GoogleCloudPlatform / pubsec-declarative-toolkit

The GCP PubSec Declarative Toolkit is a collection of declarative solutions to help you on your Journey to Google Cloud. Solutions are designed using Config Connector and deployed using Config Controller.
Apache License 2.0

LZ architecture questions #437

Closed fmichaelobrien closed 1 year ago

fmichaelobrien commented 1 year ago

Chris Carty, 8:24 AM @Michael O'Brien got some questions from the team around the networking design and exposing apps. Any strongly held opinions?

In the client project, any objection to a developer creating their own VPC / network directly?

A: In the interest of reducing unknown unknowns and also unknown knowns, shared open-source/public Q&A between clients helps with this.
No. I expect there will be 1-3 additional tiers off the primary LZ, based on reducing IAM permissions, where the client workload and micro changes will be in both/separate LZ CI/CD pipelines and client workload pipelines.
The issue depends on how we handle automated peering up to the 25 limit and use of the NCC (aka transit gateway) for VPC-VPC BGP dynamic routing (if the client needs VPN/interconnect connectivity at all).

Can we provide any permission to users in the client project and trust the org policy to keep us safe?

A: Yes, start with the wide owner role per project or reduce to more granular IAM permissions. Also depends on cross-project/shared roles. Overriding the org policy is another issue and needs to be triaged per unclass/classified environment.

What's the right way of opening the app to the external world, i.e. an external IP? As of now external IP usage is blocked by policy.

A: Multiple times, 2-4 dimensions (SaaS/PaaS/IaaS/FaaS). There is no right way, just a layered set of design patterns.
For example, usually a direct external IP is blocked in favor of a shared L7 load balancer in the perimeter VPC.
Serverless is another dimension, where the Cloud Run or Cloud Functions endpoint may be kept private via VPC connectors; I will expand on this...

Answers ongoing. Expanded answers are in the design issues section of the architecture page:

https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/blob/dev/solutions/landing-zone/architecture.md#design-issues

SSH procedures: https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/issues/267

fmichaelobrien commented 1 year ago

SSH procedures: https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/issues/267

When onboarding a service project attached to the host VPC, there will be questions about SSH access inside the VPC and outside, all the way through a VPC/interconnect. There is a validated SSH private key procedure below where you override OS Login and update GCE metadata with the public key. Any GCE/GKE VM spun up with an OS Login override will get these keys propagated automatically. There is an initial reconcile hiccup possible (both myself and a client later ran into it), but you will be able to `ssh -i key username_domain@ip` OK. For the username, replace any `.` with `_` and append the org domain.
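A worked version of the username and metadata steps in the comment above, as an added example that is not code from the toolkit or from the comment's author. The email address, org domain, key material, instance name and IP are constructed sample values; the `gcloud` commands are only printed for the operator to review, not executed, so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the toolkit or the issue author): helpers for the
# metadata-based SSH procedure described above. All identifiers below are
# constructed sample values.

# Derive the login name GCE will expect: every "." and the "@" in the
# identity's email become "_", i.e. the local part with dots replaced plus
# the org domain appended. michael.obrien@example.com -> michael_obrien_example_com
oslogin_username() {
  printf '%s\n' "$1" | tr '.@' '__'
}

# Reject obviously malformed key material before it lands in project metadata;
# a bad line is silently ignored by the guest agent and is hard to debug later.
validate_pubkey() {
  case "$1" in
    ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-nistp256\ *) return 0 ;;
    *) return 1 ;;
  esac
}

# Build one line of the "ssh-keys" metadata value: "<username>:<public key>".
# The username prefix is what the guest agent matches against; a mismatch
# (for example, forgetting the domain suffix) means the key is never installed.
ssh_keys_metadata_entry() {
  username="$1"; pubkey="$2"
  validate_pubkey "$pubkey" || { echo "invalid public key" >&2; return 1; }
  printf '%s:%s\n' "$username" "$pubkey"
}

# The ssh invocation the comment ends with: ssh -i <key> <username>@<ip>.
ssh_command() {
  keyfile="$1"; username="$2"; ip="$3"
  printf 'ssh -i %s %s@%s\n' "$keyfile" "$username" "$ip"
}

# Demo with constructed values. Key material is a placeholder, not a real key.
demo_email='michael.obrien@example.com'
demo_pubkey='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYMATERIAL michael_obrien_example_com'
demo_ip='10.0.0.5'

demo_user="$(oslogin_username "$demo_email")"
demo_file="$(mktemp)"
ssh_keys_metadata_entry "$demo_user" "$demo_pubkey" > "$demo_file"

# Printed, not run: the OS Login override and the metadata update the comment
# describes, at project scope so new VMs inherit the key. Review before running.
echo "# gcloud compute project-info add-metadata --metadata enable-oslogin=FALSE"
echo "# gcloud compute project-info add-metadata --metadata-from-file ssh-keys=$demo_file"
ssh_command "/path/to/private_key" "$demo_user" "$demo_ip"
rm -f "$demo_file"
```

Keep the temporary ssh-keys file until the metadata update has been applied; the demo removes it only because nothing here actually runs `gcloud`.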

obriensystems commented 1 year ago

Additional transit peering instructions related to VPCs peered with the interconnect-enabled VPC (perimeter): https://cloud.google.com/vpc/docs/vpc-peering#transit-network, from https://cloud.google.com/network-connectivity/docs/network-connectivity-center/concepts/overview#vpc-peering

cartyc commented 1 year ago

Thanks Mike, this helped resolve the question that the user had.

fmichaelobrien commented 1 year ago

I'll add these to the architecture doc https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/blob/dev/solutions/landing-zone/architecture.md#design-issues