Typically the DuploCloud onboarding team performs these steps in your GCP project with your permission. These steps need to be performed and are described in detail in the subsequent subsections:

1. Add Service Account, Key Creation, and Project to the DuploCloud Portal. A single DuploCloud Portal supports multiple GCP projects. Each project is added to DuploCloud, and the DuploCloud platform gives access to the project via Service Account keys.

2. Set up Cloud DNS Zone.

3. Create Certificates for Load Balancers and Kubernetes Ingress.

4. Perform initial Infrastructure and Tenant setup.

5. Set up tools for the Tenant, such as enabling kubectl shell.

A service account and a key are created for each GCP project to be onboarded.

Disabling Restriction on the Service Account Key

1. Login to the and select the desired project.

2. Open the navigation pane at the top left of the home page ( ), and select IAM & Admin -> Organization Policies.

3. Filter and search for iam.disableServiceAccountKeyCreation.

4. Click the options menu ( ) and select Edit policy.

5. Add a Rule (Rule 1 in the graphic below) to turn off enablement.

Creating a Service Account

1. In the left navigation pane, click IAM & Admin -> Service Accounts. The Service Accounts page for your project displays.

2. Click Create Service Account. The Create service account wizard opens.

3. Complete Service Account Details.

4. In the Grant this service account access to project step, assign the Owner role as shown below, giving the account owner permission to the project. Complete the wizard, and click Done.

1. Select the Service Account you created and add a new JSON Key.

2. Download the JSON file and give it a meaningful name, such as my-gcp-project-sa-key.json.

3. Open a Terminal window and navigate to the location of the downloaded JSON file.

4. Run the following command. This copies the key contents on your clipboard. You can verify the contents by pasting it into a text editor.

Adding the Service Account Private Key to the DuploCloud Portal

To add the private key to DuploCloud:

1. Login to the DuploCloud and navigate to Administrator -> Cloud Credentials. The Cloud Credentials page displays.

2. Paste the key in the Service Account Private Key field.

3. Enter a Display name for easy reference. Ideally, this name should include the project name.

4. Enter the Project ID and Service Account Email from the JSON key file you downloaded.

5. Click Submit.

The DuploCloud Platform requires a unique GCP Cloud DNS zone to create DNS entries for the services you deploy. The domain must be registered with a domain provider and set in DuploCloud before configuration. We recommend creating a subdomain such as apps.[MY-COMPANY].com or internal.[my-company].com.

Creating a DNS Zone

Create a DNS Zone in the GCP Console:

1. Log in to the GCP console.

2. Select Network Services -> Cloud DNS.

3. Click Create Zone, as shown below, and note the Zone Name you create. You will need it to add to DuploCloud in a later step.

4. Access the zone and note the Nameserver names.

Configuring NS Records

1. Navigate to your root Domain Provider's site (for acme.com, for example).

2. Create an NS record that references the domain name of the hosted zone you created (apps.acme.com), and add the zone name to the Nameservers you noted above.

Provisioning the Zone in DuploCloud

Provision the zone in every DuploCloud Plan, starting with the Plan created in the previous step.

1. In the DuploCloud Portal, navigate to Administrator -> Plans.

2. Select the Plan name from the NAME column.

3. Select the DNS tab, and click Edit. The Set Plan DNS pane displays.

4. In the Cloud DNS Zone field, enter the zone name.

5. In the External DNS Suffix and Internal DNS Suffix fields, enter the domain name, preceded with a dot (.)

6. Click Submit.

Once your GCP project has been added to the DuploCloud Portal, the next step is to set up the first Infrastructure.

Creating an Initial Infrastructure

1. From the DuploCloud Portal, navigate to Administrator -> Infrastructure, and click Add.

2. Give the Infrastructure a Name, e.g., nonprod.

3. Select the appropriate Account.

4. Enter the VPC CIDR, e.g., 10.30.0.0/16 (Note: A /16 CIDR block is recommended for Kubernetes to accommodate its IP address requirements).

5. From the Cluster Mode list box, select GKE Standard.

6. From the GKE Endpoint Visibility list box, select Public (for production Infrastructures, set visibility to Private).

7. For the remaining fields, keep the default values.

1. Click Create. It will take approximately 15 to 20 minutes for the setup to complete. Monitor faults to see if any issues arise (NTP clock sync faults can be ignored).

Once the initial infrastructure setup is complete, the next step is to add a DuploCloud Tenant for tools like kubectl shell, OpenTelemetry, etc.

Follow the instructions in the DuploCloud documentation to . Name the Tenant Tools, and select the Plan with the same name as the initial Infrastructure you created in the previous step.

This section includes optional configurations for DuploCloud users managing Docker-based deployments in GCP. These configurations help optimize workflows and ensure containerized applications are securely managed and efficiently deployed. It includes two subsections:

• : This page explains how to configure credentials for external Docker registries such as Docker Hub, Amazon ECR, or private repositories.

• : This section guides Native Docker users through setting up a Docker shell to access the command-line interface for building, running, and managing containers.

For Docker Native users, setting up shell access for Docker enables you to run Docker commands, build, push, and pull images, and manage containers deployed in GCP. Configuring shell access helps ensure that your GCP environment, integrated with DuploCloud, is fully equipped to handle container operations.

Enabling the Docker Native Container Shell

1. In the DuploCloud Portal, navigate to Docker -> Services. The Services page displays.

2. Click the Docker button, and select Enable Docker Shell. The Start Shell Service pane displays.
3. From the Platform list box, select Docker Native.

4. From the Certificate list box, select the certificate name.

5. From the Visibility list box, select Public.

6. Click Update. DuploCloud provisions a Service named dockerservices-shell, enabling you to access your containers using SSH.

Configure and implement secure VPN connections using OpenVPN. These configurations help optimize network security and ensure you can securely access your cloud resources. It includes two subsections:

• : This page outlines the two-step process for setting up OpenVPN, including accepting the OpenVPN agreement in the GCP Marketplace and provisioning a VPN in the DuploCloud Portal.

• : This section guides users through connecting to the provisioned VPN, enabling secure communication between local environments and cloud resources.

Enabling kubectl shell access in GCP is part of a one-time DuploCloud Portal setup process.

Step 1: Create a Node Pool

1. In the Tenant list box, select the Tools Tenant.

2. Navigate to Kubernetes -> Nodes.

3. Select the Node Pool tab, and click Add.

1. Complete the required fields, and click Create.

2. Once the node pool is complete, it will display on the GCP VM tab with a status of Running.

Step 2. Create a DuploCloud Service

1. In the Tenant list box, select the Tools Tenant.

2. Navigate to Kubernetes -> Services.

3. Click Add. The Add Service page displays.

4. From the table below, enter the values that correspond to the fields on the Add Service page. Accept default values for fields not specified.

1. In the Environment Variables field, enter the following YAML. Replace the flask app secret (b33d13ab-5b46-443d-a19d-asdfsd443 in this example) with a string of random numbers and letters in the same format and replace CUSTOMER_PREFIX with your customer URL prefix.

1. Click Next. The Advanced Options page displays.

2. Click Create. The Service is created.

Step 3: Create a Load Balancer

1. Navigate to Kubernetes -> Services.

2. Select the kubectl Service from the NAME column.

3. Select the Load Balancers tab, and click Configure Load Balancer. The Add Load Balancer Listener pane displays.

4. In the Select Type list box, select K8s Cluster IP.

5. In the Container port and External port fields, enter 80.

6. In the Health Check field, enter /duplo_auth.

7. In the Backend Protocol list box, select TCP

8. Select Advanced Kubernetes settings and Set HealthCheck annotations for Ingress.

9. Click Add. The Load Balancer listener is added.

Step 4: Add an Ingress

1. In the Tenant list box, select the Tools Tenant.

2. Navigate to Kubernetes -> Ingress.

3. Click Add. The Add Kubernetes Ingress page displays.

4. In the Ingress Name field, enter kubect-shell.

5. From the Ingress Controller list box, select gce.

6. In the Visibility list box, select Public.

7. In the DNS Prefix field, enter the DNS name prefix.

8. In the Certificate ARN list box, select the ARN added to the Plan in the Certificate for Load Balancer and Ingress step.

1. Click Add Rule. The Add Ingress Rule pane displays.

2. In the Path field, enter (/)

3. In the Service Name list box, select the Service previously created (kubectl:80)

4. Click Add Rule. A rule directing all traffic to the kubectl Service is created.

13. On the Add Kubernetes Ingress page, click Add. The Ingress is created.

Step 5: Add the DNS name to System Settings

1. Navigate to Administrator -> Systems Settings.

2. Select the System Config tab, and click Add. The Add Config pane displays.
3. From the Config Type list box, select AppConfig.

4. From the Key list box, select Other.

5. In the second Key field, enter DuploShellfqdn

6. In the Value field, paste the Ingress DNS. To find the Ingress DNS, navigate to Kubernetes -> Ingress, and copy the DNS from the DNS column.
7. Click Submit. kubectl shell access is enabled.

If you use an external Docker registry (outside of Google’s own GCR or GAR) like Docker Hub, Amazon ECR, or private registries, you must configure Docker registry credentials. This step ensures that your GCP environment has the proper authentication to access images from an external registry, preventing unauthorized access or image pull failures.

Set Docker Registry Credentials

1. In the DuploCloud Portal, navigate to Docker -> Services.

2. From the Docker list box, select Docker Credentials. The Set Docker registry Creds pane displays.

3. Enter your Docker credentials (Username, Password, and Email), and click Submit. The Docker registry credentials are passed to the Kubernetes cluster as a kubernetes.io/dockerconfigjson secret.

Add Multiple Docker Registry Credentials

Pull images from multiple Docker registries by adding multiple Docker Registry Credentials.

1. In the DuploCloud Portal, click Administrator -> Plan. The Plans page displays.

2. Select the Plan name from the NAME column.

3. Select the Config tab, and click Add. The Add Config pane displays.

4. In the Config Type list box, select DockerRegistryCreds.

5. In the Name field, enter the registry name.

6. In the Value field, enter your registry credentials.

7. Click Submit.

SSL certificates secure connections between clients, servers, and Load Balancers by encrypting data transmitted over the network using Transport Layer Security (TLS). GCP provides two primary methods for configuring SSL certificates: Compute Engine SSL Certificates and Certificate Manager (using certificate maps). While DuploCloud supports both methods, we recommend Certificate Manager whenever possible. This approach is preferable because Compute Engine certificates cannot be validated until associated with a Load Balancer, potentially leading to downtime. In contrast, certificate maps can be validated in advance, helping to ensure consistent uptime and a smoother management experience.

Prerequisites

• Obtain public and private certificate files from your chosen SSL certificate provider, such as GoDaddy or Namecheap.

Creating a Certificate Map With Certificate Manager

1. Create a DNS authorization resource using the following command where YOUR_DOMAIN is your domain URL and MAP_NAME is your certificate name (a unique name you choose for your certificate map).

gcloud certificate-manager dns-authorizations create MAP_NAME \
  --domain="YOUR_DOMAIN"
gcloud certificate-manager dns-authorizations list

1. Manually create the DNS records shown in the output of the list command. You'll usually do this in the certificate's domain zone in the Cloud DNS service for the same project, but it depends on how you set up DNS.

2. Create the certificate:

gcloud certificate-manager certificates create MAP_NAME \
  --domains="YOUR_DOMAIN,*.YOUR_DOMAIN" \
  --dns-authorizations=MAP_NAME

1. Create the certificate map and its entries:

gcloud certificate-manager maps create MAP_NAME
gcloud certificate-manager maps entries create MAP_NAME \
  --map="MAP_NAME" \
  --certificates="MAP_NAME" \
  --hostname="YOUR_DOMAIN"
gcloud certificate-manager maps entries create MAP_NAME-wildcard \
  --map="MAP_NAME" \
  --certificates="MAP_NAME" \
  --hostname="*.YOUR_DOMAIN"

1. Add the certificate map to the DuploCloud Plan. Navigate to Administrator -> Plans. Select the Certificates tab and click Add. The Add a Certificate pane displays.

2. In the Name field, create a name for the certificate (the name is arbitrary as it is only a display name to be used within DuploCloud).

3. In the GCP Certificate Type list box, select the certificate type. The certificate type must match the certificate entered in the gcloud certificate-manager maps entries create command.

4. In the GCP Certificate Map field, enter the name of your map (in this example, MAP_NAME).

5. Click Create. The certificate can now be used with your DuploCloud Services.

Create a docker image repository in GCP's Artifact Registry service and push an image to it.

Prerequisites

1. Install Docker.

2. Install and configure the gcloud CLI.

3. Run gcloud info and confirm it shows your email address and GCP project.

Creating the Repository

1. Navigate Google Cloud Console and create a repository with the following inputs:

• Type: Docker

• Mode: Standard

• Location: Unless you know you need multiple regions, use the same region as your Duplo portal.

• Encryption: Google-managed encryption key

• Immutable tags: Enabled (this isn't required, but it's a common good practice)

• Cleanup policies: Dry run

1. Copy the repo path from the Google UI. This will be used to tag the image later. The path will look similar to this: us-east1-docker.pkg.dev/qa-gcp3/testrepo.

Building and Pushing an Image

Now you can tag and push any image you build. On some platforms (like Apple M1 laptops), you may need to specify a build architecture.

1. Authenticate Docker with GCP: gcloud auth configure-docker us-east1-docker.pkg.dev

2. Build an image: docker build --platform linux/amd64 . -t testimage:amd64

3. Add a tag to the image that includes the repo path from above: docker tag testimage:amd64 us-east1-docker.pkg.dev/qa-gcp3/testrepo/testimage:amd64 (Alternatively, you can add this tag with -t flags in the build step.)

4. Push the image: docker push us-east1-docker.pkg.dev/qa-gcp3/testrepo/testimage:amd64

5. The image tag displays in the GCP UI:

Using the Image in DuploCloud

Enter the image tag in the Docker Image field of any DuploCloud Service running in the same GCP account. Use the full path and tag (the arguments to the push command) as shown below.

us-east1-docker.pkg.dev/qa-gcp3/testrepo/testimage:amd64

Applications deployed in the GCP environment must be exposed using SSL/TLS. To expose these applications, we provide GCP with certificates that can be used for Load Balancers and GKE ingress. In this step, we'll create an SSL certificate for the domain associated with the hosted zone you created earlier.

Prerequisites

• Obtain the public and private certificate files from your chosen SSL certificate provider, such as GoDaddy or Namecheap. We recommend obtaining a wildcard SSL certificate for the domain associated with your hosted zone (e.g., .apps.acme.com) to cover all subdomains. For example, if your DNS zone is for apps.acme.com, you should issue a wildcard certificate for *.apps.acme.com to secure all subdomains.

Creating a Global Certificate for Public-Facing Load Balancers

Create global and regional SSL certificates in the GCP Console using the Classic Certificates method.

1. Log in to the GCP Console.

2. Navigate to Certificate Manager, and click Classic Certificates.
3. Click on Create SSL Certificate.

4. Provide the certificate with a name and upload the public and private key certificate files obtained in the prerequisite.

   • As a best practice, name the certificate global-<DNS Domain name>, where the dots (.) are replaced with hyphens (-). For example, if your domain is example.com, name the certificate global-example-com.

5. Note the name of the global certificate for use in future steps.

Creating a Regional Certificate for Private/Internal Load Balancers

1. From the GCP Console, open the GCP Cloud Shell by clicking on the Cloud Shell icon in the top right corner.

2. Once the Cloud Shell opens, create the following files:

   • public.cert Paste the content of the public certificate into this file.

   • private.key Paste the content of the private key into this file.

3. Run the following command to create a regional SSL certificate:

gcloud compute ssl-certificates create uscentral1-internal-acme-com --certificate=chain.crt --private-key=key.pem --region=us-central 

• As a best practice, name the certificate using the format <region>-<DNS Domain name>, where the dots (.) in the domain name are replaced with hyphens (-). For example, for the us-central region and domain acme.com, the certificate should be named uscentral1-internal-acme-com.

1. After running the command, refresh the Classic Certificates page in the GCP Console. Both global and regional certificates should now be listed.

2. Note the certificate names for use in future steps.

Adding Certificates in DuploCloud

Add multiple domains to the SSL certificate. This is especially useful for domain names that differ from the internal zone you set up in the previous step. This allows you to secure your primary domain and any other domains you may use for your applications or services.

1. Log in to the DuploCloud Portal.

2. Navigate to Administrator -> Plans.

3. Select the Certificates tab, and click Add.

4. Add the global and regional certificates, one at a time You can name them the same names you used in the GCP portal. For each certificate, choose the type LB SSL Certificate.

5. Click Create. The GCP certificates are added to your DuploCloud Portal.

DuploCloud integrates with OpenVPN by automatically provisioning VPNs for users added through the DuploCloud Portal. As a DuploCloud user, you can securely access resources within the private network by connecting via the OpenVPN client.

Accessing VPN Credentials

1. Click on your user name in the upper right corner of the DuploCloud Portal, and select Profile. Your Profile page displays.

2. VPN credentials are displayed in the VPN Details area of the Profile page.

Setting up the OpenVPN User Profile and Client App

1. Click on your user name in the upper right corner of the DuploCloud Portal, and select Profile. Your Profile page displays.

2. Click the VPN URL link in the VPN Details section. Browsers may call the link unsafe since it is using a self-signed certificate. Proceed to it anyway.

3. Log in to the OpenVPN Access Server portal using the credentials from your Profile page.

4. Click on the OpenVPN Connect Recommended for your device link to install the OpenVPN Connect application on your local machine.

1. Click the link labeled Yourself (user-locked profile) to download your OpenVPN user profile.
2. Open the .ovpn file and click OK in the Import .ovpn profile dialog.
3. Click Connect. The OpenVPN user profile and client app are set up.

DuploCloud integrates with OpenVPN by provisioning VPNs for users added through the DuploCloud Portal. The OpenVPN setup involves a two-step process: accepting the OpenVPN agreement in the GCP Marketplace, and Provisioning a VPN in the DuploCloud Portal.

Accepting OpenVPN

Accept the OpenVPN Free Tier (Bring Your Own License) agreement in the GCP marketplace:

1. Log into your GCP account.

2. In the Google Cloud Console, navigate to the Marketplace.

3. Search for OpenVPN in the Marketplace.

4. Select the product (OpenVPN Free Tier) and accept the agreement.

Provisioning a VPN

1. In the DuploCloud Portal, navigate to Administrator -> System Settings.

2. Select the VPN tab.

3. Click Provision VPN. Behind the scenes, DuploCloud launches a cloud formation script to provision the OpenVPN. OpenVPN is ready to use.

Optional VPN Configurations

Provisioning a VPN While Creating a User

1. In the DuploCloud Portal, navigate to Administrator -> Users.

2. Click Add. The Create User pane displays.

3. Enter the username in the Username field.

4. In the Roles field, select the appropriate role(s) for the user.

5. Select Provision VPN.

6. Click Submit.

Deleting VPN Access for a User

See Deleting a VPN user. To delete VPN access, you must have administrator privileges.

Opening a VPN Port

By default, users connected to a VPN can SSH or RDP into virtual machines (VMs). Users can also connect to internal Load Balancers and application endpoints. However, you must open a VPN port to connect to other Services, such as databases and ElastiCach.

1. In the DuploCloud Portal, navigate to Administrator -> Tenants.

2. Select the Tenant in the NAME column.

3. Select the Security tab.

4. Click Add. The Add Tenant Security pane displays.
5. In the Source Type field, select Ip Address.

6. In the IP CIDR field, enter the VPN IP address range in CIDR notation, for example, 10.0.0.0/24 or 192.168.1.0/24.

7. In the Protocol list box, select the protocol you wish to allow through the VPN port.

8. Enter the range in the Port Range field, specify the port or range of ports that need to be opened.

9. Enter a brief description of the security rule being added in the Description field.

10. Click Add. The VPN port is open.