Follow-along guide for creating a GCVE Private Cloud and accessing it via Bastion Host

Satyapal Singh
Google Cloud - Community
10 min read · Feb 12, 2024

If you’re a beginner (like myself) starting off with GCVE for the first time, it can seem a daunting task to provision a private cloud. It might even be difficult to decipher what exactly a private cloud is, what an ESXi host is, what clusters are, etc. You toil hard — read a plethora of documentation, pay StackOverflow umpteen visits, put two and two together and finally provision your first private cloud in GCVE, but then what? What happens next? How do you reap the rewards of your hard work? How do you actually get your hands dirty with this new thing? That’s another enigma needing some demystifying. Through this article we try answering these questions.

Key Terminology

  1. Private Cloud
    Isolated VMware stack comprising the compute, network and storage components of GCVE, namely — nodes, NSX and vSAN.
  2. ESXi
    Hypervisor (Virtual Machine Manager) installed on top of the physical nodes.
  3. Cluster
    Collection of multiple ESXi hosts. Houses the management appliances and required infrastructure for running workload VMs.
  4. vCenter Server
    Centralized management tool/server. Provides single point of control for different VMware infra components, allowing VM provisioning, monitoring and resource management.
  5. vSphere
    Entire virtualization platform. Includes ESXi, vCenter Server, vSphere Client, etc.
  6. NSX
    Network virtualization and security software.
  7. vSAN
    Virtualized storage platform.
  8. Bastion host
    External point of entry into a Virtual Private Cloud (VPC) network that contains VMs that don’t have external IP addresses.

NOTE: The idea of this article is to make the reader acquainted with the process of provisioning a private cloud and the steps required to be able to access it. It is not intended as a deep dive into Google Cloud VMware Engine concepts and individual components.

Architecture

High level overview of the infrastructure

In this approach, we will access the vSphere client from our local computer via an RDP client. To achieve this, we set up an Identity-Aware Proxy (IAP) tunnel from our local computer to a GCE VM acting as the bastion host. The VM sits inside our GCP VPC network. Firewall rules are put in place to allow communication to and from the bastion VM. This VPC network is peered with the GCVE network, which is also created beforehand. A VMware private cloud is provisioned, and new VMs are created in it via the vSphere client. Network policies on the GCVE side are put in place to allow or deny internet access from those VMs.

Setting up the infrastructure

Think of the complete infrastructure as a working combination of the following components:
1. GCVE Network
2. Private cloud inside this network
3. GCP VPC Network
4. Firewall Rules on this network
5. Bastion host inside this network
6. VPC Peering between the two networks
7. IAP Tunnel between your computer and the bastion host
8. Optional: Cloud NAT inside the VPC and Network Policies in GCVE network.

We discuss, in detail, each of these components in the following sections.

  1. GCVE Network
    You need to enable the VMware Engine API first. You can either search for ‘VMware Engine API’ in the search bar or open the VMware Engine portal directly, which will redirect you to the API screen.

Once the API is enabled and you’re at the VMware Engine portal follow these steps:

Step 1. Click on VMware Engine networks -> CREATE.

Step 2. You can provide any suitable name for the network and an optional description and click ‘Create’

2. GCVE Private Cloud

Step 1. Click on ‘Private clouds -> CREATE’

Step 2. Provide any suitable name to the private cloud and an optional description.

Step 3. Choose the type of private cloud that you require. For the purpose of this demonstration we will choose ‘Single node private cloud’. It costs about $10/hour. A Standard private cloud has 3 nodes and costs about $30/hour.

Step 4. Choose your desired region and zone. For our demonstration they are ‘asia-south2’ and ‘asia-south2-a’ respectively.

Step 5. Fill in any suitable name under the ‘Cluster name’ for the primary cluster. Select `ve1-standard-72` as node type.

Step 6. Under the Networking tab, enter an IP address range for the Management plane. For this blog, we go with 10.10.0.0/23. In the VMware Engine network section, choose the ‘Select from existing network’ option and choose the GCVE network that we created in the previous section.

Step 7. Click on CREATE. It usually takes up ~2.5 hours for the private cloud to be provisioned.

3. GCP VPC Network:

You can choose to go ahead with the default VPC network in your project for establishing a VPC peering connection with your GCVE network. If a default network doesn’t exist in your project you can create a custom VPC by following this documentation: https://cloud.google.com/vpc/docs/create-modify-vpc-networks.

Example VPC network details:
Name : gcp-vpc-network
Subnet: gcp-asia-subnet
Region: asia-south2
Internal IP Range: 172.16.0.0/24

4. Firewall Rules on the VPC:

We will create two firewall rules for the VPC. The first one allows the creation of an IAP tunnel from your local computer to the bastion host. The second rule allows TCP traffic on the management ports, and ICMP, from the bastion host to the other instances in the VPC.

Step 1. Go to VPC Network -> Firewall and click + CREATE FIREWALL RULE.

Step 2. Provide a suitable name for the rule. We choose ‘allow-iap-to-bastion’. Leave the rest of the fields to their defaults.

Step 3. Select Targets -> Specified target tags.

Step 4. In Target tags enter bastion. You can choose to enter any tag in place of bastion. Just make sure that you specify the exact same tag name when you are creating your bastion VM.

Step 5. Select Source filter -> IPv4 ranges

Step 6. Specify this exact IPv4 address range: 35.235.240.0/20. This is the source range that IAP TCP forwarding uses, so it allows IAP-brokered connections to resources inside your VPC while keeping RDP closed to everything else.

Step 7. In Protocols and ports -> Specified protocols and ports, check TCP and enter 3389 in Ports.

Step 8. Leave any other setting as default and click CREATE.

Now, we will create the second firewall rule with the name allow-mgmt-from-bastion. Besides the name, you can leave all other fields at their default values and edit from the ‘Targets’ field onward.

Step 1. In Targets, select All instances in the network.

Step 2. Select Source filter -> Source tags.

Step 3. In Source tags enter bastion. This again has to be the same as the tag that you are going to provide to your bastion VM during its creation.

Step 4. In Protocols and ports -> Specified protocols and ports, check TCP and enter 22, 80, 443, 3389 in Ports. Check Other as well and enter icmp in Protocols.

Step 5. Leave anything else as default and click on CREATE.

5. Configuring the Bastion Host for accessing Private Cloud.

Step 1. Enable the Cloud Identity-Aware Proxy API. You can do so by searching for the same.

Step 2. Create a service account. Go to IAM & Admin -> Service Accounts.

Step 3. Provide a name to the service account. We call it bastion-sa. Click CREATE AND CONTINUE.

Step 4. In the second section — Grant this service account access to project, give it the following roles:

Logs Writer
Monitoring Metric Writer
Monitoring Viewer
Compute OS Login

Step 5. Click on CONTINUE.

Step 6. In the Grant users access to this service account section, under the Service account users role, provide the user account email that will impersonate this service account. In our case it’s art@dranetechnologies.joonix.net.

Step 7. Click on `Done`.

Step 8. Assign the required role to your primary user to be able to create and use an IAP tunnel. Go to IAM & Admin -> IAM.

Step 9. Click on Grant Access. In the New principals field enter your primary user account. Under Assign roles, select the IAP-Secured Tunnel User role and click on SAVE.

Provision the compute engine instance to act as the bastion host

Step 1. Go to Compute Engine -> Virtual Machines -> VM instances and click on CREATE INSTANCE.

Step 2. Provide a suitable name for the instance. Select the region and zone of the instance to be the same as of the provisioned private cloud. Let the machine type be default.

Step 3. Change the Boot disk option. Select PUBLIC IMAGES. Use the following configuration and click SELECT.

Operating system: Windows Server
Version: Windows Server 2019 Datacenter
Boot disk type: Balanced Persistent Disk
Size: 50 GB

Step 4. In the Identity and API access section, select the service account that you created in one of the previous steps.

Step 5. Under Advanced options -> Networking set the Network tags field with any value. We have chosen bastion.

Step 6. In Network Interfaces, select your VPC network and corresponding subnet. Set External IPv4 address to None.
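The firewall rules, service account, roles and bastion VM from the two sections above can also be created from the command line. The script below is an added example, not code from the original article or from Google: it issues the gcloud equivalents of those console clicks, using the names from the article (gcp-vpc-network, gcp-asia-subnet, bastion, bastion-sa, bastion-vm). PROJECT_ID and TUNNEL_USER are placeholders you must set; without the `apply` argument it only prints the commands so they can be reviewed first.

```shell
#!/bin/sh
# Added example (not from the original article): gcloud equivalents of the
# console steps for the two VPC firewall rules, the bastion service account
# and its roles, the IAP tunnel role for your user, and the bastion VM.
# PROJECT_ID and TUNNEL_USER are placeholders; every other name is the
# article's own.
set -eu

PROJECT_ID="${PROJECT_ID:-my-project-id}"       # placeholder: your GCP project id
TUNNEL_USER="${TUNNEL_USER:-you@example.com}"   # placeholder: user who opens the tunnel
NETWORK="gcp-vpc-network"
SUBNET="gcp-asia-subnet"
ZONE="asia-south2-a"
BASTION_TAG="bastion"
BASTION_VM="bastion-vm"
SA_NAME="bastion-sa"
SA_EMAIL="$SA_NAME@$PROJECT_ID.iam.gserviceaccount.com"
IAP_RANGE="35.235.240.0/20"   # source range used by IAP TCP forwarding

# Unless APPLY=1 (set by "apply"), commands are printed instead of executed.
run() {
  if [ "${APPLY:-0}" = "1" ]; then "$@"; else echo "+ $*"; fi
}

# Rule 1 (allow-iap-to-bastion): only the IAP range may reach RDP (3389)
# on instances carrying the "bastion" network tag.
create_iap_rule() {
  run gcloud compute firewall-rules create allow-iap-to-bastion \
    --project="$PROJECT_ID" --network="$NETWORK" --direction=INGRESS \
    --source-ranges="$IAP_RANGE" --target-tags="$BASTION_TAG" --allow=tcp:3389
}

# Rule 2 (allow-mgmt-from-bastion): traffic whose source carries the bastion
# tag may reach any instance in the VPC on the management ports and ICMP.
# No --target-tags means "all instances in the network", as in the console.
create_mgmt_rule() {
  run gcloud compute firewall-rules create allow-mgmt-from-bastion \
    --project="$PROJECT_ID" --network="$NETWORK" --direction=INGRESS \
    --source-tags="$BASTION_TAG" --allow=tcp:22,tcp:80,tcp:443,tcp:3389,icmp
}

# Service account with exactly the four project roles the article grants,
# plus Service Account User for TUNNEL_USER so it can attach the SA to the VM.
create_service_account() {
  run gcloud iam service-accounts create "$SA_NAME" --project="$PROJECT_ID"
  for role in roles/logging.logWriter roles/monitoring.metricWriter \
              roles/monitoring.viewer roles/compute.osLogin; do
    run gcloud projects add-iam-policy-binding "$PROJECT_ID" \
      --member="serviceAccount:$SA_EMAIL" --role="$role"
  done
  run gcloud iam service-accounts add-iam-policy-binding "$SA_EMAIL" \
    --project="$PROJECT_ID" --member="user:$TUNNEL_USER" \
    --role=roles/iam.serviceAccountUser
}

# IAP-Secured Tunnel User (roles/iap.tunnelResourceAccessor) for the person
# who will run start-iap-tunnel.
grant_tunnel_role() {
  run gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member="user:$TUNNEL_USER" --role=roles/iap.tunnelResourceAccessor
}

# Windows Server 2019 bastion: tagged, on the VPC subnet, no external address,
# running as the dedicated service account. Machine type stays the default.
create_bastion_vm() {
  run gcloud compute instances create "$BASTION_VM" \
    --project="$PROJECT_ID" --zone="$ZONE" \
    --image-family=windows-2019 --image-project=windows-cloud \
    --boot-disk-type=pd-balanced --boot-disk-size=50GB \
    --network="$NETWORK" --subnet="$SUBNET" --no-address \
    --tags="$BASTION_TAG" --service-account="$SA_EMAIL"
}

main() {
  if [ "${1:-}" = "apply" ]; then APPLY=1; fi
  create_iap_rule
  create_mgmt_rule
  create_service_account
  grant_tunnel_role
  create_bastion_vm
}

main "$@"
```

Run it once without arguments to read the generated commands, then `sh bastion-setup.sh apply` (with PROJECT_ID and TUNNEL_USER exported) to execute them. The two rules are deliberately asymmetric: the first opens a single port to a single Google-owned source range, while the second only matters for traffic that already originates from the bastion, so nothing outside the VPC gains reach from it.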

6. VPC Peering between GCP VPC and GCVE Network

Go back to the VMware Engine portal and follow the steps as mentioned here.

Step 1. Navigate to VPC Network peering and click on Create.

Step 2. Provide a name to the peering connection.

Step 3. Choose the VMware Engine network name that you created in one of the previous steps.

Step 4. Choose Standard as the Peered VPC type and select the VPC to be peered with in the Peered VPC name. This would be your GCP VPC network where your bastion host resides.

Step 5. Make sure both Import custom routes and Export custom routes are checked under Exchange custom routes.

Step 6. Click on CREATE. Wait for the peering to be established. On successful creation of the peering you will see the status as Active.

7. Remote Desktop Configuration

In this step, we will create a new user for ourselves to be able to log into the OS that we installed onto the bastion VM in one of the previous steps.

Step 1. Go to Compute Engine -> VM instances. Click on the small drop-down arrow in the Connect column of your bastion VM.

Step 2. Click on Set Windows password. A pop-up will appear as shown in the screenshot below. Enter a username and click on SET.

The new windows password will show up. Make a note of this password. We will use it to log into our remote desktop.

Step 3. Start the IAP tunnel with the following command. Run the command in your local terminal. Make sure that you already have gcloud installed on your machine.

gcloud compute start-iap-tunnel bastion-vm 3389 --zone asia-south2-a

Step 4. Download any remote desktop client. We are using the Microsoft Remote Desktop app.

Step 5. Open the app and add a new PC. In the PC name enter localhost:<port_number>. The port_number is the one that your machine listens on when you start the IAP tunnel. Check your terminal for it. In this example, it’s 56215.

Step 6. Leave the remaining fields as default and click on Add.
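Because gcloud picks a free local port each time the tunnel starts, the RDP target changes from run to run. The helper below is an added example, not part of the original article: it starts the tunnel in the background, waits for gcloud's own "Listening on port [N]." status line, and prints the localhost:PORT value to paste into the RDP client. The VM name and zone are the article's; the wait loop, file names and timeout are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): start the IAP tunnel to the
# bastion, discover the local port gcloud chose, and print the RDP target.
# The "Listening on port [N]." text is gcloud's status message; the rest is
# this helper's own (assumed) behaviour.
set -eu

BASTION_VM="bastion-vm"
ZONE="asia-south2-a"
WAIT_SECONDS=30   # assumed: how long to wait for the tunnel to come up

# Extract the port from a line such as "Listening on port [56215]."
# Prints the port and returns 0; returns 1 (prints nothing) for any other line.
tunnel_port_from_line() {
  case "$1" in
    *"Listening on port ["*"]"*)
      p="${1##*Listening on port [}"
      p="${p%%]*}"
      echo "$p" ;;
    *) return 1 ;;
  esac
}

# Launch gcloud in the background, logging both stdout and stderr (gcloud
# reports the port on stderr), then poll the log until the port appears.
start_tunnel() {
  log="$(mktemp)"
  gcloud compute start-iap-tunnel "$BASTION_VM" 3389 --zone="$ZONE" >"$log" 2>&1 &
  tunnel_pid=$!
  echo "$tunnel_pid" > "$log.pid"
  i=0
  while [ "$i" -lt "$WAIT_SECONDS" ]; do
    if line="$(grep -m1 'Listening on port' "$log")" \
       && port="$(tunnel_port_from_line "$line")"; then
      echo "RDP target: localhost:$port   (tunnel pid $tunnel_pid, log $log)"
      return 0
    fi
    sleep 1
    i=$((i + 1))
  done
  echo "tunnel did not come up within ${WAIT_SECONDS}s; see $log" >&2
  kill "$tunnel_pid" 2>/dev/null || true
  return 1
}

# Stop a tunnel started above, given the pid file path printed in its log name.
stop_tunnel() {
  kill "$(cat "$1")" 2>/dev/null || true
}

if [ "${1:-}" = "start" ]; then start_tunnel; fi
```

Run `sh tunnel.sh start` and paste the printed localhost:PORT into the Remote Desktop client's PC name. Keep the tunnel's pid to close it when you are done; RDP is only reachable on that loopback port while the gcloud process is alive.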

Step 7. Open the newly added PC and when the pop-up as shown in the screenshot below appears, enter the username and password that you created earlier.

Step 8. Click the Continue button and let the login complete.

Step 9. Once logged in, open the Internet Explorer/Edge browser and navigate to the vCenter server. The link can be found on your VMware Engine private cloud page.

Step 10. Click on the ‘LAUNCH VSPHERE CLIENT (HTML5)’ button to log into the vCenter server.

Note: You can find the login credentials by clicking your private cloud name in the Private clouds section of GCVE and going to the MANAGEMENT APPLIANCES section. You can click on the KEY DETAILS for vCenter Server.

Voila, you have just logged into the vCenter server.
