PPA-Dun - Fantasy Baseball Draft Kit

Cloud 1 Backend 2 Frontend 1

CSE416 Software Engineering course project. Fantasy baseball draft recommendation service. Designed and evolved the cloud infrastructure from a minimal dev setup to a production-grade GKE environment with GitOps CI/CD.

Architecture Evolution

→

GCP Cloud CDN HTTPS LB Cloud DNS Docker Nginx VPC Peering GitHub Actions

Infrastructure Design

Designed the infrastructure with 2 VPCs connected via VPC Peering — separating application services from monitoring to isolate observability traffic.

System VPC

DEV subnet 10.10.0.0/16 → dev.ppa-dun.site
Minimal MVP setup. Single VM with Nginx + Docker (FastAPI + MySQL). No HTTPS, no CDN, HTTP only. Fast iteration for feature development.
PROD subnet 10.20.0.0/16 → ppa-dun.site
Production environment with Cloud CDN for frontend caching, Google-managed HTTPS certificate, Global Load Balancer with URL-based routing, and auto-scaling up to 2 instances.
API subnet 10.30.0.0/16 → api.ppa-dun.site
Shared API server with Nginx + Let's Encrypt SSL + FastAPI + MySQL. Serves both frontend and external API consumers.

Monitoring VPC

Monitoring subnet 10.40.0.0/16
Isolated VPC for Prometheus + Grafana. Connected to System VPC via VPC Peering for scraping application metrics without exposing monitoring endpoints.

Why DEV → PROD? Nginx scanning attacks detected — PHP RCE, .env probing, Git repo scanning, bot crawlers

GKE Autopilot Artifact Registry Secret Manager Cloud DNS Terraform Helm ArgoCD External Secrets Workload Identity

Troubleshooting

Why New GCP Project? CPU Quota 12 vCPU limit — Plan A (10.75 CPU ❌) vs Plan B (8 CPU ✅)

Infrastructure Setup

Created a new GCP project (v2-ppa-dun) to isolate GKE resources from the v1 project and work around the CPU quota constraint. All infrastructure provisioned via Terraform:

Terraform File	Resources
vpc.tf	New VPC + Subnet (`10.50.0.0/16`)
gke.tf	GKE Autopilot cluster (nodes managed by GKE)
secrets.tf	GCP Secret Manager secrets (DB credentials, API keys)
workload-identity.tf	GCP SA ↔ K8s SA binding for Secret Manager access

Application deployment managed via Helm chart + ArgoCD GitOps:

Helm — Templated K8s manifests for frontend (Nginx), backend (FastAPI), Ingress, SSL, and secrets
ArgoCD — Watches the Helm chart repo. Git push triggers automatic sync and pod redeployment
External Secrets Operator — Syncs GCP Secret Manager → K8s Secrets via Workload Identity (no credentials in Git)
GKE Ingress — Global LB with Google-managed SSL certificate for ppa-dun.site

IP	Method	User-Agent	Requests
63.168.71.160	GET	libwww-http	~35

Method

User-Agent

Requests

63.168.71.160

GET

libwww-http

~35

IP	Paths Scanned	Pattern
42.148.237.245	`.env`, `.aws/config`, `wp-config.php`	Single burst
78.153.140.40	`.env`	Repeated every 1-2 hrs
34.187.158.4	`.env`	HEAD (stealth probe)

Paths Scanned

Pattern

42.148.237.245

.env, .aws/config, wp-config.php

Single burst

78.153.140.40

.env

Repeated every 1-2 hrs

34.187.158.4

.env

HEAD (stealth probe)

IP	Paths Scanned
34.187.158.4	`.git/config`, `.git/HEAD`
88.242.246.64	`.gitignore`, `.git/config`, `/.env`

Paths Scanned

34.187.158.4

.git/config, .git/HEAD

88.242.246.64

.gitignore, .git/config, /.env

IP	User-Agent	Path
66.168.34.234	Companionbot/1.1	/
45.156.129.134	BotSquilla/1.0	/
45.156.87.70	Googlebot/2.1 (fake)	POST /

User-Agent

Path

66.168.34.234

Companionbot/1.1

45.156.129.134

BotSquilla/1.0

45.156.87.70

Googlebot/2.1 (fake)

POST /

Pod	CPU Request
ArgoCD (7 Pods)	~2.0
api-api	0.5
api-be	0.5
api-db (MySQL)	0.5
ppa-dun-fe (nginx)	0.5
ppa-dun-be	0.5
ppa-dun-db	0.5
External Secrets (3 Pods)	~0.5
Prometheus	0.5
Grafana	0.25
GKE System Pods	~4.5
Total	~10.75 / 12 CPU

Pod

CPU Request

ArgoCD (7 Pods)

~2.0

api-api

0.5

api-be

0.5

api-db (MySQL)

0.5

ppa-dun-fe (nginx)

0.5

ppa-dun-be

0.5

ppa-dun-db

0.5

External Secrets (3 Pods)

~0.5

Prometheus

0.5

Grafana

0.25

GKE System Pods

~4.5

Total

~10.75 / 12 CPU

Pod	CPU Request
ArgoCD (7 Pods)	~2.0
ppa-dun-fe (nginx)	0.5
ppa-dun-be	0.5
External Secrets (3 Pods)	~0.5
GKE System Pods	~4.5
Total	~8.0 / 12 CPU

Pod

CPU Request

ArgoCD (7 Pods)

~2.0

ppa-dun-fe (nginx)

0.5

ppa-dun-be

0.5

External Secrets (3 Pods)

~0.5

GKE System Pods

~4.5

Total

~8.0 / 12 CPU

Service	Domain	Stack
API Server	api.ppa-dun.site	Nginx + Let's Encrypt + FastAPI + MySQL
DEV Server	dev.ppa-dun.site	Nginx + Docker (FastAPI)

Service

Domain

Stack

API Server

api.ppa-dun.site

Nginx + Let's Encrypt + FastAPI + MySQL

DEV Server

dev.ppa-dun.site

Nginx + Docker (FastAPI)