# Hub and Spoke via VPN
This blueprint creates a simple **Hub and Spoke VPN** setup, where the VPC network connects satellite locations (spokes) through a single intermediary location (hub) via [IPsec HA VPN](https://cloud.google.com/network-connectivity/docs/vpn/concepts/overview#ha-vpn).
A few additional features are also shown:
- [custom BGP advertisements](https://cloud.google.com/network-connectivity/docs/router/how-to/advertising-overview) to implement transitivity between spokes
- [VPC Global Routing](https://cloud.google.com/network-connectivity/docs/router/how-to/configuring-routing-mode) to leverage a regional set of VPN gateways in different regions as next hops (used here for illustrative/study purpose, not usually done in real life)
The blueprint has been purposefully kept simple to show how to use and wire the VPC and VPN-HA modules together, and so that it can be used as a basis for experimentation. For a more complex scenario that better reflects real-life usage, including [Shared VPC](https://cloud.google.com/vpc/docs/shared-vpc) and [DNS cross-project binding](https://cloud.google.com/dns/docs/zones/cross-project-binding) please refer to the [FAST network stage](../../../fast/stages/2-networking-b-vpn/).
This is the high level diagram of this blueprint:
## Managed resources and services
This sample creates several distinct groups of resources:
- one VPC for each hub and each spoke
- one set of firewall rules for each VPC
- one HA VPN gateway with two tunnels and one Cloud Router for each spoke
- two HA VPN gateways with two tunnels and a shared Cloud Routers for the hub
- one DNS private zone in the hub
- one DNS peering zone and one DNS private zone in each spoke
- one test instance for the hub each spoke
## Prerequisites
A single pre-existing project is used in this blueprint to keep variables and complexity to a minimum, in a real world scenarios each spoke would probably use a separate project.
The provided project needs a valid billing account, the Compute and DNS APIs are enabled by the blueprint.
You can easily create such a project by commenting turning on project creation in the project module contained in `main.tf`, as shown in this snippet:
```hcl
module "project" {
source = "../../../modules/project"
name = var.project_id
# comment or remove this line to enable project creation
# project_create = false
# add the following line with your billing account id value
billing_account = "12345-ABCD-12345"
services = [
"compute.googleapis.com",
"dns.googleapis.com"
]
}
# tftest skip
```
## Testing
Once the blueprint is up, you can quickly test features by logging in to one of the test VMs:
```bash
gcloud compute ssh hs-ha-lnd-test-r1
# test DNS resolution of the landing zone
ping test-r1.example.com
# test DNS resolution of the prod zone, and prod reachability
ping test-r1.prod.example.com
# test DNS resolution of the dev zone, and dev reachability via global routing
ping test-r2.dev.example.com
```
## Files
| name | description | modules |
|---|---|---|
| [main.tf](./main.tf) | Module-level locals and resources. | compute-vm · project |
| [net-dev.tf](./net-dev.tf) | Development spoke VPC. | dns · net-vpc · net-vpc-firewall |
| [net-landing.tf](./net-landing.tf) | Landing hub VPC. | dns · net-vpc · net-vpc-firewall |
| [net-prod.tf](./net-prod.tf) | Production spoke VPC. | dns · net-vpc · net-vpc-firewall |
| [outputs.tf](./outputs.tf) | Module outputs. | |
| [variables.tf](./variables.tf) | Module variables. | |
| [versions.tf](./versions.tf) | Version pins. | |
| [vpn-dev-r1.tf](./vpn-dev-r1.tf) | Landing to Development VPN for region 1. | net-vpn-ha |
| [vpn-prod-r1.tf](./vpn-prod-r1.tf) | Landing to Production VPN for region 1. | net-vpn-ha |
## Variables
| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
| [prefix](variables.tf#L34) | Prefix used for resource names. | string | ✓ | |
| [project_id](variables.tf#L52) | Project id for all resources. | string | ✓ | |
| [ip_ranges](variables.tf#L15) | Subnet IP CIDR ranges. | map(string) | | {…} |
| [ip_secondary_ranges](variables.tf#L28) | Subnet secondary ranges. | map(map(string)) | | {} |
| [project_create_config](variables.tf#L43) | Populate with billing account id to trigger project creation. | object({…}) | | null |
| [regions](variables.tf#L57) | VPC regions. | map(string) | | {…} |
| [vpn_configs](variables.tf#L66) | VPN configurations. | map(object({…})) | | {…} |
## Outputs
| name | description | sensitive |
|---|---|:---:|
| [subnets](outputs.tf#L15) | Subnet details. | |
| [vms](outputs.tf#L39) | GCE VMs. | |
## Test
```hcl
module "test" {
source = "./fabric/blueprints/networking/hub-and-spoke-vpn"
prefix = "prefix"
project_create_config = {
billing_account_id = "123456-123456-123456"
parent_id = "folders/123456789"
}
project_id = "project-1"
}
# tftest modules=20 resources=79
```