# Cross-Region Connectivity Options

This directory contains Terraform configurations for cross-region connectivity between West Europe (Nginx proxy) and US regions (backend VMs).

## Options

### Option A: Azure VPN Gateway (Recommended for Phase 1)

- **File**: `vpn-gateway.tf`
- **Cost**: ~$150/month for VpnGw1
- **Setup Time**: 1-2 hours
- **Pros**:
  - Native Azure solution
  - Secure (IPsec)
  - Good performance
- **Cons**:
  - Requires VPN Gateway in each region (or site-to-site VPN)
  - Higher cost than Cloudflare Tunnel

### Option B: Cloudflare Tunnel on Backend VMs

- **File**: `scripts/setup-cloudflare-tunnel-backend.sh` (already exists)
- **Cost**: Free (Cloudflare Tunnel)
- **Setup Time**: 30 minutes
- **Pros**:
  - No VPN infrastructure needed
  - Free
  - Quick setup
- **Cons**:
  - Adds latency
  - Requires Cloudflare Tunnel on each VM

### Option C: Azure Private Link

- **File**: Not yet implemented
- **Cost**: ~$0.01/GB data transfer
- **Setup Time**: 2-3 hours
- **Pros**:
  - Azure-native
  - Secure
  - Good for production
- **Cons**:
  - More complex setup
  - Requires Private Link services

## Recommendation

For Phase 1, use **Option B (Cloudflare Tunnel)** for quick setup, then migrate to **Option A (VPN Gateway)** for production.

## Usage

### VPN Gateway Setup

```bash
cd terraform/phases/phase1/connectivity
terraform init
terraform plan
terraform apply
```

### Cloudflare Tunnel Setup

```bash
# On each backend VM (via VPN/Bastion)
ssh besuadmin@ /tmp/setup-cloudflare-tunnel-backend.sh
```