Deploying ERM in Google Cloud Platform (GCP)

You can deploy ERM in Google Cloud Platform (GCP). Pexip publishes a disk image for the Pexip ERM Installer virtual machine that you can run on a VM instance in GCP.

In summary, you need to:

  1. Prepare your GCP environment and SSH keys.
  2. Obtain and prepare the ERM disk image.
  3. Create a VM instance to host ERM.
  4. Connect to the instance and run the ERM onboarding wizard.

Full details on how to perform these tasks are described below.

Deployment guidelines

This section provides information about what you need to prepare before you can deploy ERM in GCP.

We recommend that you deploy ERM in a dedicated GCP project.

Recommended instance types

GCP instances come in many different sizes. ERM is not compute intensive: it functions as a web server and database, so a general-purpose instance type such as the E2 machine series should suffice. We recommend:

  • e2-standard-4 for deployments with up to 500 endpoints
  • e2-standard-8 for deployments with more than 500 endpoints

Security and SSH keys

An SSH key must be applied to the VM instance that will host ERM (in order to complete the installation). Keys can be applied project wide or for a particular VM instance.

The username element of the SSH key must be "admin" or "admin@<domain>", i.e. the key takes one of the following formats:

  • ssh-rsa [KEY_VALUE] admin
  • ssh-rsa [KEY_VALUE] admin@vc.example.com (for example)

You can create key pairs with third-party tools such as PuTTYgen, or you can use an existing SSH key pair, but you will need to format the public key to work in Compute Engine metadata (and ensure the username element is changed to "admin"). You can also use key types other than RSA, such as ed25519. For more information about using and formatting SSH keys for GCP, see https://cloud.google.com/compute/docs/instances/access-overview and https://cloud.google.com/source-repositories/docs/authentication#ssh.
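The following script is an added example, not Pexip's code: it rewrites the username element of an existing OpenSSH public key to "admin" or "admin@<domain>" and, before doing so, checks that the key type is one Compute Engine accepts and that the base64 value really is a blob of that type (the function name gce_erm_key, the sample key and the domain vc.example.com are constructed for the example).

```shell
#!/bin/sh
# Rewrite the comment (username) element of an OpenSSH public key to "admin"
# or "admin@<domain>", as ERM requires, after checking that the key has a
# type and value Compute Engine metadata will accept.
# Usage: gce_erm_key 'ssh-ed25519 AAAA... alice@laptop' [domain]
gce_erm_key() {
    domain="${2:-}"
    # Fields of an OpenSSH public key line: TYPE VALUE [COMMENT]
    set -- $1
    ktype="${1:-}"; kvalue="${2:-}"
    case "$ktype" in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "unsupported or malformed key type: '$ktype'" >&2; return 1 ;;
    esac
    [ -n "$kvalue" ] || { echo "missing key value" >&2; return 1; }
    # An OpenSSH key blob begins with a length-prefixed copy of its type, so a
    # value that does not decode, or whose blob disagrees with the header, is
    # rejected before it reaches the instance metadata.
    blob_type=$(printf '%s' "$kvalue" | base64 -d 2>/dev/null | head -c 40 \
        | tr -c 'a-z0-9-' '\n' | awk 'NF { print; exit }')
    [ "$blob_type" = "$ktype" ] || { echo "key value is not a valid $ktype blob" >&2; return 1; }
    case "$domain" in
        "") user=admin ;;
        *[!A-Za-z0-9.-]*) echo "invalid domain: '$domain'" >&2; return 1 ;;
        *) user="admin@$domain" ;;
    esac
    printf '%s %s %s\n' "$ktype" "$kvalue" "$user"
}

# Constructed sample (not a real key): a structurally valid ssh-ed25519 blob
# whose 32 key bytes are all zero. Layout: uint32 length, "ssh-ed25519",
# uint32 length, 32 key bytes.
sample_blob() {
    printf '\000\000\000\013ssh-ed25519\000\000\000\040'
    head -c 32 /dev/zero
}
SAMPLE_KEY="ssh-ed25519 $(sample_blob | base64 | tr -d '\n') alice@laptop"

# Example run: prints the key in the form the instance metadata expects.
gce_erm_key "$SAMPLE_KEY" vc.example.com
```

Paste the printed line into the SSH key text box when creating the instance; a key whose header and blob disagree (for example a header edited from ssh-ed25519 to ssh-rsa) is rejected rather than uploaded.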

Google Cloud IP addressing and VPN for private/hybrid cloud deployments

All GCE VM instances are allocated a Primary internal IP (i.e. private) address. For ERM, you typically also need to assign a static External IP (i.e. public) address to the GCE VM instance.

For a private or hybrid cloud deployment, you must configure the Google Cloud virtual private network (VPN) to connect your on-premises network to the Google Cloud Platform. For full information about how to configure the Google Cloud VPN, see https://cloud.google.com/compute/docs/vpn/overview.

Note that the VM starts up with a default configuration that uses DHCP. You are assigned, or can set, a specific IP address during VM deployment. When running in DHCP mode you cannot currently override the DNS servers using the onboarding wizard: if you set the DNS servers while running in DHCP mode, they will be overwritten on the next boot. The workaround in this case is to change the VM from DHCP to a static IP address and then configure your DNS servers again.

Configuring your Google VPC network and firewall rules

We recommend that you configure your Google VPC network (via VPC network > Firewall from the GCP project console in your dedicated Google project) with the firewall rules described in ERM network port requirements. This ensures that access is locked down to just the required ports, and that all relevant ports are enabled.

Note that:

  • While the default VPC network and firewall rules allow access to the VM instance running ERM, they do not enable access to the ERM Installer web interface (port 8999). Therefore, you must add a firewall rule for your VPC that allows access to port 8999 on the VM instance.
  • The default-allow-ssh rule allows SSH access to the VM instance running ERM from any device on the Internet. You may want to limit the source IP addresses that can access this service.
  • When configuring your VM instance you can ignore (leave unselected) the Allow HTTP traffic and Allow HTTPS traffic options, as you will have already enabled HTTP(S) access as described in ERM network port requirements. (If they are selected, GCE automatically adds network tags to your instance and additional firewall rules to your VPC.)
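The following gcloud script is an added example, not Pexip's code, showing how the two notes above can be applied from the command line: a rule that opens the ERM Installer port 8999 only to an administrative source range, and a change to default-allow-ssh so SSH is no longer reachable from the whole Internet. The network name "default", the target tag "pexip-erm", the rule name "pexip-erm-installer" and the address range 203.0.113.0/24 are assumptions for the example; the project comes from the active gcloud configuration.

```shell
#!/bin/sh
# Lock down the VPC firewall for the ERM instance with gcloud: open the ERM
# Installer port 8999 and narrow the default SSH rule, both to an admin
# source range rather than the whole Internet.
# Assumptions: network "default", target tag "pexip-erm", rule name
# "pexip-erm-installer", project taken from the active gcloud configuration.
ADMIN_RANGES="${ADMIN_RANGES:-203.0.113.0/24}"   # constructed example; set to your admin network
NETWORK="${NETWORK:-default}"
TARGET_TAG="${TARGET_TAG:-pexip-erm}"

# Refuse any source range that would leave the rule open to the Internet.
check_ranges() {
    case ",$1," in
        *,0.0.0.0/0,*|*,::/0,*)
            echo "refusing source range open to the Internet: $1" >&2; return 1 ;;
    esac
    return 0
}

# Installer web interface (tcp/8999), reachable only from the admin range
# and only on instances carrying the target tag.
allow_erm_installer() {
    check_ranges "$ADMIN_RANGES" || return 1
    gcloud compute firewall-rules create pexip-erm-installer \
        --network "$NETWORK" --direction INGRESS --allow tcp:8999 \
        --source-ranges "$ADMIN_RANGES" --target-tags "$TARGET_TAG"
}

# Replace the 0.0.0.0/0 source range of default-allow-ssh with the admin range.
restrict_ssh() {
    check_ranges "$ADMIN_RANGES" || return 1
    gcloud compute firewall-rules update default-allow-ssh \
        --source-ranges "$ADMIN_RANGES"
}

# Tag the ERM instance so the installer rule applies to it.
tag_instance() {
    gcloud compute instances add-tags "$1" --zone "$2" --tags "$TARGET_TAG"
}

# Usage (after the instance exists): source this file, then run
#   allow_erm_installer && restrict_ssh && tag_instance pexiperm <zone>
```

Override ADMIN_RANGES with a comma-separated list of your administrative networks; check_ranges blocks a run that would re-open either rule to 0.0.0.0/0 or ::/0.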

Assumptions and prerequisites

These deployment instructions assume that within GCP you have already:

  • signed up to the Google Cloud Platform
  • configured a Google Cloud VPN (for a private or hybrid cloud deployment)

For more information on setting up your Google Cloud Platform Virtual Machines, see https://cloud.google.com/compute/docs/instances/.

No changes should be made to any Pexip ERM system (other than as described within this documentation for installing and maintaining your deployment) unless directed to do so by Pexip support. This includes (but is not limited to) any changes to the operating system or the installation of any third-party code/applications. If you encounter any issues, please contact your Pexip authorized support representative.

Obtaining and preparing the disk image for GCE Virtual Machines

Pexip publishes Google Compute Engine (GCE) optimized disk images for ERM.

Before you can use the published ERM disk images, you must copy them to your storage bucket in the Google Cloud Platform (GCP). This guide refers to a disk image copied to your storage bucket as a custom disk image. All deployment operations use custom disk images.

Obtaining the Pexip disk images

To obtain your disk images, go to https://www.pexip.com/help-center/platform-download, expand the Enhanced Room Management installation section, and select the .tar.gz file download option for a GCP deployment. This downloads a gce.tar.gz file with a filename in the format Pexip_ERM_<version>_generic_<build>_gce.tar.gz.

Uploading disk images to Google Cloud Storage

The Pexip disk image packages must be uploaded to Google Cloud Storage.

  1. Create a bucket to store the images:

    1. From the GCP project console, go to Cloud Storage > Browser.
    2. Select Create Bucket.
    3. Enter a Name (for example, "pexip-v1"), and then select an appropriate Storage class and Location for your deployment.

      For more information about storage buckets, see https://cloud.google.com/storage/docs/creating-buckets.

    4. Select Create.
  2. Upload the Pexip images to the new bucket:

    1. Select the new bucket e.g. pexip-v1.
    2. Select Upload Files.
    3. In the dialog that appears, select the ERM tar.gz file that you downloaded from Pexip.
    4. Select Open.

Preparing custom disk images

You must now prepare a custom disk image for ERM:

  1. From the GCP project console, go to Compute engine > Images.
  2. Select Create Image.
  3. Enter a Name, for example "pexip-erm-v1".
  4. Select a Source of Cloud Storage file.
  5. Select Browse and select the ERM image package in your storage bucket e.g. pexip-v1.
  6. Select Create.

You can now deploy ERM in Google Cloud Platform.

Creating a VM instance to host ERM

After you have prepared a custom disk image for ERM, you can deploy it on a Google Compute Engine VM:

  1. From the GCP project console, go to Compute engine > VM instances.
  2. Select Create Instance.
  3. Complete the following fields (leave all other settings as default):

    Name: Enter a unique name for the instance, for example "pexiperm".
    Region / Zone: Select an appropriate Region and Zone. Typically you should choose a region and zone that is geographically close to the location from which it will be administered.
    Series and Machine type: The E2 series and an e2-standard-4 machine type should be sufficient. See Recommended instance types for more information.
    Boot disk: Select the ERM custom disk image:

    1. Select Change.
    2. Select Custom images.
    3. Select your GCP project.
    4. Select the ERM custom disk image, e.g. "pexip-erm-v1".
    5. Select a Boot disk type of SSD persistent disk.
    6. Select Select.

    Identity and API access: For Service account, select No service account.

    Networking:

    External IP

    In most deployment scenarios you need to assign a public (external) IP address to the instance.

    1. Expand the Advanced options section and open the Networking section.
    2. In the Network interfaces field, select the default interface to open the Network interface dialog.
    3. Select a Subnetwork if appropriate (e.g. if it is a private/hybrid deployment and you have created new subnets to avoid overlapping addresses in your corporate network).
    4. Select an appropriate External IP:

      • None: no external IP address will be assigned. Use this where the instance does not need to have a publicly-accessible IP address.
      • Create IP address: select this option to create a static external address. You can enter a Name for the address and GCP will allocate a static IP address.
      • <external address>: you can select a specific static external address if you have already created one in advance.

    Do not select Ephemeral — if you stop and restart the instance a new address will be assigned.

    SSH keys

    An SSH key must be applied to the instance so that you can access the console and run the setup wizard.

    The username element of the SSH key must be "admin" or "admin@<domain>". To apply an instance-level key:

    1. Open the Security section and then open the Manage Access section.
    2. Select Add item to add your own, existing SSH key. This produces a text box. Copy the contents of your public SSH key file and paste them into the text box. Modify the username element at the end of the key to "admin" or "admin@<domain>" if necessary.

    See Security and SSH keys for more information.

  4. Select Create to create the instance.

Connecting to the instance and running the ERM onboarding wizard

You must now connect over SSH into the instance to run the ERM setup wizard.

  1. Use a command window to connect to the instance via SSH:

    1. Open a command window on your local computer.
    2. Connect to the instance via ssh, using a command in the format: ssh -i <path to private key> admin@<instance IP address>

      For example:

      ssh -i .ssh\gcpprivkey admin@192.168.5.3

    For more information, see https://cloud.google.com/compute/docs/instances/connecting-advanced#thirdpartytools.

  2. Run the ERM setup wizard. From the command prompt run:

    sudo onboard_wizard

You can now follow the setup instructions as shown in Deploying the ERM Installer virtual machine.