Network API

A multi cloud network API that let you automate the management of multiple VPCs in diferent cloud providers.

It works as a serverless application running primarily on AWS, using AWS SAM for orchestrating the deployment and DynamoDB for storing network metadata. Providers are pluggable by using a webhook, currently only aws-provider is available.

Subnets Layout

The API generates subnets for any given size of network, from /16 down to /24, using the following layout, example given using a 10.0.0.0/20 network.

subnet ranges type
10.0.0.0/22 10.0.0.0/23 private
10.0.2.0/24 public
10.0.3.0/28 tgw
10.0.4.0/22 10.0.4.0/23 private
10.0.6.0/24 public
10.0.7.0/28 tgw
10.0.8.0/22 10.0.8.0/23 private
10.0.10.0/24 public
10.0.11.0/28 tgw
10.0.12.0/22 spare

Providers

Providers webhook receive the following payload when called:

const (
	CreateNetwork EventType = "create_network"
	CheckNework   EventType = "check_network"
	DeleteNetwork EventType = "delete_network"
	QueryNetwork  EventType = "query_network"
)

type ProviderWebhook struct {
	Event       EventType `json:"event"`
	NetworkID   string    `json:"networkID" validate:"required"`
	Account     string    `json:"account" validate:"required"`
	Region      string    `json:"region" validate:"required"`
	Environment string    `json:"environment" validate:"required"`
	CIDR        string    `json:"cidr" validate:"required_if=Event create_network,omitempty,cidr"`
	Subnets     []*Subnet `json:"subnets,omitempty" validate:"required_if=Event create_network,omitempty"`
}

AWS

AWS Provider uses a cloudformation template for creating new VPCs, which is stored in a bucket. The lambda has a default role that allows it to assume roles in multiple accounts, for this to work you have to deploy a stackset on your master account using aws_provider_trust_role.yaml.

For security it uses a KMS key to validate the used token, to create a token use aws-provider-token command.

The cloudformation template has the following parameters:

Parameter Description
VPCName The name of the VPC being created.
Environment The VPC environment. Values: prod or qa
VPCCidr The CIDR of the VPC being created. Example: 10.0.0.0/16
PublicSubnet0Cidr The CIDR of the public subnet being created. Example: 10.0.0.0/16
PublicSubnet1Cidr
PublicSubnet2Cidr
PrivateSubnet0Cidr The CIDR of the private subnet being created. Example: 10.0.0.0/16
PrivateSubnet1Cidr
PrivateSubnet2Cidr
TGWSubnet0Cidr The CIDR of the TGW Attachment subnet being created. Example: 10.0.0.0/16
TGWSubnet1Cidr
TGWSubnet2Cidr

Local

GOARCH=amd64 GOOS=linux go build -o api ./cmd/network-api
sam local start-api

Deploy

ToDo

Configuring

export ENDPOINT="..."

# Pools
curl -H "Content-Type: application/json" -d '{"region":"us-east-1","name":"main-aws","subnetIP":"10.0.0.0","subnetMaxIP":"10.240.255.255"}' -v $ENDPOINT/api/v1/pools
curl -H "Content-Type: application/json" -d '{"region":"sa-east-1","name":"southamerica-aws","subnetIP":"10.240.0.0","subnetMask":16}' -v $ENDPOINT/api/v1/pools

# Providers
curl -H "Content-Type: application/json" -d '{"name":"aws","webhookURL":"https://something.localhost","apiToken":"1234token"}' -v $ENDPOINT/api/v1/providers

curl -H "Content-Type: application/json" -d '{"region":"us-east-1","subnetSize":16,"account":"123","provider":"aws","environment":"prod","attachTGW":true,"privateSubnet":true,"publicSubnet":true}' -v $ENDPOINT/api/v1/networks

GitHub

View Github