GCP

  • IaaS -> PaaS -> Managed Services -> SaaS
  • Zone (eg London) < Region (eg europe-west2) < Multi-Region (eg Europe)
    • A zone is typically 1 data center but may have more than 1
    • Zone can be considered as a single failure domain within a region
    • Resources in a Region have low latency (5 ms)
    • Regions are > 100 miles apart
    • Zonal Resources belong to a specific zone, they can only be used in that zone
      • e.g. in order to attach a disk and an IP to a VM, all three must belong to the same zone
  • A project has: ID (globally unique), Number (globally unique, auto-generated, immutable) and Name (need not be unique, mutable)
  • Interact with GCP using: Web console, Cloud Shell and SDK, REST API, Console Mobile App
    • Access to APIs is not enabled by default for all services.
    • Client libraries make it easier to call the APIs from code, installable via pip or npm
      • Cloud Client Libraries: Community owned, recommended, idiomatic, some are more performant because they use gRPC
      • Google API Client Libraries: Older but exist for all APIs, auto-generated, support only REST APIs (no gRPC)
  • Cloud Marketplace (formerly Cloud Launcher) offers prebuilt software packages. 3rd parties may charge license fees, and Google charges usage fees
  • fully managed vs serverless
    • fully managed => infrastructure is managed by Google, eg Cloud SQL and Dataproc
    • serverless => Google allocates the infrastructure as needed; eg BigQuery, Cloud Dataflow
  • enable a service: gcloud services enable run.googleapis.com
  • services:
    • Compute: Compute Engine, Kubernetes Engine, App Engine, Cloud Functions
    • Storage: Bigtable, Cloud Storage, Cloud SQL, Spanner, Datastore
    • Big Data: BigQuery, Pub/Sub, Dataflow, Dataproc, Datalab
    • Machine Learning: NLP, Vision, Speech, Translate APIs and Machine Learning
    • Cloud Scheduler is a managed cron job scheduler
      • can trigger App Engine, publish to Pub/Sub, or call an HTTP endpoint on Compute Engine, GKE or on-prem
  • GCP internal project code names:
    • Jupiter: petabit scale network fabric that connects VMs and/or storage
    • Colossus: massive distributed storage (used by BigQuery, CloudStorage)

products

Security

  • Storage: encryption at rest
  • Identity: support for U2F (must for employees)
  • Hardware: custom hardware, secure boot, hardened and stripped down Linux kernels, physical
  • Internet: Google Front End (GFE): built-in denial-of-service (DoS) protection, user authentication
  • Data-In-Transit:
    • WAN traffic is encrypted
    • eventually, all communication within a data center will be encrypted; today every connection is at least authenticated
  • Data deleted by customer may remain in GCP for 180 days but not user accessible
  • GCP maintains 3 types of Audit logs for each project, folder and organization
    • Admin Activity: resource modifications or changes to their metadata. Not charged, retained for 13 months, cannot be disabled
    • System Events: non-user-initiated Google Cloud administrative actions. Not charged, cannot be disabled
    • Data Access: user driven resource configuration or metadata access, and user-driven API calls that access/modify user resources.
      • doesn't log access to publicly shared resources
  • Access Transparency provides oversight over data access by Google support or engineering
  • Best practice: use Secret Manager to store secrets
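The three audit log types above arrive as separate log streams per project, folder or organization. This added example (mine, not from these notes or from Google) classifies exported Cloud Audit Log entries by container and type and lists who was behind Admin Activity entries; the logName prefixes and suffixes are the real stream names, while the sample entries, ids and principals are constructed.

```python
import json
import re
from collections import Counter

# Cloud Audit Logs live in per-container log streams; the audit log type is the
# URL-encoded suffix of logName (real stream names, not constructed).
LOG_NAME_RE = re.compile(
    r"^(?P<container>projects|folders|organizations)/(?P<id>[^/]+)/logs/"
    r"cloudaudit\.googleapis\.com%2F(?P<kind>activity|data_access|system_event)$"
)
KIND_LABELS = {"activity": "Admin Activity", "data_access": "Data Access",
               "system_event": "System Event"}

def classify_entry(entry):
    """Return (container, id, type label), or None for a non-audit log entry."""
    m = LOG_NAME_RE.match(entry.get("logName", ""))
    if not m:
        return None
    return m.group("container"), m.group("id"), KIND_LABELS[m.group("kind")]

def summarize(entries):
    """Count audit entries per (container, id, type); collect Admin Activity principals."""
    counts, admin_principals = Counter(), set()
    for entry in entries:
        key = classify_entry(entry)
        if key is None:
            continue
        counts[key] += 1
        if key[2] == "Admin Activity":  # the stream recording resource/metadata changes
            auth = entry.get("protoPayload", {}).get("authenticationInfo", {})
            admin_principals.add(auth.get("principalEmail", "<unknown>"))
    return counts, admin_principals

def parse_lines(text):
    """Parse newline-delimited JSON, the shape a Cloud Logging sink exports."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

# Constructed sample: project/org ids, principals and method names are made up.
SAMPLE_LOG = """
{"logName": "projects/example-proj/logs/cloudaudit.googleapis.com%2Factivity", "protoPayload": {"methodName": "v1.compute.instances.insert", "authenticationInfo": {"principalEmail": "alice@example.com"}}}
{"logName": "projects/example-proj/logs/cloudaudit.googleapis.com%2Fdata_access", "protoPayload": {"methodName": "storage.objects.get", "authenticationInfo": {"principalEmail": "bob@example.com"}}}
{"logName": "organizations/123456/logs/cloudaudit.googleapis.com%2Fsystem_event", "protoPayload": {"methodName": "compute.instances.migrateOnHostMaintenance"}}
{"logName": "projects/example-proj/logs/my-app", "textPayload": "not an audit log"}
"""

if __name__ == "__main__":
    counts, principals = summarize(parse_lines(SAMPLE_LOG))
    print(dict(counts), sorted(principals))
```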

Pricing

  • Using Budgets, Alerts and Quotas
  • Budget can be at Account or Project level
  • two types of Quotas
    • Rate: eg GKE API, 1000 requests/100 seconds, resets after the specified period
    • Allocation: 5 networks per project
  • some quotas can be modified by contacting support