# VLAN Attachment module

This module allows for the provisioning of [HA VPN over Interconnect](https://cloud.google.com/network-connectivity/docs/interconnect/concepts/ha-vpn-interconnect?hl=it). Specifically, this module creates a VPN gateway, a configurable number of tunnels, and all the resources required to establish IPSec and BGP with the peer routers.

The required pair of encrypted VLAN Attachments can be created leveraging the [net-vlan-attachment](../net-vlan-attachment/) module, as shown in the [IoIC Blueprint](../../blueprints/networking/ha-vpn-over-interconnect/).

## Examples

### Single region setup

```hcl
# Cloud Router for the encrypted overlay, reused by the module below.
resource "google_compute_router" "encrypted-interconnect-overlay-router" {
  name    = "encrypted-interconnect-overlay-router"
  project = "myproject"
  network = "mynet"
  region  = "europe-west8"
  bgp {
    asn               = 64514
    advertise_mode    = "CUSTOM"
    advertised_groups = ["ALL_SUBNETS"]
    advertised_ip_ranges {
      range = "10.255.255.0/24"
    }
    advertised_ip_ranges {
      range = "192.168.255.0/24"
    }
  }
}

# Peer (on-premises) VPN gateway with two interfaces.
resource "google_compute_external_vpn_gateway" "default" {
  name        = "peer-vpn-gateway"
  project     = "myproject"
  description = "Peer IPSec over Interconnect VPN gateway"
  interface {
    id         = 0
    ip_address = "10.0.0.1"
  }
  interface {
    id         = 1
    ip_address = "10.0.0.2"
  }
}

module "vpngw-a" {
  source     = "./fabric/modules/net-ipsec-over-interconnect"
  project_id = "myproject"
  network    = "mynet"
  region     = "europe-west8"
  name       = "vpngw-a"
  # The pair of encrypted VLAN attachments the gateway runs over.
  interconnect_attachments = {
    a = "attach-01"
    b = "attach-02"
  }
  # Reuse the external gateway and router defined above.
  peer_gateway_config = {
    create = false
    id     = google_compute_external_vpn_gateway.default.id
  }
  router_config = {
    create = false
    name   = google_compute_router.encrypted-interconnect-overlay-router.name
  }
  # Two tunnels per gateway interface, each with its own /30 BGP session range.
  # "foobar" is a placeholder pre-shared key.
  tunnels = {
    remote-0 = {
      bgp_peer = {
        address = "169.254.1.2"
        asn     = 64514
      }
      bgp_session_range     = "169.254.1.1/30"
      shared_secret         = "foobar"
      vpn_gateway_interface = 0
    }
    remote-1 = {
      bgp_peer = {
        address = "169.254.1.6"
        asn     = 64514
      }
      bgp_session_range     = "169.254.1.5/30"
      shared_secret         = "foobar"
      vpn_gateway_interface = 1
    }
    remote-2 = {
      bgp_peer = {
        address = "169.254.1.10"
        asn     = 64514
      }
      bgp_session_range     = "169.254.1.9/30"
      shared_secret         = "foobar"
      vpn_gateway_interface = 0
    }
    remote-3 = {
      bgp_peer = {
        address = "169.254.1.14"
        asn     = 64514
      }
      bgp_session_range     = "169.254.1.13/30"
      shared_secret         = "foobar"
      vpn_gateway_interface = 1
    }
  }
}
# tftest modules=1 resources=16
```

## Variables

| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
| [interconnect_attachments](variables.tf#L17) | VLAN attachments used by the VPN Gateway. | `object({…})` | ✓ | |
| [name](variables.tf#L25) | Common name to identify the VPN Gateway. | `string` | ✓ | |
| [network](variables.tf#L30) | The VPC name to which resources are associated. | `string` | ✓ | |
| [peer_gateway_config](variables.tf#L35) | IP addresses for the external peer gateway. | `object({…})` | ✓ | |
| [project_id](variables.tf#L54) | The project id. | `string` | ✓ | |
| [region](variables.tf#L59) | GCP Region. | `string` | ✓ | |
| [router_config](variables.tf#L64) | Cloud Router configuration for the VPN. If you want to reuse an existing router, set `create` to false and use `name` to specify the desired router. | `object({…})` | ✓ | |
| [tunnels](variables.tf#L79) | VPN tunnel configurations. | `map(object({…}))` | | `{}` |

## Outputs

| name | description | sensitive |
|---|---|:---:|
| [bgp_peers](outputs.tf#L18) | BGP peer resources. | |
| [external_gateway](outputs.tf#L25) | External VPN gateway resource. | |
| [id](outputs.tf#L30) | Fully qualified VPN gateway id. | |
| [random_secret](outputs.tf#L35) | Generated secret. | |
| [router](outputs.tf#L40) | Router resource (only if auto-created). | |
| [router_name](outputs.tf#L45) | Router name. | |
| [self_link](outputs.tf#L50) | HA VPN gateway self link. | |
| [tunnels](outputs.tf#L55) | VPN tunnel resources. | |
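
A pre-apply check for the `tunnels` map used in the single region example, added here as an illustration and not part of the module or its repository. The names `make_tunnel` and `lint_tunnels`, the 24-character minimum and the no-reuse rule for `shared_secret` are assumptions; the link-local /30 check follows the IPv4 addressing the example uses.

```python
import ipaddress
from collections import Counter

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")

def make_tunnel(peer, session_range, secret, iface):
    # Same shape as one entry of the `tunnels` variable in the example.
    return {"bgp_peer": {"address": peer, "asn": 64514},
            "bgp_session_range": session_range,
            "shared_secret": secret, "vpn_gateway_interface": iface}

# Constructed sample: the four tunnels from the single region example.
EXAMPLE_TUNNELS = {
    "remote-0": make_tunnel("169.254.1.2", "169.254.1.1/30", "foobar", 0),
    "remote-1": make_tunnel("169.254.1.6", "169.254.1.5/30", "foobar", 1),
    "remote-2": make_tunnel("169.254.1.10", "169.254.1.9/30", "foobar", 0),
    "remote-3": make_tunnel("169.254.1.14", "169.254.1.13/30", "foobar", 1),
}

def lint_tunnels(tunnels, min_secret_len=24):
    """Return a sorted list of (tunnel, finding) tuples; empty means clean."""
    findings, seen = [], {}
    for name in sorted(tunnels):
        t = tunnels[name]
        local = ipaddress.ip_interface(t["bgp_session_range"])
        peer = ipaddress.ip_address(t["bgp_peer"]["address"])
        net = local.network
        if not net.subnet_of(LINK_LOCAL):
            findings.append((name, "session range outside 169.254.0.0/16"))
        # The peer must be the other usable host of the local side's subnet.
        if peer == local.ip or peer not in net.hosts():
            findings.append((name, "peer is not a usable host in the session range"))
        for other, other_net in seen.items():
            if net.overlaps(other_net):
                findings.append((name, f"session range overlaps {other}"))
        seen[name] = net
        # min_secret_len is an assumed policy threshold, not a module default.
        if len(t["shared_secret"]) < min_secret_len:
            findings.append((name, "shared_secret shorter than policy minimum"))
    # Flag one pre-shared key serving several tunnels (assumed policy).
    reuse = Counter(t["shared_secret"] for t in tunnels.values())
    for name in sorted(tunnels):
        if reuse[tunnels[name]["shared_secret"]] > 1:
            findings.append((name, "shared_secret reused across tunnels"))
    return sorted(findings)

if __name__ == "__main__":
    for name, finding in lint_tunnels(EXAMPLE_TUNNELS):
        print(f"{name}: {finding}")
```

Run against the example values, the addressing checks pass and every finding concerns the placeholder `shared_secret`.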