discriminat-ilb
ChaserSystems/discriminat-ilb/google
DiscrimiNAT Firewall is a transparent, proxy-less solution to discover & filter egress traffic by FQDNs in a Shared VPC on Google Cloud. Architecture with internal TCP load balancers as next hops.
README
DiscrimiNAT, ILB architecture

DiscrimiNAT Firewall is a transparent, proxy-less solution to discover & filter egress traffic by FQDNs in a Shared VPC on Google Cloud. Just specify the allowed destination hostnames in the respective applications' native Firewall Rules and DiscrimiNAT will take care of the rest. Watch our 3½ minute egress FQDN discovery video.

Architecture with internal TCP load balancers as next hops set as the default, and network tag based opt-out control.

Pentest Ready

DiscrimiNAT enforces the use of contemporary encryption standards such as TLS 1.2+ and SSH v2 with bidirectional in-band checks. Anything older or insecure will be denied connection automatically. Also conducts out-of-band checks, such as DNS, for rob
Inputs (23)
| Name | Type | Description | Default |
|---|---|---|---|
| subnetwork_name | string | The name of the subnetwork to deploy the DiscrimiNAT Firewall instances in. This | required |
| region | string | The region the specified subnetwork is to be found in. | required |
| project_id | string | The GCP Project ID for this deployment. For example: my-project-111222 | required |
| custom_service_account_email | string | Override with a specific, custom service account email in case support for archi | null |
| image_family | string | Reserved for use with Chaser support. Allows overriding the source image family | "discriminat" |
| zones_names | list(string) | Specific zones if you wish to override the default behaviour. If not overridden, | [] |
| custom_deployment_id | string | Override the randomly generated Deployment ID for this deployment. This is a uni | null |
| user_data_base64 | string | Strongly suggested to NOT run custom, startup scripts on the firewall instances. | null |
| image_auto_update | bool | Automatically look up and use the latest version of DiscrimiNAT image available | true |
| byol | string | If using the BYOL version from the marketplace, supply the licence key as suppli | null |
| ashr | bool | Automated System Health Reporting. See note in README to learn more. Set to `fal | true |
| machine_type | string | The default of `e2-small` should suffice for light to medium levels of usage. An | "e2-small" |
| mig_update_policy_type | string | OPPORTUNISTIC or PROACTIVE. Set to OPPORTUNISTIC to prevent a `terraform apply` | "PROACTIVE" |
| image_version | string | Reserved for use with Chaser support. Allows overriding the source image version | "2.20" |
| only_route_tags | list(string) | Restrict automatically created default route (to the Internet) to VMs with these | null |
| bypass_cidrs | map(map(string)) | Destination CIDRs that should be routed directly to the default internet gateway | { "gcp-grpc-direct-conn": { "descr |
| client_cidrs | list(string) | Additional CIDR blocks of clients which should be able to connect to, and hence | [ "10.0.0.0/8", "172.16.0.0/12", " |
| image_project | string | Reserved for use with Chaser support. Allows overriding the source image project | "chasersystems-public" |
| preferences | string | Default preferences. See docs at https://chasersystems.com/docs/discriminat/gcp/ | "{\n \"%default\": {\n \"wildcard_ex |
| labels | map(string) | Map of key-value label pairs to apply to resources created by this module. See e | {} |
| instances_per_zone | number | This can be set to a higher number if deployment is single-zone only, to achieve | 1 |
| mig_target_size | number | If left unset, automatically sets to the number of zones_names * instances_per_z | null |
| block-project-ssh-keys | bool | Strongly suggested to leave this to the default, that is to NOT allow project-wi | true |
Outputs (3)
opt_out_network_tag — The network tag for VMs needing to bypass DiscrimiNAT completely, such as bastion hosts. Such VMs sh
deployment_id — The unique identifier, forming a part of various resource names, for this deployment.
default_preferences — The default preferences supplied to DiscrimiNAT. See docs at https://chasersystems.com/docs/discrimi
Resources (10)