zecfoundation
/
cloud-foundation-fabric
mirror of https://github.com/ZcashFoundation/cloud-foundation-fabric.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
cloud-foundation-fabric/modules/net-vpn-ha
History
Luca Prete f2c80e17f1
[#138] Update copyright headers to 2020 (#139) 
Co-authored-by: Luca Prete <lucaprete@google.com>
 		2020-09-23 11:07:03 +02:00
..
README.md Make VPN Gateway creation optional for the module. 2020-09-01 12:38:25 +02:00
main.tf [#138] Update copyright headers to 2020 (#139) 2020-09-23 11:07:03 +02:00
outputs.tf [#138] Update copyright headers to 2020 (#139) 2020-09-23 11:07:03 +02:00
variables.tf [#138] Update copyright headers to 2020 (#139) 2020-09-23 11:07:03 +02:00
versions.tf [#138] Update copyright headers to 2020 (#139) 2020-09-23 11:07:03 +02:00

README.md

Cloud VPN HA Module

This module makes it easy to deploy either GCP-to-GCP or GCP-to-On-prem Cloud HA VPN.

Examples

GCP to GCP

module "vpn_ha-1" {
  source = "../modules/net-vpn-ha"
  project_id  = "<PROJECT_ID>"
  region  = "europe-west4"
  network         = "https://www.googleapis.com/compute/v1/projects/<PROJECT_ID>/global/networks/network-1"
  name            = "net1-to-net-2"
  peer_gcp_gateway = module.vpn_ha-2.self_link
  router_asn = 64514
  router_advertise_config = {
    groups = ["ALL_SUBNETS"]
    ip_ranges = {
      "10.0.0.0/8" = "default"
    }
    mode = "CUSTOM"
  }
  tunnels = {
    remote-0 = {
      bgp_peer = {
        address = "169.254.1.1"
        asn     = 64513
      }
      bgp_peer_options  = null
      bgp_session_range = "169.254.1.2/30"
      ike_version       = 2
      vpn_gateway_interface = 0
      peer_external_gateway_interface = null
      shared_secret     = ""
    }
    remote-1 = {
      bgp_peer = {
        address = "169.254.2.1"
        asn     = 64513
      }
      bgp_peer_options  = null
      bgp_session_range = "169.254.2.2/30"
      ike_version       = 2
      vpn_gateway_interface = 1
      peer_external_gateway_interface = null
      shared_secret     = ""
    }
  }
}

module "vpn_ha-2" {
  source = "../modules/net-vpn-ha"
  project_id  = "<PROJECT_ID>"
  region  = "europe-west4"
  network         = "https://www.googleapis.com/compute/v1/projects/<PROJECT_ID>/global/networks/local-network"
  name            = "net2-to-net1"
  router_asn = 64513
  peer_gcp_gateway = module.vpn_ha-1.self_link
  tunnels = {
    remote-0 = {
      bgp_peer = {
        address = "169.254.1.2"
        asn     = 64514
      }
      bgp_peer_options  = null
      bgp_session_range = "169.254.1.1/30"
      ike_version       = 2
      vpn_gateway_interface = 0
      peer_external_gateway_interface = null
      shared_secret     = module.vpn_ha-1.random_secret
    }
    remote-1 = {
      bgp_peer = {
        address = "169.254.2.2"
        asn     = 64514
      }
      bgp_peer_options  = null
      bgp_session_range = "169.254.2.1/30"
      ike_version       = 2
      vpn_gateway_interface = 1
      peer_external_gateway_interface = null
      shared_secret     = module.vpn_ha-1.random_secret
    }
  }
}

GCP to on-prem

module "vpn_ha" {
  source = "../modules/net-vpn-ha"
  project_id  = "<PROJECT_ID>"
  region  = "europe-west4"
  network         = "https://www.googleapis.com/compute/v1/projects/<PROJECT_ID>/global/networks/my-network"
  name            = "mynet-to-onprem"
  peer_external_gateway = {
      redundancy_type = "SINGLE_IP_INTERNALLY_REDUNDANT"
      interfaces = [{
          id = 0
          ip_address = "8.8.8.8" # on-prem router ip address

      }]
  }
  router_asn = 64514
  tunnels = {
    remote-0 = {
      bgp_peer = {
        address = "169.254.1.1"
        asn     = 64513
      }
      bgp_peer_options  = null
      bgp_session_range = "169.254.1.2/30"
      ike_version       = 2
      vpn_gateway_interface = 0
      peer_external_gateway_interface = 0
      shared_secret     = "mySecret"
    }
    remote-1 = {
      bgp_peer = {
        address = "169.254.2.1"
        asn     = 64513
      }
      bgp_peer_options  = null
      bgp_session_range = "169.254.2.2/30"
      ike_version       = 2
      vpn_gateway_interface = 1
      peer_external_gateway_interface = 0
      shared_secret     = "mySecret"
    }
  }
}

Variables

name description type required default
name VPN Gateway name (if an existing VPN Gateway is not used), and prefix used for dependent resources. string
network VPC used for the gateway and routes. string
project_id Project where resources will be created. string
region Region used for resources. string
peer_external_gateway Configuration of an external VPN gateway to which this VPN is connected. object({...}) null
peer_gcp_gateway Self Link URL of the peer side HA GCP VPN gateway to which this VPN tunnel is connected. string null
route_priority Route priority, defaults to 1000. number 1000
router_advertise_config Router custom advertisement configuration, ip_ranges is a map of address ranges and descriptions. object({...}) null
router_asn Router ASN used for auto-created router. number 64514
router_create Create router. bool true
router_name Router name used for auto created router, or to specify an existing router to use if router_create is set to true. Leave blank to use VPN name for auto created router. string
tunnels VPN tunnel configurations, bgp_peer_options is usually null. map(object({...})) {}
vpn_gateway HA VPN Gateway Self Link for using an existing HA VPN Gateway, leave empty if vpn_gateway_create is set to true. string null
vpn_gateway_create Create HA VPN Gateway. bool true

Outputs

name description sensitive
external_gateway External VPN gateway resource.
gateway VPN gateway resource (only if auto-created).
name VPN gateway name (only if auto-created).
random_secret Generated secret.
router Router resource (only if auto-created).
router_name Router name.
self_link HA VPN gateway self link.
tunnel_names VPN tunnel names.
tunnel_self_links VPN tunnel self links.
tunnels VPN tunnel resources.