
Cloud Execution for Desktop in GCP

Follow this guide to deploy the Cloud Execution for Desktop (CEfD) module for Google Cloud Platform (GCP) private data processing.

Prerequisite

Before you deploy the CEfD module, complete these steps on the Set Up GCP Project and VPC for Private Data page:

  1. Configure a VPC dedicated to AAC as mentioned in the Configure Virtual Private Network section.

  2. Create the service account and attach the base IAM roles to it as mentioned in the Configure IAM section.

  3. Successfully trigger private data processing provisioning as mentioned in the Trigger Private Data Handling Provisioning section.

Project Setup

Step 1: Configure IAM

Step 1a: IAM Binding to the Service Account

Assign these additional roles to the aac-automation-sa service account that you created during Set Up GCP Project and VPC for Private Data:

  • Compute Load Balancer Admin: roles/compute.loadBalancerAdmin

  • Compute Instance Admin (v1): roles/compute.instanceAdmin.v1

  • Cloud Functions Developer: roles/cloudfunctions.developer

  • Storage Admin: roles/storage.admin

  • Cloud Scheduler Admin: roles/cloudscheduler.admin

Step 2: Configure Subnet

CEfD in the private data processing environment requires 1 subnet.

  • aac-option (required): Use this group if you enable Cloud Execution for Desktop within your private data processing environment. If you enable this option, an AMI swarm runs in this subnet to handle Designer Desktop processing jobs that run in the cloud.

Step 2a: Create Subnets in the VPC

Configure subnets in the aac-vpc VPC.

Follow this example to create subnets with subnet name, subnet size, and other configurations (modify values, as needed, to meet your network architecture).

| Subnet Name | Subnet | Secondary Subnet Name | Secondary Subnet Size |
| --- | --- | --- | --- |
| aac-option | 10.30.0.0/23 | N/A | N/A |

Important

The subnet IP addresses and sizes in the table are an example. Modify values, as needed, to meet your network architecture.

The subnet region must match the region where you provision Private Data Handling.

The subnet name must match the name shown in the table.

Step 2b: Subnet Route Table

Create the route table for your subnets.

Important

You must configure the VPC with a network connection to the internet in your project.

Note

This route table is an example.

| Address Prefix | Next Hop Type |
| --- | --- |
| /23 CIDR Block (aac-option) | aac-vpc |
| 0.0.0.0/0 | <gateway_ID> |

Note

Your <gateway_ID> can be either a NAT gateway or an internet gateway, depending on your network architecture.

Step 2c: Firewall Rule

A Cloud Function is deployed to auto-scale the CEfD VMs. Add a firewall rule to allow the Cloud Function to communicate with the CEfD VMs.

  1. From the GCP console, select VPC Networks > Firewall.

  2. Select Create Firewall Rule and set these values:

    a. Name: aac-cefd-cloudfunction-allow

    b. Network: aac-vpc

    c. Traffic: Ingress

    d. Action: Allow

    e. IP Range: <aac-option subnet block>

    f. Protocols and Ports: TCP:2024

  3. Select Create.
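A check you can run after Step 2c to confirm the rule is no broader than this guide specifies. This is an added example, not part of the product documentation: it assumes the rule has been exported as JSON (for example with `gcloud compute firewall-rules describe aac-cefd-cloudfunction-allow --format=json`), and the function name, the sample rules, and the `example-project` project ID are constructed for illustration.

```python
import ipaddress

# Expected values come from this guide's Step 2 example; adjust to your network.
EXPECTED = {"name": "aac-cefd-cloudfunction-allow", "network": "aac-vpc",
            "subnet": "10.30.0.0/23", "port": "2024"}

def check_firewall_rule(rule, expected=EXPECTED):
    """Return a list of findings; an empty list means the rule matches Step 2c."""
    findings = []
    subnet = ipaddress.ip_network(expected["subnet"])
    if rule.get("name") != expected["name"]:
        findings.append(f"unexpected rule name {rule.get('name')!r}")
    # The API reports the network as a URL ending in /networks/<name>.
    if rule.get("network", "").rsplit("/", 1)[-1] != expected["network"]:
        findings.append(f"rule is not attached to {expected['network']}")
    if rule.get("direction") != "INGRESS":
        findings.append("direction is not INGRESS")
    if rule.get("disabled"):
        findings.append("rule is disabled")
    # Every source range must fall inside the aac-option subnet.
    sources = rule.get("sourceRanges", [])
    if not sources:
        findings.append("no sourceRanges set")
    for cidr in sources:
        net = ipaddress.ip_network(cidr, strict=False)
        if net.version != subnet.version or not net.subnet_of(subnet):
            findings.append(f"source range {cidr} is not inside {subnet}")
    # Only TCP:2024 should be allowed; an entry without ports opens every port.
    opened = {(a.get("IPProtocol", "?"), port) for a in rule.get("allowed", [])
              for port in a.get("ports", ["all"])}
    if opened != {("tcp", expected["port"])}:
        findings.append(f"allowed is {sorted(opened)}, expected tcp:{expected['port']}")
    return findings

# Constructed sample rules (project ID is a placeholder), not real exports.
NETWORK_URL = ("https://www.googleapis.com/compute/v1/projects/"
               "example-project/global/networks/aac-vpc")
GOOD_RULE = {"name": "aac-cefd-cloudfunction-allow", "network": NETWORK_URL,
             "direction": "INGRESS", "sourceRanges": ["10.30.0.0/23"],
             "allowed": [{"IPProtocol": "tcp", "ports": ["2024"]}]}
BAD_RULE = dict(GOOD_RULE, sourceRanges=["0.0.0.0/0"],
                allowed=[{"IPProtocol": "tcp", "ports": ["2024", "22"]}])

if __name__ == "__main__":
    for label, rule in (("good", GOOD_RULE), ("bad", BAD_RULE)):
        print(label, check_firewall_rule(rule) or "OK")
```

If you changed the aac-option CIDR from the example value, pass your own `expected` dictionary so the source-range check uses your subnet block.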

Step 3: Enable Google APIs

To create cloud resources for private data handling, you must enable these APIs in the project.

  1. From the GCP console, select APIs & Services.

  2. Select Enabled APIs and Services.

  3. Enable these APIs:

    Cloud Scheduler API

    Cloud Functions API

    Cloud Build API

    Cloud Run Admin API

Private Data Processing

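Caution

If you modify or delete any AAC-provisioned public cloud resources after private data processing is provisioned, the result is an inconsistent state. This inconsistency causes errors when jobs run or when the private data plane processing is deprovisioned.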

Step 1: Trigger CEfD Deployment

You trigger data processing provisioning from the Admin Console in AAC. You need Workspace Admin privileges within a workspace to see it.

  1. From the AAC landing page, select the Profile menu and then select Workspace Admin.

  2. From the Admin Console, select Private Data Handling and then select Processing.

  3. Select the Cloud Execution for Desktop checkbox and then select Update.

Selecting Update triggers the deployment of the cluster and resources in the GCP project. This runs a set of validation checks to verify the correct configuration of the GCP project.

Note

The provisioning process takes approximately 35–40 minutes to complete.

After the provisioning completes, you can view the created resources (for example, VM instances and node groups) through the GCP console. It is very important that you don't modify them on your own. Manual changes might cause issues with the function of the private data processing environment.