GCP Administration Guide

Script execution for a single spoke

To deploy a single spoke on the NCC by executing the script:
  1. The provided set of scripts deploys a single spoke on the NCC.

    Filename                        | Description
    deploy-fortigate-ncc.py         | Script that deploys a spoke in a single region of the NCC.
    Fortigate-ncc-param-zone1.json  | Variables required for the spoke deployment.

    Of the variables in Fortigate-ncc-param-zone1.json, only project, ncc_vpc_ext, and ncc_hub are shared by every spoke of the hub; all other values must be unique for each spoke deployment. In particular, keep ncc_vpc_int unique per spoke, because that VPC carries the port2 subnet in which resources behind the spoke FortiGate are deployed and reached. The variables in Fortigate-ncc-param-zone1.json are:

    Variable                | Description                                                                                   | Example
    project                 | GCP project in which the infrastructure is deployed.                                         | project-001
    region                  | Region in which the spoke and cloud router are deployed.                                     | us-west1
    zone                    | Zone in which the spoke and cloud router are deployed.                                       | us-west1-a
    ncc_vpc_ext             | VPC for the FortiGate external subnet.                                                       | demo-ext-1
    ncc_vpc_int             | VPC for the FortiGate internal subnet.                                                       | demo-int-1
    ncc_hub                 | Name of the NCC hub being created.                                                           | demo-ncc-hub
    Cloud_router            | Cloud router name for this zone.                                                             | zn1-cloudrouter
    Fortigate_spoke1        | Name of the spoke being created (shares its name with the FortiGate).                        | Fortigate-1
    sitetositeData          | Allows exchange of site-to-site data and BGP routes between regions. Must be set to True.    | True
    fortigate_spoke1_extip  | Unique name for the static public IP address created for the FortiGate.                      | spoke1-publicip
    Ncc_vpc_ext_cidr        | Subnet used in ncc_vpc_ext (external).                                                       | 192.168.205.0/24
    Ncc_vpc_int_cidr        | Subnet used in ncc_vpc_int (internal).                                                       | 192.168.215.0/24
    fortigate_pwd           | Administrator password for the FortiGate instance.                                           | <string>
    cloud_router_ip1        | IP address assigned to cloud router interface 1.                                             | 192.168.205.101
    cloud_router_ip2        | IP address assigned to cloud router interface 2.                                             | 192.168.205.102
    cloud_router_asn        | Autonomous system number (ASN) set on the cloud router.                                      | 65012
    fortigate_router_id     | Router ID set on the FortiGate (spoke).                                                      | 169.254.254.254
    fortigate_router_asn    | ASN set on the FortiGate.                                                                    | 7252

  2. Store the Fortigate-ncc-param-zone1.json text file in the GCP bucket. The file holds the FortiGate administrator password (fortigate_pwd) in clear text, so restrict read access on the bucket to the identity that runs the deployment.
  3. Create an API key to authenticate and create resources on behalf of a GCP account. See Authenticate using API keys for details on creating an API key. The key authorizes resource creation in the project; protect it with the same care as the FortiGate password.
  4. Copy deploy-fortigate-ncc.py and the API key file (api_key) to the machine that will run the script, using the following command once per file:

    gsutil cp gs://<bucket-name>/<filename> <local_path>

    The following shows an example of the command, with the current directory (.) as the destination:

    gsutil cp gs://test-bucket/deploy-fortigate-ncc.py .

    See cp - Copy files and objects for details.

  5. Execute the Python script, passing the absolute path of the API key file, the bucket name, and the name of the parameter file stored in that bucket, in this order:

    python3 deploy-fortigate-ncc.py <public_APIkey>.json <bucket_name> Fortigate-ncc-param-zone1.json

    The following shows an example of the command:

    python3 deploy-fortigate-ncc.py /home/pbapikey.json test-bucket1 Fortigate-ncc-param-zone1.json

  6. Use the same script to deploy the hub and the other individual spokes: edit Fortigate-ncc-param-zone1.json (or a copy of it) so that its variables reflect the new spoke deployment, keep project, ncc_vpc_ext, and ncc_hub unchanged, and run the script again.

  7. Verify that the script ran successfully by running the following commands. The commands describe the infrastructure that the script deployed:

    1. To verify the hub, run gcloud alpha network-connectivity hubs describe <ncc_hub>. For example, if the NCC hub is named testing-ncc-hub, the command is gcloud alpha network-connectivity hubs describe testing-ncc-hub.

    2. To verify the spoke, run gcloud alpha network-connectivity spokes describe <spoke_name> --region=<region_name>. For example, if the spoke is named testing-fgt-1 and the region is us-west1, the command is gcloud alpha network-connectivity spokes describe testing-fgt-1 --region=us-west1.

    3. To verify the cloud router, run gcloud compute routers describe <cloud_router> --region=<region_name>. For example, if the cloud router is named testing-cr-zn1 and the region is us-west1, the command is gcloud compute routers describe testing-cr-zn1 --region=us-west1.
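The page does not describe any validation that deploy-fortigate-ncc.py performs on the parameter file, and a mistake such as a cloud router interface IP outside the external subnet, or two spokes reusing a VPC name or subnet, surfaces only once resources have been partly created. The following pre-flight check is an added example and is not part of the Fortinet scripts: it validates one or more parameter files against the constraints stated in this section before you run step 5. The key names are taken from the variable table above (how the deployment script itself reads them is an assumption); the private-ASN requirement on the cloud router and the differing-ASN requirement between cloud router and FortiGate are GCP and eBGP constraints rather than anything the page states; MIN_PWD_LEN is a hypothetical local policy; and EXAMPLE_PARAMS is constructed from the example column.

```python
import ipaddress
import json
import sys

# Key names follow the variable table on this page; how deploy-fortigate-ncc.py
# itself parses the file is not shown there, so treat this list as an assumption.
REQUIRED_KEYS = (
    "project", "region", "zone", "ncc_vpc_ext", "ncc_vpc_int", "ncc_hub",
    "Cloud_router", "Fortigate_spoke1", "sitetositeData",
    "fortigate_spoke1_extip", "Ncc_vpc_ext_cidr", "Ncc_vpc_int_cidr",
    "fortigate_pwd", "cloud_router_ip1", "cloud_router_ip2",
    "cloud_router_asn", "fortigate_router_id", "fortigate_router_asn",
)
# Shared by every spoke of one hub, per this section.
SHARED_KEYS = ("project", "ncc_vpc_ext", "ncc_hub")
# Must differ between spokes: resource names GCP would reject as duplicates
# and addressing that must not collide.
UNIQUE_KEYS = ("ncc_vpc_int", "Cloud_router", "Fortigate_spoke1",
               "fortigate_spoke1_extip", "Ncc_vpc_ext_cidr",
               "Ncc_vpc_int_cidr", "cloud_router_ip1", "cloud_router_ip2")
# Cloud Router only accepts a private ASN (16-bit or 32-bit private range).
PRIVATE_ASN = ((64512, 65534), (4200000000, 4294967294))
MIN_PWD_LEN = 12  # hypothetical local policy, not a FortiGate or GCP limit

# Constructed sample: the example column of the variable table above.
EXAMPLE_PARAMS = {
    "project": "project-001", "region": "us-west1", "zone": "us-west1-a",
    "ncc_vpc_ext": "demo-ext-1", "ncc_vpc_int": "demo-int-1",
    "ncc_hub": "demo-ncc-hub", "Cloud_router": "zn1-cloudrouter",
    "Fortigate_spoke1": "Fortigate-1", "sitetositeData": True,
    "fortigate_spoke1_extip": "spoke1-publicip",
    "Ncc_vpc_ext_cidr": "192.168.205.0/24", "Ncc_vpc_int_cidr": "192.168.215.0/24",
    "fortigate_pwd": "<string>",
    "cloud_router_ip1": "192.168.205.101", "cloud_router_ip2": "192.168.205.102",
    "cloud_router_asn": 65012, "fortigate_router_id": "169.254.254.254",
    "fortigate_router_asn": 7252,
}


def is_private_asn(asn: int) -> bool:
    return any(lo <= asn <= hi for lo, hi in PRIVATE_ASN)


def validate_params(p: dict) -> list:
    """Return the problems found in one spoke parameter file ([] means OK)."""
    missing = [k for k in REQUIRED_KEYS if k not in p]
    if missing:
        return ["missing keys: " + ", ".join(missing)]
    try:
        ext = ipaddress.ip_network(p["Ncc_vpc_ext_cidr"])
        internal = ipaddress.ip_network(p["Ncc_vpc_int_cidr"])
        cr_ips = {k: ipaddress.ip_address(p[k])
                  for k in ("cloud_router_ip1", "cloud_router_ip2")}
        ipaddress.ip_address(p["fortigate_router_id"])  # must parse
        cr_asn, fgt_asn = int(p["cloud_router_asn"]), int(p["fortigate_router_asn"])
    except ValueError as exc:
        return [f"malformed address, subnet or ASN: {exc}"]
    problems = []
    if not p["zone"].startswith(p["region"] + "-"):
        problems.append(f"zone {p['zone']} is not in region {p['region']}")
    if ext.overlaps(internal):
        problems.append(f"external {ext} and internal {internal} subnets overlap")
    for key, ip in cr_ips.items():  # cloud router interfaces live in the external subnet
        if ip not in ext:
            problems.append(f"{key} {ip} is outside the external subnet {ext}")
    if cr_ips["cloud_router_ip1"] == cr_ips["cloud_router_ip2"]:
        problems.append("cloud router interface IPs must differ")
    if str(p["sitetositeData"]).lower() != "true":
        problems.append("sitetositeData must be True")
    if not is_private_asn(cr_asn):
        problems.append(f"cloud_router_asn {cr_asn} is not a private ASN")
    if cr_asn == fgt_asn:
        problems.append("cloud_router_asn and fortigate_router_asn must differ (eBGP)")
    pwd = str(p["fortigate_pwd"])
    if pwd == "<string>" or len(pwd) < MIN_PWD_LEN:
        problems.append("fortigate_pwd is a placeholder or shorter than local policy")
    return problems


def check_spoke_set(spokes: list) -> list:
    """Cross-file checks for the parameter files of all spokes of one hub."""
    problems = []
    for key in SHARED_KEYS:
        if len({s[key] for s in spokes}) != 1:
            problems.append(f"{key} differs between spoke files")
    for key in UNIQUE_KEYS:
        vals = [s[key] for s in spokes]
        if len(set(vals)) != len(vals):
            problems.append(f"{key} is reused between spokes")
    nets = [ipaddress.ip_network(s[k]) for s in spokes
            for k in ("Ncc_vpc_ext_cidr", "Ncc_vpc_int_cidr")]
    for i, net in enumerate(nets):
        if any(net.overlaps(other) for other in nets[i + 1:]):
            problems.append(f"subnet {net} overlaps another spoke's subnet")
    return problems


if __name__ == "__main__":
    # Usage: python3 check-ncc-params.py zone1.json [zone2.json ...]
    names = sys.argv[1:] or ["<built-in example>"]
    spokes = [json.load(open(n)) for n in sys.argv[1:]] or [EXAMPLE_PARAMS]
    for name, spoke in zip(names, spokes):
        for msg in validate_params(spoke):
            print(f"{name}: {msg}")
    for msg in check_spoke_set(spokes):
        print(f"spoke set: {msg}")
```

Run it against every parameter file you intend to upload in step 2, in one invocation, so that the cross-spoke checks see all of them; with the example values it reports only that fortigate_pwd is still the placeholder.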
