Azure Single Gateway Deployment

This Terraform configuration creates a basic Azure networking setup with an Enforza server acting as a gateway/router for private subnets.

Architecture Diagram

Single AZ Diagram

Components Created

Network Infrastructure

VNet: 10.0.0.0/16 address space
Public Subnet: 10.0.1.0/24 (contains Enforza gateway)
Private Subnet 1: 10.0.10.0/24 (routes via gateway)
Private Subnet 2: 10.0.20.0/24 (routes via gateway)

Enforza Gateway Server

VM: Standard_B1s Ubuntu 22.04 LTS
Role: Router/Gateway
IP: Static 10.0.1.4 (private) + dynamic public IP
Security: NSG with "permit any any" rules
Features:
- Enforza agent automatically installed, and registers to the Enforza Cloud Controller
- Routes traffic from private subnets to internet via Enforza gateway

Route Tables

Private Subnets: Default route (0.0.0.0/0) → Gateway (10.0.1.4)
Internet Access: Private subnet VMs route through gateway for outbound

Quick Start

Clone the repository and navigate to the Azure Single AZ directory:

git clone https://github.com/enforza/azure-terraform.git
cd azure-terraform/simple-single-az

Authenticate to Azure:
```
az login
```

Configure variables:

cp terraform.tfvars.example terraform.tfvars
# Edit terraform.tfvars with:
# - Your subscription ID
# - Your Enforza company ID
# - Authentication method (password or SSH key)

Deploy:

terraform init
terraform plan
terraform apply

Manage via the Enforza Cloud Controller:

The device will have automatically registered itself in the portal. Login, and under devices, you should see a newly provisioned device with no name.

Configure a name, associate with a policy, and push!

Authentication Options

Choose ONE method in terraform.tfvars:

Option 1: Password Authentication

admin_password = "YourSecurePassword123!"

Option 2: SSH Key Authentication (Recommended)

ssh_public_key = "ssh-rsa AAAAB3NzaC1yc2E... your-key-here"

Enforza Company ID

enforza_companyId = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"

You can get your enforza_companyId from the Enforza Cloud Controller portal here and navigating to "Profile" and copy/pasting Company ID.

Usage Examples

Deploy Private VMs (Optional)

After creating the gateway, you can deploy VMs in the private subnets. They will automatically route internet traffic through the gateway:

# Example: Add to main.tf to create private VM
resource "azurerm_network_interface" "private_vm" {
  name                = "private-vm-nic"
  location            = azurerm_resource_group.main.location
  resource_group_name = azurerm_resource_group.main.name

  ip_configuration {
    name                          = "internal"
    subnet_id                     = azurerm_subnet.private_1.id  # or private_2
    private_ip_address_allocation = "Dynamic"
  }
}

Monitor Traffic

SSH to the gateway and monitor routing:

# Watch traffic flowing through gateway
sudo tcpdump -i any -n host 10.0.10.0/24 or host 10.0.20.0/24

# Check routing table
ip route show

Test Connectivity from Private VMs

# From a private subnet VM (once deployed)
curl ifconfig.me  # Should show gateway's public IP
ping 8.8.8.8      # Should work via gateway

Cost Estimate

Monthly cost: ~$25-35 (UK South region)

Standard_B1s VM: ~$15-20/month
Storage (Premium SSD): ~$5/month
Public IP: ~$3/month
Networking: ~$2-7/month

Customization

Change VM Size

vm_size = "Standard_B2s"  # More powerful
vm_size = "Standard_B1ls" # Even cheaper (burstable)

Modify Network Ranges

vnet_address_space = ["192.168.0.0/16"]
public_subnet_prefix = "192.168.1.0/24"
private_subnet_1_prefix = "192.168.10.0/24"
private_subnet_2_prefix = "192.168.20.0/24"

Troubleshooting

Can't SSH to gateway?

Verify NSG rules allow SSH (should be "permit any any")
Check authentication method matches terraform.tfvars
Ensure public IP is assigned: az network public-ip show

Private VMs can't reach internet?

Verify route table association with private subnets
Check gateway's NAT rules are active
Ensure VMs in private subnets have route to 0.0.0.0/0 via 10.0.1.4

Security Note

This configuration uses "permit any any" NSG rules for simplicity. In production:

Restrict SSH to specific source IPs
Implement more granular firewall rules
Consider Azure Bastion for secure access
Use Key Vault for credentials

Clean Up

terraform destroy

This will remove all created resources and stop billing.

Architecture Diagram​

Components Created​

Network Infrastructure​

Enforza Gateway Server​

Route Tables​

Quick Start​

Authentication Options​

Option 1: Password Authentication​

Option 2: SSH Key Authentication (Recommended)​

Enforza Company ID​

Usage Examples​

Deploy Private VMs (Optional)​

Monitor Traffic​

Test Connectivity from Private VMs​

Cost Estimate​

Customization​

Change VM Size​

Modify Network Ranges​

Troubleshooting​

Can't SSH to gateway?​

Private VMs can't reach internet?​

Security Note​

Clean Up​