Microservices on Cloud Run + VPC Network

Yuki Ito

July 18, 2022

Transcript

  1. Microservices on Cloud Run + VPC Network
    Yuki Ito (@mrno110)
    Backend LT


  2. Kauche


    Architect
    Yuki Ito


    @mrno110


  3. Agenda
    • Architecture

    • Cloud Run Service-to-Service Networking


  5. What is Cloud Run
    Cloud Run is a managed compute
    platform that enables you to run
    containers that are invocable via
    requests or events.


    Cloud Run is serverless: it abstracts
    away all infrastructure management...
    https://cloud.google.com/run/docs


  6. Architecture
    [Architecture diagram: Cloud Run services Mobile API, Web Hook API and Job API; callers Mobile App and External Service; Cloud Tasks, Pub/Sub and Scheduler]


  7. from Single Service


  8. to Multiple Services


  9. Agenda
    • Architecture

    • Cloud Run Service-to-Service Networking


  11. Cloud Run Service-to-Service Networking
    • Access Control


    • Serverless VPC Access Connector


    • Shared VPC Network


    • VPC Service Controls Perimeter


  13. Access Control


  15. Access Control
    • Access Control with IAM


    • Restricting Ingress


  16. Access Control with IAM


  18. Restricting Ingress


  19. Ingress Setting
    • all


    • internal-and-cloud-load-balancing


    • internal


  20. Ingress Setting
    all


  21. Ingress Setting
    internal-and-cloud-load-balancing


  22. Ingress Setting
    internal


  23. Ingress Setting
    ---
    apiVersion: serving.knative.dev/v1
    kind: Service
    metadata:
      annotations:
        run.googleapis.com/ingress: internal
      name: service-c
    spec:
      # ...


  25. Access Control
    Ingress settings and IAM authentication
    methods are two ways of managing access to a
    service. They are independent of each other.
    For a layered approach to managing access,
    use both.
    https://cloud.google.com/run/docs/securing/ingress
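    The IAM layer described above, seen from the calling service. This is an added example, not code from the deck: it assumes the callee "service-c" was deployed with --no-allow-unauthenticated and that the caller's runtime service account has been granted roles/run.invoker on it (the gcloud command in the docstring shows that binding); SERVICE_C_URL is a placeholder, and the `opener` parameter exists only so the HTTP calls can be swapped out when running outside Cloud Run. The caller asks the metadata server for a Google-signed ID token whose audience is the callee's URL and sends it as a bearer token; Cloud Run validates the token and the invoker binding before the request ever reaches service-c.

```python
"""Caller side of an IAM-protected Cloud Run call (added example, not from
the slides).  Assumes the callee "service-c" was deployed with
--no-allow-unauthenticated and the caller's runtime service account was
granted roles/run.invoker on it, for example:

  gcloud run services add-iam-policy-binding service-c \\
      --region=asia-northeast1 \\
      --member=serviceAccount:sa-a@PROJECT.iam.gserviceaccount.com \\
      --role=roles/run.invoker

SERVICE_C_URL is a placeholder; the real value comes from
`gcloud run services describe service-c --format='value(status.url)'`.
"""
import json
import urllib.parse
import urllib.request

# Metadata server endpoint that mints a Google-signed ID token for the
# service's runtime identity (only reachable from inside Cloud Run).
METADATA_URL = ("http://metadata.google.internal/computeMetadata/v1"
                "/instance/service-identity/identity")
SERVICE_C_URL = "https://service-c-xxxxxxxx-an.a.run.app"  # placeholder


def metadata_token_url(audience: str) -> str:
    """Cloud Run compares the token's `aud` claim with the callee's URL, so the
    audience must be the target service URL, never the caller's own URL."""
    return f"{METADATA_URL}?{urllib.parse.urlencode({'audience': audience})}"


def fetch_id_token(audience: str, opener=urllib.request.urlopen) -> str:
    """Return the raw ID token (a JWT) for `audience` from the metadata server."""
    req = urllib.request.Request(
        metadata_token_url(audience),
        # The metadata server rejects requests without this header, which is
        # its guard against naive SSRF / redirect-based token theft.
        headers={"Metadata-Flavor": "Google"},
    )
    with opener(req, timeout=5) as resp:
        return resp.read().decode("utf-8").strip()


def authenticated_request(url: str, audience: str,
                          opener=urllib.request.urlopen) -> urllib.request.Request:
    """Build a request to `url` carrying an ID token minted for `audience`."""
    token = fetch_id_token(audience, opener)
    return urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})


def call_service_c(path: str = "/", opener=urllib.request.urlopen) -> dict:
    """GET a path on service-c and decode its JSON body.

    Cloud Run itself checks the bearer token and the roles/run.invoker binding
    in front of the container; a missing or wrong-audience token gets a 401/403
    from the platform, so service-c never sees unauthenticated traffic.
    """
    req = authenticated_request(SERVICE_C_URL + path, SERVICE_C_URL, opener)
    with opener(req, timeout=10) as resp:
        return json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    print(call_service_c("/healthz"))
```

    Note that the audience is the callee's base URL even when the request goes to a sub-path; minting one token per audience and caching it until shortly before expiry is the usual refinement, and the ingress setting on service-c is a separate, independent gate that this token does nothing to satisfy.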


  26. Access Control


  27. Cloud Run Service-to-Service Networking
    • Access Control


    • Serverless VPC Access Connector


    • Shared VPC Network


    • VPC Service Controls Perimeter


  29. Serverless VPC Access Connector
    Ingress Setting: internal


  30. Serverless VPC Access Connector
    What does "internal" mean...?
    https://cloud.google.com/run/docs/securing/ingress#settings


  31. Serverless VPC Access Connector
    By default, requests from other Cloud Run Services
    are not treated as "internal"


  32. Serverless VPC Access Connector
    For requests from other Cloud Run services ...
    in the same project, connect the service ... to a
    VPC network and route all egress through the
    connector...
    https://cloud.google.com/run/docs/securing/ingress#internal-services


  33. Serverless VPC Access Connector


  34. Serverless VPC Access Connector
    What is "Serverless VPC Access"...?
    Serverless VPC Access makes it possible for you
    to connect directly to your Virtual Private Cloud
    network from serverless environments such as
    Cloud Run...
    https://cloud.google.com/vpc/docs/serverless-vpc-access


  35. Serverless VPC Access Connector
    ---
    apiVersion: serving.knative.dev/v1
    kind: Service
    metadata:
      name: service-a
    spec:
      template:
        metadata:
          annotations:
            run.googleapis.com/vpc-access-egress: all-traffic
            run.googleapis.com/vpc-access-connector: projects//locations/asia-northeast1/connectors/
        # ...


  36. Serverless VPC Access Connector


  37. Cloud Run Service-to-Service Networking
    • Access Control


    • Serverless VPC Access Connector


    • Shared VPC Network


    • VPC Service Controls Perimeter


  39. Single VPC Network


  40. Shared VPC Network


  41. Shared VPC Network
    What is "Shared VPC"...?
    Shared VPC allows an organization to connect
    resources from multiple projects to a common
    Virtual Private Cloud (VPC) network, so that they
    can communicate with each other securely and
    efficiently using internal IPs from that network
    https://cloud.google.com/vpc/docs/shared-vpc


  42. Shared VPC Network
    ✅ Delegating network responsibilities to administrators


    ✅ Centralized control over network resources


  43. Shared VPC Network


  44. Shared VPC Network
    By default, requests through the Shared VPC Host Project
    are not treated as "internal"


  45. Shared VPC Network
    Resources in Shared VPC networks can only call
    internal services if the Shared VPC resources and
    the internal service are in the same VPC SC
    perimeter
    https://cloud.google.com/run/docs/securing/ingress#internal-services
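    The rules stated on slides 25, 32, 44 and 45 combine into a small reachability model: the ingress setting and the IAM invoker binding are independent gates, Cloud Run-to-Cloud Run traffic is only "internal" when the caller routes all egress through a connector into a VPC in the callee's project, and a connector in a Shared VPC host project only counts when the host project and the callee's project share a VPC Service Controls perimeter. The following is an added example, not code from the deck: the services, projects and perimeter below are constructed, the `RunService` record is a simplified stand-in for the real service configuration, and requests arriving through Cloud Load Balancing are deliberately not modelled.

```python
"""Reachability model for the Cloud Run rules on these slides (added example,
not from the deck; the services and projects below are constructed).
It answers "can caller reach callee?" by applying the two independent layers:
the ingress setting and the roles/run.invoker IAM binding.  Traffic arriving
through Cloud Load Balancing is not modelled."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class RunService:
    name: str
    project: str
    service_account: str                     # runtime identity used for outbound calls
    ingress: str = "all"                     # run.googleapis.com/ingress
    allow_unauthenticated: bool = False      # allUsers holds roles/run.invoker
    invokers: frozenset = frozenset()        # identities holding roles/run.invoker
    vpc_egress: str = "private-ranges-only"  # run.googleapis.com/vpc-access-egress
    connector_project: str = ""              # project owning the connector's VPC ("" = no connector)


def same_perimeter(project_a: str, project_b: str, perimeters: dict) -> bool:
    """`perimeters` maps a VPC SC perimeter name to the set of projects inside it."""
    return any(project_a in p and project_b in p for p in perimeters.values())


def ingress_allows(caller: RunService, callee: RunService, perimeters: dict):
    """Return (allowed, reason) for the callee's ingress setting alone."""
    if callee.ingress == "all":
        return True, "ingress=all: reachable from anywhere"
    # "internal" (and "internal-and-cloud-load-balancing") only admit traffic
    # arriving from a VPC network.  A Cloud Run caller sends to the callee's
    # public *.run.app URL, so the call is only "internal" when ALL egress is
    # forced through a connector; private-ranges-only leaves it on the internet.
    if not caller.connector_project or caller.vpc_egress != "all-traffic":
        return False, "caller egress does not go through a VPC connector"
    if caller.connector_project == callee.project:
        return True, "from a VPC network in the callee's project"
    # Shared VPC: the connector's VPC lives in the host project, so the host
    # project and the callee's project must sit in the same VPC SC perimeter.
    if same_perimeter(caller.connector_project, callee.project, perimeters):
        return True, "Shared VPC host project in the same VPC SC perimeter"
    return False, "Shared VPC host project outside the callee's VPC SC perimeter"


def iam_allows(caller: RunService, callee: RunService):
    """Return (allowed, reason) for the IAM layer alone."""
    if callee.allow_unauthenticated:
        return True, "allUsers has roles/run.invoker"
    if caller.service_account in callee.invokers:
        return True, f"{caller.service_account} has roles/run.invoker"
    return False, f"{caller.service_account} lacks roles/run.invoker"


def can_invoke(caller: RunService, callee: RunService, perimeters: dict):
    """Layered check: the request must pass BOTH ingress and IAM."""
    results = [ingress_allows(caller, callee, perimeters), iam_allows(caller, callee)]
    return all(ok for ok, _ in results), [why for _, why in results]


# Constructed topology: service-a calls service-c, which is internal-only and
# grants roles/run.invoker to service-a's runtime service account.
SERVICE_A = RunService("service-a", "proj-app", "sa-a@proj-app.iam.gserviceaccount.com")
SERVICE_C = RunService("service-c", "proj-app", "sa-c@proj-app.iam.gserviceaccount.com",
                       ingress="internal", invokers=frozenset({SERVICE_A.service_account}))
# Variants of the caller's networking configuration.
A_PRIVATE_RANGES = replace(SERVICE_A, connector_project="proj-app")          # connector, default egress
A_VIA_CONNECTOR = replace(A_PRIVATE_RANGES, vpc_egress="all-traffic")        # slide 35 configuration
A_VIA_SHARED_VPC = replace(A_VIA_CONNECTOR, connector_project="proj-host")   # connector in Shared VPC host
A_WRONG_IDENTITY = replace(A_VIA_CONNECTOR,
                           service_account="sa-x@proj-app.iam.gserviceaccount.com")
NO_PERIMETER = {}
PERIMETER = {"prod": {"proj-app", "proj-host"}}

if __name__ == "__main__":
    for label, caller, perims in [("no connector", SERVICE_A, NO_PERIMETER),
                                  ("private-ranges-only", A_PRIVATE_RANGES, NO_PERIMETER),
                                  ("all-traffic, same project", A_VIA_CONNECTOR, NO_PERIMETER),
                                  ("shared VPC, no perimeter", A_VIA_SHARED_VPC, NO_PERIMETER),
                                  ("shared VPC, same perimeter", A_VIA_SHARED_VPC, PERIMETER),
                                  ("wrong identity", A_WRONG_IDENTITY, NO_PERIMETER)]:
        ok, why = can_invoke(caller, SERVICE_C, perims)
        print(f"{label:28} -> {ok}  {why}")
```

    The private-ranges-only case is the one that bites in practice: attaching a connector is not enough, because the callee's run.app URL is a public address and only `all-traffic` sends it through the VPC. The model also shows why the deck keeps both layers: a caller that passes ingress with the wrong identity is still refused by IAM, and a caller with the invoker role is still refused by ingress until its egress path is fixed.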


  46. Cloud Run Service-to-Service Networking
    • Access Control


    • Serverless VPC Access Connector


    • Shared VPC Network


    • VPC Service Controls Perimeter


  48. VPC Service Controls Perimeter
    What is "VPC Service Controls Perimeter"...?
    VPC Service Controls improves your ability to
    mitigate the risk of data exfiltration from Google
    Cloud services...

    You can use VPC Service Controls to create
    perimeters that protect the resources and data...
    https://cloud.google.com/vpc-service-controls/docs/overview


  49. VPC Service Controls Perimeter
    e.g. Compromised Service Account


  52. VPC Service Controls Perimeter


  53. Cloud Run Service-to-Service Networking
    • Access Control


    • Serverless VPC Access Connector


    • Shared VPC Network


    • VPC Service Controls Perimeter


  54. VPC Service Controls Perimeter
