Installing FreeSwitch on GCP with public and private VMs behind load balancer and NAT

freeswitch-gcp-nat-test.sh

#!/usr/bin/env bash

export PROJECT_ID=$(gcloud config get-value project)
export PROJECT_USER=$(gcloud config get-value core/account) # set current user
export PROJECT_NUMBER=$(gcloud projects describe $PROJECT_ID --format="value(projectNumber)")
export IDNS=${PROJECT_ID}.svc.id.goog # workflow identity domain

export GCP_REGION="us-west4"
export GCP_ZONE="us-west4-a"
export NETWORK_NAME="default"

export CLOUD_ROUTER_NAME="fs-router-1"
export CLOUD_ROUTER_ASN="64523"
export NAT_GW_NAME="fs-nat-1"

# enable apis
gcloud services enable compute.googleapis.com \
    iap.googleapis.com

# create compute instance
gcloud compute instances create freeswitch-test \
    --image-family debian-10 \
    --image-project debian-cloud \
    --tags=freeswitch

# create firewall rules
export FW_PORTS="UDP:1719,TCP:1720,TCP:2855-2856,UDP:3478-3479,TCP:5002-5003,UDP:5060,TCP:5060,UDP:5070,TCP:5070,UDP:5080,TCP:5080,UDP:16384-32768,TCP:5066,TCP:7443,TCP:8081-8082"
gcloud compute firewall-rules create freeswitch-policy \
    --allow $FW_PORTS \
    --source-ranges=0.0.0.0/0 \
    --target-tags=freeswitch

# create static IP and target pool / fwd rules
gcloud compute addresses create freeswitch-ip --region $GCP_REGION
gcloud compute target-pools create freeswitch --region $GCP_REGION
gcloud compute target-pools add-instances freeswitch \
    --instances freeswitch-test \
    --instances-zone $GCP_ZONE
gcloud compute forwarding-rules create freeswitch-forwarding \
    --address freeswitch-ip \
    --region $GCP_REGION \
    --target-pool freeswitch


###########################################
# ----------- NAT TEST -------------
###########################################

gcloud config set compute/region $GCP_REGION
gcloud config set compute/zone $GCP_ZONE

# grant SSH access
gcloud compute firewall-rules create allow-ssh-ingress-from-iap \
    --direction=INGRESS \
    --action=allow \
    --rules=tcp:22 \
    --source-ranges=35.235.240.0/20

# grant user tunneling (one for each user or group [preferred])
gcloud projects add-iam-policy-binding $PROJECT_ID \
    --member=user:$PROJECT_USER \
    --role=roles/iap.tunnelResourceAccessor

# create cloud router and nat gateway
gcloud compute routers create $CLOUD_ROUTER_NAME \
    --network $NETWORK_NAME \
    --asn $CLOUD_ROUTER_ASN \
    --region $GCP_REGION

gcloud compute routers nats create $NAT_GW_NAME \
    --router=$CLOUD_ROUTER_NAME \
    --region=$GCP_REGION \
    --auto-allocate-nat-external-ips \
    --nat-all-subnet-ip-ranges \
    --enable-logging

# create second test VM
gcloud compute instances create freeswitch-private \
    --image-family debian-10 \
    --image-project debian-cloud \
    --no-address \
    --tags=freeswitch

# add private VM (no external IP) to target pool
gcloud compute target-pools add-instances freeswitch \
    --instances freeswitch-test,freeswitch-private \
    --instances-zone $GCP_ZONE

# IAP tunnel SSH into private VM
gcloud compute ssh freeswitch-private \
    --zone $GCP_ZONE \
    --tunnel-through-iap

# install freeswitch (using sudo for commands)
# https://freeswitch.org/confluence/display/FREESWITCH/Debian+10+Buster 

First test worked with basic VM and external IP

Second test worked with private VM and NAT gateway

Logged into VM using IAP tunnel and local terminal instead of cloud shell/SSH in console

Installed dependencies

Installed FreeSwitch (it auto-detected NAT)

CLI access success!