
Microservices on Cloud Run + VPC Network

Yuki Ito

July 18, 2022

Transcript

  1. Microservices on Cloud Run + VPC Network
    Yuki Ito (@mrno110)
    Backend LT

  2. Kauche
    Architect
    Yuki Ito
    @mrno110

  3. (image-only slide)

  4. Agenda
    • Architecture
    • Cloud Run Service-to-Service Networking

  6. What is Cloud Run
    Cloud Run is a managed compute
    platform that enables you to run
    containers that are invocable via
    requests or events.


    Cloud Run is serverless: it abstracts
    away all infrastructure management...
    https://cloud.google.com/run/docs

  7. Architecture
    (architecture diagram; labels on the slide: Run, Tasks, Pub/Sub, Scheduler,
    Mobile App, External Service, Mobile API, Web Hook API, Job API)

  8. from Single Service

  9. to Multiple Services

  10. Agenda
    • Architecture
    • Cloud Run Service-to-Service Networking

  12. Cloud Run Service-to-Service Networking
    • Access Control
    • Serverless VPC Access Connector
    • Shared VPC Network
    • VPC Service Controls Perimeter

  14. Access Control

  16. Access Control
    • Access Control with IAM
    • Restricting Ingress

  17. Access Control with IAM

  19. Restricting Ingress

  20. Ingress Setting
    • all
    • internal-and-cloud-load-balancing
    • internal

  21. Ingress Setting
    all

  22. Ingress Setting
    internal-and-cloud-load-balancing

  23. Ingress Setting
    internal

  24. Ingress Setting
    ---
    apiVersion: serving.knative.dev/v1
    kind: Service
    metadata:
      annotations:
        run.googleapis.com/ingress: internal
      name: service-c
    spec:
      # ...

  26. Access Control
    Ingress settings and IAM authentication
    methods are two ways of managing access to a
    service. They are independent of each other.
    For a layered approach to managing access,
    use both.
    https://cloud.google.com/run/docs/securing/ingress

  27. Access Control

  28. Cloud Run Service-to-Service Networking
    • Access Control
    • Serverless VPC Access Connector
    • Shared VPC Network
    • VPC Service Controls Perimeter

  30. Serverless VPC Access Connector
    Ingress Setting: internal

  31. Serverless VPC Access Connector
    What does "internal" mean...?
    https://cloud.google.com/run/docs/securing/ingress#settings

  32. Serverless VPC Access Connector
    By default, requests from other Cloud Run Services
    are not treated as "internal"

  33. Serverless VPC Access Connector
    For requests from other Cloud Run services ...
    in the same project, connect the service ... to a
    VPC network and route all egress through the
    connector...
    https://cloud.google.com/run/docs/securing/ingress#internal-services

  34. Serverless VPC Access Connector

  35. Serverless VPC Access Connector
    What is "Serverless VPC Access"...?
    Serverless VPC Access makes it possible for you
    to connect directly to your Virtual Private Cloud
    network from serverless environments such as
    Cloud Run...
    https://cloud.google.com/vpc/docs/serverless-vpc-access

  36. Serverless VPC Access Connector
    ---
    apiVersion: serving.knative.dev/v1
    kind: Service
    metadata:
      name: service-a
    spec:
      template:
        metadata:
          annotations:
            run.googleapis.com/vpc-access-egress: all-traffic
            run.googleapis.com/vpc-access-connector: projects//locations/asia-northeast1/connectors/
        # ...

  37. Serverless VPC Access Connector

  38. Cloud Run Service-to-Service Networking
    • Access Control
    • Serverless VPC Access Connector
    • Shared VPC Network
    • VPC Service Controls Perimeter

  40. Single VPC Network

  41. Shared VPC Network

  42. Shared VPC Network
    What is "Shared VPC"...?
    Shared VPC allows an organization to connect
    resources from multiple projects to a common
    Virtual Private Cloud (VPC) network, so that they
    can communicate with each other securely and
    efficiently using internal IPs from that network
    https://cloud.google.com/vpc/docs/shared-vpc

  43. Shared VPC Network
    ✅ Delegating network responsibilities to administrators
    ✅ Centralized control over network resources

  44. Shared VPC Network

  45. Shared VPC Network
    By default, requests through the Shared VPC Host Project
    are not treated as "internal"

  46. Shared VPC Network
    Resources in Shared VPC networks can only call
    internal services if the Shared VPC resources and
    the internal service are in the same VPC SC
    perimeter
    https://cloud.google.com/run/docs/securing/ingress#internal-services
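    The two "not treated as internal" rules (slides 32-33 for the Serverless VPC Access connector, slides 45-46 for Shared VPC and the VPC Service Controls perimeter) and the layered ingress-plus-IAM point from slide 26, written out as a small reachability check over Cloud Run service manifests. This is an added example, not code from the deck or from Kauche: the manifests mirror the annotations shown on slides 24 and 36, while the project ids, service accounts, connector and perimeter names are constructed placeholders, and the Service / check_call names are this example's own.

```python
from __future__ import annotations

from dataclasses import dataclass, field, replace
from typing import Optional

# Values of the run.googleapis.com/ingress annotation (slide 20).
INGRESS_ALL = "all"
INGRESS_INTERNAL_LB = "internal-and-cloud-load-balancing"
INGRESS_INTERNAL = "internal"
# Values of run.googleapis.com/vpc-access-egress (slide 36).
EGRESS_ALL = "all-traffic"
EGRESS_PRIVATE = "private-ranges-only"


@dataclass
class Service:
    """The few facts about a Cloud Run service that decide service-to-service reachability."""
    name: str
    project: str
    identity: str                      # runtime service account (constructed values below)
    ingress: str = INGRESS_ALL         # annotation absent -> Cloud Run default "all"
    vpc_egress: str = EGRESS_PRIVATE   # default once a connector is attached
    connector: Optional[str] = None    # run.googleapis.com/vpc-access-connector
    invokers: set = field(default_factory=set)  # members bound to roles/run.invoker
    perimeter: Optional[str] = None    # VPC Service Controls perimeter, if any


def service_from_manifest(manifest: dict, project: str, identity: str,
                          invokers=(), perimeter=None) -> Service:
    """Pull the annotations used on slides 24 and 36 out of a Knative Service dict."""
    meta = manifest.get("metadata", {})
    tmpl_ann = (manifest.get("spec", {}).get("template", {})
                .get("metadata", {}).get("annotations", {}))
    return Service(
        name=meta["name"], project=project, identity=identity,
        ingress=meta.get("annotations", {}).get("run.googleapis.com/ingress", INGRESS_ALL),
        vpc_egress=tmpl_ann.get("run.googleapis.com/vpc-access-egress", EGRESS_PRIVATE),
        connector=tmpl_ann.get("run.googleapis.com/vpc-access-connector"),
        invokers=set(invokers), perimeter=perimeter,
    )


def request_is_internal(caller: Service, callee: Service) -> bool:
    """Would callee's ingress filter classify a direct request from caller as internal?"""
    # Slides 32-33: another Cloud Run service only counts as internal when it is
    # attached to a connector AND routes all egress through it; the *.run.app URL
    # is a public address, so "private-ranges-only" sends the call around the connector.
    if caller.connector is None or caller.vpc_egress != EGRESS_ALL:
        return False
    if caller.project == callee.project:
        return True
    # Slides 45-46: across projects (Shared VPC host/service projects) both sides
    # must also sit inside the same VPC Service Controls perimeter.
    return caller.perimeter is not None and caller.perimeter == callee.perimeter


def check_call(caller: Service, callee: Service) -> list:
    """Findings for a direct caller -> callee request; an empty list means both layers pass."""
    findings = []
    # Layer 1, ingress: both restricted settings drop non-internal traffic that
    # did not arrive through Cloud Load Balancing.
    if callee.ingress != INGRESS_ALL and not request_is_internal(caller, callee):
        findings.append("ingress-not-internal")
    # Layer 2, IAM: the caller's identity needs roles/run.invoker on the callee.
    if "allUsers" not in callee.invokers and caller.identity not in callee.invokers:
        findings.append("iam-not-invoker")
    return findings


def check_layering(svc: Service) -> list:
    """Slide 26: the two layers are independent, so flag a service that restricts neither."""
    if svc.ingress == INGRESS_ALL and "allUsers" in svc.invokers:
        return ["public-on-both-layers"]
    return []


# Constructed topology mirroring the deck: project ids, service accounts and the
# connector name are placeholders, not values from the slides.
PROJECT = "example-project"
SA = {n: f"serviceAccount:{n}@{PROJECT}.iam.gserviceaccount.com"
      for n in ("service-a", "service-b", "service-c")}
CONNECTOR = f"projects/{PROJECT}/locations/asia-northeast1/connectors/example-connector"

SERVICE_C = service_from_manifest(
    {"apiVersion": "serving.knative.dev/v1", "kind": "Service",
     "metadata": {"name": "service-c", "annotations": {"run.googleapis.com/ingress": "internal"}},
     "spec": {}},
    PROJECT, SA["service-c"], invokers={SA["service-a"], SA["service-b"]})
SERVICE_A = service_from_manifest(
    {"apiVersion": "serving.knative.dev/v1", "kind": "Service",
     "metadata": {"name": "service-a"},
     "spec": {"template": {"metadata": {"annotations": {
         "run.googleapis.com/vpc-access-egress": "all-traffic",
         "run.googleapis.com/vpc-access-connector": CONNECTOR}}}}},
    PROJECT, SA["service-a"])
SERVICE_B = service_from_manifest(  # no connector: the call leaves over the public path
    {"apiVersion": "serving.knative.dev/v1", "kind": "Service",
     "metadata": {"name": "service-b"}, "spec": {}},
    PROJECT, SA["service-b"])
# service-d lives in another project reached over Shared VPC (slides 45-46).
SERVICE_D = Service("service-d", "other-project",
                    "serviceAccount:service-d@other-project.iam.gserviceaccount.com",
                    ingress=INGRESS_INTERNAL, invokers={SA["service-a"]})


def demo() -> dict:
    """Run every check over the constructed topology, keyed so each result is easy to inspect."""
    stranger = "serviceAccount:stranger@other-project.iam.gserviceaccount.com"
    return {
        "a->c": check_call(SERVICE_A, SERVICE_C),                        # [] both layers pass
        "b->c": check_call(SERVICE_B, SERVICE_C),                        # ingress blocks it
        "a(private-ranges-only)->c": check_call(replace(SERVICE_A, vpc_egress=EGRESS_PRIVATE), SERVICE_C),
        "a->d (no perimeter)": check_call(SERVICE_A, SERVICE_D),         # ingress blocks it
        "a->d (same perimeter)": check_call(replace(SERVICE_A, perimeter="perimeter-1"),
                                            replace(SERVICE_D, perimeter="perimeter-1")),
        "unbound caller->c": check_call(replace(SERVICE_A, identity=stranger), SERVICE_C),
        "public both layers": check_layering(replace(SERVICE_C, ingress=INGRESS_ALL, invokers={"allUsers"})),
    }


if __name__ == "__main__":
    for call, findings in demo().items():
        print(f"{call:28} {findings or 'OK'}")
```

    The check models the ingress decision exactly as the deck's quoted docs describe it: a caller without a connector, or with a connector but the default private-ranges-only egress, is rejected by an "internal" callee even when its service account holds roles/run.invoker, and a cross-project call is additionally rejected until both projects share a perimeter. Running the script prints one line per scenario with the findings, or OK when neither layer blocks the request.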

  47. Cloud Run Service-to-Service Networking
    • Access Control
    • Serverless VPC Access Connector
    • Shared VPC Network
    • VPC Service Controls Perimeter

  49. VPC Service Controls Perimeter
    What is "VPC Service Controls Perimeter"...?
    VPC Service Controls improves your ability to
    mitigate the risk of data exfiltration from Google
    Cloud services...
    You can use VPC Service Controls to create
    perimeters that protect the resources and data...
    https://cloud.google.com/vpc-service-controls/docs/overview

  50. VPC Service Controls Perimeter
    e.g. Compromised Service Account

  53. VPC Service Controls Perimeter

  54. Cloud Run Service-to-Service Networking
    • Access Control
    • Serverless VPC Access Connector
    • Shared VPC Network
    • VPC Service Controls Perimeter

  55. VPC Service Controls Perimeter
