diff --git a/quickstart/201-azfw-with-avzones/main.tf b/quickstart/201-azfw-with-avzones/main.tf
new file mode 100644
index 000000000..f6f26cf9f
--- /dev/null
+++ b/quickstart/201-azfw-with-avzones/main.tf
@@ -0,0 +1,264 @@
+resource "random_pet" "rg_name" {
+ prefix = var.resource_group_name_prefix
+}
+
+resource "random_string" "storage_account_name" {
+ length = 8
+ lower = true
+ numeric = false
+ special = false
+ upper = false
+}
+
+resource "random_password" "password" {
+ length = 20
+ min_lower = 1
+ min_upper = 1
+ min_numeric = 1
+ min_special = 1
+ special = true
+}
+
+resource "azurerm_resource_group" "rg" {
+ name = random_pet.rg_name.id
+ location = var.resource_group_location
+}
+
+resource "azurerm_public_ip" "pip_azfw" {
+ name = "pip-azfw"
+ location = azurerm_resource_group.rg.location
+ resource_group_name = azurerm_resource_group.rg.name
+ allocation_method = "Static"
+ sku = "Standard"
+ zones = ["1", "2", "3"]
+}
+
+resource "azurerm_storage_account" "sa" {
+ name = random_string.storage_account_name.result
+ resource_group_name = azurerm_resource_group.rg.name
+ location = azurerm_resource_group.rg.location
+ account_tier = "Standard"
+ account_replication_type = "LRS"
+ account_kind = "StorageV2"
+}
+
+resource "azurerm_virtual_network" "azfw_vnet" {
+ name = "azfw-vnet"
+ location = azurerm_resource_group.rg.location
+ resource_group_name = azurerm_resource_group.rg.name
+ address_space = ["10.10.0.0/16"]
+}
+
+resource "azurerm_subnet" "azfw_subnet" {
+ name = "AzureFirewallSubnet"
+ resource_group_name = azurerm_resource_group.rg.name
+ virtual_network_name = azurerm_virtual_network.azfw_vnet.name
+ address_prefixes = ["10.10.0.0/26"]
+}
+
+resource "azurerm_subnet" "server_subnet" {
+ name = "subnet-server"
+ resource_group_name = azurerm_resource_group.rg.name
+ virtual_network_name = azurerm_virtual_network.azfw_vnet.name
+ address_prefixes = ["10.10.1.0/24"]
+}
+
+resource "azurerm_subnet" "jump_subnet" {
+ name = "subnet-jump"
+ resource_group_name = azurerm_resource_group.rg.name
+ virtual_network_name = azurerm_virtual_network.azfw_vnet.name
+ address_prefixes = ["10.10.2.0/24"]
+}
+
+resource "azurerm_public_ip" "vm_jump_pip" {
+ name = "pip-jump"
+ location = azurerm_resource_group.rg.location
+ resource_group_name = azurerm_resource_group.rg.name
+ allocation_method = "Static"
+ sku = "Standard"
+}
+
+resource "azurerm_network_interface" "vm_server_nic" {
+ name = "nic-server"
+ location = azurerm_resource_group.rg.location
+ resource_group_name = azurerm_resource_group.rg.name
+
+ ip_configuration {
+ name = "ipconfig-workload"
+ subnet_id = azurerm_subnet.server_subnet.id
+ private_ip_address_allocation = "Dynamic"
+ }
+}
+
+resource "azurerm_network_interface" "vm_jump_nic" {
+ name = "nic-jump"
+ location = azurerm_resource_group.rg.location
+ resource_group_name = azurerm_resource_group.rg.name
+
+ ip_configuration {
+ name = "ipconfig-jump"
+ subnet_id = azurerm_subnet.jump_subnet.id
+ private_ip_address_allocation = "Dynamic"
+ public_ip_address_id = azurerm_public_ip.vm_jump_pip.id
+ }
+}
+
+resource "azurerm_network_security_group" "vm_server_nsg" {
+ name = "nsg-server"
+ location = azurerm_resource_group.rg.location
+ resource_group_name = azurerm_resource_group.rg.name
+}
+
+resource "azurerm_network_security_group" "vm_jump_nsg" {
+ name = "nsg-jump"
+ location = azurerm_resource_group.rg.location
+ resource_group_name = azurerm_resource_group.rg.name
+ security_rule {
+ name = "Allow-TCP"
+ priority = 1000
+ direction = "Inbound"
+ access = "Allow"
+ protocol = "Tcp"
+ source_port_range = "*"
+ destination_port_range = "3389"
+ source_address_prefix = "*"
+ destination_address_prefix = "*"
+ }
+}
+
+resource "azurerm_network_interface_security_group_association" "vm_server_nsg_association" {
+ network_interface_id = azurerm_network_interface.vm_server_nic.id
+ network_security_group_id = azurerm_network_security_group.vm_server_nsg.id
+}
+
+resource "azurerm_network_interface_security_group_association" "vm_jump_nsg_association" {
+ network_interface_id = azurerm_network_interface.vm_jump_nic.id
+ network_security_group_id = azurerm_network_security_group.vm_jump_nsg.id
+}
+
+resource "azurerm_windows_virtual_machine" "vm_server" {
+ name = "server-vm"
+ resource_group_name = azurerm_resource_group.rg.name
+ location = azurerm_resource_group.rg.location
+ computer_name = "server"
+ size = var.virtual_machine_size
+ admin_username = var.admin_username
+ admin_password = random_password.password.result
+ network_interface_ids = [azurerm_network_interface.vm_server_nic.id]
+ os_disk {
+ caching = "ReadWrite"
+ storage_account_type = "Standard_LRS"
+ disk_size_gb = "128"
+ }
+ source_image_reference {
+ publisher = "MicrosoftWindowsServer"
+ offer = "WindowsServer"
+ sku = "2019-Datacenter"
+ version = "latest"
+ }
+ boot_diagnostics {
+ storage_account_uri = azurerm_storage_account.sa.primary_blob_endpoint
+ }
+}
+
+resource "azurerm_windows_virtual_machine" "vm_jump" {
+ name = "jump-vm"
+ resource_group_name = azurerm_resource_group.rg.name
+ location = azurerm_resource_group.rg.location
+ computer_name = "jumpbox"
+ size = var.virtual_machine_size
+ admin_username = var.admin_username
+ admin_password = random_password.password.result
+ network_interface_ids = [azurerm_network_interface.vm_jump_nic.id]
+ os_disk {
+ caching = "ReadWrite"
+ storage_account_type = "Standard_LRS"
+ disk_size_gb = "128"
+ }
+ source_image_reference {
+ publisher = "MicrosoftWindowsServer"
+ offer = "WindowsServer"
+ sku = "2019-Datacenter"
+ version = "latest"
+ }
+ boot_diagnostics {
+ storage_account_uri = azurerm_storage_account.sa.primary_blob_endpoint
+ }
+}
+
+resource "azurerm_firewall_policy" "azfw_policy" {
+ name = "azfw-policy"
+ resource_group_name = azurerm_resource_group.rg.name
+ location = azurerm_resource_group.rg.location
+ sku = var.firewall_sku_tier
+ threat_intelligence_mode = "Alert"
+}
+
+resource "azurerm_firewall_policy_rule_collection_group" "prcg" {
+ name = "prcg"
+ firewall_policy_id = azurerm_firewall_policy.azfw_policy.id
+ priority = 300
+ application_rule_collection {
+ name = "appRc1"
+ priority = 101
+ action = "Allow"
+ rule {
+ name = "appRule1"
+ protocols {
+ type = "Http"
+ port = 80
+ }
+ protocols {
+ type = "Https"
+ port = 443
+ }
+ destination_fqdns = ["www.microsoft.com"]
+ source_addresses = ["10.10.1.0/24"]
+ }
+ }
+ network_rule_collection {
+ name = "netRc1"
+ priority = 200
+ action = "Allow"
+ rule {
+ name = "netRule1"
+ protocols = ["TCP"]
+ source_addresses = ["10.10.1.0/24"]
+ destination_addresses = ["*"]
+ destination_ports = ["8000", "8999"]
+ }
+ }
+}
+
+resource "azurerm_firewall" "fw" {
+ name = "azfw"
+ location = azurerm_resource_group.rg.location
+ resource_group_name = azurerm_resource_group.rg.name
+ sku_name = "AZFW_VNet"
+ sku_tier = var.firewall_sku_tier
+ zones = ["1", "2", "3"]
+ ip_configuration {
+ name = "azfw-ipconfig"
+ subnet_id = azurerm_subnet.azfw_subnet.id
+ public_ip_address_id = azurerm_public_ip.pip_azfw.id
+ }
+ firewall_policy_id = azurerm_firewall_policy.azfw_policy.id
+}
+
+resource "azurerm_route_table" "rt" {
+ name = "rt-azfw-eus"
+ location = azurerm_resource_group.rg.location
+ resource_group_name = azurerm_resource_group.rg.name
+ disable_bgp_route_propagation = false
+ route {
+ name = "azfwDefaultRoute"
+ address_prefix = "0.0.0.0/0"
+ next_hop_type = "VirtualAppliance"
+ next_hop_in_ip_address = azurerm_firewall.fw.ip_configuration[0].private_ip_address
+ }
+}
+
+resource "azurerm_subnet_route_table_association" "jump_subnet_rt_association" {
+ subnet_id = azurerm_subnet.server_subnet.id
+ route_table_id = azurerm_route_table.rt.id
+}
\ No newline at end of file
diff --git a/quickstart/201-azfw-with-avzones/outputs.tf b/quickstart/201-azfw-with-avzones/outputs.tf
new file mode 100644
index 000000000..3d6f89a11
--- /dev/null
+++ b/quickstart/201-azfw-with-avzones/outputs.tf
@@ -0,0 +1,7 @@
+output "resource_group_name" {
+ value = azurerm_resource_group.rg.name
+}
+
+output "firewall_name" {
+ value = azurerm_firewall.fw.name
+}
\ No newline at end of file
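Review bot: The `Allow-TCP` rule on `vm_jump_nsg` admits inbound TCP/3389 from `source_address_prefix = "*"`, and `vm_jump_nic` carries the public IP `vm_jump_pip`, so once this applies the jump VM's RDP endpoint is reachable from any Internet address. The source should be narrowed to the operator's address, for example by adding an input variable with no default (say `allowed_rdp_source_cidr`) and setting `source_address_prefix = var.allowed_rdp_source_cidr`, or at minimum by stating in readme.md that the prefix must be tightened before deployment. Separately, the route table association is labelled `jump_subnet_rt_association` but attaches `azurerm_subnet.server_subnet.id`; the subnet matches the readme (the UDR is for server-subnet), so the label is the misleading part and should read `resource "azurerm_subnet_route_table_association" "server_subnet_rt_association" {`. The network rule's `destination_ports = ["8000", "8999"]` reads as two single ports rather than a range; if a range was intended it would be `destination_ports = ["8000-8999"]`, which is worth confirming.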
diff --git a/quickstart/201-azfw-with-avzones/providers.tf b/quickstart/201-azfw-with-avzones/providers.tf
new file mode 100644
index 000000000..7261b1fb4
--- /dev/null
+++ b/quickstart/201-azfw-with-avzones/providers.tf
@@ -0,0 +1,16 @@
+terraform {
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = "~>3.0"
+ }
+ random = {
+ source = "hashicorp/random"
+ version = "~>3.0"
+ }
+ }
+}
+
+provider "azurerm" {
+ features {}
+}
\ No newline at end of file
diff --git a/quickstart/201-azfw-with-avzones/readme.md b/quickstart/201-azfw-with-avzones/readme.md
new file mode 100644
index 000000000..f795edf7d
--- /dev/null
+++ b/quickstart/201-azfw-with-avzones/readme.md
@@ -0,0 +1,41 @@
+# Deploying Azure Firewall in Availability Zones
+
+This template deploys a test network environment with [Azure Firewall](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/firewall) in Availability Zones. The network has one virtual network (VNet) with three subnets: AzureFirewallSubnet, server_subnet, and jump_subnet. The server-subnet and jump-subnet subnet each have a single, two-core Windows Server virtual machine.
+
+The firewall is in the AzureFirewallSubnet subnet, and has an application rule collection with a single rule that allows access to www.microsoft.com.
+
+A user-defined route points network traffic from the server-subnet through the firewall, where the firewall rules are applied.
+
+
+
+## Terraform resource types
+
+- [azurerm_resource_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group)
+- [azurerm_virtual_network](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_network)
+- [azurerm_subnet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet)
+- [azurerm_public_ip](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/public_ip)
+- [azurerm_firewall_policy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/firewall_policy)
+- [azurerm_firewall_policy_rule_collection_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/firewall_policy_rule_collection_group)
+- [azurerm_firewall](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/firewall)
+- [azurerm_network_interface](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_interface)
+- [azurerm_network_security_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_security_group)
+- [azurerm_network_interface_security_group_association](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_interface_security_group_association)
+- [azurerm_route_table](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/route_table)
+- [azurerm_subnet_route_table_association](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet_route_table_association)
+- [azurerm_windows_virtual_machine](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/windows_virtual_machine)
+- [azurerm_storage_account](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account)
+- [random_password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password)
+- [random_pet](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet)
+- [random_string](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string)
+
+## Variables
+
+| Name | Description | Default value |
+|-|-|-|
+| `resource_group_location` | Location of the resource group | eastus |
+| `firewall_sku_tier` | SKU size for your Firewall and Firewall Policy. Possible values: Standard, Premium | Premium |
+| `resource_group_name_prefix` | Prefix of the resource group name that's combined with a random ID so that name is unique in your Azure subscription. | rg |
+| `virtual_machine_size` | SKU size for your jump and workload VMs | Standard_D2_v3 |
+| `admin_username` | The admin username for the jump and workload VMs | azureuser |
+
+## Example
\ No newline at end of file
diff --git a/quickstart/201-azfw-with-avzones/variables.tf b/quickstart/201-azfw-with-avzones/variables.tf
new file mode 100644
index 000000000..549583d20
--- /dev/null
+++ b/quickstart/201-azfw-with-avzones/variables.tf
@@ -0,0 +1,33 @@
+variable "resource_group_location" {
+ type = string
+ description = "Location for all resources."
+ default = "eastus"
+}
+
+variable "resource_group_name_prefix" {
+ type = string
+ description = "Prefix for the Resource Group Name that's combined with a random id so name is unique in your Azure subcription."
+ default = "rg"
+}
+
+variable "firewall_sku_tier" {
+ type = string
+ description = "Firewall SKU."
+ default = "Premium" # Valid values are Standard and Premium
+ validation {
+ condition = contains(["Standard", "Premium"], var.firewall_sku_tier)
+ error_message = "The SKU must be one of the following: Standard, Premium"
+ }
+}
+
+variable "virtual_machine_size" {
+ type = string
+ description = "Size of the virtual machine."
+ default = "Standard_D2_v3"
+}
+
+variable "admin_username" {
+ type = string
+ description = "Value of the admin username."
+ default = "azureuser"
+}
\ No newline at end of file
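Review bot: The description of `resource_group_name_prefix` misspells "subscription" as "subcription"; the line should read `description = "Prefix for the Resource Group Name that's combined with a random id so name is unique in your Azure subscription."`. The `firewall_sku_tier` description ("Firewall SKU.") says less than the trailing comment on the `default` line and the `validation` block already enforce; folding the allowed values into it, `description = "SKU tier for the Firewall and Firewall Policy. Valid values: Standard, Premium."`, keeps the generated variable documentation and the readme table in agreement and makes the inline comment redundant.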