Provisioning the jump server
The jump server is a small Microsoft® Windows® Virtual Server Instance (VSI) deployed in the IBM Cloud® account where the VMware Cloud Foundation for Classic - Automated instance with the Veeam® service is located. The VSI is connected to both the IBM Cloud private and public networks. The public network interface is protected by a security group that restricts Remote Desktop Protocol (RDP) access to a known remote IP address.
The jump server provides graphical access to the Veeam Backup & Replication server, the vCenter Server appliance, and NSX-T Manager. This step includes the following tasks:
- Order a security group to protect the jump server.
- Order a public VSI running Microsoft Windows for the jump server.
Prerequisites
- The IBM Cloud CLI is installed and the required IBM Cloud account is targeted.
- Configuration is done through a laptop that has internet connectivity.
- The user has the required privileges in the IBM Cloud account to order the required components.
Ordering a security group
This task uses the IBM Cloud CLI to order a security group and configures inbound and outbound rules.
- The <jmp_security_group_name> is the required name for the security group, such as sgjump.
- The sgid variable captures the security group ID for use in subsequent commands.
- The myip variable captures the external IP address of your laptop, that is, the public address the internet sees (the NAT address if the laptop is behind one). Check that the captured value is a single IP address before the rule is added.
- The inbound rule allows TCP port 3389 to ingress only from that known internet IP address.
- The outbound rule allows any protocol to egress to any IP address.
- When the jump server VSI is ordered, it is attached to this security group.
export sgname=<jmp_security_group_name>
ibmcloud sl securitygroup create --name $sgname --description "Allow RDP from known external IP address"
# Look the new group up by name; the jq filter reads the sgname variable from the environment
export sgid=$(ibmcloud sl securitygroup list --output json | jq -r '.[] | select(.name==env.sgname) | .id')
# Public address of the laptop as seen from the internet
export myip=$(curl -s ifconfig.me)
ibmcloud sl securitygroup rule-add $sgid --remote-ip $myip --direction ingress --port-max 3389 --port-min 3389 --protocol tcp
ibmcloud sl securitygroup rule-add $sgid --remote-ip 0.0.0.0/0 --direction egress
ibmcloud sl securitygroup rule-list $sgid
Ordering a public VSI
The jump server host is a small Microsoft Windows Server 2019 public VSI:
- The ibmcloud sl vlan list and ibmcloud sl subnet list commands need to be run first so that the IDs of the public and private VLANs and the primary subnets are captured for use in the ordering process.
- The <js_hostname> is the required hostname for the jump server, such as winjs01.
- The <root_domain> is the required domain name, such as the matching root-domain name of your VCF for Classic - Automated instance.
- The Windows server is ordered with 2 vCPU and 4 GB RAM.
- The <dc_code> is the code for the data center in which the VSI is provisioned, such as DAL10.
- The <public_vlan_number> and <private_vlan_number> are the VLAN numbers of the required public and private VLANs previously captured. The vlan list --number filter must match exactly one VLAN each; if it matches several, the captured ID variable contains more than one ID and the order fails.
- The --os WIN_LATEST_64 switch currently installs Windows Server 2019.
- The --disk 100 --san switches order a 100 GB SAN disk.
- The --network 1000 switch orders a 1 Gb NIC for the public and private networks.
- The --public-security-group $sgid switch connects the VSI to the security group ordered previously, whose ID was captured in the variable $sgid.
export hostname=<js_hostname>
export domain=<root_domain>
export vcpu=2
export mem=4096
export dc=<dc_code>
export pubvlan=<public_vlan_number>
export privlan=<private_vlan_number>
export privlanid=$(ibmcloud sl vlan list --number $privlan --output json | jq --raw-output '.[] | .id')
export pubvlanid=$(ibmcloud sl vlan list --number $pubvlan --output json | jq --raw-output '.[] | .id')
ibmcloud sl vs create --hostname $hostname --domain $domain --cpu $vcpu --memory $mem --datacenter $dc --os WIN_LATEST_64 --disk 100 --san --network 1000 --vlan-public $pubvlanid --vlan-private $privlanid --public-security-group $sgid
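Two of the values captured in this step are security sensitive: the --remote-ip of the RDP ingress rule comes straight from curl ifconfig.me, and the VLAN IDs passed to ibmcloud sl vs create come from a jq filter that prints one ID per matching VLAN. If curl returns an empty string or an HTML error page, or the --number filter matches zero or several VLANs, the commands above fail in confusing ways or place the server where it was not intended. The following POSIX shell script is an added example and is not part of the IBM Cloud documentation or CLI: it validates those captured values before they are used and prints the rule-add command it would run instead of executing it, so it runs offline. The IP addresses (from the 203.0.113.0/24 documentation range), the security group ID 123456 and the VLAN IDs are constructed sample data, and the script assumes that --remote-ip accepts a /32 CIDR.

```shell
#!/bin/sh
# Added example, not from the IBM Cloud docs: validate the values captured into
# $myip and $privlanid/$pubvlanid before they reach `ibmcloud sl`. Runs offline;
# the ibmcloud command lines are printed, not executed. Constructed sample data
# only (203.0.113.0/24 is a documentation range; 123456 is a made-up group ID).

# is_ipv4 ADDR: succeed only for a single dotted-quad IPv4 address (each octet
# 0-255). An empty string, an HTML error page from the IP-lookup service, or a
# CIDR such as 0.0.0.0/0 all fail, so they can never become the RDP source.
is_ipv4() {
  case $1 in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  old_ifs=$IFS
  IFS=.
  set -- $1
  IFS=$old_ifs
  [ "$#" -eq 4 ] || return 1
  for octet in "$@"; do
    [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# ingress_cidr ADDR: print ADDR/32 for a valid address, otherwise print a
# diagnostic and fail. Assumes --remote-ip accepts CIDR notation.
ingress_cidr() {
  if ! is_ipv4 "$1"; then
    printf "refusing to use '%s' as the RDP source address\n" "$1" >&2
    return 1
  fi
  printf '%s/32\n' "$1"
}

# rdp_rule_args SGID ADDR: print the exact rule-add command for TCP/3389 from
# ADDR/32 into security group SGID. Fails (prints nothing) on a bad address.
rdp_rule_args() {
  cidr=$(ingress_cidr "$2") || return 1
  printf 'ibmcloud sl securitygroup rule-add %s --remote-ip %s --direction ingress --port-max 3389 --port-min 3389 --protocol tcp\n' "$1" "$cidr"
}

# single_vlan_id IDS: IDS is what `jq --raw-output '.[] | .id'` printed for one
# `ibmcloud sl vlan list --number N` call. Accept it only if it is exactly one
# numeric ID; zero or several IDs mean N did not identify one VLAN.
single_vlan_id() {
  set -- $1
  if [ "$#" -ne 1 ]; then
    printf 'expected exactly one VLAN ID, got %s\n' "$#" >&2
    return 1
  fi
  case $1 in
    *[!0-9]*) printf "VLAN ID '%s' is not numeric\n" "$1" >&2; return 1 ;;
  esac
  printf '%s\n' "$1"
}

# Offline demonstration with constructed values.
demo_sgid=123456
for candidate in 203.0.113.7 '' 999.0.113.7 0.0.0.0/0; do
  if cmd=$(rdp_rule_args "$demo_sgid" "$candidate"); then
    printf 'would run: %s\n' "$cmd"
  fi
done
for ids in '2345678' '2345678 2345679'; do
  if id=$(single_vlan_id "$ids"); then
    printf 'VLAN ID accepted: %s\n' "$id"
  fi
done
```

To wire this into the procedure, replace the direct use of $myip with `cidr=$(ingress_cidr "$myip") || exit 1` before the ingress rule-add, and wrap each VLAN capture as `privlanid=$(single_vlan_id "$(ibmcloud sl vlan list --number $privlan --output json | jq --raw-output '.[] | .id')") || exit 1`, so a bad lookup stops the script rather than producing a rule or a placement that was not intended.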