DIY for discrimiNAT on GCP

Key information on discrimiNAT for integration in your Infrastructure-as-Code

Table of Contents
Ensure you’ve visited our marketplace page and accepted the terms & conditions, and any custom offers you may have been extended for your GCP account, first.

IMAGE IDENTIFIERS

keyvalue
familydiscriminat
projectchasersystems-public

For older versions, drop us a line and we’ll get back to you ASAP.

Contact our DevSecOps for early access to Shared VPC support.

DEPLOYMENT ESSENTIALS

For effective functioning, the discrimiNAT will need:

  1. A machine type with at least 2 vCPU and 2 GiB RAM. An e2-small should suffice where throughput requirements are basic and allowlists small. Otherwise an n2-highcpu-2 makes a good choice for constant throughput. Talk to our DevSecOps to get the sizing right!
  2. A service account that can read compute metadata, and write to logging and monitoring:
    serviceAccounts:
        - email: <project_number>[email protected]
          scopes:
            - https://www.googleapis.com/auth/compute.readonly
            - https://www.googleapis.com/auth/logging.write
            - https://www.googleapis.com/auth/monitoring.write
    
  3. Ability to forward IP packets with the canIpForward property turned on.
  4. A public IP.
  5. SSD disk type is recommended.

When deploying the instance(s), you may configure high-availability through a Managed Instance Group (see reference implementation here), routing and tagging as per your desired architecture. For example, the route to the Internet will be for destination 0.0.0.0/0 for instances without a public IP and should pass through the discrimiNAT instance – whether by tagging or by internal load-balancing.

For monitoring the logs and configuring the FQDN-based firewall egress rules, see the logs and config references.

TERRAFORM MODULES

Before you dive into the DIY code that follows, you may want to consider our fully-working modules at the Terraform Registry, which include preconfigured high-availability and further examples. In fact, one of the examples extends from the canonical terraform-google-modules/network/google module at the registry.

You will find two modules relevant to Google Cloud at the registry, which can be briefly described as:

discriminat-ilb

Architecture with internal TCP load balancers as next hops set as the default route, and tag based opt-out control.

discriminat-ntag

Architecture with Network Tags in VPCs for fine-grained, opt-in control over routing.

Contact our DevSecOps at [email protected] for queries at any stage of your journey. Alternatively, just reach out in the live chat.

TERRAFORM EXAMPLE

Lookup

provider "google" {}

data "google_compute_image" "discriminat" {
  family  = "discriminat"
  project = "chasersystems-public"
}

output "discriminat_image_self_link" {
  value = data.google_compute_image.discriminat.self_link
}

Deploy

This example deployment code is to be considered a starting point for your own architecture and requirements.

provider "google" {}

data "google_compute_image" "discriminat" {
  family  = "discriminat"
  project = "chasersystems-public"
}

resource "google_compute_instance" "discriminat" {
  name         = "discriminat"
  machine_type = "e2-small"

  can_ip_forward = true

  boot_disk {
    initialize_params {
      type  = "pd-ssd"
      image = data.google_compute_image.discriminat.self_link
    }
  }

  network_interface {
    network = "default"
    access_config {}
  }

  service_account {
    scopes = ["compute-ro", "logging-write", "monitoring-write"]
  }
}
Contact our DevSecOps at [email protected] for queries at any stage of your journey. Alternatively, just reach out in the live chat.

gcloud CLI EXAMPLE

Lookup

gcloud compute images describe-from-family   \
  --format="value(selfLink)"                 \
  --project chasersystems-public             \
  discriminat