
Microservices on Cloud Run + VPC Network


Yuki Ito

July 18, 2022


Transcript

  1. Microservices on Cloud Run + VPC Network Yuki Ito (@mrno110)

    Backend LT
  2. Kauche Architect Yuki Ito @mrno110

  3. None
  4. Agenda • Architecture • Cloud Run Service-to-Service Networking

  5. Agenda • Architecture • Cloud Run Service-to-Service Networking

  6. What is Cloud Run Cloud Run is a managed compute

    platform that enables you to run containers that are invocable via requests or events. Cloud Run is serverless: it abstracts away all infrastructure management... https://cloud.google.com/run/docs
  7. Architecture Run Tasks Pub/Sub Mobile App External Service Mobile API

    Web Hook API Job API Scheduler
  8. from Single Service

  9. to Multiple Services

  10. Agenda • Architecture • Cloud Run Service-to-Service Networking

  11. Agenda • Architecture • Cloud Run Service-to-Service Networking

  12. Cloud Run Service-to-Service Networking • Access Control • Serverless VPC

    Access Connector • Shared VPC Network • VPC Service Controls Perimeter
  13. Cloud Run Service-to-Service Networking • Access Control • Serverless VPC

    Access Connector • Shared VPC Network • VPC Service Controls Perimeter
  14. Access Control

  15. Access Control

  16. Access Control • Access Control with IAM • Restricting Ingress

  17. Access Control with IAM

  18. Access Control with IAM

  19. Restricting Ingress

  20. Ingress Setting • all • internal-and-cloud-load-balancing • internal

  21. Ingress Setting all

  22. Ingress Setting internal-and-cloud-load-balancing

  23. Ingress Setting internal

  24. Ingress Setting

    ---
    apiVersion: serving.knative.dev/v1
    kind: Service
    metadata:
      annotations:
        run.googleapis.com/ingress: internal
      name: service-c
    spec:
      # ...
  25. Ingress Setting

    ---
    apiVersion: serving.knative.dev/v1
    kind: Service
    metadata:
      annotations:
        run.googleapis.com/ingress: internal
      name: service-c
    spec:
      # ...
  26. Access Control Ingress settings and IAM authentication methods are two

    ways of managing access to a service. They are independent of each other. For a layered approach to managing access, use both. https://cloud.google.com/run/docs/securing/ingress
  27. Access Control

  28. Cloud Run Service-to-Service Networking • Access Control • Serverless VPC

    Access Connector • Shared VPC Network • VPC Service Controls Perimeter
  29. Cloud Run Service-to-Service Networking • Access Control • Serverless VPC

    Access Connector • Shared VPC Network • VPC Service Controls Perimeter
  30. Serverless VPC Access Connector Ingress Setting: internal

  31. Serverless VPC Access Connector What does "internal" mean...? https://cloud.google.com/run/docs/securing/ingress#settings

  32. Serverless VPC Access Connector By default, requests from other Cloud

    Run Services are not treated as "internal"
  33. Serverless VPC Access Connector For requests from other Cloud Run

    services ... in the same project, connect the service ... to a VPC network and route all egress through the connector... https://cloud.google.com/run/docs/securing/ingress#internal-services
  34. Serverless VPC Access Connector

  35. Serverless VPC Access Connector Serverless VPC Access makes it possible

    for you to connect directly to your Virtual Private Cloud network from serverless environments such as Cloud Run... https://cloud.google.com/vpc/docs/serverless-vpc-access What is "Serverless VPC Access"...?
  36. Serverless VPC Access Connector

    ---
    apiVersion: serving.knative.dev/v1
    kind: Service
    metadata:
      name: service-a
    spec:
      template:
        metadata:
          annotations:
            run.googleapis.com/vpc-access-egress: all-traffic
            run.googleapis.com/vpc-access-connector: projects/<Project Name>/locations/asia-northeast1/connectors/<Connector Name>
      # ...
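The deck's point across slides 24 to 36 is that three settings have to line up for a service to be reachable only from the right callers: the callee's ingress is "internal", the caller routes all egress through a Serverless VPC Access connector (otherwise its requests are not treated as internal), and IAM still gates who may invoke. The following policy check is an added example, not code from the talk or from Google: it lints Cloud Run Service manifests and their IAM policies for exactly those three conditions. The manifests are built as plain Python dicts mirroring the YAML on the slides (so no YAML library is needed), and the sample IAM policies, the service-account e-mail and the connector path are constructed placeholders.

```python
"""Lint Cloud Run Service manifests for layered service-to-service access.

Added example (not from the deck). Checks three things the slides describe:
  1. run.googleapis.com/ingress is "internal" (or internal-and-cloud-load-balancing)
  2. egress goes through a Serverless VPC Access connector with "all-traffic",
     so this service's requests count as "internal" to other services
  3. roles/run.invoker is not granted to allUsers / allAuthenticatedUsers
"""
from __future__ import annotations

PRIVATE_INGRESS = {"internal", "internal-and-cloud-load-balancing"}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
INGRESS_KEY = "run.googleapis.com/ingress"
CONNECTOR_KEY = "run.googleapis.com/vpc-access-connector"
EGRESS_KEY = "run.googleapis.com/vpc-access-egress"


def check_ingress(manifest: dict) -> list[str]:
    """Flag services whose ingress setting allows traffic from the public internet."""
    annotations = manifest.get("metadata", {}).get("annotations") or {}
    ingress = annotations.get(INGRESS_KEY, "all")  # Cloud Run default is "all"
    if ingress not in PRIVATE_INGRESS:
        return [f"ingress is '{ingress}'; expected one of {sorted(PRIVATE_INGRESS)}"]
    return []


def check_vpc_egress(manifest: dict) -> list[str]:
    """Flag services that do not route all egress through a VPC connector."""
    template = manifest.get("spec", {}).get("template", {})
    annotations = template.get("metadata", {}).get("annotations") or {}
    connector = annotations.get(CONNECTOR_KEY)
    egress = annotations.get(EGRESS_KEY)
    if not connector:
        return ["no Serverless VPC Access connector; outbound requests are not treated as internal"]
    if egress != "all-traffic":
        return [f"vpc-access-egress is '{egress}'; expected 'all-traffic' so every request uses the connector"]
    return []


def check_invoker_policy(policy: dict) -> list[str]:
    """Flag IAM bindings that make the service publicly invocable."""
    findings = []
    for binding in policy.get("bindings", []):
        if binding.get("role") != "roles/run.invoker":
            continue
        for member in sorted(PUBLIC_MEMBERS & set(binding.get("members", []))):
            findings.append(f"roles/run.invoker granted to {member}; service is publicly invocable")
    return findings


def audit(manifest: dict, policy: dict) -> list[str]:
    """Run all three checks; an empty list means the layered setup is complete."""
    return check_ingress(manifest) + check_vpc_egress(manifest) + check_invoker_policy(policy)


# --- constructed sample inputs, mirroring the YAML on the slides ---------------
CONNECTOR = "projects/example-project/locations/asia-northeast1/connectors/example-connector"  # placeholder

# slide 24: ingress restricted, but no connector configured for its own egress
SERVICE_C = {
    "apiVersion": "serving.knative.dev/v1", "kind": "Service",
    "metadata": {"name": "service-c", "annotations": {INGRESS_KEY: "internal"}},
    "spec": {"template": {"metadata": {"annotations": {}}}},
}

# slide 36: egress through the connector, but ingress left at the default ("all")
SERVICE_A = {
    "apiVersion": "serving.knative.dev/v1", "kind": "Service",
    "metadata": {"name": "service-a"},
    "spec": {"template": {"metadata": {"annotations": {EGRESS_KEY: "all-traffic", CONNECTOR_KEY: CONNECTOR}}}},
}

# both settings applied: the configuration the deck is working toward
SERVICE_HARDENED = {
    "apiVersion": "serving.knative.dev/v1", "kind": "Service",
    "metadata": {"name": "service-b", "annotations": {INGRESS_KEY: "internal"}},
    "spec": {"template": {"metadata": {"annotations": {EGRESS_KEY: "all-traffic", CONNECTOR_KEY: CONNECTOR}}}},
}

POLICY_PUBLIC = {"bindings": [{"role": "roles/run.invoker", "members": ["allUsers"]}]}
POLICY_PRIVATE = {"bindings": [{"role": "roles/run.invoker",
                                "members": ["serviceAccount:caller@example-project.iam.gserviceaccount.com"]}]}

if __name__ == "__main__":
    for name, manifest, policy in [("service-c", SERVICE_C, POLICY_PRIVATE),
                                   ("service-a", SERVICE_A, POLICY_PUBLIC),
                                   ("service-b", SERVICE_HARDENED, POLICY_PRIVATE)]:
        findings = audit(manifest, policy)
        print(f"{name}: {'OK' if not findings else ''}")
        for finding in findings:
            print(f"  - {finding}")
```

Running the script prints one finding for service-c (no connector, so its own calls to other internal services would be rejected), two for service-a (default ingress plus a public invoker binding), and OK for the hardened manifest; the same functions can be pointed at manifests exported with the Cloud Run API or at `gcloud run services get-iam-policy` output once parsed into dicts.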
  37. Serverless VPC Access Connector

  38. Cloud Run Service-to-Service Networking • Access Control • Serverless VPC

    Access Connector • Shared VPC Network • VPC Service Controls Perimeter
  39. Cloud Run Service-to-Service Networking • Access Control • Serverless VPC

    Access Connector • Shared VPC Network • VPC Service Controls Perimeter
  40. Single VPC Network

  41. Shared VPC Network

  42. Shared VPC Network Shared VPC allows an organization to connect

    resources from multiple projects to a common Virtual Private Cloud (VPC) network, so that they can communicate with each other securely and efficiently using internal IPs from that network https://cloud.google.com/vpc/docs/shared-vpc What is "Shared VPC"...?
  43. Shared VPC Network ✅ Delegating network responsibilities to administrators ✅

    Centralized control over network resources
  44. Shared VPC Network

  45. Shared VPC Network By default, requests through the Shared VPC

    Host Project are not treated as "internal"
  46. Shared VPC Network Resources in Shared VPC networks can only

    call internal services if the Shared VPC resources and the internal service are in the same VPC SC perimeter https://cloud.google.com/run/docs/securing/ingress#internal-services
  47. Cloud Run Service-to-Service Networking • Access Control • Serverless VPC

    Access Connector • Shared VPC Network • VPC Service Controls Perimeter
  48. Cloud Run Service-to-Service Networking • Access Control • Serverless VPC

    Access Connector • Shared VPC Network • VPC Service Controls Perimeter
  49. VPC Service Controls Perimeter VPC Service Controls improves your ability

    to mitigate the risk of data exfiltration from Google Cloud services... You can use VPC Service Controls to create perimeters that protect the resources and data... https://cloud.google.com/vpc-service-controls/docs/overview What is "VPC Service Controls Perimeter"...?
  50. VPC Service Controls Perimeter e.g. Compromised Service Account

  51. VPC Service Controls Perimeter e.g. Compromised Service Account

  52. VPC Service Controls Perimeter e.g. Compromised Service Account

  53. VPC Service Controls Perimeter

  54. Cloud Run Service-to-Service Networking • Access Control • Serverless VPC

    Access Connector • Shared VPC Network • VPC Service Controls Perimeter
  55. VPC Service Controls Perimeter