Terraform Verified Module for Azure Virtual WAN Hub Networking
This module is designed to simplify the creation of virtual wan based networks in Azure.
Features
- Virtual WAN:
- Virtual WAN Hub:
- Virtual WAN Hub.
- Secured Virtual Hub.
- Routing intent
- Azure Firewall
- Secured Virtual Hub
- AzureFirewallSubnet.
- Site-to-Site Virtual Network Gateway:
- S2S VPN Gateway.
- Active-Active or Single.
- VPN Site
- VPN Site Connection
- Deployment of
GatewaySubnet.
- Point-to-Site Virtual Network Gateway:
- P2S VPN Gateway.
- P2S server configuration.
- Active-Active or Single.
- Deployment of
GatewaySubnet.
- ER Gateway:
- ER Gateway.
- ER Gateway Connection.
- Active-Active or Single.
- Deployment of
GatewaySubnet.
Example
module "vwan_with_vhub" {
source = "../../"
resource_group_name = "tvmVwanRg"
location = "australiaeast"
virtual_wan_name = "tvmVwan"
disable_vpn_encryption = false
allow_branch_to_branch_traffic = true
bgp_community = "12076:51010"
type = "Standard"
virtual_wan_tags = {
environment = "dev"
deployment = "terraform"
}
virtual_hubs = {
aue-vhub = {
name = "aue_vhub"
location = "australiaeast"
resource_group = "demo-vwan-rsg"
address_prefix = "10.0.0.0/24"
tags = {
"location" = "AUE"
}
}
}
vpn_gateways = {
"aue-vhub-vpn-gw" = {
name = "aue-vhub-vpn-gw"
virtual_hub_key = "aue-vhub"
}
}
vpn_sites = {
"aue-vhub-vpn-site" = {
name = "aue-vhub-vpn-site"
virtual_hub_key = "aue-vhub"
links = [{
name = "link1"
provider_name = "Cisco"
bgp = {
asn = 65001
peering_address = "172.16.1.254"
}
ip_address = "20.28.182.157"
speed_in_mbps = "20"
}]
}
}
vpn_site_connections = {
"onprem1" = {
name = "aue-vhub-vpn-conn01"
vpn_gateway_key = "aue-vhub-vpn-gw"
remote_vpn_site_key = "aue-vhub-vpn-site"
vpn_links = [{
name = "link1"
bandwidth_mbps = 10
bgp_enabled = true
local_azure_ip_address_enabled = false
policy_based_traffic_selector_enabled = false
ratelimit_enabled = false
route_weight = 1
shared_key = "AzureA1b2C3"
vpn_site_link_number = 0
}]
}
}
}
Requirements
The following requirements are needed by this module:
Providers
The following providers are used by this module:
Resources
The following resources are used by this module:
- azurerm_express_route_connection.er_connection (resource)
- azurerm_express_route_gateway.express_route_gateway (resource)
- azurerm_firewall.fw (resource)
- azurerm_point_to_site_vpn_gateway.p2s_gateway (resource)
- azurerm_resource_group.rg (resource)
- azurerm_virtual_hub.virtual_hub (resource)
- azurerm_virtual_hub_connection.hub_connection (resource)
- azurerm_virtual_hub_routing_intent.routing_intent (resource)
- azurerm_virtual_wan.virtual_wan (resource)
- azurerm_vpn_gateway.vpn_gateway (resource)
- azurerm_vpn_gateway_connection.vpn_site_connection (resource)
- azurerm_vpn_server_configuration.p2s_gateway_vpn_server_configuration (resource)
- azurerm_vpn_site.vpn_site (resource)
- modtm_telemetry.telemetry (resource)
- random_uuid.telemetry (resource)
- azurerm_client_config.telemetry (data source)
- azurerm_resource_group.rg (data source)
- modtm_module_source.telemetry (data source)
Required Inputs
The following input variables are required:
allow_branch_to_branch_traffic
Description: Switch to flip VWAN branch to branch traffic
Type: bool
location
Description: Virtual WAN location
Type: string
resource_group_name
Description: Virtual WAN Resource group name
Type: string
virtual_wan_name
Description: Virtual WAN name
Type: string
Optional Inputs
The following input variables are optional (have default values):
create_resource_group
Description: If true will create a resource group, otherwise will use the existing resource group supplied in resource_group_name
Type: bool
Default: false
disable_vpn_encryption
Description: Switch to flip VWAN vpn encryption
Type: bool
Default: false
enable_telemetry
Description: This variable controls whether or not telemetry is enabled for the module.
For more information see https://aka.ms/avm/telemetryinfo.
If it is set to false, then no telemetry will be collected.
Type: bool
Default: true
er_circuit_connections
Description: Mapping object to link ER circuits to ER Gateways for the creation of connection
Type:
map(object({
name = string
express_route_gateway_key = string
express_route_circuit_peering_id = string
authorization_key = optional(string)
enable_internet_security = optional(bool)
express_route_gateway_bypass_enabled = optional(bool)
routing = optional(object({
associated_route_table_id = string
propagated_route_table = optional(object({
route_table_ids = optional(list(string))
labels = optional(list(string))
}))
inbound_route_map_id = optional(string)
outbound_route_map_id = optional(string)
}))
routing_weight = optional(number)
}))Default: {}
expressroute_gateways
Description: Express Route Gateway parameters
Type:
map(object({
name = string
virtual_hub_key = string
tags = optional(map(string))
allow_non_virtual_wan_traffic = optional(bool)
scale_units = number
}))Default: {}
firewalls
Description: Azure Firewall parameters
Type:
map(object({
virtual_hub_key = string
sku_name = string
sku_tier = string
name = optional(string)
dns_servers = optional(list(string))
firewall_policy_id = optional(string)
private_ip_ranges = optional(list(string))
threat_intel_mode = optional(string, "Alert")
zones = optional(list(string))
vhub_public_ip_count = optional(string)
tags = optional(map(string))
default_ip_configuration = optional(object({
name = optional(string)
public_ip_config = optional(object({
name = optional(set(string))
zones = optional(set(string))
ip_version = optional(string)
sku_tier = optional(string, "Regional")
}))
}))
management_ip_configuration = optional(object({
name = string
subnet_id = string
public_ip_address_id = string
}))
ip_configuration = optional(object({
name = string
subnet_id = string
public_ip_address_id = string
}))
}))Default: {}
office365_local_breakout_category
Description: Specifies the Office365 local breakout category. Possible values include: Optimize, OptimizeAndAllow, All, None. Defaults to None
Type: string
Default: "None"
p2s_gateway_vpn_server_configurations
Description: P2S VPN Gateway server configuration parameters
Type:
map(object({
name = string
virtual_hub_key = string
vpn_authentication_types = list(string)
tags = optional(map(string))
client_root_certificate = optional(object({
name = string
public_cert_data = string
}))
azure_active_directory_authentication = optional(object({
audience = string
issuer = string
tenant = string
}))
ipsec_policy = optional(object({
dh_group = string
ike_encryption = string
ike_integrity = string
ipsec_encryption = string
ipsec_integrity = string
pfs_group = string
sa_lifetime_seconds = string
sa_data_size_kilobytes = string
}))
vpn_protocols = optional(list(string))
}))Default: {}
p2s_gateways
Description: P2S VPN Gateway parameters
Type:
map(object({
name = string
virtual_hub_key = string
tags = optional(map(string))
p2s_gateway_vpn_server_configuration_key = string
connection_configuration = object({
name = string
vpn_client_address_pool = object({
address_prefixes = list(string)
})
})
routing_preference = optional(string)
scale_unit = number
dns_servers = optional(list(string))
routing_preference_internet_enabled = optional(bool)
}))Default: {}
resource_group_tags
Description: Virtual WAN Resource group tags
Type: map(string)
Default: {}
routing_intents
Description: Routing intent for virutal hubs
Type:
map(object({
name = string
virtual_hub_key = string
routing_policies = list(object({
name = string
destinations = list(string)
next_hop_firewall_key = string
}))
}))Default: {}
tags
Description: (Optional) Tags of the resource.
Type: map(string)
Default: null
type
Description: Type of the virtual WAN
Type: string
Default: "Standard"
virtual_hubs
Description: Virtual Hub parameters
Type:
map(object({
name = string
location = string
resource_group = optional(string, null)
address_prefix = string
tags = optional(map(string))
hub_routing_preference = optional(string)
}))Default: {}
virtual_network_connections
Description: Azure virtual network connections
Type:
map(object({
name = string
virtual_hub_key = string
remote_virtual_network_id = string
internet_security_enabled = optional(bool, false)
routing = optional(object({
associated_route_table_id = string
propagated_route_table = optional(object({
route_table_ids = optional(list(string), [])
labels = optional(list(string), [])
}))
static_vnet_route = optional(object({
name = optional(string)
address_prefixes = optional(list(string), [])
next_hop_ip_address = optional(string)
}))
}))
}))Default: {}
virtual_wan_tags
Description: Virtual WAN tags
Type: map(string)
Default: {}
vpn_gateways
Description: S2S VPN Gateway parameters
Type:
map(object({
name = string
virtual_hub_key = string
tags = optional(map(string))
bgp_route_translation_for_nat_enabled = optional(bool)
bgp_settings = optional(object({
asn = number
instance_0_bgp_peering_address = optional(string)
instance_1_bgp_peering_address = optional(string)
peer_weight = number
}))
routing_preference = optional(string)
scale_unit = optional(number)
}))Default: {}
vpn_site_connections
Description: S2S VPN Site Connections parameter
Type:
map(object({
name = string
vpn_gateway_key = string
remote_vpn_site_key = string
vpn_links = list(object({
name = string
egress_nat_rule_ids = optional(list(string))
ingress_nat_rule_ids = optional(list(string))
# Index of the link on the vpn gateway
vpn_site_link_number = number
bandwidth_mbps = optional(number)
bgp_enabled = optional(bool)
connection_mode = optional(string)
ipsec_policy = optional(object({
dh_group = string
ike_encryption_algorithm = string
ike_integrity_algorithm = string
encryption_algorithm = string
integrity_algorithm = string
pfs_group = string
sa_data_size_kb = string
sa_lifetime_sec = string
}))
protocol = optional(string)
ratelimit_enabled = optional(bool)
route_weight = optional(number)
shared_key = optional(string)
local_azure_ip_address_enabled = optional(bool)
policy_based_traffic_selector_enabled = optional(bool)
custom_bgp_address = optional(list(object({
ip_address = string
ip_configuration_id = string
})))
}))
internet_security_enabled = optional(bool)
routing = optional(object({
associated_route_table = string
propagated_route_table = optional(object({
route_table_ids = optional(list(string))
labels = optional(list(string))
}))
inbound_route_map_id = optional(string)
outbound_route_map_id = optional(string)
}))
traffic_selector_policy = optional(object({
local_address_ranges = string
remote_address_ranges = string
}))
}))Default: {}
vpn_sites
Description: S2S VPN Sites parameter
Type:
map(object({
name = string
# Name of the virtual hub
virtual_hub_key = string
links = list(object({
name = string
bgp = optional(object({
asn = number
peering_address = string
}))
fqdn = optional(string)
ip_address = optional(string)
provider_name = optional(string)
speed_in_mbps = optional(number)
}
))
address_cidrs = optional(list(string))
device_model = optional(string)
device_vendor = optional(string)
o365_policy = optional(object({
traffic_category = object({
allow_endpoint_enabled = optional(bool)
default_endpoint_enabled = optional(bool)
optimize_endpoint_enabled = optional(bool)
})
}))
tags = optional(map(string))
}))Default: {}
Outputs
The following outputs are exported:
azure_firewall_resource_ids
Description: A map of Azure Firewall resource IDs with the map keys of the firewalls variable.
azure_firewall_resource_names
Description: A map of Azure Firewall resource names with the map keys of the firewalls variable.
er_gw_id
Description: ExpressRoute Gateway ID
expressroute_gateway_resource_ids
Description: A map of expressRoute Gateway IDs with the map keys of the expressroute_gateways variable.
expressroute_gateway_resource_names
Description: A map of expressRoute Gateway names with the map keys of the expressroute_gateways variable.
fw
Description: Firewall Name
p2s_vpn_gw_id
Description: P2S VPN Gateway ID
p2s_vpn_gw_resource_ids
Description: A map of point to site VPN gateway names with the map keys of the p2s_gateways variable.
p2s_vpn_gw_resource_names
Description: A map of point to site VPN gateway names with the map keys of the p2s_gateways variable.
resource
Description: The full resource outputs.
resource_group_name
Description: Resource Group Name
resource_id
Description: Virtual WAN ID
s2s_vpn_gw
Description: S2S VPN Gateway Objects
s2s_vpn_gw_id
Description: S2S VPN Gateway ID
virtual_hub_id
Description: Virtual Hub ID
virtual_hub_resource_ids
Description: A map of Azure Virtual Hub resource IDs with the map keys of the virtual_hubs variable.
virtual_hub_resource_names
Description: A map of Azure Virtual Hub resource names with the map keys of the virtual_hubs variable.
virtual_wan_id
Description: Virtual WAN ID
vpn_gateway_resource_ids
Description: A map of Azure VPN Gateway resource IDs with the map keys of the vpn_gateways variable.
vpn_gateway_resource_names
Description: A map of Azure VPN Gateway resource names with the map keys of the vpn_gateways variable.
Modules
No modules.
Data Collection
The software may collect information about you and your use of the software and send it to Microsoft. Microsoft may use this information to provide services and improve our products and services. You may turn off the telemetry as described in the repository. There are also some features in the software that may enable you and Microsoft to collect data from users of your applications. If you use these features, you must comply with applicable law, including providing appropriate notices to users of your applications together with a copy of Microsoft’s privacy statement. Our privacy statement is located at https://go.microsoft.com/fwlink/?LinkID=824704. You can learn more about data collection and use in the help documentation and our privacy statement. Your use of the software operates as your consent to these practices.