Migrating to GCPΒΆ
Why migrate our application(s)?ΒΆ
- Access to self-service Google-managed buckets and Postgres databases.
- Access to Google Cloud features.
- Zero Trust security model instead of FSS/SBS zone model.
- Cost efficient and future proof.
PrerequisitesΒΆ
- The team needs to update their ROS and PVK analysis to migrate to GCP.
- Read this roles and responsibilites
SecurityΒΆ
Our GCP clusters use a zero trust security model, implying that the application must specify both incoming and outgoing connections in order to receive or send traffic at all. This is expressed using access policies.
PrivacyΒΆ
Google is cleared to be a data processor for personally identifiable information (PII) at NAV. However, before your team moves any applications or data to GCP the following steps should be taken:
- Verify that you have a valid and up-to-date PVK for your application. This document should be tech stack agnostic and as such does not need to be changed to reflect the move to GCP.
- If the application stores any data in GCP, update Behandlingskatalogen to reflect that Google is a data processor.
ROSΒΆ
The ROS analysis for the team's applications need to be updated to reflect any changes in platform components used. For example, if your team has any specific measures implemented to mitigate risks related to "Kode 6 / 7 users", you should consider if these measures still apply on the new infrastructure or if you want to initiate any additional measures. When updating the ROS, please be aware that the GCP components you are most likely to use have already undergone risk assessment by the nais team and that you can refer to these ROS documents in your own risk assessment process.
FAQΒΆ
What do we have to change?ΒΆ
Answer
- Cluster name: All references to cluster name. (Logs, grafana, deploy, etc.)
- Secrets: are now stored as native secrets in the cluster, rather than externally in Vault.
- Namespace: If your application is in the
default
namespace, you will have to move to team namespace - Storage: Use
GCS-buckets
instead ofs3
in GCP. Buckets, and access to them, are expressed in your application manifest - Ingress: There are some domains that are available both on-prem and in GCP, but some differ, make sure to verify before you move.
-
Postgres: A new database (and access to it) is automatically configured when expressing
sqlInstance
in your application manifestWe're currently investigating the possibility of using on-prem databases during a migration window.
-
PVK: Update your existing PVK to include cloud
GCP compared to on-premises summarizes the differences and how that may apply to your application.
What should we change?ΒΆ
Answer
- Use TokenX instead of API-GW.
- If using automatically configured Google-managed buckets, use Google APIs
What do we not need to change?ΒΆ
Answer
You do not have to make any changes to your application code. Ingresses work the same way, although some domains overlap and others are exclusive. Logging, secure logging, metrics and alerts work the same way.
What can we do now to ease migration to GCP later?ΒΆ
Answer
- Make sure your PVK is up to date.
- Deploy your application to your team's namespace instead of
default
, as this is not available in GCP. - Use a token auth flow between your applications. Either TokenX or Entra ID depending on your use case. This allows for a more seamless migration of your applications. E.g. if you have two apps in FSS, you can migrate one without the other.
What about PVK?ΒΆ
Answer
A PVK is not a unique requirement for GCP, so all applications should already have one. See PVK for details
How do we migrate our database?ΒΆ
Answer
Why is there no Vault in GCP?ΒΆ
Answer
There is native functionality in GCP that overlap with many of the use cases that Vault have covered on-prem. Using these mechanisms removes the need to deal with these secrets at all. Introducing team namespaces allows the teams to manage their own secrets in their own namespaces without the need for IAC and manual routines. For other secrets that are not used by the application during runtime, you can use the Secrets in Console.
How do we migrate from Vault to NAIS Secrets?ΒΆ
Answer
See the Secrets documentation.
How do we migrate from filestorage to buckets?ΒΆ
Answer
Add a bucket to your application spec Copy the data from the filestore using s3cmd to the bucket using gsutil
What are the plans for cloud migration in NAV?ΒΆ
Answer
Both sbs clusters are now retired. NAVs strategic goal is to shut off all on-prem datacenters by the end of 2023
What can we do in our GCP project?ΒΆ
Answer
The teams GCP projects are primarily used for automatically generated resources (buckets and postgres). We're working on extending the service offering. However, additional access may be granted if required by the team
How long does it take to migrate?ΒΆ
Answer
A minimal application without any external requirements only have to change a single configuration parameter when deploying and have migrated their application in 5 minutes. GCP compared to on-premises summarizes the differences and how that may apply to your application.
We have personally identifiable and/or sensitive data in our application, and we heard about the Privacy Shield invalidation. Can we still use GCP?ΒΆ
Answer
Yes. NAV's evaluation of our Data Processor Agreement with Google post-Schrems II is that it still protects us and is valid for use given that data is stored and processed in data centers located within the EU/EEA. If your team uses resources provisioned through NAIS, this is guaranteed by the nais team. If your team uses any other GCP services the team is responsible for ensuring that only resources within EU/EES are used (as well as for evaluating the risk of using these services).
See Laws and regulations/Application PVK for details.
How do I reach an application found on-premises from my application in GCP?ΒΆ
Answer
The application on-premises should generally fulfill the following requirements:
- Be secured with OAuth 2.0. That is, either:
- Exposed to GCP using a special ingress:
https://<app>.dev-fss-pub.nais.io
https://<app>.prod-fss-pub.nais.io
The application on-premises must then:
-
Add the ingress created above to the list of ingresses:
-
If secured with OAuth 2.0, ensure that the application also has set up inbound access policies:
The application in GCP must then:
-
Add the above hosts to their outbound external access policies:
-
Consume the application using the special ingress. Other ingresses are not reachable from GCP.
How do I reach an application found on GCP from my application on-premises?ΒΆ
Answer
The application in GCP must be exposed on a matching ingress:
ingress | reachable from zone |
---|---|
<app>.intern.dev.nav.no |
dev-fss |
<app>.intern.nav.no |
prod-fss |
<app>.nav.no |
internet, i.e. all clusters |
The application on-premises should not have to use webproxy to reach these ingresses.
GCP compared to on-premisesΒΆ
Feature | on-prem | gcp | Comment |
---|---|---|---|
Deploy | yes | yes | different clustername when deploying |
Logging | yes | yes | different clustername in logs.adeo.no |
Metrics | yes | yes | same mechanism, different datasource |
Nais app dashboard | yes | yes | new and improved in GCP |
Alerts | yes | yes | identical |
Secure logs | yes | yes | different clustername in logs.adeo.no |
Kafka | yes | yes | identical |
Secrets | Vault | Console secrets | |
Team namespaces | yes | yes | |
Shared namespaces | yes | no | Default namespace not available for teams in GCP |
Health checks | yes | yes | identical |
Ingress | yes | yes | See environments overview for available domains |
Storage | Ceph | Buckets | |
Postgres | yes (IAC) | yes (self-service) | |
Laptop access | yes | yes | |
domain: dev.intern.nav.no | yes (Automatic) | Wildcard DNS points to GCP load balancer | |
Access to FSS services | yes | Identical (either API-gw or TokenX) | |
NAV truststore | yes | yes | |
PVK required | yes | yes | amend to cover storage in cloud |
Security | Zone Model | zero-trust |