Going full DevOps with GCP (Draft)


Google API Access

Instances in VPC can reach Google and third-party APIs and services without an external IP address.

All Google Cloud APIs and services support private access.

The access methods differ for services in VPC networks compared to services in Google's production infrastructure.

Advantages:

  • decreased network latency
  • increased network security
  • lower network cost

Networking Services API

Container Registry

ricardotrentin@RicardontinsMBP % docker pull nginx:latest
ricardotrentin@RicardontinsMBP % gcloud auth configure-docker
ricardotrentin@RicardontinsMBP % docker tag nginx gcr.io/rtrentin-01/nginx
ricardotrentin@RicardontinsMBP % docker push gcr.io/rtrentin-01/nginx
ricardotrentin@RicardontinsMBP Downloads % docker images
REPOSITORY                 TAG       IMAGE ID       CREATED       SIZE
gcr.io/rtrentin-01/nginx   latest    d8906c7d4c44   2 weeks ago   135MB
nginx                      latest    d8906c7d4c44   2 weeks ago   135MB

Serverless VPC Access

Cloud Build

Cloud Build is a managed service on Google Cloud Platform infrastructure that allows you to continuously build, test and deploy containers.

Private pools are customer-specific resources and can be customized. One customization option is the capability to disable the association of external IPs:

Once a pool is created, we can connect repositories and set up triggers:

Using 2nd generation:

Testing

ricardotrentin@RicardontinsMBP gcp % cat cloudbuild.yaml 
steps:
- name: "gcr.io/cloud-builders/kubectl"
  args: ['get', 'nodes']
  env:
  - 'CLOUDSDK_COMPUTE_REGION=us-east1'
  - 'CLOUDSDK_CONTAINER_CLUSTER=gke-east-vpc001'
options:
  workerPool:
    'projects/rtrentin-01/locations/us-east1/workerPools/vpc001-private-pool'
logsBucket: 'gs://rtrentin-01_cloudbuild'
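Before wiring this config to a trigger, it is worth checking that it really is pinned to the private pool and pulls builders only from trusted registries. The following policy check is an added example, not part of the post; it assumes the config is already parsed into a dict (PyYAML is not assumed), that the trusted registries are Google's cloud-builders and the project's own gcr.io/rtrentin-01, and adds a digest-pinning rule that the post itself does not state.

```python
import re

# Constructed: the post's cloudbuild.yaml, already parsed into a dict.
POST_CONFIG = {
    "steps": [{
        "name": "gcr.io/cloud-builders/kubectl",
        "args": ["get", "nodes"],
        "env": ["CLOUDSDK_COMPUTE_REGION=us-east1",
                "CLOUDSDK_CONTAINER_CLUSTER=gke-east-vpc001"],
    }],
    "options": {"workerPool": "projects/rtrentin-01/locations/us-east1"
                              "/workerPools/vpc001-private-pool"},
    "logsBucket": "gs://rtrentin-01_cloudbuild",
}

# Full resource name of a private worker pool; the project segment is captured
# so a pool owned by another project can be rejected.
POOL_RE = re.compile(r"^projects/(?P<project>[^/]+)/locations/[^/]+/workerPools/[^/]+$")

# Registries a step may pull its builder image from (assumption): Google's
# cloud-builders and the project's own Container Registry used in the post.
TRUSTED_PREFIXES = ("gcr.io/cloud-builders/", "gcr.io/rtrentin-01/")


def check_build(config, project="rtrentin-01"):
    """Return a list of policy findings for one Cloud Build config (empty = ok)."""
    findings = []
    pool = (config.get("options") or {}).get("workerPool", "")
    m = POOL_RE.match(pool)
    if m is None:
        findings.append("options.workerPool missing: build would run on the "
                        "default shared pool with external IPs")
    elif m.group("project") != project:
        findings.append(f"workerPool belongs to project {m.group('project')!r}")
    for i, step in enumerate(config.get("steps", [])):
        image = step.get("name", "")
        if not image.startswith(TRUSTED_PREFIXES):
            findings.append(f"step {i}: builder {image!r} not from a trusted registry")
        if "@sha256:" not in image:  # no digest means a mutable tag (latest)
            findings.append(f"step {i}: builder {image!r} not pinned by digest")
    if not config.get("logsBucket", "").startswith(f"gs://{project}"):
        findings.append("logsBucket missing or not owned by the project")
    return findings


if __name__ == "__main__":
    for f in check_build(POST_CONFIG):
        print("FINDING:", f)
```

Run against the post's own config, the only finding is that the kubectl builder is referenced by mutable tag rather than digest.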

Baseline

Private Pool without Public IP

Enabling FQDN

AVX creates a 0.0.0.0/0 route pointing to the gateway with priority 991 (shown below) and an instance tag avx-snat-noip:

The challenge is that tagged routes are not exported:

Method 1:

  • Adding manually:
    • Priority 1000 is also used for avx gw internet route
    • Priority < 1000 creates a route loop with the avx gw

All traffic is brought to the FQDN device, which is not exactly the desired end state. Also, traffic from Cloud Build is not "attracted" to the avx gw.

Cloud Run

Run containers on a fully managed platform

ricardotrentin@RicardontinsMBP gcp % docker images
REPOSITORY                 TAG       IMAGE ID       CREATED       SIZE
nginx                      latest    d8906c7d4c44   3 weeks ago   135MB
gcr.io/rtrentin-01/nginx   latest    d8906c7d4c44   3 weeks ago   135MB
curlimages/curl            latest    3e48386b76e2   6 weeks ago   14.4MB
gcr.io/rtrentin-01/curl    latest    3e48386b76e2   6 weeks ago   14.4MB

Networking options:

Cloud Function

Cloud Functions is a lightweight, event-based, asynchronous compute solution that allows you to create small, single-purpose functions that respond to cloud events – without the need to manage a server or a runtime environment.

Cloud Composer

A fully managed workflow orchestration service built on Apache Airflow.

Environments are self-contained Airflow deployments based on Google Kubernetes Engine.

Once we hit create:

