Is your feature request related to a problem?
It is a simplification of the networking and follows a logical path. It simplifies the understanding of the network traffic flow and lends itself to a simpler explanation. It keeps the networks consistent across AZ paths. Additionally, it lends itself to search-and-replace of the networks and of the firewall security policy for the health probes and management access.
*** also adds all AZs for GWLB interfaces
Describe the solution you'd like
Traffic flow through the security vpc
vpcs = { security_vpc = { name = "security-vpc" cidr = "10.253.0.0/22" subnets = {
Value of nacl must match key of objects stored in nacls
Updated security groups also.
security_groups = {
  vmseries_private = {
    name = "vmseries_private"
    rules = {
      all_outbound = {
        description = "Permit All traffic outbound"
        type = "egress", from_port = "0", to_port = "0", protocol = "-1"
        cidr_blocks = ["0.0.0.0/0"]
      }
      geneve = {
        description = "Permit GENEVE to GWLB subnets"
        type = "ingress", from_port = "6081", to_port = "6081", protocol = "udp"
        cidr_blocks = [
          "10.253.0.48/28", "10.253.1.48/28", "10.253.2.48/28", "10.253.3.48/28"
        ]
      }
      health_probe = {
        description = "Permit Port 80 Health Probe to GWLB subnets"
        type = "ingress", from_port = "80", to_port = "80", protocol = "tcp"
        cidr_blocks = [
          "10.253.0.48/28", "10.253.1.48/28", "10.253.2.48/28", "10.253.3.48/28"
        ]
      }
    }
  }
  vmseries_mgmt = {
    name = "vmseries_mgmt"
    rules = {
      all_outbound = {
        description = "Permit All traffic outbound"
        type = "egress", from_port = "0", to_port = "0", protocol = "-1"
        cidr_blocks = ["0.0.0.0/0"]
      }
      https = {
        description = "Permit HTTPS"
        type = "ingress", from_port = "443", to_port = "443", protocol = "tcp"
        cidr_blocks = ["10.0.0.0/8"] # TODO: update here (replace 0.0.0.0/0 by your IP range)
      }
      ssh = {
        description = "Permit SSH"
        type = "ingress", from_port = "22", to_port = "22", protocol = "tcp"
        cidr_blocks = ["10.0.0.0/8"] # TODO: update here (replace 0.0.0.0/0 by your IP range)
      }
      panorama_mgt = {
        description = "Permit Panorama mgt"
        type = "ingress", from_port = "3978", to_port = "3978", protocol = "tcp"
        cidr_blocks = ["10.0.0.0/8"]
      }
    }
  }
  vmseries_public = {
    name = "vmseries_public"
    rules = {
      all_outbound = {
        description = "Permit All traffic outbound"
        type = "egress", from_port = "0", to_port = "0", protocol = "-1"
        cidr_blocks = ["0.0.0.0/0"]
      }
      ssh = {
        description = "Permit SSH"
        type = "ingress", from_port = "22", to_port = "22", protocol = "tcp"
        cidr_blocks = ["10.104.0.0/22", "10.105.0.0/22"] # TODO: update here (replace 0.0.0.0/0 by your IP range)
      }
      https = {
        description = "Permit HTTPS"
        type = "ingress", from_port = "443", to_port = "443", protocol = "tcp"
        cidr_blocks = ["10.104.0.0/22", "10.105.0.0/22"] # TODO: update here (replace 0.0.0.0/0 by your IP range)
      }
      http = {
        description = "Permit HTTP"
        type = "ingress", from_port = "80", to_port = "80", protocol = "tcp"
        cidr_blocks = ["10.104.0.0/22", "10.105.0.0/22"] # TODO: update here (replace 0.0.0.0/0 by your IP range)
      }
    }
  }
}
Describe alternatives you've considered.
This is the way.
Additional context
The public-facing documentation using a /16 for 2 firewalls is a ridiculous example of exactly what NOT to do. We can do better. Provide a straightforward, real-world example that can be immediately applied, adhering to networking best practices that are easy to follow and understand.
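The addressing scheme above (a /22 security VPC, one /24 per AZ, one /28 per role, with the GWLB subnet always at the same .48 offset) is what lets the security-group sources be derived rather than hand-typed. The following Python check is an added example, not code from the issue author or from the Terraform module: it derives the per-AZ subnet map from the VPC CIDR and verifies that the GENEVE and health-probe rules list every AZ's GWLB subnet and nothing else, that no ingress rule still carries the 0.0.0.0/0 the TODO comments warn about, and that the planned /28s fit inside the /22 without overlapping. Only the VPC CIDR, the four GWLB subnets and the security-group rules come from the issue; the role order within each /24 (mgmt, private, public, gwlb, gwlbe) is an assumption chosen so that slot 3 lands on .48/28, and the extra role names are hypothetical.

```python
"""Checks for the /22 security-VPC addressing scheme proposed in this issue.

Added example; not code from the issue author or the Terraform module.
Taken from the issue: VPC CIDR 10.253.0.0/22, GWLB subnets 10.253.N.48/28 in
four AZs, and the security-group ingress rules. Assumed for illustration:
each AZ owns one /24 of the /22, each role owns one /28 inside it, and the
role order below (slot 3 = .48/28 = GWLB). The non-GWLB role names are
hypothetical.
"""
import ipaddress
from typing import Dict, List, Tuple

VPC_CIDR = "10.253.0.0/22"   # from the issue
AZ_COUNT = 4                 # the issue lists GWLB subnets for four AZs
ROLE_ORDER = ["mgmt", "private", "public", "gwlb", "gwlbe"]  # assumed

# Ingress rules copied from the issue's security_groups map (egress omitted).
SECURITY_GROUPS: Dict[str, Dict[str, dict]] = {
    "vmseries_private": {
        "geneve": {"proto": "udp", "port": 6081,
                   "cidrs": ["10.253.0.48/28", "10.253.1.48/28",
                             "10.253.2.48/28", "10.253.3.48/28"]},
        "health_probe": {"proto": "tcp", "port": 80,
                         "cidrs": ["10.253.0.48/28", "10.253.1.48/28",
                                   "10.253.2.48/28", "10.253.3.48/28"]},
    },
    "vmseries_mgmt": {
        "https": {"proto": "tcp", "port": 443, "cidrs": ["10.0.0.0/8"]},
        "ssh": {"proto": "tcp", "port": 22, "cidrs": ["10.0.0.0/8"]},
        "panorama_mgt": {"proto": "tcp", "port": 3978, "cidrs": ["10.0.0.0/8"]},
    },
}


def plan_subnets(vpc_cidr: str = VPC_CIDR, az_count: int = AZ_COUNT,
                 roles: List[str] = ROLE_ORDER) -> Dict[str, str]:
    """Derive {"<role>_az<n>": cidr}: third octet = AZ, /28 slot = role."""
    vpc = ipaddress.ip_network(vpc_cidr)
    az_blocks = list(vpc.subnets(new_prefix=24))
    if az_count > len(az_blocks):
        raise ValueError(f"{vpc_cidr} only holds {len(az_blocks)} AZ blocks")
    plan: Dict[str, str] = {}
    for az in range(az_count):
        slots = list(az_blocks[az].subnets(new_prefix=28))
        for slot, role in enumerate(roles):
            plan[f"{role}_az{az}"] = str(slots[slot])
    return plan


def role_cidrs(plan: Dict[str, str], role: str) -> List[str]:
    """All planned CIDRs for one role, in AZ order."""
    return [cidr for key, cidr in plan.items() if key.startswith(role + "_az")]


def missing_gwlb_azs(plan: Dict[str, str], rule_cidrs: List[str]) -> List[str]:
    """GWLB subnets a GENEVE/health-probe rule does not allow.

    A firewall whose AZ is missing here fails its GWLB health check and
    gets no traffic, which is why the issue lists every AZ explicitly.
    """
    allowed = {ipaddress.ip_network(c) for c in rule_cidrs}
    return [c for c in role_cidrs(plan, "gwlb")
            if ipaddress.ip_network(c) not in allowed]


def extra_gwlb_sources(plan: Dict[str, str], rule_cidrs: List[str]) -> List[str]:
    """Rule sources that are not a planned GWLB subnet (rule is too broad)."""
    planned = {ipaddress.ip_network(c) for c in role_cidrs(plan, "gwlb")}
    return [c for c in rule_cidrs if ipaddress.ip_network(c) not in planned]


def open_ingress(groups: Dict[str, Dict[str, dict]]) -> List[Tuple[str, str]]:
    """(group, rule) pairs whose source is 0.0.0.0/0 or ::/0 (prefix 0)."""
    hits: List[Tuple[str, str]] = []
    for group, rules in groups.items():
        for name, rule in rules.items():
            if any(ipaddress.ip_network(c).prefixlen == 0 for c in rule["cidrs"]):
                hits.append((group, name))
    return hits


def overlapping(plan: Dict[str, str],
                vpc_cidr: str = VPC_CIDR) -> List[Tuple[str, str]]:
    """Subnets outside the VPC (paired with "outside-vpc") or overlapping."""
    vpc = ipaddress.ip_network(vpc_cidr)
    items = [(k, ipaddress.ip_network(v)) for k, v in plan.items()]
    bad = [(k, "outside-vpc") for k, n in items if not n.subnet_of(vpc)]
    for i, (ka, na) in enumerate(items):
        for kb, nb in items[i + 1:]:
            if na.overlaps(nb):
                bad.append((ka, kb))
    return bad


if __name__ == "__main__":
    plan = plan_subnets()
    for rule in ("geneve", "health_probe"):
        cidrs = SECURITY_GROUPS["vmseries_private"][rule]["cidrs"]
        print(rule, "missing:", missing_gwlb_azs(plan, cidrs),
              "extra:", extra_gwlb_sources(plan, cidrs))
    print("open ingress:", open_ingress(SECURITY_GROUPS))
    print("overlaps:", overlapping(plan))
```

Running it against the issue's rules reports nothing in any list; dropping one AZ from the geneve rule, or widening it to the whole /22, is flagged immediately, which is the check worth wiring into CI before the next AZ is added.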
Agreed, it would be nice to have sane defaults of /22 for the security VPC and /28 for subnets. And some logic in the IP scheme to match the flow of traffic makes sense to me also.