Add helper script for creating deployment connectivity resources

rshyamsu · rshyamsu · commit 8082079f8a1d · 2025-10-14T14:00:57.000-07:00
diff --git a/content/nginxaas-google/getting-started/create-deployment/deploy-console.md b/content/nginxaas-google/getting-started/create-deployment/deploy-console.md
@@ -85,20 +85,189 @@ In the NGINXaaS Console,
 
 To set up connectivity to your NGINXaaS deployment, you will need to configure a [Private Service Connect backend](https://cloud.google.com/vpc/docs/private-service-connect-backends).
 
-1. Access the [Google Cloud Console](https://console.cloud.google.com/).
+1. Access the [Google Cloud Console](https://console.cloud.google.com/) and choose a project where you would like to create resources for connecting to your F5 NGINXaaS deployment.
+1. Create or reuse a [VPC network](https://cloud.google.com/vpc/docs/create-modify-vpc-networks).
+1. Create a proxy-only subnet in your consumer VPC. See [Google's documentation on creating a proxy-only subnet](https://cloud.google.com/load-balancing/docs/tcp/set-up-ext-reg-tcp-proxy-zonal#console_1) for a step-by-step guide.
 1. Create a public IP address. See [Google's documentation on reserving a static address](https://cloud.google.com/load-balancing/docs/tcp/set-up-ext-reg-tcp-proxy-zonal#console_3) for a step-by-step guide.
 1. Create a Network Endpoint Group (NEG). See [Google's documentation on creating a NEG](https://cloud.google.com/vpc/docs/access-apis-managed-services-private-service-connect-backends#console) for a step-by-step guide.
    - For **Target service**, enter your NGINXaaS deployment's Service Attachment, which is visible on the `Deployment Details` section for your deployment.
    - For **Producer port**, enter the port your NGINX server is listening on. If you're using the default NGINX config, enter port `80`.
    - For **Network** and **Subnetwork** select your consumer VPC network and subnet.
-1. Create a proxy-only subnet in your consumer VPC. See [Google's documentation on creating a proxy-only subnet](https://cloud.google.com/load-balancing/docs/tcp/set-up-ext-reg-tcp-proxy-zonal#console_1) for a step-by-step guide.
 1. Create a regional external proxy Network Load Balancer. See [Google's documentation on configuring the load balancer](https://cloud.google.com/load-balancing/docs/tcp/set-up-ext-reg-tcp-proxy-zonal#console_6) for a step-by-step guide.
    - For **Network**, select your consumer VPC network.
    - For **Backend configuration**, follow [Google's step-by-step guide to add a backend](https://cloud.google.com/vpc/docs/access-apis-managed-services-private-service-connect-backends#console_5).
    - In the **Frontend configuration** section,
       - For **IP address**, select the public IP address created earlier.
       - For **Port number**, enter the same port as your NEG's Producer port, for example, port `80`.
 
+{{< call-out "note" >}}
+   If you have multiple ports configured on NGINX, you will have to create a new network endpoint group for every port. You can also automate these steps by using the following helper script:
+
+   ```bash
+   #!/bin/bash
+
+# Default values
+PROJECT=""
+REGION=""
+NETWORK=""
+SA_URI=""
+PORTS="80"
+
+# Prerequisites:
+# - gcloud CLI installed and configured
+# - An existing projectID and a VPC network created in that project
+# - A valid Service Attachment URI from F5 NGINXaaS
+
+# Function to display usage
+usage() {
+    cat << EOF
+Usage: $0 --project PROJECT --region REGION --network NETWORK --service-attachment SA_URI [--ports PORTS]
+
+Options:
+    --project                 GCP Project ID
+    --region                  GCP Region
+    --network                 VPC Network name
+    --service-attachment      Service Attachment Self Link
+    --ports                   Comma-separated list of ports (default: 80)
+    --help                    Show this help message
+
+Note: Proxy subnet and public IP will be automatically created as 'psc-proxy-subnet' and 'psc-vip' respectively.
+
+Example:
+    $0 --project my-project --region us-central1 --network my-vpc \\
+       --service-attachment "projects/producer-proj/regions/us-central1/serviceAttachments/my-service" \\
+       --ports "80,443,8080"
+EOF
+}
+
+# Parse command line arguments
+while [[ $# -gt 0 ]]; do
+    case $1 in
+        --project)
+            PROJECT="$2"
+            shift 2
+            ;;
+        --region)
+            REGION="$2"
+            shift 2
+            ;;
+        --network)
+            NETWORK="$2"
+            shift 2
+            ;;
+        --service-attachment)
+            SA_URI="$2"
+            shift 2
+            ;;
+        --ports)
+            PORTS="$2"
+            shift 2
+            ;;
+        --help|-h)
+            usage
+            exit 0
+            ;;
+        *)
+            echo "Unknown option: $1"
+            usage
+            exit 1
+            ;;
+    esac
+done
+
+# Set auto-generated proxy subnet name and VIP name
+PROXY_SUBNET="psc-proxy-subnet"
+VIPNAME="psc-vip"
+
+# Validate required parameters
+missing_params=()
+[[ -z "$PROJECT" ]] && missing_params+=("--project")
+[[ -z "$REGION" ]] && missing_params+=("--region")
+[[ -z "$NETWORK" ]] && missing_params+=("--network")
+[[ -z "$SA_URI" ]] && missing_params+=("--service-attachment")
+
+if [[ ${#missing_params[@]} -gt 0 ]]; then
+    echo "Error: Missing required parameters: ${missing_params[*]}"
+    usage
+    exit 1
+fi
+
+# Create proxy-only subnet (skip if exists)
+echo "Creating proxy-only subnet..."
+if ! gcloud compute networks subnets describe $PROXY_SUBNET --region=$REGION --project=$PROJECT >/dev/null 2>&1; then
+    gcloud compute networks subnets create $PROXY_SUBNET \
+      --project=$PROJECT --region=$REGION \
+      --network=$NETWORK \
+      --range=192.168.1.0/24 \
+      --purpose=REGIONAL_MANAGED_PROXY \
+      --role=ACTIVE
+    echo "Created proxy-only subnet: $PROXY_SUBNET"
+else
+    echo "Proxy-only subnet $PROXY_SUBNET already exists"
+fi
+
+# Create regional VIP address (skip if exists)
+echo "Creating regional VIP address..."
+if ! gcloud compute addresses describe $VIPNAME --region=$REGION --project=$PROJECT >/dev/null 2>&1; then
+    gcloud compute addresses create $VIPNAME --region=$REGION --project=$PROJECT --network-tier=PREMIUM
+fi
+VIP=$(gcloud compute addresses describe $VIPNAME --region=$REGION --project=$PROJECT --format='get(address)')
+echo "Using VIP address: $VIP"
+
+# Convert comma-separated ports to array
+IFS=',' read -ra PORTS_ARRAY <<< "$PORTS"
+
+for P in "${PORTS_ARRAY[@]}"; do
+  echo "Processing port $P..."
+  
+  # Create Network Endpoint Group (skip if exists)
+  if ! gcloud compute network-endpoint-groups describe psc-neg-$P --region=$REGION --project=$PROJECT >/dev/null 2>&1; then
+    gcloud compute network-endpoint-groups create psc-neg-$P \
+      --project=$PROJECT --region=$REGION \
+      --network-endpoint-type=private-service-connect \
+      --psc-target-service="$SA_URI" \
+      --network=$NETWORK \
+      --producer-port=$P
+  fi
+
+  # Create Backend Service (skip if exists)
+  if ! gcloud compute backend-services describe be-$P --region=$REGION --project=$PROJECT >/dev/null 2>&1; then
+    gcloud compute backend-services create be-$P \
+      --project=$PROJECT --region=$REGION \
+      --protocol=TCP --load-balancing-scheme=EXTERNAL_MANAGED
+      
+    # Add backend to service
+    gcloud compute backend-services add-backend be-$P \
+      --project=$PROJECT --region=$REGION \
+      --network-endpoint-group=psc-neg-$P \
+      --network-endpoint-group-region=$REGION
+  fi
+
+  # Create Target TCP Proxy (skip if exists)
+  if ! gcloud compute target-tcp-proxies describe tp-$P --region=$REGION --project=$PROJECT >/dev/null 2>&1; then
+    gcloud compute target-tcp-proxies create tp-$P \
+      --project=$PROJECT --region=$REGION --backend-service=be-$P
+  fi
+
+  # Create Forwarding Rule (skip if exists)
+  if ! gcloud compute forwarding-rules describe fr-$P --region=$REGION --project=$PROJECT >/dev/null 2>&1; then
+    gcloud compute forwarding-rules create fr-$P \
+      --project=$PROJECT --region=$REGION \
+      --address=$VIP --network=$NETWORK \
+      --target-tcp-proxy=tp-$P --target-tcp-proxy-region=$REGION \
+      --ports=$P --load-balancing-scheme=EXTERNAL_MANAGED \
+      --network-tier=PREMIUM --ip-protocol=TCP
+  fi
+  
+  echo "Completed setup for port $P"
+done
+
+echo "Setup complete! Public Virtual IP: $VIP"
+   ```
+
+{{< /call-out >}}
+
+
 ## Test your deployment
 
 1. To test your deployment, go to the IP address created in [Set up connectivity to your deployment]({{< ref "/nginxaas-google/getting-started/create-deployment/deploy-console.md#set-up-connectivity-to-your-deployment" >}}) using your favorite web browser.
