Google Compute Engine VPN Tunnel

google_compute_vpn_tunnel (Terraform)

The VPN Tunnel in Compute Engine can be configured in Terraform with the resource name google_compute_vpn_tunnel. The following sections describe 2 examples of how to use the resource and its parameters.

Example Usage from GitHub

PacketBeta/gcve-cloudvpn-transit-vpc

resource "google_compute_vpn_tunnel" "tunnel1" {
  name                  = "gcve-to-filestore-tunnel1"
  region                = var.region
  vpn_gateway           = google_compute_ha_vpn_gateway.gcve_gateway.id
  peer_gcp_gateway      = google_compute_ha_vpn_gateway.filestore_gateway.id
  shared_secret         = var.vpn_psk

tranquilitybase-io/tb-module-gcp-aws-vpn

resource "google_compute_vpn_tunnel" "tunnel1" {
  provider         = "google-beta"
  project     = var.gcp_project_id
  name             = var.tunnel_name_if1
  region           = var.gcp_region
  vpn_gateway      = var.ha_vpn_gateway

Parameters

• creation_timestamp optional computed - string

Creation timestamp in RFC3339 text format.

• description optional - string

An optional description of this resource.

• detailed_status optional computed - string

Detailed status message for the VPN tunnel.

• id optional computed - string
• ike_version optional - number

IKE protocol version to use when establishing the VPN tunnel with peer VPN gateway. Acceptable IKE versions are 1 or 2. Default version is 2.

• local_traffic_selector optional computed - set of string

Local traffic selector to use when establishing the VPN tunnel with peer VPN gateway. The value should be a CIDR formatted string, for example '192.168.0.0/16'. The ranges should be disjoint. Only IPv4 is supported.

• name required - string

Name of the resource. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression 'a-z?' which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.

• peer_external_gateway optional - string

URL of the peer side external VPN gateway to which this VPN tunnel is connected.

• peer_external_gateway_interface optional - number

The interface ID of the external VPN gateway to which this VPN tunnel is connected.

• peer_gcp_gateway optional - string

URL of the peer side HA GCP VPN gateway to which this VPN tunnel is connected. If provided, the VPN tunnel will automatically use the same vpn_gateway_interface ID in the peer GCP VPN gateway. This field must reference a 'google_compute_ha_vpn_gateway' resource.

• peer_ip optional computed - string

IP address of the peer VPN gateway. Only IPv4 is supported.

• project optional computed - string
• region optional computed - string

The region where the tunnel is located. If unset, is set to the region of 'target_vpn_gateway'.

• remote_traffic_selector optional computed - set of string

Remote traffic selector to use when establishing the VPN tunnel with peer VPN gateway. The value should be a CIDR formatted string, for example '192.168.0.0/16'. The ranges should be disjoint. Only IPv4 is supported.

• router optional - string

URL of router resource to be used for dynamic routing.

• self_link optional computed - string
• shared_secret required - string

Shared secret used to set the secure session between the Cloud VPN gateway and the peer VPN gateway.

• shared_secret_hash optional computed - string

Hash of the shared secret.

• target_vpn_gateway optional - string

URL of the Target VPN gateway with which this VPN tunnel is associated.

• tunnel_id optional computed - string

The unique identifier for the resource. This identifier is defined by the server.

• vpn_gateway optional - string

URL of the VPN gateway with which this VPN tunnel is associated. This must be used if a High Availability VPN gateway resource is created. This field must reference a 'google_compute_ha_vpn_gateway' resource.

• vpn_gateway_interface optional - number

The interface ID of the VPN gateway with which this VPN tunnel is associated.

• timeouts single block
  • create optional - string
  • delete optional - string

Explanation in Terraform Registry

VPN tunnel resource. To get more information about VpnTunnel, see:

• API documentation
• How-to Guides
  • Cloud VPN Overview * Networks and Tunnel Routing

    Warning: All arguments including shared_secret will be stored in the raw state as plain-text. Read more about sensitive data in state.

Tips: Best Practices for The Other Google Compute Engine Resources

In addition to the google_compute_disk, Google Compute Engine has the other resources that should be configured for security reasons. Please check some examples of those resources and precautions.

google_compute_disk

Ensure the encryption key for your GCE disk is stored securely

It is better to store the encryption key for your GCE disk securely. Secret Manager could be used instead.

google_compute_firewall

Ensure your VPC firewall blocks unwanted outbound traffic

It is better to block unwanted outbound traffic not to expose resources in the VPC to unwanted attacks.

google_compute_instance

Ensure appropriate service account is assigned to your GCE instance

It is better to create a custom service account for the instance and assign it.

google_compute_project_metadata

Ensure OS login for your GCE instances is enabled at project level

It is better to enable OS login for your GCE instances. Enabling OS login ensures that SSH keys used to connect to instances are mapped with IAM users, allowing centralized and automated SSH key management.

google_compute_ssl_policy

Ensure to use modern TLS protocols

It's better to adopt TLS v1.2+ instead of outdated TLS protocols.

google_compute_subnetwork

Ensure VPC flow logging is enabled

It is better to enable VPC flow logging. VPC flow logging allows us to audit traffic in your network.