# 🌐 Infrastructure Deployment: Two SNAs with two Firewalls for showing VPN IPSEC Connections This repository contains Terraform code to deploy the following sna/infrastructure projects: --- ## 📦 Projects Overview ### 1. **ALPHA SNA** #### 1.1 **Landing Zone** - Deploys a single **pfSense VM** as the central firewall/router. - Acts as the entry point for the environment. - Configures **WAN and one LAN network**: - `wan_network`: `10.220.0.0/24` - `lan_network1`: `10.220.1.0/24` - Interfaces: - WAN interface with static IP `10.220.0.254` - LAN interfaces with dynamic IP #### 1.2 **Core** - Deploys a single **Virtual Machine** (VM) for core services or testing purposes. - Network setup includes: - `p2_lan_network`: `10.220.5.0/24` (routed) - `p2_wan_network`: `10.220.50.0/24` (routed) - optional and deactivated - Interfaces: - LAN interface with optional configured security group - WAN interface without additional security set #### 1.3 **Backup** - Used for backup and disaster recovery scenarios. - Creates an **Object Storage Bucket**. - Relevant **access credentials** are provisioned for use with other services. #### 1.4 **SKE** - Deploys a managed **SKE (STACKIT Kubernetes Engine)** cluster. - `ske_network`: `10.220.10.0/24` ### 2. **BETA SNA** #### 2.1 **VPN** - Deploys a single **pfSense VM** as the central firewall/router. - Acts as the entry point for the environment. - Configures **WAN and one LAN network**: - `wan_network`: `10.230.0.0/24` - `lan_network1`: `10.230.1.0/24` - Interfaces: - WAN interface with static IP `10.230.0.254` - LAN interfaces with dynamic IP #### 2.2 **Infra** - Deploys a single **Virtual Machine** (VM) for infra services or testing purposes. - Network setup includes: - `p6_lan_network`: `10.230.5.0/24` (routed) - Interfaces: - LAN interface with optional configured security group and dynamic IP. ## Overview - The Project Backup and SKE is not shown in this picture. This will only show the flow of the connecting Networks via IPSec. ![Overview](./landingzone_ipsec.png) --- ## 🚀 Getting Started ### Prerequisites - Terraform ≥ 1.3 - Valid STACKIT credentials - Access to STACKIT APIs (IaaS, Kubernetes, Object Storage) ### Deployment Steps 1. Clone this repository: ```bash git clone https://professional-service.git.onstackit.cloud/professional-service-best-practices/landingzone_ipsec.git cd ``` 2. Initialize Terraform: ```bash terraform init ``` 3. Review and adjust variables if needed: ```bash 99-variables.tf set organization id (also in project module) touch pfsense.qcow2 ``` 4. Plan and apply the configuration: ```bash terraform apply ``` --- ## 🔐 Output The deployment will output: - VM IP addresses - pfSense Public IPs - Kubernetes cluster information (kubeconfig) - Object Storage credentials (access/secret key) > 🔒 Make sure to store credentials securely and **never commit them** to version control. --- ## 📝 Notes - This setup is optimized for a **test or POC environment** and is intended to setup an IPSEC Site2Site VPN. - Check the SNA Routes for configuring the Remote Networks on pfSense side. **Be sure to set the Identifier in IKE Phase 1 to the Public IP, because we are behind NAT.** - pfSense must be manually configured after deployment. (User: admin, Passwort: STACKIT123!) - Kubernetes workloads are not included in this deployment but can be added later. - LVM striping (RAID0) can be used for temporary IOPS/performance improvement — but **requires attention to backups**. --- ## ⚠️ Limitations - The infrastructure is not auto-scaled or HA-enabled by default. - No automated DNS or certificate management is configured. --- ## 📬 Support For issues, please create a Ticket or contact professional-service@stackit.cloud --- **Author**: Michael Sodan **License**: MIT