From 0 to 100 mph with Aviatrix and Terraform

Credit to Zack (https://www.linkedin.com/in/zack-schaefer/) for creating a highly available, disaster-ready architecture on Azure using Aviatrix. Thanks also to Mr Smoker (https://www.linkedin.com/in/johnsmoker/) and Dennis (https://www.linkedin.com/in/dennishagens/) for helping directly and indirectly :).

The gist shared below creates the following topology:

Diagram stolen from Zack.

The VMs run NGINX on port 80 (plain HTTP, no TLS anywhere in this demo) and the Traffic Manager profile favors East: the East endpoint has priority 10 and Central (priority 20) only receives traffic when East's health check fails.

Transit and Firenet

# Region A ("central") transit hub. FireNet is enabled on the transit so the
# firewall instances created by the matching mc-firenet module below can be
# inserted into the transit data path.
module "central-transit" {
  source                 = "terraform-aviatrix-modules/mc-transit/aviatrix"
  version                = "v2.2.0"
  cloud                  = var.cloud
  cidr                   = var.cidr-region-a
  region                 = var.region-a
  account                = var.account
  enable_transit_firenet = true
  enable_bgp_over_lan    = true  # presumably for BGP to the FireNet firewalls -- confirm against the firewall image used
  insane_mode            = false # Aviatrix high-performance encryption ("Insane Mode") not used
}

# Firewalls for the region A transit. Per the module's variables:
# egress_enabled = false  -> internet-bound spoke traffic is not hairpinned
#                            through the firewalls; inspection_enabled = true
#                            -> traffic transiting the hub (spoke<->spoke,
#                            region<->region) is inspected.
module "central-firenet" {
  source                 = "terraform-aviatrix-modules/mc-firenet/aviatrix"
  version                = "v1.2.0"
  transit_module         = module.central-transit
  firewall_image         = var.firewall_image
  firewall_image_version = var.firewall_image_version
  egress_enabled         = false
  inspection_enabled     = true
  instance_size          = var.firewall_size
  # SECURITY NOTE(review): var.password is also the Aviatrix *controller*
  # password (provider.tf). Reusing it as the firewall admin password means a
  # compromised firewall yields controller access; use a dedicated variable.
  password = var.password
}

# Region B ("east") transit hub -- mirror of central-transit.
module "east-transit" {
  source                 = "terraform-aviatrix-modules/mc-transit/aviatrix"
  version                = "v2.2.0"
  cloud                  = var.cloud
  cidr                   = var.cidr-region-b
  region                 = var.region-b
  account                = var.account
  enable_transit_firenet = true
  enable_bgp_over_lan    = true
  insane_mode            = false
}

# Firewalls for the region B transit -- mirror of central-firenet, including
# the shared-password caveat above.
module "east-firenet" {
  source                 = "terraform-aviatrix-modules/mc-firenet/aviatrix"
  version                = "v1.2.0"
  transit_module         = module.east-transit
  firewall_image         = var.firewall_image
  firewall_image_version = var.firewall_image_version
  egress_enabled         = false
  inspection_enabled     = true
  instance_size          = var.firewall_size
  password               = var.password
}

Peering

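# Peer the two regional transit gateways so spokes in region A can reach
# spokes in region B (and vice versa) through the two transits.
resource "aviatrix_transit_gateway_peering" "central-east-peering" {
  # Use gw_name rather than the resource id, matching how the spoke modules
  # refer to the transit gateway (module.*.transit_gateway.gw_name). The two
  # happen to be equal for this resource, but the attribute names what the
  # argument actually wants.
  transit_gateway_name1 = module.east-transit.transit_gateway.gw_name
  transit_gateway_name2 = module.central-transit.transit_gateway.gw_name
}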

Spokes

# Spoke VNets, two per region, attached to that region's transit.
#
# CIDR derivation: trimsuffix(<region cidr>, "23") turns "x.y.0.0/23" into
# "x.y.0.0/", "16" is appended to get "x.y.0.0/16", and cidrsubnet(..., 8, N)
# carves out the N-th /24 of that /16: index 2 -> x.y.2.0/24 (ingress),
# index 3 -> x.y.3.0/24 (app). This only works when the region CIDR is a /23
# (anything else produces an invalid prefix string) and only avoids
# overlapping the transit when that /23 is the first one of its /16
# (x.y.0.0/23); a transit at x.y.2.0/23 would collide with the ingress spoke.
#
# inspection = true sends this spoke's transit traffic through the FireNet
# firewalls. ha_gw = true deploys a spoke HA gateway; single_az_ha = false
# presumably leaves the controller's single-AZ auto-restart feature off --
# confirm against the mc-spoke v1.3.0 variable docs.
module "ingress-spoke-central" {
  source        = "terraform-aviatrix-modules/mc-spoke/aviatrix"
  version       = "1.3.0"
  account       = var.account
  cloud         = var.cloud
  name          = "avx-${var.region-a}-ingress"
  region        = var.region-a
  cidr          = cidrsubnet("${trimsuffix(var.cidr-region-a, "23")}16", 8, 2)
  inspection    = true
  transit_gw    = module.central-transit.transit_gateway.gw_name
  ha_gw         = true
  instance_size = var.instance_size
  single_az_ha  = false
}

# Region A application spoke (hosts the central app VMs and internal LB).
module "app-spoke-central" {
  source        = "terraform-aviatrix-modules/mc-spoke/aviatrix"
  version       = "1.3.0"
  account       = var.account
  cloud         = var.cloud
  name          = "avx-${var.region-a}-app"
  region        = var.region-a
  cidr          = cidrsubnet("${trimsuffix(var.cidr-region-a, "23")}16", 8, 3)
  inspection    = true
  transit_gw    = module.central-transit.transit_gateway.gw_name
  ha_gw         = true
  instance_size = var.instance_size
  single_az_ha  = false
}

# Region B ingress spoke (hosts the standalone ingress gateway and public LB).
module "ingress-spoke-east" {
  source        = "terraform-aviatrix-modules/mc-spoke/aviatrix"
  version       = "1.3.0"
  account       = var.account
  cloud         = var.cloud
  name          = "avx-${var.region-b}-ingress"
  region        = var.region-b
  cidr          = cidrsubnet("${trimsuffix(var.cidr-region-b, "23")}16", 8, 2)
  inspection    = true
  transit_gw    = module.east-transit.transit_gateway.gw_name
  ha_gw         = true
  instance_size = var.instance_size
  single_az_ha  = false
}

# Region B application spoke (hosts the east app VMs and internal LB).
module "app-spoke-east" {
  source        = "terraform-aviatrix-modules/mc-spoke/aviatrix"
  version       = "1.3.0"
  account       = var.account
  cloud         = var.cloud
  name          = "avx-${var.region-b}-app"
  region        = var.region-b
  cidr          = cidrsubnet("${trimsuffix(var.cidr-region-b, "23")}16", 8, 3)
  inspection    = true
  transit_gw    = module.east-transit.transit_gateway.gw_name
  ha_gw         = true
  instance_size = var.instance_size
  single_az_ha  = false
}

VMs

East:

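# East application VM #1: an NGINX origin behind the internal LB "east-us-lb".
resource "azurerm_resource_group" "east-app-vm1-rg" {
  name     = "east-app-vm1-rg"
  location = var.region-b
}

# Instance-level public IP. It is NOT on the client data path (clients reach
# the VM via Traffic Manager -> ingress LB -> Aviatrix DNAT -> internal LB);
# it exists only so the remote-exec provisioner below can SSH in and so apt
# can reach the internet. Moving the install to cloud-init (custom_data) and
# giving the spoke an egress path would let this public IP go away.
resource "azurerm_public_ip" "east-app-vm1-pip" {
  name                = "east-app-vm1-pip"
  resource_group_name = azurerm_resource_group.east-app-vm1-rg.name
  location            = var.region-b
  allocation_method   = "Static"
  sku                 = "Standard"
}

resource "azurerm_network_interface" "east-app-vm1-nic" {
  name                = "east-app-vm1-nic"
  location            = var.region-b
  resource_group_name = azurerm_resource_group.east-app-vm1-rg.name

  ip_configuration {
    name      = "primary"
    subnet_id = module.app-spoke-east.vpc.public_subnets[1].subnet_id
    # Dynamic is fine: the internal LB backend pool reads the address back
    # from this NIC rather than hard-coding it.
    private_ip_address_allocation = "Dynamic"
    public_ip_address_id          = azurerm_public_ip.east-app-vm1-pip.id
  }
}

# NSG for the VM's subnet. The association below is subnet-level, so these
# rules govern every NIC placed in public_subnets[1], not just this VM.
resource "azurerm_network_security_group" "east-app-vm1-nsg" {
  name                = "east-app-vm1-nsg"
  location            = var.region-b
  resource_group_name = azurerm_resource_group.east-app-vm1-rg.name

  # SECURITY: SSH is reachable from any source address on an internet-facing
  # IP, and the VM below keeps password authentication enabled. Tighten
  # source_address_prefix to the CIDR the Terraform runner uses (the only
  # legitimate SSH client here), or drop this rule together with the
  # provisioner and install NGINX via cloud-init instead.
  security_rule {
    name                       = "ssh"
    priority                   = 900
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "22"
    source_address_prefix      = "*"
    destination_address_prefix = "*"
  }

  # HTTP from the internal LB. The flow arrives SNATed to the ingress
  # gateway's private IP (gateway_snat.tf), so this could be narrowed to the
  # ingress spoke CIDR -- unless the FireNet firewalls NAT east-west traffic,
  # which depends on their policy.
  security_rule {
    name                       = "http"
    priority                   = 910
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "80"
    source_address_prefix      = "*"
    destination_address_prefix = "*"
  }

  # Explicit allow-all outbound (Azure's default outbound rules already permit
  # this; kept so the intent is visible).
  security_rule {
    name                       = "AnyOut"
    priority                   = 920
    direction                  = "Outbound"
    access                     = "Allow"
    protocol                   = "*"
    source_port_range          = "*"
    destination_port_range     = "*"
    source_address_prefix      = "*"
    destination_address_prefix = "*"
  }
}

resource "azurerm_subnet_network_security_group_association" "east-app-vm1-nsg-association" {
  subnet_id                 = module.app-spoke-east.vpc.public_subnets[1].subnet_id
  network_security_group_id = azurerm_network_security_group.east-app-vm1-nsg.id
}

resource "azurerm_linux_virtual_machine" "east-app-vm1" {
  name                = "east-app-vm1"
  resource_group_name = azurerm_resource_group.east-app-vm1-rg.name
  location            = var.region-b
  size                = var.instance_size
  admin_username      = var.admin_username
  # Password login is kept only because the remote-exec connection below uses
  # it; an admin_ssh_key block with disable_password_authentication = true is
  # the preferred setup once the provisioner is gone.
  admin_password                  = var.admin_password
  disable_password_authentication = false

  network_interface_ids = [azurerm_network_interface.east-app-vm1-nic.id]

  os_disk {
    caching              = "ReadWrite"
    storage_account_type = "Standard_LRS"
  }

  # Ubuntu 22.04 LTS. The original 16.04-LTS image left standard support in
  # April 2021 and no longer receives security updates from the public archive.
  source_image_reference {
    publisher = "Canonical"
    offer     = "0001-com-ubuntu-server-jammy"
    sku       = "22_04-lts"
    version   = "latest"
  }

  # Install NGINX. Uses apt-get (apt's CLI is not script-stable), refreshes
  # the package lists first -- a fresh cloud image has no cache, so the
  # original bare `apt install nginx -y` could fail with "Unable to locate
  # package" -- and forces a non-interactive frontend so no prompt can hang
  # the provisioner.
  provisioner "remote-exec" {
    inline = [
      "sudo env DEBIAN_FRONTEND=noninteractive apt-get update -qq",
      "sudo env DEBIAN_FRONTEND=noninteractive apt-get install -y -qq nginx",
    ]

    connection {
      type     = "ssh"
      user     = var.admin_username
      password = var.admin_password
      host     = azurerm_public_ip.east-app-vm1-pip.ip_address
    }
  }
}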
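# East application VM #2: second NGINX origin behind the internal LB
# "east-us-lb", placed in a different subnet (public_subnets[2]) than VM #1.
resource "azurerm_resource_group" "east-app-vm2-rg" {
  name     = "east-app-vm2-rg"
  location = var.region-b
}

# Instance-level public IP. Not on the client data path; only used by the
# remote-exec provisioner below and for apt's internet access. Replacing the
# provisioner with cloud-init (custom_data) plus an egress path would let this
# public IP be removed.
resource "azurerm_public_ip" "east-app-vm2-pip" {
  name                = "east-app-vm2-pip"
  resource_group_name = azurerm_resource_group.east-app-vm2-rg.name
  location            = var.region-b
  allocation_method   = "Static"
  sku                 = "Standard"
}

resource "azurerm_network_interface" "east-app-vm2-nic" {
  name                = "east-app-vm2-nic"
  location            = var.region-b
  resource_group_name = azurerm_resource_group.east-app-vm2-rg.name

  ip_configuration {
    name      = "primary"
    subnet_id = module.app-spoke-east.vpc.public_subnets[2].subnet_id
    # Dynamic is fine: the internal LB backend pool reads the address back
    # from this NIC rather than hard-coding it.
    private_ip_address_allocation = "Dynamic"
    public_ip_address_id          = azurerm_public_ip.east-app-vm2-pip.id
  }
}

# NSG for the VM's subnet. The association below is subnet-level, so these
# rules govern every NIC placed in public_subnets[2], not just this VM.
resource "azurerm_network_security_group" "east-app-vm2-nsg" {
  name                = "east-app-vm2-nsg"
  location            = var.region-b
  resource_group_name = azurerm_resource_group.east-app-vm2-rg.name

  # SECURITY: SSH is reachable from any source address on an internet-facing
  # IP, and the VM below keeps password authentication enabled. Tighten
  # source_address_prefix to the CIDR the Terraform runner uses, or drop this
  # rule together with the provisioner and install NGINX via cloud-init.
  security_rule {
    name                       = "ssh"
    priority                   = 900
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "22"
    source_address_prefix      = "*"
    destination_address_prefix = "*"
  }

  # HTTP from the internal LB. The flow arrives SNATed to the ingress
  # gateway's private IP (gateway_snat.tf), so this could be narrowed to the
  # ingress spoke CIDR -- unless the FireNet firewalls NAT east-west traffic.
  security_rule {
    name                       = "http"
    priority                   = 910
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "80"
    source_address_prefix      = "*"
    destination_address_prefix = "*"
  }

  # Explicit allow-all outbound (Azure's default outbound rules already permit
  # this; kept so the intent is visible).
  security_rule {
    name                       = "AnyOut"
    priority                   = 920
    direction                  = "Outbound"
    access                     = "Allow"
    protocol                   = "*"
    source_port_range          = "*"
    destination_port_range     = "*"
    source_address_prefix      = "*"
    destination_address_prefix = "*"
  }
}

resource "azurerm_subnet_network_security_group_association" "east-app-vm2-nsg-association" {
  subnet_id                 = module.app-spoke-east.vpc.public_subnets[2].subnet_id
  network_security_group_id = azurerm_network_security_group.east-app-vm2-nsg.id
}

resource "azurerm_linux_virtual_machine" "east-app-vm2" {
  name                = "east-app-vm2"
  resource_group_name = azurerm_resource_group.east-app-vm2-rg.name
  location            = var.region-b
  size                = var.instance_size
  admin_username      = var.admin_username
  # Password login is kept only because the remote-exec connection below uses
  # it; prefer an admin_ssh_key block with disable_password_authentication =
  # true once the provisioner is gone.
  admin_password                  = var.admin_password
  disable_password_authentication = false

  network_interface_ids = [azurerm_network_interface.east-app-vm2-nic.id]

  os_disk {
    caching              = "ReadWrite"
    storage_account_type = "Standard_LRS"
  }

  # Ubuntu 22.04 LTS. The original 16.04-LTS image left standard support in
  # April 2021 and no longer receives security updates from the public archive.
  source_image_reference {
    publisher = "Canonical"
    offer     = "0001-com-ubuntu-server-jammy"
    sku       = "22_04-lts"
    version   = "latest"
  }

  # Install NGINX: apt-get (script-stable CLI), package lists refreshed first
  # (a fresh cloud image has no cache, so the original bare `apt install
  # nginx -y` could fail), non-interactive frontend so nothing can prompt.
  provisioner "remote-exec" {
    inline = [
      "sudo env DEBIAN_FRONTEND=noninteractive apt-get update -qq",
      "sudo env DEBIAN_FRONTEND=noninteractive apt-get install -y -qq nginx",
    ]

    connection {
      type     = "ssh"
      user     = var.admin_username
      password = var.admin_password
      host     = azurerm_public_ip.east-app-vm2-pip.ip_address
    }
  }
}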

Central:

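# Central application VM #1: an NGINX origin behind the internal LB
# "central-us-lb".
resource "azurerm_resource_group" "central-app-vm1-rg" {
  name     = "central-app-vm1-rg"
  location = var.region-a
}

# Instance-level public IP. Not on the client data path (clients arrive via
# Traffic Manager -> ingress LB -> Aviatrix DNAT -> internal LB); only used by
# the remote-exec provisioner below and for apt's internet access. Moving the
# install to cloud-init (custom_data) and giving the spoke an egress path
# would let this public IP go away.
resource "azurerm_public_ip" "central-app-vm1-pip" {
  name                = "central-app-vm1-pip"
  resource_group_name = azurerm_resource_group.central-app-vm1-rg.name
  location            = var.region-a
  allocation_method   = "Static"
  sku                 = "Standard"
}

resource "azurerm_network_interface" "central-app-vm1-nic" {
  name                = "central-app-vm1-nic"
  location            = var.region-a
  resource_group_name = azurerm_resource_group.central-app-vm1-rg.name

  ip_configuration {
    name      = "primary"
    subnet_id = module.app-spoke-central.vpc.public_subnets[1].subnet_id
    # Dynamic is fine: the internal LB backend pool reads the address back
    # from this NIC rather than hard-coding it.
    private_ip_address_allocation = "Dynamic"
    public_ip_address_id          = azurerm_public_ip.central-app-vm1-pip.id
  }
}

# NSG for the VM's subnet. The association below is subnet-level, so these
# rules govern every NIC placed in public_subnets[1], not just this VM.
resource "azurerm_network_security_group" "central-app-vm1-nsg" {
  name                = "central-app-vm1-nsg"
  location            = var.region-a
  resource_group_name = azurerm_resource_group.central-app-vm1-rg.name

  # SECURITY: SSH is reachable from any source address on an internet-facing
  # IP, and the VM below keeps password authentication enabled. Tighten
  # source_address_prefix to the CIDR the Terraform runner uses, or drop this
  # rule together with the provisioner and install NGINX via cloud-init.
  security_rule {
    name                       = "ssh"
    priority                   = 900
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "22"
    source_address_prefix      = "*"
    destination_address_prefix = "*"
  }

  # HTTP from the internal LB. The flow arrives SNATed to the ingress
  # gateway's private IP (gateway_snat.tf), so this could be narrowed to the
  # ingress spoke CIDR -- unless the FireNet firewalls NAT east-west traffic.
  security_rule {
    name                       = "http"
    priority                   = 910
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "80"
    source_address_prefix      = "*"
    destination_address_prefix = "*"
  }

  # Explicit allow-all outbound (Azure's default outbound rules already permit
  # this; kept so the intent is visible).
  security_rule {
    name                       = "AnyOut"
    priority                   = 920
    direction                  = "Outbound"
    access                     = "Allow"
    protocol                   = "*"
    source_port_range          = "*"
    destination_port_range     = "*"
    source_address_prefix      = "*"
    destination_address_prefix = "*"
  }
}

resource "azurerm_subnet_network_security_group_association" "central-app-vm1-nsg-association" {
  subnet_id                 = module.app-spoke-central.vpc.public_subnets[1].subnet_id
  network_security_group_id = azurerm_network_security_group.central-app-vm1-nsg.id
}

resource "azurerm_linux_virtual_machine" "central-app-vm1" {
  name                = "central-app-vm1"
  resource_group_name = azurerm_resource_group.central-app-vm1-rg.name
  location            = var.region-a
  size                = var.instance_size
  admin_username      = var.admin_username
  # Password login is kept only because the remote-exec connection below uses
  # it; prefer an admin_ssh_key block with disable_password_authentication =
  # true once the provisioner is gone.
  admin_password                  = var.admin_password
  disable_password_authentication = false

  network_interface_ids = [azurerm_network_interface.central-app-vm1-nic.id]

  os_disk {
    caching              = "ReadWrite"
    storage_account_type = "Standard_LRS"
  }

  # Ubuntu 22.04 LTS. The original 16.04-LTS image left standard support in
  # April 2021 and no longer receives security updates from the public archive.
  source_image_reference {
    publisher = "Canonical"
    offer     = "0001-com-ubuntu-server-jammy"
    sku       = "22_04-lts"
    version   = "latest"
  }

  # Install NGINX: apt-get (script-stable CLI), package lists refreshed first
  # (a fresh cloud image has no cache, so the original bare `apt install
  # nginx -y` could fail), non-interactive frontend so nothing can prompt.
  provisioner "remote-exec" {
    inline = [
      "sudo env DEBIAN_FRONTEND=noninteractive apt-get update -qq",
      "sudo env DEBIAN_FRONTEND=noninteractive apt-get install -y -qq nginx",
    ]

    connection {
      type     = "ssh"
      user     = var.admin_username
      password = var.admin_password
      host     = azurerm_public_ip.central-app-vm1-pip.ip_address
    }
  }
}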
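# Central application VM #2: second NGINX origin behind the internal LB
# "central-us-lb", placed in public_subnets[2] rather than VM #1's subnet.
resource "azurerm_resource_group" "central-app-vm2-rg" {
  name     = "central-app-vm2-rg"
  location = var.region-a
}

# Instance-level public IP. Not on the client data path; only used by the
# remote-exec provisioner below and for apt's internet access. Replacing the
# provisioner with cloud-init (custom_data) plus an egress path would let this
# public IP be removed.
resource "azurerm_public_ip" "central-app-vm2-pip" {
  name                = "central-app-vm2-pip"
  resource_group_name = azurerm_resource_group.central-app-vm2-rg.name
  location            = var.region-a
  allocation_method   = "Static"
  sku                 = "Standard"
}

resource "azurerm_network_interface" "central-app-vm2-nic" {
  name                = "central-app-vm2-nic"
  location            = var.region-a
  resource_group_name = azurerm_resource_group.central-app-vm2-rg.name

  ip_configuration {
    name      = "primary"
    subnet_id = module.app-spoke-central.vpc.public_subnets[2].subnet_id
    # Dynamic is fine: the internal LB backend pool reads the address back
    # from this NIC rather than hard-coding it.
    private_ip_address_allocation = "Dynamic"
    public_ip_address_id          = azurerm_public_ip.central-app-vm2-pip.id
  }
}

# NSG for the VM's subnet. The association below is subnet-level, so these
# rules govern every NIC placed in public_subnets[2], not just this VM.
resource "azurerm_network_security_group" "central-app-vm2-nsg" {
  name                = "central-app-vm2-nsg"
  location            = var.region-a
  resource_group_name = azurerm_resource_group.central-app-vm2-rg.name

  # SECURITY: SSH is reachable from any source address on an internet-facing
  # IP, and the VM below keeps password authentication enabled. Tighten
  # source_address_prefix to the CIDR the Terraform runner uses, or drop this
  # rule together with the provisioner and install NGINX via cloud-init.
  security_rule {
    name                       = "ssh"
    priority                   = 900
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "22"
    source_address_prefix      = "*"
    destination_address_prefix = "*"
  }

  # HTTP from the internal LB. The flow arrives SNATed to the ingress
  # gateway's private IP (gateway_snat.tf), so this could be narrowed to the
  # ingress spoke CIDR -- unless the FireNet firewalls NAT east-west traffic.
  security_rule {
    name                       = "http"
    priority                   = 910
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "80"
    source_address_prefix      = "*"
    destination_address_prefix = "*"
  }

  # Explicit allow-all outbound (Azure's default outbound rules already permit
  # this; kept so the intent is visible).
  security_rule {
    name                       = "AnyOut"
    priority                   = 920
    direction                  = "Outbound"
    access                     = "Allow"
    protocol                   = "*"
    source_port_range          = "*"
    destination_port_range     = "*"
    source_address_prefix      = "*"
    destination_address_prefix = "*"
  }
}

resource "azurerm_subnet_network_security_group_association" "central-app-vm2-nsg-association" {
  subnet_id                 = module.app-spoke-central.vpc.public_subnets[2].subnet_id
  network_security_group_id = azurerm_network_security_group.central-app-vm2-nsg.id
}

resource "azurerm_linux_virtual_machine" "central-app-vm2" {
  name                = "central-app-vm2"
  resource_group_name = azurerm_resource_group.central-app-vm2-rg.name
  location            = var.region-a
  size                = var.instance_size
  admin_username      = var.admin_username
  # Password login is kept only because the remote-exec connection below uses
  # it; prefer an admin_ssh_key block with disable_password_authentication =
  # true once the provisioner is gone.
  admin_password                  = var.admin_password
  disable_password_authentication = false

  network_interface_ids = [azurerm_network_interface.central-app-vm2-nic.id]

  os_disk {
    caching              = "ReadWrite"
    storage_account_type = "Standard_LRS"
  }

  # Ubuntu 22.04 LTS. The original 16.04-LTS image left standard support in
  # April 2021 and no longer receives security updates from the public archive.
  source_image_reference {
    publisher = "Canonical"
    offer     = "0001-com-ubuntu-server-jammy"
    sku       = "22_04-lts"
    version   = "latest"
  }

  # Install NGINX: apt-get (script-stable CLI), package lists refreshed first
  # (a fresh cloud image has no cache, so the original bare `apt install
  # nginx -y` could fail), non-interactive frontend so nothing can prompt.
  provisioner "remote-exec" {
    inline = [
      "sudo env DEBIAN_FRONTEND=noninteractive apt-get update -qq",
      "sudo env DEBIAN_FRONTEND=noninteractive apt-get install -y -qq nginx",
    ]

    connection {
      type     = "ssh"
      user     = var.admin_username
      password = var.admin_password
      host     = azurerm_public_ip.central-app-vm2-pip.ip_address
    }
  }
}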

Load Balancers

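# Region B ("east") public entry point. Clients (sent here by Traffic Manager)
# hit this Standard LB's public IP on TCP/80; the only backend is the
# standalone Aviatrix ingress gateway, which DNATs the flow on to the internal
# app LB (gateway_dnat.tf).
resource "azurerm_resource_group" "ingress-east-us-lb-rg" {
  name     = "ingress-east-us-lb-rg"
  location = var.region-b
}

resource "azurerm_public_ip" "ingress-east-us-lb-pip" {
  name                = "ingress-east-us-lb-pip"
  resource_group_name = azurerm_resource_group.ingress-east-us-lb-rg.name
  location            = azurerm_resource_group.ingress-east-us-lb-rg.location
  allocation_method   = "Static"
  sku                 = "Standard"
}

resource "azurerm_lb" "ingress-east-us-lb" {
  name                = "ingress-east-us-lb"
  location            = azurerm_resource_group.ingress-east-us-lb-rg.location
  resource_group_name = azurerm_resource_group.ingress-east-us-lb-rg.name
  sku                 = "Standard"

  frontend_ip_configuration {
    name                 = "PublicIPAddress"
    public_ip_address_id = azurerm_public_ip.ingress-east-us-lb-pip.id
  }
}

# Health probe against the gateway. It probes TCP/443 while the rule forwards
# TCP/80, so it checks that the gateway instance itself is up (presumably its
# own HTTPS service), not that the DNAT path to NGINX works. A dead gateway is
# detected; a broken DNAT or backend is left to Traffic Manager's monitor,
# which connects through this LB.
resource "azurerm_lb_probe" "ingress-east-us-lb-probe" {
  loadbalancer_id = azurerm_lb.ingress-east-us-lb.id
  name            = "ingress-east-us-lb-probe"
  port            = 443
}

# IP-based backend: the gateway's private IP inside the ingress spoke VNet
# (its NIC is Aviatrix-managed, so it is not attached as a NIC backend).
resource "azurerm_lb_backend_address_pool_address" "azurerm_lb_backend_address_pool_address-ingress-gw-east" {
  name                    = "ingress-gw-east"
  backend_address_pool_id = azurerm_lb_backend_address_pool.ingress-east-us-lb-backend.id
  virtual_network_id      = module.ingress-spoke-east.vpc.azure_vnet_resource_id
  ip_address              = aviatrix_gateway.ingress-gw-east.private_ip
}

resource "azurerm_lb_rule" "ingress-east-us-lb-rule" {
  loadbalancer_id                = azurerm_lb.ingress-east-us-lb.id
  name                           = "LBRule"
  protocol                       = "Tcp"
  frontend_port                  = 80
  backend_port                   = 80
  frontend_ip_configuration_name = "PublicIPAddress"
  probe_id                       = azurerm_lb_probe.ingress-east-us-lb-probe.id
  # Direct reference; the "${...}" interpolation-only form is deprecated.
  backend_address_pool_ids = [azurerm_lb_backend_address_pool.ingress-east-us-lb-backend.id]
  # Floating IP delivers packets to the gateway with the LB's public IP still
  # as the destination. The gateway's DNAT rule matches exactly that address
  # (dst_cidr = <this LB's pip>/32 in gateway_dnat.tf), so this must stay on.
  enable_floating_ip = true
}

resource "azurerm_lb_backend_address_pool" "ingress-east-us-lb-backend" {
  loadbalancer_id = azurerm_lb.ingress-east-us-lb.id
  name            = "BackEndPool"
}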
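# Region A ("central") public entry point -- mirror of the east ingress LB.
# Traffic Manager only sends clients here when the East endpoint is unhealthy.
resource "azurerm_resource_group" "ingress-central-us-lb-rg" {
  name     = "ingress-central-us-lb-rg"
  location = var.region-a
}

resource "azurerm_public_ip" "ingress-central-us-lb-pip" {
  name                = "ingress-central-us-lb-pip"
  resource_group_name = azurerm_resource_group.ingress-central-us-lb-rg.name
  location            = azurerm_resource_group.ingress-central-us-lb-rg.location
  allocation_method   = "Static"
  sku                 = "Standard"
}

resource "azurerm_lb" "ingress-central-us-lb" {
  name                = "ingress-central-us-lb"
  location            = azurerm_resource_group.ingress-central-us-lb-rg.location
  resource_group_name = azurerm_resource_group.ingress-central-us-lb-rg.name
  sku                 = "Standard"

  frontend_ip_configuration {
    name                 = "PublicIPAddress"
    public_ip_address_id = azurerm_public_ip.ingress-central-us-lb-pip.id
  }
}

# Probes TCP/443 on the gateway while the rule forwards TCP/80: a liveness
# check of the gateway instance (presumably its own HTTPS service), not of the
# DNAT path to NGINX. End-to-end health is left to Traffic Manager's monitor.
resource "azurerm_lb_probe" "ingress-central-us-lb-probe" {
  loadbalancer_id = azurerm_lb.ingress-central-us-lb.id
  name            = "ingress-central-us-lb-probe"
  port            = 443
}

# IP-based backend: the gateway's private IP inside the ingress spoke VNet.
resource "azurerm_lb_backend_address_pool_address" "azurerm_lb_backend_address_pool_address-ingress-gw-central" {
  name                    = "ingress-gw-central"
  backend_address_pool_id = azurerm_lb_backend_address_pool.ingress-central-us-lb-backend.id
  virtual_network_id      = module.ingress-spoke-central.vpc.azure_vnet_resource_id
  ip_address              = aviatrix_gateway.ingress-gw-central.private_ip
}

resource "azurerm_lb_rule" "ingress-central-us-lb-rule" {
  loadbalancer_id                = azurerm_lb.ingress-central-us-lb.id
  name                           = "LBRule"
  protocol                       = "Tcp"
  frontend_port                  = 80
  backend_port                   = 80
  frontend_ip_configuration_name = "PublicIPAddress"
  probe_id                       = azurerm_lb_probe.ingress-central-us-lb-probe.id
  # Direct reference; the "${...}" interpolation-only form is deprecated.
  backend_address_pool_ids = [azurerm_lb_backend_address_pool.ingress-central-us-lb-backend.id]
  # Required: the gateway's DNAT policy matches on this LB's public IP as the
  # destination (gateway_dnat.tf), which only survives with floating IP on.
  enable_floating_ip = true
}

resource "azurerm_lb_backend_address_pool" "ingress-central-us-lb-backend" {
  loadbalancer_id = azurerm_lb.ingress-central-us-lb.id
  name            = "BackEndPool"
}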
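# Region B internal (private-frontend) LB in front of the two east NGINX VMs.
# The ingress gateway DNATs client traffic to this LB's private IP.
resource "azurerm_resource_group" "east-us-lb-rg" {
  name     = "east-us-lb-rg"
  location = var.region-b
}

resource "azurerm_lb" "east-us-lb" {
  name                = "east-us-lb"
  location            = azurerm_resource_group.east-us-lb-rg.location
  resource_group_name = azurerm_resource_group.east-us-lb-rg.name
  sku                 = "Standard"

  # Despite the name this is a *private* frontend (subnet_id, no public IP);
  # the private address is allocated dynamically and consumed by
  # gateway_dnat.tf via azurerm_lb.east-us-lb.private_ip_address. The name is
  # left alone because changing it would recreate the frontend.
  frontend_ip_configuration {
    name      = "PublicIPAddress"
    subnet_id = module.app-spoke-east.vpc.public_subnets[1].subnet_id
  }
}

# Probes NGINX directly on TCP/80, so an unhealthy VM drops out of rotation.
resource "azurerm_lb_probe" "east-us-lb-probe" {
  loadbalancer_id = azurerm_lb.east-us-lb.id
  name            = "east-us-lb-probe"
  port            = 80
}

resource "azurerm_lb_backend_address_pool_address" "azurerm_lb_backend_address_pool_address-east-app-vm1" {
  name                    = "east-app-vm1"
  backend_address_pool_id = azurerm_lb_backend_address_pool.east-us-lb-backend.id
  virtual_network_id      = module.app-spoke-east.vpc.azure_vnet_resource_id
  ip_address              = azurerm_network_interface.east-app-vm1-nic.private_ip_address
}

resource "azurerm_lb_backend_address_pool_address" "azurerm_lb_backend_address_pool_address-east-app-vm2" {
  name                    = "east-app-vm2"
  backend_address_pool_id = azurerm_lb_backend_address_pool.east-us-lb-backend.id
  virtual_network_id      = module.app-spoke-east.vpc.azure_vnet_resource_id
  ip_address              = azurerm_network_interface.east-app-vm2-nic.private_ip_address
}

resource "azurerm_lb_rule" "east-us-lb-rule" {
  loadbalancer_id                = azurerm_lb.east-us-lb.id
  name                           = "LBRule"
  protocol                       = "Tcp"
  frontend_port                  = 80
  backend_port                   = 80
  frontend_ip_configuration_name = "PublicIPAddress"
  probe_id                       = azurerm_lb_probe.east-us-lb-probe.id
  # Direct reference; the "${...}" interpolation-only form is deprecated.
  backend_address_pool_ids = [azurerm_lb_backend_address_pool.east-us-lb-backend.id]
}

resource "azurerm_lb_backend_address_pool" "east-us-lb-backend" {
  loadbalancer_id = azurerm_lb.east-us-lb.id
  name            = "BackEndPool"
}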
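# Region A internal (private-frontend) LB in front of the two central NGINX
# VMs. The central ingress gateway DNATs client traffic to this LB's private
# IP.
resource "azurerm_resource_group" "central-us-lb-rg" {
  name     = "central-us-lb-rg"
  location = var.region-a
}

resource "azurerm_lb" "central-us-lb" {
  name                = "central-us-lb"
  location            = azurerm_resource_group.central-us-lb-rg.location
  resource_group_name = azurerm_resource_group.central-us-lb-rg.name
  sku                 = "Standard"

  # Private frontend despite the name (subnet_id, no public IP). Its dynamic
  # private address is consumed by gateway_dnat.tf via
  # azurerm_lb.central-us-lb.private_ip_address. Renaming would recreate the
  # frontend, so the name is left as is.
  frontend_ip_configuration {
    name      = "PublicIPAddress"
    subnet_id = module.app-spoke-central.vpc.public_subnets[1].subnet_id
  }
}

# Probes NGINX directly on TCP/80, so an unhealthy VM drops out of rotation.
resource "azurerm_lb_probe" "central-us-lb-probe" {
  loadbalancer_id = azurerm_lb.central-us-lb.id
  name            = "central-us-lb-probe"
  port            = 80
}

resource "azurerm_lb_backend_address_pool_address" "azurerm_lb_backend_address_pool_address-central-app-vm1" {
  name                    = "central-app-vm1"
  backend_address_pool_id = azurerm_lb_backend_address_pool.central-us-lb-backend.id
  virtual_network_id      = module.app-spoke-central.vpc.azure_vnet_resource_id
  ip_address              = azurerm_network_interface.central-app-vm1-nic.private_ip_address
}

resource "azurerm_lb_backend_address_pool_address" "azurerm_lb_backend_address_pool_address-central-app-vm2" {
  name                    = "central-app-vm2"
  backend_address_pool_id = azurerm_lb_backend_address_pool.central-us-lb-backend.id
  virtual_network_id      = module.app-spoke-central.vpc.azure_vnet_resource_id
  ip_address              = azurerm_network_interface.central-app-vm2-nic.private_ip_address
}

resource "azurerm_lb_rule" "central-us-lb-rule" {
  loadbalancer_id                = azurerm_lb.central-us-lb.id
  name                           = "LBRule"
  protocol                       = "Tcp"
  frontend_port                  = 80
  backend_port                   = 80
  frontend_ip_configuration_name = "PublicIPAddress"
  probe_id                       = azurerm_lb_probe.central-us-lb-probe.id
  # Direct reference; the "${...}" interpolation-only form is deprecated.
  backend_address_pool_ids = [azurerm_lb_backend_address_pool.central-us-lb-backend.id]
}

resource "azurerm_lb_backend_address_pool" "central-us-lb-backend" {
  loadbalancer_id = azurerm_lb.central-us-lb.id
  name            = "BackEndPool"
}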

Standalone Gateways

# Standalone (non-spoke) Aviatrix gateways that terminate inbound traffic from
# the regional public LBs and apply the SNAT/DNAT policies in
# gateway_snat.tf / gateway_dnat.tf.
#
# HA NOTE(review): no peering_ha_* arguments are set, so each ingress gateway
# is a single instance -- the SNAT/DNAT resources' sync_to_ha = false is
# consistent with that. A gateway failure takes its region offline until
# Traffic Manager fails over to the other region; add an HA peer (and
# sync_to_ha = true) for in-region redundancy.
resource "aviatrix_gateway" "ingress-gw-east" {
  cloud_type   = "8" # Aviatrix cloud type 8 = Azure
  account_name = var.account
  gw_name      = "ingress-gw-east"
  gw_size      = var.gw_size
  vpc_id       = module.ingress-spoke-east.vpc.vpc_id
  vpc_reg      = var.region-b
  # Deployed into the same subnet as the ingress LB's backend pool; the LB
  # reaches it by private IP (load balancer listing).
  subnet = module.ingress-spoke-east.vpc.public_subnets[1].cidr
}

# Region A counterpart -- same single-instance caveat as above.
resource "aviatrix_gateway" "ingress-gw-central" {
  cloud_type   = "8" # Azure
  account_name = var.account
  gw_name      = "ingress-gw-central"
  gw_size      = var.gw_size
  vpc_id       = module.ingress-spoke-central.vpc.vpc_id
  vpc_reg      = var.region-a
  subnet       = module.ingress-spoke-central.vpc.public_subnets[1].cidr
}

SNAT

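# Source-NAT flows leaving the east ingress gateway on eth0 to the gateway's
# own private IP, so replies from the app VMs return to the gateway (which
# holds the DNAT state) and the VMs only ever see an in-network source.
resource "aviatrix_gateway_snat" "ingress-gw-east-snat" {
  # Reference the gateway resource instead of repeating its name as a literal:
  # a rename propagates, and Terraform orders the resources explicitly.
  gw_name   = aviatrix_gateway.ingress-gw-east.gw_name
  snat_mode = "customized_snat"

  snat_policy {
    protocol   = "all"
    interface  = "eth0"
    connection = "None"
    mark       = "65535" # same mark as the east DNAT policy (gateway_dnat.tf); ties the two together
    snat_ips   = aviatrix_gateway.ingress-gw-east.private_ip
  }

  sync_to_ha = false # the ingress gateways are deployed without an HA peer (gateway.tf)
}

# Region A counterpart; mark 65537 pairs with the central DNAT policy.
resource "aviatrix_gateway_snat" "ingress-gw-central-snat" {
  gw_name   = aviatrix_gateway.ingress-gw-central.gw_name
  snat_mode = "customized_snat"

  snat_policy {
    protocol   = "all"
    interface  = "eth0"
    connection = "None"
    mark       = "65537"
    snat_ips   = aviatrix_gateway.ingress-gw-central.private_ip
  }

  sync_to_ha = false
}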

DNAT

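# Destination-NAT on the east ingress gateway: TCP/80 arriving for the public
# ingress LB's IP (delivered unchanged thanks to the LB's floating IP) is
# rewritten to the internal app LB's private IP. Only this one tuple is
# translated; anything else reaching the gateway is not forwarded by this
# rule.
resource "aviatrix_gateway_dnat" "ingress-gw-east-dnat" {
  # Resource reference rather than a repeated literal name (see gateway_snat.tf).
  gw_name = aviatrix_gateway.ingress-gw-east.gw_name

  dnat_policy {
    dst_cidr         = "${azurerm_public_ip.ingress-east-us-lb-pip.ip_address}/32"
    dst_port         = "80"
    protocol         = "tcp"
    interface        = "eth0"
    connection       = "None"
    mark             = "65535" # matched by the east SNAT policy so the same flows get SNATed
    dnat_ips         = azurerm_lb.east-us-lb.private_ip_address
    dnat_port        = "80"
    apply_route_entry = true # also install a route toward the internal LB for the translated destination
  }

  sync_to_ha = false # no HA peer on the ingress gateways (gateway.tf)
}

# Region A counterpart; mark 65537 pairs with the central SNAT policy.
resource "aviatrix_gateway_dnat" "ingress-gw-central-dnat" {
  gw_name = aviatrix_gateway.ingress-gw-central.gw_name

  dnat_policy {
    dst_cidr          = "${azurerm_public_ip.ingress-central-us-lb-pip.ip_address}/32"
    dst_port          = "80"
    protocol          = "tcp"
    interface         = "eth0"
    connection        = "None"
    mark              = "65537"
    dnat_ips          = azurerm_lb.central-us-lb.private_ip_address
    dnat_port         = "80"
    apply_route_entry = true
  }

  sync_to_ha = false
}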

Traffic Manager

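# DNS-based global entry point. Priority routing = active/passive: resolvers
# get the East ingress LB's IP while it is healthy and the Central one
# otherwise. The profile itself is global; the resource group location is
# just where its metadata lives.
resource "azurerm_resource_group" "traffic-manager-acme-rg" {
  name     = "traffic-manager-acme-rg"
  location = var.region-b
}

# NOTE: the azurerm_public_ip "traffic-manager-acme-pip" that used to be
# declared here was never referenced anywhere (Traffic Manager answers DNS
# and the endpoints below point at the ingress LB IPs), so it has been
# removed rather than left as a stray internet-facing address.

resource "azurerm_traffic_manager_profile" "traffic-manager-acme" {
  name                   = "acme"
  resource_group_name    = azurerm_resource_group.traffic-manager-acme-rg.name
  traffic_routing_method = "Priority"

  dns_config {
    # Must be globally unique under trafficmanager.net, so "acme" will very
    # likely collide on a real deployment -- parameterise it (var.customer_name
    # is declared but not used by any listing here and looks intended for this).
    relative_name = "acme"
    # Short TTL bounds how long clients keep resolving to a failed region.
    ttl = 60
  }

  # End-to-end health check: an HTTP GET for "/" through the ingress LB, the
  # gateway DNAT and the internal LB to NGINX, expecting 2xx. The original TCP
  # check only confirmed a completed handshake and ignored `path` (which is
  # meaningless for TCP); with HTTP the path is actually exercised.
  # interval 30s / timeout 9s / 3 failures => ~1.5-2 min to mark an endpoint
  # degraded.
  monitor_config {
    protocol                     = "HTTP"
    port                         = 80
    path                         = "/"
    interval_in_seconds          = 30
    timeout_in_seconds           = 9
    tolerated_number_of_failures = 3
  }
}

# Preferred endpoint (lower priority value wins): the East ingress LB.
resource "azurerm_traffic_manager_external_endpoint" "east-us-lb" {
  name       = "east-us-lb"
  profile_id = azurerm_traffic_manager_profile.traffic-manager-acme.id
  priority   = 10
  target     = azurerm_public_ip.ingress-east-us-lb-pip.ip_address
}

# Failover endpoint: the Central ingress LB.
resource "azurerm_traffic_manager_external_endpoint" "central-us-lb" {
  name       = "central-us-lb"
  profile_id = azurerm_traffic_manager_profile.traffic-manager-acme.id
  priority   = 20
  target     = azurerm_public_ip.ingress-central-us-lb-pip.ip_address
}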

Provider

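terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "3.19.1"
    }
    aviatrix = {
      source  = "aviatrixsystems/aviatrix"
      version = "~> 2.23.0"
    }
  }
}

# Azure service-principal credentials arrive as variables. Prefer the ARM_*
# environment variables (or OIDC / a managed identity on the runner) so the
# secret never has to live in a tfvars file; if variables are kept, declare
# client_secret with sensitive = true so it is redacted from plan output.
provider "azurerm" {
  subscription_id = var.subscription_id
  client_id       = var.client_id
  client_secret   = var.client_secret
  tenant_id       = var.tenant_id
  features {}
}

provider "aviatrix" {
  controller_ip = var.controller_ip
  username      = var.username
  password      = var.password
  # Skips the provider <-> controller version compatibility check; acceptable
  # for a lab, but it hides the warning you would want before an upgrade.
  skip_version_validation = true
  # SECURITY: the login above sends the controller admin password over TLS.
  # The original had verify_ssl_certificate = false, which lets anyone on the
  # path present their own certificate, impersonate the controller and capture
  # the credential that administers every gateway here. Keep verification on
  # and give the controller a certificate the Terraform runner trusts (a CA-
  # issued cert or one imported via the controller's certificate settings).
  verify_ssl_certificate = true
}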

Variables

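# --- Aviatrix controller login (provider.tf) -------------------------------

variable "controller_ip" {
  type        = string
  description = "IP address or hostname of the Aviatrix controller."
}

variable "username" {
  type        = string
  description = "Aviatrix controller username."
}

variable "password" {
  type        = string
  description = "Aviatrix controller password. Also passed to the FireNet modules as the firewall password (transit.tf); give the firewalls their own credential instead of reusing this one."
  sensitive   = true # redacted from plan/apply output
}

variable "cloud" {
  type        = string
  description = "Cloud name as expected by the terraform-aviatrix-modules (this deployment is Azure)."
}

variable "account" {
  type        = string
  description = "Aviatrix access-account name used for every gateway and VNet."
}

# --- Azure service principal (provider.tf) ---------------------------------

variable "subscription_id" {
  type        = string
  description = "Azure subscription the resources are created in."
}

variable "client_id" {
  type        = string
  description = "Service principal application (client) id."
}

variable "client_secret" {
  type        = string
  description = "Service principal client secret. Prefer supplying it via ARM_CLIENT_SECRET or OIDC rather than a tfvars file."
  sensitive   = true
}

variable "tenant_id" {
  type        = string
  description = "Azure AD tenant id."
}

# --- Regions and addressing -------------------------------------------------

variable "region-a" {
  type        = string
  description = "Azure region for the \"central\" transit, spokes and VMs."
}

variable "region-b" {
  type        = string
  description = "Azure region for the \"east\" transit, spokes and VMs."
}

# spokes.tf derives the spoke /24s by stripping the literal suffix "23" from
# these strings and appending "16"; anything but a /23 yields an invalid
# prefix at plan time with an unhelpful error, so reject it here explicitly.
variable "cidr-region-a" {
  type        = string
  description = "Transit VNet CIDR for region A. Must be an IPv4 /23 (e.g. 10.1.0.0/23); spokes are carved from the enclosing /16."
  validation {
    condition     = can(cidrnetmask(var.cidr-region-a)) && can(regex("/23$", var.cidr-region-a))
    error_message = "cidr-region-a must be an IPv4 CIDR with a /23 prefix length, e.g. 10.1.0.0/23."
  }
}

variable "cidr-region-b" {
  type        = string
  description = "Transit VNet CIDR for region B. Must be an IPv4 /23 (e.g. 10.2.0.0/23); spokes are carved from the enclosing /16."
  validation {
    condition     = can(cidrnetmask(var.cidr-region-b)) && can(regex("/23$", var.cidr-region-b))
    error_message = "cidr-region-b must be an IPv4 CIDR with a /23 prefix length, e.g. 10.2.0.0/23."
  }
}

# --- Sizing -----------------------------------------------------------------

variable "instance_size" {
  type        = string
  description = "Azure VM size used for both the spoke gateways and the application VMs."
}

variable "firewall_image" {
  type        = string
  description = "FireNet firewall image name passed to the mc-firenet modules."
}

variable "firewall_image_version" {
  type        = string
  description = "FireNet firewall image version."
}

variable "firewall_size" {
  type        = string
  description = "Azure VM size for the FireNet firewall instances."
}

variable "gw_size" {
  type        = string
  description = "Azure VM size for the standalone ingress gateways (gateway.tf)."
}

# --- Application VM login ---------------------------------------------------

variable "admin_username" {
  type        = string
  description = "Admin user on the NGINX VMs; also used by the remote-exec provisioner."
}

variable "admin_password" {
  type        = string
  description = "Admin password on the NGINX VMs. Password auth is only needed by the remote-exec provisioner; an SSH key is preferable."
  sensitive   = true
}

# Not referenced by any of the listings here; presumably intended for naming
# (for example the Traffic Manager relative_name) -- confirm before removing.
variable "customer_name" {
  type        = string
  description = "Customer/deployment name (currently unused)."
}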
