
VM

Prerequisites:

  • I assume that you have a Google Cloud account and
  • the gcloud CLI

Create VM

In this section, I will describe how to list and choose parameters required to create a VM instance, and then create it.

  1. Authenticate in Google Cloud — gcloud auth login

  2. You can set a default project with gcloud config set project project_name, and unset it with gcloud config unset project.

  3. Choose region and zone

    List regions along with available resources — gcloud compute regions list --project project_name

    List zones — gcloud compute zones list --project project_name

    Region picker — lets you pick the best region according to multiple metrics (compute price and latency).

  4. Set default regions and zones for project:

    gcloud compute project-info add-metadata                                                       \
        --metadata google-compute-default-region=region_name,google-compute-default-zone=zone_name \
        --project project_name
    

  5. Choose image

    List images, families and image-projects — gcloud compute images list --project project_name | grep -v -- "-arm64\|-pro-" | grep -i "PROJECT\|FAMILY\|ubuntu"

    Pick “image project” and “image family”.

  6. Choose disk

    Disk types and pricing

    Each VM instance has at least one disk attached to it.

    List disk types — gcloud compute disk-types list --filter="zone:( zone_name )" --project project_name

  7. Choose instance configuration

    1. Choose machine family and series based on its capabilities (range of cores, CPU manufacturer, RAM, etc.). N2D is good for confidential computing. E2-standard is good for cost. E2-medium costs even less, but with a shared core and CPU bursting.

    2. Consider shared core & CPU bursting (machine series e2-micro, e2-small, e2-medium).

    3. Choose security features (the create command below enables the Shielded VM options: secure boot and integrity monitoring):

    4. Check availability in chosen region — gcloud compute machine-types list --filter="zone:( zone_name )" --project project_name.

    5. Take into account pricing:

Finally, we now have all the information needed to create our VM instance.

gcloud compute instances create vm_name      \
    --image-family   image_family            \
    --image-project  image_project           \
    --boot-disk-size disk_size               \
    --boot-disk-type disk_type               \
    --machine-type   machine_type            \
    --shielded-integrity-monitoring          \
    --shielded-secure-boot                   \
    --project project_name
Other VM CRUD operations

Allocate IP address

Allocate an IP address:

gcloud compute addresses create vm_name-ip --region=region_name --project project_name

Delete existing ephemeral IP address:

gcloud compute instances delete-access-config vm_name --access-config-name="external-nat"

where external-nat is the value of the name field in the output of gcloud compute instances describe vm_name:

networkInterfaces:
- accessConfigs:
  - kind: compute#accessConfig
    name: external-nat
    natIP: _________
    networkTier: PREMIUM
    type: ONE_TO_ONE_NAT

Finally, assign IP address to VM:

gcloud compute instances add-access-config vm_name --access-config-name="external-nat" --address=$(gcloud compute addresses list --filter="name=('vm_name-ip')" --format="get(address)")

Other IP CRUD operations
  • List IP addresses: gcloud compute addresses list
  • Delete IP address: gcloud compute addresses delete vm_name-ip

Setup the VM

Initialise users

Open a terminal in the browser, add a user and install packages:

sudo adduser --gecos "" --disabled-password user
sudo usermod -a -G sudo user
sudo apt update && sudo apt full-upgrade -y && sudo apt install -y nano git locate

Allow password-less sudo (after this, whoever holds the user's SSH key has root without any further prompt, so the key material on the connecting machine is all that protects the VM):

sudo visudo
- %sudo   ALL=(ALL:ALL) ALL
+ %sudo   ALL=(ALL:ALL) NOPASSWD:ALL

Setup SSH access

sudo -u user bash -c "mkdir -p ~/.ssh && nano ~/.ssh/authorized_keys"
Then paste your local SSH public key (cat ~/.ssh/id_ed25519.pub or ssh-add -L) into ~/.ssh/authorized_keys.

Get the host's SSH key fingerprint (to compare it with what your local ssh prints when you first connect to the VM from the local host):

ssh-keygen -lf <(ssh-keyscan localhost 2>/dev/null)

  1. Where the VM's IP address comes from the output of: gcloud compute addresses list --filter="name=('vm_name-ip')" --format="get(address)"
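To make the fingerprint comparison above concrete, this added example (not from the notes, standard library only) computes the same SHA256 fingerprint that ssh-keygen -lf prints, from a key line in either authorized_keys or ssh-keyscan format; make_key_line exists only to construct sample keys.

```python
"""Compute the SHA256 fingerprint that `ssh-keygen -lf` prints for a public key
line, to compare the VM's host key with what the local client shows on first
connect (added example, not from the notes; stdlib only)."""
import base64
import hashlib
import struct

def parse_key_line(line):
    """Accept an authorized_keys line ('ssh-ed25519 AAAA... comment') or a
    ssh-keyscan/known_hosts line ('host ssh-ed25519 AAAA...'); return
    (key_type, blob). Raises ValueError if the blob disagrees with the type."""
    tokens = line.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.startswith(("ssh-", "ecdsa-", "sk-")):
            key_type, blob = tok, base64.b64decode(tokens[i + 1])
            break
    else:
        raise ValueError("no key type token found")
    # The blob is SSH wire format and starts with its own type string
    # (uint32 length + bytes); a mismatch means the line was mangled.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("declared key type does not match key blob")
    return key_type, blob

def fingerprint(line):
    """OpenSSH's SHA256 fingerprint: base64 of the blob's digest, no '=' padding."""
    _, blob = parse_key_line(line)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def same_key(line_a, line_b):
    """True when e.g. ssh-keyscan output on the VM and the local client's
    known_hosts entry carry the same key, whatever the surrounding format."""
    return fingerprint(line_a) == fingerprint(line_b)

def make_key_line(key_type, raw_key, prefix="", comment=""):
    """Build a key line from raw key bytes (ed25519-shaped blob; used only to
    construct sample keys here, real lines come from ssh-keyscan or *.pub)."""
    blob = (struct.pack(">I", len(key_type)) + key_type.encode()
            + struct.pack(">I", len(raw_key)) + raw_key)
    b64 = base64.b64encode(blob).decode()
    return " ".join(t for t in (prefix, key_type, b64, comment) if t)
```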

Setup rpi user

  • Add the user: sudo adduser --gecos "" --disabled-password rpi
  • As the rpi user, populate ~/.ssh/authorized_keys with the public key of the pi user on the Raspberry Pi: mkdir -p ~/.ssh && nano ~/.ssh/authorized_keys && exit
  • Set the nologin shell for the rpi user: sudo usermod -s /usr/sbin/nologin rpi

Tweak the SSH config on the VM by adding a Match block for the rpi user. Put it at the end of the file (every directive after a Match line belongs to that block until the next Match) and check the result with sudo sshd -t before restarting sshd:

sudo nano /etc/ssh/sshd_config
Match User rpi
   PasswordAuthentication no
   AllowTcpForwarding remote # yes
   AllowStreamLocalForwarding no
   X11Forwarding no
   PermitTunnel no
   GatewayPorts no
   AllowAgentForwarding no
   PermitOpen localhost:_____
   ForceCommand echo 'This account can only be used for reverse ssh tunnelling'
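As an added example (not part of the notes), the following Python reads an sshd_config and verifies that the Match block for the tunnel-only user carries every restriction listed above, honouring sshd's rule that a Match block extends to the next Match or end of file; the sample config is constructed, with port 2222 standing in for the elided PermitOpen port.

```python
"""Check that an sshd_config locks a tunnel-only account down like the Match block
above (added example; minimal parser: 'Key value' lines, '#' comments, Match User only)."""

REQUIRED = {"passwordauthentication": "no", "allowtcpforwarding": "remote",
            "allowstreamlocalforwarding": "no", "x11forwarding": "no", "permittunnel": "no",
            "gatewayports": "no", "allowagentforwarding": "no"}  # values set in the notes

def effective_settings(config_text, user):
    """Global directives plus every `Match User` block naming `user`; a Match
    block runs to the next Match or end of file, so later lines are not global."""
    settings, in_scope = {}, True
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()  # keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            crit, _, arg = value.partition(" ")
            in_scope = crit.lower() == "user" and user in arg.split(",")
        elif in_scope:
            settings[key] = value
    return settings

def check_tunnel_only(config_text, user):
    """Findings for `user`; an empty list means it matches the notes' hardening."""
    s = effective_settings(config_text, user)
    findings = [f"{k} should be {v!r}, got {s.get(k)!r}"
                for k, v in REQUIRED.items() if s.get(k, "").lower() != v]
    if s.get("permitopen", "").lower() in ("", "any"):
        findings.append("permitopen should name one host:port")
    if not s.get("forcecommand"):
        findings.append("forcecommand missing: the account could get a shell")
    return findings

# Constructed sample: the notes' block with 2222 for the elided port, after a
# permissive global setting that the Match block must override for rpi only.
SAMPLE_CONFIG = """AllowTcpForwarding yes
Match User rpi
   PasswordAuthentication no
   AllowTcpForwarding remote # yes
   AllowStreamLocalForwarding no
   X11Forwarding no
   PermitTunnel no
   GatewayPorts no
   AllowAgentForwarding no
   PermitOpen localhost:2222
   ForceCommand echo 'This account can only be used for reverse ssh tunnelling'
"""
```

PermitOpen only constrains local (-L) forwards, which AllowTcpForwarding remote already refuses; the listen side of the reverse tunnel is governed by PermitListen on OpenSSH 7.8 and later.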

Connect from local host to the device

Now you can use this VM's IP as a bastion host to connect to the Raspberry Pi.

Bastion hosts are usually public-facing, hardened systems that serve as an entry point to systems behind a firewall or in another restricted location; they became especially popular with the rise of cloud computing.