https://www.softbank.jp/biz/blog/cloud-technology/articles/202208/vpn-alibabacloud-googlecloud/
前提:
基礎ネットワークとVMインスタンスはTerraformで作成
その他はCLIで作成
Alibaba VPN Gateway作成画面でService-linked Role作成済み
IPSec tunnel使用本数: 1本
macから実施
設定の流れ:
1. Alibaba Cloud側での設定
VPN Gateway作成
2. GCP側での設定
Cloud HA VPN ゲートウェイ作成
ピアVPNゲートウェイ作成
Cloud Router作成
VPNトンネル作成
BGPセッションの構成
3. Alibaba Cloud側での設定
Customer Gateways作成
IPsec Connection作成
4. 動作確認
GCP:
東京リージョン
サブネット : 10.0.1.0/24
Security Group : ICMP,SSH
ASN: 64512
Alibaba:
北京リージョン
VPC : 172.16.0.0/16
vSwitch : 172.16.1.0/24
Security Group : ICMP,SSH
ASN: 65000
-- 1. プロジェクト作成【GCP】
# 1. Create and select the GCP project, link billing, enable the Compute Engine API.
gcloud init
gcloud auth list
gcloud --version
# project01-9999999 and 111111-111111-111111 are placeholders for the real project id / billing account.
gcloud projects create project01-9999999 \
--name="project01"
gcloud config list
gcloud config set project project01-9999999
# Default region/zone so later gcloud commands may omit --region/--zone.
gcloud config set compute/region asia-northeast1 --quiet
gcloud config set compute/zone asia-northeast1-a --quiet
gcloud beta billing accounts list
gcloud beta billing projects link project01-9999999 --billing-account=111111-111111-111111
# Terraform cannot create networks/instances until the Compute API is enabled.
gcloud services enable compute.googleapis.com --project project01-9999999
-- 2. VPC、サブネット、VMインスタンス作成【GCP】
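# 2. GCP VPC, subnet, VM, firewall rules via Terraform.
# The cleanup section later runs `cd gcp` before `terraform destroy`, and this section ends
# with `cd ..`, so it is meant to run inside its own directory; the mkdir/cd pair appears to
# have been dropped when the page was captured and is restored here (mirrors `mkdir alibaba`).
mkdir gcp
cd gcp
cat <<-'EOF' > main.tf
provider "google" {
  project = "project01-9999999"
  region  = "asia-northeast1"
}

# Custom-mode VPC: only subnet01 below exists.
resource "google_compute_network" "vpc01" {
  name                    = "vpc01"
  auto_create_subnetworks = false
}

resource "google_compute_subnetwork" "subnet01" {
  name                     = "subnet01"
  ip_cidr_range            = "10.0.1.0/24"
  network                  = google_compute_network.vpc01.id
  private_ip_google_access = true
}

# Service account attached to vm01. No IAM role is bound in this file, so the
# cloud-platform scope below grants nothing on its own.
resource "google_service_account" "sa99999999" {
  account_id   = "sa99999999"
  display_name = "sa99999999"
}

resource "google_compute_instance" "vm01" {
  name         = "vm01"
  machine_type = "e2-micro"
  zone         = "asia-northeast1-a"
  tags         = ["tag01"]

  boot_disk {
    initialize_params {
      image = "centos-7-v20221004"
    }
  }

  network_interface {
    network    = google_compute_network.vpc01.self_link
    subnetwork = google_compute_subnetwork.subnet01.self_link
    # Empty access_config gives the VM an ephemeral public IP (what fw01's SSH rule reaches).
    access_config {}
  }

  service_account {
    email  = google_service_account.sa99999999.email
    scopes = ["cloud-platform"]
  }

  # Preemptible without auto-restart: test VM only.
  scheduling {
    preemptible       = true
    automatic_restart = false
  }
}

# SSH to tag01 instances.
# NOTE(review): 0.0.0.0/0 exposes port 22 to the whole internet; narrowing source_ranges
# to the operator's egress address (or using IAP TCP forwarding and dropping the public IP)
# is the usual hardening for anything longer than a short test.
resource "google_compute_firewall" "fw01" {
  name      = "fw01"
  network   = google_compute_network.vpc01.name
  direction = "INGRESS"
  allow {
    protocol = "tcp"
    ports    = ["22"]
  }
  source_ranges = [
    "0.0.0.0/0"
  ]
  target_tags = ["tag01"]
}

# Everything from the Alibaba vSwitch (arrives over the VPN) to tag01 instances.
resource "google_compute_firewall" "fw02" {
  name      = "fw02"
  network   = google_compute_network.vpc01.name
  direction = "INGRESS"
  allow {
    protocol = "all"
  }
  source_ranges = [
    "172.16.1.0/24"
  ]
  target_tags = ["tag01"]
}
EOF
terraform init
terraform fmt
terraform -version
terraform plan
terraform apply -auto-approve
# terraform destroy -auto-approve
# gcloud compute ssh vm01
cd ..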
-- 3. VPC、VSwitch、ECS作成【Alibaba】
# 3. Alibaba Cloud VPC, vSwitches, security group and ECS instance via Terraform.
mkdir alibaba
cd alibaba
cat <<-'EOF' > variables.tf
# Shape and image of instance01; the defaults are used as-is.
variable "instance_type" {
  type        = string
  description = "instance_type"
  default     = "ecs.t6-c4m1.large"
}

variable "image_id" {
  type        = string
  description = "image_id"
  default     = "aliyun_2_1903_x64_20G_alibase_20231221.vhd"
}

# Two Beijing zones, one per vSwitch.
locals {
  availability_zone1 = "cn-beijing-k"
  availability_zone2 = "cn-beijing-l"
}
EOF
# Alibaba side: VPC, two vSwitches (one per zone), security group, IPv4 gateway,
# one ECS instance with an EIP.
cat <<-'EOF' > main.tf
terraform {
  required_version = ">= 1.0.0, < 2.0.0"

  required_providers {
    alicloud = {
      version = "= 1.217.0"
      source  = "aliyun/alicloud"
    }
  }
}

provider "alicloud" {
  region = "cn-beijing"
}

resource "alicloud_vpc" "vpc01" {
  cidr_block  = "172.16.0.0/16"
  vpc_name    = "vpc01"
  description = "vpc01"
}

# sw01 hosts the instance; sw02 is a second-zone vSwitch (not used by the instance).
resource "alicloud_vswitch" "sw01" {
  vpc_id       = alicloud_vpc.vpc01.id
  zone_id      = local.availability_zone1
  cidr_block   = "172.16.1.0/24"
  vswitch_name = "sw01"
  description  = "sw01"
}

resource "alicloud_vswitch" "sw02" {
  vpc_id       = alicloud_vpc.vpc01.id
  zone_id      = local.availability_zone2
  cidr_block   = "172.16.2.0/24"
  vswitch_name = "sw02"
  description  = "sw02"
}

resource "alicloud_security_group" "sg01" {
  vpc_id              = alicloud_vpc.vpc01.id
  security_group_type = "normal"
  name                = "sg01"
  description         = "sg01"
}

# SSH from anywhere.
# NOTE(review): the instance gets an EIP below, so port 22 is reachable from the whole
# internet; narrowing cidr_ip to the operator's egress address is the usual hardening.
resource "alicloud_security_group_rule" "sg0101" {
  security_group_id = alicloud_security_group.sg01.id
  type              = "ingress"
  policy            = "accept"
  priority          = 10
  nic_type          = "intranet"
  ip_protocol       = "tcp"
  port_range        = "22/22"
  cidr_ip           = "0.0.0.0/0"
  description       = "sg0101"
}

# ICMP from the GCP subnet (arrives over the VPN).
resource "alicloud_security_group_rule" "sg0102" {
  security_group_id = alicloud_security_group.sg01.id
  type              = "ingress"
  policy            = "accept"
  priority          = 10
  nic_type          = "intranet"
  ip_protocol       = "icmp"
  port_range        = "-1/-1"
  cidr_ip           = "10.0.1.0/24"
  description       = "sg0102"
}

# IPv4 gateway plus a default route through it (presumably needed for the
# EIP-attached instance's internet egress, since it has no ECS public bandwidth — confirm).
resource "alicloud_vpc_ipv4_gateway" "gw01" {
  vpc_id                   = alicloud_vpc.vpc01.id
  enabled                  = true
  ipv4_gateway_name        = "gw01"
  ipv4_gateway_description = "gw01"
}

# Bind sw01 to the VPC's system route table.
resource "alicloud_route_table_attachment" "sw01_rt01" {
  route_table_id = alicloud_vpc.vpc01.route_table_id
  vswitch_id     = alicloud_vswitch.sw01.id
}

# Custom default route via the IPv4 gateway.
resource "alicloud_route_entry" "rt0101" {
  route_table_id        = alicloud_vpc.vpc01.route_table_id
  name                  = "rt0101"
  destination_cidrblock = "0.0.0.0/0"
  nexthop_type          = "Ipv4Gateway"
  nexthop_id            = alicloud_vpc_ipv4_gateway.gw01.id
}

# ECS instance in sw01. key_name refers to a key pair that must already exist in the region.
resource "alicloud_instance" "instance01" {
  instance_name              = "instance01"
  host_name                  = "instance01"
  description                = "instance01"
  image_id                   = var.image_id
  instance_type              = var.instance_type
  credit_specification       = "Standard"
  vswitch_id                 = alicloud_vswitch.sw01.id
  security_groups            = [alicloud_security_group.sg01.id]
  key_name                   = "alibabakey04"
  system_disk_category       = "cloud_essd"
  system_disk_name           = "instance01"
  system_disk_size           = 20
  instance_charge_type       = "PostPaid"
  internet_charge_type       = "PayByBandwidth"
  internet_max_bandwidth_out = 0
  deletion_protection        = false
}

# Pay-as-you-go EIP (1 Mbit/s) attached to the instance.
resource "alicloud_eip_address" "eip01" {
  address_name         = "eip01"
  description          = "eip01"
  netmode              = "public"
  isp                  = "BGP"
  bandwidth            = 1
  payment_type         = "PayAsYouGo"
  internet_charge_type = "PayByTraffic"
  deletion_protection  = false
}

resource "alicloud_eip_association" "instance01_eip01" {
  allocation_id = alicloud_eip_address.eip01.id
  instance_id   = alicloud_instance.instance01.id
}
EOF
# Ids the later CLI steps need (VPC / vSwitch for the VPN gateway, etc.).
cat <<-'EOF' > outputs.tf
output "vpc01_id" {
  description = "vpc01.id"
  value       = alicloud_vpc.vpc01.id
}

output "vpc01_route_table_id" {
  description = "vpc01.route_table_id"
  value       = alicloud_vpc.vpc01.route_table_id
}

output "sw01_id" {
  description = "sw01.id"
  value       = alicloud_vswitch.sw01.id
}

output "sw02_id" {
  description = "sw02.id"
  value       = alicloud_vswitch.sw02.id
}

output "sg01_id" {
  description = "sg01.id"
  value       = alicloud_security_group.sg01.id
}

output "gw01_id" {
  description = "gw01.id"
  value       = alicloud_vpc_ipv4_gateway.gw01.id
}

output "instance01_id" {
  description = "instance01.id"
  value       = alicloud_instance.instance01.id
}

output "eip01_id" {
  description = "eip01.id"
  value       = alicloud_eip_address.eip01.id
}
EOF
terraform init
terraform fmt
terraform -version
terraform plan
terraform apply -auto-approve
# terraform destroy -auto-approve
cd ..
# 4. Alibaba VPN gateway: IPsec only, public, 10 Mbit/s, pay-as-you-go.
# vpc-... / vsw-... are placeholders; use the vpc01_id / sw01_id outputs from section 3.
# NOTE(review): DisasterRecoveryVSwitchId is given the same vSwitch as VSwitchId; a
# dual-tunnel gateway presumably expects the second-zone vSwitch (sw02) there — worth
# checking, given that the gateway did not appear afterwards (see the note below).
aliyun vpc CreateVpnGateway \
--Name vgw01 \
--VpcId vpc-111111111111111111111 \
--InstanceChargeType POSTPAY \
--AutoPay false \
--Bandwidth 10 \
--EnableIpsec true \
--EnableSsl false \
--VSwitchId vsw-111111111111111111111 \
--VpnType Normal \
--NetworkType public \
--DisasterRecoveryVSwitchId vsw-111111111111111111111 \
--force
コマンドは正常終了するが、DescribeVpnGatewaysしてもリソースは確認できない
→ GUIから実施
作成後、画面から「Enable Automatic Route」有効化も必要
# Verify the gateway created from the console; vpn-... is a placeholder for its id.
aliyun vpc DescribeVpnGateways
aliyun vpc DescribeVpnGateway \
--VpnGatewayId vpn-111111111111111111111
-- 5. Cloud HA VPN ゲートウェイ作成 【GCP】
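# 5. Cloud HA VPN gateway (two interfaces; only interface 0 is used in this runbook).
gcloud compute vpn-gateways create vpn11 \
--region=asia-northeast1 \
--network=vpc01 \
--stack-type=IPV4_ONLY
# 6. Peer (external) VPN gateway representing the Alibaba side.
# 192.0.2.1 stands for the public IP of Alibaba-side tunnel #1 (LocalId in section 11).
gcloud compute external-vpn-gateways create pvg11 \
--interfaces 0=192.0.2.1
gcloud compute external-vpn-gateways list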
-- 7. Cloud Router作成 【GCP】
# 7. Cloud Router that will peer with the Alibaba gateway (GCP ASN 64512, private range).
gcloud compute routers create cr11 \
--region=asia-northeast1 \
--network=vpc01 \
--asn=64512
gcloud compute routers list
gcloud compute routers describe cr11 \
--region=asia-northeast1
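# 8. VPN tunnel on HA VPN interface 0, attached to cr11 for BGP.
# The pre-shared key must match the Psk values in section 11. Set PSK before running
# both sections (e.g. `export PSK=$(openssl rand -hex 32)`) so a generated secret is used
# instead of the placeholder; when PSK is unset the original placeholder is kept.
# The value is visible in shell history and process listings either way, so clear it afterwards.
gcloud compute vpn-tunnels create tun11 \
--shared-secret="${PSK:-PreSharedKey1}" \
--peer-external-gateway=pvg11 \
--vpn-gateway=vpn11 \
--ike-version=2 \
--interface=0 \
--peer-external-gateway-interface=0 \
--region=asia-northeast1 \
--router=cr11 \
--router-region=asia-northeast1
gcloud compute vpn-tunnels list
gcloud compute vpn-tunnels describe tun11 \
--region=asia-northeast1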
-- 9. BGPセッションの構成【GCP】
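# 9. BGP session on cr11 over tun11 (link-local /30: 169.254.20.1 GCP side, .2 Alibaba side).
gcloud compute routers add-interface cr11 \
--interface-name=bgp-interface11 \
--vpn-tunnel=tun11 \
--vpn-tunnel-region=asia-northeast1 \
--ip-address=169.254.20.1 \
--mask-length=30 \
--region=asia-northeast1
# 169.254.20.1 is the GCP-side inner (BGP) address of IPsec tunnel #1.
gcloud compute routers add-bgp-peer cr11 \
--interface=bgp-interface11 \
--peer-asn=65000 \
--peer-name=bgp-peer11 \
--advertisement-mode=DEFAULT \
--no-enable-ipv6 \
--peer-ip-address=169.254.20.2 \
--region=asia-northeast1
# 169.254.20.2 is the Alibaba-side inner address of tunnel #1 (LocalBgpIp in section 11);
# peer ASN 65000 matches LocalAsn there.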
-- 10. カスタマーゲートウェイ作成【Alibaba】
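# 10. Customer gateway describing the GCP side (public address of HA VPN interface 0, ASN 64512).
# 192.0.2.2 stands for the public IP of GCP tunnel #1 (RemoteId in section 11).
aliyun vpc CreateCustomerGateway \
--IpAddress 192.0.2.2 \
--Name cgw01 \
--Asn 64512
aliyun vpc DescribeCustomerGateways
aliyun vpc DescribeCustomerGateway \
--CustomerGatewayId cgw-111111111111111111111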
-- 11. IPsec Connection作成【Alibaba】
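# 11. IPsec connection with BGP (LocalSubnet/RemoteSubnet 0.0.0.0/0 since routes come from BGP).
# The gateway is dual-tunnel, so both tunnel specs are supplied, but only tunnel 1 has a GCP
# counterpart (tun11 on HA VPN interface 0); tunnel 2 is expected to stay down unless a second
# gcloud tunnel on interface 1 (192.0.2.3/192.0.2.4, 169.254.21.0/30) is created — consistent
# with the "one tunnel" premise at the top.
# Ids are placeholders: vpn-... from section 4, cgw-... from section 10.
# Psk must match --shared-secret in section 8: set PSK before running both sections
# (e.g. `export PSK=$(openssl rand -hex 32)`); when PSK is unset the original placeholder is used.
# NOTE(review): sha1 and 1024-bit DH (group2) are weak by current guidance; sha256 / aes256 /
# group14 are accepted by Alibaba and, as far as I know, by GCP IKEv2 — confirm against the
# GCP supported-cipher table, then change all *AuthAlg/*EncAlg/*Pfs values together.
aliyun vpc CreateVpnConnection \
--region cn-beijing \
--RegionId 'cn-beijing' \
--CustomerGatewayId 'cgw-111111111111111111111' \
--VpnGatewayId 'vpn-111111111111111111111' \
--Name vpn01 \
--LocalSubnet '0.0.0.0/0' \
--RemoteSubnet '0.0.0.0/0' \
--EffectImmediately true \
--TunnelOptionsSpecification.1.TunnelBgpConfig.LocalAsn 65000 \
--TunnelOptionsSpecification.1.TunnelBgpConfig.LocalBgpIp '169.254.20.2' \
--TunnelOptionsSpecification.1.TunnelBgpConfig.TunnelCidr '169.254.20.0/30' \
--TunnelOptionsSpecification.1.CustomerGatewayId 'cgw-111111111111111111111' \
--TunnelOptionsSpecification.1.EnableDpd true \
--TunnelOptionsSpecification.1.EnableNatTraversal true \
--TunnelOptionsSpecification.1.Role master \
--TunnelOptionsSpecification.1.TunnelIkeConfig.IkeAuthAlg sha1 \
--TunnelOptionsSpecification.1.TunnelIkeConfig.IkeEncAlg aes \
--TunnelOptionsSpecification.1.TunnelIkeConfig.IkeLifetime 86400 \
--TunnelOptionsSpecification.1.TunnelIkeConfig.IkeMode main \
--TunnelOptionsSpecification.1.TunnelIkeConfig.IkePfs group2 \
--TunnelOptionsSpecification.1.TunnelIkeConfig.IkeVersion ikev2 \
--TunnelOptionsSpecification.1.TunnelIkeConfig.LocalId '192.0.2.1' \
--TunnelOptionsSpecification.1.TunnelIkeConfig.Psk "${PSK:-PreSharedKey1}" \
--TunnelOptionsSpecification.1.TunnelIkeConfig.RemoteId '192.0.2.2' \
--TunnelOptionsSpecification.1.TunnelIpsecConfig.IpsecAuthAlg sha1 \
--TunnelOptionsSpecification.1.TunnelIpsecConfig.IpsecEncAlg aes \
--TunnelOptionsSpecification.1.TunnelIpsecConfig.IpsecLifetime 86400 \
--TunnelOptionsSpecification.1.TunnelIpsecConfig.IpsecPfs group2 \
--TunnelOptionsSpecification.2.TunnelBgpConfig.LocalAsn 65000 \
--TunnelOptionsSpecification.2.TunnelBgpConfig.LocalBgpIp '169.254.21.2' \
--TunnelOptionsSpecification.2.TunnelBgpConfig.TunnelCidr '169.254.21.0/30' \
--TunnelOptionsSpecification.2.CustomerGatewayId 'cgw-111111111111111111111' \
--TunnelOptionsSpecification.2.EnableDpd true \
--TunnelOptionsSpecification.2.EnableNatTraversal true \
--TunnelOptionsSpecification.2.Role slave \
--TunnelOptionsSpecification.2.TunnelIkeConfig.IkeAuthAlg sha1 \
--TunnelOptionsSpecification.2.TunnelIkeConfig.IkeEncAlg aes \
--TunnelOptionsSpecification.2.TunnelIkeConfig.IkeLifetime 86400 \
--TunnelOptionsSpecification.2.TunnelIkeConfig.IkeMode main \
--TunnelOptionsSpecification.2.TunnelIkeConfig.IkePfs group2 \
--TunnelOptionsSpecification.2.TunnelIkeConfig.IkeVersion ikev2 \
--TunnelOptionsSpecification.2.TunnelIkeConfig.LocalId '192.0.2.3' \
--TunnelOptionsSpecification.2.TunnelIkeConfig.Psk "${PSK:-PreSharedKey1}" \
--TunnelOptionsSpecification.2.TunnelIkeConfig.RemoteId '192.0.2.4' \
--TunnelOptionsSpecification.2.TunnelIpsecConfig.IpsecAuthAlg sha1 \
--TunnelOptionsSpecification.2.TunnelIpsecConfig.IpsecEncAlg aes \
--TunnelOptionsSpecification.2.TunnelIpsecConfig.IpsecLifetime 86400 \
--TunnelOptionsSpecification.2.TunnelIpsecConfig.IpsecPfs group2 \
--force \
--EnableTunnelsBgp true
# Check tunnel/BGP state; vco-... is a placeholder for the connection id.
aliyun vpc DescribeVpnConnections
aliyun vpc DescribeVpnConnection \
--VpnConnectionId vco-111111111111111111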
-- 12. VPN GatewayのPolicy-based Routing設定【Alibaba】
# 12. Policy-based route on the VPN gateway: sw01 -> GCP subnet via the IPsec connection,
# published into the VPC route table (--PublishVpc true). With BGP enabled in section 11 the
# GCP prefix is presumably also learned dynamically, so this entry may only pin the path — confirm.
aliyun vpc CreateVpnPbrRouteEntry \
--VpnGatewayId vpn-111111111111111111111 \
--RouteSource "172.16.1.0/24" \
--RouteDest "10.0.1.0/24" \
--NextHop vco-111111111111111111 \
--Weight 100 \
--PublishVpc true \
--Priority 10
aliyun vpc DescribeVpnPbrRouteEntries \
--VpnGatewayId vpn-111111111111111111111
-- 13. BGPステータス確認 【GCP】
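# 13. BGP peer state and learned routes on cr11.
# --region given explicitly, like every other router command in this runbook, so the step
# does not depend on the compute/region default from section 1.
gcloud compute routers get-status cr11 \
--region=asia-northeast1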
-- 14. ルートテーブル修正
-- 14.1 Alibaba(172.16.1.0/24)への経路(ターゲットはCloud HA VPN ゲートウェイ)をサブネットのルートテーブルに追加【GCP】
自動で追加されるため、不要
-- 14.2 GCP側(10.0.1.0/24)への経路(ターゲットはVPN Gateway)をサブネットのルートテーブルに追加【Alibaba】
自動で追加されるため、不要
# 15. Reachability from GCP: run on vm01. 172.16.1.26 is presumably instance01's private
# address in sw01 — confirm with `aliyun ecs DescribeInstances` before relying on it.
ping 172.16.1.26
-- 16. pingで疎通確認【Alibaba】
# Run on instance01. 10.0.1.2 is presumably vm01's internal address in subnet01 —
# confirm with `gcloud compute instances list`.
ping 10.0.1.2
-- 17. クリーンアップ【GCP】
-- BGPセッション削除
# 17. GCP tear-down in reverse dependency order: BGP peer, then the router interface.
gcloud compute routers remove-bgp-peer cr11 \
--peer-name=bgp-peer11
gcloud compute routers remove-interface cr11 \
--interface-name=bgp-interface11
-- VPNトンネル削除
# Tunnel must go before the router and the gateways that reference it.
gcloud compute vpn-tunnels list
gcloud compute vpn-tunnels delete tun11 \
--region=asia-northeast1 \
--quiet
-- Cloud Router削除
# Cloud Router, then the peer (external) gateway.
gcloud compute routers list
gcloud compute routers delete cr11 \
--region=asia-northeast1 \
--quiet
gcloud compute external-vpn-gateways list
gcloud compute external-vpn-gateways delete pvg11 \
--quiet
-- Cloud HA VPN ゲートウェイ削除
# HA VPN gateway (no tunnels reference it any more), then the Terraform-managed resources.
gcloud compute vpn-gateways list
gcloud compute vpn-gateways delete vpn11 \
--region=asia-northeast1 \
--quiet
# The GCP Terraform directory from section 2 (expected to live in ./gcp).
cd gcp
terraform destroy -auto-approve
cd ..
-- プロジェクト削除
# Project deletion, then billing unlink.
gcloud projects list
gcloud projects delete project01-9999999 \
--quiet
gcloud beta billing projects unlink project01-9999999
-- 18. クリーンアップ【Alibaba】
-- Policy-based Routing削除
# 18. Alibaba tear-down: the PBR entry is identified by the same tuple used to create it in section 12.
aliyun vpc DescribeVpnPbrRouteEntries \
--VpnGatewayId vpn-111111111111111111111
aliyun vpc DeleteVpnPbrRouteEntry \
--VpnGatewayId vpn-111111111111111111111 \
--RouteSource "172.16.1.0/24" \
--RouteDest "10.0.1.0/24" \
--NextHop vco-111111111111111111 \
--Weight 100 \
--Priority 10
-- IPsec Connection削除
# IPsec connection (must go before the customer gateway and VPN gateway it references).
aliyun vpc DescribeVpnConnections
aliyun vpc DeleteVpnConnection \
--VpnConnectionId vco-111111111111111111
-- Customer Gateways削除
# Customer gateway, then the VPN gateway (created from the console in section 4),
# then the Terraform-managed resources.
aliyun vpc DescribeCustomerGateways
aliyun vpc DeleteCustomerGateway \
--CustomerGatewayId cgw-111111111111111111111
# VPN gateway deletion.
aliyun vpc DescribeVpnGateways
aliyun vpc DeleteVpnGateway \
--VpnGatewayId vpn-111111111111111111111
cd alibaba
terraform destroy -auto-approve
cd ..