Virtual Private Cloud (VPC)
A Virtual Private Cloud (VPC) is a virtualized network on a cloud platform that behaves like a physical network.
A GCP VPC provides networking for resources and services such as Compute Engine instances, Kubernetes clusters and Cloud SQL instances on Google Cloud Platform.
A VPC is a global resource that is divided into regional subnets. We can deploy a GCP VPC with Terraform.
We are going to create a VPC called “devops-counsel-vpc” using Terraform.
devops-counsel-vpc will have the following subnets and firewall rules.
| Subnet Name | CIDR | Region |
|---|---|---|
| devops-counsel-subnet-1 | 172.16.1.0/24 | us-central1 |
| devops-counsel-vpc-subnet-2 | 172.16.3.0/24 | us-west1 |
The devops-counsel-subnet-1 subnet will have the following secondary IP ranges.
| Range Name | CIDR |
|---|---|
| k8s-pods | 172.22.0.0/16 |
| k8s-services | 172.16.2.0/24 |
The first firewall rule allows TCP port 22 from any source address (0.0.0.0/0), so anyone on the internet can SSH to the Compute Engine instances.
The second firewall rule allows traffic on all ports for all protocols (TCP, UDP and ICMP in the rule below) originating from the subnets inside devops-counsel-vpc, so Compute Engine instances can communicate with each other.
Deployment of VPC with Terraform Code
Copy the following code to a .tf file and apply it with “terraform apply”.
# VPC in custom-mode: no automatic subnets, we define them below
resource "google_compute_network" "vpc_network" {
  name                    = "devops-counsel-vpc"
  auto_create_subnetworks = false
  project                 = "devops-counsel-demo"
}

# Primary subnet with two secondary ranges (used for GKE pods and services)
resource "google_compute_subnetwork" "subnet-1" {
  name          = "devops-counsel-subnet-1"
  ip_cidr_range = "172.16.1.0/24"
  region        = "us-central1"
  network       = google_compute_network.vpc_network.id

  secondary_ip_range {
    range_name    = "k8s-pods"
    ip_cidr_range = "172.22.0.0/16"
  }

  secondary_ip_range {
    range_name    = "k8s-services"
    ip_cidr_range = "172.16.2.0/24"
  }
}

# Second subnet, no secondary ranges
resource "google_compute_subnetwork" "subnet-2" {
  name          = "devops-counsel-subnet-2"
  ip_cidr_range = "172.16.3.0/24"
  region        = "us-central1"
  network       = google_compute_network.vpc_network.id
}

# Ingress rule: TCP/22 from any source address
resource "google_compute_firewall" "allow-ssh" {
  name    = "allow-ssh"
  project = "devops-counsel-demo"
  network = google_compute_network.vpc_network.id

  allow {
    protocol = "tcp"
    ports    = ["22"]
  }

  source_ranges = ["0.0.0.0/0"]
}

# Ingress rule: all TCP and UDP ports plus ICMP from the listed ranges
resource "google_compute_firewall" "allow-internal" {
  name    = "allow-internal"
  project = "devops-counsel-demo"
  network = google_compute_network.vpc_network.id

  allow {
    protocol = "tcp"
    ports    = ["1-65535"]
  }

  allow {
    protocol = "udp"
    ports    = ["1-65535"]
  }

  allow {
    protocol = "icmp"
  }

  source_ranges = ["172.16.0.0/24", "172.16.1.0/24", "172.16.2.0/24"]
}
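The two firewall rules above are the part of this configuration a practitioner would tighten before applying it. As written, allow-ssh exposes port 22 to every address on the internet, and the hand-typed source_ranges list of allow-internal does not match the subnets described earlier: it includes 172.16.0.0/24, which is not a range in this VPC, and omits subnet-2's 172.16.3.0/24 and the k8s-pods range 172.22.0.0/16. The block below is an added example, not code from the original post: it restricts SSH to an assumed administrator range and network tag, refuses to apply if that range is ever set to 0.0.0.0/0, derives the internal rule's sources from the subnet resources so the list cannot drift, and turns on firewall rule logging. The variable name, the resource names allow-ssh-admin and allow-internal-vpc, the ssh-admin tag and the 203.0.113.0/24 value are all assumptions (203.0.113.0/24 is a documentation range, to be replaced with a real bastion or VPN range).

```hcl
# Added example (not from the original post). Assumed: variable name,
# resource names, the "ssh-admin" tag and the placeholder admin CIDR.

variable "admin_source_ranges" {
  description = "CIDRs allowed to reach TCP/22 (placeholder; replace with your bastion/VPN range)"
  type        = list(string)
  default     = ["203.0.113.0/24"] # assumed placeholder, RFC 5737 documentation range
}

locals {
  # Every primary and secondary range that belongs to devops-counsel-vpc,
  # read from the subnet resources so the rule follows any later CIDR change.
  internal_ranges = concat(
    [
      google_compute_subnetwork.subnet-1.ip_cidr_range, # 172.16.1.0/24
      google_compute_subnetwork.subnet-2.ip_cidr_range, # 172.16.3.0/24
    ],
    # 172.22.0.0/16 (k8s-pods) and 172.16.2.0/24 (k8s-services)
    [for r in google_compute_subnetwork.subnet-1.secondary_ip_range : r.ip_cidr_range],
  )
}

# Replacement for allow-ssh: scoped by source range and by target tag,
# so only instances that carry the tag are reachable at all.
resource "google_compute_firewall" "allow-ssh-admin" {
  name    = "allow-ssh-admin"
  project = "devops-counsel-demo"
  network = google_compute_network.vpc_network.id

  allow {
    protocol = "tcp"
    ports    = ["22"]
  }

  source_ranges = var.admin_source_ranges
  target_tags   = ["ssh-admin"]

  # Log every connection matched by this rule to Cloud Logging.
  log_config {
    metadata = "INCLUDE_ALL_METADATA"
  }

  # Guardrail: terraform plan/apply fails if the variable is widened to 0.0.0.0/0.
  lifecycle {
    precondition {
      condition     = !contains(var.admin_source_ranges, "0.0.0.0/0")
      error_message = "admin_source_ranges must not contain 0.0.0.0/0; SSH is not to be open to the internet."
    }
  }
}

# Replacement for allow-internal: same ports and protocols, but the sources
# are exactly the VPC's own primary and secondary ranges.
resource "google_compute_firewall" "allow-internal-vpc" {
  name    = "allow-internal-vpc"
  project = "devops-counsel-demo"
  network = google_compute_network.vpc_network.id

  allow {
    protocol = "tcp"
    ports    = ["1-65535"]
  }

  allow {
    protocol = "udp"
    ports    = ["1-65535"]
  }

  allow {
    protocol = "icmp"
  }

  source_ranges = local.internal_ranges

  log_config {
    metadata = "EXCLUDE_ALL_METADATA"
  }
}
```

Use these two resources in place of the original allow-ssh and allow-internal blocks (the network and subnet resources stay as they are) and add the ssh-admin network tag to the instances that should accept administrative SSH. The lifecycle precondition needs Terraform 1.2 or later; on older versions drop that block and review the variable value in the plan output instead.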
Running terraform apply on this code shows the following plan and creates these five resources.
Terraform will perform the following actions:
  # google_compute_firewall.allow-internal will be created
  + resource "google_compute_firewall" "allow-internal" {
      + creation_timestamp = (known after apply)
      + destination_ranges = (known after apply)
      + direction          = (known after apply)
      + enable_logging     = (known after apply)
      + id                 = (known after apply)
      + name               = "allow-internal"
      + network            = (known after apply)
      + priority           = 1000
      + project            = "devops-counsel-demo"
      + self_link          = (known after apply)
      + source_ranges      = [
          + "172.16.0.0/24",
          + "172.16.1.0/24",
          + "172.16.2.0/24",
        ]

      + allow {
          + ports    = [
              + "1-65535",
            ]
          + protocol = "tcp"
        }
      + allow {
          + ports    = [
              + "1-65535",
            ]
          + protocol = "udp"
        }
      + allow {
          + ports    = []
          + protocol = "icmp"
        }
    }

  # google_compute_firewall.allow-ssh will be created
  + resource "google_compute_firewall" "allow-ssh" {
      + creation_timestamp = (known after apply)
      + destination_ranges = (known after apply)
      + direction          = (known after apply)
      + enable_logging     = (known after apply)
      + id                 = (known after apply)
      + name               = "allow-ssh"
      + network            = (known after apply)
      + priority           = 1000
      + project            = "devops-counsel-demo"
      + self_link          = (known after apply)
      + source_ranges      = [
          + "0.0.0.0/0",
        ]

      + allow {
          + ports    = [
              + "22",
            ]
          + protocol = "tcp"
        }
    }

  # google_compute_network.vpc_network will be created
  + resource "google_compute_network" "vpc_network" {
      + auto_create_subnetworks         = false
      + delete_default_routes_on_create = false
      + gateway_ipv4                    = (known after apply)
      + id                              = (known after apply)
      + mtu                             = (known after apply)
      + name                            = "devops-counsel-vpc"
      + project                         = "devops-counsel-demo"
      + routing_mode                    = (known after apply)
      + self_link                       = (known after apply)
    }

  # google_compute_subnetwork.subnet-1 will be created
  + resource "google_compute_subnetwork" "subnet-1" {
      + creation_timestamp         = (known after apply)
      + external_ipv6_prefix       = (known after apply)
      + fingerprint                = (known after apply)
      + gateway_address            = (known after apply)
      + id                         = (known after apply)
      + ip_cidr_range              = "172.16.1.0/24"
      + ipv6_cidr_range            = (known after apply)
      + name                       = "devops-counsel-subnet-1"
      + network                    = (known after apply)
      + private_ipv6_google_access = (known after apply)
      + project                    = (known after apply)
      + purpose                    = (known after apply)
      + region                     = "us-central1"
      + secondary_ip_range         = [
          + {
              + ip_cidr_range = "172.22.0.0/16"
              + range_name    = "k8s-pods"
            },
          + {
              + ip_cidr_range = "172.16.2.0/24"
              + range_name    = "k8s-services"
            },
        ]
      + self_link                  = (known after apply)
      + stack_type                 = (known after apply)
    }

  # google_compute_subnetwork.subnet-2 will be created
  + resource "google_compute_subnetwork" "subnet-2" {
      + creation_timestamp         = (known after apply)
      + external_ipv6_prefix       = (known after apply)
      + fingerprint                = (known after apply)
      + gateway_address            = (known after apply)
      + id                         = (known after apply)
      + ip_cidr_range              = "172.16.3.0/24"
      + ipv6_cidr_range            = (known after apply)
      + name                       = "devops-counsel-subnet-2"
      + network                    = (known after apply)
      + private_ipv6_google_access = (known after apply)
      + project                    = (known after apply)
      + purpose                    = (known after apply)
      + region                     = "us-central1"
      + secondary_ip_range         = (known after apply)
      + self_link                  = (known after apply)
      + stack_type                 = (known after apply)
    }
Plan: 5 to add, 0 to change, 0 to destroy.
Do you want to perform these actions?
Terraform will perform the actions described above.
Only 'yes' will be accepted to approve.
Enter a value: yes
google_compute_network.vpc_network: Creating...
google_compute_network.vpc_network: Still creating... [10s elapsed]
google_compute_network.vpc_network: Still creating... [20s elapsed]
google_compute_network.vpc_network: Creation complete after 22s [id=projects/devops-counsel-demo/global/networks/devops-counsel-vpc]
google_compute_subnetwork.subnet-2: Creating...
google_compute_firewall.allow-ssh: Creating...
google_compute_firewall.allow-internal: Creating...
google_compute_subnetwork.subnet-1: Creating...
google_compute_subnetwork.subnet-2: Still creating... [10s elapsed]
google_compute_firewall.allow-ssh: Still creating... [10s elapsed]
google_compute_firewall.allow-internal: Still creating... [10s elapsed]
google_compute_subnetwork.subnet-1: Still creating... [10s elapsed]
google_compute_subnetwork.subnet-2: Creation complete after 11s [id=projects/devops-counsel-demo/regions/us-central1/subnetworks/devops-counsel-subnet-2]
google_compute_firewall.allow-ssh: Creation complete after 11s [id=projects/devops-counsel-demo/global/firewalls/allow-ssh]
google_compute_firewall.allow-internal: Creation complete after 11s [id=projects/devops-counsel-demo/global/firewalls/allow-internal]
google_compute_subnetwork.subnet-1: Still creating... [20s elapsed]
google_compute_subnetwork.subnet-1: Creation complete after 21s [id=projects/devops-counsel-demo/regions/us-central1/subnetworks/devops-counsel-subnet-1]
Apply complete! Resources: 5 added, 0 changed, 0 destroyed.
You can see the newly created VPC in the GCP console.
For more information about GCP VPC, refer to the Google Cloud VPC documentation.
Refer to the Terraform documentation for GCP VPC for the other argument references.