Disable SNAT regardless of the destination IP address (Firewall) sinc…

…e forced tunneling is turned on (Azure#194) * testing snat * corrected string type * corrected list type * changed variable for private_ip_ranges to be more readbale to user Co-authored-by: jjansen23 <[email protected]>
ARPA-H · May 7, 2021 · 5c99272 · 5c99272
1 parent 15913b2
commit 5c99272
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 0 deletions.
diff --git a/src/modules/firewall/main.tf b/src/modules/firewall/main.tf
@@ -29,6 +29,7 @@ resource "azurerm_firewall" "firewall" {
   location            = data.azurerm_resource_group.hub.location
   resource_group_name = data.azurerm_resource_group.hub.name
   sku_tier            = var.firewall_sku
+  private_ip_ranges   = var.disable_snat_ip_range
   tags                = var.tags
 
   ip_configuration {

diff --git a/src/modules/firewall/variables.tf b/src/modules/firewall/variables.tf
@@ -49,3 +49,13 @@ variable "tags" {
   type        = map(string)
   default     = {}
 }
+
+# With forced tunneling on, Configure Azure Firewall to never SNAT regardless of the destination IP address, 
+# use 0.0.0.0/0 as your private IP address range. 
+# With this configuration, Azure Firewall can never route traffic directly to the Internet.
+# see: https://docs.microsoft.com/en-us/azure/firewall/snat-private-range
+variable "disable_snat_ip_range" {
+  description = "The address space to be used to ensure that SNAT is disabled."
+  default     = ["0.0.0.0/0"]
+  type        = list
+}