Skip to main content

DIY Installation

info

Ensure you've visited our marketplace page and accepted the terms & conditions, and any custom offers you may have been extended for your GCP account, first.

IMAGE IDENTIFIERS​

keyvalue
familydiscriminat
projectchasersystems-public

For older versions, drop us a line and we'll get back to you ASAP.

info

Shared VPC support has landed in v2.3. Contact our DevSecOps for any questions or help with deployment.

DEPLOYMENT ESSENTIALS​

For effective functioning, the DiscrimiNAT will need:

  1. A machine type with at least 2 vCPU and 2 GiB RAM. An e2-small should suffice where throughput requirements are basic and allowlists small. Otherwise an n2-highcpu-2 makes a good choice for constant throughput. Talk to our DevSecOps to get the sizing right!
  2. A service account that can read compute metadata, and write to logging and monitoring:
    serviceAccounts:
    - email: <project_number>-compute@developer.gserviceaccount.com
    scopes:
    - https://www.googleapis.com/auth/compute.readonly
    - https://www.googleapis.com/auth/logging.write
    - https://www.googleapis.com/auth/monitoring.write
  3. Ability to forward IP packets with the canIpForward property turned on.
  4. A public IP.
  5. SSD disk type is recommended.

When deploying the instance(s), you may configure high-availability through a Managed Instance Group (see reference implementation here), routing and tagging as per your desired architecture. For example, the route to the Internet will be for destination 0.0.0.0/0 for instances without a public IP and should pass through the DiscrimiNAT instance – whether by tagging or by internal load-balancing.

For monitoring the logs and configuring the FQDN-based firewall egress rules, see the logs and config references.

TERRAFORM MODULES​

Before you dive into the DIY code that follows, you may want to consider our fully-working modules at the Terraform Registry, which include preconfigured high-availability and further examples. In fact, one of the examples extends from the canonical terraform-google-modules/network/google module at the registry.

You will find two modules relevant to Google Cloud at the registry, which can be briefly described as:

discriminat-ilb​

Architecture with internal TCP load balancers as next hops set as the default route, and tag based opt-out control.

discriminat-ntag​

Architecture with Network Tags in VPCs for fine-grained, opt-in control over routing.

info

Contact us for expert help at devsecops@chasersystems.com at any stage of your journey – we'll jump on a screen-sharing call right away!

TERRAFORM EXAMPLE​

Lookup​

provider "google" {}

data "google_compute_image" "discriminat" {
family = "discriminat"
project = "chasersystems-public"
}

output "discriminat_image_self_link" {
value = data.google_compute_image.discriminat.self_link
}

Deploy​

This example deployment code is to be considered a starting point for your own architecture and requirements.

provider "google" {}

data "google_compute_image" "discriminat" {
family = "discriminat"
project = "chasersystems-public"
}

resource "google_compute_instance" "discriminat" {
name = "discriminat"
machine_type = "e2-small"

can_ip_forward = true

boot_disk {
initialize_params {
type = "pd-ssd"
image = data.google_compute_image.discriminat.self_link
}
}

network_interface {
network = "default"
access_config {}
}

service_account {
scopes = ["compute-rw", "logging-write", "monitoring-write"]
}
}
info

Contact us for expert help at devsecops@chasersystems.com at any stage of your journey – we'll jump on a screen-sharing call right away!

gcloud CLI EXAMPLE​

Lookup​

gcloud compute images describe-from-family   \
--format="value(selfLink)" \
--project chasersystems-public \
discriminat