Kategorie: Google Cloud Platform

Beyond Corp Enterprise: True zero trust architecture for the multicloud

We recently announced the general availability of BeyondCorp Enterprise, Google’s comprehensive zero trust product offering. As we work to democratize zero trust, building a solution to support customers across different environments was top of mind for our team. Google has over a decade of experience managing and securing cloud applications at a global scale and this new offering was developed based on learnings from our experience managing our own enterprise, feedback from customers and partners, as well as informed by leading engineering and security research. We recognize the complexities that come with a zero trust journey and understand that most customers host resources across different cloud providers. With this in mind, BeyondCorp Enterprise was purpose-built as a multicloud solution, enabling customers to securely access resources hosted not only on Google Cloud or on-premises, but also across other clouds such as Azure and Amazon Web Services (AWS). Beyond Corp Enterprise provides context-aware access controls for internal and SaaS applications and cloud resources, and offers integrated threat and data protection without the for a Virtual Private Network (VPN). This solution is hosted on Google’s global network infrastructure and enables elastic-scaling based on use, helping customers manage secure access for different user groups, including employees, contractors or temporary workers, and partners. The diagram below shows the high-level architecture of BeyondCorp Enterprise. As you can see, BeyondCorp Enterprise supports applications and resources hosted on Google Cloud, on other clouds, or on-premises.Click to enlargeSo what does this mean for you and how can BeyondCorp Enterprise help? Google continues to emphasize its commitment for multi-cloud environments with BeyondCorp Enterprise. Customers “live” in a diverse world of different clouds and different vendors and we know it’s unrealistic that customers would have 100 percent of their resources hosted in one provider. That’s why we have been mindful to not only support access to apps on other clouds, but also build integrations with other leading technology vendors so customers can leverage their existing investments. The potential for the zero trust architecture is limitless as our ecosystem is built such that it is easily extensible by security partners, and the rulesets can be enriched to include additional signals like threat and data loss. Using a combination of user and device attributes, BeyondCorp Enterprise uses criteria such as the user’s location when trying to access a resource, the time of day the user is trying to access the resource, or the type of device a user is using to access a resource. BeyondCorp Enterprise also leverages Endpoint Verification in the Chrome Browser to identify the posture of the device accessing an application. These various parameters are used to configure “grant” or “deny” rules and policies, which are then enforced by the cloud Identity Aware Proxy and a combination of other controls.Click to enlargeEnterprise customers who adopt a “best of breed” approach to security will find Google’s approach to zero trust and the BeyondCorp Enterprise architecture complementary to their strategy. As an example, if you use one of our BeyondCorp Alliance partners  as your endpoint detection and response solution or Unified Endpoint Management (UEM) solution, you can also integrate signals from these solutions to incorporate into your policies and protect your resources across your on-premises, Google Cloud, or other clouds. This architecture ensures that you have the autonomy to choose your preferred security vendors.Once secure access is granted, BeyondCorp Enterprise provides threat and data protection capabilities, including the ability to protect SaaS applications and other websites from data loss, data exfiltration, credential theft, malware, and phishing attacks. Because these capabilities are delivered through the Chrome Browser, we can support users on Windows, Mac, Linux, and ChromeOS, again making it easy to meet customers where they are and enable simple deployment and adoption.Many people think zero trust requires a complete overhaul of their environment and would entail installing multiple agents on a computer; but instead, all you need is a web browser. We are excited to bring disruptive innovation to our customers in a way that does not disrupt security operations. rotectionGoogle is a true engineering-driven company. Innovating and solving global-scale problems is at the core of the company’s DNA. Ideas and projects that led to the creation of products that have redefined how people across the world work, such as Gmail, Google Maps, and of course, the Chrome Browser, which also birthed BeyondCorp Enterprise. If you would like to learn more about BeyondCorp Enterprise, visit the product page, register for our upcoming webinar on Feb 23, or contact your Google account team.Related ArticleBeyondCorp Enterprise: Introducing a safer era of computingThe GA of Google’s comprehensive zero trust product offering, BeyondCorp Enterprise, brings this modern, proven technology to organizatio…Read Article
Quelle: Google Cloud Platform

Set up Anthos Service Mesh for multiple GKE clusters using Terraform

Anthos Service Mesh is a managed service mesh for Google Kubernetes Engine (GKE) clusters. Anthos Service Mesh allows GKE clusters to use a single logical service mesh, so that pods can communicate across clusters securely and services can share a single Virtual Private Cloud (VPC). Using Anthos Service Mesh requires GKE clusters and firewall rules. As well, access to the GKE GKE control plane needs to be granted, if private clusters are used. Infrastructure-as-code (IaC) makes bootstrapping Anthos Service Mesh significantly easier. In this blog post, we explain the new features of Anthos Service Mesh, and how to implement it across two private GKE clusters using Terraform. We also provide automation scripts, giving a guided tour for setting up a cloud environment.For those who want to get started immediately, there is a Git repo with complete source code and README instructions. There are also bonus sections at the end, for mesh traffic security scanning and external databases respectively.Supported versionThe supported versions are Anthos Service Mesh 1.7 and 1.8. For more information on Anthos Service Mesh versions, please check the Anthos Service Mesh release notes.Fig 3.1 – Anthos Service Mesh version release notesShared VPCsAnthos Service Mesh 1.8 can be used for a single shared VPC, even across multiple projects. Please consult the documentation on Anthos Service Mesh 1.8 multi-cluster support for complete details:Fig 3.2 – Anthos Service Mesh multi-cluster supportSSL/TLS terminationTLS termination for external requests is supported with Anthos Service Mesh 1.8. Doing so requires modifying the Anthos Service Mesh setup files.You can set up Anthos Service Mesh using the install_asm script. A custom istio-operator.yaml file can be used by running install_asm with the –custom_overlay option.In order for Istio (i.e., Anthos Service Mesh) to allow access to external services, change the egress policy to REGISTRY_ONLY. Please see the blocking-by-default Istio documentation for more details.For TLS termination of requests to Prisma Cloud (Twistlock), please the below section on Prisma Cloud.SecurityAnthos Service Mesh has inherent security features (and limitations), as described in the security overview documentation. Additionally, please follow the GKE best practices for security.NOTE: Anthos Service Mesh inherently implements Istio security best practices, such as namespaces and limited service accounts. Workload identity is an optional GKE-specific service account, limited to a namespace.The Istio ingress gateway needs to be secured manually. Please see the Secure Gateways Istio documentation for more details.For security scanning of GKE cluster ingress, please see the below section on Prisma Cloud.Container workload securityGKE cluster network policies allow you to define workload access across pods and namespaces. This is built on top of the Kubernetes NetworkPolicy API. There is also a helpful tutorial on configuring GKE network policies for applications.There are detailed steps for securing container workloads in GKE. This involves a layered approach to node security, pod/container security contexts and pod security policies. As well, Google Cloud’s Container-Optimized OS (both cos and cos_containerd) apply the default Docker AppArmor security policies to all containers started by Kubernetes.Container runtime (Containerd)We recommend using the cos_containerd runtime for GKE clusters using Anthos Service Mesh. The current Docker container runtime is being sunsetted from GKE. Adopting cos_containerd now will avoid having to migrate in the future.Using Containerd as the container runtime still allows developers to use Docker to build containers. Here are some potential conflicts, when migrating from Docker to Containerd:running privileged Pods executing Docker commandsrunning scripts on nodes outside of Kubernetes infrastructure (for example, using ssh to troubleshoot issues)using third-party tools that perform such similarly privileged operationsusing tooling that was configured to react to Docker-specific log messages in your monitoring systemTo avoid such conflicts, we recommend a canary deployment of your clusters with cos_containerd. You can find Instructions for canary deployments in the above-linked migration documentation.Security scanning with Prisma Cloud (formerly Twistlock)To do a security scan of the pod traffic on Anthos Service Mesh, you can use Palo Alto Networks’ Prisma Cloud (formerly Twistlock), a cloud security posture management (CSPM) and cloud workload protection platform (CWPP) that provides multi-cloud visibility and threat detection. Please consult the Prisma Cloud admin guide (latest as of January 7, 2021) for more details.Prisma Cloud setupFor setup instructions, please see the Twistlock folder README file in the anthos-service-mesh-multicluster source code repository. The table below contains links to the official Prisma Cloud setup documentation.Table 4.1 – Prisma VersionsTLS terminationPrisma Cloud TLS requests are terminated at the Prisma Cloud console. When a request comes from Prisma Cloud SaaS to a Twistlock container, the API call is also terminated with a TLS certificate.External databases with Google Cloud SQL for PostgreSQLMany organizations wish to establish external database connectivity to their Anthos Service Mesh environment. One common example uses Google Cloud SQL for PostgreSQL (Cloud SQL).Cloud SQL is external to GKE, thus requiring GKE to do SSL termination for external services. With Anthos Service Mesh, you can use an Istio ingress gateway, which allows SSL passthrough, so that the server certificates can reside in a container. However, this approach is problematic for many PostgreSQL databases.PostgreSQL uses application-level protocol negotiation for SSL connections. The Istio proxy currently uses TCP-level protocol negotiation. This causes the Istio proxy sidecar to error out during the SSL handshake, when it tries to auto-encrypt the connection with PostgreSQL. Fortunately Cloud SQL can itself host a sidecar for TLS termination.For setup instructions, please see the postgres folder README file in the anthos-service-mesh-multicluster source code repository.Towards federated clustersAnthos Service Mesh 1.7 and 1.8 can now federate multiple GKE clusters. Taken as “managed Istio” in a single VPC, this container orchestration model takes GKE to its full potential, and can be configured using tools like Terraform and shell scripts that are available in the anthos-service-mesh-multicluster Git repo.If you have not already tried out the sample code, please navigate to the Git repo and do so. This is a good next step as the README files are detailed and instructive. Learning-by-doing is an effective way to understand Anthos Service Mesh. As well, the Terraform code uses the latest Google Cloud modules, giving you valuable tools for your toolbox.We encourage you to make contributions to the Git repo, using Google Cloud Professional Services’ contributing instructions.NOTE: As of November 12, 2020, Anthos Service Mesh, Mesh CA and the Anthos Service Mesh dashboards in Google Cloud Console are available for any GKE customer and do not require the purchase of Anthos. See pricing for details.[1] Prisma Cloud SaaS Version Administrator’s Guide[2] Twistlock Reference ArchitectureRelated ArticleGKE best practices: Exposing GKE applications through Ingress and ServicesWe’ll walk through the different factors you should consider when exposing applications on GKE, explain how they impact application expos…Read Article
Quelle: Google Cloud Platform

Introducing HPC VM images—pre-tuned for optimal performance

Today, we’re excited to announce the Public Preview of a CentOS 7-based Virtual Machine (VM) image optimized for high performance computing (HPC) workloads, with a focus on tightly-coupled MPI workloads.In 2020, we introduced several features and best-practice tunings to help achieve optimal MPI performance on Google Cloud. With these best practices, we demonstrated that MPI ping-pong latency falls into single-digits of microseconds (us) and small MPI messages are delivered in 10us or less. Improved MPI performance translates directly to improved application scaling, expanding the set of HPC workloads that run efficiently on Google Cloud. However, building a VM image that includes these best practices requires systems expertise and knowledge of Google Cloud. Starting with an HPC-optimized image can make it easier to maintain an image.The HPC VM image makes it easy and quick to instantiate VMs that are tuned to achieve optimal CPU and network performance on Google Cloud. The HPC VM image is available at no additional cost via the Google Cloud Marketplace. Continue reading below for details about the HPC VM image and its benefits, or skip ahead to our documentation and quickstart guide to start creating instances using the HPC VM image today!Benefits of using the HPC VM imageThe HPC VM image is pre-configured and regularly maintained, providing the following advantages to HPC customers on Google Cloud:Easily create HPC-ready VMs out-of the-box that incorporate our best practices for tightly-coupled HPC applications. You can quickly create HPC-ready VMs and always stay up-to-date with the latest tunings.Networking optimizations for tightly-coupled workloads help reduce latency for small messages, and benefit applications that are heavily dependent on point-to-point and collective communications.Compute optimizations for HPC workloads allow more predictable single-node high performance by reducing system jitter that can lead to performance variation.Consistent and reproducible multi-node performance by using a set of tunings which have been tested across a range of HPC workloads.  Using the HPC VM image is simple and easy, as it is a drop-in replacement for the standard CentOS 7 image.Customer story: Scaling SDPB solver using CloudyCluster and HPC VM imageWalter Landry is a research software engineer in the Caltech Particle Theory Group working with the international Bootstrap Collaboration. The collaboration uses SDPB, a semidefinite program solver, to study Quantum Field Theories, with application to a wide variety of problems in theoretical physics, such as early universe inflation, superconductors, quantum Hall fluids, and phase transitions.To expand the collaboration’s computation capabilities, Landry wanted to see how SDPB would scale on Google Cloud. Working with Omnibond CloudyCluster and leveraging the HPC VM image, Landry achieved comparable performance and scaling to an on-premises cluster at Yale, based on Intel Xeon Gold 6240 processors and Infiniband FDR.Google Cloud’s C2-Standard-60 instance type is based on the second-generation Intel Xeon Scalable Processor. The C2 family of instances can utilize placement policies to reduce inter-node latency, ideal for tightly-coupled MPI workloads. CloudyCluster leverages the HPC VM image and placement policy for the C2 family out of the box, making it seamless for the researcher. These tests show the ability to scale low latency workloads across many instances in Google Cloud.If you would like to try out the HPC VM image with Omnibond CloudyCluster, an updated version of Omnibond CloudyCluster using the HPC VM image is available in the Google Cloud Marketplace. This version also comes complete with NSF funded Open OnDemand led by  Ohio Supercomputing Center, making it easy for system administrators to provide web access to HPC resources.What’s included in the HPC VM image? Tunings and OptimizationsThe current release of the HPC VM image focuses on tunings for tightly coupled HPC workloads and implements the following best-practices for optimal MPI application performance:Disable Hyper-Threading: Intel Hyper-Threading is disabled by default in the HPC VM image. Turning off Hyper-Threading allows more predictable performance and can decrease execution time for some HPC jobs.MPI collective tunings: The choice of MPI collective algorithms can have a significant impact on MPI application performance. HPC VM image includes recommended Intel MPI collective algorithms to use in the most common MPI job configurations.Increase tcp_*mem settings: C2 machines can support up to 32 Gbps bandwidth, and they benefit from larger TCP memory than Linux defaults.Enable busy polling: Busy polling can help reduce latency in the network receive path by allowing socket-layer code to poll the receive queue of a network device and by disabling network interrupts.Raise user limits: Default limits on system resources—like open files and numbers of processes that any one user can use—are typically unnecessary for HPC jobs where compute nodes in a cluster aren’t shared between users.Disable Linux firewalls, Disable SELinux: For Google Cloud CentOS Linux images, SELinux and firewall is turned on by default. HPC VM image disables Linux firewalls and SELinux to improve MPI performance.Disable CPUIdle: C2 machines support CPU C-states to enter low-power mode and save energy.  Disabling CPUIdle can help reduce jitter and provide consistent low latency.The benefits of these tunings can vary from application to application and we recommend that you benchmark your applications to find the most efficient or cost-effective configuration.Performance measurement using HPC benchmarksWe have  compared the performance of the HPC VM image vs. the default CentOS 7 image across both the Intel MPI Benchmarks and real application benchmarks for Finite Element Analysis (ANSYS LS-DYNA), Computational Fluid Dynamics (ANSYS Fluent) and Weather Modeling (WRF). The following versions of the HPC VM image and CentOS Image were used for the benchmarks in this section:HPC VM image: hpc-centos-7-v20210119 (with –nomitigation applied and mpitune configs installed as suggested in the HPC VM image documentation)CentOS Image:  centos-7-v20200811Intel MPI Benchmark (IMB) Ping-Pong IMB Ping-Pong measures the ping-pong latency of transferring a fix-sized message between two ranks over a pair of VMs. On average, we saw that the HPC VM image reduces inter-node ping-pong latency by up to 50% compared to the default CentOS 7 Image (baseline).Benchmark setup2x C2-standard-60 VMs with compact placement policyMPI Library: Intel MPI Library 2018 update 4Command line: mpirun -genv I_MPI_PIN=1 -genv I_MPI_PIN_PROCESSOR_LIST=0 -hostfile <hostfile> -np 2 -ppn 1 IMB-MPI1 Pingpong -iter 50000ResultsIntel MPI Benchmark (IMB) AllReduceThe IMB AllReduce benchmark measures the collective latency among multiple ranks across VMs. It reduces a vector of a fixed length with the MPI_SUM operation. We show 1 PPN (process-per-node) results to represent the case when we have a 1 MPI rank/node and 30 threads/rank and 30 PPN results where there are 30 MPI ranks/node and 1 thread/rank. We saw that the HPC VM image reduces AllReduce latency by up to 40% for 240 MPI ranks across 8 nodes (30 processes per node) compared to the default CentOS 7 image (baseline).Benchmark setup8x C2-standard-60 VMs with compact placement policyMPI Library: Intel MPI Library 2018 update 4Command line: mpirun -tune -genv I_MPI_PIN=1 -genv I_MPI_FABRICS ‘shm:tcp’ -hostfile <hostfile> -np <#vm*ppn> -ppn <ppn> IMB-MPI1 AllReduce -iter 50000 -npmin <#vm*ppn>ResultsHPC application benchmarks: LS-DYNA, Fluent and WRFAt an application level, the HPC VM image yielded up to a 25% performance improvement to the ANSYS LS-DYNA “3 cars” vehicle collision simulation benchmark when running on 240 MPI ranks across 8 Intel Xeon processor based C2 instances. With ANSYS Fluent and WRF, we observed up to 6% performance improvement using the HPC VM image in comparison with the default CentOS Image.Benchmark setupANSYS LS-DYNA (“3-cars” model): 8 C2-standard-60 VMs with compact placement policy, using the LS-DYNA MPP binary compiled with AVX-2 ANSYS Fluent (“aircraft_wing_14m” model): 12 C2-standard-60 VMs with compact placement policyWRF V3 Parallel Benchmark (12 KM CONUS): 16 C2-standard-60 VMs with compact placement policyMPI Library: Intel MPI Library 2018 update 4ResultsWhat’s next? SchedMD Slurm support and additional Linux distributionsWe are continuing to work with our HPC partners to integrate the HPC VM image with partner offerings by default. Starting next month, HPC customers who use Slurm will be able to start HPC-ready clusters that make use of the HPC VM image by default (preview version is  available here). For customers who are looking for HPC Enterprise Linux options and support, SUSE is working with Google on a SUSE Enterprise HPC VM image that has been optimized for Google Cloud. If you’re interested in learning more about SUSE Enterprise HPC VM image, or have a requirement for additional integrations or Linux distributions, please contact us.Get started today!The HPC VM image is available in Preview for all customers through the Google Cloud Marketplace today. Check out our documentation and quickstart guide for more details on creating instances using the HPC VM image. Special thanks to Jiuxing Liu, Tanner Love, Jian Yang, Hongbo Lu and Pallavi Phene for their contributions.Related ArticleGetting higher MPI performance for HPC applications on Google CloudYou can reduce MPI latency in HPC workloads running on Google Cloud by following these best practices.Read Article
Quelle: Google Cloud Platform

What are my hybrid and multicloud deployment options with Anthos?

Anthos is a managed application platform that extends Google Cloud services and engineering practices to your environments so you can modernize apps faster and establish operational consistency across them. With Anthos, you can build enterprise-grade containerized applications faster with managed Kubernetes on Google Cloud, on-premises, and other cloud providers.. In this blog post, we outline each of Anthos deployment options:Google Cloud VMware vSphereBare metal serversAWSMicrosoft AzureAttached clustersDeployment Option 1: Google CloudOne way to improve  your apps’ performance is to run your compute closer to your data. So, if you are already running your services on Google Cloud then it’s best to use Anthos to build, deploy, and optimize your containerized workloads directly on Google Cloud. You can take advantage of Google Cloud AI, machine learning, and data analytics services to gain critical business insights, improve decision-making, and accelerate innovation. In this video, Tony Pujals walks you through a sample deployment for Anthos, including how to use the different tools that Anthos offers—such as Anthos Service Mesh and Anthos Config Management—to modernize, manage, and standardize your Kubernetes environments.Deployment Option 2: VMware vSphere If you are using VMware vSphere in your own environment then you can choose to run Anthos clusters on VMware, which enables you to create, manage, and upgrade Kubernetes clusters on your existing infrastructure. This is a good option if vSphere is a corporate standard for your organization and if you have shared hardware across multiple teams or clusters and with integrated OS lifecycle management. With Anthos clusters on VMware, you can keep all your existing workloads on-premises without significant infrastructure updates. At the same time, you can modernize legacy applications by transforming them from VM-based to container-based using Migrate for Anthos. Going forward, you may decide to keep the newly updated, containerized apps on-prem or move them to the cloud. Either way, Anthos helps you to manage and modernize your apps with ease and at your own pace.Deployment Option 3: Bare metal serversThough virtual machines are unquestionably useful for a wide variety of workloads,  a growing number of organizations are  running Kubernetes on bare metal servers to take advantage of reduced complexity, cost, and hypervisor overhead. Anthos on bare metal lets you run Anthos on physical servers, deployed on an operating system provided by you, without a hypervisor layer. Anthos on bare metal comes with built-in networking, lifecycle management, diagnostics, health checks, logging, and monitoring. Mission critical applications often demand the highest levels of performance and lowest latency from the compute, storage, and networking stack. By removing the latency introduced by the hypervisor layer, Anthos on bare metal lets you run computationally intensive applications such as GPU-based video processing, machine learning, and more, in a cost-effective manner. Anthos on bare metal allows you to leverage existing investments in hardware, OS and networking infrastructure. The minimal system requirement to run Anthos on bare metal at the edge on resource-constrained hardware. This means that you can capitalize on all the benefits of Anthos—centralized management, increased flexibility, and developer agility—even for your most demanding applications.Deployment Option 4: AWSIf your organization has more than a few teams, chances are pretty good that they’re using different technologies, and perhaps even different cloud platforms. Anthos is designed to abstract these details and provide you with a consistent application platform.Anthos on AWS enables you to create Google Kubernetes-based clusters with all of the Anthos features you’d expect on Google Cloud. This means easy deployment using Kubernetes-native tooling, Anthos Config Management for policy and configuration enforcement, and Anthos Service Mesh for managing the increasing sprawl of microservices.When you use the Google Cloud Console, you have a single pane of glass that you can use to manage your applications all in one place no matter where they are deployed.  Deployment Option 5: Microsoft AzureWe are always extending Anthos to support more kinds of workloads, in more kinds of environments, and in  more locations. We announced last year that Anthos is coming to Azure. Support for Microsoft Azure is currently in preview, so stay tuned for more details!Deployment Option 6: Anthos attached clustersWhen thinking about deploying Anthos, you may be wondering about what you’ll do with your existing Kubernetes clusters. With Anthos attached clusters, you can retain your existing Kubernetes clusters while taking advantage of key Anthos features.  Whether you’re running Amazon EKS,  Microsoft AKS, or Red Hat OpenShift, you can attach your existing clusters to Anthos. That means you can centrally manage your deployments in Google Cloud Console, enforce policies and configuration using Anthos Config Management, and centrally monitor and collect logs. Of course, Anthos doesn’t manage everything; you still must manually maintain your clusters and keep them up to date. This deployment option does, however, enable you to begin your Anthos journey at a pace that works well for you, and eases the transition to Anthos in other cloud environments.ConclusionSo there you have it—six different hybrid and multicloud deployment options for Anthos! Depending on where your infrastructure and data is today, one or perhaps a combination of these options will help you power your application modernization journey, with a modern application platform that just works on-prem or in a public cloud, ties in seamlessly with legacy data center infrastructure, enables platform teams to cost-optimize, and supports a modern security posture anywhere.Here is a comprehensive video series on Anthos that walks you through how to get started:Here is a comprehensive video series on Anthos that walks you through how to get started:What is Anthos?For more resources on Anthos checkout the Consistent service delivery everywhere with Anthos eBook.And, for more #GCPSketchnote and similar cloud content follow me on twitter @pvergadia and keep an eye out on thecloudgirl.dev.Related ArticleIntroducing the Anthos Developer Sandbox—free with a Google accountThe new Anthos Developer Sandbox spins up all the tools you need to learn how to develop for the Anthos platform.Read Article
Quelle: Google Cloud Platform

Limiting public IPs on Google Cloud

You’ve heard this saying: Hope is not a strategy when it comes to security. You have to approach security from all angles, while minimizing the burden on dev and SecOps. But with an ever increasing number of endpoints, networks, and attack surfaces, setting automated and trickle down security policies across your cloud infrastructure can be a challenge. On top of that administrators need to set guardrails to ensure that their workloads are always compliant with security requirements and industry regulations. Public IPs are among the most common ways that enterprise environments are exposed to the internet, making them susceptible to attacks and data exfiltration. That’s why limiting public IPs is paramount in securing these environments. On Google Cloud Platform, it’s important to understand what resources use public IPs in your network, which can include:VMsLoad balancersVPN gatewaysWhen you start to deploy production level systems, you’re looking at potentially thousands of instances in which your developers can deploy public IP addresses. Organization PoliciesOrganization policies give you centralized control over your organization’s Google Cloud resources. As the organization policy administrator, you can configure restrictions across your entire resource hierarchy. For example, you can set organization policies on your top-level GCP organization, on nested folders, or on projects. These policies can be inherited by nested folders and projects, or they can be overridden on a case by case basis. Using organization policies, you can enforce constraints on Google Cloud resources, such as VMs and load balancers to adhere to basic security requirements at all times. You can use organization policies as guardrails to ensure no public IPs are allowed in your Google Cloud network. It’s a perfect tool for IT or Security Admins to ensure all cloud deployments adhere to their security standards. Let’s walk through how to set them up.Limit public IPs for VMsCompute Engine instances can be exposed to the internet directly when you:Assign the VM a public IPUse protocol forwarding with the VM as its endpointTo prevent Compute Engine instances from getting public IPs, first make sure you have the Org Policy Admin role in the organization, so you can add and edit org policies. Then, on the Organization policies page in the Google Cloud Console, search for and edit the org policy constraint named constraints/compute.vmExternalIpAccess. This constraint lets you define the set of Compute Engine VMs that are allowed to use public IPs in your network. (No other VMs will be able to be assigned a public IP.) Edit the policy with the following values:Under Custom values, paste the path to any instance for which you want to want to allow external IP creation, for example: projects/{project-id}/zones/{zone}/instances/{instance-name}.Now you’ve restricted public IP creation to only the instances you’ve explicitly specified, and prevented public IP creation for any other instances in your organization.Prevent protocol forwarding to a VMTo prevent protocol forwarding from being enabled, use the org policy constraint named constraints/compute.restrictProtocolForwardingCreationForTypes, and set it to the following values. Note that the policy value is case sensitive.This constraint lets you limit virtual hosting of public IPs by Compute Engine VM instances in your organization.Limit public IPs of VPN gatewaysFor VPNs, a VPN gateway requires a public IP address for you to connect your on-premises environment to Google Cloud. To ensure that your VPN gateway is protected, use the org policy constraint named constraints/compute.restrictVpnPeerIPs. This constraint will limit the public IPs that are allowed to initiate IPSec sessions with your VPN gateway.Limit Public IPs of Load BalancersGoogle Cloud offers a variety of internal and external load balancers. To prevent the creation of all external load balancer types, use the org policy constraint named  constraints/compute.restrictLoadBalancerCreationForTypes. Then make sure to add all external load balancers for the policy values, as shown below:Instead of manually entering each load balancer, you can also simply add in:EXTERNAL, which will always cover all types of external load balancers. As new load balancer types are introduced, you can be assured your infrastructure will remain secure.Restricting GKE servicesGoogle Kubernetes Engine (GKE) lets developers create and expose their services to the internet easily. But if you apply the previously discussed policies for VMs and load balancers, no new GKE services can be exposed to the internet without the org admin’s knowledge. For example, if a developer attempts to create a GKE service with an external load balancer, the forwarding rule for the required load balancer can’t be created with the org policy constraint in place. Furthermore, checking the status of the GKE service will deliver a pending external IP. When they run kubectl describe service, they’ll get an error due to the load balancer org policy constraint in place.Keep in mind organization policies are not retroactive. They will only apply to new infrastructure requests after the policy is set. So you don’t have to worry about breaking any existing workloads when you add these policies to your org. You can apply org policies easily and efficiently across your entire org hierarchy or on a subset of resources from a single, centralized place, and prevent stray resources from being assigned public IPs when they shouldn’t have them. Try it out for yourself, and learn more in the organization policy constraints documentation.For more cloud content, follow me on Twitter @stephr_wong.Related ArticleYour top network performance problems and how to fix themWhether you want to troubleshoot a performance problem or optimize your deployment decisions, Google Cloud has a comprehensive set of too…Read Article
Quelle: Google Cloud Platform