VM instances

In GCP, a VM instance is quite similar to an AWS EC2 instance. You can choose from a variety of machine (instance) types with different hardware configurations, and you can run a Linux- or Windows-based OS or a custom image of your own.

As mentioned when we discussed firewall rules, you can attach any number of network tags to an instance. A tag doesn't have to exist beforehand: you can launch VM instances with a network tag before any firewall rule references it. The instance is still valid; it simply has no firewall rule applied through that tag. When you later create a firewall rule that targets the tag, it applies to those instances right away. VM instances and firewall rules are therefore loosely coupled, which gives the user flexibility, but it also means a misspelled tag silently leaves an instance without the rule you intended, so it is worth checking which rules actually target each instance:

Before launching a VM instance, you need an ssh key pair registered with GCP, much as with AWS EC2. The easiest way is to run the following command, which generates a key pair if you don't have one, registers the public key in your project metadata, and writes Host aliases for your instances into ~/.ssh/config:

//this command creates a new ssh key pair (if none exists) and registers the public key
$ gcloud compute config-ssh


//key will be stored as ~/.ssh/google_compute_engine(.pub)
$ cd ~/.ssh
$ ls -l google_compute_engine*
-rw------- 1 saito admin 1766 Aug 23 22:58 google_compute_engine
-rw-r--r-- 1 saito admin 417 Aug 23 22:58 google_compute_engine.pub

Now let's get started by launching a VM instance on GCP.

Deploy two public instances, one on subnet-a and one on subnet-b (with the public network tag), and then launch a third instance on subnet-a as a private instance (with the private network tag):

//create public instance ("public" tag) on subnet-a
$ gcloud compute instances create public-on-subnet-a --machine-type=f1-micro --network=my-custom-network --subnet=subnet-a --zone=us-west1-a --tags=public

//create public instance ("public" tag) on subnet-b
$ gcloud compute instances create public-on-subnet-b --machine-type=f1-micro --network=my-custom-network --subnet=subnet-b --zone=us-east1-c --tags=public

//create private instance ("private" tag) on subnet-a with larger size (g1-small)
$ gcloud compute instances create private-on-subnet-a --machine-type=g1-small --network=my-custom-network --subnet=subnet-a --zone=us-west1-a --tags=private

//Overall, three VM instances have been created in this example, as shown below
$ gcloud compute instances list
NAME                 ZONE        MACHINE_TYPE  PREEMPTIBLE  INTERNAL_IP  EXTERNAL_IP      STATUS
public-on-subnet-b   us-east1-c  f1-micro                   172.16.1.2   35.196.228.40    RUNNING
private-on-subnet-a  us-west1-a  g1-small                   10.0.1.2     104.199.121.234  RUNNING
public-on-subnet-a   us-west1-a  f1-micro                   10.0.1.3     35.199.171.31    RUNNING

You can log in to those machines to check whether the firewall rules work as expected. First of all, add the ssh key to the ssh-agent on your machine:

$ ssh-add ~/.ssh/google_compute_engine
Enter passphrase for /Users/saito/.ssh/google_compute_engine:
Identity added: /Users/saito/.ssh/google_compute_engine (/Users/saito/.ssh/google_compute_engine)

Then check that the ICMP firewall rule rejects traffic from outside. The internal-icmp rule only allows ICMP from hosts tagged public or private, and the VPC's implied deny-ingress rule drops everything no allow rule matches, so a ping from your machine never reaches the public instance; this is shown in the following screenshot:

On the other hand, the public host accepts ssh from your machine, because the public-ssh rule allows 22/tcp from any source (0.0.0.0/0):

Of course, this public host can ping and ssh to the private host on subnet-a (10.0.1.2) through its private IP address, because of the internal-icmp and private-ssh rules.

Let's ssh to the private host (from the public host, since only public-tagged hosts are allowed to reach it) and then install the tomcat8 and tomcat8-examples packages (the latter installs the /examples/ application for Tomcat):

Remember that subnet-a is the 10.0.1.0/24 CIDR prefix, while subnet-b is 172.16.1.0/24. Even though the ranges are not contiguous, hosts within the same VPC can reach each other, subject to the firewall rules. This is a real benefit of GCP: you can add another address block to the network whenever you need one.

Now install nginx to public hosts (public-on-subnet-a and public-on-subnet-b):

//logout from VM instance, then back to your machine
$ exit

//install nginx from your machine via ssh
$ ssh 35.196.228.40 "sudo apt-get -y install nginx"
$ ssh 35.199.171.31 "sudo apt-get -y install nginx"

//check whether the firewall rule (public-http) works
$ curl -I http://35.196.228.40/
HTTP/1.1 200 OK
Server: nginx/1.10.3
Date: Sun, 27 Aug 2017 07:07:01 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Fri, 25 Aug 2017 05:48:28 GMT
Connection: keep-alive
ETag: "599fba2c-264"
Accept-Ranges: bytes

However, at this moment you can't access Tomcat on the private host, even though it has a public IP address. The private host has no firewall rule that allows 8080/tcp, so the implied deny-ingress rule drops the connection and curl times out rather than being refused. Note that the only thing keeping this host "private" is the absence of an allow rule: gcloud assigns every new instance an ephemeral external IP unless you pass --no-address, so a genuinely private host should be created with that flag (or have its external access config removed) rather than relying on tags alone:

$ curl http://104.199.121.234:8080/examples/
curl: (7) Failed to connect to 104.199.121.234 port 8080: Operation timed out
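To make the tag-to-rule coupling and the "private host with a public IP" caveat concrete, here is an added audit script; it is not code from the book. It parses the JSON that gcloud compute instances list --format=json and gcloud compute firewall-rules list --format=json produce, resolves which ingress rules apply to each instance through its network tags, lists which of those rules are open to the whole internet, and flags private-tagged instances that still carry an external IP. The instance sample is constructed to mirror the three instances above; the firewall rule bodies (source ranges, source tags, ports) are assumptions, since the chapter names the rules but this page does not show their definitions. All function names are this example's own.

```python
"""Audit GCE instances against firewall rules, offline, from gcloud JSON output.

Added example, not from the book. Run `gcloud compute instances list --format=json`
and `gcloud compute firewall-rules list --format=json` to feed real data instead of
the constructed samples below.
"""
import ipaddress
import json

# Constructed sample mirroring the chapter's three instances. The "private" one
# got an ephemeral external IP because it was created without --no-address.
INSTANCES_JSON = """
[
  {"name": "public-on-subnet-b", "tags": {"items": ["public"]},
   "networkInterfaces": [{"networkIP": "172.16.1.2",
     "accessConfigs": [{"type": "ONE_TO_ONE_NAT", "natIP": "35.196.228.40"}]}]},
  {"name": "private-on-subnet-a", "tags": {"items": ["private"]},
   "networkInterfaces": [{"networkIP": "10.0.1.2",
     "accessConfigs": [{"type": "ONE_TO_ONE_NAT", "natIP": "104.199.121.234"}]}]},
  {"name": "public-on-subnet-a", "tags": {"items": ["public"]},
   "networkInterfaces": [{"networkIP": "10.0.1.3",
     "accessConfigs": [{"type": "ONE_TO_ONE_NAT", "natIP": "35.199.171.31"}]}]}
]
"""

# Assumed rule bodies for the rules the chapter names (public-ssh, public-http,
# private-ssh, internal-icmp); the book does not show them on this page.
FIREWALL_JSON = """
[
  {"name": "public-ssh", "direction": "INGRESS", "disabled": false,
   "sourceRanges": ["0.0.0.0/0"], "targetTags": ["public"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
  {"name": "public-http", "direction": "INGRESS", "disabled": false,
   "sourceRanges": ["0.0.0.0/0"], "targetTags": ["public"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["80"]}]},
  {"name": "private-ssh", "direction": "INGRESS", "disabled": false,
   "sourceTags": ["public"], "targetTags": ["private"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
  {"name": "internal-icmp", "direction": "INGRESS", "disabled": false,
   "sourceTags": ["public", "private"], "targetTags": ["public", "private"],
   "allowed": [{"IPProtocol": "icmp"}]}
]
"""

INSTANCES = json.loads(INSTANCES_JSON)
RULES = json.loads(FIREWALL_JSON)


def find_instance(name, instances=INSTANCES):
    return next(i for i in instances if i["name"] == name)


def port_allowed(ports, port):
    """True if `port` matches an allowed[].ports entry ("22" or "8000-9000").
    A missing or empty list means the rule allows every port of that protocol."""
    if not ports:
        return True
    for spec in ports:
        lo, _, hi = spec.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def is_internet_source(rule):
    """A rule is internet-reachable if any sourceRange covers the whole address space."""
    return any(ipaddress.ip_network(r).prefixlen == 0 for r in rule.get("sourceRanges", []))


def applicable_rules(instance, rules):
    """Enabled ingress rules targeting this instance: either a targetTag matches one
    of its network tags, or the rule has no targetTags and so applies network-wide."""
    tags = set(instance.get("tags", {}).get("items", []))
    out = []
    for r in rules:
        if r.get("direction", "INGRESS") != "INGRESS" or r.get("disabled"):
            continue
        target = set(r.get("targetTags", []))
        if not target or target & tags:
            out.append(r)
    return out


def external_ips(instance):
    return [ac["natIP"] for nic in instance.get("networkInterfaces", [])
            for ac in nic.get("accessConfigs", []) if ac.get("natIP")]


def port_reachable_from_internet(instance, rules, proto, port):
    """Would an arbitrary internet host be allowed to connect to proto/port?"""
    for r in applicable_rules(instance, rules):
        if not is_internet_source(r):
            continue
        for a in r.get("allowed", []):
            if a["IPProtocol"].lower() in (proto, "all") and port_allowed(a.get("ports"), port):
                return True
    return False


def audit(instances=INSTANCES, rules=RULES):
    """Per-instance summary plus the findings a reviewer would flag."""
    report = {}
    for inst in instances:
        tags = set(inst.get("tags", {}).get("items", []))
        ips = external_ips(inst)
        findings = []
        if "private" in tags and ips:
            findings.append("private-tagged instance has an external IP (use --no-address)")
        if not tags:
            findings.append("no network tags: only untargeted rules apply")
        report[inst["name"]] = {
            "external_ips": ips,
            "internet_rules": [r["name"] for r in applicable_rules(inst, rules)
                               if is_internet_source(r)],
            "findings": findings,
        }
    return report


if __name__ == "__main__":
    for name, row in audit().items():
        print(name, row)
```

On the constructed data the private host shows an external IP, no internet-facing rule and no path to 8080/tcp, which is exactly why the curl above times out; the check for 8080 also handles port ranges such as "8000-9000", so it stays correct if a later rule opens a block of ports rather than a single one.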

Rather than simply creating a firewall rule for Tomcat, we'll set up a LoadBalancer to be configured for both nginx and Tomcat in the next section.
