professional-service-best-practices/landingzone_ipsec
14
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
landingzone_ipsec/README.md
Michael Sodan cb8dec0e30 change rmd
2025-08-21 11:51:59 +00:00

3.8 KiB
Raw Blame History

🌐 Infrastructure Deployment: Two SNAs with two Firewalls for showing VPN IPSEC Connections

This repository contains Terraform code to deploy the following sna/infrastructure projects:

📦 Projects Overview

1. ALPHA SNA

1.1 Landing Zone

  • Deploys a single pfSense VM as the central firewall/router.
  • Acts as the entry point for the environment.
  • Configures WAN and one LAN network:
    • wan_network: 10.220.0.0/24
    • lan_network1: 10.220.1.0/24
  • Interfaces:
    • WAN interface with static IP 10.220.0.254
    • LAN interfaces with dynamic IP

1.2 Core

  • Deploys a single Virtual Machine (VM) for core services or testing purposes.
  • Network setup includes:
    • p2_lan_network: 10.220.5.0/24 (routed)
    • p2_wan_network: 10.220.50.0/24 (routed) - optional and deactivated
  • Interfaces:
    • LAN interface with optional configured security group
    • WAN interface without additional security set

1.3 Backup

  • Used for backup and disaster recovery scenarios.
  • Creates an Object Storage Bucket.
  • Relevant access credentials are provisioned for use with other services.

1.4 SKE

  • Deploys a managed SKE (STACKIT Kubernetes Engine) cluster.
    • ske_network: 10.220.10.0/24

2. BETA SNA

2.1 VPN

  • Deploys a single pfSense VM as the central firewall/router.
  • Acts as the entry point for the environment.
  • Configures WAN and one LAN network:
    • wan_network: 10.230.0.0/24
    • lan_network1: 10.230.1.0/24
  • Interfaces:
    • WAN interface with static IP 10.230.0.254
    • LAN interfaces with dynamic IP

2.2 Infra

  • Deploys a single Virtual Machine (VM) for infra services or testing purposes.
  • Network setup includes:
    • p6_lan_network: 10.230.5.0/24 (routed)
  • Interfaces:
    • LAN interface with optional configured security group and dynamic IP.

Overview

  • The Project Backup and SKE is not shown in this picture. This will only show the flow of the connecting Networks via IPSec.

Overview

🚀 Getting Started

Prerequisites

  • Terraform ≥ 1.3
  • Valid STACKIT credentials
  • Access to STACKIT APIs (IaaS, Kubernetes, Object Storage)

Deployment Steps

  1. Clone this repository:

    git clone https://professional-service.git.onstackit.cloud/professional-service-best-practices/landingzone_ipsec.git
cd <repo-name>

  2. Initialize Terraform:

    terraform init

  3. Review and adjust variables if needed:

    99-variables.tf
set organization id (also in project module)
touch pfsense.qcow2

  4. Plan and apply the configuration:

    terraform apply

🔐 Output

The deployment will output:

  • VM IP addresses
  • pfSense Public IPs
  • Kubernetes cluster information (kubeconfig)
  • Object Storage credentials (access/secret key)

🔒 Make sure to store credentials securely and never commit them to version control.

📝 Notes

  • This setup is optimized for a test or POC environment and is intended to setup an IPSEC Site2Site VPN.
  • Check the SNA Routes for configuring the Remote Networks on pfSense side. Be sure to set the Identifier in IKE Phase 1 to the Public IP, because we are behind NAT.
  • pfSense must be manually configured after deployment. (User: admin, Passwort: STACKIT123!)
  • Kubernetes workloads are not included in this deployment but can be added later.
  • LVM striping (RAID0) can be used for temporary IOPS/performance improvement — but requires attention to backups.

⚠️ Limitations

  • The infrastructure is not auto-scaled or HA-enabled by default.
  • No automated DNS or certificate management is configured.

📬 Support

For issues, please create a Ticket or contact professional-service@stackit.cloud

Author: Michael Sodan
License: MIT