I read the hipaa doc from google, i'm no sure is the google cloud load balancer hipaa complince. google cloud hipaa
google says all the networks and regions are hipaa complince, i think this includes this products:
VPC
cloud DNS
cloud interconnect
cloud cdn
cloud load balancer
is this correct or i'm wrong?
I think it is because kubernetes engine uses cloud load balancer.
According to the documentation that you provided and in here network is covered by HIPAA.
"The Google Cloud BAA covers GCP’s entire infrastructure (all regions, all zones, all network paths, all points of presence)"
But lets not forget that you need to do your bit by securing the environment and applications that run on top of GCP, hence why it's called a shared security model.
Related
Does changing the network service tier for a project in Google Cloud change or otherwise interrupt existing, running network services such as load balancers and compute engine VMs or does it only apply to new things?
Documentation suggests the latter, but we don't want to mess with this setting without getting a definitive answer.
Does changing the network service tier for a project in Google Cloud
change or otherwise interrupt existing, running network services such
as load balancers and compute engine VMs?
Existing services will not be interrupted.
The network service tier affects how traffic is routed from the client into the Google Cloud Network. Premium Tier means that clients will connect to the closest entry point (POP) into Google's network.
This does not directly affect services but does affect routing and latency of traffic to services. I am not aware of any direct impact on your services in the cloud except for the pricing of network traffic.
If Premium Tier is not enabled some features are not available such as global IP addresses.
Always configure Premium Tier. There are no solid technical reasons to select Standard Tier.
I'm trying to create a multi-region Google Cloud Run setup and can't find any documentation.
My goal is creating an Google HTTPS Load Balancer and map the targets as my 3 Google Cloud Run instances.
https://lb.test.com/ >
eu.test.com > Europe Cloud Run
na.test.com > North America Cloud Run
sa.test.com > South America Cloud Run
Problem is, I can't find the option of mapping my HTTPS load balancer into my Cloud Run instances.
If this is not possible yet, can I use an external DNS LB such as AWS Route 53?
Thanks!
Mapping load balancer to cloud run is possible now. This can be achieved by creating NEGs (Network Endpoint Groups) which points to a cloud run service.
I have implemented this today, and came across this thread. To find out how to implement this follow instructions in
https://cloud.google.com/load-balancing/docs/negs/setting-up-serverless-negs#creating_the
I have recently published a guide on this on our official documentation: http://cloud.google.com/run/docs/multiple-regions
The solution involves adding the newly introduced "Serverless Network Endpoint Groups" as backends to your load balancer.
I do not think you can use a Google HTTPS Load Balancer to make cloud run service multiregional (HTTPS Load Balancer supports only compute engine vm as backend). Your question was very interesting and I did some research.
The only useful documents I found about this topic:
Running Multi-Region Apps on Google Cloud (Cloud Next '19).
Going Multi-Regional in Google Cloud Platform
They are explaining how you can make a cloud service multiregional using Apigee (some proxy servers HA Proxy, Nginx).
I configured a Cloud Armor policy however when I try to apply the policy to a new target the '+Add Target' button is disabled.
I understand that you can't apply the policy to a new target.
This should be related to your HTTP(S) Load Balancer, because Cloud Armor is used in conjunction with HTTP(S) Load balancer. See the below link for more details:
https://cloud.google.com/armor/docs/security-policy-concepts
Once you have a healthy load balancer, it should be available to be added to your cloud armor policy. Also, make sure that the Load balancer is not using CDN there are some limitations. Cloud Armor Security Policies and IP blacklist/whitelist are not supported for Cloud CDN in the Beta release. If you try to associate a Cloud Armor Security Policy for a backend service and Cloud CDN is enabled, the config will be rejected. Targets are Google Cloud Platform resources that you want to control access to. For the Beta release, you can only use non-CDN HTTP(S) load balancer backend services as targets.
Also, you can try to apply the policy using the gcloud command line tool, and check if it is working or not. See the link below for more insight on gcloud command line tool.
https://cloud.google.com/kubernetes-engine/docs/how-to/cloud-armor-backendconfig
We have all of our cloud assets currently inside Azure, which includes a Service Fabric Cluster containing many applications and services which communicate with Azure VM's through Azure Load Balancers. The VM's have both public and private IP's, and the Load Balancers' frontend IP configurations point to the private IP's of the VM's.
What I need to do is move my VM's to AWS. Service Fabric has to stay put on Azure though. I don't know if this is possible or not. The Service Fabric services communicate with the Azure VM's through the Load Balancers using the VM's private IP addresses. So the only way I could see achieving this is either:
Keep the load balancers in Azure and direct the traffic from them to AWS VM's.
Point Azure Service Fabric to AWS load balancers.
I don't know if either of the above are technologically possible.
For #1, if I used Azure's load balancing, I believe the load balancer front-end IP config would have to use the public IP of the AWS VM, right? Is that not less secure? If I set it up to go through a VPN (if even possible) is that as secure as using internal private ip's as in the current load balancer config?
For #2, again, not sure if this is technologically achievable - can we even have Service Fabric Services "talk" to AWS load balancers? If so, what is the most secure way to achieve this?
I'm not new to the cloud engineering game, but very new to the idea of using two cloud services as a hybrid solution. Any thoughts would be appreciated.
As far as I know creating multiregion / multi-datacenter cluster in Service Fabric is possible.
Here are the brief list of requirements to have initial mindset about how this would work and here is a sample not approved by Microsoft with cross region Service Fabric cluster configuration (I know this are different regions in Azure not different cloud provider but this sample can be of use to see how some of the things are configured).
Hope this helps.
Based on the details provided in the comments of you own question:
SF is cloud agnostic, you could deploy your entire cluster without any dependencies on Azure at all.
The cluster you see in your azure portal is just an Azure Resource Screen used to describe the details of your cluster.
Your are better of creating the entire cluster in AWS, than doing the requested approach, because at the end, the only thing left in azure would be this Azure Resource Screen.
Extending the Oleg answer, "creating multiregion / multi-datacenter cluster in Service Fabric is possible." I would add, that is also possible to create an azure agnostic cluster where you can host on AWS, Google Cloud or On Premises.
The only details that is not well clear, is that any other option not hosted in azure requires an extra level of management, because you have to play around with the resources(VM, Load Balancers, AutoScaling, OS Updates, and so on) to keep the cluster updated and running.
Also, multi-region and multi-zone cluster were something left aside for a long time in the SF roadmap because it is something very complex to do and this is why they avoid recommend, but is possible.
If you want to go for AWS approach, I guide you to this tutorial: Create AWS infrastructure to host a Service Fabric cluster
This is the first of a 4 part tutorial with guidance on how you can Setup a SF Cluster on AWS infrastructure.
Regarding the other resources hosted on Azure, You could still access then from AWS without any problems.
I have a Google Cloud Compute Engine Windows VPS. I wanted to know that if i try to upload files on Google Drive from VPS will it charge me network fees.
as per the chart below I thought it will not because google cloud VPS and Google Drive is from Google and utilizing other google services from VPS is free. Please tell me if i am wrong? just wanted to confirm
Yes, you are right.
Network Egress traffic to Google products (such as YouTube, Maps, Drive), whether from a VM in GCP with a public (external) IP addresses or private (internal) IP addresses has no charge
General network pricing.
I know it used to be a promotional price but now it's in the General network pricing list as 'No charge'.