GCP Cloud Foundations

#whoami

Federico Fregosi
Current: Principal Consultant - Technical

Past:

federico.fregosi@contino.io

https://www.linkedin.com/in/federico-fregosi/
About Contino
Contino is a leading transformation consultancy that helps large, heavily-regulated enterprises to become fast,
agile and competitive.

360+ 5 300+ 150+

People
The deepest pool of
DevOps, data & cloud
transformation talent
in the industry
Global offices
We can scale rapidly
to support diverse
client requirements
across the globe
Engagements Customers
More DevOps Specializing in helping the
transformation executed world's leading brands
than any other professional accelerate digital
services firm transformation

3
Agenda
01 | Cloud Foundations
02 | Organization Structure & Resource Deployment
03 | Authentication & Authorization
04 | Networking
05 | Secrets Management
06 | Logging
07 | Operating Model
08 | FinOps - Billing
09 | Q&A

4
Why Do You Need Cloud Foundations?

Landing zones enable management of standardised GCP projects, which in turn control
your Virtual Private Clouds (VPCs) and consumption of GCP cloud services.

● Prevents Project Sprawl: Project provision can be managed as cloud engagement increases

● Minimises Engineering Overhead: Eliminating manual changes reduces complexity and enables
scalability and consistency

● Enables Scaling by Design: Management of services and infrastructure in public cloud is made
simple by the use of a well-designed landing zone

● Accelerates Consumption of Cloud Services: Allows for GCP projects to be provisioned with a
standard set of tooling and services

5
 Core Features

GCP Core System Operational Security, privacy, and Reliability Performance and cost
Design Practices Excellence compliance optimisation

Aligned with “Best practices” and the 5 pillars of “Google Cloud's Architecture Framework” principles

6
What is a Landing Zone?
On-Prem
Quota Connectivity
Monitoring
Hybrid
Cloud Billing Logging
URL Organization
Filtering Policies
Log Security Compliance
Exports
SaaS
integrations SIEM
Resource Project
Integration
Deployment Factory Google
Kubernetes
CI/CD Secure
Secrets Engine
Baseline
Dns Hub

Cloud SSO & Active

Data Directory
Platform Notifications Integration

7
GitHub solutions

● https://github.com/terraform-google-mod
ules/terraform-google-project-factory

● https://github.com/terraform-google-mod
ules/terraform-example-foundation

● https://github.com/contino/terraform-gcp
-modules

● https://github.com/GoogleCloudPlatform
/cloud-foundation-toolkit

8
Organization
Structure
GCP Resource Management

● Cloud Resource Manager provides

project management & IAM
functionality

● The top level component is the GCP

organization.

● An organization is tied to a GSuite OR a

Cloud Identity account

● Most of the available resources are

deployed into a project.

● A project is the main isolation

“container” in GCP

10
GCP Resource Management

The effective policy for a

resource is the union of the
policy set at that resource and
the policy inherited from its
Top-down parent.
access
inheritance:
Additive only

11
Cloud Resource Manager: Organization Hierarchy
The Common folder will include the following
baseline projects:

● Interconnect - connectivity between

an enterprise's on-premises
environment and Google Cloud.

● DNS Hub - central point of

communication between an
enterprise’s on-premises DNS system
and Cloud DNS.

● Notifications - managing Security

Command Center alerting.

● Logging - destination for log sink

and detective controls.

● Secrets - organization-level secrets.

12
Organisation Policies
The Organization Policy Service constrains the allowed
resource configurations. Policies can be applied to the
Organisation, Folders, and Projects.

*Requires IAM role: Organization policy / organization policy administrator

13
 Organization Policy Hierarchy Evaluation

Resource 3 defines a custom

policy that sets inheritFromParent
to FALSE and allows yellow
hexagon. The effective policy
evaluates to only allow yellow
In this example, the Organization Node defines
hexagon.
a policy that allows red square and green circle.
Resource 4 defines a custom
policy that sets inheritFromParent
Resource 1 defines a custom policy
to FALSE and includes the
that sets inheritFromParent to TRUE
restoreDefaultvalue. The default
and allows blue diamond. The
constraint behavior is used, so the
effective policy evaluates to allow red
effective policy evaluates to allow
square, green circle, and blue
all.
diamond.
Note: The exceptions are always
Resource 2 defines a custom policy
set by org-level Organization
that sets inheritFromParent to TRUE
Policy roles, and not by
and denies green circle. Deny takes
project-level roles.
precedence. The effective policy
evaluates to allow only red square.
Resource
Deployment
Cloud Fundations Creation
The seed project contains the Terraform state of the foundation infrastructure, a highly privileged service
account that's able to create new infrastructure, and the encryption configuration to protect that state.

Create
Create Seed Leverage
Organization Create
Project using Project
based on your Landing Zone
CLI Factory
domain

Attach Billing
Administrator Project Vending
Account

Create Service
Account

Grant SA permission

Enable APIs

16
Project Factory

Project creation is a Automatic

repetitive task. Projects are created automatically and consistently
based on Infrastructure as Code methodology
(Terraform and advanced project vending).
Projects should be configured to consistently meet
the organization needs:

● Project ID/name naming convention

● Billing account linking
● Networking configuration
● Enabled APIs/services
● Compute Engine access configuration
● Exporting logs and usage reports
● Project removal line
● And more
17
 Project Factory - Vending Process

Apply CIS Add to Enable

GCP Project IAM Baseline
Benchmark Compliance access to
Creation Configuration
configuration Service account

GCP Project Place into

Provision Baseline Add To security Create Group and
Requestor Org/Folder IAM Configuration
IAM Roles Command Center App Roles in AD
(Business Unit)

Inherit/Define
Create Service Logging & Event Threat
Organization Add Users to Group
Account Configuration Detection
Policies

Attach Billing Networking Add Service Account

Account (Shared VPC) to the Group

Enable APIs

18
Operator Personas
&
User Personas Direct Console Application
Service Users
Users Users

App Application:
Automation Containers
Images
Central or
App Operator BYO RPMs

Service
Automation Managed Services:
Central or
VMs, Anthos, Databases, Pub/Sub
Service Operator BYO

Infra GCP Foundation:

Pipeline
IAM, Routing, Firewalls, VPCs
Central Subnets, Projects, Folders,, Org Policy
Platform Operator

19
Continuous Integration and Delivery on GCP
Google Cloud
environment(s)

Continuous Integration Compute

Engine

Source code Build/Test Artifact Mgmt. Deploy App Monitor/Test

Engine
Cloud Source Cloud Registry /
Cloud Build Cloud Storage Spinnaker Stackdriver
Repository
Kubernetes
Engine

Cloud
Functions

On-premise

Source
Cluster

Cluster

20
 Application CI/CD - Supporting Services

Cloud Container
Cloud Build
Source Repos Registry
● Private Git repositories hosted on ● Hosted build execution on Google Cloud ● Hosted image repository
Google Cloud ● Build container images or non-container ● Push builds to Container Registry
● Easily perform Git operations required artifacts from Cloud Build
by your workflow ● Trigger new builds based on changes to ● Analyze images to
● Sync to existing GitHub or Bitbucket CSR or other repo ● Discover vulnerabilities
repo

Container
Spinnaker
Analysis API
● Open source, multi-cloud application ● Store, query, and retrieve critical
deployment platform metadata about software artifacts
● Built-in best practices for deployment ● Query all metadata across all of your
● Supports many deployment best practices components in real time

21
Implementing Changes
The toolkit encourages customers to collaborate on infrastructure through a
compliant and secure platform.

Developer Administrator Administrator CI/CD updates

CI runs
submits reviews for merges the deployed
validation
pull request policy compliance new config infrastructure

Collaborate in Reduce manual effort

source control and errors

Ensure Enforce policies

consistency proactively
22
Continuous Compliance.
It’s always green.

23
Authentication &
Authorization
Authentication & Authorization

In order to ensure a consistent and secure manner of accessing the cloud environment and the various resources
under the scope of the Landing Zone implementation, the following aspects will be considered and included in the
initial landing zone deployment.

Components
● Native user and group management: Cloud identity provides unified identity, access, app,
and endpoint management (IAM/EMM) platform.
● Active Directory integration and Single Sign-on (SSO): By leveraging Google Directory Sync,
we can map Active Directory forests, domains, users, and groups to Cloud Identity entities
● Roles and permissions: Standardised IAM roles and permission policies will be created to
satisfy the principle of least privilege.

25
 Cloud Identity

Chrome ● Cloud Identity is an Identity as a Service (IDaaS)

Apps
for Work solution that allows you to centrally manage
users and groups who can access Google Cloud
Android and G Suite cloud resources
for Work
● It is the same identity service that powers G
People
Suite and can also be used as IdP for 3rd party
applications (supports SAML and LDAP
applications)

Google
Cloud Identity
Cloud
Devices

26
Cloud Identity

Cloud
Manual
Identity
Users

APIs Groups

Cloud
IAM GCP
Resources
CSV Org Units
Upload

Users and groups created in Cloud Identity are the Google Identities that can be assigned IAM roles in the GCP console

The Cloud Identity roles only manage aspects of Cloud Identity such as user/group management, and are different from GCP roles
which manage permissions to cloud resources

27
 Cloud Identity - Typical Architecture

Intranet SaaS
Legacy
IT Infra (LDAP)
Applications
Secure LDAP

IT Infrastructure

VPN
Secure LDAP
Radius
server
MS Infra, (Wifi AuthN)
Print, File,
Certificate
GCDS

Secure LDAP
Legacy Apps
(LDAP)

28
Active Directory Integration

While Cloud Identity provides the necessary functionality to manage

Google identities (users and groups) for use in a GCP environment,
this might add unnecessary overhead for customers with existing
on-premises AD deployments. The following steps are required for AD
integration setup:
● Provisioning users - Relevant users and groups are one-way
synchronized periodically from Active Directory to Cloud
Identity. This process does not sync passwords as all
authentication will be done through the on-premises Active
directory
● Single Sign-on - Whenever a user needs to authenticate,
Google Cloud delegates the authentication to Active Directory
by using the Security Assertion Markup Language (SAML)
protocol. This delegation ensures that only Active Directory
manages user credentials and that any applicable policies or
multi-factor authentication (MFA) mechanisms are being
enforced

29
Cloud Directory Sync Implementation

Google Cloud Directory Sync (GCDS) is deployed on

an on-premises domain joined VM, either Linux or
1
Windows.

Leveraging cron, GCDS is triggered automatically at

regular intervals to sync identities between Active
2
Directory and Cloud Identity

In order to filter which users or groups are synced

with Cloud Identity, an attribute is added to the
users in AD and Directory Sync filters are
3
implemented to filter based on the provided
attribute.

30
Authorization with IAM

Roles are a collection of permissions that may be assigned to users, groups and service accounts.
Permissions grant the ability to execute specific API calls, for example: compute.instances.create

Primitive Roles Predefined Roles Custom Roles

Legacy Google Cloud roles More granular roles than Ability to create roles with a
that grant broader set of primitive, based on job specific permission set.
permissions function.
(Owner, Editor, Viewer).

31
Authorization with IAM

Give access to a subset of resources

within a project

Condition access based on

context-aware access levels

Grant time limited IAM policies

32
Best Practices

Controversial Follow Industry

Approaches Standards
● Disabling APIs by default

● Deleting Default Service Accounts

● G-Suite Super Admin Role management

● Controlling Scopes
● CIS Benchmarks
● Using Service Accounts outside original
● NIST Cybersecurity Framework
project

33
Networking
Networking Considerations
Components

Support for
Shared VPC Network
private DNS
Architecture Security

35
Shared VPC - Introduction
Shared VPC allows an organization to connect resources from multiple projects to a common Virtual Private Cloud
(VPC) network, so that they can communicate with each other securely and efficiently using internal IPs from that
network.

Definition:
● Host Project: contains one or more Shared VPC
networks. A Shared VPC Admin must first enable a
project as a host project. After that, a Shared VPC
Admin can attach one or more service projects to it.
● Service Project: A service project is any project that
has been attached to a host project by a Shared
VPC Admin. This attachment allows it to participate
in Shared VPC. It's a common practice to have
multiple service projects operated and administered
by different departments or teams in your
organization.

36
Shared VPC

37
DNS - Hub-and-spoke model

38
Firewall Rules

Target Ingress rule Source

Service account
Network
Allow/Deny
VM
Ingress rule IP range/CIDR VPC Firewall
Instances by tag
Target tag
Instance tag or service ● Stateful with connection
Service account account tracking
Ingress rule
● Distributed: enforced on
All instances in underlying host
network

Egress rule Destination Implied Rules

Service account ● Ingress deny
● Egress allow
Allow/Deny IP range/CIDR
Egress rule

Target tag

39
 VPC Service Controls

Unauthorized
Service Perimeter client
Authorized VM to
Extend perimeter security to managed GCP Project GCP service
services

● Control VM-to-service and

service-to-service paths.
Access from
Internet
● Ingress: prevent access from the
unauthorized networks.
Private PII Data GCP service
● Egress: prevent copying of data to Unauthorized access to Unauthorized
Project
unauthorized GCP Projects. VPC project GCP service project

● Project level granularity.

40
Connectivity Options
Public Internet (IPSEC VPN)
● Fastest way to connect to
the cloud or between
clouds
● Leverages existing internet
network connectivity
● Supports high availability
and aggregated bandwidth
with 1.5 to 3 Gbps per
tunnel
● Static/dynamic (BGP)
based VPC
● Easy HA setup: 99.99%
SLA
Cloud Interconnect
● Enterprise-grade, private
connectivity to GCP
● Provisioned as a dedicated
link to a Google PoP or via
a partner
● Dedicated Interconnect:
Highest bandwidth with
10 Gbps and 100 Gbps
links
● Partner Interconnect offers
more flexible subscriptions
(50 Mbps to 10 Gbps)
Peering
● Access G Suite and Google
services, as well as GCP
with reduced egress rates
● Utilizes existing BGP route
selection and internet
routing
● Greater control of peering
facilities
● Direct or carrier
41
 On-premises Connectivity
Cloud Interconnect Metro Area

Project Colo Facility On-premises

VPC ● Layer 2 connectivity

us-west1 | 10.240.1/24 IA BGP
169.254.68.50 169.254.68.52 10.120.1.1
Cloud ASN: 64513 ASN: 12345
● Up to eight 10 Gbps links, or
Google Peering Router 1
Router Edge - Zone 1 two 100 Gbps links
10.120.1/24
● Same Interconnect can link to
10.130.1/24 multiple VPCs within the
Routing

Colo Facility
VPC

same project
10.140.1/24
us-west1 | 10.240.0/24 IA BGP ● 99.9% or 99.99% SLAs
169.254.68.51 169.254.68.53
10.130.1.2
depending on the architecture
Cloud ASN: 64513 ASN: 12345

Router
Google Peering Router 2 chosen
Edge - Zone 2

us-central1 | 10.250.0/24

42
Zero Trust
Networking
Access Context Manager - Access Levels
Context-Aware Access Suite of Products Attributes Policy Apps & Data
collects attributes and data Context of the user Define and apply Protect all critical
and request policies data
● Endpoint verification collects device
identity and security posture

● Cloud Identity provides user

information

Access Context Manager Defines

Authorization Rules
Employee Device
● Define rules around geography, device Rules Engine
status, time of day, etc for granting
access

Location

User + Device + Context is the new security perimeter

44
Identity-aware Proxy

Central enforcement

● Single point of control for managing user access

● Security team can define and enforce policy

Access control

● Control access by user identity

● Apply policy by group membership
● Supports 2FA Security Keys

Deployment

● Little to no change to applications

● No need to implement own authentication for each
application
● Integrated with HTTP(s) Load Balancer

45
Detective Controls

46
Cloud DLP (Data Loss Prevention)
Cloud Data Loss Prevention provides programmatic access to a powerful detection engine for PII Data

Redaction

“This is my credit card: ******”

Hashing or
tokenizing

“This is my credit card: ga+32mx32s2as8cw38AEfknsFthc”

Data Loss Format preserving

Prevention encryption or tokenization
Raw API
Data

“This is my credit card: 5432-4232-4232-6322”

47
Implementation
Cloud
BigQuery Datastore
Storage

Action: Output
Trigger Scan Detailed Findings
one time,
on schedule, etc.
BigQuery
Cloud DLP

Summary Findings
UI or API

Action: Output
Cloud Security
Command Center

48
Secrets
Management
Secret Manager
Supports
versioning
Follows
Principle of
Least Privilege

●
Global
Names and
Replication

Integrated with
Cloud KMS
Audit
Accessible from
Logging
Hybrid Environments
Strong
Encryption

50
Global Names and Regional Data

projects/my-project/secrets/my-secret

us-east-1 us-west-2 europe-north1

[***] [***] [***]

51
Key Management Comparison

Default CMEK
Role CSEK
Encryption via Cloud KMS

Supported Products
All BigQuery, Compute Engine, Cloud Storage, Dataproc, Compute Engine, Cloud Storage
Dataflow, Kubernetes Engine, Cloud SQL

Key Management Effort

None Medium High

Data Encryption
None Low Medium (GCE,GCS)
Effort

Key rotation effect on

Automatic Re-Encrypt All data Re-Encrypt All data
encrypted data

52
Logging
Stackdriver

Monitoring Logging Performance Multi-cloud

● Endpoint checks ● Filter, search, and ● Built on the same ● Google Cloud
to internet-facing view systems that Platform, Amazon
services power Google’s Web Services,
● Define metrics, global Hybrid
● Uptime checks for dashboards, and infrastructure configuration
URLs, groups, or alerts
resources ● Unprecedented ● Combines metrics,
● Export to scale, logs, and metadata
● Plugins for many BigQuery, Google performance, and
major stacks Cloud Storage, and resiliency
(Apache, MySQL, Pub/Sub
CouchDB etc.)

54
Log Compliance

Separation of Duties Least privilege Non-repudiation

(SoD)
● Only grant the ● Cloud Storage
● Use Aggregated right level of automatically
Exports to permissions encrypts all data
centralise all logs required on the before it is written
from all projects project / bucket to disk
into a single containing the
separate project, logs ● Additional
with different fortification can
ownership than ● Avoid granting be implemented
the source permissions to by
delete buckets / object-versioning
● Choose Cloud objects log buckets in
Storage as the conjunction with
destination a Bucket Lock

55
Security Logging

Application Logging project

project

Log redirection

Custom fluentd
config

project: my-app
project: security
linked to jsonPayload: { linked to
“user”:”xxx”,
“group”:”yyy”,
“account”:”123”
}
Logging Logging
Cloud Operations Cloud Operations
Account 1 Account 2

56
Log Exports
Common Pattern

Table expiration time

Dataset location

BigQuery
Bucket type
Log Object lifecycle (retention for objects)
export
Bucket lock (securing objects)

Cloud Storage
Stackdriver
Logs An organization-level log sink
Logging
aggregates logs on the Log streaming (integration with log
analysis tools)
organization level.
Acknowledgement deadline for the
subscriber

Cloud Pub/Sub

57
Security Information and Event Management
Organization can export their logs to a third party SIEM solution

Integration through
● Agents @ SIEM side
● Add-on or connector

Example integrations
● Splunk
Add-on for Google Cloud

● Elasticsearch
Cloud Pub/Sub -> Logstash|Beats -> ES -> Kibana
● Sumo Logic
Cloud Pub/Sub -> API webhook -> Sumo
● ArcSight
FlexConnector for REST

58
Cloud Logging

59
Alerting
Project Static thresholds

Kubernetes cluster Group thresholds

Conditions
Percent change in X
Pod seconds

Signal Duration window

Policy
Stackdriver
Virtual Machines Monitoring

Notification
channels SMS
Signal

60
FinOps - Billing
FinOps - Billing
Billing accounts are payment vehicles for your Google Cloud spend.
They come in two types:

Offline Online

Billing account Billing account

Project 1 Project 2 Project 3 Project 4

Org node 1 Org node 2 Consumer

62
FinOps - Billing
Billing account
● Use Project Factory to
(IaC) provision
Billing export
projects and set billing
accounts
Credits applied
Project Factory ● Hierarchical

A billing account can be ● Resources have

manually added with correct consistent naming and
IAM permissions, however this labelling standards to
should be automated
allow for cost
attribution

● Report on costs
Project Project
● Ensure budgets and
spend alerts are in
place to control spend

Project-level bill Project-level bill ● Forecast usage costs

Bills itemized by resource type

63
Operating Model
The Model Needs to Fit in the Wider Digital Context Product
Management

Software
Cloud
Delivery

Corporate
Key Points: Strategy

Finance IT

● Cloud op model is only a part of the

overall IT op model
● The IT op model is only a part of the Enterprise
broader enterprise op model Marketing Operating Human
Resources
● There are a number of dependencies, Model
intersects and dependencies across the
enterprise wide op model
Business
Operations
Change

Sales

65
 Elements of Cloud Operating Model
Cloud Processes:
Cloud Vision:
The chain of practices
Why are we leveraging Cloud Vision through which value is
cloud delivered
Cloud Processes - Value Delivery Chain

Cloud Operating Building

Blocks

Capabilities for best use

of cloud
Cloud Operating Building Blocks
Cloud Technology
Cloud Organisation

Cloud Organisation Cloud Technology Selected platforms,

How our teams and
supporting technology
people are organised
and tooling

Cloud Governance Cloud Metrics

How our teams and Cloud Governance Cloud Metrics Measurement of cloud
people are organised use, consumption and
benefit
There is a Need to Transition to a New Shared
Responsibility Model
Functional Application 3rd Party
User Testing
Requirements Access Control Management

Customer
Application Infrastructure Performance
Business Case
Deployment Deployment Management

Patch Environment
Data Encryption Cost Management
Management Provisioning
Key Points: Vulnerable Prerequisite
Management Management

● Customer is a supplier of requirements Networking

VM Backup/ Data Backup/ Incident Fault
with shared responsibility for build Recovery Recovery
Monitoring/Alertin
Resolution
g
within your company. Compliance

Services
Cloud Identities Transit Services Monitoring/Alertin Directory Services

Cloud
● Customer teams consume reusable g
Application
assets from central repository. Service Reusable laC Golden Image
Monitoring/Alertin
Management Modules Management
g
● Run responsibilities owned by your Shared/Reusable
company and partners Tooling

Provider
Compute Storage Databases Networking

Cloud
Regions Availability Edge Locations

67
Operating Model

Decentralized Centralized
Access to and control of Google Cloud is shared Access and control of Google Cloud is centrally
among developers and engineers across the controlled by Corporate IT or Operations.
company. Corporate IT has little to no involvement
● Administering the platform
with running the platform.
● Granting access to engineers and
● Corporate IT: Creation of folders, shared developers as required
services, and common configuration
● Developers and engineers: Creation of
projects and, optionally, additional folders
under the relevant folder

68
Questions ?

federico.fregosi@contino.io https://www.linkedin.com/in/federico-fregosi/