cloud-foundation-fabric/blueprints/networking/filtering-proxy-psc/README.md

# Network filtering with Squid with isolated VPCs using Private Service Connect

This blueprint shows how to deploy a filtering HTTP proxy to restrict Internet access. Here we show one way to do this using isolated VPCs and Private Service Connect:

- The `app` subnet hosts the consumer VMs that will have their Internet access tightly controlled by a non-caching filtering forward proxy.
- The `proxy` subnet hosts a Cloud NAT instance and a Squid server.
- The `psc` subnet is reserved for the Private Service Connect.

The reason for using Private Service Connect in this setup is to have a common proxy setup between all environments without having to share a VPC between projects. This allows us to enforce the `compute.vmExternalIpAccess` organization policy, which prevents the service projects from having external IPs, thus forcing all outbound Internet connections through the proxy.

To give the proxy subnet Internet connectivity, a Cloud NAT instance is configured for that subnet only; no other subnet is allowed to use it.

To simplify the usage of the proxy, a Cloud DNS private zone is created in each consumer VPC and the IP address of the proxy is exposed with the FQDN `proxy.internal`. In addition, system-wide `http_proxy` and `https_proxy` environment variables and an APT configuration are rolled out via a startup script.

## Variables

| name | description | type | required | default |
|---|---|---|:---:|:---:|
| prefix | Prefix used for resource names. | string | ✓ | |
| project_id | Project id used for all resources. | string | ✓ | |
| allowed_domains | List of domains allowed by the squid proxy. | list(string) | | […] |
| cidrs | CIDR ranges for subnets. | map(string) | | {…} |
| nat_logging | Enables Cloud NAT logging if not null, value is one of 'ERRORS_ONLY', 'TRANSLATIONS_ONLY', 'ALL'. | string | | "ERRORS_ONLY" |
| project_create | Set to non null if project needs to be created. | object({…}) | | null |
| region | Default region for resources. | string | | "europe-west1" |
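As an added example (not blueprint code), the Python below models how a request host is evaluated against a Squid-style domain allowlist such as the one passed in through `allowed_domains`; it assumes the blueprint feeds that list to a Squid `dstdomain` ACL, and `SAMPLE_ALLOWLIST` and the request hosts are constructed values.

```python
"""Evaluate request hosts against a Squid-style dstdomain allowlist.
Added example, not blueprint code. Assumption: `allowed_domains` is fed
to a Squid `dstdomain` ACL, where a leading dot matches the domain and all
subdomains, a bare name matches that exact host, and everything else is denied."""

def normalize_host(host: str) -> str:
    """Lower-case, drop a trailing dot and any :port suffix."""
    host = host.strip().lower().rstrip(".")
    if host.startswith("["):  # IPv6 literal; not a domain name
        return host
    return host.split(":", 1)[0]

def domain_matches(entry: str, host: str) -> bool:
    """dstdomain semantics for one ACL entry; matches on label boundaries
    so '.debian.org' does not match 'evil-debian.org'."""
    entry = entry.strip().lower().rstrip(".")
    host = normalize_host(host)
    if entry.startswith("."):
        base = entry[1:]
        return host == base or host.endswith("." + base)
    return host == entry

def is_allowed(allowed_domains, host: str) -> bool:
    """True if any non-empty allowlist entry matches the host."""
    return any(domain_matches(e, host) for e in allowed_domains if e.strip())

def lint_allowlist(allowed_domains):
    """Flag entries that widen the policy far beyond a single domain."""
    findings = []
    for raw in allowed_domains:
        e = raw.strip().lower()
        if e in ("", ".") or e.startswith(".."):
            findings.append(f"{raw!r}: malformed or matches every destination")
        elif e.startswith(".") and e.count(".") == 1:
            findings.append(f"{raw!r}: allows an entire top-level domain")
    return findings

# Constructed sample policy: Debian mirrors, one exact package host, PyPI.
SAMPLE_ALLOWLIST = [".debian.org", "packages.cloud.google.com", ".pypi.org"]

if __name__ == "__main__":
    for h in ["deb.debian.org", "evil-debian.org", "packages.cloud.google.com:443"]:
        print(f"{h:32} allowed={is_allowed(SAMPLE_ALLOWLIST, h)}")
    print(lint_allowlist([".com", "."]))
```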

## Test

```hcl
module "test" {
  source = "./fabric/blueprints/networking/filtering-proxy-psc"
  prefix = "fabric"
  project_create = {
    billing_account = "123456-ABCDEF-123456"
    parent          = "folders/1234567890"
  }
  project_id = "test-project"
}
# tftest modules=13 resources=41
```