Migration concerns when migrating from on-premises into Google Cloud
Code snippets to troubleshoot and diagnose
Part 2 - Hands-on with tools
Role of Cloud Architect
Plans, designs and builds the infrastructure for an org to host its workloads on GCP; able to plan for scale;
scalability and automation
The Importance of Hands-on Practice
Practice
Core Management Services
Cloud Resource Manager (Quotas, IAM, Billing)
Management Services: (IMPORTANT FOR EXAM)
Organization Node and Folders
Org -> Folders -> Projects -> Resources
Org - highest root node for all GCP resources; Org Admin (highest level, useful for auditing), Org Owner (reserved for the G Suite super admin)
Folder - groups projects under the org; projects in a folder share common IAM policies; roles are granted at folder level
Quotas
Caps on resources you can create; ex: 48 CPUs per region, 5 static IPs per project; prevent unexpected spikes in usage;
3 types - resources per project, API rate limit (requests per project), per region
Increasing quota caps - soft caps can be raised by request; support ticket or self-service form; quotas can be viewed in the console; request proactively
Labels
Method of organization and segregation (projects & folders); labels are a tool for organizing GCP resources; any resource can be labeled (via console, gcloud or API)
64 labels per resource; key:value pair; Ex: Environment - env:prod, env:test; Owner or POC - owner:matt, contact:devops; Team or cost center - team:research,
FROM `cloud-training-prod-bucket.arch_infra.billing_data`
WHERE (cost > 3)
find which product had the highest total number of records:
SELECT product, COUNT(*) AS billing_records
FROM `cloud-training-prod-bucket.arch_infra.billing_data`
GROUP BY product
ORDER BY billing_records DESC
LIMIT 200
which product most frequently cost more than a dollar:
SELECT product, cost, COUNT(*) AS billing_records
FROM `cloud-training-prod-bucket.arch_infra.billing_data`
WHERE (cost > 1)
GROUP BY cost, product
ORDER BY billing_records DESC
LIMIT 200
Stackdriver
Suite of tools for monitoring, logging, and tracking diagnostics for apps; native monitoring of both GCP and AWS; dynamically discovers all GCP resources
1. Monitoring - monitor metrics, health checks, dashboards and alerts etc.
2. Logging - audit of activity
3. Error Reporting - identify and understand app errors
4. Trace - find bottlenecks in App Engine apps
5. Debugger - find/fix code errors in prod
Benefits - multi-cloud monitoring, identify trends and prevent problems before they occur, centralized logging, better signal-to-noise ratio, find & fix problems faster
Error Reporting - real-time error monitoring; automatic and real-time analysis; automatically enabled in App Engine
Trace - find performance bottlenecks (latency); collects data from GAE, LB, or apps using the Stackdriver Trace SDK; automatically enabled in App Engine
Debugger - inspect app state without stopping or slowing the app; doesn't require additional log statements; automatically enabled in App Engine standard
GCP Core Building Blocks
Google Cloud Storage - unstructured data, virtually limitless size, pay per use not allocation, primary unit is the bucket, objects live inside buckets
Storage Class - Regional, Multi-regional, Nearline, Coldline
Changing storage class - cannot change a bucket from multi-regional to regional or vice versa; use gsutil to change the class of an existing object or move the object to another bucket
IAM - granted at project, resource or bucket level; Roles - primitive, standard storage roles (independent of ACLs), legacy roles (work with ACLs)
ACLs - can be applied to buckets/objects; objects inherit ACLs from the bucket's default object ACL
Best Practice - use IAM over ACLs (enterprise-grade access control, leaves an audit trail); use ACLs to grant access to an object without granting access to the bucket
Signed URLs - timed access to object data (temporary access without a Google account)
storage.cloud.google.com/bucketname
Assign IAM role to bucket
via console
gsutil iam ch user:[email protected]:objectCreator,objectViewer gs://pwnet-test1-test   # grant both roles on the bucket
gsutil iam ch -d user:[email protected]:objectCreator,objectViewer gs://pwnet-test1-test   # -d removes the same binding
Get the URL from the output and give it to the user who needs access to the object
Object Versioning and Lifecycle Management Concepts
Object versioning - retrieve objects that were deleted or overwritten; applied at bucket level; disabled by default; when enabled, overwritten or deleted objects are archived as noncurrent versions;
archived versions increase bucket size; an archived version retains its ACLs; Versioning properties - Generation (changes when object content changes), Metageneration (changes when metadata changes)
Object Lifecycle management
Sets a TTL on an object (to delete a version or downgrade its storage class); applied at bucket level; implemented as a combination of rules, conditions and actions
Rule - specifies a set of conditions that must hold in order to take an action
Condition - criteria to meet before the action is taken; Age, CreatedBefore, IsLive, MatchesStorageClass, NumberOfNewerVersions
Actions - Delete, SetStorageClass
gsutil versioning help
gsutil versioning get gs://pwnet-test1-test
gsutil versioning set on gs://pwnet-test1-test
gsutil ls -a gs://pwnet-test1-test
gsutil lifecycle get gs://pwnet-test1-test > policy.json
edit the file to change the rule
gsutil lifecycle set policy.json gs://pwnet-test1-test
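As an added example (not from the original notes), the following Python models how a lifecycle policy is evaluated against the versions `gsutil ls -a` lists, so that the interplay of versioning (live vs archived generations) with the Age, IsLive, MatchesStorageClass and NumberOfNewerVersions conditions is visible. The policy dict uses the real JSON shape that `gsutil lifecycle set policy.json gs://BUCKET` accepts; the bucket listing, object names and dates are constructed, and the tie-break among several SetStorageClass matches is a simplifying assumption.

```python
"""Added example, not part of the original notes: a small model of how a Cloud
Storage lifecycle policy is evaluated against object versions.  The policy dict
uses the real JSON shape accepted by `gsutil lifecycle set policy.json gs://BUCKET`;
the bucket contents, object names and dates below are constructed for the demo."""
import json
from datetime import date

# Policy: three rules.  Each rule fires only when ALL of its conditions hold.
LIFECYCLE_POLICY = {
    "lifecycle": {
        "rule": [
            # Downgrade live objects still in a standard class after 30 days.
            {"action": {"type": "SetStorageClass", "storageClass": "NEARLINE"},
             "condition": {"age": 30, "isLive": True,
                           "matchesStorageClass": ["STANDARD", "REGIONAL", "MULTI_REGIONAL"]}},
            # Keep at most 3 archived (noncurrent) versions per object.
            {"action": {"type": "Delete"},
             "condition": {"isLive": False, "numNewerVersions": 3}},
            # Drop any archived version older than a year regardless of count.
            {"action": {"type": "Delete"},
             "condition": {"isLive": False, "age": 365}},
        ]
    }
}


def policy_json() -> str:
    """The text you would write to policy.json before `gsutil lifecycle set`."""
    return json.dumps(LIFECYCLE_POLICY, indent=2)


def condition_matches(cond: dict, version: dict, newer_versions: int, today: date) -> bool:
    """Check one rule's conditions against one object version (a generation)."""
    age_days = (today - version["created"]).days
    if "age" in cond and age_days < cond["age"]:
        return False
    if "createdBefore" in cond and version["created"] >= date.fromisoformat(cond["createdBefore"]):
        return False
    if "isLive" in cond and version["is_live"] != cond["isLive"]:
        return False
    if "matchesStorageClass" in cond and version["storage_class"] not in cond["matchesStorageClass"]:
        return False
    if "numNewerVersions" in cond and newer_versions < cond["numNewerVersions"]:
        return False
    return True


def evaluate(policy: dict, versions: list, today: date) -> dict:
    """Map (name, generation) -> action for every version some rule selects.

    When several rules match one version, Delete takes precedence over
    SetStorageClass (Cloud Storage's documented behaviour); among several
    SetStorageClass matches this model simply keeps the first (assumption).
    """
    decisions = {}
    for v in versions:
        # "newer versions" counts versions of the same object with a higher generation.
        newer = sum(1 for o in versions
                    if o["name"] == v["name"] and o["generation"] > v["generation"])
        actions = [r["action"] for r in policy["lifecycle"]["rule"]
                   if condition_matches(r.get("condition", {}), v, newer, today)]
        if not actions:
            continue
        key = (v["name"], v["generation"])
        if any(a["type"] == "Delete" for a in actions):
            decisions[key] = "Delete"
        else:
            decisions[key] = "SetStorageClass:" + actions[0]["storageClass"]
    return decisions


# Constructed bucket listing, as `gsutil ls -a` would show it: one object with
# four generations (1 live + 3 archived), a fresh object, and an old archived version.
TODAY = date(2024, 2, 15)
SAMPLE_VERSIONS = [
    {"name": "report.csv", "generation": 4, "created": date(2024, 1, 1),   "is_live": True,  "storage_class": "STANDARD"},
    {"name": "report.csv", "generation": 3, "created": date(2023, 12, 20), "is_live": False, "storage_class": "STANDARD"},
    {"name": "report.csv", "generation": 2, "created": date(2023, 12, 10), "is_live": False, "storage_class": "STANDARD"},
    {"name": "report.csv", "generation": 1, "created": date(2023, 12, 1),  "is_live": False, "storage_class": "STANDARD"},
    {"name": "new.log",    "generation": 1, "created": date(2024, 2, 10),  "is_live": True,  "storage_class": "STANDARD"},
    {"name": "old.bin",    "generation": 7, "created": date(2022, 1, 1),   "is_live": False, "storage_class": "NEARLINE"},
]

if __name__ == "__main__":
    print(policy_json())
    for key, action in sorted(evaluate(LIFECYCLE_POLICY, SAMPLE_VERSIONS, TODAY).items()):
        print(key, "->", action)
```

Running it shows the live `report.csv` being moved to NEARLINE, generation 1 of `report.csv` deleted because three newer versions exist, and the old archived `old.bin` version deleted on age; generations 2 and 3 and the fresh `new.log` are untouched. Note that a Delete rule with `isLive: false` only ever removes archived versions, which is why versioning plus such a rule is the usual way to bound bucket growth without losing the current object.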
Bucket and Object Command Line A-Z
gsutil ls -al gs://pwnet-test1-test   # long listing of all versions; shows generation and metageneration
gsutil -m rewrite -s NEARLINE 'gs://pwnet-test1-test/*'   # turn versioning off first, then move objects to a different storage class
gsutil acl ch -u AllUsers:R gs://pwnet-test1-test/file.txt   # object now shows a public link in the console
Interconnecting Networks
Worldwide private network; communication between regions and on-premises never touches the public internet; networking is handled differently than at other providers.
SDN - traditional network (manage network hardware, high management overhead) vs SDN (everything is virtualized)
Single global/cross-region VPC; global internal DNS/load balancing/firewalls/routes; global public DNS; rapid scaling with global LB (Layer 7/HTTP);
Subnets within a VPC group resources by region/zone; subnet IP ranges are dynamically expandable.
Extend Google Private Network to On-premises - VPN, Cloud Interconnect, Direct Peering
Connecting your Network to Google
1. Dedicated Interconnect - physically connect the on-premises network to a GCP VPC via a Google edge location; useful for hybrid environments and high-bandwidth traffic;
Must be at a supported peering location; can be direct with Google or via an ISP; $1700 per 10 Gbps link, up to 80 Gbps total; reduced egress fees
Use cases - on-premises data processing, low-latency needs
2. Peering - connect the business directly to Google; 70+ locations in 33 countries for Direct Peering; exchange BGP routes; Direct and Carrier Peering;
Does not connect to the internet; also saves on egress fees; 10 Gbps per link (direct), variable for carrier; use case ex: private API access
3. Cloud VPN - site-to-site VPN connection over IPsec; connects the internal network to GCP over an encrypted tunnel across the public internet; up to 1.5 Gbps per tunnel;
Can use multiple tunnels for increased performance; static and dynamic routes (using Cloud Router); supports IKEv1 and IKEv2 using a shared secret;
Connects on-premises to GCP or connects two different VPCs on GCP; no site-to-client option available.
CloudVPN
Connects the on-premises network to a GCP VPC; IPsec connection over the public internet; traffic is encrypted by one gateway and decrypted by the other.
99.9% SLA, site-to-site only; up to 1.5 Gbps per tunnel, can have multiple tunnels; static and dynamic routes
Use case - connect to on-premises or connect 2 different VPC networks on GCP
Requirements - VPN gateway on both ends (peer); the peer gateway must have a static IP; non-conflicting CIDR range/subnet with the rest of the network
Cloud Router - static vs dynamic routing; Static: create a routing table for existing and new routes, can't re-route if a link fails; Dynamic: networks
automatically discover topology changes via BGP; can re-route if a link fails
To use Dynamic routing, change dynamic routing mode to Global on VPC network.
Google ASN(65000-65001) and BGP address(169.254.0.1-169.254.0.2) required
Subnets are region-bound and can span multiple zones
Isolated per project, but can be shared between projects with Shared VPC
Quotas - hard cap of 7000 VMs per VPC; IPv4 unicast traffic only; most other quotas can be increased by request
Network Tags - primary method of segmenting network traffic access; apply to firewall rules and network routes; individual instances are tagged
Firewall - single firewall for the entire VPC; manages both ingress and egress traffic; default is deny all ingress, allow all egress; Conditions - source/target, port, protocol, tags
Routes - software based, not limited by hardware; route traffic leaving VMs; special cases for advanced routing: many-to-one route, proxy server;
Routes + firewall rules combine to determine traffic access
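The following Python is an added example (not from the original notes) that models VPC firewall evaluation for the points above: tags select which instances a rule targets and, for ingress, which senders it matches; a lower priority number wins; deny beats allow at equal priority; and the two implied rules (deny all ingress, allow all egress at priority 65535) are what apply when nothing else matches. The rule set and traffic samples are constructed; the evaluation semantics are GCP's documented behaviour. Routes are not modelled: they decide where a packet goes, the firewall decides whether it is allowed.

```python
"""Added example, not part of the original notes: a small model of VPC firewall
evaluation showing how network tags, direction, priority and the two implied
rules combine.  The rule set and traffic samples are constructed; the semantics
modelled (lower priority number wins, deny beats allow at equal priority,
implied deny-all-ingress / allow-all-egress at priority 65535, a rule with no
target tags applies to every instance) are GCP's documented behaviour."""
from ipaddress import ip_address, ip_network

# Constructed rule set for a two-tier app: instances tagged "web" and "db", plus a "bastion".
RULES = [
    {"name": "allow-https-web", "direction": "INGRESS", "priority": 1000, "action": "allow",
     "source_ranges": ["0.0.0.0/0"], "target_tags": ["web"], "protocol": "tcp", "ports": [443]},
    {"name": "allow-ssh-from-bastion", "direction": "INGRESS", "priority": 1000, "action": "allow",
     "source_tags": ["bastion"], "target_tags": ["web", "db"], "protocol": "tcp", "ports": [22]},
    {"name": "allow-db-from-web", "direction": "INGRESS", "priority": 1000, "action": "allow",
     "source_tags": ["web"], "target_tags": ["db"], "protocol": "tcp", "ports": [5432]},
    {"name": "deny-db-egress-internet", "direction": "EGRESS", "priority": 1000, "action": "deny",
     "destination_ranges": ["0.0.0.0/0"], "target_tags": ["db"], "protocol": "all"},
    {"name": "allow-db-egress-internal", "direction": "EGRESS", "priority": 900, "action": "allow",
     "destination_ranges": ["10.0.0.0/8"], "target_tags": ["db"], "protocol": "all"},
]

# Every VPC carries these two implied rules at the lowest precedence.
IMPLIED_RULES = [
    {"name": "implied-deny-ingress", "direction": "INGRESS", "priority": 65535, "action": "deny",
     "source_ranges": ["0.0.0.0/0"], "protocol": "all"},
    {"name": "implied-allow-egress", "direction": "EGRESS", "priority": 65535, "action": "allow",
     "destination_ranges": ["0.0.0.0/0"], "protocol": "all"},
]


def _in_ranges(ip: str, ranges) -> bool:
    return any(ip_address(ip) in ip_network(r) for r in ranges)


def rule_applies(rule, direction, instance_tags, peer_ip, peer_tags, protocol, port) -> bool:
    """Does this rule cover a packet in `direction` for an instance carrying `instance_tags`?"""
    if rule["direction"] != direction:
        return False
    # Target: a rule without target tags applies to all instances in the network.
    if rule.get("target_tags") and not set(rule["target_tags"]) & set(instance_tags):
        return False
    # Peer: ingress matches by source range OR source tag; egress by destination range.
    if direction == "INGRESS":
        by_range = _in_ranges(peer_ip, rule.get("source_ranges", []))
        by_tag = bool(set(rule.get("source_tags", [])) & set(peer_tags))
        if not (by_range or by_tag):
            return False
    elif not _in_ranges(peer_ip, rule.get("destination_ranges", [])):
        return False
    # Protocol and port ("all" covers every protocol; no ports list covers every port).
    if rule["protocol"] != "all" and rule["protocol"] != protocol:
        return False
    if rule.get("ports") and port not in rule["ports"]:
        return False
    return True


def decide(rules, direction, instance_tags, peer_ip, peer_tags=(), protocol="tcp", port=0):
    """Return (action, rule_name): lowest priority number wins; deny wins a tie."""
    candidates = [r for r in list(rules) + IMPLIED_RULES
                  if rule_applies(r, direction, instance_tags, peer_ip, peer_tags, protocol, port)]
    # The implied rules always match, so candidates is never empty.
    winner = min(candidates, key=lambda r: (r["priority"], 0 if r["action"] == "deny" else 1))
    return winner["action"], winner["name"]


if __name__ == "__main__":
    # Constructed traffic samples.
    print(decide(RULES, "INGRESS", ["web"], "203.0.113.5", port=443))        # allow-https-web
    print(decide(RULES, "INGRESS", ["web"], "203.0.113.5", port=22))         # implied-deny-ingress
    print(decide(RULES, "INGRESS", ["db"], "10.0.1.4", ["web"], port=5432))  # allow-db-from-web
    print(decide(RULES, "EGRESS", ["db"], "8.8.8.8", port=443))              # deny-db-egress-internet
    print(decide(RULES, "EGRESS", ["db"], "10.0.1.4", port=5432))            # allow-db-egress-internal
```

Two things the samples make concrete: SSH to a `web` instance from the internet is dropped by the implied rule even though an SSH allow exists, because that allow is keyed on the `bastion` source tag rather than an address range; and the `db` tier's egress to the internet is blocked by an explicit priority-1000 deny while internal egress at priority 900 still wins, so the egress-by-default behaviour is overridden only where a tag carries the deny.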
Shared VPC Concepts
share VPC across projects within Org(Cross Project Networking)
Host project - the project hosting the shared VPC; Service project - a project with permission to use the shared VPC; Standalone project - a project not using the shared VPC;
Shared VPC Admin - IAM role for the admin of the shared VPC; Service Project Admin - project admin of a shared VPC service project
Use cases - separation of projects for access control/billing while still needing access to the same VPC environment; 2-tier web service; hybrid cloud scenario
GCE, GKE, GAE all run on VMs; Single VM, Force multipliers, Automation, Autoscaling, Managed Instance Groups, Load Balancer, Custom Image, Disk manipulation,
Disk concepts - single root disk for the OS; Persistent (most common, default, not directly attached) or Local SSD (directly attached) or Cloud Storage buckets
Persistent - up to 64 TB in total, zonal scope of access, no RAID config necessary
Local SSD - cannot be the boot device, encrypted (Google-supplied keys only), 375 GB in size (can attach up to 8), must be created at instance creation
Cloud Storage bucket - not a root disk, encrypted, lower performance
Ease management of large numbers of VMs; easily and programmatically customize VMs; key component of instance groups and scaling capabilities
Startup scripts - always run as root/administrator; input methods - direct (script field in instance properties), or a link to a script on Cloud Storage
Shutdown scripts - great for managed instance groups/autoscaler; ex: copy processed data to Cloud Storage, back up logs etc.; good to pair with preemptible VMs
Metadata server - built into GCP; manage config and environment variables programmatically; default and custom values; key/value pairs
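As an added example (not from the original notes), the Python below reads custom key/value metadata the way a startup or shutdown script would, preferring an instance-level attribute over the project-level one and falling back to a default when neither exists. The URL layout under `computeMetadata/v1/` and the mandatory `Metadata-Flavor: Google` header are the real metadata server interface; the attribute names and values are constructed, and the `fetch` parameter is injected so the lookup logic can be exercised off a VM.

```python
"""Added example, not part of the original notes: reading custom key/value
metadata from the Compute Engine metadata server as a startup or shutdown
script would, with the instance-level value taking precedence over the
project-level one.  The URL layout and the mandatory `Metadata-Flavor: Google`
header are real; the attribute names and values below are constructed, and
`fetch` is injected so the lookup can be exercised without a VM."""
import urllib.error
import urllib.request

METADATA_BASE = "http://metadata.google.internal/computeMetadata/v1/"
# The server rejects requests that lack this header; it stops software that
# blindly follows redirects from reading instance metadata by accident.
REQUIRED_HEADERS = {"Metadata-Flavor": "Google"}

# Custom attributes live under instance/attributes/ and project/attributes/;
# the instance-level value wins when both are set.
LOOKUP_ORDER = ("instance/attributes/{key}", "project/attributes/{key}")


def metadata_request(path: str) -> urllib.request.Request:
    """Build a request for one metadata path with the required header attached."""
    return urllib.request.Request(METADATA_BASE + path, headers=REQUIRED_HEADERS)


def http_fetch(req: urllib.request.Request) -> str:
    """Real transport: only resolves from inside a Compute Engine VM."""
    with urllib.request.urlopen(req, timeout=2) as resp:
        return resp.read().decode()


def get_attribute(key: str, fetch=http_fetch, default=None):
    """Instance attribute first, then project attribute, then `default`.

    A missing key is a 404 from the server; any other HTTP error propagates so
    a misconfigured script fails loudly instead of silently using the default.
    """
    for pattern in LOOKUP_ORDER:
        try:
            return fetch(metadata_request(pattern.format(key=key)))
        except urllib.error.HTTPError as err:
            if err.code != 404:
                raise
    return default


def resolve_config(keys: dict, fetch=http_fetch) -> dict:
    """Resolve several attributes at once; `keys` maps attribute name -> default."""
    return {key: get_attribute(key, fetch, default) for key, default in keys.items()}


def make_fake_fetch(instance_attrs: dict, project_attrs: dict):
    """Constructed stand-in for the metadata server, for running this offline."""
    store = {f"instance/attributes/{k}": v for k, v in instance_attrs.items()}
    store.update({f"project/attributes/{k}": v for k, v in project_attrs.items()})

    def fetch(req: urllib.request.Request) -> str:
        headers = {k.lower(): v for k, v in req.header_items()}
        if headers.get("metadata-flavor") != "Google":
            raise urllib.error.HTTPError(req.full_url, 403, "Missing Metadata-Flavor:Google header", None, None)
        path = req.full_url[len(METADATA_BASE):]
        if path not in store:
            raise urllib.error.HTTPError(req.full_url, 404, "Not Found", None, None)
        return store[path]

    return fetch


if __name__ == "__main__":
    # Constructed values: the project sets env=dev for everyone, this VM overrides it.
    fake = make_fake_fetch({"env": "prod"}, {"env": "dev", "log-bucket": "gs://example-logs"})
    print(resolve_config({"env": "dev", "log-bucket": None, "retention-days": "7"}, fake))
```

In a real startup script the same call is `get_attribute("env")` with the default `http_fetch`; the fake server exists only so the precedence and 404 handling can be checked without a VM. Keep secrets out of custom metadata: anything on the VM that can send a request with that header can read every attribute.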