Видео

Very soon you gonna see variety of topics in one playlist for beginners.

@thecloudbaba8668 thank you sir awaiting for gcp projects

What do you mean ? Pls elaborate

Well technically load balancer received traffic from internet only .. if you want to stop traffic coming directly to your cloud run or cloud function then you can allow it only from the LB

In GCP, firewall rules don’t exactly override each other, instead, they combine based on priority and rule action (allow or deny) Generally it’s not a best practice to use both together. If you have critical and very sensitive server , go for service account based firewall rule and for generic use the tag based. Hope it answers your question

It’s simple. Use Apigee as internal load balancer when you configure it.. you configure you API so request can be forwarded to cloud function URL.. you can also use the PSC however you must configure your cloud function using cloud function NEG in ILB

Yes you can use psc but for simplicity peering seems to be a good option

I will make a video on this soon

You can think of PSC as private reserved resources becoz behind the scene it’s an ENI which takes your request privately in Google network to consume other services which is in different network.. Think of Private Service Connect as a VIP express lane that takes you directly from the airport to your terminal, bypassing the usual routes and ensuring a secure and efficient communication

@@thecloudbaba8668 thanks. So with that being said, what IP does PSC require to communicate with attachments and the wider network ? I thought it was using its own Nat range?

Private service connect is the solution.you don’t need to setup any vpn or something becoz cloud sql is owned by Google Cloud Vpc. Refer the following url cloud.google.com/sql/docs/mysql/configure-private-service-connect

@@thecloudbaba8668 actually you do need VPN, it's from VPC to VPC (project to project) and therefore you do need VPN. I was able to se it up and my mistake had been that my subnets were regional as oppose to global so the cloud router was only advertising regional routes to one another. Once I made both subnets global VPN created the routes

@@thecloudbaba8668 actually you do NEED VPN, the question is how you can get from one vpc to another (project to project) and gcp hosts your SQL and peers your VPC to that SQL endpoint but the other project's VPC can't get to this even if it's peered. The mistake I made was that the VPCs I created had a regional Routing Mode instead of Global. Once I set both VPCs to Global Routing, the HA VPN connection added the routes and I could get to the SQL endpoint from the other VPC

Well, the permission which you are looking for is in the error :) see carefully in the error. It’s starts with compute.regionNetwork…….. Alternatively you can give wider role like network Adminn for simplicity Hope it helps!

Understand the logic. You can ask Gemini to explain any logs that you want to read.. this particular log is about checking my impersonator service account to verify that whether it’s creating my resources or not.. hope it helps!

I will try my best to create it soon

Yes, absolutely. Cloud auth login is needed before you run terraform..

But understand what it looks like in automation in a real environment, why did you do this on your machine. But it's not ideal, right? what is the solution?

It’s an ideal approach. When you run gclouud auth login, you get authenticated using password and MFA. This approach is secure from the key-based approach. Hope it make sense

@@thecloudbaba8668 So this is good for you to run on your machine, right? because in an automation to use terraform this wouldn't be the best method, would it?

That is the best method.. always use impersonation service account which is keyless based authentication and authorization

If you want to expose Jenkins as a service to your consumer, yes you can use PSC.. peering also works here

Yup. Both separate network and project works

Org level rolesresourcemanager.organizationAdmin or roles/compute.xpnAdmin Project level: roles/compute.networkAdmin

I will cover this option in future video..stay tuned

Yes,using IAP or bastion host

Thanks.. Will surely cover GKE topic in future videos soon

You can but what is the use case ?

i want to create private uptime check but VPC information is showing only in host project not in the service project i.e monitoring project.

I think you can do that.. will try to cover this use case .. could you elaborate more specific details around your requirements..

Thanks@@thecloudbaba8668 i would like to create private uptime check for the applications which are running on GCP VM and GKE clusters with internal IP only.

Your terraform ram successfully? If yes than pls recheck your peering code block again. There must be something that may be wrong.

@@thecloudbaba8668 i figured out the problem yesterday. I was missing the vpc2 to vpc1 resource block code. I had just written code block to peer vpc1 to vpc2. Post i applied vpc2 to vpc1 peering block it changed to active immediately from inactive state.thanks