Version:

Version:


Table of Contents

GCP Administration Guide

Download PDF
Copy Link

Script execution for a single spoke

To deploy a single spoke on the NCC by executing the script:
  1. The provided set of scripts deploys a single spoke on the NCC.

    Filename

    Description

    deploy-fortigate-ncc.py

    Script to deploy spoke in single region of the NCC.

    Fortigate-ncc-param-zone1.json

    Variables required for spoke deployment are stored here.

    The variables listed in Fortigate-ncc-param-zone1.json except project, ncc_vpc_ext, and ncc_hub are unique for each spoke deployment. Ensure that you keep ncc_vpc_int unique. This allows you to deploy and access resources under the spoke FortiGate in its port 2 subnet. The following lists variables listed in Fortigate-ncc-param-zone1.json:

    Variable

    Description

    Example

    project

    GCP project in which the infrastructure needs to be deployed.

    project-001

    region

    Region in which spoke and cloud router are to be deployed.

    us-west1

    zone

    Zone in which spoke and cloud router are to be deployed.

    us-west1-a

    ncc_vpc_ext

    VPC for FortiGate external subnet.

    demo-ext-1

    ncc_vpc_int

    VPC For FortiGate internal subnet.

    demo-int-1

    ncc_hub

    Name of the NCC hub being created.

    demo-ncc-hub

    Cloud_router

    Cloud router name for this zone.

    zn1-cloudrouter

    Fortigate_spoke1

    Name of the spoke being created (shares name with FortiGate).

    Fortigate-1

    sitetositeData

    Allows for exchange of site-to-site data and BGP routes between regions.

    This variable must be set to True.

    True

    fortigate_spoke1_extip

    Unique name for static public IP address created for the FortiGate.

    spoke1-publicip

    Ncc_vpc_ext_cidr

    Subnet used in ncc_vpc_ext (external).

    192.168.205.0/24

    Ncc_vpc_int_cidr

    Subnet used in ncc_vpc_int (internal).

    192.168.215.0/24

    fortigate_pwd

    Administrator password for FortiGate instance.

    <string>

    cloud_router_ip1

    IP address assigned to cloud router interface 1.

    192.168.205.101

    cloud_router_ip2

    IP address assigned to cloud router interface 2.

    192.168.205.102

    cloud_router_asn

    Autonomous system number (ASN) set on cloud router.

    65012

    fortigate_router_id

    Router ID set on FortiGate (spoke).

    169.254.254.254

    fortigate_router_asn

    ASN set on FortiGate.

    7252

  2. Store the Fortigate-ncc-param-zone1.json text file in the GCP bucket.
  3. Create an API key to authenticate and create resources on behalf of a GCP account. See Using API keys for details on creating an API key.
  4. Copy deploy-fortigate-ncc.py and the API key file (api_key) locally for execution using the following command:

    gsutil cp gs://<bucket-name>/<filename>.py <local_path>

    The following shows an example of the command:

    gsutil cp gs://test-bucket/deploy-fortigate-ncc.py

    See cp - Copy files and objects for details.

  5. Execute the Python script, using the absolute path for the API key:

    python3 deploy-fortigate-ncc.py <public_APIkey>.json <bucket_name> Fortigate-ncc-param-zone1.json

    The following shows an example of the command:

    python3 deploy-fortigate-ncc.py /home/pbapikey.json test-bucket1 Fortigate-ncc-param-zone1.json

  6. Use the same script to deploy the hub and other individual spokes by changing the given Fortigate-ncc-param-zone1.json file to reflect the correct variables for the new spoke deployment.

  7. Verify that the script ran successfully by running the following commands. The commands describe the infrastructure that the script deployed:

    1. To verify the hub, run gcloud alpha network-connectivity hubs describe <ncc_hub>. For example, if the NCC hub is named testing-ncc-hub, the command would be gcloud alpha network-connectivity hubs describe testing-ncc-hub.

    2. To verify the spokes, run gcloud alpha network-connectivity spokes describe <spoke_name> --<region_name>. For example, if the spoke is named testing-fgt-1 and the region is us-west1, the command would be gcloud alpha network-connectivity spokes describe testing-fgt-1 --region=us-west1.

    3. To verify the cloud router, run gcloud compute routers describe <cloud_router> --region=<region_name>. For example, if the cloud router is named testing-cr-zn1 and the region is us-west1, the command would be gcloud compute routers describe testing-cr-zn1 --region=us-west1.

Script execution for a single spoke

To deploy a single spoke on the NCC by executing the script:
  1. The provided set of scripts deploys a single spoke on the NCC.

    Filename

    Description

    deploy-fortigate-ncc.py

    Script to deploy spoke in single region of the NCC.

    Fortigate-ncc-param-zone1.json

    Variables required for spoke deployment are stored here.

    The variables listed in Fortigate-ncc-param-zone1.json except project, ncc_vpc_ext, and ncc_hub are unique for each spoke deployment. Ensure that you keep ncc_vpc_int unique. This allows you to deploy and access resources under the spoke FortiGate in its port 2 subnet. The following lists variables listed in Fortigate-ncc-param-zone1.json:

    Variable

    Description

    Example

    project

    GCP project in which the infrastructure needs to be deployed.

    project-001

    region

    Region in which spoke and cloud router are to be deployed.

    us-west1

    zone

    Zone in which spoke and cloud router are to be deployed.

    us-west1-a

    ncc_vpc_ext

    VPC for FortiGate external subnet.

    demo-ext-1

    ncc_vpc_int

    VPC For FortiGate internal subnet.

    demo-int-1

    ncc_hub

    Name of the NCC hub being created.

    demo-ncc-hub

    Cloud_router

    Cloud router name for this zone.

    zn1-cloudrouter

    Fortigate_spoke1

    Name of the spoke being created (shares name with FortiGate).

    Fortigate-1

    sitetositeData

    Allows for exchange of site-to-site data and BGP routes between regions.

    This variable must be set to True.

    True

    fortigate_spoke1_extip

    Unique name for static public IP address created for the FortiGate.

    spoke1-publicip

    Ncc_vpc_ext_cidr

    Subnet used in ncc_vpc_ext (external).

    192.168.205.0/24

    Ncc_vpc_int_cidr

    Subnet used in ncc_vpc_int (internal).

    192.168.215.0/24

    fortigate_pwd

    Administrator password for FortiGate instance.

    <string>

    cloud_router_ip1

    IP address assigned to cloud router interface 1.

    192.168.205.101

    cloud_router_ip2

    IP address assigned to cloud router interface 2.

    192.168.205.102

    cloud_router_asn

    Autonomous system number (ASN) set on cloud router.

    65012

    fortigate_router_id

    Router ID set on FortiGate (spoke).

    169.254.254.254

    fortigate_router_asn

    ASN set on FortiGate.

    7252

  2. Store the Fortigate-ncc-param-zone1.json text file in the GCP bucket.
  3. Create an API key to authenticate and create resources on behalf of a GCP account. See Using API keys for details on creating an API key.
  4. Copy deploy-fortigate-ncc.py and the API key file (api_key) locally for execution using the following command:

    gsutil cp gs://<bucket-name>/<filename>.py <local_path>

    The following shows an example of the command:

    gsutil cp gs://test-bucket/deploy-fortigate-ncc.py

    See cp - Copy files and objects for details.

  5. Execute the Python script, using the absolute path for the API key:

    python3 deploy-fortigate-ncc.py <public_APIkey>.json <bucket_name> Fortigate-ncc-param-zone1.json

    The following shows an example of the command:

    python3 deploy-fortigate-ncc.py /home/pbapikey.json test-bucket1 Fortigate-ncc-param-zone1.json

  6. Use the same script to deploy the hub and other individual spokes by changing the given Fortigate-ncc-param-zone1.json file to reflect the correct variables for the new spoke deployment.

  7. Verify that the script ran successfully by running the following commands. The commands describe the infrastructure that the script deployed:

    1. To verify the hub, run gcloud alpha network-connectivity hubs describe <ncc_hub>. For example, if the NCC hub is named testing-ncc-hub, the command would be gcloud alpha network-connectivity hubs describe testing-ncc-hub.

    2. To verify the spokes, run gcloud alpha network-connectivity spokes describe <spoke_name> --<region_name>. For example, if the spoke is named testing-fgt-1 and the region is us-west1, the command would be gcloud alpha network-connectivity spokes describe testing-fgt-1 --region=us-west1.

    3. To verify the cloud router, run gcloud compute routers describe <cloud_router> --region=<region_name>. For example, if the cloud router is named testing-cr-zn1 and the region is us-west1, the command would be gcloud compute routers describe testing-cr-zn1 --region=us-west1.