How do I restrict inbound SSH traffic to a Virtual Machine?
In this guide, we will create an Azure Virtual Machine (VM) and restrict inbound SSH traffic using a Network Security Group (NSG). The NSG will be configured to allow SSH access only from a specific IP address range.
Key Points:
- Create an Azure Virtual Machine.
- Create a Network Security Group (NSG).
- Define an NSG rule to allow SSH traffic from a specific IP range.
- Associate the NSG with the VM’s network interface.
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure-native";

// Read the admin password from encrypted stack configuration instead of
// hardcoding it in source. Set it with:
//   pulumi config set --secret adminPassword <value>
const config = new pulumi.Config();
const adminPassword = config.requireSecret("adminPassword");

// Create an Azure Resource Group
const resourceGroup = new azure.resources.ResourceGroup("resourceGroup", {
    location: "WestUS",
});

// Create a Virtual Network
const virtualNetwork = new azure.network.VirtualNetwork("virtualNetwork", {
    resourceGroupName: resourceGroup.name,
    location: resourceGroup.location,
    addressSpace: { addressPrefixes: ["10.0.0.0/16"] },
});

// Create a Subnet
const subnet = new azure.network.Subnet("subnet", {
    resourceGroupName: resourceGroup.name,
    virtualNetworkName: virtualNetwork.name,
    addressPrefix: "10.0.1.0/24",
});

// Create a Network Security Group with a single inbound rule:
// allow TCP port 22 only from the given source range.
const networkSecurityGroup = new azure.network.NetworkSecurityGroup("networkSecurityGroup", {
    resourceGroupName: resourceGroup.name,
    location: resourceGroup.location,
    securityRules: [{
        name: "AllowSSH",
        priority: 1000,
        direction: "Inbound",
        access: "Allow",
        protocol: "Tcp",
        sourcePortRange: "*",
        destinationPortRange: "22",
        sourceAddressPrefix: "203.0.113.0/24", // Replace with your IP range
        destinationAddressPrefix: "*",
    }],
});

// Create a Public IP
const publicIp = new azure.network.PublicIPAddress("publicIp", {
    resourceGroupName: resourceGroup.name,
    location: resourceGroup.location,
    publicIPAllocationMethod: "Dynamic",
});

// Create a Network Interface and attach the NSG to it
const networkInterface = new azure.network.NetworkInterface("networkInterface", {
    resourceGroupName: resourceGroup.name,
    location: resourceGroup.location,
    ipConfigurations: [{
        name: "ipConfig",
        subnet: { id: subnet.id },
        privateIPAllocationMethod: "Dynamic",
        publicIPAddress: { id: publicIp.id },
    }],
    networkSecurityGroup: { id: networkSecurityGroup.id },
});

// Create a Virtual Machine
const vm = new azure.compute.VirtualMachine("virtualMachine", {
    resourceGroupName: resourceGroup.name,
    location: resourceGroup.location,
    networkProfile: {
        networkInterfaces: [{ id: networkInterface.id }],
    },
    hardwareProfile: {
        vmSize: "Standard_B1s",
    },
    osProfile: {
        computerName: "hostname",
        adminUsername: "adminuser",
        adminPassword: adminPassword, // secret from stack config, see top of file
    },
    storageProfile: {
        imageReference: {
            publisher: "Canonical",
            offer: "UbuntuServer",
            sku: "18.04-LTS",
            version: "latest",
        },
        osDisk: {
            createOption: "FromImage",
        },
    },
});
```
Summary
In this guide, we created an Azure Virtual Machine and restricted inbound SSH traffic using a Network Security Group (NSG). The NSG was configured to allow SSH access only from a specific IP address range and associated with the VM’s network interface. This ensures that only authorized IP addresses can access the VM via SSH.
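To check what the AllowSSH rule actually permits, the following added example (not part of the original guide or of Pulumi's code) evaluates inbound rules for port 22 in priority order, including the fall-through to Azure's default rules. The helper names are hypothetical, the tested source addresses are constructed, and the VirtualNetwork default rule is approximated by the guide's 10.0.0.0/16 address space.

```typescript
// Added example: evaluates inbound NSG rules for TCP port 22.
// Rule fields mirror the guide's securityRules; helper names are hypothetical.
interface Rule {
    name: string; priority: number; direction: string; access: string;
    protocol: string; destinationPortRange: string; sourceAddressPrefix: string;
}

// Dotted-quad IPv4 address to an unsigned 32-bit number.
const ipToInt = (ip: string): number =>
    ip.split(".").reduce((acc, octet) => acc * 256 + Number(octet), 0);

// True when ip is inside prefix: "*", a single address, or CIDR notation.
// Named service tags are not resolved here and never match.
function inPrefix(prefix: string, ip: string): boolean {
    if (prefix === "*") return true;
    const [base, bits = "32"] = prefix.split("/");
    const size = Math.pow(2, 32 - Number(bits));
    return Math.floor(ipToInt(ip) / size) === Math.floor(ipToInt(base) / size);
}

// True when port is covered by "*", a single port ("22") or a range ("20-25").
function portCovers(range: string, port: number): boolean {
    if (range === "*") return true;
    const parts = range.split("-").map(Number);
    return port >= parts[0] && port <= (parts[1] ?? parts[0]);
}

// Lowest priority number wins. If no custom rule matches, Azure's default
// rules apply: AllowVnetInBound (65000) for sources inside the virtual
// network (approximated by vnetPrefix), then DenyAllInBound (65500).
function sshDecision(rules: Rule[], sourceIp: string, vnetPrefix: string): string {
    const ordered = rules
        .filter(r => r.direction === "Inbound" && (r.protocol === "Tcp" || r.protocol === "*"))
        .sort((a, b) => a.priority - b.priority);
    for (const r of ordered) {
        if (portCovers(r.destinationPortRange, 22) && inPrefix(r.sourceAddressPrefix, sourceIp)) {
            return `${r.access}:${r.name}`;
        }
    }
    return inPrefix(vnetPrefix, sourceIp) ? "Allow:AllowVnetInBound" : "Deny:DenyAllInBound";
}

// Rule copied from the guide; the source addresses passed in are constructed.
const guideRules: Rule[] = [{
    name: "AllowSSH", priority: 1000, direction: "Inbound", access: "Allow", protocol: "Tcp",
    destinationPortRange: "22", sourceAddressPrefix: "203.0.113.0/24",
}];
```

For a source such as 10.0.1.5 the result is `Allow:AllowVnetInBound`: the default rule still lets other hosts in the virtual network reach port 22 unless a Deny rule with a priority number below 65000 is added.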