Network filtering with Squid with isolated VPCs using Private Service Connect
This blueprint shows how to deploy a filtering HTTP proxy to restrict Internet access. Here we show one way to do this using isolated VPCs and Private Service Connect:

- The `app` subnet hosts the consumer VMs that will have their Internet access tightly controlled by a non-caching filtering forward proxy.
- The `proxy` subnet hosts a Cloud NAT instance and a Squid server.
- The `psc` subnet is reserved for the Private Service Connect.
The reason for using Private Service Connect in this setup is to have a common proxy setup between all environments without having to share a VPC between projects. This allows us to enforce the `compute.vmExternalIpAccess` organization policy, which prevents the service projects from having external IPs, thus forcing all outbound Internet connections through the proxy.
To give the proxy subnet Internet connectivity, a Cloud NAT instance is configured for that subnet only; no other subnet can use it, so VMs in the app subnet have no path to the Internet except through the proxy.
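The filtering side of the setup, as an added example rather than the blueprint's own Squid template: a shell function that renders the allow-list part of a non-caching forward-proxy `squid.conf` from a list of domains (the `allowed_domains` variable), plus a helper that emulates Squid's `dstdomain` matching so a list can be checked before it is deployed. The listening port (3128) and the use of the app subnet CIDR as the only permitted client source are assumptions, not details stated on this page.

```shell
#!/bin/sh
# Added example, not the blueprint's own Squid template: render the allow-list
# part of a non-caching forward-proxy squid.conf from the allowed_domains list,
# and emulate Squid's dstdomain matching so the list can be checked before it
# is deployed. Assumptions: Squid listens on 3128 and the caller passes the app
# subnet CIDR as the only permitted client source.

render_squid_conf() {
  # $1 = app subnet CIDR, remaining arguments = allowed domains
  app_cidr="$1"; shift
  printf 'http_port 3128\n'
  # Non-caching: the proxy filters, it never stores responses.
  printf 'cache deny all\n'
  printf 'acl app_src src %s\n' "$app_cidr"
  printf 'acl SSL_ports port 443\n'
  printf 'acl CONNECT method CONNECT\n'
  # CONNECT requests name the target host, so dstdomain also filters HTTPS
  # without TLS interception.
  for d in "$@"; do
    printf 'acl allowed_domains dstdomain %s\n' "$d"
  done
  printf 'http_access deny CONNECT !SSL_ports\n'
  printf 'http_access allow app_src allowed_domains\n'
  # Order matters: Squid stops at the first matching http_access rule,
  # so the default deny must be last.
  printf 'http_access deny all\n'
}

# Emulate dstdomain semantics: an entry with a leading dot matches the domain
# and every subdomain, one without matches that exact name only.
# Returns 0 if the host is allowed, 1 otherwise.
domain_allowed() {
  host="$1"; shift
  for d in "$@"; do
    case "$d" in
      .*)
        [ "$host" = "${d#.}" ] && return 0
        case "$host" in *"$d") return 0 ;; esac
        ;;
      *)
        [ "$host" = "$d" ] && return 0
        ;;
    esac
  done
  return 1
}
```

The distinction the helper encodes is the one that most often surprises people: `github.com` in `allowed_domains` admits only that exact name, while `.debian.org` admits `debian.org` and every host under it, and neither admits look-alikes such as `evil-debian.org`.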
To simplify the usage of the proxy, a Cloud DNS private zone is created in each consumer VPC and the IP address of the proxy is exposed with the FQDN `proxy.internal`. In addition, system-wide `http_proxy` and `https_proxy` environment variables and an APT configuration are rolled out via a startup script.
Variables

| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
| prefix | Prefix used for resource names. | string | ✓ | |
| project_id | Project id used for all resources. | string | ✓ | |
| allowed_domains | List of domains allowed by the squid proxy. | list(string) | | […] |
| cidrs | CIDR ranges for subnets. | map(string) | | {…} |
| nat_logging | Enables Cloud NAT logging if not null; value is one of 'ERRORS_ONLY', 'TRANSLATIONS_ONLY', 'ALL'. | string | | "ERRORS_ONLY" |
| project_create | Set to non-null if the project needs to be created. | object({…}) | | null |
| region | Default region for resources. | string | | "europe-west1" |