WIXLIB

the persistent disk disk-1 has been created. In contrast, Terraformwould figure out the dependencies on its own.You can modularize your configuration files using templates so thatthey can be independently updated and shared. Templates can bedefined in Python or Jinja2. The contents of your templates will beinlined in the configuration file that references them.Deployment Manager will create a manifest containing youroriginal configuration, any templates you have imported, and theexpanded list of all the resources you want to create.Cloud Operations (formerlyStackdriver)Operations provide a set of tools for monitoring, logging,debugging, error reporting, profiling, and tracing of resources inGCP (AWS and even on-premise).Cloud LoggingCloud Logging is GCP's centralized solution for real-time logmanagement. For each of your projects, it allows you to store,search, analyze, monitor, and alert on logging data: By default, data will be stored for a certain period of time. Theretention period varies depending on the type of log. You cannotretrieve logs after they have passed this retention period. Logs can be exported for different purposes. To do this, you createa sink, which is composed of a filter (to select what you want tolog) and a destination: Google Cloud Storage (GCS) for long term

retention, BigQuery for analytics, or Pub/Sub to stream it into otherapplications. You can create log-based metrics in Cloud Monitoring and even getalerted when something goes wrong.Logs are a named collection of log entries. Log entries recordstatus or events and includes the name of its log, for example,compute.googleapis.com/activity. There are two main types of logs:First, User Logs:These are generated by your applications and services. They are written to Cloud Logging using the Cloud Logging API,client libraries, or logging agents installed on your virtual machines. They stream logs from common third-party applications likeMySQL, MongoDB, or Tomcat. Second, Security logs, divided into:Audit logs, for administrative changes, system events, and dataaccess to your resources. For example, who created a particulardatabase instance or to log a live migration. Data access logs mustbe explicitly enabled and may incur additional charges. The rest areenabled by default, cannot be disabled, and are free of charges.Access Transparency logs, for actions taken by Google staff whenthey access your resources for example to investigate an issue youreported to the support team.VPC Flow LogsThey are specific to VPC networks (which I will introduce later).VPC flow logs record a sample of network flows sent from andreceived by VM instances, which can be later access in CloudLogging.They can be used to monitor network performance, usage,forensics, real-time security analysis, and expense optimization.Note: you may want to log your billing data for analysis. In thiscase, you do not create a sink. You can directly export your reportsto BigQuery.Cloud Monitoring

Cloud Monitoring lets you monitor the performance of yourapplications and infrastructure, visualize it in dashboards,create uptime checks to detect resources that are down and alert youbased on these checks so that you can fix problems in yourenvironment. You can monitor resources in GCP, AWS, and evenon-premise.It is recommended to create a separate project for Cloud Monitoringsince it can keep track of resources across multiple projects.Also, it is recommended to install a monitoring agent in your virtualmachines to send application metrics (including many third-partyapplications) to Cloud Monitoring. Otherwise, Cloud Monitoringwill only display CPU, disk traffic, network traffic, and uptimemetrics.AlertsTo receive alerts, you must declare an alerting policy. An alertingpolicy defines the conditions under which a service is consideredunhealthy. When the conditions are met, a new incident will becreated and notifications will be sent (via email, Slack, SMS,PagerDuty, etc).A policy belongs to an individual workspace, which can contain amaximum of 500 policies.TraceTrace helps find bottlenecks in your services. You can use thisservice to figure out how long it takes to handle a request, whichmicroservice takes the longest to respond, where to focus to reducethe overall latency, and so on.It is enabled by default for applications running on Google AppEngine (GAE) - Standard environment - but can be used forapplications running on GCE, GKE, and Google App EngineFlexible.Error Reporting

Error Reporting will aggregate and display errors produced inservices written in Go, Java, Node.js, PHP, Python, Ruby, or .NET.running on GCE, GKE, GAP, Cloud Functions, or Cloud Run.DebugDebug lets you inspect the application's state without stopping yourservice. Currently supported for Java, Go, Node.js and Python. It isautomatically integrated with GAE but can be used on GCE, GKE,and Cloud Run.ProfileProfiler that continuously gathers CPU usage and memoryallocation information from your applications. To use it, you needto install a profiling agent.How to store data in GCPIn this section, I will cover both Google Cloud Storage (for anytype of data, including files, images, video, and so on), the differentdatabase services available in GCP, and how to decide whichstorage option works best for you.Google Cloud Storage (GCS)

GCS is Google's storage service for unstructured data: pictures,videos, files, scripts, database backups, and so on.Objects are placed in buckets, from which they inherit permissionsand storage classes.Storage classes provide different SLAs for storing your data tominimize costs for your use case. A bucket's storage class can bechanged (under some restrictions), but it will affect new objectsadded to the bucket only.In addition to Google's console, you can interact with GCS fromyour command line, using gsutil. You can use specify:Multithreaded updates when you need to upload a large numberof small files. The command looks like gsutil -m cp files gs://mybucket)

Parallel updates when you need to upload large files. For moredetails and restrictions, visit this link.Another option to upload files to GCS is Storage Transfer Service(STS), a service that imports data to a GCS bucket from:An AWS S3 bucket A resource that can be accessed through HTTP(S) Another Google Cloud Storage bucket If you need to upload huge amounts of data (from hundreds ofterabytes up to one petabyte) consider Data Transfer Appliance:ship your data to a Google facility. Once they have uploaded thedata to GCS, the process of data rehydration reconstitutes the filesso that they can be accessed again.Object lifecycle managementYou can define rules that determine what will happen to an object(will it be archived or deleted) when a certain condition is met.For example, you could define a policy to automatically change thestorage class of an object from Standard to Nearline after 30 daysand to delete it after 180 days.This is the way a rule can be tion":{

180,"isLive":false}}]}}It will be applied through gsutils or a REST API call. Rules can becreated also through the Google Console.Permissions in GCSIn addition to IAM roles, you can use Access Control Lists (ACLs)to manage access to the resources in a bucket.Use IAM roles when possible, but remember that ACLs grantaccess to buckets and individual objects, while IAM roles areproject or bucket wide permissions. Both methods work intandem.To grant temporary access to users outside of GCP, use SignedURLs.Bucket lockBucket locks allow you to enforce a minimum retentionperiod for objects in a bucket. You may need this for auditing orlegal reasons.Once a bucket is locked, it cannot be unlocked. To remove, youneed to first remove all objects in the bucket, which you can only

do after they all have reached the retention period specified by theretention policy. Only then, you can delete the bucket.You can include the retention policy when you are creating thebucket or add a retention policy to an existing bucket (itretroactively applies to existing objects in the bucket too).Fun fact: the maximum retention period is 100 years.Relational Managed Databases in GCPCloud SQL and Cloud Spanner are two managed database servicesavailable in GCP. If you do not want to deal with all the worknecessary to maintain a database online, they are a great option.You can always spin a virtual machine and manage your owndatabase.Cloud SQLCloud SQL provides access to a managed MySQL or PostgreSQLdatabase instance in GCP. Each instance is limited to a singleregion and has a maximum capacity of 30 TB.Google will take care of the installation, backups, scaling,monitoring, failover, and read replicas. For availability reasons,replicas must be defined in the same region but a different zonefrom the primary instances.Data can be easily imported (first uploading the data to GoogleCloud Storage and then to the instance) and exported using SQLdumps or CSV files format. Data can be compressed to reduce costs(you can directly import .gz files). For "lift and shift" migrations,this is a great option.If you need global availability or more capacity, consider usingCloud Spanner.Cloud SpannerCloud Spanner is globally available and can scale (horizontally)very well.

These two features make it capable of supporting different use casesthan Cloud SQL and more expensive too. Cloud Spanner is not anoption for lift and shift migrations.NoSQL Managed Databases in GCPSimilarly, GCP provides two managed NoSQL databases, Bigtableand Datastore, as well as an in-memory database service,Memorystore.DatastoreDatastore is a completely no-ops, highly-scalable documentdatabase ideal for web and mobile applications: game states,product catalogs, real-time inventory, and so on. It's great for: User profiles - mobile apps Game save statesBy default, Datastore has a built-in index that improvesperformance on simple queries. You can create your own indices,called composite indexes, defined in YAML format.If you need extreme throughput (huge number of reads/writes persecond), use Bigtable instead.BigtableBigtable is a NoSQL database ideal for analytical workloads whereyou can expect a very high volume of writes, reads in themilliseconds, and the ability to store terabytes to petabytes ofinformation. It's great for: Financial analysis IoT data Marketing dataBigtable requires the creation and configuration of your nodes (asopposed to the fully-managed Datastore or BigQuery). You can add

or remove nodes to your cluster with zero downtime. The simplestway to interact with Bigtable is the command-line tool cbt.Bigtable's performance will depend on the design of your databaseschema. You can only define one key per row and must keep all theinformation associated with an entity in the same row. Think of it asa hash table. Tables are sparse: if there is no information associated with acolumn, no space is required. To make reads more efficient, try to store related entities in adjacentrows.Since this topic is worth an article on its own, I recommend youread the documentation.MemorystoreIt provides a managed version of Redis and Memcache (in-memorydatabases), resulting in very fast performance. Instances areregional, like Cloud SQL, and have a capacity of up to 300 GB.How to choose your databaseGoogle loves decision trees. This one will help you choose the rightdatabase your your projects. For unstructured data consider GCS orprocess it using Dataflow (discussed later).How does networking work in GCP?Virtual Private Cloud (VPC) - see the docs hereYou can use the same network infrastructure that Google uses torun its services: YouTube, Search, Maps, Gmail, Drive, and so on.Google infrastructure is divided into:

Regions: Independent geographical areas, at least 100 miles apartfrom each other, where Google hosts datacenters. It consists of 3 ormore zones. For example, us-central1.Zones: Multiple individual datacenters within a region. Forexample, us-central1-a.Edge Points of Presence: points of connection between Google'snetwork and the rest of the internet.GCP infrastructure is designed in a way that all traffic betweenregions travels through a global private network, resulting in bettersecurity and performance.On top of this infrastructure, you can build networks for yourresources, Virtual Private Clouds. They are software-definednetworks, where all the traditional network concepts apply:Subnets. Logical partitions of a network defined using CIDRnotation. They belong to one region only but can span multiplezones. If you have multiple subnets (including your on-premisenetworks if they are connected to GCP), make sure the CIDRranges do not overlap.IP addresses. Can be internal (for private communication withinGCP) or external (to communicate with the rest of the internet). Forexternal IP addresses, you can use an ephemeral IP or pay fora static IP. In general, you need an external IP address to connect toGCP services. However, in some cases, you can configure privateaccess for instances that only have an internal IP.Firewalls rules, to allow or deny traffic to your virtual machines,both incoming (ingress) and outgoing (egress). By default, allingress traffic is denied and all egress traffic is allowed. Firewallrules are defined at the VPC level but they apply to individualinstances or groups of instances using network tags or IPranges.Common issue: If you know your VMs are working correctly butyou cannot access them through HTTP(s) or cannot SSH into them,have a look at your firewall rules.

You can create hybrid networks connecting your on-premiseinfrastructure to your VPC.When you create a project, a default network will be created withsubnets in each region (auto mode). You can delete this network,but you need to create at least one network to be able to createvirtual machines.You can also create your custom networks, where no subnets arecreated by default and you have full control over subnet creation(custom mode).The main goal of a VPC is the separation of network resources. AGCP project is a way to organize resources and managepermissions.Users of project A need permissions to access resources in projectB. All users can access any VPC defined in any project to whichthey belong. Within the same VPC, resources in subnet 1 need to begranted access to resources in subnet 2.In terms of IAM roles, there is a distinction between who can createnetwork resources (Network admin, to create subnets, virtualmachines, and so on) and who is responsible for the security of the

resources (Security Admin, to create firewall rules, SSL certificates,and so on).The Compute Instance Admin role combines both roles.As usual, there are quotas and limits to what you can do in a VPC,amongst them: The maximum number of VPCs in a project. The maximum number of virtual machines per VPC. No broadcast or multicast. VPCs cannot use IPv6 to communicate internally, although globalload balancers support IPv6 traffic.How to share resources between multiple VPCsShared VPCShared VPCs are a way to share resources between differentprojects within the same organization. This allows you to controlbilling and manage access to the resources in different projects,following the principle of least privilege. Otherwise you'd have toput all the resources in a single project.To design a shared VPC, projects fall under three categories: Host project. It is the project that hosts the common resources.There can only be one host project.Service project: Projects that can access the resources in the hostproject. A project cannot be both host and service.Standalone project. Any project that does not make use of theshared VPC.You will only be able to communicate between resourcescreated after you define your host and service projects. Anyexisting resources before this will not be part of the shared VPC.VPC Network Peering

Shared VPCs can be used when all the projects belong to the sameorganization. However, if: You need private communication across VPCs.The VPCs are in projects that may belong to differentorganizations.Want decentralized control, that is, no need to define host projects,server projects, and so on.Want to reuse existing resources.VPC Network peering is the right solution.In the next section, I will discuss how to connect your VPC(s) withnetworks outside of GCP.How to connect on-premise and GCP infrastructuresThere are three options to connect your on-premise infrastructure toGCP: Cloud VPN

Cloud Interconnect Cloud PeeringEach of them with different capabilities, use cases, and prices that Iwill describe in the following sections.Cloud VPNWith Cloud VPN, your traffic travels through the public internetover an encrypted tunnel. Each tunnel has a maximum capacity of 3Gb per second and you can use a maximum of 8 for betterperformance. These two characteristics make VPN the cheapestoption.You can define two types of routes between your VPC and your onpremise networks: Static routes. You have to manually define and update them, forexample when you add a new subnet. This is not the preferredoption.Dynamic routes. Routes are automatically handled (defined andupdated) for you using Cloud Router. This is the preferred optionwhen BGP is available.Your traffic gets encrypted and decrypted by VPN Gateways (inGCP, they are regional resources).To have a more robust connection, consider using multiple VPNgateways and tunnels. In case of failure, this redundancy guaranteesthat traffic will still flow.Cloud InterconnectWith Cloud VPN, traffic travels through the public internet. WithCloud Interconnect, there is a direct physical connection betweenyour on-premises network and your VPC. This option will be moreexpensive but will provide the best performance.There are two types of interconnect available, depending on howyou want your connection to GCP to materialize:

Dedicated interconnect. There is "a direct cable" connecting yourinfrastructure and GCP. This is the fastest option, with a capacity of10 to 200 Gb per second. However, it is not available everywhere:at the time of this writing, only in 62 locations in the world.Partner interconnect. You connect through a service provider.This option is more geographically available, but the not as fast as adedicated interconnects: from 50 Mb per second to 10 Gb persecond.Cloud PeeringCloud peering is not a GCP service, but you can use it to connectyour network to Google's network and access services like Youtube,Drive, or GCP services.A common use case is when you need to connect to Google butdon't want to do it over the public internet.Other networking servicesLoad Balancers (LB)In GCP, load balancers are pieces of software that distribute userrequests among a group of instances.A load balancer may have m

Google Groups are a collection of Google and service accounts. G Suite Domain* is the type of account you can use to identify organizations. If your organization is already using Active Directory, it can be synchronized with Cloud IAM using Cloud Identity. allAuthenticatedUsers. To represent any authenticated user in GCP. allUsers. To represent .