We are excited to announce the preview of the Dev(Sec)Ops toolkit for global front-end internet-facing applications, which can help you launch new apps on Google Cloud in less than an hour. This toolkit is part of the recently announced Cross-Cloud Network solution to help customers scale and secure their applications.
The toolkit provides an out-of-the-box, expert-curated solution to accelerate the delivery of internet-facing applications. A sample application included in the toolkit demonstrates how customers can quickly integrate Cloud Load Balancing, Cloud Armor, and Cloud CDN according to the provided reference architecture. The toolkit supports deploying applications via Cloud Build or third-party CI/CD tools like Jenkins and Gitlab.
Using this toolkit, you can realize value from Google’s global compute and networking products without prior expertise in the individual components. The toolkit is delivered as a fully-formed Terraform example with composed submodules to enable easy customization.
Background
In today’s world, businesses need to be able to deploy changes quickly and reliably. Enterprises and cloud-focused organizations alike are rapidly adopting DevSecOps practices and tools to modernize the development, packaging, testing, deployment, operation and security of web applications. Businesses that adopt DevSecOps practices can simultaneously improve business agility, reduce costs, and increase the security posture of their infrastructure.
The near-universal goal for customers on this Dev(Sec)Ops journey is that a developer checks in code for a web service (web site, web app, or web based API), and then enables high-quality secure code to roll into production within hours. This is done through automation via CI/CD pipelines, without any additional manual intervention by other teams, compared to days or weeks for traditional approaches.
The Global Front End toolkit is launched as part of our new Cross-Cloud Network solution. The toolkit is being provided as part of the existing Web Application and API Protection blueprint, one of many Terraform-based blueprints that Google Cloud provides to accelerate customer implementation journeys. The toolkit is also compatible with the Security Foundations blueprint, which helps new Google Cloud organizations establish a secure baseline for all future workloads, including the setup of Identity and Access Management (IAM), Cloud Key Management (KMS), andCloud Security Command Center (SCC).
Architecture
The toolkit provides web services deployment and protection best practices, such as optimized configurations, high performance, flexible, and secure-by-default policies. The toolkit has the option of using multiple environments — ‘prd’ and ‘dev’ are given as examples.
The workloads are front-ended by our global front end for internet-facing applications using the External Application Load Balancer. The chosen backends are two Managed Instance Groups (MIGs), each one in a different region. The toolkit includes an example for traffic management that can be leveraged for canary development.
Google Cloud’s content delivery network, Cloud CDN, is also included in this toolkit. The Cloud CDN platform acts as a cache ahead of the origin load balancer to provide the full suite of CDN functionality, from QUIC and HTTP/2, through to routing and caching controls. This allows your application to reach global scale without compromising on performance, while reducing bandwidth and front-end compute costs. The default configuration leveraged by this toolkit is a subset of those documented in Cloud CDN’s Content delivery best practices and Web security best practices.
To protect against DDoS attacks and other types of threats, the toolkit uses Google Cloud Armor, Google Cloud’s DDoS Protection and WAF. The protection is divided into three parts: First, default protection against volumetric DDoS attacks (L3/L4). Second, Cloud Armor preconfigured WAF rules based on CRS3.3; the rules allow Google Cloud Armor to evaluate dozens of distinct traffic signatures by referring to conveniently named rules rather than requiring you to define each signature manually. Third, a basic configuration of edge security policy to filter and control access for content that is stored in cache.
Workflow
A user requests a web page from the External Application Load Balancer. The request is evaluated by Cloud Armor backend security policies before being distributed to one of the backend servers. The backend server retrieves the web page from the CDN if it is cached. If the web page is not cached, the backend server retrieves it from the application server and caches it for future requests. If the cache was used, the request is evaluated against the Cloud Armor edge security policy. Lastly, the backend server sends the web page to the user.
Traffic splitting is a built-in capability of our Application Load Balancers, and is often used to manage software versions by sending different users to different backend servers. In the example, there is a 60/40 simple traffic split that can be changed to create more complex traffic management schemes. For example, users who are using the latest version of the software can be sent to one backend server, while users who are using an older version of the software can be sent to another. This allows the application to be updated without disrupting service to users.
Get started
The full repository is accessible here. Configure your favorite CI/CD pipeline, clone the repository, and enjoy your Google Cloud hosted, global front-end, internet-facing application in less than an hour.