DIY Installation
Info: Ensure you've visited our marketplace page and accepted the terms & conditions, and any custom offers you may have been extended for your GCP account, first.
IMAGE IDENTIFIERS
| key | value |
|---|---|
| family | discriminat |
| project | chasersystems-public |
For older versions, drop us a line and we'll get back to you ASAP.
Info: Shared VPC support has landed in v2.3. Contact our DevSecOps for any questions or help with deployment.
DEPLOYMENT ESSENTIALS
For effective functioning, the discrimiNAT will need:
- A machine type with at least 2 vCPU and 2 GiB RAM. An e2-small should suffice where throughput requirements are basic and allowlists small. Otherwise an n2-highcpu-2 makes a good choice for constant throughput. Talk to our DevSecOps to get the sizing right!
- A service account that can read compute metadata, and write to logging and monitoring:
  ```yaml
  serviceAccounts:
  - email: <project_number>-compute@developer.gserviceaccount.com
    scopes:
    - https://www.googleapis.com/auth/compute.readonly
    - https://www.googleapis.com/auth/logging.write
    - https://www.googleapis.com/auth/monitoring.write
  ```
- Ability to forward IP packets, with the canIpForward property turned on.
- A public IP.
- SSD disk type is recommended.
When deploying the instance(s), you may configure high-availability through a Managed Instance Group (see reference implementation here), routing and tagging as per your desired architecture. For example, the route to the Internet will be for destination 0.0.0.0/0 for instances without a public IP and should pass through the discrimiNAT instance – whether by tagging or by internal load-balancing.
For monitoring the logs and configuring the FQDN-based firewall egress rules, see the logs and config references.
TERRAFORM MODULES
Before you dive into the DIY code that follows, you may want to consider our fully-working modules at the Terraform Registry, which include preconfigured high-availability and further examples. In fact, one of the examples extends from the canonical terraform-google-modules/network/google module at the registry.
You will find two modules relevant to Google Cloud at the registry, which can be briefly described as:
discriminat-ilb
Architecture with internal TCP load balancers as next hops set as the default route, and tag based opt-out control.
discriminat-ntag
Architecture with Network Tags in VPCs for fine-grained, opt-in control over routing.
Info: Contact our DevSecOps Support for queries at any stage of your journey. Alternatively, reach out in the live chat.
TERRAFORM EXAMPLE
Lookup
```hcl
provider "google" {}

data "google_compute_image" "discriminat" {
  family  = "discriminat"
  project = "chasersystems-public"
}

output "discriminat_image_self_link" {
  value = data.google_compute_image.discriminat.self_link
}
```
Deploy
This example deployment code is to be considered a starting point for your own architecture and requirements.
```hcl
provider "google" {}

data "google_compute_image" "discriminat" {
  family  = "discriminat"
  project = "chasersystems-public"
}

resource "google_compute_instance" "discriminat" {
  name           = "discriminat"
  machine_type   = "e2-small"
  can_ip_forward = true

  boot_disk {
    initialize_params {
      type  = "pd-ssd"
      image = data.google_compute_image.discriminat.self_link
    }
  }

  network_interface {
    network = "default"
    access_config {}
  }

  service_account {
    scopes = ["compute-ro", "logging-write", "monitoring-write"]
  }
}
```
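The deployment essentials listed earlier (IP forwarding, the three service-account scopes, a public IP, an SSD boot disk) and the starting-point deployment above, carried through to a tag-based routing setup as an added example. This is not code from the discrimiNAT documentation or from the chasersystems Terraform Registry modules. It assumes Terraform variables project_id, region and zone, a VPC named default, a dedicated service account named discriminat-nat in place of the default compute service account, the network tags discriminat and nat-via-discriminat, and that the IAM roles compute.viewer, logging.logWriter and monitoring.metricWriter are the least-privilege counterparts of the compute.readonly, logging.write and monitoring.write scopes.

```hcl
# Added example; not part of the discrimiNAT docs or the chasersystems modules.
# Assumed inputs: project_id, region and zone variables; a VPC named "default".
variable "project_id" {
  type = string
}

variable "region" {
  type    = string
  default = "europe-west2" # assumption
}

variable "zone" {
  type    = string
  default = "europe-west2-a" # assumption
}

provider "google" {
  project = var.project_id
  region  = var.region
  zone    = var.zone
}

data "google_compute_image" "discriminat" {
  family  = "discriminat"
  project = "chasersystems-public"
}

# Dedicated service account (name is an assumption) so the NAT instance does not
# run as the project's default compute service account.
resource "google_service_account" "discriminat" {
  account_id   = "discriminat-nat"
  display_name = "discrimiNAT egress filter"
}

# Least-privilege roles matching the read-compute / write-logs / write-metrics need.
resource "google_project_iam_member" "discriminat" {
  for_each = toset([
    "roles/compute.viewer",
    "roles/logging.logWriter",
    "roles/monitoring.metricWriter",
  ])
  project = var.project_id
  role    = each.value
  member  = "serviceAccount:${google_service_account.discriminat.email}"
}

resource "google_compute_instance" "discriminat" {
  name           = "discriminat"
  machine_type   = "e2-small"
  can_ip_forward = true         # required: the instance forwards packets it did not originate
  tags           = ["discriminat"]

  boot_disk {
    initialize_params {
      type  = "pd-ssd"          # SSD disk type, as recommended
      image = data.google_compute_image.discriminat.self_link
    }
  }

  network_interface {
    network = "default"
    access_config {}            # ephemeral public IP, required for egress
  }

  service_account {
    email  = google_service_account.discriminat.email
    scopes = ["compute-ro", "logging-write", "monitoring-write"]
  }
}

# Default route for private-IP workloads carrying the opt-in tag: next hop is the
# discrimiNAT instance. Priority 900 beats the VPC's default-internet-gateway route (1000).
resource "google_compute_route" "egress_via_discriminat" {
  name              = "egress-via-discriminat"
  network           = "default"
  dest_range        = "0.0.0.0/0"
  priority          = 900
  tags              = ["nat-via-discriminat"]
  next_hop_instance = google_compute_instance.discriminat.self_link
}

# Only tagged workloads may send traffic to the NAT instance; other sources are not matched.
resource "google_compute_firewall" "tagged_to_discriminat" {
  name        = "allow-tagged-to-discriminat"
  network     = "default"
  direction   = "INGRESS"
  source_tags = ["nat-via-discriminat"]
  target_tags = ["discriminat"]

  allow {
    protocol = "tcp"
  }

  allow {
    protocol = "udp"
  }
}
```

Apply with `terraform init && terraform apply -var project_id=<your-project>`, then add the network tag nat-via-discriminat to the private-IP instances whose egress should be filtered; untagged instances keep following the VPC's default route. The route is the single-instance form of the tag-based architecture; the Registry's discriminat-ntag and discriminat-ilb modules replace the next_hop_instance with a Managed Instance Group or an internal load balancer for high availability.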
gcloud CLI EXAMPLE
Lookup
```shell
gcloud compute images describe-from-family \
  --format="value(selfLink)" \
  --project chasersystems-public \
  discriminat
```