# GCP Simple Landing Zone

A simple LZ with a single-subnet VPC network, a Cloud NAT and a VPN connection.

There are two submodules:

* Network - a module that creates a VPC with the defined subnets
* Cloud VPN - a module that creates a Cloud VPN

Compute Engine free tier regions:

* Oregon (**us-west1**)
  * `us-west1-a`
  * `us-west1-b`
  * `us-west1-c`
* Iowa (**us-central1**)
  * `us-central1-a`
  * `us-central1-b`
  * `us-central1-c`
  * `us-central1-f`
* South Carolina (**us-east1**)
  * `us-east1-b`
  * `us-east1-c`
  * `us-east1-d`

## Terraform and Google Cloud

Initialize Google authentication:

```shell
# user credentials for the gcloud CLI itself
gcloud auth login
# Application Default Credentials, which the Terraform Google provider reads
gcloud auth application-default login
```

## Firewall configuration

Google Cloud network range: `192.168.16.0/20`, or `192.168.16.0/24` and `192.168.17.0/24`

On-premise network range: `192.168.0.0/20`, or `192.168.2.0/24` and `192.168.10.0/24`

* Allow ICMP traffic (`allow-icmp-ingress`):
  * from: `0.0.0.0/0`
  * to: `gcp-range`
  * protocol: `icmp`
* Allow SSH access (`allow-ssh-ingress`):
  * from: `35.235.240.0/20`, `gcp-range`, `on-prem-range`
  * to: `gcp-range`
  * protocol: `tcp`
  * port(s): `22`
* Allow Wireguard access (`allow-wireguard-ingress`):
  * from: `0.0.0.0/0`
  * to: `vm-gw-internal-ip`
  * protocol: `udp`
  * port(s): `51820-51829`
* Allow web traffic (`allow-web-ingress`):
  * from: `0.0.0.0/0`, or `gcp-range` and `on-prem-range`
  * to: `gcp-range`
  * protocol: `tcp`
  * port(s): `80,443,5000,8080,8443` or `80,443`
* Allow DNS traffic (`allow-dns-ingress`):
  * from: `35.199.192.0/19`, `gcp-range`
  * to: `on-prem-range`

## Configure Wireguard on NVA

Elevate to `root`:

```shell
sudo -i
```

Install wireguard software:

```shell
apt -y install wireguard-tools
```

Enable IP forwarding (the NVA must route between the tunnel and the VPC):

```shell
cat >/etc/sysctl.d/20-ip-forwarding.conf <<EOF
net.ipv4.ip_forward = 1
EOF
# apply without a reboot
sysctl --system
```

Generate the server key pair; the public key goes to `/etc/wireguard/wg0.pub` (the private-key file name `wg0.key` is assumed):

```shell
# private key must be readable by root only
umask 077
wg genkey | tee /etc/wireguard/wg0.key | wg pubkey > /etc/wireguard/wg0.pub
```

Create a server config file (the listen port must lie inside the `51820-51829` range opened by `allow-wireguard-ingress`; tunnel address and peer entries depend on the on-premise side and are not shown here):

```shell
cat >/etc/wireguard/wg0.conf <<EOF
[Interface]
PrivateKey = $(cat /etc/wireguard/wg0.key)
ListenPort = 51820
EOF
chmod 600 /etc/wireguard/wg0.conf
```

> NOTE: DNS query traffic comes from the `35.199.192.0/19` range.
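As an added example, not part of this README or of the landing zone modules, the following script renders the NVA's `wg0.conf` from the values the firewall section already fixes (the `udp` `51820-51829` range of `allow-wireguard-ingress` and the on-premise range), and refuses a listen port the firewall would not let through. The tunnel address, the VPC NIC name `ens4`, the peer key and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original README: build the NVA's wg0.conf from
# values this landing zone fixes. Assumptions (placeholders, not from the
# page): tunnel address 10.8.0.1/24, VPC NIC name ens4, peer public key.

WG_PORT_MIN=51820              # udp range opened by allow-wireguard-ingress
WG_PORT_MAX=51829
ON_PREM_RANGE=192.168.0.0/20   # on-premise range from the firewall section
VPC_NIC=ens4                   # assumed NIC name on the NVA

# Succeeds only if the port is inside the range the firewall rule opens;
# otherwise the tunnel would be configured but unreachable from outside.
port_allowed() {
    [ "$1" -ge "$WG_PORT_MIN" ] && [ "$1" -le "$WG_PORT_MAX" ]
}

# Print a server config. $1 server private key, $2 listen port,
# $3 tunnel address, $4 on-prem peer public key.
render_wg0_conf() {
    port_allowed "$2" || { echo "port $2 outside $WG_PORT_MIN-$WG_PORT_MAX" >&2; return 1; }
    printf '[Interface]\nPrivateKey = %s\nAddress = %s\nListenPort = %s\n' "$1" "$3" "$2"
    # forward tunnel traffic into the VPC; needs net.ipv4.ip_forward = 1
    printf 'PostUp = iptables -A FORWARD -i %%i -j ACCEPT; iptables -t nat -A POSTROUTING -o %s -j MASQUERADE\n' "$VPC_NIC"
    printf 'PostDown = iptables -D FORWARD -i %%i -j ACCEPT; iptables -t nat -D POSTROUTING -o %s -j MASQUERADE\n' "$VPC_NIC"
    # only the on-prem range is routed through this peer, not 0.0.0.0/0
    printf '\n[Peer]\nPublicKey = %s\nAllowedIPs = %s\n' "$4" "$ON_PREM_RANGE"
}

# Write the config readable by its owner only, since it holds the private key.
# $1 destination path, then the same arguments as render_wg0_conf.
write_wg0_conf() {
    dest=$1; shift
    ( umask 077; render_wg0_conf "$@" > "$dest" ) || { rm -f "$dest"; return 1; }
}
```

Run on the NVA as `root`, `write_wg0_conf /etc/wireguard/wg0.conf "$(cat /etc/wireguard/wg0.key)" 51820 10.8.0.1/24 "<peer-public-key>"` produces a file `wg-quick` can bring up.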