Files

Cooper van Wijck 3cf8889967 Add name overrides for Internal and External Load Balancers (#2420 )

* Add override_name optional variable

* Add override name optional variable

* Allow override for each forwarding rule

* Add optional override_name variable to forwarding_rules_config

* Remove duplicate (unused) variable override_name

* Add optional override_name variable for network peering

* Add optional override_name variable for network peering

* Formatting

* Update VPN tunnel interface name handling for override

* Update bgp peer handling for override

* Added renaming for both sides of peering

* Fix precondition

* Remove spurious folders

* Apply suggestions to peering module

* Use coalesce and name (instead of override_name)

* remove unneeded null

* Revert windows style slashes in readme

* Fix more null checks

* Fix unneeded null checks in net-lb-int

* Change override_name back to name in the rest of the locations, bgppeer, tunnel and interface names

* Fix linter

* Update READMEs

---------

Co-authored-by: Ludovico Magnocavallo <ludomagno@google.com>
Co-authored-by: unknown <jack@JACK-PC.lfn.arpa>
Co-authored-by: jacklever-hub24 <jack.lever@hub24.com.au>
Co-authored-by: Julio Castillo <jccb@google.com>

2024-08-16 08:45:29 +02:00

10 KiB

Raw Blame History

Cloud HA VPN Module

This module makes it easy to deploy either GCP-to-GCP or GCP-to-On-prem Cloud HA VPN.

Examples

GCP to GCP

module "vpn-1" {
  source     = "./fabric/modules/net-vpn-ha"
  project_id = var.project_id
  region     = "europe-west4"
  network    = var.vpc1.self_link
  name       = "net1-to-net-2"
  peer_gateways = {
    default = { gcp = module.vpn-2.self_link }
  }
  router_config = {
    asn = 64514
    custom_advertise = {
      all_subnets = true
      ip_ranges = {
        "10.0.0.0/8" = "default"
      }
    }
  }
  tunnels = {
    remote-0 = {
      bgp_peer = {
        address = "169.254.1.1"
        asn     = 64513
      }
      bgp_session_range     = "169.254.1.2/30"
      vpn_gateway_interface = 0
    }
    remote-1 = {
      bgp_peer = {
        address = "169.254.2.1"
        asn     = 64513
      }
      bgp_session_range     = "169.254.2.2/30"
      vpn_gateway_interface = 1
    }
  }
}

module "vpn-2" {
  source        = "./fabric/modules/net-vpn-ha"
  project_id    = var.project_id
  region        = "europe-west4"
  network       = var.vpc2.self_link
  name          = "net2-to-net1"
  router_config = { asn = 64513 }
  peer_gateways = {
    default = { gcp = module.vpn-1.self_link }
  }
  tunnels = {
    remote-0 = {
      bgp_peer = {
        address = "169.254.1.2"
        asn     = 64514
      }
      bgp_session_range     = "169.254.1.1/30"
      shared_secret         = module.vpn-1.random_secret
      vpn_gateway_interface = 0
    }
    remote-1 = {
      bgp_peer = {
        address = "169.254.2.2"
        asn     = 64514
      }
      bgp_session_range     = "169.254.2.1/30"
      shared_secret         = module.vpn-1.random_secret
      vpn_gateway_interface = 1
    }
  }
}
# tftest modules=2 resources=18 inventory=gcp-to-gcp.yaml

Note: When using the for_each meta-argument you might experience a Cycle Error due to the multiple net-vpn-ha modules referencing each other. To fix this you can create the google_compute_ha_vpn_gateway resources separately and reference them in the net-vpn-ha module via the vpn_gateway and peer_gcp_gateway variables.

GCP to on-prem

module "vpn_ha" {
  source     = "./fabric/modules/net-vpn-ha"
  project_id = var.project_id
  region     = var.region
  network    = var.vpc.self_link
  name       = "mynet-to-onprem"
  peer_gateways = {
    default = {
      external = {
        redundancy_type = "SINGLE_IP_INTERNALLY_REDUNDANT"
        interfaces      = ["8.8.8.8"] # on-prem router ip address
      }
    }
  }
  router_config = { asn = 64514 }
  tunnels = {
    remote-0 = {
      bgp_peer = {
        address = "169.254.1.1"
        asn     = 64513
        # BFD is optional
        bfd = {
          min_receive_interval        = 1000
          min_transmit_interval       = 1000
          multiplier                  = 5
          session_initialization_mode = "ACTIVE"
        }
        # MD5 Authentication is optional
        md5_authentication_key = {
          name = "foo"
          key  = "bar"
        }
      }
      bgp_session_range               = "169.254.1.2/30"
      peer_external_gateway_interface = 0
      shared_secret                   = "mySecret"
      vpn_gateway_interface           = 0
    }
    remote-1 = {
      bgp_peer = {
        address = "169.254.2.1"
        asn     = 64513
        # BFD is optional
        bfd = {
          min_receive_interval        = 1000
          min_transmit_interval       = 1000
          multiplier                  = 5
          session_initialization_mode = "ACTIVE"
        }
        # MD5 Authentication is optional
        md5_authentication_key = {
          name = "foo"
          key  = "bar"
        }
      }
      bgp_session_range               = "169.254.2.2/30"
      peer_external_gateway_interface = 0
      shared_secret                   = "mySecret"
      vpn_gateway_interface           = 1
    }
  }
}
# tftest modules=1 resources=10 inventory=gcp-to-onprem.yaml

IPv6 (dual-stack)

You can optionally set your HA VPN gateway (and BGP sessions) to carry both IPv4 and IPv6 traffic. IPv6 only is not supported.

module "vpn_ha" {
  source     = "./fabric/modules/net-vpn-ha"
  project_id = var.project_id
  region     = var.region
  name       = "mynet-to-onprem"
  network    = var.vpc.self_link
  peer_gateways = {
    default = {
      external = {
        redundancy_type = "SINGLE_IP_INTERNALLY_REDUNDANT"
        interfaces      = ["8.8.8.8"] # on-prem router ip address
      }
    }
  }
  router_config = { asn = 64514 }
  tunnels = {
    remote-0 = {
      bgp_peer = {
        address = "169.254.1.1"
        asn     = 64513
        ipv6    = {}
      }
      bgp_session_range               = "169.254.1.2/30"
      peer_external_gateway_interface = 0
      shared_secret                   = "mySecret"
      vpn_gateway_interface           = 0
    }
    remote-1 = {
      bgp_peer = {
        address = "169.254.2.1"
        asn     = 64513
        ipv6 = {
          nexthop_address      = "2600:2d00:0:2::1"
          peer_nexthop_address = "2600:2d00:0:3::1"
        }
      }
      bgp_session_range               = "169.254.2.2/30"
      peer_external_gateway_interface = 0
      shared_secret                   = "mySecret"
      vpn_gateway_interface           = 1
    }
  }
  vpn_gateway_create = {
    stack_type = "IPV4_IPV6"
  }
}
# tftest modules=1 resources=10 intentory=ipv6.yaml

Variables

name	description	type	required	default
name	VPN Gateway name (if an existing VPN Gateway is not used), and prefix used for dependent resources.	`string`	✓
network	VPC used for the gateway and routes.	`string`	✓
project_id	Project where resources will be created.	`string`	✓
region	Region used for resources.	`string`	✓
router_config	Cloud Router configuration for the VPN. If you want to reuse an existing router, set create to false and use name to specify the desired router.	`object({…})`	✓
peer_gateways	Configuration of the (external or GCP) peer gateway.	`map(object({…}))`		`{}`
tunnels	VPN tunnel configurations.	`map(object({…}))`		`{}`
vpn_gateway	HA VPN Gateway Self Link for using an existing HA VPN Gateway. Ignored if `vpn_gateway_create` is set to `true`.	`string`		`null`
vpn_gateway_create	Create HA VPN Gateway. Set to null to avoid creation.	`object({…})`		`{}`

Outputs

name	description	sensitive
bgp_peers	BGP peer resources.
external_gateway	External VPN gateway resource.
gateway	VPN gateway resource (only if auto-created).
id	Fully qualified VPN gateway id.
name	VPN gateway name (only if auto-created). .
random_secret	Generated secret.
router	Router resource (only if auto-created).
router_name	Router name.
self_link	HA VPN gateway self link.
tunnel_names	VPN tunnel names.
tunnel_self_links	VPN tunnel self links.
tunnels	VPN tunnel resources.

10 KiB Raw Blame History