NEQTO CloudSync for GCP

Introduction

CloudSync diagram

NEQTO CloudSync for GCP is a tool that allows customers to easily manage and sync devices from NEQTO to their GCP environment. Complementary to the GCP libraries for neqto.js, this tool makes sending data to GCP's IoT Core a breeze.

NEQTO CloudSync is distributed as a container on the GCP Marketplace. It is free of charge and can be utilized on Google Kubernetes Engine, Compute Instances, or Google App Engine Flexible Environment (GAE Flex). Our recommendation is to deploy this tool on GAE Flex with the Custom Runtime Environment.

Prequisites

Deploying to GAE Flex (Custom Runtime) using Cloud Shell

For this tutorial we will utilize Cloud Shell to deploy CloudSync to App Engine.

First, start by curling the application zip file to your Cloud Shell instance, then unzipping it.

curl https://download.neqto.com/cloudsync/nqcloudsync-dist-gcp.zip -o nqcloudsync-dist-gcp.zip
unzip nqcloudsync-dist-gcp.zip
cd nqcloudsync-dist-gcp

After navigating to the nqcloudsync-dist-gcp folder, utilize the ls command to list the contained two files. The first file is app.yaml. This is a configuration file that gives App Engine directions on how to execute our application in addition to environment variables. Please edit the env_variables section based on your NEQTO and GCP environments.

Note: Do not modify runtime or env.

runtime: custom
env: flex
env_variables:
  COMPANY_CODE: "COMPANY CODE HERE"
  NQ_REGION: "NEQTOREGION HERE"
  PROJECT_ID:  "GCPPPROJECTID HERE"
  CLOUD_REGION: "GCPREGION HERE"
  REGISTRY_ID: "REGISTRY ID HERE"
KeyValue
COMPANY_CODEYour NEQTO Company Code. (Used at login)
NQ_REGIONThe NEQTO region you would like to sync with GCP. (e.g. asia-pacific-1)
PROJECT_IDThe ID of the GCP project you will sync to.
CLOUD_REGIONThe region of your registry in GCP.
REGISTRY_IDThe ID of the IoT Core registry you wish to sync with.

The second file in the nqcloudsync-dist-gcp folder is the Dockerfile. This file simply directs the app engine to the locations that it can get the CloudSync image. This file will not need to be edited, so please confirm its contents.

FROM marketplace.gcr.io/cloudsync-public/cloudsync

Once environment variables are set in the app.yaml, you may deploy the application.

gcloud app deploy

You may need to set your project and app engine environment first. You may also need to "Authorize" this via a prompt and input (Y) to confirm the details of this release is correct.

Warning: Please be aware that when your app is deployed with this step, it will be temporarily accessible to anyone on the internet. This app programmatically interacts with Google APIs and thus we highly recommend you secure the app to limit the parties who may access it. Please refer to the following section on measures to easily enable security.

Security

To secure the Web App, Google Cloud's Identity Aware Proxy (IAP) will be used. This will restrict access to allow only users which are logged-in to Google Cloud Console and given access to utilize CloudSync.

First, login to Google Cloud and select the project you are using. Next, use the search function to navigate to the "Identity-Aware Proxy".

GCP Console Search

From the Identity-Aware Proxy screen, view the list of applications and find your App Engine instance. Then slide the toggle to enable IAP for your instance.

GCP Console Search

In the list of applications, find your App Engine instance and slide the toggle for IAP to the on posiiton.

IAP

Finally, check the desired app instances and in the panel to the right, click "Add Member".

IAP Add Member

Enter the Google email for the member to grant access to, then click "Select a role". Click "Cloud IAP" from the list, then select the "IAP-Secured Web App User" option. Save your changes.

Select Settings

After a few moments, verify the security of your app by navigating to the app page in a new private browser and confirming that you are prompted to log in. Logging into an account which has not been explicitly granted access will block you out. Logging into an account which you have added as a member will grant access to the app.

This concludes the set-up for NEQTO CloudSync for GCP.

How to Use

Once deployed to GAE, you may access via the url app engine provides to you. By going to that URL you will be greeted by a login screen.

Login Screen

Before you can use CloudSync, you must first login.

Note: Company code is not required since it was set as an environment variable in the installation step.

After logging in, all groups that have been created in NEQTO Console are visible.

Groups

By clicking on one of the groups in the list you will be transported to the Node list screen.

Nodes

A Node is synced when it exists both on GCP and NEQTO Console, and has all the necessary environment variables for communicating with GCP IoT Core.

In the Node list, the "synced" column shows the status by displaying one of 3 icons.

Nodes that are currently synced will have a Checkmark.

Synced Icon

Nodes that are not synced will have an "X" icon.

Not Synced Icon

Nodes that exist in just GCP or just NEQTO denote that a node may have become unintentionally unsynced. Hovering gives a hint.

Issue

To find out more you can click the info icon in the row to the right hand side of the list.

Info Icon

You can verify which environment has become out of sync as well as various information on your Node.

Details

In order to fix a Node that has become out of sync, first "unsync" it by selecting the desired Nodes. In the upper right hand corner an "Unsync" button will appear. Click it to unsync the device.

Details

Unsyncing a device will delete it from Google Cloud and remove the GCP environment variables created when syncing from the NEQTO Console Node.

To sync the device again, or sync any new devices, select everything then click the "sync" icon instead.

Sync

Clicking sync will make calls to the GCP API to register and provision a device. It will then take the private key and other necessary information and save it in the environment variables of the Node in NEQTO Console.

The environment variables created are as followed:

KeyValue
gcp_cloud_sync_keyThe private key needed for connecting to GCP IoT Core.
gcp_registry_idThe ID of the GCP IoT Core registry.
gcp_project_idThe ID of the GCP project you will sync to.
gcp_region_idThe region of your registry.
gcp_device_idThe device ID in GCP. This is a concatenation of "nq_" and the NEQTO Node uuid.

Via the NEQTO GCP Library you may simply use these environment variables to begin sending data to GCP IoT Core.

Sample Script

// Ref: GCP IoT Core Library documentation
var gcpIotCa =  "-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----\n";
var params = {
    privateKey: ENV["gcp_cloud_sync_key"],
    project: ENV["gcp_project_id"],
    location: ENV["gcp_region_id"],
    registry: ENV["gcp_registry_id"],
    device: ENV["gcp_device_id"],
};

var iot_core = new GOOGLE_IOT_CORE(params);

iot_core.setRootCa(gcpIotCa);

var host = iot.buildGrpcUrl();
var payload = secure.base64Encode("Publishing via HTTP");
var callback = function(err, resp) {
    if (err) {
        print(JSON.stringify(err));
    }

    if (resp) {
        print(JSON.stringify(resp));
    }
}
var body = {
    "binary_data": payload
}
var jwt = iot.makeDeviceJWT(3600);  //update JWT each connection. 3600 == 1 hour.
iot.httpPost(jwt, `${host}:publishEvent`, JSON.stringify(body), callback);
Updated: 2021-06-30
API UsageNEQTO Engine Firmware List