# Network filtering with Squid

This example shows how to deploy a filtering HTTP proxy to restrict Internet access. Here we show one way to do this using a VPC with two subnets:

- The `apps` subnet hosts the VMs whose Internet access is tightly controlled by a non-caching, filtering forward proxy.
- The `proxy` subnet hosts a Cloud NAT gateway and a Squid server.
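The following is an added illustration, not the example's own `main.tf`, of what the "non-caching, filtering forward proxy" in the `proxy` subnet looks like in Terraform: a Squid configuration built from `allowed_domains`, written to the VM by its startup script, and a firewall rule that lets only the `apps` subnet reach it. The listening port (3128), image, machine type, zone suffix, network tag, resource names, the `apps` key in `cidrs`, and the `google_compute_network.vpc` / `google_compute_subnetwork.proxy` references are all assumptions standing in for the example's real resources.

```hcl
# Added example (not the module's own code). Port 3128, image, machine
# type, zone, tag and resource names are assumptions; the network/subnet
# references are placeholders for the example's own VPC resources.
locals {
  # Non-caching forward proxy that only lets the listed domains through.
  # A leading dot in an entry (".example.com") also matches its subdomains.
  squid_conf = <<-EOT
    http_port 3128
    cache deny all
    acl allowed_domains dstdomain ${join(" ", var.allowed_domains)}
    acl SSL_ports port 443
    acl Safe_ports port 80 443
    acl CONNECT method CONNECT
    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_ports
    http_access allow allowed_domains
    http_access deny all
  EOT
}

resource "google_compute_instance" "squid" {
  name         = "${var.prefix}-squid"
  machine_type = "e2-small"
  zone         = "${var.region}-b"
  tags         = ["squid"]

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-11"
    }
  }

  # No access_config block: the VM gets no external IP and reaches the
  # Internet only through the Cloud NAT gateway serving the proxy subnet.
  network_interface {
    subnetwork = google_compute_subnetwork.proxy.id
  }

  metadata = {
    startup-script = <<-EOT
      #!/bin/bash
      set -e
      apt-get update && apt-get install -y squid
      cat > /etc/squid/squid.conf <<'CONF'
      ${local.squid_conf}
      CONF
      systemctl restart squid
    EOT
  }
}

# Only the apps subnet may talk to the proxy port; everything else is
# covered by the implied deny-ingress rule of the VPC.
resource "google_compute_firewall" "allow_proxy" {
  name          = "${var.prefix}-allow-proxy"
  network       = google_compute_network.vpc.id
  source_ranges = [var.cidrs.apps]
  target_tags   = ["squid"]

  allow {
    protocol = "tcp"
    ports    = ["3128"]
  }
}
```

The ordering of the `http_access` lines matters: Squid evaluates them top to bottom and the first match wins, so the final `deny all` is what turns the allow-list into a default-deny policy. From an `apps` VM, `curl -x http://proxy.internal:3128 https://<allowed-domain>/` should succeed while any domain not in `allowed_domains` gets a 403 from the proxy.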
The VPC is a Shared VPC, and all service projects are placed under a folder that enforces the `compute.vmExternalIpAccess` organization policy. This prevents VMs in the service projects from having external IPs, so every outbound Internet connection has to go through the proxy.

To give the proxy subnet Internet connectivity, a Cloud NAT gateway is configured to serve that subnet only; no other subnet is allowed to use it.

To simplify using the proxy, a Cloud DNS private zone is created that exposes the proxy's IP address under the FQDN `proxy.internal`.
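As an added example (not code from this module), the three controls described above in Terraform: the folder-level organization policy that denies external IPs, a Cloud NAT gateway restricted to the `proxy` subnet, and a private `internal.` zone with the `proxy.internal` A record. Resource names, the `google_folder.services`, `google_compute_network.vpc`, `google_compute_subnetwork.proxy` and `google_compute_instance.squid` references are assumptions for the example's own resources.

```hcl
# Added example (not the module's own code). All resource names and the
# references to the folder, VPC, proxy subnet and Squid VM are assumptions.

# Deny external IPs for every VM in the service-project folder, so the
# only path out of the apps subnet is via the proxy.
resource "google_folder_organization_policy" "no_external_ip" {
  folder     = google_folder.services.name
  constraint = "compute.vmExternalIpAccess"

  list_policy {
    deny {
      all = true
    }
  }
}

resource "google_compute_router" "router" {
  name    = "${var.prefix}-router"
  region  = var.region
  network = google_compute_network.vpc.id
}

resource "google_compute_router_nat" "nat" {
  name                   = "${var.prefix}-nat"
  router                 = google_compute_router.router.name
  region                 = var.region
  nat_ip_allocate_option = "AUTO_ONLY"

  # LIST_OF_SUBNETWORKS (not ALL_SUBNETWORKS_ALL_IP_RANGES) is the setting
  # that keeps the apps subnet off the NAT: only the subnets listed below
  # are translated, so a VM without an external IP in apps has no route to
  # the Internet except through the proxy.
  source_subnetwork_ip_ranges_to_nat = "LIST_OF_SUBNETWORKS"

  subnetwork {
    name                    = google_compute_subnetwork.proxy.id
    source_ip_ranges_to_nat = ["ALL_IP_RANGES"]
  }

  # nat_logging = null disables logging; otherwise it selects the filter
  # (ERRORS_ONLY, TRANSLATIONS_ONLY or ALL).
  log_config {
    enable = var.nat_logging != null
    filter = coalesce(var.nat_logging, "ERRORS_ONLY")
  }
}

# Private zone visible only from the Shared VPC, so proxy.internal resolves
# for every service project attached to it.
resource "google_dns_managed_zone" "internal" {
  name       = "${var.prefix}-internal"
  dns_name   = "internal."
  visibility = "private"

  private_visibility_config {
    networks {
      network_url = google_compute_network.vpc.id
    }
  }
}

resource "google_dns_record_set" "proxy" {
  managed_zone = google_dns_managed_zone.internal.name
  name         = "proxy.${google_dns_managed_zone.internal.dns_name}"
  type         = "A"
  ttl          = 300
  rrdatas      = [google_compute_instance.squid.network_interface[0].network_ip]
}
```

A quick check after `terraform apply`: from a VM in `apps`, `curl https://example.com` should time out (no external IP, no NAT), while the same request through `proxy.internal` succeeds only if the domain is in `allowed_domains`. Cloud NAT logs, when enabled, show translations only for addresses in the proxy subnet.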
Optionally, the Squid server can be deployed as a Managed Instance Group by setting the `mig` variable to `true`. It defaults to `false`, which deploys a standalone VM.
## Variables

| name | description | type | required | default |
|---|---|---|---|---|
| billing_account | Billing account id used as default for new projects. | string | ✓ | |
| prefix | Prefix used for resources that need unique names. | string | ✓ | |
| root_node | Root node for the new hierarchy, either 'organizations/org_id' or 'folders/folder_id'. | string | ✓ | |
| allowed_domains | List of domains allowed by the Squid proxy. | list(string) | | ... |
| cidrs | CIDR ranges for subnets. | map(string) | | ... |
| mig | Enables the creation of an autoscaling managed instance group of Squid instances. | bool | | false |
| nat_logging | Enables Cloud NAT logging if not null; value is one of 'ERRORS_ONLY', 'TRANSLATIONS_ONLY', 'ALL'. | string | | ERRORS_ONLY |
| region | Default region for resources. | string | | europe-west1 |
## Outputs

| name | description | sensitive |
|---|---|---|
| squid-address | None | |