diff --git a/quickstart/201-azfw-multi-addresses/main.tf b/quickstart/201-azfw-multi-addresses/main.tf
new file mode 100644
index 000000000..8d252f1a8
--- /dev/null
+++ b/quickstart/201-azfw-multi-addresses/main.tf
@@ -0,0 +1,240 @@
+resource "random_pet" "rg_name" {
+  prefix = var.resource_group_name_prefix
+}
+
+resource "random_password" "password" {
+  count = 2
+  length = 20
+  min_lower = 1
+  min_upper = 1
+  min_numeric = 1
+  min_special = 1
+  special = true
+}
+
+resource "azurerm_resource_group" "rg" {
+  name = random_pet.rg_name.id
+  location = var.resource_group_location
+}
+
+resource "azurerm_public_ip_prefix" "pip_prefix" {
+  name = "pip-prefix"
+  location = azurerm_resource_group.rg.location
+  resource_group_name = azurerm_resource_group.rg.name
+  sku = "Standard"
+  prefix_length = 31
+}
+
+resource "azurerm_public_ip" "pip_azfw" {
+  name = "pip-azfw"
+  location = azurerm_resource_group.rg.location
+  resource_group_name = azurerm_resource_group.rg.name
+  sku = "Standard"
+  allocation_method = "Static"
+  public_ip_prefix_id = azurerm_public_ip_prefix.pip_prefix.id
+}
+
+resource "azurerm_public_ip" "pip_azfw_2" {
+  name = "pip-azfw-1"
+  location = azurerm_resource_group.rg.location
+  resource_group_name = azurerm_resource_group.rg.name
+  sku = "Standard"
+  allocation_method = "Static"
+  public_ip_prefix_id = azurerm_public_ip_prefix.pip_prefix.id
+}
+
+resource "azurerm_virtual_network" "azfw_vnet" {
+  name = "azfw-vnet"
+  location = azurerm_resource_group.rg.location
+  resource_group_name = azurerm_resource_group.rg.name
+  address_space = ["10.10.0.0/16"]
+}
+
+resource "azurerm_subnet" "azfw_subnet" {
+  name = "AzureFirewallSubnet"
+  resource_group_name = azurerm_resource_group.rg.name
+  virtual_network_name = azurerm_virtual_network.azfw_vnet.name
+  address_prefixes = ["10.10.0.0/26"]
+}
+
+resource "azurerm_subnet" "backend_subnet" {
+  name = "subnet-backend"
+  resource_group_name = azurerm_resource_group.rg.name
+  virtual_network_name = azurerm_virtual_network.azfw_vnet.name
+  address_prefixes = ["10.10.1.0/24"]
+}
+
+resource "azurerm_network_interface" "backend_nic" {
+  count = 2
+  name = "nic-backend-${count.index + 1}"
+  location = azurerm_resource_group.rg.location
+  resource_group_name = azurerm_resource_group.rg.name
+
+  ip_configuration {
+    name = "ipconfig-backend-${count.index + 1}"
+    subnet_id = azurerm_subnet.backend_subnet.id
+    private_ip_address_allocation = "Dynamic"
+  }
+}
+
+resource "azurerm_network_security_group" "backend_nsg" {
+  name = "nsg-backend"
+  location = azurerm_resource_group.rg.location
+  resource_group_name = azurerm_resource_group.rg.name
+  security_rule {
+    name = "RDP"
+    priority = 300
+    direction = "Inbound"
+    access = "Allow"
+    protocol = "Tcp"
+    source_port_range = "*"
+    destination_port_range = "3389"
+    source_address_prefix = "*"
+    destination_address_prefix = "*"
+  }
+}
+
+resource "azurerm_network_interface_security_group_association" "vm_backend_nsg_association" {
+  count = 2
+  network_interface_id = azurerm_network_interface.backend_nic[count.index].id
+  network_security_group_id = azurerm_network_security_group.backend_nsg.id
+}
+
+resource "azurerm_windows_virtual_machine" "vm_backend" {
+  count = 2
+  name = "vm-backend-${count.index + 1}"
+  resource_group_name = azurerm_resource_group.rg.name
+  location = azurerm_resource_group.rg.location
+  size = var.virtual_machine_size
+  admin_username = var.admin_username
+  admin_password = random_password.password[count.index].result
+  network_interface_ids = [azurerm_network_interface.backend_nic[count.index].id]
+  os_disk {
+    caching = "ReadWrite"
+    storage_account_type = "Standard_LRS"
+  }
+  source_image_reference {
+    publisher = "MicrosoftWindowsServer"
+    offer = "WindowsServer"
+    sku = "2019-Datacenter"
+    version = "latest"
+  }
+}
+
+resource "azurerm_firewall_policy" "azfw_policy" {
+  name = "azfw-policy"
+  resource_group_name = azurerm_resource_group.rg.name
+  location = azurerm_resource_group.rg.location
+  sku = var.firewall_sku_tier
+  threat_intelligence_mode = "Alert"
+}
+
+resource "azurerm_firewall_policy_rule_collection_group" "policy_rule_collection_group" {
+  name = "RuleCollectionGroup"
+  firewall_policy_id = azurerm_firewall_policy.azfw_policy.id
+  priority = 300
+  application_rule_collection {
+    name = "web"
+    priority = 100
+    action = "Allow"
+    rule {
+      name = "wan-address"
+      protocols {
+        type = "Http"
+        port = 80
+      }
+      protocols {
+        type = "Https"
+        port = 443
+      }
+      destination_fqdns = ["getmywanip.com"]
+      source_addresses = ["*"]
+    }
+    rule {
+      name = "google"
+      protocols {
+        type = "Http"
+        port = 80
+      }
+      protocols {
+        type = "Https"
+        port = 443
+      }
+      destination_fqdns = ["www.google.com"]
+      source_addresses = ["10.10.1.0/24"]
+    }
+    rule {
+      name = "wupdate"
+      protocols {
+        type = "Http"
+        port = 80
+      }
+      protocols {
+        type = "Https"
+        port = 443
+      }
+      destination_fqdn_tags = ["WindowsUpdate"]
+      source_addresses = ["*"]
+    }
+  }
+  nat_rule_collection {
+    name = "Coll-01"
+    action = "Dnat"
+    priority = 200
+    rule {
+      name = "rdp-01"
+      protocols = ["TCP"]
+      translated_address = "10.10.1.4"
+      translated_port = "3389"
+      source_addresses = ["*"]
+      destination_address = azurerm_public_ip.pip_azfw.ip_address
+      destination_ports = ["3389"]
+    }
+    rule {
+      name = "rdp-02"
+      protocols = ["TCP"]
+      translated_address = "10.10.1.5"
+      translated_port = "3389"
+      source_addresses = ["*"]
+      destination_address = azurerm_public_ip.pip_azfw.ip_address
+      destination_ports = ["3389"]
+    }
+  }
+}
+
+resource "azurerm_firewall" "fw" {
+  name = "azfw"
+  location = azurerm_resource_group.rg.location
+  resource_group_name = azurerm_resource_group.rg.name
+  sku_name = "AZFW_VNet"
+  sku_tier = var.firewall_sku_tier
+  ip_configuration {
+    name = "azfw-ipconfig"
+    subnet_id = azurerm_subnet.azfw_subnet.id
+    public_ip_address_id = azurerm_public_ip.pip_azfw.id
+  }
+  ip_configuration {
+    name = "azfw-ipconfig-2"
+    public_ip_address_id = azurerm_public_ip.pip_azfw_2.id
+  }
+  firewall_policy_id = azurerm_firewall_policy.azfw_policy.id
+}
+
+resource "azurerm_route_table" "rt" {
+  name = "rt-azfw-eus"
+  location = azurerm_resource_group.rg.location
+  resource_group_name = azurerm_resource_group.rg.name
+  disable_bgp_route_propagation = false
+  route {
+    name = "azfw"
+    address_prefix = "0.0.0.0/0"
+    next_hop_type = "VirtualAppliance"
+    next_hop_in_ip_address = "10.10.0.4"
+  }
+}
+
+resource "azurerm_subnet_route_table_association" "jump_subnet_rt_association" {
+  subnet_id = azurerm_subnet.backend_subnet.id
+  route_table_id = azurerm_route_table.rt.id
+}
+
diff --git a/quickstart/201-azfw-multi-addresses/outputs.tf b/quickstart/201-azfw-multi-addresses/outputs.tf
new file mode 100644
index 000000000..7a255dcb3
--- /dev/null
+++ b/quickstart/201-azfw-multi-addresses/outputs.tf
@@ -0,0 +1,8 @@
+output "resource_group_name" {
+  value = azurerm_resource_group.rg.name
+}
+output "backend_admin_password" {
+  sensitive = true
+  value = azurerm_windows_virtual_machine.vm_backend[*].admin_password
+}
+
diff --git a/quickstart/201-azfw-multi-addresses/providers.tf b/quickstart/201-azfw-multi-addresses/providers.tf
new file mode 100644
index 000000000..72b9204f2
--- /dev/null
+++ b/quickstart/201-azfw-multi-addresses/providers.tf
@@ -0,0 +1,21 @@
+terraform {
+  required_providers {
+    azurerm = {
+      source = "hashicorp/azurerm"
+      version = "~>3.0"
+    }
+    random = {
+      source = "hashicorp/random"
+      version = "~>3.0"
+    }
+  }
+}
+
+provider "azurerm" {
+  features {
+    virtual_machine {
+      delete_os_disk_on_deletion = true
+      skip_shutdown_and_force_delete = true
+    }
+  }
+}
diff --git a/quickstart/201-azfw-multi-addresses/readme.md b/quickstart/201-azfw-multi-addresses/readme.md
new file mode 100644
index 000000000..c9364f504
--- /dev/null
+++ b/quickstart/201-azfw-multi-addresses/readme.md
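Review bot: In main.tf the two DNAT rules `rdp-01` and `rdp-02` both use `destination_address = azurerm_public_ip.pip_azfw.ip_address` with `destination_ports = ["3389"]`, so they overlap on the same public address and port while `pip_azfw_2` is attached to the firewall but never referenced by any rule; given the template's stated purpose, `rdp-02` presumably should read `destination_address = azurerm_public_ip.pip_azfw_2.ip_address`. The rules also hard-code `translated_address` (`10.10.1.4`, `10.10.1.5`) although the backend NICs use `private_ip_address_allocation = "Dynamic"`, and the route table hard-codes `next_hop_in_ip_address = "10.10.0.4"`; `azurerm_network_interface.backend_nic[0].private_ip_address` and `azurerm_firewall.fw.ip_configuration[0].private_ip_address` express the same intent without depending on allocation order. The NSG `RDP` rule uses `source_address_prefix = "*"` and both DNAT rules use `source_addresses = ["*"]`, so RDP on the firewall's public IPs is reachable from any source; a variable for the administrator's source range (and, for the NSG, the `AzureFirewallSubnet` prefix `10.10.0.0/26`, since the VMs have no public IP of their own) narrows this without changing the walkthrough. Lastly, `pip_azfw_2` is named `"pip-azfw-1"`, which reads as a typo next to `pip_azfw`'s `"pip-azfw"`.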
@@ -0,0 +1,32 @@
+# Deploy Azure Firewall with multiple public IP addresses
+
+This template deploys an [Azure Firewall](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/firewall) with multiple [Public IP Address](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/public_ip) from a public IP address prefix. The deployed firewall has NAT rule collection rules that allow RDP connections to two Windows Server 2019 virtual machines.
+
+## Terraform resource types
+
+- [azurerm_resource_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group)
+- [azurerm_virtual_network](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_network)
+- [azurerm_subnet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet)
+- [azurerm_public_ip](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/public_ip)
+- [azurerm_public_ip_prefix](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/public_ip_prefix)
+- [azurerm_firewall_policy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/firewall_policy)
+- [azurerm_firewall_policy_rule_collection_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/firewall_policy_rule_collection_group)
+- [azurerm_firewall](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/firewall)
+- [azurerm_network_interface](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_interface)
+- [azurerm_network_security_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_security_group)
+- [azurerm_network_interface_security_group_association](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_interface_security_group_association
+- [azurerm_route_table](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/route_table)
+- [azurerm_subnet_route_table_association](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet_route_table_association)
+- [azurerm_windows_virtual_machine](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/windows_virtual_machine)
+- [random_password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password)
+- [random_pet](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet)
+
+## Variables
+
+| Name | Description | Default value |
+|-|-|-|
+| `resource_group_location` | Location of the resource group | eastus |
+| `firewall_sku_tier` | SKU size for your Firewall and Firewall Policy. Possible values: Standard, Premium | Premium |
+| `resource_group_name_prefix` | Prefix of the resource group name that's combined with a random ID so that name is unique in your Azure subscription. | rg |
+| `virtual_machine_size` | SKU size for your jump and workload VMs | Standard_D2_v3 |
+| `admin_username` | THe admin username for the jump and workload VMs | azureuser |
\ No newline at end of file
diff --git a/quickstart/201-azfw-multi-addresses/variables.tf b/quickstart/201-azfw-multi-addresses/variables.tf
new file mode 100644
index 000000000..c3af42e47
--- /dev/null
+++ b/quickstart/201-azfw-multi-addresses/variables.tf
@@ -0,0 +1,33 @@
+variable "resource_group_location" {
+  type = string
+  description = "Location for all resources."
+  default = "eastus"
+}
+
+variable "resource_group_name_prefix" {
+  type = string
+  description = "Prefix for the Resource Group Name that's combined with a random id so name is unique in your Azure subcription."
+  default = "rg"
+}
+
+variable "firewall_sku_tier" {
+  type = string
+  description = "Firewall SKU."
+  default = "Premium" # Valid values are Standard and Premium
+  validation {
+    condition = contains(["Standard", "Premium"], var.firewall_sku_tier)
+    error_message = "The SKU must be one of the following: Standard, Premium"
+  }
+}
+
+variable "virtual_machine_size" {
+  type = string
+  description = "Size of the virtual machine."
+  default = "Standard_D2_v3"
+}
+
+variable "admin_username" {
+  type = string
+  description = "Value of the admin username."
+  default = "azureuser"
+}
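Review bot: The `resource_group_name_prefix` description in variables.tf misspells "subscription" as `subcription`; suggested text: `description = "Prefix for the Resource Group Name that's combined with a random id so name is unique in your Azure subscription."`. For `firewall_sku_tier` the accepted values appear only in a trailing `#` comment on the `default` line, so they do not surface in `terraform plan` or generated docs; folding them into the description, `description = "Firewall SKU tier. Valid values: Standard, Premium."`, keeps the validation block and its documentation together. The readme table describes `virtual_machine_size` and `admin_username` as applying to "jump and workload VMs", whereas this template only creates the two backend VMs, so those rows could be aligned with the variables.tf descriptions.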