Azure Virtual Network (hub-ready)

azure-vnet

Production VNet with subnets, NSGs, route tables, peering and optional NAT Gateway — the network backbone every Azure deployment starts with. The whole subnet/NSG/delegation matrix is driven by one map: each subnet gets its own NSG with an explicit DenyAllInbound catch-all, implicit "default outbound access" is disabled (egress goes through the optional NAT Gateway or your appliance routes), and private-endpoint network policies are on so NSGs/UDRs apply to private endpoints. Works with Terraform and OpenTofu (>= 1.6), azurerm provider >= 4.0, < 5.0.

Usage

module "vnet" {
  source              = "./azure-vnet"
  name                = "vnet-app-prod-weu-001"
  resource_group_name = "rg-network-prod"
  location            = "westeurope"
  address_space       = ["10.40.0.0/16"]

  subnets = {
    "snet-app" = {
      address_prefixes      = ["10.40.1.0/24"]
      associate_nat_gateway = true
      security_rules = [{
        name                       = "AllowHttpsInbound"
        priority                   = 200
        direction                  = "Inbound"
        access                     = "Allow"
        protocol                   = "Tcp"
        destination_port_range     = "443"
        source_address_prefix      = "VirtualNetwork"
        destination_address_prefix = "10.40.1.0/24"
      }]
    }
    "snet-data" = {
      address_prefixes  = ["10.40.2.0/24"]
      service_endpoints = ["Microsoft.Storage"]
    }
  }

  nat_gateway = { enabled = true }
}

Inputs

Name	Type	Default	Description
name	string	—	VNet name; also suffix base for NSG/RT/NAT names
resource_group_name	string	—	Existing resource group
location	string	—	Azure region
address_space	list(string)	—	VNet CIDR ranges
dns_servers	list(string)	[]	Custom DNS servers
ddos_protection_plan_id	string	null	Existing DDoS plan to attach
subnets	map(object)	—	Subnet matrix: prefixes, endpoints, delegation, NSG + rules, route-table key, NAT opt-in
route_tables	map(object)	{}	Route tables with named routes
peerings	map(object)	{}	Outbound peerings to remote VNet IDs
nat_gateway	object	disabled	{ enabled, sku_name, public_ip_count, idle_timeout_in_minutes, zones }
deny_all_inbound	bool	true	Append DenyAllInbound (4096) to every NSG
tags	map(string)	{}	Tags for all resources

Subnet defaults: NSG created per subnet, default_outbound_access_enabled = false, private_endpoint_network_policies = "Enabled". Set a delegation with delegation = { name = "Microsoft.Web/serverFarms" }.

Outputs

vnet_id, vnet_name, address_space, subnet_ids, subnet_address_prefixes, network_security_group_ids, route_table_ids, peering_ids, nat_gateway_id, nat_public_ip_addresses.

Notes

• Subnets default to default_outbound_access_enabled = false (Azure is retiring implicit outbound access in Sept 2025-era subnets). Give private subnets egress via associate_nat_gateway = true or a UDR, or flip the flag per subnet if you really want implicit outbound.
• Peering is one-directional; run the module (or a peering resource) on the remote side for the return path.
• A Standard NAT Gateway is zonal: pass at most one zone in nat_gateway.zones (or omit it for a no-zone deployment). It cannot span multiple zones — for zone redundancy set sku_name = "StandardV2" and leave zones unset. The module enforces this at plan time.

Requirements

Requirement	Version
Terraform / OpenTofu	>= 1.6
hashicorp/azurerm	>= 4.0, < 5.0

Verification

Static-validated (fmt, validate, tflint). Live apply/destroy testing pending cloud sandbox availability — see catalog status.

License

Commercial — IaC Bazaar EULA. © IaC Bazaar. Original work (not derived from a third-party module).