3. Account Setup Flashcards
Resources: two categories
- Service-level resources
  - Compute Instance VMs
  - Cloud Storage buckets
  - Cloud SQL databases
- Account-level resources
  - Organisation itself
  - Folders
  - Project
Resource Hierarchy
Comprises Service-level + Account-level resources.
Allows you to configure and grant access to the various resources.
1. Domain (cloud level)
2. Organisation level (root node) - associated with ONE domain only.
3. Folders layer (grouping mechanism and isolation boundary between projects - you can set up a separate folder for each of your departments (HR, Finance, Legal etc.))
4. Projects layer (core organisational component)
5. Resource layer (Compute Engine instances, APIs etc.)
Note: labels help categorise resources using a key-value relationship between the project and the resource layers.
Note: points 2-4 are Account-level resources, and policies can be applied to them; point 5 is a Service-level resource; altogether, points 1-5 are the hierarchical resources.
Note: if two projects need the same set of permissions/policies, it’s best to apply them at the folder level and put the two projects into that folder.
Project identifying attributes
- Project ID - globally unique, assigned by Google, immutable (cannot be changed)
- Project name - user-created, mutable
- Project number - globally unique, immutable
Resource Manager Tool
It’s an API that helps to:
- Gather a list of projects
- Create new projects
- Update existing projects
- Delete projects
- Recover previously deleted projects
It can be accessed through the RPC API and the REST API.
Organisation node creation
Depends on whether the company is:
- A Google Workspace customer
- OR a non-Google Workspace customer
If a Workspace customer, all projects will automatically belong to your organisation node.
If not, use Cloud Identity to create the organisation node.
IAM (Identity and Access Management)
Controls the hierarchical policies:
- each child object is controlled by only ONE parent
- access control policies and configuration settings on a parent resource are inherited by its children
Cloud Billing Account
- can be linked to one or more projects
- Note that one project belongs to only ONE billing account
There are two payment types:
- Self-service (online) payment
- Invoiced (offline) payment
GCP Pricing Calculator
Estimates what your architecture will cost you.
Note: Budget Alerts help to control costs.
Pub/Sub
Used for programmatic notifications or to automate cost-management tasks.
When certain events occur, it can send custom notifications (e.g. send a notification to Slack, or disable billing to stop usage).
Events from Cloud Storage and Pub/Sub can also trigger Cloud Functions, either for asynchronous execution OR via HTTP invocation for synchronous execution.
Committed use discounts (+ Reservations)
- resource-based
- duration: 1 or 3 years (greater discount for 3 years)
Reservations - reserve the VM instances you need (ensures these resources are always available to you); but your VM properties must exactly match those of the reserved machine!
Spend-based commitment
(There are also resource-based commitments)
- can be used either for Cloud SQL or for VMware Engine
Operations Suite (detailed) + Resource Monitoring and quota increase requests
IAM - Quotas:
- this is where you can increase a quota by clicking on ‘edit quotas’
Monitoring
- allows you to add a monitoring space; people added to this space can receive billing alerts too
- the basis of SRE (Site Reliability Engineering)
- insights can be generated from these outputs
- Each metric scope contains monitoring and config info
- Each metric scope can contain several projects to monitor
- The first Google monitoring object = the Scoping Project
- All users who have access to the metric scope can view the performance of ALL projects associated with it, so consider using separate metric scopes
- Alerting policies can be created (notified through email) - use multiple notification channels to be sure alerts get through
- Uptime checks test the availability of your public services across regions
- The Ops Agent collects system and application metrics specifically from VM instances and sends them to Monitoring (it can be enabled for a VM when it’s being created)
- you can look at standard metrics but also create custom ones
Operations Suite
1. Resource Monitoring
2. Logging
- read/write log entries
- monitor alerts
- export logs to Cloud Storage buckets (for 30+ days retention), BigQuery (to analyse logs and visualise them using Looker Studio) or Pub/Sub (to stream logs to applications and endpoints)
3. Error Reporting
- available for App Engine, Cloud Functions, Cloud Run, Kubernetes, Compute Engine, GKE
4. Tracing
- collects latency data
- performance insights
- App Engine, HTTP(s) Load Balancers
5. Profiling
- continuous analysis of the CPU
- low impact on app performance, so it doesn’t slow apps down, unlike some profiling tools
Export billing data
(to analyse costs in detail if I want)
- exported automatically to BigQuery
- but the API must be enabled first
Two types of billing data I can obtain:
1. Daily Cost detail data
2. Pricing data
API (definition)
Application Programming Interface. Important to have no matter what service you are using on Google Cloud.
Super Admin Account (most important);
Billing Account Administrator (has permissions to view billing costs) vs Billing Account User role (Admin User)
The Admin User doesn’t have all the privileges: they can create, edit and delete resources, but they lack the billing-related permissions.
They can, for instance, associate the projects they are on with a specific billing account.
To add the role, go to Billing - Account Management - Add Members