GCP General Flashcards

1
Q

What is IaaS?

A

Virtualized data centers brought you Infrastructure as a Service,
IaaS, and Platform as a Service

2
Q

What is PaaS?

A

Platform as a Service, PaaS

PaaS offerings, on the other hand,
bind application code you write to libraries that
give access to the infrastructure your application needs.
That way, you can just focus on your application logic.
In the IaaS model,
you pay for what you allocate.
In the PaaS model, you pay for what you use.

3
Q

What is SaaS?

A

Software as a Service

Applications like Search, Gmail,
Docs and Drive are Software as
a Service applications in that they’re consumed directly over the internet by end users.

4
Q

What is a GCP Zone?

A

The zone is the finest-grained level.

A zone is a deployment area for Google Cloud Platform Resources.

5
Q

Is a GCP Zone the same as a DC?

A

Although people think of a zone as being like a GCP Data Center, that’s not strictly accurate because a zone
doesn’t always correspond to a single physical building

6
Q

What is a GCP region?

A

A group of closely located zones, which usually have
round-trip network latencies of under five milliseconds.

Locations within regions: think of a zone as a single failure domain within a region.

7
Q

What is a multi-Region resource?

A

A few Google Cloud Platform Services
support placing resources in what we call a Multi-Region.

For example, Google Cloud Storage, which we’ll discuss later,
lets you place data within the Europe Multi-Region.
That means, it’s stored redundantly in at least two geographic locations, separated by at least 160 kilometers within Europe.

8
Q

What is the GFE and what is it for?

A

Google services that want to make themselves available on the Internet
register themselves with an infrastructure service called the Google Front End,
which checks incoming network connections for correct certificates and best practices.
The GFE additionally
applies protections against denial of service attacks.

9
Q

What are the 4 billing protection mechanisms that GCP provides?

A

1- budgets and alerts
2- billing
3- export
4- reports and quota

10
Q

What are budgets and alerts?

A
You can define budgets either per
billing account or per GCP project.
A budget can be a fixed limit
or you can tie it to another metric.
For example, a percentage of the previous month's spend.

To be notified when costs approach your budget limit, create an alert.

Alerts are generally set at 50 percent, 90 percent, and 100 percent. Customisable.

11
Q

What are billing reports and quotas?

A

Reports is a visual tool in
the GCP console that
allows you to monitor your expenditure.

GCP also implements quotas,
which protect both account owners
and the GCP community as a whole.
Quotas are designed to prevent
the over-consumption of resources,
whether because of error or malicious attack.
Th
12
Q

What types of billing quotas are there?

A

There are two types of quotas: rate
quotas and allocation quotas.

Both get applied at the level of the GCP project.
Rate quotas reset after a specific time.

Allocation quotas, on the other hand, govern the number of
resources you can have in your projects.
For example, by default,
each GCP project has a quota allowing it no
more than five Virtual Private Cloud networks.

Although projects all start with the same quotas,
you can change some of them by requesting
an increase from Google Cloud support

13
Q

What are the GCP Resource Hierarchy levels?

A

Resources are organised into Projects, Projects into Folders and Folders into Organisation Nodes

14
Q

What are Projects?

A

All Google Cloud platform resources belong to a project.
Projects are the basis for enabling and using GCP services like managing APIs,
enabling billing and adding and removing
collaborators and enabling other Google services.
Each project is a separate compartment and each resource belongs to exactly one.

15
Q

What is the purpose of Folders?

A

You can organize projects into folders, although you don’t have to.
They’re a tool at your disposal to make your life easier.
For example, you can use folders to represent different departments,
teams, applications or environments in your organization.
Folders let teams have the ability to delegate administrative rights,
so they can work independently.
The resources in a folder inherit IAM policies from the folder.

16
Q

What is the Organisation Node for?

A

Most companies want the ability to have centralized visibility
on how resources are being used and to apply policy centrally.
That’s what the organization node is for.
It’s the top of the hierarchy.
There are some special roles associated with it.
For example, you can designate
an organization policy administrator so that
only people with privilege can change policies.
You can also assign a project creator role,
which is a great way to control who can spend money.

17
Q

Can policies defined at a higher level be overridden?

A

There’s one important rule to keep in mind.
The policies implemented at a higher level in
this hierarchy can’t take away access that’s granted at a lower level.

18
Q

What is IAM?

A

Identity and Access Management

An IAM policy has a “who” part,
a “can do what” part,
and an “on which resource” part.

19
Q

What is an IAM Role?

A

The “can do what” part is defined by an IAM role.
An IAM role is a collection of permissions.
Most of the time, to do any meaningful operations,
you need more than one permission.
For example, to manage instances in a project,
you need to create, delete,
start, stop, and change an instance.
So the permissions are grouped together into a role that makes them easier to manage

20
Q

What can be an Identity in IAM?

A

The “who” part of an IAM policy can be a Google account,
a Google group, a Service account,
or an entire G Suite,
or Cloud Identity domain.

21
Q

What are the 3 Primitive roles in Cloud IAM?

A

owner, editor, and viewer roles.

Primitive roles are broad. You apply them to a GCP project and they affect all resources in that project.

22
Q

What can the viewer role do?

A

If you’re a viewer on a given resource,

you can examine it but not change its state.

23
Q

What can the editor role do?

A

If you’re an editor, you can do everything a viewer can do,
plus change its state.

24
Q

What can the Owner role do?

A

And if you are an owner, you can do everything an editor can do,
plus manage roles and permissions on the resource.

The owner role on a project also lets you do one more thing: set up billing.

25
Q

What is the billing administrator role?

A

Often, companies want someone to be able to control the billing for
a project without the right to change the resources in the project.
And that’s why you can grant someone the billing administrator role.

26
Q

What are the actions associated with a Compute Engine InstanceAdmin Role?

A

Compute Engine's InstanceAdmin role lets whoever has
that role perform a certain set of actions on virtual machines.

The actions are:
listing them,
reading and changing their configurations,
and starting and stopping them.

27
Q

What are Custom Roles?

A

Custom Roles are user-defined groupings of actions for more fine-grained control (rather than using the predefined ones like Compute Engine's InstanceAdmin).

28
Q

Limitations of custom roles?

A

A couple cautions about custom roles.
First, you have to decide to use custom roles. You’ll need to manage their permissions.

Second, custom roles can only be used at the project or organization levels. They can’t be used at the folder level.

29
Q

What is a service account?

A

Allows a Compute Engine virtual machine to have permissions, rather than a person.

30
Q

How are Service Accounts Named?

A

Service accounts are named with an email address.

31
Q

Do Service Accounts use Passwords?

A

No, instead of passwords, they use cryptographic keys to access resources.

32
Q

Are Service Accounts also resources?

A

Yes, in addition to being an identity, a service account is also a resource.
So it can have IAM policies of its own attached to it.
For instance, Alice can have an editor role on
a service account and Bob can have the viewer role.
This is just like granting roles for any other GCP resource.