Section 1 — Designing and planning a cloud

solution architecture
1.1 Designing a solution infrastructure that meets business requirements
  Objectives of 1.1 and the areas of coverage are.

 Business use cases and product strategy

  Identifying a business use case to confirm but also meet the business requirements such as costs savings, time
to market, stakeholder requests is very important. Product strategy should meet what the customer will require
down the road from a production standpoint.

 Cost optimization           
Cost Optimization can be achieved around our deployments in Google Cloud by using the right resources and
tools available.  We can also be proactive with GCP by setting up Dashboards or alerts as well.

Cost Optimization in Google Cloud is built in around Compute Engine with a feature called Recommendation
Engine.

Figure 1 shows Recommendation Engine in Compute Engine

Figure 1 Compute Engine Recommendation Engine

Recommendation Engine    
For more information about Cost Optimization please reference the link below.

https://cloud.google.com/cost-management
Resource Forecasting – Forecasting is the process of making predictions of the future based on past and
present data and most commonly by analysis of trends.

Cloud Resource usage forecasting can be complex.  Resources that need to be monitored and usage forecasted
are VMS, Storage, Network Bandwidth, Objects for monitoring, Apps etc. In Google Cloud we can use
Stackdriver Monitoring to identify resource usage.
Baselines/Baseline Drifts – A baseline is the minimum level or starting point used for comparisons. Baseline
Drift (Noise) can occur when the original cloud purpose changes over time. Features added, removed, etc.  

We use a baseline to compare Cloud resources usage, performance, security, billing costs, etc

  One of the challenges around the cloud is not around technical concerns but more around financial concerns.
We must have full visibility around costs and be able to identify who is using what resources.  Cloud spending
is an ever-increasing challenge especially when resources are ever more complex and data storage requirement
grow exponentially every year.

  There are excellent resources in Google Cloud such as Cloud Billing, Resource Manager, Stackdriver
Monitoring and other tools/services.

   Google has an excellent post on this.  Please find the link below.

https://cloud.google.com/blog/topics/cost-management/principles-of-cloud-cost-optimization
Use preemptible VMs

   Preemptable VMS are a great way to run a very short-term batch job for example.  A preemptible VM is an
instance that you can create and use at a discounted price.  They last no longer than 24 hours and can be
terminated (preempted) if Google requires access to those resources for other tasks. Google Compute Engine
will initiate a preemption notice to the instance in the form of an ACPI G2 Soft Off signal.

  If a graceful shutdown is important then you should use a shutdown script to handle the preemption notice
and complete cleanup actions before the instance stops.

Figure 2 shows the Preemptibility options in Compute Engine

Figure 2 Preemptibility on VMS

Considering using committed-use discounts
A committed use discount is similar for example in AWS to what is called a reserved instance.  In GCP when
working on a long-term project or even a use case for infrastructure deployment workloads you can purchase
commitments to get a heavy discount. You would select either 1 or 3 years for usage of vCPUs and memory  

Figure 3 shows the comparison options from AWS to Compute Engine

Figure 3 Comparing AWS and GCP Compute Billing

Consider network pricing

   The cloud is all about networking when it comes to accessing resources. We need to use networking and
these services will run charges.  When developing applications for example understand that every API call the
application makes could result in a cost to the company cloud spending.
 Most access of resources is done thru APIs which access the cloud resources for the application users.  

  There are two types of network access that can incur usage charges which are:

 Ingress
 Egress
Ingress means that your placing, modifying or viewing resources. APIS use certain calls to accomplish, some
of which are GET, PUT,

For example, sending traffic between virtual machines through the external IP addresses will incur costs.

    Network logs generate charges. Charges are incurred for the following products:

 VPC Flow Logs

 Firewall Rules Logging
 Cloud NAT logging
To understand more details for network charges with Google Cloud please refer to the following link.

https://cloud.google.com/compute/network-pricing
There is an online pricing calculator that can provide an estimate of costs for your network transfers. This
calculator has several options to review for network relate pricing. 

 Networking Egress
 Interconnect and Cloud VPN
 Cloud Load Balancing
 Cloud Endpoints
Figure 4 shows the Pricing Calculator with an estimate for egress

Figure 4 Pricing Calculator

NOTE: Several components of Google Cloud Platform, including Cloud

Deployment Manager, Cloud SDK, Cloud Resource Manager API, and the
Cloud Calculator are all provided free of charge.
  Supporting the application design- Supporting the design can be approached in numerous
methods. 
 For this exam we want to focus on how to scale, migrate or balance the design for the
application traffic.
 For example, numerous challenges on the exam will be around whether we need to specify load balancing as
well as the load balancing type.  We also should be prepared to understand different application deployment
models such as A/B testing or Canary deployments.

When deploying applications, we want to ensure that we deploy our cloud native applications in a model that
makes sense for the use case.  The four most common models are Blue/Green, Traffic Splitting, Canary and
Rolling Updates.

Figure 5 shows the traffic splitting deployment approach.

Figure 5 A/B Testing/ Traffic Splitting

    A/B Deployments – Traffic Splitting

  Traffic Splitting – Traffic Splitting or A/B Testing provides your development team an easy way to compare
results of two components. 

We could compare Results Side by Side and can configure in console or gcloud

For example, in gcloud to send all traffic to v2

gcloud app services set-traffic s1 –splits v2=1

For example, in gcloud to split Traffic Evenly

gcloud app services set-traffic s1 –splits v2=.5,v1=.5

Canary Testing
Canary Testing could be used to deploy an application update or change some configuration variables to
validate how these update or changes would work out. Canary releases are a strategy to mitigate risk in
production and should be deployed in an incremental manner.

Rolling Updates
Rolling Updates are a recommended strategy to deploy with a managed instance group.  Managed Instance
groups are deployed with VMs that are dedicated to a specific application that should be updated, load
balanced or scaled together.

Figure 6 shows the Rolling Update deployment approach with one server being updated at a time.

Figure 6 Rolling Updates

 Movement of data – with data flowing in and out of our cloud applications as well as our on-
premise applications we must consider the following if we are using App Engine or GKE for
example.
Traffic Migration or Traffic Splitting?
Traffic Migration switches the request routing between the versions within a service of your application.
Essentially moving traffic from one or more versions to a single new version.

Traffic Splitting is between two or more versions of your application for A/B testing. Traffic splitting is
applied to URLs that do not explicitly target a version.

How does Traffic Splitting work with App Engine?

Standard environment – you can choose to route requests to the target version, either immediately or gradually.

Flexible environment – Gradual traffic migration traffic between versions running in the flexible environment
is not supported.

Warmup requests improve user response time by allowing the version currently receiving traffic to handle
those requests

 Design decision trade-offs – When designing a cloud service whether its on GCP or not we will
likely run into what is referred to as a “trade-off”.
 In cloud design there are some common trade offs that we will run into routinely such as performance or cost. 
We also have tradeoffs that could result around user experience around implementing layers of security
controls. 

The diagram 7 below references how to compare to a NIST model.  NIST defines some very specific tradeoffs.

Figure 7 NIST Cloud Service Model

When designing a cloud service, we need to understand the characteristics that the cloud service will need to
retain.  If we are considering performance, then we will need be concerned about areas such as latency or
throughput. 

The table 4.1  below reference provides a list of characteristics to the considerations of a cloud deployment.

Table 4.1 Consideration for cloud deployments

Characteristics Considerations

Performance TPS, Latency, Stack, Protocols, database support, etc

Governance Compliance Requirements such as GDPR, SOX, HIPPA, PCI, AML

Cloud Structures Structure of services, costing for example in GCP we would review VPCs, Orgs/Projects, IAM, etc

IAM, ACLs, Org Policy, Key Management, NAT, Groups, Service Accounts, etc  Cloud Armor, KS
Cloud Security Scanner

On Premise to Cloud Services, Migration Type, Containers, VMS, Application Frameworks, etc API
Integration Endpoints

Enterprise Networking VPC, Hybrid Connectivity Cloud VPN, Cloud DNS, NAT, Cloud Interconnect, Peering

Costing Models Instances, Storage, Data Services, ML/AI, etc. On Demand vs Reserved Licensing BYOL
When considering a cloud service such as virtual machines, these virtual machines could have different levels
of customer/provider responsibilities. Some services in GCP such as App Engine is managed by Google more
than Compute Engine is for example.

 Second, the service could be a container-based compute such as GKE or a serverless platform such as Cloud
Functions.
  Build, buy, or modify
 When considering building, buying or modifying a cloud solution we must consider, most if not all of the
following areas that we should be measuring.

1. Cost of the service to use monthly or annually

2. Expenditure Model needs to be determined around whether we could use a CAPEX procurement,
or we will use an OPEX model for paying for cloud services.
3. Performance needs to be addressed to understand what customer needs and what could be included
in a budget.
4. Integration into the current on premises environment and other services such as Gsuite or other
Cloud solutions
5. ROI/TCO is critical to establish around understanding what is within budget, what type of cloud
deployment model, etc.
6. Time to Market is an area that needs to be considered since the time to procure via a CAPEX
model may be a TTM scenario that the company may not want to consider.
7. Staffing the cloud services is critical and these costs for personnel and training must be considered.
Estimating the cost of certain services is part of the exam.  You should go to the pricing calculator and
understand how to estimate BigQuery, Cloud Storage and other services.

There is an online pricing calculator that can provide an estimate of costs for your cloud resources. It is
intuitive to use and has been covered in previous sections.

https://cloud.google.com/products/calculator
Figure 8 shows the pricing SKUs that are available in your account.

Figure 8 Billing Pricing SKUs

Cloud Pricing Page has pricing information on each service

https://cloud.google.com/pricing
Success measurements – Success of a cloud architecture depends on significant business requirements and
technical requirements.
Success Measures of your cloud project could be ROI, TCO , KPIs (Key Performance Indicator is a
measurable value that will demonstrate how effectively a company is achieving key business objectives.),
Availability, Workloads, Resource Allocation and Response Times.
  Compliance and observability
Google Cloud Platform is certified for a growing number of compliance standards and controls, and then
undergoes several independent third-party audits to test for data safety, privacy, and security.  Some of the
areas around compliance would be:

Certifications/Attestations/Reports
Laws/Regulations
Alignments/Frameworks
You may want to take a look at the GCP compliance page.

https://cloud.google.com/security/compliance/
Cloud Storage is an economical option and would meet compliance requirements if setup properly. 
Observability would be accomplished with Google Stackdriver Logging and Monitoring.

You can have as many Workspaces as you wish, but GCP projects and AWS accounts cannot be monitored by
more than one Workspace.

Test Tip – Every workspace has a host project.

A Workspace can access metric data from its monitored projects, but the metric data and log entries remain in
the individual projects.

1.2 Designing a solution infrastructure that meets technical requirements

  Objectives of 1.2 and the areas of coverage are.

 High availability and failover design

With HA and failover design we need to consider the application but also the regions and zones as well as the
services specified.  For example, some services are regional services and therefore failover for a service such
as App Engine needs to be considered differently that for Compute Engine.  Load Balancing and Autoscaling
are also important aspects to consider. Load Balancing in Google Cloud is a fully managed service.

In Google Types of Load Balancing

 Network Load Balancing (TCP) (UDP)

 HTTPS Load Balancing
 Cross-Region Load Balancing
 Content-based Load Balancing
 Cloud SSL Proxy

Figure 10 shows the default load balancing page where there are three options.

Figure 10 Load Balancing Options

Network Load Balancing

Network load balancing distributes incoming traffic across multiple instances

    – Supports non-HTTP(S) protocols (TCP/UDP)

    – Can be used for HTTPS traffic when you want to terminate connection on your  instances (not at HTTPS
load balancer)

Supports autoscaling with managed instance groups

HTTP(S) Load Balancing

HTTP(S) Load Balancing distributes HTTP(S) traffic among instance groups based on proximity to user or
URL or both

Autoscalers can be attached to HTTP(S)load balancers

Test Tip – Web and Mobile Apps and can use global forwarding.
Global Forwarding – A global forwarding rule provides a single global IP address for an application. The rule
routes traffic by IP address, port, and protocol to an HTTP or HTTPS target proxy.  A global forwarding rule
can only forward to a single port. Global forwarding rules can only be used by an HTTP(S) load balancer

Target proxies’ route incoming HTTP(requests) based on URL maps and backend service configurations.
(Provides termination)

 Elasticity of cloud resources – Elasticity provides the necessary resources required for the current
task and handles varying loads for short periods.
 Scalability to meet growth requirements –  Scalability handles the increase and decrease of
resources according to the applications workload requirements.
In figure 2 we can application requirements and how it would correlate to GCP services and capabilities.

Table 2 Load Balancing Options

App Engine Scaling is handled differently since it’s a managed service.

App.yaml specifies a scaling type and instance class that apply to every instance of that version. The scaling
type controls how instances are created.  The instance class determines compute resources (memory size and
CPU speed) and pricing.

  Test Tip –   In App Engine there are three scaling types: manual, basic,
and automatic. The available instance classes depend on the scaling type.

Figure 11 App Engine Instances

 Performance and latency

When testing your cloud application, we generally always need to view the latency of the application. This can
significantly affect the user experience (performance) of the application.

 Latency can be induced in most cases from the internet connection we use. If latency is a major concern, we
should consider using a dedicated connection for low latency.

Cloud Interconnect is used to extend your data center network into your Google Cloud projects via a well
provisioned, dedicated and low latency connection. Cloud Interconnect provides direct access to RFC1918 IPs
in your VPC (SLA)

For full exam objectives coverage, practices

questions and explanations please check out the
Google Cloud Associate Cloud Engineer -All in
One Guide.
The following objects are fully covered in my paid and free ebooks. Practice Questions and answers available.

1.3 Designing network, storage, and compute resources.

Objectives of 1.3 and the areas of coverage are.

 Integration with on-premises/multi-cloud environments – Using the public cloud you can extend
the capacity and capabilities of your IT without up-front capex investments. Adding one or more
cloud deployments to your existing infrastructure is a hybrid deployment. Hybrid strategy
modernizes applications and processes incrementally as resources permit.
1.4 Creating a migration plan
Objectives of 1.4 and the areas of coverage are.

1. Integrating solution with existing systems – Systems integration and application integration are the
main focus when moving to the cloud.  When integrating our on-premises solutions with GCP
Services there could be any number of concerns, dependencies, goals, etc to appreciate.
2. We need to make sure that data flows seamlessly between all of the components in our cloud and
on premises solutions.  
3. We may need to check for example how Cloud SQL supports our current version of MySQL or we
may need to understand how BigQuery can be used to query, import, and export data.
1.5 Envisioning future solution improvements
Objectives of 1.5 and the areas of coverage are.

 Cloud and technology improvements

Cloud in demand is clearly growing year over year. Technologies such as ML/AI for example, are becoming
much more integrated with cloud platforms.  Providers such as GCP are increasing their portfolios to meet
these new demand for extensive services.

Cloud has many benefits such as scalability works well for companies with high growth demands.  Cloud
provides significant other benefits that are just now being realized such as the element of Hybrid IT which can
provides amazing benefits such as extending Kubernetes to the cloud or extending the cloud to the data center. 
As a cloud architect we must be cognizant of the changing landscape and provide some insight to our customer
base where cloud capabilities and capacity may be going.  

Objectives Section 2 – Managing and provisioning a solution

infrastructure
This is one of the numerous Free posts by
TechCommanders in a series for studying for the Google
Cloud Platform Professional Cloud Architect Exam
This section is focused designing solutions that meet the business and technical requirements of stakeholders.
It is important to go into the exam appreciating that Google defines best practices somewhat clearly and that
the exam will reference existing industry best practices for design and migrations

Here is the complete list of Free Tutorials provided by

TechCommanders.
Exam Objectives — Designing and planning a cloud solution architecture (Part 1 of 6)
Exam Objectives — Managing and provisioning a solution infrastructure (Part 2 of
6) (This Post)
Exam Objectives — Designing for security and compliance (Part 3 of 6)
Exam Objectives — Analyzing and optimizing technical and business processes (Part 4 of 6)
Exam Objectives — Managing implementation (Part 5 of 6)
Exam Objectives — Ensuring solution and operations reliability (Part 6 of 6)
 Below I have summarized the objectives as efficiently as I could to provide
you an efficient study resource.
2.1 Configuring network topologies
  Objectives of 2.1 and the areas of coverage are.
 Cloud VPN-  Cloud VPN is an easy to setup site to site vpn that requires no expensive carrier
circuits or committed contracts. Cloud VPN allows you to build an encrypted connection over the
Internet from a VPN device on-prem and GCP. Cloud VPN’s transport is over the Internet and
latency may be persistent.
 Cloud Interconnect –  GCP has an interconnect called Cloud Interconnect which you could extend
your data center network into your Google Cloud projects. Provides direct access to RFC1918 IPs
in your VPC (SLA) and is meant for dedicated bandwidth. There are also Partner Interconnect
solutions that provide additional bandwidth and edge options.
  Test Tip – The main use case for Cloud Interconnect is for companies
who have to transfer a very large, constant flow of data between on-prem
and GCP and may also require a very high quality of connection for that
data flow between on-premise and GCP
 Peering and Edge locations(POPs) – Edge locations are where the internet at large can connect to
Google’s global private network. These locations are places where Google and another network
provider connect together their respective networking hardware to meet customer requirements. 
Google at the time of writing the book has over 142 locations. The link for current locations is
below.
https://cloud.google.com/vpc/docs/edge-locations
  Security and data protection  
Google Cloud Platform uses the same Google based infrastructure for security and protecting your data.
Google maintains a full suite of services for ensuring your cloud security.  For example, communications over
the Internet to Google are encrypted in transit and the network and infrastructure have multiple layers of
protection to deter Denial-of-service attacks. Data stored on GCP infrastructure is automatically encrypted at
rest and distributed for availability and reliability.

Read more about Googles security capabilities and infrastructure.

https://cloud.google.com/security/infrastructure
2.2 Configuring individual storage systems
  Objectives of 2.2 and the areas of coverage are.
  Data storage allocation
 Data processing/compute provisioning
 Security and access management – This sub objective is fairly wide and will cover the
following the areas.
1. Principle of Least Privilege

2. Oath2.0

3. Identity Aware Proxy (IAP)

One area we should be well versed in the understanding of security controls and capacity we have available in
the cloud.  Managing access is critical and we likely are aware of some best practices such as implementing the
“Principal of Least Privilege” . 

The principal of least privilege is an IT security concept in which users are given the minimum levels of
access/permissions that are needed to perform their job functions.

Implementing the Principle of Least Privilege requires you to audit the cloud environment to determine
privileged accounts.  After auditing you should then proceed to remove or modify accounts that are not at the
correct privilege level.  We should also consider setting up continuous monitoring and performing credential
reviews consistently.

Oath – Oath is a standard which was built to provide secure delegated access. Effectively an application can
take actions or access resources from a server on behalf of the user, without them having to share their
credentials. Oath performs this by allowing the identity provider (IdP) to issue what are tokens to third-party
applications with the user’s approval.  For the exam, we would be aware of Oath2.0 from a high level and how
to set this up. Google APIs use the OAuth 2.0 protocol for authentication and authorization.
It is important to note that GCP supports common OAuth 2.0 for deployments for web servers, client-side
apps, installed, and limited-input device applications.

The figure 1 below shows the high steps to setup Oath2.0

Figure 1 Oath workflow

In Google Cloud we can enable Oath thru API and Services > Credentials in the console. In Credentials we can
select

The figure 2 below shows the location to setup Oath2.0

Figure 2 Credentials
To learn more about Oath2.0, Google has an excellent step by step process in the following webpage resources
below

Tokens can become stale or expire so we will need to refresh the tokens.  There are four main reasons they
could expire.

1. The user has revoked the application access.

2. The refresh token has not been used for six months.
3. The user changed passwords and the refresh token contains Gmail scopes.
4. The user account has exceeded a maximum number of granted (live) refresh tokens.
Using OAuth 2.0 to Access Google APIs

https://developers.google.com/identity/protocols/OAuth2

Identity Aware Proxy (IAP)

Identity Aware Proxy (IAP) is a very useful Google Cloud service that lets manage who has access to services
on services such as App Engine (SSH/TCP), Compute Engine (SSH/TCP), Kubernetes Engine (SSH/TCP) and
the HTTPS Load Balancer (HTTP). For example, IAP intercepts web requests sent to your application and
then authenticates the user making the request using the Google Identity Service, and only lets the requests
through if they come from a user you authorize.

 IAP uses an application-level access control model instead of using the traditional network-level firewall.  

IAP can be used to implement a zero-trust access model which effectively means that trust should never be
assumed based on where a user is in your cloud network.

The figure 3 below shows an example application with IAP in use.

Figure 3 IAP

IAP in Cloud Console

 Data retention and data life cycle management

Data retention is a very important aspect for companies especially around compliance. However, not all data
needs to be kept on higher cost storage or even maintained at al. Deleting data is a very important aspect of
cloud spending.
Data lifecycle management is a high-level workflow that describes how data can flow through an organization.
The data lifecycle is critical to understand and implement in your organizations.

  The figure 4 below shows the data lifecycle workflow starting from Create to Destroy

Figure 4 Data Lifecycle Workflow

Data that needs to be retained for compliance reasons should be labeled. This compliance data such as audit
logs for example should be strictly controlled and also classified in a manner so that the organization can easily
identify and retrieve as needed.  Data could be archived or tiered as well in our Cloud Storage deployments.

Google Cloud has their own lifecycle that I would take a quick review of before the exam.
DevOps on Google Cloud Platform Course

The Google Cloud Data Lifecycle has four steps.

https://cloud.google.com/solutions/data-lifecycle-cloud-platform
 In Google Cloud we could use Cloud Storage for example and enable a lifecycle. We could also set strict
permissions, so data is not deleted. Google Cloud Storage has four specific classes that you should be aware
since this will affect durability and costing significantly.

Google Cloud Storage supports object control features such as

To retain object data in Google Cloud we could enable Object Lifecycle Management. Object Lifecycle
management policies specify actions to be performed on objects that meet certain rules sets.

The changes to Cloud Storage configurations can take 24 hours to apply and object inspection occurs in
asynchronous batches.

We could also use  Object Change notifications to notify us of any deletes, changes or attempts to modify. 
Object Change Notifications uses webhooks for this feature. Object change notification watches a bucket and
send notifications to external applications when objects change.

 Data growth management

Data growth is a significant concern from a cloud spending perspective, and we must maintain all required data
in a safe and secure manner.  Data that is not part of a compliance requirement or useful for any business
reason should be identified by the stakeholders for deletion.  As mentioned in the previous objective are, we
could use features in Cloud Storage such as Object Lifecycle Management to control costs.

2.3 Configuring compute systems

  https://thegcpgurus.com/google-cloud-architect-salaries-and-demand/
Objectives of 2.3 and the areas of coverage are
  Compute system provisioning Planning for capacity combines both change management and
capacity planning. Provisioning must be conducted efficiently since  capacity is considered
expensive. 
      Ensure your organization has proper tools to maintain capacity and also ensure your team is able to
comprehend demand vs capacity. 

Test Tip – Forecasting should be performed short term in an active manner

but also more strategically in a planned manner with forecasting.
SRE Teams should be working with development to produce long term plans as well. Collaboration is a key
factor around ensuring capacity is always available

 Compute volatility configuration

A preemptible VM is an instance that you can create and use at a discounted price.  They last no longer than 24
hours and can be terminated (preempted) if Google requires access to those resources for other tasks. Google
Compute Engine will initiate a preemption notice to the instance in the form of an ACPI G2 Soft Off signal.

  If a graceful shutdown is important then you should use a shutdown script to handle the preemption notice
and complete cleanup actions before the instance stops.

 Network configuration for compute nodes – The cloud is all about networking when it comes to
accessing resources. We need to use networking and these services will run charges.  When
developing applications for example understand that every API call the application makes could
result in a cost to the company cloud spending.
 Most access of resources is done thru APIs which access the cloud resources for the application users.  

  There are two types of network access that can incur usage charges which are:

 Ingress
 Egress
Ingress means that your placing, modifying or viewing resources. APIS use certain calls to accomplish, some
of which are GET, PUT,

For example, sending traffic between virtual machines through the external IP addresses will incur costs.

    Network logs generate charges. Charges are incurred for the following products:

 VPC Flow Logs

 Firewall Rules Logging
 Cloud NAT logging
To understand more details for network charges with Google Cloud please refer to the following link.

https://cloud.google.com/compute/network-pricing
There is an online pricing calculator that can provide an estimate of costs for your network transfers. This
calculator has several options to review for network relate pricing. 

 Networking Egress
 Interconnect and Cloud VPN
 Cloud Load Balancing
 Cloud Endpoints
  Infrastructure provisioning technology configuration – The exam will test you on the basics of
some of the common open source tools. Not at a deep level but more of at a functional level.
Below are the ones for these objectives.
 Jenkins is an open source automation server written in Java. It is used to continuously build and
test software projects, enabling developers to set up a CI/CD environment. It also supports version
control tools like Subversion, Git, Mercurial, and Maven.
 Spinnaker is an open source; multi-cloud continuous delivery tool that helps you be intentional
about how you ship software by granting visibility & control into your software delivery process.
 Gitlab is a service that provides remote access to Git repository. Git also provides features
designed to help manage the software development lifecycle.
 Concourse is an open source automation system written in Go. It is most commonly used for
CI/CD, and is built to scale to any kind of automation pipeline, from simple to complex
 Container orchestration with Kubernetes – Kubernetes Engine is a cluster manager and
orchestrator for running Docker containers. Kubernetes Engine schedules containers into a cluster
and automatically manages them based on requirements you define declaratively using
configuration files.
GKE is built on the open source Kubernetes system, and integrates with other Google Cloud Platform services
using dedicated client libraries for a variety of supported languages.

Test Tip –  Binary authorization is the process of creating attestations on

container images for the purpose of verifying that certain criteria are met
before you can deploy the images to GKE.
Kubernetes Engine clusters run on Compute Engine instances or virtual machines known as nodes. You can
create the container cluster using the Cloud SDK and then use the kubectl command line tool to deploy and
scale containers running your application on Kubernetes.

Objectives Section 3 – Designing for security

and compliance
This is one of the numerous Free posts by
TechCommanders in a series for studying for the Google
Cloud Platform Professional Cloud Architect Exam
This section is focused designing solutions that meet the business and technical requirements of stakeholders.

It is important to go into the exam appreciating that Google defines best practices somewhat clearly and that
the exam will reference existing industry best practices for design and migrations
Here is the complete list of Free Tutorials provided by
TechCommanders.
Exam Objectives — Designing and planning a cloud solution architecture (Part 1 of 6)
Exam Objectives — Managing and provisioning a solution infrastructure (Part 2 of 6)
Exam Objectives — Designing for security and compliance (Part 3 of 6) (This Post)
Exam Objectives — Analyzing and optimizing technical and business processes (Part 4 of 6)
Exam Objectives — Managing implementation (Part 5 of 6)
Exam Objectives — Ensuring solution and operations reliability (Part 6 of 6)
 Below I have summarized the objectives as efficiently as I could to provide
you an efficient study resource.
3.1 Design for Security
  Objectives of 3.1 and the areas of coverage are.
There are three types of roles in Cloud IAM:

Primitive roles: The original roles available in the Google Cloud Platform Console. These are the Owner,
Editor, and Viewer roles. Still assigned by default to projects. Primitive roles are quite broad.

Curated roles: Curated roles are new IAM roles that give finer-grained access control than the primitive roles

Custom Roles – provide granular access according to a user-specified list of permissions

To learn more about Roles in GCP

https://cloud.google.com/iam/docs/understanding-roles
Service Accounts
A service account is an identity for your programs to use to authenticate and gain access to GCP APIs. (Server
to Server)

Service accounts authenticate applications running on your virtual machine instances to other GCP services.
Each service account is associated with a key pair, which is managed by GCP. It is used for service-to-service
authentication within GCP. Note that Google rotates the keys daily.

Service Accounts need to know for Exam

By default, all projects come with the Compute Engine default service account. When you start a new instance
using gcloud, the default service account is enabled on that instance. Apart from the default service account, all
projects come with a Google APIs service account, identifiable using the email: {project-
number}@cloudservices.gserviceaccount.com

A large number of projects can become unwieldy to manage at scale. This is why IAM includes the concept of
an Organization Node. The Organization Node sits above Projects and is your company’s root node for Google
Cloud resources.

With Gsuite, you can enable the Organization Node, any project created by users in your domain will
automatically belong to your Organization Node
The account with Organization Owner role is empowered to modify all projects within the organization. Note
that changes to the organization must occur through Google Sales.

You can also use your own authentication mechanism and manage your own credentials.

Some of the benefits of Federation can be:

Google Cloud Directory Sync (GCDS) give the GSuite Admin the ability to automatically add, modify, and
delete users, groups, and non-employee contacts to synchronize the data in a GSuite domain with an LDAP
directory server or MS Active Directory. The data in the LDAP directory server is never modified or
compromised. (one-way update) GCDS is a secure tool that help keep track of users and groups.

 Data security
Google Cloud has some very important to understand the most important aspects for this exam are:   

Google states that an organization’s data remains encrypted when it is being transmitted and when it is in rest.
When data is at rest, it remains encrypted using AES 256-bit algorithm while in transit, Transport Layer
Security (TLS) protocol is followed for encryption.

Google uses a secure global API gateway infrastructure which used for managing all the services offered on
the platform. This infrastructure is only accessible via encrypted SSL/TSL channels and a time-limited
authentication key is generated. 2FA and hardware keys are also available for adding an extra layer of
authentication. All requests made by the platform APIs are logged and reviewed regularly.

Using a managed VPN and Cloud Interconnect, an organization can also create an encrypted communication
channel between its on-premise private IP environment and Google’s

Intelligent detection controllers are implemented on data entry points along with employing smart technologies
for automated responses.

Google complies with ISO 27001, PCI DSS, GDPR, HIPAA and many other global standards and country-
specific laws.

If you just want to give a user the ability to connect to a virtual machine instance using SSH, but don’t want to
grant them the ability to manage Compute Engine resources, add the user’s public key to the project, or add a
user’s public key to a specific instance. You can avoid adding a user as a project member, while still granting
them access to specific instances

OS Login
OS Login simplifies SSH access management by linking your Linux user account to your Google identity. Use
OS Login to manage SSH access to your instances using IAM without having to create and manage individual
SSH keys. OS Login maintains a consistent Linux user identity across VM instances and is the recommended
way to manage many users across multiple instances or projects.

To find out more about OS Login please refer to Google Clouds page on OS Login.

https://cloud.google.com/compute/docs/oslogin/
 Penetration testing
  Pen Testing can be a valuable exercise to understand the security of your Google Cloud resources. 
According to Google Cloud if you plan to evaluate the security of your Cloud Platform
infrastructure with penetration testing, you are not required to contact Google Cloud. 
Google Cloud has an FAQ on security subject below.

https://support.google.com/cloud/answer/6262505?hl=en
 Separation of duties (SoD) – Segregation of duties is a best practice especially in the financial
sector. SoD serves two key purposes for an organization.
 SoD ensures that there is oversight and review to catch errors.
 SoD helps prevent fraud or theft because it requires two people to collude in order to hide a
transaction
In Google Cloud separation of duties is configured by assigning IAM roles to accounts in different Google
Cloud projects.  

Each project is only granted the minimum required IAM roles to accomplish the activity and associated tasks.
These accounts include service accounts, used by GKE and Binary Authorization, and user accounts, accessed
by people

 Security controls – In Google Cloud we have several security controls we can implement. For
example, we can establish  Project Roles to give to Auditors such as Org viewer, project viewer
but at the same time limit access administratively. We can also develop a Service account key-
management strategy for migrating user profiles. (Key Management)
 Auditors – We should always provide access to auditors from a read perspective. For example, we
could export audit logs to GCS bucket and set IAM policy for read.
 Managing customer-managed encryption keys with Cloud KMS – It is very important to address
key management for your customer base.  A key management service is a software-only approach
that allows the client to create and manage the encryption keys used to protect sensitive data held
in the cloud. Encryption keys reside within the Google Cloud infrastructure and are accessible only
by the client.
Cloud KMS is a cloud-hosted key management service that lets you manage cryptographic keys for your cloud
services the same way you do on-premises.

Cloud KMS includes direct support for encryption, decryption, signing, and verification using a variety of key
types and sources including Cloud HSM for hardware-backed keys.

Cloud KMS must be enabled in your customers project. This only needs to be done once per project.

The command to enable the Cloud KMS service

gcloud services enable cloudkms.googleapis.com \

     –project “${GOOGLE_CLOUD_PROJECT}”
In Cloud KMS, a Key Ring is a logical collection of cryptographic keys. The Key Ring contains metadata
about the keys such as their location. To create a KMS Key Ring we would use the following command

gcloud kms keyrings create “my-keyring” \

    –location “us-east-1”

After the keyring we would need to encrypt data by using the command

“ gcloud kms encrypt” ….

Cloud KMS is fully integrated with Google Cloud Identity and Access Management (IAM).

The Cloud KMS IAM roles are divided into two categories:
 Permission to manage keys
 Permission to use keys
Cloud KMS is the preferred way as well to store secrets. Storing Secrets Best Practices in order.

In GCP you have two options for encrypting secrets which are. 

 Use application layer encryption using a key in Cloud KMS. This is the recommended option.
 Use the default encryption built into the Cloud Storage bucket. GCP encrypts customer content
stored at rest, using one or more encryption mechanisms. 
3.2 Design for Compliance
  Objectives of 3.2 and the areas of coverage are.
 Legislation, Commercial and Industry certifications – Google complies with ISO 27001, PCI
DSS, GDPR, HIPAA and many other global standards and country-specific laws.
For the purpose of the exam we really need a very generic idea of the capabilities of GCP around compliance
requirements. 

Google Cloud is fairly young as compared to AWS around compliance capabilities.  We should always review
any new developments with GCP but also third-party tools.

As for the configuration specifics, you can check if the component’s API can be helpful. For example,
Network Service Tiers APIs or Cloud SQL Admin API’s. Ensure you test your deployment with the API
Explorer to verify all methods in action.

To find out more please reference Google Cloud Compliance webpage below.

https://cloud.google.com/security/compliance

For full exam objectives coverage, practices questions and explanations

please check out the Google Cloud Associate Cloud Engineer -All in One
Guide

Objectives Section 4 – Analyzing and optimizing technical and business processes

This is one of the numerous Free posts by

TechCommanders in a series for studying for
the Google Cloud Platform Professional Cloud
Architect Exam
This section is focused designing solutions that meet the business and technical requirements of stakeholders.
It is important to go into the exam appreciating that Google defines best practices somewhat clearly and that
the exam will reference existing industry best practices for design and migrations

Here is the complete list of Free Tutorials

provided by TechCommanders.
Exam Objectives — Designing and planning a cloud solution architecture (Part 1 of 6)
Exam Objectives — Managing and provisioning a solution infrastructure (Part 2 of 6)
Exam Objectives — Designing for security and compliance (Part 3 of 6)
Exam Objectives — Analyzing and optimizing technical and business processes (Part 4 of
6) (This Post)
Exam Objectives — Managing implementation (Part 5 of 6)
Exam Objectives — Ensuring solution and operations reliability (Part 6 of 6)
Below I have summarized the objectives as efficiently as I could to provide
you an efficient study resource.
This section is focused designing solutions that meet the business and technical requirements of stakeholders.
Most of the focus is on development best practices.

It is important to go into the exam appreciating that Google defines best practices somewhat clearly and that
the exam will reference existing industry best practices for design and migrations.

 Below I have summarized the objectives as efficiently as I could to provide you an efficient study resource.

4.1 Analyzing and defining technical processes

  Objectives of 4.1 and the areas of coverage are.

 Software development life cycle plan (SDLC)

The software development lifecycle (SDLC) is a well-documented framework that software development
teams use to produce high-quality software in a systematic and cost-effective way.

The SDLC methodology is used by both large and small software organizations. These teams follow
development models ranging from agile to lean to waterfall and others.

The software development lifecycle gives organizations a methodical, step-by-step approach to developing
successful software. From gathering the initial requirements for a new product, through maintaining a mature
product on the market, we’ll teach you how to employ SDLC.

Using secure SDLC process incorporates essential security modules such as code review, penetration testing,
and architecture analysis into the entire process from beginning to end.

SDLC not only results in a more secure product but it also enables early
detection of vulnerabilities in the software.
Creates massive efficiencies in Software Development
 Reduces Organizational Risks
 Implement in the Design Phase
Figure 1 shows the SDLC Lifecycles 5 steps

Figure 1 – SDLC Lifecycle

 Continuous integration / continuous deployment – Security around the build steps are needed to
create a secure pipeline. But also, during the deployment phase keeping track of what code that is
sent production is important, the versioning and scanning the code to ensure it has not been
tampered with is critical.  Automation of your DevOps foundations will help the enterprise to
keep-up in an agile environment. Environment isolation and separation from production is also
very critical to implement.  This can be done in GCP thru the implementation of cloud projects and
proper IAM controls. Vulnerability analysis with Container Registry
  Google Container Registry provides secure, private Docker image storage on GCP.   Container Analysis is a
service that provides vulnerability scanning and metadata storage for software artifacts. The scanning service
performs vulnerability scans on images in Container Registry, then stores the resulting metadata and makes it
available for consumption through an API.

  The Container Analysis API needs to be enabled and then Cloud Build built images are pushed to the
Container Registry which then automatically scans the containers. Feedback on threats and issues is then given
to the user.

Test Tip – Container Analysis associate’s metadata to images through

notes and occurrences
 Notes are metadata in Container Analysis storage that are associated with an Attestor.

  Test Tip – you can view image vulnerabilities and image metadata for
containers in Container Registry with Cloud Console, Container Analysis
API (gRPC and REST/JSON) and gcloud command (gcloud beta container
images list-tags –show-occurrences)
 Binary Authorization
Binary Authorization is a service that allows only “attested” images to be deployed to the cluster. An attested
image is one that has been verified or guaranteed by an “attestor”. Any unauthorized images that do not match
the Binary Authorization policy are rejected as shown in the figure below.

  Test Tip – The default Binary Authorization policy allows all images.
Before we continue there are some terms to understand.

 Container Analysis is an API that is used to store trusted metadata about our software artifacts and
is used during the Binary Authorization process
 Attestor is a person or process that attests to the authenticity of the image
 Note is a piece of metadata in Container Analysis storage that is associated with an Attestor
 Attestation is a statement from the Attestor that an image is ready to be deployed. In our case we
will use an attestation that refers to the signing of our image. 
Test Tip –  A “Denied by Attestor”. Error will be returned if there are no
attestations found that were valid and signed by a key trusted by the
attestor.
To setup Binary Authorization there are some tasks that need to be completed in the project hosting the
Kubernetes Cluster.

 Enable the required APIs,

 Create a Kubernetes cluster that has Binary Authorization enabled
 Set up a Note
 Generate the PGP keys
 Create an Attestor
Figure 2 shows the how Binary Authorization can be enabled in the GKE console creation process.

Figure 2 GKE Cluster Security

Binary Authorization from my experience was heavily tested and therefore I would advise you memorize the
terms such as attest and attestation as well as what Container Analysis is.  Container Analysis and Binary
Authorization could be confused on the exam. 

Test Tip –  Container Analysis is an API that must be enabled  during the
Binary Authorization process.
When your automating your CI /CD processes you would execute the standard tasks of building your app

 Test your app  >>> Containerize it, >>> deploying it to Google Cloud Repositories >>>>Create
an image digest from the image >>>>>>sign it with the private key from a PGP key pair
>>>>>>>> create an attestation >>>>>>>>Finally  deploy it to Binary Authorization.
IAM policies per environment
Cloud Identity and Access Management (IAM), provides a more granular access to specific Google Cloud
resources and prevents unwanted access to other resources.  

 IAM lets you control who (users) has what access (roles) to which resources by setting IAM policies.

 A policy is a collection of bindings, audit configs and metadata which binds one or more members
to a single role. Members can be user accounts, service accounts, Google groups, and Gsuite
domains.
 A role is a named list of permissions; each role can be an IAM predefined role or a user-created
custom role.
Test Tip –  A role binding in a Cloud IAM policy is the combination of
both the role and a list of members.
Cloud IAM policies can be written in JSON or YAML. 
Note that the policy manages access to the resource itself as well as any child resources through policy
inheritance.

 Troubleshooting / postmortem analysis culture – Post Mortum and Post Incident Reviews are
needed to review problems in production and effectively learn more about how your system works
and can improve upon weaknesses Feedback is also very important to receive and provide as an
SRE. Feedback can be human or even tasking such as metrics like latency, error rate, rework rate,
and human time saved.  SRE considers acceptable risk as an “error budget.” When error budgets
are depleted, the focus should change from feature development to improving reliability.
 Testing and validation – Check out the Google Cloud Professional Cloud Architect Exam – All in
one Guide
 Service catalog and provisioning – Check out the Google Cloud Professional Cloud Architect
Exam – All in one Guide
 Business continuity and disaster recovery – For more exam study content, practice questions with
answers/explanations please check out the Google Cloud Professional Cloud Architect Exam –
All in One Guide.
4.2 Analyzing and defining business processes
  Objectives of 4.2 and the areas of coverage are
Stakeholder management  – Stakeholders are the users or the application owners who generally are going to
be concerned their applications are either performing poorly or not at all.  Set reasonable expectations of when
the service should back to normal and also communicate promptly and effectively.  
 Change management – An automated process that reliably builds, tests, and updates your
software is most effective. Code changes should automatically flow through a pipeline that
includes artifact creation, unit testing, functional testing, and production rollout.
You may want a code update to apply to only a subset of your users, so that it is exercised realistically before
you push it to your entire user base

      A version control system records changes to files stored in the system. These files can be source code,
assets, or other documents that might be part of a software development project. Dev teams can make changes
in groups called commits or revisions.  Ensures that you have consistency (reproducibility) in your
deployments and that you have a record (traceability) of your codebase changes.

  Test Tip – Version control helps your organization meet the critical
requirements around reproducibility and traceability. 
Versioning allows you to also rebuild it in a short amount of time without too much trouble. Other benefits
revolve around the ability to test but also the You can also rapidly promote updates from dev to staging to
production efficiently.

 Terraform is a great example of a solid tool that is used for this purpose.

 You may also want to review the version control page that Google has provided.

https://cloud.google.com/solutions/devops/devops-tech-version-control
Make infrastructure changes safer

Sometimes things just do not go according to plan and therefore we need to make changes to the build or the
deployment.

For example, Cloud Deployment Manager has a -preview flag you can use to preview changes before
actually running the deployment. 
Terraform for example, will review the plan for incorrect changes and you safely abort with no changes made
to your infrastructure. You have the choice to proceed or not with “terraform apply”

Immutable infrastructure is effectively infrastructure that is created once and does not change.  This is a
different way of thinking where updates/changes were commonly deployed on top of builds, OS, and
applications.  

Immutability can be achieved for example, by deploying your CI/CD pipelines to produce a completed image
with the newer version of the application/code/config already deployed.  Effectively, the image is ready to
work when provisioned on a VM for example.

Spinnaker is a commonly used comprehensive end-to-end build and deploy solution that provides for an
immutable architecture.

 Customer success management

Managing customer relationships is a critical role in being a Google Cloud Architect. As a cloud architect you
will need to understand the business requirements and then translate them into technical requirements.  

For full exam objectives coverage, practices questions and explanations

please check out the Google Cloud Associate Cloud Architect -All in One
Guide.

Objectives Section 5 – Managing implementation

This is one of the numerous Free posts by
TechCommanders in a series for studying for the Google
Cloud Platform Professional Cloud Architect Exam
This section is focused designing solutions that meet the business and technical requirements of stakeholders.
It is important to go into the exam appreciating that Google defines best practices somewhat clearly and that
the exam will reference existing industry best practices for design and migrations

Here is the complete list of Free Tutorials

provided by TechCommanders.
Exam Objectives — Designing and planning a cloud solution architecture (Part 1 of 6)
Exam Objectives — Managing and provisioning a solution infrastructure (Part 2 of 6)
Exam Objectives — Designing for security and compliance (Part 3 of 6)
Exam Objectives — Analyzing and optimizing technical and business processes (Part 4 of 6)
Exam Objectives — Managing implementation (Part 5 of 6) (This Post)
Exam Objectives — Ensuring solution and operations reliability (Part 6 of 6)
This section is focused on implementation aspects around Google Cloud Services and migrating to Google
Cloud.

It is important to go into the exam appreciating that Google defines best practices somewhat clearly and that
the exam will reference existing industry best practices for design and migrations

 Below I have summarized the objectives as efficiently as I could to provide

you an efficient study resource.

5.1 Advising development/operation team(s) to ensure successful

deployment of the solution.
  Objectives of 5.1 and the areas of coverage are.

 Application development – Modern application development support far better usability for cloud
native applications. 
 Some common themes are
 Event Driven
 Microservices
 API Gateways
Agile development is widely used and can be credited to lowering risk in cloud application development. 
Some common benefits of Agile are

 Business Value
 Higher Quality
 Reduce Time to Market (TTM)
 Cost Efficiency
 Better Stakeholder engagement
gRPC is a modern open source high performance RPC framework that can run in any environment. It can
efficiently connect services in and across data centers with pluggable support for load balancing, tracing,
health checking and authentication. It is also applicable in last mile of distributed computing to connect
devices, mobile applications and browsers to backend services.

Cloud Endpoints
Cloud Endpoints is a solution from Google Cloud to help create a Public API for your App Engine
applications. Cloud Endpoints also provides facilities to generate client libraries for Android and iOS, thus
easing your task to integrate your backend application functionality into your mobile applications on Android
and iOS.

Cloud Endpoints supports protocol transcoding so that clients can access your gRPC API by using
HTTP/JSON. The Extensible Service Proxy (ESP) transcodes HTTP/JSON to gRPC.

Cloud Endpoints use Google Protocol RPC for HTTP service calls. The steps that are needed are

1. Configure your Application

2. Define Message classes
3. Write your endpoint code
4. Run and test API
 Testing frameworks (load/unit/integration)
Performance testing measures the specified points of measurements. (Throughput, Response Time. Latency,
Usage)

Load testing is a form of performance testing which focuses on the variables of the load. It validates load as
compared to performance metrics such as latency or TPS.  Validates limits and thresholds and most
importantly it helps us isolate bottlenecks.

Unit Testing is commonly referred to as component testing. In unit testing we generally test a single
component which is common decoupled from the dependencies.

Integration testing is used to validate components of our applications work together.  It is commonly used for
testing multiple components and/or multiple systems. This form of testing is used to validate the quality of the
software components.

 Data and system migration tooling.  Migrations can occur form on premises or from other
providers.
The Google Cloud Adoption Framework was developed to serve both as a map for determining where your
business information technology capabilities are now, and as a guide to where you want to be.

You can use this framework to assess your organization’s readiness for Google Cloud. You may want to
review the framework here.

The framework has four specific themes to address cloud adoption. 

 Learn. – Your will want to review the quality and scale of your learning programs.
 Lead. – You will want to understand the extent to which your IT departments are supported by a
mandate from leadership to migrate to Google Cloud.
 Scale. – You need to review the true extent to which you use cloud-native services.
 Secure. – Understand the capability to secure the environment.
https://cloud.google.com/solutions/migration-to-gcp-getting-started
Migrating your VM and Container workloads to Google cloud
Moving you’re your VMS.
There are two ways to move your Virtual Machines.

 Manually
 Automatically
When preparing to move your VMs don’t use on a VM with a local SSD. The local SSD data cannot be backed
up and will just be discarded. Persistent disks have to be attached to only the VM you are going to move.
(Multiple not supported) Note that sufficient quota must exist for all the resources copied during duplication,
or the process will fail.

Migration Types
There are three major types of migrations according to Google:

 Lift and shift effectively move workloads from a source environment to a target environment with
minor or no modifications or refactoring.
 Improve and move effectively modernizes the workload while migrating it. In this type of
migration, you modify the workloads to take advantage of cloud-native capabilities, and not just to
make them work in the new environment.
 Rip and replace will decommission an existing app and completely redesign and rewrite it as a
cloud-native app. This type of migration allows you to use any Google Cloud capabilities.
There are several ways to migrate from Cloud Provider to GCP

1. Importing Virtual Disks – Use import tool supports most virtual disk file formats, including
VMDK, VHD, and RAW.
2. Migrate for Compute Engine has effectively provided all the features of Velostrata. There are
some really awesome features such in-place upgrade, and more recently the possibility of
migrating into a container rather than a VM.

DevOps on Google Cloud Platform

Migrate for Compute Engine supports migration from an on-premise VMware environment or from other
cloud providers.

At the time of writing these operating systems are supported:

 Windows 2003 and newer

  Linux with kernel 2.6+ for offline migrations
 Linux with kernel  3.13+ for online migrations
5.2  Interacting with Google Cloud using GCP SDK
  Objectives of 5.2 and the areas of coverage are.

The Cloud SDK is a set of tools for Cloud Platform.

It contains gcloud, gsutil, and by command-line tools, which you can use to access Google Compute Engine,
Google Cloud Storage, Google BigQuery, and other products and services from the command-line.

You can run these tools interactively or in your automated scripts.

Local installation
To download and install locally we first need to select our runtime:

https://cloud.google.com/sdk/downloads
The following are the steps to start locally installing on Linux.

 Extract file
 Setup paths/reporting: ./google-cloud-sdk/install.sh (or .bat)
 Initialize the SDK: gcloud init
 Authorization — gcloud auth activate-service-account –key-file [KEY_FILE]
Google Cloud Shell has the following components.
 gsutil
 PowerShell cmdlets (Windows)
 bq Tool
 kubectl Tool
Google Cloud Emulators and Components are meant to support testing and development.

There is support for Bigtable, Datastore, Firestore and Pub/Sub Emulators and support for components such as
Bigquery, Kubernetes, etc

To install components.

gcloud components – list, install, update, or remove Google Cloud SDK components

To install “kubectl” we need to install the component with the following syntax.

 gcloud components list

Figure 1 shows the SDK CLI with installed components

Figure 1 Kubectl
Objectives Section 6 – Ensuring solution and
operations reliability
This section is focused on maintain our cloud solutions in a professional manner that supports operations. Main
areas of focus are around Stackdriver and cloud development best practices.

It is important to go into the exam appreciating that Google defines best practices somewhat clearly and that
the exam will reference existing industry best practices for design and migrations

 Below I have summarized the objectives as efficiently as I could to provide

you an efficient study resource.

6. Ensuring solution and operations reliability

In this topic the focus on what the Stackdriver Operations Suite is utilized for and how to use the specific
capabilities. The subjects covered will provide an important review for the exam preparation

6.1 Monitoring/logging/profiling/alerting solution

For this section it is important to note that Stackdriver was extensively covered in Chapter 2 of the book. I
have included a snippet below.

To access Stackdriver simply go to the Cloud Console and go to Operations.

Stackdriver Monitoring Main Benefits

 Fully integrated with Google Cloud Console
 Monitors multi cloud (GCP and AWS)
 Identify trends and prevents issues
 Lowers Monitoring headaches
 Fix problems faster
 Aids with Cloud Security
 Aids with Compliance

In a nutshell we select the platform then we select metrics and then we will choose how to monitor or view.

Figure 1 Stackdriver Operations

Test Tip – Stackdriver. You can write logs from Python applications by
using the Stackdriver logging handler
You can have as many Workspaces as you wish, but GCP projects and AWS accounts cannot be monitored by
more than one Workspace.

Test Tip – Every workspace has a host project.

A Workspace can access metric data from its monitored projects, but the metric data and log entries remain in
the individual projects.

Figure 2 Stackdriver Operations

The above figure shows an App Engine dashboard and one for Development GKE.  Having very specific
dashboards aids in the rapid identification of potential issues by providing an immediate visual thru viewing
graphs/charts for example.

Test Tip – You can share Stackdriver Charts by sending a parameterized

URL
Figure 3 Dashboard View 

The monitoring dashboard in the figure above is just a sample of what could be customized. 

  It works simply by selecting the Resource and then available metrics you would like in your dashboard view.
Metrics Explorer lets you build charts for any metric collected by your project.

Figure 4 Metrics Explorer

DevOps on Google Cloud Platform
Uptime Checks
When you make a change to an uptime check delay could be 25 minutes.

Figure 5 Latency Uptime Check

Uptime checks are available under monitoring and the dashboard will show you Uptime, Latency, Alerts,
Checks Passed, etc.

Test Tip – You can setup alerts via email, SMS. PagerDuty, Web apps,
webhooks and even webhooks
Stackdriver Logging 
Logging supports these destinations for exported log entries.  These exports are facilitated with the Logging
API

 Cloud Storage
 BigQuery
 Pub/Sub
Logging Agent 
  The Logging agent which you would install on a VM is based on Fluentd.  Fluentd is an open source data
collector, which lets you unify the data collection and consumption for a better use and understanding of data.
Fluentd is used to obtain or write log files to syslog and other supported log types.

Install Logging Agent

The Logging Agent is installed the same way you would install the monitoring agent on a VM. It is just a
different script that your running.

Log Sinks
#gcloud logging sinks create

Sinks can be set up at the Google Cloud project level, or at the organization or folder levels using aggregated
sinks.

To view existing sinks, you must have the IAM roles Viewer or Logging/Logs Viewer in the sink’s parent
resource
Logs
Your GCP project has several logs that are relevant to a GKE cluster. These include the Admin Activity log,
the Data Access log, and the Events log.

Table 3.1 shows the current options Log Info and how long Google Cloud log retention trivia for the exam.

Table 1 Log Retention

Log Info Numbers to Learn

Log Entry Size 256KB

Default Log Retention 30 -400 days  

Custom Log Retention 1 day to 3650 days

Logging retention varies based on the type of log. The default range is between 30 days and up to 400 days.

Logs Router checks each log entry against existing rules to determine which log entries to discard, which log
entries to ingest into Cloud Logging, and which log entries to export using log sinks.

To list current logs.

#gcloud logging logs list
  Table 3.2 shows the current options Log Type and how long Google maintains the logs for you.

Table 2 Log Retention

Log Type Default Retention Time

Data Access Logs 30 Days

System Event Logs 400 Days

Admin Activity Audit Logs 400 Days

For more information on Log Retention please refer to the Google Cloud Documentation site here.

https://cloud.google.com/logging/quotas
For more exam study content, practice questions with answers/explanations please check out the Google
Cloud Professional Cloud Architect Exam – All in One Guide.
6.2 Deployment and release management
Deployment Manager is an infrastructure deployment service that automates the creation and management of
Google Cloud Platform resources for you.

Declarative format (Schema Files)– yaml

Python or Jinja2(Templates) 

Preview configuration in a deployments via Deployment Manager

    gcloud deployment-manager deployments create example-deployment –config configuration-file.yaml \      –
preview
https://cloud.google.com/deployment-manager/
6.3 Assisting with the support of solutions in operation
We can obtain support of our cloud services by finding the correct support. Support could be in the form of a
support contract, reviewing cloud documentation, following GCP best Practices or even going to communities
such as StackOverflow.

Google Cloud Support is located here.

https://support.google.com/cloud/answer/6305667?hl=en
There is also billing support for billing related support and free developer support.

Billing support is located at the link below. https://cloud.google.com/support/billing

6.4 Evaluating quality control measures – When evaluating measures, we
have in place for our deployments, we want to ensure that we have the
correct systems in place from a development perspective. 
   We also need to differentiate from quality control and quality assurance.  Let’s review.

 Quality control can be defined as “part of quality management focused on fulfilling quality
requirements.“
 Quality assurance can be defined as “part of quality management focused on providing confidence
that quality requirements will be fulfilled.” The confidence provided by quality assurance is
twofold—internally to management and externally to customers, government agencies, regulators,
certifiers, and third parties.
For example, we could use Stackdriver metrics to help identifying issues with our applications and confirm
they are performing as expected. 

For full exam objectives coverage, practices questions and explanations

please check out the Google Cloud Associate Cloud Architect -All in One
Guide.
Google Cloud Professional Architect Exam – All in One Guide
End of Exam Objectives
Additional Practice exams are on Udemy.