Merge pull request #2 from albertogeniola/development

Development

example/Web proxy/networking.tf → example/1. Web proxy/networking.tf

@@ -36,6 +36,7 @@ resource "google_compute_firewall" "proxy_internal_vms" {
   name          = "fw-inbound-proxy-internal"
   network       = google_compute_network.vyos_internal_vpc.self_link
   source_ranges = [local.internal_subnet_cidr]
+  target_service_accounts = [module.vyos_instance.sa_email]
   allow {
     protocol  = "tcp"
     ports     = [ 3128 ]

example/Web proxy HA Unmanaged/networking.tf → example/2. Web proxy HA Unmanaged/networking.tf

@@ -36,6 +36,7 @@ resource "google_compute_firewall" "proxy_internal_vms" {
   name          = "fw-inbound-proxy-internal"
   network       = google_compute_network.vyos_internal_vpc.self_link
   source_ranges = [local.internal_subnet_cidr]
+  target_service_accounts = [module.vyos_instance_1.sa_email, module.vyos_instance_2.sa_email]
   allow {
     protocol  = "tcp"
     ports     = [ 3128 ]

example/3. Simple NAT/.gitignore

@@ -0,0 +1 @@
+terraform.tfvars

example/3. Simple NAT/README.md

@@ -0,0 +1,16 @@
+# VyOS as RFC1918 NAT
+This example shows how to use this module to instantiate a VyOS instance that acts as an NAT appliance working in a RFC1918 address space.
+In fact, at the time of writing, there is no managed GA solution to implement NAT/PAT on GCP: that requires an appliance to be configured. 
+
+This specific example implements a simple NAT instance routing traffic from internal VPC to another internal VPC.
+Specifically, the idea is to enable corporate to workaround their overlapping IP address space problems (on on-premise) with a cloud NAT instance.
+
+The following diagram explains the target result of this terraform project.
+
+<img src="./simple-nat.png" width=600 alt="Simple PAT implementation"/>
+
+A custom static route redirects all the traffic from the internal vpc network towards the VyOS instance, configured as next-hop.
+The VyOS instance is configured to apply PAT to TCP and UDP packets coming from 10.10.0.0/16 (address space of internal_subnet)
+and to masquerade it via ETH1 address (10.0.0.3/16). This configuration handles the traffic against RFC1918 targets belonging
+to the external VPC, but also performs NATTING against public endpoints, using the VyOS ETH1 public address. 
+

example/3. Simple NAT/internal-instance.tf

@@ -0,0 +1,35 @@
+data "google_compute_image" "debian" {
+  family    = "debian-11"
+  project   = "debian-cloud"
+}
+
+resource "google_compute_instance" "internal_instance" {
+  project       = var.project_id
+  name          = "internal-vm"
+  machine_type  = "n2-standard-2"
+  zone          = "europe-west8-b"
+
+  boot_disk {
+    initialize_params {
+      image = data.google_compute_image.debian.self_link
+    }
+  }
+  tags = [local.allow_iap_ssh_inbound_tag]
+  network_interface {
+    network     = google_compute_network.vyos_internal_vpc.self_link
+    subnetwork  = google_compute_subnetwork.vyos_internal_subnet.self_link
+    network_ip  = cidrhost(google_compute_subnetwork.vyos_internal_subnet.ip_cidr_range, 6)
+  }
+
+  metadata_startup_script = <<EOF
+  echo "" > /etc/profile.d/terraform-gce-proxy.sh
+  
+  # Test the curl feature
+  sleep 30 # Give some time to the proxy to spawn
+  curl -o /root/proxy-test.json https://api.ipify.org?format=json
+  EOF
+
+  depends_on = [
+    module.vyos_instance
+  ]
+}

example/3. Simple NAT/networking.tf

@@ -0,0 +1,80 @@
+# Define an external VPC
+resource "google_compute_network" "vyos_external_vpc" {
+  name                      = "vyos-external-vpc"
+  project                   = var.project_id 
+  auto_create_subnetworks   = false
+}
+
+resource "google_compute_subnetwork" "vyos_external_subnet" {
+  region                    = var.region
+  name                      = "vyos-external-subnet"
+  project                   = var.project_id 
+  network                   = google_compute_network.vyos_external_vpc.self_link
+  ip_cidr_range             = local.external_subnet_cidr
+  private_ip_google_access  = true  
+}
+
+# Define an internal VPC
+resource "google_compute_network" "vyos_internal_vpc" {
+  name                      = "vyos-internal-vpc"
+  project                   = var.project_id 
+  auto_create_subnetworks   = false
+}
+
+resource "google_compute_subnetwork" "vyos_internal_subnet" {
+  region                    = var.region
+  name                      = "vyos-internal-subnet"
+  project                   = var.project_id 
+  network                   = google_compute_network.vyos_internal_vpc.self_link
+  ip_cidr_range             = local.internal_subnet_cidr
+  private_ip_google_access  = true  
+}
+
+# Enable firewall rules for Proxy access for the internal VM
+resource "google_compute_firewall" "proxy_internal_vms" {
+  project                 = var.project_id 
+  name                    = "fw-inbound-proxy-internal"
+  network                 = google_compute_network.vyos_internal_vpc.self_link
+  source_ranges           = [local.internal_subnet_cidr]
+  target_service_accounts = [module.vyos_instance.sa_email]
+  allow {
+    protocol  = "tcp"
+  }
+  allow {
+    protocol  = "udp"
+  }
+}
+
+# Enable firewall rules for SSH access for the internal VM
+resource "google_compute_firewall" "ssh_iap_internal_vms" {
+  project       = var.project_id 
+  name          = "fw-inbound-iap-ssh"
+  network       = google_compute_network.vyos_internal_vpc.self_link
+  target_tags   = [local.allow_iap_ssh_inbound_tag]
+  source_ranges = local.iap_cidrs
+  allow {
+    protocol  = "tcp"
+    ports     = [ 22 ]
+  }
+}
+
+# Default route for internal VPC
+resource "google_compute_route" "name" {
+  project     = var.project_id
+  name        = "default-route-to-vyos-nat"
+  dest_range  = "0.0.0.0/0"
+  network     = google_compute_network.vyos_internal_vpc.self_link
+  next_hop_ip = local.internal_vyos_ip
+  priority    = 100
+}
+
+locals {
+  external_subnet_cidr        = "10.0.0.0/16"
+  internal_subnet_cidr        = "10.10.0.0/16"
+  allow_iap_ssh_inbound_tag   = "ssh-iap"
+  iap_cidrs                   = ["35.235.240.0/20"]
+  external_vyos_ip = cidrhost(local.external_subnet_cidr, 3)
+  internal_vyos_ip = cidrhost(local.internal_subnet_cidr, 3)
+
+  ilb_hc_cidrs       = ["35.191.0.0/16", "130.211.0.0/22"]
+}

example/3. Simple NAT/variables.tf

@@ -0,0 +1,3 @@
+variable project_id {}
+variable "region" {}
+variable "zone" {}

example/3. Simple NAT/vyos.config

@@ -0,0 +1,96 @@
+interfaces {
+    ethernet eth0 {
+        address dhcp
+    }
+    ethernet eth1 {
+        address dhcp
+    }
+    loopback lo {
+    }
+}
+nat {
+     source {
+         rule 1 {
+             outbound-interface eth0
+             protocol tcp_udp
+             source {
+                 address 10.10.0.0/16
+             }
+             translation {
+                 address masquerade
+             }
+         }
+     }
+ }
+service {
+    ssh {
+        listen-address 0.0.0.0
+        port 22
+        disable-password-authentication
+    }
+}
+system {
+    config-management {
+        commit-revisions 100
+    }
+    conntrack {
+        modules {
+            ftp
+            h323
+            nfs
+            pptp
+            sip
+            sqlnet
+            tftp
+        }
+    }
+    console {
+        device ttyS0 {
+            speed 38400
+        }
+    }
+    host-name vyos-gce
+    login {
+        banner {
+            post-login "Welcome to VyOs\n=========================================================================\nPlease note the following:\n    * This image is integrated with Google Ops Agent and supports metadata\nssh-keys login;\n    * You can still manage vyos configuration using the Serial Console,\nlogging in as vyos credentials: vyos/vyos;\n    * Note: vyos ssh plaintext/password is disabled.\n\nBuilt using https://github.com/albertogeniola/terraform-gce-vyos\n========================================================================="
+        }
+        user vyos {
+            authentication {
+                encrypted-password $6$gf2ShN8QhLqyH$WedSwHWXMYgC/qoM7ibe2XwdZro.A.qsYqMH0P9jf5opselu31ACTUD1bkRTL8S3WeKjoJ1Uu2xOgZXSV9SOr1
+                plaintext-password ""
+            }
+        }
+        user admin {
+        }
+    }
+    name-server 169.254.169.254
+    name-server 8.8.8.8
+    name-server 8.8.4.4
+
+    ntp {
+        server time1.vyos.net {
+        }
+        server time2.vyos.net {
+        }
+        server time3.vyos.net {
+        }
+    }
+    static-host-mapping {
+        host-name metadata.google.internal {
+            inet 169.254.169.254
+        }
+    }
+    syslog {
+        global {
+            facility all {
+                level info
+            }
+            facility protocols {
+                level debug
+            }
+        }
+    }
+}
+// Warning: Do not remove the following line.
+// vyos-config-version: "broadcast-relay@1:cluster@1:config-management@1:conntrack@3:conntrack-sync@2:dhcp-relay@2:dhcp-server@6:dhcpv6-server@1:dns-forwarding@3:firewall@5:https@2:interfaces@22:ipoe-server@1:ipsec@5:isis@1:l2tp@3:lldp@1:mdns@1:nat@5:ntp@1:pppoe-server@5:pptp@2:qos@1:quagga@8:rpki@1:salt@1:snmp@2:ssh@2:sstp@3:system@21:vrrp@2:vyos-accel-ppp@2:wanloadbalance@3:webproxy@2:zone-policy@1"
+// Release version: equuleus

example/3. Simple NAT/vyos.tf

@@ -0,0 +1,52 @@
+# VyOS instance
+module "vyos_instance" {
+    source = "../../module-src"
+
+    # Project info
+    project_id      = var.project_id
+    gcp_region      = var.region
+    instance_name   = "vyos-instance"
+
+    # Dynamic config
+    configuration_bucket_name   = "${var.project_id}-vyos-conf"
+    configuration_bucket_path   = "configuration"
+    vyos_configuration_content  = file("vyos.config")
+
+    # GCE config
+    instance_tier               = "n2-standard-2"
+    instance_zone               = var.zone
+    instance_vyos_image_name    = "vyos-gce" # ATTENTION! THIS IS THE NAME OF THE VYOS IMAGE IMPORTED FROM THIS REPO.
+
+    # We want to be able to connect via serial port
+    enable_serial_port_connection = true
+
+    # Networking configuration
+    networks_configuration = {
+
+      # Primary interface
+      0 = {
+        network_project_id  = var.project_id
+        network             = google_compute_network.vyos_external_vpc.self_link
+        subnetwork          = google_compute_subnetwork.vyos_external_subnet.self_link
+        network_ip          =  local.external_vyos_ip
+
+        assign_external_ip = true
+        static_external_ip = null
+
+        # Enable IAP connections on the external interface.
+        create_iap_ssh_firewall_rule = true
+      },
+      # Secondary interface
+      1 = {
+        network_project_id  = var.project_id
+        network             = google_compute_network.vyos_internal_vpc.self_link
+        subnetwork          = google_compute_subnetwork.vyos_internal_subnet.self_link
+        network_ip          = local.internal_vyos_ip
+
+        assign_external_ip = false
+        static_external_ip = null
+
+        create_iap_ssh_firewall_rule = true
+      }
+    }
+}