Edge Appliance User Guide

Overview

Edge Appliance is a Google Cloud-managed, secure, high-performance appliance for edge locations. It provides local storage, ML inference, data transformation, and export.

Customers are increasingly generating digital signals at their locations with cameras, sensors, and devices. This data needs to be securely stored and quickly processed to generate actionable insights. Limited bandwidth and high-latency connectivity may make it impractical to run these far-edge workloads in cloud datacenters. Regulatory compliance may require that data be obfuscated before it is sent to the cloud.

Google Distributed Cloud Edge Appliance simplifies data collection, analytics, and processing at far-edge locations. Your data is stored on the appliance, where containerized applications process the data locally using ML inference, aggregation, and custom logic to generate insights. Configurable transfer jobs easily move aggregated insights and relevant data to Cloud Storage when connectivity and bandwidth are available.

Specifications

Specification        EA-GPU-T4
Processor            NVIDIA T4 GPU, 16 core CPU, 64GB RAM
Storage              4x 2TB SSDs. Usable storage is 3.6 TB (using RAID).
Networking           2x 10GBASE-T RJ45, 2x 1GbE RJ45
Shipping weight      13.6 kg (30 lbs)
Dimensions           Height: 43 mm (1.7 in.), width: 209 mm (8.2 in.), depth: 376 mm (14.8 in.)
Mounting options     Horizontal or vertical orientation. Bookshelf mount (3 servers), DIN rail wall mount, ceiling mount, 1U rack mount (2 servers), 2U short-depth rack mount (2 servers). Available locking bezel with dust filter.
Appliance weight     3.75 kg (8.3 lb)
Power requirements   12V DC using one or two external AC power adapters with plugged inputs. Two adapters form a redundant pair in most configurations. Power source is 100-127 V AC (3.2A) or 200-240V AC (1.6A) for each adapter.

Request Edge Appliance

You can order Edge Appliance from the Google Cloud console.

Required permissions

The console requires the following predefined role for access to the ordering screen:

  • Transfer Appliance Admin (roles/transferappliance.admin)

To grant read-only access to order status information, grant the following role:

  • Transfer Appliance Viewer (roles/transferappliance.viewer)

Learn how to grant or revoke a role using the console.

Order Edge Appliance

Once the required permissions have been granted, visit the order page:

Go to Edge Appliance ordering

Google Cloud project configuration

The steps below walk you through the process of creating and configuring service accounts and keys, to provide the required permissions on your Google Cloud project.

This section can be completed before you receive the appliance.

When you're done, you'll have created the following service accounts and keys.

Service account                                                    Description
edge-appliance                                                     The appliance service account. The service account name must be unique for each appliance in your project, so the name of a specific appliance's service account may differ from the name used in this document.
gke-register-sa                                                    The Anthos cluster registration service account.
project-NUMBER@storage-transfer-service.iam.gserviceaccount.com    The Storage Transfer Service service account.

Service account key    Description
key.json               The appliance service account key.
register_key.json      The Anthos cluster registration service account key.

Configure your Google Cloud project

We strongly recommend creating a separate Google Cloud project that will be exclusively used for your appliances. Appliances require some project level permissions; a separate project ensures that appliances deployed at edge locations cannot be used to access or disrupt other Google Cloud projects containing sensitive resources.

Enable the required APIs using gcloud or the console.

When using gcloud we recommend using Cloud Shell. If you're not using Cloud Shell, you may need to install and configure the gcloud tool in your environment.

Open Cloud Shell

gcloud

This document uses $PROJECT_ID in sample code to refer to your unique project name. You can use this variable in your examples if you first assign your own project ID to the variable:

export PROJECT_ID=YOUR_PROJECT_ID

Then, execute the following commands.

gcloud auth login
gcloud config set project $PROJECT_ID
gcloud services enable \
    anthos.googleapis.com \
    anthosgke.googleapis.com \
    cloudresourcemanager.googleapis.com \
    container.googleapis.com \
    gkeconnect.googleapis.com \
    gkehub.googleapis.com \
    serviceusage.googleapis.com \
    stackdriver.googleapis.com \
    monitoring.googleapis.com \
    logging.googleapis.com \
    pubsub.googleapis.com \
    storagetransfer.googleapis.com \
    anthosaudit.googleapis.com \
    opsconfigmonitoring.googleapis.com

Google Cloud console

Follow these instructions to enable the following APIs from the console:

Create and configure the appliance service account

Create the service account to be used in the appliance, grant it the necessary permissions, and download the key file. You'll need to provide this key to the person configuring the Edge Appliance.

gcloud

# The service account name needs to be unique for each appliance
export SA_NAME=edge-appliance

# If online transfer will be enabled, specify the destination bucket name.
# Do not include the gs:// prefix.
export DESTINATION_BUCKET=YOUR_BUCKET_NAME

# Create service account
gcloud iam service-accounts create $SA_NAME

# Grant project permissions
gcloud projects add-iam-policy-binding $PROJECT_ID \
  --member="serviceAccount:$SA_NAME@$PROJECT_ID.iam.gserviceaccount.com" \
  --role="roles/gkehub.connect"

gcloud projects add-iam-policy-binding $PROJECT_ID \
  --member="serviceAccount:$SA_NAME@$PROJECT_ID.iam.gserviceaccount.com" \
  --role="roles/logging.logWriter"

gcloud projects add-iam-policy-binding $PROJECT_ID \
  --member="serviceAccount:$SA_NAME@$PROJECT_ID.iam.gserviceaccount.com" \
  --role="roles/monitoring.metricWriter"

gcloud projects add-iam-policy-binding $PROJECT_ID \
  --member="serviceAccount:$SA_NAME@$PROJECT_ID.iam.gserviceaccount.com" \
  --role="roles/monitoring.dashboardEditor"

gcloud projects add-iam-policy-binding $PROJECT_ID \
  --member="serviceAccount:$SA_NAME@$PROJECT_ID.iam.gserviceaccount.com" \
  --role="roles/opsconfigmonitoring.resourceMetadata.writer"

gcloud projects add-iam-policy-binding $PROJECT_ID \
  --member="serviceAccount:$SA_NAME@$PROJECT_ID.iam.gserviceaccount.com" \
  --role="roles/stackdriver.resourceMetadata.writer"

gcloud projects add-iam-policy-binding $PROJECT_ID \
  --member="serviceAccount:$SA_NAME@$PROJECT_ID.iam.gserviceaccount.com" \
  --role="roles/storagetransfer.admin"

gcloud projects add-iam-policy-binding $PROJECT_ID \
  --member="serviceAccount:$SA_NAME@$PROJECT_ID.iam.gserviceaccount.com" \
  --role="roles/storagetransfer.transferAgent"

gcloud projects add-iam-policy-binding $PROJECT_ID \
  --member="serviceAccount:$SA_NAME@$PROJECT_ID.iam.gserviceaccount.com" \
  --role="roles/compute.viewer"

# If online transfer will be enabled, grant bucket permissions
gsutil iam ch serviceAccount:$SA_NAME@$PROJECT_ID.iam.gserviceaccount.com:admin gs://$DESTINATION_BUCKET

# Download key file
gcloud iam service-accounts keys create key.json \
  --iam-account=$SA_NAME@${PROJECT_ID}.iam.gserviceaccount.com
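
To confirm that the appliance service account holds exactly the project roles granted above and nothing broader, the following added example (not part of the original guide) compares a list of bound roles against that set. The helper name audit_roles and the sample input are assumptions made for illustration.

```bash
# Added example. Project roles bound to the appliance service account by the
# gcloud commands in this guide.
EXPECTED_ROLES="roles/gkehub.connect
roles/logging.logWriter
roles/monitoring.metricWriter
roles/monitoring.dashboardEditor
roles/opsconfigmonitoring.resourceMetadata.writer
roles/stackdriver.resourceMetadata.writer
roles/storagetransfer.admin
roles/storagetransfer.transferAgent
roles/compute.viewer"

# audit_roles (hypothetical helper): reads one role per line on stdin.
# Prints MISSING for expected roles that are absent and UNEXPECTED for roles
# this guide does not grant; returns 0 only when both sets match.
audit_roles() {
  ar_actual=$(sort -u | sed '/^$/d'); ar_status=0
  while IFS= read -r ar_role; do
    if ! printf '%s\n' "$ar_actual" | grep -Fxq -- "$ar_role"; then
      echo "MISSING $ar_role"; ar_status=1
    fi
  done <<EOF
$EXPECTED_ROLES
EOF
  while IFS= read -r ar_role; do
    [ -n "$ar_role" ] || continue
    if ! printf '%s\n' "$EXPECTED_ROLES" | grep -Fxq -- "$ar_role"; then
      echo "UNEXPECTED $ar_role"; ar_status=1
    fi
  done <<EOF
$ar_actual
EOF
  return "$ar_status"
}

# Live use, with PROJECT_ID and SA_NAME exported as above:
#   gcloud projects get-iam-policy "$PROJECT_ID" \
#     --flatten="bindings[].members" \
#     --filter="bindings.members:serviceAccount:$SA_NAME@$PROJECT_ID.iam.gserviceaccount.com" \
#     --format="value(bindings.role)" | audit_roles

# Constructed sample: roles/compute.viewer dropped, roles/editor added.
SAMPLE_ROLES=$(printf '%s\nroles/editor\n' "$EXPECTED_ROLES" | grep -v 'compute\.viewer')
printf '%s\n' "$SAMPLE_ROLES" | audit_roles || true
```

The bucket-level grant made with gsutil is not part of the project policy and has to be reviewed separately on the destination bucket.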

Google Cloud console

Follow the instructions here to create a service account from the console. The service account name needs to be unique for each appliance. This document uses edge-appliance in its examples.

Grant the following roles:

  • GKE Connect Agent
  • Logs Writer
  • Monitoring Editor
  • Stackdriver Resource Metadata Writer
  • Pub/Sub Editor
  • Storage Transfer Admin
  • Storage Transfer Transfer Agent
  • Compute Viewer

Follow the instructions here to grant Storage Admin permissions to your service account on your destination bucket.

Finally, follow these instructions to create and download the key file for the service account. Rename the key file to key.json.

Create and configure the cluster registration service account

Create the service account for registering your Anthos cluster, grant it the necessary permissions, and download the key file. You'll need to provide this key to the person configuring the Edge Appliance.

This service account can be used across all of your appliances, but a new key must be generated for each appliance.

gcloud

# Create service account
gcloud iam service-accounts create gke-register-sa

# Grant project permissions
# If asked to specify a condition select 'None'
gcloud projects add-iam-policy-binding $PROJECT_ID \
  --member="serviceAccount:gke-register-sa@$PROJECT_ID.iam.gserviceaccount.com" \
  --role="roles/gkehub.admin"

# Download key file
gcloud iam service-accounts keys create register_key.json \
  --iam-account=gke-register-sa@${PROJECT_ID}.iam.gserviceaccount.com

Google Cloud console

Follow the instructions here to create a service account named gke-register-sa from the console.

Grant the following roles:

  • GKE Hub Admin

Follow these instructions to create and download the key file for the service account. Rename the key file to register_key.json.

Create and configure the Storage Transfer Service service account

Grant the necessary permissions to the Storage Transfer service account. This is a Google-created service account that is created the first time you call googleServiceAccounts/get from the Storage Transfer Service endpoint.

To create the service account and retrieve its email:

  1. Go to the googleServiceAccounts/get reference page.
  2. In the Try this method pane on the right side of the page, enter your project ID and click execute.

Note the value of accountEmail in the API response. It uses the format project-NUMBER@storage-transfer-service.iam.gserviceaccount.com.

Then, follow the instructions below to assign the required role and permissions.

gcloud

export P4SA_EMAIL=SERVICE_ACCOUNT_EMAIL

gcloud projects add-iam-policy-binding $PROJECT_ID \
  --member="serviceAccount:$P4SA_EMAIL" \
  --role="roles/pubsub.editor"

gsutil iam ch serviceAccount:$P4SA_EMAIL:admin gs://$DESTINATION_BUCKET

Google Cloud console

  • Follow the steps here to grant the Pub/Sub Editor role to the service account.
  • Follow the instructions here to grant Storage Admin permissions to the service account on your destination bucket.

Connect Edge Appliance

  1. Use the two provided power cords to plug in the server. There are two power bricks in the inner center box, and two power cords in the side boxes.

  2. Insert an ethernet cable into port 1 (the left-most ethernet port, shown below in a red circle). Connect the other end of the cable to a switch or router.

    An image of the rear panel of the site appliance, showing the power button at the top left, and an ethernet port near the bottom left.

  3. Press the power button to turn on the server (at the top-left of the appliance's back panel, shown above in a red rectangle).

Configure Edge Appliance

The following steps must be completed on the Edge Appliance. You'll need the two service keys that were created in the Google Cloud project configuration section: key.json and register_key.json.

Configure your IP address

You can configure your appliance to use DHCP or a static IP.

Use DHCP

To configure DHCP:

  1. SSH into the appliance.
  2. Run the following command from the appliance command line:

    ta config --ip=dhcp

If ta doesn't work, use sudo /opt/ta/ta.

Use a static IP

To use a static IP:

  1. Connect the appliance's port 3 to your laptop.

  2. SSH into the appliance using the IP address 169.254.20.1.

  3. Enter the username and password provided to you by the Transfer Appliance Team.

  4. Provide the static IP and gateway details to the ta config command:

    ta config --ip=STATIC_IP --gw=GATEWAY_IP
    

Once you've configured your IP address:

  1. Terminate this session.
  2. Disconnect the ethernet cable from port 3.
  3. Connect port 1 to the network and SSH into the appliance using the IP you assigned.

Move service account keys onto the appliance

The steps to configure your Google Cloud project created two service account keys: key.json and register_key.json.

Transfer both keys onto your Edge Appliance. You can either copy the files, or copy and paste the contents into new files on the appliance. The keys must end up in the following locations:

/mnt/ta_metadata/key.json
/mnt/ta_metadata/register_key.json
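
The two keys carry different roles, so it is worth checking after the copy that each file holds the key for the intended account and is not readable by other users. The following is an added example, not part of the original guide; check_key and make_sample_key are hypothetical helpers, and the permission rule is an assumption because the guide does not state the file mode the appliance expects.

```bash
# Added example. check_key FILE EXPECTED_EMAIL (hypothetical helper).
# Returns 0 only when FILE is a service account key whose client_email is
# EXPECTED_EMAIL and that group/other cannot read. The permission rule is an
# assumption; this guide does not state what mode the appliance expects.
check_key() {
  ck_file=$1; ck_want=$2
  [ -f "$ck_file" ] || { echo "missing: $ck_file"; return 1; }
  grep -Eq '"type"[[:space:]]*:[[:space:]]*"service_account"' "$ck_file" \
    || { echo "not a service account key: $ck_file"; return 1; }
  ck_email=$(sed -n 's/.*"client_email"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' \
    "$ck_file" | head -n 1)
  [ "$ck_email" = "$ck_want" ] \
    || { echo "wrong account in $ck_file: ${ck_email:-none}"; return 1; }
  ck_open=$(find "$ck_file" \( -perm -040 -o -perm -004 \) -print)
  [ -z "$ck_open" ] || { echo "readable by group or other: $ck_file"; return 1; }
  echo "ok: $ck_file is a key for $ck_email"
}

# Constructed sample key with a placeholder private_key (not a real credential).
make_sample_key() {  # make_sample_key FILE EMAIL
  ( umask 077
    printf '{\n  "type": "service_account",\n  "private_key": "PLACEHOLDER",\n  "client_email": "%s"\n}\n' \
      "$2" > "$1" )
}

# On the appliance, with PROJECT_ID set and the default account names:
#   check_key /mnt/ta_metadata/key.json "edge-appliance@$PROJECT_ID.iam.gserviceaccount.com"
#   check_key /mnt/ta_metadata/register_key.json "gke-register-sa@$PROJECT_ID.iam.gserviceaccount.com"

# Demo: the registration key saved under the appliance key's name is caught.
demo_dir=$(mktemp -d)
make_sample_key "$demo_dir/key.json" "gke-register-sa@example-project.iam.gserviceaccount.com"
check_key "$demo_dir/key.json" "edge-appliance@example-project.iam.gserviceaccount.com" || true
rm -rf "$demo_dir"
```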

Create the Anthos Bare Metal cluster

From your SSH session, run the following commands to create your project's Anthos cluster.

Replace the placeholders below with your project ID and your choice of cluster name.

# Set the project ID if not already set on the appliance
export PROJECT_ID=YOUR_PROJECT_ID
export CLUSTER_NAME=YOUR_CLUSTER_NAME

# Create the Anthos Bare Metal cluster
cd ~
ta create_cluster --project_id=$PROJECT_ID --cluster_id=$CLUSTER_NAME

Cluster creation may take up to 20 minutes to complete.

Enable online data transfer

You can optionally enable online data transfer. When online data transfer is enabled, data copied to the appliance is streamed to your Cloud Storage bucket. After the data is uploaded to your Cloud Storage bucket, the data is removed from the appliance. Online transfer requires outbound internet access.

ta start_transfer --project_id=$PROJECT_ID --output_bucket=YOUR_BUCKET_NAME

Install drivers

If your appliance is a GPU appliance, you must install the Nvidia drivers:

ta install_nvidia_drivers

Transfer data to your appliance

Edge Appliance supports the following methods to copy data to the appliance:

  • SCP or SFTP for Microsoft Windows, Linux, and macOS.
  • NFS share for Linux and macOS.

Refer to Transfer data in the Transfer Appliance documentation for details.

Monitor transfers

Refer to Monitor your appliance in the Transfer Appliance documentation for details.

Deploy and manage workloads

Your Anthos clusters are listed in the Google Cloud console. From there, you can deploy and manage workloads. See the Anthos documentation for instructions.

Return an appliance

To begin the process of returning an appliance, contact us at edge-appliance@google.com.

Support

For support with your Edge Appliance, contact us at edge-appliance@google.com.