An Example Multi-Cloud Terraform Configuration
This is an unusual article in that it exists principally to deliver and explain a Terraform configuration that can be used as part of a broader investigation of running workloads across multi-cloud infrastructure; specifically, Google Cloud Platform (GCP) and Amazon Web Services (AWS).
The specific requirements of this configuration are:
- Demonstrate workloads running on virtual machines (VM); i.e., Google Compute Engine (GCE) and Amazon Elastic Compute Cloud (EC2)
- Demonstrate workloads running on managed Kubernetes, i.e., Google Kubernetes Engine (GKE) and Amazon Elastic Kubernetes Service (EKS)
- Workloads run on virtual machines (including the Kubernetes nodes) with no public IP addresses
- Workloads (including Kubernetes pods) have globally routable private IP addresses
- Workloads can freely communicate amongst themselves; here using ICMP as the representative protocol
- Using bastion hosts, one can SSH into the virtual machines (including the Kubernetes nodes)
Prerequisites
If you wish to deploy this Terraform configuration, you will need:
- Fresh GCP project and credentials with the Owner role
- Fresh AWS account and credentials with the AdministratorAccess policy
- Terraform 0.15.4 or later
- gcloud CLI, configured with the GCP project and credentials, and with Application Default Credentials configured (the Terraform Google provider authenticates with them)
- AWS CLI; configured with AWS account and credentials
- SSH client
- SSH public key added to the GCP project metadata
- AWS EC2 key pair in AWS account
You will need to copy the terraform.tfvars.sample file to terraform.tfvars in the root of the project; updating the following variables:
- aws_key_name: AWS EC2 key pair name
- gcp_project: The GCP project’s Project ID
To install the resources; from the root of the project run:
- terraform init
- terraform apply
To uninstall the resources; from the root of the project run:
- terraform destroy
Google Cloud Platform (GCP)
The principal GCP resources in this project are illustrated in the following diagram.
Specifically:
- Virtual Private Cloud (VPC)
- Subnet with a 10.1.0.0/24 primary range and two secondary ranges, 10.1.64.0/18 and 172.16.1.0/24. VMs (including the Kubernetes nodes) take addresses from the primary range, Kubernetes pods from the first secondary range and Kubernetes services from the second
- Cloud NAT (NAT)
- GCE instance bastion (B)
- GCE instance (I)
- GKE cluster with three nodes (N); the diagram is missing the third zone and node
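The following is an added example of how the GCP side of that list can be expressed in Terraform; it is not the project's own code. It assumes two variables that the article does not define, var.gcp_region and var.admin_cidr (the CIDR from which an administrator connects), and shows the points that make the design hold: a VPC-native subnet with the two secondary ranges, Cloud NAT for egress from VMs that have no external address, firewall rules that admit SSH only along the admin → bastion → everything-else chain and ICMP only from the private ranges (GCP's own and the AWS VPC, 10.0.0.0/16), and a regional private GKE cluster whose nodes have no external IPs and whose control plane only answers the admin CIDR.

```hcl
# Added example, not the project's code. Assumes var.gcp_region and var.admin_cidr
# (the CIDR allowed to reach the bastion and the GKE control plane).
resource "google_compute_network" "vpc" {
  name                    = "multi-cloud"
  auto_create_subnetworks = false
}

# VMs and nodes on the primary range; pods and services on the two secondaries.
resource "google_compute_subnetwork" "primary" {
  name                     = "primary"
  region                   = var.gcp_region
  network                  = google_compute_network.vpc.id
  ip_cidr_range            = "10.1.0.0/24"
  private_ip_google_access = true # Google APIs reachable without external IPs
  secondary_ip_range {
    range_name    = "pods"
    ip_cidr_range = "10.1.64.0/18"
  }
  secondary_ip_range {
    range_name    = "services"
    ip_cidr_range = "172.16.1.0/24"
  }
}

# Cloud NAT: outbound internet for address-less VMs and nodes, with no inbound path.
resource "google_compute_router" "nat" {
  name    = "nat-router"
  region  = var.gcp_region
  network = google_compute_network.vpc.id
}

resource "google_compute_router_nat" "nat" {
  name                               = "nat"
  router                             = google_compute_router.nat.name
  region                             = var.gcp_region
  nat_ip_allocate_option             = "AUTO_ONLY"
  source_subnetwork_ip_ranges_to_nat = "ALL_SUBNETWORKS_ALL_IP_RANGES"
}

# SSH: from the admin CIDR only to instances tagged "bastion" ...
resource "google_compute_firewall" "admin_ssh" {
  name          = "allow-admin-ssh-to-bastion"
  network       = google_compute_network.vpc.name
  source_ranges = [var.admin_cidr]
  target_tags   = ["bastion"]
  allow {
    protocol = "tcp"
    ports    = ["22"]
  }
}

# ... and to everything else only from the bastion.
resource "google_compute_firewall" "bastion_ssh" {
  name        = "allow-ssh-from-bastion"
  network     = google_compute_network.vpc.name
  source_tags = ["bastion"]
  allow {
    protocol = "tcp"
    ports    = ["22"]
  }
}

# ICMP from the GCP ranges and from the AWS VPC (10.0.0.0/16) joined by the VPN.
resource "google_compute_firewall" "icmp" {
  name          = "allow-icmp-private"
  network       = google_compute_network.vpc.name
  source_ranges = ["10.1.0.0/24", "10.1.64.0/18", "10.0.0.0/16"]
  allow { protocol = "icmp" }
}

# Regional private cluster: one node per zone (three nodes), nodes without
# external IPs, control plane endpoint reachable only from the admin CIDR.
resource "google_container_cluster" "gke" {
  name               = "gke"
  location           = var.gcp_region
  network            = google_compute_network.vpc.id
  subnetwork         = google_compute_subnetwork.primary.id
  initial_node_count = 1
  ip_allocation_policy {
    cluster_secondary_range_name  = "pods"
    services_secondary_range_name = "services"
  }
  private_cluster_config {
    enable_private_nodes    = true
    enable_private_endpoint = false
    master_ipv4_cidr_block  = "172.16.0.0/28"
  }
  master_authorized_networks_config {
    cidr_blocks {
      cidr_block   = var.admin_cidr
      display_name = "admin"
    }
  }
}
```

The two GCE instances are ordinary google_compute_instance resources on the primary subnet; the only differences between them are that the bastion carries tags = ["bastion"] and an access_config {} block in its network_interface (an ephemeral external IP, the one public address in the VPC), while the other instance has neither and reaches the internet through Cloud NAT. Private GKE nodes still need that NAT (or Private Google Access, set above) to pull images, and on google provider 5.0 or later the cluster also needs deletion_protection = false, otherwise terraform destroy refuses to remove it.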
Amazon Web Services (AWS)
The principal AWS resources in this project are illustrated in the following diagram.
Specifically:
- Virtual Private Cloud (10.0.0.0/16)
- Public Subnets (10.0.0.0/24 and 10.0.1.0/24)
- Private Subnets (10.0.64.0/18 and 10.0.128.0/18)
- NAT Gateways (NAT)
- Internet Gateway (IG)
- EC2 instance bastion (B)
- EC2 instance (I)
- EKS cluster with two nodes (N)
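As an added example (not the project's own code), the AWS network from that list in Terraform, assuming a var.aws_region that the article does not define. The design differs from GCP's flat network: "no public IP" is achieved by placing workloads in private subnets whose default route points at a NAT gateway, with the public subnets holding only the bastion and the NAT gateways. The workload security group admits ICMP from the VPC and from the GCP VM and pod ranges that arrive over the VPN.

```hcl
# Added example, not the project's code. Assumes var.aws_region. Two AZs, one
# public and one private subnet in each, one NAT gateway per AZ.
locals {
  azs           = ["${var.aws_region}a", "${var.aws_region}b"]
  public_cidrs  = ["10.0.0.0/24", "10.0.1.0/24"]
  private_cidrs = ["10.0.64.0/18", "10.0.128.0/18"]
}

resource "aws_vpc" "main" {
  cidr_block           = "10.0.0.0/16"
  enable_dns_hostnames = true # EKS needs hostnames enabled
}

resource "aws_internet_gateway" "igw" {
  vpc_id = aws_vpc.main.id
}

# Public subnets hold only the bastion and the NAT gateways, and never hand out
# public IPs automatically: an instance gets one only if it asks for it.
resource "aws_subnet" "public" {
  count                   = 2
  vpc_id                  = aws_vpc.main.id
  cidr_block              = local.public_cidrs[count.index]
  availability_zone       = local.azs[count.index]
  map_public_ip_on_launch = false
}

# Private subnets for the EC2 instance and the EKS nodes (and, with the VPC CNI,
# the pods, which take addresses from the same ranges).
resource "aws_subnet" "private" {
  count             = 2
  vpc_id            = aws_vpc.main.id
  cidr_block        = local.private_cidrs[count.index]
  availability_zone = local.azs[count.index]
}

resource "aws_eip" "nat" {
  count  = 2
  domain = "vpc" # `vpc = true` on AWS provider versions before 5.0
}

resource "aws_nat_gateway" "nat" {
  count         = 2
  allocation_id = aws_eip.nat[count.index].id
  subnet_id     = aws_subnet.public[count.index].id
  depends_on    = [aws_internet_gateway.igw]
}

resource "aws_route_table" "public" {
  vpc_id = aws_vpc.main.id
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.igw.id
  }
}

resource "aws_route_table_association" "public" {
  count          = 2
  subnet_id      = aws_subnet.public[count.index].id
  route_table_id = aws_route_table.public.id
}

# Each private subnet default-routes through its own AZ's NAT gateway, so there
# is no inbound path from the internet and a zone outage stays in its zone.
resource "aws_route_table" "private" {
  count  = 2
  vpc_id = aws_vpc.main.id
  route {
    cidr_block     = "0.0.0.0/0"
    nat_gateway_id = aws_nat_gateway.nat[count.index].id
  }
}

resource "aws_route_table_association" "private" {
  count          = 2
  subnet_id      = aws_subnet.private[count.index].id
  route_table_id = aws_route_table.private[count.index].id
}

# Workload security group: ICMP from the VPC itself and from the GCP VM and pod
# ranges that arrive over the VPN. Egress is declared explicitly because
# Terraform removes AWS's implicit allow-all egress when it manages the group.
resource "aws_security_group" "workload" {
  name   = "workload"
  vpc_id = aws_vpc.main.id
  ingress {
    from_port   = -1
    to_port     = -1
    protocol    = "icmp"
    cidr_blocks = ["10.0.0.0/16", "10.1.0.0/24", "10.1.64.0/18"]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
```

The bastion is an aws_instance in aws_subnet.public[0] with associate_public_ip_address = true and a security group that admits TCP/22 only from the administrator's CIDR; the workload instance and the EKS nodes sit in the private subnets with no public address, and their SSH rule should reference the bastion's security group ID rather than a CIDR, so that moving the bastion does not silently widen access. The EKS cluster's vpc_config should list only the private subnet IDs and, if its API endpoint stays public, restrict public_access_cidrs to the same administrator CIDR.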
Virtual Private Network (VPN)
The final resources in this project enable the workloads (including Kubernetes pods) to have globally routable private IP addresses across GCP and AWS: an IPsec VPN between the two VPCs, with BGP exchanging the routes. This configuration is based on the instructions in the article, Connecting an AWS and GCP VPC using an IPSec VPN Tunnel with BGP.
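An added example of that VPN in Terraform follows; it is not the project's code and not taken from the linked article. It assumes the rest of the configuration defines google_compute_network.vpc, aws_vpc.main and two aws_route_table.private tables under those names, and that the google provider carries a default region; the ASNs 65001 (GCP) and 64512 (AWS) are private-range choices of this example. The exchange runs in both directions: AWS hands out two tunnel endpoints, inside addresses and pre-shared keys from one aws_vpn_connection, and the GCP side consumes them to build two tunnels and two BGP sessions.

```hcl
# Added example, not the project's code. Assumes google_compute_network.vpc,
# aws_vpc.main and the two aws_route_table.private tables exist elsewhere, and a
# google provider with a default region. ASNs are private-range picks.
resource "google_compute_ha_vpn_gateway" "gcp" {
  name    = "gcp-to-aws"
  network = google_compute_network.vpc.id
}

# DEFAULT advertise mode announces the subnet ranges, primary and secondary.
resource "google_compute_router" "vpn" {
  name    = "vpn-router"
  network = google_compute_network.vpc.id
  bgp { asn = 65001 }
}

# AWS side: GCP's first HA VPN interface is the "customer gateway".
resource "aws_customer_gateway" "gcp" {
  bgp_asn    = 65001
  ip_address = google_compute_ha_vpn_gateway.gcp.vpn_interfaces[0].ip_address
  type       = "ipsec.1"
}

resource "aws_vpn_gateway" "vgw" {
  vpc_id          = aws_vpc.main.id
  amazon_side_asn = "64512"
}

# Dynamic routing: AWS announces 10.0.0.0/16 over BGP, GCP its subnet ranges.
resource "aws_vpn_connection" "gcp" {
  customer_gateway_id = aws_customer_gateway.gcp.id
  vpn_gateway_id      = aws_vpn_gateway.vgw.id
  type                = "ipsec.1"
  static_routes_only  = false
}

resource "aws_vpn_gateway_route_propagation" "private" {
  count          = 2
  vpn_gateway_id = aws_vpn_gateway.vgw.id
  route_table_id = aws_route_table.private[count.index].id
}

# One AWS connection yields two tunnel endpoints; collect them for count below.
locals {
  aws_tunnels = [
    {
      outside = aws_vpn_connection.gcp.tunnel1_address
      psk     = aws_vpn_connection.gcp.tunnel1_preshared_key
      cgw_in  = aws_vpn_connection.gcp.tunnel1_cgw_inside_address
      vgw_in  = aws_vpn_connection.gcp.tunnel1_vgw_inside_address
    },
    {
      outside = aws_vpn_connection.gcp.tunnel2_address
      psk     = aws_vpn_connection.gcp.tunnel2_preshared_key
      cgw_in  = aws_vpn_connection.gcp.tunnel2_cgw_inside_address
      vgw_in  = aws_vpn_connection.gcp.tunnel2_vgw_inside_address
    },
  ]
}

resource "google_compute_external_vpn_gateway" "aws" {
  name            = "aws-vgw"
  redundancy_type = "TWO_IPS_REDUNDANCY"
  dynamic "interface" {
    for_each = local.aws_tunnels
    content {
      id         = interface.key
      ip_address = interface.value.outside
    }
  }
}

# IKEv2 with the AWS-generated pre-shared keys; both tunnels use GCP interface 0.
resource "google_compute_vpn_tunnel" "aws" {
  count                           = 2
  name                            = "aws-tunnel-${count.index}"
  vpn_gateway                     = google_compute_ha_vpn_gateway.gcp.id
  vpn_gateway_interface           = 0
  peer_external_gateway           = google_compute_external_vpn_gateway.aws.id
  peer_external_gateway_interface = count.index
  shared_secret                   = local.aws_tunnels[count.index].psk
  router                          = google_compute_router.vpn.id
  ike_version                     = 2
}

# One BGP session per tunnel over the AWS-assigned 169.254.x.x/30 inside addresses.
resource "google_compute_router_interface" "aws" {
  count      = 2
  name       = "aws-tunnel-${count.index}"
  router     = google_compute_router.vpn.name
  ip_range   = "${local.aws_tunnels[count.index].cgw_in}/30"
  vpn_tunnel = google_compute_vpn_tunnel.aws[count.index].name
}

resource "google_compute_router_peer" "aws" {
  count           = 2
  name            = "aws-peer-${count.index}"
  router          = google_compute_router.vpn.name
  interface       = google_compute_router_interface.aws[count.index].name
  peer_ip_address = local.aws_tunnels[count.index].vgw_in
  peer_asn        = 64512
}
```

Two things a practitioner should check. First, the pre-shared keys AWS generates are read back into Terraform state, so the state must live in an encrypted, access-controlled backend rather than on a workstation. Second, the VPN only makes the other cloud's ranges routable; the GCP firewall rules and the AWS security groups still have to admit them explicitly, otherwise the ICMP test fails even though both BGP sessions are established. For the HA VPN SLA, a second aws_vpn_connection terminating on GCP interface 1 (and a FOUR_IPS_REDUNDANCY external gateway) completes the pair; the single connection above is enough for the investigation the article describes.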