An Example Multi-Cloud Terraform Configuration

This is an unusual article as it is principally only exists to deliver and explain a Terraform configuration that can be used as part of a broader investigation of running workloads in a multi-cloud infrastructure; specifically Google Cloud Platform (GCP) and Amazon Web Services (AWS).

The specific requirements of this configuration are:

  • Demonstrate workloads running on virtual machines (VM); i.e., Google Compute Engine (GCE) and Amazon Elastic Compute Cloud (EC2)
  • Demonstrate workloads running on managed Kubernetes, i.e., Google Kubernetes Engine (GKE) and Amazon Elastic Kubernetes Service (EKS)
  • Workloads run on virtual machines (including the Kubernetes nodes) with no public IP addresses
  • Workloads (including Kubernetes pods) have globally routable private IP addresses
  • Workloads can freely communicate amongst themselves; here using ICMP as the representative protocol
  • Using bastion hosts, one can SSH into the virtual machines (including the Kubernetes nodes)

Prerequisites

If you wish to deploy this Terraform configuration, you will need:

You will need to copy the terraform.tfvars.sample file to terraform.tfvars in the root of the project; updating the following variables:

  • aws_key_name: AWS EC2 key pair name
  • gcp_project: The GCP project’s Project ID

To install the resources; from the root of the project run:

  • terraform init
  • terraform apply

To uninstall the resource; from the root of the project run:

  • terraform destroy

Google Cloud Platform (GCP)

The principle GCP resources in this project are illustrated in the following diagram.

Specifically:

  • Virtual Private Cloud (VPC)
  • Subnet (10.1.0.0/24 primary and secondaries: 10.1.64.0/18 and 172.16.1.0/24). VMs (including Kubernetes nodes) on the primary, Kubernetes pods on the first secondary, and Kubernetes services on the second secondary
  • Cloud NAT (NAT)
  • GCE instance bastion (B)
  • GCE instance (I)
  • GKE cluster with three nodes (N); the diagram is missing the third zone and node

Amazon Web Services (AWS)

The principle AWS resources in this project are illustrated in the following diagram.

Specifically:

  • Virtual Private Cloud (10.0.0.0/16)
  • Public Subnets (10.0.0.0/24 and 10.0.1.0/24)
  • Private Subnets (10.0.64.0/18 and 10.0.128.0/18)
  • NAT Gateways (NAT)
  • Internet Gateway (IG)
  • EC2 instance bastion (B)
  • EC2 instance (I)
  • EKS cluster with two nodes (N)

Virtual Private Network (VPN)

The final resources in this project are to enable the workloads (including Kubernetes pods) have globally routable private IP addresses between GCP and AWS. This configuration is based on the instructions in the article, Connecting an AWS and GCP VPC using an IPSec VPN Tunnel with BGP.

Broad infrastructure, development, and soft-skill background