6.2 KiB
Hub and Spoke via VPN
This blueprint creates a simple Hub and Spoke VPN setup, where the VPC network connects satellite locations (spokes) through a single intermediary location (hub) via IPsec HA VPN.
A few additional features are also shown:
- custom BGP advertisements to implement transitivity between spokes
- VPC Global Routing to leverage a regional set of VPN gateways in different regions as next hops (used here for illustrative/study purpose, not usually done in real life)
The blueprint has been purposefully kept simple to show how to use and wire the VPC and VPN-HA modules together, and so that it can be used as a basis for experimentation. For a more complex scenario that better reflects real-life usage, including Shared VPC and DNS cross-project binding please refer to the FAST network stage.
This is the high level diagram of this blueprint:
Managed resources and services
This sample creates several distinct groups of resources:
- one VPC for each hub and each spoke
- one set of firewall rules for each VPC
- one HA VPN gateway with two tunnels and one Cloud Router for each spoke
- two HA VPN gateways with two tunnels and a shared Cloud Routers for the hub
- one DNS private zone in the hub
- one DNS peering zone and one DNS private zone in each spoke
- one test instance for the hub each spoke
Prerequisites
A single pre-existing project is used in this blueprint to keep variables and complexity to a minimum, in a real world scenarios each spoke would probably use a separate project.
The provided project needs a valid billing account, the Compute and DNS APIs are enabled by the blueprint.
You can easily create such a project by commenting turning on project creation in the project module contained in main.tf, as shown in this snippet:
module "project" {
source = "../../../modules/project"
name = var.project_id
# comment or remove this line to enable project creation
# project_create = false
# add the following line with your billing account id value
billing_account = "12345-ABCD-12345"
services = [
"compute.googleapis.com",
"dns.googleapis.com"
]
}
# tftest skip
Testing
Once the blueprint is up, you can quickly test features by logging in to one of the test VMs:
gcloud compute ssh hs-ha-lnd-test-r1
# test DNS resolution of the landing zone
ping test-r1.example.com
# test DNS resolution of the prod zone, and prod reachability
ping test-r1.prod.example.com
# test DNS resolution of the dev zone, and dev reachability via global routing
ping test-r2.dev.example.com
Files
| name | description | modules |
|---|---|---|
| main.tf | Module-level locals and resources. | compute-vm · project |
| net-dev.tf | Development spoke VPC. | dns · net-vpc · net-vpc-firewall |
| net-landing.tf | Landing hub VPC. | dns · net-vpc · net-vpc-firewall |
| net-prod.tf | Production spoke VPC. | dns · net-vpc · net-vpc-firewall |
| outputs.tf | Module outputs. | |
| variables.tf | Module variables. | |
| versions.tf | Version pins. | |
| vpn-dev-r1.tf | Landing to Development VPN for region 1. | net-vpn-ha |
| vpn-prod-r1.tf | Landing to Production VPN for region 1. | net-vpn-ha |
Variables
| name | description | type | required | default |
|---|---|---|---|---|
| prefix | Prefix used for resource names. | string |
✓ | |
| project_id | Project id for all resources. | string |
✓ | |
| ip_ranges | Subnet IP CIDR ranges. | map(string) |
{…} |
|
| ip_secondary_ranges | Subnet secondary ranges. | map(map(string)) |
{} |
|
| project_create_config | Populate with billing account id to trigger project creation. | object({…}) |
null |
|
| regions | VPC regions. | map(string) |
{…} |
|
| vpn_configs | VPN configurations. | map(object({…})) |
{…} |
Outputs
| name | description | sensitive |
|---|---|---|
| subnets | Subnet details. | |
| vms | GCE VMs. |