
GCP

  • IaaS -> PaaS -> Managed Services -> SaaS
  • Zone (eg europe-west2-a) < Region (eg europe-west2, London) < Multi-Region (eg EU)
  • A zone is typically one data center but may span more than one
  • A zone is a single failure domain within a region
  • Zones in the same region have low-latency connectivity (typically under 5 ms round-trip)
  • Regions are > 100 miles apart
  • Zonal resources belong to a specific zone and can only be used from that zone
    • e.g. a zonal persistent disk can only be attached to a VM in the same zone; static IP addresses are regional resources, so they must be in the VM's region (a regional persistent disk likewise)
  • project has: ID (globally unique, chosen at creation, immutable), Number (globally unique, auto-generated, immutable) and Name (need not be unique, mutable)
  • Interact with GCP using: Web console, Cloud Shell and SDK, REST API, Console Mobile App
  • Most service APIs are not enabled by default in a new project; each must be enabled per project before use
  • Client libraries make it easier to call the APIs, installable with the language's package manager (pip, npm, ...)
    • Cloud Client Libraries: community-owned, recommended, idiomatic; some are more performant because they use gRPC
    • Google API Client Libraries: older but exist for all APIs, auto-generated, support only REST (no gRPC)
  • Cloud Marketplace (formerly Cloud Launcher) are prebuilt software packages. 3rd party may have license fees, and Google charges usage fees
  • fully managed vs serverless
  • fully managed => infrastructure is provisioned and managed by Google, but you still size it; eg Cloud SQL and Dataproc
  • serverless => Google allocates the infrastructure on demand as the workload needs it; eg BigQuery, Cloud Dataflow
  • enable a service API in the current project: gcloud services enable run.googleapis.com
  • services:
  • Compute: Compute Engine, Kubernetes Engine, App Engine, Cloud Functions
  • Storage: Cloud Bigtable, Cloud Storage, Cloud SQL, Cloud Spanner, Datastore
  • Big Data: BigQuery, Pub/Sub, Dataflow, Dataproc, Datalab
  • Machine Learning: Natural Language, Vision, Speech, Translation APIs and Cloud Machine Learning Engine
  • Cloud Scheduler is a managed cron job scheduler
    • can trigger App Engine, publish to Pub/Sub, or call an HTTP endpoint on Compute Engine, GKE or on-prem
  • GCP internal project code names:
  • Jupiter: petabit-scale network fabric that connects VMs and storage
  • Colossus: Google's distributed file system (used by BigQuery, Cloud Storage)
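The zone/region naming and the zonal-resource co-location rule from the bullets above, as an added example (not part of the original notes). Zone and region names are real GCP names; the VM and resource records are constructed dicts, and the `scope`/`zone`/`region` keys are this example's own convention, not a Compute Engine API shape:

```python
"""Zone naming and placement checks for zonal vs regional resources.

Added example, not from the original notes. Resource dicts are constructed;
the zone/region names are real GCP names.
"""
import re

# A zone is "<region>-<letter>", a region is "<continent>-<direction><number>",
# e.g. europe-west2-a -> region europe-west2, zone letter a.
ZONE_RE = re.compile(r"^(?P<region>[a-z]+-[a-z]+\d+)-(?P<zone>[a-z])$")


def parse_zone(zone):
    """Split a zone name into (region, zone_letter); raise on non-zone names."""
    m = ZONE_RE.match(zone)
    if not m:
        raise ValueError(f"not a zone name: {zone!r}")
    return m.group("region"), m.group("zone")


def region_of(zone):
    """Region that a zone belongs to (europe-west2-a -> europe-west2)."""
    return parse_zone(zone)[0]


def check_placement(vm, resource):
    """Return None if `resource` can be attached to `vm`, else a reason string.

    Rules as the notes describe them: a zonal resource (zonal persistent disk)
    must be in the VM's zone; a regional resource (regional persistent disk,
    static IP address) must be in the VM's region.
    """
    vm_region, _ = parse_zone(vm["zone"])
    scope = resource["scope"]  # constructed convention: "zonal" or "regional"
    if scope == "zonal":
        if resource["zone"] != vm["zone"]:
            return (f"{resource['name']} is zonal in {resource['zone']}, "
                    f"VM {vm['name']} is in {vm['zone']}")
        return None
    if scope == "regional":
        if resource["region"] != vm_region:
            return (f"{resource['name']} is regional in {resource['region']}, "
                    f"VM {vm['name']} is in region {vm_region}")
        return None
    raise ValueError(f"unknown scope {scope!r}")


if __name__ == "__main__":
    vm = {"name": "vm1", "zone": "europe-west2-a"}
    for res in [
        {"name": "disk-a", "scope": "zonal", "zone": "europe-west2-a"},
        {"name": "disk-b", "scope": "zonal", "zone": "europe-west2-b"},
        {"name": "addr-1", "scope": "regional", "region": "europe-west2"},
        {"name": "addr-2", "scope": "regional", "region": "us-central1"},
    ]:
        print(res["name"], "->", check_placement(vm, res) or "ok")
```

The check is worth running before a deployment tool submits the attach call: Compute Engine rejects a cross-zone zonal disk attach, but catching it locally is faster than a failed API call.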


Security

  • Storage: encryption at rest
  • Identity: supports U2F/FIDO security keys (mandatory for Google's own employees)
  • Hardware: custom hardware, secure boot, hardened and stripped-down Linux kernels, physical security of the data centers
  • Internet: Google Front End (GFE) terminates TLS, has built-in Denial-of-Service (DoS) protection and handles user authentication
  • Data in transit:
  • WAN traffic between data centers is encrypted
  • within a data center, every RPC is authenticated; Google's stated goal is to encrypt all of that traffic as well
  • Data deleted by a customer may persist in Google's active and backup systems for up to 180 days, but is not accessible to the customer during that time
  • GCP maintains Audit Logs for each project, folder and organization; the notes cover the original three types (a fourth, Policy Denied, was added later)
  • Admin Activity: API calls that modify a resource's configuration or metadata. Not charged, retained 400 days, cannot be disabled
  • System Event: administrative actions Google Cloud takes on its own (eg live migration), not user-initiated. Not charged, retained 400 days, cannot be disabled
  • Data Access: API calls that read resource configuration or metadata (ADMIN_READ) and user-driven calls that read or write user data (DATA_READ, DATA_WRITE). Disabled by default (except for BigQuery), charged, default retention 30 days
    • doesn't log access to publicly shared resources (allUsers / allAuthenticatedUsers)
  • Access Transparency provides oversight over data access by Google support or engineering
  • Best practice: store secrets in Secret Manager, not in source, config files or instance metadata
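The audit-log bullets above in working form, as an added example (not the notes' own code): it classifies Cloud Audit Log entries by type from their `logName`, pulls out IAM policy changes, and checks an IAM policy's `auditConfigs` to report which services still have Data Access logging off. The log entries and the policy are constructed; the `logName` suffixes, `protoPayload` fields and the `auditConfigs`/`auditLogConfigs` layout follow the real Cloud Audit Logs and IAM policy formats:

```python
"""Classify Cloud Audit Log entries and find Data Access logging gaps.

Added example, not from the original notes. SAMPLE_ENTRIES and SAMPLE_POLICY
are constructed test data shaped like real LogEntry / IAM policy JSON.
"""
import json

AUDIT_LOG_TYPE = "type.googleapis.com/google.cloud.audit.AuditLog"

# logName ends with the log ID; Logging URL-encodes the slash as %2F.
LOG_TYPES = {
    "cloudaudit.googleapis.com%2Factivity": "admin_activity",
    "cloudaudit.googleapis.com%2Fdata_access": "data_access",
    "cloudaudit.googleapis.com%2Fsystem_event": "system_event",
    "cloudaudit.googleapis.com%2Fpolicy": "policy_denied",
}

# Services whose Data Access logs are always written regardless of auditConfigs.
ALWAYS_ON = {"bigquery.googleapis.com"}


def classify(entry):
    """Audit log type of a LogEntry dict, or None if it is not an audit log."""
    payload = entry.get("protoPayload", {})
    if payload.get("@type") != AUDIT_LOG_TYPE:
        return None
    log_id = entry.get("logName", "").rsplit("/", 1)[-1]
    return LOG_TYPES.get(log_id)


def summarize(entries):
    """Count entries per type and list (principal, resource) for IAM policy
    changes; setIamPolicy lands in Admin Activity and is always worth review."""
    counts, iam_changes = {}, []
    for entry in entries:
        kind = classify(entry)
        if kind is None:
            continue
        counts[kind] = counts.get(kind, 0) + 1
        p = entry["protoPayload"]
        if p.get("methodName", "").lower().endswith("setiampolicy"):
            iam_changes.append((p["authenticationInfo"]["principalEmail"],
                                p["resourceName"]))
    return counts, iam_changes


def data_access_gaps(policy, services):
    """Services in `services` whose DATA_READ and DATA_WRITE logs are not both
    enabled by the policy's auditConfigs ('allServices' applies to every service;
    ADMIN_READ alone does not cover data access)."""
    enabled = {}
    for cfg in policy.get("auditConfigs", []):
        enabled[cfg["service"]] = {c["logType"] for c in cfg.get("auditLogConfigs", [])}
    gaps = []
    for svc in services:
        if svc in ALWAYS_ON:
            continue
        types = enabled.get(svc, set()) | enabled.get("allServices", set())
        if not {"DATA_READ", "DATA_WRITE"} <= types:
            gaps.append(svc)
    return gaps


def _audit(log_id, service, method, principal, resource):
    """Build a constructed LogEntry dict in the audit log shape."""
    return {"logName": f"projects/my-project/logs/cloudaudit.googleapis.com%2F{log_id}",
            "protoPayload": {"@type": AUDIT_LOG_TYPE, "serviceName": service,
                             "methodName": method,
                             "authenticationInfo": {"principalEmail": principal},
                             "resourceName": resource}}


SAMPLE_ENTRIES = [  # constructed
    _audit("activity", "cloudresourcemanager.googleapis.com", "SetIamPolicy",
           "alice@example.com", "projects/my-project"),
    _audit("data_access", "storage.googleapis.com", "storage.objects.get",
           "bob@example.com", "projects/_/buckets/b/objects/o"),
    _audit("system_event", "compute.googleapis.com",
           "compute.instances.migrateOnHostMaintenance", "system@google.com",
           "projects/my-project/zones/us-central1-a/instances/vm1"),
    {"logName": "projects/my-project/logs/syslog", "textPayload": "not an audit log"},
]

SAMPLE_POLICY = {  # constructed: Storage fully covered, Compute only ADMIN_READ
    "bindings": [],
    "auditConfigs": [
        {"service": "storage.googleapis.com",
         "auditLogConfigs": [{"logType": "DATA_READ"}, {"logType": "DATA_WRITE"}]},
        {"service": "compute.googleapis.com",
         "auditLogConfigs": [{"logType": "ADMIN_READ"}]},
    ],
}

if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_ENTRIES)))
    print(data_access_gaps(SAMPLE_POLICY, ["storage.googleapis.com",
                                           "compute.googleapis.com",
                                           "bigquery.googleapis.com"]))
```

To run `data_access_gaps` against a real project, feed it the output of `gcloud projects get-iam-policy PROJECT_ID --format=json`; a service missing from `auditConfigs` means its Data Access logs are off, and the public-resource exemption in the bullet above means even an enabled service will not show reads of objects shared with allUsers.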

Pricing

  • Control spend using Budgets, Alerts and Quotas
  • Budgets are set on a billing account and can be scoped to specific projects; alerts fire at percentage thresholds of the budget and only notify, they do not stop spend by themselves
  • two types of Quotas
  • Rate: eg GKE API, 1000 requests per 100 seconds; the counter resets when the period ends
  • Allocation: eg 5 networks per project; only freed when the resource is deleted
  • quota increases are requested from the Quotas page in the console; some require contacting support
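The difference between the two quota types, simulated as an added example (not part of the original notes). The limits are the ones quoted above (1000 requests per 100 seconds, 5 networks per project); the request trace is constructed, and the fixed-window reset is a model of how the notes describe rate quotas, not Google's internal implementation:

```python
"""Rate quota vs allocation quota, simulated.

Added example, not from the original notes. Call traces are constructed.
"""


class RateQuota:
    """Fixed-window rate quota: at most `limit` calls per `window` seconds.

    The counter resets at the start of each window (0-100 s, 100-200 s, ...),
    which is the "reset after the specified period" behaviour in the notes.
    """

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.window_idx, self.used = None, 0

    def request(self, t):
        """True if a call at time t (seconds) is admitted, False if it would
        be rejected with RESOURCE_EXHAUSTED (HTTP 429)."""
        idx = int(t // self.window)
        if idx != self.window_idx:
            self.window_idx, self.used = idx, 0
        if self.used >= self.limit:
            return False
        self.used += 1
        return True


class AllocationQuota:
    """Allocation quota: at most `limit` resources may exist at once.

    Waiting never frees capacity; only deleting a resource does.
    """

    def __init__(self, limit):
        self.limit = limit
        self.resources = set()

    def create(self, name):
        if len(self.resources) >= self.limit:
            return False
        self.resources.add(name)
        return True

    def delete(self, name):
        self.resources.discard(name)


def simulate_rate(limit=1000, window=100, burst=1200):
    """Spread `burst` calls evenly over the first window, then make one call
    just after the window ends. Returns (rejected_in_burst, admitted_after_reset)."""
    q = RateQuota(limit, window)
    results = [q.request(i * window / burst) for i in range(burst)]
    after_reset = q.request(window)
    return sum(1 for ok in results if not ok), after_reset


def simulate_allocation(limit=5):
    """Create one more network than allowed, then delete one and retry.
    Returns (per-create results, whether the retry after deletion succeeded)."""
    q = AllocationQuota(limit)
    created = [q.create(f"net-{i}") for i in range(limit + 1)]
    q.delete("net-0")
    return created, q.create("net-extra")


if __name__ == "__main__":
    print("rate quota: rejected, admitted after reset =", simulate_rate())
    print("allocation quota:", simulate_allocation())
```

A client that hits the rate quota should back off until the next window rather than retry immediately; a client that hits an allocation quota has to delete something or request an increase, because retrying will never succeed on its own.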