shadow: Prototype/yaml SCED/SC2G HA partner interconnect - cloud to ground for profile 5 and 6

[fmichaelobrien]

See private DNS work in #286 - as a result of transitive peering - add a 2nd interconnect set in non-prod in #289 Configure IaC in TF for partner interconnect overlay

https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/pull/258 https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/pull/259 https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/pull/260 https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/pull/261

shadow already prototyped cologix partner interconnect running in KCC LZ V2 https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/issues/298 Create Terraform version of Kubernetes Config Controller based work in 298

• adjust TEF V3 backport https://github.com/terraform-google-modules/terraform-example-foundation/issues/940

TODO

• Traffic Engineering across multiple interconnects through cloud router + BGP sessions - https://cloud.google.com/network-connectivity/docs/router/how-to/updating-priority
• Investigate hub spoke Network Connectivity Center - as part of partner interconnect enabled transitive peering solution (Around the 25 limit)

  78

• https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/blob/dev/solutions/landing-zone/architecture.md#di-05-complete-network-design
• Need to spin up/verify an alternative to regular peering (due to the 25 limit/project) for the hub-spoke pattern - https://cloud.google.com/network-connectivity/docs/network-connectivity-center/concepts/overview over the normal https://cloud.google.com/architecture/deploy-hub-spoke-vpc-network-topology

R1: Implement SCED/SC2G for GCP

R2: Use MacSEC over IPSec

R3: partner interconnect over direct connect

R4: ASNs Google: 16550

R5: Interconnect redundancy

• https://cloud.google.com/network-connectivity/docs/interconnect/concepts/best-practices#use_activeactive_vlan_attachments
• https://cloud.google.com/network-connectivity/docs/interconnect/how-to/partner/creating-vlan-attachments#gcloud

R6: VPC Global Dynamic Routing and traffic shaping

• https://docs.equinix.com/en-us/Content/Interconnection/Fabric/connections/Fabric-connect-google.htm
• https://cloud.google.com/network-connectivity/docs/interconnect/support/faq#ilb-backends
• https://registry.terraform.io/providers/hashicorp/google/3.22.0/docs/resources/compute_interconnect_attachment

Phase 1: brute force minimal connection test Phase 2: Architecture final review

Initial work item is to start an interconnect and get the SDN UID to tag traffic. Testing out https://cloud.google.com/network-connectivity/docs/interconnect/concepts/partner-overview#provisioning

Links

Slide 19, 18 were used a lot in presentations at IRCC and ISED (from 2019 but still valid) - for profile 5/6 https://wiki.gccollab.ca/images/7/75/GC_Cloud_Connection_Patterns.pdf review: https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/tree/master/blueprints/networking/private-cloud-function-from-onprem review https://cloud.google.com/network-connectivity/docs/interconnect/concepts/ha-vpn-interconnect

slide 65 in progress in https://docs.google.com/presentation/d/13sjT2tJ4yLIYGRREE3wBrylB1OvcEMpKdquVuJB_nX4/edit?resourcekey=0-N3DruQaiutFvZ98HTT7-vQ#slide=id.g2223ba5ee2b_0_665

20230717

20230413

20230321

https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/tree/master/blueprints/networking/psc-hybrid

Organization Policies

• subset of https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/tree/main/solutions/org-policies/organization
• add org policy admin role
• constraints/compute.disableGlobalSerialPortAccess
• constraints/compute.vmExternalIpAccess

Architecture Notes

• Multiple Shared VPCs per Host Project - sharing interconnect/VPN https://cloud.google.com/architecture/best-practices-vpc-design#connecting_multiple_networks

[obriensystems]

20230710: update for partner interconnect

• clean org with minimal terraform LZ - use the TOC version from https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/issues/251#issuecomment-1629103711

• add services project to host project

  

• enable gce, gke

• todo - services.tf update

  michael@cloudshell:~$ gcloud config set project vpc-host-nonprod-hh015-gz357
  michael@cloudshell:~ (vpc-host-nonprod-hh015-gz357)$  gcloud services enable container.googleapis.com
  michael@cloudshell:~ (vpc-host-nonprod-hh015-gz357)$ gcloud services enable compute.googleapis.com

• select non-prod host project

  

• attach services project to host project

  

Prototype single BGP router and VLAN attachment from

https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_interconnect_attachment

with region additions

# https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_interconnect_attachment

resource "google_compute_interconnect_attachment" "on_prem1" {
  name                     = "on-prem-attachment1"
  edge_availability_domain = "AVAILABILITY_DOMAIN_1"
  type                     = "PARTNER"
  router                   = google_compute_router.router1.id
  region = "northamerica-northeast2"
  mtu                      = 1500
}

resource "google_compute_router" "router1" {
  name    = "router-1"
  network = "vpc-nonprod-shared" #google_compute_network.network-ia.name
  region = "northamerica-northeast2"
  bgp {
    asn = 16550
  }
}

#resource "google_compute_network" "network-ia" {
#  name                    = "network-ia"
#  auto_create_subnetworks = false
#}

michael@cloudshell:~/tef_in_pbmm/vpchost-non-prod/pbmm-on-gcp-onboarding/2023_technical_onboarding_center/20-partner-interconnect (vpc-host-nonprod-hh015-gz357)$ terraform apply

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # google_compute_interconnect_attachment.on_prem1 will be created
  + resource "google_compute_interconnect_attachment" "on_prem1" {
      + admin_enabled              = true
      + bandwidth                  = (known after apply)
      + cloud_router_ip_address    = (known after apply)
      + creation_timestamp         = (known after apply)
      + customer_router_ip_address = (known after apply)
      + edge_availability_domain   = "AVAILABILITY_DOMAIN_1"
      + encryption                 = "NONE"
      + google_reference_id        = (known after apply)
      + id                         = (known after apply)
      + mtu                        = "1500"
      + name                       = "on-prem-attachment1"
      + pairing_key                = (known after apply)
      + partner_asn                = (known after apply)
      + private_interconnect_info  = (known after apply)
      + project                    = (known after apply)
      + region                     = (known after apply)
      + router                     = (known after apply)
      + self_link                  = (known after apply)
      + state                      = (known after apply)
      + type                       = "PARTNER"
      + vlan_tag8021q              = (known after apply)
    }

  # google_compute_router.router1 will be created
  + resource "google_compute_router" "router1" {
      + creation_timestamp = (known after apply)
      + id                 = (known after apply)
      + name               = "router-1"
      + network            = "vpc-nonprod-shared"
      + project            = (known after apply)
      + region             = "northamerica-northeast2"
      + self_link          = (known after apply)

      + bgp {
          + advertise_mode     = "DEFAULT"
          + asn                = 16550
          + keepalive_interval = 20
        }
    }

Plan: 2 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

google_compute_router.router1: Creating...
google_compute_router.router1: Still creating... [10s elapsed]
google_compute_router.router1: Still creating... [20s elapsed]
google_compute_router.router1: Creation complete after 21s [id=projects/vpc-host-nonprod-hh015-gz357/regions/northamerica-northeast2/routers/router-1]
google_compute_interconnect_attachment.on_prem1: Creating...
╷
│ Error: Cannot determine region: set in this resource, or set provider-level 'region' or 'zone'.
│ 
│   with google_compute_interconnect_attachment.on_prem1,
│   on main.tf line 23, in resource "google_compute_interconnect_attachment" "on_prem1":
│   23: resource "google_compute_interconnect_attachment" "on_prem1" {
│ 
╵
michael@cloudshell:~/tef_in_pbmm/vpchost-non-prod/pbmm-on-gcp-onboarding/2023_technical_onboarding_center/20-partner-interconnect (vpc-host-nonprod-hh015-gz357)$ terraform plan
google_compute_router.router1: Refreshing state... [id=projects/vpc-host-nonprod-hh015-gz357/regions/northamerica-northeast2/routers/router-1]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # google_compute_interconnect_attachment.on_prem1 will be created
  + resource "google_compute_interconnect_attachment" "on_prem1" {
      + admin_enabled              = true
      + bandwidth                  = (known after apply)
      + cloud_router_ip_address    = (known after apply)
      + creation_timestamp         = (known after apply)
      + customer_router_ip_address = (known after apply)
      + edge_availability_domain   = "AVAILABILITY_DOMAIN_1"
      + encryption                 = "NONE"
      + google_reference_id        = (known after apply)
      + id                         = (known after apply)
      + mtu                        = "1500"
      + name                       = "on-prem-attachment1"
      + pairing_key                = (known after apply)
      + partner_asn                = (known after apply)
      + private_interconnect_info  = (known after apply)
      + project                    = (known after apply)
      + region                     = "northamerica-northeast2"
      + router                     = "projects/vpc-host-nonprod-hh015-gz357/regions/northamerica-northeast2/routers/router-1"
      + self_link                  = (known after apply)
      + state                      = (known after apply)
      + type                       = "PARTNER"
      + vlan_tag8021q              = (known after apply)
    }

Plan: 1 to add, 0 to change, 0 to destroy.

────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

Note: You didn't use the -out option to save this plan, so Terraform can't guarantee to take exactly these actions if you run "terraform apply" now.
michael@cloudshell:~/tef_in_pbmm/vpchost-non-prod/pbmm-on-gcp-onboarding/2023_technical_onboarding_center/20-partner-interconnect (vpc-host-nonprod-hh015-gz357)$ 

google_compute_interconnect_attachment.on_prem1: Creating...
google_compute_interconnect_attachment.on_prem1: Still creating... [10s elapsed]
google_compute_interconnect_attachment.on_prem1: Creation complete after 12s [id=projects/vpc-host-nonprod-hh015-gz357/regions/northamerica-northeast2/interconnectAttachments/on-prem-attachment1]

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

Router and VLAN up - waiting on service provider as expected

google_compute_interconnect_attachment.on_prem1: Destroying... [id=projects/vpc-host-nonprod-hh015-gz357/regions/northamerica-northeast2/interconnectAttachments/on-prem-attachment1]
google_compute_interconnect_attachment.on_prem1: Still destroying... [id=projects/vpc-host-nonprod-hh015-gz357/r...connectAttachments/on-prem-attachment1, 10s elapsed]
google_compute_interconnect_attachment.on_prem1: Destruction complete after 11s
google_compute_router.router1: Destroying... [id=projects/vpc-host-nonprod-hh015-gz357/regions/northamerica-northeast2/routers/router-1]
google_compute_router.router1: Still destroying... [id=projects/vpc-host-nonprod-hh015-gz357/r...rthamerica-northeast2/routers/router-1, 10s elapsed]
google_compute_router.router1: Destruction complete after 11s

Destroy complete! Resources: 2 destroyed.

add 2nd vlan attachment

https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/commit/2bf0cd302ac067346262a423a24e005faead8865

oogle_compute_router.router1: Creating...
google_compute_router.router1: Still creating... [10s elapsed]
google_compute_router.router1: Creation complete after 12s [id=projects/vpc-host-nonprod-hh015-gz357/regions/northamerica-northeast2/routers/router-1]
google_compute_interconnect_attachment.on_prem2: Creating...
google_compute_interconnect_attachment.on_prem1: Creating...
google_compute_interconnect_attachment.on_prem2: Still creating... [10s elapsed]
google_compute_interconnect_attachment.on_prem1: Still creating... [10s elapsed]
google_compute_interconnect_attachment.on_prem1: Creation complete after 11s [id=projects/vpc-host-nonprod-hh015-gz357/regions/northamerica-northeast2/interconnectAttachments/on-prem-attachment1]
google_compute_interconnect_attachment.on_prem2: Creation complete after 11s [id=projects/vpc-host-nonprod-hh015-gz357/regions/northamerica-northeast2/interconnectAttachments/on-prem-attachment2]

Apply complete! Resources: 3 added, 0 changed, 0 destroyed.

Outputs:

[fmichaelobrien]

• bgp route changes - some way to view/manage bgp routing on top of the discovered/static routes
• in AWS one CSR logical instance via direct connect - multi regional router A: look at NCC for transit gateway like behaviour
• Equinix is the standby, cologix is the active - create 4 vlans 2 to each by key
• adjust router logic to send traffic to cologix first.- check link
• put test VM right into non-prod host
• no peering between perimeter and host projects - waiting for NGFW?
• switch hardcoded region to 1 in main.tf
• LZ V1b - fix cap project name but lc project id
• instructions fix: for non-CSR apply - switch to project owning VPC
• finish network diagram subset

[obriensystems]

Update: To switch billing accounts from the original 10% script run bootstrap - where the original terraform service account is created

• add the TF SA to both billing Billing Account Administrator and IAM BAA on both the original and target BIDs
• for example - switching back to the original BID from the target gets an error because although originally BAA was not required - it is now

  
  Step #4 - "tf apply": │ Error: Error setting billing account "01BFA...3B" for project "projects/tzpe-....z-de": googleapi: Error 403: The caller does not have permission, forbidden

<img width="1821" alt="Screenshot 2023-07-24 at 08 41 00" src="https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/assets/24765473/64e84c04-cb4e-4a9f-be8d-ee1ae8823157">

<img width="124" alt="Screenshot 2023-07-24 at 08 41 39" src="https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/assets/24765473/76d08205-6e81-4370-a601-c9f8c0ea4f08">

<img width="140" alt="Screenshot 2023-07-24 at 08 46 36" src="https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/assets/24765473/7a5dc6cd-34ca-4c45-ac41-eb4ae502c8a5">

<img width="497" alt="Screenshot 2023-07-24 at 08 45 57" src="https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/assets/24765473/9323b93c-00bd-48e4-96bc-10053e0c34cc">

also replaced iam owner on tfsa
<img width="731" alt="Screenshot 2023-07-24 at 08 52 44" src="https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/assets/24765473/9f171952-bcf6-4d01-abe1-48f9f6badf79">

[obriensystems]

Starting module version of router + interconnect

Start with integration of existing terraform into nonprod - then parameterize and move to modules

20230724:1230 router up in non-prod via cloud build gitops pipeline

[obriensystems]

PR:

        new file:   modules/20-partner-interconnect/main.tf
        new file:   modules/20-partner-interconnect/outputs.tf
        new file:   modules/20-partner-interconnect/variables.tf

Step #3 - "tf plan": Terraform will perform the following actions:
Step #3 - "tf plan": 
Step #3 - "tf plan":   # module.partner-interconnect-primary.google_compute_router.router1 will be created
Step #3 - "tf plan":   + resource "google_compute_router" "router1" {
Step #3 - "tf plan":       + creation_timestamp = (known after apply)
Step #3 - "tf plan":       + id                 = (known after apply)
Step #3 - "tf plan":       + name               = "router-1"
Step #3 - "tf plan":       + network            = "tzpecnr-nonprod-svpc-vpc"
Step #3 - "tf plan":       + project            = "tzpe-tlz-tlz-np2"
Step #3 - "tf plan":       + region             = "northamerica-northeast1"
Step #3 - "tf plan":       + self_link          = (known after apply)
Step #3 - "tf plan": 
Step #3 - "tf plan":       + bgp {
Step #3 - "tf plan":           + advertise_mode = "DEFAULT"
Step #3 - "tf plan":           + asn            = 16550
Step #3 - "tf plan":         }
Step #3 - "tf plan":     }

[obriensystems]

interconnect part of the phased PR

        modified:   environments/nonprod/main.tf
        modified:   modules/20-partner-interconnect/main.tf
        modified:   modules/20-partner-interconnect/outputs.tf

Step #4 - "tf apply": ******* At environment: environments/nonprod ***********
Step #4 - "tf apply": *************************************************
Step #4 - "tf apply": module.net-host-prj.module.network["nonprod-svpc"].module.subnets["npsubnet02"].google_compute_subnetwork.subnetwork: Modifying... [id=projects/tzpe-tlz-tlz-np2/regions/northamerica-northeast1/subnetworks/tzpecnr-npsubnet02-np2-snet]
Step #4 - "tf apply": module.net-host-prj.module.network["nonprod-svpc"].module.subnets["npsubnet02"].google_compute_subnetwork.subnetwork: Modifications complete after 1s [id=projects/tzpe-tlz-tlz-np2/regions/northamerica-northeast1/subnetworks/tzpecnr-npsubnet02-np2-snet]
Step #4 - "tf apply": module.partner-interconnect-primary.google_compute_interconnect_attachment.on_prem1: Creating...
Step #4 - "tf apply": module.partner-interconnect-primary.google_compute_interconnect_attachment.on_prem2: Creating...
Step #4 - "tf apply": module.partner-interconnect-primary.google_compute_interconnect_attachment.on_prem4: Creating...
Step #4 - "tf apply": module.partner-interconnect-primary.google_compute_interconnect_attachment.on_prem3: Creating...
Step #4 - "tf apply": module.partner-interconnect-primary.google_compute_interconnect_attachment.on_prem1: Still creating... [10s elapsed]
Step #4 - "tf apply": module.partner-interconnect-primary.google_compute_interconnect_attachment.on_prem2: Still creating... [10s elapsed]
Step #4 - "tf apply": module.partner-interconnect-primary.google_compute_interconnect_attachment.on_prem4: Still creating... [10s elapsed]
Step #4 - "tf apply": module.partner-interconnect-primary.google_compute_interconnect_attachment.on_prem3: Still creating... [10s elapsed]
Step #4 - "tf apply": module.partner-interconnect-primary.google_compute_interconnect_attachment.on_prem2: Creation complete after 11s [id=projects/tzpe-tlz-tlz-np2/regions/northamerica-northeast1/interconnectAttachments/vlan-attach-cologix-2]
Step #4 - "tf apply": module.partner-interconnect-primary.google_compute_interconnect_attachment.on_prem3: Creation complete after 11s [id=projects/tzpe-tlz-tlz-np2/regions/northamerica-northeast1/interconnectAttachments/vlan-attach-equinix-3]
Step #4 - "tf apply": module.partner-interconnect-primary.google_compute_interconnect_attachment.on_prem4: Creation complete after 11s [id=projects/tzpe-tlz-tlz-np2/regions/northamerica-northeast1/interconnectAttachments/vlan-attach-equinix-4]
Step #4 - "tf apply": module.partner-interconnect-primary.google_compute_interconnect_attachment.on_prem1: Still creating... [20s elapsed]
Step #4 - "tf apply": module.partner-interconnect-primary.google_compute_interconnect_attachment.on_prem1: Creation complete after 21s [id=projects/tzpe-tlz-tlz-np2/regions/northamerica-northeast1/interconnectAttachments/vlan-attach-cologix-1]
Step #4 - "tf apply": ╷

[obriensystems]

Finish naming conventions and parameterization

        modified:   environments/nonprod/main.tf
        modified:   environments/nonprod/nonp-interconnect.auto.tfvars
        modified:   modules/20-partner-interconnect/main.tf
        modified:   modules/20-partner-interconnect/variables.tf
        modified:   environments/nonprod/variables.tf

delete
Step #3 - "tf plan": Plan: 0 to add, 2 to change, 5 to destroy.

Step #4 - "tf apply": ******* At environment: environments/nonprod ***********
Step #4 - "tf apply": *************************************************
tep #4 - "tf apply": module.partner-interconnect-primary.google_compute_interconnect_attachment.on_prem3: Destroying... [id=projects/tzpe-tlz-tlz-np2/regions/northamerica-northeast1/interconnectAttachments/vlan-attach-equinix-3]
Step #4 - "tf apply": module.partner-interconnect-primary.google_compute_interconnect_attachment.on_prem4: Destroying... [id=projects/tzpe-tlz-tlz-np2/regions/northamerica-northeast1/interconnectAttachments/vlan-attach-equinix-4]
Step #4 - "tf apply": module.partner-interconnect-primary.google_compute_interconnect_attachment.on_prem2: Destroying... [id=projects/tzpe-tlz-tlz-np2/regions/northamerica-northeast1/interconnectAttachments/vlan-attach-cologix-2]
Step #4 - "tf apply": module.partner-interconnect-primary.google_compute_interconnect_attachment.on_prem1: Destroying... [id=projects/tzpe-tlz-tlz-np2/regions/northamerica-northeast1/interconnectAttachments/vlan-attach-cologix-1]
Step #4 - "tf apply": module.partner-interconnect-primary.google_compute_interconnect_attachment.on_prem3: Still destroying... [id=projects/tzpe-tlz-tlz-np2/regions/north...nnectAttachments/vlan-attach-equinix-3, 10s elapsed]
Step #4 - "tf apply": module.partner-interconnect-primary.google_compute_interconnect_attachment.on_prem2: Still destroying... [id=projects/tzpe-tlz-tlz-np2/regions/north...nnectAttachments/vlan-attach-cologix-2, 10s elapsed]
Step #4 - "tf apply": module.partner-interconnect-primary.google_compute_interconnect_attachment.on_prem4: Still destroying... [id=projects/tzpe-tlz-tlz-np2/regions/north...nnectAttachments/vlan-attach-equinix-4, 10s elapsed]
Step #4 - "tf apply": module.partner-interconnect-primary.google_compute_interconnect_attachment.on_prem1: Still destroying... [id=projects/tzpe-tlz-tlz-np2/regions/north...nnectAttachments/vlan-attach-cologix-1, 10s elapsed]
Step #4 - "tf apply": module.partner-interconnect-primary.google_compute_interconnect_attachment.on_prem1: Destruction complete after 11s
Step #4 - "tf apply": module.partner-interconnect-primary.google_compute_interconnect_attachment.on_prem3: Destruction complete after 12s
Step #4 - "tf apply": module.partner-interconnect-primary.google_compute_interconnect_attachment.on_prem4: Still destroying... [id=projects/tzpe-tlz-tlz-np2/regions/north...nnectAttachments/vlan-attach-equinix-4, 20s elapsed]
Step #4 - "tf apply": module.partner-interconnect-primary.google_compute_interconnect_attachment.on_prem2: Still destroying... [id=projects/tzpe-tlz-tlz-np2/regions/north...nnectAttachments/vlan-attach-cologix-2, 20s elapsed]
Step #4 - "tf apply": module.partner-interconnect-primary.google_compute_interconnect_attachment.on_prem2: Destruction complete after 22s
Step #4 - "tf apply": module.partner-interconnect-primary.google_compute_interconnect_attachment.on_prem4: Destruction complete after 22s
Step #4 - "tf apply": module.partner-interconnect-primary.google_compute_router.router1: Destroying... [id=projects/tzpe-tlz-tlz-np2/regions/northamerica-northeast1/routers/interconnect-router]
Step #4 - "tf apply": module.partner-interconnect-primary.google_compute_router.router1: Still destroying... [id=projects/tzpe-tlz-tlz-np2/regions/north...northeast1/routers/interconnect-router, 10s elapsed]
Step #4 - "tf apply": module.partner-interconnect-primary.google_compute_router.router1: Still destroying... [id=projects/tzpe-tlz-tlz-np2/regions/north...northeast1/routers/interconnect-router, 20s elapsed]
Step #4 - "tf apply": module.partner-interconnect-primary.google_compute_router.router1: Destruction complete after 21s
Step #4 - "tf apply": module.net-host-prj.module.network["nonprod-svpc"].module.subnets["npsubnet02"].google_compute_subnetwork.subnetwork: Modifying... [id=projects/tzpe-tlz-tlz-np2/regions/northamerica-northeast1/subnetworks/tzpecnr-npsubnet02-np2-snet]
Step #4 - "tf apply": module.net-host-prj.module.network["nonprod-svpc"].module.subnets["npsubnet02"].google_compute_subnetwork.subnetwork: Modifications complete after 2s [id=projects/tzpe-tlz-tlz-np2/regions/northamerica-northeast1/subnetworks/tzpecnr-npsubnet02-np2-snet]
Step #4 - "tf apply": ╷
Step #4 - "tf apply": │ Warning: Experimental feature "module_variable_optional_attrs" is active

recreate

Step #3 - "tf plan": Plan: 5 to add, 2 to change, 0 to destroy.

Step #4 - "tf apply": ******* At environment: environments/nonprod ***********
Step #4 - "tf apply": *************************************************
tep #4 - "tf apply": module.net-host-prj.module.network["nonprod-svpc"].module.subnets["npsubnet02"].google_compute_subnetwork.subnetwork: Modifying... [id=projects/tzpe-tlz-tlz-np2/regions/northamerica-northeast1/subnetworks/tzpecnr-npsubnet02-np2-snet]
Step #4 - "tf apply": module.net-host-prj.module.network["nonprod-svpc"].module.subnets["npsubnet02"].google_compute_subnetwork.subnetwork: Modifications complete after 1s [id=projects/tzpe-tlz-tlz-np2/regions/northamerica-northeast1/subnetworks/tzpecnr-npsubnet02-np2-snet]
Step #4 - "tf apply": module.partner-interconnect-primary.google_compute_router.router1: Creating...
Step #4 - "tf apply": module.partner-interconnect-primary.google_compute_router.router1: Still creating... [10s elapsed]
Step #4 - "tf apply": module.partner-interconnect-primary.google_compute_router.router1: Still creating... [20s elapsed]
Step #4 - "tf apply": module.partner-interconnect-primary.google_compute_router.router1: Creation complete after 22s [id=projects/tzpe-tlz-tlz-np2/regions/northamerica-northeast1/routers/interconnect-router]
Step #4 - "tf apply": module.partner-interconnect-primary.google_compute_interconnect_attachment.on_prem3: Creating...
Step #4 - "tf apply": module.partner-interconnect-primary.google_compute_interconnect_attachment.on_prem2: Creating...
Step #4 - "tf apply": module.partner-interconnect-primary.google_compute_interconnect_attachment.on_prem1: Creating...
Step #4 - "tf apply": module.partner-interconnect-primary.google_compute_interconnect_attachment.on_prem4: Creating...
Step #4 - "tf apply": module.partner-interconnect-primary.google_compute_interconnect_attachment.on_prem2: Still creating... [10s elapsed]
Step #4 - "tf apply": module.partner-interconnect-primary.google_compute_interconnect_attachment.on_prem1: Still creating... [10s elapsed]
Step #4 - "tf apply": module.partner-interconnect-primary.google_compute_interconnect_attachment.on_prem4: Still creating... [10s elapsed]
Step #4 - "tf apply": module.partner-interconnect-primary.google_compute_interconnect_attachment.on_prem3: Still creating... [10s elapsed]
Step #4 - "tf apply": module.partner-interconnect-primary.google_compute_interconnect_attachment.on_prem3: Creation complete after 11s [id=projects/tzpe-tlz-tlz-np2/regions/northamerica-northeast1/interconnectAttachments/vlan-attach-equinix-3]
Step #4 - "tf apply": module.partner-interconnect-primary.google_compute_interconnect_attachment.on_prem2: Still creating... [20s elapsed]
Step #4 - "tf apply": module.partner-interconnect-primary.google_compute_interconnect_attachment.on_prem1: Still creating... [20s elapsed]
Step #4 - "tf apply": module.partner-interconnect-primary.google_compute_interconnect_attachment.on_prem4: Still creating... [20s elapsed]
Step #4 - "tf apply": module.partner-interconnect-primary.google_compute_interconnect_attachment.on_prem4: Creation complete after 22s [id=projects/tzpe-tlz-tlz-np2/regions/northamerica-northeast1/interconnectAttachments/vlan-attach-equinix-4]
Step #4 - "tf apply": module.partner-interconnect-primary.google_compute_interconnect_attachment.on_prem1: Creation complete after 22s [id=projects/tzpe-tlz-tlz-np2/regions/northamerica-northeast1/interconnectAttachments/vlan-attach-cologix-1]
Step #4 - "tf apply": module.partner-interconnect-primary.google_compute_interconnect_attachment.on_prem2: Still creating... [30s elapsed]
Step #4 - "tf apply": module.partner-interconnect-primary.google_compute_interconnect_attachment.on_prem2: Creation complete after 32s [id=projects/tzpe-tlz-tlz-np2/regions/northamerica-northeast1/interconnectAttachments/vlan-attach-cologix-2]
Step #4 - "tf apply": ╷

[obriensystems]

Add prod

root_@cloudshell:~/lz-tls/_lz2/pbmm-on-gcp-onboarding (lz-tls)$ git status
On branch main
Changes to be committed:
  (use "git restore --staged <file>..." to unstage)
        new file:   environments/prod/prod-interconnect.auto.tfvars

Changes not staged for commit:
  (use "git add <file>..." to update what will be committed)
  (use "git restore <file>..." to discard changes in working directory)
        modified:   environments/prod/main.tf
        modified:   environments/prod/variables.tf

Step #3 - "tf plan": Plan: 5 to add, 2 to change, 0 to destroy.

Step #4 - "tf apply": *************** TERRAFORM APPLY ******************
Step #4 - "tf apply": ******* At environment: environments/prod ***********
Step #4 - "tf apply": *************************************************
tep #4 - "tf apply": module.net-host-prj.module.network["tlzprod-svpc"].module.subnets["prsubnet02"].google_compute_subnetwork.subnetwork: Modifying... [id=projects/tzpe-tlz-tlzprod-host4/regions/northamerica-northeast1/subnetworks/tzpecnr-prsubnet02-host4-snet]
Step #4 - "tf apply": module.net-host-prj.module.network["tlzprod-svpc"].module.subnets["prsubnet02"].google_compute_subnetwork.subnetwork: Modifications complete after 1s [id=projects/tzpe-tlz-tlzprod-host4/regions/northamerica-northeast1/subnetworks/tzpecnr-prsubnet02-host4-snet]
Step #4 - "tf apply": module.partner-interconnect-primary.google_compute_router.router1: Creating...
Step #4 - "tf apply": module.partner-interconnect-primary.google_compute_router.router1: Still creating... [10s elapsed]
Step #4 - "tf apply": module.partner-interconnect-primary.google_compute_router.router1: Still creating... [20s elapsed]
Step #4 - "tf apply": module.partner-interconnect-primary.google_compute_router.router1: Creation complete after 21s [id=projects/tzpe-tlz-tlzprod-host4/regions/northamerica-northeast1/routers/interconnect-prod-router]
Step #4 - "tf apply": module.partner-interconnect-primary.google_compute_interconnect_attachment.on_prem1: Creating...
Step #4 - "tf apply": module.partner-interconnect-primary.google_compute_interconnect_attachment.on_prem2: Creating...
Step #4 - "tf apply": module.partner-interconnect-primary.google_compute_interconnect_attachment.on_prem4: Creating...
Step #4 - "tf apply": module.partner-interconnect-primary.google_compute_interconnect_attachment.on_prem3: Creating...
Step #4 - "tf apply": module.partner-interconnect-primary.google_compute_interconnect_attachment.on_prem1: Still creating... [10s elapsed]
Step #4 - "tf apply": module.partner-interconnect-primary.google_compute_interconnect_attachment.on_prem4: Still creating... [10s elapsed]
Step #4 - "tf apply": module.partner-interconnect-primary.google_compute_interconnect_attachment.on_prem2: Still creating... [10s elapsed]
Step #4 - "tf apply": module.partner-interconnect-primary.google_compute_interconnect_attachment.on_prem3: Still creating... [10s elapsed]
Step #4 - "tf apply": module.partner-interconnect-primary.google_compute_interconnect_attachment.on_prem4: Creation complete after 12s [id=projects/tzpe-tlz-tlzprod-host4/regions/northamerica-northeast1/interconnectAttachments/vlan-attach-equinix-4]
Step #4 - "tf apply": module.partner-interconnect-primary.google_compute_interconnect_attachment.on_prem2: Creation complete after 12s [id=projects/tzpe-tlz-tlzprod-host4/regions/northamerica-northeast1/interconnectAttachments/vlan-attach-cologix-2]
Step #4 - "tf apply": module.partner-interconnect-primary.google_compute_interconnect_attachment.on_prem1: Still creating... [20s elapsed]
Step #4 - "tf apply": module.partner-interconnect-primary.google_compute_interconnect_attachment.on_prem3: Still creating... [20s elapsed]
Step #4 - "tf apply": module.partner-interconnect-primary.google_compute_interconnect_attachment.on_prem1: Creation complete after 22s [id=projects/tzpe-tlz-tlzprod-host4/regions/northamerica-northeast1/interconnectAttachments/vlan-attach-cologix-1]
Step #4 - "tf apply": module.partner-interconnect-primary.google_compute_interconnect_attachment.on_prem3: Still creating... [30s elapsed]
Step #4 - "tf apply": module.partner-interconnect-primary.google_compute_interconnect_attachment.on_prem3: Creation complete after 32s [id=projects/tzpe-tlz-tlzprod-host4/regions/northamerica-northeast1/interconnectAttachments/vlan-attach-equinix-3]
Step #4 - "tf apply": ╷

[fmichaelobrien]

Customer side requirements

Also, for DNS forwarding return - I thought I read that the 34.199.192.0/19 range was implicitly advertised but hidden on all BGP routing - it turns out it is up to the customer to advertise this - by adding a custom route directly on the interconnect/vpn router beside the dynamic BGP routes - found this a bit odd but I can see optional case for those not wanting cloud to ground and only ground to cloud for SCED/SC2G

• Key for cloud to ground private DNS forwarded queries - add the network-patterns https://docs.google.com/presentation/d/13sjT2tJ4yLIYGRREE3wBrylB1OvcEMpKdquVuJB_nX4/edit?resourcekey=0-N3DruQaiutFvZ98HTT7-vQ#slide=id.g1154b3b950f_2_3152 slide 27 referenced ingress proxy 34.199.192.0/19 as a custom route on the interconnect router (in addition to dynamic subnet routes) - without this DNS queries from gcp to on-prem will not resolve.
• specifically - https://cloud.google.com/dns/docs/policies#return-route "For Cloud VPN tunnels that use dynamic routing or for Cloud Interconnect, configure a custom route advertisement for 35.199.192.0/19 on the BGP session of the Cloud Router that manages the tunnel or VLAN attachment."
• https://cloud.google.com/network-connectivity/docs/router/how-to/advertising-custom-ip
• see also https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/issues/468
• on top of the partner/direct interconnect add the following
• firewall rule to open incoming DNS query traffic from the private cloud DNS forwarding zone ns 35.199.192.0/19 - https://cloud.google.com/dns/docs/zones/forwarding-zones#firewall-rules
• add 34.199.192.0/19 to the ingress policy on prem
• raise an issue with GCP on whether we can add a customer provided IP for return DNS traffic

[fmichaelobrien]

20240406: Closing issue during retrofit/rebase of this TEF V1 based/modified repo to TEF V4 standards This issue may participate in the LZ refactor after rebase Query on all issues related to the older V1 version via the tag https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/labels/2024-pre-tef-v4