Diffstat (limited to 'Terraform/Azure/Site-to-Site-BGP')
-rw-r--r--Terraform/Azure/Site-to-Site-BGP/diagram/VyOS-instance-on-Azure.pngbin0 -> 28918 bytes
-rw-r--r--Terraform/Azure/Site-to-Site-BGP/files/on_prem_vyos_instance.conf58
-rw-r--r--Terraform/Azure/Site-to-Site-BGP/files/vyos_01_user_data.tpl57
-rw-r--r--Terraform/Azure/Site-to-Site-BGP/main.tf59
-rw-r--r--Terraform/Azure/Site-to-Site-BGP/outputs.tf12
-rw-r--r--Terraform/Azure/Site-to-Site-BGP/provider.tf18
-rw-r--r--Terraform/Azure/Site-to-Site-BGP/readme.md78
-rw-r--r--Terraform/Azure/Site-to-Site-BGP/security_groups.tf97
-rw-r--r--Terraform/Azure/Site-to-Site-BGP/variables.tf113
-rw-r--r--Terraform/Azure/Site-to-Site-BGP/virtual_networks.tf107
10 files changed, 599 insertions, 0 deletions
diff --git a/Terraform/Azure/Site-to-Site-BGP/diagram/VyOS-instance-on-Azure.png b/Terraform/Azure/Site-to-Site-BGP/diagram/VyOS-instance-on-Azure.png
new file mode 100644
index 0000000..03b9b30
--- /dev/null
+++ b/Terraform/Azure/Site-to-Site-BGP/diagram/VyOS-instance-on-Azure.png
Binary files differ
diff --git a/Terraform/Azure/Site-to-Site-BGP/files/on_prem_vyos_instance.conf b/Terraform/Azure/Site-to-Site-BGP/files/on_prem_vyos_instance.conf
new file mode 100644
index 0000000..e29dff6
--- /dev/null
+++ b/Terraform/Azure/Site-to-Site-BGP/files/on_prem_vyos_instance.conf
@@ -0,0 +1,58 @@
+#On Prem VyOS instance configuration example
+set system host-name 'VyOS-02'
+set system login banner pre-login 'Welcome to the VyOS on Azure'
+set interfaces ethernet eth0 description 'OUTSIDE'
+set interfaces ethernet eth1 description 'INSIDE'
+set system name-server '<DNS IP>'
+set system name-server '<DNS IP>'
+set service dns forwarding name-server '<DNS IP>'
+set service dns forwarding listen-address '<VyOS_Priv_NIC_IP>'
+set service dns forwarding allow-from '<On_Prem_Priv_Subnet_Prefix>'
+set service dns forwarding no-serve-rfc1918
+set nat source rule 10 outbound-interface name 'eth0'
+set nat source rule 10 source address '<On_Prem_Priv_Subnet_Prefix>'
+set nat source rule 10 translation address 'masquerade'
+set vpn ipsec interface 'eth0'
+set vpn ipsec esp-group AZURE lifetime '3600'
+set vpn ipsec esp-group AZURE mode 'tunnel'
+set vpn ipsec esp-group AZURE pfs 'dh-group2'
+set vpn ipsec esp-group AZURE proposal 1 encryption 'aes256'
+set vpn ipsec esp-group AZURE proposal 1 hash 'sha1'
+set vpn ipsec ike-group AZURE dead-peer-detection action 'restart'
+set vpn ipsec ike-group AZURE dead-peer-detection interval '15'
+set vpn ipsec ike-group AZURE dead-peer-detection timeout '30'
+set vpn ipsec ike-group AZURE ikev2-reauth
+set vpn ipsec ike-group AZURE key-exchange 'ikev2'
+set vpn ipsec ike-group AZURE lifetime '28800'
+set vpn ipsec ike-group AZURE proposal 1 dh-group '2'
+set vpn ipsec ike-group AZURE proposal 1 encryption 'aes256'
+set vpn ipsec ike-group AZURE proposal 1 hash 'sha1'
+set vpn ipsec ike-group AZURE close-action start
+set vpn ipsec option disable-route-autoinstall
+set vpn ipsec interface 'eth0'
+set interfaces vti vti1 address '10.2.100.11/32'
+set interfaces vti vti1 description 'Azure Tunnel to VyOS 01'
+set interfaces vti vti1 ip adjust-mss '1350'
+set protocols static route 10.1.100.11/32 interface vti1
+set vpn ipsec authentication psk VyOS id '<Azure_VyOS_Instance_Public_IP_Address>'
+set vpn ipsec authentication psk VyOS id '<On_Prem_VyOS_Instance_Public_IP_Address>'
+set vpn ipsec authentication psk VyOS secret 'ch00s3-4-s3cur3-psk'
+set vpn ipsec site-to-site peer VyOS-01 authentication local-id '<On_Prem_VyOS_Instance_Public_IP_Address>'
+set vpn ipsec site-to-site peer VyOS-01 authentication mode 'pre-shared-secret'
+set vpn ipsec site-to-site peer VyOS-01 authentication remote-id '<Azure_VyOS_Instance_Public_IP_Address>'
+set vpn ipsec site-to-site peer VyOS-01 connection-type 'initiate'
+set vpn ipsec site-to-site peer VyOS-01 description 'AZURE TUNNEL to 01'
+set vpn ipsec site-to-site peer VyOS-01 ike-group 'AZURE'
+set vpn ipsec site-to-site peer VyOS-01 ikev2-reauth 'inherit'
+set vpn ipsec site-to-site peer VyOS-01 local-address '<On_Prem_VyOS_Instance_Public_IP_Address>'
+set vpn ipsec site-to-site peer VyOS-01 remote-address '<Azure_VyOS_Instance_Public_IP_Address>'
+set vpn ipsec site-to-site peer VyOS-01 vti bind 'vti1'
+set vpn ipsec site-to-site peer VyOS-01 vti esp-group 'AZURE'
+set protocols bgp system-as '<On_Prem_Net_BGP_AS_Number>'
+set protocols bgp address-family ipv4-unicast network '<On_Prem_Net_Subnet_Prefix>'
+set protocols bgp neighbor 10.1.100.11 remote-as '<Azure_Net_BGP_AS_Number>'
+set protocols bgp neighbor 10.1.100.11 address-family ipv4-unicast soft-reconfiguration inbound
+set protocols bgp neighbor 10.1.100.11 timers holdtime '30'
+set protocols bgp neighbor 10.1.100.11 timers keepalive '10'
+set protocols bgp neighbor 10.1.100.11 disable-connected-check
+ \ No newline at end of file
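Review bot: Both proposal sets in this example rely on SHA-1 and the 1024-bit MODP group — `esp-group AZURE pfs 'dh-group2'`, `esp-group AZURE proposal 1 hash 'sha1'`, `ike-group AZURE proposal 1 dh-group '2'` and `ike-group AZURE proposal 1 hash 'sha1'` — which are below current guidance for IKEv2 and undercut the AES-256 choice on the same lines. Since IKEv2 is already selected, I would raise both groups to at least `hash 'sha256'` and `dh-group '14'` (with `pfs 'dh-group14'` on the ESP group); the Azure-side template in this same change uses identical values and must be edited in lockstep or the tunnel will not negotiate. The two `set system name-server '<DNS IP>'` lines are identical placeholders, so one of them should be a distinct value or be dropped. The PSK literal `ch00s3-4-s3cur3-psk` is shared with the Azure template and should be regenerated per deployment rather than copied from the example.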
diff --git a/Terraform/Azure/Site-to-Site-BGP/files/vyos_01_user_data.tpl b/Terraform/Azure/Site-to-Site-BGP/files/vyos_01_user_data.tpl
new file mode 100644
index 0000000..a814454
--- /dev/null
+++ b/Terraform/Azure/Site-to-Site-BGP/files/vyos_01_user_data.tpl
@@ -0,0 +1,57 @@
+#cloud-config
+vyos_config_commands:
+ - set system host-name 'VyOS-01'
+ - set system login banner pre-login 'Welcome to the VyOS on Azure'
+ - set interfaces ethernet eth0 description 'OUTSIDE'
+ - set interfaces ethernet eth1 description 'INSIDE'
+ - set system name-server '${dns_1}'
+ - set system name-server '${dns_2}'
+ - set service dns forwarding name-server '${dns_1}'
+ - set service dns forwarding listen-address '${vyos_01_priv_nic_ip}'
+ - set service dns forwarding allow-from '${vnet_01_priv_subnet_prefix}'
+ - set service dns forwarding no-serve-rfc1918
+ - set nat source rule 10 outbound-interface name 'eth0'
+ - set nat source rule 10 source address '${vnet_01_priv_subnet_prefix}'
+ - set nat source rule 10 translation address 'masquerade'
+ - set vpn ipsec interface 'eth0'
+ - set vpn ipsec esp-group AZURE lifetime '3600'
+ - set vpn ipsec esp-group AZURE mode 'tunnel'
+ - set vpn ipsec esp-group AZURE pfs 'dh-group2'
+ - set vpn ipsec esp-group AZURE proposal 1 encryption 'aes256'
+ - set vpn ipsec esp-group AZURE proposal 1 hash 'sha1'
+ - set vpn ipsec ike-group AZURE dead-peer-detection action 'restart'
+ - set vpn ipsec ike-group AZURE dead-peer-detection interval '15'
+ - set vpn ipsec ike-group AZURE dead-peer-detection timeout '30'
+ - set vpn ipsec ike-group AZURE ikev2-reauth
+ - set vpn ipsec ike-group AZURE key-exchange 'ikev2'
+ - set vpn ipsec ike-group AZURE lifetime '28800'
+ - set vpn ipsec ike-group AZURE proposal 1 dh-group '2'
+ - set vpn ipsec ike-group AZURE proposal 1 encryption 'aes256'
+ - set vpn ipsec ike-group AZURE proposal 1 hash 'sha1'
+ - set vpn ipsec ike-group AZURE close-action start
+ - set vpn ipsec option disable-route-autoinstall
+ - set interfaces vti vti1 address '10.1.100.11/32'
+ - set interfaces vti vti1 description 'Tunnel VyOS 02'
+ - set interfaces vti vti1 ip adjust-mss '1350'
+ - set protocols static route 10.2.100.11/32 interface vti1
+ - set vpn ipsec authentication psk VyOS id '${public_ip_address_01}'
+ - set vpn ipsec authentication psk VyOS id '${on_prem_public_ip_address}'
+ - set vpn ipsec authentication psk VyOS secret 'ch00s3-4-s3cur3-psk'
+ - set vpn ipsec site-to-site peer VyOS-02 authentication local-id '${public_ip_address_01}'
+ - set vpn ipsec site-to-site peer VyOS-02 authentication mode 'pre-shared-secret'
+ - set vpn ipsec site-to-site peer VyOS-02 authentication remote-id '${on_prem_public_ip_address}'
+ - set vpn ipsec site-to-site peer VyOS-02 connection-type 'none'
+ - set vpn ipsec site-to-site peer VyOS-02 description 'AZURE TUNNEL to VyOS on NET 02'
+ - set vpn ipsec site-to-site peer VyOS-02 ike-group 'AZURE'
+ - set vpn ipsec site-to-site peer VyOS-02 ikev2-reauth 'inherit'
+ - set vpn ipsec site-to-site peer VyOS-02 local-address '${vyos_01_pub_nic_ip}'
+ - set vpn ipsec site-to-site peer VyOS-02 remote-address '${on_prem_public_ip_address}'
+ - set vpn ipsec site-to-site peer VyOS-02 vti bind 'vti1'
+ - set vpn ipsec site-to-site peer VyOS-02 vti esp-group 'AZURE'
+ - set protocols bgp system-as '${vnet_01_bgp_as_number}'
+ - set protocols bgp address-family ipv4-unicast network ${vnet_01_priv_subnet_prefix}
+ - set protocols bgp neighbor 10.2.100.11 remote-as '${on_prem_bgp_as_number}'
+ - set protocols bgp neighbor 10.2.100.11 address-family ipv4-unicast soft-reconfiguration inbound
+ - set protocols bgp neighbor 10.2.100.11 timers holdtime '30'
+ - set protocols bgp neighbor 10.2.100.11 timers keepalive '10'
+ - set protocols bgp neighbor 10.2.100.11 disable-connected-check
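Review bot: The IPsec pre-shared key on the `set vpn ipsec authentication psk VyOS secret 'ch00s3-4-s3cur3-psk'` line is a fixed literal in the cloud-init template, while every other site-specific value is injected through `${...}` from Terraform; anyone holding the published example, or with read access to the VM's custom data (and presumably the Terraform state, where `custom_data` is rendered), has the key for the tunnel. Inject it like the other parameters, `- set vpn ipsec authentication psk VyOS secret '${ipsec_psk}'`, fed from a Terraform variable declared `sensitive = true` with no default. The proposal settings (`hash 'sha1'`, `dh-group '2'`, `pfs 'dh-group2'`) are weak by today's standards and need to be changed together with the on-prem example in this change, which uses the same values. The BGP `network ${vnet_01_priv_subnet_prefix}` line is the only command without quotes around its argument; quoting it keeps it consistent with the rest of the file.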
diff --git a/Terraform/Azure/Site-to-Site-BGP/main.tf b/Terraform/Azure/Site-to-Site-BGP/main.tf
new file mode 100644
index 0000000..0f7ebc8
--- /dev/null
+++ b/Terraform/Azure/Site-to-Site-BGP/main.tf
@@ -0,0 +1,59 @@
+
+
+# --------------------------- VyOS 01 --------------------------------------
+# Net 01 VyOS 01 instance
+resource "azurerm_virtual_machine" "net_01_VyOS_01" {
+ name = join("-", [var.prefix, "VyOS", "01"])
+ location = var.location
+ resource_group_name = var.resource_group
+ vm_size = var.vm_size
+ tags = var.tags
+
+ network_interface_ids = [azurerm_network_interface.azure_vnet_01_vyos_01_nic_pub.id, azurerm_network_interface.azure_vnet_01_vyos_01_nic_priv.id]
+ primary_network_interface_id = azurerm_network_interface.azure_vnet_01_vyos_01_nic_pub.id
+ delete_os_disk_on_termination = "true"
+
+ plan {
+ publisher = var.image_publisher
+ name = var.image_sku
+ product = var.image_offer
+ }
+
+ storage_image_reference {
+ publisher = var.image_publisher
+ offer = var.image_offer
+ sku = var.image_sku
+ version = var.image_version
+ }
+
+ storage_os_disk {
+ name = join("_", [var.prefix, "VyOS", "01", "osdisk"])
+ managed_disk_type = "Standard_LRS"
+ caching = "ReadWrite"
+ create_option = "FromImage"
+ }
+
+ os_profile {
+ computer_name = join("-", [var.prefix, "VyOS", "01"])
+ admin_username = var.admin_username
+ admin_password = var.admin_password
+ custom_data = base64encode(templatefile("${path.module}/files/vyos_01_user_data.tpl", {
+ vnet_01_priv_subnet_prefix = var.vnet_01_priv_subnet_prefix,
+ public_ip_address_01 = azurerm_public_ip.azure_vnet_01_public_address.ip_address,
+ on_prem_public_ip_address = var.on_prem_public_ip_address,
+ vyos_01_pub_nic_ip = azurerm_network_interface.azure_vnet_01_vyos_01_nic_pub.private_ip_address,
+ vyos_01_priv_nic_ip = azurerm_network_interface.azure_vnet_01_vyos_01_nic_priv.private_ip_address,
+ dns_1 = var.dns_1,
+ dns_2 = var.dns_2,
+ vnet_01_bgp_as_number = var.vnet_01_bgp_as_number,
+ on_prem_bgp_as_number = var.on_prem_bgp_as_number
+ }))
+ }
+
+ depends_on = [azurerm_network_interface.azure_vnet_01_vyos_01_nic_priv,
+ azurerm_network_interface.azure_vnet_01_vyos_01_nic_pub]
+
+ os_profile_linux_config {
+ disable_password_authentication = false
+ }
+}
diff --git a/Terraform/Azure/Site-to-Site-BGP/outputs.tf b/Terraform/Azure/Site-to-Site-BGP/outputs.tf
new file mode 100644
index 0000000..2a0b0e9
--- /dev/null
+++ b/Terraform/Azure/Site-to-Site-BGP/outputs.tf
@@ -0,0 +1,12 @@
+# Management information
+output "Admin_Username" {
+ value = var.admin_username
+}
+output "Admin_Password" {
+ value = var.admin_password
+}
+
+# IP Address configuration
+output "VyOS_01_Public_IP_Address" {
+ value = azurerm_public_ip.azure_vnet_01_public_address.ip_address
+}
diff --git a/Terraform/Azure/Site-to-Site-BGP/provider.tf b/Terraform/Azure/Site-to-Site-BGP/provider.tf
new file mode 100644
index 0000000..09a6225
--- /dev/null
+++ b/Terraform/Azure/Site-to-Site-BGP/provider.tf
@@ -0,0 +1,18 @@
+terraform {
+ required_version = ">=1.2"
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = ">=3.99.0"
+ }
+ }
+}
+
+provider "azurerm" {
+ features {
+ resource_group {
+ prevent_deletion_if_contains_resources = false
+ }
+ }
+}
+
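Review bot: `version = ">=3.99.0"` has no upper bound, so a fresh `terraform init` will pull whatever azurerm major release is newest, and the legacy `azurerm_virtual_machine` resource and the `features` layout used here may break or change semantics without any edit to this module; pin it with a pessimistic constraint, `version = "~> 3.99"`, and commit the dependency lock file. `prevent_deletion_if_contains_resources = false` turns off the guard against destroying a resource group that still contains resources; since the resource group is created outside this module per the readme, the setting appears to have no effect here, and leaving it out avoids it being copied into a configuration that does manage resource groups.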
diff --git a/Terraform/Azure/Site-to-Site-BGP/readme.md b/Terraform/Azure/Site-to-Site-BGP/readme.md
new file mode 100644
index 0000000..0137080
--- /dev/null
+++ b/Terraform/Azure/Site-to-Site-BGP/readme.md
@@ -0,0 +1,78 @@
+# VyOS instance (NVA) on Azure (with Site to Site VPN, Static/Dynamic (BGP), NAT, DNS forwarding options)
+
+This Terraform module deploys a VyOS instance (NVA) on Azure. All necessary parameters will be configured automatically, and you will receive management and access information from outputs.
+This is the connection diagram:
+![Infrastructure Diagram](diagram/VyOS-instance-on-Azure.png)
+
+The module consists of different files containing necessary resources and variables:
+
+- `provider.tf`: Each resource in the configuration must be associated with one provider configuration. Provider configurations, unlike most other concepts in Terraform, are global to an entire Terraform configuration and can be shared across module boundaries.
+
+- `variables.tf`: Access information, network parameters, VyOS image parameters, and virtual network parameters are defined here. You may edit/change these parameters based on your requirements. **Note:** After editing IP addresses inside `variables.tf`, check `files/vyos_01_user_data.tpl` file as well. All necessary configurations are based on this file.
+
+- `security_groups.tf`: Security groups are one of the most important pillars that support vNET security. They are software-defined network firewalls defined inside a vNet that allow or deny traffic to resources based on the inbound and outbound rules. They support stateful Layer 3 (Network layer) and Layer 4 (Transport layer) filtering capabilities.
+
+- `virtual_networks.tf`: All network resources such as Virtual Network, Subnets, Network Interface Cards, Public IP Address, Routing Table contains in this file.
+
+- `main.tf`: Contains the resource definitions for the VyOS VM (NVA).
+
+- `files/vyos_01_user_data.tpl` : All necessary configurations of the VyOS instance have been defined in this file based on the VyOS CLI reference.
+
+- `files/on_prem_vyos_instance.conf`: Contains the configuration for the on-premise VyOS instance, which can serve as a reference when setting up a site-to-site VPN with the Azure VyOS instance.
+
+- `outputs.tf`: Will contain the output definitions for the module, such as access data, Public IP Address of the VyOS instances, etc.
+
+## Prerequisites
+
+Before applying this module, ensure you have:
+
+- An active Azure subscription:
+ ```sh
+ az account set --subscription "<subscription ID or name>"
+ ```
+
+- Azure CLI installed. [Installation link](https://learn.microsoft.com/en-us/cli/azure/install-azure-cli)
+
+- Logged in with Azure credentials via CLI:
+ ```sh
+ az version
+ az login
+ ```
+
+- Azure Resource Group (RG) created:
+ ```sh
+ az group create --name demoResourceGroup --location westus
+ az group list
+ az group show --name exampleGroup
+ ```
+
+- Terraform installed. [Installation link](https://developer.hashicorp.com/terraform/tutorials/aws-get-started/install-cli)
+
+## Usage
+
+### Setup Variables
+
+All variables needed for customization are defined in `variables.tf`. Adjust them according to your infrastructure requirements.
+
+### Implementation Process
+
+1. Run `terraform fmt` to format the structure.
+2. Execute `terraform validate` to perform a syntax check.
+3. Use `terraform plan` to preview the infrastructure changes before applying.
+4. Run `terraform apply` to apply the script and provision the infrastructure.
+5. Use `terraform output` to view the management IP and credentials for the VyOS instance.
+6. To destroy the infrastructure, execute `terraform destroy`.
+
+### Management
+
+For management, use the `VyOS_01_Public_IP_Address` and VyOS credentials from `outputs`.
+
+Sample command: `ssh vyos@<VyOS_01_Public_IP_Address>`
+
+### Note
+
+Ensure that you have appropriate permissions and configurations set up in your Azure environment before executing the Terraform commands.
+
+Feel free to modify the script to suit your specific testing needs.
+
+For further assistance or customization, refer to the VyOS, Terraform, and Azure documentation. \ No newline at end of file
diff --git a/Terraform/Azure/Site-to-Site-BGP/security_groups.tf b/Terraform/Azure/Site-to-Site-BGP/security_groups.tf
new file mode 100644
index 0000000..200e7df
--- /dev/null
+++ b/Terraform/Azure/Site-to-Site-BGP/security_groups.tf
@@ -0,0 +1,97 @@
+resource "azurerm_network_security_group" "VyOS" {
+ name = join("-", [var.prefix, "VyOS", "SG"])
+ location = var.location
+ resource_group_name = var.resource_group
+ tags = var.tags
+
+ # For SSH Traffic
+ security_rule {
+ name = "SSH"
+ priority = 101
+ direction = "Inbound"
+ access = "Allow"
+ protocol = "Tcp"
+ source_port_range = "*"
+ destination_port_range = "22"
+ source_address_prefix = "*"
+ destination_address_prefix = "*"
+ }
+
+ # For Wireguard Traffic
+ security_rule {
+ name = "Wireguard"
+ priority = 102
+ direction = "Inbound"
+ access = "Allow"
+ protocol = "Udp"
+ source_port_range = "*"
+ destination_port_range = "51820"
+ source_address_prefix = "*"
+ destination_address_prefix = "*"
+ }
+
+ # For OpenVPN Traffic
+ security_rule {
+ name = "OpenVPN"
+ priority = 103
+ direction = "Inbound"
+ access = "Allow"
+ protocol = "Udp"
+ source_port_range = "*"
+ destination_port_range = "1194"
+ source_address_prefix = "*"
+ destination_address_prefix = "*"
+ }
+
+ # For ESP Traffic
+ security_rule {
+ name = "ESP"
+ priority = 104
+ direction = "Inbound"
+ access = "Allow"
+ protocol = "Esp"
+ source_port_range = "*"
+ destination_port_range = "*"
+ source_address_prefix = "*"
+ destination_address_prefix = "*"
+ }
+
+ # For IKE Traffic
+ security_rule {
+ name = "IKE"
+ priority = 105
+ direction = "Inbound"
+ access = "Allow"
+ protocol = "Udp"
+ source_port_range = "*"
+ destination_port_range = "500"
+ source_address_prefix = "*"
+ destination_address_prefix = "*"
+ }
+
+ # For IPSEC Traffic
+ security_rule {
+ name = "IPSEC"
+ priority = 106
+ direction = "Inbound"
+ access = "Allow"
+ protocol = "Udp"
+ source_port_range = "*"
+ destination_port_range = "1701"
+ source_address_prefix = "*"
+ destination_address_prefix = "*"
+ }
+
+ # For NAT Traversal
+ security_rule {
+ name = "NAT_Traversal"
+ priority = 107
+ direction = "Inbound"
+ access = "Allow"
+ protocol = "Udp"
+ source_port_range = "*"
+ destination_port_range = "4500"
+ source_address_prefix = "*"
+ destination_address_prefix = "*"
+ }
+} \ No newline at end of file
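Review bot: Every inbound rule uses `source_address_prefix = "*"`, which together with the `SSH` rule on port 22 exposes the appliance's management plane to the whole internet; SSH should be limited to a management prefix (`source_address_prefix = var.management_cidr`), and the `IKE`, `NAT_Traversal` and `ESP` rules can be limited to `var.on_prem_public_ip_address`, the only peer configured in the user-data template. The `Wireguard` (51820), `OpenVPN` (1194) and port-1701 rules open services that nothing in this change configures and should be removed until they are needed. The rule named `IPSEC` on UDP 1701 is actually L2TP — IPsec itself is already covered by the IKE, ESP and NAT_Traversal rules — so either the name or the rule is wrong. A one-line comment noting that this NSG is attached only to the public NIC (the association lives in `virtual_networks.tf`) would help the next reader understand the intended filtering boundary.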
diff --git a/Terraform/Azure/Site-to-Site-BGP/variables.tf b/Terraform/Azure/Site-to-Site-BGP/variables.tf
new file mode 100644
index 0000000..806aa6e
--- /dev/null
+++ b/Terraform/Azure/Site-to-Site-BGP/variables.tf
@@ -0,0 +1,113 @@
+# General Variables
+
+variable "location" {
+ description = "The region where all resources will deploy"
+ default = "LOCATION EXAMPLE: West Europe"
+}
+
+variable "resource_group" {
+ description = "The name of your Azure Resource Group."
+ default = "<YOUR RESOURCE GROUP>"
+}
+
+variable "vm_size" {
+ description = "Specifies the size of the virtual machine."
+ default = "Standard_B2s"
+}
+
+variable "tags" {
+ description = "A map of tags to add to all resources"
+ type = map(string)
+ default = {
+ environment = "Test"
+ project = "VyOS sample VPN"
+ owner = "VyOS Networks"
+ created-by = "Terraform"
+ }
+}
+
+variable "prefix" {
+ default = "VPN-Instance"
+}
+
+variable "dns_1" {
+ default = "8.8.8.8"
+}
+
+variable "dns_2" {
+ default = "8.8.4.4"
+}
+
+# -----------------------------------------------------------------
+# Variables related credentials
+variable "admin_username" {
+ description = "Administrator user name"
+ default = "vyos"
+}
+
+variable "admin_password" {
+ description = "Administrator password"
+ default = "<ADMIN PASSWORD>"
+}
+
+# -----------------------------------------------------------------
+# Variables related image selection
+
+variable "image_publisher" {
+ description = "Name of the publisher of the image (az vm image list)"
+ default = "sentriumsl"
+}
+
+variable "image_offer" {
+ description = "Name of the offer (az vm image list)"
+ default = "vyos-1-2-lts-on-azure"
+}
+
+variable "image_sku" {
+ description = "Image SKU to apply (az vm image list)"
+ default = "vyos-1-3"
+}
+
+variable "image_version" {
+ description = "Version of the image to apply (az vm image list)"
+ default = "1.4.0"
+}
+
+# -----------------------------------------------------
+# Variables related Virtual Networks
+
+# VNet 01
+
+variable "vnet_01_name" {
+ description = "The name for your virtual network."
+ default = "Net-01"
+}
+
+variable "vnet_01_address_prefix" {
+ description = "The address space that is used by the virtual network."
+ default = "10.1.0.0/16"
+}
+
+variable "vnet_01_priv_subnet_prefix" {
+ description = "The address prefix to use for the subnet."
+ default = "10.1.1.0/24"
+}
+
+variable "vnet_01_pub_subnet_prefix" {
+ description = "The address prefix to use for the subnet."
+ default = "10.1.11.0/24"
+}
+
+variable "vnet_01_bgp_as_number" {
+ default = "65001"
+}
+
+# On Prem Data Center
+
+variable "on_prem_bgp_as_number" {
+ default = "65002"
+}
+
+variable "on_prem_public_ip_address" {
+ default = "192.0.2.1"
+}
diff --git a/Terraform/Azure/Site-to-Site-BGP/virtual_networks.tf b/Terraform/Azure/Site-to-Site-BGP/virtual_networks.tf
new file mode 100644
index 0000000..5398da2
--- /dev/null
+++ b/Terraform/Azure/Site-to-Site-BGP/virtual_networks.tf
@@ -0,0 +1,107 @@
+# vNET Creation
+resource "azurerm_virtual_network" "azure_vnet_01" {
+ name = join("-", [var.prefix, var.vnet_01_name])
+ address_space = [var.vnet_01_address_prefix]
+ location = var.location
+ resource_group_name = var.resource_group
+ depends_on = [
+ var.resource_group
+ ]
+ tags = var.tags
+}
+
+# Net 01 Subnet Private
+resource "azurerm_subnet" "azure_vnet_01_priv_subnet" {
+ name = join("-", [var.prefix, var.vnet_01_name, "priv"])
+ resource_group_name = var.resource_group
+ address_prefixes = [var.vnet_01_priv_subnet_prefix]
+ virtual_network_name = azurerm_virtual_network.azure_vnet_01.name
+}
+
+# Net 01 Subnet Public
+resource "azurerm_subnet" "azure_vnet_01_pub_subnet" {
+ name = join("-", [var.prefix, var.vnet_01_name, "pub"])
+ resource_group_name = var.resource_group
+ address_prefixes = [var.vnet_01_pub_subnet_prefix]
+ virtual_network_name = azurerm_virtual_network.azure_vnet_01.name
+}
+
+# Public Address
+resource "azurerm_public_ip" "azure_vnet_01_public_address" {
+ name = join("-", [var.prefix, var.vnet_01_name, "public", "IP"])
+ location = var.location
+ resource_group_name = var.resource_group
+ sku = "Standard"
+ allocation_method = "Static"
+ idle_timeout_in_minutes = "30"
+ tags = var.tags
+}
+
+# VyOS Route Table
+resource "azurerm_route_table" "azure_vnet_01_vyos_01_route" {
+ name = join("-", [var.prefix, var.vnet_01_name, "VyOS", "01", "route"])
+ resource_group_name = var.resource_group
+ location = var.location
+ disable_bgp_route_propagation = false
+ tags = var.tags
+
+ route {
+ name = "Default"
+ address_prefix = "0.0.0.0/0"
+ next_hop_type = "VirtualAppliance"
+ next_hop_in_ip_address = azurerm_network_interface.azure_vnet_01_vyos_01_nic_priv.private_ip_address
+ }
+}
+
+# Assosiate route table to subnet
+resource "azurerm_subnet_route_table_association" "azure_vnet_vpn_net_assosiation_01" {
+ subnet_id = azurerm_subnet.azure_vnet_01_priv_subnet.id
+ route_table_id = azurerm_route_table.azure_vnet_01_vyos_01_route.id
+}
+
+# --------------------------- Network Interface Cards ------------------------
+
+# VyOS-01 Pub-NIC
+resource "azurerm_network_interface" "azure_vnet_01_vyos_01_nic_pub" {
+ name = join("-", [var.prefix, var.vnet_01_name, "VyOS", "01", "pub", "NIC"])
+ location = var.location
+ resource_group_name = var.resource_group
+ enable_ip_forwarding = true
+ tags = var.tags
+
+ ip_configuration {
+ name = "external-01"
+ subnet_id = azurerm_subnet.azure_vnet_01_pub_subnet.id
+ private_ip_address_allocation = "Dynamic"
+ public_ip_address_id = azurerm_public_ip.azure_vnet_01_public_address.id
+ }
+
+ depends_on = [
+ azurerm_virtual_network.azure_vnet_01
+ ]
+}
+
+# VyOS-01 Priv-NIC
+resource "azurerm_network_interface" "azure_vnet_01_vyos_01_nic_priv" {
+ name = join("-", [var.prefix, var.vnet_01_name, "VyOS", "01", "priv", "NIC"])
+ location = var.location
+ resource_group_name = var.resource_group
+ enable_ip_forwarding = true
+ tags = var.tags
+
+ ip_configuration {
+ name = "internal-01"
+ subnet_id = azurerm_subnet.azure_vnet_01_priv_subnet.id
+ private_ip_address_allocation = "Dynamic"
+ }
+
+ depends_on = [
+ azurerm_virtual_network.azure_vnet_01
+ ]
+}
+
+# VyOS 01 Security Group Assosiation
+resource "azurerm_network_interface_security_group_association" "azure_vnet_01_vyos_01_pub_attach" {
+ network_interface_id = azurerm_network_interface.azure_vnet_01_vyos_01_nic_pub.id
+ network_security_group_id = azurerm_network_security_group.VyOS.id
+}