google_compute_router_interface missing connecting to subnetwork breaks NCC use-case

[bartekmo]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment. If the issue is assigned to the "modular-magician" user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If the issue is assigned to a user, that user is claiming responsibility for the issue. If the issue is assigned to "hashibot", a community member has claimed the issue already.

Description

Google NCC supports using 3rd party SD-WAN virtual appliances as one of 3 spoke types (the others being Interconnect and Cloud VPN tunnel). Establishing BGP connectivity between an NVA and NCC cloud router requires adding cloud router interfaces (using 2 interfaces is recommended) to the same subnetwork as the appliance. Related options are available via API as subnetwork, privateIpAddress, and redundantInterface as well as via gcloud.

As none of these 3 properties is supported neither as a nested interfaces block in google_compute_router nor as google_compute_router_interface resource, configuring scenario with SD-WAN appliances and NCC is not possible via terraform.

Linked to the same use case is missing routerApplianceInstance parameter in bgpPeers[], which translates to router_appliance_instance argument in google_compute_router_peer resource.

New or Affected Resource(s)

• google_compute_router_interface
• google_compute_router_peer

Potential Terraform Configuration

resource "google_compute_router_interface" "nic0" {
  name = "cr-nic0"
  router = "ncc-cloud-router"
  region = "us-west1"
  subnetwork = "ncc-hub-subnet"
  ip_address = "10.0.0.2"
}

resource "google_compute_router_interface" "nic1" {
  name = "cr-nic1"
  router = "ncc-cloud-router"
  region = "us-west1"
  subnetwork = "ncc-hub-subnet"
  ip_address = "10.0.0.2"
  redundant_interface = google_compute_router_interface.nic0.id
}

resource "google_compute_router_peer" "ra_nic0" {
  name = "peer_ra_nic0"
  router = "ncc-cloud-router"
  region = "us-west1"
  peer_ip_address = "10.0.0.5"
  peer_asn = 65000
  interface = google_compute_router_interface.nic0.name
  router_appliance_instance = "projects/my-project/zones/us-west1-a/instances/my-ra-instance"
}

References

• Use-case overview
• API - add cloud router interfaces to a subnet
• API - BGP peering between RA and cloud router
• Router API reference

[kdoan-fiserv]

Just a note that the CLI for interfaces are working with the commands below (however, the peering is giving a 503 error)

---works---
gcloud compute routers add-interface cr-overlay-dmz-us-central1-01
--interface-name=if-cr-overlay-dmz-us-central1-01-0001
--ip-address=#######
--subnetwork=sb-n-hub-dmz-central1-base
--region=us-central1
--project=prj-=#######-n-sandbox-00001

gcloud compute routers add-interface cr-overlay-dmz-us-central1-01
--interface-name=if-cr-overlay-dmz-us-central1-01-0002
--ip-address==#######
--subnetwork=sb-n-hub-dmz-central1-base
--redundant-interface=if-cr-overlay-dmz-us-central1-01-0001
--region=us-central1
--project=prj-=#######-n-sandbox-00001

---not working---
gcloud compute routers add-bgp-peer cr-overlay-dmz-us-central1-01
--peer-name=bgp-=#######-cr-overlay-dmz-us-central1-01
--interface=if-cr-overlay-dmz-us-central1-01-0001
--peer-ip-address==#######
--peer-asn=65002
--instance==#######
--instance-zone=us-central1a
--region=us-central1

gcloud compute routers add-bgp-peer cr-overlay-dmz-us-central1-01
--peer-name=bgp-=#######-cr-overlay-dmz-us-central1-02
--interface=if-cr-overlay-dmz-us-central1-01-0002
--peer-ip-address==#######
--peer-asn=65002
--instance==#######
--instance-zone=us-central1a
--region=us-central1

[LucaPrete]

FYI I started the patches needed to make this happen:

• add the redundant_interface argument to CR interface
• add subnet and private_ip_address arguments to CR interface

Another one for BGP sessions is ready but will come in for review as soon as the first two get marged. Subnet and private IP address interface arguments are indeed needed, in order to make the tests pass.

[LucaPrete]

Update:

These have been merged:

• add the redundant_interface argument to CR interface
• add subnet and private_ip_address arguments to CR interface

The last patch (including a working example) is under review:

• Add BGP Peer Router Appliance instance argument

[LucaPrete]

With the last patch the issue can be closed.
The code has been all merged. I think the last PR should be available in the provider with the next release.

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.