gcp-simple-lz/README.md (2025-04-25 06:45:10 +02:00)
# GCP Simple Landing Zone
A simple landing zone with a single-subnet VPC network, a Cloud NAT and a VPN connection.
There are two submodules:
* Network - a module that creates a VPC with defined subnets
* Cloud VPN - a module that creates a Cloud VPN
Compute Engine free tier regions:
* Oregon (**us-west1**)
  * `us-west1-a`
  * `us-west1-b`
  * `us-west1-c`
* Iowa (**us-central1**)
  * `us-central1-a`
  * `us-central1-b`
  * `us-central1-c`
  * `us-central1-f`
* South Carolina (**us-east1**)
  * `us-east1-b`
  * `us-east1-c`
  * `us-east1-d`
## Terraform and Google Cloud
Initialize Google authentication. The Terraform Google provider reads Application Default Credentials (ADC), so both logins are needed:
```shell
gcloud auth login                        # credentials for the gcloud CLI itself
gcloud auth application-default login    # ADC, used by the Terraform google provider
```
## Firewall configuration
Google Cloud network range (`gcp-range`): `192.168.16.0/20`, or `192.168.16.0/24` and `192.168.17.0/24`
On-premise network range (`on-prem-range`): `192.168.0.0/20`, or `192.168.2.0/24` and `192.168.10.0/24`
Google-owned source ranges used below: `35.235.240.0/20` is the IAP TCP forwarding range (SSH via `gcloud compute ssh --tunnel-through-iap`), and `35.199.192.0/19` is the range Cloud DNS outbound forwarding queries originate from.
* Allow ICMP traffic (`allow-icmp-ingress`):
  * from: `0.0.0.0/0`
  * to: `gcp-range`
  * protocol: `icmp`
* Allow SSH access (`allow-ssh-ingress`):
  * from: `35.235.240.0/20`, `gcp-range`, `on-prem-range`
  * to: `gcp-range`
  * protocol: `tcp`
  * port(s): `22`
* Allow Wireguard access (`allow-wireguard-ingress`):
  * from: `0.0.0.0/0`
  * to: `vm-gw-internal-ip` (the NVA only, not the whole `gcp-range`)
  * protocol: `udp`
  * port(s): `51820-51829`
* Allow web traffic (`allow-web-ingress`):
  * from: `0.0.0.0/0`, or `gcp-range` and `on-prem-range` for services that are not public
  * to: `gcp-range`
  * protocol: `tcp`
  * port(s): `80,443,5000,8080,8443` or `80,443`
* Allow DNS traffic (`allow-dns-ingress`; this rule belongs on the on-premise firewall, so that Cloud DNS can forward queries to on-premise name servers):
  * from: `35.199.192.0/19`, `gcp-range`
  * to: `on-prem-range`
  * protocol: `udp`, `tcp`
  * port(s): `53`
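The GCP-side rules from this list written as Terraform resources. This is an added example, not code from the gcp-simple-lz modules: it assumes a `var.network` holding the VPC self_link produced by the Network module, the two range variables shown, and that the NVA carries the network tag `wg-gateway`. The DNS rule is left out because it is applied on the on-premise firewall, not in the VPC.

```hcl
# Added example (not part of the gcp-simple-lz modules). Assumed inputs:
# var.network (VPC self_link from the Network module); the NVA carries the
# network tag "wg-gateway". Rules without target_tags apply to every VM in
# the VPC, which in this single-subnet network means gcp-range.

variable "network" {
  type = string
}

variable "gcp_range" {
  type    = string
  default = "192.168.16.0/20"
}

variable "on_prem_range" {
  type    = string
  default = "192.168.0.0/20"
}

locals {
  iap_range = "35.235.240.0/20" # IAP TCP forwarding (gcloud compute ssh --tunnel-through-iap)
}

resource "google_compute_firewall" "allow_icmp_ingress" {
  name          = "allow-icmp-ingress"
  network       = var.network
  direction     = "INGRESS"
  source_ranges = ["0.0.0.0/0"]

  allow {
    protocol = "icmp"
  }
}

resource "google_compute_firewall" "allow_ssh_ingress" {
  name          = "allow-ssh-ingress"
  network       = var.network
  direction     = "INGRESS"
  source_ranges = [local.iap_range, var.gcp_range, var.on_prem_range]

  allow {
    protocol = "tcp"
    ports    = ["22"]
  }
}

# Internet-facing, so scoped to the NVA by tag and logged.
resource "google_compute_firewall" "allow_wireguard_ingress" {
  name          = "allow-wireguard-ingress"
  network       = var.network
  direction     = "INGRESS"
  source_ranges = ["0.0.0.0/0"]
  target_tags   = ["wg-gateway"]

  allow {
    protocol = "udp"
    ports    = ["51820-51829"]
  }

  log_config {
    metadata = "INCLUDE_ALL_METADATA"
  }
}

# Internal variant (gcp-range and on-prem-range, ports 80/443). Widen
# source_ranges to 0.0.0.0/0 and add 5000,8080,8443 only for public services.
resource "google_compute_firewall" "allow_web_ingress" {
  name          = "allow-web-ingress"
  network       = var.network
  direction     = "INGRESS"
  source_ranges = [var.gcp_range, var.on_prem_range]

  allow {
    protocol = "tcp"
    ports    = ["80", "443"]
  }
}
```

The Wireguard rule is the only one reachable from the internet, so it is the one restricted to the gateway by `target_tags` and the one with firewall logging turned on; an ingress rule with no target applies to every instance in the VPC.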
## Configure Wireguard on NVA
Elevate to `root`:
```shell
sudo -i
```
Install wireguard software:
```shell
apt -y install wireguard-tools
```
Enable IP forwarding.
```shell
cat >/etc/sysctl.d/20-ip-forwarding.conf <<EOF
net.ipv4.ip_forward=1
EOF
sysctl -f /etc/sysctl.d/20-ip-forwarding.conf
```
Generate the interface key pair (the `umask` keeps the private key file readable by `root` only):
```shell
umask 077
wg genkey | tee /etc/wireguard/wg0.key | wg pubkey > /etc/wireguard/wg0.pub
```
Create a server config file:
```shell
cat >/etc/wireguard/wg0.conf <<EOF
[Interface]
ListenPort = 51820
Address = 172.16.1.1/30
PostUp = wg set %i private-key /etc/wireguard/%i.key
[Peer]
PublicKey = _enter_client_public_key_here_
AllowedIPs = 172.16.1.2/32,192.168.0.0/20
EOF
```
Enable and start the interface:
```shell
systemctl enable --now wg-quick@wg0.service
```
Configure the client (the on-premise peer). The server's public key is the content of `/etc/wireguard/wg0.pub` on the NVA:
```ini
[Interface]
PrivateKey = _client_private_key_here_
Address = 172.16.1.2/32
[Peer]
PublicKey = _put_server_public_key_here_
Endpoint = _put_server_external_ip_here_:51820
AllowedIPs = 172.16.1.1/30,35.199.192.0/19,192.168.16.0/20
```
> NOTE: Cloud DNS outbound forwarding sends queries to on-premise name servers from the `35.199.192.0/19` range, which is why that range is in the client's `AllowedIPs` (so the replies are routed back through the tunnel) and in the on-premise DNS firewall rule.
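The NVA itself as a Terraform resource, with the manual Wireguard steps above as its startup script. This is an added example, not code from the gcp-simple-lz modules: it assumes `var.network` and `var.subnet` (self_links from the Network module), `var.zone`, `var.client_public_key` (the on-premise peer's public key) and the `wg-gateway` tag used by the `allow-wireguard-ingress` rule, and it stands alone from the firewall example. It adds the two GCP-side settings the shell steps do not cover: `can_ip_forward`, without which GCP drops packets the VM forwards for other addresses even with `net.ipv4.ip_forward=1` set in the guest, and a custom route so that the other VMs in `gcp-range` send traffic for `192.168.0.0/20` to the NVA.

```hcl
# Added example (not part of the gcp-simple-lz modules). Assumed inputs:
# var.network, var.subnet (self_links from the Network module), var.zone,
# var.client_public_key, and the "wg-gateway" tag from the firewall rules.

variable "network" {
  type = string
}

variable "subnet" {
  type = string
}

variable "zone" {
  type    = string
  default = "us-west1-a" # a free tier zone from the list above
}

variable "client_public_key" {
  type = string # the on-premise peer's WireGuard public key
}

resource "google_compute_instance" "vm_gw" {
  name           = "vm-gw"
  machine_type   = "e2-micro"
  zone           = var.zone
  tags           = ["wg-gateway"]
  can_ip_forward = true # NVA: GCP drops forwarded packets without this, ip_forward=1 alone is not enough

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-12"
    }
  }

  network_interface {
    subnetwork = var.subnet
    access_config {} # ephemeral external IP, the WireGuard endpoint
  }

  # The manual procedure above, run at first boot; skipped on later boots.
  metadata_startup_script = <<-EOT
    #!/bin/bash
    set -euo pipefail
    [ -f /etc/wireguard/wg0.conf ] && exit 0
    apt-get update && apt-get -y install wireguard-tools
    printf 'net.ipv4.ip_forward=1\n' > /etc/sysctl.d/20-ip-forwarding.conf
    sysctl -p /etc/sysctl.d/20-ip-forwarding.conf
    umask 077
    wg genkey | tee /etc/wireguard/wg0.key | wg pubkey > /etc/wireguard/wg0.pub
    cat > /etc/wireguard/wg0.conf <<EOF
    [Interface]
    ListenPort = 51820
    Address = 172.16.1.1/30
    PostUp = wg set %i private-key /etc/wireguard/%i.key
    [Peer]
    PublicKey = ${var.client_public_key}
    AllowedIPs = 172.16.1.2/32,192.168.0.0/20
    EOF
    systemctl enable --now wg-quick@wg0.service
  EOT
}

# Return path: VMs in gcp-range reach the on-premise range through the NVA.
resource "google_compute_route" "to_on_prem" {
  name              = "to-on-prem-via-wg"
  network           = var.network
  dest_range        = "192.168.0.0/20"
  next_hop_instance = google_compute_instance.vm_gw.self_link
  priority          = 1000
}

# Value for the client's Endpoint line.
output "wg_endpoint" {
  value = "${google_compute_instance.vm_gw.network_interface[0].access_config[0].nat_ip}:51820"
}
```

The server's public key is generated on the VM and is not visible to Terraform; read `/etc/wireguard/wg0.pub` over `gcloud compute ssh --tunnel-through-iap` and paste it into the client's `PublicKey` line. The `PostUp` line keeps the private key out of `wg0.conf`, the same as in the manual steps, and the `umask` makes both key files `root`-only.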