This terraform code deploys a single-region Secured Virtual Network (Vnet) hub and spoke topology using Azure Firewall and User-Defined Routes (UDR) to direct traffic to the firewall.
Hub1 has an Azure Firewall used for inspection of traffic between the branch and the spokes. User-Defined Routes (UDR) are used to influence the Vnet data plane so that traffic from the branch and spokes is routed via the firewall. An isolated spoke (Spoke3) has no Vnet peering to the hub (Hub1), but its application is reachable from the hub via Private Link Service.
Branch1 is the on-premises network, simulated using a Vnet. A multi-NIC Cisco CSR 1000V NVA appliance connects to the Vnet hub using IPsec VPN connections with dynamic (BGP) routing.
Ensure you meet all requirements in the prerequisites before proceeding.
- Clone the Git Repository for the Labs
git clone https://github.com/kaysalawu/azure-network-terraform.git
- Navigate to the lab directory
cd azure-network-terraform/1-hub-and-spoke/1-hub-spoke-azfw-single-region
- Run the following terraform commands and type yes at the prompt:
terraform init
terraform plan
terraform apply
See the troubleshooting section for tips on how to resolve common issues that may occur during the deployment of the lab.
Each virtual machine is pre-configured with a shell script to run various types of tests. Serial console access has been configured for all virtual machines. You can access the serial console of a virtual machine from the Azure portal.
Login to virtual machine Hs11-spoke1-vm via the serial console.
- username = azureuser
- password = Password123
Run the following tests from inside the serial console.
This script pings the IP addresses of some test virtual machines and reports reachability and round trip time.
Run the IP ping test
ping-ip
Sample output
azureuser@Hs11-spoke1-vm:~$ ping-ip
ping ip ...
branch1 - 10.10.0.5 -OK 8.164 ms
hub1 - 10.11.0.5 -OK 3.577 ms
spoke1 - 10.1.0.5 -OK 0.042 ms
spoke2 - 10.2.0.5 -OK 4.564 ms
internet - icanhazip.com -NA
This script pings the DNS name of some test virtual machines and reports reachability and round trip time.
Run the DNS ping test
ping-dns
Sample output
azureuser@Hs11-spoke1-vm:~$ ping-dns
ping dns ...
vm.branch1.corp - 10.10.0.5 -OK 7.485 ms
vm.hub1.az.corp - 10.11.0.5 -OK 2.550 ms
vm.spoke1.az.corp - 10.1.0.5 -OK 0.036 ms
vm.spoke2.az.corp - 10.2.0.5 -OK 3.851 ms
icanhazip.com - 104.18.115.97 -NA
This script uses curl to check reachability of the web server (python Flask) on the test virtual machines. It reports the HTTP response code, round trip time and IP address.
Run the DNS curl test
curl-dns
Sample output
azureuser@Hs11-spoke1-vm:~$ curl-dns
curl dns ...
200 (0.051782s) - 10.10.0.5 - vm.branch1.corp
200 (0.028942s) - 10.11.0.5 - vm.hub1.az.corp
200 (0.026053s) - 10.11.4.4 - pep.hub1.az.corp
200 (0.018581s) - 10.1.0.5 - vm.spoke1.az.corp
[15899.972313] cloud-init[1570]: 10.1.0.5 - - [17/Sep/2023 17:48:07] "GET / HTTP/1.1" 200 -
200 (0.035168s) - 10.2.0.5 - vm.spoke2.az.corp
000 (2.001681s) - - vm.spoke3.az.corp
200 (0.016512s) - 104.18.114.97 - icanhazip.com
We can see that spoke3 (vm.spoke3.az.corp) returns a 000 HTTP response code. This is expected, as there is no Vnet peering between Spoke3 and Hub1, so the request never gets an HTTP response (000 is the code curl reports when no HTTP status was received, here after the 2 second timeout). But the Spoke3 web application is reachable via the Private Link Service private endpoint pep.hub1.az.corp.
Test access to the Spoke3 application using the private endpoint in Hub1.
curl pep.hub1.az.corp
Sample output
azureuser@Hs11-spoke1-vm:~$ curl pep.hub1.az.corp
{
"headers": {
"Accept": "*/*",
"Host": "pep.hub1.az.corp",
"User-Agent": "curl/7.68.0"
},
"hostname": "Hs11-spoke3-vm",
"local-ip": "10.3.0.5",
"remote-ip": "10.3.3.4"
}
The hostname and local-ip fields belong to the server running the web application, in this case the Spoke3 virtual machine. The remote-ip field (as seen by the web server) is an IP address in the Private Link Service NAT subnet (10.3.3.4 here), not the address of the Spoke1 client: Private Link Service source-NATs every connection, so the backend cannot identify or allowlist callers by source IP. If the backend needs the original client address, the Private Link Service has to be configured to pass it using the TCP proxy protocol v2.
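The following added example (not the lab's Flask app or its curl-dns script) is a stdlib stand-in for both halves of the curl-dns test above: a tiny HTTP server that returns the same four JSON fields, and a probe that resolves the name, times the request and reports the status the way curl-dns does, including curl's "000" when no HTTP response arrives at all. It only ever talks to 127.0.0.1, so the "remote-ip" it shows is the loopback peer; on the lab VM behind the private endpoint that same field is the NAT subnet address.

```python
# Added example, not the lab's Flask app or its curl-dns script: a stdlib stand-in for the test
# web server that returns the same JSON fields, and a probe that reports like curl-dns does,
# including curl's "000" when no HTTP response arrives.  Everything here talks to 127.0.0.1 only.
import json
import socket
import threading
import time
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import urlsplit


class EchoHandler(BaseHTTPRequestHandler):
    """Returns what the lab's endpoint returns: request headers, server hostname, server IP, peer IP."""

    def do_GET(self):
        body = json.dumps({
            "headers": dict(self.headers.items()),
            "hostname": socket.gethostname(),
            # local-ip is the server socket's own address; remote-ip is the TCP peer.  Behind a
            # Private Link Service that peer is an address in the PLS NAT subnet, never the real client.
            "local-ip": self.connection.getsockname()[0],
            "remote-ip": self.client_address[0],
        }, indent=2).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # silence the per-request access log (the kind of line that shows up in the serial console above)


def start_server(host="127.0.0.1", port=0):
    """Serve EchoHandler on an ephemeral port from a daemon thread; returns (server, port)."""
    srv = ThreadingHTTPServer((host, port), EchoHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def probe(url, timeout=2.0):
    """curl-dns style check: resolve the name, GET it, return (code, seconds, resolved_ip, json_body).
    code is a string; "000" mirrors curl's %{http_code} when there was no HTTP response at all."""
    host = urlsplit(url).hostname
    try:
        resolved = socket.gethostbyname(host)
    except OSError:
        resolved = ""
    t0 = time.monotonic()
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            code, body = str(resp.status), json.loads(resp.read().decode())
    except urllib.error.HTTPError as e:
        code, body = str(e.code), None
    except (urllib.error.URLError, OSError):   # refused, unreachable, timed out, no DNS
        code, body = "000", None
    return code, round(time.monotonic() - t0, 6), resolved, body


def free_port():
    """A loopback port nothing listens on, to stand in for an unreachable target like spoke3."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    srv, port = start_server()
    for target in (f"http://127.0.0.1:{port}/", f"http://127.0.0.1:{free_port()}/"):
        code, secs, ip, body = probe(target)
        print(f"{code} ({secs}s) - {ip} - {target}")
        if body:
            print(json.dumps(body, indent=2))
    srv.shutdown()
```

The second probe in the usage block hits a closed loopback port and comes back as 000 immediately (connection refused); against vm.spoke3.az.corp the same code appears only after the timeout, because the packets are forwarded to the firewall and never answered rather than refused.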
Check the Azure Firewall logs to observe the traffic flow.
1. Select the Azure Firewall resource Hs11-azfw-hub1 in the Azure portal.
2. Click on Logs in the left navigation pane.
3. Click Run in the Network rule log data log category.
4. On the TargetIP column deselect all IP addresses except spoke2 (10.2.0.5).
5. Observe how traffic from spoke1 (10.1.0.5) to spoke2 flows via the firewall as expected.
Repeat steps 1-5 for all other spoke and branch virtual machines.
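Clicking through the portal checks one target at a time; the added example below (not part of the lab) does the same check for every pair in one pass over exported log rows. It expects records in the shape of the resource-specific AZFWNetworkRule table (SourceIp, DestinationIp, DestinationPort, Protocol, Action; field names as assumed here), such as the rows the "Network rule log data" query returns. The sample rows are constructed, and deliberately include one pair that never appears in the log and one that was denied; the lab's real logs should show all six spoke and branch pairs allowed.

```python
# Added example, not part of the lab: verifies from firewall logs that the flows the UDRs are
# supposed to steer through Hs11-azfw-hub1 really appear there.  The records below are
# constructed in the shape of the resource-specific AZFWNetworkRule table (field names as
# assumed here); in practice export them from Log Analytics, e.g. via the portal's
# "Network rule log data" query, and feed the rows to check_inspection().
from collections import defaultdict

# Test VM addresses from the lab output above.
VMS = {"branch1": "10.10.0.5", "hub1": "10.11.0.5", "spoke1": "10.1.0.5", "spoke2": "10.2.0.5"}

# Pairs that must be inspected by the firewall.  Hub<->spoke is deliberately left out because
# whether it is forced through the firewall depends on the exact UDR set (not stated on this page).
INSPECTED = [(a, b) for a in ("spoke1", "spoke2", "branch1")
             for b in ("spoke1", "spoke2", "branch1") if a != b]


def rec(src, dst, action, proto="ICMP", dport=0):
    """Build one constructed AZFWNetworkRule-shaped record."""
    return {"TimeGenerated": "2023-09-17T17:48:07Z", "Protocol": proto, "SourceIp": src,
            "SourcePort": 51234, "DestinationIp": dst, "DestinationPort": dport,
            "Action": action, "Rule": "lab-rule"}


# Constructed sample: spoke2 -> spoke1 never appears (the bypass case), spoke2 -> branch1 is
# denied, everything else is allowed, plus one denied outbound ping to an internet address.
SAMPLE_LOGS = [
    rec("10.1.0.5", "10.2.0.5", "Allow", "TCP", 80),
    rec("10.1.0.5", "10.10.0.5", "Allow"),
    rec("10.10.0.5", "10.1.0.5", "Allow"),
    rec("10.2.0.5", "10.10.0.5", "Deny"),
    rec("10.10.0.5", "10.2.0.5", "Allow"),
    rec("10.1.0.5", "104.18.115.97", "Deny"),
]


def index_flows(records):
    """Map (SourceIp, DestinationIp) -> list of actions seen in the firewall log."""
    seen = defaultdict(list)
    for r in records:
        seen[(r["SourceIp"], r["DestinationIp"])].append(r["Action"])
    return seen


def sources_to(records, target_ip):
    """Equivalent of filtering the TargetIP column down to one VM: who talked to target_ip."""
    return sorted({r["SourceIp"] for r in records if r["DestinationIp"] == target_ip})


def check_inspection(records, pairs=INSPECTED, vms=VMS):
    """Classify each expected pair as ok / denied / missing.
    'missing' is the bucket to worry about: if the ping or curl test succeeded for that pair
    while the firewall never logged it, the UDR is not steering it (or a direct peering or
    some other path bypasses the hub)."""
    seen = index_flows(records)
    result = {"ok": [], "denied": [], "missing": []}
    for src, dst in pairs:
        actions = seen.get((vms[src], vms[dst]), [])
        if not actions:
            result["missing"].append((src, dst))
        elif "Allow" in actions:
            result["ok"].append((src, dst))
        else:
            result["denied"].append((src, dst))
    return result


if __name__ == "__main__":
    print("spoke2 was reached from:", sources_to(SAMPLE_LOGS, VMS["spoke2"]))
    for bucket, pairs in check_inspection(SAMPLE_LOGS).items():
        print(f"{bucket:8s} {pairs}")
```

Correlate the result with the ping and curl tests: a pair that is "missing" here but reachable from the VM is the bypass to investigate, while a "denied" pair that is also unreachable from the VM is just the firewall policy doing its job.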
Let's login to the on-premises router Hs11-branch1-nva and observe its dynamic routes.
- Login to virtual machine Hs11-branch1-nva via the serial console.
- Enter the username and password:
  - username = azureuser
  - password = Password123
- Enter the Cisco enable mode
enable
- Display the routing table
show ip route
Sample output
...
[Truncated for brevity]
...
Gateway of last resort is 10.10.1.1 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 10.10.1.1
10.0.0.0/8 is variably subnetted, 14 subnets, 4 masks
B 10.1.0.0/16 [20/0] via 10.11.7.4, 01:13:55
B 10.2.0.0/16 [20/0] via 10.11.7.4, 01:13:55
S 10.10.0.0/24 [1/0] via 10.10.2.1
C 10.10.1.0/24 is directly connected, GigabitEthernet1
L 10.10.1.9/32 is directly connected, GigabitEthernet1
C 10.10.2.0/24 is directly connected, GigabitEthernet2
L 10.10.2.9/32 is directly connected, GigabitEthernet2
C 10.10.10.0/30 is directly connected, Tunnel0
L 10.10.10.1/32 is directly connected, Tunnel0
C 10.10.10.4/30 is directly connected, Tunnel1
L 10.10.10.5/32 is directly connected, Tunnel1
B 10.11.0.0/16 [20/0] via 10.11.7.4, 01:13:55
S 10.11.7.4/32 is directly connected, Tunnel0
S 10.11.7.5/32 is directly connected, Tunnel1
168.63.0.0/32 is subnetted, 1 subnets
S 168.63.129.16 [254/0] via 10.10.1.1
169.254.0.0/32 is subnetted, 1 subnets
S 169.254.169.254 [254/0] via 10.10.1.1
192.168.10.0/32 is subnetted, 1 subnets
C 192.168.10.10 is directly connected, Loopback0
Note that the branch learns 10.1.0.0/16, 10.2.0.0/16 and 10.11.0.0/16 via BGP (next hop 10.11.7.4, one of the hub VPN gateway BGP peers reached over the tunnels), but there is no route for Spoke3 (10.3.0.0/16): with no peering to the hub, nothing advertises it towards the branch.
- Display BGP information
show ip bgp
Sample output
Hs11-branch1-nva-vm#show ip bgp
BGP table version is 5, local router ID is 192.168.10.10
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
t secondary path, L long-lived-stale,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
Network Next Hop Metric LocPrf Weight Path
*> 10.1.0.0/16 10.11.7.4 0 65515 i
* 10.11.7.5 0 65515 i
*> 10.2.0.0/16 10.11.7.4 0 65515 i
* 10.11.7.5 0 65515 i
*> 10.10.0.0/24 10.10.2.1 0 32768 i
*> 10.11.0.0/16 10.11.7.4 0 65515 i
* 10.11.7.5 0 65515 i
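Reading the BGP table by eye works for four prefixes; the added example below (not part of the lab) parses the show ip bgp output above, pasted in as the sample input, and audits what Branch1 learned over the VPN: only the Hub1, Spoke1 and Spoke2 prefixes, each with both gateway BGP peers (10.11.7.4 and 10.11.7.5, from the output above) as next hops, and nothing outside that allowlist. A prefix outside the allowlist is the route-leak case to look for; the leaked 10.3.0.0/16 line in the usage block is constructed to show what that looks like.

```python
# Added example, not part of the lab: parses the `show ip bgp` output above (pasted in as the
# sample input) and audits what Branch1 learned over the VPN: only the hub and peered-spoke
# prefixes, each reachable via both gateway BGP peers, and nothing else.  Neighbor addresses
# and the allowlist come from the lab output; the leaked-prefix case below is constructed.
import re
from ipaddress import ip_network

SHOW_IP_BGP = """\
Network Next Hop Metric LocPrf Weight Path
*> 10.1.0.0/16 10.11.7.4 0 65515 i
* 10.11.7.5 0 65515 i
*> 10.2.0.0/16 10.11.7.4 0 65515 i
* 10.11.7.5 0 65515 i
*> 10.10.0.0/24 10.10.2.1 0 32768 i
*> 10.11.0.0/16 10.11.7.4 0 65515 i
* 10.11.7.5 0 65515 i
"""
VPN_GW = {"10.11.7.4", "10.11.7.5"}                        # hub VPN gateway BGP peers
ALLOWED = ["10.11.0.0/16", "10.1.0.0/16", "10.2.0.0/16"]  # Hub1, Spoke1, Spoke2; Spoke3 must not appear

IP = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?$")


def classful(net):
    """IOS omits the mask on classful boundaries; restore it so prefixes compare cleanly."""
    if "/" in net:
        return ip_network(net, strict=False)
    first = int(net.split(".")[0])
    bits = 8 if first < 128 else 16 if first < 192 else 24
    return ip_network(f"{net}/{bits}", strict=False)


def parse_show_ip_bgp(text):
    """{network: [{status, best, next_hop, attrs, local}, ...]}.
    Works on aligned IOS output and on the column-collapsed paste above.  A line whose first
    two tokens are both addresses starts a new network; a line with a single address is an
    additional path for the previous network.  Metric/LocPrf/Weight/Path cannot be told apart
    once alignment is lost, so they are kept as raw tokens; weight 32768 marks a local route."""
    table, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^([*>sdhirSmbfxactL]*)\s*(.*)$", line.strip())
        status, rest = m.group(1), m.group(2).split()
        ips = [i for i, tok in enumerate(rest) if IP.match(tok)]
        if len(ips) >= 2 and ips[:2] == [0, 1]:
            current, nh, attrs = str(classful(rest[0])), rest[1], rest[2:]
        elif ips and ips[0] == 0 and current is not None:
            nh, attrs = rest[0], rest[1:]
        else:
            continue   # header or legend line
        table.setdefault(current, []).append({"status": status, "best": ">" in status,
                                              "next_hop": nh, "attrs": attrs,
                                              "local": "32768" in attrs})
    return table


def learned_from(table, neighbors):
    """Prefixes with at least one path whose next hop is one of the given neighbors."""
    return sorted(n for n, paths in table.items() if any(p["next_hop"] in neighbors for p in paths))


def audit(table, allowed, neighbors):
    """(unexpected, missing, single_homed) for what the neighbors advertise.
    unexpected: learned prefixes not inside any allowed prefix (the route-leak case);
    missing: allowed prefixes nothing was learned for; single_homed: prefixes not seen via
    every neighbor, i.e. the redundancy of the two tunnels is not there for them."""
    allowed_nets = {ip_network(a) for a in allowed}
    learned = {ip_network(n) for n in learned_from(table, neighbors)}
    unexpected = sorted(str(n) for n in learned if not any(n.subnet_of(a) for a in allowed_nets))
    missing = sorted(str(a) for a in allowed_nets if not any(n.subnet_of(a) for n in learned))
    single = sorted(n for n in map(str, learned)
                    if len({p["next_hop"] for p in table[n] if p["next_hop"] in neighbors}) < len(neighbors))
    return unexpected, missing, single


if __name__ == "__main__":
    table = parse_show_ip_bgp(SHOW_IP_BGP)
    print("learned over VPN:", learned_from(table, VPN_GW))
    print("audit:", audit(table, ALLOWED, VPN_GW))
    # Constructed leak: an unpeered spoke's prefix suddenly advertised by one gateway instance.
    leaked = parse_show_ip_bgp(SHOW_IP_BGP + "*> 10.3.0.0/16 10.11.7.4 0 65515 i\n")
    print("audit with leak:", audit(leaked, ALLOWED, VPN_GW))
```

Running this against the real router is a matter of pasting the show ip bgp output into SHOW_IP_BGP; the same audit is worth repeating after any peering or route-table change, since a new peering to the hub is exactly what would make a previously isolated prefix appear here.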
- Make sure you are in the lab directory
cd azure-network-terraform/1-hub-and-spoke/1-hub-spoke-azfw-single-region
- Delete the resource group to remove all resources installed.
Run the following Azure CLI command:
az group delete -g Hs11RG --no-wait
Deleting the resource group removes the Azure resources but leaves the local Terraform state still describing them; run terraform destroy instead if you want Terraform to clean up its own state, or expect the next terraform plan to propose recreating everything.