Add option for forced tunneling through TRE's Firewall

CHANGELOG.md

@@ -43,6 +43,7 @@ BUG FIXES:
 * Bump terraform version in windows VM template ([#4212](https://github.com/microsoft/AzureTRE/issues/4212))
 * Upgrade azurerm terraform provider from v3.112.0 to v3.117.0 to mitiagte storage account deployment issue ([#4004](https://github.com/microsoft/AzureTRE/issues/4004))
 * Fix VM actions where Workspace shared storage doesn't allow shared key access ([#4222](https://github.com/microsoft/AzureTRE/issues/4222))
+* Add option to force tunnel TRE's Firewall ([#4237](https://github.com/microsoft/AzureTRE/issues/4237))
 
 COMPONENTS:
 

docs/tre-admins/configure-firewall-force-tunneling.md

@@ -0,0 +1,20 @@
+# Forced Tunneling to External Firewall in TRE
+
+Forced tunneling ensures that all traffic from TRE is routed through a specific external firewall. This guarantees that all data passes through the firewall for inspection, control, or further processing before reaching its destination.
+
+To setup forced tunneling to an external firewall, follow these steps:
+
+## 1. Set the rp_bundle_values Parameter in  the config.yaml file
+Provide the external firewall's IP address:
+
+```json
+rp_bundle_values: '{"firewall_force_tunnel_ip":"10.0.0.4"}'
+```
+This automatically creates a route table to direct TRE’s traffic to the specified IP.
+
+## 2. Manually Connect TRE to Your Firewall
+Configure connectivity between TRE’s VNet and your external firewall using one of the following methods:
+
+1. **VNet Peering**: Peer the TRE VNet with your firewall’s VNet.
+1. **ExpressRoute**: Use a private connection for firewalls located on-premises.
+1. **Site-to-Site VPN**: Establish a VPN connection as an alternative.

mkdocs.yml

@@ -140,6 +140,7 @@ nav:
           - Supported Clouds: tre-admins/supported-clouds.md
           - Customer Managed Keys: tre-admins/customer-managed-keys.md
           - Custom Domain Name: tre-admins/custom-domain.md
+          - Firewall Force Tunneling: tre-admins/configure-firewall-force-tunneling.md
 
       - Development: # Docs related to the developing code for the AzureTRE
           - Local Development: using-tre/local-development/local-development.md

templates/shared_services/firewall/porter.yaml

@@ -1,7 +1,7 @@
 ---
 schemaVersion: 1.0.0
 name: tre-shared-service-firewall
-version: 1.2.8
+version: 1.3.0
 description: "An Azure TRE Firewall shared service"
 dockerfile: Dockerfile.tmpl
 registry: azuretre
@@ -54,6 +54,9 @@ parameters:
     default: "graph.microsoft.com"
   - name: arm_environment
     type: string
+  - name: firewall_force_tunnel_ip
+    type: string
+    default: ""
 
 mixins:
   - terraform:
@@ -69,6 +72,7 @@ install:
         api_driven_network_rule_collections_b64: ${ bundle.parameters.network_rule_collections }
         firewall_sku: ${ bundle.parameters.firewall_sku }
         microsoft_graph_fqdn: ${ bundle.parameters.microsoft_graph_fqdn }
+        firewall_force_tunnel_ip: ${ bundle.parameters.firewall_force_tunnel_ip }
       backendConfig:
         use_azuread_auth: "true"
         use_oidc: "true"
@@ -87,6 +91,7 @@ upgrade:
         api_driven_network_rule_collections_b64: ${ bundle.parameters.network_rule_collections }
         firewall_sku: ${ bundle.parameters.firewall_sku }
         microsoft_graph_fqdn: ${ bundle.parameters.microsoft_graph_fqdn }
+        firewall_force_tunnel_ip: ${ bundle.parameters.firewall_force_tunnel_ip }
       backendConfig:
         use_azuread_auth: "true"
         use_oidc: "true"
@@ -105,6 +110,7 @@ uninstall:
         api_driven_network_rule_collections_b64: ${ bundle.parameters.network_rule_collections }
         firewall_sku: ${ bundle.parameters.firewall_sku }
         microsoft_graph_fqdn: ${ bundle.parameters.microsoft_graph_fqdn }
+        firewall_force_tunnel_ip: ${ bundle.parameters.firewall_force_tunnel_ip }
       backendConfig:
         use_azuread_auth: "true"
         use_oidc: "true"

templates/shared_services/firewall/terraform/firewall.tf

@@ -15,7 +15,7 @@ moved {
 }
 
 resource "azurerm_public_ip" "fwmanagement" {
-  count               = local.effective_firewall_sku == "Basic" ? 1 : 0
+  count               = (var.firewall_force_tunnel_ip != "" || local.effective_firewall_sku == "Basic") ? 1 : 0
   name                = "pip-fw-management-${var.tre_id}"
   resource_group_name = local.core_resource_group_name
   location            = data.azurerm_resource_group.rg.location
@@ -42,7 +42,7 @@ resource "azurerm_firewall" "fw" {
   }
 
   dynamic "management_ip_configuration" {
-    for_each = local.effective_firewall_sku == "Basic" ? [1] : []
+    for_each = (var.firewall_force_tunnel_ip != "" || local.effective_firewall_sku == "Basic") ? [1] : []
     content {
       name                 = "mgmtconfig"
       subnet_id            = data.azurerm_subnet.firewall_management.id

templates/shared_services/firewall/terraform/routetable.tf

@@ -87,3 +87,28 @@ resource "azurerm_subnet_route_table_association" "rt_airlock_events_subnet_asso
     azurerm_firewall_policy_rule_collection_group.dynamic_application
   ]
 }
+
+resource "azurerm_route_table" "fw_tunnel_rt" {
+  count                         = var.firewall_force_tunnel_ip != "" ? 1 : 0
+  name                          = "rt-fw-tunnel-${var.tre_id}"
+  resource_group_name           = local.core_resource_group_name
+  location                      = data.azurerm_resource_group.rg.location
+  bgp_route_propagation_enabled = true
+  tags                          = local.tre_shared_service_tags
+
+  lifecycle { ignore_changes = [tags] }
+
+  route {
+    name                   = "ForceTunnelRoute"
+    address_prefix         = "0.0.0.0/0"
+    next_hop_type          = "VirtualAppliance"
+    next_hop_in_ip_address = var.firewall_force_tunnel_ip
+  }
+}
+
+resource "azurerm_subnet_route_table_association" "rt_fw_tunnel_subnet_association" {
+  count          = var.firewall_force_tunnel_ip != "" ? 1 : 0
+  subnet_id      = data.azurerm_subnet.firewall.id
+  route_table_id = azurerm_route_table.fw_tunnel_rt[0].id
+}
+

templates/shared_services/firewall/terraform/variables.tf

@@ -27,3 +27,8 @@ variable "firewall_sku" {
   type    = string
   default = ""
 }
+
+variable "firewall_force_tunnel_ip" {
+  type    = string
+  default = ""
+}