Configuring VMs for networking use cases

This page describes configuring a VM as a network proxy.

Configuring a VM as a network proxy

You can design your VPC network so that only one instance has external access, and all other instances in the VPC network use that instance as a proxy server to the outside world. This is useful if you want to control access into or out of your VPC network, or reduce the cost of paying for multiple external IP addresses.

This particular example discusses how to set up a network proxy on VM instances that use a Debian image. It uses a gateway instance as a Squid proxy server but this is only one way of setting up a proxy server.

To set up a Squid proxy server:

  1. Set up one instance with an external (static or ephemeral) IP address. For this example, name your instance gateway-instance:
    gcloud compute instances create gateway-instance 
    --project=project_id
    --zone=zone
    --network-interface=network-tier=PREMIUM,subnet=default
    --scopes=https://www.googleapis.com/auth/cloud-platform
  2. Set up one or more instances without external IP addresses by specifying gcloud compute instances create ... --no-address. For this example, call this instance hidden-instance:
    gcloud compute instances create hidden-instance 
    --project=project_id
    --zone=zone
    --network-interface=network-tier=PREMIUM,subnet=default,no-address
    --scopes=https://www.googleapis.com/auth/cloud-platform
  3. Learn how to connect from one instance to another because you will not be able to connect directly into your internal-only instances.
  4. Add a firewall to allow tcp traffic on port 3128:

    gcloud compute firewall-rules create [FIREWALL_RULE] --network [NETWORK] --allow tcp:3128
    
  5. Install Squid on gateway-instance, and configure it to allow access from any machines on the VPC network (valid subnet IP addresses). This assumes that gateway-instance and hidden-instance are both connected to the same VPC network, which enables them to connect to each other.

    user@gateway-instance:~$ sudo apt-get install squid3
    

    Enable any machine on the local network to use the Squid3 server. The following sed commands uncomment and enable the acl localnet src entries in the Squid config files for local networks and machines.

    user@gateway-instance:~$ sudo sed -i 's:#\(http_access allow localnet\):\1:' /etc/squid/squid.conf
    
    user@gateway-instance:~$ sudo sed -i 's:#\(http_access deny to_localhost\):\1:' /etc/squid/squid.conf
    
    user@gateway-instance:~$ sudo sed -i 's:#\(acl localnet src 10.0.0.0/8.*\):\1:' /etc/squid/squid.conf
    
    user@gateway-instance:~$ sudo sed -i 's:#\(acl localnet src 172.16.0.0/12.*\):\1:' /etc/squid/squid.conf
    
    user@gateway-instance:~$ sudo sed -i 's:#\(acl localnet src 192.168.0.0/16.*\):\1:' /etc/squid/squid.conf
    
    user@gateway-instance:~$ sudo sed -i 's:#\(acl localnet src fc00\:\:/7.*\):\1:' /etc/squid/squid.conf
    
    user@gateway-instance:~$ sudo sed -i 's:#\(acl localnet src fe80\:\:/10.*\):\1:' /etc/squid/squid.conf
    
    # Prevent proxy access to metadata server
    user@gateway-instance:~$ sudo tee -a /etc/squid/squid.conf <<'EOF'
    acl to_metadata dst 169.254.169.254
    http_access deny to_metadata
    EOF
    
    # Start Squid
    user@gateway:~$ sudo service squid start
    
  6. Configure hidden-instance to use gateway-instance as its proxy. Use ssh to connect into hidden-instance and define its proxy URL addresses to point to gateway-instance on port 3128 (the default Squid configuration) as shown here:

    user@gateway-instance:~$ ssh hidden-instance
    
    user@hidden-instance:~$ sudo -s
    
    root@hidden-instance:~# echo "export http_proxy=\"http://gateway-instance.$(dnsdomainname):3128\"" >> /etc/profile.d/proxy.sh
    
    root@hidden-instance:~# echo "export https_proxy=\"http://gateway-instance.$(dnsdomainname):3128\"" >> /etc/profile.d/proxy.sh
    
    root@hidden-instance:~# echo "export ftp_proxy=\"http://gateway-instance.$(dnsdomainname):3128\"" >> /etc/profile.d/proxy.sh
    
    root@hidden-instance:~# echo "export no_proxy=169.254.169.254,metadata,metadata.google.internal" >> /etc/profile.d/proxy.sh
    

    Update sudoers to pass these env variables through.

    root@hidden-instance:~# cp /etc/sudoers /tmp/sudoers.new
    
    root@hidden-instance:~# chmod 640 /tmp/sudoers.new
    
    root@hidden-instance:~# echo "Defaults env_keep += \"ftp_proxy http_proxy https_proxy no_proxy"\" >>/tmp/sudoers.new
    
    root@hidden-instance:~# chmod 440 /tmp/sudoers.new
    
    root@hidden-instance:~# visudo -c -f /tmp/sudoers.new && cp /tmp/sudoers.new /etc/sudoers
    
  7. Exit sudo, load the variables, and run apt-get on hidden-instance. It should now work using gateway as a proxy. If gateway were not serving as a proxy, apt-get would not work because hidden-instance has no direct connection to the Internet.

    root@hidden-instance:~# exit
    
    user@hidden-instance:~$ source ~/.profile
    
    user@hidden-instance:~$ sudo apt-get update
    

Configuring a VM as a VPN gateway

This content has been deprecated and removed. For a managed VPN solution, see the Cloud VPN documentation.

Configuring a VM as a NAT gateway

This content has been deprecated and removed. For a managed NAT solution, see the Cloud NAT documentation.

Building high availability and high bandwidth NAT gateways

This content has been deprecated and removed. For a managed NAT solution, see the Cloud NAT documentation.

What's next