Credit goes to docs.ciq.com

GCP - Deployment

Overview

This guide shows how to deploy Rocky Linux from CIQ – Hardened (RLC-H) on Google Cloud Platform (GCP) using the gcloud CLI.

RLC-H is a hardened image of Rocky Linux published by CIQ through Google Cloud Marketplace, providing kernel-level protections and compliance-ready configurations.

Prerequisites

  • Familiarity with GCP concepts (Projects, VPC Networks, Subnets, Firewalls, IAM, CMEK)
  • Installed and initialized Google Cloud CLI (gcloud):

    gcloud auth login
    gcloud config set project <YOUR_PROJECT_ID>
    
  • Rights to accept Marketplace terms and launch Compute Engine resources

  • SSH key available (or create/import one below)

Hardware Requirements

Component      Minimum                         Recommended
vCPUs          2 vCPUs                         4+ vCPUs
Memory         4 GB RAM                        8 GB RAM or more
Storage        25 GB root                      64 GB+ SSD persistent disk
Machine Type   e2-standard-2 (2 vCPU, 8 GB)    n2-standard-4 (4 vCPU, 16 GB)

Notes

  • Shielded VM and Secure Boot are enabled by default on most machine families.
  • Use SSD Persistent Disks for production workloads.
  • Consider ≥ 8 GB RAM when running with LKRG and hardened memory.

How to Acquire RLC-H via Marketplace

  1. Open Google Cloud Marketplace in the GCP console and search for “Rocky Linux from CIQ - Hardened”.
  2. Select the CIQ Rocky Linux Hardened offering (the exact name may vary; look for the latest "Rocky Linux from CIQ - Hardened" image for your architecture).
  3. Click Launch, or select Deploy with CLI to open the Command-line deployment tab.
  4. Accept the terms or private offer for your project (one-time).
  5. Continue following the instructions in this guide.

Note

The Marketplace subscription step needs to be completed only once per project.
After acceptance, you can deploy as many RLC-H VM instances as needed using the CLI.

Marketplace Information

RLC-H images are published by CIQ.

Image Name Pattern (example)                Publisher   Support Tier
ciq-rocky-linux-9-rlc-hardened-gcp-x86-*    CIQ         Basic Support
Coming soon                                 CIQ         Standard Support
Coming soon                                 CIQ         Premium Support

When creating the instance, use the image resource name provided in the Marketplace Command-line deployment tab.

Find the RLC-H Image

Deploying via the CLI requires the resource name of the RLC-H image; the Google Cloud Marketplace listing provides it.

Step 1 — Visit the Product Listing

  1. Open the Rocky Linux from CIQ – Hardened Marketplace listing.
  2. Click Deploy with CLI to open the Command-line deployment tab.

Step 2 — Configure a Service Account (Optional)

You may use your authenticated user or a service account.
If you choose a service account, it must have:

  • roles/config.agent
  • roles/compute.admin
  • roles/iam.serviceAccountUser

Configure your project for CLI authentication:

gcloud config set project <YOUR_PROJECT_ID>
gcloud auth application-default login

Step 3 — Retrieve the Image Resource Name

The Marketplace page displays the exact image resource name for deployment.
Example:

projects/mpi-ciqrocky-public/global/images/ciq-rocky-linux-9-rlc-hardened-gcp-x86-v1753911818

Copy it exactly as shown, and assign it to a variable:

IMAGE="projects/mpi-ciqrocky-public/global/images/ciq-rocky-linux-9-rlc-hardened-gcp-x86-v1753911818"

Create VPC and Networking

VPC_NAME="rlch-vpc"
SUBNET_NAME="rlch-subnet"
REGION="us-central1"
CIDR="10.10.1.0/24"
FIREWALL_NAME="rlch-ssh-fw"

Create VPC and Subnet

gcloud compute networks create "$VPC_NAME" --subnet-mode=custom
gcloud compute networks subnets create "$SUBNET_NAME" \
  --network="$VPC_NAME" --region="$REGION" --range="$CIDR"

Create Firewall Rule (allow SSH)

gcloud compute firewall-rules create "$FIREWALL_NAME" \
  --network "$VPC_NAME" \
  --allow tcp:22 \
  --source-ranges="<YOUR_ADMIN_CIDR>" \
  --target-tags="rlch-ssh"

Note

Set <YOUR_ADMIN_CIDR> to your admin or VPN CIDR. Do not use 0.0.0.0/0, which would expose SSH (tcp/22) on tagged instances to the entire internet.
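The image resource name from Step 3 and the SSH source range above are both copied in by hand, so it is worth checking them mechanically before any gcloud command runs. The following POSIX shell preflight is an added example, not part of the CIQ guide: the image pattern is derived from the Marketplace table in this guide, and the admin CIDR 203.0.113.0/24 is a constructed sample value.

```shell
#!/bin/sh
# Added preflight checks (example code, not part of the CIQ guide).
# Validates the two values this guide has you fill in by hand before any
# gcloud command is run: the RLC-H image resource name and the SSH source range.

# Shape of the image resource name shown on the Marketplace command-line tab
# (pattern from the guide's Marketplace table, with a numeric version suffix).
RLCH_IMAGE_RE='^projects/mpi-ciqrocky-public/global/images/ciq-rocky-linux-9-rlc-hardened-gcp-x86-v[0-9]+$'

# Returns 0 if the argument looks like a published RLC-H image, 1 otherwise.
check_image() {
  printf '%s\n' "$1" | grep -Eq "$RLCH_IMAGE_RE"
}

# Returns 0 if the argument is a specific IPv4 CIDR suitable for --source-ranges;
# rejects an unexpanded <YOUR_ADMIN_CIDR> placeholder and the 0.0.0.0/0
# "anywhere" range, which would expose tcp/22 to the whole internet.
check_admin_cidr() {
  case "$1" in
    '<'*'>'|0.0.0.0/0) return 1 ;;
  esac
  printf '%s\n' "$1" \
    | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' || return 1
  # The regex only bounds digit counts; check each octet is really 0-255.
  for octet in $(printf '%s' "${1%/*}" | tr '.' ' '); do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Runs both checks and reports the first failure on stderr.
preflight() {
  check_image "$1" || { echo "IMAGE is not an RLC-H image name: $1" >&2; return 1; }
  check_admin_cidr "$2" || { echo "SSH source range must be your admin/VPN CIDR, not $2" >&2; return 1; }
  echo "preflight OK: image and source range look sane"
}

# Sample run: the guide's example image name and a constructed admin CIDR.
preflight \
  "projects/mpi-ciqrocky-public/global/images/ciq-rocky-linux-9-rlc-hardened-gcp-x86-v1753911818" \
  "203.0.113.0/24"
```

Call preflight "$IMAGE" "<YOUR_ADMIN_CIDR value>" at the top of your deployment script and abort on a non-zero exit before the firewall rule is created.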

Create or Use an SSH Key Pair

You can use existing SSH keys from your Google Cloud project metadata or generate a new one.

Option A — Use an existing key

If your key is already added to project or instance metadata, no further steps are required.

Option B — Create a new key

ssh-keygen -t rsa -b 4096 -f ~/.ssh/rlch-gcp

Add the public key to your Project Metadata or VM Metadata under SSH Keys.

Create the RLC-H Instance

INSTANCE_NAME="vm-rlch"
ZONE="us-central1-a"
MACHINE_TYPE="e2-standard-2"
gcloud compute instances create "$INSTANCE_NAME" \
  --zone "$ZONE" \
  --machine-type "$MACHINE_TYPE" \
  --image "$IMAGE" \
  --subnet "$SUBNET_NAME" \
  --tags "rlch-ssh" \
  --boot-disk-size "30GB" \
  --boot-disk-type "pd-ssd" \
  --shielded-secure-boot

Verify the Instance

Get the external IP

gcloud compute instances describe "$INSTANCE_NAME" \
  --zone "$ZONE" \
  --format='get(networkInterfaces[0].accessConfigs[0].natIP)'

SSH into the instance

gcloud compute ssh rocky@"$INSTANCE_NAME" --zone "$ZONE"

Confirm RLC-H version and hardening

cat /etc/os-release
rpm -qa | grep lkrg

Note

The default SSH user is rocky.
You must use the private key corresponding to the SSH key added to your project or instance metadata.

Next Steps

  • Restrict firewall rules to admin IPs or private networks.
  • Use Customer-Managed Encryption Keys (CMEK) for data-at-rest encryption.
  • Enable Cloud Logging and Cloud Monitoring for auditing and metrics.
  • Configure OS Login or IAP tunneling for secure SSH access.
  • Run compliance checks (oscap, scap-security-guide) as needed.

Best Practices for RLC-H on GCP

Security

  • Enforce OS Login and MFA; prefer IAP tunneling over public SSH.
  • Keep Shielded VM and Secure Boot enabled.
  • Use least-privilege service accounts and avoid storing long-lived keys.
  • Centralize logging via Cloud Logging and Security Command Center.

Performance with Security

  • Prefer N2 or C2 machine families for compute-heavy workloads.
  • Use pd-ssd or balanced PD for production systems.
  • Monitor LKRG and hardened malloc overhead using Cloud Monitoring metrics.

Compliance

  • Use OSCAP or CIS/STIG benchmarks for compliance validation.
  • Export compliance results to Cloud Storage for audit tracking.
  • Tag resources appropriately for governance and inventory.

High Availability

  • Deploy across multiple zones for redundancy.
  • Use regional disks or snapshots for durability.
  • Add Load Balancing for distributed applications.
  • Implement Backup & DR with scheduled backups and encryption.

For additional security configurations and troubleshooting, see the main RLC-H documentation.