

Merge FAST C and E network stages into a new B stage. (#2309)
Merge FAST C and E network stages into a new B stage.
sruffilli authored May 28, 2024
1 parent 9e1008d commit 532f1ec
Showing 99 changed files with 330 additions and 7,029 deletions.
2 changes: 1 addition & 1 deletion fast/stages/2-networking-a-simple/README.md
Expand Up @@ -85,7 +85,7 @@ This is a summary of the main options:
- [HA VPN](https://cloud.google.com/network-connectivity/docs/vpn/concepts/topologies) (implemented here)
- Pros: simple compatibility with GCP services that leverage peering internally, better control on routes, avoids peering groups shared quotas and limits
- Cons: additional cost, marginal increase in latency, requires multiple tunnels for full bandwidth
- [Multi-NIC appliances](https://cloud.google.com/architecture/best-practices-vpc-design#multi-nic) (implemented by [2-networking-c-nva](../2-networking-c-nva/) and [2-networking-e-nva-bgp](../2-networking-e-nva-bgp/))
- [Multi-NIC appliances](https://cloud.google.com/architecture/best-practices-vpc-design#multi-nic) (implemented by [2-networking-b-nva](../2-networking-b-nva/)
- Pros: additional security features (e.g. IPS), potentially better integration with on-prem systems by using the same vendor
- Cons: complex HA/failover setup, limited by VM bandwidth and scale, additional costs for VMs and licenses, out of band management of a critical cloud component



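--- a/fast/stages/2-networking-b-nva/data/firewall-rules/dmz/bgp.yaml
+++ b/fast/stages/2-networking-b-nva/data/firewall-rules/dmz/bgp.yaml
@@ -0,0 +1,23 @@
+# skip boilerplate check
+# This is only relevant when using NCC-RA, and can be safely removed otherwise
+ingress:
+allow-ncc-nva-bgp-dmz:
+description: "Allow BGP traffic from NCC Cloud Routers to NVAs"
+source_ranges:
+- 10.128.0.201/32
+- 10.128.0.202/32
+- 10.128.32.201/32
+- 10.128.32.202/32
+targets: ["nva"]
+rules:
+- protocol: tcp
+ports:
+- 179
+allow-nva-nva-bgp-dmz:
+description: "Allow BGP traffic from cross-regional NVAs"
+sources: ["nva"]
+targets: ["nva"]
+rules:
+- protocol: tcp
+ports:
+- 179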
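Review bot: The four Cloud Router addresses in `source_ranges` are hard-coded /32s, while the router interface they must match is computed elsewhere in this commit as `cidrhost(<dmz subnet>, 201)` per region (the second interface is outside the visible hunk, presumably 202), so any change to the subnet plan silently desynchronises this rule from the BGP peers and the TCP/179 session just never establishes; a comment naming the derivation would help, e.g. `# Must match ip_interface0/ip_interface1 of the ncc-spokes-dmz Cloud Routers (cidrhost(dmz-default, 201/202) per region)`. The header says the file can be removed when NCC-RA is not used, but nothing visible ties loading of this data file to `var.enable_ncc_ra`, so the allow rules for port 179 are presumably created even when no BGP peers exist — worth stating explicitly, or gating on the same flag. The landing counterpart `allow-ncc-nva-bgp-landing` in the next section has the same coupling.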
@@ -0,0 +1,15 @@
# skip boilerplate check
# This is only relevant when using NCC-RA, and can be safely removed otherwise
ingress:
allow-ncc-nva-bgp-landing:
description: "Allow BGP traffic from NCC Cloud Routers to NVAs"
source_ranges:
- 10.128.64.201/32
- 10.128.64.202/32
- 10.128.96.201/32
- 10.128.96.202/32
targets: ["nva"]
rules:
- protocol: tcp
ports:
- 179
File renamed without changes
File renamed without changes
File renamed without changes.
File renamed without changes.
Expand Up @@ -18,6 +18,7 @@

locals {
custom_roles = coalesce(var.custom_roles, {})
nva_zones = ["b", "c"]
# combine all regions from variables and subnets
regions = distinct(concat(
values(var.regions),
Expand Up @@ -89,7 +89,7 @@ module "dev-spoke-vpc" {
private = true
restricted = true
}
routes = {
routes = var.enable_ncc_ra ? null : {
nva-primary-to-primary = {
dest_range = "0.0.0.0/0"
priority = 1000
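Review bot: `routes = var.enable_ncc_ra ? null : {` drops the static default routes to the NVAs entirely when NCC-RA is enabled, so spoke egress then depends solely on routes learned over BGP from the router appliances, and flipping `var.enable_ncc_ra` on a live environment deletes the static routes in the same apply that first creates the peering; a comment making that intent explicit would help, e.g. `# with NCC-RA the default route is learned via BGP from the NVAs, so no static routes are defined`. Passing `null` rather than `{}` presumably lets the vpc module fall back to its own default for `routes` — confirm that default is empty rather than something else. The prod-spoke-vpc hunk below makes the identical change. The enclosing `module "dev-spoke-vpc"` block starts and ends outside the hunk.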
Expand Up @@ -87,7 +87,7 @@ module "prod-spoke-vpc" {
private = true
restricted = true
}
routes = {
routes = var.enable_ncc_ra ? null : {
nva-primary-to-primary = {
dest_range = "0.0.0.0/0"
priority = 1000
Expand Up @@ -14,40 +14,51 @@
* limitations under the License.
*/

locals {
ncc_asn = {
dmz = 64512
landing = 64515
nva_primary = 64513
nva_secondary = 64514
}
}

resource "google_network_connectivity_hub" "hub_landing" {
count = var.enable_ncc_ra ? 1 : 0
name = "prod-hub-landing"
description = "Prod hub landing (trusted)"
project = module.landing-project.project_id
}

resource "google_network_connectivity_hub" "hub_dmz" {
count = var.enable_ncc_ra ? 1 : 0
name = "prod-hub-dmz"
description = "Prod hub DMZ (untrusted)"
project = module.landing-project.project_id
}

module "spokes-landing" {
for_each = var.regions
module "ncc-spokes-landing" {
for_each = var.enable_ncc_ra ? var.regions : {}
source = "../../../modules/ncc-spoke-ra"
name = "prod-spoke-landing-${local.region_shortnames[each.value]}"
project_id = module.landing-project.project_id
region = each.value

hub = {
create = false,
id = google_network_connectivity_hub.hub_landing.id
id = google_network_connectivity_hub.hub_landing[0].id
}

router_appliances = [
for key, config in local.nva_configs :
for key, config in local.bgp_nva_configs :
{
internal_ip = module.nva[key].internal_ips[1]
vm_self_link = module.nva[key].self_link
internal_ip = module.nva-bgp[key].internal_ips[1]
vm_self_link = module.nva-bgp[key].self_link
} if config.region == each.value
]

router_config = {
asn = var.ncc_asn.landing
asn = local.ncc_asn.landing
ip_interface0 = cidrhost(
module.landing-vpc.subnet_ips["${each.value}/landing-default"], 201
)
Expand All @@ -56,8 +67,8 @@ module "spokes-landing" {
)
peer_asn = (
each.key == "primary"
? var.ncc_asn.nva_primary
: var.ncc_asn.nva_secondary
? local.ncc_asn.nva_primary
: local.ncc_asn.nva_secondary
)
routes_priority = 100

Expand All @@ -80,28 +91,28 @@ module "spokes-landing" {
}
}

module "spokes-dmz" {
for_each = var.regions
module "ncc-spokes-dmz" {
for_each = var.enable_ncc_ra ? var.regions : {}
source = "../../../modules/ncc-spoke-ra"
name = "prod-spoke-dmz-${local.region_shortnames[each.value]}"
project_id = module.landing-project.project_id
region = each.value

hub = {
create = false,
id = google_network_connectivity_hub.hub_dmz.id
id = google_network_connectivity_hub.hub_dmz[0].id
}

router_appliances = [
for key, config in local.nva_configs :
for key, config in local.bgp_nva_configs :
{
internal_ip = module.nva[key].internal_ips[0]
vm_self_link = module.nva[key].self_link
internal_ip = module.nva-bgp[key].internal_ips[0]
vm_self_link = module.nva-bgp[key].self_link
} if config.region == each.value
]

router_config = {
asn = var.ncc_asn.dmz
asn = local.ncc_asn.dmz
ip_interface0 = cidrhost(
module.dmz-vpc.subnet_ips["${each.value}/dmz-default"], 201
)
Expand All @@ -110,8 +121,8 @@ module "spokes-dmz" {
)
peer_asn = (
each.key == "primary"
? var.ncc_asn.nva_primary
: var.ncc_asn.nva_secondary
? local.ncc_asn.nva_primary
: local.ncc_asn.nva_secondary
)
routes_priority = 100

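Review bot: The new `local.ncc_asn` map carries no comment on its constraints, although the spoke `peer_asn` selection and the NVA `asn_nva`/`asn_nva_cross_region` swap in the next file both depend on the primary and secondary NVA values being different; add `# Private-use ASNs (RFC 6996); nva_primary and nva_secondary must differ, since cross-region peers are selected by swapping them`. Moving the values from `var.ncc_asn` into a local also removes the per-deployment override that the variable allowed, which the commit description does not mention; if the variable is dropped elsewhere in the commit, tfvars that still set `ncc_asn` will fail to plan. The hub names `prod-hub-landing`/`prod-hub-dmz` stay hard-coded while everything else is now keyed by `var.regions`, which is fine but worth a one-line note. The `ncc-spokes-landing` and `ncc-spokes-dmz` module bodies continue outside the visible hunk lines.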
Expand Up @@ -15,36 +15,34 @@
*/

locals {
_nva_zones = ["b", "c"]

# The configurations used to create the NVA VMs.
#
# Rendered as following:
# nva_configs = {
# bgp_nva_configs = {
# primary-b = {...}
# primary-c = {...}
# secondary-b = {...}
# secondary-c = {...}
# }
nva_configs = {
for v in setproduct(keys(var.regions), local._nva_zones) :
bgp_nva_configs = {
for v in setproduct(keys(var.regions), local.nva_zones) :
join("-", v) => {
# Each NVA announces its trusted regional subnets
announce-to-nva = upper(v[0])
# NVAs in each region have their own ASN
# and peer with cross-regional NVAs.
asn_nva = (
v[0] == "primary"
? var.ncc_asn.nva_primary
: var.ncc_asn.nva_secondary
? local.ncc_asn.nva_primary
: local.ncc_asn.nva_secondary
)
asn_nva_cross_region = (
v[0] == "primary"
? var.ncc_asn.nva_secondary
: var.ncc_asn.nva_primary
? local.ncc_asn.nva_secondary
: local.ncc_asn.nva_primary
)
asn_landing = var.ncc_asn.landing
asn_dmz = var.ncc_asn.dmz
asn_landing = local.ncc_asn.landing
asn_dmz = local.ncc_asn.dmz
# To guarantee traffic to remain symmetric,
# NVAs need to advertise cross-region routes with a higher cost (10100)
cost_primary = v[0] == "primary" ? "100" : "10100"
Expand Down Expand Up @@ -82,11 +80,11 @@ locals {
# in the landing and in the DMZ VPCs.
ip_landing = cidrhost(
module.landing-vpc.subnet_ips["${var.regions[v[0]]}/landing-default"],
101 + index(var.zones, v[1])
101 + index(local.nva_zones, v[1])
)
ip_dmz = cidrhost(
module.dmz-vpc.subnet_ips["${var.regions[v[0]]}/dmz-default"],
101 + index(var.zones, v[1])
101 + index(local.nva_zones, v[1])
)
# Either primary or secondary
name = v[0]
Expand All @@ -100,11 +98,11 @@ locals {
}
}

# The routing_config should be aligned to the NVA NICs.
# The bgp_routing_config should be aligned to the NVA NICs.
# For example:
# local.routing_config[0] configures eth0;
# local.routing_config[0] configures eth1.
routing_config = [
# local.bgp_routing_config[0] configures eth0;
# local.bgp_routing_config[0] configures eth1.
bgp_routing_config = [
{
enable_masquerading = true
name = "dmz"
Expand All @@ -124,10 +122,10 @@ locals {
}

module "nva-bgp-cloud-config" {
for_each = local.nva_configs
for_each = var.enable_ncc_ra ? local.bgp_nva_configs : {}
source = "../../../modules/cloud-config-container/simple-nva"
enable_health_checks = true
network_interfaces = local.routing_config
network_interfaces = local.bgp_routing_config
frr_config = {
config_file = templatefile("data/bgp-config.tftpl", each.value)
daemons_enabled = ["bgpd"]
Expand All @@ -137,7 +135,7 @@ module "nva-bgp-cloud-config" {
# TODO: use address module

resource "google_compute_address" "nva_static_ip_landing" {
for_each = local.nva_configs
for_each = var.enable_ncc_ra ? local.bgp_nva_configs : {}
name = "nva-ip-landing-${each.value.shortname}-${each.value.zone}"
project = module.landing-project.project_id
subnetwork = module.landing-vpc.subnet_self_links["${each.value.region}/landing-default"]
Expand All @@ -147,7 +145,7 @@ resource "google_compute_address" "nva_static_ip_landing" {
}

resource "google_compute_address" "nva_static_ip_dmz" {
for_each = local.nva_configs
for_each = var.enable_ncc_ra ? local.bgp_nva_configs : {}
name = "nva-ip-dmz-${each.value.shortname}-${each.value.zone}"
project = module.landing-project.project_id
subnetwork = module.dmz-vpc.subnet_self_links["${each.value.region}/dmz-default"]
Expand All @@ -156,12 +154,12 @@ resource "google_compute_address" "nva_static_ip_dmz" {
region = each.value.region
}

module "nva" {
for_each = local.nva_configs
module "nva-bgp" {
for_each = var.enable_ncc_ra ? local.bgp_nva_configs : {}
source = "../../../modules/compute-vm"
project_id = module.landing-project.project_id
name = "nva-${each.value.shortname}-${each.value.zone}"
instance_type = "e2-standard-2"
instance_type = "e2-micro"
can_ip_forward = true
zone = "${each.value.region}-${each.value.zone}"
tags = ["nva"]
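Review bot: The comment above `bgp_routing_config` still reads `# local.bgp_routing_config[0] configures eth1.` for the second entry; the rename carried the pre-existing typo across and it should be `# local.bgp_routing_config[1] configures eth1.` The change of `instance_type` from `e2-standard-2` to `e2-micro` in `module "nva-bgp"` is not mentioned in the commit message; e2-micro is a shared-core type with a correspondingly lower network bandwidth cap, and these VMs carry all inter-VPC traffic and run FRR with masquerading, so either document it as intentional test sizing or expose the type as a variable with the previous value as default. The `module "nva-bgp"` block continues past the end of the hunk.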

