Google Cloud Platform

This article describes how to import an Airlock Gateway cloud image and deploy it as a VM on Google Cloud Platform (GCP).

Cloud image import

Before starting, download the Airlock Gateway cloud image as a TAR.GZ archive containing a single RAW disk image (disk.raw) from the Airlock Gateway download page on Techzone. This archive is uploaded as-is to a Google Cloud Storage bucket and then registered as a Google Compute Engine (GCE) image; a tar.gz with a disk.raw inside is exactly the format GCE expects, so no conversion is needed.

Uploading and creating a GCE image

The Airlock Gateway cloud image must be uploaded to a Google Cloud Storage bucket in your GCP project. From there, a new GCE image can be created. Bucket names are global, so choose one that is unique; the bucket is only needed until the image has been created and can be deleted afterwards:

Terminal box
# Placeholders (adapt to your download): the archive as downloaded from Techzone
# and the name the new GCE image should get in your project.
GCE_IMG_FILE="airlock-gateway-cloud-image.tar.gz"
GCE_IMG_NAME="airlock-waf-7-2"
UPLOAD_BUCKET="gs://airlock-gateway-image-upload-tmp"

# create a temporary bucket for upload
gsutil mb "${UPLOAD_BUCKET}"

# upload the image archive (tar.gz containing disk.raw, unchanged)
gsutil cp "${GCE_IMG_FILE}" "${UPLOAD_BUCKET}/"

# create the GCE image from the uploaded file
gcloud compute images create "${GCE_IMG_NAME}" \
  --source-uri="${UPLOAD_BUCKET}/${GCE_IMG_FILE}"

# clean up: remove files and bucket (the image no longer depends on them)
gsutil rm "${UPLOAD_BUCKET}/*"
gsutil rb "${UPLOAD_BUCKET}"

Instance creation

VM creation options

Since the Airlock Gateway cloud image relies on cloud-init for provisioning, the following GCE settings must be specified, either globally in the GCE metadata of your project or in the metadata of a specific VM (instance metadata takes precedence):

  • SSH key configuration: An SSH public key must be configured to enable SSH access to an Airlock Gateway instance. It is mandatory that the key is registered under the user name cloudinit, i.e. the ssh-keys metadata value has the form cloudinit:<public key>.

  • Cloud-init user-data usage: To inject user-data at boot time, create a metadata entry with the key user-data and the cloud-config content as its value. We recommend configuring at least the following options:
    • Swap space: The Airlock Gateway cloud image does not include preconfigured swap. Configure swap space via the user-data script as explained under Swap configuration.
    • Administrator user: Define a default administrator for the Airlock Gateway Configuration Center via the user-data script, as described under Administrative access configuration.

  • Machine type specification: For instance sizing, refer to the Disk image properties table.

  • Serial console diagnostics enablement: The Airlock Gateway cloud image is configured to support the GCP serial console, which can be useful for debugging. For details on enabling the serial console for a VM, refer to the Google Cloud documentation on the serial console.

Example of a full gcloud compute instances create command

Terminal box
INSTANCE_NAME="airlock-waf-1"
IMAGE_NAME="airlock-waf-7-2"
SSH_KEY="ssh-rsa AAAA...ihEn cloudinit"
# cloud-config passed as user-data; the swap settings must be indented below "swap:"
USER_DATA='#cloud-config
swap:
  size: 2G
  filename: /swap.img'

# block-project-ssh-keys=true: only the instance-level cloudinit key is accepted.
# --no-service-account --no-scopes: the VM receives no GCP API credentials.
# For longer cloud-configs, --metadata-from-file user-data=FILE avoids quoting issues.
gcloud compute instances create "${INSTANCE_NAME}" --zone=europe-west3-a \
  --machine-type=n1-standard-2 --subnet=default --network-tier=PREMIUM \
  --metadata=user-data="${USER_DATA}",block-project-ssh-keys=true,ssh-keys="cloudinit:${SSH_KEY}" \
  --maintenance-policy=MIGRATE --no-service-account --no-scopes \
  --tags=http-server,https-server --image="${IMAGE_NAME}" --boot-disk-size=10GB \
  --boot-disk-type=pd-ssd --boot-disk-device-name="${INSTANCE_NAME}"

Opening the required ports

In Google Cloud, inbound and outbound traffic is controlled through VPC firewall rules. Ingress that no rule allows is denied, so by default a newly created VM instance is only reachable via SSH on port 22 (and, in the default network, RDP and ICMP through the pre-populated default-allow-* rules). To make Airlock Gateway fully usable, additional inbound firewall rules covering the following ports must be added to the VPC network:

  • 8443 for the Airlock Gateway Configuration Center
  • 80 and/or 443 for virtual hosts (HTTP/HTTPS)

These inbound ports correspond to the port assignment recommended for the Airlock network setup. Scope each rule as narrowly as possible: limit the 8443 rule to the source addresses of your administrators rather than 0.0.0.0/0, and bind rules to the gateway VM through its network tags (http-server and https-server in the example above) instead of applying them to every instance in the network.

For step-by-step instructions on creating firewall rules, refer to the VPC firewall rules section in the GCP documentation.
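The following script is an added example of the two rules described above; it is not part of the Airlock Gateway documentation or tooling. It assumes the VPC network default, the network tags http-server and https-server from the instance creation example, an administrator source range 203.0.113.0/24 (placeholder) and the rule names airlock-allow-config-center and airlock-allow-vhosts (placeholders). Without the argument apply it only prints the gcloud commands.

```shell
#!/bin/sh
# Added example (not from the Airlock Gateway documentation): create the inbound
# VPC firewall rules an Airlock Gateway VM needs. NETWORK, ADMIN_RANGE, ADMIN_TAGS
# and the rule names are placeholders to adapt to your project.
set -eu

NETWORK="${NETWORK:-default}"                 # VPC network the instance is attached to
ADMIN_RANGE="${ADMIN_RANGE:-203.0.113.0/24}"  # placeholder: CIDR of the administrators
ADMIN_TAGS="${ADMIN_TAGS:-https-server}"      # tag(s) on the VM allowed to expose 8443
VHOST_TAGS="http-server,https-server"         # tags used in the instance creation example

# Pass "apply" as the first argument to execute; otherwise the commands are only printed.
GCLOUD=gcloud
[ "${1:-}" = "apply" ] || GCLOUD=echo

# fw_rule NAME ALLOW SOURCE_RANGES TARGET_TAGS
# One ingress allow rule; only instances carrying one of TARGET_TAGS are affected.
fw_rule() {
  "$GCLOUD" compute firewall-rules create "$1" \
    --network="$NETWORK" --direction=INGRESS --priority=1000 \
    --allow="$2" --source-ranges="$3" --target-tags="$4"
}

# 8443 (Configuration Center): administrators only, never 0.0.0.0/0.
airlock_config_center_rule() {
  fw_rule airlock-allow-config-center tcp:8443 "$ADMIN_RANGE" "$ADMIN_TAGS"
}

# 80/443 (virtual hosts): reachable from anywhere.
airlock_vhost_rule() {
  fw_rule airlock-allow-vhosts tcp:80,tcp:443 0.0.0.0/0 "$VHOST_TAGS"
}

airlock_config_center_rule
airlock_vhost_rule
```

Run it once without arguments to review the generated commands, then with apply. Keeping the Configuration Center rule on its own tag set and source range means you can later tighten or remove administrative access without touching the public virtual-host rule.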