Where does the auth data come from?
What the diagram labels “Auth Data” is additional authenticated data which is more commonly called “associated data” or “additional data” and abbreviated AAD or AD. It's an input of the GCM calculation. You don't generate it. GCM always takes AD input. It can be empty, there's nothing special about empty AD in the calculation or the security.
How to produce Auth Data and tag in GCM?
To produce the GCM tag, you follow the GCM specification to calculate it.
If I encrypt a message by using counter mode, will the security be weaker than GCM
If you encrypt a message in counter mode, this won't be authenticated. So the security is completely different from GCM. GCM is authenticated encryption: it guarantees both the confidentiality and the authenticity of the message. Successfully decrypting a CTR-encrypted message means nothing: if the message was fake or corrupted, you just get corrupted data. Successfully decrypting a GCM-protected message guarantees that you're getting a message produced by a holder of the secret key. Notice how I wrote “GCM-protected” and not just “GCM-encrypted”; terminology around AEAD is sometimes misleading. “GCM-encrypted” is correct, but misleading because GCM does more than encrypting. “Encrypting” a message with GCM (or any other AEAD algorithm) also authenticates it, and “decrypting” a message also verifies its authenticity. The verbs “encrypt” and “decrypt” are standard terminology, however, so keep using them, but be aware that they don't tell the full story.
Is MAC-appended CTR-mode encrypted text weaker than GCM?
If done right, a MAC appended to a CTR ciphertext, or CTR encryption of the plaintext plus a MAC, is a valid AEAD construct. In fact, that's how many standard AEAD constructs work, including GCM. However, there are many opportunities to do it wrong, such as undesirable interactions between the encryption key and the MAC key (that broke OCB2), bad nonce/IV choices, etc. (Another potential mistake would be to use CBC instead of CTR, which opens opportunities to padding oracle attacks.) For example, “use HMAC-SHA method” is a good way to generate a MAC, but “XOR along the way” could mean a lot of things, most of which would be insecure.
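Added example (not from the answer above): a minimal encrypt-then-MAC construction of the kind the answer describes, with a counter-mode keystream, separate derived encryption and MAC keys, and an HMAC tag over nonce, AD and ciphertext. As an assumption, AES-CTR is replaced by an HMAC-SHA256 keystream so the script runs on the standard library alone; `demo()` shows that bare counter mode turns a tampered ciphertext into silent garbage, while the tag rejects both a tampered ciphertext and a mismatched AD.

```python
import hmac
import hashlib
import secrets

# Counter mode: keystream block i = PRF(key, nonce || i). HMAC-SHA256 stands in
# for the AES block function here (assumption, so the example needs no extra library).
def ctr_keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def ctr_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Same operation encrypts and decrypts; nothing here checks integrity.
    return bytes(a ^ b for a, b in zip(data, ctr_keystream(key, nonce, len(data))))

def derive_keys(master: bytes):
    # Separate encryption and MAC keys: reusing one key for both is one of the
    # "done wrong" cases the answer warns about.
    return (hmac.new(master, b"enc", hashlib.sha256).digest(),
            hmac.new(master, b"mac", hashlib.sha256).digest())

def mac_input(ad: bytes, nonce: bytes, ct: bytes) -> bytes:
    # Length-prefix the AD so AD and ciphertext bytes cannot be shifted into each
    # other (GCM covers the same ambiguity with its final length block).
    return len(ad).to_bytes(8, "big") + ad + nonce + ct

def aead_encrypt(master: bytes, nonce: bytes, plaintext: bytes, ad: bytes = b""):
    enc_key, mac_key = derive_keys(master)
    ct = ctr_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, mac_input(ad, nonce, ct), hashlib.sha256).digest()
    return ct, tag

def aead_decrypt(master: bytes, nonce: bytes, ct: bytes, tag: bytes, ad: bytes = b""):
    enc_key, mac_key = derive_keys(master)
    expected = hmac.new(mac_key, mac_input(ad, nonce, ct), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):   # verify before decrypting
        return None
    return ctr_xor(enc_key, nonce, ct)

def demo():
    master, nonce = secrets.token_bytes(32), secrets.token_bytes(12)
    pt, ad = b"transfer 100 to alice", b"msg-id:42"      # constructed sample message
    ct, tag = aead_encrypt(master, nonce, pt, ad)
    enc_key, _ = derive_keys(master)
    tampered = bytes([ct[0] ^ 0x01]) + ct[1:]            # flip one ciphertext bit
    return {
        "roundtrip": aead_decrypt(master, nonce, ct, tag, ad) == pt,
        "ctr_silently_corrupted": ctr_xor(enc_key, nonce, tampered) != pt,
        "aead_rejects_tamper": aead_decrypt(master, nonce, tampered, tag, ad) is None,
        "aead_rejects_wrong_ad": aead_decrypt(master, nonce, ct, tag, b"msg-id:43") is None,
    }
```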