Hi,
here is my solution for the VPC challenge. Please have a look and let me know, how you would simplified it.
Thanks,
Marek
#create a project
gcloud projects create network-challenge-lab
# attach a billing account
gcloud beta billing projects link network-challenge-lab --billing-account 012161-B9DF32-722211
# create and activate the configuration(optional if you work from your local terminal)
gcloud init
# enable compute service
gcloud services enable compute
# delete default network(optional) - do this from the console as from the command line, you will have to first delete all depending resources.
# create an app-vpc custom network
gcloud compute networks create app-vpc --subnet-mode=custom
# create a frontend subnet
gcloud compute networks subnets create frontend-subnet --network app-vpc --region us-west1 --range 192.168.0.0/24
# create a backend subnet
gcloud compute networks subnets create backend-subnet --network app-vpc --region us-west1 --range 192.168.1.0/24
# create a custom role
gcloud iam roles create base_gce_role --description "Base GCE Role" --project network-challenge-lab --stage GA --permissions
monitoring.metricDescriptors.create,monitoring.metricDescriptors.get,monitoring.metricDescriptors.list,
monitoring.monitoredResourceDescriptors.get,monitoring.monitoredResourceDescriptors.list,
monitoring.timeSeries.create,logging.logEntries.create
# create a frontend service account
gcloud iam service-accounts create frontend-sa --display-name frontend-sa
# create a backend service account
gcloud iam service-accounts create backend-sa --display-name backend-sa
# add Base GCE roles to the frontend service account
gcloud iam service-accounts add-iam-policy-binding frontend-sa@network-challenge-lab.iam.gserviceaccount.com
--member serviceAccount:frontend-sa@network-challenge.iam.gserviceaccount.com --role projects/network-challenge-lab/roles/base_gce_role
# add Base GCE roles to the backend service account
gcloud iam service-accounts add-iam-policy-binding backend-sa@network-challenge-lab.iam.gserviceaccount.com
--member serviceAccount:backend-sa@network-challenge-lab.iam.gserviceaccount.com --role projects/network-challenge-lab/roles/base_gce_role
# create a frontend instance template
gcloud compute instance-templates create frontend-it --machine-type f1-micro --network app-vpc --tags open-ssh-tag
--region us-west1 --subnet frontend-subnet
--service-account frontend-sa@network-challenge-lab.iam.gserviceaccount.com
# create a backend instance template
gcloud compute instance-templates create backend-it --machine-type f1-micro --network app-vpc --region us-west1
--subnet backend-subnet --no-address
--service-account backend-sa@network-challenge-lab.iam.gserviceaccount.com
# create a frontend instance group
gcloud compute instance-groups managed create frontend-ig
--base-instance-name frontend-ig
--size 2
--template frontend-it
--zones us-west1-a,us-west1-b,us-west1-c
# setup autoscaling for the frontend instance group
gcloud compute instance-groups managed set-autoscaling frontend-ig
--max-num-replicas 3 --min-num-replicas 2 --region us-west1
# create a backend instance group
gcloud compute instance-groups managed create backend-ig
--base-instance-name backend-ig
--size 2
--template backend-it
--zones us-west1-a,us-west1-b,us-west1-c
# setup autoscaling for the frontend instance group
gcloud compute instance-groups managed set-autoscaling frontend-ig
--max-num-replicas 3 --min-num-replicas 2 --region us-west1
# create a backend instance group
gcloud compute instance-groups managed create backend-ig
--base-instance-name backend-ig
--size 2
--template backend-it
--zones us-west1-a,us-west1-b,us-west1-c
# setup autoscaling for the backend instance group
gcloud compute instance-groups managed set-autoscaling backend-ig
--max-num-replicas 3 --min-num-replicas 2 --region us-west1
# create an ingress Firewall rule to allow icmp to frontend from internet
gcloud compute --project=network-challenge-lab firewall-rules create allow-icmp-to-frontend-fwr
--network=app-vpc --allow icmp --target-service-accounts=frontend-sa@network-challenge-lab.iam.gserviceaccount.com
# create an ingress Firewall rule to allow ssh to frontend from internet using open-ssh-tag
gcloud compute firewall-rules create allow-ssh-to-frontend-fwr --network app-vpc --allow tcp:22
--target-tags=open-ssh-tag
# create an ingress Firewall rule to allow icmp to backend from frontend or backend
gcloud compute firewall-rules create allow-icmp-to-backend-fwr --network app-vpc --allow icmp
--source-ranges 192.168.1.0/24 --source-service-accounts frontend-sa@network-challenge-lab.iam.gserviceaccount.com
--target-service-accounts backend-sa@network-challenge-lab.iam.gserviceaccount.com
# create an egress Firewall rule to deny all traffic from backend with priority 3000
gcloud compute firewall-rules create block-all-from-backend-fwr --network app-vpc --action DENY --rules all
--priority=3000 --target-service-accounts backend-sa@network-challenge-lab.iam.gserviceaccount.com --direction OUT
# create an egress Firewall rule to allow icmp from backend to backend with priority 1000
gcloud compute firewall-rules create allow-icmp-between-backends-fwr --network app-vpc --allow icmp
--target-service-accounts backend-sa@network-challenge-lab.iam.gserviceaccount.com --destination-ranges 192.168.1.0/24 --direction OUT
# create an egress Firewall rule to allow ssh from backend to frontend with priority 1000
gcloud compute firewall-rules create allow-ssh-from-backends-fwr --network app-vpc --allow tcp:22
--target-service-accounts backend-sa@network-challenge-lab.iam.gserviceaccount.com --destination-ranges 192.168.0.0/24 --direction OUT
# create an ingress Firewall rule to allow ssh to backend from frontend
gcloud compute firewall-rules create allow-ssh-to-backend-from-frontend-fwr --network app-vpc --allow tcp:22 --target-service-accounts backend-sa@network-challenge-lab.iam.gserviceaccount.com --source-service-accounts frontend-sa@network-challenge-lab.iam.gserviceaccount.com --direction IN
2 Answers
This is impressive, Marek! Well done! I love that you took on the challenge of scripting everything. 👍
For your firewall rules, I notice that you decided to make separate subnets for the frontend and backend, so you could control the communication with IP address ranges. That’s a fair approach, and I’m glad you took it instead of being blocked. That said, I have another way in which you can structure things, so that the subnets and their IP ranges are not used as the basis for securing the communication. And because you and some other students have been asking about it, I took the opportunity to record new video explanations for you all. 😀 It wound up needing two videos:
As for the question you asked in your follow-up comment–about doing the challenge without tags–you should be able to set up the SSH rule however you’d like, really. If you would prefer, you could skip the tag and just have it apply to all instances–and maybe remove the rule to allow SSH at all, when you’re done with it. You could also scope it down by restricting the source IP range to only your own IP address you’re using, if you want. You could even use a curl to http://api.ipify.org to get the address programmatically, if you plan to connect from the same machine that runs the script. 😁
All in all, nicely done. Please do let me know if you have more questions after you watch my new solution videos. Thanks!
Mattias
Hi Mattias, thank you for looking into it and providing your solution. I will try to run it again to see with what exactly I was struggling as it’s some time already I did it. Just far the follow up question, I meant to do the challenge with the one subnet only without tags. If I remember well, I had an issue with the fact you mentioned in the video, that Google doesn’t have a service accounts filter for the egress rules. You structure it differently, but you are still using 2 subnets. Would it be possible to do the challenge with one subnet without using tags(except ssh)? I’ll try to run mine and yours solution in a following days to compare. If I have more question, I will ask 🙂 Thanks, Marek
Hello, Marek! Please do try things out; that’s always a good idea! 😁 I did use two subnets, yes–but it should work just as well with only one. In retrospect, maybe I should have shown it with just one, instead, to avoid any confusion. But seeing how easy it is to connect cross-region also seemed valuable. Ah, well. Please do let us know what you see!
create an ingress Firewall rule to allow icmp to backend from frontend or backend gcloud compute firewall-rules create allow-icmp-to-backend-fwr –network app-vpc –allow icmp –source-ranges 192.168.1.0/24 –source-service-accounts frontend-sa@network-challenge-lab.iam.gserviceaccount.com –target-service-accounts backend-sa@network-challenge-lab.iam.gserviceaccount.com How this will work from front end since the source ip ranges that was given is 192.168.1.0/24 (i.e was only of backend). Am I missing something here.?
Ok I got it since there was –source-service-accounts frontend-sa@network-challenge-lab.iam.gserviceaccount.com was also mentioned
This is really cool, thanks for sharing!
Can you make a challenge with the one network only without using tags?