GCP Preparation Notes for Professionals

The document provides an overview of Google Cloud Platform (GCP) products and services organized into different subtopics: Compute, Cloud Storage, Databases, Networking, Security & Identity, and DevOps. It describes the purpose and use cases of compute options like Compute Engine, App Engine, Cloud Run, and Cloud Functions. It also summarizes cloud storage services, database offerings, networking features, security and identity management tools, and development and operations capabilities in GCP.

GCP PCA Preparation

SUB TOPIC

1. COMPUTE

=====Compute Engine========

-->> Create and run VMs on top of Google infrastructure

Types of deployment

- Standalone VMs

- Unmanaged instance group

==>> Unmanaged instance groups are collections of standalone VMs that exist in a single zone and
do not share a common instance template.

Use case (the application needs to run a mix of VM types and you need control over VM operations
like start/stop, remove and custom scripts)

- Use instances that are not identical and do not allow automatic creation, deletion and scaling
(used as an LB backend with constant traffic)

- Managed instance group (MIG)

This offers autoscaling capabilities, which let you automatically add or remove instances based on
increases or decreases in load

- Uses identical instance templates

- Allows automatic creation, deletion and scaling.

Stateless MIG

Stateful MIG: used for applications that need persistent disks to store data.

Securing VMs

- Shielded VMs

- VMs with security capabilities such as Secure Boot, virtual Trusted Platform Module (vTPM)-
enabled Measured Boot, and integrity monitoring.

- Helps defend VMs against rootkits and bootkits

- Confidential VM

A Confidential VM is a Compute Engine VM that uses the N2D or C2D machine type and keeps your
sensitive code and other data encrypted in memory during processing.

- Spot VMs (latest version of preemptible VMs)

Sensitivity Label: General


---> Spot VMs are available at much lower prices—60-91% discounts for machine types and GPUs as
well as smaller discounts for local SSDs—compared to the on-demand price for standard VMs

=========App Engine=========

--->> App Engine is a fully managed, serverless platform for developing and hosting web
applications at scale

- App Engine Standard environment is based on container instances running on Google's
infrastructure; supported languages: Java, Go, Python, Node.js, PHP, Ruby

- Supports scale to zero

- Does not use health checks

- App Engine Flexible supports the same languages as App Engine Standard, plus custom
runtimes (Docker images, Dockerfiles)

- Minimum of 1 instance

- Uses health checks

========Cloud Run=======

--->> Develop and deploy highly scalable containerized applications that are invocable via requests
or events on a fully managed serverless platform

- Cloud Run services are automatically deployed to multiple zones in the given region

- Each deployment creates a new revision of the service; requests are automatically routed as
soon as possible to the latest healthy service revision

=======Cloud Functions========

--->> Event-driven serverless compute platform

========GKE============

--->> GKE provides a managed environment for deploying, managing, and scaling your
containerized applications using Google infrastructure

- Node affinity ensures that pods are hosted on particular nodes

- Pod affinity ensures that two pods are co-located on a single node

- Use case: deploy and manage workloads (web apps, MySQL, etc.), run AI/ML workloads

- Migrate for GKE is a tool to containerize existing VM-based applications to run on GKE

- Backup for GKE is a service for backing up and restoring workloads in GKE clusters

2. Cloud Storage

3. Database



- Cloud SQL --->> Fully managed relational database service for MySQL, PostgreSQL, and SQL Server.

Use case (CRM, ERP, e-commerce and web)

- Cloud Spanner -->> A distributed SQL database management and storage service developed by
Google

Use case (user profiles and entitlements, fintech, online banking, building personalized
leaderboards in games, omnichannel)

- BigQuery -->> A serverless and cost-effective enterprise data warehouse that works across clouds
and scales with your data. Use built-in ML/AI and BI for insights at scale

Use case (data warehouse, real-time analytics, predictive analytics, log analytics, marketing
analytics)

Feature (BigQuery Studio, Duet AI, ML)

- Bigtable --->> Highly performant, fully managed NoSQL database service for large analytical and
operational workloads. Offers up to 99.999% availability.

Use case (personalization, adtech, recommendation engines, fraud detection, IoT)

Feature (high throughput and low latency at any scale, cluster resizing without
downtime, flexible, automated replication to optimize any workload, enterprise-grade
security and controls using CMEK)

- Don't require transactional consistency

- Need read/write latency of less than 10 milliseconds along with strong
consistency, or need a storage service that is compatible with the HBase API

- Memorystore --->> Memorystore for Redis Cluster is a fully managed service which can easily
scale to terabytes of keyspace and tens of millions of operations per second with a 99.9%
availability SLA

Use case (gaming session store and leaderboard, social media content caching)

- Firestore --->> Serverless document database

Feature (powerful query engine, ACID transactions, live synchronization and offline mode)

Use case (mobile/web/IoT applications, real-time sync, offline sync); migrate from on-
prem HBase or Cassandra to Bigtable

- Use it when the schema might change and you need an adaptable database, need to scale
to zero, or want low maintenance overhead while scaling up to terabytes

- Firebase Realtime Database use case (mobile sign-ins, personalized applications and ads, in-app
chat)

4. Network



- VPC Service Controls (VPC SC) is a Google Cloud feature that helps protect cloud resources. It
allows users to define a security perimeter for their resources, which limits the exporting
and importing of resources and their associated data.

Use case (isolate multi-tenant services, ensure sensitive data can only be accessed from
authorized networks, restrict resource access to allowed IP addresses, identities, and
trusted client devices, control which Google Cloud services are accessible from a VPC network)

- Media CDN and Cloud LB

Media CDN is a content delivery network (CDN) platform designed for delivering streaming
media with low latency across the globe. A CDN delivers content to users based on their
location from a geographically distributed network of servers

- External HTTP LB backends (hybrid NEG backend, MIG Compute Engine, zonal network endpoint)

- VPC Peering connects two Virtual Private Cloud (VPC) networks so that resources in each
network can communicate with each other.

Benefit: (lower latency, network security, lower cost because there is no outbound traffic bill)

5. Security & Identity

- Cloud DLP --->> Fully managed service designed to discover, classify, and protect your most
sensitive data.

Use case (protecting PII in Cloud Storage through discovery, classification, masking,
logging, policy enforcement, automated remediation)

- IAP --->> Service that provides secure access to applications and resources by verifying the
identity of users and devices

Use case (secure application access, remote access to GCP without a VPN, API
security)

- Google Cloud Armor is a network security service that protects Google Cloud deployments from
threats like DDoS attacks and application attacks

Feature -->> (adaptive DDoS protection trained with ML, support for hybrid and multi-cloud apps, bot
management, rate limiting)

Limits: only supports apps running behind an external LB; doesn't support internal LBs, Cloud Storage,
or Cloud CDN.

- Data encryption - Encryption in transit is encrypting data as it travels between systems, such as
over a network or the internet (HTTPS, TLS/SSL, VPN, etc.)

- Encryption at rest is a security measure that protects data while it is stored on disk,
in cloud storage or in databases like Cloud SQL and BigQuery

- CMEK: this method allows customers to create and manage their own encryption
keys in Google Cloud KMS

- GMEK: all data that is stored by Google at rest is encrypted by default
without any additional action using Google-managed keys



- CSEK: this method allows customers to use their own encryption keys to
encrypt data at rest in Google Cloud Storage and Google Compute Engine disks

- VPC Flow Logs -->> a sample of network flows sent from and received by VM instances; the logs can be
used for network monitoring, forensics, real-time security analysis, and expense
optimization.
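As an added example (not part of the original notes), the kind of forensic analysis the flow-log use case above points at: summing sampled egress bytes from each VM to destinations outside the VPC and flagging bulk transfers. It assumes a subset of the jsonPayload field names VPC Flow Logs write to Cloud Logging (connection, bytes_sent, reporter, src_instance/dest_instance); the records and the RFC 1918 subnet layout are constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed records (not real data) using a subset of the jsonPayload fields
# VPC Flow Logs write to Cloud Logging: connection, bytes_sent (a string in the
# log), reporter (which side of the flow logged it) and src_/dest_instance.
SAMPLE_FLOW_LOGS = [
    {"connection": {"src_ip": "10.10.0.5", "src_port": 51000, "dest_ip": "10.10.0.9", "dest_port": 3306, "protocol": 6},
     "bytes_sent": "20480", "reporter": "SRC", "src_instance": {"vm_name": "web-1"}},
    {"connection": {"src_ip": "10.10.0.5", "src_port": 51001, "dest_ip": "203.0.113.7", "dest_port": 443, "protocol": 6},
     "bytes_sent": "734003200", "reporter": "SRC", "src_instance": {"vm_name": "web-1"}},
    {"connection": {"src_ip": "10.10.0.7", "src_port": 51002, "dest_ip": "198.51.100.3", "dest_port": 443, "protocol": 6},
     "bytes_sent": "4096", "reporter": "SRC", "src_instance": {"vm_name": "batch-2"}},
    # Return traffic of the web-1 flow, logged by web-1 as the receiving side: not egress.
    {"connection": {"src_ip": "203.0.113.7", "src_port": 443, "dest_ip": "10.10.0.5", "dest_port": 51001, "protocol": 6},
     "bytes_sent": "1500", "reporter": "DEST", "dest_instance": {"vm_name": "web-1"}},
]

# RFC 1918 ranges used by the VPC subnets in this constructed setup.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    """True if ip falls inside the VPC's RFC 1918 ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def egress_to_external(records):
    """Sum bytes each VM sent to addresses outside the VPC, keyed by
    (vm_name, dest_ip, dest_port). Only SRC-reported records count, so a
    flow that both endpoints log is not counted twice."""
    totals = defaultdict(int)
    for rec in records:
        if rec.get("reporter") != "SRC":
            continue
        conn = rec["connection"]
        if is_internal(conn["dest_ip"]):
            continue
        key = (rec["src_instance"]["vm_name"], conn["dest_ip"], conn["dest_port"])
        totals[key] += int(rec["bytes_sent"])
    return dict(totals)

def flag_bulk_egress(records, threshold_bytes):
    """Keys whose sampled egress reaches threshold_bytes. Flow logs are sampled,
    so these totals are a lower bound on the real volume, not an exact count."""
    return sorted(k for k, b in egress_to_external(records).items() if b >= threshold_bytes)
```

Because only a sample of flows is logged, use the totals for triage and ordering, not for exact byte accounting.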

6. DevOps

- Cloud Source Repositories -->>> A fully featured, scalable, private Git repository service valuable
for collaborative development and version control.

- Cloud Build -->> fully managed CI/CD platform to build, test, and deploy across hybrid and multi-
cloud environments, including VMs, Cloud Run, Kubernetes, and Firebase.

Cloud Build can import source code from Cloud Storage, Cloud Source Repositories,
GitHub, or Bitbucket and build it into artifacts like Docker images or Java archives

- Artifact Registry --->> Provides a single place for your team to manage Docker images and
language packages (such as Maven and npm)

- Binary Authorization is a deploy-time security control that ensures only trusted container images
are deployed on Google Kubernetes Engine (GKE) or Cloud Run

With Binary Authorization, you can require images to be signed by trusted authorities
during the development process and then enforce signature validation when
deploying

- Cloud Deploy is a managed service that automates delivery of your applications to a series of
target environments in a defined promotion sequence.

7. Data Analytics / Big Data

- IoT Core is a fully managed service for managing IoT devices

- How it works: device telemetry data is forwarded to a Cloud Pub/Sub topic, which can then be
used to trigger Cloud Functions as well as other third-party apps to consume the data.

You can also perform streaming analysis with Dataflow or custom analysis with your own
subscribers

8. Logging and Monitoring

- Google Cloud's operations suite (formerly Stackdriver)

Feature:

- Cloud Logging is a fully managed service that performs at scale and can ingest application and
platform log data, as well as custom log data from GKE, VMs, and other services
inside and outside of Google Cloud. Supports business insights with Log Analytics integrated with
BigQuery.

- Cloud Monitoring provides visibility into the performance, uptime, and overall health of cloud-
powered applications.



- Application Performance Management (APM) combines the monitoring and troubleshooting
capabilities of Cloud Logging and Cloud Monitoring with Cloud Trace and Cloud Profiler
to help reduce latency and cost

- Cloud Audit Logs provide information about administrative activities and accesses within
your Google Cloud resources.

- Access Transparency provides you with logs of actions taken by Google staff when accessing
your Google Cloud content.

9. On-premises to GCP migration

- Set up Cloud IAM

- Set up connectivity using VPN or Dedicated Interconnect

- Set up firewall rules

- For VM migrations, install Migrate for Compute Engine. Steps for VM migrations (onboard,
replicate, set target VM details, cut over, finalize)

- Steps for VM disk migrations (onboard, replicate, set target VM details, clone disk to target, cut
over disk to target, finalize)

- Enable the VM Migration API

- Google Cloud Directory Sync (GCDS) -->> Used to synchronize user accounts from your on-
premises Active Directory to Google Cloud Identity. This tool allows you to manage your Google
Cloud users in tandem with your on-premises AD users.

- Identity Federation: implement identity federation using solutions like Google Cloud Identity
Platform or protocols like SAML (Security Assertion Markup Language) or OAuth.

- Allows users to use their on-premises AD credentials to authenticate and
access Google Cloud resources.

SLA terms

1. P95 in 200 ms: This implies that 95% of response times are expected to be 200 ms or less. In other
words, only 5% of responses are allowed to exceed 200 ms.

2. P90 in 100 ms: This means that 90% of response times are expected to be 100 ms or less. In this
case, a higher percentage of responses (90%) is considered, but the target latency is lower at 100 ms.



P95 in 200 ms: This option allows for a higher tolerance for slower responses (up to 200 ms) but
ensures that the majority of responses are still relatively fast. It might be suitable for applications
where occasional delays are acceptable as long as they are not too frequent.

P90 in 100 ms: This option aims for a lower latency target (100 ms) but allows for a higher
percentage (10%) of responses to be slower. This could be preferable for applications where low
latency is critical, and occasional delays are less tolerable.
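As an added example (not part of the original notes), a nearest-rank percentile calculation that checks a constructed set of request latencies against both targets above. The sample is built so that it meets "P95 in 200 ms" but misses "P90 in 100 ms", which makes the trade-off between the two targets concrete.

```python
def percentile(samples_ms, p):
    """Nearest-rank percentile: the smallest sample such that at least p% of
    all samples are <= it. p is an integer percent (e.g. 95)."""
    if not samples_ms:
        raise ValueError("no samples")
    ordered = sorted(samples_ms)
    n = len(ordered)
    rank = (p * n + 99) // 100          # ceil(p/100 * n) in integer arithmetic
    return ordered[max(rank, 1) - 1]

def fraction_over(samples_ms, limit_ms):
    """Share of requests slower than limit_ms; the notes phrase the target as
    'only 5% of responses are allowed to exceed 200 ms'."""
    if not samples_ms:
        raise ValueError("no samples")
    return sum(1 for s in samples_ms if s > limit_ms) / len(samples_ms)

# Targets as written in the notes: (percentile, latency bound in ms).
SLO_TARGETS = {"P95 in 200 ms": (95, 200), "P90 in 100 ms": (90, 100)}

def evaluate_slos(samples_ms, targets=SLO_TARGETS):
    """Return {target name: (observed percentile in ms, met?)}."""
    result = {}
    for name, (p, limit_ms) in targets.items():
        observed = percentile(samples_ms, p)
        result[name] = (observed, observed <= limit_ms)
    return result

# Constructed sample: 100 request latencies in ms. 88 fast requests, a tail of
# moderate ones and two slow outliers.
SAMPLE_LATENCIES_MS = [80] * 88 + [150] * 7 + [190] * 3 + [400, 450]

if __name__ == "__main__":
    for name, (observed, met) in evaluate_slos(SAMPLE_LATENCIES_MS).items():
        print(f"{name}: observed {observed} ms -> {'met' if met else 'MISSED'}")
    print(f"over 200 ms: {fraction_over(SAMPLE_LATENCIES_MS, 200):.0%} (5% allowed)")
    print(f"over 100 ms: {fraction_over(SAMPLE_LATENCIES_MS, 100):.0%} (10% allowed)")
```

Two percent of the sample exceeds 200 ms (within the 5% the P95 target allows) while 12% exceeds 100 ms (over the 10% the P90 target allows), so the same distribution passes one target and fails the other.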

===========Notes FROM TEST============

Set up new environment

gsutil mb -l asia gs://${project_id}-logs

Set up new instance

gsutil cp -r gs://${project_id}-setup ./install
