Saturday, April 11, 2009

Connecting back from the Google cloud

Big news this week: the rumor finally came true. Google App Engine now supports Java, next to Python, so Google AppEngine is now a big Servlet Engine in the cloud.

Along with the Java on Google App Engine announcement, I noticed another component: the Secure Data Connector. This SDC allows applications running in the Google cloud to interoperate with Intranet applications: through the Secure Data Connector, Intranet applications can be accessed from the cloud.

Scenario:
  • The Secure Data Connector is installed on a Linux server within the Enterprise.
  • An administrator configures the SDC to access certain resources within the Intranet.
  • The SDC is started and runs continuously as a background process.
  • The SDC connects to Google (https://apps-secure-data-connector.google.com) on port 443 (HTTPS). The connection is made from the enterprise to Google, so there is no need to configure the firewall on the Enterprise side to allow inbound connections (from Google into the Enterprise).
  • The SDC authenticates itself using a username and password.
  • Once the SSL connection is established, the connection remains open.
  • An application running in the Google cloud (AppEngine, Google Spreadsheet, ...) needs to access data from the Intranet or send data to the Intranet.
  • In AppEngine, this is done using the URLFetchService. To specify that an Intranet resource should be accessed, add the HTTP header use_intranet=true in the request.
  • From the Google AppEngine, a call is made to the SDC deployed in the Enterprise. Remember, TCP connections are bidirectional!
  • The SDC verifies the access to the local resources, e.g. using the local DNS from within the Enterprise.
  • The SDC accesses the local resource or web service and returns the data back to the application running in the Google cloud. The size of request and response messages is limited to 1 MB.
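
The connection pattern from the scenario above, as an added Python example (not from the original post and not Google's SDC code): the agent dials out, the cloud side sends requests back over that same socket, and the agent's resource rules are the only access check. The JSON-lines framing, host names, rule set and 403/413 codes are assumptions; plain TCP on localhost stands in for the HTTPS connection.

```python
import json
import socket
import threading

MAX_BODY = 1024 * 1024  # 1 MB message limit stated in the post
INTRANET = {  # constructed sample resources (hypothetical hosts)
    "http://crm.corp.example/customers": b'[{"id": 1}]',
    "http://hr.corp.example/salaries": b"confidential",
    "http://files.corp.example/dump": b"x" * (MAX_BODY + 1),
}
# Assumed stand-in for the resource rules the administrator configures.
ALLOWED = {"http://crm.corp.example/customers", "http://files.corp.example/dump"}


def agent(relay_addr):
    """Enterprise side: dial OUT to the relay, then serve requests on that socket."""
    with socket.create_connection(relay_addr) as conn, conn.makefile("rwb") as f:
        for line in f:  # one JSON request per line, pushed by the cloud side
            url = json.loads(line)["url"]
            body = INTRANET.get(url, b"")
            if url not in ALLOWED:      # no firewall sits in this path any more
                status = 403
            elif len(body) > MAX_BODY:  # enforce the message size limit
                status = 413
            else:
                status = 200
            reply = {"status": status, "body": body.decode() if status == 200 else ""}
            f.write(json.dumps(reply).encode() + b"\n")
            f.flush()


def run_demo(urls):
    """Cloud side: accept the agent's outbound connection, send requests down it."""
    with socket.create_server(("127.0.0.1", 0)) as srv:
        t = threading.Thread(target=agent, args=(srv.getsockname(),), daemon=True)
        t.start()
        conn, _ = srv.accept()  # the only TCP connection is agent -> relay
        results = {}
        with conn, conn.makefile("rwb") as f:
            for url in urls:
                f.write(json.dumps({"url": url}).encode() + b"\n")
                f.flush()
                results[url] = json.loads(f.readline())["status"]
        t.join(timeout=2)
        return results
```

A firewall between the two sides sees a single long-lived outbound session, so every request arriving through it has to be judged by the agent's own rules.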

Access to protected data within the enterprise is somewhat of a challenge. The only mechanisms by which the SDC can provide credentials to an Intranet application, service or resource are OpenSocial and OAuth signatures. And

One of the evolutions that I envision is that ESBs or B2B services will embed the SDC logic as an adapter. The ESB is able to transform the requests coming from Google into other protocols or formats and add the necessary credentials.

Some more thoughts and remarks I made while going through the Secure Data Connector docs:
  • How is the configuration file of the SDC protected? In particular the username and password contained therein.
  • Support is limited to Linux. What prevents this open source code from being ported to other platforms?
  • How about load balancing or failover?
  • How about interoperability between clouds: anyone already tried to deploy the SDC on EC2?
  • Where is the SOAP support? How to invoke SOAP web services using the URLFetchService?
  • How about identity services and mapping the identity of a Google user to an internal Enterprise user account?
  • The SDC is not comparable to the .Net Services Bus of Windows Azure.
  • Can the SDC access the Internet through a proxy?
  • To deploy the Secure Data Connector in a large enterprise, you might have a hard time convincing the security department.