website/src/app/kb/automate/terraform/gcp/readme.mdx
import SupportOptions from "@/components/SupportOptions"; import Alert from "@/components/DocsAlert"; import Image from "next/image";
In this example, we will deploy one or more Firezone Gateways in a single VPC on Google Cloud Platform (GCP) that are configured to egress traffic through a single Cloud NAT that is assigned a single static IP address.
This example is built on top of our module for deploying a Firezone Gateway in Google Cloud.
Use this guide to give your Firezone Clients a static public IP address for egress traffic to particular Resource(s). Here are some common use cases for this example:
All Firezone Gateways deployed in this example will automatically failover and load balance for each other. No other configuration is necessary.
Deploy Gateway button, and navigating to the
instructions for the Terraform tab. Gateway tokens support multi-use, so
only a single token is needed to provision the Firezone Gateways in this
guide.Simply update the number of replicas to deploy more or fewer Firezone Gateways. There's no limit to the number of Firezone Gateways you can deploy in a single VPC.
<Alert color="warning">If you need more than 64,512 concurrent connections, you can increase the number of public IP addresses reserved for the Cloud NAT. See Google's documentation for more information.
</Alert>We've tested with e2-micro instances which still work quite well for most
applications. However, you may want to consider a larger instance type if you
have a high volume of traffic or lots of concurrent connections. See
Gateway sizing recommendations for
some general guidelines depending on your expected traffic.
git clone https://github.com/firezone/terraform-google-gateway
examples/nat-gateway directory.cd terraform-google-gateway/examples/nat-gateway
Configure the necessary Terraform
variables.
Here's an example terraform.tfvars you can use as a starting point:
project_id = "my-gcp-project"
region = "us-west1"
zone = "us-west1-a"
token = "<YOUR GATEWAY TOKEN>"
replicas = 3
machine_type = "f1-micro"
log_level = "info"
Run terraform init to initialize the working directory and download the
required providers.
Run terraform apply to deploy the Firezone Gateway(s) into your GCP
project.
You can see the static IP address assigned to the Cloud NAT in the Terraform output. This is the IP address that your Firezone Gateway(s) will use to egress traffic.
You can verify all Firezone Gateways are using this IP by viewing the Site in
the Firezone admin portal, where you should now see the Firezone Gateway(s)
listed as Online.
<Image src="/images/kb/automate/terraform/gcp/online-gateways.png" alt="Online Gateways" width={1200} height={1200} className="rounded-sm shadow-sm mx-auto" />
<Alert color="info">It can sometimes take up to 30 minutes for all of the resources in this example to provision and connect to the portal. If you suspect the Gateway(s) are not connecting, follow the instructions in the troubleshooting guide to diagnose the issue.
</Alert>To upgrade the Firezone Gateway(s) to the latest version, we recommend setting a
version to deploy with the vsn variable. Then, whenever you want to upgrade,
update this variable and run terraform apply, which will trigger a new
deployment of the Firezone Gateway(s) with the new version.
You can follow the latest releases of the Gateway at our changelog page.
</Alert>This will incur a few minutes of downtime as Terraform destroys the existing Firezone Gateway(s) and deploys new ones in their place.
static_ip_addresses will contain a list of static IP addresses that you can
use to whitelist your Firezone Gateway(s) in your third-party or partner
application.
To clean up the resources created by this example, run terraform destroy.