Credit to Zack (https://www.linkedin.com/in/zack-schaefer/) for creating a highly available and disaster-ready architecture on Azure using Aviatrix. Thanks also to Mr Smoker (https://www.linkedin.com/in/johnsmoker/) and Dennis (https://www.linkedin.com/in/dennishagens/) for helping, directly and indirectly :).
The gist shared below creates the following topology:

The VMs are running NGINX on port 80 and the traffic manager favors East.
Transit and Firenet
# Aviatrix transit for the central region (region-a): FireNet-capable, BGP over
# LAN enabled, insane mode (high-performance encryption) left off.
module "central-transit" {
  source  = "terraform-aviatrix-modules/mc-transit/aviatrix"
  version = "v2.2.0"

  cloud   = var.cloud
  account = var.account
  region  = var.region-a
  cidr    = var.cidr-region-a

  enable_transit_firenet = true
  enable_bgp_over_lan    = true
  insane_mode            = false
}
# FireNet attached to the central transit: inspection enabled, internet egress
# through the firewalls disabled.
module "central-firenet" {
  source  = "terraform-aviatrix-modules/mc-firenet/aviatrix"
  version = "v1.2.0"

  transit_module = module.central-transit

  firewall_image         = var.firewall_image
  firewall_image_version = var.firewall_image_version
  instance_size          = var.firewall_size
  # NOTE(review): the firewall admin password reuses the same variable the
  # aviatrix provider uses for the controller login; a dedicated variable would
  # keep the two credentials independent.
  password = var.password

  inspection_enabled = true
  egress_enabled     = false
}
# Aviatrix transit for the east region (region-b); mirrors central-transit.
module "east-transit" {
  source  = "terraform-aviatrix-modules/mc-transit/aviatrix"
  version = "v2.2.0"

  cloud   = var.cloud
  account = var.account
  region  = var.region-b
  cidr    = var.cidr-region-b

  enable_transit_firenet = true
  enable_bgp_over_lan    = true
  insane_mode            = false
}
# FireNet attached to the east transit; same settings as central-firenet
# (inspection on, egress off).
module "east-firenet" {
  source  = "terraform-aviatrix-modules/mc-firenet/aviatrix"
  version = "v1.2.0"

  transit_module = module.east-transit

  firewall_image         = var.firewall_image
  firewall_image_version = var.firewall_image_version
  instance_size          = var.firewall_size
  # NOTE(review): same password variable as the aviatrix provider's controller
  # login — consider a dedicated variable for the firewall.
  password = var.password

  inspection_enabled = true
  egress_enabled     = false
}
Peering
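# Peer the two regional transits (east <-> central) so spokes attached to one
# can reach spokes attached to the other.
resource "aviatrix_transit_gateway_peering" "central-east-peering" {
  # Reference gw_name, as the spoke modules do for transit_gw, instead of the
  # resource id (the aviatrix provider sets the id to the gateway name, so the
  # value is the same; the attribute now says what it is).
  transit_gateway_name1 = module.east-transit.transit_gateway.gw_name
  transit_gateway_name2 = module.central-transit.transit_gateway.gw_name
}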
Spokes
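# Ingress spoke in the central region: hosts the standalone ingress gateway and
# the public ingress load balancer. Attached to central-transit with inspection.
module "ingress-spoke-central" {
  source  = "terraform-aviatrix-modules/mc-spoke/aviatrix"
  version = "1.3.0"

  cloud   = var.cloud
  account = var.account
  region  = var.region-a
  name    = "avx-${var.region-a}-ingress"

  # Subnet #2 (/24) of the region's /16 supernet. The /16 is derived from the
  # network address rather than trimsuffix(cidr, "23"), so the expression stays
  # a valid CIDR whatever prefix length cidr-region-a has; the result is
  # identical for the /23 the original assumed.
  cidr = cidrsubnet("${split("/", var.cidr-region-a)[0]}/16", 8, 2)

  transit_gw    = module.central-transit.transit_gateway.gw_name
  inspection    = true # spoke traffic is steered to the FireNet
  ha_gw         = true
  single_az_ha  = false
  instance_size = var.instance_size
}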
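# Application spoke in the central region: hosts the NGINX VMs and the internal
# load balancer. Attached to central-transit with inspection.
module "app-spoke-central" {
  source  = "terraform-aviatrix-modules/mc-spoke/aviatrix"
  version = "1.3.0"

  cloud   = var.cloud
  account = var.account
  region  = var.region-a
  name    = "avx-${var.region-a}-app"

  # Subnet #3 (/24) of the region's /16 supernet; see ingress-spoke-central for
  # why the /16 is built from the network address instead of trimsuffix(.., "23").
  cidr = cidrsubnet("${split("/", var.cidr-region-a)[0]}/16", 8, 3)

  transit_gw    = module.central-transit.transit_gateway.gw_name
  inspection    = true
  ha_gw         = true
  single_az_ha  = false
  instance_size = var.instance_size
}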
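# Ingress spoke in the east region; counterpart of ingress-spoke-central.
module "ingress-spoke-east" {
  source  = "terraform-aviatrix-modules/mc-spoke/aviatrix"
  version = "1.3.0"

  cloud   = var.cloud
  account = var.account
  region  = var.region-b
  name    = "avx-${var.region-b}-ingress"

  # Subnet #2 (/24) of the region's /16 supernet, derived from the network
  # address so any prefix length for cidr-region-b yields a valid CIDR
  # (unchanged for a /23 input).
  cidr = cidrsubnet("${split("/", var.cidr-region-b)[0]}/16", 8, 2)

  transit_gw    = module.east-transit.transit_gateway.gw_name
  inspection    = true
  ha_gw         = true
  single_az_ha  = false
  instance_size = var.instance_size
}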
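# Application spoke in the east region; counterpart of app-spoke-central.
module "app-spoke-east" {
  source  = "terraform-aviatrix-modules/mc-spoke/aviatrix"
  version = "1.3.0"

  cloud   = var.cloud
  account = var.account
  region  = var.region-b
  name    = "avx-${var.region-b}-app"

  # Subnet #3 (/24) of the region's /16 supernet (see ingress-spoke-east).
  cidr = cidrsubnet("${split("/", var.cidr-region-b)[0]}/16", 8, 3)

  transit_gw    = module.east-transit.transit_gateway.gw_name
  inspection    = true
  ha_gw         = true
  single_az_ha  = false
  instance_size = var.instance_size
}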
VMs
East:
# Resource group for everything belonging to east-app-vm1 (region-b).
resource "azurerm_resource_group" "east-app-vm1-rg" {
  location = var.region-b
  name     = "east-app-vm1-rg"
}
# Static Standard-SKU public IP for east-app-vm1; it is the SSH target of the
# VM's remote-exec provisioner.
resource "azurerm_public_ip" "east-app-vm1-pip" {
  name                = "east-app-vm1-pip"
  location            = var.region-b
  resource_group_name = azurerm_resource_group.east-app-vm1-rg.name
  sku                 = "Standard"
  allocation_method   = "Static"
}
# NIC for east-app-vm1 in app-spoke subnet #1, with the public IP attached.
resource "azurerm_network_interface" "east-app-vm1-nic" {
  name                = "east-app-vm1-nic"
  resource_group_name = azurerm_resource_group.east-app-vm1-rg.name
  location            = var.region-b

  ip_configuration {
    name                          = "primary"
    subnet_id                     = module.app-spoke-east.vpc.public_subnets[1].subnet_id
    private_ip_address_allocation = "Dynamic"
    public_ip_address_id          = azurerm_public_ip.east-app-vm1-pip.id
  }
}
# Subnet-level NSG for east-app-vm1: SSH and HTTP inbound, anything outbound.
resource "azurerm_network_security_group" "east-app-vm1-nsg" {
  name                = "east-app-vm1-nsg"
  location            = var.region-b
  resource_group_name = azurerm_resource_group.east-app-vm1-rg.name

  # NOTE(review): SSH is admitted from any source ("*") to a VM that has a
  # public IP and accepts password logins. The remote-exec provisioner needs
  # this path; narrow source_address_prefix to the operator's egress range
  # once provisioning no longer depends on it.
  security_rule {
    name                       = "ssh"
    priority                   = 900
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_address_prefix      = "*"
    source_port_range          = "*"
    destination_address_prefix = "*"
    destination_port_range     = "22"
  }

  # Port 80 is the NGINX service the internal LB probes and forwards to.
  security_rule {
    name                       = "http"
    priority                   = 910
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_address_prefix      = "*"
    source_port_range          = "*"
    destination_address_prefix = "*"
    destination_port_range     = "80"
  }

  # Explicit allow-all egress.
  security_rule {
    name                       = "AnyOut"
    priority                   = 920
    direction                  = "Outbound"
    access                     = "Allow"
    protocol                   = "*"
    source_address_prefix      = "*"
    source_port_range          = "*"
    destination_address_prefix = "*"
    destination_port_range     = "*"
  }
}
# Bind the NSG to the whole app-spoke subnet the VM's NIC lives in
# (subnet-level rather than NIC-level association).
resource "azurerm_subnet_network_security_group_association" "east-app-vm1-nsg-association" {
  network_security_group_id = azurerm_network_security_group.east-app-vm1-nsg.id
  subnet_id                 = module.app-spoke-east.vpc.public_subnets[1].subnet_id
}
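# NGINX VM #1 in the east app spoke, installed over SSH by remote-exec.
resource "azurerm_linux_virtual_machine" "east-app-vm1" {
  name                = "east-app-vm1"
  resource_group_name = azurerm_resource_group.east-app-vm1-rg.name
  location            = var.region-b
  size                = var.instance_size

  # Password SSH on an internet-reachable VM; the provisioner below relies on
  # it. NOTE(review): prefer admin_ssh_key + disable_password_authentication =
  # true once provisioning is moved to custom_data/cloud-init.
  admin_username                  = var.admin_username
  admin_password                  = var.admin_password
  disable_password_authentication = false

  network_interface_ids = [azurerm_network_interface.east-app-vm1-nic.id]

  os_disk {
    caching              = "ReadWrite"
    storage_account_type = "Standard_LRS"
  }

  # NOTE(review): Ubuntu 16.04 LTS is past end of standard support; move to a
  # supported SKU when the demo is next rebuilt.
  source_image_reference {
    publisher = "Canonical"
    offer     = "UbuntuServer"
    sku       = "16.04-LTS"
    version   = "latest"
  }

  # Nothing else links the VM to the NSG association, so without this the
  # provisioner can start (and spend its connection timeout failing) before
  # the subnet rule admitting SSH exists.
  depends_on = [azurerm_subnet_network_security_group_association.east-app-vm1-nsg-association]

  provisioner "remote-exec" {
    # Refresh package lists first: a bare `apt install` on a fresh image can
    # fail with "unable to locate package". apt-get is the scripting-safe
    # front end (apt warns that its CLI is not stable for scripts).
    inline = [
      "/usr/bin/sudo apt-get update",
      "/usr/bin/sudo apt-get install -y nginx",
    ]

    connection {
      type     = "ssh"
      host     = azurerm_public_ip.east-app-vm1-pip.ip_address
      user     = var.admin_username
      password = var.admin_password
    }
  }
}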
# Resource group for everything belonging to east-app-vm2 (region-b).
resource "azurerm_resource_group" "east-app-vm2-rg" {
  location = var.region-b
  name     = "east-app-vm2-rg"
}
# Static Standard-SKU public IP for east-app-vm2 (SSH target of remote-exec).
resource "azurerm_public_ip" "east-app-vm2-pip" {
  name                = "east-app-vm2-pip"
  location            = var.region-b
  resource_group_name = azurerm_resource_group.east-app-vm2-rg.name
  sku                 = "Standard"
  allocation_method   = "Static"
}
# NIC for east-app-vm2 in app-spoke subnet #2, with the public IP attached.
resource "azurerm_network_interface" "east-app-vm2-nic" {
  name                = "east-app-vm2-nic"
  resource_group_name = azurerm_resource_group.east-app-vm2-rg.name
  location            = var.region-b

  ip_configuration {
    name                          = "primary"
    subnet_id                     = module.app-spoke-east.vpc.public_subnets[2].subnet_id
    private_ip_address_allocation = "Dynamic"
    public_ip_address_id          = azurerm_public_ip.east-app-vm2-pip.id
  }
}
# Subnet-level NSG for east-app-vm2: SSH and HTTP inbound, anything outbound.
resource "azurerm_network_security_group" "east-app-vm2-nsg" {
  name                = "east-app-vm2-nsg"
  location            = var.region-b
  resource_group_name = azurerm_resource_group.east-app-vm2-rg.name

  # NOTE(review): SSH from any source to a password-login VM with a public IP;
  # needed by the remote-exec provisioner, so narrow source_address_prefix to
  # the operator's egress range once provisioning no longer depends on it.
  security_rule {
    name                       = "ssh"
    priority                   = 900
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_address_prefix      = "*"
    source_port_range          = "*"
    destination_address_prefix = "*"
    destination_port_range     = "22"
  }

  # Port 80 is the NGINX service the internal LB probes and forwards to.
  security_rule {
    name                       = "http"
    priority                   = 910
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_address_prefix      = "*"
    source_port_range          = "*"
    destination_address_prefix = "*"
    destination_port_range     = "80"
  }

  # Explicit allow-all egress.
  security_rule {
    name                       = "AnyOut"
    priority                   = 920
    direction                  = "Outbound"
    access                     = "Allow"
    protocol                   = "*"
    source_address_prefix      = "*"
    source_port_range          = "*"
    destination_address_prefix = "*"
    destination_port_range     = "*"
  }
}
# Bind the NSG to app-spoke subnet #2, where east-app-vm2's NIC lives.
resource "azurerm_subnet_network_security_group_association" "east-app-vm2-nsg-association" {
  network_security_group_id = azurerm_network_security_group.east-app-vm2-nsg.id
  subnet_id                 = module.app-spoke-east.vpc.public_subnets[2].subnet_id
}
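# NGINX VM #2 in the east app spoke, installed over SSH by remote-exec.
resource "azurerm_linux_virtual_machine" "east-app-vm2" {
  name                = "east-app-vm2"
  resource_group_name = azurerm_resource_group.east-app-vm2-rg.name
  location            = var.region-b
  size                = var.instance_size

  # Password SSH on an internet-reachable VM; the provisioner below relies on
  # it. NOTE(review): prefer admin_ssh_key + disable_password_authentication =
  # true once provisioning is moved to custom_data/cloud-init.
  admin_username                  = var.admin_username
  admin_password                  = var.admin_password
  disable_password_authentication = false

  network_interface_ids = [azurerm_network_interface.east-app-vm2-nic.id]

  os_disk {
    caching              = "ReadWrite"
    storage_account_type = "Standard_LRS"
  }

  # NOTE(review): Ubuntu 16.04 LTS is past end of standard support; move to a
  # supported SKU when the demo is next rebuilt.
  source_image_reference {
    publisher = "Canonical"
    offer     = "UbuntuServer"
    sku       = "16.04-LTS"
    version   = "latest"
  }

  # Nothing else links the VM to the NSG association; without this the
  # provisioner can start before the subnet rule admitting SSH exists.
  depends_on = [azurerm_subnet_network_security_group_association.east-app-vm2-nsg-association]

  provisioner "remote-exec" {
    # Refresh package lists before installing; apt-get is the scripting-safe
    # front end.
    inline = [
      "/usr/bin/sudo apt-get update",
      "/usr/bin/sudo apt-get install -y nginx",
    ]

    connection {
      type     = "ssh"
      host     = azurerm_public_ip.east-app-vm2-pip.ip_address
      user     = var.admin_username
      password = var.admin_password
    }
  }
}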
Central:
# Resource group for everything belonging to central-app-vm1 (region-a).
resource "azurerm_resource_group" "central-app-vm1-rg" {
  location = var.region-a
  name     = "central-app-vm1-rg"
}
# Static Standard-SKU public IP for central-app-vm1 (SSH target of remote-exec).
resource "azurerm_public_ip" "central-app-vm1-pip" {
  name                = "central-app-vm1-pip"
  location            = var.region-a
  resource_group_name = azurerm_resource_group.central-app-vm1-rg.name
  sku                 = "Standard"
  allocation_method   = "Static"
}
# NIC for central-app-vm1 in app-spoke subnet #1, with the public IP attached.
resource "azurerm_network_interface" "central-app-vm1-nic" {
  name                = "central-app-vm1-nic"
  resource_group_name = azurerm_resource_group.central-app-vm1-rg.name
  location            = var.region-a

  ip_configuration {
    name                          = "primary"
    subnet_id                     = module.app-spoke-central.vpc.public_subnets[1].subnet_id
    private_ip_address_allocation = "Dynamic"
    public_ip_address_id          = azurerm_public_ip.central-app-vm1-pip.id
  }
}
# Subnet-level NSG for central-app-vm1: SSH and HTTP inbound, anything outbound.
resource "azurerm_network_security_group" "central-app-vm1-nsg" {
  name                = "central-app-vm1-nsg"
  location            = var.region-a
  resource_group_name = azurerm_resource_group.central-app-vm1-rg.name

  # NOTE(review): SSH from any source to a password-login VM with a public IP;
  # needed by the remote-exec provisioner, so narrow source_address_prefix to
  # the operator's egress range once provisioning no longer depends on it.
  security_rule {
    name                       = "ssh"
    priority                   = 900
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_address_prefix      = "*"
    source_port_range          = "*"
    destination_address_prefix = "*"
    destination_port_range     = "22"
  }

  # Port 80 is the NGINX service the internal LB probes and forwards to.
  security_rule {
    name                       = "http"
    priority                   = 910
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_address_prefix      = "*"
    source_port_range          = "*"
    destination_address_prefix = "*"
    destination_port_range     = "80"
  }

  # Explicit allow-all egress.
  security_rule {
    name                       = "AnyOut"
    priority                   = 920
    direction                  = "Outbound"
    access                     = "Allow"
    protocol                   = "*"
    source_address_prefix      = "*"
    source_port_range          = "*"
    destination_address_prefix = "*"
    destination_port_range     = "*"
  }
}
# Bind the NSG to app-spoke subnet #1, where central-app-vm1's NIC lives.
resource "azurerm_subnet_network_security_group_association" "central-app-vm1-nsg-association" {
  network_security_group_id = azurerm_network_security_group.central-app-vm1-nsg.id
  subnet_id                 = module.app-spoke-central.vpc.public_subnets[1].subnet_id
}
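# NGINX VM #1 in the central app spoke, installed over SSH by remote-exec.
resource "azurerm_linux_virtual_machine" "central-app-vm1" {
  name                = "central-app-vm1"
  resource_group_name = azurerm_resource_group.central-app-vm1-rg.name
  location            = var.region-a
  size                = var.instance_size

  # Password SSH on an internet-reachable VM; the provisioner below relies on
  # it. NOTE(review): prefer admin_ssh_key + disable_password_authentication =
  # true once provisioning is moved to custom_data/cloud-init.
  admin_username                  = var.admin_username
  admin_password                  = var.admin_password
  disable_password_authentication = false

  network_interface_ids = [azurerm_network_interface.central-app-vm1-nic.id]

  os_disk {
    caching              = "ReadWrite"
    storage_account_type = "Standard_LRS"
  }

  # NOTE(review): Ubuntu 16.04 LTS is past end of standard support; move to a
  # supported SKU when the demo is next rebuilt.
  source_image_reference {
    publisher = "Canonical"
    offer     = "UbuntuServer"
    sku       = "16.04-LTS"
    version   = "latest"
  }

  # Nothing else links the VM to the NSG association; without this the
  # provisioner can start before the subnet rule admitting SSH exists.
  depends_on = [azurerm_subnet_network_security_group_association.central-app-vm1-nsg-association]

  provisioner "remote-exec" {
    # Refresh package lists before installing; apt-get is the scripting-safe
    # front end.
    inline = [
      "/usr/bin/sudo apt-get update",
      "/usr/bin/sudo apt-get install -y nginx",
    ]

    connection {
      type     = "ssh"
      host     = azurerm_public_ip.central-app-vm1-pip.ip_address
      user     = var.admin_username
      password = var.admin_password
    }
  }
}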
# Resource group for everything belonging to central-app-vm2 (region-a).
resource "azurerm_resource_group" "central-app-vm2-rg" {
  location = var.region-a
  name     = "central-app-vm2-rg"
}
# Static Standard-SKU public IP for central-app-vm2 (SSH target of remote-exec).
resource "azurerm_public_ip" "central-app-vm2-pip" {
  name                = "central-app-vm2-pip"
  location            = var.region-a
  resource_group_name = azurerm_resource_group.central-app-vm2-rg.name
  sku                 = "Standard"
  allocation_method   = "Static"
}
# NIC for central-app-vm2 in app-spoke subnet #2, with the public IP attached.
resource "azurerm_network_interface" "central-app-vm2-nic" {
  name                = "central-app-vm2-nic"
  resource_group_name = azurerm_resource_group.central-app-vm2-rg.name
  location            = var.region-a

  ip_configuration {
    name                          = "primary"
    subnet_id                     = module.app-spoke-central.vpc.public_subnets[2].subnet_id
    private_ip_address_allocation = "Dynamic"
    public_ip_address_id          = azurerm_public_ip.central-app-vm2-pip.id
  }
}
# Subnet-level NSG for central-app-vm2: SSH and HTTP inbound, anything outbound.
resource "azurerm_network_security_group" "central-app-vm2-nsg" {
  name                = "central-app-vm2-nsg"
  location            = var.region-a
  resource_group_name = azurerm_resource_group.central-app-vm2-rg.name

  # NOTE(review): SSH from any source to a password-login VM with a public IP;
  # needed by the remote-exec provisioner, so narrow source_address_prefix to
  # the operator's egress range once provisioning no longer depends on it.
  security_rule {
    name                       = "ssh"
    priority                   = 900
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_address_prefix      = "*"
    source_port_range          = "*"
    destination_address_prefix = "*"
    destination_port_range     = "22"
  }

  # Port 80 is the NGINX service the internal LB probes and forwards to.
  security_rule {
    name                       = "http"
    priority                   = 910
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_address_prefix      = "*"
    source_port_range          = "*"
    destination_address_prefix = "*"
    destination_port_range     = "80"
  }

  # Explicit allow-all egress.
  security_rule {
    name                       = "AnyOut"
    priority                   = 920
    direction                  = "Outbound"
    access                     = "Allow"
    protocol                   = "*"
    source_address_prefix      = "*"
    source_port_range          = "*"
    destination_address_prefix = "*"
    destination_port_range     = "*"
  }
}
# Bind the NSG to app-spoke subnet #2, where central-app-vm2's NIC lives.
resource "azurerm_subnet_network_security_group_association" "central-app-vm2-nsg-association" {
  network_security_group_id = azurerm_network_security_group.central-app-vm2-nsg.id
  subnet_id                 = module.app-spoke-central.vpc.public_subnets[2].subnet_id
}
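# NGINX VM #2 in the central app spoke, installed over SSH by remote-exec.
resource "azurerm_linux_virtual_machine" "central-app-vm2" {
  name                = "central-app-vm2"
  resource_group_name = azurerm_resource_group.central-app-vm2-rg.name
  location            = var.region-a
  size                = var.instance_size

  # Password SSH on an internet-reachable VM; the provisioner below relies on
  # it. NOTE(review): prefer admin_ssh_key + disable_password_authentication =
  # true once provisioning is moved to custom_data/cloud-init.
  admin_username                  = var.admin_username
  admin_password                  = var.admin_password
  disable_password_authentication = false

  network_interface_ids = [azurerm_network_interface.central-app-vm2-nic.id]

  os_disk {
    caching              = "ReadWrite"
    storage_account_type = "Standard_LRS"
  }

  # NOTE(review): Ubuntu 16.04 LTS is past end of standard support; move to a
  # supported SKU when the demo is next rebuilt.
  source_image_reference {
    publisher = "Canonical"
    offer     = "UbuntuServer"
    sku       = "16.04-LTS"
    version   = "latest"
  }

  # Nothing else links the VM to the NSG association; without this the
  # provisioner can start before the subnet rule admitting SSH exists.
  depends_on = [azurerm_subnet_network_security_group_association.central-app-vm2-nsg-association]

  provisioner "remote-exec" {
    # Refresh package lists before installing; apt-get is the scripting-safe
    # front end.
    inline = [
      "/usr/bin/sudo apt-get update",
      "/usr/bin/sudo apt-get install -y nginx",
    ]

    connection {
      type     = "ssh"
      host     = azurerm_public_ip.central-app-vm2-pip.ip_address
      user     = var.admin_username
      password = var.admin_password
    }
  }
}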
Load Balancers
# Resource group for the east public ingress load balancer (region-b).
resource "azurerm_resource_group" "ingress-east-us-lb-rg" {
  location = var.region-b
  name     = "ingress-east-us-lb-rg"
}
# Public front-end address of the east ingress LB. It is also the Traffic
# Manager endpoint target and the dst_cidr of the east gateway's DNAT policy.
resource "azurerm_public_ip" "ingress-east-us-lb-pip" {
  name                = "ingress-east-us-lb-pip"
  resource_group_name = azurerm_resource_group.ingress-east-us-lb-rg.name
  location            = azurerm_resource_group.ingress-east-us-lb-rg.location
  sku                 = "Standard"
  allocation_method   = "Static"
}
# Internet-facing Standard LB in front of the east ingress gateway.
resource "azurerm_lb" "ingress-east-us-lb" {
  name                = "ingress-east-us-lb"
  resource_group_name = azurerm_resource_group.ingress-east-us-lb-rg.name
  location            = azurerm_resource_group.ingress-east-us-lb-rg.location
  sku                 = "Standard"

  # Name is referenced by the LB rule's frontend_ip_configuration_name.
  frontend_ip_configuration {
    name                 = "PublicIPAddress"
    public_ip_address_id = azurerm_public_ip.ingress-east-us-lb-pip.id
  }
}
# Health probe for the ingress gateway back end. No protocol is set, so this
# is a TCP probe; it checks 443 on the gateway while the rule forwards 80 —
# presumably the gateway's own HTTPS listener is the liveness signal (confirm).
resource "azurerm_lb_probe" "ingress-east-us-lb-probe" {
  name            = "ingress-east-us-lb-probe"
  loadbalancer_id = azurerm_lb.ingress-east-us-lb.id
  port            = "443"
}
# Put the east ingress gateway's private IP into the LB back-end pool
# (addressed by IP within the ingress spoke VNet, not by NIC).
resource "azurerm_lb_backend_address_pool_address" "azurerm_lb_backend_address_pool_address-ingress-gw-east" {
  name                    = "ingress-gw-east"
  backend_address_pool_id = azurerm_lb_backend_address_pool.ingress-east-us-lb-backend.id
  virtual_network_id      = module.ingress-spoke-east.vpc.azure_vnet_resource_id
  ip_address              = aviatrix_gateway.ingress-gw-east.private_ip
}
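# TCP/80 rule from the public front end to the ingress gateway pool.
resource "azurerm_lb_rule" "ingress-east-us-lb-rule" {
  name                           = "LBRule"
  loadbalancer_id                = azurerm_lb.ingress-east-us-lb.id
  protocol                       = "Tcp"
  frontend_port                  = 80
  backend_port                   = 80
  frontend_ip_configuration_name = "PublicIPAddress"
  probe_id                       = azurerm_lb_probe.ingress-east-us-lb-probe.id
  # Direct reference instead of the legacy "${...}" interpolation-only string.
  backend_address_pool_ids = [azurerm_lb_backend_address_pool.ingress-east-us-lb-backend.id]
  # Floating IP keeps the LB's public address as the packet destination, which
  # is what the gateway's DNAT policy matches on (dst_cidr = <lb pip>/32).
  enable_floating_ip = true
}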
# Back-end pool of the east ingress LB; members are added via
# azurerm_lb_backend_address_pool_address.
resource "azurerm_lb_backend_address_pool" "ingress-east-us-lb-backend" {
  name            = "BackEndPool"
  loadbalancer_id = azurerm_lb.ingress-east-us-lb.id
}
# Resource group for the central public ingress load balancer (region-a).
resource "azurerm_resource_group" "ingress-central-us-lb-rg" {
  location = var.region-a
  name     = "ingress-central-us-lb-rg"
}
# Public front-end address of the central ingress LB; also the Traffic Manager
# endpoint target and the dst_cidr of the central gateway's DNAT policy.
resource "azurerm_public_ip" "ingress-central-us-lb-pip" {
  name                = "ingress-central-us-lb-pip"
  resource_group_name = azurerm_resource_group.ingress-central-us-lb-rg.name
  location            = azurerm_resource_group.ingress-central-us-lb-rg.location
  sku                 = "Standard"
  allocation_method   = "Static"
}
# Internet-facing Standard LB in front of the central ingress gateway.
resource "azurerm_lb" "ingress-central-us-lb" {
  name                = "ingress-central-us-lb"
  resource_group_name = azurerm_resource_group.ingress-central-us-lb-rg.name
  location            = azurerm_resource_group.ingress-central-us-lb-rg.location
  sku                 = "Standard"

  # Name is referenced by the LB rule's frontend_ip_configuration_name.
  frontend_ip_configuration {
    name                 = "PublicIPAddress"
    public_ip_address_id = azurerm_public_ip.ingress-central-us-lb-pip.id
  }
}
# TCP health probe (no protocol set) against 443 on the central ingress
# gateway; the rule forwards 80, so confirm 443 is the intended liveness port.
resource "azurerm_lb_probe" "ingress-central-us-lb-probe" {
  name            = "ingress-central-us-lb-probe"
  loadbalancer_id = azurerm_lb.ingress-central-us-lb.id
  port            = "443"
}
# Put the central ingress gateway's private IP into the LB back-end pool.
resource "azurerm_lb_backend_address_pool_address" "azurerm_lb_backend_address_pool_address-ingress-gw-central" {
  name                    = "ingress-gw-central"
  backend_address_pool_id = azurerm_lb_backend_address_pool.ingress-central-us-lb-backend.id
  virtual_network_id      = module.ingress-spoke-central.vpc.azure_vnet_resource_id
  ip_address              = aviatrix_gateway.ingress-gw-central.private_ip
}
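# TCP/80 rule from the public front end to the central ingress gateway pool.
resource "azurerm_lb_rule" "ingress-central-us-lb-rule" {
  name                           = "LBRule"
  loadbalancer_id                = azurerm_lb.ingress-central-us-lb.id
  protocol                       = "Tcp"
  frontend_port                  = 80
  backend_port                   = 80
  frontend_ip_configuration_name = "PublicIPAddress"
  probe_id                       = azurerm_lb_probe.ingress-central-us-lb-probe.id
  # Direct reference instead of the legacy "${...}" interpolation-only string.
  backend_address_pool_ids = [azurerm_lb_backend_address_pool.ingress-central-us-lb-backend.id]
  # Floating IP preserves the LB's public address as the packet destination,
  # which the gateway's DNAT policy matches on (dst_cidr = <lb pip>/32).
  enable_floating_ip = true
}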
# Back-end pool of the central ingress LB (members added by address resource).
resource "azurerm_lb_backend_address_pool" "ingress-central-us-lb-backend" {
  name            = "BackEndPool"
  loadbalancer_id = azurerm_lb.ingress-central-us-lb.id
}
# Resource group for the east internal (app-tier) load balancer (region-b).
resource "azurerm_resource_group" "east-us-lb-rg" {
  location = var.region-b
  name     = "east-us-lb-rg"
}
# Internal Standard LB in the east app spoke; its private front-end address is
# the dnat_ips target of the east ingress gateway. The front end is named
# "PublicIPAddress" for parity with the ingress LBs even though it is a subnet
# (private) front end.
resource "azurerm_lb" "east-us-lb" {
  name                = "east-us-lb"
  resource_group_name = azurerm_resource_group.east-us-lb-rg.name
  location            = azurerm_resource_group.east-us-lb-rg.location
  sku                 = "Standard"

  frontend_ip_configuration {
    name      = "PublicIPAddress"
    subnet_id = module.app-spoke-east.vpc.public_subnets[1].subnet_id
  }
}
# TCP probe on port 80, the NGINX listener on the app VMs.
resource "azurerm_lb_probe" "east-us-lb-probe" {
  name            = "east-us-lb-probe"
  loadbalancer_id = azurerm_lb.east-us-lb.id
  port            = "80"
}
# east-app-vm1's private NIC address as a pool member of the east internal LB.
resource "azurerm_lb_backend_address_pool_address" "azurerm_lb_backend_address_pool_address-east-app-vm1" {
  name                    = "east-app-vm1"
  backend_address_pool_id = azurerm_lb_backend_address_pool.east-us-lb-backend.id
  virtual_network_id      = module.app-spoke-east.vpc.azure_vnet_resource_id
  ip_address              = azurerm_network_interface.east-app-vm1-nic.private_ip_address
}
# east-app-vm2's private NIC address as a pool member of the east internal LB.
resource "azurerm_lb_backend_address_pool_address" "azurerm_lb_backend_address_pool_address-east-app-vm2" {
  name                    = "east-app-vm2"
  backend_address_pool_id = azurerm_lb_backend_address_pool.east-us-lb-backend.id
  virtual_network_id      = module.app-spoke-east.vpc.azure_vnet_resource_id
  ip_address              = azurerm_network_interface.east-app-vm2-nic.private_ip_address
}
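# TCP/80 rule from the internal front end to the east app VM pool
# (no floating IP here — the VMs see the LB-translated destination).
resource "azurerm_lb_rule" "east-us-lb-rule" {
  name                           = "LBRule"
  loadbalancer_id                = azurerm_lb.east-us-lb.id
  protocol                       = "Tcp"
  frontend_port                  = 80
  backend_port                   = 80
  frontend_ip_configuration_name = "PublicIPAddress"
  probe_id                       = azurerm_lb_probe.east-us-lb-probe.id
  # Direct reference instead of the legacy "${...}" interpolation-only string.
  backend_address_pool_ids = [azurerm_lb_backend_address_pool.east-us-lb-backend.id]
}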
# Back-end pool of the east internal LB (the two east app VMs).
resource "azurerm_lb_backend_address_pool" "east-us-lb-backend" {
  name            = "BackEndPool"
  loadbalancer_id = azurerm_lb.east-us-lb.id
}
# Resource group for the central internal (app-tier) load balancer (region-a).
resource "azurerm_resource_group" "central-us-lb-rg" {
  location = var.region-a
  name     = "central-us-lb-rg"
}
# Internal Standard LB in the central app spoke; its private front-end address
# is the dnat_ips target of the central ingress gateway. Front end is named
# "PublicIPAddress" for parity with the ingress LBs although it is a subnet
# (private) front end.
resource "azurerm_lb" "central-us-lb" {
  name                = "central-us-lb"
  resource_group_name = azurerm_resource_group.central-us-lb-rg.name
  location            = azurerm_resource_group.central-us-lb-rg.location
  sku                 = "Standard"

  frontend_ip_configuration {
    name      = "PublicIPAddress"
    subnet_id = module.app-spoke-central.vpc.public_subnets[1].subnet_id
  }
}
# TCP probe on port 80, the NGINX listener on the app VMs.
resource "azurerm_lb_probe" "central-us-lb-probe" {
  name            = "central-us-lb-probe"
  loadbalancer_id = azurerm_lb.central-us-lb.id
  port            = "80"
}
# central-app-vm1's private NIC address as a pool member of the central LB.
resource "azurerm_lb_backend_address_pool_address" "azurerm_lb_backend_address_pool_address-central-app-vm1" {
  name                    = "central-app-vm1"
  backend_address_pool_id = azurerm_lb_backend_address_pool.central-us-lb-backend.id
  virtual_network_id      = module.app-spoke-central.vpc.azure_vnet_resource_id
  ip_address              = azurerm_network_interface.central-app-vm1-nic.private_ip_address
}
# central-app-vm2's private NIC address as a pool member of the central LB.
resource "azurerm_lb_backend_address_pool_address" "azurerm_lb_backend_address_pool_address-central-app-vm2" {
  name                    = "central-app-vm2"
  backend_address_pool_id = azurerm_lb_backend_address_pool.central-us-lb-backend.id
  virtual_network_id      = module.app-spoke-central.vpc.azure_vnet_resource_id
  ip_address              = azurerm_network_interface.central-app-vm2-nic.private_ip_address
}
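# TCP/80 rule from the internal front end to the central app VM pool.
resource "azurerm_lb_rule" "central-us-lb-rule" {
  name                           = "LBRule"
  loadbalancer_id                = azurerm_lb.central-us-lb.id
  protocol                       = "Tcp"
  frontend_port                  = 80
  backend_port                   = 80
  frontend_ip_configuration_name = "PublicIPAddress"
  probe_id                       = azurerm_lb_probe.central-us-lb-probe.id
  # Direct reference instead of the legacy "${...}" interpolation-only string.
  backend_address_pool_ids = [azurerm_lb_backend_address_pool.central-us-lb-backend.id]
}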
# Back-end pool of the central internal LB (the two central app VMs).
resource "azurerm_lb_backend_address_pool" "central-us-lb-backend" {
  name            = "BackEndPool"
  loadbalancer_id = azurerm_lb.central-us-lb.id
}
Standalone Gateways
# Standalone (no HA peer) Aviatrix gateway in the east ingress spoke. Its
# private IP is the ingress LB's back end and the SNAT source address.
resource "aviatrix_gateway" "ingress-gw-east" {
  gw_name      = "ingress-gw-east"
  gw_size      = var.gw_size
  account_name = var.account
  cloud_type   = "8" # Aviatrix cloud_type 8 = Azure
  vpc_id       = module.ingress-spoke-east.vpc.vpc_id
  vpc_reg      = var.region-b
  subnet       = module.ingress-spoke-east.vpc.public_subnets[1].cidr
}
# Standalone (no HA peer) Aviatrix gateway in the central ingress spoke;
# counterpart of ingress-gw-east.
resource "aviatrix_gateway" "ingress-gw-central" {
  gw_name      = "ingress-gw-central"
  gw_size      = var.gw_size
  account_name = var.account
  cloud_type   = "8" # Aviatrix cloud_type 8 = Azure
  vpc_id       = module.ingress-spoke-central.vpc.vpc_id
  vpc_reg      = var.region-a
  subnet       = module.ingress-spoke-central.vpc.public_subnets[1].cidr
}
SNAT
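# Customized SNAT on the east ingress gateway: all traffic leaving eth0 is
# rewritten to the gateway's own private IP (presumably so replies from the app
# tier return via this gateway). The mark value matches the east DNAT policy.
resource "aviatrix_gateway_snat" "ingress-gw-east-snat" {
  # Reference the gateway instead of repeating its name as a literal, so the
  # name lives in one place and the ordering dependency is explicit.
  gw_name   = aviatrix_gateway.ingress-gw-east.gw_name
  snat_mode = "customized_snat"

  snat_policy {
    protocol   = "all"
    interface  = "eth0"
    connection = "None"
    mark       = "65535"
    snat_ips   = aviatrix_gateway.ingress-gw-east.private_ip
  }

  # The gateway is deployed without an HA peer, so there is nothing to sync to.
  sync_to_ha = false
}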
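# Customized SNAT on the central ingress gateway; counterpart of the east
# policy. The mark value matches the central DNAT policy.
resource "aviatrix_gateway_snat" "ingress-gw-central-snat" {
  # Reference the gateway instead of a literal name (single source of truth,
  # explicit dependency).
  gw_name   = aviatrix_gateway.ingress-gw-central.gw_name
  snat_mode = "customized_snat"

  snat_policy {
    protocol   = "all"
    interface  = "eth0"
    connection = "None"
    mark       = "65537"
    snat_ips   = aviatrix_gateway.ingress-gw-central.private_ip
  }

  # No HA peer on this gateway.
  sync_to_ha = false
}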
DNAT
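# DNAT on the east ingress gateway: TCP/80 arriving for the ingress LB's public
# address (preserved by the LB rule's floating IP) is redirected to the east
# internal LB's private front end. The mark value matches the east SNAT policy.
resource "aviatrix_gateway_dnat" "ingress-gw-east-dnat" {
  # The literal gateway name gave this resource no dependency on the gateway,
  # so it could be applied before the gateway exists; the reference fixes the
  # ordering and keeps the name in one place.
  gw_name = aviatrix_gateway.ingress-gw-east.gw_name

  dnat_policy {
    dst_cidr         = "${azurerm_public_ip.ingress-east-us-lb-pip.ip_address}/32"
    dst_port         = "80"
    protocol         = "tcp"
    interface        = "eth0"
    connection       = "None"
    mark             = "65535"
    dnat_ips         = azurerm_lb.east-us-lb.private_ip_address
    dnat_port        = "80"
    apply_route_entry = true
  }

  # No HA peer on this gateway.
  sync_to_ha = false
}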
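# DNAT on the central ingress gateway; counterpart of the east policy
# (LB public address -> central internal LB private front end, TCP/80).
resource "aviatrix_gateway_dnat" "ingress-gw-central-dnat" {
  # Reference the gateway so the DNAT cannot be applied before it exists
  # (the literal name carried no dependency).
  gw_name = aviatrix_gateway.ingress-gw-central.gw_name

  dnat_policy {
    dst_cidr         = "${azurerm_public_ip.ingress-central-us-lb-pip.ip_address}/32"
    dst_port         = "80"
    protocol         = "tcp"
    interface        = "eth0"
    connection       = "None"
    mark             = "65537"
    dnat_ips         = azurerm_lb.central-us-lb.private_ip_address
    dnat_port        = "80"
    apply_route_entry = true
  }

  # No HA peer on this gateway.
  sync_to_ha = false
}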
Traffic Manager
# Resource group for the Traffic Manager profile (placed in region-b; Traffic
# Manager itself is global).
resource "azurerm_resource_group" "traffic-manager-acme-rg" {
  location = var.region-b
  name     = "traffic-manager-acme-rg"
}
# NOTE(review): nothing in the listings shown references this public IP — the
# Traffic Manager endpoints target the ingress LB addresses. Confirm it is used
# elsewhere before keeping it (it is a billable, internet-exposed resource).
resource "azurerm_public_ip" "traffic-manager-acme-pip" {
  name                = "traffic-manager-acme-pip"
  resource_group_name = azurerm_resource_group.traffic-manager-acme-rg.name
  location            = azurerm_resource_group.traffic-manager-acme-rg.location
  sku                 = "Standard"
  allocation_method   = "Static"
}
# DNS-based failover between the two regional ingress LBs: Priority routing
# sends clients to the lowest-priority healthy endpoint.
resource "azurerm_traffic_manager_profile" "traffic-manager-acme" {
  name                   = "acme"
  resource_group_name    = azurerm_resource_group.traffic-manager-acme-rg.name
  traffic_routing_method = "Priority"

  dns_config {
    relative_name = "acme"
    ttl           = 60 # short TTL bounds failover time seen by clients
  }

  # Endpoint is unhealthy after 3 failed TCP/80 checks at 30 s intervals.
  # NOTE(review): path only applies to HTTP/HTTPS monitors; with TCP it is
  # ignored — confirm whether an HTTP check of "/" was intended.
  monitor_config {
    protocol                     = "TCP"
    port                         = 80
    path                         = "/"
    interval_in_seconds          = 30
    timeout_in_seconds           = 9
    tolerated_number_of_failures = 3
  }
}
# Preferred endpoint (priority 10): the east ingress LB's public IP.
resource "azurerm_traffic_manager_external_endpoint" "east-us-lb" {
  name       = "east-us-lb"
  profile_id = azurerm_traffic_manager_profile.traffic-manager-acme.id
  target     = azurerm_public_ip.ingress-east-us-lb-pip.ip_address
  priority   = 10
}
# Failover endpoint (priority 20): the central ingress LB's public IP.
resource "azurerm_traffic_manager_external_endpoint" "central-us-lb" {
  name       = "central-us-lb"
  profile_id = azurerm_traffic_manager_profile.traffic-manager-acme.id
  target     = azurerm_public_ip.ingress-central-us-lb-pip.ip_address
  priority   = 20
}
Provider
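terraform {
  # No floor was declared. 0.14 is the first release with the provider lock
  # file and the `sensitive` variable attribute, so pin at least that.
  required_version = ">= 0.14"

  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "3.19.1"
    }
    aviatrix = {
      source  = "aviatrixsystems/aviatrix"
      version = "~> 2.23.0"
    }
  }
}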
# Service-principal (client secret) authentication to Azure; every value comes
# from a variable so no credential is committed with the configuration.
provider "azurerm" {
  features {}

  tenant_id       = var.tenant_id
  subscription_id = var.subscription_id
  client_id       = var.client_id
  client_secret   = var.client_secret
}
# Aviatrix controller login (username/password from variables).
provider "aviatrix" {
  controller_ip = var.controller_ip
  username      = var.username
  password      = var.password

  # NOTE(review): TLS verification of the controller is off and the
  # controller/provider version check is skipped. The first means the
  # controller credential is sent without verifying who answers on
  # controller_ip; keep only for a lab with a self-signed certificate.
  verify_ssl_certificate  = false
  skip_version_validation = true
}
Variables
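# --- Aviatrix controller ---------------------------------------------------

variable "controller_ip" {
  description = "IP address (or hostname) of the Aviatrix controller the provider talks to."
  type        = string
}

variable "username" {
  description = "Aviatrix controller login user."
  type        = string
}

# Marked sensitive (Terraform >= 0.14) so the value is redacted from plan/apply
# output; it is used both for the controller login and as the FireNet firewall
# password.
variable "password" {
  description = "Aviatrix controller password (also passed to the FireNet modules)."
  type        = string
  sensitive   = true
}

variable "cloud" {
  description = "Cloud name expected by the mc-transit/mc-spoke/mc-firenet modules."
  type        = string
}

variable "account" {
  description = "Aviatrix access account name used for the gateways and modules."
  type        = string
}

# --- Azure service principal -------------------------------------------------

variable "subscription_id" {
  description = "Azure subscription the resources are created in."
  type        = string
}

variable "client_id" {
  description = "Service principal application (client) id."
  type        = string
}

variable "client_secret" {
  description = "Service principal client secret."
  type        = string
  sensitive   = true
}

variable "tenant_id" {
  description = "Azure AD tenant id of the service principal."
  type        = string
}

# --- Regions and addressing ---------------------------------------------------

variable "region-a" {
  description = "Central region (transit, FireNet, spokes and app VMs)."
  type        = string
}

variable "region-b" {
  description = "East region (transit, FireNet, spokes and app VMs)."
  type        = string
}

variable "cidr-region-a" {
  description = "Transit CIDR for region-a; the spoke CIDRs are derived from its /16 supernet."
  type        = string
}

variable "cidr-region-b" {
  description = "Transit CIDR for region-b; the spoke CIDRs are derived from its /16 supernet."
  type        = string
}

# --- Sizing -------------------------------------------------------------------

variable "instance_size" {
  description = "VM size for the spoke gateways and the app VMs."
  type        = string
}

variable "firewall_image" {
  description = "FireNet firewall image name."
  type        = string
}

variable "firewall_image_version" {
  description = "FireNet firewall image version."
  type        = string
}

variable "firewall_size" {
  description = "VM size for the FireNet firewall instances."
  type        = string
}

variable "gw_size" {
  description = "Size of the standalone ingress gateways."
  type        = string
}

# --- App VM credentials -------------------------------------------------------

variable "admin_username" {
  description = "Admin user for the NGINX VMs (also used by the remote-exec provisioner)."
  type        = string
}

variable "admin_password" {
  description = "Admin password for the NGINX VMs (also used by the remote-exec provisioner)."
  type        = string
  sensitive   = true
}

# Quoted label (terraform fmt form); previously written unquoted.
# NOTE(review): not referenced by any of the listings shown — confirm it is used.
variable "customer_name" {
  description = "Customer name."
  type        = string
}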