While deploying Dockerized applications, familiarize yourself with some key concepts and terminologies.

Hosts

These are virtual machines. In GCP deployments, they are also called Worker nodes. By default, apps within a Tenant are pinned to VMs in the same Tenant. DuploCloud has the ability to deploy Hosts in a separate Tenant and apps in other Tenants that leverage these Hosts. This is called Shared Host Model and is not applicable to GCP.

Service

Service is a DuploCloud term. DuploCloud Services are not Kubernetes Services. Services are microservices that are defined by a Name, DockerImage, and a number of replicas in addition to many other optional parameters. Behind the scenes, a DuploCloud Service maps 1:1 either to a Kubernetes deployment set or to a StatefulSet depending on whether the microservice has stateful volumes or not.

When deploying services, especially in a staging environment, it's crucial to ensure that containers have the necessary permissions for read/write operations. This may involve configuring a security context within the service's configuration to address local write failures, a common issue when containers are restricted compared to their local development environment. This adjustment ensures that the container can write to temporary file directories on the server, facilitating smooth deployment and operation.

Services have many optional configurations representing various ways Docker containers can be run, including:

• Environment variables

• Host Network Mode

• Volume mounts

• Entrypoint or command overrides

• Resource caps

• Health Checks

Allocation Tags

If a service needs to be pinned to run only a specific set of hosts, set an Allocation Tag on the Hosts as well as on the Service. The Allocation Tag is a case-insensitive substring match. For example, an Allocation Tag specified on a service is usually a substring of the tag specified on the host. A Host may be tagged as HighCpu;HighMem and the Service (if tagged highcpu) can be allocated on the Host. However, if the service is tagged highcpu;gpu then it won't be allocated and needs a host that has been tagged highcpu;gpu. If a Service does not have any tag set, it can be placed on any host.

In the case of Kubernetes deployments, the concept of Allocation Tags maps to labels on nodes, and on node selectors on the deployment set or StatefulSet.

• Host Networking: By default, Docker containers have their own network addresses. If you want these containers to use the same network interface as the VM, this is achieved through Host Network Mode.

• Load Balancer: If a service must be accessed by other services, it needs to be exposed using internal and external load balancers.

This comprehensive approach ensures that services are deployed efficiently and securely, with appropriate configurations for networking, permissions, and resource allocation, facilitating a smooth operation across different environments.

DuploCloud abstracts the complexity of container orchestration technologies, allowing you to focus on the deployment, updating, and debugging of your containerized application.

Among the technologies supported are:

• Google Kubernetes Engine (GKE Autopilot): DuploCloud platform uses GKE Autopilot, providing you with a user-friendly interface that conceals the complexities of Kubernetes serverless workloads. Using the UI you can add K8S configurations around Pods, Containers, Secrets, and so on. See here on how to setup a Auto-Pilot cluster.

• Google Kubernetes Engine (GKE Standard): DuploCloud platform uses GKE Standard, providing the same user-friendly interface to manage underlying Kubernetes Cluster and Node Pools. See here on how to setup a standard cluster.

• Built-in (Docker Native): DuploCloud platform's built-in container management has the same interface as the docker run command, except that it can be scaled to hundreds of containers across many hosts, providing capabilities such as associated load balancers, DNS, and more.

Typically the DuploCloud onboarding team performs these steps in your GCP project with your permission. These steps need to be performed and are described in detail in the subsequent subsections:

1. Add Service Account, Key Creation, and Project to the DuploCloud Portal. A single DuploCloud Portal supports multiple GCP projects. Each project is added to DuploCloud, and the DuploCloud platform gives access to the project via Service Account keys.

2. Set up Cloud DNS Zone.

3. Create Certificates for Load Balancers and Kubernetes Ingress.

4. Perform initial Infrastructure and Tenant setup.

5. Set up tools for the Tenant, such as enabling kubectl shell.

The DuploCloud platform installs a Virtual Machine resource within your GCP Project. It can be accessed using a web interface, API, and a Terraform provider. Log in to the DuploCloud portal via SSO through your GSuite or O365 login.

Prerequisites

Before you begin, ensure that:

• DuploCloud Portal has been set up and you have access to it.

• You have access to your individual Slack or Teams channel for 24x7 support from the DuploCloud team.

Behind the scenes, a topology is created similar to the following low-level configuration in GCP.

DuploCloud abstracts the complexity of container orchestration technologies, allowing you to focus on the deployment, updating, and debugging of your containerized application.

Among the technologies supported are:

• Google Kubernetes Engine (GKE Autopilot): DuploCloud platform uses GKE Autopilot, providing you with a user-friendly interface that conceals the complexities of Kubernetes serverless workloads. Using the UI you can add K8S configurations around Pods, Containers, Secrets, and so on.

• Google Kubernetes Engine (GKE Standard): DuploCloud platform uses GKE Standard, providing the same user-friendly interface to manage underlying Kubernetes Cluster and Node Pools.

• Built-in (DuploCloud): DuploCloud platform's built-in container management has the same interface as the docker run command, except that it can be scaled to hundreds of containers across many hosts, providing capabilities such as associated load balancers, DNS, and more.

Container orchestration feature matrix

Use the feature matrix below to compare the features of the orchestration technologies that DuploCloud supports. DuploCloud helps you implement any option you choose through the Portal or the Terraform API.

Feature definitions

Use the definitions below to understand how each feature in the matrix above is rated in relation to each of the three listed technologies (Kubernetes, Built-In).

• Ease of Use:

  • Kubernetes is extensible and customizable, but not without a cost in ease of use. The DuploCloud platform reduces the complexities of Kubernetes, making it comparable with other container orchestration technologies in ease of adoption.

  • DuploCloud's Built-in orchestration mirrors docker run. You can SSH into a virtual machine (VM) and run docker commands to debug and diagnose. If you have an application with a few stateless microservices; or configurations that use environment variables or Google Cloud Extensions, Google Cloud Storage, or GCP Secret Manager, consider using DuploCloud's Built-in container orchestration.

• Features and Ecosystem Tools: Kubernetes is rich in many additional built-in features and ecosystem tools, most notably Secrets Management and ConfigMaps. While Kubernetes features have an equivalent in GCP, third parties tend to publish their software as Kubernetes packages (Helm Charts). Some examples are Influx DB, Time Series DB, Prefect, etc.

• Suitability for Stateful apps: Stateful applications should be avoided in GCP. Instead, cloud-managed storage solutions should be leveraged for the best availability and SLA compliance. In scenarios where this is undesirable due to cost, Kubernetes offers the best solution. Kubernetes uses StatefulSets and Volumes to implicitly manage Google Cloud Storage volumes.

• Stability and Maintenance: Although Kubernetes is highly stable, it is an open-source product. The native customizability and extensibility of Kubernetes can lead to points of failure when a mandatory cluster upgrade is needed, for example. This complexity often leads to support costs from third-party vendors. Maintenance can be costly with GKE, as versions are deprecated frequently and you are required to upgrade the control plane and data nodes. While DuploCloud automates this upgrade process, it still requires careful planning and execution.

• GCP Cost: While the GCP control plane cost is relatively low, it is not recommended to operate a GKE environment without business support at an additional premium. If you are a small business, you may be able to add the support tier when you need it and then turn it off to reduce costs.

• Multi-Cloud: For many enterprises and independent software vendors this is a requirement, either immediately or in the future. While Kubernetes provides this benefit, DuploCloud's implementation is much easier to maintain and easier to implement.

Enabling kubectl shell access in GCP is part of a one-time DuploCloud Portal setup process.

Step 1: Create a Node Pool

1. In the Tenant list box, select the Tools Tenant.

2. Navigate to Kubernetes -> Nodes.

3. Select the Node Pool tab, and click Add.

1. Complete the required fields, and click Create.

2. Once the node pool is complete, it will display on the GCP VM tab with a status of Running.

Step 2. Create a DuploCloud Service

1. In the Tenant list box, select the Tools Tenant.

2. Navigate to Kubernetes -> Services.

3. Click Add. The Add Service page displays.

4. From the table below, enter the values that correspond to the fields on the Add Service page. Accept default values for fields not specified.

1. In the Environment Variables field, enter the following YAML. Replace the flask app secret (b33d13ab-5b46-443d-a19d-asdfsd443 in this example) with a string of random numbers and letters in the same format and replace CUSTOMER_PREFIX with your customer URL prefix.

1. Click Next. The Advanced Options page displays.

2. Click Create. The Service is created.

Step 3: Create a Load Balancer

1. Navigate to Kubernetes -> Services.

2. Select the kubectl Service from the NAME column.

3. Select the Load Balancers tab, and click Configure Load Balancer. The Add Load Balancer Listener pane displays.

4. In the Select Type list box, select K8s Cluster IP.

5. In the Container port and External port fields, enter 80.

6. In the Health Check field, enter /duplo_auth.

7. In the Backend Protocol list box, select TCP

8. Select Advanced Kubernetes settings and Set HealthCheck annotations for Ingress.

9. Click Add. The Load Balancer listener is added.

Step 4: Add an Ingress

1. In the Tenant list box, select the Tools Tenant.

2. Navigate to Kubernetes -> Ingress.

3. Click Add. The Add Kubernetes Ingress page displays.

4. In the Ingress Name field, enter kubect-shell.

5. From the Ingress Controller list box, select gce.

6. In the Visibility list box, select Public.

7. In the DNS Prefix field, enter the DNS name prefix.

8. In the Certificate ARN list box, select the ARN added to the Plan in the Certificate for Load Balancer and Ingress step.

1. Click Add Rule. The Add Ingress Rule pane displays.

2. In the Path field, enter (/)

3. In the Service Name list box, select the Service previously created (kubectl:80)

4. Click Add Rule. A rule directing all traffic to the kubectl Service is created.

13. On the Add Kubernetes Ingress page, click Add. The Ingress is created.

Step 5: Add the DNS name to System Settings

1. Navigate to Administrator -> Systems Settings.

2. Select the System Config tab, and click Add. The Add Config pane displays.
3. From the Config Type list box, select AppConfig.

4. From the Key list box, select Other.

5. In the second Key field, enter DuploShellfqdn

6. In the Value field, paste the Ingress DNS. To find the Ingress DNS, navigate to Kubernetes -> Ingress, and copy the DNS from the DNS column.
7. Click Submit. kubectl shell access is enabled.

A service account and a key are created for each GCP project to be onboarded.

Disabling Restriction on the Service Account Key

1. Login to the and select the desired project.

2. Open the navigation pane at the top left of the home page ( ), and select IAM & Admin -> Organization Policies.

3. Filter and search for iam.disableServiceAccountKeyCreation.

4. Click the options menu ( ) and select Edit policy.

5. Add a Rule (Rule 1 in the graphic below) to turn off enablement.

Creating a Service Account

1. In the left navigation pane, click IAM & Admin -> Service Accounts. The Service Accounts page for your project displays.

2. Click Create Service Account. The Create service account wizard opens.

3. Complete Service Account Details.

4. In the Grant this service account access to project step, assign the Owner role as shown below, giving the account owner permission to the project. Complete the wizard, and click Done.

1. Select the Service Account you created and add a new JSON Key.

2. Download the JSON file and give it a meaningful name, such as my-gcp-project-sa-key.json.

3. Open a Terminal window and navigate to the location of the downloaded JSON file.

4. Run the following command. This copies the key contents on your clipboard. You can verify the contents by pasting it into a text editor.

Adding the Service Account Private Key to the DuploCloud Portal

To add the private key to DuploCloud:

1. Login to the DuploCloud and navigate to Administrator -> Cloud Credentials. The Cloud Credentials page displays.

2. Paste the key in the Service Account Private Key field.

3. Enter a Display name for easy reference. Ideally, this name should include the project name.

4. Enter the Project ID and Service Account Email from the JSON key file you downloaded.

5. Click Submit.

Once your GCP project has been added to the DuploCloud Portal, the next step is to set up the first Infrastructure.

Creating an Initial Infrastructure

1. From the DuploCloud Portal, navigate to Administrator -> Infrastructure, and click Add.

2. Give the Infrastructure a Name, e.g., nonprod.

3. Select the appropriate Account.

4. Enter the VPC CIDR, e.g., 10.30.0.0/16 (Note: A /16 CIDR block is recommended for Kubernetes to accommodate its IP address requirements).

5. From the Cluster Mode list box, select GKE Standard.

6. From the GKE Endpoint Visibility list box, select Public (for production Infrastructures, set visibility to Private).

7. For the remaining fields, keep the default values.

1. Click Create. It will take approximately 15 to 20 minutes for the setup to complete. Monitor faults to see if any issues arise (NTP clock sync faults can be ignored).

Applications deployed in the GCP environment must be exposed using SSL/TLS. To expose these applications, we provide GCP with certificates that can be used for Load Balancers and GKE ingress. In this step, we'll create an SSL certificate for the domain associated with the hosted zone you created earlier.

Prerequisites

• Obtain the public and private certificate files from your chosen SSL certificate provider, such as GoDaddy or Namecheap. We recommend obtaining a wildcard SSL certificate for the domain associated with your hosted zone (e.g., .apps.acme.com) to cover all subdomains. For example, if your DNS zone is for apps.acme.com, you should issue a wildcard certificate for *.apps.acme.com to secure all subdomains.

Creating a Global Certificate for Public-Facing Load Balancers

Create global and regional SSL certificates in the GCP Console using the Classic Certificates method.

1. Log in to the GCP Console.

2. Navigate to Certificate Manager, and click Classic Certificates.
3. Click on Create SSL Certificate.

4. Provide the certificate with a name and upload the public and private key certificate files obtained in the prerequisite.

   • As a best practice, name the certificate global-<DNS Domain name>, where the dots (.) are replaced with hyphens (-). For example, if your domain is example.com, name the certificate global-example-com.

5. Note the name of the global certificate for use in future steps.

Creating a Regional Certificate for Private/Internal Load Balancers

1. From the GCP Console, open the GCP Cloud Shell by clicking on the Cloud Shell icon in the top right corner.

2. Once the Cloud Shell opens, create the following files:

   • public.cert Paste the content of the public certificate into this file.

   • private.key Paste the content of the private key into this file.

3. Run the following command to create a regional SSL certificate:

• As a best practice, name the certificate using the format <region>-<DNS Domain name>, where the dots (.) in the domain name are replaced with hyphens (-). For example, for the us-central region and domain acme.com, the certificate should be named uscentral1-internal-acme-com.

1. After running the command, refresh the Classic Certificates page in the GCP Console. Both global and regional certificates should now be listed.

2. Note the certificate names for use in future steps.

Adding Certificates in DuploCloud

Add multiple domains to the SSL certificate. This is especially useful for domain names that differ from the internal zone you set up in the previous step. This allows you to secure your primary domain and any other domains you may use for your applications or services.

1. Log in to the DuploCloud Portal.

2. Navigate to Administrator -> Plans.

3. Select the Certificates tab, and click Add.

4. Add the global and regional certificates, one at a time You can name them the same names you used in the GCP portal. For each certificate, choose the type LB SSL Certificate.

5. Click Create. The GCP certificates are added to your DuploCloud Portal.

Once the initial infrastructure setup is complete, the next step is to add a DuploCloud Tenant for tools like kubectl shell, OpenTelemetry, etc.

Follow the instructions in the DuploCloud documentation to . Name the Tenant Tools, and select the Plan with the same name as the initial Infrastructure you created in the previous step.

This section includes optional configurations for DuploCloud users managing Docker-based deployments in GCP. These configurations help optimize workflows and ensure containerized applications are securely managed and efficiently deployed. It includes two subsections:

• Docker Registry Credentials: This page explains how to configure credentials for external Docker registries such as Docker Hub, Amazon ECR, or private repositories.

• Setting up a Shell for Docker: This section guides Native Docker users through setting up a Docker shell to access the command-line interface for building, running, and managing containers.

Configure and implement secure VPN connections using OpenVPN. These configurations help optimize network security and ensure you can securely access your cloud resources. It includes two subsections:

• VPN Setup: This page outlines the two-step process for setting up OpenVPN, including accepting the OpenVPN agreement in the GCP Marketplace and provisioning a VPN in the DuploCloud Portal.

• Connect to the VPN: This section guides users through connecting to the provisioned VPN, enabling secure communication between local environments and cloud resources.

If you use an external Docker registry (outside of Google’s own GCR or GAR) like Docker Hub, Amazon ECR, or private registries, you must configure Docker registry credentials. This step ensures that your GCP environment has the proper authentication to access images from an external registry, preventing unauthorized access or image pull failures.

Set Docker Registry Credentials

1. In the DuploCloud Portal, navigate to Docker -> Services.

2. From the Docker list box, select Docker Credentials. The Set Docker registry Creds pane displays.

3. Enter your Docker credentials (Username, Password, and Email), and click Submit. The Docker registry credentials are passed to the Kubernetes cluster as a kubernetes.io/dockerconfigjson secret.

Add Multiple Docker Registry Credentials

Pull images from multiple Docker registries by adding multiple Docker Registry Credentials.

1. In the DuploCloud Portal, click Administrator -> Plan. The Plans page displays.

2. Select the Plan name from the NAME column.

3. Select the Config tab, and click Add. The Add Config pane displays.

4. In the Config Type list box, select DockerRegistryCreds.

5. In the Name field, enter the registry name.

6. In the Value field, enter your registry credentials.

7. Click Submit.

Each DuploCloud Infrastructure is a connection to a unique Virtual Private Cloud (VPC) network that resides in a region that can host Kubernetes clusters.

After you supply a few basic inputs, DuploCloud creates an Infrastructure for you within Google Cloud Platform (GCP) and DuploCloud, with a few clicks. Behind the scenes, DuploCloud does a lot with what little you supply — generating the VPC, Subnets, NAT Gateway, Routes, and Google Kubernetes Engine (GKE) cluster.

With the Infrastructure as your foundation, you can customize an extensible, versatile Platform Engineering development environment by adding Tenants, Hosts, Services, and more.

Estimated time to complete Step 1: 20 minutes. Much of this time is consumed by DuploCloud's creation of the Infrastructure and enabling your GKE cluster with Kubernetes.

Prerequisites

Before starting this tutorial:

• Learn more about DuploCloud Infrastructures, Plans, and Tenants.

• Reference the Access Control documentation to create User IDs with the Administrator role. To perform the tasks in this tutorial, you must have Administrator privileges.

Creating a DuploCloud Infrastructure

1. In the DuploCloud Portal, navigate to Administrator -> Infrastructure. The Infrastructure page displays.

2. Click Add. The Add Infrastructure page displays.

3. From the table below, enter the values that correspond to the fields on the Add Infrastructure page. Accept all other default values for fields not specified.

4. Use the toggle switch to Enable GKE.

5. Select either GKE Autopilot or GKE Standard options. You will follow different paths in the tutorial for creating clusters with GKE Autopilot or GKE Standard.

6. Click Create to create the Infrastructure. DuploCloud begins creating and configuring your Infrastructure and GKE Cluster using Kubernetes. It may take up to twenty (20) minutes to create the Infrastructure.

Verifying that a Plan exists for your Infrastructure

Every DuploCloud Infrastructure generates a Plan. Plans are sets of templates that are used to configure the Tenants or workspaces, in your Infrastructure. You will set up Tenants in the next tutorial step.

Before proceeding, confirm that a Plan exists that corresponds to your newly created Infrastructure.

1. In the DuploCloud Portal, navigate to Administrator -> Plans. The Plans page displays.

2. Verify that a Plan exists with the name you gave to the Infrastructure you created.

Checking your work

You previously verified that your Infrastructure and Plan were created. Now verify that Kubernetes is enabled before proceeding to Create a Tenant.

1. In the DuploCloud Portal, navigate to Administrator -> Infrastructure. The Infrastructure page displays.

2. From the NAME column, click on the name of the Infrastructure you created.

3. Click the GKE tab. When Kubernetes has been Enabled for GKE, details are listed in the tab. The Infrastructure page displays the Enabled status on the Kubernetes card for GKE Clusters.

Viewing GKE Cluster details

When an Infrastructure is created, a GKE Cluster is created by default. You can view the details and download the kubeconfig file from the DuploCloud portal.

From the DuploCloud portal, navigate to Administrator -> Infrastructure. Click on the name of the Infrastructure, and select the GKE tab. To download the kubeconfig file, click Download Kube Config.

SSL certificates secure connections between clients, servers, and Load Balancers by encrypting data transmitted over the network using Transport Layer Security (TLS). GCP provides two primary methods for configuring SSL certificates: Compute Engine SSL Certificates and Certificate Manager (using certificate maps). While DuploCloud supports both methods, we recommend Certificate Manager whenever possible. This approach is preferable because Compute Engine certificates cannot be validated until associated with a Load Balancer, potentially leading to downtime. In contrast, certificate maps can be validated in advance, helping to ensure consistent uptime and a smoother management experience.

Prerequisites

• Obtain public and private certificate files from your chosen SSL certificate provider, such as GoDaddy or Namecheap.

Creating a Certificate Map With Certificate Manager

1. Create a DNS authorization resource using the following command where YOUR_DOMAIN is your domain URL and MAP_NAME is your certificate name (a unique name you choose for your certificate map).

gcloud certificate-manager dns-authorizations create MAP_NAME \
  --domain="YOUR_DOMAIN"
gcloud certificate-manager dns-authorizations list

1. Manually create the DNS records shown in the output of the list command. You'll usually do this in the certificate's domain zone in the Cloud DNS service for the same project, but it depends on how you set up DNS.

2. Create the certificate:

gcloud certificate-manager certificates create MAP_NAME \
  --domains="YOUR_DOMAIN,*.YOUR_DOMAIN" \
  --dns-authorizations=MAP_NAME

1. Create the certificate map and its entries:

gcloud certificate-manager maps create MAP_NAME
gcloud certificate-manager maps entries create MAP_NAME \
  --map="MAP_NAME" \
  --certificates="MAP_NAME" \
  --hostname="YOUR_DOMAIN"
gcloud certificate-manager maps entries create MAP_NAME-wildcard \
  --map="MAP_NAME" \
  --certificates="MAP_NAME" \
  --hostname="*.YOUR_DOMAIN"

1. Add the certificate map to the DuploCloud Plan. Navigate to Administrator -> Plans. Select the Certificates tab and click Add. The Add a Certificate pane displays.

2. In the Name field, create a name for the certificate (the name is arbitrary as it is only a display name to be used within DuploCloud).

3. In the GCP Certificate Type list box, select the certificate type. The certificate type must match the certificate entered in the gcloud certificate-manager maps entries create command.

4. In the GCP Certificate Map field, enter the name of your map (in this example, MAP_NAME).

5. Click Create. The certificate can now be used with your DuploCloud Services.

Create a docker image repository in GCP's Artifact Registry service and push an image to it.

Prerequisites

1. Install Docker.

2. Install and configure the gcloud CLI.

3. Run gcloud info and confirm it shows your email address and GCP project.

Creating the Repository

1. Navigate Google Cloud Console and create a repository with the following inputs:

• Type: Docker

• Mode: Standard

• Location: Unless you know you need multiple regions, use the same region as your Duplo portal.

• Encryption: Google-managed encryption key

• Immutable tags: Enabled (this isn't required, but it's a common good practice)

• Cleanup policies: Dry run

1. Copy the repo path from the Google UI. This will be used to tag the image later. The path will look similar to this: us-east1-docker.pkg.dev/qa-gcp3/testrepo.

Building and Pushing an Image

Now you can tag and push any image you build. On some platforms (like Apple M1 laptops), you may need to specify a build architecture.

1. Authenticate Docker with GCP: gcloud auth configure-docker us-east1-docker.pkg.dev

2. Build an image: docker build --platform linux/amd64 . -t testimage:amd64

3. Add a tag to the image that includes the repo path from above: docker tag testimage:amd64 us-east1-docker.pkg.dev/qa-gcp3/testrepo/testimage:amd64 (Alternatively, you can add this tag with -t flags in the build step.)

4. Push the image: docker push us-east1-docker.pkg.dev/qa-gcp3/testrepo/testimage:amd64

5. The image tag displays in the GCP UI:

Using the Image in DuploCloud

Enter the image tag in the Docker Image field of any DuploCloud Service running in the same GCP account. Use the full path and tag (the arguments to the push command) as shown below.

us-east1-docker.pkg.dev/qa-gcp3/testrepo/testimage:amd64

DuploCloud integrates with OpenVPN by provisioning VPNs for users added through the DuploCloud Portal. The OpenVPN setup involves a two-step process: accepting the OpenVPN agreement in the GCP Marketplace, and Provisioning a VPN in the DuploCloud Portal.

Accepting OpenVPN

Accept the OpenVPN Free Tier (Bring Your Own License) agreement in the GCP marketplace:

1. Log into your GCP account.

2. In the Google Cloud Console, navigate to the Marketplace.

3. Search for OpenVPN in the Marketplace.

4. Select the product (OpenVPN Free Tier) and accept the agreement.

Provisioning a VPN

1. In the DuploCloud Portal, navigate to Administrator -> System Settings.

2. Select the VPN tab.

3. Click Provision VPN. Behind the scenes, DuploCloud launches a cloud formation script to provision the OpenVPN. OpenVPN is ready to use.

Optional VPN Configurations

Provisioning a VPN While Creating a User

1. In the DuploCloud Portal, navigate to Administrator -> Users.

2. Click Add. The Create User pane displays.

3. Enter the username in the Username field.

4. In the Roles field, select the appropriate role(s) for the user.

5. Select Provision VPN.

6. Click Submit.

Deleting VPN Access for a User

See Deleting a VPN user. To delete VPN access, you must have administrator privileges.

Opening a VPN Port

By default, users connected to a VPN can SSH or RDP into virtual machines (VMs). Users can also connect to internal Load Balancers and application endpoints. However, you must open a VPN port to connect to other Services, such as databases and ElastiCach.

1. In the DuploCloud Portal, navigate to Administrator -> Tenants.

2. Select the Tenant in the NAME column.

3. Select the Security tab.

4. Click Add. The Add Tenant Security pane displays.
5. In the Source Type field, select Ip Address.

6. In the IP CIDR field, enter the VPN IP address range in CIDR notation, for example, 10.0.0.0/24 or 192.168.1.0/24.

7. In the Protocol list box, select the protocol you wish to allow through the VPN port.

8. Enter the range in the Port Range field, specify the port or range of ports that need to be opened.

9. Enter a brief description of the security rule being added in the Description field.

10. Click Add. The VPN port is open.

The DuploCloud Platform requires a unique GCP Cloud DNS zone to create DNS entries for the services you deploy. The domain must be registered with a domain provider and set in DuploCloud before configuration. We recommend creating a subdomain such as apps.[MY-COMPANY].com or internal.[my-company].com.

Creating a DNS Zone

Create a DNS Zone in the GCP Console:

1. Log in to the GCP console.

2. Select Network Services -> Cloud DNS.

3. Click Create Zone, as shown below, and note the Zone Name you create. You will need it to add to DuploCloud in a later step.

4. Access the zone and note the Nameserver names.

Configuring NS Records

1. Navigate to your root Domain Provider's site (for acme.com, for example).

2. Create an NS record that references the domain name of the hosted zone you created (apps.acme.com), and add the zone name to the Nameservers you noted above.

Provisioning the Zone in DuploCloud

Provision the zone in every DuploCloud Plan, starting with the Plan created in the previous step.

1. In the DuploCloud Portal, navigate to Administrator -> Plans.

2. Select the Plan name from the NAME column.

3. Select the DNS tab, and click Edit. The Set Plan DNS pane displays.

4. In the Cloud DNS Zone field, enter the zone name.

5. In the External DNS Suffix and Internal DNS Suffix fields, enter the domain name, preceded with a dot (.)

6. Click Submit.

DuploCloud integrates with OpenVPN by automatically provisioning VPNs for users added through the DuploCloud Portal. As a DuploCloud user, you can securely access resources within the private network by connecting via the OpenVPN client.

Accessing VPN Credentials

1. Click on your user name in the upper right corner of the DuploCloud Portal, and select Profile. Your Profile page displays.

2. VPN credentials are displayed in the VPN Details area of the Profile page.

Setting up the OpenVPN User Profile and Client App

1. Click on your user name in the upper right corner of the DuploCloud Portal, and select Profile. Your Profile page displays.

2. Click the VPN URL link in the VPN Details section. Browsers may call the link unsafe since it is using a self-signed certificate. Proceed to it anyway.

3. Log in to the OpenVPN Access Server portal using the credentials from your Profile page.

4. Click on the OpenVPN Connect Recommended for your device link to install the OpenVPN Connect application on your local machine.

1. Click the link labeled Yourself (user-locked profile) to download your OpenVPN user profile.
2. Open the .ovpn file and click OK in the Import .ovpn profile dialog.
3. Click Connect. The OpenVPN user profile and client app are set up.

For Docker Native users, setting up shell access for Docker enables you to run Docker commands, build, push, and pull images, and manage containers deployed in GCP. Configuring shell access helps ensure that your GCP environment, integrated with DuploCloud, is fully equipped to handle container operations.

Enabling the Docker Native Container Shell

1. In the DuploCloud Portal, navigate to Docker -> Services. The Services page displays.

2. Click the Docker button, and select Enable Docker Shell. The Start Shell Service pane displays.
3. From the Platform list box, select Docker Native.

4. From the Certificate list box, select the certificate name.

5. From the Visibility list box, select Public.

6. Click Update. DuploCloud provisions a Service named dockerservices-shell, enabling you to access your containers using SSH.

This quick-start tutorial shows you how to set up an end-to-end cloud deployment. You will create Google Cloud Platform infrastructure and Tenants. By the end of this tutorial, you should be able to view the deployed sample web application.

Estimated time to complete tutorial: 60-70 minutes.

GCP Tutorial Roadmap

When you complete the GCP Quick Start Tutorial, you have two options or paths, as shown in the table below.

• Using GKE Autopilot - You create an app and service in DuploCloud using Google Kubernetes Engine-Autopilot and expose it using a load balancer within DuploCloud.

• Using GKE Standard - You create an app, service and a node pool in DuploCloud using Google Kubernetes Engine-Standard and expose it using a load balancer within DuploCloud.

For beginners, we recommend you use GKE Autopilot. GKE Autopilot manages the infrastructure, including the nodes, node pools, and underlying infrastructure resources such as networking and storage. You do not need to manage or configure node pools, node instance types, or autoscaling policies.

GKE Standard offers more granular control over resource management, including the ability to configure node pools with specific types of instances, set scaling policies, and manage node upgrades.

For a high-level comparison of GKE Autopilot and GKE Standard and to help you choose which method best suits your needs, skills, and environments, see this Google Cloud documentation.

* - Optional Step

GCP Video demo

Click the card below to watch a DuploCloud GCP demo.

Now that the exist and a Kubernetes GKE Cluster has been enabled, create one or more Tenants that use the configuration DuploCloud created.

in DuploCloud are similar to projects or workspaces and have a subordinate relationship to the Infrastructure. Think of the Infrastructure as a virtual "house" (cloud), with Tenants conceptually "residing" in the Infrastructure performing specific workloads that you define. As Infrastructure is an abstraction of a Virtual Private Cloud, Tenants abstract the segregation created by a , although Kubernetes Namespaces are only one component that Tenants can contain.

Estimated time to complete Step 2: 10 minutes.

Tenant use cases

DuploCloud customers often create at least two Tenants for their production and non-production cloud environments (Infrastructures).

For example:

• Production Infrastructure

  • Pre-production Tenant - for preparing or reviewing production code

  • Production Tenant - for deploying tested code

• Non-production Infrastructure

  • Development Tenant - for writing and reviewing code

  • Quality Assurance Tenant - for automated testing

In larger organizations, some customers create Tenants based on application environments, such as creating one Tenant for Data Science applications and another Tenant for web applications, and so on.

Tenants are sometimes created to isolate a single customer workload, allowing more granular performance monitoring, scaling flexibility, or tighter security. This is referred to as a single-Tenant setup.

Prerequisites

Before creating a Tenant, verify that you accomplished the tasks in the previous tutorial steps. Using the DuploCloud Portal, confirm that:

Creating a Tenant

Create a Tenant for your Infrastructure and Plan:

1. In the DuploCloud Portal, navigate to Administrator -> Tenants.

2. Click Add. The Create a Tenant pane displays.

1. Enter a unique name for your Tenant in the Name field. Choose unique names that are not substrings of one another, for example, if you have a Tenant named dev, you cannot create another named dev2. We recommend using distinct numerical suffixes like dev01 and dev02.

2. Select the Plan that you created in the previous step.

3. Click Create.

Checking your work

From the DuploCloud portal, navigate to Administrator -> Tenants, and verify that a Tenant exists with the name and Plan you created.

You can test your application directly from the Services page.

Estimated time to complete Step 5 and finish tutorial: 10 minutes.

Prerequisites

Before creating a Load Balancer, verify that you accomplished the tasks in the previous tutorial steps. Using the DuploCloud Portal, confirm that:

• An exist, both with the name you created.

• The Infrastructure you created has .

• A with the name you chose has been created.

• A with the name you chose has been created.

• An has been created.

Select the Tenant you created

In the Tenant list box, on the upper-left side of the DuploCloud Portal, select the Tenant that you created.

Testing the Application

1. In the DuploCloud Portal, navigate to Kubernetes -> Services. The Services page displays.

2. From the Name column, click on the Service you created.

3. Click the Load Balancers tab. The Application Load Balancer configuration is displayed.

4. In the LB Configuration card, click the Copy Icon ( ) to copy the IP Address displayed to your clipboard.

1. Open a browser instance and Paste the IP Address in the URL field of your browser.

2. Press ENTER. A web page with the text Welcome to nginx! is displayed.

Congratulations! You have just launched your first web service on DuploCloud!

In this tutorial for DuploCloud AWS, you have so far created a VPC network with configuration templates () and an isolated workspace ().

Now you need to create a DuploCloud Service on top of your Infrastructure and configure the Service to run and deploy your application. In this tutorial path, we'll deploy using Docker containers, leveraging Google Cloud Platform's (GCE) Google Kubernetes Engine (GKE) Standard.

Alternatively, you can finish this tutorial by:

For a comparison of the benefits of GKE Autopilot vs. GKE Standard, consult this .

Estimated time to complete remaining tutorial steps: 30-40 minutes

Deploying a GKE Standard Service in DuploCloud

For the remaining steps in this tutorial, you will:

1. Create a GCE Virtual Machine (VM) or a Node Pool.

2. Create a Service and applications (webapp) using the premade Docker image nginx:latest.

3. Expose the Service by creating and sharing a load balancer and DNS name.

4. Test the application.

In this exercise, we will create a simple Google Cloud Nginx service. When you run the application, DuploCloud accesses Docker images in a preconfigured Docker Hub.

When you run your own applications, you will choose a public image or provide credentials to access your private repository. Before you deploy your own applications, .

Estimated time to complete Step 3: 10 minutes.

Prerequisites

Before creating a Service, verify that you accomplished the tasks in the previous tutorial steps. Using the DuploCloud Portal, confirm that:

• An exist, both with the name that you chose.

• The Infrastructure has .

• A Tenant with the .

Select the Tenant you created

In the Tenant list box, on the upper-left side of the DuploCloud Portal, select the Tenant that you created.

Adding a Service

1. In the DuploCloud Portal, navigate to Kubernetes -> Services. The Services page displays.

2. Click Add. The Add Service page displays.

3. In the Service Name field, enter a name for the service (in the example below, the name is "myservice").

4. In the Docker image field, enter the docker image (nginx:latest).

1. Click Next. The Advanced Options page is displayed.

2. At the bottom of the Advanced Options page, click Create. Your Service is created and initialized.

Checking your work

From the DuploCloud portal, navigate to Kubernetes -> Services, and verify that your DuploCloud Service has a Current status of Running.

In this tutorial for DuploCloud AWS, you have so far created a VPC network with configuration templates () and an isolated workspace ().

Now you need to create a DuploCloud Service on top of your Infrastructure and configure the Service to run and deploy your application. In this tutorial path, we'll deploy using Docker containers, leveraging Google Cloud Platform's (GCE) Google Kubernetes Engine (GKE) Autopilot.

Alternatively, you can finish this tutorial by:

For a comparison of the benefits of GKE Autopilot vs. GKE Standard, consult this .

Estimated time to complete remaining tutorial steps: 15-20 minutes

Deploying a GKE Standard Service in DuploCloud

For the remaining steps in this tutorial, you will:

1. Create a Service and applications (webapp) using the premade Docker image nginx:latest.

2. Expose the Service by creating and sharing a load balancer and DNS name.

3. Test the application.

Now that your DuploCloud Service is running, you have a mechanism to expose the containers and images in which your application resides. But because your containers are running inside a private network, you also need a load balancer to listen on the correct ports in order to access the application.

In this step, we add a Load Balancer Listener to complete this network configuration.

Estimated time to complete Step 4: 10 minutes.

Prerequisites

Before creating a Load Balancer, verify that you accomplished the tasks in the previous tutorial steps. Using the DuploCloud Portal, confirm that:

• An exist, both with the name you created.

• The Infrastructure you created has .

• A with the name you chose has been created.

• A with the name you chose has been created.

Select the Tenant you created

In the Tenant list box, on the upper-left side of the DuploCloud Portal, select the Tenant that you created.

Creating a Load Balancer

All containers are running inside a private network and cannot be accessed from an external network. To do so one can create a load balancer.

1. In the DuploCloud Portal, navigate to Kubernetes -> Services. The Services page displays.

2. From the Name column, click on the name of your Service

3. Click the Load Balancers tab.

4. Click the Configure Load Balancer link. The Add Load Balancer Listener pane displays.

1. From the Type list box, select Application LB.

2. In the Container Port field, enter 80. This is the configured port on which the application inside the Docker Container Image is running.

3. In the External Port field, enter 80. This is the port through which users will access the web application.

4. From the Visibility list box, select Public.

5. From the Application Mode list box, select Docker Mode.

6. Type / (forward-slash) in the Health Check field to indicate that the cluster we want Kubernetes to perform Health Checks on is located at the root level.

7. In the Backend Protocol list box, select HTTP.

8. Click Add. The Load Balancer is created and initialized. In approximately 2-3 minutes you will see the load balancer details available in the portal. When the Load Balancer is ready for use the LB Status card displays Ready.

Checking your work

1. From the DuploCloud portal, navigate to Kubernetes -> Services.

2. Click on the name of your Service.

3. Verify that the Load Balancer has a status of Ready on the LB Status card.

A Node Pool is a group of Compute Engine VM instances within a GKE cluster that have the same configuration and provide the compute resources for running Kubernetes workloads. Node Pools allow you to customize and manage subsets of nodes within your GKE cluster to meet the requirements of your applications.

Estimated time to complete Step 3: 10 minutes.

Prerequisites

Before creating a Service, verify that you accomplished the tasks in the previous tutorial steps. Using the DuploCloud Portal, confirm that:

• An exist, both with the name that you chose.

• The Infrastructure has .

• A Tenant with the .

Select the Tenant you created

In the Tenant list box, on the upper-left side of the DuploCloud Portal, select the Tenant that you created.

Creating a Node Pool

1. From the DuploCloud portal, navigate to Kubernetes -> Node Pools.

2. Click on the Node Pool tab and then click Add. The Add Node Pool page displays.

1. In the Name field, enter a unique name for your GCE Virtual Machine. Choose the same Availability Zone as your Infrastructure, and update the Instance Type, if needed.

2. Optionally, Enable Autoscaling.

3. If autoscaling is enabled, set the Initial Node Count, Min Node Count, Max Node Count, and Location Policy.

4. Click Create. The Node Pool is created.

Checking your work

1. Navigate to Kubernetes -> Nodes, and click on the Node Pool tab.

2. Click on the name of the Node Pool that you created.

3. Verify that the Status is Running.

Advanced node pool functions

When , use the Enable GKE toggle switch to enable GKE. In the Cluster Mode list box, select GKE Autopilot. Complete the remaining fields (GKE Version, GKE Endpoint Visibility, and Cluster IP CIDR). Click Create.

This takes about 20 minutes. Infrastructure status should move to Completed. Once the Infrastructure status shows Complete, navigate to Administrators -> Plans to verify that a Plan has been created with the same name (nonprod).

Now that your DuploCloud Service is running, you have a mechanism to expose the containers and images in which your application resides. But because your containers are running inside a private network, you also need a load balancer to listen on the correct ports in order to access the application.

In this step, we add a Load Balancer Listener to complete this network configuration.

Estimated time to complete Step 5: 10 minutes.

Prerequisites

Before creating a Load Balancer, verify that you accomplished the tasks in the previous tutorial steps. Using the DuploCloud Portal, confirm that:

• An exist, both with the name you created.

• The Infrastructure you created has .

• A with the name you chose has been created.

• A had been created.

• A with the name you chose has been created.

Select the Tenant you created

In the Tenant list box, on the upper-left side of the DuploCloud Portal, select the Tenant that you created.

Creating a Load Balancer

All containers are running inside a private network and cannot be accessed from an external network. To do so one can create a load balancer.

1. In the DuploCloud Portal, navigate to Kubernetes -> Services. The Services page displays.

2. From the NAME column, select the name of your Service

3. Click the Load Balancers tab.

4. Click the Configure Load Balancer link. The Add Load Balancer Listener pane displays.

1. From the Type list box, select Application LB.

2. In the Container Port field, enter 80. This is the configured port on which the application inside the Docker Container Image is running.

3. In the External Port field, enter 80. This is the port through which users will access the web application.

4. From the Visibility list box, select Public.

5. From the Application Mode list box, select Docker Mode.

6. Type / (forward-slash) in the Health Check field to indicate that the cluster we want Kubernetes to perform Health Checks on is located at the root level.

7. In the Backend Protocol list box, select HTTP.

8. Click Add. The Load Balancer is created and initialized. In approximately 2-3 minutes you will see the load balancer details available in the portal. When the Load Balancer is ready for use the LB Status card displays Ready.

Checking your work

1. From the DuploCloud portal, navigate to Kubernetes -> Services.

2. Click on the name of your Service.

3. Verify that the Load Balancer has a status of Ready on the LB Status card.

Organization of use cases

Topics in this section are covered in the order of typical usage. Use cases that are foundational to DuploCloud such as Infrastructure, Tenant, and Hosts are listed at the beginning of this section; while supporting use cases such as Logs, Metrics, and Faults and alerts appear near the end.

Supported use cases for DuploCloud GCP

• and

In this exercise, we will create a simple Google Cloud Nginx service. When you run the application, DuploCloud accesses Docker images in a preconfigured Docker Hub.

When you run your own applications, you will choose a public image or provide credentials to access your private repository. Before you deploy your own applications, .

Estimated time to complete Step 4: 10 minutes.

Prerequisites

Before creating a Service, verify that you accomplished the tasks in the previous tutorial steps. Using the DuploCloud Portal, confirm that:

• An exist, both with the name that you chose.

• The Infrastructure has .

• A with the name you chose has been created.

• A had been created.

Select the Tenant you created

In the Tenant list box, on the upper-left side of the DuploCloud Portal, select the Tenant that you created.

Adding a Service

1. In the DuploCloud Portal, navigate to Kubernetes -> Services. The Services page displays.

2. Click Add. The Add Service page displays.

3. In the Service Name field, enter a name for the service (in the example below, the name is "myservice").

4. In the Docker image field, enter the docker image (for example "nginx:latest").

1. Click Next. The Advanced Options page is displayed.

2. At the bottom of the Advanced Options page, click Create. Your Service is created and initialized.

Checking your work

From the DuploCloud portal, navigate to Kubernetes -> Services, and verify that your DuploCloud Service has a Current status of Running.

DuploCloud provides a way to connect directly to the Cluster namespace using the kubectl token.

See kubectl Setup for available options.

Creating an Infrastructure

1. Click Administrator -> Infrastructure from the navigation menu.

2. Click Add.

3. Complete the fields on the Add Infrastructure form to define the infrastructure.

4. Optionally, click Enable GKE and complete the additional fields to create a GKE Autopilot or Standard Cluster.

5. Click Create. The Infrastructure is created and is listed on the Infrastructure page. DuploCloud automatically creates a Plan with the same name and configuration as the Infrastructure.

Google frequently updates the version of GKE based on new features available in the Kubernetes platform.

In future releases, upgrades will be available for customers to install.

DuploCloud provides several configurable components when running Google Cloud Provider's Google Kubernetes Engine (GKE).

Applications involve GCP Services such as Cloud Armour, Redis and SQL databases, Storage Buckets, Load Balancers, and so on.

Using DuploCloud, you can create unlimited Services within each Tenant, using application-centric inputs. At the same time, the platform ensures that the lower-level nuances are programmed to best practices for security and compliance.

Supported Services for DuploCloud GCP

In addition to GKE standard and auto-pilot, the following services are supported. Supported Services are listed in alphabetical order.

Core Services

• Containers and Services

• Load Balancers

Additional Services

• Cloud Armour

• Cloud Credentials

• Cloud Functions

• Cloud Scheduler

• Cloud SQL

• Cloud Storage

• Firestore Database

• Managed Redis

• Node Pools

• Pub/Sub

When creating an Infrastructure, use the Enable GKE toggle switch to enable GKE. In the Cluster Mode list box, select GKE Standard. Complete the remaining fields (GKE Version, GKE Endpoint Visibility, and Cluster IP CIDR). Click Create.

This takes about 20 minutes. Infrastructure status should move to Completed. Once the Infrastructure status shows Complete, navigate to Administrators -> Plans to verify that a Plan has been created with the same name.

View GKE Cluster details

You can view the details and download the kubeconfig file to connect the cluster from GKE Tab available in the infrastructure created.

Managing Tenant Expiration

In the DuploCloud Portal, configure an expiration time for a Tenant. At the set expiration time, the Tenant and associated resources are deleted.

1. In the DuploCloud Portal, navigate to Administrator -> Tenants. The Tenants page displays.

2. From the Name column, select the Tenant for which you want to configure an expiration time.
3. From the Actions list box, select Set Tenant Expiration. The Tenant - Set Tenant Expiration pane displays.
4. Select the date and time (using your local time zone) when you want the Tenant to expire.

5. Click Set. At the configured day and time, the Tenant and associated resources will be deleted.

In GCP, cloud features such as Resource Groups, Identity and Access Management (IAM), Security Groups, Cloud KMS, as well as Kubernetes Namespaces, are exposed in Tenants which reference their configurations.

For more information about DuploCloud Tenants, see the Tenants topic in the DuploCloud Common Components documentation.

Creating a Tenant

1. Navigate to Administrator -> Tenant in the DuploCloud Portal and click Add. The Create a Tenant pane displays.

2. In the Name field, enter a name for the Tenant. Choose unique names that are not substrings of one another, for example, if you have a Tenant named dev, you cannot create another named dev2. We recommend using distinct numerical suffixes like dev01 and dev02.

3. In the Plan list box, select the Plan to associate the Tenant with.

4. Click Create. The Tenant is created.

You can test your application directly from the Services page.

Estimated time to complete Step 6 and finish tutorial: 10 minutes.

Prerequisites

Before creating a Load Balancer, verify that you accomplished the tasks in the previous tutorial steps. Using the DuploCloud Portal, confirm that:

• An Infrastructure and Plan exist, both with the name you created.

• The Infrastructure you created has GKE Enabled.

• A Tenant with the name you chose has been created.

• A Node Pool has been created.

• A Service with the name you chose has been created.

• An Application Load Balancer has been created.

Select the Tenant you created

In the Tenant list box, on the upper-left side of the DuploCloud Portal, select the Tenant that you created.

Testing the Application

1. In the DuploCloud Portal, navigate to Kubernetes -> Services. The Services page displays.

2. From the Name column, select demo-service.

3. Click the Load Balancers tab. The Application Load Balancer configuration is displayed.

4. In the LB Configuration card, click the Copy Icon ( ) to copy the IP Address displayed to your clipboard.

1. Open a browser instance and Paste the IP Address in the URL field of your browser.

2. Press ENTER. A web page with the text Welcome to nginx! is displayed.

Congratulations! You have just launched your first web service on DuploCloud!

Configuring Tenant Config settings

You can configure settings to apply to all new Tenants under a Plan using the Config tab. Tenant Config settings will not apply to Tenants created under the Plan before the settings were configured.

1. From the DuploCloud portal, navigate to Administrator -> Plan.

2. Click on the Plan you want to configure settings under in the NAME column.

3. Select the Config tab.

4. Click Add. The Add Config pane displays.

5. From the Config Type field, select TenantConfig.

6. In the Name field, enter the setting that you would like to apply to new Tenants under this Plan. (In the example, the enable_alerting setting is entered.)

7. In the Value field, enter True.
8. Click Submit. The setting entered in the Name field (enable alerting in the example) will apply to all new Tenants added under the Plan.

Viewing Tenant Config settings

You can check that the Tenant Config settings are enabled for new Tenants on the Tenants details page, under the Settings tab.

1. From the DuploCloud portal, navigate to Administrator -> Tenants.

2. From the NAME column, select a Tenant that was added after the Tenant Config setting was enabled.

3. Click on the Settings tab.

4. Check that the configured setting is listed in the NAME column. (Enable Alerting in the example.)

By exporting your Google Cloud Platform (GCP) billing data to BigQuery, you can leverage DuploCloud's dashboard to monitor and analyze your GCP billing effectively.

Prerequisites

To export to BigQuery you must have:

• A Google Cloud Platform account with billing enabled.

• Permission to access the Google Cloud Billing API and BigQuery.

  • Billing Account Administrator permissions

  • BigQuery Admin permissions

Creating a BigQuery Dataset

1. Navigate to the BigQuery Console in your Google Cloud Platform account.

2. In GCP, select the Project where you want to create the dataset.

3. Click Create Dataset.
4. In the Create dataset window, configure your dataset with the following parameters:

   • Dataset ID: Enter a unique name for your dataset.

   • Location Type: Select Multi-Region.

   • Default table expiration: Select Enable table expiration and set a default expiration time for tables in this dataset, such as 60 days. Tables will be automatically deleted after this period.

   • Click Create Dataset.

   • Once the dataset is created, it appears in the BigQuery Console under your project. Select the dataset to view details.

Enabling billing export to BigQuery

1. In GCP, open the Google Cloud Console.

2. Select Billing from the main menu or visit Google Cloud Billing.

3. Select the billing account for which you want to enable the billing export.

4. In the Billing Account Details page, select Billing Export from the left navigational pane.

5. In the Billing Export page, in the Detailed usage cost area, click Edit Settings.
6. In the BigQuery Export tab, configure Detailed usage cost.

   • Select the Project: Choose the project where you created the BigQuery dataset.

   • Select the Dataset: Choose the dataset you created for billing data.
7. Click Save.

8. Contact DuploCloud Support to complete additional steps to enable the billing dashboard.

Once we have the Infrastructure (Networking, Kubernetes cluster, and other common configurations) and an environment (Tenant) set up, the next step is to create VMs. These could be for:

• Compute Engine virtual machines in GCP

• Worker Nodes (Docker Hosts) if built-in container orchestration is used.

• Regular nodes that are not part of any container orchestration, where a user manually connects and installs applications.

In the DuploCloud Portal, you can create GCE VMs, Node Pools, or BYOH (bring your own Hosts) virtual machine setups.

Creating a GCE VM

To create a GCE VM (Virtual Machine), navigate to Cloud Services -> Hosts -> GCE VM, and click Add.

Creating a Node Pool

A GCP node pool is a group of VMs that share the same configuration, including machine type, disk size, and operating system. Node pools allow you to manage scaling and updates for groups of nodes collectively.

To create a GCP node pool, navigate to Cloud Services -> Hosts -> Node Pool, and click Add.

Creating a BYOH Host

While lower-level details such as IAM roles and security groups are abstracted, deriving instead from the Tenant, only the most application-centric inputs are required to set up Hosts.

Most of these inputs are optional and some are available as list box selections, set by the administrator in the Plan (for example, Image ID, in Host Advanced Options).

There is an additional parameter labeled Fleet Type. This is applicable if the VM is to be used as a host for container orchestration by the platform. The choices are:

• Linux Docker/Native: To be used for hosting Linux containers using the Built-in Container orchestration.

• None: To be used for non-Container Orchestration purposes and contents inside the VM are self-managed by the user.

Increasing minimum ports per VM instance (GKE Standard)

You can increase the number of available ephemeral ports per GKE Standard VM instance in the DuploCloud Portal using Infrastructure systems settings. More ports help handle high volumes of network traffic, especially for applications that require many simultaneous connections.

To increase the minimum ports per VM for your Infrastructure:

• Navigate to Administrator -> Infrastructure.

• In the NAME column, select your Infrastructure name.

• Select the Settings tab, and click Add. The Infra - Set Custom Data pane displays.

• From the Setting Name list box, select GKE Minimum Ports Per VM.

• In the Setting Value field, enter the minimum number of ports you want or each VM.

• Click Set. VMs in this Infrastructure will have at least the minimum number of ports configured.

Configuring a friendly image name

Set a friendly name for an image in your DuploCloud Plan. This name will display in the Image list box when creating a GCE VM in the DuploCloud Portal.

1. From the DuploCloud Portal, navigate to Administrator -> Plans.

2. Select the Plan from the NAME column.

3. Select the Images tab, and click Add. The Add Image pane displays.

1. Enter a friendly name and complete the remaining fields, as required. Click Submit. The image name will display in the Image list box when creating a GCE VM under the Plan.

Usage costs for resources can be viewed and managed in the DuploCloud Portal, by month or week, and by Tenant. You can also explore historical resource costs.

To view the Billing page for GCP in the DuploCloud Portal, click Administrator -> Billing.

You can view usage by:

• Time

  • Select the Spend by Month tab and click More Details to display monthly and weekly spending options.

• Tenant

  • Select the Spend by Tenant tab.

There are many ways to pass configurations to containers at run-time. Although simple to set up, using Environmental Variables can become complex if there are too many configurations, especially files and certificates.

Using Kubernetes, you can populate environment variables using .

All containers run inside a private network and cannot be accessed from an external network. To make them accessible from an external network, create a Load Balancer.

Creating a GKE Ingress

If you need to create an Ingress Load Balancer, refer to the page in the DuploCloud Kubernetes User Guide.

Adding a Load Balancer Listener

1. In the DuploCloud Portal, navigate to Kubernetes -> Services.

2. On the Services page, select the Service name in the Name column.

3. Click the Load Balancers tab.

4. If no Load Balancers exist, click the Configure Load Balancer link. If other Load Balancers exist, click Add in the LB listeners card. The Add Load Balancer Listener pane displays.

5. From the Select Type list box, select a Load Balancer Listener type based on your Load Balancer.

6. Complete other fields as required and click Add to add the Load Balancer Listener.

Adding a certificate for an internal Load Balancer in GCP

For internal Load Balancers, you cannot use Google Managed Certificates. You can import a certificate from somewhere else or use a self-signed certificate. We recommend using the self-signed certificate option for internal Load Balancers because you control authentication at the IP level.

Here's an example Terraform code snippet to create a self-signed certificate for an internal Load Balancer in DuploCloud:

DuploCloud Services and Containers

Containers and Services are critical elements of deploying GCP applications in the DuploCloud platform. Containers refer to Docker containers: lightweight, standalone packages that contain everything needed to run an application including the code, runtime, system tools, libraries, and settings. Services in DuploCloud are microservices defined by a name, Docker image, and a number of replicas. They can be configured with various optional parameters and are mapped to Kubernetes deployment sets or StatefulSets, depending on whether they have stateful volumes.

Container Orchestration

DuploCloud supports deploying containerized applications in GCP using GKE (Google Kubernetes Engine).

GKE

(GKE) is a fully managed service that uses the open-source Kubernetes platform to orchestrate and manage containerized applications on Google Cloud. GKE offers deep integration with other Google Cloud services, making it highly optimized for workloads in the Google Cloud ecosystem. While GKE requires a bit more learning compared to simpler orchestration tools, it provides the flexibility, scalability, and portability that Kubernetes offers, allowing users to run complex workloads with fine-grained control over configurations and scaling.

Kubernetes

Adding a Service in the DuploCloud Platform is not the same as adding a Kubernetes service. When you deploy DuploCloud Services, the platform implicitly converts your DuploCloud Service into either a deployment set or a StatefulSet. The service is mapped to a deployment set if there are no volume mappings. Otherwise, it is mapped to a StatefulSet, which you can force creation of if needed. Most configuration values are self-explanatory, such as Images, Replicas, and Environmental Variables.

Kubernetes clusters are created during Infrastructure setup using the Administrator -> Infrastructure option in the DuploCloud Portal. The cluster is created in the same Virtual Private Cloud (VPC) as the Infrastructure. Building an Infrastructure with GKE cluster may take some time.

Next, you deploy an application within a Tenant in Kubernetes. The application contains a set of VMs, a Deployment set (Pods), and an application Load Balancer. Pods can be deployed either through the DuploCloud Portal or through kubectl,using HelmCharts.

Purpose

In Google Cloud Platform (GCP), billing data can be exported to a BigQuery dataset in only one project. However, when deploying instances of an application across multiple projects (e.g., dev, qa, stg, prod), it is necessary to replicate the billing dataset to enable billing monitoring on all DuploCloud dashboards in these projects. This documentation outlines the steps to configure automated replication of a BigQuery dataset from a source project to a destination project.

Prerequisites

• Two GCP projects: a source project where the original billing dataset resides, and a destination project where the dataset will be replicated.

• Appropriate permissions to create datasets and data transfer jobs in BigQuery.

• Google Cloud SDK installed and initialized.

• Enable BigQuery Data Transfer API from API and Services in Destination GCP Project.

Assumptions:

• Source Project: GCP project where the original billing dataset resides with billing export.

• Destination Project: New GCP project which has duplo-master running and dataset needs to be created.

Steps

1. Create a New Dataset in the Destination Project

• Open the BigQuery console in the source project: BigQuery Console

• Click on CREATE DATASET.

• Enter the dataset ID, choose a data location, and set other options as mentioned in the below screenshot.

• Click Create dataset.

2. Give required permissions

For the replication to work, you need to allow specific roles on the dataset in source project to the duplo-master GCP service account of the destination project

Following roles are needed:

• BigQuery Admin

• BigQuery Data Viewer

• BigQuery Data Editor

• BigQuery User

3. Set Up a Data Transfer Job in the Destination Project

• Open the BigQuery console in the destination project.

• In the left-hand menu, click on Data Transfers.

• Click on CREATE TRANSFER.

• Select Source Type as Dataset Copy

• Schedule options: Choose Start now. Set the frequency option to every 12 hours.

• Under the Destination Settings

  • Put destination project dataset as Dataset

  • Put source project dataset as Source Dataset

  • Put source project ID as Source Project

  • Enable checkbox Overwrite destination table

  • Click SAVE

4. Monitor the Transfer Job

• In the BigQuery console of the destination project, go to the Transfers tab.

• You should see your transfer job listed. You can click on it to view details and monitor its progress.

Conclusion

By following these steps, you can set up automated replication of a BigQuery dataset from one GCP project to another, enabling billing monitoring on all DuploCloud dashboards across multiple projects. Ensure to monitor the transfer job periodically to make sure it is running as expected.

Google Cloud Scheduler is a fully managed cron job service that allows you to schedule jobs to automate the execution of tasks at regular intervals without manual intervention. You can create a Cloud Scheduler job to trigger from a topic, an HTTP endpoint, or an App Engine.

The following table describes each target type's function and common use cases.

Create a Cloud Scheduler job

1. From the DuploCloud Portal, navigate to Cloud Services -> Cloud Scheduler, and click Add. The Cloud Scheduler Add Job pane displays.
2. Enter a Name, a Schedule (in cron format), and a Description, if needed.

3. From the Target Type list box, select Pub Sub, App Engine, or HTTP. Complete the fields associated with the selected target type:

• Pub/Sub: Select a Topic Name, and add Attributes and Data, if needed.

• App Engine: Enter a Service and Version. Select an HTTP Method. Enter a Relative URI and HTTP Headers, if required.

• HTTP: Select an HTTP Method. Enter a Target URI. Select an Authentication method. Enter HTTP Headers, if needed.

1. Click Create. The Cloud Scheduler job is created.

GCP Cloud Armour helps protect your applications and websites against denial of service, web breaches, and cyber-attacks.

Use DuploCloud to activate your GCP Cloud Armour software and monitor your cloud infrastructures and deployed services and applications.

Adding a Security Policy in the DuploCloud Plan

Before you can use DuploCloud with Cloud Armour, define a Security Policy in the DuploCloud Plan that supports your DuploCloud Infrastructure.

1. In the DuploCloud Portal, navigate to Administrator -> Plan. The Plans page displays.

2. From the Name column, select the Plan that corresponds to your Infrastructure. When you create a DuploCloud Infrastructure, a Plan is created with the same name.

3. Click the Security Policy tab.

4. Click Add. The Add Security Policy pane displays.
5. In the Name field, enter an appropriate name for the Security Policy. This is the name used in the DuploCloud portal. It is convenient to keep it the same as the Security Policy ID, but not required.

6. In the Security Policy ID field, enter the name of your GCP Cloud Armour Security Policy. This is the name used in the GCP console.

7. Click Create. The Security Policy that you specified is displayed in the Security Policy tab.

Adding the Cloud Armour Security Policy to a Load Balancer

Now that the Cloud Armour Security Policy has been defined in your DuploCloud Plan, add the policy to a Load Balancer so that it can monitor network traffic.

1. In the DuploCloud Portal, navigate to Kubernetes -> Services or Docker -> Services.

2. Select the Service to which your Load Balancer is attached.

3. Click the Load Balancer tab.

4. In the Other Settings card, click Edit. The Other Load Balancer Settings pane displays.
6. Select the Enable HTTP to HTTPS Redirect option.

7. Select Enable Access Logs to view rule evaluations.

8. In the Idle Timeout field, enter the number of minutes for timeout, in seconds.

9. Click Save.

The Security Policy displays in the Load Balancer's Other Settings card.

Modifying a Cloud Armour Configuration Security Policy

1. In the DuploCloud Portal, navigate to Administrator -> Plans. The Plans page displays.

2. From the Name column, select the Plan that corresponds to your Infrastructure.

3. Click the Security Policy tab.

5. Modify the Security Policy Name and the Security Policy ID as appropriate.

6. Click Update. The changes are saved and displayed in the Security Policy tab.

Viewing Security Policy logs

Logs will only be visible if you Enable Access Logs in the Load Balancer's Other Settings card.

To view Cloud Armor Security Policy logs:

1. Locate the Security Policy in the GCP Console.

2. Click the Logs tab.

3. Click the View policy logs link on the Logs tab to view logs of the policy's rule evaluations.

The DuploCloud rules-based expert system requires GCP Subscription details to manage cloud resources effectively. By adding Cloud Credentials in the DuploCloud Portal, you provide the necessary subscription details for this management.

Adding Cloud Credentials for GCP Subscriptions

To integrate GCP project cloud credentials into DuploCloud, follow these steps:

1. In the DuploCloud Portal, navigate to Administrator -> Cloud Credentials. The Cloud Credentials page displays.

2. Click Add to initiate the creation of new cloud credentials.

3. Ensure Google is selected from the Cloud list box as your cloud provider.

4. Enter your Google Project ID in the Project ID field. This ID uniquely identifies your GCP project.

5. Provide the Service Account email in the Service Account Email field. Service accounts are crucial for applications or compute workloads to interact with GCP services, managed through Identity and Access Management (IAM).

6. Paste the private key associated with your service account in the Service Account Private Key field. To extract and copy the private key from a JSON file, you can use the command: jq -r .private_key < filename.json | pbcopy.

7. Click Submit to save your credentials, which will be displayed on the Cloud Credentials page.

Setting Docker Registry Credentials

1. In the DuploCloud Portal, navigate to Docker -> Services. Docker registry credentials are passed to the Kubernetes cluster as kubernetes.io/dockerconfigjson.

2. Click the Docker list box in the upper right, and select Docker Credentials. The Set Docker registry Creds pane displays.

3. Supply the credentials and click Submit.

4. Enable the Docker Shell Service by clicking Enable Docker Shell.

Adding multiple Docker Registry Credentials

You can pull images from multiple Docker registries by adding multiple Docker Registry Credentials.

1. In the DuploCloud Portal, click Administrator -> Plan. The Plans page displays.

2. Select the Plan in the Name column.

3. Click the Config tab.

4. Click Add. The Add Config pane displays.

Passing Docker Credentials using Environment Variables

Firestore is a flexible, scalable database for mobile, web, and server development from Google Cloud Platform. It's part of Firebase, a platform for developing mobile and web applications. Firestore is a NoSQL document database that simplifies storing, syncing, and querying data across multiple platforms and devices.

There are two Firestore Database modes to choose from:

• Firestore Native Mode is the default mode for Firestore. It provides a richer feature set and supports more advanced querying capabilities, such as compound queries and real-time updates. Use Firestore Native for new projects and applications that require real-time updates and advanced querying features.

• Datastore Mode provides a subset of Firestore's features and capabilities, supports a simpler data model, and lacks support for nested subcollections. Use Datastore Mode for migrating existing applications from Google Cloud Datastore to Firestore or for applications that do not require real-time updates or complex querying capabilities.

Creating a Firestore Database

1. From the Tenant list box in the upper left, select your Tenant name.

2. From the DuploCloud portal, navigate to Cloud Services -> Firestore Database.

3. Click Add. The Add Firestore DB page displays.
4. In the Name field, enter a name for your database.

5. From the Type list box, select FIRESTORE_NATIVE or DATASTORE_MODE.

6. Select your location from the Location list box.

7. From the Point in Time Recovery Enablement list box, enable or disable point in time recovery, or lock your resources pessimistically.

8. From the Delete Protection State list box, enable or disable delete protection.

9. Click Create. Your Firestore Database is created.

In GCP, Cloud Functions are for serverless execution of code.

Creating a GCP Cloud Functions

1. In the DuploCloud Portal, navigate to Cloud Services -> Storage. The Buckets page displays. Create a bucket and upload the code package.

2. Navigate to Cloud Services -> Functions, and click Add. The Add Function page displays. Fill out the appropriate fields and click Create.

DuploCloud supports Redis database instances. Redis stands for Remote Dictionary Server and is a fast, open-source, in-memory, key-value data store. Redis can function as a database, cache, message broker, and queue.

Redis delivers sub-millisecond response times, enabling millions of requests per second for real-time applications.

Adding a Redis database instance

1. In the DuploCloud Portal, navigate to Cloud Services -> Redis.

2. Click Add. The Add Redis Instance page displays.

1. Enter the database Name.

2. In the Display Name field, enter a useful database name for reference.

3. From the Tier list box, select Basic for a Tier0 standalone instance; select Standard for a Tier1 High Availability primary/replica instance.

4. In the Memory Size field, enter memory size in gigabytes (GB).

5. In the Redis Config field, specify the Redis configuration.

6. In the Labels field, specify key/value pairs.

7. Select Enable Auth and Security to enable OSS Redis AUTH for the Redis instance.

8. Select Enable Encryption-in-Transit to select the TLS mode of the Redis instance.

9. Click Create. The Redis database Details tab displays on the Redis tab with Connectivity, General, and Security cards.

Creation of a pub sub topic is quite self explanatory with just a couple fields.

In GCP, Cloud Storage Buckets are containers that hold your data. Everything in Google Cloud Storage resides in a bucket. Learn more about GCP Cloud Storage and Cloud Storage Buckets.

Creating a GCP Cloud Storage Bucket

1. In the DuploCloud Portal, navigate to Cloud Services -> Storage. The Buckets page displays.

1. In the Buckets tab, click Add. The Create a Bucket pane displays.

1. In the Name field, enter a bucket name.

2. Optionally, select Enable Versioning or Allow Public Access; enter a label string for your bucket in the Labels field.

3. Optionally, select the Multi Region or Region (single region) location type for your data storage. In the Multi Region Options or Region Options list box, select your region(s).

4. Click Create.

Creating a DuploCloud GKE Service

1. In the DuploCloud Portal, navigate to Kubernetes -> Services.

2. Click Add. The Basic Options section of the Add Service page displays.

3. In the Service Name field, give the Service a name (without spaces).

4. From the Cloud list box, select Google.

5. From the Platform list box, select GKE Linux.

6. In the Docker Image field, enter the Docker image.

7. Optionally, enter any allocation tags in the Allocation Tag field.

8. From the Replica Strategy list box, select a replication strategy. Refer to the informational ToolTip ( ) for more information.

9. Specify the number of replicas in the Replicas field (for Static replica strategy). The number of replicas you define must be less than or equal to the number of Hosts in the fleet.

10. In the Replica Placement list box (for Static or Horizontal Pod Autoscaler replication strategies) select First Available, Place on Different Hosts, Spread Across Zones, or Different Hosts and Spread Across Zones. Refer to the informational ToolTip ( ) for more information.

11. Optionally, enter variables in the Environmental Variables field.

12. In the Force StatefulSets list box, select Yes or No (for Static or Horizontal Pod Autoscaler replication strategies).

13. Optionally, select Tolerate spot instances (for Static or Horizontal Pod Autoscaler replication strategies)

1. Click Next. The Add Service, Advanced Options page displays.

2. Configure advanced options as needed. For example, you can implement Kubernetes Lifecycle Hooks in the Other Container Config field (optional).

3. Click Create. The Service is created.

Viewing Services

1. From the DuploCloud Portal, navigate to Kubernetes -> Services. Select the Service from the NAME column. The Service details page displays.

Starting, Stopping, and Restarting Multiple DuploCloud Services

Using the Services page, you can start, stop, and restart multiple services simultaneously.

1. In the DuploCloud Portal, navigate to Kubernetes -> Services.

2. Use the checkbox column to select multiple services you want to start or stop at once.

3. From the Service Actions menu, select Start Service, Stop Service, or Restart Service. The selected Services are started, stopped, or restarted as you specified.

Managing Kubernetes Containers

In the DuploCloud Portal, you can display and manage the containers you have defined.

1. Select the Tenant from the Tenant list box in the upper left.

2. Navigate to Kubernetes -> Containers.

are useful when you need to schedule Pods requiring more resources than others, such as more memory or local disk space. Node Pools can be created for the DuploCloud Infrastructure with GKE Standard Cluster only.

Prerequisites

, specifying the DuploCloud Plan corresponding to a .

Adding a Node Pool

1. In the DuploCloud Portal, navigate to Kubernetes -> Nodes.

2. Click the Node Pool tab.

3. Click Add. The Add Node Pools page displays.

4. Provide Name, Availability Zone, Instance Type, and Node Counts.

5. Click Submit.

Adding a Node Pool with Advanced Options

DuploCloud Portal provides additional options when configuring a Node Pool, as depicted below. To use Advanced Options select Advanced Options in the Add Node Pool page.

Adding a Node Pool with Accelerator Type

You can add Accelerator types for GPUs while creating a NodePool. From the Add Node Pool page, click Add Accelerator.

Configure a Service to use an Accelerator Type

2. In the Add Service page, click Next for Advanced Options.

3. Enter command, args, and resources in the Other Container Config field.

4. Click Create.

Adding a Taint to a Node Pool

2. Select the Node Pool to which you want to add taints.

3. Click Actions and select Add Taint. The Add Taint pane displays.

4. Enter the Key/Value pair and select the Effect from the list box.

5. Click Add Taint.

For example, the following screen applies a taint to a Node Pool that has a Key/Value of dedicated=experimentalwith a NoSchedule effect.

Configure a Service to use Taints

You need to configure the correct tolerations in the Service to schedule the Pod in a Node Pool.

You can Edit or Delete a Taint by selecting the Node Pool Name, clicking the Actions menu, and selecting Edit or Delete. You edit the Node Pool using the Edit Node Pool page.

View Node Pool

View Node Pools by clicking the Node Pool tab and selecting the Node Pool Name.

Nodes created as part of a Node Pool, are displayed in the GCE VM tab.

Taints configured to a Node Pool are displayed with a Tainted Status. Click the Tainted icon to display a window with a Taint List.

My Kubernetes service status was Pending for several minutes, waiting to start a new Pod. After that, I was able to start and stop Pods quickly. What happened?

DuploCloud typically runs Kubernetes services in GCP on GKE in Autopilot mode. Autopilot dynamically provisions nodes as needed to run your Pods. This can add a couple of minutes to the Pod start time. You may see warnings from Kubernetes about being unable to place Pods while Autopilot Hosts are starting, but they’ll clear once the Hosts are available.

One or more of my containers are showing as pending; how can I debug them?

How do I give users access to only one Tenant in my GCP project?

To give a user access to a specific Tenant, navigate the Users page. For a new user, click Add and enter the user's information. From the Role list box, select User. In the Tenant list box, select the Tenant. Click Submit. For an established user, navigate to the Users page and select the user. From the Actions menu, click Update. From the Role list box, select User, and from the Tenant list box, select the Tenant. Click Submit.

How do I create a Google Managed certificate to use with DuploCloud?

To create a Google Managed certificate to use with DuploCloud, see the .

Creating a Cloud SQL database

Use this procedure to create:

• MySQL databases

• SQL databases with PostGres engines

• SQL databases with SQLServer engines

1. In the DuploCloud Portal, navigate to Cloud Services -> Cloud SQL.

2. Click Add. The Add SQL DB page displays.
3. Complete the fields (Name, Disk Size, SQL Version, Tier, Root Password) as required.

4. Click Create.

Viewing a Cloud SQL database

You can view database details and configure other options by navigating to Cloud Services -> Cloud SQL and selecting the Cloud SQL database from the NAME column.

Additional Supported Actions

1. Navigate to Cloud Services -> Cloud SQL.

Configuring Infrastructure settings:

1. Navigate to Administrator -> Infrastructure.

2. In the NAME column, select the name of the Infrastructure you want to configure settings for.

3. Select the Settings tab, and click Add. The Infra - Set Custom Data pane displays.

4. From the Setting Name list box, select the setting (see list of settings below).

5. Click Enable, or enter an appropriate value.

6. Click Set. The setting is applied to the Infrastructure.

Infrastructure Settings