This module composes the mc-transit, mc-firenet and peering modules together to provide a reference implementation of the transit layer.
Warning: This module leverages a Terraform experimental feature. Read the details of this feature and decide whether it is appropriate for you to adopt this module as-is, while using this feature.
Module version | Terraform version | Controller version | Terraform provider version | Used Transit module | Used Firenet module |
---|---|---|---|---|---|
v0.0.3 | >=1.1.0 | >= 6.7 | ~> 2.22.0 | v2.1.2 | v1.1.0 |
Check release notes for more details. Check compatibility list for older versions.
```hcl
module "framework" {
  source  = "terraform-aviatrix-modules/mc-transit-deployment-framework/aviatrix"
  version = "v0.0.3"

  default_transit_accounts = {
    aws   = "AWS-Account",
    azure = "Azure-Account",
    gcp   = "GCP-Account",
  }

  default_firenet_firewall_image = {
    aws   = "Palo Alto Networks VM-Series Next-Generation Firewall Bundle 1",
    azure = "Palo Alto Networks VM-Series Next-Generation Firewall Bundle 1",
    gcp   = "Palo Alto Networks VM-Series Next-Generation Firewall BUNDLE1",
  }

  transit_firenet = {
    # Transit firenet in AWS, using default_firewall_image
    transit1a = {
      transit_cloud       = "aws",
      transit_cidr        = "10.1.0.0/23",
      transit_region_name = "eu-central-1",
      transit_asn         = 65101,
      firenet             = true,
    },
    # Egress transit firenet, with a different NGFW than provided in default_firewall_image (override).
    transit1b = {
      transit_cloud                        = "aws",
      transit_cidr                         = "10.1.0.0/23",
      transit_region_name                  = "eu-central-1",
      transit_asn                          = 65111,
      transit_enable_egress_transit_firenet = true,
      firenet                              = true,
      firenet_firewall_image               = "Fortinet FortiGate Next-Generation Firewall",
    },
    # Transit in Azure
    transit2 = {
      transit_cloud       = "azure",
      transit_cidr        = "10.1.2.0/23",
      transit_region_name = "West Europe",
      transit_asn         = 65102,
    },
    # Transit firenet in GCP, using default_firewall_image
    transit3 = {
      transit_cloud       = "gcp",
      transit_cidr        = "10.1.4.0/23",
      transit_lan_cidr    = "10.99.1.0/24",
      firenet_egress_cidr = "10.99.2.0/24",
      transit_region_name = "us-east1",
      transit_asn         = 65103,
      firenet             = true,
    },
  }
}
```
The following variables are required:
key | value |
---|---|
transit_firenet | A map with all relevant transit and firenet arguments. See the Transit-Firenet map arguments section for which arguments are supported and which are mandatory. Can also be provided as JSON or YAML. |
The following variables are optional:
key | default | value |
---|---|---|
default_transit_accounts** | | Map of default access accounts to be used to deploy the transit Firenet infrastructure. (Valid keys are "aws", "azure", "gcp", "oci" and "ali".) |
default_firenet_firewall_image** | | Map of default firewall images for deploying Firenet. (Valid keys are "aws", "azure", "gcp" and "oci".) |
excluded_cidrs | ["0.0.0.0/0", ] | List of CIDRs to exclude from peerings (not used for custom peerings). |
peering_mode | full_mesh_optimized | Choose between full_mesh, full_mesh_optimized, custom or none. |
peering_map | {} | If peering_mode is custom, this map of peerings will be built. See the linked example. |
peering_prune_list | [] | If peering_mode is full_mesh or full_mesh_optimized, this list of peerings will NOT be built. See the linked example. |
**Any default that is not configured needs to be set explicitly in the transit_firenet variable for each entry that uses the argument (e.g. firenet_firewall_image does not need to be set if no firenet is deployed at all).
Arguments in this map prefixed with "transit_" are passed to the underlying mc-transit module, and arguments prefixed with "firenet_" are passed to the mc-firenet module (e.g. "transit_cidr" maps to the "cidr" argument of the mc-transit module). More details on these arguments can therefore be found in the documentation of the mc-transit and mc-firenet modules.
The following arguments are mandatory in the "transit_firenet" map variable:
key | value |
---|---|
transit_cloud | Cloud in which this entry needs to be deployed. Valid values are: aws, azure, gcp, ali, oci. |
transit_cidr | The CIDR for creating the transit (firenet) VPC/VNET/VCN. |
transit_region_name | The name of the region in which this entry needs to be deployed. |
transit_asn | A globally unique AS number for the transit gateway. |
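As an added pre-apply check (not part of the module), the following Python validates a transit_firenet map against the rules stated on this page: the four mandatory arguments, the valid transit_cloud values, a globally unique transit_asn, the default/override rule for firenet_firewall_image from the footnote above, the GCP-only transit_lan_cidr and firenet_egress_cidr requirements from the optional-arguments table, and whether a firenet entry would fall back to the documented default firenet_password. It assumes the map has already been loaded (for example from JSON or YAML) into a dict keyed by entry name; the sample map and default image map are constructed for this example.

```python
"""Pre-apply sanity check for a transit_firenet map as this README defines it. Added example,
not the module's own code; assumes the map was loaded from HCL/JSON/YAML into a dict."""
import ipaddress

VALID_CLOUDS = {"aws", "azure", "gcp", "oci", "ali"}  # transit_cloud values listed in the README
MANDATORY = ("transit_cloud", "transit_cidr", "transit_region_name", "transit_asn")
GCP_FIRENET_CIDRS = ("transit_lan_cidr", "firenet_egress_cidr")  # required for a GCP firenet entry

def validate_transit_firenet(transit_firenet, default_firewall_image=None):
    """Return a list of problems; an empty list means the map passes these checks."""
    default_firewall_image = default_firewall_image or {}
    problems, asn_owner = [], {}
    for name, entry in transit_firenet.items():
        missing = [k for k in MANDATORY if k not in entry]
        if missing:
            problems.append(f"{name}: missing mandatory argument(s) {missing}")
            continue
        cloud = entry["transit_cloud"]
        if cloud not in VALID_CLOUDS:
            problems.append(f"{name}: transit_cloud {cloud!r} not in {sorted(VALID_CLOUDS)}")
        try:
            ipaddress.ip_network(entry["transit_cidr"])
        except ValueError:
            problems.append(f"{name}: transit_cidr {entry['transit_cidr']!r} is not a valid CIDR")
        asn = entry["transit_asn"]  # must be globally unique across all transit gateways
        if asn in asn_owner:
            problems.append(f"{name}: transit_asn {asn} already used by {asn_owner[asn]}")
        asn_owner.setdefault(asn, name)
        if not entry.get("firenet"):
            continue
        # A per-entry firenet_firewall_image overrides default_firenet_firewall_image[cloud];
        # if neither is set, this entry has no NGFW image to deploy.
        if not (entry.get("firenet_firewall_image") or default_firewall_image.get(cloud)):
            problems.append(f"{name}: firenet is true but no firewall image is set for {cloud}")
        if cloud == "gcp":
            problems += [f"{name}: GCP firenet requires {k}" for k in GCP_FIRENET_CIDRS if k not in entry]
        if "firenet_password" not in entry:  # otherwise the documented default initial password is used
            problems.append(f"{name}: firenet_password not set, default initial password will be used")
    return problems

# Constructed sample input (not from the README): one valid entry and two with mistakes.
SAMPLE_MAP = {
    "transit1": {"transit_cloud": "aws", "transit_cidr": "10.1.0.0/23", "transit_region_name": "eu-central-1",
                 "transit_asn": 65101, "firenet": True, "firenet_password": "placeholder-not-a-real-secret"},
    "transit2": {"transit_cloud": "azure", "transit_cidr": "10.1.2.0/23", "transit_region_name": "West Europe",
                 "transit_asn": 65101},
    "transit3": {"transit_cloud": "gcp", "transit_cidr": "10.1.4.0/23", "transit_region_name": "us-east1",
                 "transit_asn": 65103, "firenet": True},
}
SAMPLE_DEFAULTS = {"aws": "Palo Alto Networks VM-Series Next-Generation Firewall Bundle 1"}
```

Running `validate_transit_firenet(SAMPLE_MAP, SAMPLE_DEFAULTS)` reports the duplicated ASN on transit2 and, for transit3, the missing GCP image, the two missing GCP CIDRs and the reliance on the default password.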
The following arguments are optional in the transit_firenet map variable. Any option set here overrides the corresponding default_* variable for that particular instance. The original table also marks, with cloud icons (AWS, Azure, GCP, OCI, Alibaba), which CSPs support each argument; those icons are not preserved here, so refer to the mc-transit and mc-firenet module documentation for per-cloud support. Where a default differs per cloud, the defaults are listed per CSP.
Key | Default value | Description |
---|---|---|
transit_account** | | Access accounts to be used to deploy the transit Firenet infrastructure. |
transit_az_support | true | Set to false if the region does not support Availability Zones. |
transit_az1 | a (AWS), az-1 (Azure), b (GCP) | Concatenated with the region to form AZ names, e.g. eu-central-1a. Only used for insane mode and AWS GWLB. |
transit_az2 | b (AWS), az-2 (Azure), c (GCP) | Concatenated with the region to form AZ names, e.g. eu-central-1b. Only used for insane mode and AWS GWLB. If az1 and az2 are equal, single AZ mode (deploy everything in one AZ) is triggered. |
transit_bgp_ecmp | false | Enable Equal Cost Multi Path (ECMP) routing for the next hop. |
transit_bgp_lan_interfaces | | A list of interfaces to run the BGP protocol on top of the ethernet interface. |
transit_bgp_manual_spoke_advertise_cidrs | | Intended CIDR list to advertise via BGP. Example: "10.2.0.0/16,10.4.0.0/16" |
transit_bgp_polling_time | 50 | BGP route polling time, in seconds. |
transit_connected_transit | true | Set to false to disable connected_transit. |
transit_customer_managed_keys | | Customer managed key ID for EBS volume encryption. |
transit_enable_active_standby_preemptive | false | Enables Preemptive Mode for Active-Standby. Available only with BGP enabled, HA enabled and Active-Standby enabled. |
transit_enable_advertise_transit_cidr | false | Switch to enable/disable advertising the transit VPC network CIDR for a VGW connection. |
transit_enable_bgp_over_lan | false | Enable BGP over LAN. Creates an interface for integration with SD-WAN or other BGP peerings over LAN. |
transit_enable_egress_transit_firenet | false | Enable Egress Transit FireNet. |
transit_enable_encrypt_volume | false | Set to true to enable EBS volume encryption for the gateway. |
transit_enable_firenet | false | Sign of readiness for FireNet connection with TGW. |
transit_enable_multi_tier_transit | false | Switch to enable multi-tier transit. |
transit_enable_s2c_rx_balancing | false | Toggles S2C receive packet CPU re-balancing on the transit gateway. |
transit_enable_segmentation | false | Switch to true to enable transit segmentation. |
transit_enable_transit_firenet | false | Sign of readiness for Transit FireNet connection. |
transit_gw_name | | Name for the transit gateway. |
transit_ha_bgp_lan_interfaces | | A list of interfaces to run the BGP protocol on top of the ethernet interface. |
transit_ha_cidr | | The IP CIDR to be used to create the ha_region spoke subnet. Only required when ha_region is set. |
transit_ha_gw | true | Set to false if you only want to deploy a single Aviatrix spoke gateway. |
transit_ha_region | | Region for multi-region HA. HA is multi-AZ single-region by default, but becomes multi-region when this is set. |
transit_hybrid_connection | false | Sign of readiness for TGW connection. |
transit_insane_mode | false | Set to true to enable insane mode encryption. |
transit_instance_size (insane mode/firenet) | c5n.xlarge (AWS), Standard_D3_v2 (Azure), n1-highcpu-4 (GCP), VM.Standard2.4 (OCI) | The size of the Aviatrix transit gateways when insane mode or Transit Firenet is enabled. |
transit_instance_size | t3.medium (AWS), Standard_B1ms (Azure), n1-standard-1 (GCP), VM.Standard2.2 (OCI), ecs.g5ne.large (Alibaba) | The size of the Aviatrix transit gateways. |
transit_lan_cidr | | CIDR for the LAN VPC for GCP Firenet. Only required when deploying in GCP and enable_transit_firenet is true. |
transit_learned_cidr_approval | false | Switch to true to enable learned CIDR approval. |
transit_learned_cidrs_approval_mode | | Learned CIDRs approval mode. Defaults to gateway. Valid values: gateway, connection. |
transit_name | avx-<region>-transit | Name for this Transit VPC/VNET/VCN and its gateways. |
transit_resource_group | | Specify an existing resource group to deploy transit resources into. |
transit_single_az_ha | true | Set to false if Controller-managed Gateway HA is desired. |
transit_single_ip_snat | false | Specify whether to enable the Source NAT feature in single_ip mode on the gateway. Disable the AWS NAT instance before enabling this feature. Currently only supports AWS(1) and AZURE(8). |
transit_tags | | Map of tags to assign to the gateway. |
transit_tunnel_detection_time | 60 | The IPsec tunnel down detection time for the Spoke Gateway in seconds. Must be a number in the range [20-600]. |
firenet | false | Set to true to deploy firenet in this transit entry. |
firenet_attached | true | Attach firewall instances to Aviatrix Gateways. |
firenet_bootstrap_bucket_name_1 | | Name of the bootstrap bucket to pull firewall config from. (If bootstrap_bucket_name_2 is not set, this will be used for all NGFW instances.) |
firenet_bootstrap_bucket_name_2 | | Name of the bootstrap bucket to pull firewall config from. (Only used if 2 or more FW instances are deployed, e.g. when ha_gw is true. Applies to "even" FW instances (2, 4, 6, etc.).) |
firenet_bootstrap_storage_name_1 | null | Storage name to get bootstrap files from (PANW only). (If bootstrap_storage_name_2 is not set, this will be used for all NGFW instances.) |
firenet_bootstrap_storage_name_2 | null | Storage name to get bootstrap files from (PANW only). (Only used when an HA FW instance is deployed.) |
firenet_custom_fw_names | [] | If set, the NGFW instances will be deployed with the names provided in this list. First half of the list for instances in az1, second half for az2. |
firenet_east_west_inspection_excluded_cidrs | | Network list excluded from East-West inspection. |
firenet_egress_cidr | | CIDR for the Egress VPC for GCP Firenet. Only required when deploying in GCP and enable_transit_firenet is true. |
firenet_egress_enabled | false | Enable/disable internet egress via NGFW. |
firenet_egress_static_cidrs | [] | List of egress static CIDRs. Egress is required to be enabled. Example: ["1.171.15.184/32", "1.171.15.185/32"]. |
firenet_fail_close_enabled | false | Set to true to enable fail close. |
firenet_file_share_folder_1 | null | Name of the folder containing the bootstrap files (PANW only). (If file_share_folder_2 is not set, this will be used for all NGFW instances.) |
firenet_file_share_folder_2 | null | Name of the folder containing the bootstrap files (PANW only). (Only used when an HA FW instance is deployed.) |
firenet_firewall_image** | | The firewall image to be used to deploy the NGFWs. |
firenet_firewall_image_id | | Firewall image ID. Applicable to AWS and Azure only. For AWS, use the AMI ID. For Azure, the format is "Publisher:Offer:Plan:Version". |
firenet_firewall_image_version | | When not provided, the latest available version will be used. |
firenet_fw_amount | | The number of NGFW instances to deploy. These will be deployed across multiple AZs. The amount must be even and only applies when the transit is HA. |
firenet_iam_role_1 | | IAM role used to access the bootstrap bucket. (If iam_role_2 is not set, this will be used for all NGFW instances.) |
firenet_iam_role_2 | | IAM role used to access the bootstrap bucket. (Only used if 2 or more FW instances are deployed, e.g. when ha_gw is true. Applies to "even" FW instances (2, 4, 6, etc.).) |
firenet_inspection_enabled | true | Enable/disable east/west + north/south inspection via NGFW. |
firenet_instance_size | c5.xlarge (AWS), Standard_D3_v2 (Azure), n1-standard-4 (GCP), VM.Standard2.4 (OCI) | Size of the NGFW instances. |
firenet_keep_alive_via_lan_interface_enabled | false | Enable Keep Alive via Firewall LAN Interface. |
firenet_mgmt_cidr | | CIDR for the Management VPC for GCP Firenet. Only required when deploying in GCP and enable_transit_firenet is true and deploying Palo Alto NGFW. |
firenet_password | Aviatrix#1234 | Default initial password for firewall instances. |
firenet_storage_access_key_1 | null | Storage access key to access bootstrap storage (PANW only). (If storage_access_key_2 is not set, this will be used for all NGFW instances.) |
firenet_storage_access_key_2 | null | Storage access key to access bootstrap storage (PANW only). (Only used when an HA FW instance is deployed.) |
firenet_tags | | Map of tags to assign to the firewall or FQDN egress gateways. |
firenet_use_gwlb | | Deploy firenet using the AWS GWLB. |
firenet_user_data_1 | | Userdata to bootstrap a FortiGate or Check Point firewall. |
firenet_user_data_2 | | Userdata to bootstrap a FortiGate or Check Point firewall. If not set, user_data_1 will be used. |
firenet_username | fwadmin | Applicable to Azure or AzureGov deployment only. "admin" as a username is not accepted. (For Check Point it is always admin.) |
This module will return the following outputs:
key | description |
---|---|
transit | A map containing all created transit objects |
firenet | A map containing all created firenet objects |
region_transit_map | A map of all regions with a list per region of transit gw names in that region. |
See how to use outputs to attach, for example, spokes or VPNs to the transits created with this module.