{VPN}Site-to-Site VPN(GCP <-> OCI)

https://docs.oracle.com/ja-jp/iaas/Content/Network/Tasks/vpn_to_gcp.htm

 


前提: 
基礎ネットワークとVM/コンピュートインスタンスはTerraformで作成
その他はCLIで作成

macから実施


GCP側のASN: 64513
OCI側のASN: 31898

※OCI側のASNは固定値31898を使用する必要あり

IPSec tunnel使用本数: 1本

GCP側のサブネット: 10.0.0.0/24
OCI側のサブネット: 10.1.0.0/24

 

 

-- 1. プロジェクト作成【GCP】

# Initialise the gcloud SDK and confirm which account is active before creating anything.
gcloud init
gcloud auth list

gcloud --version

# The project ID (project01-9999999) and billing account (111111-111111-111111)
# look like runbook placeholders; substitute the real values.
gcloud projects create project01-9999999 \
--name="project01"

gcloud config list
gcloud config set project project01-9999999
# The region/zone defaults set here are what later commands that omit --region
# fall back on (e.g. `gcloud compute routers get-status cr11` in section 12).
gcloud config set compute/region asia-northeast1 --quiet
gcloud config set compute/zone asia-northeast1-a --quiet

 

gcloud beta billing accounts list
gcloud beta billing projects link project01-9999999 --billing-account=111111-111111-111111

# The Compute Engine API must be enabled before the Terraform apply in section 2.
gcloud services enable compute.googleapis.com --project project01-9999999

 


-- 2. VPC、サブネット、VMインスタンス作成【GCP】

# Dedicated working directory so the GCP Terraform state stays separate from the OCI one.
# Note: `cd` is not error-checked; if it fails, the following commands run in the wrong directory.
mkdir gcp
cd gcp


# Write the GCP Terraform config. Notes on the resources below:
#  - subnet01 is 10.0.0.0/24; this CIDR must match --static-routes in section 7
#    and the ingress source in the OCI security list (section 3).
#  - vm01 gets an external IP (access_config {}) and fw01 allows TCP/22 from
#    0.0.0.0/0, i.e. SSH is reachable from the whole internet; restrict
#    source_ranges to your own address for anything beyond a throw-away lab.
#  - fw02 allows all protocols from the OCI subnet 10.1.0.0/24 (needed for the ping test).
#  - the CentOS 7 image is end-of-life; pick a supported image for anything long-lived.
#  - `<<-'EOF'` strips leading tabs only (the body is indented with spaces) and the
#    quoted delimiter prevents $ expansion, so the file is written verbatim.
cat <<-'EOF' > main.tf


provider "google" {
  project = "project01-9999999"
  region = "asia-northeast1"
}

resource "google_compute_network" "vpc01" {
  name = "vpc01"
  auto_create_subnetworks = false
}

resource "google_compute_subnetwork" "subnet01" {
  name = "subnet01"
  ip_cidr_range = "10.0.0.0/24"
  network = google_compute_network.vpc01.id
  private_ip_google_access =true
}


resource "google_service_account" "sa123" {
  account_id   = "sa123"
  display_name = "sa123"
}

resource "google_compute_instance" "vm01" {
  name         = "vm01"
  machine_type = "e2-micro"
  zone         = "asia-northeast1-a"

  tags = ["tag01"]

  boot_disk {
    initialize_params {
      image = "centos-7-v20221004"
    }
  }

  network_interface {
    network = google_compute_network.vpc01.self_link
    subnetwork = google_compute_subnetwork.subnet01.self_link
    access_config {}
  }

  service_account {
    email  = google_service_account.sa123.email
    scopes = ["cloud-platform"]
  }

  scheduling {
    preemptible = true
    automatic_restart = false
  }
}

 

resource "google_compute_firewall" "fw01" {
  name    = "fw01"
  network = google_compute_network.vpc01.name
  direction = "INGRESS"
  allow {
    protocol = "tcp"
    ports    = ["22"]
  }
  source_ranges = [
    "0.0.0.0/0"
  ]
  target_tags = ["tag01"]
}

resource "google_compute_firewall" "fw02" {
  name    = "fw02"
  network = google_compute_network.vpc01.name
  direction = "INGRESS"
  allow {
    protocol = "all"
  }
  source_ranges = [
    "10.1.0.0/24"
  ]
  target_tags = ["tag01"]
}

 

 


EOF

# `terraform fmt` also normalises the `=true` spacing above.
terraform init
terraform fmt
terraform -version

terraform plan

terraform apply -auto-approve


# terraform destroy -auto-approve
# gcloud compute ssh vm01


cd ..

 


-- 3. VPC、サブネット、コンピュートインスタンス作成【OCI】

# Dedicated working directory/state for the OCI side (not error-checked, same as the GCP step).
mkdir oci
cd oci

 

# The tenancy OCID in locals is a placeholder (all zeros); replace it with yours.
cat <<-'EOF' > variables.tf

locals {
  tenancy_ocid = "ocid1.tenancy.oc1..000000000000000000000000000000000000000000000000000000000000"

}

variable "compartment_name" {
  description = "compartment_name"
  type = string
  default = "cmp01"
}

EOF

 

# Write the OCI Terraform config. Notes on the resources below:
#  - provider "oci": user_ocid and fingerprint are placeholders and, together with
#    private_key_path, identify the API signing key. Hard-coding them ties the
#    config to one identity; the provider can read them from a ~/.oci/config
#    profile instead if these attributes are left out (verify for provider 5.23.0).
#  - cmp01 sets enable_delete = true so `terraform destroy` removes the compartment too.
#  - vcn01 is 10.1.0.0/16 and subnet01 is 10.1.0.0/24; the /24 must match the
#    GCP fw02 source range (section 2).
#  - rt01 only routes 0.0.0.0/0 to the internet gateway here; the route to the
#    GCP subnet via the DRG is added in section 13.2.
#  - sl01 allows TCP/22 from 0.0.0.0/0 (SSH open to the internet) plus all traffic
#    from the GCP subnet 10.0.0.0/24; tighten the SSH source outside a lab.
#  - vm01 gets a public IP, is preemptible with TERMINATE on preemption, and is
#    provisioned with the public key from ~/.ssh/id_rsa.pub. The availability
#    domain prefix "OEIw" is tenancy-specific and will differ elsewhere.
cat <<-'EOF' > main.tf

terraform {
  required_version = ">= 1.0.0, < 2.0.0"
  required_providers {
    oci = {
       source  = "hashicorp/oci"
       version = "= 5.23.0"
    }
  }
}

provider "oci" {
  tenancy_ocid = local.tenancy_ocid
  user_ocid = "ocid1.user.oc1..000000000000000000000000000000000000000000000000000000000000" 
  private_key_path = "~/.oci/oci_api_key.pem"
  fingerprint = "45:ed:22:e6:cc:fd:63:97:12:9d:62:7a:90:12:65:7a"
  region = "us-ashburn-1"
}


resource "oci_identity_compartment" "cmp01" {
    # Required
    compartment_id = local.tenancy_ocid
    description = var.compartment_name
    name = var.compartment_name
    
    enable_delete = true
}

resource "oci_core_vcn" "vcn01" {
    #Required
    compartment_id = oci_identity_compartment.cmp01.id

    #Optional
    cidr_block = "10.1.0.0/16"
    display_name = "vcn01"
    dns_label = "vcn01"

}


resource "oci_core_internet_gateway" "igw01" {
    #Required
    compartment_id = oci_identity_compartment.cmp01.id
    vcn_id = oci_core_vcn.vcn01.id

    #Optional
    enabled = true
    display_name = "igw01"
}

resource "oci_core_route_table" "rt01" {
    #Required
    compartment_id = oci_identity_compartment.cmp01.id
    vcn_id = oci_core_vcn.vcn01.id

    #Optional
    display_name = "rt01"
    route_rules {
        network_entity_id = oci_core_internet_gateway.igw01.id
        destination = "0.0.0.0/0"
    }
    
}


resource "oci_core_security_list" "sl01" {
    #Required
    compartment_id = oci_identity_compartment.cmp01.id
    vcn_id = oci_core_vcn.vcn01.id

    #Optional
    display_name = "sl01"
    
    egress_security_rules {
        protocol = "all"
        destination = "0.0.0.0/0"
        stateless = false
    }
    
    ingress_security_rules {
        protocol = "6"
        source = "0.0.0.0/0"
        stateless = false
        tcp_options {
            max = 22
            min = 22
        }
    }
    ingress_security_rules {
        protocol = "all"
        source = "10.0.0.0/24"
        stateless = false
    }

}

 

resource "oci_core_subnet" "subnet01" {
    #Required
    cidr_block = "10.1.0.0/24"
    compartment_id = oci_identity_compartment.cmp01.id
    vcn_id = oci_core_vcn.vcn01.id

    #Optional

    display_name = "subnet01"
    dns_label = "subnet01"
    route_table_id = oci_core_route_table.rt01.id
    security_list_ids = [oci_core_security_list.sl01.id]
}


data "oci_core_images" "ol9_latest" {
    #Required
    compartment_id = oci_identity_compartment.cmp01.id
    
    #Optional
    operating_system = "Oracle Linux"
    operating_system_version = "9"
    shape = "VM.Standard.E2.1"
    sort_by = "TIMECREATED"
    sort_order = "DESC"

    filter {
        name   = "display_name"
        values = ["Oracle-Linux-9.2-2023.*"]
        regex  = true
    }

}


resource "oci_core_instance" "vm01" {
    #Required
    availability_domain = "OEIw:US-ASHBURN-AD-1"
    compartment_id = oci_identity_compartment.cmp01.id
    shape = "VM.Standard.E2.1"

    agent_config {
        plugins_config {
            desired_state = "ENABLED"
            name = "OS Management Service Agent"
        }
        plugins_config {
            desired_state = "ENABLED"
            name = "Compute Instance Run Command"
        }
        plugins_config {
            desired_state = "ENABLED"
            name = "Compute Instance Monitoring"
        }

    }
    
    create_vnic_details {
        #Optional
        assign_public_ip = true
        subnet_id = oci_core_subnet.subnet01.id
    }

    display_name = "vm01"
    fault_domain = "FAULT-DOMAIN-1"

    metadata = {
        ssh_authorized_keys = file("~/.ssh/id_rsa.pub")
    } 


    source_details {
        #Required
         source_id = data.oci_core_images.ol9_latest.images[0].id
         source_type = "image"

        #Optional
        boot_volume_size_in_gbs = 50
    }
    preserve_boot_volume = false
    preemptible_instance_config {
        preemption_action {
            type = "TERMINATE"
            preserve_boot_volume = false
        }
    }

}

EOF

 

# The outputs print the OCIDs that the CLI steps need later (compartment id for
# sections 5-7, VCN id for the DRG attachment in section 5).
cat <<-'EOF' > outputs.tf

output "cmp01_id" {
  value = oci_identity_compartment.cmp01.id
  description = "cmp01.id"
}

output "vcn01_id" {
  value = oci_core_vcn.vcn01.id
  description = "vcn01.id"
}

output "igw01_id" {
  value = oci_core_internet_gateway.igw01.id
  description = "igw01.id"
}
output "rt01_id" {
  value = oci_core_route_table.rt01.id
  description = "rt01.id"
}

output "sl01_id" {
  value = oci_core_security_list.sl01.id
  description = "sl01.id"
}

output "subnet01_id" {
  value = oci_core_subnet.subnet01.id
  description = "subnet01.id"
}


EOF

 


terraform init
terraform fmt
terraform -version

# Same value as the variable default; shown here as the way to override it.
export TF_VAR_compartment_name=cmp01


terraform plan

 

terraform apply -auto-approve


# terraform destroy -auto-approve

cd ..


-- 4. Cloud HA VPN ゲートウェイ作成 【GCP】

# Create the Cloud HA VPN gateway on vpc01. It exposes two interfaces (0 and 1);
# this runbook uses only interface 0 (one tunnel, section 10).
gcloud compute vpn-gateways create vpn11 \
--region=asia-northeast1 \
--network=vpc01 \
--stack-type=IPV4_ONLY

 

gcloud compute vpn-gateways list

# The external IP address of interface 0 in this output is the value needed for
# --ip-address when creating the OCI CPE in section 6.
gcloud compute vpn-gateways describe vpn11 \
--region=asia-northeast1

 

-- 5. 動的ルーティング・ゲートウェイ作成 【OCI】


# Create the DRG. The compartment OCID is a placeholder; cmp01's id is printed by
# the cmp01_id output of the Terraform run in section 3.
oci network drg create \
--compartment-id ocid1.compartment.oc1..000000000000000000000000000000000000000000000000000000000000 \
--display-name drg01

 

# Note the DRG id from this output: it is needed for the attachment below, the
# IPSec connection (section 7), the route table (section 13.2) and the clean-up.
oci network drg list \
--compartment-id ocid1.compartment.oc1..000000000000000000000000000000000000000000000000000000000000 


VCNへのDRGのアタッチ

# Print the full JSON input template for this command (reference only; creates nothing).
oci network drg-attachment create --generate-full-command-json-input

 

# Attach the DRG to vcn01 (VCN id from the vcn01_id Terraform output; the value
# below is a placeholder). "route-table-id": null assigns no explicit DRG route
# table; "vcn-route-type": "SUBNET_CIDRS" is the VCN route type used here.
oci network drg-attachment create \
--drg-id ocid1.drg.oc1.iad.000000000000000000000000000000000000000000000000000000000000 \
--display-name drg0101 \
--network-details '{
      "id": "ocid1.vcn.oc1.iad.000000000000000000000000000000000000000000000000000000000000",
      "route-table-id": null,
      "type": "VCN",
      "vcn-route-type": "SUBNET_CIDRS"
    }' 

 

-- 6. 顧客構内機器作成【OCI】


# List the CPE device shapes as a vendor/id table; the id of the chosen vendor
# goes into --cpe-device-shape-id below.
oci network cpe-device-shape list \
--query 'data.{"vendor":"cpe-device-info"."vendor","id":"id"}' \
--output table

 


# Register the GCP HA VPN gateway as the customer-premises equipment on the OCI
# side. 192.0.2.1 is a placeholder (documentation address): use the external IP
# of interface 0 of vpn11 from `gcloud compute vpn-gateways describe` (section 4).
oci network cpe create \
--compartment-id ocid1.compartment.oc1..000000000000000000000000000000000000000000000000000000000000 \
--ip-address 192.0.2.1 \
--display-name cpe01 \
--cpe-device-shape-id 0c14a129-ce70-43f3-bf07-e980a6784ae8 


ip-addressはGCP VPNゲートウェイの外部IPアドレス


# Note the CPE id from this output; it is the --cpe-id for the IPSec connection in section 7.
oci network cpe list \
--compartment-id ocid1.compartment.oc1..000000000000000000000000000000000000000000000000000000000000 

 


-- 7. サイト間VPN作成【OCI】

 

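# Print the full JSON input template for this command (reference only; creates nothing).
oci network ip-sec-connection create --generate-full-command-json-input

 

# The IPsec pre-shared key is read from the environment instead of being written
# into this file. It must be the same value the GCP tunnel is created with in
# section 10. It is still visible in the oci process' argument list, so do not run
# this under `set -x`. Because it is spliced into the JSON below, the value must
# not contain double quotes or backslashes.
: "${IPSEC_PSK:?set IPSEC_PSK to the IPsec pre-shared key (same value as the GCP tunnel)}"

# Create the site-to-site VPN: one tunnel, IKEv2, BGP over 169.254.20.0/30
# (Oracle 169.254.20.2, GCP 169.254.20.1, GCP ASN 64513).
# The original template contained `"associatedVirtualCircuits": ,` which is not
# valid JSON and is rejected by the CLI; the key is optional and is omitted here.
# Phase 1/2 algorithms are null, so Oracle's defaults are negotiated. PFS uses
# GROUP5 — confirm the GCP side accepts that group, and prefer a stronger one
# (e.g. GROUP14) if both ends support it.
oci network ip-sec-connection create \
--compartment-id ocid1.compartment.oc1..000000000000000000000000000000000000000000000000000000000000 \
--cpe-id ocid1.cpe.oc1.iad.000000000000000000000000000000000000000000000000000000000000 \
--drg-id ocid1.drg.oc1.iad.000000000000000000000000000000000000000000000000000000000000 \
--static-routes '["10.0.0.0/24"]' \
--display-name vpn01 \
--tunnel-configuration '[
    {
      "bgpSessionConfig": {
        "customerBgpAsn": "64513",
        "customerInterfaceIp": "169.254.20.1/30",
        "customerInterfaceIpv6": null,
        "oracleInterfaceIp": "169.254.20.2/30",
        "oracleInterfaceIpv6": null
      },
      "displayName": "tun01",
      "dpdConfig": {
        "dpdMode": "INITIATE_AND_RESPOND",
        "dpdTimeoutInSec": "20"
      },
      "drgRouteTableId": null,
      "encryptionDomainConfig": null,
      "ikeVersion": "V2",
      "natTranslationEnabled": "AUTO",
      "oracleInitiation": "INITIATOR_OR_RESPONDER",
      "oracleTunnelIp": null,
      "phaseOneConfig": {
        "authenticationAlgorithm": null,
        "diffieHelmanGroup": null,
        "encryptionAlgorithm": null,
        "isCustomPhaseOneConfig": false,
        "lifetimeInSeconds": "36000"
      },
      "phaseTwoConfig": {
        "authenticationAlgorithm": null,
        "encryptionAlgorithm": null,
        "isCustomPhaseTwoConfig": false,
        "isPfsEnabled": true,
        "lifetimeInSeconds": "10800",
        "pfsDhGroup": "GROUP5"
      },
      "routing": "BGP",
      "sharedSecret": "'"${IPSEC_PSK}"'"
    }
]'

 

# Note the connection id: needed for the tunnel listing below and the clean-up in section 17.
oci network ip-sec-connection list \
--compartment-id ocid1.compartment.oc1..000000000000000000000000000000000000000000000000000000000000

# The Oracle-side VPN IP address of tun01 in this output is the value for the GCP
# external VPN gateway interface in section 8.
oci network ip-sec-tunnel list \
--ipsc-id ocid1.ipsecconnection.oc1.iad.000000000000000000000000000000000000000000000000000000000000 \
--all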


-- 8. ピアVPNゲートウェイ作成【GCP】


# Register the OCI tunnel endpoint as a peer (external) VPN gateway with a single
# interface. 192.0.2.1 is a placeholder — and not the same address as the CPE in
# section 6: this one is the Oracle VPN IP of tun01 from `oci network ip-sec-tunnel list`.
gcloud compute external-vpn-gateways create pvg11 \
--interfaces 0=192.0.2.1


※IPアドレスはOracle VPNの外部IPアドレス(OCI側IPSecトンネルのVPN IP)

# Confirm the peer gateway exists; pvg11 is referenced by the tunnel in section 10.
gcloud compute external-vpn-gateways list


-- 9. Cloud Router作成 【GCP】

 

# Cloud Router for BGP over the tunnel. --asn must equal the customerBgpAsn
# configured on the OCI tunnel (64513, section 7).
gcloud compute routers create cr11 \
--region=asia-northeast1 \
--network=vpc01 \
--asn=64513

gcloud compute routers list

gcloud compute routers describe cr11 \
--region=asia-northeast1


-- 10. VPNトンネル作成【GCP】

 

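# The pre-shared key is read from the environment rather than written into this
# file; it must be identical to the value used for the OCI IPSec connection in
# section 7. gcloud takes the secret only as a flag, so it is still visible in the
# process argument list; do not run this under `set -x`.
: "${IPSEC_PSK:?set IPSEC_PSK to the IPsec pre-shared key (same value as the OCI tunnel)}"

# Tunnel from interface 0 of vpn11 to interface 0 of the peer gateway pvg11,
# IKEv2, bound to Cloud Router cr11 for BGP (section 11).
gcloud compute vpn-tunnels create tun11 \
--shared-secret="${IPSEC_PSK}" \
--peer-external-gateway=pvg11 \
--vpn-gateway=vpn11 \
--ike-version=2 \
--interface=0 \
--peer-external-gateway-interface=0 \
--region=asia-northeast1 \
--router=cr11 \
--router-region=asia-northeast1

 

 

gcloud compute vpn-tunnels list

# The status fields in this output show whether IKE negotiation with the OCI side
# succeeded (compare with the OCI tunnel status in section 12).
gcloud compute vpn-tunnels describe tun11 \
--region=asia-northeast1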

 

-- 11. BGPセッションの構成【GCP】

# BGP interface on the tunnel. 169.254.20.1/30 is the GCP (customer) side of the
# link-local pair configured on the OCI tunnel (customerInterfaceIp, section 7).
gcloud compute routers add-interface cr11 \
--interface-name=bgp-interface11 \
--vpn-tunnel=tun11 \
--vpn-tunnel-region=asia-northeast1 \
--ip-address=169.254.20.1 \
--mask-length=30 \
--region=asia-northeast1


※ip-addressはGCP側IPSec Tunnel #1の内部IPアドレス

 


# BGP peer: --peer-asn is OCI's fixed ASN 31898 and --peer-ip-address is the
# Oracle side of the /30 (oracleInterfaceIp, section 7). --advertisement-mode=DEFAULT
# lets the router advertise the VPC subnets, which is why no static route to
# 10.1.0.0/24 is needed on the GCP side (section 13.1).
gcloud compute routers add-bgp-peer cr11 \
--interface=bgp-interface11 \
--peer-asn=31898 \
--peer-name=bgp-peer11 \
--advertisement-mode=DEFAULT \
--no-enable-ipv6 \
--peer-ip-address=169.254.20.2 \
--region=asia-northeast1

※peer-ip-addressはOCI側IPSec Tunnel #1の内部IPアドレス

 

-- 12. BGPステータス確認

【GCP】

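# Show the BGP session state of cr11. --region is given explicitly, as in the
# other router commands, instead of relying on the compute/region default.
gcloud compute routers get-status cr11 \
--region=asia-northeast1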

 

【OCI】
IPSecステータスとIPv4 BGPステータスが「稼働中」になるまで待つ

 

-- 13. ルートテーブル修正

-- 13.1 OCI(10.1.0.0/24)への経路(ターゲットはCloud HA VPN ゲートウェイ)をサブネットのルートテーブルに追加【GCP】
https://cloud.google.com/network-connectivity/docs/router/concepts/overview?hl=ja#egress

動的ルートとして追加されるため設定不要

 

-- 13.2 GCP側(10.0.0.0/24)への経路(ターゲットは動的ルーティング・ゲートウェイ)をサブネットのルートテーブルに追加【OCI】


# Replacement for the rt01 resource in oci/main.tf (section 3): adds a rule that
# sends traffic for the GCP subnet 10.0.0.0/24 to the DRG while keeping the
# default route to the internet gateway.
resource "oci_core_route_table" "rt01" {
    #Required
    compartment_id = oci_identity_compartment.cmp01.id
    vcn_id = oci_core_vcn.vcn01.id

    #Optional
    display_name = "rt01"
    route_rules {
        network_entity_id = oci_core_internet_gateway.igw01.id
        destination = "0.0.0.0/0"
    }
    route_rules {
        # The DRG was created with the CLI (section 5), not by Terraform, so its
        # OCID is a literal here (placeholder — paste the id from `oci network drg list`).
        # Passing it as a variable (e.g. via TF_VAR_...) would avoid editing main.tf.
        network_entity_id = "ocid1.drg.oc1.iad.000000000000000000000000000000000000000000000000000000000000"
        destination = "10.0.0.0/24"
    }
}


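# Section 3 ended with `cd ..`, so change into the OCI working directory before
# applying the rt01 change; otherwise terraform runs against the wrong (or no)
# configuration. Same pattern as the OCI clean-up in section 17.
cd oci

terraform apply -auto-approve

cd ..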

 

 

 


-- 14. pingで疎通確認【GCP】

# Run on the GCP vm01; 10.1.0.162 is the OCI vm01 private IP in this lab
# (subnet01 10.1.0.0/24) and will differ in another deployment.
ping 10.1.0.162

-- 15. pingで疎通確認【OCI】

# Run on the OCI vm01; 10.0.0.3 is the GCP vm01 private IP in this lab
# (subnet01 10.0.0.0/24) and will differ in another deployment.
ping 10.0.0.3

 

 

-- 16. クリーンアップ【GCP】


-- BGPセッション削除

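# Remove the BGP peer first, then its interface. --region is given explicitly,
# as in the other router commands, instead of relying on the compute/region default.
gcloud compute routers remove-bgp-peer cr11 \
--peer-name=bgp-peer11 \
--region=asia-northeast1

gcloud compute routers remove-interface cr11 \
--interface-name=bgp-interface11 \
--region=asia-northeast1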

-- VPNトンネル削除

gcloud compute vpn-tunnels list

# The tunnel must go before the Cloud Router and the gateways it references.
gcloud compute vpn-tunnels delete tun11 \
--region=asia-northeast1 \
--quiet

 

-- Cloud Router削除

gcloud compute routers list

# Delete the Cloud Router now that its BGP peer, interface and tunnel are gone.
gcloud compute routers delete cr11 \
--region=asia-northeast1 \
--quiet

-- ピアVPNゲートウェイ削除

gcloud compute external-vpn-gateways list

# Peer gateways are global resources, hence no --region here.
gcloud compute external-vpn-gateways delete pvg11 \
--quiet


-- Cloud HA VPN ゲートウェイ削除
gcloud compute vpn-gateways list

# Delete the HA VPN gateway; remember to update the OCI CPE if it is recreated
# (its external IP is registered in section 6).
gcloud compute vpn-gateways delete vpn11 \
--region=asia-northeast1 \
--quiet

 


# Tear down the Terraform-managed GCP resources (VPC, subnet, VM, firewall rules)
# from the gcp working directory created in section 2.
cd gcp

terraform destroy -auto-approve

cd ..


-- プロジェクト削除

gcloud projects list

# Deletes the whole project; the project id is the placeholder from section 1.
gcloud projects delete project01-9999999 \
--quiet


# NOTE(review): this runs after the project delete — confirm the unlink still
# succeeds on a project pending deletion, or move it before the delete.
gcloud beta billing projects unlink project01-9999999

 


-- 17. クリーンアップ【OCI】

-- サイト間VPN削除

oci network ip-sec-connection list \
--compartment-id ocid1.compartment.oc1..000000000000000000000000000000000000000000000000000000000000 


# --force skips the confirmation prompt. The connection must go before the CPE
# and DRG it references.
oci network ip-sec-connection delete \
--ipsc-id ocid1.ipsecconnection.oc1.iad.000000000000000000000000000000000000000000000000000000000000 \
--force 


-- 顧客構内機器削除

oci network cpe list \
--compartment-id ocid1.compartment.oc1..000000000000000000000000000000000000000000000000000000000000

# Delete the CPE (GCP gateway registration) once no IPSec connection uses it.
oci network cpe delete \
--cpe-id ocid1.cpe.oc1.iad.000000000000000000000000000000000000000000000000000000000000 \
--force 


-- 動的ルーティング・ゲートウェイ削除(VCNからデタッチしてから)

    
# Detach the DRG from the VCN first; the DRG cannot be deleted while attached.
oci network drg-attachment list \
--compartment-id ocid1.compartment.oc1..000000000000000000000000000000000000000000000000000000000000 

 

oci network drg-attachment delete \
--drg-attachment-id ocid1.drgattachment.oc1.iad.000000000000000000000000000000000000000000000000000000000000 \
--force 


oci network drg list \
--compartment-id ocid1.compartment.oc1..000000000000000000000000000000000000000000000000000000000000 

# Delete the DRG. The rt01 rule added in section 13.2 still references this OCID
# literally; the Terraform destroy below removes that route table.
oci network drg delete \
--drg-id ocid1.drg.oc1.iad.000000000000000000000000000000000000000000000000000000000000 \
--force


# Tear down the Terraform-managed OCI resources (compartment, VCN, subnet, VM, ...)
# from the oci working directory created in section 3.
cd oci

terraform destroy -auto-approve

cd ..