GCP Deployment
1. Overview
All gateway components are deployed on Google Cloud Platform (GCP). This document covers the deployment topology, resource sizing, domain configuration, and operational procedures.
2. GCP Projects
| Project | Purpose | Environment |
|---|---|---|
| peak-gateway-staging | Development and staging | Staging |
| peak-gateway-prod | Production workloads | Production |
Both projects are in the same GCP organization, under the Myriad Ventures/Peak billing account.
3. Deployment Topology
```text
                                 Internet
                                     │
                         ┌───────────┴──────────┐
                         │      Cloud DNS       │
                         │   *.peakgateway.co   │
                         └───────────┬──────────┘
                                     │
                         ┌───────────┴──────────┐
                         │ Cloud Load Balancer  │
                         │     (Global L7)      │
                         │    + Cloud Armor     │
                         └───────────┬──────────┘
                                     │
            ┌────────────────────────┼────────────────────────┐
            │                        │                        │
 ┌──────────┴──────────┐  ┌──────────┴──────────┐  ┌──────────┴──────────┐
 │ api.peakgateway.co  │  │ pay.peakgateway.co  │  │    internal-only    │
 └──────────┬──────────┘  └──────────┬──────────┘  └──────────┬──────────┘
            │                        │                        │
 ┌──────────┴────────────────────────┴────────────────────────┴──────────┐
 │   VPC (10.0.0.0/24)                                                   │
 │                                                                       │
 │   ┌───────────────────────────────────────────────────────────────┐   │
 │   │  Private services                                             │   │
 │   │                                                               │   │
 │   │  Cloud Spanner (CMEK)                                         │   │
 │   │  Cloud Pub/Sub                                                │   │
 │   │  Secret Manager                                               │   │
 │   │  Identity Platform                                            │   │
 │   └───────────────────────────────────────────────────────────────┘   │
 └───────────────────────────────────────────────────────────────────────┘
```
4. Resource Sizing
Cloud Run Services
| Service | Staging | Production |
|---|---|---|
| processing | 1 CPU, 1Gi, 0 to 5 instances | 2 CPU, 2Gi, 1 to 20 instances |
| management | 1 CPU, 1Gi, 0 to 5 instances | 1 CPU, 1Gi, 1 to 20 instances |
| online-txn | 1 CPU, 1Gi, 0 to 5 instances | 2 CPU, 2Gi, 1 to 20 instances |
| auth | 1 CPU, 1Gi, 0 to 5 instances | 1 CPU, 1Gi, 1 to 20 instances |
| merchant-onboarding | 1 CPU, 1Gi, 0 to 5 instances | 1 CPU, 1Gi, 1 to 20 instances |
| status | 1 CPU, 1Gi, 0 to 5 instances | 1 CPU, 1Gi, 1 to 20 instances |
Cloud Spanner
| Property | Staging | Production |
|---|---|---|
| Instance Config | regional-us-central1 | regional-us-central1 |
| Processing Units | 100 PU | 1000 PU (1 Node) |
| Multi-regional | No | No (Single region HA) |
| Backups | Daily, 7-day retention | Daily, 7-day retention |
5. Domain & DNS Configuration
| Domain | Points To | Purpose |
|---|---|---|
| api.peakgateway.co | Cloud Run (via LB) | Management, Auth, Status |
| pay.peakgateway.co | Cloud Run (via LB) | Online Transaction Service |
Cloud Load Balancer URL Map (api.peakgateway.co)

| Path | Backend service |
|---|---|
| /auth/* | gateway-auth |
| /management/* | gateway-management |
| /status/* | gateway-status |
| default | gateway-management |

Cloud Load Balancer URL Map (pay.peakgateway.co)

| Path | Backend service |
|---|---|
| /online-txn/* | gateway-online-txn |
| default | gateway-online-txn |
NOTE: The `gateway-processing` and `gateway-merchant-onboarding` services have no external routes. Both are reachable only internally via service-to-service calls on the VPC's internal load balancer: their Cloud Run ingress is set to `INGRESS_TRAFFIC_INTERNAL_LOAD_BALANCER`, and neither is listed in `externally_routed_services` in `infra/terraform/main.tf`. Be aware that `INGRESS_TRAFFIC_INTERNAL_LOAD_BALANCER` also admits traffic forwarded by Google Cloud load balancers, the external global one included, so it is the absence of a URL-map path rule, not the ingress setting on its own, that keeps these two services off the internet; the Cloud Armor rule at priority 850 is defence in depth behind that. See Ops > Internal-Only Services for the verification checklist.
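The internal-only verification described in the note, as an added example that is not part of the project's tooling: the script takes the service list in the Cloud Run Admin API shape (either the v2 `name`/`ingress` fields, or the v1 `metadata.annotations` form with the `run.googleapis.com/ingress` annotation, which is the shape I assume `gcloud run services list --format=json` prints) together with the URL-map path rules, and reports any service that is reachable from the internet without being in the externally routed set, any front-door service whose ingress would let clients bypass the load balancer and Cloud Armor through the default run.app URL, and any URL-map rule that points at a service meant to stay internal. The membership of `EXTERNALLY_ROUTED` is assumed from the URL maps above; the service objects and routes are constructed sample data, including one deliberate misconfiguration of each kind.

```python
"""Check that only the services the load balancer is meant to expose are
reachable from outside the VPC.

Added example, not the project's own tooling. Accepts Cloud Run service
objects in the v2 shape (name/ingress) or the v1 knative shape
(metadata.name + run.googleapis.com/ingress annotation). Sample data at the
bottom is constructed for illustration.
"""
import json
import sys

# Assumed to mirror externally_routed_services in infra/terraform/main.tf:
# the four services that appear in the URL maps.
EXTERNALLY_ROUTED = {
    "gateway-auth", "gateway-management", "gateway-status", "gateway-online-txn",
}

# Ingress settings that keep a service off the public internet by themselves.
INTERNAL_INGRESS = {
    "INGRESS_TRAFFIC_INTERNAL_ONLY",
    "INGRESS_TRAFFIC_INTERNAL_LOAD_BALANCER",
}

# v1 annotation value -> v2 enum. Cloud Run defaults to "all" when unset.
_V1_INGRESS = {
    "all": "INGRESS_TRAFFIC_ALL",
    "internal": "INGRESS_TRAFFIC_INTERNAL_ONLY",
    "internal-and-cloud-load-balancing": "INGRESS_TRAFFIC_INTERNAL_LOAD_BALANCER",
}


def normalize(svc):
    """Return (short service name, v2 ingress enum) for a v1 or v2 service object."""
    if "metadata" in svc:  # v1 / knative shape (assumed gcloud JSON output)
        meta = svc["metadata"]
        annotation = meta.get("annotations", {}).get("run.googleapis.com/ingress", "all")
        return meta["name"], _V1_INGRESS.get(annotation, "INGRESS_TRAFFIC_ALL")
    # v2 names are fully qualified: projects/.../locations/.../services/<name>
    return svc["name"].rsplit("/", 1)[-1], svc.get("ingress", "INGRESS_TRAFFIC_ALL")


def audit(services, url_map_routes, externally_routed=EXTERNALLY_ROUTED):
    """Return a sorted list of (service, problem) findings.

    services:       list of Cloud Run service objects (v1 or v2 shape)
    url_map_routes: list of (host, path_prefix, backend_service) tuples
    """
    findings = []
    seen = set()
    for svc in services:
        name, ingress = normalize(svc)
        seen.add(name)
        if name in externally_routed:
            # Front-door services must only take traffic that came through the
            # load balancer; INGRESS_TRAFFIC_ALL lets clients hit the default
            # *.run.app URL and skip Cloud Armor entirely.
            if ingress != "INGRESS_TRAFFIC_INTERNAL_LOAD_BALANCER":
                findings.append((name, f"externally routed but ingress is {ingress}"))
        elif ingress not in INTERNAL_INGRESS:
            findings.append((name, f"internal-only service exposes ingress {ingress}"))
    for host, path, backend in url_map_routes:
        # A URL-map rule is what actually puts a service on the internet, so
        # every backend must be allow-listed and must exist.
        if backend not in externally_routed:
            findings.append((backend, f"url map routes {host}{path} to a non-public service"))
        if backend not in seen:
            findings.append((backend, f"url map routes {host}{path} to an unknown service"))
    return sorted(findings)


# Constructed sample: gateway-merchant-onboarding was left on
# INGRESS_TRAFFIC_ALL and someone added a path rule for it.
_PREFIX = "projects/peak-gateway-prod/locations/us-central1/services/"
SAMPLE_SERVICES = [
    {"name": _PREFIX + "gateway-auth", "ingress": "INGRESS_TRAFFIC_INTERNAL_LOAD_BALANCER"},
    {"name": _PREFIX + "gateway-management", "ingress": "INGRESS_TRAFFIC_INTERNAL_LOAD_BALANCER"},
    {"name": _PREFIX + "gateway-status", "ingress": "INGRESS_TRAFFIC_INTERNAL_LOAD_BALANCER"},
    {"name": _PREFIX + "gateway-online-txn", "ingress": "INGRESS_TRAFFIC_INTERNAL_LOAD_BALANCER"},
    {"name": _PREFIX + "gateway-processing", "ingress": "INGRESS_TRAFFIC_INTERNAL_LOAD_BALANCER"},
    {"name": _PREFIX + "gateway-merchant-onboarding", "ingress": "INGRESS_TRAFFIC_ALL"},
]
SAMPLE_ROUTES = [
    ("api.peakgateway.co", "/auth/*", "gateway-auth"),
    ("api.peakgateway.co", "/management/*", "gateway-management"),
    ("api.peakgateway.co", "/status/*", "gateway-status"),
    ("pay.peakgateway.co", "/online-txn/*", "gateway-online-txn"),
    ("api.peakgateway.co", "/onboard/*", "gateway-merchant-onboarding"),  # constructed mistake
]

if __name__ == "__main__":
    # Pass a file holding `gcloud run services list --format=json` output to
    # audit real services; routes still come from SAMPLE_ROUTES here.
    services = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_SERVICES
    problems = audit(services, SAMPLE_ROUTES)
    for name, problem in problems:
        print(f"{name}: {problem}")
    sys.exit(1 if problems else 0)
```

Run it with no arguments to see the two findings the constructed sample contains; with a path to saved gcloud JSON it audits the real service list. A non-zero exit code makes it usable as a CI gate next to `terraform plan`.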
6. Cloud Armor WAF Rules
Cloud Armor is configured with the following rules:
| Priority | Rule | Action | Description |
|---|---|---|---|
| 850 | request.path.contains('internal') | Deny (403) | Block public access to internal service routes |
| 900 | evaluatePreconfiguredExpr('cve-canary') | Deny (403) | Block CVE canary patterns |
| 1000 | evaluatePreconfiguredWaf('sqli-v33-stable') | Deny (403) | Block SQL injection attacks |
| 1001 | evaluatePreconfiguredExpr('xss-v33-stable') | Deny (403) | Block cross-site scripting attacks |
| 1002 | evaluatePreconfiguredExpr('lfi-v33-stable') | Deny (403) | Block local file inclusion attacks |
| 1003 | evaluatePreconfiguredExpr('rce-v33-stable') | Deny (403) | Block remote code execution attacks |
| 2000 | Rate Limit (SRC_IPS_V1) | Throttle | 100 req/min per IP |
| 2147483647 | Default | Allow | Default allow all |
7. TLS Certificates
Both hostnames use Google-managed certificates, defined in Terraform:

```hcl
resource "google_compute_managed_ssl_certificate" "gateway" {
  name    = "gateway-gateway-domain-cert"
  project = var.project_id

  managed {
    domains = ["api.peakgateway.co"]
  }
}

resource "google_compute_managed_ssl_certificate" "pay" {
  name    = "gateway-pay-domain-cert"
  project = var.project_id

  managed {
    domains = ["pay.peakgateway.co"]
  }
}
```

A managed certificate only finishes provisioning once the domain's DNS record resolves to the load balancer's forwarding-rule address, so create the Cloud DNS records before (or in the same apply as) the certificate; until then it stays in `PROVISIONING` and the load balancer cannot serve that hostname over TLS.
8. Monitoring & Alerts
Uptime Checks
| Target | Interval | Timeout |
|---|---|---|
| api.peakgateway.co/status/health | 60s | 10s |
| pay.peakgateway.co/online-txn/health | 60s | 10s |
Alert Policies
| Alert | Condition | Notification |
|---|---|---|
| Service down | Uptime check fails 2 consecutive times | PagerDuty (P1) |
| Error rate > 5% | Cloud Run 5xx rate > 5% for 5 minutes | PagerDuty (P2) |
| Latency p95 > 5s | Cloud Run request latency p95 > 5s for 10 minutes | Slack (#gateway-alerts) |
| DB Storage > 80% | Cloud Spanner storage utilization > 80% | Slack (#gateway-alerts) |
| DB CPU > 80% | Cloud Spanner CPU utilization > 80% for 15 minutes | Slack (#gateway-alerts) |
9. Operational Procedures
Deploy New Version
- Merge PR to `main`
- CI builds and tests
- Staging auto-deploys via GitHub Actions
- Verify staging health checks
- Trigger production deploy via GitHub Actions workflow dispatch
- Monitor production health post-deploy
Rollback
```shell
# List revisions
gcloud run revisions list --service gateway-processing --region us-central1 --project peak-gateway-prod

# Route traffic back to previous revision
gcloud run services update-traffic gateway-processing \
  --to-revisions=gateway-processing-PREVIOUS_REVISION=100 \
  --region us-central1 \
  --project peak-gateway-prod
```
Database Migration
- Spanner DDL migrations are applied via versioned SQL files
- Staging runs migrations first
- Production migrations run during the deploy step
- Always backward-compatible migrations
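Because production migrations run inside the deploy step while the previous revision is still serving (and may be rolled back to), "backward-compatible" has to be enforced before the DDL reaches Spanner. As an added example, not the project's migration tooling, here is a lint over the versioned SQL files that rejects statements which drop or tighten something the old revision still uses. The rule set (no `DROP TABLE`/`DROP COLUMN`/`DROP INDEX`, no `ALTER COLUMN`, no `NOT NULL` column added without a `DEFAULT`) is my reading of the requirement for Spanner DDL and is an assumption rather than something this page specifies; the migration files are constructed for illustration.

```python
"""Lint Spanner DDL migration files for statements that are not
backward-compatible with the revision still serving traffic.

Added example, not the project's own tooling. The rules are one reasonable
reading of "always backward-compatible": additive changes only, nothing that
removes or tightens what the previous revision reads and writes. The sample
migration files below are constructed.
"""
import re
import sys
from pathlib import Path

# (pattern on a whitespace-normalised single statement, reason)
RULES = [
    (re.compile(r"^DROP\s+TABLE\b", re.I),
     "DROP TABLE removes data the previous revision still reads"),
    (re.compile(r"^ALTER\s+TABLE\s+\S+\s+DROP\s+COLUMN\b", re.I),
     "DROP COLUMN breaks reads and writes from the previous revision"),
    (re.compile(r"^DROP\s+INDEX\b", re.I),
     "DROP INDEX breaks queries that name it in FORCE_INDEX"),
    (re.compile(r"^ALTER\s+TABLE\s+\S+\s+ALTER\s+COLUMN\b", re.I),
     "ALTER COLUMN changes type or nullability under a running revision"),
    (re.compile(r"^ALTER\s+TABLE\s+\S+\s+ADD\s+COLUMN\b(?!.*\bDEFAULT\b).*\bNOT\s+NULL\b", re.I),
     "ADD COLUMN ... NOT NULL without a DEFAULT rejects writes from the previous revision"),
]


def split_statements(ddl):
    """Strip -- and /* */ comments, split on ';', collapse whitespace."""
    ddl = re.sub(r"--[^\n]*", "", ddl)
    ddl = re.sub(r"/\*.*?\*/", "", ddl, flags=re.S)
    return [" ".join(s.split()) for s in ddl.split(";") if s.strip()]


def lint_migrations(files):
    """files: {filename: ddl_text}. Returns [(filename, statement_no, reason)]
    in filename order, which is version order under the NNN_ prefix convention."""
    findings = []
    for fname in sorted(files):
        for no, stmt in enumerate(split_statements(files[fname]), start=1):
            for pattern, reason in RULES:
                if pattern.search(stmt):
                    findings.append((fname, no, reason))
                    break  # one reason per statement is enough
    return findings


# Constructed sample migrations; 003 is the one that should fail review.
SAMPLE_MIGRATIONS = {
    "001_create_merchants.sql": """
        CREATE TABLE merchants (
          merchant_id STRING(36) NOT NULL,
          legacy_ref  STRING(64),
          created_at  TIMESTAMP NOT NULL OPTIONS (allow_commit_timestamp = true),
        ) PRIMARY KEY (merchant_id);
    """,
    "002_add_status.sql": """
        -- a nullable column and a NOT NULL column with a default are both additive
        ALTER TABLE merchants ADD COLUMN status STRING(16);
        ALTER TABLE merchants ADD COLUMN tier STRING(8) NOT NULL DEFAULT ('standard');
        CREATE INDEX merchants_by_status ON merchants(status);
    """,
    "003_tighten_merchants.sql": """
        /* clean-up after the status rollout: none of these are safe mid-deploy */
        ALTER TABLE merchants DROP COLUMN legacy_ref;
        ALTER TABLE merchants ALTER COLUMN status STRING(16) NOT NULL;
        ALTER TABLE merchants ADD COLUMN region STRING(8) NOT NULL;
    """,
}

if __name__ == "__main__":
    # Pass a directory of versioned .sql files to lint real migrations.
    if len(sys.argv) > 1:
        files = {p.name: p.read_text() for p in sorted(Path(sys.argv[1]).glob("*.sql"))}
    else:
        files = SAMPLE_MIGRATIONS
    problems = lint_migrations(files)
    for fname, no, reason in problems:
        print(f"{fname}: statement {no}: {reason}")
    sys.exit(1 if problems else 0)
```

The destructive half of a change (dropping `legacy_ref`, making `status` mandatory) belongs in a later migration that ships only after every revision still able to write the old shape has been retired; the lint's job is to make that split explicit in CI rather than discovered during a rollback.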
10. Cost Estimates (Monthly)
| Resource | Staging | Production |
|---|---|---|
| Cloud Run | ~$50 | ~$200 to 800 |
| Cloud Spanner | ~$65 | ~$650 |
| Cloud Load Balancer | ~$20 | ~$50 |
| Cloud Armor | ~$5 | ~$5 |
| Artifact Registry | ~$5 | ~$5 |
| Secret Manager | ~$1 | ~$1 |
| Cloud DNS | ~$1 | ~$1 |
| Pub/Sub | ~$1 | ~$10 |
| Total | ~$148 | ~$922 to 1,522 |