Palo Alto Networks VNet Module for Azure
A Terraform module for deploying a Virtual Network and its components required for the VM-Series firewalls in Azure.
Usage
This module is designed to work in several modes depending on which variables or flags are set. Most common usage scenarios are:
create all - creates a VNET, Subnet, NSGs and Route Tables. In this example the two latter are assigned to the Subnet. The NSG and Route Table have rules defined:
name = "transit"
resource_group_name = "existing-rg"
address_space = ["10.0.0.0/25"]
network_security_groups = {
inbound = {
name = "inbound-nsg"
rules = {
mgmt_inbound = {
name = "allow-traffic"
priority = 100
direction = "Inbound"
access = "Allow"
protocol = "Tcp"
source_address_prefixes = ["1.1.1.1/32"] # TODO: Whitelist public IP addresses that will be used to manage the appliances
source_port_range = "*"
destination_address_prefix = "10.0.0.0/28"
destination_port_ranges = ["22", "443"]
}
}
}
}
route_tables = {
default = {
name = "default-rt"
routes = {
"default" = {
name = "default-udr"
address_prefix = "0.0.0.0/0"
next_hop_type = "VirtualAppliance"
next_hop_in_ip_address = "5.6.7.8"
}
}
}
}
subnets = {
"subnet" = {
name = "snet"
address_prefixes = ["10.0.0.0/28"]
network_security_group = "inbound"
route_table = "default"
}
}source a VNET but create Subnets, NSGs and Route Tables. This is a similar example to the above one, NSG and Route Table are empty this time:
create_virtual_network = false
name = "existing-vnet"
resource_group_name = "existing-rg"
network_security_groups = {
inbound = { name = "inbound-nsg" }
}
route_tables = {
default = { name = "default-rt" }
}
subnets = {
"subnet" = {
name = "snet"
address_prefixes = ["10.0.0.0/28"]
network_security_group = "inbound"
route_table = "default"
}
}source a VNET and Subnet, but create NSGs and Route Tables. This is a common brownfield use case: we will source Subnets, and create and assign NSGs and Route Tables to them:
create_virtual_network = false
name = "existing-vnet"
resource_group_name = "existing-rg"
network_security_groups = {
inbound = {
name = "inbound-nsg"
rules = {
mgmt_inbound = {
name = "allow-traffic"
priority = 100
direction = "Inbound"
access = "Allow"
protocol = "Tcp"
source_address_prefixes = ["1.1.1.1/32"] # TODO: Whitelist public IP addresses that will be used to manage the appliances
source_port_range = "*"
destination_address_prefix = "10.0.0.0/28"
destination_port_ranges = ["22", "443"]
}
}
}
}
route_tables = {
default = {
name = "default-rt"
routes = {
"default" = {
name = "default-udr"
address_prefix = "0.0.0.0/0"
next_hop_type = "VirtualAppliance"
next_hop_in_ip_address = "5.6.7.8"
}
}
}
}
create_subnets = false
subnets = {
"subnet" = {
name = "snet"
network_security_group = "inbound"
route_table = "default"
}
}
Reference
Requirements
terraform, version: >= 1.5, < 2.0azurerm, version: ~> 3.98
Providers
azurerm, version: ~> 3.98
Resources
network_security_group(managed)network_security_rule(managed)route(managed)route_table(managed)subnet(managed)subnet_network_security_group_association(managed)subnet_route_table_association(managed)virtual_network(managed)subnet(data)virtual_network(data)
Required Inputs
| Name | Type | Description |
|---|---|---|
name | string | The name of the Azure Virtual Network. |
resource_group_name | string | The name of the Resource Group to use. |
region | string | The name of the Azure region to deploy the resources in. |
Optional Inputs
| Name | Type | Description |
|---|---|---|
tags | map | The map of tags to assign to all created resources. |
create_virtual_network | bool | Controls Virtual Network creation. |
address_space | list | The address space used by the virtual network. |
vnet_encryption | string | Enables Azure Virtual Network encryption feature (in AllowUnencrypted mode by default). |
network_security_groups | map | Map of objects describing Network Security Groups. |
route_tables | map | Map of objects describing a Route Tables. |
create_subnets | bool | Controls subnet creation. |
subnets | map | Map of objects describing subnets to manage. |
Outputs
| Name | Description |
|---|---|
virtual_network_id | The identifier of the created or sourced Virtual Network. |
vnet_cidr | VNET address space. |
subnet_ids | The identifiers of the created or sourced Subnets. |
subnet_cidrs | Subnet CIDRs (sourced or created). |
network_security_group_ids | The identifiers of the created Network Security Groups. |
route_table_ids | The identifiers of the created Route Tables. |
Required Inputs details
name
The name of the Azure Virtual Network.
Type: string
[back to list](#modules-required-inputs)resource_group_name
The name of the Resource Group to use.
Type: string
[back to list](#modules-required-inputs)region
The name of the Azure region to deploy the resources in.
Type: string
[back to list](#modules-required-inputs)Optional Inputs details
tags
The map of tags to assign to all created resources.
Type: map(string)
Default value: map[]
create_virtual_network
Controls Virtual Network creation.
When set to true, creates the Virtual Network, otherwise just use a pre-existing network.
Type: bool
Default value: true
address_space
The address space used by the virtual network.
You can supply more than one address space. Required only when you create a VNET.
Type: list(string)
Default value: &{}
vnet_encryption
Enables Azure Virtual Network encryption feature (in AllowUnencrypted mode by default).
When set to null VNET encryption is disabled.
Type: string
Default value: AllowUnencrypted
network_security_groups
Map of objects describing Network Security Groups.
List of available properties:
name- (string, required) name of the Network Security Group.rules- (map, optional, defaults to{}) A list of objects representing Network Security Rules.Note! \ All port values are integers between
0and65535. Port ranges can be specified asminimum-maximumport value, example:21-23.Following attributes are available:
name- (string, required) name of the rule.priority- (number, required) numeric priority of the rule. The value can be between 100 and 4096 and must be unique for each rule in the collection. The lower the priority number, the higher the priority of the rule.direction- (string, required) the direction specifies if rule will be evaluated on incoming or outgoing traffic. Possible values areInboundandOutbound.access- (string, required) specifies whether network traffic is allowed or denied. Possible values areAllowandDeny.protocol- (string, required) a network protocol this rule applies to. Possible values includeTcp,Udp,Icmp, or*(which matches all). For supported values refer to the provider documentation.source_port_range- (string, required, mutually exclusive withsource_port_ranges) a source port or a range of ports. This can also be an*to match all.source_port_ranges- (list, required, mutually exclusive withsource_port_range) a list of source ports or ranges of ports.source_address_prefix- (string, required, mutually exclusive withsource_address_prefixes) source CIDR or IP range or*to match any IP. This can also be a tag. To see all available tags for a region use the following command (example for US West Central):az network list-service-tags --location westcentralus.source_address_prefixes- (list, required, mutually exclusive withsource_address_prefix) a list of source address prefixes. Tags are not allowed.destination_port_range- (string, required, mutually exclusive withdestination_port_ranges) destination port or a range of ports. This can also be an*to match all.destination_port_ranges- (list, required, mutually exclusive withdestination_port_range) a list of destination ports or a ranges of ports.destination_address_prefix- (string, required, mutually exclusive withdestination_address_prefixes) destination CIDR or IP range or*to match any IP. Tags are allowed, seesource_address_prefixfor details.destination_address_prefixes- (list, required, mutually exclusive withdestination_address_prefixes) a list of destination address prefixes. Tags are not allowed.
Example:
{
"nsg_1" = {
name = "network_security_group_1"
rules = {
"AllOutbound" = {
name = = "DefaultOutbound"
priority = 100
direction = "Outbound"
access = "Allow"
protocol = "Tcp"
source_port_range = "*"
source_address_prefix = "*"
destination_port_range = "*"
destination_address_prefix = "*"
},
"AllowSSH" = {
name = "InboundSSH"
priority = 200
direction = "Inbound"
access = "Allow"
protocol = "Tcp"
source_port_range = "*"
source_address_prefix = "*"
destination_port_range = "22"
destination_address_prefix = "*"
},
"AllowWebBrowsing" = {
name = "InboundWeb"
priority = 300
direction = "Inbound"
access = "Allow"
protocol = "Tcp"
source_port_range = "*"
source_address_prefix = "*"
destination_port_ranges = ["80","443"]
destination_address_prefix = "VirtualNetwork"
}
}
},
"nsg_2" = {
name = "empty-nsg
}
}
Type:
map(object({
name = string
rules = optional(map(object({
name = string
priority = number
direction = string
access = string
protocol = string
source_port_range = optional(string)
source_port_ranges = optional(list(string))
source_address_prefix = optional(string)
source_address_prefixes = optional(list(string))
destination_port_range = optional(string)
destination_port_ranges = optional(list(string))
destination_address_prefix = optional(string)
destination_address_prefixes = optional(list(string))
})), {})
}))
Default value: map[]
route_tables
Map of objects describing a Route Tables.
List of available properties:
name- (string, required) name of a Route Table.disable_bgp_route_propagation- (bool, optional, defaults tofalse) controls propagation of routes learned by BGP.routes- (map, required) a map of Route Table entries (UDRs):name- (string, required) a name of a UDR.address_prefix- (string, required) the destination CIDR to which the route applies, such as10.1.0.0/16.next_hop_type- (string, required) the type of Azure hop the packet should be sent to. Possible values are:VirtualNetworkGateway,VnetLocal,Internet,VirtualApplianceandNone.next_hop_ip_address- (string, required) contains the IP address packets should be forwarded to. Used only whennext_hop_typeis set toVirtualAppliance, ignored otherwise.
Example:
{
"rt_1" = {
name = "route_table_1"
routes = {
"route_1" = {
name = "route-1"
address_prefix = "10.1.0.0/16"
next_hop_type = "VnetLocal"
},
"route_2" = {
name = "route-2"
address_prefix = "10.2.0.0/16"
next_hop_type = "VnetLocal"
},
}
},
"rt_2" = {
name = "route_table_2"
routes = {
"route_3" = {
name = "default-nva-route"
address_prefix = "0.0.0.0/0"
next_hop_type = "VirtualAppliance"
next_hop_ip_address = "10.112.0.100"
}
},
},
}
Type:
map(object({
name = string
disable_bgp_route_propagation = optional(bool, false)
routes = map(object({
name = string
address_prefix = string
next_hop_type = string
next_hop_ip_address = optional(string)
}))
}))
Default value: map[]
create_subnets
Controls subnet creation.
Possible variants:
true- create subnets described invar.subnets.false- source subnets described invar.subnets.
Note! \
When this variable is false and var.subnets variable is empty, subnets management is skipped.
Type: bool
Default value: true
subnets
Map of objects describing subnets to manage.
By the default the described subnets will be created. If however create_subnets is set to false this is just a mapping
between the existing subnets and UDRs and NSGs that should be assigned to them.
List of available attributes of each subnet entry:
name- (string, required) name of a subnet.address_prefixes- (list(string), required whencreate_subnets = true) a list of address prefixes within VNET's address space to assign to a created subnet.network_security_group_key- (string, optional, defaults tonull) a key identifying an NSG defined innetwork_security_groupsthat should be assigned to this subnet.route_table_key- (string, optional, defaults tonull) a key identifying a Route Table defined inroute_tablesthat should be assigned to this subnet.enable_storage_service_endpoint- (bool, optional, defaults tofalse) a flag that enablesMicrosoft.Storageservice endpoint on a subnet. This is a suggested setting for the management interface when full bootstrapping using an Azure Storage Account is used.
Example:
{
"management" = {
name = "management-snet"
address_prefixes = ["10.100.0.0/24"]
network_security_group_key = "network_security_group_1"
enable_storage_service_endpoint = true
},
"private" = {
name = "private-snet"
address_prefixes = ["10.100.1.0/24"]
route_table_key = "route_table_2"
},
"public" = {
name = "public-snet"
address_prefixes = ["10.100.2.0/24"]
}
}
Type:
map(object({
name = string
address_prefixes = optional(list(string), [])
network_security_group_key = optional(string)
route_table_key = optional(string)
enable_storage_service_endpoint = optional(bool, false)
}))
Default value: map[]