Azure Bastion Network Security Groups NSG
# Attach the VM-side NSG ("vm-nsg") to the subnet that hosts the target VMs
# (azurerm_subnet.this). Its SSH/RDP allow rule is evaluated for traffic arriving
# at NICs in that subnet from the Bastion subnet.
resource "azurerm_subnet_network_security_group_association" "bastion-to-vm" {
  network_security_group_id = azurerm_network_security_group.bastion_to_pipelines.id
  subnet_id                 = azurerm_subnet.this.id
}
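# NSG for the subnet that hosts the VMs reached through Azure Bastion.
# The only explicit rule admits SSH (22) and RDP (3389) from the AzureBastionSubnet's
# address prefix; anything else falls through to Azure's built-in default rules
# (DenyAllInBound), so no explicit deny rule is needed here.
resource "azurerm_network_security_group" "bastion_to_pipelines" {
  name                = "vm-nsg"
  location            = azurerm_resource_group.this.location
  resource_group_name = azurerm_resource_group.this.name

  security_rule {
    name      = "SSH-RDP"
    priority  = 1001
    direction = "Inbound"
    access    = "Allow"
    # Bastion reaches the VM over TCP 22/3389. The original "*" also admitted UDP and
    # ICMP on these ports, which is wider than the session protocols require.
    protocol                = "Tcp"
    source_port_range       = "*"
    destination_port_ranges = ["22", "3389"]
    # Only the first prefix of the Bastion subnet is used; this assumes the
    # AzureBastionSubnet is defined with a single address prefix.
    source_address_prefix = azurerm_subnet.bastion.address_prefixes[0]
    # "*" is acceptable here because the NSG is bound to the VM subnet via the
    # association above, so the rule only ever applies to NICs in that subnet.
    destination_address_prefix = "*"
  }
}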
# Attach the Bastion NSG to the AzureBastionSubnet (azurerm_subnet.bastion).
# Note the label: despite "bastion_to_vm", this association covers the Bastion
# subnet itself; the VM subnet is covered by "bastion-to-vm" above. The label is
# left unchanged because it is part of the resource address in state.
resource "azurerm_subnet_network_security_group_association" "bastion_to_vm" {
  network_security_group_id = azurerm_network_security_group.bastion_nsg.id
  subnet_id                 = azurerm_subnet.bastion.id
}
# NSG for the AzureBastionSubnet. The rule set mirrors the rules Azure Bastion
# requires on its subnet (the author's note links the Microsoft guide it was
# transcribed from). Traffic not matched by an explicit rule falls through to
# Azure's default rules.
resource "azurerm_network_security_group" "bastion_nsg" {
  name                = "bastion-nsg"
  location            = azurerm_resource_group.this.location
  resource_group_name = azurerm_resource_group.this.name

  # ------------------------------------------------------------------ inbound

  # Users reach the Bastion host over HTTPS from the public Internet.
  security_rule {
    name                       = "AllowHttpsInbound"
    priority                   = 120
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_address_prefix      = "Internet"
    source_port_range          = "*"
    destination_address_prefix = "*"
    destination_port_ranges    = ["443"]
  }

  # Azure control-plane access to the host (GatewayManager service tag) on 443.
  security_rule {
    name                       = "AllowGatewayManagerInbound"
    priority                   = 130
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_address_prefix      = "GatewayManager"
    source_port_range          = "*"
    destination_address_prefix = "*"
    destination_port_ranges    = ["443"]
  }

  # Azure Load Balancer traffic (used for health probes, per the guide) on 443.
  security_rule {
    name                       = "AllowAzureLoadBalancer"
    priority                   = 140
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_address_prefix      = "AzureLoadBalancer"
    source_port_range          = "*"
    destination_address_prefix = "*"
    destination_port_ranges    = ["443"]
  }

  # Data-plane traffic between Bastion host instances inside the VNet
  # (ports 8080 and 5701, any protocol).
  security_rule {
    name                       = "AllowBastionHostCommunication"
    priority                   = 150
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "*"
    source_address_prefix      = "VirtualNetwork"
    source_port_range          = "*"
    destination_address_prefix = "VirtualNetwork"
    destination_port_ranges    = ["8080", "5701"]
  }

  # ----------------------------------------------------------------- outbound

  # SSH/RDP sessions from the host to target VMs anywhere in the VNet.
  # Any protocol is allowed here; the target subnet's own NSG is the place to
  # narrow this further.
  security_rule {
    name                       = "AllowSshRdpOutbound"
    priority                   = 100
    direction                  = "Outbound"
    access                     = "Allow"
    protocol                   = "*"
    source_address_prefix      = "*"
    source_port_range          = "*"
    destination_address_prefix = "VirtualNetwork"
    destination_port_ranges    = ["22", "3389"]
  }

  # Host-to-Azure-services traffic (AzureCloud service tag) over HTTPS.
  security_rule {
    name                       = "AllowAzureCloudOutbound"
    priority                   = 110
    direction                  = "Outbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_address_prefix      = "*"
    source_port_range          = "*"
    destination_address_prefix = "AzureCloud"
    destination_port_ranges    = ["443"]
  }

  # Outbound side of the host-to-host data-plane traffic (8080, 5701).
  security_rule {
    name                       = "AllowBastionCommunication"
    priority                   = 120
    direction                  = "Outbound"
    access                     = "Allow"
    protocol                   = "*"
    source_address_prefix      = "VirtualNetwork"
    source_port_range          = "*"
    destination_address_prefix = "VirtualNetwork"
    destination_port_ranges    = ["8080", "5701"]
  }

  # Session and certificate information fetched from the Internet on port 80.
  # This is plain HTTP by design of the service; it is the only Internet-bound
  # egress rule besides the AzureCloud/443 rule above.
  security_rule {
    name                       = "AllowGetSessionInformation"
    priority                   = 130
    direction                  = "Outbound"
    access                     = "Allow"
    protocol                   = "*"
    source_address_prefix      = "*"
    source_port_range          = "*"
    destination_address_prefix = "Internet"
    destination_port_ranges    = ["80"]
  }
}
@hermannolafs

This was made by following this guide: https://learn.microsoft.com/en-us/azure/bastion/bastion-nsg

I hope this saves you some time in typing this out.
