아보카도 오일은 여러 가지 등급으로 나뉘며, 이는 품질과 가공 방식에 따라 다릅니다. 여기에는 주로 세 가지 등급이 포함됩니다:
GSP178
영역설정
gcloud config set compute/zone us-central1-a
gcloud compute zones list
비공개 클러스터 만들기
gcloud beta container clusters create private-cluster \
--private-cluster \
--master-ipv4-cidr 172.16.0.16/28 \
--enable-ip-alias \
--create-subnetwork ""
서브넷 및 보조 IP 주소 범위 확인
gcloud compute networks subnets list --network default
조회결과
gke-private-cluster-subnet-7aee73db
gcloud compute networks subnets describe gke-private-cluster-subnet-7aee73db \
--region us-central1
마스터 승인 네트워크 사용 설정
vm 인스턴스 만들기
gcloud compute instances create source-instance --zone us-central1-a --scopes 'https://www.googleapis.com/auth/cloud-platform'
nat ip 확인
gcloud compute instances describe source-instance --zone us-central1-a | grep natIP
natIP: 34.70.56.122
gcloud container clusters update private-cluster \
--enable-master-authorized-networks \
--master-authorized-networks 34.70.56.122/32
source-instance 에 SSH 접속
gcloud compute ssh source-instance --zone us-central1-a
kubectl 구성요소 설치
gcloud components install kubectl
(실패할 경우)
sudo apt-get install kubectl
SSH 쉘에서 Kubernetes 클러스터 액세스 권한 설정하기
gcloud container clusters get-credentials private-cluster --zone us-central1-a
클러스터 노드에 외부 IP 주소가 없는지 확인하기
kubectl get nodes --output yaml | grep -A4 addresses
응답 메세지 중 type 값이 모두 InternalIP, InternalDNS 만 검색 됨
Kubernetes 클러스터 삭제
gcloud container clusters delete private-cluster --zone us-central1-a
사용자 지정 하위 네트워크를 사용하는 비공개 클러스터 만들기
1.하위 네트워크 및 보조 범위 만들기
gcloud compute networks subnets create my-subnet \
--network default \
--range 10.0.4.0/22 \
--enable-private-ip-google-access \
--region us-central1 \
--secondary-range my-svc-range=10.0.32.0/20,my-pod-range=10.4.0.0/14
2. 하위 네트워크를 사용하는 비공개 클러스터 만들기
gcloud beta container clusters create private-cluster2 \
--private-cluster \
--enable-ip-alias \
--master-ipv4-cidr 172.16.0.32/28 \
--subnetwork my-subnet \
--services-secondary-range-name my-svc-range \
--cluster-secondary-range-name my-pod-range
3.외부 IP 주소 확인
gcloud compute instances describe source-instance --zone us-central1-a | grep natIP
4.외부IP 주소 적용
gcloud container clusters update private-cluster2 \
--enable-master-authorized-networks \
--master-authorized-networks 34.70.56.122/32
5.source-instance 에 SSH 접속
gcloud compute ssh source-instance --zone us-central1-a
6.SSH 쉘에서 Kubernetes 클러스터 액세스 권한 설정
gcloud container clusters get-credentials private-cluster2 --zone us-central1-a
7.클러스터 노드에 외부 IP 주소가 없는지 확인
kubectl get nodes --output yaml | grep -A4 addresses
Google Cloud Virtual Private Cloud (VPC) Network Peering allows private connectivity across two VPC networks regardless of whether or not they belong to the same project or the same organization.
VPC Network Peering is useful for :
If you have multiple network administrative domains within your organizations, VPC Network Peering allows you to make services available across VPC networks in private space. VPC Network Peering allows you to make those services available in private space to those organizations. The ability to offer services across organizations is useful if you want to offer services to other enterprises, and it is useful within your own enterprise if you have several distinct organization nodes due to your own structure or as a result of mergers or acquisitions.
VPC Network Peering gives you serveral advantages over using external IP addresses or VPNs to connect networks, including:
Within the same organization node, a network could be hosting services that need to be accessible from other VPC networks in the same or different projects.
Alternatively, one organization may want to access services a third-party services offering
Create network-A VPC
gcloud compute networks create network-a --subnet-mode custom
gcloud compute networks subnets create network-a-central --network network-a --range 10.0.0.0/16 --region us-central1
gcloud compute instances create vm-a --zone us-central1-a --network network-a --subnet network-a-central
gcloud compute firewall-rules create network-a-fw --network network-a --allow tcp:22,icmpCreate network-B VPC
gcloud compute network create network-b --subnet-mode custom
gcloud compute network subnets create network-b-central --network network-b --range 10.8.0.0/16 --region us-central1
gcloud compute instances create vm-b --zone us-central1-a --network network-b --subnet network-b-central
ggcloud compute firewall-rules create network-b-fw --network network-b --allow tcp:22,icmpPeer network -a with network-b (peer-ab)
VPC Network > VPC network peering > Create Connection > Continue
Name : peer-ab
Your VPC network : network-a
Peering VPC network : (Radio Button) In another project
Project ID : 'second project id'
VPC network name : network-b
CreatePeer network-b with network-a (peer-ba)
VPC Network > VPC network peering > Create Connection > Continue
Name : peer-ba
Your VPC network : network-b
peering VPC network : (Radio Button) In another project
Project ID : 'first project id'
VPC Network name : network-a
Create
gcloud compute routes list --project <First_Project_ID>
Connectivity Test
Copy the internal ip for vm-a
ssh into vm-b instance
ping -c 5 <internal ip of vm-a>Service accounts are a special type of Google account that grant permissions to virtual machines instead of end users. Your application uses the service account to call the Google API of a service
This way the service account is the identity of the service, and the service account’s permissions control which resources the service can access
A service account is identified by its email address, which is unique to the account.
User-managed service accounts
When you create a new Cloud project using Cloud Console and if Compute Engine API is enabled for your project, a Compute Engine Service Account is created for you by default. It is identifiable using the email :
PROJECT_NUMBER-compute@developer.gserviceaccount.comGoogle-managed service accounts
In addition to the user-managed service accounts, you might see some additional service account in your project’s IAM policy or in the Cloud Console. These service accounts are created and owned by Google. These accounts represent different Google services and each account is automatically granted IAM roles to access your Google Cloud Project
An example of a Google-managed service account is a Google API service account identifiable using the email.
PROJECT_NUMBER@cloudservices.gserviceaccount.comThis service account is designed specifically to run internal Google processes on your behalf and is not listed in the Service Accounts section of Cloud Console. By default, the account is automatically granted the project editor role on the project and is listed in the IAM section of Cloud Console. This service account is deleted only when the project is deleted. Google services rely on the account
When you create a new Cloud project, Google Cloud automatically creates One Compute engine service account and one App Engine service account under that project. You can create up to 98 additional service accounts to your project to control access to your resources.
Creating a service account
Creating a service account is similar to adding a member to your project, but the service account belongs to your applications rather than an individual end user.
To create a service account, run the following command in Cloud Shell:
gcloud iam service-accounts create my-sa-123 --display-name "my service account"The output of this command is the service account, which will look similar to the following:
Created service account [my-sa-123]When granting IAM roles, you can treat a service account either as a resource or as an identity.
Your application uses a service account as an identity to authenticate to Google Cloud service. For example, if you have a Compute Engine Virtual Machine (VM) running as a service account, you can grant the editor role to the service account (the identity) for a project (the resource).
At the same time, you might also want to control who can start the VM. You can do this by granting a user (the identity) the serviceAccountUser role for the service account (the resource)
Granting roles to a service account for specific resources
You grant roles to a service account so that the service account has permission to complete specific actions on the resources in your Cloud Platform project. For example, you might grant the storage.admin role to a service account so that it has control over objects and buckets in Cloud Storage.
Run the following in Cloud Shell to grant roles to the service account you just made:
gcloud projects add-iam-policy-binding $DEVSHELL_PROJECT_ID --member serviceAccount:my-sa-123@$DEVSHELL_PROJECT_ID.iam.gserviceaccount.com --role roles/editorWhen an identity calls a Google Cloud API, Google Cloud Identity and Access Management requires that the identity has the appropriate permissions to use the resource. You can grant permissions by granting roles to a user, a group, or a service account
Types of Roles
Navigation menu > IAM & Admin > + Create Service Account
Name : bigquery-qwiklab
Role : BigQuery Data Viewer, BigQuery User
Create Compute Engine instance
SSH Connect
sudo apt-get update
sudo apt-get install virtualenv
virtualenv -p python3 venv
source venv/bin/activate
(venv)sudo apt-get install -y git python3-pip
(venv)pip install google-cloud-bigquery
(venv)pip install pandasCreate python file
echo "
from google.auth import compute_engine
from google.cloud import bigquery
credentials = compute_engine.Credentials(
service_account_email='YOUR_SERVICE_ACCOUNT')
query = '''
SELECT
year,
COUNT(1) as num_babies
FROM
publicdata.samples.natality
WHERE
year > 2000
GROUP BY
year
'''
client = bigquery.Client(
project='YOUR_PROJECT_ID',
credentials=credentials)
print(client.query(query).to_dataframe())
" > query.pyChange ‘YOUR_PROJECT_ID’
sed -i -e "s/YOUR_PROJECT_ID/$(gcloud config get-value project)/g" query.pyChange ‘YOUR_SERVICE_ACCOUNT’
sed -i -e "s/YOUR_SERVICE_ACCOUNT/bigquery-qwiklab@$(gcloud config get-value project).iam.gserviceaccount.com/g" query.pyRun (failure but fix it)
python query.py
(venv) student-04-f226424281f6@bigquery-instance:~$ python query.py
Traceback (most recent call last):
File "query.py", line 23, in <module>
print(client.query(query).to_dataframe())
File "/home/student-04-f226424281f6/venv/lib/python3.7/site-packages/google/cloud/bigquery/job/query.py", line 1346, in to_dataframe
date_as_object=date_as_object,
File "/home/student-04-f226424281f6/venv/lib/python3.7/site-packages/google/cloud/bigquery/table.py", line 1867, in to_dataframe
create_bqstorage_client=create_bqstorage_client,
File "/home/student-04-f226424281f6/venv/lib/python3.7/site-packages/google/cloud/bigquery/table.py", line 1662, in to_arrow
raise ValueError(_NO_PYARROW_ERROR)
ValueError: The pyarrow library is not installed, please install pyarrow to use the to_arrow() function.
pip install pandas-gbq==0.14.0
(venv) student-04-f226424281f6@bigquery-instance:~$ python query.py
year num_babies
0 2006 4273225
1 2001 4031531
2 2007 4324008
3 2003 4096092
4 2004 4118907
5 2002 4027376
6 2005 4145619
7 2008 4255156
(venv) student-04-f226424281f6@bigquery-instance:~$
You can create a custom role at the organization level and at the project level. However, you cannot create custom roles at the folder level
permissions are represented in the form
<service>.<resource>.<verb>
compute.instances.listCustom roles can only be used to grant permissions in policies for the same project or organization that owns the roles or resource under them.
To create a custom role, a caller must have the iam.roles.create permission.
Organization Role Administrator role (roles/iam.organizationRoleAdmin)
IAM Role Administrator role (roles/iam.roleAdmin)
gcloud iam list-testable-permissionsgcloud iam roles describe [ROLE_NAME]
gcloud iam roles describe roles/viewer
gcloud iam roles describe roles/editorvi role-definition.yaml
title: "Role Editor"
description: "Edit access for App Versions"
stage: "ALPHA"
includedPermissions:
- appengine.versions.create
- appengine.versions.delete
gcloud iam roles create editor --project $DEVSHELL_PROJECT_ID \
--file role-definition.yaml
Created role [editor].
description: Edit access for App Versions
etag: BwVs4O4E3e4=
includedPermissions:
- appengine.versions.create
- appengine.versions.delete
name: projects/[PROJECT_ID]/roles/editor
stage: ALPHA
title: Role Editorgcloud iam roles create viewer --project $DEVSHELL_PROJECT_ID \
--title "Role Viewer" --description "Custom role description." \
--permissions compute.instances.get,compute.instances.list --stage ALPHA
Created role [viewer].
description: Custom role description.
etag: BwVs4PYHqYI=
includedPermissions:
- compute.instances.get
- compute.instances.list
name: projects/[PROJECT_ID]/roles/viewer
stage: ALPHA
title: Role Viewergcloud iam roles list --project $DEVSHELL_PROJECT_IDEditing an existing custom role
gcloud iam roles describe editor --project $DEVSHELL_PROJECT_ID]
description: Edit access for App Versions
etag: BwXCsFdYv0o=
includedPermissions:
- appengine.versions.create
- appengine.versions.delete
name: projects/qwiklabs-gcp-03-867ca1078c1e/roles/editor
stage: ALPHA
title: Role Editor
vi new-role-definition.yaml
description: Edit access for App Versions
etag: BwVxIBjfN3M=
includedPermissions:
- appengine.versions.create
- appengine.versions.delete
- storage.buckets.get
- storage.buckets.list
name: projects/[PROJECT_ID]/roles/editor
stage: ALPHA
title: Role Editor
gcloud iam roles update editor --project $DEVSHELL_PROJECT_ID --file new-role-definition.yaml
gcloud iam roles describe viewer --project $DEVSHELL_PROJECT_ID
description: Custom role description.
etag: BwXCsFyYXGs=
includedPermissions:
- compute.instances.get
- compute.instances.list
name: projects/qwiklabs-gcp-03-867ca1078c1e/roles/viewer
stage: ALPHA
title: Role Viewer
gcloud iam roles update viewer --project $DEVSHELL_PROJECT_ID --add-permissions storage.buckets.get,storage.buckets.list
description: Custom role description.
etag: BwXCsIGVf6M=
includedPermissions:
- compute.instances.get
- compute.instances.list
- storage.buckets.get
- storage.buckets.list
name: projects/qwiklabs-gcp-03-867ca1078c1e/roles/viewer
stage: ALPHA
title: Role Viewergcloud iam roles update viewer --project $DEVSHELL_PROJECT_ID --stage DISABLED
description: Custom role description.
etag: BwXCsIeZQcs=
includedPermissions:
- compute.instances.get
- compute.instances.list
- storage.buckets.get
- storage.buckets.list
name: projects/qwiklabs-gcp-03-867ca1078c1e/roles/viewer
stage: DISABLED
title: Role Viewergcloud iam roles delete viewer --project $DEVSHELL_PROJECT_ID
deleted: true
description: Custom role description.
etag: BwXCsIpRAkM=
includedPermissions:
- compute.instances.get
- compute.instances.list
- storage.buckets.get
- storage.buckets.list
name: projects/qwiklabs-gcp-03-867ca1078c1e/roles/viewer
stage: DISABLED
title: Role ViewerThe role can be undeleted within 7 days
After 7 days, the role enters a permanent deletion process that lasts 30 days
After 37 days, the Roel ID is available to be used again
gcloud iam roles undelete viewer --project $DEVSHELL_PROJECT_ID
description: Custom role description.
etag: BwXCsJhLFsY=
includedPermissions:
- compute.instances.get
- compute.instances.list
- storage.buckets.get
- storage.buckets.list
name: projects/qwiklabs-gcp-03-867ca1078c1e/roles/viewer
stage: DISABLED
title: Role ViewerCreate a Compute Engine instance
Add Apache2 HTTP Server to our instace
metadata 부분에 아래와 같은 스크립트 추가
key / value
startup-script /
#!/bin/bash
sudo apt-get update
sudo apt-get install -y apache2 php7.0
sudo service apache2 restartCreate a Monitoring workspace
Install the Monitoring and Logging agents
curl -sSO https://dl.google.com/cloudagents/add-monitoring-agent-repo.sh
sudo bash add-monitoring-agent-repo.sh
sudo apt-get update
sudo apt-get install stackdriver-agent
sudo apt-get install google-fluentdCreate an uptime check
Monitoring > Uptime Check > CREATE UPTIME CHECKCreate an alerting policy
Monitoring > Alerting > CREATE POLICYCreate a dashboard and chart
좀 기네…이건 다시 공부해야할듯
Python을 사용해 간단한 App Engine 앱을 작성 및 배포
git clone https://github.com/googlecodelabs/user-authentication-with-iap.git
cd user-authentication-with-iap
cd 1-HelloWorld
gcloud app deploy
(실행결과)
Please enter your numeric choice: 2
Creating App Engine application in project [qwiklabs-gcp-02-c8004de5b58e] and region [asia-northeast1]....done.
Services to deploy:
descriptor: [/home/student_02_86e97cfc3a04/user-authentication-with-iap/1-HelloWorld/app.yaml]
source: [/home/student_02_86e97cfc3a04/user-authentication-with-iap/1-HelloWorld]
target project: [qwiklabs-gcp-02-c8004de5b58e]
target service: [default]
target version: [20210513t082853]
target url: [https://qwiklabs-gcp-02-c8004de5b58e.an.r.appspot.com]
Do you want to continue (Y/n)? y
Beginning deployment of service [default]...
Created .gcloudignore file. See `gcloud topic gcloudignore` for details.
╔════════════════════════════════════════════════════════════╗
╠═ Uploading 6 files to Google Cloud Storage ═╣
╚════════════════════════════════════════════════════════════╝
File upload done.
ERROR: (gcloud.app.deploy) NOT_FOUND: Unable to retrieve P4SA: [service-942148416139@gcp-gae-service.iam.gserviceaccount.com] from GAIA. Could be GAIA propagation delay or request from deleted apps.
student_02_86e97cfc3a04@cloudshell:~/user-authentication-with-iap/1-HelloWorld (qwiklabs-gcp-02-c8004de5b58e)$
(안되서 다시함)
student_02_86e97cfc3a04@cloudshell:~/user-authentication-with-iap/1-HelloWorld (qwiklabs-gcp-02-c8004de5b58e)$ gcloud app deploy
Services to deploy:
descriptor: [/home/student_02_86e97cfc3a04/user-authentication-with-iap/1-HelloWorld/app.yaml]
source: [/home/student_02_86e97cfc3a04/user-authentication-with-iap/1-HelloWorld]
target project: [qwiklabs-gcp-02-c8004de5b58e]
target service: [default]
target version: [20210513t083521]
target url: [https://qwiklabs-gcp-02-c8004de5b58e.an.r.appspot.com]
Do you want to continue (Y/n)? y
Beginning deployment of service [default]...
╔════════════════════════════════════════════════════════════╗
╠═ Uploading 0 files to Google Cloud Storage ═╣
╚════════════════════════════════════════════════════════════╝
File upload done.
Updating service [default]...done.
Setting traffic split for service [default]...done.
Deployed service [default] to [https://qwiklabs-gcp-02-c8004de5b58e.an.r.appspot.com]
You can stream logs from the command line by running:
$ gcloud app logs tail -s default
To view your application in the web browser run:
$ gcloud app browse
student_02_86e97cfc3a04@cloudshell:~/user-authentication-with-iap/1-HelloWorld (qwiklabs-gcp-02-c8004de5b58e)$배포된 앱 확인
gcloud app browse
(실행결과)
Did not detect your browser. Go to this link to view your app:
https://qwiklabs-gcp-02-c8004de5b58e.an.r.appspot.com
student_02_86e97cfc3a04@cloudshell:~/user-authentication-with-iap/1-HelloWorld (qwiklabs-gcp-02-c8004de5b58e)$
(배포 성공 후 다시)
Did not detect your browser. Go to this link to view your app:
https://qwiklabs-gcp-02-c8004de5b58e.an.r.appspot.com
student_02_86e97cfc3a04@cloudshell:~/user-authentication-with-iap/1-HelloWorld (qwiklabs-gcp-02-c8004de5b58e)$
안되는 것처럼 보이지만 배포된 화면은 보여짐앱에 대한 액세스를 제한하기 위해 IAP 활성화 및 비활성화 방법
IAP 에서 앱으로 사용자 신원 정보를 가져오는 방법
스푸핑으로부터 IAP의 정보를 암호화 방식으로 확인 하는 방법
어플리케이션 배포 및 IAP 로 보호
사용자 신원 정보 접근
암호화 확인 사용
1. VPC 생성
gcloud compute networks create dm-stamford \
--subnet-mode=custom
2. 웹서버용 서브넷 생성
gcloud compute networks subnets create dm-stamford-uswest4 \
--range=172.21.0.0/24 \
--network=dm-stamford \
--region=us-west4
3. IDS용 서브넷 생성
gcloud compute networks subnets create dm-stamford-uswest4-ids \
--range=172.21.1.0/24 \
--network=dm-stamford \
--region=us-west41. 모든 VM이 TCP80, ICMP 프로토콜을 모든 소스로부터 받을 수 있도록 방화벽 정책 생성
gcloud compute firewall-rules create fw-dm-stamford-allow-any-web \
--direction=INGRESS \
--priority=1000 \
--network=dm-stamford \
--action=ALLOW \
--rules=tcp:80,icmp \
--source-ranges=0.0.0.0/0
2. IDS 가 모든 트래픽을 받을 수 있도록 방화벽 정책 생성 (Public IP를 할당하지 않는건 여기서 하지않음)
gcloud compute firewall-rules create fw-dm-stamford-ids-any-any \
--direction=INGRESS \
--priority=1000 \
--network=dm-stamford \
--action=ALLOW \
--rules=all \
--source-ranges=0.0.0.0/0 \
--target-tags=ids
3. 모든 VM이 tcp22, icmp 프로토콜을 GCP IAP Proxy IP 대역 (35.235.240.0/20)에서 접근 할 수 있도록 방화벽 정책 설정
gcloud compute firewall-rules create fw-dm-stamford-iapproxy \
--direction=INGRESS \
--priority=1000 \
--network=dm-stamford \
--action=ALLOW \
--rules=tcp:22,icmp \
--source-ranges=35.235.240.0/201. Cloud NAT 를 사용하려면 Cloud Router 설정이 선행되어야 함. 각자 Region 에서 반드시 가장 먼저 설정되어야함.
gcloud compute routers create router-stamford-nat-west4 \
--region=us-west4 \
--network=dm-stamford1. Public IP 없이 인터넷 접근을 허용하려면 Cloud NAT 는 반드시 각 리전에 생성되어야 함
gcloud compute routers nats create nat-gw-dm-stamford-west4 \
--router=router-stamford-nat-west4 \
--router-region=us-west4 \
--auto-allocate-nat-external-ips \
--nat-all-subnet-ip-ranges1. 웹서버용 인스턴스 템플릿 생성
gcloud compute instance-templates create template-dm-stamford-web-us-west4 \
--region=us-west4 \
--network=dm-stamford \
--subnet=dm-stamford-uswest4 \
--machine-type=g1-small \
--image=ubuntu-1604-xenial-v20200807 \
--image-project=ubuntu-os-cloud \
--tags=webserver \
--metadata=startup-script='#! /bin/bash
apt-get update
apt-get install apache2 -y
vm_hostname="$(curl -H "Metadata-Flavor:Google" \
http://169.254.169.254/computeMetadata/v1/instance/name)"
echo "Page served from: $vm_hostname" | \
tee /var/www/html/index.html
systemctl restart apache2'1. 웹서버용 인스턴스 그룹 생성
gcloud compute instance-groups managed create mig-dm-stamford-web-uswest4 \
--template=template-dm-stamford-web-us-west4 \
--size=2 \
--zone=us-west4-a1. IDS용 인스턴스 탬플릿 생성
gcloud compute instance-templates create template-dm-stamford-ids-us-west4 \
--region=us-west4 \
--network=dm-stamford \
--no-address \
--subnet=dm-stamford-uswest4-ids \
--image=ubuntu-1604-xenial-v20200807 \
--image-project=ubuntu-os-cloud \
--tags=ids,webserver \
--metadata=startup-script='#! /bin/bash
apt-get update
apt-get install apache2 -y
vm_hostname="$(curl -H "Metadata-Flavor:Google" \
http://169.254.169.254/computeMetadata/v1/instance/name)"
echo "Page served from: $vm_hostname" | \
tee /var/www/html/index.html
systemctl restart apache2'1. IDS용 인스턴스 그룹 생성
gcloud compute instance-groups managed create mig-dm-stamford-ids-uswest4 \
--template=template-dm-stamford-ids-us-west4 \
--size=1 \
--zone=us-west4-a1. 복제된 패킷을 수집서버에 전달함 (내부 로드벨런서). 여기서는 수집 그룹 컨테이너는 단일 VM 임
2. 먼저 백단 서버 체크하는 헬스체크 생성
gcloud compute health-checks create tcp hc-tcp-80 --port 80
3. ilb가 사용하는 백엔드 서비스 생성
gcloud compute backend-services create be-dm-stamford-suricata-us-west4 \
--load-balancing-scheme=INTERNAL \
--health-checks=hc-tcp-80 \
--network=dm-stamford \
--protocol=TCP \
--region=us-west4
4. IDS 인스턴스 이전 단계에서 만든 백엔드 서비스 그룹에 추가
gcloud compute backend-services add-backend be-dm-stamford-suricata-us-west4 \
--instance-group=mig-dm-stamford-ids-uswest4 \
--instance-group-zone=us-west4-a \
--region=us-west4
5. IDS 인스턴스로 보낼 frontend 전달 규칙 생성
gcloud compute forwarding-rules create ilb-dm-stamford-suricata-ilb-us-west4 \
--load-balancing-scheme=INTERNAL \
--backend-service be-dm-stamford-suricata-us-west4 \
--is-mirroring-collector \
--network=dm-stamford \
--region=us-west4 \
--subnet=dm-stamford-uswest4-ids \
--ip-protocol=TCP \
--ports=allsudo apt-get update -y
sudo apt-get install libpcre3-dbg libpcre3-dev autoconf automake libtool libpcap-dev libnet1-dev libyaml-dev zlib1g-dev libcap-ng-dev libmagic-dev libjansson-dev libjansson4 -y
sudo apt-get install libnspr4-dev -y
sudo apt-get install libnss3-dev -y
sudo apt-get install liblz4-dev -y
sudo apt install rustc cargo -y
sudo add-apt-repository ppa:oisf/suricata-stable -y
sudo apt-get update -y
sudo apt-get install suricata -y
suricata -V
This is Suricata version 6.0.2 RELEASEsudo systemctl stop suricata
sudo cp /etc/suricata/suricata.yaml /etc/suricata/suricata.backup
wget https://storage.googleapis.com/tech-academy-enablement/GCP-Packet-Mirroring-with-OpenSource-IDS/suricata.yaml
wget https://storage.googleapis.com/tech-academy-enablement/GCP-Packet-Mirroring-with-OpenSource-IDS/my.rules
sudo mkdir /etc/suricata/poc-rules
sudo cp my.rules /etc/suricata/poc-rules/my.rules
sudo cp suricata.yaml /etc/suricata/suricata.yamlsudo systemctl start suricata
sudo systemctl restart suricatagcloud compute packet-mirrorings create mirror-dm-stamford-web \
--collector-ilb=ilb-dm-stamford-suricata-ilb-us-west4 \
--network=dm-stamford \
--mirrored-subnets=dm-stamford-uswest4 \
--region=us-west4패스..
패스..
패스..
끝
Javis blog 