CloudNet Config Solutions: Simplified Google Cloud Networking with Terraform 🌐

Introduction

This repository leverages pre-built terraform templates to streamline the setup and management of Google Cloud's networking infrastructure. This project accelerates your access to managed services like AlloyDB, GKE, Vertex AI services, Cloud SQL and Memorystore for Redis Clusters while maintaining robust security boundaries between your on-premises resources and the cloud environment. By defining role-based stages, the solution ensures that only authorized users can modify specific network components, adhering to the principle of least privilege and enhancing overall security.

Key Features and Enhancements

Network Services

• Network Connectivity Center (NCC): Simplified consumption using VPC as a Spoke, Hybrid Spokes, and Producer VPC as a Spoke. (VPC as a Spoke, Producer VPC as a spoke, Hybrid VPC spokes)
• Firewall Endpoints and Firewall Endpoint Association: New features for enhanced network security. (Firewall Endpoint Documentation)
• Hybrid Connectivity (VPN/Interconnect): Extend your on-premises network to Google Cloud to allow secure access to services like AlloyDB from your on-prem environment. (Interconnect Documentation)
• Networking Componenets: It empowers you to create a secure, highly available, and customizable network infrastructure that aligns with your organization's specific requirements. (Networking Documentation)

Security Services

• Security Profiles and Security Profile Groups: Added for improved security management. (Documentation)
• Secure Firewall Rules for Google Cloud Vertex AI Workbench: Added for secure access to Vertex AI Workbench instances. (Documentation)
• Firewall Rules for Google Cloud Managed Instance Groups (MIGs): Added for secure communication between MIG instances, including health checks. (Documentation)
• Firewall Policies: Added for centralized and scalable management of firewall rules. (Documentation)
• Google Compute Managed SSL Certificate: Facilitates the creation and management of Google Compute Managed SSL Certificate. (Documentation)

Producers

• AlloyDB: Deploys AlloyDB clusters with options for both Private Service Access (PSA) and Private Service Connect (PSC). (PSA Documentation, PSC Documentation)
• Cloud SQL: Deploys Cloud SQL instances with options for both PSA and PSC. (PSA Documentation, PSC Documentation)
• GKE: Deploys Google Kubernetes Engine (GKE) clusters with various networking configurations. (GKE Documentation)
• Memorystore for Redis Cluster (MRC): Deploys MRC instances for high-performance, in-memory data storage. (MRC Documentation)
• Vector Search: Deploys Vector Search for building high-performance vector similarity search engines. (Vector Search Documentation)
• Vertex AI Online Endpoints: Deploys Vertex AI endpoints for real-time predictions. (Vertex AI Documentation)

Producer Connectivity

• Private Service Connect (PSC): Securely connects services across different VPC networks using PSC. (Producer Connectivity Documentation)

Consumers

• Vertex AI Workbench: Enhanced networking for creating private and secure deployments. (Documentation)
• App Engine Standard Environments: Smoother network integration for scalable web and mobile backends. (Standard Documentation)
• App Engine Flexible Environments: Smoother network integration for scalable web and mobile backends. (Flexible Documentation)
• Backend resources: Increased support with MIG and UMIG as backend resources for LBs. (MIG Documentation, UMIG Documentation))
• App Engine (Standard & Flexible) Environments: Smoother network integration for scalable web and mobile backends. (Standard Documentation, Flexible Documentation)
• Cloud Run (Jobs): Support for running jobs with direct VPC egress or through a Serverless VPC Access connector. (Direct VPC Egress Documentation, Serverless VPC Connector Documentation)

Load Balancers

• External Application LB: Deploys External Application loadbalancer for loadbalancing requirements. (External Application LB Documentation)
• Internal Network Passthrough LB: Deploys Internal Network Passthrough loadbalancer for loadbalancing requirements. (Internal Network Passthrough Documentation)
• External Network Passthrough LB: Deploys External Network Passthrough loadbalancer for loadbalancing requirements. (External Network Passthrough Documentation)

Network Security Integration

• Network Security Integration (NSI) Out of Band: Deploys Network Security Integration Out of Band reasouces like Mirroring Deployment, Mirroring Deployment Groups, Mirroring Endpoints and Mirroing Endpoint groups. (NSI Out of Band Documentation)
• Security Profiles and Security Profile Groups: Deploys Security profiles and security profile groups. (Security Profiles Documentation)
• Packet Mirroring Rule: Deploys Firewall Policy Packet Mirroring Rule. (Packet Mirroring Rule Documentation)

Deployment Features

• Click-to-Deploy Functionality:
  • Increased coverage for AlloyDB: Expanded support with PSA and PSC. (PSA Documentation)
  • Expanded support for External Load Balancers. (ELB Documentation)
  • Expanded support for External Network Passthrough Load Balancers. (ENLB Documentation)
  • Expanded support for Internal Network Passthrough Load Balancers. (INLP Documentation)

Project Structure

The project is structured into the following folders:

  cloudnetworking-config-solutions
    ├──configuration
        ├── bootstrap.tfvars
        ├── organization.tfvars
        ├── networking.tfvars
        ├── producer-connectivity.tfvars
        ├── networking
            ├── clouddns
            ├── firewallendpoint
            └── ncc
        ├── producer
            ├── alloydb
            ├── cloudsql
            ├── gke
            ├── vectorsearch
            ├── vertex-ai-online-endpoints
            ├── mrc
            └── bigquery
        ├── consumer
            ├── cloudrun
            ├── gce
            ├── mig
            ├── workbench
            ├── umig
            ├── severless
              ├── appengine
                  ├── flexible
                  ├── standard
              ├── cloudrun
                  ├── job
                  ├── service
              ├── vpcaccessconnector
        ├──security
            ├── certificates
              ├── compute-ssl-certs
                  ├── google-managed
                      ├── google_managed_ssl.tfvars
            ├── firewall
              ├──  firewallpolicy
            ├── securityprofile
            ├── alloydb.tfvars
            ├── cloudsql.tfvars
            ├── gce.tfvars
            ├── mig.tfvars
            ├── mrc.tfvars
            └── workbench.tfvars
        └──consumer-load-balancing
            ├── application load balancers
              ├── external
            ├── network load balancers
              ├── passthrough
                  ├── internal
                  └── external
        └──network-security-integration
            ├── outofband
            ├── packetmirroringrule
            └── securityprofile
    ├──execution
        ├── 00-bootstrap
        ├── 01-organization
        ├── 02-networking
        ├── 03-security
        ├── 04-producer
        ├── 05-producer-connectivity
        ├── 06-consumer
        ├── 07-consumer-load-balancing
        └── 08-network-security-integration
    ├──modules
          ├── net-vpc
          ├── psc_forwarding_rule
          ├── vector-search
          ├── vertex-ai-online-endpoints
          ├── umig
          ├── lb_http
          ├── google_compute_managed_ssl_certificate
          ├── network-connectivity-center
          ├── firewall_endpoint
          ├── nsi_out_of_band
          ├── packet_mirroring_rule
          ├── security_profile
          └── app_engine

• configuration: This folder contains Terraform configuration files (*.tfvars) that hold variables used for multiple stages. These .tfvars files would include configurable variables such as project IDs, region or other values that you want to customize for your specific environment.

• execution: This folder houses the main Terraform code, organized into stages:

  • 00-bootstrap: Sets up foundational resources like service accounts and Terraform state storage.
  • 01-organization: Manages organization-level policies for network resources.
  • 02-networking: Manages VPCs, subnets, Cloud HA VPN and other core networking components like PSA, SCP, Cloud NAT.
  • 03-security: Configures firewalls rules, security profiles, firewall policies and Google Managed SSL certificates.
  • 04-producer: Implements producer services like AlloyDB, Memorystore for Redis clusters, BigQuery and Cloud SQL.
  • 05-producer-connectivity: Implements networking services like Private Service Connectivity.
  • 06-consumer: Implements consumer services like Google Compute Engine instances, Cloud Run, Workbench, AppEngine, Managed and Unmanaged Instance Groups.
  • 07-consumer-load-balancing: Implements load balancing services. As a part of Load Balancing, the following Load Balancers are presently supported : External Application Load Balancer, External and Internal Network Passthrough Load Balancer.
  • 08-network-security-integration: Implements networking security services like Security Profiles and Security Profile Groups, Mirroring Deployments, Mirroring Deployment Groups, Mirrroing Endpoints, Mirroring Endpoint Groups and Packet Mirroring Rule.

• modules: contains reusable Terraform modules.

Prerequisites

configuration

Houses all the *.tfvars files that define customizable variables like project IDs, regions, and service-specific inputs.

• bootstrap.tfvars
• organization.tfvars
• networking.tfvars
• producer-connectivity.tfvars
• consumer/
• producer/
• security/
• consumer-load-balancing/
• network-security-integration/

execution

This is where the main Terraform logic resides — split into sequential, modular stages:

Prerequisites

• Terraform: Ensure you have Terraform installed. Download from the official website

• Google Cloud SDK (gcloud CLI): Install and authenticate with your Google Cloud project. Follow the instructions official documentation to install.

• Google Cloud Project: Have an active Google Cloud project where you'll deploy the infrastructure. You can create a new project in the Google Cloud console.

• IAM Permissions: Each stage's README will detail the required IAM permissions for that specific stage. Administrators must assign these permissions to users/service accounts responsible for each stage.

🚀 Getting Started

1. Clone the Repository

   git clone https://github.com/GoogleCloudPlatform/cloudnetworking-config-solutions.git
   cd cloudnetworking-config-solutions
   

2. Customize Configuration

   Edit relevant *.tfvars or yaml configurations in the configuration/ folder.

3. Execute the terraform script You can now deploy the stages individually using run.sh or you can deploy all the stages automatically using the run.sh file. Navigate to the execution/ directory and run this command to run the automatic deployment using run.sh .

   ./run.sh -s all -t init-apply-auto-approve
   or
   ./run.sh --stage all --tfcommand init-apply-auto-approve
   

4. Proceed Sequentially

   Follow 00 to 08 in order to maintain dependency consistency. Each stage has a README with instructions for updating the configuration.

Important Notes

• Customization: Adjust templates to meet specific networking/security requirements.
• Dependencies: Later stages depend on outputs from earlier ones.
• State Management: Use Google Cloud Storage backend for state file management.