# VPC Connectivity Lab

This blueprint creates a networking playground showing a number of different VPC connectivity options:

* Hub and spoke via HA VPN
* Hub and spoke via VPC peering
* Interconnecting two networks via a network virtual appliance (aka NVA)

On top of that, the blueprint implements Policy Based Routing (aka PBR) to show how to force all traffic originating within a VPC through an internal network passthrough load balancer, whose backends are the NVAs acting as an Intrusion Prevention System (IPS). PBR is enabled in the `hub` VPC and matches all traffic originating from within that VPC.
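
As an added example (not code from this blueprint), the HCL below sketches the PBR pattern just described for a hub VPC: a catch-all policy-based route that sends every IPv4 packet originating from the hub range to the internal passthrough load balancer in front of the NVAs, preceded by a higher-priority route that exempts the NVAs' own traffic, so that packets an NVA has already inspected and forwarded are not steered back into the load balancer. Resource names, the `nva` network tag and the forwarding rule `google_compute_forwarding_rule.nva_ilb` are assumptions; the `10.0.0.0/16` source range is the blueprint's default `hub-all` value.

```hcl
# Added example, not part of the blueprint. Assumed to exist elsewhere:
#   google_compute_network.hub              the hub VPC
#   google_compute_forwarding_rule.nva_ilb  internal passthrough LB whose backends are
#                                           the NVAs (load_balancing_scheme = "INTERNAL",
#                                           all_ports = true, so it can act as a next hop)
#   the network tag "nva" on the NVA instances, which also need can_ip_forward = true

locals {
  # Matches the blueprint's default var.ip_ranges["hub-all"]
  hub_all_range = "10.0.0.0/16"
}

# 1) Exemption, evaluated first (a lower priority value wins): packets sent by the
#    NVAs themselves follow normal VPC routing. Without this, a packet forwarded by
#    an NVA would match the catch-all below and be sent straight back to the ILB.
resource "google_network_connectivity_policy_based_route" "hub_nva_bypass" {
  name        = "hub-pbr-nva-bypass"
  description = "Skip PBR for traffic originating from the NVA instances"
  network     = google_compute_network.hub.id
  priority    = 100

  filter {
    protocol_version = "IPV4"
    ip_protocol      = "ALL"
    src_range        = "0.0.0.0/0"
    dest_range       = "0.0.0.0/0"
  }

  # Scope this route to the NVA VMs only, by network tag.
  virtual_machine {
    tags = ["nva"]
  }

  next_hop_other_routes = "DEFAULT_ROUTING"
}

# 2) Catch-all: every IPv4 packet originating from the hub range, to any
#    destination, is steered to the ILB VIP in front of the NVAs (the IPS).
resource "google_network_connectivity_policy_based_route" "hub_all_to_nva" {
  name        = "hub-pbr-all-to-nva"
  description = "Funnel all hub-originated traffic through the NVA ILB"
  network     = google_compute_network.hub.id
  priority    = 1000

  filter {
    protocol_version = "IPV4"
    ip_protocol      = "ALL"
    src_range        = local.hub_all_range
    dest_range       = "0.0.0.0/0"
  }

  # No virtual_machine or interconnect_attachment block: applies to all VMs in the VPC.
  next_hop_ilb_ip = google_compute_forwarding_rule.nva_ilb.ip_address
}
```

Two things to check when reproducing this: the NVA instances must have `can_ip_forward = true` or they will silently drop the forwarded packets, and the load balancer's health check probes (sourced from `35.191.0.0/16` and `130.211.0.0/22`) must be allowed by a firewall rule, or no NVA will ever be reported healthy.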

The blueprint has been purposefully kept simple to show how to use and wire VPCs together, and so that it can be used as a basis for experimentation.

This is the high-level diagram of this blueprint:

![High-level diagram](diagram.png "High-level diagram")

## Prerequisites

This blueprint is contained within a single project to keep complexity to a minimum, even though in a real-world scenario each spoke would probably use a separate project.

The blueprint can either create a new project or consume an existing one. If `var.project_create_config` is populated (with the billing account id and parent for the new project), the blueprint creates a new project with id `var.project_id`; otherwise it uses the existing project with that id.

## Testing reachability

After running Terraform, if `var.test_vms` is set to `true` (the default), a set of ping commands is printed as the `ping_commands` output, to check the reachability of all test VMs. The blueprint is configured so that all VMs can ping each other: SSH to each one and run the generated ping commands, e.g.:

```bash
ping -c 1 ext.example
ping -c 1 hub-a.example
ping -c 1 hub-b.example
ping -c 1 spoke-peering-a.example
ping -c 1 spoke-peering-b.example
ping -c 1 spoke-vpn-a.example
ping -c 1 spoke-vpn-b.example
```

## Testing IPS/NVA

Per blueprint setup, not all traffic flows through the deployed test NVAs. You should expect the following flows to be routed through them:

* `ext` to {`hub`, `peering-a`, `peering-b`, `vpn-a`, `vpn-b`}
* `peering-a` to {`ext`, `peering-b`}
* `peering-b` to {`ext`, `peering-a`}
* `vpn-a` to {`ext`}
* `vpn-b` to {`ext`}

Additional PBR routes could be configured to force all traffic coming from `vpn-{a,b}` through the NVAs; traffic coming from `peering-{a,b}`, however, can NOT be subjected to PBR routes, due to product constraints.

To observe the actual traffic flow, manually stop one of the NVA instances (so that all traffic is sent through a single VM), SSH to the remaining NVA instance and run the following commands:

```bash
# Setting the toolbox up might take a while since we're using cheap instances :)
$ toolbox

# Once inside the toolbox, capture ICMP on every interface: the NVA is attached to
# more than one VPC, so capturing on a single NIC can hide one direction of a flow
$ tcpdump -i any icmp -n

# To isolate a single flow, e.g. pings from the ext VM (10.255.0.0/16 by default)
$ tcpdump -i any -n 'icmp and src net 10.255.0.0/16'
```

<!-- TFDOC OPTS files:1 -->
<!-- BEGIN TFDOC -->
## Files

| name | description | modules | resources |
|---|---|---|---|
| [dns-hub.tf](./dns-hub.tf) | DNS setup. | <code>dns</code> | |
| [main.tf](./main.tf) | Project setup. | <code>project</code> | |
| [nva.tf](./nva.tf) | None | <code>compute-vm</code> · <code>simple-nva</code> | <code>google_compute_instance_group</code> |
| [outputs.tf](./outputs.tf) | Module outputs. | | |
| [test-resources.tf](./test-resources.tf) | None | | |
| [variables.tf](./variables.tf) | Module variables. | | |
| [vpc-ext.tf](./vpc-ext.tf) | External VPC. | <code>net-address</code> · <code>net-cloudnat</code> · <code>net-lb-int</code> · <code>net-vpc</code> · <code>net-vpc-firewall</code> | <code>google_compute_route</code> |
| [vpc-hub.tf](./vpc-hub.tf) | Internal Hub VPC. | <code>net-address</code> · <code>net-lb-int</code> · <code>net-vpc</code> · <code>net-vpc-firewall</code> · <code>net-vpc-peering</code> · <code>net-vpn-ha</code> | <code>google_compute_route</code> |
| [vpc-peering-a.tf](./vpc-peering-a.tf) | None | <code>net-vpc</code> · <code>net-vpc-firewall</code> | |
| [vpc-peering-b.tf](./vpc-peering-b.tf) | None | <code>net-vpc</code> · <code>net-vpc-firewall</code> | |
| [vpc-vpn-a.tf](./vpc-vpn-a.tf) | None | <code>net-vpc</code> · <code>net-vpc-firewall</code> · <code>net-vpn-ha</code> | |
| [vpc-vpn-b.tf](./vpc-vpn-b.tf) | None | <code>net-vpc</code> · <code>net-vpc-firewall</code> · <code>net-vpn-ha</code> | |

## Variables

| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
| [prefix](variables.tf#L37) | Prefix used for resource names. | <code>string</code> | ✓ | |
| [ip_ranges](variables.tf#L17) | Subnet/Routes IP CIDR ranges. | <code>map(string)</code> | | <code title="{ ext = "10.255.0.0/16" hub-a = "10.0.1.0/24" hub-all = "10.0.0.0/16" hub-b = "10.0.2.0/24" hub-nva = "10.0.0.0/24" int = "10.0.0.0/9" peering-a = "10.3.0.0/24" peering-b = "10.4.0.0/24" rfc1918_10 = "10.0.0.0/8" rfc1918_172 = "172.16.0.0/12" rfc1918_192 = "192.168.0.0/16" vpn-a = "10.1.0.0/24" vpn-b = "10.2.0.0/24" }">{…}</code> |
| [project_create_config](variables.tf#L46) | Populate with billing account id to trigger project creation. | <code title="object({ billing_account_id = string parent_id = string })">object({…})</code> | | <code>null</code> |
| [project_id](variables.tf#L55) | Project id for all resources. | <code>string</code> | | <code>"net-test-02"</code> |
| [region](variables.tf#L61) | Region used to deploy resources. | <code>string</code> | | <code>"europe-west8"</code> |
| [test_vms](variables.tf#L67) | Enable the creation of test resources. | <code>bool</code> | | <code>true</code> |

## Outputs

| name | description | sensitive |
|---|---|:---:|
| [ping_commands](outputs.tf#L17) | Ping commands that can be run to check VPC reachability. | |
<!-- END TFDOC -->

## Test

```hcl
module "test" {
  source = "./fabric/blueprints/networking/vpc-connectivity-lab"
  project_create_config = {
    billing_account_id = "123456-123456-123456"
    parent_id          = "folders/123456789"
  }
  project_id = "net-test-04"
  prefix     = "fast-sr0-sbox"
}

# tftest modules=35 resources=131
```