add bastion host to connect to jumpbox without exporting port 22 to internet#1082
Merged: zqingqing1 merged 13 commits into main on Mar 4, 2026
Conversation
… from the bastion host" This reverts commit 2b70751.
Pull request overview
This PR updates the Azure “jumpbox” connectivity model to avoid requiring inbound TCP/22 from the public internet by optionally provisioning Azure Bastion (tunneling over 443) and updating pipeline SSH/SCP steps to use Bastion tunnels when available.
Changes:
- Provision an optional Azure Bastion host when a VNet includes an AzureBastionSubnet, and adjust network module typing to allow NICs without public IPs.
- Update SSH execution templates and Karpenter/ClusterLoader2 topology steps to prefer Bastion tunneling (fallback to direct SSH when Bastion/public IP exists).
- Update scenario/docs to add the Bastion subnet and to document restricting SSH NSG rules to the AzureBastionSubnetCIDR.
Reviewed changes
Copilot reviewed 12 out of 12 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| steps/topology/karpenter-private-cluster/validate-resources.yml | Discovers jumpbox VM + Bastion and uses Bastion tunnels for SSH/SCP. |
| steps/ssh/start-bastion-tunnel.yml | New helper step to start/reuse a Bastion tunnel and publish tunnel vars. |
| steps/ssh/stop-bastion-tunnel.yml | New helper step to stop a previously started Bastion tunnel. |
| steps/ssh/run-command.yml | Adds Bastion-aware SSH execution (tunnel to localhost when configured). |
| steps/engine/clusterloader2/autoscale/execute_jumpbox.yml | Uses Bastion tunneling for uploads/commands/downloads when jumpbox is private. |
| steps/engine/clusterloader2/autoscale/cleanup.yml | Updates cleanup routing (local vs jumpbox) and stops Bastion tunnel. |
| scenarios/perf-eval/nap-complex/terraform-inputs/azure.tfvars | Adds AzureBastionSubnet, restricts SSH rule source, and adjusts subnet sizing. |
| modules/terraform/azure/virtual-machine/README.md | Documents restricting SSH ingress when using Azure Bastion. |
| modules/terraform/azure/network/variables.tf | Makes NIC public_ip_name optional. |
| modules/terraform/azure/network/main.tf | Handles optional/empty public_ip_name safely when wiring public IPs. |
| modules/terraform/azure/main.tf | Provisions Azure Bastion + Public IP when AzureBastionSubnet is present. |
| docs/templates/azure.tfvars | Notes not to use * as SSH source when using Bastion. |
xinWeiWei24 reviewed Mar 3, 2026
xinWeiWei24 reviewed Mar 3, 2026
xinWeiWei24 reviewed Mar 3, 2026
xinWeiWei24 approved these changes Mar 3, 2026
NRMS will apply security admin rules to block port 22 from internet access. To comply with this security policy, in this PR we will use the Azure Bastion host service, which connects over 443 to establish the tunnel, then SSH from the tunnel, which will connect to the jumpbox on port 22.
Test passed: https://dev.azure.com/akstelescope/telescope/_build/results?buildId=56128&view=results
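The tunnel-then-SSH flow the description outlines, as an added example that is not the repository's own step template: a shell helper that starts an Azure Bastion tunnel to the jumpbox, routes SSH through localhost (falling back to direct SSH only when the VM still has a public IP), and rejects NSG rule sources that would keep port 22 open to the internet. The environment variable names, the /tmp paths and the SSH user are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not the repo's own pipeline step. Assumes the az CLI with the
# bastion extension; resource names come from (assumed) environment variables.
set -eu
# Reject NSG SSH rule sources that expose port 22 to the whole internet.
# Returns 0 for an acceptable source (e.g. the AzureBastionSubnet CIDR), 1 otherwise.
ssh_rule_source_ok() {
  case "$1" in
    '*'|Internet|0.0.0.0/0|::/0) return 1 ;;
    *) return 0 ;;
  esac
}
# Prefer the Bastion tunnel on localhost; direct SSH only when a public IP exists. Prints host:port.
ssh_endpoint() {
  local bastion="$1" public_ip="$2" local_port="$3"
  if [ -n "$bastion" ]; then
    echo "127.0.0.1:${local_port}"
  elif [ -n "$public_ip" ]; then
    echo "${public_ip}:22"
  else
    echo "no Bastion and no public IP: jumpbox is unreachable" >&2
    return 1
  fi
}
# Start the tunnel in the background and wait for the local listener. Args: rg bastion vm_id local_port
start_bastion_tunnel() {
  az network bastion tunnel --resource-group "$1" --name "$2" \
    --target-resource-id "$3" --resource-port 22 --port "$4" >/tmp/bastion-tunnel.log 2>&1 &
  echo $! >/tmp/bastion-tunnel.pid
  i=0
  while [ "$i" -lt 30 ]; do
    if (exec 3<>"/dev/tcp/127.0.0.1/$4") 2>/dev/null; then return 0; fi  # bash-only probe
    i=$((i + 1)); sleep 1
  done
  echo "tunnel did not come up; see /tmp/bastion-tunnel.log" >&2
  return 1
}
stop_bastion_tunnel() {
  [ -f /tmp/bastion-tunnel.pid ] && kill "$(cat /tmp/bastion-tunnel.pid)" 2>/dev/null || true
  rm -f /tmp/bastion-tunnel.pid
}
# Usage: runs only when the (assumed) pipeline variables are set.
if [ -n "${BASTION_NAME:-}" ]; then
  port="${LOCAL_PORT:-50022}"
  start_bastion_tunnel "$RESOURCE_GROUP" "$BASTION_NAME" "$JUMPBOX_VM_ID" "$port"
  ep="$(ssh_endpoint "$BASTION_NAME" "" "$port")"
  ssh -o StrictHostKeyChecking=accept-new -p "${ep##*:}" "${SSH_USER:-azureuser}@${ep%%:*}" hostname
  stop_bastion_tunnel
fi
```

Set RESOURCE_GROUP, BASTION_NAME and JUMPBOX_VM_ID (the VM's full resource ID) to run the usage block; scp works the same way against the printed host:port.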