Networking Google Cloud Build with Aviatrix

According to the Google Cloud Build overview documentation, Cloud Build executes builds (a build is a set of instructions for Cloud Build to perform tasks) as a series of build steps, each of which runs in its own Docker container. Executing build steps is analogous to executing commands in a script.

Private pools

Cloud Build by default runs in a secure, hosted environment with access to the public internet. Each build runs on its own worker and is isolated from other workloads.

Private pools are dedicated pools of workers that can access resources in a private network.

Private pools are hosted in a Google-owned service producer network. For builds to access resources in a private network, a private VPC peering connection between the VPC network and the service producer network is required.

Diagram from https://cloud.google.com/build/docs/private-pools/private-pools-overview

Aviatrix Cloud Networking Reference Architecture

The Aviatrix FireNet reference architecture is described below:

Private Connection Configuration

Enable API:

In the VPC network, allocate a named IP range:

Cloud Build reserves the IP range 192.168.10.0/24 for the Docker bridge network.

Each service producer requires a minimum prefix size of /24. Create a private connection between the service producer network and your VPC network:

Route configuration:

Aviatrix spoke gateway configuration:

  • spoke50:
  • spoke60:

Permissions:

  • Cloud Run runs under the Cloud Build Service Account

Create a pool:
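The configuration steps above (enable the API, allocate a named range, create the private connection, export routes, create the pool) as a shell script, added here as an example and not taken from the original post. It adds the pre-flight check a practitioner wants before allocating the range: the block must be at least a /24 and must not overlap 192.168.10.0/24, which Cloud Build reserves for the Docker bridge inside each worker. The project, network, region, range and pool names are assumed placeholders; the gcloud invocations use the documented flags, and the peering name servicenetworking-googleapis-com is the one Google assigns to the Service Networking peering.

```shell
#!/bin/sh
# Added example (not from the original post): wire a Cloud Build private pool
# to an Aviatrix-attached VPC. Defaults to DRY_RUN=1, which prints the plan;
# run with DRY_RUN=0 to execute the gcloud commands.

PROJECT="${PROJECT:-my-project}"            # placeholder project id
NETWORK="${NETWORK:-spoke60-vpc}"           # placeholder: VPC behind the Aviatrix spoke gateway
REGION="${REGION:-us-central1}"
RANGE_NAME="${RANGE_NAME:-cloudbuild-private-pool-range}"
RANGE_ADDR="${RANGE_ADDR:-192.168.0.0}"     # placeholder first address of the range to allocate
RANGE_PREFIX="${RANGE_PREFIX:-24}"
POOL="${POOL:-private-pool-spoke60}"        # placeholder pool name
DOCKER_BRIDGE="192.168.10.0/24"             # reserved by Cloud Build for the Docker bridge
DRY_RUN="${DRY_RUN:-1}"

# Print the command when DRY_RUN=1, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Dotted-quad IPv4 address -> 32-bit integer (subshell body keeps the IFS change local).
ip2int() (
  IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# Network address of a.b.c.d/n as an integer.
cidr_net() {
  addr=${1%/*}; len=${1#*/}
  mask=$(( 4294967295 << (32 - len) & 4294967295 ))
  echo $(( $(ip2int "$addr") & mask ))
}

# True (0) when two CIDR blocks overlap: under the shorter prefix both networks are equal.
cidr_overlap() {
  l1=${1#*/}; l2=${2#*/}
  olen=$(( l1 < l2 ? l1 : l2 ))
  omask=$(( 4294967295 << (32 - olen) & 4294967295 ))
  [ $(( $(cidr_net "$1") & omask )) -eq $(( $(cidr_net "$2") & omask )) ]
}

# The range handed to the service producer must be a /24 or larger and must
# stay clear of the Docker bridge block reserved inside every worker.
check_range() {
  if [ "${1#*/}" -gt 24 ]; then
    echo "range $1 is smaller than the /24 minimum a service producer requires" >&2
    return 1
  fi
  if cidr_overlap "$1" "$DOCKER_BRIDGE"; then
    echo "range $1 overlaps $DOCKER_BRIDGE, reserved by Cloud Build for the Docker bridge" >&2
    return 1
  fi
  return 0
}

enable_apis() {
  run gcloud services enable cloudbuild.googleapis.com servicenetworking.googleapis.com \
      --project="$PROJECT"
}

allocate_range() {
  check_range "$RANGE_ADDR/$RANGE_PREFIX" || return 1
  run gcloud compute addresses create "$RANGE_NAME" --global --purpose=VPC_PEERING \
      --addresses="$RANGE_ADDR" --prefix-length="$RANGE_PREFIX" \
      --network="$NETWORK" --project="$PROJECT"
}

create_private_connection() {
  run gcloud services vpc-peerings connect --service=servicenetworking.googleapis.com \
      --ranges="$RANGE_NAME" --network="$NETWORK" --project="$PROJECT"
}

# Route configuration: export the VPC's custom routes (the routes the Aviatrix
# spoke gateway installs) over the peering so workers can reach the spoke side.
configure_routes() {
  run gcloud compute networks peerings update servicenetworking-googleapis-com \
      --network="$NETWORK" --export-custom-routes --project="$PROJECT"
}

# --no-public-egress keeps workers off the public internet; everything must go via the VPC.
create_pool() {
  run gcloud builds worker-pools create "$POOL" --region="$REGION" --project="$PROJECT" \
      --peered-network="projects/$PROJECT/global/networks/$NETWORK" --no-public-egress
}

main() {
  enable_apis && allocate_range && create_private_connection && configure_routes && create_pool
}

main
```

Review the printed plan first, then run it with DRY_RUN=0 (and your own PROJECT, NETWORK and RANGE_ADDR values exported) to apply it.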

Testing

The testing topology is shown below:

I describe how to deploy a GKE cluster on top of an Aviatrix cloud network in the following post:

We will verify that the solution is working by running the command kubectl get nodes in a build step that runs in the private pool:

steps:
  - name: "gcr.io/cloud-builders/kubectl"
    args: ['get', 'nodes']
    env:
      - 'CLOUDSDK_COMPUTE_REGION=us-central1-c'
      - 'CLOUDSDK_CONTAINER_CLUSTER=gke-us-central1-cluster'
options:
  workerPool:
    'projects/rtrentin01/locations/us-central1/workerPools/private-pool-spoke60'

To submit the build, run:

gcloud builds submit --config=cloudbuild.yaml

We can also check the console: Cloud Build -> History:

References

https://cloud.google.com/build/docs/overview

https://cloud.google.com/architecture/accessing-private-gke-clusters-with-cloud-build-private-pools
