From 9a658b0b90b7714eade05664dbb26d5a231246a6 Mon Sep 17 00:00:00 2001 From: simonebruzzechesse <60114646+simonebruzzechesse@users.noreply.github.com> Date: Thu, 23 Mar 2023 09:57:01 +0100 Subject: [PATCH] Small fixes to FAST Networking stage with NVAs (#1273) * fix issue with test-resources and internet connectivity from spokes * terraform fmt * removed reference to startup-script in README.md --- fast/stages/2-networking-c-nva/README.md | 63 ++++++++++--------- .../data/nva-startup-script.tftpl | 30 --------- fast/stages/2-networking-c-nva/nva.tf | 3 +- .../2-networking-c-nva/test-resources.tf | 52 +++++++++------ 4 files changed, 71 insertions(+), 77 deletions(-) delete mode 100644 fast/stages/2-networking-c-nva/data/nva-startup-script.tftpl diff --git a/fast/stages/2-networking-c-nva/README.md b/fast/stages/2-networking-c-nva/README.md index 28064305a3..8874dc4689 100644 --- a/fast/stages/2-networking-c-nva/README.md +++ b/fast/stages/2-networking-c-nva/README.md 
@@ -23,32 +23,41 @@ The final number of subnets, and their IP addressing will depend on the user-spe ## Table of contents -- [Design overview and choices](#design-overview-and-choices) - - [Multi-regional deployment](#multi-regional-deployment) - - [VPC design](#vpc-design) - - [External connectivity](#external-connectivity) - - [Internal connectivity](#internal-connectivity) - - [IP ranges, subnetting, routing](#ip-ranges-subnetting-routing) - - [Internet egress](#internet-egress) - - [VPC and Hierarchical Firewall](#vpc-and-hierarchical-firewall) - - [DNS](#dns) -- [Stage structure and files layout](#stage-structure-and-files-layout) - - [VPCs](#vpcs) - - [VPNs](#vpns) - - [Routing and BGP](#routing-and-bgp) - - [Firewall](#firewall) - - [DNS architecture](#dns-architecture) - - [Private Google Access](#private-google-access) -- [How to run this stage](#how-to-run-this-stage) - - [Provider and Terraform variables](#provider-and-terraform-variables) - - [Impersonating the automation service account](#impersonating-the-automation-service-account) - - [Variable configuration](#variable-configuration) - - [Running the stage](#running-the-stage) - - [Post-deployment activities](#post-deployment-activities) -- [Customizations](#customizations) - - [Changing default regions](#changing-default-regions) - - [Configuring the VPNs to on prem](#configuring-the-vpns-to-on-prem) - - [Adding an environment](#adding-an-environment) +- [Networking with Network Virtual Appliance](#networking-with-network-virtual-appliance) + - [Table of contents](#table-of-contents) + - [Design overview and choices](#design-overview-and-choices) + - [Multi-regional deployment](#multi-regional-deployment) + - [VPC design](#vpc-design) + - [External connectivity](#external-connectivity) + - [Internal connectivity](#internal-connectivity) + - [IP ranges, subnetting, routing](#ip-ranges-subnetting-routing) + - [Internet egress](#internet-egress) + - [VPC and Hierarchical 
Firewall](#vpc-and-hierarchical-firewall) + - [DNS](#dns) + - [Stage structure and files layout](#stage-structure-and-files-layout) + - [VPCs](#vpcs) + - [VPNs](#vpns) + - [Routing and BGP](#routing-and-bgp) + - [Firewall](#firewall) + - [DNS architecture](#dns-architecture) + - [Cloud environment](#cloud-environment) + - [Cloud to on-prem](#cloud-to-on-prem) + - [On-prem to cloud](#on-prem-to-cloud) + - [How to run this stage](#how-to-run-this-stage) + - [Provider and Terraform variables](#provider-and-terraform-variables) + - [Impersonating the automation service account](#impersonating-the-automation-service-account) + - [Variable configuration](#variable-configuration) + - [Using delayed billing association for projects](#using-delayed-billing-association-for-projects) + - [Running the stage](#running-the-stage) + - [Post-deployment activities](#post-deployment-activities) + - [Private Google Access](#private-google-access) + - [Customizations](#customizations) + - [Changing default regions](#changing-default-regions) + - [Configuring the VPNs to on prem](#configuring-the-vpns-to-on-prem) + - [Adding an environment](#adding-an-environment) + - [Files](#files) + - [Variables](#variables) + - [Outputs](#outputs) ## Design overview and choices 
@@ -446,8 +455,6 @@ The new VPC requires a set of dedicated CIDRs, one per region, added to variable > Variables managing L7 Internal Load Balancers (`l7ilb_subnets`) and Private Service Access (`psa_ranges`) should also be adapted, and subnets and firewall rules for the new spoke should be added, as described above. -Configure the NVAs deployed or update the sample [NVA config file](data/nva-startup-script.tftpl) making sure they support the new subnets. - DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS resolution to Landing through DNS peering, and optionally define a private zone (e.g. `dev.gcp.example.com`) which the landing peers to. To configure DNS for a new environment, copy one of the other environments DNS files [e.g. (dns-dev.tf)](dns-dev.tf) into a new `dns-*.tf` file suffixed with the environment name (e.g. `dns-staging.tf`), and update its content accordingly. Don't forget to add a peering zone from the landing to the newly created environment private zone. diff --git a/fast/stages/2-networking-c-nva/data/nva-startup-script.tftpl b/fast/stages/2-networking-c-nva/data/nva-startup-script.tftpl deleted file mode 100644 index 353c6fa19b..0000000000 --- a/fast/stages/2-networking-c-nva/data/nva-startup-script.tftpl +++ /dev/null 
@@ -1,30 +0,0 @@
-#!/bin/bash
-
-echo 'Enabling IP forwarding'
-sed '/net.ipv4.ip_forward=1/s/^#//g' -i /etc/sysctl.conf &&
-sysctl -p /etc/sysctl.conf &&
-/etc/init.d/procps restart
-
-echo 'Setting Routes'
-ip route add ${landing-untrusted-other-region} via ${gateway-untrusted} dev ens4
-ip route add ${landing-trusted-other-region} via ${gateway-trusted} dev ens5
-ip route add ${dev-default-ew1-cidr} via ${gateway-trusted} dev ens5
-ip route add ${dev-default-ew4-cidr} via ${gateway-trusted} dev ens5
-ip route add ${prod-default-ew1-cidr} via ${gateway-trusted} dev ens5
-ip route add ${prod-default-ew4-cidr} via ${gateway-trusted} dev ens5
-ip route add ${onprem-main-cidr} via ${gateway-trusted} dev ens5
-
-echo 'Adding PBR rules to answer HCs also from the secondary nic'
-grep -qxF '200 hc' /etc/iproute2/rt_tables || echo '200 hc' >> /etc/iproute2/rt_tables
-ip_addr_ens5=$(ip route ls table local | awk '/ens5 proto 66 scope host/ {print $2}')
-while [ -z $ip_addr_ens5 ]; do
- echo 'Waiting for networking stack to be ready'
- sleep 2
- ip_addr_ens5=$(ip route ls table local | awk '/ens5 proto 66 scope host/ {print $2}')
-done
-ip rule add from $ip_addr_ens5 lookup hc
-ip route add default via ${gateway-trusted} dev ens5 table hc
-
-echo 'Setting NAT masquerade (for Internet connectivity)'
-iptables --append FORWARD --in-interface ens5 -j ACCEPT
-iptables --table nat --append POSTROUTING --out-interface ens4 -j MASQUERADE
diff --git a/fast/stages/2-networking-c-nva/nva.tf b/fast/stages/2-networking-c-nva/nva.tf
index 8d39d7de0c..62c45dbd22 100644
--- a/fast/stages/2-networking-c-nva/nva.tf
+++ b/fast/stages/2-networking-c-nva/nva.tf
@@ -19,7 +19,8 @@ locals {
 # local.routing_config[0] sets up the first interface, and so on.
 routing_config = [
 {
- name = "untrusted"
+ name = "untrusted"
+ enable_masquerading = true
 routes = [
 var.gcp_ranges.gcp_landing_untrusted_primary,
 var.gcp_ranges.gcp_landing_untrusted_secondary,
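Review bot: The new `enable_masquerading = true` on the `untrusted` entry of `routing_config` is a security-relevant behaviour change (the NVA presumably becomes the NAT point for spoke traffic leaving towards the untrusted VPC, standing in for the `MASQUERADE` rule of the removed startup script), yet the line carries no comment saying so. A short why-comment would record the intent, e.g. `# NAT egress from spokes towards the untrusted VPC (replaces the MASQUERADE rule of the removed nva-startup-script.tftpl)`. The removed script also paired masquerading with an explicit `FORWARD` accept on the trusted interface; whether the module that consumes this flag installs equivalent forwarding rules is not visible here and is worth confirming before relying on it for internet egress. The `locals` block continues outside the hunk.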
diff --git a/fast/stages/2-networking-c-nva/test-resources.tf b/fast/stages/2-networking-c-nva/test-resources.tf
index 14676e8111..97bb7208c5 100644
--- a/fast/stages/2-networking-c-nva/test-resources.tf
+++ b/fast/stages/2-networking-c-nva/test-resources.tf
@@ -22,7 +22,7 @@
 # source = "../../../modules/compute-vm"
 # project_id = module.landing-project.project_id
 # zone = "${var.regions.primary}-b"
-# name = "test-vm-lnd-unt-primary-0"
+# name = "test-vm-lnd-unt-pri-0"
 # network_interfaces = [{
 # network = module.landing-untrusted-vpc.self_link
 # subnetwork = module.landing-untrusted-vpc.subnet_self_links["${var.regions.primary}/landing-untrusted-default-${local.region_shortnames[var.regions.primary]}"]
@@ -30,7 +30,9 @@
 # tags = ["primary", "ssh"]
 # service_account_create = true
 # boot_disk = {
-# image = "projects/debian-cloud/global/images/family/debian-10"
+# initialize_params = {
+# image = "projects/debian-cloud/global/images/family/debian-10"
+# }
 # }
 # options = {
 # spot = true
@@ -48,7 +50,7 @@
 # source = "../../../modules/compute-vm"
 # project_id = module.landing-project.project_id
 # zone = "${var.regions.secondary}-a"
-# name = "test-vm-lnd-unt-secondary-0"
+# name = "test-vm-lnd-unt-sec-0"
 # network_interfaces = [{
 # network = module.landing-untrusted-vpc.self_link
 # subnetwork = module.landing-untrusted-vpc.subnet_self_links["${var.regions.secondary}/landing-untrusted-default-${local.region_shortnames[var.regions.secondary]}"]
@@ -56,7 +58,9 @@
 # tags = ["secondary", "ssh"]
 # service_account_create = true
 # boot_disk = {
-# image = "projects/debian-cloud/global/images/family/debian-10"
+# initialize_params = {
+# image = "projects/debian-cloud/global/images/family/debian-10"
+# }
 # }
 # options = {
 # spot = true
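Review bot: The shortening of the sample VM names from `primary`/`secondary` to `pri`/`sec` in hunk -22 (and likewise in hunks -48, -76, -102, -130, -157, -186, -215) is explained neither by the commit message nor by a comment in the file, and because every sample here is commented out, `terraform` never parses these lines, so neither the naming convention nor the new `boot_disk.initialize_params` nesting (hunks -30, -56, -84, -110, -139, -166, -195, -224) is checked against the `compute-vm` module. A comment at the first sample would record both conventions for whoever uncomments them, e.g. `# region suffixes are shortened to pri/sec; boot_disk follows the compute-vm module's initialize_params schema`. The enclosing `module` blocks begin outside the hunks.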
@@ -76,7 +80,7 @@
 # source = "../../../modules/compute-vm"
 # project_id = module.landing-project.project_id
 # zone = "${var.regions.primary}-b"
-# name = "test-vm-lnd-tru-primary-0"
+# name = "test-vm-lnd-tru-pri-0"
 # network_interfaces = [{
 # network = module.landing-trusted-vpc.self_link
 # subnetwork = module.landing-trusted-vpc.subnet_self_links["${var.regions.primary}/landing-trusted-default-${local.region_shortnames[var.regions.primary]}"]
@@ -84,7 +88,9 @@
 # tags = ["primary", "ssh"]
 # service_account_create = true
 # boot_disk = {
-# image = "projects/debian-cloud/global/images/family/debian-10"
+# initialize_params = {
+# image = "projects/debian-cloud/global/images/family/debian-10"
+# }
 # }
 # options = {
 # spot = true
@@ -102,7 +108,7 @@
 # source = "../../../modules/compute-vm"
 # project_id = module.landing-project.project_id
 # zone = "${var.regions.secondary}-a"
-# name = "test-vm-lnd-tru-secondary-0"
+# name = "test-vm-lnd-tru-sec-0"
 # network_interfaces = [{
 # network = module.landing-trusted-vpc.self_link
 # subnetwork = module.landing-trusted-vpc.subnet_self_links["${var.regions.secondary}/landing-trusted-default-${local.region_shortnames[var.regions.secondary]}"]
@@ -110,7 +116,9 @@
 # tags = ["secondary", "ssh"]
 # service_account_create = true
 # boot_disk = {
-# image = "projects/debian-cloud/global/images/family/debian-10"
+# initialize_params = {
+# image = "projects/debian-cloud/global/images/family/debian-10"
+# }
 # }
 # options = {
 # spot = true
@@ -130,7 +138,7 @@
 # source = "../../../modules/compute-vm"
 # project_id = module.dev-spoke-project.project_id
 # zone = "${var.regions.primary}-b"
-# name = "test-vm-dev-primary-0"
+# name = "test-vm-dev-pri-0"
 # network_interfaces = [{
 # network = module.dev-spoke-vpc.self_link
 # # change the subnet name to match the values you are actually using
@@ -139,7 +147,9 @@
 # tags = ["primary", "ssh"]
 # service_account_create = true
 # boot_disk = {
-# image = "projects/debian-cloud/global/images/family/debian-10"
+# initialize_params = {
+# image = "projects/debian-cloud/global/images/family/debian-10"
+# }
 # }
 # options = {
 # spot = true
@@ -157,7 +167,7 @@
 # source = "../../../modules/compute-vm"
 # project_id = module.dev-spoke-project.project_id
 # zone = "${var.regions.secondary}-a"
-# name = "test-vm-dev-secondary-0"
+# name = "test-vm-dev-sec-0"
 # network_interfaces = [{
 # network = module.dev-spoke-vpc.self_link
 # # change the subnet name to match the values you are actually using
@@ -166,7 +176,9 @@
 # tags = ["secondary", "ssh"]
 # service_account_create = true
 # boot_disk = {
-# image = "projects/debian-cloud/global/images/family/debian-10"
+# initialize_params = {
+# image = "projects/debian-cloud/global/images/family/debian-10"
+# }
 # }
 # options = {
 # spot = true
@@ -186,7 +198,7 @@
 # source = "../../../modules/compute-vm"
 # project_id = module.prod-spoke-project.project_id
 # zone = "${var.regions.primary}-b"
-# name = "test-vm-prod-primary-0"
+# name = "test-vm-prod-pri-0"
 # network_interfaces = [{
 # network = module.prod-spoke-vpc.self_link
 # # change the subnet name to match the values you are actually using
@@ -195,9 +207,11 @@
 # tags = ["primary", "ssh"]
 # service_account_create = true
 # boot_disk = {
-# image = "projects/debian-cloud/global/images/family/debian-10"
-# type = "pd-balanced"
-# size = 10
+# initialize_params = {
+# image = "projects/debian-cloud/global/images/family/debian-10"
+# type = "pd-balanced"
+# size = 10
+# }
 # }
 # options = {
 # spot = true
@@ -215,7 +229,7 @@
 # source = "../../../modules/compute-vm"
 # project_id = module.prod-spoke-project.project_id
 # zone = "${var.regions.secondary}-a"
-# name = "test-vm-prod-secondary-0"
+# name = "test-vm-prod-sec-0"
 # network_interfaces = [{
 # network = module.prod-spoke-vpc.self_link
 # # change the subnet name to match the values you are actually using
@@ -224,7 +238,9 @@
 # tags = ["secondary", "ssh"]
 # service_account_create = true
 # boot_disk = {
-# image = "projects/debian-cloud/global/images/family/debian-10"
+# initialize_params = {
+# image = "projects/debian-cloud/global/images/family/debian-10"
+# }
 # }
 # options = {
 # spot = true