Automate zero-trust security for your Azure resources using Terraform and Banyan

Use Banyan's short-lived cryptographic credentials to connect to your Azure resources and enforce zero-trust access control policies.

  • Updated on May 04, 2023

Overview

Terraform is an open-source infrastructure as code software tool that enables you to safely and predictably create, change, and improve infrastructure. DevOps teams use Terraform to manage cloud resources in Microsoft Azure using the Terraform Azure Provider.

This solution guide shows how you can use Terraform and Banyan to automate provisioning access to your Azure resources. Banyan enables you to roll out a zero-trust security model using short-lived cryptographic credentials.

The code samples used in this guide are available via the Banyan Security GitHub repo.

Approach

With Banyan, your architecture is as follows:

The Banyan data plane (i.e., the Self-hosted Private Edge or Global Edge Network) functions as a reverse proxy through which you can access your Azure resources, thus terminating TLS, enforcing security policies, and forwarding traffic to the appropriate Azure resources.

Terraform uses the APIs provided by the Azure Console and the Banyan Cloud Command Center to automate the deployment of Azure resources and to publish services for your end users.

Note: The solution guide below assumes you’re using Banyan’s Global Edge Network deployment model. If you’re using the Private Edge deployment model with Self-hosted Private Edges, this guide still applies; however, you have to modify the steps below to use a Self-hosted Private Edge instead of a Connector.

Prerequisites

To run this guide, you’ll need the following:

  1. Azure account with credentials
  2. An SSH key-pair for authentication into Linux VMs
  3. Terraform CLI 0.14.9+, configured for Azure provisioning
  4. Banyan account and admin API key, and a device with the Banyan Desktop App installed (free with Banyan’s Team Edition)

For detailed instructions on how to set these prerequisites up, visit the Prerequisites Details section in the GitHub repo.

Steps

Now, let’s dive into how you can grant secure access to your Azure resources with Terraform and Banyan in three steps:

  1. Verify the prerequisites
  2. Provision the Azure resources
  3. Access your Azure resources using the Banyan app

Step 1. Verify the prerequisites

Start by verifying that you have credentials to manage your Azure resources:

$> az vm list

Also, confirm that Terraform has been installed on your device correctly:

$> terraform -version

Then, launch the Banyan app and ensure you can log in.

Step 2. Provision the Azure resources

Clone the GitHub repo with the Terraform code for this guide, and navigate to the folder:

$> git clone https://github.com/banyansecurity/demo-terraform-azure
$> cd demo-terraform-azure

Initialize the project, which will download the plugins that allow Terraform to interact with Azure and Banyan:

$> terraform init

Edit the locals.tf file with details from your environment.

locals {
  name_prefix = "bnn-demo-azure"

  region = "westus3"
  ssh_key_path = "~/.ssh/id_rsa.pub"

  banyan_host = "https://team.console.banyanops.com/"
  banyan_api_key = "YOUR_BANYAN_API_KEY"
  banyan_org = "YOUR_BANYAN_ORG"
}

Provision the resources using apply. When Terraform asks you to confirm, enter yes and then press ENTER.

$> terraform apply

Provisioning can be divided into six steps:

  1. Network - a new Resource Group with a virtual network and subnet
  2. Database - an Azure Database for MySQL instance
  3. Application - a VM instance that runs a demo website container
  4. Banyan Connector - deploy a VM instance with the connector to create an outbound connection to the Banyan Global Edge network, so you can manage access to your Azure environment
  5. Banyan Policies - create a few roles and policies to establish which users and devices can access your Azure environment
  6. Banyan Services - publish the services that are deployed in your Azure environment for your end users

The first three steps get you a basic yet representative Azure environment. The last three steps set up Banyan to provide secure remote access to this environment.
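Because the whole model depends on the VM and database being reachable only through the Banyan edge, it is worth checking the result of terraform apply before moving on. The following script is an added example, not code from the Banyan demo repository: it walks the JSON that `terraform show -json` emits and flags a NIC with a public IP, a MySQL server with public network access left on, or an NSG rule that allows inbound traffic from anywhere. It assumes the database is an `azurerm_mysql_server` resource; the attribute names are the azurerm provider's, and the embedded sample state is constructed for illustration.

```python
# Flag Azure resources in `terraform show -json` output that are reachable from the public
# internet. Added example, not the demo repo's code; attribute names are the azurerm provider's.
import json
import sys

OPEN_PREFIXES = {"*", "Internet", "0.0.0.0/0"}

def iter_resources(module):
    """Walk the root module and every nested child module of the state document."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)

def find_public_exposure(state):
    """Return one finding string per exposed resource; an empty list means all private."""
    findings = []
    for res in iter_resources(state["values"]["root_module"]):
        addr, vals = res["address"], res.get("values", {})
        if res["type"] == "azurerm_network_interface":
            # A NIC with a public IP can be reached without going through the Banyan edge.
            for cfg in vals.get("ip_configuration", []):
                if cfg.get("public_ip_address_id"):
                    findings.append(f"{addr}: NIC has a public IP")
        elif res["type"] == "azurerm_mysql_server":
            # The provider defaults this to enabled, so a missing attribute counts as exposed.
            if vals.get("public_network_access_enabled", True):
                findings.append(f"{addr}: MySQL public network access enabled")
        elif res["type"] == "azurerm_network_security_group":
            for rule in vals.get("security_rule", []):
                if (rule.get("direction") == "Inbound" and rule.get("access") == "Allow"
                        and rule.get("source_address_prefix") in OPEN_PREFIXES):
                    findings.append(f"{addr}: rule '{rule.get('name')}' allows inbound from anywhere")
    return findings

# Constructed sample: connector NIC on a private IP only, a private MySQL server,
# and an NSG rule that mistakenly opens SSH to the whole internet.
SAMPLE_STATE = {"format_version": "1.0", "values": {"root_module": {"resources": [
    {"address": "azurerm_network_interface.connector", "type": "azurerm_network_interface",
     "values": {"ip_configuration": [{"private_ip_address": "10.0.1.4", "public_ip_address_id": None}]}},
    {"address": "azurerm_mysql_server.db", "type": "azurerm_mysql_server",
     "values": {"public_network_access_enabled": False}},
    {"address": "azurerm_network_security_group.app", "type": "azurerm_network_security_group",
     "values": {"security_rule": [{"name": "ssh-in", "direction": "Inbound", "access": "Allow",
                                   "destination_port_range": "22", "source_address_prefix": "*"}]}},
]}}}

if __name__ == "__main__":  # usage: terraform show -json > state.json && python check.py state.json
    state = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_STATE
    for line in find_public_exposure(state) or ["OK: no publicly reachable resources"]:
        print(line)
```

Run against the real state after apply; an empty result confirms that the only path into the environment is the Connector's outbound connection to the Banyan edge.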

Step 3. Access your Azure resources using the Banyan app

All of your deployed Azure resources - VM and Database - are in a private subnet with private IPs. They cannot be directly reached from the public internet.

To access your Azure resources from your device, open the Banyan app and select a service to connect to it.

Selecting “Open” on your web application bnn-demo-azure-web will launch a new browser tab and take you to the demo site after authentication.

To SSH into the Linux server, select “Connect” on the SSH service bnn-demo-azure-ssh. Then, run the SSH command with your SSH key as the credential:

ssh -i PATH_TO_SSH_KEY adminuser@bnn-demo-azure-ssh

To access your Azure Database instance, select “Connect” on the DB service bnn-demo-azure-db. Then, start your preferred MySQL client and connect to your database at 127.0.0.1:8811, using the credentials (banyan@bnn-demo-azure-db, insecure123!@#) we configured via Terraform:

mysql --host=127.0.0.1 --port=8811 --user='banyan@bnn-demo-azure-db' --password='insecure123!@#'

Behind the scenes, Banyan uses short-lived cryptographic credentials to connect you to your Azure resources and a zero-trust security model to enforce access control policies.

Summary

In this guide, you completed the following:

  1. Provisioned a basic yet representative Azure environment using Terraform. You created a new Resource Group with a subnet, an Azure Database instance, and a VM instance that runs a demo website container.
  2. Deployed the Banyan Connector and created Policies using Terraform. You connected your Azure environment to Banyan so you can manage access via roles and policies, establishing which users and devices can access your resources.
  3. Published Services for your end users using Terraform. You set up Banyan to provide secure remote access to this environment.
