feat: add proxying to vnet via azure vm

matihost · Dec 8, 2024 · a11646a · a11646a
1 parent 51d7f8a
commit a11646a
Show file tree

Hide file tree

Showing 5 changed files with 63 additions and 3 deletions.
diff --git a/terraform/azure/azure-instance/Makefile b/terraform/azure/azure-instance/Makefile
@@ -34,6 +34,33 @@ ssh-via-bastion: ## connect to instance via Azure Bastion
 		--username ubuntu \
 		--ssh-key ~/.ssh/id_rsa.cloud.vm
 
+expose-direct-proxy-locally: ## expose TinyProxy locally to access resource inside VNet - uses az tunnel (limitations, slow)
+	@[ "$(shell sudo ss -antl |grep -c 8888)" -ne 0 ] || az network bastion tunnel \
+  --name $(shell cd stage/$(ENV) && terragrunt output bastion_name)  \
+  --resource-group dev \
+  --target-resource-id $(shell cd stage/$(ENV) && terragrunt output vm_id) \
+  --resource-port 8888 \
+  --port 8888 &
+
+shutdown-local-proxy: ## shutdown tunneled bastion's HTTP proxy
+	@-[ "$(shell sudo ss -antl |grep -c 8888)" -eq 0 ] || sudo kill -9 $(shell sudo lsof -t -i:8888)
+	@-[ "$(shell sudo ss -antl |grep -c 2022)" -eq 0 ] || sudo kill -9 $(shell sudo lsof -t -i:2022)
+
+
+expose-proxy-via-ssh-locally: ## expose TinyProxy locally to access resource inside VNet - uses ssh tunneling (done via az tunnel), needs 2 ports, but more resilient
+	@[ "$(shell sudo ss -antl |grep -c 2022)" -ne 0 ] || az network bastion tunnel \
+  --name $(shell cd stage/$(ENV) && terragrunt output bastion_name)  \
+  --resource-group dev \
+  --target-resource-id $(shell cd stage/$(ENV) && terragrunt output vm_id) \
+  --resource-port 22 \
+  --port 2022 &
+	@sleep 2 # workaround for az tunnel delay when run in background
+	@[ "$(shell sudo ss -antl |grep -c 8888)" -ne 0 ] || ssh -o StrictHostKeyChecking=accept-new -f -N -i ~/.ssh/id_rsa.cloud.vm [email protected] -p 2022 -L 8888:127.0.0.1:8888
+
+
+test: ## test connectivity via proxy to vm ngnix
+	export http_proxy=http://localhost:8888 && export https_proxy=http://localhost:8888 && curl http://dev-weu-vm
+
 show-state: ## show state
 	cd stage/$(ENV) && terragrunt state list && terragrunt show
 

diff --git a/terraform/azure/azure-instance/README.md b/terraform/azure/azure-instance/README.md
@@ -31,4 +31,29 @@ make run MODE=apply ENV=dev-westeurope
 
 # connect to instance via Azure Bastion
 make ssh-via-bastion
+
+
+# to test or to access other resouces inside VNet via VM
+
+# expose TinyProxy locally to access resource inside VNet - uses az tunnel (limitations, slow)
+make expose-direct-proxy-locally
+
+# or
+
+# expose TinyProxy locally to access resource inside VNet - uses ssh tunneling (done via az tunnel), needs 2 ports, but more resilient
+make expose-proxy-via-ssh-locally
+
+# then
+# test connectivity via proxy to vm ngnix
+make test
+
+# or access any other resource in the vnet via proxy exposed on 8888 port
+# to do so export proxy variables:
+export http_proxy=http://localhost:8888 && export https_proxy=http://localhost:8888
+# then you can curl whatever in the vm
+
+# at then end close the proxy tunnel:
+
+# shutdown tunneled bastion's HTTP proxy
+make shutdown-local-proxy
 ```
diff --git a/terraform/azure/azure-instance/stage/dev-polandcentral/vm.cloud-init.tpl b/terraform/azure/azure-instance/stage/dev-polandcentral/vm.cloud-init.tpl
@@ -8,7 +8,9 @@ repo_upgrade: all
 
 packages:
  - nginx
+ - tinyproxy
  - plocate
+ - dnsutils
  - azure-cli
 
 # cloud-init creates a final script in: /var/lib/cloud/instance/scripts/runcmd
@@ -19,3 +21,5 @@ runcmd:
  - cat /home/${admin_username}/.ssh/id_rsa.pub >> /home/${admin_username}/.ssh/authorized_keys
  - 'chown ${admin_username}:${admin_username} /home/${admin_username}/.ssh/id_rsa*'
  - chmod 400 /home/${admin_username}/.ssh/id_rsa
+ - sed -i -E "s/^#Allow 10.0.0.0\/8.*$/Allow 10.0.0.0\/8/" /etc/tinyproxy/tinyproxy.conf
+ - systemctl restart tinyproxy
diff --git a/terraform/azure/azure-instance/stage/dev-westeurope/vm.cloud-init.tpl b/terraform/azure/azure-instance/stage/dev-westeurope/vm.cloud-init.tpl
@@ -8,7 +8,9 @@ repo_upgrade: all
 
 packages:
  - nginx
+ - tinyproxy
  - plocate
+ - dnsutils
  - azure-cli
 
 # cloud-init creates a final script in: /var/lib/cloud/instance/scripts/runcmd
@@ -19,3 +21,5 @@ runcmd:
  - cat /home/${admin_username}/.ssh/id_rsa.pub >> /home/${admin_username}/.ssh/authorized_keys
  - 'chown ${admin_username}:${admin_username} /home/${admin_username}/.ssh/id_rsa*'
  - chmod 400 /home/${admin_username}/.ssh/id_rsa
+ - sed -i -E "s/^#Allow 10.0.0.0\/8.*$/Allow 10.0.0.0\/8/" /etc/tinyproxy/tinyproxy.conf
+ - systemctl restart tinyproxy
diff --git a/terraform/azure/azure-network-setup/module/bastion.tf b/terraform/azure/azure-network-setup/module/bastion.tf
@@ -41,7 +41,7 @@ resource "azurerm_network_security_group" "bastion" {
     access                     = "Allow"
     protocol                   = "*"
     source_port_range          = "*"
-    destination_port_ranges    = ["8080", "5701"]
+    destination_port_ranges    = ["8080", "5701", "8888"]
     source_address_prefix      = "VirtualNetwork"
     destination_address_prefix = "VirtualNetwork"
   }
@@ -72,13 +72,13 @@ resource "azurerm_network_security_group" "bastion" {
 
 
   security_rule {
-    name                       = "AllowSSHandRDPOutBound"
+    name                       = "AllowSSHandRDPandProxyOutBound"
     priority                   = 110
     direction                  = "Outbound"
     access                     = "Allow"
     protocol                   = "Tcp"
     source_port_range          = "*"
-    destination_port_ranges    = ["22", "3389"]
+    destination_port_ranges    = ["22", "3389", "8888"]
     source_address_prefix      = "*"
     destination_address_prefix = "VirtualNetwork"
   }