I have been looking for a proper way to terraform my internal vm scale set with a INTERNAL load balancer that is not exposed to internet with a public IP. however, the nodes should have access to internet to download some packages that are located in github.
I am facing this issue where the load balancer is deployed as well as the scale set but, I do not have the internet outband connectivity from the nodes of the scale set...
I read this post but it does not tell how to proceed
From my understandings, I should have internet access from my nodes to download package cause I use a standard load balancer, but it does not work.
I am missing something ? I would prefer avoid using a NAT Gateway..
Below is my full terraform script that create RG, Vnet SUbnets, LB rules and finally VMSS and a jumbpox.
provider "azurerm" {
features {}
subscription_id = var.azure-subscription-id
client_id = var.azure-client-app-id
client_secret = var.azure-client-secret-password
tenant_id = var.azure-tenant-id
}
resource "azurerm_resource_group" "existing_terraform_rg" {
name = "rg-ict-spoke1-001"
location = "westeurope"
#depends_on = [var.rg_depends_on]
}
# Create storage account for boot diagnostics
resource "azurerm_storage_account" "mystorageaccount" {
name = "diag${random_id.randomId.hex}"
resource_group_name = azurerm_resource_group.existing_terraform_rg.name
location = "westeurope"
account_tier = "Standard"
account_replication_type = "LRS"
}
resource "azurerm_virtual_network" "existing_terraform_vnet" {
name = "vnet-spoke1-001"
location = "westeurope"
resource_group_name = azurerm_resource_group.existing_terraform_rg.name
address_space = ["10.0.0.0/16"]
#depends_on = [azurerm_resource_group.existing_terraform_rg]
}
// Subnets
# Create subnet
resource "azurerm_subnet" "spk1-jbx-subnet" {
name = "spk1-jbx-subnet"
resource_group_name = azurerm_resource_group.existing_terraform_rg.name
virtual_network_name = azurerm_virtual_network.existing_terraform_vnet.name
address_prefixes = ["10.0.0.0/24"]
}
resource "azurerm_subnet" "new_terraform_subnet_web" {
name = "snet-webtier-${var.environment}-vdc-001"
resource_group_name = azurerm_resource_group.existing_terraform_rg.name
virtual_network_name = azurerm_virtual_network.existing_terraform_vnet.name
address_prefix = var.webtier_address_prefix
depends_on = [azurerm_virtual_network.existing_terraform_vnet]
}
# Create Network Security Group and rule
resource "azurerm_network_security_group" "generic-nsg" {
name = "generic-nsg"
location = "westeurope"
resource_group_name = azurerm_resource_group.existing_terraform_rg.name
security_rule {
name = "GENERIC-RULE"
priority = 1001
direction = "Inbound"
access = "Allow"
protocol = "Tcp"
source_port_range = "*"
#destination_port_range = "3389"
#destination_port_ranges = "["22","3389","80","8080"]"
destination_port_ranges = ["22","3389","80","8080","443"]
source_address_prefix = "*"
destination_address_prefix = "*"
}
}
# Connect the security group to the network interface
resource "azurerm_subnet_network_security_group_association" "new_terraform_subnet_web-asso-nsg" {
subnet_id = azurerm_subnet.new_terraform_subnet_web.id
network_security_group_id = azurerm_network_security_group.generic-nsg.id
}
resource "azurerm_subnet_network_security_group_association" "spk1-jbx-subnet-asso-nsg" {
subnet_id = azurerm_subnet.spk1-jbx-subnet.id
network_security_group_id = azurerm_network_security_group.generic-nsg.id
}
# Generate random text for a unique storage account name
resource "random_id" "randomId" {
keepers = {
# Generate a new ID only when a new resource group is defined
resource_group = azurerm_resource_group.existing_terraform_rg.name
}
byte_length = 8
}
resource "azurerm_lb" "new_terraform_lb_web" {
name = "lb-${var.web_lb_name}-${var.environment}-vdc-001"
location = azurerm_resource_group.existing_terraform_rg.location
resource_group_name = azurerm_resource_group.existing_terraform_rg.name
sku = var.lb_Sku
frontend_ip_configuration {
name = "PrivateIPAddress-${var.web_lb_name}"
subnet_id = azurerm_subnet.new_terraform_subnet_web.id
private_ip_address = var.web_lb_private_IP
private_ip_address_allocation = "Static"
}
}
resource "azurerm_lb_backend_address_pool" "new_terraform_bpepool_web" {
resource_group_name = azurerm_resource_group.existing_terraform_rg.name
loadbalancer_id = azurerm_lb.new_terraform_lb_web.id
name = "${var.web_lb_name}-BackEndAddressPool"
}
resource "azurerm_lb_probe" "new_terraform_lb_probe_web" {
resource_group_name = azurerm_resource_group.existing_terraform_rg.name
loadbalancer_id = azurerm_lb.new_terraform_lb_web.id
name = "${var.web_lb_name}-probe-${var.web_lb_probe_protocol}"
protocol = var.web_lb_probe_protocol
request_path = var.web_lb_probe_request_path
port = var.web_lb_probe_port
}
resource "azurerm_lb_rule" "new_terraform_bpepool_web_rule_http" {
resource_group_name = azurerm_resource_group.existing_terraform_rg.name
loadbalancer_id = azurerm_lb.new_terraform_lb_web.id
backend_address_pool_id = azurerm_lb_backend_address_pool.new_terraform_bpepool_web.id
probe_id = azurerm_lb_probe.new_terraform_lb_probe_web.id
disable_outbound_snat = true
name = "new_terraform_bpepool_web_rule_http"
protocol = "Tcp"
frontend_port = 80
backend_port = 80
frontend_ip_configuration_name = "PrivateIPAddress-${var.web_lb_name}"
}
resource "azurerm_lb_rule" "new_terraform_bpepool_web_rule_https" {
resource_group_name = azurerm_resource_group.existing_terraform_rg.name
loadbalancer_id = azurerm_lb.new_terraform_lb_web.id
backend_address_pool_id = azurerm_lb_backend_address_pool.new_terraform_bpepool_web.id
probe_id = azurerm_lb_probe.new_terraform_lb_probe_web.id
disable_outbound_snat = true
name = "new_terraform_bpepool_web_rule_https"
protocol = "Tcp"
frontend_port = 443
backend_port = 443
frontend_ip_configuration_name = "PrivateIPAddress-${var.web_lb_name}"
}
resource "azurerm_windows_virtual_machine_scale_set" "new_terraform_vmss_web" {
depends_on = [azurerm_lb_rule.new_terraform_bpepool_web_rule_http,azurerm_lb_rule.new_terraform_bpepool_web_rule_https]
name = "vmss-001"
resource_group_name = azurerm_resource_group.existing_terraform_rg.name
location = azurerm_resource_group.existing_terraform_rg.location
sku = var.webtier_vmss_sku
instances = var.webtier_vmss_instance_count
admin_password = var.webtier_vmss_admin_password
admin_username = var.webtier_vmss_admin_uname
zone_balance = true
zones = [1,2,3]
upgrade_mode = "Manual"
#automatic_os_upgrade_policy {
# disable_automatic_rollback = false
# enable_automatic_os_upgrade = true
#}
#rolling_upgrade_policy {
# max_batch_instance_percent = 20
# max_unhealthy_instance_percent = 20
# max_unhealthy_upgraded_instance_percent = 5
# pause_time_between_batches = "PT0S"
#}
#health_probe_id = azurerm_lb_probe.new_terraform_lb_probe_web.id
source_image_reference {
publisher = "MicrosoftWindowsServer"
offer = "WindowsServer"
sku = var.webtier_vmss_image_sku
version = "latest"
}
os_disk {
storage_account_type = "Standard_LRS"
caching = "ReadWrite"
}
network_interface {
name = "vmss-001-nic-1"
primary = true
ip_configuration {
name = "vmss-001-nic-1-Configuration"
primary = true
subnet_id = azurerm_subnet.new_terraform_subnet_web.id
load_balancer_backend_address_pool_ids = [azurerm_lb_backend_address_pool.new_terraform_bpepool_web.id]
#load_balancer_inbound_nat_rules_ids = [azurerm_lb_nat_pool.lbnatpool-1.id]
}
}
}
resource "azurerm_virtual_machine_scale_set_extension" "new_terraform_vmss_web_ext_1" {
name = "new_terraform_vmss_web_ext_1"
virtual_machine_scale_set_id = azurerm_windows_virtual_machine_scale_set.new_terraform_vmss_web.id
publisher = "Microsoft.Compute"
type = "CustomScriptExtension"
type_handler_version = "1.9"
settings = <<SETTINGS
{
"fileUris": ["https://raw.githubusercontent.com/Azure-Samples/compute-automation-configurations/master/automate-iis-v2.ps1"]
}
SETTINGS
protected_settings = <<PROTECTED_SETTINGS
{
"commandToExecute": "powershell -ExecutionPolicy Unrestricted -File automate-iis-v2.ps1"
}
PROTECTED_SETTINGS
}
# Create public IPs
resource "azurerm_public_ip" "spk1-jbx-puip" {
name = "spk1-jbx-puip"
location = "westeurope"
resource_group_name = azurerm_resource_group.existing_terraform_rg.name
allocation_method = "Dynamic"
}
# Create network interface
resource "azurerm_network_interface" "spk1-jbx-nic" {
name = "spk1-jbx-nic"
location = "westeurope"
resource_group_name = azurerm_resource_group.existing_terraform_rg.name
ip_configuration {
name = "spk1-jbx-nic-conf"
subnet_id = azurerm_subnet.spk1-jbx-subnet.id
private_ip_address_allocation = "Dynamic"
public_ip_address_id = azurerm_public_ip.spk1-jbx-puip.id
}
}
resource "azurerm_virtual_machine" "spk1-jbx-vm" {
name = "spk1-jbx-vm"
location = "westeurope"
resource_group_name = azurerm_resource_group.existing_terraform_rg.name
network_interface_ids = ["${azurerm_network_interface.spk1-jbx-nic.id}"]
vm_size = "Standard_D2s_v3"
storage_image_reference {
publisher = "MicrosoftWindowsServer"
offer = "WindowsServer"
sku = "2016-Datacenter"
version = "latest"
}
storage_os_disk {
name = "spk1-jbx-vm-mtwin-disk-os"
caching = "ReadWrite"
create_option = "FromImage"
managed_disk_type = "Standard_LRS"
}
os_profile {
computer_name = "spk1-jbx-vm"
admin_username = "demouser"
admin_password = "M0nP@ssw0rd!"
}
os_profile_windows_config {
provision_vm_agent = true
}
}
