cloud-foundation-fabric/blueprints/networking/hub-and-spoke-vpn
Ludovico Magnocavallo 5453c585e0
FAST multitenant bootstrap and resource management, rename org-level FAST stages (#1052)
* rename stages

* remove support for external org billing, rename output files

* resman: make groups optional, align on new billing account variable

* bootstrap: multitenant outputs

* tenant bootstrap stage, untested

* fix folder name

* fix stage 0 output names

* optional creation for tag keys in organization module

* single tenant bootstrap minus tag

* rename output files, add tenant tag key

* fix organization module tag values output

* test skipping creation for tags in organization module

* single tenant bootstrap plan working

* multitenant bootstrap

* tfdoc

* fix check links error messages

* fix links

* tfdoc

* fix links

* rename fast tests, fix bootstrap tests

* multitenant stages have their own folder, simplify stage numbering

* stage renumbering

* wip

* rename tests

* exclude fast providers in fixture

* stage 0 tests

* stage 1 tests

* network stages tests

* stage tests

* tfdoc

* fix links

* tfdoc

* multitenant tests

* remove local files

* stage links command

* fix links script, TODO

* wip

* wip single tenant bootstrap

* working tenant bootstrap

* update gitignore

* remove local files

* tfdoc

* remove local files

* allow tests for tenant bootstrap stage

* tenant bootstrap proxies stage 1 tfvars

* stage 2 and 3 service accounts and IAM in tenant bootstrap

* wip

* wip

* wip

* drop multitenant bootstrap

* tfdoc

* add missing stage 2 SAs, fix org-level IAM condition

* wip

* wip

* optional tag value creation in organization module

* stage 1 working

* linting

* linting

* READMEs

* wip

* Make stage-links script work in old macos bash

* stage links command help

* fix output file names

* diagrams

* fix svg

* stage 0 skeleton and diagram

* test svg

* test svg

* test diagram

* diagram

* readme

* fix stage links script

* stage 0 readme

* README changes

* stage readmes

* fix outputs order

* fix link

* fix tests

* stage 1 test

* skip stage example

* boilerplate

* fix tftest skip

* default bootstrap stage log sinks to log buckets

* add logging to tenant bootstrap

* move iam variables out of tenant config

* fix cicd, reintroduce missing variable

* use optional in stage 1 cicd variable

* rename extras stage

* rename and move identity providers local, use optional for cicd variable

* tfdoc

* add support for wif pool and providers, ci/cd

* tfdoc

* fix links

* better handling of modules repository

* add missing role on logging project

* fix cicd pools in locals, test cicd

* fix workflow extension

* fix module source replacement

* allow tenant bootstrap cicd sa to impersonate resman sa

* tenant workflow templates fix for no providers file

* fix output files, push github workflow template to new repository

* remove try from output files

* align stage 1 cicd internals to stage 0

* tfdoc

* tests

* fix tests

* tests

* improve variable descriptions

* use optional in fast features

* actually create tenant log sinks, and allow the resman sa to do it

* test

* tests

* aaaand tests again

* fast features tenant override

* fast features tenant override

* fix wording

* add missing comment

* configure pf service accounts

* add missing comment

* tfdoc

* tests

* IAM docs

* update copyright

---------

Co-authored-by: Julio Castillo <jccb@google.com>
2023-02-04 15:00:45 +01:00

README.md

Hub and Spoke via VPN

This blueprint creates a simple Hub and Spoke VPN setup, in which satellite VPC networks (spokes) are connected to each other through a single intermediary VPC network (hub) via IPsec HA VPN tunnels.

A few additional features are also shown:

  • custom BGP advertisements on the hub's Cloud Routers to implement transitivity between spokes (each spoke learns the other spokes' ranges through the hub)
  • VPC global routing, so that a regional set of VPN gateways in a different region can be used as next hops (shown here for illustrative/study purposes, not usually done in real life)

The blueprint has been purposefully kept simple to show how to use and wire the VPC and VPN-HA modules together, and so that it can be used as a basis for experimentation. For a more complex scenario that better reflects real-life usage, including Shared VPC and DNS cross-project binding, please refer to the FAST network stage.
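To make the transitivity point concrete, here is an added example (not part of the blueprint or of the cloud-foundation-fabric code) that models the hub's custom BGP advertisements: given a map of subnets modelled on the blueprint's ip_ranges variable (hypothetical CIDRs and names), it checks that no ranges overlap, derives the transit prefixes the hub must advertise on each spoke's BGP sessions, and verifies which destinations a spoke can reach through the hub.

```python
from ipaddress import ip_address, ip_network

# Constructed sample data modelled on the blueprint's ip_ranges variable
# (hypothetical CIDRs and names, not the blueprint's defaults).
# name -> (vpc, cidr); "landing" is the hub, everything else is a spoke.
SUBNETS = {
    "landing-r1": ("landing", "10.0.0.0/24"),
    "landing-r2": ("landing", "10.0.1.0/24"),
    "dev-r2": ("dev", "10.0.16.0/24"),
    "prod-r1": ("prod", "10.0.32.0/24"),
}
HUB = "landing"


def overlapping_subnets(subnets=SUBNETS):
    """Return name pairs whose CIDRs overlap. Once the hub re-advertises
    spoke prefixes, any overlap makes BGP route selection on the spokes
    ambiguous, so this list must be empty for a sound design."""
    nets = {n: ip_network(c, strict=True) for n, (_, c) in subnets.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def hub_custom_advertisements(subnets=SUBNETS):
    """Per spoke, the extra prefixes the hub's Cloud Router must advertise
    on that spoke's BGP sessions: every other spoke's subnets. The hub's
    own subnets are covered by advertising all hub subnets, so only the
    transit prefixes are listed here."""
    spokes = sorted({v for v, _ in subnets.values() if v != HUB})
    return {s: sorted(c for v, c in subnets.values() if v not in (HUB, s))
            for s in spokes}


def spoke_routes(spoke, subnets=SUBNETS):
    """Prefixes a spoke learns over BGP from the hub: the hub's subnets
    plus the custom transit advertisements computed above."""
    hub_nets = [c for v, c in subnets.values() if v == HUB]
    return sorted(hub_nets + hub_custom_advertisements(subnets)[spoke])


def can_reach(src_spoke, dst_ip, subnets=SUBNETS):
    """True if dst_ip falls inside a prefix src_spoke learned via the hub."""
    addr = ip_address(dst_ip)
    return any(addr in ip_network(p) for p in spoke_routes(src_spoke, subnets))
```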

This is the high level diagram of this blueprint:

High-level diagram

Managed resources and services

This sample creates several distinct groups of resources:

  • one VPC for each hub and each spoke
  • one set of firewall rules for each VPC
  • one HA VPN gateway with two tunnels and one Cloud Router for each spoke
  • two HA VPN gateways with two tunnels each and a shared Cloud Router for the hub
  • one DNS private zone in the hub
  • one DNS peering zone and one DNS private zone in each spoke
  • one test instance for the hub and for each spoke

Prerequisites

A single pre-existing project is used in this blueprint to keep variables and complexity to a minimum; in a real-world scenario each spoke would probably use a separate project.

The provided project needs a valid billing account; the Compute and DNS APIs are enabled by the blueprint.

You can easily create such a project by turning on project creation in the project module contained in main.tf, as shown in this snippet:

module "project" {
  source = "../../../modules/project"
  name   = var.project_id
  # comment or remove this line to enable project creation
  # project_create = false
  # add the following line with your billing account id value
  billing_account = "12345-ABCD-12345"
  services = [
    "compute.googleapis.com",
    "dns.googleapis.com"
  ]
}

# tftest skip

Testing

Once the blueprint is up, you can quickly test features by logging in to one of the test VMs:

gcloud compute ssh hs-ha-lnd-test-r1
# test DNS resolution of the landing zone
ping test-r1.example.com
# test DNS resolution of the prod zone, and prod reachability
ping test-r1.prod.example.com
# test DNS resolution of the dev zone, and dev reachability via global routing
ping test-r2.dev.example.com

Files

name            description                                   modules
main.tf         Module-level locals and resources.            compute-vm · project
net-dev.tf      Development spoke VPC.                        dns · net-vpc · net-vpc-firewall
net-landing.tf  Landing hub VPC.                              dns · net-vpc · net-vpc-firewall
net-prod.tf     Production spoke VPC.                         dns · net-vpc · net-vpc-firewall
outputs.tf      Module outputs.
variables.tf    Module variables.
versions.tf     Version pins.
vpn-dev-r1.tf   Landing to Development VPN for region 1.      net-vpn-ha
vpn-prod-r1.tf  Landing to Production VPN for region 1.       net-vpn-ha

Variables

name                   description                                                    type              required  default
prefix                 Prefix used for resource names.                                string            ✓
project_id             Project id for all resources.                                  string            ✓
ip_ranges              Subnet IP CIDR ranges.                                         map(string)                 {…}
ip_secondary_ranges    Subnet secondary ranges.                                       map(map(string))            {}
project_create_config  Populate with billing account id to trigger project creation.  object({…})                 null
regions                VPC regions.                                                   map(string)                 {…}
vpn_configs            VPN configurations.                                            map(object({…}))            {…}

Outputs

name     description      sensitive
subnets  Subnet details.
vms      GCE VMs.