Google Certified Associate Cloud Engineer 2020


VPC challenge lab – solution

Hi,

here is my solution for the VPC challenge. Please have a look and let me know how you would simplify it.

Thanks,

Marek


# create a project
gcloud projects create network-challenge-lab

# attach a billing account
gcloud beta billing projects link network-challenge-lab --billing-account 012161-B9DF32-722211

# create and activate the configuration (optional if you work from your local terminal)
gcloud init

# enable the Compute Engine API (full service name, so it works on any gcloud version)
gcloud services enable compute.googleapis.com

# delete the default network (optional) - do this from the console; from the command line you would first have to delete all of its dependent resources (its firewall rules)

# create the app-vpc custom-mode network
gcloud compute networks create app-vpc --subnet-mode=custom

# create a frontend subnet
gcloud compute networks subnets create frontend-subnet --network app-vpc --region us-west1 --range 192.168.0.0/24

# create a backend subnet
gcloud compute networks subnets create backend-subnet --network app-vpc --region us-west1 --range 192.168.1.0/24

# create a custom role with only the permissions the instances need to write logs and metrics
# (the permission list is a single comma-separated value: no spaces or line breaks inside it)
gcloud iam roles create base_gce_role --project network-challenge-lab \
  --description "Base GCE Role" --stage GA \
  --permissions monitoring.metricDescriptors.create,monitoring.metricDescriptors.get,monitoring.metricDescriptors.list,monitoring.monitoredResourceDescriptors.get,monitoring.monitoredResourceDescriptors.list,monitoring.timeSeries.create,logging.logEntries.create

# create a frontend service account
gcloud iam service-accounts create frontend-sa --display-name frontend-sa

# create a backend service account
gcloud iam service-accounts create backend-sa --display-name backend-sa

# grant the Base GCE role to the frontend service account
# (the role's monitoring/logging permissions apply to the project, so the binding goes on the
# project's IAM policy; binding it on the service-account resource itself would grant nothing useful)
gcloud projects add-iam-policy-binding network-challenge-lab \
  --member serviceAccount:frontend-sa@network-challenge-lab.iam.gserviceaccount.com \
  --role projects/network-challenge-lab/roles/base_gce_role

# grant the Base GCE role to the backend service account
gcloud projects add-iam-policy-binding network-challenge-lab \
  --member serviceAccount:backend-sa@network-challenge-lab.iam.gserviceaccount.com \
  --role projects/network-challenge-lab/roles/base_gce_role

# create a frontend instance template (public address, tagged for the SSH rule, runs as frontend-sa)
gcloud compute instance-templates create frontend-it --machine-type f1-micro \
  --network app-vpc --region us-west1 --subnet frontend-subnet --tags open-ssh-tag \
  --service-account frontend-sa@network-challenge-lab.iam.gserviceaccount.com

# create a backend instance template (no external IP, runs as backend-sa)
gcloud compute instance-templates create backend-it --machine-type f1-micro \
  --network app-vpc --region us-west1 --subnet backend-subnet --no-address \
  --service-account backend-sa@network-challenge-lab.iam.gserviceaccount.com

# create a regional frontend managed instance group spread over three zones
gcloud compute instance-groups managed create frontend-ig \
  --base-instance-name frontend-ig --size 2 --template frontend-it \
  --zones us-west1-a,us-west1-b,us-west1-c

# set up autoscaling for the frontend instance group
gcloud compute instance-groups managed set-autoscaling frontend-ig \
  --region us-west1 --min-num-replicas 2 --max-num-replicas 3

# create a regional backend managed instance group spread over three zones
gcloud compute instance-groups managed create backend-ig \
  --base-instance-name backend-ig --size 2 --template backend-it \
  --zones us-west1-a,us-west1-b,us-west1-c

# set up autoscaling for the backend instance group
gcloud compute instance-groups managed set-autoscaling backend-ig \
  --region us-west1 --min-num-replicas 2 --max-num-replicas 3

# ingress: allow ICMP to the frontend from the internet (omitting --source-ranges means 0.0.0.0/0)
gcloud compute firewall-rules create allow-icmp-to-frontend-fwr --project network-challenge-lab \
  --network app-vpc --direction INGRESS --allow icmp \
  --target-service-accounts frontend-sa@network-challenge-lab.iam.gserviceaccount.com

# ingress: allow SSH to the frontend from the internet, selected by the open-ssh-tag tag
gcloud compute firewall-rules create allow-ssh-to-frontend-fwr --network app-vpc \
  --direction INGRESS --allow tcp:22 --target-tags open-ssh-tag

# ingress: allow ICMP to the backend from the frontend or from the backend
# (--source-ranges and --source-service-accounts can be combined; a packet matches if it comes from either)
gcloud compute firewall-rules create allow-icmp-to-backend-fwr --network app-vpc \
  --direction INGRESS --allow icmp \
  --source-ranges 192.168.1.0/24 \
  --source-service-accounts frontend-sa@network-challenge-lab.iam.gserviceaccount.com \
  --target-service-accounts backend-sa@network-challenge-lab.iam.gserviceaccount.com

# egress: deny all traffic from the backend, priority 3000 (a higher number is a lower priority, so the
# priority-1000 allows below win; the implied allow to the metadata server 169.254.169.254 is not affected)
gcloud compute firewall-rules create block-all-from-backend-fwr --network app-vpc \
  --direction EGRESS --action DENY --rules all --priority 3000 \
  --target-service-accounts backend-sa@network-challenge-lab.iam.gserviceaccount.com

# egress: allow ICMP from backend to backend, default priority 1000
# (egress rules have no destination service-account filter, so the backend subnet CIDR stands in for "backend instances")
gcloud compute firewall-rules create allow-icmp-between-backends-fwr --network app-vpc \
  --direction EGRESS --allow icmp --destination-ranges 192.168.1.0/24 \
  --target-service-accounts backend-sa@network-challenge-lab.iam.gserviceaccount.com

# egress: allow SSH from backend to frontend, default priority 1000
gcloud compute firewall-rules create allow-ssh-from-backends-fwr --network app-vpc \
  --direction EGRESS --allow tcp:22 --destination-ranges 192.168.0.0/24 \
  --target-service-accounts backend-sa@network-challenge-lab.iam.gserviceaccount.com

# ingress: allow SSH to the backend from the frontend
gcloud compute firewall-rules create allow-ssh-to-backend-from-frontend-fwr --network app-vpc \
  --direction INGRESS --allow tcp:22 \
  --source-service-accounts frontend-sa@network-challenge-lab.iam.gserviceaccount.com \
  --target-service-accounts backend-sa@network-challenge-lab.iam.gserviceaccount.com
Marek Domaracky

Can you make a challenge with the one network only without using tags?

2 Answers

This is impressive, Marek!  Well done!  I love that you took on the challenge of scripting everything. 👍

For your firewall rules, I notice that you decided to make separate subnets for the frontend and backend, so you could control the communication with IP address ranges.  That’s a fair approach, and I’m glad you took it instead of being blocked.  That said, I have another way in which you can structure things, so that the subnets and their IP ranges are not used as the basis for securing the communication.  And because you and some other students have been asking about it, I took the opportunity to record new video explanations for you all. 😀 It wound up needing two videos:

As for the question you asked in your follow-up comment–about doing the challenge without tags–you should be able to set up the SSH rule however you’d like, really.  If you would prefer, you could skip the tag and just have it apply to all instances–and maybe remove the rule to allow SSH at all, when you’re done with it.  You could also scope it down by restricting the source IP range to only your own IP address you’re using, if you want.  You could even use a curl to http://api.ipify.org to get the address programmatically, if you plan to connect from the same machine that runs the script. 😁

All in all, nicely done.  Please do let me know if you have more questions after you watch my new solution videos.  Thanks!

Mattias
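As an added illustration of the last point in the answer above (this is not code from the thread or from the course): a small bash script that creates the frontend SSH rule scoped to the operator's current public IPv4 address (/32) rather than 0.0.0.0/0, and deletes the rule again when you are done. The project, network, rule and tag names are taken from Marek's script; the address lookup is the api.ipify.org call suggested above. The GCLOUD override variable and the validate_ipv4 helper are this example's own additions. The one thing worth copying even if you do not use the script is the validation: whatever the lookup returns (an empty string after a curl failure, an HTML page from a captive portal, an IPv6 address) must be checked before it is spliced into --source-ranges.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: create the frontend SSH rule restricted
# to the operator's current public IPv4 address (/32) instead of 0.0.0.0/0,
# and delete it again when done. Names come from Marek's script; the IP
# lookup is the api.ipify.org call from Mattias's answer.
set -eu

PROJECT=${PROJECT:-network-challenge-lab}
NETWORK=${NETWORK:-app-vpc}
RULE_NAME=${RULE_NAME:-allow-ssh-to-frontend-fwr}
SSH_TAG=${SSH_TAG:-open-ssh-tag}
# GCLOUD is an assumption of this example: set it to "echo" for a dry run.
GCLOUD=${GCLOUD:-gcloud}

# validate_ipv4 ADDR: succeed only for a dotted quad with four octets in 0-255.
# Anything else (empty string, HTML, IPv6, shell metacharacters) is rejected
# before it can reach --source-ranges.
validate_ipv4() {
  addr=${1:-}
  case "$addr" in
    ""|*[!0-9.]*) return 1 ;;   # only digits and dots are acceptable
  esac
  old_ifs=$IFS
  IFS=.
  set -- $addr                  # split on dots; the string is glob-free
  IFS=$old_ifs
  [ "$#" -eq 4 ] || return 1
  for octet in "$@"; do
    [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# my_public_ip: the IPv4 address the internet sees for this machine (network call).
my_public_ip() {
  curl -fsS --max-time 10 https://api.ipify.org
}

# create_scoped_ssh_rule ADDR: ingress tcp:22 from ADDR/32 to instances
# carrying the SSH tag. Refuses anything that is not a valid IPv4 address.
create_scoped_ssh_rule() {
  src=${1:-}
  if ! validate_ipv4 "$src"; then
    printf 'refusing to use "%s" as a source range\n' "$src" >&2
    return 1
  fi
  "$GCLOUD" compute firewall-rules create "$RULE_NAME" \
    --project "$PROJECT" --network "$NETWORK" --direction INGRESS \
    --allow tcp:22 --source-ranges "$src/32" --target-tags "$SSH_TAG"
}

# delete_ssh_rule: remove the rule once SSH access is no longer needed.
delete_ssh_rule() {
  "$GCLOUD" compute firewall-rules delete "$RULE_NAME" --project "$PROJECT" --quiet
}

# Only talks to the network and to gcloud when invoked as "script apply" or
# "script cleanup", so the functions above can be sourced or tested offline.
case "${1:-}" in
  apply)   create_scoped_ssh_rule "$(my_public_ip)" ;;
  cleanup) delete_ssh_rule ;;
esac
```

Run it as `./scoped-ssh.sh apply` from the machine you will SSH from, and `./scoped-ssh.sh cleanup` when you are finished; `GCLOUD=echo ./scoped-ssh.sh apply` prints the command instead of running it. The rule still uses the open-ssh-tag tag from the original script, so nothing else in the rule set changes.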

Marek Domaracky

Hi Mattias, thank you for looking into it and providing your solution. I will try to run it again to see what exactly I was struggling with, as it's been some time since I did it. Just for the follow-up question, I meant doing the challenge with one subnet only, without tags. If I remember well, I had an issue with the fact you mentioned in the video, that Google doesn't have a service accounts filter for the egress rules. You structure it differently, but you are still using 2 subnets. Would it be possible to do the challenge with one subnet without using tags (except for ssh)? I'll try to run my solution and yours in the following days to compare. If I have more questions, I will ask 🙂 Thanks, Marek

Mattias Andersson

Hello, Marek! Please do try things out; that’s always a good idea! 😁 I did use two subnets, yes–but it should work just as well with only one. In retrospect, maybe I should have shown it with just one, instead, to avoid any confusion. But seeing how easy it is to connect cross-region also seemed valuable. Ah, well. Please do let us know what you see!

Cloud Geeks

create an ingress Firewall rule to allow icmp to backend from frontend or backend: gcloud compute firewall-rules create allow-icmp-to-backend-fwr --network app-vpc --allow icmp --source-ranges 192.168.1.0/24 --source-service-accounts frontend-sa@network-challenge-lab.iam.gserviceaccount.com --target-service-accounts backend-sa@network-challenge-lab.iam.gserviceaccount.com. How will this work from the frontend, since the source IP range given is 192.168.1.0/24 (i.e. only the backend's)? Am I missing something here?

Cloud Geeks

OK, I got it, since --source-service-accounts frontend-sa@network-challenge-lab.iam.gserviceaccount.com was also mentioned.

This is really cool, thanks for sharing!
