Credit to Zack (https://www.linkedin.com/in/zack-schaefer/) on creating a high-available and disaster ready architecture on Azure using Aviatrix. Thanks also to Mr Smoker (https://www.linkedin.com/in/johnsmoker/) and Dennis (https://www.linkedin.com/in/dennishagens/) for helping directly and indirectly :).
The gist shared below creates the following topology:
The VMs are running NGINX on port 80 and the traffic manager favors East.
Transit and Firenet
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| module "central-transit" { | |
| source = "terraform-aviatrix-modules/mc-transit/aviatrix" | |
| version = "v2.2.0" | |
| cloud = var.cloud | |
| cidr = var.cidr-region-a | |
| region = var.region-a | |
| account = var.account | |
| enable_transit_firenet = true | |
| enable_bgp_over_lan = true | |
| insane_mode = false | |
| } | |
| module "central-firenet" { | |
| source = "terraform-aviatrix-modules/mc-firenet/aviatrix" | |
| version = "v1.2.0" | |
| transit_module = module.central-transit | |
| firewall_image = var.firewall_image | |
| firewall_image_version = var.firewall_image_version | |
| egress_enabled = false | |
| inspection_enabled = true | |
| instance_size = var.firewall_size | |
| password = var.password | |
| } | |
| module "east-transit" { | |
| source = "terraform-aviatrix-modules/mc-transit/aviatrix" | |
| version = "v2.2.0" | |
| cloud = var.cloud | |
| cidr = var.cidr-region-b | |
| region = var.region-b | |
| account = var.account | |
| enable_transit_firenet = true | |
| enable_bgp_over_lan = true | |
| insane_mode = false | |
| } | |
| module "east-firenet" { | |
| source = "terraform-aviatrix-modules/mc-firenet/aviatrix" | |
| version = "v1.2.0" | |
| transit_module = module.east-transit | |
| firewall_image = var.firewall_image | |
| firewall_image_version = var.firewall_image_version | |
| egress_enabled = false | |
| inspection_enabled = true | |
| instance_size = var.firewall_size | |
| password = var.password | |
| } |
Peering
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| resource "aviatrix_transit_gateway_peering" "central-east-peering" { | |
| transit_gateway_name1 = module.east-transit.transit_gateway.id | |
| transit_gateway_name2 = module.central-transit.transit_gateway.id | |
| } |
Spokes
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| module "ingress-spoke-central" { | |
| source = "terraform-aviatrix-modules/mc-spoke/aviatrix" | |
| version = "1.3.0" | |
| account = var.account | |
| cloud = var.cloud | |
| name = "avx-${var.region-a}-ingress" | |
| region = var.region-a | |
| cidr = cidrsubnet("${trimsuffix(var.cidr-region-a, "23")}16", 8, 2) | |
| inspection = true | |
| transit_gw = module.central-transit.transit_gateway.gw_name | |
| ha_gw = true | |
| instance_size = var.instance_size | |
| single_az_ha = false | |
| } | |
| module "app-spoke-central" { | |
| source = "terraform-aviatrix-modules/mc-spoke/aviatrix" | |
| version = "1.3.0" | |
| account = var.account | |
| cloud = var.cloud | |
| name = "avx-${var.region-a}-app" | |
| region = var.region-a | |
| cidr = cidrsubnet("${trimsuffix(var.cidr-region-a, "23")}16", 8, 3) | |
| inspection = true | |
| transit_gw = module.central-transit.transit_gateway.gw_name | |
| ha_gw = true | |
| instance_size = var.instance_size | |
| single_az_ha = false | |
| } | |
| module "ingress-spoke-east" { | |
| source = "terraform-aviatrix-modules/mc-spoke/aviatrix" | |
| version = "1.3.0" | |
| account = var.account | |
| cloud = var.cloud | |
| name = "avx-${var.region-b}-ingress" | |
| region = var.region-b | |
| cidr = cidrsubnet("${trimsuffix(var.cidr-region-b, "23")}16", 8, 2) | |
| inspection = true | |
| transit_gw = module.east-transit.transit_gateway.gw_name | |
| ha_gw = true | |
| instance_size = var.instance_size | |
| single_az_ha = false | |
| } | |
| module "app-spoke-east" { | |
| source = "terraform-aviatrix-modules/mc-spoke/aviatrix" | |
| version = "1.3.0" | |
| account = var.account | |
| cloud = var.cloud | |
| name = "avx-${var.region-b}-app" | |
| region = var.region-b | |
| cidr = cidrsubnet("${trimsuffix(var.cidr-region-b, "23")}16", 8, 3) | |
| inspection = true | |
| transit_gw = module.east-transit.transit_gateway.gw_name | |
| ha_gw = true | |
| instance_size = var.instance_size | |
| single_az_ha = false | |
| } |
VMs
East:
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| resource "azurerm_resource_group" "east-app-vm1-rg" { | |
| name = "east-app-vm1-rg" | |
| location = var.region-b | |
| } | |
| resource "azurerm_public_ip" "east-app-vm1-pip" { | |
| name = "east-app-vm1-pip" | |
| resource_group_name = azurerm_resource_group.east-app-vm1-rg.name | |
| location = var.region-b | |
| allocation_method = "Static" | |
| sku = "Standard" | |
| } | |
| resource "azurerm_network_interface" "east-app-vm1-nic" { | |
| name = "east-app-vm1-nic" | |
| location = var.region-b | |
| resource_group_name = azurerm_resource_group.east-app-vm1-rg.name | |
| ip_configuration { | |
| name = "primary" | |
| subnet_id = module.app-spoke-east.vpc.public_subnets[1].subnet_id | |
| private_ip_address_allocation = "Dynamic" | |
| public_ip_address_id = azurerm_public_ip.east-app-vm1-pip.id | |
| } | |
| } | |
| resource "azurerm_network_security_group" "east-app-vm1-nsg" { | |
| name = "east-app-vm1-nsg" | |
| location = var.region-b | |
| resource_group_name = azurerm_resource_group.east-app-vm1-rg.name | |
| security_rule { | |
| access = "Allow" | |
| direction = "Inbound" | |
| name = "ssh" | |
| priority = 900 | |
| protocol = "Tcp" | |
| source_port_range = "*" | |
| source_address_prefix = "*" | |
| destination_port_range = "22" | |
| destination_address_prefix = "*" | |
| } | |
| security_rule { | |
| access = "Allow" | |
| direction = "Inbound" | |
| name = "http" | |
| priority = 910 | |
| protocol = "Tcp" | |
| source_port_range = "*" | |
| source_address_prefix = "*" | |
| destination_port_range = "80" | |
| destination_address_prefix = "*" | |
| } | |
| security_rule { | |
| access = "Allow" | |
| direction = "Outbound" | |
| name = "AnyOut" | |
| priority = 920 | |
| protocol = "*" | |
| source_port_range = "*" | |
| source_address_prefix = "*" | |
| destination_port_range = "*" | |
| destination_address_prefix = "*" | |
| } | |
| } | |
| resource "azurerm_subnet_network_security_group_association" "east-app-vm1-nsg-association" { | |
| subnet_id = module.app-spoke-east.vpc.public_subnets[1].subnet_id | |
| network_security_group_id = azurerm_network_security_group.east-app-vm1-nsg.id | |
| } | |
| resource "azurerm_linux_virtual_machine" "east-app-vm1" { | |
| name = "east-app-vm1" | |
| resource_group_name = azurerm_resource_group.east-app-vm1-rg.name | |
| location = var.region-b | |
| size = var.instance_size | |
| admin_username = var.admin_username | |
| admin_password = var.admin_password | |
| disable_password_authentication = false | |
| network_interface_ids = [ | |
| azurerm_network_interface.east-app-vm1-nic.id | |
| ] | |
| os_disk { | |
| caching = "ReadWrite" | |
| storage_account_type = "Standard_LRS" | |
| } | |
| source_image_reference { | |
| publisher = "Canonical" | |
| offer = "UbuntuServer" | |
| sku = "16.04-LTS" | |
| version = "latest" | |
| } | |
| provisioner "remote-exec" { | |
| inline = [ | |
| "/usr/bin/sudo apt install nginx -y" | |
| ] | |
| connection { | |
| type = "ssh" | |
| user = var.admin_username | |
| password = var.admin_password | |
| host = azurerm_public_ip.east-app-vm1-pip.ip_address | |
| } | |
| } | |
| } | |
| resource "azurerm_resource_group" "east-app-vm2-rg" { | |
| name = "east-app-vm2-rg" | |
| location = var.region-b | |
| } | |
| resource "azurerm_public_ip" "east-app-vm2-pip" { | |
| name = "east-app-vm2-pip" | |
| resource_group_name = azurerm_resource_group.east-app-vm2-rg.name | |
| location = var.region-b | |
| allocation_method = "Static" | |
| sku = "Standard" | |
| } | |
| resource "azurerm_network_interface" "east-app-vm2-nic" { | |
| name = "east-app-vm2-nic" | |
| location = var.region-b | |
| resource_group_name = azurerm_resource_group.east-app-vm2-rg.name | |
| ip_configuration { | |
| name = "primary" | |
| subnet_id = module.app-spoke-east.vpc.public_subnets[2].subnet_id | |
| private_ip_address_allocation = "Dynamic" | |
| public_ip_address_id = azurerm_public_ip.east-app-vm2-pip.id | |
| } | |
| } | |
| resource "azurerm_network_security_group" "east-app-vm2-nsg" { | |
| name = "east-app-vm2-nsg" | |
| location = var.region-b | |
| resource_group_name = azurerm_resource_group.east-app-vm2-rg.name | |
| security_rule { | |
| access = "Allow" | |
| direction = "Inbound" | |
| name = "ssh" | |
| priority = 900 | |
| protocol = "Tcp" | |
| source_port_range = "*" | |
| source_address_prefix = "*" | |
| destination_port_range = "22" | |
| destination_address_prefix = "*" | |
| } | |
| security_rule { | |
| access = "Allow" | |
| direction = "Inbound" | |
| name = "http" | |
| priority = 910 | |
| protocol = "Tcp" | |
| source_port_range = "*" | |
| source_address_prefix = "*" | |
| destination_port_range = "80" | |
| destination_address_prefix = "*" | |
| } | |
| security_rule { | |
| access = "Allow" | |
| direction = "Outbound" | |
| name = "AnyOut" | |
| priority = 920 | |
| protocol = "*" | |
| source_port_range = "*" | |
| source_address_prefix = "*" | |
| destination_port_range = "*" | |
| destination_address_prefix = "*" | |
| } | |
| } | |
| resource "azurerm_subnet_network_security_group_association" "east-app-vm2-nsg-association" { | |
| subnet_id = module.app-spoke-east.vpc.public_subnets[2].subnet_id | |
| network_security_group_id = azurerm_network_security_group.east-app-vm2-nsg.id | |
| } | |
| resource "azurerm_linux_virtual_machine" "east-app-vm2" { | |
| name = "east-app-vm2" | |
| resource_group_name = azurerm_resource_group.east-app-vm2-rg.name | |
| location = var.region-b | |
| size = var.instance_size | |
| admin_username = var.admin_username | |
| admin_password = var.admin_password | |
| disable_password_authentication = false | |
| network_interface_ids = [ | |
| azurerm_network_interface.east-app-vm2-nic.id | |
| ] | |
| os_disk { | |
| caching = "ReadWrite" | |
| storage_account_type = "Standard_LRS" | |
| } | |
| source_image_reference { | |
| publisher = "Canonical" | |
| offer = "UbuntuServer" | |
| sku = "16.04-LTS" | |
| version = "latest" | |
| } | |
| provisioner "remote-exec" { | |
| inline = [ | |
| "/usr/bin/sudo apt install nginx -y" | |
| ] | |
| connection { | |
| type = "ssh" | |
| user = var.admin_username | |
| password = var.admin_password | |
| host = azurerm_public_ip.east-app-vm2-pip.ip_address | |
| } | |
| } | |
| } |
Central:
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| resource "azurerm_resource_group" "central-app-vm1-rg" { | |
| name = "central-app-vm1-rg" | |
| location = var.region-a | |
| } | |
| resource "azurerm_public_ip" "central-app-vm1-pip" { | |
| name = "central-app-vm1-pip" | |
| resource_group_name = azurerm_resource_group.central-app-vm1-rg.name | |
| location = var.region-a | |
| allocation_method = "Static" | |
| sku = "Standard" | |
| } | |
| resource "azurerm_network_interface" "central-app-vm1-nic" { | |
| name = "central-app-vm1-nic" | |
| location = var.region-a | |
| resource_group_name = azurerm_resource_group.central-app-vm1-rg.name | |
| ip_configuration { | |
| name = "primary" | |
| subnet_id = module.app-spoke-central.vpc.public_subnets[1].subnet_id | |
| private_ip_address_allocation = "Dynamic" | |
| public_ip_address_id = azurerm_public_ip.central-app-vm1-pip.id | |
| } | |
| } | |
| resource "azurerm_network_security_group" "central-app-vm1-nsg" { | |
| name = "central-app-vm1-nsg" | |
| location = var.region-a | |
| resource_group_name = azurerm_resource_group.central-app-vm1-rg.name | |
| security_rule { | |
| access = "Allow" | |
| direction = "Inbound" | |
| name = "ssh" | |
| priority = 900 | |
| protocol = "Tcp" | |
| source_port_range = "*" | |
| source_address_prefix = "*" | |
| destination_port_range = "22" | |
| destination_address_prefix = "*" | |
| } | |
| security_rule { | |
| access = "Allow" | |
| direction = "Inbound" | |
| name = "http" | |
| priority = 910 | |
| protocol = "Tcp" | |
| source_port_range = "*" | |
| source_address_prefix = "*" | |
| destination_port_range = "80" | |
| destination_address_prefix = "*" | |
| } | |
| security_rule { | |
| access = "Allow" | |
| direction = "Outbound" | |
| name = "AnyOut" | |
| priority = 920 | |
| protocol = "*" | |
| source_port_range = "*" | |
| source_address_prefix = "*" | |
| destination_port_range = "*" | |
| destination_address_prefix = "*" | |
| } | |
| } | |
| resource "azurerm_subnet_network_security_group_association" "central-app-vm1-nsg-association" { | |
| subnet_id = module.app-spoke-central.vpc.public_subnets[1].subnet_id | |
| network_security_group_id = azurerm_network_security_group.central-app-vm1-nsg.id | |
| } | |
| resource "azurerm_linux_virtual_machine" "central-app-vm1" { | |
| name = "central-app-vm1" | |
| resource_group_name = azurerm_resource_group.central-app-vm1-rg.name | |
| location = var.region-a | |
| size = var.instance_size | |
| admin_username = var.admin_username | |
| admin_password = var.admin_password | |
| disable_password_authentication = false | |
| network_interface_ids = [ | |
| azurerm_network_interface.central-app-vm1-nic.id | |
| ] | |
| os_disk { | |
| caching = "ReadWrite" | |
| storage_account_type = "Standard_LRS" | |
| } | |
| source_image_reference { | |
| publisher = "Canonical" | |
| offer = "UbuntuServer" | |
| sku = "16.04-LTS" | |
| version = "latest" | |
| } | |
| provisioner "remote-exec" { | |
| inline = [ | |
| "/usr/bin/sudo apt install nginx -y" | |
| ] | |
| connection { | |
| type = "ssh" | |
| user = var.admin_username | |
| password = var.admin_password | |
| host = azurerm_public_ip.central-app-vm1-pip.ip_address | |
| } | |
| } | |
| } | |
| resource "azurerm_resource_group" "central-app-vm2-rg" { | |
| name = "central-app-vm2-rg" | |
| location = var.region-a | |
| } | |
| resource "azurerm_public_ip" "central-app-vm2-pip" { | |
| name = "central-app-vm2-pip" | |
| resource_group_name = azurerm_resource_group.central-app-vm2-rg.name | |
| location = var.region-a | |
| allocation_method = "Static" | |
| sku = "Standard" | |
| } | |
| resource "azurerm_network_interface" "central-app-vm2-nic" { | |
| name = "central-app-vm2-nic" | |
| location = var.region-a | |
| resource_group_name = azurerm_resource_group.central-app-vm2-rg.name | |
| ip_configuration { | |
| name = "primary" | |
| subnet_id = module.app-spoke-central.vpc.public_subnets[2].subnet_id | |
| private_ip_address_allocation = "Dynamic" | |
| public_ip_address_id = azurerm_public_ip.central-app-vm2-pip.id | |
| } | |
| } | |
| resource "azurerm_network_security_group" "central-app-vm2-nsg" { | |
| name = "central-app-vm2-nsg" | |
| location = var.region-a | |
| resource_group_name = azurerm_resource_group.central-app-vm2-rg.name | |
| security_rule { | |
| access = "Allow" | |
| direction = "Inbound" | |
| name = "ssh" | |
| priority = 900 | |
| protocol = "Tcp" | |
| source_port_range = "*" | |
| source_address_prefix = "*" | |
| destination_port_range = "22" | |
| destination_address_prefix = "*" | |
| } | |
| security_rule { | |
| access = "Allow" | |
| direction = "Inbound" | |
| name = "http" | |
| priority = 910 | |
| protocol = "Tcp" | |
| source_port_range = "*" | |
| source_address_prefix = "*" | |
| destination_port_range = "80" | |
| destination_address_prefix = "*" | |
| } | |
| security_rule { | |
| access = "Allow" | |
| direction = "Outbound" | |
| name = "AnyOut" | |
| priority = 920 | |
| protocol = "*" | |
| source_port_range = "*" | |
| source_address_prefix = "*" | |
| destination_port_range = "*" | |
| destination_address_prefix = "*" | |
| } | |
| } | |
| resource "azurerm_subnet_network_security_group_association" "central-app-vm2-nsg-association" { | |
| subnet_id = module.app-spoke-central.vpc.public_subnets[2].subnet_id | |
| network_security_group_id = azurerm_network_security_group.central-app-vm2-nsg.id | |
| } | |
| resource "azurerm_linux_virtual_machine" "central-app-vm2" { | |
| name = "central-app-vm2" | |
| resource_group_name = azurerm_resource_group.central-app-vm2-rg.name | |
| location = var.region-a | |
| size = var.instance_size | |
| admin_username = var.admin_username | |
| admin_password = var.admin_password | |
| disable_password_authentication = false | |
| network_interface_ids = [ | |
| azurerm_network_interface.central-app-vm2-nic.id | |
| ] | |
| os_disk { | |
| caching = "ReadWrite" | |
| storage_account_type = "Standard_LRS" | |
| } | |
| source_image_reference { | |
| publisher = "Canonical" | |
| offer = "UbuntuServer" | |
| sku = "16.04-LTS" | |
| version = "latest" | |
| } | |
| provisioner "remote-exec" { | |
| inline = [ | |
| "/usr/bin/sudo apt install nginx -y" | |
| ] | |
| connection { | |
| type = "ssh" | |
| user = var.admin_username | |
| password = var.admin_password | |
| host = azurerm_public_ip.central-app-vm2-pip.ip_address | |
| } | |
| } | |
| } |
Load Balancers
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| resource "azurerm_resource_group" "ingress-east-us-lb-rg" { | |
| name = "ingress-east-us-lb-rg" | |
| location = var.region-b | |
| } | |
| resource "azurerm_public_ip" "ingress-east-us-lb-pip" { | |
| name = "ingress-east-us-lb-pip" | |
| resource_group_name = azurerm_resource_group.ingress-east-us-lb-rg.name | |
| location = azurerm_resource_group.ingress-east-us-lb-rg.location | |
| allocation_method = "Static" | |
| sku = "Standard" | |
| } | |
| resource "azurerm_lb" "ingress-east-us-lb" { | |
| name = "ingress-east-us-lb" | |
| location = azurerm_resource_group.ingress-east-us-lb-rg.location | |
| resource_group_name = azurerm_resource_group.ingress-east-us-lb-rg.name | |
| sku = "Standard" | |
| frontend_ip_configuration { | |
| name = "PublicIPAddress" | |
| public_ip_address_id = azurerm_public_ip.ingress-east-us-lb-pip.id | |
| } | |
| } | |
| resource "azurerm_lb_probe" "ingress-east-us-lb-probe" { | |
| loadbalancer_id = azurerm_lb.ingress-east-us-lb.id | |
| name = "ingress-east-us-lb-probe" | |
| port = "443" | |
| } | |
| resource "azurerm_lb_backend_address_pool_address" "azurerm_lb_backend_address_pool_address-ingress-gw-east" { | |
| name = "ingress-gw-east" | |
| backend_address_pool_id = azurerm_lb_backend_address_pool.ingress-east-us-lb-backend.id | |
| virtual_network_id = module.ingress-spoke-east.vpc.azure_vnet_resource_id | |
| ip_address = aviatrix_gateway.ingress-gw-east.private_ip | |
| } | |
| resource "azurerm_lb_rule" "ingress-east-us-lb-rule" { | |
| loadbalancer_id = azurerm_lb.ingress-east-us-lb.id | |
| name = "LBRule" | |
| protocol = "Tcp" | |
| frontend_port = "80" | |
| backend_port = "80" | |
| frontend_ip_configuration_name = "PublicIPAddress" | |
| probe_id = azurerm_lb_probe.ingress-east-us-lb-probe.id | |
| backend_address_pool_ids = ["${azurerm_lb_backend_address_pool.ingress-east-us-lb-backend.id}"] | |
| enable_floating_ip = true | |
| } | |
| resource "azurerm_lb_backend_address_pool" "ingress-east-us-lb-backend" { | |
| loadbalancer_id = azurerm_lb.ingress-east-us-lb.id | |
| name = "BackEndPool" | |
| } | |
| resource "azurerm_resource_group" "ingress-central-us-lb-rg" { | |
| name = "ingress-central-us-lb-rg" | |
| location = var.region-a | |
| } | |
| resource "azurerm_public_ip" "ingress-central-us-lb-pip" { | |
| name = "ingress-central-us-lb-pip" | |
| resource_group_name = azurerm_resource_group.ingress-central-us-lb-rg.name | |
| location = azurerm_resource_group.ingress-central-us-lb-rg.location | |
| allocation_method = "Static" | |
| sku = "Standard" | |
| } | |
| resource "azurerm_lb" "ingress-central-us-lb" { | |
| name = "ingress-central-us-lb" | |
| location = azurerm_resource_group.ingress-central-us-lb-rg.location | |
| resource_group_name = azurerm_resource_group.ingress-central-us-lb-rg.name | |
| sku = "Standard" | |
| frontend_ip_configuration { | |
| name = "PublicIPAddress" | |
| public_ip_address_id = azurerm_public_ip.ingress-central-us-lb-pip.id | |
| } | |
| } | |
| resource "azurerm_lb_probe" "ingress-central-us-lb-probe" { | |
| loadbalancer_id = azurerm_lb.ingress-central-us-lb.id | |
| name = "ingress-central-us-lb-probe" | |
| port = "443" | |
| } | |
| resource "azurerm_lb_backend_address_pool_address" "azurerm_lb_backend_address_pool_address-ingress-gw-central" { | |
| name = "ingress-gw-central" | |
| backend_address_pool_id = azurerm_lb_backend_address_pool.ingress-central-us-lb-backend.id | |
| virtual_network_id = module.ingress-spoke-central.vpc.azure_vnet_resource_id | |
| ip_address = aviatrix_gateway.ingress-gw-central.private_ip | |
| } | |
| resource "azurerm_lb_rule" "ingress-central-us-lb-rule" { | |
| loadbalancer_id = azurerm_lb.ingress-central-us-lb.id | |
| name = "LBRule" | |
| protocol = "Tcp" | |
| frontend_port = "80" | |
| backend_port = "80" | |
| frontend_ip_configuration_name = "PublicIPAddress" | |
| probe_id = azurerm_lb_probe.ingress-central-us-lb-probe.id | |
| backend_address_pool_ids = ["${azurerm_lb_backend_address_pool.ingress-central-us-lb-backend.id}"] | |
| enable_floating_ip = true | |
| } | |
| resource "azurerm_lb_backend_address_pool" "ingress-central-us-lb-backend" { | |
| loadbalancer_id = azurerm_lb.ingress-central-us-lb.id | |
| name = "BackEndPool" | |
| } | |
| resource "azurerm_resource_group" "east-us-lb-rg" { | |
| name = "east-us-lb-rg" | |
| location = var.region-b | |
| } | |
| resource "azurerm_lb" "east-us-lb" { | |
| name = "east-us-lb" | |
| location = azurerm_resource_group.east-us-lb-rg.location | |
| resource_group_name = azurerm_resource_group.east-us-lb-rg.name | |
| sku = "Standard" | |
| frontend_ip_configuration { | |
| name = "PublicIPAddress" | |
| subnet_id = module.app-spoke-east.vpc.public_subnets[1].subnet_id | |
| } | |
| } | |
| resource "azurerm_lb_probe" "east-us-lb-probe" { | |
| loadbalancer_id = azurerm_lb.east-us-lb.id | |
| name = "east-us-lb-probe" | |
| port = "80" | |
| } | |
| resource "azurerm_lb_backend_address_pool_address" "azurerm_lb_backend_address_pool_address-east-app-vm1" { | |
| name = "east-app-vm1" | |
| backend_address_pool_id = azurerm_lb_backend_address_pool.east-us-lb-backend.id | |
| virtual_network_id = module.app-spoke-east.vpc.azure_vnet_resource_id | |
| ip_address = azurerm_network_interface.east-app-vm1-nic.private_ip_address | |
| } | |
| resource "azurerm_lb_backend_address_pool_address" "azurerm_lb_backend_address_pool_address-east-app-vm2" { | |
| name = "east-app-vm2" | |
| backend_address_pool_id = azurerm_lb_backend_address_pool.east-us-lb-backend.id | |
| virtual_network_id = module.app-spoke-east.vpc.azure_vnet_resource_id | |
| ip_address = azurerm_network_interface.east-app-vm2-nic.private_ip_address | |
| } | |
| resource "azurerm_lb_rule" "east-us-lb-rule" { | |
| loadbalancer_id = azurerm_lb.east-us-lb.id | |
| name = "LBRule" | |
| protocol = "Tcp" | |
| frontend_port = "80" | |
| backend_port = "80" | |
| frontend_ip_configuration_name = "PublicIPAddress" | |
| probe_id = azurerm_lb_probe.east-us-lb-probe.id | |
| backend_address_pool_ids = ["${azurerm_lb_backend_address_pool.east-us-lb-backend.id}"] | |
| } | |
| resource "azurerm_lb_backend_address_pool" "east-us-lb-backend" { | |
| loadbalancer_id = azurerm_lb.east-us-lb.id | |
| name = "BackEndPool" | |
| } | |
| resource "azurerm_resource_group" "central-us-lb-rg" { | |
| name = "central-us-lb-rg" | |
| location = var.region-a | |
| } | |
| resource "azurerm_lb" "central-us-lb" { | |
| name = "central-us-lb" | |
| location = azurerm_resource_group.central-us-lb-rg.location | |
| resource_group_name = azurerm_resource_group.central-us-lb-rg.name | |
| sku = "Standard" | |
| frontend_ip_configuration { | |
| name = "PublicIPAddress" | |
| subnet_id = module.app-spoke-central.vpc.public_subnets[1].subnet_id | |
| } | |
| } | |
| resource "azurerm_lb_probe" "central-us-lb-probe" { | |
| loadbalancer_id = azurerm_lb.central-us-lb.id | |
| name = "central-us-lb-probe" | |
| port = "80" | |
| } | |
| resource "azurerm_lb_backend_address_pool_address" "azurerm_lb_backend_address_pool_address-central-app-vm1" { | |
| name = "central-app-vm1" | |
| backend_address_pool_id = azurerm_lb_backend_address_pool.central-us-lb-backend.id | |
| virtual_network_id = module.app-spoke-central.vpc.azure_vnet_resource_id | |
| ip_address = azurerm_network_interface.central-app-vm1-nic.private_ip_address | |
| } | |
| resource "azurerm_lb_backend_address_pool_address" "azurerm_lb_backend_address_pool_address-central-app-vm2" { | |
| name = "central-app-vm2" | |
| backend_address_pool_id = azurerm_lb_backend_address_pool.central-us-lb-backend.id | |
| virtual_network_id = module.app-spoke-central.vpc.azure_vnet_resource_id | |
| ip_address = azurerm_network_interface.central-app-vm2-nic.private_ip_address | |
| } | |
| resource "azurerm_lb_rule" "central-us-lb-rule" { | |
| loadbalancer_id = azurerm_lb.central-us-lb.id | |
| name = "LBRule" | |
| protocol = "Tcp" | |
| frontend_port = "80" | |
| backend_port = "80" | |
| frontend_ip_configuration_name = "PublicIPAddress" | |
| probe_id = azurerm_lb_probe.central-us-lb-probe.id | |
| backend_address_pool_ids = ["${azurerm_lb_backend_address_pool.central-us-lb-backend.id}"] | |
| } | |
| resource "azurerm_lb_backend_address_pool" "central-us-lb-backend" { | |
| loadbalancer_id = azurerm_lb.central-us-lb.id | |
| name = "BackEndPool" | |
| } |
Standalone Gateways
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| resource "aviatrix_gateway" "ingress-gw-east" { | |
| cloud_type = "8" | |
| account_name = var.account | |
| gw_name = "ingress-gw-east" | |
| gw_size = var.gw_size | |
| vpc_id = module.ingress-spoke-east.vpc.vpc_id | |
| vpc_reg = var.region-b | |
| subnet = module.ingress-spoke-east.vpc.public_subnets[1].cidr | |
| } | |
| resource "aviatrix_gateway" "ingress-gw-central" { | |
| cloud_type = "8" | |
| account_name = var.account | |
| gw_name = "ingress-gw-central" | |
| gw_size = var.gw_size | |
| vpc_id = module.ingress-spoke-central.vpc.vpc_id | |
| vpc_reg = var.region-a | |
| subnet = module.ingress-spoke-central.vpc.public_subnets[1].cidr | |
| } |
SNAT
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| resource "aviatrix_gateway_snat" "ingress-gw-east-snat" { | |
| gw_name = "ingress-gw-east" | |
| snat_mode = "customized_snat" | |
| snat_policy { | |
| protocol = "all" | |
| interface = "eth0" | |
| connection = "None" | |
| mark = "65535" | |
| snat_ips = aviatrix_gateway.ingress-gw-east.private_ip | |
| } | |
| sync_to_ha = false | |
| } | |
| resource "aviatrix_gateway_snat" "ingress-gw-central-snat" { | |
| gw_name = "ingress-gw-central" | |
| snat_mode = "customized_snat" | |
| snat_policy { | |
| protocol = "all" | |
| interface = "eth0" | |
| connection = "None" | |
| mark = "65537" | |
| snat_ips = aviatrix_gateway.ingress-gw-central.private_ip | |
| } | |
| sync_to_ha = false | |
| } |
DNAT
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| resource "aviatrix_gateway_dnat" "ingress-gw-east-dnat" { | |
| gw_name = "ingress-gw-east" | |
| dnat_policy { | |
| dst_cidr = "${azurerm_public_ip.ingress-east-us-lb-pip.ip_address}/32" | |
| dst_port = "80" | |
| protocol = "tcp" | |
| interface = "eth0" | |
| connection = "None" | |
| mark = "65535" | |
| dnat_ips = azurerm_lb.east-us-lb.private_ip_address | |
| dnat_port = "80" | |
| apply_route_entry = true | |
| } | |
| sync_to_ha = false | |
| } | |
| resource "aviatrix_gateway_dnat" "ingress-gw-central-dnat" { | |
| gw_name = "ingress-gw-central" | |
| dnat_policy { | |
| dst_cidr = "${azurerm_public_ip.ingress-central-us-lb-pip.ip_address}/32" | |
| dst_port = "80" | |
| protocol = "tcp" | |
| interface = "eth0" | |
| connection = "None" | |
| mark = "65537" | |
| dnat_ips = azurerm_lb.central-us-lb.private_ip_address | |
| dnat_port = "80" | |
| apply_route_entry = true | |
| } | |
| sync_to_ha = false | |
| } |
Traffic Manager
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| resource "azurerm_resource_group" "traffic-manager-acme-rg" { | |
| name = "traffic-manager-acme-rg" | |
| location = var.region-b | |
| } | |
| resource "azurerm_public_ip" "traffic-manager-acme-pip" { | |
| name = "traffic-manager-acme-pip" | |
| location = azurerm_resource_group.traffic-manager-acme-rg.location | |
| resource_group_name = azurerm_resource_group.traffic-manager-acme-rg.name | |
| allocation_method = "Static" | |
| sku = "Standard" | |
| } | |
| resource "azurerm_traffic_manager_profile" "traffic-manager-acme" { | |
| name = "acme" | |
| resource_group_name = azurerm_resource_group.traffic-manager-acme-rg.name | |
| traffic_routing_method = "Priority" | |
| dns_config { | |
| relative_name = "acme" | |
| ttl = 60 | |
| } | |
| monitor_config { | |
| protocol = "TCP" | |
| port = 80 | |
| path = "/" | |
| interval_in_seconds = 30 | |
| timeout_in_seconds = 9 | |
| tolerated_number_of_failures = 3 | |
| } | |
| } | |
| resource "azurerm_traffic_manager_external_endpoint" "east-us-lb" { | |
| name = "east-us-lb" | |
| profile_id = azurerm_traffic_manager_profile.traffic-manager-acme.id | |
| priority = 10 | |
| target = azurerm_public_ip.ingress-east-us-lb-pip.ip_address | |
| } | |
| resource "azurerm_traffic_manager_external_endpoint" "central-us-lb" { | |
| name = "central-us-lb" | |
| profile_id = azurerm_traffic_manager_profile.traffic-manager-acme.id | |
| priority = 20 | |
| target = azurerm_public_ip.ingress-central-us-lb-pip.ip_address | |
| } |
Provider
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| terraform { | |
| required_providers { | |
| azurerm = { | |
| source = "hashicorp/azurerm" | |
| version = "3.19.1" | |
| } | |
| aviatrix = { | |
| source = "aviatrixsystems/aviatrix" | |
| version = "~> 2.23.0" | |
| } | |
| } | |
| } | |
| provider "azurerm" { | |
| subscription_id = var.subscription_id | |
| client_id = var.client_id | |
| client_secret = var.client_secret | |
| tenant_id = var.tenant_id | |
| features {} | |
| } | |
| provider "aviatrix" { | |
| controller_ip = var.controller_ip | |
| username = var.username | |
| password = var.password | |
| skip_version_validation = true | |
| verify_ssl_certificate = false | |
| } |
Variables
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| variable "controller_ip" { | |
| type = string | |
| } | |
| variable "username" { | |
| type = string | |
| } | |
| variable "password" { | |
| type = string | |
| } | |
| variable "cloud" { | |
| type = string | |
| } | |
| variable "account" { | |
| type = string | |
| } | |
| variable "subscription_id" { | |
| type = string | |
| } | |
| variable "client_id" { | |
| type = string | |
| } | |
| variable "client_secret" { | |
| type = string | |
| } | |
| variable "tenant_id" { | |
| type = string | |
| } | |
| variable "region-a" { | |
| type = string | |
| } | |
| variable "region-b" { | |
| type = string | |
| } | |
| variable "cidr-region-a" { | |
| type = string | |
| } | |
| variable "cidr-region-b" { | |
| type = string | |
| } | |
| variable "instance_size" { | |
| type = string | |
| } | |
| variable "firewall_image" { | |
| type = string | |
| } | |
| variable "firewall_image_version" { | |
| type = string | |
| } | |
| variable "firewall_size" { | |
| type = string | |
| } | |
| variable "admin_username" { | |
| type = string | |
| } | |
| variable "admin_password" { | |
| type = string | |
| } | |
| variable "gw_size" { | |
| type = string | |
| } | |
| variable customer_name { | |
| type = string | |
| } |
