GCE - Dumbo

Overview

| Attribute | Value |
|---|---|
| Provider | Google Cloud (GCE) |
| Zone | us-central1-a |
| Instance Type | e2-medium |
| Internal IP | 10.1.0.110 |
| Static IP | 34.44.33.3 |
| Purpose | General workloads |
| Trust Level | ✅ Trusted |

Access

SSH

# Via SSH config alias (recommended)
ssh joe@dumbo

# Direct via public IP
ssh joe@34.44.33.3

# Via ZeroTier
ssh joe@192.168.194.x

Emergency Access (IAP)

If SSH is unreachable:

# SSH through IAP tunnel
gcloud compute ssh dumbo --zone=us-central1-a --tunnel-through-iap

See Emergency Access for details.

Network

| Attribute | Value |
|---|---|
| VPC | 10.1.0.0/16 |
| Subnet | 10.1.0.0/24 |
| Firewall | SSH (22), ZeroTier (9993/UDP), IAP (35.235.240.0/20) |
| Network Tag | iap-ssh |
| ZeroTier | 192.168.194.x |

Static IP

Protected Resource

The static IP (34.44.33.3) is protected and managed separately from instance Terraform.

| Attribute | Value |
|---|---|
| IP Address | 34.44.33.3 |
| Name | threefour |
| Region | us-central1 |

Services

| Service | Status | Notes |
|---|---|---|
| ZeroTier | ✅ Running | Network 6ab565387a4b9177 |
| fail2ban | ✅ Running | sshd jail active |
| cf-ddns | ✅ Running | Updates every 5 min |
| cloud-sql-proxy | ✅ Running | PostgreSQL on localhost:5432 |

Cloud SQL Access

Dumbo runs the Cloud SQL Auth Proxy, which provides access to scandora-postgres:

# Connect to Cloud SQL PostgreSQL
psql -h 127.0.0.1 -U joe -d dataeng

# Proxy status
systemctl status cloud-sql-proxy

# Proxy logs
journalctl -u cloud-sql-proxy -f

See Cloud SQL (PostgreSQL) for details.

1Password Access

Dumbo has 1Password service account access:

export OP_SERVICE_ACCOUNT_TOKEN=$(sudo cat /etc/op-service-account.token)
op item get "Item Name" --vault scandora.net --fields credential

Dynamic DNS

| Record | Type | Updated By |
|---|---|---|
| dumbo.scandora.net | A | cf-ddns.sh |

Script location: /usr/local/bin/cf-ddns.sh
Config: /usr/local/etc/cf-ddns.conf
Schedule: 2-59/5 * * * *

Terraform

# Directory
cd cloud/terraform/environments/production/gce/dumbo

# Plan changes
terraform plan -target=google_compute_instance.dumbo

# Apply
terraform apply -target=google_compute_instance.dumbo

Ansible

# Full deployment
ansible-playbook -i inventory/production.yml playbooks/site.yml --limit dumbo

# Base only
ansible-playbook -i inventory/production.yml playbooks/base.yml --limit dumbo

IAP Configuration

Dumbo is configured for IAP SSH access:

Firewall Rule

Name: allow-iap-ssh
Source: 35.235.240.0/20
Target tags: iap-ssh
Ports: tcp:22

Instance Tag

The instance carries the iap-ssh network tag, so the allow-iap-ssh firewall rule applies to it.
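
A drift check for the rule and tag described above, as an added example that is not part of this repository. It assumes the two dicts are loaded from `gcloud compute firewall-rules describe allow-iap-ssh --format=json` and `gcloud compute instances describe dumbo --zone=us-central1-a --format=json`; the function name and the sample data are constructed for illustration.

```python
import ipaddress

IAP_RANGE = ipaddress.ip_network("35.235.240.0/20")  # IAP source range from this page
TAG = "iap-ssh"                                       # network tag from this page

def audit_iap_ssh(rule, instance):
    """Return a list of findings; an empty list means rule and instance match the doc."""
    findings = []
    if rule.get("direction", "INGRESS") != "INGRESS":
        findings.append("rule is not INGRESS")
    if rule.get("disabled"):
        findings.append("rule is disabled")
    sources = rule.get("sourceRanges", [])
    if not sources:
        findings.append("rule has no sourceRanges")
    for src in sources:
        net = ipaddress.ip_network(src, strict=False)
        # subnet_of() raises on mixed IP versions, so check the version first.
        if net.version != 4 or not net.subnet_of(IAP_RANGE):
            findings.append(f"source {src} is outside {IAP_RANGE}")
    for entry in rule.get("allowed", []):
        proto, ports = entry.get("IPProtocol"), entry.get("ports")
        # A missing "ports" list means every port of that protocol is allowed.
        if proto != "tcp" or ports != ["22"]:
            shown = ",".join(ports) if ports else "all"
            findings.append(f"allows {proto}:{shown}, expected tcp:22")
    if rule.get("targetTags", []) != [TAG]:
        findings.append(f"targetTags {rule.get('targetTags', [])} != ['{TAG}']")
    if TAG not in instance.get("tags", {}).get("items", []):
        findings.append(f"instance {instance.get('name')} lacks the {TAG} tag")
    return findings

# Constructed samples shaped like the gcloud JSON output (not real exports).
GOOD_RULE = {"name": "allow-iap-ssh", "direction": "INGRESS",
             "sourceRanges": ["35.235.240.0/20"],
             "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}], "targetTags": ["iap-ssh"]}
DRIFTED_RULE = dict(GOOD_RULE, sourceRanges=["35.235.240.0/20", "0.0.0.0/0"],
                    allowed=[{"IPProtocol": "tcp", "ports": ["22", "3389"]}], targetTags=[])
TAGGED = {"name": "dumbo", "tags": {"items": ["iap-ssh"]}}
UNTAGGED = {"name": "dumbo", "tags": {}}

if __name__ == "__main__":
    print("documented state:", audit_iap_ssh(GOOD_RULE, TAGGED) or "OK")
    print("drifted state:", audit_iap_ssh(DRIFTED_RULE, UNTAGGED))
```

An empty `targetTags` list is flagged because a rule without target tags applies to every instance in the network, not only the tagged one.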


Bogart (PowerDNS)

Bogart is another GCE instance dedicated to PowerDNS:

| Attribute | Value |
|---|---|
| Zone | us-west1-? |
| Instance Type | e2-micro |
| Internal IP | 10.10.10.10 |
| Static IP | 35.209.219.216 |
| Purpose | PowerDNS server |
| Trust Level | ⚠️ Untrusted |

Untrusted Host

Bogart is classified as untrusted. No secrets should be stored there.

Performance Note

The e2-micro instance is under-powered for PowerDNS workloads. SSH and API calls are noticeably slow. Consider:

  • Upgrading instance type
  • Optimizing PostgreSQL configuration
  • Optimizing PowerDNS configuration

Access

# SSH
ssh joe@bogart
ssh joe@35.209.219.216

# PowerDNS API
curl -H "X-API-Key: $KEY" http://10.10.10.10:8081/api/v1/servers/localhost/zones