GCP Flashcards

1
Q

Cloud Composer

A

Fully managed workflow orchestration service built on Apache Airflow.
Create, schedule, monitor, and manage workflows.

DAG - Directed Acyclic Graphs

2
Q

Create Instances

A

gcloud compute instances create gcelab2 --machine-type n1-standard-2 --zone us-central1-f

3
Q

SSH into created VM machine

A

gcloud compute ssh gcelab2 --zone us-central1-f

4
Q

Check that a Windows machine is up

A

gcloud compute instances get-serial-port-output instance-1 --zone us-central1-a

5
Q

Reset the password of a Windows machine

A

gcloud compute reset-windows-password instance-1 --zone us-central1-a --user admin

6
Q

Check the project from gcloud

A

gcloud config list project

7
Q

Fetch a configured value

A

gcloud config get-value compute/zone

8
Q

Create a kubeconfig entry for a Kubernetes cluster

A

gcloud container clusters get-credentials gcelab2

9
Q

Resource Hierarchy

A

Google Cloud resources are organized hierarchically. This allows us to map the enterprise’s operational structure to GCP, and to manage access control and permissions for groups of related resources.

Top-level node - Organization resource:
provides central visibility and control over all resources.

Next in the hierarchy are Folders:
used to isolate the requirements of different departments and teams.

Next in the hierarchy are Projects:
they contain computing, storage and networking resources.

10
Q

What is Cloud Identity

A

A unified identity, access, app, and endpoint management (IAM/EMM) platform.

  • Gives users access to apps with single sign-on
  • Multi-factor authentication
  • Endpoint management enforces policies for personal and corporate devices.
11
Q

BeyondCorp

A

Google’s zero trust solution that lets employees work from anywhere without having to log into a VPN.

BeyondCorp allows for single sign-on, access control policies, access proxy, and user- and device-based authentication and authorization. The BeyondCorp principles are:

  • Access to services must not be determined by the network from which you connect
  • Access to services is granted based on contextual factors from the user and their device
  • Access to services must be authenticated, authorized, and encrypted
12
Q

VPC Service Controls

A

Used to create perimeters that protect the resources and data of the specified services.
Controls:
1. Clients within a perimeter do not have access to resources outside the perimeter.
2. Data cannot be copied to unauthorized resources outside the perimeter.
3. Data exchange between clients and resources separated by perimeter is secured by ingress and egress rules.
4. Context-aware access to resources is based on client attributes.

Created at the organization level.

13
Q

Cloud Computing

A
  • On-demand self-service
  • Broad network access
  • Resource Pooling
  • Rapid Elasticity
  • Measured service
14
Q

Edge network location

A

Information is served from here for the lowest latency.

15
Q

Zone

A

A zone is not a single DC. Zones are independent geographic areas.

16
Q

Data Center

A

ISO 14001 Certification

17
Q

Billing

A
  • Billing in sub-hour
  • Discount for sustained use
  • Discount for committed use
  • Discount for preemptible use
  • Custom VM - Pay only for application
18
Q

GCP doesn’t lock-in

A

Bigtable - Apache HBase
Dataproc - Hadoop
TensorFlow - open-source libraries

19
Q

Compute

A
  • Compute Engine
  • Kubernetes Engine
  • App Engine
  • Cloud Functions
20
Q

Storage

A
  • Bigtable
  • Cloud Storage
  • Cloud SQL
  • Cloud Spanner
  • Cloud Datastore
21
Q

Big Data

A
  • BigQuery
  • Pub/Sub
  • Dataflow
  • Dataproc
  • Datalab
22
Q

Machine Learning

A
  • Natural Language API
  • Vision API
  • Machine Learning
  • Speech API
  • Translate API
23
Q

Operational Security

A
  • Intrusion detection systems
  • Techniques to reduce insider risk
  • Employee U2F use
  • Software development practices
24
Q

Internet Communication security

A
  • Google Front End
    • Designed-in Denial of Service protection

25
Q

Storage services security

A
  • Encryption at rest
26
Q

Service deployment security

A
  • Encryption of inter-service communication
27
Q

Hardware Infrastructure

A
  • Hardware design and provenance
  • Secure boot stack
  • Premises security
28
Q

User Identity Security

A

Central identity service with support for U2F

29
Q

Budgets

A
  • Budgets and alerts
    • can be based on the billing account or the GCP project
    • can be triggered as a % of the previous month's spend or as a fixed amount
  • Billing export
    • stores detailed information in a location where it can be analyzed later, such as BigQuery or Cloud Storage
  • Reports
    • visual tool
  • Quotas
    • prevent overconsumption of resources
    • Rate quota - resets after a certain time
    • Allocation quota - fixed quotas, for example, 5 networks per project. Can be raised by Google support.
30
Q

Resources organization

A

The main way to organize the resources we use in GCP.

All resources in a project should share a common business objective.

This helps in setting up policies that follow the principle of least privilege.

Organization

  • Folder
    • Folder
      • Folder
        • Project
          • Resources

Policies are inherited downwards. Each of the elements above is a point where policies can be defined.

31
Q

Google Cloud Security Responsibility

A

Google:

  • Managing infrastructure security
  • Helps with best practices, templates, products, and solutions

Customer:

  • Responsible for securing their data

32
Q

Project attributes

A
  • Project ID - globally unique - set by client - immutable
  • Project name - not unique - set by client - mutable
  • Project number - globally unique - set by GCP - immutable
33
Q

Folders

A

Provide flexible management.
Can be used to assign policies to specific departments.

The organization node is mandatory to use folders.

Projects can be moved into folders at any time.

34
Q

Organization node

A

Top of hierarchy

Special roles:

  • Organization Policy Administrator
  • Project Creator

G Suite automatically creates an organization node; if the client doesn’t have one, they can use Cloud Identity to create it.

35
Q

Hierarchy policies

A

The more generous policy wins.

If the project policy says Bob can access GCS while the Org policy says Bob can’t, the final result is that Bob is able to access GCS.

36
Q

IAM Policy

A
  • who (google group, google account, gsuite/cloud identity domain)
  • can do what (Roles: Primitive, Predefined, Custom)
  • on which resource

Primitive roles: Very coarse
Owner, Editor, Viewer, Billing Administrator

Predefined roles: A little finer control on access.
E.g. Instance Admin Role - specific to instance service.

Custom roles can be used only at project and organization level, and cannot be used at folder level.

37
Q

Service Account

A

SAs control server-to-server interactions.
Used to authenticate one service to another.
Used to control the privileges used by resources.
Identified by an email address:
PROJECT_NUMBER-compute@developer.gserviceaccount.com

They use cryptographic keys/tokens to manage access. They do not have passwords.

A predefined or custom role can be assigned to the service account.

A service account also acts as a resource, so an IAM policy can be attached to it.