Configure VMs for networking use cases
This page describes configuring a VM as a network proxy.
Configure a VM as a network proxy
You can design your VPC network so that only one instance has external access, and all other instances in the VPC network use that instance as a proxy server to the outside world. This is useful if you want to control access into or out of your VPC network, or reduce the cost of paying for multiple external IP addresses.
This particular example discusses how to set up a network proxy on VM instances that use a Debian image. It uses a gateway instance as a Squid proxy server but this is only one way of setting up a proxy server.
To set up a Squid proxy server:
- Set up one instance with an
external (static or ephemeral) IP address.
For this example, name your instance
gateway-instance:gcloud compute instances create gateway-instance
--project=project_id
--zone=zone
--network-interface=network-tier=PREMIUM,subnet=default
--scopes=https://www.googleapis.com/auth/cloud-platform - Set up one or more instances without external IP addresses by specifying
gcloud compute instances create ... --no-address. For this example, call this instancehidden-instance:gcloud compute instances create hidden-instance
--project=project_id
--zone=zone
--network-interface=network-tier=PREMIUM,subnet=default,no-address
--scopes=https://www.googleapis.com/auth/cloud-platform - Learn how to connect from one instance to another because you will not be able to connect directly into your internal-only instances.
Add a firewall to allow tcp traffic on port 3128:
gcloud compute firewall-rules create [FIREWALL_RULE] --network [NETWORK] --allow tcp:3128
Install Squid on
gateway-instance, and configure it to allow access from any machines on the VPC network (valid subnet IP addresses). This assumes thatgateway-instanceandhidden-instanceare both connected to the same VPC network, which enables them to connect to each other.user@gateway-instance:~$ sudo apt-get install squidEnable any machine on the local network to use the Squid server. The following
sedcommands uncomment and enable theacl localnet srcentries in the Squid config files for local networks and machines.user@gateway-instance:~$ sudo sed -i 's:#\(http_access allow localnet\):\1:' /etc/squid/squid.confuser@gateway-instance:~$ sudo sed -i 's:#\(http_access deny to_localhost\):\1:' /etc/squid/squid.confuser@gateway-instance:~$ sudo sed -i 's:#\(acl localnet src 10.0.0.0/8.*\):\1:' /etc/squid/squid.confuser@gateway-instance:~$ sudo sed -i 's:#\(acl localnet src 172.16.0.0/12.*\):\1:' /etc/squid/squid.confuser@gateway-instance:~$ sudo sed -i 's:#\(acl localnet src 192.168.0.0/16.*\):\1:' /etc/squid/squid.confuser@gateway-instance:~$ sudo sed -i 's:#\(acl localnet src fc00\:\:/7.*\):\1:' /etc/squid/squid.confuser@gateway-instance:~$ sudo sed -i 's:#\(acl localnet src fe80\:\:/10.*\):\1:' /etc/squid/squid.conf# Prevent proxy access to metadata server user@gateway-instance:~$ sudo tee -a /etc/squid/squid.conf <<'EOF' acl to_metadata dst 169.254.169.254 http_access deny to_metadata EOF# Start Squid user@gateway:~$ sudo service squid startConfigure
hidden-instanceto usegateway-instanceas its proxy. Use ssh to connect intohidden-instanceand define its proxy URL addresses to point togateway-instanceon port 3128 (the default Squid configuration) as shown here:user@gateway-instance:~$ ssh hidden-instanceuser@hidden-instance:~$ sudo -sroot@hidden-instance:~# echo "export http_proxy=\"http://gateway-instance.$(dnsdomainname):3128\"" >> /etc/profile.d/proxy.shroot@hidden-instance:~# echo "export https_proxy=\"http://gateway-instance.$(dnsdomainname):3128\"" >> /etc/profile.d/proxy.shroot@hidden-instance:~# echo "export ftp_proxy=\"http://gateway-instance.$(dnsdomainname):3128\"" >> /etc/profile.d/proxy.shroot@hidden-instance:~# echo "export no_proxy=169.254.169.254,metadata,metadata.google.internal" >> /etc/profile.d/proxy.shUpdate sudoers to pass these env variables through.
root@hidden-instance:~# cp /etc/sudoers /tmp/sudoers.newroot@hidden-instance:~# chmod 640 /tmp/sudoers.newroot@hidden-instance:~# echo "Defaults env_keep += \"ftp_proxy http_proxy https_proxy no_proxy"\" >>/tmp/sudoers.newroot@hidden-instance:~# chmod 440 /tmp/sudoers.newroot@hidden-instance:~# visudo -c -f /tmp/sudoers.new && cp /tmp/sudoers.new /etc/sudoersExit
sudo, load the variables, and runapt-getonhidden-instance. It should now work using gateway as a proxy. If gateway were not serving as a proxy,apt-getwould not work becausehidden-instancehas no direct connection to the Internet.root@hidden-instance:~# exituser@hidden-instance:~$ source ~/.profileuser@hidden-instance:~$ sudo apt-get update
Configure a VM as a VPN gateway
This content has been deprecated and removed. For a managed VPN solution, see the Cloud VPN documentation.
Configure a VM as a NAT gateway
This content has been deprecated and removed. For a managed NAT solution, see the Cloud NAT documentation.
Build high availability and high bandwidth NAT gateways
This content has been deprecated and removed. For a managed NAT solution, see the Cloud NAT documentation.
What's next
- To learn more about VPC networks, see VPC networks.
- To create, modify, or delete VPC networks, see Create and manage VPC networks.