# Azure Secure Jumpbox & Bastion Hub-Spoke
Updated: May 15, 2025
Tags: Azure, Bastion, Zero Trust, Security, Hub-Spoke, Landing Zone, Jumpbox, Virtual Machines, RBAC, IAM, Peering, Vnet, Snet, Infrastructure
## **Description**
This architecture is designed to provide a secure environment for accessing and managing Azure resources via a Jumpbox and Azure Bastion. Based on a Hub-Spoke model, it ensures a clear separation of roles by hosting the Bastion Host and Jumpbox in dedicated VNets while facilitating communication with Spoke networks, where secure workloads are deployed.
With this Jumpbox + Bastion + Spoke approach, virtual machine administration on Azure is centralized and secured, minimizing exposure to attacks by restricting access to private connections only. It follows Zero Trust Network principles, ensuring enhanced compliance and a high level of security for enterprises.

Ideal for any organization looking to strengthen its cloud infrastructure security while ensuring controlled and efficient access!
> ✅ *terraform apply: successful*.
## **Architecture Components**
| **Resource** | **Type** | **Description** |
|-----------------------------------|-------------------------------------------------------|-------------------------------------------------------|
| **Resource Groups** | `azurerm_resource_group` | Logical containers for organizing resources |
| **Virtual Network (Jumpbox)** | `azurerm_virtual_network` | Dedicated VNet for Jumpbox administration |
| **Virtual Network (Spoke)** | `azurerm_virtual_network` | VNet dedicated to hosting workloads |
| **Virtual Network (Bastion Hub)** | `azurerm_virtual_network` | VNet hosting Azure Bastion |
| **Subnet Bastion** | `azurerm_subnet` | Subnet reserved for Azure Bastion |
| **Subnet Jumpbox** | `azurerm_subnet` | Subnet containing the Jumpbox |
| **Subnet Spoke** | `azurerm_subnet` | Subnet containing the workloads |
| **Bastion Public IP** | `azurerm_public_ip` | Public IP address for Azure Bastion |
| **Azure Bastion Host** | `azurerm_bastion_host` | Bastion allowing access without public RDP or SSH |
| **Jumpbox VM** | `azurerm_windows_virtual_machine` | Machine used as a secure access point |
| **Spoke VM** | `azurerm_windows_virtual_machine` | Virtual machine hosted in the Spoke |
| **Peering Jumpbox <-> Spoke** | `azurerm_virtual_network_peering` | Network connection between Jumpbox and Spoke |
| **Peering Bastion <-> Jumpbox** | `azurerm_virtual_network_peering` | Network connection between Bastion and Jumpbox |
| **NSG Jumpbox** | `azurerm_network_security_group` | Controls network traffic for the Jumpbox |
| **NSG Spoke** | `azurerm_network_security_group` | Controls network traffic for workloads |
| **Association NSG Jumpbox** | `azurerm_subnet_network_security_group_association` | Applies NSG rules to the Jumpbox subnet |
| **Association NSG Spoke** | `azurerm_subnet_network_security_group_association` | Applies NSG rules to the Spoke subnet |
## **Requirements**
| **Requirement** | **Details** |
|----------------------------------|------------------------------------------------------------|
| **Terraform Version** | Compatible with all versions |
| **Provider** | Azure RM |
| **Provider Version** | `>= 3.88.0` |
| **Access Requirements** | Service Principal with Contributor Role |
| **Network Security** | Virtual Network, NSGs, Private Peering, Bastion Security |
| **Jumpbox Security** | NSG Rules, Private Subnet, No Public IP |
| **Bastion Security** | Enforced through Azure Bastion with private subnet |
| **Virtual Network Peering** | Required for secure communication between VNets |
| **Authentication** | Managed Identities, No credentials stored |
| **Jumpbox VM Configuration** | Windows VM with secure access controls |
| **Spoke VM Configuration** | Windows VM for workload hosting |
| **NSG Rules** | Enforced for both Jumpbox and Spoke networks |
| **Public IP Restrictions** | Only required for Azure Bastion |
| **Remote Access Method** | Azure Bastion (No RDP or SSH exposed publicly) |
| **Compliance & Security** | Follows Zero Trust, Role-Based Access Control (RBAC) |
## **How to Use the Architecture**
Clone the architecture and modify the following variables according to your needs:
## **Variables and Default Values**
| **Variable** | **Default Value** | **Description** |
|----------------------------------|--------------------------------------------|-------------------------------------------------------|
| `bastion_host_name` | `"bastion-hub"` | Name of the Azure Bastion host |
| `bastion_ip_conf_name` | `"bastion-ip-config"` | Bastion IP configuration name |
| `bastion_snet_name` | `"bastion_subnet"` | Name of the subnet dedicated to Azure Bastion |
| `computer_jumbox_name` | `"jumbox"` | Name of the Jumpbox virtual machine |
| `computer_spoke_name` | `"vm-spoke"` | Name of the Spoke virtual machine |
| `jumpbox_ip_conf_name` | `"internal"` | Name of the Jumpbox IP configuration |
| `jumpbox_size` | `"Standard_DS1_v2"` | Size of the Jumpbox VM |
| `location` | `"france central"` | Azure region for deployment |
| `location_short` | `"frc"` | Short name for the Azure region |
| `nic_jumpbox_name` | `"nic-jumpbox"` | Name of the Jumpbox network interface |
| `nic_spoke_name` | `"nic-spoke"` | Name of the Spoke network interface |
| `nsg_rules_snet_jumbox` | *List of security rules* | NSG rules for the Jumpbox subnet |
| `nsg_rules_snet_spoke` | *List of security rules* | NSG rules for the Spoke subnet |
| `pip_alloc` | `"Static"` | Public IP allocation method |
| `prefix_name` | `"Hub"` | Prefix used for resource naming |
| `public_ip_sku` | `"Standard"` | SKU for the public IP |
| `pv_ip_address_alloc` | `"Dynamic"` | Private IP allocation method |
| `snet_hub_bastion_addr` | `"10.0.1.0/26"` | Address prefix for the Bastion subnet |
| `snet_jumpbox_addr_space` | `"10.0.2.0/26"` | Address prefix for the Jumpbox subnet |
| `snet_spoke_addr_space` | `"10.0.3.0/25"` | Address prefix for the Spoke subnet |
| `source_image_offer` | `"UbuntuServer"` | OS image offer for Jumpbox VM |
| `source_image_publisher` | `"Canonical"` | Publisher of the Jumpbox VM OS image |
| `source_image_sku` | `"18.04-LTS"` | SKU of the Jumpbox VM OS image |
| `source_image_version` | `"latest"` | Version of the Jumpbox VM OS image |
| `src_img_ref_offer` | `"WindowsServer"` | OS image offer for the Spoke VM |
| `src_img_ref_publisher` | `"MicrosoftWindowsServer"` | Publisher of the Spoke VM OS image |
| `src_img_ref_sku` | `"2022-datacenter"` | SKU of the Spoke VM OS image |
| `src_img_ref_version` | `"latest"` | Version of the Spoke VM OS image |
| `suffix_name` | `"hub-frc"` | Suffix for resource naming |
| `tags` | `{ archuuid = "6c183421-c5dd-48ec-832b-0060135fa868", env = "Development" }` | Tags applied to all resources |
| `vm_adm_user` | `"adminuser"` | Administrator username for Jumpbox VM |
| `vm_admin_user` | `"adminuservmtest"` | Administrator username for Spoke VM |
| `vm_pwd_admin` | `"vmpwdadmin8374"` | Administrator password for VMs |
| `vm_size` | `"Standard_D2_v2"` | Size of the Spoke virtual machine |
| `vm_st_type` | `"Standard_LRS"` | Storage type for the VM OS disk |
| `vnet_bastion_hub_addr` | `"10.0.1.0/24"` | Address space for the Bastion VNet |
| `vnet_jumpbox_addr` | `"10.0.2.0/24"` | Address space for the Jumpbox VNet |
| `vnet_peering_name` | `"hub-to-jumbox"` | Name of the virtual network peering |
| `vnet_spoke_addr` | `"10.0.3.0/24"` | Address space for the Spoke VNet |
**N.B.:**
- Feel free to remove the resources that are not relevant to your use case.
- Some variables have default values; change them if they do not fit your deployment.
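As an added example (not part of the template itself), a `terraform.tfvars` fragment that fills `nsg_rules_snet_jumbox` so that only Azure Bastion (`snet_hub_bastion_addr`, 10.0.1.0/26) can reach the Jumpbox subnet (`snet_jumpbox_addr_space`, 10.0.2.0/26). It assumes the variable is a list of objects whose keys match the `security_rule` block of `azurerm_network_security_group`, and that the Jumpbox is the Windows VM listed in the components table (use port 22 instead of 3389 if you keep the Ubuntu image defaults):

```hcl
# Jumpbox subnet NSG: admit RDP from the Bastion subnet only, deny everything else.
# Assumption: each object maps 1:1 onto a security_rule block in the template's NSG.
nsg_rules_snet_jumbox = [
  {
    name                       = "AllowRdpFromBastion"
    priority                   = 100
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "3389"         # 22 for an SSH-only Linux Jumpbox
    source_address_prefix      = "10.0.1.0/26"  # snet_hub_bastion_addr
    destination_address_prefix = "10.0.2.0/26"  # snet_jumpbox_addr_space
  },
  {
    # Required because the built-in AllowVnetInBound rule (priority 65000) would
    # otherwise admit any traffic arriving from the peered Spoke VNet.
    name                       = "DenyAllOtherInbound"
    priority                   = 4096
    direction                  = "Inbound"
    access                     = "Deny"
    protocol                   = "*"
    source_port_range          = "*"
    destination_port_range     = "*"
    source_address_prefix      = "*"
    destination_address_prefix = "*"
  },
]

# Keep the administrator password out of this file: supply vm_pwd_admin at apply
# time through the TF_VAR_vm_pwd_admin environment variable or a -var argument.
```

`nsg_rules_snet_spoke` takes the same pair of rules with `source_address_prefix = "10.0.2.0/26"` and `destination_address_prefix = "10.0.3.0/25"`, so that only the Jumpbox, and not any other address in the peered VNet, can open RDP to the Spoke VM.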
## **Maintainer(s)**
You can reach out to these maintainers if you need help or assistance:
- [Brainboard team](mailto:support@brainboard.co)