你当前正在访问 Microsoft Azure Global Edition 技术文档网站。 如果需要访问由世纪互联运营的 Microsoft Azure 中国技术文档网站,请访问 https://docs.azure.cn。
在本快速入门中,你将使用 Terraform 创建 Azure ExpressRoute 线路及其关联的基础结构。 Terraform 模板创建完整的 ExpressRoute 设置,其中包括虚拟网络、ExpressRoute 网关、线路配置和专用对等互连。 所有资源都使用可配置的参数进行部署,以便根据特定要求自定义部署。
使用 Terraform 可以定义、预览和部署云基础结构。 使用 Terraform 时,请使用 HCL 语法来创建配置文件。 利用 HCL 语法,可指定 Azure 这样的云提供程序和构成云基础结构的元素。 创建配置文件后,请创建一个执行计划,利用该计划,可在部署基础结构更改之前先预览这些更改。 验证了更改后,请应用该执行计划以部署基础结构。
在本文中,学习如何:
- 创建具有唯一名称的 Azure 资源组
- 创建包含网关子网的虚拟网络
- 创建具有可配置 SKU 的 ExpressRoute 网关
- 创建具有可配置服务提供商参数的 ExpressRoute 电路
- 配置 ExpressRoute 线路的专用对等互连
- 输出密钥资源标识符和配置详细信息
Prerequisites
创建具有活动订阅的 Azure 帐户。 你可以免费创建一个帐户。
实现 Terraform 代码
注意
本文中的示例代码位于 Azure Terraform GitHub 存储库中。 你可以查看包含当前和以前 Terraform 版本的测试结果的日志文件。
有关更多示例,请参阅演示如何使用 Terraform 管理 Azure 资源的文章和示例代码。
创建用于测试和运行示例 Terraform 代码的目录,并将其设为当前目录。
创建名为
main.tf的文件并插入以下代码:# Create Resource Group resource "random_pet" "rg_name" { prefix = var.resource_group_name_prefix } resource "azurerm_resource_group" "rg" { location = var.resource_group_location name = random_pet.rg_name.id tags = var.tags } # Random String for unique naming resource "random_string" "name" { length = 8 special = false upper = false lower = true numeric = false } # Create Virtual Network resource "azurerm_virtual_network" "vnet" { name = "vnet-${random_string.name.result}" address_space = var.virtual_network_address_space location = azurerm_resource_group.rg.location resource_group_name = azurerm_resource_group.rg.name tags = var.tags } # Create ExpressRoute Gateway using Azure Verified Module with HOBO module "expressroute_gateway" { source = "Azure/avm-ptn-vnetgateway/azurerm" version = "~> 0.10.0" # Basic Configuration location = azurerm_resource_group.rg.location name = "vgw-${random_string.name.result}" parent_id = azurerm_resource_group.rg.id # ExpressRoute Gateway Configuration type = "ExpressRoute" sku = var.gateway_sku hosted_on_behalf_of_public_ip_enabled = var.enable_hosted_on_behalf_of_public_ip # Enable Azure-managed public IP (HOBO) # Virtual Network Configuration virtual_network_id = azurerm_virtual_network.vnet.id subnet_address_prefix = var.gateway_subnet_address_prefix # GatewaySubnet CIDR # Optional: Enable telemetry for Azure Verified Module enable_telemetry = true # Express Route Circuit Connection (if circuit is provided) express_route_circuits = var.express_route_circuit_id != null ? { "primary" = { id = var.express_route_circuit_id connection = { authorization_key = var.express_route_authorization_key } } } : {} tags = merge(var.tags, { environment = "production" project = "expressroute-hobo" gateway_type = "ExpressRoute" deployment = "azure-verified-module" }) depends_on = [azurerm_virtual_network.vnet] } # Create ExpressRoute Circuit (if enabled) resource "azurerm_express_route_circuit" "circuit" { count = var.create_express_route_circuit ? 1 : 0 name = "erc-${random_string.name.result}" resource_group_name = azurerm_resource_group.rg.name location = azurerm_resource_group.rg.location service_provider_name = var.service_provider_name peering_location = var.peering_location bandwidth_in_mbps = var.bandwidth_in_mbps sku { tier = var.circuit_sku_tier family = var.circuit_sku_family } tags = merge(var.tags, { environment = "production" project = "expressroute-hobo" }) } # Create ExpressRoute Circuit Peering (if circuit is created) resource "azurerm_express_route_circuit_peering" "private" { count = var.create_express_route_circuit && var.create_private_peering ? 1 : 0 peering_type = "AzurePrivatePeering" express_route_circuit_name = azurerm_express_route_circuit.circuit[0].name resource_group_name = azurerm_resource_group.rg.name primary_peer_address_prefix = var.primary_peer_address_prefix secondary_peer_address_prefix = var.secondary_peer_address_prefix vlan_id = var.vlan_id peer_asn = var.peer_asn }创建名为
outputs.tf的文件并插入以下代码:output "resource_group_name" { description = "Name of the resource group" value = azurerm_resource_group.rg.name } output "express_route_circuit_id" { description = "ID of the ExpressRoute circuit (if created)" value = var.create_express_route_circuit ? azurerm_express_route_circuit.circuit[0].id : null } output "express_route_circuit_service_key" { description = "Service key for the ExpressRoute circuit (if created)" value = var.create_express_route_circuit ? azurerm_express_route_circuit.circuit[0].service_key : null sensitive = true } output "gateway_id" { description = "ID of the ExpressRoute Virtual Network Gateway" value = module.expressroute_gateway.virtual_network_gateway.id } output "gateway_name" { description = "Name of the ExpressRoute Virtual Network Gateway" value = module.expressroute_gateway.virtual_network_gateway.name } output "gateway_subnet_id" { description = "ID of the GatewaySubnet created by the module" value = module.expressroute_gateway.subnet.id } output "hosted_on_behalf_of_public_ip_note" { description = "Information about the Azure-managed public IP for ExpressRoute gateway" value = "This ExpressRoute Virtual Network Gateway uses an Azure-managed public IP address. The public IP is automatically provisioned and managed by Azure, and is not visible in your subscription's public IP resources. This feature is only available for ExpressRoute gateways, not VPN gateways." } output "public_ip_addresses" { description = "Public IP addresses created by the module (empty when using HOBO for ExpressRoute)" value = module.expressroute_gateway.public_ip_addresses } output "virtual_network_id" { description = "ID of the virtual network" value = azurerm_virtual_network.vnet.id } output "virtual_network_gateway_connections" { description = "Virtual Network Gateway Connections created by the module" value = module.expressroute_gateway.virtual_network_gateway_connections }创建名为
providers.tf的文件并插入以下代码:terraform { required_version = ">= 1.3" required_providers { azapi = { source = "Azure/azapi" version = "~> 2.4" } azurerm = { source = "hashicorp/azurerm" version = "~> 4.0" } random = { source = "hashicorp/random" version = "~> 3.5" } } } provider "azurerm" { features {} }创建名为
variables.tf的文件并插入以下代码:variable "resource_group_location" { type = string default = "eastus" description = "Location of the resource group." } variable "resource_group_name_prefix" { type = string default = "rg" description = "Prefix of the resource group name that's combined with a random ID so name is unique in your Azure subscription." } variable "tags" { type = map(string) default = {} description = "A map of tags to assign to all resources." } # Virtual Network Configuration variable "virtual_network_address_space" { type = list(string) default = ["10.0.0.0/16"] description = "The address space that is used by the virtual network." validation { condition = length(var.virtual_network_address_space) > 0 error_message = "At least one address space must be provided." } } variable "gateway_subnet_address_prefix" { type = string default = "10.0.0.0/24" description = "The address prefix for the GatewaySubnet. Must be at least /29." validation { condition = can(cidrhost(var.gateway_subnet_address_prefix, 0)) && tonumber(split("/", var.gateway_subnet_address_prefix)[1]) <= 29 error_message = "gateway_subnet_address_prefix must be a valid CIDR block with at least /29 prefix." } } # ExpressRoute Gateway Configuration variable "gateway_sku" { type = string default = "ErGw1AZ" description = "The SKU of the ExpressRoute Virtual Network Gateway. Valid values: ErGw1AZ, ErGw2AZ, ErGw3AZ, ErGwScale, HighPerformance, Standard, UltraPerformance." validation { condition = contains(["ErGw1AZ", "ErGw2AZ", "ErGw3AZ", "ErGwScale", "HighPerformance", "Standard", "UltraPerformance"], var.gateway_sku) error_message = "gateway_sku must be one of: ErGw1AZ, ErGw2AZ, ErGw3AZ, ErGwScale, HighPerformance, Standard, UltraPerformance." } } variable "enable_hosted_on_behalf_of_public_ip" { type = bool default = true description = "Enable Azure-managed public IP for the ExpressRoute gateway (HOBO feature). When enabled, Azure manages the public IP internally and it won't appear in your subscription." } # ExpressRoute Circuit Configuration variable "create_express_route_circuit" { type = bool default = true description = "Whether to create an ExpressRoute circuit. Set to false if you want to connect to an existing circuit." } variable "express_route_circuit_id" { type = string default = null description = "ID of an existing ExpressRoute circuit to connect to. Only used if create_express_route_circuit is false." } variable "express_route_authorization_key" { type = string default = null description = "Authorization key for connecting to an existing ExpressRoute circuit." sensitive = true } variable "service_provider_name" { type = string default = "Equinix" description = "The name of the ExpressRoute circuit service provider." } variable "peering_location" { type = string default = "Washington DC" description = "The name of the peering location and not the Azure resource location." } variable "bandwidth_in_mbps" { type = number default = 50 description = "The bandwidth in Mbps of the ExpressRoute circuit." validation { condition = contains([50, 100, 200, 500, 1000, 2000, 5000, 10000], var.bandwidth_in_mbps) error_message = "bandwidth_in_mbps must be one of: 50, 100, 200, 500, 1000, 2000, 5000, 10000." } } variable "circuit_sku_tier" { type = string default = "Standard" description = "The service tier of the ExpressRoute circuit SKU." validation { condition = contains(["Basic", "Local", "Standard", "Premium"], var.circuit_sku_tier) error_message = "circuit_sku_tier must be one of: Basic, Local, Standard, Premium." } } variable "circuit_sku_family" { type = string default = "MeteredData" description = "The billing mode for the ExpressRoute circuit SKU." validation { condition = contains(["MeteredData", "UnlimitedData"], var.circuit_sku_family) error_message = "circuit_sku_family must be either MeteredData or UnlimitedData." } } # ExpressRoute Private Peering Configuration variable "create_private_peering" { type = bool default = true description = "Whether to create Azure Private Peering for the ExpressRoute circuit." } variable "primary_peer_address_prefix" { type = string default = "192.168.10.16/30" description = "A /30 subnet for the primary link." validation { condition = can(cidrhost(var.primary_peer_address_prefix, 0)) error_message = "primary_peer_address_prefix must be a valid CIDR block." } } variable "secondary_peer_address_prefix" { type = string default = "192.168.10.20/30" description = "A /30 subnet for the secondary link." validation { condition = can(cidrhost(var.secondary_peer_address_prefix, 0)) error_message = "secondary_peer_address_prefix must be a valid CIDR block." } } variable "vlan_id" { type = number default = 200 description = "A valid VLAN ID to establish this peering on." validation { condition = var.vlan_id >= 1 && var.vlan_id <= 4094 error_message = "vlan_id must be between 1 and 4094." } } variable "peer_asn" { type = number default = 65001 description = "A valid private ASN for the customer side BGP session." validation { condition = (var.peer_asn >= 64512 && var.peer_asn <= 65534) || (var.peer_asn >= 4200000000 && var.peer_asn <= 4294967294) error_message = "peer_asn must be a valid private ASN (64512-65534 or 4200000000-4294967294)." } }
初始化 Terraform
运行 terraform init,将 Terraform 部署进行初始化。 此命令将下载管理 Azure 资源所需的 Azure 提供程序。
terraform init -upgrade
要点:
- 参数
-upgrade可将必要的提供程序插件升级到符合配置版本约束的最新版本。
创建 Terraform 执行计划
运行 terraform plan 以创建执行计划。
terraform plan -out main.tfplan
要点:
-
terraform plan命令将创建一个执行计划,但不会执行它。 它会确定创建配置文件中指定的配置需要执行哪些操作。 此模式允许你在对实际资源进行任何更改之前验证执行计划是否符合预期。 - 使用可选
-out参数可以为计划指定输出文件。 使用-out参数可以确保所查看的计划与所应用的计划完全一致。
应用 Terraform 执行计划
运行 terraform apply 以应用执行计划到云基础结构。
terraform apply main.tfplan
要点:
- 示例
terraform apply命令假设你先前运行了terraform plan -out main.tfplan。 - 如果为
-out参数指定了不同的文件名,请在对terraform apply的调用中使用该相同文件名。 - 如果未使用
-out参数,请调用不带任何参数的terraform apply。
验证结果
获取 Azure 资源组名称。
resource_group_name=$(terraform output -raw resource_group_name)获取 ExpressRoute 线路名称。
circuit_name=$(terraform output -raw expressroute_circuit_name)获取网关名称。
gateway_name=$(terraform output -raw gateway_name)运行
az network express-route show以查看 ExpressRoute 线路。az network express-route show --name $circuit_name --resource-group $resource_group_name运行
az network vnet-gateway show以查看 Azure 虚拟网络网关。az network vnet-gateway show --name $gateway_name --resource-group $resource_group_name
清理资源
不再需要通过 Terraform 创建的资源时,请执行以下步骤:
运行 terraform plan 并指定
destroy标志。terraform plan -destroy -out main.destroy.tfplan要点:
-
terraform plan命令将创建一个执行计划,但不会执行它。 它会确定创建配置文件中指定的配置需要执行哪些操作。 此模式允许你在对实际资源进行任何更改之前验证执行计划是否符合预期。 - 使用可选
-out参数可以为计划指定输出文件。 使用-out参数可以确保所查看的计划与所应用的计划完全一致。
-
运行 terraform apply 以应用执行计划。
terraform apply main.destroy.tfplan
Azure 上的 Terraform 故障排除
排查在 Azure 上使用 Terraform 时遇到的常见问题。
Next steps
若要了解如何将虚拟网络链接到线路,请继续学习 ExpressRoute 教程。