Deploy a hub-and-spoke network using VPC Network Peering

This tutorial shows how to set up a hub-and-spoke network in Google Cloud using the network peering capability of Virtual Private Cloud (VPC). VPC Network Peering enables you to connect VPC networks so that workloads in different VPC networks can communicate internally. Traffic stays within Google's network and doesn't go through the public internet.

The following diagram shows the architecture that you deploy. It consists of two spoke VPC networks, each peered with a central hub VPC network. A VPN tunnel between one of the spoke VPC networks and the hub VPC network enables inter-spoke connectivity.

Hub-and-spoke architecture using VPC Network Peering

To learn more about this architecture and other design alternatives, see Hub-and-spoke network architecture.

Objectives

Provision the following resources in Google Cloud by using a Google-provided Terraform template:

  • Three VPC networks, one designated as the hub and the other two as spokes.
  • A subnet in each of the VPC networks in a region that you specify.
  • VPC Network Peering configurations between each spoke VPC network and the hub VPC network.
  • A set of firewall rules for each VPC network.
  • A Cloud NAT gateway for each spoke VPC network.
  • A test Compute Engine instance for each VPC network.
  • A test Google Kubernetes Engine (GKE) cluster with a single node pool in the spoke-2 VPC network.
  • A service account for the Compute Engine instances.
  • A service account for the GKE nodes.
  • Static Cloud VPN gateways in the hub VPC network and in the spoke-2 VPC network, with a single tunnel each.
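As an added illustration (not the Google-provided template that the tutorial deploys), the following Terraform configuration builds the core of the topology above: a hub VPC, two spoke VPCs, one subnet in each, and a peering in each direction between every spoke and the hub. The network names, CIDR ranges, region and the project_id variable are assumptions chosen for this example. Two points matter for security in this design: VPC Network Peering is not transitive, so spoke-1 and spoke-2 cannot reach each other through the hub (which is why the tutorial adds a VPN tunnel for inter-spoke traffic), and firewall rules belong to a single VPC network and are not exchanged over a peering, so each network needs its own ingress rules scoped to the peer's range rather than a broad allow-all.

```hcl
# Added example, not the tutorial's template. Names, ranges, region and
# the project_id variable are assumptions for illustration only.

variable "project_id" {
  type = string
}

variable "region" {
  type    = string
  default = "us-central1"
}

locals {
  # Subnet ranges must not overlap across peered networks; peering is
  # refused if they do.
  networks = {
    hub     = "10.0.0.0/24"
    spoke-1 = "10.0.24.0/24"
    spoke-2 = "10.0.48.0/24"
  }
  spokes = { for k, v in local.networks : k => v if k != "hub" }
}

resource "google_compute_network" "vpc" {
  for_each                = local.networks
  project                 = var.project_id
  name                    = "${each.key}-vpc"
  auto_create_subnetworks = false
}

resource "google_compute_subnetwork" "subnet" {
  for_each      = local.networks
  project       = var.project_id
  name          = "${each.key}-subnet"
  region        = var.region
  network       = google_compute_network.vpc[each.key].id
  ip_cidr_range = each.value
}

# A peering only becomes ACTIVE once both sides have been created.
resource "google_compute_network_peering" "spoke_to_hub" {
  for_each     = local.spokes
  name         = "${each.key}-to-hub"
  network      = google_compute_network.vpc[each.key].id
  peer_network = google_compute_network.vpc["hub"].id
}

resource "google_compute_network_peering" "hub_to_spoke" {
  for_each     = local.spokes
  name         = "hub-to-${each.key}"
  network      = google_compute_network.vpc["hub"].id
  peer_network = google_compute_network.vpc[each.key].id
}

# Peering is not transitive: spoke-1 and spoke-2 do not see each other via
# the hub. Firewall rules are per VPC and not shared over the peering, so
# each spoke gets its own ingress rule, limited to the hub range.
resource "google_compute_firewall" "spoke_allow_from_hub" {
  for_each      = local.spokes
  project       = var.project_id
  name          = "${each.key}-allow-from-hub"
  network       = google_compute_network.vpc[each.key].name
  direction     = "INGRESS"
  source_ranges = [local.networks["hub"]]
  allow {
    protocol = "tcp"
    ports    = ["22"]
  }
  allow {
    protocol = "icmp"
  }
}

# The hub accepts only ICMP from the spoke ranges; add ports as needed.
resource "google_compute_firewall" "hub_allow_from_spokes" {
  project       = var.project_id
  name          = "hub-allow-from-spokes"
  network       = google_compute_network.vpc["hub"].name
  direction     = "INGRESS"
  source_ranges = values(local.spokes)
  allow {
    protocol = "icmp"
  }
}
```

Run terraform validate, terraform plan and terraform apply as described later on this page. If a peering stays INACTIVE, check that the matching resource on the other network exists and that no subnet ranges overlap; if a spoke VM cannot reach the hub even though the peering is ACTIVE, the usual cause is a missing firewall rule on the receiving network, not the peering itself.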

Costs

This tutorial uses the following billable components of Google Cloud:

To generate a cost estimate based on your projected usage, use the pricing calculator. New Google Cloud users might be eligible for a free trial.

When you finish this tutorial, you can avoid continued billing by deleting the resources you created. For more information, see Cleaning up.

Before you begin

  1. Decide whether you want to deploy the resources in an existing project or a new project that Terraform creates for you.

  2. Get the required permissions.

    To create and manage resources by using the provided Terraform templates, the Google account or service account needs the following Identity and Access Management (IAM) roles:

    • Compute Admin (roles/compute.admin)
    • Kubernetes Engine Admin (roles/container.admin)
    • Service Account Admin (roles/iam.serviceAccountAdmin)
    • Project IAM Admin (roles/resourcemanager.projectIamAdmin)
    • Service Usage Admin (roles/serviceusage.serviceUsageAdmin)
    • Project Creator (roles/resourcemanager.projectCreator) (required to deploy the resources in a new project)

    If you don't have a required permission or aren't sure, contact your organization's administrator.

  3. (Optional) Skip this step if you want to deploy the resources in a new project that Terraform creates.

    To use an existing project or a project that you create, complete the following steps:

    1. In the Google Cloud Console, on the project selector page, select or create a Google Cloud project.

    2. Make sure that billing is enabled for your Cloud project. Learn how to confirm that billing is enabled for your project.

    3. Enable the Compute Engine, GKE, IAM, Service Usage, and Resource Manager APIs.

Preparing the environment

You can complete this tutorial using Cloud Shell or your local host. Cloud Shell has Terraform pre-installed and set up to authenticate with Google Cloud.

To use Cloud Shell

  • Download and open the Terraform example templates in Cloud Shell.

    Cloud Shell is launched in a separate browser tab, and the Terraform example templates are downloaded to the $HOME/cloudshell_open directory of your Cloud Shell environment.

To use your local host

Complete the following steps:

  1. Install Terraform version 0.13.0 or later.

  2. Download the Terraform example templates from Terraform Examples and Modules for Google Cloud.

  3. Create a service account and key.

    Cloud Console

    Create a service account:

    1. In the Cloud Console, go to the Create service account page.

    2. Select a project.
    3. In the Service account name field, enter a name. The Cloud Console fills in the Service account ID field based on this name.

      In the Service account description field, enter a description. For example, Service account for quickstart.

    4. Click Create and continue.
    5. Click the Select a role field.

      Under Quick access, click Basic, then click Owner.

    6. Click Continue.
    7. Click Done to finish creating the service account.

      Do not close your browser window. You will use it in the next step.

    Create a service account key:

    1. In the Cloud Console, click the email address for the service account that you created.
    2. Click Keys.
    3. Click Add key, then click Create new key.
    4. Click Create. A JSON key file is downloaded to your computer.
    5. Click Close.

    Command line

    You can run the following commands using the Cloud SDK on your local machine, or in Cloud Shell.

    1. Create the service account. Replace NAME with a name for the service account.

      gcloud iam service-accounts create NAME
    2. Grant permissions to the service account. Replace PROJECT_ID with your project ID.

      gcloud projects add-iam-policy-binding PROJECT_ID --member="serviceAccount:NAME@PROJECT_ID.iam.gserviceaccount.com" --role="roles/owner"
    3. Generate the key file. Replace FILE_NAME with a name for the key file.

      gcloud iam service-accounts keys create FILE_NAME.json --iam-account=NAME@PROJECT_ID.iam.gserviceaccount.com
  4. Provide authentication credentials to your application code by setting the environment variable GOOGLE_APPLICATION_CREDENTIALS. This variable only applies to your current shell session, so if you open a new session, set the variable again.

    Linux or macOS

    export GOOGLE_APPLICATION_CREDENTIALS="KEY_PATH"

    Replace KEY_PATH with the path of the JSON file that contains your service account key.

    For example:

    export GOOGLE_APPLICATION_CREDENTIALS="/home/user/Downloads/service-account-file.json"

    Windows

    For PowerShell:

    $env:GOOGLE_APPLICATION_CREDENTIALS="KEY_PATH"

    Replace KEY_PATH with the path of the JSON file that contains your service account key.

    For example:

    $env:GOOGLE_APPLICATION_CREDENTIALS="C:\Users\username\Downloads\service-account-file.json"

    For command prompt:

    set GOOGLE_APPLICATION_CREDENTIALS=KEY_PATH

    Replace KEY_PATH with the path of the JSON file that contains your service account key.
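The console and command-line steps above grant the new service account the Owner role. As an added example that is not part of the tutorial, the following Terraform creates the deployment service account and binds only the project-level roles listed under Before you begin, which are the roles the tutorial names as required for an existing project. The account ID hub-spoke-deployer and the project_id variable are assumptions; Project Creator is left out because it is granted on an organization or folder, not on a project, and is needed only when Terraform creates the project.

```hcl
# Added example, not part of the tutorial. Account ID and project_id are
# assumptions for illustration only.

variable "project_id" {
  type = string
}

resource "google_service_account" "deployer" {
  project      = var.project_id
  account_id   = "hub-spoke-deployer"
  display_name = "Terraform deployer for the hub-and-spoke tutorial"
}

locals {
  # The project-level roles listed under "Before you begin". Project
  # Creator (roles/resourcemanager.projectCreator) is an organization- or
  # folder-level grant and is only needed when Terraform creates the project.
  deployer_roles = toset([
    "roles/compute.admin",
    "roles/container.admin",
    "roles/iam.serviceAccountAdmin",
    "roles/resourcemanager.projectIamAdmin",
    "roles/serviceusage.serviceUsageAdmin",
  ])
}

# One binding per role, so adding or removing a role is a one-line change
# and terraform plan shows exactly which grant changes.
resource "google_project_iam_member" "deployer" {
  for_each = local.deployer_roles
  project  = var.project_id
  role     = each.value
  member   = "serviceAccount:${google_service_account.deployer.email}"
}

output "deployer_email" {
  value = google_service_account.deployer.email
}
```

The deployer account is used only for terraform apply; the test VMs and GKE nodes that the template creates run under the separate service accounts listed in the Objectives, so a compromise of a workload does not expose the deployment credentials. Use the deployer_email output as the --iam-account value when generating the key file in step 3.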

Configuring the Terraform variables

The Terraform code that you downloaded includes variables that you can use to customize the deployment based on your requirements. For example, you can adjust the subnet CIDR ranges and specify the project where the resources should be deployed.

  1. In the code that you downloaded (on your local host or in Cloud Shell), go to the networking/hub-and-spoke-peering subdirectory.

    cd networking/hub-and-spoke-peering

  2. Open the file variables.tf.

    The input variables for the Terraform configuration are declared in this file. Some of the variables have a default value.

  3. Identify the variables for which you need to assign values:

    • Variables that don't have a default value (for example, project_id).
    • Variables with a default value that you might want to change.

      For example, ip_ranges has default CIDR ranges, but you might need to use different ranges for your deployment.

    For each variable that you identify, read its description, and note its type.

  4. Create a text file named terraform.tfvars.

  5. In the terraform.tfvars file, assign appropriate values to the variables that you identified earlier.

    Example:

    ip_ranges = {
      hub     = "10.0.0.0/24"
      spoke-1 = "10.0.24.0/24"
      spoke-2 = "10.0.48.0/24"
    }

    prefix = "dev"

    project_id = "my-project"

    region = "us-central1"

  6. Initialize Terraform:

    terraform init

    Wait until you see the following message:

    Terraform has been successfully initialized!

  7. Verify that the configuration has no errors:

    terraform validate

    If the command returns an error, make the required corrections in the configuration, and run terraform validate again.

    Repeat this step until the command returns the following message:

    Success! The configuration is valid.

  8. Review the resources defined in the configuration:

    terraform plan

    The output lists the resources that Terraform provisions when you apply the configuration.

    If you want to make any changes, edit the configuration, and then run terraform validate and terraform plan again.
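The variables declared in variables.tf can also carry validation blocks, so that an invalid CIDR range, a missing network key or a badly formed prefix fails at terraform plan instead of partway through terraform apply, when some resources already exist. The following is an added example written for this page, not the contents of the template's own variables.tf; it declares the four variables used in the terraform.tfvars example above, and the specific checks are assumptions about what a deployer would want enforced. Only functions available in Terraform 0.13 are used.

```hcl
# Added example, not the template's variables.tf. The validation rules are
# assumptions about reasonable constraints for this deployment.

variable "project_id" {
  description = "Project in which all resources are created."
  type        = string
}

variable "prefix" {
  description = "Prefix for resource names."
  type        = string
  default     = "dev"
  validation {
    # Google Cloud resource names are lowercase; keep the prefix short so
    # the generated names stay within length limits.
    condition     = can(regex("^[a-z][a-z0-9-]{0,15}$", var.prefix))
    error_message = "prefix must start with a lowercase letter and contain only lowercase letters, digits and hyphens (max 16 chars)."
  }
}

variable "region" {
  description = "Region for the subnets."
  type        = string
  default     = "us-central1"
}

variable "ip_ranges" {
  description = "Subnet CIDR range per network; ranges of peered networks must not overlap."
  type        = map(string)
  default = {
    hub     = "10.0.0.0/24"
    spoke-1 = "10.0.24.0/24"
    spoke-2 = "10.0.48.0/24"
  }
  validation {
    # cidrnetmask() errors on anything that is not a valid IPv4 CIDR, so
    # can() turns that into a boolean per entry.
    condition     = length([for r in values(var.ip_ranges) : r if !can(cidrnetmask(r))]) == 0
    error_message = "Every ip_ranges value must be a valid IPv4 CIDR block, for example 10.0.0.0/24."
  }
  validation {
    # The template expects exactly the hub and two spoke keys.
    condition     = length(var.ip_ranges) == 3 && length(setsubtract(toset(["hub", "spoke-1", "spoke-2"]), toset(keys(var.ip_ranges)))) == 0
    error_message = "ip_ranges must contain exactly the keys hub, spoke-1 and spoke-2."
  }
}
```

Overlap between the three ranges is not checked here because HCL has no built-in range-intersection function; a plan with overlapping ranges still fails when the peering is created, so keep the ranges disjoint as in the example above.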

Provisioning resources

When no further changes are necessary in the configuration, deploy the resources:

  1. Run the following command:

    terraform apply

    Terraform displays a list of the resources that will be created.

  2. At the prompt to perform the actions, enter yes.

    If Terraform displays an error message that one or more APIs are not enabled, use each link shown in the message to enable the required APIs.

    Terraform displays messages showing the progress of the deployment. After all the resources are created, Terraform displays the following message:

    Apply complete!

You've now deployed a hub-and-spoke network in Google Cloud.

Adding, changing, or removing resources

To add, change, or remove resources, edit the Terraform configuration, and then run the commands terraform validate, terraform plan, and terraform apply, in that order.

Clean up

To avoid incurring charges to your Google Cloud account for the resources you created in this tutorial, delete all the resources when you don't need them.

  1. Run the following command:

    terraform destroy

    Terraform displays a list of the resources that will be destroyed.

  2. At the prompt to perform the actions, enter yes.

    Terraform displays messages showing the progress. After all the resources are deleted, Terraform displays the following message:

    Destroy complete!

What's next