This is a demo environment to setup a baseline to deploy a multi-subscription hub-spoke infrastructure on Azure.
- go to
${repo_root}/terraform/infra/ - copy the
terraform.tfvars.exampletoterraform.tfvars - edit/add the correct values in
terraform.tfvarsfile - ensure you're logged into your Azure account (
az login) - run
terraformterraform init && terraform plan -out tfplan && terraform apply tfplan
- Terraform
- Azure CLI
- Helm
${repo_root}/terraform/infra/modules/jumpbox/
- Jumpbox Azure VM Configs
${repo_root}/terraform/infra/modules/jumpbox/main.tf - Jumpbox OS configs
${repo_root}/terraform/infra/modules/jumpbox/config/jumpbox-cloud-init.yaml - sshd port has been changed to 2022 not default 22
- xrdp port has been changed to 2023 not default 3389
- NSG:
- http/https ports 80/443 are open on NSG and used to get letsencrypt TLS certificates (allow all inbound from internet)
- ssh/xrdp ports (2022/2023) have been locked down to your deployment machine's publicIP address using
https://api.ipify.orgto determine your Public IP address
Notes:
- User Assigned Managed Identity: The Jumpbox is assigned a User MSI that has contributor rights over the initial resource groups (hub, spoke1, spoke2, spoke3)
xrdp is installed by default (see Jumpbox OS Configs above). However you still need to enter a password for your default user account or create one that can login via password as XRDP requires password auth for the GUI session. To do so ssh into your your jumpbox in the hub network and set your admin_user's password. This does not disable ssh passwordless authentication but is needed when loging into the GUI session. run:
## Example Only
ssh -p 2022 -i ${path.module}/certs/${terraform.workspace}/global/id_rsa ${local.admin_username}@${module.hub.jumpbox.ip_address}
## You can get this command as it's been added to Terraform outputs for convenience
terraform output
## Output result example:
hub = {
"jumpbox" = {
"fqdn" = "abcde.azureregion.cloudapp.azure.com"
"ip_address" = "52.xxx.xxx.102"
}
"ssh" = "ssh -p 2022 -i ./certs/default/global/id_rsa [email protected]"
}
## then change password for your admin_username
sudo passwd ${admin_username}
Download Combined Cert/Private Key file (presuming cert was created with the ability to export key)
# Download combined certificate
az keyvault secret download --vault-name <vault-name> --name <secret-name> --file combined-cert.crt
# Extract only the private key in combined PKCS12 formatted cert AND convert to pem format private key
openssl pkcs12 -nodes -nocerts -in combined-cert.crt | openssl rsa -out private.key
# Extract only the private key in combined PEM formatted cert
openssl rsa -in combined-cert.pem -out private.key
# Create x509 public cert fingerprint
openssl x509 -noout -fingerprint -sha1 -inform pem -in combined-cert.pem
Some steps are not yet available as TF config settings. You must manually enable these features via the Azure Portal.
- Add UDR Route on Default Route
- 0.0.0.0/0 -> Next Hop: Azure Firewall
- Manually Enable this in Azure Firewall Manager for each Hub:Security Configuration
- Internet Traffic -> Azure Firewall
- Private Traffice -> Bypass Azure Firewall
- Change VPN XML value to version 2
- How do I direct all traffic to the VPN tunnel (forced tunneling)?