Create GCP Site

Objective

This document provides instructions on how to install a Volterra node or cluster (multi-node) on Google Cloud Platform (GCP) using the custom GCP image for the Volterra node or cluster. For more information on Volterra sites and nodes, see the Volterra Site document.

You can deploy a GCP VPC site from VoltConsole by creating a VPC site object and then deploying it in either automatic mode or assisted mode. Automatic mode runs the deployment directly from VoltConsole. In assisted mode, you download the terraform parameters that VoltConsole generates for the VPC site object and run the deployment from your own computer using those parameters and Volterra's terraform container.

Note: Configuring site mesh group is not supported for the sites deployed from VoltConsole.

Using the instructions in this guide, you can deploy a GCP VPC ingress gateway site or an ingress/egress gateway site. For more information, see Network Topology of a Site.


Design

GCP VPC Site automates the deployment of Volterra sites in GCP. As part of the GCP VPC Site configuration, you can ask for a new VPC network and subnets to be created, or provide existing VPC network and subnet names, in which case the creation of VPC and subnet resources is skipped.

Note: By default, a Volterra site deployed in GCP supports Google Cloud Storage. See Configure Storage in Fleet.

GCP VPC Site Deployment Types

A Volterra site can be deployed in two different modes with the GCP VPC Site workflow. (The site-creation wizard additionally offers a Voltstack Cluster (one Interface) option, which is configured the same way as the ingress gateway; see Step 2.1 below.) The two modes are:

  1. Ingress Gateway (One Interface): In this deployment mode the Volterra site is attached to a single VPC and a single subnet. It can discover services and endpoints reachable from this subnet and expose them to any other site configured in the Volterra tenant.
  2. Ingress/Egress Gateway (Two Interfaces): In this deployment mode the Volterra site is attached to a single VPC with at least two interfaces on different subnets. One subnet is labeled Outside and the other Inside. In this mode, the Volterra site provides security and connectivity for VMs and subnets whose default gateway is the Volterra site's inside interface.

Ingress Gateway (One Interface)

In this deployment mode, VoltMesh needs one interface attached. Services running on the node connect to the internet using this interface. Also, this interface is used to discover other services and virtual machines and expose them to other Volterra sites in the same tenant. For example, in the below figure, TCP or HTTP services on the DevOps or Dev GCP VM instances can be discovered and exposed via reverse proxy remotely.

As shown in the figure below, the interface is on the Outside subnet, which is associated with the VPC main routing table whose default route points to the internet gateway. That is how traffic from the outside interface reaches the Internet, as does traffic from any other subnet associated with this routing table. The other subnets (Dev and DevOps) are also associated with the VPC main routing table, which means that any newly created subnet in this VPC is automatically associated with it.

Figure: GCP VPC Site Deployment - Ingress Gateway (One Interface)

Ingress/Egress Gateway (Two Interfaces)

In this deployment scenario the VoltMesh nodes need two interfaces attached. The first is the outside interface, through which services running on the node connect to the internet. The second is the inside interface, whose IP address becomes the default gateway for all application workloads and services in the private subnets.

As shown in the figure below, the outside interface is on the outside subnet, which is associated with the outside subnet route table whose default route points to the internet gateway. That is how traffic from the outside interface reaches the internet. The inside subnets are associated with the inside subnet route table, which is also the main route table for this VPC, so any newly created subnet in this VPC is automatically associated with it. This private subnet route table has a default route pointing to the inside IP address of the VoltMesh node (192.168.0.186 in the figure).

Figure: GCP VPC Site Deployment - Ingress / Egress Gateway (Two Interfaces) - Single AZ

Once the VoltMesh site comes online, the inside network of the node is connected to the outside network through a forward proxy, with SNAT enabled on the outside interface: all traffic arriving on the inside interface is forwarded to the internet through the forward proxy and source-NATed on the outside interface. All workloads on the private subnets can then reach the internet through the VoltMesh site.

Network Policies

The Volterra site can serve as your ingress/egress security policy enforcement point, because all traffic from the private subnets flows through it. Traffic that matches no rule in the network policy is denied by default.

A network policy selects the endpoints or subnets it applies to. Egress rules, written from the point of view of the endpoint, allow or deny specific traffic patterns the endpoint originates; ingress rules allow or deny traffic destined for the endpoint.

Forward Proxy Policy

Using a forward proxy policy, you can specify allowed or denied TLS domains and HTTP URLs. Traffic from workloads on the private subnets towards the Internet via the Volterra GCP VPC site is allowed or denied accordingly.

Details on how to configure this are covered in the rest of this document.


Prerequisites

The following prerequisites apply:

Note: By proceeding with the installation, download and/or access and use, as applicable, of the Volterra software, and/or Volterra platform, you acknowledge that you have read, understand, and agree to be bound by this agreement.


Deploy Using VoltConsole

The following video shows the GCP VPC site creation and site deployment workflow using VoltConsole:

GCP VPC site creation and management requires performing the following sequence of actions:

Phase                      | Description
Create GCP VPC Site Object | Create the GCP VPC site object in VoltConsole using the guided wizard.
Deploy Site                | Deploy the sites configured in the GCP VPC site object using the automatic or assisted method.

Create GCP VPC Site Object

The wizard to create the GCP VPC site object guides you through the steps for required configuration. This document covers each guided step and explains the required actions to be performed for each step.

Perform the following steps:

Step 1: Log into the VoltConsole and start GCP VPC site object creation.

Select Manage from the configuration menu in the system namespace. Select Site Management -> GCP VPC Site from the options. Click Add GCP VPC Site. Enter a name for your VPC object in the metadata section.

Step 2: Configure the VPC and site settings.

Go to the Site Type Selection section and perform the following:

Step 2.1: Set region and configure VPC.
  • Select a region in the GCP Region drop-down field.
  • Select an option for the Select Ingress Gateway or Ingress/Egress Gateway field and perform configuration as per the guidelines provided below.
Ingress Gateway (One Interface):

For the Ingress Gateway (One Interface) option, click Configure and do the following:

  • Select an option for the Select existing VPC network or create new VPC network field and do one of the following:

    • For the New VPC Parameters option, enter the name in the GCP VPC Network Name field.
    • For the Existing VPC Network option, enter an existing VPC network name in the GCP VPC Network Name field.
  • Select an option for the GCP Zone name field that matches the configured GCP Region.
  • Select New Subnet Parameters or Existing Subnet for the Select existing subnet or create new subnet field and do one of the following:

    • For the new subnet option, enter a name for the subnet in the VPC Subnet Name field and the subnet prefix in the IPv4 Subnet Prefix field.
    • For the existing subnet option, enter the existing subnet name in the VPC Subnet Name field.

Note: You can add more than one node using the Add item option.

Figure: Ingress Gateway Site Settings

Note: The GCP Certified Hardware is set to gcp-byol-voltmesh by default.

Ingress/Egress Gateway (Two Interface)

For the Ingress/Egress Gateway (Two Interface) option, click Configure and configure the GCP VPC Network for Inside Interface as per the following guidelines:

  • Select an option for the Select existing VPC network or create new VPC network field and do one of the following:

    • For the New VPC Parameters option, enter the name in the GCP VPC Network Name field.
    • For the Existing VPC Network option, enter an existing VPC network name in the GCP VPC Network Name field.
  • Similarly configure the GCP VPC Network for Outside Interface.

Figure: Ingress/Egress Gateway VPC Networks

  • Configure the Ingress/Egress Gateway (Two Interface) Nodes as per the following guidelines:

    • Select an option for the GCP AZ name field that matches the configured GCP Region.
    • Configure Subnet for Inside Interface: select New Subnet Parameters or Existing Subnet for the Select existing subnet or create new subnet field and do one of the following:

      • For the new subnet option, enter a name for the subnet in the VPC Subnet Name field and the subnet prefix in the IPv4 Subnet Prefix field.
      • For the existing subnet option, enter the existing subnet name in the VPC Subnet Name field.
    • Similarly configure Subnet for Outside Interface.

Note: You can add more than one node using the Add item option.

Figure: Inside and Outside Subnet Settings

  • Click Apply.

Note: The GCP Certified Hardware is set to gcp-byol-multi-nic-voltmesh by default.

Voltstack Cluster (one Interface)

For the Voltstack Cluster (one Interface) option, click Configure and configure the GCP VPC Network for the local interface as per the following guidelines:

  • Select an option for the Select existing VPC network or create new VPC network field and do one of the following:

    • For the New VPC Parameters option, enter the name in the GCP VPC Network Name field.
    • For the Existing VPC Network option, enter an existing VPC network name in the GCP VPC Network Name field.
  • Configure the Voltstack Cluster (one Interface) Nodes as per the following guidelines:

    • Select an option for the GCP Zone name field that matches the configured GCP Region.
    • Configure Subnet for local interface: select New Subnet Parameters or Existing Subnet for the Select existing subnet or create new subnet field and do one of the following:

      • For the new subnet option, enter a name for the subnet in the VPC Subnet Name field and the subnet prefix in the IPv4 Subnet Prefix field.
      • For the existing subnet option, enter the existing subnet name in the VPC Subnet Name field.

Note: You can add more than one node using the Add item option.

  • Click Apply.

Note: The GCP Certified Hardware is set to gcp-byol-voltstack-combo by default.

Step 2.2: Set the deployment type.

Select an option for the Select Automatic or Assisted Deployment field and perform further actions as per the following guidelines.

  • For the Automatic Deployment option, select an existing GCP credentials object, or click Create new cloud credential to open the credential creation wizard and create the new credentials as per the following guidelines:

    • Enter a name in the metadata section. Optionally set labels and enter a description.
    • Select GCP Credentials in the Select Cloud Credential Type field and click Configure.
    • Select an option for the Secret Info. If you select Blindfold Secret, enter the secret in the secret field and click Blindfold. If you select Clear Secret, enter the secret in one of the formats displayed (by selecting the Type field). Click Apply.
    • Click Continue to add the new credentials.

Note: Refer to the Cloud Credentials guide for more information. Ensure that the GCP credentials are applied with required access policies as per the Policy Requirements document.

  • For the Assisted Deployment option, obtain the GCP parameters after the GCP VPC site object is created in VoltConsole and perform the site deployment as per the instructions in the Deploy Site chapter.

Figure: Deployment Configuration

Step 3: Set the site node parameters.

Go to the Site Node Parameters section and do the following:

  • Set the GCP instance type by selecting an option for the GCP Instance Type for Node field.
  • Enter the public half of your SSH key pair in the Public SSH key field. Only the public key is needed here; the private key stays on your machine and is used later to log in to the nodes.

    Figure: Site Node Parameters Configuration

Step 4: Complete the GCP VPC site object creation.

Click Save and Exit to complete creating the GCP VPC site object.

Note: The Status field for the GCP VPC site object shows Generated.


Deploy Site

You can deploy the site using automatic or assisted deployment, depending on your GCP VPC site object configuration.

Automatic Deployment

Perform this procedure if you created the VPC site object with the automatic deployment option.

  • Navigate to the created GCP VPC site object using the Manage -> Site Management -> GCP VPC Site option. Find your GCP VPC site object and click Apply under the Actions column. The Status field for your GCP VPC object changes to Applying.

Note: Optionally, you can perform terraform plan activity before the deployment. Find your GCP VPC site object and click ... -> Plan (Optional) to generate the execution plan for terraform.

  • Wait for the apply to complete and the status to change to Applied.

Note: You can check the status for the apply action. Click ... -> Terraform Parameters for your GCP VPC site object and click the Apply Status tab.

  • Navigate to Sites -> Sites List. Find your site from the displayed list and verify that the status is ONLINE.

Note: It takes a few minutes for the site to be deployed and status to become ONLINE.

Assisted Deployment

Perform this procedure if you created the VPC site object with the assisted deployment option.

  • Download the terraform variables. Navigate to the created GCP VPC site object using the Manage -> Site Management -> GCP VPC Site option.
  • Find your GCP VPC site object and click ... -> Terraform Parameters for it. Copy the parameters to a file in your local machine.
  • Download Volterra's volt-terraform container.
docker pull gcr.io/volterraio/volt-terraform
  • Run the terraform container. Note that the command below mounts your entire ~/.ssh directory, private keys included, into the container.
docker run --entrypoint tail --name terraform-cli -d -it \
-w /terraform/templates \
-v ${HOME}/.ssh:/root/.ssh \
gcr.io/volterraio/volt-terraform:latest \
-f /dev/null
  • Copy the downloaded terraform variables file to the container. The following example copies to the /var/tmp folder on the container.
docker cp /Users/ted/Downloads/system-gcp-vpc-a.json terraform-cli:/var/tmp
  • Download the API certificate from VoltConsole and copy it to the container.
docker cp /Users/ted/Downloads/playground.console.api-creds.p12 terraform-cli:/var/tmp

Note: See the Generate API Certificate for information on API credentials.

  • Download the GCP credentials (a service account key file in JSON format) and copy them to the container. Terraform uses these credentials to authenticate to GCP, so treat the file as a secret: keep it readable only by you and delete it from the container when you are done. This example copies a credentials file named gcp-creds.json.
docker cp /Users/ted/Downloads/gcp-creds.json terraform-cli:/var/tmp

Note: For more information on GCP project and credentials, refer to GCP Project and GCP Authentication.

  • Enter the terraform container.
docker exec -it terraform-cli sh
  • Export variables for GCP credentials and project. This example shows exporting gcp-creds.json file for credentials and project1 for GCP project.
export TF_VAR_google_credentials=/var/tmp/gcp-creds.json
export TF_VAR_google_project=project1
  • Change to the VPC template directory.
cd /terraform/templates/views/assisted/gcp-volt-node
  • Set the following environment variables required for the Volterra provider:

    • VOLT_API_P12_FILE: the path to the API certificate file.
    • VES_P12_PASSWORD: the API credentials password, which is the password you set while downloading the API certificate.
    • VOLT_API_URL: the tenant URL.

The following is a sample. Change the values to match your setup. Note that exporting the password as a literal on the command line records it in the shell history; reading it from a prompt or from a file with restrictive permissions avoids that.

export VOLT_API_P12_FILE="/var/tmp/playground.console.api-creds.p12"
export VES_P12_PASSWORD=<api_cred_password>
export VOLT_API_URL="https://playground.console.ves.volterra.io/api"
export TF_VAR_akar_api_url=$VOLT_API_URL
  • Deploy the nodes by executing the terraform commands.
terraform init
terraform apply -var-file=/var/tmp/system-gcp-vpc-a.json

Note: The terraform init command downloads the terraform providers defined in the module. When the terraform apply command is executed, it prompts for user input to proceed. Enter yes to begin deploying the node(s) and wait for the deployment to complete.

  • Navigate to Sites -> Sites List. Find your site from the displayed list and verify that the status is ONLINE.

Note: It takes a few minutes for the site to be deployed and status to become ONLINE.

Note: In case of network issues, GCP allows enabling the interactive serial console with the following command: gcloud compute instances add-metadata <<instance_name>> --metadata serial-port-enable=TRUE --project <<project>>. Serial console access is an additional remote login path to the node, so disable it again (serial-port-enable=FALSE) once you have finished debugging. An organization policy constraint (compute.disableSerialPortAccess) may prevent it from being enabled at all.


Delete GCP VPC Site

Depending on the method with which the GCP VPC site is deployed, perform one of the following:

Automatic Deployment

Do the following to delete the GCP VPC site object from the VoltConsole:

  • Navigate to the created GCP VPC site object using the Manage -> Site Management -> GCP VPC Site option.
  • Find your GCP VPC site object and click ... -> Delete.
  • Click Delete in the confirmation window.

Note: Deleting the VPC site object deletes the sites and nodes from the VPC and deletes the VPC. If the delete operation does not remove the object and returns an error, check the error in the status, fix it, and re-attempt the delete operation. If the problem persists, contact technical support. You can check the status using the ... -> Terraform Parameters -> Apply Status option.

Assisted Deployment

Delete the terraform deployment made in assisted mode and then delete the site in VoltConsole.

Step 1: Delete the terraform deployment.
  • Enter the terraform container.
docker exec -it terraform-cli sh
  • Change to the GCP VPC site template directory.
cd /terraform/templates/views/assisted/gcp-volt-node
  • Set the environment variables needed for the Volterra provider:

    • VOLT_API_P12_FILE: the path to the API certificate file.
    • VES_P12_PASSWORD: the API credentials password, which is the password you set while downloading the API certificate.
    • VOLT_API_URL: the tenant URL.

The following is a sample. Change the values to match your setup.

export VOLT_API_P12_FILE="/var/tmp/playground.console.api-creds.p12"
export VES_P12_PASSWORD=<api_cred_password>
export VOLT_API_URL="https://playground.console.ves.volterra.io/api"
export TF_VAR_akar_api_url=$VOLT_API_URL
  • Destroy the site objects from GCP by executing the terraform commands.
terraform init
terraform destroy -var-file=/var/tmp/system-gcp-vpc-a.json

Note: When the terraform destroy command is executed, it prompts for user input to proceed. Enter yes and wait for the destroy to complete.
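The following script is an added example for this page, not Volterra's own tooling. It wraps both the assisted deployment steps above (export the provider variables, then terraform init and apply inside the volt-terraform container) and this destroy step in a single script, adding the pre-flight checks a practitioner would want before handing a service account key to terraform: the key file must exist, be readable only by its owner, actually be a service account key, and belong to the project named in TF_VAR_google_project; the .p12 password is read from a prompt rather than the command line; and terraform plans to a file first and then applies exactly that plan. The template directory, variable names, file paths and URL format come from the page; the script name, the TFVARS/P12/SA_KEY/PROJECT variables, the plan file name and the sample key fields used in the test are assumptions.

```shell
#!/bin/sh
# Added example (not Volterra's tooling): run the assisted GCP VPC site
# deployment or teardown with pre-flight checks.
#   PROJECT=project1 VOLT_API_URL=https://<tenant>.console.ves.volterra.io/api ./volt-assisted.sh apply
#   PROJECT=project1 VOLT_API_URL=... ./volt-assisted.sh destroy
# TFVARS, P12 and SA_KEY may be overridden in the environment (names assumed here).
set -u

TEMPLATE_DIR=/terraform/templates/views/assisted/gcp-volt-node   # path from the page
PLAN_FILE=/var/tmp/volt-gcp.tfplan                                # assumed name

# GCP project IDs: 6-30 chars of lowercase letters, digits and hyphens,
# starting with a letter and not ending with a hyphen.
valid_project_id() {
  printf '%s' "$1" | grep -Eq '^[a-z][a-z0-9-]{4,28}[a-z0-9]$'
}

# A service account key is a bearer credential: refuse it unless it is a
# readable, owner-only file that actually looks like a GCP service account key.
check_sa_key() {
  key="$1"
  [ -r "$key" ] || { echo "sa key: not readable: $key" >&2; return 1; }
  if [ -n "$(find "$key" \( -perm -004 -o -perm -040 \) 2>/dev/null)" ]; then
    echo "sa key: $key is group/world readable; chmod 600 it" >&2; return 1
  fi
  grep -Eq '"type"[[:space:]]*:[[:space:]]*"service_account"' "$key" || {
    echo "sa key: $key is not a service account key" >&2; return 1; }
}

# Project ID embedded in the key file (first "project_id" field).
sa_key_project() {
  sed -n 's/.*"project_id"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# preflight TFVARS P12 SA_KEY PROJECT: every check must pass before terraform runs.
preflight() {
  tfvars="$1"; p12="$2"; sakey="$3"; project="$4"; rc=0
  [ -s "$tfvars" ] || { echo "missing terraform parameters file: $tfvars" >&2; rc=1; }
  [ -s "$p12" ]    || { echo "missing API certificate: $p12" >&2; rc=1; }
  valid_project_id "$project" || { echo "bad GCP project id: $project" >&2; rc=1; }
  if check_sa_key "$sakey"; then
    keyproj=$(sa_key_project "$sakey")
    [ "$keyproj" = "$project" ] || {
      echo "sa key belongs to project '$keyproj', not '$project'" >&2; rc=1; }
  else
    rc=1
  fi
  return $rc
}

# Plan to a file first, then apply that exact plan, so what you reviewed is what runs.
run_terraform() {
  action="$1"; tfvars="$2"
  cd "$TEMPLATE_DIR" || return 1
  terraform init -input=false || return 1
  if [ "$action" = destroy ]; then
    terraform plan -destroy -input=false -var-file="$tfvars" -out="$PLAN_FILE" || return 1
  else
    terraform plan -input=false -var-file="$tfvars" -out="$PLAN_FILE" || return 1
  fi
  printf 'Review the plan above. Type yes to %s: ' "$action"; read -r answer
  [ "$answer" = yes ] || { echo "aborted" >&2; return 1; }
  terraform apply -input=false "$PLAN_FILE"; rc=$?
  rm -f "$PLAN_FILE"   # the plan file embeds variable values; do not leave it behind
  return $rc
}

main() {
  action="$1"
  : "${TFVARS:=/var/tmp/system-gcp-vpc-a.json}"
  : "${P12:=/var/tmp/playground.console.api-creds.p12}"
  : "${SA_KEY:=/var/tmp/gcp-creds.json}"
  : "${PROJECT:?set PROJECT to the GCP project id}"
  : "${VOLT_API_URL:?set VOLT_API_URL to the tenant API URL}"
  preflight "$TFVARS" "$P12" "$SA_KEY" "$PROJECT" || exit 1
  # Prompt for the .p12 password instead of passing it on the command line,
  # so it does not land in shell history or in `ps` output.
  printf 'API certificate password: '; stty -echo; read -r VES_P12_PASSWORD; stty echo; echo
  export VES_P12_PASSWORD
  export VOLT_API_P12_FILE="$P12" TF_VAR_akar_api_url="$VOLT_API_URL"
  export TF_VAR_google_credentials="$SA_KEY" TF_VAR_google_project="$PROJECT"
  run_terraform "$action" "$TFVARS"
}

case "${1:-}" in apply|destroy) main "$1" ;; esac
```

Run it inside the terraform-cli container after copying the three files to /var/tmp as the steps above describe; the same invocation with destroy replaces the terraform destroy step. The plan file written by terraform contains the resolved variable values, which is why the script deletes it after the apply.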

Step 2: Delete the site from VoltConsole.

Perform the following to delete the VPC site object:

  • Navigate to the created GCP VPC site object using the Manage -> Site Management -> GCP VPC Site option.
  • Find your GCP VPC site object and click ... -> Delete.
  • Click Delete in the confirmation window.

Note: If you scale down the number of instances in the instance group from the GCP UI and later scale it back to the original number, create the replacement instance in the instance group with the same instance name using the gcloud compute instance-groups managed create-instance command.

