[Module]: multi-hub networking

[matt-FFFFFF]

Speaking to @grayzu, suggested raising this here. Perhaps it should be an issue template?

This issue is to track the request to create a hub & spoke tfvm. It has been created to avoid duplication of effort.

In the Azure Landing Zones team, we have a requirement to deploy hub & spoke network architectures.

I propose the following top level functional spec items:

• Create n number of hub virtual networks with supplied address spaces, locations and resource groups.
• For any hub network:
  • Supply custom DNS servers
  • optionally create full mesh peering with other hubs
  • Ability to associate IP supernets to each hub, with the module able to process this data and create route tables in peered hubs.
  • Optional linking to DDoS plan
  • Optional linking to private DNS zones
  • Optional Deployment of Azure Firewall with ability to link to an existing azure firewall policy
  • Optional deployment of ER GW in a hub network
  • Optional deployment of P2S GW in a hub network

/cc @jtracey93

Am happy to take on the work for this, using this issue to track

[lonegunmanb]

Hi @matt-FFFFFF, since we've got verified modules to create virtual network and corresponding subnets:(terraform-azurerm-network & terraform-azurerm-subnets), maybe we should leave the creation of subnets to these modules?

My thought on "which resource should be declared in a module" is here:

The criterion for determining whether a resource should be put into the current module is: only the resource that "belongs" to this module should be declared.

So I think the Azure Firewall should has it's own module, but the Gateway looks "belong" to this h&s peering. I'm not familiar with Azure's h&s peering, I think the most important challenge is to determine the boundary of this "h&s peering"'s domain like DDD did. The problem we're facing now is a domain design problem, it would be great if we could learn from the CAF team's case study.

Please let me know if you have further thought on this thread.

[lonegunmanb]

Additional thought:

We can design and implement several modules we need to implement a full h&s peering architecture, then we can assemble them into an complete example and submit it to example document repo.

[matt-FFFFFF]

@lonegunmanb this is what I was thinking of.

The H&S module would use the subnets module, but then deploy the other resources itself.

graph TD
    H[H&S] --> S[subnets] --> RS([vnets/subnets])
    H --> RP([peerings])
    H --> RR([route tables])
    H --> FR([firewall])
    H --> GR([gateways])
    style RS stroke:#f66,stroke-width:2px,color:#fff,stroke-dasharray: 5 5
    style RP stroke:#f66,stroke-width:2px,color:#fff,stroke-dasharray: 5 5
    style RR stroke:#f66,stroke-width:2px,color:#fff,stroke-dasharray: 5 5
    style FR stroke:#f66,stroke-width:2px,color:#fff,stroke-dasharray: 5 5
    style GR stroke:#f66,stroke-width:2px,color:#fff,stroke-dasharray: 5 5

[matt-FFFFFF]

See wip here

https://github.com/Azure/terraform-azure-hubandspoke

[matt-FFFFFF]

MVP complete @lonegunmanb do we need to publish to home page?

[matt-FFFFFF]

Has been released