grg1bbs/Terraform_ISE_Azure_Deployment

Terraform_ISE_Azure_Deployment

Terraform code for creating a lab environment in Azure using Cisco ISE 3.2 and the necessary Azure environment constructs (Resource Group, Virtual Network, Subnets, Security Group, Route Tables, etc)

I built this code so that I could quickly spin up ISE nodes in Azure (they still take ~30 min to finish building), test what I need, and tear the lab environment down when I am finished. The ISE resources in the code can be scaled up or down as needed and used for either non-production or production environments.

This code was validated using:

  • ISE 3.2 VM image (Australia East region) from the Azure Marketplace
  • Terraform version 1.3.9
  • Terraform azurerm provider version 3.48.0
  • (Site-to-Site VPN) Cisco ASA 5506-X (Security Plus license) running software version 9.16(3)23

The following resources are created by this Terraform code:

  • Azure Resource Group
  • Virtual Network
  • Subnets and Route Tables for ISE and Virtual Network Gateway
  • Security Group and Network Interface for ISE
  • ISE Virtual Machine
  • Public IP Addresses for ISE and Virtual Network Gateway
  • Local Network Gateway
  • Virtual Network Gateway

Note: This code deploys only a single standalone ISE node. It does not perform any operations to configure an ISE cluster.

Pre-requisites

  • Terraform application installed
  • Necessary Azure credentials and roles
  • Local RSA public/private keypair used to SSH into the ISE nodes
    • The code reads the public key from "~/.ssh/ise_azure_sshkey.pub" in the home directory (the path is configurable in the code)

See the following guide for how to get started using Terraform and Azure:

https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs

Topology Diagram

The following diagram represents the basic topology built by this code. The on-prem 'Home Lab Network' is shown for reference only. No on-prem resources are created by this code.

[Image: azure iselab diagram]

Quick Start

  1. Clone this repository:

    git clone https://github.com/grg1bbs/Terraform_ISE_Azure_Deployment
  2. Edit the 'variables.tf' file to suit your environment (Vnet, Resource Group, Subnets, Availability Zones, VM size, ISE node IP addresses, etc.)

  3. Update the user data text file (ise32az1.txt) to replace the <variables> with values for your environment. If preferred, change the hostname to suit your naming convention.

    See the 'Deploy Cisco Identity Services Engine Natively on Cloud Platforms' guide for guidance.

  4. If needed, update the 'security-group.tf' file to tighten the Security Group rules for your environment

  5. Optional - The code includes optional files and variables for building a site-to-site VPN tunnel with an on-prem VPN headend. This was validated using an on-prem Cisco ASA.

    If you want to create these site-to-site VPN resources, perform the following:

    • Un-comment the code in the 'vpn-gateway.tf' file (by removing the '/*' and '*/' characters)
    • Un-comment the code in the 'variables.tf' file and update the variables with your tunnel pre-shared keys and VPN headend IP
    • Un-comment the code in the 'outputs.tf' file; this tells terraform to print the VPN tunnel IP addresses assigned by Azure once they are created (the VPN Gateway resource can take up to 30 minutes to complete)

    Example ASA configuration can be found in the 'asa_vpn.txt' file in this repository

  6. Initialise, Plan, and Apply the terraform run

    terraform init
    
    terraform plan
    
    terraform apply
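As an added example of steps 4 and 5 above (this is not the repository's own 'security-group.tf' or 'variables.tf'), the following HCL restricts the ISE Security Group to management access from an admin prefix and RADIUS from the on-prem range, and declares the tunnel pre-shared key as a sensitive variable with no default so it is supplied at run time rather than committed. The variable names admin_cidr, onprem_cidr and vpn_psk, the rule names and the "ise-sg" name are assumptions; the resource group reference matches the state list shown below.

```hcl
# Added example, not the repository's own security-group.tf / variables.tf.
# Assumed variable names: admin_cidr, onprem_cidr, vpn_psk.
variable "admin_cidr"  { type = string } # prefix allowed to manage ISE
variable "onprem_cidr" { type = string } # on-prem range behind the S2S tunnel

# Tunnel pre-shared key: no default and marked sensitive, so it is supplied
# at run time (TF_VAR_vpn_psk or an untracked .tfvars) instead of being
# stored in variables.tf; it would feed the gateway connection's shared_key.
variable "vpn_psk" {
  type      = string
  sensitive = true
}

resource "azurerm_network_security_group" "ise_sg" {
  name                = "ise-sg"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name

  # SSH and admin HTTPS only from the admin prefix, never from 0.0.0.0/0
  security_rule {
    name                       = "allow-mgmt-from-admin"
    priority                   = 100
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_ranges    = ["22", "443"]
    source_address_prefix      = var.admin_cidr
    destination_address_prefix = "*"
  }

  # RADIUS authentication/accounting from the on-prem range over the tunnel
  security_rule {
    name                       = "allow-radius-from-onprem"
    priority                   = 110
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Udp"
    source_port_range          = "*"
    destination_port_ranges    = ["1812", "1813"]
    source_address_prefix      = var.onprem_cidr
    destination_address_prefix = "*"
  }
}
```

Anything not matched by these rules falls through to Azure's default inbound rules, so only the listed ports are reachable from outside the Virtual Network; run 'terraform plan' after editing to confirm the rule set before applying.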

Results without the optional site-to-site VPN resources

If no errors occur, the status reported once the resource build completes should be:

+ Apply complete! Resources: 11 added, 0 changed, 0 destroyed.

If you check the terraform state, you should see the following resources:

> terraform state list
azurerm_linux_virtual_machine.ise32_az1
azurerm_network_interface.ise32_az1_gig0
azurerm_network_interface_security_group_association.ise32_az1_sg
azurerm_network_security_group.ise_sg
azurerm_public_ip.ise32_az1_public_ip
azurerm_resource_group.rg
azurerm_route_table.ise_rt
azurerm_ssh_public_key.ise_sshkey
azurerm_subnet.ise_subnet
azurerm_subnet_route_table_association.subnet_ise_rt
azurerm_virtual_network.virtualnet

Results with the optional site-to-site VPN resources

+ Apply complete! Resources: 17 added, 0 changed, 0 destroyed.

+ Outputs:

vpngw_public_ip = "<gw_ip1>"

If you check the terraform state, you should see the following resources:

> terraform state list
azurerm_linux_virtual_machine.ise32_az1
azurerm_local_network_gateway.home_lng
azurerm_network_interface.ise32_az1_gig0
azurerm_network_interface_security_group_association.ise32_az1_sg
azurerm_network_security_group.ise_sg
azurerm_public_ip.ise32_az1_public_ip
azurerm_public_ip.vpngw_public_ip
azurerm_resource_group.rg
azurerm_route.ise_rt_onprem
azurerm_route_table.ise_rt
azurerm_ssh_public_key.ise_sshkey
azurerm_subnet.ise_subnet
azurerm_subnet.vpngw_subnet
azurerm_subnet_route_table_association.subnet_ise_rt
azurerm_virtual_network.virtualnet
azurerm_virtual_network_gateway.ise_vpngw

Teardown

To tear down the entire environment, run 'terraform destroy'; the dependency mappings ensure everything is destroyed in the correct order.

> terraform destroy

Example Azure Resource List

The following image shows an example of the resources created in Azure.

[Image: terraform_resource_list]

Example Azure Resource Visualizer

The following image shows an example of the resource relationships as illustrated by the Azure Resource Visualizer.

[Image: terraform_azure_resource_visualizer]
