Professional Documents
Culture Documents
Federico Fregosi Landing Zones On GCP How To Boostrap Your Google Cloud Platform Environment at Scale 2020 11-30-17!00!45
Federico Fregosi Landing Zones On GCP How To Boostrap Your Google Cloud Platform Environment at Scale 2020 11-30-17!00!45
Federico Fregosi Landing Zones On GCP How To Boostrap Your Google Cloud Platform Environment at Scale 2020 11-30-17!00!45
#whoami
Federico Fregosi
Current: Principal Consultant - Technical
Past:
federico.fregosi@contino.io
https://www.linkedin.com/in/federico-fregosi/
About Contino
Contino is a leading transformation consultancy that helps large, heavily-regulated enterprises to become fast,
agile and competitive.
3
Agenda
01 | Cloud Foundations
02 | Organization Structure & Resource Deployment
03 | Authentication & Authorization
04 | Networking
05 | Secrets Management
06 | Logging
07 | Operating Model
08 | FinOps - Billing
09 | Q&A
4
Why Do You Need Cloud Foundations?
Landing zones enable management of standardised GCP projects, which in turn control
your Virtual Private Clouds (VPCs) and consumption of GCP cloud services.
● Prevents Project Sprawl: Project provision can be managed as cloud engagement increases
● Minimises Engineering Overhead: Eliminating manual changes reduces complexity and enables
scalability and consistency
● Enables Scaling by Design: Management of services and infrastructure in public cloud is made
simple by the use of a well-designed landing zone
● Accelerates Consumption of Cloud Services: Allows for GCP projects to be provisioned with a
standard set of tooling and services
5
Core Features
GCP Core System Operational Security, privacy, and Reliability Performance and cost
Design Practices Excellence compliance optimisation
Aligned with “Best practices” and the 5 pillars of “Google Cloud's Architecture Framework” principles
6
What is a Landing Zone?
On-Prem
Quota Connectivity
Monitoring
Hybrid
Cloud Billing Logging
URL Organization
Filtering Policies
Log Security Compliance
Exports
SaaS
integrations SIEM
Resource Project
Integration
Deployment Factory Google
Kubernetes
CI/CD Secure
Secrets Engine
Baseline
Dns Hub
7
GitHub solutions
● https://github.com/terraform-google-mod
ules/terraform-google-project-factory
● https://github.com/terraform-google-mod
ules/terraform-example-foundation
● https://github.com/contino/terraform-gcp
-modules
● https://github.com/GoogleCloudPlatform
/cloud-foundation-toolkit
8
Organization
Structure
GCP Resource Management
10
GCP Resource Management
11
Cloud Resource Manager: Organization Hierarchy
The Common folder will include the following
baseline projects:
12
Organisation Policies
The Organization Policy Service constrains the allowed
resource configurations. Policies can be applied to the
Organisation, Folders, and Projects.
13
Organization Policy Hierarchy Evaluation
Create
Create Seed Leverage
Organization Create
Project using Project
based on your Landing Zone
CLI Factory
domain
Attach Billing
Administrator Project Vending
Account
Create Service
Account
Grant SA permission
Enable APIs
16
Project Factory
Inherit/Define
Create Service Logging & Event Threat
Organization Add Users to Group
Account Configuration Detection
Policies
Enable APIs
18
Operator Personas
&
User Personas Direct Console Application
Service Users
Users Users
App Application:
Automation Containers
Images
Central or
App Operator BYO RPMs
Service
Automation Managed Services:
Central or
VMs, Anthos, Databases, Pub/Sub
Service Operator BYO
19
Continuous Integration and Delivery on GCP
Google Cloud
environment(s)
Cloud
Functions
On-premise
Source
Cluster
Cluster
20
Application CI/CD - Supporting Services
Cloud Container
Cloud Build
Source Repos Registry
● Private Git repositories hosted on ● Hosted build execution on Google Cloud ● Hosted image repository
Google Cloud ● Build container images or non-container ● Push builds to Container Registry
● Easily perform Git operations required artifacts from Cloud Build
by your workflow ● Trigger new builds based on changes to ● Analyze images to
● Sync to existing GitHub or Bitbucket CSR or other repo ● Discover vulnerabilities
repo
Container
Spinnaker
Analysis API
● Open source, multi-cloud application ● Store, query, and retrieve critical
deployment platform metadata about software artifacts
● Built-in best practices for deployment ● Query all metadata across all of your
● Supports many deployment best practices components in real time
21
Implementing Changes
The toolkit encourages customers to collaborate on infrastructure through a
compliant and secure platform.
23
Authentication &
Authorization
Authentication & Authorization
In order to ensure a consistent and secure manner of accessing the cloud environment and the various resources
under the scope of the Landing Zone implementation, the following aspects will be considered and included in the
initial landing zone deployment.
Components
● Native user and group management: Cloud identity provides unified identity, access, app,
and endpoint management (IAM/EMM) platform.
● Active Directory integration and Single Sign-on (SSO): By leveraging Google Directory Sync,
we can map Active Directory forests, domains, users, and groups to Cloud Identity entities
● Roles and permissions: Standardised IAM roles and permission policies will be created to
satisfy the principle of least privilege.
25
Cloud Identity
Google
Cloud Identity
Cloud
Devices
26
Cloud Identity
Cloud
Manual
Identity
Users
APIs Groups
Cloud
IAM GCP
Resources
CSV Org Units
Upload
Users and groups created in Cloud Identity are the Google Identities that can be assigned IAM roles in the GCP console
The Cloud Identity roles only manage aspects of Cloud Identity such as user/group management, and are different from GCP roles
which manage permissions to cloud resources
27
Cloud Identity - Typical Architecture
Intranet SaaS
Legacy
IT Infra (LDAP)
Applications
Secure LDAP
IT Infrastructure
VPN
Secure LDAP
Radius
server
MS Infra, (Wifi AuthN)
Print, File,
Certificate
GCDS
Secure LDAP
Legacy Apps
(LDAP)
28
Active Directory Integration
29
Cloud Directory Sync Implementation
30
Authorization with IAM
Roles are a collection of permissions that may be assigned to users, groups and service accounts.
Permissions grant the ability to execute specific API calls, for example: compute.instances.create
Legacy Google Cloud roles More granular roles than Ability to create roles with a
that grant broader set of primitive, based on job specific permission set.
permissions function.
(Owner, Editor, Viewer).
31
Authorization with IAM
32
Best Practices
● Controlling Scopes
● CIS Benchmarks
● Using Service Accounts outside original
● NIST Cybersecurity Framework
project
33
Networking
Networking Considerations
Components
Support for
Shared VPC Network
private DNS
Architecture Security
35
Shared VPC - Introduction
Shared VPC allows an organization to connect resources from multiple projects to a common Virtual Private Cloud
(VPC) network, so that they can communicate with each other securely and efficiently using internal IPs from that
network.
Definition:
● Host Project: contains one or more Shared VPC
networks. A Shared VPC Admin must first enable a
project as a host project. After that, a Shared VPC
Admin can attach one or more service projects to it.
● Service Project: A service project is any project that
has been attached to a host project by a Shared
VPC Admin. This attachment allows it to participate
in Shared VPC. It's a common practice to have
multiple service projects operated and administered
by different departments or teams in your
organization.
36
Shared VPC
37
DNS - Hub-and-spoke model
38
Firewall Rules
Service account
Network
Allow/Deny
VM
Ingress rule IP range/CIDR VPC Firewall
Instances by tag
Target tag
Instance tag or service ● Stateful with connection
Service account account tracking
Ingress rule
● Distributed: enforced on
All instances in underlying host
network
Target tag
39
VPC Service Controls
Unauthorized
Service Perimeter client
Authorized VM to
Extend perimeter security to managed GCP Project GCP service
services
40
Connectivity Options
41
On-premises Connectivity
Cloud Interconnect Metro Area
Colo Facility
VPC
same project
10.140.1/24
us-west1 | 10.240.0/24 IA BGP ● 99.9% or 99.99% SLAs
169.254.68.51 169.254.68.53
10.130.1.2
depending on the architecture
Cloud ASN: 64513 ASN: 12345
Router
Google Peering Router 2 chosen
Edge - Zone 2
us-central1 | 10.250.0/24
42
Zero Trust
Networking
Access Context Manager - Access Levels
Context-Aware Access Suite of Products Attributes Policy Apps & Data
collects attributes and data Context of the user Define and apply Protect all critical
and request policies data
● Endpoint verification collects device
identity and security posture
Location
44
Identity-aware Proxy
Central enforcement
Access control
Deployment
45
Detective Controls
46
Cloud DLP (Data Loss Prevention)
Cloud Data Loss Prevention provides programmatic access to a powerful detection engine for PII Data
Redaction
Hashing or
tokenizing
47
Implementation
Cloud
BigQuery Datastore
Storage
Action: Output
Trigger Scan Detailed Findings
one time,
on schedule, etc.
BigQuery
Cloud DLP
Summary Findings
UI or API
Action: Output
Cloud Security
Command Center
48
Secrets
Management
Secret Manager
Supports
versioning
Follows
Principle of
Least Privilege
●
Global
Names and
Replication
Integrated with
Cloud KMS
Audit
Accessible from
Logging
Hybrid Environments
Strong
Encryption
50
Global Names and Regional Data
projects/my-project/secrets/my-secret
51
Key Management Comparison
Default CMEK
Role CSEK
Encryption via Cloud KMS
Supported Products
All BigQuery, Compute Engine, Cloud Storage, Dataproc, Compute Engine, Cloud Storage
Dataflow, Kubernetes Engine, Cloud SQL
Data Encryption
None Low Medium (GCE,GCS)
Effort
52
Logging
Stackdriver
● Endpoint checks ● Filter, search, and ● Built on the same ● Google Cloud
to internet-facing view systems that Platform, Amazon
services power Google’s Web Services,
● Define metrics, global Hybrid
● Uptime checks for dashboards, and infrastructure configuration
URLs, groups, or alerts
resources ● Unprecedented ● Combines metrics,
● Export to scale, logs, and metadata
● Plugins for many BigQuery, Google performance, and
major stacks Cloud Storage, and resiliency
(Apache, MySQL, Pub/Sub
CouchDB etc.)
54
Log Compliance
55
Security Logging
Log redirection
Custom fluentd
config
project: my-app
project: security
linked to jsonPayload: { linked to
“user”:”xxx”,
“group”:”yyy”,
“account”:”123”
}
Logging Logging
Cloud Operations Cloud Operations
Account 1 Account 2
56
Log Exports
Common Pattern
Dataset location
BigQuery
Bucket type
Log Object lifecycle (retention for objects)
export
Bucket lock (securing objects)
Cloud Storage
Stackdriver
Logs An organization-level log sink
Logging
aggregates logs on the Log streaming (integration with log
analysis tools)
organization level.
Acknowledgement deadline for the
subscriber
Cloud Pub/Sub
57
Security Information and Event Management
Organization can export their logs to a third party SIEM solution
Integration through
● Agents @ SIEM side
● Add-on or connector
Example integrations
● Splunk
Add-on for Google Cloud
● Elasticsearch
Cloud Pub/Sub -> Logstash|Beats -> ES -> Kibana
● Sumo Logic
Cloud Pub/Sub -> API webhook -> Sumo
● ArcSight
FlexConnector for REST
58
Cloud Logging
59
Alerting
Project Static thresholds
Policy
Stackdriver
Virtual Machines Monitoring
Notification
channels SMS
Signal
60
FinOps - Billing
FinOps - Billing
Billing accounts are payment vehicles for your Google Cloud spend.
They come in two types:
Offline Online
62
FinOps - Billing
Billing account
● Use Project Factory to
(IaC) provision
Billing export
projects and set billing
accounts
Credits applied
Project Factory ● Hierarchical
● Report on costs
Project Project
● Ensure budgets and
spend alerts are in
place to control spend
63
Operating Model
The Model Needs to Fit in the Wider Digital Context Product
Management
Software
Cloud
Delivery
Corporate
Key Points: Strategy
Finance IT
Sales
65
Elements of Cloud Operating Model
Cloud Processes:
Cloud Vision:
The chain of practices
Why are we leveraging Cloud Vision through which value is
cloud delivered
Cloud Processes - Value Delivery Chain
How our teams and Cloud Governance Cloud Metrics Measurement of cloud
people are organised use, consumption and
benefit
There is a Need to Transition to a New Shared
Responsibility Model
Functional Application 3rd Party
User Testing
Requirements Access Control Management
Customer
Application Infrastructure Performance
Business Case
Deployment Deployment Management
Patch Environment
Data Encryption Cost Management
Management Provisioning
Key Points: Vulnerable Prerequisite
Management Management
Services
Cloud Identities Transit Services Monitoring/Alertin Directory Services
Cloud
● Customer teams consume reusable g
Application
assets from central repository. Service Reusable laC Golden Image
Monitoring/Alertin
Management Modules Management
g
● Run responsibilities owned by your Shared/Reusable
company and partners Tooling
Provider
Compute Storage Databases Networking
Cloud
Regions Availability Edge Locations
67
Operating Model
Decentralized Centralized
Access to and control of Google Cloud is shared Access and control of Google Cloud is centrally
among developers and engineers across the controlled by Corporate IT or Operations.
company. Corporate IT has little to no involvement
● Administering the platform
with running the platform.
● Granting access to engineers and
● Corporate IT: Creation of folders, shared developers as required
services, and common configuration
● Developers and engineers: Creation of
projects and, optionally, additional folders
under the relevant folder
68
Questions ?
federico.fregosi@contino.io https://www.linkedin.com/in/federico-fregosi/