Cloud Workstations are a platform providing managed programming environments in Google Cloud. Let’s explore how they work, what they offer, and who can benefit from them.
How do Google Cloud Workstations work?
Cloud Workstations offer built-in security and configurable programming environments accessible through browser-based IDEs, local code editors like VSCode or JetBrains IDE, or via SSH. You don’t need to install software or run installation scripts.
These workstations run on temporary virtual machines. They can be started or stopped as needed to optimise costs. When workstations are stopped, the Compute Engine virtual machines are removed, and all runtime environment data associated with the workstation is deleted along with the virtual machine.
In the workstation configuration, administrators can set up a persistent home directory allowing storage of data between sessions. This persistent storage is implemented as a durable disk attached to the workstation virtual machine upon session start and detached upon session end. Any changes to the workstation configuration are automatically applied to workstations upon the next launch.
Managing development environments with Cloud Workstations
To manage environments, Cloud Workstations provide a number of functions.
- Administrators can create workstation clusters defining a group of workstations in a specific region and VPC network. Note that workstation clusters are not related to Google Kubernetes Engine (GKE) clusters.
- Administrators can create one or more workstation configurations within each workstation cluster, serving as templates for workstations. These configurations define details such as VM instance type, persistent storage, container image, IDE or code editor, and more.
- Admins can use IAM rules to grant access to individual developers or teams.
- Developers have the ability to create workstations defining programming environments, including Cloud IDE, programming language tools, libraries, and other features.
Using container images
Developers interact with the Cloud Workstations environment using a container image hosting the IDE and related tools. They provide several pre-configured base images containing popular IDEs and programming language tools.
Moreover, users can customize their environments by creating and specifying custom container images containing necessary tools meeting their programming needs. These custom container images can extend the base Cloud Workstations image or be entirely new Linux container images created from scratch. Custom container images can also run SSH servers on any port.
Security in Cloud Workstations
Cloud Workstations are part of the Software Delivery Shield solution, a fully managed comprehensive security solution for software delivery pipelines. This solution helps enhance the security of developer workflows and tools, software dependencies, CI/CD systems used for software creation and deployment, as well as runtime environments like Google Kubernetes Engine and Cloud Run.
The base editor in Cloud Workstations supports writing, compiling, testing, debugging, and running applications. It is built on the open-source Code-OSS project and supports IDE extensions from the Open VSX Registry. Additionally, the Cloud Code IDE extension is pre-installed with the base editor.
The base editor contains a pre-configured version control system. It works with public, private and individually hosted repositories, as long as they are accessible from the workstation.
Debugging apps in Cloud Workstations
Developers can debug Go, Node.js, Python, and Java applications in Cloud Workstations. They can create run configurations, set breakpoints, and inspect variables. It is also possible to debug Kubernetes applications on a local cluster like minikube or Docker Desktop, a remote GKE cluster, or any other cloud provider.
Developer workstations offer pre-configured images with JetBrains IDEs, including pre-installed images for IntelliJ IDEA, PyCharm, GoLand, WebStorm, CLion, PhpStorm, Rider, and RubyMine with the Cloud Code extension.
Benefits of Cloud Workstations
Cloud Workstations can mount Filestore Network File System (NFS) instances located in the same VPC network. Multiple workstations can share a Filestore instance.
By integrating Chrome OS with GCP Cloud Workstations, users can access a virtual desktop environment hosted on Google Cloud Platform from their Chromebooks. A virtual workstation allows users to run resource-intensive applications and work with large datasets without worrying about local hardware limitations.
The integration also provides a secure computing environment because all data and applications are hosted on GCP. This means that even if you lose your Chromebook, your data on the cloud workstation remains secure. Chrome OS integration with Google Cloud Workstations offers users efficient, secure, and consistent environments.
Best security practices for Cloud Workstations
Automatic updates of base images
Cloud Workstations offer pre-configured base images that can be used with the service. These images are subject to weekly updates to ensure that the included software has the latest security patches. The service also utilises a default runtime timeout to ensure automatic updates, and outdated images are not running.
Understanding vulnerability prioritisation
Although Google Cloud does not own all packages included in pre-configured images, package managers can prioritise updates based on how a vulnerability or Common Vulnerabilities and Exposures (CVE) impacts their product. In some cases, a product might only use a portion of a library and may be independent of discoveries in other parts. Despite CVE findings from image vulnerability scans, Cloud Workstations can still provide a secure product due to these factors.
Cloud Workstations maintain security through an authentication and authorisation system that ensures only designated developers have access to their workstations. This helps prevent unauthorised access and maintain the confidentiality of a developer’s work.
Trusted code sources
Developers should follow best practices when using Cloud Workstations, similar to any other customizable development environments. To ensure maximum security, developers should only run trusted code, operate only on trusted input data, and access only trusted domains.
It is not advisable to use workstations to host production servers or share a single workstation among multiple developers.
For greater control over the security of workstation images in an organisation, it’s possible to create custom container images. This allows customisation of the image to specific security needs and requirements.
In addition to the aforementioned best practices, here are some expert Cloud engineer recommendations.
Disable public IP
Disable public IP addresses on cloud workstations and configure firewall rules to restrict access to public destinations on the internet not required for daily work. If you disable public IP addresses, configure Private Google Access or Cloud NAT in your network.
When using Private Google Access and using private.googleapis.com or restricted.googleapis.com for Container Registry and Artifact Registry, make sure you configure DNS records for the domains .gcr.io and .pkg.dev.
Limit SSH access
To further enhance security, limit direct SSH access to virtual machines in the project hosting the workstations. Access should only be possible through the Cloud Workstations gateway, which enforce Identity and Access Management (IAM) policies. You can also enable VPC Flow Logs.
VPC Service Controls
Configuring VPC Service Controls can provide additional security for workstations and help reduce the risk of data exfiltration. By adding projects to service perimeters, you can protect resources and services from requests originating outside the perimeter.
Restrict Compute Engine API
Finally, it’s important to restrict the Compute Engine API in the service perimeter every time the Cloud Workstations API is restricted to fully secure Cloud Workstations.
Pre-configured base images
Cloud Workstations provide pre-configured base images that have a minimal environment with an IDE, basic Linux terminal, programming language support, and an sshd server.
To customise the programming environment, custom container images can be created that extend these base images with pre-installed tools and dependencies and run automation scripts.
We also recommend setting up a pipeline to automatically rebuild custom images and using container scanning tools like Container Analysis to check for additional dependencies.
Users are responsible for maintaining and updating custom packages and dependencies added to custom images.
Using own container images
Users can use their own container image or external container images as long as they are based on Linux and run a blocking process when the container is launched.
Customising Docker images
When customising Docker images for workstation configurations, it’s possible to install in the base image JetBrains IDE and JetBrains plugins, such as Cloud Code for IntelliJ. After creating and testing a custom container image locally, it needs to be “pushed” to the container registry. If the image is hosted in a private repository, make sure the configuration specifies a service account with “pull” permissions to download from the repository.
Learn more about Cloud Workstations
By using Cloud Workstations, you enhance the security of your development environments, while increasing their efficiency. If you want to learn more about this and other Google Cloud solutions, get in touch with FOTC experts.