运行下面的 Terraform GCP 项目后,我可以看到机器之间确实能够相互通信,但没有互联网访问:机器想要解析域名,却无法解析。我添加了内部静态 IP,因为我需要 IP 是固定的,这样实例之间才能相互通信。
我遗漏了什么吗?提前谢谢你
// Google provider: every resource below is created in this project and
// region unless the resource sets its own `region` / `zone`.
provider "google" {
  region  = "us-west1"
  project = "terraform-368808"
}
// Custom-mode VPC: subnets are declared explicitly rather than auto-created
// per region. A fresh VPC carries only the implied allow-egress / deny-ingress
// behaviour, so every permitted ingress must be declared in a firewall rule.
resource "google_compute_network" "default" {
  name                    = "manager-network"
  mtu                     = 1460
  auto_create_subnetworks = false
}
// Regional subnet that carries the two reserved internal addresses below.
// No Cloud NAT is attached to this subnet anywhere in this file, so instances
// without an external IP have no route to the internet.
resource "google_compute_subnetwork" "default" {
  name          = "manager-subnet"
  region        = "us-west1"
  network       = google_compute_network.default.id
  ip_cidr_range = "10.10.10.0/24"
}
// Reserved static internal address for manager-node-1. The address must lie
// inside the subnet's 10.10.10.0/24 range.
resource "google_compute_address" "manager_ip_one" {
  name         = "manager-ip-one"
  region       = "us-west1"
  address_type = "INTERNAL"
  address      = "10.10.10.42"
  subnetwork   = google_compute_subnetwork.default.id
}
// Exposes the reserved internal address of manager-node-1 after apply.
output "manager-ip-one" {
  description = "Static internal IP reserved for manager-node-1."
  value       = google_compute_address.manager_ip_one.address
}
// Reserved static internal address for manager-node-2.
// NOTE: the GCP name is "manager-two" while its sibling is "manager-ip-one";
// left as-is because renaming a google_compute_address forces replacement.
resource "google_compute_address" "manager_ip_two" {
  name         = "manager-two"
  region       = "us-west1"
  address_type = "INTERNAL"
  address      = "10.10.10.43"
  subnetwork   = google_compute_subnetwork.default.id
}
// Exposes the reserved internal address of manager-node-2 after apply.
output "manager-ip-two" {
  description = "Static internal IP reserved for manager-node-2."
  value       = google_compute_address.manager_ip_two.address
}
// manager-node-1: internal-only VM pinned to the reserved address above.
// The network interface has no access_config, so the VM receives no external
// IP; with no Cloud NAT on the subnet it cannot reach the internet and the
// apt commands in the startup script cannot download anything.
// No service_account block is set, so the instance runs under the project's
// default compute service account and its default scopes — a dedicated,
// least-privilege account is preferable outside of experiments.
resource "google_compute_instance" "manager1" {
  name         = "manager-node-1"
  zone         = "us-west1-a"
  machine_type = "e2-medium"
  // Selects the allow-ssh firewall rule; no instance carries the "icmp" tag.
  tags = ["ssh"]

  boot_disk {
    initialize_params {
      // Verify this image family is still published before reusing this file.
      image = "debian-cloud/debian-10"
    }
  }

  // Startup scripts already run as root; the `sudo` prefixes are redundant.
  metadata_startup_script = "sudo apt update -y; sudo apt install wget htop -y;"

  network_interface {
    subnetwork = google_compute_subnetwork.default.id
    network_ip = google_compute_address.manager_ip_one.address
    // No access_config here: no external IP is assigned.
  }

  // Runs on the machine that invokes terraform, not on the VM, and only when
  // the instance is created; the file accumulates one line per creation.
  provisioner "local-exec" {
    command = "echo ${google_compute_address.manager_ip_one.address} >> private_ips.txt"
  }
}
// manager-node-2: identical to manager1 apart from its name and reserved
// address. A for_each over the two addresses would remove the duplication,
// but it changes the resource addresses in state, so it is not done here.
// As with manager1: no access_config, so no external IP and no egress
// without Cloud NAT; no service_account block, so the default compute
// service account applies.
resource "google_compute_instance" "manager2" {
  name         = "manager-node-2"
  zone         = "us-west1-a"
  machine_type = "e2-medium"
  // Selects the allow-ssh firewall rule.
  tags = ["ssh"]

  boot_disk {
    initialize_params {
      // Verify this image family is still published before reusing this file.
      image = "debian-cloud/debian-10"
    }
  }

  // Runs as root on first boot; requires internet egress to succeed.
  metadata_startup_script = "sudo apt update -y; sudo apt install wget htop -y;"

  network_interface {
    subnetwork = google_compute_subnetwork.default.id
    network_ip = google_compute_address.manager_ip_two.address
    // No access_config here: no external IP is assigned.
  }

  // Local side effect on the operator's machine, executed at instance creation.
  provisioner "local-exec" {
    command = "echo ${google_compute_address.manager_ip_two.address} >> private_ips.txt"
  }
}
// Ingress rule: TCP/22 from any source to instances tagged "ssh".
// SECURITY: source_ranges = 0.0.0.0/0 is moot while the VMs have no external
// IP, but the moment an access_config block is added (the usual fix for the
// missing internet access) this rule exposes SSH to the whole internet.
// Restrict it before that: an admin CIDR, the subnet range 10.10.10.0/24 for
// node-to-node SSH, and/or IAP's TCP-forwarding range 35.235.240.0/20 (then
// `gcloud compute ssh --tunnel-through-iap` works without any external IP).
resource "google_compute_firewall" "ssh" {
  name      = "allow-ssh"
  network   = google_compute_network.default.id
  direction = "INGRESS"
  priority  = 1000

  allow {
    protocol = "tcp"
    ports    = ["22"]
  }

  source_ranges = ["0.0.0.0/0"]
  target_tags   = ["ssh"]
}
// Ingress rule: ICMP from any source to instances tagged "icmp".
// NOTE: neither instance in this file carries the "icmp" tag (both use
// tags = ["ssh"]), so as written this rule matches no VM and does not enable
// ping between the nodes. Either add "icmp" to the instance tags or use
// target_tags = ["ssh"]. If you keep the rule, consider narrowing
// source_ranges to the subnet (10.10.10.0/24) unless ICMP from the internet
// is genuinely wanted once the VMs get external IPs.
resource "google_compute_firewall" "icmp" {
name = "allow-icmp"
allow {
protocol = "icmp"
}
direction = "INGRESS"
network = google_compute_network.default.id
priority = 1001
source_ranges = ["0.0.0.0/0"]
target_tags = ["icmp"]
}
发布于 2022-11-18 14:46:48
我认为,要从 Compute Engine 实例访问外部 internet(防火墙规则暂且不论),实例应该拥有一个外部 IP 地址,或者通过 Cloud NAT 进行连接。
若要与 internet 通信,可以使用实例上配置的外部 IPv4 或外部 IPv6 地址。如果实例没有外部地址,则可以使用 Cloud NAT 进行 IPv4 通信。
对于外部 IP 地址,您可能需要在 Terraform 脚本中添加几行代码(下面沿用上文代码中的片段)来配置 access_config(“访问配置”)部分。
// Fragment of the instance's network_interface: an empty access_config block
// asks GCE for an ephemeral external IPv4 address, which gives the VM direct
// internet egress. Once the VM has an external address, the allow-ssh rule
// above (source_ranges = 0.0.0.0/0) exposes port 22 to the internet, so
// tighten that rule's source_ranges in the same change.
network_interface {
subnetwork = google_compute_subnetwork.default.id
network_ip = google_compute_address.manager_ip_one.address
access_config {
// Ephemeral public IP
}
}
或者,您也可以在 Terraform 脚本中创建/预留一个外部 IP 地址(假设名称为 manager_ip_ext):
// Same fragment, but binding a pre-reserved external address via nat_ip.
// manager_ip_ext is assumed to be a google_compute_address with
// address_type = "EXTERNAL" declared elsewhere; it is not part of the
// question's code. The same caveat applies: with an external IP attached,
// the allow-ssh rule's 0.0.0.0/0 source range makes SSH internet-reachable.
network_interface {
subnetwork = google_compute_subnetwork.default.id
network_ip = google_compute_address.manager_ip_one.address
access_config {
// Explicit public IP
nat_ip = google_compute_address.manager_ip_ext.address
}
}
如上文所述,另一种选择是通过 Cloud NAT 方案来组织出站流量(egress)。文档中提供了一些细节——《用 Cloud NAT 建立和管理网络地址转换》;Cloud NAT 也可以通过 Terraform 部署/管理。
https://stackoverflow.com/questions/74491063