{"id":693,"date":"2026-04-15T01:17:53","date_gmt":"2026-04-15T01:17:53","guid":{"rendered":"https:\/\/www.devopsschool.com\/tutorials\/google-cloud-google-distributed-cloud-air-gapped-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-distributed-hybrid-and-multicloud\/"},"modified":"2026-04-15T01:17:53","modified_gmt":"2026-04-15T01:17:53","slug":"google-cloud-google-distributed-cloud-air-gapped-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-distributed-hybrid-and-multicloud","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/tutorials\/google-cloud-google-distributed-cloud-air-gapped-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-distributed-hybrid-and-multicloud\/","title":{"rendered":"Google Cloud Google Distributed Cloud air-gapped Tutorial: Architecture, Pricing, Use Cases, and Hands-On Guide for Distributed, hybrid, and multicloud"},"content":{"rendered":"\n

Category<\/h2>\n\n\n\n

Distributed, hybrid, and multicloud<\/p>\n\n\n\n

1. Introduction<\/h2>\n\n\n\n

Google Distributed Cloud air-gapped is a Google Cloud offering designed to run Google-managed Kubernetes-based infrastructure and workloads in environments that cannot maintain connectivity to Google Cloud or the public internet<\/strong>. It targets disconnected or tightly controlled networks such as defense, intelligence, regulated manufacturing, and critical infrastructure.<\/p>\n\n\n\n

In simple terms: it\u2019s a way to run modern containerized applications (Kubernetes) on-premises in a fully air-gapped environment<\/strong>, while still using Google Cloud\u2019s distributed cloud approach for consistent operations, security, and lifecycle management.<\/p>\n\n\n\n

Technically, Google Distributed Cloud air-gapped is an integrated hardware-and-software solution delivered for customer sites. It provides a Kubernetes platform (Google Kubernetes Engine technology adapted for distributed deployments) and supporting components needed to run clusters locally with offline software delivery and updates. Because it is air-gapped, many workflows you might associate with \u201ccloud\u201d (managed control planes, SaaS-based consoles, direct access to public container registries, online upgrades) must be adapted to disconnected operations.<\/p>\n\n\n\n

What problem it solves:<\/strong> organizations want cloud-native agility (containers, GitOps, policy-as-code, SRE practices) but must meet strict requirements for network isolation, data sovereignty, and compliance. Google Distributed Cloud air-gapped helps bring those practices to disconnected sites without forcing teams to assemble and maintain everything themselves.<\/p>\n\n\n\n

\n

Naming note (verify in official docs): Google has used multiple branding generations in this space (including Anthos). Today, the product family is branded Google Distributed Cloud<\/strong>, with an air-gapped<\/strong> variant for disconnected environments. If you encounter older \u201cAnthos\u201d terminology in legacy documents, treat it as historical branding and confirm the current product scope in the latest Google Cloud documentation.<\/p>\n<\/blockquote>\n\n\n\n

\n\n\n\n

2. What is Google Distributed Cloud air-gapped?<\/h2>\n\n\n\n

Official purpose<\/h3>\n\n\n\n

Google Distributed Cloud air-gapped is intended to provide a Google Cloud\u2013aligned Kubernetes platform<\/strong> for environments where no external connectivity<\/strong> is allowed or practical\u2014while supporting enterprise-grade operational requirements such as patching, upgrades, access controls, and audited change management.<\/p>\n\n\n\n

Core capabilities (high-level)<\/h3>\n\n\n\n
    \n
  • Run containerized workloads on Kubernetes in an air-gapped environment.<\/li>\n
  • Provide standardized cluster lifecycle operations (provisioning, upgrades, node management) using offline procedures.<\/li>\n
  • Support enterprise operations: access control, policy enforcement, logging\/monitoring (local), and workload isolation patterns.<\/li>\n
  • Enable consistent platform practices across distributed sites (to the extent possible without internet connectivity).<\/li>\n<\/ul>\n\n\n\n

    Because the environment is disconnected, capabilities that require SaaS endpoints or continuous cloud control-plane connectivity are typically not available<\/strong> or are provided through offline\/replicated<\/strong> mechanisms. Always verify feature availability for your specific release and configuration in official docs.<\/p>\n\n\n\n

    Major components (conceptual)<\/h3>\n\n\n\n

    Exact implementation details vary by release; confirm in current documentation. Common components in an air-gapped distributed Kubernetes platform include:<\/p>\n\n\n\n

      \n
    • Customer-site hardware footprint<\/strong>: server nodes (control plane and workers), networking, and storage integration appropriate to the validated hardware configuration for the product.<\/li>\n
    • Kubernetes clusters<\/strong>: the runtime environment for workloads.<\/li>\n
    • Cluster lifecycle tooling<\/strong>: installation and upgrade tooling designed for offline media and controlled change windows.<\/li>\n
    • Local artifact\/image management<\/strong>: an approach for hosting container images and platform artifacts inside the air-gapped network (for example, a private registry that you operate or that is included\u2014verify what is bundled vs required).<\/li>\n
    • Observability components<\/strong>: local logging\/monitoring stack or integrations to your existing on-prem tools; optional export paths if your environment supports it (verify).<\/li>\n
    • Security controls<\/strong>: Kubernetes RBAC, network policies, secrets management patterns, and audit logging; integration options depend on deployment (verify).<\/li>\n<\/ul>\n\n\n\n

      Service type<\/h3>\n\n\n\n
        \n
      • Distributed cloud \/ on-prem managed platform<\/strong> delivered to customer sites.<\/li>\n
      • Operational model is typically appliance-like<\/strong> (hardware + software) with structured support and offline update processes.<\/li>\n<\/ul>\n\n\n\n

        Scope (regional\/global\/zonal\/project-scoped, etc.)<\/h3>\n\n\n\n

        Google Distributed Cloud air-gapped is not a typical \u201cregional managed service\u201d like GKE in Google Cloud regions. Instead, it is primarily:\n– Site-scoped \/ deployment-scoped<\/strong>: each air-gapped installation is tied to a physical location and its local networks.\n– Cluster-scoped<\/strong> for many day-to-day operations (Kubernetes clusters, namespaces, workloads).\n– Tied to a commercial agreement and support model rather than per-project enablement alone.<\/p>\n\n\n\n

        Where Google Cloud projects, billing accounts, or organizations are involved (for procurement, support, licensing, or optional integrations), follow the official product guidance\u2014air-gapped deployments commonly require separate planning<\/strong> for identity, entitlement, and update delivery workflows.<\/p>\n\n\n\n

        Fit within the Google Cloud ecosystem<\/h3>\n\n\n\n

        Google Distributed Cloud air-gapped is part of Google Cloud\u2019s Distributed, hybrid, and multicloud<\/strong> portfolio. It is intended to complement:\n– Google Kubernetes Engine (GKE)<\/strong> for connected cloud environments.\n– Google Cloud\u2019s architecture patterns (GitOps, policy-as-code, zero trust, least privilege).\n– Hybrid designs where some sites are connected and others must be fully disconnected.<\/p>\n\n\n\n

        In practice, the air-gapped variant is used when connectivity to Google Cloud services is restricted or prohibited\u2014so you should treat it as its own operational domain with careful supply-chain and lifecycle planning.<\/p>\n\n\n\n

        \n\n\n\n

        3. Why use Google Distributed Cloud air-gapped?<\/h2>\n\n\n\n

        Business reasons<\/h3>\n\n\n\n
          \n
        • Modernize legacy environments<\/strong> without violating air-gap requirements.<\/li>\n
        • Standardize platforms<\/strong> across multiple sites (factory floors, bases, ships, substations).<\/li>\n
        • Reduce time-to-deliver for new applications through Kubernetes and containerization\u2014without waiting for network policy changes.<\/li>\n
        • Support long-lived environments with controlled update and accreditation processes.<\/li>\n<\/ul>\n\n\n\n

          Technical reasons<\/h3>\n\n\n\n
            \n
          • Run Kubernetes-based workloads<\/strong> in an offline environment.<\/li>\n
          • Support distributed application patterns: local processing, local databases, and local event pipelines.<\/li>\n
          • Provide a structured Kubernetes platform lifecycle rather than a fully bespoke DIY stack.<\/li>\n<\/ul>\n\n\n\n

            Operational reasons<\/h3>\n\n\n\n
              \n
            • Create repeatable operational procedures for:<\/li>\n
            • Provisioning and scaling clusters.<\/li>\n
            • Applying upgrades using offline artifacts.<\/li>\n
            • Enforcing configuration baselines.<\/li>\n
            • Auditing and change management.<\/li>\n<\/ul>\n\n\n\n

              Air-gapped operations shift complexity from \u201calways-online automation\u201d to \u201ccontrolled, offline lifecycle management,\u201d and this service is designed with that constraint in mind.<\/p>\n\n\n\n

              Security\/compliance reasons<\/h3>\n\n\n\n
                \n
              • Support strict network isolation (no direct internet access).<\/li>\n
              • Help meet data residency and sovereignty requirements.<\/li>\n
              • Enable controlled software supply chain practices: validated artifacts, offline scanning, and signed approvals (your process + product capabilities; verify exact mechanisms supported).<\/li>\n<\/ul>\n\n\n\n

                Scalability\/performance reasons<\/h3>\n\n\n\n
                  \n
                • Execute compute close to the data source to reduce latency.<\/li>\n
                • Keep mission-critical workloads operating even when external links are unavailable by design.<\/li>\n<\/ul>\n\n\n\n

                  When teams should choose it<\/h3>\n\n\n\n

                  Choose Google Distributed Cloud air-gapped when:\n– You have a hard air-gap requirement<\/strong> (policy or physical) and need Kubernetes.\n– You need a repeatable platform<\/strong> across one or more disconnected sites.\n– You need supportable lifecycle and security controls without relying on public cloud control planes.<\/p>\n\n\n\n

                  When teams should not choose it<\/h3>\n\n\n\n

                  Avoid it (or reassess) when:\n– You can meet requirements with a connected or partially connected hybrid model; the operational overhead of air-gapped is substantial.\n– Your organization is not prepared to operate:\n – Offline artifact management (images, OS updates, cluster updates),\n – Strict change control,\n – On-site hardware lifecycle and spares.\n– You only need a single small Kubernetes cluster and can manage it with a simpler distribution (after reviewing support and compliance requirements).<\/p>\n\n\n\n

                  \n\n\n\n

                  4. Where is Google Distributed Cloud air-gapped used?<\/h2>\n\n\n\n

                  Industries<\/h3>\n\n\n\n
                    \n
                  • Defense and national security<\/li>\n
                  • Critical infrastructure (energy, utilities)<\/li>\n
                  • Manufacturing and industrial environments<\/li>\n
                  • Healthcare (in tightly controlled environments)<\/li>\n
                  • Financial services (for specific isolated zones)<\/li>\n
                  • Maritime and remote operations (where connectivity is intermittent or prohibited)<\/li>\n<\/ul>\n\n\n\n

                    Team types<\/h3>\n\n\n\n
                      \n
                    • Platform engineering teams building standardized Kubernetes platforms.<\/li>\n
                    • SRE\/operations teams managing always-on, high-assurance environments.<\/li>\n
                    • Security engineering and compliance teams enforcing accreditation boundaries.<\/li>\n
                    • Application teams modernizing workloads for container platforms.<\/li>\n
                    • Edge\/OT (operational technology) teams integrating with factory or facility systems.<\/li>\n<\/ul>\n\n\n\n

                      Workloads<\/h3>\n\n\n\n
                        \n
                      • Mission applications requiring offline operation.<\/li>\n
                      • Data processing at the edge: telemetry aggregation, sensor processing, anomaly detection.<\/li>\n
                      • Local control systems dashboards and APIs.<\/li>\n
                      • Software-defined radios \/ tactical apps (industry-specific).<\/li>\n
                      • On-prem analytics where data cannot leave the site.<\/li>\n<\/ul>\n\n\n\n

                        Architectures<\/h3>\n\n\n\n
                          \n
                        • Disconnected site cluster<\/strong> with local storage and local load balancing.<\/li>\n
                        • Hub-and-spoke operations model<\/strong> where updates and approvals are staged externally then imported via offline media.<\/li>\n
                        • Multi-cluster patterns for separation of duties (platform vs workloads; dev\/test vs prod) at a site.<\/li>\n<\/ul>\n\n\n\n

                          Real-world deployment contexts<\/h3>\n\n\n\n
                            \n
                          • Physically isolated networks with strict ingress\/egress controls.<\/li>\n
                          • Secure facilities where removable media must follow chain-of-custody.<\/li>\n
                          • Sites with limited staff where platform operations must be highly procedural.<\/li>\n<\/ul>\n\n\n\n

                            Production vs dev\/test usage<\/h3>\n\n\n\n
                              \n
                            • Production:<\/strong> common due to strict requirements and criticality.<\/li>\n
                            • Dev\/test:<\/strong> often exists but may be separate from production due to accreditation boundaries; some organizations maintain a connected dev environment and a disconnected prod environment, then promote artifacts through a controlled pipeline.<\/li>\n<\/ul>\n\n\n\n
                              \n\n\n\n

                              5. Top Use Cases and Scenarios<\/h2>\n\n\n\n

                              Below are realistic scenarios where Google Distributed Cloud air-gapped can fit well. Exact feasibility depends on your environment and supported integrations\u2014verify in official docs.<\/p>\n\n\n\n

                              1) Secure on-prem Kubernetes for classified workloads<\/h3>\n\n\n\n
                                \n
                              • Problem:<\/strong> Need Kubernetes for apps handling sensitive data in a disconnected enclave.<\/li>\n
                              • Why this fits:<\/strong> Designed for air-gapped environments with offline lifecycle operations.<\/li>\n
                              • Example:<\/strong> A secure facility runs mission apps and internal APIs on Kubernetes, with updates imported monthly via approved media.<\/li>\n<\/ul>\n\n\n\n

                                2) Factory-floor analytics without cloud connectivity<\/h3>\n\n\n\n
                                  \n
                                • Problem:<\/strong> Plant telemetry must be processed locally; internet access is prohibited.<\/li>\n
                                • Why this fits:<\/strong> Local compute and container orchestration supports rapid deployment of analytics pipelines.<\/li>\n
                                • Example:<\/strong> Edge services aggregate sensor data, generate alerts, and store results on-prem.<\/li>\n<\/ul>\n\n\n\n

                                  3) Critical infrastructure operations in isolated networks<\/h3>\n\n\n\n
                                    \n
                                  • Problem:<\/strong> SCADA-adjacent environments require strict segmentation and offline operation.<\/li>\n
                                  • Why this fits:<\/strong> Provides a standardized platform for modern dashboards and integration services.<\/li>\n
                                  • Example:<\/strong> A utility runs an internal operational portal and data collectors in an air-gapped zone.<\/li>\n<\/ul>\n\n\n\n

                                    4) Distributed sites with standardized platform controls<\/h3>\n\n\n\n
                                      \n
                                    • Problem:<\/strong> Many remote sites need the same baseline platform, configs, and policies.<\/li>\n
                                    • Why this fits:<\/strong> Enables consistent Kubernetes-based deployments across sites (with procedural updates).<\/li>\n
                                    • Example:<\/strong> A transportation organization deploys the same service stack to multiple depots.<\/li>\n<\/ul>\n\n\n\n

                                      5) Modernizing legacy apps in a disconnected enclave<\/h3>\n\n\n\n
                                        \n
                                      • Problem:<\/strong> Legacy services must remain on-prem and isolated but need modernization.<\/li>\n
                                      • Why this fits:<\/strong> Kubernetes provides a controlled path to containerization and incremental refactoring.<\/li>\n
                                      • Example:<\/strong> A monolith is decomposed into services deployed in namespaces with network policies.<\/li>\n<\/ul>\n\n\n\n

                                        6) On-site CI runner execution in an air-gapped environment<\/h3>\n\n\n\n
                                          \n
                                        • Problem:<\/strong> Builds must occur inside the enclave; external CI tools cannot connect.<\/li>\n
                                        • Why this fits:<\/strong> Kubernetes can host runners\/build agents and internal artifact repositories.<\/li>\n
                                        • Example:<\/strong> A Git server and CI runners build images, push to a local registry, deploy to clusters.<\/li>\n<\/ul>\n\n\n\n

                                          7) Offline ML inference at the edge (no external calls)<\/h3>\n\n\n\n
                                            \n
                                          • Problem:<\/strong> Need local inference with controlled model updates.<\/li>\n
                                          • Why this fits:<\/strong> Containerized inference services can be deployed and scaled locally.<\/li>\n
                                          • Example:<\/strong> Video analytics inference runs on-site; models are updated via monthly approved releases.<\/li>\n<\/ul>\n\n\n\n

                                            8) Local API gateway and service mesh patterns (where supported)<\/h3>\n\n\n\n
                                              \n
                                            • Problem:<\/strong> Microservices need traffic management and mTLS internally.<\/li>\n
                                            • Why this fits:<\/strong> Kubernetes ecosystem supports these patterns; exact components depend on the platform bundle (verify).<\/li>\n
                                            • Example:<\/strong> Internal services communicate over mTLS with strict policy enforcement.<\/li>\n<\/ul>\n\n\n\n

                                              9) Data sovereignty and residency enforcement<\/h3>\n\n\n\n
                                                \n
                                              • Problem:<\/strong> Regulations require all processing and storage remain within a site.<\/li>\n
                                              • Why this fits:<\/strong> Workloads and data remain local; egress can be strictly controlled.<\/li>\n
                                              • Example:<\/strong> Healthcare imaging workflows process data in a restricted network without cloud access.<\/li>\n<\/ul>\n\n\n\n

                                                10) Resilient local operations when WAN is unavailable (by design)<\/h3>\n\n\n\n
                                                  \n
                                                • Problem:<\/strong> Site must remain operational even if external links fail or are removed.<\/li>\n
                                                • Why this fits:<\/strong> Air-gapped architecture assumes no reliance on external endpoints.<\/li>\n
                                                • Example:<\/strong> A remote operations site runs scheduling and logistics apps locally 24\/7.<\/li>\n<\/ul>\n\n\n\n
                                                  \n\n\n\n

                                                  6. Core Features<\/h2>\n\n\n\n

                                                  Because feature sets can evolve by release, treat the list below as the core, commonly expected capabilities<\/strong> of an air-gapped distributed Kubernetes platform and verify specifics in the official Google Distributed Cloud air-gapped documentation for your version.<\/p>\n\n\n\n

                                                  1) Air-gapped Kubernetes platform for running containers<\/h3>\n\n\n\n
                                                    \n
                                                  • What it does:<\/strong> Provides Kubernetes clusters on customer-site infrastructure.<\/li>\n
                                                  • Why it matters:<\/strong> Kubernetes is the standard control plane for modern containerized workloads.<\/li>\n
                                                  • Practical benefit:<\/strong> You can deploy apps with standard Kubernetes manifests and tooling (kubectl<\/code>, Helm, GitOps tooling where available).<\/li>\n
                                                  • Limitations\/caveats:<\/strong> Public registries and SaaS endpoints are not reachable; you must manage internal image sources and dependency mirrors.<\/li>\n<\/ul>\n\n\n\n

                                                    2) Offline installation and upgrades (controlled lifecycle)<\/h3>\n\n\n\n
                                                      \n
                                                    • What it does:<\/strong> Supports platform installation and version upgrades using offline artifact bundles and procedural steps.<\/li>\n
                                                    • Why it matters:<\/strong> Security and compliance often require controlled, auditable changes.<\/li>\n
                                                    • Practical benefit:<\/strong> Predictable maintenance windows and reduced \u201csurprise upgrades.\u201d<\/li>\n
                                                    • Limitations\/caveats:<\/strong> Operational overhead is higher; you need rigorous release management and staging environments.<\/li>\n<\/ul>\n\n\n\n

                                                      3) Standard Kubernetes APIs and ecosystem compatibility<\/h3>\n\n\n\n
                                                        \n
                                                      • What it does:<\/strong> Exposes Kubernetes API server endpoints and standard resources (Deployments, Services, Ingress, etc.).<\/li>\n
                                                      • Why it matters:<\/strong> Portability of skills and manifests across environments.<\/li>\n
                                                      • Practical benefit:<\/strong> Existing Kubernetes CI\/CD patterns can be adapted to offline workflows.<\/li>\n
                                                      • Limitations\/caveats:<\/strong> Some cloud-managed add-ons may not be available; confirm supported ingress\/load-balancing and storage options for your hardware.<\/li>\n<\/ul>\n\n\n\n

                                                        4) Workload isolation primitives<\/h3>\n\n\n\n
                                                          \n
                                                        • What it does:<\/strong> Supports namespaces, RBAC, quotas, network segmentation patterns (for example, NetworkPolicy\u2014verify availability and CNI behavior).<\/li>\n
                                                        • Why it matters:<\/strong> Multi-tenant or multi-team clusters need boundaries.<\/li>\n
                                                        • Practical benefit:<\/strong> Reduced blast radius and improved compliance posture.<\/li>\n
                                                        • Limitations\/caveats:<\/strong> \u201cHard\u201d multi-tenancy has nuances; you may need separate clusters for strict separation.<\/li>\n<\/ul>\n\n\n\n

                                                          5) Local observability options (monitoring\/logging)<\/h3>\n\n\n\n
                                                            \n
                                                          • What it does:<\/strong> Provides ways to collect metrics and logs locally; may integrate with your on-prem SIEM\/monitoring tools.<\/li>\n
                                                          • Why it matters:<\/strong> You still need SRE-grade visibility without Cloud-hosted tools.<\/li>\n
                                                          • Practical benefit:<\/strong> Faster incident response and capacity planning in disconnected sites.<\/li>\n
                                                          • Limitations\/caveats:<\/strong> If you cannot export telemetry externally, you must size local storage for logs\/metrics carefully.<\/li>\n<\/ul>\n\n\n\n

                                                            6) Security hardening and controlled supply chain (process + platform)<\/h3>\n\n\n\n
                                                              \n
                                                            • What it does:<\/strong> Supports secure-by-default configuration patterns and controlled update delivery.<\/li>\n
                                                            • Why it matters:<\/strong> Air-gapped environments are often high-assurance.<\/li>\n
                                                            • Practical benefit:<\/strong> Improved consistency and auditability of platform changes.<\/li>\n
                                                            • Limitations\/caveats:<\/strong> Your organization must still run vulnerability scanning, approvals, and artifact validation; platform capabilities vary.<\/li>\n<\/ul>\n\n\n\n

                                                              7) Role-based access control and auditability<\/h3>\n\n\n\n
                                                                \n
                                                              • What it does:<\/strong> Uses Kubernetes RBAC and audit logs; may support integration with enterprise identity providers depending on configuration (verify).<\/li>\n
                                                              • Why it matters:<\/strong> Least privilege and traceability are mandatory in regulated environments.<\/li>\n
                                                              • Practical benefit:<\/strong> Clear accountability for platform and workload changes.<\/li>\n
                                                              • Limitations\/caveats:<\/strong> Identity integration is often one of the most complex parts of air-gapped deployments.<\/li>\n<\/ul>\n\n\n\n

                                                                8) Multi-cluster patterns (where supported)<\/h3>\n\n\n\n
                                                                  \n
                                                                • What it does:<\/strong> Supports operating multiple clusters in a site for separation and lifecycle control.<\/li>\n
                                                                • Why it matters:<\/strong> You can isolate dev\/test\/prod or workloads with different accreditation requirements.<\/li>\n
                                                                • Practical benefit:<\/strong> Safer upgrades and clearer blast-radius control.<\/li>\n
                                                                • Limitations\/caveats:<\/strong> Operating multiple clusters increases operational burden (patching, monitoring, backup).<\/li>\n<\/ul>\n\n\n\n
                                                                  \n\n\n\n

                                                                  7. Architecture and How It Works<\/h2>\n\n\n\n

                                                                  High-level architecture<\/h3>\n\n\n\n

                                                                  At a high level, Google Distributed Cloud air-gapped runs Kubernetes clusters on customer-site infrastructure. Operators manage the platform from within the air-gapped network using local endpoints and offline artifacts.<\/p>\n\n\n\n

                                                                  Key architectural ideas:\n– Control plane lives on-site<\/strong>, not in a public cloud region.\n– Workload traffic stays on-site<\/strong> unless you explicitly design controlled egress paths.\n– Artifacts (images, upgrades, dependencies)<\/strong> must be imported via offline mechanisms.<\/p>\n\n\n\n

                                                                  Request\/data\/control flow<\/h3>\n\n\n\n

                                                                  Typical flows in an air-gapped cluster:<\/p>\n\n\n\n

                                                                    \n
                                                                  1. \n

                                                                    Admin\/operator flow<\/strong>\n – An admin workstation inside the enclave connects to the Kubernetes API server endpoint.\n – Admin applies manifests, policies, and performs upgrades (following offline procedures).<\/p>\n<\/li>\n

                                                                  2. \n

                                                                    Workload deployment flow<\/strong>\n – Workloads are defined via Kubernetes manifests (Deployment, Service).\n – Container images are pulled from an internal registry<\/strong> reachable within the enclave.\n – Pods start on worker nodes; Services route internal traffic.<\/p>\n<\/li>\n

                                                                  3. \n

                                                                    User traffic flow<\/strong>\n – Internal clients access apps via ClusterIP\/NodePort\/Ingress\/load balancer depending on site networking design and supported features.<\/p>\n<\/li>\n

                                                                  4. \n

                                                                    Observability flow<\/strong>\n – Logs\/metrics collected locally and stored locally, or forwarded to an internal SIEM\/monitoring system.\n – External export is generally not assumed.<\/p>\n<\/li>\n<\/ol>\n\n\n\n

                                                                    Integrations with related services<\/h3>\n\n\n\n

                                                                    In disconnected environments, \u201cintegration\u201d typically means:\n– On-prem identity providers (AD\/LDAP\/OIDC proxies) if supported.\n– On-prem registries (Harbor, Artifactory, Nexus, or bundled registry\u2014verify).\n– On-prem monitoring and logging stacks.\n– External Google Cloud services are generally not directly reachable; if a controlled gateway is permitted, it must be explicitly designed and approved.<\/p>\n\n\n\n

                                                                    Dependency services<\/h3>\n\n\n\n

                                                                    Dependencies are commonly:\n– Internal DNS and NTP (time sync is critical).\n– Internal PKI or certificate authority workflows.\n– Hardware management (out-of-band management network).\n– Storage systems or local disks depending on supported CSI\/storage design.<\/p>\n\n\n\n

                                                                    Security\/authentication model (typical)<\/h3>\n\n\n\n
                                                                      \n
                                                                    • Kubernetes API authentication: often client certificates and\/or an OIDC integration (deployment-specific).<\/li>\n
                                                                    • Authorization: Kubernetes RBAC.<\/li>\n
                                                                    • Workload identity: depends on platform features; in air-gapped mode, assume you manage service-to-service credentials and secrets locally unless docs specify otherwise.<\/li>\n<\/ul>\n\n\n\n

                                                                      Networking model (typical)<\/h3>\n\n\n\n
                                                                        \n
                                                                      • Cluster networking uses a Kubernetes CNI; ensure your IP addressing plan avoids conflicts with site networks.<\/li>\n
                                                                      • Ingress options vary; NodePort is the most universal fallback.<\/li>\n
                                                                      • North\/south exposure must be reviewed by security (firewalls, DMZ patterns, reverse proxies).<\/li>\n<\/ul>\n\n\n\n

                                                                        Monitoring\/logging\/governance considerations<\/h3>\n\n\n\n
                                                                          \n
                                                                        • Plan for storage retention<\/strong> of logs\/metrics inside the enclave.<\/li>\n
                                                                        • Plan for offline incident response<\/strong>: you may not be able to \u201cjust open a support ticket with logs attached\u201d without sanitization and approved export paths.<\/li>\n
                                                                        • Use GitOps-style desired state where feasible\u2014adapted for offline operation (for example, local Git servers and internal artifact storage).<\/li>\n<\/ul>\n\n\n\n

                                                                          Simple architecture diagram (conceptual)<\/h3>\n\n\n\n
                                                                          flowchart LR\n  U[Internal Users] -->|HTTP\/HTTPS| EP[Site Endpoint\\n(Reverse proxy \/ Ingress \/ NodePort)]\n  EP --> SVC[Kubernetes Service]\n  SVC --> PODS[Workload Pods\\n(on Worker Nodes)]\n\n  ADM[Admin Workstation\\ninside air-gapped network] -->|kubectl| API[Kubernetes API Server\\n(on-site Control Plane)]\n  API --> PODS\n\n  REG[Internal Container Registry] -->|image pull| PODS\n<\/code><\/pre>\n\n\n\n
                                                                          Production-style architecture diagram (site-oriented)<\/h3>\n\n\n\n
                                                                          flowchart TB\n  subgraph Enclave[\"Air-gapped Site \/ Secure Enclave\"]\n    subgraph OOB[\"Out-of-band Management Network\"]\n      BMC[BMC \/ Hardware Mgmt]\n    end\n\n    subgraph MGMT[\"Platform Management Zone\"]\n      ADMIN[Admin Workstation]\n      GIT[Internal Git Server]\n      REG[Internal Image Registry]\n      MON[Monitoring & Logging\\n(SIEM\/Prometheus\/etc.)]\n      PKI[Internal PKI\/CA]\n      DNS[Internal DNS]\n      NTP[Internal NTP]\n    end\n\n    subgraph K8S[\"Google Distributed Cloud air-gapped\\nKubernetes Cluster(s)\"]\n      CP[Control Plane Nodes]\n      W1[Worker Nodes]\n      W2[Worker Nodes]\n      IN[Ingress\/Reverse Proxy\\n(or NodePort)]\n    end\n\n    USERS[Internal Applications \/ Users]\n  end\n\n  ADMIN -->|kubectl \/ cluster ops| CP\n  GIT -->|GitOps sync (local)| CP\n  REG -->|image pulls| W1\n  REG -->|image pulls| W2\n  MON -->|metrics\/logs| CP\n  MON -->|metrics\/logs| W1\n  MON -->|metrics\/logs| W2\n  PKI -->|cert issuance| CP\n  DNS --> CP\n  NTP --> CP\n  USERS -->|HTTP\/HTTPS| IN --> W1\n  USERS -->|HTTP\/HTTPS| IN --> W2\n<\/code><\/pre>\n\n\n\n
                                                                          \n\n\n\n
                                                                          8. Prerequisites<\/h2>\n\n\n\n
                                                                          Because Google Distributed Cloud air-gapped is a site-installed platform, prerequisites span commercial, physical, and technical readiness. Confirm exact requirements in official docs for your release.<\/p>\n\n\n\n
                                                                          Account\/subscription\/project\/tenancy requirements<\/h3>\n\n\n\n
                                                                            \n
                                                                          • A Google Cloud organization\/billing relationship is typically required for procurement and support.<\/li>\n
                                                                          • Entitlements and licensing are governed by your agreement.<\/li>\n
                                                                          • Any optional linkage to Google Cloud projects (if supported in your deployment) must be planned with security.<\/li>\n<\/ul>\n\n\n\n
                                                                            Permissions \/ IAM roles<\/h3>\n\n\n\n
                                                                            You will need a combination of:\n– Platform administrator<\/strong> access for the distributed cloud installation (site admin).\n– Kubernetes access:\n  – Cluster-admin for platform-level operations (limited to trusted operators).\n  – Namespace-scoped admin for application teams.\n– Access to internal systems:\n  – Image registry administration.\n  – Git server administration (if used).\n  – Monitoring\/logging administration.<\/p>\n\n\n\n
                                                                            Because \u201cIAM\u201d in air-gapped is often a mix of Kubernetes RBAC + enterprise IdP integration, treat permissions design as part of the platform build.<\/p>\n\n\n\n
                                                                            Billing requirements<\/h3>\n\n\n\n
                                                                              \n
                                                                            • Billing is typically contractual\/subscription-based rather than metered per API call like many Google Cloud services.<\/li>\n
                                                                            • Budget for: hardware footprint, support, spares, on-site operations, and internal dependencies.<\/li>\n<\/ul>\n\n\n\n
                                                                              CLI\/SDK\/tools needed (typical)<\/h3>\n\n\n\n
                                                                              Inside the enclave, you commonly need:\n– kubectl<\/code> (Kubernetes CLI)\n– A container toolchain on a build\/mirroring workstation:\n  – docker<\/code> or podman<\/code>\n  – skopeo<\/code> (helpful for mirroring images; optional)\n– openssl<\/code> and basic network troubleshooting tools (ping, curl, dig\/nslookup)\n– Any platform-specific lifecycle tooling provided by Google Distributed Cloud air-gapped (names and workflows vary\u2014use official docs for your version)<\/p>\n\n\n\n
                                                                              Region availability<\/h3>\n\n\n\n
                                                                                \n
                                                                              • This is site-based<\/strong>; availability is governed by where Google can deliver\/support the solution and any regulatory constraints.<\/li>\n
                                                                              • Confirm availability with Google Cloud sales\/support and official product pages.<\/li>\n<\/ul>\n\n\n\n
                                                                                Quotas\/limits<\/h3>\n\n\n\n
                                                                                  \n
                                                                                • Limits are frequently tied to:<\/li>\n
                                                                                • hardware sizing,<\/li>\n
                                                                                • validated configurations,<\/li>\n
                                                                                • maximum nodes\/clusters per deployment,<\/li>\n
                                                                                • storage throughput,<\/li>\n
                                                                                • networking constraints.<\/li>\n
                                                                                • Do not assume GKE-in-cloud quotas apply; verify air-gapped limits in official docs.<\/li>\n<\/ul>\n\n\n\n
                                                                                  Prerequisite services<\/h3>\n\n\n\n
                                                                                  In most air-gapped environments, you must provide (or integrate with):\n– Internal DNS\n– Internal NTP\n– Internal PKI\/certificate workflows (or platform-provided cert management\u2014verify)\n– Internal container registry (unless one is bundled\u2014verify)\n– Internal source control \/ artifact management (recommended)\n– A secure removable media process for importing updates and images<\/p>\n\n\n\n
                                                                                  \n\n\n\n
                                                                                  9. Pricing \/ Cost<\/h2>\n\n\n\n
                                                                                  Google Distributed Cloud air-gapped pricing is not typically a simple per-hour public price like standard cloud services. It is often contractual<\/strong> and may be influenced by:\n– hardware configuration,\n– support level,\n– term length,\n– number of sites,\n– included software components,\n– professional services and deployment support.<\/p>\n\n\n\n
                                                                                  Pricing dimensions (typical\u2014verify in official pricing)<\/h3>\n\n\n\n
                                                                                    \n
                                                                                  • Subscription \/ annual license<\/strong> for the distributed cloud platform.<\/li>\n
                                                                                  • Support<\/strong> (enterprise support tiers).<\/li>\n
                                                                                  • Hardware<\/strong> (if provided\/required as part of the solution) and spares.<\/li>\n
                                                                                  • Professional services<\/strong> (planning, installation, validation, training).<\/li>\n<\/ul>\n\n\n\n
                                                                                    Free tier<\/h3>\n\n\n\n
                                                                                      \n
                                                                                    • Air-gapped distributed platforms typically do not<\/strong> have a free tier in the sense of \u201calways-free usage.\u201d Verify with Google Cloud.<\/li>\n<\/ul>\n\n\n\n
                                                                                      Cost drivers<\/h3>\n\n\n\n
                                                                                      Direct drivers:\n– Number and size of nodes (compute, RAM) required to meet workload SLOs.\n– Storage requirements (capacity, performance, redundancy).\n– Network equipment and segmentation requirements.\n– High availability designs (more nodes, more racks, more operational overhead).<\/p>\n\n\n\n
                                                                                      Indirect\/hidden drivers (often bigger than you expect):\n– Offline artifact management<\/strong>: mirroring images, storing them, scanning them, and promoting them through environments.\n– Operational staffing<\/strong>: on-call, patch windows, compliance evidence collection.\n– Facility and physical security<\/strong>: racks, power, cooling, restricted access.\n– Backup and retention<\/strong>: on-prem backup infrastructure and media handling.\n– Staging environments<\/strong>: most regulated shops need dev\/test\/pre-prod that mirrors prod.<\/p>\n\n\n\n
                                                                                      Network\/data transfer implications<\/h3>\n\n\n\n
                                                                                        \n
                                                                                      • Air-gapped means you generally avoid internet egress charges, but you introduce:<\/li>\n
                                                                                      • costs for private internal networks,<\/li>\n
                                                                                      • costs for controlled gateways (if permitted),<\/li>\n
                                                                                      • removable media handling and secure transport.<\/li>\n<\/ul>\n\n\n\n
                                                                                        Storage\/compute\/API\/request pricing factors<\/h3>\n\n\n\n
                                                                                          \n
                                                                                        • Unlike a pure public-cloud service, you\u2019re typically paying for platform entitlement and the infrastructure footprint. API call metering is generally not the focus.<\/li>\n
                                                                                        • However, your internal dependencies (storage arrays, SIEM licensing, backup software) may add per-capacity or per-ingest charges.<\/li>\n<\/ul>\n\n\n\n
                                                                                          How to optimize cost (practical)<\/h3>\n\n\n\n
                                                                                            \n
                                                                                          • Right-size clusters: separate platform overhead from workload requirements.<\/li>\n
                                                                                          • Use namespaces and quotas effectively; avoid over-provisioning by default.<\/li>\n
                                                                                          • Standardize base images and reduce image sprawl to cut registry storage and scanning costs.<\/li>\n
                                                                                          • Establish clear log retention policies; high-volume logs can explode storage needs.<\/li>\n
                                                                                          • Invest in automation for offline promotion to reduce labor cost and reduce error rates.<\/li>\n<\/ul>\n\n\n\n
                                                                                            Example low-cost starter estimate (model, not numbers)<\/h3>\n\n\n\n
                                                                                            A \u201cstarter\u201d footprint is usually bounded not by cost per hour but by minimum viable hardware and operational needs:\n– Small cluster for dev\/test within an enclave\n– Internal registry + Git server\n– Local monitoring\/logging with modest retention<\/p>\n\n\n\n
                                                                                            Because actual prices are contractual and configuration-dependent, do not<\/strong> treat any internet-sourced numbers as authoritative. Build a bill-of-materials style estimate and validate with Google Cloud and your procurement team.<\/p>\n\n\n\n
                                                                                            Example production cost considerations (what to include)<\/h3>\n\n\n\n
                                                                                            For production, include:\n– HA control plane and sufficient worker redundancy (N+1 or more).\n– Backup\/restore infrastructure and procedures.\n– Dedicated staging environment for upgrades.\n– Security tooling: scanning, auditing, privileged access management.\n– Spares and replacement parts.\n– Staff time for patching, evidence capture, and incident response.<\/p>\n\n\n\n
                                                                                            Official pricing links<\/h3>\n\n\n\n
                                                                                              \n
                                                                                            • Google Cloud pricing landing: https:\/\/cloud.google.com\/pricing<\/li>\n
                                                                                            • Google Distributed Cloud pages (start here and navigate to pricing for your product): https:\/\/cloud.google.com\/distributed-cloud<\/li>\n
                                                                                            • Pricing details for the air-gapped variant may be contract-specific; confirm with your Google Cloud representative and official documentation for your region and edition.<\/li>\n<\/ul>\n\n\n\n
                                                                                              \n\n\n\n
                                                                                              10. Step-by-Step Hands-On Tutorial<\/h2>\n\n\n\n
                                                                                              This lab is designed to be realistic and executable<\/strong> if you have access to a Google Distributed Cloud air-gapped environment (or a training environment that simulates one). It focuses on what most teams must do early: verify cluster access, prepare an internal image flow, deploy a simple app, and validate service reachability\u2014without assuming internet access.<\/p>\n\n\n\n
                                                                                              Objective<\/h3>\n\n\n\n
                                                                                              Deploy and validate a small \u201cHello from the enclave\u201d web application on a Kubernetes cluster running on Google Distributed Cloud air-gapped, using an internal container image registry<\/strong> and standard Kubernetes manifests.<\/p>\n\n\n\n
                                                                                              Lab Overview<\/h3>\n\n\n\n
                                                                                              You will:\n1. Verify you can reach the Kubernetes API server from an admin workstation.\n2. Create a namespace and basic RBAC boundaries (minimal example).\n3. Ensure a container image is available inside the enclave (mirror\/import).\n4. Deploy the application and expose it internally.\n5. Validate access and review logs\/events.\n6. Clean up resources.<\/p>\n\n\n\n
                                                                                              \n
                                                                                              Assumptions (adapt as needed):\n– You have a kubeconfig file and credentials to access the cluster.\n– You have an internal container registry reachable from cluster nodes, or a documented platform-provided registry. If not, work with your platform team to establish one.\n– You have a workstation inside the air-gapped network with kubectl<\/code> installed.<\/p>\n<\/blockquote>\n\n\n\n
                                                                                              \n\n\n\n
                                                                                              Step 1: Confirm access to the cluster (kubeconfig + connectivity)<\/h3>\n\n\n\n
                                                                                              1.1 Check kubectl<\/code> is installed<\/strong><\/p>\n\n\n\n
                                                                                              kubectl version --client\n<\/code><\/pre>\n\n\n\n
                                                                                              Expected outcome:<\/strong> kubectl<\/code> prints a client version.<\/p>\n\n\n\n
                                                                                              1.2 Point to the kubeconfig<\/strong>\nIf your platform team provided a kubeconfig file path:<\/p>\n\n\n\n
                                                                                              export KUBECONFIG=\"$HOME\/kubeconfig-gdc-airgapped\"\n<\/code><\/pre>\n\n\n\n
                                                                                              1.3 Verify cluster connectivity<\/strong><\/p>\n\n\n\n
                                                                                              kubectl cluster-info\n<\/code><\/pre>\n\n\n\n
                                                                                              Expected outcome:<\/strong> You see the Kubernetes control plane endpoint and basic service endpoints.<\/p>\n\n\n\n
                                                                                              1.4 Verify your permissions<\/strong><\/p>\n\n\n\n
                                                                                              kubectl auth can-i '*' '*' --all-namespaces\n<\/code><\/pre>\n\n\n\n
                                                                                              Expected outcome:<\/strong>\n– Platform admins may see yes<\/code>.\n– App operators should not have full privileges; that\u2019s okay. If you get no<\/code>, continue but adjust RBAC steps accordingly.<\/p>\n\n\n\n
                                                                                              \n\n\n\n
                                                                                              Step 2: Create a namespace and minimal RBAC (application boundary)<\/h3>\n\n\n\n
                                                                                              This step demonstrates how to create a dedicated namespace for a workload and grant a specific user\/group permissions. In air-gapped environments, separation of duties is important for audits.<\/p>\n\n\n\n
                                                                                              2.1 Create a namespace<\/strong><\/p>\n\n\n\n
                                                                                              kubectl create namespace hello-airgap\n<\/code><\/pre>\n\n\n\n
                                                                                              Expected outcome:<\/strong> Namespace created.<\/p>\n\n\n\n
                                                                                              2.2 (Optional) Apply a ResourceQuota<\/strong>\nThis prevents runaway usage. Adjust values for your environment.<\/p>\n\n\n\n
                                                                                              kubectl -n hello-airgap apply -f - <<'EOF'\napiVersion: v1\nkind: ResourceQuota\nmetadata:\n  name: rq-basic\nspec:\n  hard:\n    requests.cpu: \"500m\"\n    requests.memory: \"512Mi\"\n    limits.cpu: \"1\"\n    limits.memory: \"1Gi\"\n    pods: \"10\"\nEOF\n<\/code><\/pre>\n\n\n\n
                                                                                              Expected outcome:<\/strong> ResourceQuota created.<\/p>\n\n\n\n
                                                                                              2.3 (Optional) Create a Role and RoleBinding<\/strong>\nIf your cluster uses an identity integration, replace the subject<\/code> with the correct user\/group. If you are not sure what identity string to use, skip this and rely on existing access.<\/p>\n\n\n\n
                                                                                              kubectl -n hello-airgap apply -f - <<'EOF'\napiVersion: rbac.authorization.k8s.io\/v1\nkind: Role\nmetadata:\n  name: hello-deployer\nrules:\n- apiGroups: [\"\", \"apps\"]\n  resources: [\"pods\", \"services\", \"configmaps\", \"events\", \"deployments\", \"replicasets\"]\n  verbs: [\"get\", \"list\", \"watch\", \"create\", \"update\", \"patch\", \"delete\"]\nEOF\n<\/code><\/pre>\n\n\n\n
                                                                                              Now bind it to a subject (example uses a user string; adjust):<\/p>\n\n\n\n
                                                                                              kubectl -n hello-airgap apply -f - <<'EOF'\napiVersion: rbac.authorization.k8s.io\/v1\nkind: RoleBinding\nmetadata:\n  name: hello-deployer-binding\nsubjects:\n- kind: User\n  name: \"your.user@yourdomain.example\"\n  apiGroup: rbac.authorization.k8s.io\nroleRef:\n  kind: Role\n  name: hello-deployer\n  apiGroup: rbac.authorization.k8s.io\nEOF\n<\/code><\/pre>\n\n\n\n
                                                                                              Expected outcome:<\/strong> Role and RoleBinding created (or you adjust based on your IdP setup).<\/p>\n\n\n\n
                                                                                              \n\n\n\n
                                                                                              Step 3: Make a container image available inside the air-gapped network<\/h3>\n\n\n\n
                                                                                              In an air-gapped setup, Kubernetes nodes cannot pull images from public registries<\/strong>. You must mirror or import images into an internal registry.<\/p>\n\n\n\n
                                                                                              There are multiple approved patterns. Choose the one your security and platform governance allow.<\/p>\n\n\n\n
                                                                                              Option A (common): Mirror via a controlled \u201cbridge\u201d process (recommended pattern)<\/h4>\n\n\n\n
                                                                                              A connected staging environment downloads the image, scans it, then exports it as a tarball to approved media. Inside the enclave, you import it to the internal registry.<\/p>\n\n\n\n
                                                                                              3A.1 On a connected workstation (outside the air gap), pull and save the image<\/strong>\nUse a simple image. For example, nginx<\/code>. (Your org may require a hardened base image instead.)<\/p>\n\n\n\n
                                                                                              docker pull nginx:1.27\ndocker save nginx:1.27 -o nginx_1.27.tar\n<\/code><\/pre>\n\n\n\n
                                                                                              3A.2 Transfer nginx_1.27.tar<\/code> to the enclave using approved procedures<\/strong>\nFollow your organization\u2019s removable media and chain-of-custody policy.<\/p>\n\n\n\n
                                                                                              3A.3 Inside the enclave, load and push to your internal registry<\/strong>\nAssume your internal registry is registry.infra.local<\/code> and you have a project\/repo library<\/code>.<\/p>\n\n\n\n
                                                                                              docker load -i nginx_1.27.tar\ndocker tag nginx:1.27 registry.infra.local\/library\/nginx:1.27\ndocker push registry.infra.local\/library\/nginx:1.27\n<\/code><\/pre>\n\n\n\n
                                                                                              Expected outcome:<\/strong> Image exists in the internal registry and is pullable from cluster nodes.<\/p>\n\n\n\n
                                                                                              Option B: Build the image entirely inside the enclave<\/h4>\n\n\n\n
                                                                                              If you have a local build pipeline and base images already mirrored, you can build and push without any external pulls. This is often preferred for high-assurance environments.<\/p>\n\n\n\n
                                                                                              \n\n\n\n
                                                                                              Step 4: Deploy the application (Deployment + Service)<\/h3>\n\n\n\n
                                                                                              Now deploy an NGINX pod and expose it via a Service.<\/p>\n\n\n\n
                                                                                              4.1 Create a Deployment<\/strong>\nReplace the image name with your internal registry image from Step 3.<\/p>\n\n\n\n
                                                                                              kubectl -n hello-airgap apply -f - <<'EOF'\napiVersion: apps\/v1\nkind: Deployment\nmetadata:\n  name: hello-web\nspec:\n  replicas: 2\n  selector:\n    matchLabels:\n      app: hello-web\n  template:\n    metadata:\n      labels:\n        app: hello-web\n    spec:\n      containers:\n      - name: nginx\n        image: registry.infra.local\/library\/nginx:1.27\n        ports:\n        - containerPort: 80\n        resources:\n          requests:\n            cpu: 50m\n            memory: 64Mi\n          limits:\n            cpu: 200m\n            memory: 256Mi\nEOF\n<\/code><\/pre>\n\n\n\n
                                                                                              Expected outcome:<\/strong> Deployment created.<\/p>\n\n\n\n
                                                                                              4.2 Watch pods come up<\/strong><\/p>\n\n\n\n
                                                                                              kubectl -n hello-airgap get pods -w\n<\/code><\/pre>\n\n\n\n
                                                                                              Expected outcome:<\/strong> Two pods reach Running<\/code>. If they get stuck in ImagePullBackOff<\/code>, go to Troubleshooting.<\/p>\n\n\n\n
                                                                                              4.3 Create a Service<\/strong>\nUse ClusterIP first (works everywhere).<\/p>\n\n\n\n
                                                                                              kubectl -n hello-airgap apply -f - <<'EOF'\napiVersion: v1\nkind: Service\nmetadata:\n  name: hello-web-svc\nspec:\n  selector:\n    app: hello-web\n  ports:\n  - name: http\n    port: 80\n    targetPort: 80\n  type: ClusterIP\nEOF\n<\/code><\/pre>\n\n\n\n
                                                                                              Expected outcome:<\/strong> Service created.<\/p>\n\n\n\n
                                                                                              \n\n\n\n
                                                                                              Step 5: Validate access (port-forward + internal reachability)<\/h3>\n\n\n\n
                                                                                              5.1 Port-forward from your workstation<\/strong>\nThis avoids assumptions about ingress\/load balancers.<\/p>\n\n\n\n
                                                                                              kubectl -n hello-airgap port-forward svc\/hello-web-svc 8080:80\n<\/code><\/pre>\n\n\n\n
                                                                                              In a second terminal:<\/p>\n\n\n\n
                                                                                              curl -I http:\/\/127.0.0.1:8080\n<\/code><\/pre>\n\n\n\n
                                                                                              Expected outcome:<\/strong> You receive an HTTP response header like HTTP\/1.1 200 OK<\/code>.<\/p>\n\n\n\n
                                                                                              5.2 Check workload logs<\/strong><\/p>\n\n\n\n
                                                                                              kubectl -n hello-airgap logs deploy\/hello-web --tail=50\n<\/code><\/pre>\n\n\n\n
                                                                                              Expected outcome:<\/strong> NGINX access logs appear when you curl.<\/p>\n\n\n\n
                                                                                              5.3 Check events (useful in air-gapped debugging)<\/strong><\/p>\n\n\n\n
                                                                                              kubectl -n hello-airgap get events --sort-by=.metadata.creationTimestamp | tail -n 20\n<\/code><\/pre>\n\n\n\n
                                                                                              Expected outcome:<\/strong> Events show scheduling, pulling image from internal registry, and container start.<\/p>\n\n\n\n
                                                                                              \n\n\n\n
                                                                                              Validation<\/h3>\n\n\n\n
                                                                                              Use this checklist:<\/p>\n\n\n\n
                                                                                                \n
                                                                                              • kubectl cluster-info<\/code> works from the admin workstation.<\/li>\n
                                                                                              • Pods are Running<\/code> and replicas match desired count:\n  bash\n  kubectl -n hello-airgap get deploy,po<\/code><\/li>\n
                                                                                              • Service exists:\n  bash\n  kubectl -n hello-airgap get svc hello-web-svc<\/code><\/li>\n
                                                                                              • Port-forward and curl succeed.<\/li>\n<\/ul>\n\n\n\n
                                                                                                If all pass, you\u2019ve validated the critical basics: control-plane access, namespace boundary, internal image supply, and workload scheduling.<\/p>\n\n\n\n
                                                                                                \n\n\n\n
                                                                                                Troubleshooting<\/h3>\n\n\n\n
                                                                                                Common issues in Google Distributed Cloud air-gapped environments (and what to check):<\/p>\n\n\n\n
                                                                                                  \n
                                                                                                1. \n
                                                                                                  ImagePullBackOff<\/code> \/ ErrImagePull<\/code><\/strong>\n   – Confirm the image URL is correct and reachable inside the enclave.\n   – Confirm registry DNS resolves from nodes.\n   – Confirm registry TLS certs are trusted by nodes (common issue).\n   – Check pod events:\n     bash\n     kubectl -n hello-airgap describe pod <pod-name><\/code>\n   – If registry requires auth, ensure an imagePullSecret<\/code> is configured for the namespace\/service account (your platform team should provide the standard approach).<\/p>\n<\/li>\n
                                                                                                2. \n
                                                                                                  kubectl<\/code> cannot connect \/ timeout<\/strong>\n   – Validate you are on the correct network segment and firewall rules allow access to the API server endpoint\/port.\n   – Confirm your kubeconfig server address is correct.\n   – Confirm your workstation has proper DNS\/NTP (time skew can break TLS).<\/p>\n<\/li>\n
                                                                                                3. \n
                                                                                                  Pods stuck in Pending<\/code><\/strong>\n   – Check node readiness:\n     bash\n     kubectl get nodes<\/code>\n   – Check resource pressure and quotas:\n     bash\n     kubectl -n hello-airgap describe resourcequota rq-basic<\/code>\n   – Check taints\/tolerations (platform nodes may be tainted).<\/p>\n<\/li>\n
                                                                                                4. \n
                                                                                                  Port-forward works but internal clients can\u2019t reach the app<\/strong>\n   – That\u2019s expected if you haven\u2019t configured NodePort\/Ingress\/LoadBalancer for site access.\n   – Work with your platform networking design to expose the service appropriately.<\/p>\n<\/li>\n<\/ol>\n\n\n\n
                                                                                                  \n\n\n\n
                                                                                                  Cleanup<\/h3>\n\n\n\n
                                                                                                  Delete the namespace (removes everything created inside it):<\/p>\n\n\n\n
                                                                                                  kubectl delete namespace hello-airgap\n<\/code><\/pre>\n\n\n\n
                                                                                                  Expected outcome:<\/strong> Namespace terminates and resources are removed.<\/p>\n\n\n\n
                                                                                                  If deletion hangs, check for finalizers on resources (rare for this simple lab). Use:<\/p>\n\n\n\n
                                                                                                  kubectl get namespace hello-airgap -o jsonpath='{.spec.finalizers}'\n<\/code><\/pre>\n\n\n\n
                                                                                                  Only remove finalizers if you understand why they exist and you have approval.<\/p>\n\n\n\n
                                                                                                  \n\n\n\n
                                                                                                  11. Best Practices<\/h2>\n\n\n\n
                                                                                                  Architecture best practices<\/h3>\n\n\n\n
                                                                                                    \n
                                                                                                  • Design for offline-first<\/strong>: assume no external dependencies at runtime\u2014no external DNS, no public container registry, no SaaS auth callbacks.<\/li>\n
                                                                                                  • Separate clusters by accreditation boundary<\/strong>: when compliance requires strong separation, prefer separate clusters over \u201csoft\u201d multi-tenancy.<\/li>\n
                                                                                                  • Use staged environments<\/strong> (dev\/test\/pre-prod\/prod) even if minimal. Air-gapped upgrades should be rehearsed.<\/li>\n
                                                                                                  • Standardize the platform blueprint<\/strong> across sites: IP plans, DNS patterns, registry naming, namespaces, quotas.<\/li>\n<\/ul>\n\n\n\n
                                                                                                    IAM\/security best practices<\/h3>\n\n\n\n
                                                                                                      \n
                                                                                                    • Use least privilege<\/strong> via Kubernetes RBAC:<\/li>\n
                                                                                                    • cluster-admin limited to platform\/SRE operators<\/li>\n
                                                                                                    • namespace admin for app teams<\/li>\n
                                                                                                    • read-only roles for auditors\/incident responders<\/li>\n
                                                                                                    • Prefer group-based bindings<\/strong> (from your enterprise IdP) over individual users (where supported).<\/li>\n
                                                                                                    • Enforce separation of duties<\/strong>: image promotion and scanning should not be controlled solely by app developers.<\/li>\n<\/ul>\n\n\n\n
                                                                                                      Cost best practices<\/h3>\n\n\n\n
                                                                                                        \n
                                                                                                      • Control image sprawl: set image retention policies in your internal registry.<\/li>\n
                                                                                                      • Set log retention to match compliance needs\u2014avoid \u201cretain forever\u201d unless required.<\/li>\n
                                                                                                      • Right-size nodes and avoid excessive reservations; use requests\/limits and quotas.<\/li>\n<\/ul>\n\n\n\n
                                                                                                        Performance best practices<\/h3>\n\n\n\n
                                                                                                          \n
                                                                                                        • Keep container images small and standardized; reduces import\/mirroring overhead and startup time.<\/li>\n
                                                                                                        • Use node affinity\/anti-affinity for critical workloads to spread replicas.<\/li>\n
                                                                                                        • Test storage performance and tune requests\/limits for I\/O-heavy workloads.<\/li>\n<\/ul>\n\n\n\n
                                                                                                          Reliability best practices<\/h3>\n\n\n\n
                                                                                                            \n
                                                                                                          • Define SLOs and error budgets even in air-gapped environments.<\/li>\n
                                                                                                          • Run multiple replicas for critical services and test failure modes (node loss, storage degradation).<\/li>\n
                                                                                                          • Implement backup\/restore procedures for:<\/li>\n
                                                                                                          • application data,<\/li>\n
                                                                                                          • cluster configuration,<\/li>\n
                                                                                                          • internal registries and Git servers.<\/li>\n<\/ul>\n\n\n\n
                                                                                                            Operations best practices<\/h3>\n\n\n\n
                                                                                                              \n
                                                                                                            • Treat upgrades as releases:<\/li>\n
                                                                                                            • document procedures,<\/li>\n
                                                                                                            • capture evidence,<\/li>\n
                                                                                                            • maintain rollback plans.<\/li>\n
                                                                                                            • Maintain an internal runbook library:<\/li>\n
                                                                                                            • cluster access procedures,<\/li>\n
                                                                                                            • certificate rotation,<\/li>\n
                                                                                                            • registry incident response,<\/li>\n
                                                                                                            • node replacement workflow.<\/li>\n
                                                                                                            • Plan spare capacity and hardware replacement timelines.<\/li>\n<\/ul>\n\n\n\n
                                                                                                              Governance\/tagging\/naming best practices<\/h3>\n\n\n\n
                                                                                                                \n
                                                                                                              • Use consistent naming for:<\/li>\n
                                                                                                              • clusters (site + environment + purpose),<\/li>\n
                                                                                                              • namespaces (team + app),<\/li>\n
                                                                                                              • registries\/repos (org + app + environment),<\/li>\n
                                                                                                              • labels\/annotations for ownership and cost allocation.<\/li>\n
                                                                                                              • Record ownership metadata in labels:<\/li>\n
                                                                                                              • owner<\/code>, cost-center<\/code>, data-classification<\/code>, env<\/code>.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                \n\n\n\n
                                                                                                                12. Security Considerations<\/h2>\n\n\n\n
                                                                                                                Air-gapped does not automatically mean \u201csecure.\u201d It changes the threat model and raises the importance of supply chain and insider risk controls.<\/p>\n\n\n\n
                                                                                                                Identity and access model<\/h3>\n\n\n\n
                                                                                                                  \n
                                                                                                                • Kubernetes RBAC is central. Keep RBAC simple and auditable.<\/li>\n
                                                                                                                • Cluster authentication methods vary; common approaches include client certs and\/or OIDC integration with an enterprise IdP (verify what\u2019s supported and recommended for your release).<\/li>\n
                                                                                                                • Require MFA for operator access to jump hosts and admin workstations.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                  Encryption<\/h3>\n\n\n\n
                                                                                                                    \n
                                                                                                                  • In transit:<\/strong> Use TLS for Kubernetes API and internal service communication where possible.<\/li>\n
                                                                                                                  • At rest:<\/strong> Ensure encryption is configured for:<\/li>\n
                                                                                                                  • etcd (Kubernetes state),<\/li>\n
                                                                                                                  • persistent volumes,<\/li>\n
                                                                                                                  • internal registry storage,<\/li>\n
                                                                                                                  • backups.\nExact mechanisms depend on platform and storage choice\u2014verify supported configurations.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                    Network exposure<\/h3>\n\n\n\n
                                                                                                                      \n
                                                                                                                    • Minimize north\/south exposure:<\/li>\n
                                                                                                                    • Avoid exposing Kubernetes API beyond operator networks.<\/li>\n
                                                                                                                    • Keep management endpoints on management VLANs.<\/li>\n
                                                                                                                    • Use internal firewalls and segmentation:<\/li>\n
                                                                                                                    • management zone vs workload zone vs user zone vs storage networks.<\/li>\n
                                                                                                                    • Prefer explicit allowlists.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                      Secrets handling<\/h3>\n\n\n\n
                                                                                                                        \n
                                                                                                                      • Don\u2019t store secrets in plain text in Git.<\/li>\n
                                                                                                                      • Use Kubernetes Secrets carefully:<\/li>\n
                                                                                                                      • restrict RBAC access,<\/li>\n
                                                                                                                      • rotate regularly,<\/li>\n
                                                                                                                      • consider envelope encryption if supported in your configuration.<\/li>\n
                                                                                                                      • For high-assurance environments, integrate with an on-prem secrets manager (HashiCorp Vault or equivalent) if policy requires\u2014verify integration patterns.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                        Audit\/logging<\/h3>\n\n\n\n
                                                                                                                          \n
                                                                                                                        • Enable Kubernetes audit logging (where supported\/configured).<\/li>\n
                                                                                                                        • Forward logs to your internal SIEM if required.<\/li>\n
                                                                                                                        • Protect logs: they are sensitive and often include metadata useful to attackers.<\/li>\n
                                                                                                                        • Maintain evidence for:<\/li>\n
                                                                                                                        • change approvals,<\/li>\n
                                                                                                                        • upgrade actions,<\/li>\n
                                                                                                                        • privileged access.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                          Compliance considerations<\/h3>\n\n\n\n
                                                                                                                            \n
                                                                                                                          • Air-gapped deployments often operate under formal accreditation:<\/li>\n
                                                                                                                          • change windows,<\/li>\n
                                                                                                                          • vulnerability scanning reports,<\/li>\n
                                                                                                                          • patch provenance and approval,<\/li>\n
                                                                                                                          • software bill of materials (SBOM) practices (organizational).<\/li>\n
                                                                                                                          • Align platform operations with frameworks such as NIST 800-53 or ISO 27001 depending on your compliance landscape.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                            Common security mistakes<\/h3>\n\n\n\n
                                                                                                                              \n
                                                                                                                            • Allowing developers to import arbitrary container images without scanning\/approval.<\/li>\n
                                                                                                                            • Weak controls on removable media used for offline transfers.<\/li>\n
                                                                                                                            • Overusing cluster-admin<\/code> and sharing admin kubeconfigs.<\/li>\n
                                                                                                                            • Not monitoring internal lateral movement because \u201cthere is no internet.\u201d<\/li>\n<\/ul>\n\n\n\n
                                                                                                                              Secure deployment recommendations<\/h3>\n\n\n\n
                                                                                                                                \n
                                                                                                                              • Establish a software supply chain pipeline<\/strong>:<\/li>\n
                                                                                                                              • mirror \u2192 scan \u2192 sign\/approve \u2192 import \u2192 deploy.<\/li>\n
                                                                                                                              • Use hardened base images and reduce the number of approved images.<\/li>\n
                                                                                                                              • Maintain a certificate lifecycle plan (rotation cadence, emergency replacement).<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                \n\n\n\n
                                                                                                                                13. Limitations and Gotchas<\/h2>\n\n\n\n
                                                                                                                                The air-gapped requirement creates real constraints. Plan for them explicitly.<\/p>\n\n\n\n
                                                                                                                                Known limitations (typical)<\/h3>\n\n\n\n
                                                                                                                                  \n
                                                                                                                                • No direct access to public container registries, public package repos, or SaaS APIs.<\/li>\n
                                                                                                                                • Upgrades require offline artifact handling and often more operator time.<\/li>\n
                                                                                                                                • Some managed-cloud conveniences may not be available (depending on the product design and your configuration).<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                  Quotas and capacity constraints<\/h3>\n\n\n\n
                                                                                                                                    \n
                                                                                                                                  • Capacity is bounded by on-site hardware.<\/li>\n
                                                                                                                                  • Scaling requires procurement and physical deployment lead time.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                    Regional\/site constraints<\/h3>\n\n\n\n
                                                                                                                                      \n
                                                                                                                                    • Support and delivery may be limited by geography, regulation, and facility requirements.<\/li>\n
                                                                                                                                    • Some environments require certified hardware baselines.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                      Pricing surprises<\/h3>\n\n\n\n
                                                                                                                                        \n
                                                                                                                                      • Indirect cost can exceed platform subscription:<\/li>\n
                                                                                                                                      • staffing,<\/li>\n
                                                                                                                                      • compliance evidence collection,<\/li>\n
                                                                                                                                      • internal tooling (registry, scanning, SIEM),<\/li>\n
                                                                                                                                      • backup infrastructure.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                        Compatibility issues<\/h3>\n\n\n\n
                                                                                                                                          \n
                                                                                                                                        • Kubernetes ecosystem tools often assume internet access (Helm charts pulling from public repos, images from Docker Hub, external auth callbacks).<\/li>\n
                                                                                                                                        • You must host:<\/li>\n
                                                                                                                                        • chart repositories internally (or vendor them into Git),<\/li>\n
                                                                                                                                        • image registries internally,<\/li>\n
                                                                                                                                        • dependencies internally.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                          Operational gotchas<\/h3>\n\n\n\n
                                                                                                                                            \n
                                                                                                                                          • Time sync (NTP) is critical; certificate validation failures can look like random outages.<\/li>\n
                                                                                                                                          • Internal DNS issues can break clusters and registries quickly.<\/li>\n
                                                                                                                                          • Registry TLS trust is a common pain point; standardize internal CAs and distribution.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                            Migration challenges<\/h3>\n\n\n\n
                                                                                                                                              \n
                                                                                                                                            • \u201cLift and shift\u201d from connected Kubernetes often fails due to:<\/li>\n
                                                                                                                                            • hidden external dependencies (telemetry exporters, license checks),<\/li>\n
                                                                                                                                            • external OAuth flows,<\/li>\n
                                                                                                                                            • public images.<\/li>\n
                                                                                                                                            • Build a dependency inventory before migration.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                              Vendor-specific nuances<\/h3>\n\n\n\n
                                                                                                                                                \n
                                                                                                                                              • Google Distributed Cloud air-gapped is not the same as:<\/li>\n
                                                                                                                                              • GKE in Google Cloud regions,<\/li>\n
                                                                                                                                              • generic upstream Kubernetes,<\/li>\n
                                                                                                                                              • other clouds\u2019 on-prem appliances.\nRead the specific product documentation and validated hardware\/software lists carefully.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                \n\n\n\n
                                                                                                                                                14. Comparison with Alternatives<\/h2>\n\n\n\n
                                                                                                                                                This section compares Google Distributed Cloud air-gapped with nearby options. Availability and capabilities change; verify with official docs and vendor materials.<\/p>\n\n\n\n
                                                                                                                                                Key comparison table<\/h3>\n\n\n\n
                                                                                                                                                \n\n\n\n\n\n\n\n\n\n\n\n\n
                                                                                                                                                Option<\/th>\nBest For<\/th>\nStrengths<\/th>\nWeaknesses<\/th>\nWhen to Choose<\/th>\n<\/tr>\n<\/thead>\n
                                                                                                                                                Google Distributed Cloud air-gapped<\/strong><\/td>\nFully disconnected environments needing a supported Kubernetes platform<\/td>\nDesigned for air-gapped ops; Google Cloud alignment; structured lifecycle<\/td>\nHigher operational overhead; requires offline supply chain; hardware footprint<\/td>\nWhen policy requires strict air gap and you want a supported distributed Kubernetes platform<\/td>\n<\/tr>\n
                                                                                                                                                Google Distributed Cloud (connected variants)<\/td>\nHybrid sites with controlled connectivity<\/td>\nMore integration with Google Cloud management\/telemetry (where supported)<\/td>\nNot suitable for strict air-gap requirements<\/td>\nWhen you can allow connectivity and want centralized fleet operations<\/td>\n<\/tr>\n
                                                                                                                                                GKE (Google Cloud regions)<\/td>\nCloud-native workloads in Google Cloud<\/td>\nFully managed control plane; elastic scaling; rich integrations<\/td>\nNot on-prem; not air-gapped<\/td>\nWhen workloads can run in public cloud regions<\/td>\n<\/tr>\n
                                                                                                                                                Red Hat OpenShift (self-managed)<\/td>\nEnterprises wanting a mature Kubernetes distribution on-prem<\/td>\nStrong ecosystem; many operators; flexible deployments<\/td>\nYou manage lifecycle; air-gapped still complex<\/td>\nWhen you want a vendor distribution with broad enterprise adoption and can manage it yourself<\/td>\n<\/tr>\n
                                                                                                                                                Rancher (SUSE) \/ RKE2 \/ K3s<\/td>\nLightweight or multi-cluster management<\/td>\nFlexible; can be air-gapped with effort<\/td>\nDIY integration; support depends on contracts<\/td>\nWhen you need flexibility and can own more of the platform engineering burden<\/td>\n<\/tr>\n
                                                                                                                                                VMware Tanzu (self-managed)<\/td>\nVMware-centric data centers<\/td>\nIntegration with VMware stack<\/td>\nStill requires connectivity planning; licensing complexity<\/td>\nWhen you are standardized on VMware and prefer VMware-native operations<\/td>\n<\/tr>\n
                                                                                                                                                AWS Outposts<\/strong><\/td>\nAWS-consistent services on-prem (not fully air-gapped by default)<\/td>\nAWS service consistency<\/td>\nTypically expects connectivity to AWS; air-gap may not be supported<\/td>\nWhen you want AWS hybrid and connectivity is allowed<\/td>\n<\/tr>\n
                                                                                                                                                Azure Stack Hub \/ Azure Stack Edge<\/strong><\/td>\nAzure hybrid\/edge patterns<\/td>\nAzure ecosystem integration<\/td>\nCapabilities and connectivity assumptions vary by product<\/td>\nWhen you want Azure-aligned edge\/on-prem solutions<\/td>\n<\/tr>\n
                                                                                                                                                Upstream Kubernetes (kubeadm)<\/td>\nTeams with strong Kubernetes expertise<\/td>\nMaximum control; no vendor lock<\/td>\nHighest DIY burden; compliance burden on you<\/td>\nWhen you need full control and can staff platform engineering and security deeply<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n
                                                                                                                                                \n\n\n\n
                                                                                                                                                15. Real-World Example<\/h2>\n\n\n\n
                                                                                                                                                Enterprise example (regulated critical infrastructure operator)<\/h3>\n\n\n\n
                                                                                                                                                Problem<\/strong>\nA critical infrastructure operator must run operational dashboards, alerting, and local data processing in a network zone that is physically and logically disconnected from the internet. The environment has strict audit requirements, controlled change windows, and long hardware lifecycles.<\/p>\n\n\n\n
                                                                                                                                                Proposed architecture<\/strong>\n– Google Distributed Cloud air-gapped Kubernetes cluster at each site.\n– Internal container registry with a formal mirror\/scan\/approve\/import pipeline.\n– Internal Git server hosting:\n  – Kubernetes manifests,\n  – Helm charts vendored internally,\n  – policy configurations.\n– Local monitoring\/logging stack integrated with internal SIEM.\n– Strict network segmentation:\n  – management VLAN for operators,\n  – workload VLAN for services,\n  – restricted user access via internal reverse proxy.<\/p>\n\n\n\n
                                                                                                                                                Why this service was chosen<\/strong>\n– Air-gapped requirement is non-negotiable.\n– Need a supported Kubernetes platform with structured lifecycle management rather than an entirely bespoke build.<\/p>\n\n\n\n
                                                                                                                                                Expected outcomes<\/strong>\n– Standardized deployment model across sites.\n– Reduced time to deploy updates (within change windows) due to containerization and automation.\n– Improved audit posture with consistent RBAC and deployment pipelines.<\/p>\n\n\n\n
                                                                                                                                                Startup\/small-team example (R&D lab with disconnected prototype environment)<\/h3>\n\n\n\n
                                                                                                                                                Problem<\/strong>\nA small robotics R&D team operates a secure lab network isolated from the corporate network. They need to run microservices for telemetry, UI dashboards, and local inference. They also need repeatability as they scale to multiple lab pods.<\/p>\n\n\n\n
                                                                                                                                                Proposed architecture<\/strong>\n– One Google Distributed Cloud air-gapped cluster per lab pod.\n– Internal registry running on modest hardware.\n– GitOps-style workflow using an internal Git server.\n– Minimal ingress exposure; primarily internal-only access, plus port-forward for debugging.<\/p>\n\n\n\n
                                                                                                                                                Why this service was chosen<\/strong>\n– They need Kubernetes in an offline lab with a supportable platform baseline.\n– They want to reuse patterns later in more controlled production environments.<\/p>\n\n\n\n
                                                                                                                                                Expected outcomes<\/strong>\n– Consistent developer experience across lab pods.\n– Faster iteration without breaking air-gap policy.\n– Clear path to scaling the lab environment with repeatable procedures.<\/p>\n\n\n\n
                                                                                                                                                \n\n\n\n
                                                                                                                                                16. FAQ<\/h2>\n\n\n\n
                                                                                                                                                  \n
                                                                                                                                                1. \n
                                                                                                                                                  Is Google Distributed Cloud air-gapped the same as GKE?<\/strong>\n   It uses Kubernetes and aligns with Google Cloud\u2019s Kubernetes approach, but it is not the same as running GKE in Google Cloud regions. The air-gapped variant is designed for disconnected sites with local control planes and offline operations.<\/p>\n<\/li>\n
                                                                                                                                                2. \n
                                                                                                                                                  Does Google Distributed Cloud air-gapped require an internet connection?<\/strong>\n   It is designed specifically for environments without internet connectivity. However, installation, support, and update logistics still require a defined offline process. Verify exact connectivity assumptions in official docs.<\/p>\n<\/li>\n
                                                                                                                                                3. \n
                                                                                                                                                  How do I pull container images without internet access?<\/strong>\n   Use an internal registry. Mirror\/import images through an approved process (download \u2192 scan \u2192 transfer \u2192 push internally). The tutorial above shows a basic pattern.<\/p>\n<\/li>\n
                                                                                                                                                4. \n
                                                                                                                                                  Can I use Helm charts in an air-gapped environment?<\/strong>\n   Yes, but you must host chart repositories internally or vendor charts into your internal Git repo, and ensure all referenced images are available internally.<\/p>\n<\/li>\n
                                                                                                                                                5. \n
                                                                                                                                                  How are upgrades handled?<\/strong>\n   Upgrades typically require offline artifact bundles and controlled maintenance windows. The exact upgrade tooling and steps are version-specific\u2014follow the official documentation for your release.<\/p>\n<\/li>\n
                                                                                                                                                6. \n
                                                                                                                                                  Can I use Cloud Monitoring and Cloud Logging?<\/strong>\n   In a strict air-gapped deployment, direct integration to Google Cloud SaaS endpoints is generally not possible. You\u2019ll usually run local observability tooling. If your environment allows controlled connectivity, check official docs for supported integration models.<\/p>\n<\/li>\n
                                                                                                                                                7. \n
                                                                                                                                                  What skills do operators need?<\/strong>\n   Kubernetes administration, Linux basics, networking, PKI\/certificates, and strong operational discipline for offline change management.<\/p>\n<\/li>\n
                                                                                                                                                8. \n
                                                                                                                                                  What are the biggest operational risks?<\/strong>\n   Supply chain process failures (importing unscanned images), certificate\/time sync issues, and insufficient staging\/testing for upgrades.<\/p>\n<\/li>\n
                                                                                                                                                9. \n
                                                                                                                                                  Can multiple teams share a cluster?<\/strong>\n   Yes via namespaces\/RBAC\/quotas, but for strict separation you may need separate clusters. This is a governance decision.<\/p>\n<\/li>\n
                                                                                                                                                10. \n
                                                                                                                                                  How do I handle secrets safely?<\/strong>\n   Use least privilege, restrict Secret access via RBAC, rotate secrets, and consider integration with an on-prem secrets manager if required by policy.<\/p>\n<\/li>\n
                                                                                                                                                11. \n
                                                                                                                                                  What does \u201cair-gapped\u201d mean in practice?<\/strong>\n   No direct connectivity to the internet (and often no connectivity to external corporate networks). All artifacts and updates move through controlled, audited channels.<\/p>\n<\/li>\n
                                                                                                                                                12. \n
                                                                                                                                                  Do I still need vulnerability scanning if the environment is offline?<\/strong>\n   Yes. Offline environments still face insider risks and supply chain risks. Scanning and approval become even more important.<\/p>\n<\/li>\n
                                                                                                                                                13. \n
                                                                                                                                                  How do I troubleshoot if I can\u2019t upload logs to external support?<\/strong>\n   Establish an internal log collection and sanitization workflow. Plan what you can export and how approvals work. Maintain strong internal runbooks.<\/p>\n<\/li>\n
                                                                                                                                                14. \n
                                                                                                                                                  Can I run stateful workloads (databases) on it?<\/strong>\n   Kubernetes can run stateful workloads, but success depends on storage design and operational maturity. Validate storage, backup\/restore, and performance requirements carefully.<\/p>\n<\/li>\n
                                                                                                                                                15. \n
                                                                                                                                                  Is this a good fit for small edge devices?<\/strong>\n   Usually not. Google Distributed Cloud air-gapped targets a more substantial on-site footprint. For very small devices, lightweight Kubernetes or device-focused runtimes may be more appropriate.<\/p>\n<\/li>\n
                                                                                                                                                16. \n
                                                                                                                                                  How do I design DR (disaster recovery) for an air-gapped site?<\/strong>\n   DR is often site-to-site replication (if permitted) or backup-to-media with strict procedures. Define RPO\/RTO, test restores, and consider multi-site strategies if your compliance rules allow.<\/p>\n<\/li>\n<\/ol>\n\n\n\n
                                                                                                                                                  \n\n\n\n
                                                                                                                                                  17. Top Online Resources to Learn Google Distributed Cloud air-gapped<\/h2>\n\n\n\n
                                                                                                                                                  Use these starting points and always confirm you\u2019re reading the docs for the correct product variant and version.<\/p>\n\n\n\n
                                                                                                                                                  \n\n\n\n\n\n\n\n\n\n\n\n\n
                                                                                                                                                  Resource Type<\/th>\nName<\/th>\nWhy It Is Useful<\/th>\n<\/tr>\n<\/thead>\n
                                                                                                                                                  Official product landing page<\/td>\nhttps:\/\/cloud.google.com\/distributed-cloud<\/td>\nEntry point to Google Distributed Cloud offerings and documentation<\/td>\n<\/tr>\n
                                                                                                                                                  Official documentation (start page)<\/td>\nhttps:\/\/cloud.google.com\/docs<\/td>\nGoogle Cloud documentation hub (navigate to Distributed Cloud \/ air-gapped docs)<\/td>\n<\/tr>\n
                                                                                                                                                  Architecture Center<\/td>\nhttps:\/\/cloud.google.com\/architecture<\/td>\nReference architectures and design guidance (useful for hybrid patterns)<\/td>\n<\/tr>\n
                                                                                                                                                  Pricing hub<\/td>\nhttps:\/\/cloud.google.com\/pricing<\/td>\nOfficial pricing navigation; distributed offerings may be contract-based<\/td>\n<\/tr>\n
                                                                                                                                                  Google Cloud Skills Boost<\/td>\nhttps:\/\/www.cloudskillsboost.google<\/td>\nOfficial hands-on labs platform (availability of air-gapped-specific labs may vary)<\/td>\n<\/tr>\n
                                                                                                                                                  Google Cloud YouTube<\/td>\nhttps:\/\/www.youtube.com\/googlecloudtech<\/td>\nProduct talks and architecture sessions (filter for Distributed Cloud \/ hybrid topics)<\/td>\n<\/tr>\n
                                                                                                                                                  Google Cloud Blog<\/td>\nhttps:\/\/cloud.google.com\/blog<\/td>\nProduct updates and announcements; search for Distributed Cloud air-gapped<\/td>\n<\/tr>\n
                                                                                                                                                  Kubernetes documentation<\/td>\nhttps:\/\/kubernetes.io\/docs\/<\/td>\nCore Kubernetes concepts used day-to-day in air-gapped clusters<\/td>\n<\/tr>\n
                                                                                                                                                  Supply-chain security (SLSA)<\/td>\nhttps:\/\/slsa.dev\/<\/td>\nFramework for securing build and artifact provenance\u2014highly relevant to air-gapped promotion pipelines<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n
                                                                                                                                                  \n
                                                                                                                                                  Note: The most accurate step-by-step installation\/upgrade procedures for Google Distributed Cloud air-gapped are typically in the product\u2019s official documentation set for your exact release. If you can\u2019t find the air-gapped doc set from the links above, search within cloud.google.com for \u201cGoogle Distributed Cloud air-gapped documentation\u201d and validate the URL is official.<\/p>\n<\/blockquote>\n\n\n\n
                                                                                                                                                  \n\n\n\n
                                                                                                                                                  18. Training and Certification Providers<\/h2>\n\n\n\n
                                                                                                                                                  The following are third-party training providers. Review their course outlines and verify instructor credentials, currency, and hands-on lab access for air-gapped topics.<\/p>\n\n\n\n
                                                                                                                                                  \n\n\n\n\n\n\n\n\n
                                                                                                                                                  Institute<\/th>\nSuitable Audience<\/th>\nLikely Learning Focus<\/th>\nMode<\/th>\nWebsite URL<\/th>\n<\/tr>\n<\/thead>\n
                                                                                                                                                  DevOpsSchool.com<\/td>\nDevOps engineers, SREs, platform teams<\/td>\nDevOps, Kubernetes, cloud\/hybrid operations concepts<\/td>\ncheck website<\/td>\nhttps:\/\/www.devopsschool.com<\/td>\n<\/tr>\n
                                                                                                                                                  ScmGalaxy.com<\/td>\nBeginners to intermediate DevOps learners<\/td>\nSCM, CI\/CD, DevOps fundamentals<\/td>\ncheck website<\/td>\nhttps:\/\/www.scmgalaxy.com<\/td>\n<\/tr>\n
                                                                                                                                                  CLoudOpsNow.in<\/td>\nCloud ops and infrastructure teams<\/td>\nCloud operations, automation, operational practices<\/td>\ncheck website<\/td>\nhttps:\/\/www.cloudopsnow.in<\/td>\n<\/tr>\n
                                                                                                                                                  SreSchool.com<\/td>\nSREs and reliability-focused engineers<\/td>\nSRE principles, monitoring, incident management<\/td>\ncheck website<\/td>\nhttps:\/\/www.sreschool.com<\/td>\n<\/tr>\n
                                                                                                                                                  AiOpsSchool.com<\/td>\nOps teams exploring AIOps<\/td>\nAIOps concepts, automation, monitoring analytics<\/td>\ncheck website<\/td>\nhttps:\/\/www.aiopsschool.com<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n
                                                                                                                                                  \n\n\n\n
                                                                                                                                                  19. Top Trainers<\/h2>\n\n\n\n
                                                                                                                                                  These sites may offer trainer listings, training services, or related resources. Verify relevance to Google Distributed Cloud air-gapped specifically.<\/p>\n\n\n\n
                                                                                                                                                  \n\n\n\n\n\n\n\n
                                                                                                                                                  Platform\/Site<\/th>\nLikely Specialization<\/th>\nSuitable Audience<\/th>\nWebsite URL<\/th>\n<\/tr>\n<\/thead>\n
                                                                                                                                                  RajeshKumar.xyz<\/td>\nDevOps\/Kubernetes training content<\/td>\nIndividuals and teams seeking guided training<\/td>\nhttps:\/\/www.rajeshkumar.xyz<\/td>\n<\/tr>\n
                                                                                                                                                  devopstrainer.in<\/td>\nDevOps and CI\/CD training<\/td>\nDevOps engineers and platform teams<\/td>\nhttps:\/\/www.devopstrainer.in<\/td>\n<\/tr>\n
                                                                                                                                                  devopsfreelancer.com<\/td>\nFreelance DevOps support\/training<\/td>\nSmall teams needing flexible help<\/td>\nhttps:\/\/www.devopsfreelancer.com<\/td>\n<\/tr>\n
                                                                                                                                                  devopssupport.in<\/td>\nDevOps support services and training<\/td>\nOps teams needing troubleshooting support<\/td>\nhttps:\/\/www.devopssupport.in<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n
                                                                                                                                                  \n\n\n\n
                                                                                                                                                  20. Top Consulting Companies<\/h2>\n\n\n\n
                                                                                                                                                  These organizations may provide consulting services relevant to Kubernetes, DevOps, and cloud\/hybrid operations. Validate specific experience with air-gapped distributed platforms during procurement.<\/p>\n\n\n\n
                                                                                                                                                  \n\n\n\n\n\n\n
                                                                                                                                                  Company<\/th>\nLikely Service Area<\/th>\nWhere They May Help<\/th>\nConsulting Use Case Examples<\/th>\nWebsite URL<\/th>\n<\/tr>\n<\/thead>\n
                                                                                                                                                  cotocus.com<\/td>\nCloud\/DevOps consulting<\/td>\nArchitecture, platform engineering, automation<\/td>\nDesigning offline CI\/CD promotion pipeline; Kubernetes operations model<\/td>\nhttps:\/\/www.cotocus.com<\/td>\n<\/tr>\n
                                                                                                                                                  DevOpsSchool.com<\/td>\nDevOps consulting and training<\/td>\nDevOps transformation, Kubernetes enablement<\/td>\nBuilding cluster operations runbooks; RBAC and GitOps process setup<\/td>\nhttps:\/\/www.devopsschool.com<\/td>\n<\/tr>\n
                                                                                                                                                  DEVOPSCONSULTING.IN<\/td>\nDevOps consulting<\/td>\nDevOps practices, CI\/CD, infra automation<\/td>\nImplementing internal registry + scanning workflow; observability stack setup<\/td>\nhttps:\/\/www.devopsconsulting.in<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n
                                                                                                                                                  \n\n\n\n
                                                                                                                                                  21. Career and Learning Roadmap<\/h2>\n\n\n\n
                                                                                                                                                  What to learn before this service<\/h3>\n\n\n\n
                                                                                                                                                    \n
                                                                                                                                                  1. Kubernetes fundamentals<\/strong>\n   – Pods, Deployments, Services, Ingress\n   – Namespaces, RBAC, ConfigMaps, Secrets<\/li>\n
                                                                                                                                                  2. Linux and networking<\/strong>\n   – DNS, TLS, routing basics\n   – Firewalls and segmentation concepts<\/li>\n
                                                                                                                                                  3. Container fundamentals<\/strong>\n   – Images, registries, tagging, vulnerability basics<\/li>\n
                                                                                                                                                  4. Operational discipline<\/strong>\n   – Change management\n   – Incident response and runbooks\n   – Backup\/restore basics<\/li>\n<\/ol>\n\n\n\n
                                                                                                                                                    What to learn after this service<\/h3>\n\n\n\n
                                                                                                                                                      \n
                                                                                                                                                    • Advanced Kubernetes operations:<\/li>\n
                                                                                                                                                    • cluster upgrades, node maintenance, capacity planning<\/li>\n
                                                                                                                                                    • Supply chain security:<\/li>\n
                                                                                                                                                    • image scanning, signing, SBOM practices, provenance<\/li>\n
                                                                                                                                                    • GitOps in disconnected environments:<\/li>\n
                                                                                                                                                    • internal Git, promotion strategies, environment parity<\/li>\n
                                                                                                                                                    • Observability engineering:<\/li>\n
                                                                                                                                                    • metrics\/log pipelines, retention, SIEM integration<\/li>\n
                                                                                                                                                    • Security engineering for Kubernetes:<\/li>\n
                                                                                                                                                    • network policies, admission policies (where supported), runtime security<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                      Job roles that use it<\/h3>\n\n\n\n
                                                                                                                                                        \n
                                                                                                                                                      • Platform Engineer (Kubernetes platform)<\/li>\n
                                                                                                                                                      • Site Reliability Engineer (SRE)<\/li>\n
                                                                                                                                                      • DevOps Engineer (hybrid\/distributed)<\/li>\n
                                                                                                                                                      • Security Engineer (container\/Kubernetes security, compliance)<\/li>\n
                                                                                                                                                      • Systems Engineer (on-prem infrastructure with cloud-native patterns)<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                        Certification path (if available)<\/h3>\n\n\n\n
                                                                                                                                                          \n
                                                                                                                                                        • Google Cloud certifications focus mainly on public cloud services; for air-gapped distributed platforms, look for:<\/li>\n
                                                                                                                                                        • Google Cloud architect-level knowledge (for design patterns)<\/li>\n
                                                                                                                                                        • Kubernetes certifications (CKA\/CKAD\/CKS) for hands-on cluster skills\nVerify current certification guidance in official Google Cloud certification pages: https:\/\/cloud.google.com\/certification<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                          Project ideas for practice<\/h3>\n\n\n\n
                                                                                                                                                          Even without a full air-gapped appliance, you can practice the operational patterns<\/em>:\n1. Build an internal registry + mirror pipeline (simulate \u201cair-gapped\u201d by blocking internet egress).\n2. Create an offline Helm chart repository and deploy workloads without external downloads.\n3. Implement namespace multi-tenancy with quotas and RBAC.\n4. Design and test backup\/restore for a stateful app (e.g., PostgreSQL) with local storage.\n5. Create an \u201cupgrade rehearsal\u201d checklist and run it on a staging cluster.<\/p>\n\n\n\n
                                                                                                                                                          \n\n\n\n
                                                                                                                                                          22. Glossary<\/h2>\n\n\n\n
                                                                                                                                                            \n
                                                                                                                                                          • Air-gapped:<\/strong> A network\/environment physically or logically isolated from external networks (especially the internet). Data transfer occurs only through controlled channels.<\/li>\n
                                                                                                                                                          • Artifact bundle:<\/strong> A packaged set of software components used for installation or upgrades, often transferred via offline media.<\/li>\n
                                                                                                                                                          • CNI (Container Network Interface):<\/strong> Kubernetes networking plugin system that defines pod networking behavior.<\/li>\n
                                                                                                                                                          • Cluster control plane:<\/strong> Kubernetes components that manage cluster state (API server, scheduler, controller manager, etcd).<\/li>\n
                                                                                                                                                          • Container registry:<\/strong> A service that stores and serves container images (e.g., Harbor, Artifactory, private Docker registry).<\/li>\n
                                                                                                                                                          • GitOps:<\/strong> Operating model where desired system state is stored in Git and applied automatically\/consistently via controllers.<\/li>\n
                                                                                                                                                          • Ingress:<\/strong> Kubernetes resource that manages external access to services, typically HTTP\/HTTPS, often via an ingress controller.<\/li>\n
                                                                                                                                                          • Kubeconfig:<\/strong> Configuration file used by kubectl<\/code> to connect to a Kubernetes cluster.<\/li>\n
                                                                                                                                                          • Namespace:<\/strong> Kubernetes partitioning mechanism for isolating resources within a cluster.<\/li>\n
                                                                                                                                                          • Network segmentation:<\/strong> Separating networks into zones (management, workloads, users) to reduce attack surface and limit lateral movement.<\/li>\n
                                                                                                                                                          • RBAC:<\/strong> Role-Based Access Control; in Kubernetes, rules mapping identities to allowed operations.<\/li>\n
                                                                                                                                                          • ResourceQuota:<\/strong> Kubernetes object that limits resource consumption per namespace.<\/li>\n
                                                                                                                                                          • SLO\/SLA:<\/strong> Service Level Objective\/Agreement; reliability targets and commitments.<\/li>\n
                                                                                                                                                          • Supply chain security:<\/strong> Practices to ensure software artifacts are trusted (scanned, approved, provenance tracked) before deployment.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                            \n\n\n\n
                                                                                                                                                            23. Summary<\/h2>\n\n\n\n
                                                                                                                                                            Google Distributed Cloud air-gapped is a Google Cloud offering in the Distributed, hybrid, and multicloud<\/strong> category that brings a Kubernetes platform to fully disconnected<\/strong> environments. It matters because many organizations need modern cloud-native operations\u2014containers, standardized deployments, policy controls\u2014but must keep systems offline for security, sovereignty, or compliance reasons.<\/p>\n\n\n\n
                                                                                                                                                            Architecturally, it runs on-site with local control planes, local networking, and offline artifact delivery. Cost is typically contract-based, and the biggest cost drivers are often operational<\/strong>: offline image and update pipelines, staging environments, staffing, and evidence collection.<\/p>\n\n\n\n
                                                                                                                                                            Security success depends less on \u201cbeing air-gapped\u201d and more on disciplined controls: least privilege RBAC, internal registry governance, scanning\/approval, strong PKI practices, and segmented networking.<\/p>\n\n\n\n
                                                                                                                                                            Use Google Distributed Cloud air-gapped when a strict air-gap is mandatory and you want a supported, structured Kubernetes platform for on-prem sites. Next step: read the official Google Distributed Cloud documentation, then build an internal \u201cmirror \u2192 scan \u2192 approve \u2192 import \u2192 deploy\u201d pipeline and practice the hands-on deployment workflow in a staging enclave before moving to production.<\/p>\n","protected":false},"excerpt":{"rendered":"
                                                                                                                                                            Distributed, hybrid, and multicloud<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[60,51],"tags":[],"class_list":["post-693","post","type-post","status-publish","format-standard","hentry","category-distributed-hybrid-and-multicloud","category-google-cloud"],"_links":{"self":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/693","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/comments?post=693"}],"version-history":[{"count":0,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/693\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/media?parent=693"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/categories?post=693"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/tags?post=693"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}