Installing AVI on Google Cloud Platform
Creating the Virtual Private Cloud Network
Create the avi-networks custom VPC network:
gcloud compute networks create avi-networks --subnet-mode custom
Create the controller subnet in the avi-networks VPC network:
gcloud compute networks subnets create controller \
--network avi-networks \
--range 10.240.0.0/24
GCP reserves four addresses in every primary subnet range (the network address, the default gateway, the second-to-last address and the broadcast address), so a /24 leaves 252 usable addresses for compute instances.
The remaining steps reference the network and subnets through the NETWORK_NAME, MASTER_SUBNET and WORKER_SUBNET variables exported below. If you use the avi-networks VPC created here rather than an existing network, set NETWORK_NAME to avi-networks and MASTER_SUBNET to controller.
1. Firewall Rules
Export the project, network and subnet names into environment variables. The values below are the ones used in this walkthrough; replace them with your own:
{
export PROJECT_NAME=ocp-project-287514
export NETWORK_NAME=sg-ltlql-network
export MASTER_SUBNET=sg-ltlql-master-subnet
export WORKER_SUBNET=sg-ltlql-worker-subnet
}
Creating Firewall Rules
Before creating the Controller and the Service Engines, create the firewall rules that allow them to communicate with each other and with clients. The rules select instances by target tag (controller, avise), so the same tags must be applied to the VMs later. The bare numbers 75 and 97 in the Service Engine rules are IP protocol numbers, not ports.
All of the ingress rules below use 0.0.0.0/0 as the source range. That makes SSH, the Controller UI/API and the Controller-to-SE channels reachable from any address that can route to the instances, which includes the whole Internet if the instances have external IPs. In a production deployment replace 0.0.0.0/0 with your administrative CIDR for tcp:22 and tcp:443 on the Controller, and with the Controller and SE subnet ranges (or --source-tags controller / --source-tags avise) for the remaining management ports. Only the data traffic rule (tcp/udp 53, tcp 80 and tcp 443 on the Service Engines) legitimately needs to be open to clients.
Ingress firewall rule for the Avi Controller
gcloud compute firewall-rules create avi-controller-ingress \
--direction INGRESS \
--allow tcp:22,tcp:443,tcp:8443,tcp:5054,tcp:5098,udp:123 \
--network $NETWORK_NAME \
--source-ranges 0.0.0.0/0 \
--target-tags controller
Egress firewall rule for the Avi Controller
gcloud compute firewall-rules create avi-controller-egress \
--direction EGRESS \
--allow tcp:22,tcp:443,tcp:8443,tcp:5098 \
--network $NETWORK_NAME \
--destination-ranges 0.0.0.0/0 \
--target-tags controller
Ingress firewall rule for the Service Engines
gcloud compute firewall-rules create avi-se-ingress \
--direction INGRESS \
--allow tcp:22,udp:1550,75,97 \
--network $NETWORK_NAME \
--source-ranges 0.0.0.0/0 \
--target-tags avise
Egress firewall rule for the Service Engines
gcloud compute firewall-rules create avi-se-egress \
--direction EGRESS \
--allow tcp:22,tcp:5098,tcp:8443,udp:1550,udp:123,75,97 \
--network $NETWORK_NAME \
--destination-ranges 0.0.0.0/0 \
--target-tags avise
Ingress firewall rule for data traffic (virtual services on the Service Engines)
gcloud compute firewall-rules create avi-data-ingress \
--direction INGRESS \
--allow tcp:53,tcp:80,tcp:443,udp:53 \
--network $NETWORK_NAME \
--source-ranges 0.0.0.0/0 \
--target-tags avise
Egress firewall rule for data traffic (virtual services on the Service Engines)
gcloud compute firewall-rules create avi-data-egress \
--direction EGRESS \
--allow tcp:53,udp:53,tcp:80,tcp:443 \
--network $NETWORK_NAME \
--destination-ranges 0.0.0.0/0 \
--target-tags avise
Verification
gcloud compute firewall-rules list --filter=avi
NAME                    NETWORK                   DIRECTION  PRIORITY  ALLOW                                              DENY  DISABLED
avi-controller-egress   openshift4-4vsdg-network  EGRESS     1000      tcp:22,tcp:443,tcp:8443,tcp:5098                         False
avi-controller-ingress  openshift4-4vsdg-network  INGRESS    1000      tcp:22,tcp:443,tcp:8443,tcp:5054,tcp:5098,udp:123        False
avi-data-egress         openshift4-4vsdg-network  EGRESS     1000      udp:53                                                   False
avi-data-ingress        openshift4-4vsdg-network  INGRESS    1000      tcp:53,tcp:80,tcp:443,udp:53                             False
avi-se-egress           openshift4-4vsdg-network  EGRESS     1000      tcp:22,tcp:5098,tcp:8443,udp:1550,udp:123,75,97          False
avi-se-ingress          openshift4-4vsdg-network  INGRESS    1000      tcp:22,udp:1550,75,97                                    False
This listing was captured from a different project than the variables above (note the network name), and its avi-data-egress row shows only udp:53; compare the ALLOW column against the rules you actually created rather than against this sample.
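Because every ingress rule above uses --source-ranges 0.0.0.0/0, it is worth having a repeatable check for which management ports end up world-reachable after someone edits the rules. The script below is an added example, not part of the original page or of Avi's tooling. It classifies ports by the target tags used on this page (controller, avise), treats 53/80/443 on Service Engines as legitimate data-plane exposure, and ships with a constructed sample that mimics the gcloud output; the 203.0.113.0/24 and 10.240.0.0/24 ranges in the hardened sample rule are placeholders.

```shell
#!/bin/sh
# Added example (not from the original page or from Avi): audit the Avi
# firewall rules for management ports reachable from 0.0.0.0/0.
# Feed it the output of
#   gcloud compute firewall-rules list --filter="name~^avi" \
#     --format="value[separator='|'](name,direction,sourceRanges.list(),targetTags.list(),allowed[].map().firewall_rule().list())"
# i.e. one rule per line: NAME|DIRECTION|SOURCE_RANGES|TARGET_TAGS|ALLOWED

# Management-plane ports per target tag, taken from the rules on this page.
# On Service Engines 53/80/443 carry virtual-service traffic and are expected
# to be reachable by clients, so they are deliberately not listed here.
mgmt_ports_for_tag() {
    case "$1" in
        controller) echo "tcp:22 tcp:443 tcp:8443 tcp:5054 tcp:5098" ;;
        avise)      echo "tcp:22 udp:1550" ;;
        *)          echo "tcp:22" ;;   # untagged rules apply to every VM
    esac
}

# Reads rules on stdin; prints "<rule> <port>" for every management port an
# INGRESS rule exposes to 0.0.0.0/0. Returns 1 if anything was found.
audit_mgmt_exposure() {
    found=0
    while IFS='|' read -r name direction sources tags allowed; do
        [ "$direction" = "INGRESS" ] || continue
        case ",$sources," in
            *,0.0.0.0/0,*) ;;          # world-reachable: inspect it
            *) continue ;;
        esac
        # A bare protocol (no port) or "all" opens every port.
        case ",$allowed," in
            *,all,*|*,tcp,*|*,udp,*) echo "$name all-ports"; found=1; continue ;;
        esac
        [ -n "$tags" ] || tags="(any)"
        seen=""
        for tag in $(printf '%s' "$tags" | tr ',' ' '); do
            for port in $(mgmt_ports_for_tag "$tag"); do
                case " $seen " in *" $port "*) continue ;; esac   # already reported
                case ",$allowed," in
                    *,"$port",*) echo "$name $port"; found=1; seen="$seen $port" ;;
                esac
            done
        done
    done
    return $found
}

# Constructed sample in the format above (not captured from a real project).
# The "-admin" rule is the hardened form of avi-controller-ingress.
SAMPLE_RULES='avi-controller-ingress|INGRESS|0.0.0.0/0|controller|tcp:22,tcp:443,tcp:8443,tcp:5054,tcp:5098,udp:123
avi-se-ingress|INGRESS|0.0.0.0/0|avise|tcp:22,udp:1550,75,97
avi-data-ingress|INGRESS|0.0.0.0/0|avise|tcp:53,tcp:80,tcp:443,udp:53
avi-controller-ingress-admin|INGRESS|203.0.113.0/24,10.240.0.0/24|controller|tcp:22,tcp:443,tcp:8443,tcp:5054,tcp:5098,udp:123
avi-se-egress|EGRESS||avise|tcp:22,tcp:5098,tcp:8443,udp:1550,udp:123,75,97'

# Usage: printf '%s\n' "$SAMPLE_RULES" | audit_mgmt_exposure
# Live:  gcloud compute firewall-rules list ... (format above) | audit_mgmt_exposure
```

On the sample this reports the five Controller management ports of avi-controller-ingress and tcp:22 plus udp:1550 of avi-se-ingress, stays silent on avi-data-ingress, and exits non-zero so it can gate a pipeline.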
2. Configuring Roles and Permissions
Download the custom role definition files
{
wget https://raw.githubusercontent.com/avinetworks/devops/master/gcp/roles/storage_project_role.yaml
wget https://raw.githubusercontent.com/avinetworks/devops/master/gcp/roles/network_project_role.yaml
wget https://raw.githubusercontent.com/avinetworks/devops/master/gcp/roles/service_engine_project_role.yaml
wget https://raw.githubusercontent.com/avinetworks/devops/master/gcp/roles/cluster_vip_role.yaml
}
Creating Role in GCP
Creating Service Engine Project Role
gcloud iam roles create avi.se --project $PROJECT_NAME --file service_engine_project_role.yaml
Creating Network Project Role
gcloud iam roles create avi.network --project $PROJECT_NAME --file network_project_role.yaml
Creating Storage Project Role
gcloud iam roles create avi.storage --project $PROJECT_NAME --file storage_project_role.yaml
Assigning Roles to the Service Account
Create the avi-service-account service account if it does not exist yet:
gcloud iam service-accounts create avi-service-account --project $PROJECT_NAME
Bind the three custom roles created above to it. gcloud projects add-iam-policy-binding accepts a single --role per invocation, so run it once per role:
for ROLE in avi.se avi.network avi.storage; do
gcloud projects add-iam-policy-binding $PROJECT_NAME \
--member serviceAccount:avi-service-account@$PROJECT_NAME.iam.gserviceaccount.com \
--role projects/$PROJECT_NAME/roles/$ROLE
done
Generating a Service Account Key
A JSON key is only needed if the Controller will authenticate to GCP with a key file. When the Controller VM runs with this service account attached (as in the instance creation below), the Avi GCP cloud connector can use the instance's metadata credentials instead and no key needs to exist. If you do create one, treat key.json as a long-lived credential: restrict its file permissions, do not commit it anywhere, and delete the key from GCP once it is no longer needed.
gcloud iam service-accounts keys create key.json \
--iam-account avi-service-account@$PROJECT_NAME.iam.gserviceaccount.com
3. AVI Controller Installation
Creating the AVI Controller Image
Download the Avi Controller image for GCP from the Avi Networks customer portal.
Create a new storage bucket and upload the controller image
Bucket names are global, so pick a randomised name, keep it in a variable for the later steps and create the bucket with uniform bucket-level access (-b on):
export BUCKET_NAME=avi-bucket-$(od -vAn -N4 -tu < /dev/urandom | tr -d ' ')
gsutil mb -p $PROJECT_NAME -l asia-southeast1 -b on gs://$BUCKET_NAME
Upload the Avi Controller image archive into the bucket:
gsutil cp gcp_controller.tar.gz gs://$BUCKET_NAME/
Create the Google Compute Engine image from the uploaded archive:
gcloud compute images create avi-controller --project=$PROJECT_NAME --description="Avi Controller Image" --source-uri=https://storage.googleapis.com/$BUCKET_NAME/gcp_controller.tar.gz
Results:
Created [https://www.googleapis.com/compute/v1/projects/ocp-project-287514/global/images/avi-controller].
NAME            PROJECT             FAMILY  DEPRECATED  STATUS
avi-controller  ocp-project-287514                      READY
Remove the archive from the bucket; the GCE image no longer depends on it:
gsutil rm gs://$BUCKET_NAME/gcp_controller.tar.gz
Creating the AVI Controller VM
The instance carries the controller tag that the firewall rules above target and runs as avi-service-account. An attached service account can only call the APIs permitted by the instance's access scopes, so --scopes cloud-platform is set here; what the Controller may actually do is then bounded by the IAM roles bound above, not by the scope.
gcloud compute instances create avi-controller \
--image avi-controller \
--machine-type n1-standard-8 \
--metadata role=avicontroller \
--tags controller,https-server \
--boot-disk-size 128GB \
--service-account avi-service-account@$PROJECT_NAME.iam.gserviceaccount.com \
--scopes cloud-platform \
--network $NETWORK_NAME \
--subnet $MASTER_SUBNET \
--zone asia-southeast1-a
Clean Up
Removing Firewall Rules
gcloud compute firewall-rules delete avi-controller-ingress
gcloud compute firewall-rules delete avi-controller-egress
gcloud compute firewall-rules delete avi-se-ingress
gcloud compute firewall-rules delete avi-se-egress
gcloud compute firewall-rules delete avi-data-ingress
gcloud compute firewall-rules delete avi-data-egress
Removing Roles
Custom roles are project-scoped, so the project must be given:
gcloud iam roles delete avi.se --project $PROJECT_NAME
gcloud iam roles delete avi.network --project $PROJECT_NAME
gcloud iam roles delete avi.storage --project $PROJECT_NAME
Removing the Service Account Key
If a key.json was generated, revoke it in GCP as well as deleting the file; list the user-managed keys and delete each by its KEY_ID:
gcloud iam service-accounts keys list --managed-by user --iam-account avi-service-account@$PROJECT_NAME.iam.gserviceaccount.com
gcloud iam service-accounts keys delete KEY_ID --iam-account avi-service-account@$PROJECT_NAME.iam.gserviceaccount.com
Removing the Bucket
gsutil rb gs://$BUCKET_NAME