Add NCC NVA stage
Luca Prete committed Mar 21, 2023
1 parent 3b20d61 commit 991492b
Showing 21 changed files with 655 additions and 264 deletions.
77 changes: 51 additions & 26 deletions fast/stages/2-networking-c-nva/README.md


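--- a/fast/stages/2-networking-c-nva/data/bgp-configs/primary-b.tpl
+++ b/fast/stages/2-networking-c-nva/data/bgp-configs/primary-b.tpl
@@ -0,0 +1,74 @@
+# NVA primary-b BGP configuration
+
+log syslog informational
+no ipv6 forwarding
+service integrated-vtysh-config
+
+interface lo
+ip address ${ip_untrusted}/32
+
+route-map ALLOW-ALL permit 100
+route-map PRIMARY permit 10
+set metric 100
+route-map SECONDARY permit 20
+set metric 10100
+route-map NVA-TO-NVA permit 30
+set metric 50
+
+# Peering with untrusted VPC Cloud Routers
+router bgp ${asn_nva} view untrusted
+no bgp ebgp-requires-policy
+no bgp network import-check
+neighbor ${ip_neighbor_untrusted_0} remote-as ${asn_untrusted}
+neighbor ${ip_neighbor_untrusted_1} remote-as ${asn_untrusted}
+address-family ipv4 unicast
+neighbor ${ip_neighbor_untrusted_0} activate
+neighbor ${ip_neighbor_untrusted_0} soft-reconfiguration inbound
+neighbor ${ip_neighbor_untrusted_1} activate
+neighbor ${ip_neighbor_untrusted_1} soft-reconfiguration inbound
+network ${gcp_landing_trusted_primary} route-map PRIMARY
+network ${gcp_landing_trusted_secondary} route-map SECONDARY
+network ${gcp_dev_primary} route-map PRIMARY
+network ${gcp_dev_secondary} route-map SECONDARY
+network ${gcp_prod_primary} route-map PRIMARY
+network ${gcp_prod_secondary} route-map SECONDARY
+exit-address-family
+
+# Peering with trusted VPC Cloud Routers
+router bgp ${asn_nva} view trusted
+no bgp ebgp-requires-policy
+no bgp network import-check
+neighbor ${ip_neighbor_trusted_0} remote-as ${asn_trusted}
+neighbor ${ip_neighbor_trusted_1} remote-as ${asn_trusted}
+address-family ipv4 unicast
+neighbor ${ip_neighbor_trusted_0} activate
+neighbor ${ip_neighbor_trusted_0} soft-reconfiguration inbound
+neighbor ${ip_neighbor_trusted_1} activate
+neighbor ${ip_neighbor_trusted_1} soft-reconfiguration inbound
+network 0.0.0.0/0 route-map PRIMARY
+exit-address-family
+
+# Peering with cross-region NVAs
+# (for cross-spoke communication)
+router bgp ${asn_nva} view cross-nva
+bgp router-id ${ip_untrusted}/32
+no bgp ebgp-requires-policy
+no bgp network import-check
+neighbor ${ip_neighbor_cross_region_nva_0} remote-as ${asn_nva}
+neighbor ${ip_neighbor_cross_region_nva_0} update-source lo
+neighbor ${ip_neighbor_cross_region_nva_0} ebgp-multihop 2
+neighbor ${ip_neighbor_cross_region_nva_0} next-hop-self
+neighbor ${ip_neighbor_cross_region_nva_1} remote-as ${asn_nva}
+neighbor ${ip_neighbor_cross_region_nva_1} update-source lo
+neighbor ${ip_neighbor_cross_region_nva_1} ebgp-multihop 2
+neighbor ${ip_neighbor_cross_region_nva_1} next-hop-self
+address-family ipv4 unicast
+neighbor ${ip_neighbor_cross_region_nva_0} activate
+neighbor ${ip_neighbor_cross_region_nva_0} soft-reconfiguration inbound
+neighbor ${ip_neighbor_cross_region_nva_1} activate
+neighbor ${ip_neighbor_cross_region_nva_1} soft-reconfiguration inbound
+network ${gcp_dev_primary} route-map NVA-TO-NVA
+network ${gcp_prod_primary} route-map NVA-TO-NVA
+exit-address-family
+
+line vty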
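Review bot: `bgp router-id ${ip_untrusted}/32` in the cross-nva view passes a prefix where FRR's `bgp router-id` takes a bare IPv4 address, and since `interface lo` already writes `ip address ${ip_untrusted}/32` the variable appears to be a plain address, so the line should read `bgp router-id ${ip_untrusted}`. If vtysh rejects the line the router-id presumably falls back to FRR's automatic selection, which would mask the error rather than break the session. The same line appears in primary-c.tpl, secondary-b.tpl and secondary-c.tpl. Separately, `no bgp ebgp-requires-policy` combined with no inbound route-map on the untrusted and trusted neighbors means every prefix the Cloud Routers announce is accepted into the view; an inbound prefix-list bounded to the expected landing/spoke ranges would document the intended trust boundary and contain a misconfiguration on the peer side. `route-map ALLOW-ALL permit 100` is defined but never referenced and can be dropped or used for that purpose.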
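--- a/fast/stages/2-networking-c-nva/data/bgp-configs/primary-c.tpl
+++ b/fast/stages/2-networking-c-nva/data/bgp-configs/primary-c.tpl
@@ -0,0 +1,74 @@
+# NVA primary-c BGP configuration
+
+log syslog informational
+no ipv6 forwarding
+service integrated-vtysh-config
+
+interface lo
+ip address ${ip_untrusted}/32
+
+route-map ALLOW-ALL permit 100
+route-map PRIMARY permit 10
+set metric 101
+route-map SECONDARY permit 20
+set metric 10101
+route-map NVA-TO-NVA permit 30
+set metric 51
+
+# Peering with untrusted VPC Cloud Routers
+router bgp ${asn_nva} view untrusted
+no bgp ebgp-requires-policy
+no bgp network import-check
+neighbor ${ip_neighbor_untrusted_0} remote-as ${asn_trusted}
+neighbor ${ip_neighbor_untrusted_1} remote-as ${asn_trusted}
+address-family ipv4 unicast
+neighbor ${ip_neighbor_untrusted_0} activate
+neighbor ${ip_neighbor_untrusted_0} soft-reconfiguration inbound
+neighbor ${ip_neighbor_untrusted_1} activate
+neighbor ${ip_neighbor_untrusted_1} soft-reconfiguration inbound
+network ${gcp_landing_trusted_primary} route-map PRIMARY
+network ${gcp_landing_trusted_secondary} route-map SECONDARY
+network ${gcp_dev_primary} route-map PRIMARY
+network ${gcp_dev_secondary} route-map SECONDARY
+network ${gcp_prod_primary} route-map PRIMARY
+network ${gcp_prod_secondary} route-map SECONDARY
+exit-address-family
+
+# Peering with trusted VPC Cloud Routers
+router bgp ${asn_nva} view trusted
+no bgp ebgp-requires-policy
+no bgp network import-check
+neighbor ${ip_neighbor_trusted_0} remote-as ${asn_trusted}
+neighbor ${ip_neighbor_trusted_1} remote-as ${asn_trusted}
+address-family ipv4 unicast
+neighbor ${ip_neighbor_trusted_0} activate
+neighbor ${ip_neighbor_trusted_0} soft-reconfiguration inbound
+neighbor ${ip_neighbor_trusted_1} activate
+neighbor ${ip_neighbor_trusted_1} soft-reconfiguration inbound
+network 0.0.0.0/0 route-map PRIMARY
+exit-address-family
+
+# Peering with cross-region NVAs
+# (for cross-spoke communication)
+router bgp ${asn_nva} view cross-nva
+bgp router-id ${ip_untrusted}/32
+no bgp ebgp-requires-policy
+no bgp network import-check
+neighbor ${ip_neighbor_cross_region_nva_0} remote-as ${asn_nva}
+neighbor ${ip_neighbor_cross_region_nva_0} update-source lo
+neighbor ${ip_neighbor_cross_region_nva_0} ebgp-multihop 2
+neighbor ${ip_neighbor_cross_region_nva_0} next-hop-self
+neighbor ${ip_neighbor_cross_region_nva_1} remote-as ${asn_nva}
+neighbor ${ip_neighbor_cross_region_nva_1} update-source lo
+neighbor ${ip_neighbor_cross_region_nva_1} ebgp-multihop 2
+neighbor ${ip_neighbor_cross_region_nva_1} next-hop-self
+address-family ipv4 unicast
+neighbor ${ip_neighbor_cross_region_nva_0} activate
+neighbor ${ip_neighbor_cross_region_nva_0} soft-reconfiguration inbound
+neighbor ${ip_neighbor_cross_region_nva_1} activate
+neighbor ${ip_neighbor_cross_region_nva_1} soft-reconfiguration inbound
+network ${gcp_dev_primary} route-map NVA-TO-NVA
+network ${gcp_prod_primary} route-map NVA-TO-NVA
+exit-address-family
+
+line vty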
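Review bot: The untrusted view's peers are declared with `neighbor ${ip_neighbor_untrusted_0} remote-as ${asn_trusted}` and the matching `_1` line, i.e. with the trusted-side ASN, while primary-b.tpl, secondary-b.tpl and secondary-c.tpl peer the same neighbors with `${asn_untrusted}`. Unless the two ASN variables happen to be equal, the sessions with the untrusted Cloud Routers in this region never establish (the OPEN is rejected as a bad peer AS), so primary-c advertises nothing toward the untrusted VPC and the failure only shows up as a missing route in the other region's path. Both lines should read `remote-as ${asn_untrusted}`.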
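--- a/fast/stages/2-networking-c-nva/data/bgp-configs/secondary-b.tpl
+++ b/fast/stages/2-networking-c-nva/data/bgp-configs/secondary-b.tpl
@@ -0,0 +1,74 @@
+# NVA secondary-b BGP configuration
+
+log syslog informational
+no ipv6 forwarding
+service integrated-vtysh-config
+
+interface lo
+ip address ${ip_untrusted}/32
+
+route-map ALLOW-ALL permit 100
+route-map PRIMARY permit 10
+set metric 100
+route-map SECONDARY permit 10
+set metric 10100
+route-map NVA-TO-NVA permit 30
+set metric 50
+
+# Peering with untrusted VPC Cloud Routers
+router bgp ${asn_nva} view untrusted
+no bgp ebgp-requires-policy
+no bgp network import-check
+neighbor ${ip_neighbor_untrusted_0} remote-as ${asn_untrusted}
+neighbor ${ip_neighbor_untrusted_1} remote-as ${asn_untrusted}
+address-family ipv4 unicast
+neighbor ${ip_neighbor_untrusted_0} activate
+neighbor ${ip_neighbor_untrusted_0} soft-reconfiguration inbound
+neighbor ${ip_neighbor_untrusted_0} activate
+neighbor ${ip_neighbor_untrusted_1} soft-reconfiguration inbound
+network ${gcp_landing_trusted_primary} route-map SECONDARY
+network ${gcp_landing_trusted_secondary} route-map PRIMARY
+network ${gcp_dev_primary} route-map SECONDARY
+network ${gcp_dev_secondary} route-map PRIMARY
+network ${gcp_prod_primary} route-map SECONDARY
+network ${gcp_prod_secondary} route-map PRIMARY
+exit-address-family
+
+# Peering with trusted VPC Cloud Routers
+router bgp ${asn_nva} view trusted
+no bgp ebgp-requires-policy
+no bgp network import-check
+neighbor ${ip_neighbor_trusted_0} remote-as ${asn_trusted}
+neighbor ${ip_neighbor_trusted_1} remote-as ${asn_trusted}
+address-family ipv4 unicast
+neighbor ${ip_neighbor_trusted_0} activate
+neighbor ${ip_neighbor_trusted_0} soft-reconfiguration inbound
+neighbor ${ip_neighbor_trusted_1} activate
+neighbor ${ip_neighbor_trusted_1} soft-reconfiguration inbound
+network 0.0.0.0/0 route-map PRIMARY
+exit-address-family
+
+# Peering with cross-region NVAs
+# (for cross-spoke communication)
+router bgp ${asn_nva} view cross-nva
+bgp router-id ${ip_untrusted}/32
+no bgp ebgp-requires-policy
+no bgp network import-check
+neighbor ${ip_neighbor_cross_region_nva_0} remote-as ${asn_nva}
+neighbor ${ip_neighbor_cross_region_nva_0} update-source lo
+neighbor ${ip_neighbor_cross_region_nva_0} ebgp-multihop 2
+neighbor ${ip_neighbor_cross_region_nva_0} next-hop-self
+neighbor ${ip_neighbor_cross_region_nva_1} remote-as ${asn_nva}
+neighbor ${ip_neighbor_cross_region_nva_1} update-source lo
+neighbor ${ip_neighbor_cross_region_nva_1} ebgp-multihop 2
+neighbor ${ip_neighbor_cross_region_nva_1} next-hop-self
+address-family ipv4 unicast
+neighbor ${ip_neighbor_cross_region_nva_0} activate
+neighbor ${ip_neighbor_cross_region_nva_0} soft-reconfiguration inbound
+neighbor ${ip_neighbor_cross_region_nva_1} activate
+neighbor ${ip_neighbor_cross_region_nva_1} soft-reconfiguration inbound
+network ${gcp_dev_secondary} route-map NVA-TO-NVA
+network ${gcp_prod_secondary} route-map NVA-TO-NVA
+exit-address-family
+
+line vty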
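Review bot: In the untrusted address-family `neighbor ${ip_neighbor_untrusted_0} activate` appears twice and `${ip_neighbor_untrusted_1}` is never activated, even though its `soft-reconfiguration inbound` line directly follows; the other three templates activate both neighbors, so the second occurrence should read `neighbor ${ip_neighbor_untrusted_1} activate`. With FRR's default ipv4-unicast activation the second session may still come up, which would hide the typo rather than fail loudly, so a config lint comparing the four templates would be worth adding. Also, `route-map SECONDARY permit 10` here and in secondary-c.tpl uses sequence 10 where the primary templates use 20; sequence numbers are scoped per route-map so this is harmless, but aligning them keeps the four files diffable against each other.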
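--- a/fast/stages/2-networking-c-nva/data/bgp-configs/secondary-c.tpl
+++ b/fast/stages/2-networking-c-nva/data/bgp-configs/secondary-c.tpl
@@ -0,0 +1,74 @@
+# NVA secondary-c BGP configuration
+
+log syslog informational
+no ipv6 forwarding
+service integrated-vtysh-config
+
+interface lo
+ip address ${ip_untrusted}/32
+
+route-map ALLOW-ALL permit 100
+route-map PRIMARY permit 10
+set metric 101
+route-map SECONDARY permit 10
+set metric 10101
+route-map NVA-TO-NVA permit 30
+set metric 51
+
+# Peering with untrusted VPC Cloud Routers
+router bgp ${asn_nva} view untrusted
+no bgp ebgp-requires-policy
+no bgp network import-check
+neighbor ${ip_neighbor_untrusted_0} remote-as ${asn_untrusted}
+neighbor ${ip_neighbor_untrusted_1} remote-as ${asn_untrusted}
+address-family ipv4 unicast
+neighbor ${ip_neighbor_untrusted_0} activate
+neighbor ${ip_neighbor_untrusted_0} soft-reconfiguration inbound
+neighbor ${ip_neighbor_untrusted_1} activate
+neighbor ${ip_neighbor_untrusted_1} soft-reconfiguration inbound
+network ${gcp_landing_trusted_primary} route-map SECONDARY
+network ${gcp_landing_trusted_secondary} route-map PRIMARY
+network ${gcp_dev_primary} route-map SECONDARY
+network ${gcp_dev_secondary} route-map PRIMARY
+network ${gcp_prod_primary} route-map SECONDARY
+network ${gcp_prod_secondary} route-map PRIMARY
+exit-address-family
+
+# Peering with trusted VPC Cloud Routers
+router bgp ${asn_nva} view trusted
+no bgp ebgp-requires-policy
+no bgp network import-check
+neighbor ${ip_neighbor_trusted_0} remote-as ${asn_trusted}
+neighbor ${ip_neighbor_trusted_1} remote-as ${asn_trusted}
+address-family ipv4 unicast
+neighbor ${ip_neighbor_trusted_0} activate
+neighbor ${ip_neighbor_trusted_0} soft-reconfiguration inbound
+neighbor ${ip_neighbor_trusted_1} activate
+neighbor ${ip_neighbor_trusted_1} soft-reconfiguration inbound
+network 0.0.0.0/0 route-map PRIMARY
+exit-address-family
+
+# Peering with cross-region NVAs
+# (for cross-spoke communication)
+router bgp ${asn_nva} view cross-nva
+bgp router-id ${ip_untrusted}/32
+no bgp ebgp-requires-policy
+no bgp network import-check
+neighbor ${ip_neighbor_cross_region_nva_0} remote-as ${asn_nva}
+neighbor ${ip_neighbor_cross_region_nva_0} update-source lo
+neighbor ${ip_neighbor_cross_region_nva_0} ebgp-multihop 2
+neighbor ${ip_neighbor_cross_region_nva_0} next-hop-self
+neighbor ${ip_neighbor_cross_region_nva_1} remote-as ${asn_nva}
+neighbor ${ip_neighbor_cross_region_nva_1} update-source lo
+neighbor ${ip_neighbor_cross_region_nva_1} ebgp-multihop 2
+neighbor ${ip_neighbor_cross_region_nva_1} next-hop-self
+address-family ipv4 unicast
+neighbor ${ip_neighbor_cross_region_nva_0} activate
+neighbor ${ip_neighbor_cross_region_nva_0} soft-reconfiguration inbound
+neighbor ${ip_neighbor_cross_region_nva_1} activate
+neighbor ${ip_neighbor_cross_region_nva_1} soft-reconfiguration inbound
+network ${gcp_prod_secondary} route-map NVA-TO-NVA
+network ${gcp_dev_secondary} route-map NVA-TO-NVA
+exit-address-family
+
+line vty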
12 changes: 12 additions & 0 deletions fast/stages/2-networking-c-nva/data/cidrs.yaml
Expand Up @@ -6,6 +6,18 @@ healthchecks:
- 209.85.152.0/22
- 209.85.204.0/22

ncc_cloud_routers_trusted:
- 10.128.64.201/32
- 10.128.64.202/32
- 10.128.96.201/32
- 10.128.96.202/32

ncc_cloud_routers_untrusted:
- 10.128.0.201/32
- 10.128.0.202/32
- 10.128.32.201/32
- 10.128.32.202/32

rfc1918:
- 10.0.0.0/8
- 172.16.0.0/12
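Review bot: The `ncc_cloud_routers_trusted` and `ncc_cloud_routers_untrusted` /32 entries are consumed as firewall `source_ranges` for the TCP/179 rules further down this commit, but nothing on this page ties them to where the Cloud Router interface addresses are actually assigned, so a change on either side would silently leave the BGP allow rule matching the wrong hosts. A comment above each list, such as `# must match the NCC Cloud Router interface addresses assigned in the NVA Terraform`, would make that coupling visible to the next editor; generating the list from the same Terraform values would remove it entirely. Keeping these as narrow /32s rather than the subnet range, as done here, is the right scope for a rule that gates the routing control plane.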
Expand Up @@ -17,3 +17,12 @@ ingress:
- protocol: tcp
ports:
- 12345
allow-ncc-nva-bgp-trusted:
description: "Allow BGP traffic from NCC Cloud Routers to NVAs"
source_ranges:
- ncc_cloud_routers_trusted
targets: ["nva"]
rules:
- protocol: tcp
ports:
- 179
Expand Up @@ -9,3 +9,12 @@ ingress:
- protocol: tcp
ports:
- 22
allow-ncc-nva-bgp-untrusted:
description: "Allow BGP traffic from NCC Cloud Routers to NVAs"
source_ranges:
- ncc_cloud_routers_untrusted
targets: ["nva"]
rules:
- protocol: tcp
ports:
- 179
30 changes: 0 additions & 30 deletions fast/stages/2-networking-c-nva/data/nva-startup-script.tftpl

This file was deleted.

Binary file modified fast/stages/2-networking-c-nva/diagram.png
2 changes: 1 addition & 1 deletion fast/stages/2-networking-c-nva/diagram.svg
1 change: 1 addition & 0 deletions fast/stages/2-networking-c-nva/landing.tf
Expand Up @@ -26,6 +26,7 @@ module "landing-project" {
"compute.googleapis.com",
"dns.googleapis.com",
"iap.googleapis.com",
"networkconnectivity.googleapis.com",
"networkmanagement.googleapis.com",
"stackdriver.googleapis.com"
]

0 comments on commit 991492b
