Commit 9f0bdfa

Ay1man2, Jennifer-Valle authored and committed
Updated POC Docs to reflect new VPN Server changes (#1985)
* feat: json to iac vars
* feat: crn vars
* feat: rm fields
* feat: notes
* fix: default
* updated POC documentation to reflect new VPN Server changes
* removed CRN rows from VPN Server Values Table
* made fixes/requested changes
* fixed typo found

---------

Co-authored-by: Jennifer-Valle <[email protected]>
1 parent 4ee300e commit 9f0bdfa

4 files changed

+37
-23
lines changed

.docs/powervs-poc-classic.md

Lines changed: 17 additions & 10 deletions
Original file line number | Diff line number | Diff line change
@@ -128,12 +128,8 @@ There are multiple ways to manage volumes in Power Virtual Server:
128128
* To remove volumes that are not attached to a virtual server, click on the volume's icon and click the delete button in the right panel.
129129

130130
### VPC VPN Server - Client to Site VPN
131-
The VPC VPN Server used for client to site VPNs requires SSL/TLS certificates stored in a Secrets Manager instance. The Secrets Manager should be created outside of CRAIG and populated with the certificates before creating the VPN Server deployment in CRAIG.
132131

133-
1. Create a Secrets Manager instance and either [order public certificates](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-public-certificates&interface=ui
134-
), [create private certificates](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-private-certificates&interface=ui
135-
), or [import certificates](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-certificates&interface=ui). Consult the [VPC client-to-site server authentication documentation](https://cloud.ibm.com/docs/vpc?topic=vpc-client-to-site-authentication) to ensure the certificate authorities and certificates are created using values that are compatible with the VPN server.
136-
2. Choose VPC Deployments from the menu and create a new security group for the VPN Server.
132+
1. Choose VPC Deployments from the menu and create a new security group for the VPN Server.
137133
Create the security group in the `transit-rg` resource group.
138134
Add the following rules to the group:
139135

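Review bot: With the introductory paragraph and the old step 1 removed at old lines 131-135, this section no longer tells the reader that the VPN server depends on certificates held in Secrets Manager; the steps now begin at the security group. Consider keeping one sentence under the `### VPC VPN Server - Client to Site VPN` heading that points to the new `Certificates for VPN Server` section, so the prerequisite is seen before the server is configured.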
@@ -143,7 +139,7 @@ Add the following rules to the group:
143139
| vpn-inbound-tcp | inbound | 0.0.0.0/0 | TCP | 443 |
144140
| vpn-outbound | outbound | 0.0.0.0/0 | ALL | ALL |
145141

146-
3. Create a VPN Server deployment
142+
2. Create a VPN Server deployment
147143
Set the VPN Server values using the following table as a guide.
148144

149145
| Field | Value |
@@ -153,8 +149,6 @@ Set the VPN Server values using the following table as a guide.
153149
| Subnets | vpn-zone-1 |
154150
| Security group | security group created in step 3 |
155151
| Authentication method | Username and Certificate |
156-
| Certificate CRN | The CRN of the Secrets Manager secret containing the certificate for the VPN Server. |
157-
| Client CA CRN | The CRN of the Secrets Manager secret containing the certificate for the VPN client. |
158152
| Client CIDR Pool | Specify a network CIDR that does not conflict with any on-premises network, the VPC network, or the Power VS network. The prefix length must be between 9 and 22 inclusive. The CIDR should also be a subnet of `10.0.0.0/8` to avoid additional security group and routing table changes. For example `10.60.0.0/22` does not conflict with the default VPC, Power VS, or on-premises networks in the template. |
159153
| Port | 443 |
160154
| Protocol | UDP |
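Review bot: The unchanged row `| Security group | security group created in step 3 |` is wrong after the renumbering: the security group is now created in step 1, and step 3 is the route step. Update the reference to step 1. With the `Certificate CRN` and `Client CA CRN` rows removed, the `Username and Certificate` row could also state that the certificate CRNs are supplied at deployment time.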
@@ -163,7 +157,7 @@ Set the VPN Server values using the following table as a guide.
163157
| Client DNS Server IPs | Leave empty |
164158
| Additional VPC Prefixes | Zone 1, add the CIDR specified in `Client CIDR Pool` |
165159

166-
4. After the VPN server is created, click on the VPN server icon to add routes. Routes are added by clicking the plus icon at the bottom of the VPN Server settings. Add the following route:
160+
3. After the VPN server is created, click on the VPN server icon to add routes. Routes are added by clicking the plus icon at the bottom of the VPN Server settings. Add the following route:
167161

168162
| Name | Destination | Action |
169163
| ------- | ----------------------------------------------------------------------- | --------- |
@@ -177,9 +171,22 @@ The project resources can be provisioned in the cloud using either IBM Cloud Sch
177171

178172
Resources can also be provisioned using a local Terraform install. The downloaded zip contains the `main.tf` and other Terraform files needed to provision the resources.
179173

174+
### Certificates for VPN Server
175+
176+
If you added a VPC VPN server to the project, you must have SSL/TLS certificates stored in a Secrets Manager instance. The VPC VPN Server used for client to site VPNs requires SSL/TLS certificates stored in a Secrets Manager instance. The Secrets Manager should be created outside of CRAIG and populated with the certificates as these certificate CRNs will be required inputs at deployment time.
177+
178+
> Create a Secrets Manager instance and either [order public certificates](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-public-certificates&interface=ui
179+
), [create private certificates](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-private-certificates&interface=ui
180+
), or [import certificates](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-certificates&interface=ui). Consult the [VPC client-to-site server authentication documentation](https://cloud.ibm.com/docs/vpc?topic=vpc-client-to-site-authentication) to ensure the certificate authorities and certificates are created using values that are compatible with the VPN server.
181+
180182
### Inputs Required at Deployment Time
181183
>**Note:** The following input fields (Terraform values) must be set in IBM Schematics or Terraform at Generate Plan / Apply Plan time.
182-
>* `ibmcloud_api_key`: The IBM Cloud platform API key that will be used to deploy the project resources. See [Access Policies](access-policies.md) for access policies and account settings required for creating and managing resources created in CRAIG projects.
184+
185+
| Field | Description |
186+
| ----------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
187+
| `ibmcloud_api_key` | The IBM Cloud platform API key that will be used to deploy the project resources. See [Access Policies](access-policies.md) for access policies and account settings required for creating and managing resources created in CRAIG projects. |
188+
| `*_certificate_crn` | The CRN of the Secrets Manager secret containing the certificate for the VPN Server if a Client to Site VPN is being deployed _(variable exists only if a VPN server was added)._ |
189+
| `*_client_ca_crn` | The CRN of the Secrets Manager secret containing the certificate for the VPN client if a Client to Site VPN is being deployed _(variable exists only if a VPN server was added)._ |
183190

184191
### Cost estimation
185192
IBM Cloud Schematics provides a cost estimation for the project resources after running the `Generate Plan` step. See [the Schematics Integration document](./schematics-how-to.md) for more information.
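Review bot: The new paragraph at line 176 states the same requirement twice in a row (`you must have SSL/TLS certificates stored in a Secrets Manager instance`, then `requires SSL/TLS certificates stored in a Secrets Manager instance`); merge the two sentences into one. In the new inputs table, `ibmcloud_api_key` is a credential, so its row is a natural place to say that the value should be entered as a sensitive input and not written into a file that gets committed.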

.docs/powervs-poc.md

Lines changed: 18 additions & 11 deletions
Original file line number | Diff line number | Diff line change
@@ -121,12 +121,8 @@ There are multiple ways to manage volumes in Power Virtual Server:
121121
* To remove volumes that are not attached to a virtual server, click on the volume's icon and click the delete button in the right panel.
122122

123123
### VPC VPN Server - Client to Site VPN
124-
The VPC VPN Server used for client to site VPNs requires SSL/TLS certificates stored in a Secrets Manager instance. The Secrets Manager should be created outside of CRAIG and populated with the certificates before creating the VPN Server deployment in CRAIG.
125124

126-
1. Create a Secrets Manager instance and either [order public certificates](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-public-certificates&interface=ui
127-
), [create private certificates](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-private-certificates&interface=ui
128-
), or [import certificates](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-certificates&interface=ui). Consult the [VPC client-to-site server authentication documentation](https://cloud.ibm.com/docs/vpc?topic=vpc-client-to-site-authentication) to ensure the certificate authorities and certificates are created using values that are compatible with the VPN server.
129-
2. Choose VPC Deployments from the menu and create a new security group for the VPN Server.
125+
1. Choose VPC Deployments from the menu and create a new security group for the VPN Server.
130126
Create the security group in the `transit-rg` resource group.
131127
Add the following rules to the group:
132128

@@ -136,7 +132,7 @@ Add the following rules to the group:
136132
| vpn-inbound-tcp | inbound | 0.0.0.0/0 | TCP | 443 |
137133
| vpn-outbound | outbound | 0.0.0.0/0 | ALL | ALL |
138134

139-
3. Create a VPN Server deployment
135+
2. Create a VPN Server deployment
140136
Set the VPN Server values using the following table as a guide.
141137

142138
| Field | Value |
@@ -146,8 +142,6 @@ Set the VPN Server values using the following table as a guide.
146142
| Subnets | vpn-zone-1 |
147143
| Security group | security group created in step 3 |
148144
| Authentication method | Username and Certificate |
149-
| Certificate CRN | The CRN of the Secrets Manager secret containing the certificate for the VPN Server. |
150-
| Client CA CRN | The CRN of the Secrets Manager secret containing the certificate for the VPN client. |
151145
| Client CIDR Pool | Specify a network CIDR that does not conflict with any on-premises network, the VPC network, or the Power VS network. The prefix length must be between 9 and 22 inclusive. The CIDR should also be a subnet of `10.0.0.0/8` to avoid additional security group and routing table changes. For example `10.60.0.0/22` does not conflict with the default VPC, Power VS, or on-premises networks in the template. |
152146
| Port | 443 |
153147
| Protocol | UDP |
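Review bot: `security group created in step 3` in the unchanged Security group row does not match the new numbering, where the security group is step 1 and the VPN Server deployment is step 2. The row should read step 1.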
@@ -156,7 +150,7 @@ Set the VPN Server values using the following table as a guide.
156150
| Client DNS Server IPs | Leave empty |
157151
| Additional VPC Prefixes | Zone 1, add the CIDR specified in `Client CIDR Pool` |
158152

159-
4. After the VPN server is created, click on the VPN server icon to add routes. Routes are added by clicking the plus icon at the bottom of the VPN Server settings. Add two routes:
153+
3. After the VPN server is created, click on the VPN server icon to add routes. Routes are added by clicking the plus icon at the bottom of the VPN Server settings. Add two routes:
160154

161155
| Name | Destination | Action |
162156
| ------- | ----------------------------------------------------------------------- | --------- |
@@ -171,10 +165,23 @@ The project resources can be provisioned in the cloud using either IBM Cloud Sch
171165

172166
Resources can also be provisioned using a local Terraform install. The downloaded zip contains the `main.tf` and other Terraform files needed to provision the resources.
173167

168+
### Certificates for VPN Server
169+
170+
If you added a VPC VPN server to the project, you must have SSL/TLS certificates stored in a Secrets Manager instance. The VPC VPN Server used for client to site VPNs requires SSL/TLS certificates stored in a Secrets Manager instance. The Secrets Manager should be created outside of CRAIG and populated with the certificates as these certificate CRNs will be required inputs at deployment time.
171+
172+
> Create a Secrets Manager instance and either [order public certificates](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-public-certificates&interface=ui
173+
), [create private certificates](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-private-certificates&interface=ui
174+
), or [import certificates](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-certificates&interface=ui). Consult the [VPC client-to-site server authentication documentation](https://cloud.ibm.com/docs/vpc?topic=vpc-client-to-site-authentication) to ensure the certificate authorities and certificates are created using values that are compatible with the VPN server.
175+
174176
### Inputs Required at Deployment Time
175177
>**Note:** The following input fields (Terraform values) must be set in IBM Schematics or Terraform at Generate Plan / Apply Plan time.
176-
>* `ibmcloud_api_key`: The IBM Cloud platform API key that will be used to deploy the project resources. See [Access Policies](access-policies.md) for access policies and account settings required for creating and managing resources created in CRAIG projects.
177-
>* `dal10gw_on_prem_connection_preshared_key`: This is the preshared key for the VPN Gateway connection (site-to-site VPN). The variable name will be different if you change the name of the VPN gateway or the connection. This variable will also not be present if the VPN Gateway is removed from the project.
178+
179+
| Field | Description |
180+
| ------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
181+
| `ibmcloud_api_key` | The IBM Cloud platform API key that will be used to deploy the project resources. See [Access Policies](access-policies.md) for access policies and account settings required for creating and managing resources created in CRAIG projects. |
182+
| `dal10gw_on_prem_connection_preshared_key` | This is the preshared key for the VPN Gateway connection (site-to-site VPN). The variable name will be different if you change the name of the VPN gateway or the connection. This variable will also not be present if the VPN Gateway is removed from the project. |
183+
| `*_certificate_crn` | The CRN of the Secrets Manager secret containing the certificate for the VPN Server if a Client to Site VPN is being deployed _(variable exists only if a VPN server was added)._ |
184+
| `*_client_ca_crn` | The CRN of the Secrets Manager secret containing the certificate for the VPN client if a Client to Site VPN is being deployed _(variable exists only if a VPN server was added)._ |
178185

179186
### Cost estimation
180187
IBM Cloud Schematics provides a cost estimation for the project resources after running the `Generate Plan` step. See [the Schematics Integration document](./schematics-how-to.md) for more information.
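Review bot: The `*_certificate_crn` and `*_client_ca_crn` rows at lines 183-184 do not say what the `*` stands for, while the `dal10gw_on_prem_connection_preshared_key` row above them explains that its name follows the gateway and connection names. Add the same kind of explanation for the prefix of the two CRN variables, ideally with one concrete example name. The `*_client_ca_crn` description reads "the certificate for the VPN client" although the variable name refers to a client CA; say which certificate is expected there.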

client/src/components/pages/vpc/Connectivity.js

Lines changed: 1 addition & 1 deletion
Original file line number | Diff line number | Diff line change
@@ -166,7 +166,7 @@ class VpcConnectivityPage extends React.Component {
166166
>
167167
{craig.store.json.transit_gateways.length === 0 ? (
168168
<CraigEmptyResourceTile
169-
name="Tranist Gateways"
169+
name="Transit Gateways"
170170
className="width580 marginTopHalfRem"
171171
/>
172172
) : (

unit-tests/state/transit-gateways.test.js

Lines changed: 1 addition & 1 deletion
Original file line number | Diff line number | Diff line change
@@ -375,7 +375,7 @@ describe("transit_gateways", () => {
375375
{
376376
connections: [
377377
{
378-
tgw: "tranist-gateway",
378+
tgw: "transit-gateway",
379379
vpc: "management",
380380
},
381381
],
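Review bot: `tgw: "transit-gateway"` at line 378 changes test input, and it is the only changed line in this file, so no expected value moved with it. If this case depended on the connection naming a gateway that does not exist, the corrected spelling changes what is exercised. Confirm the test still covers the intended path, or state in the commit message that the old value was only a typo.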
