This repository contains a drop-in Terraform module that sets up a HA VPN between GCP and Oracle Cloud Infrastructure (OCI).
- Establishes a HA VPN on the GCP side with two or four tunnels. (Refer to the documentation for more information.)
- Sets up two Site-to-Site VPN connections on the OCI side with two connections each.
- Configures both sides to establish BGP sessions, allowing the two platforms to automatically learn routes from each other.
- Propagates proper routes from the GCP side to enable Private Google Access from OCI.
On the OCI side: Create a compartment and a Distributed Routing Gateway (DRG). On the GCP side: Set up a project and a VPC network.
module "vpn" {
source = "registry.terraform.io/cagataygurturk/oci-vpn/google"
version = "1.0.0"
providers = {
google = google
oci = oci
}
gcp_network_name = var.gcp_network_name
gcp_project_id = var.gcp_project_id
gcp_vpn_region = var.gcp_vpn_region
oci_compartment_id = var.oci_compartment_id
oci_drg_id = var.oci_drg_id
}For an HA VPN, Google Cloud creates two IP addresses that must be utilized by at least one tunnel each. When a Site-to-Site VPN is installed on the OCI side, two tunnels are created with diverse IPs. However, OCI does not support assigning these IPs to connect to two different Customer Premise Equipments (CPE). To overcome this limitation, this module deploys two Site-to-Site VPNs, creating four OCI tunnels in total. The module also provides the option to create four tunnels on the GCP side (two for each GCP VPN IP). By selecting this option, full high availability and higher bandwidth can be achieved. However, please note that each tunnel incurs an additional cost on the GCP side, and using four tunnels may be excessive. To address this, the module includes the four_tunnels_redundancy option, which allows for the use of only two tunnels. In this configuration, each GCP IP is terminated to one of the tunnels of the two Site-to-Site VPNs on the OCI side. With this setup, only one tunnel from each VPN on the OCI side will be utilized, and OCI might raise concerns about the lack of high availability. However, since two VPNs are established, high availability is still achieved.`
| Name | Version |
|---|---|
| >= 3.30.0, < 5.0 | |
| oci | ~> 5.0 |
| Name | Version |
|---|---|
| >= 3.30.0, < 5.0 | |
| oci | ~> 5.0 |
| random | n/a |
| Name | Type |
|---|---|
| google_compute_network.vpc | data source |
| google_project.gcp_project | data source |
| oci_core_ipsec_connection_tunnels.gcp | data source |
| oci_identity_compartment.compartment | data source |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| four_tunnels_redundancy | Whether to deploy four tunnels or not. When set to false, only two tunnels are established. |
bool |
false |
no |
| gcp_asn | Specifies the ASN of GCP side of the BGP session | number |
65516 |
no |
| gcp_network_name | Specifies the name of the VPC the VPN will be located in | string |
n/a | yes |
| gcp_project_id | Specifies the project ID of Google project the VPN will be located in | string |
n/a | yes |
| gcp_vpn_region | Specifies the GCP region the VPN will be located in | string |
n/a | yes |
| oci_compartment_id | OCID of the compartment where the VPN will be created | string |
n/a | yes |
| oci_drg_id | OCID of the DRG (Dynamic Routing Gateway) where the VPN will be connected to | string |
n/a | yes |
| shared_secret | Shared secret for the VPN connection. When left empty, a random secret is created and shared between GCP and OCI. | string |
null |
no |
| Name | Description |
|---|---|
| shared_secret | Shared Secret that was used to establish the VPN connection |