RLC Pro Hardened on Google Cloud Platform

Overview

This guide shows how to deploy RLC Pro Hardened on Google Cloud Platform (GCP) using the gcloud CLI.

RLC Pro Hardened is a hardened image of Rocky Linux published by CIQ through Google Cloud Marketplace, providing kernel-level protections and compliance-ready configurations.

Prerequisites

  • Familiarity with GCP concepts (Projects, VPC Networks, Subnets, Firewalls, IAM, CMEK)

  • Installed and initialized Google Cloud CLI (gcloud):

    gcloud auth login
    gcloud config set project <YOUR_PROJECT_ID>

  • Rights to accept Marketplace terms and launch Compute Engine resources

  • SSH key available (or create/import one below)

Hardware Requirements

Component | Minimum | Recommended
vCPUs | 2 vCPUs | 4+ vCPUs
Memory | 4 GB RAM | 8 GB RAM or more
Storage | 25 GB root | 64 GB+ SSD persistent disk
Machine Type | e2-standard-2 (2 vCPU, 8 GB) | n2-standard-4 (4 vCPU, 16 GB)
Note
  • Shielded VM and Secure Boot are enabled by default on most machine families.
  • Use SSD Persistent Disks for production workloads.
  • Consider ≥ 8 GB RAM when running with LKRG and hardened memory.

How to Acquire RLC Pro Hardened via Marketplace

  1. Navigate to Google Cloud Platform (GCP) and search for “RLC Pro Hardened”.
  2. Select the CIQ Rocky Linux Hardened offering (the exact name may vary; look for the latest "RLC Pro Hardened" image for your architecture).
  3. Click Launch, or select Deploy with CLI to open the Command-line deployment tab.
  4. Accept the terms or private offer for your project (one-time).
  5. Continue following the instructions in this guide.
Note
The Marketplace subscription step needs to be completed only once per project. After acceptance, you can deploy as many RLC Pro Hardened VM instances as needed using the CLI.

Marketplace Information

RLC Pro Hardened images are published by CIQ.

Image Name Pattern (example) | Publisher | Support Tier
ciq-rocky-linux-9-rlc-hardened-gcp-x86-* | CIQ | Basic Support
Coming soon | CIQ | Standard Support
Coming soon | CIQ | Premium Support

When creating the instance, use the image resource name provided in the Marketplace Command-line deployment tab.

Find the RLC Pro Hardened Image

Google Cloud Marketplace requires the resource name of the RLC Pro Hardened image to deploy via CLI.

Step 1 - Visit the Product Listing

  1. Open the RLC Pro Hardened Marketplace listing.
  2. Click Deploy with CLI to open the Command-line deployment tab.

Step 2 - Configure a Service Account (Optional)

You may use your authenticated user or a service account.
If you choose a service account, it must have:

  • roles/config.agent
  • roles/compute.admin
  • roles/iam.serviceAccountUser

Configure your project for CLI authentication:

gcloud config set project <YOUR_PROJECT_ID>
gcloud auth application-default login

Step 3 - Retrieve the Image Resource Name

The Marketplace page displays the exact image resource name for deployment.
Example:

projects/mpi-ciqrocky-public/global/images/ciq-rocky-linux-9-rlc-hardened-gcp-x86-v1753911818

Copy it exactly as shown, and assign it to a variable:

IMAGE="projects/mpi-ciqrocky-public/global/images/ciq-rocky-linux-9-rlc-hardened-gcp-x86-v1753911818"

Create VPC and Networking

VPC_NAME="rlch-vpc"
SUBNET_NAME="rlch-subnet"
REGION="us-central1"
CIDR="10.10.1.0/24"
FIREWALL_NAME="rlch-ssh-fw"

Create VPC and Subnet

gcloud compute networks create "$VPC_NAME" --subnet-mode=custom
gcloud compute networks subnets create "$SUBNET_NAME" \
  --network="$VPC_NAME" --region="$REGION" --range="$CIDR"

Create Firewall Rule (allow SSH)

gcloud compute firewall-rules create "$FIREWALL_NAME" \
  --network "$VPC_NAME" \
  --allow tcp:22 \
  --source-ranges="<YOUR_ADMIN_CIDR>" \
  --target-tags="rlch-ssh"
Note
Replace <YOUR_ADMIN_CIDR> with your admin or VPN CIDR rather than 0.0.0.0/0 for better security.
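
A pre-flight check for the source range used in the firewall rule above, as an added example that is not part of CIQ's guide: it refuses 0.0.0.0/0, malformed values and ranges broader than an assumed policy limit before gcloud is called. The names check_admin_cidr, create_ssh_rule and MIN_PREFIX are hypothetical, and the sample CIDRs are constructed.

```shell
#!/bin/sh
# Added example, not CIQ's tooling. MIN_PREFIX is an assumed local policy value.
MIN_PREFIX=16

# Print "ok" and return 0 only for a well-formed IPv4 CIDR that is narrow enough.
check_admin_cidr() {
    cidr=$1
    case $cidr in
        */*/*|/*|*/) echo "reject: malformed CIDR"; return 1 ;;
        */*) ;;
        *) echo "reject: missing /prefix"; return 1 ;;
    esac
    addr=${cidr%/*}
    prefix=${cidr#*/}
    case $addr in
        *[!0-9.]*|.*|*.|*..*) echo "reject: bad address"; return 1 ;;
    esac
    case $prefix in
        *[!0-9]*|???*) echo "reject: bad prefix"; return 1 ;;
    esac
    [ "$prefix" -le 32 ] || { echo "reject: bad prefix"; return 1; }
    old_ifs=$IFS; IFS=.
    set -- $addr            # split into octets; addr holds only digits and dots
    IFS=$old_ifs
    [ $# -eq 4 ] || { echo "reject: bad address"; return 1; }
    for octet in "$@"; do
        case $octet in ????*) echo "reject: bad address"; return 1 ;; esac
        [ "$octet" -le 255 ] || { echo "reject: bad address"; return 1; }
    done
    if [ "$prefix" -eq 0 ]; then
        echo "reject: open to the whole internet"; return 1
    elif [ "$prefix" -lt "$MIN_PREFIX" ]; then
        echo "reject: broader than /$MIN_PREFIX"; return 1
    fi
    echo "ok"
}

# Create the page's SSH rule only when the source range passes the check.
create_ssh_rule() {
    check_admin_cidr "$1" >&2 || return 1
    gcloud compute firewall-rules create "$FIREWALL_NAME" \
        --network "$VPC_NAME" --allow tcp:22 \
        --source-ranges="$1" --target-tags="rlch-ssh"
}

# Constructed sample inputs (203.0.113.0/24 is a documentation range).
for sample in "203.0.113.0/24" "0.0.0.0/0" "10.0.0.0/8" "203.0.113.7"; do
    printf '%s -> %s\n' "$sample" "$(check_admin_cidr "$sample" || true)"
done
```

With FIREWALL_NAME and VPC_NAME set as earlier in this guide, create_ssh_rule "<YOUR_ADMIN_CIDR>" runs the same gcloud command only after the range has passed the check.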

Create or Use an SSH Key Pair

You can use existing SSH keys from your Google Cloud project metadata or generate a new one.

Option A - Use an existing key

If your key is already added to project or instance metadata, no further steps are required.

Option B - Create a new key

ssh-keygen -t rsa -b 4096 -f ~/.ssh/rlch-gcp

Add the public key to your Project Metadata or VM Metadata under SSH Keys by following these steps.

Create the RLC Pro Hardened Instance

INSTANCE_NAME="vm-rlch"
ZONE="us-central1-a"
MACHINE_TYPE="e2-standard-2"

gcloud compute instances create "$INSTANCE_NAME" \
  --zone "$ZONE" \
  --machine-type "$MACHINE_TYPE" \
  --image "$IMAGE" \
  --subnet "$SUBNET_NAME" \
  --tags "rlch-ssh" \
  --boot-disk-size "30GB" \
  --boot-disk-type "pd-ssd" \
  --shielded-secure-boot

Verify the Instance

Get the external IP

gcloud compute instances describe "$INSTANCE_NAME" \
  --zone "$ZONE" \
  --format='get(networkInterfaces[0].accessConfigs[0].natIP)'

SSH into the instance

gcloud compute ssh rocky@"$INSTANCE_NAME" --zone "$ZONE"

Confirm RLC Pro Hardened version and hardening

cat /etc/os-release
rpm -qa | grep lkrg
Note
The default SSH user is rocky. You must use the private key corresponding to the SSH key added to your project or instance metadata.

Next Steps

  • Restrict firewall rules to admin IPs or private networks.
  • Use Customer-Managed Encryption Keys (CMEK) for data-at-rest encryption.
  • Enable Cloud Logging and Cloud Monitoring for auditing and metrics.
  • Configure OS Login or IAP tunneling for secure SSH access.
  • Run compliance checks (oscap, scap-security-guide) as needed.

Best Practices for RLC Pro Hardened on GCP

Security

  • Enforce OS Login and MFA; prefer IAP tunneling over public SSH.
  • Keep Shielded VM and Secure Boot enabled.
  • Use least-privilege service accounts and avoid storing long-lived keys.
  • Centralize logging via Cloud Logging and Security Command Center.

Performance with Security

  • Prefer N2 or C2 machine families for compute-heavy workloads.
  • Use pd-ssd or balanced PD for production systems.
  • Monitor LKRG and hardened malloc overhead using Cloud Monitoring metrics.

Compliance

  • Use OSCAP or CIS/STIG benchmarks for compliance validation.
  • Export compliance results to Cloud Storage for audit tracking.
  • Tag resources appropriately for governance and inventory.

High Availability

  • Deploy across multiple zones for redundancy.
  • Use regional disks or snapshots for durability.
  • Add Load Balancing for distributed applications.
  • Implement Backup & DR with scheduled backups and encryption.

For additional security configurations and troubleshooting, see the main RLC Pro Hardened documentation.