Deploys a VPC/VNET/VCN and Aviatrix Transit gateways.
Module version | Terraform version | Controller version | Terraform provider version |
---|---|---|---|
v2.5.4 | >= 1.3.0 | >= 7.1 | ~>3.1.0 |
Check release notes for more details. Check Compatibility list for older versions.
Warning: Upgrading from v1.x to v2.x has breaking changes! This was done to provide compatibility with the mc-firenet module. Check release notes for more details.
See examples
The following variables are required:
key | value |
---|---|
cloud | Cloud where this is deployed. Valid values: "AWS", "Azure", "ALI", "OCI", "GCP" |
region | Cloud region to deploy this VPC/VNET/VCN in |
cidr | IP CIDR to use for this VPC/VNET/VCN |
account | The account name as known by the Aviatrix controller |
The following variables are optional. Where more than one default value is listed, the default depends on the cloud.
Key | Default value | Description |
---|---|---|
allocate_new_eip | null | When false, reuse an idle address in the Elastic IP pool for this gateway. Otherwise, allocate a new Elastic IP and use it for this gateway. |
approved_learned_cidrs | | A set of approved learned CIDRs. Only valid when enable_learned_cidrs_approval is set to true. Example: ["10.250.0.0/16", "10.251.0.0/16"] |
availability_domain | | Availability domain in OCI. |
az_support | true | Set to false if the region does not support Availability Zones. (Automatically set to false for gov and dod regions.) |
azure_eip_name_resource_group | null | Name of the public IP address resource and its resource group in Azure to be assigned to the Transit Gateway instance. |
az1 | a / az-1 / b | Concatenated with region to form AZ names, e.g. eu-central-1a. Only used for insane mode and AWS GWLB. |
az2 | b / az-2 / c | Concatenated with region to form AZ names, e.g. eu-central-1b. Only used for insane mode and AWS GWLB. If az1 and az2 are equal, single AZ mode (deploy everything in one AZ) is triggered. |
bgp_ecmp | false | Enable Equal Cost Multi Path (ECMP) routing for the next hop. |
bgp_hold_time | 180 | Set the BGP hold time. |
bgp_lan_interfaces | | A list of interfaces to run the BGP protocol on top of the ethernet interface. List of objects with the structure described below. |
bgp_lan_interfaces_count | | Number of interfaces that will be created for a BGP over LAN enabled Azure transit. |
bgp_manual_spoke_advertise_cidrs | | Intended CIDR list to advertise via BGP. Example: "10.2.0.0/16,10.4.0.0/16" |
bgp_polling_time | 50 | BGP route polling time, in seconds. |
connected_transit | true | Set to false to disable connected_transit. |
customized_transit_vpc_routes | | A list of CIDRs to be customized for the transit VPC routes. |
customer_managed_keys | | Customer managed key ID for EBS volume encryption. |
eip | null | Required when allocate_new_eip is false. Uses the specified EIP for this gateway. |
enable_active_standby | false | Enables Active-Standby mode. Available only with HA enabled. |
enable_active_standby_preemptive | false | Enables Preemptive mode for Active-Standby. Available only with BGP enabled, HA enabled and Active-Standby enabled. |
enable_advertise_transit_cidr | false | Switch to enable/disable advertising the transit VPC network CIDR for a VGW connection. |
enable_bgp_over_lan | false | Enable BGP over LAN. Creates an interface for integration with SD-WAN or other BGP peerings over LAN. |
enable_egress_transit_firenet | false | Enable Egress Transit FireNet. |
enable_encrypt_volume | false | Set to true to enable EBS volume encryption for the gateway. |
enable_firenet | false | Sign of readiness for FireNet connection with TGW. |
enable_gateway_load_balancer | false | Enable FireNet interfaces with AWS Gateway Load Balancer. |
enable_gro_gso | true | Enable GRO/GSO for this transit gateway. |
enable_monitor_gateway_subnets | false | If set to true, the Monitor Gateway Subnets feature in AWS is enabled. |
enable_multi_tier_transit | false | Switch to enable multi-tier transit. |
enable_s2c_rx_balancing | false | Toggles S2C receive packet CPU re-balancing on the transit gateway. |
enable_segmentation | false | Switch to true to enable transit segmentation. |
enable_transit_firenet | false | Sign of readiness for Transit FireNet connection. |
enable_transit_summarize_cidr_to_tgw | false | Enable summarizing CIDRs to TGW. |
enable_preserve_as_path | false | Enable preserving the AS path when advertising manual summary CIDRs on a BGP transit gateway. |
enable_vpc_dns_server | null | Enable VPC DNS server for the gateway. |
excluded_advertised_spoke_routes | null | A list of comma-separated CIDRs to be advertised to on-prem as 'Excluded CIDR List'. |
fault_domain | | Fault domain in OCI. |
filtered_spoke_vpc_routes | | A list of comma-separated CIDRs to be filtered from the spoke VPC route table. |
gw_name | | Name for the transit gateway. |
gw_subnet | | Subnet CIDR, for using an existing VPC. Required when use_existing_vpc is enabled. Make sure this is a public subnet. |
ha_availability_domain | | Availability domain in OCI for the HA gateway. |
ha_azure_eip_name_resource_group | null | Name of the public IP address resource and its resource group in Azure to be assigned to the Transit Gateway instance. |
ha_bgp_lan_interfaces | | A list of interfaces to run the BGP protocol on top of the ethernet interface. List of objects with the structure described below. |
ha_cidr | | The IP CIDR to be used to create the ha_region spoke subnet. Only required when ha_region is set. |
ha_eip | null | Required when allocate_new_eip is false. Uses the specified EIP for this gateway. |
ha_fault_domain | | Fault domain in OCI for the HA gateway. |
ha_gw | true | Set to false if you only want to deploy a single Aviatrix spoke gateway. |
ha_region | | Region for multi-region HA. HA is multi-AZ single region by default, but becomes multi-region when this is set. |
hagw_subnet | | Subnet CIDR, for using an existing VPC. Required when use_existing_vpc is enabled and ha_gw is true. Make sure this is a public subnet. |
hybrid_connection | false | Sign of readiness for TGW connection. |
insane_mode | false | Set to true to enable insane mode encryption. |
instance_size (insane mode/firenet) | c5n.xlarge / Standard_D3_v2 / n1-highcpu-4 / VM.Standard2.4 | The size of the Aviatrix transit gateways when insane mode or Transit FireNet is enabled. |
instance_size | t3.medium / Standard_B1ms / n1-standard-1 / VM.Standard2.2 / ecs.g5ne.large | The size of the Aviatrix transit gateways. |
lan_cidr | | CIDR for the LAN VPC for GCP FireNet. Only required when deploying in GCP and enable_transit_firenet is true. |
learned_cidr_approval | false | Switch to true to enable learned CIDR approval. |
learned_cidrs_approval_mode | gateway | Learned CIDRs approval mode. Valid values: gateway, connection |
local_as_number | | Changes the Aviatrix Transit Gateway ASN before you set up Aviatrix Transit Gateway connection configurations. |
name | `avx-<region>-transit` | Name for this Transit VPC/VNET/VCN and its gateways. The gateway name can be overridden with gw_name. |
private_mode_lb_vpc_id | | VPC ID of the Private Mode load balancer. Required when Private Mode is enabled on the Controller. |
private_mode_subnets | | Switch to only launch private subnets. Only available when Private Mode is enabled on the Controller. |
resource_group | | Specify an existing resource group to deploy transit resources into. |
rx_queue_size | | Gateway ethernet interface RX queue size. Once set, it can't be deleted or disabled. |
single_az_ha | true | Set to false if Controller-managed Gateway HA is desired. |
single_ip_snat | false | Specify whether to enable the Source NAT feature in single_ip mode on the gateway. Disable the AWS NAT instance before enabling this feature. Currently only supports AWS(1) and AZURE(8). |
tags | | Map of tags to assign to the gateway. |
tunnel_detection_time | 60 | The IPsec tunnel down detection time for the Spoke Gateway in seconds. Must be a number in the range [20-600]. |
use_existing_vpc | false | Set to true to use an existing VPC. |
vpc_id | | VPC ID, for using an existing VPC. |
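A complete invocation of the module, added here as an illustration and not taken from the module's own examples. It supplies the four required inputs and turns on the optional settings a security-conscious deployment would want: an HA pair spread across two AZs, encrypted gateway volumes under a customer managed key, transit segmentation, and learned-CIDR approval with an explicit allow list. The registry source address is assumed from the usual Terraform registry naming; the account name, key ID, region and CIDRs are constructed placeholders. The version is the one from the compatibility table above.

```hcl
# Added example (not part of the module's own documentation). Variable names,
# defaults and the module version come from the tables above; the registry
# source address, account name, KMS key ID and CIDRs are assumptions.
module "transit_aws" {
  source  = "terraform-aviatrix-modules/mc-transit/aviatrix" # assumed registry path
  version = "2.5.4"

  # Required inputs
  cloud   = "AWS"
  region  = "eu-central-1"
  cidr    = "10.1.0.0/23"
  account = "aws-prod-account" # account name as known by the Aviatrix controller (placeholder)

  # Optional naming; the default would be avx-eu-central-1-transit anyway
  name = "avx-eu-central-1-transit"

  # Resilience: keep the default HA pair and place the two gateways in separate AZs
  # (az1/az2 are concatenated with region, e.g. eu-central-1a and eu-central-1b).
  ha_gw = true
  az1   = "a"
  az2   = "b"

  # Data protection: encrypt gateway EBS volumes with a customer managed key
  enable_encrypt_volume = true
  customer_managed_keys = "KMS_KEY_ID_PLACEHOLDER"

  # Routing controls: segment spokes and do not install learned routes without approval.
  # approved_learned_cidrs is only honoured when learned CIDR approval is enabled.
  connected_transit           = true
  enable_segmentation         = true
  learned_cidr_approval       = true
  learned_cidrs_approval_mode = "gateway"
  approved_learned_cidrs      = ["10.250.0.0/16", "10.251.0.0/16"]

  # Keep a management prefix out of what on-prem learns via BGP (comma-separated string)
  excluded_advertised_spoke_routes = "10.99.0.0/24"

  tags = {
    owner = "network-security"
    env   = "prod"
  }
}
```

With `learned_cidr_approval` set, routes learned over BGP that are not in `approved_learned_cidrs` are held for approval on the controller instead of being installed on the transit, which is the behaviour you want when a remote peer or SD-WAN appliance could advertise prefixes that overlap your own address space.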
The bgp_lan_interfaces and ha_bgp_lan_interfaces accept lists of objects with the following structure.
key | optional | default | description |
---|---|---|---|
vpc_id | true | `avx-<region>-transit-bgp-<bgp interface index>` for bgp_lan_interfaces, `avx-<region>-transit-ha-bgp-<bgp interface index>` for ha_bgp_lan_interfaces | Name of the VPC for the interface(s). Required if the VPC/subnet exists. |
subnet | false | | Subnet CIDR of the subnet to use. |
create_vpc | true | true if vpc_id is empty, false if vpc_id is populated | Create the BGP over LAN VPC. Required as true if specifying the VPC name. |
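The object structure above in use, as an added example that is not from the module's own examples. It deploys a GCP transit with BGP over LAN and two LAN interfaces per gateway: one where the module creates the LAN VPC (create_vpc falls back to true because vpc_id is empty) and one attached to a pre-existing VPC by name. Cloud, region, CIDRs and the VPC name are constructed; the registry source address is assumed.

```hcl
# Added example (not part of the module's own documentation). The interface
# objects follow the key/optional/default table above; all names and CIDRs
# are constructed and the registry source path is an assumption.
module "transit_gcp" {
  source  = "terraform-aviatrix-modules/mc-transit/aviatrix" # assumed registry path
  version = "2.5.4"

  cloud   = "GCP"
  region  = "us-east1"
  cidr    = "10.2.0.0/23"
  account = "gcp-prod-account" # placeholder

  enable_bgp_over_lan = true

  bgp_lan_interfaces = [
    # Interface 0: only the mandatory subnet is given, so the module creates a
    # VPC named avx-us-east1-transit-bgp-0 for it.
    {
      subnet = "10.2.10.0/24"
    },
    # Interface 1: peer inside an existing VPC. vpc_id is populated, so
    # create_vpc defaults to false; it is set explicitly here for readability.
    {
      vpc_id     = "sdwan-peering-vpc" # existing VPC name (constructed)
      subnet     = "10.2.20.0/24"
      create_vpc = false
    },
  ]

  # The HA gateway gets its own interface list, mirrored one-to-one. Interface 0
  # lands in a module-created VPC named avx-us-east1-transit-ha-bgp-0.
  ha_bgp_lan_interfaces = [
    {
      subnet = "10.2.11.0/24"
    },
    {
      vpc_id     = "sdwan-peering-vpc"
      subnet     = "10.2.21.0/24"
      create_vpc = false
    },
  ]
}
```

Keeping the two lists the same length and in the same order matters because the HA interfaces are indexed alongside the primary ones; a mismatch is the usual cause of a plan that creates a LAN VPC for one gateway but not the other.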
This module will return the following outputs:
key | description |
---|---|
vpc | The created VPC as an object with all of its attributes (when use_existing_vpc is false). Created using the aviatrix_vpc resource. |
transit_gateway | The created Aviatrix transit gateway as an object with all of its attributes. |
mc_firenet_details | Outputs specific to composing with the mc-firenet module. |
module_metadata | Information about the module, such as the module version. |
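Consuming these outputs from a root module, as an added example rather than code from the module itself. Besides forwarding the IDs that spoke modules need, it uses Terraform output preconditions (available since 1.2, so covered by the >= 1.3.0 requirement above) to fail the plan if the transit was deployed without an HA pair or without volume encryption. The attribute names read from the `transit_gateway` object (`gw_name`, `ha_gw_name`, `enable_encrypt_volume`) and from the `vpc` object (`vpc_id`) are those of the underlying aviatrix_transit_gateway and aviatrix_vpc resources and should be treated as assumptions to verify against your provider version; `module.transit` refers to an instance of this module declared elsewhere.

```hcl
# Added example (not part of the module's own documentation). Attribute names on
# the transit_gateway and vpc output objects are assumed from the wrapped
# aviatrix_transit_gateway / aviatrix_vpc resources; check them against your
# provider version. module.transit is assumed to be declared in the same root module.

output "transit_vpc_id" {
  description = "VPC ID for spokes to attach to; null when use_existing_vpc is true and the module created no VPC"
  # The vpc output is only populated when the module created the VPC, so guard the lookup.
  value = try(module.transit.vpc.vpc_id, null)
}

output "transit_gateway_names" {
  description = "Primary and HA transit gateway names"
  value = {
    primary = module.transit.transit_gateway.gw_name
    ha      = module.transit.transit_gateway.ha_gw_name
  }

  # Guardrail: refuse to plan a transit that lost its HA pair (ha_gw = false).
  # ha_gw_name may be null or empty when there is no HA gateway, hence the try().
  precondition {
    condition     = try(length(module.transit.transit_gateway.ha_gw_name), 0) > 0
    error_message = "Transit gateway must be deployed as an HA pair (set ha_gw = true)."
  }

  # Guardrail: refuse to plan a transit whose gateway volumes are unencrypted.
  precondition {
    condition     = module.transit.transit_gateway.enable_encrypt_volume
    error_message = "Transit gateway volumes must be encrypted (set enable_encrypt_volume = true)."
  }
}

output "transit_module_version" {
  description = "Module metadata, including the module version, for inventory and drift tracking"
  value       = module.transit.module_metadata
}
```

The preconditions turn settings that are otherwise just table defaults into a policy the plan enforces: a later tfvars change that flips `ha_gw` or `enable_encrypt_volume` back to a weaker value fails at plan time with the stated message instead of quietly redeploying the transit in a degraded state.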