VPC Deployment

Deploy a virtual private cloud with private networking, NAT, firewall rules, floating IPs, and virtual machines using the NetActuate Terraform provider v2.

Repository

git clone https://github.com/netactuate/netactuate-terraform-vpc
cd netactuate-terraform-vpc

Configuration

Copy terraform.tfvars.example to terraform.tfvars and fill in:

| Variable | Description | Example |
| --- | --- | --- |
| api_key | NetActuate API key | From Account -> API Keys |
| location | Deployment location | SJC |
| vpc_name | Name for the VPC | production |
| plan | VM plan | VR1x1x25 |
| image | OS image identifier | See OS Images |
| ssh_public_key | Path to SSH public key | ~/.ssh/id_ed25519.pub |
| vm_count | Number of VMs to deploy | 2 |

Deployment

  1. Initialize the configuration:

    terraform init

  2. Review the plan:

    terraform plan

  3. Apply the configuration:

    terraform apply

Key Concepts

Bastion IP

The VPC gateway provides a public IP that serves as the bastion entry point. All VMs within the VPC are accessible through this IP using DNAT port forwarding rules.

Private Networking

VMs deployed in a VPC receive a private IP address from the vpc_reserved_network range. They do not have direct public IP addresses. Outbound traffic is routed through the VPC gateway using SNAT.

Floating IPs

Floating IPs are public addresses that you can assign to specific VMs or services within the VPC. Use netactuate_vpc_floating_ip to allocate them and DNAT rules to direct traffic to backend VMs.

DNAT Port Forwarding

Destination NAT rules map external ports on the gateway IP (or a floating IP) to internal VM addresses and ports. This is how you expose services running on private VMs to the internet.

resource "netactuate_vpc_gateway_dnat_rule" "ssh_vm1" {
  vpc_id                 = netactuate_vpc.main.id
  match_port_start       = 2201
  match_port_end         = 2201
  translation_address    = netactuate_server.vm[0].private_ip
  translation_port_start = 22
  translation_port_end   = 22
  protocol               = "TCP"
  ip_version             = 4
}

SNAT for Outbound Traffic

Source NAT rules allow VMs on the private network to reach the internet through the gateway. The gateway rewrites the source address so return traffic is routed back correctly.

resource "netactuate_vpc_gateway_snat_rule" "outbound" {
  vpc_id              = netactuate_vpc.main.id
  match_internal_cidr = "10.0.0.0/24"
  ip_version          = 4
}

Gateway Firewall Rules

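Firewall rules on the VPC gateway control what traffic is allowed in and out. The example below allows inbound TCP port 22 from any IPv4 source (network = "0.0.0.0/0"); set network to a narrower CIDR to limit which sources can reach it.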

resource "netactuate_vpc_gateway_firewall_rule" "allow_ssh" {
  vpc_id     = netactuate_vpc.main.id
  direction  = "inbound"
  protocol   = "TCP"
  port_start = 22
  port_end   = 22
  network    = "0.0.0.0/0"
  ip_version = 4
}
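
A pre-apply check for the firewall and DNAT rules above, as an added example that is not part of the NetActuate repository: it reads a plan exported with terraform plan -out=tfplan followed by terraform show -json tfplan and reports inbound gateway firewall rules open to every source, together with the DNAT rules in their port range. The function names, the rc helper, and the sample plan (including the 203.0.113.0/24 documentation range) are constructed for illustration; only the resource types and attribute names come from this page.

```python
import ipaddress

FW = "netactuate_vpc_gateway_firewall_rule"
DNAT = "netactuate_vpc_gateway_dnat_rule"

def planned(plan, rtype):
    """Yield (address, attributes) for resources of rtype that exist after apply."""
    for change in plan.get("resource_changes", []):
        after = (change.get("change") or {}).get("after")
        if change.get("type") == rtype and after:  # "after" is null for deletions
            yield change["address"], after

def overlaps(lo, hi, start, end):  # unknown (None) bounds never match
    return start is not None and end is not None and lo <= int(end) and int(start) <= hi

def audit(plan):
    """Return a finding for each inbound firewall rule open to every source address."""
    dnat = list(planned(plan, DNAT))
    findings = []
    for addr, fw in planned(plan, FW):
        if str(fw.get("direction", "")).lower() != "inbound":
            continue
        try:
            net = ipaddress.ip_network(str(fw.get("network")), strict=False)
        except ValueError:
            continue  # value unknown until apply, or not a CIDR
        if net.prefixlen != 0:  # only 0.0.0.0/0 and ::/0 cover every source
            continue
        lo, hi = int(fw.get("port_start") or 0), int(fw.get("port_end") or 65535)
        # Filter stage (pre- or post-DNAT) is not stated on the page: match either range.
        exposed = sorted(a for a, d in dnat if
            overlaps(lo, hi, d.get("match_port_start"), d.get("match_port_end")) or
            overlaps(lo, hi, d.get("translation_port_start"), d.get("translation_port_end")))
        findings.append({"rule": addr, "network": str(net), "ports": (lo, hi), "dnat": exposed})
    return findings

def rc(rtype, name, after):  # hypothetical helper: one constructed plan entry
    return {"address": f"{rtype}.{name}", "type": rtype, "change": {"after": after}}

# Constructed sample shaped like `terraform show -json <planfile>` output.
SAMPLE_PLAN = {"resource_changes": [
    rc(FW, "allow_ssh", {"direction": "inbound", "network": "0.0.0.0/0", "port_start": 22, "port_end": 22}),
    rc(FW, "allow_ssh_admin", {"direction": "inbound", "network": "203.0.113.0/24", "port_start": 22, "port_end": 22}),
    rc(FW, "retired", None),  # rule being destroyed
    rc(DNAT, "ssh_vm1", {"match_port_start": 2201, "match_port_end": 2201, "translation_port_start": 22, "translation_port_end": 22}),
]}

if __name__ == "__main__":
    for finding in audit(SAMPLE_PLAN):
        print(finding)
```

To gate a pipeline on it, load the real plan with json.load and fail the job when audit returns a non-empty list.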

Outputs

After deployment, Terraform outputs include:

  • Gateway IP -- The public bastion IP for the VPC
  • VM private IPs -- Internal addresses of each VM
  • Floating IPs -- Any allocated floating IP addresses
  • SSH commands -- Ready-to-use SSH commands with DNAT port mappings

Teardown

terraform destroy

Note: Destroying the VPC removes all associated resources including VMs, NAT rules, firewall rules, and floating IPs.
