- How much does it cost?
- Who can access my lab?
- Why not use packer?
- X is insecure!
- How to change the name of the resource group in which resources are created?
### How much does it cost?

This is only an estimate based on two 10-hour periods I tested. Feel free to reach out if you have estimates for other regions or if you have evidence that the estimates below are inaccurate.

Region | Number of workstations | Size of DC and workstations | Estimated price per hour (USD)
---|---|---|---
West Europe | 2 | Standard_D1_v2 | $0.33
US East 2 | 2 | Standard_D1_v2 | $0.43

The cost is not negligible if you leave the lab running continuously. It is mostly driven by the virtual machines (~90%) and the storage (~9%), so you can reduce it by spinning up only 1 workstation. You cannot reduce the storage costs, because they are determined by the VM type and the base image.
### Who can access my lab?

By default, only your public outgoing IP (as returned by canihazip.com) is allowed to access your lab. This is enforced by the Network Security Groups attached to the VM network interfaces.

Make sure your IP didn't change since you last ran `terraform apply`. If it did change, just run `terraform apply` again and the whitelisted IP will be updated automatically.
### Why not use Packer?

In standard infrastructure-as-code deployment, you typically deploy immutable infrastructure:
- Provision a base image with Packer (and the help of Ansible)
- Instantiate your infrastructure from the base image (no configuration management)
In the context of Azure more specifically, this is (partially) what happens when you use Packer:
- Create a VM
- Start the VM
- Use Ansible to provision the VM
- Shut down the VM
- Take a disk snapshot of the VM and convert it into an Azure Managed Image
- Remove all the resources created
While this works well, I found it extremely slow (~20-30 minutes to build a base image), and it doesn't drastically reduce the instantiation time. It also raises the question of what should go into the base image and what should remain runtime provisioning.

If you're interested in an option to use Packer, please vote for this issue.
### X is insecure!

Some of the components of this lab are not optimally secure: WinRM over HTTP, all machines have a public IP (although restricted to your outgoing IP), no TLS on Kibana, a local administrator account with the same password is created on every workstation, etc. The lab isn't hardened because it is, well, a lab.

If you stumble across something that looks too insecure, feel free to open an issue, though.
### How to change the name of the resource group in which resources are created?

The Azure dynamic inventory plugin for Ansible unfortunately does not support setting the name of the resource group to use dynamically at runtime. Consequently, for now, you need to change the name in 2 places:

- `terraform/vars.tf`: the variable is named `resource_group`; change its default value or pass it to `terraform apply`.
- `ansible/inventory_azure_rm.yml`, under the `include_vm_resource_groups` key.

For tracking of this matter, see #11 and ansible/ansible#69949.
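Because the resource group name has to agree in both files, a quick drift check is useful before running `terraform apply`. The script below is an added example, not part of the lab's code: it reads the `resource_group` default from `terraform/vars.tf` and the `include_vm_resource_groups` list from `ansible/inventory_azure_rm.yml` and reports whether they match. The file contents are constructed samples; the real files may contain other keys, and a value passed with `-var` on the command line is not visible to this check.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample contents standing in for the two files the FAQ names
# (illustrative only, not copied from the project).
VARS_TF = '''
variable "resource_group" {
  description = "Name of the resource group to create resources in"
  default     = "adaz"
}
'''

INVENTORY_YML = '''
plugin: azure_rm
include_vm_resource_groups:
  - adaz
auth_source: auto
'''

def terraform_resource_group(vars_tf: str) -> Optional[str]:
    """Return the default of the `resource_group` variable, or None if absent."""
    block = re.search(r'variable\s+"resource_group"\s*\{(.*?)\}', vars_tf, re.S)
    if not block:
        return None
    default = re.search(r'default\s*=\s*"([^"]*)"', block.group(1))
    return default.group(1) if default else None

def inventory_resource_groups(inventory_yml: str) -> List[str]:
    """Return the items under `include_vm_resource_groups` (flat YAML list only)."""
    groups, in_key = [], False
    for line in inventory_yml.splitlines():
        if re.match(r'^include_vm_resource_groups\s*:', line):
            in_key = True
            continue
        if in_key:
            item = re.match(r'^\s+-\s*(\S+)', line)
            if not item:
                break  # next top-level key ends the list
            groups.append(item.group(1).strip('"\''))
    return groups

def check_consistency(vars_tf: str, inventory_yml: str) -> Tuple[bool, str]:
    """True when the Terraform default appears in the Ansible inventory list."""
    tf_rg = terraform_resource_group(vars_tf)
    inv_rgs = inventory_resource_groups(inventory_yml)
    if tf_rg is None:
        return False, "no resource_group default found in terraform/vars.tf"
    if tf_rg not in inv_rgs:
        return False, f"terraform uses {tf_rg!r} but inventory lists {inv_rgs}"
    return True, f"both files point at resource group {tf_rg!r}"

if __name__ == "__main__":
    print(check_consistency(VARS_TF, INVENTORY_YML))
```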