This solution uses a Terraform template to launch a new networking stack. It creates three VPC networks (mgmt, external, internal), each with one subnet. Use this Terraform template to create your Google VPC infrastructure, then head back to the BIG-IP GCP Terraform folder to get started!

Terraform is useful here because resources can be composed according to their dependencies into immutable and mutable elements. Mutable elements are the items you would typically change frequently, such as the traditional configuration on the BIG-IP. Once the template is deployed, some resources (the network infrastructure) are fixed, while others (the BIG-IP VMs and their configuration) can still be changed.
- This template requires a service account to deploy with the Terraform Google provider and build out all the necessary Google objects
  - See the Terraform Google Provider "Adding Credentials" documentation for details, and review the available Google GCP permission scopes
  - Permissions will depend on the objects you are creating
  - My service account for Terraform deployments in GCP uses the following roles:
    - Compute Admin
    - Storage Admin
    - Service Account User
    - Service Account Admin
    - Project IAM Admin
  - Note: Make sure to practice least privilege
- Variables are configured in variables.tf
- Sensitive variables like Google SSH keys are configured in terraform.tfvars
  - Note: Other items like the BIG-IP password are stored in Google Cloud Secret Manager. Refer to the Prerequisites.
- Files
  - main.tf - resources for provider, versions, storage bucket
  - network.tf - resources for VPCs, subnets, firewall rules
| Name | Version |
|---|---|
| terraform | >= 0.14 |
| google | >= 3.90 |

| Name | Version |
|---|---|
| google | 3.90.1 |

No modules.
| Name | Type |
|---|---|
| google_compute_firewall.app | resource |
| google_compute_firewall.app-ilb-probe | resource |
| google_compute_firewall.default-allow-internal-ext | resource |
| google_compute_firewall.default-allow-internal-int | resource |
| google_compute_firewall.default-allow-internal-mgmt | resource |
| google_compute_firewall.mgmt | resource |
| google_compute_firewall.one_nic | resource |
| google_compute_network.vpc_ext | resource |
| google_compute_network.vpc_int | resource |
| google_compute_network.vpc_mgmt | resource |
| google_compute_subnetwork.vpc_ext_sub | resource |
| google_compute_subnetwork.vpc_int_sub | resource |
| google_compute_subnetwork.vpc_mgmt_sub | resource |
| google_storage_bucket.main | resource |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| adminSrcAddr | Trusted source network for admin access | string | "0.0.0.0/0" | no |
| cidr_range_ext | IP CIDR range for external VPC network | string | "10.1.10.0/24" | no |
| cidr_range_int | IP CIDR range for internal VPC network | string | "10.1.20.0/24" | no |
| cidr_range_mgmt | IP CIDR range for management VPC network | string | "10.1.1.0/24" | no |
| f5_cloud_failover_label | This is a tag used by the F5 Cloud Failover Extension to identify which cloud objects to move during a failover event. | string | "mydeployment" | no |
| gcp_project_id | GCP Project ID for provider | string | null | no |
| gcp_region | GCP Region for provider | string | "us-west1" | no |
| gcp_zone | GCP Zone for provider | string | "us-west1-b" | no |
| owner | This is a tag used for object creation. Example is last name. | string | null | no |
| prefix | This value is inserted at the beginning of each Google object name (alphanumeric, no special characters) | string | "demo" | no |
| Name | Description |
|---|---|
| external_subnet | External subnet name |
| external_vpc | External VPC name |
| internal_subnet | Internal subnet name |
| internal_vpc | Internal VPC name |
| mgmt_subnet | Management subnet name |
| mgmt_vpc | Management VPC name |
| storage_bucket | Storage bucket name |
To run this Terraform template, perform the following steps:

- Clone the repo to your favorite location
- Modify terraform.tfvars with the required information

```hcl
# Google Environment
prefix         = "mydemo123"
adminSrcAddr   = "0.0.0.0/0"
gcp_project_id = "xxxxx"
gcp_region     = "us-west1"
gcp_zone       = "us-west1-b"
```

- Initialize the directory

```shell
terraform init
```

- Test the plan and validate errors

```shell
terraform plan
```

- Finally, apply and deploy

```shell
terraform apply
```

- When done with everything, don't forget to clean up!

```shell
terraform destroy
```
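The terraform.tfvars above leaves adminSrcAddr at the open default of 0.0.0.0/0. As an added example (not the repository's own code), here is one way to apply the least-privilege note to that input: a validation block on the variable rejects the open range at `terraform plan` time, and the mgmt firewall rule consumes it. The port list, the target tag, the rule name and the 203.0.113.0/24 source range are assumptions for illustration, not values from the repo.

```hcl
# terraform.tfvars (constructed value: a documentation range standing in for your admin network)
# adminSrcAddr = "203.0.113.0/24"

# variables.tf (added example; the repo's own variable definition is not shown on this page)
variable "adminSrcAddr" {
  description = "Trusted source network for admin access (IPv4 CIDR)"
  type        = string
  # No default on purpose: the operator must state the trusted range explicitly.

  validation {
    # can() turns the cidrnetmask() error on a malformed value into false,
    # and the second clause refuses the Internet-wide range.
    condition     = can(cidrnetmask(var.adminSrcAddr)) && var.adminSrcAddr != "0.0.0.0/0"
    error_message = "adminSrcAddr must be a valid IPv4 CIDR and must not be 0.0.0.0/0."
  }
}

# network.tf (assumed shape of the management rule; name, ports and tag are illustrative)
resource "google_compute_firewall" "mgmt" {
  name    = "${var.prefix}-allow-mgmt"
  network = google_compute_network.vpc_mgmt.name

  # BIG-IP management plane: SSH and the HTTPS GUI/API only.
  allow {
    protocol = "tcp"
    ports    = ["22", "443"]
  }

  # Only the validated admin range can reach instances carrying the tag.
  source_ranges = [var.adminSrcAddr]
  target_tags   = ["${var.prefix}-mgmt"]
}
```

With the validation in place, `terraform plan` fails with the error_message before any firewall rule is created if the tfvars value is left at 0.0.0.0/0 or is not a CIDR.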
Visit DevCentral to read "Service Discovery in Google Cloud with F5 BIG-IP", where I show my basic VPC setup (networks, subnets) along with the firewall rules.