docs: Add AWS NAT Gateway example (#5543)

- Adds the AWS equivalent of our GCP scalable NAT Gateway.
- Adds a new kb section `/kb/automate` that will contain various
automation / IaC (infrastructure-as-code) recipes going forward. It's better to have these
guides in the main docs with all the other info.

~~Will update the GCP example in another PR.~~

Portal helper docs in the gateway deploy page will come in another PR
after this is merged.
Jamil
2024-06-27 21:05:38 -07:00
committed by GitHub
parent d529ace29c
commit fc8d89ea73
32 changed files with 943 additions and 298 deletions


@@ -103,12 +103,18 @@ product documentation, organized as follows:
- [kotlin/](../kotlin/android): Android / ChromeOS clients.
- [website/](../website): Marketing website and product documentation.
- [terraform/](../terraform): Terraform files for various example deployments.
- [terraform/examples/google-cloud/nat_gateway](../terraform/examples/google-cloud/nat_gateway):
Example Terraform configurations for deploying a cluster of Firezone
gateways behind a NAT gateway on GCP with single egress IP.
- [terraform/examples/google-cloud/nat-gateway](../terraform/examples/google-cloud/nat-gateway):
Example Terraform configuration for deploying a cluster of Firezone Gateways
behind a NAT gateway on GCP with single egress IP.
- [terraform/examples/aws/nat-gateway](../terraform/examples/aws/nat-gateway):
Example Terraform configuration for deploying a cluster of Firezone Gateways
behind a NAT gateway on AWS with single egress IP.
- [terraform/modules/google-cloud/apps/gateway-region-instance-group](../terraform/modules/google-cloud/apps/gateway-region-instance-group):
Production-ready Terraform module for deploying regional Firezone gateways
Production-ready Terraform module for deploying regional Firezone Gateways
to Google Cloud Compute using Regional Instance Groups.
- [terraform/modules/aws/firezone-gateway](../terraform/modules/aws/firezone-gateway):
Production-ready Terraform module for deploying Firezone Gateways to AWS
using Auto Scaling Groups.
## Quickstart

1
terraform/examples/.gitignore vendored Normal file

@@ -0,0 +1 @@
**/.terraform.*
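Review bot: `**/.terraform.*` only matches `.terraform.lock.hcl` and `.terraform.tfstate.lock.info`; it leaves `.terraform/` provider caches, `*.tfstate` and `*.tfvars` unignored, and those are exactly the files that would carry the Gateway token in plaintext if someone runs `terraform apply` inside one of these example directories (Terraform stores `sensitive` values unredacted in state). Consider adding `**/.terraform/`, `**/*.tfstate*` and `**/*.tfvars` here. Whether the lock file should be ignored at all is a separate choice — committing it pins provider checksums for the examples, which is generally the recommended practice.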


@@ -8,9 +8,16 @@ Gateways to your infrastructure.
Each example below is self-contained and includes a `README.md` with
instructions on how to deploy the example.
### AWS
- [NAT Gateway](./aws/nat-gateway): This example shows how to deploy one or more
Firezone Gateways in a single AWS VPC that is configured with a NAT Gateway
for egress. Read this if you're looking to deploy Firezone Gateways behind a
single, shared static IP address on AWS.
### Google Cloud Platform (GCP)
- [NAT Gateway](./google-cloud/nat_gateway): This example shows how to deploy
- [NAT Gateway](./google-cloud/nat-gateway): This example shows how to deploy
one or more Firezone Gateways in a single GCP VPC that is configured with a
Cloud NAT for egress. Read this if you're looking to deploy Firezone Gateways
behind a single, shared static IP address on GCP.


@@ -0,0 +1,4 @@
# Deploy Firezone on AWS with Terraform
See [our docs for a detailed guide](/kb/automate/terraform/aws) on deploying
Firezone on AWS with Terraform using this example.


@@ -0,0 +1,168 @@
module "gateway_aws_example" {
source = "github.com/firezone/firezone/terraform/modules/aws/firezone-gateway"
###################
# Required inputs #
###################
# Generate a token from the admin portal in Sites -> <site> -> Deploy Gateway.
# Only one token is needed for the cluster.
firezone_token = "YOUR_FIREZONE_TOKEN"
# Pick an AMI to use. We recommend Ubuntu LTS or Amazon Linux 2.
base_ami = data.aws_ami_ids.ubuntu.ids[0]
# Attach the Gateways to your VPC and subnets.
vpc = aws_vpc.main.id
public_subnet = aws_subnet.public.id
private_subnet = aws_subnet.private.id
instance_security_groups = [
aws_security_group.instance.id
]
###################
# Optional inputs #
###################
# Deploy a specific version of the Gateway. Generally, we recommend using the latest version.
# firezone_version = "latest"
# Override the default API URL. This should almost never be needed.
# firezone_api_url = "wss://api.firezone.dev"
# Gateways are very lightweight.
# See https://www.firezone.dev/kb/deploy/gateways#sizing-recommendations.
# instance_type = "t3.nano"
# We recommend a minimum of 3 instances for high availability.
# min_size = 3
# max_size = 5
# desired_capacity = 3
}
data "aws_ami_ids" "ubuntu" {
owners = ["099720109477"] # Canonical
filter {
name = "name"
values = ["ubuntu/images/hvm-ssd/ubuntu-*-22.04-amd64-server-*"]
}
}
provider "aws" {
# Change this to your desired region
region = "us-east-1"
}
resource "aws_vpc" "main" {
cidr_block = "172.16.0.0/16"
enable_dns_support = true
enable_dns_hostnames = true
}
resource "aws_subnet" "public" {
vpc_id = aws_vpc.main.id
cidr_block = "172.16.0.0/24"
map_public_ip_on_launch = true
}
resource "aws_subnet" "private" {
vpc_id = aws_vpc.main.id
cidr_block = "172.16.1.0/24"
}
resource "aws_internet_gateway" "gw" {
vpc_id = aws_vpc.main.id
}
resource "aws_eip" "nat" {
domain = "vpc"
}
resource "aws_nat_gateway" "nat" {
allocation_id = aws_eip.nat.id
subnet_id = aws_subnet.public.id
}
resource "aws_route_table" "public" {
vpc_id = aws_vpc.main.id
route {
cidr_block = "0.0.0.0/0"
gateway_id = aws_internet_gateway.gw.id
}
}
resource "aws_route_table" "private" {
vpc_id = aws_vpc.main.id
route {
cidr_block = "0.0.0.0/0"
nat_gateway_id = aws_nat_gateway.nat.id
}
}
resource "aws_route_table_association" "public" {
subnet_id = aws_subnet.public.id
route_table_id = aws_route_table.public.id
}
resource "aws_route_table_association" "private" {
subnet_id = aws_subnet.private.id
route_table_id = aws_route_table.private.id
}
resource "aws_security_group" "instance" {
vpc_id = aws_vpc.main.id
// allow SSH from other machines on the subnet
ingress {
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = [
aws_subnet.private.cidr_block,
aws_subnet.public.cidr_block
]
}
egress {
from_port = 0
to_port = 65535
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
}
}
resource "aws_security_group" "instance_connect" {
name = "allow egress to all vpc subnets"
description = "Security group to allow SSH to vpc subnets. Created for use with EC2 Instance Connect Endpoint."
vpc_id = aws_vpc.main.id
egress {
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = [
aws_subnet.private.cidr_block,
aws_subnet.public.cidr_block
]
}
}
resource "aws_ec2_instance_connect_endpoint" "instance_connect_endpoint" {
subnet_id = aws_subnet.public.id
preserve_client_ip = false
security_group_ids = [
aws_security_group.instance_connect.id
]
tags = {
Name = "firezone-gateway-instance-connect-endpoint"
}
}
output "nat_public_ip" {
description = "The public IP of the NAT gateway"
value = aws_eip.nat.public_ip
}
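Review bot: The `instance` security group's egress rule allows only TCP (`protocol = "tcp"`, ports 0–65535), so any UDP the Gateway needs for its tunnels or NAT traversal is dropped at the instance before it ever reaches the NAT Gateway — the GCP example in this same commit allows `protocol = "all"` egress. Unless the Gateway is confirmed TCP-only against its documented port requirements, change the rule to `protocol = "-1"`, `from_port = 0`, `to_port = 0`. `firezone_token = "YOUR_FIREZONE_TOKEN"` is a plaintext literal in a file users are expected to copy and commit; the module already marks that input `sensitive`, so the example should declare its own `variable "firezone_token"` with `sensitive = true` and read it from `TF_VAR_firezone_token` or an ignored `.tfvars`, with a note that it still lands unredacted in state. The provider docs recommend `depends_on = [aws_internet_gateway.gw]` on `aws_nat_gateway.nat` (the NAT Gateway needs the IGW attachment to exist first), and neither subnet pins an `availability_zone`, so the "3 instances for high availability" guidance gives no zone redundancy. The module `source` also carries no `?ref=`, so the example tracks whatever is on the repository's default branch.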


@@ -0,0 +1,4 @@
# Deploy Firezone on GCP with Terraform
See [our docs for a detailed guide](/kb/automate/terraform/gcp) on deploying
Firezone on GCP with Terraform using this example.


@@ -0,0 +1,212 @@
module "gateway_gcp_example" {
source = "github.com/firezone/firezone/terraform/modules/google-cloud/apps/gateway-region-instance-group"
# If you are changing this example along with the module, you should use the local path:
# source = "../../../modules/google-cloud/apps/gateway-region-instance-group"
project_id = var.project_id
compute_network = google_compute_network.firezone.id
compute_subnetwork = google_compute_subnetwork.firezone.id
compute_instance_replicas = var.replicas
compute_instance_type = var.machine_type
compute_region = var.region
# Since we are behind a NAT gateway, we don't need public IP addresses
# to be automatically provisioned for the instances
compute_provision_public_ipv6_address = false
compute_provision_public_ipv4_address = false
vsn = "latest"
observability_log_level = "info"
token = var.token
}
################################################################################
## Google Cloud Project
################################################################################
variable "project_id" {
type = string
description = "Google Cloud Project ID"
}
################################################################################
## Compute
################################################################################
variable "region" {
type = string
description = "Region to deploy the Gateway(s) in."
}
variable "replicas" {
type = number
description = "Number of Gateway replicas to deploy in the availability zone."
default = 3
}
variable "machine_type" {
type = string
default = "n1-standard-1"
}
################################################################################
## Observability
################################################################################
variable "log_level" {
type = string
nullable = false
default = "info"
description = "Sets RUST_LOG environment variable to configure the Gateway's log level. Default: 'info'."
}
################################################################################
## Firezone
################################################################################
variable "token" {
type = string
description = "Gateway token to use for authentication."
}
variable "subnet_cidr" {
type = string
description = "CIDR Range to use for subnet where Gateway(s) are deployed"
}
provider "google" {
project = var.project_id
region = var.region
}
resource "google_project_service" "compute-api" {
project = var.project_id
service = "compute.googleapis.com"
}
resource "google_service_account" "firezone" {
account_id = "firezone-gateway"
display_name = "Firezone Gateway Service Account"
}
# We create a new network and subnetwork. In real-world scenarios,
# you would likely use an existing ones where your application is deployed.
resource "google_compute_network" "firezone" {
name = "firezone-gateway"
auto_create_subnetworks = false
enable_ula_internal_ipv6 = true
depends_on = [google_project_service.compute-api]
}
resource "google_compute_subnetwork" "firezone" {
project = var.project_id
name = "firezone-gateways"
stack_type = "IPV4_IPV6"
ip_cidr_range = var.subnet_cidr
region = var.region
network = google_compute_network.firezone.id
ipv6_access_type = "INTERNAL"
private_ip_google_access = true
}
# Allocate IPv4 addresses for the NAT gateway
resource "google_compute_address" "ipv4" {
project = var.project_id
name = "firezone-gateway-nat-ipv4"
ip_version = "IPV4"
}
# Create a router and NAT to allow outbound traffic
resource "google_compute_router" "firezone" {
name = "firezone-gateway-router"
network = google_compute_network.firezone.id
}
resource "google_compute_router_nat" "firezone" {
name = "firezone-gateway-nat"
router = google_compute_router.firezone.name
nat_ip_allocate_option = "MANUAL_ONLY"
nat_ips = [
google_compute_address.ipv4.self_link,
]
source_subnetwork_ip_ranges_to_nat = "LIST_OF_SUBNETWORKS"
subnetwork {
name = google_compute_subnetwork.firezone.id
source_ip_ranges_to_nat = ["ALL_IP_RANGES"]
}
}
# Configure Firewall to allow outbound traffic
resource "google_compute_firewall" "gateways-egress-ipv4" {
project = var.project_id
name = "firezone-gateways-egress-ipv4"
network = google_compute_network.firezone.id
direction = "EGRESS"
target_tags = module.gateways.target_tags
destination_ranges = ["0.0.0.0/0"]
allow {
protocol = "all"
}
}
resource "google_compute_firewall" "gateways-egress-ipv6" {
project = var.project_id
name = "firezone-gateways-egress-ipv6"
network = google_compute_network.firezone.id
direction = "EGRESS"
target_tags = module.gateways.target_tags
destination_ranges = ["::/0"]
allow {
protocol = "all"
}
}
# Allow SSH access to the gateways. This is optional but helpful for debugging
# and administration of the gateways. Since they're not publicly accessible,
# you need to tunnel through IAP:
#
# gcloud compute instances list --project <PROJECT_ID>
# gcloud compute ssh --tunnel-through-iap --project <PROJECT_ID> gateway-XXXX
resource "google_compute_firewall" "ssh-rule" {
name = "allow-gateways-ssh"
network = google_compute_network.firezone.id
allow {
protocol = "tcp"
ports = ["22"]
}
target_tags = module.gateways.target_tags
source_ranges = ["35.235.240.0/20"] // IAP CIDR
}
output "static_ip_addresses" {
value = [google_compute_address.ipv4.address]
}
terraform {
required_providers {
google = {
source = "hashicorp/google"
version = "5.20"
}
}
}
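Review bot: The module is now named `gateway_gcp_example`, but all three firewall rules still reference `module.gateways.target_tags` (the `target_tags` lines in `gateways-egress-ipv4`, `gateways-egress-ipv6` and `ssh-rule`), so `terraform validate` should fail on an undeclared module; each should read `target_tags = module.gateway_gcp_example.target_tags`. The consolidated `variable "token"` also dropped the `sensitive = true` that the deleted `variables.tf` carried, which means the Gateway token would now be printed in plan/apply output and error messages — restore it. Minor: `variable "log_level"` is declared but the module is passed the literal `observability_log_level = "info"`, so the variable has no effect; pass `var.log_level` or drop it. `google_service_account.firezone` is likewise never referenced in this file.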


@@ -1,40 +0,0 @@
provider "google" {
project = var.project_id
region = var.region
}
resource "google_project_service" "compute-api" {
project = var.project_id
service = "compute.googleapis.com"
}
resource "google_service_account" "firezone" {
account_id = "firezone-gateway"
display_name = "Firezone Gateway Service Account"
}
module "gateways" {
source = "github.com/firezone/firezone/terraform/modules/google-cloud/apps/gateway-region-instance-group"
# If you are changing this example along with the module, you should use the local path:
# source = "../../../modules/google-cloud/apps/gateway-region-instance-group"
project_id = var.project_id
compute_network = google_compute_network.firezone.id
compute_subnetwork = google_compute_subnetwork.firezone.id
compute_instance_replicas = var.replicas
compute_instance_type = var.machine_type
compute_region = var.region
# Since we are behind a NAT gateway, we don't need public IP addresses
# to be automatically provisioned for the instances
compute_provision_public_ipv6_address = false
compute_provision_public_ipv4_address = false
vsn = "latest"
observability_log_level = "info"
token = var.token
}


@@ -1,103 +0,0 @@
# We create a new network and subnetwork. In real-world scenarios,
# you would likely use an existing ones where your application is deployed.
resource "google_compute_network" "firezone" {
name = "firezone-gateway"
auto_create_subnetworks = false
enable_ula_internal_ipv6 = true
depends_on = [google_project_service.compute-api]
}
resource "google_compute_subnetwork" "firezone" {
project = var.project_id
name = "firezone-gateways"
stack_type = "IPV4_IPV6"
ip_cidr_range = var.subnet_cidr
region = var.region
network = google_compute_network.firezone.id
ipv6_access_type = "INTERNAL"
private_ip_google_access = true
}
# Allocate IPv4 addresses for the NAT gateway
resource "google_compute_address" "ipv4" {
project = var.project_id
name = "firezone-gateway-nat-ipv4"
ip_version = "IPV4"
}
# Create a router and NAT to allow outbound traffic
resource "google_compute_router" "firezone" {
name = "firezone-gateway-router"
network = google_compute_network.firezone.id
}
resource "google_compute_router_nat" "firezone" {
name = "firezone-gateway-nat"
router = google_compute_router.firezone.name
nat_ip_allocate_option = "MANUAL_ONLY"
nat_ips = [
google_compute_address.ipv4.self_link,
]
source_subnetwork_ip_ranges_to_nat = "LIST_OF_SUBNETWORKS"
subnetwork {
name = google_compute_subnetwork.firezone.id
source_ip_ranges_to_nat = ["ALL_IP_RANGES"]
}
}
# Configure Firewall to allow outbound traffic
resource "google_compute_firewall" "gateways-egress-ipv4" {
project = var.project_id
name = "firezone-gateways-egress-ipv4"
network = google_compute_network.firezone.id
direction = "EGRESS"
target_tags = module.gateways.target_tags
destination_ranges = ["0.0.0.0/0"]
allow {
protocol = "all"
}
}
resource "google_compute_firewall" "gateways-egress-ipv6" {
project = var.project_id
name = "firezone-gateways-egress-ipv6"
network = google_compute_network.firezone.id
direction = "EGRESS"
target_tags = module.gateways.target_tags
destination_ranges = ["::/0"]
allow {
protocol = "all"
}
}
# Allow SSH access to the gateways. This is optional but helpful for debugging
# and administration of the gateways. Since they're not publicly accessible,
# you need to tunnel through IAP:
#
# gcloud compute instances list --project <PROJECT_ID>
# gcloud compute ssh --tunnel-through-iap --project <PROJECT_ID> gateway-XXXX
resource "google_compute_firewall" "ssh-rule" {
name = "allow-gateways-ssh"
network = google_compute_network.firezone.id
allow {
protocol = "tcp"
ports = ["22"]
}
target_tags = module.gateways.target_tags
source_ranges = ["35.235.240.0/20"] // IAP CIDR
}


@@ -1,3 +0,0 @@
output "static_ip_addresses" {
value = [google_compute_address.ipv4.address]
}


@@ -1,55 +0,0 @@
################################################################################
## Google Cloud Project
################################################################################
variable "project_id" {
type = string
description = "Google Cloud Project ID"
}
################################################################################
## Compute
################################################################################
variable "region" {
type = string
description = "Region to deploy the Gateway(s) in."
}
variable "replicas" {
type = number
description = "Number of Gateway replicas to deploy in the availability zone."
default = 3
}
variable "machine_type" {
type = string
default = "n1-standard-1"
}
################################################################################
## Observability
################################################################################
variable "log_level" {
type = string
nullable = false
default = "info"
description = "Sets RUST_LOG environment variable to configure the Gateway's log level. Default: 'info'."
}
################################################################################
## Firezone
################################################################################
variable "token" {
type = string
description = "Gateway token to use for authentication."
sensitive = true
}
variable "subnet_cidr" {
type = string
description = "CIDR Range to use for subnet where Gateway(s) are deployed"
}


@@ -1,8 +0,0 @@
terraform {
required_providers {
google = {
source = "hashicorp/google"
version = "5.20"
}
}
}


@@ -0,0 +1,54 @@
resource "aws_launch_configuration" "lc" {
name = "firezone-gateway-lc"
image_id = var.base_ami
instance_type = var.instance_type
security_groups = var.instance_security_groups
associate_public_ip_address = false
lifecycle {
create_before_destroy = true
}
user_data = <<-EOF
#!/bin/bash
set -e
sudo apt-get update
sudo apt-get install -y curl uuid-runtime
FIREZONE_TOKEN="${var.firezone_token}" \
FIREZONE_VERSION="${var.firezone_version}" \
FIREZONE_NAME="${var.firezone_name}" \
FIREZONE_ID="$(uuidgen)" \
FIREZONE_API_URL="${var.firezone_api_url}" \
bash <(curl -fsSL https://raw.githubusercontent.com/firezone/firezone/main/scripts/gateway-systemd-install.sh)
EOF
}
resource "aws_autoscaling_group" "asg" {
desired_capacity = var.desired_capacity
max_size = var.max_size
min_size = var.min_size
vpc_zone_identifier = [var.private_subnet]
launch_configuration = aws_launch_configuration.lc.id
tag {
key = "Name"
value = "firezone-gateway-instance"
propagate_at_launch = true
}
dynamic "tag" {
for_each = var.extra_tags
content {
key = tag.value.key
propagate_at_launch = tag.value.propagate_at_launch
value = tag.value.value
}
}
lifecycle {
create_before_destroy = true
}
}
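Review bot: The Gateway token is rendered into `user_data`, which is readable from inside the instance through the metadata endpoint and by anyone with `ec2:DescribeLaunchConfigurations`; the launch configuration should at least require IMDSv2 (`metadata_options { http_tokens = "required" }`), and the module docs should state that the token lives in user-data and in state, with a Parameter Store / Secrets Manager lookup by instance role as the stronger option. The install step runs an unpinned script from the `main` branch as root on every scale-out (`bash <(curl -fsSL …/main/scripts/gateway-systemd-install.sh)`), so a push to that file changes what every new instance executes — pin it to a release tag or commit and verify a checksum; note too that with process substitution a failed `curl` leaves `set -e` nothing to fail on, so the instance comes up silently without a Gateway. `name = "firezone-gateway-lc"` combined with `create_before_destroy = true` cannot handle updates: launch configurations are immutable, so any change (new token, version, AMI) tries to create a second configuration with the same name and fails — use `name_prefix`, as the provider docs recommend. The `apt-get` calls assume a Debian-based AMI, which contradicts the example's "Ubuntu LTS or Amazon Linux 2" comment, and as far as I know AWS has deprecated launch configurations in favor of launch templates, which would also be worth a note.
```terraform
resource "aws_launch_configuration" "lc" {
  name_prefix = "firezone-gateway-lc-"
  # … unchanged: image_id, instance_type, security_groups, associate_public_ip_address …

  # Require IMDSv2 so user-data (which carries the Gateway token) cannot be
  # read with a plain unauthenticated GET against 169.254.169.254.
  metadata_options {
    http_tokens = "required"
  }

  # … unchanged: lifecycle, user_data …
}
```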


@@ -0,0 +1,85 @@
variable "base_ami" {
description = "The base AMI for the instances"
type = string
}
variable "instance_type" {
description = "The instance type"
type = string
default = "t3.nano"
}
variable "desired_capacity" {
description = "The desired number of instances"
type = number
default = 3
}
variable "min_size" {
description = "The minimum number of instances"
type = number
default = 3
}
variable "max_size" {
description = "The maximum number of instances"
type = number
default = 5
}
variable "firezone_token" {
description = "The Firezone token"
type = string
nullable = false
sensitive = true
}
variable "firezone_version" {
description = "The Gateway version to deploy"
type = string
default = "latest"
}
variable "firezone_name" {
description = "Name for the Gateways used in the admin portal"
type = string
default = "$(hostname)"
}
variable "firezone_api_url" {
description = "The Firezone API URL"
type = string
default = "wss://api.firezone.dev"
}
variable "vpc" {
description = "The VPC id to use"
type = string
}
variable "private_subnet" {
description = "The private subnet id"
type = string
}
variable "public_subnet" {
description = "The public subnet id"
type = string
}
variable "instance_security_groups" {
description = "The security group ids to attach to the instances"
type = list(string)
}
variable "extra_tags" {
description = "Extra tags for the Auto Scaling group"
type = map(object({
key = string
value = string
propagate_at_launch = bool
}))
default = {}
}
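Review bot: `firezone_name`, `firezone_version` and `firezone_api_url` are spliced unescaped into the bash `user_data` heredoc in `main.tf` (`FIREZONE_NAME="${var.firezone_name}"` and so on) — the default `"$(hostname)"` only works because of that shell expansion, so any value containing `"`, `$(` or a backtick is executed as root at boot. That is the operator's own input, so the exposure is limited, but it should be stated in each description and guarded with a `validation` block; the one below for `firezone_name` shows the pattern. `vpc` and `public_subnet` are declared here but not referenced by the module's `main.tf` in this commit — if no other module file uses them, drop them rather than advertise inputs that do nothing. A `validation` of `max_size >= min_size` would also turn an apply-time ASG rejection into a plan-time error (cross-variable validation needs Terraform ≥ 1.9).
```terraform
variable "firezone_name" {
  description = "Name for the Gateways used in the admin portal. Expanded by the shell inside user_data, so the default $(hostname) works; other command substitutions and quotes are rejected."
  type        = string
  default     = "$(hostname)"

  validation {
    condition     = var.firezone_name == "$(hostname)" || can(regex("^[A-Za-z0-9._ -]+$", var.firezone_name))
    error_message = "firezone_name is interpolated into a shell script; use letters, digits, '.', '_', '-' and spaces, or the default $(hostname)."
  }
}
```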


@@ -0,0 +1,38 @@
<?xml version="1.0" encoding="utf-8"?>
<!-- Generator: Adobe Illustrator 19.0.1, SVG Export Plug-In . SVG Version: 6.00 Build 0) -->
<svg version="1.1" id="Layer_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
viewBox="0 0 304 182" style="enable-background:new 0 0 304 182;" xml:space="preserve">
<style type="text/css">
.st0{fill:#252F3E;}
.st1{fill-rule:evenodd;clip-rule:evenodd;fill:#FF9900;}
</style>
<g>
<path class="st0" d="M86.4,66.4c0,3.7,0.4,6.7,1.1,8.9c0.8,2.2,1.8,4.6,3.2,7.2c0.5,0.8,0.7,1.6,0.7,2.3c0,1-0.6,2-1.9,3l-6.3,4.2
c-0.9,0.6-1.8,0.9-2.6,0.9c-1,0-2-0.5-3-1.4C76.2,90,75,88.4,74,86.8c-1-1.7-2-3.6-3.1-5.9c-7.8,9.2-17.6,13.8-29.4,13.8
c-8.4,0-15.1-2.4-20-7.2c-4.9-4.8-7.4-11.2-7.4-19.2c0-8.5,3-15.4,9.1-20.6c6.1-5.2,14.2-7.8,24.5-7.8c3.4,0,6.9,0.3,10.6,0.8
c3.7,0.5,7.5,1.3,11.5,2.2v-7.3c0-7.6-1.6-12.9-4.7-16c-3.2-3.1-8.6-4.6-16.3-4.6c-3.5,0-7.1,0.4-10.8,1.3c-3.7,0.9-7.3,2-10.8,3.4
c-1.6,0.7-2.8,1.1-3.5,1.3c-0.7,0.2-1.2,0.3-1.6,0.3c-1.4,0-2.1-1-2.1-3.1v-4.9c0-1.6,0.2-2.8,0.7-3.5c0.5-0.7,1.4-1.4,2.8-2.1
c3.5-1.8,7.7-3.3,12.6-4.5c4.9-1.3,10.1-1.9,15.6-1.9c11.9,0,20.6,2.7,26.2,8.1c5.5,5.4,8.3,13.6,8.3,24.6V66.4z M45.8,81.6
c3.3,0,6.7-0.6,10.3-1.8c3.6-1.2,6.8-3.4,9.5-6.4c1.6-1.9,2.8-4,3.4-6.4c0.6-2.4,1-5.3,1-8.7v-4.2c-2.9-0.7-6-1.3-9.2-1.7
c-3.2-0.4-6.3-0.6-9.4-0.6c-6.7,0-11.6,1.3-14.9,4c-3.3,2.7-4.9,6.5-4.9,11.5c0,4.7,1.2,8.2,3.7,10.6
C37.7,80.4,41.2,81.6,45.8,81.6z M126.1,92.4c-1.8,0-3-0.3-3.8-1c-0.8-0.6-1.5-2-2.1-3.9L96.7,10.2c-0.6-2-0.9-3.3-0.9-4
c0-1.6,0.8-2.5,2.4-2.5h9.8c1.9,0,3.2,0.3,3.9,1c0.8,0.6,1.4,2,2,3.9l16.8,66.2l15.6-66.2c0.5-2,1.1-3.3,1.9-3.9c0.8-0.6,2.2-1,4-1
h8c1.9,0,3.2,0.3,4,1c0.8,0.6,1.5,2,1.9,3.9l15.8,67l17.3-67c0.6-2,1.3-3.3,2-3.9c0.8-0.6,2.1-1,3.9-1h9.3c1.6,0,2.5,0.8,2.5,2.5
c0,0.5-0.1,1-0.2,1.6c-0.1,0.6-0.3,1.4-0.7,2.5l-24.1,77.3c-0.6,2-1.3,3.3-2.1,3.9c-0.8,0.6-2.1,1-3.8,1h-8.6c-1.9,0-3.2-0.3-4-1
c-0.8-0.7-1.5-2-1.9-4L156,23l-15.4,64.4c-0.5,2-1.1,3.3-1.9,4c-0.8,0.7-2.2,1-4,1H126.1z M254.6,95.1c-5.2,0-10.4-0.6-15.4-1.8
c-5-1.2-8.9-2.5-11.5-4c-1.6-0.9-2.7-1.9-3.1-2.8c-0.4-0.9-0.6-1.9-0.6-2.8v-5.1c0-2.1,0.8-3.1,2.3-3.1c0.6,0,1.2,0.1,1.8,0.3
c0.6,0.2,1.5,0.6,2.5,1c3.4,1.5,7.1,2.7,11,3.5c4,0.8,7.9,1.2,11.9,1.2c6.3,0,11.2-1.1,14.6-3.3c3.4-2.2,5.2-5.4,5.2-9.5
c0-2.8-0.9-5.1-2.7-7c-1.8-1.9-5.2-3.6-10.1-5.2L246,52c-7.3-2.3-12.7-5.7-16-10.2c-3.3-4.4-5-9.3-5-14.5c0-4.2,0.9-7.9,2.7-11.1
c1.8-3.2,4.2-6,7.2-8.2c3-2.3,6.4-4,10.4-5.2c4-1.2,8.2-1.7,12.6-1.7c2.2,0,4.5,0.1,6.7,0.4c2.3,0.3,4.4,0.7,6.5,1.1
c2,0.5,3.9,1,5.7,1.6c1.8,0.6,3.2,1.2,4.2,1.8c1.4,0.8,2.4,1.6,3,2.5c0.6,0.8,0.9,1.9,0.9,3.3v4.7c0,2.1-0.8,3.2-2.3,3.2
c-0.8,0-2.1-0.4-3.8-1.2c-5.7-2.6-12.1-3.9-19.2-3.9c-5.7,0-10.2,0.9-13.3,2.8c-3.1,1.9-4.7,4.8-4.7,8.9c0,2.8,1,5.2,3,7.1
c2,1.9,5.7,3.8,11,5.5l14.2,4.5c7.2,2.3,12.4,5.5,15.5,9.6c3.1,4.1,4.6,8.8,4.6,14c0,4.3-0.9,8.2-2.6,11.6
c-1.8,3.4-4.2,6.4-7.3,8.8c-3.1,2.5-6.8,4.3-11.1,5.6C264.4,94.4,259.7,95.1,254.6,95.1z"/>
<g>
<path class="st1" d="M273.5,143.7c-32.9,24.3-80.7,37.2-121.8,37.2c-57.6,0-109.5-21.3-148.7-56.7c-3.1-2.8-0.3-6.6,3.4-4.4
c42.4,24.6,94.7,39.5,148.8,39.5c36.5,0,76.6-7.6,113.5-23.2C274.2,133.6,278.9,139.7,273.5,143.7z"/>
<path class="st1" d="M287.2,128.1c-4.2-5.4-27.8-2.6-38.5-1.3c-3.2,0.4-3.7-2.4-0.8-4.5c18.8-13.2,49.7-9.4,53.3-5
c3.6,4.5-1,35.4-18.6,50.2c-2.7,2.3-5.3,1.1-4.1-1.9C282.5,155.7,291.4,133.4,287.2,128.1z"/>
</g>
</g>
</svg>



@@ -0,0 +1 @@
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 181 28"><defs><style>.cls-1{fill:#ea4335;}.cls-2{fill:#4285f4;}.cls-3{fill:#34a853;}.cls-4{fill:#fbbc05;}.cls-5{fill:#5f6368;}</style></defs><path class="cls-1" d="M21.85,7.41l1,0,2.85-2.85.14-1.21A12.81,12.81,0,0,0,5,9.6a1.55,1.55,0,0,1,1-.06l5.7-.94s.29-.48.44-.45a7.11,7.11,0,0,1,9.73-.74Z"/><path class="cls-2" d="M29.76,9.6a12.84,12.84,0,0,0-3.87-6.24l-4,4A7.11,7.11,0,0,1,24.5,13v.71a3.56,3.56,0,1,1,0,7.12H17.38l-.71.72v4.27l.71.71H24.5A9.26,9.26,0,0,0,29.76,9.6Z"/><path class="cls-3" d="M10.25,26.49h7.12v-5.7H10.25a3.54,3.54,0,0,1-1.47-.32l-1,.31L4.91,23.63l-.25,1A9.21,9.21,0,0,0,10.25,26.49Z"/><path class="cls-4" d="M10.25,8A9.26,9.26,0,0,0,4.66,24.6l4.13-4.13a3.56,3.56,0,1,1,4.71-4.71l4.13-4.13A9.25,9.25,0,0,0,10.25,8Z"/><path class="cls-5" d="M52.79,22.51a9.11,9.11,0,0,1-6.6-2.71,8.8,8.8,0,0,1-2.77-6.52,8.81,8.81,0,0,1,2.77-6.52A9.11,9.11,0,0,1,52.79,4a8.84,8.84,0,0,1,6.33,2.55L57.34,8.36a6.41,6.41,0,0,0-4.55-1.8,6.34,6.34,0,0,0-4.7,2,6.53,6.53,0,0,0-1.93,4.75A6.53,6.53,0,0,0,48.09,18a6.71,6.71,0,0,0,9.36.11A5.32,5.32,0,0,0,58.82,15h-6V12.44h8.49A8.12,8.12,0,0,1,61.41,14a8,8,0,0,1-2.19,5.9A8.51,8.51,0,0,1,52.79,22.51Zm19.74-1.7a6.12,6.12,0,0,1-8.47,0,5.7,5.7,0,0,1-1.73-4.25,5.71,5.71,0,0,1,1.73-4.25,6.13,6.13,0,0,1,8.47,0,5.71,5.71,0,0,1,1.73,4.25A5.7,5.7,0,0,1,72.52,20.81Zm-6.6-1.67a3.24,3.24,0,0,0,4.73,0,3.56,3.56,0,0,0,1-2.58,3.57,3.57,0,0,0-1-2.59,3.29,3.29,0,0,0-4.75,0,3.57,3.57,0,0,0-1,2.59A3.56,3.56,0,0,0,65.92,19.14Zm19.62,1.67a6.12,6.12,0,0,1-8.47,0,5.7,5.7,0,0,1-1.73-4.25,5.71,5.71,0,0,1,1.73-4.25,6.12,6.12,0,0,1,8.47,0,5.71,5.71,0,0,1,1.73,4.25A5.7,5.7,0,0,1,85.55,20.81Zm-6.6-1.67a3.24,3.24,0,0,0,4.73,0,3.56,3.56,0,0,0,1-2.58,3.57,3.57,0,0,0-1-2.59,3.29,3.29,0,0,0-4.75,0,3.57,3.57,0,0,0-1,2.59A3.56,3.56,0,0,0,78.94,19.14Zm15.16,8.71a5.24,5.24,0,0,1-3.33-1.06,6.13,6.13,0,0,1-1.94-2.46l2.28-.95a3.84,3.84,0,0,0,1.13,1.49,2.85,2.85,0,0,0,1.87.63,3,3,0,0,0,2.33-.9A3.65,3.65,0,0,0,97.28,22v-.86h-.09a3.
81,3.81,0,0,1-3.13,1.35,5.43,5.43,0,0,1-4-1.74,5.75,5.75,0,0,1-1.71-4.19,5.81,5.81,0,0,1,1.71-4.22,5.42,5.42,0,0,1,4-1.75A4.3,4.3,0,0,1,95.9,11a3.7,3.7,0,0,1,1.3.95h.09V11h2.48V21.65a6.21,6.21,0,0,1-1.59,4.65A5.6,5.6,0,0,1,94.11,27.85Zm.18-7.68a2.91,2.91,0,0,0,2.26-1,3.7,3.7,0,0,0,.91-2.56A3.78,3.78,0,0,0,96.55,14a2.9,2.9,0,0,0-2.26-1,3.09,3.09,0,0,0-2.34,1,3.65,3.65,0,0,0-1,2.59,3.58,3.58,0,0,0,1,2.56A3.1,3.1,0,0,0,94.29,20.17Zm9.89-15.5V22.15h-2.61V4.67Zm7.16,17.84a5.68,5.68,0,0,1-4.21-1.71,5.79,5.79,0,0,1-1.69-4.24,5.86,5.86,0,0,1,1.63-4.28,5.36,5.36,0,0,1,4-1.67,5.05,5.05,0,0,1,2,.39,4.71,4.71,0,0,1,1.53,1,7,7,0,0,1,1,1.21,7.15,7.15,0,0,1,.59,1.17l.27.68-8,3.29a3,3,0,0,0,2.88,1.8,3.41,3.41,0,0,0,2.93-1.65l2,1.35a6.59,6.59,0,0,1-1.92,1.82A5.44,5.44,0,0,1,111.34,22.51ZM108,16.38l5.32-2.21a1.84,1.84,0,0,0-.83-.91,2.71,2.71,0,0,0-1.37-.35,3.09,3.09,0,0,0-2.15.95A3.17,3.17,0,0,0,108,16.38Z"/><path class="cls-5" d="M130.13,22.51a8.24,8.24,0,0,1-8.38-8.43,8.24,8.24,0,0,1,8.38-8.43,7.46,7.46,0,0,1,5.93,2.64l-1.44,1.4a5.44,5.44,0,0,0-4.48-2.05,6.11,6.11,0,0,0-4.45,1.78,6.24,6.24,0,0,0-1.81,4.66,6.24,6.24,0,0,0,1.81,4.66,6.11,6.11,0,0,0,4.45,1.78,6.36,6.36,0,0,0,5-2.34l1.44,1.44a7.86,7.86,0,0,1-2.77,2.11A8.48,8.48,0,0,1,130.13,22.51Z"/><path class="cls-5" d="M140.45,22.15h-2.07V6h2.07Z"/><path class="cls-5" d="M143.83,12.43a5.79,5.79,0,0,1,8.16,0,5.85,5.85,0,0,1,1.6,4.2,5.85,5.85,0,0,1-1.6,4.2,5.79,5.79,0,0,1-8.16,0,5.85,5.85,0,0,1-1.6-4.2A5.85,5.85,0,0,1,143.83,12.43Zm1.54,7.1a3.49,3.49,0,0,0,5.07,0,4,4,0,0,0,1.07-2.9,4,4,0,0,0-1.07-2.9,3.49,3.49,0,0,0-5.07,0,4,4,0,0,0-1.07,2.9A4,4,0,0,0,145.38,19.52Z"/><path class="cls-5" d="M165.06,22.15h-2V20.62H163A3.85,3.85,0,0,1,161.54,22a4.08,4.08,0,0,1-2.05.55,3.89,3.89,0,0,1-3.14-1.26,5,5,0,0,1-1.07-3.38V11.11h2.07v6.42q0,3.09,2.73,3.09a2.54,2.54,0,0,0,2.1-1,3.77,3.77,0,0,0,.81-2.39V11.11h2.07Z"/><path class="cls-5" 
d="M172.09,22.51a4.86,4.86,0,0,1-3.7-1.69,6,6,0,0,1-1.55-4.19,6,6,0,0,1,1.55-4.19,4.86,4.86,0,0,1,3.7-1.69,4.69,4.69,0,0,1,2.26.54,3.83,3.83,0,0,1,1.5,1.35h.09l-.09-1.53V6h2.07V22.15h-2V20.62h-.09a3.83,3.83,0,0,1-1.5,1.35A4.69,4.69,0,0,1,172.09,22.51Zm.34-1.89a3.3,3.3,0,0,0,2.49-1.08,4.05,4.05,0,0,0,1-2.91,4.05,4.05,0,0,0-1-2.91,3.38,3.38,0,0,0-5,0,4,4,0,0,0-1,2.9,4,4,0,0,0,1,2.9A3.3,3.3,0,0,0,172.43,20.62Z"/></svg>



@@ -0,0 +1,7 @@
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 250 60.15">
<path class="text" fill="#000" d="M77.35 7.86V4.63h-3v3.23h-1.46V.11h1.51v3.25h3V.11h1.51v7.75zm7 0h-1.2l-.11-.38a3.28 3.28 0 0 1-1.7.52c-1.06 0-1.52-.7-1.52-1.66 0-1.14.51-1.57 1.7-1.57h1.4v-.62c0-.62-.18-.84-1.11-.84a8.46 8.46 0 0 0-1.61.17L80 2.42a7.89 7.89 0 0 1 2-.26c1.83 0 2.37.62 2.37 2zm-1.43-2.11h-1.08c-.48 0-.61.13-.61.55s.13.56.59.56a2.37 2.37 0 0 0 1.1-.29zM87.43 8a7.12 7.12 0 0 1-2-.32l.2-1.07a6.77 6.77 0 0 0 1.73.24c.65 0 .74-.14.74-.56s-.07-.52-1-.73c-1.42-.33-1.59-.68-1.59-1.76s.49-1.65 2.16-1.65a8 8 0 0 1 1.75.2l-.14 1.11a10.66 10.66 0 0 0-1.6-.16c-.63 0-.74.14-.74.48s0 .48.82.68c1.63.41 1.78.62 1.78 1.77S89.19 8 87.43 8zm6.68-.11V4c0-.3-.13-.45-.47-.45a4.14 4.14 0 0 0-1.52.45v3.86h-1.46V0l1.46.22v2.47a5.31 5.31 0 0 1 2.13-.54c1 0 1.32.65 1.32 1.65v4.06zm2.68-6.38V.11h1.46v1.37zm0 6.38V2.27h1.46v5.59zm2.62-5.54c0-1.4.85-2.22 2.83-2.22a9.37 9.37 0 0 1 2.16.25l-.17 1.25a12.21 12.21 0 0 0-1.95-.2c-1 0-1.37.34-1.37 1.16V5.5c0 .81.33 1.16 1.37 1.16a12.21 12.21 0 0 0 1.95-.2l.17 1.25a9.37 9.37 0 0 1-2.16.25c-2 0-2.83-.81-2.83-2.22zM107.63 8c-2 0-2.53-1.06-2.53-2.2V4.36c0-1.15.54-2.2 2.53-2.2s2.53 1.06 2.53 2.2v1.41c.01 1.15-.53 2.23-2.53 2.23zm0-4.63c-.78 0-1.08.33-1.08 1v1.5c0 .63.3 1 1.08 1s1.08-.33 1.08-1V4.31c0-.63-.3-.96-1.08-.96zm6.64.09a11.57 11.57 0 0 0-1.54.81v3.6h-1.46v-5.6h1.23l.1.62a6.63 6.63 0 0 1 1.53-.73zM120.1 6a1.73 1.73 0 0 1-1.92 2 8.36 8.36 0 0 1-1.55-.16v2.26l-1.46.22v-8h1.16l.14.47a3.15 3.15 0 0 1 1.84-.59c1.17 0 1.79.67 1.79 1.94zm-3.48.63a6.72 6.72 0 0 0 1.29.15c.53 0 .73-.24.73-.75v-2c0-.46-.18-.71-.72-.71a2.11 2.11 0 0 0-1.3.51zM81.78 19.54h-8.89v-5.31H96.7v5.31h-8.9v26.53h-6z"/>
<path class="text" fill="#000" d="M102.19 41.77a24.39 24.39 0 0 0 7.12-1.1l.91 4.4a25 25 0 0 1-8.56 1.48c-7.31 0-9.85-3.39-9.85-9V31.4c0-4.92 2.2-9.08 9.66-9.08s9.13 4.35 9.13 9.37v5h-13v1.2c.05 2.78 1.05 3.88 4.59 3.88zM97.65 32h7.41v-1.18c0-2.2-.67-3.73-3.54-3.73s-3.87 1.53-3.87 3.73zm28.54-4.33a45.65 45.65 0 0 0-6.19 3.39v15h-5.83V22.79h4.92l.38 2.58a26.09 26.09 0 0 1 6.12-3.06zm14.24 0a45.65 45.65 0 0 0-6.17 3.39v15h-5.83V22.79h4.92l.38 2.58a26.09 26.09 0 0 1 6.12-3.06zm19.51 18.4h-4.78l-.43-1.58a12.73 12.73 0 0 1-6.93 2.06c-4.25 0-6.07-2.92-6.07-6.93 0-4.73 2.06-6.55 6.79-6.55h5.59v-2.44c0-2.58-.72-3.49-4.45-3.49a32.53 32.53 0 0 0-6.45.72l-.72-4.45a30.38 30.38 0 0 1 8-1.1c7.31 0 9.47 2.58 9.47 8.41zm-5.83-8.8h-4.3c-1.91 0-2.44.53-2.44 2.29s.53 2.34 2.34 2.34a9.18 9.18 0 0 0 4.4-1.2zm23.75-19.79a17.11 17.11 0 0 0-3.35-.38c-2.29 0-2.63 1-2.63 2.77v2.92h5.93l-.33 4.64h-5.59v18.64h-5.83V27.43h-3.73v-4.64h3.73v-3.25c0-4.83 2.25-7.22 7.41-7.22a18.47 18.47 0 0 1 5 .67zm11.38 29.07c-8 0-10.13-4.4-10.13-9.18v-5.88c0-4.78 2.15-9.18 10.13-9.18s10.13 4.4 10.13 9.18v5.88c.01 4.78-2.15 9.18-10.13 9.18zm0-19.27c-3.11 0-4.3 1.39-4.3 4v6.26c0 2.63 1.2 4 4.3 4s4.3-1.39 4.3-4V31.3c0-2.63-1.19-4.02-4.3-4.02zm25.14.39a45.65 45.65 0 0 0-6.17 3.39v15h-5.83V22.79h4.92l.38 2.58a26.08 26.08 0 0 1 6.12-3.06zm16.02 18.4V29.82c0-1.24-.53-1.86-1.86-1.86a16.08 16.08 0 0 0-6.07 2v16.11h-5.83V22.79h4.45l.57 2a23.32 23.32 0 0 1 9.34-2.48 4.42 4.42 0 0 1 4.4 2.49 22.83 22.83 0 0 1 9.37-2.49c3.87 0 5.26 2.72 5.26 6.88v16.88h-5.83V29.82c0-1.24-.53-1.86-1.86-1.86a15.43 15.43 0 0 0-6.07 2v16.11z"/>
<path class="rect-dark" fill="#4040B2" d="M36.4 20.2v18.93l16.4-9.46V10.72L36.4 20.2z"/>
<path class="rect-light" fill="#5C4EE5" d="M18.2 10.72l16.4 9.48v18.93l-16.4-9.47V10.72z"/>
<path class="rect-light" fill="#5C4EE5" d="M0 .15v18.94l16.4 9.47V9.62L0 .15zm18.2 50.53l16.4 9.47V41.21l-16.4-9.47v18.94z"/>
</svg>


@@ -0,0 +1,6 @@
"use client";
import Content from "./readme.mdx";
export default function _Page() {
return <Content />;
}


@@ -0,0 +1,17 @@
import { Metadata } from "next";
import _Page from "./_page";
import LastUpdated from "@/components/LastUpdated";
export const metadata: Metadata = {
title: "Automate • Firezone Docs",
description: "Automation recipes for deploying and managing Firezone.",
};
export default function Page() {
return (
<>
<_Page />
<LastUpdated dirname={__dirname} />
</>
);
}


@@ -0,0 +1,49 @@
import SupportOptions from "@/components/SupportOptions";
import Alert from "@/components/DocsAlert";
import Image from "next/image";
import Link from "next/link";
import NextStep from "@/components/NextStep";
import { KbCards, KbCard } from "@/components/KbCards";
import { FaPlus } from "react-icons/fa";
# Automate Firezone
These guides contain automation recipes for deploying Firezone using various
infrastructure as code (IaC) tools.
## Get started
Follow one of the guides below to setup a production-ready deployment of
Firezone on your infrastructure.
<KbCards>
<KbCard
title="Deploy Firezone on AWS"
href="/kb/automate/terraform/aws"
logo={
<div>
<Image width={200} height={200} alt="Terraform" src="/images/kb/automate/terraform-logo.svg" className="mx-auto mb-8" />
<FaPlus size={32} className="mx-auto mb-8" />
<Image width={100} height={100} alt="AWS" src="/images/kb/automate/aws-logo.svg" className="mx-auto mb-8" />
</div>
}>
Deploy a scalable cluster of Firezone Gateways behind a NAT gateway on AWS
with a single egress IP.
</KbCard>
<KbCard
title="Deploy Firezone on GCP"
href="/kb/automate/terraform/gcp"
logo={
<div>
<Image width={200} height={200} alt="Terraform" src="/images/kb/automate/terraform-logo.svg" className="mx-auto mb-8" />
<FaPlus size={32} className="mx-auto mb-8" />
<Image width={220} height={220} alt="GCP" src="/images/kb/automate/gcp-logo.svg" className="mx-auto mb-8" />
</div>
}>
Deploy a scalable cluster of Firezone Gateways behind a Cloud NAT on GCP
with a single egress IP.
</KbCard>
</KbCards>
<SupportOptions />


@@ -0,0 +1,6 @@
"use client";
import Content from "./readme.mdx";
export default function _Page() {
return <Content />;
}


@@ -0,0 +1,17 @@
import { Metadata } from "next";
import _Page from "./_page";
import LastUpdated from "@/components/LastUpdated";
export const metadata: Metadata = {
title: "Deploy Firezone on AWS • Firezone Docs",
description: "Example Terraform configuration to deploy Firezone on AWS.",
};
export default function Page() {
return (
<>
<_Page />
<LastUpdated dirname={__dirname} />
</>
);
}


@@ -0,0 +1,87 @@
import SupportOptions from "@/components/SupportOptions";
import Alert from "@/components/DocsAlert";
# Deploy Firezone on AWS with Terraform
In this guide, we'll deploy a cluster of Firezone Gateways in a private subnet
on AWS that are configured to egress traffic to the internet through an AWS
[NAT Gateway](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html).
## Common use cases
Use this guide to give your Firezone Clients a static, public IP address for
egress traffic to particular Resource(s). Here are some common use cases for
this example:
- Use an IP allowlist to access a third-party or partner application such as a
client's DB or third-party API.
- Use an IP allowlist with your identity provider to lock down access to a
public application.
- Enabling a team of remote contractors access to a regionally-locked
application or service.
## High availability
All Firezone Gateways deployed in this example will automatically failover and
load balance for each other.
## Prerequisites
1. [Terraform](https://www.terraform.io/downloads.html)
1. [AWS account](https://aws.amazon.com/) with the necessary permissions to
create the resources.
1. A [Firezone Site](https://www.firezone.dev/kb/deploy/sites) dedicated to use
for this example. This Site should contain **only** the Firezone Gateway(s)
deployed in this example and any associated Resources.
1. A Firezone Gateway token. See
[Multiple Gateways](/kb/deploy/gateways#deploy-multiple-gateways) for
instructions on how to obtain a Firezone Gateway token that can be used
across multiple instances.
## Sizing
Simply update the number of `desired_capacity` to deploy more or fewer Firezone
Gateways. There's no limit to the number of Firezone Gateways you can deploy in
a single VPC. A basic AutoScaling Group is provisioned as part of the linked
module.
We've tested with `t3.nano` instances which still work quite well for most
applications. However, you may want to consider a larger instance type if you
have a high volume of traffic or lots of concurrent connections.
## Deployment
1. [Download](https://raw.githubusercontent.com/firezone/firezone/main/terraform/examples/aws/nat-gateway/main.tf)
the `main.tf` from the example module.
1. Customize it as desired. At a minimum, you will need to set the
`firezone_token` and change `base_ami` and `region` to match your
environment.
1. Run `terraform init` to initialize the working directory and download the
required providers.
1. Run `terraform apply` to deploy the Firezone Gateway(s) into your AWS
project.
You can see the IP addresses assigned to the NAT Gateway in the Terraform
output. These are the IP addresses that your Firezone Gateway(s) will share to
egress traffic.
## Upgrading
To upgrade the Firezone Gateway(s) to the latest version, simply update the
`token` and issue a `terraform apply` which will trigger a redeployment of the
Firezone Gateway(s).
This will incur a few minutes of downtime as Terraform destroys the existing
Firezone Gateway(s) and deploys new ones in their place.
## Output
`nat_public_ip` will contain the public IP address of the NAT Gateway you can
use to whitelist your Firezone Gateway(s) in your third-party or partner
application.
# Cleanup
To clean up the resources created by this example, run `terraform destroy`.
<SupportOptions />


@@ -0,0 +1,6 @@
"use client";
import Content from "./readme.mdx";
export default function _Page() {
return <Content />;
}


@@ -0,0 +1,18 @@
import { Metadata } from "next";
import _Page from "./_page";
import LastUpdated from "@/components/LastUpdated";
export const metadata: Metadata = {
title: "Deploy Firezone on GCP • Firezone Docs",
description:
"Example Terraform configuration to deploy Firezone on Google Cloud Platform.",
};
export default function Page() {
return (
<>
<_Page />
<LastUpdated dirname={__dirname} />
</>
);
}


@@ -1,4 +1,8 @@
# GCP NAT Gateway Example
import SupportOptions from "@/components/SupportOptions";
import Alert from "@/components/DocsAlert";
import Image from "next/image";
# Deploy Firezone on GCP with Terraform
In this example, we will deploy one or more Firezone Gateways in a single VPC on
Google Cloud Platform (GCP) that are configured to egress traffic through a
@@ -31,12 +35,12 @@ load balance for each other. No other configuration is necessary.
1. [Google Cloud Platform (GCP) account](https://cloud.google.com/)
1. [Google Cloud SDK](https://cloud.google.com/sdk/docs/install)
1. [Enable the Compute Engine API](https://console.cloud.google.com/flows/enableapi?apiid=compute.googleapis.com)
1. A [Firezone Site](https://www.firezone.dev/kb/deploy/sites) dedicated to use
for this example. This Site should contain **only** the Firezone Gateway(s)
deployed in this example and any associated Resources.
1. A [Firezone Site](/kb/deploy/sites) dedicated to use for this example. This
Site should contain **only** the Firezone Gateway(s) deployed in this example
and any associated Resources.
1. A Firezone Gateway token. See
[Multiple Gateways](https://www.firezone.dev/kb/deploy/gateways#deploy-multiple-gateways)
for instructions on how to obtain a Firezone Gateway token that can be used
[Multiple Gateways](/kb/deploy/gateways#deploy-multiple-gateways) for
instructions on how to obtain a Firezone Gateway token that can be used
across multiple instances.
## Sizing
@@ -51,6 +55,8 @@ have a high volume of traffic or lots of concurrent connections.
## Deployment
1. [Download](https://raw.githubusercontent.com/firezone/firezone/main/terraform/examples/google-cloud/nat_gateway/main.tf)
the `main.tf` from the example module.
1. Configure the necessary Terraform
[variables](https://developer.hashicorp.com/terraform/language/values/variables).
Here's an example `terraform.tfvars` you can use as a starting point:
@@ -78,11 +84,13 @@ You can verify all Firezone Gateways are using this IP by viewing the Site in
the Firezone admin portal, where you should now see the Firezone Gateway(s)
listed as `Online`.
<center>
![Online Gateways](./online-gateways.png)
</center>
<Image
src="/images/kb/automate/terraform/gcp/online-gateways.png"
alt="Online Gateways"
width={1200}
height={1200}
className="rounded shadow mx-auto"
/>
## Upgrading


@@ -125,11 +125,10 @@ Resources in a Site. This effectively shards Client connections across all
Gateways in a Site, achieving higher overall throughput than otherwise possible
with a single Gateway.
#### Deploy using Terraform
### Automated Gateway deployment
See our
[Terraform examples](https://github.com/firezone/firezone/tree/main/terraform/examples)
for deploying and scaling Gateways using Terraform on various cloud providers.
See [our automation recipes](/kb/automate) for deploying Gateways on various
cloud providers using Terraform.
### Keeping Gateways up to date


@@ -329,8 +329,8 @@ export default function Page() {
</div>
<div className="mx-auto px-4 mt-8 max-w-screen-lg grid sm:grid-cols-2 gap-8 lg:gap-16">
<div className="p-4">
<div className="grid grid-cols-2 gap-4">
<div className="flex flex-col p-4">
<div className="mb-12 grid grid-cols-2 gap-4">
<div className="p-4 flex items-center justify-center bg-white rounded-lg border border-2 border-neutral-200">
<AppleIcon size={12} href="/kb/user-guides/macos-client">
<span className="inline-block pt-4 w-full text-center">
@@ -374,74 +374,80 @@ export default function Page() {
</AppleIcon>
</div>
</div>
<p className="mt-4 md:mt-8 text-md md:text-xl tracking-tight md:text-justify">
Clients are available for every major platform, require no
configuration, and stay connected even when switching WiFi
networks.
</p>
<p className="mt-4">
<ActionLink
className="underline hover:no-underline text-md md:text-xl tracking-tight font-medium text-accent-500"
href="/kb/user-guides"
>
Download Client apps
</ActionLink>
</p>
</div>
<div className="p-4">
<div className="py-0.5 flex flex-col justify-between space-y-8 md:space-y-12">
<div className="mx-8 md:mx-16 flex justify-start">
<Image
width={200}
height={200}
alt="Gateway"
src="/images/docker.svg"
/>
</div>
<div className="mx-8 md:mx-16 flex justify-end">
<Image
width={200}
height={200}
alt="Gateway"
src="/images/terraform.svg"
/>
</div>
<div className="mx-8 md:mx-16 flex justify-start">
<Image
width={200}
height={200}
alt="Gateway"
src="/images/kubernetes.svg"
/>
</div>
<div className="mx-8 md:mx-16 flex justify-end">
<Image
width={200}
height={200}
alt="Gateway"
src="/images/pulumi.svg"
/>
</div>
<div className="mt-auto">
<p className="text-md md:text-xl tracking-tight md:text-justify">
Clients are available for every major platform, require no
configuration, and stay connected even when switching WiFi
networks.
</p>
<p className="mt-4">
<ActionLink
className="underline hover:no-underline text-md md:text-xl tracking-tight font-medium text-accent-500"
href="/kb/user-guides"
>
Download Client apps
</ActionLink>
</p>
</div>
</div>
<div className="flex flex-col p-4">
<div className="mb-12">
<div className="py-0.5 flex flex-col justify-between space-y-8 md:space-y-12">
<div className="mx-8 md:mx-16 flex justify-start">
<Image
width={200}
height={200}
alt="Gateway"
src="/images/docker.svg"
/>
</div>
<div className="mx-8 md:mx-16 flex justify-end">
<Image
width={200}
height={200}
alt="Gateway"
src="/images/terraform.svg"
/>
</div>
<div className="mx-8 md:mx-16 flex justify-start">
<Image
width={200}
height={200}
alt="Gateway"
src="/images/kubernetes.svg"
/>
</div>
<div className="mx-8 md:mx-16 flex justify-end">
<Image
width={200}
height={200}
alt="Gateway"
src="/images/pulumi.svg"
/>
</div>
</div>
<pre className="mt-4 md:mt-8 text-xs p-2 bg-neutral-900 rounded shadow text-neutral-50 text-wrap">
<code>
<strong>FIREZONE_TOKEN</strong>=&lt;your-token&gt; \<br /> ./
<strong>firezone-gateway</strong>
</code>
</pre>
</div>
<div className="mt-auto">
<p className="text-md md:text-xl tracking-tight md:text-justify">
Gateways are lightweight Linux binaries you deploy anywhere you
need access. Just configure a token with your preferred
orchestration tool and you're done.
</p>
<p className="mt-4">
<ActionLink
className="underline hover:no-underline text-md md:text-xl tracking-tight font-medium text-accent-500"
href="/kb/deploy/gateways"
>
Deploy your first Gateway
</ActionLink>
</p>
</div>
<pre className="mt-4 md:mt-8 text-xs p-2 bg-neutral-900 rounded shadow text-neutral-50 text-wrap">
<code>
<strong>FIREZONE_TOKEN</strong>=&lt;your-token&gt; \<br /> ./
<strong>firezone-gateway</strong>
</code>
</pre>
<p className="mt-4 md:mt-8 text-md md:text-xl tracking-tight md:text-justify">
Gateways are lightweight Linux binaries you deploy anywhere you
need access. Just configure a token with your preferred
orchestration tool and you're done.
</p>
<p className="mt-4">
<ActionLink
className="underline hover:no-underline text-md md:text-xl tracking-tight font-medium text-accent-500"
href="/kb/deploy/gateways"
>
Deploy your first Gateway
</ActionLink>
</p>
</div>
</div>
</section>


@@ -0,0 +1,35 @@
import { Route } from "next";
import Link from "next/link";
export function KbCard({
title,
href,
logo,
children,
}: {
title: string;
href: Route<string>;
logo: React.ReactNode;
children: React.ReactNode;
}) {
return (
<Link
href={href}
className="flex flex-col p-6 hover:shadow rounded border-2 hover:border-accent-200 hover:bg-accent-100 transition duration-100"
>
<h3 className="text-neutral-800 text-xl font-semibold tracking-tight mb-12">
{title}
</h3>
{logo}
<div className="mt-auto tracking-tight">{children}</div>
</Link>
);
}
export function KbCards({ children }: { children: React.ReactNode }) {
return (
<div className="not-format grid grid-cols-1 gap-8 sm:grid-cols-2 lg:grid-cols-3">
{children}
</div>
);
}
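Review bot: The two exported components in this new file, `KbCard` and `KbCards`, have no documentation, so a reader landing on the `/kb/automate` page has to open this file to learn what `logo` and `children` are expected to hold. A short JSDoc above each would do: for `KbCard`, `/** Clickable card linking to a KB page: `title` heading, an arbitrary `logo` node, and `children` as the short description shown at the bottom. */`, and for `KbCards`, `/** Responsive grid container for a set of `KbCard`s (1/2/3 columns by breakpoint). */`. The `Route<string>` type on `href` already restricts links to known routes, which is worth stating in the `KbCard` comment so future callers do not widen it to a plain `string`.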


@@ -117,6 +117,19 @@ export default function KbSidebar() {
</li>
</Collapse>
</li>
<li>
<Collapse expanded={p.startsWith("/kb/automate")} label="Automate">
<li>
<Item href="/kb/automate">Overview</Item>
</li>
<li>
<Item href="/kb/automate/terraform/aws">Terraform + AWS</Item>
</li>
<li>
<Item href="/kb/automate/terraform/gcp">Terraform + GCP</Item>
</li>
</Collapse>
</li>
<li className="ml-3 pt-3 border-t border-neutral-200 uppercase font-bold text-neutral-800">
Use Firezone
</li>