Step-01: Introduction
- Remove public IPs from the VMs (comment out the `access_config` block in the instance template)
- Create a firewall rule that allows GCP's health-check probers to reach the instances
- Reference the health-check firewall rule's target tag in the instance template
- Create a Cloud NAT and a Cloud Router so the VMs can still reach the internet for outbound traffic (package installs, updates) without having public addresses
- google_compute_router
- google_compute_router_nat
Step-02: c6-01-instance-template.tf
- Comment out the `access_config` block

```hcl
# Google Compute Engine: Regional Instance Template
resource "google_compute_region_instance_template" "myapp1" {
  name                 = "${local.name}-myapp1-template"
  description          = "This template is used to create MyApp1 server instances."
  tags                 = [tolist(google_compute_firewall.fw_ssh.target_tags)[0], tolist(google_compute_firewall.fw_http.target_tags)[0]]
  instance_description = "MyApp1 VM Instances"
  machine_type         = var.machine_type
  scheduling {
    automatic_restart   = true
    on_host_maintenance = "MIGRATE"
  }
  # Create a new boot disk from an image
  disk {
    #source_image = "debian-cloud/debian-12"
    source_image = data.google_compute_image.my_image.self_link
    auto_delete  = true
    boot         = true
  }
  # Network Info
  network_interface {
    subnetwork = google_compute_subnetwork.mysubnet.id
    /*access_config {
      # Include this section to give the VM an external IP address
    } */
  }
  # Install Webserver
  metadata_startup_script = file("${path.module}/app1-webserver-install.sh")
  labels = {
    environment = local.environment
  }
  metadata = {
    environment = local.environment
  }
}
```
Step-03: c4-firewallrules.tf

```hcl
# Firewall rule: Allow Health checks
resource "google_compute_firewall" "fw_health_checks" {
  name    = "fwrule-allow-health-checks"
  network = google_compute_network.myvpc.id
  allow {
    protocol = "tcp"
    ports    = ["80"]
  }
  # Google's health-check prober ranges only; keep this narrower than 0.0.0.0/0
  source_ranges = [
    "35.191.0.0/16",
    "130.211.0.0/22"
  ]
  target_tags = ["allow-health-checks"]
}
```
Step-05: c6-01-instance-template.tf: Update firewall rule in Instance Template

```hcl
# Comment Old one
#tags = [tolist(google_compute_firewall.fw_ssh.target_tags)[0], tolist(google_compute_firewall.fw_http.target_tags)[0]]
# Add new one
tags = [tolist(google_compute_firewall.fw_ssh.target_tags)[0], tolist(google_compute_firewall.fw_http.target_tags)[0], tolist(google_compute_firewall.fw_health_checks.target_tags)[0]]
```
Step-06: c8-Cloud-NAT-Cloud-Router.tf
- google_compute_router
- google_compute_router_nat

```hcl
# Resource: Cloud Router
resource "google_compute_router" "cloud_router" {
  name    = "${local.name}-${var.gcp_region1}-cloud-router"
  network = google_compute_network.myvpc.id
  region  = var.gcp_region1
}

# Resource: Cloud NAT
resource "google_compute_router_nat" "cloud_nat" {
  name                               = "${local.name}-${var.gcp_region1}-cloud-nat"
  router                             = google_compute_router.cloud_router.name
  region                             = google_compute_router.cloud_router.region
  nat_ip_allocate_option             = "AUTO_ONLY"
  source_subnetwork_ip_ranges_to_nat = "ALL_SUBNETWORKS_ALL_IP_RANGES"
  # Log every NAT translation so outbound connections from the private VMs are auditable
  log_config {
    enable = true
    filter = "ALL"
  }
}
```
Step-07: Execute Terraform Commands

```bash
# Terraform Initialize
terraform init
# Terraform Validate
terraform validate
# Terraform Plan
terraform plan
# Terraform Apply
terraform apply
```
Step-08: Verify Resources
- Static IP
- Load Balancer
- MIG
- VM Instances (should not have an external IP assigned)
- Curl Test
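To make the "no external IP" check and the Step-03 firewall review repeatable rather than a visual inspection of the console, here is an added verification script. It is not part of this course's code; it assumes you feed it the JSON produced by `gcloud compute instances list --format=json` and `gcloud compute firewall-rules describe fwrule-allow-health-checks --format=json` (file names on the command line are placeholders), and the embedded sample data is constructed to show one compliant VM, one VM that still has a NAT address, and a correct health-check rule.

```python
import json
import sys

# Google's documented health-check prober ranges, the same two CIDRs used in
# the fw_health_checks rule in Step-03.
HEALTH_CHECK_RANGES = {"35.191.0.0/16", "130.211.0.0/22"}

# Constructed sample shaped like `gcloud compute instances list --format=json`
# (only the fields this check reads). Not real output: one private VM and one
# VM that still carries an external address.
SAMPLE_INSTANCES = json.loads("""
[
  {"name": "myapp1-vm-abcd",
   "networkInterfaces": [{"networkIP": "10.128.0.2"}]},
  {"name": "myapp1-vm-efgh",
   "networkInterfaces": [{"networkIP": "10.128.0.3",
                          "accessConfigs": [{"type": "ONE_TO_ONE_NAT",
                                             "natIP": "203.0.113.10"}]}]}
]
""")

# Constructed sample shaped like `gcloud compute firewall-rules describe --format=json`.
SAMPLE_FIREWALL = json.loads("""
{"name": "fwrule-allow-health-checks",
 "direction": "INGRESS",
 "sourceRanges": ["35.191.0.0/16", "130.211.0.0/22"],
 "allowed": [{"IPProtocol": "tcp", "ports": ["80"]}],
 "targetTags": ["allow-health-checks"]}
""")


def instances_with_external_ip(instances):
    """Return the names of instances that still have a NAT'd external address.

    A VM without an access_config has no `accessConfigs` key at all, so the
    absence of `natIP` on every interface is what "no public IP" looks like.
    """
    offenders = []
    for inst in instances:
        for nic in inst.get("networkInterfaces", []):
            if any(cfg.get("natIP") for cfg in nic.get("accessConfigs", [])):
                offenders.append(inst["name"])
                break
    return offenders


def health_check_rule_findings(rule, port="80"):
    """Return a list of problems with a health-check firewall rule; empty means OK."""
    findings = []
    if rule.get("direction", "INGRESS") != "INGRESS":
        findings.append("rule is not INGRESS")
    ranges = set(rule.get("sourceRanges", []))
    missing = HEALTH_CHECK_RANGES - ranges
    extra = ranges - HEALTH_CHECK_RANGES
    if missing:
        findings.append(f"missing health-check ranges: {sorted(missing)}")
    if extra:
        # Anything beyond the prober ranges (e.g. 0.0.0.0/0) exposes port 80
        # to sources the rule was never meant to admit.
        findings.append(f"source ranges beyond health-check probers: {sorted(extra)}")
    for allowed in rule.get("allowed", []):
        proto = allowed.get("IPProtocol")
        ports = allowed.get("ports", [])
        if proto != "tcp" or ports != [port]:
            findings.append(f"allows {proto} {ports or 'all ports'}, expected tcp {port} only")
    if not rule.get("targetTags"):
        findings.append("no targetTags: rule would apply to every VM in the network")
    return findings


if __name__ == "__main__":
    # Usage: python verify_private_vms.py instances.json firewall.json
    # (placeholder file names); with no arguments the constructed samples run.
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f:
            instances = json.load(f)
        with open(sys.argv[2]) as f:
            firewall = json.load(f)
    else:
        instances, firewall = SAMPLE_INSTANCES, SAMPLE_FIREWALL
    public = instances_with_external_ip(instances)
    print("VMs with external IP:", public or "none")
    for finding in health_check_rule_findings(firewall) or ["health-check rule OK"]:
        print("firewall:", finding)
    sys.exit(1 if public else 0)
```

Run it against the real `gcloud` JSON after `terraform apply`; a non-zero exit means at least one VM in the MIG still has a public address, which is exactly the condition this step is meant to remove.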
Step-12: Clean-Up