Network routing contract
Purpose: Define the address plan, ASNs, tunnel link ranges, and route-policy boundaries for HybridOps hybrid connectivity (GCP NCC hub with routed on‑prem and Azure spokes), as established by ADR-0109 and constrained by the VLAN plan in ADR-0101.
Maintainer: HybridOps
Scope
This contract defines:
- Routing identities (ASNs) for on‑prem, GCP, and Azure.
- Non-overlapping address ranges for on‑prem, GCP, and Azure.
- Link networks for BGP over route‑based IPsec tunnels (VTI / HA VPN / VPN Gateway).
- Route exchange boundaries (what is advertised, what is accepted, and what is rejected).
Role model
- On-prem routed edges default to VyOS on Proxmox.
- Hetzner routed edges default to VyOS when Hetzner participates as an edge site.
- In the current shipped WAN baseline, the Hetzner routed edge pair is the static public face
of the Site-A routed domain and terminates the GCP HA VPN underlay.
- The on-prem VyOS edge is introduced behind that static Hetzner transit layer as a spoke/site-extension
step, rather than depending on direct GCP acceptance of a dynamic on-prem public IP.
- The Hetzner shared control-plane host is a separate Linux service host for DNS, runners, and decision/control services.
- GCP remains the cloud-side routing hub using Cloud Router + HA VPN + NCC.
- Azure remains a routed spoke using cloud-native gateway constructs.
Multi‑WAN is an additive change: additional tunnels and peers follow the same contract and do not change the routing model described in ADR-0109.
Regions
- GCP hub region:
europe-west2 (London)
- Azure region:
UK South
Autonomous systems
| Domain |
ASN |
Notes |
| Site‑A routed domain (on‑prem + static Hetzner transit edge) |
65010 |
Current shipped baseline: Hetzner routed edges present ASN 65010 to GCP. The on-prem VyOS edge joins the same routed domain later through a spoke/site-extension layer, typically using iBGP internally while preserving eBGP toward the cloud hub. |
| GCP Cloud Router (hub) |
64514 |
Cloud Router ASN for HA VPN and NCC hub routing. |
| Azure VPN Gateway |
65515 |
Azure VPN Gateway ASN for inter‑cloud peering to GCP Cloud Router. |
Address plan
On‑prem VLAN VNets
| Segment |
VLAN |
CIDR |
Notes |
| Management |
10 |
10.10.0.0/24 |
Control-plane and platform management. |
| Observability |
11 |
10.11.0.0/24 |
Metrics, logging, dashboards. |
| Data / shared services |
12 |
10.12.0.0/24 |
PostgreSQL, NetBox, shared dependencies. |
| Development |
20 |
10.20.0.0/24 |
Dev workloads. |
| Staging |
30 |
10.30.0.0/24 |
Staging workloads. |
| Production |
40 |
10.40.0.0/24 |
Production workloads. |
| Lab |
50 |
10.50.0.0/24 |
Network lab and experiments. |
GCP
| Segment |
CIDR |
Notes |
| Hub VPC (NCC attachment) |
10.70.0.0/16 |
Hub routing domain for NCC and Cloud Router adjacency. |
| Workload subnet (example) |
10.70.16.0/20 |
Example workload subnet; additional subnets stay within 10.70.0.0/16. |
Azure
| Segment |
CIDR |
Notes |
| Azure VNet |
10.60.0.0/16 |
Primary Azure routing domain for AKS/AVD access. |
| GatewaySubnet (example) |
10.60.0.0/27 |
Reserved for VPN Gateway. |
| Workloads (example) |
10.60.16.0/20 |
Example workload subnet; additional subnets stay within 10.60.0.0/16. |
Kubernetes service networks
| Domain |
Pods CIDR |
Services CIDR |
Policy |
| Platform clusters |
172.21.0.0/16 |
172.22.0.0/16 |
Not advertised by default. Expose services via ingress/LB. Advertise only when explicitly required and filtered. |
Tunnel link networks
Use link‑local address space for BGP session IPs over each route‑based tunnel:
- Allocation pool:
169.254.0.0/16
- Each BGP session uses a dedicated
/30.
| Link |
Purpose |
Link /30 |
Left IP |
Right IP |
| Hetzner routed edge ↔ GCP HA VPN (tunnel A) |
Current shipped static site‑to‑hub underlay |
169.254.10.0/30 |
169.254.10.1 (Site‑A routed domain / Hetzner edge) |
169.254.10.2 (GCP) |
| Hetzner routed edge ↔ GCP HA VPN (tunnel B) |
Current shipped static site‑to‑hub underlay |
169.254.10.4/30 |
169.254.10.5 (Site‑A routed domain / Hetzner edge) |
169.254.10.6 (GCP) |
| On‑prem VyOS ↔ Hetzner routed edge (tunnel A) |
Reserved for on-prem spoke/site-extension layer |
169.254.30.0/30 |
169.254.30.1 (On‑prem) |
169.254.30.2 (Hetzner edge) |
| On‑prem VyOS ↔ Hetzner routed edge (tunnel B) |
Reserved for on-prem spoke/site-extension layer |
169.254.30.4/30 |
169.254.30.5 (On‑prem) |
169.254.30.6 (Hetzner edge) |
| Azure VPN GW ↔ GCP Cloud Router (tunnel A) |
Inter‑cloud spoke |
169.254.20.0/30 |
169.254.20.1 (Azure) |
169.254.20.2 (GCP) |
| Azure VPN GW ↔ GCP Cloud Router (tunnel B) |
Redundancy |
169.254.20.4/30 |
169.254.20.5 (Azure) |
169.254.20.6 (GCP) |
Notes:
- Link networks are not advertised. Filters must reject
169.254.0.0/16 in both directions.
- Multi‑WAN adds additional
/30 allocations from the same pool per WAN edge/tunnel.
Route exchange policy
Export
| Speaker |
Export to |
Advertise |
Do not advertise |
| Site‑A routed domain (ASN 65010) |
GCP Cloud Router |
10.10.0.0/24, 10.11.0.0/24, 10.12.0.0/24, 10.20.0.0/24, 10.30.0.0/24, 10.40.0.0/24, 10.50.0.0/24, but only after those routes are present on the static Hetzner edge baseline |
169.254.0.0/16, 172.21.0.0/16, 172.22.0.0/16, any RFC1918 outside approved on‑prem allocations. |
| Azure (ASN 65515) |
GCP Cloud Router |
10.60.0.0/16 |
169.254.0.0/16, 172.21.0.0/16, 172.22.0.0/16. |
| GCP (ASN 64514) |
Site‑A routed domain + Azure |
10.70.0.0/16 |
169.254.0.0/16, 172.21.0.0/16, 172.22.0.0/16. |
Import
| Receiver |
Accept |
Reject |
| GCP Cloud Router |
Approved on‑prem VLAN prefixes and approved Azure VNet prefixes |
Any unknown RFC1918, 169.254.0.0/16, Kubernetes pod/service CIDRs unless explicitly enabled. |
| Site‑A routed domain edge(s) |
10.70.0.0/16 and (optionally) 10.60.0.0/16 via hub |
Any unexpected RFC1918, 169.254.0.0/16, default routes unless explicitly engineered. |
| Azure VPN Gateway |
10.70.0.0/16 and approved on‑prem VLAN prefixes |
Any unexpected RFC1918, 169.254.0.0/16, default routes unless explicitly engineered. |
Safety controls
- Deny-by-default prefix filtering on all BGP sessions.
- Max-prefix per neighbor sized for the current design and increased only with evidence.
- Evidence capture: before/after BGP summaries, learned routes, and reachability checks.
Operational sequences are documented in the runbooks for NCC hub setup, edge control plane, and on-prem site extension.
References