This document describes the prerequisites for deploying a SQL Server workload on Google Cloud using Workload Manager.
You must first meet the prerequisites for using the Guided Deployment Automation tool before deploying a SQL Server workload.
Prerequisite | Description |
---|---|
Google Cloud network resources | Create or select a VPC network and subnetwork for your SQL Server deployment. You must also configure outbound internet access for your machines to download the required packages. For more information, see Network. |
IAM roles and permissions | Users who deploy a SQL Server workload using the Guided Deployment Automation tool must have or be granted the required roles and permissions to configure the deployment. For more information, see IAM roles and permissions. |
Secrets for SQL Server workload | To securely provide the passwords for your workload, you must use a secret created using Secret Manager. For more information, see Secrets for SQL Server workload. |
Quotas | Make sure that you have sufficient resource quota in your project to deploy the SQL Server application. For more information, see Quotas. |
SQL Server installation media | Create a Cloud Storage bucket in the project in which you deploy the SQL Server application and upload all the SQL Server files required for deployment. For more information, see Prepare SQL Server installation files for deployment. |
Configure networking resources
This section describes the Google Cloud networking resources that you need to configure before deploying the SQL Server workload.
VPC Network And Subnetwork
Although your project has a default VPC and subnetwork (subnet), we recommend that you create a new network so that the only firewall rules in effect are those that you create explicitly. Create a VPC network and subnet or contact your Google Cloud organization's networking team.
Create a Cloud NAT gateway
During the deployment process, VMs need outbound internet access to download packages and register for licensing. Google recommends that you create a Cloud NAT gateway to provide external internet access for your VMs without creating external IP addresses. You can create a Cloud NAT in each subnet and region in which your VMs are located.
If you don't want to use a Cloud NAT gateway, during the deployment process you can specify external IP addresses to provide the required internet access for your VMs.
IAM permissions and roles
The following permission is required to enable the Workload Manager API in the project where you're deploying the workload. This permission only needs to be granted once in each project. An administrator or another user with this permission can enable the API and other users will be able to access Workload Manager in the project.
Action(s) | Permission(s) Required | Example Role(s) |
---|---|---|
Enabling Workload Manager API | serviceusage.services.enable | roles/editor, roles/serviceusage.serviceUsageAdmin |
Workload Manager also has roles to control who can access the deployment options and determine who can deploy, manage, and view deployments. Each role has the necessary permissions to perform the stated tasks. A complete list of the permissions assigned to each role can be found in the references section of the documentation.
Role | Deployment Actions in WLM |
---|---|
Workload Manager Deployment Admin | Create / Modify / Deploy / View |
Workload Manager Deployment Viewer | View |
You must also have the following permission to create the service accounts that are used throughout the deployment process.
Action(s) | Permission(s) Required | Example Role(s) |
---|---|---|
Creating service accounts used in deployment | resourcemanager.projects.setIamPolicy | roles/resourcemanager.projectIamAdmin |
Secrets for SQL Server workload
The Guided Deployment Automation tool uses Secret Manager to store passwords needed during the deployment process. Plain text passwords are prohibited in accordance with our Terraform best practices.
Before using the Guided Deployment Automation tool, you must create at least one Secret using Secret Manager.
Make sure that the passwords you store as secrets meet the password complexity requirements for SQL Server accounts. To do so, follow the SQL Server guidance for creating passwords.
You must create secrets in the project in which you deploy the SQL Server workload.
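One way to pre-check a password and create the secret from the command line, as an added example that is not part of the product documentation. The complexity thresholds are coded from Microsoft's documented SQL Server password policy rather than from this page, and the project name, secret name, and login in the usage comment are hypothetical placeholders.

```sh
#!/bin/sh
# Added example, not Google's or Microsoft's code. Project and secret names in the
# usage comment are hypothetical placeholders.

# check_sql_password PASSWORD [LOGIN]
# Succeeds only if PASSWORD satisfies Microsoft's documented SQL Server password
# policy: 8 to 128 characters, characters from at least three of four classes,
# and not containing the login name (case-insensitive match is an assumption here).
# The body is a subshell so that LC_ALL=C (byte-wise ranges) does not leak out.
check_sql_password() (
    LC_ALL=C; export LC_ALL
    pw=$1
    login=$2
    [ "${#pw}" -ge 8 ] && [ "${#pw}" -le 128 ] || exit 1

    classes=0
    case $pw in *[A-Z]*) classes=$((classes + 1)) ;; esac
    case $pw in *[a-z]*) classes=$((classes + 1)) ;; esac
    case $pw in *[0-9]*) classes=$((classes + 1)) ;; esac
    case $pw in *[!A-Za-z0-9]*) classes=$((classes + 1)) ;; esac
    [ "$classes" -ge 3 ] || exit 1

    if [ -n "$login" ]; then
        lower_pw=$(printf '%s' "$pw" | tr 'A-Z' 'a-z')
        lower_login=$(printf '%s' "$login" | tr 'A-Z' 'a-z')
        case $lower_pw in *"$lower_login"*) exit 1 ;; esac
    fi
    exit 0
)

# store_sql_secret PROJECT SECRET_NAME PASSWORD [LOGIN]
# Validates first, then pipes the value to gcloud on stdin (--data-file=-) so it
# is not placed on a command line; printf '%s' avoids storing a trailing newline.
store_sql_secret() {
    check_sql_password "$3" "${4:-}" || {
        echo "password does not meet SQL Server policy; secret not created" >&2
        return 1
    }
    printf '%s' "$3" | gcloud secrets create "$2" \
        --project="$1" --replication-policy=automatic --data-file=-
}

# Usage, reading the password without echo:
#   stty -echo; IFS= read -r PW; stty echo
#   store_sql_secret my-project sql-sa-password "$PW" sa
```

Pass the project in which you deploy the SQL Server workload as the first argument, because the secret must live in that project.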
Quotas
Google Cloud uses quotas to protect and control the number of resources that a particular account or organization can use. SQL Server workloads often consume a large portion of resources. Given the size of the databases and applications, you might experience quota issues during the deployment process.
To avoid quota issues, do the following:
- View available resource quota for your project.
- If needed, request a higher quota limit or contact your project administrator.
Licensing
Customers have a range of options for on-demand SQL Server and Windows Server licenses directly from Google Cloud, and also the option to bring their own existing licenses if those licenses meet the eligibility requirements. For more information, see the Microsoft licensing documentation.
Prepare the SQL Server installation files
For SQL Server high availability (HA) configuration using bring your own license (BYOL), you must create a Cloud Storage bucket in the project to hold the required installation media (ISO) file used during installation of SQL Server. Use the Google Cloud console to create a Cloud Storage bucket for storing the SQL Server installation files.
After creating the bucket, upload the SQL Server installation ISO file to the bucket by following your chosen method to upload objects to a bucket.
What's next
- Learn how to deploy a SQL Server workload.