Preparing GCP

Page last updated:

This guide describes the preparation steps required to install Pivotal Cloud Foundry (PCF) on Google Cloud Platform (GCP).

In addition to fulfilling the prerequisites listed in the Installing Pivotal Cloud Foundry on GCP topic, you must create resources in GCP such as a new network, firewall rules, load balancers, and a service account before deploying PCF. Follow these procedures to prepare your GCP environment.

When deploying PCF on GCP, Pivotal recommends using the following GCP components:

For more information, review the different deployment options and recommendations in the Reference Architecture for Pivotal Cloud Foundry on GCP.

Step 1: Set up an IAM Service Account

  1. From the GCP Console, select IAM & Admin, then Service accounts.
  2. Click Create Service Account:

    • Service account name: Enter a name. For example, bosh.
    • Role: Select the following roles for the service account:

      You must scroll down in the pop-up windows to select all required roles.

      • Project > Service Account Actor
      • Compute Engine > Compute Instance Admin
      • Compute Engine > Compute Network Admin
      • Compute Engine > Compute Storage Admin
      • Storage > Storage Admin

        The Service Account Actor role is only required if you plan to use The Ops Manager VM Service Account to deploy Ops Manager.

    • Service account ID: The field automatically generates a unique ID based on the username.
    • Furnish a new private key: Select this checkbox and JSON as the Key type. Iam account
  3. Click Create. Your browser automatically downloads a JSON file with a private key for this account. Save this file in a secure location.

Step 2: Enable Google Cloud APIs

Ops Manager manages GCP resources using the Google Compute Engine and Cloud Resource Manager APIs. To enable these APIs, perform the following steps:

  1. Log in to the Google Developers console at https://console.developers.google.com.

  2. In the console, navigate to the GCP project where you want to install PCF.

  3. Select API Manager > Library.

  4. Under Google Cloud APIs, select Compute Engine API.

  5. On the Google Compute Engine API page, click Enable.

  6. In the search field, enter Google Cloud Resource Manager API.

  7. On the Google Cloud Resource Manager API page, click Enable.

  8. To verify that the APIs have been enabled, perform the following steps:

    1. Log in to GCP using the IAM service account you created in Set up an IAM Service Account:
      $ gcloud auth activate-service-account --key-file JSON_KEY_FILENAME
      
    2. List your projects:
      $ gcloud projects list
      PROJECT_ID       NAME                 PROJECT_NUMBER
      my-project-id    my-project-name      ##############
      

    This command lists the projects where you enabled Google Cloud APIs.

Step 3: Create a GCP Network with Subnets

  1. Log in to the GCP Console.

  2. Navigate to the GCP project where you want to install PCF.

  3. Select VPC network, then CREATE VPC NETWORK. Create VPC Network

  4. In the Name field, enter MY-PCF-virt-net.
    MY-PCF is a prefix to help you identify resources for this PCF deployment in the GCP console. Enter VPC Name

    1. Under Subnets complete the form as follows:
      Name MY-PCF-subnet-infrastructure-MY-GCP-REGION
      Region A region that supports three availability zones. For help selecting the correct region for your deployment, see the Google documentation on regions and zones.
      IP address range A CIDR ending in /26

      See the following image for an example: Create VPC Subnet
    2. Click Add subnet to add a second subnet with the following details:
      Name MY-PCF-subnet-ert-MY-GCP-REGION
      Region The same region you selected for the infrastructure subnet
      IP address range A CIDR ending in /22
      Example: 192.168.16.0/22

    3. Click Add subnet to add a third Subnet with the following details:
      Name MY-PCF-subnet-services-MY-GCP-REGION
      Region The same region you selected for the previous subnets
      IP address range A CIDR in /22
      Example: 192.168.20.0/22

      See the following image for an example: Subnetworks Example
  5. Under Dynamic routing mode, leave Regional selected.

  6. Click Create.

Step 4: Create NAT Instances

Use NAT instances when you want to expose only a minimal number of public IP addresses.

For more information, see the Reference Architecture for Pivotal Cloud Foundry on GCP and GCP documentation.

  1. In the console, navigate to Compute Engine > VM instances. Compute Instance

  2. Click CREATE INSTANCE. Create Instance

  3. Complete the following fields:

    • Name: Enter MY-PCF-nat-gateway-pri.
      This is the first, or primary, of three NAT instances you need.
    • Zone: Select the first zone from your region.
      Example: For region us-west1, select zone us-west1-a.
    • Machine type: Select n1-standard-4.
    • Boot disk: Click Change and select Ubuntu 14.04 LTS.
      Primary Nat Example
  4. Expand the additional configuration fields by clicking Management, disks, networking, SSH keys.
    Management dropdown

    1. In the Startup script field under Automation, enter the following text: #! /bin/bash
      sudo sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'
      sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
      Startup Script
  5. Click Networking to open additional network configuration fields: NAT Networking settings

    1. In the Network tags field, add the following: nat-traverse and MY-PCF-nat-instance.
    2. Click on the Networking tab and the pencil icon to edit the Network interface.
    3. For Network, select MY-PCF-virt-net. You created this network in Step 1: Create a GCP Network with Subnets.
    4. For Subnetwork, select MY-PCF-subnet-infrastructure-MY-GCP-REGION.
    5. For Primary internal IP, select Ephemeral (Custom). Enter an IP address (for example, 192.168.101.2) in the Custom ephemeral IP address field. Specify an internal IP address located within the reserved IP range that you will configure in Ops Manager Director. Do not use the Gateway IP, for example 192.168.101.1.
    6. For External IP, select Ephemeral.

      Note: If you select a static external IP address for the NAT instance, then you can use the static IP to further secure access to your CloudSQL instances.

    7. Set IP forwarding to On.
    8. Click Done.
  6. Click Create to finish creating the NAT instance.

  7. Repeat steps 2-6 to create two additional NAT instances with the names and zones specified in the table below. The rest of the configuration remains the same.

    Instance 2 Name: MY-PCF-nat-gateway-sec.
    Zone: Select the second zone from your region.
    Example: For region us-west1, select zone us-west1-b.
    Internal IP: Select Custom and enter an IP address (for example, 192.168.101.3) in the Internal IP address field. Specify an internal IP address located within the reserved IP range that you will configure in Ops Manager Director. Do not use the Gateway IP, for example 192.168.101.1.
    Instance 3 Name: MY-PCF-nat-gateway-ter.
    Zone: Select the third zone from your region.
    Example: For region us-west1, select zone us-west1-c.
    Internal IP: Select Custom and enter an IP address (for example, 192.168.101.4) in the Internal IP address field. Specify an internal IP address located within the reserved IP range that you will configure in Ops Manager Director. Do not use the Gateway IP, for example 192.168.101.1.

Create Routes for NAT Instances

  1. In the GCP console, navigate to VPC Networks > Routes. NAT Routes

  2. Click CREATE ROUTE.

  3. Complete the form as follows:

    • Name: MY-PCF-nat-pri
    • Network: MY-PCF-virt-net
    • Destination IP range: 0.0.0.0/0
    • Priority: 800
    • Instance tags: MY-PCF
    • Next hop: Specify an instance
    • Next hop instance: MY-PCF-nat-gateway-pri
  4. Click Create to finish creating the route.

  5. Repeat steps 2-4 to create two additional routes with the names and next hop instances specified in the table below. The rest of the configuration remains the same.

    Route 2 Name: MY-PCF-nat-sec
    Next hop instance: MY-PCF-nat-gateway-sec
    Route 3 Name: MY-PCF-nat-ter
    Next hop instance: MY-PCF-nat-gateway-ter

Step 5: Create Firewall Rules for the Network

GCP lets you assign tags to virtual machine (VM) instances and create firewall rules that apply to VMs based on their tags. This step assigns tags and firewall rules to Ops Manager components and VMs that handle incoming traffic.

  1. In the Networking > VPC network pane, select Firewall rules.

  2. Create firewall rules according to the table below:

    Note: If you want your firewalls rules to only allow traffic within your private network, modify the Source IP Ranges from the table accordingly.

    Firewall Rules
    Rule 1 This rule allows SSH from public networks.

    Name: MY-PCF-allow-ssh
    Network: MY-PCF-virt-net
    Allowed protocols and ports: tcp:22
    Source filter: IP ranges
    Source IP ranges: 0.0.0.0/0
    Target tags: allow-ssh
    Rule 2 This rule allows HTTP from public networks.

    Name: MY-PCF-allow-http
    Network: MY-PCF-virt-net
    Allowed protocols and ports: tcp:80
    Source filter: IP ranges
    Source IP ranges: 0.0.0.0/0
    Target tags: allow-http, router
    Rule 3 This rule allows HTTPS from public networks.

    Name: MY-PCF-allow-https
    Network: MY-PCF-virt-net
    Allowed protocols and ports: tcp:443
    Source filter: IP ranges
    Source IP ranges: 0.0.0.0/0
    Target tags: allow-https, router
    Rule 4 This rule allows Gorouter health checks.

    Name: MY-PCF-allow-http-8080
    Network: MY-PCF-virt-net
    Allowed protocols and ports: tcp:8080
    Source filter: IP ranges
    Source IP Ranges: 0.0.0.0/0
    Target tags: router
    Rule 5 This rule allows communication between BOSH-deployed PAS jobs.

    Name: MY-PCF-allow-ert-all
    Network: MY-PCF-virt-net
    Allowed protocols and ports: tcp;udp;icmp
    Source filter: Source tags
    Target tags: MY-PCF, MY-PCF-opsman, nat-traverse
    Source tags: MY-PCF, MY-PCF-opsman, nat-traverse
    Rule 6 (Optional) This rule allows access to the TCP router.

    Name: MY-PCF-allow-cf-tcp
    Network: MY-PCF-virt-net
    Source filter: IP ranges
    Source IP ranges: 0.0.0.0/0
    Allowed protocols and ports: tcp:1024-65535
    Target tags: MY-PCF-cf-tcp
    Rule 7 (Optional) This rule allows access to the SSH proxy.

    Name: MY-PCF-allow-ssh-proxy
    Network: MY-PCF-virt-net
    Source filter: IP ranges
    Source IP ranges: 0.0.0.0/0
    Allowed protocols and ports: tcp:2222
    Target tags: MY-PCF-ssh-proxy, diego-brain

  3. If you are only using your GCP project to deploy PCF, then you can delete the following default firewall rules:

    • default-allow-http
    • default-allow-https
    • default-allow-icmp
    • default-allow-internal
    • default-allow-rdp
    • default-allow-ssh

Step 6: Create Database Instance and Databases

Create Database Instance

  1. From the GCP Console, select SQL and click CREATE INSTANCE.
  2. Ensure MySQL is selected and click Next.
  3. Click Choose Second Generation.
  4. Configure the instance as follows:
    • Instance ID: MY-PCF-ert-sql
    • Root password: Set a password for the root user.
    • Region: Select the region you specified when creating networks.
    • Zone: Any.
    • Configure machine type and storage: Select db-n1-standard-2.
    • Enable auto backups and high availability: Make the following selections:
      • Leave Automate backups and Enable binary logging selected.
      • Under High availability, select the Create failover replica checkbox.
    • Authorize Networks: Click Add network and create a network named all that allows traffic from 0.0.0.0/0.

      Note: If you assigned static IP addresses to your NAT instances, you can instead limit access to the database instances by specifying the NAT IP addresses.

  5. Click Create.

Create Databases

  1. From the Instances page, select the database instance you just created.
  2. Select the Databases tab.
  3. Use the Create database button to create the following databases:
    • account
    • app_usage_service
    • autoscale
    • ccdb
    • console
    • diego
    • locket
    • networkpolicyserver
    • nfsvolume
    • notifications
    • routing
    • silk
    • uaa
    • credhub
  4. Select the USERS tab.
  5. Use the Create user account button to create a unique username and password for each database you created above. For Host name, select Allow any host. You must create a total of 13 user accounts.

Step 7: Create Storage Buckets

  1. From the GCP Console, select Storage > Browser.
  2. Using CREATE BUCKET, create buckets with the following names. For Default storage class, select Multi-Regional:
    • MY-PCF-buildpacks
    • MY-PCF-droplets
    • MY-PCF-packages
    • MY-PCF-resources

Step 8: Create HTTP Load Balancer

Create Instance Group

  1. Navigate to Compute Engine > Instance groups.
  2. Click CREATE INSTANCE GROUP.
  3. Complete the form as follows:
    • For Name, enter MY-PCF-http-lb
    • For Location, select Single-zone.
    • For Zone, select the first zone from your region.
      Example: For region us-west1, select zone us-west1-a.
    • Under Group type, select Unmanaged instance group.
    • For Network, select MY-PCF-virt-net.
    • For Subnetwork, select the MY-PCF-subnet-ert-MY-GCP-REGION subnet that you created previously.
    • Click Create.
  4. Create a second instance group with the following details:
    • Name: MY-PCF-http-lb
    • Location: Single-zone
    • Zone: Select the second zone from your region.
      Example: For region us-west1, select zone us-west1-b.
    • Group type: Select Unmanaged instance group.
    • Network: Select MY-PCF-virt-net.
    • Subnetwork: Select the MY-PCF-subnet-ert-MY-GCP-REGION subnet that you created previously.
  5. Create a third instance group with the following details:
    • Name: MY-PCF-http-lb
    • Location: Single-zone
    • Zone: Select the third zone from your region.
      Example: For region us-west1, select zone us-west1-c.
    • Group type: Select Unmanaged instance group.
    • Network: Select MY-PCF-virt-net.
    • Subnetwork: Select the MY-PCF-subnet-ert-MY-GCP-REGION subnet that you created previously.

Create Health Check

  1. Navigate to Compute Engine > Health checks.
  2. Click CREATE HEALTH CHECK.
  3. Complete the form as follows:
    • Name: MY-PCF-cf-public
    • Port: 8080
    • Request path: /health
    • Check interval: 30
    • Timeout: 5
    • Healthy threshold: 10
    • Unhealthy threshold: 2
  4. Click Create.

Configure Backend

  1. Navigate to Network services > Load balancing.
  2. Click CREATE LOAD BALANCER.
  3. Under HTTP(S) Load Balancing, click the Start configuration button.
  4. For the Name, enter MY-PCF-global-pcf.
  5. Select Backend configuration
    1. From the dropdown, select Backend services > Create a backend service.
    2. Complete the form as follows:
    3. Name: MY-PCF-http-lb-backend.
    4. Protocol: HTTP.
    5. Named port: http.
    6. Timeout: 10 seconds.
    7. Under Backends > New backend, select the Instance group that corresponds to the first zone of the multi-zone instance group you created. For example: MY-PCF-http-lb-us-west1-a. Click Done.
    8. Click Add backend, select the Instance group that corresponds to the second zone of the multi-zone instance group you created. For example: MY-PCF-http-lb-us-west1-b. Click Done.
    9. Click Add backend, select the Instance group that corresponds to the third zone of the multi-zone instance group you created. For example: MY-PCF-http-lb-us-west1-c. Click Done.
    10. Health check: Select the MY-PCF-cf-public health check that you created.
    11. Cloud CDN: Ensure Cloud CDN is disabled.
    12. Click Create.

Configure Frontend

  1. Click Host and path rules to populate the default fields and a green check mark.

  2. Select Frontend configuration, and add the following:

    • Name: MY-PCF-cf-lb-http
    • Protocol: HTTP
    • IP: Perform the following steps:
      1. Select Create IP address.
      2. Enter a Name for the new static IP address and an optional description. For example, MY-PCF-global-pcf.
      3. Click Reserve.
    • Port: 80
  3. If you are using a trusted SSL certificate or already have a self-signed certificate, proceed to step 5.

  4. If you want to use a self-signed certificate generated during PAS network configuration, skip over the next step of adding the HTTPS frontend configuration until after you generate the certificate in PAS. After you generate the certificate, return to step 5 using the following guidelines:

    • Copy and paste the generated contents of the Router SSL Termination Certificate and Private Key fields from PAS into the public certificate and private key fields.
    • Since you are using a self-signed certificate, do not enter a value in the Certificate Chain field.
  5. Click Add Frontend IP and port and add the following:

    • Name: MY-PCF-cf-lb-https
    • Protocol: HTTPS
    • IP address: Select the MY-PCF-global-pcf address you create for the previous Frontend IP and Port.
    • Port: 443
    • Certificate: Select Create a new certificate. In the next dialog, perform the following steps:
      • In the Name field, enter a name for the certificate. Lb frontend cert
      • In the Public key certificate field, copy in the contents of your public certificate, or upload your certificate as a .pem file.
      • In the Certificate chain field, enter or upload your certificate chain in the .pem format. If you are using a self-signed certificate, you do not need to populate this field.
      • In the Private key field, copy in the contents or upload the .pem file of the private key for the certificate.
  6. Review the completed frontend configuration.

  7. Click Review and finalize to verify your configuration.

  8. Click Create.

Step 9: Create TCP WebSockets Load Balancer

The load balancer for tailing logs with WebSockets for PCF on GCP operates on TCP port 443.

  1. From the GCP Console, select Network services > Load balancing > Create load balancer.

  2. Under TCP Load Balancing, click Start configuration. Create new lb

  3. In the Create a load balancer configuration screen, make the following selections:

    • Under Internet facing or internal only, select From Internet to my VMs.
    • Under Multiple regions or single region, select Single region only.
    • Under Connection termination, select No (TCP). Lb connection termination
  4. Click Continue.

  5. In the New TCP load balancer window, enter MY-PCF-wss-logs in the Name field.

  6. Click Backend configuration to configure the Backend service: Tcp websockets backend

    • Region: Select the region you used to create the network in Create a GCP Network with Subnets.
    • From the Health check drop-down menu, create a health check with the following details:
      • Name: MY-PCF-gorouter
      • Port: 8080
      • Request path: /health
      • Check interval: 30
      • Timeout: 5
      • Healthy threshold: 10
      • Unhealthy threshold: 2 The Backend configuration section shows a green check mark.
  7. Click Frontend configuration to open its configuration window and complete the fields:

    • Protocol: TCP
    • IP: Perform the following steps:
      1. Select Create IP address.
      2. For name Name for the new static IP address and an optional description. For example, MY-PCF-gorouter-wss.
      3. Click Reserve.
    • Port: 443
  8. Click Review and finalize to verify your configuration. Websockets lb finalize

  9. Click Create.

Step 10: Create SSH Proxy Load Balancer

  1. From the GCP Console, select Network services > Load balancing > Create load balancer.

  2. Under TCP Load Balancing, click Start configuration.

  3. Under Internet facing or internal only, select From Internet to my VMs.

  4. Under Connection termination, select No (TCP). Lb connection termination

  5. Click Continue.

  6. In the New TCP load balancer window, enter MY-PCF-ssh-proxy in the Name field.

  7. Select Backend configuration, and enter the following field values:

    • Region: Select the region you used to create the network in Create a GCP Network with Subnet.
    • Backup pool: None
    • Failover ratio: 10%
    • Health check: No health check Ssl lb backend config complete
  8. Select Frontend configuration, and add the following:

    • Protocol: TCP
    • IP: Perform the following steps:
      1. Select Create IP address.
      2. Enter a Name for the new static IP address and an optional description. For example, MY-PCF-ssh-proxy.
      3. Click Reserve.
    • Port: 2222
  9. Optionally, review and finalize your load balancer.

  10. Click Create.

Step 11: Create Load Balancer for TCP Router

Note: This step is optional and only required if you enable TCP routing in your deployment.

To create a load balancer for TCP routing in GCP, perform the following steps:

  1. From the GCP Console, select Network services > Load balancing > Create load balancer.

  2. Under TCP Load Balancing, click Start configuration.

  3. Under Connection termination, select No (TCP). Click Continue.

    Lb connection termination

  4. On the New TCP load balancer screen, enter a unique name for the load balancer in the Name field. For example, MY-PCF-cf-tcp-lb.

  5. Select Backend configuration, and enter the following field values:

    • Region: Select the region you used to create the network in Create a GCP Network with Subnet.
    • From the Health check drop-down menu, create a health check with the following details:
      • Name: MY-PCF-tcp-lb
      • Port: 80
      • Request path: /health
      • Check interval: 30
      • Timeout: 5
      • Healthy threshold: 10
      • Unhealthy threshold: 2
      • Click Save and continue. Tcp lb backend
  6. Select Frontend configuration, and add the frontend IP and port entry as follows:

    • Protocol: TCP
    • IP: Perform the following steps:
      1. Select Create IP address.
      2. Enter a Name for the new static IP address and an optional description. For example, MY-PCF-cf-tcp-lb.
      3. Click Reserve.
    • Port: 1024-65535

    Tcp lb frontend

  7. Click Review and finalize to verify your configuration.

  8. Click Create.

Step 12: Add DNS Records for Your Load Balancers

In this step you redirect queries for your domain to the IP addresses of your load balancers.

  1. Locate the static IP addresses of the load balancers you created in Preparing to Deploy PCF on GCP:

    • An HTTP(S) load balancer named MY-PCF-global-pcf
    • A TCP load balancer for WebSockets named MY-PCF-wss-logs
    • A TCP load balancer named MY-PCF-ssh-proxy
    • A TCP load balancer named MY-PCF-cf-tcp-lb

      Note: You can locate the static IP address of each load balancer by clicking its name under Network services > Load balancing in the GCP Console.

  2. Log in to the DNS registrar that hosts your domain. Examples of DNS registrars include Network Solutions, GoDaddy, and Register.com.

  3. Create A records with your DNS registrar that map domain names to the public static IP addresses of the load balancers located above:

    Create and map this record…To the IP of this load balancerRequired
    *.sys.MY-DOMAIN
    Example: *.sys.example.com
    MY-PCF-global-pcf Yes
    *.apps.MY-DOMAIN
    Example: *.apps.example.com
    MY-PCF-global-pcf Yes
    doppler.sys.MY-DOMAIN
    Example: doppler.sys.example.com
    MY-PCF-wss-logs Yes
    loggregator.sys.MY-DOMAIN
    Example: loggregator.sys.example.com
    MY-PCF-wss-logs Yes
    ssh.sys.MY-DOMAIN
    Example: ssh.sys.example.com
    MY-PCF-ssh-proxy Yes, to allow SSH access to apps
    tcp.MY-DOMAIN
    Example: tcp.example.com
    MY-PCF-cf-tcp-lb No, only set up if you have enabled the TCP routing feature

  4. Save changes within the web interface of your DNS registrar.

  5. In a terminal window, run the following dig command to confirm that you created your A record successfully:

    dig xyz.EXAMPLE.COM

    You should see the A record that you just created:

    ;; ANSWER SECTION:
    xyz.EXAMPLE.COM.      1767    IN  A 203.0.113.1

What to Do Next

Create a pull request or raise an issue on the source for this page in GitHub