Placement of Serverless resources in Architecture diagram

1. I am using the following serverless resources in my solution design: Cloud Storage, Cloud Dataflow, BigQuery and Cloud Composer. I believe BigQuery and Cloud Storage (GCS bucket) are PaaS-model services that need not be part of any VPC network. They are associated with a region, are accessible using API endpoints, and do not have any IP address. Whereas resources/services like Cloud Dataflow and Cloud Composer have to be associated with some VPC network when you configure them.

2. In order to access these services from your "GCP Project" on an internal network you need to enable "Private Google Access" on your subnet!

If my above statements are correct, where and how should I represent these resources in the architecture diagram? I assume they are not part of my Shared VPC network (host project) or service project, or a Google-managed VPC? They must be part of the overall global VPC, though!

I show resources like GCP Compute and NLBs in the internal-zone project VPC, and CloudSQL-like services in the Google-managed VPC, but I could not figure out these serverless services. Please advise.


Either no one is using a solution design document, or there is no need for an architecture diagram that depicts the complete picture.

Hello @avindia

I understand that you would like to know the placement of serverless resources in the architecture diagram when using Private Google Access (PGA). Please correct me if I misunderstood.

Yes, you are correct. They are not part of the VPC network (host project) or service project, as the serverless resources you have mentioned are Google APIs and services. Please refer to this document for more information related to the architecture diagram.
Private Google Access (PGA) allows VM instances in a Virtual Private Cloud (VPC) network to reach Google APIs and services using internal IP addresses rather than external IP addresses. This feature ensures that traffic between VMs and Google services stays within Google's network, enhancing security and reducing latency.

  • PGA allows you to access Google services such as Cloud Storage and BigQuery from within a VPC securely.
  • PGA allows VM instances to access Google APIs and services using internal IP addresses, ensuring traffic stays within Google’s network.

I hope the above provided information is helpful. 

Thanks & Regards,
Manish Bavireddy.
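As an added illustration of the placement question (this is example Terraform written for this thread, not configuration from the original post or from Google's documentation), the split looks like this in infrastructure-as-code: the subnet with Private Google Access is a resource inside the client-owned VPC, the Dataflow workers and the Composer environment are pinned to that subnet and so draw internal IPs from it, while Cloud Storage and BigQuery appear only as API targets with no network attachment. All names, the region, the CIDR range and the bucket are assumptions; the Dataflow template path is Google's public Word_Count sample template.

```hcl
# Added example: which pieces of a "serverless" design live inside the
# client's VPC and which do not. Names, region and CIDR are assumptions.

# Client-owned VPC in the (service) project. This is what goes in the
# "my VPC" box of the diagram.
resource "google_compute_network" "vpc" {
  name                    = "data-platform-vpc"
  auto_create_subnetworks = false
}

# The subnet is the only place Private Google Access is switched on.
# Without it, workers that have no external IP cannot reach
# storage.googleapis.com / bigquery.googleapis.com at all.
resource "google_compute_subnetwork" "serverless" {
  name                     = "serverless-subnet"
  region                   = "asia-southeast1"
  ip_cidr_range            = "10.10.0.0/24"
  network                  = google_compute_network.vpc.id
  private_ip_google_access = true
}

# Cloud Storage: a regional API resource. No network, no subnet, no IP.
# In the diagram it sits outside the VPC, reached via PGA.
resource "google_storage_bucket" "pipeline" {
  name     = "example-pipeline-bucket" # assumed name
  location = "ASIA-SOUTHEAST1"
}

# BigQuery: same story, an API-level resource with no VPC attachment.
resource "google_bigquery_dataset" "analytics" {
  dataset_id = "analytics"
  location   = "asia-southeast1"
}

# Cloud Dataflow: the job is an API object, but its workers are VMs that
# get internal IPs from the subnet above, so the workers belong in the
# VPC box. WORKER_IP_PRIVATE removes the external IPs, which is why PGA
# on the subnet is mandatory here.
resource "google_dataflow_job" "word_count" {
  name              = "word-count"
  region            = "asia-southeast1"
  template_gcs_path = "gs://dataflow-templates/latest/Word_Count"
  temp_gcs_location = "gs://${google_storage_bucket.pipeline.name}/tmp"
  network           = google_compute_network.vpc.name
  subnetwork        = "regions/asia-southeast1/subnetworks/${google_compute_subnetwork.serverless.name}"
  ip_configuration  = "WORKER_IP_PRIVATE"
  parameters = {
    inputFile = "gs://dataflow-samples/shakespeare/kinglear.txt"
    output    = "gs://${google_storage_bucket.pipeline.name}/output"
  }
}

# Cloud Composer: the GKE nodes behind the environment are placed in the
# client subnet, so the environment is drawn inside the VPC even though
# the Airflow control plane itself is Google-managed.
resource "google_composer_environment" "orchestration" {
  name   = "orchestration"
  region = "asia-southeast1"
  config {
    environment_size = "ENVIRONMENT_SIZE_SMALL"
    node_config {
      network    = google_compute_network.vpc.id
      subnetwork = google_compute_subnetwork.serverless.id
    }
    private_environment_config {
      enable_private_endpoint = true
    }
  }
}
```

The practical check on a running project is to confirm that the subnet used by Dataflow and Composer reports `privateIpGoogleAccess: true` (for example with `gcloud compute networks subnets describe serverless-subnet --region asia-southeast1`); if it is false and the workers have no external IP, reads from Cloud Storage and BigQuery fail even though every resource lives in the same project.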

Thanks Manish.

However, the architecture document you shared uses a VPC network, and the resources under it are IP-based (for example Compute Engine, Internet Gateways).

Take the example of GCP CloudSQL: to represent this we have to refer to a "Google Managed VPC", which is not owned or managed by the client. Also, CloudSQL does not come under my VPC network. In the same way, how should one show serverless services?

When I request a project workspace in the APAC region, my GCP admin gives me one project ID with a VPC network (maybe a service project). Now I can host my IP-based resources inside this VPC. If I want to use serverless services, I select the region, but I am not sure whether these services come under the same VPC. The services I launch do come under my GCP project, though!

Surprisingly, one of the Google images shows everything in a Shared VPC.

[attached image: SharedVPC.jpg]

I am still not able to find it, so it looks like I need to do more reading outside of Google.