23. Manasa Chalasani, Google Cloud
Gargi Adhav, Google Cloud
NET205 Proactive Network Operations: Network Intelligence Center
24. Network Topology
Visualize your network so that you can monitor network health easily
● Reduce the amount of time spent on troubleshooting and monitoring network issues using visualization
● Navigate through complex network topologies with structure and insights through visualization of traffic flows
● Track topology evolution over time
26. Network Topology Use Cases
01 Network Monitoring: Understand topology, actual traffic flow, and proactively detect problem areas (e.g., are all my Asia users being served through GCE instances in Asia regions?)
02 Network Troubleshooting: Root cause analysis of network events, impact analysis, workflow support to reduce time spent (e.g., did the topology change during the time of the network event?)
03 Architecture Optimization: Understand architecture and network utilization to plan and drive optimizations (e.g., what’s contributing to my egress costs? Can this be optimized?)
04 Track Workload Migration: Utilize network topology to show progress as customers migrate their VMs to GCP. Compare with end-state.
05 Native SOC Audit Support: Export and submit a point-in-time topology for SOC audits without requiring export to 3rd-party tools
27. Performance Dashboard
01 Deliver Cloud Network SLI/SLOs that reflect customer experience
02 Provide users with intra-zone, inter-zone, inter-region, zone-to-Internet* VM-to-VM loss and latency SLIs
03 Visualization:
○ Via NIC dashboards
○ Via Network Topology
○ Via Cloud Monitoring
28. Live Google Cloud Inter-region Performance Dashboard
https://cloud.google.com/vpc/docs/vpc#network-performance
Inter-region performance metrics using open source PerfKit Benchmarker
Can be reproduced
29. Connectivity Tests
Ensure connectivity and prevent outages using on-demand connectivity diagnostics
The Problem:
● 75% of network outages and performance issues are the result of misconfiguration*
● Diagnose and root-cause connectivity issues such as those resulting from misconfiguration
● Understand impact of configuration changes on connectivity to prevent configuration errors from being discovered in production
*Source: https://blog.ipswitch.com/best-practices-in-network-configuration-and-change-management
31. Firewall Insights
Firewall Rules: Massive Volume, Overgranting, Human Error, Outdated Rules
Strengthen and Optimize Firewall Rule Configurations
1 Usage Metrics Visibility: Firewall rule hit count, last hit timestamp, Stackdriver export for custom dashboard and alerts
2 Shadowed Rule Detection: Automatic detection of firewall rules overshadowed by higher priority rules
3 Strengthen Firewall Control: Detect allow rules not in use and tighten up security boundary
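Shadowed rule detection as an added example, not from the slides or from Firewall Insights itself: a small Python check over a constructed rule set that reports every rule whose traffic is fully matched by a higher-priority rule, which is why the lower rule never takes effect. Rule names, priorities and ranges are constructed; it assumes IPv4 CIDRs and single-rule shadowing (a rule hidden only by the combination of several higher rules is not reported).

```python
# Added example (not from the slides): single-rule shadow detection over a
# constructed set of VPC-style firewall rules. Lower priority number wins, as
# in GCP; ranges are IPv4 CIDRs; a port of None means "all ports" for a protocol.
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int        # 0..65535, lower number is evaluated first
    direction: str       # "INGRESS" or "EGRESS"
    action: str          # "allow" or "deny"
    ranges: tuple        # CIDR strings: sources for ingress, destinations for egress
    ports: frozenset     # (proto, port) pairs; (proto, None) means every port


def covers(high: Rule, low: Rule) -> bool:
    """True if `high` is evaluated before `low` and matches every packet `low` matches."""
    if high.direction != low.direction or high.priority >= low.priority:
        return False
    highs = [ip_network(h) for h in high.ranges]
    # every range of the lower rule must sit inside some range of the higher rule
    if not all(any(ip_network(r).subnet_of(h) for h in highs) for r in low.ranges):
        return False
    return all((proto, None) in high.ports or (proto, port) in high.ports
               for proto, port in low.ports)


def shadowed_rules(rules):
    """Map each shadowed rule name to the higher-priority rules that hide it."""
    by_prio = sorted(rules, key=lambda r: r.priority)
    found = {}
    for low in by_prio:
        hits = tuple(h.name for h in by_prio if h is not low and covers(h, low))
        if hits:
            found[low.name] = hits
    return found


# Constructed sample rule set, not a real project configuration.
SAMPLE_RULES = (
    Rule("deny-ssh-from-internet", 500, "INGRESS", "deny", ("0.0.0.0/0",), frozenset({("tcp", 22)})),
    Rule("allow-all-internal", 1000, "INGRESS", "allow", ("10.0.0.0/8",), frozenset({("tcp", None), ("udp", None)})),
    Rule("allow-https-public", 1500, "INGRESS", "allow", ("0.0.0.0/0",), frozenset({("tcp", 443)})),
    # hidden twice: the broad deny blocks it, and the internal allow would admit it anyway
    Rule("allow-ssh-from-bastion", 2000, "INGRESS", "allow", ("10.1.2.0/24",), frozenset({("tcp", 22)})),
    # hidden by the higher-priority deny: SSH from the office never gets through
    Rule("allow-ssh-office", 3000, "INGRESS", "allow", ("203.0.113.0/24",), frozenset({("tcp", 22)})),
)

if __name__ == "__main__":
    for name, hidden_by in shadowed_rules(SAMPLE_RULES).items():
        print(f"{name} is shadowed by {', '.join(hidden_by)}")
```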
42. [Diagram: a Shopping cart client instance and two Payments server instances; each instance bundles business logic with non-business logic alongside the shopping cart code]
Holiday season – we need capacity!
46. [Diagram: the same Shopping cart client instance and Payments server instances, each still bundling business logic with non-business logic]
Holiday season – zero downtime!
47. [Diagram: Shopping cart client instances, a Support frontend client instance, Payments server instances and a Support backend server instance; data plane traffic passes through a Load Balancer acting as a middle proxy, where the non-business logic lives]
The good news: we've already solved this
48. [Diagram: Shopping cart instances, each with a sidecar proxy, sending data plane traffic to Payments server instances]
A new(ish) solution: dedicated, client-side load balancer
51. [Diagram: Region A and Region B with Service A client instances and Services A to D behind sidecar proxies; data plane traffic flows between services, while a control plane distributes proxy.conf to every sidecar over control plane traffic]
Make it real.
52. [Diagram: the same two-region topology; the control plane traffic (xDS) to the sidecar proxies now comes from Traffic Director]
Control plane as a service
54. Traffic Director: universal managed control plane
01 Global: Services on VMs and containers, in GCP, on-prem or other clouds
02 More than service mesh: Control plane for service mesh (sidecar proxies, application libraries) and load balancing
03 Programmable: Centralized networking based on policies
04 Control plane as a service: Managed service, backed by GCP with an uptime SLA
55. [Diagram: a Client reaches a Global Load Balancer on Google Cloud Platform; Traffic Director steers traffic to Retail frontend (Kubernetes Engine), Shopping cart (Compute Engine) and Payments (Compute Engine) deployed in both us-central1 and asia-southeast1]
Automatic failover for high availability
56. [Diagram: a Frontend on Compute Engine with a sidecar proxy; Traffic Director applies a traffic split policy of 95% to Prediction v1 and 5% to Prediction v2, both on Kubernetes Engine]
Traffic management for zero downtime deployments
57. [Diagram: a Client reaches Google Cloud Load Balancing (Global Anycast VIP, HTTPS termination, ...) with Cloud Armor and Cloud CDN; Traffic Director programs a Middle Proxy on Compute Engine that forwards to a Cloud service on Kubernetes Engine and, over VPN or Interconnect, to an On-Prem service on an On-Prem VM in the On-Prem Data Center]
Network edge services for GCP and non-GCP environments
New
59. Service Mesh: Managed Envoy on GCE
[Diagram: Frontend and Backend instances on Compute Engine, each with a Sidecar Proxy connected to Traffic Director]
GCE VM template: `--service-proxy enabled`
Installs Envoy connected to Traffic Director
No messing around with iptables
Simple rolling updates
Simplified service mesh adoption – the new way
New
60. Service Mesh: Proxyless gRPC
[Diagram: a gRPC client on Kubernetes Engine and a gRPC server on Compute Engine, both gRPC 1.30.0+, connected directly to Traffic Director without a proxy]
gRPC 1.30.0+ understands xDS, connects to Traffic Director
Simplified service mesh adoption – no proxy required
Service discovery and load balancing (more to come)
Simplified service mesh adoption – proxyless gRPC
New
61. Cloud OnAir
Service Mesh summary
- A service mesh lets you remove non-business logic from the application
- Traffic Director is not Istio-compatible; it supports managed Envoy and proxyless meshes
67. Cloud OnAir
- STO303 Dive-Deep on Compute Engine and Persistent Disk Data
Protection Capabilities
- STO101 Introduction and Best Practices for Cloud Storage
- OPS302 Monitoring as Code
Other recommended sessions
68. Cloud OnAir
Google Cloud Next ‘20: OnAir
Register for Google Cloud Next ’20: OnAir sessions here:
https://cloud.withgoogle.com/next/sf/japan