This module composes the mc-transit, mc-firenet and peering modules together to provide a reference transit layer implementation.
Module version | Terraform version | Controller version | Terraform provider version | Used Transit module | Used Firenet module |
---|---|---|---|---|---|
v1.2.3 | >=1.3.0 | >= 7.1 | ~> 3.1.0 | v2.5.1 | v1.5.0 |
Check release notes for more details. Check compatibility list for older versions.
```hcl
module "framework" {
  source  = "terraform-aviatrix-modules/backbone/aviatrix"
  version = "v1.2.2"

  global_settings = {
    transit_accounts = {
      aws   = "AWS-Account",
      azure = "Azure-Account",
      gcp   = "GCP-Account",
    }
    firenet_firewall_image = {
      aws   = "Palo Alto Networks VM-Series Next-Generation Firewall Bundle 1",
      azure = "Palo Alto Networks VM-Series Next-Generation Firewall Bundle 1",
      gcp   = "Palo Alto Networks VM-Series Next-Generation Firewall BUNDLE1",
    }
    transit_ha_gw = false
  }

  transit_firenet = {
    # Transit firenet in AWS, using the firenet_firewall_image from global_settings
    transit1a = {
      transit_cloud       = "aws",
      transit_cidr        = "10.1.0.0/23",
      transit_region_name = "eu-central-1",
      transit_asn         = 65101,
      firenet             = true,
    },
    # Egress transit firenet, with a different NGFW than the one in global_settings (override)
    transit1b = {
      transit_cloud                         = "aws",
      transit_cidr                          = "10.1.0.0/23",
      transit_region_name                   = "eu-central-1",
      transit_asn                           = 65111,
      transit_enable_egress_transit_firenet = true,
      firenet                               = true,
      firenet_firewall_image                = "Fortinet FortiGate Next-Generation Firewall",
    },
    # Transit in Azure
    transit2 = {
      transit_cloud       = "azure",
      transit_cidr        = "10.1.2.0/23",
      transit_region_name = "West Europe",
      transit_asn         = 65102,
    },
    # Transit firenet in GCP, using the firenet_firewall_image from global_settings
    transit3 = {
      transit_cloud       = "gcp",
      transit_cidr        = "10.1.4.0/23",
      transit_lan_cidr    = "10.99.1.0/24",
      firenet_egress_cidr = "10.99.2.0/24",
      transit_region_name = "us-east1",
      transit_asn         = 65103,
      firenet             = true,
    },
  }
}
```
The following variables are required:
key | value |
---|---|
transit_firenet | A map with all relevant transit and firenet arguments. See Transit-Firenet map arguments to see which arguments are supported and mandatory. Can also be provided as JSON or YAML. |
The following variables are optional:
key | default | value |
---|---|---|
global_settings | | Map of values to override default behavior or set standard values. |
enable_max_performance | | Enable/disable multiple tunnels for peerings between HPE gateways. |
excluded_cidrs | ["0.0.0.0/0", ] | List of CIDRs to exclude from peerings (not used for custom peerings). |
peering_mode | full_mesh_optimized | Choose between full_mesh, full_mesh_optimized, custom or none. |
peering_map | {} | If peering_mode is custom, this map of peerings will be built. Example see link. |
peering_prune_list | [] | If peering_mode is full_mesh or full_mesh_optimized, the peerings in this list will NOT be built. Example see link. |
Arguments in this map prefixed with "transit_" are pushed to the underlying mc-transit module; arguments prefixed with "firenet_" are pushed to the mc-firenet module. More details on these arguments can therefore also be found in the documentation of the mc-transit and mc-firenet modules (e.g. "transit_cidr" maps to the "cidr" argument of the mc-transit module).
The following arguments are mandatory in the "transit_firenet" map variable:
key | value |
---|---|
transit_cloud | Cloud in which this entry needs to be deployed. Valid values are: aws, azure, gcp, ali, oci. |
transit_cidr | The CIDR for creating the transit (firenet) VPC/VNET/VCN. |
transit_region_name | The name of the region in which this entry needs to be deployed. |
transit_asn | A globally unique AS number for the transit gateway. |
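The README notes that the map can also be supplied as JSON or YAML. The following script is an added example (not part of the backbone module or its documentation) showing how to sanity-check such a document before handing it to Terraform: it merges global_settings under each entry as described below (entry keys win; per-cloud maps such as transit_accounts and firenet_firewall_image are looked up by the entry's transit_cloud, which is my reading of the `**` marker in the argument table), then checks the four mandatory keys, the valid cloud names, CIDR syntax, ASN uniqueness, the GCP-only CIDR requirements and the even-firewall-count rule. The sample input is constructed here; the YAML path would only differ in using yaml.safe_load instead of json.loads.

```python
"""Pre-apply sanity checks for a backbone `transit_firenet` map (added example)."""
import json
from ipaddress import ip_network

VALID_CLOUDS = {"aws", "azure", "gcp", "ali", "oci"}
MANDATORY = ("transit_cloud", "transit_cidr", "transit_region_name", "transit_asn")

# global_settings keys that hold a per-cloud map; the value is the per-entry
# key they resolve to (transit_accounts -> transit_account). Assumed semantics.
PER_CLOUD_KEYS = {
    "transit_accounts": "transit_account",
    "firenet_firewall_image": "firenet_firewall_image",
}


def effective_settings(entry, global_settings):
    """Merge one entry over global_settings; the entry wins on conflicts."""
    cloud = entry.get("transit_cloud")
    resolved = {}
    for key, value in global_settings.items():
        if key in PER_CLOUD_KEYS and isinstance(value, dict):
            if cloud in value:
                resolved[PER_CLOUD_KEYS[key]] = value[cloud]
        else:
            resolved[key] = value
    resolved.update(entry)
    return resolved


def validate_transit_firenet(document, global_settings=None):
    """Return a list of "<entry>: <problem>" strings; an empty list means OK.

    `document` is the map as a JSON string or an already decoded dict.
    """
    global_settings = global_settings or {}
    entries = json.loads(document) if isinstance(document, str) else document
    problems = []
    asn_owner = {}  # transit_asn -> first entry that claimed it
    for name, raw in entries.items():
        e = effective_settings(raw, global_settings)
        for key in MANDATORY:
            if key not in e:
                problems.append(f"{name}: missing mandatory key {key}")
        cloud = e.get("transit_cloud")
        if cloud is not None and cloud not in VALID_CLOUDS:
            problems.append(f"{name}: invalid transit_cloud {cloud!r}")
        if "transit_cidr" in e:
            try:
                ip_network(e["transit_cidr"])  # strict: host bits must be zero
            except ValueError:
                problems.append(f"{name}: transit_cidr {e['transit_cidr']!r} is not a valid CIDR")
        asn = e.get("transit_asn")
        if asn is not None:
            if asn in asn_owner:
                problems.append(f"{name}: transit_asn {asn} already used by {asn_owner[asn]}")
            asn_owner.setdefault(asn, name)
        if "transit_account" not in e:
            problems.append(f"{name}: no transit_account (set it here or via global transit_accounts)")
        if e.get("firenet"):
            if "firenet_firewall_image" not in e and "firenet_firewall_image_id" not in e:
                problems.append(f"{name}: firenet enabled but no firenet_firewall_image")
            if cloud == "gcp":
                for key in ("transit_lan_cidr", "firenet_egress_cidr"):
                    if key not in e:
                        problems.append(f"{name}: GCP firenet requires {key}")
            amount = e.get("firenet_fw_amount")
            # transit_ha_gw defaults to true, so an odd count is only fine when HA is off
            if amount is not None and e.get("transit_ha_gw", True) and amount % 2:
                problems.append(f"{name}: firenet_fw_amount must be even when the transit is HA")
    return problems


# Constructed sample: two entries modelled on the README example plus a
# deliberately broken Azure entry (duplicate ASN, odd firewall count, no account).
SAMPLE_GLOBAL = {
    "transit_accounts": {"aws": "AWS-Account", "gcp": "GCP-Account"},
    "firenet_firewall_image": {
        "aws": "Palo Alto Networks VM-Series Next-Generation Firewall Bundle 1",
        "gcp": "Palo Alto Networks VM-Series Next-Generation Firewall BUNDLE1",
    },
    "transit_ha_gw": True,
}
SAMPLE_DOC = json.dumps({
    "transit1a": {"transit_cloud": "aws", "transit_cidr": "10.1.0.0/23",
                  "transit_region_name": "eu-central-1", "transit_asn": 65101, "firenet": True},
    "transit3": {"transit_cloud": "gcp", "transit_cidr": "10.1.4.0/23",
                 "transit_lan_cidr": "10.99.1.0/24", "firenet_egress_cidr": "10.99.2.0/24",
                 "transit_region_name": "us-east1", "transit_asn": 65103, "firenet": True},
    "transit4": {"transit_cloud": "azure", "transit_cidr": "10.1.6.0/23",
                 "transit_region_name": "West Europe", "transit_asn": 65101,
                 "firenet": True, "firenet_fw_amount": 3},
})


def demo():
    """Run the checks over the constructed sample and return the findings."""
    return validate_transit_firenet(SAMPLE_DOC, SAMPLE_GLOBAL)


if __name__ == "__main__":
    for problem in demo():
        print(problem)
```

Running it against the sample reports four findings, all on transit4; the two entries copied from the README example pass. The checks only encode what this page states as mandatory or required, so they will not catch cloud-side constraints such as CIDR collisions between peered transits.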
The following arguments are optional in the transit firenet map variable. Any option set here overrides the default (global_settings) value for that particular entry.
Where a default differs per cloud, the values are given per CSP (AWS, Azure, GCP, OCI, Alibaba).
Key | Default value | Description |
---|---|---|
transit_allocate_new_eip | null | When false, reuse an idle address from the Elastic IP pool for this gateway. Otherwise, allocate a new Elastic IP and use it for this gateway. |
transit_account** | | Access account used to deploy the transit FireNet infrastructure. |
transit_availability_domain | | Availability domain in OCI. |
transit_az_support | true | Set to false if the region does not support Availability Zones. |
transit_az1 | a (AWS), az-1 (Azure), b (GCP) | Concatenated with the region to form the AZ name, e.g. eu-central-1a. Only used for insane mode and AWS GWLB. |
transit_az2 | b (AWS), az-2 (Azure), c (GCP) | Concatenated with the region to form the AZ name, e.g. eu-central-1b. Only used for insane mode and AWS GWLB. If az1 and az2 are equal, single-AZ mode (deploy everything in one AZ) is triggered. |
transit_azure_eip_name_resource_group | null | Name of the public IP address resource and its resource group in Azure to be assigned to the transit gateway instance. |
transit_bgp_ecmp | false | Enable Equal Cost Multi Path (ECMP) routing for the next hop. |
transit_bgp_hold_time | 180 | BGP hold time. |
transit_bgp_lan_interfaces | | A list of interfaces to run the BGP protocol on top of the Ethernet interface. |
transit_bgp_lan_interfaces_count | | Number of interfaces that will be created for a BGP over LAN enabled Azure transit. |
transit_bgp_manual_spoke_advertise_cidrs | | Intended CIDR list to advertise via BGP. Example: "10.2.0.0/16,10.4.0.0/16" |
transit_bgp_polling_time | 50 | BGP route polling time, in seconds. |
transit_connected_transit | true | Set to false to disable connected_transit. |
transit_customer_managed_keys | | Customer managed key ID for EBS volume encryption. |
transit_eip | null | Required when allocate_new_eip is false. Uses the specified EIP for this gateway. |
transit_enable_active_standby | false | Enables Active-Standby mode. Available only with HA enabled. |
transit_enable_active_standby_preemptive | false | Enables preemptive mode for Active-Standby. Available only with BGP, HA and Active-Standby enabled. |
transit_enable_advertise_transit_cidr | false | Enable/disable advertising the transit VPC network CIDR for a VGW connection. |
transit_enable_bgp_over_lan | false | Enable BGP over LAN. Creates an interface for integration with SD-WAN or other BGP peerings over LAN. |
transit_enable_egress_transit_firenet | false | Enable Egress Transit FireNet. |
transit_enable_encrypt_volume | false | Set to true to enable EBS volume encryption for the gateway. |
transit_enable_firenet | false | Sign of readiness for FireNet connection with TGW. |
transit_enable_gateway_load_balancer | false | Enable FireNet interfaces with AWS Gateway Load Balancer. |
transit_enable_gro_gso | true | Enable GRO/GSO for this transit gateway. |
transit_enable_monitor_gateway_subnets | false | If set to true, the Monitor Gateway Subnets feature in AWS is enabled. |
transit_enable_multi_tier_transit | false | Enable multi-tier transit. |
transit_enable_preserve_as_path | false | Preserve the AS path when advertising manual summary CIDRs on a BGP transit gateway. |
transit_enable_s2c_rx_balancing | false | Toggle S2C receive packet CPU re-balancing on the transit gateway. |
transit_enable_vpc_dns_server | null | Enable VPC DNS server for the gateway. |
transit_segmentation | true | Enable transit segmentation. |
transit_enable_transit_firenet | false | Sign of readiness for Transit FireNet connection. |
transit_fault_domain | | Fault domain in OCI. |
transit_gw_name | | Name for the transit gateway. |
transit_ha_availability_domain | | Availability domain in OCI for the HA gateway. |
transit_ha_azure_eip_name_resource_group | null | Name of the public IP address resource and its resource group in Azure to be assigned to the HA transit gateway instance. |
transit_ha_bgp_lan_interfaces | | A list of interfaces to run the BGP protocol on top of the Ethernet interface of the HA gateway. |
transit_ha_cidr | | The IP CIDR used to create the ha_region spoke subnet. Only required when ha_region is set. |
transit_ha_eip | null | Required when allocate_new_eip is false. Uses the specified EIP for this gateway. |
transit_ha_fault_domain | | Fault domain in OCI for the HA gateway. |
transit_ha_gw | true | Set to false to deploy only a single Aviatrix transit gateway. |
transit_ha_region | | Region for multi-region HA. HA is multi-AZ single-region by default, but becomes multi-region when this is set. |
transit_hybrid_connection | false | Sign of readiness for TGW connection. |
transit_insane_mode | false | Set to true to enable insane mode encryption. |
transit_instance_size (insane mode/firenet) | c5n.xlarge (AWS), Standard_D3_v2 (Azure), n1-highcpu-4 (GCP), VM.Standard2.4 (OCI) | Size of the Aviatrix transit gateways when insane mode or Transit FireNet is enabled. |
transit_instance_size | t3.medium (AWS), Standard_B1ms (Azure), n1-standard-1 (GCP), VM.Standard2.2 (OCI), ecs.g5ne.large (Alibaba) | Size of the Aviatrix transit gateways. |
transit_lan_cidr | | CIDR for the LAN VPC for GCP FireNet. Only required when deploying in GCP and enable_transit_firenet is true. |
transit_learned_cidr_approval | false | Set to true to enable learned CIDR approval. |
transit_learned_cidrs_approval_mode | gateway | Learned CIDRs approval mode. Valid values: gateway, connection. |
transit_name | avx-<region>-transit | Name for this transit VPC/VNET/VCN and its gateways. |
transit_private_mode_lb_vpc_id | | VPC ID of the Private Mode load balancer. Required when Private Mode is enabled on the Controller. |
transit_private_mode_subnet_zone | | Availability Zone of the subnet. Required when Private Mode is enabled on the Controller and cloud_type is AWS or AWSGov. |
transit_private_mode_subnets | | |
transit_ha_private_mode_subnet_zone | | Availability Zone of the HA subnet. Required when Private Mode is enabled on the Controller and cloud_type is AWS or AWSGov. |
transit_resource_group | | Existing resource group to deploy transit resources into. |
transit_single_az_ha | true | Set to false if Controller-managed gateway HA is desired. |
transit_single_ip_snat | false | Enable Source NAT in single_ip mode on the gateway. Disable the AWS NAT instance before enabling this feature. Currently only supports AWS(1) and Azure(8). |
transit_tags | | Map of tags to assign to the gateway. |
transit_tunnel_detection_time | 60 | IPsec tunnel down detection time for the gateway, in seconds. Must be a number in the range [20-600]. |
firenet | false | Set to true to deploy FireNet in this transit entry. |
firenet_attached | true | Attach firewall instances to Aviatrix gateways. |
firenet_bootstrap_bucket_name_1 | | Name of the bootstrap bucket to pull firewall config from. If bootstrap_bucket_name_2 is not set, this is used for all NGFW instances. |
firenet_bootstrap_bucket_name_2 | | Name of the bootstrap bucket to pull firewall config from. Only used if 2 or more FW instances are deployed, e.g. when ha_gw is true; applies to the "even" FW instances (2, 4, 6, etc.). |
firenet_bootstrap_storage_name_1 | null | Storage name to get bootstrap files from (PANW only). If bootstrap_storage_name_2 is not set, this is used for all NGFW instances. |
firenet_bootstrap_storage_name_2 | null | Storage name to get bootstrap files from (PANW only). Only used when an HA FW instance is deployed. |
firenet_custom_fw_names | [] | If set, the NGFW instances are deployed with the names in this list: first half of the list for instances in az1, second half for az2. |
firenet_east_west_inspection_excluded_cidrs | | Network list excluded from east-west inspection. |
firenet_egress_cidr | | CIDR for the egress VPC for GCP FireNet. Only required when deploying in GCP and enable_transit_firenet is true. |
firenet_egress_enabled | false | Enable/disable internet egress via NGFW. |
firenet_egress_static_cidrs | [] | List of egress static CIDRs. Egress must be enabled. Example: ["1.171.15.184/32", "1.171.15.185/32"]. |
firenet_file_share_folder_1 | null | Name of the folder containing the bootstrap files (PANW only). If file_share_folder_2 is not set, this is used for all NGFW instances. |
firenet_file_share_folder_2 | null | Name of the folder containing the bootstrap files (PANW only). Only used when an HA FW instance is deployed. |
firenet_firewall_image** | | The firewall image used to deploy the NGFWs. |
firenet_firewall_image_id | | Firewall image ID. Applicable to AWS and Azure only. For AWS, use the AMI ID. For Azure, the format is "Publisher:Offer:Plan:Version". |
firenet_firewall_image_version | | When not provided, the latest available version is used. |
firenet_fw_amount | | The number of NGFW instances to deploy. These are deployed across multiple AZs. The amount must be even and only applies when the transit is HA. |
firenet_iam_role_1 | | IAM role used to access the bootstrap bucket. If iam_role_2 is not set, this is used for all NGFW instances. |
firenet_iam_role_2 | | IAM role used to access the bootstrap bucket. Only used if 2 or more FW instances are deployed, e.g. when ha_gw is true; applies to the "even" FW instances (2, 4, 6, etc.). |
firenet_inspection_enabled | true | Enable/disable east-west and north-south inspection via NGFW. |
firenet_instance_size | c5.xlarge (AWS), Standard_D3_v2 (Azure), n1-standard-4 (GCP), VM.Standard2.4 (OCI) | Size of the NGFW instances. |
firenet_keep_alive_via_lan_interface_enabled | false | Enable keep-alive via the firewall LAN interface. |
firenet_mgmt_cidr | | CIDR for the management VPC for GCP FireNet. Only required when deploying in GCP, enable_transit_firenet is true and a Palo Alto NGFW is deployed. |
firenet_password | Aviatrix#1234 | Default initial password for firewall instances. Override it for anything beyond a lab deployment. |
firenet_storage_access_key_1 | null | Storage access key to access the bootstrap storage (PANW only). If storage_access_key_2 is not set, this is used for all NGFW instances. |
firenet_storage_access_key_2 | null | Storage access key to access the bootstrap storage (PANW only). Only used when an HA FW instance is deployed. |
firenet_tags | | Map of tags to assign to the firewall or FQDN egress gateways. |
firenet_user_data_1 | | User data to bootstrap a FortiGate or Check Point firewall. |
firenet_user_data_2 | | User data to bootstrap a FortiGate or Check Point firewall. If not set, user_data_1 is used. |
firenet_username | fwadmin | Applicable to Azure or AzureGov deployments only. "admin" is not accepted as a username (for Check Point it is always admin). |
If you want to override default settings without having to declare them for each individual entry in the transit firenet map, you can do so by defining the global_settings map.
The following items are supported:
key | type |
---|---|
transit_accounts | map(string) |
transit_bgp_ecmp | bool |
transit_bgp_polling_time | number |
transit_connected_transit | bool |
transit_customer_managed_keys | bool |
transit_enable_active_standby_preemptive | bool |
transit_enable_advertise_transit_cidr | bool |
transit_enable_egress_transit_firenet | bool |
transit_enable_encrypt_volume | bool |
transit_enable_multi_tier_transit | bool |
transit_enable_s2c_rx_balancing | bool |
transit_enable_transit_firenet | bool |
transit_ha_gw | bool |
transit_insane_mode | bool |
transit_learned_cidr_approval | bool |
transit_learned_cidrs_approval_mode | string |
transit_segmentation | bool |
transit_single_az_ha | bool |
transit_tags | map(string) |
transit_tunnel_detection_time | number |
transit_enable_preserve_as_path | bool |
transit_enable_monitor_gateway_subnets | bool |
transit_enable_gro_gso | bool |
transit_bgp_hold_time | number |
firenet | bool |
firenet_attached | bool |
firenet_east_west_inspection_excluded_cidrs | list(string) |
firenet_egress_enabled | bool |
firenet_egress_static_cidrs | list(string) |
firenet_firewall_image | map(string) |
firenet_fw_amount | number |
firenet_inspection_enabled | bool |
firenet_keep_alive_via_lan_interface_enabled | bool |
firenet_tags | map(string) |
This module will return the following outputs:
key | description |
---|---|
transit | A map containing all created transit objects |
firenet | A map containing all created firenet objects |
region_transit_map | A map of all regions with a list per region of transit gw names in that region. |
See how to use outputs to attach, for example, spokes or VPNs to the transits created with this module.