Preparing to Deploy PCF on GCP

This guide describes the preparation steps required to install Pivotal Cloud Foundry (PCF) on Google Cloud Platform (GCP).

In addition to fulfilling the prerequisites listed in the Installing Pivotal Cloud Foundry on GCP topic, you must create resources in GCP such as a new network, firewall rules, load balancers, and a service account before deploying PCF. Follow these procedures to prepare your GCP environment. You may also find it helpful to review different deployment options in the Reference Architecture for Pivotal Cloud Foundry on GCP.

Step 1: Create a GCP Network with Subnet

  1. Log in to the GCP Console at https://console.cloud.google.com.

  2. In the console, navigate to the GCP project where you want to install PCF.

  3. Select Networking, then Create Network.

    1. Enter a name and description for your network.
    2. Under Subnetworks, select Custom and specify a name, region, and address range in CIDR notation.

    Make sure you select a region with enough zones to support the availability zone needs of your deployment. For help selecting the correct region for your deployment, see the Google documentation on regions and zones.


  4. Click Create.

Step 2: Create Firewall Rules for the Network

GCP lets you assign tags to virtual machine (VM) instances and create firewall rules that apply to VMs based on their tags. This step assigns tags and firewall rules to Ops Manager components and VMs that handle incoming traffic.

  1. In the Networking pane, select Firewall rules, then Create Firewall Rule.
  2. Create a firewall rule to allow all traffic within the subnetwork.
    • Name: Enter a name, such as all-internal.
    • Network: Select the network you created in the section above, Create a GCP Network with Subnet.
    • Source filter: Choose Subnetworks, then select the subnetwork or subnetworks you defined in the section above.
    • Allowed protocols and ports: Enter tcp:0-65535;udp:0-65535;icmp.
    • Target tags: Not used for this firewall rule. This rule matches on the subnetwork CIDR instead of tags to accommodate on-demand service brokers, which deploy VMs outside of Ops Manager and do not apply VM tags.
  3. Create a firewall rule to allow tcp:22;tcp:80;tcp:443 traffic from any source to VMs tagged with pcf-opsmanager.
    • Name: Enter pcf-opsmanager.
    • Network: Select the network you created in the section above, Create a GCP Network with Subnet.
    • Source filter: Choose Allow from any source (0.0.0.0/0). This exposes SSH and the Ops Manager web interface to the Internet; if your operators connect from known address ranges, choose IP ranges and enter those ranges instead.
    • Allowed protocols and ports: Enter tcp:22;tcp:80;tcp:443.
    • Target tags: Enter pcf-opsmanager.
  4. Create a firewall rule to allow tcp:80;tcp:443;tcp:2222;tcp:8080 traffic from any source to VMs tagged with pcf-lb.
    • Name: Enter pcf-lb.
    • Network: Select the network you created in the section above, Create a GCP Network with Subnet.
    • Source filter: Choose Allow from any source (0.0.0.0/0).
    • Allowed protocols and ports: Enter tcp:80;tcp:443;tcp:2222;tcp:8080.
    • Target tags: Enter pcf-lb.
  5. If you plan to enable the TCP routing feature, create another firewall rule to allow incoming TCP traffic to the TCP router.
    • Name: Enter a name, such as pcf-tcp-lb.
    • Network: Select the network you created in the section above, Create a GCP Network with Subnet.
    • Source filter: Choose Allow from any source (0.0.0.0/0).
    • Allowed protocols and ports: Enter tcp:1024-65535.
    • Target tags: Enter pcf-tcp-lb.
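The network, subnet and four firewall rules from Steps 1 and 2, scripted with gcloud, as an added example that is not part of the Pivotal documentation. The project ID, region, network and subnet names and the 10.0.0.0/20 range are hypothetical placeholders you override through the environment; the OPSMAN_SOURCE_RANGES variable is an addition that lets you narrow the Ops Manager rule from the page's 0.0.0.0/0 to your admin address ranges. The flag spellings are those of a current gcloud release. With DRY_RUN=1 (the default) the script only prints the commands; run it with DRY_RUN=0 to apply them.

```shell
#!/bin/sh
# Added example (not from the PCF docs): the gcloud equivalent of Steps 1-2.
# Hypothetical placeholders, override via the environment:
#   PROJECT, REGION, NETWORK, SUBNET, SUBNET_CIDR, OPSMAN_SOURCE_RANGES.
# DRY_RUN=1 (default) prints each gcloud command; DRY_RUN=0 runs it with the
# active gcloud credentials.
set -u

PROJECT="${PROJECT:-my-project-id}"
REGION="${REGION:-us-central1}"
NETWORK="${NETWORK:-pcf-network}"
SUBNET="${SUBNET:-pcf-subnet}"
SUBNET_CIDR="${SUBNET_CIDR:-10.0.0.0/20}"
# The page opens tcp:22/80/443 on Ops Manager to 0.0.0.0/0. Set this to your
# admin CIDR(s), comma separated, so SSH and the Ops Manager UI are not
# reachable from the whole Internet.
OPSMAN_SOURCE_RANGES="${OPSMAN_SOURCE_RANGES:-0.0.0.0/0}"

run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Step 1: custom-mode network plus one subnet in the chosen region.
create_network() {
  run gcloud compute networks create "$NETWORK" \
    --project="$PROJECT" --subnet-mode=custom
  run gcloud compute networks subnets create "$SUBNET" \
    --project="$PROJECT" --network="$NETWORK" \
    --region="$REGION" --range="$SUBNET_CIDR"
}

# Step 2: the four ingress rules. The console's "Source filter: Subnetworks"
# becomes --source-ranges with the subnet CIDR; "Target tags" become
# --target-tags. --allow=tcp,udp,icmp is the CLI spelling of
# tcp:0-65535;udp:0-65535;icmp.
create_firewall_rules() {
  run gcloud compute firewall-rules create all-internal \
    --project="$PROJECT" --network="$NETWORK" --direction=INGRESS \
    --source-ranges="$SUBNET_CIDR" --allow=tcp,udp,icmp
  run gcloud compute firewall-rules create pcf-opsmanager \
    --project="$PROJECT" --network="$NETWORK" --direction=INGRESS \
    --source-ranges="$OPSMAN_SOURCE_RANGES" --allow=tcp:22,tcp:80,tcp:443 \
    --target-tags=pcf-opsmanager
  run gcloud compute firewall-rules create pcf-lb \
    --project="$PROJECT" --network="$NETWORK" --direction=INGRESS \
    --source-ranges=0.0.0.0/0 --allow=tcp:80,tcp:443,tcp:2222,tcp:8080 \
    --target-tags=pcf-lb
  # Only needed when TCP routing is enabled.
  run gcloud compute firewall-rules create pcf-tcp-lb \
    --project="$PROJECT" --network="$NETWORK" --direction=INGRESS \
    --source-ranges=0.0.0.0/0 --allow=tcp:1024-65535 \
    --target-tags=pcf-tcp-lb
}

# Check: list the rules that actually exist on the network, one per line, so a
# reviewer can spot a rule that is open to 0.0.0.0/0 without target tags.
list_firewall_rules() {
  run gcloud compute firewall-rules list --project="$PROJECT" \
    --filter="network:$NETWORK" \
    --format="table(name,sourceRanges.list(),targetTags.list())"
}

main() {
  create_network
  create_firewall_rules
  list_firewall_rules
}
main
```

Run the script once to read the plan, then again with DRY_RUN=0. In the final listing every rule except all-internal should carry a target tag, and pcf-opsmanager should be the only rule that reaches port 22.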

Step 3: Set up an IAM Service Account

  1. From the GCP Console, select IAM & Admin, then Service accounts.
  2. Click Create Service Account:

    • Service account name: Enter a name. For example, bosh.
    • Role: Select the following roles for the service account:

      Note: You must scroll down in the pop-up window to select all required roles.

      • Project > Service Account Actor
      • Compute Engine > Compute Instance Admin
      • Compute Engine > Compute Network Admin
      • Compute Engine > Compute Storage Admin
      • Storage > Storage Admin

        Note: To configure the service account with the least permissive options, refer to the list of minimum required permissions for deploying to GCP in the BOSH Documentation.

        Note: The Service Account Actor role is only required if you plan to use the Ops Manager VM Service Account to deploy Ops Manager.

    • Service account ID: The field autogenerates a unique ID based on the service account name.
    • Furnish a new private key: Select this checkbox and JSON as the Key type.
  3. Click Create. Your browser automatically downloads a JSON file with a private key for this account. Save this file in a secure location: GCP does not keep a copy of the private key, and anyone who holds the file can act with every role you granted above.

Step 4: Create a Project-Wide SSH Keypair for Your Project

  1. Create an SSH keypair on your local machine with the username vcap. For example, use the following command:

    $ ssh-keygen -t rsa -f vcap-key -C vcap@local
    

    When prompted, press enter twice to use no passphrase. Because the key is not protected by a passphrase, restrict access to the private key file vcap-key as you would the service account key file.

  2. Open and copy the contents of the public key file vcap-key.pub.

  3. In the GCP console, navigate to Compute Engine > Metadata > SSH Keys. Click Add SSH Keys, or Edit if you already have project-wide keys.

  4. Paste in the contents of the vcap-key.pub file. The username vcap autopopulates the username field.

  5. Click Save.

  6. Verify that the public key data is uploaded to your project:

    1. If you have not done so already, install the gcloud command-line tool and run gcloud init to set it up.
    2. Execute the following command:
      $ gcloud compute project-info describe
      
      The command outputs project metadata with the new key appearing as a value under the sshKeys item (newer projects store project-wide keys under the ssh-keys item instead):
      commonInstanceMetadata:
        fingerprint: #######
        items:
        - key: sshKeys
          value: |
            vcap:ssh-rsa ...
      

Step 5: Enable Google Cloud APIs

Ops Manager manages GCP resources using the Google Compute Engine and Cloud Resource Manager APIs. To enable these APIs, perform the following steps:

  1. Log in to the Google Developers console at https://console.developers.google.com.

  2. In the console, navigate to the GCP project where you want to install PCF.

  3. Select API Manager > Library.

  4. Under Google Cloud APIs, select Compute Engine API.

  5. On the Google Compute Engine API page, click Enable.

  6. In the search field, enter Google Cloud Resource Manager API.

  7. On the Google Cloud Resource Manager API page, click Enable.

  8. To verify that the APIs have been enabled, perform the following steps:

    1. Log in to GCP using the IAM service account you created in Set up an IAM Service Account:
      $ gcloud auth activate-service-account --key-file JSON_KEY_FILENAME
      
    2. List your projects:
      $ gcloud projects list
      PROJECT_ID       NAME                 PROJECT_NUMBER
      my-project-id    my-project-name      ##############
      

    This command calls the Cloud Resource Manager API with the service account's credentials, so a listing that includes your project confirms that this API is enabled and that the key file works. It does not exercise the Compute Engine API.
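The service account, role bindings and key from Step 3, the API enablement from Step 5, and a check on the downloaded key file, as an added example with gcloud rather than the console; it is not code from the Pivotal documentation. PROJECT, SA_NAME and KEY_FILE are hypothetical placeholders. The roles are the gcloud names of the five roles listed in Step 3; the comment on roles/iam.serviceAccountActor records its later deprecation by Google. DRY_RUN=1 (default) prints the commands; with DRY_RUN=0 the script applies them and then validates the key file it created.

```shell
#!/bin/sh
# Added example (not from the PCF docs): Steps 3 and 5 with gcloud, plus a
# sanity check of the downloaded key file. PROJECT, SA_NAME and KEY_FILE are
# hypothetical placeholders; DRY_RUN=1 (default) prints the gcloud commands.
set -u

PROJECT="${PROJECT:-my-project-id}"
SA_NAME="${SA_NAME:-bosh}"
SA_EMAIL="${SA_NAME}@${PROJECT}.iam.gserviceaccount.com"
KEY_FILE="${KEY_FILE:-${SA_NAME}-key.json}"

run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 5 first: the APIs must be on before the service account can use them.
enable_apis() {
  run gcloud services enable compute.googleapis.com \
    cloudresourcemanager.googleapis.com --project="$PROJECT"
}

# Step 3: the service account and the five roles listed on the page.
# roles/iam.serviceAccountActor is the role the page calls Service Account
# Actor; Google has since deprecated it in favour of
# roles/iam.serviceAccountUser, and the page needs it only when the Ops
# Manager VM service account is used.
create_service_account() {
  run gcloud iam service-accounts create "$SA_NAME" \
    --project="$PROJECT" --display-name="$SA_NAME"
  for role in roles/iam.serviceAccountActor \
              roles/compute.instanceAdmin.v1 \
              roles/compute.networkAdmin \
              roles/compute.storageAdmin \
              roles/storage.admin; do
    run gcloud projects add-iam-policy-binding "$PROJECT" \
      --member="serviceAccount:$SA_EMAIL" --role="$role"
  done
  # "Furnish a new private key" as JSON. The key is a long-lived credential:
  # keep it out of version control and readable only by you.
  run gcloud iam service-accounts keys create "$KEY_FILE" \
    --iam-account="$SA_EMAIL" --key-file-type=json
}

# Check the key file before handing it to Ops Manager: it must be a
# service_account key for the expected account, contain a PEM private key,
# and end up readable only by the owner. Returns non-zero on the first problem.
check_key_file() {
  f="$1"; expected_email="$2"
  [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
  grep -q '"type": *"service_account"' "$f" || { echo "not a service account key" >&2; return 1; }
  grep -q "\"client_email\": *\"$expected_email\"" "$f" || { echo "client_email mismatch" >&2; return 1; }
  grep -q -- '-----BEGIN PRIVATE KEY-----' "$f" || { echo "no PEM private key" >&2; return 1; }
  chmod 600 "$f"
  return 0
}

main() {
  enable_apis
  create_service_account
  [ "${DRY_RUN:-1}" = "1" ] || check_key_file "$KEY_FILE" "$SA_EMAIL"
}
main
```

The check is cheap insurance against the common mistakes of uploading a user OAuth credential file or the key of a different account; both fail here rather than at the first Ops Manager deploy.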

Step 6: Create Load Balancers in GCP

You need at least three and as many as four load balancers to operate PCF on GCP, as follows:

  • An HTTP(S) load balancer for the router, serving HTTP on port 80 and HTTPS on port 443.
  • A TCP load balancer for log tailing over WebSockets on port 443.
  • A TCP load balancer for the SSH proxy on port 2222.
  • (Optional) A TCP load balancer for the TCP router, only if you enable TCP routing.

The steps required to set up each load balancer are described below.

Create Instance Groups and the HTTP(S) Load Balancer

To configure HTTP(S) load balancing for PCF on GCP, you need to do two things:

  1. Create one or more instance groups to attach to the load balancer's backend service.
  2. Create the HTTP(S) load balancer.

Create Instance Group(s)

You need to create and associate one or more Instance Group(s) with the HTTP(S) load balancer you create.

  1. From the GCP Console, select Compute Engine and click Instance groups.

  2. Click Create instance group.

  3. In the Create a new instance group window, enter a name in the Name field. If you are creating multiple instance groups, give each one a unique name. For example, you might create the following instance groups:

    • pcf-instance-group-lb-1a
    • pcf-instance-group-lb-1b
    • pcf-instance-group-lb-1c

      Note: You need one Google Instance Group for each Availability Zone you plan to support. All Instance Groups must connect to the Google Backend Service to configure your load balancer, described below. For a high availability production installation of PCF, Pivotal recommends using three availability zones.

  4. For each individual instance group, choose Single-zone in the Location section.

  5. From the Zone drop-down menu, select a zone that matches the Region of the network you created above. Pick a unique zone for each instance group that you create. For example, if you created the network in the us-central1 region, you could pick the following zones for your instance groups:

    • pcf-instance-group-lb-1a:us-central1-a
    • pcf-instance-group-lb-1b:us-central1-b
    • pcf-instance-group-lb-1c:us-central1-c
  6. Under Group type, select Unmanaged instance group.

  7. Under Network and Subnetwork, select the network and subnet you created in the Create a GCP Network with Subnet step above.

    Note: If the network you created is the only network in the project, the Network drop-down does not appear because the sole network is selected automatically.

  8. Click Create.

  9. If you are creating multiple instance groups, repeat substeps 2 through 8 of this procedure for each remaining zone.

Create the HTTP(S) Load Balancer

To create a load balancer for HTTP(S) in GCP:

  1. From the GCP Console, select Networking > Load Balancing > Create load balancer.

  2. Under HTTP(S) Load Balancing, click Start configuration.

  3. In the New HTTP(S) load balancer window, enter pcf-router in the Name field.

  4. Click Backend configuration to configure the Backend service.

  5. In the Create or select a backend service drop-down menu, choose Create a backend service to open the Backend service window.

  6. Fill in the name for your Backend service in the Name field. Leave Protocol set to HTTP.

  7. In the Backends section, from the Instance Group drop-down menu, choose one of the Instance Group(s) you created above, and select it.

  8. Enter 80 in the Port numbers field. The load balancer forwards HTTP traffic, including PCF API calls, to this port on the backend instances.

  9. If you have created multiple instance groups to support a multiple availability zone PCF deployment, perform the following steps:

    1. Click Add backend.
    2. Select another instance group from the Instance Group drop-down menu.
    3. Specify port 80 again if necessary.
    4. Repeat until you have selected all the instance groups (three for three availability zones) that you created.
  10. From the Health check drop-down menu, select Create a health check and use the following field values:

    • Name: Enter a name, for example health-check or pcf-public.
    • Description: Optional.
    • Protocol: HTTP
    • Port: 8080
    • Request path: /health
    • Use the default Health criteria field values:
      • Check interval: 5 seconds
      • Timeout: 5 seconds
      • Healthy threshold: 2 consecutive successes
      • Unhealthy threshold: 2 consecutive failures
    • Click Save and continue. The Backend configuration section shows a green check mark.
  11. Click Host and path rules to populate the default fields and a green check mark.

  12. Select Frontend configuration, and add the following:

    • Protocol: HTTP
    • IP: Perform the following steps:
      1. Select Create IP address.
      2. Enter a Name for the new static IP address and an optional description. For example, pcf-router-ip.
      3. Under IP, make sure this new static IP address is selected.
      4. Click Reserve.
    • Port: 80
  13. If you are using a trusted SSL certificate or already have a self-signed certificate, proceed to step 15.

  14. If you want to use a self-signed certificate generated during Elastic Runtime network configuration, skip over the next step of adding the HTTPS frontend configuration until after you generate the certificate in Elastic Runtime. After you generate the certificate, return to step 15 using the following guidelines:

    • Copy and paste the generated contents of the Router SSL Termination Certificate and Private Key fields from Elastic Runtime into the public certificate and private key fields.
    • Since you are using a self-signed certificate, do not enter a value in the Certificate Chain field.
  15. Click Add frontend IP and port, and add the following:

    • Protocol: HTTPS
    • IP: Select the static IP address you just created for the previous rule.
    • Port: Leave 443 selected.
    • Certificate: Select Create a new certificate. In the next dialog, perform the following steps:
      • In the Name field, enter a name for the certificate.
      • In the Public key certificate field, copy in the contents of your public certificate, or upload your certificate as a .pem file.
      • In the Certificate chain field, enter or upload your certificate chain in the .pem format. If you are using a self-signed certificate, you do not need to populate this field.
      • In the Private key field, copy in the contents or upload the .pem file of the private key for the certificate.
  16. Review the completed frontend configuration.

  17. Click Review and finalize to verify your configuration.

  18. Click Create.
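The instance groups, health check, backend service and front ends of this section built with gcloud, as an added example rather than the Pivotal documentation's own steps. PROJECT, REGION, the zone suffixes and the certificate file names are hypothetical placeholders; resource names follow the page where it gives them (pcf-router, pcf-router-ip, pcf-public, pcf-instance-group-lb-1a/b/c), and the backend service, proxy and forwarding rule names are assumptions. CERT_PEM is expected to hold the router certificate followed by its chain, if any, because gcloud's --certificate flag takes a single PEM file. DRY_RUN=1 (default) prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the PCF docs): the HTTP(S) load balancer of this
# section with gcloud. PROJECT, REGION, ZONES and the PEM file names are
# hypothetical placeholders; DRY_RUN=1 (default) prints the commands.
set -u

PROJECT="${PROJECT:-my-project-id}"
REGION="${REGION:-us-central1}"
ZONES="${ZONES:-a b c}"                 # one unmanaged instance group per zone
CERT_PEM="${CERT_PEM:-router.crt.pem}"  # router certificate (+ chain, if any)
KEY_PEM="${KEY_PEM:-router.key.pem}"    # its private key

run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# One single-zone unmanaged instance group per zone. The group takes its
# network from the VMs Ops Manager adds to it later. The named port "http"
# is what the backend service's --port-name refers to; it must map to 80.
create_instance_groups() {
  for z in $ZONES; do
    run gcloud compute instance-groups unmanaged create "pcf-instance-group-lb-1$z" \
      --project="$PROJECT" --zone="$REGION-$z"
    run gcloud compute instance-groups unmanaged set-named-ports "pcf-instance-group-lb-1$z" \
      --project="$PROJECT" --zone="$REGION-$z" --named-ports=http:80
  done
}

# The health check from step 10: HTTP on 8080, path /health, 5s/5s/2/2.
create_health_check() {
  run gcloud compute health-checks create http pcf-public \
    --project="$PROJECT" --port=8080 --request-path=/health \
    --check-interval=5s --timeout=5s --healthy-threshold=2 --unhealthy-threshold=2
}

# Backend service (HTTP to port 80 on every instance group), URL map, static
# IP, HTTP proxy and the port-80 forwarding rule (steps 4-12).
create_http_lb() {
  run gcloud compute backend-services create pcf-router-backend \
    --project="$PROJECT" --global --protocol=HTTP --port-name=http \
    --health-checks=pcf-public
  for z in $ZONES; do
    run gcloud compute backend-services add-backend pcf-router-backend \
      --project="$PROJECT" --global \
      --instance-group="pcf-instance-group-lb-1$z" --instance-group-zone="$REGION-$z"
  done
  run gcloud compute url-maps create pcf-router \
    --project="$PROJECT" --default-service=pcf-router-backend
  run gcloud compute addresses create pcf-router-ip --project="$PROJECT" --global
  run gcloud compute target-http-proxies create pcf-router-http-proxy \
    --project="$PROJECT" --url-map=pcf-router
  run gcloud compute forwarding-rules create pcf-router-http \
    --project="$PROJECT" --global --address=pcf-router-ip \
    --target-http-proxy=pcf-router-http-proxy --ports=80
}

# HTTPS front end (step 15) on the same static IP. Run this only once the
# certificate exists; with the Elastic Runtime self-signed certificate that
# is after it has been generated, as the page describes.
create_https_frontend() {
  run gcloud compute ssl-certificates create pcf-router-cert \
    --project="$PROJECT" --certificate="$CERT_PEM" --private-key="$KEY_PEM"
  run gcloud compute target-https-proxies create pcf-router-https-proxy \
    --project="$PROJECT" --url-map=pcf-router --ssl-certificates=pcf-router-cert
  run gcloud compute forwarding-rules create pcf-router-https \
    --project="$PROJECT" --global --address=pcf-router-ip \
    --target-https-proxy=pcf-router-https-proxy --ports=443
}

main() {
  create_instance_groups
  create_health_check
  create_http_lb
  if [ "${SKIP_HTTPS:-0}" != "1" ]; then create_https_frontend; fi
}
main
```

Set SKIP_HTTPS=1 on the first run if the certificate is still to be generated in Elastic Runtime, then run create_https_frontend alone once the PEM files exist; the HTTP front end and the instance groups do not depend on it.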

Create the TCP WebSockets Load Balancer

The load balancer for tailing logs with WebSockets for PCF on GCP operates on TCP port 443.

  1. From the GCP Console, select Networking > Load Balancing > Create load balancer.

  2. Under TCP Load Balancing, click Start configuration.

  3. Under Internet facing or internal only, select From Internet to my VMs. Under Connection termination, select No (TCP).

  4. Click Continue.

  5. In the New TCP load balancer window, enter pcf-websockets in the Name field.

  6. Click Backend configuration to configure the Backend service:

    • Region: Select the region you used to create the network in Create a GCP Network with Subnet.
    • From the Health check drop-down menu, select the Health check that you created above. The Backend configuration section shows a green check mark.
  7. Click Frontend configuration to open its configuration window and complete the fields:

    • Protocol: TCP
    • IP: Perform the following steps:
      1. Select Create IP address.
      2. Enter a Name for the new static IP address and an optional description. For example, pcf-websockets-ip.
      3. Click Reserve.
    • Port: 443
  8. Click Review and finalize to verify your configuration.

  9. Click Create.

Create the SSH Proxy Load Balancer

  1. From the GCP Console, select Networking > Load Balancing > Create load balancer.

  2. Under TCP Load Balancing, click Start configuration.

  3. Under Internet facing or internal only, select From Internet to my VMs.

  4. Under Connection termination, select No (TCP).

  5. Click Continue.

  6. In the New TCP load balancer window, enter pcf-ssh in the Name field.

  7. Select Backend configuration, and enter the following field values:

    • Region: Select the region you used to create the network in Create a GCP Network with Subnet.
    • Backup pool: None
    • Failover ratio: 10%
    • Health check: No health check
  8. Select Frontend configuration, and add the following:

    • Protocol: TCP
    • IP: Perform the following steps:
      1. Select Create IP address.
      2. Enter a Name for the new static IP address and an optional description.
      3. Click Reserve.
    • Port: 2222

  9. Optionally, review and finalize your load balancer.

  10. Click Create.

(Optional) Create the Load Balancer for TCP Router

Note: This step is optional and only required if you enable TCP routing in your deployment.

To create a load balancer for TCP routing in GCP, perform the following steps:

  1. From the GCP Console, select Networking > Load Balancing > Create load balancer.

  2. Under TCP Load Balancing, click Start configuration.


  3. Under Connection termination, select No (TCP). Click Continue.


  4. On the New TCP load balancer screen, enter a unique name for the load balancer in the Name field. For example, pcf-tcp-lb.

  5. Select Backend configuration, and enter the following field values:

    • Region: Select the region you used to create the network in Create a GCP Network with Subnet.
    • Health check: Select the health check for your TCP router. Create a new health check for the TCP router on port 80 in the Health checks pane if you do not already have one.
      • Click Save and continue.
  6. Select Frontend configuration, and add the frontend IP and port entry as follows:

    • Protocol: TCP
    • IP: Perform the following steps:
      1. Select Create IP address.
      2. Enter a Name for the new static IP address and an optional description. For example, pcf-tcp-router-ip.
      3. Click Reserve.
    • Port: 1024-65535


  7. Click Review and finalize to verify your configuration.

  8. Click Create.
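The WebSockets, SSH proxy and optional TCP router load balancers of the three sections above, created with one gcloud routine, as an added example that is not from the Pivotal documentation. In gcloud, the console's TCP load balancer with no connection termination is a target pool plus a regional forwarding rule, and target pools accept only legacy HTTP health checks, so the page's health checks are recreated here as http-health-checks (their names are assumptions). PROJECT and REGION are placeholders; DRY_RUN=1 (default) prints the commands, and ENABLE_TCP_ROUTING=1 adds the optional TCP router load balancer.

```shell
#!/bin/sh
# Added example (not from the PCF docs): the three TCP load balancers with
# gcloud. PROJECT and REGION are hypothetical placeholders; DRY_RUN=1
# (default) prints the commands instead of running them.
set -u

PROJECT="${PROJECT:-my-project-id}"
REGION="${REGION:-us-central1}"

run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Legacy HTTP health checks for target pools: the router's /health on 8080
# (same values as the HTTP(S) load balancer's check) and port 80 for the
# TCP router, as the page specifies. Names are assumptions.
create_legacy_health_checks() {
  run gcloud compute http-health-checks create pcf-public-legacy \
    --project="$PROJECT" --port=8080 --request-path=/health \
    --check-interval=5s --timeout=5s --healthy-threshold=2 --unhealthy-threshold=2
  run gcloud compute http-health-checks create pcf-tcp-router-legacy \
    --project="$PROJECT" --port=80
}

# create_tcp_lb NAME PORTS [HTTP_HEALTH_CHECK]
# Reserves a regional static IP NAME-ip, creates target pool NAME (with the
# health check if one is given; the SSH proxy pool has none) and a TCP
# forwarding rule for PORTS, a single port or a range such as 1024-65535.
# Ops Manager adds the VMs to the pool later; no instances are added here.
create_tcp_lb() {
  name="$1"; ports="$2"; hc="${3:-}"
  run gcloud compute addresses create "$name-ip" \
    --project="$PROJECT" --region="$REGION"
  if [ -n "$hc" ]; then
    run gcloud compute target-pools create "$name" \
      --project="$PROJECT" --region="$REGION" --http-health-check="$hc"
  else
    run gcloud compute target-pools create "$name" \
      --project="$PROJECT" --region="$REGION"
  fi
  run gcloud compute forwarding-rules create "$name" \
    --project="$PROJECT" --region="$REGION" --address="$name-ip" \
    --ip-protocol=TCP --ports="$ports" --target-pool="$name"
}

main() {
  create_legacy_health_checks
  create_tcp_lb pcf-websockets 443 pcf-public-legacy   # log tailing over WebSockets
  create_tcp_lb pcf-ssh 2222                           # SSH proxy, no health check
  if [ "${ENABLE_TCP_ROUTING:-0}" = "1" ]; then
    create_tcp_lb pcf-tcp-lb 1024-65535 pcf-tcp-router-legacy   # optional TCP router
  fi
}
main
```

The forwarding rule ports line up with the firewall rules from Step 2: 443 and 2222 are admitted by pcf-lb, and 1024-65535 by pcf-tcp-lb, so a load balancer whose port is not covered by one of those rules is a configuration error rather than a backend problem.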

What to Do Next
