IaC Bazaar
Google Cloud · Plan-validated

HA VPN (Site-to-Site)

99.99% SLA HA VPN gateway pair with BGP-dynamic routing — GCP-to-on-prem or GCP-to-AWS/Azure.

terraform · GCP · #gcp
gcp-ha-vpn · terraform v1.7

Verification

Plan-validated

Passed: module logic verified on a mocked plan — inputs, validation rules, conditional creation and outputs resolve (no real provider, no cloud).

Conformance

  • Static validation (fmt · validate · tflint)
  • Security scan: findings disclosed (Checkov)
  • Plan tests (mocked: validation rules · outputs)

Provenance

  • SHA-256 checksum
  • Signature (pending)

Functional

  • Live test pending (no cloud run yet)

Last verified 2026-06-28 · how we verify

Documentation

gcp-ha-vpn

A 99.99%-SLA HA VPN gateway pair with BGP-dynamic routing — connect a GCP VPC to on-prem, AWS or Azure (peer_type = "external"), or to a second GCP VPC (peer_type = "gcp"). One module call builds the HA VPN gateway (two interfaces, two Google-assigned external IPs), a Cloud Router for BGP, the peer gateway, the redundant tunnels, the Cloud Router interfaces and the BGP sessions — with the BGP wiring (the buyer's main pain point) made explicit and validated. Works with Terraform and OpenTofu (>= 1.6), Google provider >= 7.0, < 8.0.

Status: static-validated, live-test pending. Validated with tofu validate + tflint + checkov against the hashicorp/google provider. Not yet applied against a live GCP project (no cloud sandbox), so it ships under live-test quarantine. The intended live test is GCP-to-GCP across two VPCs in one project (see examples/basic).

Design & secure defaults

  • HA topology by construction. The HA VPN gateway always exposes two interfaces; the tunnels map is intended to carry two tunnels (one per interface) so a single tunnel or interface failure does not drop the connection — the requirement for the 99.99% SLA.
  • BGP-dynamic routing. A Cloud Router runs BGP on the Google side. The local ASN is validated to be a private RFC6996 ASN. Per-session advertised_route_priority (MED) lets you make one tunnel active and one standby.
  • BFD on by default for sub-second failure detection on each BGP session.
  • IKEv2 only by default (ike_version = 2).
  • Secrets stay out of the topology. Pre-shared keys live in a separate tunnel_shared_secrets map marked sensitive; the non-sensitive tunnels map drives for_each, and secrets are looked up by key (Terraform cannot iterate a sensitive collection). Nothing is hardcoded.
  • Cross-field invariants enforced with precondition: an external peer requires a peer_external_gateway_interface on every tunnel; a GCP peer requires peer_gcp_gateway.

This module describes the Google side plus the peer-gateway object. On the remote side (on-prem / AWS / Azure, or the second GCP module) you configure the mirror-image tunnels, ASNs and link-local /30s.
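As an added illustration of the secrets-separation and precondition pattern described above (a sketch written for this page, not the module's own code): the variable shapes and resource names are assumed, the HA VPN gateway, Cloud Router and external peer-gateway resources are assumed to be defined elsewhere in the module, and the GCP-peer branch (peer_gcp_gateway) is left out for brevity.

```hcl
# Non-sensitive topology: safe as a for_each source.
variable "tunnels" {
  type = map(object({
    vpn_gateway_interface           = number
    peer_external_gateway_interface = optional(number)
  }))
}

# Pre-shared keys in a separate, sensitive map keyed by tunnel name.
# Never used as a for_each source; looked up by key instead.
variable "tunnel_shared_secrets" {
  type      = map(string)
  sensitive = true
}

variable "peer_type" {
  type = string
  validation {
    condition     = contains(["external", "gcp"], var.peer_type)
    error_message = "peer_type must be \"external\" or \"gcp\"."
  }
}

# Assumed to exist elsewhere in the module: google_compute_ha_vpn_gateway.this,
# google_compute_router.this and google_compute_external_vpn_gateway.peer
# (count = 1 when peer_type == "external").
resource "google_compute_vpn_tunnel" "this" {
  for_each = var.tunnels # iteration driven by the non-sensitive map

  name                  = "tunnel-${each.key}"
  vpn_gateway           = google_compute_ha_vpn_gateway.this.id
  vpn_gateway_interface = each.value.vpn_gateway_interface
  router                = google_compute_router.this.id
  ike_version           = 2 # IKEv2 only

  peer_external_gateway           = var.peer_type == "external" ? google_compute_external_vpn_gateway.peer[0].id : null
  peer_external_gateway_interface = each.value.peer_external_gateway_interface

  # Lookup by key keeps the secret out of the instance keys; a tunnel with no
  # matching entry fails at plan time with an "Invalid index" error.
  shared_secret = var.tunnel_shared_secrets[each.key]

  lifecycle {
    precondition {
      condition     = var.peer_type != "external" || each.value.peer_external_gateway_interface != null
      error_message = "An external peer requires peer_external_gateway_interface on every tunnel."
    }
  }
}
```

Because shared_secret is read from a sensitive variable, Terraform redacts it in plan output while the for_each keys remain visible, which is what makes the two-map split work.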

Requirements

Requirement            Version
Terraform / OpenTofu   >= 1.6
hashicorp/google       >= 7.0, < 8.0

License

Commercial — LicenseRef-IaCBazaar-Commercial. See the IaC Bazaar terms.

Usage code & full reference unlock after purchase

The complete copy-paste usage, the full input/output reference, and operational notes ship with your licence — shown here and bundled in the download.

  • Usage
  • Inputs
  • Outputs