DIY for discrimiNAT on GCP

Key information on discrimiNAT for integration in your Infrastructure-as-Code

Before you start, visit our marketplace page and accept the terms & conditions, together with any custom offers that have been extended to your GCP account.

IMAGE IDENTIFIERS

key       value
family    discriminat
project   chasersystems-public

For older versions, drop us a line and we’ll get back to you ASAP.

Contact our DevSecOps at [email protected] for queries at any stage of your journey. Alternatively, just reach out in the live chat.

DEPLOYMENT ESSENTIALS

For effective functioning, the discrimiNAT will need:

  1. A machine type of at least 2 vCPU and 2 GiB RAM. An e2-small should suffice where throughput requirements are basic.
  2. A service account that can read compute metadata, and write to logging and monitoring. In the instance's compute API representation this looks like the following (the project's default Compute Engine service account is shown; a dedicated account with equivalent permissions works too):
    serviceAccounts:
      - email: <project_number>-compute@developer.gserviceaccount.com
        scopes:
          - https://www.googleapis.com/auth/compute.readonly
          - https://www.googleapis.com/auth/logging.write
          - https://www.googleapis.com/auth/monitoring.write
    
  3. IP forwarding enabled (the canIpForward property set to true), so that the instance can accept and forward packets that are not addressed to it.
  4. A public IP, since the discrimiNAT instance is the one that reaches the Internet on behalf of the instances routed through it.
  5. An SSD disk type (pd-ssd) is recommended.

When deploying the instance(s), configure availability (for example through a Managed Instance Group), routing and tagging to suit your architecture. For example, instances without a public IP need a route for destination 0.0.0.0/0 whose next hop is the discrimiNAT instance. That route can be scoped to those instances with network tags, or, for high availability, it can point at an internal load balancer fronting a group of discrimiNAT instances.

For monitoring the logs and configuring the FQDN-based firewall egress rules, follow the Quick Start guide from Key Information onwards.

TERRAFORM MODULES

Before you dive into the DIY code that follows, you may want to consider our fully-working modules at the Terraform Registry, which include further examples. In fact, one of the examples extends from the canonical terraform-google-modules/network/google module at the registry.

You will find two modules relevant to Google Cloud at the registry, which can be briefly described as:

discriminat-ilb

Architecture with internal TCP load balancers as next hops of the default route, and tag-based opt-out control.

discriminat-ntag

Architecture with Network Tags in VPCs for fine-grained, opt-in control over routing.


TERRAFORM EXAMPLE

Lookup

provider "google" {}

data "google_compute_image" "discriminat" {
  family  = "discriminat"
  project = "chasersystems-public"
}

output "discriminat_image_self_link" {
  value = data.google_compute_image.discriminat.self_link
}

Deploy

This example deployment code is to be considered a starting point for your own architecture and requirements.

provider "google" {}

data "google_compute_image" "discriminat" {
  family  = "discriminat"
  project = "chasersystems-public"
}

resource "google_compute_instance" "discriminat" {
  name         = "discriminat"
  machine_type = "e2-small"   # 2 vCPU, 2 GiB: the minimum for basic throughput

  can_ip_forward = true   # required: the instance forwards packets not addressed to it

  boot_disk {
    initialize_params {
      type  = "pd-ssd"   # SSD recommended
      image = data.google_compute_image.discriminat.self_link
    }
  }

  network_interface {
    network = "default"
    access_config {}   # empty block = ephemeral public IP, which the appliance needs
  }

  # No email set, so the project's default Compute Engine service account is used,
  # limited to the three access scopes discrimiNAT needs.
  service_account {
    scopes = ["compute-ro", "logging-write", "monitoring-write"]
  }
}
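
The Deploy block above stops at the appliance itself. The following is an added example, not code from the discrimiNAT documentation or its Terraform modules, that completes it with the two pieces the Deployment Essentials and the routing paragraph call for but do not show: a dedicated least-privilege service account in place of the project default, and a tag-scoped 0.0.0.0/0 route that sends Internet-bound traffic from instances without a public IP through the discrimiNAT instance. The project id variable, the zone, the "default" network, the tag name, the IAM roles chosen to back the three scopes, and all resource names are assumptions.

```hcl
# Added example (not from the discrimiNAT docs or modules): dedicated service
# account plus tag-based opt-in routing through the appliance.
# Assumptions: project id via variable, zone europe-west2-b, network "default",
# tag "discriminat-egress", and the three IAM roles chosen to match the scopes.

variable "project_id" {
  type = string
}

provider "google" {
  project = var.project_id
  zone    = "europe-west2-b"   # assumed zone
}

data "google_compute_image" "discriminat" {
  family  = "discriminat"
  project = "chasersystems-public"
}

# Dedicated identity: the instance's access scopes cap which APIs it may call,
# and the IAM roles below cap what this account is allowed to do in the project.
resource "google_service_account" "discriminat" {
  account_id   = "discriminat"
  display_name = "discrimiNAT egress appliance"
}

resource "google_project_iam_member" "discriminat" {
  for_each = toset([
    "roles/compute.viewer",          # read compute metadata
    "roles/logging.logWriter",       # write logs
    "roles/monitoring.metricWriter", # write metrics
  ])
  project = var.project_id
  role    = each.value
  member  = "serviceAccount:${google_service_account.discriminat.email}"
}

resource "google_compute_instance" "discriminat" {
  name           = "discriminat"
  machine_type   = "e2-small"
  can_ip_forward = true   # required: forwards packets not addressed to it

  # Deliberately NOT tagged "discriminat-egress": the route below must never
  # apply to the appliance itself, which reaches the Internet via its own public IP.

  boot_disk {
    initialize_params {
      type  = "pd-ssd"
      image = data.google_compute_image.discriminat.self_link
    }
  }

  network_interface {
    network = "default"
    access_config {}   # ephemeral public IP
  }

  service_account {
    email  = google_service_account.discriminat.email
    scopes = ["compute-ro", "logging-write", "monitoring-write"]
  }
}

# Opt-in routing by network tag. Priority 500 takes precedence over the VPC's
# implicit 0.0.0.0/0 route to the Internet gateway (priority 1000), but only
# for instances that carry the tag.
resource "google_compute_route" "egress_via_discriminat" {
  name                   = "egress-via-discriminat"
  network                = "default"
  dest_range             = "0.0.0.0/0"
  priority               = 500
  tags                   = ["discriminat-egress"]
  next_hop_instance      = google_compute_instance.discriminat.self_link
  next_hop_instance_zone = google_compute_instance.discriminat.zone
}

# A private workload: no access_config block, hence no public IP, and tagged so
# that its only path to the Internet is through discrimiNAT.
resource "google_compute_instance" "private_workload" {
  name         = "private-workload"
  machine_type = "e2-micro"
  tags         = ["discriminat-egress"]

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-12"
    }
  }

  network_interface {
    network = "default"
  }
}
```

To verify the routing, SSH to private-workload over IAP or a bastion and check that an outbound connection appears in the discrimiNAT logs rather than failing silently; to move a workload off the appliance, drop the tag rather than editing the route. The internal-load-balancer variant described under TERRAFORM MODULES replaces next_hop_instance with a next_hop_ilb forwarding rule in front of a Managed Instance Group of appliances.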

gcloud CLI EXAMPLE

Lookup

gcloud compute images describe-from-family   \
  --format="value(selfLink)"                 \
  --project chasersystems-public             \
  discriminat