Tasks to perform before you use GCP with DuploCloud
Before using DuploCloud, ensure the following prerequisites are met.
Read the Access Control section to ensure at least one person has administrator access.
Set Docker registry credentials
In the DuploCloud Portal, navigate to Docker -> Services. Docker registry credentials are passed to the Kubernetes cluster as kubernetes.io/dockerconfigjson.
Click the Docker item list in the upper right and select Docker Credentials. The Set Docker registry Creds pane displays.
Supply the credentials and click Submit.
Enable the Docker Shell Service by clicking Enable Docker Shell.
You can pull images from multiple Docker registries by adding multiple Docker Registry Credentials.
In the DuploCloud Portal, click Administrator -> Plan. The Plans page displays.
Select the Plan in the Name column.
Click the Config tab.
Click Add. The Add Config pane displays.
Creating a Route 53 hosted zone to program DNS entries
The DuploCloud platform needs a unique GCP Cloud DNS zone to create DNS entries for services that you deploy. The domain must be created out-of-band and set in DuploCloud. The zone is a subdomain such as apps.[MY-COMPANY].com.
Never use this subdomain for anything else, as DuploCloud owns all CNAME entries in this domain and removes all entries it has no record of.
To create the Route53 hosted zone using the GCP Console:
Log in to the GCP console.
Navigate to Cloud DNS under Network Services.
Create a new zone with the desired domain name, for example, apps.acme.com.
Access the zone and note the name server names.
Go to your root Domain Provider's site (for acme.com, for example), and create an NS record that references the domain name of the hosted zone you created (apps.acme.com) and add the zone name to the name servers that you noted above.
Once this is complete, provision the Zone in every DuploCloud Plan, starting with the default plan. Add the zone Name and domain name, preceded with a dot (.).
Do not forget the dot (.) at the beginning of the DNS suffix, in the form as shown below.
Note that this domain must be set in each new Plan you create in your DuploCloud Infrastructure.
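A preflight for the delegation and DNS suffix steps above, as an added example that is not part of DuploCloud's documentation or tooling. The function names and sample records are constructed for illustration, and ZONE_NAME is a placeholder for your Cloud DNS zone name.

```sh
#!/bin/sh
# Added example: preflight checks for the zone delegated to DuploCloud.
# Inputs are passed in as text so the checks also run offline. Live sources
# (ZONE_NAME is a placeholder for your Cloud DNS zone name):
#   gcloud dns managed-zones describe ZONE_NAME --format="value(nameServers)"
#   dig +short NS apps.acme.com
#   gcloud dns record-sets list --zone=ZONE_NAME --format="value(name,type)"

# One name server per line: lowercased, trailing dot removed, sorted, unique.
normalize_ns() {
    printf '%s\n' "$1" | tr ';, \t' '\n\n\n\n' | tr 'A-Z' 'a-z' |
        sed -e 's/\.$//' -e '/^$/d' | sort -u
}

# True only when the parent's NS records equal the zone's own name servers.
delegation_matches() (
    zone_ns=$(normalize_ns "$1")
    parent_ns=$(normalize_ns "$2")
    [ -n "$zone_ns" ] && [ "$zone_ns" = "$parent_ns" ]
)

# True only when the Plan's DNS suffix is the zone domain preceded by a dot.
suffix_ok() (
    zone_domain=${2%.}
    [ "$1" = ".$zone_domain" ]
)

# Prints every "name type" record set other than the apex NS and SOA.
# Run before handing the zone over: it should print nothing, because
# DuploCloud removes CNAME entries it has no record of.
foreign_records() (
    apex="${2%.}."
    printf '%s\n' "$1" | awk -v apex="$apex" '
        NF >= 2 && !($1 == apex && ($2 == "NS" || $2 == "SOA")) { print $1, $2 }'
)

# Constructed sample data, not output from a real project.
ZONE_NS='ns-cloud-x1.googledomains.com.;ns-cloud-x2.googledomains.com.'
PARENT_NS='ns-cloud-x1.googledomains.com.
ns-cloud-x2.googledomains.com.'
RECORDS=$(printf 'apps.acme.com.\tNS\napps.acme.com.\tSOA\nold.apps.acme.com.\tCNAME')

delegation_matches "$ZONE_NS" "$PARENT_NS" && echo "delegation: ok"
suffix_ok "apps.acme.com" "apps.acme.com." || echo "suffix: missing leading dot"
foreign_records "$RECORDS" "apps.acme.com"
```

A partial or stale NS set at the parent fails the comparison, which is the case that otherwise shows up later as intermittent resolution failures for deployed services.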
Enable access to the DuploCloud shell for your GCP account
Enabling DuploCloud shell access in GCP is part of a one-time DuploCloud portal setup process.
Create a DuploCloud Service in any Tenant.
From the DuploCloud portal, navigate to Kubernetes -> Services.
Click Add. The Add Service page displays.
From the table below, enter the values that correspond to the fields on the Add Service page. Accept all other default values for fields not specified.
In the Environment Variables field, enter the following YAML. Replace the flask app secret (b33d13ab-5b46-443d-a19d-asdfsd443 in this example) with a string of random numbers and letters in the same format and replace CUSTOMER_PREFIX with your customer URL prefix.
Click Next. The Advanced Options page displays.
Click Create. The Service is created.
Follow the steps on the GKE Ingress page to add Kubernetes Ingress, substituting the following values in the Name and Annotations fields:
Name: duplo-shell
Annotations: enter the following, replacing CERTIFICATE_NAME with your certificate name.
From the DuploCloud portal, navigate to Kubernetes -> Ingress.
Click on duplo-shell in the NAME column. The duplo-shell Ingress details page displays.
Select the Configuration tab.
From the DNS box, copy the DNS.
Navigate to Administrator -> Systems Settings.
Select the System Config tab, and click Add.
From the Config Type list box, select AppConfig.
From the Key list box, select Other.
In the second Key field, enter DuploShellfqdn
In the Value field, paste the DNS you copied from the Ingress details page.
Click Submit. DuploCloud shell access is enabled in GCP.
Add Service page field | Value |
---|---|
Name | YOUR_SERVICE_NAME |
Cloud | Google |
Platform | GKE Linux |
Docker Image | duplocloud/shell:terraform_kubectl_v15 |
Enabling shell access using Docker Native
DuploCloud allows shell access into the deployed containers.
In the DuploCloud Portal, navigate to Docker -> Services, displaying the Services page.
From the Platform list box, select Docker Native.
From the Certificate list box, select a certificate name.
From the Visibility list box, select Public.
Click Update.
A provisioned service named dockerservices-shell is created, enabling you to access the Service containers using SSH.
Connecting to the DuploCloud VPN with the OpenVPN client
DuploCloud integrates natively with OpenVPN by provisioning VPN users added in the DuploCloud Portal. As a DuploCloud user, you can access resources in the private network by connecting to the VPN with the OpenVPN client.
The OpenVPN Access Server is set to forward only traffic destined for network resources in the DuploCloud-managed private networks. Traffic accessing other resources on the internet does not pass through the tunnel.
User VPN credentials are accessible on the User Profile page. This page can be accessed through the menu on the upper right of the page or through the User menu option on the left.
Click the VPN URL link in the VPN Details section of your user profile. Browsers will call the link unsafe since it is using a self-signed certificate. Proceed to it.
Log in to the OpenVPN Access Server user portal using the credentials from the DuploCloud user profile section.
Open the .ovpn file and click OK in the Import .ovpn profile dialog.
Integrate with OpenVPN by provisioning VPN users
DuploCloud integrates natively with OpenVPN by provisioning VPN users that you add to the DuploCloud Portal. OpenVPN setup is a two-step process.
Accept OpenVPN Free tier (Bring Your Own License) in the GCP marketplace:
Log into your GCP account. In the console, navigate to: https://console.cloud.google.com/marketplace?_ga=2.26702909.1494282976.1678740607-1491144562.1675196305&pli=1.
Accept the agreement.
In the DuploCloud Portal, navigate to Administrator -> System Settings.
Click the VPN tab.
Click Provision VPN.
After the OpenVPN is provisioned, it is ready to use. Behind the scenes, DuploCloud launches a cloud formation script to provision the OpenVPN.
You can find the OpenVPN admin password in the cloud formation stack in your GCP console.
Provision a VPN while creating a user:
In the DuploCloud Portal, navigate to Administrator -> Users.
Click Add. The Create User pane displays.
Enter a valid email address in the Username field.
In the Roles field, select the appropriate role for the User.
Select Provision VPN.
Click Submit.
For information about removing VPN access for a user, see Deleting a VPN user. To delete VPN access, you must have administrator privileges.
By default, users connected to a VPN can SSH or RDP into virtual machines (VMs). Users can also connect to internal load balancers and endpoints of the applications. However, to connect to other services, such as databases and elastic cache, you must open the port to the VPN:
In the DuploCloud Portal, navigate to Administrator -> Tenants.
Select the Tenant in the Name column.
Click the Security tab.
Click Add. The Add Tenant Security pane displays.
In the Source Type field, select Ip Address.
In the IP CIDR field, enter the name of your VPN.
Click Add.
Establish secure access to the DuploCloud portal with regional or global SSL certificates for GCP
Although DuploCloud supports both certificate configuration methods, we recommend avoiding using compute engine certificates, if possible. This is because compute engine certificates can't be validated until they're attached to a Load Balancer, which can make it hard to manage uptime. In contrast, certificate maps can be validated in advance, circumventing potential downtime.
Create a DNS authorization resource using the following command where YOUR_DOMAIN is your domain URL and MAP_NAME is your certificate name (a unique name you choose for your certificate map).
Manually create the DNS records shown in the output of the list command. You'll usually do this in the certificate's domain zone in the Cloud DNS service for the same project, but it depends on how you set up DNS.
Create the certificate:
Create the certificate map and its entries:
Add the certificate map in the DuploCloud Plan. Navigate to Administrator -> Plans. Select the Certificates tab and click Add. The Add a Certificate pane displays.
In the Name field, create a name for the certificate (the name is arbitrary as it is only a display name to be used within DuploCloud).
In the GCP Certificate Type list box, select the certificate type. The certificate type must match the certificate entered in the gcloud certificate-manager maps entries create command.
In the GCP Certificate Map field, enter the name of your map (in this example, MAP_NAME). Click Create.
Now you can use your certificate with your DuploCloud Services.
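The Certificate Manager sequence described in the steps above, written with standard gcloud certificate-manager syntax as an added example; these are not DuploCloud's own commands. AUTHZ, CERT, MAP, ENTRY, DOMAIN and HOSTNAME are caller-chosen placeholders, and the polling gate is an assumption about how to apply the "validated in advance" point before the map is added to a Plan.

```sh
#!/bin/sh
# Added example (not DuploCloud's own commands). All resource names are
# caller-chosen placeholders. DRY_RUN=1 prints commands instead of running them.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 1: DNS authorization, then show the record to create by hand.
create_dns_authorization() {   # AUTHZ DOMAIN
    run gcloud certificate-manager dns-authorizations create "$1" --domain="$2" &&
    run gcloud certificate-manager dns-authorizations describe "$1" \
        --format="value(dnsResourceRecord.name,dnsResourceRecord.type,dnsResourceRecord.data)"
}

# Step 2: Google-managed certificate bound to that authorization.
create_certificate() {         # CERT DOMAIN AUTHZ
    run gcloud certificate-manager certificates create "$1" \
        --domains="$2" --dns-authorizations="$3"
}

# Reads the managed certificate state: PROVISIONING, ACTIVE or FAILED.
cert_state() {                 # CERT
    gcloud certificate-manager certificates describe "$1" \
        --format="value(managed.state)"
}

# Polls until ACTIVE. Exit codes: 0 active, 1 failed, 2 lookup error, 3 timeout.
wait_until_active() (          # CERT [TRIES] [DELAY_SECONDS]
    tries=${2:-30}
    while [ "$tries" -gt 0 ]; do
        state=$(cert_state "$1") || exit 2
        case $state in
            ACTIVE) exit 0 ;;
            FAILED) exit 1 ;;
        esac
        tries=$((tries - 1))
        sleep "${3:-20}"
    done
    exit 3
)

# Step 3: map and entry, created only once the certificate has validated.
create_map() {                 # MAP ENTRY CERT HOSTNAME
    wait_until_active "$3" || return $?
    run gcloud certificate-manager maps create "$1" &&
    run gcloud certificate-manager maps entries create "$2" \
        --map="$1" --certificates="$3" --hostname="$4"
}
```

Gating the map on an ACTIVE certificate means the name entered in the DuploCloud Plan never points at a certificate that is still provisioning or has failed validation.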
Click the Options Menu on the top row of the Services page, as in the example below. Select Enable Docker Shell. The Start Shell Service pane displays.
Install the OpenVPN Connect application on your local machine.
Download the OpenVPN user profile for your account from the link labeled Yourself (user-locked profile).
Click Connect.
SSL certificates secure connections between clients and servers or Load Balancers by encrypting information sent over the network using Transport Layer Security (TLS). GCP users have two options to configure SSL certificates: Compute Engine SSL certificates resource (compute engine certificates) and Certificate Manager (certificate maps). For more information, see the Google Cloud documentation about the different and .