
Drop-in Terraform module to set up an HA VPN between GCP and Azure, together with BGP and a private DNS zone on the Azure side for private connectivity to Google services.


cagataygurturk/terraform-google-azure-vpn


VPN between GCP and Azure

This repository contains a drop-in Terraform template that sets up a HA VPN between Azure and Google Cloud Platform.

Features:

  • On the GCP side an HA VPN gateway is set up with two tunnels.
  • On the Azure side an Azure Virtual Network Gateway (VPN type) is set up with two connections. By default the zone-redundant SKU VpnGw1AZ is used, but the SKU can be changed to support higher bandwidths.
  • Both sides are configured with the same randomly generated shared secret (the tunnel pre-shared key).
  • Both sides establish BGP sessions with each other, so the Azure VNet and the Google Cloud VPC automatically learn each other's routes.
  • The routes needed for Private Google Access are advertised from the GCP side to Azure (see Private Google Access below).
  • A private DNS zone is created on the Azure side so that Google API hostnames resolve to private addresses reachable over the VPN.

Installation

This stack requires the following resources:

  • On the Azure side: a subscription, a resource group and a Virtual Network
  • On the GCP side: a project and a VPC network

Many variables have default values. For those without default values, see terraform.tfvars and the Inputs section below.

Example usage

module "vpn" {
  # The VPC, VNet and resource group must exist before the module runs;
  # they are declared elsewhere in the root configuration.
  depends_on       = [google_compute_network.vpc, azurerm_virtual_network.vnet, azurerm_resource_group.test]
  source           = "registry.terraform.io/cagataygurturk/azure-vpn/google"

  # GCP side: project, existing VPC and the region that hosts the HA VPN gateway
  gcp_project_id   = "example-project-id"
  gcp_network_name = "vpc-network"
  gcp_vpn_region   = "us-central1"

  # Azure side: existing resource group and VNet; the module creates the
  # GatewaySubnet from this prefix, so it must lie inside the VNet address space
  azure_resource_group_name             = "example-resource-group"
  azure_vnet_name                       = "example-vnet"
  azure_gateway_subnet_address_prefixes = ["172.16.10.0/24"]
}
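The example above references three resources (google_compute_network.vpc, azurerm_virtual_network.vnet, azurerm_resource_group.test) without declaring them. The following is an added, complete root configuration (not code from this repository) that declares those prerequisites, pins the provider versions listed under Requirements, and then calls the module. Locations, names and CIDRs are constructed placeholders; the module source string is the one from the README.

```hcl
# Added example root configuration; not part of the module itself.
# All names, regions and CIDRs are constructed placeholders.

terraform {
  required_version = ">= 1.3"

  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 2"
    }
    google = {
      source  = "hashicorp/google"
      version = ">= 5.7, < 6"
    }
    google-beta = {
      source  = "hashicorp/google-beta"
      version = ">= 5.7, < 6"
    }
    random = {
      source  = "hashicorp/random"
      version = "~> 3.4"
    }
  }
}

provider "azurerm" {
  # Subscription and credentials come from the environment (az login,
  # ARM_SUBSCRIPTION_ID, ...), never from this file.
  features {}
}

variable "gcp_project_id" {
  type        = string
  description = "Placeholder: the GCP project that will host the HA VPN."
}

provider "google" {
  project = var.gcp_project_id
  region  = "us-central1"
}

# Azure side: resource group and VNet. The module creates the GatewaySubnet
# from azure_gateway_subnet_address_prefixes, so that prefix must fall inside
# the VNet address space and must not already exist as a subnet here.
resource "azurerm_resource_group" "test" {
  name     = "example-resource-group"
  location = "westeurope"
}

resource "azurerm_virtual_network" "vnet" {
  name                = "example-vnet"
  resource_group_name = azurerm_resource_group.test.name
  location            = azurerm_resource_group.test.location
  address_space       = ["172.16.0.0/16"]
}

# GCP side: a custom-mode VPC. auto_create_subnetworks = false avoids the
# auto-mode subnets in 10.128.0.0/9, which would otherwise be advertised over
# BGP and could collide with address ranges already used in Azure.
resource "google_compute_network" "vpc" {
  name                    = "vpc-network"
  auto_create_subnetworks = false
}

module "vpn" {
  source = "registry.terraform.io/cagataygurturk/azure-vpn/google"

  depends_on = [
    google_compute_network.vpc,
    azurerm_virtual_network.vnet,
    azurerm_resource_group.test,
  ]

  gcp_project_id   = var.gcp_project_id
  gcp_network_name = google_compute_network.vpc.name
  gcp_vpn_region   = "us-central1"

  azure_resource_group_name             = azurerm_resource_group.test.name
  azure_vnet_name                       = azurerm_virtual_network.vnet.name
  azure_gateway_subnet_address_prefixes = ["172.16.10.0/24"]
}
```

Passing the names through resource attributes rather than string literals gives Terraform the dependency graph directly; the explicit depends_on is kept as well, matching the README example, because the module looks the VNet and resource group up as data sources. Keep the GCP project ID and Azure subscription out of version control via variables and environment, since the tunnel pre-shared key the module generates ends up in the Terraform state, which therefore needs the same protection as any other secret store.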

Private Google Access

Google Cloud APIs (such as Storage, BigQuery and Pub/Sub) are reached over the public Internet by default. In environments where security policy prohibits that, the same APIs can be reached on private IP addresses, which can be made routable from on-premises networks and other cloud providers over VPNs or Interconnects. This capability is referred to as Private Google Access.

This Terraform module also enables Private Google Access by advertising the necessary IP addresses to the Azure side via BGP and creating a private DNS zone there. With that in place the Google SDKs resolve API hostnames to those private addresses instead of public ones, so as soon as this module is deployed in your environment, all Google API requests from the Azure side are routed through the VPN tunnel. At this moment it is not possible to turn this feature off; please file a feature request if you need to disable it.

If your objective is to restrict Google APIs solely to private IPs and block public Internet access altogether, you may want to explore VPC Service Controls.
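To make the mechanism concrete, the following is an added illustration of the two pieces this section describes: a Cloud Router behind the HA VPN that advertises the private Google API range to Azure over BGP, and an Azure private DNS zone that resolves *.googleapis.com to that range. This is not the module's own code (its internals are not shown on this page): it assumes the private.googleapis.com VIP range 199.36.153.8/30 published by Google, whereas the module may use a different range or naming, and the router, zone, VNet and resource-group names are constructed placeholders. The HA VPN gateway, tunnels and BGP peers that actually carry the route are omitted because the module creates them.

```hcl
# Added illustration of the Private Google Access plumbing; not module code.
# Assumes the private.googleapis.com VIP range 199.36.153.8/30 (Google-published).

locals {
  # private.googleapis.com resolves only to these four addresses; they are
  # reachable solely over a VPN/Interconnect route, never from the Internet.
  private_googleapis_cidr = "199.36.153.8/30"
  private_googleapis_ips  = ["199.36.153.8", "199.36.153.9", "199.36.153.10", "199.36.153.11"]
}

variable "azure_vnet_id" {
  type        = string
  description = "Placeholder: full resource ID of the Azure VNet to link the zone to."
}

# GCP side: the Cloud Router advertises the VIP range in addition to the VPC
# subnets, so the Azure VNet learns a route for 199.36.153.8/30 via BGP.
resource "google_compute_router" "to_azure" {
  name    = "to-azure-router" # placeholder
  network = "vpc-network"     # VPC name as in the README example
  region  = "us-central1"

  bgp {
    asn               = 65516 # gcp_asn default from the Inputs section
    advertise_mode    = "CUSTOM"
    advertised_groups = ["ALL_SUBNETS"]

    advertised_ip_ranges {
      range       = local.private_googleapis_cidr
      description = "private.googleapis.com"
    }
  }
}

# Azure side: a private zone for googleapis.com overrides public resolution
# inside every VNet linked to it, so SDK calls to *.googleapis.com hit the VIPs.
resource "azurerm_private_dns_zone" "googleapis" {
  name                = "googleapis.com"
  resource_group_name = "example-resource-group" # placeholder
}

resource "azurerm_private_dns_a_record" "private_googleapis" {
  name                = "private"
  zone_name           = azurerm_private_dns_zone.googleapis.name
  resource_group_name = azurerm_private_dns_zone.googleapis.resource_group_name
  ttl                 = 300
  records             = local.private_googleapis_ips
}

# Wildcard CNAME: storage.googleapis.com, bigquery.googleapis.com, ...
# -> private.googleapis.com -> the A record above.
resource "azurerm_private_dns_cname_record" "wildcard_googleapis" {
  name                = "*"
  zone_name           = azurerm_private_dns_zone.googleapis.name
  resource_group_name = azurerm_private_dns_zone.googleapis.resource_group_name
  ttl                 = 300
  record              = "private.googleapis.com"
}

# The zone only takes effect for VNets explicitly linked to it.
resource "azurerm_private_dns_zone_virtual_network_link" "vnet" {
  name                  = "example-vnet-link" # placeholder
  resource_group_name   = azurerm_private_dns_zone.googleapis.resource_group_name
  private_dns_zone_name = azurerm_private_dns_zone.googleapis.name
  virtual_network_id    = var.azure_vnet_id
}
```

Two caveats a practitioner should check. First, the private DNS override only applies to clients that use Azure-provided DNS (168.63.129.16) from a linked VNet; VMs pointed at custom DNS servers keep resolving googleapis.com publicly unless those servers forward the zone, and a quick test is to resolve storage.googleapis.com from an Azure VM and confirm it returns a 199.36.153.x address. Second, private.googleapis.com provides private reachability but does not enforce VPC Service Controls perimeters; the restricted.googleapis.com VIPs (199.36.153.4/30) do, which is the variant to consider when following the VPC Service Controls pointer above.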

Requirements

  • terraform >= 1.3
  • azurerm ~> 2
  • google >= 5.7, < 6
  • google-beta >= 5.7, < 6
  • random ~> 3.4

Providers

  • azurerm ~> 2
  • google >= 5.7, < 6
  • random ~> 3.4

Resources

  • azurerm_resource_group.current (data source)
  • azurerm_virtual_network.current (data source)
  • google_compute_network.vpc (data source)
  • google_project.gcp_project (data source)

Inputs

Each input is listed as name (type, default or required): description.

  • azure_asn (number, default 65515): Specifies the ASN of the Azure side of the BGP session.
  • azure_bgp_ips (list(string), default ["169.254.21.1", "169.254.22.1"]): No description given.
  • azure_gateway_subnet_address_prefixes (list(string), required): The CIDR of the gateway subnet of a virtual network in which the virtual network gateway will be created.
  • azure_public_ip_availability_zone (string, default "Zone-Redundant"): The availability zone to allocate the Public IP in. Possible values are Zone-Redundant, 1, 2, 3, and No-Zone. Note that standard Public IPs associated with VPN Gateways with AZ VPN SKUs must have zones configured.
  • azure_public_ip_sku (string, default "Standard"): The SKU of the Public IP. Accepted values are Basic and Standard.
  • azure_resource_group_name (string, required): Specifies the name of the resource group the Virtual Network Gateway is located in.
  • azure_vnet_name (string, required): Specifies the name of the Azure Virtual Network the Virtual Network Gateway is located in.
  • azure_vpn_generation (string, default "Generation1"): The Generation of the Virtual Network Gateway.
  • azure_vpn_name (string, default "to-gcp"): Specifies the name of the Azure Virtual Network Gateway.
  • azure_vpn_sku (string, default "VpnGw1AZ"): Configuration of the size and capacity of the Azure Virtual Network Gateway.
  • gcp_asn (number, default 65516): Specifies the ASN of the GCP side of the BGP session.
  • gcp_bgp_ips (list(string), default ["169.254.21.2", "169.254.22.2"]): No description given.
  • gcp_network_name (string, required): Specifies the name of the VPC the VPN will be located in.
  • gcp_project_id (string, required): Specifies the project ID of the Google project the VPN will be located in.
  • gcp_vpn_name (string, default "to-azure"): Specifies the name of the GCP VPN.
  • gcp_vpn_region (string, required): Specifies the GCP region the VPN will be located in.

Outputs

No outputs.

License

Apache License 2.0
