https://docs.oracle.com/ja-jp/iaas/Content/Network/Tasks/vpn_to_gcp.htm
前提:
基礎ネットワークとEC2インスタンスはTerraformで作成
その他はCLIで作成
macから実施
GCP側のASN: 64513
OCI側のASN: 31898
※OCI側のASNは固定値31898を使用する必要あり
IPSec tunnel使用本数: 1本
GCP側のサブネット: 10.0.0.0/24
OCI側のサブネット: 10.1.0.0/24
-- 1. プロジェクト作成【GCP】
# Step 1 (GCP): initialise the gcloud CLI, create and select the project,
# set the default region/zone, link billing and enable the Compute Engine API
# that the Terraform resources in step 2 need.
gcloud init
gcloud auth list
gcloud --version
# The project ID and billing account below look like placeholders — substitute real values.
gcloud projects create project01-9999999 \
--name="project01"
gcloud config list
gcloud config set project project01-9999999
# Defaults for region/zone. Most later commands pass --region explicitly; the few
# cleanup commands that omit it presumably fall back to this default.
gcloud config set compute/region asia-northeast1 --quiet
gcloud config set compute/zone asia-northeast1-a --quiet
gcloud beta billing accounts list
gcloud beta billing projects link project01-9999999 --billing-account=111111-111111-111111
gcloud services enable compute.googleapis.com --project project01-9999999
-- 2. VPC、サブネット、VMインスタンス作成【GCP】
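# Step 2 (GCP): write the Terraform config into ./gcp and apply it.
# Work in a dedicated directory, mirroring step 3 (./oci): the trailing
# `cd ..` here and the `cd gcp` in the step-16 cleanup assume this layout,
# which the original text did not create.
mkdir gcp
cd gcp
# main.tf creates: VPC vpc01 (no auto subnets), subnet01 10.0.0.0/24 with
# Private Google Access, service account sa123, a preemptible e2-micro VM
# tagged tag01 with an ephemeral public IP (access_config), fw01 (tcp/22
# from 0.0.0.0/0 to tag01) and fw02 (all protocols from the OCI subnet
# 10.1.0.0/24 to tag01). The quoted EOF keeps the HCL literal (no shell
# expansion).
# NOTE(review): fw01 exposes SSH to the whole Internet — narrow
# source_ranges to the operator's address range. The VM's service account
# gets the broad "cloud-platform" scope, which is wider than a ping test needs.
cat <<-'EOF' > main.tf
provider "google" {
project = "project01-9999999"
region = "asia-northeast1"
}
resource "google_compute_network" "vpc01" {
name = "vpc01"
auto_create_subnetworks = false
}
resource "google_compute_subnetwork" "subnet01" {
name = "subnet01"
ip_cidr_range = "10.0.0.0/24"
network = google_compute_network.vpc01.id
private_ip_google_access =true
}
resource "google_service_account" "sa123" {
account_id = "sa123"
display_name = "sa123"
}
resource "google_compute_instance" "vm01" {
name = "vm01"
machine_type = "e2-micro"
zone = "asia-northeast1-a"
tags = ["tag01"]
boot_disk {
initialize_params {
image = "centos-7-v20221004"
}
}
network_interface {
network = google_compute_network.vpc01.self_link
subnetwork = google_compute_subnetwork.subnet01.self_link
access_config {}
}
service_account {
email = google_service_account.sa123.email
scopes = ["cloud-platform"]
}
scheduling {
preemptible = true
automatic_restart = false
}
}
resource "google_compute_firewall" "fw01" {
name = "fw01"
network = google_compute_network.vpc01.name
direction = "INGRESS"
allow {
protocol = "tcp"
ports = ["22"]
}
source_ranges = [
"0.0.0.0/0"
]
target_tags = ["tag01"]
}
resource "google_compute_firewall" "fw02" {
name = "fw02"
network = google_compute_network.vpc01.name
direction = "INGRESS"
allow {
protocol = "all"
}
source_ranges = [
"10.1.0.0/24"
]
target_tags = ["tag01"]
}
EOF
terraform init
terraform fmt
terraform -version
terraform plan
terraform apply -auto-approve
# terraform destroy -auto-approve
# gcloud compute ssh vm01
cd ..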
-- 3. VPC、サブネット、コンピュートインスタンス作成【OCI】
# Step 3 (OCI): Terraform for the OCI side, kept in ./oci.
mkdir oci
cd oci
# variables.tf: the tenancy OCID (a placeholder value here) and the compartment name.
cat <<-'EOF' > variables.tf
locals {
tenancy_ocid = "ocid1.tenancy.oc1..000000000000000000000000000000000000000000000000000000000000"
}
variable "compartment_name" {
description = "compartment_name"
type = string
default = "cmp01"
}
EOF
# main.tf: provider pinned to oci 5.23.0 with API-key auth (user OCID, key
# file path, fingerprint, region us-ashburn-1); compartment cmp01 (deletable);
# VCN 10.1.0.0/16 with an internet gateway, a default route to it, security
# list sl01 and subnet 10.1.0.0/24; the newest Oracle Linux 9.2 image; one
# preemptible VM.Standard.E2.1 instance with a public IP and the local SSH
# public key, terminated (boot volume dropped) on preemption.
# NOTE(review): the user OCID shown is a placeholder and the fingerprint is
# tenancy-specific; keeping them out of the .tf file (the provider can also
# read a ~/.oci/config profile) makes the file shareable. sl01 admits tcp/22
# from 0.0.0.0/0 — restrict it to the operator's address; the "all protocols
# from 10.0.0.0/24" rule is what lets the GCP VM reach this host over the VPN.
# The availability_domain name "OEIw:..." is also tenancy-specific.
cat <<-'EOF' > main.tf
terraform {
required_version = ">= 1.0.0, < 2.0.0"
required_providers {
oci = {
source = "hashicorp/oci"
version = "= 5.23.0"
}
}
}
provider "oci" {
tenancy_ocid = local.tenancy_ocid
user_ocid = "ocid1.user.oc1..000000000000000000000000000000000000000000000000000000000000"
private_key_path = "~/.oci/oci_api_key.pem"
fingerprint = "45:ed:22:e6:cc:fd:63:97:12:9d:62:7a:90:12:65:7a"
region = "us-ashburn-1"
}
resource "oci_identity_compartment" "cmp01" {
# Required
compartment_id = local.tenancy_ocid
description = var.compartment_name
name = var.compartment_name
enable_delete = true
}
resource "oci_core_vcn" "vcn01" {
#Required
compartment_id = oci_identity_compartment.cmp01.id
#Optional
cidr_block = "10.1.0.0/16"
display_name = "vcn01"
dns_label = "vcn01"
}
resource "oci_core_internet_gateway" "igw01" {
#Required
compartment_id = oci_identity_compartment.cmp01.id
vcn_id = oci_core_vcn.vcn01.id
#Optional
enabled = true
display_name = "igw01"
}
resource "oci_core_route_table" "rt01" {
#Required
compartment_id = oci_identity_compartment.cmp01.id
vcn_id = oci_core_vcn.vcn01.id
#Optional
display_name = "rt01"
route_rules {
network_entity_id = oci_core_internet_gateway.igw01.id
destination = "0.0.0.0/0"
}
}
resource "oci_core_security_list" "sl01" {
#Required
compartment_id = oci_identity_compartment.cmp01.id
vcn_id = oci_core_vcn.vcn01.id
#Optional
display_name = "sl01"
egress_security_rules {
protocol = "all"
destination = "0.0.0.0/0"
stateless = false
}
ingress_security_rules {
protocol = "6"
source = "0.0.0.0/0"
stateless = false
tcp_options {
max = 22
min = 22
}
}
ingress_security_rules {
protocol = "all"
source = "10.0.0.0/24"
stateless = false
}
}
resource "oci_core_subnet" "subnet01" {
#Required
cidr_block = "10.1.0.0/24"
compartment_id = oci_identity_compartment.cmp01.id
vcn_id = oci_core_vcn.vcn01.id
#Optional
display_name = "subnet01"
dns_label = "subnet01"
route_table_id = oci_core_route_table.rt01.id
security_list_ids = [oci_core_security_list.sl01.id]
}
data "oci_core_images" "ol9_latest" {
#Required
compartment_id = oci_identity_compartment.cmp01.id
#Optional
operating_system = "Oracle Linux"
operating_system_version = "9"
shape = "VM.Standard.E2.1"
sort_by = "TIMECREATED"
sort_order = "DESC"
filter {
name = "display_name"
values = ["Oracle-Linux-9.2-2023.*"]
regex = true
}
}
resource "oci_core_instance" "vm01" {
#Required
availability_domain = "OEIw:US-ASHBURN-AD-1"
compartment_id = oci_identity_compartment.cmp01.id
shape = "VM.Standard.E2.1"
agent_config {
plugins_config {
desired_state = "ENABLED"
name = "OS Management Service Agent"
}
plugins_config {
desired_state = "ENABLED"
name = "Compute Instance Run Command"
}
plugins_config {
desired_state = "ENABLED"
name = "Compute Instance Monitoring"
}
}
create_vnic_details {
#Optional
assign_public_ip = true
subnet_id = oci_core_subnet.subnet01.id
}
display_name = "vm01"
fault_domain = "FAULT-DOMAIN-1"
metadata = {
ssh_authorized_keys = file("~/.ssh/id_rsa.pub")
}
source_details {
#Required
source_id = data.oci_core_images.ol9_latest.images[0].id
source_type = "image"
#Optional
boot_volume_size_in_gbs = 50
}
preserve_boot_volume = false
preemptible_instance_config {
preemption_action {
type = "TERMINATE"
preserve_boot_volume = false
}
}
}
EOF
# outputs.tf: the OCIDs the CLI steps below need (compartment, VCN, route table, ...).
cat <<-'EOF' > outputs.tf
output "cmp01_id" {
value = oci_identity_compartment.cmp01.id
description = "cmp01.id"
}
output "vcn01_id" {
value = oci_core_vcn.vcn01.id
description = "vcn01.id"
}
output "igw01_id" {
value = oci_core_internet_gateway.igw01.id
description = "igw01.id"
}
output "rt01_id" {
value = oci_core_route_table.rt01.id
description = "rt01.id"
}
output "sl01_id" {
value = oci_core_security_list.sl01.id
description = "sl01.id"
}
output "subnet01_id" {
value = oci_core_subnet.subnet01.id
description = "subnet01.id"
}
EOF
terraform init
terraform fmt
terraform -version
# Same value as the variable's default; `export` leaves it set for the rest of the shell session.
export TF_VAR_compartment_name=cmp01
terraform plan
terraform apply -auto-approve
# terraform destroy -auto-approve
cd ..
-- 4. Cloud HA VPN ゲートウェイ作成 【GCP】
# Step 4 (GCP): HA VPN gateway vpn11 on vpc01, IPv4 only. `describe` reports
# the gateway's interface addresses; the interface-0 external IP is the
# address the OCI CPE is created with in step 6.
gcloud compute vpn-gateways create vpn11 \
--region=asia-northeast1 \
--network=vpc01 \
--stack-type=IPV4_ONLY
gcloud compute vpn-gateways list
gcloud compute vpn-gateways describe vpn11 \
--region=asia-northeast1
-- 5. 動的ルーティング・ゲートウェイ作成 【OCI】
# Step 5 (OCI): dynamic routing gateway drg01. The all-zero compartment OCID
# is a placeholder — use the cmp01_id output from step 3.
oci network drg create \
--compartment-id ocid1.compartment.oc1..000000000000000000000000000000000000000000000000000000000000 \
--display-name drg01
oci network drg list \
--compartment-id ocid1.compartment.oc1..000000000000000000000000000000000000000000000000000000000000
VCNへのDRGのアタッチ
# Attach drg01 to vcn01. The first command only prints the JSON parameter
# template; the second does the work. DRG and VCN OCIDs below are
# placeholders (drg list output / vcn01_id output). vcn-route-type
# SUBNET_CIDRS with no DRG route table id.
oci network drg-attachment create --generate-full-command-json-input
oci network drg-attachment create \
--drg-id ocid1.drg.oc1.iad.000000000000000000000000000000000000000000000000000000000000 \
--display-name drg0101 \
--network-details '{
"id": "ocid1.vcn.oc1.iad.000000000000000000000000000000000000000000000000000000000000",
"route-table-id": null,
"type": "VCN",
"vcn-route-type": "SUBNET_CIDRS"
}'
-- 6. 顧客構内機器作成【OCI】
# Step 6 (OCI): customer-premises equipment object representing the GCP gateway.
# The shape list prints vendor/id pairs; the id chosen below comes from that table.
oci network cpe-device-shape list \
--query 'data.{"vendor":"cpe-device-info"."vendor","id":"id"}' \
--output table
# 192.0.2.1 is a documentation-range placeholder: replace it with the
# external IP of the HA VPN gateway interface from step 4.
oci network cpe create \
--compartment-id ocid1.compartment.oc1..000000000000000000000000000000000000000000000000000000000000 \
--ip-address 192.0.2.1 \
--display-name cpe01 \
--cpe-device-shape-id 0c14a129-ce70-43f3-bf07-e980a6784ae8
ip-addressはGCP VPNゲートウェイの外部IPアドレス
# List CPEs to pick up the cpe01 OCID needed by the IPSec connection in step 7.
oci network cpe list \
--compartment-id ocid1.compartment.oc1..000000000000000000000000000000000000000000000000000000000000
-- 7. サイト間VPN作成【OCI】
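# Step 7 (OCI): site-to-site VPN (IPSec connection) between cpe01 and drg01
# with a single BGP tunnel. The first command only prints the JSON template.
oci network ip-sec-connection create --generate-full-command-json-input
# The tunnel settings must mirror the GCP side built in steps 9-11:
# customerBgpAsn 64513 = the Cloud Router ASN, customerInterfaceIp
# 169.254.20.1/30 = the Cloud Router interface address, oracleInterfaceIp
# 169.254.20.2/30 = the BGP peer address, sharedSecret = the tunnel's
# --shared-secret, ikeVersion V2 = --ike-version=2.
# Fix: the original had `"associatedVirtualCircuits": ,` (no value), which is
# not valid JSON and cannot be parsed by the CLI; it is null here like the
# other unused optional fields.
# NOTE(review): the pre-shared key is passed on the command line, so it lands
# in shell history and is visible to `ps`; use a long random value instead of
# "PreSharedKey1" and rotate it after the test. pfsDhGroup GROUP5 is a
# 1536-bit MODP group — prefer GROUP14 or stronger if the peer supports it.
oci network ip-sec-connection create \
--compartment-id ocid1.compartment.oc1..000000000000000000000000000000000000000000000000000000000000 \
--cpe-id ocid1.cpe.oc1.iad.000000000000000000000000000000000000000000000000000000000000 \
--drg-id ocid1.drg.oc1.iad.000000000000000000000000000000000000000000000000000000000000 \
--static-routes '["10.0.0.0/24"]' \
--display-name vpn01 \
--tunnel-configuration '[
{
"associatedVirtualCircuits": null,
"bgpSessionConfig": {
"customerBgpAsn": "64513",
"customerInterfaceIp": "169.254.20.1/30",
"customerInterfaceIpv6": null,
"oracleInterfaceIp": "169.254.20.2/30",
"oracleInterfaceIpv6": null
},
"displayName": "tun01",
"dpdConfig": {
"dpdMode": "INITIATE_AND_RESPOND",
"dpdTimeoutInSec": "20"
},
"drgRouteTableId": null,
"encryptionDomainConfig": null,
"ikeVersion": "V2",
"natTranslationEnabled": "AUTO",
"oracleInitiation": "INITIATOR_OR_RESPONDER",
"oracleTunnelIp": null,
"phaseOneConfig": {
"authenticationAlgorithm": null,
"diffieHelmanGroup": null,
"encryptionAlgorithm": null,
"isCustomPhaseOneConfig": false,
"lifetimeInSeconds": "36000"
},
"phaseTwoConfig": {
"authenticationAlgorithm": null,
"encryptionAlgorithm": null,
"isCustomPhaseTwoConfig": false,
"isPfsEnabled": true,
"lifetimeInSeconds": "10800",
"pfsDhGroup": "GROUP5"
},
"routing": "BGP",
"sharedSecret": "PreSharedKey1"
}
]'
oci network ip-sec-connection list \
--compartment-id ocid1.compartment.oc1..000000000000000000000000000000000000000000000000000000000000
# The tunnel listing carries the Oracle-side public tunnel address used for the
# GCP peer gateway in step 8.
oci network ip-sec-tunnel list \
--ipsc-id ocid1.ipsecconnection.oc1.iad.000000000000000000000000000000000000000000000000000000000000 \
--all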
-- 8. ピアVPNゲートウェイ作成【GCP】
# Step 8 (GCP): peer (external) VPN gateway with one interface, set to the
# Oracle-side tunnel public IP from step 7. 192.0.2.1 is a placeholder; it is
# the same literal the step-6 CPE used for the GCP side, but the two real
# addresses are different gateways and will differ.
gcloud compute external-vpn-gateways create pvg11 \
--interfaces 0=192.0.2.1
※ipアドレスはOracle VPN の外部IPアドレス
# Confirm pvg11 exists before the tunnel in step 10 references it.
gcloud compute external-vpn-gateways list
-- 9. Cloud Router作成 【GCP】
# Step 9 (GCP): Cloud Router cr11 on vpc01 with ASN 64513 — the value given
# as customerBgpAsn in the OCI tunnel configuration (step 7).
gcloud compute routers create cr11 \
--region=asia-northeast1 \
--network=vpc01 \
--asn=64513
gcloud compute routers list
gcloud compute routers describe cr11 \
--region=asia-northeast1
-- 10. VPNトンネル作成【GCP】
# Step 10 (GCP): tunnel tun11 from vpn11 interface 0 to pvg11 interface 0,
# IKEv2, attached to cr11. --shared-secret must equal sharedSecret in the OCI
# tunnel config (step 7).
# NOTE(review): the secret is on the command line (shell history, `ps`); use
# a long random value rather than "PreSharedKey1" and rotate after testing.
gcloud compute vpn-tunnels create tun11 \
--shared-secret=PreSharedKey1 \
--peer-external-gateway=pvg11 \
--vpn-gateway=vpn11 \
--ike-version=2 \
--interface=0 \
--peer-external-gateway-interface=0 \
--region=asia-northeast1 \
--router=cr11 \
--router-region=asia-northeast1
gcloud compute vpn-tunnels list
gcloud compute vpn-tunnels describe tun11 \
--region=asia-northeast1
-- 11. BGPセッションの構成【GCP】
# Step 11 (GCP): Cloud Router interface on tun11 with 169.254.20.1/30 — the
# customerInterfaceIp from the OCI tunnel config (step 7).
gcloud compute routers add-interface cr11 \
--interface-name=bgp-interface11 \
--vpn-tunnel=tun11 \
--vpn-tunnel-region=asia-northeast1 \
--ip-address=169.254.20.1 \
--mask-length=30 \
--region=asia-northeast1
※ip-addressはGCP側IPSec Tunnel #1の内部IPアドレス
# BGP peer: OCI's fixed ASN 31898 at 169.254.20.2 (the oracleInterfaceIp from
# step 7). DEFAULT advertisement mode announces the VPC subnets; IPv6 is off,
# matching the IPV4_ONLY gateway from step 4.
gcloud compute routers add-bgp-peer cr11 \
--interface=bgp-interface11 \
--peer-asn=31898 \
--peer-name=bgp-peer11 \
--advertisement-mode=DEFAULT \
--no-enable-ipv6 \
--peer-ip-address=169.254.20.2 \
--region=asia-northeast1
※peer-ip-addressはOCI側IPSec Tunnel #1の内部IPアドレス
-- 12. BGPステータス確認
【GCP】
# Step 12 (GCP): BGP session state for cr11. No --region here, so this
# presumably relies on the compute/region default set in step 1.
gcloud compute routers get-status cr11
【OCI】
IPSecステータスとIPv4 BGPステータスが「稼働中」になるまで待つ
-- 13. ルートテーブル修正
-- 13.1 OCI(10.1.0.0/24)への経路(ターゲットはCloud HA VPN ゲートウェイ)をサブネットのルートテーブルに追加【GCP】
https://cloud.google.com/network-connectivity/docs/router/concepts/overview?hl=ja#egress
動的ルートとして追加されるため設定不要
-- 13.2 GCP側(10.0.0.0/24)への経路(ターゲットは動的ルーティング・ゲートウェイ)をサブネットのルートテーブルに追加【OCI】
# Step 13.2: replacement for the rt01 resource in oci/main.tf — identical to
# the step-3 definition plus a second rule that sends the GCP subnet
# 10.0.0.0/24 to the DRG created with the CLI in step 5.
resource "oci_core_route_table" "rt01" {
#Required
compartment_id = oci_identity_compartment.cmp01.id
vcn_id = oci_core_vcn.vcn01.id
#Optional
display_name = "rt01"
route_rules {
network_entity_id = oci_core_internet_gateway.igw01.id
destination = "0.0.0.0/0"
}
route_rules {
# The DRG is not managed by this Terraform, so its OCID is literal; the
# all-zero value is a placeholder — take the real id from `oci network drg list`.
network_entity_id = "ocid1.drg.oc1.iad.000000000000000000000000000000000000000000000000000000000000"
destination = "10.0.0.0/24"
}
}
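# Re-apply the OCI stack after editing rt01 in oci/main.tf. Step 3 ended with
# `cd ..`, so the config is in ./oci and must be entered first (the original
# ran apply from the parent directory); the step-17 cleanup does the same.
cd oci
terraform apply -auto-approve
cd ..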
-- 14.pingで疎通確認【GCP】
# Step 14: from the GCP VM (presumably inside vm01 via gcloud compute ssh),
# ping the OCI instance's private address in 10.1.0.0/24; sl01's
# "all from 10.0.0.0/24" rule admits it.
ping 10.1.0.162
-- 15. pingで疎通確認【OCI】
# Step 15: from the OCI VM, ping the GCP instance's private address in
# 10.0.0.0/24; fw02 admits all protocols from 10.1.0.0/24.
ping 10.0.0.3
-- 16. クリーンアップ【GCP】
-- BGPセッション削除
# Step 16 (GCP) cleanup: drop the BGP peer, then the router interface. Neither
# passes --region; this presumably relies on the default set in step 1.
gcloud compute routers remove-bgp-peer cr11 \
--peer-name=bgp-peer11
gcloud compute routers remove-interface cr11 \
--interface-name=bgp-interface11
-- VPNトンネル削除
# Delete the tunnel before the router and gateways it references.
gcloud compute vpn-tunnels list
gcloud compute vpn-tunnels delete tun11 \
--region=asia-northeast1 \
--quiet
-- Cloud Router削除
# Delete Cloud Router cr11 (its interface and peer were removed above).
gcloud compute routers list
gcloud compute routers delete cr11 \
--region=asia-northeast1 \
--quiet
-- ピアVPNゲートウェイ削除
# Delete the peer gateway pvg11 (global resource, no --region).
gcloud compute external-vpn-gateways list
gcloud compute external-vpn-gateways delete pvg11 \
--quiet
-- Cloud HA VPN ゲートウェイ削除
# Delete the HA VPN gateway, then destroy the step-2 Terraform resources.
# `cd gcp` assumes the GCP config was written into ./gcp.
gcloud compute vpn-gateways list
gcloud compute vpn-gateways delete vpn11 \
--region=asia-northeast1 \
--quiet
cd gcp
terraform destroy -auto-approve
cd ..
-- プロジェクト削除
# Delete the project and detach it from the billing account.
gcloud projects list
gcloud projects delete project01-9999999 \
--quiet
gcloud beta billing projects unlink project01-9999999
-- 17. クリーンアップ【OCI】
-- サイト間VPN削除
# Step 17 (OCI) cleanup: delete the IPSec connection first; --force skips the
# confirmation prompt. OCIDs are placeholders as above.
oci network ip-sec-connection list \
--compartment-id ocid1.compartment.oc1..000000000000000000000000000000000000000000000000000000000000
oci network ip-sec-connection delete \
--ipsc-id ocid1.ipsecconnection.oc1.iad.000000000000000000000000000000000000000000000000000000000000 \
--force
-- 顧客構内機器削除
# Delete the CPE object once no IPSec connection references it.
oci network cpe list \
--compartment-id ocid1.compartment.oc1..000000000000000000000000000000000000000000000000000000000000
oci network cpe delete \
--cpe-id ocid1.cpe.oc1.iad.000000000000000000000000000000000000000000000000000000000000 \
--force
-- 動的ルーティング・ゲートウェイ削除(VCNからデタッチしてから)
# Detach the DRG from the VCN, then delete the DRG.
oci network drg-attachment list \
--compartment-id ocid1.compartment.oc1..000000000000000000000000000000000000000000000000000000000000
oci network drg-attachment delete \
--drg-attachment-id ocid1.drgattachment.oc1.iad.000000000000000000000000000000000000000000000000000000000000 \
--force
oci network drg list \
--compartment-id ocid1.compartment.oc1..000000000000000000000000000000000000000000000000000000000000
oci network drg delete \
--drg-id ocid1.drg.oc1.iad.000000000000000000000000000000000000000000000000000000000000 \
--force
# Finally destroy the step-3 Terraform resources (compartment, VCN, instance).
cd oci
terraform destroy -auto-approve
cd ..