
DIY Installation

Info: Ensure you've visited our marketplace page and accepted the terms & conditions, and any custom offers you may have been extended for your GCP account, first.

IMAGE IDENTIFIERS

key       value
family    discriminat
project   chasersystems-public

For older versions, drop us a line and we'll get back to you ASAP.

Info: Shared VPC support has landed in v2.3. Contact our DevSecOps for any questions or help with deployment.

DEPLOYMENT ESSENTIALS

For effective functioning, the discrimiNAT will need:

  1. A machine type with at least 2 vCPU and 2 GiB RAM. An e2-small should suffice where throughput requirements are basic and allowlists small. Otherwise an n2-highcpu-2 makes a good choice for constant throughput. Talk to our DevSecOps to get the sizing right!
  2. A service account that can read compute metadata, and write to logging and monitoring:
    serviceAccounts:
    - email: <project_number>-compute@developer.gserviceaccount.com
    scopes:
    - https://www.googleapis.com/auth/compute.readonly
    - https://www.googleapis.com/auth/logging.write
    - https://www.googleapis.com/auth/monitoring.write
  3. Ability to forward IP packets with the canIpForward property turned on.
  4. A public IP.
  5. SSD disk type is recommended.

When deploying the instance(s), you may configure high availability through a Managed Instance Group (see reference implementation here), with routing and tagging as per your desired architecture. For example, for instances without a public IP, the route to the Internet (destination 0.0.0.0/0) should pass through the discrimiNAT instance, selected either by network tag or by internal load balancing.

For monitoring the logs and configuring the FQDN-based firewall egress rules, see the logs and config references.

TERRAFORM MODULES

Before you dive into the DIY code that follows, you may want to consider our fully-working modules at the Terraform Registry, which include preconfigured high-availability and further examples. In fact, one of the examples extends from the canonical terraform-google-modules/network/google module at the registry.

You will find two modules relevant to Google Cloud at the registry, which can be briefly described as:

discriminat-ilb

Architecture with internal TCP load balancers as next hops, set as the default route, with tag-based opt-out control.

discriminat-ntag

Architecture with Network Tags in VPCs for fine-grained, opt-in control over routing.

Info: Contact our DevSecOps Support for queries at any stage of your journey. Alternatively, reach out in the live chat.

TERRAFORM EXAMPLE

Lookup

provider "google" {}

data "google_compute_image" "discriminat" {
  family  = "discriminat"
  project = "chasersystems-public"
}

output "discriminat_image_self_link" {
  value = data.google_compute_image.discriminat.self_link
}

Deploy

This example deployment code is to be considered a starting point for your own architecture and requirements.

provider "google" {}

data "google_compute_image" "discriminat" {
  family  = "discriminat"
  project = "chasersystems-public"
}

resource "google_compute_instance" "discriminat" {
  name         = "discriminat"
  machine_type = "e2-small"

  can_ip_forward = true

  boot_disk {
    initialize_params {
      type  = "pd-ssd"
      image = data.google_compute_image.discriminat.self_link
    }
  }

  network_interface {
    network = "default"
    access_config {}
  }

  service_account {
    scopes = ["compute-ro", "logging-write", "monitoring-write"]
  }
}
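The service-account requirement and the tag-based default route described under Deployment Essentials, combined into one deployment as an added example that extends the Deploy block above. This is not code from the original page or from Chaser Systems. It runs the appliance under a dedicated service account instead of the project's default compute service account, granting only the three capabilities the essentials call for. The service-account name, the IAM roles chosen to back the three scopes, the route name and priority, and the two network tags are assumptions.

```hcl
provider "google" {}

# Project the provider is configured for; needed for the IAM bindings below.
data "google_project" "current" {}

data "google_compute_image" "discriminat" {
  family  = "discriminat"
  project = "chasersystems-public"
}

# Dedicated service account (name assumed), so the appliance does not run as
# the project's default compute service account, which commonly carries Editor.
resource "google_service_account" "discriminat" {
  account_id   = "discriminat-vm"
  display_name = "discrimiNAT egress firewall"
}

# Exactly the capabilities listed under Deployment Essentials: read compute
# metadata, write logs, write metrics. Role choice is an assumption.
resource "google_project_iam_member" "discriminat" {
  for_each = toset([
    "roles/compute.viewer",
    "roles/logging.logWriter",
    "roles/monitoring.metricWriter",
  ])
  project = data.google_project.current.project_id
  role    = each.value
  member  = "serviceAccount:${google_service_account.discriminat.email}"
}

resource "google_compute_instance" "discriminat" {
  name         = "discriminat"
  machine_type = "e2-small"

  # The appliance carries its own tag only; it must NOT carry the egress tag
  # used in the route below, or its own traffic would loop back to itself.
  tags = ["discriminat-appliance"]

  can_ip_forward = true

  boot_disk {
    initialize_params {
      type  = "pd-ssd"
      image = data.google_compute_image.discriminat.self_link
    }
  }

  network_interface {
    network = "default"
    access_config {} # public IP, as required
  }

  service_account {
    email  = google_service_account.discriminat.email
    scopes = ["compute-ro", "logging-write", "monitoring-write"]
  }
}

# Default route for tagged workloads. Priority 900 beats the VPC's
# pre-existing Internet-gateway route (priority 1000), but only instances
# carrying the "discriminat-egress" tag (name assumed) use it.
resource "google_compute_route" "egress_via_discriminat" {
  name              = "egress-via-discriminat"
  network           = "default"
  dest_range        = "0.0.0.0/0"
  priority          = 900
  tags              = ["discriminat-egress"]
  next_hop_instance = google_compute_instance.discriminat.self_link
}
```

Workloads whose egress should pass through the appliance get the `discriminat-egress` tag and no public IP of their own; untagged instances keep the VPC's default Internet route. On the `default` network the built-in `default-allow-internal` firewall rule already lets those workloads reach the appliance; on a custom VPC, add an ingress rule to the appliance scoped to your subnet ranges.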

gcloud CLI EXAMPLE

Lookup

gcloud compute images describe-from-family discriminat \
  --project chasersystems-public \
  --format="value(selfLink)"