Adding a new template to connect VCNs using multiple VNICs (#552)

Add new solution to connect VCNs using multiple VNICs

Author: prasanna-naik-oracle

docs/solutions/connect_vcns_using_multiple_vnics/README.md

@@ -0,0 +1,60 @@
+    #     ___  ____     _    ____ _     _____
+    #    / _ \|  _ \   / \  / ___| |   | ____|
+    #   | | | | |_) | / _ \| |   | |   |  _|
+    #   | |_| |  _ < / ___ | |___| |___| |___
+    #    \___/|_| \_/_/   \_\____|_____|_____|
+***
+This example creates 2 VCNs with non-overlapping subnets and establishes connectivity between the 2 using attached VNICs.
+
+Each VCN has a public subnet and a private subnet. Each subnet is created with a separate security list and route table. 
+The template then launches a private instance in each one of the private subnets.
+
+A public instance is created in the public subnet of the first VCN. 
+The public instance is configured as a Bridge instance (by enabling and configuring firewall to do forwarding).
+
+The first VCN's private subnet's route table is configured to use the Bridge instance's private IP address as the default route target. See [Using a Private IP as a Route Target](https://docs.us-phoenix-1.oraclecloud.com/Content/Network/Tasks/managingroutetables.htm#privateip) for more details on this feature.
+
+A secondary VNIC is created and attached to the Bridge instance. See [Configuring and using Secondary VNIC](https://docs.cloud.oracle.com/iaas/Content/Network/Tasks/managingVNICs.htm) for more details on this feature. This secondary VNIC is attached to the public subnet of the second VCN. Now the Brdige instance has 2 VNICs, 1 is a default VNIC attached to the first VCN and other is the secondary VNIC attached to the second VCN.
+
+The second VCN's private subnet's route table is configured to use the Bridge instance's secondary VNIC's private IP address as default route target. 
+
+![Architecture diagram](images/connect_vcns_using_multiple_vnics.png)
+
+### Using this example
+* Update env-vars with the required information. Most examples use the same set of environment variables so you only need to do this once.
+* Source env-vars
+  * `$ . env-vars`
+* Update variables in bridge.tf as applicable to your target environment.
+
+Once the environment is built, both the private instances in the different VCNs should be connected. You can login to the public Bridge instance, from there login to the private instances and then ping/SSH the other private instance to verify conectivity between the private instances in different VCNs.
+
+### How to validate this example
+Steps to validate this example will also be listed in the output when the terraform is deployed. 
+1. Enable ssh forwarding from your machine by performing "ssh-add ~/.ssh/id_rsa"
+2. Login to Bridge instance using command "ssh -A Bridge-Instance-Public-IP-Address"
+3. After that, login to privateInstance-1 using "ssh PrivateInstance-1-IP-Address"
+4. Ping the other PrivateInstance-2 "ping PrivateInstance-2-IP-Address"
+5. Vice versa should work fine as well.
+
+### Files in the configuration
+
+#### `env-vars`
+Is used to export the environmental variables used in the configuration. These are usually authentication related, be sure to exclude this file from your version control system. It's typical to keep this file outside of the configuration.
+
+Before you plan, apply, or destroy the configuration source the file -  
+`$ . env-vars`
+
+#### `user_data.tpl`
+Enabling and configuring firewall to do forwarding.
+
+#### `bridge.tf`
+Defines the bridge instance resources.
+
+#### vcn1.tf
+Defines VCN1 resources.
+
+#### vcn2.tf
+Defines VCN2 resources.
+
+#### output.tf
+Displays the output.

docs/solutions/connect_vcns_using_multiple_vnics/bridge.tf

@@ -0,0 +1,88 @@
+# Creating the Bridge Instance
+resource "oci_core_instance" "BridgeInstance" {
+  availability_domain = "${lookup(data.oci_identity_availability_domains.ADs.availability_domains[var.AD - 1],"name")}"
+  compartment_id      = "${var.compartment_ocid}"
+  display_name        = "BridgeInstance"
+  image               = "${var.InstanceImageOCID[var.region]}"
+  shape               = "${var.InstanceShape}"
+
+  create_vnic_details {
+    subnet_id              = "${oci_core_subnet.MgmtSubnet.id}"
+    skip_source_dest_check = true
+  }
+
+  metadata {
+    ssh_authorized_keys = "${var.ssh_public_key}"
+    user_data           = "${base64encode(file("user_data.tpl"))}"
+  }
+
+  timeouts {
+    create = "10m"
+  }
+}
+
+# Gets a list of VNIC attachments on the instance
+data "oci_core_vnic_attachments" "BridgeInstanceVnics" {
+  compartment_id      = "${var.compartment_ocid}"
+  availability_domain = "${lookup(data.oci_identity_availability_domains.ADs.availability_domains[var.AD - 1],"name")}"
+  instance_id         = "${oci_core_instance.BridgeInstance.id}"
+}
+
+# Create PrivateIP
+resource "oci_core_private_ip" "BridgeInstancePrivateIP" {
+  vnic_id      = "${lookup(data.oci_core_vnic_attachments.BridgeInstanceVnics.vnic_attachments[0],"vnic_id")}"
+  display_name = "BridgeInstancePrivateIP"
+}
+
+# Get the OCID of the first (default) VNIC
+data "oci_core_vnic" "BridgeInstanceVnic1" {
+  vnic_id = "${lookup(data.oci_core_vnic_attachments.BridgeInstanceVnics.vnic_attachments[0],"vnic_id")}"
+}
+
+# Creating secondary VNIC on BridgeInstance and attaching it to Second VCN Mgmt subnet
+resource "oci_core_vnic_attachment" "SecondaryVnicAttachment" {
+  create_vnic_details {
+    subnet_id              = "${oci_core_subnet.MgmtSubnet2.id}"
+    display_name           = "SecondaryVNIC"
+    skip_source_dest_check = true
+  }
+
+  instance_id = "${oci_core_instance.BridgeInstance.id}"
+}
+
+# Gets a list of VNIC attachments on the instance
+data "oci_core_vnic_attachments" "BridgeInstanceVnics2" {
+  compartment_id      = "${var.compartment_ocid}"
+  availability_domain = "${lookup(data.oci_identity_availability_domains.ADs.availability_domains[var.AD - 1],"name")}"
+  instance_id         = "${oci_core_instance.BridgeInstance.id}"
+}
+
+# Gets the OCID of the second VNIC
+data "oci_core_vnic" "BridgeInstanceVnic2" {
+  vnic_id = "${oci_core_vnic_attachment.SecondaryVnicAttachment.vnic_id}"
+}
+
+# Gets a list of private IPs on the second VNIC
+data "oci_core_private_ips" "BridgeInstancePrivateIP2" {
+  vnic_id = "${data.oci_core_vnic.BridgeInstanceVnic2.id}"
+}
+
+# Configurations for setting up the secondary VNIC
+resource "null_resource" "configure-secondary-vnic" {
+  connection {
+    type        = "ssh"
+    user        = "opc"
+    private_key = "${var.ssh_private_key}"
+    host        = "${data.oci_core_vnic.BridgeInstanceVnic1.public_ip_address}"
+    timeout     = "30m"
+  }
+
+  provisioner "remote-exec" {
+    inline = [
+      "sudo wget https://docs.cloud.oracle.com/iaas/Content/Resources/Assets/secondary_vnic_all_configure.sh",
+      "sudo chmod 777 secondary_vnic_all_configure.sh",
+      "sudo ./secondary_vnic_all_configure.sh -c ${lookup(data.oci_core_private_ips.BridgeInstancePrivateIP2.private_ips[0],"id")}",
+      "sudo ip route add ${var.vcn_cidr2} dev ens4 via ${oci_core_subnet.MgmtSubnet2.virtual_router_ip}",
+    ]
+  }
+}

docs/solutions/connect_vcns_using_multiple_vnics/env-vars

@@ -0,0 +1,38 @@
+### Provider credentials
+export TF_VAR_tenancy_ocid=""
+export TF_VAR_user_ocid=""
+export TF_VAR_fingerprint=""
+export TF_VAR_private_key_path=""
+
+### Instance credentials
+export TF_VAR_ssh_public_key=$(cat .../id_rsa.pub)
+export TF_VAR_ssh_private_key=$(cat .../id_rsa)
+
+### Region
+export TF_VAR_region=""
+
+### AD
+# Possible values are 1, 2, 3
+export TF_VAR_AD=""
+
+### Compartment
+export TF_VAR_compartment_ocid=""
+
+######
+# Optional Variables
+######
+
+### VCN-1 configuration
+#export TF_VAR_vcn_cidr=""
+#export TF_VAR_mgmt_subnet_cidr=""
+#export TF_VAR_private_subnet_cidr=""
+
+### VCN-2 configuration
+#export TF_VAR_vcn_cidr2=""
+#export TF_VAR_mgmt_subnet_cidr2=""
+#export TF_VAR_private_subnet_cidr2=""
+
+### Instance configuration
+#export TF_VAR_InstanceShape=""
+#export TF_VAR_InstanceOS=""
+#export TF_VAR_InstanceOSVersion=""

docs/solutions/connect_vcns_using_multiple_vnics/images/connect_vcns_using_multiple_vnics.png

@@ -0,0 +1,28 @@
+# Outputing required info for users
+output "Bridge Instance Public IP" {
+  value = "${data.oci_core_vnic.BridgeInstanceVnic1.public_ip_address}"
+}
+
+output "PrivateInstance1 Private IP" {
+  value = "${oci_core_instance.PrivateInstance.private_ip}"
+}
+
+output "PrivateInstance2 Private IP" {
+  value = "${oci_core_instance.PrivateInstance2.private_ip}"
+}
+
+output "SSH login to the Bridge Instance" {
+  value = "ssh -A opc@${data.oci_core_vnic.BridgeInstanceVnic1.public_ip_address}"
+}
+
+output "SSH login to the Private Instance-1 after logging into Bridge Instance as shown above" {
+  value = "ssh -A opc@${oci_core_instance.PrivateInstance.private_ip}"
+}
+
+output "SSH login to the Private Instance-2 after logging into Bridge Instance as shown above" {
+  value = "ssh -A opc@${oci_core_instance.PrivateInstance2.private_ip}"
+}
+
+output "Ping from PrivateInstance-1 to PrivateInstance-2" {
+  value = "ping ${oci_core_instance.PrivateInstance2.private_ip} "
+}

docs/solutions/connect_vcns_using_multiple_vnics/output.tf

@@ -0,0 +1,16 @@
+#cloud-config
+
+write_files:
+  # Create file to be used when enabling ip forwarding
+  - path: /etc/sysctl.d/98-ip-forward.conf
+    content: |
+      net.ipv4.ip_forward = 1
+
+runcmd:
+  # Run firewall commands to enable masquerading and port forwarding
+  # Enable ip forwarding by setting sysctl kernel parameter
+  - firewall-offline-cmd --direct --add-rule ipv4 filter FORWARD 0 -i ens3 -j ACCEPT
+  - firewall-offline-cmd --direct --add-rule ipv4 filter FORWARD 0 -i ens4 -j ACCEPT
+  - /bin/systemctl restart firewalld
+  - sysctl -p /etc/sysctl.d/98-ip-forward.conf
+