Securing Inference APIs on GCP with SSL Policies

Question

Pulumi · Accepted Answer

To secure Inference APIs on Google Cloud Platform (GCP) with SSL policies, you would generally need to utilize Google Cloud Load Balancers along with Google Cloud SSL Policies. Load balancers help distribute incoming API requests across multiple instances, improving performance and uptime, while SSL policies define the security parameters for the SSL connections they terminate, enabling you to enforce a particular set of security protocols and ciphers easily.

Here's how you can use Pulumi to provision an SSL Policy and connect it to a Load Balancer which serves your Inference API:

1. **Google Cloud SSL Policy**: This resource allows you to define a custom SSL Policy that specifies the allowed versions of the SSL/TLS protocol and ciphers to be used when the Load Balancer is serving requests. For inference APIs, you would typically want to support only the latest and most secure protocols and ciphers to ensure the confidentiality and integrity of your API traffic.

2. **Google Cloud Load Balancer**: This is the resource that receives incoming requests and distributes them across your Inference services. You will attach the SSL Policy to the target proxy of a Google Cloud HTTPS Load Balancer, which in turn is connected to the backend services that host your API.

Below is a Pulumi program written in Python that demonstrates how to create an SSL policy and attach it to an HTTPS Load Balancer which connects to a backend service hosting your Inference API. This example assumes that the backend service and health checks for it have already been configured; it focuses on the SSL policy and its association with the Load Balancer.

```python
import pulumi
import pulumi_gcp as gcp

# Create a custom SSL Policy with modern security features
ssl_policy = gcp.compute.SSLPolicy("ssl-policy",
    profile="MODERN",
    min_tls_version="TLS_1_2",
    custom_features=[
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    ]
)

# Load balancer's frontend configuration - assuming you have a static IP address reserved
address = gcp.compute.GlobalAddress("global-address")

# SSL certificate - assuming you have already created one
ssl_certificate = gcp.compute.ManagedSslCertificate("ssl-certificate",
    name="your-certificate-name"
)

# HTTPS target proxy that uses the SSL certificate and SSL policy
target_https_proxy = gcp.compute.TargetHttpsProxy("target-https-proxy",
    url_map="your-url-map",
    ssl_certificates=[ssl_certificate.id],
    ssl_policy=ssl_policy.id
)

# Global forwarding rule to route incoming requests to the target proxy
global_forwarding_rule = gcp.compute.GlobalForwardingRule("global-forwarding-rule",
    ip_address=address.address,
    ip_protocol="TCP",
    port_range="443",
    target=target_https_proxy.id
)

# Export the IP to which the DNS record should point
pulumi.export("lb_ip_address", address.address)
```

Here's a breakdown of what each section is doing:

- The `SSL Policy` is created with a modern profile and specifies only secure TLS versions and ciphers.
- The `Global Address` secures a static IP address that will be used by the Load Balancer.
- The `Managed SSL Certificate` represents an SSL certificate which you should have already generated (through Google-managed services or a self-managed certificate).
- The `Target HTTPS Proxy` creates an HTTPS proxy that uses the SSL certificate and policy you've defined.
- The `Global Forwarding Rule` directs traffic to the HTTPS proxy at the static IP address on port 443 (standard port for HTTPS traffic).
- Finally, the IP address of the Load Balancer is exported as `lb_ip_address`. You will need to create a DNS record that points your domain to this IP address for your API to be served over SSL.

This Pulumi program lays the groundwork for securing your Inference API with SSL policies. Please replace placeholder text like `"your-certificate-name"` and `"your-url-map"` with actual resource identifiers from your existing GCP infrastructure.

Ensure that you have logged into the GCP console and set the appropriate environments for Pulumi using the `gcloud` CLI. When you run `pulumi up`, it will provision the resources as per the configuration you established.