fw quickstart with multiple addresses

quickstart/201-azfw-multi-addresses/main.tf

@@ -0,0 +1,240 @@
+resource "random_pet" "rg_name" {
+  prefix = var.resource_group_name_prefix
+}
+
+resource "random_password" "password" {
+  count       = 2
+  length      = 20
+  min_lower   = 1
+  min_upper   = 1
+  min_numeric = 1
+  min_special = 1
+  special     = true
+}
+
+resource "azurerm_resource_group" "rg" {
+  name     = random_pet.rg_name.id
+  location = var.resource_group_location
+}
+
+resource "azurerm_public_ip_prefix" "pip_prefix" {
+  name                = "pip-prefix"
+  location            = azurerm_resource_group.rg.location
+  resource_group_name = azurerm_resource_group.rg.name
+  sku                 = "Standard"
+  prefix_length       = 31
+}
+
+resource "azurerm_public_ip" "pip_azfw" {
+  name                = "pip-azfw"
+  location            = azurerm_resource_group.rg.location
+  resource_group_name = azurerm_resource_group.rg.name
+  sku                 = "Standard"
+  allocation_method   = "Static"
+  public_ip_prefix_id = azurerm_public_ip_prefix.pip_prefix.id
+}
+
+resource "azurerm_public_ip" "pip_azfw_2" {
+  name                = "pip-azfw-1"
+  location            = azurerm_resource_group.rg.location
+  resource_group_name = azurerm_resource_group.rg.name
+  sku                 = "Standard"
+  allocation_method   = "Static"
+  public_ip_prefix_id = azurerm_public_ip_prefix.pip_prefix.id
+}
+
+resource "azurerm_virtual_network" "azfw_vnet" {
+  name                = "azfw-vnet"
+  location            = azurerm_resource_group.rg.location
+  resource_group_name = azurerm_resource_group.rg.name
+  address_space       = ["10.10.0.0/16"]
+}
+
+resource "azurerm_subnet" "azfw_subnet" {
+  name                 = "AzureFirewallSubnet"
+  resource_group_name  = azurerm_resource_group.rg.name
+  virtual_network_name = azurerm_virtual_network.azfw_vnet.name
+  address_prefixes     = ["10.10.0.0/26"]
+}
+
+resource "azurerm_subnet" "backend_subnet" {
+  name                 = "subnet-backend"
+  resource_group_name  = azurerm_resource_group.rg.name
+  virtual_network_name = azurerm_virtual_network.azfw_vnet.name
+  address_prefixes     = ["10.10.1.0/24"]
+}
+
+resource "azurerm_network_interface" "backend_nic" {
+  count               = 2
+  name                = "nic-backend-${count.index + 1}"
+  location            = azurerm_resource_group.rg.location
+  resource_group_name = azurerm_resource_group.rg.name
+
+  ip_configuration {
+    name                          = "ipconfig-backend-${count.index + 1}"
+    subnet_id                     = azurerm_subnet.backend_subnet.id
+    private_ip_address_allocation = "Dynamic"
+  }
+}
+
+resource "azurerm_network_security_group" "backend_nsg" {
+  name                = "nsg-backend"
+  location            = azurerm_resource_group.rg.location
+  resource_group_name = azurerm_resource_group.rg.name
+  security_rule {
+    name                       = "RDP"
+    priority                   = 300
+    direction                  = "Inbound"
+    access                     = "Allow"
+    protocol                   = "Tcp"
+    source_port_range          = "*"
+    destination_port_range     = "3389"
+    source_address_prefix      = "*"
+    destination_address_prefix = "*"
+  }
+}
+
+resource "azurerm_network_interface_security_group_association" "vm_backend_nsg_association" {
+  count                     = 2
+  network_interface_id      = azurerm_network_interface.backend_nic[count.index].id
+  network_security_group_id = azurerm_network_security_group.backend_nsg.id
+}
+
+resource "azurerm_windows_virtual_machine" "vm_backend" {
+  count                 = 2
+  name                  = "vm-backend-${count.index + 1}"
+  resource_group_name   = azurerm_resource_group.rg.name
+  location              = azurerm_resource_group.rg.location
+  size                  = var.virtual_machine_size
+  admin_username        = var.admin_username
+  admin_password        = random_password.password[count.index].result
+  network_interface_ids = [azurerm_network_interface.backend_nic[count.index].id]
+  os_disk {
+    caching              = "ReadWrite"
+    storage_account_type = "Standard_LRS"
+  }
+  source_image_reference {
+    publisher = "MicrosoftWindowsServer"
+    offer     = "WindowsServer"
+    sku       = "2019-Datacenter"
+    version   = "latest"
+  }
+}
+
+resource "azurerm_firewall_policy" "azfw_policy" {
+  name                     = "azfw-policy"
+  resource_group_name      = azurerm_resource_group.rg.name
+  location                 = azurerm_resource_group.rg.location
+  sku                      = var.firewall_sku_tier
+  threat_intelligence_mode = "Alert"
+}
+
+resource "azurerm_firewall_policy_rule_collection_group" "policy_rule_collection_group" {
+  name               = "RuleCollectionGroup"
+  firewall_policy_id = azurerm_firewall_policy.azfw_policy.id
+  priority           = 300
+  application_rule_collection {
+    name     = "web"
+    priority = 100
+    action   = "Allow"
+    rule {
+      name = "wan-address"
+      protocols {
+        type = "Http"
+        port = 80
+      }
+      protocols {
+        type = "Https"
+        port = 443
+      }
+      destination_fqdns = ["getmywanip.com"]
+      source_addresses  = ["*"]
+    }
+    rule {
+      name = "google"
+      protocols {
+        type = "Http"
+        port = 80
+      }
+      protocols {
+        type = "Https"
+        port = 443
+      }
+      destination_fqdns = ["www.google.com"]
+      source_addresses  = ["10.10.1.0/24"]
+    }
+    rule {
+      name = "wupdate"
+      protocols {
+        type = "Http"
+        port = 80
+      }
+      protocols {
+        type = "Https"
+        port = 443
+      }
+      destination_fqdn_tags = ["WindowsUpdate"]
+      source_addresses      = ["*"]
+    }
+  }
+  nat_rule_collection {
+    name     = "Coll-01"
+    action   = "Dnat"
+    priority = 200
+    rule {
+      name                = "rdp-01"
+      protocols           = ["TCP"]
+      translated_address  = "10.10.1.4"
+      translated_port     = "3389"
+      source_addresses    = ["*"]
+      destination_address = azurerm_public_ip.pip_azfw.ip_address
+      destination_ports   = ["3389"]
+    }
+    rule {
+      name                = "rdp-02"
+      protocols           = ["TCP"]
+      translated_address  = "10.10.1.5"
+      translated_port     = "3389"
+      source_addresses    = ["*"]
+      destination_address = azurerm_public_ip.pip_azfw.ip_address
+      destination_ports   = ["3389"]
+    }
+  }
+}
+
+resource "azurerm_firewall" "fw" {
+  name                = "azfw"
+  location            = azurerm_resource_group.rg.location
+  resource_group_name = azurerm_resource_group.rg.name
+  sku_name            = "AZFW_VNet"
+  sku_tier            = var.firewall_sku_tier
+  ip_configuration {
+    name                 = "azfw-ipconfig"
+    subnet_id            = azurerm_subnet.azfw_subnet.id
+    public_ip_address_id = azurerm_public_ip.pip_azfw.id
+  }
+  ip_configuration {
+    name                 = "azfw-ipconfig-2"
+    public_ip_address_id = azurerm_public_ip.pip_azfw_2.id
+  }
+  firewall_policy_id = azurerm_firewall_policy.azfw_policy.id
+}
+
+resource "azurerm_route_table" "rt" {
+  name                          = "rt-azfw-eus"
+  location                      = azurerm_resource_group.rg.location
+  resource_group_name           = azurerm_resource_group.rg.name
+  disable_bgp_route_propagation = false
+  route {
+    name                   = "azfw"
+    address_prefix         = "0.0.0.0/0"
+    next_hop_type          = "VirtualAppliance"
+    next_hop_in_ip_address = "10.10.0.4"
+  }
+}
+
+resource "azurerm_subnet_route_table_association" "jump_subnet_rt_association" {
+  subnet_id      = azurerm_subnet.backend_subnet.id
+  route_table_id = azurerm_route_table.rt.id
+}
+

quickstart/201-azfw-multi-addresses/outputs.tf

@@ -0,0 +1,8 @@
+output "resource_group_name" {
+  value = azurerm_resource_group.rg.name
+}
+output "backend_admin_password" {
+  sensitive = true
+  value     = azurerm_windows_virtual_machine.vm_backend[*].admin_password
+}
+

quickstart/201-azfw-multi-addresses/providers.tf

@@ -0,0 +1,21 @@
+terraform {
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "~>3.0"
+    }
+    random = {
+      source  = "hashicorp/random"
+      version = "~>3.0"
+    }
+  }
+}
+
+provider "azurerm" {
+  features {
+    virtual_machine {
+      delete_os_disk_on_deletion     = true
+      skip_shutdown_and_force_delete = true
+    }
+  }
+}

quickstart/201-azfw-multi-addresses/readme.md

@@ -0,0 +1,32 @@
+# Deploy Azure Firewall with multiple public IP addresses
+
+This template deploys an [Azure Firewall](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/firewall) with multiple [Public IP Address](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/public_ip) from a public IP address prefix. The deployed firewall has NAT rule collection rules that allow RDP connections to two Windows Server 2019 virtual machines.\
+
+## Terraform resource types
+
+- [azurerm_resource_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group)
+- [azurerm_virtual_network](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_network)
+- [azurerm_subnet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet)
+- [azurerm_public_ip](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/public_ip)
+- [azurerm_public_ip_prefix](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/public_ip_prefix)
+- [azurerm_firewall_policy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/firewall_policy)
+- [azurerm_firewall_policy_rule_collection_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/firewall_policy_rule_collection_group)
+- [azurerm_firewall](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/firewall)
+- [azurerm_network_interface](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_interface)
+- [azurerm_network_security_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_security_group)
+- [azurerm_network_interface_security_group_association](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_interface_security_group_association
+- [azurerm_route_table](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/route_table)
+- [azurerm_subnet_route_table_association](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet_route_table_association)
+- [azurerm_windows_virtual_machine](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/windows_virtual_machine)
+- [random_password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password)
+- [random_pet](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet)
+
+## Variables
+
+| Name | Description | Default value |
+|-|-|-|
+| `resource_group_location`    | Location of the resource group                                                                                                          | eastus         |
+| `firewall_sku_tier`          | SKU size for your Firewall and Firewall Policy. Possible values: Standard, Premium                                                      | Premium        |
+| `resource_group_name_prefix` |  Prefix of the resource group name that's combined with a random ID so that name is unique in your Azure subscription.                  | rg             |
+| `virtual_machine_size`       | SKU size for your jump and workload VMs                                                                                                 | Standard_D2_v3 |
+| `admin_username`             | THe admin username for the jump and workload VMs                                                                                        | azureuser      |

quickstart/201-azfw-multi-addresses/variables.tf

@@ -0,0 +1,33 @@
+variable "resource_group_location" {
+  type        = string
+  description = "Location for all resources."
+  default     = "eastus"
+}
+
+variable "resource_group_name_prefix" {
+  type        = string
+  description = "Prefix for the Resource Group Name that's combined with a random id so name is unique in your Azure subcription."
+  default     = "rg"
+}
+
+variable "firewall_sku_tier" {
+  type        = string
+  description = "Firewall SKU."
+  default     = "Premium" # Valid values are Standard and Premium
+  validation {
+    condition     = contains(["Standard", "Premium"], var.firewall_sku_tier)
+    error_message = "The sku must be one of the following: Standard, Premium"
+  }
+}
+
+variable "virtual_machine_size" {
+  type        = string
+  description = "Size of the virtual machine."
+  default     = "Standard_D2_v3"
+}
+
+variable "admin_username" {
+  type        = string
+  description = "value of the admin username."
+  default     = "azureuser"
+}