The bare metal solution contains all the infrastructure a user needs to run a specialized workload, such as an Oracle Database, close to Google Cloud. The infrastructure is reached over a dedicated, low-latency, and highly resilient interconnect and is connected to all the native Google Cloud services.
Understanding the bare metal solution components
The following components are included in the Google Cloud environment:
Google Cloud project: the user uses a Google Cloud project to administer their bare metal solution resources and billing.
VPC: the cloud project needs a VPC. Inside the VPC, the user creates one virtual machine to act as a jump host and another to act as a Network Address Translation (NAT) gateway.
Cloud Router: the user configures two Cloud Routers to provide routing and a redundant path between the VPC and the bare metal solution environment.
Partner Interconnect: it provides the physical connection between the user's cloud project and the bare metal solution environment. The user generates VLAN attachments and pairing keys, which the user enters into the console when setting up the bare metal solution environment.
Cloud firewall rules: firewall rules allow traffic from the bare metal solution environment to reach the cloud project.
Cloud IAM: the user uses Identity and Access Management to grant bare metal solution permissions to users and administrators.
The following components are included in the bare metal solution environment:
Networking: Three subnets must be specified for the bare metal solution environment.
Client subnet: a mandatory subnet that provides access to the user's Google Cloud VPC.
Private subnet: it provides access to other compute, networking, and storage devices that are located inside the bare metal solution regional extension.
Services subnet: it provides a small IP address range to offer IP addresses to devices providing storage and other services. It is a subset of the client subnet, the private subnet, or both.
Servers: the user needs to decide how many servers to include in their bare metal solution environment, along with the server type and operating system.
Storage: the user needs to select the type of storage they want to deploy.
Grant an IAM role
The user adds an IAM policy binding to grant a bare metal solution role to a principal. The role contains the permissions that allow the principal to perform certain actions. To grant a role:
The user must hold a role that contains the IAM permissions needed to grant roles to others, such as Owner, Project IAM Admin, or Security Admin.
In the cloud project, open a Cloud Shell window.
In the command below, fill in the cloud project ID, the email address of the principal's
Google Cloud account, and the desired bare metal solution role path.
gcloud projects add-iam-policy-binding PROJECT_ID \
--member=user:username@example.com \
--role=roles/baremetalsolution.admin
Paste the command into the Cloud Shell window.
Press Enter.
Click Authorize if the Authorize Cloud Shell window appears.
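The steps above are easy to get wrong by hand (a mistyped member binds the role to the wrong principal, and the granter may not actually hold a granting role). The following Python helper, an added example that is not part of the original article or of any Google tool, checks the prerequisites against a policy exported with gcloud projects get-iam-policy PROJECT_ID --format=json and then builds the exact gcloud add-iam-policy-binding command from the article. The sample policy, the project ID example-project, the principals, and the etag are constructed for this example.

```python
import re

# Role IDs referenced on this page (real Google Cloud role names).
BMS_ADMIN_ROLE = "roles/baremetalsolution.admin"
# Roles that may grant roles to others: Owner, Project IAM Admin, Security Admin.
GRANTING_ROLES = {
    "roles/owner",
    "roles/resourcemanager.projectIamAdmin",
    "roles/iam.securityAdmin",
}

# Shapes accepted for --member, a role path, and a project ID (6-30 chars,
# lowercase letters/digits/hyphens, starts with a letter, no trailing hyphen).
MEMBER_RE = re.compile(r"^(user|group|serviceAccount):[^\s@]+@[^\s@]+\.[^\s@]+$")
ROLE_RE = re.compile(r"^roles/[A-Za-z0-9_.]+$")
PROJECT_RE = re.compile(r"^[a-z][a-z0-9-]{4,28}[a-z0-9]$")

# Constructed sample policy in the shape returned by
#   gcloud projects get-iam-policy PROJECT_ID --format=json
# (principals and etag are made up for this example).
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/owner", "members": ["user:admin@example.com"]},
        {"role": BMS_ADMIN_ROLE, "members": ["user:bob@example.com"]},
        {"role": "roles/viewer", "members": ["user:carol@example.com"]},
    ],
    "etag": "PLACEHOLDER_ETAG",
    "version": 1,
}


def roles_for(policy: dict, member: str) -> set:
    """Return the set of roles bound directly to `member` in the policy."""
    return {
        b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])
    }


def can_grant_roles(policy: dict, member: str) -> bool:
    """True if `member` holds one of the roles that may grant roles to others."""
    return bool(roles_for(policy, member) & GRANTING_ROLES)


def build_grant_command(project_id: str, member: str, role: str) -> list:
    """Validate the inputs and return the gcloud argv that grants `role`.

    Validation happens before anything runs, so a typo in the member or role
    cannot bind the role to an unintended principal.
    """
    if not PROJECT_RE.match(project_id):
        raise ValueError(f"invalid project ID: {project_id!r}")
    if not MEMBER_RE.match(member):
        raise ValueError(f"member must look like user:name@example.com: {member!r}")
    if not ROLE_RE.match(role):
        raise ValueError(f"role must look like roles/x.y: {role!r}")
    return [
        "gcloud", "projects", "add-iam-policy-binding", project_id,
        f"--member={member}", f"--role={role}",
    ]


def plan_grant(policy: dict, granter: str, project_id: str, member: str, role: str):
    """Refuse if the granter lacks a granting role, return None if the binding
    already exists, otherwise return the command to run."""
    if not can_grant_roles(policy, granter):
        raise PermissionError(f"{granter} holds none of {sorted(GRANTING_ROLES)}")
    if role in roles_for(policy, member):
        return None  # binding already present; nothing to run
    return build_grant_command(project_id, member, role)


if __name__ == "__main__":
    cmd = plan_grant(SAMPLE_POLICY, "user:admin@example.com",
                     "example-project", "user:alice@example.com", BMS_ADMIN_ROLE)
    print(" ".join(cmd))
```

The helper only prints the command; pasting its output into Cloud Shell is still the step the article describes, which keeps a human in the loop for a change to project-level IAM.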
Audit logs
The following types of audit logs are available for bare metal solutions:
Data Access audit logs: these include "admin read" operations that read metadata or configuration information, and "data read" and "data write" operations that read and write user-provided data.
Audit Log Format
Each audit log entry is a LogEntry object; the following objects and fields are included in it:
The log entry is an object of type LogEntry; some of its useful fields are listed below:
logName: holds the resource ID and the audit log type.
resource: holds the target of the audited operation.
timestamp: holds the time of the audited operation.
protoPayload: holds the audited information.
The AuditLog object sits in the protoPayload field of the log entry and holds the audit logging data.
Log name
It includes resource identifiers indicating the cloud project or other Google Cloud entity that owns the audit logs. It also indicates whether the log holds Admin Activity, Data Access, Policy Denied, or System Event audit logging data.
Service Name
The service name used by bare metal solution audit logs is baremetalsolution.googleapis.com. Use the Map services to resources option to view a list of all the Cloud Logging API service names and their corresponding monitored resource types.
Resource types
The resource type used for all bare metal solution audit logs is audited_resource.
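To make the fields above concrete, here is a small Python parser, added as an example and not taken from the article or from Google, that reads exported LogEntry records, classifies them by the audit log type encoded in logName, keeps only entries whose protoPayload.serviceName is baremetalsolution.googleapis.com, and summarizes them. The sample entries are constructed: the project, principals, timestamps, and method names are made up, but the field layout follows the LogEntry and AuditLog shape described above.

```python
from datetime import datetime
from typing import Optional

BMS_SERVICE = "baremetalsolution.googleapis.com"
AUDIT_LOG_PREFIX = "cloudaudit.googleapis.com%2F"
# logName suffix -> kind of audit log ("%2F" is how "/" appears inside logName).
AUDIT_KINDS = {
    "activity": "Admin Activity",
    "data_access": "Data Access",
    "system_event": "System Event",
    "policy": "Policy Denied",
}

# Constructed sample entries (project, principals, times and methods are made up).
SAMPLE_ENTRIES = [
    {
        "logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Fdata_access",
        "resource": {"type": "audited_resource",
                     "labels": {"service": BMS_SERVICE, "method": "ListInstances"}},
        "timestamp": "2024-03-01T10:15:00Z",
        "protoPayload": {
            "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
            "serviceName": BMS_SERVICE,
            "methodName": "ListInstances",
            "authenticationInfo": {"principalEmail": "alice@example.com"},
            "resourceName": "projects/example-project/locations/us-central1",
        },
    },
    {   # Admin Activity entry for the same service
        "logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Factivity",
        "resource": {"type": "audited_resource",
                     "labels": {"service": BMS_SERVICE, "method": "ResetInstance"}},
        "timestamp": "2024-03-01T10:16:30Z",
        "protoPayload": {
            "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
            "serviceName": BMS_SERVICE,
            "methodName": "ResetInstance",
            "authenticationInfo": {"principalEmail": "bob@example.com"},
            "resourceName": "projects/example-project/locations/us-central1/instances/srv-1",
        },
    },
    {   # Audit entry from another service: must be filtered out
        "logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Factivity",
        "resource": {"type": "gce_instance", "labels": {}},
        "timestamp": "2024-03-01T10:17:00Z",
        "protoPayload": {
            "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
            "serviceName": "compute.googleapis.com",
            "methodName": "v1.compute.instances.insert",
            "authenticationInfo": {"principalEmail": "carol@example.com"},
        },
    },
    {   # Not an audit log at all: no cloudaudit prefix and no protoPayload
        "logName": "projects/example-project/logs/syslog",
        "resource": {"type": "gce_instance", "labels": {}},
        "timestamp": "2024-03-01T10:18:00Z",
        "textPayload": "constructed non-audit line",
    },
]


def audit_kind(log_name: str) -> Optional[str]:
    """Return the audit log kind encoded in logName, or None if not an audit log."""
    _, _, leaf = log_name.rpartition("/logs/")
    if not leaf.startswith(AUDIT_LOG_PREFIX):
        return None
    return AUDIT_KINDS.get(leaf[len(AUDIT_LOG_PREFIX):])


def parse_entry(entry: dict) -> Optional[dict]:
    """Flatten one LogEntry into the fields a reviewer looks at first."""
    kind = audit_kind(entry.get("logName", ""))
    payload = entry.get("protoPayload")
    if kind is None or not payload:
        return None
    return {
        "kind": kind,
        "service": payload.get("serviceName"),
        "method": payload.get("methodName"),
        "principal": payload.get("authenticationInfo", {}).get("principalEmail"),
        "resource_type": entry.get("resource", {}).get("type"),
        "target": payload.get("resourceName"),
        "time": datetime.fromisoformat(entry["timestamp"].replace("Z", "+00:00")),
    }


def bms_audit_events(entries: list) -> list:
    """Keep only bare metal solution audit entries, oldest first."""
    out = [p for p in map(parse_entry, entries) if p and p["service"] == BMS_SERVICE]
    return sorted(out, key=lambda p: p["time"])


def summarize(events: list) -> dict:
    """Count events per audit kind, e.g. to see how much Data Access volume is written."""
    counts = {}
    for e in events:
        counts[e["kind"]] = counts.get(e["kind"], 0) + 1
    return counts
```

The service filter is applied on protoPayload.serviceName rather than on the resource type, because audited_resource is shared by many services and on its own does not identify bare metal solution activity.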
Enable audit logging
Data Access audit logs are disabled by default and are not written unless explicitly enabled.
Permissions and roles
A user's ability to access audit log data in Google Cloud resources is determined by IAM permissions and roles. Consider the following when deciding which logging-specific permissions and roles to apply to your use case:
To give read-only access to Admin Activity, Policy Denied, and System Event audit logs only, use the Logs Viewer role (roles/logging.viewer).
The Private Logs Viewer role (roles/logging.privateLogViewer) includes the permissions in roles/logging.viewer plus the ability to read Data Access audit logs in the _Required and _Default buckets. Note that if private logs are stored in user-defined buckets, any user with permission to read logs in those buckets can also read those private logs.
Route audit logs
Audit logs can be routed to supported destinations in the same way as other kinds of logs. The following are reasons a user might want to route their audit logs:
If the user wishes to keep audit logs for a longer period of time, the user can route copies of their audit logs to Cloud Storage or Pub/Sub. Using Pub/Sub, the user can route them on to other applications or third parties.
If the user wants to manage audit logs across an entire organization, the user can create aggregated sinks that route logs from any or all cloud projects in the organization.
If the user's enabled Data Access audit logs are pushing the user's cloud projects over their log allotments, the user can create sinks that exclude the Data Access audit logs from Logging.
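The three routing cases above come down to a sink's destination, its inclusion filter, and its exclusion filters. The Python below, added as an example and not part of the article or of Cloud Logging itself, simulates how such sinks route sample entries: an archive sink that keeps audit logs in Cloud Storage but excludes Data Access logs, and a Pub/Sub sink that forwards only bare metal solution audit logs to a third party. Only a deliberately small subset of the Logging filter syntax is supported (field:"substring" and field="exact" terms joined by AND), and the entries, sink names, bucket, and topic are constructed for this example.

```python
import re

# One filter term: field, operator (":" substring or "=" exact), quoted value.
TERM_RE = re.compile(r'(\S+?)(:|=)"([^"]*)"')

# The exclusion described in the text: drop Data Access audit logs from a sink.
DATA_ACCESS_EXCLUSION = 'logName:"cloudaudit.googleapis.com%2Fdata_access"'

# Constructed minimal entries (only the fields the filters touch).
SAMPLE_ENTRIES = [
    {"logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Factivity",
     "protoPayload": {"serviceName": "baremetalsolution.googleapis.com"}},
    {"logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Fdata_access",
     "protoPayload": {"serviceName": "baremetalsolution.googleapis.com"}},
    {"logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Factivity",
     "protoPayload": {"serviceName": "compute.googleapis.com"}},
]

# Constructed sink definitions; the destination formats are the ones Cloud
# Logging uses for Cloud Storage and Pub/Sub, the bucket and topic names are made up.
SAMPLE_SINKS = [
    {"name": "retain-audit",
     "destination": "storage.googleapis.com/example-audit-archive",
     "filter": 'logName:"cloudaudit.googleapis.com"',
     "exclusions": [DATA_ACCESS_EXCLUSION]},
    {"name": "bms-to-partner",
     "destination": "pubsub.googleapis.com/projects/example-project/topics/bms-audit",
     "filter": 'protoPayload.serviceName="baremetalsolution.googleapis.com"',
     "exclusions": []},
]


def lookup(entry: dict, dotted: str):
    """Resolve a dotted field path such as protoPayload.serviceName."""
    cur = entry
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches(entry: dict, filter_expr: str) -> bool:
    """True if every term in the AND-joined filter matches the entry."""
    terms = TERM_RE.findall(filter_expr)
    if not terms:
        return True  # an empty filter matches everything
    for field, op, value in terms:
        actual = lookup(entry, field)
        if actual is None:
            return False
        if op == "=" and actual != value:
            return False
        if op == ":" and value not in str(actual):
            return False
    return True


def route(entry: dict, sink: dict):
    """Return the sink destination if the entry is routed there, else None.
    An exclusion filter that matches wins over the inclusion filter."""
    if not matches(entry, sink["filter"]):
        return None
    if any(matches(entry, ex) for ex in sink["exclusions"]):
        return None
    return sink["destination"]


def route_all(entries: list, sinks: list) -> list:
    """For each entry, the names of the sinks that would receive it."""
    return [[s["name"] for s in sinks if route(e, s)] for e in entries]


if __name__ == "__main__":
    for entry, targets in zip(SAMPLE_ENTRIES, route_all(SAMPLE_ENTRIES, SAMPLE_SINKS)):
        print(entry["logName"].rsplit("/", 1)[-1], "->", targets or "dropped")
```

Running it shows the Data Access entry reaching only the partner sink, which is the behaviour the third reason above relies on: the exclusion trims the archive's volume without touching the feed that explicitly wants every bare metal solution audit log.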
Frequently Asked Questions
Mention any two cases where you can use a bare metal solution.
You can use a bare metal solution to run third-party virtualization software, and to run applications that require low-level access to the server.
What are the two types of storage volume snapshots?
The two types of storage volume snapshots are OS boot volume and data volume.
What is the use of Cloud IAM?
Cloud IAM is used to grant bare metal solution permissions to users and administrators.
Conclusion
In this article, we have discussed advanced concepts of the bare metal solution in detail.
After reading about bare metal solutions, are you not excited to read and explore more articles on AWS? Don't worry; Coding Ninjas has you covered with articles on the difference between GCP and AWS, why to get certified by AWS, and how to prepare for AWS certification.
If you wish to enhance your skills in Data Structures and Algorithms, Competitive Programming, JavaScript, etc., you should check out our Guided path column at Coding Ninjas Studio. We at Coding Ninjas Studio organize many contests in which you can participate. You can also prepare for the contests and test your coding skills by giving the mock test series available. In case you have just started the learning process, and your dream is to crack major tech giants like Amazon, Microsoft, etc., then you should check out the most frequently asked problems and the interview experiences of your seniors that will surely help you in landing a job in your dream company.