From 14f31168dfeea1fbc4be69ca378c1f9d41bc0a46 Mon Sep 17 00:00:00 2001
From: Roshan Shyamsunder <r.shyamsunderanantharamakrishnan@f5.com>
Date: Tue, 14 Oct 2025 14:00:57 -0700
Subject: [PATCH] Add helper script for creating deployment connectivity
 resources

---
 .../create-deployment/deploy-console.md       | 174 +++++++++++++++++-
 1 file changed, 172 insertions(+), 2 deletions(-)

diff --git a/content/nginxaas-google/getting-started/create-deployment/deploy-console.md b/content/nginxaas-google/getting-started/create-deployment/deploy-console.md
index 99cdb2caa..f111effee 100644
--- a/content/nginxaas-google/getting-started/create-deployment/deploy-console.md
+++ b/content/nginxaas-google/getting-started/create-deployment/deploy-console.md
@@ -85,7 +85,9 @@ In the NGINXaaS Console,
 
 To set up connectivity to your NGINXaaS deployment, you will need to configure a [Private Service Connect backend](https://cloud.google.com/vpc/docs/private-service-connect-backends).
 
-1. Access the [Google Cloud Console](https://console.cloud.google.com/).
+1. Access the [Google Cloud Console](https://console.cloud.google.com/) and select the project where your networking resources for connecting to your F5 NGINXaaS deployment should be created.
+1. Create or reuse a [VPC network](https://cloud.google.com/vpc/docs/create-modify-vpc-networks).
+1. Create a proxy-only subnet in your consumer VPC. See [Google's documentation on creating a proxy-only subnet](https://cloud.google.com/load-balancing/docs/tcp/set-up-ext-reg-tcp-proxy-zonal#console_1) for a step-by-step guide.
 1. Create a public IP address. See [Google's documentation on reserving a static address](https://cloud.google.com/load-balancing/docs/tcp/set-up-ext-reg-tcp-proxy-zonal#console_3) for a step-by-step guide.
 1. Create a Private Service Connect Network Endpoint Group (PSC NEG). See [Google's documentation on creating a NEG](https://cloud.google.com/vpc/docs/access-apis-managed-services-private-service-connect-backends#console) for a step-by-step guide.
    - Set **Network endpoint group type** to **Private Service Connect NEG (Regional)**.
@@ -93,7 +95,6 @@ To set up connectivity to your NGINXaaS deployment, you will need to configure a
    - For **Target service**, enter your NGINXaaS deployment's Service Attachment, which is visible on the `Deployment Details` section for your deployment.
    - For **Producer port**, enter the port your NGINX server is listening on. If you're using the default NGINX config, enter port `80`.
    - For **Network** and **Subnetwork** select your consumer VPC network and subnet.
-1. Create a proxy-only subnet in your consumer VPC. See [Google's documentation on creating a proxy-only subnet](https://cloud.google.com/load-balancing/docs/tcp/set-up-ext-reg-tcp-proxy-zonal#console_1) for a step-by-step guide.
 1. Create a regional external proxy Network Load Balancer. See [Google's documentation on configuring the load balancer](https://cloud.google.com/load-balancing/docs/tcp/set-up-ext-reg-tcp-proxy-zonal#console_6) for a step-by-step guide.
    - For **Network**, select your consumer VPC network.
    - For **Backend configuration**, follow [Google's step-by-step guide to add a backend](https://cloud.google.com/vpc/docs/access-apis-managed-services-private-service-connect-backends#console_5).
@@ -101,6 +102,175 @@ To set up connectivity to your NGINXaaS deployment, you will need to configure a
       - For **IP address**, select the public IP address created earlier.
       - For **Port number**, enter the same port as your NEG's Producer port, for example, port `80`.
 
+
+Each listening port configured on NGINX requires its own network endpoint group with a matching port. You can use the following helper script to automate these steps:
+
+{{< details summary="Show helper script" >}}
+
+   ```bash
+   #!/bin/bash
+   set -euo pipefail
+
+   # Default values
+   PROJECT=""
+   REGION=""
+   NETWORK=""
+   SA_URI=""
+   PORTS="80"
+   PROXY_SUBNET="psc-proxy-subnet"
+   VIPNAME="psc-vip"
+   # Prerequisites:
+   # - gcloud CLI installed and configured
+   # - An existing projectID and a VPC network created in that project
+   # - A valid Service Attachment URI from F5 NGINXaaS
+
+   # Function to display usage
+   usage() {
+      cat << EOF
+      Usage: $0 --project PROJECT --region REGION --network NETWORK --service-attachment SA_URI [--ports PORTS]
+
+      Options:
+         --project                 GCP Project ID
+         --region                  GCP Region
+         --network                 VPC Network name
+         --service-attachment      Service Attachment Self Link
+         --ports                   Comma-separated list of ports (default: 80)
+         --help                    Show this help message
+
+      Note: Proxy subnet and public IP will be automatically created as 'psc-proxy-subnet' and 'psc-vip' respectively.
+
+      Example:
+         $0 --project my-project --region us-central1 --network my-vpc \\
+            --service-attachment "projects/producer-proj/regions/us-central1/serviceAttachments/sa-aa4c6965-4b03-4518-85ea-2ca6fc2e869c" \\
+         --ports "80,443,8080"
+      EOF
+   }
+
+   # Parse command line arguments
+   while [[ $# -gt 0 ]]; do
+      case $1 in
+         --project)
+            PROJECT="$2"
+            shift 2
+            ;;
+         --region)
+            REGION="$2"
+            shift 2
+            ;;
+         --network)
+            NETWORK="$2"
+            shift 2
+            ;;
+         --service-attachment)
+            SA_URI="$2"
+            shift 2
+            ;;
+         --ports)
+            PORTS="$2"
+            shift 2
+            ;;
+         --help|-h)
+            usage
+            exit 0
+            ;;
+        *)
+            echo "Unknown option: $1"
+            usage
+            exit 1
+            ;;
+      esac
+   done
+
+   # Set auto-generated proxy subnet name and VIP name
+
+   # Validate required parameters
+   missing_params=()
+   [[ -z "$PROJECT" ]] && missing_params+=("--project")
+   [[ -z "$REGION" ]] && missing_params+=("--region")
+   [[ -z "$NETWORK" ]] && missing_params+=("--network")
+   [[ -z "$SA_URI" ]] && missing_params+=("--service-attachment")
+
+   if [[ ${#missing_params[@]} -gt 0 ]]; then
+      echo "Error: Missing required parameters: ${missing_params[*]}"
+      usage
+      exit 1
+   fi
+
+   # Create proxy-only subnet (skip if exists)
+   echo "Creating proxy-only subnet..."
+   if ! gcloud compute networks subnets describe $PROXY_SUBNET --region=$REGION --project=$PROJECT >/dev/null 2>&1; then
+      gcloud compute networks subnets create $PROXY_SUBNET \
+         --project=$PROJECT --region=$REGION \
+         --network=$NETWORK \
+         --range=192.168.1.0/24 \
+         --purpose=REGIONAL_MANAGED_PROXY \
+         --role=ACTIVE
+      echo "Created proxy-only subnet: $PROXY_SUBNET"
+   else
+      echo "Proxy-only subnet $PROXY_SUBNET already exists"
+   fi
+
+   # Create regional VIP address (skip if exists)
+   echo "Creating regional VIP address..."
+   if ! gcloud compute addresses describe $VIPNAME --region=$REGION --project=$PROJECT >/dev/null 2>&1; then
+      gcloud compute addresses create $VIPNAME --region=$REGION --project=$PROJECT --network-tier=PREMIUM
+   fi
+   VIP=$(gcloud compute addresses describe $VIPNAME --region=$REGION --project=$PROJECT --format='get(address)')
+   echo "Using VIP address: $VIP"
+
+   # Convert comma-separated ports to array
+   IFS=',' read -ra PORTS_ARRAY <<< "$PORTS"
+
+   for P in "${PORTS_ARRAY[@]}"; do
+      echo "Processing port $P..."
+  
+      # Create Network Endpoint Group (skip if exists)
+      if ! gcloud compute network-endpoint-groups describe psc-neg-$P --region=$REGION --project=$PROJECT >/dev/null 2>&1; then
+         gcloud compute network-endpoint-groups create psc-neg-$P \
+            --project=$PROJECT --region=$REGION \
+            --network-endpoint-type=private-service-connect \
+            --psc-target-service="$SA_URI" \
+            --network=$NETWORK \
+            --producer-port=$P
+      fi
+
+      # Create Backend Service (skip if exists)
+      if ! gcloud compute backend-services describe be-$P --region=$REGION --project=$PROJECT >/dev/null 2>&1; then
+         gcloud compute backend-services create be-$P \
+            --project=$PROJECT --region=$REGION \
+            --protocol=TCP --load-balancing-scheme=EXTERNAL_MANAGED
+      
+      # Add backend to service
+      gcloud compute backend-services add-backend be-$P \
+         --project=$PROJECT --region=$REGION \
+         --network-endpoint-group=psc-neg-$P \
+         --network-endpoint-group-region=$REGION
+      fi
+
+      # Create Target TCP Proxy (skip if exists)
+      if ! gcloud compute target-tcp-proxies describe tp-$P --region=$REGION --project=$PROJECT >/dev/null 2>&1; then
+         gcloud compute target-tcp-proxies create tp-$P \
+            --project=$PROJECT --region=$REGION --backend-service=be-$P
+      fi
+
+      # Create Forwarding Rule (skip if exists)
+      if ! gcloud compute forwarding-rules describe fr-$P --region=$REGION --project=$PROJECT >/dev/null 2>&1; then
+         gcloud compute forwarding-rules create fr-$P \
+            --project=$PROJECT --region=$REGION \
+            --address=$VIP --network=$NETWORK \
+            --target-tcp-proxy=tp-$P --target-tcp-proxy-region=$REGION \
+            --ports=$P --load-balancing-scheme=EXTERNAL_MANAGED \
+            --network-tier=PREMIUM --ip-protocol=TCP
+      fi
+  
+      echo "Completed setup for port $P"
+   done
+
+   echo "Setup complete! Public Virtual IP: $VIP"
+   ```
+
+{{< /details >}}
+
 ## Test your deployment
 
 1. To test your deployment, go to the IP address created in [Set up connectivity to your deployment]({{< ref "/nginxaas-google/getting-started/create-deployment/deploy-console.md#set-up-connectivity-to-your-deployment" >}}) using your favorite web browser.