In this example, we will deploy one or more Firezone Gateways in a single VPC on Google Cloud Platform (GCP) that are configured to egress traffic through a single Cloud NAT that is assigned a single static IP address.
This example is built on top of Google Cloud Gateway via Regional Instance Group.
Use this guide to give your Firezone Clients a static public IP address for egress traffic to particular Resource(s). Here are some common use cases for this example:
- Use IP whitelisting to access a third-party or partner application such as a client's DB or third-party API.
- Use IP whitelisting with your identity provider to lock down access to a public application.
- Enabling a team of remote contractors access to a regionally-locked application or service.
All Firezone Gateways deployed in this example will automatically failover and load balance for each other. No other configuration is necessary.
- Terraform
- Google Cloud Platform (GCP) account
- Google Cloud SDK
- Enable the Compute Engine API
- A Firezone Site dedicated to use for this example. This Site should contain only the Firezone Gateway(s) deployed in this example and any associated Resources.
- A Firezone Gateway token. See Multiple Gateways for instructions on how to obtain a Firezone Gateway token that can be used across multiple instances.
Simply update the number of replicas to deploy more or fewer Firezone Gateways. There's no limit to the number of Firezone Gateways you can deploy in a single VPC.
We've tested with f1-micro instances which still work quite well for most
applications. However, you may want to consider a larger instance type if you
have a high volume of traffic or lots of concurrent connections.
-
Configure the necessary Terraform variables. Here's an example
terraform.tfvarsyou can use as a starting point:project_id = "my-gcp-project" region = "us-west1" zone = "us-west1-a" token = "<YOUR GATEWAY TOKEN>" replicas = 3 machine_type = "f1-micro" log_level = "info"
-
Run
terraform initto initialize the working directory and download the required providers. -
Run
terraform applyto deploy the Firezone Gateway(s) into your GCP project.
You can see the static IP address assigned to the Cloud NAT in the Terraform output. This is the IP address that your Firezone Gateway(s) will use to egress traffic.
You can verify all Firezone Gateways are using this IP by viewing the Site in
the Firezone admin portal, where you should now see the Firezone Gateway(s)
listed as Online.
To upgrade the Firezone Gateway(s) to the latest version, simply update the
token and issue a terraform apply which will trigger a redeployment of the
Firezone Gateway(s).
This will incur about a minute or two of downtime as Terraform destroys the existing Firezone Gateway(s) and deploys new ones in their place.
static_ip_addresses will contain a list of static IP addresses that you can
use to whitelist your Firezone Gateway(s) in your third-party or partner
application.
To clean up the resources created by this example, run terraform destroy.