GoogleCloudPlatform / anthos-samples

Anthos code samples
https://cloud.google.com/anthos/docs
Apache License 2.0

Firewall config for Anthos BM on GCE #165

Open miticojo opened 2 years ago

miticojo commented 2 years ago

In my test on GCE I set the firewall to open the ports used; otherwise the ABM installation fails in the next step after the Terraform launch.

I would suggest adding a firewall ports setting step. If you agree I can prepare a PR for that.

bourgeoisor commented 2 years ago

Thank you for the feedback! What tutorial / sample is this referring to?

miticojo commented 2 years ago

I was testing Anthos BM on GCE as described here: https://cloud.google.com/anthos/clusters/docs/bare-metal/latest/try/gce-vms-tf#deploy_the_hybrid_cluster

In the doc we're saying:

After the Terraform execution completes you are ready to deploy the hybrid cluster.
Use SSH to connect to the admin host:
...

This doesn't work if you don't open the required firewall ports first.

So we could suggest changing the doc or preparing this step in the Terraform as a prerequisite (I think the second would be smoother for the UX).

bourgeoisor commented 2 years ago

Ok so this bit: https://github.com/GoogleCloudPlatform/anthos-samples/tree/main/anthos-bm-gcp-terraform . Thank you for the clarification, we will look at that.

Shabirmean commented 2 years ago

@miticojo - Are you working off of a fresh GCP project, or is it some specific environment which has guardrails? The scripts are used by the Getting Started Guide in the public docs. Thus, we try to keep them very minimalistic, assuming an audience based off of a fresh project. This helps us not add too many hooks to support different project environments.

miticojo commented 2 years ago

Yes, I tested in a fresh new project in a structured organization (with some limitations - for example, the default VPC is not created by default), but the issue I experienced was due to a lack of communication between machines to set up VXLAN between nodes. This problem was fixed by creating new incoming firewall rules for the nodes for the needed ports (outgoing is implicitly allowed).

Shabirmean commented 2 years ago

Ahh okay. So I see that the project was using a non-default VPC.

So what does the change look like? Adding a firewall rule that allows traffic to the listed ports? That sounds like a reasonable addition. Maybe the firewall rule can target the VM tags listed in the variables.

If it's just adding one extra step using the google_compute_firewall resource then it seems okay. Feel free to open a PR 🙂 .

Shabirmean commented 2 years ago

Also see another internal thread reporting a similar issue.

Shabirmean commented 1 year ago

@miticojo - do you think you will still be able to submit a PR for this improvement?
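A sketch of the google_compute_firewall step discussed in this thread, added here as an example; it is not code from the anthos-samples repository or from any PR in this issue. The variable names, the `abm-node` tag value and the TCP port list are assumptions/placeholders to be filled from the Anthos BM network requirements; UDP 4789 is the IANA-assigned VXLAN port. The rule is ingress-only (matching the comment that egress is implicitly allowed) and is scoped on both ends to the tagged node VMs rather than to 0.0.0.0/0, with firewall logging enabled so blocked node-to-node traffic is visible during troubleshooting.

```hcl
# Added example, not part of anthos-samples: node-to-node ingress rule for ABM
# VMs on GCE, scoped by network tag on both the source and the target side.

variable "network" {
  description = "VPC network the ABM VMs are attached to (assumed variable name)"
  type        = string
}

variable "abm_node_tag" {
  description = "Network tag applied to the ABM VMs (assumed; placeholder value)"
  type        = string
  default     = "abm-node"
}

variable "abm_tcp_ports" {
  description = "PLACEHOLDER: TCP ports from the Anthos BM network requirements"
  type        = list(string)
}

resource "google_compute_firewall" "abm_node_to_node" {
  name      = "abm-node-to-node"
  network   = var.network
  direction = "INGRESS"

  # Only VMs carrying the node tag may reach other tagged VMs on these ports;
  # nothing outside the cluster's VMs matches this rule.
  source_tags = [var.abm_node_tag]
  target_tags = [var.abm_node_tag]

  allow {
    protocol = "tcp"
    ports    = var.abm_tcp_ports
  }

  # VXLAN overlay between nodes (UDP 4789, the IANA-assigned VXLAN port).
  allow {
    protocol = "udp"
    ports    = ["4789"]
  }

  # Log matches so that missing-port problems like the one in this issue
  # show up in Cloud Logging instead of as a silent install failure.
  log_config {
    metadata = "INCLUDE_ALL_METADATA"
  }
}
```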