Add custom routes for directpath to net-vpc module (#2966)
* add custom routes for directpath to net-vpc module
* blueprint tests
* blueprint tests
* blueprint tests
* fast tests
* tfdoc
* module examples
committed by GitHub
parent 73022a710a
commit c8e4179f2b
@@ -21,7 +21,7 @@ The following diagram depicts the main components that this blueprint will set u
The following products or features are used to fulfill the different use cases covered in this blueprint (to learn more about them click on the hyperlinks):
* [Cloud Run](https://cloud.google.com/run/docs/overview/what-is-cloud-run) - Cloud Run is a managed compute platform that lets you run containers directly on top of Google's scalable infrastructure.
* [Cloud Run Ingress Settings](https://cloud.google.com/run/docs/securing/ingress) - feature that restricts network access to your Cloud Run service. At a network level, by default, any resource on the Internet can reach your Cloud Run service on its run.app URL or at a custom domain set up in Cloud Run. You can change this default by specifying a different setting for its ingress. All ingress paths, including the default run.app URL, are subject to your ingress setting. Ingress is set at the service level. The following settings are available:
* [Cloud Run Ingress Settings](https://cloud.google.com/run/docs/securing/ingress) - feature that restricts network access to your Cloud Run service. At a network level, by default, any resource on the Internet can reach your Cloud Run service on its run.app URL or at a custom domain set up in Cloud Run. You can change this default by specifying a different setting for its ingress. All ingress paths, including the default run.app URL, are subject to your ingress setting. Ingress is set at the service level. The following settings are available:
* __Internal__: Allows requests from VPC networks that are in the same project or VPC Service Controls perimeter as your Cloud Run service.
* __Internal and Cloud Load Balancing__: Allows requests from resources allowed by the more restrictive Internal setting and an External HTTP(S) load balancer.
* __All__ (default): Allows all requests, including requests directly from the Internet to the default run.app URL.
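Review bot: the Cloud Run Ingress Settings bullet appears twice in this hunk with identical visible text, so whatever differs between the removed and the added line (trailing whitespace or a line ending) is not shown in the rendered diff; if this is intentional whitespace normalisation it is fine, otherwise it suggests the intended wording edit did not land. While here, "feature that restricts network access" reads better as "a feature that restricts network access", and since "__All__" is marked as the default, the list could state which of the three settings each use case below selects.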
@@ -85,10 +85,13 @@ This is the simplest case, the "Hello World" for Cloud Run. A Cloud Run service
<p align="center"> <img src="images/use-case-1.png" width="700"> </p>
In this case the only variable that you need to set in `terraform.tfvars` is the project ID:
```tfvars
project_id = "[your-project-id]"
```
Alternatively you can pass this value on the command line:
```bash
terraform apply -var project_id="[your-project-id]"
```
@@ -104,10 +107,12 @@ If you want to use your own custom domain you need a GCLB in front of your Cloud
<p align="center"> <img src="images/use-case-2.png" width="700"> </p>
The following values will need to be set in `terraform.tfvars`, replacing the custom_domain value with your own domain:
```tfvars
project_id = "[your-project-id]"
custom_domain = "cloud-run-explore.example.org"
```
Since it is an HTTPS connection a Google managed certificate is created, but for it to be provisioned correctly you will need to point to the load balancer IP address with an A DNS record at your registrar: [Use Google-managed SSL certificates | Load Balancing](https://cloud.google.com/load-balancing/docs/ssl-certificates/google-managed-certs#update-dns). The LB IP is shown as a terraform output.
Be aware that in this case the Cloud Run service can also be reached through the default URL. To limit access only through the custom domain see the next use case.
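Review bot: "Since it is an HTTPS connection a Google managed certificate is created" needs a comma after "connection", and "terraform output" should be "Terraform output". More substantively, the sentence "the Cloud Run service can also be reached through the default URL" is the key security caveat of this use case, so consider placing it before the tfvars block or emphasising it: a reader who stops at the code block will otherwise assume the custom domain on its own restricts access, which the next use case shows it does not.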
@@ -119,6 +124,7 @@ To block access to the default URL, you can configure Ingress Settings so that I
<p align="center"> <img src="images/use-case-3.png" width="700"> </p>
You only need to set one more value in the previous `terraform.tfvars` file:
```tfvars
project_id = "[your-project-id]"
custom_domain = "cloud-run-explore.example.org"
@@ -134,6 +140,7 @@ To use Cloud Armor to protect the Cloud Run service, you need to create a securi
<p align="center"> <img src="images/use-case-4.png" width="700"> </p>
The code allows to block a list of IPs and a specific URL path. For example, you may want to block access to a login page to external users. To test its behavior, by default all IPs and the path `"/login.html"` are blocked, but you can override any of these settings with your own values:
```tfvars
project_id = "[your-project-id]"
custom_domain = "cloud-run-explore.example.org"
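Review bot: "The code allows to block a list of IPs" should read "The code allows blocking a list of IPs". The sentence "by default all IPs and the path `"/login.html"` are blocked" is ambiguous: it can be read as the default policy denying every source address (which would also lock out whoever is testing the deployment) or as denying only the addresses in a default list; state which it is, and name the tfvars variables that override the IP list and the path, since the tfvars block that follows shows only `project_id` and `custom_domain`.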
@@ -166,14 +173,17 @@ iap = {
email = "user@example.org"
}
```
When visiting it you may be redirected to login with Google. You can use an incognito window to test this behavior.
## Cleaning up your environment
The easiest way to remove all the deployed resources is to run the following command:
```bash
terraform destroy
```
The above command will delete the associated resources so there will be no billable charges afterwards. IAP Brands, though, can only be created once per project and not deleted. Destroying a Terraform-managed IAP Brand will remove it from state but will not delete it from Google Cloud.
<!-- BEGIN TFDOC -->
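Review bot: in "When visiting it you may be redirected to login with Google", "it" has no antecedent within this hunk; name the custom domain URL explicitly. The clean-up paragraph first says `terraform destroy` leaves "no billable charges afterwards" and then that the IAP Brand survives in Google Cloud; a short clause saying what the leftover brand is and whether it carries any cost would stop readers from reading the two sentences as contradicting each other. Since the commit message lists "tfdoc", also confirm the `<!-- BEGIN TFDOC -->` section below this context was regenerated in the same commit.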