This Terraform configuration provides a flexible and robust framework for deploying and managing essential networking components within your Google Cloud Platform (GCP) environment. It empowers you to create a secure, highly available, and customizable network infrastructure that aligns with your organization's specific requirements.
Key features of this configuration include:
- Virtual Private Cloud (VPC) Network: Establish a custom VPC network tailored to your needs. Designate subnets for different purposes, manage routing tables, and leverage Private Service Access (PSA) for seamless communication with Google-managed services.
- Service Connection Policies (SCP): Implements Private Service Connect to automate private connectivity to a managed service.
- High Availability VPN (HA VPN): Create redundant VPN tunnels for secure, resilient site-to-site connectivity. Leverage BGP for dynamic routing and optimal path selection.
- Cloud NAT: Enable private Google Compute Engine (GCE) instances within your VPC to access the internet while maintaining the security of private IP addresses.
- Dedicated Interconnect: Establish a private, high-bandwidth connection between your on-premises network and Google Cloud. Configure VLAN attachments to dedicate connections for specific services or traffic types.
- High Availability: This configuration promotes high availability through redundant VPN tunnels and strategically placed subnets.
- Modularity: The modular structure of this configuration allows you to easily add or remove components as needed.
- PSA and PSC configuration: This module allows you to use either or both PSA (Service Networking) and PSC (Private Service Connectivity) for your large-scale deployments.
Before creating networking resources, ensure you have completed the following prerequisites:
- Completed prior stages: Successful deployment of networking resources depends on the completion of the following stages:
  - 01-organization: This stage handles the activation of required Google Cloud APIs.
- Enable the following APIs:
  - Compute Engine API: Used for creating and managing VPC networks, subnets, forwarding rules, HA VPN tunnels/gateways, Cloud NAT and firewall rules.
  - Service Networking API: Used to manage Private Service Access (PSA) configurations.
  - Network Connectivity API: Enables connectivity with and between Google Cloud resources.
  - Service Consumer Management API: Must be enabled in the project that Private Service Connect endpoints are deployed in. This API lets Google Cloud create the Network Connectivity Service Account that deploys Private Service Connect endpoints.
- Permissions required for this stage:
  - Compute Network Admin: roles/compute.networkAdmin: Grants full control over VPC networks, subnets, firewall rules, and related resources.
  - Compute Shared VPC Admin: roles/compute.xpnAdmin: Permissions to administer Shared VPC host projects, specifically enabling the host projects and associating Shared VPC service projects to the host project's network.
- ha-vpn.tf:
  - Defines the HA VPN gateway, creating two redundant tunnels for high availability.
  - Configures BGP sessions for dynamic routing between your on-premises network and GCP.
  - Manages custom route advertisement to control traffic flow.
- interconnect.tf:
  - Creates Interconnect attachments (VLAN attachments): Establishes connectivity between your on-premises network and your VPC network.
  - Supports both Dedicated Interconnect and Partner Interconnect: Provides flexibility in choosing the Interconnect type that best suits your needs.
  - Configures VLAN attachments: Sets up the necessary VLAN tags and other parameters for the Interconnect attachment.
  - Connects the Interconnect attachment to your existing VPC network.
  - Creates Cloud Router and BGP peering: Enables dynamic routing between your on-premises network and your VPC network.
- nat.tf: Sets up the Cloud NAT gateway and associates it with the VPC network.
  - Sets up a Cloud NAT gateway to provide internet access for instances in your private subnets.
  - Configures NAT routing to direct outbound traffic to the internet.
- scp.tf: Defines SCPs for provisioning Private Service Connectivity to services like Memorystore for Redis Cluster.
  - Automates private connectivity to a managed service.
- vpc.tf: Creates the VPC network, subnets, and routing configuration.
  - Creates a VPC network with specified subnets and IP ranges.
  - Configures routing tables, including custom routes for PSA if required.
  - Supports Private Service Access (PSA) for private connectivity to Google-managed services.
- locals.tf: Defines local variables for use within the configuration.
- output.tf: Provides outputs for easy access to information about the created resources.
- variables.tf: Defines input variables for customizing the network configuration.
NOTE: If you are creating subnet secondary IP address ranges for Pods and Services for a GKE cluster as a producer, please refer to the official documentation for Pods and Services.
To configure networking.tfvars for your environment, here's an example which can be used for your reference:

```hcl
project_id = "" # Replace with your Google Cloud Project ID
region     = "us-central1" # Specify the region for your resources

## VPC input variables
network_name = "workbench-vpc" # Name of the VPC
subnets = [
  {
    name                  = "workbench-subnet" # Name of the subnet
    ip_cidr_range         = "10.20.0.0/24"     # CIDR range for the subnet
    region                = "us-central1"      # Region for the subnet
    enable_private_access = true               # Enable Private Google Access (required for Workbench)
  }
]

# Configuration for setting up a Shared VPC Host project,
# enabling centralized network management and resource sharing across multiple projects.
shared_vpc_host = false # Set to true if using a Shared VPC Host

## PSC/Service Connectivity Variables
create_scp_policy      = false # Set to true to create a Service Connectivity Policy
subnets_for_scp_policy = []    # List subnets for the SCP policy in the same region

## Cloud NAT input variables
create_nat = true # Set to true to create a Cloud NAT instance

## Cloud HA VPN input variables
create_havpn = false # Set to true to create a High Availability VPN
peer_gateways = {
  default = {
    gcp = "" # Specify the peer VPN gateway, e.g., projects/<peer-project-id>/regions/<region>/vpnGateways/<vpn-name>
  }
}
tunnel_1_router_bgp_session_range = "169.254.1.0/30" # BGP session range for Tunnel 1
tunnel_1_bgp_peer_asn             = 64514            # ASN for Tunnel 1 BGP peer
tunnel_1_bgp_peer_ip_address      = ""               # IP address for Tunnel 1 BGP peer
tunnel_1_shared_secret            = ""               # Shared secret for Tunnel 1
tunnel_2_router_bgp_session_range = "169.254.2.0/30" # BGP session range for Tunnel 2
tunnel_2_bgp_peer_asn             = 64514            # ASN for Tunnel 2 BGP peer
tunnel_2_bgp_peer_ip_address      = ""               # IP address for Tunnel 2 BGP peer
tunnel_2_shared_secret            = ""               # Shared secret for Tunnel 2

## Cloud Interconnect input variables
create_interconnect = false # Set to true to create a Cloud Interconnect
```

NOTE: run the terraform commands with the -var-file referencing the networking.tfvars present under the /configuration folder. Example:

```shell
terraform plan -var-file=../../configuration/networking.tfvars
terraform apply -var-file=../../configuration/networking.tfvars
```

- Initialize: Run `terraform init`.
- Plan: Run `terraform plan -var-file=../../configuration/networking.tfvars` to review the planned changes.
- Apply: If the plan looks good, run `terraform apply -var-file=../../configuration/networking.tfvars` to create or update the resources.
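The tfvars above take several values that Terraform will accept syntactically but that produce a broken or weak deployment: BGP session ranges outside 169.254.0.0/16 or not a /30, a peer IP that is not on the same /30 as the Cloud Router interface, a peer ASN that collides with `router1_asn`, an empty tunnel shared secret, or a subnet that overlaps `psa_range`. The following script is an added example (not part of this stage) that encodes those checks so they run before `terraform plan`. It uses the variable names from networking.tfvars and variables.tf; the sample values are constructed, the `MIN_SECRET_LEN` threshold is an assumption, and loading the real tfvars (for instance with the python-hcl2 package) is left to the caller.

```python
"""Pre-apply sanity checks for networking.tfvars values (added example, not the stage's own code)."""
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")
MIN_SECRET_LEN = 16  # assumption: the page only says the secret is sensitive

# Constructed sample mirroring the page's networking.tfvars (project_id is a placeholder).
GOOD_TFVARS = {
    "project_id": "my-project-id", "region": "us-central1", "network_name": "workbench-vpc",
    "subnets": [{"name": "workbench-subnet", "ip_cidr_range": "10.20.0.0/24",
                 "region": "us-central1", "enable_private_access": True}],
    "create_psa": True, "psa_range": "10.0.64.0/20",
    "create_havpn": True, "router1_asn": 64513,
    "tunnel_1_router_bgp_session_range": "169.254.1.2/30", "tunnel_1_bgp_peer_asn": 64514,
    "tunnel_1_bgp_peer_ip_address": "169.254.1.1", "tunnel_1_shared_secret": "constructed-sample-secret-1",
    "tunnel_2_router_bgp_session_range": "169.254.2.2/30", "tunnel_2_bgp_peer_asn": 64514,
    "tunnel_2_bgp_peer_ip_address": "169.254.2.1", "tunnel_2_shared_secret": "constructed-sample-secret-2",
}
# Same values with five deliberate mistakes, to show what the checks report.
BAD_TFVARS = dict(
    GOOD_TFVARS, project_id="",
    subnets=GOOD_TFVARS["subnets"] + [{"name": "psa-clash", "ip_cidr_range": "10.0.64.0/24",
                                       "region": "us-central1", "enable_private_access": True}],
    tunnel_1_bgp_peer_asn=64513,                         # same ASN as router1_asn
    tunnel_2_router_bgp_session_range="169.254.1.2/30",  # reuses tunnel 1's link
    tunnel_2_bgp_peer_ip_address="169.254.1.1", tunnel_2_shared_secret="",
)


def is_private_asn(asn):
    """RFC 6996 private ASN: 64512-65534 (16-bit) or 4200000000-4294967294 (32-bit)."""
    asn = int(asn)
    return 64512 <= asn <= 65534 or 4200000000 <= asn <= 4294967294


def enabled(value):
    """create_* flags are typed string ("false") in variables.tf but written as bool in tfvars."""
    return str(value).lower() == "true"


def check_subnets(tfvars):
    """Subnets must be RFC 1918 and must not overlap each other or the PSA range."""
    findings, nets = [], []
    for s in tfvars.get("subnets", []):
        net = ipaddress.ip_network(s["ip_cidr_range"])
        if not any(net.subnet_of(p) for p in RFC1918):
            findings.append(f"subnet {s['name']}: {net} is not an RFC 1918 range")
        nets.append((s["name"], net))
    if enabled(tfvars.get("create_psa", True)) and tfvars.get("psa_range"):
        nets.append(("psa_range", ipaddress.ip_network(tfvars["psa_range"])))
    for i, (name_a, a) in enumerate(nets):
        for name_b, b in nets[i + 1:]:
            if a.overlaps(b):
                findings.append(f"{name_a} ({a}) overlaps {name_b} ({b})")
    return findings


def check_tunnel(tfvars, n, router_asn):
    """One HA VPN tunnel: link-local /30 session, peer on that /30, private eBGP peer ASN, secret set."""
    p, findings = f"tunnel_{n}_", []
    iface = ipaddress.ip_interface(tfvars[p + "router_bgp_session_range"])
    net = iface.network
    if net.version != 4 or net.prefixlen != 30 or not net.subnet_of(LINK_LOCAL):
        findings.append(f"tunnel {n}: session range {iface} must be a /30 inside {LINK_LOCAL}")
    if iface.ip in (net.network_address, net.broadcast_address):
        findings.append(f"tunnel {n}: router address {iface.ip} is not a usable host address in {net}")
    try:
        peer_ip = ipaddress.ip_address(tfvars[p + "bgp_peer_ip_address"])
    except ValueError:
        findings.append(f"tunnel {n}: peer IP {tfvars[p + 'bgp_peer_ip_address']!r} is not a valid IP address")
    else:
        if peer_ip.version != 4 or peer_ip not in net or peer_ip == iface.ip:
            findings.append(f"tunnel {n}: peer IP {peer_ip} must be the other usable address in {net}")
    peer_asn = int(tfvars[p + "bgp_peer_asn"])
    if not is_private_asn(peer_asn):
        findings.append(f"tunnel {n}: peer ASN {peer_asn} is not an RFC 6996 private ASN")
    if peer_asn == int(router_asn):
        findings.append(f"tunnel {n}: peer ASN equals router1_asn {router_asn}; Cloud Router peers over eBGP")
    if len(str(tfvars.get(p + "shared_secret", ""))) < MIN_SECRET_LEN:
        findings.append(f"tunnel {n}: shared secret is empty or shorter than {MIN_SECRET_LEN} characters")
    return findings


def check_havpn(tfvars):
    """Run the tunnel checks only when create_havpn is set; both tunnels need distinct /30s."""
    if not enabled(tfvars.get("create_havpn", "false")):
        return []
    router_asn = tfvars.get("router1_asn", 64513)  # default from variables.tf
    findings = check_tunnel(tfvars, 1, router_asn) + check_tunnel(tfvars, 2, router_asn)
    n1 = ipaddress.ip_interface(tfvars["tunnel_1_router_bgp_session_range"]).network
    n2 = ipaddress.ip_interface(tfvars["tunnel_2_router_bgp_session_range"]).network
    if n1.overlaps(n2):
        findings.append(f"tunnels 1 and 2 share the BGP session range {n1}")
    return findings


def validate(tfvars):
    """Return a list of findings; an empty list means every check passed."""
    findings = [] if tfvars.get("project_id") else ["project_id is empty"]
    return findings + check_subnets(tfvars) + check_havpn(tfvars)


if __name__ == "__main__":
    for label, cfg in (("good", GOOD_TFVARS), ("bad", BAD_TFVARS)):
        print(label, validate(cfg) or "ok")
```

Run it as part of the pre-plan step; a non-empty list is a reason to fix the tfvars before `terraform plan`. The peer-IP check assumes the Cloud Router address is the `ip/30` given in `tunnel_N_router_bgp_session_range` (as in the variables.tf defaults `169.254.1.2/30` and `169.254.2.2/30`) and that the peer uses the other usable address on that /30.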
- Dependencies: Ensure that the required GCP services are enabled in your project.
- Resource Names: Choose unique names to avoid conflicts.
- Security: Review the default firewall rules and SCPs to ensure they align with your security requirements.
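The "Security" note above asks for a review of firewall rules and policies before apply, and the plan/apply steps are where that review happens. The script below is an added example (not part of this stage) of a small review gate over a saved plan: run `terraform plan -var-file=../../configuration/networking.tfvars -out=tfplan` followed by `terraform show -json tfplan`, then feed the JSON to `review_plan`. It flags ingress firewall rules open to 0.0.0.0/0, the 0.0.0.0/0 route to the default internet gateway (the page's `google_compute_route.default`), and anything that would be destroyed or replaced. The embedded plan is constructed; the `google_compute_firewall.allow_ssh` entry in it is hypothetical and only there to exercise the firewall check.

```python
"""Plan review gate over `terraform show -json` output (added example, not the stage's own code)."""
import json
import sys

ANY_IPV4 = "0.0.0.0/0"

# Constructed fragment in the `terraform show -json` plan schema (resource_changes only).
SAMPLE_PLAN = {
    "format_version": "1.2",
    "resource_changes": [
        {"address": "module.vpc_network.google_compute_network.network[0]",
         "type": "google_compute_network",
         "change": {"actions": ["create"], "before": None, "after": {"name": "workbench-vpc"}}},
        {"address": "google_compute_route.default[0]",
         "type": "google_compute_route",
         "change": {"actions": ["create"], "before": None,
                    "after": {"name": "default-internet-route", "dest_range": "0.0.0.0/0",
                              "next_hop_gateway": "default-internet-gateway"}}},
        {"address": "google_compute_firewall.allow_ssh",  # hypothetical rule, not on the page
         "type": "google_compute_firewall",
         "change": {"actions": ["create"], "before": None,
                    "after": {"name": "allow-ssh", "direction": "INGRESS",
                              "source_ranges": ["0.0.0.0/0"],
                              "allow": [{"protocol": "tcp", "ports": ["22"]}]}}},
        {"address": "module.nat.google_compute_router_nat.nat",
         "type": "google_compute_router_nat",
         "change": {"actions": ["delete", "create"],
                    "before": {"name": "internet-gateway"}, "after": {"name": "internet-gateway"}}},
    ],
}


def action_summary(plan):
    """Count resource_changes per action; a delete+create pair is reported as 'replace'."""
    summary = {}
    for rc in plan.get("resource_changes", []):
        actions = rc["change"]["actions"]
        key = "replace" if {"create", "delete"} <= set(actions) else actions[0]
        summary[key] = summary.get(key, 0) + 1
    return summary


def review_plan(plan):
    """Return findings that need a human sign-off before `terraform apply`."""
    findings = []
    for rc in plan.get("resource_changes", []):
        actions = set(rc["change"]["actions"])
        after = rc["change"].get("after") or {}  # absent for pure deletes
        if "delete" in actions:
            verb = "replaced" if "create" in actions else "destroyed"
            findings.append(f"{rc['address']} will be {verb}")
        if rc["type"] == "google_compute_firewall" and (after.get("direction") or "INGRESS") == "INGRESS":
            if ANY_IPV4 in (after.get("source_ranges") or []) and after.get("allow"):
                ports = [p for a in after["allow"] for p in (a.get("ports") or ["all"])]
                findings.append(f"{rc['address']} allows ingress from {ANY_IPV4} on ports {', '.join(ports)}")
        if rc["type"] == "google_compute_route" and after.get("dest_range") == ANY_IPV4 \
                and "default-internet-gateway" in str(after.get("next_hop_gateway") or ""):
            findings.append(f"{rc['address']} routes {ANY_IPV4} to the default internet gateway")
    return findings


def main(argv):
    # Usage: python review_plan.py plan.json  (no argument: run against the constructed sample)
    plan = json.load(open(argv[1])) if len(argv) > 1 else SAMPLE_PLAN
    print("actions:", action_summary(plan))
    findings = review_plan(plan)
    for f in findings:
        print("REVIEW:", f)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The exit status makes the script usable as a CI gate between plan and apply: a non-zero exit means someone has to acknowledge the listed findings. Note that the route finding is expected when `delete_default_routes_on_create` is true and the stage recreates the 0.0.0.0/0 route itself; the point is that the reviewer sees it every time rather than that it is always wrong.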
| Name | Version |
|---|---|
| n/a | n/a |
| Name | Source | Version |
|---|---|---|
| havpn | github.com/GoogleCloudPlatform/cloud-foundation-fabric//modules/net-vpn-ha | v36.0.1 |
| nat | github.com/GoogleCloudPlatform/cloud-foundation-fabric//modules/net-cloudnat | v36.0.1 |
| vlan_attachment_a | github.com/GoogleCloudPlatform/cloud-foundation-fabric//modules/net-vlan-attachment | v36.0.1 |
| vlan_attachment_b | github.com/GoogleCloudPlatform/cloud-foundation-fabric//modules/net-vlan-attachment | v36.0.1 |
| vpc_network | ../../modules/net-vpc | n/a |
| Name | Type |
|---|---|
| google_compute_route.default | resource |
| google_compute_router.interconnect-router | resource |
| google_network_connectivity_service_connection_policy.policy | resource |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| admin_enabled | Whether the VLAN attachment is enabled. | bool | true | no |
| advertise_all_subnets | Set to true if all subnets are required to be advertised. | bool | false | no |
| create_first_vc_router | Select 'true' to create a separate router for this VLAN attachment, or 'false' to use the current router configuration. | bool | false | no |
| create_havpn | Set to true to create a Cloud HA VPN. | string | "false" | no |
| create_interconnect | Set to true to create Google Cloud resources for setting up Dedicated Interconnect. | string | "false" | no |
| create_nat | Set to true to create a Cloud NAT. | string | "true" | no |
| create_network | Variable to determine if a new network should be created or not. | bool | true | no |
| create_psa | Set to true to create PSA resources (ranges and connections). | bool | true | no |
| create_scp_policy | Boolean flag to create a service connection policy. Set to true to create a service connection policy. | bool | false | no |
| create_second_vc_router | Select 'true' to create a separate router for this VLAN attachment, or 'false' to use the current router configuration. | bool | false | no |
| create_subnetwork | Variable to determine if a new subnetwork should be created or not. | bool | true | no |
| delete_default_routes_on_create | Set to true to delete the default routes at creation time. | bool | true | no |
| deletion_policy | The deletion policy for the service networking connection. Setting to ABANDON allows the resource to be abandoned rather than deleted. This will enable a successful terraform destroy when destroying Cloud SQL instances. Use with care as it can lead to dangling resources. | string | null | no |
| destination_range | The destination range of outgoing packets that this route applies to. Only IPv4 is supported. | string | "0.0.0.0/0" | no |
| export_custom_routes | Whether to export the custom routes to the peer network. | bool | true | no |
| firewall_policy_enforcement_order | Order in which Firewall Rules and Firewall Policies are evaluated. Can be either 'BEFORE_CLASSIC_FIREWALL' or 'AFTER_CLASSIC_FIREWALL'. | string | "AFTER_CLASSIC_FIREWALL" | no |
| first_interconnect_name | Name of the first Interconnect object. This will be used to populate the URL of the underlying Interconnect object that this attachment's traffic will traverse. | string | "" | no |
| first_va_asn | (Required) Local BGP Autonomous System Number (ASN). Must be an RFC 6996 private ASN, either 16-bit or 32-bit. The value will be fixed for this router resource. | string | "" | no |
| first_va_bandwidth | Provisioned bandwidth capacity for the first interconnect attachment. | string | "BPS_1G" | no |
| first_va_bgp_range | Up to 16 candidate prefixes that can be used to restrict the allocation of cloudRouterIpAddress and customerRouterIpAddress for this attachment. All prefixes must be within link-local address space (169.254.0.0/16) and must be /29 or shorter (/28, /27, etc). | string | "" | no |
| first_va_description | The description of the first interconnect attachment. | string | "interconnect-a vlan attachment 0" | no |
| first_va_name | The name of the first interconnect attachment. | string | "dedicated-ic-vlan-attachment-3" | no |
| first_vlan_tag | The IEEE 802.1Q VLAN tag for this attachment, in the range 2-4094. | number | null | no |
| ha_vpn_gateway1_name | VPN Gateway name and prefix used for dependent resources. | string | "vpn1" | no |
| ic_router_advertise_groups | User-specified list of prefix groups to advertise in custom mode. This field can only be populated if advertiseMode is CUSTOM and is advertised to all peers of the router. | list(string) | [ | no |
| ic_router_advertise_mode | User-specified flag to indicate which mode to use for advertisement. Default value is DEFAULT. Possible values are: DEFAULT, CUSTOM. | string | "CUSTOM" | no |
| ic_router_bgp_asn | Local BGP Autonomous System Number (ASN). Must be an RFC 6996 private ASN, either 16-bit or 32-bit. The value will be fixed for this router resource. | string | "" | no |
| ic_router_name | Name of the interconnect router. | string | "interconnect-router" | no |
| import_custom_routes | Whether to import the custom routes to the peer network. | bool | true | no |
| interconnect_project_id | The ID of the project in which the resource (physical connection at the colocation facility) belongs. | string | "" | no |
| nat_name | Name of the Cloud NAT to be created. | string | "internet-gateway" | no |
| network_name | Name of the VPC network to be created if var.create_network is marked as true, or name of the already existing network if var.create_network is false. | string | n/a | yes |
| next_hop_gateway | URL to a gateway that should handle matching packets. Currently, you can only specify the internet gateway, using a full or partial valid URL. | string | "default-internet-gateway" | no |
| peer_gateways | Configuration of the (external or GCP) peer gateway. | map(object({ | {} | no |
| project_id | The project ID of the Google Cloud project where the VPC will be created. | string | n/a | yes |
| psa_range | Variable to describe the CIDR range required by the PSA/Service Networking. | string | "10.0.64.0/20" | no |
| psa_range_name | Variable to describe the name of the CIDR range required by the PSA/Service Networking. | string | "psarange" | no |
| region | Name of a Google Cloud region. | string | n/a | yes |
| router1_asn | ASN number required for router1. | number | 64513 | no |
| scp_connection_limit | Limit of the total number of connections to be allowed through the policy. | string | 5 | no |
| second_interconnect_name | Name of the second Interconnect object. This will be used to populate the URL of the underlying Interconnect object that this attachment's traffic will traverse. | string | "" | no |
| second_va_asn | (Required) Local BGP Autonomous System Number (ASN). Must be an RFC 6996 private ASN, either 16-bit or 32-bit. The value will be fixed for this router resource. | string | "" | no |
| second_va_bandwidth | Provisioned bandwidth capacity for the second interconnect attachment. | string | "BPS_1G" | no |
| second_va_bgp_range | Up to 16 candidate prefixes that can be used to restrict the allocation of cloudRouterIpAddress and customerRouterIpAddress for this attachment. All prefixes must be within link-local address space (169.254.0.0/16) and must be /29 or shorter (/28, /27, etc). | string | "" | no |
| second_va_description | The description of the second interconnect attachment. | string | "interconnect-b vlan attachment 1" | no |
| second_va_name | The name of the second interconnect attachment. | string | "dedicated-ic-vlan-attachment-4" | no |
| second_vlan_tag | The IEEE 802.1Q VLAN tag for this attachment, in the range 2-4094. | number | null | no |
| service_class | Allowed service class (static). | string | "gcp-memorystore-redis" | no |
| shared_vpc_host | Enable Shared VPC for this project. | bool | false | no |
| shared_vpc_service_projects | Shared VPC service projects to register with this host. | list(string) | [] | no |
| subnets | Subnet configuration. | list(object({ | [] | no |
| subnets_for_scp_policy | List of subnet names to apply the SCP policy to. | list(string) | [ | no |
| tunnel_1_bgp_peer_asn | Peer BGP Autonomous System Number (ASN). | number | n/a | yes |
| tunnel_1_bgp_peer_ip_address | Peer IP address of the BGP interface outside Google Cloud. Only IPv4 is supported. | string | n/a | yes |
| tunnel_1_gateway_interface | The interface ID of the VPN gateway with which this VPN tunnel is associated. | number | 0 | no |
| tunnel_1_router_bgp_session_range | IP address and range of the interface. | string | "169.254.1.2/30" | no |
| tunnel_1_shared_secret | Shared secret used to set the secure session between the Cloud VPN gateway and the peer VPN gateway. Note: This property is sensitive and should be preserved carefully. | string | n/a | yes |
| tunnel_2_bgp_peer_asn | Peer BGP Autonomous System Number (ASN). | number | n/a | yes |
| tunnel_2_bgp_peer_ip_address | Peer IP address of the BGP interface outside Google Cloud. Only IPv4 is supported. | string | n/a | yes |
| tunnel_2_gateway_interface | The interface ID of the VPN gateway with which this VPN tunnel is associated. | number | 1 | no |
| tunnel_2_router_bgp_session_range | IP address and range of the interface. | string | "169.254.2.2/30" | no |
| tunnel_2_shared_secret | Shared secret used to set the secure session between the Cloud VPN gateway and the peer VPN gateway. Note: This property is sensitive and should be preserved carefully. | string | n/a | yes |
| user_specified_ip_range | User-specified list of individual IP ranges to advertise in custom mode. This range specifies the Google private API address. | list(string) | [ | no |
| Name | Description |
|---|---|
| name | Name of the VPC network. |
| network_id | Fully qualified network ID. |
| service_connection_policy_details | Detailed information about each service connection policy |
| service_connection_policy_ids | Map of service class to service connection policy IDs |
| subnet_ids | Map of subnet IDs keyed by name. |
| subnet_self_links_for_scp_policy | The self-links of the subnets where the SCP policy is applied. |
| vpc_networks | Complete details of the VPC network. |