# An example of how to connect two GCE networks with a site-to-site IPsec VPN.
# Each network gets a Cloud VPN gateway, a static external IP, the forwarding
# rules IPsec needs (ESP, UDP/500, UDP/4500), one tunnel, a route to the peer
# range and firewall rules. var.project, var.region1 and var.region2 are
# referenced here and expected to be declared elsewhere in the module.

# The provider authenticates with a service-account key file. That key is a
# long-lived credential: keep it out of the repository, restrict its file
# permissions, and grant the service account only the compute permissions
# this configuration needs. Newer provider releases replaced account_file
# with `credentials` and also honour GOOGLE_CREDENTIALS, which avoids a key
# file on disk entirely.
provider "google" {
  project      = "${var.project}"
  region       = "${var.region1}"
  account_file = "${file("~/gce/account.json")}"
}

# Create the two networks we want to join. They must have separate,
# non-overlapping internal ranges, because each side later routes the
# other's entire range through the tunnel. ipv4_range declares a legacy
# (non-subnetwork) network.
resource "google_compute_network" "network1" {
  ipv4_range = "10.120.0.0/16"
  name       = "network1"
}

# Second network; 10.121.0.0/16 does not overlap network1's 10.120.0.0/16.
resource "google_compute_network" "network2" {
  ipv4_range = "10.121.0.0/16"
  name       = "network2"
}

# Attach a VPN gateway to each network. Networks are global, but a gateway
# is regional, so each one is pinned to its region variable.
resource "google_compute_vpn_gateway" "target_gateway1" {
  region  = "${var.region1}"
  network = "${google_compute_network.network1.self_link}"
  name    = "vpn1"
}

# Gateway for network2, in region2.
resource "google_compute_vpn_gateway" "target_gateway2" {
  region  = "${var.region2}"
  network = "${google_compute_network.network2.self_link}"
  name    = "vpn2"
}

# Create an outward-facing static IP for each VPN that the other VPN will
# use as its peer_ip. A reserved address is required so the peer does not
# change if the gateway is recreated.
resource "google_compute_address" "vpn_static_ip1" {
  region = "${var.region1}"
  name   = "vpn-static-ip1"
}

# Static external address for gateway2.
resource "google_compute_address" "vpn_static_ip2" {
  region = "${var.region2}"
  name   = "vpn-static-ip2"
}

# Forward IPsec traffic arriving at our static IP to our VPN gateway.
# ESP (IP protocol 50) carries the encrypted tunnel payload. A forwarding
# rule has no source restriction, so any host on the Internet can reach the
# gateway on this protocol; authentication is left to IKE and the tunnel's
# pre-shared key.
resource "google_compute_forwarding_rule" "fr1_esp" {
  name        = "fr1-esp"
  region      = "${var.region1}"
  target      = "${google_compute_vpn_gateway.target_gateway1.self_link}"
  ip_address  = "${google_compute_address.vpn_static_ip1.address}"
  ip_protocol = "ESP"
}

# ESP forwarding for gateway2.
resource "google_compute_forwarding_rule" "fr2_esp" {
  name        = "fr2-esp"
  region      = "${var.region2}"
  target      = "${google_compute_vpn_gateway.target_gateway2.self_link}"
  ip_address  = "${google_compute_address.vpn_static_ip2.address}"
  ip_protocol = "ESP"
}

# The following two sets of forwarding rules carry IPsec's control traffic:
# UDP/500 is IKE (key negotiation) and UDP/4500 is IKE and ESP encapsulated
# for NAT traversal. Like the ESP rules they accept traffic from any source;
# the pre-shared key is what gates a successful negotiation.
resource "google_compute_forwarding_rule" "fr1_udp500" {
  name        = "fr1-udp500"
  region      = "${var.region1}"
  target      = "${google_compute_vpn_gateway.target_gateway1.self_link}"
  ip_address  = "${google_compute_address.vpn_static_ip1.address}"
  ip_protocol = "UDP"
  port_range  = "500"
}

# IKE (UDP/500) forwarding for gateway2.
resource "google_compute_forwarding_rule" "fr2_udp500" {
  name        = "fr2-udp500"
  region      = "${var.region2}"
  target      = "${google_compute_vpn_gateway.target_gateway2.self_link}"
  ip_address  = "${google_compute_address.vpn_static_ip2.address}"
  ip_protocol = "UDP"
  port_range  = "500"
}

# NAT-T (UDP/4500) forwarding for gateway1.
resource "google_compute_forwarding_rule" "fr1_udp4500" {
  name        = "fr1-udp4500"
  region      = "${var.region1}"
  target      = "${google_compute_vpn_gateway.target_gateway1.self_link}"
  ip_address  = "${google_compute_address.vpn_static_ip1.address}"
  ip_protocol = "UDP"
  port_range  = "4500"
}

# NAT-T (UDP/4500) forwarding for gateway2.
resource "google_compute_forwarding_rule" "fr2_udp4500" {
  name        = "fr2-udp4500"
  region      = "${var.region2}"
  target      = "${google_compute_vpn_gateway.target_gateway2.self_link}"
  ip_address  = "${google_compute_address.vpn_static_ip2.address}"
  ip_protocol = "UDP"
  port_range  = "4500"
}

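# Both tunnel ends must present the same IKE pre-shared key. The original
# hard-coded a short, guessable literal ("a secret message") in both
# resources; any peer that reaches the gateway's IKE forwarding rules could
# try it. The key now comes from a single variable, which keeps it out of
# version control and guarantees the two sides match. Supply it via -var or
# an uncommitted .tfvars file and use a long random value (32+ bytes from a
# CSPRNG). It deliberately has no default. Note that Terraform still records
# the value in terraform.tfstate, so protect the state file accordingly.
variable "vpn_shared_secret" {
  description = "IKE pre-shared key used by both ends of the VPN (tunnel1 and tunnel2)"
}

# Each tunnel is responsible for encrypting and decrypting traffic entering
# and leaving its associated gateway. tunnel1 terminates on gateway1 and
# peers with network2's static IP; tunnel2 is the mirror image. depends_on
# forces the gateway's ESP/UDP forwarding rules to exist before the tunnel
# is created.
resource "google_compute_vpn_tunnel" "tunnel1" {
  name               = "tunnel1"
  region             = "${var.region1}"
  peer_ip            = "${google_compute_address.vpn_static_ip2.address}"
  shared_secret      = "${var.vpn_shared_secret}"
  target_vpn_gateway = "${google_compute_vpn_gateway.target_gateway1.self_link}"
  depends_on         = ["google_compute_forwarding_rule.fr1_udp500",
                        "google_compute_forwarding_rule.fr1_udp4500",
                        "google_compute_forwarding_rule.fr1_esp"]
}

resource "google_compute_vpn_tunnel" "tunnel2" {
  name               = "tunnel2"
  region             = "${var.region2}"
  peer_ip            = "${google_compute_address.vpn_static_ip1.address}"
  shared_secret      = "${var.vpn_shared_secret}"
  target_vpn_gateway = "${google_compute_vpn_gateway.target_gateway2.self_link}"
  depends_on         = ["google_compute_forwarding_rule.fr2_udp500",
                        "google_compute_forwarding_rule.fr2_udp4500",
                        "google_compute_forwarding_rule.fr2_esp"]
}
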
# Each route tells its network to send all traffic for dest_range (the peer
# network's whole range) through the VPN tunnel. Priority 1000 is the GCE
# default; a lower number would win over conflicting routes.
resource "google_compute_route" "route1" {
  name                = "route1"
  network             = "${google_compute_network.network1.name}"
  dest_range          = "${google_compute_network.network2.ipv4_range}"
  next_hop_vpn_tunnel = "${google_compute_vpn_tunnel.tunnel1.self_link}"
  priority            = 1000
}

# Mirror route: network2 reaches network1's range via tunnel2.
resource "google_compute_route" "route2" {
  name                = "route2"
  network             = "${google_compute_network.network2.name}"
  dest_range          = "${google_compute_network.network1.ipv4_range}"
  next_hop_vpn_tunnel = "${google_compute_vpn_tunnel.tunnel2.self_link}"
  priority            = 1000
}

# We want to allow the two networks to communicate, so we need to unblock
# them in the firewall: a newly created network has no allow rules, so GCE's
# implied deny blocks all ingress until rules like these exist.
#
# Review notes: these rules open every tcp and udp port (no `ports` list) to
# every instance in the network (no target_tags) -- tighten both outside a
# demo. Only network1 is opened in this file; network2 gets no rules, so
# instances there will not accept traffic from network1 until mirror rules
# are added on network2.
resource "google_compute_firewall" "network1-allow-network1" {
  name    = "network1-allow-network1"
  network = "${google_compute_network.network1.name}"

  # Intra-network traffic: anything sourced from network1's own range.
  source_ranges = ["${google_compute_network.network1.ipv4_range}"]

  allow {
    protocol = "icmp"
  }

  allow {
    protocol = "udp"
  }

  allow {
    protocol = "tcp"
  }
}

# Ingress into network1 from network2's range, i.e. traffic that arrived
# over the VPN. Scoping source_ranges to the peer range (rather than
# 0.0.0.0/0) is what keeps this from exposing the instances to the Internet;
# all tcp/udp ports are still open and no target_tags narrow the instances,
# so restrict further for anything beyond a demo.
resource "google_compute_firewall" "network1-allow-network2" {
  name    = "network1-allow-network2"
  network = "${google_compute_network.network1.name}"

  source_ranges = ["${google_compute_network.network2.ipv4_range}"]

  allow {
    protocol = "icmp"
  }

  allow {
    protocol = "udp"
  }

  allow {
    protocol = "tcp"
  }
}