A prestigious hospital/university in the Bay Area, with several hundred users and researchers and a large on-premise infrastructure, aimed to move its applications to the cloud for greater security, agility, scalability and high availability, to use managed services, and to automate operations. Biarca successfully moved all of the client’s applications to Google Cloud Platform (GCP), with the highest security, by leveraging GCP’s Cloud SQL, GCE, Kubernetes, VPN and networking features. Finally, Biarca performed functional, performance, auto-scaling and high availability (HA) testing of the GCP components to ensure that the solution was robust. Flux was used to automatically ensure that the state of the Kubernetes cluster matches the configuration supplied in Git. With this solution, the client obtained both CapEx savings, due to GCP’s low system resource costs, and OpEx savings, because GCP automates several resource management tasks.
The Challenge
The University had the following requirements for migrating its on-premise applications, such as health platform services, to the cloud:
- Re-architect existing stack, mapping to Google Cloud managed services where possible or to compute equivalents
- Create a detailed architecture design
- Bring up the entire stack on Google
- Perform functional and performance tests
- Test auto-scaling and HA across regions
- Make the solution highly secure
Customized Solution from Biarca
After careful study of the client’s application migration requirements, the Biarca team architected a solution involving the following components:
- Cloud SQL
- GKE Services
- Google VPC Networks
- Google Load Balancer
- Google SSL Policies
- Cloud Armor
- Cloud NAT
Google Cloud SQL is a fully managed database service that enables users to set up, maintain, manage and administer their relational databases on the Google Cloud Platform. Biarca installed and configured a Cloud SQL instance that requires SSL connections and has no public IP exposed. By requiring SSL connections, Biarca guaranteed that data in transit is encrypted. By disabling the public IP, Biarca guaranteed that the Cloud SQL instance is reachable only over its private IP from inside GCP and not from the Internet. The client’s existing database was migrated to GCP using a fault-tolerant migration option.
Google Kubernetes Engine (GKE) is a management and orchestration system for Docker containers and container clusters that run within Google’s public cloud services. Biarca installed and deployed all client applications on GKE services.
Biarca made sure that the cluster was private, with no public IP address assigned to the master node or to the GCE instances. Because the cluster is private, no one outside of GCP can access it. Firewall rules were also configured for the GKE instances to make sure that no unauthorized hosts or VMs can reach the cluster instances.
GKE also offers auto healing capabilities that enable the nodes in the group to be recreated as needed.
Different applications and workloads require different network connectivity solutions. Google supports multiple ways to connect your infrastructure to Google Cloud Platform.
For better security and network management control, Biarca created a new VPC network and subnet. This subnet is used to assign a unique IP address to each GCE instance. Firewall rules were also configured on this subnet to block unauthorized access to the instances in it.
Google load balancer is a Google-managed service that acts as a reverse proxy and distributes network or application traffic across a number of servers. An HTTPS load balancer encrypts traffic between the load balancer and the clients that initiate SSL or TLS sessions. Biarca created and configured an HTTPS load balancer for the health services so that clients access them only through a secured channel. Biarca also configured the firewall rules so that the backend health services accept incoming requests only from the load balancer’s IP ranges.
Google SSL Policies control how load balancers negotiate SSL/TLS with clients. For closer control over SSL/TLS versions and ciphers, policies can be created and attached to HTTPS and SSL load balancers. Biarca created SSL policies with a minimum TLS version of 1.2, so that clients connecting to the load balancer must use at least TLS 1.2, matching the server-side policies.
Google Cloud Armor delivers defense at scale against infrastructure and application distributed denial of service (DDoS) attacks by using Google’s global infrastructure and security systems.
Cloud NAT (network address translation) allows Google Cloud virtual machine (VM) instances without external IP addresses and private Google Kubernetes Engine (GKE) clusters to connect to the Internet.
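The hardening choices described above (private GKE cluster, private-IP-only Cloud SQL with SSL required, backend firewall limited to the load balancer's source ranges, TLS 1.2 minimum) expressed as a Terraform configuration. This is an added example, not Biarca's or the client's code; it assumes an existing VPC named "health-vpc" with a subnet "health-nodes", Private Service Access peering already set up for Cloud SQL, and placeholder values for region, CIDR ranges, port and resource names. The source ranges 130.211.0.0/22 and 35.191.0.0/16 are Google's documented ranges for external HTTP(S) load balancer proxies and health checks.

```hcl
# Added example; assumes VPC "health-vpc", subnet "health-nodes" and PSA peering exist.
data "google_compute_network" "vpc" { name = "health-vpc" }

# Private GKE cluster: no public IP on the nodes or on the control-plane endpoint.
resource "google_container_cluster" "health" {
  name       = "health-gke"
  location   = "us-west1"                      # placeholder region
  network    = data.google_compute_network.vpc.id
  subnetwork = "health-nodes"
  private_cluster_config {
    enable_private_nodes    = true
    enable_private_endpoint = true
    master_ipv4_cidr_block  = "172.16.0.0/28"  # placeholder control-plane range
  }
  ip_allocation_policy {}                      # VPC-native cluster (alias IPs)
}

# Cloud SQL: private IP only, TLS required on every client connection.
resource "google_sql_database_instance" "db" {
  name             = "health-db"
  database_version = "POSTGRES_14"
  region           = "us-west1"
  settings {
    tier = "db-custom-2-7680"
    ip_configuration {
      ipv4_enabled    = false                  # disables the public IP
      private_network = data.google_compute_network.vpc.id
      require_ssl     = true
    }
  }
}

# Backends accept traffic only from Google's LB proxy / health-check ranges.
resource "google_compute_firewall" "lb_to_backends" {
  name          = "allow-lb-to-health-backends"
  network       = data.google_compute_network.vpc.name
  source_ranges = ["130.211.0.0/22", "35.191.0.0/16"]
  target_tags   = ["health-backend"]           # tag applied to backend node pools
  allow {
    protocol = "tcp"
    ports    = ["8080"]                        # placeholder backend port
  }
}

# Client-facing TLS for the HTTPS load balancer: TLS 1.2 minimum.
resource "google_compute_ssl_policy" "tls12" {
  name            = "health-tls12"
  profile         = "MODERN"
  min_tls_version = "TLS_1_2"
}
```

The SSL policy still has to be referenced from the HTTPS target proxy, and with a private control-plane endpoint, kubectl access must come from inside the VPC (or an authorized network), which is what makes the master unreachable from the Internet.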
Customer Value Proposition
The solution that Biarca designed for migrating the client’s existing infrastructure to Google Cloud Platform had the following benefits:
- GKE cluster and instances are run in a fully managed environment. This reduces the burden on users for deploying, managing and scaling containerized applications. It also ensures high availability of services.
- Cloud SQL runs in GCP’s managed environment. Database operations like applying patches and updates, managing backups and configuring replication, etc. are automated. Users don’t need to worry about managing or maintaining the database and can fully focus on application development.
- The HTTPS load balancer ensures that client data is transferred only over an encrypted channel.
If you are looking for any additional information related to this case study, contact us.