The purpose of this document is to provide a comprehensive guide on the features, setup, and management of Private Clusters in Liferay Cloud. This document aims to explain the benefits, technical requirements, and procedures involved in provisioning and maintaining a Private Cluster to ensure a secure and dedicated environment for enterprise applications. It is intended to serve as a reference for customers who wish to purchase or learn more about Private Clusters.
Overview of Private Cluster
Definition
A Private Cluster in Liferay Cloud is a dedicated set of infrastructure resources allocated exclusively for a single customer. Unlike shared environments where resources are pooled among multiple tenants, a Private Cluster provides isolated infrastructure, enhancing security and performance. This isolation ensures that the customer's applications run in a completely segregated environment, free from the potential risks and resource contention associated with multi-tenant environments.
Benefits
Dedicated Resources:
- CPU, Memory, and Storage: Each Private Cluster is allocated specific computing resources such as CPU cores, RAM, and disk storage. This dedicated allocation prevents resource contention, ensuring that the customer's applications have consistent access to the necessary computational power and storage.
- Performance and Reliability: By avoiding shared resource pools, Private Clusters provide a stable and predictable performance environment, reducing latency and improving the reliability of applications.
Enhanced Security:
- Private Networking: Private Clusters are configured with private networks that isolate customer traffic from the public internet and other tenants. This ensures that only authorized traffic can access the customer's applications and data.
- Dedicated Encryption Keys: Each Private Cluster uses unique encryption keys for data at rest and in transit, providing an additional layer of security and reducing the risk of data breaches and unauthorized access. See our security and data policy documentation for additional information.
Custom Configuration:
- Network Settings: Customers have the flexibility to configure their network settings, including IP address ranges, subnets, and routing rules, to meet specific security and operational requirements.
- VPN Connections: Private Clusters support Site-to-Site VPN connections, enabling secure, bi-directional communication between the customer's on-premises network and their Liferay Cloud environment.
- Firewall Rules: Customers can define custom firewall rules to control traffic to and from their applications, ensuring that only legitimate traffic is allowed.
Use Cases
Compliance Requirements:
- Regulatory Standards: Organizations that must comply with stringent regulatory standards such as GDPR, HIPAA, or PCI-DSS benefit from the isolated and secure environment provided by a Private Cluster. This isolation helps in meeting data residency and protection requirements.
- Audit and Reporting: The dedicated nature of Private Clusters facilitates easier auditing and reporting, as all resources and logs are confined to a single-tenant environment.
Performance-Sensitive Applications:
- Low Latency: Applications that require low latency, such as financial trading platforms or real-time communication systems, can leverage the dedicated resources of a Private Cluster to achieve optimal performance.
- High Throughput: High-performance applications that process large volumes of data benefit from the consistent and predictable performance of a Private Cluster.
Custom Integrations:
- Hybrid Cloud: Enterprises that need to integrate cloud applications with on-premises systems can use Site-to-Site VPN to create secure, seamless connections between their Private Cluster and existing infrastructure.
Key Features
Dedicated Resources
A Private Cluster ensures that all computing resources are exclusively allocated to a single customer. This isolation prevents resource contention and guarantees consistent performance for critical applications.
- Resource Allocation: Customers receive a fixed allocation of CPU cores, memory, and storage. These resources are reserved exclusively for their use, ensuring predictable performance.
- Performance Monitoring: Tools and dashboards are available to monitor resource usage, allowing customers to optimize their applications and scale resources as needed.
Enhanced Security
Private Networking:
- VPC Configuration: Each Private Cluster is deployed within a Virtual Private Cloud (VPC) that isolates customer traffic. Subnets within the VPC can be customized to align with the customer's internal IP address schemes.
- Traffic Isolation: Network segmentation ensures that traffic between the customer's applications and the public internet is tightly controlled. Internal traffic between services in the cluster remains within the VPC, reducing exposure to external threats.
Encryption:
- Data at Rest: Data stored in the Private Cluster is encrypted using AES-256 encryption, ensuring that it remains secure even if physical storage devices are compromised.
- Data in Transit: All data transmitted to and from the Private Cluster is encrypted using TLS, ensuring that it cannot be intercepted or tampered with during transmission.
Site-to-Site VPN
Secure Connections:
- IPsec VPN: Establishes secure, bi-directional connections between the customer's on-premises network and the Liferay Cloud environment using IPsec VPN technology. This ensures that data is transmitted securely over the internet.
- Redundancy and Failover: Configurations can include redundant VPN connections to ensure high availability and failover capabilities, minimizing downtime in case of network failures.
Configuration:
- VPN Parameters: Customers need to provide specific VPN parameters, including:
  - Public VPN Gateway IP Address: The public IP address of the customer's VPN gateway.
  - Pre-Shared Key (PSK): A shared secret used to authenticate the VPN connection.
  - IKE Version: The version of the Internet Key Exchange protocol to use (IKEv2 is recommended).
  - Private IP Ranges: The IP ranges that will be advertised over the VPN tunnel, allowing communication between the customer's on-premises network and the Private Cluster.
Web Application Firewall
Google Cloud Armor:
- Threat Protection: Implements Google Cloud Armor to protect against various web-based threats, including Distributed Denial of Service (DDoS) attacks, SQL injection, and cross-site scripting (XSS).
- Access Control: Allows customers to define and enforce security policies that restrict access to their applications based on IP addresses, geographical location, and other criteria.
Private Service Connect (PSC) and Cloud Interconnect Integration
Liferay Cloud has implemented a new feature facilitating the integration of Google Cloud's Private Service Connect (PSC) within its platform. PSC, a tunneling solution, enables the establishment of dedicated connections involving specific Kubernetes services or namespaces. See the Liferay PSC documentation for more information.
Establishment of PSC Connection:
- Dedicated Connections: The Liferay Cloud platform now supports PSC connections, ensuring that only specified Kubernetes services or namespaces can initiate and access this connection. This dedicated channel enhances security by restricting access to specific resources.
Tunneling Solutions:
- Secure Channels: With PSC in place, a dedicated tunnel is available for specific Google Cloud Platform (GCP) services or different GCP VPCs to connect in or out of a VPC within the Liferay Cloud platform. This setup ensures secure and controlled data transfer between designated endpoints.
Cloud Interconnect as a Bridge:
- Secure Data Transfer: Cloud Interconnect provides a dedicated connection directly from an organization's on-premises network or other cloud environments to Google Cloud Platform. This connection bypasses the public internet, offering enhanced security, reduced latency, and predictable network performance.
- Combined Utility: When combined with PSC, Cloud Interconnect serves as a robust solution for securely bridging on-premises data and systems with Liferay Cloud. This combination facilitates secure and efficient interactions between on-premises systems and Google Kubernetes Engine (GKE) or Google Cloud Storage, enabling rapid and secure data transfer.
Prerequisites and Requirements
Subscription
To use a Private Cluster, customers must subscribe to the necessary Liferay Cloud plans and add-ons. This includes purchasing the Private Cluster add-on in addition to their existing subscription. The add-on provides access to dedicated infrastructure and advanced security features.
- Subscription Plans: Details about the available subscription plans and the specific add-ons required for Private Cluster functionality.
High Availability
Private Clusters are configured with High Availability (HA) to ensure redundancy and failover capabilities. This configuration requires a minimum of three environments (e.g., production, staging, development) to distribute the load and provide continuous availability.
- Redundancy: Multiple instances of critical services are deployed across different availability zones to ensure that the failure of one zone does not impact the overall availability of the applications.
- Failover Mechanisms: Automated failover mechanisms are in place to detect failures and switch to standby instances, ensuring minimal disruption to service.
Network Configuration
VPN Settings:
- Subnet Allocation: Customers must provide details for configuring the Site-to-Site VPN, including two /20 subnets for private IP ranges. These subnets will be used for routing traffic between the customer's on-premises network and the Private Cluster.
- Public and Private IP Addresses: Allocation and configuration of public and private IP addresses for the VPN endpoints.
Firewall Rules:
- Traffic Control: Proper firewall rules must be set up to allow traffic between the customer's network and the Private Cluster. This includes rules for both ingress (incoming) and egress (outgoing) traffic.
- Security Policies: Definition of security policies to restrict access to specific services and applications within the Private Cluster. These policies can be based on IP addresses, protocols, and ports.
Conclusion
Liferay Cloud's Private Cluster offers a secure and dedicated environment for enterprises with strict security and performance needs. It provides isolated resources, enhanced security features, and flexible configuration options to ensure that critical applications run efficiently.
This guide covers the key benefits, prerequisites, and detailed steps for provisioning and configuring a Private Cluster. By following these guidelines, IT professionals can effectively use Liferay Cloud's Private Cluster to meet compliance requirements, achieve high performance, and implement custom network configurations.