Enterprise-grade Terraform module for deploying a hub-and-spoke network topology on Azure. Provisions a centralized hub virtual network with Azure Firewall (Standard/Premium), Azure Bastion, VPN Gateway, ExpressRoute Gateway, and Route Server, alongside configurable spoke VNets with automatic peering and firewall-routed UDRs. Includes integrated diagnostic settings for comprehensive network monitoring.
- Resources: VNets, Peerings, Firewall, Bastion, Gateways, Route Tables, Diagnostics
- Variables: Configurable input parameters
- Outputs: IDs, IPs, DNS names for all components
- Examples: Basic, Advanced, Complete
| Resource | Purpose | Optional |
|---|---|---|
| azurerm_virtual_network.hub | Hub VNet with reserved subnets (Firewall, Gateway, Bastion, RouteServer) | No |
| azurerm_virtual_network.spoke | Spoke VNets with configurable subnets | No |
| azurerm_virtual_network_peering | Bidirectional hub-to-spoke peering with gateway transit | No |
| azurerm_firewall | Azure Firewall (Standard/Premium) with policy and rule collections | Yes |
| azurerm_firewall_policy | Firewall policy with IDPS, DNS proxy, threat intelligence | Yes |
| azurerm_bastion_host | Azure Bastion for secure VM access (Basic/Standard) | Yes |
| azurerm_virtual_network_gateway.vpn | VPN Gateway for site-to-site connectivity | Yes |
| azurerm_virtual_network_gateway.expressroute | ExpressRoute Gateway for private connectivity | Yes |
| azurerm_route_server | Route Server for dynamic NVA route exchange | Yes |
| azurerm_route_table.spoke | UDR tables routing spoke traffic through the firewall | Yes |
| azurerm_monitor_diagnostic_setting | Firewall and Bastion diagnostic logs to Log Analytics | Yes |
- Spoke-to-Internet: Traffic from spoke subnets with `route_through_firewall = true` hits the UDR default route, forcing all egress through Azure Firewall for inspection.
- Spoke-to-Spoke: Inter-spoke traffic transits the hub via peering and the firewall.
- On-Premises: VPN/ExpressRoute terminates at the hub gateway; spokes reach it through the remote-gateway setting in the peering configuration.
- Hub-spoke isolation with VNet peering
- Per-spoke UDR forcing traffic through firewall
- BGP route propagation disabled on spoke route tables
- Subnet-level security boundaries
- Azure Firewall Premium with IDPS (Alert mode)
- Threat intelligence mode: Deny
- DNS proxy for FQDN-based rules
- Network, application, and NAT rule collections
- Diagnostic logging for all rule hits
- Azure Bastion for secure SSH/RDP (no public IPs on VMs)
- Standard SKU with advanced features
- Audit logging for Bastion sessions
- VPN Gateway with RouteBased VPN
- ExpressRoute for private WAN
- Gateway transit enabled for spoke access
- Route Server for NVA BGP integration
- Hub-spoke with shared services, centralized firewall, and multi-spoke isolation for different business units
- ExpressRoute for dedicated connectivity, Firewall Premium with IDPS, strict UDR enforcement on all spokes
- Network segmentation for HIPAA compliance, Bastion for audit-logged access, no public IP exposure
- Azure Firewall threat intelligence in Deny mode, full diagnostic logging, Route Server for NVA integration
| Variable | Type | Default | Description |
|---|---|---|---|
| name_prefix | string | -- | Prefix for all resource names |
| resource_group_name | string | -- | Resource group name |
| location | string | -- | Azure region |
| hub_vnet_address_space | list(string) | -- | Hub VNet CIDR blocks |
| spoke_vnets | map(object) | {} | Spoke VNets with subnets and firewall routing |
| enable_firewall | bool | true | Deploy Azure Firewall |
| firewall_sku_tier | string | Premium | Standard or Premium |
| enable_bastion | bool | true | Deploy Azure Bastion |
| enable_vpn_gateway | bool | false | Deploy VPN Gateway |
| enable_expressroute | bool | false | Deploy ExpressRoute Gateway |
| enable_route_server | bool | false | Deploy Azure Route Server |
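An added example of a `networking.tfvars` (not one of the module's own files) that sets the variables listed above and matches the resource names used in the deployment commands below. The top-level variable names come from the table; the inner fields of each `spoke_vnets` entry (`address_space`, `subnets`, `address_prefix`, `route_through_firewall`) are assumed here, because the object schema is not reproduced on this page.

```hcl
# Constructed example values; region and CIDRs are illustrative.
name_prefix            = "myproject"
resource_group_name    = "rg-networking"
location               = "westeurope"
hub_vnet_address_space = ["10.0.0.0/22"]

# Hub services. Premium tier is needed for the IDPS features
# described in this README.
enable_firewall     = true
firewall_sku_tier   = "Premium"
enable_bastion      = true
enable_vpn_gateway  = false
enable_expressroute = false
enable_route_server = false

# Spoke object field names below are assumed for this example.
spoke_vnets = {
  app = {
    address_space = ["10.1.0.0/16"]
    subnets = {
      web = {
        address_prefix         = "10.1.1.0/24"
        route_through_firewall = true # UDR default route -> firewall
      }
      data = {
        address_prefix         = "10.1.2.0/24"
        route_through_firewall = true
      }
    }
  }
  shared = {
    address_space = ["10.2.0.0/16"]
    subnets = {
      tools = {
        address_prefix = "10.2.1.0/24"
        # With this false, egress from the subnet is not forced
        # through Azure Firewall, so it is neither inspected nor
        # captured in the firewall diagnostic logs. Exempt a subnet
        # only deliberately and document why.
        route_through_firewall = false
      }
    }
  }
}
```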
```bash
terraform init
terraform plan -var-file="networking.tfvars"
terraform apply -var-file="networking.tfvars"

# Verify hub VNet
az network vnet show --name myproject-hub-vnet --resource-group rg-networking

# Check firewall status
az network firewall show --name myproject-fw --resource-group rg-networking
```