Azure / terraform-azurerm-avm-ptn-virtualwan

Terraform Verified Module for Azure Virtual WAN Hub Networking

This module is designed to simplify the creation of Virtual WAN-based networks in Azure: the Virtual WAN itself, its virtual hubs and, optionally, the Azure Firewall, site-to-site VPN, point-to-site VPN and ExpressRoute gateways attached to those hubs.

Features

  • Virtual WAN
  • Virtual WAN Hub:
    • Virtual WAN Hub
    • Secured Virtual Hub
    • Routing intent
  • Azure Firewall:
    • Secured Virtual Hub
    • AzureFirewallSubnet
  • Site-to-Site Virtual Network Gateway:
    • S2S VPN Gateway
    • Active-Active or Single
    • VPN Site
    • VPN Site Connection
    • Deployment of GatewaySubnet
  • Point-to-Site Virtual Network Gateway:
    • P2S VPN Gateway
    • P2S server configuration
    • Active-Active or Single
    • Deployment of GatewaySubnet
  • ER Gateway:
    • ER Gateway
    • ER Gateway Connection
    • Active-Active or Single
    • Deployment of GatewaySubnet

Example

# Virtual WAN with one hub in australiaeast, an S2S VPN gateway in that hub,
# one on-premises VPN site and one IPsec/BGP connection to it.
module "vwan_with_vhub" {
  source                         = "../../"
  resource_group_name            = "tvmVwanRg"
  location                       = "australiaeast"
  virtual_wan_name               = "tvmVwan"
  disable_vpn_encryption         = false
  allow_branch_to_branch_traffic = true
  bgp_community                  = "12076:51010"
  type                           = "Standard"
  virtual_wan_tags = {
    environment = "dev"
    deployment  = "terraform"
  }
  virtual_hubs = {
    aue-vhub = {
      name           = "aue_vhub"
      location       = "australiaeast"
      resource_group = "demo-vwan-rsg"
      address_prefix = "10.0.0.0/24"
      tags = {
        "location" = "AUE"
      }
    }
  }
  vpn_gateways = {
    "aue-vhub-vpn-gw" = {
      name            = "aue-vhub-vpn-gw"
      virtual_hub_key = "aue-vhub" # key of the entry in virtual_hubs
    }
  }
  vpn_sites = {
    "aue-vhub-vpn-site" = {
      name            = "aue-vhub-vpn-site"
      virtual_hub_key = "aue-vhub"
      links = [{
        name          = "link1"
        provider_name = "Cisco"
        bgp = {
          asn             = 65001          # on-premises BGP ASN
          peering_address = "172.16.1.254" # on-premises BGP peer address
        }
        ip_address    = "20.28.182.157" # public IP of the on-premises VPN device
        speed_in_mbps = 20
      }]
    }
  }
  vpn_site_connections = {
    "onprem1" = {
      name                = "aue-vhub-vpn-conn01"
      vpn_gateway_key     = "aue-vhub-vpn-gw"     # key of the entry in vpn_gateways
      remote_vpn_site_key = "aue-vhub-vpn-site"   # key of the entry in vpn_sites

      vpn_links = [{
        name                                  = "link1"
        bandwidth_mbps                        = 10
        bgp_enabled                           = true
        local_azure_ip_address_enabled        = false
        policy_based_traffic_selector_enabled = false
        ratelimit_enabled                     = false
        route_weight                          = 1
        # Placeholder only. The IPsec pre-shared key is a secret: in real use
        # pass it in from a sensitive variable or a Key Vault secret, never as
        # a literal committed to source control.
        shared_key                            = "AzureA1b2C3"
        vpn_site_link_number                  = 0 # link index (0 = first link)
      }]
    }
  }
}
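The connection above carries its pre-shared key as a literal and leaves the IKE/IPsec suite to whatever the gateway negotiates by default. The block below is an added example, not code from this module or its repository: it is the same site-to-site connection with the key supplied through a Terraform variable marked sensitive and with an explicit ipsec_policy, using only the field names from the vpn_site_connections and vpn_sites inputs documented further down. The variable name onprem_psk, the module path "../../", the addresses and the key names are assumptions; the algorithm names are the azurerm provider's enumerations for azurerm_vpn_gateway_connection.

```hcl
# Added example (not the module's own code). Assumed: variable name
# "onprem_psk", module path "../../", placeholder addresses and map keys.

variable "onprem_psk" {
  description = "IPsec pre-shared key for the on-premises site link. Supply it out of band (TF_VAR_onprem_psk or a secrets-backed tfvars), never commit it."
  type        = string
  sensitive   = true # kept out of plan/apply output; still stored in state

  validation {
    condition     = length(var.onprem_psk) >= 32
    error_message = "Use a long random pre-shared key (32 or more characters)."
  }
}

module "vwan_with_vhub" {
  source                         = "../../"
  resource_group_name            = "tvmVwanRg"
  location                       = "australiaeast"
  virtual_wan_name               = "tvmVwan"
  allow_branch_to_branch_traffic = true

  virtual_hubs = {
    aue-vhub = {
      name           = "aue_vhub"
      location       = "australiaeast"
      address_prefix = "10.0.0.0/24"
    }
  }

  vpn_gateways = {
    "aue-vhub-vpn-gw" = {
      name            = "aue-vhub-vpn-gw"
      virtual_hub_key = "aue-vhub"
    }
  }

  vpn_sites = {
    "aue-vhub-vpn-site" = {
      name            = "aue-vhub-vpn-site"
      virtual_hub_key = "aue-vhub"
      device_vendor   = "Cisco"
      links = [{
        name       = "link1"
        ip_address = "20.28.182.157" # public IP of the on-premises device (placeholder)
        bgp = {
          asn             = 65001
          peering_address = "172.16.1.254"
        }
      }]
    }
  }

  vpn_site_connections = {
    onprem1 = {
      name                = "aue-vhub-vpn-conn01"
      vpn_gateway_key     = "aue-vhub-vpn-gw"
      remote_vpn_site_key = "aue-vhub-vpn-site"
      # Send this branch's Internet-bound traffic through the hub (and its
      # firewall, if one is deployed) instead of breaking out locally.
      internet_security_enabled = true

      vpn_links = [{
        name                 = "link1"
        vpn_site_link_number = 0
        bgp_enabled          = true
        shared_key           = var.onprem_psk # no secret literal in source control

        # Pin the IKEv2/IPsec suite rather than accepting the negotiated
        # default. Azure requires the ESP encryption and integrity entries
        # to match when a GCM cipher is chosen, hence GCMAES256 for both.
        ipsec_policy = {
          dh_group                 = "DHGroup24"
          ike_encryption_algorithm = "AES256"
          ike_integrity_algorithm  = "SHA384"
          encryption_algorithm     = "GCMAES256"
          integrity_algorithm      = "GCMAES256"
          pfs_group                = "ECP384"
          sa_lifetime_sec          = "3600"
          sa_data_size_kb          = "102400000"
        }
      }]
    }
  }
}
```

Marking the variable sensitive only redacts it from plan and apply output; the key is still written to the Terraform state, so the state backend must be access-controlled and encrypted at rest. The same suite has to be configured on the on-premises device, or IKE negotiation will fail rather than silently fall back to a weaker proposal.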

Requirements

The following requirements are needed by this module:

Providers

The following providers are used by this module:

Resources

The following resources are used by this module:

Required Inputs

The following input variables are required:

allow_branch_to_branch_traffic

Description: Switch to allow Virtual WAN branch-to-branch traffic

Type: bool

location

Description: Virtual WAN location

Type: string

resource_group_name

Description: Virtual WAN resource group name

Type: string

virtual_wan_name

Description: Virtual WAN name

Type: string

Optional Inputs

The following input variables are optional (have default values):

Description: If true will create a resource group, otherwise will use the existing resource group supplied in resource_group_name

Type: bool

Default: false

disable_vpn_encryption

Description: Switch to disable Virtual WAN VPN encryption

Type: bool

Default: false

Description: This variable controls whether or not telemetry is enabled for the module.
For more information see https://aka.ms/avm/telemetryinfo.
If it is set to false, then no telemetry will be collected.

Type: bool

Default: true

Description: Mapping object to link ER circuits to ER Gateways for the creation of connection

Type:

map(object({
    name                                 = string
    express_route_gateway_key            = string
    express_route_circuit_peering_id     = string
    authorization_key                    = optional(string)
    enable_internet_security             = optional(bool)
    express_route_gateway_bypass_enabled = optional(bool)
    routing = optional(object({
      associated_route_table_id = string
      propagated_route_table = optional(object({
        route_table_ids = optional(list(string))
        labels          = optional(list(string))
      }))
      inbound_route_map_id  = optional(string)
      outbound_route_map_id = optional(string)
    }))
    routing_weight = optional(number)
  }))

Default: {}

Description: Express Route Gateway parameters

Type:

map(object({
    name                          = string
    virtual_hub_key               = string
    tags                          = optional(map(string))
    allow_non_virtual_wan_traffic = optional(bool)
    scale_units                   = number
  }))

Default: {}

Description: Azure Firewall parameters

Type:

map(object({
    virtual_hub_key      = string
    sku_name             = string
    sku_tier             = string
    name                 = optional(string)
    dns_servers          = optional(list(string))
    firewall_policy_id   = optional(string)
    private_ip_ranges    = optional(list(string))
    threat_intel_mode    = optional(string, "Alert")
    zones                = optional(list(string))
    vhub_public_ip_count = optional(string)
    tags                 = optional(map(string))
    default_ip_configuration = optional(object({
      name = optional(string)
      public_ip_config = optional(object({
        name       = optional(set(string))
        zones      = optional(set(string))
        ip_version = optional(string)
        sku_tier   = optional(string, "Regional")
      }))
    }))
    management_ip_configuration = optional(object({
      name                 = string
      subnet_id            = string
      public_ip_address_id = string
    }))
    ip_configuration = optional(object({
      name                 = string
      subnet_id            = string
      public_ip_address_id = string
    }))
  }))

Default: {}

Description: Specifies the Office365 local breakout category. Possible values include: Optimize, OptimizeAndAllow, All, None. Defaults to None

Type: string

Default: "None"

Description: P2S VPN Gateway server configuration parameters

Type:

map(object({
    name                     = string
    virtual_hub_key          = string
    vpn_authentication_types = list(string)
    tags                     = optional(map(string))
    client_root_certificate = object({
      name             = string
      public_cert_data = string
    })
    ipsec_policy = optional(object({
      dh_group               = string
      ike_encryption         = string
      ike_integrity          = string
      ipsec_encryption       = string
      ipsec_integrity        = string
      pfs_group              = string
      sa_lifetime_seconds    = string
      sa_data_size_kilobytes = string
    }))
    vpn_protocols = optional(list(string))
  }))

Default: {}

Description: P2S VPN Gateway parameters

Type:

map(object({
    name                                     = string
    virtual_hub_key                          = string
    tags                                     = optional(map(string))
    p2s_gateway_vpn_server_configuration_key = string
    connection_configuration = object({
      name = string
      vpn_client_address_pool = object({
        address_prefixes = list(string)
      })
    })
    routing_preference                  = optional(string)
    scale_unit                          = number
    dns_servers                         = optional(list(string))
    routing_preference_internet_enabled = optional(bool)
  }))

Default: {}

Description: Virtual WAN Resource group tags

Type: map(string)

Default: {}

Description: Routing intent for virtual hubs

Type:

map(object({
    name            = string
    virtual_hub_key = string
    routing_policies = list(object({
      name                  = string
      destinations          = list(string)
      next_hop_firewall_key = string
    }))
  }))

Default: {}

Description: (Optional) Tags of the resource.

Type: map(string)

Default: null

Description: The resource group where the telemetry will be deployed.

Type: string

Default: ""

type

Description: Type of the Virtual WAN (Basic or Standard)

Type: string

Default: "Standard"

virtual_hubs

Description: Virtual Hub parameters

Type:

map(object({
    name                   = string
    location               = string
    resource_group         = optional(string, null)
    address_prefix         = string
    tags                   = optional(map(string))
    hub_routing_preference = optional(string)
  }))

Default: {}

Description: Azure virtual network connections

Type:

map(object({
    name                      = string
    virtual_hub_key           = string
    remote_virtual_network_id = string
    internet_security_enabled = optional(bool, false)
    routing = optional(object({
      associated_route_table_id = string
      propagated_route_table = optional(object({
        route_table_ids = optional(list(string), [])
        labels          = optional(list(string), [])
      }))
      static_vnet_route = optional(object({
        name                = optional(string)
        address_prefixes    = optional(list(string), [])
        next_hop_ip_address = optional(string)
      }))
    }))
  }))

Default: {}

virtual_wan_tags

Description: Virtual WAN tags

Type: map(string)

Default: {}

vpn_gateways

Description: S2S VPN Gateway parameters

Type:

map(object({
    name                                  = string
    virtual_hub_key                       = string
    tags                                  = optional(map(string))
    bgp_route_translation_for_nat_enabled = optional(bool)
    bgp_settings = optional(object({
      asn                            = number
      instance_0_bgp_peering_address = optional(string)
      instance_1_bgp_peering_address = optional(string)
      peer_weight                    = number
    }))
    routing_preference = optional(string)
    scale_unit         = optional(number)
  }))

Default: {}

vpn_site_connections

Description: S2S VPN Site Connections parameters

Type:

map(object({
    name                = string
    vpn_gateway_key     = string
    remote_vpn_site_key = string
    vpn_links = list(object({
      name                 = string
      egress_nat_rule_ids  = optional(list(string))
      ingress_nat_rule_ids = optional(list(string))
      # Index of the link on the vpn gateway
      vpn_site_link_number = number
      bandwidth_mbps       = optional(number)
      bgp_enabled          = optional(bool)
      connection_mode      = optional(string)

      ipsec_policy = optional(object({
        dh_group                 = string
        ike_encryption_algorithm = string
        ike_integrity_algorithm  = string
        encryption_algorithm     = string
        integrity_algorithm      = string
        pfs_group                = string
        sa_data_size_kb          = string
        sa_lifetime_sec          = string
      }))
      protocol                              = optional(string)
      ratelimit_enabled                     = optional(bool)
      route_weight                          = optional(number)
      shared_key                            = optional(string)
      local_azure_ip_address_enabled        = optional(bool)
      policy_based_traffic_selector_enabled = optional(bool)
      custom_bgp_address = optional(list(object({
        ip_address          = string
        ip_configuration_id = string
      })))
    }))
    internet_security_enabled = optional(bool)
    routing = optional(object({
      associated_route_table = string
      propagated_route_table = optional(object({
        route_table_ids = optional(list(string))
        labels          = optional(list(string))
      }))
      inbound_route_map_id  = optional(string)
      outbound_route_map_id = optional(string)
    }))
    traffic_selector_policy = optional(object({
      local_address_ranges  = string
      remote_address_ranges = string
    }))
  }))

Default: {}

vpn_sites

Description: S2S VPN Sites parameters

Type:

map(object({
    name = string
    # Key of the hub in virtual_hubs that this site is attached to
    virtual_hub_key = string
    links = list(object({
      name = string
      bgp = optional(object({
        asn             = number
        peering_address = string
      }))
      fqdn          = optional(string)
      ip_address    = optional(string)
      provider_name = optional(string)
      speed_in_mbps = optional(number)
    }))
    address_cidrs = optional(list(string))
    device_model  = optional(string)
    device_vendor = optional(string)
    o365_policy = optional(object({
      traffic_category = object({
        allow_endpoint_enabled    = optional(bool)
        default_endpoint_enabled  = optional(bool)
        optimize_endpoint_enabled = optional(bool)
      })
    }))
    tags = optional(map(string))
  }))

Default: {}
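The Azure Firewall, routing intent and virtual network connection inputs above are what turn a hub into a secured virtual hub: the firewall sits in the hub, routing intent steers Internet-bound and private (VNet and branch) traffic to it, and a connection with internet security enabled receives a default route pointing at the hub. The block below is an added example, not code from this module or its repository, wiring those three inputs together. The input names firewalls, routing_intents and virtual_network_connections are inferred from the descriptions above and are not stated on this page, so treat them as assumptions, as are the variable names, the module path "../../" and the map keys; the SKU, tier, threat intelligence mode and destination values are the azurerm provider's enumerations for azurerm_firewall and azurerm_virtual_hub_routing_intent.

```hcl
# Added example (not the module's own code). Assumed: the input names
# firewalls / routing_intents / virtual_network_connections, the variable
# names below, module path "../../" and all map keys.

variable "firewall_policy_id" {
  description = "Resource ID of an existing Azure Firewall Policy (Premium tier) holding the rule collections."
  type        = string
}

variable "spoke_vnet_id" {
  description = "Resource ID of the spoke virtual network to attach to the hub."
  type        = string
}

module "secured_hub" {
  source                         = "../../"
  resource_group_name            = "tvmVwanRg"
  location                       = "australiaeast"
  virtual_wan_name               = "tvmVwan"
  allow_branch_to_branch_traffic = true

  virtual_hubs = {
    aue-vhub = {
      name           = "aue_vhub"
      location       = "australiaeast"
      address_prefix = "10.0.0.0/24"
    }
  }

  firewalls = {
    aue-fw = {
      name               = "aue-vhub-fw"
      virtual_hub_key    = "aue-vhub"
      sku_name           = "AZFW_Hub"  # hub-integrated SKU required for Virtual WAN
      sku_tier           = "Premium"   # TLS inspection and IDPS need Premium
      firewall_policy_id = var.firewall_policy_id
      threat_intel_mode  = "Deny"      # block, not merely alert, on threat-intel hits
      zones              = ["1", "2", "3"]
    }
  }

  # Routing intent replaces hand-maintained hub route tables: every
  # Internet-bound and private (VNet/branch) flow is next-hopped to the firewall.
  routing_intents = {
    aue-intent = {
      name            = "aue-vhub-routing-intent"
      virtual_hub_key = "aue-vhub"
      routing_policies = [
        {
          name                  = "InternetTraffic"
          destinations          = ["Internet"]
          next_hop_firewall_key = "aue-fw"
        },
        {
          name                  = "PrivateTraffic"
          destinations          = ["PrivateTraffic"]
          next_hop_firewall_key = "aue-fw"
        },
      ]
    }
  }

  virtual_network_connections = {
    spoke1 = {
      name                      = "aue-spoke1-conn"
      virtual_hub_key           = "aue-vhub"
      remote_virtual_network_id = var.spoke_vnet_id
      # Propagates 0.0.0.0/0 to the spoke so its egress goes to the hub, and
      # therefore through the firewall, instead of straight to the Internet.
      internet_security_enabled = true
    }
  }
}
```

Two checks worth making after apply: the spoke's effective routes should show a 0.0.0.0/0 next hop of the hub (if internet_security_enabled is left at its false default no default route is propagated, and the spoke egresses directly), and spoke-to-spoke or spoke-to-branch flows should appear in the firewall's network rule logs, which confirms the PrivateTraffic policy is in effect. A firewall policy with no allow rules will drop all of that traffic, so rule collections must exist before the intent is applied.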

Outputs

The following outputs are exported:

Description: ExpressRoute Gateway ID

Description: Firewall Name

Description: P2S VPN Gateway ID

Description: Resource Group Name

Description: S2S VPN Gateway Objects

Description: S2S VPN Gateway ID

Description: Virtual Hub ID

Description: Virtual WAN ID

Modules

No modules.

Data Collection

The software may collect information about you and your use of the software and send it to Microsoft. Microsoft may use this information to provide services and improve our products and services. You may turn off the telemetry as described in the repository. There are also some features in the software that may enable you and Microsoft to collect data from users of your applications. If you use these features, you must comply with applicable law, including providing appropriate notices to users of your applications together with a copy of Microsoft’s privacy statement. Our privacy statement is located at https://go.microsoft.com/fwlink/?LinkID=824704. You can learn more about data collection and use in the help documentation and our privacy statement. Your use of the software operates as your consent to these practices.

About

License: MIT License
