This repository builds out an ingress scenario leveraging Aviatrix on AWS using a 3-tier Wordpress Application.
It builds the following:
- Aviatrix Transit in us-east-1 with FireNet having Palo Alto Networks VM-series Firewalls.
- Aviatrix Transit in us-east-2 without FireNet.
- 3 Spoke VPCs (Ingress, Proxy, Web) attached to the Aviatrix Transit in us-east-1.
- 1 Spoke VPC (Database) attached to the Aviatrix Transit in us-east-2.
- WordPress Application (Proxy, Web and Database).
- Central Application Load Balancer (ALB) configured in the Ingress VPC.
- Proxy LB (NLB) that services the Proxy tier of the application.
- 3 x Ubuntu VMs (Proxy, Web, Database) that are private and get outbound internet access through the PAN FWs.
- The Palo Alto firewalls are also bootstrapped as part of the Terraform code.
- Aviatrix Controller UserConnect-6.8.1148
- Versions of the Aviatrix and AWS providers can be found in versions.tf.
- Software version requirements met
- Aviatrix Controller and CoPilot (highly recommended) need to be up and running.
- Onboarding the AWS Account is automated
- Sufficient limits in place for CSPs and regions in scope (EIPs, Compute quotas, etc.)
- Active subscriptions for the NGFW firewall images in scope
Firewall bootstrapping is a key pillar of the architecture, as it is required for the 3 x VMs (Proxy, Web and DB) to download the required packages in a secure fashion. Thus, firewall bootstrapping needs to take place before the creation of the 3 instances. For FW bootstrapping, follow the steps found here: https://docs.aviatrix.com/HowTos/bootstrap_example.html
In a nutshell, you need to create the IAM role, attach it to the PAN FW instance(s) and put the relevant files in the S3 directory.
The S3 directory should look like the screenshot below. The variable name for the S3 bucket is pan_fw_s3_bucket_bootstrap and should be changed to match your bucket name.
The contents of the config folder should look like the screenshot below. Both files, bootstrap.xml and init.cfg, are included in the GitHub repository for your use.
PAN FW bootstrapping is a requirement. Refer to the PAN FW bootstrapping section above and download the two files bootstrap.xml and init.cfg from https://github.com/karimjamali/terraform-aviatrix-aws-ingress
- home_ip: must be an IP address with mask for a single host, in the form 1.1.1.1/32.
- role_fw_s3: the IAM role attached to the FW instance(s) to access S3 for bootstrapping.
- pan_fw_s3_bucket_bootstrap: the S3 bucket that hosts the bootstrap content.
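The following is an added Terraform example, not code from this repository, showing one way to build the bootstrap package and the IAM role described above so that their names can be fed into the pan_fw_s3_bucket_bootstrap and role_fw_s3 variables. The bucket name, role name and the assumption that the module takes the role's name (rather than the instance profile's) are placeholders to adapt; bootstrap.xml and init.cfg are the two files shipped in the repository, assumed to sit next to this configuration. The empty content/, license/ and software/ keys are created because the PAN bootstrap package layout expects all four top-level folders to exist.

```hcl
# Added example (not part of the module): private, encrypted S3 bootstrap
# bucket plus a least-privilege read-only role for the PAN VM-Series instances.

variable "bootstrap_bucket_name" {
  type        = string
  description = "Globally unique bucket name; feeds pan_fw_s3_bucket_bootstrap"
  default     = "example-pan-fw-bootstrap" # assumption: replace with your own
}

resource "aws_s3_bucket" "fw_bootstrap" {
  bucket = var.bootstrap_bucket_name
}

# The bucket holds the firewall's initial configuration, so keep it private
# and encrypted at rest; the firewall reads it through its IAM role, not ACLs.
resource "aws_s3_bucket_public_access_block" "fw_bootstrap" {
  bucket                  = aws_s3_bucket.fw_bootstrap.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

resource "aws_s3_bucket_server_side_encryption_configuration" "fw_bootstrap" {
  bucket = aws_s3_bucket.fw_bootstrap.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}

# config/ carries the two files from the repository; the other three folders
# are created empty so the layout matches what the firewall looks for.
resource "aws_s3_object" "bootstrap_xml" {
  bucket = aws_s3_bucket.fw_bootstrap.id
  key    = "config/bootstrap.xml"
  source = "${path.module}/bootstrap.xml" # assumption: file is next to this config
  etag   = filemd5("${path.module}/bootstrap.xml")
}

resource "aws_s3_object" "init_cfg" {
  bucket = aws_s3_bucket.fw_bootstrap.id
  key    = "config/init.cfg"
  source = "${path.module}/init.cfg"
  etag   = filemd5("${path.module}/init.cfg")
}

resource "aws_s3_object" "empty_folders" {
  for_each = toset(["content/", "license/", "software/"])
  bucket   = aws_s3_bucket.fw_bootstrap.id
  key      = each.value
  content  = ""
}

# Role assumed by the firewall EC2 instances; its name feeds role_fw_s3.
resource "aws_iam_role" "fw_bootstrap" {
  name = "pan-fw-bootstrap-role" # assumption: pick your own name
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "ec2.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}

# Least privilege: list this one bucket and read its objects, nothing else.
resource "aws_iam_role_policy" "fw_bootstrap_read" {
  name = "pan-fw-bootstrap-read"
  role = aws_iam_role.fw_bootstrap.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect   = "Allow"
        Action   = ["s3:ListBucket"]
        Resource = aws_s3_bucket.fw_bootstrap.arn
      },
      {
        Effect   = "Allow"
        Action   = ["s3:GetObject"]
        Resource = "${aws_s3_bucket.fw_bootstrap.arn}/*"
      }
    ]
  })
}

# EC2 attaches roles via an instance profile.
resource "aws_iam_instance_profile" "fw_bootstrap" {
  name = aws_iam_role.fw_bootstrap.name
  role = aws_iam_role.fw_bootstrap.name
}

output "pan_fw_s3_bucket_bootstrap" {
  value = aws_s3_bucket.fw_bootstrap.id
}

output "role_fw_s3" {
  value = aws_iam_role.fw_bootstrap.name
}
```

Apply this before the module so the bucket is populated when the firewalls boot; the two outputs are the values to paste into the module block. Because the bucket uses SSE-S3 (AES256) rather than KMS, the etag still equals the file's MD5, so Terraform detects when bootstrap.xml or init.cfg changes locally and re-uploads it.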
```hcl
module "aws-ingress" {
  source  = "karimjamali/aws-ingress/aviatrix"
  version = "1.18.0"

  avx_controller_ip          = ""
  avx_controller_username    = ""
  avx_controller_password    = ""
  aws_account_number         = ""
  aws_acess_key              = ""
  aws_secret_key             = ""
  home_ip                    = ""
  pan_fw_s3_bucket_bootstrap = ""
  role_fw_s3                 = ""
}
```
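As an added example that is not part of this repository, the same module call can be driven from declared variables instead of literal strings, so that the controller password and AWS keys are marked sensitive (redacted from plan and apply output) and never need to be committed, and so that a malformed home_ip is rejected at plan time. The module argument names are taken from the block above as spelled there (including aws_acess_key); the local variable names are this example's own.

```hcl
# Added example (not the module's own code): inputs as variables, secrets
# marked sensitive, home_ip validated as a single IPv4 host in CIDR form.

variable "avx_controller_ip"       { type = string }
variable "avx_controller_username" { type = string }

variable "avx_controller_password" {
  type      = string
  sensitive = true
}

variable "aws_account_number" { type = string }

variable "aws_access_key" {
  type      = string
  sensitive = true
}

variable "aws_secret_key" {
  type      = string
  sensitive = true
}

# The module wants exactly one host, e.g. 1.1.1.1/32. The regex pins the
# shape and cidrhost() fails on out-of-range octets, so 999.1.1.1/32 is
# rejected as well.
variable "home_ip" {
  type = string
  validation {
    condition = (
      can(regex("^(\\d{1,3}\\.){3}\\d{1,3}/32$", var.home_ip))
      && can(cidrhost(var.home_ip, 0))
    )
    error_message = "home_ip must be a single IPv4 host in CIDR form, e.g. 1.1.1.1/32."
  }
}

variable "pan_fw_s3_bucket_bootstrap" { type = string }
variable "role_fw_s3"                 { type = string }

module "aws-ingress" {
  source  = "karimjamali/aws-ingress/aviatrix"
  version = "1.18.0"

  avx_controller_ip          = var.avx_controller_ip
  avx_controller_username    = var.avx_controller_username
  avx_controller_password    = var.avx_controller_password
  aws_account_number         = var.aws_account_number
  aws_acess_key              = var.aws_access_key # argument name as the module spells it
  aws_secret_key             = var.aws_secret_key
  home_ip                    = var.home_ip
  pan_fw_s3_bucket_bootstrap = var.pan_fw_s3_bucket_bootstrap
  role_fw_s3                 = var.role_fw_s3
}
```

Supply the sensitive values through the environment (for example `TF_VAR_avx_controller_password`, `TF_VAR_aws_access_key`, `TF_VAR_aws_secret_key`) or through a terraform.tfvars file listed in .gitignore; the non-secret values can live in a committed tfvars file. Note that `sensitive = true` only redacts values from CLI output; they are still written to the state file, so the state backend needs the same access controls as the secrets themselves.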
The following are not required to run the code, but are useful if you want to make changes:
- The Ubuntu VMs (Proxy, Web and DB) have the username ubuntu; their password is held in the variable ubuntu_vms_password.
- The variables proxy-lb-1 and proxy-lb-2 are the static addresses configured on the NLB.
- The variables pan_fw_username and pan_fw_password hold the username and password for the PAN FWs. You can't change these values unless you also change the bootstrap package. The pan_fw_username is admin and the pan_fw_password is Aviatrix123#
- The VMs are private; however, they get outbound internet connectivity through the PAN FWs, so bootstrapping is required for the VMs to download the packages needed to run WordPress.