paas

Author: alelapi

docs/gcp/paas-serverless/anthos.md

@@ -0,0 +1,359 @@
+# Anthos
+
+## Core Concepts
+
+Anthos is a hybrid and multi-cloud application platform built on Kubernetes. Enables consistent development and operations across on-premises, GCP, AWS, and Azure.
+
+**Key Principle**: Write once, run anywhere; consistent K8s experience across environments.
+
+## Anthos Components
+
+| Component | Purpose | Key Feature |
+|-----------|---------|-------------|
+| **GKE/Anthos clusters** | Kubernetes clusters | Anywhere (on-prem, clouds) |
+| **Anthos Config Management** | Policy and config | GitOps, multi-cluster sync |
+| **Anthos Service Mesh** | Service-to-service communication | Traffic management, security |
+| **Cloud Run for Anthos** | Serverless on K8s | Knative-based |
+| **Anthos on VMware/Bare Metal** | On-premises K8s | Run on existing infrastructure |
+
+## When to Use Anthos
+
+### ✅ Use Anthos When
+
+- Hybrid cloud strategy (on-prem + cloud)
+- Multi-cloud deployment needed
+- Existing on-premises infrastructure
+- Kubernetes standardization across environments
+- Modernizing VMs to containers gradually
+- Need consistent policy enforcement
+- Service mesh requirements
+
+### ❌ Don't Use Anthos When
+
+- GCP-only deployment → GKE sufficient
+- Simple applications → Cloud Run
+- No Kubernetes needed → App Engine, Cloud Functions
+- Not ready for containerization → Compute Engine
+- Budget-constrained (Anthos has licensing cost)
+
+## Deployment Options
+
+### GKE (Google Cloud)
+
+**Benefits**: Fully managed, latest features, easiest
+
+**Use case**: Cloud-native applications on GCP
+
+### Anthos on VMware
+
+**Architecture**: Run GKE on VMware vSphere
+
+**Benefits**:
+
+- Use existing VMware investment
+- Keep data on-premises (compliance)
+- Hybrid cloud connectivity
+
+**Requirements**: vSphere 6.7+, sufficient resources
+
+### Anthos on Bare Metal
+
+**Architecture**: Run GKE directly on physical servers
+
+**Benefits**:
+
+- No hypervisor overhead
+- Edge computing scenarios
+- Cost savings (no VMware licenses)
+
+**Requirements**: Qualified hardware, network configuration
+
+### Anthos on AWS/Azure
+
+**Purpose**: Consistent K8s across clouds
+
+**Benefits**: Multi-cloud strategy, avoid lock-in
+
+**Limitations**: Additional complexity, cost
+
+## Anthos Config Management (ACM)
+
+### Purpose
+
+Centralized configuration and policy management for multiple clusters using GitOps.
+
+### Key Features
+
+**Policy Controller**:
+
+- Enforce policies across clusters
+- Based on Open Policy Agent (OPA)
+- Examples: Require labels, restrict registries, enforce resource limits
+
+**Config Sync**:
+
+- Sync configs from Git to clusters
+- Single source of truth
+- Automatic reconciliation
+- Namespace and cluster-scoped configs
+
+### GitOps Workflow
+
+```
+Git Repository (configs) → Config Sync → Multiple clusters apply configs
+```
+
+**Benefits**: Version control, audit trail, declarative, automated
+
+### Common Policies
+
+- Require specific labels
+- Enforce namespace quotas
+- Restrict container registries
+- Require pod security policies
+- Enforce naming conventions
+
+## Anthos Service Mesh (ASM)
+
+### Purpose
+
+Managed service mesh for observability, security, and traffic management.
+
+### Architecture
+
+Based on Istio, fully managed by Google
+
+**Components**:
+
+- **Control Plane**: Managed by Google
+- **Data Plane**: Envoy sidecars in pods
+
+### Features
+
+**Traffic Management**:
+
+- Load balancing
+- Circuit breaking
+- Retries and timeouts
+- Canary deployments
+- Traffic splitting
+
+**Security**:
+
+- mTLS between services (automatic)
+- Authorization policies
+- Service-to-service auth
+- Certificate management
+
+**Observability**:
+
+- Service topology visualization
+- Distributed tracing
+- Metrics and logs
+- Service-level objectives (SLOs)
+
+### Use Cases
+
+- Microservices communication
+- Zero-trust security
+- Canary deployments
+- Service observability
+- Multi-cluster service mesh
+
+## Cloud Run for Anthos
+
+**Purpose**: Serverless containers on your GKE clusters
+
+**Benefits**:
+
+- Knative-based
+- Auto-scaling (including to zero)
+- Simplified deployment
+- Use existing GKE clusters
+
+**vs Cloud Run**: Same developer experience, runs on your infrastructure
+
+**Use case**: Serverless on-premises or in specific clusters
+
+## Architecture Patterns
+
+### Hybrid Application
+
+```
+On-prem (Anthos on VMware): Legacy systems + databases
+GCP (GKE): Modern microservices
+Connected via: VPN/Interconnect + Anthos Service Mesh
+```
+
+**Benefits**: Gradual migration, keep sensitive data on-prem
+
+### Multi-Region HA
+
+```
+GKE Cluster (us-central1)
+GKE Cluster (europe-west1)
+GKE Cluster (asia-east1)
+Managed by: Anthos Config Management
+Service Mesh: Cross-cluster communication
+```
+
+### Edge Computing
+
+```
+Anthos on Bare Metal (retail stores/factories)
+Central GKE (cloud)
+Sync: Anthos Config Management
+```
+
+**Use case**: Low latency, local data processing, offline capability
+
+### Multi-Cloud
+
+```
+GKE (GCP) + EKS via Anthos (AWS) + AKS via Anthos (Azure)
+Unified: Config Management + Service Mesh
+```
+
+**Benefits**: Avoid vendor lock-in, geographic coverage, redundancy
+
+## Migrate to Containers (M4C)
+
+**Purpose**: Migrate VMs to containers running on GKE/Anthos
+
+**Process**:
+
+1. Discover and assess VMs
+2. Generate migration plan
+3. Convert VM to container
+4. Deploy to GKE/Anthos
+5. Optimize containerized workload
+
+**Use case**: Modernize legacy applications, VM to container migration
+
+## Security Features
+
+### Binary Authorization
+
+**Purpose**: Enforce only trusted container images deployed
+
+**How**: Cryptographic signatures on images, attestation checks
+
+**Use case**: Compliance, supply chain security
+
+### Policy Controller
+
+**Purpose**: Enforce organizational policies on clusters
+
+**Examples**:
+
+- Only approved container registries
+- Required labels on resources
+- Prohibited capabilities
+- Resource quotas
+
+### Service Mesh Security
+
+**mTLS**: Automatic encryption between services
+**Authorization**: Fine-grained access control
+**Certificate Management**: Automated, no manual cert handling
+
+### Workload Identity
+
+**Purpose**: Kubernetes service accounts → Google service accounts
+
+**Benefits**: Secure access to GCP services, no keys in pods
+
+## Cost Considerations
+
+**Anthos Licensing**:
+
+- Per-vCPU pricing for on-premises
+- Included with GKE on GCP
+- Additional cost for multi-cloud
+
+**Infrastructure Costs**:
+
+- GKE: Standard GCP compute pricing
+- On-premises: Your hardware + VMware licenses (if applicable)
+- Network: Interconnect, VPN, egress
+
+**Optimization**:
+
+- Right-size clusters
+- Use Autopilot GKE (managed)
+- Optimize workload placement
+- Monitor with recommendations
+
+## Monitoring and Operations
+
+### Cloud Monitoring
+
+- Cluster metrics
+- Application metrics
+- Service mesh metrics
+- Custom metrics
+
+### Cloud Logging
+
+- Cluster logs
+- Application logs
+- Audit logs
+- Centralized logging
+
+### Service Mesh Observability
+
+- Service topology
+- Request rates
+- Latencies
+- Error rates
+- SLI/SLO tracking
+
+## Exam Focus
+
+### Core Concepts
+
+- What is Anthos (hybrid/multi-cloud K8s platform)
+- Components (GKE, Config Mgmt, Service Mesh)
+- When to use vs GKE alone
+- Deployment options (VMware, bare metal, clouds)
+
+### Use Cases
+
+- Hybrid cloud (on-prem + cloud)
+- Multi-cloud strategy
+- Edge computing
+- Gradual VM-to-container migration
+
+### Architecture
+
+- Hybrid application design
+- Multi-cluster management
+- Service mesh benefits
+- GitOps with Config Management
+
+### Config Management
+
+- Policy enforcement
+- Config sync
+- GitOps workflow
+- Multi-cluster consistency
+
+### Service Mesh
+
+- mTLS between services
+- Traffic management
+- Observability
+- Security policies
+
+### Security
+
+- Binary Authorization
+- Policy Controller
+- Workload Identity
+- Zero-trust networking
+
+### Migration
+
+- Migrate to Containers (M4C)
+- VM to container modernization
+- Gradual migration strategy