Slide 1

Slide 1 text

Microservices on Cloud Run + VPC Network
Yuki Ito (@mrno110)
Backend LT

Slide 2

Slide 2 text

Yuki Ito (@mrno110), Architect, Kauche

Slide 4

Slide 4 text

Agenda • Architecture • Cloud Run Service-to-Service Networking

Slide 6

Slide 6 text

What is Cloud Run

"Cloud Run is a managed compute platform that enables you to run containers that are invocable via requests or events. Cloud Run is serverless: it abstracts away all infrastructure management..." https://cloud.google.com/run/docs

Slide 7

Slide 7 text

Architecture (diagram; component labels only): Run Tasks, Pub/Sub, Mobile App, External Service, Mobile API, Web Hook API, Job API, Scheduler

Slide 8

Slide 8 text

from Single Service

Slide 9

Slide 9 text

to Multiple Services

Slide 10

Slide 10 text

Agenda • Architecture • Cloud Run Service-to-Service Networking

Slide 12

Slide 12 text

Cloud Run Service-to-Service Networking • Access Control • Serverless VPC Access Connector • Shared VPC Network • VPC Service Controls Perimeter

Slide 14

Slide 14 text

Access Control

Slide 16

Slide 16 text

Access Control • Access Control with IAM • Restricting Ingress

Slide 17

Slide 17 text

Access Control with IAM

Slide 19

Slide 19 text

Restricting Ingress

Slide 20

Slide 20 text

Ingress Setting • all • internal-and-cloud-load-balancing • internal

Slide 21

Slide 21 text

Ingress Setting all

Slide 22

Slide 22 text

Ingress Setting internal-and-cloud-load-balancing

Slide 23

Slide 23 text

Ingress Setting internal

Slide 24

Slide 24 text

Ingress Setting

---
apiVersion: serving.knative.dev/v1
kind: Service
metadata:
  annotations:
    run.googleapis.com/ingress: internal
  name: service-c
spec:
  # ...

Slide 26

Slide 26 text

Access Control

"Ingress settings and IAM authentication methods are two ways of managing access to a service. They are independent of each other. For a layered approach to managing access, use both." https://cloud.google.com/run/docs/securing/ingress
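The IAM half of that layered control, as an added example that is not from the slides: service-a calls the IAM-protected service-c with a Google-signed ID token obtained from the metadata server that Cloud Run exposes to the container, and Cloud Run checks the token (and the caller's roles/run.invoker binding) before the request reaches service-c. Assumptions: service-c's URL (SERVICE_C_URL) and the caller's service-account email are made up; service-c is assumed to grant roles/run.invoker to service-a's service account (for example with `gcloud run services add-iam-policy-binding`); and the `http_get` callable is injected so the block runs off-GCP against a constructed fake metadata server that mints unsigned tokens.

```python
import base64
import json
import urllib.parse
import urllib.request
from typing import Callable

# Cloud Run exposes the metadata server to the container; this path returns a
# Google-signed ID token for the service's runtime service account.
METADATA_IDENTITY_URL = ("http://metadata.google.internal/computeMetadata/v1/"
                         "instance/service-accounts/default/identity")
METADATA_HEADERS = {"Metadata-Flavor": "Google"}

# Assumed (made-up) URL of the IAM-protected callee.
SERVICE_C_URL = "https://service-c-abc123-an.a.run.app"

HttpGet = Callable[[str, dict], bytes]


def identity_token_url(audience: str) -> str:
    """Metadata URL for an ID token whose `aud` is the callee's URL (what Cloud Run checks)."""
    return f"{METADATA_IDENTITY_URL}?audience={urllib.parse.quote(audience, safe='')}"


def token_claims(token: str) -> dict:
    """Decode the JWT payload without verifying the signature. Cloud Run's IAM layer verifies
    the signature; we only inspect the claims to catch a wrong audience before sending."""
    _header, payload, _signature = token.split(".")
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def fetch_identity_token(audience: str, http_get: HttpGet) -> str:
    """Fetch an ID token for `audience`; `http_get(url, headers)` is injected so this runs off-GCP."""
    token = http_get(identity_token_url(audience), METADATA_HEADERS).decode().strip()
    aud = token_claims(token).get("aud")
    if aud != audience:
        # A token minted for another service is rejected by the callee (403); refuse
        # to send it so a credential for one service never leaks to another endpoint.
        raise ValueError(f"ID token audience {aud!r} does not match target {audience!r}")
    return token


def authenticated_request(target_url: str, path: str, http_get: HttpGet) -> urllib.request.Request:
    """Request to the callee carrying the ID token; Cloud Run rejects it without roles/run.invoker."""
    token = fetch_identity_token(target_url, http_get)
    return urllib.request.Request(target_url + path, headers={"Authorization": f"Bearer {token}"})


def metadata_http_get(url: str, headers: dict) -> bytes:
    """Real GET against the metadata server; only works inside Cloud Run / GCE."""
    with urllib.request.urlopen(urllib.request.Request(url, headers=headers), timeout=5) as resp:
        return resp.read()


def fake_metadata(audience_to_serve: str) -> HttpGet:
    """Constructed stand-in for the metadata server: mints an *unsigned* token (alg=none) for
    whatever audience it was told to serve, so the audience check can be exercised offline."""
    def b64url(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

    def http_get(url: str, headers: dict) -> bytes:
        if headers.get("Metadata-Flavor") != "Google":
            raise PermissionError("metadata server requires Metadata-Flavor: Google")
        claims = {"iss": "https://accounts.google.com", "aud": audience_to_serve,
                  "email": "service-a@example-project.iam.gserviceaccount.com"}
        return f"{b64url({'alg': 'none', 'typ': 'JWT'})}.{b64url(claims)}.".encode()
    return http_get


def audience_mismatch_is_refused(target: str, served_audience: str) -> bool:
    """True if a token minted for a different audience is never attached to the request."""
    try:
        fetch_identity_token(target, fake_metadata(served_audience))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    req = authenticated_request(SERVICE_C_URL, "/health", fake_metadata(SERVICE_C_URL))
    print(req.full_url, req.get_header("Authorization")[:30] + "...")
```

Inside Cloud Run, pass `metadata_http_get` instead of the fake; the audience must be the callee's own run.app URL (not a custom domain), which is why the check on `aud` is worth keeping even though the callee never verifies the token itself.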

Slide 27

Slide 27 text

Access Control

Slide 28

Slide 28 text

Cloud Run Service-to-Service Networking • Access Control • Serverless VPC Access Connector • Shared VPC Network • VPC Service Controls Perimeter

Slide 30

Slide 30 text

Serverless VPC Access Connector
Ingress Setting: internal

Slide 31

Slide 31 text

Serverless VPC Access Connector
What does "internal" mean...? https://cloud.google.com/run/docs/securing/ingress#settings

Slide 32

Slide 32 text

Serverless VPC Access Connector
By default, requests from other Cloud Run services are not treated as "internal".

Slide 33

Slide 33 text

Serverless VPC Access Connector
"For requests from other Cloud Run services ... in the same project, connect the service ... to a VPC network and route all egress through the connector..." https://cloud.google.com/run/docs/securing/ingress#internal-services

Slide 34

Slide 34 text

Serverless VPC Access Connector

Slide 35

Slide 35 text

Serverless VPC Access Connector
What is "Serverless VPC Access"...?
"Serverless VPC Access makes it possible for you to connect directly to your Virtual Private Cloud network from serverless environments such as Cloud Run..." https://cloud.google.com/vpc/docs/serverless-vpc-access

Slide 36

Slide 36 text

Serverless VPC Access Connector

---
apiVersion: serving.knative.dev/v1
kind: Service
metadata:
  name: service-a
spec:
  template:
    metadata:
      annotations:
        run.googleapis.com/vpc-access-egress: all-traffic
        run.googleapis.com/vpc-access-connector: projects//locations/asia-northeast1/connectors/
  # ...
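Putting the two rules together (the layering of ingress and IAM from the "Access Control" slide, and the all-traffic-through-the-connector requirement from these "Serverless VPC Access Connector" slides), as an added example that is not from the talk: a small lint over a set of Cloud Run service manifests, their IAM policies and the call graph between them. The manifests are dict versions of the Knative Service YAML shown above (dicts rather than YAML to avoid a parser dependency), the IAM policies mirror the shape of `gcloud run services get-iam-policy --format=json` output, and every service name, service-account email, project and connector name is constructed. It covers only the connector-based egress path the slides discuss.

```python
import copy
from typing import Dict, List, Set, Tuple

INGRESS = "run.googleapis.com/ingress"                 # Service-level annotation
EGRESS = "run.googleapis.com/vpc-access-egress"        # revision-template annotations
CONNECTOR = "run.googleapis.com/vpc-access-connector"
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def ingress_of(manifest: dict) -> str:
    """Ingress setting; Cloud Run's default when the annotation is absent is 'all'."""
    return manifest.get("metadata", {}).get("annotations", {}).get(INGRESS, "all")


def template_annotations(manifest: dict) -> dict:
    """Connector and egress live on spec.template.metadata, not on the Service metadata."""
    return manifest.get("spec", {}).get("template", {}).get("metadata", {}).get("annotations", {})


def service_account(manifest: dict) -> str:
    return manifest["spec"]["template"]["spec"]["serviceAccountName"]


def invoker_members(policy: dict) -> Set[str]:
    """Members holding roles/run.invoker in a get-iam-policy style document."""
    return {m for b in policy.get("bindings", []) if b.get("role") == "roles/run.invoker"
            for m in b.get("members", [])}


def lint(manifests: Dict[str, dict], policies: Dict[str, dict],
         calls: List[Tuple[str, str]], public: Set[str]) -> List[str]:
    """Findings for the service set. `calls` lists (caller, callee) edges; `public` names the
    services that are meant to be reachable from the internet (they are skipped by the first loop)."""
    findings = []
    for name, m in manifests.items():
        if name in public:
            continue
        exposed = invoker_members(policies.get(name, {})) & PUBLIC_MEMBERS
        if exposed:  # IAM layer missing
            findings.append(f"{name}: roles/run.invoker granted to {sorted(exposed)} on a non-public service")
        if ingress_of(m) == "all":  # network layer missing
            findings.append(f"{name}: ingress 'all' on a non-public service; use internal or internal-and-cloud-load-balancing")
    for caller, callee in calls:
        if ingress_of(manifests[callee]) == "internal":
            ann = template_annotations(manifests[caller])
            egress = ann.get(EGRESS, "private-ranges-only")  # default once a connector is set
            if CONNECTOR not in ann:
                findings.append(f"{caller} -> {callee}: callee is ingress-internal but caller has no VPC connector; its requests are not treated as internal")
            elif egress != "all-traffic":
                # With private-ranges-only, calls to *.run.app bypass the VPC and are rejected at ingress.
                findings.append(f"{caller} -> {callee}: caller egress is {egress!r}; must be all-traffic to count as internal")
        invokers = invoker_members(policies.get(callee, {}))
        member = f"serviceAccount:{service_account(manifests[caller])}"
        if member not in invokers and not (invokers & PUBLIC_MEMBERS):
            findings.append(f"{caller} -> {callee}: {member} lacks roles/run.invoker on callee")
    return findings


def constructed_sample():
    """Constructed inputs: one deliberately weak set-up (job-api, legacy) beside a correct one."""
    def manifest(name, ingress=None, connector=None, egress=None):
        m = {"apiVersion": "serving.knative.dev/v1", "kind": "Service",
             "metadata": {"name": name, "annotations": {}},
             "spec": {"template": {"metadata": {"annotations": {}},
                                   "spec": {"serviceAccountName": f"{name}@example-project.iam.gserviceaccount.com"}}}}
        if ingress:
            m["metadata"]["annotations"][INGRESS] = ingress
        if connector:
            m["spec"]["template"]["metadata"]["annotations"][CONNECTOR] = connector
        if egress:
            m["spec"]["template"]["metadata"]["annotations"][EGRESS] = egress
        return m
    conn = "projects/example-project/locations/asia-northeast1/connectors/example-connector"
    manifests = {
        "mobile-api": manifest("mobile-api", "internal-and-cloud-load-balancing", conn, "all-traffic"),
        "job-api": manifest("job-api", "internal", conn),   # egress left at private-ranges-only
        "service-c": manifest("service-c", "internal"),
        "legacy": manifest("legacy"),                        # no ingress annotation => all
    }
    policies = {
        "mobile-api": {"bindings": [{"role": "roles/run.invoker", "members": ["allUsers"]}]},
        "service-c": {"bindings": [{"role": "roles/run.invoker",
                                    "members": ["serviceAccount:mobile-api@example-project.iam.gserviceaccount.com"]}]},
        "legacy": {"bindings": [{"role": "roles/run.invoker", "members": ["allUsers"]}]},
    }
    calls = [("mobile-api", "service-c"), ("job-api", "service-c")]
    return manifests, policies, calls, {"mobile-api"}


def harden(manifests: Dict[str, dict], policies: Dict[str, dict]):
    """The corrected configuration for the constructed sample (returns copies)."""
    manifests, policies = copy.deepcopy(manifests), copy.deepcopy(policies)
    manifests["job-api"]["spec"]["template"]["metadata"]["annotations"][EGRESS] = "all-traffic"
    policies["service-c"]["bindings"][0]["members"].append(
        "serviceAccount:job-api@example-project.iam.gserviceaccount.com")
    manifests["legacy"]["metadata"]["annotations"][INGRESS] = "internal"
    policies["legacy"] = {"bindings": []}   # drop allUsers; grant specific invokers as needed
    return manifests, policies


if __name__ == "__main__":
    m, p, calls, public = constructed_sample()
    print("\n".join(lint(m, p, calls, public)))
    print("after hardening:", lint(*harden(m, p), calls, public))
```

The weak sample produces four findings (legacy is both public via allUsers and ingress all; job-api reaches the internal service-c neither through the VPC nor with an invoker binding); the hardened copies produce none.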

Slide 37

Slide 37 text

Serverless VPC Access Connector

Slide 38

Slide 38 text

Cloud Run Service-to-Service Networking • Access Control • Serverless VPC Access Connector • Shared VPC Network • VPC Service Controls Perimeter

Slide 40

Slide 40 text

Single VPC Network

Slide 41

Slide 41 text

Shared VPC Network

Slide 42

Slide 42 text

Shared VPC Network
What is "Shared VPC"...?
"Shared VPC allows an organization to connect resources from multiple projects to a common Virtual Private Cloud (VPC) network, so that they can communicate with each other securely and efficiently using internal IPs from that network" https://cloud.google.com/vpc/docs/shared-vpc

Slide 43

Slide 43 text

Shared VPC Network
✅ Delegating network responsibilities to administrators
✅ Centralized control over network resources

Slide 44

Slide 44 text

Shared VPC Network

Slide 45

Slide 45 text

Shared VPC Network
By default, requests through the Shared VPC Host Project are not treated as "internal".

Slide 46

Slide 46 text

Shared VPC Network
"Resources in Shared VPC networks can only call internal services if the Shared VPC resources and the internal service are in the same VPC SC perimeter" https://cloud.google.com/run/docs/securing/ingress#internal-services

Slide 47

Slide 47 text

Cloud Run Service-to-Service Networking • Access Control • Serverless VPC Access Connector • Shared VPC Network • VPC Service Controls Perimeter

Slide 49

Slide 49 text

VPC Service Controls Perimeter
What is "VPC Service Controls Perimeter"...?
"VPC Service Controls improves your ability to mitigate the risk of data exfiltration from Google Cloud services... You can use VPC Service Controls to create perimeters that protect the resources and data..." https://cloud.google.com/vpc-service-controls/docs/overview

Slide 50

Slide 50 text

VPC Service Controls Perimeter
e.g. Compromised Service Account

Slide 53

Slide 53 text

VPC Service Controls Perimeter

Slide 54

Slide 54 text

Cloud Run Service-to-Service Networking • Access Control • Serverless VPC Access Connector • Shared VPC Network • VPC Service Controls Perimeter

Slide 55

Slide 55 text

VPC Service Controls Perimeter