Last active
June 24, 2020 15:33
-
-
Save machv/9c7c585cc89bd5c97f0577c8da6d2e56 to your computer and use it in GitHub Desktop.
Terraform script to deploy Site-to-site IPSec demo in Azure
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| locals { | |
| ike_secret = "tajneheslo" | |
| # Azure site | |
| ip_azure_range = "10.10.0.0/16" | |
| ip_azure_subnet_main = "10.10.0.0/24" | |
| ip_azure_subnet_gw = "10.10.255.240/28" | |
| asn_azure = "65010" | |
| # On-premises site | |
| ip_onprem_range = "10.20.0.0/16" | |
| ip_onprem_subnet_main = "10.20.0.0/24" | |
| ip_onprem_subnet_gw = "10.20.255.240/28" | |
| asn_onprem = "60520" | |
| } | |
| provider "azurerm" { | |
| version = "~>2.0" | |
| features {} | |
| } | |
| ## | |
| ## Azure site | |
| ## | |
| resource "azurerm_resource_group" "site_azure" { | |
| name = "site-azure" | |
| location = "eastus" | |
| tags = { | |
| environment = "Cloud" | |
| } | |
| } | |
| resource "azurerm_virtual_network" "vnet_azure" { | |
| name = "vnet-azure" | |
| address_space = [local.ip_azure_range] | |
| location = azurerm_resource_group.site_azure.location | |
| resource_group_name = azurerm_resource_group.site_azure.name | |
| } | |
| resource "azurerm_subnet" "subnet_azure_main" { | |
| name = "main" | |
| resource_group_name = azurerm_resource_group.site_azure.name | |
| virtual_network_name = azurerm_virtual_network.vnet_azure.name | |
| address_prefixes = [local.ip_azure_subnet_main] | |
| } | |
| resource "azurerm_subnet" "subnet_azure_gw" { | |
| name = "GatewaySubnet" | |
| resource_group_name = azurerm_resource_group.site_azure.name | |
| virtual_network_name = azurerm_virtual_network.vnet_azure.name | |
| address_prefixes = [local.ip_azure_subnet_gw] | |
| } | |
| resource "azurerm_public_ip" "gw_azure_pip1" { | |
| name = "gw-azure-pip1" | |
| location = azurerm_resource_group.site_azure.location | |
| resource_group_name = azurerm_resource_group.site_azure.name | |
| allocation_method = "Dynamic" | |
| } | |
| data "azurerm_public_ip" "gw_azure_pip1" { | |
| name = azurerm_public_ip.gw_azure_pip1.name | |
| resource_group_name = azurerm_resource_group.site_azure.name | |
| } | |
| resource "azurerm_public_ip" "gw_azure_pip2" { | |
| name = "gw-azure-pip2" | |
| location = azurerm_resource_group.site_azure.location | |
| resource_group_name = azurerm_resource_group.site_azure.name | |
| allocation_method = "Dynamic" | |
| } | |
| data "azurerm_public_ip" "gw_azure_pip2" { | |
| name = azurerm_public_ip.gw_azure_pip2.name | |
| resource_group_name = azurerm_resource_group.site_azure.name | |
| } | |
| resource "azurerm_virtual_network_gateway" "gw_azure" { | |
| name = "gw-azure" | |
| location = azurerm_resource_group.site_azure.location | |
| resource_group_name = azurerm_resource_group.site_azure.name | |
| type = "Vpn" | |
| vpn_type = "RouteBased" | |
| active_active = true | |
| sku = "VpnGw1" | |
| enable_bgp = true | |
| bgp_settings { | |
| asn = local.asn_azure | |
| } | |
| ip_configuration { | |
| name = azurerm_public_ip.gw_azure_pip1.name | |
| public_ip_address_id = azurerm_public_ip.gw_azure_pip1.id | |
| subnet_id = azurerm_subnet.subnet_azure_gw.id | |
| } | |
| ip_configuration { | |
| name = azurerm_public_ip.gw_azure_pip2.name | |
| public_ip_address_id = azurerm_public_ip.gw_azure_pip2.id | |
| subnet_id = azurerm_subnet.subnet_azure_gw.id | |
| } | |
| depends_on = [azurerm_public_ip.gw_azure_pip1, azurerm_public_ip.gw_azure_pip2] | |
| } | |
| data "azurerm_virtual_network_gateway" "gw_azure" { | |
| name = "gw-azure" | |
| resource_group_name = azurerm_resource_group.site_azure.name | |
| depends_on = [azurerm_virtual_network_gateway.gw_azure] | |
| } | |
| locals { | |
| azure_bgp_peers = "${split(",", data.azurerm_virtual_network_gateway.gw_azure.bgp_settings[0].peering_address)}" | |
| azure_bgp_peer_1 = "${element(local.azure_bgp_peers,0)}" | |
| azure_bgp_peer_2 = "${element(local.azure_bgp_peers,1)}" | |
| } | |
| resource "azurerm_local_network_gateway" "lgw_onprem_01" { | |
| name = "lgw-onprem-01" | |
| location = azurerm_resource_group.site_azure.location | |
| resource_group_name = azurerm_resource_group.site_azure.name | |
| gateway_address = data.azurerm_public_ip.gw_onprem_pip1.ip_address | |
| address_space = ["${local.onprem_bgp_peer_1}/32"] | |
| bgp_settings { | |
| asn = local.asn_onprem | |
| bgp_peering_address = local.onprem_bgp_peer_1 | |
| } | |
| depends_on = [azurerm_virtual_network_gateway.gw_onprem, data.azurerm_public_ip.gw_onprem_pip1] | |
| } | |
| resource "azurerm_local_network_gateway" "lgw_onprem_02" { | |
| name = "lgw-onprem-02" | |
| location = azurerm_resource_group.site_azure.location | |
| resource_group_name = azurerm_resource_group.site_azure.name | |
| gateway_address = data.azurerm_public_ip.gw_onprem_pip2.ip_address | |
| address_space = ["${local.onprem_bgp_peer_2}/32"] | |
| bgp_settings { | |
| asn = local.asn_onprem | |
| bgp_peering_address = local.onprem_bgp_peer_2 | |
| } | |
| depends_on = [azurerm_virtual_network_gateway.gw_onprem, data.azurerm_public_ip.gw_onprem_pip2] | |
| } | |
| ## | |
| ## On-Premises site | |
| ## | |
| resource "azurerm_resource_group" "site_onprem" { | |
| name = "site-onprem" | |
| location = "westus" | |
| tags = { | |
| environment = "On-Prem" | |
| } | |
| } | |
| resource "azurerm_virtual_network" "vnet_onprem" { | |
| name = "vnet-onprem" | |
| address_space = [local.ip_onprem_range] | |
| location = azurerm_resource_group.site_onprem.location | |
| resource_group_name = azurerm_resource_group.site_onprem.name | |
| } | |
| resource "azurerm_subnet" "subnet_onprem_main" { | |
| name = "main" | |
| resource_group_name = azurerm_resource_group.site_onprem.name | |
| virtual_network_name = azurerm_virtual_network.vnet_onprem.name | |
| address_prefixes = [local.ip_onprem_subnet_main] | |
| } | |
| resource "azurerm_subnet" "subnet_onprem_gw" { | |
| name = "GatewaySubnet" | |
| resource_group_name = azurerm_resource_group.site_onprem.name | |
| virtual_network_name = azurerm_virtual_network.vnet_onprem.name | |
| address_prefixes = [local.ip_onprem_subnet_gw] | |
| } | |
| resource "azurerm_public_ip" "gw_onprem_pip1" { | |
| name = "gw-onprem-pip1" | |
| location = azurerm_resource_group.site_onprem.location | |
| resource_group_name = azurerm_resource_group.site_onprem.name | |
| allocation_method = "Dynamic" | |
| } | |
| data "azurerm_public_ip" "gw_onprem_pip1" { | |
| name = azurerm_public_ip.gw_onprem_pip1.name | |
| resource_group_name = azurerm_resource_group.site_onprem.name | |
| } | |
| resource "azurerm_public_ip" "gw_onprem_pip2" { | |
| name = "gw-onprem-pip2" | |
| location = azurerm_resource_group.site_onprem.location | |
| resource_group_name = azurerm_resource_group.site_onprem.name | |
| allocation_method = "Dynamic" | |
| } | |
| data "azurerm_public_ip" "gw_onprem_pip2" { | |
| name = azurerm_public_ip.gw_onprem_pip2.name | |
| resource_group_name = azurerm_resource_group.site_onprem.name | |
| } | |
| resource "azurerm_virtual_network_gateway" "gw_onprem" { | |
| name = "gw-onprem" | |
| location = azurerm_resource_group.site_onprem.location | |
| resource_group_name = azurerm_resource_group.site_onprem.name | |
| type = "Vpn" | |
| vpn_type = "RouteBased" | |
| active_active = true | |
| sku = "VpnGw1" | |
| enable_bgp = true | |
| bgp_settings { | |
| asn = local.asn_onprem | |
| } | |
| ip_configuration { | |
| name = azurerm_public_ip.gw_onprem_pip1.name | |
| public_ip_address_id = azurerm_public_ip.gw_onprem_pip1.id | |
| subnet_id = azurerm_subnet.subnet_onprem_gw.id | |
| } | |
| ip_configuration { | |
| name = azurerm_public_ip.gw_onprem_pip2.name | |
| public_ip_address_id = azurerm_public_ip.gw_onprem_pip2.id | |
| subnet_id = azurerm_subnet.subnet_onprem_gw.id | |
| } | |
| } | |
| data "azurerm_virtual_network_gateway" "gw_onprem" { | |
| name = "gw-onprem" | |
| resource_group_name = azurerm_resource_group.site_onprem.name | |
| } | |
| locals { | |
| onprem_bgp_peers = "${split(",", data.azurerm_virtual_network_gateway.gw_onprem.bgp_settings[0].peering_address)}" | |
| onprem_bgp_peer_1 = "${element(local.onprem_bgp_peers,0)}" | |
| onprem_bgp_peer_2 = "${element(local.onprem_bgp_peers,1)}" | |
| } | |
| resource "azurerm_local_network_gateway" "lgw_azure_01" { | |
| name = "lgw-azure-01" | |
| location = azurerm_resource_group.site_onprem.location | |
| resource_group_name = azurerm_resource_group.site_onprem.name | |
| gateway_address = data.azurerm_public_ip.gw_azure_pip1.ip_address | |
| address_space = ["${local.azure_bgp_peer_1}/32"] | |
| bgp_settings { | |
| asn = local.asn_azure | |
| bgp_peering_address = local.azure_bgp_peer_1 | |
| } | |
| } | |
| resource "azurerm_local_network_gateway" "lgw_azure_02" { | |
| name = "lgw-azure-02" | |
| location = azurerm_resource_group.site_onprem.location | |
| resource_group_name = azurerm_resource_group.site_onprem.name | |
| gateway_address = data.azurerm_public_ip.gw_azure_pip2.ip_address | |
| address_space = ["${local.azure_bgp_peer_2}/32"] | |
| bgp_settings { | |
| asn = local.asn_azure | |
| bgp_peering_address = local.azure_bgp_peer_2 | |
| } | |
| } | |
| ## | |
| ## Connect both sites using redundant connections | |
| ## | |
| # Primary (Azure -> On-Prem) | |
| resource "azurerm_virtual_network_gateway_connection" "connection_azure_to_onprem_01" { | |
| name = "con-azure-to-onprem-01" | |
| location = azurerm_resource_group.site_azure.location | |
| resource_group_name = azurerm_resource_group.site_azure.name | |
| type = "IPsec" | |
| virtual_network_gateway_id = azurerm_virtual_network_gateway.gw_azure.id | |
| local_network_gateway_id = azurerm_local_network_gateway.lgw_onprem_01.id | |
| shared_key = local.ike_secret | |
| enable_bgp = true | |
| } | |
| # Secondary (Azure -> On-Prem) | |
| resource "azurerm_virtual_network_gateway_connection" "connection_azure_to_onprem_02" { | |
| name = "con-azure-to-onprem-02" | |
| location = azurerm_resource_group.site_azure.location | |
| resource_group_name = azurerm_resource_group.site_azure.name | |
| type = "IPsec" | |
| virtual_network_gateway_id = azurerm_virtual_network_gateway.gw_azure.id | |
| local_network_gateway_id = azurerm_local_network_gateway.lgw_onprem_02.id | |
| shared_key = local.ike_secret | |
| enable_bgp = true | |
| } | |
| # Primary (On-Prem -> Azure) | |
| resource "azurerm_virtual_network_gateway_connection" "connection_onprem_to_azure_01" { | |
| name = "con-onprem-to-azure-01" | |
| location = azurerm_resource_group.site_onprem.location | |
| resource_group_name = azurerm_resource_group.site_onprem.name | |
| type = "IPsec" | |
| virtual_network_gateway_id = azurerm_virtual_network_gateway.gw_onprem.id | |
| local_network_gateway_id = azurerm_local_network_gateway.lgw_azure_01.id | |
| shared_key = local.ike_secret | |
| enable_bgp = true | |
| } | |
| # Secondary (On-Prem -> Azure) | |
| resource "azurerm_virtual_network_gateway_connection" "connection_onprem_to_azure_02" { | |
| name = "con-onprem-to-azure-02" | |
| location = azurerm_resource_group.site_onprem.location | |
| resource_group_name = azurerm_resource_group.site_onprem.name | |
| type = "IPsec" | |
| virtual_network_gateway_id = azurerm_virtual_network_gateway.gw_onprem.id | |
| local_network_gateway_id = azurerm_local_network_gateway.lgw_azure_02.id | |
| shared_key = local.ike_secret | |
| enable_bgp = true | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment