DIY for discrimiNAT on GCP

Key information on discrimiNAT for integration in your Infrastructure-as-Code

Table of Contents

Ensure you’ve visited our marketplace page and accepted the terms & conditions, and any custom offers you may have been extended for your GCP account, first.

IMAGE IDENTIFIERS

key	value
family	discriminat
project	chasersystems-public

For older versions, drop us a line and we’ll get back to you ASAP.

Shared VPC support has landed in v2.3. Contact our DevSecOps for any questions or help with deployment.

DEPLOYMENT ESSENTIALS

For effective functioning, the discrimiNAT will need:

A machine type with at least 2 vCPU and 2 GiB RAM. An e2-small should suffice where throughput requirements are basic and allowlists small. Otherwise an n2-highcpu-2 makes a good choice for constant throughput. Talk to our DevSecOps to get the sizing right!

A service account that can read compute metadata, and write to logging and monitoring:

serviceAccounts:
    - email: <project_number>-compute@developer.gserviceaccount.com
      scopes:
        - https://www.googleapis.com/auth/compute.readonly
        - https://www.googleapis.com/auth/logging.write
        - https://www.googleapis.com/auth/monitoring.write

Ability to forward IP packets with the canIpForward property turned on.
A public IP.
SSD disk type is recommended.

When deploying the instance(s), you may configure high-availability through a Managed Instance Group (see reference implementation here), routing and tagging as per your desired architecture. For example, the route to the Internet will be for destination 0.0.0.0/0 for instances without a public IP and should pass through the discrimiNAT instance – whether by tagging or by internal load-balancing.

For monitoring the logs and configuring the FQDN-based firewall egress rules, see the logs and config references.

TERRAFORM MODULES

Before you dive into the DIY code that follows, you may want to consider our fully-working modules at the Terraform Registry, which include preconfigured high-availability and further examples. In fact, one of the examples extends from the canonical terraform-google-modules/network/google module at the registry.

You will find two modules relevant to Google Cloud at the registry, which can be briefly described as:

discriminat-ilb

Architecture with internal TCP load balancers as next hops set as the default route, and tag based opt-out control.

discriminat-ntag

Architecture with Network Tags in VPCs for fine-grained, opt-in control over routing.

Contact our DevSecOps at devsecops@chasersystems.com for queries at any stage of your journey. Alternatively, just reach out in the live chat.

TERRAFORM EXAMPLE

Lookup

provider "google" {}

data "google_compute_image" "discriminat" {
  family  = "discriminat"
  project = "chasersystems-public"
}

output "discriminat_image_self_link" {
  value = data.google_compute_image.discriminat.self_link
}

Deploy

This example deployment code is to be considered a starting point for your own architecture and requirements.

provider "google" {}

data "google_compute_image" "discriminat" {
  family  = "discriminat"
  project = "chasersystems-public"
}

resource "google_compute_instance" "discriminat" {
  name         = "discriminat"
  machine_type = "e2-small"

  can_ip_forward = true

  boot_disk {
    initialize_params {
      type  = "pd-ssd"
      image = data.google_compute_image.discriminat.self_link
    }
  }

  network_interface {
    network = "default"
    access_config {}
  }

  service_account {
    scopes = ["compute-ro", "logging-write", "monitoring-write"]
  }
}

Contact our DevSecOps at devsecops@chasersystems.com for queries at any stage of your journey. Alternatively, just reach out in the live chat.

gcloud CLI EXAMPLE

Lookup

gcloud compute images describe-from-family   \
  --format="value(selfLink)"                 \
  --project chasersystems-public             \
  discriminat