Set up a GCP Shared VPC with a custom subnet using the gcloud CLI

 

The host project will contain the network the Elastifile deployment will use.

The service project will contain the Elastifile compute resources.

Host Project: support-team-a

Service Project: support-team-b


Configure the Service Project ("support-team-b")

Log in to the service account for the service project

gcloud auth login chutch@support-team-b.iam.gserviceaccount.com

Set the active gcloud project to the service project

gcloud config set project support-team-b

Grant the service account the roles required for deployment in the service project

gcloud projects add-iam-policy-binding support-team-b --member "serviceAccount:chutch@support-team-b.iam.gserviceaccount.com" --role "roles/compute.instanceAdmin.v1"
gcloud projects add-iam-policy-binding support-team-b --member "serviceAccount:chutch@support-team-b.iam.gserviceaccount.com" --role "roles/iam.serviceAccountUser"
gcloud projects add-iam-policy-binding support-team-b --member "serviceAccount:chutch@support-team-b.iam.gserviceaccount.com" --role "roles/compute.networkAdmin"
gcloud projects add-iam-policy-binding support-team-b --member "serviceAccount:chutch@support-team-b.iam.gserviceaccount.com" --role "roles/compute.networkUser"
gcloud projects add-iam-policy-binding support-team-b --member "serviceAccount:chutch@support-team-b.iam.gserviceaccount.com" --role "roles/storage.admin"
gcloud projects add-iam-policy-binding support-team-b --member "serviceAccount:chutch@support-team-b.iam.gserviceaccount.com" --role "roles/compute.imageUser"
gcloud projects add-iam-policy-binding support-team-b --member "serviceAccount:chutch@support-team-b.iam.gserviceaccount.com" --role "roles/editor"

 


Configure the Host Project ("support-team-a")

Log in to the service account for the host project

gcloud auth login chutch@support-team-a.iam.gserviceaccount.com

Set the active gcloud project to the host project

gcloud config set project support-team-a

Verify that the credentials, region and zone are set for the host project

gcloud config list
[compute]
region = us-central1
zone = us-central1-f
[core]
account = chutch@support-team-a.iam.gserviceaccount.com
project = support-team-a

Enable Shared VPC on the host project

(This requires the “compute.organizations.enableXpnHost” permission, granted from the parent organization)

gcloud compute shared-vpc enable support-team-a

Add the service project to the host project's Shared VPC

gcloud compute shared-vpc associated-projects add --host-project=support-team-a support-team-b

Verify from the host project that the service project is associated

gcloud compute shared-vpc associated-projects list support-team-a
RESOURCE_ID     RESOURCE_TYPE
support-team-b  PROJECT

Verify from the service project that the host project is configured

gcloud compute shared-vpc get-host-project support-team-b
kind: compute#project
name: support-team-a

 


Set up a custom subnet in the host project

Create a custom-mode VPC network in the host project

gcloud compute networks create elastifile-support --subnet-mode custom

Create the subnet in the host project, specifying its region and IP range

gcloud compute networks subnets create elastifile-central1 --network elastifile-support --region us-central1 --range 10.200.0.0/20

Save the current IAM policy of the custom subnet to a file

gcloud beta compute networks subnets get-iam-policy elastifile-central1 --project support-team-a --format json > subnet-policy.json

Edit subnet-policy.json, adding the service project's service account with the compute.networkUser role

{
  "bindings": [
    {
      "members": [
        "serviceAccount:chutch@support-team-b.iam.gserviceaccount.com"
      ],
      "role": "roles/compute.networkUser"
    }
  ],
  "etag": "ACAB"
}

Apply the updated IAM policy to the custom subnet from the host project (set-iam-policy replaces the whole policy, so keep any bindings that get-iam-policy returned in the file)

gcloud beta compute networks subnets set-iam-policy elastifile-central1 subnet-policy.json --project support-team-a
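An added example (not from the original page) that performs the subnet-policy.json edit above programmatically: it merges the service account into the policy that get-iam-policy returned, keeping any existing bindings and the etag, so the following set-iam-policy call does not drop access other accounts already have. The `other@` account in the sample policy is a constructed, hypothetical value.

```python
import copy
import json

# Added example, not code from the original page.
NETWORK_USER = "roles/compute.networkUser"


def add_binding(policy: dict, member: str, role: str = NETWORK_USER) -> dict:
    """Return a copy of `policy` with `member` granted `role`.

    Keeps every existing binding and the etag untouched, appends to an
    existing binding for `role` when there is one, creates the binding
    otherwise, and is idempotent (adding a member twice yields one entry).
    """
    updated = copy.deepcopy(policy)
    bindings = updated.setdefault("bindings", [])  # a fresh subnet returns no bindings
    for binding in bindings:
        if binding.get("role") == role:
            members = binding.setdefault("members", [])
            if member not in members:
                members.append(member)
            return updated
    bindings.append({"role": role, "members": [member]})
    return updated


def merge_policy_file(path_in: str, path_out: str, member: str) -> dict:
    """Read the JSON written by get-iam-policy, merge, and write the file for set-iam-policy."""
    with open(path_in) as fh:
        policy = json.load(fh)
    updated = add_binding(policy, member)
    with open(path_out, "w") as fh:
        json.dump(updated, fh, indent=2)
    return updated


if __name__ == "__main__":
    # Constructed sample: a subnet that already grants networkUser to another
    # (hypothetical) account; a hand-written file with one binding would overwrite it.
    existing = {
        "bindings": [{"role": NETWORK_USER,
                      "members": ["serviceAccount:other@support-team-b.iam.gserviceaccount.com"]}],
        "etag": "ACAB",
    }
    merged = add_binding(existing, "serviceAccount:chutch@support-team-b.iam.gserviceaccount.com")
    print(json.dumps(merged, indent=2))
```

Run `merge_policy_file("subnet-policy.json", "subnet-policy.json", "serviceAccount:...")` between the get-iam-policy and set-iam-policy commands above to replace the manual edit.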

Add firewall rules to the custom subnet in the host project. Note that the ICMP, SSH and HTTPS rules below accept traffic from any source (--source-ranges 0.0.0.0/0); narrow the source ranges to your administrative networks where possible.

gcloud compute firewall-rules create elastifile-central1-allow-icmp --network elastifile-support --priority 65534 --allow icmp --source-ranges 0.0.0.0/0 --no-disabled
gcloud compute firewall-rules create elastifile-central1-allow-ssh --network elastifile-support --priority 65534 --allow tcp:22 --source-ranges 0.0.0.0/0 --no-disabled
gcloud compute firewall-rules create elastifile-central1-allow-https --network elastifile-support --priority 1000 --target-tags https-server --allow tcp:443 --source-ranges 0.0.0.0/0 --no-disabled

gcloud compute firewall-rules create elastifile-central1-allow-internal --network elastifile-support --priority 65534 --allow tcp:0-65535,udp:0-65535,icmp --source-ranges 10.200.0.0/20 --no-disabled
gcloud compute firewall-rules create elastifile-central1-storage-management --network elastifile-support --priority 1000 --direction ingress --target-tags elastifile-management-node --source-tags elastifile-storage-node,elastifile-replication-node,elastifile-clients --source-ranges 10.200.0.0/20 --allow icmp,tcp:22,tcp:53,tcp:80,tcp:8080,tcp:443,tcp:10014-10017,udp:53,udp:123,udp:6667 --no-disabled
gcloud compute firewall-rules create elastifile-central1-storage-service --network elastifile-support --priority 1000 --direction ingress --target-tags elastifile-storage-node,elastifile-replication-node --source-ranges 10.200.0.0/20 --source-tags elastifile-management-node,elastifile-clients --allow icmp,tcp:22,tcp:111,tcp:2049,tcp:644,tcp:4040,tcp:4045,tcp:10015-10017,tcp:8000-9224,tcp:32768-60999,udp:111,udp:2049,udp:644,udp:4040,udp:4045,udp:6667,udp:8000,udp:9224,udp:32768,udp:60999 --no-disabled
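An added example, not part of the original page, for reviewing the rules just created: it reads the JSON that `gcloud compute firewall-rules list --format json` produces and reports enabled ingress rules that open a sensitive port (here port 22) to 0.0.0.0/0, which is how the allow-ssh rule above is configured. The rule JSON embedded in the block is a constructed sample mirroring two of those rules, reduced to the fields the check uses.

```python
import json

ANYWHERE = {"0.0.0.0/0", "::/0"}
SENSITIVE_PORTS = {22}  # ports to flag when reachable from the internet; extend as needed

def _port_matches(port: int, spec: str) -> bool:
    """True if port lies inside a gcloud port spec such as "22" or "0-65535"."""
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def exposed_ports(rule: dict) -> set:
    """Sensitive ports that this enabled ingress rule opens to any source address."""
    if rule.get("disabled") or rule.get("direction", "INGRESS") != "INGRESS":
        return set()
    if not ANYWHERE & set(rule.get("sourceRanges", [])):
        return set()  # scoped to specific ranges, e.g. 10.200.0.0/20
    hits = set()
    for allowed in rule.get("allowed", []):
        proto = allowed.get("IPProtocol")
        if proto == "all":
            return set(SENSITIVE_PORTS)
        if proto not in ("tcp", "udp"):
            continue  # icmp and other protocols carry no ports
        specs = allowed.get("ports") or ["0-65535"]  # omitted ports means every port
        hits |= {p for p in SENSITIVE_PORTS for s in specs if _port_matches(p, s)}
    return hits

def audit(rules_json: str) -> dict:
    """Map rule name -> sorted exposed ports, for every rule that exposes any."""
    findings = {}
    for rule in json.loads(rules_json):
        ports = exposed_ports(rule)
        if ports:
            findings[rule["name"]] = sorted(ports)
    return findings

# Constructed sample in the shape of `gcloud compute firewall-rules list --format json`,
# reduced to the fields used above and mirroring two of the rules created on this page.
SAMPLE = json.dumps([
    {"name": "elastifile-central1-allow-ssh", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "elastifile-central1-allow-internal", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["10.200.0.0/20"], "allowed": [{"IPProtocol": "tcp", "ports": ["0-65535"]},
                                                   {"IPProtocol": "udp", "ports": ["0-65535"]}, {"IPProtocol": "icmp"}]},
])

if __name__ == "__main__":
    print(audit(SAMPLE))  # {'elastifile-central1-allow-ssh': [22]}
```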

 


Deploy into the service project using the host project's custom subnet

List subnets in the host project

gcloud compute networks subnets list-usable --project support-team-a
PROJECT         REGION                   NETWORK            SUBNET               RANGE          SECONDARY_RANGES
support-team-a  us-central1              elastifile-support  elastifile-central1  10.200.0.0/20

Obtain URI for target subnet in the host project

gcloud compute networks subnets list --project support-team-a --uri
https://www.googleapis.com/compute/v1/projects/support-team-a/regions/us-central1/subnetworks/elastifile-central1

Update terraform.tfvars to use the “NETWORK” and “SUBNETWORK” from the host project

ZONE = "us-central1-f"
PROJECT = "support-team-b"
NETWORK = "elastifile-support"
SUBNETWORK = "/projects/support-team-a/regions/us-central1/subnetworks/elastifile-central1"
IMAGE = "elastifile-storage-2-7-5-12-ems"
CREDENTIALS = "support-team-b-0715a3734e41.json"
SERVICE_EMAIL = "chutch@support-team-b.iam.gserviceaccount.com"

Or launch the EMS directly via gcloud and complete provisioning in the UI

gcloud beta compute --project=support-team-b instances create elastifile-storage-sp --zone=us-central1-f --machine-type=n1-standard-4 --subnet=/projects/support-team-a/regions/us-central1/subnetworks/elastifile-central1 --network-tier=PREMIUM --maintenance-policy=MIGRATE --service-account=chutch@support-team-b.iam.gserviceaccount.com --scopes=https://www.googleapis.com/auth/cloud-platform --image=https://www.googleapis.com/compute/v1/projects/elastifle-public-196717/global/images/elastifile-storage-2-7-5-12-ems --boot-disk-size=100GB --boot-disk-type=pd-standard --boot-disk-device-name=elastifile-storage-sp --tags=elastifile-management-node

 
