134 lines
		
	
	
	
		
			3.7 KiB
		
	
	
	
		
			Markdown
		
	
	
	
	
	
			
		
		
	
	
			134 lines
		
	
	
	
		
			3.7 KiB
		
	
	
	
		
			Markdown
		
	
	
	
	
	
| # 🌐 Infrastructure Deployment: Two SNAs with two Firewalls for showing VPN IPSEC Connections
 | |
| 
 | |
| This repository contains Terraform code to deploy the following sna/infrastructure projects:
 | |
| 
 | |
| ---
 | |
| 
 | |
| ## 📦 Projects Overview
 | |
| 
 | |
| 
 | |
| 
 | |
| ### 1. **ALPHA SNA**
 | |
| 
 | |
| #### 1.1 **Landing Zone**
 | |
| - Deploys a single **pfSense VM** as the central firewall/router.
 | |
| - Acts as the entry point for the environment.
 | |
| - Configures **WAN and one LAN network**:
 | |
|   - `wan_network`: `10.220.0.0/24`
 | |
|   - `lan_network1`: `10.220.1.0/24`
 | |
| - Interfaces:
 | |
|   - WAN interface with static IP `10.220.0.254`
 | |
|   - LAN interfaces with dynamic IP
 | |
| 
 | |
| #### 1.2 **Core**
 | |
| - Deploys a single **Virtual Machine** (VM) for core services or testing purposes.
 | |
| - Network setup includes:
 | |
|   - `p2_lan_network`: `10.220.5.0/24` (routed)
 | |
|   - `p2_wan_network`: `10.220.50.0/24` (routed) - optional and deactivated
 | |
| - Interfaces:
 | |
|   - LAN interface with optional configured security group
 | |
|   - WAN interface without additional security set
 | |
| 
 | |
| #### 1.3 **Backup**
 | |
| - Used for backup and disaster recovery scenarios.
 | |
| - Creates an **Object Storage Bucket**.
 | |
| - Relevant **access credentials** are provisioned for use with other services.
 | |
| 
 | |
| #### 1.4 **SKE**
 | |
| - Deploys a managed **SKE (STACKIT Kubernetes Engine)** cluster.
 | |
|   - `ske_network`: `10.220.10.0/24`
 | |
| 
 | |
| ### 2. **BETA SNA**
 | |
| 
 | |
| #### 2.1 **VPN**
 | |
| - Deploys a single **pfSense VM** as the central firewall/router.
 | |
| - Acts as the entry point for the environment.
 | |
| - Configures **WAN and one LAN network**:
 | |
|   - `wan_network`: `10.230.0.0/24`
 | |
|   - `lan_network1`: `10.230.1.0/24`
 | |
| - Interfaces:
 | |
|   - WAN interface with static IP `10.230.0.254`
 | |
|   - LAN interfaces with dynamic IP
 | |
| 
 | |
| #### 2.2 **Infra**
 | |
| - Deploys a single **Virtual Machine** (VM) for infra services or testing purposes.
 | |
| - Network setup includes:
 | |
|   - `p6_lan_network`: `10.230.5.0/24` (routed)
 | |
| - Interfaces:
 | |
|   - LAN interface with optional configured security group and dynamic IP.
 | |
| ---
 | |
| 
 | |
| ## 🚀 Getting Started
 | |
| 
 | |
| ### Prerequisites
 | |
| - Terraform ≥ 1.3
 | |
| - Valid STACKIT credentials
 | |
| - Access to STACKIT APIs (IaaS, Kubernetes, Object Storage)
 | |
| 
 | |
| ### Deployment Steps
 | |
| 
 | |
| 1. Clone this repository:
 | |
|    ```bash
 | |
|    git clone https://professional-service.git.onstackit.cloud/professional-service-best-practices/landingzone_ipsec.git
 | |
|    cd <repo-name>
 | |
|    ```
 | |
| 
 | |
| 2. Initialize Terraform:
 | |
|    ```bash
 | |
|    terraform init
 | |
|    ```
 | |
| 
 | |
| 3. Review and adjust variables if needed:
 | |
|    ```bash
 | |
|    99-variables.tf
 | |
|    set organization id (also in project module)
 | |
|    touch pfsense.qcow2
 | |
|    ```
 | |
| 
 | |
| 4. Plan and apply the configuration:
 | |
|    ```bash
 | |
|    terraform apply
 | |
|    ```
 | |
| 
 | |
| ---
 | |
| 
 | |
| ## 🔐 Output
 | |
| 
 | |
| The deployment will output:
 | |
| - VM IP addresses
 | |
| - pfSense Public IPs
 | |
| - Kubernetes cluster information (kubeconfig)
 | |
| - Object Storage credentials (access/secret key)
 | |
| 
 | |
| > 🔒 Make sure to store credentials securely and **never commit them** to version control.
 | |
| 
 | |
| ---
 | |
| 
 | |
| ## 📝 Notes
 | |
| 
 | |
| - This setup is optimized for a **test or POC environment** and is intended to setup an IPSEC Site2Site VPN.
 | |
| - Check the SNA Routes for configuring the Remote Networks on pfSense side. **Be sure to set the Identifier in IKE Phase 1 to the Public IP, because we are behind NAT.**
 | |
| - pfSense must be manually configured after deployment. (User: admin, Passwort: STACKIT123!)
 | |
| - Kubernetes workloads are not included in this deployment but can be added later.
 | |
| - LVM striping (RAID0) can be used for temporary IOPS/performance improvement — but **requires attention to backups**.
 | |
| 
 | |
| ---
 | |
| 
 | |
| ## ⚠️ Limitations
 | |
| 
 | |
| - The infrastructure is not auto-scaled or HA-enabled by default.
 | |
| - No automated DNS or certificate management is configured.
 | |
| 
 | |
| ---
 | |
| 
 | |
| ## Overview
 | |
| 
 | |
| 
 | |
| ## 📬 Support
 | |
| 
 | |
| For issues, please create a Ticket or contact professional-service@stackit.cloud
 | |
| 
 | |
| ---
 | |
| 
 | |
| **Author**: Michael Sodan  
 | |
| **License**: MIT
 |