A Virtual Private Cloud (VPC) network implemented inside of Google's production network
No Additional Properties
This field will be used to explicitly name this resource.
{
"name": "alpha",
"subnetworks": "......",
"routes": "......",
"firewall_rules": "....."
}
{
"name": "bravo",
"subnetworks": "......",
"routes": "......",
"firewall_rules": "....."
}
This field will be used to combine with [environment] and [prefix] to generate a unique VPC name
{
"label": "alpha",
"subnetworks": "......",
"routes": "......",
"firewall_rules": "....."
}
{
"label": "bravo",
"subnetworks": "......",
"routes": "......",
"firewall_rules": "....."
}
If true, this resource should be pre-existing and not be created and/or updated.
If specified, this 'Project ID' value will override the default value specified in the Terraform module.
If specified, this 'Environment' value will override the default value specified in the Terraform module.
If specified, this 'Prefix' value will override the default value specified in the Terraform module.
Description to be used for the created Network
Maximum transmission unit (MTU) is the size of the largest IP packet that can be transmitted on this network.
[
{
"name": "......",
"mtu": 1460,
"subnetworks": "......",
"routes": "......",
"firewall_rules": "....."
},
{
"name": "......",
"mtu": 1500,
"subnetworks": "......",
"routes": "......",
"firewall_rules": "....."
}
]
Private Google Access is an alternative to connecting to Google APIs and services over the internet. Setting this to PRIVATE or RESTRICTED will deploy the required Cloud DNS and routing functionality to enable this feature.
Does not deploy GCP configuration required for Private Google Access
Specific value:"DISABLED"
Enables API access to most Google APIs and services regardless of whether they are supported by VPC Service Controls.
Specific value:"PRIVATE"
Provides access to Cloud and Developer APIs that support VPC Service Controls. Blocks access to Google APIs and services that do not support VPC Service Controls.
Specific value:"RESTRICTED"
[
{
"name": "......",
"private_google_access": "DISABLED",
"subnetworks": "......",
"routes": "......",
"firewall_rules": "....."
}
]
[
{
"name": "......",
"private_google_access": "PRIVATE",
"subnetworks": "......",
"routes": "......",
"firewall_rules": "....."
}
]
[
{
"name": "......",
"private_google_access": "RESTRICTED",
"subnetworks": "......",
"routes": "......",
"firewall_rules": "....."
}
]
Allows private consumption of services across VPC networks that belong to different groups, teams, projects, or organizations
IP CIDR RANGE: the private service connection is specified by an explicit IP CIDR range.
If the value is "IP_CIDR_RANGE", the following applies:
{
"ip_cidr_range": "192.168.0.0/24",
"export_custom_routes": true,
"import_custom_routes": false
}
If true, the network will export custom routes to peer network.
If true, the network will import custom routes from peer network.
IP space allocated to this subnetwork in CIDR format.
Must match regular expression:^(?:([0-9]|[1-9][0-9]{0,1}|1[0-9]{1,2}|2[0-4][0-9]|25[0-5])(\.([0-9]|[1-9][0-9]{0,1}|1[0-9]{1,2}|2[0-4][0-9]|25[0-5])){3}/(([0-9]|[1-2][0-9]|3[0-2])))$
"192.168.0.0/24"
IP CIDR PREFIX: the private service connection is specified by a prefix length and Google allocates the range.
If the value is "IP_CIDR_PREFIX", the following applies:
{
"ip_cidr_prefix": 16,
"export_custom_routes": true,
"import_custom_routes": false
}
If true, the network will export custom routes to peer network.
If true, the network will import custom routes from peer network.
IP CIDR prefix used for this connection. Google will automatically allocate an IP CIDR range based on the provided prefix.
Value must be greater than or equal to 8 and less than or equal to 30.
16
[
{
"name": "......",
"private_service_connection": {
"ip_cidr_range": "192.168.0.0/24",
"export_custom_routes": true,
"import_custom_routes": false
},
"subnetworks": "......",
"routes": "......",
"firewall_rules": "....."
}
]
[
{
"name": "......",
"private_service_connection": {
"ip_cidr_prefix": 16,
"export_custom_routes": true,
"import_custom_routes": false
},
"subnetworks": "......",
"routes": "......",
"firewall_rules": "....."
}
]
The BGP routing mode for this network.
Cloud Routers in this network advertise subnetworks from all regions to their BGP peers, and program instances in all regions with the router's best learned BGP routes.
Specific value:"GLOBAL"
Cloud Routers in this network advertise subnetworks from their local region only to their BGP peers, and program instances in their local region only with the router's best learned BGP routes.
Specific value:"REGIONAL"
[
{
"name": "......",
"routing_mode": "REGIONAL",
"subnetworks": "......",
"routes": "......",
"firewall_rules": "....."
}
]
[
{
"name": "......",
"routing_mode": "GLOBAL",
"subnetworks": "......",
"routes": "......",
"firewall_rules": "....."
}
]
Must contain between 0 and 100 items. All items must be unique.
A subnetwork with purpose set to PRIVATE is a user-created subnetwork that is reserved for Google Compute Engine instances.
If the value is "PRIVATE", the following applies:
{
"ip_cidr_range": "192.168.0.0/24",
"region": "US-CENTRAL1",
"private_ip_google_access": "ENABLED",
"cloud_nat": {
"subnetworks_to_nat": "SELECTED_SECONDARY_SUBNETWORKS"
},
"purpose": "PRIVATE",
"log_config": {
"enabled": true,
"metadata": "INCLUDE_ALL_METADATA",
"flow_sampling": 50,
"metadata_fields": [],
"aggregation_interval": "INTERVAL_5_SEC"
},
"secondary_subnetworks": [
{
"ip_cidr_range": "192.168.1.0/24",
"nat_group_id": "nat-group-alpha"
}
]
}
{
"ip_cidr_range": "192.168.16.0/24",
"region": "US-CENTRAL1",
"private_ip_google_access": "ENABLED",
"cloud_nat": {
"subnetworks_to_nat": "ALL_SUBNETWORKS",
"nat_group_id": "nat-group-alpha"
},
"purpose": "PRIVATE",
"log_config": {
"enabled": true,
"metadata": "INCLUDE_ALL_METADATA",
"flow_sampling": 50,
"metadata_fields": [],
"aggregation_interval": "INTERVAL_5_SEC"
},
"secondary_subnetworks": [
{
"ip_cidr_range": "192.168.17.0/24"
}
]
}
If this field is not provided, the name will be dynamically generated from the ip_cidr_range value. WARNING: if this field is not set, changing the ip_cidr_range will change the dynamically generated name.
Must match regular expression:^(?:[a-z](?:[-a-z0-9]{0,61}[a-z0-9])?)$
Must be between 1 and 63 characters long.
"<prefix>-<environment>-<network>-subnet-<192-168-0-0-24>"
Description of this subnetwork.
"US-CENTRAL1"
IP space allocated to this subnetwork in CIDR format.
Must match regular expression:^(?:([0-9]|[1-9][0-9]{0,1}|1[0-9]{1,2}|2[0-4][0-9]|25[0-5])(\.([0-9]|[1-9][0-9]{0,1}|1[0-9]{1,2}|2[0-4][0-9]|25[0-5])){3}/(([0-9]|[1-2][0-9]|3[0-2])))$
"192.168.0.0/24"
The purpose of this subnetwork.
Specific value:"PRIVATE"
Collection of Secondary Subnetworks that are assigned to this Primary Subnetwork.
Must contain between 0 and 30 items. All items must be unique.
If this field is not provided, the name will be dynamically generated from the ip_cidr_range value. WARNING: if this field is not set, changing the ip_cidr_range will change the dynamically generated name.
Must match regular expression:^(?:[a-z](?:[-a-z0-9]{0,61}[a-z0-9])?)$
Must be between 1 and 63 characters long.
"<prefix>-<environment>-<network>-subnet-<192-168-0-0-24>"
Cloud NAT configuration ID to inherit configuration from.
"nat-group-alpha"
IP space allocated to this subnetwork in CIDR format.
Must match regular expression:^(?:([0-9]|[1-9][0-9]{0,1}|1[0-9]{1,2}|2[0-4][0-9]|25[0-5])(\.([0-9]|[1-9][0-9]{0,1}|1[0-9]{1,2}|2[0-4][0-9]|25[0-5])){3}/(([0-9]|[1-2][0-9]|3[0-2])))$
"192.168.0.0/24"
[
{
"name": "gke-services",
"ip_cidr_range": "192.168.0.0/24"
},
{
"nat_group_id": "nat-group-alpha",
"ip_cidr_range": "192.168.1.0/24"
},
{
"ip_cidr_range": "192.168.2.0/24"
}
]
Provide access to Google Cloud APIs from this subnet for instances without a public IP address.
Denotes the logging options for the subnetwork flow logs. If logging is enabled logs will be exported to Stackdriver.
If the value is "CUSTOM_METADATA", the following applies:
Enable/disable VPC Flow Logs for this subnet.
Toggles the aggregation interval for collecting flow logs. Increasing the interval time will reduce the amount of generated flow logs for long lasting connections.
Set the sampling rate of VPC flow logs within the subnetwork where 100 means all collected logs are reported, 50 means half of all collected logs are reported and 0 means no logs are reported.
Value must be greater than or equal to 0 and less than or equal to 100.
Configures whether metadata fields should be added to the reported logs.
Include all metadata in VPC flow logs
Specific value:"INCLUDE_ALL_METADATA"
Exclude all metadata in VPC flow logs
Specific value:"EXCLUDE_ALL_METADATA"
Include only specific attributes for metadata in VPC flow logs
Specific value:"CUSTOM_METADATA"
If the value is "CUSTOM_METADATA", the following applies:
Enable/disable VPC Flow Logs for this subnet.
Toggles the aggregation interval for collecting flow logs. Increasing the interval time will reduce the amount of generated flow logs for long lasting connections.
Set the sampling rate of VPC flow logs within the subnetwork where 100 means all collected logs are reported, 50 means half of all collected logs are reported and 0 means no logs are reported.
Value must be greater than or equal to 0 and less than or equal to 100.
Configures whether metadata fields should be added to the reported logs.
Include all metadata in VPC flow logs
Specific value:"INCLUDE_ALL_METADATA"
Exclude all metadata in VPC flow logs
Specific value:"EXCLUDE_ALL_METADATA"
Include only specific attributes for metadata in VPC flow logs
Specific value:"CUSTOM_METADATA"
"CUSTOM_METADATA"
List of supported fields can be found at https://cloud.google.com/vpc/docs/flow-logs#record_format
All items must be unique
If the source of the connection was a VM located on the same VPC, this field is populated with VM instance details. In a Shared VPC configuration, project_id corresponds to the project that owns the instance, usually the service project.
Specific value:"src_instance"
ID of the project containing the VM
Specific value:"src_instance.project_id"
Instance name of the VM
Specific value:"src_instance.vm_name"
Region of the VM
Specific value:"src_instance.region"
Zone of the VM
Specific value:"src_instance.zone"
If the destination of the connection was a VM located on the same VPC, this field is populated with VM instance details. In a Shared VPC configuration, project_id corresponds to the project that owns the instance, usually the service project.
Specific value:"dest_instance"
ID of the project containing the VM
Specific value:"dest_instance.project_id"
Instance name of the VM
Specific value:"dest_instance.vm_name"
Region of the VM
Specific value:"dest_instance.region"
Zone of the VM
Specific value:"dest_instance.zone"
If the source of the connection was a VM located on the same VPC, this field is populated with VPC network details. In a Shared VPC configuration, project_id corresponds to that of the host project.
Specific value:"src_vpc"
ID of the project containing the VPC
Specific value:"src_vpc.project_id"
VPC on which the VM is operating
Specific value:"src_vpc.vpc_name"
Subnetwork on which the VM is operating
Specific value:"src_vpc.subnetwork_name"
If the destination of the connection was a VM located on the same VPC, this field is populated with VPC network details. In a Shared VPC configuration, project_id corresponds to that of the host project.
Specific value:"dest_vpc"
ID of the project containing the VPC
Specific value:"dest_vpc.project_id"
VPC on which the VM is operating
Specific value:"dest_vpc.vpc_name"
Subnetwork on which the VM is operating
Specific value:"dest_vpc.subnetwork_name"
If the source of the connection was external to the VPC, this field is populated with available location metadata.
Specific value:"src_location"
Continent for external endpoints
Specific value:"src_location.continent"
Country for external endpoints, represented as ISO 3166-1 Alpha-3 country codes.
Specific value:"src_location.country"
Region for external endpoints
Specific value:"src_location.region"
City for external endpoints
Specific value:"src_location.city"
The autonomous system number (ASN) of the external network to which this endpoint belongs.
Specific value:"src_location.asn"
If the destination of the connection was external to the VPC, this field is populated with available location metadata.
Specific value:"dest_location"
Continent for external endpoints
Specific value:"dest_location.continent"
Country for external endpoints, represented as ISO 3166-1 Alpha-3 country codes.
Specific value:"dest_location.country"
Region for external endpoints
Specific value:"dest_location.region"
City for external endpoints
Specific value:"dest_location.city"
The autonomous system number (ASN) of the external network to which this endpoint belongs.
Specific value:"dest_location.asn"
GKE metadata for source endpoints. Only available if the endpoint is GKE.
Specific value:"src_gke_details"
GKE cluster metadata.
Specific value:"src_gke_details.cluster"
GKE cluster name.
Specific value:"src_gke_details.cluster.cluster_name"
Location of the cluster. This can be a zone or a region depending if the cluster is zonal or regional.
Specific value:"src_gke_details.cluster.cluster_location"
GKE Pod metadata, populated when the source or destination of the traffic is a Pod.
Specific value:"src_gke_details.pod"
Name of the Pod.
Specific value:"src_gke_details.pod.pod_name"
Namespace of the Pod.
Specific value:"src_gke_details.pod.pod_namespace"
GKE Service metadata, populated in Service endpoints only. The record contains up to two Services. If there are more than two relevant Services, this field contains a single Service with a special MANY_SERVICES marker.
Specific value:"src_gke_details.service"
Name of the Service. If there are more than two relevant Services, the field is set to a special MANY_SERVICES marker.
Specific value:"src_gke_details.service.service_name"
Namespace of the Service.
Specific value:"src_gke_details.service.service_namespace"
GKE metadata for destination endpoints. Only available if the endpoint is GKE.
Specific value:"dest_gke_details"
GKE cluster metadata.
Specific value:"dest_gke_details.cluster"
GKE cluster name.
Specific value:"dest_gke_details.cluster.cluster_name"
Location of the cluster. This can be a zone or a region depending if the cluster is zonal or regional.
Specific value:"dest_gke_details.cluster.cluster_location"
GKE Pod metadata, populated when the source or destination of the traffic is a Pod.
Specific value:"dest_gke_details.pod"
Name of the Pod.
Specific value:"dest_gke_details.pod.pod_name"
Namespace of the Pod.
Specific value:"dest_gke_details.pod.pod_namespace"
GKE Service metadata, populated in Service endpoints only. The record contains up to two Services. If there are more than two relevant Services, this field contains a single Service with a special MANY_SERVICES marker.
Specific value:"dest_gke_details.service"
Name of the Service. If there are more than two relevant Services, the field is set to a special MANY_SERVICES marker.
Specific value:"dest_gke_details.service.service_name"
Namespace of the Service.
Specific value:"dest_gke_details.service.service_namespace"
[
"src_vpc",
"dest_vpc"
]
[
"src_instance.vm_name",
"dest_instance.vm_name"
]
{
"status": "ENABLED",
"aggregation_interval": "INTERVAL_1_MIN"
}
{
"status": "ENABLED",
"metadata": "EXCLUDE_ALL_METADATA",
"aggregation_interval": "INTERVAL_1_MIN"
}
{
"status": "ENABLED",
"metadata": "CUSTOM_METADATA",
"metadata_fields": [
"connection",
"src_vpc",
"dest_vpc"
]
}
Configures whether metadata fields should be added to the reported logs.
Include all metadata in VPC flow logs
Specific value:"INCLUDE_ALL_METADATA"
Exclude all metadata in VPC flow logs
Specific value:"EXCLUDE_ALL_METADATA"
Include only specific attributes for metadata in VPC flow logs
Specific value:"CUSTOM_METADATA"
This section specifies how Primary and Secondary Subnetworks should be configured to NAT egress traffic.
No Additional Properties
If the value is "DISABLED", the following applies:
If the value is "ALL_SUBNETWORKS", the following applies:
If the value is "PRIMARY_SUBNETWORK", the following applies:
If the value is "PRIMARY_SUBNETWORK_SELECTED_SECONDARY_SUBNETWORKS", the following applies:
If the value is "ALL_SECONDARY_SUBNETWORKS", the following applies:
If the value is "SELECTED_SECONDARY_SUBNETWORKS", the following applies:
{}
{
"subnetworks_to_nat": "ALL_SUBNETWORKS",
"nat_group_id": "nat-group-alpha"
}
{
"subnetworks_to_nat": "SELECTED_SECONDARY_SUBNETWORKS",
"nat_group_id": "nat-group-alpha"
}
{
"subnetworks_to_nat": "ALL_SECONDARY_SUBNETWORKS"
}
Used to determine whether NAT should be applied to the primary subnetwork, the secondary subnetworks, or a combination of both.
This section is only implemented if subnetworks_to_nat is set to SELECTED_PRIMARY_SUBNETWORKS_SELECTED_SECONDARY_SUBNETWORKS in the parent cloud_nat section.
Cloud NAT should not be applied to either the primary or secondary subnetworks.
This does not override cloud_nat configurations in the parent object when set to ALL_PRIMARY_SUBNETWORKS_ALL_SECONDARY_SUBNETWORKS.
"DISABLED"
Cloud NAT should be applied to the primary and all secondary subnetworks.
Specific value:"ALL_SUBNETWORKS"
Cloud NAT should be applied to the primary subnetwork.
Specific value:"PRIMARY_SUBNETWORK"
Cloud NAT should be applied to the primary and selected secondary subnetworks.
Specific value:"PRIMARY_SUBNETWORK_SELECTED_SECONDARY_SUBNETWORKS"
Cloud NAT should be applied to all secondary subnetworks.
Specific value:"ALL_SECONDARY_SUBNETWORKS"
Cloud NAT should be applied to selected secondary subnetworks.
Specific value:"SELECTED_SECONDARY_SUBNETWORKS"
This ID is used to match the corresponding cloud nat configuration in the parent object.
"nat-group-alpha"
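As an added check (not part of the Terraform module or of this schema page), the following Python validates a network object against the constraints documented above: the name and CIDR regular expressions, the generated subnetwork name template, the flow log sampling range and CUSTOM_METADATA fields, and the per-subnetwork Cloud NAT selection rules, including the two cases where a subnetwork-level cloud_nat block is silently ignored. The network-level keys cloud_nat.subnetworks_to_nat and cloud_nat.nat_groups are assumptions, as is the overlap check between primary and secondary ranges; the sample network is constructed.

```python
import ipaddress
import re

# Regular expressions and enumerations copied from the schema page.
NAME_RE = re.compile(r"^(?:[a-z](?:[-a-z0-9]{0,61}[a-z0-9])?)$")
OCTET = r"([0-9]|[1-9][0-9]{0,1}|1[0-9]{1,2}|2[0-4][0-9]|25[0-5])"
CIDR_RE = re.compile(rf"^(?:{OCTET}(\.{OCTET}){{3}}/(([0-9]|[1-2][0-9]|3[0-2])))$")
SUBNET_NAT_MODES = {"DISABLED", "ALL_SUBNETWORKS", "PRIMARY_SUBNETWORK",
                    "PRIMARY_SUBNETWORK_SELECTED_SECONDARY_SUBNETWORKS",
                    "ALL_SECONDARY_SUBNETWORKS", "SELECTED_SECONDARY_SUBNETWORKS"}
NAT_ALL = "ALL_PRIMARY_SUBNETWORKS_ALL_SECONDARY_SUBNETWORKS"
NAT_SELECTED = "SELECTED_PRIMARY_SUBNETWORKS_SELECTED_SECONDARY_SUBNETWORKS"


def generated_subnet_name(prefix, environment, network, ip_cidr_range):
    """Documented default <prefix>-<environment>-<network>-subnet-<cidr>, '.' and '/' as '-'."""
    return f"{prefix}-{environment}-{network}-subnet-" + re.sub(r"[./]", "-", ip_cidr_range)


def check_subnetwork(sub, net_nat_mode, nat_ids, prefix, environment, network):
    """Return (code, subject) findings for one primary subnetwork."""
    out = []
    cidr = sub.get("ip_cidr_range", "")
    if not CIDR_RE.match(cidr):
        return [("BAD_CIDR", cidr)]
    name = sub.get("name") or generated_subnet_name(prefix, environment, network, cidr)
    if not NAME_RE.match(name):  # the pattern also enforces the 1-63 character limit
        out.append(("BAD_NAME", name))
    # Secondary ranges: schema regex, plus an overlap check added here (not on the page).
    ranges = [ipaddress.ip_network(cidr, strict=False)]
    secondaries = sub.get("secondary_subnetworks", [])
    for sec in secondaries:
        scidr = sec.get("ip_cidr_range", "")
        if not CIDR_RE.match(scidr):
            out.append(("BAD_CIDR", scidr))
            continue
        snet = ipaddress.ip_network(scidr, strict=False)
        if any(snet.overlaps(r) for r in ranges):
            out.append(("OVERLAP", scidr))
        ranges.append(snet)
    # VPC Flow Logs: sampling must be 0-100 and CUSTOM_METADATA needs at least one field.
    log = sub.get("log_config") or {}
    if log:
        if not 0 <= log.get("flow_sampling", 100) <= 100:
            out.append(("BAD_SAMPLING", name))
        fields = log.get("metadata_fields", [])
        if log.get("metadata") == "CUSTOM_METADATA" and not fields:
            out.append(("EMPTY_CUSTOM_METADATA", name))
    # Cloud NAT: the per-subnetwork block only takes effect when the network-level mode is
    # NAT_SELECTED, and DISABLED never overrides NAT_ALL, so egress can be NATed unexpectedly.
    nat = sub.get("cloud_nat") or {}
    mode = nat.get("subnetworks_to_nat", "DISABLED")
    if mode not in SUBNET_NAT_MODES:
        out.append(("BAD_NAT_MODE", name))
    elif mode == "DISABLED":
        if net_nat_mode == NAT_ALL:
            out.append(("NAT_DISABLED_IGNORED", name))
    elif net_nat_mode != NAT_SELECTED:
        out.append(("NAT_CONFIG_IGNORED", name))
    else:
        group_ids = [nat.get("nat_group_id")] + [s.get("nat_group_id") for s in secondaries]
        for gid in filter(None, group_ids):
            if gid not in nat_ids:
                out.append(("UNKNOWN_NAT_GROUP", gid))
        if mode == "SELECTED_SECONDARY_SUBNETWORKS" and not any(
                s.get("nat_group_id") for s in secondaries):
            out.append(("NO_SECONDARY_SELECTED", name))
    return out


def validate_network(net, prefix="corp", environment="prod"):
    """Findings for one network object. The network-level keys cloud_nat.subnetworks_to_nat
    and cloud_nat.nat_groups[].nat_group_id are assumptions; the page does not name them."""
    net_nat = net.get("cloud_nat") or {}
    net_nat_mode = net_nat.get("subnetworks_to_nat", "DISABLED")
    nat_ids = {g.get("nat_group_id") for g in net_nat.get("nat_groups", [])}
    label = net.get("label") or net.get("name", "")
    out = [] if NAME_RE.match(label) else [("BAD_NAME", label)]
    for sub in net.get("subnetworks", []):
        out.extend(check_subnetwork(sub, net_nat_mode, nat_ids, prefix, environment, label))
    return out


# Constructed sample: one clean subnetwork, and one whose secondary range overlaps its
# primary range and whose nat_group_id matches no network-level NAT group.
SAMPLE = {
    "name": "alpha",
    "cloud_nat": {"subnetworks_to_nat": NAT_SELECTED,
                  "nat_groups": [{"nat_group_id": "nat-group-alpha"}]},
    "subnetworks": [
        {"ip_cidr_range": "192.168.0.0/24", "region": "US-CENTRAL1", "purpose": "PRIVATE",
         "cloud_nat": {"subnetworks_to_nat": "SELECTED_SECONDARY_SUBNETWORKS"},
         "log_config": {"enabled": True, "metadata": "CUSTOM_METADATA", "flow_sampling": 50,
                        "metadata_fields": ["src_vpc", "dest_vpc"]},
         "secondary_subnetworks": [{"ip_cidr_range": "192.168.1.0/24",
                                    "nat_group_id": "nat-group-alpha"}]},
        {"ip_cidr_range": "10.0.0.0/16", "region": "US-CENTRAL1",
         "cloud_nat": {"subnetworks_to_nat": "ALL_SUBNETWORKS", "nat_group_id": "nat-group-bravo"},
         "secondary_subnetworks": [{"ip_cidr_range": "10.0.5.0/24"}]},
    ],
}
```

Running `validate_network(SAMPLE)` reports the overlapping secondary range and the unresolved nat-group-bravo reference, and nothing for the first subnetwork.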
A subnetwork with purpose set to PRIVATE_SERVICE_CONNECT is a user-created subnetwork that is reserved for Private Service Connect Internal Load Balancing.
If the value is "PRIVATE_SERVICE_CONNECT", the following applies:
{
"region": "US-CENTRAL1",
"ip_cidr_range": "192.168.0.0/24",
"purpose": "PRIVATE_SERVICE_CONNECT"
}
If this field is not provided, the name will be dynamically generated from the ip_cidr_range value. WARNING: if this field is not set, changing the ip_cidr_range will change the dynamically generated name.
Must match regular expression:^(?:[a-z](?:[-a-z0-9]{0,61}[a-z0-9])?)$
Must be between 1 and 63 characters long.
"<prefix>-<environment>-<network>-subnet-<192-168-0-0-24>"
Description of this subnetwork.
"US-CENTRAL1"
IP space allocated to this subnetwork in CIDR format.
Must match regular expression:^(?:([0-9]|[1-9][0-9]{0,1}|1[0-9]{1,2}|2[0-4][0-9]|25[0-5])(\.([0-9]|[1-9][0-9]{0,1}|1[0-9]{1,2}|2[0-4][0-9]|25[0-5])){3}/(([0-9]|[1-2][0-9]|3[0-2])))$
"192.168.0.0/24"
"PRIVATE_SERVICE_CONNECT"
A subnetwork with purpose set to INTERNAL_HTTPS_LOAD_BALANCER is a user-created subnetwork that is reserved for Internal HTTP(S) Load Balancing.
If the value is "INTERNAL_HTTPS_LOAD_BALANCER", the following applies:
{
"region": "US-CENTRAL1",
"ip_cidr_range": "192.168.0.0/24",
"purpose": "INTERNAL_HTTPS_LOAD_BALANCER",
"role": "ACTIVE"
}
{
"region": "US-CENTRAL1",
"ip_cidr_range": "192.168.1.0/24",
"purpose": "INTERNAL_HTTPS_LOAD_BALANCER",
"role": "BACKUP"
}
If this field is not provided, the name will be dynamically generated from the ip_cidr_range value. WARNING: if this field is not set, changing the ip_cidr_range will change the dynamically generated name.
Must match regular expression:^(?:[a-z](?:[-a-z0-9]{0,61}[a-z0-9])?)$
Must be between 1 and 63 characters long.
"<prefix>-<environment>-<network>-subnet-<192-168-0-0-24>"
Description of this subnetwork.
"US-CENTRAL1"
IP space allocated to this subnetwork in CIDR format.
Must match regular expression:^(?:([0-9]|[1-9][0-9]{0,1}|1[0-9]{1,2}|2[0-4][0-9]|25[0-5])(\.([0-9]|[1-9][0-9]{0,1}|1[0-9]{1,2}|2[0-4][0-9]|25[0-5])){3}/(([0-9]|[1-2][0-9]|3[0-2])))$
"192.168.0.0/24"
"INTERNAL_HTTPS_LOAD_BALANCER"
The purpose of this subnetwork.
Automatically NAT all egress traffic from all primary and secondary subnetworks in this network.
If the value is "ALL_PRIMARY_SUBNETWORKS_ALL_SECONDARY_SUBNETWORKS", the following applies:
Enable endpoint-independent mapping for the NAT (as defined in RFC 5128).
Enable logging for the NAT. Logs will be exported to Stackdriver.
Minimum number of ports allocated to a VM from this NAT.
Timeout in seconds for UDP connections.
Timeout in seconds for ICMP connections.
Timeout in seconds for TCP established connections.
Timeout in seconds for TCP transitory connections.
Automatically NAT all egress traffic from all primary subnetworks in this network.
If the value is "ALL_PRIMARY_SUBNETWORKS", the following applies:
Enable endpoint-independent mapping for the NAT (as defined in RFC 5128).
Enable logging for the NAT. Logs will be exported to Stackdriver.
Minimum number of ports allocated to a VM from this NAT.
Timeout in seconds for UDP connections.
Timeout in seconds for ICMP connections.
Timeout in seconds for TCP established connections.
Timeout in seconds for TCP transitory connections.
Allows you to select specific primary and secondary subnetworks to NAT based on nat_group_id.
If the value is "SELECTED_PRIMARY_SUBNETWORKS_SELECTED_SECONDARY_SUBNETWORKS", the following applies:
Must contain a minimum of 0 items. All items must be unique.
Enable endpoint-independent mapping for the NAT (as defined in RFC 5128).
Enable logging for the NAT. Logs will be exported to Stackdriver.
Minimum number of ports allocated to a VM from this NAT.
Timeout in seconds for UDP connections.
Timeout in seconds for ICMP connections.
Timeout in seconds for TCP established connections.
Timeout in seconds for TCP transitory connections.
Disabled placeholder for generic Cloud NAT; when DISABLED, nothing is configured within GCP.
If the value is "DISABLED", the following applies:
"DISABLED"
Collection of VPC Peers that enables you to connect VPC networks so that workloads in different VPC networks can communicate internally.
All items must be unique
{
"network": "prod-network"
}
{
"network": "dev-network",
"export_custom_routes": false,
"import_custom_routes": true
}
{
"network": "test-network",
"export_custom_routes": false,
"import_custom_routes": true,
"import_subnet_routes_with_public_ip": false,
"export_subnet_routes_with_public_ip": true
}
{
"project": "remote-project-id",
"network": "remote-network"
}
The name of the project for the peer network. If not specified, defaults to current project.
"remote-project-id"
The name of the network to be peered with the current network.
"prod-network"
If true, the network will export custom routes to peer network.
If true, the network will import custom routes from peer network.
If true, the network will import subnet routes with addresses in the public IP ranges from the peer network.
If true, the network will export subnet routes with addresses in the public IP ranges to the peer network.
[
{
"name": "......",
"peers": [
{
"network": "prod-network"
},
{
"network": "dev-network",
"export_custom_routes": false,
"import_custom_routes": true
},
{
"project": "remote-project-id",
"network": "remote-network"
}
],
"subnetworks": "......",
"routes": "......",
"firewall_rules": "....."
}
]
Must contain between 0 and 100 items. All items must be unique.
If the value is "INTERNET_GATEWAY", the following applies:
{
"destination": "0.0.0.0/0",
"priority": 0,
"next_hop_type": "INTERNET_GATEWAY"
}
{
"tags": [
"allow-internet"
],
"destination": "0.0.0.0/0",
"priority": 0,
"next_hop_type": "INTERNET_GATEWAY"
}
If this field is not provided, the name will be dynamically generated.
Must match regular expression:^(?:[a-z](?:[-a-z0-9]{0,61}[a-z0-9])?)$
Must be between 1 and 63 characters long.
An optional, textual description for the route.
The destination range of outgoing packets that the route will apply to.
Must match regular expression:^(?:([0-9]|[1-9][0-9]{0,1}|1[0-9]{1,2}|2[0-4][0-9]|25[0-5])(\.([0-9]|[1-9][0-9]{0,1}|1[0-9]{1,2}|2[0-4][0-9]|25[0-5])){3}/(([0-9]|[1-2][0-9]|3[0-2])))$
"192.168.0.0/24"
Specifies the priority of this route relative to other routes with the same specificity. The lower the value, the higher the priority.
Value must be greater than or equal to 0 and less than or equal to 2147483647.
The type of route to be created.
"INTERNET_GATEWAY"
If the value is "ADDRESS", the following applies:
{
"tags": [
"rf1918-to-ngfw"
],
"destination": "192.168.0.0/16",
"priority": 0,
"next_hop_type": "ADDRESS",
"next_hop_address": "192.168.0.1"
}
{
"tags": [
"rf1918-to-ngfw"
],
"destination": "172.16.0.0/12",
"priority": 100,
"next_hop_type": "ADDRESS",
"next_hop_address": "192.168.0.1"
}
If this field is not provided, the name will be dynamically generated.
Must match regular expression:^(?:[a-z](?:[-a-z0-9]{0,61}[a-z0-9])?)$
Must be between 1 and 63 characters long.
An optional, textual description for the route.
The destination range of outgoing packets that the route will apply to.
Must match regular expression:^(?:([0-9]|[1-9][0-9]{0,1}|1[0-9]{1,2}|2[0-4][0-9]|25[0-5])(\.([0-9]|[1-9][0-9]{0,1}|1[0-9]{1,2}|2[0-4][0-9]|25[0-5])){3}/(([0-9]|[1-2][0-9]|3[0-2])))$
"192.168.0.0/24"
Specifies the priority of this route relative to other routes with the same specificity. The lower the value, the higher the priority.
Value must be greater than or equal to 0 and less than or equal to 2147483647.
The type of route to be created.
"ADDRESS"
IP Address.
Must match regular expression:^(?:([0-9]|[1-9][0-9]{0,1}|1[0-9]{1,2}|2[0-4][0-9]|25[0-5])(\.([0-9]|[1-9][0-9]{0,1}|1[0-9]{1,2}|2[0-4][0-9]|25[0-5])){3})$
"192.168.0.0"
If the value is "LOAD_BALANCER", the following applies:
{
"tags": [
"rf1918-to-ngfw"
],
"destination": "192.168.0.0/16",
"priority": 0,
"next_hop_type": "LOAD_BALANCER",
"next_hop_load_balancer_id": "projects/example-project/regions/us-central1/forwardingRules/example-load-balancer"
}
If this field is not provided, the name will be dynamically generated.
Must match regular expression:^(?:[a-z](?:[-a-z0-9]{0,61}[a-z0-9])?)$
Must be between 1 and 63 characters long.
An optional, textual description for the route.
The destination range of outgoing packets that the route will apply to.
Must match regular expression:^(?:([0-9]|[1-9][0-9]{0,1}|1[0-9]{1,2}|2[0-4][0-9]|25[0-5])(\.([0-9]|[1-9][0-9]{0,1}|1[0-9]{1,2}|2[0-4][0-9]|25[0-5])){3}/(([0-9]|[1-2][0-9]|3[0-2])))$
"192.168.0.0/24"
Specifies the priority of this route relative to other routes with the same specificity. The lower the value, the higher the priority.
Value must be greater than or equal to 0 and less than or equal to 2147483647.
The type of route to be created.
"LOAD_BALANCER"
Target Load Balancer that traffic should be routed to. Expected format is projects/
^(projects/.*/regions/.*/forwardingRules/.*)$
If the value is "INSTANCE", the following applies:
{
"tags": [
"rf1918-to-ngfw"
],
"destination": "192.168.0.0/16",
"priority": 0,
"next_hop_type": "INSTANCE",
"next_hop_instance": "MY-INSTANCE",
"next_hop_instance_zone": "US-CENTRAL1-A"
}
If this field is not provided, the name will be dynamically generated.
Must match regular expression:^(?:[a-z](?:[-a-z0-9]{0,61}[a-z0-9])?)$
Must be between 1 and 63 characters long.
An optional, textual description for the route.
The destination range of outgoing packets that the route will apply to.
Must match regular expression:^(?:([0-9]|[1-9][0-9]{0,1}|1[0-9]{1,2}|2[0-4][0-9]|25[0-5])(\.([0-9]|[1-9][0-9]{0,1}|1[0-9]{1,2}|2[0-4][0-9]|25[0-5])){3}/(([0-9]|[1-2][0-9]|3[0-2])))$
"192.168.0.0/24"
Specifies the priority of this route relative to other routes with the same specificity. The lower the value, the higher the priority.
Value must be greater than or equal to 0 and less than or equal to 2147483647.
The type of route to be created.
"INSTANCE"
"US-CENTRAL1-A"
The type of route to be created.
[
{
"name": "......",
"subnetworks": "......",
"routes": [
{
"tags": [
"allow-internet"
],
"destination": "0.0.0.0/0",
"priority": 0,
"next_hop_type": "INTERNET_GATEWAY"
},
{
"tags": [
"rf1918-to-ngfw"
],
"destination": "192.168.0.0/16",
"priority": 0,
"next_hop_type": "ADDRESS",
"next_hop_address": "192.168.0.1"
},
{
"tags": [
"rf1918-to-ngfw"
],
"destination": "172.16.0.0/12",
"priority": 100,
"next_hop_type": "ADDRESS",
"next_hop_address": "192.168.0.1"
}
],
"firewall_rules": "......"
}
]
Must contain between 0 and 100 items. All items must be unique.
Words go here
If the value is "INGRESS", the following applies:
Words go here
No Additional Properties
If not specified, the name will be based on the id field.
Must match regular expression:^(?:[a-z](?:[-a-z0-9]{0,61}[a-z0-9])?)$
Must be between 1 and 63 characters long.
"<prefix>-<environment>-<network>-subnet-<192-168-0-0-24>"
Words go here. If not specified, the name will be based on the id field.
Must match regular expression:^[a-z][a-z0-9-]{0,23}$
Must be at least 1
characters long
Must be at most 24
characters long
"<prefix>-<environment>-<network>-subnet-<192-168-0-0-24>"
Words go here. If not specified, the name will be based on the id field.
Must match regular expression:^(?:[a-z](?:[-a-z0-9]{0,61}[a-z0-9])?)$
Must be at least 1
characters long
Must be at most 63
characters long
"<prefix>-<environment>-<network>-subnet-<192-168-0-0-24>"
"INGRESS"
Must contain a minimum of 1
items
All items must be unique
If the conditions in the "If" tab are respected, then the conditions in the "Then" tab should be respected. Otherwise, the conditions in the "Else" tab should be respected.
^(TCP|UDP)$
Specified ports to be either allowed or denied
Must contain a minimum of 0
items
All items must be unique
Value must be greater or equal to 0
and lesser or equal to 65535
Ranges of ports to be either allowed or denied
Must contain a minimum of 0
items
All items must be unique
^(0|6[0-5][0-5][0-3][0-5]|[1-5][0-9][0-9][0-9][0-9]|[1-9][0-9]{0,3})-(6[0-5][0-5][0-3][0-5]|[1-5][0-9][0-9][0-9][0-9]|[1-9][0-9]{0,3})$
If the conditions in the "If" tab are respected, then the conditions in the "Then" tab should be respected. Otherwise, the conditions in the "Else" tab should be respected.
^(ALL|ICMP|ESP|AH|SCTP|IPIP)$
Words go here
If the conditions in the "If" tab are respected, then the conditions in the "Then" tab should be respected. Otherwise, the conditions in the "Else" tab should be respected.
"EGRESS"
Words go here
No Additional Properties
Words go here. If not specified, the name will be based on the id field.
Must match regular expression:^(?:[a-z](?:[-a-z0-9]{0,61}[a-z0-9])?)$
Must be at least 1
characters long
Must be at most 63
characters long
"<prefix>-<environment>-<network>-subnet-<192-168-0-0-24>"
Words go here. If not specified, the name will be based on the id field.
Must match regular expression:^[a-z][a-z0-9-]{0,23}$
Must be at least 1
characters long
Must be at most 24
characters long
"<prefix>-<environment>-<network>-subnet-<192-168-0-0-24>"
Words go here. If not specified, the name will be based on the id field.
Must match regular expression:^(?:[a-z](?:[-a-z0-9]{0,61}[a-z0-9])?)$
Must be at least 1
characters long
Must be at most 63
characters long
"<prefix>-<environment>-<network>-subnet-<192-168-0-0-24>"
"EGRESS"
Must contain a minimum of 1
items
All items must be unique
If the conditions in the "If" tab are respected, then the conditions in the "Then" tab should be respected. Otherwise, the conditions in the "Else" tab should be respected.
^(TCP|UDP)$
Specified ports to be either allowed or denied
Must contain a minimum of 0
items
All items must be unique
Value must be greater or equal to 0
and lesser or equal to 65535
Ranges of ports to be either allowed or denied
Must contain a minimum of 0
items
All items must be unique
^(0|6[0-5][0-5][0-3][0-5]|[1-5][0-9][0-9][0-9][0-9]|[1-9][0-9]{0,3})-(6[0-5][0-5][0-3][0-5]|[1-5][0-9][0-9][0-9][0-9]|[1-9][0-9]{0,3})$
If the conditions in the "If" tab are respected, then the conditions in the "Then" tab should be respected. Otherwise, the conditions in the "Else" tab should be respected.
^(ALL|ICMP|ESP|AH|SCTP|IPIP)$
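Two caveats on the port constraints documented above for INGRESS and EGRESS rules. First, the port-range pattern does not accept every valid range: its high-port branch `6[0-5][0-5][0-3][0-5]` only matches 60000-65535 when the fourth digit is 0-3 and the fifth is 0-5, so a legitimate range such as `60190-60200` is rejected, while a reversed range such as `1024-80` is accepted. Second, the if/then/else structure implies that ports and port ranges only apply to TCP and UDP. The following is an added example, not code from the module or the page: it reproduces the documented pattern so you can see what it accepts, implements a strict replacement parser, and checks a rule's protocol/port section. The field names `protocol`, `ports` and `port_ranges` are assumptions; the page documents the constraints but not the field names.

```python
import re

# The port-range pattern exactly as documented on this page.
DOCUMENTED_RANGE_RE = re.compile(
    r"^(0|6[0-5][0-5][0-3][0-5]|[1-5][0-9][0-9][0-9][0-9]|[1-9][0-9]{0,3})"
    r"-(6[0-5][0-5][0-3][0-5]|[1-5][0-9][0-9][0-9][0-9]|[1-9][0-9]{0,3})$"
)
# Protocol patterns as documented; ports are only meaningful for the first set
# (inferred from the page's if/then/else structure, treated as an assumption).
L4_PROTOCOL_RE = re.compile(r"^(TCP|UDP)$")
OTHER_PROTOCOL_RE = re.compile(r"^(ALL|ICMP|ESP|AH|SCTP|IPIP)$")


def documented_regex_accepts(spec: str) -> bool:
    """What the documented pattern would do with a port-range string."""
    return DOCUMENTED_RANGE_RE.fullmatch(spec) is not None


def parse_port_range(spec: str) -> tuple:
    """Strict parse of 'lo-hi': decimal digits, both in 0..65535, lo <= hi."""
    m = re.fullmatch(r"(\d{1,5})-(\d{1,5})", spec)
    if not m:
        raise ValueError(f"{spec!r} is not of the form lo-hi")
    lo, hi = int(m.group(1)), int(m.group(2))
    if hi > 65535:
        raise ValueError(f"{spec!r} exceeds port 65535")
    if lo > hi:
        raise ValueError(f"{spec!r} is reversed (lo > hi)")
    return lo, hi


def check_rule(rule: dict) -> list:
    """Problems with one firewall rule's protocol/port section; [] passes.
    Field names `protocol`, `ports`, `port_ranges` are assumed, not documented."""
    problems = []
    proto = rule.get("protocol", "")
    if not (L4_PROTOCOL_RE.fullmatch(proto) or OTHER_PROTOCOL_RE.fullmatch(proto)):
        problems.append(f"protocol {proto!r} is not a documented value")
    ports = rule.get("ports", [])
    ranges = rule.get("port_ranges", [])
    if (ports or ranges) and not L4_PROTOCOL_RE.fullmatch(proto):
        problems.append(f"ports are only valid with TCP or UDP, not {proto!r}")
    if len(set(ports)) != len(ports) or len(set(ranges)) != len(ranges):
        problems.append("port and port-range lists must contain unique items")
    for p in ports:
        if not isinstance(p, int) or not 0 <= p <= 65535:
            problems.append(f"port {p!r} is outside 0..65535")
    for r in ranges:
        try:
            parse_port_range(r)
        except ValueError as err:
            problems.append(str(err))
        else:
            if not documented_regex_accepts(r):
                problems.append(f"range {r!r} is valid but the documented pattern rejects it")
    return problems
```

The practical consequence: a rule written as `60190-60200` fails schema validation and has to be rewritten (for example as individual ports), while `1024-80` passes the schema and is only caught later, if at all. Until the pattern is corrected, run the strict parser over every range before committing the configuration.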
Coming Soon
[
{
"name": "network-single",
"description": "This will create a single VPC Network and nothing else"
}
]
[
{
"name": "network-alpha",
"description": "This will create a network alpha and nothing else"
},
{
"name": "network-bravo",
"description": "This will create a network bravo and nothing else"
}
]
[
{
"name": "subnetwork-secondary-subnetworks",
"description": "This will create a single VPC Network, Primary Subnetwork and two Secondary Ranges",
"subnetworks": [
{
"region": "US-EAST4",
"ip_cidr_range": "172.16.0.0/24",
"secondary_subnetworks": [
{
"ip_cidr_range": "172.16.1.0/24"
},
{
"ip_cidr_range": "172.16.2.0/24"
}
]
}
]
}
]
[
{
"name": "cloud-nat-all",
"description": "This will create a single VPC Network with Primary and Secondary Subnetworks with Cloud-NAT",
"routing_mode": "GLOBAL",
"cloud_nat": {
"subnetworks_to_nat": "ALL_PRIMARY_SUBNETWORKS_ALL_SECONDARY_SUBNETWORKS"
},
"subnetworks": [
{
"region": "US-WEST1",
"ip_cidr_range": "172.16.32.0/24",
"secondary_subnetworks": [
{
"ip_cidr_range": "10.20.32.0/24"
},
{
"ip_cidr_range": "10.20.33.0/24"
}
]
}
]
}
]
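The subnetwork examples above declare a primary range plus secondary ranges per subnetwork. Google Cloud rejects ranges that overlap within a network, but the error only surfaces at apply time. The following is an added example, not code from the module or the page: it flattens every primary and secondary range in a network definition, using the `subnetworks` / `secondary_subnetworks` / `ip_cidr_range` layout shown in the examples, and reports every overlapping pair before anything is applied. The sample input is the page's `cloud-nat-all` example; the overlapping network is constructed for illustration.

```python
import ipaddress
from itertools import combinations

# The `cloud-nat-all` example from this page, reused as sample input.
PAGE_NETWORK = {
    "name": "cloud-nat-all",
    "routing_mode": "GLOBAL",
    "cloud_nat": {"subnetworks_to_nat": "ALL_PRIMARY_SUBNETWORKS_ALL_SECONDARY_SUBNETWORKS"},
    "subnetworks": [
        {"region": "US-WEST1", "ip_cidr_range": "172.16.32.0/24",
         "secondary_subnetworks": [{"ip_cidr_range": "10.20.32.0/24"},
                                   {"ip_cidr_range": "10.20.33.0/24"}]},
    ],
}

# Constructed input (not from the page): a secondary range inside its primary.
BAD_NETWORK = {
    "name": "overlap-demo",
    "subnetworks": [
        {"region": "US-EAST4", "ip_cidr_range": "172.16.0.0/24",
         "secondary_subnetworks": [{"ip_cidr_range": "172.16.0.128/25"},
                                   {"ip_cidr_range": "172.16.2.0/24"}]},
    ],
}


def declared_ranges(network: dict) -> list:
    """Flatten every primary and secondary range as (label, network) pairs.
    Raises ValueError if a range has host bits set, which GCP also rejects."""
    out = []
    for i, subnet in enumerate(network.get("subnetworks", [])):
        out.append((f"subnetworks[{i}]", ipaddress.ip_network(subnet["ip_cidr_range"])))
        for j, sec in enumerate(subnet.get("secondary_subnetworks", [])):
            out.append((f"subnetworks[{i}].secondary_subnetworks[{j}]",
                        ipaddress.ip_network(sec["ip_cidr_range"])))
    return out


def overlapping_ranges(network: dict) -> list:
    """Every pair of labels whose CIDR ranges overlap; [] means the layout is clean."""
    ranges = declared_ranges(network)
    return [(a, b) for (a, na), (b, nb) in combinations(ranges, 2) if na.overlaps(nb)]
```

Because the check works on the same JSON that the module consumes, it fits naturally as a pre-commit or CI step alongside `terraform validate`, which does not inspect CIDR arithmetic.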