VLAN Attachment module
This module allows for the provisioning of HA VPN over Interconnect. Specifically, this module creates a VPN gateway, a configurable number of tunnels, and all the resources required to established IPSec and BGP with the peer routers.
The required pair of encrypted VLAN Attachments can be created leveraging the net-vlan-attachment module, as shown in the IoIC Blueprint.
Examples
Single region setup
resource "google_compute_router" "encrypted-interconnect-overlay-router" {
name = "encrypted-interconnect-overlay-router"
project = "myproject"
network = "mynet"
region = "europe-west8"
bgp {
asn = 64514
advertise_mode = "CUSTOM"
advertised_groups = ["ALL_SUBNETS"]
advertised_ip_ranges {
range = "10.255.255.0/24"
}
advertised_ip_ranges {
range = "192.168.255.0/24"
}
}
}
resource "google_compute_external_vpn_gateway" "default" {
name = "peer-vpn-gateway"
project = "myproject"
description = "Peer IPSec over Interconnect VPN gateway"
interface {
id = 0
ip_address = "10.0.0.1"
}
interface {
id = 1
ip_address = "10.0.0.2"
}
}
module "vpngw-a" {
source = "./fabric/modules/net-ipsec-over-interconnect"
project_id = "myproject"
network = "mynet"
region = "europe-west8"
name = "vpngw-a"
interconnect_attachments = {
a = "attach-01"
b = "attach-02"
}
peer_gateway_config = {
create = false
id = google_compute_external_vpn_gateway.default.id
}
router_config = {
create = false
name = google_compute_router.encrypted-interconnect-overlay-router.name
}
tunnels = {
remote-0 = {
bgp_peer = {
address = "169.254.1.2"
asn = 64514
}
bgp_session_range = "169.254.1.1/30"
shared_secret = "foobar"
vpn_gateway_interface = 0
}
remote-1 = {
bgp_peer = {
address = "169.254.1.6"
asn = 64514
}
bgp_session_range = "169.254.1.5/30"
shared_secret = "foobar"
vpn_gateway_interface = 1
}
remote-2 = {
bgp_peer = {
address = "169.254.1.10"
asn = 64514
}
bgp_session_range = "169.254.1.9/30"
shared_secret = "foobar"
vpn_gateway_interface = 0
}
remote-3 = {
bgp_peer = {
address = "169.254.1.14"
asn = 64514
}
bgp_session_range = "169.254.1.13/30"
shared_secret = "foobar"
vpn_gateway_interface = 1
}
}
}
# tftest modules=1 resources=16
Variables
| name |
description |
type |
required |
default |
| interconnect_attachments |
VLAN attachments used by the VPN Gateway. |
object({…}) |
✓ |
|
| name |
Common name to identify the VPN Gateway. |
string |
✓ |
|
| network |
The VPC name to which resources are associated to. |
string |
✓ |
|
| peer_gateway_config |
IP addresses for the external peer gateway. |
object({…}) |
✓ |
|
| project_id |
The project id. |
string |
✓ |
|
| region |
GCP Region. |
string |
✓ |
|
| router_config |
Cloud Router configuration for the VPN. If you want to reuse an existing router, set create to false and use name to specify the desired router. |
object({…}) |
✓ |
|
| tunnels |
VPN tunnel configurations. |
map(object({…})) |
|
{} |
Outputs
789328ff5a