# 03. VNet and Networking

Azure's virtual network. It corresponds to an AWS VPC, but there are Azure-specific conventions, such as how an NSG (Network Security Group) behaves and how a Subnet and an NSG are associated.
## Correspondence with AWS

| Azure | AWS | Notes |
|---|---|---|
| Virtual Network (VNet) | VPC | Per region |
| Subnet | Subnet | Azure subnets are usually not AZ-aware (the zone is specified on the VM side) |
| Network Security Group (NSG) | Security Group + NACL | An NSG can be attached to a Subnet or to a NIC |
| Route Table | Route Table | System routes apply unless you specify routes explicitly |
| NAT Gateway | NAT Gateway | Same purpose |
| Public IP | EIP | Choice of static / dynamic allocation |
## azurerm_virtual_network

```hcl
resource "azurerm_virtual_network" "main" {
  name                = "vnet-myapp-prd-jpe"
  resource_group_name = azurerm_resource_group.main.name
  location            = azurerm_resource_group.main.location
  address_space       = ["10.0.0.0/16"]
  tags                = local.common_tags
}
```
## azurerm_subnet

```hcl
resource "azurerm_subnet" "public" {
  name                 = "snet-public"
  resource_group_name  = azurerm_resource_group.main.name
  virtual_network_name = azurerm_virtual_network.main.name
  address_prefixes     = ["10.0.1.0/24"]
}

resource "azurerm_subnet" "private" {
  name                 = "snet-private"
  resource_group_name  = azurerm_resource_group.main.name
  virtual_network_name = azurerm_virtual_network.main.name
  address_prefixes     = ["10.0.11.0/24"]

  # Subnet-level delegation (required by Container Apps, Functions Premium, etc.)
  delegation {
    name = "Microsoft.App.environments"
    service_delegation {
      name = "Microsoft.App/environments"
    }
  }
}
```
## NSG and rules

The big difference from AWS Security Groups: an NSG can express both Allow and Deny rules. The lower the priority number, the higher the precedence (the first matching rule decides).

```hcl
resource "azurerm_network_security_group" "web" {
  name                = "nsg-web-prd"
  resource_group_name = azurerm_resource_group.main.name
  location            = azurerm_resource_group.main.location

  security_rule {
    name                       = "AllowHTTPS"
    priority                   = 100
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "443"
    source_address_prefix      = "Internet" # service tag
    destination_address_prefix = "*"
  }

  security_rule {
    name                       = "AllowSSHFromBastion"
    priority                   = 110
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "22"
    source_address_prefix      = "10.0.99.0/24" # bastion subnet
    destination_address_prefix = "*"
  }

  security_rule {
    name                       = "DenyAllInbound"
    priority                   = 4096 # lowest precedence (evaluated last)
    direction                  = "Inbound"
    access                     = "Deny"
    protocol                   = "*"
    source_port_range          = "*"
    destination_port_range     = "*"
    source_address_prefix      = "*"
    destination_address_prefix = "*"
  }
}
```
## Service tags

Azure-managed IP sets such as Internet / VirtualNetwork / AzureLoadBalancer can be referenced by name. This is more convenient and safer than hard-coding CIDRs, because Azure keeps the underlying prefix lists up to date.
## Associating a Subnet with an NSG

Without this resource, the NSG is in a "created but not applied" state: it exists, but no traffic is filtered by it.

```hcl
resource "azurerm_subnet_network_security_group_association" "public" {
  subnet_id                 = azurerm_subnet.public.id
  network_security_group_id = azurerm_network_security_group.web.id
}
```
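To make the two points above concrete (priority-ordered Allow/Deny evaluation, and an NSG that is never associated filtering nothing), here is an added simulator that is not part of this page or of the azurerm provider. It replays the three rules of `nsg-web-prd` against sample traffic; the `Internet` service tag is simplified to "any address outside the VNet address space" (an assumption; the real tag is an Azure-managed prefix list), and Azure's built-in default rules are not modelled.

```python
import ipaddress
from dataclasses import dataclass

VNET = ipaddress.ip_network("10.0.0.0/16")  # address_space of vnet-myapp-prd-jpe

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int   # 100..4096, lower number is evaluated first
    access: str     # "Allow" or "Deny"
    protocol: str   # "Tcp", "Udp" or "*"
    dest_port: str  # "443", "22" or "*"
    source: str     # CIDR or service tag

# The three inbound rules of nsg-web-prd from this page.
NSG_WEB = [
    Rule("AllowHTTPS", 100, "Allow", "Tcp", "443", "Internet"),
    Rule("AllowSSHFromBastion", 110, "Allow", "Tcp", "22", "10.0.99.0/24"),
    Rule("DenyAllInbound", 4096, "Deny", "*", "*", "*"),
]

def source_matches(source, src_ip):
    # Simplified service tag (assumption): the real "Internet" tag is an
    # Azure-managed prefix list; here it means "outside the VNet address space".
    ip = ipaddress.ip_address(src_ip)
    if source == "*":
        return True
    if source == "Internet":
        return ip not in VNET
    return ip in ipaddress.ip_network(source)

def evaluate(rules, src_ip, protocol, dest_port):
    """First matching rule in ascending priority order decides; later rules are ignored."""
    for r in sorted(rules, key=lambda r: r.priority):
        if (r.protocol in ("*", protocol) and r.dest_port in ("*", str(dest_port))
                and source_matches(r.source, src_ip)):
            return r.access, r.name
    # Azure's built-in default rules are not modelled; treat "no match" as a deny.
    return "Deny", "(no user rule matched)"

def effective_inbound(subnet_nsg, nic_nsg, src_ip, protocol, dest_port):
    """Inbound traffic passes the subnet NSG first, then the NIC NSG; both must allow.
    None means no NSG is associated at that layer, so nothing is filtered there:
    an NSG that exists but has no association never sees the traffic."""
    for nsg in (subnet_nsg, nic_nsg):
        if nsg is not None and evaluate(nsg, src_ip, protocol, dest_port)[0] == "Deny":
            return "Deny"
    return "Allow"
```

Adding a Deny rule with a lower priority number than `AllowHTTPS` (for example 90) silently shadows it, which is the ordering mistake the priority field makes easy to introduce.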
## NAT Gateway

```hcl
resource "azurerm_public_ip" "nat" {
  name                = "pip-nat-prd"
  resource_group_name = azurerm_resource_group.main.name
  location            = azurerm_resource_group.main.location
  allocation_method   = "Static"
  sku                 = "Standard"
}

resource "azurerm_nat_gateway" "main" {
  name                = "natgw-prd"
  resource_group_name = azurerm_resource_group.main.name
  location            = azurerm_resource_group.main.location
  sku_name            = "Standard"
}

resource "azurerm_nat_gateway_public_ip_association" "main" {
  nat_gateway_id       = azurerm_nat_gateway.main.id
  public_ip_address_id = azurerm_public_ip.nat.id
}

resource "azurerm_subnet_nat_gateway_association" "private" {
  subnet_id      = azurerm_subnet.private.id
  nat_gateway_id = azurerm_nat_gateway.main.id
}
```
## Putting it together

Combining the elements above, you can build on a VNet a three-tier web foundation equivalent to the one in AWS chapter 02. The standard practice is to package the implementation as a module under modules/network/.