Creating the Virtual Private Cloud Network

Create the avi-networks custom VPC network:

gcloud compute networks create avi-networks --subnet-mode custom

Create the controller subnet in the avi-networks VPC network:

gcloud compute networks subnets create controller \
  --network avi-networks \
  --range 10.240.0.0/24

The 10.240.0.0/24 IP address range can host up to 254 compute instances.

1. Firewall Rules

Exporting the project and network names into environment variables

{
    export PROJECT_NAME=ocp-project-287514
    export NETWORK_NAME=sg-ltlql-network
    export MASTER_SUBNET=sg-ltlql-master-subnet
    export WORKER_SUBNET=sg-ltlql-worker-subnet
}

Creating Firewall Rules

Before creating the controller and Service Engines, we need to create the firewall rules that allow them to communicate with each other and with management clients.

Ingress Firewall rule for avicontroller

gcloud compute firewall-rules create avi-controller-ingress \
  --direction INGRESS \
  --allow tcp:22,tcp:443,tcp:8443,tcp:5054,tcp:5098,udp:123 \
  --network $NETWORK_NAME \
  --source-ranges 0.0.0.0/0 \
  --target-tags controller

Egress Firewall rule for avicontroller

gcloud compute firewall-rules create avi-controller-egress \
  --direction EGRESS \
  --allow tcp:22,tcp:443,tcp:8443,tcp:5098 \
  --network $NETWORK_NAME \
  --destination-ranges 0.0.0.0/0 \
  --target-tags controller

Ingress Firewall rule for Service Engine

gcloud compute firewall-rules create avi-se-ingress \
  --direction INGRESS \
  --allow tcp:22,udp:1550,75,97 \
  --network $NETWORK_NAME \
  --source-ranges 0.0.0.0/0 \
  --target-tags avise

Egress Firewall rule for Service Engine

gcloud compute firewall-rules create avi-se-egress \
  --direction EGRESS \
  --allow tcp:22,tcp:5098,tcp:8443,udp:1550,udp:123,75,97 \
  --network $NETWORK_NAME \
  --destination-ranges 0.0.0.0/0 \
  --target-tags avise

Ingress Firewall rule for Data Traffic

gcloud compute firewall-rules create avi-data-ingress \
  --direction INGRESS \
  --allow tcp:53,tcp:80,tcp:443,udp:53 \
  --network $NETWORK_NAME \
  --source-ranges 0.0.0.0/0 \
  --target-tags avise

Egress Firewall rule for Data Traffic

gcloud compute firewall-rules create avi-data-egress \
  --direction EGRESS \
  --allow tcp:53,udp:53,tcp:80,tcp:443 \
  --network $NETWORK_NAME \
  --destination-ranges 0.0.0.0/0 \
  --target-tags avise

Verification

gcloud compute firewall-rules list --filter=avi

NAME                    NETWORK                   DIRECTION  PRIORITY  ALLOW                                              DENY  DISABLED
avi-controller-egress   openshift4-4vsdg-network  EGRESS     1000      tcp:22,tcp:443,tcp:8443,tcp:5098                         False
avi-controller-ingress  openshift4-4vsdg-network  INGRESS    1000      tcp:22,tcp:443,tcp:8443,tcp:5054,tcp:5098,udp:123        False
avi-data-egress         openshift4-4vsdg-network  EGRESS     1000      udp:53                                                   False
avi-data-ingress        openshift4-4vsdg-network  INGRESS    1000      tcp:53,tcp:80,tcp:443,udp:53                             False
avi-se-egress           openshift4-4vsdg-network  EGRESS     1000      tcp:22,tcp:5098,tcp:8443,udp:1550,udp:123,75,97          False
avi-se-ingress          openshift4-4vsdg-network  INGRESS    1000      tcp:22,udp:1550,75,97                                    False
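As an added check that is not part of the original procedure: the rules above open the controller's management ports (SSH, 8443, 5054, 5098, NTP) to 0.0.0.0/0, and the table from gcloud does not show source ranges at all. The script below parses the JSON that `gcloud compute firewall-rules list --format=json` emits and reports which enabled INGRESS rules expose a management port to the whole Internet; the embedded sample is constructed to mirror two of the rules created above.

```python
import json

# Management/control ports from the rules above. tcp:443 is left out because
# the SEs also serve data-plane HTTPS on it; the data ports (53/80/443) are
# meant to be reachable from the Internet and are not flagged.
MGMT_PORTS = {"tcp": {22, 8443, 5054, 5098}, "udp": {123, 1550}}
PUBLIC = "0.0.0.0/0"

def expand_ports(spec: str) -> set:
    """Expand a gcloud port spec ('22' or '5050-5060') into a set of ints."""
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return set(range(int(lo), int(hi) + 1))
    return {int(spec)}

def exposed_mgmt_ports(rules: list) -> dict:
    """Map rule name -> ['tcp:22', ...] for enabled INGRESS rules that open
    a management port to 0.0.0.0/0. Rules with no finding are omitted."""
    findings = {}
    for rule in rules:
        if rule.get("disabled") or rule.get("direction") != "INGRESS":
            continue
        if PUBLIC not in rule.get("sourceRanges", []):
            continue
        hits = []
        for allowed in rule.get("allowed", []):
            proto = allowed.get("IPProtocol", "")
            ports = set()
            # gcloud omits "ports" when the entry allows every port of the protocol
            for spec in allowed.get("ports", ["0-65535"]):
                ports |= expand_ports(spec)
            hits += [f"{proto}:{p}" for p in sorted(ports & MGMT_PORTS.get(proto, set()))]
        if hits:
            findings[rule["name"]] = hits
    return findings

# Constructed sample in the shape of the gcloud JSON output, mirroring two rules above.
SAMPLE = json.loads("""[
 {"name": "avi-controller-ingress", "direction": "INGRESS", "disabled": false,
  "sourceRanges": ["0.0.0.0/0"], "targetTags": ["controller"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["22", "443", "8443", "5054", "5098"]}, {"IPProtocol": "udp", "ports": ["123"]}]},
 {"name": "avi-data-ingress", "direction": "INGRESS", "disabled": false,
  "sourceRanges": ["0.0.0.0/0"], "targetTags": ["avise"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["53", "80", "443"]}, {"IPProtocol": "udp", "ports": ["53"]}]}
]""")

if __name__ == "__main__":
    for name, ports in exposed_mgmt_ports(SAMPLE).items():
        print(f"{name}: {', '.join(ports)} reachable from {PUBLIC}")
```

Narrowing `--source-ranges` on avi-controller-ingress and avi-se-ingress to the administrators' CIDR (and letting the data rules keep 0.0.0.0/0) makes the report empty.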

2. Configuring Roles and Permission

Download the role definition YAML files

{
    wget https://raw.githubusercontent.com/avinetworks/devops/master/gcp/roles/storage_project_role.yaml
    wget https://raw.githubusercontent.com/avinetworks/devops/master/gcp/roles/network_project_role.yaml
    wget https://raw.githubusercontent.com/avinetworks/devops/master/gcp/roles/service_engine_project_role.yaml
    wget https://raw.githubusercontent.com/avinetworks/devops/master/gcp/roles/cluster_vip_role.yaml
}

Creating Roles in GCP

Creating Service Engine Project Role

gcloud iam roles create avi.se --project $PROJECT_NAME --file service_engine_project_role.yaml

Creating Network Project Role

gcloud iam roles create avi.network --project $PROJECT_NAME --file network_project_role.yaml

Creating Storage Project Role

gcloud iam roles create avi.storage --project $PROJECT_NAME --file storage_project_role.yaml

Assigning Roles to the Service Account

Assigning the Avi roles to the service account avi-service-account

# add-iam-policy-binding accepts a single --role per invocation (a repeated flag
# keeps only the last value), so each role is bound with its own command.
gcloud projects add-iam-policy-binding $PROJECT_NAME \
  --member serviceAccount:avi-service-account@$PROJECT_NAME.iam.gserviceaccount.com \
  --role projects/$PROJECT_NAME/roles/avi.se
gcloud projects add-iam-policy-binding $PROJECT_NAME \
  --member serviceAccount:avi-service-account@$PROJECT_NAME.iam.gserviceaccount.com \
  --role projects/$PROJECT_NAME/roles/   # role name incomplete in the source
gcloud projects add-iam-policy-binding $PROJECT_NAME \
  --member serviceAccount:avi-service-account@$PROJECT_NAME.iam.gserviceaccount.com \
  --role projects/$PROJECT_NAME/roles/avi.storage

Generate a Service Account Key

gcloud iam service-accounts keys create key.json \
  --iam-account avi-service-account@$PROJECT_NAME.iam.gserviceaccount.com

3. AVI Controller Installation

Creating AVI Controller Image

Download the Avi Controller image for GCP from the Avi Networks customer portal.

Create a new storage bucket and upload the controller image

Create a new bucket

gsutil mb -p $PROJECT_NAME -l asia-southeast1 -b on gs://avi-bucket-$(od -vAn -N4 -tu < /dev/urandom | sed -e 's/^[ \t]*//')

Export the bucket name into a variable

export BUCKET_NAME=$(gsutil ls | grep avi-bucket | sed 's#^gs://##;s#/$##')   # strip the gs:// prefix and trailing slash

Upload the Avi controller image into the bucket

gsutil cp gcp_controller.tar.gz gs://$BUCKET_NAME/

Create the Google Compute Engine image from the uploaded controller image

Create the controller image on GCE

gcloud compute images create avi-controller \
  --project=$PROJECT_NAME \
  --description="Avi Controller Image" \
  --source-uri=https://storage.googleapis.com/$BUCKET_NAME/gcp_controller.tar.gz

Results:

Created [https://www.googleapis.com/compute/v1/projects/ocp-project-287514/global/images/avi-controller].
NAME            PROJECT             FAMILY  DEPRECATED  STATUS
avi-controller  ocp-project-287514                      READY

Remove the image from the bucket

gsutil rm gs://$BUCKET_NAME/gcp_controller.tar.gz

Creating AVI Controller VM

gcloud compute instances create avi-controller \
  --image avi-controller \
  --machine-type n1-standard-8 \
  --metadata role=avicontroller \
  --tags controller,https-server \
  --boot-disk-size 128GB \
  --service-account avi-service-account@$PROJECT_NAME.iam.gserviceaccount.com \
  --network $NETWORK_NAME \
  --subnet $MASTER_SUBNET \
  --zone asia-southeast1-a

Clean Up

Removing Firewall Rules

gcloud compute firewall-rules delete avi-controller-ingress
gcloud compute firewall-rules delete avi-controller-egress
gcloud compute firewall-rules delete avi-se-ingress
gcloud compute firewall-rules delete avi-se-egress
gcloud compute firewall-rules delete avi-data-ingress
gcloud compute firewall-rules delete avi-data-egress

Removing Roles

# custom roles are project-scoped, so --project is required to delete them
gcloud iam roles delete avi.se --project $PROJECT_NAME
gcloud iam roles delete avi.network --project $PROJECT_NAME
gcloud iam roles delete avi.storage --project $PROJECT_NAME

Removing Bucket

gsutil rb gs://$BUCKET_NAME   # BUCKET_NAME holds the bare name, so the gs:// prefix is added back; the bucket must already be empty