Managing VPC Networks with Terraform

Learn how to set up and manage Google Cloud VPC networks using Terraform

This guide builds a custom-mode Google Cloud VPC in Terraform: one subnet with secondary ranges and VPC Flow Logs, ingress firewall rules, Cloud NAT so instances without external IPs can reach the internet, and VPC Network Peering to a second network.

Prerequisites

  • Google Cloud SDK installed and configured
  • Terraform installed (version 1.0.0 or later)
  • A GCP project with billing enabled

Provider Configuration

terraform {
  required_providers {
    google = {
      source  = "hashicorp/google"
      version = "~> 4.0"
    }
  }
}

provider "google" {
  project = var.project_id
  region  = var.region
}

Variables

variable "project_id" {
  description = "The ID of the GCP project"
  type        = string
}

variable "region" {
  description = "The region to deploy resources to"
  type        = string
  default     = "us-central1"
}

variable "network_name" {
  description = "Name of the VPC network"
  type        = string
}

VPC Network Configuration

resource "google_compute_network" "vpc_network" {
  name                    = var.network_name
  auto_create_subnetworks = false    # custom mode: no automatic subnet in every region
  routing_mode            = "GLOBAL" # Cloud Router advertises and learns routes for all regions
  mtu                     = 1460

  # Keep the default route to the internet gateway; Cloud NAT below depends on it for egress.
  delete_default_routes_on_create = false
}

resource "google_compute_subnetwork" "subnet" {
  name          = "${var.network_name}-subnet"
  ip_cidr_range = "10.0.0.0/24"
  region        = var.region
  network       = google_compute_network.vpc_network.id

  # Lets VMs without external IPs reach Google APIs over the internal path.
  private_ip_google_access = true

  # Secondary ranges for a VPC-native GKE cluster (services and pods). They must not
  # overlap the primary range, each other, or the subnets of any peered network.
  secondary_ip_range {
    range_name    = "services-range"
    ip_cidr_range = "192.168.1.0/24"
  }

  secondary_ip_range {
    range_name    = "pod-ranges"
    ip_cidr_range = "192.168.64.0/22"
  }

  # VPC Flow Logs: 50% sampling with full metadata is a workable default for detection;
  # raise flow_sampling toward 1.0 while investigating an incident.
  log_config {
    aggregation_interval = "INTERVAL_10_MIN"
    flow_sampling        = 0.5
    metadata             = "INCLUDE_ALL_METADATA"
  }
}

Firewall Rules

resource "google_compute_firewall" "allow_internal" {
  name    = "${var.network_name}-allow-internal"
  network = google_compute_network.vpc_network.name

  allow {
    protocol = "icmp"
  }

  allow {
    protocol = "tcp"
    ports    = ["0-65535"]
  }

  allow {
    protocol = "udp"
    ports    = ["0-65535"]
  }

  # Derive the trusted sources from the subnet itself so the rule covers the primary
  # range and both secondary ranges. A hard-coded "10.0.0.0/8" would miss the
  # 192.168.x.x pod and service ranges above and admit everything else in 10/8.
  source_ranges = concat(
    [google_compute_subnetwork.subnet.ip_cidr_range],
    [for r in google_compute_subnetwork.subnet.secondary_ip_range : r.ip_cidr_range]
  )

  log_config {
    metadata = "INCLUDE_ALL_METADATA"
  }
}

resource "google_compute_firewall" "allow_ssh" {
  name    = "${var.network_name}-allow-ssh"
  network = google_compute_network.vpc_network.name

  allow {
    protocol = "tcp"
    ports    = ["22"]
  }

  # Accept SSH only from Identity-Aware Proxy TCP forwarding (Google's published IAP
  # source range) instead of 0.0.0.0/0, and only to instances tagged "ssh".
  # Connect with: gcloud compute ssh NAME --zone ZONE --tunnel-through-iap
  source_ranges = ["35.235.240.0/20"]
  target_tags   = ["ssh"]

  log_config {
    metadata = "INCLUDE_ALL_METADATA"
  }
}
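
Firewall rules are the part of this configuration most likely to drift into an insecure state, so it is worth checking them before every apply. The script below is an added example, not code from the original tutorial: it reads the JSON rendering of a Terraform plan (`terraform plan -out=tfplan && terraform show -json tfplan > plan.json`) and flags ingress rules that lack logging, that admit 0.0.0.0/0 on all ports or on admin ports, or that apply to every VM because they have no target. The set of ports considered acceptable from the internet (`INTERNET_OK_PORTS`) is an assumption for the example, and the sample plan embedded at the bottom is constructed to mirror the two rules above so the script runs offline.

```python
"""Audit google_compute_firewall resources in a Terraform plan for risky ingress rules.

Added example, not code from the original tutorial. Produce the input with
`terraform plan -out=tfplan && terraform show -json tfplan > plan.json` and pass the
file as the first argument; without an argument the constructed sample plan below is used.
"""
import ipaddress
import json
import sys

ADMIN_PORTS = {22, 3389}        # reach these via IAP (source 35.235.240.0/20), never from 0.0.0.0/0
INTERNET_OK_PORTS = {80, 443}   # assumption for this example: public web ports are acceptable


def _port_set(ports):
    """Expand ["22", "8000-8100"] into a set of ints; an empty list means every port."""
    out = set()
    for p in ports:
        lo, _, hi = str(p).partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out


def iter_resources(plan):
    """Yield (type, values) for each planned resource, recursing into child modules."""
    stack = [plan.get("planned_values", {}).get("root_module", {})]
    while stack:
        module = stack.pop()
        for res in module.get("resources", []):
            yield res.get("type"), res.get("values", {})
        stack.extend(module.get("child_modules", []))


def audit_firewall(values):
    """Return finding codes for one rule's planned values (empty list = nothing to flag)."""
    findings = []
    if values.get("direction", "INGRESS") != "INGRESS" or values.get("disabled"):
        return findings
    if not values.get("log_config"):
        findings.append("no_logging")
    sources = [ipaddress.ip_network(s) for s in values.get("source_ranges") or []]
    if not any(n.prefixlen == 0 for n in sources):   # 0.0.0.0/0 or ::/0 present?
        return findings
    if not values.get("target_tags") and not values.get("target_service_accounts"):
        findings.append("internet_rule_without_target")  # applies to every VM in the network
    for allow in values.get("allow") or []:
        proto = str(allow.get("protocol", "")).lower()
        ports = _port_set(allow.get("ports") or [])
        if proto == "all" or (proto in ("tcp", "udp") and (not ports or len(ports) == 65536)):
            findings.append("internet_all_ports")
            continue
        for port in sorted(ports):
            if port in ADMIN_PORTS:
                findings.append(f"internet_admin_port:{port}")
            elif port not in INTERNET_OK_PORTS:
                findings.append(f"internet_port:{port}")
    return findings


def audit_plan(plan):
    """Map rule name -> findings for every google_compute_firewall that has findings."""
    report = {}
    for rtype, values in iter_resources(plan):
        if rtype == "google_compute_firewall":
            findings = audit_firewall(values)
            if findings:
                report[values.get("name", "?")] = findings
    return report


# Constructed sample: the guide's two rules as `terraform show -json` renders them,
# with the original 10.0.0.0/8 and 0.0.0.0/0 sources and no log_config.
SAMPLE_PLAN = {"planned_values": {"root_module": {"resources": [
    {"type": "google_compute_firewall", "values": {
        "name": "prod-allow-internal", "direction": "INGRESS",
        "source_ranges": ["10.0.0.0/8"], "log_config": [],
        "allow": [{"protocol": "icmp", "ports": []},
                  {"protocol": "tcp", "ports": ["0-65535"]},
                  {"protocol": "udp", "ports": ["0-65535"]}]}},
    {"type": "google_compute_firewall", "values": {
        "name": "prod-allow-ssh", "direction": "INGRESS",
        "source_ranges": ["0.0.0.0/0"], "target_tags": ["ssh"], "log_config": [],
        "allow": [{"protocol": "tcp", "ports": ["22"]}]}},
]}}}

if __name__ == "__main__":
    plan = SAMPLE_PLAN
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as f:
            plan = json.load(f)
    report = audit_plan(plan)
    for name, findings in report.items():
        print(f"{name}: {', '.join(findings)}")
    sys.exit(1 if report else 0)   # non-zero exit so a CI job fails on findings
```

Run it as a step after `terraform plan` in CI; the non-zero exit blocks the apply until the rule is scoped to a named source range (the IAP range for SSH) and has a log_config block. The check reads planned values, so it also catches rules coming from modules and from `for_each` loops that a grep over the .tf files would miss.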

NAT Configuration

resource "google_compute_router" "router" {
  name    = "${var.network_name}-router"
  region  = var.region
  network = google_compute_network.vpc_network.id
}

# A reserved static address gives the network a stable egress IP that third parties
# can allowlist, and it populates the nat_ips attribute read by the outputs below
# (with nat_ip_allocate_option = "AUTO_ONLY" that attribute stays empty).
resource "google_compute_address" "nat" {
  name   = "${var.network_name}-nat-ip"
  region = var.region
}

resource "google_compute_router_nat" "nat" {
  name                               = "${var.network_name}-nat"
  router                             = google_compute_router.router.name
  region                             = var.region
  nat_ip_allocate_option             = "MANUAL_ONLY"
  nat_ips                            = [google_compute_address.nat.self_link]
  source_subnetwork_ip_ranges_to_nat = "ALL_SUBNETWORKS_ALL_IP_RANGES"

  log_config {
    enable = true
    # "ALL" records every translation, not only errors; that is what lets you
    # attribute an outbound connection to a specific VM during an incident.
    filter = "ALL"
  }
}

VPC Peering

Peering is not transitive and must be created from both networks before it becomes active, and the two networks' subnet ranges (secondary ranges included) must not overlap. Importing the peer's custom routes extends your routing trust boundary to whatever that project advertises, so enable import_custom_routes only when you need it. The peer is identified by two variables that the Variables section above does not declare, so they are declared here.

variable "peer_project" {
  description = "Project ID of the network to peer with"
  type        = string
}

variable "peer_network" {
  description = "Name of the network to peer with"
  type        = string
}

resource "google_compute_network_peering" "peering1" {
  name         = "peering1"
  network      = google_compute_network.vpc_network.id
  peer_network = "projects/${var.peer_project}/global/networks/${var.peer_network}"

  # Both default to false; custom (static and dynamic) routes cross the peering only when set.
  export_custom_routes = true
  import_custom_routes = true
}
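
Both the subnet's range layout and the peering above depend on IP ranges being planned correctly, and Terraform will only tell you about an overlap when the API rejects the apply. The following script is an added example, not code from the original tutorial; it checks the guide's subnet ranges against each other and against a peer's ranges, and also verifies that an internal firewall rule's source_ranges really cover every local range (the guide's 10.0.0.0/8 source does not cover the 192.168.x.x secondary ranges). The peer ranges are constructed for illustration.

```python
"""Validate the IP plan of a VPC before `terraform apply`.

Added example, not code from the original tutorial. It checks that the subnet's
primary and secondary ranges do not overlap each other or a peer network's ranges
(VPC Network Peering refuses to connect networks with overlapping subnet ranges),
and that the internal firewall rule's source_ranges cover every local range. The
peer ranges below are constructed for illustration.
"""
import ipaddress
from itertools import combinations

# Ranges from this guide's subnet resource.
LOCAL_RANGES = {
    "subnet": "10.0.0.0/24",
    "services-range": "192.168.1.0/24",
    "pod-ranges": "192.168.64.0/22",
}
PEER_OK = {"subnet": "10.1.0.0/24"}        # constructed: a peer that can be connected
PEER_BAD = {"subnet": "192.168.64.0/24"}   # constructed: collides with pod-ranges


def find_overlaps(named_ranges):
    """named_ranges: [(label, cidr)]. Return (label_a, label_b) for every overlapping pair."""
    nets = [(label, ipaddress.ip_network(cidr)) for label, cidr in named_ranges]
    return [(a, b) for (a, na), (b, nb) in combinations(nets, 2) if na.overlaps(nb)]


def uncovered_ranges(local_cidrs, source_ranges):
    """Return local ranges that no entry in a firewall rule's source_ranges fully contains."""
    sources = [ipaddress.ip_network(s) for s in source_ranges]
    return [c for c in local_cidrs
            if not any(ipaddress.ip_network(c).subnet_of(s) for s in sources)]


def check_plan(local, peer, internal_sources):
    """local/peer: {label: cidr}. Return a dict of findings; an empty dict means the plan is clean."""
    labelled = [(f"local:{k}", v) for k, v in local.items()] + \
               [(f"peer:{k}", v) for k, v in peer.items()]
    findings = {}
    overlaps = find_overlaps(labelled)
    if overlaps:
        findings["overlaps"] = overlaps
    missing = uncovered_ranges(list(local.values()), internal_sources)
    if missing:
        findings["internal_rule_misses"] = missing
    return findings


if __name__ == "__main__":
    # An allow-internal rule with source_ranges = ["10.0.0.0/8"] misses the
    # 192.168.x.x secondary ranges, so pod and service traffic is not admitted by it.
    print(check_plan(LOCAL_RANGES, PEER_OK, ["10.0.0.0/8"]))
    # Using the subnet's own ranges as sources fixes that; the colliding peer is still reported.
    print(check_plan(LOCAL_RANGES, PEER_BAD, list(LOCAL_RANGES.values())))
```

Keep the local and peer range tables next to the Terraform code (or generate them from `terraform show -json`) and run the check before applying a new subnet or peering; an overlap found here costs seconds, while one found by the peering API after the subnet exists usually means renumbering.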

Outputs

output "network_id" {
  value       = google_compute_network.vpc_network.id
  description = "The ID of the VPC network"
}

output "subnet_id" {
  value       = google_compute_subnetwork.subnet.id
  description = "The ID of the subnet"
}

output "nat_ip" {
  value       = google_compute_router_nat.nat.nat_ips
  description = "Self-links of the static NAT IP addresses (empty when nat_ip_allocate_option is AUTO_ONLY, since auto-allocated addresses are not exposed through this attribute)"
}

Best Practices

  1. Network Design:

    • Plan IP ranges before the first apply; changing ip_cidr_range later forces the subnet to be replaced
    • Size the primary range for the VMs and reserve separate secondary ranges for pods and services
    • Segment with subnets plus firewall targets (tags or service accounts), not one flat range with one allow-all rule
    • Leave unallocated space so new regions and peerings do not require renumbering
  2. Security:

    • Admit only the sources each rule needs; never expose SSH or RDP to 0.0.0.0/0 when IAP TCP forwarding is available
    • Prefer target_service_accounts over target_tags for sensitive rules, since tags can be changed by anyone who can edit the instance
    • Enable VPC Flow Logs, firewall rule logging and Cloud NAT logging so traffic can be attributed after the fact
    • Audit firewall rules and peerings regularly, ideally as an automated check on the Terraform plan in CI
  3. Performance:

    • Place subnets in the regions where the workloads and their users are
    • Choose the routing mode deliberately: GLOBAL shares Cloud Router routes across regions, REGIONAL keeps them local
    • Watch VPC Flow Logs and NAT port usage for saturation
    • Keep traffic inside the VPC or over peering rather than hairpinning through external IPs
  4. Cost Optimization:

    • Monitor egress traffic, which is billed, and keep Google API traffic on Private Google Access
    • Size NAT ports per VM to the workload instead of over-provisioning static addresses
    • Destroy unused subnets, addresses and peerings with terraform destroy or by removing them from the configuration
    • Review billing exports for the network periodically

Common Operations

Creating Resources

terraform init
terraform plan
terraform apply

Testing Connectivity

# Reach a VM that has no external IP through IAP TCP forwarding
gcloud compute ssh INSTANCE_NAME --zone=ZONE --tunnel-through-iap

# From inside that VM: the address returned should be the Cloud NAT IP, not an address of the VM
curl ifconfig.me

Best Practices and Tips

  1. Network Management:

    • Document every primary and secondary range and which workload owns it
    • Use a consistent naming convention (the "${var.network_name}-..." pattern used here)
    • Monitor the network continuously rather than only when something breaks
    • Keep the Terraform state backed up and locked in a remote backend
  2. Security:

    • Audit firewall rules and peerings on a schedule
    • Review VPC Flow Logs, firewall logs and NAT logs for unexpected sources and destinations
    • Tighten or remove firewall rules as workloads change instead of accumulating them
    • Review who can modify network resources and instance tags
  3. Operations:

    • Monitor latency and throughput per subnet
    • Track NAT port allocation and dropped-connection metrics
    • Alert on firewall rule changes and new peerings
    • Apply changes through terraform plan and review before terraform apply

Conclusion

You’ve learned how to set up and manage Google Cloud VPC networks using Terraform. This setup provides:

  • A custom-mode VPC with a subnet, secondary ranges and VPC Flow Logs
  • Firewall rules scoped to known source ranges and targets
  • Cloud NAT egress for instances that have no external IP
  • VPC Network Peering to a second project, with its inputs declared as variables
  • A configuration that can be planned, reviewed and applied repeatably