
Prerequisites

Before deploying vNIOS for GCP, ensure that you have completed the following:

  • Set up a GCP account and create a project, if none already exists.

  • If you want to join the vNIOS for GCP instance to the on-prem Grid, configure an on-premises Infoblox Grid or Grid Master. For more information, refer to the Infoblox NIOS Documentation.

  • Install the GCP CLI utility to perform CLI-based operations. For more information, see https://cloud.google.com/sdk/gcloud/.

  • To deploy a single network interface instance in a shared VPC network on GCP, ensure that the VPC of your host project is shared with the service projects.

  • To deploy a vNIOS for GCP instance in an HA (high availability) setup, a capability introduced in NIOS 9.0.4:

    • In the Google Cloud console, set up a service account that is linked to both nodes in the HA pair, with the role permissions required to form an HA pair. For more information, see the Configuring a GCP Service Account section.

    • Set up each node (VM) of the HA pair with three network interfaces for MGMT, LAN1, and HA, and ensure that each of these interfaces is assigned to subnetworks on different VPCs. For more information, see Deploying a vNIOS for GCP Instance with HA.

    • In NIOS, configure a DNS resolver in the Grid Properties Editor. For more information about DNS resolvers, refer to the Enabling DNS Resolution topic in the Infoblox NIOS Documentation.
      If the configured DNS resolver fails to resolve the Google API hostname metadata.google.internal, Infoblox recommends that you use 169.254.169.254 as the resolver.

  • If you want to use the shared VPC feature, ensure that you attach the service project(s) to the host project(s).

Configuring a GCP Service Account

To enable a vNIOS instance to form an HA pair, you must configure it with a GCP service account that is bound to a role carrying the permissions defined in this section. These permissions are the minimum required for the vNIOS instance to manage resources in the GCP cloud. For more information about Google service accounts, see the Create a Service Account section.

The permissions that you must assign to the role are:

compute.addresses.use
compute.instances.get
compute.instances.list
compute.instances.updateNetworkInterface
compute.subnetworks.use
iam.roles.get
resourcemanager.projects.getIamPolicy

  • Ensure that the Role launch stage field in the role that you assign to the service account is set to General Availability.

  • NIOS uses the read permissions in the role to run a check every five minutes that validates the configuration on the host.

  • NIOS uses the role with write permission compute.instances.updateNetworkInterface to unassign private IP addresses from and assign private IP addresses to network interfaces during an HA failover.
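The following shell script is an added example, not Infoblox documentation or product code. It turns this section into a repeatable gcloud procedure: it creates a custom role containing exactly the seven permissions listed above at launch stage GA, creates a service account bound to that role, attaches the account to both HA nodes, and audits an existing role so that nothing required is missing and nothing beyond the minimum has crept in. The project ID, role ID, service account name, zone and node names are placeholder assumptions to be replaced.

```shell
#!/bin/sh
# Added example (not Infoblox documentation or project code): build the minimal
# custom role for vNIOS HA failover with gcloud and audit an existing role
# against the documented permission set. PROJECT_ID, ROLE_ID, SA_NAME, ZONE and
# HA_NODES are placeholders (assumptions) to replace with your own values.
PROJECT_ID="${PROJECT_ID:-my-gcp-project}"
ROLE_ID="${ROLE_ID:-vniosHaFailover}"
SA_NAME="${SA_NAME:-vnios-ha}"
ZONE="${ZONE:-us-central1-a}"
HA_NODES="${HA_NODES:-vnios-ha-node1 vnios-ha-node2}"
SA_EMAIL="${SA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com"

# Exactly the permissions the documentation lists, one per line.
VNIOS_HA_PERMISSIONS="compute.addresses.use
compute.instances.get
compute.instances.list
compute.instances.updateNetworkInterface
compute.subnetworks.use
iam.roles.get
resourcemanager.projects.getIamPolicy"

# Comma-separated form that `gcloud iam roles create --permissions` expects.
permissions_csv() {
    printf '%s' "$VNIOS_HA_PERMISSIONS" | tr '\n' ','
}

# Compare a role's actual permissions (one per line) with the documented set.
# Prints "MISSING <perm>" for anything failover needs but the role lacks and
# "EXTRA <perm>" for anything beyond the minimum; returns 0 only on an exact match.
check_role_permissions() {
    actual="$1"
    status=0
    for p in $VNIOS_HA_PERMISSIONS; do
        printf '%s\n' "$actual" | grep -qxF "$p" || { echo "MISSING $p"; status=1; }
    done
    for p in $actual; do
        printf '%s\n' "$VNIOS_HA_PERMISSIONS" | grep -qxF "$p" || { echo "EXTRA $p"; status=1; }
    done
    return $status
}

# Create the custom role at launch stage GA (the "General Availability" setting
# the documentation requires), the service account, and the project-level binding.
create_vnios_ha_role() {
    gcloud iam roles create "$ROLE_ID" --project="$PROJECT_ID" \
        --title="vNIOS HA failover" \
        --description="Minimum permissions for vNIOS HA failover" \
        --stage=GA \
        --permissions="$(permissions_csv)"
    gcloud iam service-accounts create "$SA_NAME" --project="$PROJECT_ID" \
        --display-name="vNIOS HA"
    gcloud projects add-iam-policy-binding "$PROJECT_ID" \
        --member="serviceAccount:${SA_EMAIL}" \
        --role="projects/${PROJECT_ID}/roles/${ROLE_ID}"
}

# Attach the same service account to both HA nodes; gcloud requires a VM to be
# stopped while its service account is changed.
attach_to_ha_nodes() {
    for node in $HA_NODES; do
        gcloud compute instances stop "$node" --zone="$ZONE" --project="$PROJECT_ID"
        gcloud compute instances set-service-account "$node" --zone="$ZONE" \
            --project="$PROJECT_ID" --service-account="$SA_EMAIL" \
            --scopes=cloud-platform
        gcloud compute instances start "$node" --zone="$ZONE" --project="$PROJECT_ID"
    done
}

# Audit the live role: the value() format joins list fields with ';'.
audit_live_role() {
    stage=$(gcloud iam roles describe "$ROLE_ID" --project="$PROJECT_ID" --format='value(stage)')
    [ "$stage" = "GA" ] || echo "WARNING: role launch stage is '$stage', expected GA"
    actual=$(gcloud iam roles describe "$ROLE_ID" --project="$PROJECT_ID" \
        --format='value(includedPermissions)' | tr ';' '\n')
    check_role_permissions "$actual"
}

# Nothing touches GCP unless an action is given: create | attach | audit
case "${1:-}" in
    create) create_vnios_ha_role ;;
    attach) attach_to_ha_nodes ;;
    audit)  audit_live_role ;;
esac
```

Run the script with `create`, `attach` or `audit`; invoked without an argument it only defines the functions. The audit flags EXTRA permissions as well as MISSING ones on purpose: the only write permission NIOS needs is compute.instances.updateNetworkInterface, so any broader permission on the role widens what a compromised node could change in the project without helping failover.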