Do you already know what ‘Azure Bastion’ is? If not, please refer here for details.
Let’s first look at our architecture diagram shown below to understand everything that is needed for a successful implementation.
To achieve the above, we first need to break the work down into small steps. Let’s do that now, as shown below.
Build the basic Terraform Folder Structure
- Create a folder named `Az_Bastion_Lab` and ensure you follow and implement the ‘Pre-requisites’, 2nd and 3rd sections of my previous blog before proceeding to the next steps
- Configure the `backend.tf` accordingly in that folder; it is used to store the Terraform state remotely in the respective Azure Storage Account/Container
- Create `provider.tf` in the same folder with the code below, which configures the provider Terraform uses to build infrastructure on the Microsoft Azure platform. If you are wondering what the settings under the `key_vault` section are, feel free to refer to my previous blog, which covers the explanation
- Create `variables.auto.tfvars` with the default declared values shown below. We defined address spaces for the VNet, the Subnet and also for AzureFirewallSubnet as per the needs shown in the architecture above. `firewall_allocation_method` and `firewall_sku` will be consumed when building `virtual_networks` in a later section, and `scale_units` is defined as `2` for the AzureBastionHost for later use as well
- Create `variables.tf` like below
1. Create a Resource Group
- The files `rg_main.tf`, `rg_variables.tf` and `rg_outputs.tf` look like below. We’ve already covered how to create Resource Groups using Terraform in our previous blogs, so I’m not repeating that explanation here and only showing the code necessary for this scenario [Similarly, I’ll not repeat the explanation of the VNets, KV and all other modules which we’ve covered in our previous blog/s. Feel free to refer to them here and here as appropriate]
2. Create a VNet and a Subnet in that Resource Group
- Apart from the VNet and Subnet, we are creating a Network Interface for our LinuxVM so that a Private IP can be assigned to it
- Now, our `main.tf` looks like below
- Now perform `terraform init`, `terraform plan` and `terraform apply --auto-approve` one after the other, each after the previous command has completed successfully. Feel free to make use of the `terraform validate` and `terraform fmt` commands in between
- You should be able to see the VNet and Subnet in the respective RG in the portal
3. Create Azure Bastion Host and necessary components required
- For a successful Bastion Host deployment, we should create a subnet named `AzureBastionSubnet` and assign a `public ip` to it as well. Let’s do it now
- Create a folder `az_bastion` under `modules` and add the `azb_main.tf`, `azb_variables.tf` and `azb_outputs.tf` files as shown below
- You can notice that in `azb_main.tf` we are creating the `AzureBastionSubnet` subnet, an `azure publicIp` and the `Azure Bastion Host` which uses the subnet and the public IP we created. You may notice some warning/error messages in your code, as some variables like `location, rg-test-name` are not yet declared under the `az_bastion` module. We’ll fix those issues in our next step with `azb_variables.tf`
- We need resources such as `public-Ip` and `AzureFirewallSubnet-id` for consumption by our other modules, hence they are exposed in `azb_outputs.tf` as below
- Now, time to call this `az_bastion` module from `main.tf`
- Now perform `terraform init`, `terraform plan` and `terraform apply --auto-approve` one after the other, each after the previous command has completed successfully
- You should be able to see the intended resources in the Azure Portal
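As an added example (not the post’s own azb_main.tf/azb_outputs.tf), here is a minimal az_bastion module covering the three resources described above; the variable names, resource names and the Standard SKU are assumptions.

```hcl
# Added example module, not the post's own code; var.* names and SKU are assumptions.
variable "location"     { type = string }
variable "rg_name"      { type = string }
variable "vnet_name"    { type = string }
variable "bastion_cidr" { type = list(string) } # AzureBastionSubnet needs a /26 or larger

variable "scale_units" {
  type    = number
  default = 2 # honoured only with the Standard SKU; the Basic SKU ignores it
}

# The subnet name is fixed by Azure: Bastion refuses any other name.
resource "azurerm_subnet" "bastion" {
  name                 = "AzureBastionSubnet"
  resource_group_name  = var.rg_name
  virtual_network_name = var.vnet_name
  address_prefixes     = var.bastion_cidr
}

# Bastion requires a Standard-SKU, statically allocated public IP.
resource "azurerm_public_ip" "bastion" {
  name                = "pip-bastion"
  location            = var.location
  resource_group_name = var.rg_name
  allocation_method   = "Static"
  sku                 = "Standard"
}

resource "azurerm_bastion_host" "this" {
  name                = "bas-lab"
  location            = var.location
  resource_group_name = var.rg_name
  sku                 = "Standard"
  scale_units         = var.scale_units

  ip_configuration {
    name                 = "bastion-ipcfg"
    subnet_id            = azurerm_subnet.bastion.id
    public_ip_address_id = azurerm_public_ip.bastion.id
  }
}

# Exposed for other modules, as the post does in azb_outputs.tf.
output "bastion_public_ip" { value = azurerm_public_ip.bastion.ip_address }
output "bastion_subnet_id" { value = azurerm_subnet.bastion.id }
```

Only the Bastion host itself gets a public IP; the LinuxVM behind it keeps a private IP only, which is the whole point of the design.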
4. Use Azure Key Vault and create a Secret for the LinuxVM
- Let’s call the `az_key_vault` module from the `main.tf`
- Now perform `terraform init`, `terraform plan` and `terraform apply --auto-approve` one after the other, each after the previous command has completed successfully
- You should be able to see the intended resources, including the KV, in the Azure Portal
5. Create the LinuxVM
- We’ll create the LinuxVM and attach the NIC we created earlier in the `virtual_networks` module to this VM
- Let’s call the `vm` module from the `main.tf`
- Now perform `terraform init`, `terraform plan` and `terraform apply --auto-approve` one after the other, each after the previous command has completed successfully
- You should be able to see the intended resources, including the VM, in the Azure Portal
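As an added example of how steps 4 and 5 fit together (not the post’s az_key_vault or vm modules): a generated admin password is stored as a Key Vault secret and the VM takes its password from that secret, so no credential sits in the tfvars. The var.* names, VM size and image are assumptions.

```hcl
# Added example, not the post's own modules; var.* names, size and image are assumptions.
resource "random_password" "vm_admin" {
  length = 24
}

# The generated password is stored in Key Vault and never appears in *.tfvars.
# Caveat: it is still written to the Terraform state, so keep the remote state
# backend configured in backend.tf access-controlled.
resource "azurerm_key_vault_secret" "vm_admin" {
  name         = "linuxvm-admin-password"
  value        = random_password.vm_admin.result
  key_vault_id = var.key_vault_id
}

resource "azurerm_linux_virtual_machine" "this" {
  name                  = "linuxvm"
  location              = var.location
  resource_group_name   = var.rg_name
  size                  = "Standard_B1s"
  admin_username        = var.admin_username
  network_interface_ids = [var.vm_nic_id] # NIC created in the virtual_networks module

  # The Bastion login in step 7 uses username + the Key Vault secret, so password
  # authentication stays enabled on this VM.
  admin_password                  = azurerm_key_vault_secret.vm_admin.value
  disable_password_authentication = false

  os_disk {
    caching              = "ReadWrite"
    storage_account_type = "Standard_LRS"
  }

  source_image_reference {
    publisher = "Canonical"
    offer     = "0001-com-ubuntu-server-jammy"
    sku       = "22_04-lts"
    version   = "latest"
  }
}

# Handed to the Bastion connect step so the password is read from Key Vault, not typed.
output "vm_admin_secret_id" { value = azurerm_key_vault_secret.vm_admin.id }
```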
6. Define the NSG rules for the AzureBastionHost and also for the LinuxVM
- Before proceeding further, I strongly recommend you read through this excellent documentation from Microsoft explaining the NSG requirements for Bastion
- We should define NSG rules for both `Ingress` and `Egress` traffic from/to the Bastion and also `Ingress` traffic rules for the Linux VM
- The recommended `Ingress and Egress` rules for Bastion are like below
- In order to implement the above NSG rules, let’s define a `traffic_rules` module and implement the rules accordingly
- Now, associate the NSG defined above to the subnet `AzureBastionSubnet` like below
- Define the NSG rule for the LinuxVM and associate it with the NIC [You can also associate it with the subnet in which this VM is present, like `vnet1-subnet1`, in case you want to try that option. I suggest you understand what difference it makes to associate it with the NIC vs the Subnet]
[When a file contains many lines, it is not feasible to show it in one shot and explain it at the same time, hence I’ve divided such files into multiple snippets such as rules_main.tf Snippet_*, where * represents numbering like 1, 2, 3 and so on. I believe that allows you to follow the sequence of the code accordingly. The same is true for files such as main.tf; you can notice that as main.tf Snippet_*]
- We don’t really have anything from the `traffic_rules` module to output. Hence, `rules_outputs.tf` is blank and just sits there idle for the Terraform schema/structure purpose
- Finally, your Terraform folder structure looks like below for your visibility [Please ignore the `images` folder and the `.md` file]
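As an added example (not the post’s rules_main.tf), here are the Bastion ingress and egress rules Microsoft documents, built as one rule resource per map entry and bound to the AzureBastionSubnet; the var.* names and rule names are assumptions.

```hcl
# Added example, not the post's own traffic_rules module; var.* names are assumptions.
resource "azurerm_network_security_group" "bastion" {
  name                = "nsg-bastion"
  location            = var.location
  resource_group_name = var.rg_name
}

# Microsoft's documented rule set for AzureBastionSubnet. Inbound: HTTPS from the
# Internet (the user), the control plane (GatewayManager), the load balancer probe,
# and data-plane traffic between Bastion instances. Outbound: SSH/RDP into the VNet,
# HTTPS to Azure services, instance-to-instance traffic, and session info over 80.
resource "azurerm_network_security_rule" "bastion" {
  for_each = {
    AllowHttpsInbound           = { pri = 100, dir = "Inbound",  ports = ["443"],          src = "Internet",          dst = "*" }
    AllowGatewayManagerInbound  = { pri = 110, dir = "Inbound",  ports = ["443"],          src = "GatewayManager",    dst = "*" }
    AllowLoadBalancerInbound    = { pri = 120, dir = "Inbound",  ports = ["443"],          src = "AzureLoadBalancer", dst = "*" }
    AllowBastionCommsInbound    = { pri = 130, dir = "Inbound",  ports = ["8080", "5701"], src = "VirtualNetwork",    dst = "VirtualNetwork" }
    AllowSshRdpOutbound         = { pri = 100, dir = "Outbound", ports = ["22", "3389"],   src = "*",                 dst = "VirtualNetwork" }
    AllowAzureCloudOutbound     = { pri = 110, dir = "Outbound", ports = ["443"],          src = "*",                 dst = "AzureCloud" }
    AllowBastionCommsOutbound   = { pri = 120, dir = "Outbound", ports = ["8080", "5701"], src = "VirtualNetwork",    dst = "VirtualNetwork" }
    AllowGetSessionInfoOutbound = { pri = 130, dir = "Outbound", ports = ["80"],           src = "*",                 dst = "Internet" }
  }

  name                        = each.key
  priority                    = each.value.pri
  direction                   = each.value.dir
  access                      = "Allow"
  protocol                    = "Tcp"
  source_port_range           = "*"
  destination_port_ranges     = each.value.ports
  source_address_prefix       = each.value.src
  destination_address_prefix  = each.value.dst
  resource_group_name         = var.rg_name
  network_security_group_name = azurerm_network_security_group.bastion.name
}

# Bound to AzureBastionSubnet itself, as the post does; no SSH/RDP inbound from the
# Internet is opened anywhere, since users reach the VM only through Bastion's 443.
resource "azurerm_subnet_network_security_group_association" "bastion" {
  subnet_id                 = var.bastion_subnet_id
  network_security_group_id = azurerm_network_security_group.bastion.id
}
```

The LinuxVM’s own NSG follows the same pattern with a single inbound rule: destination port 22, `source_address_prefix` set to the AzureBastionSubnet CIDR rather than `*` or `Internet`, bound to the NIC with `azurerm_network_interface_security_group_association`.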
7. Deploy and Validate the Infrastructure
- Now perform `terraform init`, `terraform plan` and `terraform apply --auto-approve` one after the other, each after the previous command has completed successfully. I encourage you to also use the `terraform validate` and `terraform fmt` commands and fix any errors by following the blog carefully
- With this, the deployment of resources is complete and can be observed in your Azure Portal
- Connect to the LinuxVM using `Bastion` with the `username` and the `secret` like below
- After a successful login, you can access the LinuxVM as shown below
- That’s it, and you are now done with this scenario :)
- The full code can be accessed here: ramakb/Az_Bastion_Lab (github.com)
Finally, perform `terraform destroy --auto-approve` to destroy all the resources in the Azure Portal and stop consuming $
Hope you find this information helpful.
Thanks for taking time to read!