Merge pull request #38 from microsoft/nsg-updates

Infra - nsg inbound updates to use optional IP

Author: mswantek68

infra/main.bicep

@@ -37,6 +37,9 @@ param tags object = {}
 @description('Specifies the object id of a Microsoft Entra ID user. In general, this the object id of the system administrator who deploys the Azure resources. This defaults to the deploying user.')
 param userObjectId string = deployer().objectId
 
+@description('Optional IP address to allow access to the jump-box VM. This is necessary to provide secure access to the private VNET via a jump-box VM with Bastion. If not specified, all IP addresses are allowed.')
+param allowedIpAddress string = ''
+
 @description('Specifies if Microsoft APIM is deployed.')
 param apiManagementEnabled bool = false
 
@@ -280,6 +283,7 @@ module network './modules/virtualNetwork.bicep' = if (networkIsolation) {
     natGatewayName: toLower('nat-${name}')
     natGatewayPublicIps: 1
     natGatewayIdleTimeoutMins: 30
+    allowedIpAddress: allowedIpAddress
     workspaceId: logAnalyticsWorkspace.outputs.resourceId
     location: location
     tags: allTags

infra/main.parameters.json

@@ -14,6 +14,9 @@
         "vmSize": {
             "value": "${AZURE_VM_SIZE=Standard_DS4_v2}"
         },
+        "allowedIpAddress": {
+            "value": "${AZURE_ALLOWED_IP_ADDRESS}"
+        },
         "aiModelDeployments": {
             "value": [
                 {

infra/modules/virtualNetwork.bicep

@@ -59,6 +59,9 @@ param natGatewayPublicIps int = 1
 @description('Specifies the idle timeout in minutes for the Azure NAT Gateway.')
 param natGatewayIdleTimeoutMins int = 30
 
+@description('Optional IP address to allow access throught Bastion NSG. If not specified, all IP addresses are allowed.')
+param allowedIpAddress string = ''
+
 @description('Specifies the resource id of the Log Analytics workspace.')
 param workspaceId string
 
@@ -179,7 +182,7 @@ resource bastionSubnetNsg 'Microsoft.Network/networkSecurityGroups@2023-04-01' =
         properties: {
           protocol: 'Tcp'
           sourcePortRange: '*'
-          sourceAddressPrefix: 'Internet'
+          sourceAddressPrefix: empty(allowedIpAddress) ? 'Internet' : allowedIpAddress
           destinationPortRange: '443'
           destinationAddressPrefix: '*'
           access: 'Allow'
@@ -325,34 +328,7 @@ resource vmSubnetNsg 'Microsoft.Network/networkSecurityGroups@2023-04-01' = {
   location: location
   tags: tags
   properties: {
-    securityRules: [
-      {
-        name: 'AllowSshInbound'
-        properties: {
-          priority: 100
-          access: 'Allow'
-          direction: 'Inbound'
-          protocol: 'Tcp'
-          sourcePortRange: '*'
-          destinationPortRange: '22'
-          sourceAddressPrefix: '*'          
-          destinationAddressPrefix: '*'
-        }
-      }
-      {
-        name: 'AllowRDP'
-        properties: {
-          priority: 101
-          access: 'Allow'
-          direction: 'Inbound'
-          protocol: 'Tcp'
-          sourcePortRange: '*'
-          destinationPortRange: '3389'
-          sourceAddressPrefix: '*'
-          destinationAddressPrefix: '*'
-        }
-      }
-    ]
+    securityRules: []
   }
 }