F5 deployment blueprint (#1883)
Co-authored-by: Luca Prete <lucaprete@google.com>
This commit is contained in:
Luca Prete
GitHub
parent
a89a49d85a
commit
56fcb4f88a
|
|
@ -24,6 +24,6 @@ The blueprints in this folder show how to automate installation of specific thir
|
|||
|
||||
### F5 BigIP
|
||||
|
||||
<a href="./f5-bigip/" title="F5 BigIP"><img src="./phpipam/diagram.png" align="left" width="320px"></a> <p style="margin-left: 340px">These examples show how to deploy both private and public active/active F5 BigIP-VE load balancers in GCP.</p>
|
||||
<a href="./f5-bigip/" title="F5 BigIP"><img src="./phpipam/diagram.png" align="left" width="320px"></a> <p style="margin-left: 340px">These examples show how to deploy F5 BigIP-VE load balancers in GCP.</p>
|
||||
|
||||
<br clear="left">
|
||||
|
|
@ -6,6 +6,12 @@ The blueprints in this folder show how to deploy both private and public active/
|
|||
|
||||
### F5 BigIP
|
||||
|
||||
<a href="./f5-bigip-ha-active/" title="F5 BigIP HA active-active"><img src="./f5-bigip-ha-active/diagram.png" align="left" width="320px"></a> <p style="margin-left: 340px">This example shows how to deploy both private and public active/active F5 BigIP-VE load balancers in GCP. It deploys external and/or internal GCP network passthrough load balancers in front of the F5 VMs in order to load balance the ingress traffic between them and it supports both IPv4 and IPv6.</p>
|
||||
<a href="./f5-bigip-ha-active/" title="F5 BigIP HA active-active"><img src="./f5-bigip-ha-active/diagram.png" align="left" width="320px"></a> <p style="margin-left: 340px">This blueprint shows how to deploy both private and public active/active F5 BigIP-VE load balancers in GCP. It deploys external and/or internal GCP network passthrough load balancers in front of the F5 VMs in order to load balance the ingress traffic and it supports both IPv4 and IPv6.</p>
|
||||
|
||||
<br clear="left">
|
||||
<br clear="left">
|
||||
|
||||
### F5 BigIP-HA deployment
|
||||
|
||||
<a href="./f5-bigip-ha-active/" title="F5 BigIP HA active-active"><img src="./f5-bigip-ha-active/diagram.png" align="left" width="320px"></a> <p style="margin-left: 340px">The blueprint demonstrates how to deploy active-active F5 BigIP load balancers in a VPC, leveraging the [f5-big-ha-active blueprint](./f5-bigip-ha-active/README.md). In this example, the load balancer is exposed to internal sample clients only and it can handle both IPv4 and an IPv6 traffic.</p>
|
||||
|
||||
<br clear="left">
|
||||
|
|
|
|||
|
|
@ -0,0 +1,122 @@
|
|||
# F5 Big-IP
|
||||
|
||||
This blueprint shows how to the deploy [F5 BigIP Virtual Edition (VE)](https://www.f5.com/trials/big-ip-virtual-edition) on GCP, leveraging the [f5-bigip-ha-active blueprint](../f5-bigip-ha-active/README.md).
|
||||
|
||||
<p align="center">
|
||||
<img src="diagram.svg" alt="Networking diagram">
|
||||
</p>
|
||||
|
||||
Calling the [f5-bigip-ha-active blueprint](../f5-bigip-ha-active/README.md), we deploy:
|
||||
- 2 F5 BigIP VMs, each in an unmanaged instance group, in a dedicated zone
|
||||
- 1 internal network passthrough load balancer in `L3_default` mode, pointing to the F5 instance groups. By default, the load balancer will expose two forwarding rules (IPs): one for IPv4, one for IPv6
|
||||
|
||||
Additionally, we deploy directly through this blueprint:
|
||||
- 1 project containing all the other resources (optional)
|
||||
- 1 dataplane VPC where all VM NICs are attached, equipped with Cloud NAT (so that the backend VMs can access the Internet). One subnet is dedicated to clients. One subnet is dedicated to F5 VMs and backend VMs
|
||||
- 1 management VPC used by F5 VMs only, equipped with Cloud NAT (for F5 management connectivity)
|
||||
- 2 demo backend VMs running Nginx, installed at startup
|
||||
- Different firewall rules to allow the clients to connect to the F5 instances, and the F5 instances to connect to the backends
|
||||
- 1 static route in the dataplane VPC that forwards traffic destined to the backends to the internal network passthrough load balancer
|
||||
|
||||
## Apply this blueprint
|
||||
|
||||
- If you're leveraging an existing project, make sure you have the roles to attach service accounts and log into VMs (typically, `roles/iam.serviceAccountUser`).
|
||||
- Register an F5 BigIP-VE license or apply for an F5 BigIP-VE trial license.
|
||||
- Substitute the default values for each F5 instance in the `instance_dedicated_config` variable.
|
||||
- Substitute the [default public key](data/my_key.pub) in the `data` folder with your own public key. This should automatically grant you SSH access.
|
||||
- Run `terraform init, terraform apply`
|
||||
- At startup, the F5 VMs should download some software and reboot twice. Check the serial console logs to make sure everything works as expected and no errors occur.
|
||||
|
||||
Please, refer to the [blueprint documentation](../f5-bigip-ha-active/README.md) for variables definitions and further module customizations.
|
||||
|
||||
## Access the F5 machines through IAP tunnels
|
||||
|
||||
F5 management IPs are private. If you haven't setup any hybrid connectivity (i.e. VPN/Interconnect) you can still access the VMs with SSH and their GUI leveraging IAP tunnels.
|
||||
|
||||
```shell
|
||||
gcloud compute ssh YOUR_F5_VM_NAME \
|
||||
--project YOUR_PROJECT \
|
||||
--zone europe-west8-a -- \
|
||||
-L 4431:127.0.0.1:8443 \
|
||||
-L 221:127.0.0.1:22 \
|
||||
-N -q -f
|
||||
|
||||
gcloud compute ssh YOUR_F5_VM_NAME \
|
||||
--project YOUR_PROJECT \
|
||||
--zone europe-west8-b -- \
|
||||
-L 4432:127.0.0.1:8443 \
|
||||
-L 222:127.0.0.1:22 \
|
||||
-N -q -f
|
||||
```
|
||||
|
||||
Once tunnels are established, from your machine:
|
||||
|
||||
Connect to the machine in zone `a` using:
|
||||
- SSH: `127.0.0.1`, port `221`
|
||||
- GUI: `127.0.0.1`, port `4431`
|
||||
|
||||
Connect to the machine in zone `b` using:
|
||||
- SSH: `127.0.0.1`, port `222`
|
||||
- GUI: `127.0.0.1`, port `4432`
|
||||
|
||||
The default username is `admin` and the password is `MyFabricSecret123!`
|
||||
|
||||
## F5 configuration
|
||||
|
||||
Please, refer to the [f5-bigip-ha-active blueprint section](../f5-bigip-ha-active/README.md#f5-configuration)
|
||||
|
||||
## Internal IPv4 traffic routing
|
||||
|
||||
For private IPv4 traffic, you have two options:
|
||||
|
||||
- Create as many forwarding rules as you need and point your clients directly to the forwarding rules virtual IPs.
|
||||
- Create one forwarding rule and create one static route that points to a virtual subnet representing your backend servers, that uses the load balancer VIP as the next-hop.
|
||||
|
||||
The blueprint chooses the second option, although this configuration is not enforced in the [f5-bigip-ha-active blueprint](../f5-bigip-ha-active/README.md) itself. This helps to minimize the number of forwarding rules.
|
||||
|
||||
The diagram shows the path of the traffic and how we modify the packet as it goes through the load balancers.
|
||||
|
||||
<p align="center">
|
||||
<img src="diagram-flow.svg" alt="IPv4 traffic flow diagram">
|
||||
</p>
|
||||
|
||||
Please, note there are a few caveats:
|
||||
|
||||
- Forwarding rules of protocol type `L3_DEFAULT` cannot be set as next-hops of static routes. That's why we set all the IPv4 load balancers with protocol type `TCP`. Anyway, if a load balancer is used as a next-hop for a route it can forward multiple protocols.
|
||||
- At the moment of writing, IPv6 forwarding rules cannot be used as route next-hops. You will need to create as many IPv6 forwarding rules you need.
|
||||
- The "route path" doesn't apply to external traffic.
|
||||
- The backend servers virtual subnet (`192.168.200.0/24`) is (by design) not configured on any VPC and is different from the backend VMs subnet (`192.168.0.0/24`). It's just a commodity subnet used to identify a backend service that we use as the static route destination. Traffic should land on your F5s using a (destination) IP in that subnet. Your irules should match those virtual IPs and change the packets destination IPs, as they forward it to the backends.
|
||||
<!-- BEGIN TFDOC -->
|
||||
## Variables
|
||||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| [prefix](variables.tf#L82) | The name prefix used for resources. | <code>string</code> | ✓ | |
|
||||
| [project_id](variables.tf#L93) | The project id where we deploy the resources. | <code>string</code> | ✓ | |
|
||||
| [region](variables.tf#L98) | The region where we deploy the F5 IPs. | <code>string</code> | ✓ | |
|
||||
| [backend_vm_configs](variables.tf#L17) | The sample backend VMs configuration. Keys are the zones where VMs are deployed. | <code title="map(object({ address = string instance_type = string startup_script = string }))">map(object({…}))</code> | | <code title="{ a = { address = "192.168.100.101" instance_type = "e2-micro" startup_script = "apt update && apt install -y nginx" } b = { address = "192.168.100.102" instance_type = "e2-micro" startup_script = "apt update && apt install -y nginx" } }">{…}</code> |
|
||||
| [forwarding_rules_config](variables.tf#L38) | The optional configurations of the GCP load balancers forwarding rules. | <code>map(any)</code> | | <code title="{ "ipv4" = { address = "192.168.100.100" protocol = "TCP" } "ipv6" = { ip_version = "IPV6" } }">{…}</code> |
|
||||
| [instance_dedicated_configs](variables.tf#L52) | The F5 VMs configuration. The map keys are the zones where the VMs are deployed. | <code>map(any)</code> | | <code title="{ a = { license_key = "AAAAA-BBBBB-CCCCC-DDDDD-EEEEEEE" network_config = { alias_ip_range_address = "192.168.101.0/24" alias_ip_range_name = "f5-a" } } b = { license_key = "AAAAA-BBBBB-CCCCC-DDDDD-EEEEEEE" network_config = { alias_ip_range_address = "192.168.102.0/24" alias_ip_range_name = "f5-b" } } }">{…}</code> |
|
||||
| [instance_shared_config](variables.tf#L73) | The F5 VMs shared configurations. | <code>map(any)</code> | | <code title="{ enable_ipv6 = true ssh_public_key = "./data/mykey.pub" }">{…}</code> |
|
||||
| [project_create](variables.tf#L87) | Whether to automatically create a project. | <code>bool</code> | | <code>false</code> |
|
||||
| [vpc_config](variables.tf#L103) | VPC and subnet ids, in case existing VPCs are used. | <code title="object({ backend_vms_cidr = string # used by F5s. Not configured on the VPC. dataplane = object({ subnets = map(object({ cidr = optional(string) secondary_ip_ranges = optional(map(string)) # name -> cidr })) }) management = object({ subnets = map(object({ cidr = optional(string) secondary_ip_ranges = optional(map(string)) # name -> cidr })) }) })">object({…})</code> | | <code title="{ backend_vms_cidr = "192.168.200.0/24" dataplane = { subnets = { clients = { cidr = "192.168.0.0/24" } dataplane = { cidr = "192.168.100.0/24" secondary_ip_ranges = { f5-a = "192.168.101.0/24" f5-b = "192.168.102.0/24" } } } } management = { subnets = { management = { cidr = "192.168.250.0/24" } } } }">{…}</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
| name | description | sensitive |
|
||||
|---|---|:---:|
|
||||
| [f5_management_ips](outputs.tf#L17) | The F5 management interfaces IP addresses. | |
|
||||
| [forwarding_rule_configss](outputs.tf#L22) | The GCP forwarding rules configurations. | |
|
||||
<!-- END TFDOC -->
|
||||
|
||||
## Test
|
||||
```hcl
|
||||
module "f5-deployment" {
|
||||
source = "./fabric/blueprints/third-party-solutions/f5-bigip/f5-bigip-ha-active-deployment"
|
||||
prefix = "test"
|
||||
project_create = true
|
||||
project_id = "test-project"
|
||||
region = "europe-west1"
|
||||
}
|
||||
# tftest modules=21 resources=45
|
||||
```
|
||||
|
|
@ -0,0 +1,57 @@
|
|||
/**
|
||||
* Copyright 2023 Google LLC
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
module "backend-vm-addresses" {
|
||||
source = "../../../../modules/net-address"
|
||||
project_id = local.project_id
|
||||
internal_addresses = {
|
||||
for k, v in var.backend_vm_configs
|
||||
: k => {
|
||||
address = v.address
|
||||
name = "${var.prefix}-backend-ip-${k}"
|
||||
region = var.region
|
||||
subnetwork = module.vpc-dataplane.subnet_self_links["${var.region}/${var.prefix}-dataplane"]
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
module "backends-sa" {
|
||||
source = "../../../../modules/iam-service-account"
|
||||
project_id = local.project_id
|
||||
name = "${var.prefix}-backends-sa"
|
||||
}
|
||||
|
||||
module "backend-vms" {
|
||||
for_each = var.backend_vm_configs
|
||||
source = "../../../../modules/compute-vm"
|
||||
project_id = local.project_id
|
||||
zone = "${var.region}-${each.key}"
|
||||
name = "${var.prefix}-backend-${each.key}"
|
||||
instance_type = "e2-micro"
|
||||
network_interfaces = [
|
||||
{
|
||||
network = module.vpc-dataplane.self_link
|
||||
subnetwork = module.vpc-dataplane.subnet_self_links["${var.region}/${var.prefix}-dataplane"]
|
||||
stack_type = "IPV4_IPV6"
|
||||
addresses = {
|
||||
internal = module.backend-vm-addresses.internal_addresses["${var.prefix}-backend-ip-${each.key}"].address
|
||||
}
|
||||
}
|
||||
]
|
||||
service_account = {
|
||||
email = module.backends-sa.email
|
||||
}
|
||||
}
|
||||
|
|
@ -0,0 +1,30 @@
|
|||
/**
|
||||
* Copyright 2023 Google LLC
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
module "client-vm" {
|
||||
source = "../../../../modules/compute-vm"
|
||||
project_id = var.project_id
|
||||
zone = "${var.region}-${keys(var.backend_vm_configs)[0]}"
|
||||
name = "${var.prefix}-client"
|
||||
instance_type = "e2-micro"
|
||||
|
||||
network_interfaces = [
|
||||
{
|
||||
network = module.vpc-dataplane.self_link
|
||||
subnetwork = module.vpc-dataplane.subnet_self_links["${var.region}/${var.prefix}-clients"]
|
||||
}
|
||||
]
|
||||
}
|
||||
|
|
@ -0,0 +1 @@
|
|||
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC+9H0EktDukeR0GZ0jbIfXyGCmt/hCmJMMsXJ6PfHldxbk4BBxV+vYk4n2xTB/6dGeb306vxhXvPMuwnfH1QyUm6OqZ9Qn82K+vHHehy4ChF4mJWAvzruzIr5JMS278PRQtUPFsu2b891c+A2h1VtSt1t65+6JkuRjgLBZm8pkVp8HPADa3btRSuVhFeu85MRJgE3IORQnpodmPf2SQy7NeTxPKICI4M5+JWJnXhVw0UKIcPpxJU3VisP3zAiIcE2RZMORZuAxwccl+dEgjNaNAelE+aOG9KDnrDLHoNeE/vMEMfSifq1mkMna2/EnB4R674o2LBWaq/ooN1Gh6Cq2ZnSsp8UmS3my0KgTe/kRFkqs/NxOC/mV9MKJjF1yKLJKZxXQs/5yH5/DYjlSmGgDGxaicmkhOC1+pjcA2b7HqoKLvZ3tlswplvtdDwIGdQXsVYM0Dg/sEwbM2OZgeY8X5Lnxyij5ZLsEUftLzJLTuuaokGhyrG/aFs0CmwRPBHk= lucaprete@lucaprete-macbookpro.roam.corp.google.com
|
||||
Binary file not shown.
|
After Width: | Height: | Size: 48 KiB |
File diff suppressed because one or more lines are too long
|
After Width: | Height: | Size: 185 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 63 KiB |
File diff suppressed because one or more lines are too long
|
After Width: | Height: | Size: 318 KiB |
|
|
@ -0,0 +1,48 @@
|
|||
/**
|
||||
* Copyright 2023 Google LLC
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
locals {
|
||||
instance_shared_config = merge(
|
||||
var.instance_shared_config,
|
||||
{ service_account = module.f5-sa.email }
|
||||
)
|
||||
}
|
||||
|
||||
module "f5-sa" {
|
||||
source = "../../../../modules/iam-service-account"
|
||||
project_id = local.project_id
|
||||
name = "${var.prefix}-f5-sa"
|
||||
}
|
||||
|
||||
module "f5-lb" {
|
||||
source = "../f5-bigip-ha-active"
|
||||
forwarding_rules_config = var.forwarding_rules_config
|
||||
instance_dedicated_configs = var.instance_dedicated_configs
|
||||
instance_shared_config = local.instance_shared_config
|
||||
prefix = var.prefix
|
||||
project_id = local.project_id
|
||||
region = var.region
|
||||
vpc_config = {
|
||||
dataplane = {
|
||||
network = module.vpc-dataplane.self_link
|
||||
subnetwork = module.vpc-dataplane.subnet_self_links["${var.region}/${var.prefix}-dataplane"]
|
||||
}
|
||||
management = {
|
||||
network = module.vpc-management.self_link
|
||||
subnetwork = module.vpc-management.subnet_self_links["${var.region}/${var.prefix}-management"]
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
@ -0,0 +1,128 @@
|
|||
/**
|
||||
* Copyright 2023 Google LLC
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
locals {
|
||||
project_id = (
|
||||
var.project_create
|
||||
? module.project.project_id
|
||||
: var.project_id
|
||||
)
|
||||
}
|
||||
|
||||
module "project" {
|
||||
source = "../../../../modules/project"
|
||||
name = var.project_id
|
||||
project_create = var.project_create
|
||||
services = [
|
||||
"compute.googleapis.com"
|
||||
]
|
||||
}
|
||||
|
||||
module "vpc-dataplane" {
|
||||
source = "../../../../modules/net-vpc"
|
||||
project_id = local.project_id
|
||||
name = "${var.prefix}-vpc-dataplane"
|
||||
ipv6_config = {
|
||||
enable_ula_internal = true
|
||||
}
|
||||
routes = {
|
||||
next-hop = {
|
||||
description = "Route to virtual backend servers subnet."
|
||||
dest_range = var.vpc_config.backend_vms_cidr
|
||||
next_hop_type = "ilb"
|
||||
next_hop = var.forwarding_rules_config["ipv4"]["address"]
|
||||
}
|
||||
}
|
||||
subnets = [
|
||||
{
|
||||
ip_cidr_range = var.vpc_config.dataplane.subnets.clients.cidr
|
||||
ipv6 = {}
|
||||
name = "${var.prefix}-clients"
|
||||
region = var.region
|
||||
},
|
||||
{
|
||||
ip_cidr_range = var.vpc_config.dataplane.subnets.dataplane.cidr
|
||||
ipv6 = {}
|
||||
name = "${var.prefix}-dataplane"
|
||||
region = var.region
|
||||
secondary_ip_ranges = (
|
||||
var.vpc_config.dataplane.subnets.dataplane.secondary_ip_ranges
|
||||
)
|
||||
}
|
||||
]
|
||||
}
|
||||
|
||||
module "firewall-rules-dataplane" {
|
||||
source = "../../../../modules/net-vpc-firewall"
|
||||
project_id = local.project_id
|
||||
network = module.vpc-dataplane.name
|
||||
ingress_rules = {
|
||||
allow-clients-to-f5 = {
|
||||
priority = 1001
|
||||
source_ranges = [var.vpc_config.dataplane.subnets.clients.cidr]
|
||||
targets = [module.f5-sa.email]
|
||||
use_service_accounts = true
|
||||
}
|
||||
allow-f5-to-backends = {
|
||||
priority = 1002
|
||||
sources = [module.f5-sa.email]
|
||||
targets = [module.backends-sa.email]
|
||||
use_service_accounts = true
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
module "nat-dataplane" {
|
||||
source = "../../../../modules/net-cloudnat"
|
||||
name = "${var.prefix}-nat-dataplane"
|
||||
project_id = local.project_id
|
||||
region = var.region
|
||||
router_network = module.vpc-dataplane.self_link
|
||||
}
|
||||
|
||||
# Management
|
||||
|
||||
module "vpc-management" {
|
||||
source = "../../../../modules/net-vpc"
|
||||
project_id = local.project_id
|
||||
name = "${var.prefix}-vpc-management"
|
||||
ipv6_config = {
|
||||
enable_ula_internal = true
|
||||
}
|
||||
subnets = [
|
||||
{
|
||||
ip_cidr_range = var.vpc_config.management.subnets.management.cidr
|
||||
ipv6 = {}
|
||||
name = "${var.prefix}-management"
|
||||
region = var.region
|
||||
}
|
||||
]
|
||||
}
|
||||
|
||||
# It installs the default firewall admin rules
|
||||
module "firewall-rules-management" {
|
||||
source = "../../../../modules/net-vpc-firewall"
|
||||
project_id = local.project_id
|
||||
network = module.vpc-management.name
|
||||
}
|
||||
|
||||
module "nat-management" {
|
||||
source = "../../../../modules/net-cloudnat"
|
||||
name = "${var.prefix}-nat-management"
|
||||
project_id = local.project_id
|
||||
region = var.region
|
||||
router_network = module.vpc-management.self_link
|
||||
}
|
||||
|
|
@ -0,0 +1,25 @@
|
|||
/**
|
||||
* Copyright 2023 Google LLC
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
output "f5_management_ips" {
|
||||
description = "The F5 management interfaces IP addresses."
|
||||
value = module.f5-lb.f5_management_ips
|
||||
}
|
||||
|
||||
output "forwarding_rule_configss" {
|
||||
description = "The GCP forwarding rules configurations."
|
||||
value = module.f5-lb.forwarding_rules_configs
|
||||
}
|
||||
|
|
@ -0,0 +1,144 @@
|
|||
/**
|
||||
* Copyright 2023 Google LLC
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
variable "backend_vm_configs" {
|
||||
description = "The sample backend VMs configuration. Keys are the zones where VMs are deployed."
|
||||
type = map(object({
|
||||
address = string
|
||||
instance_type = string
|
||||
startup_script = string
|
||||
}))
|
||||
default = {
|
||||
a = {
|
||||
address = "192.168.100.101"
|
||||
instance_type = "e2-micro"
|
||||
startup_script = "apt update && apt install -y nginx"
|
||||
}
|
||||
b = {
|
||||
address = "192.168.100.102"
|
||||
instance_type = "e2-micro"
|
||||
startup_script = "apt update && apt install -y nginx"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
variable "forwarding_rules_config" {
|
||||
type = map(any)
|
||||
description = "The optional configurations of the GCP load balancers forwarding rules."
|
||||
default = {
|
||||
"ipv4" = {
|
||||
address = "192.168.100.100"
|
||||
protocol = "TCP"
|
||||
}
|
||||
"ipv6" = {
|
||||
ip_version = "IPV6"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
variable "instance_dedicated_configs" {
|
||||
description = "The F5 VMs configuration. The map keys are the zones where the VMs are deployed."
|
||||
type = map(any)
|
||||
default = {
|
||||
a = {
|
||||
license_key = "AAAAA-BBBBB-CCCCC-DDDDD-EEEEEEE"
|
||||
network_config = {
|
||||
alias_ip_range_address = "192.168.101.0/24"
|
||||
alias_ip_range_name = "f5-a"
|
||||
}
|
||||
}
|
||||
b = {
|
||||
license_key = "AAAAA-BBBBB-CCCCC-DDDDD-EEEEEEE"
|
||||
network_config = {
|
||||
alias_ip_range_address = "192.168.102.0/24"
|
||||
alias_ip_range_name = "f5-b"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
variable "instance_shared_config" {
|
||||
description = "The F5 VMs shared configurations."
|
||||
type = map(any)
|
||||
default = {
|
||||
enable_ipv6 = true
|
||||
ssh_public_key = "./data/mykey.pub"
|
||||
}
|
||||
}
|
||||
|
||||
variable "prefix" {
|
||||
type = string
|
||||
description = "The name prefix used for resources."
|
||||
}
|
||||
|
||||
variable "project_create" {
|
||||
description = "Whether to automatically create a project."
|
||||
type = bool
|
||||
default = false
|
||||
}
|
||||
|
||||
variable "project_id" {
|
||||
type = string
|
||||
description = "The project id where we deploy the resources."
|
||||
}
|
||||
|
||||
variable "region" {
|
||||
type = string
|
||||
description = "The region where we deploy the F5 IPs."
|
||||
}
|
||||
|
||||
variable "vpc_config" {
|
||||
description = "VPC and subnet ids, in case existing VPCs are used."
|
||||
type = object({
|
||||
backend_vms_cidr = string # used by F5s. Not configured on the VPC.
|
||||
dataplane = object({
|
||||
subnets = map(object({
|
||||
cidr = optional(string)
|
||||
secondary_ip_ranges = optional(map(string)) # name -> cidr
|
||||
}))
|
||||
})
|
||||
management = object({
|
||||
subnets = map(object({
|
||||
cidr = optional(string)
|
||||
secondary_ip_ranges = optional(map(string)) # name -> cidr
|
||||
}))
|
||||
})
|
||||
})
|
||||
default = {
|
||||
backend_vms_cidr = "192.168.200.0/24"
|
||||
dataplane = {
|
||||
subnets = {
|
||||
clients = {
|
||||
cidr = "192.168.0.0/24"
|
||||
}
|
||||
dataplane = {
|
||||
cidr = "192.168.100.0/24"
|
||||
secondary_ip_ranges = {
|
||||
f5-a = "192.168.101.0/24"
|
||||
f5-b = "192.168.102.0/24"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
management = {
|
||||
subnets = {
|
||||
management = {
|
||||
cidr = "192.168.250.0/24"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
Loading…
Reference in New Issue