cloud com·put·ing
noun
the practice of using a network of remote servers hosted on the Internet to store,
manage, and process data, rather than a local server or a personal computer.
Cloud Hosting
Multiple physical machines that act as one system.
The system is abstracted into multiple cloud services
Flexible, Scalable, Secure, Cost-Effective, High Configurability
What is Google?
Google was founded in 1996 and its claim to fame was the Google Search Engine.
The name of the Google search engine was a play on the word "googol".
A googol means a large number, precisely 10^100:
10,000,000,000,000,000,000,000,000,000,000,00
0,000,000,000,000,000,000,000,000,000,000,000,
000,000,000,000,000,000,000,000,000,000,000.
A Cloud Service Provider (CSP) is a company which provides multiple Cloud Services,
and those Cloud Services can be chained together to create cloud architectures
What is Google Cloud Platform?
Google Meet: Video conferencing, screensharing
Google Docs: Real-time collaborative word processor
Google Slides: Real-time collaborative presentations
Benefits of Cloud Computing
Cost-effective: You pay for what you consume, no up-front cost. On-demand pricing or Pay-as-you-go (PAYG) with thousands of customers sharing the cost of the resources.
Compute: Imagine having a virtual computer that can run applications, programs, and code.
Networking: Imagine having a virtual network, being able to define internet connections or network isolations.
Storage: Imagine having a virtual hard-drive that can store files.
Databases: Imagine a virtual database for storing reporting data, or a database for a general purpose web-application.
Shared Responsibility Model
Stack layers, from the customer's side down to GCP's: Code, App Container, Runtime, OS, Virtualization. The customer's level of control is highest at the top of the stack, and GCP's responsibility grows toward the bottom.
Customer responsibility:
• Customer Data
• Platforms, Applications, Identity and Access Management (IAM)
• Configuration of Managed Services or Third-Party Software
GCP responsibility:
• Software: Compute, Storage, Database, Networking
• The OS underneath each of those services
Cloud Computing Deployment Models
Public Cloud: Everything built on the Cloud Provider. Also known as: Cloud-Native
Private Cloud: Everything built on the company's datacenters. Also known as On-Premise. The cloud could be OpenStack
Hybrid: Using both On-Premise and a Cloud Service Provider
Cross-Cloud: Using Multiple Cloud Providers. Aka multi-cloud, "hybrid-cloud"
On-Premise vs GCP
On-Premise: Software license Fees
• Implementation
• Configuration
• Training
• Physical Security
• Hardware
• IT Personnel
• Maintenance
GCP: Subscription Fees
• Implementation
• Configuration
• Training
Physical Security, Hardware, IT Personnel and Maintenance are GCP's Responsibility. 75% Savings
Capital vs Operational Expenditure
Capital Expenditure: Spending money upfront on physical infrastructure. Deducting that expense from your tax bill over time. With Capital Expenses you have to guess upfront what you plan to spend.
Operational Expenditure: The costs associated with an on-premises datacenter that has shifted the cost to the service provider. The customer only has to be concerned with non-physical costs. With Operation Expenses you can try a product or service without investing in equipment.
Cloud Architecture Terminologies
Availability – Your ability to ensure a service remains available
Highly Available (HA)
Horizontal Scaling
Scaling Out — Add more servers of the same size
Scaling In — Removing servers of the same size
Fail-over is when you have a plan to shift traffic to a redundant system in case the primary system fails.
You can use Cloud DNS, which is a DNS service that can detect a failing primary system and fail-over to a stand-by secondary system.
A common example is having a copy (secondary) of your database where all ongoing changes
are synced. The secondary system is not in-use until a fail over occurs and it becomes the
primary database.
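To make the fail-over logic above concrete, here is an added example (not from the original slides and not Cloud DNS's implementation): an in-memory resolver that probes the primary, switches traffic to the stand-by only after a configurable number of consecutive failed health checks, and fails back only after the primary has answered several probes in a row, so a single dropped probe does not flap traffic between the two systems. Endpoint names, addresses, the thresholds and the scripted probe outcomes are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, List


@dataclass
class Endpoint:
    name: str
    address: str


@dataclass
class FailoverResolver:
    """Serves the primary while it passes health checks, the stand-by otherwise."""
    primary: Endpoint
    secondary: Endpoint
    probe: Callable[[Endpoint], bool]   # health check: True when the endpoint answered
    failure_threshold: int = 3          # consecutive failed probes before failing over
    recovery_threshold: int = 2         # consecutive good probes before failing back (assumed policy)
    active: Endpoint = field(init=False)
    history: List[str] = field(default_factory=list, init=False)
    _failures: int = field(default=0, init=False)
    _successes: int = field(default=0, init=False)

    def __post_init__(self) -> None:
        self.active = self.primary

    def tick(self) -> Endpoint:
        """Run one health-check cycle against the primary and update the active target."""
        if self.probe(self.primary):
            self._failures, self._successes = 0, self._successes + 1
        else:
            self._failures, self._successes = self._failures + 1, 0

        if self.active is self.primary and self._failures >= self.failure_threshold:
            self.active = self.secondary           # fail-over: the stand-by becomes the serving system
            self.history.append(f"failover -> {self.secondary.name}")
        elif self.active is self.secondary and self._successes >= self.recovery_threshold:
            self.active = self.primary             # fail-back once the primary is reliably healthy again
            self.history.append(f"failback -> {self.primary.name}")
        return self.active

    def resolve(self) -> str:
        """What a DNS-style lookup would return right now."""
        return self.active.address


def simulate(probe_outcomes: List[bool]):
    """Drive the resolver with a scripted sequence of probe results (constructed input).
    Returns (address served on each tick, list of transitions)."""
    outcomes = iter(probe_outcomes)
    resolver = FailoverResolver(
        primary=Endpoint("db-primary", "10.0.0.10"),
        secondary=Endpoint("db-standby", "10.0.1.10"),
        probe=lambda _endpoint: next(outcomes),
    )
    served = []
    for _ in probe_outcomes:
        resolver.tick()
        served.append(resolver.resolve())
    return served, resolver.history


if __name__ == "__main__":
    # one dropped probe (tick 2) is absorbed; four failures in a row (ticks 4-7) trigger fail-over
    scripted = [True, False, True, False, False, False, False, True, True, True]
    served, transitions = simulate(scripted)
    for tick, (ok, addr) in enumerate(zip(scripted, served), start=1):
        print(f"tick {tick}: primary {'up' if ok else 'DOWN'} -> serving {addr}")
    print(transitions)
```

The thresholds are the design choice worth noting: without them a single lost probe would move traffic to a stand-by that is not yet warmed up, and the stand-by would hand it back on the next good probe.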
High Durability
Your ability to recover from a disaster and to prevent the loss of data
Solutions that recover from a disaster are known as Disaster Recovery (DR)
The Google Cloud Console is a web-based, unified console that provides an alternative to command-line tools.
Build, manage, and monitor everything from simple web apps to complex cloud deployments.
Cloud SDK
A Software Development Kit (SDK) is a collection of software
development tools in one installable package.
You can use the Cloud SDK to programmatically create, modify, delete
or interact with Google Cloud resources.
Resources within a single project can work together easily, for example
by communicating through an internal network, subject to the regions-
and-zones rules.
Each Google Cloud project has the following:
• A project name, which you provide.
• A project ID, which you can provide or Google Cloud can provide for you.
• A project number, which Google Cloud provides
• 25 Regions
• 76 Zones
• 144 Network Edge Locations
• 200+ Countries
Points of Presence (PoP) is an intermediate location between a GCP Region and the end user
This location could be a third-party datacenter or collection of hardware.
Edge PoP
A location where a user can quickly enter (ingress) the
GCP Network for accelerated access to cloud resources
CDN PoP
a location to serve (egress) cached website, files, assets
so they load very fast for the end user
Assured Workloads
a feature that allows you to apply various security controls to an environment:
• Data Residency
• Personnel data access controls based on attributes
• Personnel support case ownership controls based on attributes
• Encryption
Cloud Interconnect enables you to transfer large amounts of data between networks, which can
be more cost-effective than purchasing additional bandwidth over the public internet.
What is GovCloud?
A Cloud Service Provider (CSP) generally will offer an isolated region to run FedRAMP workloads.
A GovCloud offering in practice can result in degraded service offerings, lower service availability, and
higher operational cost.
Google Cloud has an alternate offering to GovCloud where FedRAMP workloads are authorized in
GCP's usual regional datacenters. This scheme mitigates the disadvantage of a GovCloud offering.
What is Latency?
Latency is the time delay between two physical systems
What is Lag?
Lag is the noticeable delay between the actions of input and the
reactions of the server sent back to the client.
(Illustration: a 10ms delay compared with a 500ms delay.)
Burning platform is a term used when a company abandons old technology for
new technology with the uncertainty of success and can be motivated by fear that
the organization's future survival hinges on its digital transformation
Evolution of Computing Power
What is Computing Power?
The throughput measured at which a computer can complete a computational task.
Digital Transformation is the adoption of digital technology to transform services or businesses through
• replacing non-digital or manual processes with digital processes (going paperless)
• replacing older digital technology with newer digital technology (adopting cloud technology)
Lead — The extent to which IT teams are supported by a mandate from leadership to migrate to cloud. The degree to which the teams themselves are cross-functional, collaborative, and self-motivated.
• How are the teams structured?
• Have they got executive sponsorship?
• How are cloud projects budgeted, governed, assessed?
Scale: The extent to which you use cloud-native services that reduce operational overhead and automate manual processes and policies.
• How are cloud-based services provisioned?
• How is capacity for workloads allocated?
• How are application updates managed?
Secure — The capability to protect your services from unauthorized and inappropriate access with a multilayered, identity-centric security model. Dependent also on the advanced maturity of the other three themes.
• What controls are in place?
• What technologies are used?
• What strategies govern the whole?
GCAF — Phases
Tactical: (Short term) Individual workloads are in place, but no coherent plan.
The focus is on reducing the cost of discrete systems.
Getting to the cloud with minimal disruption.
The wins are quick, but there is no provision for scale.
Strategic: (Mid Term) A broader vision governs individual workloads, which are designed and developed with an eye
to future needs and scale.
Have begun to embrace change, and people and processes are now involved in the adoption strategy.
IT teams are both efficient and effective, increasing the value of harnessing the cloud for your business operations.
Organizations Maturity (themes: Learn, Lead, Scale, Secure)
Tactical (short-term)
• Learn: Self taught; 3rd party reliance
• Lead: Teams by function; heroic project manager
• Scale: Change is slow and risky; ops heavy
• Secure: Fear of public internet; trust in private network
Strategic (mid-term)
• Learn: Organized training; 3rd party assisted
• Lead: New cross-functional cloud team
• Scale: Templates ensure good governance without manual review
• Secure: Central identity; hybrid network
Transformational (long-term)
• Learn: Peer learning and sharing; 3rd party staff augmentation
• Lead: Cross-functional feature teams; greater autonomy
• Scale: All change is constant, low risk and quickly fixed
• Secure: Trust only the right people, devices and services
GCAF — Epics
If you are limited in time and resources, focus on the epics in the coloured segments since these align with Learn, Lead, Scale, and Secure.
Epics shown in the diagram: Tech Architecture, Process, Incident Management, Resource Management, Infra as Code, CI/CD, Instrumentation
GCAF — Programs
A program is a logical grouping of epics that correlate to themes, to allow you to focus specific adoption efforts.
It is a simple multiple choice form. You will get an email with your maturity phase.
Container-Optimized OS
You can deploy docker containers to any
Compute Engine VM by enabling container mode
Cloud Run
Run stateless containers on a fully
managed environment or on Anthos.
A database is a more complex data store because it requires using formal design and modeling techniques.
A relational datastore designed for analytic workloads is generally a column-oriented data store.
A key/value store stores a unique key alongside a value, for example:
Key: Data, Value: 1010101000101011001010010101001
Key: Worf, Value: 0110101100010101010101011100010
Key: Ro Laren, Value: 0010101001010110010101010101010
Key value stores are dumb and fast. They generally lack features like:
• Relationships
• Indexes
• Aggregation
Relational term and its document-store equivalent: Tables correspond to Collections, Rows to Documents, Columns to Fields, Indexes to Indexes.
File (Filestore)
File is stored with data and metadata
Multiple connections via a network share
Supports multiple reads, writing locks the file.
When you just want to upload files, and not have to worry
about underlying infrastructure. Not intended for high IOPs
Cloud Storage
Cloud Storage is a serverless object storage service.
You don’t have to worry about the underlying disks, right-sizing, availability
or durability. You only pay based on storage and download
• Files are called Objects
• Folders are called Buckets
• Unlimited storage with no minimum object size.
• Worldwide accessibility and worldwide storage locations.
• Low latency (time to first byte typically tens of milliseconds).
• High durability (99.999999999% annual durability).
• Geo-redundancy if the data is stored in a multi-region or dual-region.
• A uniform experience with Cloud Storage features, security, tools, and APIs.
Available Storage Classes
• Standard Storage (0 day min) – when you are frequently using files. The least cost-effective
• Nearline Storage (30 day min) – when you will only access a file once per month, cheaper than standard.
• Coldline Storage (90 day min) – higher access cost than nearline store but lower at-rest cost
• Archive Storage (365 day min) – very slow retrieval, very cost effective, rarely or never intended to be accessed
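The minimum storage durations listed above matter the moment a bucket gets an automated lifecycle policy: moving or deleting an object before it has spent the minimum time in its class incurs early-deletion charges. The following added example (not from the original slides) checks a lifecycle policy document against those durations. The document shape (lifecycle.rule[] with action and condition.age) is the one the Cloud Storage JSON API uses; the two policies are constructed for illustration.

```python
import json

# Minimum storage duration per class, in days (from the storage class descriptions above)
MIN_DAYS = {"STANDARD": 0, "NEARLINE": 30, "COLDLINE": 90, "ARCHIVE": 365}
# Lifecycle transitions may only move an object to a colder (later) class
CLASS_ORDER = ["STANDARD", "NEARLINE", "COLDLINE", "ARCHIVE"]


def check_lifecycle(policy: dict, initial_class: str = "STANDARD") -> list:
    """Walk the age-based rules of a bucket lifecycle document in age order and
    report any transition or delete that fires before the object has spent the
    minimum duration in its current class. Returns a list of finding strings
    (an empty list means the policy is clean)."""
    findings = []
    rules = [r for r in policy.get("lifecycle", {}).get("rule", [])
             if "age" in r.get("condition", {})]
    rules.sort(key=lambda r: r["condition"]["age"])

    current_class, entered_at = initial_class, 0
    for rule in rules:
        age = rule["condition"]["age"]
        action = rule["action"]
        days_in_class = age - entered_at
        if days_in_class < MIN_DAYS[current_class]:
            findings.append(
                f"age {age}: {action['type']} after only {days_in_class} days in {current_class} "
                f"(minimum {MIN_DAYS[current_class]}); early-deletion charges apply")
        if action["type"] == "Delete":
            break                      # nothing happens to the object after it is deleted
        if action["type"] == "SetStorageClass":
            target = action["storageClass"]
            if CLASS_ORDER.index(target) <= CLASS_ORDER.index(current_class):
                findings.append(f"age {age}: {current_class} -> {target} is not a move to a colder class")
                continue
            current_class, entered_at = target, age
    return findings


def check_lifecycle_json(text: str) -> list:
    """Same check over the JSON text of a policy (e.g. as exported from the bucket)."""
    return check_lifecycle(json.loads(text))


# Constructed policy: Nearline objects are moved again after 15 days, short of the 30-day minimum
PROBLEM_POLICY = {"lifecycle": {"rule": [
    {"action": {"type": "SetStorageClass", "storageClass": "NEARLINE"}, "condition": {"age": 30}},
    {"action": {"type": "SetStorageClass", "storageClass": "COLDLINE"}, "condition": {"age": 45}},
    {"action": {"type": "Delete"}, "condition": {"age": 400}},
]}}

# Constructed corrected policy: each step waits out the minimum duration of the previous class
CLEAN_POLICY = {"lifecycle": {"rule": [
    {"action": {"type": "SetStorageClass", "storageClass": "NEARLINE"}, "condition": {"age": 30}},
    {"action": {"type": "SetStorageClass", "storageClass": "COLDLINE"}, "condition": {"age": 120}},
    {"action": {"type": "SetStorageClass", "storageClass": "ARCHIVE"}, "condition": {"age": 210}},
    {"action": {"type": "Delete"}, "condition": {"age": 600}},
]}}

if __name__ == "__main__":
    for name, policy in [("problem", PROBLEM_POLICY), ("clean", CLEAN_POLICY)]:
        print(name, check_lifecycle_json(json.dumps(policy)) or "OK")
```

The check only reasons about age-based rules; rules keyed on other conditions (matchesStorageClass, creation date, version count) are skipped rather than guessed at.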
Shared VPC
Share subnets with other projects; connect resources from multiple projects to a common VPC.
Borg
A cluster manager that runs hundreds of thousands of jobs, from many thousands of different
applications, across a number of clusters each with up to tens of thousands of machines.
Chubby
A distributed lock manager (DLM) as a service that temporarily prevents files and records from being
used by another user or operation on a Virtual Machine
Colossus
Cluster-level file system, successor to the Google File System (GFS) provides the underlying
infrastructure for all Google Cloud storage services, from Firestore to Cloud SQL to Filestore, and
Cloud Storage.
What is Apigee?
These API Gateways generally support the OpenAPI standard so you can
quickly import and export your APIs
API Management
BigQuery: Understand your data using a fully managed, highly scalable data warehouse with built-in ML.
Dataproc: Perform batch processing, querying, and streaming using a managed Apache Spark and Hadoop service.
Eventarc
Build event-driven solutions by asynchronously
delivering events from Google services, SaaS, and your
own apps.
Hybrid and Multi-Cloud
Anthos
Modernize existing apps, and build new apps rapidly in hybrid and multi-cloud environments, while enabling consistency
between on-premises and cloud environments.
Anthos deployed on VMware
Modernize existing apps and build new apps on your VMware environments.
Anthos GKE
Deploy, manage, and scale containerized applications on Kubernetes, powered by Google Cloud.
Anthos Config Management
Automate policy and security at scale for your hybrid Kubernetes deployments.
Cloud Run for Anthos
Easily leverage the benefits of combining Kubernetes and serverless
Operations
Aggregate metrics, logs, and events from your infrastructure to get signals and to speed analysis.
Traffic Director
Deploy global load balancing across clusters and configure sophisticated traffic control policies for open service mesh.
Internet of Things
Internet of things (IoTs) are physical objects embedded with sensors, software and
other technologies that stream data to cloud services or other edge devices
IoT Core
Securely connect and manage IoT
devices using a fully managed service.
(Illustrated examples: Drones, Smart Plant, Health Sensor, Video Security, IoT Kits)
Game Servers
Deliver seamless multiplayer gaming experiences to a global player base.
• Fully manages Agones, an open source game server management
project that runs on Kubernetes.
OpenCue
Manage complex media rendering tasks using an open source
render manager.
Transcoder API
Convert video files and package them for optimized delivery to web, mobile
and connected TVs.
Operations Suite
Google’s Operations Suite allows you to monitor, log, trace, and profile your apps and services.
Cloud Monitoring
Cloud Monitoring provides visibility into the
performance, availability, and overall health of cloud-
powered applications.
Chrome Enterprise
Use Chrome management policies to
meet productivity and security needs.
Firebase
Firebase is Google’s fully-managed platform for rapidly
developing and deploying web and mobile applications.
Platform as a Service utilizing Serverless technology
Firebase is an alternative to Google Cloud for users who want to focus on building and
deploying their application in a highly opinionated framework.
Migration
Database Migration Service (DMS): when you're migrating open-source relational databases.
Serverless, easy, minimal downtime migrations to Cloud SQL.
Lift-and-Shift
Move workloads from a source environment to a target
environment with minor or no modifications or refactoring.
Ideal when
• a workload can operate as-is in the target environment
• little or no business need for change
Considerations
• Requires the least amount of time because the amount of refactoring is kept to a minimum
• Team can continue to use the same set of tools and skills that they were using before
• Doesn’t take full advantage of cloud platform features:
• horizontal scalability
• fine-grained pricing
• highly managed services
Types of Migration — Move and Improve
Improve-and-move
Modernize the workload while migrating to take
advantage of cloud-native capabilities
Ideal when
• architecture or infrastructure of an app isn't supported in the target environment
• a major update to the workload is necessary
Considerations
• take longer than lift and shift migrations
• must be refactored in order for the app to migrate
• extra time and effort as part of the life cycle of the app
• requires that you learn new skills
Types of Migration – Rip and Replace
Rip-and-replace
decommission an existing app and completely
redesign and rewrite it as a cloud-native app
Ideal when:
• current app isn't meeting your goals
• you want to remove legacy technical debt
Considerations:
• Requires the most amount of time to develop
• Requires the most amount of learning
Migration Path
There are four phases of your migration:
Assess. Perform a thorough assessment and discovery of your existing environment in order to understand your app and environment inventory, identify app dependencies and requirements, perform total cost of ownership calculations, and establish app performance benchmarks.
Plan. Create the basic cloud infrastructure for your workloads to live in and plan how you will move apps. This planning includes identity management, organization and project structure, networking, sorting your apps, and developing a prioritized migration strategy.
Deploy. Design, implement and execute a deployment process to move workloads to Google Cloud. You might also have to refine your cloud infrastructure to deal with new needs.
Optimize. Begin to take full advantage of cloud-native technologies and capabilities to expand your business's potential to things such as performance, scalability, disaster recovery, costs, training, as well as opening the doors to machine learning and artificial intelligence integrations for your app.
Migration Path — Phase 1
In the assessment phase, you gather information about the workloads
you want to migrate and their current runtime environment.
Take inventory
Build a list of all of your machines, hardware specifications, operating systems, and licenses
Catalog Apps
Build a catalog matrix to help you organize apps into categories based on their complexity and risk in moving to Google Cloud
Educate your organization about Google Cloud
train and certify your software and network engineers on how the cloud works and what Google Cloud products
In the deploy phase, implement a deployment process and refine it during the migration
Migrate for Compute Engine enables you to migrate (Lift and Shift) your virtual machines (VMs), with
minor automatic modifications, from your source environment to Google Compute Engine
• continuously replicates disk data from the source VMs to Google Cloud
• no downtime on the source during transfer
• quickly clone and test a migrated VM using test clones
• easily perform all migration tasks within the Google Cloud Console
Anthos
Anthos is a modern application management platform used for managing hybrid architectures
that span from Google Cloud to AWS or on-premise datacenters running VMware.
Migrate for Anthos and Google Kubernetes Engine (GKE) is a tool to move and automatically convert workloads
directly into containers in Google Kubernetes Engine (GKE) and Anthos
With Migrate for Anthos, you can migrate your VMs from supported source platforms to:
• Google Kubernetes Engine (GKE)
• Anthos
• Anthos clusters on VMware
• Anthos clusters on AWS
Migrate for Anthos is offered at no charge and no Anthos subscription is required when migrating to GKE.
Charges for other GCP services (e.g. compute, storage, network, etc.) still apply.
Storage Transfer Service
Storage Transfer Service allows you to quickly import online data into Cloud Storage
(Appliance capacities shown: 100TB, 480TB)
Performance Features:
• All SSD drives — no moving parts, very fast IOPs
• Multiple network connectivity options — 10Gbps or 40Gbps transfer speed
• Scalability with multiple appliances — use multiple appliance to increase transfer speed
• Globally distributed processing — ships quickly to and from the datacenter to Google Cloud
• Minimal software — use common software already on your Linux, Mac, or Windows system
AI and ML Services
Vertex AI is Google Cloud’s unified ML platform for building ML solutions end-to-end
Auto ML
Vision Video Language Translation Tables
Experiments
AI Accelerators
Pipelines (Orchestration)
Notebooks
TensorFlow
TensorFlow is a low-level deep learning machine learning framework created by Google Brain Team
TensorFlow is written in Python, C++ and CUDA, there are APIs to allow you to use various other languages.
What is a tensor?
A Tensor is a multi-dimensional array, e.g. tf.Tensor, similar to NumPy ndarray objects
tf.Tensors can reside in accelerator memory (like a GPU)
TensorFlow Enterprise
Accelerate and scale ML workflows on the cloud with compatibility-tested
and optimized TensorFlow along with enterprise-ready services and support
AI and ML Services
Vertex AI is the unification of AI Platform and the addition of AutoML
To offer an end-to-end solution for all your custom ML and DL needs.
AI Platform (deprecated)
• Preparing a dataset for supervised training with Data Labeling
• Notebooks to write and document building ML models
• A Model registry to hold all your trained models
• Pipelines for setting up automated CI/CD to rapidly deploy new changes (known as MLOps)
AutoML
Easily train high-quality, custom ML models.
You upload your data, choose what you want
to predict and it does the rest!
AutoML Tables
Build and deploy machine learning models
on structured data.
ML/DL Environment
To prepare, train, tune, predict for Machine Learning models you need to use compute
optimized and specialized for ML and DL tasks.
Vision AI: Derive insights from images, text, and more using custom or pretrained models.
Video AI: Enable powerful content discovery and engaging video experiences.
Agent Assist
Empower human agents with continuous support during calls by
identifying intent and providing real-time, step-by-step assistance.
Dialogflow
Build engaging voice and text-based conversational interfaces.
• Dialogflow CX — Provides an advanced agent type suitable for large or very complex agents.
• Dialogflow ES — Provides the standard agent type suitable for small and simple agents.
Text-to-Speech: Convert text to natural-sounding speech using ML.
Speech-to-Text: Convert speech to text using the power of ML.
Identity and Access
IAM: Establish fine-grained identity and access management for Google Cloud resources.
Managed Service for Microsoft Active Directory: Use a highly available, hardened service running Microsoft Active Directory (AD).
Cloud Identity: Easily manage user identities, devices, and applications from one console.
Resource Manager: Hierarchically manage resources on Google Cloud.
Identity Platform: Add Google-grade identity and access management to your apps.
Security key enforcement: Enforce the use of security keys to help prevent account takeovers.
BeyondCorp Enterprise: A zero-trust solution that enables secure access with integrated threat and data protection.
Titan Security Keys: Defend against account takeovers from phishing attacks. Security Keys made by Google.
Identity-Aware Proxy: Use identity and context to guard access to your applications and VMs.
Security
Access Transparency: Get visibility over your cloud provider through near real-time logs.
Cloud Key Management Service: Manage encryption keys on Google Cloud.
Binary Authorization: Deploy only trusted containers on Kubernetes Engine.
Security Command Center: Understand your security and data attack surface.
Cloud Asset Inventory: View, monitor, and analyze Google Cloud and Anthos assets across projects and services.
Shielded VMs: Deploy hardened virtual machines on Google Cloud.
Cloud Audit Logs: Gain visibility into who did what, when, and where for all user activity on Google Cloud.
VPC Service Controls: Protect sensitive data in Google Cloud services using security perimeters.
Cloud Data Loss Prevention: Discover and redact sensitive data.
Incident Response and Management: Improve your incident median time to mitigation.
Cloud HSM: Protect cryptographic keys with a fully managed hardware security module service.
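"Who did what, when, and where" is exactly the question an on-call engineer asks of Cloud Audit Logs. The following added example (not from the original slides) flattens Admin Activity audit entries into those four fields and raises an alert for a few method names that change privilege or exposure, noting when the caller IP falls outside an assumed corporate range. The entries are constructed to follow the Cloud Logging LogEntry and AuditLog layout (protoPayload.methodName, authenticationInfo.principalEmail, requestMetadata.callerIp); the project id, identities, IPs and timestamps are made up.

```python
import ipaddress
import json

# methodName values that change privilege or exposure and deserve an alert on their own
SENSITIVE_METHODS = {
    "SetIamPolicy": "IAM policy changed",
    "google.iam.admin.v1.CreateServiceAccountKey": "service account key created",
    "v1.compute.firewalls.insert": "firewall rule added",
}

# Assumed corporate egress range (TEST-NET-3, constructed for the example)
CORPORATE_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]


def summarize(entry: dict) -> dict:
    """Flatten one audit LogEntry into who / what / on what / when / from where."""
    payload = entry["protoPayload"]
    return {
        "who": payload.get("authenticationInfo", {}).get("principalEmail", "<unknown>"),
        "what": payload.get("methodName", "<unknown>"),
        "on": payload.get("resourceName", "<unknown>"),
        "when": entry.get("timestamp"),
        "where": payload.get("requestMetadata", {}).get("callerIp", "<unknown>"),
    }


def is_corporate(caller_ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(caller_ip)
    except ValueError:      # callerIp is not always a literal address; treat anything else as unknown
        return False
    return any(addr in net for net in CORPORATE_NETWORKS)


def triage(lines) -> list:
    """Parse newline-delimited JSON log lines and return an alert dict for every
    sensitive admin action, enriched with a note when the caller IP is not corporate."""
    alerts = []
    for line in lines:
        entry = json.loads(line)
        payload = entry.get("protoPayload", {})
        if not payload.get("@type", "").endswith("AuditLog"):
            continue                                   # not an audit log entry
        summary = summarize(entry)
        if summary["what"] not in SENSITIVE_METHODS:
            continue
        reasons = [SENSITIVE_METHODS[summary["what"]]]
        if not is_corporate(summary["where"]):
            reasons.append("caller IP outside corporate ranges")
        alerts.append({**summary, "reasons": reasons})
    return alerts


# Constructed sample entries (project id, identities, IPs and timestamps are made up)
SAMPLE_LOG_LINES = [
    json.dumps({"timestamp": "2023-05-01T09:12:03Z",
                "logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Factivity",
                "protoPayload": {"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
                                 "serviceName": "cloudresourcemanager.googleapis.com",
                                 "methodName": "SetIamPolicy",
                                 "resourceName": "projects/example-project",
                                 "authenticationInfo": {"principalEmail": "alice@example.com"},
                                 "requestMetadata": {"callerIp": "203.0.113.7"}}}),
    json.dumps({"timestamp": "2023-05-01T23:40:51Z",
                "logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Factivity",
                "protoPayload": {"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
                                 "serviceName": "iam.googleapis.com",
                                 "methodName": "google.iam.admin.v1.CreateServiceAccountKey",
                                 "resourceName": "projects/example-project/serviceAccounts/deployer@example-project.iam.gserviceaccount.com",
                                 "authenticationInfo": {"principalEmail": "bob@example.com"},
                                 "requestMetadata": {"callerIp": "198.51.100.23"}}}),
    json.dumps({"timestamp": "2023-05-01T10:02:17Z",
                "logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Fdata_access",
                "protoPayload": {"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
                                 "serviceName": "storage.googleapis.com",
                                 "methodName": "storage.objects.get",
                                 "resourceName": "projects/_/buckets/example-bucket/objects/report.csv",
                                 "authenticationInfo": {"principalEmail": "carol@example.com"},
                                 "requestMetadata": {"callerIp": "203.0.113.9"}}}),
    json.dumps({"timestamp": "2023-05-01T10:05:00Z", "textPayload": "app started"}),
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG_LINES):
        print(f"{alert['when']} {alert['who']} {alert['what']} on {alert['on']} from {alert['where']}: "
              + "; ".join(alert["reasons"]))
```

Feeding it an export from a log sink is a matter of replacing SAMPLE_LOG_LINES with the file's lines; the Data Access entry and the plain text entry are included to show that only Admin Activity method names on the watch list produce alerts.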
User Protection Services
Phishing Protection
Help protect your users from phishing sites.
reCAPTCHA Enterprise
Help protect your website from fraudulent
activity, spam, and abuse.
Web Risk
Detect malicious URLs on your website and in
client applications.
Secure-By-Design Infrastructure
Operational and device security
• develop and deploy infrastructure software using rigorous security practices.
• operations teams detect and respond to threats to the infrastructure from both insiders and external actors, 24/7/365.
Service deployment
• Any application that runs on our infrastructure is deployed with security in mind.
• We don't assume any trust between services, and we use multiple mechanisms to establish and maintain trust.
• infrastructure was designed to be multi-tenant from the start.
Internet communication
• Communications over the internet to our public cloud services are encrypted in transit.
• network and infrastructure have multiple layers of protection to defend our customers against denial-of-service attacks.
Hardware infrastructure
From the physical premises to the purpose-built servers, networking equipment, and custom security chips to the low-level software stack running on every machine, our entire hardware infrastructure is Google-controlled, -secured, and -hardened.
Identity
• Identities, users, and services are strongly authenticated.
• Access to sensitive data is protected by advanced tools like phishing-resistant security keys.
Data centers
Google data centers feature layered security with custom-designed electronic access cards, alarms, vehicle access barriers, perimeter fencing, metal detectors, biometrics, and laser beam intrusion detection. They are monitored 24/7 by high-resolution cameras that can detect and track intruders. Only approved employees with specific roles may enter.
Storage services
• Data stored on our infrastructure is automatically encrypted at rest and distributed for availability and reliability.
• guards against unauthorized access and service interruptions.
Continuous availability
Infrastructure underpins how Google Cloud delivers services that meet our high standards for performance, resilience, availability, correctness, and security. Design, operation, and delivery all play a role in making services continuously available.
Compliance Reports Manager
Compliance Reports Manager provides you with easy, on-demand access to
critical compliance resources, at no additional cost.
5. Security and privacy are primary design criteria for all of our products
Prioritizing the privacy of our customers means protecting the data you trust us with. We build the strongest
security technologies into our products.
Google provides resources on privacy regulations such as the LGPD, GDPR, CCPA, the
Australian Privacy Act, My Number Act, and PIPEDA, among others.
GCP — Transparency
Cloud Armor
(Diagram: traffic from an Attacker reaches the Victim through the GCP Network, with Cloud Armor in the path.)
Cloud Armor is a DDoS protection and Web Application Firewall (WAF) service
Private Cloud allows you to package Google Cloud resources into a service offering that can then be made available
and discoverable in a catalog internally to your organization, to quickly deploy governed stacks and workloads
Security Command Center
Security Command Center is a centralized security and risk
management platform for your Google Cloud resources.
BeyondCorp allows for:
• single sign-on
• access control policies
• access proxy
• user-based authentication
• device-based authentication
• authorization
By shifting access controls from the network perimeter to individual users, BeyondCorp enables secure work from virtually any location without the need for a traditional VPN.
The BeyondCorp principles:
• Access to services must not be determined by the network from which you connect
• Access to services is granted based on contextual factors from the user and their device
• Access to services must be authenticated, authorized, and encrypted
BeyondCorp
A Zero Trust model puts identity as the primary security perimeter to be protected.
BeyondCorp itself is just a collection of identity, access and security services to meet Zero Trust model requirements
(Diagram: Cloud Identity and context signals such as IP, Location, Session Age, Time and User Trust (Identity + Behavior) feed Access Context Manager, which governs access to Apps and Data: Web apps, Virtual Machines, SaaS Applications.)
Access policies are automatically created for you when you create an access level, service perimeter or turn on IAP.
They cannot be directly managed by the customer.
Cloud Identity-Aware Proxy (IAP)
Cloud Identity-Aware Proxy (IAP) lets you establish a central authorization layer for applications accessed by
HTTPS, so you can use an application-level access control model instead of relying on network-level firewalls
You can define access policies centrally and apply them to all of your applications and resources.
Use IAP when you want to enforce access control policies for applications and resources.
Identity-Aware Proxy (IAP) lets you manage who has access to services hosted on App Engine, Compute Engine, or an HTTPS Load Balancer.
When IAP is turned on, add members and their roles in the side-panel.
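The three BeyondCorp principles above and IAP's "central authorization layer" reduce to one decision function: is the request encrypted and authenticated, is the identity authorized for this application, and does the user's device and context satisfy an access level; the network the request arrived from is never consulted. The following added example (not from the original slides, and not Access Context Manager's or IAP's real policy language) models that decision with a small constructed policy. Every application name, group, access level and request is made up; source_ip is carried only so the reader can see that office and home addresses are treated alike.

```python
from dataclasses import dataclass
from datetime import timedelta
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Request:
    user: Optional[str]        # authenticated identity, None when no valid credential was presented
    groups: FrozenSet[str]
    device_managed: bool       # device is enrolled and reports a healthy posture
    device_encrypted: bool
    source_ip: str             # carried for logging only; never used in the decision
    country: str
    session_age: timedelta
    encrypted_transport: bool


@dataclass(frozen=True)
class AccessLevel:
    """A named set of contextual conditions, in the spirit of an Access Context Manager
    access level (constructed model, not its real policy language)."""
    name: str
    allowed_countries: FrozenSet[str] = frozenset()   # empty = any country
    require_managed_device: bool = False
    require_disk_encryption: bool = False
    max_session_age: timedelta = timedelta(hours=12)

    def satisfied_by(self, req: Request) -> bool:
        return (
            (not self.allowed_countries or req.country in self.allowed_countries)
            and (not self.require_managed_device or req.device_managed)
            and (not self.require_disk_encryption or req.device_encrypted)
            and req.session_age <= self.max_session_age
        )


@dataclass(frozen=True)
class AppPolicy:
    app: str
    allowed_groups: FrozenSet[str]          # authorization: which identities may use the app
    access_levels: Tuple[AccessLevel, ...]  # context: at least one level must be satisfied


def decide(policy: AppPolicy, req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason). The checks follow the three principles above:
    encrypted + authenticated, authorized by identity, then device/context.
    The source network is deliberately absent from every check."""
    if not req.encrypted_transport:
        return False, "request not encrypted"
    if req.user is None:
        return False, "unauthenticated"
    if not (req.groups & policy.allowed_groups):
        return False, f"{req.user} is not authorized for {policy.app}"
    for level in policy.access_levels:
        if level.satisfied_by(req):
            return True, f"granted via access level '{level.name}'"
    return False, "no access level satisfied by device or context"


# Constructed policy: payroll admins, from a managed and encrypted device, in US/CA, session under 8h
PAYROLL = AppPolicy(
    app="payroll-admin",
    allowed_groups=frozenset({"finance-admins"}),
    access_levels=(AccessLevel("trusted_device", allowed_countries=frozenset({"US", "CA"}),
                               require_managed_device=True, require_disk_encryption=True,
                               max_session_age=timedelta(hours=8)),),
)


def _req(user, groups, managed, encrypted, ip, country, age_hours):
    return Request(user, frozenset(groups), managed, encrypted, ip, country,
                   timedelta(hours=age_hours), True)


# Constructed requests: home IP on a managed laptop passes; the office IP on an unmanaged laptop does not
FROM_HOME_MANAGED = _req("alice@example.com", ["finance-admins"], True, True, "198.51.100.5", "US", 1)
IN_OFFICE_UNMANAGED = _req("bob@example.com", ["finance-admins"], False, False, "203.0.113.7", "US", 1)
WRONG_GROUP = _req("carol@example.com", ["engineering"], True, True, "203.0.113.8", "US", 1)
STALE_SESSION = _req("alice@example.com", ["finance-admins"], True, True, "198.51.100.5", "US", 20)

if __name__ == "__main__":
    for name, req in [("home, managed laptop", FROM_HOME_MANAGED), ("office, unmanaged laptop", IN_OFFICE_UNMANAGED),
                      ("wrong group", WRONG_GROUP), ("stale session", STALE_SESSION)]:
        print(f"{name:26s} -> {decide(PAYROLL, req)}")
```

The ordering in decide matters for what an attacker learns from a denial: transport and authentication are checked before any policy detail, so an unauthenticated probe never learns which groups or access levels exist.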
BeyondCorp Enterprise
BeyondCorp Enterprise is a zero trust model platform
BeyondCorp Enterprise enabled through Chrome Browser Cloud Management you can protect against
threats such as malware and phishing for your Chrome users as they download and upload files
BeyondCorp Enterprise is built into the Chrome Browser with no agents required
Identity and context-aware access control
• policies based on: user identity, device health, contextual factors
Integrated threat and data protection
• Prevent data loss, stop common threats
• Real-time alerts and detailed reporting
Support your environment: cloud, on-premises, or hybrid
• Access SaaS apps, web apps, and cloud resources wherever
Easy adoption with our agentless approach
• non-disruptive overlay to your existing architecture
• no need to install additional agents
Rely on Google Cloud's global infrastructure
• scale, reliability, and security of Google's network
• 144 edge locations in over 200 countries and territories
Directory Service
What is a directory service?
A directory service maps the names of network resources to their network addresses.
(Diagram: several Clients querying the directory service.)
Federate identities between:
• Google Cloud
• Active Directory
• Azure AD
• and more…
• manage access and compliance across all users in your domain
• create a Cloud Identity account for each of your users and groups.
• then you can use Identity and Access Management (IAM) to manage access to Google Cloud resources for each Cloud Identity account
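Once every user has a Cloud Identity account and IAM grants them access (the last step above, and the "fine-grained identity and access management" IAM is described with earlier), the recurring job is reviewing those grants for least privilege. The following added example (not from the original slides) reviews a project IAM policy for three common problems: public principals, the broad basic roles, and user or group identities from domains the organisation does not manage. The policy follows the shape returned by gcloud projects get-iam-policy PROJECT --format=json; its bindings, the domain list and the project id are constructed.

```python
# Legacy basic ("primitive") roles grant broad access across every service in the project
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
# Special principals that make a resource reachable by everyone / every Google account
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}


def review_iam_policy(policy: dict, managed_domains: set) -> list:
    """Return a finding dict (severity, role, member, reason) for every binding that
    breaks least privilege: public principals, basic owner/editor roles, or user and
    group identities outside the organisation's managed domains."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                findings.append({"severity": "HIGH", "role": role, "member": member,
                                 "reason": "public principal: resource is reachable by anyone"})
            elif role in BASIC_ROLES - {"roles/viewer"}:
                findings.append({"severity": "HIGH", "role": role, "member": member,
                                 "reason": "basic role grants far more than any single job needs"})
            kind, _, identity = member.partition(":")
            if kind in {"user", "group"} and "@" in identity:
                domain = identity.rsplit("@", 1)[1].lower()
                if domain not in managed_domains:
                    findings.append({"severity": "MEDIUM", "role": role, "member": member,
                                     "reason": f"identity outside managed domains {sorted(managed_domains)}"})
    return findings


def severity_counts(findings: list) -> dict:
    """Tally findings by severity, e.g. {'HIGH': 3, 'MEDIUM': 1}."""
    counts = {}
    for finding in findings:
        counts[finding["severity"]] = counts.get(finding["severity"], 0) + 1
    return counts


# Constructed policy (project id, identities and bindings are made up)
SAMPLE_POLICY = {
    "version": 1,
    "bindings": [
        {"role": "roles/owner", "members": ["user:alice@example.com"]},
        {"role": "roles/editor", "members": ["user:contractor@gmail.com"]},
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
        {"role": "roles/viewer", "members": ["group:auditors@example.com"]},
        {"role": "roles/logging.viewer",
         "members": ["serviceAccount:siem-reader@example-project.iam.gserviceaccount.com"]},
    ],
}
MANAGED_DOMAINS = {"example.com"}

if __name__ == "__main__":
    for finding in review_iam_policy(SAMPLE_POLICY, MANAGED_DOMAINS):
        print(f"[{finding['severity']}] {finding['role']} -> {finding['member']}: {finding['reason']}")
    print(severity_counts(review_iam_policy(SAMPLE_POLICY, MANAGED_DOMAINS)))
```

roles/viewer is left out of the HIGH list on purpose: it is still a basic role, but read-only, and a team usually fixes the owner and editor grants first. The service account binding produces no finding because the check only knows how to judge user and group domains; a review of service account scope is a separate exercise.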
Cloud Identity — Versions
Cloud Identity comes in two versions: Free and Premium
Device Management
Free
• Basic Mobile Management
• Device inventory
• Basic passcode enforcement
• Remote account wipe
• Android
• Apple® iOS®
Premium
• Advanced Mobile Management
• Advanced passcode enforcement
• Security policies
• Application management
• Network management
• Remote device wipe
• Reporting
• Application auditing
• Company-owned devices
• Mobile audit
• MDM rules
Directory
Free
• Basic directory management
• Organizational units and groups (Unlimited)
• Admin managed groups
• Groups for Business
• Google Cloud Directory Sync
• Admin roles and privileges
• Google Admin App for Android
• Google Admin App for iOS
• Admin SDK/API
• Secure LDAP
Premium
• User lifecycle management (no user cap)
• Secure LDAP
Security
Free
• User security management
• Self-service password recovery
• 2-Step verification (2SV) including security key management
• 2SV enforcement controls
• with security key enforcement and management
• Password management and strength alert
Premium
• First-party session management
• Google security center
Reporting
Free
• Admin, Login, SAML, Groups, Token audit logs
• Security reports
• SAML audit log
• App reports
• Account activity reports
Premium
• Devices audit log
• Auto export audit logs to BigQuery
Single sign-on (SSO) and automated provisioning
Free
• Set up SSO using Google as an identity provider (IdP) to access a pre-integrated list of third-party SAML apps (Unlimited)
• Set up SSO using Google as an IdP to access custom SAML apps
• Set up SSO using a third-party IdP with Google as a service provider
Premium
• Automated user provisioning
Service Level Agreements
Premium has 99.9%
Active Directory (hierarchy diagram): Forest > Tree > Domain > Child Domain > Organizational Unit (OU)
Active Directory Domain Services
Active Directory Domain Services (AD DS)
Active Directory Services consist of multiple directory services
Domain Services
the foundation stone of every Windows domain network
stores information about members of the domain including devices and users, verifies their credentials and defines their access rights.
The server running this service is called a domain controller.
Active Directory Lightweight Directory Services (AD LDS)
an implementation of the LDAP protocol for AD DS
Active Directory Certificate Services (AD CS)
establishes an on-premises public key infrastructure.
create, validate and revoke public key certificates for internal uses of an
Active Directory Federation Services (AD FS)
a single sign-on service so users may use several web-based services and network resources using only one set of credentials stored at a central location
Active Directory Rights Management Services (AD RMS)
server software for information rights management shipped with Windows Server.
uses encryption and a form of selective functionality denial for limiting access to documents
Active Directory Terminology
Domain
A domain is an area of a network organized by a single authentication database
An Active Directory domain is a logical grouping of AD objects on a network
Domain Controller (DC)
A domain controller is a server that authenticates user identities and authorizes their access to resources.
Domain Computer
A computer that is registered with a central authentication database. A domain computer is an AD Object.
AD Object
An AD Object is the basic element of Active Directory such as:
Users, Groups, Printers, Computers, Shared folders
Group Policy Object (GPO)
A virtual collection of policy settings. It controls what AD Objects have access to
Organizational Units (OU)
A subdivision within an Active Directory into which you can place users, groups, computers, and other organizational units
Directory Service
A directory service, such as Active Directory Domain Services (AD DS), provides the methods for storing directory data
and making this data available to network users and administrators. A directory service runs on a Domain Controller.
Managed Service for Microsoft Active Directory
Managed Service for Microsoft Active Directory (AD) is an
Active Directory hosted on the Google Cloud Platform
Federated identity is a method of linking a user's identity across multiple separate identity management systems
OpenID
An open standard and decentralized authentication protocol, e.g. being able to log in to a different social media platform using a Google or Facebook account.
OpenID is about proving who you are
OAuth 2.0
An industry-standard protocol for authorization. OAuth doesn't share password data but instead uses authorization tokens to prove an identity between consumers and service providers.
OAuth is about granting access to functionality
SAML
Security Assertion Markup Language is an open standard for exchanging authentication and authorization
between an identity provider and a service provider.
An important use case for SAML is Single-Sign-On via web browser.
Single-Sign-On
Single sign-on (SSO) is an authentication scheme that allows a user to log in with a
single ID and password to different systems and software.
SSO allows IT departments to administer a single identity
that can access many machines and cloud services.
SAML SSO
LDAP enables same sign-on. Same sign-on allows users to use a single ID and password,
but they have to enter it every time they want to log in.
Target percentages
• 99.95%
• 99.99%
• 99.999999999% (commonly called Nine nines)
• 99.99999999999% (commonly called Nine elevens)
GCP — Service Level Agreements
Compute Engine
Cloud Storage
Apigee
Covered Service: Monthly Uptime
Apigee Standard: >= 99%
Apigee Enterprise: >= 99.99% for environments provisioned in 2 or more Regions (i.e., with the purchase of Additional Region / Distributed Network) with a dual-region, multi-regional, or global Cloud KMS encryption key, or >= 99.9% for all other environments
Apigee Enterprise Plus: >= 99.99% for environments provisioned in 2 or more Regions with a dual-region, multi-regional, or global Cloud KMS encryption key, or >= 99.9% for all other environments
GCP Support Plans
Plans: Basic Support, Standard Support, Enhanced Support, Premium Support
• Unlimited access to support
• Technical Support: Case (Email) (Standard); Case (Email) and Phone (Enhanced and Premium)
• 8/5 response for high-impact issues (Standard); 24/7 response for high-impact and critical issues (Enhanced and Premium)
The Cloud Support API is available to Customer Care customers with Enhanced or Premium Support.
Third-Party Technology Support
With Third-Party Technology Support, Google Cloud support will assist you with integrating non-Google
services and open-source technologies that are running on or integrating with Google Cloud services.
There are 3 approaches to delivering Third-Party Technology Support:
• Collaborative support
• Google Cloud partners with other companies to create a joint support experience
• NetApp Cloud Volumes for Google Cloud
• IBM Power for Google Cloud
• F5 Networks BIG-IP as used with Anthos products
• Dell Technologies - PowerScale for Google Cloud
• DataStax Astra on Google Cloud
• Databricks
• Workload centric support
• Google Cloud has expertise in a variety of third-party technologies and can assist with
the setup, configuration, and troubleshooting of those technologies
• Third-party support
• Google Cloud provides commercially reasonable assistance with installation,
configuration, and troubleshooting of third-party software
• Operating Systems
• Databases
• Web Servers
• DevOps Tools
• SQL Server
Third-Party Technology Support is available to Customer Care customers with Enhanced or Premium Support.
Technical Account Advisor Service
Technical Account Advisor Service (TAAS) provides both proactive guidance
and reactive support to help you succeed with your Cloud journey.
When you purchase TAAS, you pay a monthly fee, with a minimum 1-year contract.
After the first year, your contract is month-to-month.
Premium Support — Assured Support
Customer Aware Support is a service that provides you with a jump start to resolving
technical issues and improving your Premium Support experience.
Customer Care creates Customer Aware Support by learning about and maintaining information
about your architecture, partners, and Google Cloud projects. This information ensures that our
Technical Support Engineers can resolve your support cases promptly and efficiently.
Premium Support — Operational Health Reviews
The reviews serve as a regular touchpoint with your TAM where you can discuss various
topics related to your Customer Care experience, including:
• The efficiency of your cloud operations, including support trends.
• Analysis of trends in operational metrics.
• Incidents, case escalations, and outages.
• Tracking of open cases.
• Status reports for high-priority Cloud projects.
Premium Support — Event Management Service
Premium Support's Event Management Service is for planned peak events, such as a product
launch or major sales event. With this service, Customer Care partners with your team to create
a plan and provide guidance throughout the event.
With Event Management Service, your team is supported with the following tasks:
• Preparing your systems for key moments and heavy workloads.
• Running disaster tests to proactively resolve potential issues.
• Developing and implementing a faster path to resolution to reduce the impact of any issues
that might occur.
After the event, your TAM works with you to review the outcomes and make recommendations
for future events.
To initiate the Event Management Service for an upcoming event, contact your TAM.
Premium Support — Training Credits
With Premium Support, you receive training credits for the Google Cloud Qwiklabs
that you can distribute to users in your organization. Your TAM identifies learning
opportunities and indicates which training resources can be most beneficial to your
organization. With this training, your developers have the resources to find answers
quickly and test out ideas in safe environments.
For each 1-year contract with Premium Support, you receive 6,250 credits.
Premium Support — New Product Previews
As a Premium Support customer, you have access to Previews of new Google Cloud products. By
previewing a product, you have the opportunity to prepare your architecture for a new solution
before it becomes more broadly available to the market.
With your organization's goals in mind, your TAM analyzes your Google Cloud projects and usage
to identify opportunities to test and use new products and solutions. When your TAM identifies
an opportunity, they introduce you to the product team and help you gain access to the Preview.
As you test the product, your TAM also shares your feedback with the product team.
In addition to working with your TAM, you can request and manage access to Previews via the
Cloud Console. In the Cloud Console, you can check the status of your requests and manage
which users in your organization have access to Previews.
Premium Support — Technical Account Manager
As a Premium Support customer, you are assigned a named Technical Account Manager (TAM). Technical Account
Managers are trusted technical advisors that focus on operational rigor, platform health, and architectural stability
for your organization.
Your Technical Account Manager supports and guides you in the following ways:
• Assists you with onboarding to Premium Support.
• Assesses your cloud maturity and works with you to create an adoption roadmap
and operating model.
• Advises on best practices for using Google Cloud.
• Delivers frequent Operational Health Reviews.
• Connects you with Google technical experts, such as Product Managers and Support
Engineers.
• Works with you on support cases and case escalations. For high-priority cases, your
TAM analyzes the incident and identifies root causes.
Billing account includes one or more billing contacts defined on the Payments profile
Billing can have sub-accounts for resellers, so you can bill resources to be paid by your customer
Billing Account
Cloud Billing Account VS Payments Profile
Cloud Billing Account
• Is a cloud-level resource managed in the Cloud Console.
• Tracks all of the costs (charges and usage credits) incurred by your Google Cloud usage
• A Cloud Billing account can be linked to one or more projects.
• Project usage is charged to the linked Cloud Billing account.
• Results in a single invoice per Cloud Billing account
• Operates in a single currency
• Defines who pays for a given set of resources
• Is connected to a Google Payments Profile, which includes a payment instrument, defining how you pay for your charges
• Has billing-specific roles and permissions to control accessing and modifying billing-related functions (established by IAM roles)
Payments Profile
• Is a Google-level resource managed at payments.google.com.
• Connects to ALL of your Google services (such as Google Ads, Google Cloud, and Fi phone service).
• Processes payments for ALL Google services (not just Google Cloud).
• Stores information like name, address, and tax ID (when required legally) of who is responsible for the profile.
• Stores your various payment instruments (credit cards, debit cards, bank accounts, and other payment methods you've used to buy through Google in the past).
• Functions as a document center, where you can view invoices, payment history, and so on.
• Controls who can view and receive invoices for your various Cloud Billing accounts and products.
Billing Account Types
Individual
• You're using your account for your own personal payments.
• If you register your payments profile as an individual, then only you can manage the profile. You
won't be able to add or remove users, or change permissions on the profile.
Business
• You're paying on behalf of a business, organization, partnership, or educational institution.
• You use Google payments center to pay for Play apps and games, and Google services like Google
Ads, Google Cloud, and Fi phone service.
• A business profile allows you to add other users to the Google payments profile you manage, so
that more than one person can access or manage a payments profile.
• All users added to a business profile can see the payment information on that profile.
Charging Cycle
For self-serve Cloud Billing accounts, your charging cycle is automatically assigned when you create the
account. You do not get to choose your charging cycle and you cannot change the charging cycle.
For invoiced Cloud Billing accounts, you typically receive one invoice per month and the amount of time you
have to pay your invoice (your payment terms) is determined by the agreement you made with Google.
Cloud Billing IAM Roles
Cloud Billing lets you control which users have administrative and cost viewing permissions for
specified resources by setting Identity and Access Management (IAM) policies on the resources
To grant or limit access to Cloud Billing, you can set an IAM policy at the organization level,
the Cloud Billing account level, and/or the project level
Budget Alerts
Multiple alert thresholds to reduce spending surprises and unexpected cost overruns.
Notification Options
• Email alerts to billing admins and users
• Link Monitoring email notification channels to this budget
• Connect a Pub/Sub topic to this budget
Billing Account
Use the billing report to view and analyze your Google Cloud usage
costs using many selectable settings and filters.
Configuring various views of the Cloud Billing report can help you
answer questions like these:
• How is my current month's Google Cloud spending trending?
• What Google Cloud project cost the most last month?
• What Google Cloud service (for example, Compute Engine or Cloud
Storage) cost me the most?
• What are my forecasted future costs based on historical trends?
• How much am I spending by region?
• What was the cost of resources with label X?
Your customized report views are saveable and shareable.
Cost Table Reports
Use the cost table report to access and analyze the details of
your invoices and statements.
Trial Limitations:
• You can't add GPUs to your VM instances
• You can't request a quota increase
• You can't create VM instances that are based on Windows Server images.
• You need to verify a credit card or other payment method to signup
• At end of trial to continue using Google Cloud, you must upgrade to a paid Cloud Billing account.
• upgrading early will end your trial
Free-Tier
All Google Cloud customers can use select Google Cloud products—like
Compute Engine, Cloud Storage, and BigQuery—free of charge, within
specified monthly usage limits.
When you stay within the Free Tier limits, these resources are not charged
against your Free Trial credits or to your Cloud Billing account's payment
method after your trial ends.
App Engine
28 hours per day of "F" instances
9 hours per day of "B" instances
1 GB of egress per day
The Google Cloud Free Tier is available only for the Standard Environment.
AutoML Vision
40 node hours for training and online prediction
1 node hour for batch classification prediction
15 node hours for Edge training
BigQuery
1 TB of querying per month
10 GB of storage each month
Artifact Registry
0.5 GB storage per month
Cloud Build
120 build-minutes per day
AutoML Natural Language
5000 units of prediction per month
Cloud Functions
2 million invocations per month (includes both background and HTTP invocations)
400,000 GB-seconds, 200,000 GHz-seconds of compute time
5 GB network egress per month
AutoML Tables
6 node hours for training and prediction
AutoML Translation
500,000 translated characters per month
Cloud Logging and Cloud Monitoring
Free monthly logging allotment
Free monthly metrics allotment
AutoML Video Intelligence
40 node hours for training
5 node hours for prediction
Cloud Natural Language API
5,000 units per month
Cloud Run
2 million requests per month
360,000 GB-seconds of memory, 180,000 vCPU-seconds of compute time
1 GB network egress from North America per month
The Free Tier is available only for Cloud Run.
Cloud Vision
1,000 units per month
Firestore
1 GB storage
50,000 reads, 20,000 writes, 20,000 deletes per day
Cloud Shell
Free access to Cloud Shell, including 5 GB of persistent disk storage
Cloud Source Repositories
Up to 5 users
50 GB of storage per billing account
50 GB egress
Google Kubernetes Engine
No cluster management fee for one Autopilot or Zonal cluster
For clusters created in Autopilot mode, pods are billed per second for vCPU, memory and disk resource requests. For clusters created in Standard mode, each user node is charged at standard Compute Engine pricing.
Cloud Storage
5 GB-months of regional storage (US regions only)
5,000 Class A Operations per month
50,000 Class B Operations per month
1 GB network egress from North America to all region destinations (excluding China and Australia) per month
Free Tier is only available in us-east1, us-west1, and us-central1 regions. Usage calculations are combined across those regions.
Compute Engine
1 non-preemptible f1-micro VM instance per month within:
• us-west1, us-central1, us-east1
30 GB-months HDD
5 GB-month snapshot storage in the following regions:
• us-west1, us-central1, us-east1, asia-east1, europe-west1
1 GB network egress from North America to all region destinations (excluding China and Australia) per month
Your Free Tier f1-micro instance limit is by time, not by instance. Each month, eligible use of all of your f1-micro instances is free until you have used a number of hours equal to the total hours in the current month. Usage calculations are combined across the supported regions.
Google Cloud Free Tier does not include external IP addresses.
Compute Engine offers discounts for sustained use of virtual machines. Your Free Tier use doesn't factor into sustained use.
GPUs and TPUs are not included in the Free Tier offer. You are always charged for GPUs and TPUs that you add to VM instances.
Google Maps Platform
For more information, see the Pricing page.
Pub/Sub
10 GB of messages per month
Speech-to-Text
60 minutes per month
Video Intelligence API
1,000 units per month
Workflows
5,000 internal steps per month
2,000 external HTTP calls per month
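The time-based f1-micro rule above (limit by hours, pooled across the supported regions, non-preemptible only), as an added Python example; this is constructed here and is not Google's billing code, and the instance records and month are assumed inputs:

```python
"""Free Tier eligibility for f1-micro hours, applying the rule on the page.

Added example, not Google's billing code. The instance records and month are
constructed inputs; only the rule (time-based limit, combined across the three
supported regions, non-preemptible f1-micro only) comes from the page.
"""
import calendar
from dataclasses import dataclass

FREE_TIER_REGIONS = {"us-west1", "us-central1", "us-east1"}
FREE_TIER_MACHINE_TYPE = "f1-micro"


@dataclass
class InstanceUsage:
    name: str
    machine_type: str
    region: str
    hours: float
    preemptible: bool = False  # only non-preemptible instances qualify


def hours_in_month(year: int, month: int) -> int:
    """Total hours in the month: this is the Free Tier allowance for f1-micro use."""
    return calendar.monthrange(year, month)[1] * 24


def is_free_tier_eligible(usage: InstanceUsage) -> bool:
    return (usage.machine_type == FREE_TIER_MACHINE_TYPE
            and usage.region in FREE_TIER_REGIONS
            and not usage.preemptible)


def split_free_hours(usages, year: int, month: int):
    """Return (free_hours, billable_hours) for the month.

    Eligible hours from all instances are pooled (the limit is by time, not by
    instance) and are free up to hours_in_month; anything beyond that, and all
    ineligible usage, is billable.
    """
    cap = hours_in_month(year, month)
    eligible = sum(u.hours for u in usages if is_free_tier_eligible(u))
    ineligible = sum(u.hours for u in usages if not is_free_tier_eligible(u))
    free = min(eligible, cap)
    return free, (eligible - free) + ineligible


if __name__ == "__main__":
    # Constructed usage for February 2023 (28 days = 672 hours).
    sample = [
        InstanceUsage("web-a", "f1-micro", "us-central1", 400),
        InstanceUsage("web-b", "f1-micro", "us-east1", 400),
        InstanceUsage("eu-box", "f1-micro", "europe-west1", 100),
        InstanceUsage("spot", "f1-micro", "us-west1", 10, preemptible=True),
        InstanceUsage("worker", "e2-medium", "us-central1", 50),
    ]
    print(split_free_hours(sample, 2023, 2))  # (672, 288)
```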
On-Demand
On-demand pricing is when you pay for a Google Cloud resource based on a
consumption-based model.
A consumption based model means you only pay for what you use, based on a
consumption metric:
• By time: hourly, minutes, seconds, milliseconds
• Can be multiplied by configuration variables: vCPUs and Mem
• By API calls: $1 every 1000 transactions
Sustained use discounts (Compute Engine)
Usage level (% of month): % at which incremental usage is charged
0%–25%: 100% of base rate
25%–50%: 86.78% of base rate
50%–75%: 73.3% of base rate
75%–100%: 60% of base rate
Flat-Rate Pricing
When you enroll in flat-rate pricing, you purchase dedicated query processing
capacity, measured in BigQuery slots.
Your queries consume this capacity, and you are not billed for bytes
processed. If your capacity demands exceed your committed capacity,
BigQuery will queue up slots, and you will not be charged additional fees.
GCP has idle Virtual Machines and will offer discounts to ensure they are in use, similar to:
• A hotel that offers rooms at a discount to avoid vacant rooms
• An airline that offers seats at a discount to fill vacant seats
When you create sole-tenant nodes, you are billed for all of the vCPU and memory
resources on the sole-tenant nodes, plus a sole-tenancy premium, which is 10% of the
cost of all of the underlying vCPU and memory resources
Sustained use discounts apply to this premium, but committed use discounts do not.
After you create the node, you can place VMs on that node, and these VMs run for no additional cost.
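The sustained use tier table and the sole-tenancy premium rule above, carried through in an added Python example; this is constructed here and is not Google's billing code, and the base rates and usage fractions are assumed inputs:

```python
"""Sustained use discount (SUD) tiers and the 10% sole-tenancy premium.

Added example, not Google's billing code. The tier percentages are the ones
stated on the page; base rates and usage fractions are assumed inputs.
"""

# (upper bound of the tranche as a fraction of the month, share of base rate charged)
SUD_TIERS = [
    (0.25, 1.0),     # 0%-25% of the month: 100% of base rate
    (0.50, 0.8678),  # 25%-50%: 86.78%
    (0.75, 0.733),   # 50%-75%: 73.3%
    (1.00, 0.60),    # 75%-100%: 60%
]
SOLE_TENANCY_PREMIUM = 0.10  # 10% of the underlying vCPU and memory cost


def sustained_use_cost(base_rate_per_month: float, usage_fraction: float) -> float:
    """Cost of running a VM for usage_fraction of the month.

    base_rate_per_month is the undiscounted price for a full month. Each 25%
    tranche of the month is charged incrementally at its own share of the base rate.
    """
    if not 0.0 <= usage_fraction <= 1.0:
        raise ValueError("usage_fraction must be between 0 and 1")
    cost = 0.0
    lower = 0.0
    for upper, share in SUD_TIERS:
        if usage_fraction <= lower:
            break
        tranche = min(usage_fraction, upper) - lower
        cost += tranche * share * base_rate_per_month
        lower = upper
    return cost


def effective_discount(usage_fraction: float) -> float:
    """Overall discount versus paying the base rate for the same hours."""
    if usage_fraction == 0.0:
        return 0.0
    return 1.0 - sustained_use_cost(1.0, usage_fraction) / usage_fraction


def sole_tenant_node_cost(vcpu_mem_base_per_month: float, usage_fraction: float):
    """Return (resource_cost, premium_cost) for a sole-tenant node.

    All vCPU and memory on the node is billed, plus a 10% premium. Sustained use
    discounts apply to both parts; a committed use discount (not modelled here)
    would apply to the resources only, never to the premium.
    """
    resources = sustained_use_cost(vcpu_mem_base_per_month, usage_fraction)
    premium = sustained_use_cost(vcpu_mem_base_per_month * SOLE_TENANCY_PREMIUM, usage_fraction)
    return resources, premium


if __name__ == "__main__":
    # Constructed figures: a $100/month VM and a $1000/month sole-tenant node.
    print(f"full month: {sustained_use_cost(100.0, 1.0):.2f} ({effective_discount(1.0):.1%} off)")
    print("sole-tenant node, full month:", sole_tenant_node_cost(1000.0, 1.0))
```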
You can create a shareable link or email the estimate to your organization or key stakeholders
Dataproc
What is Hadoop?
Hadoop is an open-source framework for distributed processing of large data sets
Hadoop allows you to distribute:
• a large dataset across many servers, e.g. HDFS
• computing queries across many servers, e.g. MapReduce
• Run various open-source big-data, distributed projects as components
Dataproc is a fully managed and highly scalable service for running Apache Spark,
Apache Flink, Presto, and 30+ open source tools and frameworks.
Dataproc is a fully-managed Hadoop as a Service
Use Dataproc for data lake modernization, ETL, and secure data science, at
planet scale, fully integrated with Google Cloud, at a fraction of the cost.
Dataflow
Dataflow is a unified stream and batch data processing service that's serverless, fast, and cost-effective
DataFlow SQL — use your SQL skills to develop streaming Dataflow pipelines right from the BigQuery web UI.
Flexible Resource Scheduling (FlexRS) — advanced scheduling techniques to reduce batch processing costs
Dataflow templates — easily share your pipelines across your organization and team
Vertex AI Notebook Integration
Private IPs — disable public IP and operate within the GCP network for added security
Horizontal scaling — automatically scales
Apache Beam — Integrate with Apache Beam