HTTPS traffic enters via Cloud Load Balancer to private app services. Pub/Sub and Storage trigger GPU GKE workers in an isolated AI subnet, with private SQL and controlled egress via Cloud NAT.
High-Level Overview

Public Access: The only public entry point is HTTPS through a Cloud Load Balancer, which routes traffic to backend services inside a private VPC.

Private Networking: All compute and data services live inside a VPC (Virtual Private Cloud) divided into two subnets:
App Subnet (10.0.1.0/24): web and backend workloads
AI Subnet (10.0.2.0/24): machine learning and GPU workloads

🧩 Components Breakdown

🌐 App Subnet
Backend API: Runs on Cloud Run or GKE, accessible only via private IPs within the VPC.
React Frontend: Hosted via Cloud Storage + CDN for performance and scalability.
Cloud SQL (MySQL): Private IP access only, so database traffic never leaves the VPC.
Cloud Storage (Input Bucket): Stores input data for AI workloads.
Pub/Sub (Input Topic): Event-driven communication between the app and AI subsystems.

🤖 AI Subnet
GKE GPU Workers: GPU-enabled nodes for heavy AI processing (e.g., inference or training tasks).
Gemini API: AI service that consumes data from Pub/Sub and may egress via Cloud NAT for controlled outbound access.
Cloud Storage (Output Bucket): Secure output location for processed AI data.
Pub/Sub (Response Topic): Asynchronous communication back to the app or downstream consumers.

🌩️ Network Security
Private Access Only: No direct internet exposure for compute or data components.
Cloud NAT Gateway: Managed, outbound-only internet access (for updates, external APIs, etc.), granted only to approved components such as the Gemini API; Cloud NAT never accepts inbound connections.
HTTPS Only Ingress: All external communication is encrypted in transit.

✅ Key Benefits
Strong isolation between web and AI workloads.
Private communication within the VPC (no public IPs).
Scalability via GKE and Pub/Sub decoupling.
Compliance-ready design with least-privilege access and managed services.
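An added Terraform example (not part of this template) of the two-subnet layout and the egress control described above: Cloud NAT is attached to the AI subnet only, and the firewall admits inbound traffic solely from Google's load-balancer proxy and health-check ranges on 443. The region us-central1, all resource names and the "app" network tag are assumptions; the CIDRs are the ones in the description.

```hcl
# Added example, not the template's own code. Region, names and the "app" tag are assumptions.
resource "google_compute_network" "vpc" {
  name                    = "app-ai-vpc"
  auto_create_subnetworks = false
}
resource "google_compute_subnetwork" "app" {
  name                     = "app-subnet"
  ip_cidr_range            = "10.0.1.0/24"
  region                   = "us-central1"
  network                  = google_compute_network.vpc.id
  private_ip_google_access = true # reach Storage/Pub/Sub/SQL APIs without public IPs
}
resource "google_compute_subnetwork" "ai" {
  name                     = "ai-subnet"
  ip_cidr_range            = "10.0.2.0/24"
  region                   = "us-central1"
  network                  = google_compute_network.vpc.id
  private_ip_google_access = true
}
# Cloud NAT is attached to the AI subnet only; the app tier gets no internet egress at all.
resource "google_compute_router" "nat" {
  name    = "ai-egress-router"
  region  = "us-central1"
  network = google_compute_network.vpc.id
}
resource "google_compute_router_nat" "ai_egress" {
  name                               = "ai-egress-nat"
  router                             = google_compute_router.nat.name
  region                             = "us-central1"
  nat_ip_allocate_option             = "AUTO_ONLY"
  source_subnetwork_ip_ranges_to_nat = "LIST_OF_SUBNETWORKS" # not ALL_SUBNETWORKS
  subnetwork {
    name                    = google_compute_subnetwork.ai.id
    source_ip_ranges_to_nat = ["ALL_IP_RANGES"]
  }
}
# Only Google's LB proxy and health-check ranges may reach tagged app nodes on 443;
# the VPC's implied deny-ingress rule blocks every other inbound connection.
resource "google_compute_firewall" "allow_lb_to_app" {
  name          = "allow-lb-to-app"
  network       = google_compute_network.vpc.name
  direction     = "INGRESS"
  source_ranges = ["130.211.0.0/22", "35.191.0.0/16"]
  target_tags   = ["app"]
  allow {
    protocol = "tcp"
    ports    = ["443"]
  }
}
```

Network tags apply to GKE nodes and VMs; a Cloud Run backend is reached through a serverless NEG instead and needs ingress restricted to "internal and Cloud Load Balancing" on the service itself.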
about 2 months ago
I appreciate the thoroughness of your architecture design, particularly in terms of security and network isolation. However, one significant tradeoff I see is the reliance on Cloud NAT for outbound internet access, specifically for your GKE GPU workers and the Gemini API.
Santhosh S
@sardyshan