This module composes the mc-transit, mc-firenet and peering modules(1)(2) together to provide a reference transit layer implementation.
Warning: This module leverages a Terraform experimental feature. Read the details of this feature and decide whether it is appropriate for you to adopt this module as-is, while using this feature.
| Module version | Terraform version | Controller version | Terraform provider version | Used Transit module | Used Firenet module |
|---|---|---|---|---|---|
| v0.0.3 | >=1.1.0 | >= 6.7 | ~> 2.22.0 | v2.1.2 | v1.1.0 |
Check release notes for more details. Check compatibility list for older versions.
module "framework" {
source = "terraform-aviatrix-modules/mc-transit-deployment-framework/aviatrix"
version = "v0.0.3"
default_transit_accounts = {
aws = "AWS-Account",
azure = "Azure-Account",
gcp = "GCP-Account",
}
default_firenet_firewall_image = {
aws = "Palo Alto Networks VM-Series Next-Generation Firewall Bundle 1",
azure = "Palo Alto Networks VM-Series Next-Generation Firewall Bundle 1",
gcp = "Palo Alto Networks VM-Series Next-Generation Firewall BUNDLE1",
}
transit_firenet = {
#Transit firenet in AWS, using default_firewall_image
transit1a = {
transit_cloud = "aws",
transit_cidr = "10.1.0.0/23",
transit_region_name = "eu-central-1",
transit_asn = 65101,
firenet = true,
},
#Egress transit firenet, with different NGFW then provided in default_firewall_image (override).
transit1b = {
transit_cloud = "aws",
transit_cidr = "10.1.0.0/23",
transit_region_name = "eu-central-1",
transit_asn = 65111,
transit_enable_egress_transit_firenet = true,
firenet = true,
firenet_firewall_image = "Fortinet FortiGate Next-Generation Firewall",
},
#Transit in Azure
transit2 = {
transit_cloud = "azure",
transit_cidr = "10.1.2.0/23",
transit_region_name = "West Europe",
transit_asn = 65102,
},
#Transit firenet in GCP, using default_firewall_image
transit3 = {
transit_cloud = "gcp",
transit_cidr = "10.1.4.0/23",
transit_lan_cidr = "10.99.1.0/24",
firenet_egress_cidr = "10.99.2.0/24",
transit_region_name = "us-east1",
transit_asn = 65103,
firenet = true,
},
}
}
The following variables are required:
| key | value |
|---|---|
| transit_firenet | A map with all relevant transit and firenet arguments. See Transit-Firenet map arguments to see which arguments are supported and mandatory. Can also be provided as JSON or YAML. |
The following variables are optional:
| key | default | value |
|---|---|---|
| default_transit_accounts** | Map of default access accounts to be used to deploy the transit Firenet infrastructure. (Valid keys are "aws", "azure", "gcp", "oci" and "ali".) | |
| default_firenet_firewall_image** | Map of default firewall images for deploying Firenet. (Valid keys are "aws", "azure", "gcp" and "oci".) | |
| excluded_cidrs | ["0.0.0.0/0", ] | List of CIDR's to exlude in peerings (not used for custom peerings). |
| peering_mode | full_mesh_optimized | Choose between full_mesh, full_mesh_optimized, custom or none. |
| peering_map | {} | If peering_mode is custom, this map of peerings will be built. Example see link. |
| peering_prune_list | [] | If peering_mode is full_mesh or optimized_full_mesh, this list of peerings will NOT be built. Example see link. |
**Any defaults that are not configured, need to be explicitly set in the transit_firenet variable for each entry, if the argument is used (e.g. firenet_firewall_image does not require to be set if firenet is not deployed altogether).
Arguments in this map prepended with "transit_" are pushed to the underlying mc-transit module. Arguments prepended with "firenet_" are pushed to the mc-firenet module. As such, more details on these arguments can also be found in the documentation of the mc-transit and mc-firenet modules. (e.g. "transit_cidr" maps to the "cidr" argument on the mc-transit module)
The following arguments are mandatory in the "transit_firenet" map variable:
| key | value |
|---|---|
| transit_cloud | Cloud in which this entry needs to be deployed. Valid values are: aws, azure, gcp, ali, oci. |
| transit_cidr | The CIDR for creating the transit (firenet) VPC/VNET/VCN. |
| transit_region_name | The name of the region in which this entry needs to be deployed. |
| transit_asn | A global unique AS Number for the transit gateway. |
The following arguments are optional in the transit firenet map variable: Any options set here will override the default_* variables for that particular instance.
= AWS, 
= Azure, 
= GCP, 
= OCI, 
= Alibaba
| Key | Supported_CSP's | Default value | Description |
|---|---|---|---|
| transit_account** | |
Access accounts to be used to deploy the transit Firenet infrastructure. | |
| transit_az_support | |
true | Set to false if the region does not support Availability Zones. |
| transit_az1 | |
a az-1 b |
Concatenates with region to form az names. e.g. eu-central-1a. Only used for insane mode and AWS GWLB. |
| transit_az2 | |
b az-2 c |
Concatenates with region to form az names. e.g. eu-central-1b. Only used for insane mode and AWS GWLB. If az1 and az2 are equal. Single AZ mode (deploy everyting in 1 AZ) is triggered. |
| transit_bgp_ecmp | |
false | Enable Equal Cost Multi Path (ECMP) routing for the next hop |
| transit_bgp_lan_interfaces | |
A list of interfaces to run BGP protocol on top of the ethernet interface | |
| transit_bgp_manual_spoke_advertise_cidrs | |
Intended CIDR list to advertise via BGP. Example: "10.2.0.0/16,10.4.0.0/16" | |
| transit_bgp_polling_time | |
50 | BGP route polling time. Unit is in seconds |
| transit_connected_transit | |
true | Set to false to disable connected_transit |
| transit_customer_managed_keys | |
Customer managed key ID for EBS Volume encryption. | |
| transit_enable_active_standby_preemptive | |
false | Enables Preemptive Mode for Active-Standby. Available only with BGP enabled, HA enabled and Active-Standby enabled. |
| transit_enable_advertise_transit_cidr | |
false | Switch to enable/disable advertise transit VPC network CIDR for a VGW connection |
| transit_enable_bgp_over_lan | |
false | Enable BGP over LAN. Creates interface for integration with SDWAN or other BGP peerings over LAN. |
| transit_enable_egress_transit_firenet | |
false | Enable Egress Transit FireNet |
| transit_enable_encrypt_volume | |
false | Set to true to enable EBS volume encryption for Gateway. |
| transit_enable_firenet | |
false | Sign of readiness for FireNet connection with TGW |
| transit_enable_multi_tier_transit | |
false | Switch to enable multi tier transit |
| transit_enable_s2c_rx_balancing | |
false | Allows to toggle the S2C receive packet CPU re-balancing on transit gateway. |
| transit_enable_segmentation | |
false | Switch to true to enable transit segmentation |
| transit_enable_transit_firenet | |
false | Sign of readiness for Transit FireNet connection |
| transit_gw_name | |
Name for the transit gateway. | |
| transit_ha_bgp_lan_interfaces | |
A list of interfaces to run BGP protocol on top of the ethernet interface | |
| transit_ha_cidr | |
The IP CIDR to be used to create ha_region spoke subnet. Only required when ha_region is set. | |
| transit_ha_gw | |
true | Set to false if you only want to deploy a single Aviatrix spoke gateway |
| transit_ha_region | |
Region for multi region HA. HA is multi-az single region by default, but will become multi region when this is set. | |
| transit_hybrid_connection | |
false | Sign of readiness for TGW connection |
| transit_insane_mode | |
false | Set to true to enable insane mode encryption |
| transit_instance_size (insane mode/firenet) | |
c5n.xlarge Standard_D3_v2 n1-highcpu-4 VM.Standard2.4 |
The size of the Aviatrix transit gateways when insane mode or Transit Firenet is enabled. |
| transit_instance_size | |
t3.medium Standard_B1ms n1-standard-1 VM.Standard2.2 ecs.g5ne.large |
The size of the Aviatrix transit gateways. |
| transit_lan_cidr | |
CIDR For LAN VPC for GCP Firenet. Only required when deploying in GCP and enable_transit_firenet is true. | |
| transit_learned_cidr_approval | |
false | Switch to true to enable learned CIDR approval |
| transit_learned_cidrs_approval_mode | |
Learned cidrs approval mode. Defaults to Gateway. Valid values: gateway, connection | |
| transit_name | |
avx-<region>-transit | Name for this Transit VPC/VNET/VCN and it's gateways |
| transit_resource_group | |
Specify existing resource group to deploy transit resources into. | |
| transit_single_az_ha | |
true | Set to false if Controller managed Gateway HA is desired |
| transit_single_ip_snat | |
false | Specify whether to enable Source NAT feature in single_ip mode on the gateway or not. Please disable AWS NAT instance before enabling this feature. Currently only supports AWS(1) and AZURE(8) |
| transit_tags | |
Map of tags to assign to the gateway. | |
| transit_tunnel_detection_time | |
The IPsec tunnel down detection time for the Spoke Gateway in seconds. Must be a number in the range [20-600]. Default is 60. | |
| firenet | |
false | Set to true to deploy firenet in this transit entry. |
| firenet_attached | |
true | Attach firewall instances to Aviatrix Gateways. |
| firenet_bootstrap_bucket_name_1 | |
Name of bootstrap bucket to pull firewall config from. (If bootstrap_bucket_name_2 is not set, this will used for all NGFW instances) | |
| firenet_bootstrap_bucket_name_2 | |
Name of bootstrap bucket to pull firewall config from. (Only used if 2 or more FW instances are deployed, e.g. when ha_gw is true. Applies to "even" fw instances (2,4,6 etc)) | |
| firenet_bootstrap_storage_name_1 | |
null | Storagename to get bootstrap files from (PANW only). (If bootstrap_storage_name_2 is not set, this will used for all NGFW instances) |
| firenet_bootstrap_storage_name_2 | |
null | Storagename to get bootstrap files from (PANW only) (Only used when HA FW instance is deployed) |
| firenet_custom_fw_names | |
[] | If set, the NGFW instances will be deployed with the names provided in this list. First half of the list for instances in az1, second half for az2. |
| firenet_east_west_inspection_excluded_cidrs | |
Network List Excluded From East-West Inspection. | |
| firenet_egress_cidr | |
CIDR For Egress VPC for GCP Firenet. Only required when deploying in GCP and enable_transit_firenet is true. | |
| firenet_egress_enabled | |
false | Enable/disable internet egress via NGFW. |
| firenet_egress_static_cidrs | |
[] | List of egress static CIDRs. Egress is required to be enabled. Example: ["1.171.15.184/32", "1.171.15.185/32"]. |
| firenet_fail_close_enabled | |
false | Set to true to enable fail close |
| firenet_file_share_folder_1 | |
null | Name of the folder containing the bootstrap files (PANW only) (If file_share_folder_2 is not set, this will used for all NGFW instances) |
| firenet_file_share_folder_2 | |
null | Name of the folder containing the bootstrap files (PANW only) (Only used when HA FW instance is deployed) |
| firenet_firewall_image** | |
The firewall image to be used to deploy the NGFW's. | |
| firenet_firewall_image_id | |
Firewall image ID. Applicable to AWS and Azure only. For AWS, please use AMI ID. For Azure, the format is “Publisher:Offer:Plan:Version”. | |
| firenet_firewall_image_version | |
When not provided, latest available will be used. | |
| firenet_fw_amount | |
The amount of NGFW instances to deploy. These will be deployed accross multiple AZ's. Amount must be even and only applies when transit is HA. | |
| firenet_iam_role_1 | |
IAM Role used to access bootstrap bucket. (If iam_role_2 is not set, this will used for all NGFW instances) | |
| firenet_iam_role_2 | |
IAM Role used to access bootstrap bucket. (Only used if 2 or more FW instances are deployed, e.g. when ha_gw is true. Applies to "even" fw instances (2,4,6 etc)) | |
| firenet_inspection_enabled | |
true | Enable/disable east/west + north/south inspection via NGFW. |
| firenet_instance_size | |
c5.xlarge Standard_D3_v2 n1-standard-4 VM.Standard2.4 |
Size of the NGFW instances |
| firenet_keep_alive_via_lan_interface_enabled | |
False | Enable Keep Alive via Firewall LAN Interface. |
| firenet_mgmt_cidr | |
CIDR For Management VPC for GCP Firenet. Only required when deploying in GCP and enable_transit_firenet is true and deploying Palo Alto NGFW. | |
| firenet_password | |
Aviatrix#1234 | Default initial password for firewall instances |
| firenet_storage_access_key_1 | |
null | Storage_access_key to access bootstrap storage (PANW only) (If storage_access_key_2 is not set, this will used for all NGFW instances) |
| firenet_storage_access_key_2 | |
null | Storage_access_key to access bootstrap storage (PANW only) (Only used when HA FW instance is deployed) |
| firenet_tags | |
Map of tags to assign to the firewall or FQDN egress gw's. | |
| firenet_use_gwlb | |
Deploy firenet using the AWS GWLB. | |
| firenet_user_data_1 | |
Userdata to bootstrap FortiGate or Checkpoint Firewall. | |
| firenet_user_data_2 | |
Userdata to bootstrap FortiGate or Checkpoint Firewall. If not set, user_data_1 will be used. | |
| firenet_username | |
fwadmin | Applicable to Azure or AzureGov deployment only. "admin" as a username is not accepted. (For Checkpoint it is always admin) |
This module will return the following outputs:
| key | description |
|---|---|
| transit | A map containing all created transit objects |
| firenet | A map containing all created firenet objects |
| region_transit_map | A map of all regions with a list per region of transit gw names in that region. |
See how to use outputs to attach for example, spokes or VPN's to the transits created with this module.
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent