Skip to main content

DIY & Terraform

info

Ensure you've visited our marketplace page and accepted the terms & conditions, and any custom offers you may have been extended for your GCP account, first.

IMAGE IDENTIFIERS

keyvalue
familydiscriminat
projectchasersystems-public

DEPLOYMENT ESSENTIALS

For effective functioning, DiscrimiNAT will need:

  1. A machine type with at least 2 vCPU and 2 GiB RAM. An e2-small should suffice where throughput requirements are basic and allowlists small. Otherwise an n2-highcpu-2 makes a good choice for constant throughput. Talk to our DevSecOps to get the sizing right.
  2. A service account that can read/write compute metadata, and write to logging and monitoring:
    serviceAccounts:
        - email: <project_number>-compute@developer.gserviceaccount.com
          scopes:
            - https://www.googleapis.com/auth/compute
            - https://www.googleapis.com/auth/logging.write
            - https://www.googleapis.com/auth/monitoring.write
  3. Ability to forward IP packets with the canIpForward property turned on.
  4. A public IP.
  5. SSD disk type is recommended.

When deploying the instance(s), you may configure high-availability through a Managed Instance Group (see reference implementation here), routing and tagging as per your desired architecture. For example, the route to the Internet will be for destination 0.0.0.0/0 for instances without a public IP and should pass through the DiscrimiNAT instance – whether by tagging or by internal load-balancing.

For monitoring the logs and configuring the FQDN-based firewall egress rules, see the logs and config references.

TERRAFORM MODULES

Before you dive into the DIY code that follows, you may want to consider our fully-working modules at the Terraform Registry, which include preconfigured high-availability and further examples. In fact, one of the examples extends from the canonical terraform-google-modules/network/google module at the registry.

You will find two modules relevant to Google Cloud at the registry, which can be briefly described as:

discriminat-ilb

Architecture with internal TCP load balancers as next hops set as the default route, and tag based opt-out control.

discriminat-ntag

Architecture with Network Tags in VPCs for fine-grained, opt-in control over routing.

info

Drop us an email at devsecops@chasersystems.com to receive quarterly version update release notes one week prior to GA. Also for a demo, best practices and architecture review.

gcloud CLI EXAMPLE

Lookup

gcloud compute images describe-from-family  \
  --format="value(selfLink)"                   \
  --project chasersystems-public               \
  discriminat