如何在 GCP 中 DeploymentManager 创建的 VM 实例中包含防火墙
How to include firewall in VM instance creation by DeploymentManager in GCP
我的yaml模板如下,我想加防火墙属性允许http流量:
resources:
- name: deployed-vm2222
type: compute.v1.instance
properties:
zone: us-central1-f
machineType: https://www.googleapis.com/compute/v1/projects/myproject/zones/us-central1-f/machineTypes/f1-micro
disks:
- deviceName: boot
type: PERSISTENT
boot: true
autoDelete: true
您可以在模板中添加防火墙规则,如下所示:
- name: allow-http-fw
type: compute.v1.firewall
properties:
allowed:
- IPProtocol: TCP
ports: 80
sourceRanges: [ 0.0.0.0/0 ]
您可以定义为 firewall resource 列出的属性。
执行此操作时需要注意几件事,确保实例已正确标记以启用标记。例如,标记实例、http-server 或 https-server 确保防火墙知道它正在处理 public 流量。
添加防火墙入口可以通过以下方式实现。
resources:
- name: instance
type: xxxxxxxx
properties:
zone: us-east1-b
tags:
items: ["http-server", "tensorboard"]
- name: default-allow-http
type: compute.v1.firewall
properties:
network: https://www.googleapis.com/compute/v1/projects/myproject/global/networks/default
targetTags: ["http-server"]
sourceRanges: ["0.0.0.0/0"]
allowed:
- IPProtocol: TCP
ports: ["80"]
- name: default-allow-tensorboard
type: compute.v1.firewall
properties:
network: https://www.googleapis.com/compute/v1/projects/myproject/global/networks/default
targetTags: ["tensorboard"]
sourceRanges: ["0.0.0.0/0"]
allowed:
- IPProtocol: TCP
ports: ["6006"]
在防火墙中,我们使用:
targetTags: ["http"]
那么,在实例中,我们使用:
tags:
items: ["http"]
完整的文件可以如图:
resources:
- name: default-allow-http
type: compute.v1.firewall
properties:
targetTags: ["http"]
sourceRanges: ["0.0.0.0/0"]
allowed:
- IPProtocol: TCP
ports: ["80"]
- name: vm-test
type: compute.v1.instance
properties:
zone: xxxx
machineType: xxxx
tags:
items: ["http"]
disks:
- deviceName: boot
type: PERSISTENT
boot: true
autoDelete: true
initializeParams:
diskName: xxxx
sourceImage: xxxx
networkInterfaces:
- network: xxxx
accessConfigs:
- name: External NAT
type: ONE_TO_ONE_NAT
@LundinCast 几乎完全正确
properties 下的 network: 缺失。
它将与 networkInterfaces:
下的值相同
我的yaml模板如下,我想加防火墙属性允许http流量:
resources:
- name: deployed-vm2222
type: compute.v1.instance
properties:
zone: us-central1-f
machineType: https://www.googleapis.com/compute/v1/projects/myproject/zones/us-central1-f/machineTypes/f1-micro
disks:
- deviceName: boot
type: PERSISTENT
boot: true
autoDelete: true
您可以在模板中添加防火墙规则,如下所示:
- name: allow-http-fw
type: compute.v1.firewall
properties:
allowed:
- IPProtocol: TCP
ports: 80
sourceRanges: [ 0.0.0.0/0 ]
您可以定义为 firewall resource 列出的属性。
执行此操作时需要注意几件事,确保实例已正确标记以启用标记。例如,标记实例、http-server 或 https-server 确保防火墙知道它正在处理 public 流量。
添加防火墙入口可以通过以下方式实现。
resources:
- name: instance
type: xxxxxxxx
properties:
zone: us-east1-b
tags:
items: ["http-server", "tensorboard"]
- name: default-allow-http
type: compute.v1.firewall
properties:
network: https://www.googleapis.com/compute/v1/projects/myproject/global/networks/default
targetTags: ["http-server"]
sourceRanges: ["0.0.0.0/0"]
allowed:
- IPProtocol: TCP
ports: ["80"]
- name: default-allow-tensorboard
type: compute.v1.firewall
properties:
network: https://www.googleapis.com/compute/v1/projects/myproject/global/networks/default
targetTags: ["tensorboard"]
sourceRanges: ["0.0.0.0/0"]
allowed:
- IPProtocol: TCP
ports: ["6006"]
在防火墙中,我们使用:
targetTags: ["http"]
那么,在实例中,我们使用:
tags:
items: ["http"]
完整的文件可以如图:
resources:
- name: default-allow-http
type: compute.v1.firewall
properties:
targetTags: ["http"]
sourceRanges: ["0.0.0.0/0"]
allowed:
- IPProtocol: TCP
ports: ["80"]
- name: vm-test
type: compute.v1.instance
properties:
zone: xxxx
machineType: xxxx
tags:
items: ["http"]
disks:
- deviceName: boot
type: PERSISTENT
boot: true
autoDelete: true
initializeParams:
diskName: xxxx
sourceImage: xxxx
networkInterfaces:
- network: xxxx
accessConfigs:
- name: External NAT
type: ONE_TO_ONE_NAT
@LundinCast 几乎完全正确
properties 下的 network: 缺失。
它将与 networkInterfaces: