3. Account Setup Flashcards
Resources: two categories
Service-level resources
- Compute Engine VMs
- Cloud Storage buckets
- Cloud SQL databases
Account-level resources
- Organisation itself
- Folders
- Project
Resource Hierarchy
Comprises Service Level + Account Level resources.
Allows you to configure and grant access to the various resources
- Domain (cloud level)
- Organisation level (root node) - associated with ONE domain only.
- Folders layer (grouping mechanism and isolation boundary between projects - you can set up a separate folder for each of your departments (HR, Finance, Legal etc))
- Projects layer (core organisational component)
- Resource layer (compute engine instances, APIs etc)
Note: labels help categorise resources using a key-value relationship between the project and the resource layers.
Note: points 2-4 are Account-level resources and policies can be applied to them; point 5 is a Service-level resource; altogether 1-5 are hierarchical resources
Note: if two projects need the same set of permissions/policies, it is best to apply them at the folder level and put the two projects into that folder
Project identifying attributes
- Project ID - globally unique, assigned by Google, immutable (cannot be changed)
- Project name - user created, mutable
- Project number - globally unique, immutable
Resource Manager Tool
It's an API that helps to:
- Gather a list of projects
- Create new projects
- Update existing projects
- Delete projects
- Recover previously deleted projects
Note: it can be accessed through the RPC API and the REST API
Organisation node creation
Depends on whether the company is:
- A Google Workspace customer
- OR a non-Google Workspace customer
If a Workspace customer, then all projects will automatically belong to your org node.
If not, use Cloud Identity to create the org node
IAM (Identity and Access Management)
Controls the hierarchical policies
- each child object is controlled by only ONE parent
- access control policies and configuration settings on a parent resource are inherited by the child
Cloud Billing Account
- can be linked to one or more projects
- Note that 1 project belongs to 1 billing account
There are two payment types:
- Self-service (online) payment
- Invoiced (offline) payment
GCP Pricing Calculator
What the architecture will cost you
Note: Budget Alerts help to control costs.
Pub/Sub
Used for programmatic notifications or to automate cost management tasks.
So when certain events occur, custom notifications can be sent (e.g. send a notification to Slack, or disable billing to stop usage).
Events from Cloud Storage and Pub/Sub can also trigger Cloud Functions for asynchronous execution OR HTTP invocation for synchronous execution.
Committed use discount (+ Reservations)
- resource based
- duration: 1 or 3 years (greater discount for 3 years)
Reservations - reserve the VM instances you need (ensures that these resources are always available for you); but your VM properties must exactly match those of the reserved machine!
Spend-based commitment
(There are also resource-based commitments)
- can be used either for Cloud SQL or for VMware Engine
Operations Suite (detailed) + Resource Monitoring and Quota increase requests
IAM - quotas:
- this is where I can increase the quota by clicking on ‘edit quotas’
Monitoring
- allows you to add a monitoring space so that you can add people to this space and they can receive billing alerts too
- Basis of SRE (Site Reliability Engineering)
- can generate insights from these outputs
- Each metric scope contains monitoring and config info
- Each metric scope can contain several projects to monitor
- The first google monitoring object = Scoping Project
- All users that have access to the metric scope can view the performance of ALL projects associated with it; therefore consider using separate metric scopes
- Alerting policies can be created (notified through email) - use multiple notification channels just to be sure about alerting
- Uptime checks test the availability of your public services across the regions
- Ops Agent is used to collect system and application metrics specifically from VM instances and sends them to Monitoring (can be enabled for a VM when it’s being created)
- can look at standard metrics but also create custom ones
Operations Suite
1. Resource Monitoring
2. Logging
- read/write log entries
- monitor alerts
- export logs to Cloud Storage buckets (for 30+ days retention) / BigQuery (to analyse logs and visualise them using Looker Studio) / Pub/Sub (stream logs to applications and endpoints)
3. Error Reporting
- available for App Engine, Cloud Functions, Cloud Run, Kubernetes, Compute Engine, GKE
4. Tracing
- collects latency data
- performance insights
- App Engine, HTTP(s) Load Balancers
5. Profiling
- continuous analysis of the CPU
- it has low impact on app performance, unlike some profiling tools that slow the app down
Export billing data
(to analyse in detail if I want)
- exported automatically to BigQuery
- but the Cloud Billing API must be enabled first
2 types of billing data I can obtain
1. Daily Cost detail data
2. Pricing data
API (definition)
Application Programming Interface. Important to have no matter what service you are using on Google Cloud.
Super Admin Account (most important);
Billing Account Administrator (has permissions to view billing costs) vs Billing Account User Role (Admin User)
The Admin User doesn't have all the privileges. They have the power to create, edit and delete resources but not the permissions related to billing.
They can for instance associate the projects they are on with a specific billing account.
To add the role, go to Billing - Account Management - Add Members
Cloud SDK and CLI (command line interface):
Overview
Cloud SDK - set of command line tools that allow you to manage resources through the terminal:
- gcloud
- gsutil
- bq
- kubectl
Note: to access Google Cloud Platform, you should authorise Google Cloud SDK tools.
To grant authorisation to Google Cloud SDK tools, you can either use a user account (for SDK use on a single machine) or a service account (for SDK use on multiple machines).
A service account is normally associated with a GCP project, not with a specific user account.
Cloud SDK and CLI (command line interface):
Commands
gcloud init - initialise, authorise and setup (sets up account, chooses the current project, prompts to authorise the use and also allows to choose a zone/region)
gcloud auth login - authorise access for gcloud (it’s used to prove that you are who you say you are and that you are allowed to use the services such as Compute Engine, Google Cloud Storage etc)
gcloud config - configure accounts and projects
gcloud config list - list current accounts and projects, project name, zone, region
gcloud config get-value <property> - obtain info about the zone/region/project (e.g. gcloud config get-value project)
gcloud config set compute/region us-west1 - setting a project region
gcloud components - install, update, delete SDK components
export REGION=us-west1 - create a variable REGION that holds the 'region' value
Display (print) information in the console (the -e flag makes echo interpret \n as a newline)
echo -e "PROJECT ID: $PROJECT_ID\nZONE: $ZONE"
Output
PROJECT ID: qwiklabs-gcp-04-005ec4f89981
ZONE: us-west1-b
General format of the gcloud commands
gcloud + (component) + (entity) + (operation) + (positional arguments) + flags
E.g.:
gcloud + compute + instances + create + example-instance-1 + --zone=us-central1-a
Cloud SDK: Command to identify what the active account is atm
gcloud auth list
Cloud SDK: Command for the path to the user config directory
gcloud info
This shows the directory that holds your encrypted credentials and access tokens
Cloud SDK: Command for Information about active configuration
gcloud config list
- region
- zone
- account (who is currently “on”)
- project
- configuration name (nickname)
Cloud Shell: check disk storage (command)
df -h
Cloud Shell provides 5 GB of persistent disk storage on the VM for free
Cloud Shell: region choice
It is global, so you are automatically assigned to the closest region.
Unlike Cloud SDK, you cannot choose your own region/zone.
Cloud Shell: create a file and open using Code Editor (like VS code)
Create a file:
touch file_name
Code/Change a file:
edit file_name
Some VM memory properties
e2-small (memory 2GB)
e2-medium (memory 4GB)
Quotas: Rate Quota
Amount of API usage per day, resets after specified time
Quotas: Allocation Quota
E.g. no. of VMs or Load Balancers used by a project.
This quota is only released when you explicitly free the resource, so it won't reset after a specified time on its own (e.g. deleting a GKE cluster releases the resources it was using)
Quotas: finding in the console
IAM & Admin -> Quotas -> Edit quota (to send an increase request)
OR through the API dashboard
APIs & Services -> select one of the APIs
Allow HTTP traffic
Selecting this option allows access to a web server that you install later.
Note: This automatically creates a firewall rule to allow HTTP traffic on port 80.
Updating the OS on the VM
sudo apt-get update
HTTPS
- Hypertext Transfer Protocol Secure
- default port number is 443
- to set up HTTPS one needs to obtain and configure SSL/TLS certificates