// Dedicated subnet for the Azure Firewall. Azure Firewall requires the subnet
// to carry this exact name; the /24 sits inside the 10.1.0.0/16 range that the
// "DefaultGW" route in this file points at the firewall.
resource "azurerm_subnet" "fwsubnet" {
  name                 = "AzureFirewallSubnet"
  address_prefixes     = ["10.1.4.0/24"]
  virtual_network_name = azurerm_virtual_network.vnet.name
  resource_group_name  = azurerm_resource_group.rg.name
}
// Public IP attached to the firewall's ip_configuration. Static allocation and
// the Standard SKU are what Azure Firewall expects; this is also the address
// the DNAT rules in this file listen on.
resource "azurerm_public_ip" "fwpip" {
  name                = "fwpip"
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location
  sku                 = "Standard"
  allocation_method   = "Static"
}
// Second ("temporary") public IP. Nothing in this file references it — no
// ip_configuration and no DNAT rule uses fwpip2 — so confirm it is consumed
// elsewhere in the module; an unattached public IP is an unmonitored asset
// and, presumably, still billed. TODO(review): remove if unused.
resource "azurerm_public_ip" "fwpip2" {
  name                = "fwpip2"
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location
  sku                 = "Standard"
  allocation_method   = "Static"
}
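// Premium-tier firewall policy consumed by the azurerm_firewall resource and
// the rule collection group in this file.
//
// Fix: proxy_enabled is a bool in the provider schema; the original passed the
// string "true", which Terraform only coerces. Use the bare boolean so the plan
// reads correctly and does not rely on implicit conversion.
resource "azurerm_firewall_policy" "fwpolicy" {
  name                = "fwpolicy"
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location
  sku                 = "Premium"

  dns {
    // DNS proxy: the firewall answers DNS for the VNet, which is also what
    // lets FQDN-based filtering resolve names consistently.
    proxy_enabled = true
  }
}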
// Rule collection group for fwpolicy. Each collection carries its own priority
// (300 DNAT, 400 network, 500 application); lower numbers are evaluated first.
//
// NOTE(review): every collection below uses source_addresses = ["*"], and the
// application/network rules also use wildcard destinations. As written, the
// policy is effectively allow-all for HTTP/HTTPS egress, allow-any-protocol to
// port 1234 from anywhere, and publishes RDP (3389) on the firewall's public IP
// to the whole internet. Confirm these scopes are intended; for a production
// deployment the sources should be restricted to the VNet / management ranges
// and the destinations to named FQDNs and addresses.
resource "azurerm_firewall_policy_rule_collection_group" "example" {
  name               = "example-fwpolicy-rcg"
  priority           = 500
  firewall_policy_id = azurerm_firewall_policy.fwpolicy.id

  // Layer-7 egress: HTTP and HTTPS to any FQDN from any source.
  application_rule_collection {
    name     = "app_rule_collection1"
    priority = 500
    action   = "Allow"

    rule {
      name              = "app_rule_collection1_rule1"
      source_addresses  = ["*"] // NOTE(review): consider the VNet address space instead of "*"
      destination_fqdns = ["*"] // NOTE(review): wildcard FQDN — allow-list the required hosts
      protocols {
        type = "Http"
        port = 80
      }
      protocols {
        type = "Https"
        port = 443
      }
    }
  }

  // Layer-3/4: any protocol, any source, any destination, port 1234.
  // The purpose of 1234 is not documented here — TODO(review) confirm.
  network_rule_collection {
    name     = "network_rule_collection1"
    priority = 400
    action   = "Allow"

    rule {
      name                  = "network_rule_collection1_rule1"
      protocols             = ["Any"]
      source_addresses      = ["*"]
      destination_addresses = ["*"]
      destination_ports     = ["1234"]
    }
  }

  // DNAT: inbound on fwpip, forwarded to workloads.
  nat_rule_collection {
    name     = "nat_rule_collection1"
    priority = 300
    action   = "Dnat"

    // HTTP on the firewall's public IP, translated to azurerm_public_ip.example
    // (declared outside this file). NOTE(review): DNAT normally targets a
    // private address; translating to another public IP looks unusual — verify.
    rule {
      name                = "nat_rule_collection1_rule1"
      protocols           = ["TCP"]
      source_addresses    = ["*"]
      destination_address = azurerm_public_ip.fwpip.ip_address
      destination_ports   = ["80"]
      translated_address  = azurerm_public_ip.example.ip_address
      translated_port     = "80"
    }

    // RDP on the firewall's public IP, translated to the Windows VM's private
    // IP (VM declared outside this file). NOTE(review): with source "*" this is
    // internet-exposed RDP; restrict source_addresses to management ranges or
    // front it with a bastion/jump host and monitor 3389 hits on the firewall.
    rule {
      name                = "nat_rule_collection1_rule2"
      protocols           = ["TCP"]
      source_addresses    = ["*"]
      destination_address = azurerm_public_ip.fwpip.ip_address
      destination_ports   = ["3389"]
      translated_address  = azurerm_windows_virtual_machine.example.private_ip_address
      translated_port     = "3389"
    }
  }
}
// The Azure Firewall instance: Premium tier, VNet-deployed (AZFW_VNet), bound
// to fwpolicy, placed in AzureFirewallSubnet and fronted by fwpip. Its private
// IP (ip_configuration[0].private_ip_address) is the next hop used by the
// route table in this file.
resource "azurerm_firewall" "firewall" {
  name                = "firewall"
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location
  sku_name            = "AZFW_VNet"
  sku_tier            = "Premium"
  firewall_policy_id  = azurerm_firewall_policy.fwpolicy.id

  ip_configuration {
    name                 = "configuration"
    subnet_id            = azurerm_subnet.fwsubnet.id
    public_ip_address_id = azurerm_public_ip.fwpip.id
  }
}
// User-defined route table steering traffic through the firewall.
//
// NOTE(review): the route is named "DefaultGW" but its prefix is the VNet
// range 10.1.0.0/16, not 0.0.0.0/0 — so only intra-VNet traffic is forced
// through the firewall and internet-bound traffic bypasses it. Confirm which
// was intended. Also, no subnet association for this table appears in this
// file; verify one exists elsewhere, otherwise the route has no effect.
resource "azurerm_route_table" "routetable" {
  name                = "RouteTable"
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location
  //disable_bgp_route_propagation = false

  route {
    name                   = "DefaultGW"
    address_prefix         = "10.1.0.0/16"
    next_hop_type          = "VirtualAppliance"
    // Firewall's private address; evaluated after the firewall is created.
    next_hop_in_ip_address = azurerm_firewall.firewall.ip_configuration[0].private_ip_address
  }
}