This repository has been archived by the owner on Jun 22, 2021. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 1
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
4 changed files
with
457 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,185 @@ | ||
| # Azure Virtual Network Hub with Firewall Terraform Module | ||
|
|
||
| This module deploys a hub network using the [Microsoft recommended Hub-Spoke network topology](https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/hub-spoke). Usually, only one hub in each region with multiple spokes and each of them can also be in separate subscriptions. | ||
|
|
||
| The hub is a virtual network in Azure that acts as a central point of connectivity to an on-premises network. The spokes are virtual networks that peer with the hub and can be used to isolate workloads. Traffic flows between the on-premises datacenter and the hub through an ExpressRoute or VPN gateway connection. AzureFirewallSubnet and GatewaySubnet will not contain any UDR (User Defined Route) or NSG (Network Security Group). Management and DMZ will route all outgoing traffic through firewall instance. | ||
|
|
||
| This is designed to quickly deploy hub and spoke architecture in the azure and further security hardening would be recommend to add appropriate NSG rules to use this for any production workloads. | ||
|
|
||
| ## Module Usage | ||
|
|
||
| ``` hcl | ||
| module "vnet-hub" { | ||
| source = "github.com/tietoevry-infra-as-code/terraform-azurerm-caf-vnet-hub-firewall?ref=v1.0.0" | ||
| # By default, this module will create a resource group, proivde the name here | ||
| # to use an existing resource group, specify the existing resource group name, | ||
| # and set the argument to `create_resource_group = false`. Location will be same as existing RG. | ||
| resource_group_name = "rg-hub-demo-internal-shared-westeurope-001" | ||
| location = "westeurope" | ||
| hub_vnet_name = "default-hub" | ||
| # Provide valid VNet Address space and specify valid domain name for Private DNS Zone. | ||
| vnet_address_space = ["10.1.0.0/16"] | ||
| firewall_subnet_address_prefix = ["10.1.0.0/26"] | ||
| gateway_subnet_address_prefix = ["10.1.1.0/27"] | ||
| private_dns_zone_name = "publiccloud.example.com" | ||
| # (Required) To enable Azure Monitoring and flow logs | ||
| # Log Retention in days - Possible values range between 30 and 730 | ||
| log_analytics_workspace_sku = "PerGB2018" | ||
| log_analytics_logs_retention_in_days = 30 | ||
| # Adding Standard DDoS Plan, and custom DNS servers (Optional) | ||
| dns_servers = [] | ||
| # Multiple Subnets, Service delegation, Service Endpoints, Network security groups | ||
| # These are default subnets with required configuration, check README.md for more details | ||
| # NSG association to be added automatically for all subnets listed here. | ||
| # First two address ranges from VNet Address space reserved for Gateway And Firewall Subnets. | ||
| # ex.: For 10.1.0.0/16 address space, usable address range start from 10.1.2.0/24 for all subnets. | ||
| # subnet name will be set as per Azure naming convention by defaut. expected value here is: <App or project name> | ||
| subnets = { | ||
| mgnt_subnet = { | ||
| subnet_name = "management" | ||
| subnet_address_prefix = ["10.1.2.0/24"] | ||
| service_endpoints = ["Microsoft.Storage"] | ||
| nsg_inbound_rules = [ | ||
| # [name, priority, direction, access, protocol, destination_port_range, source_address_prefix, destination_address_prefix] | ||
| # To use defaults, use "" without adding any value and to use this subnet as a source or destination prefix. | ||
| ["weballow", "100", "Inbound", "Allow", "Tcp", "22", "*", ""], | ||
| ["weballow1", "200", "Inbound", "Allow", "Tcp", "3389", "*", ""], | ||
| ] | ||
| nsg_outbound_rules = [ | ||
| # [name, priority, direction, access, protocol, destination_port_range, source_address_prefix, destination_address_prefix] | ||
| # To use defaults, use "" without adding any value and to use this subnet as a source or destination prefix. | ||
| ["ntp_out", "100", "Outbound", "Allow", "Udp", "123", "", "0.0.0.0/0"], | ||
| ] | ||
| } | ||
| dmz_subnet = { | ||
| subnet_name = "appgateway" | ||
| subnet_address_prefix = ["10.1.3.0/24"] | ||
| service_endpoints = ["Microsoft.Storage"] | ||
| nsg_inbound_rules = [ | ||
| # [name, priority, direction, access, protocol, destination_port_range, source_address_prefix, destination_address_prefix] | ||
| # To use defaults, use "" without adding any value and to use this subnet as a source or destination prefix. | ||
| # 65200-65335 port to be opened if you planning to create application gateway | ||
| ["http", "100", "Inbound", "Allow", "Tcp", "80", "*", "0.0.0.0/0"], | ||
| ["https", "200", "Inbound", "Allow", "Tcp", "443", "*", ""], | ||
| ["appgwports", "300", "Inbound", "Allow", "Tcp", "65200-65335", "*", ""], | ||
| ] | ||
| nsg_outbound_rules = [ | ||
| # [name, priority, direction, access, protocol, destination_port_range, source_address_prefix, destination_address_prefix] | ||
| # To use defaults, use "" without adding any value and to use this subnet as a source or destination prefix. | ||
| ["ntp_out", "100", "Outbound", "Allow", "Udp", "123", "", "0.0.0.0/0"], | ||
| ] | ||
| } | ||
| } | ||
| # (Optional) To enable the availability zones for firewall. | ||
| # Availability Zones can only be configured during deployment | ||
| # You can't modify an existing firewall to include Availability Zones | ||
| firewall_zones = [1, 2, 3] | ||
| # (Optional) specify the application rules for Azure Firewall | ||
| firewall_application_rules = [ | ||
| { | ||
| name = "microsoft" | ||
| action = "Allow" | ||
| source_addresses = ["10.0.0.0/8"] | ||
| target_fqdns = ["*.microsoft.com"] | ||
| protocol = { | ||
| type = "Http" | ||
| port = "80" | ||
| } | ||
| }, | ||
| ] | ||
| # (Optional) specify the Network rules for Azure Firewall | ||
| firewall_network_rules = [ | ||
| { | ||
| name = "ntp" | ||
| action = "Allow" | ||
| source_addresses = ["10.0.0.0/8"] | ||
| destination_ports = ["123"] | ||
| destination_addresses = ["*"] | ||
| protocols = ["UDP"] | ||
| }, | ||
| ] | ||
| # (Optional) specify the NAT rules for Azure Firewall | ||
| # Destination address must be Firewall public IP | ||
| # `fw-public` is a variable value and automatically pick the firewall public IP from module. | ||
| firewall_nat_rules = [ | ||
| { | ||
| name = "testrule" | ||
| action = "Dnat" | ||
| source_addresses = ["10.0.0.0/8"] | ||
| destination_ports = ["53", ] | ||
| destination_addresses = ["fw-public"] | ||
| translated_port = 53 | ||
| translated_address = "8.8.8.8" | ||
| protocols = ["TCP", "UDP", ] | ||
| }, | ||
| ] | ||
| # Adding TAG's to your Azure resources (Required) | ||
| # ProjectName and Env are already declared above, to use them here, create a varible. | ||
| tags = { | ||
| ProjectName = "demo-internal" | ||
| Env = "dev" | ||
| Owner = "user@example.com" | ||
| BusinessUnit = "CORP" | ||
| ServiceClass = "Gold" | ||
| } | ||
| } | ||
| ``` | ||
|
|
||
| ## Terraform Usage | ||
|
|
||
| To run this example you need to execute following Terraform commands | ||
|
|
||
| ``` hcl | ||
| terraform init | ||
| terraform plan | ||
| terraform apply | ||
| ``` | ||
|
|
||
| Run `terraform destroy` when you don't need these resources. | ||
|
|
||
| ## Outputs | ||
|
|
||
| Name | Description | ||
| ---- | ----------- | ||
| `resource_group_name`| The name of the resource group in which resources are created | ||
| `resource_group_id`| The id of the resource group in which resources are created | ||
| `resource_group_location`| The location of the resource group in which resources are created | ||
| `virtual_network_name` | The name of the virtual network. | ||
| `virtual_network_id` |The virtual NetworkConfiguration ID. | ||
| `virtual_network_address_space` | List of address spaces that are used the virtual network. | ||
| `subnet_ids` | List of IDs of subnets | ||
| `subnet_address_prefixes` | List of address prefix for subnets | ||
| `network_security_group_ids`|List of Network security groups and ids | ||
| `ddos_protection_plan_id` | Azure Network DDoS protection plan id | ||
| `network_watcher_id` | ID of Network Watcher | ||
| `route_table_name`|The resource id of the route table | ||
| `route_table_id`|The resource id of the route table | ||
| `private_dns_zone_name`|The resource name of Private DNS zones within Azure DNS | ||
| `private_dns_zone_id`|The resource id of Private DNS zones within Azure DNS | ||
| `storage_account_id`|The ID of the storage account | ||
| `storage_account_name`|The name of the storage account | ||
| `storage_primary_access_key`|The primary access key for the storage account | ||
| `log_analytics_workspace_name`|Specifies the name of the Log Analytics Workspace | ||
| `log_analytics_workspace_id`|The resource id of the Log Analytics Workspace | ||
| `log_analytics_customer_id`|The Workspace (or Customer) ID for the Log Analytics Workspace. | ||
| `log_analytics_logs_retention_in_days`|The workspace data retention in days. Possible values range between 30 and 730 | ||
| `public_ip_prefix_id`|The id of the Public IP Prefix resource | ||
| `firewall_public_ip`|The public IP of firewall | ||
| `firewall_public_ip_fqdn`|Fully qualified domain name of the A DNS record associated with the public IP | ||
| `firewall_name`|The name of the Azure Firewall | ||
| `firewall_id`|The Resource ID of the Azure Firewall | ||
| `firewall_private_ip`|The private IP of firewall |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,128 @@ | ||
| module "vnet-hub" { | ||
| source = "github.com/tietoevry-infra-as-code/terraform-azurerm-caf-vnet-hub-firewall?ref=v1.0.0" | ||
|
|
||
| # By default, this module will create a resource group, proivde the name here | ||
| # to use an existing resource group, specify the existing resource group name, | ||
| # and set the argument to `create_resource_group = false`. Location will be same as existing RG. | ||
| resource_group_name = "rg-hub-demo-internal-shared-westeurope-001" | ||
| location = "westeurope" | ||
| hub_vnet_name = "default-hub" | ||
|
|
||
| # Provide valid VNet Address space and specify valid domain name for Private DNS Zone. | ||
| vnet_address_space = ["10.1.0.0/16"] | ||
| firewall_subnet_address_prefix = ["10.1.0.0/26"] | ||
| gateway_subnet_address_prefix = ["10.1.1.0/27"] | ||
| private_dns_zone_name = "publiccloud.example.com" | ||
|
|
||
| # (Required) To enable Azure Monitoring and flow logs | ||
| # Log Retention in days - Possible values range between 30 and 730 | ||
| log_analytics_workspace_sku = "PerGB2018" | ||
| log_analytics_logs_retention_in_days = 30 | ||
|
|
||
| # Adding Standard DDoS Plan, and custom DNS servers (Optional) | ||
| dns_servers = [] | ||
|
|
||
| # Multiple Subnets, Service delegation, Service Endpoints, Network security groups | ||
| # These are default subnets with required configuration, check README.md for more details | ||
| # NSG association to be added automatically for all subnets listed here. | ||
| # First two address ranges from VNet Address space reserved for Gateway And Firewall Subnets. | ||
| # ex.: For 10.1.0.0/16 address space, usable address range start from 10.1.2.0/24 for all subnets. | ||
| # subnet name will be set as per Azure naming convention by defaut. expected value here is: <App or project name> | ||
| subnets = { | ||
| mgnt_subnet = { | ||
| subnet_name = "management" | ||
| subnet_address_prefix = ["10.1.2.0/24"] | ||
| service_endpoints = ["Microsoft.Storage"] | ||
|
|
||
| nsg_inbound_rules = [ | ||
| # [name, priority, direction, access, protocol, destination_port_range, source_address_prefix, destination_address_prefix] | ||
| # To use defaults, use "" without adding any value and to use this subnet as a source or destination prefix. | ||
| ["weballow", "100", "Inbound", "Allow", "Tcp", "22", "*", ""], | ||
| ["weballow1", "200", "Inbound", "Allow", "Tcp", "3389", "*", ""], | ||
| ] | ||
|
|
||
| nsg_outbound_rules = [ | ||
| # [name, priority, direction, access, protocol, destination_port_range, source_address_prefix, destination_address_prefix] | ||
| # To use defaults, use "" without adding any value and to use this subnet as a source or destination prefix. | ||
| ["ntp_out", "100", "Outbound", "Allow", "Udp", "123", "", "0.0.0.0/0"], | ||
| ] | ||
| } | ||
|
|
||
| dmz_subnet = { | ||
| subnet_name = "appgateway" | ||
| subnet_address_prefix = ["10.1.3.0/24"] | ||
| service_endpoints = ["Microsoft.Storage"] | ||
| nsg_inbound_rules = [ | ||
| # [name, priority, direction, access, protocol, destination_port_range, source_address_prefix, destination_address_prefix] | ||
| # To use defaults, use "" without adding any value and to use this subnet as a source or destination prefix. | ||
| # 65200-65335 port to be opened if you planning to create application gateway | ||
| ["http", "100", "Inbound", "Allow", "Tcp", "80", "*", "0.0.0.0/0"], | ||
| ["https", "200", "Inbound", "Allow", "Tcp", "443", "*", ""], | ||
| ["appgwports", "300", "Inbound", "Allow", "Tcp", "65200-65335", "*", ""], | ||
|
|
||
| ] | ||
| nsg_outbound_rules = [ | ||
| # [name, priority, direction, access, protocol, destination_port_range, source_address_prefix, destination_address_prefix] | ||
| # To use defaults, use "" without adding any value and to use this subnet as a source or destination prefix. | ||
| ["ntp_out", "100", "Outbound", "Allow", "Udp", "123", "", "0.0.0.0/0"], | ||
| ] | ||
| } | ||
| } | ||
|
|
||
| # (Optional) To enable the availability zones for firewall. | ||
| # Availability Zones can only be configured during deployment | ||
| # You can't modify an existing firewall to include Availability Zones | ||
| firewall_zones = [1, 2, 3] | ||
|
|
||
| # (Optional) specify the application rules for Azure Firewall | ||
| firewall_application_rules = [ | ||
| { | ||
| name = "microsoft" | ||
| action = "Allow" | ||
| source_addresses = ["10.0.0.0/8"] | ||
| target_fqdns = ["*.microsoft.com"] | ||
| protocol = { | ||
| type = "Http" | ||
| port = "80" | ||
| } | ||
| }, | ||
| ] | ||
|
|
||
| # (Optional) specify the Network rules for Azure Firewall | ||
| firewall_network_rules = [ | ||
| { | ||
| name = "ntp" | ||
| action = "Allow" | ||
| source_addresses = ["10.0.0.0/8"] | ||
| destination_ports = ["123"] | ||
| destination_addresses = ["*"] | ||
| protocols = ["UDP"] | ||
| }, | ||
| ] | ||
|
|
||
| # (Optional) specify the NAT rules for Azure Firewall | ||
| # Destination address must be Firewall public IP | ||
| # `fw-public` is a variable value and automatically pick the firewall public IP from module. | ||
| firewall_nat_rules = [ | ||
| { | ||
| name = "testrule" | ||
| action = "Dnat" | ||
| source_addresses = ["10.0.0.0/8"] | ||
| destination_ports = ["53", ] | ||
| destination_addresses = ["fw-public"] | ||
| translated_port = 53 | ||
| translated_address = "8.8.8.8" | ||
| protocols = ["TCP", "UDP", ] | ||
| }, | ||
| ] | ||
|
|
||
| # Adding TAG's to your Azure resources (Required) | ||
| # ProjectName and Env are already declared above, to use them here, create a varible. | ||
| tags = { | ||
| ProjectName = "demo-internal" | ||
| Env = "dev" | ||
| Owner = "user@example.com" | ||
| BusinessUnit = "CORP" | ||
| ServiceClass = "Gold" | ||
| } | ||
| } |
Oops, something went wrong.