Description
#!/bin/bash
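# Variables
# Active gcloud project. Captured for reference; it is not referenced anywhere
# else in the visible script, so every command relies on the gcloud default.
PROJECT_ID=$(gcloud config get-value project)

# Regions for the two backend instance groups, plus the region/zone of the
# load-test VM.
REGION_1="us-west1"
REGION_2="us-east4"
REGION_3="us-east1"
ZONE_3="us-east1-b"

# Network and firewall rule names. "default" is the auto-created VPC.
NETWORK="default"
FIREWALL_RULE_HTTP="default-allow-http"
FIREWALL_RULE_HEALTH="default-allow-health-check"

# Instance templates and managed instance groups (one pair per region).
TEMPLATE_1="us-west1-template"
TEMPLATE_2="us-east4-template"
MIG_1="us-west1-mig"
MIG_2="us-east4-mig"

# Load balancer components.
LB_NAME="http-lb"
BACKEND_SERVICE="http-backend"
HEALTH_CHECK="http-health-check"

# Load-test VM and the Cloud Armor policy that later denies its address.
SIEGE_VM="siege-vm"
SECURITY_POLICY="denylist-siege"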
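# Task 1: Configure HTTP and health check firewall rules
echo "Task 1: Configuring firewall rules..."

# Public HTTP ingress. 0.0.0.0/0 admits every IPv4 source, so the exposure is
# bounded only by --target-tags: the rule applies to instances tagged
# http-server and to nothing else on the network.
gcloud compute firewall-rules create "$FIREWALL_RULE_HTTP" \
  --network="$NETWORK" \
  --allow=tcp:80 \
  --source-ranges=0.0.0.0/0 \
  --target-tags=http-server

# Health-check ingress from Google's documented probe ranges.
# NOTE(review): --allow=tcp opens every TCP port to those ranges, while the
# health check created in Task 3 probes port 80 only; tcp:80 would be the
# least-privilege value if nothing else depends on the wider rule.
gcloud compute firewall-rules create "$FIREWALL_RULE_HEALTH" \
  --network="$NETWORK" \
  --allow=tcp \
  --source-ranges=130.211.0.0/22,35.191.0.0/16 \
  --target-tags=http-server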
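# Task 2: Configure instance templates and create instance groups
echo "Task 2: Configuring instance templates and creating instance groups..."

# One template per region. The http-server tag is what binds the Task 1
# firewall rules to these instances.
# NOTE(review): startup-script-url makes every instance fetch and run that
# object at boot, so whoever can write to that bucket path decides what the
# backends execute. Outside a lab, host the script in a bucket you control.
gcloud compute instance-templates create "$TEMPLATE_1" \
  --machine-type=e2-micro \
  --network="$NETWORK" \
  --subnet="$NETWORK" \
  --region="$REGION_1" \
  --tags=http-server \
  --metadata=startup-script-url=gs://cloud-training/gcpnet/httplb/startup.sh

gcloud compute instance-templates create "$TEMPLATE_2" \
  --machine-type=e2-micro \
  --network="$NETWORK" \
  --subnet="$NETWORK" \
  --region="$REGION_2" \
  --tags=http-server \
  --metadata=startup-script-url=gs://cloud-training/gcpnet/httplb/startup.sh

# Regional managed instance group in REGION_1: starts at one instance and
# autoscales to at most two on 80% CPU, with a 45-second cool-down.
gcloud compute instance-groups managed create "$MIG_1" \
  --template="$TEMPLATE_1" \
  --size=1 \
  --region="$REGION_1"

gcloud compute instance-groups managed set-autoscaling "$MIG_1" \
  --region="$REGION_1" \
  --max-num-replicas=2 \
  --target-cpu-utilization=0.80 \
  --cool-down-period=45

# Same configuration for REGION_2.
gcloud compute instance-groups managed create "$MIG_2" \
  --template="$TEMPLATE_2" \
  --size=1 \
  --region="$REGION_2"

gcloud compute instance-groups managed set-autoscaling "$MIG_2" \
  --region="$REGION_2" \
  --max-num-replicas=2 \
  --target-cpu-utilization=0.80 \
  --cool-down-period=45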
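#######################################
# Print a progress message, then pause for a fixed time.
# This is a plain delay: it does not poll gcloud for operation status.
# Arguments:
#   $1 - message to print
#   $2 - seconds to sleep (optional, defaults to 30)
# Outputs:
#   writes the message to stdout
#######################################
wait_for_operation() {
  local message=$1
  local sleep_time=${2:-30} # Default sleep time of 30 seconds if not specified

  # printf keeps a message such as "-n" from being read as an echo option.
  printf '%s\n' "$message"
  # Quoted so the duration always reaches sleep as a single argument.
  sleep "$sleep_time"
}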
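# Task 3: Configure the HTTP Load Balancer
echo "Task 3: Configuring the HTTP Load Balancer..."

# Check if health check exists, create if it doesn't.
# NOTE(review): &>/dev/null hides every describe failure, so an auth or API
# error is treated the same as "not found" and falls through to create.
if ! gcloud compute health-checks describe "$HEALTH_CHECK" --global &>/dev/null; then
  gcloud compute health-checks create tcp "$HEALTH_CHECK" --port=80
  wait_for_operation "Waiting for health check to be fully created..."
else
  echo "Health check $HEALTH_CHECK already exists."
fi

# Check if backend service exists, create if it doesn't; otherwise re-point
# the existing service at the health check.
if ! gcloud compute backend-services describe "$BACKEND_SERVICE" --global &>/dev/null; then
  gcloud compute backend-services create "$BACKEND_SERVICE" \
    --protocol=HTTP \
    --port-name=http \
    --health-checks="$HEALTH_CHECK" \
    --global
  wait_for_operation "Waiting for backend service to be fully created..."
else
  echo "Backend service $BACKEND_SERVICE already exists. Updating..."
  gcloud compute backend-services update "$BACKEND_SERVICE" \
    --health-checks="$HEALTH_CHECK" \
    --global
  wait_for_operation "Waiting for backend service to be fully updated..."
fi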
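#######################################
# Attach an instance group to a global backend service, or update the
# existing attachment if the group already appears in the service's health
# report.
# Arguments:
#   $1 - backend service name
#   $2 - instance group name
#   $3 - region of the instance group
#   $4 - balancing mode (the callers in this script pass RATE or UTILIZATION)
#   $5 - capacity flag passed through to gcloud, e.g.
#        "--max-rate-per-instance=50"
# Outputs:
#   progress messages on stdout, plus whatever gcloud prints
#######################################
add_or_update_backend() {
  local backend_service=$1
  local instance_group=$2
  local instance_group_region=$3
  local balancing_mode=$4
  local capacity_param=${5:-}
  local action
  local -a capacity_args=()

  # Split the capacity flag(s) on whitespace into an array: the same words
  # the unquoted expansion produced, but without pathname expansion.
  if [[ -n "$capacity_param" ]]; then
    read -r -a capacity_args <<<"$capacity_param"
  fi

  # -F matches the group name as a literal string rather than as a regex.
  # This is still a substring match on the get-health output, so a group
  # whose name is a prefix of another group's name would also match.
  if gcloud compute backend-services get-health "$backend_service" --global \
    | grep -qF -- "$instance_group"; then
    echo "Backend $instance_group already exists in $backend_service. Updating..."
    action=update-backend
  else
    echo "Adding backend $instance_group to $backend_service..."
    action=add-backend
  fi

  gcloud compute backend-services "$action" "$backend_service" \
    --instance-group="$instance_group" \
    --instance-group-region="$instance_group_region" \
    --balancing-mode="$balancing_mode" \
    "${capacity_args[@]}" \
    --global

  wait_for_operation "Waiting for backend to be fully added/updated..."
}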
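# Add or update backends: the first group is balanced by request rate, the
# second by utilization.
add_or_update_backend "$BACKEND_SERVICE" "$MIG_1" "$REGION_1" RATE "--max-rate-per-instance=50"
add_or_update_backend "$BACKEND_SERVICE" "$MIG_2" "$REGION_2" UTILIZATION "--max-utilization=0.8"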
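# Check if URL map exists, create if it doesn't; otherwise reset its default
# service to the backend service.
if ! gcloud compute url-maps describe "$LB_NAME" --global &>/dev/null; then
  gcloud compute url-maps create "$LB_NAME" --default-service "$BACKEND_SERVICE"
  wait_for_operation "Waiting for URL map to be fully created..."
else
  echo "URL map $LB_NAME already exists. Updating..."
  gcloud compute url-maps set-default-service "$LB_NAME" --default-service "$BACKEND_SERVICE"
  wait_for_operation "Waiting for URL map to be fully updated..."
fi

# Check if HTTP proxy exists, create if it doesn't; otherwise re-point it at
# the URL map.
if ! gcloud compute target-http-proxies describe "${LB_NAME}-proxy" --global &>/dev/null; then
  gcloud compute target-http-proxies create "${LB_NAME}-proxy" --url-map="$LB_NAME"
  wait_for_operation "Waiting for HTTP proxy to be fully created..."
else
  echo "HTTP proxy $LB_NAME-proxy already exists. Updating..."
  gcloud compute target-http-proxies update "${LB_NAME}-proxy" --url-map="$LB_NAME"
  wait_for_operation "Waiting for HTTP proxy to be fully updated..."
fi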
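# Check if forwarding rules exist, create if they don't.
# NOTE(review): both rules expose plain HTTP on port 80 through a
# target-http-proxy, so traffic to the load balancer is unencrypted. A
# deployment that carries real data would front the same backend with an
# HTTPS proxy and a certificate.
if ! gcloud compute forwarding-rules describe "${LB_NAME}-forwarding-rule-ipv4" --global &>/dev/null; then
  gcloud compute forwarding-rules create "${LB_NAME}-forwarding-rule-ipv4" \
    --global \
    --target-http-proxy="${LB_NAME}-proxy" \
    --ports=80 \
    --ip-version=IPV4
  wait_for_operation "Waiting for IPv4 forwarding rule to be fully created..."
else
  echo "IPv4 forwarding rule $LB_NAME-forwarding-rule-ipv4 already exists."
fi

if ! gcloud compute forwarding-rules describe "${LB_NAME}-forwarding-rule-ipv6" --global &>/dev/null; then
  gcloud compute forwarding-rules create "${LB_NAME}-forwarding-rule-ipv6" \
    --global \
    --target-http-proxy="${LB_NAME}-proxy" \
    --ports=80 \
    --ip-version=IPV6
  wait_for_operation "Waiting for IPv6 forwarding rule to be fully created..."
else
  echo "IPv6 forwarding rule $LB_NAME-forwarding-rule-ipv6 already exists."
fi

# Fixed 60-second pause before the load balancer is used.
wait_for_operation "Waiting for all load balancer components to be fully propagated..." 60
echo "HTTP Load Balancer configuration completed."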
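# Task 4: Test the HTTP Load Balancer
echo "Task 4: Testing the HTTP Load Balancer..."
LB_IP_V4=$(gcloud compute forwarding-rules describe "${LB_NAME}-forwarding-rule-ipv4" --global --format="get(IPAddress)")
LB_IP_V6=$(gcloud compute forwarding-rules describe "${LB_NAME}-forwarding-rule-ipv6" --global --format="get(IPAddress)")
echo "Load Balancer IPv4: $LB_IP_V4"
echo "Load Balancer IPv6: $LB_IP_V6"

# Create siege-vm
gcloud compute instances create "$SIEGE_VM" \
  --zone="$ZONE_3" \
  --machine-type=e2-medium

# Wait for the instance to be ready
sleep 60

# Install siege and run the test.
# The address is interpolated into a command line that a remote shell will
# run, so it is checked to be a dotted quad first. This also prevents a load
# test against an empty "http://" target when the lookup above failed.
if [[ "$LB_IP_V4" =~ ^[0-9]+(\.[0-9]+){3}$ ]]; then
  # \$LB_IP is escaped so that the remote shell expands it after the export.
  # Unescaped, the local shell would expand it, and LB_IP is never set locally.
  gcloud compute ssh "$SIEGE_VM" --zone="$ZONE_3" --command="sudo apt-get update && sudo apt-get install -y siege && export LB_IP=${LB_IP_V4} && siege -c 150 -t120s http://\$LB_IP"
else
  echo "Load balancer IPv4 address is missing or malformed; skipping the siege run." >&2
fi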
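# Task 5: Denylist the siege-vm
echo "Task 5: Denylisting the siege-vm..."

# External (NAT) address of the load-test VM.
# NOTE(review): unless a static address was reserved this is an ephemeral IP,
# so the deny rule can go stale if the VM is stopped and started again.
SIEGE_IP=$(gcloud compute instances describe "$SIEGE_VM" --zone="$ZONE_3" --format="get(networkInterfaces[0].accessConfigs[0].natIP)")

# Without an address the deny rule below cannot be created, so stop here
# rather than attach a policy that blocks nothing.
if [[ -z "$SIEGE_IP" ]]; then
  echo "Could not determine the external IP of $SIEGE_VM; security policy not created." >&2
  exit 1
fi

gcloud compute security-policies create "$SECURITY_POLICY" \
  --description "Denylist for siege-vm"

# Priority 1000 deny rule: requests from the siege VM's address get HTTP 403.
# All other sources fall through to the policy's default rule.
gcloud compute security-policies rules create 1000 \
  --security-policy "$SECURITY_POLICY" \
  --description "Deny siege-vm" \
  --src-ip-ranges "$SIEGE_IP" \
  --action "deny-403"

# Attach the policy to the backend service so the load balancer enforces it.
gcloud compute backend-services update "$BACKEND_SERVICE" \
  --security-policy "$SECURITY_POLICY" \
  --global

echo "Script completed. Please check the Google Cloud Console for details and to verify the setup."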