How To Integrate GCE with Directory-as-a-Service

Written by Rajat Bhargava on April 1, 2015


Google Compute Engine Is a Game Changer

Google Compute Engine (GCE) is one of the leading Infrastructure-as-a-Service (IaaS) platforms, and is enabling a whole set of businesses to operate in a new way.

With capabilities such as low cost instances and shared core machines to handle long-term workloads, Google provides unique capabilities to their customer base. Companies that used to have on-premise data centers or network infrastructure can shift almost entirely to GCE.

New organizations don’t even need to make the leap into building and managing their own server infrastructure, as GCE becomes their infrastructure on an as-needed basis. The benefits of IaaS are tremendous. Organizations don’t need to invest the time or money to build their own infrastructure.

Indeed, GCE has disrupted the status quo.

Integrating Google Compute Engine into IT

The challenge for most organizations is not how to leverage GCE, but how to integrate it properly into their existing IT processes and organization in order to create a so-called “hybrid” environment.

GCE for many of these organizations ends up being an adjunct to their infrastructure, rather than being integrated into it, because GCE often lives outside the traditional on-premise processes and systems.

For other organizations that don’t have an existing infrastructure, GCE ends up being a core part of their network infrastructure. However, IT admins still may treat it as separate and distinct from their on-premise network or SaaS applications, again, potentially limiting the benefits they could get from GCE.

To get the full value out of GCE, companies need to integrate Google Compute Engine into the IT organization’s core processes and systems.

Directory services are arguably the place to start to bring GCE into the IT fold. Whether you have an existing directory or not, both the GCE server users and your other users and IT resources need to be centrally controlled and managed. There are a number of reasons for this:

  • Centralized user control minimizes mistakes – There should be one central system to add, terminate, or modify user privileges. Having multiple locations where users can be managed is asking for mistakes. A user may be terminated in one system, but not another. Or, a user may not have all of the access they need, causing additional IT support requests.
  • Controlling user access enhances security – GCE server users will potentially be accessing mission critical applications and data. A terminated user that retains access to a core GCE server is a security risk. Further, a central directory services system ensures that there is a central place to audit access control, which is a requirement for many security regulations.
  • One point of truth increases IT/user efficiency – With the number of devices and IT applications rising, users need more tools than ever to do their jobs. Manually connecting users to all of the resources they need is time consuming. Helping users reset their passwords, manage their keys, or keep their accounts secure ends up costing IT admins a lot of time.

A central directory service solves a number of needs within any organization. Connecting that directory to your GCE environment integrates it into your core IT processes.

Google Compute Engine and Directory Services

So how do you actually connect GCE to directory services? Because the GCE environment is in the cloud and not on-premise, linking the two presents some interesting technical problems. If an organization has an existing directory, it often does not expose it to the Internet or allow Internet-facing systems to route to the directory. This is done for security reasons. Nor do all directories connect easily to all platforms. For instance, connecting a Linux system to Active Directory is not trivial. These technical challenges and others generally force GCE users to manage users manually.

With the advent of Directory-as-a-Service® (DaaS) solutions, the process of connecting GCE resources to a directory is now simple and straightforward. There are two scenarios to review:

  1. The case of connecting GCE to an existing Active Directory user store
  2. The path of managing GCE with a new user directory

1—Connecting GCE to an Existing Active Directory

DaaS solutions (often referred to as a cloud-based directory) such as JumpCloud bridge a company’s existing AD user store to GCE by mirroring users in a cloud-based directory through a small agent that lives on the AD server. The cloud-based directory is kept in sync with AD to ensure that any changes are automatically reflected in the DaaS solution. From there, the DaaS solution is connected to the GCE servers either via an agent or a simple config pointing to the DaaS solution as the authentication point (via LDAP). As a result, the cloud-based directory now contains all of the users that need access to GCE and a mechanism to control authentication and authorization on those GCE servers.

Note that with the DaaS agent, IT admins can also manage GCE servers, gaining the ability to centrally execute tasks via commands or scripts. Access control can be enforced through the native user access controls of each platform or via LDAP.

Once the cloud-based directory is connected to AD and the GCE servers, the process to manage server access control is straightforward. A list of users appears in the DaaS console. These users can easily and quickly be connected to GCE servers, one at a time or in bulk through groups. Simple clicks in the interface provision or deprovision access. Finer-grained controls can set up and manage groups or admin/root/sudo level access. It should be noted that any changes in AD automatically flow through to the GCE server fleet. For example, a user that is terminated in AD is automatically terminated on all GCE servers.

Connecting GCE to your on-premise Active Directory user store can simplify your user management, increase security, and provide greater control of employee access to sensitive data.

To learn more about connecting GCE to AD, click here.

2—Connecting GCE to a New Directory

Some organizations, like new businesses or startups, do not have a central directory such as AD or LDAP. Others don’t want to co-mingle their GCE users with their central user store, as in the case of outsourced development firms needing access to GCE. In both of these instances, creating a new directory from scratch is the right answer, but choosing a SaaS-based directory service may well be an easier, more cost-effective path.

Apart from being able to bridge AD to the cloud, DaaS solutions also have the ability to create and fully run directory services in the cloud. IT admins look at DaaS as a plug-and-play directory services module for their GCE infrastructure. Users are populated in the cloud-based directory through an easy-to-use web interface. From there, GCE servers are connected to the cloud-based directory. The servers can be connected via a lightweight agent that is installed on each server or by configuring the server to connect to the DaaS solution via LDAP. Both methods provide for authentication and authorization control over user access.
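The LDAP path described above, as an added example that is not JumpCloud’s own configuration: an SSSD configuration for a Linux GCE server that authenticates against a cloud directory. The endpoint, organization identifier, bind account and group name are hypothetical placeholders; the security-relevant settings are LDAPS with mandatory certificate verification (credentials cross the Internet), a read-only bind account rather than an admin’s credentials, and a group-based access filter so that being in the directory does not by itself grant a login on the server.

```ini
# /etc/sssd/sssd.conf  (mode 0600, owned by root; all values below are hypothetical)
[sssd]
services = nss, pam
domains = cloud-directory

[domain/cloud-directory]
id_provider = ldap
auth_provider = ldap

# LDAPS only: the directory is reached over the Internet, so a plain ldap:// URI
# would expose every login password. "demand" fails closed on a bad certificate.
ldap_uri = ldaps://ldap.example-daas.test:636
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt

ldap_schema = rfc2307bis
ldap_search_base = o=EXAMPLE-ORG-ID,dc=example-daas,dc=test
ldap_user_search_base = ou=Users,o=EXAMPLE-ORG-ID,dc=example-daas,dc=test
ldap_group_search_base = ou=Users,o=EXAMPLE-ORG-ID,dc=example-daas,dc=test

# Dedicated read-only service account for the directory lookup, never a human
# admin's credentials. The file permissions above are what protect this password.
ldap_default_bind_dn = uid=gce-ldap-bind,ou=Users,o=EXAMPLE-ORG-ID,dc=example-daas,dc=test
ldap_default_authtok = CHANGE-ME-bind-password

# Authorization: only members of this directory group may log in to this server.
# Removing a user from the group (or deprovisioning them upstream in AD) closes
# access at the next login attempt without touching the server.
access_provider = simple
simple_allow_groups = gce-prod-admins

# Short cache so offline logins survive a brief directory outage but a
# terminated user's cached credentials do not linger for days.
cache_credentials = true
entry_cache_timeout = 600
enumerate = false
```

After `systemctl restart sssd`, `getent passwd <directory-user>` should resolve a group member and `id <non-member>` should still resolve (the user exists) while an SSH login for that non-member is denied by the access filter.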

If IT admins also desire management control over the GCE server fleet, the agent provides this capability. Commands or scripts written in any language supported by the server can be executed on each server. They can be triggered ad hoc, scheduled, or triggered by events. Workflows involving multiple sets of servers can also be created, and triggered by a remote webhook.

Another critical capability of DaaS is multi-factor authentication on Linux servers. With major organizations keeping their most critical digital assets on GCE servers, adding another layer of access control can be a smart step. The second factor is provided by Google Authenticator on a user’s smartphone.
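As an added example of the second factor described above, not the DaaS agent’s own implementation: the open-source `libpam-google-authenticator` PAM module enforcing a TOTP code from the Google Authenticator app on SSH logins to a Linux server, with the directory password from SSSD as the first factor. The file layout is Debian/Ubuntu’s; the sshd directive names are those of OpenSSH at the time of writing.

```text
# /etc/pam.d/sshd
# First factor: the distribution's common-auth stack, which includes pam_sss
# (the directory password) once SSSD is configured.
@include common-auth

# Second factor: time-based code from the Google Authenticator app. The secret
# lives in ~/.google_authenticator, created when the user runs `google-authenticator`.
# Do NOT add "nullok" on production hosts: it lets any user without an enrolled
# secret skip the second factor entirely.
auth required pam_google_authenticator.so

# /etc/ssh/sshd_config (relevant directives only)
# Route logins through PAM's interactive conversation so the module can prompt
# for the code. Plain password authentication is disabled because it hands PAM a
# single password and can never satisfy the TOTP prompt.
UsePAM yes
ChallengeResponseAuthentication yes
PasswordAuthentication no
# Newer OpenSSH releases spell the second directive KbdInteractiveAuthentication.
```

Validate with `sshd -t` before reloading, and keep an existing root session open while testing so a misconfiguration does not lock every admin out of the server.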

Connecting GCE to a strong cloud-based directory automates a number of the manual user management steps, increases security, and locks down control over your GCE infrastructure.

Learn More About Integrating Google Compute Engine

By connecting your GCE cloud servers to directory services, your organization has the opportunity to fully leverage GCE while ensuring that access is securely controlled. DaaS solutions like JumpCloud are enabling this GCE to directory connection. If you would like to learn more about how you can take your GCE infrastructure to the next level, drop JumpCloud a note here.

Rajat Bhargava

Rajat Bhargava is an entrepreneur, investor, author, and CEO and co-founder of JumpCloud. An MIT graduate with over two decades of high-tech experience, Rajat is a ten-time entrepreneur with six exits including two IPOs and four trade sales.
