Create a VPC and one vSRX instance with an Elastic IP address
1- Copy the terraform.tf file below into a new directory, together with a terraform.tfvars file holding the variable values. That tfvars file carries the AWS access key and secret key in clear text — keep it out of version control (or leave those two variables empty and supply credentials through the AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY environment variables or a shared credentials profile instead).
2- Run the plan command, review the planned changes, then run apply.
3- Find the public IP address of the vSRX management interface (the image used in this example runs Junos 15.1X49-D110.4).
4- SSH to the vSRX using the private key of the EC2 key pair referenced by key_name in terraform.tf.
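# Review the plan before applying; apply prompts for confirmation.
.\terraform.exe plan
.\terraform.exe apply
# "grep" is not a PowerShell/cmd built-in; Select-String does the same filtering.
# (If the configuration defines outputs, ".\terraform.exe output" is the cleaner way.)
.\terraform.exe show | Select-String public_ip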
public_ip = 34.215.144.101   (example output — your address will differ)
terraform.tf
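# Create VPC + IGW + Subnets + vSRX Instance with Elastic IP
#
# NOTE(review): the original header also mentioned a VGW and a Linux instance;
# nothing in this file creates either (no aws_vpn_gateway, a single aws_instance).
#
# 0-  AWS access and secret key to access AWS
# 1-  create a VPC
# 1a- create an Internet Gateway
# 1b- create a default Route in the Main RT
# 1c- create Mgmt Security Group  ( Allow Inbound SSH from var.mgmt_cidrs )
# 1d- create IPsec Security Group ( Allow Inbound IKE / NAT-T / ESP from var.ipsec_peer_cidrs )
# 2b- create Public IPsec subnet ( for Data IPsec Tunnel )
# 2c- create Public Mgmt subnet  ( for vSRX Mgmt )
# 2d- associate Public subnet to Main routing table
# 2e- associate Mgmt subnet to Main routing table
# 3-  Key pair to access the VM (must already exist; named by var.key_name)
# 5-  create a vSRX instance
# 6-  add Network interface to the vSRX Instance
# 7-  create a "second" Elastic IP address
# 8-  outputs with the two public IP addresses

# define variables and point to terraform.tfvars
#
# SECURITY: access_key / secret_key are read from terraform.tfvars, i.e. the
# credentials sit in clear text on disk. Keep that file out of version control.
# Better: delete the access_key/secret_key arguments from the provider block and
# let the provider read AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY or a shared
# credentials profile.
variable "name" {}
variable "access_key" {}
variable "secret_key" {}
variable "my_cidr_block" {}
variable "region" {}
variable "pub_sub0" {}
variable "pub_sub1" {}
variable "pri_sub2" {}     # declared but not referenced by any resource below
variable "myvsrxami" {}

# Source CIDRs allowed to reach SSH on the vSRX. The default keeps the original
# "from anywhere" behaviour; override it in terraform.tfvars with your admin
# network(s), e.g. mgmt_cidrs = ["203.0.113.0/24"].
variable "mgmt_cidrs" {
  type    = "list"
  default = ["0.0.0.0/0"]
}

# Source CIDRs of the remote IPsec peer gateway(s) (IKE / NAT-T / ESP). Same
# remark: set this to the peer address(es) instead of leaving it Internet-wide.
variable "ipsec_peer_cidrs" {
  type    = "list"
  default = ["0.0.0.0/0"]
}

# Name of an EC2 key pair that already exists in the target region (the
# aws_key_pair resource is left commented out, as in the original).
variable "key_name" {
  default = "TerraformKeyPair"
}

variable "instance_type" {
  default = "m4.xlarge"
}

# 0- AWS access and secret key to access AWS
provider "aws" {
  access_key = "${var.access_key}"
  secret_key = "${var.secret_key}"
  region     = "${var.region}"
}

# 1- create a VPC in aws
resource "aws_vpc" "vpc" {
  cidr_block           = "${var.my_cidr_block}"
  enable_dns_support   = true
  enable_dns_hostnames = true

  tags {
    Name = "${var.name}"
  }
}

# 1a- create an Internet Gateway
resource "aws_internet_gateway" "gw" {
  vpc_id = "${aws_vpc.vpc.id}"

  tags {
    Name = "${var.name}-igw"
  }
}

# 1b- create a default Route in the Main RT.
# Every subnet associated with the main route table (both subnets below,
# including the management one) is therefore Internet-facing.
resource "aws_route" "internet_access" {
  route_table_id         = "${aws_vpc.vpc.main_route_table_id}"
  destination_cidr_block = "0.0.0.0/0"
  gateway_id             = "${aws_internet_gateway.gw.id}"
}

# 1c- create Mgmt Security Group
resource "aws_security_group" "allow_ssh" {
  name        = "allow_inbound_SSH"
  description = "Allow inbound SSH traffic from any IP@"
  vpc_id      = "${aws_vpc.vpc.id}"

  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = "${var.mgmt_cidrs}"
  }

  # Unrestricted egress (unchanged from the original).
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
    #prefix_list_ids = ["pl-12c4e678"]
  }

  tags {
    Name = "${var.name}-SG Allow SSH"
  }
}

# 1d- create IPsec Security Group
# IKE uses UDP/500, NAT-T uses UDP/4500, and the tunnel payload is IP protocol
# 50 (ESP) whenever no NAT sits between the peers. The original opened only
# UDP/500, so a non-NAT-T tunnel could negotiate but not pass traffic.
resource "aws_security_group" "allow_IPSec" {
  name        = "allow_inbound_IPSec"
  description = "Allow inbound IPSec traffic from any IP@"
  vpc_id      = "${aws_vpc.vpc.id}"

  # SSH on the data interface, scoped like the mgmt SG. Remove this block if the
  # vSRX is only ever managed through its primary interface.
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = "${var.mgmt_cidrs}"
  }

  # IKE
  ingress {
    from_port   = 500
    to_port     = 500
    protocol    = "udp"
    cidr_blocks = "${var.ipsec_peer_cidrs}"
  }

  # NAT-T
  ingress {
    from_port   = 4500
    to_port     = 4500
    protocol    = "udp"
    cidr_blocks = "${var.ipsec_peer_cidrs}"
  }

  # ESP: ports are not meaningful for this protocol; 0/0 is the conventional value.
  ingress {
    from_port   = 0
    to_port     = 0
    protocol    = "50"
    cidr_blocks = "${var.ipsec_peer_cidrs}"
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags {
    Name = "${var.name}-SG Allow IPSec"
  }
}

# 2b- create Public IPsec subnet ( for Data IPsec Tunnel )
resource "aws_subnet" "public" {
  vpc_id     = "${aws_vpc.vpc.id}"
  cidr_block = "${var.pub_sub0}"
  # availability_zone =

  tags {
    Name = "${var.name}-public"
  }
}

# 2c- create Public Mgmt subnet ( for vSRX Mgmt )
# Pinned to the same AZ as the data subnet so one instance can attach to both.
resource "aws_subnet" "mgmt" {
  vpc_id            = "${aws_vpc.vpc.id}"
  cidr_block        = "${var.pub_sub1}"
  availability_zone = "${aws_subnet.public.availability_zone}"

  tags {
    Name = "${var.name}-Mgmt"
  }
}

# 2d- associate Public subnet to Main routing table
resource "aws_route_table_association" "assoc-public" {
  subnet_id      = "${aws_subnet.public.id}"
  route_table_id = "${aws_vpc.vpc.main_route_table_id}"
  #route_table_id = #"${aws_route_table..id}"
}

# 2e- associate Mgmt subnet to Main routing table
resource "aws_route_table_association" "assoc-mgmt" {
  subnet_id      = "${aws_subnet.mgmt.id}"
  route_table_id = "${aws_vpc.vpc.main_route_table_id}"
  #route_table_id = #"${aws_route_table..id}"
}

# 3- Create a Key pair to access the VM (left disabled; var.key_name must name
#    a key pair that already exists in the region)
#resource "aws_key_pair" "admin_key" {
#  key_name   = "admin_key"
#  public_key = "ssh-rsa AAAAB3[…]"
#}

# 5- create a vSRX instance
# The primary interface (device_index 0) is placed in the mgmt subnet and gets
# an auto-assigned public IP, so management is reachable from the Internet,
# filtered only by the allow_ssh security group.
resource "aws_instance" "vSRX" {
  #ami          = "ami-f4958c90"
  ami           = "${var.myvsrxami}"
  instance_type = "${var.instance_type}"
  key_name      = "${var.key_name}"
  subnet_id     = "${aws_subnet.mgmt.id}"

  # vpc_security_group_ids, not security_groups: inside a VPC the provider
  # documents security_groups as EC2-Classic/default-VPC only (names, not IDs),
  # and passing an ID there can make Terraform plan an instance replacement on
  # every apply.
  vpc_security_group_ids      = ["${aws_security_group.allow_ssh.id}"]
  associate_public_ip_address = true
  availability_zone           = "${aws_subnet.public.availability_zone}"

  tags {
    Name = "${var.name}-vSRX1"
  }
}

# 6- add Network interface to the vSRX Instance (ge-0/0/0, the IPsec data interface)
resource "aws_network_interface" "ge0-0-0" {
  subnet_id       = "${aws_subnet.public.id}"
  #private_ips    = ["10.0.0.2"]
  security_groups = ["${aws_security_group.allow_IPSec.id}"]

  # A firewall/VPN gateway forwards packets that are neither sourced from nor
  # addressed to this ENI; EC2 silently drops such packets unless the
  # source/destination check is disabled. Harmless if the vSRX only terminates
  # traffic for itself.
  source_dest_check = false

  attachment {
    instance     = "${aws_instance.vSRX.id}"
    device_index = 1
  }
}

# 7- create a "second" Elastic IP address, bound to ge-0/0/0 (the primary
#    interface already has an auto-assigned public IP from step 5)
resource "aws_eip" "eip" {
  #instance         = "${aws_instance.web.id}"
  network_interface = "${aws_network_interface.ge0-0-0.id}"
  vpc               = true
}

# 8- outputs: "terraform output" shows these directly, instead of filtering
#    "terraform show" for public_ip
output "vsrx_mgmt_public_ip" {
  value = "${aws_instance.vSRX.public_ip}"
}

output "vsrx_ge000_eip" {
  value = "${aws_eip.eip.public_ip}"
}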