deployment can create a secure hub-spoke network using Azure VWANs.
The setup will deploy:
- Azure VWAN
- Azure Hubs
- Azure VWAN Firewall
- Azure VWAN s2s gateway
- Azure VWAN p2s gateway
- Azure VNETs (Spokes)
A regular central hub network is also deployed in this release; it will host most core infra services in the future. The spoke examples currently need some updating, but you can also build your own implementation, passing in the values you need from the global module and the hub module as required.
Forced tunneling for Azure VPN only supports IPv4 today (October 2022).
To enable forced tunneling you must ensure you have:
- `internet_security_enabled = true` set on the VPN gateway connections and on the VNET-to-hub connections (i.e. on the secure hubs).
- A route named `public_traffic` with destination `0.0.0.0/0` and next hop set to the Azure Firewall of the given hub, associated with that hub's default route table. This is the route that `internet_security_enabled` propagates to the connected VNETs and VPN clients; without it the flag has nothing to advertise.
- When you download the Azure VPN client configuration package for the "Azure VPN" client app, manually change the version tag in `azurevpnconfig.xml` to "2" (i.e. `<version>2</version>`). NOTE: version "1" does not seem to enforce forced tunneling.
- Import three certificates so that VPN certificate validation works: (1) the `client.pfx` file (Windows), (2) the self-signed root CA certificate (`ca.pem`) and (3) the DigiCert Global Root CA certificate. Store `client.pfx` in the user's personal (client) certificate store, and both the self-signed root CA and the DigiCert root CA in the machine's Trusted Root Certification Authorities store.
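As an added example (not this project's own code), the hub-side half of that checklist expressed in Terraform: the hub firewall, the `public_traffic` route on the hub's default route table, a spoke connection and a P2S gateway with `internet_security_enabled = true`. It assumes the azurerm provider 3.x, Terraform 1.3 or newer (for `startswith`), a `ca.pem` next to the module, and the resource names, address ranges and `spoke_app_vnet_id` variable shown, none of which come from the original page.

```hcl
# Added example (not this project's code). azurerm ~> 3.x, Terraform >= 1.3.
# Names, address ranges and the spoke VNET id below are assumptions.
provider "azurerm" {
  features {}
}

variable "spoke_app_vnet_id" { type = string } # assumed existing spoke VNET

resource "azurerm_resource_group" "vwan" {
  name     = "rg-vwan-example"
  location = "westeurope"
}

resource "azurerm_virtual_wan" "main" {
  name                = "vwan-example"
  resource_group_name = azurerm_resource_group.vwan.name
  location            = azurerm_resource_group.vwan.location
}

resource "azurerm_virtual_hub" "hub" {
  name                = "hub-westeurope"
  resource_group_name = azurerm_resource_group.vwan.name
  location            = azurerm_resource_group.vwan.location
  virtual_wan_id      = azurerm_virtual_wan.main.id
  address_prefix      = "10.100.0.0/23"
}

resource "azurerm_firewall_policy" "hub" {
  name                = "fwpol-hub-westeurope"
  resource_group_name = azurerm_resource_group.vwan.name
  location            = azurerm_resource_group.vwan.location
}

# Azure Firewall inside the hub: this is what makes it a secure hub.
resource "azurerm_firewall" "hub" {
  name                = "fw-hub-westeurope"
  resource_group_name = azurerm_resource_group.vwan.name
  location            = azurerm_resource_group.vwan.location
  sku_name            = "AZFW_Hub"
  sku_tier            = "Standard"
  firewall_policy_id  = azurerm_firewall_policy.hub.id
  virtual_hub {
    virtual_hub_id  = azurerm_virtual_hub.hub.id
    public_ip_count = 1
  }
}

# public_traffic: 0.0.0.0/0 -> hub firewall, in the hub's DEFAULT route table.
# internet_security_enabled below only takes effect when this route exists.
resource "azurerm_virtual_hub_route_table_route" "public_traffic" {
  route_table_id    = azurerm_virtual_hub.hub.default_route_table_id
  name              = "public_traffic"
  destinations_type = "CIDR"
  destinations      = ["0.0.0.0/0"]
  next_hop_type     = "ResourceId"
  next_hop          = azurerm_firewall.hub.id
}

# Spoke VNET-to-hub connection with internet security on.
resource "azurerm_virtual_hub_connection" "spoke_app" {
  name                      = "conn-spoke-app"
  virtual_hub_id            = azurerm_virtual_hub.hub.id
  remote_virtual_network_id = var.spoke_app_vnet_id
  internet_security_enabled = true
}

# Azure wants the base64 DER body of ca.pem, so strip the PEM armour lines.
locals {
  root_ca_public_cert_data = join("", [
    for l in split("\n", file("${path.module}/ca.pem")) :
    trimspace(l) if !startswith(trimspace(l), "-----")
  ])
}

# P2S: clients present client.pfx, issued by the self-signed root CA below.
resource "azurerm_vpn_server_configuration" "p2s" {
  name                     = "p2s-server-config"
  resource_group_name      = azurerm_resource_group.vwan.name
  location                 = azurerm_resource_group.vwan.location
  vpn_authentication_types = ["Certificate"]
  vpn_protocols            = ["OpenVPN"] # what the Azure VPN client app uses
  client_root_certificate {
    name             = "self-signed-rootca"
    public_cert_data = local.root_ca_public_cert_data
  }
}

resource "azurerm_point_to_site_vpn_gateway" "p2s" {
  name                        = "p2sgw-hub-westeurope"
  resource_group_name         = azurerm_resource_group.vwan.name
  location                    = azurerm_resource_group.vwan.location
  virtual_hub_id              = azurerm_virtual_hub.hub.id
  vpn_server_configuration_id = azurerm_vpn_server_configuration.p2s.id
  scale_unit                  = 1
  connection_configuration {
    name                      = "p2s-config"
    internet_security_enabled = true # forced tunneling for VPN clients
    vpn_client_address_pool { address_prefixes = ["172.16.201.0/24"] }
  }
}
```

The s2s side is the same flag on `azurerm_vpn_gateway_connection` (`internet_security_enabled = true`). After `terraform apply`, check the effective routes of the spoke connection in the portal: a `0.0.0.0/0` entry pointing at the firewall confirms the route is actually being propagated. The client-side steps from the list above (the `<version>2</version>` edit in `azurevpnconfig.xml` and the three certificate imports) are not automated by this configuration and remain manual.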