GCP Cloud Environment
Classification: CONFIDENTIAL — Internal Use Only
The GCP cloud environment (gpus-infra) extends the WDC site into Google Cloud Platform via a site-to-site IPSec VPN. All infrastructure is managed by Terraform with state stored in GCS.
Key Parameters
| Parameter | Value |
|---|---|
| GCP Project | gpus-infra (Proj# 1056766133984) |
| Organization | greenpeace.us (Org ID: 229947811160) |
| Billing Account | 01FBB7-BDDEDF-BF8810 |
| Region / Zone | us-central1 / us-central1-a (Iowa — 100% renewable) |
| VPC Name | gpus-vpc |
| VPC CIDR | 172.16.0.0/24 |
| VPN Gateway IP | 130.211.194.72 |
| WDC Peer IP | 38.140.146.68 (Meraki MX100) |
| IaC | Terraform — state in gpus-infra-tf-state GCS bucket |
VPN Tunnel
The site-to-cloud tunnel runs IKEv2 with AES-256-GCM encryption between the WDC Meraki MX100 and the GCP Cloud VPN gateway. Status: ESTABLISHED.
```bash
# Verify tunnel status
gcloud compute vpn-tunnels describe gpus-vpn-tunnel-wdc \
  --region=us-central1 \
  --format="value(status,detailedStatus)"
```
- Phase 1: AES-256, SHA-256, DH Group 14, Lifetime 28800s
- Phase 2: AES-256, SHA-256, PFS Group 14, Lifetime 3600s
- Routes tunneled: 192.168.120.0/23, 192.168.122.0/24, 192.168.124.0/24 ↔ 172.16.0.0/24
GCP VM Fleet
| Host | IP | Machine Type | Role | Service Account |
|---|---|---|---|---|
| OAK | 172.16.0.10 | n2-standard-2 | Security Scanner (OpenVAS) | oak-agent@gpus-infra |
| MAPLE | 172.16.0.12 | e2-standard-2 | Cloud Monitoring (Prometheus/Grafana/Wazuh) | maple-agent@gpus-infra |
| CEDAR | 172.16.0.13 | e2-standard-4 | Cloud Logging (ELK/Wazuh Indexer) | cedar-agent@gpus-infra |
All VMs: Rocky Linux 8.10, 50GB boot + 50GB data pd-ssd, CIS hardened, admin: cloudadmin.
SSD Quota: 500GB total in us-central1. Currently used: 300GB (3 × 100GB). Max 5 VMs before quota increase. Request increase to 2TB before adding VM #4.
Cloud NAT
| Resource | Value |
|---|---|
| Router | gpus-nat-router |
| NAT | gpus-nat |
| Region | us-central1 |
| Purpose | Outbound internet for GCP VMs (package installs, GCS, registry pulls) |
Cloud Run Services
| Service | Image | URL | Status |
|---|---|---|---|
| MkDocs Portal | gpus-images/mkdocs:latest | https://infra.greenpeace.us | ✅ Running |
| Status Site | gpus-images/status-site:latest | https://status.greenpeace.us | ✅ Running |
| Status Backend | gpus-images/status-backend:latest | (internal) | ✅ Running |
| Security Site | gpus-images/security-site:latest | https://security.greenpeace.us | ✅ Running |
| Security Backend | gpus-images/security-backend:latest | (internal) | ✅ Running |
| SOC Site | gpus-images/soc-site:latest | https://soc.greenpeace.us | ✅ Running |
| SOC Backend | gpus-images/soc-backend:latest | (internal) | ✅ Running |
All 7 services scale to zero when idle. TLS is Google-managed. Images stored in Artifact Registry at us-central1-docker.pkg.dev/gpus-infra/gpus-images.
Deploy a service:
**Cloud Run redeployment risk:** Redeploying via `terraform apply` can overwrite a service with the default hello-world image if `lifecycle { ignore_changes = [template[0].containers[0].image] }` is not set on the resource. Always verify the image tag in Artifact Registry before applying Terraform.
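The image-overwrite risk above is easy to catch mechanically before `terraform apply` runs. The script below is an added example, not part of this runbook or the gpus-infra Terraform tree: it reads a saved plan (`terraform plan -out=tfplan`, then `terraform show -json tfplan`) and refuses to proceed if any Cloud Run service would be created or updated with an image outside the team's Artifact Registry path (`us-central1-docker.pkg.dev/gpus-infra/gpus-images/`, taken from this page). It assumes the services are `google_cloud_run_v2_service` resources, which is the schema the `template[0].containers[0].image` path in the admonition refers to; the `SAMPLE_PLAN` is constructed for illustration and is not real Terraform output, and the `us-docker.pkg.dev/cloudrun/container/hello` image in it is the Cloud Run quickstart image, used here as a stand-in for whatever default the resource would fall back to.

```python
"""Pre-apply guard for the gpus-infra Terraform tree (added example, not the
project's own code): reject any plan that would move a Cloud Run service's
image outside the expected Artifact Registry repository."""
import json
import subprocess
import sys

# Registry prefix from the runbook; any planned image outside it is suspect.
EXPECTED_REGISTRY = "us-central1-docker.pkg.dev/gpus-infra/gpus-images/"

# Resource types whose image lives at template[0].containers[0].image
# (assumption: the services are managed as google_cloud_run_v2_service).
CLOUD_RUN_TYPES = {"google_cloud_run_v2_service"}


def _image(state):
    """Extract template[0].containers[0].image from a before/after state,
    or None when the state is absent (new resource) or has no container."""
    try:
        return state["template"][0]["containers"][0]["image"]
    except (KeyError, IndexError, TypeError):
        return None


def planned_images(plan):
    """Yield (address, before_image, after_image) for every Cloud Run service
    the plan would create or update. `plan` is the parsed JSON from
    `terraform show -json <planfile>`."""
    for rc in plan.get("resource_changes", []):
        if rc.get("type") not in CLOUD_RUN_TYPES:
            continue
        change = rc.get("change", {})
        if not set(change.get("actions", [])) & {"create", "update"}:
            continue  # no-op, read or delete: nothing gets overwritten
        yield rc["address"], _image(change.get("before")), _image(change.get("after"))


def risky_image_changes(plan):
    """Return one finding string per service whose planned image is not in
    EXPECTED_REGISTRY (for example a reset to the placeholder image when
    `image` is not protected by lifecycle.ignore_changes)."""
    findings = []
    for address, before, after in planned_images(plan):
        if after is None or after.startswith(EXPECTED_REGISTRY):
            continue
        findings.append(f"{address}: {before!r} -> {after!r}")
    return findings


def check_plan_file(path="tfplan"):
    """Render a saved plan with `terraform show -json` and return findings."""
    proc = subprocess.run(["terraform", "show", "-json", path],
                          check=True, capture_output=True, text=True)
    return risky_image_changes(json.loads(proc.stdout))


# Constructed sample plan (not real terraform output): status_site keeps its
# image, soc_backend would be reset to the quickstart placeholder image, and
# the OAK VM is a no-op that the guard must ignore.
SAMPLE_PLAN = {
    "resource_changes": [
        {
            "address": "google_cloud_run_v2_service.status_site",
            "type": "google_cloud_run_v2_service",
            "change": {
                "actions": ["update"],
                "before": {"template": [{"containers": [{"image": EXPECTED_REGISTRY + "status-site:latest"}]}]},
                "after": {"template": [{"containers": [{"image": EXPECTED_REGISTRY + "status-site:latest"}]}]},
            },
        },
        {
            "address": "google_cloud_run_v2_service.soc_backend",
            "type": "google_cloud_run_v2_service",
            "change": {
                "actions": ["update"],
                "before": {"template": [{"containers": [{"image": EXPECTED_REGISTRY + "soc-backend:latest"}]}]},
                "after": {"template": [{"containers": [{"image": "us-docker.pkg.dev/cloudrun/container/hello"}]}]},
            },
        },
        {
            "address": "google_compute_instance.oak",
            "type": "google_compute_instance",
            "change": {"actions": ["no-op"], "before": {}, "after": {}},
        },
    ]
}


if __name__ == "__main__":
    # Usage: terraform plan -out=tfplan && python3 preapply_guard.py tfplan && terraform apply tfplan
    found = check_plan_file(sys.argv[1] if len(sys.argv) > 1 else "tfplan")
    for finding in found:
        print("REFUSING TO APPLY:", finding)
    sys.exit(1 if found else 0)
```

Running the guard on the constructed plan reports only `soc_backend`; the VM no-op and the unchanged site are ignored. Wiring it between `terraform plan -out=tfplan` and `terraform apply tfplan` means the apply step only ever sees a plan file that has already passed the image check, which is a stronger guarantee than reading the plan output by eye.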
DNS
| Zone | Purpose | Nameservers |
|---|---|---|
| cloud.us | GCP VMs (oak, maple, cedar) | Authoritative on SKY/RAIN |
| wdc.us.gl3 | WDC on-prem hosts | Authoritative on SKY/RAIN |
```bash
# Add/verify cloud VM DNS records on SKY
cat /var/named/cloud.us.db
dig oak.cloud.us @192.168.120.1
dig maple.cloud.us @192.168.120.1
dig cedar.cloud.us @192.168.120.1
```
Cloud Storage
| Bucket | Purpose | Class | Retention |
|---|---|---|---|
| gpus-infra-backups-wdc | Encrypted on-prem + GCP VM backups | NEARLINE | 90 days |
| gpus-infra-tf-state | Terraform state (versioned) | STANDARD | Indefinite |
GCP VMs use instance service accounts for GCS access (no key files). Backup script: /usr/local/bin/gpus-backup.sh.
Terraform Operations
```bash
cd ~/terraform/gpus-infra/terraform
# Check for configuration drift
terraform plan
# Apply changes
terraform apply
# View current outputs
terraform output
```
Terraform files:
| File | Purpose |
|---|---|
| openvas.tf | OAK VM + disks + firewall |
| maple.tf | MAPLE VM + disks + firewall |
| cedar.tf | CEDAR VM + disks + firewall |
| cloud-run.tf | Status/infra/security Cloud Run services |
Monthly Cost Estimate
| Service | Cost |
|---|---|
| Cloud VPN tunnel | ~$36/mo |
| OAK (n2-standard-2) | ~$62/mo |
| MAPLE (e2-standard-2) | ~$48/mo |
| CEDAR (e2-standard-4) | ~$97/mo |
| SSD Disks (6 × 50GB) | ~$51/mo |
| Cloud NAT | ~$15/mo |
| Cloud Run (7 services) | ~$8/mo |
| Cloud Storage | ~$5/mo |
| Networking + Egress | ~$25/mo |
| Other | ~$15/mo |
| Total | ~$362/mo |
Budget alert: Set at $400/mo in GCP Console → Billing → Budgets.
Cost optimization: Consider switching OAK to e2-standard-2 (~$14/mo saving). 1-year CUD on CEDAR saves ~$29/mo.
GCP Cloud Environment · v2.2 · 2026-04-07 · GPUS-IT · Classification: CONFIDENTIAL — Internal Use Only