Create on-premises virtual network in Azure using Terraform
Terraform enables the definition, preview, and deployment of cloud infrastructure. Using Terraform, you create configuration files using HCL syntax. The HCL syntax allows you to specify the cloud provider - such as Azure - and the elements that make up your cloud infrastructure. After you create your configuration files, you create an execution plan that allows you to preview your infrastructure changes before they're deployed. Once you verify the changes, you apply the execution plan to deploy the infrastructure.
This article shows how to implement an on-premises network in Azure. You can replace the sample network with a private virtual network. To do so, modify the subnet IP addresses to suit your environment.
In this article, you learn how to:
- Implement an on-premises VNet in hub-spoke topology
- Create hub network appliance resources
- Create on-premises virtual machine
- Create on-premises virtual private network gateway
1. Configure your environment
- Azure subscription: If you don't have an Azure subscription, create a free account before you begin.
Configure Terraform: If you haven't already done so, configure Terraform using one of the following options:
2. Implement the Terraform code
Make the example directory created in the first article of this series the current directory.
Create a file named
on-prem.tfand insert the following code:locals { onprem-location = "eastus" onprem-resource-group = "onprem-vnet-rg" prefix-onprem = "onprem" } resource "azurerm_resource_group" "onprem-vnet-rg" { name = local.onprem-resource-group location = local.onprem-location } resource "azurerm_virtual_network" "onprem-vnet" { name = "onprem-vnet" location = azurerm_resource_group.onprem-vnet-rg.location resource_group_name = azurerm_resource_group.onprem-vnet-rg.name address_space = ["192.168.0.0/16"] tags = { environment = local.prefix-onprem } } resource "azurerm_subnet" "onprem-gateway-subnet" { name = "GatewaySubnet" resource_group_name = azurerm_resource_group.onprem-vnet-rg.name virtual_network_name = azurerm_virtual_network.onprem-vnet.name address_prefixes = ["192.168.255.224/27"] } resource "azurerm_subnet" "onprem-mgmt" { name = "mgmt" resource_group_name = azurerm_resource_group.onprem-vnet-rg.name virtual_network_name = azurerm_virtual_network.onprem-vnet.name address_prefixes = ["192.168.1.128/25"] } resource "azurerm_public_ip" "onprem-pip" { name = "${local.prefix-onprem}-pip" location = azurerm_resource_group.onprem-vnet-rg.location resource_group_name = azurerm_resource_group.onprem-vnet-rg.name allocation_method = "Dynamic" tags = { environment = local.prefix-onprem } } resource "azurerm_network_interface" "onprem-nic" { name = "${local.prefix-onprem}-nic" location = azurerm_resource_group.onprem-vnet-rg.location resource_group_name = azurerm_resource_group.onprem-vnet-rg.name enable_ip_forwarding = true ip_configuration { name = local.prefix-onprem subnet_id = azurerm_subnet.onprem-mgmt.id private_ip_address_allocation = "Dynamic" public_ip_address_id = azurerm_public_ip.onprem-pip.id } } # Create Network Security Group and rule resource "azurerm_network_security_group" "onprem-nsg" { name = "${local.prefix-onprem}-nsg" location = azurerm_resource_group.onprem-vnet-rg.location resource_group_name = azurerm_resource_group.onprem-vnet-rg.name security_rule { name = "SSH" priority = 1001 direction = "Inbound" access = "Allow" protocol = "Tcp" source_port_range = "*" destination_port_range = "22" source_address_prefix = "*" destination_address_prefix = "*" } tags = { environment = "onprem" } } resource "azurerm_subnet_network_security_group_association" "mgmt-nsg-association" { subnet_id = azurerm_subnet.onprem-mgmt.id network_security_group_id = azurerm_network_security_group.onprem-nsg.id } resource "azurerm_virtual_machine" "onprem-vm" { name = "${local.prefix-onprem}-vm" location = azurerm_resource_group.onprem-vnet-rg.location resource_group_name = azurerm_resource_group.onprem-vnet-rg.name network_interface_ids = [azurerm_network_interface.onprem-nic.id] vm_size = var.vmsize storage_image_reference { publisher = "Canonical" offer = "UbuntuServer" sku = "16.04-LTS" version = "latest" } storage_os_disk { name = "myosdisk1" caching = "ReadWrite" create_option = "FromImage" managed_disk_type = "Standard_LRS" } os_profile { computer_name = "${local.prefix-onprem}-vm" admin_username = var.username admin_password = var.password } os_profile_linux_config { disable_password_authentication = false } tags = { environment = local.prefix-onprem } } resource "azurerm_public_ip" "onprem-vpn-gateway1-pip" { name = "${local.prefix-onprem}-vpn-gateway1-pip" location = azurerm_resource_group.onprem-vnet-rg.location resource_group_name = azurerm_resource_group.onprem-vnet-rg.name allocation_method = "Dynamic" } resource "azurerm_virtual_network_gateway" "onprem-vpn-gateway" { name = "onprem-vpn-gateway1" location = azurerm_resource_group.onprem-vnet-rg.location resource_group_name = azurerm_resource_group.onprem-vnet-rg.name type = "Vpn" vpn_type = "RouteBased" active_active = false enable_bgp = false sku = "VpnGw1" ip_configuration { name = "vnetGatewayConfig" public_ip_address_id = azurerm_public_ip.onprem-vpn-gateway1-pip.id private_ip_address_allocation = "Dynamic" subnet_id = azurerm_subnet.onprem-gateway-subnet.id } depends_on = [azurerm_public_ip.onprem-vpn-gateway1-pip] }
Troubleshoot Terraform on Azure
Troubleshoot common problems when using Terraform on Azure
Next steps
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for