5453c585e0
* rename stages * remove support for external org billing, rename output files * resman: make groups optional, align on new billing account variable * bootstrap: multitenant outputs * tenant bootstrap stage, untested * fix folder name * fix stage 0 output names * optional creation for tag keys in organization module * single tenant bootstrap minus tag * rename output files, add tenant tag key * fix organization module tag values output * test skipping creation for tags in organization module * single tenant bootstrap plan working * multitenant bootstrap * tfdoc * fix check links error messages * fix links * tfdoc * fix links * rename fast tests, fix bootstrap tests * multitenant stages have their own folder, simplify stage numbering * stage renumbering * wip * rename tests * exclude fast providers in fixture * stage 0 tests * stage 1 tests * network stages tests * stage tests * tfdoc * fix links * tfdoc * multitenant tests * remove local files * stage links command * fix links script, TODO * wip * wip single tenant bootstrap * working tenant bootstrap * update gitignore * remove local files * tfdoc * remove local files * allow tests for tenant bootstrap stage * tenant bootstrap proxies stage 1 tfvars * stage 2 and 3 service accounts and IAM in tenant bootstrap * wip * wip * wip * drop multitenant bootstrap * tfdoc * add missing stage 2 SAs, fix org-level IAM condition * wip * wip * optional tag value creation in organization module * stage 1 working * linting * linting * READMEs * wip * Make stage-links script work in old macos bash * stage links command help * fix output file names * diagrams * fix svg * stage 0 skeleton and diagram * test svg * test svg * test diagram * diagram * readme * fix stage links script * stage 0 readme * README changes * stage readmes * fix outputs order * fix link * fix tests * stage 1 test * skip stage example * boilerplate * fix tftest skip * default bootstrap stage log sinks to log buckets * add logging to tenant bootstrap * move iam variables out of tenant config * fix cicd, reintroduce missing variable * use optional in stage 1 cicd variable * rename extras stage * rename and move identity providers local, use optional for cicd variable * tfdoc * add support for wif pool and providers, ci/cd * tfdoc * fix links * better handling of modules repository * add missing role on logging project * fix cicd pools in locals, test cicd * fix workflow extension * fix module source replacement * allow tenant bootstrap cicd sa to impersonate resman sa * tenant workflow templates fix for no providers file * fix output files, push github workflow template to new repository * remove try from outpout files * align stage 1 cicd internals to stage 0 * tfdoc * tests * fix tests * tests * improve variable descriptions * use optional in fast features * actually create tenant log sinks, and allow the resman sa to do it * test * tests * aaaand tests again * fast features tenant override * fast features tenant override * fix wording * add missing comment * configure pf service accounts * add missing comment * tfdoc * tests * IAM docs * update copyright --------- Co-authored-by: Julio Castillo <jccb@google.com> |
||
---|---|---|
.. | ||
README.md | ||
backend.tf.sample | ||
diagram.png | ||
main.tf | ||
net-dev.tf | ||
net-landing.tf | ||
net-prod.tf | ||
outputs.tf | ||
variables.tf | ||
versions.tf | ||
vpn-dev-r1.tf | ||
vpn-prod-r1.tf |
README.md
Hub and Spoke via VPN
This blueprint creates a simple Hub and Spoke VPN setup, where the VPC network connects satellite locations (spokes) through a single intermediary location (hub) via IPsec HA VPN.
A few additional features are also shown:
- custom BGP advertisements to implement transitivity between spokes
- VPC Global Routing to leverage a regional set of VPN gateways in different regions as next hops (used here for illustrative/study purpose, not usually done in real life)
The blueprint has been purposefully kept simple to show how to use and wire the VPC and VPN-HA modules together, and so that it can be used as a basis for experimentation. For a more complex scenario that better reflects real-life usage, including Shared VPC and DNS cross-project binding please refer to the FAST network stage.
This is the high level diagram of this blueprint:
Managed resources and services
This sample creates several distinct groups of resources:
- one VPC for each hub and each spoke
- one set of firewall rules for each VPC
- one HA VPN gateway with two tunnels and one Cloud Router for each spoke
- two HA VPN gateways with two tunnels and a shared Cloud Routers for the hub
- one DNS private zone in the hub
- one DNS peering zone and one DNS private zone in each spoke
- one test instance for the hub each spoke
Prerequisites
A single pre-existing project is used in this blueprint to keep variables and complexity to a minimum, in a real world scenarios each spoke would probably use a separate project.
The provided project needs a valid billing account, the Compute and DNS APIs are enabled by the blueprint.
You can easily create such a project by commenting turning on project creation in the project module contained in main.tf
, as shown in this snippet:
module "project" {
source = "../../../modules/project"
name = var.project_id
# comment or remove this line to enable project creation
# project_create = false
# add the following line with your billing account id value
billing_account = "12345-ABCD-12345"
services = [
"compute.googleapis.com",
"dns.googleapis.com"
]
}
# tftest skip
Testing
Once the blueprint is up, you can quickly test features by logging in to one of the test VMs:
gcloud compute ssh hs-ha-lnd-test-r1
# test DNS resolution of the landing zone
ping test-r1.example.com
# test DNS resolution of the prod zone, and prod reachability
ping test-r1.prod.example.com
# test DNS resolution of the dev zone, and dev reachability via global routing
ping test-r2.dev.example.com
Files
name | description | modules |
---|---|---|
main.tf | Module-level locals and resources. | compute-vm · project |
net-dev.tf | Development spoke VPC. | dns · net-vpc · net-vpc-firewall |
net-landing.tf | Landing hub VPC. | dns · net-vpc · net-vpc-firewall |
net-prod.tf | Production spoke VPC. | dns · net-vpc · net-vpc-firewall |
outputs.tf | Module outputs. | |
variables.tf | Module variables. | |
versions.tf | Version pins. | |
vpn-dev-r1.tf | Landing to Development VPN for region 1. | net-vpn-ha |
vpn-prod-r1.tf | Landing to Production VPN for region 1. | net-vpn-ha |
Variables
name | description | type | required | default |
---|---|---|---|---|
prefix | Prefix used for resource names. | string |
✓ | |
project_id | Project id for all resources. | string |
✓ | |
ip_ranges | Subnet IP CIDR ranges. | map(string) |
{…} |
|
ip_secondary_ranges | Subnet secondary ranges. | map(map(string)) |
{} |
|
project_create_config | Populate with billing account id to trigger project creation. | object({…}) |
null |
|
regions | VPC regions. | map(string) |
{…} |
|
vpn_configs | VPN configurations. | map(object({…})) |
{…} |
Outputs
name | description | sensitive |
---|---|---|
subnets | Subnet details. | |
vms | GCE VMs. |