如果不手动插入硬编码的 IP 私有地址,我找不到通过 terraform 使用私有 IP 创建应用程序网关的方法。
我试过了:
只有在使用硬编码的 IP 地址创建应用程序网关时才有效。
这个解决方案对我来说不够好,因为我们要处理许多环境,我们不想让开发人员记住添加私有 IP。
有好的解决办法吗?
【问题讨论】:
标签: terraform terraform-provider-azure azure-application-gateway
你能粘贴你的 terraform 代码吗?
对于最新的 terraform 版本documentation say,该块frontend_ip_configuration 支持private_ip_address_allocation 参数,可以保存值Dynamic。
还请记住,应用网关必须有一个单独的网络,其中只有应用网关。我不确定,但我认为它是每个子网的网关,所以一个子网中有 2 个网关是不可能的。
【讨论】:
Application Gateway v2 SKU 仅支持静态 VIP 类型,而 V1 SKU 可配置为支持静态或动态内部 IP 地址和动态公共 IP 地址。
参考:Application Gateway frontend-ip-addresses
Application Gateway V2 目前不支持仅私有 IP 模式。 Azure 应用程序网关 V2 SKU 可以配置为支持静态内部 IP 地址和静态公共 IP 地址,或仅支持静态公共 IP 地址。不能将其配置为仅支持静态内部 IP 地址。
参考:Application gateway v2 with only private-ip
在使用terraform部署时,我们应该定义两个frontend_ip_configurationblocks,一个用于公共IP配置,另一个用于私有IP配置。
场景 1:当尝试使用 terraform 创建具有动态私有 IP 和动态公共 IP 的新应用程序网关时,它只会为 Standard 或 V1 SKU 创建。
terraform {
required_providers {
azurerm = {
source = "hashicorp/azurerm"
version = "~> 2.65"
}
}
required_version = ">= 0.14.9"
}
provider "azurerm" {
features {}
}
resource "azurerm_resource_group" "test" {
name = "Terraformtest"
location = "West Europe"
}
resource "azurerm_virtual_network" "test" {
name = "terraformvnet"
resource_group_name = azurerm_resource_group.test.name
location = azurerm_resource_group.test.location
address_space = ["10.254.0.0/16"]
}
resource "azurerm_subnet" "frontend" {
name = "frontend"
resource_group_name = azurerm_resource_group.test.name
virtual_network_name = azurerm_virtual_network.test.name
address_prefixes = ["10.254.0.0/24"]
}
resource "azurerm_subnet" "backend" {
name = "backend"
resource_group_name = azurerm_resource_group.test.name
virtual_network_name = azurerm_virtual_network.test.name
address_prefixes = ["10.254.2.0/24"]
}
resource "azurerm_public_ip" "test" {
name = "test-pip"
resource_group_name = azurerm_resource_group.test.name
location = azurerm_resource_group.test.location
allocation_method = "Dynamic"
}
locals {
backend_address_pool_name = "${azurerm_virtual_network.test.name}-beap"
frontend_port_name = "${azurerm_virtual_network.test.name}-feport"
frontend_ip_configuration_name = "${azurerm_virtual_network.test.name}-feip"
http_setting_name = "${azurerm_virtual_network.test.name}-be-htst"
listener_name = "${azurerm_virtual_network.test.name}-httplstn"
request_routing_rule_name = "${azurerm_virtual_network.test.name}-rqrt"
redirect_configuration_name = "${azurerm_virtual_network.test.name}-rdrcfg"
}
resource "azurerm_application_gateway" "network" {
name = "test-appgateway"
resource_group_name = "${azurerm_resource_group.test.name}"
location = "${azurerm_resource_group.test.location}"
sku {
name = "Standard_Small"
tier = "Standard"
capacity = 2
}
gateway_ip_configuration {
name = "my-gateway-ip-configuration"
subnet_id = "${azurerm_subnet.frontend.id}"
}
frontend_port {
name = "${local.frontend_port_name}"
port = 80
}
frontend_ip_configuration {
name = "${local.frontend_ip_configuration_name}"
public_ip_address_id = "${azurerm_public_ip.test.id}"
}
frontend_ip_configuration {
name = "${local.frontend_ip_configuration_name}-private"
subnet_id = "${azurerm_subnet.frontend.id}"
private_ip_address_allocation = "Dynamic"
}
backend_address_pool {
name = "${local.backend_address_pool_name}"
}
backend_http_settings {
name = "${local.http_setting_name}"
cookie_based_affinity = "Disabled"
path = "/path1/"
port = 80
protocol = "Http"
request_timeout = 1
}
http_listener {
name = "${local.listener_name}"
frontend_ip_configuration_name = "${local.frontend_ip_configuration_name}-private"
frontend_port_name = "${local.frontend_port_name}"
protocol = "Http"
}
request_routing_rule {
name = "${local.request_routing_rule_name}"
rule_type = "Basic"
http_listener_name = "${local.listener_name}"
backend_address_pool_name = "${local.backend_address_pool_name}"
backend_http_settings_name = "${local.http_setting_name}"
}
}
场景 2: 在创建 Standard V2 时,我们可以创建私有 IP,但它还不支持动态分配,所以它必须是静态的,并且您必须提及您要使用的 IP 地址.要使用它,您必须为公共 IP 选择标准 sku,并为公共选择静态 IP 地址分配。
所以,在更新private_ip_address_allocation = "Static" 和private_ip_address = "10.254.0.10" 之后就会成功创建。
terraform {
required_providers {
azurerm = {
source = "hashicorp/azurerm"
version = "~> 2.65"
}
}
required_version = ">= 0.14.9"
}
provider "azurerm" {
features {}
}
resource "azurerm_resource_group" "test" {
name = "Terraformtest"
location = "West Europe"
}
resource "azurerm_virtual_network" "test" {
name = "terraformvnet"
resource_group_name = azurerm_resource_group.test.name
location = azurerm_resource_group.test.location
address_space = ["10.254.0.0/16"]
}
resource "azurerm_subnet" "frontend" {
name = "frontend"
resource_group_name = azurerm_resource_group.test.name
virtual_network_name = azurerm_virtual_network.test.name
address_prefixes = ["10.254.0.0/24"]
}
resource "azurerm_subnet" "backend" {
name = "backend"
resource_group_name = azurerm_resource_group.test.name
virtual_network_name = azurerm_virtual_network.test.name
address_prefixes = ["10.254.2.0/24"]
}
resource "azurerm_public_ip" "test" {
name = "test-pip"
resource_group_name = azurerm_resource_group.test.name
location = azurerm_resource_group.test.location
allocation_method = "Static"
sku = "Standard"
}
locals {
backend_address_pool_name = "${azurerm_virtual_network.test.name}-beap"
frontend_port_name = "${azurerm_virtual_network.test.name}-feport"
frontend_ip_configuration_name = "${azurerm_virtual_network.test.name}-feip"
http_setting_name = "${azurerm_virtual_network.test.name}-be-htst"
listener_name = "${azurerm_virtual_network.test.name}-httplstn"
request_routing_rule_name = "${azurerm_virtual_network.test.name}-rqrt"
redirect_configuration_name = "${azurerm_virtual_network.test.name}-rdrcfg"
}
resource "azurerm_application_gateway" "network" {
name = "test-appgateway"
resource_group_name = "${azurerm_resource_group.test.name}"
location = "${azurerm_resource_group.test.location}"
sku {
name = "Standard_v2"
tier = "Standard_v2"
capacity = 2
}
gateway_ip_configuration {
name = "my-gateway-ip-configuration"
subnet_id = "${azurerm_subnet.frontend.id}"
}
frontend_port {
name = "${local.frontend_port_name}"
port = 80
}
frontend_ip_configuration {
name = "${local.frontend_ip_configuration_name}"
public_ip_address_id = "${azurerm_public_ip.test.id}"
}
frontend_ip_configuration {
name = "${local.frontend_ip_configuration_name}-private"
subnet_id = "${azurerm_subnet.frontend.id}"
private_ip_address_allocation = "Static"
private_ip_address = "10.254.0.10"
}
backend_address_pool {
name = "${local.backend_address_pool_name}"
}
backend_http_settings {
name = "${local.http_setting_name}"
cookie_based_affinity = "Disabled"
path = "/path1/"
port = 80
protocol = "Http"
request_timeout = 1
}
http_listener {
name = "${local.listener_name}"
frontend_ip_configuration_name = "${local.frontend_ip_configuration_name}"
frontend_port_name = "${local.frontend_port_name}"
protocol = "Http"
}
request_routing_rule {
name = "${local.request_routing_rule_name}"
rule_type = "Basic"
http_listener_name = "${local.listener_name}"
backend_address_pool_name = "${local.backend_address_pool_name}"
backend_http_settings_name = "${local.http_setting_name}"
}
}
注意: 2个应用网关不能使用同一个子网。因此,如果您要创建一个新的 appgw,那么您必须创建一个新的子网。
【讨论】: