
Is there an alternative to AWS’s security groups in the Google Cloud Platform?

Following is the situation which I have:

  1. A Basic Node.js server running in Cloud Run as a docker image.
  2. A Postgres SQL database at GCP.
  3. A Redis instance at GCP.

What I want to do is make a ‘security group’ of sorts so that my Postgres SQL DB and Redis instance can only be accessed from my Node.js server and nowhere else. I don’t want them to be publicly accessible via an IP.

What we do in AWS is that only services that are part of a security group can access each other.

I’m not very sure but I guess in GCP I need to make use of Firewall rules (not sure at all).

If I’m correct could someone please guide me as to how to go about this? And if I’m wrong could someone suggest the correct method?

3 Answers


  1. Chosen as BEST ANSWER

    Thanks @amsh for the solution to the problem. But there were a few more things that were required to be done, so I guess it'll be better if I list them out here in case anyone needs them in the future:

    • Create a VPC network and add a subnet for a particular region (e.g. us-central1).
    • Create a VPC connector from the Serverless VPC Access section for the created VPC network in the same region.
    • In Cloud Run add the created VPC connector in the Connection section.
    • Create the PostgreSQL and Redis instance in the same region as that of the created VPC network.
    • In the Private IP section of these instances, select the created VPC network. This will create a Private IP for the respective instances in the region of the created VPC network.
    • Use this Private IP in the Node.js server to connect to the instance and it'll be good to go.

    Common Problems you might face:

    • Error while creating the VPC Connector: Ensure the IP range of the VPC connector and the VPC network do not overlap.

    • Different regions: Ensure all instances are in the same region as the VPC network, else they won't connect via the Private IP.

    • Avoid changing the firewall rules: The firewall rules must not be changed unless you need them to perform differently than they normally do.

    • Instances in different regions: If the instances are spread across different regions, use VPC network peering to establish a connection between them.
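    The steps listed above, scripted with gcloud as an added example (not the answer author's code and not an official Google sample). The project id, the network, subnet, connector, instance and image names, and the address ranges are placeholders I have assumed; the private-services-access step (the reserved address plus `services vpc-peerings connect`) is my assumption of what the console does for you when you pick the network in the Private IP section. The `cidr_overlaps` check implements the first "common problem" so the connector range is validated before anything is created.

```shell
#!/bin/sh
# Added example (not the answer author's code): the private-IP setup from the
# steps above, driven by gcloud. Every name, range and image is an assumed
# placeholder. DRY_RUN=1 (the default) only prints the commands; DRY_RUN=0 runs them.
set -eu

PROJECT=${PROJECT:-my-project}                 # assumed project id
REGION=us-central1                              # everything lives in one region
NETWORK=app-vpc
SUBNET=app-subnet
SUBNET_RANGE=10.0.0.0/24
CONNECTOR=app-connector
CONNECTOR_RANGE=10.8.0.0/28                     # the connector needs its own /28
SQL_INSTANCE=app-pg
REDIS_INSTANCE=app-redis
SERVICE=app-api
IMAGE=${IMAGE:-gcr.io/$PROJECT/app-api:latest}  # assumed container image

# Run a gcloud command, or just print it in dry-run mode.
gc() {
  if [ "${DRY_RUN:-1}" = 1 ]; then printf 'gcloud %s\n' "$*"; else gcloud "$@"; fi
}

# Like gc() but returns the command's stdout (a fixed placeholder when dry-running).
gc_capture() {
  if [ "${DRY_RUN:-1}" = 1 ]; then printf 'gcloud %s\n' "$*" >&2; echo PLACEHOLDER; else gcloud "$@"; fi
}

# Dotted-quad IPv4 address -> integer.
ip_to_int() {
  set -- $(printf '%s\n' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Exit status 0 if the two CIDR blocks overlap, 1 if they are disjoint.
cidr_overlaps() {
  net1=${1%/*}; len1=${1#*/}; net2=${2%/*}; len2=${2#*/}
  shortest=$(( len1 < len2 ? len1 : len2 ))
  mask=$(( (0xffffffff << (32 - shortest)) & 0xffffffff ))
  [ $(( $(ip_to_int "$net1") & mask )) -eq $(( $(ip_to_int "$net2") & mask )) ]
}

# "Error while creating the VPC Connector": catch the overlap before gcloud does.
check_ranges() {
  if cidr_overlaps "$CONNECTOR_RANGE" "$SUBNET_RANGE"; then
    echo "connector range $CONNECTOR_RANGE overlaps subnet $SUBNET_RANGE" >&2
    return 1
  fi
}

setup_all() {
  check_ranges
  # VPC network with a regional subnet, then the Serverless VPC Access connector.
  gc compute networks create "$NETWORK" --subnet-mode=custom
  gc compute networks subnets create "$SUBNET" --network="$NETWORK" --region="$REGION" --range="$SUBNET_RANGE"
  gc compute networks vpc-access connectors create "$CONNECTOR" --network="$NETWORK" --region="$REGION" --range="$CONNECTOR_RANGE"
  # Private services access (assumption: the console does this when you select the
  # network in the Private IP section; on the CLI it has to be done explicitly).
  gc compute addresses create "google-managed-services-$NETWORK" --global --purpose=VPC_PEERING --prefix-length=16 --network="$NETWORK"
  gc services vpc-peerings connect --service=servicenetworking.googleapis.com --ranges="google-managed-services-$NETWORK" --network="$NETWORK"
  # Cloud SQL and Memorystore in the same region, private IP only (no public address).
  gc sql instances create "$SQL_INSTANCE" --database-version=POSTGRES_14 --tier=db-f1-micro --region="$REGION" --network="projects/$PROJECT/global/networks/$NETWORK" --no-assign-ip
  gc redis instances create "$REDIS_INSTANCE" --region="$REGION" --size=1 --network="projects/$PROJECT/global/networks/$NETWORK"
  # Read the private addresses and hand them to Cloud Run, which egresses through the connector.
  sql_ip=$(gc_capture sql instances describe "$SQL_INSTANCE" --format='value(ipAddresses[0].ipAddress)')
  redis_ip=$(gc_capture redis instances describe "$REDIS_INSTANCE" --region="$REGION" --format='value(host)')
  gc run deploy "$SERVICE" --image="$IMAGE" --region="$REGION" --vpc-connector="$CONNECTOR" --vpc-egress=private-ranges-only --set-env-vars="PGHOST=$sql_ip,REDIS_HOST=$redis_ip"
}

setup_all
```

    With DRY_RUN unset the script only prints the plan; run it with DRY_RUN=0 against an authenticated gcloud to apply it. It never touches the default firewall rules, in line with the advice above, and with `--no-assign-ip` the Cloud SQL instance has no public address at all, so the only route to it is from inside the VPC.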


  2. GCP has firewall rules for its VPC that work similarly to AWS Security Groups. More details can be found here. You can place your PostgreSQL database, Redis instance and Node.js server inside a GCP VPC.

    • Make Node.js server available to the public via DNS.
    • Set the default-allow-internal rule, so that only the services present in the VPC can access each other (halting public access to the DB and Redis).

    As an alternative approach, you may also keep all three servers public and only allow Node.js IP address to access DB and Redis servers, but the above solution is recommended.

  3. Security groups inside AWS are instance-attached firewall-like components. So for example, you can have an SG at the instance level, similar to configuring iptables on regular Linux.

    On the other hand, Google Firewall rules are more at the network level. I guess, for the level of "granularity", I’d say that Security Groups can be replaced at instance-level granularity, so then your alternatives are to use one of the following:

    • firewalld
    • nftables
    • iptables

    The thing is that in AWS you can also attach security groups to subnets. So SGs, when attached to subnets, are also kind of similar to Google firewalls; still, security groups provide a bit more granularity since you can have different security groups per subnet, while in GCP you need to have a firewall per network. At this level, protection should come from firewalls in subnets.
