
NOAA Fisheries Cloud Network Changes

Deploying an instance of VIAME-Web requires several configuration changes within your GCP project. These changes can be requested by submitting a System Change Request (SCR).

  • To access this web service, the SSH server's configuration (file: /etc/ssh/sshd_config) needs to include AllowTCPForwarding=yes. However, this setting is governed by a security baseline, specifically "CIS Benchmarks for Ubuntu Linux 20.04 LTS v1.1.0" Server Level 2 - 5.3.20 "Ensure SSH AllowTcpForwarding is disabled". This config change must therefore be approved by the NMFS Change Control Board (CCB) on a per-instance basis. The viame-web-noaa-gcp install scripts change this setting as necessary when the machines are being provisioned, so you only need to follow the deployment instructions once you have received approval to use this setting.

  • If you are splitting services between a web and a worker node, you must allow communication between these VMs. In GCP, networks are software defined, so all traffic is blocked unless a VPC firewall rule is created to allow it, even between VMs on the same subnet. For split services, traffic on ports 8010 (web traffic) and 5672 (RabbitMQ) within the subnet must therefore be explicitly allowed between the web and worker nodes. In your SCR, ask the network team to add a tag that allows traffic on these ports for the IP addresses in your subnet. Apply this network tag to your web and worker VMs.

  • Private Google Access must be enabled within the project to allow communication between the VM and buckets (appropriate service account permissions are also required). This should now be turned on by default for every project. You can confirm that Private Google Access is enabled for your subnet by following these instructions.
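
A check for the split web/worker firewall requirement above, as an added example that is not part of the viame-web-noaa-gcp scripts: it reads rules in the JSON shape printed by `gcloud compute firewall-rules list --format=json` and reports which of ports 8010 and 5672 are still closed to the tagged VMs. The tag name `viame-internal`, the subnet `10.0.0.0/24` and the sample rules are constructed assumptions; deny rules and rule priorities are not evaluated.

```python
import ipaddress
import json

REQUIRED_PORTS = {8010, 5672}  # web traffic and RabbitMQ, as listed on this page

def tcp_ports(rule):
    """TCP ports an allow rule opens; None means every port."""
    ports = set()
    for entry in rule.get("allowed", []):
        if entry.get("IPProtocol") not in ("tcp", "all"):
            continue
        if not entry.get("ports"):
            return None  # protocol allowed without a port list
        for spec in entry["ports"]:
            lo, _, hi = spec.partition("-")  # "8010" or "5671-5672"
            ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def covers(subnet, ranges):
    """True if any source range contains the whole subnet."""
    for r in ranges:
        src = ipaddress.ip_network(r, strict=False)
        if src.version == subnet.version and subnet.subnet_of(src):
            return True
    return False

def missing_ports(rules, tag, subnet_cidr):
    """Required ports not yet allowed into VMs carrying `tag`."""
    subnet = ipaddress.ip_network(subnet_cidr)
    opened = set()
    for rule in rules:
        if rule.get("direction") != "INGRESS" or rule.get("disabled"):
            continue
        if tag not in rule.get("targetTags", []):
            continue  # only rules scoped to the network tag are counted
        from_tag = tag in rule.get("sourceTags", [])
        if not (from_tag or covers(subnet, rule.get("sourceRanges", []))):
            continue
        ports = tcp_ports(rule)
        if ports is None:
            return set()
        opened |= ports
    return REQUIRED_PORTS - opened

# Constructed sample: 8010 is open, the 5672 rule exists but is disabled.
SAMPLE_RULES = json.loads("""[
  {"name": "example-web", "direction": "INGRESS", "targetTags": ["viame-internal"],
   "sourceRanges": ["10.0.0.0/24"], "allowed": [{"IPProtocol": "tcp", "ports": ["8010"]}]},
  {"name": "example-mq", "direction": "INGRESS", "disabled": true, "targetTags": ["viame-internal"],
   "sourceRanges": ["10.0.0.0/24"], "allowed": [{"IPProtocol": "tcp", "ports": ["5672"]}]}
]""")
```

An empty result from `missing_ports` means both ports are allowed; a VM that does not carry the tag gets both ports reported as missing.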