Configure VMs for networking use cases
This page describes configuring a VM as a network proxy.
Configure a VM as a network proxy
You can design your VPC network so that only one instance has external access, and all other instances in the VPC network use that instance as a proxy server to the outside world. This is useful if you want to control access into or out of your VPC network, or reduce the cost of paying for multiple external IP addresses.
This particular example discusses how to set up a network proxy on VM instances that use a Debian image. It uses a gateway instance as a Squid proxy server but this is only one way of setting up a proxy server.
To set up a Squid proxy server:

- Set up one instance with an external (static or ephemeral) IP address. For this example, name your instance `gateway-instance`:

```
gcloud compute instances create gateway-instance \
    --project=project_id \
    --zone=zone \
    --network-interface=network-tier=PREMIUM,subnet=default \
    --scopes=https://www.googleapis.com/auth/cloud-platform
```

- Set up one or more instances without external IP addresses by specifying `gcloud compute instances create ... --no-address`. For this example, call this instance `hidden-instance`:

```
gcloud compute instances create hidden-instance \
    --project=project_id \
    --zone=zone \
    --network-interface=network-tier=PREMIUM,subnet=default,no-address \
    --scopes=https://www.googleapis.com/auth/cloud-platform
```

- Choose a connection option for internal-only VMs, because you will not be able to connect directly into your internal-only instances.

- Add a firewall rule to allow TCP traffic on port 3128:

```
gcloud compute firewall-rules create [FIREWALL_RULE] --network [NETWORK] --allow tcp:3128
```

- Install Squid on `gateway-instance`, and configure it to allow access from any machines on the VPC network (valid subnet IP addresses). This assumes that `gateway-instance` and `hidden-instance` are both connected to the same VPC network, which enables them to connect to each other.

```
user@gateway-instance:~$ sudo apt-get install squid
```

- Enable any machine on the local network to use the Squid server. The following `sed` commands uncomment and enable the `acl localnet src` entries in the Squid config file for local networks and machines.

```
user@gateway-instance:~$ sudo sed -i 's:#\(http_access allow localnet\):\1:' /etc/squid/squid.conf
user@gateway-instance:~$ sudo sed -i 's:#\(http_access deny to_localhost\):\1:' /etc/squid/squid.conf
user@gateway-instance:~$ sudo sed -i 's:#\(acl localnet src 10.0.0.0/8.*\):\1:' /etc/squid/squid.conf
user@gateway-instance:~$ sudo sed -i 's:#\(acl localnet src 172.16.0.0/12.*\):\1:' /etc/squid/squid.conf
user@gateway-instance:~$ sudo sed -i 's:#\(acl localnet src 192.168.0.0/16.*\):\1:' /etc/squid/squid.conf
user@gateway-instance:~$ sudo sed -i 's:#\(acl localnet src fc00\:\:/7.*\):\1:' /etc/squid/squid.conf
user@gateway-instance:~$ sudo sed -i 's:#\(acl localnet src fe80\:\:/10.*\):\1:' /etc/squid/squid.conf

# Prevent proxy access to metadata server
user@gateway-instance:~$ sudo tee -a /etc/squid/squid.conf <<'EOF'
acl to_metadata dst 169.254.169.254
http_access deny to_metadata
EOF

# Start Squid
user@gateway-instance:~$ sudo service squid start
```

- Configure `hidden-instance` to use `gateway-instance` as its proxy. Use ssh to connect into `hidden-instance` and define its proxy URL addresses to point to `gateway-instance` on port 3128 (the default Squid configuration) as shown here:

```
user@gateway-instance:~$ ssh hidden-instance
user@hidden-instance:~$ sudo -s
root@hidden-instance:~# echo "export http_proxy=\"http://gateway-instance.$(dnsdomainname):3128\"" >> /etc/profile.d/proxy.sh
root@hidden-instance:~# echo "export https_proxy=\"http://gateway-instance.$(dnsdomainname):3128\"" >> /etc/profile.d/proxy.sh
root@hidden-instance:~# echo "export ftp_proxy=\"http://gateway-instance.$(dnsdomainname):3128\"" >> /etc/profile.d/proxy.sh
root@hidden-instance:~# echo "export no_proxy=169.254.169.254,metadata,metadata.google.internal" >> /etc/profile.d/proxy.sh
```

- Update sudoers to pass these environment variables through. The edited copy is validated with `visudo -c` before it replaces `/etc/sudoers`:

```
root@hidden-instance:~# cp /etc/sudoers /tmp/sudoers.new
root@hidden-instance:~# chmod 640 /tmp/sudoers.new
root@hidden-instance:~# echo "Defaults env_keep += \"ftp_proxy http_proxy https_proxy no_proxy\"" >>/tmp/sudoers.new
root@hidden-instance:~# chmod 440 /tmp/sudoers.new
root@hidden-instance:~# visudo -c -f /tmp/sudoers.new && cp /tmp/sudoers.new /etc/sudoers
```

- Exit `sudo`, load the variables, and run `apt-get` on `hidden-instance`. It should now work using `gateway-instance` as a proxy. If `gateway-instance` were not serving as a proxy, `apt-get` would not work, because `hidden-instance` has no direct connection to the Internet.

```
root@hidden-instance:~# exit
user@hidden-instance:~$ source ~/.profile
user@hidden-instance:~$ sudo apt-get update
```
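Squid evaluates `http_access` lines in file order and stops at the first match, so a metadata-server deny that `tee -a` appends after `http_access allow localnet` is never reached for VPC clients; to take effect, the deny has to sit ahead of the allow. The following Python is an added example, not code from the page or from Squid: it walks two constructed `squid.conf` excerpts the way Squid does to show which ordering actually blocks a VPC client from reaching 169.254.169.254 through the proxy (the config text and client addresses are made up).

```python
import ipaddress
METADATA_IP = ipaddress.ip_address("169.254.169.254")

# Constructed excerpt in the shape the page's `tee -a` leaves behind: the
# metadata deny is appended after `http_access allow localnet`.
APPENDED_CONF = """\
acl localnet src 10.0.0.0/8
http_access allow localnet
http_access deny all
acl to_metadata dst 169.254.169.254
http_access deny to_metadata
"""
# The same rules with the deny placed ahead of the allow.
FIXED_CONF = """\
acl localnet src 10.0.0.0/8
acl to_metadata dst 169.254.169.254
http_access deny to_metadata
http_access allow localnet
http_access deny all
"""

def parse_squid_conf(text):
    """Collect acl definitions and http_access lines in file order."""
    acls, access = {}, []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()  # drop comments and blank lines
        if len(parts) >= 4 and parts[0] == "acl":
            acls.setdefault(parts[1], []).append((parts[2], parts[3]))
        elif len(parts) >= 3 and parts[0] == "http_access":
            access.append((parts[1], parts[2:]))
    return acls, access

def metadata_blocked_for(text, client_ip):
    """Squid-style first-match walk of http_access for client_ip -> metadata IP."""
    acls, access = parse_squid_conf(text)
    client = ipaddress.ip_address(client_ip)
    def acl_matches(name):
        if name == "all":
            return True
        for kind, value in acls.get(name, []):
            net = ipaddress.ip_network(value, strict=False)
            if (kind == "src" and client in net) or (kind == "dst" and METADATA_IP in net):
                return True
        return False
    for verb, terms in access:
        # every term on a line must match; a leading '!' negates that term
        if all(acl_matches(t.lstrip("!")) != t.startswith("!") for t in terms):
            return verb == "deny"
    return access[-1][0] == "allow" if access else False  # no match: opposite of last line
```

Running `metadata_blocked_for` against a VPC client such as 10.128.0.5 returns False for the appended layout and True for the fixed one; the same walk can be pointed at the real `/etc/squid/squid.conf` on `gateway-instance` before starting Squid.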
Configure a VM as a VPN gateway
This content has been deprecated and removed. For a managed VPN solution, see the Cloud VPN documentation.
Configure a VM as a NAT gateway
This content has been deprecated and removed. For a managed NAT solution, see the Cloud NAT documentation.
Build high availability and high bandwidth NAT gateways
This content has been deprecated and removed. For a managed NAT solution, see the Cloud NAT documentation.
What's next
- To learn more about VPC networks, see VPC networks.
- To create, modify, or delete VPC networks, see Create and manage VPC networks.