Introduction to Preemptible & Shielded Virtual Machines in Google Cloud

Published: 14 December 2020
on channel: Decode ITES

#DecodeITeS

Google Cloud Platform provides two special types of VM (Compute Engine) instance in addition to the standard one. They are special because of their different characteristics and pricing. The two types are:

Preemptible VM Instances
Shielded VM Instances


Preemptible VM instances

Preemptible instances are short-lived VM instances that you can create and run at a much lower price than standard instances. They run on spare Compute Engine capacity that your project does not otherwise own. When Compute Engine needs that capacity back for other workloads, it shuts the instance down (preempts it) and reassigns the resources.

Compute Engine can preempt these instances at any time when it needs the capacity, and it always terminates them after they have run for 24 hours. Stopping and restarting a preemptible instance resets the 24-hour counter. On preemption the instance receives a shutdown signal and gets 30 seconds to run its shutdown script before it is stopped, so anything that has not been checkpointed by then is lost.

Because preemptible instances depend on spare capacity, there is no guarantee that capacity is available: creating or starting one can fail when none is free.

Preemptible instances cannot live migrate to a regular instance and are not covered by any SLA (they are excluded from the Compute Engine SLA).

Google Cloud's free credits (the Free Tier credit for Compute Engine) do not apply to preemptible instances.

If you run a premium OS image (for example Windows) on a preemptible instance, the premium image licence is still charged at its normal rate; only the VM itself is discounted.

Preemptible instances can have Local SSD and GPUs attached, but these are billed in addition to the VM (at the preemptible rates for those resources).

In short, preemptible instances are instant to create, expendable, fixed in price and reclaimed as soon as Compute Engine needs the capacity. They suit users who want to run a lot of work cheaply at a fixed price and whose workloads (batch jobs, fault-tolerant or checkpointed processing) can tolerate being interrupted.
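The preemption behaviour described above in working form, as an added example that is not code from the original video or from Google: a shell script that creates a preemptible instance with a shutdown script which, inside the 30-second window Compute Engine grants on preemption, reads the metadata server's `instance/preempted` value and syncs a checkpoint directory to Cloud Storage. The zone, instance name, bucket and checkpoint directory are assumptions; the gcloud call only runs when the script is invoked with `create`, so the helper functions can be tested offline.

```shell
#!/bin/sh
# Added example, not from the original page. Creates a preemptible VM whose
# shutdown script checkpoints work to Cloud Storage when the VM is preempted.
# Assumed values (change to your own): zone, instance name, bucket, directory.
ZONE="us-central1-a"
INSTANCE="batch-worker-1"
BUCKET="gs://example-checkpoints"        # assumed bucket name
CHECKPOINT_DIR="/var/checkpoints"        # assumed location of in-progress work

# The metadata server tells a shutting-down VM whether it is being preempted:
# .../instance/preempted returns the string TRUE or FALSE.
# Returns 0 (true) when the value indicates preemption, 1 otherwise.
preempted_from_metadata() {
  case "$1" in
    TRUE) return 0 ;;
    *)    return 1 ;;
  esac
}

# Decide what a shutdown script should do given the metadata value.
# Prints "checkpoint" for a preemption and "clean" for an ordinary stop.
shutdown_action() {
  if preempted_from_metadata "$1"; then
    echo checkpoint
  else
    echo clean
  fi
}

# Write the shutdown script that will run on the VM. On preemption Compute
# Engine gives the script 30 seconds, so it only does a fast rsync; the real
# workload should write checkpoints continuously, not at shutdown time.
write_shutdown_script() {
  out="$1"
  cat > "$out" <<EOF
#!/bin/sh
PREEMPTED=\$(curl -s -H "Metadata-Flavor: Google" \\
  "http://metadata.google.internal/computeMetadata/v1/instance/preempted")
if [ "\$PREEMPTED" = "TRUE" ]; then
  # Preempted: flush whatever is on disk within the 30-second window.
  gsutil -m rsync -r "$CHECKPOINT_DIR" "$BUCKET/\$(hostname)/"
else
  # Ordinary stop (for example user-initiated): normal cleanup only.
  sync
fi
EOF
  chmod +x "$out"
  echo "$out"
}

# Create the preemptible instance with the shutdown script attached as
# metadata; --preemptible is the flag that selects this VM type, and the
# storage-rw scope lets the shutdown script write to the bucket.
create_preemptible_vm() {
  script=$(write_shutdown_script "$(mktemp)")
  gcloud compute instances create "$INSTANCE" \
    --zone "$ZONE" \
    --preemptible \
    --scopes storage-rw \
    --metadata-from-file shutdown-script="$script"
}

# Only talk to gcloud when explicitly asked, so the functions above can be
# sourced and tested without credentials.
if [ "${1:-}" = "create" ]; then
  create_preemptible_vm
fi
```

The shutdown script is deliberately small: a 30-second budget is enough to copy a few files, not to finish a job, so the workload itself must write checkpoints as it goes and the script only flushes the last one.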

Shielded VM
Shielded VMs are virtual machines on Google Cloud with an additional security layer. They protect VM instances against threats such as remote attacks, privilege escalation, boot- or kernel-level malware, rootkits and malicious insiders by verifying the integrity of the boot chain on every boot.
 
Shielded VMs get this protection from Secure Boot, Measured Boot, a virtual Trusted Platform Module (vTPM), UEFI firmware and integrity monitoring.

How does a Shielded VM add a security layer?
Secure Boot
Secure Boot ensures that only authorized software runs on the system by verifying the digital signature of every boot component and halting the boot process if any signature check fails.
Shielded VM instances run on Unified Extensible Firmware Interface (UEFI) 2.3.1 firmware, which provides the Secure Boot capability. The firmware itself is signed and verified using Google's Certificate Authority, so the instance's firmware is known to be unmodified; that verified firmware is the root of trust from which Secure Boot starts.

On each boot, the UEFI firmware checks the digital signature of each boot component against a secure store of approved keys. Any component that is not properly signed, or not signed at all, is not allowed to run. When that happens the VM does not boot, and the serial console shows the errors "UEFI: Failed to load image" and "Status: Security Violation". Note that Secure Boot is disabled by default on Shielded VMs (vTPM and integrity monitoring are enabled by default) because it also blocks unsigned third-party drivers and kernel modules, so you must turn it on explicitly and make sure the guest only uses signed modules.

Virtual Trusted Platform Module (vTPM)
A vTPM is a virtualized Trusted Platform Module: a TPM 2.0 compatible device presented to the VM that protects keys and secrets and records the measurements taken during boot. Two processes build on it: Measured Boot records what was loaded, and integrity monitoring compares those records with a known-good baseline.
Measured Boot hashes each boot component (firmware, bootloader, kernel, drivers) in the order it loads and extends a register in the vTPM with each hash, folding the new hash together with the previous register value. The final value therefore depends on every component and on the order in which they ran. The value recorded at the instance's first boot is stored as the integrity policy baseline, the "last good boot", and it can be re-learned later after a deliberate update.
Integrity monitoring compares each boot's measurements with that baseline. It is split into an early boot check (from the start of the firmware until control passes to the bootloader) and a late boot check (from the bootloader until control passes to the OS kernel); both results are written to Cloud Logging as integrity events, and you can raise a Cloud Monitoring alert when a check fails. The measurement changes whenever a component is modified, removed or added, or when components load in a different order, so a legitimate kernel update also fails the check until the baseline is updated.
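What the hash chaining above means in practice, as an added example that is not from the original video: a shell simulation of how Measured Boot extends a register, new = SHA-256(old || SHA-256(component)), over an ordered list of boot components, and how integrity monitoring compares the result with a baseline. It shows that changing, dropping or reordering a component gives a different final value. The component names and contents are constructed stand-ins, not real firmware, and the register is carried as hex for readability where a real TPM concatenates raw bytes.

```shell
#!/bin/sh
# Added example, not from the original page: simulate the measured-boot
# "extend" chain that a TPM/vTPM uses. The component names and contents
# below are constructed stand-ins for real boot components.

# Portable SHA-256 of stdin as lowercase hex (tries the usual tools).
sha256_hex() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum | cut -d' ' -f1
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 | cut -d' ' -f1
  else
    openssl dgst -sha256 | sed 's/^.* //'
  fi
}

# Extend a register value with one component:
#   new = SHA-256( old_hex || SHA-256(component) )
# A TPM PCR works the same way: it can only be extended, never set, so the
# final value depends on every component and on the order they ran in.
extend() {
  old="$1"
  component_hash=$(printf '%s' "$2" | sha256_hex)
  printf '%s%s' "$old" "$component_hash" | sha256_hex
}

# Run the chain over an ordered list of components (one per argument),
# starting from the all-zero register a TPM has at reset. Prints the final value.
measure_boot() {
  reg="0000000000000000000000000000000000000000000000000000000000000000"
  for c in "$@"; do
    reg=$(extend "$reg" "$c")
  done
  echo "$reg"
}

# Compare the current measurement with the stored "last good boot" baseline,
# which is what integrity monitoring does. Prints PASS or FAIL.
check_integrity() {
  if [ "$1" = "$2" ]; then echo PASS; else echo FAIL; fi
}

# Constructed boot sequence: firmware, bootloader, kernel, initrd.
BASELINE=$(measure_boot "uefi-firmware v1" "shim v15" "vmlinuz-5.10" "initrd-5.10")

# Identical sequence: PASS.
check_integrity "$BASELINE" "$(measure_boot "uefi-firmware v1" "shim v15" "vmlinuz-5.10" "initrd-5.10")"
# Modified kernel: FAIL.
check_integrity "$BASELINE" "$(measure_boot "uefi-firmware v1" "shim v15" "vmlinuz-5.10-tampered" "initrd-5.10")"
# Missing component: FAIL.
check_integrity "$BASELINE" "$(measure_boot "uefi-firmware v1" "vmlinuz-5.10" "initrd-5.10")"
# Same components, different order: FAIL (a chain is order-sensitive).
check_integrity "$BASELINE" "$(measure_boot "uefi-firmware v1" "vmlinuz-5.10" "shim v15" "initrd-5.10")"
```

The order sensitivity is the point of using a chain rather than a set of hashes: an attacker who can run the same components in a different order (for example, loading a bootkit before the real bootloader) still changes the final value.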

Features of Shielded VMs
Verifiable integrity through Secure Boot and Measured Boot.
The vTPM can generate and protect encryption keys and other secrets for the guest operating system (for example by shielding or sealing them).
Shielded VMs run on UEFI firmware (Unified Extensible Firmware Interface), which replaces the legacy BIOS and enables UEFI Secure Boot.
Integrity measurements identify changes between the "healthy" baseline of your VM and its current boot state. Cloud Logging and Cloud Monitoring let you log those states and alert on them.
Live migration and patching keep your instances running when a host system event occurs, such as a software or hardware update.
Cloud IAM permissions and organization policy let you control who may use Shielded VM disk images and require that new instances are created with the vTPM and integrity monitoring options enabled.
The option to shield existing VM images (by marking them UEFI-compatible) helps you migrate existing VMs to Shielded VMs.
Shielded VM is free: there is no separate charge for using Shielded VMs.
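How the options above are switched on and watched, as an added example that is not code from the original video or from Google: guarded gcloud commands that create a Shielded VM with Secure Boot, vTPM and integrity monitoring enabled and re-learn the integrity baseline after a deliberate kernel update, plus a small triage function run over constructed Cloud Logging integrity events. The JSON lines are made up for the example (one event per line is assumed, as after a line-delimited export), and the zone and instance name are assumptions; the gcloud calls only run when the script is given `create`, `relearn` or `read`.

```shell
#!/bin/sh
# Added example, not from the original page. Assumed names: zone, instance.
ZONE="us-central1-a"
INSTANCE="shielded-web-1"

# Create a Shielded VM with all three protections on. vTPM and integrity
# monitoring are on by default; Secure Boot is off by default because it
# blocks unsigned kernel modules and drivers, so request it explicitly.
create_shielded_vm() {
  gcloud compute instances create "$INSTANCE" \
    --zone "$ZONE" \
    --shielded-secure-boot \
    --shielded-vtpm \
    --shielded-integrity-monitoring
}

# After a kernel or bootloader update you made on purpose, the next boot will
# legitimately differ from the baseline. Re-learn it from the current state.
relearn_baseline() {
  gcloud compute instances update "$INSTANCE" \
    --zone "$ZONE" \
    --shielded-learn-integrity-policy
}

# Logging filter for boots that failed the integrity policy (early or late boot).
INTEGRITY_FAILURE_FILTER='jsonPayload.@type="type.googleapis.com/cloud_integrity.IntegrityEvent" AND (jsonPayload.earlyBootReportEvent.policyEvaluationPassed=false OR jsonPayload.lateBootReportEvent.policyEvaluationPassed=false)'

read_integrity_failures() {
  gcloud logging read "$INTEGRITY_FAILURE_FILTER" --format=json
}

# Triage exported integrity events offline: read JSON lines on stdin and print
# the instance id of every event whose policyEvaluationPassed is false.
# Plain grep/sed so it works without jq; one event per line is assumed.
failed_integrity_instances() {
  grep '"policyEvaluationPassed": *false' \
  | sed -n 's/.*"instance_id": *"\([^"]*\)".*/\1/p'
}

# Constructed sample export (made up for this example, not real log data).
SAMPLE_EVENTS='{"resource":{"labels":{"instance_id":"1111","zone":"us-central1-a"}},"jsonPayload":{"@type":"type.googleapis.com/cloud_integrity.IntegrityEvent","lateBootReportEvent":{"policyEvaluationPassed":true}}}
{"resource":{"labels":{"instance_id":"2222","zone":"us-central1-a"}},"jsonPayload":{"@type":"type.googleapis.com/cloud_integrity.IntegrityEvent","earlyBootReportEvent":{"policyEvaluationPassed":false}}}
{"resource":{"labels":{"instance_id":"3333","zone":"us-central1-a"}},"jsonPayload":{"@type":"type.googleapis.com/cloud_integrity.IntegrityEvent","lateBootReportEvent":{"policyEvaluationPassed":false}}}'

# Only call gcloud when explicitly asked; by default run the offline triage.
case "${1:-}" in
  create)  create_shielded_vm ;;
  relearn) relearn_baseline ;;
  read)    read_integrity_failures ;;
  *)       printf '%s\n' "$SAMPLE_EVENTS" | failed_integrity_instances ;;
esac
```

Run without arguments it prints the ids of the two instances whose boot failed the policy (2222 and 3333). Treat a failure as an incident until you can tie it to a change you made; only then re-learn the baseline, otherwise you are teaching the policy to accept the tampered state.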

