I have been looking for a proper way to terraform my internal vm scale set with a INTERNAL load balancer that is not exposed to internet with a public IP. however, the nodes should have access to internet to download some packages that are located in github.
I am facing this issue where the load balancer is deployed as well as the scale set but, I do not have the internet outband connectivity from the nodes of the scale set...
I read this post but it does not tell how to proceed
From my understandings, I should have internet access from my nodes to download package cause I use a standard load balancer, but it does not work.
I am missing something ? I would prefer avoid using a NAT Gateway..
Below is my full terraform script that create RG, Vnet SUbnets, LB rules and finally VMSS and a jumbpox.
provider "azurerm" {
features {}
subscription_id = var.azure-subscription-id
client_id = var.azure-client-app-id
client_secret = var.azure-client-secret-password
tenant_id = var.azure-tenant-id
}
resource "azurerm_resource_group" "existing_terraform_rg" {
name = "rg-ict-spoke1-001"
location = "westeurope"
#depends_on = [var.rg_depends_on]
}
# Create storage account for boot diagnostics
resource "azurerm_storage_account" "mystorageaccount" {
name = "diag${random_id.randomId.hex}"
resource_group_name = azurerm_resource_group.existing_terraform_rg.name
location = "westeurope"
account_tier = "Standard"
account_replication_type = "LRS"
}
resource "azurerm_virtual_network" "existing_terraform_vnet" {
name = "vnet-spoke1-001"
location = "westeurope"
resource_group_name = azurerm_resource_group.existing_terraform_rg.name
address_space = ["10.0.0.0/16"]
#depends_on = [azurerm_resource_group.existing_terraform_rg]
}
// Subnets
# Create subnet
resource "azurerm_subnet" "spk1-jbx-subnet" {
name = "spk1-jbx-subnet"
resource_group_name = azurerm_resource_group.existing_terraform_rg.name
virtual_network_name = azurerm_virtual_network.existing_terraform_vnet.name
address_prefixes = ["10.0.0.0/24"]
}
resource "azurerm_subnet" "new_terraform_subnet_web" {
name = "snet-webtier-${var.environment}-vdc-001"
resource_group_name = azurerm_resource_group.existing_terraform_rg.name
virtual_network_name = azurerm_virtual_network.existing_terraform_vnet.name
address_prefix = var.webtier_address_prefix
depends_on = [azurerm_virtual_network.existing_terraform_vnet]
}
# Create Network Security Group and rule
resource "azurerm_network_security_group" "generic-nsg" {
name = "generic-nsg"
location = "westeurope"
resource_group_name = azurerm_resource_group.existing_terraform_rg.name
security_rule {
name = "GENERIC-RULE"
priority = 1001
direction = "Inbound"
access = "Allow"
protocol = "Tcp"
source_port_range = "*"
#destination_port_range = "3389"
#destination_port_ranges = "["22","3389","80","8080"]"
destination_port_ranges = ["22","3389","80","8080","443"]
source_address_prefix = "*"
destination_address_prefix = "*"
}
}
# Connect the security group to the network interface
resource "azurerm_subnet_network_security_group_association" "new_terraform_subnet_web-asso-nsg" {
subnet_id = azurerm_subnet.new_terraform_subnet_web.id
network_security_group_id = azurerm_network_security_group.generic-nsg.id
}
resource "azurerm_subnet_network_security_group_association" "spk1-jbx-subnet-asso-nsg" {
subnet_id = azurerm_subnet.spk1-jbx-subnet.id
network_security_group_id = azurerm_network_security_group.generic-nsg.id
}
# Generate random text for a unique storage account name
resource "random_id" "randomId" {
keepers = {
# Generate a new ID only when a new resource group is defined
resource_group = azurerm_resource_group.existing_terraform_rg.name
}
byte_length = 8
}
resource "azurerm_lb" "new_terraform_lb_web" {
name = "lb-${var.web_lb_name}-${var.environment}-vdc-001"
location = azurerm_resource_group.existing_terraform_rg.location
resource_group_name = azurerm_resource_group.existing_terraform_rg.name
sku = var.lb_Sku
frontend_ip_configuration {
name = "PrivateIPAddress-${var.web_lb_name}"
subnet_id = azurerm_subnet.new_terraform_subnet_web.id
private_ip_address = var.web_lb_private_IP
private_ip_address_allocation = "Static"
}
}
resource "azurerm_lb_backend_address_pool" "new_terraform_bpepool_web" {
resource_group_name = azurerm_resource_group.existing_terraform_rg.name
loadbalancer_id = azurerm_lb.new_terraform_lb_web.id
name = "${var.web_lb_name}-BackEndAddressPool"
}
resource "azurerm_lb_probe" "new_terraform_lb_probe_web" {
resource_group_name = azurerm_resource_group.existing_terraform_rg.name
loadbalancer_id = azurerm_lb.new_terraform_lb_web.id
name = "${var.web_lb_name}-probe-${var.web_lb_probe_protocol}"
protocol = var.web_lb_probe_protocol
request_path = var.web_lb_probe_request_path
port = var.web_lb_probe_port
}
resource "azurerm_lb_rule" "new_terraform_bpepool_web_rule_http" {
resource_group_name = azurerm_resource_group.existing_terraform_rg.name
loadbalancer_id = azurerm_lb.new_terraform_lb_web.id
backend_address_pool_id = azurerm_lb_backend_address_pool.new_terraform_bpepool_web.id
probe_id = azurerm_lb_probe.new_terraform_lb_probe_web.id
disable_outbound_snat = true
name = "new_terraform_bpepool_web_rule_http"
protocol = "Tcp"
frontend_port = 80
backend_port = 80
frontend_ip_configuration_name = "PrivateIPAddress-${var.web_lb_name}"
}
resource "azurerm_lb_rule" "new_terraform_bpepool_web_rule_https" {
resource_group_name = azurerm_resource_group.existing_terraform_rg.name
loadbalancer_id = azurerm_lb.new_terraform_lb_web.id
backend_address_pool_id = azurerm_lb_backend_address_pool.new_terraform_bpepool_web.id
probe_id = azurerm_lb_probe.new_terraform_lb_probe_web.id
disable_outbound_snat = true
name = "new_terraform_bpepool_web_rule_https"
protocol = "Tcp"
frontend_port = 443
backend_port = 443
frontend_ip_configuration_name = "PrivateIPAddress-${var.web_lb_name}"
}
resource "azurerm_windows_virtual_machine_scale_set" "new_terraform_vmss_web" {
depends_on = [azurerm_lb_rule.new_terraform_bpepool_web_rule_http,azurerm_lb_rule.new_terraform_bpepool_web_rule_https]
name = "vmss-001"
resource_group_name = azurerm_resource_group.existing_terraform_rg.name
location = azurerm_resource_group.existing_terraform_rg.location
sku = var.webtier_vmss_sku
instances = var.webtier_vmss_instance_count
admin_password = var.webtier_vmss_admin_password
admin_username = var.webtier_vmss_admin_uname
zone_balance = true
zones = [1,2,3]
upgrade_mode = "Manual"
#automatic_os_upgrade_policy {
# disable_automatic_rollback = false
# enable_automatic_os_upgrade = true
#}
#rolling_upgrade_policy {
# max_batch_instance_percent = 20
# max_unhealthy_instance_percent = 20
# max_unhealthy_upgraded_instance_percent = 5
# pause_time_between_batches = "PT0S"
#}
#health_probe_id = azurerm_lb_probe.new_terraform_lb_probe_web.id
source_image_reference {
publisher = "MicrosoftWindowsServer"
offer = "WindowsServer"
sku = var.webtier_vmss_image_sku
version = "latest"
}
os_disk {
storage_account_type = "Standard_LRS"
caching = "ReadWrite"
}
network_interface {
name = "vmss-001-nic-1"
primary = true
ip_configuration {
name = "vmss-001-nic-1-Configuration"
primary = true
subnet_id = azurerm_subnet.new_terraform_subnet_web.id
load_balancer_backend_address_pool_ids = [azurerm_lb_backend_address_pool.new_terraform_bpepool_web.id]
#load_balancer_inbound_nat_rules_ids = [azurerm_lb_nat_pool.lbnatpool-1.id]
}
}
}
resource "azurerm_virtual_machine_scale_set_extension" "new_terraform_vmss_web_ext_1" {
name = "new_terraform_vmss_web_ext_1"
virtual_machine_scale_set_id = azurerm_windows_virtual_machine_scale_set.new_terraform_vmss_web.id
publisher = "Microsoft.Compute"
type = "CustomScriptExtension"
type_handler_version = "1.9"
settings = <<SETTINGS
{
"fileUris": ["https://raw.githubusercontent.com/Azure-Samples/compute-automation-configurations/master/automate-iis-v2.ps1"]
}
SETTINGS
protected_settings = <<PROTECTED_SETTINGS
{
"commandToExecute": "powershell -ExecutionPolicy Unrestricted -File automate-iis-v2.ps1"
}
PROTECTED_SETTINGS
}
# Create public IPs
resource "azurerm_public_ip" "spk1-jbx-puip" {
name = "spk1-jbx-puip"
location = "westeurope"
resource_group_name = azurerm_resource_group.existing_terraform_rg.name
allocation_method = "Dynamic"
}
# Create network interface
resource "azurerm_network_interface" "spk1-jbx-nic" {
name = "spk1-jbx-nic"
location = "westeurope"
resource_group_name = azurerm_resource_group.existing_terraform_rg.name
ip_configuration {
name = "spk1-jbx-nic-conf"
subnet_id = azurerm_subnet.spk1-jbx-subnet.id
private_ip_address_allocation = "Dynamic"
public_ip_address_id = azurerm_public_ip.spk1-jbx-puip.id
}
}
resource "azurerm_virtual_machine" "spk1-jbx-vm" {
name = "spk1-jbx-vm"
location = "westeurope"
resource_group_name = azurerm_resource_group.existing_terraform_rg.name
network_interface_ids = ["${azurerm_network_interface.spk1-jbx-nic.id}"]
vm_size = "Standard_D2s_v3"
storage_image_reference {
publisher = "MicrosoftWindowsServer"
offer = "WindowsServer"
sku = "2016-Datacenter"
version = "latest"
}
storage_os_disk {
name = "spk1-jbx-vm-mtwin-disk-os"
caching = "ReadWrite"
create_option = "FromImage"
managed_disk_type = "Standard_LRS"
}
os_profile {
computer_name = "spk1-jbx-vm"
admin_username = "demouser"
admin_password = "M0nP@ssw0rd!"
}
os_profile_windows_config {
provision_vm_agent = true
}
}
You need a public Load Balancer for Port masquerading SNAT (PAT) the outbound traffic. You can configure both an internal and public LB as indicated in the document Azure you referenced.
Outbound NAT for internal Standard Load Balancer scenarios When using an internal Standard Load Balancer, outbound NAT is not available until outbound connectivity has been explicitly declared. You can define outbound connectivity using an outbound rule to create outbound connectivity for VMs behind an internal Standard Load Balancer with these steps: 1. Create a public Standard Load Balancer. 2. Create a backend pool and place the VMs into a backend pool of the public Load Balancer in addition to the internal Load Balancer. 3. Configure an outbound rule on the public Load Balancer to program outbound NAT for these VMs.