Last reviewed 2025-01-23 UTC
With the handover pattern, the architecture is based on using Google Cloud-provided storage services to connect a private computing environment to projects in Google Cloud. This pattern applies primarily to setups that follow the analytics hybrid multicloud architecture pattern, where:
- Workloads that run in a private computing environment or in another cloud upload data to shared storage locations. Depending on the use case, uploads might happen in bulk or in smaller increments.
- Workloads hosted on Google Cloud or other Google services (for example, data analytics and artificial intelligence services) consume data from the shared storage locations and process it in a streaming or batch fashion.
Architecture
The following diagram shows a reference architecture for the handover pattern.
The preceding architecture diagram shows the following workflows:
- On the Google Cloud side, you deploy workloads into an application VPC. These workloads can include data processing, analytics, and analytics-related frontend applications.
- To securely expose frontend applications to users, you can use Cloud Load Balancing or API Gateway.
- A set of Cloud Storage buckets or Pub/Sub queues receives the data uploaded from the private computing environment and makes it available for further processing by workloads deployed in Google Cloud. Using Identity and Access Management (IAM) policies, you can restrict access to trusted workloads.
- Use VPC Service Controls to restrict access to services and to minimize the risk of unauthorized data exfiltration from Google Cloud services.
- In this architecture, communication with Cloud Storage buckets, or Pub/Sub, is conducted over public networks, or through private connectivity using VPN, Cloud Interconnect, or Cross-Cloud Interconnect. Typically, the decision on how to connect depends on several aspects, such as the following:
  - Expected traffic volume
  - Whether the setup is temporary or permanent
  - Security and compliance requirements
Variation
The design options outlined in the gated ingress pattern, which uses Private Service Connect endpoints for Google APIs, can also be applied to this pattern. Specifically, those endpoints provide access to Cloud Storage, BigQuery, and other Google service APIs. This approach requires private IP addressing over a hybrid and multicloud network connection such as VPN, Cloud Interconnect, or Cross-Cloud Interconnect.
Best practices
- Lock down access to Cloud Storage buckets and Pub/Sub topics.
- When applicable, use cloud-first, integrated data movement solutions such as the Google Cloud suite of data movement solutions. These solutions are designed to efficiently move, integrate, and transform data to meet the needs of your use case.
- Assess the different factors that influence the data transfer options, such as cost, expected transfer time, and security. For more information, see Evaluating your transfer options.
- To minimize latency and prevent high-volume data transfer and movement over the public internet, consider using Cloud Interconnect or Cross-Cloud Interconnect, including accessing Private Service Connect endpoints within your Virtual Private Cloud for Google APIs.
- To protect Google Cloud services in your projects and to mitigate the risk of data exfiltration, use VPC Service Controls. These service controls can specify service perimeters at the project or VPC network level.
  - You can extend service perimeters to a hybrid environment over an authorized VPN or Cloud Interconnect. For more information about the benefits of service perimeters, see Overview of VPC Service Controls.
- Communicate with publicly published data analytics workloads that are hosted on VM instances through an API gateway, a load balancer, or a virtual network appliance. Use one of these communication methods for added security and to avoid making these instances directly reachable from the internet.
- If internet access is required, Cloud NAT can be used in the same VPC to handle outbound traffic from the instances to the public internet.
- Review the general best practices for hybrid and multicloud networking topologies.
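The architecture section says IAM policies should restrict the handover buckets and topics to trusted workloads, and the first best practice is to lock that access down. The following audit check is an added example (not code from the Google Cloud documentation) that applies those two points to an IAM policy in the shape returned by the getIamPolicy APIs: it flags public principals, identities outside a trusted allowlist, and roles far broader than a producer or consumer needs. The service accounts, project IDs, and both policies are constructed for the example; the same function applies to a Pub/Sub topic policy, since bucket and topic policies share the binding shape.

```python
"""Audit the IAM policy of a handover location (Cloud Storage bucket or
Pub/Sub topic) against an allowlist of trusted workload identities.
Policies use the JSON shape returned by the getIamPolicy APIs:
{"bindings": [{"role": ..., "members": [...]}, ...]}.
Every identity, project and policy below is constructed for this example."""

PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

# Roles that grant far more than a handover location needs. Assumption:
# producers only write objects or publish, consumers only read or subscribe.
OVERLY_BROAD_ROLES = {"roles/owner", "roles/editor",
                      "roles/storage.admin", "roles/pubsub.admin"}


def audit_policy(policy, trusted_members):
    """Return (severity, role, member, reason) findings; [] means locked down."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                findings.append(("HIGH", role, member, "public principal"))
            elif member not in trusted_members:
                findings.append(("MEDIUM", role, member,
                                 "identity not in the trusted allowlist"))
            if role in OVERLY_BROAD_ROLES:
                findings.append(("HIGH", role, member, "overly broad role"))
    return findings


# Constructed allowlist: the on-premises uploader and the Google Cloud ETL job.
TRUSTED = {"serviceAccount:uploader@onprem-proj.iam.gserviceaccount.com",
           "serviceAccount:etl@analytics-proj.iam.gserviceaccount.com"}

# Constructed bucket policy that was opened up during onboarding.
WEAK_BUCKET_POLICY = {"bindings": [
    {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
    {"role": "roles/storage.admin", "members": ["user:analyst@example.com"]},
    {"role": "roles/storage.objectCreator",
     "members": ["serviceAccount:uploader@onprem-proj.iam.gserviceaccount.com"]},
]}

# The same bucket locked down: one writer, one reader, least-privilege roles.
HARDENED_BUCKET_POLICY = {"bindings": [
    {"role": "roles/storage.objectCreator",
     "members": ["serviceAccount:uploader@onprem-proj.iam.gserviceaccount.com"]},
    {"role": "roles/storage.objectViewer",
     "members": ["serviceAccount:etl@analytics-proj.iam.gserviceaccount.com"]},
]}
```

Run `audit_policy` over the JSON output of `gcloud storage buckets get-iam-policy` or `gcloud pubsub topics get-iam-policy` with `--format=json` to check real handover locations; the weak policy above yields three findings and the hardened one yields none.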