# Cloud HA VPN Module

This module makes it easy to deploy either GCP-to-GCP or GCP-to-on-prem Cloud HA VPN.

## Examples

### GCP to GCP
```hcl
module "vpn-1" {
  source     = "./fabric/modules/net-vpn-ha"
  project_id = var.project_id
  region     = "europe-west4"
  network    = var.vpc1.self_link
  name       = "net1-to-net-2"
  peer_gateways = {
    default = { gcp = module.vpn-2.self_link }
  }
  router_config = {
    asn = 64514
    custom_advertise = {
      all_subnets = true
      ip_ranges = {
        "10.0.0.0/8" = "default"
      }
    }
  }
  tunnels = {
    remote-0 = {
      bgp_peer = {
        address = "169.254.1.1"
        asn     = 64513
      }
      bgp_session_range     = "169.254.1.2/30"
      vpn_gateway_interface = 0
    }
    remote-1 = {
      bgp_peer = {
        address = "169.254.2.1"
        asn     = 64513
      }
      bgp_session_range     = "169.254.2.2/30"
      vpn_gateway_interface = 1
    }
  }
}

module "vpn-2" {
  source        = "./fabric/modules/net-vpn-ha"
  project_id    = var.project_id
  region        = "europe-west4"
  network       = var.vpc2.self_link
  name          = "net2-to-net1"
  router_config = { asn = 64513 }
  peer_gateways = {
    default = { gcp = module.vpn-1.self_link }
  }
  tunnels = {
    remote-0 = {
      bgp_peer = {
        address = "169.254.1.2"
        asn     = 64514
      }
      bgp_session_range     = "169.254.1.1/30"
      shared_secret         = module.vpn-1.random_secret
      vpn_gateway_interface = 0
    }
    remote-1 = {
      bgp_peer = {
        address = "169.254.2.2"
        asn     = 64514
      }
      bgp_session_range     = "169.254.2.1/30"
      shared_secret         = module.vpn-1.random_secret
      vpn_gateway_interface = 1
    }
  }
}
# tftest modules=2 resources=18
```
Note: When using the `for_each` meta-argument you might experience a Cycle Error due to the multiple `net-vpn-ha` modules referencing each other. To fix this you can create the `google_compute_ha_vpn_gateway` resources separately and reference them in the `net-vpn-ha` module via the `vpn_gateway` and `peer_gcp_gateway` variables.
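The following configuration is an added example and is not part of the module's own documentation. It shows the workaround from the note above in full: both HA VPN gateways are created outside the module, passed in with `vpn_gateway_create = false` and `vpn_gateway`, and each side's peer gateway is referenced through the `peer_gateways` variable listed in the table below rather than through the other module instance. Because a `for_each` module cannot read its own `random_secret` output, the pre-shared key comes from a single `random_id` resource shared by both ends. `var.project_id`, `var.region`, `var.vpc1` and `var.vpc2` are assumed inputs; the ASNs and link-local addresses are illustrative values.

```hcl
# Added example (not the module's own code): two VPCs connected with for_each
# without a dependency cycle between module instances.
# Assumed inputs: var.project_id, var.region, var.vpc1, var.vpc2.

locals {
  sides = {
    a = {
      network = var.vpc1.self_link
      asn     = 64514
      peer    = "b"
      # one BGP session per gateway interface; "local" is this side's range,
      # "peer" is the address the other side answers on (illustrative values)
      sessions = {
        remote-0 = { interface = 0, local = "169.254.1.2/30", peer = "169.254.1.1" }
        remote-1 = { interface = 1, local = "169.254.2.2/30", peer = "169.254.2.1" }
      }
    }
    b = {
      network = var.vpc2.self_link
      asn     = 64513
      peer    = "a"
      sessions = {
        remote-0 = { interface = 0, local = "169.254.1.1/30", peer = "169.254.1.2" }
        remote-1 = { interface = 1, local = "169.254.2.1/30", peer = "169.254.2.2" }
      }
    }
  }
}

# Gateways are created first; the module instances only depend on these,
# never on each other, so there is no cycle.
resource "google_compute_ha_vpn_gateway" "gw" {
  for_each = local.sides
  project  = var.project_id
  region   = var.region
  name     = "vpn-gw-${each.key}"
  network  = each.value.network
}

# One pre-shared key for both ends of the tunnel pair. It is persisted in
# Terraform state, so the state backend must be access-controlled and encrypted.
resource "random_id" "psk" {
  byte_length = 32
}

module "vpn" {
  for_each           = local.sides
  source             = "./fabric/modules/net-vpn-ha"
  project_id         = var.project_id
  region             = var.region
  network            = each.value.network
  name               = "vpn-${each.key}"
  vpn_gateway_create = false
  vpn_gateway        = google_compute_ha_vpn_gateway.gw[each.key].self_link
  peer_gateways = {
    default = { gcp = google_compute_ha_vpn_gateway.gw[each.value.peer].self_link }
  }
  router_config = { asn = each.value.asn }
  tunnels = {
    for k, s in each.value.sessions : k => {
      bgp_peer = {
        address = s.peer
        asn     = local.sides[each.value.peer].asn
      }
      bgp_session_range     = s.local
      shared_secret         = random_id.psk.hex
      vpn_gateway_interface = s.interface
    }
  }
}
```

Each side's tunnel map is derived from its `sessions` entry, so the same module call serves both VPCs and adding a third side only requires another key in `local.sides` (with matching `peer` and session addresses on the side it connects to).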
### GCP to on-prem
```hcl
module "vpn_ha" {
  source     = "./fabric/modules/net-vpn-ha"
  project_id = var.project_id
  region     = var.region
  network    = var.vpc.self_link
  name       = "mynet-to-onprem"
  peer_gateways = {
    default = {
      external = {
        redundancy_type = "SINGLE_IP_INTERNALLY_REDUNDANT"
        interfaces      = ["8.8.8.8"] # on-prem router ip address
      }
    }
  }
  router_config = { asn = 64514 }
  tunnels = {
    remote-0 = {
      bgp_peer = {
        address = "169.254.1.1"
        asn     = 64513
      }
      bgp_session_range               = "169.254.1.2/30"
      peer_external_gateway_interface = 0
      shared_secret                   = "mySecret"
      vpn_gateway_interface           = 0
    }
    remote-1 = {
      bgp_peer = {
        address = "169.254.2.1"
        asn     = 64513
      }
      bgp_session_range               = "169.254.2.2/30"
      peer_external_gateway_interface = 0
      shared_secret                   = "mySecret"
      vpn_gateway_interface           = 1
    }
  }
}
# tftest modules=1 resources=10
```
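The following is an added example, not part of the module's own documentation. It extends the on-prem case above in two ways a practitioner would usually want: the external peer is declared with two public interfaces (`TWO_IPS_REDUNDANCY`, one tunnel per interface) so that the loss of one on-prem router does not take down the VPN, and the pre-shared key is taken from a variable marked `sensitive` instead of a literal in the configuration. The peer IP addresses are constructed placeholders from the TEST-NET-3 documentation range, and `var.project_id`, `var.region` and `var.vpc` are assumed inputs.

```hcl
# Added example (not the module's own code): on-prem peer with two interfaces
# and the IKE pre-shared key supplied through a sensitive variable.
# Assumed inputs: var.project_id, var.region, var.vpc.

variable "onprem_shared_secret" {
  description = "IKE pre-shared key agreed with the on-prem side."
  type        = string
  sensitive   = true # redacted from plan/apply output; still stored in state
}

module "vpn_ha" {
  source     = "./fabric/modules/net-vpn-ha"
  project_id = var.project_id
  region     = var.region
  network    = var.vpc.self_link
  name       = "mynet-to-onprem"
  peer_gateways = {
    default = {
      external = {
        redundancy_type = "TWO_IPS_REDUNDANCY"
        # constructed placeholder addresses of the two on-prem routers
        interfaces = ["203.0.113.10", "203.0.113.11"]
      }
    }
  }
  router_config = { asn = 64514 }
  tunnels = {
    # tunnel 0: gateway interface 0 to the first on-prem router
    remote-0 = {
      bgp_peer = {
        address = "169.254.1.1"
        asn     = 64513
      }
      bgp_session_range               = "169.254.1.2/30"
      peer_external_gateway_interface = 0
      shared_secret                   = var.onprem_shared_secret
      vpn_gateway_interface           = 0
    }
    # tunnel 1: gateway interface 1 to the second on-prem router
    remote-1 = {
      bgp_peer = {
        address = "169.254.2.1"
        asn     = 64513
      }
      bgp_session_range               = "169.254.2.2/30"
      peer_external_gateway_interface = 1
      shared_secret                   = var.onprem_shared_secret
      vpn_gateway_interface           = 1
    }
  }
}
```

Supply the key at apply time (for example through `TF_VAR_onprem_shared_secret` or a `.tfvars` file kept out of version control). Marking the variable `sensitive` keeps it out of plan and apply output, but the value is still written to Terraform state, so the state backend needs the same access controls as any other secret store.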
## Variables

| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
| name | VPN Gateway name (if an existing VPN Gateway is not used), and prefix used for dependent resources. | `string` | ✓ | |
| network | VPC used for the gateway and routes. | `string` | ✓ | |
| project_id | Project where resources will be created. | `string` | ✓ | |
| region | Region used for resources. | `string` | ✓ | |
| router_config | Cloud Router configuration for the VPN. If you want to reuse an existing router, set `create` to `false` and use `name` to specify the desired router. | `object({…})` | ✓ | |
| peer_gateways | Configuration of the (external or GCP) peer gateway. | `map(object({…}))` | | `{}` |
| tunnels | VPN tunnel configurations. | `map(object({…}))` | | `{}` |
| vpn_gateway | HA VPN Gateway self link for using an existing HA VPN Gateway. Ignored if `vpn_gateway_create` is set to `true`. | `string` | | `null` |
| vpn_gateway_create | Create HA VPN Gateway. | `bool` | | `true` |

## Outputs