
# Cloud HA VPN Module

This module makes it easy to deploy either GCP-to-GCP or GCP-to-On-prem Cloud HA VPN.

## Examples

### GCP to GCP

```hcl
module "vpn-1" {
  source     = "./fabric/modules/net-vpn-ha"
  project_id = var.project_id
  region     = "europe-west4"
  network    = var.vpc1.self_link
  name       = "net1-to-net-2"
  peer_gateways = {
    default = { gcp = module.vpn-2.self_link }
  }
  router_config = {
    asn = 64514
    custom_advertise = {
      all_subnets = true
      ip_ranges = {
        "10.0.0.0/8" = "default"
      }
    }
  }
  tunnels = {
    remote-0 = {
      bgp_peer = {
        address = "169.254.1.1"
        asn     = 64513
      }
      bgp_session_range     = "169.254.1.2/30"
      vpn_gateway_interface = 0
    }
    remote-1 = {
      bgp_peer = {
        address = "169.254.2.1"
        asn     = 64513
      }
      bgp_session_range     = "169.254.2.2/30"
      vpn_gateway_interface = 1
    }
  }
}

module "vpn-2" {
  source        = "./fabric/modules/net-vpn-ha"
  project_id    = var.project_id
  region        = "europe-west4"
  network       = var.vpc2.self_link
  name          = "net2-to-net1"
  router_config = { asn = 64513 }
  peer_gateways = {
    default = { gcp = module.vpn-1.self_link }
  }
  tunnels = {
    remote-0 = {
      bgp_peer = {
        address = "169.254.1.2"
        asn     = 64514
      }
      bgp_session_range     = "169.254.1.1/30"
      shared_secret         = module.vpn-1.random_secret
      vpn_gateway_interface = 0
    }
    remote-1 = {
      bgp_peer = {
        address = "169.254.2.2"
        asn     = 64514
      }
      bgp_session_range     = "169.254.2.1/30"
      shared_secret         = module.vpn-1.random_secret
      vpn_gateway_interface = 1
    }
  }
}
# tftest modules=2 resources=18 inventory=gcp-to-gcp.yaml
```

Note: When using the `for_each` meta-argument you might experience a Cycle Error due to the multiple `net-vpn-ha` modules referencing each other. To fix this you can create the `google_compute_ha_vpn_gateway` resources separately and reference them in the `net-vpn-ha` module via the `vpn_gateway` and `peer_gcp_gateway` variables.
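As an added example of the workaround described in the note (not code from the module's README): both HA VPN gateways are created with `google_compute_ha_vpn_gateway` outside the module and handed in through `vpn_gateway` (with `vpn_gateway_create = null`) and `peer_gateways`, so the two `for_each` module instances depend only on those resources and never on each other. The `local.sides` map, the `sides`/`peer` naming and the `random_password` resource from the hashicorp/random provider are assumptions of this example.

```hcl
locals {
  # Constructed for this example: one entry per VPC side; each side knows
  # the key of its peer so the module instances never reference each other.
  sides = {
    vpc1 = {
      network = var.vpc1.self_link, asn = 64514, peer = "vpc2", peer_asn = 64513
      bgp = ["169.254.1.2", "169.254.2.2"], peer_bgp = ["169.254.1.1", "169.254.2.1"]
    }
    vpc2 = {
      network = var.vpc2.self_link, asn = 64513, peer = "vpc1", peer_asn = 64514
      bgp = ["169.254.1.1", "169.254.2.1"], peer_bgp = ["169.254.1.2", "169.254.2.2"]
    }
  }
}

# One pre-shared key generated outside the modules (assumed hashicorp/random
# provider) instead of one instance reading the other's random_secret output.
resource "random_password" "psk" {
  length = 32
}

# Gateways created outside the module, so each module instance only depends
# on these resources and the module-to-module cycle disappears.
resource "google_compute_ha_vpn_gateway" "gw" {
  for_each = local.sides
  project  = var.project_id
  region   = "europe-west4"
  name     = "${each.key}-ha-gw"
  network  = each.value.network
}

module "vpn" {
  source             = "./fabric/modules/net-vpn-ha"
  for_each           = local.sides
  project_id         = var.project_id
  region             = "europe-west4"
  network            = each.value.network
  name               = "${each.key}-to-${each.value.peer}"
  vpn_gateway        = google_compute_ha_vpn_gateway.gw[each.key].self_link
  vpn_gateway_create = null # gateway already exists, do not create another
  peer_gateways = {
    default = { gcp = google_compute_ha_vpn_gateway.gw[each.value.peer].self_link }
  }
  router_config = { asn = each.value.asn }
  tunnels = {
    for i in [0, 1] : "remote-${i}" => {
      bgp_peer              = { address = each.value.peer_bgp[i], asn = each.value.peer_asn }
      bgp_session_range     = "${each.value.bgp[i]}/30"
      shared_secret         = random_password.psk.result
      vpn_gateway_interface = i
    }
  }
}
```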

### GCP to on-prem

```hcl
module "vpn_ha" {
  source     = "./fabric/modules/net-vpn-ha"
  project_id = var.project_id
  region     = var.region
  network    = var.vpc.self_link
  name       = "mynet-to-onprem"
  peer_gateways = {
    default = {
      external = {
        redundancy_type = "SINGLE_IP_INTERNALLY_REDUNDANT"
        interfaces      = ["8.8.8.8"] # on-prem router ip address
      }
    }
  }
  router_config = { asn = 64514 }
  tunnels = {
    remote-0 = {
      bgp_peer = {
        address = "169.254.1.1"
        asn     = 64513
      }
      bgp_session_range               = "169.254.1.2/30"
      peer_external_gateway_interface = 0
      shared_secret                   = "mySecret" # placeholder; pass it in via a sensitive variable, not a literal
      vpn_gateway_interface           = 0
    }
    remote-1 = {
      bgp_peer = {
        address = "169.254.2.1"
        asn     = 64513
      }
      bgp_session_range               = "169.254.2.2/30"
      peer_external_gateway_interface = 0
      shared_secret                   = "mySecret"
      vpn_gateway_interface           = 1
    }
  }
}
# tftest modules=1 resources=10 inventory=gcp-to-onprem.yaml
```

### IPv6 (dual-stack)

You can optionally set your HA VPN gateway (and BGP sessions) to carry both IPv4 and IPv6 traffic. IPv6 only is not supported.

```hcl
module "vpn_ha" {
  source     = "./fabric/modules/net-vpn-ha"
  project_id = var.project_id
  region     = var.region
  name       = "mynet-to-onprem"
  network    = var.vpc.self_link
  peer_gateways = {
    default = {
      external = {
        redundancy_type = "SINGLE_IP_INTERNALLY_REDUNDANT"
        interfaces      = ["8.8.8.8"] # on-prem router ip address
      }
    }
  }
  router_config = { asn = 64514 }
  tunnels = {
    remote-0 = {
      bgp_peer = {
        address = "169.254.1.1"
        asn     = 64513
        ipv6    = {} # enable IPv6 on the session with auto-assigned next hops
      }
      bgp_session_range               = "169.254.1.2/30"
      peer_external_gateway_interface = 0
      shared_secret                   = "mySecret"
      vpn_gateway_interface           = 0
    }
    remote-1 = {
      bgp_peer = {
        address = "169.254.2.1"
        asn     = 64513
        ipv6 = { # explicit IPv6 next hops for this session
          nexthop_address      = "2600:2d00:0:2::1"
          peer_nexthop_address = "2600:2d00:0:3::1"
        }
      }
      bgp_session_range               = "169.254.2.2/30"
      peer_external_gateway_interface = 0
      shared_secret                   = "mySecret"
      vpn_gateway_interface           = 1
    }
  }
  vpn_gateway_create = {
    stack_type = "IPV4_IPV6"
  }
}
# tftest modules=1 resources=10 inventory=ipv6.yaml
```

## Variables

| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
| name | VPN Gateway name (if an existing VPN Gateway is not used), and prefix used for dependent resources. | `string` | ✓ | |
| network | VPC used for the gateway and routes. | `string` | ✓ | |
| project_id | Project where resources will be created. | `string` | ✓ | |
| region | Region used for resources. | `string` | ✓ | |
| router_config | Cloud Router configuration for the VPN. If you want to reuse an existing router, set `create` to `false` and use `name` to specify the desired router. | `object({…})` | ✓ | |
| peer_gateways | Configuration of the (external or GCP) peer gateway. | `map(object({…}))` | | `{}` |
| tunnels | VPN tunnel configurations. | `map(object({…}))` | | `{}` |
| vpn_gateway | HA VPN Gateway Self Link for using an existing HA VPN Gateway. Ignored if `vpn_gateway_create` is set to `true`. | `string` | | `null` |
| vpn_gateway_create | Create HA VPN Gateway. Set to `null` to avoid creation. | `object({…})` | | `{}` |

## Outputs

| name | description | sensitive |
|---|---|:---:|
| bgp_peers | BGP peer resources. | |
| external_gateway | External VPN gateway resource. | |
| gateway | VPN gateway resource (only if auto-created). | |
| id | Fully qualified VPN gateway id. | |
| name | VPN gateway name (only if auto-created). | |
| random_secret | Generated secret. | |
| router | Router resource (only if auto-created). | |
| router_name | Router name. | |
| self_link | HA VPN gateway self link. | |
| tunnel_names | VPN tunnel names. | |
| tunnel_self_links | VPN tunnel self links. | |
| tunnels | VPN tunnel resources. | |