Goggle Cloud Virtual Private Cloud – VPC

February 2, 2021 ~ Last updated on : January 10, 2022 ~ jayendrapatil

Google Cloud Virtual Private Cloud – VPC

Virtual Private Cloud – VPC provides networking functionality for the cloud-based resources and services that is global, scalable, and flexible.

VPC Networks

VPC network is a virtual version of a physical network
A VPC network is a global resource that consists of a list of regional virtual subnets in data centers, all connected by a global wide area network.
VPC networks are logically isolated from each other in Google Cloud.
VPC networks
- provides connectivity for the VMs and products built on it like GKE
- offers built-in Internal TCP/UDP Load Balancing and proxy systems for Internal HTTP(S) Load Balancing.
- connects to on-premises networks using Cloud VPN tunnels and Cloud Interconnect attachments.
- distributes traffic from GCP external load balancers to backends

Specifications

VPC networks are global resources, including the associated routes and firewall rules, and are not associated with any particular region or zone.
Subnets are regional resources and each subnet defines a range of IP addresses
Network firewall rules control the Traffic to and from instances. Rules are implemented on the VMs themselves, so traffic can only be controlled and logged as it leaves or arrives at a VM.
Resources within a VPC network can communicate with one another by using internal IPv4 addresses, subject to applicable network firewall rules.
Private access options for services allow instances with internal IP addresses can communicate with Google APIs and services.
Network administration can be secured by using IAM roles.
An organization can use Shared VPC to keep a VPC network in a common host project. Authorized IAM members from other projects in the same organization can create resources that use Shared VPC network subnets.
VPC Network Peering allows VPC networks to be connected with other VPC networks in different projects or organizations.
VPC networks can be securely connected in hybrid environments by using Cloud VPN or Cloud Interconnect.
VPC networks only support IPv4 unicast traffic. They do not support broadcast, multicast, or IPv6 traffic within the network; VMs in the VPC network can only send to IPv4 destinations and only receive traffic from IPv4 sources.

VPC Subnets

VPC networks do not have any IP address ranges associated with them.
Each VPC network consists of one or more useful IP range partitions called subnets and IP ranges are defined for the subnets.
Subnets are regional resources and each subnet is associated with a region.
A network must have at least one subnet before it can be used.
More than one subnet per region can be created
VPC Network supports the following subnet creation mode
- Auto mode VPC networks
  - create subnets in each region automatically
  - adds new subnets automatically, if a new region becomes available
  - can be switched to custom mode VPC networks
- Custom mode VPC networks
  - start with no subnets, giving full control over subnet creation.
  - are more flexible and are better suited for production
  - cannot be switched to auto mode VPC networks
Subnet must have a defined primary IP address range, and any resources created within are assigned an IP address from the defined range.
Subnets can be assigned a secondary IP address range, which is only used by alias IP ranges. This is useful if you have multiple services running on a VM and want to assign each service a different IP address.
Primary IP range of an existing subnet can be expanded by modifying its subnet mask, setting the prefix length to a smaller number.

VPC Routes

Routes define paths for packets leaving instances (egress traffic), either inside the network or outside of Google Cloud
A route consists of
- a single destination prefix in CIDR format (0.0.0.0/0) and
- a single next hop (for e.g Internet Gateway)
When an instance in a VPC network sends a packet, GCP delivers the packet to the route’s next hop if the packet’s destination address is within the route’s destination range.
Routes are defined at the VPC network level but implemented at each VM instance level.
Each VM instance has a controller that is kept informed of all applicable routes from the network’s routing table. Each packet leaving a VM is delivered to the appropriate next hop of an applicable route based on a routing order. When a route is added or deleted, the set of changes is propagated to the VM controllers by using an eventually consistent design.
Routes are divided into two categories: system-generated and custom.
- system-generated routes
  - default – send traffic from eligible instances to the internet and can be removed or replaced
  - subnet routes – route traffic among its subnets and updated automatically by Google Cloud
  - are applied at the VPC level to all the instances
- custom routes
  - are either static routes created manually or dynamic routes maintained automatically by one or more of the Cloud Routers
  - can be applied to all the instances or specific instance using network tag

VPC Firewall Rules

Refer blog post @ Google Cloud VPC Firewall Rules

VPC Private Access Options

Google Cloud provides several private access options which allow VM instances with internal IP addresses to reach certain APIs and services
Private Google Access
- allows VMs to connect to the set of external IP addresses used by Google APIs and services by enabling Private Google Access on the subnet used by the VM’s network interface.
- allows access to the external IP addresses used by App Engine, including third-party App Engine-based services.
- configured on a subnet by subnet basis
- provides following routing options
  - use default route with its next-hop being the default internet gateway, and it provides a path to the default domains, private.googleapis.com, and restricted.googleapis.com.
  - use custom static routes, each having a more specific destination, and each using the default internet gateway next hop.
- Use this option to connect to Google APIs and services without giving the Google Cloud resources external IP addresses.
Private services access
- is a private connection between the VPC network and a network owned by Google or a third party i.e. service producers
- enables VM instances in the VPC network and the accessed services to communicate exclusively by using internal IP addresses.
- VM instances don’t need Internet access or external IP addresses to reach services that are available through private services access.
- Use this option to connect to specific Google and third-party services without assigning external IP addresses to the Google Cloud and Google or third-party resources.

Refer blog post GCP Shared VPC

VPC Peering

Refer blog post GCP VPC Peering

VPC Flow Logs

VPC Flow Logs records a sample of network flows sent from and received by VM instances, including instances used as GKE nodes.
Flow Logs can be used for network monitoring, forensics, real-time security analysis, and expense optimization.
Flow logs are enabled on the VPC subnet level.
Flow logs only record TCP and UDP connections.
With GCP Shared VPC, all Flow logs are in the host project.
Cloud Logging can be used to view the flow logs and it can be exported to any destination that Cloud Logging export supports.
Flow logs are aggregated by the connection from Compute Engine VMs and exported in real-time.
Flow logs can be analyzed using real-time streaming APIs by subscribing to Pub/Sub.
Flow logs are collected for each VM connection at specific intervals (sampling period). All packets collected for a given interval for a given connection are aggregated for a period of time (aggregation interval) into a single flow log entry

GCP Certification Exam Practice Questions

Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).

GCP services are updated everyday and both the answers and questions might be outdated soon, so research accordingly.

GCP exam questions are not updated to keep up the pace with GCP updates, so even if the underlying feature has changed the question might not be updated

Open to further feedback, discussion and correction.

Your VMs are running in a subnet that has a subnet mask of 255.255.255.240. The current subnet has no more free IP addresses and you require an additional 10 IP addresses for new VMs. The existing and new VMs should all be able to reach each other without additional routes. What should you do?
1. Use gcloud to expand the IP range of the current subnet.
2. Delete the subnet, and recreate it using a wider range of IP addresses.
3. Create a new project. Use Shared VPC to share the current network with the new project.
4. Create a new subnet with the same starting IP but a wider range to overwrite the current subnet
An IT company has a set of compute engine instances hosted in a VPC. They are not exposed to the internet. These instances now need to install an important security patch. How can the security patch be installed on the instances?
1. Upload to Cloud Storage and enable VPC peering
2. Upload to Cloud Storage and whitelist instance IP address
3. Upload to Cloud Storage and enable Private Google Access
4. Upload to Cloud Source Repository and enable VPC peering
Your security team wants to be able to audit network traffic inside of your network. What’s the best way to ensure they have access to the data they need?
1. Disable flow logs.
2. Enable flow logs.
3. Enable VPC Network logs
4. Add a firewall capture filter.

References

GCP_Virtual_Private_Cloud

Google Cloud Shared VPC

January 29, 2021 ~ Last updated on : May 12, 2021 ~ jayendrapatil ~ 1 Comment

Shared VPC allows an organization to connect resources from multiple projects to a common VPC network to communicate with each other securely and efficiently using internal IPs from that network.
requires designating a project as a host project and attach one or more other service projects to it.
allows organization administrators to delegate administrative responsibilities, such as creating and managing instances, to Service Project Admins while maintaining centralized control over network resources like subnets, routes, and firewalls.
allows you to
- implement a security best practice of least privilege for network administration, auditing, and access control.
- apply and enforce consistent access control policies at the network level for multiple service projects in the organization while delegating administrative responsibilities
- use service projects to separate budgeting or internal cost centers.

Shared VPC Concepts

GCP Shared VPC - Multiple host projects

Shared VPC connects projects within the same organization. Participating host and service projects cannot belong to different organizations
Linked projects can be in the same or different folders, but if they are in different folders the admin must have Shared VPC Admin rights to both folders
Each project in Shared VPC is either a host project or a service project
- A host project contains one or more Shared VPC networks. A Shared VPC Admin must first enable a project as a host project. After that, a Shared VPC Admin can attach one or more service projects to it.
- A service project is any project that has been attached to a host project by a Shared VPC Admin. This attachment allows it to participate in Shared VPC.
A project cannot be both a host and a service project simultaneously. Thus, a service project cannot be a host project to further service projects.
Multiple host projects can be created; however, each service project can only be attached to a single host project.
A project that does not participate in Shared VPC is called a standalone project.
VPC networks in the host project are called Shared VPC networks. Service projects resources can use subnets in the Shared VPC network
Shared VPC networks can be either auto or custom mode, but legacy networks are not supported.
Host and service projects are connected by attachments at the project level.
Subnets of the Shared VPC networks in the host project are accessible by Service Project Admins
Organization policies and IAM permissions work together to provide different levels of access control.
Organization policies enable setting controls at the organization, folder, or project level.

IAM Roles

Administrator (IAM role)	Purpose
Organization Admin	Organization Admins nominate Shared VPC Admins by granting them appropriate project creation and deletion roles, and the Shared VPC Admin role for the organization. These admins can define organization-level policies, but specific folder and project actions require additional folder and project roles.
Shared VPC Admin	Shared VPC Admins have the Compute Shared VPC Admin and Project IAM Admin roles for the organization or one or more folders. They perform various tasks necessary to set up Shared VPC, such as enabling host projects, attaching service projects to host projects, and delegating access to some or all of the subnets in Shared VPC networks to Service Project Admins. A Shared VPC Admin for a given host project is typically its project owner as well. A Shared VPC Admin can link projects in two different folders only if the admin has the role for both folders.
Service Project Admin	A Shared VPC Admin defines a Service Project Admin by granting an IAM member the Network User role to either the whole host project or select subnets of its Shared VPC networks. Service Project Admins also maintain ownership and control over resources defined in the service projects, so they should have the Instance Admin role in the corresponding service projects. They may have additional IAM roles to the service projects, such as project owner.

Cloud Interconnect with Shared VPC

Shared VPC can help share the VLAN attachment in a project with other VPC networks.
Shared VPC is preferable if you need to create many projects and would like to prevent individual project owners from managing their connectivity back to the on-premises network.
Host project contains a common Shared VPC network that VMs in service projects can use. Because VMs in service projects use this network, Service Project Admins don’t need to create other VLAN attachments or Cloud Routers in the service projects.
VLAN attachments and Cloud Routers for an Interconnect connection must be created only in the Shared VPC host project.
The combination of a VLAN attachment and its associated Cloud Router is unique to a given Shared VPC network.
Service Project Admins can create VMs in subnets that exist in a host project’s Shared VPC network based on the permissions that they have to the host project.
VMs that use the Shared VPC network can use the custom dynamic routes for VLAN attachments available to that network.

GCP Certification Exam Practice Questions

Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).

GCP services are updated everyday and both the answers and questions might be outdated soon, so research accordingly.

GCP exam questions are not updated to keep up the pace with GCP updates, so even if the underlying feature has changed the question might not be updated

Open to further feedback, discussion and correction.

Your company is building a large-scale web application. Each team is responsible for its own service component of the application
and wants to manage its own individual projects. You want each service to communicate with the others over the RFC1918 address
space. What should you do?
1. Deploy each service into a single project within the same VPC.
2. Configure Shared VPC, and add each project as a service of the Shared VPC project.
3. Configure each service to communicate with the others over HTTPS protocol.
4. Configure a global load balancer for each project, and communicate between each service using the global load balancer IP
  addresses.
Where should you create the Cloud Router instance in a Shared VPC to allow connection from service projects across a new Dedicated Interconnect to your data center?
1. VPC network in all projects
2. VPC network in the IT Project
3. VPC network in the Host Project
4. VPC network in the Sales, Marketing, and IT Projects

Reference

GCP Virtual Private Cloud – Shared VPC

Google Cloud VPC Peering

January 28, 2021 ~ Last updated on : May 12, 2021 ~ jayendrapatil

Google Cloud VPC Peering

Google Cloud VPC Network Peering allows internal IP address or private connectivity across two VPC networks regardless of whether they belong to the same project or the same organization.
VPC Network Peering enables VPC networks connection, so that workloads in different VPC networks can communicate internally.
Traffic stays within Google’s network and doesn’t traverse public internet
VPC Network Peering provides following advantages over using external IP addresses or VPNs to connect networks, including:
- Network Latency – connectivity uses only internal addresses and provides lower latency than connectivity that uses external addresses
- Network Security – service owners do not need to have their services exposed to the public Internet and deal with its associated risks.
- Network Cost – GCP charges egress bandwidth or outbound traffic for networks using external IPs to communicate even if the traffic is within the same zone. However, for peered networks as they use internal IPs to communicate and save on those egress costs.
VPC Network Peering is useful in these environments:
- SaaS (Software-as-a-Service) ecosystems in Google Cloud, which can be made available privately across different VPC networks within and across organizations.
- Organizations that have several network administrative domains that need to communicate using internal IP addresses.

VPC Peering Properties

VPC Network Peering works with Compute Engine, GKE, and App Engine flexible environment.
Peered VPC networks remain administratively separate. Routes, firewalls, VPNs, and other traffic management tools are administered and applied separately in each of the VPC networks.
Each side of a peering association is set up independently. Peering will be active only when the configuration from both sides matches. Either side can choose to delete the peering association at any time.
VPC peers always exchange subnet routes that don’t use privately used public IP addresses. Networks must explicitly export privately used public IP subnet routes for other networks to use them and must explicitly import privately used public IP subnet routes to receive them from other networks
Subnet and static routes are global. Dynamic routes can be regional or global, depending on the VPC network’s dynamic routing mode.
VPC network can peer with multiple VPC networks (limit of 25 currently)
IAM permissions for creating and deleting VPC Network Peering are included as part of the Compute Network Admin role.
Peering traffic (traffic flowing between peered networks) has the same latency, throughput, and availability as private traffic in the same network.
Billing policy for peering traffic is the same as the billing policy for private traffic in the same network.
Peering is allowed with Shared VPC
An organization policy administrator can use an organization policy to constrain which VPC networks can peer with VPC networks in the organization. Peering connections to particular VPC networks or to VPC networks in a particular folder or organization can be denied. The constraint applies to new peering configurations and doesn’t affect existing connections. An existing peering connection can continue to work even if a new policy denies new connections.

VPC Peering Restrictions

A subnet CIDR range in one peered VPC network cannot overlap with a static route in another peered network. This rule covers both subnet routes and static routes

GCP VPC Peering - Overlapping Subnet IP ranges between two peers

A dynamic route can overlap with a subnet route in a peer network. For dynamic routes, the destination ranges that overlap with a subnet route from the peer network are silently dropped. Google Cloud uses the subnet route
Only VPC networks are supported for VPC Network Peering. Peering is NOT supported for legacy networks.
Subnet route exchange can’t be disabled or subnet routes that can be exchanged cannot be selected. After peering is established, all resources within subnet IP addresses are accessible across directly peered networks.
VPC Network Peering doesn’t provide granular route controls to filter out which subnet CIDR ranges are reachable across peered networks. It needs to be done using firewall rules
Transitive peering is NOT supported.
Tags or service account from one peered network in the other peered network CANNOT be used.
Compute Engine internal DNS names created in a network are NOT accessible to peered networks. Use the IP address instead.
By default, VPC Network Peering with GKE is supported when used with IP aliases. If you don’t use IP aliases, custom routes can be exported so that GKE containers are reachable from peered networks.

GCP Certification Exam Practice Questions

Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).

GCP services are updated everyday and both the answers and questions might be outdated soon, so research accordingly.

GCP exam questions are not updated to keep up the pace with GCP updates, so even if the underlying feature has changed the question might not be updated

Open to further feedback, discussion and correction.

Your company is working with a partner to provide a solution for a customer. Both your company and the partner organization are
using GCP. There are applications in the partner’s network that need access to some resources in your company’s VPC. There is
no CIDR overlap between the VPCs.Which two solutions can you implement to achieve the desired results without compromising
security?
1. VPC peering
2. Shared VPC
3. Dedicated Interconnect
4. Cloud NAT
Your organization is deploying a single project for 3 separate departments. Two of these departments require network
connectivity between each other, but the third department should remain in isolation. Your design should create separate network
administrative domains between these departments. You want to minimize operational overhead. How should you design the
topology?
1. Create a Shared VPC Host Project and the respective Service Projects for each of the 3 separate departments.
2. Create 3 separate VPCs, and use Cloud VPN to establish connectivity between the two appropriate VPCs.
3. Create 3 separate VPCs, and use VPC peering to establish connectivity between the two appropriate VPCs.
4. Create a single project, and deploy specific firewall rules. Use network tags to isolate access between the departments.

Reference

Google Cloud – VPC Peering

Google Cloud Compute Engine – GCE

January 25, 2021 ~ Last updated on : June 8, 2021 ~ jayendrapatil

Google Cloud Compute Engine

Compute Engine instance is a virtual machine (VM) hosted on Google’s infrastructure.
Compute Engine instances can run the public images for Linux and Windows Server that Google provides as well as private custom images created or imported from existing systems.
Docker containers can also be deployed, which are automatically launched on instances running the Container-Optimized OS public image.
Each instance belongs to a GCP project, and a project can have one or more instances. When you delete an instance, it is removed from the project.
For instance creation, the zone, operating system, and machine type (number of virtual CPUs and the amount of memory) need to be specified.
By default, each Compute Engine instance has a small boot persistent disk that contains the OS. Additional storage options can be attached.
Each network interface of a Compute Engine instance is associated with a subnet of a unique VPC network.
Regardless of the region where the VM instance is created, the default time for the VM instance is Coordinated Universal Time (UTC).

Compute Engine Instance Lifecycle

Instance life cycle.

PROVISIONING. Resources are being allocated for the instance. The instance is not running yet.
STAGING. Resources have been acquired and the instance is being prepared for the first boot.
RUNNING. The instance is booting up or running. You should be able to ssh into the instance soon, but not immediately after it enters this state.
REPAIRING – The instance is being repaired because the instance encountered an internal error or the underlying machine is unavailable due to maintenance. During this time, the instance is unusable. If repair is successful, the instance returns to one of the above states.
STOPPING: The instance is being stopped because a user has made a request to stop the instance or there was a failure. This is a temporary status and the instance will move to TERMINATED.
TERMINATED. A user shut down the instance, or the instance encountered a failure. You can choose to restart the instance or delete it.
SUSPENDING The instance is being suspended due to a user action
SUSPENDED – Instance is suspended and can be resumed or deleted

Compute Engine Machine Types

A machine type is a set of virtualized hardware resources available to a virtual machine (VM) instance, including the system memory size, virtual CPU (vCPU) count, and persistent disk limits.
Machine types are grouped and curated by families for different workloads

GCP Compute Engine Machine Types

Compute Engine Storage

Refer blog post @ Compute Engine Storage Options

Compute Engine Guest Environment

A Guest environment is automatically installed on the VM instance when using Google-provided public images
Guest environment is a set of scripts, daemons, and binaries that read the content of the metadata server to make a VM run properly on CE
A metadata server is a communication channel for transferring information from a client to the guest operating system.
Guest environment can be manually installed on custom images

Compute Engine Instance Availability Policies

Compute Engine does regular maintenance of its infrastructure which entails hardware and software updates
Google might require to move the VM away from the host undergoing maintenance and Compute Engine automatically manages the scheduling behavior of these instances.
Compute Engine instance’s availability policy determines how it behaves when there is a maintenance event
- Live migrate – move the VM instances to another host machine
- Stop the instances
Instance’s availability policy can be changed by configuring the following two settings:
- VM instance’s maintenance behavior onHostMaintenance, which determines whether the instance is live migrated MIGRATE (default) or stopped TERMINATE
- Instance’s restart behavior automaticRestart which determines whether the instance automatically restarts (default) if it crashes or gets stopped

Compute Engine Live Migration

Live migration helps keep the VM instances running even when a host system event, such as a software or hardware update, occurs
Compute Engine live migrates the running instances to another host in the same zone instead of requiring the VMs to be rebooted
Live migration allows Google to perform maintenance to keep infrastructure protected and reliable without interrupting any of the VMs.
GCP provides a notification to the guest that migration is imminent, when a VM is scheduled to be live migrated
- Regular infrastructure maintenance and upgrades.
- Network and power grid maintenance in the data centers.
- Failed hardware such as memory, CPU, network interface cards, disks, power, and so on. This is done on a best-effort basis; if hardware fails completely or otherwise prevents live migration, the VM crashes and restarts automatically and a hostError is logged.
- Host OS and BIOS upgrades.
- Security-related updates, with the need to respond quickly.
- System configuration changes, including changing the size of the host root partition, for storage of the host image and packages. Live migration keeps the instances running during:
Live migration does not change any attributes or properties of the VM including internal and external IP addresses, instance metadata, block storage data and volumes, OS and application state, network settings, network connections, and so on.
Compute Engine can also live migrate instances with local SSDs attached, moving the VMs along with their local SSD to a new machine in advance of any planned maintenance.
Instances with GPUs attached cannot be live migrated and must be set to stop and optionally restart. Compute Engine offers a 60-minute notice before a VM instance with a GPU attached is stopped
Preemptible instance cannot be configured for live migration

Preemptible VM instances

A preemptible VM is an instance that can be created and run at a much lower price than normal instances.
Compute Engine might stop (preempt) these instances if it requires access to those resources for other tasks.
Preemptible VMs are excess Compute Engine capacity, so their availability varies with usage.
Preemptible VM are ideal to reduce costs significantly, if the apps are fault-tolerant and can withstand possible instance preemptions or interruptions
Preemptible instance limitations
- might stop preemptible instances at any time due to system events.
- always stops preemptible instances after they run for 24 hours.
- are finite GCE resources, so they might not always be available.
- can’t live migrate to a regular VM instance, or be set to automatically restart when there is a maintenance event.
- are not covered by any Service Level Agreement
- GCP Free Tier credits for Compute Engine don’t apply to preemptible instances
Preemption process
- Compute Engine sends a preemption notice to the instance in the form of an ACPI G2 Soft Off signal.
- Shutdown script can be used to handle the preemption notice and complete cleanup actions before the instance stops
- If the instance does not stop after 30 seconds, Compute Engine sends an ACPI G3 Mechanical Off signal to the operating system.
- Compute Engine transitions the instance to a TERMINATED state.
Managed Instance group supports Preemptible instances.

Shielded VM

Shielded VM offers verifiable integrity of the Compute Engine VM instances, to confirm the instances haven’t been compromised by boot- or kernel-level malware or rootkits.
Shielded VM’s verifiable integrity is achieved through the use of Secure Boot, virtual trusted platform module (vTPM)-enabled Measured Boot, and integrity monitoring.

Managing access to the instances

Linux instances:
- Compute Engine uses key-based SSH authentication to establish connections to Linux virtual machine (VM) instances.
- By default, local users with passwords aren’t configured on Linux VMs.
- By default, Compute Engine uses custom project and/or instance metadata to configure SSH keys and to manage SSH access. If OS Login is used, metadata SSH keys are disabled.
- Managing Instance Access Using OS Login,
  - allows associating SSH keys with the Google Account or Google Workspace account and manage admin or non-admin access to the instance through IAM roles.
  - connecting to the instances using the gcloud command-line tool or SSH from the console, Compute Engine can automatically generate SSH keys and apply them to the Google Account or Google Workspace account.
- Manage the SSH keys in the project or instance metadata
  - allows granting admin access to instances with metadata access that does not use OS Login.
  - connecting to the instances using the gcloud command-line tool or SSH from the console, Compute Engine can automatically generate SSH keys and apply them to project metadata.
  - Project-wide public SSH keys
    - give users general access to a Linux instance.
    - give users access to all of the Linux instances in a project that allows project-wide public SSH keys
  - Instance metadata
    - If an instance blocks project-wide public SSH keys, a user can’t use the project-wide public SSH key to connect to the instance unless the same public SSH key is also added to instance metadata
On Windows Server instances:
- Create a password for a Windows Server instance

Compute Engine Images

Compute Engine Images help provide operation system images to create boot disks and application images with preinstalled, configured software
Main purpose is to create new instances or configure instance templates
Images can be regional or multi-regional and can be shared and accessed across projects and organizations
Compute Engine instances can run the public images for Linux and Windows Server that Google provides as well as private custom images created or imported from existing systems.
- Public images
  - provided and maintained by Google, open-source communities, and third-party vendors.
  - All Google Cloud projects have access to these images and can use them to create instances.
- Custom images
  - are available only to the Cloud project.
  - Custom images can be created from boot disks and other images.
Image families
- help image versioning
- helps to manage images in the project by grouping related images together, so that they can roll forward and roll back between specific image versions
- always points to newest latest non-deprecated version
Linux images can be exported as a tar.gz file to Cloud Storage
Google Cloud supports images with Container-Optimized OS, an OS image for the CE instances optimized for running Docker containers

Instance Templates

Instance template is a resource used to create VM instances and managed instance groups (MIGs) with identical configuration
Instance templates define the machine type, boot disk image or container image, labels, and other instance properties
Instance templates are a convenient way to save a VM instance’s configuration to create VMs or groups of VMs later
Instance template is a global resource that is not bound to a zone or a region. However, if some zonal resources are specified in an instance template for e.g. disks, which restricts the template to the zone where that resource resides.
Labels defined within an instance template are applied to all instances that are created from that instance template. The labels do not apply to the instance template itself.
Existing instance template cannot be updated or changed after its created

Instance Groups

Refer blog post @ Compute Engine Instance Groups

Snapshots

Refer blog post @ Compute Engine Snapshots

Startup & Shutdown Scripts

Startup scripts
- can be added and executed on the VM instances to perform automated tasks every time the instance boots up.
- can perform actions such as installing software, turning on services, performing updates, and any other tasks defined in the script.
Shutdown scripts
- execute commands right before a VM instance is stopped or restarted.
- can be useful allowing instances time to clean up or perform tasks, such as exporting logs, or syncing with other systems.
- are executed only on a best-effort basis
- have a limited amount of time to finish running before the instance stops i.e. 90 secs for on-demand and 30 secs for Preemptible instances
Startup & Shutdown scripts are executed using root user
Startup & Shutdown scripts can be provided to the VM instance using
- local file, supported by gcloud only
- inline using startup-script or shutdown-script option
- Cloud Storage URL and startup-script-url or shutdown-script-url as the metadata key, provided the instance has access to the script

Machine Image

A machine image is a Compute Engine resource that stores all the configuration, metadata, permissions, and data from one or more disks required to create a virtual machine (VM) instance.

Sole Tenant Nodes

Sole-tenancy provides dedicated hosting only for the project’s VM and provides an added layer of hardware isolation
Sole-tenant nodes ensure that the VMs do not share host hardware with VMs from other projects
Each sole-tenant node maintains a one-to-one mapping to the physical server that is backing the node
Project has exclusive access to a sole-tenant node, which is a physical CE server and can be used to keep the VMs physically separated from VMs in other projects or to group the VMs together on the same host hardware
Sole-tenant nodes can help meet dedicated hardware requirements for bring your own license (BYOL) scenarios that require per-core or per-processor licenses

Projects on a multi-tenant host versus a sole-tenant node.

Preventing Accidental VM Deletion

Accidental VM deletion can be prevented by setting the property deletionProtection on an instance resource esp. for VMs running critical workloads and need to be protected
Deletion request fails if a user attempts to delete a VM instance for which the deletionProtection flag is set
Only a user granted with compute.instances.create permission can reset the flag to allow the resource to be deleted.
Deletion prevention does not prevent the following actions:
- Terminating an instance from within the VM (such as running the shutdown command)
- Stopping an instance
- Resetting an instance
- Suspending an instance
- Instances being removed due to fraud and abuse after being detected by Google
- Instances being removed due to project termination
Deletion protection can be applied to both regular and preemptible VMs.
Deletion protection cannot be applied to VMs that are part of a managed instance group but can be applied to instances that are part of unmanaged instance groups.
Deletion prevention cannot be specified in instance templates.

GCP Certification Exam Practice Questions

Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).

GCP services are updated everyday and both the answers and questions might be outdated soon, so research accordingly.

GCP exam questions are not updated to keep up the pace with GCP updates, so even if the underlying feature has changed the question might not be updated

Open to further feedback, discussion and correction.

Your company hosts multiple applications on Compute Engine instances. They want the instances to be resilient to any Host maintenance activities performed on the instance. How would you configure the instances?
1. Set automaticRestart availability policy to true
2. Set automaticRestart availability policy to false
3. Set onHostMaintenance availability policy to migrate instances
4. Set onHostMaintenance availability policy to terminate instances

References

Google Cloud Engine – Compute Engine documentation

Google Cloud Compute Engine Instance Groups

January 25, 2021 ~ Last updated on : May 12, 2021 ~ jayendrapatil

Google Cloud – Compute Engine Instance Groups

An instance group is a collection of virtual machine (VM) instances that can be managed as a single entity.
Compute Engine offers two kinds of VM instance groups
- Managed instance groups (MIGs)
  - allows app creation with multiple identical VMs.
  - workloads can be made scalable and highly available by taking advantage of automated MIG services, including: autoscaling, autohealing, regional (multiple zones) deployment, and automatic updating
- Unmanaged instance groups
  - allows load balance across a fleet of self managed nonidentical VMs

Managed instance groups (MIGs)

A MIG creates each of its managed instances based on the instance template and specified optional stateful configuration
Managed instance group (MIG) is ideal for scenarios
- Stateless serving workloads, such as a website frontend
- Stateless batch, high-performance, or high-throughput compute workloads, such as image processing from a queue
- Stateful applications, such as databases, legacy applications, and long-running batch computations with check pointing

Use a managed instance group to build highly available deployments for stateless serving, stateful applications, or batch workloads.

Health Checking

Managed instance group health checks proactively signal to delete and recreate instances that become UNHEALTHY.
Load balancing health checks help direct traffic away from non-responsive instances and toward healthy instances; these health checks do not cause Compute Engine to recreate instances.
Health checks used to monitor MIGs are similar to the health checks used for load balancing, with some differences in behavior.

High Availability & Autohealing

Managed instance groups maintain high availability of the applications by proactively maintaining the number of instances and keeping the instances available, which means in RUNNING state.
Application-based autohealing improves application availability by relying on a health checking signal that detects application-specific issues such as freezing, crashing, or overloading.
If a health check determines that an application has failed on a VM, the MIG automatically recreates that VM instance.
A MIG automatically recreates an instance that is not RUNNING. However, relying only on VM state may not be sufficient and should include check for application freezes, crashes, or runs out of memory.

Regional or Zonal groups

Zonal MIG,
- deploys instances to a single zone.
Regional MIG
- deploys instances to multiple zones across the same region
- provides higher availability by spreading application load across multiple zones,
- protects the workload against zonal failure
- offer more capacity, with a maximum of 2,000 instances per regional group.

Load Balancing

MIGs work with load balancing services to distribute traffic across all of the instances in the group.
Google Cloud load balancing can use instance groups to serve traffic by adding instance groups to a target pool or to a backend service.

Scalability & Autoscaling

MIGs provides scalability and supports autoscaling that dynamically adds or removes instances in response to increases or decreases in load.
Autoscaling policy determines how the group would scale which includes scaling based on CPU utilization, Cloud Monitoring metrics, load balancing capacity, or, for zonal MIGs, by using a queue-based workload like Pub/Sub
Autoscaler continuously collects usage information based on the selected utilization metric, compares actual utilization to the desired target utilization, and uses this information to determine whether the group needs to remove instances (scale in) or add instances (scale out).
Cool down period
- is known as the application initialization period
Stabilization period
- For scaling in, the autoscaler calculates the group’s recommended target size based on peak load over the last 10 minutes which is called the Stabilization period
- Using the stabilization period, the autoscaler ensures that the recommended size for the managed instance group is always sufficient to serve the peak load observed during the previous 10 minutes.
Predictive autoscaling
- helps to optimize your MIG for availability,
- the autoscaler forecasts future load based on historical data and scales out a MIG in advance of predicted load, so that new instances are ready to serve when the load arrives.

Automatic Updating

MIG automatic updater supports a flexible range of rollout scenarios to deploy new versions of the software to instances in the MIG such as rolling updates and canary updates.
Speed and scope of deployment can be controlled as well as the level of disruption to the service.

Stateful Workloads Support

MIGs can be used for building highly available deployments and automating operation of applications with stateful data or configuration, such as databases, DNS servers, legacy monolith applications, or long-running batch computations with checkpointing.
Uptime and resiliency of such applications can be improved with autohealing, controlled updates, and multi-zone deployments, while preserving each instance’s unique state, including customizable instance name, persistent disks, and metadata.
Stateful MIGs preserve each instance’s unique state (instance name, attached persistent disks, and metadata) on machine restart, recreation, auto-healing, and update events.

Preemptible Instances Groups

MIG supports preemptible VM instances, which can help reduce cost.
Preemptible instances last up to 24 hours and are preempted gracefully and the application has 30 seconds to exit correctly.
Preemptible instances can be deleted any time, but autohealing will bring the instances back when preemptible capacity becomes available again

Containers

MIG supports the deployment of containers to container-optimized OS that includes docker, if the instance template used specifies a container image.

Network and Subnet

Instance template, used with MIG, defines the VPC network and subnet that member instances use.
For auto mode VPC networks, the subnet can be omitted ; this instructs GCP to select the automatically-created subnet in the region specified in the template.
If VPC network is omitted, GCP attempts to use the VPC network named default.

Unmanaged instance groups

Unmanaged instance groups can contain heterogeneous instances that can be arbitrarily added and removed from the group.
Unmanaged instance groups do not offer autoscaling, autohealing, rolling update support, multi-zone support, or the use of instance templates and are not a good fit for deploying highly available and scalable workloads.
Use unmanaged instance groups, if load balancing needs to be added to groups of heterogeneous instances, or needs self managed instances

GCP Certification Exam Practice Questions

Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).

GCP services are updated everyday and both the answers and questions might be outdated soon, so research accordingly.

GCP exam questions are not updated to keep up the pace with GCP updates, so even if the underlying feature has changed the question might not be updated

Open to further feedback, discussion and correction.

Your company’s test suite is a custom C++ application that runs tests throughout each day on Linux virtual machines. The full
test suite takes several hours to complete, running on a limited number of on-premises servers reserved for testing. Your company
wants to move the testing infrastructure to the cloud, to reduce the amount of time it takes to fully test a change to the system,
while changing the tests as little as possible. Which cloud infrastructure should you recommend?
1. Google Compute Engine unmanaged instance groups and Network Load Balancer.
2. Google Compute Engine managed instance groups with auto-scaling.
3. Google Cloud Dataproc to run Apache Hadoop jobs to process each test.
4. Google App Engine with Google Stackdriver for logging.
Your company has a set of compute engine instances that would be hosting production-based applications. These applications
would be running 24×7 throughout the year. You need to implement the cost-effective, scalable and high availability solution even
if a zone fails. How would you design the solution?
1. Use Managed instance groups with preemptible instances across multiple zones
2. Use Managed instance groups across multiple zones
3. Use managed instance groups with instances in a single zone
4. Use Unmanaged instance groups across multiple zones

Google Cloud Identity and Access Management – IAM

January 23, 2021 ~ Last updated on : June 2, 2021 ~ jayendrapatil

Google Cloud Identity and Access Management – IAM

Google Cloud Identity and Access Management – IAM lets administrators authorize who can take what action on which resources
IAM provides a unified view into security policy across the entire organization, with built-in auditing to ease compliance processes.

IAM Components

IAM manages access control by defining who (identity) has what access (role) for which resource

IAM architecture

Member

A member can be a Google Account (for end users), a service account (for apps and virtual machines), a Google group, or a Google Workspace or Cloud Identity domain that can access a resource.
Identity of a member is an email address associated with a user, service account, or Google group; or a domain name associated with Google Workspace or Cloud Identity domains.

Role

Permission to access a resource isn’t granted directly to the end user
A role is a collection of permissions and is granted to authenticated members
Permissions are represented in the form service.resource.verb for e.g. compute.instances.list
Permissions determine what operations are allowed on a resource.
Role granted to a member grants all the permissions that the role contains
GCP supports different role types
- Basic or Primitive roles
  - Roles historically available in the Google Cloud Console. Also, referred to as primitive roles
  - Roles are Owner, Editor, and Viewer.
  - Provide board level of permissions and not recommended
- Predefined roles
  - Roles that give fine-grained granular access control
  - Roles are created and maintained by Google and automatically updated as necessary, such as when Google Cloud adds new features or services.
- Custom roles
  - Roles created to tailor permissions to the needs of the organization, when predefined roles don’t meet the needs.
  - Custom roles are not maintained by Google; when new permissions, features, or services are added to Google Cloud, the custom roles will not be updated automatically.

IAM Policy

IAM policy binds one or more members to a role.
An IAM policy defines and enforces what roles are granted to which members, and this policy is attached to a resource.
IAM policy attached to the resource defines who (member) has what type of access (role) on the resource
IAM policy can be set at any level in the resource hierarchy: organization level, folder level, project level, or resource level.
IAM Policy inheritance is transitive and resources inherit the policies of all of their parent resources.
The effective policy for a resource is the union of the policy set on that resource and the policies inherited from higher up in the hierarchy.
Basically Permissions -> Roles -> (IAM Policy) -> Members
When an authenticated member attempts to access a resource, IAM checks the resource’s policy to determine whether the action is permitted.

Service Accounts

A service account is a special kind of account used by an application or a virtual machine (VM) instance, not a person.
Applications use service accounts to make authorized API calls, authorized as either the service account itself, or as Google Workspace or Cloud Identity users through domain-wide delegation.
is identified by its email address, which is unique to the account.
does not have passwords, and cannot log in via browsers or cookies.
are associated with private/public RSA key-pairs that are used for authentication to Google.
Other users or service accounts cannot impersonate a service account.
are not members of the Google Workspace domain, unlike user accounts.
users need to be granted serviceAccountUser role to be able to use service accounts
are both a member (who) and a resource (what)
- Services accounts are granted permissions to a resource (what)
- Users are granted the serviceAccountUser role (who)
Service accounts are used in scenarios such as:
- Running workloads on virtual machines (VMs).
- Running workloads on on-premises workstations or data centers that call Google APIs.
- Running workloads which are not tied to the lifecycle of a human user.
Service Account Keys
- Each service account is associated with two sets of public/private RSA key pairs that are used to authenticate to Google:
- Google-managed keys
  - Google-managed key pairs imply that Google stores both the public and private portion of the key, rotates them regularly (each key can be used for signing a maximum of two weeks), and the private key is always held in escrow and is never directly accessible.
  - IAM provides APIs to use these keys to sign on behalf of the service account.
- User-managed keys.
  - User-managed key pairs imply that you own both the public and private portions of a key pair.
  - User-managed key pairs (also known as “external” keys) can be created and used from outside of Google Cloud.
  - Google only stores the public portion of a user-managed key.
  - The creator is responsible for the security of the private key and other management operations such as key rotation
Service Account Types
- Default service accounts
  - Google Cloud creates user-managed service accounts when you enable or use some Google Cloud services that enable the service to deploy jobs that access other Google Cloud resources.
  - For applications running in a Google Cloud environment that has a default service account, the application can use the credentials for the default service account to call Google Cloud APIs.
- User-managed service accounts
  - User-managed service accounts are created in the project using the IAM API, the Cloud Console, or the gcloud command-line tool.
  - Creator is responsible for managing and securing these accounts
Service Account Permissions
- Service account permissions are controlled by IAM roles and Access Scopes
  - IAM Roles
    - restricts access to APIs based on the IAM roles that are granted to the service account.
    - are account-specific
  - Access scopes
    - potentially further limit access to API methods when authenticating through OAuth
    - apply on a per-instance basis
    - only apply for the default service accounts
    - are the legacy method of specifying permissions for the instance
- Best practice is to set the full cloud-platform access scope on the instance, then securely limit the service account’s access using IAM roles
Service Account, if accidentally deleted, can be recovered if the time gap is less than 30 days and a service account by the same name wasn’t created

Google Cloud Service Account Decision Tree

IAM User vs Service Account Decision Tree

Google Cloud IAM User vs Service Account Decision Tree

Workload Identity Federation

Using identity federation, on-premises or multi-cloud workloads can be granted access to GCP resources, without using a service account key.
Identity federation can be used with AWS, or with any identity provider that supports OpenID Connect (OIDC), such as Microsoft Azure
With identity federation, IAM can be used to grant external identities IAM roles, including the ability to impersonate service accounts using short-lived access tokens, and eliminates the maintenance and security burden associated with service account keys.

IAM Best Practices

IAM focuses on who, providing the ability to authorize users and groups to take action on specific resources based on permissions.
Use Predefined over primitive roles
- provide granular access and roles at the smallest scope to users to control what they can access
Control access to resources
- enforce the principle of least privilege by ensuring that members have only the permissions that they actually need.
Delegate responsibility with groups and service accounts
- use groups for users requiring the same responsibilities and assigning IAM roles to the groups rather than to individual users
- use service accounts for server-to-server interactions.
- rotate service account keys for user-managed service accounts
Understand IAM Policy Inheritance
- a child resource cannot restrict access granted on its parent
Define an Organization Policy
- Use Organization Policy Service to get centralized and programmatic control over the organization’s cloud resources.
- An organization policy focuses on what, providing the ability to set restrictions on specific resources to determine how they can be configured and used
- All descendants of a resource inherit its policies by default.
- A base set of constraints can be defined that apply to all elements in the hierarchy by attaching a policy to the top-level Organization node.
- Custom organization policies can be set on child nodes, which overwrite or merge with the inherited policy.
Federate identity provider with Google Cloud
- for an organization using an on-premises or third-party identity provider, synchronize the user directory with Cloud Identity to let users access Google Cloud with their corporate credentials.
- identity platform remains the source of truth while Cloud Identity controls how the employees access Google services.

IAM Recommender

IAM recommender helps enforce the principle of least privilege by ensuring that members have only the permissions that they actually need.
IAM uses Recommender to compare project-level role grants with the permissions that each member used during the past 90 days.
Depending on the usage of the member and permissions provided, IAM recommender recommends a less permissive role or to revoke the role.
IAM recommender never suggests a change that increases a member’s level of access.
IAM recommender also uses machine learning to identify permissions in a member’s current role that the member is likely to need in the future, even if the member did not use those permissions in the past 90 days.
IAM recommender does not apply recommendations automatically, but the recommendations should be reviewed and then applied or dismissed.
IAM recommender does not evaluate
- Role grants made at the folder or organization level
- Role grants made below the project level; that is, role grants on service-specific resources within a project
- Conditional role grants
- Role grants for Google-managed service accounts
- Access controls that are separate from IAM

IAM Audit Logging

Google Cloud services write audit logs to help answer the questions, “Who did what, where, and when?”
Cloud projects contain only the audit logs for resources that are directly within the project. Other entities, such as folders, organizations, and Cloud Billing accounts, contain the audit logs for the entity itself.
IAM writes Admin Activity audit logs, which record operations that modify the configuration or metadata of a resource. Admin Activity audit logs cannot be disabled
IAM writes Data Access audit logs if explicitly enabled. Data Access audit logs contain API calls that read the configuration or metadata of resources, as well as user-driven API calls that create, modify, or read user-provided resource data.
IAM doesn’t write System Event audit logs.
IAM doesn’t write Policy Denied audit logs.
Cloud Audit Logs provides the following audit logs for each Cloud project, folder, and organization:
- Admin Activity audit logs
- Data Access audit logs
- System Event audit logs
- Policy Denied audit logs
IAM Audit Logs can be exported to Cloud Storage for long term retention

GCP Certification Exam Practice Questions

Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).

GCP services are updated everyday and both the answers and questions might be outdated soon, so research accordingly.

GCP exam questions are not updated to keep up the pace with GCP updates, so even if the underlying feature has changed the question might not be updated

Open to further feedback, discussion and correction.

You built an application on your development laptop that uses Google Cloud services. Your application uses Application Default Credentials for authentication and works fine on your development laptop. You want to migrate this application to a Compute Engine virtual machine (VM) and set up authentication using Google-recommended practices and minimal changes. What should you do?
1. Assign appropriate access for Google services to the service account used by the Compute Engine VM.
2. Create a service account with appropriate access for Google services, and configure the application to use this account.
3. Store credentials for service accounts with appropriate access for Google services in a config file, and deploy this config file with your application.
4. Store credentials for your user account with appropriate access for Google services in a config file, and deploy this config file with your application.
You need to set up permissions for a set of Compute Engine instances to enable them to write data into a particular Cloud Storage bucket. What should you do following Google-recommended practices?
1. Create a service account with an access scope. Use the access scope https://www.googleapis.com/auth/devstorage.write_o….
2. Create a service account with an access scope. Use the access scope https://www.googleapis.com/auth/cloud-platform.
3. Create a service account and add it to the IAM role storage.objectCreator for that bucket.
4. Create a service account and add it to the IAM role storage.objectAdmin for that bucket.

References

Google_Cloud_IAM

Google Cloud Resource Manager

January 22, 2021 ~ Last updated on : December 23, 2021 ~ jayendrapatil

Google Cloud Resource Manager

Google Cloud Platform – Resource manager help manage resource containers such as organizations, folders, and projects that allow you to group and hierarchically organize other GCP resources

Resource Hierarchy

Organizations

Organization resource is the root node in the Google Cloud resource hierarchy and is the hierarchical supernode and ancestor of project resources and folders.
Organization is at the top of the hierarchy and does not have a parent.
Organization provides central visibility and control over every resource that belongs to an organization
With an Organization resource, projects belong to the organization instead of the employee who created the project, which means that the projects are no longer deleted when an employee leaves the company; instead, they will follow the organization’s lifecycle on Google Cloud.
Organization administrators have central control of all resources and can view and manage all of the company’s projects
IAM access control policies applied to the Organization resource apply throughout the hierarchy on all resources in the organization.
Roles granted at the organization level are inherited by all projects and folders under the Organization resource
Organization is not applicable for personal (e.g. Gmail) accounts
Google Workspace or Cloud Identity account represents a company and is a prerequisite to having access to the Organization resource. It provides identity management, recovery mechanism, ownership, and lifecycle management
Google Workspace super admin is the individual responsible for domain ownership verification and the contact in cases of recovery.

Folders

Folders are an additional optional grouping mechanism on top of projects and provide isolation boundaries between projects
Organization resource is a prerequisite to use folders.
Folders can be used to model different legal entities, departments, teams, and environments within a company
Folders allow delegation of administration rights as well as control or limit access to resources within the folder

Projects

Project resource is the base-level organizing entity
Organizations and folders may contain multiple projects
Projects are a core organizational component of GCP
A project is required to use Google Cloud and forms the basis for creating, enabling, and using all Google Cloud services, managing APIs, enabling billing, adding and removing collaborators, and managing permissions.
Each project has a name and a unique project ID across Google Cloud
Project ID cannot be reused even if the project is deleted
Each project is associated with a billing account.
Multiple projects can have their usage billed to the same billing account

IAM Policy Inheritance

Identity and Access Management helps control who (users) has what access (roles) to which resources by setting IAM policies on the resources.
Resources inherit the policies of the parent node i.e. policy set at the Organization level is inherited by all its child folders and projects, and if a policy set at the project level, it is inherited by all its child resources.
Most permissive parent policy always overrules more restrictive child policy i.e. There is no way to explicitly remove permission for a lower-level resource that is granted at a higher level in the resource hierarchy.
The effective policy for a resource is the union of the policy set on the resource and the policy inherited from its ancestors.
Permission inheritance is transitive i.e. resources inherit policies from the project, which inherit policies from the organization.
IAM policy hierarchy follows the same path as the Google Cloud resource hierarchy i.e. if the resource hierarchy is changed for e.g. moving a project from one folder to the other, the policy hierarchy changes as well.

Organization Policy Service

Organization Policy Service gives centralized and programmatic control over the organization’s cloud resources
Organization Policy Service benefits
- Centralize control to configure restrictions on how the organization’s resources can be used.
- Define and establish guardrails for the development teams to stay within compliance boundaries.
- Help project owners and their teams move quickly without the worry of breaking compliance.
Organization policy is set on a resource hierarchy node, all descendants of that node inherit the organization policy by default. i.e. organization policy set at the root organization node will pass down the defined restriction through all descendant folders, projects, and service resources.

Restricting Identities by Domain

Resource Manager provides a domain restriction constraint that can be used in organization policies to limit resource sharing based on domain.
This constraint allows restricting the set of identities allowed to be used in Identity and Access Management policies
Organization policies can use this constraint to limit resource sharing to a specified set of one or more Google Workspace domains, and exceptions can be granted on a per-folder or per-project basis.
Domain restriction constraint is not retroactive. Once a domain restriction is set, this limitation will apply to IAM policy changes made from that point forward, and not to any previous changes.

GCP Certification Exam Practice Questions

Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).

GCP services are updated everyday and both the answers and questions might be outdated soon, so research accordingly.

GCP exam questions are not updated to keep up the pace with GCP updates, so even if the underlying feature has changed the question might not be updated

Open to further feedback, discussion and correction.

Google Cloud Platform resources are managed hierarchically using organization, folders, and projects. When Cloud Identity and Access Management (IAM) policies exist at these different levels, what is the
effective policy at a particular node of the hierarchy?
1. The effective policy is determined only by the policy set at the node
2. The effective policy is the union of the policy set at the node and policies inherited from its ancestors
3. The effective policy is the policy set at the node and restricted by the policies of its ancestors
4. The effective policy is the intersection of the policy set at the node and policies inherited from its ancestors
An Organization has setup an IAM policy at the organization level, the folder level, the project level, and on the resource level. They want to understand what policy takes effect on the entity. What would be the
correct option?
1. Effective policy for a resource is the Intersection of the policy set on the resource and the policy inherited from its ancestors
2. Effective policy for a resource is the policy inherited from its ancestors overriding the policy defined on the resource
3. Effective policy for a resource is the union of the policy set on the resource and the policy inherited from its ancestors
4. Effective policy for a resource is the policy defined overriding the policy inherited from its ancestors
Several employees at your company have been creating projects with Cloud Platform and paying for it with their personal credit
cards, which the company reimburses. The company wants to centralize all these projects under a single, new billing account.
What should you do?
1. Contact [email protected] with your bank account details and request a corporate billing account for your company.
2. Create a ticket with Google Support and wait for their call to share your credit card details over the phone.
3. In the Google Platform Console, go to the Resource Manager and move all projects to the root Organization.
4. In the Google Cloud Platform Console, create a new billing account and set up a payment method.

Reference

Google Cloud Platform – Resource Manager

Google Cloud Storage – GCS

January 20, 2021 ~ Last updated on : July 22, 2021 ~ jayendrapatil

Google Cloud Storage – GCS

Google Cloud Storage is a service for storing unstructured data i.e. objects/blobs in Google Cloud.
Google Cloud Storage provides a RESTful service for storing and accessing the data on Google’s infrastructure.
GCS combines the performance and scalability of Google’s cloud with advanced security and sharing capabilities.

Google Cloud Storage Components

Buckets

Buckets are the logical containers for objects
All buckets are associated with a project and projects can be grouped under an organization.
Bucket name considerations
- reside in a single Cloud Storage namespace.
- must be unique.
- are publicly visible.
- can only be assigned during creation and cannot be changed.
- can be used in a DNS record as part of a CNAME or A redirect.
Bucket name requirements
- must contain only lowercase letters, numbers, dashes (-), underscores (_), and dots (.). Spaces are not allowed. Names containing dots require verification.
- must start and end with a number or letter.
- must contain 3-63 characters. Names containing dots can contain up to 222 characters, but each dot-separated component can be no longer than 63 characters.
- cannot be represented as an IP address for e.g., 192.168.5.4
- cannot begin with the goog prefix.
- cannot contain google or close misspellings, such as g00gle.

Objects

An object is a piece of data consisting of a file of any format.
Objects are stored in containers called buckets.
Objects are immutable, which means that an uploaded object cannot change throughout its storage lifetime.
Objects can be overwritten and overwrites are Atomic
Object names reside in a flat namespace within a bucket, which means
- Different buckets can have objects with the same name.
- Objects do not reside within subdirectories in a bucket.
Existing objects cannot be directly renamed and need to be copied

Object Metadata

Objects stored in Cloud Storage have metadata associated with them
Metadata exists as key:value pairs and identifies properties of the object
Mutability of metadata varies as some metadata is set at the time the object is created for e.g. Content-Type, Cache-Control while for others they can be edited at any time

Composite Objects

Composite objects help to make appends to an existing object, as well as for recreating objects uploaded as multiple components in parallel.
Compose operation works with objects
- having the same storage class.
- be stored in the same Cloud Storage bucket.
- NOT use customer-managed encryption keys.

Cloud Storage Locations

GCS buckets need to be created in a location for storing the object data.
GCS support different location types
- regional
  - A region is a specific geographic place, such as London.
  - helps optimize latency and network bandwidth for data consumers, such as analytics pipelines, that are grouped in the same region.
- dual-region
  - is a specific pair of regions, such as Finland and the Netherlands.
  - provides higher availability that comes with being geo-redundant.
- multi-region
  - is a large geographic area, such as the United States, that contains two or more geographic places.
  - allows serving content to data consumers that are outside of the Google network and distributed across large geographic areas, or
  - provides higher availability that comes with being geo-redundant.
Objects stored in a multi-region or dual-region are geo-redundant i.e. data is stored redundantly in at least two separate geographic places separated by at least 100 miles.

Cloud Storage Classes

Refer blog Google Cloud Storage – Storage Classes

Cloud Storage Security

Refer blog Google Cloud Storage – Security

GCS Upload and Download

GCS supports upload and storage of any MIME type of data up to 5 TB
Uploaded object consists of the data along with any associated metadata
GCS supports multiple upload types
- Simple upload – ideal for small files that can be uploaded again in their entirety if the connection fails, and if there are no object metadata to send as part of the request.
- Multipart upload – ideal for small files that can be uploaded again in their entirety if the connection fails, and there is a need to include object metadata as part of the request.
- Resumable upload – ideal for large files with a need for more reliable transfer. Supports streaming transfers, which is a type of resumable upload that allows uploading an object of unknown size.

Resumable Upload

Resumable uploads are the recommended method for uploading large files because they don’t need to be restarted from the beginning if there is a network failure while the upload is underway.
Resumable upload allows resumption of data transfer operations to Cloud Storage after a communication failure has interrupted the flow of data
Resumable uploads work by sending multiple requests, each of which contains a portion of the object you’re uploading.
Resumable upload mechanism supports transfers where the file size is not known in advance or for streaming transfer.
Resumable upload must be completed within a week of being initiated.

Streaming Transfers

Streaming transfers allow streaming data to and from the Cloud Storage account without requiring that the data first be saved to a file.
Streaming uploads are useful when uploading data whose final size is not known at the start of the upload, such as when generating the upload data from a process, or when compressing an object on the fly.
Streaming downloads are useful to download data from Cloud Storage into a process.

Parallel Composite Uploads

Parallel composite uploads divide a file into up to 32 chunks, which are uploaded in parallel to temporary objects, the final object is recreated using the temporary objects, and the temporary objects are deleted
Parallel composite uploads can be significantly faster if network and disk speed are not limiting factors; however, the final object stored in the bucket is a composite object, which only has a crc32c hash and not an MD5 hash
As a result, crcmod needs to be used to perform integrity checks when downloading the object with gsutil or other Python applications.
You should only perform parallel composite uploads if the following apply:
Parallel composite uploads do not support buckets with default customer-managed encryption keys, because the compose operation does not support source objects encrypted in this way.
Parallel composite uploads do not need the uploaded objects to have an MD5 hash.

Object Versioning

Object Versioning retains a noncurrent object version when the live object version gets replaced, overwritten, or deleted
Object Versioning is disabled by default.
Object Versioning prevents accidental overwrites and deletion
Object Versioning causes deleted or overwritten objects to be archived instead of being deleted
Object Versioning increases storage costs as it maintains the current and noncurrent versions of the object, which can be partially mitigated by lifecycle management
Noncurrent versions retain the name of the object but are uniquely identified by their generation number.
Noncurrent versions only appear in requests that explicitly call for object versions to be included.
Objects versions can be permanently deleted by including the generation number or configuring Object Lifecycle Management to delete older object versions
Object versioning, if disabled, does not create versions for new ones but old versions are not deleted

Object Lifecycle Management

Object Lifecycle Management sets Time To Live (TTL) on an object and helps configure transition or expiration of the objects based on specified rules for e.g. SetStorageClass to downgrade the storage class, delete to expire noncurrent or archived objects
Lifecycle management configuration can be applied to a bucket, which contains a set of rules applied to current and future objects in the bucket
Lifecycle management rules precedence
- Delete action takes precedence over any SetStorageClass action.
- SetStorageClass action switches the object to the storage class with the lowest at-rest storage pricing takes precedence.
Cloud Storage doesn’t validate the correctness of the storage class transition
Lifecycle actions can be tracked using Cloud Storage usage logs or using Pub/Sub Notifications for Cloud Storage
Lifecycle management is done using rules, conditions, and actions and is applied if
- With multiple rules, any of the rules can be met (OR operation)
- All the conditions in a rule (AND operation) should be met

GCS Object Lifecycle Management

Object Lifecycle Behavior

Cloud Storage performs the action asynchronously, so there can be a lag between when the conditions are satisfied and the action is taken
Updates to lifecycle configuration may take up to 24 hours to take effect.
Delete action will not take effect on an object while the object either has an object hold placed on it or an unfulfilled retention policy.
SetStorageClass action is not affected by the existence of object holds or retention policies.
SetStorageClass does not rewrite an object and hence you are not charged for retrieval and deletion operations.

GCS Requester Pays

Project owner of the resource is billed normally for the access which includes operation charges, network charges, and data retrieval charges
However, if the requester provides a billing project with their request, the requester’s project is billed instead.
Requester Pays requires the requester to include a billing project in their requests, thus billing the requester’s project
Enabling Requester Pays is useful, e.g. if you have a lot of data to share, but you don’t want to be charged for their access to that data.
Requester Pays does not cover the storage charges and early deletion charges

CORS

Cloud Storage allows setting CORS configuration at the bucket level only

Cloud Storage Tracking Updates

Pub/Sub notifications
- sends information about changes to objects in the buckets to Pub/Sub, where the information is added to a specified Pub/Sub topic in the form of messages.
- Each notification contains information describing both the event that triggered it and the object that changed.
Audit Logs
- Google Cloud services write audit logs to help you answer the questions, “Who did what, where, and when?”
- Cloud projects contain only the audit logs for resources that are directly within the project.
- Cloud Audit Logs generates the following audit logs for operations in Cloud Storage:
  - Admin Activity logs: Entries for operations that modify the configuration or metadata of a project, bucket, or object.
    - Data Access logs: Entries for operations that modify objects or read a project, bucket, or object.

Data Consistency

Cloud Storage operations are primarily strongly consistent with few exceptions being eventually consistent
Cloud Storage provides strong global consistency for the following operations, including both data and metadata:
- Read-after-write
- Read-after-metadata-update
- Read-after-delete
- Bucket listing
- Object listing
Cloud Storage provides eventual consistency for following operations
- Granting access to or revoking access from resources.

gsutil

gsutil tool is the standard tool for small- to medium-sized transfers (less than 1 TB) over a typical enterprise-scale network, from a private data center to Google Cloud.
gsutil provides all the basic features needed to manage the Cloud Storage instances, including copying the data to and from the local file system and Cloud Storage.
gsutil can also move, rename and remove objects and perform real-time incremental syncs, like rsync, to a Cloud Storage bucket.
gsutil is especially useful in the following scenarios:
- as-needed transfers or during command-line sessions by your users.
- transferring only a few files or very large files, or both.
- consuming the output of a program (streaming output to Cloud Storage)
- watch a directory with a moderate number of files and sync any updates with very low latencies.
gsutil provides following features
- Parallel multi-threaded transfers with gsutil -m, increasing transfer speeds.
- Composite transfers for a single large file to break them into smaller chunks to increase transfer speed. Chunks are transferred and validated in parallel, sending all data to Google. Once the chunks arrive at Google, they are combined (referred to as compositing) to form a single object
gsutil perfdiag can help gather stats to provide diagnostic output to the Cloud Storage team

Best Practices

Use IAM over ACL whenever possible as IAM provides an audit trail
Cloud Storage auto-scaling performs well if requests ram up gradually rather than having a sudden spike.
- If the request rate is less than 1000 write requests per second or 5000 read requests per second, then no ramp-up is needed.
- If the request rate is expected to go over these thresholds, start with a request rate below or near the thresholds and then double the request rate no faster than every 20 minutes.
Avoid sequential naming bottleneck as Cloud Storage uploads data to different shards based on the file name/path as using the same pattern would overload a shard leading to performance degrade
Use Truncated exponential backoff as a standard error handling strategy
For multiple smaller files, use gsutil with -m option that performs a batched, parallel, multi-threaded/multi-processing to upload which can significantly increase the performance of an upload
For large objects downloads, use gsutil with HTTP Range GET requests to perform “sliced” downloads in parallel
To upload large files efficiently, use parallel composite upload with object composition to perform uploads in parallel for large, local files. It splits a large file into component pieces, uploads them in parallel, and then recomposes them once they’re in the cloud (and deletes the temporary components it created locally).

GCP Certification Exam Practice Questions

Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).

GCP services are updated everyday and both the answers and questions might be outdated soon, so research accordingly.

GCP exam questions are not updated to keep up the pace with GCP updates, so even if the underlying feature has changed the question might not be updated

Open to further feedback, discussion and correction.

You have a collection of media files over 50GB each that you need to migrate to Google Cloud Storage. The files are in your on-premises data center. What migration method can you use to help speed up the transfer process?
1. Use multi-threaded uploads using the -m option.
2. Use parallel uploads to break the file into smaller chunks then transfer it simultaneously.
3. Use the Cloud Transfer Service to transfer.
4. Start a recursive upload.
Your company has decided to store data files in Cloud Storage. The data would be hosted in a regional bucket to start with. You need to configure Cloud Storage lifecycle rule to move the data for archival after 30 days and delete the data after a year. Which two actions should you take?
1. Create a Cloud Storage lifecycle rule with Age: “30”, Storage Class: “Standard”, and Action: “Set to Coldline”, and create a second GCS life-cycle rule with Age: “365”, Storage Class: “Coldline”, and Action: “Delete”.
2. Create a Cloud Storage lifecycle rule with Age: “30”, Storage Class: “Standard”, and Action: “Set to Coldline”, and create a second GCS life-cycle rule with Age: “275”, Storage Class: “Coldline”, and Action: “Delete”.
3. Create a Cloud Storage lifecycle rule with Age: “30”, Storage Class: “Standard”, and Action: “Set to Nearline”, and create a second GCS life-cycle rule with Age: “365”, Storage Class: “Nearline”, and Action: “Delete”.
4. Create a Cloud Storage lifecycle rule with Age: “30”, Storage Class: “Standard”, and Action: “Set to Nearline”, and create a second GCS life-cycle rule with Age: “275”, Storage Class: “Nearline”, and Action: “Delete”.

References

Google Cloud Platform – Cloud Storage

Google Cloud Storage – Storage Classes

January 15, 2021 ~ Last updated on : July 22, 2021 ~ jayendrapatil

Google Cloud Storage – Storage Classes

Google Cloud Storage – Storage class affects the object’s availability and pricing model
Storage class of an existing object can be changed either by rewriting the object or by using Object Lifecycle Management.
Bucket’s default storage class is set to Standard Storage, if not specified
A default storage class for the bucket can be specified so when a bucket is created, all the objects added to the bucket will inherit this storage class unless explicitly set otherwise.
Changing the default storage class of a bucket does not affect any of the objects that already exist in the bucket.

Storage Classes Options

All storage classes provide the following
- Unlimited storage with no minimum object size.
- Worldwide accessibility and worldwide storage locations.
- Low latency (time to the first byte typically tens of milliseconds).
- High durability (99.999999999% annual durability).
- Geo-redundancy, if the data is stored in a multi-region or dual-region.
- A uniform experience with Cloud Storage features, security, tools, and APIs

Standard Storage

Standard Storage is best for data that is frequently accessed (hot data) and/or stored for only brief periods of time.
for regional locations
- is appropriate for storing data in the same location for co-locating the resources such as GKE clusters or GCE instances with the data used, which helps in maximizing performance can reduce network charges.
- Availability SLA – 99.99%
for dual-region,
- provides optimized performance when accessing Google Cloud products that are located in one of the associated regions,
- provides improved availability that comes from storing data in geographically separate locations.
- Availability SLA > 99.99%
for multi-region
- ideal for storing data that is accessed around the world, such as serving website content, streaming videos, executing interactive workloads, or serving data supporting mobile and gaming applications.
- Availability SLA > 99.99%

Nearline Storage

Nearline Storage is a low-cost, highly durable storage service for storing infrequently accessed data (warm data)
Nearline Storage is a better choice than Standard Storage in scenarios where slightly lower availability, a 30-day minimum storage duration, and data access costs are acceptable trade-offs for lowered at-rest storage cost
Nearline Storage is ideal for data you plan to read or modify on average once per month or less. for e.g., if you want to continuously add files to Cloud Storage and plan to access those files once a month for analysis, Nearline Storage is a great choice.
Nearline Storage is also appropriate for data backup, long-tail multimedia content, and data archiving.

Coldline Storage

Coldline Storage provides a very-low-cost, highly durable storage service for storing infrequently accessed data (cold data)
Coldline Storage is a better choice than Standard Storage or Nearline Storage in scenarios where slightly lower availability, a 90-day minimum storage duration, and higher costs for data access are acceptable trade-offs for lowered at-rest storage costs.
Coldline Storage is ideal for data you plan to read or modify at most once a quarter.

Archive Storage

Archive Storage is the lowest-cost, highly durable storage service for data archiving, online backup, and disaster recovery. (coldest data)
Archive Storage has no availability SLA, though the typical availability is comparable to Nearline Storage and Coldline Storage.
Data is available within milliseconds, not hours or days.
Archive Storage has higher costs for data access and operations, as well as a 365-day minimum storage duration.
Archive Storage is the best choice for data that you plan to access less than once a year. for e.g. cold data storage for archival and disaster recovery

Google Cloud Storage - Storage Classes

Legacy Storage Classes

Google Cloud Storage provided additional storage classes which have been phased out
- Multi-Regional Storage
  - Equivalent to Standard Storage, except Multi-Regional Storage can only be used for objects stored in multi-regions or dual-regions.
- Regional Storage
  - Equivalent to Standard Storage, except Regional Storage, can only be used for objects stored in regions.
- Durable Reduced Availability (DRA) Storage:
  - Similar to Standard Storage except:
    - DRA has higher pricing for operations.
    - DRA has lower performance, particularly in terms of availability (DRA has a 99% availability SLA).

GCP Certification Exam Practice Questions

Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).

GCP services are updated everyday and both the answers and questions might be outdated soon, so research accordingly.

GCP exam questions are not updated to keep up the pace with GCP updates, so even if the underlying feature has changed the question might not be updated

Open to further feedback, discussion and correction.

You’ve created a bucket to store some data archives for compliance. The data isn’t likely to need to be viewed. However, you need to store it for at least 7 years. What is the best default storage class?
1. Multi-regional
2. Coldline
3. Regional
4. Nearline

References

Google Cloud Storage – Storage Classes

Google Cloud – Associate Cloud Engineer Certification learning path

March 3, 2019 ~ Last updated on : March 30, 2022 ~ jayendrapatil ~ 27 Comments

Google Cloud – Associate Cloud Engineer Certification learning path

Google Cloud – Associate Cloud Engineer certification exam is basically for one who works day-in day-out with the Google Cloud Services. It targets an Cloud Engineer who deploys applications, monitors operations, and manages enterprise solutions. The exam makes sure it covers gamut of services and concepts. Although, the exam is not that tough and time available of 2 hours a quite plenty, if you well prepared.

Google Cloud – Associate Cloud Engineer Certification Summary

Has 50 questions to be answered in 2 hours.
Covers wide range of Google Cloud services and what they actually do. It focuses heavily on IAM, Compute, Storage with a little bit of Network but hardly any data services.
Hands-on is a must. Covers Cloud SDK, CLI commands and Console operations that you would use for day-to-day work. If you have not worked on GCP before make sure you do lot of labs else you would be absolute clueless for some of the questions and commands
Once again be sure that NO Online Course or Practice tests is going to cover all. I did ACloud Guru – LA course which covered maybe 60-70%, but hands-on or practical knowledge is MUST

Google Cloud – Associate Cloud Engineer Certification Topics

General Services

Cloud Billing
- understand how Cloud Billing works. Monthly vs Threshold and which has priority
- Budgets can be set to alert for projects
- how to change a billing account for a project and what roles you need. Hint – Project Owner and Billing Administrator for the billing account
- Cloud Billing can be exported to BigQuery and Cloud Storage
Resource Manager
- Understand Resource Manager the hierarchy Organization -> Folders -> Projects -> Resources
- IAM Policy inheritance is transitive and resources inherit the policies of all of their parent resources.
- Effective policy for a resource is the union of the policy set on that resource and the policies inherited from higher up in the hierarchy.
Cloud SDK
- understand gcloud commands esp. when dealing with
  - configurations i.e. gcloud config
    - activate profiles – gcloud config configurations activate
    - GKE setting default cluster i.e. gcloud config set container/cluster CLUSTER_NAME
    - set project gcloud config set project mygcp-demo
    - set region gcloud config set compute/region us-west1
    - set zone gcloud config set compute/zone us-west1-a
  - Get project list and ids gcloud projects list
  - Auth i.e gcloud auth
    - Auth login using user gcloud auth login
    - Auth login using service accountgcloud auth activate-service-account --key-file=sa_key.json
  - deployment manager i.e. gcloud deployment-manager
  - VPC firewalls i.e. gcloud compute firewall-rules

Network Services

Virtual Private Cloud
- Understand Virtual Private Cloud (VPC), subnets and host applications within them Hint VPC spans across region
- Understand how Firewall rules works and how they are configured. Hint – Focus on Network Tags. Also, there are 2 implicit firewall rules – default ingress deny and default egress allow
- Understand VPC Peering and Shared VPC
- Understand the concept internal and external IPs and difference between static and ephemeral IPs
- Primary IP range of an existing subnet can be expanded by modifying its subnet mask, setting the prefix length to a smaller number.
Cloud Load Balancing
- Understand Google Cloud Load Balancing
- Know load balancer options and differences esp. HTTPS and SSL proxy when handing SSL termination.

Identity Services

Identity and Access Management – IAM
- Identify and Access Management – IAM provides administrators the ability to manage cloud resources centrally by controlling who can take what action on specific resources.
- Understand how IAM works and how rules apply esp. the hierarchy from Organization -> Folder -> Project -> Resources
- Understand the difference between Primitive, Pre-defined and Custom roles and their use cases
- IAM Policy inheritance is transitive and resources inherit the policies of all of their parent resources.
- Effective policy for a resource is the union of the policy set on that resource and the policies inherited from higher up in the hierarchy.
- Basically Permissions -> Roles -> (IAM Policy) -> Members
- Need to know and understand the roles for the following services atleast
  - Cloud Storage – Admin vs Creator vs Viewer
  - Compute Engine – Admin vs Instance Admin
  - Spanner – Viewer vs Database User
  - BigQuery – User vs JobUser
- Know how to copy roles to different projects or organization. Hint – gcloud iam roles copy
- Know how to use service accounts with applications
Cloud Identity
- Cloud Identity provides IDaaS (Identify as a Service) and provides single sign-on functionality and federation with external identity provides like Active Directory.

Compute Services

Make sure you know all the compute services Google Compute Engine, Google App Engine and Google Kubernetes Engine, they are heavily covered in the exam.
Google Compute Engine
- Google Compute Engine is the best IaaS option for compute and provides fine grained control
- Know how to create a Compute Engine instance, connect to it using Cloud shell or ssh keys
- Difference between backups and images and how to create instances from the same.
- Instance templates with managed instance groups. Instance template cannot be edited, create a new one and attach.
- Difference between managed vs unmanaged instance groups and auto-healing feature
- Preemptible VMs and their use cases. HINT – can be terminated any time and supports max 24 hours.
- Upgrade an instance without downtime using Live Migration
- Managing access using OS Login or project and instance metadata
- Prevent accidental deletion using deletion protection flag
- In case of any issues or errors, how to debug the same
Google App Engine
- Google App Engine is mainly the best option for PaaS with platforms supported and features provided.
- Deploy an application with App Engine and understand how versioning and rolling deployments can be done
- Understand how to keep auto scaling and traffic splitting and migration.
- Know App Engine is a regional resource and understand the steps to migrate or deploy application to different region and project.
- Know the difference between App Engine Flexible vs Standard
Google Kubernetes Engine
- Google Container Engine is now officially Google Kubernetes Engine and the questions refer to the same
- Google Kubernetes Engine, powered by the open source container scheduler Kubernetes, enables you to run containers on Google Cloud Platform.
- Kubernetes Engine takes care of provisioning and maintaining the underlying virtual machine cluster, scaling your application, and operational logistics such as logging, monitoring, and cluster health management.
- Be sure to Create a Kubernetes Cluster and configure it to host an application
- Understand how to make the cluster auto repairable and upgradable. Hint – Node auto-upgrades and auto-repairing feature
- Very important to understand where to use gcloud commands (to create a cluster) and kubectl commands (manage the cluster components)
- Very important to understand how to increase cluster size and enable autoscaling for the cluster
- know how to manage secrets like database passwords

Storage Services

Understand each storage service options and their use cases.
Cloud Storage
- Cloud Storage is cost-effective object storage for unstructured data.
- very important to know the different storage classes and their use cases esp. Regional and Multi-Regional (frequent access), Nearline (monthly access) and Coldline (yearly access)
- Understand life cycle management. HINT – Changes are in accordance to object creation date
- Understand Signed URL to give temporary access and the users do not need to be GCP users
- Understand access control and permissions – IAM vs ACLs (fine grained control)
- Understand best practices esp. uploading and downloading the data. HINT using parallel composite uploads
Relational Databases
- Cloud SQL
  - Cloud SQL is a fully-managed service that provides MySQL, PostgreSQL and MS SQL Server
  - limited to ~~10TB~~ 64TB and is a regional service.
  - Difference between Failover and Read replicas. Failover provides High Availability and almost zero downtime while Read replicas provide scalability. Cross region Read Replicas are supported
  - Perform Point-In-Time recovery. Hint – requires binary logging and backups
- Cloud Spanner
  - is a fully managed, mission-critical relational database service.
  - provides a scalable online transaction processing (OLTP) database with high availability and strong consistency at global scale.
  - globally distributed and can scale and handle more than 10TB.
  - not a direct replacement and would need migration
- There are no direct options for Microsoft SQL Server or Oracle yet.
Data Warehousing
- BigQuery
  - provides scalable, fully managed enterprise data warehouse (EDW) with SQL and fast ad-hoc queries.
  - Remember it is most suitable for historical analysis.
  - know how to perform a preview or dry run. Hint – price is determined by bytes read not bytes returned.
  - supports federated tables or external tables that can support Cloud Storage, BigTable, Google Drive and Cloud SQL.

Data Services

Although there were only a couple of reference of big data services in the exam, it is important to know (DO NOT DEEP DIVE) the Big Data stack (esp. IoT gateway, Pub/Sub, Bigtable vs BigQuery) to understand which service fits the different layers of ingest, store, process, analytics, use
- Cloud Storage as the medium to store data as data lake
- Cloud Pub/Sub as the messaging service to capture real time data esp. IoT
- Cloud Pub/Sub is designed to provide reliable, many-to-many, asynchronous messaging between applications esp. real time IoT data capture
- Cloud Dataflow to process, transform, transfer data and the key service to integrate store and analytics.
- Cloud BigQuery for storage and analytics. Remember BigQuery provides the same cost-effective option for storage as Cloud Storage
- Cloud Dataprep to clean and prepare data. Hint – It can be used anomaly detection.
- Cloud Dataproc to handle existing Hadoop/Spark jobs. Hint – Use it to replace existing hadoop infra.
- Cloud Datalab is an interactive tool for exploration, transformation, analysis and visualization of your data on Google Cloud Platform

Monitoring

Google Cloud Monitoring or Stackdriver
- provides everything from monitoring, alert, error reporting, metrics, diagnostics, debugging, trace.
- remember audits are mainly checking Stackdriver

DevOps services

Deployment Manager
- is Infrastructure as Code
- provides dynamic provisioning with templates
- know how to dry run the deployments. Hint preview feature.
Google Marketplace (Cloud Launcher)
- provides a way to launch common software packages e.g. Jenkins or WordPress and stacks on Google Compute Engine with just a few clicks like a prepackaged solution.
- It can help minimize deployment time and can be used without any knowledge about the product

Google Cloud – Associate Cloud Engineer Certification Resources

Official Google Cloud Certified Associate Cloud Engineer Study Guide
Online Courses
- Udemy GCP Associate Cloud Engineer – Google Cloud Certification
- Udemy GCP Associate Cloud Engineer Certification
- Coursera – Preparing for the Google Cloud Associate Cloud Engineer Exam
- Linux Academy – Google Cloud Certified – Associate Cloud Engineer
- A Cloud Guru Udemy course – Google Certified Associate Cloud Engineer Certification
- Whizlabs – Training videos for Google Cloud Certified Associate Cloud Engineer
Practice Tests
- Braincert – Google Cloud Certified – Associate Cloud Engineer Practice Exams
- Whizlabs – Practice Questions for Google Cloud Certified Associate Cloud Engineer – Buy Now
Use Google Free Tier and Qwiklabs as much as possible.

Google Cloud Virtual Private Cloud – VPC

VPC Networks

Specifications

VPC Subnets

VPC Routes

VPC Firewall Rules

VPC Private Access Options

Shared VPC – VPC Sharing

VPC Peering

VPC Flow Logs

GCP Certification Exam Practice Questions

References

Google Cloud Shared VPC

Shared VPC Concepts

IAM Roles

Cloud Interconnect with Shared VPC

GCP Certification Exam Practice Questions

Reference

Google Cloud VPC Peering

VPC Peering Properties

VPC Peering Restrictions

GCP Certification Exam Practice Questions

Reference

Google Cloud Compute Engine

Compute Engine Instance Lifecycle

Compute Engine Machine Types

Compute Engine Storage

Compute Engine Guest Environment

Compute Engine Instance Availability Policies

Compute Engine Live Migration

Preemptible VM instances

Shielded VM

Managing access to the instances

Compute Engine Images

Instance Templates

Instance Groups

Snapshots

Startup & Shutdown Scripts

Machine Image

Sole Tenant Nodes

Preventing Accidental VM Deletion

GCP Certification Exam Practice Questions

References

Google Cloud – Compute Engine Instance Groups

Managed instance groups (MIGs)

Health Checking

High Availability & Autohealing

Regional or Zonal groups

Load Balancing

Scalability & Autoscaling

Automatic Updating

Stateful Workloads Support

Preemptible Instances Groups

Containers

Network and Subnet

Unmanaged instance groups

GCP Certification Exam Practice Questions

Google Cloud Identity and Access Management – IAM

IAM Components

Member

Role

IAM Policy

Service Accounts

IAM User vs Service Account Decision Tree

Workload Identity Federation

IAM Best Practices

IAM Recommender

IAM Audit Logging

GCP Certification Exam Practice Questions

References

Google Cloud Resource Manager

Resource Hierarchy

Organizations

Folders

Projects

IAM Policy Inheritance

Organization Policy Service

Restricting Identities by Domain

GCP Certification Exam Practice Questions

Reference