Load Balancer Module for Azure
A Terraform module for deploying a Load Balancer for VM-Series firewalls. Supports both standalone and scale set deployments. Supports either inbound or outbound configuration.
The module creates a single load balancer and a single backend for it, but it allows multiple frontends.
In case of a public load balancer, reusing the same frontend for inbound and outbound rules is possible - to achieve this, a key in outbound_rules has to match a corresponding key from
For usage see any of the reference architecture examples.
|terraform||>= 1.2, < 2.0|
|frontend_ips||A map of objects describing LB Frontend IP configurations, inbound and outbound rules. Used for both public and private load balancers. |
Keys of the map are names of LB Frontend IP configurations.
Each Frontend IP configuration can have multiple rules assigned. They are defined in maps called
Here is a list of properties supported by each
Forward to a different port on backend pool
Session persistence/Load distribution
By default, the Load Balancer uses a 5-tuple hash to map traffic to available servers. This can be controlled using
Each Frontend IP config can have outbound rules specified. Setting at least one
The following properties are available:
|resource_group_name||Name of a pre-existing Resource Group to place the resources in.||n/a||yes|
|location||Region to deploy load balancer and dependencies.||n/a||yes|
|backend_name||The name of the backend pool to create. All the frontends of the load balancer always use the same single backend.||no|
|name||The name of the load balancer.||n/a||yes|
|probe_name||The name of the load balancer probe.||no|
|probe_port||Health check port number of the load balancer probe.||no|
|network_security_allow_source_ips||List of IP CIDR ranges (such as |
If it is empty, the user is responsible for configuring a Network Security Group separately.
The list cannot include Azure tags like "Internet" or "Sql.EastUS".
|network_security_resource_group_name||Name of the Resource Group where the ||no|
|network_security_group_name||Name of the pre-existing Network Security Group (NSG) where to add auto-generated rules. Each NSG rule corresponds to a single |
The user is responsible for associating the NSG with the load balancer's subnet; the module only supplies the rules.
If empty, the user is responsible for configuring an NSG separately.
|network_security_base_priority||The base number from which the auto-generated priorities of the NSG rules grow.|
|tags||Azure tags to apply to the created resources.||no|
|avzones||Controls zones for load balancer's Frontend IP configurations. For:|
public IPs - these are regions in which the IP resource is available
private IPs - this represents Zones to which Azure will deploy paths leading to this Frontend IP.
For public IPs, after provider version 3.x (Azure API upgrade) you need to specify all zones available in a region (typically 3), i.e. for zone-redundant with 3 availability zones in the current region the value will be:
|backend_pool_id||The identifier of the backend pool.|
|frontend_ip_configs||Map of IP addresses, one per each entry of |
|health_probe||The health probe object.|
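
A pre-flight check for a list destined for network_security_allow_source_ips, following the rule stated for that input: it takes IP CIDR ranges and cannot include Azure tags like "Internet" or "Sql.EastUS". This is an added example, not part of the module; check_allow_source_ips, SAMPLE, and the choices to normalise bare addresses to /32 and to reject ranges with host bits set are assumptions of the example.

```python
"""Pre-flight check for the loadbalancer module's network_security_allow_source_ips input."""
import ipaddress


def check_allow_source_ips(entries):
    """Return (accepted, problems) for a candidate network_security_allow_source_ips list.

    accepted: de-duplicated, normalised CIDR strings in input order.
    problems: (entry, reason) tuples for everything that should not be passed on.
    """
    accepted, problems = [], []
    for raw in entries:
        entry = raw.strip() if isinstance(raw, str) else ""
        if not entry:
            problems.append((raw, "empty or non-string entry"))
            continue
        try:
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError:
            try:
                # Parses only when host bits are ignored, e.g. 10.0.0.5/24.
                loose = ipaddress.ip_network(entry, strict=False)
                problems.append((entry, f"host bits set, range would be {loose}"))
            except ValueError:
                # Covers Azure tags such as "Internet" or "Sql.EastUS".
                problems.append((entry, "not an IP CIDR range"))
            continue
        cidr = str(net)  # a bare address is normalised to /32 (or /128 for IPv6)
        if cidr in accepted:
            problems.append((entry, f"duplicate of {cidr}"))
        else:
            accepted.append(cidr)
    return accepted, problems


# Constructed sample input (documentation address ranges), not taken from the module.
SAMPLE = ["203.0.113.0/24", "198.51.100.7", "Internet", "Sql.EastUS",
          "10.0.0.5/24", "203.0.113.0/24", ""]

if __name__ == "__main__":
    ok, bad = check_allow_source_ips(SAMPLE)
    print("pass to module:", ok)
    for entry, reason in bad:
        print(f"rejected {entry!r}: {reason}")
    if not ok:
        # Per the input's description, an empty list leaves NSG configuration to the user.
        print("list is empty: the NSG must be configured separately")
```

Running the check in CI before terraform plan surfaces a rejected entry with its reason, rather than leaving it to fail later as an NSG rule error.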