{"id":2644,"date":"2019-03-17T19:28:43","date_gmt":"2019-03-17T13:58:43","guid":{"rendered":"http:\/\/navveenbalani.dev\/?p=2644"},"modified":"2019-12-17T21:02:09","modified_gmt":"2019-12-17T15:32:09","slug":"building-production-topology-with-google-cloud-part-4","status":"publish","type":"post","link":"https:\/\/navveenbalani.dev\/index.php\/articles\/building-production-topology-with-google-cloud-part-4\/","title":{"rendered":"Building Production Topology with Google Cloud &#8211; Part 4"},"content":{"rendered":"\n<p>In this article, we will invoke the microservices that were deployed in the earlier article. You can use a tool like curl to invoke the echo microservice as shown below.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>curl --request POST \\\n  --header \"content-type:application\/json\" \\\n  --data '{\"message\":\"hello echo\"}' \\\n  \"https:\/\/apis.navveenbalani.dev\/echo?key=AIzaSyC0m7d4cc-jOwJ\"\n<\/code><\/pre>\n\n\n\n<p>(Replace AIzaSyC0m7d4cc-jOwJ with your endpoint key.)<\/p>\n\n\n\n<p>You will see the response message printed in the console.<\/p>\n\n\n\n<p>Next, execute the fetchWebsite service.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>curl -i \"https:\/\/apis.navveenbalani.dev\/fetchWebsite?key=AIzaSyC0m7d4cc-jOwJ\"\n<\/code><\/pre>\n\n\n\n<p>You will see the message \u201cok\u201d printed on the console, denoting that your service can access the internet (external IP) from your private Kubernetes cluster through Cloud NAT.<\/p>\n\n\n\n<p><em>Figure 27: Output of curl invocation<\/em><\/p>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" 
width=\"350\" height=\"124\" src=\"https:\/\/navveenbalani.dev\/wp-content\/uploads\/2019\/12\/image-27.png\" alt=\"\" class=\"wp-image-2646\" srcset=\"https:\/\/navveenbalani.dev\/wp-content\/uploads\/2019\/12\/image-27.png 350w, https:\/\/navveenbalani.dev\/wp-content\/uploads\/2019\/12\/image-27-300x106.png 300w\" sizes=\"(max-width: 350px) 100vw, 350px\" \/><\/figure>\n\n\n\n<p>Next, we will whitelist the IPs that can access our service. We will use Cloud Armor and configure it with our Kubernetes cluster.<\/p>\n\n\n\n<h2>Configure Cloud Armor<\/h2>\n\n\n\n<p>Google Cloud Armor works with <a href=\"https:\/\/cloud.google.com\/load-balancing\/\">Global HTTP(S) Load Balancer<\/a> to provide built-in defenses against infrastructure DDoS attacks. It provides IP and geo-based access control and a set of rich rules (currently in alpha) to <\/p>\n\n\n\n<p>Let\u2019s create a Cloud Armor configuration for our application. To demonstrate, we will first whitelist all IPs and invoke our application. 
We will later change the configuration to deny all IP addresses, which should produce an unauthorized error.<\/p>\n\n\n\n<p>Go to Network Security -&gt; Cloud Armor and click Create Policy.<\/p>\n\n\n\n<p><em>Figure 28: <\/em>Cloud Armor -&gt; Create Policy<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" width=\"303\" height=\"153\" src=\"https:\/\/navveenbalani.dev\/wp-content\/uploads\/2019\/12\/image-29.png\" alt=\"\" class=\"wp-image-2648\" srcset=\"https:\/\/navveenbalani.dev\/wp-content\/uploads\/2019\/12\/image-29.png 303w, https:\/\/navveenbalani.dev\/wp-content\/uploads\/2019\/12\/image-29-300x151.png 300w\" sizes=\"(max-width: 303px) 100vw, 303px\" \/><\/figure>\n\n\n\n<ul><li>Enter the policy name and select Allow as the rule action.<\/li><\/ul>\n\n\n\n<p><em>Figure 29: <\/em>Cloud Armor -&gt; Policy Details<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" width=\"357\" height=\"245\" src=\"https:\/\/navveenbalani.dev\/wp-content\/uploads\/2019\/12\/image-31.png\" alt=\"\" class=\"wp-image-2650\" srcset=\"https:\/\/navveenbalani.dev\/wp-content\/uploads\/2019\/12\/image-31.png 357w, https:\/\/navveenbalani.dev\/wp-content\/uploads\/2019\/12\/image-31-300x206.png 300w\" sizes=\"(max-width: 357px) 100vw, 357px\" \/><\/figure>\n\n\n\n<ul><li>Click Next Step, enter the IP range 0.0.0.0\/0 (to allow all IP addresses) in the match field, and set the priority to 0 (executed first), as shown in the figure below.<\/li><\/ul>\n\n\n\n<p><em>Figure 30: <\/em>Cloud Armor -&gt; Policy Details -&gt; IP Details<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" width=\"334\" height=\"228\" src=\"https:\/\/navveenbalani.dev\/wp-content\/uploads\/2019\/12\/image-30.png\" alt=\"\" class=\"wp-image-2649\" srcset=\"https:\/\/navveenbalani.dev\/wp-content\/uploads\/2019\/12\/image-30.png 334w, https:\/\/navveenbalani.dev\/wp-content\/uploads\/2019\/12\/image-30-300x205.png 300w\" sizes=\"(max-width: 334px) 100vw, 334px\" 
\/><\/figure>\n\n\n\n<ul><li>Click Done to create the configuration. Wait a couple of minutes for the changes to take effect.<\/li><\/ul>\n\n\n\n<ul><li>Next, we will add the configuration created above to our Kubernetes cluster. We need to create a BackendConfig, as shown below, that references the \u201ckube-armor-security-policy\u201d created earlier, and later add the BackendConfig to our service configuration.<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>apiVersion: cloud.google.com\/v1beta1\nkind: BackendConfig\nmetadata:\n  namespace: default\n  name: kube-armor-config\nspec:\n  securityPolicy:\n    name: \"kube-armor-security-policy\"\n<\/code><\/pre>\n\n\n\n<p>Run the following command to create the backend configuration.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>kubectl apply -f kube-backend-armor-gcp.yaml\n<\/code><\/pre>\n\n\n\n<ul><li>Then, delete the existing kube-node-service-gcp by navigating to Kubernetes Engine &gt; Services &amp; Ingress in the Cloud Console. We will create a new service configuration that uses the Cloud Armor backend configuration created in the earlier step.<\/li><\/ul>\n\n\n\n<p><em>Figure 31: <\/em>Service &amp; Ingress -&gt; Select &amp; Delete<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" width=\"342\" height=\"206\" src=\"https:\/\/navveenbalani.dev\/wp-content\/uploads\/2019\/12\/image-32.png\" alt=\"\" class=\"wp-image-2651\" srcset=\"https:\/\/navveenbalani.dev\/wp-content\/uploads\/2019\/12\/image-32.png 342w, https:\/\/navveenbalani.dev\/wp-content\/uploads\/2019\/12\/image-32-300x181.png 300w\" sizes=\"(max-width: 342px) 100vw, 342px\" \/><\/figure>\n\n\n\n<ul><li>Afterward, apply the kube-backend-service-node-armor-gcp.yaml file. 
The contents of the file are the same as the kube-backend-service-node-gcp.yaml file, with the additional backend-config annotation that references the kube-armor-config created in the earlier step.<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>apiVersion: v1\nkind: Service\nmetadata:\n  name: kube-node-service-gcp\n  labels:\n    apps: backend-gcp\n  annotations:\n    # Attach the kube-armor-config BackendConfig to service port 8081\n    beta.cloud.google.com\/backend-config: '{\"ports\": {\"8081\":\"kube-armor-config\"}}'\nspec:\n  type: NodePort\n  selector:\n    apps: backend-gcp\n  ports:\n  - port: 8081\n    targetPort: 8081\n<\/code><\/pre>\n\n\n\n<p>Execute the command:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>kubectl apply -f kube-backend-service-node-armor-gcp.yaml\n<\/code><\/pre>\n\n\n\n<p>After execution, wait for kube-ingress-gcp to return to the green state.<\/p>\n\n\n\n<h2>Test the Microservices with Cloud Armor<\/h2>\n\n\n\n<p>Next, test the microservices again with the new configuration.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>curl -i \"https:\/\/apis.navveenbalani.dev\/fetchWebsite?key=AIzaSyC0m7d4cc-jOwJ\"\n<\/code><\/pre>\n\n\n\n<p>You should see the message \u201cok\u201d printed on the console.<\/p>\n\n\n\n<p>Next, go to Cloud Console -&gt; Network Security -&gt; Cloud Armor and click on the kube-armor-security-policy. On the kube-armor-security-policy page, click Logs to view the request logs. You can inspect each incoming request (headers, message, IP address, etc.) 
in detail by inspecting the logs.<\/p>\n\n\n\n<p><em>Figure 32: Cloud Armor Logs<\/em><\/p>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" width=\"353\" height=\"221\" src=\"https:\/\/navveenbalani.dev\/wp-content\/uploads\/2019\/12\/image-33.png\" alt=\"\" class=\"wp-image-2652\" srcset=\"https:\/\/navveenbalani.dev\/wp-content\/uploads\/2019\/12\/image-33.png 353w, https:\/\/navveenbalani.dev\/wp-content\/uploads\/2019\/12\/image-33-300x188.png 300w\" sizes=\"(max-width: 353px) 100vw, 353px\" \/><\/figure>\n\n\n\n<p>To test out IP whitelisting, modify the existing kube-armor-security-policy policy. Click Edit rule and select Deny instead of Allow, as shown below. Then click Update.<\/p>\n\n\n\n<p><em>Figure 33: Cloud Armor -&gt; Policy Details -&gt; Deny All<\/em><\/p>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" width=\"353\" height=\"217\" src=\"https:\/\/navveenbalani.dev\/wp-content\/uploads\/2019\/12\/image-34.png\" alt=\"\" class=\"wp-image-2653\" srcset=\"https:\/\/navveenbalani.dev\/wp-content\/uploads\/2019\/12\/image-34.png 353w, https:\/\/navveenbalani.dev\/wp-content\/uploads\/2019\/12\/image-34-300x184.png 300w\" sizes=\"(max-width: 353px) 100vw, 353px\" \/><\/figure>\n\n\n\n<p>Wait a few minutes for the changes to take effect.<\/p>\n\n\n\n<p>Next, execute the fetchWebsite service.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>curl -i \"https:\/\/apis.navveenbalani.dev\/fetchWebsite?key=AIzaSyC0m7d4cc-jOwJ\"\n<\/code><\/pre>\n\n\n\n<p>You should see 502 Bad Gateway as the response, as shown below.<\/p>\n\n\n\n<p><em>Figure 34: Bad Gateway error<\/em><\/p>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" width=\"303\" height=\"95\" src=\"https:\/\/navveenbalani.dev\/wp-content\/uploads\/2019\/12\/image-35.png\" alt=\"\" class=\"wp-image-2654\" srcset=\"https:\/\/navveenbalani.dev\/wp-content\/uploads\/2019\/12\/image-35.png 303w, 
https:\/\/navveenbalani.dev\/wp-content\/uploads\/2019\/12\/image-35-300x95.png 300w\" sizes=\"(max-width: 303px) 100vw, 303px\" \/><\/figure>\n\n\n\n<p>With this, we have tested IP whitelisting. Change the configuration back to allow all IP Addresses.  <a href=\"https:\/\/navveenbalani.dev\/index.php\/articles\/building-production-topology-with-google-cloud-part-5\/\">Click here for next section.<\/a><\/p>\n","protected":false},"author":1,"featured_media":2128,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[3,79],"tags":[285]}