# GCP Simple Landing Zone

A simple LZ with a single-subnet VPC network, a Cloud NAT and a VPN connection.

There are two submodules:

* Network - a module that creates a VPC with defined subnets
* Cloud VPN - a module that creates a Cloud VPN

Compute Engine free tier regions:

* Oregon (**us-west1**)
  * `us-west1-a`
  * `us-west1-b`
  * `us-west1-c`
* Iowa (**us-central1**)
  * `us-central1-a`
  * `us-central1-b`
  * `us-central1-c`
  * `us-central1-f`
* South Carolina (**us-east1**)
  * `us-east1-b`
  * `us-east1-c`
  * `us-east1-d`

## Terraform and Google Cloud

Initialize Google authentication. The `gcloud` CLI and the Terraform Google provider authenticate separately: the provider reads Application Default Credentials, so both commands are needed:

```shell
gcloud auth login
gcloud auth application-default login
```

## Firewall configuration

Google Cloud network range (`gcp-range`): `192.168.16.0/20`, or `192.168.16.0/24` and `192.168.17.0/24`

On-premise network range (`on-prem-range`): `192.168.0.0/20`, or `192.168.2.0/24` and `192.168.10.0/24`

* Allow ICMP traffic (`allow-icmp-ingress`):
  * from: `0.0.0.0/0`
  * to: `gcp-range`
  * protocol: `icmp`
* Allow SSH access (`allow-ssh-ingress`):
  * from: `35.235.240.0/20` (the IAP TCP forwarding range), `gcp-range`, `on-prem-range`
  * to: `gcp-range`
  * protocol: `tcp`
  * port(s): `22`
* Allow Wireguard access (`allow-wireguard-ingress`):
  * from: `0.0.0.0/0`
  * to: `vm-gw-internal-ip` (the NVA only, not the whole `gcp-range`)
  * protocol: `udp`
  * port(s): `51820-51829`
* Allow web traffic (`allow-web-ingress`):
  * from: `0.0.0.0/0`, or `gcp-range` and `on-prem-range`
  * to: `gcp-range`
  * protocol: `tcp`
  * port(s): `80,443,5000,8080,8443` or `80,443`
* Allow DNS traffic (`allow-dns-ingress`, applied on the on-premise firewall, since the destination is outside the VPC):
  * from: `35.199.192.0/19` (the Cloud DNS forwarding range), `gcp-range`
  * to: `on-prem-range`
  * protocol: `udp`, `tcp`
  * port(s): `53`

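The GCP-side rules from the list above written as Terraform resources. This is an added example, not code from this project's modules; it assumes a `google_compute_network.vpc` resource, `var.gcp_range` and `var.on_prem_range` variables, and the network tags `lz-vm`, `lz-web` and `wireguard-gw` on the instances. Each rule is scoped with `target_tags` instead of applying to every instance in the VPC, the tighter of the two "or" variants is chosen for web traffic, and the DNS rule is left out because it belongs on the on-premise firewall.

```hcl
# Added example: GCP-side ingress rules for the landing zone.
# Assumed inputs (not from this repo): google_compute_network.vpc,
# var.gcp_range (192.168.16.0/20), var.on_prem_range (192.168.0.0/20).
# GCP already has an implied deny-all ingress rule, so only allows are needed.

locals {
  # Google-published source range for IAP TCP forwarding.
  iap_tcp_forwarding_range = "35.235.240.0/20"
}

resource "google_compute_firewall" "allow_icmp_ingress" {
  name      = "allow-icmp-ingress"
  network   = google_compute_network.vpc.id
  direction = "INGRESS"

  # As in the README; tighten to [var.gcp_range, var.on_prem_range] if
  # reachability from the Internet is not needed.
  source_ranges = ["0.0.0.0/0"]
  target_tags   = ["lz-vm"]

  allow {
    protocol = "icmp"
  }
}

resource "google_compute_firewall" "allow_ssh_ingress" {
  name      = "allow-ssh-ingress"
  network   = google_compute_network.vpc.id
  direction = "INGRESS"

  source_ranges = [local.iap_tcp_forwarding_range, var.gcp_range, var.on_prem_range]
  target_tags   = ["lz-vm"]

  allow {
    protocol = "tcp"
    ports    = ["22"]
  }

  # Log accepted SSH connections so they show up in Cloud Logging.
  log_config {
    metadata = "INCLUDE_ALL_METADATA"
  }
}

resource "google_compute_firewall" "allow_wireguard_ingress" {
  name      = "allow-wireguard-ingress"
  network   = google_compute_network.vpc.id
  direction = "INGRESS"

  # Roaming clients connect from anywhere, so the source stays open,
  # but the target is only the NVA ("vm-gw-internal-ip" in the README).
  source_ranges = ["0.0.0.0/0"]
  target_tags   = ["wireguard-gw"]

  allow {
    protocol = "udp"
    ports    = ["51820-51829"]
  }
}

resource "google_compute_firewall" "allow_web_ingress" {
  name      = "allow-web-ingress"
  network   = google_compute_network.vpc.id
  direction = "INGRESS"

  # Tighter variant from the README: internal ranges and 80/443 only.
  source_ranges = [var.gcp_range, var.on_prem_range]
  target_tags   = ["lz-web"]

  allow {
    protocol = "tcp"
    ports    = ["80", "443"]
  }
}
```

Because ingress rules match on `target_tags`, an instance without the `lz-web` tag is not reachable on 80/443 even though it sits inside `gcp-range`; this is the practical way to express the "to:" column of the list in GCP, where rules attach to instances rather than to address ranges.
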
## Configure Wireguard on NVA

Elevate to `root`:

```shell
sudo -i
```

Install wireguard software (the kernel module is in-tree since Linux 5.6, so only the userspace tools are needed):

```shell
apt update && apt -y install wireguard-tools
```

Enable IP forwarding in the guest OS. On Compute Engine this is not sufficient on its own: the instance must also be created with `can_ip_forward` enabled, otherwise the VPC drops packets whose source or destination address is not the VM's own.

```shell
cat >/etc/sysctl.d/20-ip-forwarding.conf <<EOF
net.ipv4.ip_forward=1
EOF
sysctl -f /etc/sysctl.d/20-ip-forwarding.conf
```

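The Compute Engine side of the forwarding setup, as an added Terraform example (not code from this project's modules): the NVA instance with `can_ip_forward` set, the `wireguard-gw` tag the WireGuard firewall rule targets, and a VPC route that sends `on-prem-range` to the NVA so it can forward into the tunnel. It assumes `google_compute_network.vpc`, `google_compute_subnetwork.main`, `var.on_prem_range`, `var.zone` and `var.nva_image`.

```hcl
# Added example: GCE-side counterparts of net.ipv4.ip_forward=1.
# Assumed (not from this repo): google_compute_network.vpc,
# google_compute_subnetwork.main, var.on_prem_range, var.zone, var.nva_image.

resource "google_compute_address" "nva_external" {
  name = "nva-external-ip"
}

resource "google_compute_instance" "nva" {
  name         = "vm-gw"
  machine_type = "e2-micro" # free-tier size in the regions listed above
  zone         = var.zone

  # Without this the VPC silently drops forwarded packets even though
  # the guest has net.ipv4.ip_forward=1.
  can_ip_forward = true

  # "wireguard-gw" matches the target_tags of allow-wireguard-ingress.
  tags = ["wireguard-gw", "lz-vm"]

  boot_disk {
    initialize_params {
      image = var.nva_image # e.g. "debian-cloud/debian-12"
    }
  }

  network_interface {
    subnetwork = google_compute_subnetwork.main.id
    access_config {
      nat_ip = google_compute_address.nva_external.address
    }
  }

  # Shielded VM: Secure Boot rejects unsigned kernel modules, which is fine
  # here because WireGuard is in-tree on a 5.6+ kernel.
  shielded_instance_config {
    enable_secure_boot          = true
    enable_vtpm                 = true
    enable_integrity_monitoring = true
  }

  metadata = {
    # OS Login + IAP instead of project-wide SSH keys.
    enable-oslogin = "TRUE"
  }
}

# Send the on-premise range to the NVA; it forwards it into the tunnel
# (AllowedIPs = 192.168.0.0/20 on the server-side peer).
resource "google_compute_route" "to_on_prem_via_nva" {
  name              = "to-on-prem-via-nva"
  network           = google_compute_network.vpc.name
  dest_range        = var.on_prem_range # 192.168.0.0/20
  next_hop_instance = google_compute_instance.nva.self_link
  priority          = 1000
}

output "nva_external_ip" {
  description = "Use this as the Endpoint in the WireGuard client config."
  value       = google_compute_address.nva_external.address
}
```

Return traffic from `gcp-range` to `on-prem-range` needs this route as well as the guest-side forwarding; with only the sysctl setting, packets leave the tunnel but replies never come back to the NVA.
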
Generate the interface key pair. Set a restrictive umask first so the private key file is never created world-readable:

```shell
umask 077
wg genkey | tee /etc/wireguard/wg0.key | wg pubkey > /etc/wireguard/wg0.pub
```

Create a server config file. The private key is loaded from `wg0.key` in `PostUp` rather than pasted into the config (`%i` is replaced by the interface name by `wg-quick`):

```shell
cat >/etc/wireguard/wg0.conf <<EOF
[Interface]
ListenPort = 51820
Address = 172.16.1.1/30
PostUp = wg set %i private-key /etc/wireguard/%i.key

[Peer]
PublicKey = _enter_client_public_key_here_
AllowedIPs = 172.16.1.2/32,192.168.0.0/20
EOF
```

Enable and start the interface:

```shell
systemctl enable --now wg-quick@wg0.service
```

Configure the client. The peer entry needs the server's public key (`/etc/wireguard/wg0.pub` on the NVA); `PersistentKeepalive` keeps the NAT mapping open when the client sits behind NAT:

```ini
[Peer]
PublicKey = _enter_server_public_key_here_
Endpoint = _put_server_external_ip_here_:51820
AllowedIPs = 172.16.1.1/30,35.199.192.0/19,192.168.16.0/20
PersistentKeepalive = 25
```

> NOTE: Cloud DNS forwards queries to on-premise name servers from the `35.199.192.0/19` range, which is why that range is included in the client's `AllowedIPs` and in the on-premise DNS rule.