Deployment Manager VPN Creation

Ward Harold

Apr 2, 2016, 5:05:07 PM
to gce-discussion
I'm trying to create a VPN with Deployment Manager.

I have a jinja template that creates:
- targetVpnGateway
- ESP forwarding rule
- UDP500 forwarding rule
- UDP4500 forwarding rule
- vpnTunnel
- route

My deployment fails with the message:

Unexpected response from resource of type compute.v1.vpnTunnel: 400 {statusMessage=Bad Request, errors=[{message=Invalid value for field 'resource.targetVpnGateway': 'https://www.googleapis.com/compute/v1/projects/<myproject>/regions/us-central1/targetVpnGateways/<mytargetvpn>'. VPN gateway must be configured with forwarding rules before creating tunnel., domain=global, reason=invalid}]}

But when I look in the console the targetVpnGateway actually has all the forwarding rules. I suspect the problem may have to do with vpnTunnel creation beginning after the gateway is created but before the forwarding rules are added.

Has anyone been successful in a similar endeavor?

... WkH

Kamran (Google Cloud Support)

Apr 3, 2016, 2:03:23 PM
to gce-discussion

Hello Ward,

This error happens if before running VpnTunnels API all forwarding rules are not created or incorrectly created. If it's possible, please post your template and we can look at it.

Regards, 

Ward Harold

Apr 3, 2016, 2:45:54 PM
to gce-discussion
Kamran, thanks for looking into this. Links to my deployment artifacts follow:

- cluster-deployment.yaml: https://gist.github.com/wkharold/dfcb197eba71618d22fd68d3fc669b0d
- cluster-deployment.jinja: https://gist.github.com/wkharold/46d2835392d0c9ec57c3a7dffafcd485
- network-template.jinja: https://gist.github.com/wkharold/420518c7b303dbea63b9f9eae3e1b1db
- vpn-template.jinja: https://gist.github.com/wkharold/10ce67de0fe5c14bede55b1cf65a368e
- vpn-tunnel-template.jinja: https://gist.github.com/wkharold/5a9779e4cbd3ec1b81d191f2f912af22

We run our infrastructure in GKE and are super excited about using deployment manager to codify the creation of our clusters, the networks they use, and the VPNs that connect them.

Thanks again! ... WkH

Kamran (Google Cloud Support)

Apr 3, 2016, 8:27:07 PM
to gce-dis...@googlegroups.com

Ward,

Your Jinja templates are good, however as I mentioned earlier VpnTunnels API should be run after forwarding rule, ESP and both UDP protocols are successfully created. It seems the deployment manager is trying to create VpnTunnels independent of the creation status of other resources, therefore it throws the error.

Please don't hesitate to report this issue on Google Compute Engine public issue tracker. Our engineering team will take a deeper look at this and fix it if required.

In the meantime, as workarounds you may use Python templates which support the time library and add some delays before creating VpnTunnel. You can also use the Operations API to fetch the status of the jobs and create VpnTunnels after forwarding rule and its protocols creation are completed. The other workaround could be creating VPN resources in two deployment batches and adding some delay between gcloud commands.

Regarding your templates, which is not related to this issue, I noticed you use network-template.jinja to create your VPN network resources, however in cluster-template.jinja a specific network (gateway) is being passed to VPN deployment templates. If not intentionally configured in this way, it will cause all VPNs networks to be the same.

I hope this helps. 

Regards,

Kamran

Ward Harold

Apr 5, 2016, 4:56:43 PM
to gce-discussion
Kamran, thanks for your response. I suspected that there might be a race. I'll look into using python templates ... WkH
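
The ordering requirement discussed in this thread can also be written into a template. The following is an added example, not code from the thread or from the linked gists: a Deployment Manager Python template in which the vpnTunnel declares an explicit dependency on the three forwarding rules through metadata.dependsOn. The property names (region, network, gatewayIp, peerIp, sharedSecret, destRange) and the resource naming scheme are assumptions.

```python
# Added example: Deployment Manager Python template (not from the thread).
# Property names and the "<deployment>-<suffix>" naming are assumptions.

def GenerateConfig(context):
    p = context.properties
    base = context.env['name']
    gw = base + '-gw'
    tunnel = base + '-tunnel'
    gw_ref = '$(ref.%s.selfLink)' % gw

    resources = [{
        'name': gw,
        'type': 'compute.v1.targetVpnGateway',
        'properties': {'region': p['region'], 'network': p['network']},
    }]

    # ESP plus UDP 500 and UDP 4500: the rules the tunnel API checks for.
    rule_names = []
    for suffix, proto, port in (('esp', 'ESP', None),
                                ('udp500', 'UDP', '500'),
                                ('udp4500', 'UDP', '4500')):
        props = {'region': p['region'], 'IPProtocol': proto,
                 'IPAddress': p['gatewayIp'], 'target': gw_ref}
        if port:
            props['portRange'] = port  # ESP carries no port range
        name = '%s-%s' % (base, suffix)
        rule_names.append(name)
        resources.append({'name': name, 'type': 'compute.v1.forwardingRule',
                          'properties': props})

    resources.append({
        'name': tunnel,
        'type': 'compute.v1.vpnTunnel',
        # Explicit dependency: create only after all three rules exist.
        'metadata': {'dependsOn': rule_names},
        'properties': {
            'region': p['region'],
            'targetVpnGateway': gw_ref,
            'peerIp': p['peerIp'],
            'sharedSecret': p['sharedSecret'],  # passed in at deploy time, not hardcoded
        },
    })
    resources.append({
        'name': base + '-route',
        'type': 'compute.v1.route',
        'properties': {'network': p['network'], 'destRange': p['destRange'],
                       'priority': 1000,
                       'nextHopVpnTunnel': '$(ref.%s.selfLink)' % tunnel},
    })
    return {'resources': resources}
```

The route needs no dependsOn entry because its $(ref...) reference to the tunnel already implies the ordering; the forwarding rules are never referenced by the tunnel, which is why that dependency has to be stated explicitly.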