# Network filtering with Squid

This blueprint shows how to deploy a filtering HTTP proxy to restrict Internet access. Here we show one way to do this using a VPC with two subnets:

- The apps subnet hosts the VMs whose Internet access is tightly controlled by a non-caching filtering forward proxy.
- The proxy subnet hosts a Cloud NAT instance and a Squid server.

The VPC is a Shared VPC, and all the service projects are located under a folder that enforces the `compute.vmExternalIpAccess` organization policy. This prevents VMs in the service projects from having external IPs, so every outbound Internet connection has to go through the proxy.

To give the proxy subnet Internet connectivity, a Cloud NAT instance is configured for that subnet only; no other subnet is allowed to use it.

To simplify use of the proxy, a Cloud DNS private zone is created and the IP address of the proxy is exposed under the FQDN `proxy.internal`.

You can optionally deploy the Squid server as a Managed Instance Group by setting the `mig` variable to `true`. It defaults to `false`, which deploys a standalone VM.
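The filtering behaviour described above, as an added illustration rather than the blueprint's own startup configuration: a `squid.conf` that admits only clients from the apps subnet, allows HTTP/HTTPS solely to the allow-listed domains, disables caching, and denies everything else. The apps subnet CIDR and the allow-list file path are assumptions.

```squid
# Constructed example squid.conf for a non-caching filtering forward proxy.
# Not the blueprint's own configuration; CIDR and file path are assumptions.

http_port 3128

# Only clients from the apps subnet (assumed 10.0.0.0/24) may use the proxy.
acl apps_subnet src 10.0.0.0/24

# Destinations allowed by policy, one per line. In Squid dstdomain syntax a
# leading dot (".example.com") matches the domain and all its subdomains;
# a bare name ("example.com") matches only that exact host.
acl allowed_domains dstdomain "/etc/squid/allowed_domains.txt"

# Plain HTTP only to port 80; CONNECT tunnels (HTTPS) only to port 443.
acl Safe_ports port 80 443
acl SSL_ports port 443
acl CONNECT method CONNECT

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny !apps_subnet
http_access allow allowed_domains
# Anything not explicitly allowed above is refused.
http_access deny all

# Non-caching: never store or serve responses from cache.
cache deny all

# Log every decision so denied egress attempts can be reviewed centrally.
access_log stdio:/var/log/squid/access.log squid
```

Requests to a destination outside the list are logged with a `TCP_DENIED` result, which is the signal to watch when reviewing blocked egress from the apps subnet.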

High-level diagram

## Variables

| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
| billing_account | Billing account id used as default for new projects. | `string` | ✓ | |
| prefix | Prefix used for resource names. | `string` | ✓ | |
| root_node | Root node for the new hierarchy, either 'organizations/org_id' or 'folders/folder_id'. | `string` | ✓ | |
| allowed_domains | List of domains allowed by the squid proxy. | `list(string)` | | `[…]` |
| cidrs | CIDR ranges for subnets. | `map(string)` | | `{…}` |
| mig | Enables the creation of an autoscaling managed instance group of squid instances. | `bool` | | `false` |
| nat_logging | Enables Cloud NAT logging if not null, value is one of 'ERRORS_ONLY', 'TRANSLATIONS_ONLY', 'ALL'. | `string` | | `"ERRORS_ONLY"` |
| region | Default region for resources. | `string` | | `"europe-west1"` |

## Outputs

| name | description | sensitive |
|---|---|:---:|
| squid-address | IP address of the Squid proxy. | |

## Test

```hcl
module "test1" {
  source          = "./fabric/blueprints/networking/filtering-proxy"
  billing_account = "123456-123456-123456"
  mig             = true
  prefix          = "fabric"
  root_node       = "folders/123456789"
}
# tftest modules=14 resources=38
```

```hcl
module "test2" {
  source          = "./fabric/blueprints/networking/filtering-proxy"
  billing_account = "123456-123456-123456"
  mig             = false
  prefix          = "fabric"
  root_node       = "folders/123456789"
}
# tftest modules=12 resources=32
```