Network Connectivity Center module #1219
Merged 41 commits, Mar 9, 2023
Changes from 19 commits

41 commits
02707eb  Initial commit for NCC module  (juliodiez, Mar 6, 2023)
e835730  Add router BGP peers  (juliodiez, Mar 6, 2023)
25b1446  Simplify some naming  (juliodiez, Mar 6, 2023)
6567164  Make optional some router config fields  (juliodiez, Mar 6, 2023)
69493d8  Add README with first example  (juliodiez, Mar 6, 2023)
0f4919a  Add image for site to VPC example  (juliodiez, Mar 6, 2023)
71cb18f  Replace map key derived from resource attributes  (juliodiez, Mar 7, 2023)
e7963eb  Set a unique name to spokes  (juliodiez, Mar 7, 2023)
87107ba  Set a unique name to CRs linked to spokes  (juliodiez, Mar 7, 2023)
449f5cb  Adapt example to use only allowed chars for resource names  (juliodiez, Mar 7, 2023)
76972d5  Add example of site to two VPCs  (juliodiez, Mar 7, 2023)
3e0a8c4  Add image for site to two VPCs example  (juliodiez, Mar 7, 2023)
58c90fe  Add example of load-balanced router appliances  (juliodiez, Mar 7, 2023)
9b5bc40  Add image for load-balanced router appliances example  (juliodiez, Mar 7, 2023)
94f3a08  Add example of custom route advertisements  (juliodiez, Mar 7, 2023)
ac224ad  Add tftest to README  (juliodiez, Mar 7, 2023)
d9eaa59  Generated variable table via tfdoc  (juliodiez, Mar 7, 2023)
5374c0e  Merge pull request #15 from GoogleCloudPlatform/master  (juliodiez, Mar 7, 2023)
6eb82a2  Merge pull request #16 from juliodiez/master  (juliodiez, Mar 7, 2023)
2f64fcd  Reimplement the module to manage only one spoke  (juliodiez, Mar 8, 2023)
d5d7431  Make custom_advertise optional  (juliodiez, Mar 8, 2023)
81121f4  data_transfer default to false  (juliodiez, Mar 8, 2023)
0da0f33  Make keepalive optional  (juliodiez, Mar 8, 2023)
1b4ba11  Make IPs for the CR interfaces optional  (juliodiez, Mar 8, 2023)
34c6a6a  Make creation of the hub optional  (juliodiez, Mar 8, 2023)
6196851  Output the name of the hub if created  (juliodiez, Mar 8, 2023)
6253950  Update README for the new implementation  (juliodiez, Mar 8, 2023)
93bb809  Rename module net-ncc -> ncc-spoke-ra  (juliodiez, Mar 8, 2023)
96f35c5  Fix README variables to pass pytest  (juliodiez, Mar 8, 2023)
5489162  Merge branch 'master' into ncc  (ludoo, Mar 8, 2023)
e9312e4  var ras -> router_appliances  (juliodiez, Mar 9, 2023)
b25ee97  Group vpc and subnet under vpc_config  (juliodiez, Mar 9, 2023)
84d3b83  Group router information under router_config  (juliodiez, Mar 9, 2023)
eef6a48  Make ip_interfaceX not optional  (juliodiez, Mar 9, 2023)
7e6635f  Alphabetical order and better naming  (juliodiez, Mar 9, 2023)
0cf254f  Update variable and output tables  (juliodiez, Mar 9, 2023)
3e85175  Adapt README examples to the variables config  (juliodiez, Mar 9, 2023)
7eb9fbf  Merge branch 'master' into ncc  (juliodiez, Mar 9, 2023)
f82b528  Change semantics of custom_advertise  (juliodiez, Mar 9, 2023)
d0f346f  Add resources created as outputs  (juliodiez, Mar 9, 2023)
ff8f737  Merge branch 'master' into ncc  (juliodiez, Mar 9, 2023)
332 changes: 332 additions & 0 deletions modules/net-ncc/README.md
@@ -0,0 +1,332 @@
# Network Connectivity Center Module

This module allows the creation and management of an NCC-based hub-and-spoke architecture. It focuses in site-to-cloud connectivity with network virtual appliances (NVAs) as the _backing resource_ for spokes. This allows to connect an external network to Google Cloud by using a SD-WAN router or another appliance with BGP capabilities. It does not handle site-to-site data transfer which is not available in all regions, in particular in EMEA.

The module can manage a hub, multiple spokes, and corresponding Cloud Routers and BGP sessions to network virtual appliances. The NVAs themselves, VPCs, and other Google Cloud resources should be managed externally.

## Examples

### Connect a site to a VPC network

In this example a router appliance connects with a peer router in an on-premises network, and also peers with a Cloud Router.

<p align="center"> <img src="images/site-to-vpc.png" width="600"> </p>

```hcl
module "vpc" {
source = "./fabric/modules/net-vpc"
project_id = "my-project"
name = "network-a"
subnets = [
{
name = "subnet-a"
ip_cidr_range = "10.1.3.0/24"
region = "us-central1"
}
]
}

module "nva1" {
source = "./fabric/modules/compute-vm"
project_id = "my-project"
zone = "us-central1-a"
name = "router-app-a"
network_interfaces = [{
network = module.vpc.self_link
subnetwork = module.vpc.subnet_self_links["us-central1/subnet-a"]
addresses = { external = null, internal = "10.1.3.8" }
}]
can_ip_forward = true
}

module "ncc" {
source = "./fabric/modules/net-ncc"
asn = 65000
name = "ncc-hub"
project_id = "my-project"
spokes = {
spoke-a = {
vpc = module.vpc.name
region = "us-central1"
subnetwork = module.vpc.subnet_self_links["us-central1/subnet-a"]
nvas = [
{
vm = module.nva1.self_link
ip = module.nva1.internal_ip
}
]
router = {
ip1 = "10.1.3.14"
ip2 = "10.1.3.15"
peer_asn = 65001
}
}
}
}
# tftest modules=3 resources=10
```

### Connect a site to two VPC networks

In the following topology, a router appliance instance has interfaces in two VPC networks. Each interface has been used to create a Router appliance spoke.

<p align="center"> <img src="images/site-to-two-vpcs.png" width="600"> </p>

```hcl
module "vpc-a" {
source = "./fabric/modules/net-vpc"
project_id = "my-project"
name = "network-a"
subnets = [
{
name = "subnet-a"
ip_cidr_range = "10.1.3.0/24"
region = "us-central1"
}
]
}

module "vpc-b" {
source = "./fabric/modules/net-vpc"
project_id = "my-project"
name = "network-b"
subnets = [
{
name = "subnet-b"
ip_cidr_range = "192.168.10.0/24"
region = "us-central1"
}
]
}

module "nva1" {
source = "./fabric/modules/compute-vm"
project_id = "my-project"
zone = "us-central1-a"
name = "router-app-a"
network_interfaces = [
{
network = module.vpc-a.self_link
subnetwork = module.vpc-a.subnet_self_links["us-central1/subnet-a"]
addresses = { external = null, internal = "10.1.3.8" }
},
{
network = module.vpc-b.self_link
subnetwork = module.vpc-b.subnet_self_links["us-central1/subnet-b"]
addresses = { external = null, internal = "192.168.10.3" }
}
]
can_ip_forward = true
}

module "ncc" {
source = "./fabric/modules/net-ncc"
asn = 65000
name = "ncc-hub"
project_id = "my-project"
spokes = {
spoke-a = {
vpc = module.vpc-a.name
region = "us-central1"
subnetwork = module.vpc-a.subnet_self_links["us-central1/subnet-a"]
nvas = [
{
vm = module.nva1.self_link
ip = module.nva1.internal_ips[0]
}
]
router = {
ip1 = "10.1.3.14"
ip2 = "10.1.3.15"
peer_asn = 65001
}
},
spoke-b = {
vpc = module.vpc-b.name
region = "us-central1"
subnetwork = module.vpc-b.subnet_self_links["us-central1/subnet-b"]
nvas = [
{
vm = module.nva1.self_link
ip = module.nva1.internal_ips[1]
}
]
router = {
ip1 = "192.168.10.14"
ip2 = "192.168.10.15"
peer_asn = 65001
}
}
}
}
# tftest modules=4 resources=18
```

### Using load-balanced router appliances

The following topology shows a site that uses load-balanced router appliance instances to connect to Google Cloud. Both router appliance instances are backing resources for the same spoke.

<p align="center"> <img src="images/load-balanced-router-appliances.png" width="600"> </p>

```hcl
module "vpc" {
source = "./fabric/modules/net-vpc"
project_id = "my-project"
name = "network-a"
subnets = [
{
name = "subnet-a-1"
ip_cidr_range = "10.0.1.0/24"
region = "us-west1"
}
]
}

module "nva1" {
source = "./fabric/modules/compute-vm"
project_id = "my-project"
zone = "us-west1-a"
name = "router-app-a"
network_interfaces = [{
network = module.vpc.self_link
subnetwork = module.vpc.subnet_self_links["us-west1/subnet-a-1"]
addresses = { external = null, internal = "10.0.1.10" }
}]
can_ip_forward = true
}

module "nva2" {
source = "./fabric/modules/compute-vm"
project_id = "my-project"
zone = "us-west1-b"
name = "router-app-b"
network_interfaces = [{
network = module.vpc.self_link
subnetwork = module.vpc.subnet_self_links["us-west1/subnet-a-1"]
addresses = { external = null, internal = "10.0.1.11" }
}]
can_ip_forward = true
}

module "ncc" {
source = "./fabric/modules/net-ncc"
asn = 65000
name = "ncc-hub"
project_id = "my-project"
spokes = {
spoke-a = {
vpc = module.vpc.name
region = "us-west1"
subnetwork = module.vpc.subnet_self_links["us-west1/subnet-a-1"]
nvas = [
{
vm = module.nva1.self_link
ip = module.nva1.internal_ip
},
{
vm = module.nva2.self_link
ip = module.nva2.internal_ip
}
]
router = {
ip1 = "10.0.1.5"
ip2 = "10.0.1.6"
peer_asn = 65001
}
}
}
}
# tftest modules=4 resources=13
```

It is possible to add custom route advertisements. For example, suppose the VPC network-a is peered to another VPC network-b using the CIDR range 10.10.0.0/24. If you want to reach this VPC network-b from the on-premises network you should advertise its range to the router appliances:

```hcl
module "vpc" {
source = "./fabric/modules/net-vpc"
project_id = "my-project"
name = "network-a"
subnets = [
{
name = "subnet-a-1"
ip_cidr_range = "10.0.1.0/24"
region = "us-west1"
}
]
}

module "nva1" {
source = "./fabric/modules/compute-vm"
project_id = "my-project"
zone = "us-west1-a"
name = "router-app-a"
network_interfaces = [{
network = module.vpc.self_link
subnetwork = module.vpc.subnet_self_links["us-west1/subnet-a-1"]
addresses = { external = null, internal = "10.0.1.10" }
}]
can_ip_forward = true
}

module "nva2" {
source = "./fabric/modules/compute-vm"
project_id = "my-project"
zone = "us-west1-b"
name = "router-app-b"
network_interfaces = [{
network = module.vpc.self_link
subnetwork = module.vpc.subnet_self_links["us-west1/subnet-a-1"]
addresses = { external = null, internal = "10.0.1.11" }
}]
can_ip_forward = true
}

module "ncc" {
source = "./fabric/modules/net-ncc"
asn = 65000
name = "ncc-hub"
project_id = "my-project"
spokes = {
spoke-a = {
vpc = module.vpc.name
region = "us-west1"
subnetwork = module.vpc.subnet_self_links["us-west1/subnet-a-1"]
nvas = [
{
vm = module.nva1.self_link
ip = module.nva1.internal_ip
},
{
vm = module.nva2.self_link
ip = module.nva2.internal_ip
}
]
router = {
custom_advertise = {
all_subnets = true
ip_ranges = {
"peered-vpc-b" = "10.10.0.0/24"
}
}
ip1 = "10.0.1.5"
ip2 = "10.0.1.6"
peer_asn = 65001
}
}
}
}
# tftest modules=4 resources=13
```
<!-- BEGIN TFDOC -->

## Variables

| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
| [asn](variables.tf#L17) | ASN for all CRs in the hub. | <code>number</code> | ✓ | |
| [name](variables.tf#L28) | The name of the NCC hub being created. | <code>string</code> | ✓ | |
| [project_id](variables.tf#L33) | The ID of the project where the NCC hub & spokes will be created. | <code>string</code> | ✓ | |
| [spokes](variables.tf#L38) | List of NCC spokes. | <code title="map&#40;object&#40;&#123;&#10; vpc &#61; string&#10; region &#61; string&#10; subnetwork &#61; string &#35; URI&#10; nvas &#61; list&#40;object&#40;&#123;&#10; vm &#61; string &#35; URI&#10; ip &#61; string&#10; &#125;&#41;&#41;&#10; router &#61; object&#40;&#123;&#10; custom_advertise &#61; optional&#40;object&#40;&#123;&#10; all_subnets &#61; bool&#10; ip_ranges &#61; map&#40;string&#41; &#35; map of descriptions and address ranges&#10; &#125;&#41;&#41;&#10; ip1 &#61; string&#10; ip2 &#61; string&#10; keepalive &#61; optional&#40;number&#41;&#10; peer_asn &#61; number&#10; &#125;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | ✓ | |
| [description](variables.tf#L22) | An optional description of the NCC hub. | <code>string</code> | | <code>&#34;Terraform-managed.&#34;</code> |

<!-- END TFDOC -->
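Review bot: The `spokes` row in the Variables table says "List of NCC spokes." but its type is `map(object({...}))`, and every example passes it as a map keyed by spoke name (`spoke-a = { ... }`); the description should say it is a map keyed by spoke name so readers do not try to pass a list. In the same type, `keepalive` and the `ip1`/`ip2` attributes under `router` are never explained in the README text (the commit "Make IPs for the CR interfaces optional" indicates ip1/ip2 are the Cloud Router interface addresses in the spoke subnet, and the examples use two addresses from that subnet, but the document should say so). The TFDOC block also contains only a Variables section and no Outputs, so a user cannot see what the module exposes for the hub, spokes and Cloud Routers it creates. Two wording fixes in the intro paragraph: "It focuses in site-to-cloud connectivity" should read "focuses on", and "This allows to connect an external network" should read "This allows connecting an external network".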
Binary file added modules/net-ncc/images/site-to-two-vpcs.png
Binary file added modules/net-ncc/images/site-to-vpc.png