diff --git a/terraform/infrastructure/azure/main.tf b/terraform/infrastructure/azure/main.tf
index a749b8cf6..16b7c6bb7 100644
--- a/terraform/infrastructure/azure/main.tf
+++ b/terraform/infrastructure/azure/main.tf
@@ -295,3 +295,90 @@ data "azurerm_user_assigned_identity" "uaid" {
name = local.uai_name
resource_group_name = local.uai_resource_group
}
+
+############## For emergency ssh access ##############
+resource "azurerm_public_ip" "loadbalancer_ssh_ip" {
+ count = var.emergency_ssh ? 1 : 0
+ name = "${local.name}-ssh-lb"
+ domain_name_label = "${local.name}-ssh"
+ resource_group_name = var.resource_group
+ location = var.location
+ allocation_method = "Static"
+ sku = "Standard"
+ tags = local.tags
+
+ lifecycle {
+ ignore_changes = [name]
+ }
+}
+
+// Reads data from the resource of the same name.
+// Used to wait to the actual resource to become ready, before using data from that resource.
+// Property "fqdn" only becomes available on azurerm_public_ip resources once domain_name_label is set.
+// Since we are setting domain_name_label starting with 2.10 we need to migrate
+// resources for clusters created before 2.9. In those cases we need to wait until loadbalancer_ip has
+// been updated before reading from it.
+data "azurerm_public_ip" "loadbalancer_ssh_ip" {
+ count = var.emergency_ssh ? 1 : 0
+ name = "${local.name}-ssh-lb"
+ resource_group_name = var.resource_group
+ depends_on = [azurerm_public_ip.loadbalancer_ssh_ip]
+}
+
+resource "azurerm_lb" "loadbalancer_ssh" {
+ count = var.emergency_ssh ? 1 : 0
+ name = "${local.name}-ssh"
+ location = var.location
+ resource_group_name = var.resource_group
+ sku = "Standard"
+ tags = local.tags
+
+ dynamic "frontend_ip_configuration" {
+ for_each = var.emergency_ssh ? [1] : []
+ content {
+ name = "PublicIPAddress"
+ public_ip_address_id = azurerm_public_ip.loadbalancer_ssh_ip[0].id
+ }
+ }
+}
+
+module "loadbalancer_backend_control_plane_ssh" {
+ count = var.emergency_ssh ? 1 : 0
+ source = "./modules/load_balancer_backend"
+
+ name = "${local.name}-control-plane-ssh"
+ loadbalancer_id = azurerm_lb.loadbalancer_ssh[0].id
+ frontend_ip_configuration_name = azurerm_lb.loadbalancer_ssh[0].frontend_ip_configuration[0].name
+ ports = [{ name = "ssh-cp", port = "22", health_check_protocol = "Tcp", path = null, priority = 100 }]
+}
+
+module "loadbalancer_backend_worker_ssh" {
+ count = var.emergency_ssh ? 1 : 0
+ source = "./modules/load_balancer_backend"
+
+ name = "${local.name}-worker-ssh"
+ loadbalancer_id = azurerm_lb.loadbalancer_ssh[0].id
+ frontend_ip_configuration_name = azurerm_lb.loadbalancer_ssh[0].frontend_ip_configuration[0].name
+ ports = []
+}
+
+resource "azurerm_lb_backend_address_pool" "all_ssh" {
+ count = var.emergency_ssh ? 1 : 0
+ loadbalancer_id = azurerm_lb.loadbalancer_ssh[0].id
+ name = "${var.name}-all-ssh"
+}
+
+resource "azurerm_network_security_rule" "nsg_rule_ssh" {
+ count = var.emergency_ssh ? 1 : 0
+ name = "ssh-new"
+ priority = 210
+ direction = "Inbound"
+ access = "Allow"
+ protocol = "Tcp"
+ source_port_range = "*"
+ destination_port_range = "22"
+ source_address_prefix = "*"
+ destination_address_prefix = "*"
+ resource_group_name = var.resource_group
+ network_security_group_name = azurerm_network_security_group.security_group.name
+}
diff --git a/terraform/infrastructure/azure/variables.tf b/terraform/infrastructure/azure/variables.tf
index a3ab1fd0b..e28558068 100644
--- a/terraform/infrastructure/azure/variables.tf
+++ b/terraform/infrastructure/azure/variables.tf
@@ -101,3 +101,9 @@ variable "additional_tags" {
default = {}
description = "Additional tags that should be applied to created resources."
}
+
+variable "emergency_ssh" {
+ type = bool
+ default = false
+ description = "Wether to deploy a load balancer to connect to nodes via ssh."
+}