nsg.tf
//////////////////////// Subnet 2 NSG //////////////////////////////////////
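resource "azurerm_network_security_group" "nsg" {
  name                = "nsg-sub2"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name

  # Azure evaluates NSG rules from the LOWEST priority number upward and stops
  # at the first match, so a rule numbered 100 is processed FIRST, not last.
  # The previous ordering (deny-all at 100, AllowVNetInbound at 200) therefore
  # shadowed the allow rule whenever the deny matched, which is the opposite of
  # what its "applies last" comment intended. Custom priorities must be within
  # 100-4096; the platform defaults (AllowVnetInBound 65000,
  # AllowAzureLoadBalancerInBound 65001, DenyAllInBound 65500) run only after
  # every custom rule.

  # Allow traffic whose source is the VirtualNetwork service tag (this VNet and
  # anything reachable through it, e.g. peerings). Evaluated first.
  security_rule {
    name                       = "AllowVNetInbound"
    priority                   = 100
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "*"
    source_port_range          = "*"
    destination_port_range     = "*"
    source_address_prefix      = "VirtualNetwork"
    destination_address_prefix = "*"
  }

  # Deny anything whose source is the Internet service tag.
  security_rule {
    name                       = "DenyAllInbound"
    priority                   = 150
    direction                  = "Inbound"
    access                     = "Deny"
    protocol                   = "*"
    source_port_range          = "*"
    destination_port_range     = "*"
    source_address_prefix      = "Internet"
    destination_address_prefix = "*"
  }

  # Catch-all deny. 4096 is the highest (= last evaluated) custom priority,
  # which is what the original "applies last" comment meant. Because the source
  # is "*", this rule also precedes and overrides the default
  # AllowAzureLoadBalancerInBound (65001): if anything in this subnet is behind
  # an Azure Load Balancer, add an Allow rule for the "AzureLoadBalancer" tag
  # above this one or health probes will be dropped.
  # NOTE(review): the destination 20.105.224.0/24 is carried over unchanged. It
  # is not an RFC 1918 range; subnet-level NSG rules are matched against the
  # private address (a public IP is translated before NSG evaluation), so if
  # this is a public prefix rather than subnet2's address space the rule never
  # matches. An earlier revision used azurerm_subnet.subnet2.address_prefixes[0]
  # here; confirm which was intended, or use "*" as nsg-sub3 does.
  security_rule {
    name                       = "deny-all"
    priority                   = 4096
    direction                  = "Inbound"
    access                     = "Deny"
    protocol                   = "*"
    source_port_range          = "*"
    destination_port_range     = "*"
    source_address_prefix      = "*"
    destination_address_prefix = "20.105.224.0/24"
  }
}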
resource "azurerm_subnet_network_security_group_association" "assoc_app2_sub" {
  # Attach nsg-sub2 to subnet2; the NSG's rules then apply to every NIC in that subnet.
  network_security_group_id = azurerm_network_security_group.nsg.id
  subnet_id                 = azurerm_subnet.subnet2.id
}
//////////////////////// Subnet 3 NSG //////////////////////////////////////
resource "azurerm_network_security_group" "nsg-2" {
name = "nsg-sub3"
location = azurerm_resource_group.rg.location
resource_group_name = azurerm_resource_group.rg.name
# Block ALL inbound traffic
# Priority 100 is the first custom rule evaluated, and every custom rule
# precedes the platform defaults (AllowVnetInBound 65000,
# AllowAzureLoadBalancerInBound 65001), so this also denies traffic that
# originates inside the VNet.
# NOTE(review): this NSG is bound to the private-endpoint subnet (see
# assoc_pe_sub). NSG rules are only enforced on private-endpoint traffic when
# network policies for private endpoints are enabled on that subnet; the subnet
# definition is not in this file, so confirm whether this rule takes effect at
# all, and if it does, whether a blanket deny is intended, since it would block
# the VNet clients the private endpoint exists to serve.
security_rule {
name = "deny-all-inbound"
priority = 100
direction = "Inbound"
access = "Deny"
protocol = "*"
source_port_range = "*"
destination_port_range = "*"
source_address_prefix = "*"
destination_address_prefix = "*"
}
}
# Associate NSG with PE Subnet
resource "azurerm_subnet_network_security_group_association" "assoc_pe_sub" {
  # Attach nsg-sub3 to subnet3 (the private-endpoint subnet).
  network_security_group_id = azurerm_network_security_group.nsg-2.id
  subnet_id                 = azurerm_subnet.subnet3.id
}
//////////////////////// Subnet 1 NSG //////////////////////////////////////
resource "azurerm_network_security_group" "nsg-1" {
name = "nsg-sub1"
location = azurerm_resource_group.rg.location
resource_group_name = azurerm_resource_group.rg.name
# Deny all inbound traffic to subnet1's own address prefix.
# Azure processes NSG rules from the lowest priority number upward, so 200 is
# not "last": it is the only custom rule here, and every custom rule runs
# before the platform defaults (AllowVnetInBound 65000,
# AllowAzureLoadBalancerInBound 65001). With source "*" this therefore also
# blocks VNet-internal traffic and Azure Load Balancer health probes; add
# higher-priority (lower-numbered) Allow rules above it if either is needed.
security_rule {
name = "deny-all"
priority = 200 # Only custom rule; still evaluated before the 65000+ defaults
direction = "Inbound"
access = "Deny"
protocol = "*"
source_port_range = "*"
destination_port_range = "*"
source_address_prefix = "*"
destination_address_prefix = azurerm_subnet.subnet1.address_prefixes[0]
}
}
resource "azurerm_subnet_network_security_group_association" "assoc_app1_sub" {
  # Attach nsg-sub1 to subnet1.
  network_security_group_id = azurerm_network_security_group.nsg-1.id
  subnet_id                 = azurerm_subnet.subnet1.id
}
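# Removed: this was a second, identical declaration of
# resource "azurerm_network_security_group" "nsg-2" (name "nsg-sub3"), which
# already appears earlier in this file. Terraform does not allow two resource
# blocks with the same type and label in one module ("Duplicate resource ...
# configuration"), so the file as published fails `terraform validate`. The
# earlier declaration is the one referenced by assoc_pe_sub and is kept.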