## Description
This Azure architecture uses a central NVA with NAT and BGP to enable communication between networks with overlapping IP addresses. It is intended for company mergers, migrations, or multi-cloud integrations where the existing addressing schemes cannot be modified. Traffic between spokes is routed through the hub via specific UDRs; the NVA translates the overlapping addresses and advertises the translated (virtual) address spaces via BGP, delivering a flexible, controllable, and scalable solution without any IP readdressing. Key strengths: preservation of existing addressing schemes, isolation and security with centralized traffic inspection, scalability to integrate additional overlapping networks, and use of native Azure services (Route Server, UDR) for simplified management.
**N.B:**
- The Terraform code is automatically generated with best practices and contains variables that you can customize to fit your needs.
- You have full control to change, add, or delete resources or their configuration. The newly generated code will reflect these changes.
- You can replace some resources with Terraform modules.
> terraform apply status: successful
## Architecture components
The architecture is made up of the following components:
| Component | Description |
|-----------|-------------|
| Resource Group | Container for all resources in the hub-spoke architecture |
| Hub Virtual Network | Central network that connects to all spoke networks, contains shared services |
| Spoke 1 Virtual Network | First spoke network connected to the hub, used for workload isolation |
| Spoke 2 Virtual Network | Second spoke network connected to the hub, used for workload isolation |
| Azure Firewall | Managed network security service that protects Azure Virtual Network resources |
| Network Virtual Appliance (NVA) | Virtual appliance that performs specialized network functions like routing and NAT |
| Azure Route Server | Service that exchanges routes over BGP between the NVA and the Azure virtual networks, so the NVA's advertised prefixes are programmed into the VNets |
| Virtual Network Peering | Connection between the hub and each spoke virtual network |
| Network Security Groups | Virtual firewalls that filter network traffic to and from Azure resources |
| Route Tables (UDR) | User-defined routes that specify how traffic is directed between subnets |
| Virtual Machines | Linux VMs deployed in the spokes and hub for testing connectivity |
| Network Manager | Service that manages the hub-spoke connectivity configuration |
| Subnets | Segmented portions of the virtual networks for different workloads |
| Public IP Addresses | External addresses for resources like Azure Firewall and Route Server |
| Network Interfaces | Virtual network cards that connect VMs to virtual networks |
| BGP Connection | Border Gateway Protocol connection between the NVA and Azure Route Server |
| SSH Keys | Generated keys for secure access to the Linux VMs |
## Requirements
The Terraform providers and version requirements are:
| Name | Configuration |
|-----------|---------------|
| Terraform Provider Requirements | azurerm version = "4.17.0" (exact version required) |
| TLS Provider | Source: "hashicorp/tls" |
| Azurerm Provider Configuration | Using default features with no special configuration |
| TLS Provider Configuration | Using default configuration |
| Authentication | Not explicitly defined, using default Azure authentication methods |
## How to use the architecture
Clone the architecture and modify the following variables according to your needs:
The variables are:
| Variable Name | Description |
|---------------|-------------|
| Azure_SP_object_id | Object ID of the user Chafik |
| Brainboard_IP_Range_List | List of Brainboard IP addresses |
| app_a_vpc_id | VPC ID for application A |
| brainboard_object_id | Object ID of the terraform manager |
| cbelhaoues_object_id | Object ID of the user Chafik |
| db_username | Username for database access |
| firewall_name | Name of the Azure Firewall |
| firewall_sku | SKU of the firewall |
| hub_arsDelegation_name | Name for the Azure Route Server delegation |
| hub_ars_name | Name for the hub Azure Route Server |
| hub_ars_pip_name | Name for the hub Azure Route Server public IP |
| hub_ars_subnet | Address prefix for the Azure Route Server subnet in the hub |
| hub_firewall_ipconfig_name | Name for the hub firewall IP configuration |
| hub_firewall_name | Name for the hub firewall |
| hub_firewall_subnet | Address prefix for the AzureFirewallSubnet in the hub (must be /26 or larger) |
| hub_fw_pip_mngt_name | Name for the hub firewall management public IP |
| hub_fw_pip_name | Name for the hub firewall public IP |
| hub_gateway_pip_name | Name for the hub gateway public IP |
| hub_gateway_subnet | IP prefix of the GatewaySubnet |
| hub_restricted_subnet_prefix | IP prefix for the restricted subnet in the hub |
| hub_sku_tier | SKU tier for the hub resources |
| hub_to_spoke_1_peering_name | Peering name from Hub to Spoke 1 |
| hub_to_spoke_2_peering_name | Peering name from Hub to Spoke 2 |
| hub_vnet_address_space | Address space of the Hub VNet |
| hub_vnet_name | Name of the Hub virtual network |
| hub_vpn_gateway_name | Name for the hub VPN gateway |
| hub_vpn_pip_name | Name for the hub VPN public IP |
| instance_port | Port number for the instance |
| lb_path | Path for the load balancer health check |
| lb_port | Port for the load balancer |
| location | Azure region where resources will be deployed |
| log_analytics_workspace_name | Name of the Log Analytics Workspace |
| nat_spoke_a_external | NAT-translated IP range for Spoke A |
| nat_spoke_a_internal | Internal IP range of Spoke A |
| nat_spoke_b_external | NAT-translated IP range for Spoke B |
| nat_spoke_b_internal | Internal IP range of Spoke B |
| nva_ip_conf_name | Name for the Network Virtual Appliance IP configuration |
| nva_nic_name | Name for the Network Virtual Appliance network interface |
| nva_subnet_prefix | Address prefix for the NVA subnet in the hub |
| office_ip | IP address of the office |
| resource_group_name | Name of the resource group |
| route_server_name | Name of the Route Server |
| route_server_peer_asn | ASN of the BGP peer |
| route_server_peer_ip | IP address of the BGP peer |
| route_server_subnet_prefix | IP prefix of the RouteServerSubnet |
| spoke1_default_subnet_name | Name for the default subnet in Spoke 1 |
| spoke1_default_subnet_prefix | Address prefix for the default subnet in Spoke 1 |
| spoke1_restricted_subnet_name | Name for the restricted subnet in Spoke 1 |
| spoke1_restricted_subnet_prefix | Address prefix for the restricted subnet in Spoke 1 |
| spoke1_vnet_address_space | Address space for the Spoke 1 Virtual Network |
| spoke2_default_subnet_name | Name for the default subnet in Spoke 2 |
| spoke2_default_subnet_prefix | Address prefix for the default subnet in Spoke 2 |
| spoke2_restricted_subnet_name | Name for the restricted subnet in Spoke 2 |
| spoke2_restricted_subnet_prefix | Address prefix for the restricted subnet in Spoke 2 |
| spoke2_vnet_address_space | Address space for the Spoke 2 Virtual Network |
| spoke_1_to_hub_peering_name | Peering name from Spoke 1 to Hub |
| spoke_1_vnet_name | Name of Spoke 1 virtual network |
| spoke_2_to_hub_peering_name | Peering name from Spoke 2 to Hub |
| spoke_2_vnet_name | Name of Spoke 2 virtual network |
| tags | Default tags to apply to all resources |
| vnet_manager_name | Name of the Virtual Network Manager |
| vpn_client_address_space | Address space for VPN clients |
| vpn_gateway_name | Name of the VPN Gateway |
| vpn_gateway_sku | VPN Gateway SKU |
**N.B:**
- Feel free to remove the resources that are not relevant to your use-case.
- Some variables have default values; change them if they don't fit your deployment.
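As an added example (not part of the template or its generated Terraform), the following Python script checks that the NAT/BGP variables from the table fit together before running `terraform apply`: the external ranges the NVA advertises over BGP must not overlap each other, the hub, or the peer spoke's real range; each internal/external pair must be the same size for 1:1 translation; and each spoke needs a UDR that sends the peer's virtual range to the NVA. It assumes Spoke A/B correspond to Spoke 1/2, and every address value in it is a constructed placeholder.

```python
"""Pre-deployment consistency check for this template's NAT/BGP variables (added example)."""
import ipaddress
import itertools

# Constructed sample values mirroring the variables in the table above
# (Spoke A/B are assumed to be Spoke 1/2; none of these are the template's defaults).
VARS = {
    "hub_vnet_address_space": "10.0.0.0/16",
    "nat_spoke_a_internal": "192.168.1.0/24",  # Spoke A's real range
    "nat_spoke_b_internal": "192.168.1.0/24",  # Spoke B's real range: the overlap
    "nat_spoke_a_external": "100.64.1.0/24",   # virtual range the NVA advertises for A
    "nat_spoke_b_external": "100.64.2.0/24",   # virtual range the NVA advertises for B
}

def check_nat_plan(v):
    """Return a list of problems; an empty list means the plan is consistent."""
    net = {k: ipaddress.ip_network(val, strict=True) for k, val in v.items()}
    hub = net["hub_vnet_address_space"]
    a_int, a_ext = net["nat_spoke_a_internal"], net["nat_spoke_a_external"]
    b_int, b_ext = net["nat_spoke_b_internal"], net["nat_spoke_b_external"]
    problems = []
    # Static 1:1 NAT keeps the host part, so internal and external prefix lengths must match.
    for name, i, e in (("a", a_int, a_ext), ("b", b_int, b_ext)):
        if i.prefixlen != e.prefixlen:
            problems.append(f"spoke {name}: internal /{i.prefixlen} vs external /{e.prefixlen}")
    # Everything reachable through the hub must be unique: both virtual ranges and the hub itself.
    advertised = [("nat_spoke_a_external", a_ext), ("nat_spoke_b_external", b_ext),
                  ("hub_vnet_address_space", hub)]
    for (n1, x), (n2, y) in itertools.combinations(advertised, 2):
        if x.overlaps(y):
            problems.append(f"{n1} overlaps {n2}")
    # A spoke must be able to tell the peer's translated range from its own real subnet.
    if a_ext.overlaps(b_int):
        problems.append("nat_spoke_a_external overlaps Spoke B internal range")
    if b_ext.overlaps(a_int):
        problems.append("nat_spoke_b_external overlaps Spoke A internal range")
    return problems

def translate(addr, internal, external):
    """Static 1:1 NAT: map a host in `internal` to the same host offset in `external`."""
    internal, external = ipaddress.ip_network(internal), ipaddress.ip_network(external)
    offset = int(ipaddress.ip_address(addr)) - int(internal.network_address)
    return str(external.network_address + offset)

def spoke_udr(v, nva_ip):
    """UDR each spoke needs: route the peer's virtual range to the NVA in the hub."""
    peer = {"spoke_1": v["nat_spoke_b_external"], "spoke_2": v["nat_spoke_a_external"]}
    return {s: {"address_prefix": p, "next_hop_type": "VirtualAppliance",
                "next_hop_in_ip_address": nva_ip} for s, p in peer.items()}
```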
## Maintainer(s)
You can reach out to these maintainers if you need help or assistance:
- [Brainboard team](mailto:support@brainboard.co)
Brainboard is an AI-driven platform to visually design and manage cloud infrastructure, collaboratively. It's the only solution that automatically generates IaC code for any cloud provider, with an embedded CI/CD.