DIY Installation
Ensure you've visited our marketplace page and accepted the terms & conditions, and any custom offers you may have been extended for your GCP account, first.
IMAGE IDENTIFIERS

| key | value |
|---|---|
| family | discriminat |
| project | chasersystems-public |
For older versions, drop us a line and we'll get back to you ASAP.
Shared VPC support has landed in v2.3. Contact our DevSecOps for any questions or help with deployment.
DEPLOYMENT ESSENTIALS

For effective functioning, the DiscrimiNAT will need:

- A machine type with at least 2 vCPU and 2 GiB RAM. An e2-small should suffice where throughput requirements are basic and allowlists small. Otherwise an n2-highcpu-2 makes a good choice for constant throughput. Talk to our DevSecOps to get the sizing right!
- A service account that can read compute metadata, and write to logging and monitoring:

  ```yaml
  serviceAccounts:
  - email: <project_number>-compute@developer.gserviceaccount.com
    scopes:
    - https://www.googleapis.com/auth/compute.readonly
    - https://www.googleapis.com/auth/logging.write
    - https://www.googleapis.com/auth/monitoring.write
  ```

- Ability to forward IP packets, with the canIpForward property turned on.
- A public IP.
- SSD disk type is recommended.
When deploying the instance(s), you may configure high-availability through a Managed Instance Group (see reference implementation here), routing and tagging as per your desired architecture. For example, the route to the Internet for instances without a public IP will be for destination 0.0.0.0/0 and should pass through the DiscrimiNAT instance – whether by tagging or by internal load-balancing.
For monitoring the logs and configuring the FQDN-based firewall egress rules, see the logs and config references.
TERRAFORM MODULES
Before you dive into the DIY code that follows, you may want to consider our fully-working modules at the Terraform Registry, which include preconfigured high-availability and further examples. In fact, one of the examples extends from the canonical terraform-google-modules/network/google module at the registry.
You will find two modules relevant to Google Cloud at the registry, which can be briefly described as:

discriminat-ilb

Architecture with internal TCP load balancers as next hops set as the default route, and tag-based opt-out control.

discriminat-ntag

Architecture with Network Tags in VPCs for fine-grained, opt-in control over routing.
Contact us for expert help at devsecops@chasersystems.com at any stage of your journey – we'll jump on a screen-sharing call right away!
TERRAFORM EXAMPLE

Lookup

```hcl
provider "google" {}

data "google_compute_image" "discriminat" {
  family  = "discriminat"
  project = "chasersystems-public"
}

output "discriminat_image_self_link" {
  value = data.google_compute_image.discriminat.self_link
}
```
Deploy

This example deployment code is to be considered a starting point for your own architecture and requirements.

```hcl
# With an empty provider block, project and zone are taken from the
# environment (e.g. GOOGLE_PROJECT / GOOGLE_ZONE) or the gcloud configuration.
provider "google" {}

data "google_compute_image" "discriminat" {
  family  = "discriminat"
  project = "chasersystems-public"
}

resource "google_compute_instance" "discriminat" {
  name         = "discriminat"
  machine_type = "e2-small"

  # Required so the instance can act as a next hop for other instances' traffic.
  can_ip_forward = true

  boot_disk {
    initialize_params {
      type  = "pd-ssd"
      image = data.google_compute_image.discriminat.self_link
    }
  }

  network_interface {
    network = "default"
    # An empty access_config block allocates the public IP the appliance needs.
    access_config {}
  }

  service_account {
    # Omitting "email" selects the project's default compute service account.
    # "compute-ro" is the provider's alias for the compute.readonly scope, which
    # matches the read-only metadata requirement listed above; read-write
    # compute access is not needed.
    scopes = ["compute-ro", "logging-write", "monitoring-write"]
  }
}
```
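The deployment essentials above call for a 0.0.0.0/0 route for instances without a public IP that passes through the DiscrimiNAT instance, selected by tagging. The following is an added example of that tag-based variant and is not code from the DiscrimiNAT documentation or its registry modules. It assumes the `google_compute_instance.discriminat` resource from the Deploy block above is in the same configuration; the route name, the network "default", the tag `discriminat-egress`, the priority and the private workload instance are assumptions for illustration.

```hcl
# Added example: default route for tagged private instances via the
# DiscrimiNAT instance (not part of the original documentation).

resource "google_compute_route" "egress_via_discriminat" {
  name       = "egress-via-discriminat"
  network    = "default"
  dest_range = "0.0.0.0/0"

  # The VPC's pre-created default-internet-gateway route has priority 1000;
  # a lower number wins, so tagged instances prefer this route.
  priority = 900

  # Opt-in control: only instances carrying this network tag use the route.
  # Untagged instances keep following the default route.
  tags = ["discriminat-egress"]

  # A full self_link URL is accepted here, so no separate zone attribute is needed.
  next_hop_instance = google_compute_instance.discriminat.self_link
}

# A workload with no public IP: no access_config block, so its only path to
# the Internet is the tagged route through the DiscrimiNAT instance.
resource "google_compute_instance" "private_workload" {
  name         = "private-workload"   # assumed name
  machine_type = "e2-small"
  tags         = ["discriminat-egress"]

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-12"   # assumed public image family
    }
  }

  network_interface {
    network = "default"
    # Deliberately no access_config: the instance receives no external IP.
  }
}
```

Swapping `next_hop_instance` for `next_hop_ilb` pointing at an internal TCP load balancer's forwarding rule gives the load-balanced variant the page describes, which is what the discriminat-ilb module implements; dropping `tags` turns the route from opt-in into a VPC-wide default.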
gcloud CLI EXAMPLE

Lookup

```shell
gcloud compute images describe-from-family \
  --format="value(selfLink)" \
  --project chasersystems-public \
  discriminat
```