Assigning Public IP Addresses to Workloads on Google Cloud VMware Engine (GCVE)

Satya Shrestha

January 26, 2023

In GCVE, the public IP address network service enables external access to virtual machines, management appliances, and load balancers running within your private cloud. By default, this service is deactivated in GCVE.

In many cases, it may be necessary to assign a public IP address directly to a workload running on Google Cloud VMware Engine (GCVE). One of the major use cases for assigning a public IP address to a virtual machine (VM) in GCVE is to provide external access to the VM over the internet. This can be useful for hosting a web server, allowing remote access to the VM for administration (via SSH or RDP), or providing a way for users to connect to the VM for various services or applications. Additionally, a VM with a public IP address can be accessed by other VMs in the same environment.

Another use case for assigning a public IP address to a VM in GCVE is to enable connectivity to other services or resources that are hosted outside of the GCVE environment. For example, if a company has an application or service hosted on-premises or in another public cloud, a VM in GCVE with a public IP address can be used to connect to and access those resources.

Besides the above use cases, allocating a public IP address to a resource also offers several advantages, including automatic DDoS attack prevention (in GCVE, this protection is automatically enabled for public IP addresses), constant monitoring of traffic, and real-time mitigation of common network-level attacks.

In this article, we'll demonstrate how to assign a public IP address to a workload running on GCVE. In this example, we're exposing all services running on a VM to external users (including SSH).

Let's get started.

Enable the public IP network service in a region:

To enable the public IP network service for a workload VM in the VMware Engine portal, follow the steps below:

  • Access the VMware Engine portal.

Picture 1: Google Cloud VMware Engine (GCVE) Console – Resource Summary Screen

  • Go to Network > Regional settings.

Picture 2: GCVE Console – Network Screen

  • In the row corresponding to the region of interest, select Edit.

Picture 3: GCVE Console – Network > Regional Settings Screen

  • Toggle Public IP Service to Enabled, ensuring that the internet access service is also enabled.
  • Enter an address range in the Edge Services CIDR field, typically a /26 address range.

Picture 4: GCVE Console – Network > Regional Settings Edit Screen

  • Click Submit.
  • Wait for the status to change to "Enabled".

Allocate a public IP address to Workload VM:

To allocate a public IP address for a workload VM, follow the steps below:

  • Open the Google Cloud VMware Engine portal.
  • Go to Network > Public IPs.
  • Click Allocate.

Picture 5: GCVE Console – Network > Public IPs Screen

  • Enter a name for the public IP address in the Name field. We have named it “gcve-hybrid-app01” for our example.
  • Select the Private cloud and Location for the allocation. In our example, our Private Cloud is “mca-gcve-demo-sddc”.
  • Enter the local IP address of the VM you want to assign the public IP to in the Attached local address field. In our example, our Attached Local Address is “10.122.200.113”.
  • As you can see in the vCenter Web UI screenshot below, we have a workload VM “gcve-hybrid-app01” with the private IP address “10.122.200.113”.

Picture 6: vCenter Web Console – Virtual Machine Summary Screen showing DNS Name and Private IP Address

  • Click Submit to begin the allocation task.

Picture 7: GCVE Console – Network > Allocate Public IP Screen

  • Check the status of the task on the Activity > Tasks page.
  • Once complete, the new public IP will appear on the Public IPs page with the Operational status. In our case, the public IP address allocated to us is “34.94.108.96”.

Picture 8: GCVE Console – Public IPs Screen

Create Firewall Rule for Public IP:

Now it’s time to create a firewall rule to allow all inbound traffic coming to the public IP address “34.94.108.96” and route it to our workload VM. To do that, follow the steps below:

  • In the Google Cloud VMware Engine portal, go to Network > Firewall Tables.
  • Click “Dataplane Policy”.

Picture 9: GCVE Console – Network > Firewall Tables Screen

  • On the Dataplane Policy page, click “Create new Firewall Rule”.

Picture 10: GCVE Console – Network > Firewall Tables Screen

  • Create an Inbound rule and populate required fields such as “Name”, “Priority”, “Traffic type”, “Protocol”, “Direction”, “Action”, “Source”, “Source port range”, “Destination (VMware Engine network)” and “Destination port Range” as below.

Picture 11: GCVE Console – Network > Create new Firewall Rule Screen

  • Click Done.
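
The following is an added example, not part of the original article or of any GCVE tooling: a Python check that reviews inbound rule definitions, keyed by the form fields listed above, before they are entered in the portal. The dict layout is an assumption rather than a GCVE export format, and the sample rules and the 203.0.113.0/24 admin range are constructed for illustration.

```python
import ipaddress

# Ports that carry administration rather than the published web service.
MGMT_PORTS = {22: "SSH", 3389: "RDP"}

def parse_ports(spec):
    """'Any' -> (0, 65535); '443' -> (443, 443); '8000-8100' -> (8000, 8100)."""
    spec = str(spec).strip().lower()
    if spec in ("any", "*"):
        return 0, 65535
    lo, _, hi = spec.partition("-")
    return int(lo), int(hi or lo)

def is_any_source(src):
    """True for 'Any' or a zero-length prefix such as 0.0.0.0/0 or ::/0."""
    src = str(src).strip().lower()
    if src in ("any", "*"):
        return True
    return ipaddress.ip_network(src, strict=False).prefixlen == 0

def review_rule(rule):
    """Return findings for one rule; an empty list means nothing was flagged."""
    if rule["direction"].lower() != "inbound" or rule["action"].lower() != "allow":
        return []
    findings = []
    lo, hi = parse_ports(rule["destination_port_range"])
    if is_any_source(rule["source"]):
        if (lo, hi) == (0, 65535):
            findings.append("all destination ports open to any source")
        for port, name in MGMT_PORTS.items():
            if lo <= port <= hi:
                findings.append(f"{name} ({port}) reachable from any source")
    return findings

def review(rules):
    return {r["name"]: f for r in rules if (f := review_rule(r))}

# Constructed sample rules. 34.94.108.96 is the article's public IP;
# 203.0.113.0/24 is a documentation range standing in for an admin network.
def _rule(name, source, ports):
    return {"name": name, "direction": "Inbound", "action": "Allow", "source": source,
            "destination": "34.94.108.96", "destination_port_range": ports}
RULES = [
    _rule("allow-all-inbound", "Any", "Any"),          # the allow-all shape
    _rule("allow-web", "0.0.0.0/0", "80"),             # only the Apache port
    _rule("allow-ssh-admin", "203.0.113.0/24", "22"),  # SSH from one network
]
if __name__ == "__main__":
    for name, findings in review(RULES).items():
        print(name, "->", "; ".join(findings))
```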

Once the firewall rule is created, test the public IP “34.94.108.96” in any web browser or with the “curl” command and check that it fetches the website from the workload VM in GCVE. Our workload has a vanilla Apache installed with a placeholder index.html page, as shown below.

Picture 12: Browser screen accessing Public IP address 34.94.108.96 that fetches a webpage from Workload VM in GCVE

And that’s it.

Assigning a public IP address to a VM in GCVE can provide several benefits, including increased accessibility, improved connectivity with external resources, and enhanced security. While there are many ways to provide public access to VMs, in this article we covered a simple use case in which a public IP address is directly assigned to a workload VM running in GCVE. We hope you find this article useful. Let us know what other content you want to see on knowledgeacademy.io.

Satya is an experienced IT professional with a demonstrated history of working in Information Technology, with years of experience in multiple industry verticals. He currently works for VMware as Snr. Staff Multi-Cloud Solutions Architect. He is skilled in designing and implementing Enterprise Application Suite in Public, Private and Hybrid cloud infrastructure including AWS, VMware, VMware Cloud on AWS, Azure VMware Solution (AVS), Google Cloud VMware Engine (GCVE), Oracle Cloud VMware Solution (OCVS), Microsoft Azure, Google Cloud and the like.

Satya Shrestha

Snr. Staff Multi-Cloud Solutions Architect, VMware
