# HA VPN over Interconnect

This blueprint creates a complete HA VPN over Interconnect setup, which leverages IPSec to encrypt all traffic transiting through purposely-created VLAN Attachments.

This blueprint supports Dedicated Interconnect and Partner Interconnect.

With Partner Interconnect, only a partial apply is possible at first, which creates the VLAN Attachments. The HA VPN Gateway and all dependent resources can be deployed only once the partner connection is established.

## Managed resources and services

This blueprint creates two distinct sets of resources:

- Underlay
  - A Cloud Router dedicated to the underlay networking, which exchanges and routes the VPN gateways ranges
  - Two VLAN Attachments, each created from a distinct Dedicated Interconnect connected to two different EADs in the same Metro
- Overlay
  - A Cloud Router dedicated to the overlay networking, which exchanges and routes the overlay traffic (i.e. traffic from/to onprem)
  - VPN gateways and tunnels according to the provided configuration.

## Prerequisites

A single pre-existing project and a VPC are used in this blueprint to keep variables and complexity to a minimum.

The provided project needs a valid billing account and the Compute APIs enabled.

The two Dedicated Interconnect connections should already exist, either in the same project or in any other project belonging to the same GCP Organization.

## Variables

| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
| [network](variables.tf#L18) | The name of the VPC to which resources are associated. | string | ✓ | |
| [overlay_config](variables.tf#L24) | Configuration for the overlay resources. | object({…}) | ✓ | |
| [project_id](variables.tf#L63) | The project id. | string | ✓ | |
| [region](variables.tf#L68) | GCP Region. | string | ✓ | |
| [underlay_config](variables.tf#L73) | Configuration for the underlay resources. | object({…}) | ✓ | |

## Outputs

| name | description | sensitive |
|---|---|:---:|
| [underlay](outputs.tf#L17) | Setup for the underlay connection. | |

## Test

```hcl
module "test" {
  source     = "./fabric/blueprints/networking/ha-vpn-over-interconnect"
  network    = "mynet"
  project_id = "myproject"
  region     = "europe-west8"

  overlay_config = {
    gcp_bgp = {
      asn = 65102
      custom_advertise = {
        all_subnets = true
        ip_ranges = {
          "10.0.0.0/8" = "default"
        }
      }
    }
    onprem_vpn_gateway_interfaces = ["172.16.0.1", "172.16.0.2"]
    gateways = {
      a = {
        remote-0 = {
          bgp_peer = {
            address = "169.254.1.2"
            asn     = 64514
          }
          bgp_session_range               = "169.254.1.1/30"
          peer_external_gateway_interface = 0
          shared_secret                   = "foobar"
          vpn_gateway_interface           = 0
        }
        remote-1 = {
          bgp_peer = {
            address = "169.254.1.6"
            asn     = 64514
          }
          bgp_session_range               = "169.254.1.5/30"
          peer_external_gateway_interface = 0
          shared_secret                   = "foobar"
          vpn_gateway_interface           = 1
        }
        remote-2 = {
          bgp_peer = {
            address = "169.254.1.10"
            asn     = 64514
          }
          bgp_session_range               = "169.254.1.9/30"
          peer_external_gateway_interface = 1
          shared_secret                   = "foobar"
          vpn_gateway_interface           = 0
        }
        remote-3 = {
          bgp_peer = {
            address = "169.254.1.14"
            asn     = 64514
          }
          bgp_session_range               = "169.254.1.13/30"
          peer_external_gateway_interface = 1
          shared_secret                   = "foobar"
          vpn_gateway_interface           = 1
        }
      }
      b = {
        remote-0 = {
          bgp_peer = {
            address = "169.254.2.2"
            asn     = 64514
          }
          bgp_session_range               = "169.254.2.1/30"
          peer_external_gateway_interface = 0
          shared_secret                   = "foobar"
          vpn_gateway_interface           = 0
        }
        remote-1 = {
          bgp_peer = {
            address = "169.254.2.6"
            asn     = 64514
          }
          bgp_session_range               = "169.254.2.5/30"
          peer_external_gateway_interface = 0
          shared_secret                   = "foobar"
          vpn_gateway_interface           = 1
        }
        remote-2 = {
          bgp_peer = {
            address = "169.254.2.10"
            asn     = 64514
          }
          bgp_session_range               = "169.254.2.9/30"
          peer_external_gateway_interface = 1
          shared_secret                   = "foobar"
          vpn_gateway_interface           = 0
        }
        remote-3 = {
          bgp_peer = {
            address = "169.254.2.14"
            asn     = 64514
          }
          bgp_session_range               = "169.254.2.13/30"
          peer_external_gateway_interface = 1
          shared_secret                   = "foobar"
          vpn_gateway_interface           = 1
        }
      }
    }
  }

  underlay_config = {
    attachments = {
      "a" = {
        bgp_range              = "169.254.255.0/29"
        interconnect_self_link = "https://www.googleapis.com/compute/v1/projects/gcpnetworking-hostproject/global/interconnects/interconnect-lab-sea26-zone1"
        onprem_asn             = 65001
        vlan_tag               = 1001
        vpn_gateways_ip_range  = "10.255.255.0/29"
      }
      "b" = {
        bgp_range              = "169.254.255.8/29"
        interconnect_self_link = "https://www.googleapis.com/compute/v1/projects/gcpnetworking-hostproject/global/interconnects/interconnect-lab-sea26-zone2"
        onprem_asn             = 65001
        vlan_tag               = 1002
        vpn_gateways_ip_range  = "10.255.255.8/29"
      }
    }
    gcp_bgp = {
      asn = 65002
    }
  }
}
# tftest modules=5 resources=39
```
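
The test above uses the same `shared_secret` for every tunnel, which is fine for a fixture but worth catching before a real apply. The following pre-apply check is an added example, not part of the blueprint: `audit_overlay`, `tunnel`, `SAMPLE`, the `remote-x` entry and the 32-character threshold are assumptions of the example, as is the rule that each BGP session uses a /30 inside 169.254.0.0/16 (which is what the sample values do).

```python
import ipaddress
from collections import Counter

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")
MIN_PSK_LEN = 32  # assumed threshold for this example, not a blueprint setting


def audit_overlay(gateways):
    """Return findings for a dict shaped like overlay_config.gateways."""
    tunnels = [(f"{gw}/{name}", cfg)
               for gw, group in gateways.items() for name, cfg in group.items()]
    psk_use = Counter(cfg["shared_secret"] for _, cfg in tunnels)
    findings, seen = [], []
    for name, cfg in tunnels:
        local = ipaddress.ip_interface(cfg["bgp_session_range"])
        peer = ipaddress.ip_address(cfg["bgp_peer"]["address"])
        net = local.network
        if net.prefixlen != 30 or not net.subnet_of(LINK_LOCAL):
            findings.append(f"{name}: {net} is not a link-local /30")
        elif {local.ip, peer} != set(net.hosts()):
            findings.append(f"{name}: {local.ip} and {peer} are not the two hosts of {net}")
        for other, other_net in seen:
            if net.overlaps(other_net):
                findings.append(f"{name}: {net} overlaps the range of {other}")
        seen.append((name, net))
        # Report on the secret without ever echoing its value.
        psk = cfg["shared_secret"]
        if psk_use[psk] > 1:
            findings.append(f"{name}: shared_secret reused by {psk_use[psk]} tunnels")
        if len(psk) < MIN_PSK_LEN:
            findings.append(f"{name}: shared_secret shorter than {MIN_PSK_LEN} characters")
    return findings


def tunnel(local_range, peer_ip, psk):
    """Build one tunnel entry with only the fields the audit reads."""
    return {"bgp_session_range": local_range,
            "bgp_peer": {"address": peer_ip, "asn": 64514},
            "shared_secret": psk}


# Constructed sample: gateway "a" tunnels remote-0 and remote-1 from the test
# above, plus a hypothetical remote-x whose peer address is outside its /30.
SAMPLE = {"a": {
    "remote-0": tunnel("169.254.1.1/30", "169.254.1.2", "foobar"),
    "remote-1": tunnel("169.254.1.5/30", "169.254.1.6", "foobar"),
    "remote-x": tunnel("169.254.1.17/30", "169.254.1.22", "k" * 32),
}}

if __name__ == "__main__":
    for finding in audit_overlay(SAMPLE):
        print(finding)
```

Secrets passed to the module as literals or variables are also stored in the Terraform state, so the state backend needs the same access controls as the secrets themselves.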