diff --git a/fast/docs/1-network-ranges.md b/fast/docs/1-network-ranges.md new file mode 100644 index 00000000..0536439e --- /dev/null +++ b/fast/docs/1-network-ranges.md @@ -0,0 +1,39 @@ +# IP ranges for network stages + +**authors:** [Ludo](https://github.com/ludoo), [Roberto](https://github.com/drebes), [Julio](https://github.com/jccb) \ +**date:** Sept 20, 2023 + +## Status + +Implemented + +## Context + +Adding or changing subnets to networking stages is a mistake-prone process because there is no clear IP plan. The problem was made worse when we began supporting GKE, which requires secondary ranges and a large number of IP addresses for pods and services. + +This was not an issue when there were only a few networking stages, but as FAST expands, it becomes more difficult to keep track of IP ranges for different regions and environments. + +## Decision + +We adopted an IP plan based on regions and environments with the following key points: +- Large ranges for the 3 environments we have out of the box (landing, dev, prod) +- Support for 2 regions +- Leave enough space to easily grow either the number of environments or regions +- Allocate large blocks from the CG-NAT range to use as secondary ranges, primarily for GKE pods and services. + +The following table summarizes the agreed IP plan: + +| | aggregate | landing | dev | prod | +|----------------------------|--------------:|-------------------------------------------------------------------:|--------------:|--------------:| +| Region 1, primary ranges | 10.64.0.0/12 | 10.64.0.0/16
Trusted: 10.64.0.0/17
Untrusted: 10.64.128.0/17 | 10.68.0.0/16 | 10.72.0.0/16 | +| Region 2, primary ranges | 10.80.0.0/12 | 10.80.0.0/16
Trusted: 10.80.0.0/17
Untrusted: 10.80.128.0/17 | 10.84.0.0/16 | 10.88.0.0/16 |
+| Region 1, secondary ranges | 100.64.0.0/12 | 100.64.0.0/14 | 100.68.0.0/14 | 100.72.0.0/14 |
+| Region 2, secondary ranges | 100.80.0.0/12 | 100.80.0.0/14 | 100.84.0.0/16 | 100.88.0.0/14 |
+
+To allocate additional secondary ranges for GKE clusters:
+- For the pods range, use the next available /16 in the secondary range of its region/environment pair.
+- For the service range, use the next available /24 in the last /16 of its region/environment pair.
+
+## Consequences
+
+Default subnets for networking stages were updated to reflect to new ranges.
diff --git a/fast/stages/2-networking-a-peering/data/subnets/dev/dev-dataplatform-ew1.yaml b/fast/stages/2-networking-a-peering/data/subnets/dev/dev-dataplatform-ew1.yaml
index 444903eb..b037772d 100644
--- a/fast/stages/2-networking-a-peering/data/subnets/dev/dev-dataplatform-ew1.yaml
+++ b/fast/stages/2-networking-a-peering/data/subnets/dev/dev-dataplatform-ew1.yaml
@@ -2,7 +2,7 @@
 region: europe-west1
 description: Default subnet for dev Data Platform
-ip_cidr_range: 10.127.48.0/24
+ip_cidr_range: 10.68.2.0/24
 secondary_ip_ranges:
- pods: 100.64.0.0/16
- services: 100.64.1.0/24
+ pods: 100.69.0.0/16
+ services: 100.71.2.0/24
diff --git a/fast/stages/2-networking-a-peering/data/subnets/dev/dev-default-ew1.yaml b/fast/stages/2-networking-a-peering/data/subnets/dev/dev-default-ew1.yaml
index 8b066ba7..fdb9c046 100644
--- a/fast/stages/2-networking-a-peering/data/subnets/dev/dev-default-ew1.yaml
+++ b/fast/stages/2-networking-a-peering/data/subnets/dev/dev-default-ew1.yaml
@@ -1,5 +1,5 @@
 # skip boilerplate check
 region: europe-west1
-ip_cidr_range: 10.128.32.0/24
+ip_cidr_range: 10.68.0.0/24
 description: Default subnet for dev
diff --git a/fast/stages/2-networking-a-peering/data/subnets/dev/dev-gke-nodes-ew1.yaml b/fast/stages/2-networking-a-peering/data/subnets/dev/dev-gke-nodes-ew1.yaml
index 74ca5f42..087056b9 100644
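Review bot: The Region 2 secondary-ranges row gives dev `100.84.0.0/16` while the other five cells in the two CG-NAT rows are /14s carved out of each region's /12, so this reads as a typo for `100.84.0.0/14`. Taken literally, a /16 for Region 2 dev would be consumed by the first cluster under the allocation rule that follows (one /16 for pods, services from the last /16), and it would be out of step with the Region 1 dev block that the dev subnet files in this commit draw from. The closing sentence also needs a word fix: `Default subnets for networking stages were updated to reflect the new ranges.`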
--- a/fast/stages/2-networking-a-peering/data/subnets/dev/dev-gke-nodes-ew1.yaml
+++ b/fast/stages/2-networking-a-peering/data/subnets/dev/dev-gke-nodes-ew1.yaml
@@ -2,7 +2,7 @@
 region: europe-west1
 description: Default subnet for prod gke nodes
-ip_cidr_range: 10.127.49.0/24
+ip_cidr_range: 10.68.1.0/24
 secondary_ip_ranges:
- pods: 100.65.0.0/16
- services: 100.65.1.0/24
+ pods: 100.68.0.0/16
+ services: 100.71.1.0/24
diff --git a/fast/stages/2-networking-a-peering/data/subnets/landing/landing-default-ew1.yaml b/fast/stages/2-networking-a-peering/data/subnets/landing/landing-default-ew1.yaml
index 5af68db6..3944c552 100644
--- a/fast/stages/2-networking-a-peering/data/subnets/landing/landing-default-ew1.yaml
+++ b/fast/stages/2-networking-a-peering/data/subnets/landing/landing-default-ew1.yaml
@@ -1,5 +1,5 @@
 # skip boilerplate check
 region: europe-west1
-ip_cidr_range: 10.128.0.0/24
+ip_cidr_range: 10.64.0.0/24
 description: Default subnet for landing
diff --git a/fast/stages/2-networking-a-peering/data/subnets/prod/prod-default-ew1.yaml b/fast/stages/2-networking-a-peering/data/subnets/prod/prod-default-ew1.yaml
index 0052eff9..66a96398 100644
--- a/fast/stages/2-networking-a-peering/data/subnets/prod/prod-default-ew1.yaml
+++ b/fast/stages/2-networking-a-peering/data/subnets/prod/prod-default-ew1.yaml
@@ -1,5 +1,5 @@
 # skip boilerplate check
 region: europe-west1
-ip_cidr_range: 10.128.64.0/24
+ip_cidr_range: 10.72.0.0/24
 description: Default subnet for prod
diff --git a/fast/stages/2-networking-b-vpn/data/subnets/dev/dev-dataplatform-ew1.yaml b/fast/stages/2-networking-b-vpn/data/subnets/dev/dev-dataplatform-ew1.yaml
index 444903eb..b037772d 100644
--- a/fast/stages/2-networking-b-vpn/data/subnets/dev/dev-dataplatform-ew1.yaml
+++ b/fast/stages/2-networking-b-vpn/data/subnets/dev/dev-dataplatform-ew1.yaml
@@ -2,7 +2,7 @@
 region: europe-west1
 description: Default subnet for dev Data Platform
-ip_cidr_range: 10.127.48.0/24
+ip_cidr_range: 10.68.2.0/24
 secondary_ip_ranges:
- pods: 100.64.0.0/16
- services: 100.64.1.0/24
+ pods: 100.69.0.0/16
+ services: 100.71.2.0/24
diff --git a/fast/stages/2-networking-b-vpn/data/subnets/dev/dev-default-ew1.yaml b/fast/stages/2-networking-b-vpn/data/subnets/dev/dev-default-ew1.yaml
index 8b066ba7..fdb9c046 100644
--- a/fast/stages/2-networking-b-vpn/data/subnets/dev/dev-default-ew1.yaml
+++ b/fast/stages/2-networking-b-vpn/data/subnets/dev/dev-default-ew1.yaml
@@ -1,5 +1,5 @@
 # skip boilerplate check
 region: europe-west1
-ip_cidr_range: 10.128.32.0/24
+ip_cidr_range: 10.68.0.0/24
 description: Default subnet for dev
diff --git a/fast/stages/2-networking-b-vpn/data/subnets/dev/dev-gke-nodes-ew1.yaml b/fast/stages/2-networking-b-vpn/data/subnets/dev/dev-gke-nodes-ew1.yaml
index 74ca5f42..087056b9 100644
--- a/fast/stages/2-networking-b-vpn/data/subnets/dev/dev-gke-nodes-ew1.yaml
+++ b/fast/stages/2-networking-b-vpn/data/subnets/dev/dev-gke-nodes-ew1.yaml
@@ -2,7 +2,7 @@
 region: europe-west1
 description: Default subnet for prod gke nodes
-ip_cidr_range: 10.127.49.0/24
+ip_cidr_range: 10.68.1.0/24
 secondary_ip_ranges:
- pods: 100.65.0.0/16
- services: 100.65.1.0/24
+ pods: 100.68.0.0/16
+ services: 100.71.1.0/24
diff --git a/fast/stages/2-networking-b-vpn/data/subnets/landing/landing-default-ew1.yaml b/fast/stages/2-networking-b-vpn/data/subnets/landing/landing-default-ew1.yaml
index 5af68db6..3944c552 100644
--- a/fast/stages/2-networking-b-vpn/data/subnets/landing/landing-default-ew1.yaml
+++ b/fast/stages/2-networking-b-vpn/data/subnets/landing/landing-default-ew1.yaml
@@ -1,5 +1,5 @@
 # skip boilerplate check
 region: europe-west1
-ip_cidr_range: 10.128.0.0/24
+ip_cidr_range: 10.64.0.0/24
 description: Default subnet for landing
diff --git a/fast/stages/2-networking-b-vpn/data/subnets/prod/prod-default-ew1.yaml b/fast/stages/2-networking-b-vpn/data/subnets/prod/prod-default-ew1.yaml
index 0052eff9..66a96398 100644
--- a/fast/stages/2-networking-b-vpn/data/subnets/prod/prod-default-ew1.yaml
+++ b/fast/stages/2-networking-b-vpn/data/subnets/prod/prod-default-ew1.yaml
@@ -1,5 +1,5 @@
 # skip boilerplate check
 region: europe-west1
-ip_cidr_range: 10.128.64.0/24
+ip_cidr_range: 10.72.0.0/24
 description: Default subnet for prod
diff --git a/fast/stages/2-networking-c-nva/README.md b/fast/stages/2-networking-c-nva/README.md
index bb79f900..9da69cfa 100644
--- a/fast/stages/2-networking-c-nva/README.md
+++ b/fast/stages/2-networking-c-nva/README.md
@@ -121,13 +121,13 @@ This is an options summary: Minimizing the number of routes (and subnets) in the cloud environment is important, as it simplifies management and it avoids hitting [Cloud Router](https://cloud.google.com/network-connectivity/docs/router/quotas) and [VPC](https://cloud.google.com/vpc/docs/quota) quotas and limits. For this reason, we recommend to carefully plan the IP space used in your cloud environment. This allows the use of larger IP CIDR blocks in routes, whenever possible. -This stage uses a dedicated /16 block (10.128.0.0/16), which should be sized to the own needs. The subnets created in each VPC derive from this range. +This stage uses a dedicated /11 block (10.64.0.0/11), which should be sized to the own needs. The subnets created in each VPC derive from this range. -The /16 block is evenly split in eight, smaller /19 blocks, assigned to different areas of the GCP network: *landing untrusted europe-west1*, *landing untrusted europe-west4*, *landing trusted europe-west1*, *landing untrusted europe-west4*, *development europe-west1*, *development europe-west4*, *production europe-west1*, *production europe-west4*. +The /11 block is evenly split in eight, smaller /16 blocks, assigned to different areas of the GCP network: *landing untrusted europe-west1*, *landing untrusted europe-west4*, *landing trusted europe-west1*, *landing untrusted europe-west4*, *development europe-west1*, *development europe-west4*, *production europe-west1*, *production europe-west4*. The first /24 range in every area is allocated for a default subnet, which can be removed or modified as needed. -Spoke VPCs also define and reserve three "special" CIDR ranges, derived from the respective /19, dedicated to +Spoke VPCs also define and reserve three "special" CIDR ranges, derived from their respective /16, dedicated to - [PSA (Private Service Access)](https://cloud.google.com/vpc/docs/private-services-access): 
@@ -147,24 +147,24 @@ This is a summary of the subnets allocated by default in this setup: | landing-trusted-default-ew4 | Trusted landing subnet - europe-west4 | 10.128.96.0/24 | | landing-untrusted-default-ew1 | Untrusted landing subnet - europe-west1 | 10.128.0.0/24 | | landing-untrusted-default-ew4 | Untrusted landing subnet - europe-west4 | 10.128.32.0/24 | -| dev-default-ew1 | Dev spoke subnet - europe-west1 | 10.128.128.0/24 | -| dev-default-ew1 (PSA MySQL) | PSA subnet for MySQL in dev spoke - europe-west1 | 10.128.157.0/24 | -| dev-default-ew1 (PSA SQL Server) | PSA subnet for Postgres in dev spoke - europe-west1 | 10.128.158.0/24 | -| dev-default-ew1 (L7 ILB) | L7 ILB subnet for dev spoke - europe-west1 | 10.128.92.0/24 | -| dev-default-ew4 | Dev spoke subnet - europe-west4 | 10.128.160.0/24 | -| dev-default-ew4 (PSA MySQL) | PSA subnet for MySQL in dev spoke - europe-west4 | 10.128.189.0/24 | -| dev-default-ew4 (PSA SQL Server) | PSA subnet for Postgres in dev spoke - europe-west4 | 10.128.190.0/24 | -| dev-default-ew4 (L7 ILB) | L7 ILB subnet for dev spoke - europe-west4 | 10.128.93.0/24 | -| prod-default-ew1 | Prod spoke subnet - europe-west1 | 10.128.192.0/24 | -| prod-default-ew1 (PSA MySQL) | PSA subnet for MySQL in prod spoke - europe-west1 | 10.128.221.0/24 | -| prod-default-ew1 (PSA SQL Server) | PSA subnet for Postgres in prod spoke - europe-west1 | 10.128.253.0/24 | -| prod-default-ew1 (L7 ILB) | L7 ILB subnet for prod spoke - europe-west1 | 10.128.60.0/24 | -| prod-default-ew4 | Prod spoke subnet - europe-west4 | 10.128.224.0/24 | -| prod-default-ew4 (PSA MySQL) | PSA subnet for MySQL in prod spoke - europe-west4 | 10.128.222.0/24 | -| prod-default-ew4 (PSA SQL Server) | PSA subnet for Postgres in prod spoke - europe-west4 | 10.128.254.0/24 | -| prod-default-ew4 (L7 ILB) | L7 ILB subnet for prod spoke - europe-west4 | 10.128.61.0/24 | +| dev-default-ew1 | Dev spoke subnet - europe-west1 | 10.68.0.0/24 | +| dev-default-ew1 (PSA MySQL) | PSA 
subnet for MySQL in dev spoke - europe-west1 | 10.68.253.0/24 | +| dev-default-ew1 (PSA SQL Server) | PSA subnet for Postgres in dev spoke - europe-west1 | 10.68.254.0/24 | +| dev-default-ew1 (L7 ILB) | L7 ILB subnet for dev spoke - europe-west1 | 10.68.255.0/24 | +| dev-default-ew4 | Dev spoke subnet - europe-west4 | 10.84.0.0/24 | +| dev-default-ew4 (PSA MySQL) | PSA subnet for MySQL in dev spoke - europe-west4 | 10.84.253.0/24 | +| dev-default-ew4 (PSA SQL Server) | PSA subnet for Postgres in dev spoke - europe-west4 | 10.84.254.0/24 | +| dev-default-ew4 (L7 ILB) | L7 ILB subnet for dev spoke - europe-west4 | 10.84.255.0/24 | +| prod-default-ew1 | Prod spoke subnet - europe-west1 | 10.72.0.0/24 | +| prod-default-ew1 (PSA MySQL) | PSA subnet for MySQL in prod spoke - europe-west1 | 10.72.253.0/24 | +| prod-default-ew1 (PSA SQL Server) | PSA subnet for Postgres in prod spoke - europe-west1 | 10.72.254.0/24 | +| prod-default-ew1 (L7 ILB) | L7 ILB subnet for prod spoke - europe-west1 | 10.72.255.0/24 | +| prod-default-ew4 | Prod spoke subnet - europe-west4 | 10.88.0.0/24 | +| prod-default-ew4 (PSA MySQL) | PSA subnet for MySQL in prod spoke - europe-west4 | 10.88.253.0/24 | +| prod-default-ew4 (PSA SQL Server) | PSA subnet for Postgres in prod spoke - europe-west4 | 10.88.254.0/24 | +| prod-default-ew4 (L7 ILB) | L7 ILB subnet for prod spoke - europe-west4 | 10.88.255.0/24 | -These subnets are advertised to on-premises as a whole /16 range (10.128.0.0/16). +These subnets can advertised to on-premises as an aggregate /11 range (10.64.0.0/11). Refer to the `var.vpn_onprem_primary_config.router_config` and `var.vpn_onprem_secondary_config.router_config` variables to configure it. 
Routes in GCP are either automatically created (for example, when a subnet is added to a VPC), manually created via static routes, dynamically exchanged through VPC peerings, or dynamically programmed by [Cloud Routers](https://cloud.google.com/network-connectivity/docs/router#docs) when a BGP session is established. BGP sessions can be configured to advertise VPC ranges, and/or custom ranges via custom advertisements. @@ -485,7 +485,7 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS | [custom_roles](variables.tf#L63) | Custom roles defined at the org level, in key => id format. | object({…}) | | null | 0-bootstrap | | [dns](variables.tf#L72) | Onprem DNS resolvers. | map(list(string)) | | {…} | | | [factories_config](variables.tf#L80) | Configuration for network resource factories. | object({…}) | | {…} | | -| [gcp_ranges](variables.tf#L111) | GCP address ranges in name => range format. | map(string) | | {…} | | +| [gcp_ranges](variables.tf#L111) | GCP address ranges in name => range format. | map(string) | | {…} | | | [onprem_cidr](variables.tf#L126) | Onprem addresses in name => range format. | map(string) | | {…} | | | [outputs_location](variables.tf#L144) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | string | | null | | | [psa_ranges](variables.tf#L161) | IP ranges used for Private Service Access (e.g. CloudSQL). Ranges is in name => range format. | object({…}) | | null | | diff --git a/fast/stages/2-networking-c-nva/data/subnets/dev/dev-dataplatform-ew1.yaml b/fast/stages/2-networking-c-nva/data/subnets/dev/dev-dataplatform-ew1.yaml index 444903eb..b037772d 100644 --- a/fast/stages/2-networking-c-nva/data/subnets/dev/dev-dataplatform-ew1.yaml +++ b/fast/stages/2-networking-c-nva/data/subnets/dev/dev-dataplatform-ew1.yaml 
@@ -2,7 +2,7 @@
 region: europe-west1
 description: Default subnet for dev Data Platform
-ip_cidr_range: 10.127.48.0/24
+ip_cidr_range: 10.68.2.0/24
 secondary_ip_ranges:
- pods: 100.64.0.0/16
- services: 100.64.1.0/24
+ pods: 100.69.0.0/16
+ services: 100.71.2.0/24
diff --git a/fast/stages/2-networking-c-nva/data/subnets/dev/dev-default-ew1.yaml b/fast/stages/2-networking-c-nva/data/subnets/dev/dev-default-ew1.yaml
index d6e4fcdb..0048f212 100644
--- a/fast/stages/2-networking-c-nva/data/subnets/dev/dev-default-ew1.yaml
+++ b/fast/stages/2-networking-c-nva/data/subnets/dev/dev-default-ew1.yaml
@@ -1,5 +1,5 @@
 # skip boilerplate check
 region: europe-west1
-ip_cidr_range: 10.128.128.0/24
+ip_cidr_range: 10.68.0.0/24
 description: Default europe-west1 subnet for dev
diff --git a/fast/stages/2-networking-c-nva/data/subnets/dev/dev-default-ew4.yaml b/fast/stages/2-networking-c-nva/data/subnets/dev/dev-default-ew4.yaml
index 2a070fb5..47f41b96 100644
--- a/fast/stages/2-networking-c-nva/data/subnets/dev/dev-default-ew4.yaml
+++ b/fast/stages/2-networking-c-nva/data/subnets/dev/dev-default-ew4.yaml
@@ -1,5 +1,5 @@
 # skip boilerplate check
 region: europe-west4
-ip_cidr_range: 10.128.160.0/24
+ip_cidr_range: 10.84.0.0/24
 description: Default europe-west4 subnet for dev
diff --git a/fast/stages/2-networking-c-nva/data/subnets/dev/dev-gke-nodes-ew1.yaml b/fast/stages/2-networking-c-nva/data/subnets/dev/dev-gke-nodes-ew1.yaml
new file mode 100644
index 00000000..087056b9
--- /dev/null
+++ b/fast/stages/2-networking-c-nva/data/subnets/dev/dev-gke-nodes-ew1.yaml
@@ -0,0 +1,8 @@
+# skip boilerplate check
+
+region: europe-west1
+description: Default subnet for prod gke nodes
+ip_cidr_range: 10.68.1.0/24
+secondary_ip_ranges:
+ pods: 100.68.0.0/16
+ services: 100.71.1.0/24
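Review bot: The new dev-gke-nodes-ew1.yaml labels a dev subnet as `Default subnet for prod gke nodes`, so the description field of the subnet created from 10.68.1.0/24 will say prod for a range the IP plan assigns to dev; it should read `description: Default subnet for dev gke nodes`. The identical new file is added under 2-networking-d-separate-envs and 2-networking-e-nva-bgp in this commit, and the pre-existing peering and vpn copies carry the same text as unchanged context, so all five are worth correcting together. Mislabelled environment metadata is the kind of thing that later misleads whoever is scoping firewall rules or reviewing an inventory, so it is cheap to fix now while the files are being touched.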
diff --git a/fast/stages/2-networking-c-nva/data/subnets/landing-trusted/landing-trusted-default-ew1.yaml b/fast/stages/2-networking-c-nva/data/subnets/landing-trusted/landing-trusted-default-ew1.yaml
index 1a83620c..66a234a5 100644
--- a/fast/stages/2-networking-c-nva/data/subnets/landing-trusted/landing-trusted-default-ew1.yaml
+++ b/fast/stages/2-networking-c-nva/data/subnets/landing-trusted/landing-trusted-default-ew1.yaml
@@ -1,5 +1,5 @@
 # skip boilerplate check
 region: europe-west1
-ip_cidr_range: 10.128.64.0/24
+ip_cidr_range: 10.64.0.0/24
 description: Default europe-west1 subnet for landing trusted
diff --git a/fast/stages/2-networking-c-nva/data/subnets/landing-trusted/landing-trusted-default-ew4.yaml b/fast/stages/2-networking-c-nva/data/subnets/landing-trusted/landing-trusted-default-ew4.yaml
index b302fef6..4507fe44 100644
--- a/fast/stages/2-networking-c-nva/data/subnets/landing-trusted/landing-trusted-default-ew4.yaml
+++ b/fast/stages/2-networking-c-nva/data/subnets/landing-trusted/landing-trusted-default-ew4.yaml
@@ -1,5 +1,5 @@
 # skip boilerplate check
 region: europe-west4
-ip_cidr_range: 10.128.96.0/24
+ip_cidr_range: 10.80.0.0/24
 description: Default europe-west4 subnet for landing trusted
diff --git a/fast/stages/2-networking-c-nva/data/subnets/landing-untrusted/landing-untrusted-default-ew1.yaml b/fast/stages/2-networking-c-nva/data/subnets/landing-untrusted/landing-untrusted-default-ew1.yaml
index fae0f2eb..7927eb3d 100644
--- a/fast/stages/2-networking-c-nva/data/subnets/landing-untrusted/landing-untrusted-default-ew1.yaml
+++ b/fast/stages/2-networking-c-nva/data/subnets/landing-untrusted/landing-untrusted-default-ew1.yaml
@@ -1,5 +1,5 @@
 # skip boilerplate check
 region: europe-west1
-ip_cidr_range: 10.128.0.0/24
+ip_cidr_range: 10.64.128.0/24
 description: Default europe-west1 subnet for landing untrusted
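Review bot: These landing defaults move landing-trusted-default-ew4 to `10.80.0.0/24`, landing-untrusted-default-ew1 to `10.64.128.0/24` and, in the next hunk, landing-untrusted-default-ew4 to `10.80.128.0/24`, but the subnet table in this stage's README, edited in the same commit, keeps those three rows as unchanged context at 10.128.96.0/24, 10.128.0.0/24 and 10.128.32.0/24, so the documented landing addresses no longer match what is deployed. The same three rows are stale in the 2-networking-e-nva-bgp README hunk, whose landing yaml files change identically. While updating that table, the README sentence `The /11 block is evenly split in eight, smaller /16 blocks` does not describe this layout (eight /16s only make up a /13, and the landing areas in variables.tf are /17s), and `These subnets can advertised to on-premises` needs `can be advertised`.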
diff --git a/fast/stages/2-networking-c-nva/data/subnets/landing-untrusted/landing-untrusted-default-ew4.yaml b/fast/stages/2-networking-c-nva/data/subnets/landing-untrusted/landing-untrusted-default-ew4.yaml
index 5588d55e..7461a860 100644
--- a/fast/stages/2-networking-c-nva/data/subnets/landing-untrusted/landing-untrusted-default-ew4.yaml
+++ b/fast/stages/2-networking-c-nva/data/subnets/landing-untrusted/landing-untrusted-default-ew4.yaml
@@ -1,5 +1,5 @@
 # skip boilerplate check
 region: europe-west4
-ip_cidr_range: 10.128.32.0/24
+ip_cidr_range: 10.80.128.0/24
 description: Default europe-west4 subnet for landing untrusted
diff --git a/fast/stages/2-networking-c-nva/data/subnets/prod/prod-default-ew1.yaml b/fast/stages/2-networking-c-nva/data/subnets/prod/prod-default-ew1.yaml
index 24155840..9b34bf44 100644
--- a/fast/stages/2-networking-c-nva/data/subnets/prod/prod-default-ew1.yaml
+++ b/fast/stages/2-networking-c-nva/data/subnets/prod/prod-default-ew1.yaml
@@ -1,5 +1,5 @@
 # skip boilerplate check
 region: europe-west1
-ip_cidr_range: 10.128.192.0/24
+ip_cidr_range: 10.72.0.0/24
 description: Default europe-west1 subnet for prod
diff --git a/fast/stages/2-networking-c-nva/data/subnets/prod/prod-default-ew4.yaml b/fast/stages/2-networking-c-nva/data/subnets/prod/prod-default-ew4.yaml
index 26260e42..a27e53b6 100644
--- a/fast/stages/2-networking-c-nva/data/subnets/prod/prod-default-ew4.yaml
+++ b/fast/stages/2-networking-c-nva/data/subnets/prod/prod-default-ew4.yaml
@@ -1,5 +1,5 @@
 # skip boilerplate check
 region: europe-west4
-ip_cidr_range: 10.128.224.0/24
+ip_cidr_range: 10.88.0.0/24
 description: Default europe-west4 subnet for prod
diff --git a/fast/stages/2-networking-c-nva/variables.tf b/fast/stages/2-networking-c-nva/variables.tf
index 67697a22..0780cfd9 100644
--- a/fast/stages/2-networking-c-nva/variables.tf
+++ b/fast/stages/2-networking-c-nva/variables.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2023 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -112,14 +112,14 @@ variable "gcp_ranges" {
 description = "GCP address ranges in name => range format."
 type = map(string)
 default = {
- gcp_dev_primary = "10.128.128.0/19"
- gcp_dev_secondary = "10.128.160.0/19"
- gcp_landing_trusted_primary = "10.128.64.0/19"
- gcp_landing_trusted_secondary = "10.128.96.0/19"
- gcp_landing_untrusted_primary = "10.128.0.0/19"
- gcp_landing_untrusted_secondary = "10.128.32.0/19"
- gcp_prod_primary = "10.128.192.0/19"
- gcp_prod_secondary = "10.128.224.0/19"
+ gcp_dev_primary = "10.68.0.0/16"
+ gcp_dev_secondary = "10.84.0.0/16"
+ gcp_landing_trusted_primary = "10.64.0.0/17"
+ gcp_landing_trusted_secondary = "10.80.0.0/17"
+ gcp_landing_untrusted_primary = "10.64.127.0/17"
+ gcp_landing_untrusted_secondary = "10.80.127.0/17"
+ gcp_prod_primary = "10.72.0.0/16"
+ gcp_prod_secondary = "10.88.0.0/16"
 }
 }
diff --git a/fast/stages/2-networking-d-separate-envs/data/subnets/dev/dev-dataplatform-ew1.yaml b/fast/stages/2-networking-d-separate-envs/data/subnets/dev/dev-dataplatform-ew1.yaml
index 444903eb..b037772d 100644
--- a/fast/stages/2-networking-d-separate-envs/data/subnets/dev/dev-dataplatform-ew1.yaml
+++ b/fast/stages/2-networking-d-separate-envs/data/subnets/dev/dev-dataplatform-ew1.yaml
@@ -2,7 +2,7 @@
 region: europe-west1
 description: Default subnet for dev Data Platform
-ip_cidr_range: 10.127.48.0/24
+ip_cidr_range: 10.68.2.0/24
 secondary_ip_ranges:
- pods: 100.64.0.0/16
- services: 100.64.1.0/24
+ pods: 100.69.0.0/16
+ services: 100.71.2.0/24
diff --git a/fast/stages/2-networking-d-separate-envs/data/subnets/dev/dev-default-ew1.yaml b/fast/stages/2-networking-d-separate-envs/data/subnets/dev/dev-default-ew1.yaml
index 8b066ba7..fdb9c046 100644
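Review bot: `gcp_landing_untrusted_primary = "10.64.127.0/17"` and `gcp_landing_untrusted_secondary = "10.80.127.0/17"` are not valid /17 network addresses: 10.64.127.0 lies inside 10.64.0.0/17, the block assigned to gcp_landing_trusted_primary two lines above, and the aligned /17 that contains it is that trusted block. The ADR table added in this commit and the landing-untrusted-default-ew1/-ew4 subnet files (10.64.128.0/24 and 10.80.128.0/24) both place untrusted in the upper half of each region's /16, so the intended values are `gcp_landing_untrusted_primary = "10.64.128.0/17"` and `gcp_landing_untrusted_secondary = "10.80.128.0/17"`. I cannot see from this hunk what consumes gcp_ranges, but wherever these strings feed routes, firewall source ranges or BGP advertisements, an unaligned prefix will either be rejected at plan/apply time or be normalized to 10.64.0.0/17, in which case the "untrusted" range silently becomes the trusted one and the boundary the two names are meant to express disappears. A `validation` block on this variable that rejects any value whose address is not the network address of its prefix would catch this class of typo before apply.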
--- a/fast/stages/2-networking-d-separate-envs/data/subnets/dev/dev-default-ew1.yaml
+++ b/fast/stages/2-networking-d-separate-envs/data/subnets/dev/dev-default-ew1.yaml
@@ -1,5 +1,5 @@
 # skip boilerplate check
 region: europe-west1
-ip_cidr_range: 10.128.32.0/24
+ip_cidr_range: 10.68.0.0/24
 description: Default subnet for dev
diff --git a/fast/stages/2-networking-d-separate-envs/data/subnets/dev/dev-gke-nodes-ew1.yaml b/fast/stages/2-networking-d-separate-envs/data/subnets/dev/dev-gke-nodes-ew1.yaml
new file mode 100644
index 00000000..087056b9
--- /dev/null
+++ b/fast/stages/2-networking-d-separate-envs/data/subnets/dev/dev-gke-nodes-ew1.yaml
@@ -0,0 +1,8 @@
+# skip boilerplate check
+
+region: europe-west1
+description: Default subnet for prod gke nodes
+ip_cidr_range: 10.68.1.0/24
+secondary_ip_ranges:
+ pods: 100.68.0.0/16
+ services: 100.71.1.0/24
diff --git a/fast/stages/2-networking-d-separate-envs/data/subnets/prod/prod-default-ew1.yaml b/fast/stages/2-networking-d-separate-envs/data/subnets/prod/prod-default-ew1.yaml
index 0052eff9..66a96398 100644
--- a/fast/stages/2-networking-d-separate-envs/data/subnets/prod/prod-default-ew1.yaml
+++ b/fast/stages/2-networking-d-separate-envs/data/subnets/prod/prod-default-ew1.yaml
@@ -1,5 +1,5 @@
 # skip boilerplate check
 region: europe-west1
-ip_cidr_range: 10.128.64.0/24
+ip_cidr_range: 10.72.0.0/24
 description: Default subnet for prod
diff --git a/fast/stages/2-networking-e-nva-bgp/README.md b/fast/stages/2-networking-e-nva-bgp/README.md
index 9c56a781..3b00bdd8 100644
--- a/fast/stages/2-networking-e-nva-bgp/README.md
+++ b/fast/stages/2-networking-e-nva-bgp/README.md
@@ -144,13 +144,13 @@ This is an options summary: Minimizing the number of routes (and subnets) in the cloud environment is important, as it simplifies management and it avoids hitting [Cloud Router](https://cloud.google.com/network-connectivity/docs/router/quotas) and [VPC](https://cloud.google.com/vpc/docs/quota) quotas and limits. For this reason, we recommend to carefully plan the IP space used in your cloud environment. This allows the use of larger IP CIDR blocks in routes, whenever possible. -This stage uses a dedicated /16 block (10.128.0.0/16), which should be sized to the own needs. The subnets created in each VPC derive from this range. +This stage uses a dedicated /11 block (10.64.0.0/11), which should be sized to the own needs. The subnets created in each VPC derive from this range. -The /16 block is evenly split in eight, smaller /19 blocks, assigned to different areas of the GCP network: *landing untrusted europe-west1*, *landing untrusted europe-west4*, *landing trusted europe-west1*, *landing untrusted europe-west4*, *development europe-west1*, *development europe-west4*, *production europe-west1*, *production europe-west4*. +The /11 block is evenly split in eight, smaller /16 blocks, assigned to different areas of the GCP network: *landing untrusted europe-west1*, *landing untrusted europe-west4*, *landing trusted europe-west1*, *landing untrusted europe-west4*, *development europe-west1*, *development europe-west4*, *production europe-west1*, *production europe-west4*. The first /24 range in every area is allocated for a default subnet, which can be removed or modified as needed. -Spoke VPCs also define and reserve three "special" CIDR ranges, derived from the respective /19, dedicated to +Spoke VPCs also define and reserve three "special" CIDR ranges, derived from their respective /16, dedicated to - [PSA (Private Service Access)](https://cloud.google.com/vpc/docs/private-services-access): 
@@ -170,24 +170,24 @@ This is a summary of the subnets allocated by default in this setup: | landing-trusted-default-ew4 | Trusted landing subnet - europe-west4 | 10.128.96.0/24 | | landing-untrusted-default-ew1 | Untrusted landing subnet - europe-west1 | 10.128.0.0/24 | | landing-untrusted-default-ew4 | Untrusted landing subnet - europe-west4 | 10.128.32.0/24 | -| dev-default-ew1 | Dev spoke subnet - europe-west1 | 10.128.128.0/24 | -| dev-default-ew1 (PSA MySQL) | PSA subnet for MySQL in dev spoke - europe-west1 | 10.128.157.0/24 | -| dev-default-ew1 (PSA SQL Server) | PSA subnet for Postgres in dev spoke - europe-west1 | 10.128.158.0/24 | -| dev-default-ew1 (L7 ILB) | L7 ILB subnet for dev spoke - europe-west1 | 10.128.92.0/24 | -| dev-default-ew4 | Dev spoke subnet - europe-west4 | 10.128.160.0/24 | -| dev-default-ew4 (PSA MySQL) | PSA subnet for MySQL in dev spoke - europe-west4 | 10.128.189.0/24 | -| dev-default-ew4 (PSA SQL Server) | PSA subnet for Postgres in dev spoke - europe-west4 | 10.128.190.0/24 | -| dev-default-ew4 (L7 ILB) | L7 ILB subnet for dev spoke - europe-west4 | 10.128.93.0/24 | -| prod-default-ew1 | Prod spoke subnet - europe-west1 | 10.128.192.0/24 | -| prod-default-ew1 (PSA MySQL) | PSA subnet for MySQL in prod spoke - europe-west1 | 10.128.221.0/24 | -| prod-default-ew1 (PSA SQL Server) | PSA subnet for Postgres in prod spoke - europe-west1 | 10.128.253.0/24 | -| prod-default-ew1 (L7 ILB) | L7 ILB subnet for prod spoke - europe-west1 | 10.128.60.0/24 | -| prod-default-ew4 | Prod spoke subnet - europe-west4 | 10.128.224.0/24 | -| prod-default-ew4 (PSA MySQL) | PSA subnet for MySQL in prod spoke - europe-west4 | 10.128.222.0/24 | -| prod-default-ew4 (PSA SQL Server) | PSA subnet for Postgres in prod spoke - europe-west4 | 10.128.254.0/24 | -| prod-default-ew4 (L7 ILB) | L7 ILB subnet for prod spoke - europe-west4 | 10.128.61.0/24 | +| dev-default-ew1 | Dev spoke subnet - europe-west1 | 10.68.0.0/24 | +| dev-default-ew1 (PSA MySQL) | PSA 
subnet for MySQL in dev spoke - europe-west1 | 10.68.253.0/24 | +| dev-default-ew1 (PSA SQL Server) | PSA subnet for Postgres in dev spoke - europe-west1 | 10.68.254.0/24 | +| dev-default-ew1 (L7 ILB) | L7 ILB subnet for dev spoke - europe-west1 | 10.68.255.0/24 | +| dev-default-ew4 | Dev spoke subnet - europe-west4 | 10.84.0.0/24 | +| dev-default-ew4 (PSA MySQL) | PSA subnet for MySQL in dev spoke - europe-west4 | 10.84.253.0/24 | +| dev-default-ew4 (PSA SQL Server) | PSA subnet for Postgres in dev spoke - europe-west4 | 10.84.254.0/24 | +| dev-default-ew4 (L7 ILB) | L7 ILB subnet for dev spoke - europe-west4 | 10.84.255.0/24 | +| prod-default-ew1 | Prod spoke subnet - europe-west1 | 10.72.0.0/24 | +| prod-default-ew1 (PSA MySQL) | PSA subnet for MySQL in prod spoke - europe-west1 | 10.72.253.0/24 | +| prod-default-ew1 (PSA SQL Server) | PSA subnet for Postgres in prod spoke - europe-west1 | 10.72.254.0/24 | +| prod-default-ew1 (L7 ILB) | L7 ILB subnet for prod spoke - europe-west1 | 10.72.255.0/24 | +| prod-default-ew4 | Prod spoke subnet - europe-west4 | 10.88.0.0/24 | +| prod-default-ew4 (PSA MySQL) | PSA subnet for MySQL in prod spoke - europe-west4 | 10.88.253.0/24 | +| prod-default-ew4 (PSA SQL Server) | PSA subnet for Postgres in prod spoke - europe-west4 | 10.88.254.0/24 | +| prod-default-ew4 (L7 ILB) | L7 ILB subnet for prod spoke - europe-west4 | 10.88.255.0/24 | -These subnets are advertised to on-premises as a whole /16 range (10.128.0.0/16). +These subnets can advertised to on-premises as an aggregate /11 range (10.64.0.0/11). Refer to the `var.vpn_onprem_primary_config.router_config` and `var.vpn_onprem_secondary_config.router_config` variables to configure it. 
Routes in GCP are either automatically created (for example, when a subnet is added to a VPC), manually created via static routes, dynamically exchanged through VPC peerings, or dynamically programmed by [Cloud Routers](https://cloud.google.com/network-connectivity/docs/router#docs) when a BGP session is established. BGP sessions can be configured to advertise VPC ranges, and/or custom ranges via custom advertisements. @@ -511,7 +511,7 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS | [custom_roles](variables.tf#L63) | Custom roles defined at the org level, in key => id format. | object({…}) | | null | 0-bootstrap | | [dns](variables.tf#L72) | Onprem DNS resolvers. | map(list(string)) | | {…} | | | [factories_config](variables.tf#L80) | Configuration for network resource factories. | object({…}) | | {…} | | -| [gcp_ranges](variables.tf#L111) | GCP address ranges in name => range format. | map(string) | | {…} | | +| [gcp_ranges](variables.tf#L111) | GCP address ranges in name => range format. | map(string) | | {…} | | | [ncc_asn](variables.tf#L126) | The NCC Cloud Routers ASN configuration. | map(number) | | {…} | | | [onprem_cidr](variables.tf#L137) | Onprem addresses in name => range format. | map(string) | | {…} | | | [outputs_location](variables.tf#L155) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | string | | null | | diff --git a/fast/stages/2-networking-e-nva-bgp/data/subnets/dev/dev-dataplatform-ew1.yaml b/fast/stages/2-networking-e-nva-bgp/data/subnets/dev/dev-dataplatform-ew1.yaml index 1a8596b0..b037772d 100644 --- a/fast/stages/2-networking-e-nva-bgp/data/subnets/dev/dev-dataplatform-ew1.yaml +++ b/fast/stages/2-networking-e-nva-bgp/data/subnets/dev/dev-dataplatform-ew1.yaml 
@@ -2,7 +2,7 @@
 region: europe-west1
 description: Default subnet for dev Data Platform
-ip_cidr_range: 10.127.48.0/24
+ip_cidr_range: 10.68.2.0/24
 secondary_ip_ranges:
- pods: 100.64.0.0/16
- services: 100.64.1.0/24
+ pods: 100.69.0.0/16
+ services: 100.71.2.0/24
diff --git a/fast/stages/2-networking-e-nva-bgp/data/subnets/dev/dev-default-ew1.yaml b/fast/stages/2-networking-e-nva-bgp/data/subnets/dev/dev-default-ew1.yaml
index d6e4fcdb..0048f212 100644
--- a/fast/stages/2-networking-e-nva-bgp/data/subnets/dev/dev-default-ew1.yaml
+++ b/fast/stages/2-networking-e-nva-bgp/data/subnets/dev/dev-default-ew1.yaml
@@ -1,5 +1,5 @@
 # skip boilerplate check
 region: europe-west1
-ip_cidr_range: 10.128.128.0/24
+ip_cidr_range: 10.68.0.0/24
 description: Default europe-west1 subnet for dev
diff --git a/fast/stages/2-networking-e-nva-bgp/data/subnets/dev/dev-default-ew4.yaml b/fast/stages/2-networking-e-nva-bgp/data/subnets/dev/dev-default-ew4.yaml
index 2a070fb5..47f41b96 100644
--- a/fast/stages/2-networking-e-nva-bgp/data/subnets/dev/dev-default-ew4.yaml
+++ b/fast/stages/2-networking-e-nva-bgp/data/subnets/dev/dev-default-ew4.yaml
@@ -1,5 +1,5 @@
 # skip boilerplate check
 region: europe-west4
-ip_cidr_range: 10.128.160.0/24
+ip_cidr_range: 10.84.0.0/24
 description: Default europe-west4 subnet for dev
diff --git a/fast/stages/2-networking-e-nva-bgp/data/subnets/dev/dev-gke-nodes-ew1.yaml b/fast/stages/2-networking-e-nva-bgp/data/subnets/dev/dev-gke-nodes-ew1.yaml
new file mode 100644
index 00000000..087056b9
--- /dev/null
+++ b/fast/stages/2-networking-e-nva-bgp/data/subnets/dev/dev-gke-nodes-ew1.yaml
@@ -0,0 +1,8 @@
+# skip boilerplate check
+
+region: europe-west1
+description: Default subnet for prod gke nodes
+ip_cidr_range: 10.68.1.0/24
+secondary_ip_ranges:
+ pods: 100.68.0.0/16
+ services: 100.71.1.0/24
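Review bot: The new `dev/dev-gke-nodes-ew1.yaml` file describes itself as a prod subnet (`description: Default subnet for prod gke nodes`) while it lives under the dev folder and carries dev ranges (10.68.1.0/24, pods 100.68.0.0/16); since the description is what operators see in the console and in exports, it should read `description: Default subnet for dev gke nodes`. A mismatch like this is easy to miss in a change that touches this many subnet files, so a small test asserting that each subnet file's description names the environment of its directory would be cheap to add.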
diff --git a/fast/stages/2-networking-e-nva-bgp/data/subnets/landing-trusted/landing-trusted-default-ew1.yaml b/fast/stages/2-networking-e-nva-bgp/data/subnets/landing-trusted/landing-trusted-default-ew1.yaml
index 1a83620c..66a234a5 100644
--- a/fast/stages/2-networking-e-nva-bgp/data/subnets/landing-trusted/landing-trusted-default-ew1.yaml
+++ b/fast/stages/2-networking-e-nva-bgp/data/subnets/landing-trusted/landing-trusted-default-ew1.yaml
@@ -1,5 +1,5 @@
 # skip boilerplate check
 region: europe-west1
-ip_cidr_range: 10.128.64.0/24
+ip_cidr_range: 10.64.0.0/24
 description: Default europe-west1 subnet for landing trusted
diff --git a/fast/stages/2-networking-e-nva-bgp/data/subnets/landing-trusted/landing-trusted-default-ew4.yaml b/fast/stages/2-networking-e-nva-bgp/data/subnets/landing-trusted/landing-trusted-default-ew4.yaml
index b302fef6..4507fe44 100644
--- a/fast/stages/2-networking-e-nva-bgp/data/subnets/landing-trusted/landing-trusted-default-ew4.yaml
+++ b/fast/stages/2-networking-e-nva-bgp/data/subnets/landing-trusted/landing-trusted-default-ew4.yaml
@@ -1,5 +1,5 @@
 # skip boilerplate check
 region: europe-west4
-ip_cidr_range: 10.128.96.0/24
+ip_cidr_range: 10.80.0.0/24
 description: Default europe-west4 subnet for landing trusted
diff --git a/fast/stages/2-networking-e-nva-bgp/data/subnets/landing-untrusted/landing-untrusted-default-ew1.yaml b/fast/stages/2-networking-e-nva-bgp/data/subnets/landing-untrusted/landing-untrusted-default-ew1.yaml
index fae0f2eb..7927eb3d 100644
--- a/fast/stages/2-networking-e-nva-bgp/data/subnets/landing-untrusted/landing-untrusted-default-ew1.yaml
+++ b/fast/stages/2-networking-e-nva-bgp/data/subnets/landing-untrusted/landing-untrusted-default-ew1.yaml
@@ -1,5 +1,5 @@
 # skip boilerplate check
 region: europe-west1
-ip_cidr_range: 10.128.0.0/24
+ip_cidr_range: 10.64.128.0/24
 description: Default europe-west1 subnet for landing untrusted
diff --git a/fast/stages/2-networking-e-nva-bgp/data/subnets/landing-untrusted/landing-untrusted-default-ew4.yaml b/fast/stages/2-networking-e-nva-bgp/data/subnets/landing-untrusted/landing-untrusted-default-ew4.yaml
index 5588d55e..7461a860 100644
--- a/fast/stages/2-networking-e-nva-bgp/data/subnets/landing-untrusted/landing-untrusted-default-ew4.yaml
+++ b/fast/stages/2-networking-e-nva-bgp/data/subnets/landing-untrusted/landing-untrusted-default-ew4.yaml
@@ -1,5 +1,5 @@
 # skip boilerplate check
 region: europe-west4
-ip_cidr_range: 10.128.32.0/24
+ip_cidr_range: 10.80.128.0/24
 description: Default europe-west4 subnet for landing untrusted
diff --git a/fast/stages/2-networking-e-nva-bgp/data/subnets/prod/prod-default-ew1.yaml b/fast/stages/2-networking-e-nva-bgp/data/subnets/prod/prod-default-ew1.yaml
index 24155840..9b34bf44 100644
--- a/fast/stages/2-networking-e-nva-bgp/data/subnets/prod/prod-default-ew1.yaml
+++ b/fast/stages/2-networking-e-nva-bgp/data/subnets/prod/prod-default-ew1.yaml
@@ -1,5 +1,5 @@
 # skip boilerplate check
 region: europe-west1
-ip_cidr_range: 10.128.192.0/24
+ip_cidr_range: 10.72.0.0/24
 description: Default europe-west1 subnet for prod
diff --git a/fast/stages/2-networking-e-nva-bgp/data/subnets/prod/prod-default-ew4.yaml b/fast/stages/2-networking-e-nva-bgp/data/subnets/prod/prod-default-ew4.yaml
index 26260e42..a27e53b6 100644
--- a/fast/stages/2-networking-e-nva-bgp/data/subnets/prod/prod-default-ew4.yaml
+++ b/fast/stages/2-networking-e-nva-bgp/data/subnets/prod/prod-default-ew4.yaml
@@ -1,5 +1,5 @@
 # skip boilerplate check
 region: europe-west4
-ip_cidr_range: 10.128.224.0/24
+ip_cidr_range: 10.88.0.0/24
 description: Default europe-west4 subnet for prod
diff --git a/fast/stages/2-networking-e-nva-bgp/variables.tf b/fast/stages/2-networking-e-nva-bgp/variables.tf
index a784fda3..7ae8c048 100644
--- a/fast/stages/2-networking-e-nva-bgp/variables.tf
+++ b/fast/stages/2-networking-e-nva-bgp/variables.tf
@@ -112,14 +112,14 @@ variable "gcp_ranges" {
 description = "GCP address ranges in name => range format."
 type = map(string)
 default = {
- gcp_dev_primary = "10.128.128.0/19"
- gcp_dev_secondary = "10.128.160.0/19"
- gcp_landing_trusted_primary = "10.128.64.0/19"
- gcp_landing_trusted_secondary = "10.128.96.0/19"
- gcp_landing_untrusted_primary = "10.128.0.0/19"
- gcp_landing_untrusted_secondary = "10.128.32.0/19"
- gcp_prod_primary = "10.128.192.0/19"
- gcp_prod_secondary = "10.128.224.0/19"
+ gcp_dev_primary = "10.68.0.0/16"
+ gcp_dev_secondary = "10.84.0.0/16"
+ gcp_landing_trusted_primary = "10.64.0.0/17"
+ gcp_landing_trusted_secondary = "10.80.0.0/17"
+ gcp_landing_untrusted_primary = "10.64.127.0/17"
+ gcp_landing_untrusted_secondary = "10.80.127.0/17"
+ gcp_prod_primary = "10.72.0.0/16"
+ gcp_prod_secondary = "10.88.0.0/16"
 }
 }
diff --git a/tests/fast/stages/s2_networking_c_nva/stage.yaml b/tests/fast/stages/s2_networking_c_nva/stage.yaml
index e1ce4a05..ff699bf9 100644
--- a/tests/fast/stages/s2_networking_c_nva/stage.yaml
+++ b/tests/fast/stages/s2_networking_c_nva/stage.yaml
@@ -14,4 +14,4 @@ counts:
 modules: 42
- resources: 200
+ resources: 201
diff --git a/tests/fast/stages/s2_networking_d_separate_envs/stage.yaml b/tests/fast/stages/s2_networking_d_separate_envs/stage.yaml
index e2b6fe64..fe8ab2d6 100644
--- a/tests/fast/stages/s2_networking_d_separate_envs/stage.yaml
+++ b/tests/fast/stages/s2_networking_d_separate_envs/stage.yaml
@@ -14,4 +14,4 @@ counts:
 modules: 21
- resources: 170
+ resources: 171
diff --git a/tests/fast/stages/s2_networking_e_nva_bgp/stage.yaml b/tests/fast/stages/s2_networking_e_nva_bgp/stage.yaml
index bc557683..2c1d072e 100644
--- a/tests/fast/stages/s2_networking_e_nva_bgp/stage.yaml
+++ b/tests/fast/stages/s2_networking_e_nva_bgp/stage.yaml
@@ -14,4 +14,4 @@ counts:
 modules: 36
- resources: 211
+ resources: 212
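Review bot: The two landing-untrusted entries in the new `gcp_ranges` default are not aligned to their prefix length: `gcp_landing_untrusted_primary = "10.64.127.0/17"` and `gcp_landing_untrusted_secondary = "10.80.127.0/17"` have host bits set, while the untrusted subnet files changed in this same commit sit at 10.64.128.0/24 and 10.80.128.0/24, i.e. in the upper /17 of each /16. Whatever consumes this map (firewall rules, routes, advertisements) will either reject the value or normalize it to the network address, and 10.64.127.0/17 normalizes to 10.64.0.0/17, the trusted block, so a rule meant to match untrusted traffic would silently cover the trusted range and miss the real untrusted subnets. The intended values are `gcp_landing_untrusted_primary = "10.64.128.0/17"` and `gcp_landing_untrusted_secondary = "10.80.128.0/17"`. A `validation` block on this variable comparing each value's address part with `cidrhost(v, 0)` would turn this kind of slip into a plan-time error rather than a mis-scoped rule.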