GCP | Added support to deploy GCP HA without public IPs

gcp/deployment-packages/ha-byol/README.md

@@ -117,6 +117,8 @@ To deploy the Deployment Manager's package manually, without using the GCP Marke
 |  |  |  |  |  |
 | **shell** | Admin shell | string | /etc/cli.sh;<br/>/bin/bash;<br/>/bin/csh;<br/>/bin/tcsh;<br/> |
 |  |  |  |  |  |
+| **deployWithPublicIPs** | Deploy HA with public IPs | boolean | true; <br/>false; |
+|  |  |  |  |  |
 | **instanceSSHKey** | Public SSH key for the user 'admin' | string | A valid public ssh key |
 |  |  |  |  |  |
 | **smart1CloudTokenA** | Smart-1 Cloud token to connect ***member A*** to Check Point's Security Management as a Service. <br/><br/> Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal.|
@@ -149,6 +151,7 @@ To deploy the Deployment Manager's package manually, without using the GCP Marke
     generatePassword: false
     allowUploadDownload: false
     shell: "/bin/bash"
+    deployWithPublicIPs: true
     cluster-network-cidr: "10.0.1.0/24"
     cluster-network-name: "external-vpc"
     cluster-network-subnetwork-name: "frontend"

gcp/deployment-packages/ha-byol/check-point-cluster--byol.py

@@ -31,6 +31,8 @@
 
 MGMT_NIC = 1
 
+NO_PUBLIC_IP = 'no-public-ip'
+
 startup_script = '''
 #cloud-config
 runcmd:
@@ -149,39 +151,44 @@ def make_static_address(prop, name):
     return address
 
 
-def create_external_addresses(prop, resources, member_a_nics, member_b_nics):
-    member_a_address_name = common.set_name_and_truncate(
-        prop['deployment'], '-member-a-address')
-    member_b_address_name = common.set_name_and_truncate(
-        prop['deployment'], '-member-b-address')
+def create_external_addresses_if_needed(
+        prop, resources, member_a_nics, member_b_nics):
+    if not prop['deployWithPublicIPs']:
+        prop['primary_cluster_address_name'] = NO_PUBLIC_IP
+        prop['secondary_cluster_address_name'] = NO_PUBLIC_IP
+    else:
+        member_a_address_name = common.set_name_and_truncate(
+            prop['deployment'], '-member-a-address')
+        member_b_address_name = common.set_name_and_truncate(
+            prop['deployment'], '-member-b-address')
 
-    prop['member_a_address_name'] = member_a_address_name
-    prop['member_b_address_name'] = member_b_address_name
+        prop['member_a_address_name'] = member_a_address_name
+        prop['member_b_address_name'] = member_b_address_name
 
-    member_a_address = make_static_address(prop, member_a_address_name)
-    member_b_address = make_static_address(prop, member_b_address_name)
+        member_a_address = make_static_address(prop, member_a_address_name)
+        member_b_address = make_static_address(prop, member_b_address_name)
 
-    resources += [member_a_address, member_b_address]
+        resources += [member_a_address, member_b_address]
 
-    member_a_nics[MGMT_NIC]['accessConfigs'] = [make_access_config(
-        '$(ref.{}.address)'.format(member_a_address_name))]
-    member_b_nics[MGMT_NIC]['accessConfigs'] = [make_access_config(
-        '$(ref.{}.address)'.format(member_b_address_name))]
+        member_a_nics[MGMT_NIC]['accessConfigs'] = [make_access_config(
+            '$(ref.{}.address)'.format(member_a_address_name))]
+        member_b_nics[MGMT_NIC]['accessConfigs'] = [make_access_config(
+            '$(ref.{}.address)'.format(member_b_address_name))]
 
-    primary_cluster_address_name = common.set_name_and_truncate(
-        prop['deployment'], '-primary-cluster-address')
-    secondary_cluster_address_name = common.set_name_and_truncate(
-        prop['deployment'], '-secondary-cluster-address')
+        primary_cluster_address_name = common.set_name_and_truncate(
+            prop['deployment'], '-primary-cluster-address')
+        secondary_cluster_address_name = common.set_name_and_truncate(
+            prop['deployment'], '-secondary-cluster-address')
 
-    primary_cluster_address = make_static_address(
-        prop, primary_cluster_address_name)
-    secondary_cluster_address = make_static_address(
-        prop, secondary_cluster_address_name)
+        primary_cluster_address = make_static_address(
+            prop, primary_cluster_address_name)
+        secondary_cluster_address = make_static_address(
+            prop, secondary_cluster_address_name)
 
-    resources += [primary_cluster_address, secondary_cluster_address]
+        resources += [primary_cluster_address, secondary_cluster_address]
 
-    prop['primary_cluster_address_name'] = primary_cluster_address_name
-    prop['secondary_cluster_address_name'] = secondary_cluster_address_name
+        prop['primary_cluster_address_name'] = primary_cluster_address_name
+        prop['secondary_cluster_address_name'] = secondary_cluster_address_name
 
 
 def make_nic(prop, net_name, subnet_name):
@@ -412,7 +419,8 @@ def generate_config(context):
 
     member_b_nics = copy.deepcopy(member_a_nics)
 
-    create_external_addresses(prop, resources, member_a_nics, member_b_nics)
+    create_external_addresses_if_needed(
+        prop, resources, member_a_nics, member_b_nics)
 
     member_a_name = common.set_name_and_truncate(
         prop['deployment'], '-member-a')
@@ -442,19 +450,10 @@ def generate_config(context):
             'name': 'project',
             'value': prop['project']
         },
-        {
-            'name': 'clusterIP',
-            'value': '$(ref.{}.address)'.format(
-                prop['primary_cluster_address_name'])
-        },
         {
             'name': 'vmAName',
             'value': member_a_name,
         },
-        {
-            'name': 'vmAExternalIP',
-            'value': '$(ref.{}.address)'.format(prop['member_a_address_name'])
-        },
         {
             'name': 'vmASelfLink',
             'value': '$(ref.{}.selfLink)'.format(member_a_name),
@@ -463,10 +462,6 @@ def generate_config(context):
             'name': 'vmBName',
             'value': member_b_name,
         },
-        {
-            'name': 'vmBExternalIP',
-            'value': '$(ref.{}.address)'.format(prop['member_b_address_name'])
-        },
         {
             'name': 'vmBSelfLink',
             'value': '$(ref.{}.selfLink)'.format(member_b_name),
@@ -477,4 +472,23 @@ def generate_config(context):
         }
     ]
 
+    if prop['deployWithPublicIPs']:
+        outputs += [
+            {
+                'name': 'clusterIP',
+                'value': '$(ref.{}.address)'.format(
+                    prop['primary_cluster_address_name'])
+            },
+            {
+                'name': 'vmAExternalIP',
+                'value': '$(ref.{}.address)'.format(
+                    prop['member_a_address_name'])
+            },
+            {
+                'name': 'vmBExternalIP',
+                'value': '$(ref.{}.address)'.format(
+                    prop['member_b_address_name'])
+            }
+        ]
+
     return common.MakeResource(resources, outputs)

gcp/deployment-packages/ha-byol/check-point-cluster--byol.py.schema

@@ -39,6 +39,9 @@ properties:
       gceMachineType:
         minCpu: 2
         minRamGb: 1.843000054359436
+  deployWithPublicIPs:
+    type: boolean
+    default: True
   instanceSSHKey:
     type: string
     pattern: ^([0-9a-z\-]+ +[0-9A-Za-z/\+=]+( .*)?|)$

gcp/deployment-packages/ha-byol/config.yaml

@@ -25,6 +25,7 @@ resources:
       generatePassword: "PLEASE ENTER true or false"
       allowUploadDownload: "PLEASE ENTER true or false"
       shell: "PLEASE ENTER A SHELL"
+      deployWithPublicIPs: "PLEASE ENTER true or false"
       cluster-network-cidr: "PLEASE ENTER CLUSTER NETWORK CIDR"
       cluster-network-name: "PLEASE ENTER CLUSTER NETWORK ID"
       cluster-network-subnetwork-name: "PLEASE ENTER CLUSTER SUBNETWORK ID"

gcp/deployment-packages/ha-payg/README.md

@@ -117,6 +117,8 @@ To deploy the Deployment Manager's package manually, without using the GCP Marke
 |  |  |  |  |  |
 | **shell** | Admin shell | string | /etc/cli.sh;<br/>/bin/bash;<br/>/bin/csh;<br/>/bin/tcsh;<br/> |
 |  |  |  |  |  |
+| **deployWithPublicIPs** | Deploy HA with public IPs | boolean | true; <br/>false; |
+|  |  |  |  |  |
 | **instanceSSHKey** | Public SSH key for the user 'admin' | string | A valid public ssh key |
 |  |  |  |  |  |
 | **smart1CloudTokenA** | Smart-1 Cloud token to connect ***member A*** to Check Point's Security Management as a Service. <br/><br/> Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal.|
@@ -149,6 +151,7 @@ To deploy the Deployment Manager's package manually, without using the GCP Marke
     generatePassword: false
     allowUploadDownload: false
     shell: "/bin/bash"
+    deployWithPublicIPs: true
     cluster-network-cidr: "10.0.1.0/24"
     cluster-network-name: "external-vpc"
     cluster-network-subnetwork-name: "frontend"

gcp/deployment-packages/ha-payg/check-point-cluster--payg.py

@@ -31,6 +31,8 @@
 
 MGMT_NIC = 1
 
+NO_PUBLIC_IP = 'no-public-ip'
+
 startup_script = '''
 #cloud-config
 runcmd:
@@ -149,39 +151,44 @@ def make_static_address(prop, name):
     return address
 
 
-def create_external_addresses(prop, resources, member_a_nics, member_b_nics):
-    member_a_address_name = common.set_name_and_truncate(
-        prop['deployment'], '-member-a-address')
-    member_b_address_name = common.set_name_and_truncate(
-        prop['deployment'], '-member-b-address')
+def create_external_addresses_if_needed(
+        prop, resources, member_a_nics, member_b_nics):
+    if not prop['deployWithPublicIPs']:
+        prop['primary_cluster_address_name'] = NO_PUBLIC_IP
+        prop['secondary_cluster_address_name'] = NO_PUBLIC_IP
+    else:
+        member_a_address_name = common.set_name_and_truncate(
+            prop['deployment'], '-member-a-address')
+        member_b_address_name = common.set_name_and_truncate(
+            prop['deployment'], '-member-b-address')
 
-    prop['member_a_address_name'] = member_a_address_name
-    prop['member_b_address_name'] = member_b_address_name
+        prop['member_a_address_name'] = member_a_address_name
+        prop['member_b_address_name'] = member_b_address_name
 
-    member_a_address = make_static_address(prop, member_a_address_name)
-    member_b_address = make_static_address(prop, member_b_address_name)
+        member_a_address = make_static_address(prop, member_a_address_name)
+        member_b_address = make_static_address(prop, member_b_address_name)
 
-    resources += [member_a_address, member_b_address]
+        resources += [member_a_address, member_b_address]
 
-    member_a_nics[MGMT_NIC]['accessConfigs'] = [make_access_config(
-        '$(ref.{}.address)'.format(member_a_address_name))]
-    member_b_nics[MGMT_NIC]['accessConfigs'] = [make_access_config(
-        '$(ref.{}.address)'.format(member_b_address_name))]
+        member_a_nics[MGMT_NIC]['accessConfigs'] = [make_access_config(
+            '$(ref.{}.address)'.format(member_a_address_name))]
+        member_b_nics[MGMT_NIC]['accessConfigs'] = [make_access_config(
+            '$(ref.{}.address)'.format(member_b_address_name))]
 
-    primary_cluster_address_name = common.set_name_and_truncate(
-        prop['deployment'], '-primary-cluster-address')
-    secondary_cluster_address_name = common.set_name_and_truncate(
-        prop['deployment'], '-secondary-cluster-address')
+        primary_cluster_address_name = common.set_name_and_truncate(
+            prop['deployment'], '-primary-cluster-address')
+        secondary_cluster_address_name = common.set_name_and_truncate(
+            prop['deployment'], '-secondary-cluster-address')
 
-    primary_cluster_address = make_static_address(
-        prop, primary_cluster_address_name)
-    secondary_cluster_address = make_static_address(
-        prop, secondary_cluster_address_name)
+        primary_cluster_address = make_static_address(
+            prop, primary_cluster_address_name)
+        secondary_cluster_address = make_static_address(
+            prop, secondary_cluster_address_name)
 
-    resources += [primary_cluster_address, secondary_cluster_address]
+        resources += [primary_cluster_address, secondary_cluster_address]
 
-    prop['primary_cluster_address_name'] = primary_cluster_address_name
-    prop['secondary_cluster_address_name'] = secondary_cluster_address_name
+        prop['primary_cluster_address_name'] = primary_cluster_address_name
+        prop['secondary_cluster_address_name'] = secondary_cluster_address_name
 
 
 def make_nic(prop, net_name, subnet_name):
@@ -412,7 +419,8 @@ def generate_config(context):
 
     member_b_nics = copy.deepcopy(member_a_nics)
 
-    create_external_addresses(prop, resources, member_a_nics, member_b_nics)
+    create_external_addresses_if_needed(
+        prop, resources, member_a_nics, member_b_nics)
 
     member_a_name = common.set_name_and_truncate(
         prop['deployment'], '-member-a')
@@ -442,19 +450,10 @@ def generate_config(context):
             'name': 'project',
             'value': prop['project']
         },
-        {
-            'name': 'clusterIP',
-            'value': '$(ref.{}.address)'.format(
-                prop['primary_cluster_address_name'])
-        },
         {
             'name': 'vmAName',
             'value': member_a_name,
         },
-        {
-            'name': 'vmAExternalIP',
-            'value': '$(ref.{}.address)'.format(prop['member_a_address_name'])
-        },
         {
             'name': 'vmASelfLink',
             'value': '$(ref.{}.selfLink)'.format(member_a_name),
@@ -463,10 +462,6 @@ def generate_config(context):
             'name': 'vmBName',
             'value': member_b_name,
         },
-        {
-            'name': 'vmBExternalIP',
-            'value': '$(ref.{}.address)'.format(prop['member_b_address_name'])
-        },
         {
             'name': 'vmBSelfLink',
             'value': '$(ref.{}.selfLink)'.format(member_b_name),
@@ -477,4 +472,23 @@ def generate_config(context):
         }
     ]
 
+    if prop['deployWithPublicIPs']:
+        outputs += [
+            {
+                'name': 'clusterIP',
+                'value': '$(ref.{}.address)'.format(
+                    prop['primary_cluster_address_name'])
+            },
+            {
+                'name': 'vmAExternalIP',
+                'value': '$(ref.{}.address)'.format(
+                    prop['member_a_address_name'])
+            },
+            {
+                'name': 'vmBExternalIP',
+                'value': '$(ref.{}.address)'.format(
+                    prop['member_b_address_name'])
+            }
+        ]
+
     return common.MakeResource(resources, outputs)

gcp/deployment-packages/ha-payg/check-point-cluster--payg.py.schema

@@ -39,6 +39,9 @@ properties:
       gceMachineType:
         minCpu: 2
         minRamGb: 1.843000054359436
+  deployWithPublicIPs:
+    type: boolean
+    default: True
   instanceSSHKey:
     type: string
     pattern: ^([0-9a-z\-]+ +[0-9A-Za-z/\+=]+( .*)?|)$

gcp/deployment-packages/ha-payg/config.yaml

@@ -25,6 +25,7 @@ resources:
       generatePassword: "PLEASE ENTER true or false"
       allowUploadDownload: "PLEASE ENTER true or false"
       shell: "PLEASE ENTER A SHELL"
+      deployWithPublicIPs: "PLEASE ENTER true or false"
       cluster-network-cidr: "PLEASE ENTER CLUSTER NETWORK CIDR"
       cluster-network-name: "PLEASE ENTER CLUSTER NETWORK ID"
       cluster-network-subnetwork-name: "PLEASE ENTER CLUSTER SUBNETWORK ID"