terraform-azurerm-overlays-management-hub

Category: Civil Engineering
Development tool: HCL
File size: 0KB
Downloads: 0
Upload date: 2024-03-05 13:06:24
Uploader: sh-1993
Description: Terraform module overlay to create an SCCA compliant Management Hub based on the Microsoft Azure Hub-Spoke architecture, for use with Azure NoOps.

File list:
.devcontainer/
docs/images/
examples/
modules/
test/
.editorconfig
CHANGELOG.md
CONTRIBUTING.md
LICENSE
NOTICE
SECURITY.md
data.tf
locals.naming.tf
locals.tags.tf
locals.telemetry.tf
locals.tf
modules.management.hub.dns.tf
modules.management.hub.scaffolding.tf
modules.management.hub.storage.account.tf
modules.management.logging.tf
naming.tf
outputs.tf
resources.management.hub.bastion.tf
resources.management.hub.fw.policy.tf
resources.management.hub.fw.tf
resources.management.hub.locks.tf
resources.management.hub.network.watcher.tf
resources.management.hub.nsg.rules.tf
resources.management.hub.nsg.tf
resources.management.hub.role.tf
resources.management.hub.route.table.tf
resources.management.hub.snet.tf
resources.management.hub.telemetry.tf
resources.management.hub.vnet.tf
variables.bastion.tf
variables.dns.tf

# Azure Management Virtual Network Hub Overlay with Firewall Terraform Module

[![Changelog](https://img.shields.io/badge/changelog-release-green.svg)](CHANGELOG.md) [![Notice](https://img.shields.io/badge/notice-copyright-yellow.svg)](NOTICE) [![MIT License](https://img.shields.io/badge/license-MIT-orange.svg)](LICENSE) [![TF Registry](https://img.shields.io/badge/terraform-registry-blue.svg)](https://registry.terraform.io/modules/azurenoops/overlays-management-hub/azurerm/)

This Terraform module deploys a Management Virtual Network Hub Overlay using the [Microsoft recommended Hub-Spoke network topology](https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/hub-spoke). Usually there is only one hub in each region, with multiple spokes; each spoke can also live in a separate subscription.

## Using Azure Clouds

This module is built for both the Azure public cloud and Azure Government. The `environment` variable defaults to `public`. When using this module with Azure Government, set the module's `environment` variable to `usgovernment` and set the azurerm provider's `environment` argument to the same cloud, so that the Azure Government endpoints are used. The `location` variable must also be a valid Azure Government region.

Example usage for Azure Government:

```hcl
provider "azurerm" {
  environment = "usgovernment"
  features {}
}

module "overlays-management-hub" {
  source  = "azurenoops/overlays-management-hub/azurerm"
  version = "x.x.x" # pin to a released version

  location    = "usgovvirginia"
  environment = "usgovernment"
  ...
}
```

### Resource Provider List

Terraform requires the following resource providers to be registered in the target subscription:

- Microsoft.Network
- Microsoft.Storage
- Microsoft.Compute
- Microsoft.KeyVault
- Microsoft.Authorization
- Microsoft.Resources
- Microsoft.OperationalInsights
- Microsoft.GuestConfiguration
- Microsoft.Insights
- Microsoft.Advisor
- Microsoft.Security
- Microsoft.OperationsManagement
- Microsoft.AAD
- Microsoft.AlertsManagement
- Microsoft.AnalysisServices
- Microsoft.Automation
- Microsoft.Subscription
- Microsoft.Support
- Microsoft.PolicyInsights
- Microsoft.SecurityInsights
- Microsoft.Monitor
- Microsoft.Management
- Microsoft.ManagedServices
- Microsoft.ManagedIdentity
- Microsoft.Billing
- Microsoft.Consumption

Please note that some of these resource providers may not be available in Azure Government. Check the [Azure Government documentation](https://docs.microsoft.com/en-us/azure/azure-government/documentation-government-get-started-connect-with-cli) for more information.

## SCCA Compliance

This module is SCCA compliant and can be used in an SCCA compliant network. Enable the SCCA compliant network rules to make the deployment SCCA compliant. For more information, please read the [SCCA documentation](https://www.cisa.gov/secure-cloud-computing-architecture).

## Contributing

If you want to contribute to this repository, feel free to contribute to our Terraform module. More details are available in the [CONTRIBUTING.md](./CONTRIBUTING.md#pull-request-process) file.

## Management Hub Overlay Architecture

The following reference architecture shows how to implement an SCCA compliant hub-spoke topology in Azure. The Management Hub Overlay is a virtual network in Azure that acts as the central point of connectivity to an optional on-premises network. The spokes are virtual networks that peer with the Management Hub Overlay and can be used to isolate workloads.
Traffic between the on-premises datacenter and the hub flows over an ExpressRoute or VPN gateway connection. AzureFirewallSubnet and GatewaySubnet do not carry any UDR (User Defined Route) or NSG (Network Security Group) rules. Management and DMZ subnets route all outgoing traffic through the firewall instance.

Source: [Microsoft Azure Hub-Spoke Topology Documentation](https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/hub-spoke)

![Architecture](https://github.com/azurenoops/terraform-azurerm-overlays-management-hub/blob/main/docs/images/mission_enclave_hub_simple.png)

## Resources Supported

- [Virtual Network](https://www.terraform.io/docs/providers/azurerm/r/virtual_network.html)
- [Subnets](https://www.terraform.io/docs/providers/azurerm/r/subnet.html)
- [Subnet Service Delegation](https://www.terraform.io/docs/providers/azurerm/r/subnet.html#delegation)
- [Virtual Network service endpoints](https://www.terraform.io/docs/providers/azurerm/r/subnet.html#service_endpoints)
- [Private Link service/Endpoint network policies on Subnet](https://www.terraform.io/docs/providers/azurerm/r/subnet.html#enforce_private_link_endpoint_network_policies)
- [Azure Network DDoS Protection Plan](https://www.terraform.io/docs/providers/azurerm/r/network_ddos_protection_plan.html)
- [Network Security Groups](https://www.terraform.io/docs/providers/azurerm/r/network_security_group.html)
- [Azure Firewall](https://www.terraform.io/docs/providers/azurerm/r/firewall.html)
- [Azure Firewall Application Rule Collection](https://www.terraform.io/docs/providers/azurerm/r/firewall_application_rule_collection.html)
- [Azure Firewall Network Rule Collection](https://www.terraform.io/docs/providers/azurerm/r/firewall_network_rule_collection.html)
- [Azure Firewall NAT Rule Collection](https://www.terraform.io/docs/providers/azurerm/r/firewall_nat_rule_collection.html)
- [Route Table](https://www.terraform.io/docs/providers/azurerm/r/route_table.html)
- [Role Assignment for Peering](https://www.terraform.io/docs/providers/azurerm/r/role_assignment.html)
- [Storage Account for Log Archive](https://www.terraform.io/docs/providers/azurerm/r/storage_account.html)
- [Log Analytics Workspace](https://www.terraform.io/docs/providers/azurerm/r/log_analytics_workspace.html)
- [Azure Monitoring Diagnostics](https://www.terraform.io/docs/providers/azurerm/r/monitor_diagnostic_setting.html)
- [Network Watcher](https://www.terraform.io/docs/providers/azurerm/r/network_watcher.html)
- [Network Watcher Flow Logs](https://www.terraform.io/docs/providers/azurerm/r/network_watcher_flow_log.html)
- [Private DNS Zone](https://www.terraform.io/docs/providers/azurerm/r/private_dns_zone.html)

## Module Usage

```terraform
# Azurerm provider configuration
provider "azurerm" {
  features {}
}

module "mod_vnet_hub" {
  source  = "azurenoops/overlays-management-hub/azurerm"
  version = "x.x.x"

  # By default, this module will create a resource group; provide the name here.
  # To use an existing resource group, specify the existing resource group name
  # and set `create_hub_resource_group = false`. Location will be the same as the existing RG.
  create_hub_resource_group = true
  location                  = "eastus"
  deploy_environment        = "dev"
  org_name                  = "anoa"
  environment               = "public"
  workload_name             = "hub-core"

  # Logging
  # Enable Azure Monitor Private Link Scope
  enable_ampls = var.enable_ampls
  # (Optional) AMPLS subnet parameter
  ampls_subnet_address_prefix = var.ampls_subnet_address_prefix

  # By default, Azure NoOps will create a Log Analytics Workspace in the Hub VNet.
  log_analytics_workspace_sku          = var.log_analytics_workspace_sku
  log_analytics_logs_retention_in_days = var.log_analytics_logs_retention_in_days

  # Logging solutions
  # All solutions are enabled (true) by default
  enable_azure_activity_log    = var.enable_azure_activity_log
  enable_vm_insights           = var.enable_vm_insights
  enable_azure_security_center = var.enable_azure_security_center
  enable_container_insights    = var.enable_container_insights
  enable_key_vault_analytics   = var.enable_key_vault_analytics
  enable_service_map           = var.enable_service_map

  # Provide a valid VNet address space and specify a valid domain name for the Private DNS Zone.
  virtual_network_address_space           = ["10.0.0.0/16"]     # (Required) Hub Virtual Network address space
  firewall_subnet_address_prefix          = ["10.0.100.0/26"]   # (Required) AzureFirewallSubnet, must be a /26
  firewall_management_snet_address_prefix = ["10.0.100.128/26"] # (Optional) AzureFirewallManagementSubnet, must be a /26
  gateway_subnet_address_prefix           = ["10.0.100.192/27"] # (Optional) GatewaySubnet

  # (Required) Hub subnets
  # Each entry creates a subnet with its service endpoints, optional service delegation
  # and an NSG that is associated automatically; `nsg_subnet_rules` adds user-defined NSG rules.
  # The firewall and gateway subnets above are carved out of the VNet address space first,
  # so the prefixes listed here must not overlap them. Subnet names follow the Azure NoOps
  # naming convention by default. Check README.md for more details.
  hub_subnets = {
    default = {
      name                                       = "hub-core"
      address_prefixes                           = ["10.0.100.64/26"]
      service_endpoints                          = ["Microsoft.Storage"]
      private_endpoint_network_policies_enabled  = false
      private_endpoint_service_endpoints_enabled = true
    }
    dmz = {
      name                                       = "appgateway"
      address_prefixes                           = ["10.0.100.224/27"]
      service_endpoints                          = ["Microsoft.Storage"]
      private_endpoint_network_policies_enabled  = false
      private_endpoint_service_endpoints_enabled = true
      nsg_subnet_rules = [
        {
          name                       = "allow-443"
          description                = "Allow access to port 443"
          priority                   = 100
          direction                  = "Inbound"
          access                     = "Allow"
          protocol                   = "*"
          source_port_range          = "*"
          destination_port_range     = "443"
          source_address_prefix      = "*"
          destination_address_prefix = "*"
        },
        {
          # NTP clients send from an ephemeral port to UDP/123, so the
          # destination port, not the source port, is pinned to 123.
          name                       = "ntp_out"
          description                = "Allow NTP out on 123"
          priority                   = 400
          direction                  = "Outbound"
          access                     = "Allow"
          protocol                   = "Udp"
          source_port_range          = "*"
          destination_port_range     = "123"
          source_address_prefix      = "0.0.0.0/0"
          destination_address_prefix = "*"
        }
      ]
    }
  }

  # Firewall settings
  # By default, Azure NoOps will create Azure Firewall in the Hub VNet.
  # If you do not want to create Azure Firewall, set enable_firewall to false.
  # This allows a different firewall product to be used (for example F5).
  enable_firewall = true

  # By default, forced tunneling is enabled for Azure Firewall.
  # If you do not want forced tunneling, set enable_forced_tunneling to false.
  enable_forced_tunneling = true

  # (Optional) Availability zones for the firewall.
  # Availability zones can only be configured during deployment;
  # you can't modify an existing firewall to include availability zones.
  firewall_zones = [1, 2, 3]

  # (Optional) Network rules for Azure Firewall.
  # These are the default values; omit this argument to keep the defaults.
  firewall_network_rules_collection = [
    {
      name     = "AllowAzureCloud"
      priority = "100"
      action   = "Allow"
      rules = [
        {
          name                  = "AzureCloud"
          protocols             = ["Any"]
          source_addresses      = ["*"]
          destination_addresses = ["AzureCloud"]
          destination_ports     = ["*"]
        }
      ]
    },
    {
      name     = "AllowTrafficBetweenSpokes"
      priority = "200"
      action   = "Allow"
      rules = [
        {
          name                  = "AllSpokeTraffic"
          protocols             = ["Any"]
          source_addresses      = ["10.96.0.0/19"]
          destination_addresses = ["*"]
          destination_ports     = ["*"]
        }
      ]
    }
  ]

  # (Optional) Application rules for Azure Firewall.
  # These are the default values; omit this argument to keep the defaults.
  firewall_application_rule_collection = [
    {
      name     = "AzureAuth"
      priority = "110"
      action   = "Allow"
      rules = [
        {
          name              = "msftauth"
          source_addresses  = ["*"]
          destination_fqdns = ["aadcdn.msftauth.net", "aadcdn.msauth.net"]
          protocols = {
            type = "Https"
            port = 443
          }
        }
      ]
    }
  ]

  # Private DNS Zone settings
  # By default, Azure NoOps creates the Private DNS Zones needed for logging in the Hub VNet.
  # To create additional Private DNS Zones, list them in private_dns_zones;
  # otherwise remove the private_dns_zones argument.
  private_dns_zones = ["privatelink.file.core.windows.net"]

  # By default, this module creates a bastion host;
  # set `enable_bastion_host = false` to disable it.
  enable_bastion_host                 = true
  azure_bastion_host_sku              = "Standard"
  azure_bastion_subnet_address_prefix = ["10.0.200.0/27"]

  # By default, this module applies resource locks to all resources it creates.
  # To disable resource locks, set `enable_resource_locks = false`.
  enable_resource_locks = false

  # Tags
  add_tags = {
    Example = "Management Hub Overlay"
  } # Tags to be applied to all resources
}
```

## Hub Networking

Hub networking is set up in a Management Hub Overlay design based on the SCCA hub/spoke architecture. The Management Hub Overlay is the central point of connectivity to many different networks. The following parameters affect the Management Virtual Network Hub Overlay.

Parameter name | Location | Default Value | Description
-------------- | -------- | ------------- | -----------
`virtual_network_address_space` | `variables.vnet.tf` | `10.0.100.0/24` | The CIDR address prefix for the Hub Virtual Network.
`subnet_address_prefix` | `variables.snet.tf` | `10.0.100.128/27` | The CIDR address prefix for the default Hub subnet. It must be in the Hub Virtual Network space.
`firewall_client_snet_address_prefix` | `variables.fw.tf` | `10.0.100.0/26` | The CIDR address prefix for the Azure Firewall Subnet. It must be in the Hub Virtual Network space and must be a /26.
`firewall_management_snet_address_prefix` | `variables.fw.tf` | `10.0.100.64/26` | The CIDR address prefix for the Azure Firewall Management Subnet. It must be in the Hub Virtual Network space and must be a /26.

## Subnets

This module handles the creation of subnets from a list of address spaces. It uses `for_each` to create the subnets and their corresponding service endpoints, service delegations and network security groups, and it associates each subnet with its network security group together with any additional user-defined NSG rules. This module creates 4 subnets by default: GatewaySubnet, AzureFirewallSubnet, AzureFirewallManagementSubnet and AzureBastionSubnet.
Name | Description
---- | -----------
GatewaySubnet | Contains the VPN gateway or ExpressRoute gateway.
AzureFirewallSubnet | If the firewall module is added, deploys an Azure Firewall that inspects all incoming and outgoing traffic.
AzureFirewallManagementSubnet | An additional dedicated subnet named AzureFirewallManagementSubnet (minimum size /26) with its own public IP address, required when forced tunneling is enabled. This public IP address carries management traffic only. It is used exclusively by the Azure platform and can't be used for any other purpose.
AzureBastionSubnet | Management subnet for the Bastion host, reachable from the gateway.
PrivateEndpointSubnet | Hosts the private endpoints used by Azure Monitor (the AMPLS subnet configured with `ampls_subnet_address_prefix`).

Both GatewaySubnet and AzureFirewallSubnet allow traffic out and can have public IPs. Management subnets route traffic through the firewall and do not support public IPs, because a public IP on a host behind the firewall would cause asymmetric routing.

## Virtual Network service endpoints

Service endpoints connect certain platform services into virtual networks. With this option, Azure virtual machines can interact with Azure SQL and Azure Storage accounts as if they were part of the same virtual network, rather than reaching them over the public endpoint. This module supports enabling the service endpoint of your choosing under the virtual network on the specified subnet. The service endpoints that can be associated with a subnet include: `Microsoft.AzureActiveDirectory`, `Microsoft.AzureCosmosDB`, `Microsoft.ContainerRegistry`, `Microsoft.EventHub`, `Microsoft.KeyVault`, `Microsoft.ServiceBus`, `Microsoft.Sql`, `Microsoft.Storage` and `Microsoft.Web`.

```hcl
module "vnet-hub" {
  source  = "azurenoops/overlays-management-hub/azurerm"
  version = "x.x.x"

  # .... omitted

  # Multiple subnets, service delegation, service endpoints
  hub_subnets = {
    mgmt_subnet = {
      name              = "management"
      address_prefixes  = ["10.1.2.0/24"]
      service_endpoints = ["Microsoft.Storage"]
    }
  }

  # .... omitted
}
```

## Subnet Service Delegation

Subnet delegation lets you designate a specific subnet for an Azure PaaS service of your choice that needs to be injected into your virtual network. Subnet delegation gives you full control over how Azure services are integrated into virtual networks. This module supports enabling the service delegation of your choosing under the virtual network on the specified subnet. For more information, check the [terraform resource documentation](https://www.terraform.io/docs/providers/azurerm/r/subnet.html#service_delegation).

```hcl
module "vnet-hub" {
  source  = "azurenoops/overlays-management-hub/azurerm"
  version = "x.x.x"

  # .... omitted

  # Multiple subnets, service delegation, service endpoints
  hub_subnets = {
    mgmt_subnet = {
      name             = "management"
      address_prefixes = ["10.1.2.0/24"]
      delegation = {
        name = "demodelegationcg"
        service_delegation = {
          name    = "Microsoft.ContainerInstance/containerGroups"
          actions = ["Microsoft.Network/virtualNetworks/subnets/join/action", "Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action"]
        }
      }
    }
  }

  # .... omitted
}
```

## `private_endpoint_network_policies_enabled` - Private Link Endpoint on the subnet

Network policies, like network security groups (NSG), are not supported for Private Link Endpoints. In order to deploy a Private Link Endpoint on a given subnet, you must disable network policies on that subnet by setting the `private_endpoint_network_policies_enabled` attribute to `false` (this is the setting used in the Module Usage example above). This setting is only applicable for the Private Link Endpoint, for all o ... ...
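The Hub Networking table and the Module Usage block above hard-code each subnet prefix separately, and the default `firewall_network_rules_collection` allows the whole spoke range to reach any destination on any port, which leaves the firewall little to enforce. The following root module is an added example for this README, not code from the azurenoops project: it derives a non-overlapping hub address plan from one VNet prefix with `cidrsubnet()`, turns the subnet size rules into plan-time preconditions, and passes a narrowed rule set to the module. The spoke range in `local.spoke_cidrs`, the DNS forwarder address and the `version` pin are assumptions to be replaced with real values.

```hcl
# Added example, not code from the azurenoops project. It carves one VNet prefix into the
# hub subnets with cidrsubnet(), enforces the README's subnet size rules at plan time and
# narrows the permissive default firewall rules. local.spoke_cidrs and the DNS forwarder
# address are assumed values; replace them with the real ones for your enclave.
provider "azurerm" { features {} }

locals {
  vnet_cidr   = "10.0.0.0/16"
  spoke_cidrs = ["10.96.0.0/19"] # assumed spoke address space

  # Reserve one /24 of the VNet for the hub and carve it without overlap.
  hub_block = cidrsubnet(local.vnet_cidr, 8, 100) # 10.0.100.0/24
  snet = {
    firewall = cidrsubnet(local.hub_block, 2, 0) # 10.0.100.0/26   AzureFirewallSubnet
    fw_mgmt  = cidrsubnet(local.hub_block, 2, 1) # 10.0.100.64/26  AzureFirewallManagementSubnet
    bastion  = cidrsubnet(local.hub_block, 2, 2) # 10.0.100.128/26 AzureBastionSubnet
    gateway  = cidrsubnet(local.hub_block, 3, 6) # 10.0.100.192/27 GatewaySubnet
    default  = cidrsubnet(local.hub_block, 3, 7) # 10.0.100.224/27 default hub subnet
  }
  prefix_len = { for k, v in local.snet : k => tonumber(split("/", v)[1]) }

  # Azure reserves the first four addresses of every subnet; .4 is the first usable host.
  hub_dns = cidrhost(local.snet.default, 4) # 10.0.100.228, assumed DNS forwarder
}

# Fail the plan, not the apply, if the carve-up breaks the size rules: firewall subnets
# exactly /26 (README), AzureBastionSubnet /26 or larger and GatewaySubnet /27 or larger.
resource "terraform_data" "address_plan" {
  lifecycle {
    precondition {
      condition     = local.prefix_len.firewall == 26 && local.prefix_len.fw_mgmt == 26
      error_message = "AzureFirewallSubnet and AzureFirewallManagementSubnet must be /26."
    }
    precondition {
      condition     = local.prefix_len.bastion <= 26 && local.prefix_len.gateway <= 27
      error_message = "AzureBastionSubnet must be /26 or larger, GatewaySubnet /27 or larger."
    }
  }
}

module "mod_vnet_hub" {
  source  = "azurenoops/overlays-management-hub/azurerm"
  version = "x.x.x" # pin to a released version

  create_hub_resource_group = true
  location                  = "eastus"
  deploy_environment        = "dev"
  org_name                  = "anoa"
  environment               = "public"
  workload_name             = "hub-core"

  virtual_network_address_space           = [local.vnet_cidr]
  firewall_subnet_address_prefix          = [local.snet.firewall]
  firewall_management_snet_address_prefix = [local.snet.fw_mgmt]
  gateway_subnet_address_prefix           = [local.snet.gateway]
  azure_bastion_subnet_address_prefix     = [local.snet.bastion]

  hub_subnets = {
    default = {
      name                                       = "hub-core"
      address_prefixes                           = [local.snet.default]
      service_endpoints                          = ["Microsoft.Storage"]
      private_endpoint_network_policies_enabled  = false
      private_endpoint_service_endpoints_enabled = true
    }
  }

  enable_firewall         = true
  enable_forced_tunneling = true

  # Replaces the README defaults ("*" to AzureCloud on any port, the whole spoke range to
  # "*" on any port). Azure Firewall denies anything not matched, so only these flows pass.
  firewall_network_rules_collection = [{
    name     = "AllowSpokeBaseline"
    priority = "200"
    action   = "Allow"
    rules = [
      {
        name                  = "dns-to-hub-forwarder"
        protocols             = ["TCP", "UDP"]
        source_addresses      = local.spoke_cidrs
        destination_addresses = [local.hub_dns]
        destination_ports     = ["53"]
      },
      {
        name                  = "https-to-azure-services"
        protocols             = ["TCP"]
        source_addresses      = local.spoke_cidrs
        destination_addresses = ["AzureCloud"]
        destination_ports     = ["443"]
      }
    ]
  }]
}
```

Passing `firewall_network_rules_collection` replaces the module defaults rather than adding to them, so every flow a spoke needs (DNS, updates, spoke-to-spoke application ports) must be listed explicitly; anything else is dropped at the firewall once the spokes' default route points at it. The preconditions live on a `terraform_data` resource because `check` blocks only warn, whereas a failed precondition aborts `terraform plan`. Note that Azure now requires /26 or larger for AzureBastionSubnet; the /27 in the Module Usage example dates from when /27 was accepted, and a fresh deployment should size it as shown here.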
