ACE Failed Topic Review Flashcards
What services fall under ‘Networking’?
1) Virtual Private Cloud (VPC)
2) Cloud Load Balancing
3) Cloud CDN
4) Cloud Interconnnect
5) Cloud DNS
6) Network Service Tiers (alpha)
What services fall under ‘Big Data’?
1) BigQuery
2) Cloud Dataflow
3) Cloud Dataproc
4) Cloud Datalab
5) Cloud Dataprep (beta)
6) Cloud Pub/Sub
7) Genomics
8) Google Data Studio (beta)
What services fall under ‘Data Transfer’?
1) Google Transfer Appliance
2) Google Storage Transfer Service
3) Google BigQuery Data Transfer Service
What services fall under ‘Machine Learning’?
1) Cloud Machine Learning Engine
2) Cloud Job Discovery (beta)
3) DialogFlow Enterprise Edition
4) Cloud Natural Language
5) Cloud Speech API
6) Cloud Translation API
7) Cloud Vision API
8) Cloud Video Intelligence
What services or features fall under ‘Identity & Security’?
1) Cloud IAM
2) Cloud Identity-Aware Proxy
3) Cloud Data Loss Prevention API (beta)
4) Security Key Enforcement
5) Cloud Key Management Service
6) Cloud Resource Manager
7) Cloud Security Scanner
What activities are required to setup a cloud solution environment?
Setup Account and Projects:
-Creating a resource hierarchy
-Applying organizational policies to the resource hierarchy
-Granting members IAM roles within a project
-Managing users and groups in Cloud Identity
-Enabling APIs within projects
-Provisioning and setting up products in Google Cloud’s operations suite
Managing billing configuration.
-Creating one or more billing accounts
-Linking projects to a billing account
-Establishing billing budgets and alerts
-Setting up billing exports
Installing and configuring the command line interface (CLI), specifically the Cloud SDK (e.g., setting the default project)
What are the steps to create a resource heirarcy
Create Organization
Create folders (one for each department)
Create projects in appropriate folders
Purpose of the Google Cloud resource hierarchy is two-fold:
Provide a hierarchy of ownership, which binds the lifecycle of a resource to its immediate parent in the hierarchy.
Provide attach points and inheritance for access control and organization policies.
Who owns the project resource in the heirarchy?
With an organization resource, project resources belong to your organization instead of the employee who created the project. This means that the project resources are no longer deleted when an employee leaves the company; instead they will follow the organization resource’s lifecycle on Google Cloud.
Where can you set an IAM policy on a resource?
You can set an IAM policy at the organization level, the folder level, the project level, or (in some cases) the resource level.
Resources inherit the policies of the parent resource. If you set a policy at the organization level, it is inherited by all its child folder and project resources, and if you set a policy at the project level, it is inherited by all its child resources.
How do you determine the effective policy for a resource?
The effective policy for a resource is the union of the policy set on the resource and the policy inherited from its ancestors.
This inheritance is transitive
Resources inherit policies from the project, which inherit policies from the organization resource.
Organization-level policies also apply at the resource level.
What happens to inherited resource permissions when you move a project to a new location?
IAM policy hierarchy follows the same path as the Google Cloud resource hierarchy. If you change the resource hierarchy, the policy hierarchy changes as well.
moving a project resource from one folder resource to another will change the inherited permissions. Permissions that were inherited by the project resource from the original parent resource will be lost when the project resource is moved to a new folder resource. Permissions set at the destination folder resource will be inherited by the project resource as it is moved.
What types of users can create an organization resource?
Google Workspace and Cloud Identity customers can create organization resources.
Each Google Workspace or Cloud Identity account is associated with one organization resource.
When an organization resource exists, it is the top of the Google Cloud resource hierarchy, and all resources that belong to an organization are grouped under the organization resource.
What pre - requisites are required to create folder resources?
An organization resource is required as a prerequisite to use folders. Folder resources and their child project resources are mapped under the organization resource.
What is the benefit of having Google Cloud organization and folder resources?
organization resource and folder resources, allows companies to map their organization onto Google Cloud.
These provide logical attachment points for access management policies (IAM) and Organization policies.
Are Orgnization resources required for Google Cloud?
Google Cloud users are not required to have an organization resource, but some features of Resource Manager will not be usable without one.
The organization resource is closely associated with a Google Workspace or Cloud Identity account.
When a user with a Google Workspace or Cloud Identity account creates a Google Cloud project resource, an organization resource is automatically provisioned for them.
What restrictions with a managed user (workspace or cloud identity) when they create a project?
If a user specifies an organization resource and they have the right permissions, the project is assigned to that organization.
Otherwise, it will default to the organization resource the user is associated with.
What happens when you adopt Cloud Identity for an IAM heirarchy.
When you adopt Cloud Identity, you create a Cloud Identity account for each of your users and groups.
You can then use Identity and Access Management (IAM) to manage access to Google Cloud resources for each Cloud Identity account.
Are you able to migrate projects from one organization to another?
Yes - must check services and see what is allowed with project resources?
Need IAM Permissions to move project resource
If need be, can change back
Use import and export folders
Where can you set an IAM Policy?
You can set an IAM policy at the organization level, the folder level, the project level, or (in some cases) the resource level.
Resources inherit the policies of the parent resource.
If you set a policy at the organization level, it is inherited by all its child folder and project resources, and if you set a policy at the project level, it is inherited by all its child resources.
Can you remove a permission that was granted at a higher level resource?
Roles are always inherited, and there is no way to explicitly remove a permission for a lower-level resource that is granted at a higher level in the resource hierarchy.
If you change the Google Cloud Resource Heirarchy, what happens to the policy Heirarchy?
The IAM policy hierarchy follows the same path as the Google Cloud resource hierarchy. If you change the resource hierarchy, the policy hierarchy changes as well. For example, moving a project into an organization resource will update the project’s IAM policy to inherit from the organization resource’s IAM policy.
What happens when a project moves from one folder resource to another?
Moving a project resource from one folder resource to another will change the inherited permissions. Permissions that were inherited by the project resource from the original parent resource will be lost when the project resource is moved to a new folder resource. Permissions set at the destination folder resource will be inherited by the project resource as it is moved.
How do you use projects for organizing resources?
Use projects to group resources that share the same trust boundary. For example, resources for the same product or microservice can belong to the same project.
Why should you audit your allow policies?
Audit your allow policies to ensure compliance. Audit logs contain all setIamPolicy() calls, so you can trace when an allow policy has been created or modified.
Audit the ownership and the membership of the Google groups used in allow policies.
How do you limit project creation in your organization?
If you want to limit project creation in your organization, change the organization policy to grant the Project Creator role to a group that you manage.
Remove the default roles for project creation that are setup by default.
What are the benefits of the Organization Policy Service?
Centralize control to configure restrictions on how your organization’s resources can be used.
Define and establish guardrails for your development teams to stay within compliance boundaries.
Help project owners and their teams move quickly without worry of breaking compliance.
What are common use cases for the organization policies?
Organization policies are made up of constraints that allow you to:
Limit resource sharing based on domain.
Limit the usage of Identity and Access Management service accounts.
Restrict the physical location of newly created resources.
What are the Differences from Identity and Access Management and Organization Policy Service?
Identity and Access Management focuses on who, and lets the administrator authorize who can take action on specific resources based on permissions.
Organization Policy focuses on what, and lets the administrator set restrictions on specific resources to determine how they can be configured.
What is a constraint for an organization policy service?
A constraint is a particular type of restriction against a Google Cloud service or a list of Google Cloud services. Think of the constraint as a blueprint that defines what behaviors are controlled. This blueprint is then applied to a resource hierarchy node (folder, project, or org) as an organization policy, which implements the rules defined in the constraint. The Google Cloud service mapped to that constraint and associated with that resource hierarchy node will then enforce the restrictions configured within the organization policy.
What are the different storage classes for any workload?
Storage classes for any workload
Save costs without sacrificing performance by storing data across different storage classes. You can start with a class that matches your current use, then reconfigure for cost savings.
Standard Storage: Good for “hot” data that’s accessed frequently, including websites, streaming videos, and mobile apps.
Nearline Storage: Low cost. Good for data that can be stored for at least 30 days, including data backup and long-tail multimedia content.
Coldline Storage: Very low cost. Good for data that can be stored for at least 90 days, including disaster recovery.
Archive Storage: Lowest cost. Good for data that can be stored for at least 365 days, including regulatory archives.
What are the different persistent disk types?
Standard persistent disks (pd-standard) are backed by standard hard disk drives (HDD).
Balanced persistent disks (pd-balanced) are backed by solid-state drives (SSD). They are an alternative to SSD persistent disks that balance performance and cost.
SSD persistent disks (pd-ssd) are backed by solid-state drives (SSD).
Extreme persistent disks (pd-extreme) are backed by solid-state drives (SSD). With consistently high performance for both random access workloads and bulk throughput, extreme persistent disks are designed for high-end database workloads. Unlike other disk types, you can provision your desired IOPS. For more information, see Extreme persistent disks.
How can you protect against data loss on persistent disks?
you can create snapshots of persistent disks to protect against data loss due to user error. Snapshots are incremental, and take only minutes to create even if you snapshot disks that are attached to running instances.
What are the 6 steps to setup a cloud solution?
What are examples of Global Resources?
Images
Snapshots
VPC Network
Firewalls
Routes
What are example of Regional Resources
Static external IP Addresses
Subnets
What are example of zonal resources?
Compute Instances (VMs)
Persistent Disks
What is the Billing Account Creator role authorized to do?
Create new self service accounts.
What can billing account administrator role authorized to do
Manage self service account, but can’t create new accounts.
What is the difference between billing account user and billing account viewer?
You can link projects to a billing account.
Link transactional and billing account data
How can you achieve billing alerts?
You can get alerts by pub/sub or email.
Alerts can be based off a threshold or % of last month’s bills.
Where can you export billing data from GCP?
To Big Query
As CSV in Cloud Storage
Before you can utilize any features within GCP, you must set up ?????? to associate a payment method to all services and resources that are not free within the GCP.
This requires what role?
Billing Account Information
Role required Billing Account User
Workspaces
Cloud Monitoring requires an organizational tool to monitor and collect information. In GCP, that tool is called a Workspace. The Workspace brings together Cloud Monitoring resources from one or more GCP projects.
The Workspace collects metric data from one or more monitored projects; however, the data remains project bound.
The data is pulled into the Workspace and then displayed.
To create an organization policy you choose a ?
Organization policy, you choose a constraint
Which is a particular type of restriction against either a Google Cloud service or a group of Google Cloud services.
You configure that constraint with your desired restrictions.
What type of policy do you create when you assign roles to users?
Allow policy
You can grant roles to users by creating an allow policy, which is a collection of statements that define who has what type of access. An allow policy is attached to a resource and is used to enforce access control whenever that resource is accessed.
How do you grant access to resources?
You can grant access to Google Cloud resources by using allow policies, also known as Identity and Access Management (IAM) policies, which are attached to resources. You can attach only one allow policy to each resource. The allow policy controls access to the resource itself, as well as any descendants of that resource that inherit the allow policy.
What is another name for an IAM Policy?
Also known as allow policy
There are two types of service accounts:
There are two types of service accounts, user-managed service accounts and Google- managed service accounts. Users can create up to 100 service accounts per project. When you create a project that has the Compute Engine API enabled, a Compute Engine service account is created automatically. You can only create 10 key pairs per project. Similarly, if you have an App Engine application in your project, GCP will automatically create an App Engine service account. Both the Compute Engine and App Engine service accounts are granted editor roles on the projects in which they are created. You can also create custom service accounts in your projects.
What are the events and information to use the Cloud Pub Sub?
Topic. A named resource to which messages are sent by publishers.
Subscription. A named resource representing the stream of messages from a single, specific topic, to be delivered to the subscribing application. For more details about subscriptions and message delivery semantics, see the Subscriber Guide.
Message. The combination of data and (optional) attributes that a publisher sends to a topic and is eventually delivered to subscribers.
Message attribute. A key-value pair that a publisher can define for a message. For example, key iana.org/language_tag and value en could be added to messages to mark them as readable by an English-speaking subscriber.
Publisher. An application that creates and sends messages to a topic(s).
Subscriber. An application with a subscription to a topic(s) to receive messages from it.
Acknowledgement (or “ack”). A signal sent by a subscriber to Pub/Sub after it has received a message successfully. Acked messages are removed from the subscription’s message queue.
Push and pull. The two message delivery methods. A subscriber receives messages either by Pub/Sub pushing them to the subscriber’s chosen endpoint, or by the subscriber pulling them from the service.
Event Types - Published
There is only one type of event that is triggered in Cloud Pub/Sub, and that is when a message is published,
What is a post-mortem is and why it is used.
Post-mortems are reviews of incidents or projects with the goal of improving services or project practices. Incidents are disruptions to services.
Major incidents are often the result of two or more failures within a system.
Post-mortems help developers better understand application failure modes and learn ways to mitigate risks of similar incidents.
Post-mortems are best conducted without assigning blame.
Understand how and when to use the GCP SDK.
The GCP SDK is a set of command-line tools for managing Google Cloud resources. These commands allow you to manage infrastructure and perform operations from the command line instead of the console. The GCP SDK components are especially useful for automating routine tasks and for viewing information about the state of your infrastructure.
Cloud migrations are inherently about incrementally changing existing infrastructure to use cloud services to deliver information services.
You will need to plan a migration carefully to minimize the risk of disrupting services while maximizing the likelihood of successfully moving applications and data to the cloud. For many organizations, cloud computing is a new approach to delivering information services. These organizations may have built large, complex infrastructures running a wide array of applications using on-premises data centers. Now those same organizations want to realize the advantages of cloud computing.
Know the four stages of migration planning?
During the assessment phase, take inventory of applications and infrastructure. During the planning stage, you will define fundamental aspects of your cloud services, including the structure of the resource hierarchy as well as identities, roles, and groups. You will also migrate one or two applications in an effort to learn about the cloud and develop experience running applications in the cloud. In the deployment phase, data and applications are moved in a logical order that minimizes the risk of service disruption. Finally, once data and applications are in the cloud, you can shift your focus to optimizing the cloud implementation.
Understand how to assess the risk of migrating an application.
Considerations include service-level agreements, criticality of the system, availability of support, and quality of documentation. Consider other systems on which the migrating system depends. Consider other applications that depend on the migrating system. Watch for challenging migration operations, such as performing a database replication and then switching to a cloud instance of a database.
Understand how to map licensing to the way you will use the licensed software in the cloud.
Operating system, application, middleware services, and third-party tools may all have licenses. There are a few different ways to pay for software running in the cloud. In some cases, the cost of licensing is included with cloud service charges. In other cases, you may have to pay for the software directly in one of two ways. You may have an existing license that can be used in the cloud, known as the BYOL model, or you may purchase a license from the vendor specifically for use in the cloud. In other cases, software vendors will charge based on usage, much like cloud service pricing.
Know the steps involved in planning a network migration.
Network migration planning can be broken down into four broad categories of planning tasks: VPCs, access controls, scaling, and connectivity. Planning for each of these will help identify potential risks and highlight architecture decisions that need to be made. Consider how you will use networks, subnets, IP addresses, routes, and VPNs. Plan for linking on-premises networks to the Google Cloud using either VPNs or Cloud Interconnect.
Managing default organization roles by?
When an organization resource is created, all users in your domain are granted the Billing Account Creator and Project Creator roles by default. These default roles allow your users to start using Google Cloud immediately, but are not intended for use in regular operation of your organization resource.
Next step is to designate a Billing Account Creator and Project Creator for regular operations, and how to remove roles that were assigned by default to the organization resource.
Adding a Billing Account Creator and Project Creator
To migrate existing billing accounts into an organization resource, a user must have the Billing Account Creator IAM role. Users with the Project Creator role are able to create and manage Project resources.
Remove default roles from the organization resource
After you designate your own Billing Account Creator and Project Creator roles, you can remove these roles from the organization resource to restrict those permissions to specifically designated users. T
Billing to BigQuery
Tools for monitoring, analyzing and optimizing cost have become an important part of managing development. Billing export to BigQuery enables you to export your daily usage and cost estimates automatically throughout the day to a BigQuery dataset you specify. You can then access your billing data from BigQuery. You can also use this export method to export data to a JSON file.
Regular file export to CSV and JSON is also available. However, if you use regular file export, you should be aware that regular file export captures a smaller dataset than export to BigQuery. For more information about regular file export and the data it captures, see Export Billing Data to a File.
Billing Account
A billing account is used to define who pays for a given set of resources. A billing account includes a payment instrument (setup in payment profile), to which costs are charged, and access control that is established by Cloud Platform Identity and Access Management (IAM) roles.
A billing account can be linked to one or more projects. Project usage is charged to the linked billing account. Projects that are not linked to a billing account cannot use GCP services that aren’t free.
Billing API
You can configure Billing on Google Cloud Platform (GCP) in a variety of ways to meet different needs.
GCP resources are the fundamental components that make up all GCP services, such as Google Compute Engine virtual machines (VMs), Google Cloud Pub/Sub topics, Google Cloud Storage buckets, and so on. For billing and access control purposes, resources exist at the lowest level of a hierarchy that also includes projects and an organization.
Projects: All lower level resources are parented by projects, which are the middle layer in the hierarchy of resources. You can use projects to represent logical projects, teams, environments, or other collections that map to a business function or structure. Any given resource can only exist in one project.
An organization is the top of the hierarchy of resources. All resources that belong to an organization are grouped under the organization node, to provide insight into and access control over every resource in the organization.
For more information on projects and organizations, see the Cloud Resource Manager documentation.
A billing account can be linked to one or more projects. Project usage is charged to the linked billing account. Projects that are not linked to a billing account cannot use GCP services that aren’t free.
Backend Bucket
Backend buckets allow you to use Google Cloud Storage buckets with HTTP(S) Load Balancing.
An HTTP(S) load balancer can direct traffic from specified URLs to either a backend bucket or a backend service. For example, the load balancer can send requests for static content to a Cloud Storage bucket and requests for dynamic content to a VM.
For example, you can have the load balancer send traffic with a path of /static to a storage bucket and all other requests to your instances.
What is Image Baking
Baking, Image
Manual: You can create a simple custom image by creating a new VM instance from a public image, configuring the instance with the applications and settings that you want, and then creating a custom image from that instance.
Use this method if you can configure your images from scratch manually rather than using automated baking or importing existing images.
You can create a simple custom image using the following steps:
Create an instance from a public image.
Connect to the instance.
Customize the instance for your needs.
Stop the instance.
Create a custom image from the boot disk of that instance. This process requires you to delete the instance but keep the boot disk.