Google Cloud Platform
Google Cloud Platform (GCP) is a cloud computing platform and infrastructure provider, often referred to simply as "Google Cloud". New features of the NAIS platform are often available exclusively on GCP first, and we actively encourage teams to migrate their applications to GCP.
List of NAIS clusters in GCP
cluster | environment | comment
---|---|---
dev-gcp | development | selected ingresses publicly accessible
prod-gcp | production | publicly accessible
In GCP, we do not operate with a zone model like with the on-premise clusters. Instead, we rely on a zero trust model with a service mesh. The only thing we differentiate on a cluster level is development and production.
Applications running in GCP need access policy rules defined for every other service they receive requests from or send requests to.
Make sure you have access to GCP clusters.
Supported features
Access to GCP
In order to use GCP, a team is required to register their team in the NAIS console. This generates a namespace for the team in each cluster, and dev and prod GCP projects are created. The team's group is initially granted a restricted set of permissions in these projects, but has the ability to grant further permissions on demand using the GCP console.
Warning
With the ability to grant permissions, the team has full control of the team's GCP projects, and should take care when granting further permissions or enabling features and APIs.
Accessing the application
Access is controlled in part by ingresses, which define where your application will be exposed as an HTTP endpoint. You can control where your application is reachable from by selecting the appropriate ingress domain.
Warning
Make sure you understand where you expose your application, taking into account the state of your application, what kind of data it exposes and how it is secured. If in doubt, ask in #nais or someone on the NAIS team.
You can control where your application is reachable from by selecting the appropriate ingress domain. If no ingress is selected, the application will not be reachable from outside the cluster.
dev-gcp ingresses
domain | accessible from | description
---|---|---
ekstern.dev.nav.no | internet | development ingress for applications exposed to the internet. URLs containing /metrics, /actuator or /internal are blocked.
intern.dev.nav.no | naisdevice and NAV internal networks | development ingress for non-public/internet-facing applications
prod-gcp ingresses
domain | accessible from | description
---|---|---
nav.no | internet | subdomains are manually configured, contact #tech-sikkerhet. Ingresses on nav.no/* are automatically available. URLs containing /metrics, /actuator or /internal are blocked.
intern.nav.no | naisdevice | used by non-public/internet-facing applications (previously called adeo.no).
You can also learn about how DNS is configured.
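To illustrate both points above, the ingress selection and the access policy rules that the zero trust model requires for every service an application talks to, here is an added example NAIS manifest for dev-gcp (it is not taken from the original page; the application, team and image names are placeholders):

```yaml
# nais.yaml (added example; names and image are placeholders)
apiVersion: nais.io/v1alpha1
kind: Application
metadata:
  name: myapp            # placeholder application name
  namespace: myteam      # placeholder team namespace
  labels:
    team: myteam
spec:
  image: ghcr.io/example/myapp:v1   # placeholder image
  # The ingress domain decides who can reach the app (see the dev-gcp table):
  # intern.dev.nav.no is reachable from naisdevice and NAV internal networks only.
  # Leave out the ingresses list entirely and the app is reachable only from
  # inside the cluster.
  ingresses:
    - https://myapp.intern.dev.nav.no
  # Zero trust: traffic between applications is denied unless it is listed
  # here, both for requests coming in and for requests going out.
  accessPolicy:
    inbound:
      rules:
        # application in the same namespace and cluster
        - application: frontend
        # application owned by another team in the same cluster
        - application: reporting
          namespace: other-team
    outbound:
      rules:
        - application: backend-api
      external:
        # third party on the internet; the request leaves the cluster from the
        # egress addresses listed under "Outbound addresses"
        - host: api.example.com
```

Each rule is a deliberate, reviewable allow-list entry; a service that is not listed cannot reach or be reached by the application.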
Outbound addresses
If you communicate with a third party that allows traffic based on IP, these are the addresses your application will come from.
dev-gcp egress
35.228.4.248 34.88.219.93 35.228.165.176
prod-gcp egress
35.228.235.189 35.228.12.134 35.228.189.194
ROS and PVK
When establishing an application on GCP, it is a great time to update its platform privacy impact assessments (ROS). It is required to update the application's entry in the Behandlingsoversikt when changing platforms. If either of these terms is unfamiliar to your team, it's time to sit down and take a look at both of them.
Every application needs to have a ROS analysis. Applications handling personal information need a data protection impact assessment (PVK) and an entry in the Behandlingsoversikt.
See also additional information about ROS for applications using nais and PVK for applications using nais under Laws and regulations.
Questions about ROS can be directed to Leif Tore Løvmo or Line Langlo Spongsveen or posted in #tryggnok. Questions about Behandling should be directed to #behandlingskatalogen.
Created: 2020-06-08