This module deploys a hub network using the Microsoft recommended Hub-Spoke network topology. Usually, only one hub in each region with multiple spokes and each of them can also be in separate subscriptions.
This is designed to quickly deploy hub and spoke architecture in the azure and further security hardening would be recommend to add appropriate NSG rules to use this for any production workloads.
module "vnet-hub" {
source = "github.com/tietoevry-infra-as-code/terraform-azurerm-caf-vnet-hub?ref=v2.0.0"
# By default, this module will create a resource group, proivde the name here
# to use an existing resource group, specify the existing resource group name,
# and set the argument to `create_resource_group = false`. Location will be same as existing RG.
resource_group_name = "rg-hub-shared-westeurope-002"
location = "westeurope"
hub_vnet_name = "default-hub"
# Provide valid VNet Address space and specify valid domain name for Private DNS Zone.
vnet_address_space = ["10.1.0.0/16"]
gateway_subnet_address_prefix = ["10.1.1.0/27"]
private_dns_zone_name = "publiccloud.example.com"
# (Required) To enable Azure Monitoring and flow logs
# Log Retention in days - Possible values range between 30 and 730
log_analytics_workspace_sku = "PerGB2018"
log_analytics_logs_retention_in_days = 30
# Adding Standard DDoS Plan, and custom DNS servers (Optional)
dns_servers = []
# Multiple Subnets, Service delegation, Service Endpoints, Network security groups
# These are default subnets with required configuration, check README.md for more details
# NSG association to be added automatically for all subnets listed here.
# First two address ranges from VNet Address space reserved for Gateway And Firewall Subnets.
# ex.: For 10.1.0.0/16 address space, usable address range start from 10.1.2.0/24 for all subnets.
# subnet name will be set as per Azure naming convention by defaut. expected value here is: <App or project name>
subnets = {
mgnt_subnet = {
subnet_name = "management"
subnet_address_prefix = ["10.1.2.0/24"]
service_endpoints = ["Microsoft.Storage"]
nsg_inbound_rules = [
# [name, priority, direction, access, protocol, destination_port_range, source_address_prefix, destination_address_prefix]
# To use defaults, use "" without adding any value and to use this subnet as a source or destination prefix.
["ssh", "200", "Inbound", "Allow", "Tcp", "22", "*", ""],
["rdp", "201", "Inbound", "Allow", "Tcp", "3389", "*", ""],
]
nsg_outbound_rules = [
# [name, priority, direction, access, protocol, destination_port_range, source_address_prefix, destination_address_prefix]
# To use defaults, use "" without adding any value and to use this subnet as a source or destination prefix.
["ntp_out", "203", "Outbound", "Allow", "Udp", "123", "", "0.0.0.0/0"],
]
}
dmz_subnet = {
subnet_name = "appgateway"
subnet_address_prefix = ["10.1.3.0/24"]
service_endpoints = ["Microsoft.Storage"]
nsg_inbound_rules = [
# [name, priority, direction, access, protocol, destination_port_range, source_address_prefix, destination_address_prefix]
# To use defaults, use "" without adding any value and to use this subnet as a source or destination prefix.
["http", "100", "Inbound", "Allow", "Tcp", "80", "*", "0.0.0.0/0"],
["https", "101", "Inbound", "Allow", "Tcp", "443", "*", ""],
]
nsg_outbound_rules = [
# [name, priority, direction, access, protocol, destination_port_range, source_address_prefix, destination_address_prefix]
# To use defaults, use "" without adding any value and to use this subnet as a source or destination prefix.
["ntp_out", "102", "Outbound", "Allow", "Udp", "123", "", "0.0.0.0/0"],
]
}
}
# Adding TAG's to your Azure resources (Required)
# ProjectName and Env are already declared above, to use them here, create a varible.
tags = {
ProjectName = "demo-internal"
Env = "dev"
Owner = "user@example.com"
BusinessUnit = "CORP"
ServiceClass = "Gold"
}
}To run this example you need to execute following Terraform commands
terraform init
terraform plan
terraform applyRun terraform destroy when you don't need these resources.
| Name | Description |
|---|---|
resource_group_name |
The name of the resource group in which resources are created |
resource_group_id |
The id of the resource group in which resources are created |
resource_group_location |
The location of the resource group in which resources are created |
virtual_network_name |
The name of the virtual network. |
virtual_network_id |
The virtual NetworkConfiguration ID. |
virtual_network_address_space |
List of address spaces that are used the virtual network. |
subnet_ids |
List of IDs of subnets |
subnet_address_prefixes |
List of address prefix for subnets |
network_security_group_ids |
List of Network security groups and ids |
ddos_protection_plan_id |
Azure Network DDoS protection plan id |
network_watcher_id |
ID of Network Watcher |
private_dns_zone_name |
The resource name of Private DNS zones within Azure DNS |
private_dns_zone_id |
The resource id of Private DNS zones within Azure DNS |
storage_account_id |
The ID of the storage account |
storage_account_name |
The name of the storage account |
storage_primary_access_key |
The primary access key for the storage account |
log_analytics_workspace_name |
Specifies the name of the Log Analytics Workspace |
log_analytics_workspace_id |
The resource id of the Log Analytics Workspace |
log_analytics_customer_id |
The Workspace (or Customer) ID for the Log Analytics Workspace. |
log_analytics_logs_retention_in_days |
The workspace data retention in days. Possible values range between 30 and 730 |