discrimiNAT on Google Cloud (GCP)

Table of Contents

DIY ➜

If you require complex or custom routing and already have Infrastructure-as-Code for your deployments, this is where you will find the key information. Terraform practitioners pick this option.

QUICK START ➜

For a 5-minute deployment with secure defaults, driven from within the Marketplace console itself. From the moment it is deployed, all egress from the VPC is blocked unless an FQDN-based egress firewall rule allows the outbound connection; VMs that must bypass discrimiNAT entirely have to carry the bypass-discriminat network tag.

CONFIG REFERENCE ➜

The various ways GCP-native Firewall Rules can be annotated with appropriate FQDN allowlists and traffic monitoring rules after deployment of discrimiNAT.

LOGS REFERENCE ➜

Fields, filters and recipes to find what you need from discrimiNAT’s config and flow logs in GCP.

ARCHITECTURE

This section describes the Quick Start deployment only. If you go down the DIY route, the architecture is whatever your own design specifies.

A discrimiNAT firewall becomes the NAT solution for your VPC, making the use or presence of other NAT gateways redundant.

It follows the Google Cloud guide on using Internal TCP/UDP load balancers as next hops: the VPC's default route points at an internal load balancer whose backends are the discrimiNAT instances. As that guide describes, these NAT instances are simply a bump-in-the-wire with:

  • no explicit client configuration (no proxy settings or per-VM routes)
  • load balancing across the NAT instances
  • proactive health checks, so traffic is only sent to healthy instances
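The following Terraform configuration is an added example of the architecture described above, written for this page; it is not discrimiNAT's Deployment Manager template nor a Terraform module from the vendor. It wires an Internal TCP/UDP Load Balancer in front of a managed instance group of NAT instances, makes that load balancer the next hop of the VPC's default route, and adds the higher-priority route that lets VMs tagged bypass-discriminat (the tag named in the Quick Start description) reach the internet directly. The resource names, region, CIDR, machine type, health-check port, the extra "discriminat" target tag and the variable var.discriminat_image are all assumptions, not values taken from the page.

```hcl
# Added example, not discrimiNAT's own template. Assumed values are marked as such.
variable "discriminat_image" { description = "Boot image of the NAT/firewall instance (assumed)" }
variable "region" { default = "europe-west2" } # assumed

resource "google_compute_network" "vpc" {
  name                    = "egress-vpc" # assumed name
  auto_create_subnetworks = false
}

resource "google_compute_subnetwork" "subnet" {
  name          = "egress-subnet" # assumed name
  region        = var.region
  network       = google_compute_network.vpc.id
  ip_cidr_range = "10.10.0.0/24" # assumed range
}

# NAT instances must forward packets that are not addressed to them, hence can_ip_forward.
# They carry bypass-discriminat themselves so that the traffic they NAT leaves via the
# internet gateway instead of being looped back into the load balancer.
resource "google_compute_instance_template" "nat" {
  name_prefix    = "discriminat-"
  machine_type   = "e2-small" # assumed
  can_ip_forward = true
  tags           = ["discriminat", "bypass-discriminat"]
  disk {
    source_image = var.discriminat_image
    boot         = true
  }
  network_interface {
    subnetwork = google_compute_subnetwork.subnet.id
    access_config {} # ephemeral public IP that NAT'd traffic egresses from
  }
  lifecycle { create_before_destroy = true }
}

# Proactive health check: the ILB only sends traffic to instances that pass it,
# and the instance group replaces instances that keep failing it.
resource "google_compute_region_health_check" "nat" {
  name                = "discriminat-hc"
  region              = var.region
  check_interval_sec  = 5
  timeout_sec         = 5
  unhealthy_threshold = 2
  tcp_health_check { port = 22 } # port is assumed; use what the appliance exposes
}

resource "google_compute_region_instance_group_manager" "nat" {
  name               = "discriminat-mig"
  region             = var.region
  base_instance_name = "discriminat"
  target_size        = 2
  version { instance_template = google_compute_instance_template.nat.id }
  auto_healing_policies {
    health_check      = google_compute_region_health_check.nat.id
    initial_delay_sec = 120
  }
}

# Google's health-check prober ranges must reach the instances on the probed port.
resource "google_compute_firewall" "allow_health_checks" {
  name          = "allow-gcp-health-checks"
  network       = google_compute_network.vpc.id
  direction     = "INGRESS"
  source_ranges = ["35.191.0.0/16", "130.211.0.0/22"]
  target_tags   = ["discriminat"]
  allow {
    protocol = "tcp"
    ports    = ["22"]
  }
}

# Packets routed via the ILB next hop arrive at the NAT instances with their original
# destination, so an ingress rule from the client subnet is still required.
resource "google_compute_firewall" "allow_clients_to_nat" {
  name          = "allow-vpc-to-discriminat"
  network       = google_compute_network.vpc.id
  direction     = "INGRESS"
  source_ranges = [google_compute_subnetwork.subnet.ip_cidr_range]
  target_tags   = ["discriminat"]
  allow { protocol = "all" }
}

resource "google_compute_region_backend_service" "nat" {
  name                  = "discriminat-backend"
  region                = var.region
  load_balancing_scheme = "INTERNAL"
  protocol              = "TCP"
  health_checks         = [google_compute_region_health_check.nat.id]
  backend { group = google_compute_region_instance_group_manager.nat.instance_group }
}

resource "google_compute_forwarding_rule" "nat" {
  name                  = "discriminat-ilb"
  region                = var.region
  load_balancing_scheme = "INTERNAL"
  backend_service       = google_compute_region_backend_service.nat.id
  network               = google_compute_network.vpc.id
  subnetwork            = google_compute_subnetwork.subnet.id
  all_ports             = true # a next-hop ILB must accept every destination port
}

# Default route for the whole VPC: priority 100 beats the built-in default route (1000).
resource "google_compute_route" "default_via_nat" {
  name         = "default-via-discriminat"
  network      = google_compute_network.vpc.name
  dest_range   = "0.0.0.0/0"
  priority     = 100
  next_hop_ilb = google_compute_forwarding_rule.nat.id
}

# Only VMs carrying the tag match this more-specific-priority route and skip the NAT.
resource "google_compute_route" "bypass" {
  name             = "bypass-discriminat"
  network          = google_compute_network.vpc.name
  dest_range       = "0.0.0.0/0"
  priority         = 50
  tags             = ["bypass-discriminat"]
  next_hop_gateway = "default-internet-gateway"
}
```

Two points worth checking after `terraform apply`: the VPC's built-in default route (priority 1000) still exists, so any VM will silently regain direct internet access if the ILB route is ever deleted; deleting the built-in route makes that failure loud instead. And because the bypass tag is what exempts a VM from the firewall, treat the right to set network tags on instances as an egress-control privilege and restrict it accordingly.
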

Contact our DevSecOps at [email protected] for queries at any stage of your journey. Alternatively, just reach out in the live chat.

MARKETPLACE

Launch Free Trial on Google Cloud

The discrimiNAT firewall is listed on the Google Cloud Marketplace. The architecture discussed above is available as a Deployment Manager template, launched in the steps that follow the marketplace subscription.

Finding the needles in the StackDriver haystack

Fields, filters and recipes to find what you need from discrimiNAT's config and flow logs in GCP

Configuring the upgraded Firewall Rules

The various ways GCP-native Firewall Rules can be annotated with appropriate FQDN allowlists and traffic monitoring rules after deployment of discrimiNAT.

DIY for discrimiNAT on GCP

Integrate discrimiNAT firewall on GCP in your bespoke VPC layout

Creating a Bastion for SSH access on GCP

In Google Cloud (GCP), you may want a bastion host present in your VPC for accessing a discrimiNAT instance over SSH or a host without a public IP.

Quick Start for discrimiNAT on GCP

Deploy discrimiNAT firewall on Google Cloud in 5 minutes – Quick Start Guide