VPN

This module makes it easy to deploy either GCP-to-GCP or GCP-to-On-prem VPN using Cloud HA VPN including HA VPN Gateway itself. VPN includes one or more VPN instances (connections).

Each created VPN instance is represented by 1..4 VPN tunnels that taget remote VPN gateway(s) located in a single remote location. Remote VPN gateway(s) might have singe IP address (redundancy_type = "SINGLE_IP_INTERNALLY_REDUNDANT") or 2 IP addresses (redundancy_type = "TWO_IPS_REDUNDANCY").

Example

data "google_compute_network" "test" {
  name    = "<network_name>"
  project = "<project_id>"
}

module "vpn" {
  source = "../../../modules/vpn"

  project = "<project_id>"
  region  = "us-central1"

  vpn_gateway_name = "my-test-gateway"
  router_name      = "my-test-router"
  network          = data.google_compute_network.test.self_link

  vpn_config = {
    router_asn    = 65000
    local_network = "vpc-vpn"

    router_advertise_config = {
      ip_ranges = {
        "10.10.0.0/16" : "GCP range 1"
      }
      mode   = "CUSTOM"
      groups = null
    }

    instances = {
      vpn-to-onprem1 = {
        name = "vpn-to-onprem1",
        peer_external_gateway = {
          redundancy_type = "SINGLE_IP_INTERNALLY_REDUNDANT"
          interfaces = [{
            id         = 0
            ip_address = "1.1.1.1"
          }]
        },
        tunnels = {
          remote0 = {
            bgp_peer = {
              address = "169.254.1.2"
              asn     = 65001
            }
            bgp_peer_options                = null
            bgp_session_range               = "169.254.1.1/30"
            ike_version                     = 2
            vpn_gateway_interface           = 0
            peer_external_gateway_interface = 0
            shared_secret                   = "secret"
          }
          remote1 = {
            bgp_peer = {
              address = "169.254.1.6"
              asn     = 65001
            }
            bgp_peer_options                = null
            bgp_session_range               = "169.254.1.5/30"
            ike_version                     = 2
            vpn_gateway_interface           = 1
            peer_external_gateway_interface = null
            shared_secret                   = "secret"
          }
        }
      }
      vpn-to-onprem2 = {
        name = "vpn-to-onprem2",
        peer_external_gateway = {
          redundancy_type = "TWO_IPS_REDUNDANCY"
          interfaces = [{
            id         = 0
            ip_address = "3.3.3.3"
            }, {
            id         = 1
            ip_address = "4.4.4.4"
          }]
        },
        tunnels = {
          remote0 = {
            bgp_peer = {
              address = "169.254.2.2"
              asn     = 65002
            }
            bgp_peer_options                = null
            bgp_session_range               = "169.254.2.1/30"
            ike_version                     = 2
            vpn_gateway_interface           = 0
            peer_external_gateway_interface = 0
            shared_secret                   = "secret"
          }
          remote1 = {
            bgp_peer = {
              address = "169.254.2.6"
              asn     = 65002
            }
            bgp_peer_options                = null
            bgp_session_range               = "169.254.2.5/30"
            ike_version                     = 2
            vpn_gateway_interface           = 1
            peer_external_gateway_interface = 1
            shared_secret                   = "secret"
          }
        }
      }
      vpn-to-gcp = {
        name = "vpn-to-gcp",

        peer_gcp_gateway = "https://www.googleapis.com/compute/v1/projects/<remote_project_id>/regions/<region>/vpnGateways/<remote_vpn_gw_name>"

        tunnels = {
          remote0 = {
            bgp_peer = {
              address = "169.254.3.2"
              asn     = 65003
            }
            bgp_peer_options                = null
            bgp_session_range               = "169.254.3.1/30"
            ike_version                     = 2
            vpn_gateway_interface           = 0
            peer_external_gateway_interface = null
            shared_secret                   = "secret"
          }
          remote1 = {
            bgp_peer = {
              address = "169.254.3.6"
              asn     = 65003
            }
            bgp_peer_options                = null
            bgp_session_range               = "169.254.3.5/30"
            ike_version                     = 2
            vpn_gateway_interface           = 1
            peer_external_gateway_interface = 1
            shared_secret                   = "secret"
          }
        }
      }
    }
  }
}

Reference

Requirements

Name	Version
terraform	>= 1.3, < 2.0
google	>= 4.58

Providers

Name	Version
google	>= 4.58
google-beta	n/a
random	n/a

Modules

No modules.

Resources

Name	Type
google-beta_google_compute_vpn_tunnel.tunnels	resource
google_compute_external_vpn_gateway.external_gateway	resource
google_compute_ha_vpn_gateway.ha_gateway	resource
google_compute_router.router	resource
google_compute_router_interface.router_interface	resource
google_compute_router_peer.bgp_peer	resource
random_id.secret	resource

Inputs

Name	Description	Type	Default	Required
labels	Labels for VPN components	`map(string)`	`{}`	no
network	VPC network ID that should be used for deployment	`string`	n/a	yes
project	n/a	`string`	`null`	no
region	Region to deploy VPN gateway in	`string`	n/a	yes
router_name	Cloud router name. The router is created by the module	`string`	`null`	no
vpn_config	VPN configuration from GCP to on-prem or from GCP to GCP. If you'd like secrets to be randomly generated set `shared_secret` to empty string (""). Example:vpn_config = { router_asn = 65000 local_network = "vpc-vpn" router_advertise_config = { ip_ranges = { "10.10.0.0/16" : "GCP range 1" } mode = "CUSTOM" groups = null } instances = { vpn-to-onprem = { name = "vpn-to-onprem", peer_external_gateway = { redundancy_type = "TWO_IPS_REDUNDANCY" interfaces = [{ id = 0 ip_address = "1.1.1.1" }, { id = 1 ip_address = "2.2.2.2" }] }, tunnels = { remote0 = { bgp_peer = { address = "169.254.1.2" asn = 65001 } bgp_peer_options = null bgp_session_range = "169.254.1.1/30" ike_version = 2 vpn_gateway_interface = 0 peer_external_gateway_interface = 0 shared_secret = "secret" } remote1 = { bgp_peer = { address = "169.254.1.6" asn = 65001 } bgp_peer_options = null bgp_session_range = "169.254.1.5/30" ike_version = 2 vpn_gateway_interface = 1 peer_external_gateway_interface = 1 shared_secret = "secret" } } } } }	`any`	n/a	yes
vpn_gateway_name	VPN gateway name. Gateway created by the module	`string`	n/a	yes

Outputs

Name	Description
random_secret	HA VPN IPsec tunnels secret that has been randomly generated
vpn_gw_local_address_1	HA VPN gateway IP address 1
vpn_gw_local_address_2	HA VPN gateway IP address 2
vpn_gw_name	HA VPN gateway name
vpn_gw_self_link	HA VPN gateway self_link

Requirements

Name	Version
terraform	>= 1.2, < 2.0
google	== 4.58

Providers

Name	Version
google	== 4.58

Modules

Name	Source	Version
vpn_ha	terraform-google-modules/vpn/google	3.0.1

Resources

Name	Type
google_compute_ha_vpn_gateway.ha_gateway	resource

Inputs

Name	Description	Type	Default	Required
project	n/a	`string`	`null`	no
region	Region to deploy VPN gateway in	`string`	n/a	yes
vpc_network_id	VPC network ID that should be used for deployment	`string`	n/a	yes
vpn	VPN configuration from GCP to on-prem or from GCP to GCP. If you'd like secrets to be randomly generated set `shared_secret` to empty string (""). Example:vpn = { router_asn = 65000 local_network = "vpc-vpn" router_advertise_config = { ip_ranges = { "10.10.0.0/16" : "GCP range 1" } mode = "CUSTOM" groups = null } instances = { vpn-to-onprem = { name = "vpn-to-onprem", peer_external_gateway = { redundancy_type = "TWO_IPS_REDUNDANCY" interfaces = [{ id = 0 ip_address = "1.1.1.1" }, { id = 1 ip_address = "2.2.2.2" }] }, tunnels = { remote0 = { bgp_peer = { address = "169.254.1.2" asn = 65001 } bgp_peer_options = null bgp_session_range = "169.254.1.1/30" ike_version = 2 vpn_gateway_interface = 0 peer_external_gateway_interface = 0 shared_secret = "secret" } remote1 = { bgp_peer = { address = "169.254.1.6" asn = 65001 } bgp_peer_options = null bgp_session_range = "169.254.1.5/30" ike_version = 2 vpn_gateway_interface = 1 peer_external_gateway_interface = 1 shared_secret = "secret" } } } }	`any`	n/a	yes
vpn_gateway_name	VPN gateway name	`string`	n/a	yes

Outputs

Name	Description
local_ipsec_gw2_address_2	HA VPN gateway IP address 2
local_ipsec_gw_address_1	HA VPN gateway IP address 1
random_secrets_map	HA VPN IPsec tunnels secrets that were randomly generated
vpn_gateway_name	HA VPN gateway name
vpn_gateway_self_link	HA VPN gateway self_link

Example​

Reference​

Requirements​

Providers​

Modules​

Resources​

Inputs​

Outputs​

Requirements​

Providers​

Modules​

Resources​

Inputs​

Outputs​

Example

Reference

Requirements

Providers

Modules

Resources

Inputs

Outputs

Requirements

Providers

Modules

Resources

Inputs

Outputs