Implement GCP Cloud Armour in DuploCloud
GCP Cloud Armour helps protect applications and websites against denial-of-service and web application attacks by evaluating a set of rules against each request that reaches the Load Balancer.
Use DuploCloud to attach a Cloud Armour security policy to the Load Balancers in front of your deployed services, and to review the policy's rule evaluations in its logs.
Before you can use DuploCloud with Cloud Armour, define a Security Policy in the DuploCloud Plan that supports your DuploCloud Infrastructure. The policy and its rules are created and maintained in the GCP project; the Plan entry only tells DuploCloud which GCP policy to reference.
In the DuploCloud Portal, navigate to Administrator -> Plan. The Plans page displays.
From the Name column, select the Plan that corresponds to your Infrastructure. When you create a DuploCloud Infrastructure, a Plan is created with the same name.
Click the Security Policy tab.
Click Add. The Add Security Policy pane displays.
In the Name field, enter a name for the Security Policy. This is the name used in the DuploCloud portal. It is convenient, but not required, to keep it the same as the Security Policy ID.
In the Security Policy ID field, enter the name of your GCP Cloud Armour Security Policy exactly as it appears in the GCP console. The policy must already exist in the project.
Click Create. The Security Policy that you specified is displayed in the Security Policy tab.
Now that the Cloud Armour Security Policy has been defined in your DuploCloud Plan, attach the policy to a Load Balancer so that it is enforced on the traffic the Load Balancer receives.
In the DuploCloud Portal, navigate to Kubernetes -> Services or Docker -> Services.
Select the Service to which your Load Balancer is attached.
Click the Load Balancer tab.
In the Other Settings card, click Edit. The Other Load Balancer Settings pane displays.
From the Security Policy list box, select the Security Policy you added in the previous step.
Select the Enable HTTP to HTTPS Redirect option so that plaintext requests are redirected rather than served.
Select Enable Access Logs; Cloud Armour rule evaluations are only visible in the logs when access logging is on.
In the Idle Timeout field, enter the idle timeout in seconds.
Click Save.
The Security Policy displays in the Load Balancer's Other Settings card.
To point your Load Balancers at a different Cloud Armour policy, edit the Security Policy in the DuploCloud Plan.
In the DuploCloud Portal, navigate to Administrator -> Plans. The Plans page displays.
From the Name column, select the Plan that corresponds to your Infrastructure.
Click the Security Policy tab.
In the row listing your Security Policy, click the Edit icon. The Update Security Policy pane displays.
Modify the Security Policy Name and the Security Policy ID as appropriate.
Click Update. The changes are saved and displayed in the Security Policy tab.
Logs will only be visible if you Enable Access Logs in the Load Balancer's Other Settings card.
To view Cloud Armor Security Policy logs:
Locate the Security Policy in the GCP Console.
Click the Logs tab.
Click the View policy logs link on the Logs tab to view logs of the policy's rule evaluations.
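The rules behind the Security Policy ID live in GCP, not in DuploCloud. The following script is an added example (not DuploCloud's documentation or tooling, and not Google's code): it provisions such a policy with gcloud, starting from two preconfigured WAF rules and a per-client rate limit, then attaches it to the backend service of an external HTTP(S) Load Balancer and turns on logging, which is what the Other Load Balancer Settings above do through the portal. The policy name edge-policy, the backend service name, the rule set and the GCLOUD dry-run variable are all assumptions.

```shell
#!/bin/sh
# Added example, not DuploCloud's or Google's code. Policy and backend
# names, priorities and thresholds are assumptions; adjust to your traffic.
# GCLOUD defaults to the real CLI; set GCLOUD=echo to print the commands
# instead of running them (dry run).
GCLOUD="${GCLOUD:-gcloud}"

# Create the policy with a conservative starting rule set:
#   1000  deny requests matching the preconfigured SQL-injection signatures
#   1001  deny requests matching the preconfigured XSS signatures
#   2000  throttle each client IP to 100 requests/minute, 429 on excess
# The implicit default rule (lowest priority) remains "allow".
create_cloud_armor_policy() {
  policy="$1"
  "$GCLOUD" compute security-policies create "$policy" \
    --description "Edge policy referenced from the DuploCloud Plan" || return 1
  "$GCLOUD" compute security-policies rules create 1000 \
    --security-policy "$policy" --action deny-403 \
    --expression "evaluatePreconfiguredWaf('sqli-v33-stable', {'sensitivity': 1})" || return 1
  "$GCLOUD" compute security-policies rules create 1001 \
    --security-policy "$policy" --action deny-403 \
    --expression "evaluatePreconfiguredWaf('xss-v33-stable', {'sensitivity': 1})" || return 1
  "$GCLOUD" compute security-policies rules create 2000 \
    --security-policy "$policy" --src-ip-ranges '*' \
    --action throttle --enforce-on-key IP \
    --rate-limit-threshold-count 100 --rate-limit-threshold-interval-sec 60 \
    --conform-action allow --exceed-action deny-429 || return 1
  # VERBOSE logging records which rule matched and why; that is what the
  # "View policy logs" link in the GCP console shows.
  "$GCLOUD" compute security-policies update "$policy" --log-level VERBOSE
}

# Attach the policy to the global backend service behind the Load Balancer
# and enable backend access logs (sample rate 1.0 = log every request).
attach_to_backend() {
  policy="$1"; backend="$2"
  "$GCLOUD" compute backend-services update "$backend" --global \
    --security-policy "$policy" \
    --enable-logging --logging-sample-rate 1.0
}

# Print the policy currently attached to a backend service (empty = none).
# Use it after saving the DuploCloud Load Balancer settings to confirm
# the portal change reached GCP.
attached_policy() {
  "$GCLOUD" compute backend-services describe "$1" --global \
    --format 'value(securityPolicy)'
}

# Usage: sh armor.sh apply edge-policy web-backend
if [ "${1:-}" = "apply" ]; then
  create_cloud_armor_policy "$2" && attach_to_backend "$2" "$3" && attached_policy "$3"
fi
```

Run it with GCLOUD=echo first to review the exact commands, then without it against the project. The rate limit keys on client IP, so clients behind a shared NAT share one bucket; if that matters, switch --enforce-on-key to XFF-IP or HTTP-HEADER and confirm the header is set by a trusted proxy.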
Creating and managing GCP Services using containers
Using the Services pages (Kubernetes -> Services or Docker -> Services) in the DuploCloud Portal, you can display and manage the Services you have defined.
You can deploy any native Docker container in a virtual machine (VM) with the DuploCloud platform.
In the DuploCloud Portal, select Docker -> Services from the navigation pane.
Click Add. The Add Service page displays.
Complete the fields on the page, including Service Name, Docker Image name, and number of Replicas. Use Allocation Tags to deploy the container in a specific set of hosts.
Do not use spaces when creating Service or Docker image names.
The number of Replicas defined must be less than or equal to the number of hosts in the fleet.
In the DuploCloud Portal, you can display and manage the containers you have defined.
Select the Tenant from the Tenant list box in the upper left, and navigate to Kubernetes -> Containers.
Use the Options Menu in each container row to display the Logs, State, Container Shell, Host Shell, and Delete options.
Option | Functionality |
---|---|
Logs | Displays container logs. |
State | Displays the container's state configuration, as YAML, in a separate window. |
Container Shell | Accesses the Container Shell. This option requires prior setup. |
Host Shell | Accesses the Host Shell. |
Delete | Deletes the container. |
Managing GCP services and related components
DuploCloud provides several configurable components when running Google Cloud's Google Kubernetes Engine (GKE).
Applications use GCP Services such as Cloud Armour, Redis and SQL databases, Storage Buckets, Load Balancers, and so on.
Using DuploCloud, you can create any number of Services within each Tenant using application-centric inputs, while the platform programs the lower-level details to security and compliance best practices.
In addition to GKE Standard and Autopilot, the following services are supported. Supported Services are listed in alphabetical order.
Configuration and Secret management in GCP
There are many ways to pass configuration to containers at run time. Environment variables are simple to set up, but become unwieldy when there are many settings, especially files and certificates.
In Kubernetes, you can populate environment variables, or mount files, from Kubernetes Configs and Secrets.
Set Docker registry credentials and Kubernetes secrets
In the DuploCloud Portal, navigate to Docker -> Services. Docker registry credentials are passed to the Kubernetes cluster as a kubernetes.io/dockerconfigjson Secret.
Click the Docker list box in the upper right, and select Docker Credentials. The Set Docker registry Creds pane displays.
Supply the credentials and click Submit.
Enable the Docker Shell Service by clicking Enable Docker Shell.
You can pull images from multiple Docker registries by adding multiple Docker Registry Credentials.
In the DuploCloud Portal, click Administrator -> Plan. The Plans page displays.
Select the Plan in the Name column.
Click the Config tab.
Click Add. The Add Config pane displays.
You can pass Docker Credentials using the Environment Variables config field in the Add Service Basic Options page. See the Kubernetes Configs and Secrets section.
Add GCP subscription details
DuploCloud's rules-based engine needs details of your GCP project to manage cloud resources. Add Cloud Credentials in the DuploCloud Portal to supply them.
In the DuploCloud Portal, navigate to Administrator -> Cloud Credentials. The Cloud Credentials page displays.
Click Add.
In the Cloud list box, ensure Google is selected.
In the Project ID field, enter your Google Project ID.
In the Service Account Email field, enter the service account's email address. A service account is an identity used by an application or compute workload rather than a person; service accounts are managed by Identity and Access Management (IAM).
In the Service Account Private Key field, enter the private key associated with your service account. This key is a long-lived credential: grant the service account only the roles DuploCloud needs, keep the key file with restrictive permissions, and rotate it periodically.
Click Submit. Your credentials are displayed on the Cloud Credentials page.
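The form above asks for a service account email and its private key. The script below is an added example (not DuploCloud's code or its documented procedure) showing how to create that account with gcloud, bind an explicit list of roles rather than roles/owner, mint the JSON key whose client_email and private_key fields go into the form, and list keys old enough to rotate. The project ID, account name and the role list passed on the command line are assumptions; take the roles DuploCloud actually requires from its documentation. The email address follows GCP's fixed NAME@PROJECT.iam.gserviceaccount.com form.

```shell
#!/bin/sh
# Added example, not DuploCloud's code. Project, account name and roles
# are assumptions. GCLOUD defaults to the real CLI; set GCLOUD=echo for a
# dry run that prints the commands instead of executing them.
GCLOUD="${GCLOUD:-gcloud}"

# create_service_account PROJECT NAME ROLE... -> prints the account email.
create_service_account() {
  project="$1"; name="$2"; shift 2
  email="$name@$project.iam.gserviceaccount.com"
  "$GCLOUD" iam service-accounts create "$name" --project "$project" \
    --display-name "DuploCloud control plane" || return 1
  # One binding per role. --condition=None keeps gcloud non-interactive;
  # --format none keeps the updated policy out of our stdout so callers
  # can capture the email alone.
  for role in "$@"; do
    "$GCLOUD" projects add-iam-policy-binding "$project" \
      --member "serviceAccount:$email" --role "$role" \
      --condition=None --format none || return 1
  done
  echo "$email"
}

# Mint a user-managed JSON key. Its client_email and private_key fields
# are the two values the Cloud Credentials form asks for. The subshell
# umask makes the file readable only by its owner.
create_key() {
  email="$1"; out="$2"
  ( umask 077; "$GCLOUD" iam service-accounts keys create "$out" --iam-account "$email" )
}

# List user-managed keys created more than N days ago (default 90): these
# are rotation candidates. The filter uses gcloud's relative ISO-8601
# duration syntax.
list_stale_keys() {
  email="$1"; days="${2:-90}"
  "$GCLOUD" iam service-accounts keys list --iam-account "$email" \
    --managed-by user --filter "validAfterTime<-P${days}D" \
    --format 'value(name,validAfterTime)'
}

# Rotation order: create_key, update the DuploCloud Cloud Credentials
# entry with the new key, then retire the old key ID.
retire_key() {
  email="$1"; key_id="$2"
  "$GCLOUD" iam service-accounts keys delete "$key_id" --iam-account "$email" --quiet
}
```

Never commit the key file; after pasting it into the portal, delete the local copy or keep it in a secrets manager. Revoking the key in IAM (retire_key) immediately invalidates what DuploCloud holds, so update the portal entry first.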
Creating a Load balancer using GCP in DuploCloud
All containers run inside a private network and cannot be reached from outside it. To expose a container externally, create a Load Balancer.
If you need to create an Ingress Load Balancer, refer to the GKE Ingress page in the DuploCloud Kubernetes User Guide.
For an end-to-end example of deploying an application using a GCP Service, see the GCP Quick start.
In the DuploCloud Portal, navigate to Kubernetes -> Services.
On the Services page, select the Service name in the Name column.
Click the Load Balancers tab.
If no Load Balancers exist, click the Configure Load Balancer link. If other Load Balancers exist, click Add in the LB listeners card. The Add Load Balancer Listener pane displays.
From the Select Type list box, select a Load Balancer Listener type based on your Load Balancer.
Complete other fields as required and click Add to add the Load Balancer Listener.
DuploCloud allows at most one Load Balancer per DuploCloud Service.
Create cloud scheduler in GCP
In the DuploCloud Portal, navigate to Cloud Services -> Cloud Scheduler. A Cloud Scheduler job can be triggered by a Pub/Sub topic (see Create pub/sub in GCP), an HTTP endpoint, or an App Engine application.
Create Cloud Functions in GCP
In GCP, Cloud Functions are for serverless execution of code.
In the DuploCloud Portal, navigate to Cloud Services -> Storage. The Buckets page displays. Create a bucket and upload the code package.
Navigate to Cloud Services -> Functions, and click Add. The Add Function page displays. Fill out the appropriate fields and click Create.
Create a Firestore Database from within the DuploCloud platform.
Firestore is a flexible, scalable database for mobile, web, and server development from Google Cloud Platform. It's part of Firebase, a platform for developing mobile and web applications. Firestore is a NoSQL document database that simplifies storing, syncing, and querying data across multiple platforms and devices.
There are two Firestore Database modes to choose from:
Firestore Native Mode is the default mode for Firestore. It provides a richer feature set and supports more advanced querying capabilities, such as compound queries and real-time updates. Use Firestore Native for new projects and applications that require real-time updates and advanced querying features.
Datastore Mode provides a subset of Firestore's features and capabilities, supports a simpler data model, and lacks support for nested subcollections. Use Datastore Mode for migrating existing applications from Google Cloud Datastore to Firestore or for applications that do not require real-time updates or complex querying capabilities.
From the Tenant list box in the upper left, select your Tenant name.
From the DuploCloud portal, navigate to Cloud Services -> Firestore Database.
Click Add. The Add Firestore DB page displays.
In the Name field, enter a name for your database.
From the Type list box, select FIRESTORE_NATIVE or DATASTORE_MODE.
Select your location from the Location list box.
From the Point in Time Recovery Enablement list box, enable or disable point-in-time recovery (restoring data to an earlier state after accidental deletion or corruption), or choose the pessimistic locking option.
From the Delete Protection State list box, enable or disable delete protection. Enable it for production databases so the database cannot be deleted without first clearing the setting.
Click Create. Your Firestore Database is created.
Create Node Pool for GCE in the DuploCloud Portal
GCP Node Pools are useful when some Pods need more resources than others, such as more memory or local disk space. Node Pools can be created only for a DuploCloud Infrastructure backed by a GKE Standard cluster (Autopilot manages its own nodes).
Add a Tenant, specifying the DuploCloud Plan corresponding to a GKE Standard Cluster.
In the DuploCloud Portal, navigate to Kubernetes -> Nodes.
Click the Node Pool tab.
Click Add. The Add Node Pools page displays.
Provide Name, Availability Zone, Instance Type, and Node Counts.
Click Submit.
The DuploCloud Portal provides additional options when configuring a Node Pool. To use them, select Advanced Options in the Add Node Pool page.
You can add Accelerator types for GPUs while creating a NodePool. From the Add Node Pool page, click Add Accelerator.
Accelerator Types are not available in all regions.
In the Add Service page, click Next for Advanced Options.
Enter command, args, and resources in the Other Container Config field.
Click Create.
For additional details, refer to the Google Cloud documentation.
Select the Node Pool to which you want to add taints.
Click Actions and select Add Taint. The Add Taint pane displays.
Enter the Key/Value pair and select the Effect from the list box.
Click Add Taint.
For example, applying a taint with Key/Value dedicated=experimental and a NoSchedule effect prevents Pods without a matching toleration from being scheduled on the Node Pool.
To schedule a Pod in a tainted Node Pool, configure the matching tolerations in the Service. Continuing the example above, create a Service with the tolerations in the Other Container Config field. A toleration only permits scheduling on the tainted nodes; to require it, also select the pool's nodes (for example with a nodeSelector on a label carried by the pool).
You can Edit or Delete a Taint by selecting the Node Pool Name, clicking the Actions menu, and selecting Edit or Delete. You edit the Node Pool using the Edit Node Pool page.
View Node Pools by clicking the Node Pool tab and selecting the Node Pool Name.
Nodes created as part of a Node Pool, are displayed in the GCE VM tab.
Taints configured to a Node Pool are displayed with a Tainted Status. Click the Tainted icon to display a window with a Taint List.
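The taint/toleration pairing above has two halves: the taint on the pool and the placement fields in the Pod spec. The script below is an added example (not DuploCloud's code) that creates a tainted GKE Standard node pool with gcloud, labels it so Pods can be pinned to it, and emits the tolerations plus nodeSelector fragment for a Pod. It continues the dedicated=experimental:NoSchedule example. The cluster, zone, pool and machine type are assumptions, as is the premise that the Other Container Config field accepts a JSON fragment of the Pod spec (the page does not show the field's format).

```shell
#!/bin/sh
# Added example, not DuploCloud's code. Cluster, zone, pool and machine
# type are assumptions. GCLOUD defaults to the real CLI; set GCLOUD=echo
# for a dry run.
GCLOUD="${GCLOUD:-gcloud}"

# Kubernetes accepts exactly these three taint effects; anything else is
# rejected by the API, so fail early.
validate_effect() {
  case "$1" in
    NoSchedule|PreferNoSchedule|NoExecute) return 0 ;;
    *) echo "invalid taint effect: $1 (expected NoSchedule, PreferNoSchedule or NoExecute)" >&2; return 1 ;;
  esac
}

# create_tainted_pool CLUSTER ZONE POOL KEY VALUE EFFECT
# A taint only repels Pods that lack a toleration; it does not attract the
# Pods that tolerate it. The pool is therefore also labelled KEY=VALUE so
# a Pod can pin itself with nodeSelector.
create_tainted_pool() {
  cluster="$1"; zone="$2"; pool="$3"; key="$4"; value="$5"; effect="$6"
  validate_effect "$effect" || return 1
  "$GCLOUD" container node-pools create "$pool" \
    --cluster "$cluster" --zone "$zone" \
    --machine-type n2-standard-8 --num-nodes 1 \
    --node-taints "$key=$value:$effect" \
    --node-labels "$key=$value"
}

# pod_placement_json KEY VALUE EFFECT -> Pod spec fragment (JSON) that
# tolerates the taint AND selects the labelled pool. Paste the result into
# the Service's Other Container Config (assumed to accept JSON).
pod_placement_json() {
  key="$1"; value="$2"; effect="$3"
  validate_effect "$effect" || return 1
  printf '{"tolerations":[{"key":"%s","operator":"Equal","value":"%s","effect":"%s"}],"nodeSelector":{"%s":"%s"}}\n' \
    "$key" "$value" "$effect" "$key" "$value"
}

# Usage:
#   create_tainted_pool my-cluster us-central1-a experimental-pool dedicated experimental NoSchedule
#   pod_placement_json dedicated experimental NoSchedule
```

Without the nodeSelector half, a tolerating Pod may still land on any untainted node, which is usually not what "dedicated" nodes are meant to achieve. NoExecute additionally evicts already-running Pods that lack a toleration, so use it deliberately.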
Create Cloud Storage Buckets in GCP
In GCP, Cloud Storage Buckets are containers that hold your data. Everything in Google Cloud Storage resides in a bucket. Learn more about GCP Cloud Storage and Cloud Storage Buckets.
In the DuploCloud Portal, navigate to Cloud Services -> Storage. The Buckets page displays.
In the Buckets tab, click Add. The Create a Bucket pane displays.
In the Name field, enter a bucket name.
Optionally, select Enable Versioning, and enter a label string for your bucket in the Labels field. Select Allow Public Access only if the bucket is meant to serve anonymous content; otherwise leave it cleared so the bucket cannot be exposed to the public internet.
Click Create.
Adding SQL Databases in DuploCloud
Use this procedure to create:
MySQL databases
SQL databases with PostgreSQL engines
SQL databases with SQL Server engines
In the DuploCloud Portal, navigate to Cloud Services -> Cloud SQL.
Click Add. The Add SQL DB page displays.
For MySQL databases and SQL databases with PostgreSQL engines, provide the Name, SQL Version, and Tier (Machine Type/CPU). For SQL databases with SQL Server engines, provide the same inputs plus a Root Password and a Disk Size in gigabytes (GB). The Root Password is the instance's administrative credential, so choose a strong, unique value.
Click Create.
Select your database from the Name column in the SQL tab. The Details tab displays information about the database you created.
Refer to the graphics below for examples of creating and displaying the supported SQL databases.
Support for Redis database instances
DuploCloud supports Redis database instances. Redis stands for Remote Dictionary Server and is a fast, open-source, in-memory, key-value data store. Redis can function as a database, cache, message broker, and queue.
Redis delivers sub-millisecond response times, enabling millions of requests per second for real-time applications.
In the DuploCloud Portal, navigate to Cloud Services -> Redis.
Click Add. The Add Redis Instance page displays.
Enter the database Name.
In the Display Name field, enter a useful database name for reference.
From the Tier list box, select Basic for a standalone instance with no replication, or Standard for a High Availability primary/replica instance.
In the Memory Size field, enter memory size in gigabytes (GB).
In the Redis Config field, specify the Redis configuration.
In the Labels field, specify key/value pairs.
Select Enable Auth and Security to require Redis AUTH for every connection to the instance.
Select Enable Encryption-in-Transit to require TLS (server-authentication mode) for client connections.
Leave both options selected unless you have a specific reason not to: without them, the instance accepts unauthenticated, plaintext connections from any client that can reach its VPC network.
Click Create. The Redis database Details tab displays on the Redis tab with Connectivity, General, and Security cards.
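The two check boxes above map to two Memorystore instance settings. The script below is an added example (not DuploCloud's code) that creates an instance with both settings on through gcloud, audits an existing instance for them, and retrieves what a client needs to connect (the AUTH string and the server CA). Instance name, region and size are assumptions; the audit logic itself is pure shell so it can be exercised without a GCP project.

```shell
#!/bin/sh
# Added example, not DuploCloud's code. Instance name, region and size are
# assumptions. GCLOUD defaults to the real CLI; set GCLOUD=echo for a dry run.
GCLOUD="${GCLOUD:-gcloud}"

# Weak default: no --enable-auth and transit encryption disabled means any
# host in the VPC can talk to Redis unauthenticated, in plaintext.
# Hardened form: AUTH on, TLS with server authentication on.
create_hardened_redis() {
  name="$1"; region="$2"; size_gb="${3:-1}"
  "$GCLOUD" redis instances create "$name" --region "$region" \
    --tier standard --size "$size_gb" --redis-version redis_7_0 \
    --enable-auth --transit-encryption-mode server-authentication
}

# assess_redis AUTH_ENABLED TRANSIT_MODE -> 0 if hardened, 1 otherwise.
# "True" and "SERVER_AUTHENTICATION" are the values that
# `gcloud redis instances describe --format=value(...)` prints.
assess_redis() {
  auth="$1"; mode="$2"; rc=0
  case "$auth" in
    True|true|TRUE) ;;
    *) echo "Redis AUTH is disabled" >&2; rc=1 ;;
  esac
  case "$mode" in
    SERVER_AUTHENTICATION) ;;
    *) echo "transit encryption: ${mode:-DISABLED}" >&2; rc=1 ;;
  esac
  return $rc
}

# audit_redis NAME REGION -> runs assess_redis on a live instance.
audit_redis() {
  fields=$("$GCLOUD" redis instances describe "$1" --region "$2" \
    --format 'value(authEnabled,transitEncryptionMode)') || return 1
  # value() separates the two fields with a tab, which word-splits here.
  assess_redis $fields
}

# client_materials NAME REGION CA_FILE -> prints the AUTH string and writes
# the server CA certificate that a TLS client must trust. A TLS-enabled
# instance listens on 6378 instead of 6379.
client_materials() {
  name="$1"; region="$2"; ca_out="$3"
  "$GCLOUD" redis instances get-auth-string "$name" --region "$region"
  "$GCLOUD" redis instances describe "$name" --region "$region" \
    --format 'value(serverCaCerts[0].cert)' > "$ca_out"
  # Connect, for example:
  #   redis-cli -h HOST -p 6378 --tls --cacert "$ca_out" -a "$AUTHSTRING" ping
}
```

Treat the AUTH string like any other secret: deliver it to the Service through a Kubernetes Secret, not as a literal in Other Container Config or an environment variable in the Service definition.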
Create pub/sub in GCP
Creating a Pub/Sub topic requires only a few fields.