Terraform-provider-azurerm: Support for Forced Tunneling / azurerm_firewall

Created on 1 Jun 2020  ·  11 Comments  ·  Source: terraform-providers/terraform-provider-azurerm

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Forced tunneling configuration of Azure Firewall is now Generally Available. Would be helpful if the provider supported this configuration for deployment.

New or Affected Resource(s)

azurerm_firewall

Potential Terraform Configuration

resource "azurerm_resource_group" "firewall" {
  name     = "firewall-resources"
  location = "West US 2"
}

resource "azurerm_virtual_network" "firewall" {
  name                = "testvnet"
  address_space       = ["10.0.0.0/16"]
  location            = azurerm_resource_group.firewall.location
  resource_group_name = azurerm_resource_group.firewall.name
}

resource "azurerm_subnet" "firewall" {
  name                 = "AzureFirewallSubnet"
  resource_group_name  = azurerm_resource_group.firewall.name
  virtual_network_name = azurerm_virtual_network.firewall.name
  address_prefix       = "10.0.1.0/24"
}

resource "azurerm_subnet" "firewall-mgmt" {
  name                 = "AzureFirewallManagementSubnet"
  resource_group_name  = azurerm_resource_group.firewall.name
  virtual_network_name = azurerm_virtual_network.firewall.name
  address_prefix       = "10.0.2.0/24"
}

resource "azurerm_public_ip" "firewall" {
  name                = "fw-public"
  location            = azurerm_resource_group.firewall.location
  resource_group_name = azurerm_resource_group.firewall.name
  allocation_method   = "Static"
  sku                 = "Standard"
}

resource "azurerm_public_ip" "firewall-mgmt" {
  name                = "fw-mgmt"
  location            = azurerm_resource_group.firewall.location
  resource_group_name = azurerm_resource_group.firewall.name
  allocation_method   = "Static"
  sku                 = "Standard"
}

resource "azurerm_firewall" "firewall" {
  name                = "testfirewall"
  location            = azurerm_resource_group.firewall.location
  resource_group_name = azurerm_resource_group.firewall.name
  forced_tunneling    = true

  public_ip_configuration {
    name                 = "configuration"
    subnet_id            = azurerm_subnet.firewall.id
    public_ip_address_id = azurerm_public_ip.firewall.id
  }

  management_ip_configuration {
    name                 = "management"
    subnet_id            = azurerm_subnet.firewall-mgmt.id
    public_ip_address_id = azurerm_public_ip.firewall-mgmt.id
  }
}


References

https://docs.microsoft.com/en-us/azure/firewall/forced-tunneling

When you configure a new Azure Firewall, you can route all Internet-bound traffic to a designated next hop instead of going directly to the Internet. For example, you may have an on-premises edge firewall or other network virtual appliance (NVA) to process network traffic before it's passed to the Internet. However, you can't configure an existing firewall for forced tunneling.

By default, forced tunneling isn't allowed on Azure Firewall to ensure all its outbound Azure dependencies are met. User Defined Route (UDR) configurations on the AzureFirewallSubnet that have a default route not going directly to the Internet are disabled.

Labels: enhancement, service/firewall

All 11 comments

@johnwildes Thanks for opening the issue! I will work on the issue, but sorry that there is no firm ETA for this now.

@lrxtom2 Did you already start working on this and do you need any help? I need it and if wanted, I can try to assist you in writing this.

I believe forced tunneling is automatically possible when you have a management subnet. You just need to specify routes. Please correct me if I'm wrong.

It is not. A separate IP address is created, a separate management subnet is created (or needs to exist) and then you have to add routes. However, you can't build an AZFW resource without force tunneling and then add it later. It has to be done during deployment.

Sorry, that is what I meant. There is no toggle for forced tunneling like in the Azure portal. You create the management subnet and management ipconfig during deployment (as well as pub IP) and then forced tunneling is possible (not enabled) with some additional config in UDRs.

Same issue here. Any updates since June 1st?
I'm deploying all network infrastructure resources with Terraform, except Azure Firewall, which I deploy with PowerShell because of the Management support.

Other Azure resources related to Azure Firewall that I currently cannot find any Terraform deployment options for are:

Would be nice to get support for these also, but "Forced Tunneling" is most important.

@lrxtom2 I've started work on this today and opened the pull request. If you've already started working on it, let me know and I'll close the PR.

This has been released in version 2.28.0 of the provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. As an example:

provider "azurerm" {
    version = "~> 2.28.0"
}
# ... other configuration ...
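As an added example (not code from the issue, the provider docs or the PR), this is what a forced-tunneling deployment looks like with the blocks the provider shipped in 2.28.0, plus the UDR the comments above mention. It assumes the resource group, both subnets and both public IPs from the proposed configuration above already exist; the provider's real block name is ip_configuration rather than the proposed public_ip_configuration, and the on-premises next-hop address is a placeholder.

```hcl
# Added example: Azure Firewall with forced tunneling as supported from
# provider 2.28.0. Assumes azurerm_resource_group.firewall, the two subnets
# and the two public IPs from the proposed configuration above already exist.
resource "azurerm_firewall" "firewall" {
  name                = "testfirewall"
  location            = azurerm_resource_group.firewall.location
  resource_group_name = azurerm_resource_group.firewall.name

  # Data-plane configuration on AzureFirewallSubnet.
  ip_configuration {
    name                 = "configuration"
    subnet_id            = azurerm_subnet.firewall.id
    public_ip_address_id = azurerm_public_ip.firewall.id
  }

  # Management-plane configuration on AzureFirewallManagementSubnet.
  # Its presence is what permits a non-Internet default route on the
  # data-plane subnet; it has to be part of the initial deployment.
  management_ip_configuration {
    name                 = "management"
    subnet_id            = azurerm_subnet.firewall-mgmt.id
    public_ip_address_id = azurerm_public_ip.firewall-mgmt.id
  }
}

# UDR that sends Internet-bound traffic from the firewall to an on-premises
# NVA instead of directly to the Internet. 192.0.2.10 is a placeholder.
resource "azurerm_route_table" "firewall_forced_tunnel" {
  name                = "fw-forced-tunnel"
  location            = azurerm_resource_group.firewall.location
  resource_group_name = azurerm_resource_group.firewall.name

  route {
    name                   = "default-to-onprem"
    address_prefix         = "0.0.0.0/0"
    next_hop_type          = "VirtualAppliance"
    next_hop_in_ip_address = "192.0.2.10"
  }
}

# Attach the route table to AzureFirewallSubnet only; the management
# subnet keeps its direct Internet path so the firewall's own Azure
# dependencies are still reachable.
resource "azurerm_subnet_route_table_association" "firewall" {
  subnet_id      = azurerm_subnet.firewall.id
  route_table_id = azurerm_route_table.firewall_forced_tunnel.id
}
```

Because the Azure documentation quoted above says forced tunneling cannot be enabled on an existing firewall, include management_ip_configuration in the first apply rather than adding it to a firewall that is already deployed.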

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!
