
Google API Access
Instances in a VPC can reach Google and third-party APIs and services without an external IP address.
All Google Cloud APIs and services support private access.
The access methods differ for services hosted in VPC networks and services hosted in Google's production infrastructure.
Advantages:
- decreased network latency
- increased network security
- lower network cost
Networking Services API

Container Registry

ricardotrentin@RicardontinsMBP % docker pull nginx:latest
ricardotrentin@RicardontinsMBP % gcloud auth configure-docker
ricardotrentin@RicardontinsMBP % docker tag nginx gcr.io/rtrentin-01/nginx
ricardotrentin@RicardontinsMBP % docker push gcr.io/rtrentin-01/nginx
ricardotrentin@RicardontinsMBP Downloads % docker images
REPOSITORY                 TAG      IMAGE ID       CREATED       SIZE
gcr.io/rtrentin-01/nginx   latest   d8906c7d4c44   2 weeks ago   135MB
nginx                      latest   d8906c7d4c44   2 weeks ago   135MB

Serverless VPC Access

Cloud Build
Cloud Build is a managed service on Google Cloud Platform infrastructure that allows you to continuously build, test and deploy containers.

Private pools are customer-specific resources and can be customized. One customization option is the ability to disable the assignment of external IPs to the workers:

Once a pool is created, we can connect repositories and set up triggers:

Using 2nd generation:

Testing
ricardotrentin@RicardontinsMBP gcp % cat cloudbuild.yaml
steps:
- name: "gcr.io/cloud-builders/kubectl"
  args: ['get', 'nodes']
  env:
  - 'CLOUDSDK_COMPUTE_REGION=us-east1'
  - 'CLOUDSDK_CONTAINER_CLUSTER=gke-east-vpc001'
options:
  workerPool: 'projects/rtrentin-01/locations/us-east1/workerPools/vpc001-private-pool'
logsBucket: 'gs://rtrentin-01_cloudbuild'
Baseline

Private Pool without Public IP

Enabling FQDN
AVX creates a 0.0.0.0/0 route pointing to the gateway with priority 991 (shown below), restricted to instances carrying the network tag avx-snat-noip:

The challenge is that tagged routes are not exported over VPC peering, so the Cloud Build private pool never sees this route:

Method 1:
- Add an untagged copy of the route manually:
- Priority 1000 is already used by the avx gw internet route
- Priority < 1000 creates a route loop with the avx gw

All traffic in the VPC is now brought to the FQDN device, which is not exactly the desired end state. Also, traffic from Cloud Build is still not "attracted" to the avx gw.
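A small model of GCP route selection for the route table described above, added here as an example and not part of the original notes. It assumes three documented GCP behaviours (tagged routes apply only to instances carrying the tag; tagged routes and routes via the default internet gateway are not exported over VPC peering; longest prefix and then lowest priority value wins); the route names and the priority 990 are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Route:
    dest: str                      # CIDR
    priority: int                  # lower value wins among equal-length prefixes
    next_hop: str
    tags: frozenset = frozenset()  # network tags; empty = applies to all instances

# Constructed sample route table for the scenario in the notes.
BASE = [
    Route("0.0.0.0/0", 1000, "default-internet-gateway"),             # VPC default route
    Route("0.0.0.0/0", 991, "avx-gw", frozenset({"avx-snat-noip"})),  # created by AVX
]
# "Method 1": an untagged copy of the AVX route with priority < 1000 (990 is a sample value).
MANUAL = BASE + [Route("0.0.0.0/0", 990, "avx-gw")]

def visible(routes, instance_tags, peered=False):
    """Routes an instance can use. Tagged routes need a matching tag and, like
    routes via the default internet gateway, are not exported to a peered
    network such as the one hosting a Cloud Build private pool (assumed GCP rules)."""
    out = []
    for r in routes:
        if peered and (r.tags or r.next_hop == "default-internet-gateway"):
            continue
        if r.tags and not (r.tags & instance_tags):
            continue
        out.append(r)
    return out

def select(routes, instance_tags, dst, peered=False):
    """Longest prefix match, then lowest priority value."""
    ip = ipaddress.ip_address(dst)
    cands = [r for r in visible(routes, frozenset(instance_tags), peered)
             if ip in ipaddress.ip_network(r.dest)]
    if not cands:
        return None
    return min(cands, key=lambda r: (-ipaddress.ip_network(r.dest).prefixlen, r.priority))

def next_hop(routes, instance_tags, peered=False, dst="8.8.8.8"):
    r = select(routes, instance_tags, dst, peered)
    return r.next_hop if r else None

def loops(routes, gw_name="avx-gw", gw_tags=()):
    """True if the gateway VM's own internet-bound traffic is routed back to itself."""
    return next_hop(routes, gw_tags) == gw_name

if __name__ == "__main__":
    print(next_hop(BASE, {"avx-snat-noip"}))   # avx-gw: only tagged VMs use the FQDN path
    print(next_hop(BASE, set()))               # default-internet-gateway
    print(next_hop(BASE, set(), peered=True))  # None: the private-pool worker never sees the AVX route
    print(next_hop(MANUAL, set()))             # avx-gw: every VM in the VPC is now attracted
    print(loops(MANUAL))                       # True: the gateway routes to itself
```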

Cloud Run
Run containers on a fully managed platform

ricardotrentin@RicardontinsMBP gcp % docker images
REPOSITORY                 TAG      IMAGE ID       CREATED       SIZE
nginx                      latest   d8906c7d4c44   3 weeks ago   135MB
gcr.io/rtrentin-01/nginx   latest   d8906c7d4c44   3 weeks ago   135MB
curlimages/curl            latest   3e48386b76e2   6 weeks ago   14.4MB
gcr.io/rtrentin-01/curl    latest   3e48386b76e2   6 weeks ago   14.4MB

Networking options:

Cloud Function
Cloud Functions is a lightweight, event-based, asynchronous compute solution that allows you to create small, single-purpose functions that respond to cloud events, without the need to manage a server or a runtime environment.

Cloud Composer
A fully managed workflow orchestration service built on Apache Airflow.

Environments are self-contained Airflow deployments based on Google Kubernetes Engine.

Once we hit create:
