Thursday, March 18, 2021

Bastion Host Lab - GCP


Task 1: Launch an instance and verify access

Launch an instance

1.    In the Console, on the Navigation menu, click Compute Engine > VM instances.

2.    Click Create.

3.    Specify the following, and leave the remaining settings as their defaults:

Property: Value (type value or select option as specified)
Name: webserver
Region: us-central1
Zone: us-central1-c
Firewall: Allow HTTP traffic

4.    Click Create.


Verify IP access

1.    For webserver, click SSH to launch a terminal and connect.

Tip: Setting the Source IP at creation time is a best practice for this lab because it allows the initial SSH credentials to be set for you behind the scenes.

2.    Enter a few commands to test connectivity:

ls

pwd

3.    Enter the following command to close the terminal:

exit

Task 2: Restrict firewall rule settings for SSH

The default setting for a default or auto-type network is to allow SSH access from any source IP address. Restrict access to just your source IP address to see what happens when you try to connect from the GCP Console.

Find your IP address

Find the IP address of the computer you are using. One easy way to do this is to go to a website that provides this address.

1.    Open a browser in a new tab.

2.    Go to www.google.com and search for "what's my IP." It will either directly reply with your IP or give you a list of sites that perform this service.

3.    Ensure that the IP address contains only numerals (IPv4) and is not written in hexadecimal notation (IPv6).

4.    Copy your IP address. It will be referred to as YOUR_IP_ADDRESS. You will be using it to modify the default firewall rule.

Edit the default SSH rule

1.    In the GCP Console, on the Navigation menu, click VPC network > Firewall rules.

2.    Click the default-allow-ssh rule, and then click Edit.

3.    Specify the following, and leave the remaining settings as their defaults:

Property: Value (type value or select option as specified)
Description: Allow SSH from my IP only
Source IP ranges: Remove 0.0.0.0/0; add [YOUR_IP_ADDRESS]

4.    Click Save. Wait until the firewall rule is updated (the status in the bottom pane is Updating firewall rule; when it closes, you can continue).

Test connectivity

1.    On the Navigation menu, click Compute Engine > VM instances.

2.    For webserver, click SSH to launch a terminal and connect.

What happened?

When you connect via SSH to an instance from your browser, you need to allow SSH from Cloud Platform resources, so you must allow connections from either any IP address or from Google's IP address range, which you can get from Public SPF records. If you want to restrict SSH access to just your IP address, you need to SSH from a terminal session.

For this lab, leaving SSH open to any connections is sufficient.

Reset the IP address range in the firewall rule

1.    In the GCP Console, on the Navigation menu, click VPC network > Firewall rules.

2.    Click the default-allow-ssh rule, and then click Edit.

3.    Specify the following, and leave the remaining settings as their defaults:

Property: Value (type value or select option as specified)
Description: Allow SSH from all IPs
Source IP ranges: Add 0.0.0.0/0

4.    Click Save. Wait until the firewall rule is updated (the status in the bottom pane is Updating firewall rule; when it closes, you can continue).

Verify the change

1.    On the Navigation menu, click Compute Engine > VM instances.

2.    For webserver, click SSH to launch a terminal and connect. Leave the terminal open for the next task.

Task 3: Install a simple web application

Install a simple web application on your instance to represent an internal application. You then secure it by preventing access from the internet.

Install and configure a web server

1.    In the webserver SSH terminal, update the package index:

sudo apt-get update

2.    Install the apache2 package:

sudo apt-get install apache2 -y

3.    To create a new default web page by overwriting the default, run the following:

echo '<!doctype html><html><body><h1>Hello World!</h1></body></html>' | sudo tee /var/www/html/index.html

Verify that the web server is working

Test that your instance is serving traffic on its external IP.

1.    In the GCP Console, on the Navigation menu, click Compute Engine > VM instances.

2.    For webserver, click the external IP to open in a new tab. You should see the "Hello World!" page you updated earlier.

Task 4: Restrict firewall rule settings for HTTP

Restrict access to the web interface by changing the source IP address in the default-allow-http rule to your IP address.

Restrict HTTP access

1.    In the GCP Console, on the Navigation menu, click VPC network > Firewall rules.

2.    Click the default-allow-http rule, and then click Edit.

3.    Specify the following, and leave the remaining settings as their defaults:

Property: Value (type value or select option as specified)
Description: Allow HTTP from my IP only
Source IP ranges: Remove 0.0.0.0/0; add [YOUR_IP_ADDRESS]

4.    Click Save. Wait until the firewall rule is updated (the status in the bottom pane is Updating firewall rule; when it closes, you can continue).

Verify that you still have access to the web server

1.    On the Navigation menu, click Compute Engine > VM instances.

2.    For webserver, click the external IP to open in a new tab. You should still see the "Hello World!" page.

Task 5: Restrict access to the VM from the internet

Edit the VM Properties

1.    Return to the VM instances page of the GCP Console.

2.    Click webserver to access the instance details.

3.    Click Edit.

4.    For Network interfaces, click the default network and change External IP from Ephemeral to None.

5.    Click Done.

6.    Click Save.

Try to access the VM

1.    First try HTTP: In the left pane, click VM instances. Notice that webserver doesn't have a value under External IP.

2.    Try SSH: for webserver, try to use the SSH link to launch a terminal and connect.

What happened?

The VM is no longer associated with an External IP. It is no longer reachable from the internet.


Task 6: Create a Bastion Host

Launch another instance

1.    Click Create instance.

2.    Specify the following, and leave the remaining settings as their defaults:

Property: Value (type value or select option as specified)
Name: bastion
Region: us-central1
Zone: us-central1-c

3.    Click Create.


Connect to the Bastion Host via SSH and verify access to webserver

1.    For bastion, click SSH to launch a terminal and connect.

2.    Verify that the home page on webserver is reachable from bastion by running the following command:

curl webserver

Even though webserver is no longer associated with an external IP address, clients inside your network can still view and use the web service on this VM over the internal IP address.

3.    From the bastion SSH terminal, connect to webserver by running the following command (the -a option disables forwarding of the authentication agent connection):

ssh -a webserver

4.    When prompted, type yes to continue.

When instances do not have external IP addresses, they can only be reached by other instances on the network or via a managed VPN gateway.

In this case, the bastion VM serves as a management and maintenance interface to the webserver VM.

Task 7: Review

You restricted access to the webserver VM by removing the external IP address.

You created a bastion host named bastion to gain access to the webserver VM over its internal IP. Normally, you would harden the bastion host by restricting the source IPs that can access the bastion host, by editing the firewall rules just as you did earlier in this lab. When you're not using the bastion host, you can shut it down.
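The posture this lab ends with (webserver without an external IP, SSH not open to every source) can be checked offline against exported configuration. The following Python is an added example, not part of the original lab; it assumes JSON in the shape returned by gcloud compute firewall-rules list --format=json and gcloud compute instances list --format=json, and the sample rules, instances and addresses (203.0.113.7 standing in for YOUR_IP_ADDRESS) are constructed.

```python
import ipaddress

# Constructed sample data shaped like the JSON output of
# `gcloud compute firewall-rules list` and `gcloud compute instances list`.
# 203.0.113.7 stands in for YOUR_IP_ADDRESS; every address is a documentation value.
FIREWALL_RULES = [
    {"name": "default-allow-ssh", "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "default-allow-http", "direction": "INGRESS",
     "sourceRanges": ["203.0.113.7/32"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["80"]}]},
]
INSTANCES = [
    {"name": "webserver", "networkInterfaces": [{"networkIP": "10.128.0.2"}]},
    {"name": "bastion", "networkInterfaces": [
        {"networkIP": "10.128.0.3",
         "accessConfigs": [{"natIP": "198.51.100.20"}]}]},
]

def allows_port(rule, port):
    """True if an enabled ingress allow rule covers TCP `port` (ranges included)."""
    if rule.get("disabled") or rule.get("direction", "INGRESS") != "INGRESS":
        return False
    for entry in rule.get("allowed", []):
        if entry["IPProtocol"] not in ("tcp", "all"):
            continue
        ports = entry.get("ports")
        if not ports:                      # no port list means every port
            return True
        for spec in ports:                 # "22" or "20-25"
            low, _, high = spec.partition("-")
            if int(low) <= port <= int(high or low):
                return True
    return False

def admits(rule, client_ip, port):
    """Would this rule let `client_ip` reach TCP `port`?"""
    ip = ipaddress.ip_address(client_ip)
    return allows_port(rule, port) and any(
        ip in ipaddress.ip_network(r) for r in rule.get("sourceRanges", []))

def audit(rules, instances, internal_only=("webserver",)):
    """Findings against the end state of the lab (hypothetical helper)."""
    findings = []
    for rule in rules:
        open_to_all = any(ipaddress.ip_network(r).prefixlen == 0
                          for r in rule.get("sourceRanges", []))
        if open_to_all and allows_port(rule, 22):
            findings.append(f"{rule['name']}: SSH open to any source")
    for vm in instances:
        nat = [ac["natIP"] for nic in vm.get("networkInterfaces", [])
               for ac in nic.get("accessConfigs", []) if ac.get("natIP")]
        if vm["name"] in internal_only and nat:
            findings.append(f"{vm['name']}: has external IP {nat[0]}")
    return findings

if __name__ == "__main__":
    for line in audit(FIREWALL_RULES, INSTANCES):
        print("FINDING", line)
```

With default-allow-ssh narrowed to 203.0.113.7/32, admits() returns False for any other source address, which is the behaviour seen in Task 2 when the browser SSH session no longer connected.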


Autoscaling Lab - Google Cloud Platform


Overview

Managed instance groups offer autoscaling capabilities that allow you to automatically add or remove instances from a managed instance group based on increases or decreases in load. Autoscaling helps your applications gracefully handle increases in traffic and reduces cost when the need for resources is lower. You just define the autoscaling policy, and the autoscaler performs automatic scaling based on the measured load.

Autoscaling works by scaling your instance group in or out. That is, it adds more instances to your instance group when there is more load (scaling out) and removes instances when the need for instances is lowered (scaling in).

Objectives

In this lab, you learn how to perform the following tasks:

· Create a custom image for a web server

· Create an instance template based on the custom image

· Create a managed instance group

· Create a load balancer

· Stress test the autoscaler

For each lab, you get a new GCP project and set of resources for a fixed time at no cost.

1.    Make sure you are signed in to Qwiklabs using an incognito window.

2.    Note the lab's access time (for example,  and make sure you can finish in that time block.

There is no pause feature. You can restart if needed, but you have to start at the beginning.

3.    When ready, click .

4.    Note your lab credentials. You will use them to sign in to Cloud Platform Console. 

5.    Click Open Google Console.

6.    Click Use another account and copy/paste credentials for this lab into the prompts.

If you use other credentials, you'll get errors or incur charges.

7.    Accept the terms and skip the recovery resource page.

Do not click End Lab unless you are finished with the lab or want to restart it. This clears your work and removes the project.

Task 1: Create a custom image for a web server

Create a VM

1.    In the GCP Console, on the Navigation menu, click Compute Engine > VM instances.

2.    Click Create.

3.    Specify the following, and leave the remaining settings as their defaults:

Property: Value (type value or select option as specified)
Name: webserver
Region: us-central1
Zone: us-central1-a
Machine type: micro (1 shared vCPU)
Firewall: Allow HTTP traffic; Allow HTTPS traffic

4.    Click Management, security, disks, networking, sole tenancy.

5.    Click Disks, and disable Delete boot disk when instance is deleted.

6.    Click Create.

Customize the VM

1.    For webserver, click SSH to launch a terminal and connect.

2.    To install Apache2, run the following commands:

sudo apt-get update

sudo apt-get install -y apache2

3.    To start the apache server, run the following command:

sudo service apache2 start

4.    To enable SSL and restart the apache server, run the following commands:

sudo a2ensite default-ssl

sudo a2enmod ssl

sudo service apache2 restart

5.    In the GCP Console, for webserver, click the External IP address.

6.    Click through the warning to see the actual page. For example, in Chrome, click Advanced, and then click Proceed to External IP Address. The default page for the Apache2 server should be displayed.

In this test setup, the instance is using self-signed certificates. Therefore, you will see a warning in your browser the first time you access a page. Alternatively, you can copy the IP address and access the page in a new tab using http://<External IP address>/

Set the Apache service to start at boot

The software installation was successful. However, when a new VM is created using this image, the freshly booted VM does not have the Apache web server running. Use the following command to set the Apache service to automatically start on boot. Then test it to make sure it works.

1.    In the webserver SSH terminal, set the service to start on boot:

sudo update-rc.d apache2 enable

2.    In the GCP Console, select webserver, and then click Reset.

3.    In the confirmation dialog, click Reset.

Reset stops and reboots the machine. It keeps the same IPs and the same persistent boot disk, but memory is wiped. Therefore, if the Apache service is available after the reset, the update-rc.d command was successful.

4.    For webserver, click the External IP address of the instance to verify that the Apache service is available. You should see the default page.

5.    You can also check the server by connecting via SSH to the VM and entering the following command:

sudo service apache2 status

6.    The result should show Started The Apache HTTP Server.

Prepare the disk to create a custom image

1.    On the VM instances page, click webserver to view the VM instance details and verify that Delete boot disk when instance is deleted is disabled.

2.    Return to the VM instances page, click webserver, and click Delete.

3.    In the confirmation dialog, click Delete.

4.    In the left pane, click Disks and verify that the webserver disk exists.

Create the custom image

1.    In the left pane, click Images.

2.    Click Create image.

3.    Specify the following, and leave the remaining settings as their defaults:

Property: Value (type value or select option as specified)
Name: mywebserver1
Source: Disk
Source disk: webserver

4.    Click Create.

You have created a custom image from which multiple identical webservers can be started. The next step is to use that image to define an Instance Template that can be used in a managed instance group.


Task 2: Create an Instance Template based on the custom image

1.    In the left pane, click Instance templates.

2.    Click Create instance template.

3.    Specify the following, and leave the remaining settings as their defaults:

Property: Value (type value or select option as specified)
Name: webserver-template
Machine type: micro (1 shared vCPU)

4.    For Boot disk, click Change.

5.    Click Custom images.

6.    Select mywebserver1.

7.    Click Select.

8.    For Firewall, enable Allow HTTP traffic and Allow HTTPS traffic.

9.    Click Create.

You created an instance template from the custom image. Now you can use it in a Managed Instance Group.


Task 3: Create a managed instance group

1.    In the left pane, click Instance groups.

2.    Click Create instance group.

3.    Specify the following, and leave the remaining settings as their defaults:

Property: Value (type value or select option as specified)
Name: mywebserver-group
Location: Multiple zones
Region: us-central1
Instance template: webserver-template
Autoscaling: On
Autoscaling policy: HTTP load balancing usage
Maximum number of instances: 5

4.    For Health check, select Create a health check.

5.    For Name, type webserver-healthcheck.

6.    Click Save and continue.

7.    For Initial delay, type 60. This is how long the Instance Group waits after initializing the boot-up of a VM before it tries a health check. You don't want to wait 5 minutes for this during the lab, so you set it to 1 minute.

8.    Click Create. A warning tells you that there is no load balancer. That's OK; you are going to create and attach one to the Managed Instance Group in the next section.

9.    Click OK.

10.   In the left pane, click VM instances.

11.   Test the VM by clicking on the External IP address of the instance in the console.

12.   Click through the warning to see the actual page. For example, in Chrome, click Advanced, and then click Proceed to External IP Address.

In this test setup, the instance is using self-signed certificates. Therefore, you see a warning in your browser the first time you access this new External IP address. Alternatively, you can copy the IP address and access the page in a new tab using http://<External IP address>/


Task 4: Create a load balancer

1.    On the Navigation menu, click Network services > Load balancing.

2.    Click Create load balancer.

3.    In HTTP(S) Load Balancing, click Start configuration and then click Continue.

4.    Click Frontend configuration.

5.    For Name, type mywebserver-frontend.

6.    Leave the remaining settings as their defaults, and click Done.

7.    Click Backend configuration.

8.    Click Create or select a backend service & backend buckets > Backend services > Create a backend service.

9.    For Name, type mywebserver-backend.

10.   In Backends > New backend, for Instance group, click mywebserver-group.

11.   Leave the remaining settings as their defaults, and click Done.

12.   For Health check, click webserver-healthcheck.

13.   Click Create.

14.   Enter a name for your HTTP(S) load balancer: webserver-load-balancer.

15.   Click Create.

Note: Creating the backend automatically set a Host and path rule to deliver all traffic to the backend.

16.   Click webserver-load-balancer.

17.   Find the External IP that was assigned to the Frontend, which is later referred to as [YOUR_LB_IP].

18.   On the Navigation menu, click Compute Engine > Instance groups.

mywebserver-group may show a red icon indicating that there is no backend attached to the group. It may take a minute or two for the backend configuration to register. Click Refresh, and it should change.

Now you should see a warning icon indicating that there is no traffic to the site yet. This is expected.

19.   Open a new browser tab or window and browse to the load balancer's IP using http://[YOUR_LB_IP]/. You should see the Apache default page.

If you get a server error, wait 1 minute and refresh the page. There might be a delay in the load balancer response.


Task 5: Stress test the Autoscaler

The entire configuration is working, as evidenced by the fact that you could browse to the load balancer's IP and view the default page on the web server. However, you need to see if the Autoscaler is working and will actually start new VMs in response to a load.

To test this you need software that can send repeated requests to a web server. Fortunately, free web server benchmarking software, called Apache Bench, is part of the Apache2 package.

That means that when you created the webserver custom image, you also preinstalled the software needed for a benchmarking server.

1.    In the GCP Console, on the Navigation menu, click Compute Engine > VM instances.

2.    Click Create instance.

3.    Specify the following, and leave the remaining settings as their defaults:

Property: Value (type value or select option as specified)
Name: stress-test
Region: us-central1
Zone: us-central1-a
Machine type: n1-standard-1 (1 vCPU)

4.    For Boot Disk, click Change.

5.    Click Custom images.

6.    Select mywebserver1.

7.    Click Select, and then click Create.

8.    On the VM instances page, for stress-test, click SSH to launch a terminal and connect.

9.    To create an environment variable for your load balancer IP address, run the following command, replacing [YOUR_LB_IP] with the External IP you noted for the Frontend:

export LB_IP=[YOUR_LB_IP]

10.   To place a load on the load balancer, run the following command:

ab -n 50000 -c 1000 http://$LB_IP/

11.   In the GCP Console, in the left pane, click Instance groups.

12.   Click mywebserver-group. Verify that new instances have been created.

Feel free to repeat the command a couple of times to create 5 instances (maximum number of instances defined in the Instance Group).

Task 6: Review

In this lab, you set up an HTTP(S) load balancer with autoscaling and verified that it was working. To do this, you first created a VM, then you customized it by installing software and changing a configuration setting (making Apache start on boot). You used the custom image in an instance template, and then used the instance template to make a managed instance group. After all the backend and frontend parts were connected together, you stress-tested the system and triggered autoscaling using Apache Bench.
