Skip to content

alibabacloud-automation/terraform-alicloud-east-west-security-traffic

BranchesTags

Repository files navigation

Terraform module to build east-west security traffic network for Alibaba Cloud

terraform-alicloud-east-west-security-traffic

English | 简体中文

In traditional data center networks, the approach involves deploying a large number of security devices to create a security zone for safeguarding enterprise systems and controlling access. Network traffic must pass through different devices within the security zone based on business logic and security protection levels, which is known as service chaining. Nowadays, mutual traffic between instances, containers, or microservices deployed in public clouds also needs to adhere to the same security policies. For example, between different VPCs in the same region, or between VPCs and IDC, traffic is inspected and protected by security products based on rules, thereby reducing security threats within the enterprise's internal network.
Operational Workflow Overview:

  • Create 2 business VPCs and 1 security VPC, and configure the VSWs and route tables
  • Create a cloud enterprise network (CEN) instance and a transit router (TR)
  • Configure the VPC attachment for the TR, and implement routes to divert traffic to the security VPC and manage return routes using the TR's multiple route tables

Architecture Diagram:

image

Usage

provider "alicloud" {
  region = "cn-hangzhou"
}

module "complete" {
  source = "alibabacloud-automation/east-west-security-traffic/alicloud"

  vpcs = [
    {
      vpc_name   = "vpc1",
      cidr_block = "172.16.0.0/24"
      vswitches = [{
        subnet  = "172.16.0.0/25"
        zone_id = "cn-hangzhou-j"
        }, {
        subnet  = "172.16.0.128/25"
        zone_id = "cn-hangzhou-k"
      }]
    },
    {
      vpc_name   = "vpc2",
      cidr_block = "192.168.0.0/24"
      vswitches = [{
        subnet  = "192.168.0.0/25"
        zone_id = "cn-hangzhou-j"
        }, {
        subnet  = "192.168.0.128/25"
        zone_id = "cn-hangzhou-k"
      }]
    }
  ]

  firewall_vpc = {
    cidr_block = "10.0.0.0/23"
    firewall_vswitch = {
      subnet  = "10.0.1.0/24"
      zone_id = "cn-hangzhou-j"
    }
    tr_vswitches = [{
      subnet  = "10.0.0.0/25"
      zone_id = "cn-hangzhou-j"
      }, {
      subnet  = "10.0.0.128/25"
      zone_id = "cn-hangzhou-k"
    }]
  }
}

Examples

Requirements

Name Version
terraform >= 0.13

Providers

Name Version
alicloud n/a

Modules

Name Source Version
vpc ./modules/vpc n/a

Resources

Name Type
alicloud_cen_instance.this resource
alicloud_cen_transit_router.this resource
alicloud_cen_transit_router_route_entry.untrust resource
alicloud_cen_transit_router_route_table.trust resource
alicloud_cen_transit_router_route_table.untrust resource
alicloud_cen_transit_router_route_table_association.trust resource
alicloud_cen_transit_router_route_table_association.untrust resource
alicloud_cen_transit_router_route_table_propagation.trust1 resource
alicloud_cen_transit_router_vpc_attachment.firewall_vpc resource
alicloud_route_entry.firewall_vpc_outbound_route resource
alicloud_route_entry.vpc_default_route resource
alicloud_route_table.firewall_vpc_inbound_route resource
alicloud_route_table.firewall_vpc_outbound_route resource
alicloud_route_table_attachment.inbound resource
alicloud_route_table_attachment.outbound resource
alicloud_vpc.firewall_vpc resource
alicloud_vswitch.firewall_vswitch resource
alicloud_vswitch.tr_vswitches resource

Inputs

Name Description Type Default Required
cen_instance_config The parameters of cen instance. 
object({
    name        = optional(string, "east-west-cen")
    description = optional(string, "east-west-cen")
  })
 {} no
cen_instance_id The id of an exsiting cen instance. string null no
cen_transit_router_id The transit router id of an existing transit router. string null no
create_cen_instance Whether to create cen instance. If false, you can specify an existing cen instance by setting 'cen_instance_id'. Default to 'true' bool true no
create_cen_transit_router Whether to create transit router. If false, you can specify an existing transit router by setting 'cen_transit_router_id'. Default to 'true' bool true no
firewall_vpc The parameters of firewall vpc. 
object({
    vpc_name   = optional(string, "firewall-vpc")
    cidr_block = string
    firewall_vswitch = object({
      subnet  = string
      zone_id = string
    })
    tr_vswitches = list(object({
      subnet  = string
      zone_id = string
    }))
    inbound_route_table_name  = optional(string, "inbound")
    outbound_route_table_name = optional(string, "outbound")
  })
 
{
  "cidr_block": null,
  "firewall_vswitch": {
    "subnet": null,
    "zone_id": null
  },
  "tr_vswitches": [
    {
      "subnet": null,
      "zone_id": null
    },
    {
      "subnet": null,
      "zone_id": null
    }
  ]
}
 no
tr_config The parameters of transit router. 
object({
    name                            = optional(string, "east-west-tr")
    untrust_route_table_name        = optional(string, "untrust")
    untrust_route_table_description = optional(string, "untrust")
    trust_route_table_name          = optional(string, "trust")
    trust_route_table_description   = optional(string, "trust")
  })
 {} no
vpcs The parameters of vpc. The attribute 'cidr_block' is required. 
list(object({
    vpc_name   = optional(string, null)
    cidr_block = string
    vswitches = list(object({
      subnet  = string
      zone_id = string
    }))
  }))
 [] no

Outputs

Name Description
business_tr_vpc_attachment_id The id of attachment between TR and business VPC.
business_vpc_id The ids of business vpc.
business_vpc_route_table_id The route table id of business vpc.
business_vswitch_ids The ids of business vswitches.
cen_instance_id The id of CEN instance.
cen_transit_router_id The id of CEN transit router.
firewall_tr_vpc_attachment_id The id of attachment between TR and firewall VPC.
firewall_tr_vswitch_ids The ids of firewall vswitches.
firewall_vpc_id The ids of firewall vpc.
firewall_vswitch_id The route table id of firewall vpc.
inbound_route_table_id The id of inbound route table of firewall VPC.
outbound_route_table_id The id of outbound route table of firewall VPC.
trust_route_table_id The id of trust route table of transit router.
untrust_route_table_id The id of untrust route table of transit router.

Submit Issues

If you have any problems when using this module, please opening a provider issue and let us know.

Note: There does not recommend opening an issue on this repo.

Authors

Created and maintained by Alibaba Cloud Terraform Team(terraform@alibabacloud.com).

License

MIT Licensed. See LICENSE for full details.

Reference

About

registry.terraform.io/modules/alibabacloud-automation/east-west-security-traffic/alicloud/latest

Resources

Readme

License

Apache-2.0 license
Activity
Custom properties

Stars

1 star

Watchers

1 watching

Forks

2 forks
Report repository

Releases 1

v1.0.0 Latest
Dec 13, 2024

Packages

No packages published

Contributors 2

  •  
  •  

Languages