
Is 3-networks-dual-svpc no longer available as a network design?

Open salehpremiercloud opened this issue 6 months ago • 2 comments

I am deploying this and have a requirement to create 2 VPCs for restricted and non-restricted workloads.

I recall not long ago seeing an option to deploy the blueprint with 2 shared VPCs, one as a normal VPC, while the other is restricted.

In the current version I don't see that folder, which should be called '3-networks-dual-svpc', so has this option been removed, or is it still possible to use the related module from somewhere in the structure?

salehpremiercloud, May 05 '25 10:05

I am wondering if the recent change is a mistake. It seems the new svpc is using the restricted vpc private_service_connect:

https://github.com/terraform-google-modules/terraform-example-foundation/blob/main/3-networks-svpc/modules/shared_vpc/private_service_connect.tf#L26

The shared vpc now uses forwarding_rule_target = "vpc-sc"

In the old example, the shared vpc uses forwarding_rule_target = "all-apis" https://github.com/terraform-google-modules/terraform-example-foundation/blob/7acb98350145d16b24fe6500a15ede70bc379a22/3-networks-dual-svpc/modules/base_shared_vpc/private_service_connect.tf#L26

Shouldn't this be all-apis?

If you set forwarding_rule_target = "vpc-sc", your Private Service Connect forwarding rule will only allow access to the Google APIs that are protected by VPC Service Controls — the ones inside that VPC-SC perimeter.

What this means: You won’t be able to use Google APIs that are not protected by VPC Service Controls through that forwarding rule.

So, any API outside the VPC-SC scope won’t be reachable via PSC if your forwarding rule targets "vpc-sc".

For example, some Google APIs like Compute Engine, Cloud DNS, or some newer or less sensitive APIs might not be protected by VPC-SC yet and won’t be accessible.

ajbeach2, Jun 05 '25 15:06

@salehpremiercloud the main difference between the shared and restricted is the forwarding_rule_target and the regular_service_perimeter resource.

The old shared vpc example (non restricted) allows for all Google APIs (not just the APIs behind restricted.googleapis.com).

With forwarding_rule_target set to vpc-sc, which I think is a bug (#1417), this example would only work for restricted APIs.

ajbeach2, Jun 05 '25 19:06
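To make the two settings contrasted in the comments above concrete, here is an added example of a Private Service Connect endpoint for the base (non-restricted) shared VPC; it is not the foundation's own module code. The project id, network id, address and resource names are assumptions; the `target` values `"all-apis"` and `"vpc-sc"` are the ones the thread discusses, and the validation block rejects anything else so the wrong value cannot slip in silently.

```hcl
# Added example, not the foundation's module. "all-apis" is the value for the
# base shared VPC; "vpc-sc" belongs only to the restricted VPC behind a
# VPC Service Controls perimeter, where only VPC-SC-supported APIs are reachable.
variable "forwarding_rule_target" {
  description = "PSC target: \"all-apis\" (base VPC) or \"vpc-sc\" (restricted VPC)."
  type        = string
  default     = "all-apis"

  validation {
    condition     = contains(["all-apis", "vpc-sc"], var.forwarding_rule_target)
    error_message = "forwarding_rule_target must be \"all-apis\" or \"vpc-sc\"."
  }
}

variable "project_id" {
  type    = string
  default = "example-base-net-prj" # assumed project id
}

variable "network_id" {
  type    = string
  default = "projects/example-base-net-prj/global/networks/vpc-base" # assumed
}

# Internal global address reserved for the PSC endpoint (assumed IP).
resource "google_compute_global_address" "psc" {
  project      = var.project_id
  name         = "global-psconnect-ip"
  address_type = "INTERNAL"
  purpose      = "PRIVATE_SERVICE_CONNECT"
  network      = var.network_id
  address      = "10.3.0.5"
}

# Forwarding rule that fronts Google APIs on the address above. With
# target = "all-apis", APIs not covered by VPC-SC (e.g. Compute, Cloud DNS)
# remain reachable through the endpoint; with "vpc-sc" they would not be.
resource "google_compute_global_forwarding_rule" "psc" {
  project               = var.project_id
  name                  = "globalrule"
  target                = var.forwarding_rule_target
  network               = var.network_id
  ip_address            = google_compute_global_address.psc.id
  load_balancing_scheme = ""
}
```

After applying, `gcloud compute forwarding-rules describe globalrule --global --format='value(target)'` should print `all-apis` for the base VPC; seeing `vpc-sc` there is the misconfiguration the thread describes.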