Cloud Router
Deploy cloud routers with VRF, BGP, NAT, and advanced tunneling using the NetActuate Terraform provider v2. Cloud routers provide full-featured routing capabilities at the edge of your infrastructure.
Repository
git clone https://github.com/netactuate/netactuate-terraform-router
cd netactuate-terraform-router
Core Resources
Router Creation
# Cloud router instance that every other resource on this page references via
# netactuate_router.edge.id. `location` and `plan` are provider-specific
# identifiers; their meaning (e.g. what "VR2x2x25" sizes) is not shown here.
resource "netactuate_router" "edge" {
name = "edge-router-01"
location = "SJC"
plan = "VR2x2x25"
}
NTP Configuration
Configure NTP servers on the router:
# NTP client configuration for the router. Upstreams are given as DNS names,
# so time sync depends on the router's resolver as well as on these pools.
# NOTE(review): no authentication (NTS/symmetric keys) is configured in this
# example and no such field is visible here -- confirm whether the provider
# supports it; unauthenticated NTP can be spoofed to skew the router clock,
# which matters for IKE/cert lifetimes and log correlation.
resource "netactuate_router_ntp" "ntp" {
router_id = netactuate_router.edge.id
enabled = true
upstreams {
domain = "pool.ntp.org"
}
upstreams {
domain = "time.google.com"
}
}
VRF and Interfaces
Create a VRF and attach interfaces:
# Routing domain ("production") on the router. Interfaces, BGP, NAT, DHCP and
# tunnels below are all scoped to this VRF through netactuate_router_vrf.main.id.
resource "netactuate_router_vrf" "main" {
router_id = netactuate_router.edge.id
name = "production"
}
# Loopback-style ("dummy") interface holding a /32 inside the VRF. Later
# examples use it as the match interface for the SNAT/DNAT rules and as the
# serving interface for the DHCP server.
resource "netactuate_router_vrf_interface" "dummy0" {
router_id = netactuate_router.edge.id
vrf_id = netactuate_router_vrf.main.id
name = "dummy0"
type = "dummy"
ipv4_cidr = "10.255.0.1/32"
}
BGP Configuration
Local ASN and Advertised Networks
# BGP process for the VRF: local ASN plus the prefixes it originates.
# 65000 is in the private ASN range (64512-65534), fine for peering with a
# provider or an internal fabric but not for public Internet peering.
# NOTE(review): only the originated networks are controlled here; there is no
# outbound filter visible in this example, so what else the session exports
# (e.g. learned routes) cannot be determined from this page.
resource "netactuate_router_vrf_bgp" "bgp" {
router_id = netactuate_router.edge.id
vrf_id = netactuate_router_vrf.main.id
local_asn = 65000
networks {
subnet = "10.0.0.0/24"
}
networks {
subnet = "10.1.0.0/24"
}
}
BGP Neighbors
# eBGP neighbor on a link-local address (169.254.0.1, private ASN 65001).
# NOTE(review): this session is configured without any session password
# (MD5/TCP-AO) and without an inbound/outbound prefix filter -- the
# "allowed-prefixes" list defined further down is not referenced here. Confirm
# whether the provider exposes such attributes on this resource; an unfiltered
# peer can inject a default route or more-specifics into the VRF.
resource "netactuate_router_vrf_bgp_neighbor" "peer1" {
router_id = netactuate_router.edge.id
vrf_id = netactuate_router_vrf.main.id
address = "169.254.0.1"
remote_asn = 65001
description = "upstream-peer"
}
Routing
Static Routes
# Static default route for the VRF. The next hop is the same address as the
# BGP neighbor above, so a default learned via BGP and this static default would
# both point at 169.254.0.1; which one wins depends on the router's route
# preference, which is not shown here.
resource "netactuate_router_static_route" "default" {
router_id = netactuate_router.edge.id
vrf_id = netactuate_router_vrf.main.id
network = "0.0.0.0/0"
next_hop = "169.254.0.1"
}
Prefix Lists
# Router-level (not VRF-scoped) IPv4 prefix list with a single permit rule.
# NOTE(review): this list is declared but no resource on this page attaches it
# to a BGP neighbor or route, so on its own it filters nothing. Whether
# "10.0.0.0/8" matches only that exact prefix or also its sub-prefixes (no
# le/ge-style bounds are shown), and whether unmatched prefixes are implicitly
# denied, cannot be confirmed from this example -- check the provider docs.
resource "netactuate_router_prefix_list" "allowed" {
router_id = netactuate_router.edge.id
name = "allowed-prefixes"
ip_version = 4
rule {
prefix = "10.0.0.0/8"
action = "permit"
}
}
NAT Rules
SNAT
# Source NAT: TCP from 10.0.0.0/24 (ports 1-32000) seen on dummy0 is rewritten
# to 203.0.113.1 with a same-sized translated port range. Because protocol is
# "TCP", UDP and ICMP from that network are not covered by this rule.
# 203.0.113.1 is an RFC 5737 documentation address (TEST-NET-3); replace it with
# a public address actually assigned to the router.
resource "netactuate_router_vrf_snat_rule" "outbound" {
router_id = netactuate_router.edge.id
vrf_id = netactuate_router_vrf.main.id
ip_version = 4
protocol = "TCP"
match_interface_id = netactuate_router_vrf_interface.dummy0.id
match_network = "10.0.0.0/24"
match_port_start = 1
match_port_end = 32000
translation_network = "203.0.113.1/32"
translation_port_start = 1
translation_port_end = 32000
}
DNAT
# Destination NAT: TCP/443 to 203.0.113.1 on dummy0 is forwarded to
# 10.0.0.10:443. This exposes the internal host to whatever can reach the
# matched address; keep the port range as narrow as here and do not widen it
# to a catch-all. The placeholder 203.0.113.1 (RFC 5737 TEST-NET-3) must be
# replaced with the router's real public address.
# NOTE(review): the match interface is the dummy interface rather than an
# external-facing one -- confirm that is how the provider expects inbound
# DNAT to be anchored.
resource "netactuate_router_vrf_dnat_rule" "web" {
router_id = netactuate_router.edge.id
vrf_id = netactuate_router_vrf.main.id
ip_version = 4
protocol = "TCP"
match_interface_id = netactuate_router_vrf_interface.dummy0.id
match_network = "203.0.113.1/32"
match_port_start = 443
match_port_end = 443
translation_network = "10.0.0.10/32"
translation_port_start = 443
translation_port_end = 443
}
Note: Router configuration changes are serialized with a 60-second interval between operations. Terraform will automatically wait between resource applications. Plan accordingly for configurations with many resources.
Advanced Features
IPSec VPN
Configure IPSec with global settings and per-VRF peers:
# Router-wide IKE/ESP proposal shared by all IPsec peers. DH group 14 is
# 2048-bit MODP (RFC 3526), the usual minimum today; groups 19/20 (ECP) are
# stronger if the remote side supports them. AES-256 with SHA-256 for both IKE
# and ESP, IKE SA rekey every 8h, child SA every 1h.
# NOTE(review): the IKE version (v1 vs v2) and the AES mode (CBC vs GCM) are not
# expressed by these fields -- confirm IKEv2 is what the provider deploys,
# since IKEv1 aggressive mode with a PSK is known to be weak.
resource "netactuate_router_ipsec" "global" {
router_id = netactuate_router.edge.id
ike_lifetime_seconds = 28800
ike_dh_group_number = 14
ike_encryption = "aes256"
ike_hash = "sha256"
ike_prf = "prfsha256"
esp_lifetime_seconds = 3600
esp_encryption = "aes256"
esp_hash = "sha256"
}
# IPsec peer in the VRF, authenticated by pre-shared key; this router initiates.
# psk_secret is taken from var.ipsec_psk: declare that variable with
# `sensitive = true` so Terraform redacts it from plan/apply output, use a long
# random value, and treat the state file as secret -- the PSK is stored in
# state regardless of the sensitive flag.
# NOTE(review): two placeholder collisions in this example -- 203.0.113.1 is
# also the local public address used by the NAT rules above, and
# overlay_ipv4 10.200.0.1/30 is the same prefix assigned to the GRE tunnel
# below; use distinct values when deploying both in one VRF.
resource "netactuate_router_vrf_ipsec_peer" "site_a" {
router_id = netactuate_router.edge.id
vrf_id = netactuate_router_vrf.main.id
name = "site-a"
peer_address = "203.0.113.1"
remote_id = "203.0.113.1"
psk_secret = var.ipsec_psk
do_initiate_connection = true
overlay_ipv4 = "10.200.0.1/30"
}
WireGuard
Create a WireGuard interface and add peers:
# WireGuard interface listening on UDP/51820 with 10.100.0.1/24 inside the VRF.
# NOTE(review): no private/public key attributes appear on this resource, so
# key generation and where the router's private key is stored (state?) cannot
# be determined from this page -- confirm with the provider docs before relying
# on it, and restrict 51820 at the edge to known peer addresses where possible.
resource "netactuate_router_vrf_interface" "wg0" {
router_id = netactuate_router.edge.id
vrf_id = netactuate_router_vrf.main.id
name = "wg0"
type = "wireguard"
ipv4_cidr = "10.100.0.1/24"
wireguard_port = 51820
}
# WireGuard peer on wg0, identified by its public key (not a secret) with a
# fixed endpoint. Assuming allowed_ips maps to WireGuard AllowedIPs, these
# entries both route 10.100.0.2/32 and 192.168.2.0/24 to the peer and act as
# the source filter for packets accepted from it -- keep the list to exactly
# the prefixes the remote site owns; 0.0.0.0/0 here would let the peer source
# any address into the VRF.
# NOTE(review): no preshared-key field is shown for the peer; confirm whether
# the provider supports one if post-quantum-hardening of the handshake is wanted.
resource "netactuate_router_vrf_interface_wireguard_peer" "remote" {
router_id = netactuate_router.edge.id
vrf_id = netactuate_router_vrf.main.id
interface_id = netactuate_router_vrf_interface.wg0.id
public_key = var.wg_peer_public_key
remote = "203.0.113.2:51820"
allowed_ips {
network = "10.100.0.2/32"
}
allowed_ips {
network = "192.168.2.0/24"
}
}
GRE Tunnels
# Plain GRE tunnel to 203.0.113.3. GRE provides neither confidentiality nor
# integrity: ip_key is the GRE key field, a tunnel identifier used to tell
# tunnels apart, not an authentication mechanism. Run sensitive traffic over
# the IPsec or WireGuard examples instead, or carry this tunnel inside one.
# MTU 1476 leaves room for the 24-byte IPv4+GRE-with-key overhead on a
# 1500-byte path. The inner address 10.200.0.1/30 duplicates the IPsec
# overlay_ipv4 above; pick distinct prefixes if both tunnels share the VRF.
resource "netactuate_router_vrf_tunnel" "gre1" {
router_id = netactuate_router.edge.id
vrf_id = netactuate_router_vrf.main.id
name = "gre-to-site-b"
mtu = 1476
ip_key = 100
endpoint_address_remote = "203.0.113.3"
ipv4_cidr = "10.200.0.1/30"
}
DHCP Server
Configure a DHCP server on a VRF interface:
# DHCP server for 10.0.0.0/24, leasing .100-.200, advertising 10.0.0.1 as the
# gateway and Google's public resolvers. Handing out external resolvers means
# client DNS queries leave the VRF in the clear; point at an internal resolver
# if that is not acceptable. ntp_servers.address must be an IPv4 literal.
# NOTE(review): the serving interface is dummy0 (10.255.0.1/32), which is not
# on the 10.0.0.0/24 subnet and is not the advertised default_router_address;
# confirm this is the intended interface rather than a LAN-facing one.
resource "netactuate_router_vrf_dhcp" "lan" {
router_id = netactuate_router.edge.id
vrf_id = netactuate_router_vrf.main.id
enabled = true
interface_id = netactuate_router_vrf_interface.dummy0.id
subnet = "10.0.0.0/24"
default_router_address = "10.0.0.1"
range {
first_address = "10.0.0.100"
last_address = "10.0.0.200"
}
domain_name_servers {
address = "8.8.8.8"
}
domain_name_servers {
address = "8.8.4.4"
}
ntp_servers {
address = "162.159.200.1"
}
}
Note: The `ntp_servers.address` field must be an IPv4 address, not a hostname. Using a hostname will cause a validation error.
Magic Mesh
Magic Mesh creates a multi-router BGP overlay network for automatic route distribution across locations. The example below assumes two routers, `netactuate_router.edge_sjc` and `netactuate_router.edge_ams`, declared elsewhere in your configuration (the single `edge` router defined above is not used here):
# The mesh object itself; routers are joined to it by netactuate_magic_mesh_router
# resources that reference this id.
resource "netactuate_magic_mesh" "overlay" {
name = "global-mesh"
}
# Joins the SJC router to the mesh. netactuate_router.edge_sjc is not declared
# on this page; it must exist elsewhere in the configuration or apply will fail.
# Membership means routes are exchanged automatically with every other member,
# so only attach routers that should share a routing domain.
resource "netactuate_magic_mesh_router" "sjc" {
mesh_id = netactuate_magic_mesh.overlay.id
router_id = netactuate_router.edge_sjc.id
}
# Joins the AMS router to the same mesh. netactuate_router.edge_ams is likewise
# assumed to be declared elsewhere in the configuration.
resource "netactuate_magic_mesh_router" "ams" {
mesh_id = netactuate_magic_mesh.overlay.id
router_id = netactuate_router.edge_ams.id
}
Note: Routers added to a Magic Mesh must not already have a VRF named `magic-mesh`. The mesh automatically creates and manages its own VRF of that name on each member router.
Need Help?
If you need assistance with cloud router configuration, visit our support page.