260

HoussemDellai · Sep 14, 2024 · a86468c · a86468c
1 parent 26f385f
commit a86468c
Show file tree

Hide file tree

Showing 9 changed files with 74 additions and 12 deletions.
diff --git a/260_private_aks_bastion/Readme.md b/260_private_aks_bastion/Readme.md
@@ -0,0 +1,62 @@
+# Connecting to private AKS cluster using Azure Bastion
+
+`Azure Bastion` is a fully managed PaaS service that provides secure and seamless `RDP` and `SSH` access to your virtual machines directly through the Azure Portal over `SSL`. When you connect via Azure Bastion, your virtual machines do not need a public IP address. Azure Bastion is provisioned directly in your Virtual Network (VNet) and supports all VMs in your `Virtual Network` (VNet) using SSL without any exposure through `public IP addresses`.
+
+In this lab, you will learn how to connect to a private AKS cluster using `Azure Bastion`.
+
+![](images/architecture.png)
+
+## Deploying resources using Terraform
+
+You will use Terraform to deploy the following resources:
+
+- Resource group
+- Virtual network
+- Azure Bastion
+- Private AKS cluster
+- Azure Linux VM acting as a Jumpbox
+- User-assigned Managed Identity for the Jumpbox with RBAC role over the subscription
+
+Run the following commands to deploy the resources:
+
+```bash
+terraform init
+terraform plan -out tfplan
+terraform apply tfplan
+```
+
+The following resources should be deployed.
+
+![](images/resources.png)
+
+## Connecting to the private AKS cluster
+
+You can either use the Azure portal or the command line to connect to `private AKS`. In this lab, you will use the Azure CLI to connect to the private AKS cluster.
+Run the following command to connect to the Azure VM using SSH through Bastion:
+
+```bash
+# get vm resource ID
+az vm show -g rg-private-aks-bastion-260 -n vm-linux-jumpbox --query id -o tsv
+
+# connect to the VM using Azure Bastion (replace the resource ID with the one you got from the previous command)
+az network bastion ssh -n bastion -g rg-private-aks-bastion-260 --username azureuser --auth-type password --target-resource-id "/subscriptions/xxxxxxxxxxxxxxxxxxxxxxxxxxx/resourceGroups/rg-private-aks-bastion-260/providers/Microsoft.Compute/virtualMachines/vm-linux-jumpbox"
+```
+
+Once you are connected to the Azure VM, run the following command to connect to the private AKS cluster:
+
+```bash
+# login to your Azure subscription using the Managed Identity
+az login --identity
+
+# get the credentials of the AKS cluster
+az aks get-credentials -g rg-private-aks-bastion-260 -n aks-private-260
+
+# verify the connection
+kubectl get nodes
+```
+
+## Azure Bastion in a Hub and Spoke model
+
+Azure Bastion can be deployed in a hub and spoke model where the hub network contains the Azure Bastion and the spoke networks contain the resources that need to be accessed. This model provides a centralized and secure way to access resources in the spoke networks.
+
+![](images/architecture-hub-spoke.png)
diff --git a/260_private_aks_bastion/identity-vm.tf b/260_private_aks_bastion/identity-vm.tf
@@ -1,4 +1,4 @@
-resource "azurerm_user_assigned_identity" "identity" {
+resource "azurerm_user_assigned_identity" "identity-vm" {
   name                = "identity-vm"
   resource_group_name = azurerm_resource_group.rg.name
   location            = azurerm_resource_group.rg.location
@@ -7,7 +7,7 @@ resource "azurerm_user_assigned_identity" "identity" {
 resource "azurerm_role_assignment" "vm-contributor" {
   scope                = data.azurerm_subscription.current.id
   role_definition_name = "Contributor"
-  principal_id         = azurerm_user_assigned_identity.identity.principal_id
+  principal_id         = azurerm_user_assigned_identity.identity-vm.principal_id
 }
 
 data "azurerm_subscription" "current" {}
diff --git a/...e_aks_bastion/images/access-azure-kubernetes-service-cluster-api-server-architecture.vsdx b/...e_aks_bastion/images/access-azure-kubernetes-service-cluster-api-server-architecture.vsdx
diff --git a/260_private_aks_bastion/images/architecture-hub-spoke.png b/260_private_aks_bastion/images/architecture-hub-spoke.png
diff --git a/260_private_aks_bastion/images/architecture.png b/260_private_aks_bastion/images/architecture.png
diff --git a/260_private_aks_bastion/images/resources.png b/260_private_aks_bastion/images/resources.png
diff --git a/260_private_aks_bastion/output.tf b/260_private_aks_bastion/output.tf
@@ -3,5 +3,5 @@ output "rg_name" {
 }
 
 output "vm_id" {
-  value = azurerm_linux_virtual_machine.vm.id
+  value = azurerm_linux_virtual_machine.vm-linux.id
 }
diff --git a/260_private_aks_bastion/vm-linux.tf → 260_private_aks_bastion/vm-linux-jumpbox.tf b/260_private_aks_bastion/vm-linux.tf → 260_private_aks_bastion/vm-linux-jumpbox.tf
@@ -1,5 +1,5 @@
-resource "azurerm_network_interface" "nic" {
-  name                 = "nic"
+resource "azurerm_network_interface" "nic-vm" {
+  name                 = "nic-vm"
   resource_group_name  = azurerm_resource_group.rg.name
   location             = azurerm_resource_group.rg.location
 
@@ -11,23 +11,23 @@ resource "azurerm_network_interface" "nic" {
   }
 }
 
-resource "azurerm_linux_virtual_machine" "vm" {
+resource "azurerm_linux_virtual_machine" "vm-linux" {
   name                            = "vm-linux-jumpbox"
   resource_group_name             = azurerm_resource_group.rg.name
   location                        = azurerm_resource_group.rg.location
   size                            = "Standard_B2ats_v2"
   disable_password_authentication = false
   admin_username                  = "azureuser"
   admin_password                  = "@Aa123456789"
-  network_interface_ids           = [azurerm_network_interface.nic.id]
+  network_interface_ids           = [azurerm_network_interface.nic-vm.id]
   priority                        = "Spot"
   eviction_policy                 = "Deallocate"
 
   custom_data = filebase64("./install-tools.sh")
 
   identity {
     type         = "UserAssigned"
-    identity_ids = [azurerm_user_assigned_identity.identity.id]
+    identity_ids = [azurerm_user_assigned_identity.identity-vm.id]
   }
 
   os_disk {

diff --git a/260_private_aks_bastion/vnet.tf b/260_private_aks_bastion/vnet.tf
@@ -2,26 +2,26 @@ resource "azurerm_virtual_network" "vnet" {
   name                = "vnet-spoke"
   resource_group_name = azurerm_resource_group.rg.name
   location            = azurerm_resource_group.rg.location
-  address_space       = ["10.1.0.0/16"]
+  address_space       = ["10.10.0.0/16"]
 }
 
 resource "azurerm_subnet" "snet-aks" {
   name                 = "snet-aks"
   resource_group_name  = azurerm_virtual_network.vnet.resource_group_name
   virtual_network_name = azurerm_virtual_network.vnet.name
-  address_prefixes     = ["10.1.0.0/24"]
+  address_prefixes     = ["10.10.0.0/24"]
 }
 
 resource "azurerm_subnet" "snet-bastion" {
   name                 = "AzureBastionSubnet"
   resource_group_name  = azurerm_virtual_network.vnet.resource_group_name
   virtual_network_name = azurerm_virtual_network.vnet.name
-  address_prefixes     = ["10.1.1.0/24"]
+  address_prefixes     = ["10.10.1.0/24"]
 }
 
 resource "azurerm_subnet" "snet-vm" {
   name                 = "snet-vm"
   resource_group_name  = azurerm_virtual_network.vnet.resource_group_name
   virtual_network_name = azurerm_virtual_network.vnet.name
-  address_prefixes     = ["10.1.2.0/24"]
+  address_prefixes     = ["10.10.2.0/24"]
 }