Create a private network with Terraform using a startup script - Google Cloud Platform

Time: 2019-06-27 05:50:50

Tags: windows google-cloud-platform terraform vpc startupscript

I recently started with Terraform on GCP and want to complete an exercise:

  • Create a new VPC network with one subnet.
  • Create a firewall rule that allows external RDP traffic to the bastion host system.
  • Deploy two Windows servers that are connected both to the VPC network and to the default network.
  • Create a virtual machine that points to a startup script.
  • Configure a firewall rule to allow HTTP access to the virtual machine.

Here is my solution:

  1. Create a new VPC network called securenetwork, then create a new VPC subnet inside securenetwork. Once the network and subnet are configured, configure a firewall rule that allows inbound RDP traffic (TCP port 3389) from the Internet to the bastion host.
# Create the securenetwork network (custom-mode: no automatic subnets)
resource "google_compute_network" "securenetwork" {
  name                    = "securenetwork"
  auto_create_subnetworks = false
}

# Create the securesubnet-eu subnetwork
resource "google_compute_subnetwork" "securesubnet-eu" {
  name          = "securesubnet-eu"
  region        = "europe-west1"
  network       = "${google_compute_network.securenetwork.self_link}"
  ip_cidr_range = "10.130.0.0/20"
}

# Create a firewall rule to allow RDP (TCP 3389) and ICMP traffic on securenetwork.
# Note: without target_tags the rule applies to every instance in securenetwork,
# not only to the bastion host; source_ranges is written out explicitly because
# the provider defaults it to 0.0.0.0/0 (the whole Internet) when omitted.
resource "google_compute_firewall" "securenetwork-allow-http-ssh-rdp-icmp" {
  name    = "securenetwork-allow-http-ssh-rdp-icmp"
  network = "${google_compute_network.securenetwork.self_link}"

  allow {
    protocol = "tcp"
    ports    = ["3389"]
  }

  allow {
    protocol = "icmp"
  }

  source_ranges = ["0.0.0.0/0"]
}

# Create the vm-securehost instance
module "vm-securehost" {
  source              = "./instance/securehost"
  instance_name       = "vm-securehost"
  instance_zone       = "europe-west1-d"
  instance_subnetwork = "${google_compute_subnetwork.securesubnet-eu.self_link}"
  instance_network = "${google_compute_network.securenetwork.self_link}"
}

# Create the vm-bastionhost instance
module "vm-bastionhost" {
  source              = "./instance/bastionhost"
  instance_name       = "vm-bastionhost"
  instance_zone       = "europe-west1-d"
  instance_subnetwork = "${google_compute_subnetwork.securesubnet-eu.self_link}"
  instance_network = "${google_compute_network.securenetwork.self_link}"
}
  2. Deploy the Windows instances

    • A Windows Server 2016 instance named vm-securehost with two network interfaces. Configure the first network interface with an internal-only connection to the new VPC subnet, and the second network interface with an internal-only connection to the default VPC network. This is the secure server.
variable "instance_name" {}
variable "instance_zone" {}

variable "instance_type" {
  default = "n1-standard-1"
}

variable "instance_subnetwork" {}
variable "instance_network" {}

resource "google_compute_instance" "vm_instance" {
  name         = "${var.instance_name}"
  zone         = "${var.instance_zone}"
  machine_type = "${var.instance_type}"

  boot_disk {
    initialize_params {
      image = "windows-cloud/windows-2016"
    }
  }

  # First interface: the new VPC subnet
  network_interface {
    subnetwork = "${var.instance_subnetwork}"
    access_config {
      # Allocate a one-to-one (ephemeral external) NAT IP to the instance
    }
  }

  # Second interface: internal-only connection to the default VPC network
  # (no access_config, so no external IP on this interface)
  network_interface {
    network = "default"
  }
}
  • A second Windows Server 2016 instance, vm-bastionhost, with two network interfaces. Configure the first network interface to connect to the new VPC subnet with an ephemeral public (external NAT) address, and the second network interface to connect internally only to the default VPC network. This is the jump box or bastion host.
variable "instance_name" {}
variable "instance_zone" {}

variable "instance_type" {
  default = "n1-standard-1"
}

variable "instance_subnetwork" {}
variable "instance_network" {}

# Reserve a static external address for the bastion host. A reserved address
# is static, not ephemeral; for an ephemeral address leave access_config empty.
resource "google_compute_address" "default" {
  name   = "default"
  region = "europe-west1"
}

resource "google_compute_instance" "vm_instance" {
  name         = "${var.instance_name}"
  zone         = "${var.instance_zone}"
  machine_type = "${var.instance_type}"

  boot_disk {
    initialize_params {
      image = "windows-cloud/windows-2016"
    }
  }

  # First interface: the new VPC subnet, with the reserved external address
  network_interface {
    subnetwork = "${var.instance_subnetwork}"
    network    = "${var.instance_network}"
    access_config {
      # Attach the reserved one-to-one NAT IP to the instance
      nat_ip = "${google_compute_address.default.address}"
    }
  }

  # Second interface: internal-only connection to the default VPC network
  network_interface {
    network = "default"
  }
}

My questions:

  • How do I configure the Windows compute instance vm-securehost without a public IP address?
  • How do I configure the Windows compute instance named vm-securehost so that it runs the Microsoft IIS web server software at startup?
  • Thanks for any comments on the solution.

1 answer:

Answer 0 (score: 1)

To create a VM without any external IP address, omit the 'access_config' parameter from the Terraform script, since it is responsible for creating the external IP address.

To run the Microsoft IIS web server software on the VM at startup, add the following parameter to the VM creation block (without the quotes): 'metadata_startup_script = import-module servermanager && add-windowsfeature web-server -includeallsubfeature'

For more details on the issue, see the following links:

https://cloud.google.com/compute/docs/tutorials/basic-webserver-iis

https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance#metadata_startup_script
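The following is an added example, not code from the question or the answer above. It applies the answer's advice to vm-securehost (no access_config, so no external IP) and adds the two caveats a practitioner would want: the Windows guest agent does not run the Linux `startup-script` metadata key that `metadata_startup_script` sets, so the script goes under `windows-startup-script-ps1`; and `&&` is not a statement separator in Windows PowerShell 5.1, which Windows Server 2016 ships with, so the two commands are on separate lines. It also adds the exercise's HTTP firewall rule, scoped by network tag and limited to the subnet range rather than the Internet. It assumes the `google_compute_network.securenetwork` and `google_compute_subnetwork.securesubnet-eu` resources from the question live in the same root module, that the project still has its auto-mode `default` network, and Terraform 0.12+ syntax. The resource and output names are illustrative.

```hcl
# Added example (not from the question or answer). Assumes the
# securenetwork / securesubnet-eu resources from the question exist in
# this root module and the project's auto-mode "default" network exists.

# vm-securehost: internal-only on both interfaces, IIS installed at boot.
resource "google_compute_instance" "vm_securehost" {
  name         = "vm-securehost"
  zone         = "europe-west1-d"
  machine_type = "n1-standard-1"

  # Network tag referenced by the firewall rule below.
  tags = ["securehost"]

  boot_disk {
    initialize_params {
      image = "windows-cloud/windows-2016"
    }
  }

  # First interface: the new subnet. No access_config block, so GCE
  # assigns no external IP to this interface.
  network_interface {
    subnetwork = google_compute_subnetwork.securesubnet-eu.self_link
  }

  # Second interface: internal-only connection to the default network.
  # Each interface of a multi-NIC instance must be in a different VPC.
  network_interface {
    network = "default"
  }

  # The Windows guest agent runs windows-startup-script-ps1 (or -cmd,
  # -bat, -url), not the Linux "startup-script" key that
  # metadata_startup_script sets. Separate lines instead of "&&" because
  # Windows PowerShell 5.1 has no pipeline-chain operators. IIS installs
  # from the local feature store, so no Internet egress is needed here.
  metadata = {
    "windows-startup-script-ps1" = <<-EOT
      Import-Module ServerManager
      Add-WindowsFeature Web-Server -IncludeAllSubFeature
    EOT
  }
}

# HTTP to the secure host only from addresses inside securesubnet-eu
# (where the bastion's first interface lives), never from the Internet.
# The implied ingress deny covers everything this rule does not allow.
resource "google_compute_firewall" "securenetwork-allow-http-internal" {
  name    = "securenetwork-allow-http-internal"
  network = google_compute_network.securenetwork.self_link

  allow {
    protocol = "tcp"
    ports    = ["80"]
  }

  source_ranges = [google_compute_subnetwork.securesubnet-eu.ip_cidr_range]
  target_tags   = ["securehost"]
}

# Internal IP of the secure host, to test from the bastion with
# Invoke-WebRequest http://<this address>/ after the first boot.
output "securehost_internal_ip" {
  value = google_compute_instance.vm_securehost.network_interface[0].network_ip
}
```

After `terraform apply`, RDP to the bastion and request `http://<securehost_internal_ip>/`; the IIS default page confirms both the startup script and the firewall rule. Windows startup scripts run on every boot, which is fine here because `Add-WindowsFeature` is a no-op when the role is already installed. Because the secure host has no external IP, any later step that needs outbound Internet access (Windows Update, package downloads) requires Cloud NAT on securesubnet-eu rather than an access_config block.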