Remote Access to Azure Virtual Machines for Model Development

Question

Pulumi · Accepted Answer

When you want to set up remote access to an Azure Virtual Machine (VM) for purposes such as model development, the main considerations typically include provisioning the VM itself, configuring the network to allow remote access securely, and setting up any necessary identity and access management.

For Azure, you can use services like Azure Bastion for providing secure RDP (Remote Desktop Protocol) or SSH (Secure Shell) access to your VMs without exposing them to the public internet. Additionally, you might want to configure the network security group (NSG) to further restrict access.

Here's how you can set up the infrastructure using Pulumi to create an Azure Virtual machine that can be accessed remotely:

1. **Virtual Network and Subnet**: These resources are necessary for hosting our VM and related resources. They provide a network space where our resources can reside.
2. **Public IP Address**: This will be used by Azure Bastion to enable secure remote access to the VM.
3. **Network Security Group**: This will define security rules to control inbound and outbound traffic for network interfaces (NIC), VMs, and subnets.
4. **Network Interface**: Serves as the intermediary between the VM and the virtual network.
5. **Azure Bastion Host**: Provides secure and seamless RDP/SSH connectivity to your VMs directly in the Azure portal over SSL.
6. **Azure Virtual Machine**: This is the actual compute resource where your model development environment will be set up.

Here's the Pulumi program, written in Python, that sets up this infrastructure:

```python
import pulumi
import pulumi_azure_native as azure_native

# Resource Group
resource_group = azure_native.resources.ResourceGroup('rg')

# Virtual Network and Subnet config
virtual_network = azure_native.network.VirtualNetwork(
    'vnet',
    resource_group_name=resource_group.name,
    address_space=azure_native.network.AddressSpaceArgs(
        address_prefixes=['10.0.0.0/16']
    ),
    subnets=[azure_native.network.SubnetArgs(
        name='default',
        address_prefix='10.0.1.0/24',
    )]
)

# Network Security Group config
network_security_group = azure_native.network.NetworkSecurityGroup(
    'nsg',
    resource_group_name=resource_group.name
)

# Public IP Address for Bastion Host
public_ip = azure_native.network.PublicIPAddress(
    'public-ip',
    resource_group_name=resource_group.name,
    public_ip_allocation_method=azure_native.network.IPAllocationMethod.STATIC
)

# Network Interface config
network_interface = azure_native.network.NetworkInterface(
    'nic',
    resource_group_name=resource_group.name,
    ip_configurations=[azure_native.network.NetworkInterfaceIPConfigurationArgs(
        name='default',
        subnet=azure_native.network.SubnetArgs(
            id=virtual_network.subnets.apply(lambda subnets: subnets[0].id)
        )
    )]
)

# Azure Bastion Host config
bastion_host = azure_native.network.BastionHost(
    'bastionhost',
    resource_group_name=resource_group.name,
    ip_configurations=[azure_native.network.BastionHostIPConfigurationArgs(
        name='default',
        subnet=azure_native.network.SubnetArgs(
            id=virtual_network.subnets.apply(lambda subnets: subnets[0].id)
        ),
        public_ip_address=azure_native.network.PublicIPAddressArgs(
            id=public_ip.id
        )
    )]
)

# Virtual Machine config
vm = azure_native.compute.VirtualMachine(
    'vm',
    resource_group_name=resource_group.name,
    network_profile=azure_native.compute.NetworkProfileArgs(
        network_interfaces=[azure_native.compute.NetworkInterfaceReferenceArgs(
            id=network_interface.id,
            primary=True
        )]
    ),
    hardware_profile=azure_native.compute.HardwareProfileArgs(
        vm_size=azure_native.compute.VirtualMachineSizeTypes.STANDARD_DS1_V2
    ),
    os_profile=azure_native.compute.OSProfileArgs(
        computer_name='myvm',
        admin_username='adminuser',
        admin_password='securepassword123',
        linux_configuration=azure_native.compute.LinuxConfigurationArgs(
            disable_password_authentication=False
        )
    ),
    storage_profile=azure_native.compute.StorageProfileArgs(
        image_reference=azure_native.compute.ImageReferenceArgs(
            publisher='Canonical',
            offer='UbuntuServer',
            sku='18.04-LTS',
            version='latest'
        ),
        os_disk=azure_native.compute.OSDiskArgs(
            create_option='FromImage',
            manage_disk=azure_native.compute.ManagedDiskParametersArgs(
                storage_account_type=azure_native.compute.StorageAccountTypes.STANDARD_LRS
            )
        )
    )
)

# Output the public IP address for Azure Bastion Host
pulumi.export('bastion_public_ip', public_ip.ip_address)
# Output the VM ID
pulumi.export('vm_id', vm.id)
```

To use the above program:
1. Have Pulumi CLI installed and configured for Azure access.
2. Save above code in a file named `__main__.py`.
3. Run `pulumi up` to preview and deploy the resources.

After deploying this stack, you will be able to connect securely to your virtual machine using Azure Bastion with the provided public IP address. This connection can be made directly in the Azure portal, which facilitates the establishment of an RDP or SSH session over SSL without the need to expose your VM to the public internet.