Running Eclipse HONO and Ditto on Google Cloud (5)

MichaelChi
Google Cloud - Community
Aug 20, 2022

At the time of writing, Eclipse Ditto provides several authentication mechanisms for HTTP Push connections.

Unfortunately, also at the time of writing, Google Cloud does not support those authentication mechanisms. There are several options for securing the Cloud Function:

  • Secure the Cloud Function via network isolation.
  • Secure the Cloud Function via another service that supports the authentication mechanisms above.
  • Secure the Cloud Function via custom code.
  • A combination of the options above.

Securing the Cloud Function with custom code, or by fronting it with another service that supports OAuth or HMAC signing, is not discussed here for now. Instead, I will set up network isolation so that the Cloud Function only accepts connections from within the same VPC network.

Secure the Cloud Function via network isolation

Cloud resources in a VPC can invoke a Cloud Function from within the VPC using Private Service Connect. To do this, you create a Private Service Connector and configure the Cloud Function to use it. A high-level architecture diagram is shown below.

High-level Private Service Connect Architecture

  • Create a Private Service Connector

export VPC_SUBNET_NAME=<YOUR VPC SUBNET NAME>
gcloud services enable vpcaccess.googleapis.com
gcloud compute networks vpc-access connectors create my-psc-connector \
--region asia-east1 \
--subnet $VPC_SUBNET_NAME

  • Follow this instruction to update the Cloud Function to use the Private Service Connector.

Once configured, your Cloud Function only accepts requests coming from the same VPC, or from within the same VPC Service Controls perimeter. You can verify this by running curl from outside the VPC.

curl -m 70 -X POST https://$YOUR_FUNCTION_URL \
-H "Authorization:bearer $(gcloud auth print-identity-token)" \
-H "Content-Type:application/json" \
-d '{}'

You should get an HTTP 403 error.
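The curl above is a black-box check from the outside. As an added example that is not part of the original post, the script below audits the same property from the configuration side: it reads the JSON that gcloud functions describe --format=json prints and confirms that the function's ingress setting is ALLOW_INTERNAL_ONLY (the setting behind the "same VPC or VPC Service Controls perimeter" behaviour) and that the connector created in step 1 is the one attached. The sample JSON, project name and function name are constructed, and the connector name my-psc-connector is taken from the command above.

```python
import json
from typing import Dict, List

# Constructed sample in the shape of `gcloud functions describe NAME --format=json`
# for a 1st-gen function (assumption: documented v1 field names; values made up here).
SAMPLE_OPEN_FUNCTION = json.dumps({
    "name": "projects/my-project/locations/asia-east1/functions/ditto-sink",
    "httpsTrigger": {"url": "https://asia-east1-my-project.cloudfunctions.net/ditto-sink"},
    "ingressSettings": "ALLOW_ALL",
    "vpcConnector": "projects/my-project/locations/asia-east1/connectors/my-psc-connector",
})

# The same function after the change described in the post: ingress limited to internal traffic.
SAMPLE_ISOLATED_FUNCTION = json.dumps({
    **json.loads(SAMPLE_OPEN_FUNCTION),
    "ingressSettings": "ALLOW_INTERNAL_ONLY",
})


def audit_ingress(describe_json: str, expected_connector: str = "my-psc-connector") -> List[str]:
    """Return a list of findings; an empty list means the function is reachable only from
    the same VPC / VPC Service Controls perimeter and uses the expected connector."""
    fn: Dict = json.loads(describe_json)
    # 2nd-gen functions nest these fields under serviceConfig; 1st-gen keep them at top level.
    cfg = fn.get("serviceConfig", fn)
    findings: List[str] = []

    ingress = cfg.get("ingressSettings", "INGRESS_SETTINGS_UNSPECIFIED")
    if ingress != "ALLOW_INTERNAL_ONLY":
        findings.append(
            f"ingressSettings={ingress}: callers outside the VPC can reach the function; "
            "expected ALLOW_INTERNAL_ONLY"
        )

    # The connector resource name ends with the short name used in the gcloud create command.
    connector = cfg.get("vpcConnector", "")
    if connector.rsplit("/", 1)[-1] != expected_connector:
        findings.append(
            f"vpcConnector={connector or '<none>'}: expected connector {expected_connector!r} from step 1"
        )
    return findings


if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_OPEN_FUNCTION), ("after", SAMPLE_ISOLATED_FUNCTION)):
        print(label, audit_ingress(sample) or ["OK: internal-only ingress with expected connector"])
```

On a real project, pipe the output of gcloud functions describe into audit_ingress instead of the constructed sample.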

Now let’s verify that your Eclipse Hono cluster is able to forward telemetry to the Cloud Function.

curl -X POST -i -u ${DEVICE_ID}-auth@${TENANT_NAME}:my-password \
-H 'Content-Type: application/json' \
-d '{"hum": 12.17}' http://${HTTP_ADAPTER_IP}:${HTTP_ADAPTER_PORT_http}/telemetry

You should see a log entry in Cloud Logging.

Part(6)
