# Terraform settings: which provider this configuration needs and which
# version range is acceptable. "~> 3.0" allows any 3.x release but never 4.x.
# The exact build that gets installed is recorded in .terraform.lock.hcl;
# commit that file so every workstation and CI run resolves the same provider.
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0"
    }
  }
}
# Azure Resource Manager provider. No credentials appear here on purpose:
# the provider is expected to pick them up from the environment (Azure CLI
# session, ARM_* variables, or a managed identity), so nothing secret is
# committed with this file. The empty features block is required by azurerm.
provider "azurerm" {
  features {}
}
# Resource group that holds everything below. Every other resource takes its
# location and resource group from this one by reference, so the region is
# set in exactly one place.
resource "azurerm_resource_group" "jensen" {
  name     = "jensen-resources"
  location = "swedencentral"

  tags = {
    environment = "development"
    owner       = "Owner_Name" # TODO: replace with the accountable owner before applying
  }
}
# VNet A: the internet-facing network (10.1.0.0/16). Its address space must
# not overlap VNet B's, otherwise the peering below cannot be created.
resource "azurerm_virtual_network" "vnet_a" {
  name                = "jensen-vnet-a"
  address_space       = ["10.1.0.0/16"]
  location            = azurerm_resource_group.jensen.location
  resource_group_name = azurerm_resource_group.jensen.name # the attribute takes the group's name, not its id
}
# VNet B: the private network (10.2.0.0/16), reachable only through VNet A.
# Address space must stay disjoint from VNet A for peering to work.
resource "azurerm_virtual_network" "vnet_b" {
  name                = "jensen-vnet-b"
  address_space       = ["10.2.0.0/16"]
  location            = azurerm_resource_group.jensen.location
  resource_group_name = azurerm_resource_group.jensen.name # the attribute takes the group's name, not its id
}
# VNet peering lets the two networks talk over Azure's backbone. A peering is
# directional, so two resources are needed: this one (A -> B) and its mirror
# (B -> A) below. Every flag is spelled out, even where it equals the provider
# default, so the intended posture is visible in review.
resource "azurerm_virtual_network_peering" "a_to_b" {
  name                      = "vnet_a_to_vnet_b"
  resource_group_name       = azurerm_resource_group.jensen.name
  virtual_network_name      = azurerm_virtual_network.vnet_a.name
  remote_virtual_network_id = azurerm_virtual_network.vnet_b.id # the remote side is referenced by id, not name

  allow_virtual_network_access = true  # VMs in A may reach B; the NSG on subnet B still filters (default true)
  allow_forwarded_traffic      = false # traffic merely forwarded by B (not originated there) is dropped (default false)
  allow_gateway_transit        = false # B may not use a VPN/ExpressRoute gateway attached to A (default false)
  use_remote_gateways          = false # A does not route through a gateway attached to B (default false)
}
# Mirror peering B -> A. Both directions must exist before the link is
# "Connected"; the flags here describe B's view of A.
resource "azurerm_virtual_network_peering" "b_to_a" {
  name                      = "vnet_b_to_vnet_a"
  resource_group_name       = azurerm_resource_group.jensen.name
  virtual_network_name      = azurerm_virtual_network.vnet_b.name
  remote_virtual_network_id = azurerm_virtual_network.vnet_a.id # the remote side is referenced by id, not name

  allow_virtual_network_access = true  # VMs in B may reach A; the NSG on subnet A still filters (default true)
  allow_forwarded_traffic      = false # traffic merely forwarded by A (not originated there) is dropped (default false)
  allow_gateway_transit        = false # A may not use a VPN/ExpressRoute gateway attached to B (default false)
  use_remote_gateways          = false # B does not route through a gateway attached to A (default false)
}
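# Source allowed to open SSH (TCP/22) to subnet A. There is no default on
# purpose: the operator must supply a concrete address, and the validation
# rejects the wildcard forms so a careless tfvars entry cannot expose port 22
# to the whole internet. (The original placeholder "IP here" is not a valid
# prefix and would fail at apply time.)
variable "ssh_allowed_source_prefix" {
  description = "Single IP (e.g. 203.0.113.10) or CIDR allowed to SSH into subnet A"
  type        = string

  validation {
    condition     = !contains(["*", "0.0.0.0/0", "Internet"], var.ssh_allowed_source_prefix)
    error_message = "ssh_allowed_source_prefix must be a specific IP or CIDR, not a wildcard."
  }
}

# NSG for subnet A, the internet-facing tier.
# Rules are evaluated from the lowest priority number upwards and the first
# match wins. Only inbound rules are defined; outbound keeps Azure's defaults.
# There is deliberately no custom deny-all in this NSG, so after rule 120
# Azure's default inbound rules still apply:
#   65000 AllowVnetInBound              - VirtualNetwork tag, which includes peered VNet B
#   65001 AllowAzureLoadBalancerInBound - load-balancer health probes
#   65500 DenyAllInBound                - everything else
# If VNet B must never initiate connections into A, add a deny-all at 4096
# here; NSGs are stateful, so replies to A -> B traffic still flow.
resource "azurerm_network_security_group" "vnet_a_nsg" {
  name                = "vnet-a-nsg"
  location            = azurerm_resource_group.jensen.location
  resource_group_name = azurerm_resource_group.jensen.name

  # HTTPS: TCP to destination port 443 from any source.
  security_rule {
    name                       = "https"
    priority                   = 100 # lowest number = evaluated first
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "443"
    source_address_prefix      = "*"
    destination_address_prefix = "*"
  }

  # HTTP: TCP to destination port 80 from any source. This is plaintext; keep
  # it only if the workload answers with a redirect to HTTPS, otherwise
  # remove this rule.
  security_rule {
    name                       = "http"
    priority                   = 110
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "80"
    source_address_prefix      = "*"
    destination_address_prefix = "*"
  }

  # SSH: TCP to destination port 22, only from the operator address supplied
  # in var.ssh_allowed_source_prefix.
  security_rule {
    name                       = "allow-ssh"
    priority                   = 120
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "22"
    source_address_prefix      = var.ssh_allowed_source_prefix
    destination_address_prefix = "*"
  }
}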
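# NSG for subnet B, the private tier: reachable only from VNet A.
# Rules are evaluated from the lowest priority number upwards; the first
# match wins. The allowed source is taken from the VNet A resource rather
# than repeated as a literal, so the NSG cannot drift from the real
# address space if VNet A is ever renumbered or extended.
resource "azurerm_network_security_group" "vnet_b_nsg" {
  name                = "vnet-b-nsg"
  location            = azurerm_resource_group.jensen.location
  resource_group_name = azurerm_resource_group.jensen.name

  # Anything from VNet A: any protocol, any destination port.
  security_rule {
    name                       = "vnet-a"
    priority                   = 100
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "*"
    source_port_range          = "*"
    destination_port_range     = "*"
    source_address_prefixes    = azurerm_virtual_network.vnet_a.address_space
    destination_address_prefix = "*"
  }

  # SSH from VNet A. Fully covered by rule 100 today; it is kept as an
  # explicit rule so that narrowing rule 100 to application ports later
  # does not lock operators out of subnet B.
  security_rule {
    name                       = "allow-ssh"
    priority                   = 110
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "22"
    source_address_prefixes    = azurerm_virtual_network.vnet_a.address_space
    destination_address_prefix = "*"
  }

  # Explicit deny for everything else. 4096 is the last custom priority, but
  # it still sits above Azure's default rules (65000+), so this also
  # overrides AllowVnetInBound and AllowAzureLoadBalancerInBound. If an
  # internal load balancer is ever placed in front of subnet B, add an Allow
  # rule for the "AzureLoadBalancer" service tag with a priority below 4096,
  # or its health probes (168.63.129.16) will be dropped.
  security_rule {
    name                       = "deny-all-other-inbound"
    priority                   = 4096
    direction                  = "Inbound"
    access                     = "Deny"
    protocol                   = "*"
    source_port_range          = "*"
    destination_port_range     = "*"
    source_address_prefix      = "*"
    destination_address_prefix = "*"
  }
}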
# Subnets. One /24 per VNet, carved from the VNet's own address space.
# The subnet in VNet A (10.1.1.0/24) hosts the internet-facing workload.
resource "azurerm_subnet" "vnet_a_subnet" {
  name                 = "subnet_a"
  resource_group_name  = azurerm_resource_group.jensen.name
  virtual_network_name = azurerm_virtual_network.vnet_a.name
  address_prefixes     = ["10.1.1.0/24"]
}
# The subnet in VNet B (10.2.1.0/24) hosts the private tier.
resource "azurerm_subnet" "vnet_b_subnet" {
  name                 = "subnet_b"
  resource_group_name  = azurerm_resource_group.jensen.name
  virtual_network_name = azurerm_virtual_network.vnet_b.name
  address_prefixes     = ["10.2.1.0/24"]
}
# NSG associations. An NSG does nothing until it is attached; these bind each
# NSG to its subnet so the rules above are actually enforced on that subnet.
# Subnet A gets the internet-facing rule set.
resource "azurerm_subnet_network_security_group_association" "vnet_a_nsg_assoc" {
  subnet_id                 = azurerm_subnet.vnet_a_subnet.id
  network_security_group_id = azurerm_network_security_group.vnet_a_nsg.id
}
# Subnet B gets the private rule set (VNet A only, explicit deny for the rest).
resource "azurerm_subnet_network_security_group_association" "vnet_b_nsg_assoc" {
  subnet_id                 = azurerm_subnet.vnet_b_subnet.id
  network_security_group_id = azurerm_network_security_group.vnet_b_nsg.id
}