Use Case: VPC deployment plus PKI #101
Description
example stackql-deploy corporate network bootstrap
This should be a lean corporate cloud bootstrap. The value proposition is that setup, teardown and extension are rapid and light on for cognitive load.
Background
Business technology changes can be in infrastructure, application, data, security posture, or some other dimension. These changes quite frequently cut across traditional views of control, compliance and ownership bounndary. For example, an application change may require:
- Deployment on a container platform owned by a container team.
- Corporate PKI changes under some Certificates team.
- Database adjustment, owned by a database team, with requisite reporting for a regulator in tow.
- Firewall changes under a network security team.
Rather than execute these changes in separate, interdependent steps, we propose to execute in one single transaction. To execute such transactions safely and usefully:
- The transaction should be explainable ahead of time (AOT).
- The transaction should proceed only once all requistite approvals are in place.
- The transaction should adhere to well-defined ACID semantics.
- The transaction should be auditable.
This is nothing new for user of RDBMS systems and stackql is heavily inspired and influenced by such systems (obviously). This use case seeks to illustrate:
Business transactions can be executed by the heterogenous tooling of
stackql-deploy.
Eventually, the stackql ecosystem will evolve such that:
Business transaction ACID semantics are exclusively managed by the core
stackqlapplication and this same application abstracts all implementation detail. This is advantageous in that extension and improvement are transaprent to users.
Regarding network bootstrap specifically:
- Probably based upon hybrid cloud example AWS-GCP per the google docs.
- VPN gateway is cost effective if used sparingly, per vendor docs.
- For client to gateway road warrior setup on one tenancy, consider strongswan.
- Packet mirroring and security devices???
- Cloud NAT. Does this support proxy whitelist pattern?
- Private DNS zone.
- Private / restricted google service access. Similar AWS if available.
- ACME server.
Acceptance Criteria
- Reference implementation of e2e deployment using
stackql/stackql-deploy:- VPC and subnets. Architecture???
- VPN Gateway.
- BGP.
- Private DNS.
- ACME Server for PKI.
- Some kind of NAT.
- Cheap PAAS workload in private only address space.
- NAT for egress.
- Cheapo security appliance monitoring ingress and egress.
- Blog to tell the story coherent story:
- theme = "we run our biz on
stackqland so can you." - demo = access corporate app using corporate PKI from registered devices.
- theme = "we run our biz on
- You tube video.
- Presentation to at least one group of business people.
High Level Plan
- Deploy the following, peered by Cloud VPN linkage:
- 1x GCP VPC.
- 1x AWS VPC.
- Cloud VPN peering between clouds.
- Private DNS zone using cloud resources.
- Private services access only, using cloud intrinsics.
- Artifact registry with SOE(s).
- GCP (can migrate elsewhere at any time) to contain a
k8scluster(s) including:- WAF with envoy or nginx.
- VPN server software supporting client to gateway road warrior setup on one tenancy, per this stackoverflow post. Consider strongswan.
- CRL server.
- ACME Server.
- A Network Intrusion Detection System (NIDS), such as snort.
- VMs for:
- A deep packet inspection application for analysis, processing data from packet mirroring. This will require a compute engine managed instance group on the collector side.
- Cloud NAT. Does this support proxy whitelist pattern?
- Re-use the existing
k8s the hard waystackql-deploydemo for the bulk of the GCP tenancy.
about stackql-deploy
stackql-deploy is a multi cloud deployment automation and testing framework which is an alternative to Terraform or similar IaC tools. stackql-deploy uses a declarative model/ELT based approach to cloud resource deployment (inspired by dbt). Advantages of stackql-deploy include:
- declarative framework
- no state file (state is determined from the target environment)
- multi-cloud/omni-cloud ready
- includes resource tests which can include secure config tests