Set up a GCP Shared VPC with a custom subnet using the gcloud CLI

 

The host project will contain the network that the Elastifile deployment uses.

The service project will contain the Elastifile compute resources.

 

Host project: support-team-a

Service project: support-team-b


Configure the Service Project ("support-team-b")

Log in to the service account for the service project

gcloud auth login chutch@support-team-b.iam.gserviceaccount.com

Set the active gcloud project to the service project

gcloud config set project support-team-b

Grant the service account the roles required for the deployment in the service project

gcloud projects add-iam-policy-binding support-team-b --member "serviceAccount:chutch@support-team-b.iam.gserviceaccount.com" --role "roles/compute.instanceAdmin.v1"
gcloud projects add-iam-policy-binding support-team-b --member "serviceAccount:chutch@support-team-b.iam.gserviceaccount.com" --role "roles/iam.serviceAccountUser"
gcloud projects add-iam-policy-binding support-team-b --member "serviceAccount:chutch@support-team-b.iam.gserviceaccount.com" --role "roles/compute.networkAdmin"
gcloud projects add-iam-policy-binding support-team-b --member "serviceAccount:chutch@support-team-b.iam.gserviceaccount.com" --role "roles/compute.networkUser"
gcloud projects add-iam-policy-binding support-team-b --member "serviceAccount:chutch@support-team-b.iam.gserviceaccount.com" --role "roles/storage.admin"
gcloud projects add-iam-policy-binding support-team-b --member "serviceAccount:chutch@support-team-b.iam.gserviceaccount.com" --role "roles/compute.imageUser"
gcloud projects add-iam-policy-binding support-team-b --member "serviceAccount:chutch@support-team-b.iam.gserviceaccount.com" --role "roles/editor"

 


Configure the Host Project ("support-team-a")

Log in to the service account for the host project

gcloud auth login chutch@support-team-a.iam.gserviceaccount.com

Set the active gcloud project to the host project

gcloud config set project support-team-a

Verify that the credentials, region and zone are set for the host project

gcloud config list
[compute]
region = us-central1
zone = us-central1-f
[core]
account = chutch@support-team-a.iam.gserviceaccount.com
project = support-team-a

Enable Shared VPC on the host project

(This requires the compute.organizations.enableXpnHost permission, granted from the parent organization.)

gcloud compute shared-vpc enable support-team-a

Attach the service project to the host project's Shared VPC

gcloud compute shared-vpc associated-projects add --host-project=support-team-a support-team-b

Verify from the host project that the service project is attached

gcloud compute shared-vpc associated-projects list support-team-a
RESOURCE_ID     RESOURCE_TYPE
support-team-b  PROJECT

Verify from the service project that the host project is configured

gcloud compute shared-vpc get-host-project support-team-b
kind: compute#project
name: support-team-a

 


Set up a custom subnet in the host project

Create a custom-mode VPC network in the host project

gcloud compute networks create elastifile-support --subnet-mode custom

Define the subnet's region and IP range in the host project

gcloud compute networks subnets create elastifile-central1 --network elastifile-support --region us-central1 --range 10.200.0.0/20

Save the custom subnet's IAM policy to a file

gcloud beta compute networks subnets get-iam-policy elastifile-central1 --project support-team-a --format json > subnet-policy.json

Edit subnet-policy.json, adding the service account from the service project

{
  "bindings": [
    {
      "members": [
        "serviceAccount:chutch@support-team-b.iam.gserviceaccount.com"
      ],
      "role": "roles/compute.networkUser"
    }
  ],
  "etag": "ACAB"
}

Apply the updated IAM policy to the custom subnet from the host project

gcloud beta compute networks subnets set-iam-policy elastifile-central1 subnet-policy.json --project support-team-a
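An added helper (not the page's own code) for the edit-and-apply step above: rather than hand-writing subnet-policy.json, it merges the service-project account into the existing roles/compute.networkUser binding so that other grants and the etag survive, because set-iam-policy replaces the whole policy. The exported policy embedded here is a constructed sample, and the second service account in it is assumed for illustration.

```python
import json
from copy import deepcopy

# Constructed sample standing in for the JSON that
#   gcloud beta compute networks subnets get-iam-policy elastifile-central1 ... --format json
# exported; it is assumed here to already carry one unrelated grant on the subnet.
EXPORTED_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/compute.networkUser",
     "members": ["serviceAccount:other-app@support-team-b.iam.gserviceaccount.com"]}
  ],
  "etag": "ACAB"
}
""")

NETWORK_USER = "roles/compute.networkUser"


def add_network_user(policy: dict, member: str) -> dict:
    """Return a copy of policy with member granted roles/compute.networkUser.

    set-iam-policy replaces the whole policy, so a hand-written file holding
    only the new member would silently drop every other grant on the subnet;
    the etag is kept so a concurrent change is rejected instead of overwritten.
    """
    updated = deepcopy(policy)
    bindings = updated.setdefault("bindings", [])
    for binding in bindings:
        if binding.get("role") == NETWORK_USER:
            members = binding.setdefault("members", [])
            if member not in members:
                members.append(member)
            break
    else:  # no networkUser binding yet (the usual case for a fresh subnet)
        bindings.append({"role": NETWORK_USER, "members": [member]})
    return updated


def granted_roles(policy: dict) -> set:
    """Roles present on the subnet policy, for review: Shared VPC only needs networkUser."""
    return {b.get("role") for b in policy.get("bindings", [])}


if __name__ == "__main__":
    policy = add_network_user(
        EXPORTED_POLICY, "serviceAccount:chutch@support-team-b.iam.gserviceaccount.com")
    with open("subnet-policy.json", "w") as fh:  # the file the page passes to set-iam-policy
        json.dump(policy, fh, indent=2)
```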

Add firewall rules for the custom subnet in the host project

gcloud compute firewall-rules create elastifile-central1-allow-icmp --network elastifile-support  --priority 65534 --allow icmp --source-ranges 0.0.0.0/0 --no-disabled
gcloud compute firewall-rules create elastifile-central1-allow-ssh --network elastifile-support  --priority 65534 --allow tcp:22 --source-ranges 0.0.0.0/0 --no-disabled
gcloud compute firewall-rules create elastifile-central1-allow-https --network elastifile-support  --priority 1000 --target-tags https-server --allow tcp:443 --source-ranges 0.0.0.0/0 --no-disabled

 

gcloud compute firewall-rules create elastifile-central1-allow-internal --network elastifile-support  --priority 65534 --allow tcp:0-65535,udp:0-65535,icmp --source-ranges 10.200.0.0/20 --no-disabled
gcloud compute firewall-rules create elastifile-central1-storage-management --network elastifile-support --priority 1000 --direction ingress --target-tags elastifile-management-node --source-tags elastifile-storage-node,elastifile-replication-node,elastifile-clients --source-ranges 10.200.0.0/20 --allow icmp,tcp:22,tcp:53,tcp:80,tcp:8080,tcp:443,tcp:10014-10017,udp:53,udp:123,udp:6667 --no-disabled 
gcloud compute firewall-rules create elastifile-central1-storage-service --network elastifile-support --priority 1000 --direction ingress --target-tags elastifile-storage-node,elastifile-replication-node --source-ranges 10.200.0.0/20 --source-tags elastifile-management-node,elastifile-clients --allow icmp,tcp:22,tcp:111,tcp:2049,tcp:644,tcp:4040,tcp:4045,tcp:10015-10017,tcp:8000-9224,tcp:32768-60999,udp:111,udp:2049,udp:644,udp:4040,udp:4045,udp:6667,udp:8000,udp:9224,udp:32768,udp:60999 --no-disabled
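An added audit (not from the page) over the firewall rules created above: it flags enabled ingress rules whose source ranges reach outside RFC 1918 space, which is how the allow-icmp and allow-ssh rules here (source 0.0.0.0/0) surface for review, while the internal rule scoped to 10.200.0.0/20 does not. The input is a constructed sample in the shape of gcloud's JSON output, trimmed to the fields the audit reads.

```python
import ipaddress
import json

# Constructed sample in the shape of `gcloud compute firewall-rules list --format=json`,
# trimmed to the fields the audit reads and mirroring three of the rules above.
FIREWALL_RULES = json.loads("""
[
 {"name": "elastifile-central1-allow-icmp", "direction": "INGRESS", "disabled": false,
  "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "icmp"}]},
 {"name": "elastifile-central1-allow-ssh", "direction": "INGRESS", "disabled": false,
  "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
 {"name": "elastifile-central1-allow-internal", "direction": "INGRESS", "disabled": false,
  "sourceRanges": ["10.200.0.0/20"], "allowed": [{"IPProtocol": "tcp", "ports": ["0-65535"]},
  {"IPProtocol": "udp", "ports": ["0-65535"]}, {"IPProtocol": "icmp"}]}
]
""")

RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internet_exposed(cidr: str) -> bool:
    """True unless the range lies entirely inside one RFC 1918 block (0.0.0.0/0 is exposed)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return not any(net.version == p.version and net.subnet_of(p) for p in RFC1918)


def exposed_allowances(rule: dict) -> list:
    """Protocol/port entries an enabled ingress rule opens to the internet, e.g. ['tcp:22'].

    A protocol entry without a 'ports' key means every port of that protocol."""
    if rule.get("disabled") or rule.get("direction", "INGRESS") != "INGRESS":
        return []
    if not any(is_internet_exposed(r) for r in rule.get("sourceRanges", [])):
        return []  # only reachable from the listed private ranges (or source tags)
    found = []
    for allow in rule.get("allowed", []):
        proto = allow["IPProtocol"]
        ports = allow.get("ports")
        if ports:
            found.extend(f"{proto}:{p}" for p in ports)
        else:
            found.append(proto if proto == "icmp" else f"{proto}:all")
    return found


def audit(rules: list) -> dict:
    """Map rule name -> internet-exposed allowances, keeping only rules that have some."""
    return {r["name"]: exp for r in rules if (exp := exposed_allowances(r))}
```

Run audit(FIREWALL_RULES) to get the findings as a dict, or feed it the parsed output of the gcloud list command for a live project.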

 


Deploy into the service project using the host project's custom subnet

List subnets in the host project

gcloud compute networks subnets list-usable --project support-team-a
PROJECT         REGION                   NETWORK            SUBNET               RANGE          SECONDARY_RANGES
support-team-a  us-central1              elastifile-support  elastifile-central1  10.200.0.0/20

Obtain the URI of the target subnet in the host project

gcloud compute networks subnets list --project support-team-a --uri
https://www.googleapis.com/compute/v1/projects/support-team-a/regions/us-central1/subnetworks/elastifile-central1

Update terraform.tfvars so that NETWORK and SUBNETWORK refer to the host project's network and subnet

ZONE = "us-central1-f"
PROJECT = "support-team-b"
NETWORK = "elastifile-support"
SUBNETWORK = "/projects/support-team-a/regions/us-central1/subnetworks/elastifile-central1"
IMAGE = "elastifile-storage-2-7-5-12-ems"
CREDENTIALS = "support-team-b-0715a3734e41.json"
SERVICE_EMAIL = "chutch@support-team-b.iam.gserviceaccount.com"

Or launch the EMS instance directly via gcloud and complete provisioning in the UI

gcloud beta compute --project=support-team-b instances create elastifile-storage-sp --zone=us-central1-f --machine-type=n1-standard-4 --subnet=/projects/support-team-a/regions/us-central1/subnetworks/elastifile-central1 --network-tier=PREMIUM --maintenance-policy=MIGRATE --service-account=chutch@support-team-b.iam.gserviceaccount.com --scopes=https://www.googleapis.com/auth/cloud-platform --image=https://www.googleapis.com/compute/v1/projects/elastifle-public-196717/global/images/elastifile-storage-2-7-5-12-ems --boot-disk-size=100GB --boot-disk-type=pd-standard --boot-disk-device-name=elastifile-storage-sp --tags=elastifile-management-node

 
