This is a simple solution that leverages Google Cloud Packet Mirroring [1] to make troubleshooting easier. This was in response to a need to capture packets for a workload running in GKE with pods across several nodes. What's provisioned:
- A packet mirroring policy to mirror packets from GCE instances using the provided network tags
- An internal TCP Load Balancer, health check, backend service, instance group, and GCE instance to capture the mirrored traffic
- Firewall rules to permit the required traffic
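To make the provisioned chain concrete, here is an added Terraform illustration of the components listed above. It is not this repository's code: the resource names, the `us-central1` region, the `mirror-me` network tag, the `10.0.0.0/8` source range and the `default` VPC are assumptions to be replaced with your own values.

```hcl
# Added illustration of the pieces the README lists, not the repo's own module.
# Chain: collector VM -> instance group -> backend service -> internal TCP
# forwarding rule (the collector ILB) -> packet mirroring policy keyed on tags.
variable "project"       {}
variable "region"        { default = "us-central1" }        # assumed
variable "zone"          { default = "us-central1-a" }      # assumed
variable "network"       { default = "default" }            # assumed VPC name
variable "subnetwork"    { default = "default" }            # assumed subnet name
variable "mirrored_tags" { default = ["mirror-me"] }        # assumed tag on GKE nodes

provider "google" {
  project = var.project
  region  = var.region
}

data "google_compute_network"    "net"    { name = var.network }
data "google_compute_subnetwork" "subnet" {
  name   = var.subnetwork
  region = var.region
}

# The collector VM. No access_config block, so it gets no external IP and is
# reached over IAP only (gcloud compute ssh pcap-vm --tunnel-through-iap).
resource "google_compute_instance" "pcap_vm" {
  name         = "pcap-vm"
  zone         = var.zone
  machine_type = "e2-small"
  tags         = ["pcap-collector"]
  boot_disk {
    initialize_params { image = "debian-cloud/debian-11" }
  }
  network_interface {
    subnetwork = data.google_compute_subnetwork.subnet.id
  }
  metadata_startup_script = "apt-get update && apt-get install -y tcpdump"
}

resource "google_compute_instance_group" "pcap" {
  name      = "pcap-ig"
  zone      = var.zone
  instances = [google_compute_instance.pcap_vm.self_link]
}

# Health check on sshd; the collector must be healthy or the ILB drops traffic.
resource "google_compute_health_check" "pcap" {
  name = "pcap-hc"
  tcp_health_check { port = 22 }
}

resource "google_compute_region_backend_service" "pcap" {
  name          = "pcap-bes"
  region        = var.region
  health_checks = [google_compute_health_check.pcap.id]
  backend { group = google_compute_instance_group.pcap.id }
}

# Internal TCP load balancer acting as the mirroring collector.
resource "google_compute_forwarding_rule" "collector" {
  name                   = "pcap-collector-ilb"
  region                 = var.region
  load_balancing_scheme  = "INTERNAL"
  backend_service        = google_compute_region_backend_service.pcap.id
  network                = data.google_compute_network.net.id
  subnetwork             = data.google_compute_subnetwork.subnet.id
  all_ports              = true
  is_mirroring_collector = true   # required for a Packet Mirroring collector
}

# Mirror every instance carrying the assumed tag; the filter block is optional
# and can be dropped to mirror all protocols in both directions.
resource "google_compute_packet_mirroring" "policy" {
  name   = "mirror-tagged-nodes"
  region = var.region
  network       { url = data.google_compute_network.net.id }
  collector_ilb { url = google_compute_forwarding_rule.collector.id }
  mirrored_resources { tags = var.mirrored_tags }
  filter {
    direction    = "BOTH"
    ip_protocols = ["tcp", "udp"]
  }
}

# Mirrored packets arrive with their original headers, so the collector's
# ingress rule must cover the original source addresses (assumed 10.0.0.0/8),
# not only the mirrored VMs. Health-check probers and the IAP TCP-forwarding
# range get their own narrow rules for port 22.
resource "google_compute_firewall" "collector_mirrored" {
  name          = "pcap-allow-mirrored"
  network       = data.google_compute_network.net.name
  direction     = "INGRESS"
  target_tags   = ["pcap-collector"]
  source_ranges = ["10.0.0.0/8"]   # assumed range of the mirrored traffic
  allow { protocol = "all" }
}

resource "google_compute_firewall" "collector_ssh_and_hc" {
  name          = "pcap-allow-hc-and-iap-ssh"
  network       = data.google_compute_network.net.name
  direction     = "INGRESS"
  target_tags   = ["pcap-collector"]
  source_ranges = ["35.191.0.0/16", "130.211.0.0/22", "35.235.240.0/20"]
  allow {
    protocol = "tcp"
    ports    = ["22"]
  }
}
```

The only coupling to the GKE workload is the tag list: the node pool's nodes must carry one of the `mirrored_tags` values or nothing is mirrored. Be deliberate about the `allow { protocol = "all" }` rule; it is scoped to the `pcap-collector` tag so it does not widen ingress to anything else in the VPC, but it should still be limited to the ranges you actually need to observe.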
Prerequisites:
- Terraform v0.15.1 [2]. For easy switching between Terraform versions, use tfenv [3].
- Google Cloud SDK (gcloud CLI) [4]
Usage:
- Set up Google credentials:

      gcloud auth application-default login

- If required, switch to Terraform v0.15.1:

      tfenv install 0.15.1 && tfenv use 0.15.1

- Initialize Terraform, using the default local state:

      terraform init

- Make a copy of the variables input file:

      cp terraform.tfvars.sample terraform.tfvars

- Edit terraform.tfvars to reflect the values for your environment, also overriding any default values you would like to change from those declared in the variable definitions file.
- Run the plan:

      terraform plan -out tf.plan

- If everything looks good, apply it:

      terraform apply tf.plan
- Connect to the VM to run tcpdump, via

      gcloud compute ssh pcap-vm --tunnel-through-iap

  Here is a good guide to filtering traffic with tcpdump options [5].
- Run tcpdump as a daemon
- Write pcap file to GCS
- SSH via IAP configuration
- [1] Google Cloud Packet Mirroring
- [2] Terraform
- [3] tfenv
- [4] Google Cloud SDK
- [5] tcpdump