Deploy Firezone on GCP with Terraform

In this example, we will deploy one or more Firezone Gateways in a single VPC on Google Cloud Platform (GCP) that are configured to egress traffic through a single Cloud NAT that is assigned a single static IP address.

This example is built on top of Google Cloud Gateway via Regional Instance Group.

Common use cases

Use this guide to give your Firezone Clients a static public IP address for egress traffic to particular Resource(s). Here are some common use cases for this example:

  • Use IP whitelisting to access a third-party or partner application such as a client's DB or third-party API.
  • Use IP whitelisting with your identity provider to lock down access to a public application.
  • Enabling a team of remote contractors access to a regionally-locked application or service.

High availability

All Firezone Gateways deployed in this example will automatically failover and load balance for each other. No other configuration is necessary.


  1. Terraform
  2. Google Cloud Platform (GCP) account
  3. Google Cloud SDK
  4. Enable the Compute Engine API
  5. A Firezone Site dedicated to use for this example. This Site should contain only the Firezone Gateway(s) deployed in this example and any associated Resources.
  6. A Firezone Gateway token. This can be obtained by viewing your Site in the admin portal, clicking the Deploy Gateway button, and navigating to the instructions for the GCP tab. Gateway tokens support multi-use, so only a single token is needed to provision the Firezone Gateways in this guide.


Simply update the number of replicas to deploy more or fewer Firezone Gateways. There's no limit to the number of Firezone Gateways you can deploy in a single VPC.

If you need more than 64,512 concurrent connections, you can increase the number of public IP addresses reserved for the Cloud NAT. See Google's documentation for more information.

We've tested with f1-micro instances which still work quite well for most applications. However, you may want to consider a larger instance type if you have a high volume of traffic or lots of concurrent connections. See Gateway sizing recommendations for some general guidelines depending on your expected traffic.


  1. Download the from the example module.

  2. Configure the necessary Terraform variables. Here's an example terraform.tfvars you can use as a starting point:

    project_id     = "my-gcp-project"
    region         = "us-west1"
    zone           = "us-west1-a"
    token          = "<YOUR GATEWAY TOKEN>"
    replicas       = 3
    machine_type   = "f1-micro"
    log_level      = "info"
  3. Run terraform init to initialize the working directory and download the required providers.

  4. Run terraform apply to deploy the Firezone Gateway(s) into your GCP project.

You can see the static IP address assigned to the Cloud NAT in the Terraform output. This is the IP address that your Firezone Gateway(s) will use to egress traffic.

You can verify all Firezone Gateways are using this IP by viewing the Site in the Firezone admin portal, where you should now see the Firezone Gateway(s) listed as Online.

Online Gateways


To upgrade the Firezone Gateway(s) to the latest version, we recommend setting a version to deploy with the vsn variable. Then, whenever you want to upgrade, update this variable and run terraform apply, which will trigger a new deployment of the Firezone Gateway(s) with the new version.

You can follow the latest releases of the Gateway at our changelog page.

This will incur a few minutes of downtime as Terraform destroys the existing Firezone Gateway(s) and deploys new ones in their place.


static_ip_addresses will contain a list of static IP addresses that you can use to whitelist your Firezone Gateway(s) in your third-party or partner application.


To clean up the resources created by this example, run terraform destroy.

Last updated: July 12, 2024