From ed29f3c468701a3c87063ccd816613eaa2a65f2e Mon Sep 17 00:00:00 2001
From: Charles Shea
Date: Tue, 22 Aug 2023 19:02:39 -0400
Subject: [PATCH] adding azfw quickstarts
---
quickstart/101-azfw-with-fwpolicy/README.md | 230 ++++
quickstart/101-azfw-with-fwpolicy/main.tf | 153 +++++
quickstart/101-azfw-with-fwpolicy/outputs.tf | 3 +
quickstart/101-azfw-with-fwpolicy/provider.tf | 16 +
.../101-azfw-with-fwpolicy/variables.tf | 18 +
quickstart/201-azfw-with-secure-hub/README.md | 543 ++++++++++++++++++
quickstart/201-azfw-with-secure-hub/main.tf | 370 ++++++++++++
.../201-azfw-with-secure-hub/outputs.tf | 3 +
.../201-azfw-with-secure-hub/provider.tf | 16 +
.../201-azfw-with-secure-hub/variables.tf | 30 +
10 files changed, 1382 insertions(+)
create mode 100644 quickstart/101-azfw-with-fwpolicy/README.md
create mode 100644 quickstart/101-azfw-with-fwpolicy/main.tf
create mode 100644 quickstart/101-azfw-with-fwpolicy/outputs.tf
create mode 100644 quickstart/101-azfw-with-fwpolicy/provider.tf
create mode 100644 quickstart/101-azfw-with-fwpolicy/variables.tf
create mode 100644 quickstart/201-azfw-with-secure-hub/README.md
create mode 100644 quickstart/201-azfw-with-secure-hub/main.tf
create mode 100644 quickstart/201-azfw-with-secure-hub/outputs.tf
create mode 100644 quickstart/201-azfw-with-secure-hub/provider.tf
create mode 100644 quickstart/201-azfw-with-secure-hub/variables.tf
diff --git a/quickstart/101-azfw-with-fwpolicy/README.md b/quickstart/101-azfw-with-fwpolicy/README.md
new file mode 100644
index 00000000..5fb78139
--- /dev/null
+++ b/quickstart/101-azfw-with-fwpolicy/README.md
@@ -0,0 +1,230 @@ +# Deploy Azure Firewall and a Firewall Policy + +This template deploys an Azure Firewall and a Firewall Policy. The Firewall Policy is associated to the Firewall. + +## Resources + +| Terraform Resource Type | Description | +| - | - | +| `azurerm_resource_group` | The resource group all the deployed resources.| +| `azurerm_virtual_network` | The virtual network for the firewall. | +| `azurerm_subnet` |The firewall subnet.| +| `azurerm_public_ip` | The firewall public IP address. | +| `azurerm_firewall` | The premium Azure Firewall. | +| `azurerm_firewall_policy` | The policy associated to the Firewall | +| `azurerm_firewall_policy_rule_collection_group` | the rules collection group for firewall policy | +| `azurerm_ip_group` | The IP group for source addresses. | + +## Variables + +| Name | Description | +|-|-| +| `location` | location for your resources | +| `tags` | tags to organize your resources | +| `fw_sku` | Sku size for your Firewall and Firewall Policy | + +## Example + +```powershell +terraform plan -out main.tfplan + + # azurerm_firewall.fw will be created + + resource "azurerm_firewall" "fw" { + + firewall_policy_id = (known after apply) + + id = (known after apply) + + location = "eastus" + + name = "azfw" + + resource_group_name = "azfw-rg" + + sku_name = "AZFW_VNet" + + sku_tier = "Premium" + + threat_intel_mode = (known after apply) + + + ip_configuration { + + name = "azfw-ipconfig" + + private_ip_address = (known after apply) + + public_ip_address_id = (known after apply) + + subnet_id = (known after apply) + } + } + + # azurerm_firewall_policy.azfw_policy will be created + + resource "azurerm_firewall_policy" "azfw_policy" { + + child_policies = (known after apply) + + firewalls = (known after apply) + + id = (known after apply) + + location = "eastus" + + name = "azfw-policy" + + resource_group_name = "azfw-rg" + + rule_collection_groups = (known after apply) + + sku = "Premium" + + threat_intelligence_mode = "Alert" + } + + # 
azurerm_firewall_policy_rule_collection_group.app_policy_rule_collection_group will be created + + resource "azurerm_firewall_policy_rule_collection_group" "app_policy_rule_collection_group" { + + firewall_policy_id = (known after apply) + + id = (known after apply) + + name = "DefaulApplicationtRuleCollectionGroup" + + priority = 300 + + + application_rule_collection { + + action = "Allow" + + name = "DefaultApplicationRuleCollection" + + priority = 500 + + + rule { + + description = "Allow Windows Update" + + destination_fqdn_tags = [ + + "WindowsUpdate", + ] + + name = "AllowWindowsUpdate" + + source_ip_groups = (known after apply) + + + protocols { + + port = 80 + + type = "Http" + } + + protocols { + + port = 443 + + type = "Https" + } + } + + rule { + + description = "Allow access to Microsoft.com" + + destination_fqdns = [ + + "*.microsoft.com", + ] + + name = "Global Rule" + + source_ip_groups = (known after apply) + + terminate_tls = false + + + protocols { + + port = 443 + + type = "Https" + } + } + } + } + + # azurerm_firewall_policy_rule_collection_group.net_policy_rule_collection_group will be created + + resource "azurerm_firewall_policy_rule_collection_group" "net_policy_rule_collection_group" { + + firewall_policy_id = (known after apply) + + id = (known after apply) + + name = "DefaultNetworkRuleCollectionGroup" + + priority = 200 + + + network_rule_collection { + + action = "Allow" + + name = "DefaultNetworkRuleCollection" + + priority = 200 + + + rule { + + destination_addresses = [ + + "132.86.101.172", + ] + + destination_ports = [ + + "123", + ] + + name = "time-windows" + + protocols = [ + + "UDP", + ] + + source_ip_groups = (known after apply) + } + } + } + + # azurerm_ip_group.infra_ip_group will be created + + resource "azurerm_ip_group" "infra_ip_group" { + + cidrs = [ + + "10.40.0.0/24", + + "10.50.0.0/24", + ] + + firewall_ids = (known after apply) + + firewall_policy_ids = (known after apply) + + id = (known after apply) + + location = 
"eastus" + + name = "infra-ip-group" + + resource_group_name = "azfw-rg" + } + + # azurerm_ip_group.workload_ip_group will be created + + resource "azurerm_ip_group" "workload_ip_group" { + + cidrs = [ + + "10.20.0.0/24", + + "10.30.0.0/24", + ] + + firewall_ids = (known after apply) + + firewall_policy_ids = (known after apply) + + id = (known after apply) + + location = "eastus" + + name = "workload-ip-group" + + resource_group_name = "azfw-rg" + } + + # azurerm_public_ip.pip_azfw will be created + + resource "azurerm_public_ip" "pip_azfw" { + + allocation_method = "Static" + + ddos_protection_mode = "VirtualNetworkInherited" + + fqdn = (known after apply) + + id = (known after apply) + + idle_timeout_in_minutes = 4 + + ip_address = (known after apply) + + ip_version = "IPv4" + + location = "eastus" + + name = "pip-azfw" + + resource_group_name = "azfw-rg" + + sku = "Standard" + + sku_tier = "Regional" + + tags = { + + "costcenter" = "1234556677" + + "environment" = "dev" + + "owner" = "cloud team" + + "workload" = "azure firewall" + } + } + + # azurerm_resource_group.azfw_rg will be created + + resource "azurerm_resource_group" "azfw_rg" { + + id = (known after apply) + + location = "eastus" + + name = "azfw-rg" + + tags = { + + "costcenter" = "1234556677" + + "environment" = "dev" + + "owner" = "cloud team" + + "workload" = "azure firewall" + } + } + + # azurerm_subnet.azfw_subnet will be created + + resource "azurerm_subnet" "azfw_subnet" { + + address_prefixes = [ + + "10.10.0.0/26", + ] + + enforce_private_link_endpoint_network_policies = (known after apply) + + enforce_private_link_service_network_policies = (known after apply) + + id = (known after apply) + + name = "AzureFirewallSubnet" + + private_endpoint_network_policies_enabled = (known after apply) + + private_link_service_network_policies_enabled = (known after apply) + + resource_group_name = "azfw-rg" + + virtual_network_name = "azfw-vnet" + } + + # azurerm_virtual_network.azfw_vnet will be 
created + + resource "azurerm_virtual_network" "azfw_vnet" { + + address_space = [ + + "10.10.0.0/24", + ] + + dns_servers = (known after apply) + + guid = (known after apply) + + id = (known after apply) + + location = "eastus" + + name = "azfw-vnet" + + resource_group_name = "azfw-rg" + + subnet = (known after apply) + } + +Plan: 10 to add, 0 to change, 0 to destroy. +`````` \ No newline at end of file diff --git a/quickstart/101-azfw-with-fwpolicy/main.tf b/quickstart/101-azfw-with-fwpolicy/main.tf new file mode 100644 index 00000000..c3998133 --- /dev/null +++ b/quickstart/101-azfw-with-fwpolicy/main.tf 
@@ -0,0 +1,153 @@
+
+// Create a Resource Group
+resource "azurerm_resource_group" "azfw_rg" {
+ name = "azfw-rg"
+ location = var.location
+ tags = var.tags
+}
+// Create a Virtual Network
+resource "azurerm_virtual_network" "azfw_vnet" {
+ name = "azfw-vnet"
+ location = azurerm_resource_group.azfw_rg.location
+ resource_group_name = azurerm_resource_group.azfw_rg.name
+ address_space = ["10.10.0.0/24"]
+ depends_on = [
+ azurerm_resource_group.azfw_rg
+ ]
+}
+
+// Create IP Groups
+resource "azurerm_ip_group" "workload_ip_group" {
+ name = "workload-ip-group"
+ resource_group_name = azurerm_resource_group.azfw_rg.name
+ location = azurerm_resource_group.azfw_rg.location
+ cidrs = ["10.20.0.0/24", "10.30.0.0/24"]
+ depends_on = [
+ azurerm_resource_group.azfw_rg,
+ azurerm_virtual_network.azfw_vnet
+ ]
+}
+resource "azurerm_ip_group" "infra_ip_group" {
+ name = "infra-ip-group"
+ resource_group_name = azurerm_resource_group.azfw_rg.name
+ location = azurerm_resource_group.azfw_rg.location
+ cidrs = ["10.40.0.0/24", "10.50.0.0/24"]
+ depends_on = [
+ azurerm_resource_group.azfw_rg,
+ azurerm_virtual_network.azfw_vnet
+ ]
+}
+
+// Create the Azure Firewall Subnet
+resource "azurerm_subnet" "azfw_subnet" {
+ name = "AzureFirewallSubnet"
+ resource_group_name = azurerm_resource_group.azfw_rg.name
+ virtual_network_name = azurerm_virtual_network.azfw_vnet.name
+ address_prefixes = ["10.10.0.0/26"]
+ depends_on = [
+ azurerm_resource_group.azfw_rg,
+ azurerm_virtual_network.azfw_vnet
+ ]
+}
+
+// Create a Public IP Address for Azure Firewall
+resource "azurerm_public_ip" "pip_azfw" {
+ name = "pip-azfw"
+ location = azurerm_resource_group.azfw_rg.location
+ resource_group_name = azurerm_resource_group.azfw_rg.name
+ allocation_method = "Static"
+ sku = "Standard"
+ tags = azurerm_resource_group.azfw_rg.tags
+ depends_on = [
+ azurerm_resource_group.azfw_rg
+ ]
+}
+
+// Create a Azure Firewall Policy
+resource "azurerm_firewall_policy" "azfw_policy" {
+ name = 
"azfw-policy" + resource_group_name = azurerm_resource_group.azfw_rg.name + location = azurerm_resource_group.azfw_rg.location + sku = var.fw_sku + threat_intelligence_mode = "Alert" +} + +// Create a Network Rule Collection Group +// Create a Network Rule Collection +// Create rules for NTP +resource "azurerm_firewall_policy_rule_collection_group" "net_policy_rule_collection_group" { + name = "DefaultNetworkRuleCollectionGroup" + firewall_policy_id = azurerm_firewall_policy.azfw_policy.id + priority = 200 + network_rule_collection { + name = "DefaultNetworkRuleCollection" + action = "Allow" + priority = 200 + rule { + name = "time-windows" + protocols = ["UDP"] + source_ip_groups = [azurerm_ip_group.workload_ip_group.id, azurerm_ip_group.infra_ip_group.id] + destination_ports = ["123"] + destination_addresses = ["132.86.101.172"] + } + } +} + +// Create a Azure Firewall Policy Rule Collection Group +// Create a Application Rule Collection +// Create rules for Windows Update +// Create rules for Microsoft.com +resource "azurerm_firewall_policy_rule_collection_group" "app_policy_rule_collection_group" { + name = "DefaulApplicationtRuleCollectionGroup" + firewall_policy_id = azurerm_firewall_policy.azfw_policy.id + priority = 300 + application_rule_collection { + name = "DefaultApplicationRuleCollection" + action = "Allow" + priority = 500 + rule { + name = "AllowWindowsUpdate" + + description = "Allow Windows Update" + protocols { + type = "Http" + port = 80 + } + protocols { + type = "Https" + port = 443 + } + source_ip_groups = [azurerm_ip_group.workload_ip_group.id, azurerm_ip_group.infra_ip_group.id] + destination_fqdn_tags = ["WindowsUpdate"] + } + rule { + name = "Global Rule" + description = "Allow access to Microsoft.com" + protocols { + type = "Https" + port = 443 + } + destination_fqdns = ["*.microsoft.com"] + terminate_tls = false + source_ip_groups = [azurerm_ip_group.workload_ip_group.id, azurerm_ip_group.infra_ip_group.id] + } + } + depends_on = [ + 
azurerm_firewall_policy.azfw_policy
+ ]
+}
+
+// Create the Azure Firewall
+resource "azurerm_firewall" "fw" {
+ name = "azfw"
+ location = azurerm_resource_group.azfw_rg.location
+ resource_group_name = azurerm_resource_group.azfw_rg.name
+ sku_name = "AZFW_VNet"
+ sku_tier = var.fw_sku
+ ip_configuration {
+ name = "azfw-ipconfig"
+ subnet_id = azurerm_subnet.azfw_subnet.id
+ public_ip_address_id = azurerm_public_ip.pip_azfw.id
+ }
+ firewall_policy_id = azurerm_firewall_policy.azfw_policy.id
+}
\ No newline at end of file
diff --git a/quickstart/101-azfw-with-fwpolicy/outputs.tf b/quickstart/101-azfw-with-fwpolicy/outputs.tf
new file mode 100644
index 00000000..67ad7df3
--- /dev/null
+++ b/quickstart/101-azfw-with-fwpolicy/outputs.tf
@@ -0,0 +1,3 @@
+output "rg_name" {
+ value = azurerm_resource_group.azfw_rg.name
+}
\ No newline at end of file
diff --git a/quickstart/101-azfw-with-fwpolicy/provider.tf b/quickstart/101-azfw-with-fwpolicy/provider.tf
new file mode 100644
index 00000000..76b5065b
--- /dev/null
+++ b/quickstart/101-azfw-with-fwpolicy/provider.tf
@@ -0,0 +1,16 @@
+terraform {
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = "3.69.0"
+ }
+ }
+}
+
+provider "azurerm" {
+ features {
+ resource_group {
+ prevent_deletion_if_contains_resources = false // Set to True for Production
+ }
+ }
+}
diff --git a/quickstart/101-azfw-with-fwpolicy/variables.tf b/quickstart/101-azfw-with-fwpolicy/variables.tf
new file mode 100644
index 00000000..2a925a38
--- /dev/null
+++ b/quickstart/101-azfw-with-fwpolicy/variables.tf
@@ -0,0 +1,18 @@
+// Create Variables for Location and Tags
+variable "location" {
+ default = "eastus"
+}
+variable "tags" {
+ default = {
+ environment = "dev"
+ costcenter = "1234556677"
+ owner = "cloud team"
+ workload = "azure firewall"
+ }
+}
+
+// Create Firewall Variables
+variable "fw_sku" {
+ default = "Premium" # Valid values are Standard and Premium
+}
+
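Review bot: The `time-windows` network rule in `net_policy_rule_collection_group` allows NTP only to the single hard-coded address `132.86.101.172`; the rule name suggests this is meant to be time.windows.com, whose address Microsoft does not promise to keep stable, so the rule can silently stop matching with no plan drift to warn anyone. Expressing the destination by name avoids that: add `dns { proxy_enabled = true }` to `azurerm_firewall_policy.azfw_policy` and replace the address with `destination_fqdns = ["time.windows.com"]` in the rule, or at least add a comment recording where the address came from and when it was last verified. `threat_intelligence_mode = "Alert"` only logs hits against the threat-intelligence feed; for a quickstart people copy into real deployments, `"Deny"` is the safer default, with a comment if Alert is deliberately kept for visibility. The rule collection group name `"DefaulApplicationtRuleCollectionGroup"` is misspelled (the same string is used in 201-azfw-with-secure-hub/main.tf); it becomes the Azure resource name, so correcting it later forces a destroy-and-recreate, which is cheapest to avoid before the quickstart is published.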
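Review bot: `fw_sku` is constrained only by the trailing comment `# Valid values are Standard and Premium`, so a wrong value such as `premium` is not caught at `terraform plan` and surfaces as an API error at apply, after the resource group, network and IP groups have already been created. The variables in this hunk also carry no `type` or `description`, so nothing documents them in the module itself. A `type` plus a `validation` block keeps the check local and fails fast; presumably the same shape applies to the `fw_sku` variable of 201-azfw-with-secure-hub/variables.tf, which is listed in the diffstat but not in this chunk.
```hcl
variable "fw_sku" {
  type        = string
  description = "Tier used for both the Azure Firewall and the Firewall Policy."
  default     = "Premium"
  validation {
    condition     = contains(["Standard", "Premium"], var.fw_sku)
    error_message = "fw_sku must be either Standard or Premium."
  }
}
```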
diff --git a/quickstart/201-azfw-with-secure-hub/README.md b/quickstart/201-azfw-with-secure-hub/README.md
new file mode 100644
index 00000000..2bdb52b8
--- /dev/null
+++ b/quickstart/201-azfw-with-secure-hub/README.md
@@ -0,0 +1,543 @@ +# Deploy Azure Firewall and a Firewall Policy + +This template deploys an Azure Firewall and a Firewall Policy to a Secure Hub. The Firewall Policy is associated with the Firewall policy. + +## Resources + +| Terraform Resource Type | Description | +| - | - | +| `azurerm_resource_group` | The resource group all the deployed resources.| +| `azurerm_virtual_wan` | The virtual wan for the virtual hub | +| `azurerm_virtual_hub` | The virtual hub for the firewall | +| `azurerm_virtual_hub_route_table` | The route table for the virtual hub | +| `azurerm_virtual_hub_connection` | The connection between the virtual hub and the virtual network spoke | +| `azurerm_public_ip` | The firewall public IP address and public access to the jump vm. | +| `azurerm_firewall_policy` | The policy associated to the Firewall | +| `azurerm_firewall_policy_rule_collection_group` | the rules collection group to add network and application rule collections for firewall policy | +| `azurerm_firewall` | The premium Azure Firewall. | +| `azurerm_virtual_network` | The virtual network for the firewall. | +| `azurerm_subnet` | The subnets for jump and workload vms. 
| +| `azurerm_network_interface` | The nics for the jump and workload vms | +| `azurerm_network_security_group` | The nsg for the jump and workload vms | +| `azurerm_network_interface_security_group_association` | The association between the nics and the nsgs | +| `azurerm_virtual_machine` | The jump and workload vms for testing | +| `azurerm_route_table` | The route table for the jump vms | +| `azurerm_subnet_route_table_association` | The association between the subnets and the route tables | +| `azurerm_virtual_hub_route_table` | The route table for the virtual hub | + +## Variables + +| Name | Description | +|-|-| +| `location` | location for your resources | +| `tags` | tags to organize your resources | +| `fw_sku` | Sku size for your Firewall and Firewall Policy | +| `vm_size` | Sku size for your jump and workload vms | +| `admin_username` | admin username for the jump and workload vms | +| `admin_password` | admin password for the jump and workload vms | + +## Example + +```powershell +Terraform used the selected providers to generate the following execution plan. 
Resource actions are indicated with the following symbols: + + create + +Terraform will perform the following actions: + + # azurerm_firewall.fw will be created + + resource "azurerm_firewall" "fw" { + + firewall_policy_id = (known after apply) + + id = (known after apply) + + location = "eastus" + + name = "fw-azfw-securehub-eus" + + resource_group_name = "rg-azfw-securehub-eus" + + sku_name = "AZFW_Hub" + + sku_tier = "Premium" + + tags = { + + "costcenter" = "1234556677" + + "environment" = "dev" + + "owner" = "cloud team" + + "workload" = "azure firewall" + } + + threat_intel_mode = (known after apply) + + + virtual_hub { + + private_ip_address = (known after apply) + + public_ip_addresses = (known after apply) + + public_ip_count = 1 + + virtual_hub_id = (known after apply) + } + } + + # azurerm_firewall_policy.azfw_policy will be created + + resource "azurerm_firewall_policy" "azfw_policy" { + + child_policies = (known after apply) + + firewalls = (known after apply) + + id = (known after apply) + + location = "eastus" + + name = "policy-azfw-securehub-eus" + + resource_group_name = "rg-azfw-securehub-eus" + + rule_collection_groups = (known after apply) + + sku = "Premium" + + tags = { + + "costcenter" = "1234556677" + + "environment" = "dev" + + "owner" = "cloud team" + + "workload" = "azure firewall" + } + + threat_intelligence_mode = "Alert" + } + + # azurerm_firewall_policy_rule_collection_group.app_policy_rule_collection_group will be created + + resource "azurerm_firewall_policy_rule_collection_group" "app_policy_rule_collection_group" { + + firewall_policy_id = (known after apply) + + id = (known after apply) + + name = "DefaulApplicationtRuleCollectionGroup" + + priority = 300 + + + application_rule_collection { + + action = "Allow" + + name = "DefaultApplicationRuleCollection" + + priority = 100 + + + rule { + + description = "Allow access to Microsoft.com" + + destination_fqdns = [ + + "*.microsoft.com", + ] + + name = "Allow-MSFT" + + 
source_addresses = [ + + "*", + ] + + terminate_tls = false + + + protocols { + + port = 443 + + type = "Https" + } + + protocols { + + port = 80 + + type = "Http" + } + } + } + } + + # azurerm_network_interface.vm_jump_nic will be created + + resource "azurerm_network_interface" "vm_jump_nic" { + + applied_dns_servers = (known after apply) + + dns_servers = (known after apply) + + enable_accelerated_networking = false + + enable_ip_forwarding = false + + id = (known after apply) + + internal_dns_name_label = (known after apply) + + internal_domain_name_suffix = (known after apply) + + location = "eastus" + + mac_address = (known after apply) + + name = "nic-jump" + + private_ip_address = (known after apply) + + private_ip_addresses = (known after apply) + + resource_group_name = "rg-azfw-securehub-eus" + + virtual_machine_id = (known after apply) + + + ip_configuration { + + gateway_load_balancer_frontend_ip_configuration_id = (known after apply) + + name = "ipconfig-jump" + + primary = (known after apply) + + private_ip_address = (known after apply) + + private_ip_address_allocation = "Dynamic" + + private_ip_address_version = "IPv4" + + public_ip_address_id = (known after apply) + + subnet_id = (known after apply) + } + } + + # azurerm_network_interface.vm_workload_nic will be created + + resource "azurerm_network_interface" "vm_workload_nic" { + + applied_dns_servers = (known after apply) + + dns_servers = (known after apply) + + enable_accelerated_networking = false + + enable_ip_forwarding = false + + id = (known after apply) + + internal_dns_name_label = (known after apply) + + internal_domain_name_suffix = (known after apply) + + location = "eastus" + + mac_address = (known after apply) + + name = "nic-workload" + + private_ip_address = (known after apply) + + private_ip_addresses = (known after apply) + + resource_group_name = "rg-azfw-securehub-eus" + + virtual_machine_id = (known after apply) + + + ip_configuration { + + 
gateway_load_balancer_frontend_ip_configuration_id = (known after apply) + + name = "ipconfig-workload" + + primary = (known after apply) + + private_ip_address = (known after apply) + + private_ip_address_allocation = "Dynamic" + + private_ip_address_version = "IPv4" + + subnet_id = (known after apply) + } + } + + # azurerm_network_interface_security_group_association.vm_jump_nsg_association will be created + + resource "azurerm_network_interface_security_group_association" "vm_jump_nsg_association" { + + id = (known after apply) + + network_interface_id = (known after apply) + + network_security_group_id = (known after apply) + } + + # azurerm_network_interface_security_group_association.vm_workload_nsg_association will be created + + resource "azurerm_network_interface_security_group_association" "vm_workload_nsg_association" { + + id = (known after apply) + + network_interface_id = (known after apply) + + network_security_group_id = (known after apply) + } + + # azurerm_network_security_group.vm_jump_nsg will be created + + resource "azurerm_network_security_group" "vm_jump_nsg" { + + id = (known after apply) + + location = "eastus" + + name = "nsg-jump" + + resource_group_name = "rg-azfw-securehub-eus" + + security_rule = [ + + { + + access = "Allow" + + description = "" + + destination_address_prefix = "*" + + destination_address_prefixes = [] + + destination_application_security_group_ids = [] + + destination_port_range = "3389" + + destination_port_ranges = [] + + direction = "Inbound" + + name = "Allow-RDP" + + priority = 300 + + protocol = "Tcp" + + source_address_prefix = "*" + + source_address_prefixes = [] + + source_application_security_group_ids = [] + + source_port_range = "*" + + source_port_ranges = [] + }, + ] + } + + # azurerm_network_security_group.vm_workload_nsg will be created + + resource "azurerm_network_security_group" "vm_workload_nsg" { + + id = (known after apply) + + location = "eastus" + + name = "nsg-workload" + + 
resource_group_name = "rg-azfw-securehub-eus" + + security_rule = (known after apply) + } + + # azurerm_public_ip.pip_azfw will be created + + resource "azurerm_public_ip" "pip_azfw" { + + allocation_method = "Static" + + ddos_protection_mode = "VirtualNetworkInherited" + + fqdn = (known after apply) + + id = (known after apply) + + idle_timeout_in_minutes = 4 + + ip_address = (known after apply) + + ip_version = "IPv4" + + location = "eastus" + + name = "pip-azfw-securehub-eus" + + resource_group_name = "rg-azfw-securehub-eus" + + sku = "Standard" + + sku_tier = "Regional" + + tags = { + + "costcenter" = "1234556677" + + "environment" = "dev" + + "owner" = "cloud team" + + "workload" = "azure firewall" + } + } + + # azurerm_public_ip.vm_jump_pip will be created + + resource "azurerm_public_ip" "vm_jump_pip" { + + allocation_method = "Static" + + ddos_protection_mode = "VirtualNetworkInherited" + + fqdn = (known after apply) + + id = (known after apply) + + idle_timeout_in_minutes = 4 + + ip_address = (known after apply) + + ip_version = "IPv4" + + location = "eastus" + + name = "pip-jump" + + resource_group_name = "rg-azfw-securehub-eus" + + sku = "Standard" + + sku_tier = "Regional" + + tags = { + + "costcenter" = "1234556677" + + "environment" = "dev" + + "owner" = "cloud team" + + "workload" = "azure firewall" + } + } + + # azurerm_resource_group.azfw_rg will be created + + resource "azurerm_resource_group" "azfw_rg" { + + id = (known after apply) + + location = "eastus" + + name = "rg-azfw-securehub-eus" + + tags = { + + "costcenter" = "1234556677" + + "environment" = "dev" + + "owner" = "cloud team" + + "workload" = "azure firewall" + } + } + + # azurerm_route_table.rt will be created + + resource "azurerm_route_table" "rt" { + + disable_bgp_route_propagation = false + + id = (known after apply) + + location = "eastus" + + name = "rt-azfw-securehub-eus" + + resource_group_name = "rg-azfw-securehub-eus" + + route = [ + + { + + address_prefix = "0.0.0.0/0" + + 
name = "jump-to-internet" + + next_hop_in_ip_address = "" + + next_hop_type = "Internet" + }, + ] + + subnets = (known after apply) + } + + # azurerm_subnet.jump_subnet will be created + + resource "azurerm_subnet" "jump_subnet" { + + address_prefixes = [ + + "10.10.2.0/24", + ] + + enforce_private_link_endpoint_network_policies = (known after apply) + + enforce_private_link_service_network_policies = (known after apply) + + id = (known after apply) + + name = "subnet-jump" + + private_endpoint_network_policies_enabled = (known after apply) + + private_link_service_network_policies_enabled = (known after apply) + + resource_group_name = "rg-azfw-securehub-eus" + + virtual_network_name = "vnet-azfw-securehub-eus" + } + + # azurerm_subnet.workload_subnet will be created + + resource "azurerm_subnet" "workload_subnet" { + + address_prefixes = [ + + "10.10.1.0/24", + ] + + enforce_private_link_endpoint_network_policies = (known after apply) + + enforce_private_link_service_network_policies = (known after apply) + + id = (known after apply) + + name = "subnet-workload" + + private_endpoint_network_policies_enabled = (known after apply) + + private_link_service_network_policies_enabled = (known after apply) + + resource_group_name = "rg-azfw-securehub-eus" + + virtual_network_name = "vnet-azfw-securehub-eus" + } + + # azurerm_subnet_route_table_association.jump_subnet_rt_association will be created + + resource "azurerm_subnet_route_table_association" "jump_subnet_rt_association" { + + id = (known after apply) + + route_table_id = (known after apply) + + subnet_id = (known after apply) + } + + # azurerm_virtual_hub.azfw_vwan_hub will be created + + resource "azurerm_virtual_hub" "azfw_vwan_hub" { + + address_prefix = "10.20.0.0/23" + + default_route_table_id = (known after apply) + + hub_routing_preference = "ExpressRoute" + + id = (known after apply) + + location = "eastus" + + name = "hub-azfw-securehub-eus" + + resource_group_name = "rg-azfw-securehub-eus" + + tags = 
{ + + "costcenter" = "1234556677" + + "environment" = "dev" + + "owner" = "cloud team" + + "workload" = "azure firewall" + } + + virtual_router_asn = (known after apply) + + virtual_router_auto_scale_min_capacity = 2 + + virtual_router_ips = (known after apply) + + virtual_wan_id = (known after apply) + } + + # azurerm_virtual_hub_connection.azfw_vwan_hub_connection will be created + + resource "azurerm_virtual_hub_connection" "azfw_vwan_hub_connection" { + + id = (known after apply) + + internet_security_enabled = true + + name = "hub-to-spoke" + + remote_virtual_network_id = (known after apply) + + virtual_hub_id = (known after apply) + + + routing { + + associated_route_table_id = (known after apply) + + + propagated_route_table { + + labels = [ + + "VNet", + ] + + route_table_ids = (known after apply) + } + } + } + + # azurerm_virtual_hub_route_table.vhub_rt will be created + + resource "azurerm_virtual_hub_route_table" "vhub_rt" { + + id = (known after apply) + + labels = [ + + "VNet", + ] + + name = "vhub-rt-azfw-securehub-eus" + + virtual_hub_id = (known after apply) + + + route { + + destinations = [ + + "0.0.0.0/0", + ] + + destinations_type = "CIDR" + + name = "InternetToFirewall" + + next_hop = (known after apply) + + next_hop_type = "ResourceId" + } + + route { + + destinations = [ + + "10.10.1.0/24", + ] + + destinations_type = "CIDR" + + name = "workload-SNToFirewall" + + next_hop = (known after apply) + + next_hop_type = "ResourceId" + } + } + + # azurerm_virtual_network.azfw_vnet will be created + + resource "azurerm_virtual_network" "azfw_vnet" { + + address_space = [ + + "10.10.0.0/16", + ] + + dns_servers = (known after apply) + + guid = (known after apply) + + id = (known after apply) + + location = "eastus" + + name = "vnet-azfw-securehub-eus" + + resource_group_name = "rg-azfw-securehub-eus" + + subnet = (known after apply) + + tags = { + + "costcenter" = "1234556677" + + "environment" = "dev" + + "owner" = "cloud team" + + "workload" = "azure 
firewall" + } + } + + # azurerm_virtual_wan.azfw_vwan will be created + + resource "azurerm_virtual_wan" "azfw_vwan" { + + allow_branch_to_branch_traffic = true + + disable_vpn_encryption = false + + id = (known after apply) + + location = "eastus" + + name = "vwan-azfw-securehub-eus" + + office365_local_breakout_category = "None" + + resource_group_name = "rg-azfw-securehub-eus" + + tags = { + + "costcenter" = "1234556677" + + "environment" = "dev" + + "owner" = "cloud team" + + "workload" = "azure firewall" + } + + type = "Standard" + } + + # azurerm_windows_virtual_machine.vm_jump will be created + + resource "azurerm_windows_virtual_machine" "vm_jump" { + + admin_password = (sensitive value) + + admin_username = "azureuser" + + allow_extension_operations = true + + bypass_platform_safety_checks_on_user_schedule_enabled = false + + computer_name = (known after apply) + + enable_automatic_updates = true + + extensions_time_budget = "PT1H30M" + + hotpatching_enabled = false + + id = (known after apply) + + location = "eastus" + + max_bid_price = -1 + + name = "jump-vm" + + network_interface_ids = (known after apply) + + patch_assessment_mode = "ImageDefault" + + patch_mode = "AutomaticByOS" + + platform_fault_domain = -1 + + priority = "Regular" + + private_ip_address = (known after apply) + + private_ip_addresses = (known after apply) + + provision_vm_agent = true + + public_ip_address = (known after apply) + + public_ip_addresses = (known after apply) + + resource_group_name = "rg-azfw-securehub-eus" + + size = "Standard_D2_v3" + + virtual_machine_id = (known after apply) + + + os_disk { + + caching = "ReadWrite" + + disk_size_gb = (known after apply) + + name = (known after apply) + + storage_account_type = "Standard_LRS" + + write_accelerator_enabled = false + } + + + source_image_reference { + + offer = "WindowsServer" + + publisher = "MicrosoftWindowsServer" + + sku = "2019-Datacenter" + + version = "latest" + } + } + + # 
azurerm_windows_virtual_machine.vm_workload will be created + + resource "azurerm_windows_virtual_machine" "vm_workload" { + + admin_password = (sensitive value) + + admin_username = "azureuser" + + allow_extension_operations = true + + bypass_platform_safety_checks_on_user_schedule_enabled = false + + computer_name = (known after apply) + + enable_automatic_updates = true + + extensions_time_budget = "PT1H30M" + + hotpatching_enabled = false + + id = (known after apply) + + location = "eastus" + + max_bid_price = -1 + + name = "workload-vm" + + network_interface_ids = (known after apply) + + patch_assessment_mode = "ImageDefault" + + patch_mode = "AutomaticByOS" + + platform_fault_domain = -1 + + priority = "Regular" + + private_ip_address = (known after apply) + + private_ip_addresses = (known after apply) + + provision_vm_agent = true + + public_ip_address = (known after apply) + + public_ip_addresses = (known after apply) + + resource_group_name = "rg-azfw-securehub-eus" + + size = "Standard_D2_v3" + + virtual_machine_id = (known after apply) + + + os_disk { + + caching = "ReadWrite" + + disk_size_gb = (known after apply) + + name = (known after apply) + + storage_account_type = "Standard_LRS" + + write_accelerator_enabled = false + } + + + source_image_reference { + + offer = "WindowsServer" + + publisher = "MicrosoftWindowsServer" + + sku = "2019-Datacenter" + + version = "latest" + } + } + +Plan: 23 to add, 0 to change, 0 to destroy. +`````` \ No newline at end of file diff --git a/quickstart/201-azfw-with-secure-hub/main.tf b/quickstart/201-azfw-with-secure-hub/main.tf new file mode 100644 index 00000000..46c99695 --- /dev/null +++ b/quickstart/201-azfw-with-secure-hub/main.tf 
@@ -0,0 +1,370 @@
+
+// Create a Resource Group
+resource "azurerm_resource_group" "azfw_rg" {
+ name = "rg-azfw-securehub-eus"
+ location = var.location
+ tags = var.tags
+}
+
+// Create resources for Azure Virtual WAN
+// Create a Azure Vwan
+resource "azurerm_virtual_wan" "azfw_vwan" {
+ name = "vwan-azfw-securehub-eus"
+ location = azurerm_resource_group.azfw_rg.location
+ resource_group_name = azurerm_resource_group.azfw_rg.name
+ tags = azurerm_resource_group.azfw_rg.tags
+ allow_branch_to_branch_traffic = true
+ disable_vpn_encryption = false
+ depends_on = [
+ azurerm_resource_group.azfw_rg
+ ]
+}
+
+// Create a Azure Vwan Hub
+resource "azurerm_virtual_hub" "azfw_vwan_hub" {
+ name = "hub-azfw-securehub-eus"
+ location = azurerm_resource_group.azfw_rg.location
+ resource_group_name = azurerm_resource_group.azfw_rg.name
+ virtual_wan_id = azurerm_virtual_wan.azfw_vwan.id
+ address_prefix = "10.20.0.0/23"
+ tags = azurerm_resource_group.azfw_rg.tags
+ depends_on = [
+ azurerm_virtual_wan.azfw_vwan
+ ]
+}
+
+// Create a Azure VWan Hub Connection
+resource "azurerm_virtual_hub_connection" "azfw_vwan_hub_connection" {
+ name = "hub-to-spoke"
+ virtual_hub_id = azurerm_virtual_hub.azfw_vwan_hub.id
+ remote_virtual_network_id = azurerm_virtual_network.azfw_vnet.id
+ internet_security_enabled = true
+ routing {
+ associated_route_table_id = azurerm_virtual_hub_route_table.vhub_rt.id
+ propagated_route_table {
+ route_table_ids = [azurerm_virtual_hub_route_table.vhub_rt.id]
+ labels = ["VNet"]
+ }
+ }
+ depends_on = [
+ azurerm_virtual_hub.azfw_vwan_hub,
+ azurerm_virtual_network.azfw_vnet
+ ]
+}
+
+// Create resources for Azure Firewall
+// Create a Public IP Address for Azure Firewall
+resource "azurerm_public_ip" "pip_azfw" {
+ name = "pip-azfw-securehub-eus"
+ location = azurerm_resource_group.azfw_rg.location
+ resource_group_name = azurerm_resource_group.azfw_rg.name
+ allocation_method = "Static"
+ sku = "Standard"
+ tags = azurerm_resource_group.azfw_rg.tags
+ depends_on = [
+ azurerm_resource_group.azfw_rg
+ ]
+}
+
+// Create a Azure Firewall Policy
+resource "azurerm_firewall_policy" "azfw_policy" {
+ name = "policy-azfw-securehub-eus"
+ resource_group_name = azurerm_resource_group.azfw_rg.name
+ location = azurerm_resource_group.azfw_rg.location
+ sku = "Premium"
+ threat_intelligence_mode = "Alert"
+ tags = azurerm_resource_group.azfw_rg.tags
+ depends_on = [
+ azurerm_resource_group.azfw_rg
+ ]
+}
+
+// Create a Azure Firewall Policy Rule Collection Group
+// Create a Application Rule Collection
+// Create rules for Windows Update
+// Create rules for Microsoft.com
+resource "azurerm_firewall_policy_rule_collection_group" "app_policy_rule_collection_group" {
+ name = "DefaulApplicationtRuleCollectionGroup"
+ firewall_policy_id = azurerm_firewall_policy.azfw_policy.id
+ priority = 300
+ application_rule_collection {
+ name = "DefaultApplicationRuleCollection"
+ action = "Allow"
+ priority = 100
+ rule {
+ name = "Allow-MSFT"
+ description = "Allow access to Microsoft.com"
+ protocols {
+ type = "Https"
+ port = 443
+ }
+ protocols {
+ type = "Http"
+ port = 80
+ }
+ destination_fqdns = ["*.microsoft.com"]
+ terminate_tls = false
+ source_addresses = ["*"]
+ }
+ }
+ depends_on = [
+ azurerm_firewall_policy.azfw_policy
+ ]
+}
+
+// Create the Azure Firewall
+resource "azurerm_firewall" "fw" {
+ name = "fw-azfw-securehub-eus"
+ location = azurerm_resource_group.azfw_rg.location
+ resource_group_name = azurerm_resource_group.azfw_rg.name
+ sku_name = "AZFW_Hub"
+ sku_tier = var.fw_sku
+ tags = azurerm_resource_group.azfw_rg.tags
+ virtual_hub {
+ virtual_hub_id = azurerm_virtual_hub.azfw_vwan_hub.id
+ public_ip_count = 1
+ }
+ firewall_policy_id = azurerm_firewall_policy.azfw_policy.id
+ depends_on = [
+ azurerm_firewall_policy.azfw_policy,
+ azurerm_virtual_hub.azfw_vwan_hub
+ ]
+}
+
+// Create Virtual Network, Subnets, PIP, NICs, NSGs, and NIC-NSG associations
+// Create a Virtual Network
+resource "azurerm_virtual_network" "azfw_vnet" {
+ name = "vnet-azfw-securehub-eus"
+ location = azurerm_resource_group.azfw_rg.location
+ resource_group_name = azurerm_resource_group.azfw_rg.name
+ address_space = ["10.10.0.0/16"]
+ tags = azurerm_resource_group.azfw_rg.tags
+ depends_on = [
+ azurerm_resource_group.azfw_rg
+ ]
+}
+
+// Create a Subnet for Workload VMs
+resource "azurerm_subnet" "workload_subnet" {
+ name = "subnet-workload"
+ resource_group_name = azurerm_resource_group.azfw_rg.name
+ virtual_network_name = azurerm_virtual_network.azfw_vnet.name
+ address_prefixes = ["10.10.1.0/24"]
+ depends_on = [
+ azurerm_virtual_network.azfw_vnet
+ ]
+}
+
+// Create a Subnet for Jump VM
+resource "azurerm_subnet" "jump_subnet" {
+ name = "subnet-jump"
+ resource_group_name = azurerm_resource_group.azfw_rg.name
+ virtual_network_name = azurerm_virtual_network.azfw_vnet.name
+ address_prefixes = ["10.10.2.0/24"]
+
+ depends_on = [
+ azurerm_virtual_network.azfw_vnet,
+ azurerm_route_table.rt
+ ]
+}
+
+// Create a NIC for Workload VM
+resource "azurerm_network_interface" "vm_workload_nic" {
+ name = "nic-workload"
+ location = azurerm_resource_group.azfw_rg.location
+ resource_group_name = azurerm_resource_group.azfw_rg.name
+
+ ip_configuration {
+ name = "ipconfig-workload"
+ subnet_id = azurerm_subnet.workload_subnet.id
+ private_ip_address_allocation = "Dynamic"
+ }
+ depends_on = [
+ azurerm_subnet.workload_subnet
+ ]
+}
+
+// Create a PIP for Jump VM
+resource "azurerm_public_ip" "vm_jump_pip" {
+ name = "pip-jump"
+ location = azurerm_resource_group.azfw_rg.location
+ resource_group_name = azurerm_resource_group.azfw_rg.name
+ allocation_method = "Static"
+ sku = "Standard"
+ tags = azurerm_resource_group.azfw_rg.tags
+ depends_on = [
+ azurerm_resource_group.azfw_rg
+ ]
+}
+
+// Create a NIC for Jump VM
+resource "azurerm_network_interface" "vm_jump_nic" {
+ name = "nic-jump"
+ location = azurerm_resource_group.azfw_rg.location
+ resource_group_name = azurerm_resource_group.azfw_rg.name
+
+ ip_configuration {
+ name = "ipconfig-jump"
+ subnet_id = azurerm_subnet.jump_subnet.id
+ private_ip_address_allocation = "Dynamic"
+ public_ip_address_id = azurerm_public_ip.vm_jump_pip.id
+ }
+ depends_on = [
+ azurerm_subnet.jump_subnet,
+ azurerm_public_ip.vm_jump_pip
+ ]
+}
+
+// Create a NSG for Workload VM
+resource "azurerm_network_security_group" "vm_workload_nsg" {
+ name = "nsg-workload"
+ location = azurerm_resource_group.azfw_rg.location
+ resource_group_name = azurerm_resource_group.azfw_rg.name
+ depends_on = [
+ azurerm_resource_group.azfw_rg
+ ]
+}
+
+// Create a NSG for Jump VM
+resource "azurerm_network_security_group" "vm_jump_nsg" {
+ name = "nsg-jump"
+ location = azurerm_resource_group.azfw_rg.location
+ resource_group_name = azurerm_resource_group.azfw_rg.name
+ security_rule {
+ name = "Allow-RDP"
+ priority = 300
+ direction = "Inbound"
+ access = "Allow"
+ protocol = "Tcp"
+ source_port_range = "*"
+ destination_port_range = "3389"
+ source_address_prefix = "*"
+ destination_address_prefix = "*"
+ }
+
+ depends_on = [
+ azurerm_resource_group.azfw_rg
+ ]
+}
+
+// Associate NSG for Workload VM NIC
+resource "azurerm_network_interface_security_group_association" "vm_workload_nsg_association" {
+ network_interface_id = azurerm_network_interface.vm_workload_nic.id
+ network_security_group_id = azurerm_network_security_group.vm_workload_nsg.id
+ depends_on = [
+ azurerm_network_interface.vm_workload_nic,
+ azurerm_network_security_group.vm_workload_nsg
+ ]
+}
+
+// Associate NSG for Jump VM NIC
+resource "azurerm_network_interface_security_group_association" "vm_jump_nsg_association" {
+ network_interface_id = azurerm_network_interface.vm_jump_nic.id
+ network_security_group_id = azurerm_network_security_group.vm_jump_nsg.id
+ depends_on = [
+ azurerm_network_interface.vm_jump_nic,
+ azurerm_network_security_group.vm_jump_nsg
+ ]
+}
+
+// Create Virtual Machines for testing
+// Create a Workload Virtual Machine
+resource "azurerm_windows_virtual_machine" "vm_workload" {
+ name = "workload-vm"
+ resource_group_name = azurerm_resource_group.azfw_rg.name
+ location = azurerm_resource_group.azfw_rg.location
+ size = var.vm_size
+ admin_username = var.admin_username
+ admin_password = var.admin_password
+ network_interface_ids = [azurerm_network_interface.vm_workload_nic.id]
+ os_disk {
+ caching = "ReadWrite"
+ storage_account_type = "Standard_LRS"
+ }
+ source_image_reference {
+ publisher = "MicrosoftWindowsServer"
+ offer = "WindowsServer"
+ sku = "2019-Datacenter"
+ version = "latest"
+ }
+ depends_on = [
+ azurerm_network_interface.vm_workload_nic
+ ]
+}
+
+// Create a Jump Virtual Machine
+resource "azurerm_windows_virtual_machine" "vm_jump" {
+ name = "jump-vm"
+ resource_group_name = azurerm_resource_group.azfw_rg.name
+ location = azurerm_resource_group.azfw_rg.location
+ size = var.vm_size
+ admin_username = var.admin_username
+ admin_password = var.admin_password
+ network_interface_ids = [azurerm_network_interface.vm_jump_nic.id]
+ os_disk {
+ caching = "ReadWrite"
+ storage_account_type = "Standard_LRS"
+ }
+ source_image_reference {
+ publisher = "MicrosoftWindowsServer"
+ offer = "WindowsServer"
+ sku = "2019-Datacenter"
+ version = "latest"
+ }
+ depends_on = [
+ azurerm_network_interface.vm_jump_nic
+ ]
+}
+
+// Create Routing for testing
+// Create a Route Table
+resource "azurerm_route_table" "rt" {
+ name = "rt-azfw-securehub-eus"
+ location = azurerm_resource_group.azfw_rg.location
+ resource_group_name = azurerm_resource_group.azfw_rg.name
+ disable_bgp_route_propagation = false
+ route {
+ name = "jump-to-internet"
+ address_prefix = "0.0.0.0/0"
+ next_hop_type = "Internet"
+ }
+ depends_on = [
+ azurerm_resource_group.azfw_rg
+ ]
+}
+
+// Associate Route Table to Jump VM Subnet
+resource "azurerm_subnet_route_table_association" "jump_subnet_rt_association" {
+ subnet_id = azurerm_subnet.jump_subnet.id
+ route_table_id = azurerm_route_table.rt.id
+ depends_on = [
+ azurerm_subnet.jump_subnet,
+ azurerm_route_table.rt
+ ]
+}
+
+// Creat a Virtual Hub Route Table
+resource "azurerm_virtual_hub_route_table" "vhub_rt" {
+ name = "vhub-rt-azfw-securehub-eus"
+ virtual_hub_id = azurerm_virtual_hub.azfw_vwan_hub.id
+ route {
+ name = "workload-SNToFirewall"
+ destinations_type = "CIDR"
+ destinations = ["10.10.1.0/24"]
+ next_hop_type = "ResourceId"
+ next_hop = azurerm_firewall.fw.id
+ }
+ route {
+ name = "InternetToFirewall"
+ destinations_type = "CIDR"
+ destinations = ["0.0.0.0/0"]
+ next_hop_type = "ResourceId"
+ next_hop = azurerm_firewall.fw.id
+ }
+ labels = ["VNet"]
+ depends_on = [
+ azurerm_virtual_hub.azfw_vwan_hub,
+ azurerm_firewall.fw
+ ]
+}
+
diff --git a/quickstart/201-azfw-with-secure-hub/outputs.tf b/quickstart/201-azfw-with-secure-hub/outputs.tf
new file mode 100644
index 00000000..67ad7df3
--- /dev/null
+++ b/quickstart/201-azfw-with-secure-hub/outputs.tf
@@ -0,0 +1,3 @@
+output "rg_name" {
+ value = azurerm_resource_group.azfw_rg.name
+}
\ No newline at end of file
diff --git a/quickstart/201-azfw-with-secure-hub/provider.tf b/quickstart/201-azfw-with-secure-hub/provider.tf
new file mode 100644
index 00000000..76b5065b
--- /dev/null
+++ b/quickstart/201-azfw-with-secure-hub/provider.tf
@@ -0,0 +1,16 @@
+terraform {
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = "3.69.0"
+ }
+ }
+}
+
+provider "azurerm" {
+ features {
+ resource_group {
+ prevent_deletion_if_contains_resources = false // Set to True for Production
+ }
+ }
+}
diff --git a/quickstart/201-azfw-with-secure-hub/variables.tf b/quickstart/201-azfw-with-secure-hub/variables.tf
new file mode 100644
index 00000000..fd29a859
--- /dev/null
+++ b/quickstart/201-azfw-with-secure-hub/variables.tf
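Review bot: The `Allow-RDP` rule in `vm_jump_nsg` uses `source_address_prefix = "*"`, and `vm_jump_nic` attaches the Standard public IP `vm_jump_pip`, so the jump VM accepts RDP on 3389 from any Internet address; the `jump-to-internet` route in `rt` also sends that subnet's egress straight to `Internet`, so none of this traffic is inspected by the firewall whose policy the sample is meant to demonstrate. Restrict the source to the operator's range, e.g. `source_address_prefix = var.admin_source_cidr` with that variable declared without a default, or drop the public IP and reach the VM through Azure Bastion; either way a one-line comment on the rule stating that `"*"` is for lab use only would help readers who copy this. Separately, `azfw_policy` hard-codes `sku = "Premium"` while `fw` takes `sku_tier = var.fw_sku`, so setting `fw_sku` to `Standard` leaves the policy tier out of step with the firewall tier; `sku = var.fw_sku` on the policy keeps the two consistent.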
@@ -0,0 +1,30 @@
+// Create Variables for Location and Tags
+variable "location" {
+ default = "eastus"
+}
+variable "tags" {
+ default = {
+ environment = "dev"
+ costcenter = "1234556677"
+ owner = "cloud team"
+ workload = "azure firewall"
+ }
+}
+
+// Create Firewall Variables
+variable "fw_sku" {
+ default = "Premium" # Valid values are Standard and Premium
+}
+
+// Create Virtual Machine Sku Size Variables
+variable "vm_size" {
+ default = "Standard_D2_v3"
+}
+
+// Create Admin Username and Password
+variable "admin_username" {
+ default = "azureuser"
+}
+variable "admin_password" {
+ default = "P@ssw0rd1234!"
+}
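Review bot: `admin_password` ships a plaintext default (`"P@ssw0rd1234!"`) and is not marked sensitive, so a well-known credential is committed to the repository and applied unchanged to both Windows VMs, including the one that receives a public IP in main.tf. Remove the default so the value must come from the operator (a prompt or `TF_VAR_admin_password`) and declare it `sensitive = true` so Terraform redacts it wherever the variable is referenced: `variable "admin_password" {` / `  sensitive = true` / `}`. The `# Valid values are Standard and Premium` comment on `fw_sku` would be better enforced with a `validation` block, e.g. `condition = contains(["Standard", "Premium"], var.fw_sku)`, so an invalid tier fails at plan time rather than at the API.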