Setting up the Bare Metal Solution environment

When your Bare Metal Solution environment is ready, you are notified by Google Cloud. The notification includes the internal IP addresses of your new machines.

These instructions show you how to do the following tasks that are required to connect to your Bare Metal Solution environment:

  • Create redundant VLAN attachments to the Bare Metal Solution environment.
  • Create a bastion host in your VPC network.
  • SSH or RDP into your new machines from the bastion host.

After you are connected to your machines, validate the configuration of your Bare Metal Solution order.

Before you begin

To connect to and configure your Bare Metal Solution environment, you need:

  • A Google Cloud project with billing enabled. You can create a project on the project selector page in the Google Cloud Console.
  • A Virtual Private Cloud (VPC) network. This is the VPC network that you named when you placed your order for Bare Metal Solution. If you need to create the VPC network, see Using VPC networks.
  • The following information that is provided to you by Google Cloud when your Bare Metal Solution is ready:
    • The IP addresses of your bare-metal machines.
    • The temporary passwords for each of your bare-metal machines.

Create the VLAN Attachments for the Cloud Interconnect connection

After you have been notified that your Bare Metal Solution machines are ready, to complete the connection to them, you need to create redundant VLAN attachments in the same region as your Bare Metal Solution machines.

The VLAN attachments (also known as InterconnectAttachments) connect your Virtual Private Cloud network with your Bare Metal Solution environment by allocating VLANs on the Cloud Interconnect connection.

Currently, an individual Bare Metal Solution interconnect VLAN attachment supports a maximum of 10 Gbps. To achieve higher throughput into a VPC network, configure multiple attachments into the VPC network. Use the same MED values for each BGP session so that traffic can use ECMP across all of the configured interconnect attachments.

Console

  1. If you don't already have Cloud Router instances in the network and region that you are using with Bare Metal Solution, you need to create one for each VLAN attachment. When you create the routers, specify 16550 as the ASN for each Cloud Router.

    For instructions, see Creating Cloud Routers.

  2. Go to the Cloud Interconnect VLAN attachments tab in the Google Cloud Console.

  3. Click Add VLAN attachment.

  4. Select Partner Interconnect to create Partner VLAN attachments, and then click Continue.

  5. Click I already have a service provider.

  6. Select Create a redundant pair of VLANs. Both attachments can serve traffic, and you can route the traffic to load-balance between them. If one attachment goes down, for example during scheduled maintenance, the other attachment continues to serve traffic. For more information, see the Redundancy section in the Partner Interconnect Overview page.

  7. For the Network and Region fields, select the VPC network and Google Cloud region where your attachments will connect to.

  8. Specify the details of your VLAN attachments.

    • Cloud Router — A Cloud Router to associate with this attachment. You can only choose a Cloud Router in the VPC network and region that you selected with an ASN of 16550.
    • VLAN attachment name — A name for the attachment. This name is displayed in the console and used by the gcloud command-line tool to reference the attachment, such as my-attachment.
  9. Click Create to create the attachments, which takes a few moments to complete.

  10. After creation is complete, copy the pairing keys. Each key includes an alphanumeric code, the name of the region, and the number of the network availability zone, for example /1 or /2. You'll share these keys with Google Cloud.

  11. Click OK to view a list of your VLAN attachments.

  12. After Google Cloud notifies you that your Bare Metal Solution machines are ready, if you didn't pre-activate your VLAN attachments when you created them, activate them now.

    1. Go to the VLAN attachments tab in the Google Cloud Console.
    2. Select the VLAN attachment to view its details page.
    3. Click Activate.

gcloud

  1. If you don't already have Cloud Router instances in the network and region that you are using with Bare Metal Solution, create one for each VLAN attachment. Use 16550 as the ASN:

    gcloud compute routers create router-name \
      --network vpc-network-name \
      --asn 16550 \
      --region region

    For more information, see Creating Cloud Routers.

  2. Create an InterconnectAttachment of type PARTNER, specifying the name of your Cloud Router and the edge availability domain (EAD) of the VLAN attachment.

    gcloud compute interconnects attachments partner create first-attachment-name \
      --region region \
      --router first-router-name \
      --edge-availability-domain availability-domain-1
    gcloud compute interconnects attachments partner create second-attachment-name \
      --region region \
      --router second-router-name \
      --edge-availability-domain availability-domain-2

    Google Cloud automatically adds an interface and a BGP peer on the Cloud Router. The attachment generates a pairing key that you'll need to share with Google Cloud later.

    The following example creates redundant attachments, one in EAD availability-domain-1 and another in EAD availability-domain-2. Each is associated with a separate Cloud Router, my-router-1 and my-router-2, respectively. They are both in the us-central1 region, so the two attachments need distinct names.

    gcloud compute interconnects attachments partner create my-attachment \
      --region us-central1 \
      --router my-router-1 \
      --edge-availability-domain availability-domain-1
    gcloud compute interconnects attachments partner create my-attachment-2 \
      --region us-central1 \
      --router my-router-2 \
      --edge-availability-domain availability-domain-2
  3. Describe the attachment to retrieve its pairing key. You'll share the key with Google Cloud after you open a change request to create the connection to the Bare Metal Solution environment.

    gcloud compute interconnects attachments describe my-attachment \
      --region us-central1
    adminEnabled: false
    edgeAvailabilityDomain: AVAILABILITY_DOMAIN_1
    creationTimestamp: '2017-12-01T08:29:09.886-08:00'
    id: '7976913826166357434'
    kind: compute#interconnectAttachment
    labelFingerprint: 42WmSpB8rSM=
    name: my-attachment
    pairingKey: 7e51371e-72a3-40b5-b844-2e3efefaee59/us-central1/1
    region: https://www.googleapis.com/compute/v1/projects/customer-project/regions/us-central1
    router: https://www.googleapis.com/compute/v1/projects/customer-project/regions/us-central1/routers/my-router
    selfLink: https://www.googleapis.com/compute/v1/projects/customer-project/regions/us-central1/interconnectAttachments/my-attachment
    state: PENDING_PARTNER
    type: PARTNER
    • The pairingKey field contains the pairing key that you need to copy and share with Google Cloud. Treat the pairing key as sensitive information until your VLAN attachment is configured.
    • The state of the VLAN attachment is PENDING_PARTNER until Google Cloud completes your VLAN attachment configuration. Afterwards, the state of the attachment is INACTIVE or ACTIVE, depending on whether you chose to pre-activate your attachments.

    When you request connections from Google Cloud, you must select the same metro (city) for both attachments for them to be redundant. For more information, see the Redundancy section in the Partner Interconnect Overview page.

  4. Activate each VLAN attachment:

    gcloud compute interconnects attachments partner update attachment-name \
    --region region \
    --admin-enabled

You can check the status of the Cloud Routers and your advertised routes in the Cloud Console. For more information, see Viewing Router Status and Advertised Routes.
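
As an added check (example code, not part of the Google Cloud documentation or tooling), the following Python script parses the describe output of two attachments and verifies the redundancy properties this section relies on (same region, different edge availability domains, different Cloud Routers, pairing key zone matching the EAD), then reports what remains to be done from each attachment's state. The describe outputs embedded in it are constructed sample data; the second attachment's name, pairing key and router are assumptions.

```python
"""Pre-flight check for a redundant pair of Partner VLAN attachments.

Added example, not Google Cloud tooling. It parses the flat `key: value` output
of `gcloud compute interconnects attachments describe` for two attachments and
verifies what this page requires of a redundant pair: same region, different
edge availability domains, different Cloud Routers, and a well-formed pairing
key whose trailing /1 or /2 matches the attachment's EAD. It also reports the
next step implied by each state. The describe outputs below are constructed.
"""
import re

# <uuid>/<region>/<zone number>, e.g. 7e51371e-72a3-40b5-b844-2e3efefaee59/us-central1/1
PAIRING_KEY_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}/[a-z0-9-]+/[12]$")


def parse_describe(text):
    """Turn the flat key: value lines printed by describe into a dict (quotes stripped)."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        fields[key.strip()] = value.strip().strip("'")
    return fields


def next_action(att):
    """What still has to happen for this attachment, based on its state."""
    state = att.get("state")
    if state == "PENDING_PARTNER":
        return "share the pairing key with Google Cloud"
    if state == "INACTIVE":
        return "activate with --admin-enabled"
    if state == "ACTIVE":
        return "none"
    return f"investigate unexpected state {state!r}"


def check_redundant_pair(a, b):
    """Return the problems found; an empty list means the pair is redundant."""
    problems = []
    if a["region"].rsplit("/", 1)[-1] != b["region"].rsplit("/", 1)[-1]:
        problems.append("attachments are in different regions")
    if a["edgeAvailabilityDomain"] == b["edgeAvailabilityDomain"]:
        problems.append("both attachments use the same edge availability domain")
    if a["router"] == b["router"]:
        problems.append("both attachments share one Cloud Router")
    for att in (a, b):
        key = att.get("pairingKey", "")
        if not PAIRING_KEY_RE.match(key):
            problems.append(f"{att['name']}: malformed pairing key")
        elif key[-1] != att["edgeAvailabilityDomain"][-1]:
            problems.append(f"{att['name']}: pairing key zone does not match its EAD")
    return problems


# Constructed describe output for the two attachments created in the gcloud steps above.
ATTACHMENT_1 = parse_describe("""\
edgeAvailabilityDomain: AVAILABILITY_DOMAIN_1
name: my-attachment
pairingKey: 7e51371e-72a3-40b5-b844-2e3efefaee59/us-central1/1
region: https://www.googleapis.com/compute/v1/projects/customer-project/regions/us-central1
router: https://www.googleapis.com/compute/v1/projects/customer-project/regions/us-central1/routers/my-router-1
state: PENDING_PARTNER
""")
ATTACHMENT_2 = parse_describe("""\
edgeAvailabilityDomain: AVAILABILITY_DOMAIN_2
name: my-attachment-2
pairingKey: 0f3c2a9d-5b61-4c7e-9a2f-1d8e6b4c3a20/us-central1/2
region: https://www.googleapis.com/compute/v1/projects/customer-project/regions/us-central1
router: https://www.googleapis.com/compute/v1/projects/customer-project/regions/us-central1/routers/my-router-2
state: PENDING_PARTNER
""")

if __name__ == "__main__":
    for att in (ATTACHMENT_1, ATTACHMENT_2):
        print(f"{att['name']}: {att['state']}, next: {next_action(att)}")
    print("redundancy problems:", check_redundant_pair(ATTACHMENT_1, ATTACHMENT_2) or "none")
```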

Set up routing between Bare Metal Solution and Google Cloud

As soon as your VLAN attachments are active, your BGP sessions come up and the routes from the Bare Metal Solution environment are received over the BGP sessions.

Add a custom advertisement for a default IP range to your BGP sessions

To set up routing for traffic from the Bare Metal Solution environment, the recommendation is to add a custom advertisement of a default route, such as 0.0.0.0/0, on your BGP sessions to the Bare Metal Solution environment.

To specify advertisements on an existing BGP session:

Console

  1. Go to the Cloud Router page in the Google Cloud Console.
  2. Select the Cloud Router that contains the BGP session to update.
  3. In the Cloud Router's detail page, select the BGP session to update.
  4. In the BGP session details page, select Edit.
  5. For the Routes, select Create custom routes.
  6. Select Add custom route to add an advertised route.
  7. Configure the route advertisement.
    • Source — Select Custom IP range to specify a custom IP range.
    • IP address range — Specify the custom IP range by using CIDR notation.
    • Description — Add a description to help you identify the purpose of this route advertisement.
  8. After you're done adding routes, select Save.

gcloud

You can add to existing custom advertisements, or you can set a new custom advertisement, which replaces any existing custom advertisements with the new one.

To set a new custom advertisement for a default IP range, use the --set-advertisement-ranges flag:

gcloud compute routers update-bgp-peer router-name \
   --peer-name bgp-session-name \
   --advertisement-mode custom \
   --set-advertisement-ranges 0.0.0.0/0

To append the default IP range to existing ones, use the --add-advertisement-ranges flag. This flag requires the Cloud Router's advertisement mode to already be set to custom. The following example adds the 0.0.0.0/0 custom IP range to the Cloud Router's advertisements:

gcloud compute routers update-bgp-peer router-name \
   --peer-name bgp-session-name \
   --add-advertisement-ranges 0.0.0.0/0

Optionally, set the VPC Network Dynamic Routing Mode to global

If you have Bare Metal Solution machines in two different regions, consider enabling global routing mode on the VPC network to have your Bare Metal Solution regions talk to each other directly over the VPC network.

The global routing mode is also needed to enable communications between an on-premises environment that is connected to one Google Cloud region and a Bare Metal Solution environment in another Google Cloud region.

To set the global routing mode, see Setting the VPC Network Dynamic Routing Mode.

VPC firewall setup

New VPC networks come with active default firewall rules that restrict most traffic in the VPC network.

To connect to your Bare Metal Solution environment, network traffic must be enabled between:

  • Your Bare Metal Solution environment and network destinations on Google Cloud.
  • Your local environment and your resources on Google Cloud, such as any jump server you might use to connect to your Bare Metal Solution environment.

Within your Bare Metal Solution environment, if you need to control network traffic between the bare-metal machines or between the machines and destinations not on Google Cloud, you need to implement a control mechanism yourself.

To create a firewall rule in your VPC network on Google Cloud:

Console

  1. Go to the Firewall rules page in the Google Cloud Console.

  2. Click CREATE FIREWALL RULE.

  3. Define the firewall rule.

    1. Name the firewall rule.
    2. In the Network field, select the network where your VM is located.
    3. In the Targets field, specify either Specified target tags or Specified service account.
    4. Specify the target network tag or service account in the appropriate fields.
    5. In the Source filter field, specify IP ranges to allow incoming traffic from your Bare Metal Solution environment.
    6. In the Source IP ranges field, specify the IP addresses of the machines or devices in your Bare Metal Solution environment.
    7. In the Protocols and ports section, specify the protocols and ports that are required in your environment.
    8. Click Create.

gcloud

The following command creates a firewall rule that defines the source by using an IP range and the target by using the network tag of an instance. Modify the command for your environment as necessary.

gcloud compute firewall-rules create rule-name \
    --project=your-project-id \
    --direction=INGRESS \
    --priority=1000 \
    --network=your-network-name \
    --action=ALLOW \
    --rules=protocol:port \
    --source-ranges=ip-range \
    --target-tags=instance-network-tag

For more information about creating firewall rules, see Creating firewall rules.

Connecting to your bare-metal machine

The machines in your Bare Metal Solution environment are not provisioned with external IP addresses.

After you have created a firewall rule to allow traffic into your VPC network from the Bare Metal Solution environment, you can connect to your machine by using a jump server or bastion host.

Create a jump server on Google Cloud

To quickly connect to your bare-metal machines, create a Compute Engine virtual machine (VM) to use as a jump server. Create the VM in the same VPC network and Google Cloud region as your Bare Metal Solution environment.

If you need a more secure connection method, see Connecting through a bastion host.

To create a jump server, choose the instructions below based on the operating system you are using in your Bare Metal Solution environment.

For more information about creating Compute Engine VM instances, see Creating and starting a VM instance.

Linux

Create a virtual machine instance

  1. In the Cloud Console, go to the VM Instances page.

  2. Click CREATE INSTANCE.

  3. In the Name field, specify a name for the VM instance.

  4. Under Region, select the region of your Bare Metal Solution environment.

  5. In the Boot disk section, click Change.

    1. In the Operating systems field, select the same Linux OS that you are using on your Bare Metal Solution machines.
    2. In the Version field, select the OS version.
  6. Click Management, security, disks, networking, sole tenancy to expand the section.

  7. Click Networking to display the networking options.

    • Optionally, under Network tags, define one or more network tags for the instance.
    • Under Network interfaces, confirm that the proper VPC network is displayed.
  8. Click Create.

Allow a short time for the instance to start. After the instance is ready, it is listed on the VM instances page with a green status icon.

Connect to your jump server

  1. If you need to create a firewall rule to allow access to your jump server, see Firewall setup.

  2. In the Cloud Console, go to the VM instances page.

  3. In the list of VM instances, click SSH in the row of your jump server VM.

    (Screenshot: the SSH button is highlighted in the jump server row on the VM instances page.)

You now have a terminal window with your jump server, from which you can connect to your bare-metal machine by using SSH.

Windows

Create a virtual machine instance

  1. In the Cloud Console, go to the VM Instances page.

  2. Click CREATE INSTANCE.

  3. In the Name field, specify a name for the VM instance.

  4. Under Region, select the region of your Bare Metal Solution environment.

  5. In the Boot disk section, click Change.

    1. In the Operating systems field, select Windows Server.
    2. In the Version field, select a Windows Server version.
  6. Click Management, security, disks, networking, sole tenancy to expand the section.

  7. Click Networking to display the networking options.

    • Optionally, under Network tags, define one or more network tags for the instance.
    • Under Network interfaces, confirm that the proper VPC network is selected.
  8. Click Create.

Allow a short time for the instance to start. After the instance is ready, it is listed on the VM instances page with a green status icon.

Connect to your jump server

  1. Go to the VM Instances page in the Google Cloud Console.

  2. Under the Name column, click the name of your virtual machine instance.

  3. Under the Remote Access section, click the Set Windows Password button.

    (Screenshot: the VM instance details page shows the RDP and Set Windows Password buttons.)

  4. Specify a username, then click Set to generate a new password for this Windows instance. Save the username and password so that you can log in to the instance.

  5. Connect to your instance using your choice of graphical or command line tools.

Logging in to a Bare Metal Solution machine for the first time

Linux

  1. Connect to your jump-server VM.

  2. On the jump server, open a command-line terminal and confirm that you can reach the machine:

    ping bare-metal-ip

    If your ping is unsuccessful, check the following things:

    • That your VPC includes a firewall rule that allows access from the IP range that you are using in the Bare Metal Solution environment for communication with the Google Cloud environment.
    • That your VLAN attachments are active.
    • That your VLAN attachments include a custom route advertisement of 0.0.0.0/0.
  3. Prepare to create and store a new password for your bare-metal machine. On first login, you are required to change the password.

  4. From the jump server, SSH into the bare-metal machine by using the customeradmin user ID and the password provided to you by Google Cloud:

    ssh customeradmin@bare-metal-ip
  5. When prompted, enter the password that you were provided by Google Cloud.

  6. Set a new password. You might need to switch to the root user by using sudo.

    When you are done, exit root and store your passwords in a safe place.

  7. Confirm that your machine configuration matches your order. The things to check include:

    • The machine configuration, including the number and type of CPUs, the sockets, and the memory.
    • The operating system or hypervisor software, including vendor and version.
    • The storage, including type and amount.

Windows

  1. Connect to your jump-server VM.

  2. On the jump server, open a command-line shell and confirm that you can reach the machine:

    ping bare-metal-ip
  3. Prepare to create and store a new password for your bare-metal machine. On first login, you are required to change the password.

  4. From the jump server, remote into the bare-metal machine.

  5. When prompted, enter the password that you were provided by Google Cloud.

  6. Set a new password and store the new password securely.

  7. Confirm that your machine configuration matches your order. The things to check include:

    • The machine configuration, including the number and type of CPUs, the sockets, and the memory.
    • The operating system or hypervisor software, including vendor and version.
    • The storage, including the type and amount.

Accessing network services, Google Cloud services, or the public internet

Bare Metal Solution does not come with access to Google Cloud services, networking services, or the internet. You have many options for implementing access; which one you choose depends on factors such as your business requirements and existing infrastructure. The following sections present some of the options.

Accessing the internet

Some of the options for accessing the internet include:

  • Routing outgoing traffic through a NAT gateway.
  • Routing traffic through a Compute Engine VM that serves as a proxy server.
  • Routing traffic through Cloud VPN or Dedicated Interconnect to on-premises gateways to the internet.

Setting up a NAT gateway on a Compute Engine VM

The following instructions set up a NAT gateway on a Compute Engine VM to connect the machines in a Bare Metal Solution environment to the internet for purposes such as receiving software updates.

The instructions use the default internet gateway of your VPC network to access the internet.

The Linux commands that are shown in the following instructions are for the Debian operating system. If you use a different operating system, the commands you need to use might also be different.

In the VPC network that you are using with your Bare Metal Solution environment, perform the following steps:

  1. Open the Cloud Shell.

  2. Create and configure a Compute Engine VM to serve as a NAT gateway.

    1. Create a VM:

      gcloud compute instances create instance-name \
        --machine-type=machine-type-name \
        --network=vpc-network-name \
        --subnet=subnet-name \
        --can-ip-forward \
        --zone=your-zone \
        --image-family=os-image-family-name \
        --image-project=os-image-project \
        --tags=natgw-network-tag \
        --service-account=optional-service-account-email

      In later steps, you use the network tag that you define in this step to route traffic to this VM.

      If you don't specify a service account, remove the --service-account= flag. Compute Engine uses the default service account of the project.

    2. SSH into the VM and configure the iptables:

      $ sudo sysctl -w net.ipv4.ip_forward=1
      $ sudo iptables -t nat -A POSTROUTING \
          -o "$(ip -o -4 route show to default | awk '{print $5}')" -j MASQUERADE

      The first sudo command tells the kernel to allow IP forwarding. The second sudo command masquerades packets received from internal instances so that they appear to be sent from the NAT gateway instance; the -o argument selects the interface that carries the VM's default route, which is its interface toward the internet gateway.

    3. Check the iptables:

      $ sudo iptables -v -L -t nat
    4. To retain your NAT gateway settings across a reboot, execute the following commands on the NAT gateway VM:

      $ sudo -i
      $ echo "net.ipv4.ip_forward=1" > /etc/sysctl.d/20-natgw.conf
      $ apt-get install iptables-persistent
      $ exit

      When the iptables-persistent installer asks whether to save the current IPv4 rules, answer Yes; that saved rule set is what restores the MASQUERADE rule after a reboot.

  3. In Cloud Shell, create a route to 0.0.0.0/0 with the default internet gateway as the next hop. Specify the network tag that you defined in the previous step in the --tags argument. Assign the route a higher priority (a lower priority number) than any other default route.

    gcloud compute routes create route-name \
        --destination-range=0.0.0.0/0 \
        --network=network-name \
        --priority=800 \
        --tags=natgw-network-tag \
        --next-hop-gateway=default-internet-gateway
    
  4. Add the network tag that you just created to any existing VMs in your VPC network that need internet access, so that they can continue to access the internet after you create a new default route that your Bare Metal Solution machines can also use.

  5. Optional: Remove routes to the internet that existed before the route you created in the previous step, including those created by default.

  6. Confirm that any existing VMs in your network and the NAT gateway VM can access the internet by pinging a public IP address, such as 8.8.8.8 (Google Public DNS), from each VM.

  7. Create a default route to 0.0.0.0/0 with the NAT gateway VM as the next hop. Give the route a lower priority (a higher priority number) than the one you specified for the first route that you created.

    gcloud compute routes create route-name \
        --destination-range=0.0.0.0/0 \
        --network=network-name \
        --priority=900 \
        --next-hop-instance=natgw-vm-name \
        --next-hop-instance-zone=natgw-vm-zone
    
  8. Log in to your Bare Metal Solution machines and ping a public IP address to confirm that they can access the internet.

    If the ping is not successful, make sure that you have created a firewall rule that allows access from your Bare Metal Solution environment to your VPC network.
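
To make the route selection behind steps 3 to 7 concrete, here is an added Python model (example code, not Google Cloud code) of the default routes this procedure leaves in the VPC. It applies the rules the procedure relies on (most specific destination first, then lowest priority number, with tagged routes applying only to instances that carry the tag) and shows the failure mode when the NAT gateway VM is missing its tag. Route names, the subnet range and the sender names are constructed.

```python
"""Model of which default route the VPC applies after the NAT gateway procedure.

Added example, not Google Cloud code. It applies the selection rules the
procedure relies on: the most specific destination wins, then the lowest
priority number wins, and a tagged route applies only to instances carrying
one of its tags. Bare Metal Solution traffic arrives over the VLAN attachment
with no instance tags, so only untagged routes apply to it. Route names, the
subnet range and the sender names are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Route:
    name: str
    dest: str          # destination CIDR
    priority: int      # lower number = higher priority, as in VPC routes
    next_hop: str
    tags: frozenset = frozenset()   # empty = applies to every sender in the network


@dataclass(frozen=True)
class Sender:
    name: str
    tags: frozenset = frozenset()   # network tags of the sending instance, if any


# Routes present after step 7 when the automatic default route was not removed (step 5).
ROUTES = [
    Route("subnet-10-128", "10.128.0.0/20", 0, "subnet"),
    Route("default-route-auto", "0.0.0.0/0", 1000, "default-internet-gateway"),
    Route("natgw-to-internet", "0.0.0.0/0", 800, "default-internet-gateway", frozenset({"natgw"})),
    Route("default-via-natgw", "0.0.0.0/0", 900, "instance:natgw-vm"),
]


def select_route(sender, dst_ip, routes=ROUTES):
    """Return the Route the VPC would use for sender -> dst_ip, or None if none matches."""
    ip = ip_address(dst_ip)
    candidates = [
        r for r in routes
        if ip in ip_network(r.dest) and (not r.tags or r.tags & sender.tags)
    ]
    if not candidates:
        return None
    # longest prefix first, then the lowest priority number
    return min(candidates, key=lambda r: (-ip_network(r.dest).prefixlen, r.priority))


def next_hop(sender, dst_ip, routes=ROUTES):
    route = select_route(sender, dst_ip, routes)
    return route.next_hop if route else None


def routes_back_to_self(sender, dst_ip, routes=ROUTES):
    """True when a sender's own egress is handed back to itself (a routing loop)."""
    return next_hop(sender, dst_ip, routes) == f"instance:{sender.name}"


NATGW_VM = Sender("natgw-vm", frozenset({"natgw"}))   # tagged as in step 2
UNTAGGED_NATGW = Sender("natgw-vm")                    # the same VM with the tag forgotten
BMS_MACHINE = Sender("bms-machine")                    # traffic arriving from the VLAN attachment
LEGACY_VM = Sender("legacy-vm")                        # existing VM not yet tagged (step 4)

if __name__ == "__main__":
    for who in (NATGW_VM, BMS_MACHINE, LEGACY_VM, UNTAGGED_NATGW):
        loop = " (LOOP)" if routes_back_to_self(who, "8.8.8.8") else ""
        print(f"{who.name:>12} -> 8.8.8.8 via {next_hop(who, '8.8.8.8')}{loop}")
```

The untagged NAT VM case is why step 2 insists on the network tag: without it, the VM's own internet-bound packets would match the priority 900 route and be sent back to itself.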

Setting up access to Google Cloud APIs and services

You can access Google Cloud APIs and services privately from your Bare Metal Solution environment.

You set up private access to the Google Cloud APIs and services from a Bare Metal Solution environment as you would for an on-premises environment. Follow the instructions for on-premises environments in Configuring Private Google Access for on-premises hosts.

The instructions guide you through the following high-level steps:

  1. Configuring routes for the Google API traffic.
  2. Configuring firewall rules in any Bare Metal Solution firewall to allow the outgoing traffic to the Restricted Google APIs IP range.
  3. Configuring your Bare Metal Solution DNS to resolve *.googleapis.com as a CNAME to restricted.googleapis.com.

What's next

After you have set up your Bare Metal Solution environment, you can install your workloads.

If you plan to run Oracle databases on the machines in your Bare Metal Solution environment, you can use the open source Toolkit for Bare Metal Solution to install your Oracle software.