Merge pull request microsoft#75 from ryhud/master

Adding AML 301 and updates to 201 and 202

Author: grayzu

.gitignore

@@ -1,5 +1,5 @@
 terraform {
-  required_version = ">=0.15.0"
+  required_version = ">=1.0"
 
   required_providers {
     azurerm = {

quickstart/101-machine-learning/main.tf

@@ -0,0 +1,125 @@
+resource "azurerm_public_ip" "azure_bastion" {
+  name                = "pip-azure-bastion"
+  location            = azurerm_resource_group.default.location
+  resource_group_name = azurerm_resource_group.default.name
+  allocation_method   = "Static"
+  sku                 = "Standard"
+}
+
+resource "azurerm_network_security_group" "bastion_nsg" {
+  name                = "nsg-bastion"
+  location            = azurerm_resource_group.default.location
+  resource_group_name = azurerm_resource_group.default.name
+
+  security_rule {
+    name                       = "AllowHTTPSInbound"
+    priority                   = 100
+    direction                  = "Inbound"
+    access                     = "Allow"
+    protocol                   = "Tcp"
+    source_port_range          = "*"
+    destination_port_range     = "443"
+    source_address_prefix      = "Internet"
+    destination_address_prefix = "*"
+  }
+  security_rule {
+    name                       = "AllowGatewayManagerInbound"
+    priority                   = 200
+    direction                  = "Inbound"
+    access                     = "Allow"
+    protocol                   = "Tcp"
+    source_port_range          = "*"
+    destination_port_range     = "443"
+    source_address_prefix      = "GatewayManager"
+    destination_address_prefix = "*"
+  }
+  security_rule {
+    name                       = "AllowAzureLBInbound"
+    priority                   = 300
+    direction                  = "Inbound"
+    access                     = "Allow"
+    protocol                   = "Tcp"
+    source_port_range          = "*"
+    destination_port_range     = "443"
+    source_address_prefix      = "AzureLoadBalancer"
+    destination_address_prefix = "*"
+  }
+  security_rule {
+    name                       = "AllowBastionHostCommunication"
+    priority                   = 400
+    direction                  = "Inbound"
+    access                     = "Allow"
+    protocol                   = "*"
+    source_port_range          = "*"
+    destination_port_ranges    = ["5701", "8080"]
+    source_address_prefix      = "VirtualNetwork"
+    destination_address_prefix = "VirtualNetwork"
+  }
+  security_rule {
+    name                       = "AllowRdpSshOutbound"
+    priority                   = 100
+    direction                  = "Outbound"
+    access                     = "Allow"
+    protocol                   = "Tcp"
+    source_port_range          = "*"
+    destination_port_ranges    = ["22", "3389"]
+    source_address_prefix      = "*"
+    destination_address_prefix = "VirtualNetwork"
+  }
+  security_rule {
+    name                       = "AllowBastionHostCommunicationOutbound"
+    priority                   = 110
+    direction                  = "Outbound"
+    access                     = "Allow"
+    protocol                   = "Tcp"
+    source_port_range          = "*"
+    destination_port_ranges    = ["5701", "8080"]
+    source_address_prefix      = "VirtualNetwork"
+    destination_address_prefix = "VirtualNetwork"
+  }
+  security_rule {
+    name                       = "AllowAzureCloudOutbound"
+    priority                   = 120
+    direction                  = "Outbound"
+    access                     = "Allow"
+    protocol                   = "Tcp"
+    source_port_range          = "*"
+    destination_port_ranges    = ["443"]
+    source_address_prefix      = "*"
+    destination_address_prefix = "AzureCloud"
+  }
+  security_rule {
+    name                       = "AllowGetSessionInformation"
+    priority                   = 130
+    direction                  = "Outbound"
+    access                     = "Allow"
+    protocol                   = "Tcp"
+    source_port_range          = "*"
+    destination_port_ranges    = ["80"]
+    source_address_prefix      = "*"
+    destination_address_prefix = "Internet"
+  }
+
+}
+
+resource "azurerm_subnet_network_security_group_association" "bastion_nsg_assoc" {
+  subnet_id                 = azurerm_subnet.azure_bastion.id
+  network_security_group_id = azurerm_network_security_group.bastion_nsg.id
+  depends_on = [
+    azurerm_bastion_host.azure_bastion_instance
+  ]
+}
+
+
+resource "azurerm_bastion_host" "azure_bastion_instance" {
+  name                = "bas-${var.name}-${var.environment}"
+  location            = azurerm_resource_group.default.location
+  resource_group_name = azurerm_resource_group.default.name
+
+  ip_configuration {
+    name                 = "configuration"
+    subnet_id            = azurerm_subnet.azure_bastion.id
+    public_ip_address_id = azurerm_public_ip.azure_bastion.id
+  }
+}
+

quickstart/201-machine-learning-moderately-secure/bastion.tf

@@ -0,0 +1,48 @@
+resource "azurerm_network_interface" "dsvm" {
+  name                = "nic-${var.dsvm_name}"
+  location            = azurerm_resource_group.default.location
+  resource_group_name = azurerm_resource_group.default.name
+
+  ip_configuration {
+    name                          = "configuration"
+    subnet_id                     = azurerm_subnet.snet-dsvm.id
+    private_ip_address_allocation = "Dynamic"
+  }
+}
+
+resource "azurerm_windows_virtual_machine" "dsvm" {
+  name                = var.dsvm_name
+  location            = azurerm_resource_group.default.location
+  resource_group_name = azurerm_resource_group.default.name
+  network_interface_ids = [
+    azurerm_network_interface.dsvm.id
+  ]
+  size = "Standard_DS3_v2"
+
+  source_image_reference {
+    publisher = "microsoft-dsvm"
+    offer     = "dsvm-win-2019"
+    sku       = "server-2019"
+    version   = "latest"
+  }
+
+  os_disk {
+    name                 = "osdisk-${var.dsvm_name}"
+    caching              = "ReadWrite"
+    storage_account_type = "Premium_LRS"
+  }
+
+  identity {
+    type = "SystemAssigned"
+  }
+  computer_name  = var.dsvm_name
+  admin_username = var.dsvm_admin_username
+  admin_password = var.dsvm_host_password
+
+  provision_vm_agent = true
+
+  timeouts {
+    create = "60m"
+    delete = "2h"
+  }
+}

quickstart/201-machine-learning-moderately-secure/dsvm.tf

@@ -1,5 +1,5 @@
 terraform {
-  required_version = ">=0.15.0"
+  required_version = ">=1.0"
 
   required_providers {
     azurerm = {

quickstart/201-machine-learning-moderately-secure/main.tf

@@ -30,6 +30,21 @@ resource "azurerm_subnet" "snet-workspace" {
   enforce_private_link_endpoint_network_policies = true
 }
 
+resource "azurerm_subnet" "snet-dsvm" {
+  name                                           = "snet-dsvm"
+  resource_group_name                            = azurerm_resource_group.default.name
+  virtual_network_name                           = azurerm_virtual_network.default.name
+  address_prefixes                               = var.dsvm_subnet_address_space
+  enforce_private_link_endpoint_network_policies = true
+}
+
+resource "azurerm_subnet" "azure_bastion" {
+  name                 = "AzureBastionSubnet"
+  resource_group_name  = azurerm_resource_group.default.name
+  virtual_network_name = azurerm_virtual_network.default.name
+  address_prefixes     = var.bastion_subnet_address_space
+}
+
 # Private DNS Zones
 resource "azurerm_private_dns_zone" "dnsvault" {
   name                = "privatelink.vaultcore.azure.net"

quickstart/201-machine-learning-moderately-secure/network.tf

@@ -6,13 +6,15 @@ and its associated resources including Azure Key Vault, Azure Storage, Azure App
 In addition to these core services, this configuration specifies any networking components that are required to set up Azure Machine Learning
 for private network connectivity using [Azure Private Link](https://docs.microsoft.com/en-us/azure/private-link/). 
 
-This configuration describes the minimal set of resources you require to get started with Azure Machine Learning in a network-isolated set-up. This configuration creates new network components. If you want to reuse existing network components, see [202 example](../201-machine-learning-moderately-secure/readme.md).
+This configuration describes the minimal set of resources you require to get started with Azure Machine Learning in a network-isolated set-up. This configuration creates new network components. Use Azure Bastion to securely connect to the Windows Data Science Virtual Machine. If you want to reuse existing network components, see [202 example](../202-machine-learning-moderately-secure-existing-VNet/readme.md).
 
 ## Resources
 
 | Terraform Resource Type | Description |
 | - | - |
 | `azurerm_resource_group` | The resource group all resources get deployed into |
+| `azurerm_bastion_host` | An Azure Bastion Instance to securely RDP/SSH into Virtual Machines deployed into the Virtual Network |
+| `azurerm_windows_virtual_machine` | A Windows Data Science Virtual Machine used for connecting to the Azure Machine Learning workspace |
 | `azurerm_application_insights` | An Azure Application Insights instance associated to the Azure Machine Learning workspace |
 | `azurerm_key_vault` | An Azure Key Vault instance associated to the Azure Machine Learning workspace |
 | `azurerm_storage_account` | An Azure Storage instance associated to the Azure Machine Learning workspace |
@@ -39,6 +41,9 @@ This configuration describes the minimal set of resources you require to get sta
 | aks_subnet_address_space | Address space of the aks subnet | ["10.0.2.0/23"] |
 | ml_subnet_address_space | Address space of the ML workspace subnet | ["10.0.0.0/24"] |
 | image_build_compute_name | Name of the compute cluster to be created and configured for building docker images (Azure ML Environments) | image-builder |
+| dsvm_name | Name of the Windows Data Science VM resource | vmdsvm01 |
+| dsvm_admin_username | Admin username of the Windows Data Science VM | azureadmin |
+| dsvm_host_password | Password for the admin username of the Data Science VM | - |
 
 
 ## Usage

quickstart/201-machine-learning-moderately-secure/readme.md

@@ -38,9 +38,38 @@ variable "ml_subnet_address_space" {
   description = "Address space of the ML workspace subnet"
   default     = ["10.0.0.0/24"]
 }
+variable "dsvm_subnet_address_space" {
+  type        = list(string)
+  description = "Address space of the DSVM subnet"
+  default     = ["10.0.4.0/24"]
+}
+
+variable "bastion_subnet_address_space" {
+  type        = list(string)
+  description = "Address space of the bastion subnet"
+  default     = ["10.0.5.0/24"]
+}
 
 variable "image_build_compute_name" {
   type        = string
   description = "Name of the compute cluster to be created and set to build docker images"
   default     = "image-builder"
+}
+
+# DSVM Variables
+variable "dsvm_name" {
+  type        = string
+  description = "Name of the Data Science VM"
+  default     = "vmdsvm01"
+}
+variable "dsvm_admin_username" {
+  type        = string
+  description = "Admin username of the Data Science VM"
+  default     = "azureadmin"
+}
+
+variable "dsvm_host_password" {
+  type        = string
+  description = "Password for the admin username of the Data Science VM"
+  sensitive   = true
 }

quickstart/201-machine-learning-moderately-secure/variables.tf

@@ -63,6 +63,13 @@ resource "azurerm_machine_learning_workspace" "default" {
   # Args of use when using an Azure Private Link configuration
   public_network_access_enabled = false
   image_build_compute_name      = var.image_build_compute_name
+  depends_on = [
+    azurerm_private_endpoint.kv_ple,
+    azurerm_private_endpoint.st_ple_blob,
+    azurerm_private_endpoint.storage_ple_file,
+    azurerm_private_endpoint.cr_ple,
+    azurerm_subnet.snet-training
+  ]
 
 }
 

quickstart/201-machine-learning-moderately-secure/workspace.tf

@@ -1,5 +1,5 @@
 terraform {
-  required_version = ">=0.15.0"
+  required_version = ">=1.0"
 
   required_providers {
     azurerm = {