GCP Networking

Andy Potanin edited this page Jun 21, 2026 · 1 revision

Creates a VPC network with subnets, firewall rules, Cloud NAT, and VPC peering for a GKE cluster.

Use this module when the Rabbit platform needs a dedicated VPC with private networking, NAT egress, and firewall rules before provisioning a GKE cluster.

Supported Features

  • VPC network creation.
  • Subnet with configurable CIDR and private Google access.
  • Firewall rules with per-rule protocol, port, and source range settings.
  • Cloud Router and Cloud NAT for egress from private nodes.
  • Reserved regional static IP for load balancing.
  • Global internal address for VPC peering (used by Cloud SQL private IP).
  • VPC peering via service networking connection.
  • HTTP health check for backend services.

Prerequisites

  • GCP credentials with permission to manage Compute Engine networking resources.
  • The servicenetworking.googleapis.com API enabled when VPC peering is needed.

Important Notes

  • This module must run before gcp-gke-cluster because the cluster references the VPC and subnet created here.
  • cluster_network and cluster_subnetwork names must match what the GKE cluster module expects.
  • nat_ip_allocate_option set to AUTO_ONLY lets GCP assign NAT IPs automatically.
  • Firewall rules are defined as a map; each key is an arbitrary identifier for the rule, and the rule's name field supplies the name suffix of the created firewall resource.

Minimal Example

services:
  - name: "GCP Networking"
    module: "gcp-networking"
    id: "networking"
    deployment_order: 10
    configurations:
      cluster_name: "my-cluster"
      cluster_network: "my-network"
      cluster_subnetwork: "my-subnetwork"
      subnet_cidr: "10.0.0.0/24"
      region: "us-central1"

Outputs

| Output | Description |
| --- | --- |
| vpc_name | The name of the created VPC. |
| subnet_name | The name of the created subnet. |
| public_ip | The reserved public IP address. |

Full Configuration Schema

The fields below are public module inputs under configurations.

configurations:
  subnet_cidr: "10.0.0.0/24"
  region: "us-central1"
  cluster_name: "gcp-gke-cluster"
  cluster_network: "gcp-gke-cluster-network"
  cluster_subnetwork: "gcp-gke-cluster-subnetwork"
  network_tier: "PREMIUM"
  auto_create_subnetworks: false
  private_ip_google_access: true
  router_name: "gcp-gke-cluster-router"
  router_nat_name: "gcp-gke-cluster-router-nat"
  router_nat_log_config_enable: true
  router_nat_log_config_filter: "ERRORS_ONLY"
  source_ip_ranges_to_nat: ["ALL_IP_RANGES"]
  source_subnetwork_ip_ranges_to_nat: "LIST_OF_SUBNETWORKS"
  nat_ip_allocate_option: "AUTO_ONLY"
  enable_endpoint_independent_mapping: true
  google_compute_global_address_name: "rabbit-gke-test"
  google_compute_global_address_purpose: "VPC_PEERING"
  google_compute_global_address_address_type: "INTERNAL"
  google_compute_global_address_prefix_length: 20
  router_bgp_asn: 64514
  http_health_check_port: "8080"
  http_health_check_path: "/health"
  http_health_check_interval_sec: "10"
  http_health_check_timeout_sec: "5"
  firewall_rules:
    rule1:
      name: "allow-http"
      protocol: "tcp"
      ports: ["80", "8080"]
      source_ranges: ["0.0.0.0/0"]

Top-Level Fields

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| subnet_cidr | string | Yes | Subnet CIDR range. Defaults to 10.0.0.0/24. |
| region | string | Yes | GCP region. Defaults to us-central1. |
| cluster_name | string | Yes | Cluster name used for naming derived resources. |
| cluster_network | string | Yes | VPC network name. |
| cluster_subnetwork | string | Yes | Subnet name. |
| network_tier | string | No | Network tier for the static IP. Defaults to PREMIUM. |
| auto_create_subnetworks | boolean | No | Auto-create subnetworks in the VPC. Defaults to false. |
| private_ip_google_access | boolean | No | Enables private Google access on the subnet. Defaults to true. |
| router_name | string | No | Cloud Router name. |
| router_nat_name | string | No | Cloud NAT name. |
| router_nat_log_config_enable | boolean | No | Enables NAT logging. Defaults to true. |
| router_nat_log_config_filter | string | No | NAT log filter. Defaults to ERRORS_ONLY. |
| source_ip_ranges_to_nat | array[string] | No | IP ranges to NAT. Defaults to ["ALL_IP_RANGES"]. |
| source_subnetwork_ip_ranges_to_nat | string | No | Subnetwork IP range NAT mode. Defaults to LIST_OF_SUBNETWORKS. |
| nat_ip_allocate_option | string | No | NAT IP allocation. Defaults to AUTO_ONLY. |
| enable_endpoint_independent_mapping | boolean | No | Enables endpoint-independent mapping. Defaults to true. |
| google_compute_global_address_name | string | No | Global address name for VPC peering. |
| google_compute_global_address_purpose | string | No | Global address purpose. Defaults to VPC_PEERING. |
| google_compute_global_address_address_type | string | No | Global address type. Defaults to INTERNAL. |
| google_compute_global_address_prefix_length | number | No | Global address prefix length. Defaults to 20. |
| router_bgp_asn | number | No | BGP ASN for the Cloud Router. Defaults to 64514. |
| http_health_check_port | string | No | Health check port. Defaults to 8080. |
| http_health_check_path | string | No | Health check path. Defaults to /health. |
| http_health_check_interval_sec | string | No | Health check interval in seconds. Defaults to 10. |
| http_health_check_timeout_sec | string | No | Health check timeout in seconds. Defaults to 5. |
| firewall_rules | map[firewall_rule] | No | Map of firewall rule definitions. |

firewall_rules

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| name | string | Yes | Firewall rule name suffix. |
| protocol | string | Yes | Network protocol, such as tcp or udp. |
| ports | array[string] | Yes | Allowed ports. |
| source_ranges | array[string] | Yes | Source CIDR ranges. |
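As an added example (not part of this module or wiki), a small Python lint for a configurations block as documented above: it checks the required top-level fields, validates subnet_cidr and every firewall source_ranges entry as a strict CIDR, checks that ports are valid port numbers or ranges, and warns on any rule whose source range is 0.0.0.0/0, since such a rule admits traffic from every address on the internet. The sample block is constructed from the Full Configuration Schema, plus a constructed second rule (rule2) restricted to Google's documented health-checker ranges.

```python
import ipaddress

# Constructed sample mirroring the module's Full Configuration Schema (not the project's own data).
SAMPLE_CONFIG = {
    "subnet_cidr": "10.0.0.0/24",
    "region": "us-central1",
    "cluster_name": "gcp-gke-cluster",
    "cluster_network": "gcp-gke-cluster-network",
    "cluster_subnetwork": "gcp-gke-cluster-subnetwork",
    "firewall_rules": {
        "rule1": {"name": "allow-http", "protocol": "tcp",
                  "ports": ["80", "8080"], "source_ranges": ["0.0.0.0/0"]},
        # rule2 is constructed: health checks limited to Google's health-checker source ranges.
        "rule2": {"name": "allow-health", "protocol": "tcp",
                  "ports": ["8080"], "source_ranges": ["130.211.0.0/22", "35.191.0.0/16"]},
    },
}

REQUIRED_TOP = ("subnet_cidr", "region", "cluster_name", "cluster_network", "cluster_subnetwork")
REQUIRED_RULE = ("name", "protocol", "ports", "source_ranges")


def _valid_port_spec(spec):
    """Accept a single port ("80") or a GCP-style range ("8000-9000"), each within 1..65535."""
    parts = str(spec).split("-", 1)
    return all(p.isdigit() and 1 <= int(p) <= 65535 for p in parts)


def lint_config(cfg):
    """Return (errors, warnings) for one gcp-networking `configurations` block."""
    errors, warnings = [], []
    for key in REQUIRED_TOP:
        if not cfg.get(key):
            errors.append(f"missing required field: {key}")
    try:
        subnet = ipaddress.ip_network(cfg.get("subnet_cidr", ""), strict=True)
        if not subnet.is_private:
            warnings.append(f"subnet_cidr {subnet} is not private address space")
    except ValueError:
        errors.append(f"subnet_cidr is not a valid CIDR: {cfg.get('subnet_cidr')!r}")
    for key, rule in cfg.get("firewall_rules", {}).items():
        errors += [f"firewall_rules.{key}: missing {f}" for f in REQUIRED_RULE if f not in rule]
        errors += [f"firewall_rules.{key}: bad port {p!r}" for p in rule.get("ports", [])
                   if not _valid_port_spec(p)]
        for rng in rule.get("source_ranges", []):
            try:
                net = ipaddress.ip_network(rng, strict=True)
            except ValueError:
                errors.append(f"firewall_rules.{key}: bad source range {rng!r}")
                continue
            if net.prefixlen == 0:  # 0.0.0.0/0 or ::/0: reachable from any source address
                warnings.append(f"firewall_rules.{key}: {rule.get('protocol')} "
                                f"{','.join(rule.get('ports', []))} open to all sources ({rng})")
    return errors, warnings
```

Running lint_config(SAMPLE_CONFIG) yields no errors and one warning, for rule1's 0.0.0.0/0 range.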