CI/CD in a private network
1. CI/CD in a private network
CI/CD is rarely an isolated process. CI/CD tools integrate with source code, artifact repositories, runtimes, and other services to automate developer workflows. Most enterprise organizations have resources running in a private network, like in a VPC, on premises, or on another cloud provider. If those resources are behind a firewall, Cloud Build cannot securely access them unless access is opened in the firewall, and it is advised that you do not take this approach. So how do you deploy CI/CD tools on a private network?

Cloud Build and Cloud Deploy offer two modes for running worker pools in Google Cloud: shared and private. Shared pools are global and can access the internet. Private pools are regional and run in a peered VPC network. Both are fully managed and share the same APIs. Cloud Deploy uses the Cloud Build backend for rendering and deployment. The user interface, or CLI tools, act as the control plane, but the actual execution occurs in Cloud Build. This is important, because all features available to Cloud Build are applicable to Cloud Deploy.

Private pools are controllable, scalable, and secure. By placing the CI/CD worker pool within a peered VPC and implementing Service Perimeter controls, you restrict deployments to your clusters to a defined set of private IP addresses, enhancing security. You can specify the types of machines that will perform the build process, keep a warm pool of machines to avoid long queue times, and scale to over 100 concurrent builds. Finally, if you have data locality requirements, private pools are a great option, because you can choose the country to run your CI/CD pipelines in. Notice also that Cloud Build provides integrations with other platforms, like GitHub Enterprise or Artifactory, so you can continue using your existing tooling.

Let's examine how to configure private pools in Google Cloud. Private pools are hosted in a Google-owned VPC network, called the Service Producer Network.
When configuring private pools, you can either use a private connection to the service producer network, or use the service producer network directly. With a private connection, you peer your VPC with Google's network so the pool communicates with your VPC resources over private IP addresses. If you choose not to peer your networks, the private pool will use a public endpoint to communicate with your VPC resources. If you only need to configure machine types and sizes, or deploy in a specific region, it is not necessary to configure the network, and you can use the Service Producer Network directly.

To configure a private pool, the first step is to enable communication through private IP addresses by connecting the networks. For private GKE clusters, create a VPC network in your project, then allocate a unique CIDR range for Google's service producer network, ensuring it does not conflict with your existing subnet ranges. Using the reserved CIDR range, create VPC peering between your VPC and Google's service producer network. Regardless of whether you created the peering, the next step is to create the private pool on Google's service producer network by writing a configuration file that specifies the type of egress, whether it should use a peered connection, and the configuration for the worker nodes, like the disk size and machine type. When the file is ready, run the gcloud builds worker-pools create command to build the private pool in the selected region. Now you can start a new build with a Git trigger, or by manually specifying the worker pool in a flag. You can monitor progress in the Google Cloud console.

Cloud Deploy runs within Cloud Build, allowing you to choose the workerPool it uses. There are two key configuration options. First, you can specify whether Cloud Deploy should use the same workerPool as your Cloud Build pipeline.
Second, you can determine whether the chosen pool applies to both the render and deploy stages, or only one of them.
2. Let's practice!
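The procedure above (reserve a CIDR range, peer it with the service producer network, write the pool configuration, create the pool, and point a Cloud Deploy target at it) as shell functions. This is an added example, not code from the course; the project, network, region, pool and cluster names and the 192.168.0.0/20 range are placeholders, and the gcloud steps only run when APPLY=1 is set.

```shell
#!/bin/sh
set -eu
PROJECT_ID="${PROJECT_ID:-my-project}"     # placeholder project
NETWORK="${NETWORK:-cicd-vpc}"              # VPC you created in your project
REGION="${REGION:-europe-west1}"            # region chosen for data locality
POOL_NAME="${POOL_NAME:-private-pool}"
RANGE_NAME="${RANGE_NAME:-cloudbuild-peering-range}"

# Step 1: reserve a CIDR block for Google's service producer network and peer
# it with the VPC. The block must not overlap any existing subnet range.
reserve_and_peer() {
  gcloud compute addresses create "$RANGE_NAME" --global --purpose=VPC_PEERING \
    --addresses=192.168.0.0 --prefix-length=20 --network="$NETWORK" --project="$PROJECT_ID"
  gcloud services vpc-peerings connect --service=servicenetworking.googleapis.com \
    --ranges="$RANGE_NAME" --network="$NETWORK" --project="$PROJECT_ID"
}

# Step 2: the pool configuration file: peered connection, no public egress
# (workers reach private IPs only), and the worker machine/disk sizing.
write_pool_config() {
  cat > "$1" <<EOF
privatePoolV1Config:
  networkConfig:
    egressOption: NO_PUBLIC_EGRESS
    peeredNetwork: projects/$PROJECT_ID/global/networks/$NETWORK
  workerConfig:
    machineType: e2-standard-4
    diskSizeGb: 100
EOF
}

# Step 3: create the pool in the selected region from that file.
create_pool() {
  gcloud builds worker-pools create "$POOL_NAME" --region="$REGION" \
    --project="$PROJECT_ID" --config-from-file="$1"
}

# Cloud Deploy target: run both the render and deploy stages on the private
# pool (remove DEPLOY from usages to apply the pool to the render stage only).
write_deploy_target() {
  cat > "$1" <<EOF
apiVersion: deploy.cloud.google.com/v1
kind: Target
metadata:
  name: prod
gke:
  cluster: projects/$PROJECT_ID/locations/$REGION/clusters/prod-cluster
executionConfigs:
- usages: [RENDER, DEPLOY]
  workerPool: projects/$PROJECT_ID/locations/$REGION/workerPools/$POOL_NAME
EOF
}

if [ "${APPLY:-0}" = 1 ]; then
  reserve_and_peer; write_pool_config pool.yaml; create_pool pool.yaml
  write_deploy_target target.yaml; gcloud deploy apply --file=target.yaml --region="$REGION"
fi
```

A build can then be sent to the pool with `gcloud builds submit --worker-pool=projects/$PROJECT_ID/locations/$REGION/workerPools/$POOL_NAME`, or the same path can be set as `options.pool.name` in a trigger's build config.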