TL;DR: is it possible to advertise BGP routes to a GCP Cloud Router over a WireGuard tunnel? Details below.
I am using Terraform to manage GCP-based resources.
I have an on-premise and a GCP network as follows:

- On-premise:
  - 10.1.1.1
    - Tunnel IP: 192.168.1.2
    - Interface: wg0
  - 1.2.3.4 and 5.6.7.8
- GCP:
  - 10.2.2.0/24
  - 10.2.2.2
    - Tunnel IP: 192.168.1.3
    - Interface: wg0
I have set up a VPN tunnel between the two WireGuard endpoints.

I would like to make the on-premise servers 1.2.3.4 and 5.6.7.8 reachable from my GCP network via the VPN tunnel. In particular, the desired routing on GCP should be:

- 1.2.3.4: next hop is 10.2.2.2
- 5.6.7.8: next hop is 10.2.2.2
I have already achieved the desired routing by setting up two static routes.
However, static routes are global resources and I would like to eventually expand my GCP setup to multiple regions and have a separate WireGuard tunnel per region.
Ideally, I would like a region-based static route, but this is not available. After extensive research, I have found that dynamic routes are the cleanest approach.
I have no experience with BGP at all. Based on my understanding, I have to:

1. Advertise 1.2.3.4 and 5.6.7.8 via BGP from my on-premise network.
2. Configure a GCP Cloud Router to receive BGP routes from 10.2.2.2.

I am not sure whether the last step is possible. I have found a page on using third-party VPNs, but I am not sure whether WireGuard is supported.
How can I configure a GCP Cloud Router to receive BGP routes from a WireGuard VPN tunnel?
Other approaches that I have found to implement region-based routes are:

However, both require load balancers to be set up, which seems like overkill for effectively implementing two static routes.
Your question is really "How can I configure a GCP Cloud Router to receive BGP routes from a Network Virtual Appliance?"

The answer is "NCC Router Appliance", which allows you to do precisely that. For a (very thorough and likely way more complex than you need) reference implementation you can take a look at the Fabric FAST implementation for the NCC-RA Networking stage.
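As an added example (not part of the answer above nor the Fabric FAST code), a minimal Terraform sketch of the NCC Router Appliance wiring for the asker's topology: the WireGuard VM at 10.2.2.2 is registered as a router appliance spoke and a regional Cloud Router peers with it over BGP. It assumes an existing `google_compute_network.vpc`, `google_compute_subnetwork.subnet` (10.2.2.0/24) and the WireGuard VM as `google_compute_instance.wg_gateway` (with `can_ip_forward = true`), that the VM runs a BGP daemon advertising 1.2.3.4/32 and 5.6.7.8/32 (reachable via wg0) to the Cloud Router interface address, and that all names, ASNs, the region, the interface IP 10.2.2.10 and `var.bgp_md5_key` are made-up values.

```hcl
resource "google_network_connectivity_hub" "hub" {
  name = "ncc-hub"   # assumed name
}

# One spoke per region/tunnel; it registers the WireGuard VM as a router appliance.
resource "google_network_connectivity_spoke" "ra_spoke" {
  name     = "ra-spoke-us-central1"   # assumed name
  location = "us-central1"            # assumed region
  hub      = google_network_connectivity_hub.hub.id
  linked_router_appliance_instances {
    instances {
      virtual_machine = google_compute_instance.wg_gateway.self_link  # assumed existing VM
      ip_address      = "10.2.2.2"    # the WireGuard VM from the question
    }
    site_to_site_data_transfer = true
  }
}

# Regional Cloud Router: routes it learns are dynamic, so they can differ per region.
resource "google_compute_router" "cr" {
  name    = "cr-us-central1"
  region  = "us-central1"
  network = google_compute_network.vpc.self_link  # assumed existing VPC
  bgp {
    asn = 65000   # assumed private ASN for the Cloud Router
  }
}

# Cloud Router interface address inside 10.2.2.0/24 (assumed free IP); a second
# interface/peer pair on another address is the recommended redundant layout.
resource "google_compute_router_interface" "if0" {
  name               = "if0"
  router             = google_compute_router.cr.name
  region             = "us-central1"
  subnetwork         = google_compute_subnetwork.subnet.self_link  # assumed existing subnet
  private_ip_address = "10.2.2.10"
}

# BGP session to the appliance VM; its daemon advertises 1.2.3.4/32 and 5.6.7.8/32.
resource "google_compute_router_peer" "wg_peer" {
  name                      = "wg-peer"
  router                    = google_compute_router.cr.name
  region                    = "us-central1"
  interface                 = google_compute_router_interface.if0.name
  peer_asn                  = 65001   # assumed ASN of the BGP daemon on the VM
  peer_ip_address           = "10.2.2.2"
  router_appliance_instance = google_compute_instance.wg_gateway.self_link
  md5_authentication_key {            # authenticate the session; keep the key out of source
    name = "wg-peer-md5"
    key  = var.bgp_md5_key            # assumed variable, e.g. fed from a secret store
  }
}
```

The on-premise 1.2.3.4 and 5.6.7.8 prefixes then appear in the VPC as dynamic routes learned by this regional Cloud Router with next hop 10.2.2.2, which is the per-region behaviour the question asks for.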