Azure Terraform Hub and Spoke with multiple subscriptions
I want to deploy an Azure landing zone across multiple subscriptions using Terraform. The hub network should be in subscription1 with Azure Firewall, and each spoke has its own subscription; I need 4 spokes, which will be deployed in 4 separate subscriptions.
Can anyone help me with the logic for how to write the Terraform?
Based on your requirements, here is an architecture that you can follow. The hub and the spokes are connected via VNet peering. According to the documentation:
The virtual networks can be in the same, or different subscriptions. When you peer virtual networks in different subscriptions, both subscriptions can be associated to the same or different Azure Active Directory tenant.
So you can peer VNets in two different subscriptions. I assume you are using the Azure CLI for authentication, that your account is already logged in, and that it has sufficient permissions in both subscriptions. Here is sample code:
# One provider alias per subscription; the Azure CLI login is reused for both.
provider "azurerm" {
  features {}
  alias           = "subscription1"
  subscription_id = "xxxxxxx"
}

provider "azurerm" {
  features {}
  alias           = "subscription2"
  subscription_id = "xxxxxxx"
}

# Look up the existing VNet in each subscription through its own provider.
data "azurerm_virtual_network" "remote" {
  provider            = azurerm.subscription1
  name                = "remote_vnet_name"
  resource_group_name = "remote_group_name"
}

data "azurerm_virtual_network" "vnet" {
  provider            = azurerm.subscription2
  name                = "vnet_name"
  resource_group_name = "group_name"
}

# Peering from the subscription2 VNet to the subscription1 VNet.
resource "azurerm_virtual_network_peering" "peering" {
  provider                     = azurerm.subscription2
  name                         = "${data.azurerm_virtual_network.vnet.name}-to-${data.azurerm_virtual_network.remote.name}"
  resource_group_name          = "group_name"
  virtual_network_name         = data.azurerm_virtual_network.vnet.name
  remote_virtual_network_id    = data.azurerm_virtual_network.remote.id
  allow_virtual_network_access = true
  allow_forwarded_traffic      = true
  # `allow_gateway_transit` must be set to false for vnet Global Peering
  allow_gateway_transit        = false
}

# The reverse direction, created in subscription1.
resource "azurerm_virtual_network_peering" "peering1" {
  provider                     = azurerm.subscription1
  name                         = "${data.azurerm_virtual_network.remote.name}-to-${data.azurerm_virtual_network.vnet.name}"
  resource_group_name          = "remote_group_name"
  virtual_network_name         = data.azurerm_virtual_network.remote.name
  remote_virtual_network_id    = data.azurerm_virtual_network.vnet.id
  allow_virtual_network_access = true
  allow_forwarded_traffic      = true
  # `allow_gateway_transit` must be set to false for vnet Global Peering
  allow_gateway_transit        = false
}
VNet peering always comes in a pair. So you need to create the peering on each VNet, in each of the different subscriptions. This example only shows you how to create a peering between two VNets in different subscriptions. After that you can build out the whole architecture in Terraform however you like.
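Added example, not part of the answer above: a reusable spoke module that takes a hub provider and a spoke provider, creates the peering pair, and adds the default route that sends every spoke's egress through the hub Azure Firewall so spoke-to-spoke and internet traffic is inspected. VNet names, resource groups, subnet IDs and the firewall IP are placeholders passed in as variables.

```hcl
# modules/spoke/main.tf (added example; names and IDs are placeholders supplied by the caller)
terraform {
  required_providers {
    azurerm = { source = "hashicorp/azurerm", configuration_aliases = [azurerm.hub, azurerm.spoke] }
  }
}
variable "hub_vnet"            { type = object({ name = string, resource_group_name = string, id = string }) }
variable "spoke_vnet"          { type = object({ name = string, resource_group_name = string, id = string }) }
variable "location"            { type = string }
variable "firewall_private_ip" { type = string } # private IP of the hub Azure Firewall
variable "workload_subnet_id"  { type = string } # spoke subnet whose traffic must go via the firewall

# Spoke side of the pair, created in the spoke subscription.
resource "azurerm_virtual_network_peering" "spoke_to_hub" {
  provider                  = azurerm.spoke
  name                      = "${var.spoke_vnet.name}-to-${var.hub_vnet.name}"
  resource_group_name       = var.spoke_vnet.resource_group_name
  virtual_network_name      = var.spoke_vnet.name
  remote_virtual_network_id = var.hub_vnet.id
  allow_forwarded_traffic   = true  # accept traffic the hub firewall forwards from other spokes
  use_remote_gateways       = false # set true only if the hub has a VPN/ExpressRoute gateway
}

# Hub side of the pair, created in the hub subscription.
resource "azurerm_virtual_network_peering" "hub_to_spoke" {
  provider                  = azurerm.hub
  name                      = "${var.hub_vnet.name}-to-${var.spoke_vnet.name}"
  resource_group_name       = var.hub_vnet.resource_group_name
  virtual_network_name      = var.hub_vnet.name
  remote_virtual_network_id = var.spoke_vnet.id
  allow_forwarded_traffic   = true
  allow_gateway_transit     = false
}

# Default route: without it, spokes talk to the internet directly and bypass the firewall.
resource "azurerm_route_table" "spoke" {
  provider            = azurerm.spoke
  name                = "${var.spoke_vnet.name}-rt"
  location            = var.location
  resource_group_name = var.spoke_vnet.resource_group_name
  route {
    name                   = "default-via-hub-firewall"
    address_prefix         = "0.0.0.0/0"
    next_hop_type          = "VirtualAppliance"
    next_hop_in_ip_address = var.firewall_private_ip
  }
}
resource "azurerm_subnet_route_table_association" "workload" {
  provider       = azurerm.spoke
  subnet_id      = var.workload_subnet_id
  route_table_id = azurerm_route_table.spoke.id
}
```

The root module declares one provider alias per subscription and calls this module four times with `providers = { azurerm.hub = azurerm.hub, azurerm.spoke = azurerm.spokeN }`, because provider aliases cannot be generated with for_each. The firewall IP comes from the hub's `azurerm_firewall` resource (`ip_configuration[0].private_ip_address`), and the firewall's own network rules still have to allow the spoke-to-spoke flows you want.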