The host project will contain the network that the Elastifile deployment will use.
The service project will contain the Elastifile compute resources.

Host Project     support-team-a
Service Project  support-team-b
Configure the Service Project ("support-team-b")
Log in to the service account for the service project
gcloud auth login chutch@support-team-b.iam.gserviceaccount.com
Set the active project to the service project
gcloud config set project support-team-b
Grant the roles required for deployment to the service account in the service project
gcloud projects add-iam-policy-binding support-team-b --member "serviceAccount:chutch@support-team-b.iam.gserviceaccount.com" --role "roles/compute.instanceAdmin.v1"
gcloud projects add-iam-policy-binding support-team-b --member "serviceAccount:chutch@support-team-b.iam.gserviceaccount.com" --role "roles/iam.serviceAccountUser"
gcloud projects add-iam-policy-binding support-team-b --member "serviceAccount:chutch@support-team-b.iam.gserviceaccount.com" --role "roles/compute.networkAdmin"
gcloud projects add-iam-policy-binding support-team-b --member "serviceAccount:chutch@support-team-b.iam.gserviceaccount.com" --role "roles/compute.networkUser"
gcloud projects add-iam-policy-binding support-team-b --member "serviceAccount:chutch@support-team-b.iam.gserviceaccount.com" --role "roles/storage.admin"
gcloud projects add-iam-policy-binding support-team-b --member "serviceAccount:chutch@support-team-b.iam.gserviceaccount.com" --role "roles/compute.imageUser"
gcloud projects add-iam-policy-binding support-team-b --member "serviceAccount:chutch@support-team-b.iam.gserviceaccount.com" --role "roles/editor"
Configure the Host Project ("support-team-a")
Log in to the service account for the host project
gcloud auth login chutch@support-team-a.iam.gserviceaccount.com
Set the active project to the host project
gcloud config set project support-team-a
Verify that the account, region and zone are set for the host project
gcloud config list
[compute]
region = us-central1
zone = us-central1-f
[core]
account = chutch@support-team-a.iam.gserviceaccount.com
project = support-team-a
Enable Shared VPC on the host project
(This requires the "compute.organizations.enableXpnHost" permission, granted at the parent organization)
gcloud compute shared-vpc enable support-team-a
Add the service project to the host project's Shared VPC
gcloud compute shared-vpc associated-projects add --host-project=support-team-a support-team-b
Verify from the host project that the service project is attached
gcloud compute shared-vpc associated-projects list support-team-a
RESOURCE_ID RESOURCE_TYPE
support-team-b PROJECT
Verify from the service project that the host project is attached
gcloud compute shared-vpc get-host-project support-team-b
kind: compute#project
name: support-team-a
Set up a custom-mode network and subnet in the host project
Create the custom-mode network in the host project
gcloud compute networks create elastifile-support --subnet-mode custom
Create the subnet, with its region and range, in the host project
gcloud compute networks subnets create elastifile-central1 --network elastifile-support --region us-central1 --range 10.200.0.0/20
Save the current IAM policy of the subnet to a file
gcloud beta compute networks subnets get-iam-policy elastifile-central1 --project support-team-a --format json > subnet-policy.json
Edit subnet-policy.json to add the service account from the service project as a network user
{
  "bindings": [
    {
      "members": [
        "serviceAccount:chutch@support-team-b.iam.gserviceaccount.com"
      ],
      "role": "roles/compute.networkUser"
    }
  ],
  "etag": "ACAB"
}
Apply the updated IAM policy to the subnet from the host project
gcloud beta compute networks subnets set-iam-policy elastifile-central1 subnet-policy.json --project support-team-a
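The manual edit of subnet-policy.json above can be done programmatically. The following is an added example, not part of the original runbook: it merges the service account into the policy in the shape that get-iam-policy returns, is safe to re-run, refuses public principals, and keeps the etag so set-iam-policy still rejects a policy that changed in between. The sample policy and its etag value are constructed.

```python
import json
from copy import deepcopy

# Subnet IAM policy in the shape returned by
# `gcloud beta compute networks subnets get-iam-policy ... --format json`
# (constructed sample; the etag value is a placeholder).
SAMPLE_POLICY = {"bindings": [], "etag": "ACAB"}

# Principals that must never be granted compute.networkUser on a shared subnet.
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}
MEMBER_PREFIXES = ("serviceAccount:", "user:", "group:")


def add_binding(policy, member, role="roles/compute.networkUser"):
    """Return a copy of `policy` that grants `role` to `member`.

    Idempotent: an existing binding for the role is extended and a member
    that is already present is not duplicated. The etag is preserved so
    `set-iam-policy` still rejects the update if the policy changed meanwhile.
    """
    if member in PUBLIC_PRINCIPALS or not member.startswith(MEMBER_PREFIXES):
        raise ValueError(f"refusing to bind {member!r}: not a named principal")
    new = deepcopy(policy)
    for binding in new.setdefault("bindings", []):
        if binding.get("role") == role:
            if member not in binding.setdefault("members", []):
                binding["members"].append(member)
            return new
    new["bindings"].append({"members": [member], "role": role})
    return new


def write_policy(policy, path):
    """Write the policy as the JSON file that `set-iam-policy` consumes."""
    with open(path, "w") as fh:
        json.dump(policy, fh, indent=2)
        fh.write("\n")


if __name__ == "__main__":
    sa = "serviceAccount:chutch@support-team-b.iam.gserviceaccount.com"
    write_policy(add_binding(SAMPLE_POLICY, sa), "subnet-policy.json")
```

Run it against the file saved by get-iam-policy instead of SAMPLE_POLICY to produce the input for the set-iam-policy step.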
Add firewall rules for the custom network in the host project
gcloud compute firewall-rules create elastifile-central1-allow-icmp --network elastifile-support --priority 65534 --allow icmp --source-ranges 0.0.0.0/0 --no-disabled
gcloud compute firewall-rules create elastifile-central1-allow-ssh --network elastifile-support --priority 65534 --allow tcp:22 --source-ranges 0.0.0.0/0 --no-disabled
gcloud compute firewall-rules create elastifile-central1-allow-https --network elastifile-support --priority 1000 --target-tags https-server --allow tcp:443 --source-ranges 0.0.0.0/0 --no-disabled
gcloud compute firewall-rules create elastifile-central1-allow-internal --network elastifile-support --priority 65534 --allow tcp:0-65535,udp:0-65535,icmp --source-ranges 10.200.0.0/20 --no-disabled
gcloud compute firewall-rules create elastifile-central1-storage-management --network elastifile-support --priority 1000 --direction ingress --target-tags elastifile-management-node --source-tags elastifile-storage-node,elastifile-replication-node,elastifile-clients --source-ranges 10.200.0.0/20 --allow icmp,tcp:22,tcp:53,tcp:80,tcp:8080,tcp:443,tcp:10014-10017,udp:53,udp:123,udp:6667 --no-disabled
gcloud compute firewall-rules create elastifile-central1-storage-service --network elastifile-support --priority 1000 --direction ingress --target-tags elastifile-storage-node,elastifile-replication-node --source-ranges 10.200.0.0/20 --source-tags elastifile-management-node,elastifile-clients --allow icmp,tcp:22,tcp:111,tcp:2049,tcp:644,tcp:4040,tcp:4045,tcp:10015-10017,tcp:8000-9224,tcp:32768-60999,udp:111,udp:2049,udp:644,udp:4040,udp:4045,udp:6667,udp:8000,udp:9224,udp:32768,udp:60999 --no-disabled
Deploy into the service project using the host project's custom subnet
List the subnets usable in the host project
gcloud compute networks subnets list-usable --project support-team-a
PROJECT REGION NETWORK SUBNET RANGE SECONDARY_RANGES
support-team-a us-central1 elastifile-support elastifile-central1 10.200.0.0/20
Obtain the URI of the target subnet in the host project
gcloud compute networks subnets list --project support-team-a --uri
https://www.googleapis.com/compute/v1/projects/support-team-a/regions/us-central1/subnetworks/elastifile-central1
Update terraform.tfvars to use the NETWORK and SUBNETWORK from the host project
ZONE = "us-central1-f"
PROJECT = "support-team-b"
NETWORK = "elastifile-support"
SUBNETWORK = "/projects/support-team-a/regions/us-central1/subnetworks/elastifile-central1"
IMAGE = "elastifile-storage-2-7-5-12-ems"
CREDENTIALS = "support-team-b-0715a3734e41.json"
SERVICE_EMAIL = "chutch@support-team-b.iam.gserviceaccount.com"
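A mismatch between NETWORK, SUBNETWORK and ZONE in terraform.tfvars only surfaces at apply time. As an added example (not from the original runbook), this cross-checks the tfvars against the list-usable output shown above: the SUBNETWORK path must point at the host project, the ZONE must lie in the subnet's region, and NETWORK must equal the network that subnet belongs to. The tfvars sample is constructed with a deliberately misspelt NETWORK value to show what the check catches.

```python
import re

# Output of `gcloud compute networks subnets list-usable --project support-team-a`
# (constructed copy of the table shown above).
LIST_USABLE = """\
PROJECT REGION NETWORK SUBNET RANGE SECONDARY_RANGES
support-team-a us-central1 elastifile-support elastifile-central1 10.200.0.0/20
"""
# A terraform.tfvars with a deliberately misspelt NETWORK value (constructed).
TFVARS = """
ZONE = "us-central1-f"
PROJECT = "support-team-b"
NETWORK = "elastifile-suport"
SUBNETWORK = "/projects/support-team-a/regions/us-central1/subnetworks/elastifile-central1"
"""
SUBNET_PATH = re.compile(r"^/?projects/([^/]+)/regions/([^/]+)/subnetworks/([^/]+)$")


def parse_tfvars(text):
    """Parse the simple KEY = "value" lines used in terraform.tfvars."""
    return dict(re.findall(r'^\s*(\w+)\s*=\s*"([^"]*)"', text, re.M))


def parse_usable(text):
    """Turn the whitespace-separated list-usable table into row dicts."""
    rows = [line.split() for line in text.strip().splitlines()]
    return [dict(zip(rows[0], row)) for row in rows[1:]]


def check_tfvars(tfvars, usable, host_project):
    """Return a list of inconsistencies; an empty list means the file is sound."""
    problems = []
    match = SUBNET_PATH.match(tfvars.get("SUBNETWORK", ""))
    if not match:
        return ["SUBNETWORK is not a projects/.../regions/.../subnetworks/... path"]
    project, region, subnet = match.groups()
    if project != host_project:
        problems.append(f"SUBNETWORK project {project!r} is not host project {host_project!r}")
    if not tfvars.get("ZONE", "").startswith(region + "-"):
        problems.append(f"ZONE {tfvars.get('ZONE')!r} is not in region {region!r}")
    row = next((r for r in usable if r["SUBNET"] == subnet and r["REGION"] == region), None)
    if row is None:
        problems.append(f"subnet {subnet!r} in {region!r} is not usable from this project")
    elif tfvars.get("NETWORK") != row["NETWORK"]:
        problems.append(f"NETWORK {tfvars.get('NETWORK')!r} does not match "
                        f"the subnet's network {row['NETWORK']!r}")
    return problems
```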
Or launch the EMS instance directly via gcloud and complete provisioning in the UI
gcloud beta compute --project=support-team-b instances create elastifile-storage-sp --zone=us-central1-f --machine-type=n1-standard-4 --subnet=/projects/support-team-a/regions/us-central1/subnetworks/elastifile-central1 --network-tier=PREMIUM --maintenance-policy=MIGRATE --service-account=chutch@support-team-b.iam.gserviceaccount.com --scopes=https://www.googleapis.com/auth/cloud-platform --image=https://www.googleapis.com/compute/v1/projects/elastifle-public-196717/global/images/elastifile-storage-2-7-5-12-ems --boot-disk-size=100GB --boot-disk-type=pd-standard --boot-disk-device-name=elastifile-storage-sp --tags=elastifile-management-node