| title | description |
|---|---|
| Azure Bastion Host and Service using Terraform | Create Azure Bastion Host and Service using Terraform |
We are going to create two important Bastion resources:
- Azure Bastion Host
- Azure Bastion Service

We are going to use the following Terraform features and Azure resources for the same:
- Terraform Input Variables
- azurerm_public_ip
- azurerm_network_interface
- azurerm_linux_virtual_machine
- Terraform Null Resource (`null_resource`)
- Terraform File Provisioner
- Terraform remote-exec Provisioner
- azurerm_bastion_host
- Terraform Output Values
```bash
# Create Folder
cd terraform-manifests/
mkdir ssh-keys

# Create SSH Key
cd ssh-keys
ssh-keygen \
    -m PEM \
    -t rsa \
    -b 4096 \
    -C "azureuser@myserver" \
    -f terraform-azure.pem
```

Important Note: Don't provide any passphrase, as a passphrase is not supported on the latest provider versions.

```bash
# List Files (we are still inside ssh-keys/)
ls -lrt

# Files Generated after above command
# Public Key: terraform-azure.pem.pub -> Rename as terraform-azure.pub
# Private Key: terraform-azure.pem

# Permissions for Pem file
chmod 400 terraform-azure.pem
```
- Create the `providers.tf` file.
- Create the `variables.tf` file.
- Create the `locals.tf` file.
- Create the `random.tf` file.
- Create the `resource-groups.tf` file.
- VNet variables: `vnet-variables.tf`
- VNet: `vnets.tf`
- Web subnet and NSG: `web-subnet-and-nsg.tf`
- Bastion subnet and NSG: `bastion-subnet-and-nsg.tf`
- NIC: `web-linuxvm-network-interface.tf`
- VM: `web-linuxvm.tf`
- Bastion host input variables: `bastion-host-input-variables.tf`
- Bastion host public IP: `bastion-host-public-ip.tf`
- Bastion host NIC: `bastion-host-network-interface.tf`
- Bastion host VM: `bastion-host-linuxvm.tf`
- Create the `move-ssh-key-to-bastion-host.tf` file and fill it in.
- Create the `bastion-service.tf` file.
- Create the `bastion-outputs.tf` file to output the bastion host public IP address.
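The two bastion-specific files above are left for the reader to fill in; what follows is an added example of what they can contain, not the course's own code. It assumes the resource group, VNet, bastion host VM and its public IP are declared as `azurerm_resource_group.rg`, `azurerm_virtual_network.vnet`, `azurerm_linux_virtual_machine.bastion_host_linuxvm` and `azurerm_public_ip.bastion_host_publicip`, and the `10.1.101.0/26` prefix is a constructed value.

```hcl
# move-ssh-key-to-bastion-host.tf (assumed contents)
resource "null_resource" "copy_ssh_key_to_bastion_host" {
  depends_on = [azurerm_linux_virtual_machine.bastion_host_linuxvm]
  # SSH into the bastion host VM with the key generated in ssh-keys/
  connection {
    type        = "ssh"
    host        = azurerm_public_ip.bastion_host_publicip.ip_address
    user        = azurerm_linux_virtual_machine.bastion_host_linuxvm.admin_username
    private_key = file("${path.module}/ssh-keys/terraform-azure.pem")
  }
  # Copy the private key so the bastion host can reach the private-only web VM
  provisioner "file" {
    source      = "ssh-keys/terraform-azure.pem"
    destination = "/tmp/terraform-azure.pem"
  }
  # Lock the copy down; ssh refuses a key that is group- or world-readable
  provisioner "remote-exec" {
    inline = ["sudo chmod 400 /tmp/terraform-azure.pem"]
  }
}

# bastion-service.tf (assumed contents)
resource "azurerm_subnet" "bastion_service_subnet" {
  name                 = "AzureBastionSubnet"   # this exact name is mandatory
  resource_group_name  = azurerm_resource_group.rg.name
  virtual_network_name = azurerm_virtual_network.vnet.name
  address_prefixes     = ["10.1.101.0/26"]      # constructed; must be /26 or larger
}

resource "azurerm_public_ip" "bastion_service_publicip" {
  name                = "hr-dev-bastion-service-publicip"
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location
  allocation_method   = "Static"     # Bastion requires a Static, Standard SKU IP
  sku                 = "Standard"
}

resource "azurerm_bastion_host" "bastion_host" {
  name                = "hr-dev-bastion-service"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name

  ip_configuration {
    name                 = "configuration"
    subnet_id            = azurerm_subnet.bastion_service_subnet.id
    public_ip_address_id = azurerm_public_ip.bastion_service_publicip.id
  }
}
```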
```bash
# Terraform Initialize
terraform init

# Terraform Validate
terraform validate

# Terraform Plan
terraform plan

# Terraform Apply
terraform apply -auto-approve

# Important Note:
# Azure Bastion Service takes 10 to 15 minutes to create.
```
Verify Resources - Virtual Network
- Azure Resource Group
- Azure Virtual Network
- Azure Subnets (Web, Bastion)
- Azure Network Security Groups (Web, Bastion)
- View the topology
- Verify Terraform Outputs in Terraform CLI
- Verify Network Interface created for Web Linux VM
- Verify Web Linux VM
- Verify Network Security Groups associated with VM (Web Subnet NSG)
- View Topology at Web Linux VM -> Networking
- Verify if only private IP associated with Web Linux VM
- Verify Bastion Host VM Public IP
- Verify Bastion Host VM Network Interface
- Verify Bastion VM
- Verify Bastion VM -> Networking -> NSG Rules
- Verify Bastion VM Topology
```bash
# Connect to Bastion Host VM
# 1. Connect to Bastion Host Linux VM
ssh -i ssh-keys/terraform-azure.pem azureuser@<Bastion-Host-LinuxVM-PublicIP>
sudo su -
cd /tmp
ls
# 2. terraform-azure.pem file should be present in /tmp directory
```
```bash
# Connect to Web Linux VM using Bastion Host VM
# 1. Connect to Web Linux VM (run from the Bastion Host VM shell)
ssh -i /tmp/terraform-azure.pem azureuser@<Web-LinuxVM-PrivateIP>
sudo su -
cd /var/log
tail -n 100 -f cloud-init-output.log   # Ctrl-C to stop following the log
cd /var/www/html
ls -lrt
cd /var/www/html/app1
ls -lrt
exit   # leave root shell on Web Linux VM
exit   # close SSH session to Web Linux VM
exit   # leave root shell on Bastion Host VM
exit   # close SSH session to Bastion Host VM
```
- Go to Azure Management Portal Console -> Bastions
- Verify Bastion Service -> hr-dev-bastion-service
- Verify Settings -> Sessions
- Verify Settings -> Configuration
1. Go to Web Linux VM using Azure Portal Console
2. Portal Console -> Virtual machines -> hr-dev-web-linuxvm -> Settings -> Connect
3. Select "Bastion" tab -> Click on "Use Bastion"
   - Open in new window: checked
   - Username: azureuser
   - Authentication Type: SSH Private Key from Local File
   - Local File: Browse from ssh-keys/terraform-azure.pem
   - Click on Connect
4. In new tab, we should be logged in to VM "hr-dev-web-linuxvm"
5. Run additional commands
```bash
sudo su -
cd /var/www/html
ls
cd /var/www/html/app1
ls
```
- Go to Azure Management Portal Console -> Bastions
- Verify Bastion Service -> hr-dev-bastion-service
- Verify Settings -> Sessions
```bash
# Delete Resources
terraform destroy
# [or]
terraform apply -destroy -auto-approve

# Clean-Up Files
rm -rf .terraform*
rm -rf terraform.tfstate*
```