bry80921

Reputation: 31

Terraform - provision static ip addresses on Azure

I've been using Terraform for some time and am comfortable with its use with VMware and Azure providers.

Currently I have a requirement to provision VMs in Azure with static IP addresses. Tried to talk them out of static, but a Security hammer was used on me that I cannot deflect.

While I can allocate some in a subnet and provide them to Terraform (I use Ansible to drive Terraform), I wondered if anyone else had tackled this problem in Azure and might have good ideas.

As I see it, the main problem is concurrency. I need a way to atomically "allocate" an IP in a subnet and be sure that even if it takes a while for a VM to be built and start using that address, no other provisioning request running concurrently will get the same one.

In a private datacenter I would use an IPAM solution. In Azure I do not have one available. Looking for ideas on implementing this strictly with Azure+Terraform+Ansible.

Upvotes: 2

Views: 14839

Answers (4)

Klaas

Reputation: 41

So this seems to be a misconception about what "dynamic" means for a private IP in Azure. Creating a NIC in Azure with a "dynamic" private IP means the IP is assigned upon creation of the interface and only freed upon deletion of the interface.

This means it behaves exactly like a "static" interface.

The only difference is that a "static" interface has a user-assigned (as in input parameter) IP, while a "dynamic" interface is automatically assigned a free IP from the subnet. I have sent a PR to update the tf docs: https://github.com/hashicorp/terraform-provider-azurerm/pull/15264

Upvotes: 1

Pixel

Reputation: 421

I also use Terraform built-in functions to carve IP addresses, but I also understand your question and I didn't understand the answers; this doesn't guarantee that the IP won't be used. It also seems that you will need a variable as the IP address to push from the deployment system to iterate and not overlap IP addresses.

I'd love to know the complete solution to the answer above.

Anyhow, I have a module that creates an environment and I use the example below to get to static IP addresses. If you re-run the module, however, it will reverse the static IP addresses to dynamic and then back to static :)

My own answer, however, would be to first create a NIC which is set to static, and then create the same NIC again with a dynamic IP address. Example below:

resource "azurerm_network_interface" "vm_nic" {
  name                = "nic"
  location            = "${var.location}"
  resource_group_name = "${azurerm_resource_group.rg.name}"

  ip_configuration {
    name                          = "privatenic"
    subnet_id                     = "${data.azurerm_subnet.subnet.id}"
    private_ip_address_allocation = "dynamic"
  }
}

resource "azurerm_network_interface" "vm_staticnic" {
  name                = "nic"
  location            = "${var.location}"
  resource_group_name = "${azurerm_resource_group.rg.name}"

  ip_configuration {
    name                          = "privatenic"
    subnet_id                     = "${data.azurerm_subnet.subnet.id}"
    private_ip_address_allocation = "static"
    private_ip_address            = "${azurerm_network_interface.vm_nic.private_ip_address}"
  }
}

Upvotes: -1

Chris.Gray

Reputation: 81

One way of achieving this is by using the cidrhost interpolation within Terraform.

You can use it to create the same private IP address each time. One example of this could be as follows:

resource "azurerm_network_interface" "network_interface" {
  name                = "dev-network-interface"
  location            = "WestEurope"
  resource_group_name = "dev-rg"

  ip_configuration {
    name                          = "dev-nic-ipconfig"
    # subnet_id and publicip_id are placeholders, written here as input variables
    subnet_id                     = "${var.subnet_id}"
    private_ip_address_allocation = "static"
    # cidrhost takes the prefix as a string, so it must be quoted
    private_ip_address            = "${cidrhost("10.100.0.56/27", 4)}"
    public_ip_address_id          = "${var.publicip_id}"
  }
}

The above example should give you a private IP of 10.100.0.60

Upvotes: 3

Giulio Vian

Reputation: 8343

I see no problem. I have some sample code for slicing subnets that I use in real work.

I use the cidrsubnet to compute the subnets from the virtual lan address space and cidrhost to assign the private IP to hosts. There is a very good tutorial here.

Obviously assigning static IPs doesn't work in scenarios like autoscaling.

Upvotes: 0
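
Added example, not part of any answer above: a Python pre-flight check that an Ansible-driven pipeline could run before Terraform. It reproduces how cidrhost derives an address (the prefix is masked to its network address first) and rejects host numbers that collide or that Azure reserves (the first four and the last address of every subnet). The function names, subnet and VM names are assumptions, and the check validates a single plan only; it does not lock addresses across concurrent runs.

```python
import ipaddress

# Azure keeps the first four addresses and the last address of each subnet.
AZURE_RESERVED_LOW = 4
AZURE_RESERVED_HIGH = 1


def cidrhost(prefix, hostnum):
    """Emulate Terraform's cidrhost() for non-negative host numbers.

    The prefix is masked to its network address before hostnum is added,
    so host bits written in the prefix do not shift the result.
    """
    net = ipaddress.ip_network(prefix, strict=False)
    if not 0 <= hostnum < net.num_addresses:
        raise ValueError(f"host number {hostnum} does not fit in {net}")
    return str(net[hostnum])


def plan_static_ips(subnet, requests):
    """Map VM name -> private IP; fail on reserved or duplicate host numbers.

    `requests` maps a VM name to the host number it wants inside `subnet`.
    """
    net = ipaddress.ip_network(subnet, strict=False)
    usable = range(AZURE_RESERVED_LOW, net.num_addresses - AZURE_RESERVED_HIGH)
    plan, owner = {}, {}
    for vm, hostnum in sorted(requests.items()):
        if hostnum not in usable:
            raise ValueError(f"{vm}: host {hostnum} is reserved or outside {net}")
        if hostnum in owner:
            raise ValueError(f"{vm}: host {hostnum} already planned for {owner[hostnum]}")
        owner[hostnum] = vm
        plan[vm] = cidrhost(subnet, hostnum)
    return plan


if __name__ == "__main__":
    # Constructed sample inventory; the result would be passed to Terraform
    # as the private_ip_address value of each NIC.
    wanted = {"web1": 4, "web2": 5, "db1": 10}
    for vm, ip in plan_static_ips("10.100.0.32/27", wanted).items():
        print(f"{vm}: {ip}")
```

Keeping the VM-to-host-number map in one reviewed file gives each address a single owner before any apply starts; two pipelines that each hold their own copy of the map can still plan the same address.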
