About GCP Shielded VM
F5 GCP Shielded VM refers to deploying an F5 BIG-IP VM on Google Cloud Platform (GCP) as a Shielded VM. The F5 load balancer runs on a hardened virtual machine that uses the security features of GCP's Shielded VM offering, Secure Boot, a virtual TPM (vTPM), and integrity monitoring, for protection against potential malware and unauthorized access.
Prerequisites
- An active Google Cloud account with authorization to use the Google Cloud CLI. For more information, see gcloud auth.
- The gsutil or gcloud CLI initialized. For more information, see gsutil tool.
- The Shielded VM feature enabled in gcloud. For more information, see Enable Shielded VM options.
- From MyF5 Downloads, download the release-specific compressed boot VM disk image files in gce.tar.gz format. For example:
  - BIGIP-bigip17.5.x-<build>LTM-gce.tar.gz
  - BIGIP-bigip17.5.x-<build>LTM_1SLOT-gce.tar.gz
  - BIGIP-bigip17.5.x-<build>ALL_1SLOT-gce.tar.gz
  - BIGIP-bigip17.5.x-<build>ALL-gce.tar.gz
- From MyF5 Downloads, download the public keys file gcpShieldedVM_publicKeys.tar.gz.
Procedure
Log in to gcloud using the following command:
gcloud auth login
Upload the downloaded VM disk image to your Cloud Storage bucket using the following command:
gsutil cp "$gcpdisk_filename" "gs://$gce_project/$gcpdisk_filename"
Create the GCP image using the following command. The key files (pk-der, kek-der, db-der) and certificates come from the gcpShieldedVM_publicKeys.tar.gz file; they are enrolled as the Secure Boot platform key, key exchange key, and signature database of the image:
gcloud compute images create "$image_name" \
    --family f5-networks \
    --description "$rel_des" \
    --source-uri "gs://$gce_project/$gcpdisk_filename" \
    --platform-key-file=pk-der \
    --key-exchange-key-file=MicWinProPCA.crt,kek-der \
    --signature-database-file=MicCorKEKCA.crt,MicCorUEFCA.crt,db-der \
    --guest-os-features="UEFI_COMPATIBLE"
Create a Shielded VM enabled instance from the new GCP image. For more information, see Enable Shielded VM options.
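Once the instance exists, a practitioner will want to confirm that Secure Boot, vTPM, and integrity monitoring are really enabled on it rather than assume the image took care of it. The following script is an added example, not part of F5's documentation or script; it reads the three shieldedInstanceConfig fields through gcloud's standard value() format, and the instance name and zone are caller-supplied assumptions.

```shell
#!/bin/bash
# Added example (not F5's code): verify the Shielded VM settings of a running
# instance created from the shielded image.

# Evaluates one comma-separated line "<secureBoot>,<vtpm>,<integrityMonitoring>"
# as printed by gcloud's value() format (True/False). Returns 0 only when all
# three are True and names every feature that is off so it can be fixed.
check_shielded_flags() {
    failed=0
    IFS=, read -r secure_boot vtpm integrity <<EOF
$1
EOF
    [ "$secure_boot" = "True" ] || { echo "Secure Boot is disabled"; failed=1; }
    [ "$vtpm" = "True" ]        || { echo "vTPM is disabled"; failed=1; }
    [ "$integrity" = "True" ]   || { echo "Integrity monitoring is disabled"; failed=1; }
    return "$failed"
}

# Queries a live instance (instance name and zone are supplied by the caller)
# and passes the three shieldedInstanceConfig fields to check_shielded_flags.
check_shielded_instance() {
    flags=$(gcloud compute instances describe "$1" --zone "$2" \
        --format='value[separator=","](shieldedInstanceConfig.enableSecureBoot,shieldedInstanceConfig.enableVtpm,shieldedInstanceConfig.enableIntegrityMonitoring)')
    check_shielded_flags "$flags"
}

# Constructed sample outputs (not captured from a real project) so the check
# runs without a GCP account. The empty line models an instance that was not
# created with Shielded VM options at all.
SAMPLE_COMPLETE="True,True,True"
SAMPLE_NO_VTPM="True,False,True"
SAMPLE_UNSHIELDED=""

check_shielded_flags "$SAMPLE_COMPLETE" && echo "sample 1: shielded configuration complete"
check_shielded_flags "$SAMPLE_NO_VTPM" || echo "sample 2: stop the instance and enable the missing option before use"
check_shielded_flags "$SAMPLE_UNSHIELDED" || echo "sample 3: recreate the instance with Shielded VM options"
```

Run check_shielded_instance <instance> <zone> against a real instance; a non-zero exit means at least one protection the image was built for is not active.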
Example Shell Script to Create GCP Shielded Image
Here is an example shell script to create a GCP shielded image:
#!/bin/bash
################################################################################
# Use this script to create a GCE image, specifically a GCP Shielded VM image.
#
# Prerequisite: the GCP disk image (gce.tar.gz format) must be available
# locally. Download it from downloads.f5.com.
#
# Usage:
#   ./gcp_image_generator.sh <gcpdisk_filename> <release_description> <gce_project> \
#       <gce account json file> <gce_json to redirect output info> <license file with path>
################################################################################
set -e

# Copy the local disk image into the project's Cloud Storage bucket.
function upload_disk() {
    echo "Upload disk started"
    gsutil cp "$gcpdisk_filename" "gs://$gce_project/$gcpdisk_filename"
    echo "Upload disk completed"
}

# Create the image from the uploaded disk, enrolling the Secure Boot keys
# (PK, KEK, db) shipped in gcpShieldedVM_publicKeys.tar.gz.
function create_gce_image() {
    echo "Image creation started"
    gcloud compute images create "$image_name" \
        --family f5-networks \
        --description "$rel_des" \
        --source-uri "gs://$gce_project/$gcpdisk_filename" \
        --platform-key-file=pk-der \
        --key-exchange-key-file=MicWinProPCA.crt,kek-der \
        --signature-database-file=MicCorKEKCA.crt,MicCorUEFCA.crt,db-der \
        --guest-os-features="UEFI_COMPATIBLE" \
        --licenses "$license_name_path"
    echo "Image creation ended"
}

# Remove the uploaded disk from the bucket once the image exists.
function delete_disk() {
    echo "Disk deletion is in process..."
    gsutil rm -f -a "gs://$gce_project/$gcpdisk_filename"
    echo "Disk deletion completed"
}

# Authenticate with the service account key and select the target project.
function setup_gcloud_account() {
    echo "Import account settings"
    gcloud auth activate-service-account --key-file="$gce_account_file"
    gcloud config set project "$gce_project"
    echo "Verifying the account details"
    gcloud config list account | grep account > account.list
    cat account.list
    gcloud config list project | grep project > project.list
    cat project.list
}

function main() {
    if [ "$#" -ne 6 ]; then
        echo "Usage: $0 <gcpdisk_filename> <release_description> <gce_project> <gce account json file> <gce_json to redirect output info> <license file with path>" >&2
        exit 1
    fi
    gcpdisk_filename=$1
    rel_des=$2
    gce_project=$3
    gce_account_file=$4
    gce_json=$5
    license_name_path=$6
    epoch_time=$(date +%s)
    # The image name must not be longer than 62 characters; tune image_name
    # accordingly if the release description is long. Dots and plus signs are
    # replaced with hyphens and the result is lowercased to satisfy GCE naming.
    image_name=$(echo "$rel_des-$epoch_time" | sed -e 's/\./-/g' -e 's/+/-/g' -e 's/\(.*\)/\L\1/')
    setup_gcloud_account
    upload_disk
    create_gce_image
    delete_disk
    # Record the generated image name for downstream automation.
    echo "$image_name" >> "$gce_json"
}

main "$@"