From a1d13658a39efdc2cfd8bfb6eecdfb819cb17eb1 Mon Sep 17 00:00:00 2001
From: Dylan Reed <71025787+djr1991@users.noreply.github.com>
Date: Mon, 25 Oct 2021 19:10:15 -0400
Subject: [PATCH 1/6] random string for fw diagnostics + missing FW rule
---
 .../azure-firewall.tf | 24 +++++++++++++++++--
 1 file changed, 22 insertions(+), 2 deletions(-)
diff --git a/quickstart/301-machine-learning-hub-spoke-secure/azure-firewall.tf b/quickstart/301-machine-learning-hub-spoke-secure/azure-firewall.tf
index c5ab0b41..4c83703d 100644
--- a/quickstart/301-machine-learning-hub-spoke-secure/azure-firewall.tf
+++ b/quickstart/301-machine-learning-hub-spoke-secure/azure-firewall.tf
@@ -1,4 +1,10 @@
-
+# Generate random string for unique firewall diagnostic name
+resource "random_string" "fw_diag_prefix" {
+ length = 8
+ upper = false
+ special = false
+ number = false
+}
 resource "azurerm_ip_group" "ip_group_hub" {
 name = "hub-ipgroup"
 location = azurerm_resource_group.hub_rg.location
@@ -61,7 +67,7 @@ resource "azurerm_firewall" "azure_firewall_instance" {
 }
 resource "azurerm_monitor_diagnostic_setting" "azure_firewall_instance" {
- name = "diagnostics-${var.name}-${var.environment}"
+ name = "diagnostics-${var.name}-${var.environment}-${random_string.fw_diag_prefix.result}"
 target_resource_id = azurerm_firewall.azure_firewall_instance.id
 log_analytics_workspace_id = azurerm_log_analytics_workspace.default.id
@@ -168,6 +174,20 @@ application_rule_collection {
 destination_fqdns = ["github.com"]
 }
+ rule {
+ name = "raw.githubusercontent.com"
+ protocols {
+ type = "Https"
+ port = 443
+ }
+ protocols {
+ type = "Http"
+ port = 80
+ }
+ source_ip_groups = [azurerm_ip_group.ip_group_spoke.id]
+ destination_fqdns = ["raw.githubusercontent.com"]
+ }
+
 rule {
 name = "microsoft-metrics-rules"
 protocols {
From 8e503110f91a7d570e720b09d9c2761b65ddb848 Mon Sep 17 00:00:00 2001
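Review bot: The new resource is named `fw_diag_prefix` and its comment calls it a prefix, but the second hunk appends `random_string.fw_diag_prefix.result` to the end of the diagnostic-setting name, so it is a suffix; renaming it `fw_diag_suffix` (or correcting the comment) would stop the next reader looking for a prefix that does not exist. The comment should also say why a unique name is needed at all, since the commit message only says "random string for fw diagnostics" — presumably a clash with a diagnostic setting left behind from an earlier deployment, which is worth stating so nobody removes the workaround. The `random_string` resource needs the `hashicorp/random` provider declared in the configuration's required_providers; that file is not part of this series, so confirm it is already there.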
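Review bot: The new `raw.githubusercontent.com` application rule allows plaintext `Http` on port 80 from the spoke IP group in addition to `Https` on 443, which widens egress beyond what fetching raw GitHub content needs, since that host is served over HTTPS. Unless a specific client in the spoke is known to need port 80, drop the second `protocols { type = "Http" port = 80 }` block so the rule matches only `Https`; if port 80 really is required, a comment naming the consumer would justify keeping it. The enclosing application_rule_collection starts outside the hunk, so I cannot tell whether the neighbouring `github.com` rule has the same shape.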
From: ryhud
Date: Tue, 26 Oct 2021 10:11:56 -0400
Subject: [PATCH 2/6] Updating AML 201 readme
---
 .../201-machine-learning-moderately-secure/readme.md | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/quickstart/201-machine-learning-moderately-secure/readme.md b/quickstart/201-machine-learning-moderately-secure/readme.md
index 1d206849..b4a9f376 100644
--- a/quickstart/201-machine-learning-moderately-secure/readme.md
+++ b/quickstart/201-machine-learning-moderately-secure/readme.md
@@ -6,13 +6,15 @@ and its associated resources including Azure Key Vault, Azure Storage, Azure App
 In addition to these core services, this configuration specifies any networking components that are required to set up Azure Machine Learning for private network connectivity using [Azure Private Link](https://docs.microsoft.com/en-us/azure/private-link/).
-This configuration describes the minimal set of resources you require to get started with Azure Machine Learning in a network-isolated set-up. This configuration creates new network components. If you want to reuse existing network components, see [202 example](../201-machine-learning-moderately-secure/readme.md).
+This configuration describes the minimal set of resources you require to get started with Azure Machine Learning in a network-isolated set-up. This configuration creates new network components. Use Azure Bastion to securely connect to the Windows Data Science Virtual Machine. If you want to reuse existing network components, see [202 example](../201-machine-learning-moderately-secure/readme.md).
 ## Resources
 | Terraform Resource Type | Description |
 | - | - |
 | `azurerm_resource_group` | The resource group all resources get deployed into |
+| `azurerm_bastion_host` | An Azure Bastion Instance to securely RDP/SSH into Virtual Machines deployed into the Virtual Network |
+| `azurerm_windows_virtual_machine` | A Windows Data Science Virtual Machine used for connecting to the Azure Machine Learning workspace |
 | `azurerm_application_insights` | An Azure Application Insights instance associated to the Azure Machine Learning workspace |
 | `azurerm_key_vault` | An Azure Key Vault instance associated to the Azure Machine Learning workspace |
 | `azurerm_storage_account` | An Azure Storage instance associated to the Azure Machine Learning workspace |
@@ -39,6 +41,9 @@ This configuration describes the minimal set of resources you require to get sta
 | aks_subnet_address_space | Address space of the aks subnet | ["10.0.2.0/23"] |
 | ml_subnet_address_space | Address space of the ML workspace subnet | ["10.0.0.0/24"] |
 | image_build_compute_name | Name of the compute cluster to be created and configured for building docker images (Azure ML Environments) | image-builder |
+| dsvm_name | Name of the Windows Data Science VM resource | vmdsvm01 |
+| dsvm_admin_username | Admin username of the Windows Data Science VM | azureadmin |
+| dsvm_host_password | Password for the admin username of the Data Science VM | - |
 ## Usage
From e6cbe158b7c571adad124221c74e26d87d18ec16 Mon Sep 17 00:00:00 2001
From: ryhud
Date: Thu, 28 Oct 2021 11:05:39 -0400
Subject: [PATCH 3/6] adding sensitive to DSVM password variable
---
 quickstart/301-machine-learning-hub-spoke-secure/variables.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/quickstart/301-machine-learning-hub-spoke-secure/variables.tf b/quickstart/301-machine-learning-hub-spoke-secure/variables.tf
index 7d0ef6b1..9618d98c 100644
--- a/quickstart/301-machine-learning-hub-spoke-secure/variables.tf
+++ b/quickstart/301-machine-learning-hub-spoke-secure/variables.tf
@@ -89,5 +89,5 @@ variable "dsvm_admin_username" {
 variable "dsvm_host_password" {
 type = string
 description = "Password for the admin username of the Data Science VM"
-
+ sensitive = true
 }
\ No newline at end of file
From 0943dd056804c7760e7c126ded3c102f153076b5 Mon Sep 17 00:00:00 2001
From: ryhud
Date: Thu, 28 Oct 2021 11:35:41 -0400
Subject: [PATCH 4/6] adding resource dependancy to fix destroy issue
---
 .../201-machine-learning-moderately-secure/workspace.tf | 7 +++++++
 .../301-machine-learning-hub-spoke-secure/workspace.tf | 7 ++++++-
 2 files changed, 13 insertions(+), 1 deletion(-)
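Review bot: `sensitive = true` on `dsvm_host_password` only redacts the value from plan and apply output; it is still written in plaintext to the Terraform state and to any `.tfvars` file that sets it, so state-backend access control and keeping the value out of committed tfvars remain the operator's job. A note in the description, e.g. `description = "Password for the admin username of the Data Science VM (stored in plaintext in Terraform state; supply via TF_VAR_dsvm_host_password rather than a committed tfvars file)"`, would make that visible where the variable is declared. The 201 readme in the previous patch documents the same `dsvm_host_password` variable, but only the 301 `variables.tf` is changed here; if the 201 configuration declares it too (its variables file is not in this series), it needs the same attribute. Since both configurations already create an `azurerm_key_vault`, generating the password with `random_password` and writing it to that vault would remove the need for an operator-supplied secret altogether. The file also still ends without a trailing newline.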
diff --git a/quickstart/201-machine-learning-moderately-secure/workspace.tf b/quickstart/201-machine-learning-moderately-secure/workspace.tf
index 34b24334..dc0036cc 100644
--- a/quickstart/201-machine-learning-moderately-secure/workspace.tf
+++ b/quickstart/201-machine-learning-moderately-secure/workspace.tf
@@ -63,6 +63,13 @@ resource "azurerm_machine_learning_workspace" "default" {
 # Args of use when using an Azure Private Link configuration
 public_network_access_enabled = false
 image_build_compute_name = var.image_build_compute_name
+ depends_on = [
+ azurerm_private_endpoint.kv_ple,
+ azurerm_private_endpoint.st_ple_blob,
+ azurerm_private_endpoint.storage_ple_file,
+ azurerm_private_endpoint.cr_ple,
+ azurerm_subnet.snet-training
+ ]
 }
diff --git a/quickstart/301-machine-learning-hub-spoke-secure/workspace.tf b/quickstart/301-machine-learning-hub-spoke-secure/workspace.tf
index 460c38cd..ddf72ac1 100644
--- a/quickstart/301-machine-learning-hub-spoke-secure/workspace.tf
+++ b/quickstart/301-machine-learning-hub-spoke-secure/workspace.tf
@@ -65,7 +65,12 @@ resource "azurerm_machine_learning_workspace" "default" {
 public_network_access_enabled = false
 image_build_compute_name = var.image_build_compute_name
 depends_on = [
- azurerm_firewall.azure_firewall_instance
+ azurerm_firewall.azure_firewall_instance,
+ azurerm_private_endpoint.kv_ple,
+ azurerm_private_endpoint.st_ple_blob,
+ azurerm_private_endpoint.storage_ple_file,
+ azurerm_private_endpoint.cr_ple,
+ azurerm_subnet.snet-training
 ]
 }
From 3adc707d420ad5694514605440e040117f8c3c28 Mon Sep 17 00:00:00 2001
From: ryhud
Date: Thu, 28 Oct 2021 11:51:42 -0400
Subject: [PATCH 5/6] removing comments
---
 quickstart/201-machine-learning-moderately-secure/dsvm.tf | 6 +-----
 quickstart/301-machine-learning-hub-spoke-secure/dsvm.tf | 6 +-----
 2 files changed, 2 insertions(+), 10 deletions(-)
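Review bot: The new `depends_on` entries in both `workspace.tf` hunks (201 and 301) carry no explanation, and the commit message says only that they fix a destroy issue; an explicit dependency on four private endpoints and a subnet is exactly the kind of ordering workaround a later maintainer will delete unless told what breaks without it. Add a comment above the list in both files, along the lines of `# Explicit dependency so that on destroy the workspace is removed before its private endpoints and the training subnet; without it destroy fails (see commit 0943dd0)`, adjusted to the actual error that was observed. It is also worth checking whether the private endpoints referenced here are already implied by attribute references elsewhere in the resource, in which case only the ones that are not would need listing.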
diff --git a/quickstart/201-machine-learning-moderately-secure/dsvm.tf b/quickstart/201-machine-learning-moderately-secure/dsvm.tf
index 0ad12aa8..5beed51f 100644
--- a/quickstart/201-machine-learning-moderately-secure/dsvm.tf
+++ b/quickstart/201-machine-learning-moderately-secure/dsvm.tf
@@ -7,11 +7,7 @@ resource "azurerm_network_interface" "dsvm" {
 name = "configuration"
 subnet_id = azurerm_subnet.snet-dsvm.id
 private_ip_address_allocation = "Dynamic"
- }
- /*depends_on = [
- azurerm_route_table.jumphost_rt
- ]
- */
+ }
 }
 resource "azurerm_windows_virtual_machine" "dsvm" {
diff --git a/quickstart/301-machine-learning-hub-spoke-secure/dsvm.tf b/quickstart/301-machine-learning-hub-spoke-secure/dsvm.tf
index 8e1f93a3..383fccd3 100644
--- a/quickstart/301-machine-learning-hub-spoke-secure/dsvm.tf
+++ b/quickstart/301-machine-learning-hub-spoke-secure/dsvm.tf
@@ -7,11 +7,7 @@ resource "azurerm_network_interface" "dsvm" {
 name = "configuration"
 subnet_id = azurerm_subnet.snet-jumphost.id
 private_ip_address_allocation = "Dynamic"
- }
- /*depends_on = [
- azurerm_route_table.jumphost_rt
- ]
- */
+ }
 }
 resource "azurerm_windows_virtual_machine" "dsvm" {
From 71b05cfc0eb9e5ccda5cbedbe09659a70c371d1f Mon Sep 17 00:00:00 2001
From: ryhud
Date: Thu, 28 Oct 2021 11:52:12 -0400
Subject: [PATCH 6/6] updating readme
---
 .../301-machine-learning-hub-spoke-secure/readme.md | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/quickstart/301-machine-learning-hub-spoke-secure/readme.md b/quickstart/301-machine-learning-hub-spoke-secure/readme.md
index 688c8cf6..a495a86c 100644
--- a/quickstart/301-machine-learning-hub-spoke-secure/readme.md
+++ b/quickstart/301-machine-learning-hub-spoke-secure/readme.md
@@ -13,6 +13,8 @@ This configuration describes the minimal set of resources you require to get sta
 | Terraform Resource Type | Description |
 | - | - |
 | `azurerm_resource_group` | The resource group all resources get deployed into |
+| `azurerm_bastion_host` | An Azure Bastion Instance to securely RDP/SSH into Virtual Machines deployed into the Virtual Network |
+| `azurerm_windows_virtual_machine` | A Windows Data Science Virtual Machine used for connecting to the Azure Machine Learning workspace |
 | `azurerm_application_insights` | An Azure Application Insights instance associated to the Azure Machine Learning workspace |
 | `azurerm_key_vault` | An Azure Key Vault instance associated to the Azure Machine Learning workspace |
 | `azurerm_storage_account` | An Azure Storage instance associated to the Azure Machine Learning workspace |
@@ -26,6 +28,8 @@ This configuration describes the minimal set of resources you require to get sta
 | `azurerm_machine_learning_compute_instance` | An Azure Machine Learning compute instance a single-node managed compute. |
 | `azurerm_machine_learning_compute_cluster` | An Azure Machine Learning compute cluster as multi-node shared and managed compute. |
 | `azurerm_network_security_group` | Network security group with required inbound and outbound rules for Azure Machine Learning. |
+| `azurerm_firewall` | An Azure firewall instance used for egress traffic on the Virtual Network. |
+| `azurerm_public_ip` | A public IP resource used for the Azure Firewall. |
 ## Variables
@@ -38,8 +42,14 @@ This configuration describes the minimal set of resources you require to get sta
 | training_subnet_address_space | Address space of the training subnet | ["10.0.1.0/24"] |
 | aks_subnet_address_space | Address space of the aks subnet | ["10.0.2.0/23"] |
 | ml_subnet_address_space | Address space of the ML workspace subnet | ["10.0.0.0/24"] |
+| vnet_hub_address_space | Address space of the Hub virtual network | ["10.1.0.0/16"] |
+| jumphost_subnet_address_space | Address space of the Jumphost subnet | ["10.1.2.0/24"] |
+| bastion_subnet_address_space | Address space of the bastion subnet | ["10.1.3.0/24"] |
+| firewall_subnet_address_space | Address space of the Az Fiewall subnet | ["10.1.4.0/24"] |
 | image_build_compute_name | Name of the compute cluster to be created and configured for building docker images (Azure ML Environments) | image-builder |
-
+| dsvm_name | Name of the Windows Data Science VM resource | vmdsvm01 |
+| dsvm_admin_username | Admin username of the Windows Data Science VM | azureadmin |
+| dsvm_host_password | Password for the admin username of the Data Science VM | - |
 ## Usage