Commit

Implemented dual Terraform scenarios for both traditional hub-and-spoke and Virtual WAN architectures, incorporating Azure Bastion, Firewall Policies, and connectivity resources.

FreddyAyala committed Jul 5, 2024
1 parent 8218210 commit 54237e6
Showing 16 changed files with 1,171 additions and 0 deletions.
115 changes: 115 additions & 0 deletions docs/wiki/[User-Guide]-Starter-Module-Complete-Hub-And-Spoke.md
@@ -0,0 +1,115 @@
# Complete Hub and Spoke Scenario Documentation

The "Complete Hub and Spoke" scenario uses Terraform to fully customize Azure Landing Zone deployment. The scenario emphasizes a hub-and-spoke network topology and includes modules for management groups, connectivity, and security components.

## Recommended Modules

The following modules are key components for the "Complete Hub and Spoke" architecture:

### `caf-enterprise-scale`

The Cloud Adoption Framework's `caf-enterprise-scale` Terraform module sets up a scalable management group hierarchy, policy assignments, and compliance settings.



```hcl
module "enterprise_scale" {
source = "Azure/caf-enterprise-scale/azurerm"
version = "~> 5.2.0"
# ...
}
```

### `hubnetworking`

The `hubnetworking` Terraform module creates the hub-and-spoke network topology including the virtual networks and optionally deploys and configures network components like Azure Firewall.



```hcl
module "hubnetworking" {
source = "Azure/hubnetworking/azurerm"
version = "~> 1.1.0"
# ...
}
```

### `azurerm_firewall_policy`

This resource creates an Azure Firewall Policy, which enables customization of firewall rules and settings.



```hcl
resource "azurerm_firewall_policy" "this" {
# ...
}
```

### `azurerm_firewall_policy_rule_collection_group`

Assigns rule collection groups to the firewall policy to control network traffic flow.


```hcl
resource "azurerm_firewall_policy_rule_collection_group" "example" {
# ...
}
```

### `virtual_network_gateway`

Establishes a Virtual Network Gateway for secure VPN connections and can also be used for ExpressRoute connectivity.



```hcl
module "virtual_network_gateway" {
# ...
}
```

### Azure Bastion and Jumpbox VM

For secure RDP/SSH access to virtual machines, the Azure Bastion service is provisioned and a separate virtual machine is deployed to function as a jumpbox.



```hcl
module "azure_bastion" {
# ...
}
module "vmjumpbox" {
# ...
}
```

## Implementation Overview

- The central hub is the Azure VNet that acts as the connectivity focal point to which different spokes (VNets) will connect.
- The `caf-enterprise-scale` module will define and enforce governance, compliance, and management across all VNets.
- The `hubnetworking` module allows for the configuration of the central hub, including the deployment of Azure Firewall for enhanced security and firewall policies.
- An Azure Firewall Policy is defined and associated with the Azure Firewall to implement the required rule sets for traffic filtering.
- A Virtual Network Gateway is configured, enabling VPN or ExpressRoute for communication between Azure and on-premises networks.
- Azure Bastion provides secure and seamless RDP and SSH connectivity to Azure VMs without public IP addresses, directly through the Azure portal.
- A Jumpbox VM (Virtual Machine) is deployed to facilitate secure management tasks within the Azure environment.

## Deployment Process

To deploy the "Complete Hub and Spoke" scenario:

1. Customize the `enterprise_scale` and `hubnetworking` modules in your Terraform files according to your organizational structure and networking requirements.
2. Define your Azure Firewall policies and rulesets within the `azurerm_firewall_policy` and `azurerm_firewall_policy_rule_collection_group` resources.
3. Deploy the Virtual Network Gateway, Azure Bastion, and Jumpbox VM as per your connectivity and management access needs.
4. Apply the Terraform configuration to provision the resources in your Azure environment.

Please consider referencing Terraform and Azure documentation for in-depth guidance on module usage and attribute definitions to ensure the deployment aligns with best practices and your organization's architectural requirements.
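Review bot: the `virtual_network_gateway`, `azure_bastion` and `vmjumpbox` snippets give no `source`/`version`, unlike the `enterprise_scale` and `hubnetworking` snippets above them, so a reader cannot tell which modules this scenario actually pins; the `config.yaml` in this same commit names `avm-ptn-vnetgateway` for the gateway, so at least that one should be cited the same way (`source = "Azure/avm-ptn-vnetgateway/azurerm"` plus a version constraint). In the "Azure Bastion and Jumpbox VM" section, please also state that the jumpbox is deployed without a public IP and is reached only through Bastion, and that its NSG should allow RDP/SSH inbound only from the AzureBastionSubnet; as written, a reader could provision a jumpbox with a public IP and reintroduce exactly the exposure Bastion is there to remove. Finally, the "Azure Firewall Policy is defined and associated with the Azure Firewall" bullet is the only place the doc explains how the policy is wired to the firewall; it is worth saying that this happens through `firewall_policy_id` on the hub's `firewall` block, since that is what the template does.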
101 changes: 101 additions & 0 deletions docs/wiki/[User-Guide]-Starter-Module-Complete-Virtual-Wan.md
@@ -0,0 +1,101 @@

# Complete Virtual WAN Deployment Scenario Documentation

The "Complete Virtual WAN (vWAN)" scenario uses Terraform to create a scalable and automated Azure network infrastructure. This sophisticated configuration emphasizes a global transit network strategy that incorporates governance, connectivity, and security elements within a unified managed network service.

## Key Terraform Modules and Resources

### `caf-enterprise-scale`

The `caf-enterprise-scale` module establishes the governance structure for Azure by setting up a management group hierarchy, policy assignments, and ensuring compliance.

```hcl
module "enterprise_scale" {
source = "Azure/caf-enterprise-scale/azurerm"
version = "~> 5.2.0"
# ...
}
```

### `hubnetworking`

The `hubnetworking` module configures a shared virtual network which is utilized for centralized services like jumpbox and Azure Bastion.

```hcl
module "hubnetworking" {
source = "Azure/hubnetworking/azurerm"
version = "~> 1.1.0"
# ...
}
```

### `vwan`

The `vwan` module implements the Azure Virtual WAN service, facilitating a hub-and-spoke architecture that enables automated routing and global connectivity.

```hcl
module "vwan" {
source = "Azure/avm-ptn-virtualwan/azurerm"
version = "~> 0.5.0"
# ...
}
```

### `azurerm_virtual_hub_connection`

This resource establishes a connection between the virtual hubs within the vWAN and virtual networks, promoting seamless interconnectivity and centralized network management.

```hcl
resource "azurerm_virtual_hub_connection" "example_connection" {
# ...
}
```

### `azurerm_firewall_policy`

This resource defines a firewall policy for the virtual WAN, offering advanced routing and security settings at a WAN scope.

```hcl
resource "azurerm_firewall_policy" "this" {
# ...
}
```

### Azure Bastion and Jumpbox VM

Incorporating Azure Bastion within the vWAN infrastructure allows for secure RDP/SSH connectivity across the network without the need for public IP addresses. A separate jumpbox VM is used for secure administrative access.

```hcl
module "azure_bastion" {
# ...
}
module "vmjumpbox" {
# ...
}
```

## Virtual WAN vs Traditional Hub and Spoke

The vWAN architecture provides an orchestrated and optimized network connectivity solution compared to traditional hub-and-spoke configurations. Key differences include:

- Centralized routing and security controls across various segments of the network, including branch-to-branch connectivity.
- Global traffic transit with automated routing leveraging the Microsoft Global Network.
- A unified operational model and significantly simplified network management experience.
- Consistent policy and security enforcement across the entire network footprint.

This approach is well-suited for enterprises looking to simplify complex networking scenarios, especially for those requiring robust, global networking capabilities.

## Deployment Procedure

To implement the "Complete vWAN" scenario:

1. Tailor the `enterprise_scale`, `hubnetworking`, and `vwan` modules within your Terraform configurations to reflect your network architecture and requirements.
2. Establish Azure Firewall policies and rules at the WAN-level to maintain security and governance.
3. Setup Azure Bastion for central, secure access to VMs, and configure a jumpbox VM for network management operations.
4. Execute the Terraform plan to provision the defined Azure environment resources.

When deploying, consult the detailed Terraform and Azure documentation for guidance on utilizing these modules and resources, ensuring that the deployment adheres to your organization's network strategy and best practices.
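Review bot: the `azurerm_firewall_policy` description ("offering advanced routing and security settings at a WAN scope") is inaccurate; an Azure Firewall Policy carries rule collection groups, threat intelligence, DNS and TLS settings, while routing in Virtual WAN is governed by the virtual hub's route tables and routing intent, not by the policy. Suggest rewording to something like "defines the rule collections and security settings applied by the Azure Firewall deployed in the virtual hub", and add a sentence on what consumes the policy, because unlike the hub-and-spoke page this one never says the policy is attached to a firewall in the secured hub. The `azurerm_virtual_hub_connection` snippet should likewise say what it connects: per the `hubnetworking` section, that is the shared VNet hosting Bastion and the jumpbox, attached to the virtual hub. Same comment as on the other page about the jumpbox: document that it has no public IP and is reached only via Bastion.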
70 changes: 70 additions & 0 deletions templates/complete_hub_and_spoke/config.yaml
@@ -0,0 +1,70 @@
# This file contains templated variables to avoid repeating the same hard-coded values.
# Templated variables are denoted by the dollar curly braces token. The following details each templated variable that you can use:
# `default_location`: This is an Azure location sourced from the `default_location` variable. This can be used to set the location of resources.
# `default_postfix`: This is a string sourced from the variable `default_postfix`. This can be used to append to resource names for consistency.
# `root_parent_management_group_id`: This is the id of the management group that the ALZ hierarchy will be nested under.
# `subscription_id_identity`: The subscription ID of the subscription to deploy the identity resources to, sourced from the variable `subscription_id_identity`.
# `subscription_id_connectivity`: The subscription ID of the subscription to deploy the connectivity resources to, sourced from the variable `subscription_id_connectivity`.
# `subscription_id_management`: The subscription ID of the subscription to deploy the management resources to, sourced from the variable `subscription_id_management`.
---
archetypes: # `caf-enterprise-scale` module, add inputs as listed on the module registry where necessary.
root_name: es
root_id: Enterprise-Scale
subscription_id_connectivity: ${subscription_id_connectivity}
subscription_id_identity: ${subscription_id_identity}
subscription_id_management: ${subscription_id_management}
root_parent_id: ${root_parent_management_group_id}
deploy_corp_landing_zones: true
deploy_online_landing_zones: true
default_location: ${default_location}
disable_telemetry: true
deploy_management_resources: true
configure_management_resources:
location: ${default_location}
settings:
security_center:
config:
email_security_contact: "security_contact@replace_me"
advanced:
asc_export_resource_group_name: rg-asc-export
custom_settings_by_resource_type:
azurerm_resource_group:
management:
name: rg-management
azurerm_log_analytics_workspace:
management:
name: log-management
azurerm_automation_account:
management:
name: aa-management
connectivity:
hubnetworking: # `hubnetworking` module, add inputs as listed on the module registry where necessary.
hub_virtual_networks:
primary:
name: vnet-hub
resource_group_name: rg-connectivity
location: ${default_location}
address_space:
- 10.0.0.0/16
subnets:
AzureBastionSubnet:
name: "AzureBastionSubnet"
address_prefixes: ["10.0.3.0/27"]
assign_generated_route_table: false
SharedSubnet:
name: "SharedSubnet"
address_prefixes: ["10.0.4.0/27"]
firewall:
name: fw-hub
sku_name: AZFW_VNet
sku_tier: Standard
subnet_address_prefix: 10.0.1.0/24
zones: ["1", "2", "3"]
default_ip_configuration:
public_ip_config:
zones: ["1", "2", "3"]
name: "pip-hub"
virtual_network_gateway: # `avm-ptn-vnetgateway` module, add inputs as listed on the module registry where necessary.
name: vgw-hub
subnet_address_prefix: 10.0.2.0/24
vwan: # `avm-ptn-virtualwan` module, add inputs as listed on the module registry where necessary.
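Review bot: `AzureBastionSubnet` is sized `10.0.3.0/27`, but Azure Bastion requires the `AzureBastionSubnet` to be /26 or larger, so this deployment will fail at the Bastion step; change it to a /26 (for example `address_prefixes: ["10.0.3.0/26"]`), which still fits before `10.0.4.0/27`. The trailing `vwan:` key at the end of this hub-and-spoke template has no value; `locals.tf` in this commit reads it through `try(merge(local.config.connectivity.vwan, {}), {})` so it parses, but an empty key in the scenario that does not use Virtual WAN is confusing and should be removed or given a comment saying it is intentionally empty here. `email_security_contact: "security_contact@replace_me"` is a silent placeholder that will be applied as-is to the Defender for Cloud contact; either make it a templated variable and list it in the header comment with the others, or call it out there as a value that must be replaced. Minor: `sku_tier: Standard` is fine for a starter, but a comment that TLS inspection and IDPS need `Premium` would save people a later migration.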
1 change: 1 addition & 0 deletions templates/complete_hub_and_spoke/data.tf
@@ -0,0 +1 @@
data "azurerm_client_config" "core" {}
66 changes: 66 additions & 0 deletions templates/complete_hub_and_spoke/locals.tf
@@ -0,0 +1,66 @@
locals {
config_file_extension = replace(lower(element(local.config_file_split, length(local.config_file_split) - 1)), local.const_yml, local.const_yaml)
config_file_name = var.configuration_file_path == "" ? "config.yaml" : basename(var.configuration_file_path)
config_file_split = split(".", local.config_file_name)
const_yaml = "yaml"
const_yml = "yml"
}
locals {
config = (local.config_file_extension == local.const_yaml ?
yamldecode(templatefile("${path.module}/${local.config_file_name}", local.config_template_file_variables)) :
jsondecode(templatefile("${path.module}/${local.config_file_name}", local.config_template_file_variables))
)
config_template_file_variables = {
default_location = var.default_location
default_postfix = var.default_postfix
root_parent_management_group_id = var.root_parent_management_group_id == "" ? data.azurerm_client_config.core.tenant_id : var.root_parent_management_group_id
subscription_id_connectivity = var.subscription_id_connectivity
subscription_id_identity = var.subscription_id_identity
subscription_id_management = var.subscription_id_management
}
}
locals {
archetypes = try(merge(local.config.archetypes, {}), {})
}
locals {
hub_virtual_networks = {
for key, hub_virtual_network in try(merge(local.config.connectivity.hubnetworking.hub_virtual_networks, {}), {}) : key => {
name = hub_virtual_network.name
resource_group_name = hub_virtual_network.resource_group_name
location = hub_virtual_network.location
address_space = hub_virtual_network.address_space
subnets = hub_virtual_network.subnets

// If the `firewall` block exists, merge the new policy ID, otherwise keep the firewall block as-is
firewall = merge(hub_virtual_network.firewall, {
firewall_policy_id = azurerm_firewall_policy.this.id
})

// Maintain all other configuration as is
virtual_network_gateway = hub_virtual_network.virtual_network_gateway
// ... any other fields that your network structure has
}
}

module_hubnetworking = {
hub_virtual_networks = {
for key, hub_virtual_network in local.hub_virtual_networks : key => {
for argument, value in hub_virtual_network : argument => value if argument != "virtual_network_gateway"
}
}
}
module_virtual_network_gateway = {
for key, hub_virtual_network in local.hub_virtual_networks : key => merge(
hub_virtual_network.virtual_network_gateway,
{
location = hub_virtual_network.location
virtual_network_id = module.hubnetworking[0].virtual_networks[key].id
}
)
if can(hub_virtual_network.virtual_network_gateway)
}
}
locals {
module_vwan = try(merge(local.config.connectivity.vwan, {}), {})
}
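Review bot: the comment "If the `firewall` block exists, merge the new policy ID, otherwise keep the firewall block as-is" does not describe the code under it; `firewall = merge(hub_virtual_network.firewall, { firewall_policy_id = ... })` is unconditional, so a hub defined without a `firewall` block fails with an unsupported-attribute error instead of being kept as-is. Suggest `firewall = can(hub_virtual_network.firewall) ? merge(hub_virtual_network.firewall, { firewall_policy_id = azurerm_firewall_policy.this.id }) : null` (or whatever optional default the `hubnetworking` module expects). The same applies to `virtual_network_gateway = hub_virtual_network.virtual_network_gateway`: it is read unconditionally in `local.hub_virtual_networks`, yet `module_virtual_network_gateway` later filters with `if can(hub_virtual_network.virtual_network_gateway)`, which implies the key is optional; use `try(hub_virtual_network.virtual_network_gateway, null)` here and check for non-null below. The `// ... any other fields that your network structure has` line reads like a leftover template comment; either pass the remaining fields through explicitly or drop the comment, and prefer `#` over `//` for comments to match the rest of the repository's HCL.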
