Follow this guide to deploy the Cloud Execution for Desktop (CEfD) module for Google Cloud Platform (GCP) private data processing.
Before you deploy the CEfD module, you must have completed these steps on the Set Up GCP Project and VPC for Private Data page:
Configured a VPC dedicated to AAC, as described in the Configure Virtual Private Network section.
Created the service account and attached the base IAM roles to it, as described in the Configure IAM section.
Successfully triggered private data processing provisioning, as described in the Trigger Private Data Handling Provisioning section.
Assign these additional roles to the aac-automation-sa service account that you created during Set Up GCP Project and VPC for Private Data:
Compute Load Balancer Admin: roles/compute.loadBalancerAdmin
Compute Instance Admin (v1): roles/compute.instanceAdmin.v1
Storage Admin: roles/storage.admin
Cloud Functions Developer: roles/cloudfunctions.developer
Cloud Scheduler Admin: roles/cloudscheduler.admin
Artifact Registry Reader: roles/artifactregistry.reader
CEfD in a private data processing environment requires three subnets. You created the aac-private subnet earlier when creating the VPC; you do not need to create it again, but it is listed here for completeness.
aac-public (required): This subnet does not run any services, but the aac-option subnet uses it for egress out of the cluster.
aac-private (required): This subnet runs services private to the private data processing (PDP) environment.
aac-option (required): This subnet is used when you enable Cloud Execution for Desktop in your private data processing environment. With this option enabled, a swarm of VM instances runs in this subnet to handle Designer Desktop processing jobs that run in the cloud.
Configure the subnets in the aac-vpc VPC. Create them following the example below. You can adjust the subnet size and secondary subnet size to match your network architecture.
The address spaces are designed to accommodate a fully scaled-out data processing environment. You can choose a smaller address space if required, but you could run into scaling issues under heavy processing loads.
Important
The Subnet Name is not a flexible field; it must match the table below.
You may select any region from the Supported Regions list, but you must use the same region for the Subnet Region now and in the Trigger Provisioning step later.
Subnet Name | Subnet Size (CIDR) | Secondary Subnet Name | Secondary Subnet Size |
---|---|---|---|
aac-public | 10.10.0.0/25 | N/A | N/A |
aac-option | 10.30.0.0/23 | N/A | N/A |
Configure the routes for your subnets.
Important
You must configure the VPC with a route to the internet in your project.
Note
This route table is an example.
Address Prefix | Next Hop Type |
---|---|
/23 CIDR Block (aac-option) | aac-vpc |
0.0.0.0/0 | <gateway_ID> |
Note
Your <gateway_ID> can be either a NAT gateway (Cloud NAT) or the default internet gateway, depending on your network architecture.
A Cloud Function is deployed to auto-scale the CEfD VMs. Add a firewall rule that allows the Cloud Function to reach the CEfD VMs on TCP port 2024:
1. From the GCP console, select VPC Networks → Firewall.
2. Select Create Firewall Rule and set these fields:
a. Name: aac-cefd-cloudfunction-allow
b. Network: aac-vpc
c. Traffic: Ingress
d. Action: Allow
e. IP Range: <aac-option subnet block>
f. Protocols and Ports: TCP:2024
3. Select Create.
Keep the source IP range limited to the aac-option subnet block; do not widen it to 0.0.0.0/0, which would expose port 2024 on every instance in aac-vpc to the internet.
To create cloud resources for private data handling, you must enable these APIs in the project:
From the GCP console, select APIs & Services.
Select Enabled APIs and Services.
Enable these APIs:
Cloud Scheduler API
Cloud Functions API
Cloud Build API
Cloud Run Admin API
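The console steps above (the extra IAM roles for aac-automation-sa, the aac-public and aac-option subnets, the aac-cefd-cloudfunction-allow firewall rule, and the four APIs) as equivalent gcloud commands. This is an added example, not part of the original guide or of the AAC tooling. PROJECT_ID and REGION are placeholders you must set (REGION must be the same region you later use at the Trigger Provisioning step); the subnet ranges are taken from the table above. The script prints the commands by default and only executes them when APPLY=1, so you can review exactly what will change in the project first.

```shell
#!/usr/bin/env sh
# Added example: gcloud equivalents of the CEfD console steps. Not the guide's own script.
# Dry-run by default; set APPLY=1 to execute against the project.

PROJECT_ID="${PROJECT_ID:-my-aac-project}"   # assumption: replace with your GCP project ID
REGION="${REGION:-us-central1}"              # assumption: must match the region used at provisioning
SA_EMAIL="aac-automation-sa@${PROJECT_ID}.iam.gserviceaccount.com"
PUBLIC_CIDR="10.10.0.0/25"                   # aac-public range from the subnet table
OPTION_CIDR="10.30.0.0/23"                   # aac-option range from the subnet table

# Print the command, or run it when APPLY=1.
run() {
  if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Roles the guide adds on top of the base IAM roles already on the service account.
cefd_roles() {
  printf '%s\n' \
    roles/compute.loadBalancerAdmin \
    roles/compute.instanceAdmin.v1 \
    roles/storage.admin \
    roles/cloudfunctions.developer \
    roles/cloudscheduler.admin \
    roles/artifactregistry.reader
}

# One project-level binding per role; --condition=None avoids the interactive
# prompt when the project already has conditional bindings.
bind_roles() {
  for role in $(cefd_roles); do
    run gcloud projects add-iam-policy-binding "$PROJECT_ID" \
      --member="serviceAccount:${SA_EMAIL}" --role="$role" --condition=None
  done
}

# aac-private already exists from the VPC setup page; only the two missing
# subnets are created. Subnet names are fixed by the guide.
create_subnets() {
  run gcloud compute networks subnets create aac-public --project="$PROJECT_ID" \
    --network=aac-vpc --region="$REGION" --range="$PUBLIC_CIDR"
  run gcloud compute networks subnets create aac-option --project="$PROJECT_ID" \
    --network=aac-vpc --region="$REGION" --range="$OPTION_CIDR"
}

# Ingress allow on TCP 2024 with the source restricted to the aac-option block.
# The guide specifies no target tags, so (as in the console steps) the rule applies
# to all instances in aac-vpc; the narrow source range is what keeps it contained.
create_firewall_rule() {
  run gcloud compute firewall-rules create aac-cefd-cloudfunction-allow --project="$PROJECT_ID" \
    --network=aac-vpc --direction=INGRESS --action=ALLOW \
    --rules=tcp:2024 --source-ranges="$OPTION_CIDR"
}

# Cloud Scheduler, Cloud Functions, Cloud Build and Cloud Run Admin APIs.
enable_apis() {
  run gcloud services enable --project="$PROJECT_ID" \
    cloudscheduler.googleapis.com cloudfunctions.googleapis.com \
    cloudbuild.googleapis.com run.googleapis.com
}

# Full sequence in the order the guide presents it.
cefd_setup() {
  bind_roles
  create_subnets
  create_firewall_rule
  enable_apis
}

# Run directly with CEFD_RUN=1 (dry-run), or CEFD_RUN=1 APPLY=1 to apply.
if [ "${CEFD_RUN:-0}" = "1" ]; then cefd_setup; fi
```

Source the file and call cefd_setup to see the ten commands it would issue; review them, then rerun with APPLY=1. The role list and firewall rule are deliberately the guide's minimum: resist adding roles/owner or a 0.0.0.0/0 source range to "make it work", since the service account and the port 2024 rule are both reachable from the processing VMs.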
Caution
Modifying or removing any public cloud resources provisioned by AAC after private data handling is configured can cause inconsistencies. These inconsistencies can lead to errors during job execution or when deprovisioning the private data handling configuration.
Data processing provisioning is triggered from the Admin Console inside AAC. You need Workspace Admin privileges within a workspace to see it.
From the AAC landing page, select the Profile menu and then select Workspace Admin.
From the Admin Console, select Private Data Handling and then select Processing.
Select the Cloud Execution for Desktop checkbox and then select Update.
Selecting Update triggers the deployment of the cluster and resources in the GCP project. Deployment starts with a set of validation checks that verify the GCP project is configured correctly.
Note
The provisioning process takes approximately 35–40 minutes to complete.
After provisioning completes, you can view the created resources (for example, VM instances and node groups) in the GCP console. Do not modify them manually; manual changes can break the private data processing environment.