This guide is intended for IT infrastructure architects and DevOps professionals responsible for deploying or enabling Web Access on Google Cloud Platform (GCP).
This guide applies to Nasuni Edge Appliance 10.1 and later.
Introduction
The Google HTTPS load balancer secures access to a Web Access instance. Benefits include certificate generation and renewal via the GCP platform.
NOTE: Google offers three types of load balancers: Classic, Regional, and Global. This document is for Global load balancers. Regional load balancers are not recommended.
Prerequisites
Nasuni Support must set the Restrict Session IP account setting to False.
Deploy an Edge Appliance to GCP and join the Edge Appliance to the NMC.
A public FQDN for your instance and a corresponding SSL or TLS server certificate.
Access to DNS to set up the FQDN.
Creating an SSL Policy
Create an SSL policy. For details, see SSL policies for HTTPS and SSL proxy load balancers.
To create an SSL policy, follow these steps:
On the Google Cloud Platform, navigate to ☰ Navigation menu → View all products → Networking → Network Services → SSL Policies.
Click Create policy.
Enter a Name for the SSL policy.
From the “Minimum TLS version” drop-down list, select the minimum TLS version that the load balancer will negotiate TLS with. It is recommended that you use only the latest TLS versions.
From the Profile drop-down list, select the set of cipher suites that the load balancer can use. It is recommended that you use only the latest ciphers.
Click Create.
The SSL policy is created and appears in the list of SSL policies.
Creating an Instance Group
Create an instance group.
To create an instance group, follow these steps:
On the Google Cloud Platform, navigate to ☰ Navigation menu → Compute Engine → Instance groups.
Click Create Instance Group.
From the left menu panel, select New unmanaged instance group.
Enter a Name for the instance group.
Select the same Region, Zone, Network and Subnetwork as the current Web Access instance.
From the VM instances dropdown, select the Web Access instance.
Do not select more than one Web Access instance.Click Create.
Creating a Health Check
Create a health check to be used later:
On the Google Cloud Platform, navigate to ☰ Navigation menu → Compute Engine → Health Checks.
Click “Create a Health Check”.
Enter a Name for the health check.
For Scope, select Global.
For Protocol, select HTTPS.
For Port, select 443.
For the Source regions, select the same region that the instances run in, plus two more.
For Request path, enter /fs/auth/login
For Logs, enter your organization’s preference.
For Health criteria, keep the defaults.
Creating a HTTPS Load Balancer
Create an HTTPS load balancer.
To create an HTTPS load balancer, follow these steps:
On the Google Cloud Platform, navigate to ☰ Navigation menu → Network services → Load balancing.
Click Create Load Balancer.
Under “Type of load balancer”, choose “Application Load Balancer (HTTP/HTTPS)”.
Then click Next.
Under “Public facing or internal”, choose Public facing (external).
Then click Next.
Under “Global or single region deployment”, choose Best for global workloads.
Then click Next.
Under “Load balancer generation”, choose Global external Application Load Balancer.
Then click Next.
Click Configure to move to the next phase .
Configuring the Load Balancer
To configure the load balancer, follow these steps:
On the Frontend configuration page, enter the Load Balancer name.
In the “New Frontend IP and Port” area, provide the following information:
Assign a Name.
For the protocol, choose “HTTPS (includes HTTP/2 and HTTP/3)”.
For the IP version, choose IPv4.
For the IP address, choose “Create IP address”. Then enter a name to reserve a static IP address.
Do not select Ephemeral.For the Port, choose 443.
For the Certificate, either upload a certificate or select “Create a new certificate” and create a new certificate.
From the SSL Policy drop-down list, select the SSL policy you created in Creating an SSL Policy.
Select “Enable HTTP to HTTPS redirect”.
Click Done.
On the Backend configuration page, click in the “Backend services & backend buckets” area, and click “Create a backend service”.
Then provide the following information:
Create a Name for the backend.
From the Backend type drop-down list, select Instance Group.
From the Protocol drop-down list, select HTTPS.
For the Named port, enter https.
For Timeout, enter 30 seconds.
From the “IP address selection policy” drop-down list, select Only IPv4.
From the Health check drop-down list, select the previously created health check.
Under the New Backend section, provide this information:
For the IP stack type, select “IPv4 (single stack)”.
From the Instance group drop-down list, select the previously defined instance group.
For Port numbers, enter 443.
For the Balancing mode, leave as the default. This is unused because it is a single instance only.
In the Cloud CDN area, it is recommended to unselect “Enable Cloud CDN”.
For Cloud Armor, it is recommended to retain the default security policy.
Click Create.
The Backend is created.
To configure routing rules, click Routing Rules.
Select “Simple host and path rule”.
From the list of “Host and path rules”, select the backend defined above.
Click “Review and Finalize”. Review the Frontend, Backend, and Routing Rules.
Click Create.
The configured load balancer is created. This can take a few minutes.
Testing the Load Balancer
After the Load Balancer is created, test that it is operating as expected:
Navigate to the static IP address of the Load Balancer.
The Web Access login page should load after you accept that the certificate does not match in the browser security.
Select the Load Balancer.
Copy the public IP address
Use the Load Balancer IP address to create an A record in the DNS host, mapping the proper FQDN.
After this is complete, the Web Access site should load without browser certificate warnings.