Microservices on Cloud Run + VPC Network

Transcript

1. Microservices on Cloud Run + VPC Network Yuki Ito (@mrno110)

   Backend LT

2. Kauche Architect Yuki Ito @mrno110

3. None

4. Agenda ɾArchitecture ɾCloud Run Service-to-Service Networking

5. Agenda ɾArchitecture ɾCloud Run Service-to-Service Networking

6. What is Cloud Run Cloud Run is a managed compute

   platform that enables you to run containers that are invocable via requests or events. Cloud Run is serverless: it abstracts away all infrastructure management... https://cloud.google.com/run/docs

7. Architecture Run Tasks Pub/Sub Mobile App External Service Mobile API

   Web Hook API Job API Scheduler

8. from Single Service

9. to Multiple Services

10. Agenda ɾArchitecture ɾCloud Run Service-to-Service Networking

11. Agenda ɾArchitecture ɾCloud Run Service-to-Service Networking

12. Cloud Run Service-to-Service Networking • Access Control • Serverless VPC

    Access Connector • Shared VPC Network • VPC Service Controls Perimeter

13. Cloud Run Service-to-Service Networking • Access Control • Serverless VPC

    Access Connector • Shared VPC Network • VPC Service Controls Perimeter

14. Access Control

15. Access Control

16. Access Control • Access Control with IAM • Restricting Ingress

17. Access Control with IAM

18. Access Control with IAM

19. Restricting Ingress

20. Ingress Setting • all • internal-and-cloud-load-balancing • internal

21. Ingress Setting all

22. Ingress Setting internal-and-cloud-load-balancing

23. Ingress Setting internal

24. Ingress Setting --- apiVersion: serving.knative.dev/v1 kind: Service metadata: annotations: run.googleapis.com/ingress:

    internal name: service-c spec: # ...

25. Ingress Setting --- apiVersion: serving.knative.dev/v1 kind: Service metadata: annotations: run.googleapis.com/ingress:

    internal name: service-c spec: # ...

26. Access Control Ingress settings and IAM authentication methods are two

    ways of managing access to a service. They are independent of each other. For a layered approach to managing access, use both. https://cloud.google.com/run/docs/securing/ingress

27. Access Control

28. Cloud Run Service-to-Service Networking • Access Control • Serverless VPC

    Access Connector • Shared VPC Network • VPC Service Controls Perimeter

29. Cloud Run Service-to-Service Networking • Access Control • Serverless VPC

    Access Connector • Shared VPC Network • VPC Service Controls Perimeter

30. Serverless VPC Access Conector Ingress Setting: internal

31. Serverless VPC Access Conector What does "internl" mean...? https://cloud.google.com/run/docs/securing/ingress#settings

32. Serverless VPC Access Conector By default, requests from other Cloud

    Run Services are not treated as "internal"

33. Serverless VPC Access Conector For requests from other Cloud Run

    services ... in the same project, connect the service ... to a VPC network and route all egress through the connector... https://cloud.google.com/run/docs/securing/ingress#internal-services

34. Serverless VPC Access Conector

35. Serverless VPC Access Conector Serverless VPC Access makes it possible

    for you to connect directly to your Virtual Private Cloud network from serverless environments such as Cloud Run... https://cloud.google.com/vpc/docs/serverless-vpc-access What is "Serverless VPC Access"...?

36. Serverless VPC Access Conector --- apiVersion: serving.knative.dev/v1 kind: Service metadata:

    name: service-a spec: template: metadata: annotations: run.googleapis.com/vpc-access-egress: all-traffic run.googleapis.com/vpc-access-connector: projects/<Project Name>/locations/asia-northeast1/connectors/<Connector Name> # ...

37. Serverless VPC Access Conector

38. Cloud Run Service-to-Service Networking • Access Control • Serverless VPC

    Access Connector • Shared VPC Network • VPC Service Controls Perimeter

39. Cloud Run Service-to-Service Networking • Access Control • Serverless VPC

    Access Connector • Shared VPC Network • VPC Service Controls Perimeter

40. Single VPC Network

41. Shared VPC Network

42. Shared VPC Network Shared VPC allows an organization to connect

    resources from multiple projects to a common Virtual Private Cloud (VPC) network, so that they can communicate with each other securely and e ffi ciently using internal IPs from that network https://cloud.google.com/vpc/docs/shared-vpc What is "Shared VPC"...?

43. Shared VPC Network ✅ Delegating network responsibilities to administrators ✅

    Centralized control over network resources

44. Shared VPC Network

45. Shared VPC Network By default, requests through the Shared VPC

    Host Project are not treated as "internal"

46. Shared VPC Network Resources in Shared VPC networks can only

    call internal services if the Shared VPC resources and the internal service are in the same VPC SC perimeter https://cloud.google.com/run/docs/securing/ingress#internal-services

47. Cloud Run Service-to-Service Networking • Access Control • Serverless VPC

    Access Connector • Shared VPC Network • VPC Service Controls Perimeter

48. Cloud Run Service-to-Service Networking • Access Control • Serverless VPC

    Access Connector • Shared VPC Network • VPC Service Controls Perimeter

49. VPC Service Controls Perimeter VPC Service Controls improves your ability

    to mitigate the risk of data ex fi ltration from Google Cloud services... You can use VPC Service Controls to create perimeters that protect the resources and data... https://cloud.google.com/vpc-service-controls/docs/overview What is "VPC Service Controls Perimeter"...?

50. VPC Service Controls Perimeter e.g. Compromised Service Account

51. VPC Service Controls Perimeter e.g. Compromised Service Account

52. VPC Service Controls Perimeter e.g. Compromised Service Account

53. VPC Service Controls Perimeter

54. Cloud Run Service-to-Service Networking • Access Control • Serverless VPC

    Access Connector • Shared VPC Network • VPC Service Controls Perimeter

55. VPC Service Controls Perimeter