CheatSheets - Google - Professional Architect

This cheat sheet provides concise summaries of key concepts for the Google Cloud Professional Architect exam, including IP addressing, networking essentials, virtual private clouds, containers, and security best practices. It aims to highlight the most important information for exam preparation in a simple and easy to understand format.

Uploaded by

devop journey

Google Professional Cloud Architect

Cheat Sheets
These cheat sheets are provided for non-commercial purpose for personal study.

Please do not redistribute or upload these cheat sheets elsewhere.

Good luck on your exam!


Google Professional Cloud Architect CheatSheet
Networking
IPv4 is the original version of the Internet Protocol, which first came on the scene in 1981.
IPv6 is a newer version, designed in 2017 to deal with the problem of IPv4 address exhaustion (usable IPs).
Private IP addresses - Defined by standard RFC1918
Single Class A - 10.0.0.0 – 10.255.255.255 - 16,777,216 addresses
16 Class B - 172.16.0.0 – 172.31.255.255 - 1,048,576 addresses
256 Class C - 192.168.0.0 – 192.168.255.255 - 65,536 addresses
Classless Inter-Domain Routing (CIDR)
With CIDR-based networks you are not limited to these three classes of network.
Classes A, B and C have been replaced by something more efficient, which allows you to create networks in any one of those ranges.
CIDR ranges are written as a starting IP address, called the network address, followed by a prefix: a slash and a number.
IP - TCP/UDP
A packet is the basic unit of information in network transmission. Most networks use TCP/IP as the network protocol, or set of rules for communication
between devices, and the rules of TCP/IP require information to be split into packets that contain a segment of data to be transferred along with the protocol
and its port number, the originating address and the address of where the data is to be sent.
UDP is another transport protocol carried over IP and is used in specific applications.
Virtual Private Cloud (VPC)
• Virtualized network within Google Cloud
• A VPC is a Global resource
• Encapsulated within a Project
• VPCs do not have any IP address ranges associated with them
• Firewall rules control traffic flowing in and out of the VPC
• Resources within a VPC can communicate with one another by using internal (private) IPv4 addresses
• Support only for IPv4 addresses
• Each VPC contains a default network
• 2 Network types: Auto Mode or Custom Mode
Subnets
• A subnetwork of a VPC
• Each VPC network consists of one or more subnets and each subnet is associated with a region
• The name or region of a subnet cannot be changed after you have created it
• Primary and secondary ranges for subnets cannot overlap with any allocated range
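The RFC 1918 table and the CIDR notation above, together with the rule that subnet ranges must not overlap an allocated range, can be checked mechanically. This is an added example, not part of the cheat sheet; the VPC contents and the candidate ranges are constructed, and it uses only the standard library's ipaddress module.

```python
"""Constructed example, not from the cheat sheet: checks a proposed VPC
subnet range against the RFC 1918 private blocks listed above and against
the ranges already allocated in the VPC, since primary and secondary subnet
ranges must not overlap any allocated range."""
import ipaddress

# The three RFC 1918 private blocks, as in the table above.
RFC1918_BLOCKS = {
    "Class A": ipaddress.ip_network("10.0.0.0/8"),
    "Class B": ipaddress.ip_network("172.16.0.0/12"),
    "Class C": ipaddress.ip_network("192.168.0.0/16"),
}


def prefix_summary(cidr):
    """(network address, prefix length, number of addresses) for a CIDR range."""
    net = ipaddress.ip_network(cidr)
    return str(net.network_address), net.prefixlen, net.num_addresses


def rfc1918_block(cidr):
    """Name of the RFC 1918 block that fully contains cidr, or None."""
    net = ipaddress.ip_network(cidr)
    if net.version != 4:
        return None
    for name, block in RFC1918_BLOCKS.items():
        if net.subnet_of(block):
            return name
    return None


def check_new_subnet(cidr, allocated):
    """Problems with adding `cidr` to a VPC whose already allocated primary
    and secondary ranges are `allocated`. An empty list means the range is OK."""
    problems = []
    try:
        # strict=True rejects ranges with host bits set, e.g. 10.0.0.5/24
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:
        return [f"invalid CIDR {cidr}: {exc}"]
    if net.version != 4:
        return [f"{cidr}: VPC subnets in this sheet are IPv4 only"]
    if rfc1918_block(cidr) is None:
        problems.append(f"{cidr} is outside the RFC 1918 private ranges")
    for other in allocated:
        if net.overlaps(ipaddress.ip_network(other)):
            problems.append(f"{cidr} overlaps allocated range {other}")
    return problems


# Constructed VPC: one primary range and one secondary range already in use.
ALLOCATED = ["10.0.0.0/16", "10.1.128.0/20"]

if __name__ == "__main__":
    for candidate in ["10.2.0.0/16", "10.1.0.0/16", "100.64.0.0/10", "10.0.0.5/24"]:
        print(candidate, check_new_subnet(candidate, ALLOCATED) or "OK")
```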
Routing
• Routes define the network traffic path from one destination to another
• In a VPC, a route consists of a single destination (CIDR) and a single next hop
• All routes are stored in the routing table for the VPC
• Each packet leaving a VM is delivered to the next hop of an applicable route based on a routing order
Routing Types
System-generated – Default, Subnet Route
Custom Routes - Static Route, Dynamic Route
Default Route
• Path to the Internet
• Path for Private Google Access
• Can be deleted only by replacing with custom route
• Lowest priority
Subnet Route
• Routes that define paths to each subnet in the VPC
• Each subnet has at least one subnet route whose destination matches the primary IP range of the subnet
• When a subnet is created, a corresponding subnet route is created for both primary and secondary IP range
• Cannot delete a subnet route unless you modify or delete the subnet
Static Route
• Can use the next hop feature
• Can be created manually
• Static routes for the remote traffic selectors are created automatically when creating Cloud VPN tunnels
Dynamic Route
• Managed by one or more Cloud Routers
• Dynamically exchange routes between a VPC and on-premises networks
• Destination IP ranges outside the VPC network
• Used with dynamically routed VPNs and Interconnect
Subnet routes are considered first because Google Cloud requires that subnet routes have the most specific destinations matching the IP address ranges of
their respective subnets
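The route types and the routing order described above can be modelled in a few lines: the applicable route with the most specific destination wins (so subnet routes beat everything else and the default route 0.0.0.0/0 is the path of last resort), and among equally specific routes the lower priority number wins. This is an added, simplified model, not code from the cheat sheet; the routing table is constructed.

```python
"""Constructed example, not from the cheat sheet: a simplified model of how
a VPC chooses the route for a packet leaving a VM. Longest prefix wins,
which is why subnet routes are considered first and the default route is the
lowest-priority path; ties are broken by priority (lower number wins)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    name: str
    dest: str            # destination CIDR
    next_hop: str        # e.g. "subnet", "default-internet-gateway", "vpn-tunnel-a"
    kind: str            # "subnet", "default", "static" or "dynamic"
    priority: int = 1000  # lower number = higher priority


def select_route(routes, dst_ip):
    """Return the Route a packet to dst_ip is delivered to, or None if no
    route applies (the packet is dropped)."""
    ip = ipaddress.ip_address(dst_ip)
    candidates = [r for r in routes if ip in ipaddress.ip_network(r.dest)]
    if not candidates:
        return None
    return min(candidates,
               key=lambda r: (-ipaddress.ip_network(r.dest).prefixlen, r.priority))


# Constructed routing table: two subnets, an on-premises 192.168.0.0/16 network
# reachable over two VPN tunnels, and the system-generated default route.
ROUTES = [
    Route("default-internet", "0.0.0.0/0", "default-internet-gateway", "default", 1000),
    Route("subnet-a", "10.10.0.0/20", "subnet", "subnet", 0),
    Route("subnet-b", "10.20.0.0/24", "subnet", "subnet", 0),
    Route("vpn-primary", "192.168.0.0/16", "vpn-tunnel-a", "dynamic", 100),
    Route("vpn-backup", "192.168.0.0/16", "vpn-tunnel-b", "static", 200),
    # More specific than the /16 routes, so it wins despite the higher number.
    Route("onprem-mgmt", "192.168.50.0/24", "vpn-tunnel-b", "static", 500),
]


def without_default(routes):
    """The table after the default route is deleted: no path to the internet."""
    return [r for r in routes if r.kind != "default"]


if __name__ == "__main__":
    for ip in ["10.10.3.7", "8.8.8.8", "192.168.1.1", "192.168.50.9"]:
        r = select_route(ROUTES, ip)
        print(f"{ip:15} -> {r.name} via {r.next_hop}")
    print("8.8.8.8 without default route ->", select_route(without_default(ROUTES), "8.8.8.8"))
```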
VM instances that only have internal IP addresses can use Private Google Access. They can reach the external IP addresses of Google APIs and services
Internal IP addresses are not publicly advertised; they are used only within a network. Every VPC network or on-premises network has at least one internal IP
address range. In Google Cloud you define this as a subnet range, and Google automatically reserves 3 IPs in it, as discussed earlier.
You can assign an external IP address to an instance or a forwarding rule if you need to communicate with the internet, with resources in another network, or
need to communicate with a public Google Cloud service
VPC firewall rules let you allow or deny connections to or from your virtual machine (VM) instances based on a configuration that you specify. Each rule
applies to either incoming connections or outgoing connections, never both at the same time.
VPC Peering
• Private connectivity across two VPC networks (RFC 1918)
• Peer across the same or different projects and organizations
• Reduces network latency
• Increases network security
• Reduces network costs
Shared VPC allows an organization to connect resources from multiple projects to a common VPC network so that they can communicate with each other
securely and efficiently using internal IPs from that network.
VPC Flow Logs record a sample of network flows sent from and received by VM instances, including instances used as GKE nodes. These logs can be used for
network monitoring, forensics, real-time security analysis, and expense optimization.
When you enable VPC Flow Logs, you enable them for all VMs in a subnet.
Record format - Log records contain base fields, which are the core fields of every log record, and metadata fields that add additional information. Metadata
fields may be omitted to save storage costs. Base fields are always included and cannot be omitted.
Domain Name system (DNS)
A global decentralized distributed database that lets you store IP addresses and other data and look them up by name.
This system takes human-readable names like www.google.com and translates them into the numeric IP addresses that computers understand.
DNS resource records (RR) are the basic information elements of the Domain Name System. They are entries in the DNS database that provide information
about hosts. These records are physically stored in the zone files on the DNS server. This section goes through some of the most commonly used DNS records,
which come up throughout the course.
Name Server (NS) - This record identifies which DNS server contains the current records for a domain.
An A record (or Address Record) points a domain name to an IP address
A CNAME record, short for Canonical Name record is a type of resource record that maps one domain name to another.
A TXT record (short for text record) is a type of resource record that provides text information to sources outside your domain, that can be used for a number
of arbitrary purposes.
A DNS MX record also known as the 'mail exchange' record is the resource record that directs email to a mail server.
A DNS pointer record (PTR for short) provides the domain name associated with an IP address.
A start of authority (SOA) resource record, created for you when you create your managed zone, specifies authoritative information, including global
parameters, about a DNS zone.
Network Address Translation - NAT
• Translates local private IP(s) to public IP(s) before transferring packets
• Originally designed to deal with the scarcity of free IPv4 addresses
• IPv6 networks do not require NAT, as there is no shortage of addresses
• Provides security and privacy
Types of NAT
• Static NAT - 1 private IP to 1 public IP
• Dynamic NAT - 1 private IP to 1 public IP from a pool of public addresses
• Port Address Translation (PAT) - Multiple private IPs to 1 public IP
Cloud DNS
• Host authoritative name servers and allow authoritative DNS lookups (DNS as a Service)
• 100% SLA - Globally Resilient
Host zones through managed name servers
• Public Zone - visible to the internet
• Private Zone - visible only within your network
Virtualization is the process of running multiple operating systems on a server simultaneously.
Paravirtualization (PV)
In this model a modified guest OS can speak directly to the hypervisor. This requires the operating system kernel to be modified and recompiled before
installation into the virtual machine.
Hardware-assisted virtualization is a virtualization approach that enables efficient full virtualization using help from hardware capabilities, from the host CPU.
Kernel-level virtualization - Instead of using a hypervisor, it runs a separate version of the Linux kernel and sees the associated virtual machine as a
user-space process on the physical host. This makes it easy to run multiple virtual machines on a single host. A device driver is used for communication
between the main Linux kernel and the virtual machine.
Containers are packages of software that contain all of the necessary elements to run in any environment. In this way, containers virtualize the operating
system and run anywhere, from a private data center to the public cloud or even on a developer's personal laptop.
A Docker image is a collection or stack of layers that are created from the sequential instructions in a Dockerfile.
Container Registry is a single place for you to store and manage Docker images
Resource Hierarchy
• Configure and grant access to the various resources
Resource Hierarchy Structure
• Resources are organized hierarchically using a parent/child relationship
• Designed to map organizational structure to Google Cloud
• Better management of permissions and access control
• Policies controlled by IAM
• Access control policies and configuration settings on a parent resource are inherited by the child
• Each child object has exactly one parent.
Domain (cloud level)
Organization (root node)
Folders - Grouping mechanism and isolation boundary
Projects - Core organizational component
Resources - Any service-level resource
Labels - Categorize resources
Super Admin Best Practices
• Not specific to a particular user
• Multi-factor Authentication Setup
• Organization Admin group
• Daily administration of the organization
• Assign principle of least privilege
• Do not add Super Admin to group
• Lock away MFA token in a safe
• Alerting when IAM policies are modified
• Account recovery process
Cloud Billing Account
• Defines who pays for a given set of Google Cloud resources and tracks all costs incurred by Google Cloud usage.
• Can be linked to a payments profile and to one or more projects
• Billing specific roles and permissions to control access
Two Billing Account types
Self-service (Online) or Invoiced (Offline) payments available
Payments Profile
• Processes payments for all Google services
• Stores all payment methods
• Single pane of glass for viewing invoices and payment history
• Controls who can view and receive invoice
• Individual or Business profile types – cannot be changed
Committed Use Discounts (CUD’s)
• Discounted prices when you commit to using a minimum level of resource for a specified term
• 1- or 3-year Commitment
Commitment Types - The commitment fee is billed monthly
Spend-based commitment
• Discount for a commitment to spend a minimum amount (per hour) on a service in a particular region
• 25% discount for 1 year – 52% discount on a 3 year
• Available for Cloud SQL database instances and Google Cloud VMWare Engine
• Applies only to CPU and memory usage
Resource-based commitment
• Discount for commitment to spend a minimum amount for Compute Engine resource in a particular region.
• Available for vCPU, Memory, GPU and Local SSD
• 57% discount for most resources
• 70% for memory-optimized machine types
• For use across Projects
Sustained-use discounts
• Automatic discounts for running Compute Engine resources for a significant portion of the billing month
• Applies to vCPUs and memory for most Compute Engine instance types
• Includes VMs created by GKE
• Does not apply to App Engine flexible, Dataflow and E2 machine types
GCP Pricing Calculator – Quick estimate of what your usage will cost on Google Cloud
Cloud Billing Budgets
• Enables you to track your actual Google Cloud spend against your planned spend
• Budget alert threshold rules that are used to trigger email notifications to help you stay informed about your spending
Billing Export
• Billing export enables granular billing data (such as usage, cost details, and pricing data) to be exported automatically to BigQuery for detailed analysis
• Not retroactive
• Daily cost detail data and pricing data
Identity and Access Management (IAM)
You manage access control by defining who (identity) has what access (role) for which resource. This also includes organizations, folders, and projects.
A policy is a collection of bindings, audit configuration, and metadata.
A binding specifies how access should be granted on resources. It binds one or more members with a single role and any context-specific conditions that
change how and when the role is granted.
The metadata includes additional information about the policy, such as an etag and version to facilitate policy management.
The AuditConfig field specifies the configuration data for how access attempts should be audited.
Google Account - Any email address that's associated with a Google Account, including gmail.com or other domains.
Service Account - An account for an application instead of an individual end user.
Google Groups - A named collection of Google Accounts and service accounts
G Suite Domain - Google Accounts that have been created in an organization's G Suite account
Cloud Identity Domain - Google Accounts in an organization that are not tied to any G Suite applications or features
AllAuthenticatedUsers - A special identifier that represents all service accounts and all users on the internet who have authenticated with a Google Account
AllUsers - A special identifier that represents anyone who is on the internet, including authenticated and unauthenticated users
Roles
• This is a named collection of permissions that grant access to perform actions on Google Cloud resources.
• You cannot grant a permission to the user directly
• You grant a role to a user and all the permissions that the role contains.
Permissions
• Determines what operations are allowed on a resource
• Correspond one-to-one with REST API methods
• Not granted to users directly
E.g., compute.instances.list
Primitive - Roles historically available in the Google Cloud
• Owner
• Editor
• Viewer
Avoid using these roles if possible
Predefined - Finer-grained access control than the primitive roles
Custom - Tailor permissions to the needs of your organization
Conditions
• Used to define and enforce conditional, attribute-based access control for Google Cloud resources.
• Conditions allow you to choose granting resource access to identities only if configured conditions are met
• When a condition exists, the access request is granted only if the condition expression evaluates to true
Metadata
To help prevent a race condition when updating the policy, IAM supports concurrency control through the use of an etag field in the policy
Audit Config
Determines which permission types are logged, and what identities, if any, are exempted from logging
Policy Limitations
• 1 policy per resource (including organizations, folders, projects)
• 1500 members or 250 Google groups per policy
• Up to 7 minutes for policy changes to fully propagate across GCP
• Limit of 100 conditional role bindings per policy
Conditions - Condition attributes are either based on resource or based on details about the request (timestamp, originating/destination IP address)
Condition Limitations
• Limited to specific services
• Primitive roles are unsupported
• Members cannot be allUsers or allAuthenticatedUsers
• Limit of 100 conditional role bindings per policy
• 20 role bindings for same role and same member
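The policy structure (bindings, conditions, etag), the policy limitations and the condition limitations listed above, plus the advice to avoid primitive roles, can be turned into a small policy linter. This is an added example, not code from the cheat sheet or from Google's libraries; the policy documents are constructed, and the etag scheme is a stand-in for the opaque etags the real API returns.

```python
"""Constructed example, not from the cheat sheet: lints an IAM policy
document (the JSON shape returned by getIamPolicy) against the limits and
condition rules listed above, and simulates the etag check that guards a
read-modify-write of the policy."""
from collections import Counter

PRIMITIVE_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
MAX_MEMBERS, MAX_GROUPS = 1500, 250          # per policy
MAX_CONDITIONAL_BINDINGS = 100               # per policy
MAX_BINDINGS_SAME_ROLE_MEMBER = 20           # same role + same member


def lint_policy(policy):
    """Return a list of (severity, message); an empty list means clean."""
    findings = []
    bindings = policy.get("bindings", [])
    members = {m for b in bindings for m in b.get("members", [])}
    groups = {m for m in members if m.startswith("group:")}
    if len(members) > MAX_MEMBERS:
        findings.append(("error", f"{len(members)} members exceeds {MAX_MEMBERS}"))
    if len(groups) > MAX_GROUPS:
        findings.append(("error", f"{len(groups)} groups exceeds {MAX_GROUPS}"))
    conditional = [b for b in bindings if b.get("condition")]
    if len(conditional) > MAX_CONDITIONAL_BINDINGS:
        findings.append(("error", f"{len(conditional)} conditional bindings exceeds {MAX_CONDITIONAL_BINDINGS}"))
    # Conditions are only understood by policy format version 3.
    if conditional and policy.get("version", 1) < 3:
        findings.append(("error", "conditional bindings require policy version 3"))
    pair_count = Counter()
    for b in bindings:
        role, mems, cond = b.get("role", ""), b.get("members", []), b.get("condition")
        for m in mems:
            pair_count[(role, m)] += 1
        if cond and role in PRIMITIVE_ROLES:
            findings.append(("error", f"condition on primitive role {role} is unsupported"))
        elif role in PRIMITIVE_ROLES:
            findings.append(("warn", f"primitive role {role} granted; prefer a predefined role"))
        for m in mems:
            if m in PUBLIC_MEMBERS and cond:
                findings.append(("error", f"conditional binding cannot include {m}"))
            elif m in PUBLIC_MEMBERS:
                findings.append(("warn", f"{role} granted to {m} (public access)"))
    for (role, m), n in pair_count.items():
        if n > MAX_BINDINGS_SAME_ROLE_MEMBER:
            findings.append(("error", f"{n} bindings of {role} to {m} exceeds {MAX_BINDINGS_SAME_ROLE_MEMBER}"))
    return findings


def set_policy(stored, proposed):
    """Simulate setIamPolicy's concurrency control: the proposed policy must
    carry the etag of the version it was derived from, else the write is
    rejected and the caller must re-read and retry. Etags here are a
    constructed 'etag-N' scheme, not the real opaque values."""
    if proposed.get("etag") != stored.get("etag"):
        raise ValueError("etag mismatch: policy changed since it was read")
    new = dict(proposed)
    new["etag"] = "etag-" + str(int(stored["etag"].split("-")[1]) + 1)
    return new


# Constructed policies for the checks above.
SAMPLE_POLICY = {
    "version": 1, "etag": "etag-1",
    "bindings": [
        {"role": "roles/viewer", "members": ["user:alice@example.com"],
         "condition": {"title": "expires",
                       "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}},
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
        {"role": "roles/editor", "members": ["group:devs@example.com"]},
        {"role": "roles/compute.instanceAdmin.v1",
         "members": ["serviceAccount:ci@example-project.iam.gserviceaccount.com"]},
    ],
}
CLEAN_POLICY = {"version": 3, "etag": "etag-1", "bindings": [
    {"role": "roles/compute.viewer", "members": ["group:ops@example.com"]}]}


def policy_with_repeated_binding(n):
    """One role granted to one member in n differently conditioned bindings."""
    return {"version": 3, "etag": "etag-1", "bindings": [
        {"role": "roles/compute.viewer", "members": ["user:bob@example.com"],
         "condition": {"title": f"window-{i}",
                       "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}}
        for i in range(n)]}


if __name__ == "__main__":
    for sev, msg in lint_policy(SAMPLE_POLICY):
        print(f"[{sev}] {msg}")
```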
AuditConfig Logs
Specifies the audit configuration for a service. The configuration determines which permission types are logged, and what identities, if any, are exempted from
logging. An AuditConfig must have one or more AuditLogConfigs.
A service account is a special kind of account used by an application or a virtual machine (VM) instance, not a person.
An application uses the service account to authenticate between the application and GCP services so that the users aren't directly involved
A special type of Google account intended to represent a non-human user that needs to authenticate and be authorized to access data in Google APIs.
Service Account types
• User-managed - created by you; you choose the name
Default
• Created automatically when you use certain Google Cloud services; these are user-managed service accounts
• Automatically granted the Editor role for the project
Google-managed
• Managed by Google, and they are used by Google services
• Some are visible, some hidden
• Name ends with "Service Agent" or "Service Account"
Service Account Keys
Google-managed – Key management: none; all handled by Google
User-managed – Key management: key storage, key distribution, key revocation, key rotation, protecting the keys from unauthorized users, key recovery
Access scopes
• Access scopes are the legacy method of specifying permissions for your instance
• They are used in place of IAM roles
• They apply specifically to default or automatically created service accounts
• Based on the enabled APIs
Cloud Identity is an Identity as a Service (IDaaS) solution that centrally manages users and groups. It is the sole system for authentication and provides a
single sign-on experience for all employees of an organization, usable for all your internal and external applications.
Device management - lets people in any organization access their work accounts from mobile devices while keeping the organization's data more secure.
Security - Helps by applying security best practices, lets you deploy 2SV for the whole company with enforcement controls, and can also manage passwords to
make sure they meet the enforced password requirements automatically.
Single Sign on - With single sign-on (SSO), users can access many applications without having to enter their username and password for each application
Reporting - This covers audit logs for logins, groups, devices and even tokens. You are even able to export these logs to BigQuery for analysis. You can then
create reports from these logs that cover security, applications and activity.
Directory Management - Provides profile information for users in your organization, email and group addresses, and shared external contacts in the Directory.
Using Google Cloud Directory Sync (GCDS), you can synchronize the data in your Google Account with your Microsoft Active Directory or LDAP server. GCDS
doesn't migrate any content (such as email messages, calendar events, or files) to your Google Account. You use GCDS to synchronize all your users, groups,
and shared contacts to match the information in your LDAP server.
Google Cloud Directory Sync is a free Google-provided tool that implements the synchronization process and can be run either on Google Cloud or in your on-
premises environment. Synchronization is one-way so that Active Directory remains the source of truth.
Least Privilege
• Apply only the minimal access level required for what’s needed
• Predefined roles over primitive roles
• Grant roles at the smallest scope
• Child resources cannot restrict access granted on their parent
• Restrict who can create and manage service accounts
Policy Management
• To grant access to all projects in your Organization, use an organization-level policy
• Grant roles to a Google group instead of individual users where possible
• When granting multiple roles to a particular task, create a Google group instead
Cloud NAT lets certain resources without external IP addresses create outbound connections to the internet.
Cloud CDN caches objects such as web content to serve it closer to users, accelerating your websites and applications.
Cloud VPN
• Connects your peer network to your VPC network through an IPsec VPN connection.
• IPsec tunnel over the public internet
• Encrypted by one VPN gateway, and then decrypted by the other VPN gateway.
• Regional Service
• Site to site VPN only (no site to client)
• Allows Private Google Access for on-premises hosts
• Supports up to 3Gbps per tunnel
• Dynamic and static routing
• Supports IKEv1 and IKEv2 using Shared Secret
Classic VPN
• 99.9% SLA
• Static and dynamic routing
• 1 external IP address for a single interface
• Deprecating functionality in 2021
HA VPN
• Dynamic routing only
• 2 external IPs to be configured for 2 interfaces
• New default VPN
When to use Cloud VPN
• Public internet access is needed
• Peering location is not available
• Budget constraints
• High speeds/ low latency not needed
• Outgoing traffic (egress) from GCP
Cloud Interconnect
• Low latency, highly available connection between your on-premises and Google Cloud VPC networks
• Directly accessible internal IP addresses - Private Google Access
• Does not traverse the public internet
• Dedicated connection
• Not encrypted
• Expensive
Dedicated Interconnect provides direct physical connections between your on-premises network and Google's network.
Dedicated Interconnect enables you to transfer large amounts of data between your network and Google Cloud, which can be more cost-effective than
purchasing additional bandwidth over the public internet.
Partner Interconnect provides connectivity between your on-premises network and your Virtual Private Cloud (VPC) network through a supported service
provider.
A Partner Interconnect connection is useful if a Dedicated Interconnect colocation facility is physically out of reach, or your workloads don’t warrant an entire
10-Gbps connection.
Direct Peering
• Direct peering connection between your on-premises network and Google's edge network
• 100 locations in 33 countries
• Direct egress pricing available
• Direct Peering connection with Google is FREE
Cloud Router
• Fully Managed service that uses Border Gateway Protocol (BGP) to advertise IP address ranges
• Custom dynamic routes
• Used instead of a physical device or appliance
• Control plane for Cloud NAT
• Used for Dedicated/Partner Interconnect, HA VPN
• Not used for Direct/Carrier peering
Compute Engine
• Virtual machine = Instance (IaaS)
• Multiple instance sizes and types
• Per second billing
• Launched in a VPC network
• Host is available in a Zone
• Multi-tenant host or Sole-tenant node
Machine Configuration
• Many machine types - General, compute, memory
• Intel or AMD
• vCPU = single hardware hyper-thread on CPU
• Network throughput = 2Gbps per vCPU
Operating System
• Image – Linux or Windows
• Custom Image - Private Images (Snapshots/existing disk)
• Marketplace - OS + software
Storage
• Standard - Spinning Hard Drive
• Balanced - Solid State Drive (alternative to SSD)
• SSD - Solid State Drive
• Local SSD - Physically attached (swap disk)
Networking
• Auto, default, custom networks
• Many available regions and zones
• Ingress/egress firewall rules (IP ranges, tags, instances)
• Network load balancing
• Regional/global load balancing
Compute Engine Machine Types
Standard machine type
General-purpose
Standard - Balance of CPU and memory
High-memory - High memory to CPU ratio
High-CPU - High CPU to memory ratio
E2 - Day-to-day computing at a lower cost
N1 - Balanced price/performance across a wide range of VM shapes
Compute-optimised
• C2 - Standard: ultra-high performance for compute-intensive workloads
Memory-optimised
• Ultra-high-memory workloads
Shared-core machine types use context-switching to share a physical core between vCPUs for the purpose of multitasking. Different shared-core machine types
sustain different amounts of time on a physical core.
In general, shared-core instances can be more cost-effective for running small, non-resource intensive applications than standard, high-memory or high-CPU
machine types.
Custom machine types are ideal for:
Workloads that are not a good fit for the predefined machine types that are available to you.
Workloads that require more processing power or more memory, but don't need all the upgrades provided by the next larger predefined machine type.
It costs slightly more to use a custom machine type than an equivalent predefined machine type, and there are limitations in the amount of memory and
vCPUs you can select.
Managing Instances
PROVISIONING - Resources are being allocated for the instance. The instance is not running yet.
STAGING - After provisioning finishes, the lifecycle continues with the staging state.
RUNNING - Once the instance has left staging it moves to the running state. The instance is booting up or running and should allow you to log in (via SSH or
RDP) after a short wait for any startup scripts or boot-time maintenance tasks of the OS, but not immediately after it enters this state.
STOPPING - Either a user has requested that the instance be stopped, or there was a failure. This is a temporary status, and the instance will move to
TERMINATED.
TERMINATED - The last state: a user either shut down the instance, or the instance encountered a failure. You can choose to restart the instance or delete it.
You still pay for static IPs and disks, but as in the suspended or stopped state, you do not pay for the CPU and memory resources allocated to the instance.
Shielded VMs offer verifiable integrity of your Compute Engine VM instances, so you can be sure your instances haven't been compromised by boot- or
kernel-level malware or rootkits. This is achieved through a 4-step process built on Secure Boot, a virtual trusted platform module (vTPM) running Measured
Boot, and integrity monitoring.
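How Measured Boot and integrity monitoring detect a tampered boot component is easier to see in a simplified model: each component is hashed and extended into a vTPM-style PCR, and the final value is compared with the baseline taken at a known-good boot. This is an added illustration, not Shielded VM's implementation or code from the cheat sheet; the boot components are constructed byte strings.

```python
"""Constructed example, not from the cheat sheet: a simplified model of the
Measured Boot + integrity monitoring part of Shielded VM. Each boot component
is hashed and extended into a PCR as SHA-256(pcr || hash), so the final PCR
depends on every component and on their order; integrity monitoring compares
it against the baseline and uses the event log to name what changed."""
import hashlib
from itertools import zip_longest


def extend(pcr, measurement):
    """TPM-style PCR extend: the register is never set, only chained."""
    return hashlib.sha256(pcr + measurement).digest()


def measure_boot(components):
    """components: ordered list of (name, bytes). Returns (pcr_hex, event_log)
    where event_log is [(name, component_hash_hex), ...]."""
    pcr = bytes(32)  # PCRs start zeroed at reset
    log = []
    for name, blob in components:
        digest = hashlib.sha256(blob).digest()
        pcr = extend(pcr, digest)
        log.append((name, digest.hex()))
    return pcr.hex(), log


def integrity_check(baseline_pcr, baseline_log, current_components):
    """Re-measure the current boot and compare with the baseline.
    Returns ("pass", []) or ("fail", [names of components that changed])."""
    pcr, log = measure_boot(current_components)
    if pcr == baseline_pcr:
        return ("pass", [])
    changed = []
    for cur, base in zip_longest(log, baseline_log, fillvalue=(None, None)):
        if cur != base:
            changed.append(cur[0] if cur[0] is not None else base[0])
    return ("fail", changed)


# Constructed boot chain; the baseline is recorded at the first, trusted boot.
BOOT_COMPONENTS = [
    ("firmware", b"uefi firmware 1.0"),
    ("bootloader", b"shim+grub 2.06"),
    ("kernel", b"vmlinuz 5.15"),
    ("initrd", b"initrd 5.15"),
]
BASELINE_PCR, BASELINE_LOG = measure_boot(BOOT_COMPONENTS)


def tampered_boot(components, name, new_blob):
    """Same chain with one component replaced (e.g. a modified kernel)."""
    return [(n, new_blob if n == name else blob) for n, blob in components]


if __name__ == "__main__":
    print("baseline:", integrity_check(BASELINE_PCR, BASELINE_LOG, BOOT_COMPONENTS))
    bad = tampered_boot(BOOT_COMPONENTS, "kernel", b"vmlinuz 5.15 + rootkit")
    print("tampered:", integrity_check(BASELINE_PCR, BASELINE_LOG, bad))
```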
VM Access
SSH
• Requires firewall rule allow - tcp:22
• Google Cloud console
• Cloudshell using CloudSDK
• OS Login (use 2SV)
• Manually creating SSH key pair
RDP
• Requires firewall rule allow - tcp:3389
• Connect using RDP
• Powershell terminal
• Requires setting Windows password
• RDP Chrome extension
• 3rd party RDP client
Live migration keeps your instances running when their Compute Engine hosts need:
Regular infrastructure maintenance and upgrades, replacement of failed hardware, or system configuration changes
Compute Engine Pricing
• Each individual vCPU and each GB of memory is billed separately - resource based
• All vCPUs, GPUs, and GB of memory are charged by the second with a minimum of 1 minute
• Instance uptime - number of seconds between when you start an instance and when you stop an instance (terminated)
Reservations
Ensuring resources are available for when you need them
• Future increases in demand
• Planned or unplanned spikes
• Backup and disaster recovery
• Buffer
Reservations include sustained use and committed use discounts
Apply only to Compute Engine, Dataproc and GKE VMs
Discount types
• Sustained use discounts
• Committed use discounts
• Preemptible VMs
Sustained use discounts are automatic discounts for running specific Compute Engine resources a significant portion of the billing month.
Compute Engine lets you purchase committed use contracts in return for deeply discounted prices for VM usage.
When you purchase a committed use contract, you purchase compute resources (vCPUs, memory, GPUs, and local SSDs) at a discounted price in return for
committing to pay for those resources for 1 year or 3 years.
Preemptible VMs are up to 80% cheaper than regular instances. Pricing is fixed, so you never have to worry about variable pricing. These prices can be found
on the link to Instance pricing that I have included in the lesson text.
Storage Fundamentals
Block storage is a technology that is used to store data files on storage systems or cloud-based storage environments. Block storage is the fastest available
storage type. It is also efficient, and reliable.
• Evenly sized blocks, Uniquely identifiable, Mountable, Bootable
File Storage is normally storage that is presented to users and applications as a traditional network file system.
• Network File System, Directory tree structure, Mountable, Not bootable
Object storage is a general term that refers to the way in which we organize and work with units of storage, called objects.
• Unstructured data, Infinitely scalable, Not mountable, Not bootable
IOPS - a metric that stands for input/output operations per second. A higher IOPS value means the device can execute more operations per second.
Persistent Disk Snapshots
• Backup and restore of persistent disks
• Global resources
• Support for zonal and regional PDs
• Incremental and automatically compressed
• Snapshots are stored in Cloud Storage
• Stored in regional or multi-regional location
Snapshot schedules
• Best practice for backups
• Must be in the same region as the PD
Managing Snapshots
• At most 1 snapshot per disk every 10 min
• Create regular schedules
• Eliminate excessive snapshots
• Set schedule to off-peak hours
• Windows - create VSS snapshots
Sole-tenant Nodes
A physical compute engine server that is dedicated to hosting only your project’s VMs.
You can use sole-tenant nodes to keep your VMs physically separated from VMs in other projects or to group your VMs together on the same host hardware.
Node Templates - This is a regional resource that defines the properties of each node in a node group
Node Groups
When you create a node group from a node template, each node in the node group inherits the node template's node type specification.
Sole-tenant Node Pricing
• Billed for entire sole-tenant node on a per-second basis
• All vCPU and memory + 10% cost of underlying vCPU and memory
• Only sustained use discounts apply
• Billed for GPUs and SSDs
• No support for preemptible VM instances
Load Balancing
• Distributes user traffic across multiple instances
• Single point of entry with multiple backends
• Fully distributed and software defined
• Global and Regional
• Serve content as close as possible to users
• Autoscaling with health checks
Load Balancer Types
HTTP(S) Load Balancer
Global, proxy-based Layer 7 load balancer behind a single external IP address
SSL Proxy
Reverse proxy load balancer that distributes SSL traffic coming from the internet to VMs
TCP Proxy
Reverse proxy load balancer that distributes TCP traffic coming from the internet to VMs
TCP/UDP Network Load Balancing (after this referred to as Network Load Balancing) is a regional, pass-through load balancer.
A network load balancer distributes TCP or UDP traffic among instances in the same region.
Internal Load Balancer
Internal TCP/UDP Load Balancing distributes traffic among VM instances in the same region by using an internal IP address.
An instance group is a collection of virtual machine (VM) instances that you can manage as a single entity.
Managed Instance Groups (MIGs) are great for stateless serving workloads such as website frontends, web servers and web applications, where the application
does not preserve its state and saves no data to persistent storage.
All user and session data stays with the client, which makes scaling up and down quick and easy
Stateless batch: high-performance or high throughput compute workloads
Stateful workloads: use stateful managed instance groups
Autohealing
• Keeps VMs in RUNNING state
• Recreate VMs not in RUNNING state
• Application-based autohealing
• Recreate VMs when app is frozen or has crashed
Zonal or Regional (multi-zone)
• Regional provides higher availability
• Zonal MIGs are in one zone only
• Google recommends regional MIGs
Load Balancing
• Load balancing can use instance groups to serve traffic
• Work together to know how much traffic can be handled
• LB health checks do not send traffic to unhealthy instances
Autoscaling
• Dynamically add or remove instances from the MIG
• Scale up to meet load demands
• Shrink as the load decreases to reduce costs
Auto-updating
• Deploy new versions of software to instances
• Update deployment happens automatically
• Perform rolling updates
An instance template is a resource that you can use to create VM instances and managed instance groups
Instance templates define the machine type, boot disk image or container image, labels, and other instance properties
App Engine Overview
• Fully managed, serverless platform to develop and host web apps
• PaaS service
• Code or containers - Python, Java, Node.js, Go, Ruby, PHP, or .NET
• Autoscaling based on load
• Versions - Allow for rollbacks, migrating or traffic splitting
• Support for connecting to external storage
• Standard and Flexible environments
Standard and Flexible environments
Standard
• Apps run in sandbox environment
• Specific versions of runtimes used
• Run for free or at very low cost
• Designed for sudden and extreme spikes of traffic
• Pricing based on instance hours
Flexible
• Apps run in docker containers
• Any version of runtimes used
• No free quota available
• Designed for consistent traffic
• Pricing based on VM resources
• Managed VMs
Deploying applications to App Engine is as simple as using the gcloud app deploy command
Managing Instances
• Automatically create and shut down instances
• Specify a number of instances to run
• Specify a scaling type
Automatic scaling
• based on metrics like request rate and response latencies
Basic scaling
• creates instances when your application receives requests
Manual scaling
• specifies the number of instances that continuously run
Traffic migration switches the request routing between the versions within a service of your application, moving traffic from one or more versions to a single
new version.
You can use traffic splitting to specify a percentage distribution of traffic across two or more of the versions within a service.
Cloud Functions
• Serverless
• FaaS - Function as a Service
• Runtime - Python, Java, Node.js, Go, .NET core
• Event-driven
• Triggers - HTTP, Pub/Sub, Cloud Storage (Firestore, Firebase)
• Billing - time + resources provisioned (memory)
• Free Tier
Cloud Run
• Managed compute platform to run stateless containers that are invocable by requests or events
• Serverless
• Fast autoscaling – Scale to zero
• High availability – Regional service
• Any language or operating system library – Cloud Code integration
• Security focused – Secret Manager, Binary Authorization, CMEK
• Cloud Run services are secured by IAM
Two different types – Cloud Run for Anthos and Cloud Run
Knative – 3 components
Build – Provides a set of portable and reusable container building methods based on the existing Kubernetes capabilities
Serving – Builds on Kubernetes and Istio to deploy and serve serverless applications and functions
Eventing - enables developers to use an event-driven architecture with serverless applications.
Anthos Overview
• Modern application management platform
• Consistent development/operations experience for cloud and on-premises
• Google Cloud, on-premises, other cloud provider
Manage Kubernetes installations
• Creating, scaling and upgrading
Common orchestration layer for application deployment
• Configuration, upgrade, and scaling
Does not manage the Kubernetes control plane or nodes, only Anthos services
Environ - Google Cloud's concept for logically organizing clusters and other resources, letting you use and manage multi-cluster capabilities and apply
consistent policies across your systems, which makes infrastructure administration easier.
Anthos Clusters
Provides a unified way to work with Kubernetes Clusters as part of Anthos, extending GKE to work in multiple environments.
It gives a consistent, unified, and secure infrastructure, as well as cluster, and container management.
Anthos on VMware
Software that brings GKE to on-premises
Runs in a vSphere environment
Admin Cluster
• Admin cluster control plane – K8s API server, scheduler, controllers
• User cluster control plane – K8s API server, scheduler, controllers
• Add-ons – Grafana, Prometheus, Operations suite
User cluster – Deploy and run workloads and services
Anthos on Bare-metal
This lets you take advantage of your existing infrastructure and offers the flexibility of running Anthos with no hypervisor.
It gives you the ability to deploy applications directly on your hardware infrastructure.
Anthos on AWS - This is hybrid cloud software that extends GKE to AWS.
Connect – component that allows you to connect any of your Kubernetes clusters to Google Cloud.
• It enables access to cluster and workload management features
Ingress for Anthos
• Google Cloud hosted multi-cluster ingress controller for Anthos GKE clusters.
• Supports deploying shared load balancing resources across clusters and across regions, enabling users to use the same load balancer with an anycast IP
for applications running in a multi-cluster and multi-region topology.
Multi-cluster service (MCS) - a custom resource used by multi-cluster ingress that is a logical representation of a service across multiple clusters.
Istio - an open platform that provides a uniform way to connect, manage, and secure microservices.
Service Mesh
• a dedicated infrastructure layer for facilitating service-to-service communications between services or microservices using a proxy.
• A way to control how different parts of an application share data with one another.
Istio on GKE provides automated installation and upgrade of Istio in your GKE cluster
Anthos Service Mesh
Controls the flow of traffic between services as well as Ingress and egress traffic
Anthos Service Mesh – Security
Configures a layer of service context-aware and request context-aware network security, independent of the underlying network security
Anthos Service Mesh – Observability
Service metrics and logs for HTTP traffic are automatically ingested
• Delivers monitoring, latency, traffic, and error telemetry data
• Automatically uploaded to Anthos service mesh console
Anthos Config Management
a suite of components that work together to help ensure consistency for configurations and policies across multi-cluster and hybrid Kubernetes environments
Config Sync
This lets cluster operators and platform administrators deploy consistent configurations and policies.
Policy Controller
a component that enables the enforcement of fully programmable policies for your clusters.
These policies act as guardrails and prevent any changes to the configuration of the Kubernetes API from violating security, operational, or compliance controls.
Hierarchy Controller
introduces the concept of hierarchical namespaces that let you group Kubernetes namespaces according to their owners, and manipulate the groups as
cohesive units
Google Cloud Marketplace
Easy install and management for third party apps – storage, database, CI/CD tools
Migrate for Anthos
a tool used to containerize existing VM-based applications to run on GKE or Anthos.
Migrate for Compute Engine
a lift and shift option that enables you to migrate your VMs to Google Cloud and continuously replicate disk data from the source VMs to Google Cloud
without causing any downtime on the source.
Cloud Run for Anthos - Serverless container development platform for GKE
Autoscaling
• Rapid, request-based autoscaling, concurrency controls and scale to zero
Networking
• Built-in load balancing
• Traffic Splitting
Releases & Rollouts
• Support for revisions and pinning container references
• Canary deployments
Monitoring – Aware of all requests
Binary Authorization - a deploy time security control that ensures only trusted container images are deployed.
CI/CD - the concept to frequently deliver applications to customers by introducing automation into various stages of application development.
Cloud Code – a tool that enables integration to help write, deploy and debug GKE applications from within your IDE
Operations Suite - GCP service that provides a set of tools for managing your web application, including Monitoring, Debugging, Logging, and Tracing
Cloud Monitoring - collects measurements, or metrics, to help you understand how your applications and system services are performing.
Cloud Logging - A central repository for log data from multiple sources. Collect and correlate log data from cloud applications, services, and infrastructure.
Error reporting – Real time error monitoring and alerting
Debugger - lets you inspect the state of a running application without stopping it
Trace – Collects latency data from App Engine, HTTPS load balancer and applications
Profiler – Continuously gathers CPU usage and memory allocation information from your applications
Cloud Storage
• Consistent, scalable, large-capacity, highly durable object storage - not file or block
• Worldwide accessibility and worldwide storage locations
• Use for data files, text files, pictures, videos
• Excels for content delivery, big data sets and backups
• Buckets and Objects
Cloud Storage buckets
• basic container that holds your data
• Organize your data
• Access control
• Storage Classes
Hot data
Standard
• Maximum availability
• No storage duration
• Analytical workloads and transcoding
• $0.02 /GB/month
Nearline
• Low-cost for infrequently accessed data
• 30 day min. storage duration
• Data backup and data archiving
• $0.01 /GB/month
• $ Data access
Cold data
Coldline
• Very low-cost for infrequently accessed data
• 90 day min. storage duration
• Data backup and data archiving
• $0.004 /GB/month
• $$ Data access
Archive
• Lowest-cost archival storage
• 365 day min. storage duration
• Cold data storage
• Disaster recovery
• $0.0012 /GB/month
• $$$ Data access
Access Control
IAM
• standard IAM permissions
• permissions inherited hierarchically
• Recommended over ACLs
• Two levels of granularity: project or bucket level
• Roles available: Primitive, Standard, Legacy
• Legacy roles are equivalent to ACLs
Access Control List (ACL)
• defines who has access to your buckets and objects, as well as what level of access they have
• Granular permissions
• Entry = permission + scope
Signed URLs
• time-limited read/write access URL
• access the object for the duration of time you specify
• Allows users without credentials to perform specific actions on a resource
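As an added example (not code from the cheat sheet, and not Cloud Storage's own V4 signing implementation), the snippet below shows the mechanism behind a time-limited signed URL: a service holding a secret key mints a URL that carries the object path, the allowed HTTP method and an expiry, plus an HMAC over exactly those fields, and the front end refuses any request whose signature, method or expiry does not check out. The secret key, the placeholder host storage.example.invalid, and the bucket and object names are constructed for the example.

```python
"""Time-limited signed URLs: issue and verify (illustrative HMAC scheme)."""
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlparse

SECRET_KEY = b"constructed-example-key-do-not-reuse"  # constructed; load from a secret store in practice
BASE_URL = "https://storage.example.invalid"          # placeholder front-end host


def _string_to_sign(method: str, bucket: str, obj: str, expires: int) -> bytes:
    """Canonical form of every field the verifier must be able to trust."""
    return f"{method.upper()}\n{bucket}/{obj}\n{expires}".encode("utf-8")


def sign_url(method, bucket, obj, ttl_seconds, now=None, key=SECRET_KEY):
    """Mint a URL valid for `ttl_seconds` from `now` (epoch seconds)."""
    now = int(time.time()) if now is None else int(now)
    expires = now + int(ttl_seconds)
    sig = hmac.new(key, _string_to_sign(method, bucket, obj, expires), hashlib.sha256).hexdigest()
    query = urlencode({"method": method.upper(), "expires": expires, "signature": sig})
    return f"{BASE_URL}/{bucket}/{obj}?{query}"


def verify_request(url, method, now=None, key=SECRET_KEY):
    """Return (allowed, reason) for a request made with `method` against `url`."""
    now = int(time.time()) if now is None else int(now)
    parsed = urlparse(url)
    bucket, _, obj = parsed.path.lstrip("/").partition("/")
    query = parse_qs(parsed.query)
    try:
        signed_method = query["method"][0]
        expires = int(query["expires"][0])
        signature = query["signature"][0]
    except (KeyError, IndexError, ValueError):
        return False, "malformed"
    expected = hmac.new(key, _string_to_sign(signed_method, bucket, obj, expires), hashlib.sha256).hexdigest()
    # Constant-time comparison: a plain == leaks timing information about the MAC.
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    if signed_method != method.upper():
        return False, "method mismatch"
    if now > expires:
        return False, "expired"
    return True, "ok"


if __name__ == "__main__":
    issued_at = 1_700_000_000  # constructed issue time
    url = sign_url("GET", "reports-bucket", "q1/summary.pdf", ttl_seconds=600, now=issued_at)
    print(url)
    print(verify_request(url, "GET", now=issued_at + 60))     # allowed
    print(verify_request(url, "GET", now=issued_at + 601))    # expired
    print(verify_request(url.replace("summary", "secret"), "GET", now=issued_at + 60))  # path tampered
```

Because the method, path and expiry are all inside the MAC, a holder of the URL cannot widen it to another object, another verb or a later deadline; the signature is checked before anything else so that unsigned requests learn nothing about expiry handling.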
Signed Policy Documents
• specify what can be uploaded to a bucket
Objects are immutable, which means that an uploaded object cannot change throughout its storage lifetime.
Object Lifecycle Management
Rules - a rule is a set of conditions together with the action taken when those conditions are met
• Any set of conditions
• for any action
Conditions - a condition is something an object must meet before the action defined in the rule occurs on the object
• 1 or multiple
Action - only two options: delete the object or set its storage class
• Delete
• SetStorageClass
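As an added worked example (not code from the cheat sheet or from Google), the evaluator below applies a lifecycle configuration written in the JSON shape Cloud Storage uses (lifecycle.rule[].action and .condition) to constructed sample objects, using only the two actions listed above. The object names, ages and evaluation date are assumptions, and only the age and matchesStorageClass conditions are implemented.

```python
"""Object Lifecycle Management: evaluate rules against sample objects."""
from dataclasses import dataclass
from datetime import date, timedelta

VALID_ACTIONS = {"Delete", "SetStorageClass"}
# Storage classes ordered from highest to lowest at-rest price.
CLASS_RANK = {"STANDARD": 0, "NEARLINE": 1, "COLDLINE": 2, "ARCHIVE": 3}

# Sample configuration (constructed): tier objects down by age, then delete.
LIFECYCLE_CONFIG = {
    "lifecycle": {
        "rule": [
            {"action": {"type": "SetStorageClass", "storageClass": "NEARLINE"},
             "condition": {"age": 30, "matchesStorageClass": ["STANDARD"]}},
            {"action": {"type": "SetStorageClass", "storageClass": "COLDLINE"},
             "condition": {"age": 90, "matchesStorageClass": ["NEARLINE"]}},
            {"action": {"type": "Delete"},
             "condition": {"age": 365}},
        ]
    }
}

TODAY = date(2024, 1, 1)  # constructed evaluation date


@dataclass
class StoredObject:
    name: str
    storage_class: str
    created: date


def sample_object(name, storage_class, age_days, today=TODAY):
    """Build a constructed object that is `age_days` old on `today`."""
    return StoredObject(name, storage_class, today - timedelta(days=age_days))


def validate_config(config):
    """Return the rule list, rejecting shapes the evaluator cannot honour."""
    rules = config["lifecycle"]["rule"]
    for rule in rules:
        action = rule.get("action", {})
        kind = action.get("type")
        if kind not in VALID_ACTIONS:
            raise ValueError(f"unsupported action {kind!r}")
        if kind == "SetStorageClass" and action.get("storageClass") not in CLASS_RANK:
            raise ValueError("SetStorageClass needs a known storageClass")
        if not rule.get("condition"):
            raise ValueError("every rule needs at least one condition")
    return rules


def condition_matches(cond, obj, today):
    """All listed conditions must hold for the rule to fire."""
    age_days = (today - obj.created).days
    if "age" in cond and age_days < cond["age"]:
        return False
    if "matchesStorageClass" in cond and obj.storage_class not in cond["matchesStorageClass"]:
        return False
    return True


def apply_lifecycle(config, obj, today=TODAY):
    """Return the action for `obj`: 'Delete', 'SetStorageClass:<CLASS>' or None.

    Tie-breaking follows the documented Cloud Storage behaviour: Delete wins
    over any SetStorageClass, and among SetStorageClass actions the move to
    the cheapest class wins.
    """
    best_class = None
    for rule in validate_config(config):
        if not condition_matches(rule["condition"], obj, today):
            continue
        action = rule["action"]
        if action["type"] == "Delete":
            return "Delete"
        target = action["storageClass"]
        if best_class is None or CLASS_RANK[target] > CLASS_RANK[best_class]:
            best_class = target
    return f"SetStorageClass:{best_class}" if best_class else None


if __name__ == "__main__":
    for obj in (sample_object("fresh.log", "STANDARD", 10),
                sample_object("q1-report.pdf", "STANDARD", 100),
                sample_object("old-backup.tar", "NEARLINE", 95),
                sample_object("stale.csv", "STANDARD", 400)):
        print(obj.name, obj.storage_class, "->", apply_lifecycle(LIFECYCLE_CONFIG, obj))
```

The matchesStorageClass condition on each tiering rule is what stops a 100-day-old STANDARD object from jumping straight to COLDLINE: it must first be moved to NEARLINE, and only a later evaluation, once it carries that class, moves it on.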
Cloud SQL
• Fully managed, relational database service (RDBMS)
• DBaaS (Database as a Service)
• Low latency, transactional, relational db workloads
• MySQL, PostgreSQL and SQL Server - NEW
• Replication - Read Replicas
• High Availability
• On-demand and automatic backups
• Point in time recovery
• 30TB storage capacity
• Automatic storage increase
• Encryption at rest and in transit
• Billed for instance, persistent disk and egress traffic
Cloud SQL instances are not available in the same machine types as Compute Engine; only shared-core, standard and high-memory machine types are
offered
Storage types for Cloud SQL are limited to HDD and SSD
You can configure it with a Public or Private IP, but after configuring the instance with a private IP, it cannot be changed
Connecting with a private IP is preferred when connecting from a client on a resource with access to a VPC
The Cloud SQL proxy allows you to authorize and secure your connections using Identity and Access Management (IAM) permissions.
In a Cloud SQL instance, the instance that is replicated is called the primary instance and the copies are called read replicas.
A Cloud SQL instance configured for High Availability (HA) is also called a regional instance and is located in a primary and secondary zone within the
configured region.
If an HA-configured instance becomes unresponsive, Cloud SQL automatically switches to serving data from the standby instance. This is called a failover.
When the primary instance is available again, a failback will happen, and this is when traffic will be redirected back to the primary instance
Backups help you restore lost data to your Cloud SQL instance.
Cloud Spanner
• Fully managed relational database service that is both strongly consistent and horizontally scalable
• DBaaS (Database as a Service)
• Supports schemas, ACID transactions, and SQL queries
• Globally distributed
• Handles replicas and sharding
• Synchronous data replication
• Automatic scaling and node redundancy
• Up to 99.999% availability
• Data layer encryption, audit logging, IAM integration
• Designed for financial services, ad tech, retail and global supply chain, gaming
• Pricing: $0.90 /node/hr + $0.30/GB/mo.
To use Cloud Spanner, you must first create a Cloud Spanner instance
This instance is an allocation of resources that is used by Cloud Spanner databases created in that instance.
Performance
• 10,000 QPS of reads or 2,000 QPS of writes
• 2TB of storage per node
• Add nodes to increase data throughput and QPS
• Scale nodes automatically using Cloud Monitoring metrics triggered by Cloud Functions
NoSQL Databases
Cloud Bigtable
Fully managed, wide-column NoSQL database designed for terabyte to petabyte-scale workloads that offers low latency and high throughput.
• Built for real-time app serving & large-scale analytical workloads
• Regional Service
• Automated replication
• Store large amounts of single-keyed data
• Add nodes when you need them
• Cluster resizing
• Ideal data source for MapReduce operations
• High-priced
Use cases
• Time-series data
• Marketing data
• Financial data
• IoT data
• Graph data
What is Big Data?
Massive amounts of data that would typically be too expensive to store, manage, and analyze using traditional database systems.
Traditional databases are not cost effective
• No flexibility for storing unstructured data
• Inability to accommodate “real time” data
• Lacks support for petabyte-scale data volumes
• Apache Hadoop & NoSQL to the rescue
• Extremely complex to deploy and manage
When this data is captured, formatted, manipulated, stored and then analyzed, it can help a company make better decisions (business value).
• Gain useful insight
• Increase revenue
• Get or retain customers
• Improve operations
• Better with Machine Learning
Big Data Services
Big Query
Fully managed, petabyte scale, low cost analytics data warehouse
• Serverless
• Real-time analytics insertion
• Use Standard SQL for querying
• Process external data
• Dataproc, Dataflow, Cloud Storage, Big Table, Cloud SQL, Google Drive
• Parquet, ORC, Google sheets
Data Transfer Service (DTS)
• 145 Services - Teradata, Amazon S3, Azure Blob, etc.
Run open source data science workloads
• Spark, Tensorflow, Dataflow, Apache Beam, MapReduce
Automatic backups
Automatic high availability
Data Governance and security
• Geographic data control, and data encryption at rest and in-transit
Composer - Managed workflow orchestration service, built on Apache Airflow
Dataflow - Fully managed processing service for executing Apache Beam pipelines for batch and realtime data streaming
Dataproc - Fully managed Spark and Hadoop service
• Can be used to replace on-prem Hadoop infrastructure
DataLab - An easy-to-use interactive tool for data exploration, analysis, visualization, and machine learning.
Pub/Sub - Fully-managed, real-time messaging service that allows you to send and receive messages between independent applications.
Dataprep - Serverless, intelligent data service for visually exploring, cleaning, and preparing structured and unstructured data for analysis, reporting, and
machine learning
What is Machine Learning/AI?
Functionality that enables software to perform tasks without any explicit programming or rules.
• Trained to recognize patterns in collected data using algorithmic models
• Collected data includes video, images, speech or text
• Cloud is an efficient place for ML due to the use of massive computation at scale
• AI completes tasks based on a set of stipulated rules that solve problems
What can Machine Learning do?
• Categorize images such as photos, faces, or satellite imagery
• Look for keywords in text documents or emails
• Flag potentially fraudulent transactions
• Enable software to respond accurately to voice commands
• Translate languages in text or audio
Tensorflow – End-to-end open-source platform for machine learning.
It has a comprehensive flexible ecosystem of tools, libraries and community resources that lets researchers push the state of the art in machine learning and
developers build and deploy machine learning powered applications.
AI Platform (Vertex AI) - End-to-end ML platform for data scientists and ML engineers to accelerate ML experimentation and deployment.
Unifies Google Cloud’s existing ML offerings into a single environment for efficiently building and managing the lifecycle of ML projects
BigQuery ML - service that lets you create and execute machine learning models in BigQuery using standard SQL.
Sight
Vision - Pre-trained machine learning models that allow you to assign labels to images and quickly classify them into millions of predefined categories
Video Intelligence
• Pre-trained machine learning models that automatically recognize a vast number of objects, places, and actions in stored and streaming video
Language
Natural Language - Derive insights from unstructured text using Google machine learning
Translation - Translation enables you to dynamically translate between languages using Google’s pre-trained or custom machine learning models
Conversation
Dialog Flow
• Natural language understanding platform that makes it easy to design and integrate a conversational user interface into your application or device
Speech-to-Text
• Accurately convert speech into text using Google’s AI technologies
Text-to-Speech
• Enables developers to synthesize natural-sounding speech with 100+ voices, available in multiple languages and variants
AutoML - a suite of ML products that enables developers with limited machine learning expertise to train high-quality models specific to their business needs.
Data Lifecycle – Ingest, Store, Process & Analyze, Explore and Visualize
Ingest - pulling the data in so that you are able to collect it. Different approaches to collect raw data, based on data’s size, source and latency
Store – Ingested data and analytics workloads can be stored in a variety of formats and locations
Process and Analyze – Data is analyzed directly or prepared for downstream analysis to derive business value and insights
Explore and Visualize – Better understand the results of the processing and analysis through data exploration and visualization
DevOps
a cross-functional community of practice dedicated to the study of building, evolving, and operating rapidly-changing secure, resilient systems at scale.
• Improved deployment frequency
• Faster time to market and faster mean time to recovery
• Lower failure rate of new releases
• Shortened lead time between fixes and
Agile SDLC development method focuses on collaborative decision-making, customer satisfaction, and development over multiple short cycles or sprints,
rather than a top-down process with a single series of stages.
Continuous Integration - an automated process for developers where new code changes to an application are regularly built, tested, and merged to a shared
git repository.
Pillars of DevOps – Culture, Automation, Lean, Measurement, Sharing
Culture in DevOps
• High cooperation – share responsibility for a product
• Surfacing problems – when blame is removed, so is fear
• Sharing risks – It’s everyone’s job
• Communication and collaboration – Breaking down silos
Automation in DevOps
• Continuous Integration - Automated build process & Automated testing
• Version Control – Reproducibility and Traceability
• Continuous Deployment – Use same deployment process for every environment
• Continuous Delivery – Release changes on demand quickly, safely and sustainably
Lean in DevOps
• Identify Value – What is the customer willing to pay for
• Map the value stream – What is the end goal of the project
• Create Flow - Optimal flow of activities
• Establish Pull - Limit inventory and work-in-progress items
• Seek perfection - Continuous improvement
Measurements in DevOps
• Collecting, analyzing and using information to track applications and infrastructure
• Insight – Systems and work
• Rapid Feedback – Find and fix problems
• Communicate information on your systems – Knowledge acquired for knowledge transfer
Sharing in DevOps
• Effective Communication – No excessive meetings or emails, Use collaboration tools (Slack)
• Shared Goals – Sharing responsibilities, environments, workflows and experiences
• Frictionless environment – Eliminate the “irreplaceable” mindset
Infrastructure as Code (IaC)
• Manage and provision infrastructure through configuration files (code) instead of through a manual process
• Fast, consistent, repeatable, and scalable
• Declarative YAML or JSON files – Modular components
• Committed to Version Control
• Documented and audited
• Deployed using IaC tool – Deployment Manager, Terraform
IaC Tools
Deployment Manager – GCP Native Tool, Declarative, YAML config language, Jinja or Python template language
Terraform – Open-source, multi-cloud, Declarative, HashiCorp config language (HCL)
Configuration Management - the process of maintaining systems, such as computer software in a desired and consistent state
Deployment Strategies
Recreate - to update to a new application version, you first scale the existing version down to zero replicas, and then deploy the replicas of the new
version.
Rolling update - a deployment strategy that slowly replaces previous versions of an application with new versions of an application by completely replacing the
infrastructure on which the application is running.
Blue/Green - a deployment strategy in which you create two separate, but identical environments. One environment (blue) is running the current application
version and one environment (green) is running the new application version.
Canary Testing - the goal of a canary deployment is to reduce the risk of deploying a new version that impacts the workload.
The method incrementally deploys the new version, making it visible to users gradually. As you gain confidence in the deployment, you deploy it to replace
the current version in its entirety.
A/B Testing - route a subset of users to new functionality based on routing rules or conditions such as browser version, geolocation, and operating systems.
After the versions are measured and compared, the production environment is updated with the version that yields better results.
Shadow Testing – deploy and run a new version alongside the current version, but the new version is hidden from users; incoming requests are mirrored
and replayed in a test environment
This can happen either in real time or asynchronously, after a copy of previously captured production traffic is replayed against the newly deployed
service.
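As an added example for the canary and A/B notes above (and for the App Engine traffic-splitting note earlier), and not code from the cheat sheet or from any Google product, the router below hashes a stable request identifier to a point on [0, 1) and routes it by cumulative weight, so a given user always lands on the same version while the observed shares converge on the configured percentages. The user identifiers and version names are constructed for the example.

```python
"""Weighted traffic splitting with sticky per-user assignment."""
import hashlib


def _point(identifier: str) -> float:
    """Map an identifier to a uniform value in [0, 1).

    SHA-256 is used instead of Python's hash(), which is randomised per
    process (PYTHONHASHSEED) and would break stickiness across restarts.
    """
    digest = hashlib.sha256(identifier.encode("utf-8")).digest()
    return int.from_bytes(digest[:8], "big") / 2 ** 64


def route(identifier: str, split: dict) -> str:
    """Choose a version for `identifier` from {version: weight}.

    Weights are relative (95/5 or 0.95/0.05 both work); a weight of 0
    takes a version out of rotation without removing it from the split.
    """
    total = sum(split.values())
    if total <= 0 or any(w < 0 for w in split.values()):
        raise ValueError("weights must be non-negative and sum to more than 0")
    target = _point(identifier) * total
    cumulative = 0.0
    versions = list(split)
    for version in versions:
        cumulative += split[version]
        if target < cumulative:
            return version
    # Float rounding at the very top of the range: fall back to the last
    # version that actually carries traffic.
    return next(v for v in reversed(versions) if split[v] > 0)


def observed_share(split: dict, n: int = 10000) -> dict:
    """Route n constructed users and report the fraction sent to each version."""
    counts = {v: 0 for v in split}
    for i in range(n):
        counts[route(f"user-{i}", split)] += 1
    return {v: c / n for v, c in counts.items()}


def rollout_plan(stable: str, canary: str, steps=(5, 25, 50, 100)):
    """Yield the successive splits of a canary rollout, ending at 100% canary."""
    for pct in steps:
        yield {stable: 100 - pct, canary: pct}


if __name__ == "__main__":
    for split in rollout_plan("v1", "v2"):
        print(split, observed_share(split))
    print("user-42 ->", route("user-42", {"v1": 95, "v2": 5}), "(same answer on every call)")
```

Stickiness is what makes the canary's error rate comparable with the stable version's: a user who sees the new version keeps seeing it, so a regression shows up as a consistent signal for that cohort rather than noise spread across both versions.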
Deployment Manager
Configuration
• Defines the structure of your deployment
Must contain resources section
• list of resources to create
3 Components
Name - A user-defined string to identify this resource; it can be anything you choose, such as instance-1, my-vm or bowtie-instance
Type - A type can represent a single API resource, known as a base type, or a set of resources, known as a composite type, that will be created as part of
your deployment.
Base type: [API].[VERSION].[RESOURCE]
A composite type contains one or more templates that are preconfigured to work together.
type: gcp-types/[PROVIDER]:[RESOURCE]
type: gcp-types/compute-v1:addresses
Properties - The parameters for this resource type.
A configuration can contain templates, which are essentially parts of the configuration file that has been abstracted into individual building blocks.
A template is a separate file that is imported and used as a type in a configuration.
A deployment is a collection of resources that are deployed and managed together, using a configuration.
A manifest is a read-only property that describes all the resources in your deployment and is automatically created with each new deployment.
Manifests are not modifiable after they have been created
CI/CD Tools
Cloud Source Repositories - a service that provides fully featured private git repositories hosted on Google Cloud.
Cloud Build - CI/CD tool that executes your builds on GCP as a series of steps, including importing source code, executing a build, and producing artifacts
• Build config is used to instruct which tasks to perform – fetch dependencies, run unit tests, etc.
• Trigger > Build and Test > Deploy/Store
Container Registry
a single private repository to manage Docker images, perform vulnerability analysis and enable CI/CD integrations for setting up fully automated Docker
pipelines.
Spinnaker – Open source continuous delivery platform, created at Netflix
Jenkins – Open source continuous delivery/deployment platform, hundreds of plugins
GitLab – Free and paid tiers, all-in-one platform, source code management
Types of Migration
Lift and Shift
• Move from source to target environment
• Minor or no modifications or refactoring
• Ideal when a workload can operate as-is or needs little change; least amount of time to migrate
Improve and Move
• Modernize workload while migrating it
• Takes advantage of cloud-native capabilities
• Requires some refactoring if target env is not supported
• Take advantage of some Google cloud capabilities
• Longer to migrate than lift and shift
Rip and Replace
• Decommission existing app and rewrite as cloud-native
• Take full advantage of Google Cloud features
• Longest amount of time to migrate
Google Cloud Adoption Framework – Tactical, Strategic, Transformational
Lead
Your cloud adoption effectiveness derives from both sponsors’ top-down mandates and bottom-up momentum from your teams’ cross-functional
collaboration.
Learn
Your ability to continuously learn is determined by both efforts to upskill your IT staff and knowledge shared by third-party contractors and partners.
Scale
Your ability to scale in the cloud is determined by the extent to which you abstract away your infrastructure with managed and serverless cloud services.
Secure
You can ensure your cloud estate’s security by controlling who can access and impact which resources and understanding the data that needs protecting.
Migration Path
Migration Phase 1: Assess
• Take inventory – Hardware, applications and data
• Catalog applications - Organize based on complexity and risk
• Learn and build proof of concepts (POC)
• Calculate total cost of ownership (TCO)
• Identify workload migration priority
Migration Phase 2: Plan
• Provision and configure foundation of cloud
• Establish identities and identity types – Google accounts, service accounts, AD federation
• Design structure of top-level resources – Folders, groups of folders, projects
• Design network topology – Hybrid connectivity
Migration Phase 3: Deploy
• Designing the deployment process
• Manual deployment process not recommended
• Automate your deployments
• Configuration Management – Chef, Puppet, Ansible
• Container Orchestration – GKE
• CI/CD pipelines
• Infrastructure as Code – Deployment Manager, Terraform
Migration Phase 4: Optimize
• Build and train your team
• Monitor everything
• Automate and codify everything
• Use managed services, whenever possible
• Optimize for performance and scalability – Horizontal and vertical scaling
• Reduce costs
Storage Transfer Service
• a service from Google Cloud that enables you to move data from one location (source) to a destination (sink)
• enables you to move or back up data to a Cloud Storage bucket, either from other cloud storage providers or from your on-premises storage
Transfer Service for on-premises data
• a fully managed software service that enables you to transfer large amounts of data from your data center to a cloud storage bucket.
• This service is designed to handle hundreds of terabytes of data in a single transfer.
BigQuery Data Transfer Service
• a service that automates data movement into BigQuery, either on a scheduled, ongoing managed basis or as one-off transfers.
Transfer Appliance - a high-capacity storage device that enables you to transfer and securely ship your data to a Google upload facility, where the data is uploaded
to Cloud Storage
Migrate for Anthos – a service that containerizes your existing VM-based applications to run on GKE or Anthos; it offers a fast and simple way to
extract modernized applications without rewriting or rearchitecting the currently running applications
Database Migration Service – a service that helps you migrate MySQL and PostgreSQL databases to Cloud SQL from on-premises, Google Compute Engine, and
other clouds.
Service Level Indicator (SLI) - quantitative measure of some aspect of the level of service that is being provided - availability, latency, durability
Service Level Objectives (SLO) – specify a target level for the reliability of your service
Service Level Agreement (SLA) – explicit or implicit contract with your users that includes consequences of meeting (or missing) the SLOs they contain
Error Budgets
A concept used to manage development velocity: an error budget tells you whether your system is more or less reliable than it needs to be over a certain time window.
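The SLI, SLO and error budget arithmetic above, worked through in code. This is an added example for the cheat sheet, not Google's tooling; the daily request and failure counts are constructed, and the release policy thresholds (freeze when the budget is exhausted, slow down when the recent burn rate exceeds 1) are choices made for the example.

```python
"""Error budget from SLI samples: availability SLO over a rolling window.

daily_counts is a list of (total_requests, failed_requests) tuples, oldest
first. The SLI is the good-request ratio; the error budget is the number of
failures the SLO still permits over the window; the burn rate is how fast the
budget is being spent relative to the rate that would exactly exhaust it.
"""
from dataclasses import dataclass


@dataclass
class BudgetReport:
    sli: float                 # observed good-request ratio over the window
    budget_errors: float       # failures the SLO permits over the window
    used_errors: int           # failures actually observed in the window
    remaining_fraction: float  # share of the budget still unspent (negative = overspent)
    recent_burn_rate: float    # burn rate over the most recent days only


def burn_rate(daily_counts, slo, days):
    """Observed error rate over the last `days` divided by the allowed error rate.
    1.0 means the budget would be spent exactly at the window's end."""
    window = daily_counts[-days:]
    total = sum(t for t, _ in window)
    failed = sum(f for _, f in window)
    if total == 0:
        return 0.0
    return (failed / total) / (1 - slo)


def error_budget(daily_counts, slo, window_days=30, recent_days=1):
    if not 0 < slo < 1:
        raise ValueError("slo must be a fraction such as 0.999")
    window = daily_counts[-window_days:]
    total = sum(t for t, _ in window)
    failed = sum(f for _, f in window)
    if total == 0:
        raise ValueError("no traffic in window")
    sli = (total - failed) / total
    budget_errors = (1 - slo) * total
    remaining = 1 - failed / budget_errors
    return BudgetReport(sli, budget_errors, failed, remaining,
                        burn_rate(daily_counts, slo, recent_days))


def release_policy(report):
    """Turn the report into a velocity decision (thresholds chosen for this example)."""
    if report.remaining_fraction <= 0:
        return "freeze: budget exhausted, reliability work only"
    if report.recent_burn_rate > 1.0:
        return "slow down: recent burn rate exceeds the sustainable rate"
    return "ship: budget healthy"


# Constructed sample: 30 days of one million requests, 500 failures a day,
# followed by the same series with a bad final day.
HEALTHY_MONTH = [(1_000_000, 500)] * 30
INCIDENT_MONTH = [(1_000_000, 500)] * 29 + [(1_000_000, 20_000)]

if __name__ == "__main__":
    for label, series in (("healthy", HEALTHY_MONTH), ("incident", INCIDENT_MONTH)):
        report = error_budget(series, slo=0.999)
        print(label, report, release_policy(report))
```

With a 99.9% SLO the budget for 30 million requests is 30,000 failures; the healthy series spends half of it, while one day with 20,000 failures pushes the month over budget and triggers the freeze.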
Scale and high availability
• Multi-region architecture with failover
• Eliminate scalability bottlenecks
• Degrade service levels gracefully
• Predict peak traffic events and plan for them
• Conduct disaster recovery testing
Automated deployment capabilities
support rollback, spread out traffic, implement rollouts using canary testing, and automate testing and deployment using CI/CD.
Alerting
Build efficient alerting, optimize alerting delay, alert on symptoms, not causes
Disaster Recovery
The process of resuming normal operations following a disaster by regaining access to and functionality of IT infrastructure after events such as a natural disaster,
a cyberattack, or a business disruption.
Recovery Time Objective (RTO) - the metric that defines the maximum acceptable length of time that your application can be offline
Recovery Point Objective (RPO) - the metric that defines the maximum acceptable length of time during which data might be lost from your application due to
a major incident.
Cold Disaster Recovery Pattern – involves system downtime until the data is restored; the cost is very low because no extra infrastructure is kept running. Downtime
is tolerable and recovery may take some time
Warm Disaster Recovery Pattern – implemented to keep RTO and RPO values as small as possible without the effort and expense of a fully redundant
environment. This pattern offers a good tradeoff between budget and availability.
Hot Disaster Recovery Pattern – your production environment runs as a well-architected, highly available deployment, so no failover steps need to be
initiated manually; they occur automatically
Data and Database Backups
Data Backups
• Copy data from one place to another
• Restore from corruption of data or if production environment is down
Database Backups
• Recovery = backup + configuration + transaction logs
• HA configuration recommended for smaller RTO and RPO
Cloud Storage
gsutil
gsutil -m cp -r [SOURCE_DIRECTORY] gs://[BUCKET_NAME]
gsutil -m rsync -r [SOURCE_DIRECTORY] gs://[BUCKET_NAME]
Checksum validation
Content-MD5 header – the value must match the MD5 of the uploaded object
Cyclic Redundancy Check (CRC32C) header – gsutil uses the crcmod module to compute it
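The checksum validation described above, implemented in plain Python as an added example (it is not gsutil's code). Cloud Storage reports an object's CRC32C and MD5 as base64-encoded, big-endian values; this block recomputes both on the standard library only, so no crcmod module is needed, and shows the chunked form used when validating a streamed download. The input bytes are constructed test vectors.

```python
"""CRC32C and MD5 in the base64 form Cloud Storage reports, with a verifier."""
import base64
import hashlib


def _make_crc32c_table():
    # Castagnoli polynomial 0x1EDC6F41 in reflected form (0x82F63B78).
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ 0x82F63B78 if c & 1 else c >> 1
        table.append(c)
    return table


_CRC32C_TABLE = _make_crc32c_table()


def crc32c(data, crc=0):
    """CRC32C of data; pass a previous result as `crc` to continue over the next chunk."""
    crc ^= 0xFFFFFFFF
    for byte in data:
        crc = _CRC32C_TABLE[(crc ^ byte) & 0xFF] ^ (crc >> 8)
    return crc ^ 0xFFFFFFFF


def checksum_stream(chunks):
    """Incremental CRC32C over an iterable of byte chunks (a streamed download)."""
    crc = 0
    for chunk in chunks:
        crc = crc32c(chunk, crc)
    return crc


def gcs_hashes(data):
    """Return the CRC32C and MD5 of data encoded the way the bucket metadata shows them."""
    return {
        "crc32c": base64.b64encode(crc32c(data).to_bytes(4, "big")).decode(),
        "md5": base64.b64encode(hashlib.md5(data).digest()).decode(),
    }


def verify_object(data, expected_crc32c, expected_md5=None):
    """Compare locally computed checksums with the values the bucket reports.
    MD5 is optional because composite objects carry only a CRC32C."""
    actual = gcs_hashes(data)
    if actual["crc32c"] != expected_crc32c:
        return False
    if expected_md5 is not None and actual["md5"] != expected_md5:
        return False
    return True


if __name__ == "__main__":
    sample = b"123456789"  # standard CRC test vector, constructed input
    print(hex(crc32c(sample)), gcs_hashes(sample))
    print(verify_object(sample, gcs_hashes(sample)["crc32c"]))
```

The values this returns for a downloaded file can be compared directly with the `Hash (crc32c)` and `Hash (md5)` fields that `gsutil ls -L` prints for the object.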
Object versioning
gsutil versioning set on gs://[BUCKET_NAME]
Encryption at Rest
designed to prevent an attacker from accessing unencrypted data by ensuring the data is encrypted while on disk
Encryption by default - Google Cloud encrypts customer data stored at rest by default and key creation and rotation are managed by Google Cloud.
Cloud Key Management Service (KMS)
a central repository for storing Key Encryption Keys (KEKs) and for centrally managing symmetric and asymmetric cryptographic keys.
Encryption Key Hierarchy - The encryption key hierarchy protects a chunk of data with a DEK wrapped with a KEK in KMS, which is in turn protected by Root
KMS and the Root KMS master key distributor.
Customer-Managed Encryption Key
gives you more control over the keys used to encrypt data at rest within a Google Cloud project; the keys are managed by you within KMS
Key States
Pending Generation – Version is still being generated. State will automatically change to Enabled when creation is done.
Enabled – Version can be used for cryptographic operations
Disabled – Version cannot be used but key material remains indefinitely
Scheduled for Destruction – Version cannot be used but key material remains until auto destruction
Destroyed – Version cannot be used; key material has been destroyed
Key Management – Key Rotation
Symmetric
A new key version is generated and marked as primary; the previous version is not destroyed and remains available for decryption
Asymmetric
A new key version is generated; manual key rotation only
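The key version states and the symmetric rotation rule above, modelled in code as an added example for this cheat sheet (it is not Cloud KMS client code). Only the primary version encrypts, any Enabled version can still decrypt, and key material is gone once a version is Destroyed. Cloud KMS uses AES-256-GCM for symmetric keys; because the Python standard library has no AES, the wrap primitive here is a labelled stand-in built from HMAC-SHA256 (a keystream XOR plus a MAC tag), which is enough to show the version bookkeeping.

```python
"""Key version lifecycle and symmetric rotation, Cloud KMS style."""
import hashlib
import hmac
import secrets
from enum import Enum


class State(Enum):
    PENDING_GENERATION = "pending_generation"
    ENABLED = "enabled"
    DISABLED = "disabled"
    SCHEDULED_FOR_DESTRUCTION = "scheduled_for_destruction"
    DESTROYED = "destroyed"


# Allowed state changes. Restoring a version scheduled for destruction puts it
# back into Disabled; nothing leaves Destroyed.
TRANSITIONS = {
    State.PENDING_GENERATION: {State.ENABLED},
    State.ENABLED: {State.DISABLED, State.SCHEDULED_FOR_DESTRUCTION},
    State.DISABLED: {State.ENABLED, State.SCHEDULED_FOR_DESTRUCTION},
    State.SCHEDULED_FOR_DESTRUCTION: {State.DISABLED, State.DESTROYED},
    State.DESTROYED: set(),
}


class KeyVersion:
    def __init__(self, version_id):
        self.id = version_id
        self.state = State.PENDING_GENERATION
        self.material = None

    def generate(self):
        self.material = secrets.token_bytes(32)
        self.state = State.ENABLED

    def transition(self, new_state):
        if new_state not in TRANSITIONS[self.state]:
            raise ValueError(f"illegal transition {self.state.value} -> {new_state.value}")
        self.state = new_state
        if new_state is State.DESTROYED:
            self.material = None  # material is gone; ciphertexts under it are unrecoverable


def _subkey(material, label):
    return hmac.new(material, label, hashlib.sha256).digest()


def _keystream(key, nonce, length):
    # Stand-in for AES-GCM: HMAC-SHA256 in counter mode (example only).
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


class SymmetricKey:
    """One KMS-style key: several versions, exactly one primary."""

    def __init__(self):
        self.versions = {}
        self.primary = None

    def rotate(self):
        """Symmetric rotation: new version becomes primary; older versions stay Enabled."""
        version = KeyVersion(len(self.versions) + 1)
        version.generate()
        self.versions[version.id] = version
        self.primary = version.id
        return version.id

    def encrypt(self, plaintext):
        version = self.versions[self.primary]  # only the primary version encrypts
        if version.state is not State.ENABLED:
            raise PermissionError(f"primary version is {version.state.value}")
        nonce = secrets.token_bytes(16)
        stream = _keystream(_subkey(version.material, b"enc"), nonce, len(plaintext))
        ct = bytes(p ^ s for p, s in zip(plaintext, stream))
        tag = hmac.new(_subkey(version.material, b"mac"), nonce + ct, hashlib.sha256).digest()
        # The version id travels with the ciphertext so decrypt can select the version.
        return version.id.to_bytes(4, "big") + nonce + ct + tag

    def decrypt(self, blob):
        version_id = int.from_bytes(blob[:4], "big")
        nonce, ct, tag = blob[4:20], blob[20:-32], blob[-32:]
        version = self.versions.get(version_id)
        if version is None or version.state is not State.ENABLED:
            state = version.state.value if version else "unknown"
            raise PermissionError(f"version {version_id} is {state}")
        expected = hmac.new(_subkey(version.material, b"mac"), nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("ciphertext failed authentication")
        stream = _keystream(_subkey(version.material, b"enc"), nonce, len(ct))
        return bytes(c ^ s for c, s in zip(ct, stream))


def try_decrypt(key, blob):
    """Return the plaintext, or the name of the exception the version state caused."""
    try:
        return key.decrypt(blob)
    except (PermissionError, ValueError) as exc:
        return type(exc).__name__
```

The same bookkeeping is what makes the envelope pattern work: a wrapped DEK records which KEK version wrapped it, so rotating the KEK never breaks existing data until the old version is actually destroyed.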
Secret Manager
• Secure objects that store sensitive data, such as passwords, OAuth tokens, and API keys
• Control over how sensitive data is used and reduce the risk of exposing the data to unauthorized users
• IAM and Audit Log integration – Permissions, Who accessed that secret and when
Secret – Project-based, global object. Collection of metadata and secret versions
Version – Stores the actual secret data, Cannot be modified, only deleted
Rotation – Rotate by adding a new secret version to the secret. A version must be enabled before it can be accessed
Identity-Aware Proxy (IAP)
This GCP security and compliance service lets you establish a central authorization layer for applications accessed by HTTPS
• User identity > request > access
• Access without the need for VPN
• Centrally define access policies
• Uses signed headers or Users API on App Engine Standard
• Use with on-premises apps
• Enable Cloud Audit Logs for IAP
Data Loss Prevention (DLP)
• Discover, manage, and redact sensitive data from anywhere – Social Security numbers, phone numbers, driver's licenses
• Redact, mask, tokenize, and transform sensitive data from text and images
• Supports structured and unstructured data
• Native support for Cloud Storage, BigQuery and Cloud Datastore
• Streaming Content API
• Covered under all compliance standards
Kinds of Infotype detectors
Built-in infotype detectors
• Country or region specific
• Globally applicable
Custom infotype detectors
• Regular custom dictionary
• Large custom dictionary
• Regex detector
De-identification
transform sensitive data by masking, deleting or obscuring it so that individuals cannot be identified. It masks all personally identifiable information (PII).
Date Shifting – randomly shifting a set of dates while preserving the sequence and duration of a period; each individual's dates are shifted by an amount of
time that is unique to that individual.
Generalization and Bucketing – the process of taking a distinguishing value and abstracting it into a more general, less distinguishing value. Bucketing groups
values into a smaller number of ranges, to minimize the risk of an attacker associating sensitive information with an identity.
Pseudonymization – A technique that uses encryption keys to replace sensitive data values with cryptographically generated tokens.
Image inspection and redaction – A technique to inspect for and redact sensitive text from an image according to criteria that you specify.
Text classification and redaction – Inspect and redact sensitive content that exists within text. Uses a placeholder text to replace sensitive data.
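The de-identification techniques listed above (masking, pseudonymization, generalization/bucketing, date shifting and text redaction with custom regex infotype detectors), implemented in plain Python as an added example for this cheat sheet. It is not the Cloud DLP API; the patient record, the HMAC key and the regex patterns are constructed for the example. The pseudonymization and date-shift functions both key their output to a secret so that the mapping is consistent across records yet unrecoverable without the key.

```python
"""De-identification primitives with a constructed sample record."""
import base64
import hashlib
import hmac
import re
from datetime import date, timedelta

# Custom regex infotype detectors (constructed, US-style formats).
INFOTYPES = {
    "US_SOCIAL_SECURITY_NUMBER": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "PHONE_NUMBER": re.compile(r"\b\d{3}-\d{3}-\d{4}\b"),
    "EMAIL_ADDRESS": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
}


def redact_text(text, infotypes=INFOTYPES):
    """Text classification and redaction: each match becomes an infotype placeholder."""
    for name, pattern in infotypes.items():
        text = pattern.sub(f"[{name}]", text)
    return text


def mask(value, visible_tail=4, char="*"):
    """Masking: keep only the last few characters, '123-45-6789' -> '*******6789'."""
    keep = value[-visible_tail:] if visible_tail else ""
    return char * (len(value) - len(keep)) + keep


def pseudonymize(value, key, prefix="TOKEN_"):
    """Pseudonymization: deterministic HMAC-SHA256 token under a secret key. The
    same input always yields the same token; without the key it cannot be reversed."""
    mac = hmac.new(key, value.encode(), hashlib.sha256).digest()
    return prefix + base64.urlsafe_b64encode(mac[:12]).decode().rstrip("=")


def bucket_age(age, width=10):
    """Generalization/bucketing: 37 -> '30-39'."""
    low = (age // width) * width
    return f"{low}-{low + width - 1}"


def date_shift(day, context, key, max_days=100):
    """Date shifting with context: the offset is derived from HMAC(key, context) and
    lies in [-max_days, max_days], so all dates for one context (here the patient id)
    move by the same amount and the durations between them are preserved."""
    mac = hmac.new(key, context.encode(), hashlib.sha256).digest()
    offset = int.from_bytes(mac[:4], "big") % (2 * max_days + 1) - max_days
    return day + timedelta(days=offset)


def deidentify_record(record, key):
    """Apply the techniques above to one record shaped like SAMPLE_RECORD."""
    patient = record["patient_id"]
    return {
        "patient": pseudonymize(patient, key),
        "ssn": mask(record["ssn"]),
        "age": bucket_age(record["age"]),
        "admitted": date_shift(record["admitted"], patient, key),
        "discharged": date_shift(record["discharged"], patient, key),
        "notes": redact_text(record["notes"]),
    }


# Constructed sample input (not real data).
SAMPLE_RECORD = {
    "patient_id": "P-1001",
    "ssn": "123-45-6789",
    "age": 37,
    "admitted": date(2024, 3, 1),
    "discharged": date(2024, 3, 8),
    "notes": "Call 555-123-4567 or mail a.b@example.com; SSN 123-45-6789",
}
SAMPLE_KEY = b"constructed-example-key"

if __name__ == "__main__":
    print(deidentify_record(SAMPLE_RECORD, SAMPLE_KEY))
```

Note the difference between the reversible and irreversible transforms: masking and bucketing discard information outright, while the HMAC token and the context-keyed date shift stay consistent across records (useful for joins and longitudinal analysis) without exposing the original value.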
Recommender
• Provides recommendations and insights for using resources on Google Cloud
• Per product or per service
• Ongoing analysis of current cloud usage to provide recommendations and insights
• Optimize performance, security, and cost
• Recommendation includes a suggested action and its impact
• Applied manually or programmatically
Compliance and Regulations
Compliance and Audits
International Standards
• ISO 27001 – Information security management systems
• ISO 27017 – Cloud Security Controls
• ISO 27018 – Protection of PII (Personally Identifiable Information)
3rd Party Audits
• SOC1 – Documents a cloud service provider’s internal controls that may be relevant to a customer’s financial reporting
• SOC2 – Evaluate an organization’s information systems relevant to security, availability, processing integrity, confidentiality, and privacy
• SOC3 – Report of internal controls over security, availability, processing integrity, and confidentiality.
FIPS 140-2 Validated – Aids in the protection of digitally stored unclassified, yet sensitive, information
HIPAA – Health Insurance Portability and Accountability Act. Makes sure that individuals' health information is kept private.
GDPR – General data protection regulation. Regulates how businesses can collect, use, and store data within Europe.
COPPA – Children’s Online Privacy Protection Act – Requirements on operators of websites or online services directed to children under 13 years of age.
PCI-DSS – Payment Card Industry Data Security Standard – Security standard to protect customers' payment card information
Penetration Testing
Identify risks, vulnerabilities, and gaps
Impact of exploitable vulnerabilities
Determine how to leverage any access obtained via exploitation
Deliver clear and actionable remediation information
Provide best practices in maintaining visibility
