There are no `discriminat-config` logs at all.
- Check if the service account for DiscrimiNAT instances is enabled. It is the default Compute Engine account if DiscrimiNAT is deployed through the Marketplace directly. If deployed through Terraform, the default service account is the same unless overridden with the
- Check if the Cloud Logging API is enabled.
Clients' network traffic sometimes allowed, sometimes not.
Please upgrade the machine type from `e2-small` to `n2-highcpu-2`. This is done via the `machine_type` Terraform variable.
The `e2-small` machine type only suffices for light loads and a few clients. The `n2-highcpu-2` offers the best CPU-to-egress-bandwidth and price ratios for the kind of work involved.
The `n2-standard-*` machine types are not recommended because DiscrimiNAT is not a memory-intensive application, so machines with more memory than needed are not a cost-optimal choice.
There are no `discriminat-flow` logs from certain clients.
Certain, or all, clients may not even be able to access the Internet in this case. Requests would time out instead of being quickly terminated with a reset.
- Check if the subnet, where the affected clients are, is allowed for ingress in a firewall rule named "discriminat-<custom_deployment_id>-from-clients".
If deployed via our Terraform module, additional subnets can be added to this firewall rule through the
see-thru mode not working
If the `discriminat-config` logs do not show a log line picking up a see-thru rule, you may have a problem with the annotation's syntax.
The see-thru mode requires a firewall rule to:
- allow all ports
- allow all protocols
- allow the 0.0.0.0/0 IP range
- have the Egress direction of traffic
- have a valid calendar date specified in the description field. For example, `discriminat:see-thru:2022-02-29` is NOT a valid date but
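The two firewall-rule conditions above (the client subnet being covered by the `discriminat-<custom_deployment_id>-from-clients` ingress rule, and a see-thru rule meeting every item of the checklist) can be verified offline from the rule's JSON. The following is an added example, not code from the page or from the DiscrimiNAT project; it assumes the field names of `gcloud compute firewall-rules describe --format=json` output (`direction`, `sourceRanges`, `destinationRanges`, `allowed`, `description`), and all sample rules, CIDRs and the deployment id `example` are constructed.

```python
"""Offline checks for the from-clients ingress rule and see-thru egress rules.
Rules are modelled as dicts in the shape of
`gcloud compute firewall-rules describe --format=json` output; the field names
are assumed from that format and every sample value below is constructed."""
import datetime
import ipaddress
import re

# Annotation format described on the page: discriminat:see-thru:YYYY-MM-DD
SEE_THRU_RE = re.compile(r"discriminat:see-thru:(\d{4}-\d{2}-\d{2})")


def client_subnet_allowed(rule: dict, subnet: str) -> bool:
    """True if `subnet` is fully covered by a sourceRange of the ingress rule
    named discriminat-<custom_deployment_id>-from-clients."""
    net = ipaddress.ip_network(subnet, strict=False)
    if rule.get("direction") != "INGRESS":
        return False
    for cidr in rule.get("sourceRanges", []):
        allowed = ipaddress.ip_network(cidr, strict=False)
        # subnet_of() raises on mixed IPv4/IPv6, so compare versions first
        if allowed.version == net.version and net.subnet_of(allowed):
            return True
    return False


def see_thru_problems(rule: dict) -> list:
    """Return the see-thru requirements the rule violates (empty list means OK)."""
    problems = []
    if rule.get("direction") != "EGRESS":
        problems.append("direction must be EGRESS")
    if "0.0.0.0/0" not in rule.get("destinationRanges", []):
        problems.append("destination range must be 0.0.0.0/0")
    # gcloud represents "--allow=all" as {"IPProtocol": "all"} with no ports list
    if not any(a.get("IPProtocol") == "all" and not a.get("ports")
               for a in rule.get("allowed", [])):
        problems.append("must allow all protocols on all ports")
    match = SEE_THRU_RE.search(rule.get("description", ""))
    if match is None:
        problems.append("description lacks a discriminat:see-thru:YYYY-MM-DD annotation")
    else:
        try:
            # fromisoformat() rejects impossible dates such as 2022-02-29
            datetime.date.fromisoformat(match.group(1))
        except ValueError:
            problems.append(f"{match.group(1)} is not a valid calendar date")
    return problems


# Constructed sample rules (deployment id "example" is a placeholder)
FROM_CLIENTS_RULE = {
    "name": "discriminat-example-from-clients",
    "direction": "INGRESS",
    "sourceRanges": ["10.0.1.0/24", "10.0.2.0/24"],
    "allowed": [{"IPProtocol": "all"}],
}
GOOD_SEE_THRU_RULE = {
    "name": "see-thru-until-leap-day",
    "direction": "EGRESS",
    "destinationRanges": ["0.0.0.0/0"],
    "allowed": [{"IPProtocol": "all"}],
    "description": "discriminat:see-thru:2024-02-29",
}
BAD_SEE_THRU_RULE = {
    "name": "see-thru-broken",
    "direction": "INGRESS",
    "destinationRanges": ["0.0.0.0/0"],
    "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}],
    "description": "discriminat:see-thru:2022-02-29",
}

if __name__ == "__main__":
    print("10.0.1.0/24 covered:", client_subnet_allowed(FROM_CLIENTS_RULE, "10.0.1.0/24"))
    print("10.0.9.0/24 covered:", client_subnet_allowed(FROM_CLIENTS_RULE, "10.0.9.0/24"))
    for rule in (GOOD_SEE_THRU_RULE, BAD_SEE_THRU_RULE):
        print(rule["name"], "->", see_thru_problems(rule) or "OK")
```

Feed the functions the parsed output of `gcloud compute firewall-rules describe <rule> --format=json` to get the same report for a real rule; a subnet that is only partially covered by the source ranges is reported as not allowed, which matches the symptom of some clients in that subnet timing out.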
Service Projects' network traffic not going through
If the `discriminat-config` logs do not show log lines picking up VM Instances' IPs or other managed services' subnets from the Service Projects, you may have a problem with how the service account was configured.
For Service Projects to work through the DiscrimiNAT, ensure that:
- DiscrimiNAT is running with a custom service account. This is overridden with the `custom_service_account_email` variable in Terraform.
- The Role to be associated with that service account is defined at the Organisation level in your Google Cloud and NOT at the Project level.
- The IAM binding of the service account to that Role should be defined at the Folder† level (or the Organisation level) and NOT at the Project level.
† The chosen Folder should contain the Host project and all Service projects either directly or through subfolders.
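The three conditions in this checklist can be tested against the IAM policies of the Host project, Folder and Organisation without touching the deployment. The following is an added example, not code from the page or from the DiscrimiNAT project; it assumes the policy shape returned by `gcloud resource-manager folders get-iam-policy` (and its organisation and project equivalents), the `<project-number>-compute@developer.gserviceaccount.com` form of the default Compute Engine account, and Google Cloud's `organizations/<id>/roles/<id>` and `projects/<id>/roles/<id>` custom-role names; every folder, organisation and project id, role id and e-mail address below is constructed.

```python
"""Offline check of the service-account checklist for Service Projects.
`policies` maps a resource name ('folders/<id>', 'organizations/<id>',
'projects/<id>') to its IAM policy dict: {"bindings": [{"role": ..., "members": [...]}]}.
Field names and name formats are assumed from Google Cloud's IAM output;
all sample values are constructed."""
import re

# Default Compute Engine service account: <project-number>-compute@developer.gserviceaccount.com
DEFAULT_COMPUTE_SA = re.compile(r"^\d+-compute@developer\.gserviceaccount\.com$")


def role_scope(role: str) -> str:
    """Where a role is defined: 'organization', 'project', 'predefined' or 'unknown'."""
    if role.startswith("organizations/"):
        return "organization"
    if role.startswith("projects/"):
        return "project"
    if role.startswith("roles/"):
        return "predefined"
    return "unknown"


def resources_binding(sa_email: str, role: str, policies: dict) -> list:
    """Resource names whose policy binds the service account to the role."""
    member = f"serviceAccount:{sa_email}"
    return [
        resource for resource, policy in policies.items()
        if any(b.get("role") == role and member in b.get("members", [])
               for b in policy.get("bindings", []))
    ]


def service_account_findings(sa_email: str, role: str, policies: dict) -> list:
    """Return the checklist items that are not met (empty list means OK)."""
    findings = []
    if DEFAULT_COMPUTE_SA.match(sa_email):
        findings.append("running as the default Compute Engine service account; "
                        "set custom_service_account_email")
    if role_scope(role) != "organization":
        findings.append(f"role {role} is defined at {role_scope(role)} level, "
                        "not at the Organisation level")
    bound = resources_binding(sa_email, role, policies)
    if not any(r.startswith(("folders/", "organizations/")) for r in bound):
        where = ", ".join(bound) if bound else "nowhere"
        findings.append("no Folder- or Organisation-level binding of the service "
                        f"account to the role (bound: {where})")
    return findings


# Constructed sample data (ids, role name and e-mails are placeholders)
ORG_ROLE = "organizations/111111111111/roles/discriminatServiceProjects"
PROJECT_ROLE = "projects/host-proj/roles/discriminatServiceProjects"
CUSTOM_SA = "discriminat@host-proj.iam.gserviceaccount.com"
DEFAULT_SA = "123456789012-compute@developer.gserviceaccount.com"

GOOD_POLICIES = {
    "folders/222222222222": {
        "bindings": [{"role": ORG_ROLE, "members": [f"serviceAccount:{CUSTOM_SA}"]}],
    },
}
BAD_POLICIES = {
    "projects/host-proj": {
        "bindings": [{"role": PROJECT_ROLE, "members": [f"serviceAccount:{DEFAULT_SA}"]}],
    },
}

if __name__ == "__main__":
    print("good:", service_account_findings(CUSTOM_SA, ORG_ROLE, GOOD_POLICIES) or "OK")
    print("bad:", service_account_findings(DEFAULT_SA, PROJECT_ROLE, BAD_POLICIES))
```

The Folder passed in should be the one that contains the Host project and all Service projects, as the footnote states; a binding that exists only on the Host project is reported because the Service projects never inherit it.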
For more details on the service account and the Role required, please see the Service Account page.