Small fixes to FAST Networking stage with NVAs (#1273)
* fix issue with test-resources and internet connectivity from spokes * terraform fmt * removed reference to startup-script in README.md
parent
a4bc9c613a
commit
c4c4688adc
|
@ -23,32 +23,41 @@ The final number of subnets, and their IP addressing will depend on the user-spe
|
|||
|
||||
## Table of contents
|
||||
|
||||
- [Design overview and choices](#design-overview-and-choices)
|
||||
- [Multi-regional deployment](#multi-regional-deployment)
|
||||
- [VPC design](#vpc-design)
|
||||
- [External connectivity](#external-connectivity)
|
||||
- [Internal connectivity](#internal-connectivity)
|
||||
- [IP ranges, subnetting, routing](#ip-ranges-subnetting-routing)
|
||||
- [Internet egress](#internet-egress)
|
||||
- [VPC and Hierarchical Firewall](#vpc-and-hierarchical-firewall)
|
||||
- [DNS](#dns)
|
||||
- [Stage structure and files layout](#stage-structure-and-files-layout)
|
||||
- [VPCs](#vpcs)
|
||||
- [VPNs](#vpns)
|
||||
- [Routing and BGP](#routing-and-bgp)
|
||||
- [Firewall](#firewall)
|
||||
- [DNS architecture](#dns-architecture)
|
||||
- [Private Google Access](#private-google-access)
|
||||
- [How to run this stage](#how-to-run-this-stage)
|
||||
- [Provider and Terraform variables](#provider-and-terraform-variables)
|
||||
- [Impersonating the automation service account](#impersonating-the-automation-service-account)
|
||||
- [Variable configuration](#variable-configuration)
|
||||
- [Running the stage](#running-the-stage)
|
||||
- [Post-deployment activities](#post-deployment-activities)
|
||||
- [Customizations](#customizations)
|
||||
- [Changing default regions](#changing-default-regions)
|
||||
- [Configuring the VPNs to on prem](#configuring-the-vpns-to-on-prem)
|
||||
- [Adding an environment](#adding-an-environment)
|
||||
- [Networking with Network Virtual Appliance](#networking-with-network-virtual-appliance)
|
||||
- [Table of contents](#table-of-contents)
|
||||
- [Design overview and choices](#design-overview-and-choices)
|
||||
- [Multi-regional deployment](#multi-regional-deployment)
|
||||
- [VPC design](#vpc-design)
|
||||
- [External connectivity](#external-connectivity)
|
||||
- [Internal connectivity](#internal-connectivity)
|
||||
- [IP ranges, subnetting, routing](#ip-ranges-subnetting-routing)
|
||||
- [Internet egress](#internet-egress)
|
||||
- [VPC and Hierarchical Firewall](#vpc-and-hierarchical-firewall)
|
||||
- [DNS](#dns)
|
||||
- [Stage structure and files layout](#stage-structure-and-files-layout)
|
||||
- [VPCs](#vpcs)
|
||||
- [VPNs](#vpns)
|
||||
- [Routing and BGP](#routing-and-bgp)
|
||||
- [Firewall](#firewall)
|
||||
- [DNS architecture](#dns-architecture)
|
||||
- [Cloud environment](#cloud-environment)
|
||||
- [Cloud to on-prem](#cloud-to-on-prem)
|
||||
- [On-prem to cloud](#on-prem-to-cloud)
|
||||
- [How to run this stage](#how-to-run-this-stage)
|
||||
- [Provider and Terraform variables](#provider-and-terraform-variables)
|
||||
- [Impersonating the automation service account](#impersonating-the-automation-service-account)
|
||||
- [Variable configuration](#variable-configuration)
|
||||
- [Using delayed billing association for projects](#using-delayed-billing-association-for-projects)
|
||||
- [Running the stage](#running-the-stage)
|
||||
- [Post-deployment activities](#post-deployment-activities)
|
||||
- [Private Google Access](#private-google-access)
|
||||
- [Customizations](#customizations)
|
||||
- [Changing default regions](#changing-default-regions)
|
||||
- [Configuring the VPNs to on prem](#configuring-the-vpns-to-on-prem)
|
||||
- [Adding an environment](#adding-an-environment)
|
||||
- [Files](#files)
|
||||
- [Variables](#variables)
|
||||
- [Outputs](#outputs)
|
||||
|
||||
## Design overview and choices
|
||||
|
||||
|
@ -446,8 +455,6 @@ The new VPC requires a set of dedicated CIDRs, one per region, added to variable
|
|||
>
|
||||
Variables managing L7 Internal Load Balancers (`l7ilb_subnets`) and Private Service Access (`psa_ranges`) should also be adapted, and subnets and firewall rules for the new spoke should be added, as described above.
|
||||
|
||||
Configure the NVAs deployed or update the sample [NVA config file](data/nva-startup-script.tftpl) making sure they support the new subnets.
|
||||
|
||||
DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS resolution to Landing through DNS peering, and optionally define a private zone (e.g. `dev.gcp.example.com`) which the landing peers to. To configure DNS for a new environment, copy one of the other environments DNS files [e.g. (dns-dev.tf)](dns-dev.tf) into a new `dns-*.tf` file suffixed with the environment name (e.g. `dns-staging.tf`), and update its content accordingly. Don't forget to add a peering zone from the landing to the newly created environment private zone.
|
||||
|
||||
<!-- TFDOC OPTS files:1 show_extra:1 -->
|
||||
|
|
|
@ -1,30 +0,0 @@
|
|||
#!/bin/bash
|
||||
|
||||
echo 'Enabling IP forwarding'
|
||||
sed '/net.ipv4.ip_forward=1/s/^#//g' -i /etc/sysctl.conf &&
|
||||
sysctl -p /etc/sysctl.conf &&
|
||||
/etc/init.d/procps restart
|
||||
|
||||
echo 'Setting Routes'
|
||||
ip route add ${landing-untrusted-other-region} via ${gateway-untrusted} dev ens4
|
||||
ip route add ${landing-trusted-other-region} via ${gateway-trusted} dev ens5
|
||||
ip route add ${dev-default-ew1-cidr} via ${gateway-trusted} dev ens5
|
||||
ip route add ${dev-default-ew4-cidr} via ${gateway-trusted} dev ens5
|
||||
ip route add ${prod-default-ew1-cidr} via ${gateway-trusted} dev ens5
|
||||
ip route add ${prod-default-ew4-cidr} via ${gateway-trusted} dev ens5
|
||||
ip route add ${onprem-main-cidr} via ${gateway-trusted} dev ens5
|
||||
|
||||
echo 'Adding PBR rules to answer HCs also from the secondary nic'
|
||||
grep -qxF '200 hc' /etc/iproute2/rt_tables || echo '200 hc' >> /etc/iproute2/rt_tables
|
||||
ip_addr_ens5=$(ip route ls table local | awk '/ens5 proto 66 scope host/ {print $2}')
|
||||
while [ -z $ip_addr_ens5 ]; do
|
||||
echo 'Waiting for networking stack to be ready'
|
||||
sleep 2
|
||||
ip_addr_ens5=$(ip route ls table local | awk '/ens5 proto 66 scope host/ {print $2}')
|
||||
done
|
||||
ip rule add from $ip_addr_ens5 lookup hc
|
||||
ip route add default via ${gateway-trusted} dev ens5 table hc
|
||||
|
||||
echo 'Setting NAT masquerade (for Internet connectivity)'
|
||||
iptables --append FORWARD --in-interface ens5 -j ACCEPT
|
||||
iptables --table nat --append POSTROUTING --out-interface ens4 -j MASQUERADE
|
|
@ -19,7 +19,8 @@ locals {
|
|||
# local.routing_config[0] sets up the first interface, and so on.
|
||||
routing_config = [
|
||||
{
|
||||
name = "untrusted"
|
||||
name = "untrusted"
|
||||
enable_masquerading = true
|
||||
routes = [
|
||||
var.gcp_ranges.gcp_landing_untrusted_primary,
|
||||
var.gcp_ranges.gcp_landing_untrusted_secondary,
|
||||
|
|
|
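Review bot: The `enable_masquerading = true` added to the `untrusted` interface entry carries no comment, and its effect on visibility is worth stating: once spoke traffic leaving through that interface is source-NATed, flow logs and firewall rules on the untrusted VPC will presumably see the NVA's address rather than the originating spoke VM, so per-source attribution has to be done on the trusted side. Suggest `# NAT spoke egress on the untrusted side: untrusted-VPC logs/firewall see the NVA IP, not the spoke VM` directly above the flag. It is also worth confirming that the trusted interface entry, which follows this hunk in the same list, does not set the same flag, since masquerading there would hide spoke source addresses toward on-prem as well. The enclosing `locals` block starts before this hunk.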
@ -22,7 +22,7 @@
|
|||
# source = "../../../modules/compute-vm"
|
||||
# project_id = module.landing-project.project_id
|
||||
# zone = "${var.regions.primary}-b"
|
||||
# name = "test-vm-lnd-unt-primary-0"
|
||||
# name = "test-vm-lnd-unt-pri-0"
|
||||
# network_interfaces = [{
|
||||
# network = module.landing-untrusted-vpc.self_link
|
||||
# subnetwork = module.landing-untrusted-vpc.subnet_self_links["${var.regions.primary}/landing-untrusted-default-${local.region_shortnames[var.regions.primary]}"]
|
||||
|
@ -30,7 +30,9 @@
|
|||
# tags = ["primary", "ssh"]
|
||||
# service_account_create = true
|
||||
# boot_disk = {
|
||||
# image = "projects/debian-cloud/global/images/family/debian-10"
|
||||
# initialize_params = {
|
||||
# image = "projects/debian-cloud/global/images/family/debian-10"
|
||||
# }
|
||||
# }
|
||||
# options = {
|
||||
# spot = true
|
||||
|
@ -48,7 +50,7 @@
|
|||
# source = "../../../modules/compute-vm"
|
||||
# project_id = module.landing-project.project_id
|
||||
# zone = "${var.regions.secondary}-a"
|
||||
# name = "test-vm-lnd-unt-secondary-0"
|
||||
# name = "test-vm-lnd-unt-sec-0"
|
||||
# network_interfaces = [{
|
||||
# network = module.landing-untrusted-vpc.self_link
|
||||
# subnetwork = module.landing-untrusted-vpc.subnet_self_links["${var.regions.secondary}/landing-untrusted-default-${local.region_shortnames[var.regions.secondary]}"]
|
||||
|
@ -56,7 +58,9 @@
|
|||
# tags = ["secondary", "ssh"]
|
||||
# service_account_create = true
|
||||
# boot_disk = {
|
||||
# image = "projects/debian-cloud/global/images/family/debian-10"
|
||||
# initialize_params = {
|
||||
# image = "projects/debian-cloud/global/images/family/debian-10"
|
||||
# }
|
||||
# }
|
||||
# options = {
|
||||
# spot = true
|
||||
|
@ -76,7 +80,7 @@
|
|||
# source = "../../../modules/compute-vm"
|
||||
# project_id = module.landing-project.project_id
|
||||
# zone = "${var.regions.primary}-b"
|
||||
# name = "test-vm-lnd-tru-primary-0"
|
||||
# name = "test-vm-lnd-tru-pri-0"
|
||||
# network_interfaces = [{
|
||||
# network = module.landing-trusted-vpc.self_link
|
||||
# subnetwork = module.landing-trusted-vpc.subnet_self_links["${var.regions.primary}/landing-trusted-default-${local.region_shortnames[var.regions.primary]}"]
|
||||
|
@ -84,7 +88,9 @@
|
|||
# tags = ["primary", "ssh"]
|
||||
# service_account_create = true
|
||||
# boot_disk = {
|
||||
# image = "projects/debian-cloud/global/images/family/debian-10"
|
||||
# initialize_params = {
|
||||
# image = "projects/debian-cloud/global/images/family/debian-10"
|
||||
# }
|
||||
# }
|
||||
# options = {
|
||||
# spot = true
|
||||
|
@ -102,7 +108,7 @@
|
|||
# source = "../../../modules/compute-vm"
|
||||
# project_id = module.landing-project.project_id
|
||||
# zone = "${var.regions.secondary}-a"
|
||||
# name = "test-vm-lnd-tru-secondary-0"
|
||||
# name = "test-vm-lnd-tru-sec-0"
|
||||
# network_interfaces = [{
|
||||
# network = module.landing-trusted-vpc.self_link
|
||||
# subnetwork = module.landing-trusted-vpc.subnet_self_links["${var.regions.secondary}/landing-trusted-default-${local.region_shortnames[var.regions.secondary]}"]
|
||||
|
@ -110,7 +116,9 @@
|
|||
# tags = ["secondary", "ssh"]
|
||||
# service_account_create = true
|
||||
# boot_disk = {
|
||||
# image = "projects/debian-cloud/global/images/family/debian-10"
|
||||
# initialize_params = {
|
||||
# image = "projects/debian-cloud/global/images/family/debian-10"
|
||||
# }
|
||||
# }
|
||||
# options = {
|
||||
# spot = true
|
||||
|
@ -130,7 +138,7 @@
|
|||
# source = "../../../modules/compute-vm"
|
||||
# project_id = module.dev-spoke-project.project_id
|
||||
# zone = "${var.regions.primary}-b"
|
||||
# name = "test-vm-dev-primary-0"
|
||||
# name = "test-vm-dev-pri-0"
|
||||
# network_interfaces = [{
|
||||
# network = module.dev-spoke-vpc.self_link
|
||||
# # change the subnet name to match the values you are actually using
|
||||
|
@ -139,7 +147,9 @@
|
|||
# tags = ["primary", "ssh"]
|
||||
# service_account_create = true
|
||||
# boot_disk = {
|
||||
# image = "projects/debian-cloud/global/images/family/debian-10"
|
||||
# initialize_params = {
|
||||
# image = "projects/debian-cloud/global/images/family/debian-10"
|
||||
# }
|
||||
# }
|
||||
# options = {
|
||||
# spot = true
|
||||
|
@ -157,7 +167,7 @@
|
|||
# source = "../../../modules/compute-vm"
|
||||
# project_id = module.dev-spoke-project.project_id
|
||||
# zone = "${var.regions.secondary}-a"
|
||||
# name = "test-vm-dev-secondary-0"
|
||||
# name = "test-vm-dev-sec-0"
|
||||
# network_interfaces = [{
|
||||
# network = module.dev-spoke-vpc.self_link
|
||||
# # change the subnet name to match the values you are actually using
|
||||
|
@ -166,7 +176,9 @@
|
|||
# tags = ["secondary", "ssh"]
|
||||
# service_account_create = true
|
||||
# boot_disk = {
|
||||
# image = "projects/debian-cloud/global/images/family/debian-10"
|
||||
# initialize_params = {
|
||||
# image = "projects/debian-cloud/global/images/family/debian-10"
|
||||
# }
|
||||
# }
|
||||
# options = {
|
||||
# spot = true
|
||||
|
@ -186,7 +198,7 @@
|
|||
# source = "../../../modules/compute-vm"
|
||||
# project_id = module.prod-spoke-project.project_id
|
||||
# zone = "${var.regions.primary}-b"
|
||||
# name = "test-vm-prod-primary-0"
|
||||
# name = "test-vm-prod-pri-0"
|
||||
# network_interfaces = [{
|
||||
# network = module.prod-spoke-vpc.self_link
|
||||
# # change the subnet name to match the values you are actually using
|
||||
|
@ -195,9 +207,11 @@
|
|||
# tags = ["primary", "ssh"]
|
||||
# service_account_create = true
|
||||
# boot_disk = {
|
||||
# image = "projects/debian-cloud/global/images/family/debian-10"
|
||||
# type = "pd-balanced"
|
||||
# size = 10
|
||||
# initialize_params = {
|
||||
# image = "projects/debian-cloud/global/images/family/debian-10"
|
||||
# type = "pd-balanced"
|
||||
# size = 10
|
||||
# }
|
||||
# }
|
||||
# options = {
|
||||
# spot = true
|
||||
|
@ -215,7 +229,7 @@
|
|||
# source = "../../../modules/compute-vm"
|
||||
# project_id = module.prod-spoke-project.project_id
|
||||
# zone = "${var.regions.secondary}-a"
|
||||
# name = "test-vm-prod-secondary-0"
|
||||
# name = "test-vm-prod-sec-0"
|
||||
# network_interfaces = [{
|
||||
# network = module.prod-spoke-vpc.self_link
|
||||
# # change the subnet name to match the values you are actually using
|
||||
|
@ -224,7 +238,9 @@
|
|||
# tags = ["secondary", "ssh"]
|
||||
# service_account_create = true
|
||||
# boot_disk = {
|
||||
# image = "projects/debian-cloud/global/images/family/debian-10"
|
||||
# initialize_params = {
|
||||
# image = "projects/debian-cloud/global/images/family/debian-10"
|
||||
# }
|
||||
# }
|
||||
# options = {
|
||||
# spot = true
|
||||
|
|