GCP Simple Landing Zone

A simple LZ with a single-subnet VPC network, a Cloud NAT and a VPN connection.

There are two submodules:

  • Network - a module that creates a VPC with defined subnets
  • Cloud VPN - a module that creates a Cloud VPN

Compute Engine free tier regions:

  • Oregon (us-west1)
    • us-west1-a
    • us-west1-b
    • us-west1-c
  • Iowa (us-central1)
    • us-central1-a
    • us-central1-b
    • us-central1-c
    • us-central1-f
  • South Carolina (us-east1)
    • us-east1-b
    • us-east1-c
    • us-east1-d

Terraform and Google Cloud

Initialize Google authentication:

gcloud auth

Firewall configuration

Google Cloud network range: 192.168.16.0/20 or 192.168.16.0/24 and 192.168.17.0/24
On-premises network range: 192.168.0.0/20 or 192.168.2.0/24 and 192.168.10.0/24

  • Allow ICMP traffic (allow-icmp-ingress):
    • from: 0.0.0.0/0
    • to: gcp-range
    • protocol: icmp
  • Allow SSH access (allow-ssh-ingress):
    • from: 35.235.240.0/20, gcp-range, on-prem-range
    • to: gcp-range
    • protocol: tcp
    • port(s): 22
  • Allow WireGuard access (allow-wireguard-ingress):
    • from: 0.0.0.0/0
    • to: vm-gw-internal-ip
    • protocol: udp
    • port(s): 51820-51829
  • Allow web traffic (allow-web-ingress):
    • from: 0.0.0.0/0 or gcp-range and on-prem-range
    • to: gcp-range
    • protocol: tcp
    • port(s): 80,443,5000,8080,8443 or 80,443
  • Allow DNS traffic (allow-dns-ingress):
    • from: 35.199.192.0/19, gcp-range
    • to: on-prem-range
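The allow-ssh-ingress and allow-wireguard-ingress rules above written as Terraform resources, added here as an example and not part of this repository's modules. The variable names, the VPC name lz-vpc and the wg-gateway network tag are assumptions; the ranges are the ones listed above.

```hcl
# Assumed names (not from the repository): lz-vpc network, wg-gateway tag.
variable "network"       { default = "lz-vpc" }
variable "gcp_range"     { default = "192.168.16.0/20" }
variable "on_prem_range" { default = "192.168.0.0/20" }
variable "iap_range"     { default = "35.235.240.0/20" }

resource "google_compute_firewall" "allow_ssh_ingress" {
  name      = "allow-ssh-ingress"
  network   = var.network
  direction = "INGRESS"
  priority  = 1000

  # Only the IAP range, the VPC itself and the on-prem range may reach
  # port 22; 0.0.0.0/0 is deliberately not in this list.
  source_ranges      = [var.iap_range, var.gcp_range, var.on_prem_range]
  destination_ranges = [var.gcp_range]

  allow {
    protocol = "tcp"
    ports    = ["22"]
  }

  # Log matches so SSH connection attempts are visible in Cloud Logging.
  log_config {
    metadata = "INCLUDE_ALL_METADATA"
  }
}

resource "google_compute_firewall" "allow_wireguard_ingress" {
  name      = "allow-wireguard-ingress"
  network   = var.network
  direction = "INGRESS"
  priority  = 1000

  # The table scopes this rule to the gateway VM's internal IP; here the
  # scope is a network tag carried only by the gateway instance, so the
  # UDP ports are not opened on every VM in the VPC.
  source_ranges = ["0.0.0.0/0"]
  target_tags   = ["wg-gateway"]

  allow {
    protocol = "udp"
    ports    = ["51820-51829"]
  }

  log_config {
    metadata = "INCLUDE_ALL_METADATA"
  }
}
```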

Configure WireGuard on NVA

Elevate to root:

sudo -i

Install the WireGuard software:

apt -y install wireguard-tools

Enable IP forwarding:

cat >/etc/sysctl.d/20-ip-forwarding.conf <<EOF
net.ipv4.ip_forward=1
EOF
sysctl -f /etc/sysctl.d/20-ip-forwarding.conf

Generate interface key pair:

wg genkey | tee /etc/wireguard/wg0.key | wg pubkey > /etc/wireguard/wg0.pub

Create a server config file:

cat >/etc/wireguard/wg0.conf <<EOF
[Interface]
ListenPort = 51820
Address = 172.16.1.1/30
PostUp = wg set %i private-key /etc/wireguard/%i.key

[Peer]
PublicKey = _enter_client_public_key_here_
AllowedIPs = 172.16.1.2/32,192.168.0.0/20
EOF

Enable and start the interface:

systemctl enable --now wg-quick@wg0.service

Configure the client. Its [Interface] section uses 172.16.1.2/32 (the address listed in the server's AllowedIPs) and the client's own private key; the server's public key is the content of /etc/wireguard/wg0.pub on the NVA. The peer section is:

[Peer]
PublicKey = _enter_server_public_key_here_
Endpoint = _put_server_external_ip_here_:51820
AllowedIPs = 172.16.1.1/30,35.199.192.0/19,192.168.16.0/20

NOTE: DNS queries forwarded by Cloud DNS to on-premises name servers originate from the 35.199.192.0/19 range, which is why that range appears in the allow-dns-ingress rule and in the client's AllowedIPs.