Configure a Firewall and a Startup Script with Deployment Manager – Qwiklab


Brief Introduction of Challenge Scenario

When you open the lab page in Qwiklabs, you can find the task requirements by clicking the green activity tracker (top right of the page) to expand the score box.

The screenshot above shows that 6 checks are required to complete this lab. Combined with the instruction details, they translate to the following mission statements.

  1. Configure a deployment template and apply it with Deployment Manager.
  2. The deployment creates a VM instance with an embedded startup script.
  3. The VM instance that carries the startup script also has a network tag called http.
  4. Create a firewall rule that allows port 80 (HTTP) traffic and is applied to instances via the tag http.
  5. The virtual machine responds to web requests using the Apache web server, which the startup script installs.
  6. The Deployment Manager configuration includes both the startup script and the firewall resource.


  1. Download the baseline Deployment Manager template
    1. The lab provides a basic Deployment Manager template: the qwiklabs.jinja template, its .jinja.schema, the qwiklabs.yaml configuration, and a sample startup script. In Cloud Shell, download the files with the following commands.
      mkdir deployment_manager
      cd deployment_manager
      gsutil cp gs://spls/gsp302/* .


    2. You can explore the files in the Cloud Shell code editor. The template deploys a single virtual machine.
  2. Edit the Jinja Template
    1. Open the qwiklabs.jinja file and read through the instance definition it contains.
    2. The template already includes the following configurations:
      • Instance name: vm-test
      • Zone: Read the value from the qwiklabs.yaml
      • Machine Type: f1-micro
      • Disks: Persistent, Debian-9
      • Network Interfaces: Default Network with a public IP address
    3. To fulfil the lab requirements, the template still lacks:
      • metadata embedding the startup script, and
      • a network tag called http.
  3. Setting Metadata and Using Startup Scripts
    1. Open the install-web.sh file; it holds the short Apache install script that you will embed in the instance metadata under the reserved key startup-script. The guest agent runs that script as root on every boot, so it should contain only what the VM needs to serve the site.
    2. Add the following properties to the instance configuration (under properties, at the same indentation as networkInterfaces):
        metadata:
            items:
            - key: startup-script
              value: |
                #!/bin/bash
                apt-get update
                apt-get install -y apache2
  4. A tag called http is required to associate the GCE instance with the firewall rule that will be created in the next section. Append the following properties to the instance configuration:
       tags:
          items:
          - http


  5. Add Firewall Rule for HTTP traffic
      1. Firewall rules and VM instances are separate resources, so the firewall block must be a second entry in the top-level resources list, indented to the same level as "- type: compute.v1.instance", not nested under the instance's properties. You can write the resource by hand, or let the GCP web console generate it: fill in the Create Firewall Rule form, open its "Equivalent REST" view, and convert the JSON to YAML with a tool such as https://www.json2yaml.com/. The generated network URL carries your project ID; replace it with {{ env["project"] }} so the template works in any project. Two points matter for security here: targetTags restricts the rule to instances carrying the http tag (a rule without targetTags applies to every instance in the network), and sourceRanges 0.0.0.0/0 opens port 80 to the whole Internet, which is what the lab checks for; outside the lab, narrow it to the ranges that need access. You should obtain something similar to the following:
         - type: compute.v1.firewall
           name: default-allow-http
           properties:
             # project ID from the console output replaced by the template variable
             network: https://www.googleapis.com/compute/v1/projects/{{ env["project"] }}/global/networks/default
             # only instances carrying this tag are exposed by the rule
             targetTags:
             - http
             allowed:
             - IPProtocol: tcp
               ports:
               - '80'
             # required by the lab; narrow this in production
             sourceRanges:
             - 0.0.0.0/0
      2. Copy the above firewall configuration to the .jinja file. The final qwiklabs.jinja file should become:
        resources:
        # Resource 1: the VM. Everything that applies to the instance
        # (metadata, tags, service account) is nested under its properties.
        - type: compute.v1.instance
          name: vm-test
          properties:
            zone: {{ properties["zone"] }}
            machineType: https://www.googleapis.com/compute/v1/projects/{{ env["project"] }}/zones/{{ properties["zone"] }}/machineTypes/f1-micro
            disks:
            - deviceName: boot
              type: PERSISTENT
              boot: true
              autoDelete: true
              initializeParams:
                diskName: disk-{{ env["deployment"] }}
                sourceImage: https://www.googleapis.com/compute/v1/projects/debian-cloud/global/images/family/debian-9
            networkInterfaces:
            - network: https://www.googleapis.com/compute/v1/projects/{{ env["project"] }}/global/networks/default
              # The access config gives the VM a public IP; without it the
              # firewall rule below has nothing reachable from the Internet.
              accessConfigs:
              - name: External NAT
                type: ONE_TO_ONE_NAT
            # Requirement 2: the startup script lives in instance metadata under
            # the reserved key "startup-script"; the guest agent runs it as root
            # on every boot.
            metadata:
              items:
              - key: startup-script
                value: |
                  #!/bin/bash
                  apt-get update
                  apt-get install -y apache2
            # Requirement 3: the tag the firewall rule targets.
            tags:
              items:
              - http
            # Default Compute Engine service account with its default scopes.
            # env["project_number"] keeps the template portable; a hard-coded
            # project number only resolves in the project it was copied from.
            serviceAccounts:
            - email: {{ env["project_number"] }}-compute@developer.gserviceaccount.com
              scopes:
              - https://www.googleapis.com/auth/devstorage.read_only
              - https://www.googleapis.com/auth/logging.write
              - https://www.googleapis.com/auth/monitoring.write
              - https://www.googleapis.com/auth/servicecontrol
              - https://www.googleapis.com/auth/service.management.readonly
              - https://www.googleapis.com/auth/trace.append
        # Resource 2: the firewall rule. It is a sibling of the instance in the
        # resources list, not a child of it.
        - type: compute.v1.firewall
          name: default-allow-http
          properties:
            network: https://www.googleapis.com/compute/v1/projects/{{ env["project"] }}/global/networks/default
            # Only instances carrying the "http" tag are exposed.
            targetTags:
            - http
            allowed:
            - IPProtocol: tcp
              ports:
              - '80'
            # Required by the lab; outside it, narrow to the ranges that need access.
            sourceRanges:
            - 0.0.0.0/0
        
  6. Apply the Deployment: it is time to deploy the configuration and see whether it works. Run the following gcloud command in Cloud Shell; the deployment takes a minute or two, and gcloud deployment-manager deployments describe vm-test shows its status.
    gcloud deployment-manager deployments create vm-test --config=qwiklabs.yaml
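Once the deployment reports DONE, it is worth confirming each graded requirement directly against the live resources rather than trusting the template: the instance carries the http tag, the rule default-allow-http allows tcp:80 and is scoped to that tag, and Apache actually answers on the external IP. The script below is an added example, not part of the lab or its files. It assumes the names used in this post (deployment and instance vm-test, rule default-allow-http, tag http; all overridable through environment variables) and that gcloud and curl are available in Cloud Shell. The checks are written as small functions over the text gcloud prints, so they can be exercised offline against a constructed sample; the live calls run only with --live.

```shell
#!/usr/bin/env bash
# Added example (not part of the lab): verify the deployed resources meet the
# lab's requirements. Helper functions are pure so they can be tested offline;
# the gcloud/curl calls run only when invoked with --live.
set -eu

INSTANCE="${INSTANCE:-vm-test}"        # instance name from qwiklabs.jinja
RULE="${RULE:-default-allow-http}"     # firewall rule name from qwiklabs.jinja
TAG="${TAG:-http}"                     # network tag linking rule and instance

# tags_contain TAGS TAG
# TAGS is the ';'-joined list printed by `--format='value(tags.items)'`.
tags_contain() {
  case ";$1;" in
    *";$2;"*) return 0 ;;
    *)        return 1 ;;
  esac
}

# rule_allows_tcp80 FLATTENED
# FLATTENED is `gcloud compute firewall-rules describe RULE --format=flattened`,
# one "key: value" pair per line, e.g. "allowed[0].IPProtocol: tcp".
rule_allows_tcp80() {
  printf '%s\n' "$1" | grep -q '^allowed\[[0-9]*\]\.IPProtocol: *tcp$' &&
  printf '%s\n' "$1" | grep -q '^allowed\[[0-9]*\]\.ports\[[0-9]*\]: *80$'
}

# rule_targets_tag FLATTENED TAG: the rule is scoped to instances carrying TAG.
rule_targets_tag() {
  printf '%s\n' "$1" | grep -q "^targetTags\[[0-9]*\]: *$2\$"
}

# rule_open_to_world FLATTENED: true when a source range is 0.0.0.0/0.
rule_open_to_world() {
  printf '%s\n' "$1" | grep -q '^sourceRanges\[[0-9]*\]: *0\.0\.0\.0/0$'
}

# server_is_apache HEADERS: HEADERS is the raw output of `curl -sI`.
server_is_apache() {
  printf '%s\n' "$1" | tr -d '\r' | grep -qi '^Server: Apache'
}

fail() { echo "FAIL: $*" >&2; exit 1; }

main() {
  zone=$(gcloud compute instances list --filter="name=$INSTANCE" \
           --format='value(zone.basename())')
  [ -n "$zone" ] || fail "instance $INSTANCE not found"

  tags=$(gcloud compute instances describe "$INSTANCE" --zone "$zone" \
           --format='value(tags.items)')
  tags_contain "$tags" "$TAG" || fail "instance tags are '$tags', expected '$TAG'"

  rule=$(gcloud compute firewall-rules describe "$RULE" --format=flattened)
  rule_allows_tcp80 "$rule"        || fail "$RULE does not allow tcp:80"
  rule_targets_tag  "$rule" "$TAG" || fail "$RULE is not scoped to tag $TAG"
  if rule_open_to_world "$rule"; then
    echo "NOTE: $RULE accepts 0.0.0.0/0 (the lab requires it; narrow sourceRanges elsewhere)"
  fi

  ip=$(gcloud compute instances describe "$INSTANCE" --zone "$zone" \
         --format='get(networkInterfaces[0].accessConfigs[0].natIP)')
  [ -n "$ip" ] || fail "instance has no external IP"

  # The startup script installs Apache after first boot, so allow a few retries.
  for attempt in 1 2 3 4 5 6; do
    headers=$(curl -sI --max-time 10 "http://$ip/" || true)
    if server_is_apache "$headers"; then
      echo "PASS: $INSTANCE ($ip) tagged $TAG, $RULE allows tcp:80, Apache is serving"
      return 0
    fi
    echo "attempt $attempt: no Apache response from $ip yet, retrying in 10s"
    sleep 10
  done
  fail "no Apache response from http://$ip/ after 6 attempts"
}

# Constructed sample of `--format=flattened` output for the offline self-check.
SAMPLE_RULE='allowed[0].IPProtocol: tcp
allowed[0].ports[0]:   80
sourceRanges[0]:       0.0.0.0/0
targetTags[0]:         http'

selfcheck() {
  rule_allows_tcp80 "$SAMPLE_RULE" && rule_targets_tag "$SAMPLE_RULE" http &&
  tags_contain "http;web" http &&
  echo "self-check OK (run with --live to check the real deployment)"
}

if [ "${1:-}" = "--live" ]; then main; else selfcheck; fi
```

Run it as bash verify_deployment.sh --live from Cloud Shell after the deployment finishes; without the flag it only exercises the helpers against the constructed sample. The tag check and the targetTags check together confirm the rule is scoped the way the lab intends, and the 0.0.0.0/0 note is a reminder that the same template would need a tighter source range anywhere but a lab project.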
