GCP Cloud Infrastructure — Deployment Guide¶
gpus-infra | Google Cloud Platform | us-central1 | Terraform¶
Project: gpus-infra (Project ID: gpus-infra)
Organization: greenpeace.us (Org ID: 229947811160)
Billing Account: 01FBB7-BDDEDF-BF8810
Region: us-central1 (Iowa — 100% renewable energy)
VPC CIDR: 172.16.0.0/24
On-Prem Peer: 38.140.146.68 (WDC Meraki MX100)
On-Prem Subnets: 192.168.120.0/23 (production) · 192.168.124.0/24 (management)
IaC: Terraform · State in GCS bucket
Services: Cloud VPN · Cloud Run (MkDocs + Status + Security) · Cloud Storage · Cloud DNS · Compute Engine (OAK/MAPLE/CEDAR) · Cloud NAT
Admin: rajesh.chhetry@greenpeace.us
Document Version: v2.3 — 2026-03-24
Classification: CONFIDENTIAL — Internal Use Only
Architecture Overview¶
                    INTERNET
                        │
               ┌────────┴────────┐
               │                 │
         38.140.146.68    GCP VPN Gateway
       WDC Meraki MX100   130.211.194.72
               │                 │
               │  IPSec Tunnel   │
               │      IKEv2      │
               │   AES-256-GCM   │
               │                 │
┌──────────────┴─────┐  ┌────────┴──────────────────────────┐
│ ON-PREM (WDC)      │  │ GCP VPC: 172.16.0.0/24            │
│                    │  │                                   │
│ 192.168.120.0/23   │  │ Compute Engine (us-central1-a)    │
│ ├── SKY   .120.1   │  │ ├── OAK   172.16.0.10 (Scanner)   │
│ ├── RAIN  .120.2   │  │ ├── MAPLE 172.16.0.12 (Monitor)   │
│ ├── SUN   .120.3   │  │ └── CEDAR 172.16.0.13 (Logging)   │
│ └── WIND  .120.4   │  │                                   │
│                    │  │ Cloud Run                         │
│ 192.168.124.0/24   │  │ ├── MkDocs Portal                 │
│ (management)       │  │ ├── Status Site                   │
│                    │  │ └── Security Site                 │
│ 192.168.122.0/24   │  │                                   │
│ (security)         │  │ Cloud Storage (GCS)               │
└────────────────────┘  │ ├── gpus-infra-backups-wdc        │
                        │ └── gpus-infra-tf-state           │
                        │                                   │
                        │ Cloud NAT: gpus-nat               │
                        └───────────────────────────────────┘
1. Prerequisites¶
Completed before starting this guide.
| Requirement | Status |
|---|---|
| GCP Organization: greenpeace.us | ✅ Org ID: 229947811160 |
| GCP Account: rajesh.chhetry@greenpeace.us | ✅ Authenticated |
| Billing Account linked | ✅ 01FBB7-BDDEDF-BF8810 |
| gcloud CLI installed | ✅ |
| terraform CLI installed | ✅ |
| Project gpus-infra created | ✅ |
| APIs enabled | ✅ compute, run, dns, storage, cloudbuild, artifactregistry, servicenetworking |
2. GCP Project Setup¶
2.1 Create Project and Link Billing¶
# Authenticate
gcloud auth login
# Verify account
gcloud auth list
# ACTIVE: rajesh.chhetry@greenpeace.us
# Check org and billing
gcloud organizations list
# greenpeace.us 229947811160
gcloud billing accounts list
# 01FBB7-BDDEDF-BF8810 My Billing Account True
# Create project
gcloud projects create gpus-infra \
--name="GPUS IT Infrastructure" \
--organization=229947811160
# Link billing
gcloud billing projects link gpus-infra \
--billing-account=01FBB7-BDDEDF-BF8810
# Set active project
gcloud config set project gpus-infra
2.2 Enable Required APIs¶
gcloud services enable \
compute.googleapis.com \
run.googleapis.com \
dns.googleapis.com \
storage.googleapis.com \
cloudbuild.googleapis.com \
artifactregistry.googleapis.com \
servicenetworking.googleapis.com
2.3 Authenticate Terraform¶
# Create Application Default Credentials for Terraform
gcloud auth application-default login
# Set quota project
gcloud auth application-default set-quota-project gpus-infra
3. Terraform Project Structure¶
~/terraform/gpus-infra/terraform/
├── main.tf # Provider, backend, project data
├── vpc.tf # VPC network, subnet, firewall rules
├── vpn.tf # Cloud VPN gateway, tunnel, router
├── cloud-run.tf # MkDocs portal + Status site
├── storage.tf # GCS buckets for backups + Terraform state
├── dns.tf # Cloud DNS managed zone
├── variables.tf # All input variables
├── terraform.tfvars # Variable values (DO NOT commit)
├── outputs.tf # Output values (IPs, URLs)
└── terraform.tfstate # (auto-generated, stored in GCS after bootstrap)
3.1 Initialize Terraform Directory¶
3.2 variables.tf¶
# ═══════════════════════════════════════════════════════════
# variables.tf — GPUS IT Infrastructure
# ═══════════════════════════════════════════════════════════
variable "project_id" {
description = "GCP project ID"
type = string
default = "gpus-infra"
}
variable "region" {
description = "GCP region — us-central1 (Iowa)"
type = string
default = "us-central1"
}
variable "zone" {
description = "GCP zone"
type = string
default = "us-central1-a"
}
variable "vpc_cidr" {
description = "VPC subnet CIDR"
type = string
default = "172.16.0.0/24"
}
variable "onprem_public_ip" {
description = "WDC public IP (Meraki MX100)"
type = string
default = "38.140.146.68"
}
variable "onprem_subnets" {
description = "On-prem subnets to route through VPN"
type = list(string)
default = ["192.168.120.0/23", "192.168.124.0/24"]
}
variable "vpn_shared_secret" {
description = "Pre-shared key for IPSec tunnel — generate with: openssl rand -base64 32"
type = string
sensitive = true
}
variable "domain_name" {
description = "Public DNS domain for Cloud Run services"
type = string
default = "infra.greenpeace.us"
}
3.3 main.tf¶
# ═══════════════════════════════════════════════════════════
# main.tf — GPUS IT Infrastructure
# Provider, backend, project reference
# ═══════════════════════════════════════════════════════════
terraform {
required_version = ">= 1.5"
required_providers {
google = {
source = "hashicorp/google"
version = "~> 5.0"
}
}
# After bootstrap: uncomment to store state in GCS
# backend "gcs" {
# bucket = "gpus-infra-tf-state"
# prefix = "terraform/state"
# }
}
provider "google" {
project = var.project_id
region = var.region
}
# Project data
data "google_project" "project" {
project_id = var.project_id
}
3.4 vpc.tf¶
# ═══════════════════════════════════════════════════════════
# vpc.tf — VPC Network, Subnet, Firewall Rules
# ═══════════════════════════════════════════════════════════
# VPC Network
resource "google_compute_network" "gpus_vpc" {
name = "gpus-vpc"
auto_create_subnetworks = false
description = "GPUS infrastructure VPC — connects to WDC via Cloud VPN"
}
# Subnet — 172.16.0.0/24 in us-central1
resource "google_compute_subnetwork" "gpus_subnet" {
name = "gpus-subnet-east4"
ip_cidr_range = var.vpc_cidr
region = var.region
network = google_compute_network.gpus_vpc.id
private_ip_google_access = true
log_config {
aggregation_interval = "INTERVAL_5_SEC"
flow_sampling = 0.5
metadata = "INCLUDE_ALL_METADATA"
}
}
# ── Firewall Rules ──────────────────────────────────────
# Allow VPN traffic from on-prem
resource "google_compute_firewall" "allow_onprem" {
name = "allow-onprem-via-vpn"
network = google_compute_network.gpus_vpc.id
allow {
protocol = "icmp"
}
allow {
protocol = "tcp"
ports = ["22", "443", "8080"]
}
source_ranges = var.onprem_subnets
description = "Allow traffic from WDC on-prem subnets through Cloud VPN"
}
# Allow internal VPC traffic
resource "google_compute_firewall" "allow_internal" {
name = "allow-internal"
network = google_compute_network.gpus_vpc.id
allow {
protocol = "tcp"
ports = ["0-65535"]
}
allow {
protocol = "udp"
ports = ["0-65535"]
}
allow {
protocol = "icmp"
}
source_ranges = [var.vpc_cidr]
description = "Allow all internal VPC traffic"
}
# Deny all ingress by default (implicit, but explicit for documentation)
resource "google_compute_firewall" "deny_all_ingress" {
name = "deny-all-ingress"
network = google_compute_network.gpus_vpc.id
priority = 65534
deny {
protocol = "all"
}
source_ranges = ["0.0.0.0/0"]
description = "Default deny all ingress — explicit for audit trail"
}
3.5 vpn.tf¶
# ═══════════════════════════════════════════════════════════
# vpn.tf — Cloud VPN (Classic) to WDC Meraki MX100
# IPSec tunnel: GCP ↔ 38.140.146.68
# ═══════════════════════════════════════════════════════════
# Static external IP for VPN gateway
resource "google_compute_address" "vpn_ip" {
name = "gpus-vpn-ip"
region = var.region
}
# VPN Gateway
resource "google_compute_vpn_gateway" "vpn_gw" {
name = "gpus-vpn-gateway"
network = google_compute_network.gpus_vpc.id
region = var.region
}
# Forwarding rules for IPSec protocols
resource "google_compute_forwarding_rule" "vpn_esp" {
name = "gpus-vpn-esp"
region = var.region
ip_protocol = "ESP"
ip_address = google_compute_address.vpn_ip.address
target = google_compute_vpn_gateway.vpn_gw.id
}
resource "google_compute_forwarding_rule" "vpn_udp500" {
name = "gpus-vpn-udp500"
region = var.region
ip_protocol = "UDP"
port_range = "500"
ip_address = google_compute_address.vpn_ip.address
target = google_compute_vpn_gateway.vpn_gw.id
}
resource "google_compute_forwarding_rule" "vpn_udp4500" {
name = "gpus-vpn-udp4500"
region = var.region
ip_protocol = "UDP"
port_range = "4500"
ip_address = google_compute_address.vpn_ip.address
target = google_compute_vpn_gateway.vpn_gw.id
}
# VPN Tunnel to WDC
resource "google_compute_vpn_tunnel" "wdc_tunnel" {
name = "gpus-vpn-tunnel-wdc"
region = var.region
target_vpn_gateway = google_compute_vpn_gateway.vpn_gw.id
peer_ip = var.onprem_public_ip
shared_secret = var.vpn_shared_secret
ike_version = 2
local_traffic_selector = [var.vpc_cidr]
remote_traffic_selector = var.onprem_subnets
depends_on = [
google_compute_forwarding_rule.vpn_esp,
google_compute_forwarding_rule.vpn_udp500,
google_compute_forwarding_rule.vpn_udp4500,
]
}
# Static routes for on-prem subnets through VPN tunnel
resource "google_compute_route" "onprem_prod" {
name = "route-onprem-prod"
network = google_compute_network.gpus_vpc.id
dest_range = "192.168.120.0/23"
next_hop_vpn_tunnel = google_compute_vpn_tunnel.wdc_tunnel.id
priority = 1000
}
resource "google_compute_route" "onprem_mgmt" {
name = "route-onprem-mgmt"
network = google_compute_network.gpus_vpc.id
dest_range = "192.168.124.0/24"
next_hop_vpn_tunnel = google_compute_vpn_tunnel.wdc_tunnel.id
priority = 1000
}
3.6 storage.tf¶
# ═══════════════════════════════════════════════════════════
# storage.tf — GCS Buckets
# ═══════════════════════════════════════════════════════════
# Terraform state bucket (create first, then enable backend)
resource "google_storage_bucket" "tf_state" {
name = "gpus-infra-tf-state"
location = var.region
force_destroy = false
versioning {
enabled = true
}
uniform_bucket_level_access = true
lifecycle_rule {
condition {
num_newer_versions = 5
}
action {
type = "Delete"
}
}
}
# Backup bucket — receives encrypted backups from on-prem via VPN
resource "google_storage_bucket" "backups" {
name = "gpus-infra-backups-wdc"
location = var.region
force_destroy = false
storage_class = "NEARLINE"
versioning {
enabled = true
}
uniform_bucket_level_access = true
lifecycle_rule {
condition {
age = 90
}
action {
type = "Delete"
}
}
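# No encryption block: the bucket uses Google-managed encryption by default.
# default_kms_key_name is a required argument of the encryption block, so the
# block is declared only when a Cloud KMS key is supplied.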
}
3.7 cloud-run.tf¶
# ═══════════════════════════════════════════════════════════
# cloud-run.tf — MkDocs Portal + Status Site
# Scales to zero, HTTPS automatic, minimal cost
# ═══════════════════════════════════════════════════════════
# MkDocs Documentation Portal
resource "google_cloud_run_v2_service" "mkdocs" {
name = "gpus-mkdocs-portal"
location = var.region
template {
containers {
image = "us-central1-docker.pkg.dev/${var.project_id}/gpus-images/mkdocs:latest"
ports {
container_port = 8000
}
resources {
limits = {
cpu = "1"
memory = "512Mi"
}
}
}
scaling {
min_instance_count = 0
max_instance_count = 2
}
}
traffic {
percent = 100
type = "TRAFFIC_TARGET_ALLOCATION_TYPE_LATEST"
}
}
# Status Site / Executive Dashboard
resource "google_cloud_run_v2_service" "status_site" {
name = "gpus-status-site"
location = var.region
template {
containers {
image = "us-central1-docker.pkg.dev/${var.project_id}/gpus-images/status-site:latest"
ports {
container_port = 8080
}
resources {
limits = {
cpu = "1"
memory = "512Mi"
}
}
env {
name = "SKY_IP"
value = "192.168.120.1"
}
env {
name = "RAIN_IP"
value = "192.168.120.2"
}
env {
name = "SUN_IP"
value = "192.168.120.3"
}
env {
name = "WIND_IP"
value = "192.168.120.4"
}
}
scaling {
min_instance_count = 0
max_instance_count = 2
}
}
traffic {
percent = 100
type = "TRAFFIC_TARGET_ALLOCATION_TYPE_LATEST"
}
}
# Artifact Registry for container images
resource "google_artifact_registry_repository" "gpus_images" {
location = var.region
repository_id = "gpus-images"
format = "DOCKER"
description = "Container images for GPUS infrastructure services"
}
# Allow unauthenticated access to MkDocs portal
resource "google_cloud_run_v2_service_iam_member" "mkdocs_public" {
project = var.project_id
location = var.region
name = google_cloud_run_v2_service.mkdocs.name
role = "roles/run.invoker"
member = "allUsers"
}
# Status site — restrict to authenticated users only
resource "google_cloud_run_v2_service_iam_member" "status_auth" {
project = var.project_id
location = var.region
name = google_cloud_run_v2_service.status_site.name
role = "roles/run.invoker"
member = "domain:greenpeace.us"
}
3.8 dns.tf¶
# ═══════════════════════════════════════════════════════════
# dns.tf — Cloud DNS for public-facing services
# ═══════════════════════════════════════════════════════════
resource "google_dns_managed_zone" "infra_zone" {
name = "gpus-infra-zone"
dns_name = "${var.domain_name}."
description = "GPUS infrastructure public DNS zone"
dnssec_config {
state = "on"
}
}
# CNAME records will be added after Cloud Run URLs are known
# See outputs.tf for the Cloud Run URLs to map
3.9 outputs.tf¶
# ═══════════════════════════════════════════════════════════
# outputs.tf — Key values after apply
# ═══════════════════════════════════════════════════════════
output "vpn_gateway_ip" {
description = "GCP VPN gateway public IP — configure this on Meraki MX100"
value = google_compute_address.vpn_ip.address
}
output "vpc_subnet" {
description = "VPC subnet CIDR"
value = google_compute_subnetwork.gpus_subnet.ip_cidr_range
}
output "mkdocs_url" {
description = "MkDocs portal URL"
value = google_cloud_run_v2_service.mkdocs.uri
}
output "status_site_url" {
description = "Status site URL"
value = google_cloud_run_v2_service.status_site.uri
}
output "backup_bucket" {
description = "GCS backup bucket name"
value = google_storage_bucket.backups.name
}
output "tf_state_bucket" {
description = "Terraform state bucket"
value = google_storage_bucket.tf_state.name
}
output "artifact_registry" {
description = "Artifact Registry for container images"
value = "${var.region}-docker.pkg.dev/${var.project_id}/${google_artifact_registry_repository.gpus_images.repository_id}"
}
output "vpn_tunnel_status" {
description = "VPN tunnel name — check status with: gcloud compute vpn-tunnels describe gpus-vpn-tunnel-wdc --region=us-central1"
value = google_compute_vpn_tunnel.wdc_tunnel.name
}
3.10 terraform.tfvars¶
⚠️ DO NOT commit this file to Git — contains the VPN pre-shared key.
# ═══════════════════════════════════════════════════════════
# terraform.tfvars — Variable values for GPUS infrastructure
# WARNING: Contains secrets. Add to .gitignore
# ═══════════════════════════════════════════════════════════
project_id = "gpus-infra"
region = "us-central1"
zone = "us-central1-a"
vpc_cidr = "172.16.0.0/24"
onprem_public_ip = "38.140.146.68"
onprem_subnets = ["192.168.120.0/23", "192.168.124.0/24"]
domain_name = "infra.greenpeace.us"
# Generate with: openssl rand -base64 32
# Must match the PSK configured on Meraki MX100
vpn_shared_secret = "REPLACE_WITH_GENERATED_PSK"
4. Deployment Steps¶
4.1 Generate VPN Pre-Shared Key¶
Copy the output and paste it into terraform.tfvars as the vpn_shared_secret value. Save this key — you'll also need it when configuring the Meraki MX100.
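A pre-apply check for the warning in 3.10 and the step above, as an added example that is not part of the original guide: it confirms that terraform.tfvars is ignored by Git, that vpn_shared_secret is no longer the placeholder and is at least as long as the 44-character output of openssl rand -base64 32, and that only the owner can read the file. The name check_tfvars and the demo directory are assumptions.

```sh
#!/bin/sh
# Added example, not from the original guide. check_tfvars is a hypothetical helper.
# Usage: check_tfvars DIR   (DIR holds terraform.tfvars and .gitignore)
# Prints one line per finding; the exit status is the number of findings.
check_tfvars() {
    dir=$1
    file="$dir/terraform.tfvars"
    findings=0

    if [ ! -f "$file" ]; then
        echo "missing $file"
        return 1
    fi

    # 1. Section 3.10: the file must never reach Git.
    if ! grep -qxE '(\*|terraform)\.tfvars' "$dir/.gitignore" 2>/dev/null; then
        echo "terraform.tfvars is not listed in .gitignore"
        findings=$((findings + 1))
    fi

    # 2. The PSK must be set; openssl rand -base64 32 prints 44 characters.
    psk=$(sed -n 's/^[[:space:]]*vpn_shared_secret[[:space:]]*=[[:space:]]*"\(.*\)".*$/\1/p' "$file")
    case $psk in
        '' | REPLACE_WITH_GENERATED_PSK)
            echo "vpn_shared_secret is empty or still the placeholder"
            findings=$((findings + 1)) ;;
        *)
            if [ "${#psk}" -lt 44 ]; then
                echo "vpn_shared_secret is shorter than a 32-byte base64 key"
                findings=$((findings + 1))
            fi ;;
    esac

    # 3. Only the owner should be able to read the key file.
    mode=$(ls -ld "$file" | cut -c5-10)
    if [ "$mode" != "------" ]; then
        echo "terraform.tfvars is accessible to group or other (chmod 600)"
        findings=$((findings + 1))
    fi

    return "$findings"
}

# Constructed demo: the file as section 3.10 ships it, with no .gitignore.
demo=$(mktemp -d)
printf 'vpn_shared_secret = "REPLACE_WITH_GENERATED_PSK"\n' > "$demo/terraform.tfvars"
chmod 644 "$demo/terraform.tfvars"
check_tfvars "$demo" || echo "findings: $?"
rm -rf "$demo"
```

sensitive = true only redacts the value in CLI output; the key is still written in plaintext to Terraform state, so access to the gpus-infra-tf-state bucket needs the same care as the tfvars file.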
4.2 Initialize Terraform¶
4.3 Plan and Review¶
Review the output — it should show creation of: VPC, subnet, firewall rules, VPN gateway + tunnel + routes, Cloud Run services (2), GCS buckets (2), Artifact Registry, Cloud DNS zone.
4.4 Apply¶
4.5 Record Outputs¶
Deployed Output Values (2026-03-10)¶
| Output | Value |
|---|---|
| vpn_gateway_ip | 130.211.194.72 |
| vpc_subnet | 172.16.0.0/24 |
| mkdocs_url | https://gpus-mkdocs-portal-3tmz2tp2iq-uc.a.run.app |
| status_site_url | https://gpus-status-site-3tmz2tp2iq-uc.a.run.app |
| backup_bucket | gpus-infra-backups-wdc |
| tf_state_bucket | gpus-infra-tf-state |
| artifact_registry | us-central1-docker.pkg.dev/gpus-infra/gpus-images |
| VPN Tunnel Status | ESTABLISHED — verified 2026-03-10 |
Save the vpn_gateway_ip — this is the IP you'll configure on the Meraki MX100 as the VPN peer.
5. Post-Deployment — Meraki VPN Configuration¶
After Terraform creates the VPN gateway, configure the Meraki MX100 at WDC:
5.1 Meraki Dashboard → Security & SD-WAN → Site-to-site VPN¶
| Parameter | Value |
|---|---|
| Type | Non-Meraki VPN peer |
| Name | GCP-GPUS-Infra |
| Public IP | 130.211.194.72 |
| Local Networks | 192.168.120.0/23, 192.168.124.0/24 |
| Remote Networks | 172.16.0.0/24 |
| IPSec Policies | Custom (see below) |
| IKE Version | IKEv2 |
Phase 1: AES-256, SHA-256, DH Group 14, Lifetime 28800s
Phase 2: AES-256, SHA-256, PFS Group 14, Lifetime 3600s
5.2 Verify VPN Tunnel¶
# From your Mac
gcloud compute vpn-tunnels describe gpus-vpn-tunnel-wdc \
--region=us-central1 \
--format="value(status,detailedStatus)"
Expected: ESTABLISHED
6. Post-Deployment — Container Images¶
Cloud Run services won't start until container images are pushed.
6.1 Configure Docker for Artifact Registry¶
gcloud auth configure-docker us-central1-docker.pkg.dev
# NOTE: Docker is not installed locally. Use Cloud Build instead:
# gcloud builds submit --tag us-central1-docker.pkg.dev/gpus-infra/gpus-images/IMAGE:latest .
6.2 Build and Push MkDocs Image¶
cd ~/terraform/gpus-infra/mkdocs
# (Dockerfile and content created in MkDocs portal build step)
docker build -t us-central1-docker.pkg.dev/gpus-infra/gpus-images/mkdocs:latest .
docker push us-central1-docker.pkg.dev/gpus-infra/gpus-images/mkdocs:latest
# Update Cloud Run
gcloud run deploy gpus-mkdocs-portal \
--image=us-central1-docker.pkg.dev/gpus-infra/gpus-images/mkdocs:latest \
--region=us-central1
6.3 Build and Push Status Site Image¶
cd ~/terraform/gpus-infra/status-site
docker build -t us-central1-docker.pkg.dev/gpus-infra/gpus-images/status-site:latest .
docker push us-central1-docker.pkg.dev/gpus-infra/gpus-images/status-site:latest
gcloud run deploy gpus-status-site \
--image=us-central1-docker.pkg.dev/gpus-infra/gpus-images/status-site:latest \
--region=us-central1
7. Security Controls Mapping¶
| CIS Control | Implementation |
|---|---|
| CIS 3.11 — Data Encryption | Cloud VPN AES-256-GCM; GCS encryption at rest; HTTPS on Cloud Run |
| CIS 4.4 — Firewall | VPC firewall deny-all-ingress default; explicit rules for VPN + internal |
| CIS 8.3 — Log Storage | VPC Flow Logs enabled; Cloud Audit Logs automatic |
| CIS 11.1 — Data Recovery | GCS backup bucket with 90-day retention; versioning enabled |
| CIS 12.4 — Network Segmentation | Separate VPC (172.16.0.0/24); only VPN traffic from on-prem permitted |
| NIST SC-7 — Boundary Protection | VPN tunnel encrypted; no direct internet ingress to VPC resources |
| NIST SC-8 — Transmission Confidentiality | IKEv2 with AES-256-GCM, SHA-384, DH Group 20 |
| NIST CP-9 — Information System Backup | Offsite backups to GCS via encrypted VPN tunnel |
| PCI 1.2.1 — Restrict Inbound Traffic | VPC firewall default-deny; only VPN source ranges permitted |
| PCI 1.5.1 — Secure Remote Access | Cloud VPN IPSec; Cloud Run behind IAM for status site |
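Several rows of the mapping above can be spot-checked against the Terraform files before each apply. The lint below is an added example, not part of the original guide; lint_tf and sample_tf are hypothetical names, and the sample is constructed from resources in vpc.tf and cloud-run.tf. It flags roles granted to allUsers, images referenced by the mutable :latest tag, and firewall allow rules open to 0.0.0.0/0, while leaving the explicit deny rule alone.

```sh
#!/bin/sh
# Added example, not from the original guide. lint_tf is a hypothetical helper.
# Usage: lint_tf FILE...   (reads stdin when no file is given)
# Prints "<resource>: <finding>" for each setting worth reviewing.
lint_tf() {
    awk '
        # Report a firewall rule once its whole block has been read.
        function close_rule() {
            if (type == "google_compute_firewall" && allow && world)
                print res ": allow rule open to 0.0.0.0/0"
            allow = 0; world = 0
        }
        /^resource "/ {
            close_rule()
            type = $2; name = $3
            gsub(/"/, "", type); gsub(/"/, "", name)
            res = type "." name
        }
        /^[ \t]*allow[ \t]*[{]/ { allow = 1 }
        /source_ranges/ && index($0, "\"0.0.0.0/0\"") { world = 1 }
        /member[ \t]*=[ \t]*"allUsers"/ { print res ": granted to allUsers" }
        /image[ \t]*=.*:latest"/ { print res ": image uses mutable tag :latest" }
        END { close_rule() }
    ' "$@"
}

# Constructed sample: resources abridged from vpc.tf and cloud-run.tf.
sample_tf() {
    cat <<'EOF'
resource "google_compute_firewall" "deny_all_ingress" {
  priority = 65534
  deny {
    protocol = "all"
  }
  source_ranges = ["0.0.0.0/0"]
}
resource "google_cloud_run_v2_service" "mkdocs" {
  template {
    containers {
      image = "us-central1-docker.pkg.dev/${var.project_id}/gpus-images/mkdocs:latest"
    }
  }
}
resource "google_cloud_run_v2_service_iam_member" "mkdocs_public" {
  role   = "roles/run.invoker"
  member = "allUsers"
}
resource "google_cloud_run_v2_service_iam_member" "status_auth" {
  role   = "roles/run.invoker"
  member = "domain:greenpeace.us"
}
EOF
}

sample_tf | lint_tf
```

In the Terraform directory the same function runs as lint_tf *.tf.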
8. Cost Estimate (Monthly)¶
| Service | Estimated Cost |
|---|---|
| Cloud VPN tunnel | ~$36/mo |
| OAK (n2-standard-2) | ~$62/mo |
| MAPLE (e2-standard-2) | ~$48/mo |
| CEDAR (e2-standard-4) | ~$97/mo |
| SSD Disks (6 × 50GB pd-ssd) | ~$51/mo |
| Cloud NAT | ~$15/mo |
| Cloud Run (3 services) | ~$8/mo |
| Cloud Storage (backups + TF state) | ~$5/mo |
| Static IP (VPN) | ~$7/mo |
| Networking / Egress | ~$25/mo |
| Other (DNS, logging) | ~$8/mo |
| Total | ~$362/mo |
Budget alert: Set at $400/mo — GCP Console → Billing → Budgets.
SSD quota: 500GB total us-central1. 300GB used. Request increase to 2TB before adding VM #4.
9. Ongoing Maintenance¶
9.1 VPN Health Check¶
gcloud compute vpn-tunnels describe gpus-vpn-tunnel-wdc \
--region=us-central1 \
--format="table(name,status,detailedStatus,peerIp)"
9.2 Cloud Run Service Status¶
9.3 Backup Bucket Audit¶
9.4 Terraform State¶
cd ~/terraform/gpus-infra/terraform
terraform plan # Detect drift
terraform apply # Reconcile if needed
Appendix — Key Resources¶
| Resource | Value |
|---|---|
| GCP Project ID | gpus-infra |
| Organization ID | 229947811160 |
| Billing Account | 01FBB7-BDDEDF-BF8810 |
| Region / Zone | us-central1 / us-central1-a |
| VPC Name | gpus-vpc |
| VPC CIDR | 172.16.0.0/24 |
| VPN Gateway IP | 130.211.194.72 |
| WDC Peer IP | 38.140.146.68 |
| OAK VM | 172.16.0.10 · n2-standard-2 · oak-agent@gpus-infra |
| MAPLE VM | 172.16.0.12 · e2-standard-2 · maple-agent@gpus-infra |
| CEDAR VM | 172.16.0.13 · e2-standard-4 · cedar-agent@gpus-infra |
| Cloud NAT | gpus-nat on gpus-nat-router |
| MkDocs Cloud Run | gpus-mkdocs-portal · https://infra.greenpeace.us |
| Status Site Cloud Run | gpus-status-site · https://status.greenpeace.us |
| Security Site Cloud Run | gpus-security-site · https://security.greenpeace.us |
| Backup Bucket | gpus-infra-backups-wdc |
| TF State Bucket | gpus-infra-tf-state |
| Artifact Registry | us-central1-docker.pkg.dev/gpus-infra/gpus-images |