Azure Arc-enabled Kubernetes MicroHack: comprehensive fixes and improvements

03-Azure/01-03-Infrastructure/03_Hybrid_Azure_Arc_Kubernetes/Readme.md

@@ -8,7 +8,7 @@
 * [**Objectives**](#objectives)
 * [**General Prerequisites**](#general-prerequisites)
 * [**MicroHack Challenges**](#microhack-challenges)
-  * [Challenge 01 - Onboarding your Kubernetes Cluster](challenges/challenge-01.md))
+  * [Challenge 01 - Onboarding your Kubernetes Cluster](challenges/challenge-01.md)
   * [Challenge 02 - Enable Azure Monitor for Containers](challenges/challenge-02.md)
   * [Challenge 03 - Deploy CPU based Large & Small Language Models (LLM/SLM) on Azure Arc-enabled Kubernetes](challenges/challenge-03.md)
   * [Challenge 04 - Deploy SQL Managed Instance](challenges/challenge-04.md)

03-Azure/01-03-Infrastructure/03_Hybrid_Azure_Arc_Kubernetes/challenges/challenge-01.md

@@ -7,7 +7,7 @@ In challenge 1 you will connect/onboard your existing K8s cluster to Azure Arc.
 * Verify all prerequisites are in place
   * Resource Providers
   * Azure CLI extensions
-  * Resource group (Name: mh-arc-k8s-<xy>)
+  * Resource group (Name: <xy>-k8s-arc)
   * Connectivity to required Azure endpoints
 * Deploy the Azure Arc agent pods to your k8s cluster
 * Assign permissions to view k8s resources in the Azure portal
@@ -18,13 +18,14 @@ In challenge 1 you will connect/onboard your existing K8s cluster to Azure Arc.
 
 ## Learning Resources
 * (https://learn.microsoft.com/en-us/azure/azure-arc/kubernetes/overview)
-* (https://learn.microsoft.com/en-us/azure/azure-arc/kubernetes/quickstart-connect-cluster?tabs=azure-cli)
+* (https://learn.microsoft.com/en-us/azure/azure-arc/kubernetes/quickstart-connect-cluster)
 * (https://learn.microsoft.com/en-us/azure/azure-arc/kubernetes/cluster-connect)
+* (https://learn.microsoft.com/en-us/azure/azure-arc/kubernetes/arc-gateway-simplify-networking)
 * (https://learn.microsoft.com/en-us/azure/azure-arc/kubernetes/azure-rbac)
 * (https://learn.microsoft.com/en-us/azure/azure-arc/kubernetes/kubernetes-resource-view)
 * (https://learn.microsoft.com/en-us/cli/azure/connectedk8s?view=azure-cli-latest)
 
 ## Solution - Spoilerwarning
-[Solution Steps](../walkthroughs/challenge-01/solution.md)
+[Solution Steps](../walkthrough/challenge-01/solution.md)
 
 [Next challenge](challenge-02.md) | [Back](../Readme.md)

03-Azure/01-03-Infrastructure/03_Hybrid_Azure_Arc_Kubernetes/challenges/challenge-02.md

@@ -32,6 +32,6 @@ All telemetry, logs, and security signals generated by these services flow into
 * https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-containers-arc-enable-programmatically
 
 ## Solution - Spoilerwarning
-[Solution Steps](../walkthroughs/challenge-02/solution.md)
+[Solution Steps](../walkthrough/challenge-02/solution.md)
 
 [Next challenge](challenge-03.md) | [Back](../Readme.md)

03-Azure/01-03-Infrastructure/03_Hybrid_Azure_Arc_Kubernetes/challenges/challenge-03.md

@@ -20,6 +20,6 @@ In challenge 3 you will deploy a LLM/SLM to your Azure Arc-enabled Kubernetes Cl
 * (https://github.com/kaito-project/kaito) GPU Based LLM/SLM
 
 ### Solution - Spoilerwarning
-[Solution Steps](../walkthroughs/challenge-03/solution.md)
+[Solution Steps](../walkthrough/challenge-03/solution.md)
 
 [Next challenge](challenge-04.md) | [Back](../Readme.md)

03-Azure/01-03-Infrastructure/03_Hybrid_Azure_Arc_Kubernetes/challenges/challenge-04.md

@@ -25,6 +25,6 @@ In challenge 4 you will deploy Azure Arc-enabled Data Services to your cluster a
 * [Azure Arc Data Controller deployment](https://learn.microsoft.com/en-us/azure/azure-arc/data/create-data-controller)
 
 ## Solution - Spoilerwarning
-[Solution Steps](../walkthroughs/challenge-04/solution.md)
+[Solution Steps](../walkthrough/challenge-04/solution.md)
 
 [Next challenge](challenge-05.md) | [Back](../Readme.md)

03-Azure/01-03-Infrastructure/03_Hybrid_Azure_Arc_Kubernetes/challenges/challenge-05.md

@@ -21,6 +21,6 @@ Configure GitOps with Flux for cluster management. In this microhack we chose to
 * [Flux documentation - Get started](https://fluxcd.io/docs/get-started/)
 
 ## Solution - Spoilerwarning
-[Solution Steps](../walkthroughs/challenge-05/solution.md)
+[Solution Steps](../walkthrough/challenge-05/solution.md)
 
-[Next challenge](challenge-06.md) | [Back](../Readme.md)
+[Back](../Readme.md)

03-Azure/01-03-Infrastructure/03_Hybrid_Azure_Arc_Kubernetes/lab/ansible/.gitignore

@@ -0,0 +1,4 @@
+# Generated by Terraform — environment-specific
+inventory.yml
+open-bastion-tunnels.sh
+.bastion-tunnel-pids

03-Azure/01-03-Infrastructure/03_Hybrid_Azure_Arc_Kubernetes/lab/ansible/inventory.yml.tpl

@@ -0,0 +1,19 @@
+# Ansible connects via Bastion tunnels to localhost with per-VM ports.
+# Run open-bastion-tunnels.sh BEFORE running the playbook.
+all:
+  children:
+    workstations:
+      hosts:
+%{ for i, idx in indices ~}
+        workstation-${format("%02d", idx)}:
+          ansible_host: 127.0.0.1
+          ansible_winrm_port: ${55986 + i}
+          bastion_vm_id: ${workstation_vm_ids[i]}
+          private_ip: ${workstation_ips[i]}
+%{ endfor ~}
+      vars:
+        ansible_user: ${admin_user}
+        ansible_connection: winrm
+        ansible_winrm_scheme: https
+        ansible_winrm_transport: basic
+        ansible_winrm_server_cert_validation: ignore

03-Azure/01-03-Infrastructure/03_Hybrid_Azure_Arc_Kubernetes/lab/ansible/open-bastion-tunnels.sh.tpl

@@ -0,0 +1,56 @@
+#!/bin/bash
+# Auto-generated by Terraform — opens Bastion tunnels for all workstations.
+# Each tunnel forwards remote WinRM port 5986 to a unique local port.
+# Run this BEFORE running the Ansible playbook.
+#
+# Usage: ./open-bastion-tunnels.sh
+# Stop:  ./open-bastion-tunnels.sh --stop
+
+set -e
+
+BASTION_NAME="${bastion_name}"
+BASTION_RG="${bastion_rg}"
+PIDS_FILE="$(dirname "$0")/.bastion-tunnel-pids"
+
+if [[ "$1" == "--stop" ]]; then
+  echo "Stopping Bastion tunnels..."
+  # Kill tracked PIDs
+  if [[ -f "$PIDS_FILE" ]]; then
+    while read -r pid; do
+      kill "$pid" 2>/dev/null && echo "  Stopped tunnel (PID $pid)" || true
+    done < "$PIDS_FILE"
+    rm -f "$PIDS_FILE"
+  fi
+  # Also kill any orphaned bastion tunnel processes for this bastion
+  pkill -f "az network bastion tunnel --name $BASTION_NAME" 2>/dev/null && echo "  Cleaned up orphaned tunnel processes" || true
+  exit 0
+fi
+
+# Kill any leftover tunnels before starting new ones
+pkill -f "az network bastion tunnel --name $BASTION_NAME" 2>/dev/null || true
+sleep 1
+
+echo "Opening Bastion tunnels (Bastion: $BASTION_NAME in $BASTION_RG)..."
+echo ""
+
+> "$PIDS_FILE"
+
+%{ for i, idx in indices ~}
+echo "  workstation-${format("%02d", idx)}: localhost:${55986 + i} -> ${workstation_ips[i]}:5986"
+az network bastion tunnel \
+    --name "$BASTION_NAME" \
+    --resource-group "$BASTION_RG" \
+    --target-resource-id "${workstation_vm_ids[i]}" \
+    --resource-port 5986 \
+    --port ${55986 + i} &
+echo $! >> "$PIDS_FILE"
+
+%{ endfor ~}
+
+echo ""
+echo "All tunnels started. Waiting for tunnels to establish..."
+sleep 10
+echo "Ready. Run the Ansible playbook now:"
+echo "  ansible-playbook -i inventory.yml playbook-workstation.yml --extra-vars \"ansible_password=<password>\""
+echo ""
+echo "To stop tunnels later: $0 --stop"

03-Azure/01-03-Infrastructure/03_Hybrid_Azure_Arc_Kubernetes/lab/ansible/playbook-workstation.yml

@@ -0,0 +1,124 @@
+---
+# Ansible playbook to configure Windows 11 workstation VMs with all
+# MicroHack prerequisites: VS Code, Git, WSL2 + Ubuntu, Azure CLI,
+# kubectl, and Helm.
+#
+# Usage:
+#   ansible-galaxy collection install -r requirements.yml
+#   ./open-bastion-tunnels.sh
+#   ansible-playbook -i inventory.yml playbook-workstation.yml \
+#       --extra-vars "ansible_password=<admin_password>"
+#   ./open-bastion-tunnels.sh --stop
+
+- name: Configure Windows 11 Workstation for MicroHack
+  hosts: workstations
+  gather_facts: true
+
+  tasks:
+    # ── Windows tools via Chocolatey ──────────────────────────────────
+
+    - name: Install Git
+      chocolatey.chocolatey.win_chocolatey:
+        name: git
+        state: present
+
+    - name: Install Visual Studio Code
+      chocolatey.chocolatey.win_chocolatey:
+        name: vscode
+        state: present
+        package_params: "/NoDesktopIcon"
+
+    - name: Install VS Code WSL extension
+      ansible.windows.win_command: cmd /c code --install-extension ms-vscode-remote.remote-wsl
+      register: vscode_wsl_ext
+      changed_when: "'was successfully installed' in vscode_wsl_ext.stdout"
+      failed_when: false
+
+    # ── Install WSL2 + Ubuntu ────────────────────────────────────────
+    # On Win11 24H2 the in-box wsl.exe is a stub that requires Store
+    # install (which fails in non-interactive WinRM sessions).
+    # Use Chocolatey to install the WSL2 kernel and Ubuntu distro.
+
+    - name: Create temp directory on Windows
+      ansible.windows.win_file:
+        path: C:\Temp
+        state: directory
+
+    - name: Enable VirtualMachinePlatform feature
+      ansible.windows.win_optional_feature:
+        name: VirtualMachinePlatform
+        state: present
+      register: vm_platform
+
+    - name: Enable Microsoft-Windows-Subsystem-Linux feature
+      ansible.windows.win_optional_feature:
+        name: Microsoft-Windows-Subsystem-Linux
+        state: present
+      register: wsl_feature
+
+    - name: Reboot after enabling WSL features
+      ansible.windows.win_reboot:
+        reboot_timeout: 600
+      when: wsl_feature.reboot_required | default(false) or
+            vm_platform.reboot_required | default(false)
+
+    - name: Install WSL2 via Chocolatey
+      chocolatey.chocolatey.win_chocolatey:
+        name: wsl2
+        state: present
+      register: wsl2_choco
+
+    - name: Reboot after WSL2 install
+      ansible.windows.win_reboot:
+        reboot_timeout: 600
+      when: wsl2_choco.changed | default(false)
+
+    - name: Set WSL default version to 2
+      ansible.windows.win_command: wsl --set-default-version 2
+      register: wsl_ver
+      retries: 3
+      delay: 10
+      until: wsl_ver.rc == 0
+
+    - name: Check if Ubuntu WSL distribution is already installed
+      ansible.windows.win_shell: (wsl -l -q) -contains 'Ubuntu'
+      register: wsl_list
+      changed_when: false
+      failed_when: false
+
+    - name: Install Ubuntu WSL distribution
+      ansible.windows.win_command: wsl --install -d Ubuntu --no-launch
+      register: wsl_install_ubuntu
+      failed_when: wsl_install_ubuntu.rc not in [0, 1]
+      when: "'True' not in wsl_list.stdout"
+
+    - name: Reboot after Ubuntu install
+      ansible.windows.win_reboot:
+        reboot_timeout: 600
+      when: wsl_install_ubuntu is changed
+
+    - name: Initialize Ubuntu distro (first launch)
+      ansible.windows.win_command: >-
+        wsl -d Ubuntu -- echo "WSL Ubuntu initialized"
+      register: wsl_init
+      retries: 5
+      delay: 15
+      until: wsl_init.rc == 0
+
+    # ── Install tools inside WSL Ubuntu ──────────────────────────────
+
+    - name: Copy WSL tools setup script
+      ansible.windows.win_copy:
+        src: ../scripts/setup-wsl-tools.sh
+        dest: C:\Temp\setup-wsl-tools.sh
+
+    - name: Install prerequisite tools in WSL Ubuntu
+      ansible.windows.win_command: wsl -d Ubuntu -u root -- bash /mnt/c/Temp/setup-wsl-tools.sh
+      register: wsl_tools
+      async: 1200
+      poll: 30
+
+    - name: Show WSL tools installation output
+      ansible.builtin.debug:
+        var: wsl_tools.stdout_lines
+      when: wsl_tools.stdout_lines is defined

03-Azure/01-03-Infrastructure/03_Hybrid_Azure_Arc_Kubernetes/lab/ansible/requirements.yml

@@ -0,0 +1,6 @@
+---
+collections:
+  - name: ansible.windows
+    version: ">=2.3.0"
+  - name: chocolatey.chocolatey
+    version: ">=1.5.0"

03-Azure/01-03-Infrastructure/03_Hybrid_Azure_Arc_Kubernetes/lab/bastion.tf

@@ -0,0 +1,107 @@
+# ==============================================================================
+# Central Azure Bastion for secure RDP/SSH access to all participant VMs.
+# Uses Standard SKU with IP-based connection to reach VMs across peered VNets.
+# ==============================================================================
+
+# --- Bastion Resource Group ---
+
+resource "azurerm_resource_group" "bastion" {
+  name     = "mh-bastion"
+  location = var.bastion_location
+  tags     = { "SecurityControl" = "Ignore" }
+}
+
+# --- Bastion VNet ---
+
+resource "azurerm_virtual_network" "bastion" {
+  name                = "mh-bastion-vnet"
+  address_space       = [var.bastion_vnet_address_space]
+  location            = azurerm_resource_group.bastion.location
+  resource_group_name = azurerm_resource_group.bastion.name
+
+  tags = {
+    Project = "simulated onprem k8s cluster for microhack"
+  }
+}
+
+# Azure Bastion requires a subnet named exactly "AzureBastionSubnet"
+resource "azurerm_subnet" "bastion" {
+  name                 = "AzureBastionSubnet"
+  resource_group_name  = azurerm_resource_group.bastion.name
+  virtual_network_name = azurerm_virtual_network.bastion.name
+  address_prefixes     = [cidrsubnet(var.bastion_vnet_address_space, 8, 0)] # /24
+}
+
+# --- Bastion Public IP ---
+
+resource "azurerm_public_ip" "bastion" {
+  name                = "mh-bastion-ip"
+  resource_group_name = azurerm_resource_group.bastion.name
+  location            = azurerm_resource_group.bastion.location
+  allocation_method   = "Static"
+  sku                 = "Standard"
+
+  tags = {
+    Project = "simulated onprem k8s cluster for microhack"
+  }
+}
+
+# --- Azure Bastion Host (Standard SKU) ---
+
+resource "azurerm_bastion_host" "bastion" {
+  name                = "mh-bastion"
+  resource_group_name = azurerm_resource_group.bastion.name
+  location            = azurerm_resource_group.bastion.location
+  sku                 = "Standard"
+
+  # Required for cross-VNet connections via peering
+  ip_connect_enabled     = true
+  tunneling_enabled      = true
+  shareable_link_enabled = false
+
+  ip_configuration {
+    name                 = "bastion-ip-config"
+    subnet_id            = azurerm_subnet.bastion.id
+    public_ip_address_id = azurerm_public_ip.bastion.id
+  }
+
+  tags = {
+    Project = "simulated onprem k8s cluster for microhack"
+  }
+}
+
+# --- Global VNet Peering: Bastion <-> each participant VNet ---
+
+resource "azurerm_virtual_network_peering" "bastion_to_onprem" {
+  count                        = length(local.indices)
+  name                         = "bastion-to-${format("%02d", local.indices[count.index])}-onprem"
+  resource_group_name          = azurerm_resource_group.bastion.name
+  virtual_network_name         = azurerm_virtual_network.bastion.name
+  remote_virtual_network_id    = azurerm_virtual_network.onprem[count.index].id
+  allow_virtual_network_access = true
+  allow_forwarded_traffic      = true
+  allow_gateway_transit        = false
+  use_remote_gateways          = false
+}
+
+resource "azurerm_virtual_network_peering" "onprem_to_bastion" {
+  count                        = length(local.indices)
+  name                         = "${format("%02d", local.indices[count.index])}-onprem-to-bastion"
+  resource_group_name          = azurerm_resource_group.mh_k8s_onprem[count.index].name
+  virtual_network_name         = azurerm_virtual_network.onprem[count.index].name
+  remote_virtual_network_id    = azurerm_virtual_network.bastion.id
+  allow_virtual_network_access = true
+  allow_forwarded_traffic      = true
+  allow_gateway_transit        = false
+  use_remote_gateways          = false
+}
+
+# --- Outputs ---
+
+output "bastion_name" {
+  value = azurerm_bastion_host.bastion.name
+}
+
+output "bastion_resource_group" {
+  value = azurerm_resource_group.bastion.name
+}