Securing and Integrating Components of your Application on GCP
07 August 2020
Google Cloud Platform (GCP) is built on a foundation of strong security: secure hardware infrastructure, storage services, identity services, and network communications together offer a secure and reliable architecture. Building a complex web application on GCP still leaves you with many resources and services to manage, so GCP provides tools to manage them and to distribute services among team members. As the complexity of a web application grows, GCP lets you split it across a microservice-based architecture so that you can manage, debug, and fix issues more easily. In a microservice-based application you then need to integrate all of the microservices, and this post covers the GCP services that help you do that securely.
Things to be discussed
- IAM handling authentication and authorization
- OAuth 2.0, IAP & Firebase Authentication
- Cloud Pub/Sub
- Adding Intelligence to your Application
- Cloud Function
- Cloud Endpoints
IAM handling authentication and authorization
Using GCP's Identity and Access Management (IAM), we can create IAM members and grant them roles, i.e. the permissions they need for particular operations.
Types of IAM members:
- Google account: a normal Gmail account.
- Service account: an account attached to resources so that they can make authorized API calls.
- Google group: a named collection of Google accounts and service accounts.
- G Suite domain: a virtual group for the members of an organization.
- Cloud Identity domain: also a virtual group for the members of an organization, but without access to G Suite apps.
Roles and policies:
- A role is a collection of permissions.
- Permissions granted to IAM members through a role are named <service>.<resources>.<verb>.
- Primitive roles are defined at the project level.
- Predefined roles give granular access to GCP resources.
- A Cloud IAM policy is defined by a policy object; the policy consists of a list of bindings, and each binding binds a list of members to a role.
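To make the binding structure concrete, here is an added example (not code from the original post) that audits a constructed IAM policy object for bindings that violate least privilege: primitive project-wide roles granted to service accounts, and roles granted to the public principals. The policy, member names and project name are all made up for illustration.

```javascript
// Added example (not from the original post): audit a Cloud IAM policy object.
// A policy is a list of bindings and each binding maps a list of members to one
// role, exactly as described above. The policy below is constructed for
// illustration; a real one comes from `gcloud projects get-iam-policy`.
const PRIMITIVE_ROLES = new Set(['roles/owner', 'roles/editor', 'roles/viewer']);
const PUBLIC_MEMBERS = new Set(['allUsers', 'allAuthenticatedUsers']);

const samplePolicy = {
  bindings: [
    { role: 'roles/editor',
      members: ['user:alice@example.com',
                'serviceAccount:app@example-project.iam.gserviceaccount.com'] },
    { role: 'roles/pubsub.publisher',
      members: ['serviceAccount:orders@example-project.iam.gserviceaccount.com'] },
    { role: 'roles/viewer', members: ['group:auditors@example.com', 'allUsers'] },
  ],
};

// Roles bound to one member. Member strings carry a type prefix
// (user:, group:, serviceAccount:, domain:).
function rolesFor(policy, member) {
  return policy.bindings.filter(b => b.members.includes(member)).map(b => b.role);
}

// All distinct members of a given type, e.g. every service account in the policy.
function membersOfType(policy, prefix) {
  const found = new Set();
  for (const b of policy.bindings) {
    for (const m of b.members) if (m.startsWith(prefix)) found.add(m);
  }
  return [...found];
}

// Flag two common problems: a primitive project-wide role on a service account
// (a predefined role such as roles/pubsub.publisher is the least-privilege
// choice) and any role granted to a public principal.
function findings(policy) {
  const out = [];
  for (const b of policy.bindings) {
    for (const m of b.members) {
      if (PUBLIC_MEMBERS.has(m)) {
        out.push({ member: m, role: b.role, issue: 'role granted to public principal' });
      } else if (PRIMITIVE_ROLES.has(b.role) && m.startsWith('serviceAccount:')) {
        out.push({ member: m, role: b.role, issue: 'primitive role on service account' });
      }
    }
  }
  return out;
}
```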
Use a service account to authenticate your application when invoking Google APIs:
We can use Application Default Credentials (ADC) to authenticate applications to Google APIs. ADC looks for credentials in the following order:
- It checks for the GOOGLE_APPLICATION_CREDENTIALS environment variable.
- It checks for a default service account.
- If neither of the above is found, an error is thrown.
When the variable is set, ADC uses the service account key file it points to. If the variable isn't set, ADC uses the default service account that Compute Engine, Container Engine, App Engine, and Cloud Functions provide, assuming your application runs on one of those services. If neither the environment variable nor a default service account can be found, an error occurs.
OAuth 2.0, IAP & Firebase Authentication
Firebase can be used to authenticate and authorize the users of your application, and OAuth 2.0 to access resources on behalf of a user with an OAuth token.
OAuth 2.0 use cases include:
- The application needs to access Google BigQuery datasets that belong to the user.
- The application needs to authenticate as a user to create projects on their behalf.
Cloud Identity-Aware Proxy (IAP):
- Verifies a user's identity.
- Helps you control access to your cloud applications running on GCP.
- Lets you apply application-level access control instead of relying on network-level firewalls.
- Determines whether that user should be allowed to access the application.
- Users → IAP (identity check) → ERP (enterprise resource planning) or CRM (customer relationship management) application
- Precautions: configure the firewall and load balancer so that traffic cannot reach the application without passing through IAP. Use signed headers or the App Engine standard environment Users API to verify in the application that a request really came through IAP.
Use the Firebase SDK to authenticate application users. Here, the Firebase backend services verify the credentials and return a response to the client.
Adding user authentication to your application:
- Register a GCP project with Firebase.
- Add the Firebase configuration to the client-side web application.
Cloud Pub/Sub
Cloud Pub/Sub is a fully managed real-time messaging service that enables you to build loosely coupled microservices that communicate asynchronously.
- You can use Cloud Pub/Sub to integrate the components of your application.
- Cloud Pub/Sub is a key component of GCP's streaming data pipeline.
- Cloud Pub/Sub can rapidly ingest large amounts of data and deliver it reliably to Cloud Dataflow and BigQuery for data processing and analytics.
Ingest (Cloud Pub/Sub) → Transform (Cloud Dataflow) → Analyse (BigQuery)
Use cases include:
- Gaming applications.
- Stream data ingestion and processing.
- Device or sensor data processing for healthcare and manufacturing.
- Integrating various data sources in financial applications.
Cloud Pub/Sub Concepts:
In Cloud Pub/Sub, an application that publishes messages is called a publisher. A publisher sends a message to a topic. To receive messages, a subscriber application creates a subscription to a topic. A subscriber can use either the push or the pull method for message delivery.
Publisher → [Topic → Subscription in Cloud Pub/Sub] → Subscriber
Cloud Pub/Sub acts as a buffer to handle spikes in data volume.
Use the pull subscription model when you need to process a very large volume of messages with high throughput. In the push subscription model, Cloud Pub/Sub sends each message as an HTTP request to the subscriber at a pre-configured HTTP endpoint. The push endpoint can be a load balancer or a GAE standard application.
You have a choice of execution environments for subscribers, e.g. Cloud Functions and Cloud Dataflow, with which you can develop highly scalable subscribers.
You can also deploy subscribers on Google Compute Engine, Google Kubernetes Engine (GKE) or the Google App Engine (GAE) flexible environment and autoscale them based on Stackdriver metrics.
Cloud Pub/Sub Use cases:
Take the inventory service of an e-commerce application as an example; it uses Cloud Pub/Sub to build loosely coupled microservices:
Publisher order service → Topic orders → Subscription → Subscriber inventory service
Use Cloud Pub/Sub to fan out messages from one publisher to multiple subscribers, e.g.:
Publisher order service → Topic orders → Subscription for inventory service → Subscriber inventory service
Publisher order service → Topic orders → Subscription for payment service → Subscriber payment service
Cloud Pub/Sub can deliver a message more than once, so publish messages that contain a unique ID; subscribers that write to Datastore and BigQuery can then use that ID to detect and discard duplicates.
For scalability, reduce or eliminate dependencies on message ordering.
If a subscriber must know the order in which messages are processed, it tracks that order itself (e.g. in Cloud Datastore) and watches the oldest-unacknowledged-message metric in Cloud Monitoring.
Adding Intelligence to your Application
Here you can add Google's pre-trained machine learning APIs to your application.
Use pre-trained ML models:
- Vision API (complex image analysis)
- Speech API (speech to text, e.g. gtts)
- Video Intelligence API (search video files)
- Translation API (translator)
- Natural Language API (text analysis, e.g. people, places and events)
Use your own data to train models:
- Cloud ML Engine
Cloud Function
For event-driven processing you can use Cloud Functions. With Cloud Functions you can build a serverless microservice architecture that is highly scalable. Cloud Functions can have synchronous (HTTP) and asynchronous (background) triggers.
Writing, deploying and monitoring a Cloud Function:
In a background function:
- It takes an event and a callback function as input parameters. For Node.js it is written in the index.js file.
- Dependencies are specified in a package.json file.
In an HTTP function:
- It takes request and response objects as input parameters.
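The following added example (not code from the original post) ties the Cloud Pub/Sub guidance above (unique message IDs, duplicate handling, the inventory subscriber) to the background function shape just described: a Node.js function with the (event, callback) signature that applies order messages to an inventory idempotently. The message field layout, the in-memory stores and the sample orders are assumptions made for illustration.

```javascript
// Added example (not code from the original post): a Node.js background function
// for the "orders" subscription of the inventory service. Pub/Sub can deliver a
// message more than once, so the order service publishes a unique id in each
// message and the subscriber records the ids it has already applied.
// processedIds and inventory are in-memory for illustration; in production
// they would live in a shared store such as Datastore, as the post suggests.
const processedIds = new Set();
const inventory = { 'sku-1': 10 };

// The Pub/Sub message payload arrives base64-encoded in message.data (assumed layout).
// Validate the shape before acting on it: a malformed message must not be applied.
function decodeOrder(message) {
  const order = JSON.parse(Buffer.from(message.data, 'base64').toString('utf8'));
  if (typeof order.id !== 'string' || typeof order.sku !== 'string' ||
      !Number.isInteger(order.qty) || order.qty <= 0) {
    throw new Error('malformed order message');
  }
  return order;
}

// Returns 'applied', 'duplicate' or 'insufficient' so callers can see the outcome.
function applyOrder(message) {
  const order = decodeOrder(message);
  if (processedIds.has(order.id)) return 'duplicate';      // redelivery: never decrement twice
  if ((inventory[order.sku] || 0) < order.qty) return 'insufficient';
  inventory[order.sku] -= order.qty;
  processedIds.add(order.id);                               // record only after a successful apply
  return 'applied';
}

// Background function signature from the post: (event, callback). event.data is
// the Pub/Sub message. Calling callback() without an error acknowledges the
// message; passing an error leaves it unacknowledged for redelivery.
// In a real deployment this function would be exported from index.js.
function inventorySubscriber(event, callback) {
  try {
    callback(null, applyOrder(event.data));
  } catch (err) {
    callback(err);
  }
}

// Builds a constructed Pub/Sub message the way the order service would publish it.
function encodeOrder(order, messageId) {
  return { messageId, data: Buffer.from(JSON.stringify(order)).toString('base64') };
}
```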
Cloud Endpoints
Google Cloud Endpoints is used to deploy and manage APIs. It provides:
- Interface definition (OpenAPI / gRPC API).
- Authentication and authorization (service-to-service authentication; user authentication using Firebase, Auth0, and Google authentication).
- Management and scalability (Extensible Service Proxy, Service Management, Service Control).
- Logging and monitoring (Stackdriver Logging, Stackdriver Trace).
Cloud Endpoints for REST APIs
The Service Management API (the API config is registered there at deployment), the Service Control API (requests are checked against the API config at runtime), and the Extensible Service Proxy (which sits in front of the API backend) form the core of Cloud Endpoints.
By using these services offered by Google Cloud Platform (GCP), you can create, secure, and integrate your web applications. They help you build microservice-based applications instead of monolithic web applications, so that you can manage, debug, and secure each part more easily.