Example 258 fortigate perimeter package deploy procedure/verify for core lz unmanaged client

[fmichaelobrien]

updates

• review alternative serverless approach using https://cloud.google.com/blog/products/identity-security/introducing-google-cloud-firewall-plus-with-intrusion-prevention
• 20240125: move setup.sh to merge in phases in #766
• 20240220: investigate policy based routing for the hub-env package VPC - https://cloud.google.com/vpc/docs/policy-based-routes
• • refer to https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/issues/494 dev = root landing systems test = nuage finops dev.. nua.cl.o
• training https://www.cloudskillsboost.google/focuses/77469?catalog_rank=%7B%22rank%22%3A1%2C%22num_filters%22%3A0%2C%22has_search%22%3Atrue%7D&parent=catalog&search_id=29853894

FinOps: PAYG + GKE + GCE costs will be $80/day above the normal $10/day for the GKE cluster alone.

The client requires deployment of the #258 perimeter on top of the core lz with additional DNS zones TBD

Document and reuse on top of #420 and and #421 gcloud deployment testing later 2022 - #158 See pre-kcc deployment run in https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/issues/158

gcloud reference install: https://github.com/fortinet/fortigate-tutorial-gcp/issues/1

see https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/wiki/DevOps

graph LR;
    style LZV2 fill:#44f,stroke:#f66,stroke-width:2px,color:#fff,stroke-dasharray: 5 5
    %% mapped and documented
    project/hub-env-->core-landing-zone;
    client-setup;
    client-setup-->dns-project;
    client-setup-->kcc-management-project;
    client-landing-zone-->client-setup;
    client-project-setup-->client-landing-zone;
    client-project-setup-->client-management-project;
    gatekeeper-policies;

    kcc-management-project;
    core-landing-zone-->kcc-management-project;
    dns-project-->core-landing-zone;
    logging-project-->core-landing-zone;
    client-management-project-->client-setup;
    host-project-->client-landing-zone;

mermaid - diagrams as code See

• 20231027 clean org demo run of core-landing-zone and hub-env https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/issues/611

• 78

• 168

• 166

• 177

• 207

• 573

  todo:

• add client-landing-zone on top of existing core-landing-zone before hub-env

Package Inventory

• https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/tree/main/solutions/core-landing-zone
• https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/tree/main/solutions/client-landing-zone
• https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/tree/main/solutions/project/hub-env

https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/wiki/Architecture

Notes:

• .sh linter failures https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/issues/728

[fmichaelobrien]

add to setup.sh - Anoop's RBAC addition in https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/issues/834

766 deprecated this #446

[obriensystems]

Nat issue fixed by adding a restrictCloudNATUsage project level override for hub-env in https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/issues/837