
What is Cloud Computing?

cloud com·put·ing
noun
the practice of using a network of remote servers hosted on the Internet to store,
manage, and process data, rather than a local server or a personal computer.

On-Premise vs. Cloud Providers

On-Premise
• You own the servers
• You hire the IT people
• You pay or rent the real-estate
• You take all the risk

Cloud Providers
• Someone else owns the servers
• Someone else hires the IT people
• Someone else pays or rents the real-estate
• You are responsible for configuring your cloud services and code; someone else takes care of the rest.
The Evolution of Cloud Hosting
Dedicated Server
One physical machine dedicated to a single business.
Runs a single web-app/site.
Very Expensive, High Maintenance, High Security*

Virtual Private Server
One physical machine dedicated to a single business.
The physical machine is virtualized into sub-machines.
Runs multiple web-apps/sites.

Shared Hosting
One physical machine, shared by hundreds of businesses.
Relies on most tenants under-utilizing their resources.
Very Cheap, Very Limited.

Cloud Hosting
Multiple physical machines that act as one system.
The system is abstracted into multiple cloud services.
Flexible, Scalable, Secure, Cost-Effective, High Configurability
What is Google?

An American multinational technology corporation headquartered in Mountain View, California.

Google was founded in 1996 and its claim to fame was the Google Search Engine.
The name of the Google search engine was a play on the word "googol".
A googol means a large number, precisely 10^100:

10,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000.

GOOGLE is also an initialism for:
• Global Organization of Oriented Group Language of Earth
What is a Cloud Service Provider?

A Cloud Service Provider (CSP) is a company which provides multiple Cloud Services,
and those Cloud Services can be chained together to create cloud architectures
What is Google Cloud Platform?

Google calls their cloud provider service offering Google Cloud Platform, commonly referred to as GCP.

The first product offered by GCP was App Engine, back in 2008.
What is Google Workspace?

Google Workspace is a bundled offering of SaaS products for team communication and collaboration for an organization.
Formerly known as G Suite.

Google Calendar – A cloud-based team calendar
Gmail – A cloud-based email client
Google Meet – Video conferencing, screensharing
Google Drive – Cloud storage for documents and files
Google Sheets – Real-time collaborative spreadsheets
Google Docs – Real-time collaborative word processor
Google Slides – Real-time collaborative presentations
Benefits of Cloud Computing

Cost-effective – You pay for what you consume, no up-front cost. On-demand pricing or Pay-as-you-go (PAYG), with thousands of customers sharing the cost of the resources.

Global – Launch workloads anywhere in the world; just choose a region.

Secure – The cloud provider takes care of physical security. Cloud services can be secure by default, or you have the ability to configure access down to a granular level.

Reliable – Data backup, disaster recovery, data replication, and fault tolerance.

Scalable – Increase or decrease resources and services based on demand.

Elastic – Automate scaling during spikes and drops in demand.

Current – The underlying hardware and managed software is patched, upgraded and replaced by the cloud provider without interruption to you.
Common Cloud Services
A cloud provider can have hundreds of cloud services that are grouped into various types of services.
The four most common types of cloud services for Infrastructure as a Service (IaaS) would be:

Compute – Imagine having a virtual computer that can run applications, programs, and code.
Networking – Imagine having a virtual network, being able to define internet connections or network isolations.
Storage – Imagine having a virtual hard-drive that can store files.
Databases – Imagine a virtual database for storing reporting data, or a database for a general-purpose web-application.

GCP has over 60 cloud services.

The term "Cloud Computing" can be used to refer to all categories, even though it has "compute" in the name.
Types of Cloud Computing

SaaS – Software as a Service – For Customers
A product that is run and managed by the service provider.
Don't worry about how the service is maintained.
It just works and remains available.

PaaS – Platform as a Service – For Developers
Focus on the deployment and management of your apps.
Don't worry about provisioning, configuring or understanding the hardware or OS.

IaaS – Infrastructure as a Service – For Admins
The basic building blocks for cloud IT. Provides access to networking features, computers and data storage space.
Don't worry about IT staff, data centers and hardware.
Google’s Shared Responsibility Model
The Shared Responsibility Model is a simple visualization that helps determine what the customer is responsible for and what Google is responsible for related to GCP.

The customer is responsible for the data and the configuration of access controls that reside in GCP.
The customer is responsible for the configuration of cloud services and granting access to users via permissions.

Google is generally responsible for the underlying infrastructure.

Responsibility "in" the cloud – If you can configure or store it, then you (the customer) are responsible for it.
Responsibility "of" the cloud – If you can not configure it, then Google is responsible for it.

The diagram stacks the following layers for IaaS, PaaS and SaaS, with Content at the top and Hardware at the bottom, and colours each layer as either Google's Responsibility or the Customer's Responsibility:
Content
Access Policies
Usage
Deployment
Web application security
Identity
Operations
Access and authentication
Network security
Guest OS, data & content
Audit logging
Network
Storage + encryption
Hardened Kernel + IPC
Boot
Hardware
Shared Responsibility Model
Let us take a look at compute as a comparison example of the Shared Responsibility Model.

Infrastructure as a Service (IaaS)

Bare Metal – Compute Engine
Customer:
• The Host OS Configuration
• Container Runtime
• Hypervisor
Google:
• Physical machine

Virtual Machine – Compute Engine
Customer:
• The Guest OS Configuration
Google:
• Hypervisor, Physical machine

Containers – Google Kubernetes Engine (GKE)
Customer:
• Configuration of containers
• Deployment of Containers
• Storage of containers
Google:
• The OS, The Hypervisor, Container Runtime

Platform as a Service (PaaS)
Managed Platform – App Engine
Customer:
• Uploading your code
• Some configuration of environment
• Deployment strategies
• Configuration of associated services
Google:
• Servers, OS, Networking, Storage, Security

Software as a Service (SaaS)
Word Processor – Google Docs
Customer:
• Contents of documents
• Management of files
• Configuration of sharing access controls
Google:
• Servers, OS, Networking, Storage, Security

Function as a Service (FaaS)
Functions – Cloud Functions
Customer:
• Upload your code
Google:
• Deployment, Container Runtime, Networking, Storage, Security, Physical Machine (basically everything)
Shared Responsibility Model

The diagram lines up the compute offerings by level of control:
Bare Metal
Dedicated Host – Sole-tenant Node
Virtual Machines (VM) – Compute Engine
Containers – Google Kubernetes Engine (GKE)
Functions – Cloud Functions

Layers shown in the stack: Code, App, Container, Runtime, OS, Virtualization.
The axes of the diagram are labelled Customer Responsibility, Level of Control and GCP Responsibility.
Shared Responsibility Model

Customer:
• Configuration of Managed Services or Third-Party Software – Platforms, Applications, Identity and Access Management (IAM)
• Configuration of Virtual Infrastructure and Systems – Operating System, Network, Firewall
• Security Configuration of Data – Client-Side Data Encryption, Server-Side Encryption, Networking Traffic Protection
• Customer Data

GCP:
• Software – Compute, Storage, Database, Networking
• Hardware / Global Infrastructure – Region, Zones / Fault Domains, Physical Security
Shared Responsibility Model

The diagram compares the same stack across On-Premise, Infrastructure as a Service, Platform as a Service and Software as a Service:
Applications
Data
Runtime
Middleware
OS
Virtualization
Servers
Storage
Networking

Legend: Customer is Responsible / CSP is Responsible (each layer is coloured in the original diagram to show which party is responsible under each model).


Cloud Computing Deployment Models

Public Cloud
Everything built on the Cloud Provider.
Also known as: Cloud-Native

Private Cloud
Everything built on the company's datacenters.
Also known as: On-Premise
The cloud could be OpenStack.

Hybrid
Using both On-Premise and a Cloud Service Provider.
Cloud Computing Deployment Models

Cross-Cloud
Using Multiple Cloud Providers
Aka multi-cloud, "hybrid-cloud"

Anthos is GCP's offering for a control plane for compute across multiple CSPs and On-premise environments.
Cloud Computing Deployment Models
Cloud – Fully utilizing cloud computing
• Startups
• SaaS offerings
• New projects and companies

Hybrid – Using both Cloud and On-Premise
• Banks
• FinTech, Investment Management
• Large Professional Service providers
• Legacy on-premise

On-Premise – Deploying resources on-premises, using virtualization and resource management tools, is sometimes called "private cloud".
• Public Sector eg. Government
• Super Sensitive Data eg. Hospitals
• Large Enterprise with heavy regulation eg. Insurance Companies
Total Cost of Ownership (TCO)
CAPEX – On-Premise
Software license Fees
• Implementation
• Configuration
• Training
• Physical Security
• Hardware
• IT Personnel
• Maintenance

OPEX – GCP
Subscription Fees
• Implementation
• Configuration
• Training
(Physical Security, Hardware, IT Personnel and Maintenance become GCP's Responsibility)

75% Savings
Capital vs Operational Expenditure

Capital Expenditure (CAPEX)
Spending money upfront on physical infrastructure, deducting that expense from your tax bill over time.
• Server Costs (computers)
• Storage Costs (hard drives)
• Network Costs (Routers, Cables, Switches)
• Backup and Archive Costs
• Disaster Recovery Costs
• Datacenter Costs (Rent, Cooling, Physical Security)
• Technical Personnel
With Capital Expenses you have to guess upfront what you plan to spend.

Operational Expenditure (OPEX)
The costs associated with an on-premises datacenter that have shifted to the service provider. The customer only has to be concerned with non-physical costs.
• Leasing Software and Customizing features
• Training Employees in Cloud Services
• Paying for Cloud Support
• Billing based on cloud metrics eg. compute usage, storage usage
With Operational Expenses you can try a product or service without investing in equipment.
Cloud Architecture Terminologies
Availability – Your ability to ensure a service remains available (Highly Available, HA)

Scalability – Your ability to grow rapidly or unimpeded

Elasticity – Your ability to shrink and grow to meet the demand

Fault Tolerance – Your ability to prevent a failure

Disaster Recovery – Your ability to recover from a failure (Highly Durable, DR)
High Availability

Your ability for your service to remain available by ensuring there is *no single point of failure and/or ensuring a certain level of performance.

Cloud Load Balancing
A load balancer allows you to evenly distribute traffic to multiple servers in one or more datacenters. If a datacenter or server becomes unavailable (unhealthy), the load balancer will route the traffic only to available datacenters with servers.

Running your workload across multiple Zones ensures that if 1 or 2 Zones become unavailable, your service/applications remain available.
High Scalability

Your ability to increase your capacity based on the increasing demand of traffic, memory and computing power.

Vertical Scaling – Scaling Up – Upgrade to a bigger server
Horizontal Scaling – Scaling Out – Add more servers of the same size
High Elasticity

Your ability to automatically increase or decrease your capacity based on the current demand of traffic, memory and computing power.

Managed instance groups (MIGs)
Automatically increase or decrease in response to demand or a defined schedule.

Horizontal Scaling
Scaling Out — Add more servers of the same size
Scaling In — Remove servers of the same size

Vertical Scaling is generally hard for traditional architecture, so you'll usually only see horizontal scaling described with Elasticity.
Highly Fault Tolerant

Your ability for your service to ensure there is no single point of failure, preventing the chance of failure.

Fail-over is when you have a plan to shift traffic to a redundant system in case the primary system fails.
You can use Cloud DNS, which is a DNS service that can detect a failing primary system and fail-over to a stand-by secondary system.

A common example is having a copy (secondary) of your database where all ongoing changes are synced. The secondary system is not in use until a fail-over occurs and it becomes the primary database.
High Durability

Your ability to recover from a disaster and to prevent the loss of data.
Solutions that recover from a disaster are known as Disaster Recovery (DR).

• Do you have a backup?
• How fast can you restore that backup?
• Does your backup still work?
• How do you ensure current live data is not corrupt?
The Evolution of Computing – Dedicated
• A physical server wholly utilized by a single customer.
• You have to guess your capacity
• You'll overpay for an underutilized server
• You can't vertically scale; you need a manual migration
• Replacing a server is very difficult
• You are limited by your Host Operating System
• Multiple apps can result in conflicts in resource sharing
• You have a *guarantee of security, privacy, and full utility of underlying resources

The Evolution of Computing – VMs
• You can run multiple Virtual Machines on one machine.
• The Hypervisor is the software layer that lets you run the VMs
• A physical server shared by multiple customers
• You pay for a fraction of the server
• You'll overpay for an underutilized Virtual Machine
• You are limited by your Guest Operating System
• Multiple apps on a single Virtual Machine can result in conflicts in resource sharing
• Easy to export or import images for migration
• Easy to vertically or horizontally scale

The Evolution of Computing – Containers
• A Virtual Machine running multiple containers
• The Docker Daemon is the name of the software layer that lets you run multiple containers.
• You can maximize the utilization of the available capacity, which is more cost-effective
• Your containers share the same underlying OS, so containers are more efficient than multiple VMs
• Multiple apps can run side by side without being limited to the same OS requirements and will not cause conflicts during resource sharing

The Evolution of Computing – Functions
• Managed VMs running managed containers.
• Known as Serverless Compute
• You upload a piece of code, choose the amount of memory and duration.
• Only responsible for code and data, nothing else
• Very cost-effective: only pay for the time code is running; VMs only run when there is code to be executed
• Cold Starts are a side-effect of this setup
Google Cloud Console

The Google Cloud Console is a web-based, unified console that provides an alternative to command-line tools.
Build, manage, and monitor everything from simple web apps to complex cloud deployments.
Cloud SDK
A Software Development Kit (SDK) is a collection of software development tools in one installable package.

You can use the Cloud SDK to programmatically create, modify, delete or interact with Google Cloud resources.

Google Cloud SDK is offered in various programming languages:
• Java
• Python
• Node.js
• Ruby
• Go
• .NET
• PHP
Cloud CLI

A Command Line Interface (CLI) processes commands to a computer program in the form of lines of text.

Operating systems (OS) implement a command-line interface in a shell or terminal.

Cloud Shell
Cloud Shell is a free online environment, with
• command-line access for managing your infrastructure
• online code editor for cloud development
Google Cloud - Projects
A Project in Google Cloud is a logical grouping of resources.
A cloud resource must belong to a project.

A project is made up of the:
• settings
• permissions
• other metadata

A project can't access another project's resources unless you use Shared VPC or VPC Network Peering.

Resources within a single project can work together easily, for example by communicating through an internal network, subject to the regions-and-zones rules.

Each Google Cloud project has the following:
• A project name, which you provide.
• A project ID, which you can provide or Google Cloud can provide for you.
• A project number, which Google Cloud provides.

As you work with Google Cloud, you'll use these identifiers in certain command lines and API calls.

• Each project ID is unique across Google Cloud.
• Once you have created a project, you can delete the project, but its ID can never be used again.
• When billing is enabled, each project is associated with one billing account.
• Multiple projects can have their resource usage billed to the same account.
• A project serves as a namespace.
• This means every resource within each project must have a unique name, but you can usually reuse resource names if they are in separate projects.
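As an added illustration for this section (not from the original slides), the following Python models the project-ID and namespace rules listed above. The ID format rules it checks (6 to 30 characters; lowercase letters, digits and hyphens; starting with a letter; not ending with a hyphen; no restricted strings such as "google" or "ssl") come from Google's documentation rather than from the slides and are assumed current. The ProjectRegistry class and the sample IDs are constructed for the demo and are not a Google API.

```python
import re
from typing import Dict, List, Set

# Format rules for a user-chosen project ID, as documented by Google (assumed
# current; confirm against the Cloud Console or gcloud docs): 6 to 30
# characters, lowercase letters, digits and hyphens only, must start with a
# letter and must not end with a hyphen. Google also rejects IDs containing
# restricted strings; "google" and "ssl" are two documented examples.
MIN_LEN, MAX_LEN = 6, 30
RESTRICTED_SUBSTRINGS = ("google", "ssl")


def validate_project_id(project_id: str) -> List[str]:
    """Return every rule the ID breaks; an empty list means it looks valid."""
    problems: List[str] = []
    if not MIN_LEN <= len(project_id) <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN}-{MAX_LEN}, got {len(project_id)}")
    if not re.fullmatch(r"[a-z0-9-]*", project_id):
        problems.append("only lowercase letters, digits and hyphens are allowed")
    if not project_id[:1].isalpha() or not project_id[:1].islower():
        problems.append("must start with a lowercase letter")
    if project_id.endswith("-"):
        problems.append("must not end with a hyphen")
    for word in RESTRICTED_SUBSTRINGS:
        if word in project_id:
            problems.append(f"must not contain restricted string {word!r}")
    return problems


class ProjectRegistry:
    """Toy model (constructed, not a Google API) of the namespace rules on the
    slide: a project ID is unique across Google Cloud and can never be reused
    once the project is deleted; a resource name must be unique within its
    project but may be reused in another project."""

    def __init__(self) -> None:
        self._live: Dict[str, Set[str]] = {}   # project ID -> resource names
        self._retired: Set[str] = set()        # IDs of deleted projects

    def create_project(self, project_id: str) -> None:
        problems = validate_project_id(project_id)
        if problems:
            raise ValueError(f"invalid project ID {project_id!r}: " + "; ".join(problems))
        if project_id in self._live or project_id in self._retired:
            raise ValueError(f"project ID {project_id!r} is taken and cannot be reused")
        self._live[project_id] = set()

    def delete_project(self, project_id: str) -> None:
        del self._live[project_id]             # KeyError if no such live project
        self._retired.add(project_id)          # the ID stays burned forever

    def add_resource(self, project_id: str, name: str) -> None:
        names = self._live[project_id]
        if name in names:
            raise ValueError(f"{name!r} already exists in project {project_id!r}")
        names.add(name)


def demo() -> Dict[str, bool]:
    """Exercise the rules with constructed IDs; returns which rules fired."""
    reg = ProjectRegistry()
    reg.create_project("acme-web-prod")
    reg.create_project("acme-web-dev")
    reg.add_resource("acme-web-prod", "frontend-vm")
    reg.add_resource("acme-web-dev", "frontend-vm")   # same name, other project: allowed
    fired = {"duplicate_name_in_project": False, "id_reuse_after_delete": False}
    try:
        reg.add_resource("acme-web-prod", "frontend-vm")
    except ValueError:
        fired["duplicate_name_in_project"] = True
    reg.delete_project("acme-web-dev")
    try:
        reg.create_project("acme-web-dev")
    except ValueError:
        fired["id_reuse_after_delete"] = True
    return fired


if __name__ == "__main__":
    for candidate in ("acme-web-prod", "Acme-Web", "abc", "my-google-app", "acme-web-"):
        print(candidate, "->", validate_project_id(candidate) or "ok")
    print(demo())
```

Running the script lists why each constructed candidate ID is rejected, then shows that a duplicate resource name is refused inside one project while the same name is fine in a second project, and that a deleted project's ID cannot be recreated.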
Google Cloud — Folders

Folders allow you to logically group multiple projects that share common IAM permissions.

Folders are commonly used to isolate projects for different departments or for different environments.
Global Infrastructure
What is global infrastructure?
Global infrastructure refers to the global presence of datacenters, networking and cloud resources available to the customer.

• 25 Regions
• 76 Zones
• 144 Network Edge Locations
• 200+ Countries

(Photos: exterior and interior of a Google Cloud Datacenter)
Global Infrastructure - Regions
Regions are independent geographic areas that consist of zones.
GCP has 25 Regions.

Americas
Oregon (us-west1)
Los Angeles (us-west2)
Salt Lake City (us-west3)
Las Vegas (us-west4)
Iowa (us-central1)
South Carolina (us-east1)
N. Virginia (us-east4)
Montréal (northamerica-northeast1)
São Paulo (southamerica-east1)

Europe
London (europe-west2)
Belgium (europe-west1)
Netherlands (europe-west4)
Zurich (europe-west6)
Frankfurt (europe-west3)
Finland (europe-north1)
Warsaw (europe-central2)

Asia Pacific
Mumbai (asia-south1)
Singapore (asia-southeast1)
Jakarta (asia-southeast2)
Hong Kong (asia-east2)
Taiwan (asia-east1)
Tokyo (asia-northeast1)
Osaka (asia-northeast2)
Sydney (australia-southeast1)
Seoul (asia-northeast3)
Global Infrastructure - Regions

When you are launching a new cloud resource such as a VM instance, you will need to choose the region.
Global Infrastructure – Edge Network
Edge networking is the practice of having compute and data storage resources as close as possible to the end user, in order to deliver the lowest latency and to save bandwidth.

A Point of Presence (PoP) is an intermediate location between a GCP Region and the end user.
This location could be a third-party datacenter or a collection of hardware.

Edge PoP
A location where a user can quickly enter (ingress) the GCP Network for accelerated access to cloud resources.

CDN PoP
A location to serve (egress) cached websites, files and assets so they load very fast for the end user.

Cloud Media Edge
A location specialized for the delivery of media such as video content.
Global Infrastructure – Zones

A Zone is a physical location made up of one or more datacenters.

A datacenter is a secured building that contains hundreds of thousands of computers.

A region will *generally contain 3 Zones.

Datacenters within a region will be isolated from each other (so different buildings), but they will be close enough to provide low latency.

It's common practice to run workloads in at least 3 Zones to ensure services remain available in case one or two datacenters fail (High Availability).

Once you have chosen your Region, you will proceed to choose your Zone or Zones when launching cloud resources.
Global Infrastructure — Resource Scoping

A Zone is a deployment area for Google Cloud resources within a region.
• Zones should be considered a single failure domain within a region.
• Deploy redundant resources in multiple zones (multi-zone) for fault tolerance and high availability.

Products/services can be scoped as:

Zonal resource – Resource resides in a single zone in a single region.
Regional resource – Resource resides in multiple zones in a single region.
Multi-regional resource – Resource resides across multiple specific zones.
Global service – Resources reside globally, and regions and zones are abstracted away.
Internal Services – Foundational services used by many other services. You don't interact with these services directly; they are managed by Google. Spanner, Colossus, Borg, and Chubby.
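The following Python is an added example (not from the original slides) that models two ideas from this section and from the High Availability section earlier: a load balancer that keeps routing only to healthy backends outside a failed zone, and a check that a deployment spans at least three zones per region so that no single zone is a failure domain. The Backend class, the constructed fleet of six backends, and the zone-name parsing are assumptions for the demo, not Google's implementation.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class Backend:
    name: str
    zone: str            # GCP-style zone name, e.g. "us-central1-a"
    healthy: bool = True  # result of the load balancer's health check


def region_of(zone: str) -> str:
    """'us-central1-a' -> 'us-central1'. A zone name is its region plus a
    one-letter suffix; anything else is rejected."""
    region, sep, suffix = zone.rpartition("-")
    if not sep or len(suffix) != 1 or not suffix.isalpha():
        raise ValueError(f"not a zone name: {zone!r}")
    return region


def zones_per_region(backends: Iterable[Backend]) -> Dict[str, Set[str]]:
    """Map each region to the set of zones the fleet actually occupies."""
    spread: Dict[str, Set[str]] = defaultdict(set)
    for b in backends:
        spread[region_of(b.zone)].add(b.zone)
    return dict(spread)


def single_failure_domains(backends: Iterable[Backend], min_zones: int = 3) -> List[str]:
    """Regions where the workload sits in fewer than min_zones zones, so one
    or two zone failures could take the whole regional deployment down."""
    return sorted(region for region, zones in zones_per_region(backends).items()
                  if len(zones) < min_zones)


def route(backends: Iterable[Backend], failed_zones: Iterable[str] = ()) -> List[str]:
    """Backends a load balancer keeps sending traffic to: those passing their
    health check and outside any failed zone. An empty list is an outage."""
    failed = set(failed_zones)
    return [b.name for b in backends if b.healthy and b.zone not in failed]


# Constructed fleet: six backends over four zones of one region; web-6 is
# currently failing its health check.
FLEET = (
    Backend("web-1", "us-central1-a"),
    Backend("web-2", "us-central1-a"),
    Backend("web-3", "us-central1-b"),
    Backend("web-4", "us-central1-b"),
    Backend("web-5", "us-central1-c"),
    Backend("web-6", "us-central1-f", healthy=False),
)

if __name__ == "__main__":
    print("regions with too few zones:", single_failure_domains(FLEET))
    print("all zones up:          ", route(FLEET))
    print("zone a lost:           ", route(FLEET, ["us-central1-a"]))
    print("zones a and b lost:    ", route(FLEET, ["us-central1-a", "us-central1-b"]))
```

Losing two of the three populated zones still leaves web-5 serving, which is the point of the "at least 3 Zones" guidance; a fleet confined to two zones of europe-west2 would instead be flagged by single_failure_domains.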
Global Infrastructure – Data Residency
What is Data Residency?
The physical or geographic location where an organization's data or cloud resources reside.

What are Compliance Boundaries?
A regulatory compliance (legal requirement) by a government or organization that describes where data and cloud resources are allowed to reside.

For workloads that need to meet compliance boundaries, strictly defining the data residency of data and cloud resources in GCP, you can use:

Assured Workloads
A feature that allows you to apply various security controls to an environment:
• Data Residency
• Personnel data access controls based on attributes
• Personnel support case ownership controls based on attributes
• Encryption

You need to update an Organization Policy called "Resource Location Restriction" and choose the allowed regions or multi-regions.
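As an added example (not part of the original slides), this Python emulates how a Resource Location Restriction policy is evaluated against a requested location. The constraint name constraints/gcp.resourceLocations and the gcloud resource-manager org-policies set-policy command are real; the policy contents are constructed, and the expansion of value groups such as in:europe-locations by region-name prefix is a simplified assumption rather than Google's actual group membership. Google evaluates the real policy server-side when a resource is created; this emulator only shows the shape of that decision.

```python
from typing import Dict, List

# Constructed policy document in the shape accepted by
#   gcloud resource-manager org-policies set-policy policy.yaml --organization=ORG_ID
# for the list constraint behind "Resource Location Restriction".
POLICY: Dict = {
    "constraint": "constraints/gcp.resourceLocations",
    "listPolicy": {"allowedValues": ["in:europe-locations", "us-east1"]},
}

# ASSUMPTION: a continent-wide value group such as in:europe-locations is
# expanded here by region-name prefix plus that continent's multi-region
# codes. Google maintains the real membership lists; this only approximates them.
CONTINENT_GROUPS = {
    "europe": {"prefix": "europe-", "multi_regions": ("eu",)},
    "us": {"prefix": "us-", "multi_regions": ("us",)},
    "asia": {"prefix": "asia-", "multi_regions": ("asia",)},
}


def region_of_location(location: str) -> str:
    """Normalise a zone to its region ('europe-west2-b' -> 'europe-west2').
    Regions and multi-regions ('eu', 'us') pass through unchanged."""
    head, sep, tail = location.rpartition("-")
    if sep and len(tail) == 1 and tail.isalpha():
        return head
    return location


def value_covers(value: str, region: str) -> bool:
    """Does one allowedValues entry cover this region or multi-region?"""
    if not value.startswith("in:"):
        return region == value                          # a literal location
    group = value[len("in:"):]
    if not group.endswith("-locations"):
        raise ValueError(f"unrecognised value group: {value!r}")
    stem = group[: -len("-locations")]
    if stem in CONTINENT_GROUPS:                        # e.g. in:europe-locations
        spec = CONTINENT_GROUPS[stem]
        return region.startswith(spec["prefix"]) or region in spec["multi_regions"]
    return region == stem                               # e.g. in:europe-west2-locations


def is_allowed(policy: Dict, location: str) -> bool:
    """Emulated check: allowed when any allowedValues entry covers the
    location's region. deniedValues are out of scope for this demo."""
    if policy["constraint"] != "constraints/gcp.resourceLocations":
        raise ValueError("this emulator only understands gcp.resourceLocations")
    region = region_of_location(location)
    return any(value_covers(v, region) for v in policy["listPolicy"].get("allowedValues", []))


def evaluate(policy: Dict, locations: List[str]) -> Dict[str, bool]:
    """Decide a batch of requested locations against one policy."""
    return {loc: is_allowed(policy, loc) for loc in locations}


if __name__ == "__main__":
    requested = ["europe-west2-b", "eu", "us-east1", "us-central1-a", "asia-south1"]
    for loc, ok in evaluate(POLICY, requested).items():
        print(f"{loc:16} {'allowed' if ok else 'DENIED by policy'}")
```

A zone inherits its region's decision, a multi-region such as eu is covered by the continent group, and anything outside the allowed list (us-central1-a, asia-south1 in the constructed run) is refused, which is the behaviour a data-residency boundary is meant to enforce.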
Global Infrastructure – Cloud Interconnect
Cloud Interconnect provides direct physical connections between your on-premises network and Google's network.

Cloud Interconnect enables you to transfer large amounts of data between networks, which can be more cost-effective than purchasing additional bandwidth over the public internet.

Cloud Interconnect has two offerings: Dedicated and Partner.

Dedicated – A direct physical connection between the on-premises network and Google's network through a co-location facility. Between 10 and 200 Gbps.

Partner – A direct physical connection between the on-premises network and Google's network through a trusted third-party. Between 50 Mbps and 10 Gbps.

A co-location (aka carrier-hotel) is a data center where equipment, space, and bandwidth are available for rental to retail customers.
Global Infrastructure – Google Cloud for government

What is Public Sector?
Public sectors include public goods and governmental services such as:
• military
• law enforcement
• infrastructure
• public transit
• public education
• health care
• the government itself

Google Cloud can be utilized by the public sector or by organizations developing cloud workloads for the public sector.

Google Cloud achieves this by meeting regulatory compliance programs along with specific governance and security controls.
Global Infrastructure – Google Cloud for government

Federal Risk and Authorization Management Program (FedRAMP)
A US government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.

What is GovCloud?
A Cloud Service Provider (CSP) generally will offer an isolated region to run FedRAMP workloads.
A GovCloud offering in practice can result in degraded service offerings, lower service availability, and higher operational cost.

Google Cloud has an alternate offering to GovCloud where FedRAMP workloads are authorized in GCP's usual regions' datacenters. This scheme mitigates the disadvantages of a GovCloud offering.

GCP Regions will be authorized for either the High or Moderate baseline.
Global Infrastructure - Latency

What is Latency?
Latency is the time delay between two physical systems.

What is Lag?
Lag is the noticeable delay between the actions of input and the reactions of the server sent back to the client.

Inter-Regional Latency – The latency between regions; triple-digit milliseconds (the diagram shows ~500ms between us-east-1 and us-west-1).
Inter-Zonal Latency – The latency between zones residing in a single region; double-digit milliseconds (the diagram shows ~10ms between us-east-1-a and us-east-1-b).
Innovation Waves
Kondratiev waves (also known as Innovation Waves) are hypothesized cycle-like phenomena in the global world economy.
The phenomenon is closely connected with technology life cycles.

A common pattern of a wave is a change of supply and demand.
Each wave irreversibly changes society on a global scale.
The latest wave is Cloud Technology.

Burning Platform
Burning platform is a term used when a company abandons old technology for new technology with the uncertainty of success. It can be motivated by fear that the organization's future survival hinges on its digital transformation.
Evolution of Computing Power
What is Computing Power?
The throughput measured at which a computer can complete a computational task.

General Computing – Xeon CPU Processor
Tensor Computing – Tensor Processing Unit 3.0 (TPUs); 50x faster than traditional CPUs
Quantum Computing – Google Foxtail (2016), Google Bristlecone (2017), Google Sycamore (2018); 100 million times faster

Google's Cloud Service Offering: Compute Engine, Cloud TPU, Google Quantum AI
Digital Transformation

Digital Transformation is the adoption of digital technology to transform services or businesses through:
• replacing non-digital or manual processes with digital processes (going paperless)
• replacing older digital technology with newer digital technology (adopting cloud technology)

Google's Digital Transformation Concept – Google's 7 Solution Pillars:
Infrastructure modernization
Business applications platform portfolio
Application modernization
Database and storage solutions
Smart Analytics
Artificial Intelligence
Security
Google Cloud Solution Pillars
1. Infrastructure modernization
Replacing legacy hardware and software systems with cloud solutions. Allows organizations to adopt hybrid architectures and have more infrastructure mobility, choosing a mix of the best cloud service provider offerings for their organization's use-case.
Anthos – Manage compute from both on-premise and public cloud in a single unified interface.

2. Business applications platform portfolio
The backbone of cloud service providers (CSPs) is built on top of robust, well documented APIs standardized across all offered cloud services. Organizations can focus on the configuration and interconnections of various systems instead of having to build their own systems.
• Cloud SDK
• Cloud API
• Cloud CLI
• Google Cloud Documentation

3. Application modernization
Building web-applications on top of cloud services allows organizations to globally deliver and rapidly iterate faster than ever before. CSPs offer automated deployment pipelines, AI-powered code-reviews, easy staging and testing of new features, the ability to test in production, and rollback of changes. Apps are more durable and can remain available even when facing catastrophic regional failure.
App Engine – Migrate your web-app over to App Engine. You just upload your code and it mostly does the rest.

4. Database and storage solutions
Most companies can tolerate losing application code; you can always rewrite. Losing data is not something you can recover from. Cloud service providers have guaranteed SLAs of data durability, as well as the ability to easily migrate and secure your data.
Cloud Storage – Store files and documents as objects. Availability 99.5% SLA
Google Cloud Solution Pillars
5. Smart Analytics
When you store data on cloud service providers, you can tap into BigData and BI cloud offerings assisted by AI to help you analyze your data.
Data exploration and discovery business intelligence platform acquired by Google and now part of GCP.

6. Artificial Intelligence
AI, Deep learning, and Machine Learning are specialized domains that traditionally required scarce and expensive subject matter experts. Cloud is commoditizing and simplifying AI knowledge while driving costs lower for adoption.
Vertex AI – Unified platform for AI, ML, DL and AutoML
TensorFlow – A deep learning framework

7. Security
Cloud services by default have strong mechanisms built in for Security, Governance, and Compliance.
CSPs are continually developing new and innovative security offerings, not just at the service-per-service level, but to analyze, recommend and remediate at the project and organization level.
You can easily and quickly audit and apply security controls to become compliant in a fraction of the time of an on-premise solution.
Identity and Access Management (IAM) – Role-based access controls and user management
BeyondCorp – Zero trust model framework
Security Command Center – Centralized visibility and control
Google Cloud Adoption Framework
Google Cloud Adoption Framework (GCAF) is a whitepaper that
• determines an organization's readiness to adopt Google Cloud
• gives steps to fill in the knowledge gaps
• helps develop new competencies

What is a whitepaper?
A report or guide that informs readers concisely about a complex issue.
It is intended to help readers understand an issue, solve a problem, or make a decision.

Whitepapers are generally PDFs but can be in HTML format as well.

The GCAF is composed of:
• 4 themes — Learn, Lead, Scale, Secure
• 3 maturity phases — Tactical, Strategic, Transformational
• Cloud Maturity Scale — Matrix of Themes and Phases
• Epics — Workstreams to scope and structure cloud adoption
• Programs — Logical Grouping of Epics
GCAF — Themes
Learn — The quality and scale of the learning programs you have in place to upskill your technical teams. Your ability to augment your IT staff with experienced partners.
• Who is engaged?
• How widespread is that engagement?
• How concerted is the effort?
• How effective are the results?

Lead — The extent to which IT teams are supported by a mandate from leadership to migrate to cloud. The degree to which the teams themselves are cross-functional, collaborative, and self-motivated.
• How are the teams structured?
• Have they got executive sponsorship?
• How are cloud projects budgeted, governed, assessed?

Scale — The extent to which you use cloud-native services that reduce operational overhead and automate manual processes and policies.
• How are cloud-based services provisioned?
• How is capacity for workloads allocated?
• How are application updates managed?

Secure — The capability to protect your services from unauthorized and inappropriate access with a multilayered, identity-centric security model. Dependent also on the advanced maturity of the other three themes.
• What controls are in place?
• What technologies are used?
• What strategies govern the whole?
GCAF — Phases

Tactical (Short term): Individual workloads are in place, but no coherent plan.
The focus is on reducing the cost of discrete systems.
Getting to the cloud with minimal disruption.
The wins are quick, but there is no provision for scale.

Strategic (Mid term): A broader vision governs individual workloads, which are designed and developed with an eye to future needs and scale.
You have begun to embrace change, and people and processes are now involved in the adoption strategy.
IT teams are both efficient and effective, increasing the value of harnessing the cloud for your business operations.

Transformational (Long term): Cloud operations are functioning smoothly.
The focus is on integrating the data and insights working in the cloud.
Existing data is transparently shared. New data is collected and analyzed.
Predictive and prescriptive analytics via Machine Learning (ML) are used.
People and processes are being transformed, which further supports technological changes.
IT is no longer a cost center, but has become instead a partner to the business.
GCAF — Cloud Maturity Scale
The Cloud Maturity Scale is a matrix made up of themes and phases.
This helps your organization pinpoint its exact adoption position.

Phase                        | Learn                         | Lead                              | Scale                                      | Secure
Tactical (short-term)        | Self taught; 3rd party reliance | Teams by function; heroic project manager | Change is slow and risky; ops heavy  | Fear of public internet; trust in private network
Strategic (mid-term)         | Organized training; 3rd party assisted | New cross-functional cloud team | Templates ensure good governance without manual review | Central identity; hybrid network
Transformational (long-term) | Peer learning and sharing; 3rd party staff augmentation | Cross-functional feature teams; greater autonomy | All change is constant, low risk and quickly fixed | Trust only the right people, devices and services
GCAF — Epics

When you’ve determined where your organization is in the adoption process using the Cloud Maturity Scale,
then you need to define Epics.

Epics are workstreams to scope and structure cloud adoption:
• epics are defined so that they do not overlap
• they are aligned to manageable groups of stakeholders
• they can be further broken down into individual user stories

The epics shown on the slide, grouped by segment:
• People — People Operations, Communication, Sponsorship, Experience, Team-work, Upskills
• Tech — Identity & Access, Cost Control, Data Mgmt., Networking, Architecture
• Process — Incident Management, Resource Management, Infra as Code, CI/CD, Instrumentation
• Other labels on the diagram: Behaviours, External

If you are limited in time and resources, focus on the epics in the coloured segments,
since these align with Learn, Lead, Scale, and Secure.
GCAF —Programs
Programs are logical groupings of epics that correlate to themes, to allow you to focus specific adoption efforts:
• Training Program — Learn
• Change Management — Lead
• Cloud Operation Model — Scale
• Secure Account Setup — Secure
GCAF — TAM

A Technical Account Manager (TAM) is a human resource assigned to work with your organization when paying for Google Cloud’s Premium Support.

A TAM can assist with the Google Cloud Adoption Framework by:
• performing a high-level assessment of your organization’s cloud maturity
• telling you how to prioritize your:
  • training and change management programs
  • partner relationships
  • cloud operating model
  • secure account configuration
Cloud Maturity Assessment
The Cloud Maturity Assessment is a guided form to assess your organization against the
Google Cloud Adoption Framework along four themes - Learn, Lead, Scale and Secure.

It is a simple multiple choice form. You will get an email with your maturity phase,
with additional information on how you compare to the average.

Compute
Compute Engine — Virtual Machines
Create and deploy scalable, high-performance VMs.
Bare Metal Solution
Providing hardware to run specialized workloads with low latency on Google Cloud.
App Engine — Platform as a Service
Build and deploy apps on a fully managed, highly scalable platform without having to manage the underlying infrastructure.
Cloud GPUs
Add GPUs to your workloads for machine learning, scientific computing, and 3D visualization.
Google Kubernetes Engine (GKE)
Reliably, efficiently, and securely deploy and scale containerized applications on Kubernetes.
Sole-tenant nodes — Dedicated Virtual Machines
Help meet compliance, licensing, and management needs by keeping your instances physically separated with dedicated hardware.
Cloud Functions — Function as a Service (FaaS)
Create serverless, single-purpose functions that respond to events.
Google Cloud VMware Engine
Migrate and run your VMware workloads natively on Google Cloud.
Preemptible VMs
Deploy affordable, short-lived compute instances suitable for batch jobs and fault-tolerant workloads.
Migrate for Compute Engine (formerly Velostrata)
Migrate servers and VMs from on-premises or another cloud to Compute Engine.
Shielded VMs
Deploy hardened virtual machines on Google Cloud.
App Engine

App Engine is a Platform as a Service (PaaS) for your application.
Quickly deploy and scale web applications without worrying about the underlying infrastructure.
Think of it like the Heroku of GCP.

Use your favourite programming language:
• Node.js, Java, Ruby, C#, Go, Python, or PHP
• Bring-Your-Own-Language-Runtime (BuoLR)
• custom docker container

Powerful application diagnostics:
• Cloud Monitoring and Cloud Logging to monitor the health and performance
• Cloud Debugger and Error Reporting to diagnose and fix bugs quickly

Application versioning — easily create development, test, staging, and production environments.
Traffic splitting — route incoming requests to different app versions, A/B test, and do incremental feature rollouts.
Application security:
• defining access rules with App Engine firewall
• leverage managed SSL/TLS certificates by default
App Engine — Environments

App Engine has two types of environments: Flexible and Standard.
You can simultaneously use both environments for your application.
App Engine is well suited to applications that are designed using a microservice architecture.

Standard (serverless compute)                               | Flexible (fully managed containers)
• starts in seconds                                         | • starts in minutes
• runs in a sandbox                                         | • runs within Docker containers on Compute Engine (VMs)
• designed for rapid scaling (sudden traffic spikes)        | • designed for predictable and consistent traffic
• supports specific language versions, not custom runtimes  | • supports generally any language version, or run a custom runtime
• can scale to zero instances (scale to zero)               | • must have at least one instance running
• pricing based on hours                                    | • pricing based on vCPUs, memory and disks
• cannot SSH to debug                                       | • can SSH to debug
• no background processes                                   | • can have background processes
Containers
Google Kubernetes Engine (GKE)
Reliably, efficiently, and securely deploy and scale containerized applications on Kubernetes.
Cloud Build
Continuously build, test, and deploy containers using the Google Cloud infrastructure.
Artifact Registry
Store, manage, and secure container images and language packages.
Container Registry
Store, manage, and secure your Docker container images.
Container-Optimized OS
You can deploy docker containers to any Compute Engine VM by enabling container mode.
Cloud Run
Run stateless containers on a fully managed environment or on Anthos.
AI Platform Deep Learning Containers
Take advantage of containers preconfigured with data science frameworks, libraries, and tools.
Kubernetes applications on Google Cloud Marketplace
Deploy prebuilt containerized apps.
Efficiently run batch jobs using Kubernetes.
Kubernetes
Kubernetes is an open-source container orchestration system for automating deployment, scaling and management of containers.
Originally created by Google and now maintained by the Cloud Native Computing Foundation (CNCF).

Kubernetes is commonly called K8
• The 8 represents the remaining letters “ubernete”

The advantage of Kubernetes over Docker is the ability to run containers distributed across multiple VMs.

A unique component of Kubernetes are Pods.
A pod is a group of one or more containers with shared storage, network resources and other shared settings.

Kubernetes is ideal for micro-service architectures where a company has tens to hundreds of services they need to manage.
Databases

BigQuery — Serverless Data Warehouse
Built-in ML! Uses SQL.
Cloud Bigtable — NoSQL key/value store
Store terabytes or petabytes of data using a NoSQL wide-column database service.
Fully managed NoSQL database for large analytic and operational workloads.
Cloud Spanner — Fully-managed relational database
A proprietary relational database designed for scale.
Cloud SQL — Relational database service
MySQL, PostgreSQL, and SQL Server database services.
Firestore — NoSQL document database
A NoSQL document database for mobile and web apps.
Memorystore — In-memory
Achieve extreme performance using a managed in-memory data store service.
Firestore Realtime
Store and sync data in real time.
Database Migration Service (DMS)
Serverless, easy, minimal downtime migrations to Cloud SQL.
What is a Database?
A database is a data store that stores semi-structured and structured data.
A database is a more complex data store because it requires using formal design and modeling techniques.

Databases can be generally categorized as either:
• Relational databases
  • Structured data that strongly represents tabular data (tables, rows and columns)
  • Row-oriented or column-oriented
• Non-relational databases
  • Semi-structured data that may or may not distantly resemble tabular data

Databases have a rich set of functionality:
• a specialized language to query (retrieve data)
• specialized modeling strategies to optimize retrieval for different use cases
• more fine-tuned control over the transformation of the data into useful data structures or reports

Normally “a database” implies someone is using a relational, row-oriented data store.
What is Data Warehouse?

A relational data store designed for analytic workloads, which is generally a column-oriented data store.

Companies will have terabytes and millions of rows of data, and they need a fast way to be able to produce analytics reports.

Data warehouses generally perform aggregation:
• aggregation is grouping data, eg. find a total or average
• Data warehouses are optimized around columns since they need to quickly aggregate column data

Data warehouses are generally designed to be HOT:
• Hot means they can return queries very fast even though they have vast amounts of data

Data warehouses are infrequently accessed, meaning they aren’t intended for real-time reporting but maybe once or twice a day or
once a week to generate business and user reports.
A data warehouse needs to consume data from relational databases on a regular basis.
What is a Key / Value store?
A key-value database is a type of non-relational database (NoSQL) that uses a simple key-value method to store data.

A key/value store stores a unique key alongside a value:

Key        | Value
Data       | 1010101000101011001010010101001
Worf       | 0110101100010101010101011100010
Ro Laren   | 0010101001010110010101010101010

Key/value stores are dumb and fast. They generally lack features like:
• Relationships
• Indexes
• Aggregation

A simple key/value store will interpret this data as resembling a dictionary (aka associative array or hash):

Key        | Value
Data       | {species: android, rank: ‘lt commander’ }
Worf       | {species: klingon, rank: ‘lt commander’ }
Ro Laren   | {species: bajoran, affiliation: ‘maquis’}

A key/value store can resemble tabular data, but it does not have to have consistent columns per row (hence it is schemaless):

Key (Name) | Species | Rank         | Affiliation
Data       | android | Lt commander |
Worf       | klingon | Lt commander |
Ro Laren   | bajoran |              | maquis

Due to their simple design they can scale well beyond a relational database.
What is a Document store?
A document store is a NoSQL database that stores documents as its primary data structure.
A document could be XML but more commonly is JSON or JSON-like.
Document stores are a sub-class of key/value stores.

The components of a document store compared to a relational database:

Database (RDBMS) | Database (Document)
Tables           | Collections
Rows             | Documents
Columns          | Fields
Indexes          | Indexes
Joins            | Embedding and Linking


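The key/value and document-store slides above describe the behaviour; the following is an added example (not from the original slides) that builds a toy key/value store and layers a document store on it, using the slides' constructed Star Trek data. It shows why a plain key/value store is "dumb and fast" (O(1) by key, no indexes, no relationships, no aggregation), how schemaless rows tolerate missing fields, and how a document store maps collections, documents, fields, and embedding/linking onto the same primitive. The collection/ship names and the `posting` link field are constructed.

```python
"""Added example (not from the original slides): a toy key/value store and a
document store layered on it, using the slides' constructed Star Trek data."""
import json
from collections import Counter
from typing import Any, Dict, Iterator, Optional, Tuple


class KeyValueStore:
    """Keys map to opaque byte strings; the store never looks inside a value."""

    def __init__(self) -> None:
        self._data: Dict[str, bytes] = {}

    def put(self, key: str, value: bytes) -> None:
        self._data[key] = value

    def get(self, key: str) -> Optional[bytes]:
        return self._data.get(key)          # the only fast operation: lookup by key

    def scan(self) -> Iterator[Tuple[str, bytes]]:
        yield from self._data.items()       # any other "query" must touch every record


class DocumentStore:
    """A document store is a key/value store whose values are JSON documents
    grouped into collections (the RDBMS 'table' equivalent)."""

    def __init__(self) -> None:
        self._kv = KeyValueStore()

    @staticmethod
    def _key(collection: str, doc_id: str) -> str:
        return f"{collection}/{doc_id}"

    def insert(self, collection: str, doc_id: str, doc: Dict[str, Any]) -> None:
        self._kv.put(self._key(collection, doc_id), json.dumps(doc).encode())

    def get(self, collection: str, doc_id: str) -> Optional[Dict[str, Any]]:
        raw = self._kv.get(self._key(collection, doc_id))
        return None if raw is None else json.loads(raw)

    def find(self, collection: str, field: str, value: Any) -> Dict[str, Dict[str, Any]]:
        """Filter on a field: with no index this is a full scan of the collection,
        and documents lacking the field are simply skipped (schemaless rows)."""
        prefix = collection + "/"
        hits: Dict[str, Dict[str, Any]] = {}
        for key, raw in self._kv.scan():
            if key.startswith(prefix):
                doc = json.loads(raw)
                if doc.get(field) == value:
                    hits[key[len(prefix):]] = doc
        return hits

    def count_by(self, collection: str, field: str) -> Dict[Any, int]:
        """Aggregation (the GROUP BY an RDBMS does natively) also needs a full scan;
        documents without the field land under the None bucket."""
        prefix = collection + "/"
        counts: Counter = Counter()
        for key, raw in self._kv.scan():
            if key.startswith(prefix):
                counts[json.loads(raw).get(field)] += 1
        return dict(counts)

    def resolve_link(self, doc: Dict[str, Any], field: str, collection: str) -> Optional[Dict[str, Any]]:
        """Linking: the document holds another document's key; the application does the 'join'."""
        return self.get(collection, doc[field])


def build_crew_store() -> DocumentStore:
    """Constructed sample data from the slide; 'posting' is a constructed link to the ships collection."""
    store = DocumentStore()
    store.insert("ships", "ncc-1701-d", {"name": "Enterprise", "class": "Galaxy"})
    store.insert("crew", "Data", {"species": "android", "rank": "lt commander",
                                  "posting": "ncc-1701-d"})
    store.insert("crew", "Worf", {"species": "klingon", "rank": "lt commander",
                                  "posting": "ncc-1701-d"})
    store.insert("crew", "Ro Laren", {"species": "bajoran", "affiliation": "maquis"})
    return store


if __name__ == "__main__":
    s = build_crew_store()
    print(s.get("crew", "Worf"))                               # O(1) lookup by key
    print(sorted(s.find("crew", "rank", "lt commander")))      # full scan: ['Data', 'Worf']
    print(s.count_by("crew", "rank"))                          # {'lt commander': 2, None: 1}
    print(s.resolve_link(s.get("crew", "Data"), "posting", "ships"))
```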
Serverless Services
What is Serverless?
Serverless architectures are fully-managed services that automatically scale, and are highly available,
durable and secure by default. They abstract away the underlying infrastructure and are billed based on
the execution of your business task: pay-for-value (you don’t pay for idle servers).
Serverless can scale-to-zero, meaning when not in use they cost nothing.

Cloud Functions — Function as a Service
Choose a runtime, upload single-function code. Intended to be short-lived.
Cloud Run — serverless containers
Run stateless containers on a fully managed environment or on Anthos.
App Engine — Platform as a Service
Build and deploy apps built using traditional web frameworks. All the underlying infrastructure is taken care of for you.
Eventarc — Serverless event bus
Build event-driven solutions by asynchronously delivering events from Google services, SaaS, and your own apps. Used for application integration.
Knative — Serverless K8 containers
Deploy and manage serverless, cloud-native applications for Kubernetes.
Workflows — Serverless state machine
Orchestrate and automate Google Cloud and HTTP-based API services with serverless workflows.
BigQuery — Serverless data warehouse
Understand your data using a fully managed, highly scalable data warehouse with built-in ML.
Cloud Storage — Serverless storage
Store objects with global edge caching.
Storage

Persistent Disk — block storage
Add block storage to VM instances.
Cloud Storage — object storage
Store objects with global edge caching.
Cloud Storage for Firebase
Add Google-scale object storage and serving to your apps.
Filestore — file-system storage
Create fully managed, high-performance NFS file servers on Google Cloud.
Storage
Block (Persistent Disk)
Data is split into evenly sized blocks.
Directly accessed by the operating system.
Supports only a single write volume.
Use when you need a virtual hard drive attached to a VM.

File (Filestore)
A file is stored with data and metadata.
Multiple connections via a network share.
Supports multiple reads; writing locks the file.
Use when you need a file share where multiple users or VMs need to access the same drive.

Object (Cloud Storage)
An object is stored with data, metadata and a unique ID.
Scales with no file limit or storage limit.
Supports multiple reads and writes (no locks).
Use when you just want to upload files and not have to worry about the underlying infrastructure. Not intended for high IOPS.
Cloud Storage
Cloud Storage is a serverless object storage service.
You don’t have to worry about the underlying disks, right-sizing, availability or durability. You only pay based on storage and download.
• Files are called Objects
• Folders are called Buckets
• Unlimited storage with no minimum object size.
• Worldwide accessibility and worldwide storage locations.
• Low latency (time to first byte typically tens of milliseconds).
• High durability (99.999999999% annual durability).
• Geo-redundancy if the data is stored in a multi-region or dual-region.
• A uniform experience with Cloud Storage features, security, tools, and APIs.
Available Storage Classes
• Standard Storage (0 day min) – when you are frequently using files. The least cost-effective.
• Nearline Storage (30 day min) – when you will only access a file once per month; cheaper than Standard.
• Coldline Storage (90 day min) – higher access cost than Nearline but lower at-rest cost.
• Archive Storage (365 day min) – very slow retrieval, very cost effective, rarely or never intended to be accessed.

Minimum storage duration is the minimum number of days a file needs to remain in a storage class before deleting it; if deleted prematurely, a charge will occur.
Networking
Virtual Private Cloud (VPC) is a logically isolated section of the Google Cloud network where you can launch Google Cloud resources.
You choose a range of IPs using a CIDR range.
A CIDR range of 10.0.0.0/16 = 65,536 IP addresses.

Subnets are a logical partition of an IP network into multiple smaller network segments. You are breaking up your IP range for VPCs into smaller networks.

Subnets need to have a smaller CIDR range than the VPC they represent a portion of.
eg. Subnet CIDR range 10.0.0.0/24 = 256 IP addresses

A Public Subnet is one that can reach the internet.
A Private Subnet is one that cannot reach the internet.


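The CIDR arithmetic and the subnet rule described above, as an added example that is not part of the original slides. It uses Python's standard ipaddress module to count addresses in a block, to check that each subnet sits inside the VPC range, is strictly smaller than it, and does not overlap a sibling, and to list which subnets are public. The VPC range 10.0.0.0/16 and the /24 size are the slide's values; the subnet names and the `public` flag (standing in for "can reach the internet") are constructed.

```python
"""Added example (not from the original slides): CIDR checks for VPC and subnet ranges."""
import ipaddress
from dataclasses import dataclass
from typing import List


def address_count(cidr: str) -> int:
    """Number of addresses in a CIDR block, e.g. 10.0.0.0/16 -> 65536, 10.0.0.0/24 -> 256."""
    return ipaddress.ip_network(cidr, strict=True).num_addresses


@dataclass(frozen=True)
class Subnet:
    name: str
    cidr: str
    public: bool   # constructed attribute: True if the subnet can reach the internet


def validate_subnets(vpc_cidr: str, subnets: List[Subnet]) -> List[str]:
    """Return a list of problems; an empty list means the layout is consistent.
    Checks: each subnet parses, lies inside the VPC range, is strictly smaller
    than it (longer prefix), and does not overlap an earlier subnet."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    problems: List[str] = []
    seen = []
    for s in subnets:
        try:
            net = ipaddress.ip_network(s.cidr, strict=True)
        except ValueError as exc:   # e.g. host bits set, such as 10.0.0.1/24
            problems.append(f"{s.name}: invalid CIDR {s.cidr} ({exc})")
            continue
        if not net.subnet_of(vpc):
            problems.append(f"{s.name}: {s.cidr} is outside VPC range {vpc_cidr}")
        elif net.prefixlen <= vpc.prefixlen:
            problems.append(f"{s.name}: {s.cidr} is not smaller than the VPC range")
        for other_name, other in seen:
            if net.overlaps(other):
                problems.append(f"{s.name}: {s.cidr} overlaps {other_name} ({other})")
        seen.append((s.name, net))
    return problems


def internet_reachable(subnets: List[Subnet]) -> List[str]:
    """Names of the subnets that can reach the internet (the public ones)."""
    return [s.name for s in subnets if s.public]


# Constructed layout: the slide's 10.0.0.0/16 VPC carved into three /24 subnets.
VPC_CIDR = "10.0.0.0/16"
LAYOUT = [
    Subnet("web", "10.0.0.0/24", public=True),
    Subnet("app", "10.0.1.0/24", public=False),
    Subnet("db", "10.0.2.0/24", public=False),
]

if __name__ == "__main__":
    print(address_count(VPC_CIDR), address_count("10.0.0.0/24"))   # 65536 256
    print(validate_subnets(VPC_CIDR, LAYOUT) or "layout OK")
    print("public subnets:", internet_reachable(LAYOUT))          # ['web']
```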
Networking
Cloud Armor
Help protect your services against DoS and web attacks.
Cloud Load Balancing
Scale and distribute app access with high-performance load balancing.
Cloud CDN
Cache your content close to your users using Google's global network.
Cloud NAT
Provision application instances without public IP addresses while allowing them to access the internet.
Cloud DNS
Publish and manage your domain names using Google's reliable, resilient, low-latency DNS serving.
Traffic Director
Deploy global load balancing across clusters and configure sophisticated traffic control policies for open service mesh.
Cloud Interconnect
Connect your infrastructure to Google Cloud on your terms, from anywhere.
Cloud VPN
Securely extend your on-premises network to Google's network through an IPsec VPN tunnel.
Cloud Router
Dynamically exchange routes between your Google Cloud Virtual Private Cloud (VPC) network and your on-premises networks using Border Gateway Protocol (BGP).
Network Intelligence Center
Use a single console for comprehensive network monitoring, verification, and optimization.
Network Telemetry
Track network flows for monitoring, forensics, real-time security analysis, and expense optimization.
Network Service Tiers
Optimize your network for performance or cost.
Networking

Private Google Cloud
allows your instances to reach Google APIs and services using an internal IP address rather than a public IP address

Shared VPC
share subnets with other projects; connect resources from multiple projects to a common VPC

VPC network peering
privately connect two VPC networks, which can reduce latency and cost, and increase security

Serverless VPC Access
allows Cloud Functions, Cloud Run (fully managed) services and App Engine standard environment apps to access resources in a VPC network using those resources’ private IPs
Internal Services
These are Google Cloud’s internal services. Internal services are the
underlying infrastructure to many Google cloud services
Spanner
Globally-consistent, scalable relational database. Cloud Spanner is the external offering of this service.

Borg
A cluster manager that runs hundreds of thousands of jobs, from many thousands of different
applications, across a number of clusters each with up to tens of thousands of machines.

Chubby
A distributed lock manager (DLM) as a service that temporarily prevents files and records from being
used by another user or operation on a Virtual Machine

Colossus
Cluster-level file system, successor to the Google File System (GFS) provides the underlying
infrastructure for all Google Cloud storage services, from Firestore to Cloud SQL to Filestore, and
Cloud Storage.
What is Apigee?

Apigee Corp. was an API management and predictive analytics software provider before its merger into Google Cloud.

Apigee is a founding member of the OpenAPI Initiative
• The OpenAPI 3.0 Specification was originally known as the Swagger Specification

The OpenAPI Specification is an open-source standard for writing the declarative structure of an Application Programming Interface (API).
It can be written in either JSON or YAML format.

Cloud Service Providers (CSPs) will have a fully-managed API service offering known as an API Gateway.
These API Gateways generally support the OpenAPI standard so you can quickly import and export your APIs.
API Management

Apigee API Platform — API Gateway
Develop, secure, deploy, and monitor your APIs everywhere. Expensive, but has many advanced features.
Cloud Endpoints — API Gateway
Develop, deploy, and manage APIs on Google Cloud. Cheap and simple, good integrations with App Engine.
API Analytics
Get insight into operational and business metrics for your APIs.
Developer Portal
Create a lightweight portal that enables developers and API teams, using a turnkey self-service platform.
API Monetization
Realize value from your APIs with a flexible, easy-to-use solution.
Apigee Sense
Add intelligent behavior detection to protect APIs from attacks.
Apigee Hybrid
Manage APIs on-premises, on Google Cloud, or in a hybrid environment.
Cloud Healthcare API
Help secure APIs that power actionable healthcare insights.
Data Analytics

BigQuery
Understand your data using a fully managed, highly scalable data warehouse with built-in ML.
Dataproc
Perform batch processing, querying, and streaming using a managed Apache Spark and Hadoop service.
Cloud Composer
Create, schedule, monitor, and manage workflows using a fully managed orchestration service built on Apache Airflow.
Google Data Studio
Tell great data stories to support better business decisions.
Pub/Sub
Ingest event streams from anywhere, at any scale.
Dataflow
Develop real-time batch and stream data processing pipelines. (Apache Beam)
Data Catalog
Discover and understand your data using a fully managed and scalable data discovery and metadata management service.
Cloud Data Fusion
Quickly build and manage data pipelines using fully managed, code-free data integration with a graphical interface.
Cloud Life Sciences
Process, analyze, and annotate genomics and biomedical data at scale using containerized workflows.
Dataprep by Trifacta
Explore, clean, and prepare data for analysis.
Dataproc vs Dataflow vs Cloud Data Fusion

Dataproc — Open-source pipelines
Perform batch processing, querying, and streaming using a managed Apache Spark and Apache Hadoop service.
Apache Spark is known to be the fastest tool for ELT jobs.

Dataflow — Fully-managed pipelines
Uses Apache Beam. Fully-managed batch and streaming pipelines. You don’t need to balance work, scale workers, or do any other cluster management.

Cloud Data Fusion — Visually build pipelines
A no-code enterprise solution for building ETL pipelines via a drag-and-drop interface.
150+ preconfigured connectors and transformations.

Developer Tools

Artifact Registry
Store, manage, and secure container images and language packages.
Cloud Source Repositories
Manage code and extend your Git workflow by connecting to Cloud Build, App Engine, Cloud Logging, Cloud Monitoring, Pub/Sub, and more.
Cloud SDK
Install a command-line interface to script and manage Google Cloud products from your own computer.
Cloud Scheduler
Schedule batch jobs, big data jobs, and cloud infrastructure operations using a fully managed cron job service.
Container Registry
Store, manage, and secure your Docker container images.
Cloud Tasks
Asynchronously execute, dispatch, and deliver distributed tasks.
Cloud Code
Extend your IDE with tools to write, debug, and deploy Kubernetes applications.
Cloud Code for IntelliJ
Debug production cloud apps inside IntelliJ.
Cloud Build
Continuously build, test, and deploy containers, Java archives, and more using the Google Cloud infrastructure.
Developer Tools

Tools for PowerShell
Use PowerShell to script, automate, and manage Windows workloads running on Google Cloud.
Firebase Test Lab
Test your mobile apps across a wide variety of devices and device configurations.
Tools for Visual Studio
Develop ASP.NET apps in Visual Studio on Google Cloud.
Firebase Crashlytics
Get clear, actionable insight into app issues.
Tools for Eclipse
Develop apps in the Eclipse IDE for Google Cloud.
Tekton
Create CI/CD-style pipelines using Kubernetes-native building blocks.
Gradle App Engine Plugin
Build your App Engine projects using Gradle.
Maven App Engine Plugin
Build and deploy your App Engine projects using Maven.
Workflows
Orchestrate and automate Google Cloud and HTTP-based API services with serverless workflows.
Eventarc
Build event-driven solutions by asynchronously delivering events from Google services, SaaS, and your own apps.
Hybrid and Multi-Cloud
Anthos
Modernize existing apps, and build new apps rapidly in hybrid and multi-cloud environments, while enabling consistency
between on-premises and cloud environments.
Anthos deployed on VMware
Modernize existing apps and build new apps on your VMware environments.
Anthos GKE
Deploy, manage, and scale containerized applications on Kubernetes, powered by Google Cloud.
Anthos Config Management
Automate policy and security at scale for your hybrid Kubernetes deployments.
Cloud Run for Anthos
Easily leverage the benefits of combining Kubernetes and serverless.
Apigee API Management
Develop, secure, deploy, and monitor your APIs everywhere.
Google Cloud Marketplace for Anthos
Easily deploy containerized apps that feature prebuilt deployment templates and consolidated billing.
Migrate for Anthos
Migrate VMs from on-premises or other clouds directly into containers in GKE.

Operations
Aggregate metrics, logs, and events from your infrastructure to get signals and to speed analysis.
Traffic Director
Deploy global load balancing across clusters and configure sophisticated traffic control policies for open service mesh.
Internet of Things
Internet of Things (IoT) devices are physical objects embedded with sensors, software and
other technologies that stream data to cloud services or other edge devices.

An edge device is a device that is an entry point to a service provider network.

IoT Core
Securely connect and manage IoT devices using a fully managed service.

Example IoT devices pictured on the slide: Drones, Smart Plant, Health Sensor, Video Security, IoT Kits, Conversational AI, Temperature Control, Home Assistant.
Cloud Deployment Manager
Infrastructure as Code (IaC) is the process of managing and provisioning cloud services through machine-readable definition
files (eg, YAML, JSON files) rather than manual configuration.

Cloud Deployment Manager is Google Cloud’s IaC service.


You write Yaml files, and you need to execute IaC files via the Cloud CLI
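Besides plain YAML configs, Deployment Manager also accepts Python (and Jinja) templates that are imported from the YAML and expose a GenerateConfig(context) function returning the same resource structure. The following is an added example (not from the original slides or from Google): a template for a Compute Engine instance with no external IP (it would reach the internet through Cloud NAT) and the Shielded VM options enabled. The deployment name, zone, subnetwork, image and the local stand-in context object are constructed; the property names follow the Compute Engine v1 instance resource.

```python
"""Added example (not from the original slides): a Deployment Manager Python
template producing one hardened, internal-only Compute Engine instance."""
from typing import Any, Dict


def GenerateConfig(context) -> Dict[str, Any]:
    """Entry point Deployment Manager calls; `context` carries env and properties."""
    props = context.properties
    zone = props["zone"]
    region = zone.rsplit("-", 1)[0]               # us-central1-a -> us-central1
    name = f"{context.env['deployment']}-vm"
    instance = {
        "name": name,
        "type": "compute.v1.instance",
        "properties": {
            "zone": zone,
            "machineType": f"zones/{zone}/machineTypes/{props.get('machineType', 'e2-medium')}",
            "disks": [{
                "deviceName": "boot",
                "type": "PERSISTENT",
                "boot": True,
                "autoDelete": True,
                "initializeParams": {"sourceImage": props["sourceImage"]},
            }],
            # No accessConfigs entry: the NIC gets only an internal IP, so outbound
            # internet traffic must go through Cloud NAT and nothing can reach it directly.
            "networkInterfaces": [{
                "network": f"global/networks/{props.get('network', 'default')}",
                "subnetwork": f"regions/{region}/subnetworks/{props['subnetwork']}",
            }],
            # Shielded VM: secure boot, vTPM and integrity monitoring all on.
            "shieldedInstanceConfig": {
                "enableSecureBoot": True,
                "enableVtpm": True,
                "enableIntegrityMonitoring": True,
            },
        },
    }
    return {"resources": [instance]}


def has_external_ip(resource: Dict[str, Any]) -> bool:
    """True if any network interface carries an accessConfigs entry (a public IP)."""
    return any(nic.get("accessConfigs") for nic in resource["properties"]["networkInterfaces"])


class _LocalContext:
    """Constructed stand-in for the context object Deployment Manager provides."""

    def __init__(self, deployment: str, properties: Dict[str, Any]) -> None:
        self.env = {"deployment": deployment}
        self.properties = properties


def render_example() -> Dict[str, Any]:
    """Render the template with constructed properties so it can be run offline."""
    ctx = _LocalContext("demo", {
        "zone": "us-central1-a",
        "subnetwork": "app",
        "sourceImage": "projects/debian-cloud/global/images/family/debian-11",
    })
    return GenerateConfig(ctx)


if __name__ == "__main__":
    import json
    cfg = render_example()
    print(json.dumps(cfg, indent=2))
    print("external IP:", has_external_ip(cfg["resources"][0]))   # False
```

In a real deployment the file is listed under `imports:` in the YAML config and used as a resource `type:`, with the zone, subnetwork and image passed as `properties`.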
Media and Gaming

Game Servers
Deliver seamless multiplayer gaming experiences to a global player base.
• Fully manages Agones, an open source game server management
project that runs on Kubernetes.

OpenCue
Manage complex media rendering tasks using an open source
render manager.

Transcoder API
Convert video files and package them for optimized delivery to web, mobile
and connected TVs.
Operations Suite

Google’s Operations Suite allows you to monitor, log, trace, and profile your apps and services.

Cloud Monitoring
Cloud Monitoring provides visibility into the performance, availability, and overall health of cloud-powered applications.

Service Level Monitoring
Define and measure availability, performance and other service levels for cloud-powered applications.

Cloud Logging and Error Reporting
Cloud Logging — Store, search, analyze, monitor, and alert on log data and events from Google Cloud and AWS.
Error Reporting — Identify and understand application errors.

Application Performance Management (APM)
Cloud Trace — Find performance bottlenecks in production.
Cloud Debugger — Investigate code behavior in production.
Cloud Profiler — Continuously gather performance information using a low-impact CPU and heap profiling service.
Other Google Products

Google Maps Platform
Integrate static and dynamic maps into your apps.

Chrome Enterprise
Use Chrome management policies to
meet productivity and security needs.
Firebase
Firebase is Google’s fully-managed platform for rapidly developing and deploying web and mobile applications.
It is a Platform as a Service utilizing serverless technology.

Firebase offers the following services and features:
• Cloud Firestore
• Machine Learning
• Cloud Functions
• Authentication
• Hosting
• Cloud Storage
• Realtime Database
• Crashlytics
• Performance Monitoring
• Test Lab
• App Distribution
• Google Analytics
• In-App Messaging
• Predictions
• A/B Testing
• Cloud Messaging
• Remote Config
• Dynamic Links

Firebase is an alternative to Google Cloud for users who want to focus on building and deploying their application in a highly opinionated framework.
Migration
Database Migration Service (DMS) — when you’re migrating open-source relational databases
Serverless, easy, minimal downtime migrations to Cloud SQL.

BigQuery Data Transfer Service
Automate scheduled data movement into BigQuery using a fully managed data import service.

Migrate for Compute Engine (formerly Velostrata) — when you’re migrating VMs
Migrate servers and VMs from on-premises or another cloud to Compute Engine.

Migrate for Anthos — when you’re migrating containers
Migrate VMs from on-premises or other clouds directly into containers in GKE.

Cloud Storage Transfer Service — when you are migrating storage data
Transfer data between cloud storage services such as AWS S3 and Cloud Storage.

Transfer Appliance — when you have TBs of data, and it’s faster to ship physical drives
Ship large volumes of data to Google Cloud using trackable storage.
Types of Migration

There are three types of migrations from on-premise to the cloud, ranging from easier to implement with limited cloud benefits, to labour intensive with full cloud benefits:

Lift and Shift
• Little to no modification
• Taking least advantage of the cloud
• Fastest migration strategy

Improve and Move
• Refactor your existing application
• Take advantage of most of the cloud offerings
• Slow migration process

Rip and Replace
• Rebuild your app from scratch
• Take advantage of the maximum value of cloud offerings
• Can take the longest amount of time
Types of Migration — Lift and Shift

Lift-and-Shift
Move workloads from a source environment to a target
environment with minor or no modifications or refactoring.

Ideal when
• a workload can operate as-is in the target environment
• little or no business need for change

Considerations
• Requires the least amount of time because the amount of refactoring is kept to a minimum
• Team can continue to use the same set of tools and skills that they were using before
• Doesn’t take full advantage of cloud platform features:
• horizontal scalability
• fine-grained pricing
• highly managed services
Types of Migration — Move and Improve

Improve-and-move
Modernize the workload while migrating to take
advantage of cloud-native capabilities

Ideal when
• architecture or infrastructure of an app isn't supported in the target environment
• a major update to the workload is necessary

Considerations
• takes longer than lift and shift migrations
• the app must be refactored in order to migrate
• extra time and effort as part of the life cycle of the app
• requires that you learn new skills
Types of Migration – Rip and Replace

Rip-and-replace
decommission an existing app and completely
redesign and rewrite it as a cloud-native app

Ideal when:
• current app isn't meeting your goals
• you want to remove legacy technical debt

Considerations:
• Requires the most amount of time to develop
• Requires the most amount of learning
Migration Path
There are four phases of your migration:

Assess. Perform a thorough assessment and discovery of your existing environment in order to understand your app and environment inventory, identify app dependencies and requirements, perform total cost of ownership calculations, and establish app performance benchmarks.

Plan. Create the basic cloud infrastructure for your workloads to live in and plan how you will move apps. This planning includes identity management, organization and project structure, networking, sorting your apps, and developing a prioritized migration strategy.

Deploy. Design, implement and execute a deployment process to move workloads to Google Cloud. You might also have to refine your cloud infrastructure to deal with new needs.

Optimize. Begin to take full advantage of cloud-native technologies and capabilities to expand your business's potential to things such as performance, scalability, disaster recovery, costs, training, as well as opening the doors to machine learning and artificial intelligence integrations for your app.
Migration Path — Phase 1
In the assessment phase, you gather information about the workloads you want to migrate and their current runtime environment.

Take inventory
Build a list of all of your machines, hardware specifications, operating systems, and licenses.
Catalog apps
Build a catalog matrix to help you organize apps into categories based on their complexity and risk in moving to Google Cloud.
Educate your organization about Google Cloud
Train and certify your software and network engineers on how the cloud works and what Google Cloud products
Experiment and design proofs of concept
Choose a proof of concept (PoC) and implement it.
Calculate total cost of ownership (TCO)
Compare your costs on Google Cloud with the costs you have today. Use the Google Calculator.
Choose which workloads to migrate first
Identify apps with features that make them likely first-movers.
Starting with a less complex app lowers your initial risk because later you can apply your team's new knowledge to harder-to-migrate apps.
Migration Path — Phase 2
In the plan phase, you provision and configure the cloud infrastructure and
services that will support your workloads on Google Cloud
Establish user and service identities.
• Google Accounts — An account that usually belongs to an individual user that interacts with Google Cloud.
• Service Accounts — An account that usually belongs to an app or a service, rather than to a user.
• Google Groups — A named collection of Google accounts.
• Google Workspace domains — A virtual group of all the Google accounts that have been created in an organization's
Google Workspace account.
• Cloud Identity domains — These domains are like Google Workspace domains, but they don't have access to Google
Workspace applications.

Design your resource organization.
organize your resources using Google’s Resource Hierarchy
• Organizations are the root of a resource hierarchy and represent a real organization, such as a company
• Folders are an additional layer of isolation between projects and can be seen as sub-organizations
• Projects are the base-level organization entities and must be used to access other Google Cloud resources
• hierarchy architectures: Environment-oriented, Function-oriented, Granular access-oriented

Define groups and roles for resource access
set up the groups and roles to grant the necessary access to resources

Design your network topology and establish connectivity.
set up the network topology and connectivity from your existing environment to Google Cloud
• Cloud VPN, Peering, Cloud Interconnect
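A role bound on an Organization or Folder is inherited by every project beneath it, which is why the hierarchy design and the group definitions above matter for access control. The following is an added example, not Google's code and not the IAM API: a small model of that inheritance over a constructed hierarchy, constructed groups and constructed bindings, reporting where each effective role came from.

```python
"""Effective-role resolution across the Google Cloud resource hierarchy.

Added example, not Google's code and not the IAM API: a small model of how a
role bound on an Organization, Folder or Project is inherited by everything
beneath it, and how a Google Group expands to its members. The hierarchy,
groups and bindings below are constructed sample data.
"""
from collections import defaultdict

# Constructed hierarchy: child resource -> parent. The organization is the root.
PARENT = {
    "organizations/example-org": None,
    "folders/prod": "organizations/example-org",
    "folders/dev": "organizations/example-org",
    "projects/prod-web": "folders/prod",
    "projects/dev-sandbox": "folders/dev",
}

# Constructed Google Groups: group -> direct members.
GROUPS = {
    "group:sre@example.com": {"user:alice@example.com", "user:bob@example.com"},
    "group:devs@example.com": {"user:carol@example.com"},
}

# Constructed IAM bindings: resource -> role -> principals bound at that level.
BINDINGS = {
    "organizations/example-org": {"roles/viewer": {"group:sre@example.com"}},
    "folders/prod": {"roles/compute.admin": {"group:sre@example.com"}},
    "projects/dev-sandbox": {
        "roles/editor": {"group:devs@example.com"},
        "roles/storage.objectViewer": {
            "serviceAccount:ci@dev-sandbox.iam.gserviceaccount.com"
        },
    },
}


def ancestry(resource):
    """Yield the resource, then its parent, and so on up to the organization."""
    while resource is not None:
        yield resource
        resource = PARENT[resource]


def expand_principal(member):
    """A group expands to its members; a user or service account is itself."""
    return GROUPS.get(member, {member})


def effective_roles(principal, resource):
    """Roles `principal` holds on `resource`, directly or by inheritance.

    Returns role -> the resource whose binding granted it (the closest one),
    which is what an access review needs: where a permission came from.
    """
    found = {}
    for ancestor in ancestry(resource):
        for role, members in BINDINGS.get(ancestor, {}).items():
            if role in found:
                continue
            if any(principal in expand_principal(m) for m in members):
                found[role] = ancestor
    return found


def inherited_roles(principal, resource):
    """Roles held only through an ancestor binding. Editing the resource's own
    IAM policy cannot revoke these; the binding must be removed where it lives."""
    return {r: o for r, o in effective_roles(principal, resource).items() if o != resource}


def principals_with_role(role):
    """Reverse lookup: concrete principals holding `role`, keyed by the resource
    where the binding sits (groups are expanded so nobody hides inside one)."""
    result = defaultdict(set)
    for resource, roles in BINDINGS.items():
        for member in roles.get(role, set()):
            result[resource] |= expand_principal(member)
    return dict(result)


if __name__ == "__main__":
    who, where = "user:alice@example.com", "projects/prod-web"
    for role, origin in sorted(effective_roles(who, where).items()):
        print(f"{who} has {role} on {where} via binding on {origin}")
```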
Migration Path — Phase 3

In the deploy phase, implement a deployment process and refine it during the migration

Fully manual deployments
lets you quickly experiment with the platform and the tools, but it's also error prone, often not documented, and not repeatable.

Configuration management tools (CM)
configure an environment in an automated, repeatable, and controlled way.
eg. run remote commands on a Virtual Machine that check the state of an instance and remediate it to the desired configuration/state

Container orchestration
Consider using Kubernetes so you don't have to worry about the underlying infrastructure and the deployment logic
• Google Kubernetes Engine (GKE)

Deployment automation
automate the deployment process by implementing a continuous integration and continuous delivery (CI/CD) pipeline

Infrastructure as code (IaC)
Write a script that defines resources to be created or updated in a single deployment action
Share and stand up entire workflows and environments easily
IaC tools: Google Deployment Manager, HashiCorp Terraform
Migration Path — Phase 4
In the optimize phase, you start optimizing your target environment
Build and train your team
train your development and operation teams to take full advantage of the new cloud environment
Monitor everything
Monitoring is the key to ensure that everything in your environment is working as expected
• Prometheus, Google Cloud Logging, Google Cloud Monitoring
Automate everything
Manual operations are exposed to a high error risk and are also time consuming
Automation leads to cost and time savings, and reduces risk.
• Google Cloud Composer (Apache Airflow), Spinnaker
Codify everything
By implementing processes such as Infrastructure as Code and Policy as Code,
make your environment fully auditable and repeatable
Use managed services instead of self-managed ones
• CloudSQL, AutoML, Google Kubernetes Engine (GKE), App Engine
Optimize for performance and scalability
• Horizontal scaling — add or remove machines for compute, storage or databases
• Vertical scaling — increase (resize) the underlying machine eg. vCPU and memory for compute, storage and databases
Reduce costs
take advantage of sustained use discounts (SUD), committed use contracts (CUC), Flat-Rate Pricing eg. BigQuery
Migrate for Compute Engine

Migrate for Compute Engine enables you to migrate (Lift and Shift) your virtual machines (VMs), with
minor automatic modifications, from your source environment to Google Compute Engine
• continuously replicates disk data from the source VMs to Google Cloud
• no downtime on the source during transfer
• quickly clone and test a migrated VM using test clones
• easily perform all migration tasks within the Google Cloud Console
Anthos

Anthos is a modern application management platform used for managing hybrid architectures
that span from Google Cloud to other clouds such as AWS or on-premises datacenters running VMware.

Anthos is a single control plane to manage Kubernetes compute in hybrid scenarios

Core components of Anthos
• Infrastructure, container, and cluster management
• Managed Service Mesh
• Multicluster management
• Configuration management
• Migration
• Service management
• Serverless
• Secure software supply chain
• Logging and monitoring
• Marketplace
Migrate for Anthos (and GKE)

Migrate for Anthos and Google Kubernetes Engine (GKE) is a tool to move and automatically convert workloads
directly into containers in Google Kubernetes Engine (GKE) and Anthos

With Migrate for Anthos, you can migrate your VMs from supported source platforms to:
• Google Kubernetes Engine (GKE)
• Anthos
• Anthos clusters on VMware
• Anthos clusters on AWS

Use auto-generated container artifacts including container images, Dockerfiles, deployment
YAMLs and persistent data volumes to deploy migrated workloads and integrate with services such
as Anthos Service Mesh, Anthos Config Management, Stackdriver, and Cloud Build for
maintenance using CI/CD pipelines.

Migrate for Anthos is offered at no charge and no Anthos subscription is required when migrating to GKE.
Charges for other GCP services (e.g. compute, storage, network, etc.) still apply.
Storage Transfer Service

Storage Transfer Service allows you to quickly import online data into Cloud Storage
Set up a repeating schedule for transferring data, as well as transfer data within Cloud Storage, from one bucket to another
Storage Transfer Service enables you to:
• Move or backup data to a Cloud Storage bucket either from other cloud storage providers or from your on-premises storage.
• Move data from one Cloud Storage bucket to another, so that it is available to different groups of users or applications.
• Periodically move data as part of a data processing pipeline or analytical workflow.
• Schedule one-time transfer operations or recurring transfer operations
• Delete existing objects in the destination bucket if they don't have a corresponding object in the source
• Delete data source objects after transferring them
• Schedule periodic synchronization from a data source to a data sink with advanced filters based on file creation dates, file-names, and the times of day you prefer to import data
Transfer Appliance
Transfer Appliance is a hardware appliance you can use to securely migrate large volumes of data
Migrate hundreds of terabytes up to 1 petabyte
comes in two configurations: 100TB and 480TB

You can mount Transfer Appliance as an NFS volume, making it easy to drag and drop files, or rsync, from your current NAS to the appliance
When to use Transfer Appliance:
• Your data size is greater than or equal to 10TB
• It would take more than one week to upload your data over the network
Transfer Appliance

Security features (safe to connect):
• Tamper resistant
  • cannot be easily opened
  • apply tamper-evident tags to the shipping case
• Ruggedized
• Trusted Platform Module (TPM) chip
  • immutable root filesystem and software components haven't been tampered with
• Hardware attestation
  • validate the appliance before you can connect it to your device and copy data to it

Security features (safe in transit):
• AES 256 encryption
• Customer-managed encryption keys
• NIST 800-88 compliant data erasure

Performance Features:
• All SSD drives — no moving parts, very fast IOPS
• Multiple network connectivity options — 10Gbps or 40Gbps transfer speed
• Scalability with multiple appliances — use multiple appliances to increase transfer speed
• Globally distributed processing — ships quickly to and from the datacenter to Google Cloud
• Minimal software — use common software already on your Linux, Mac or Windows system
AI and ML Services
Vertex AI is Google Cloud’s unified ML platform for building ML solutions end-to-end

[Diagram: Vertex AI component map. Stages across the top: Data Readiness, Feature Engineering, Training / HP-Tuning, Model Serving, Understanding / Tuning, Edge, Model Monitoring, Model Management.
AutoML: Vision, Video, Language, Translation, Tables
Per-stage components: Data Labeling, Datasets; Feature Store; Training, Vizier, Experiments; Prediction; Explainable AI, Optimization; Hybrid AI; Continuous Monitoring; Metadata
Shared foundation: AI Accelerators; Pipelines (Orchestration); Deep Learning Environment (DL VM, DL Containers); Notebooks]
TensorFlow

TensorFlow is a low-level machine learning / deep learning framework created by the Google Brain Team
TensorFlow is written in Python, C++ and CUDA; there are APIs to allow you to use various other languages.
What is a tensor?
A Tensor is a multi-dimensional array eg. tf.Tensor, similar to NumPy ndarray objects
tf.Tensors can reside in accelerator memory (like a GPU)

Google created their own hardware called Tensor Processing Units (TPU), specifically optimized for TensorFlow and the tensor data structure

You write TensorFlow in Python

Example of an ML model in TensorFlow (technically using Keras)

TensorFlow Enterprise
Accelerate and scale ML workflows on the cloud with compatibility-tested
and optimized TensorFlow along with enterprise-ready services and support
AI and ML Services
Vertex AI is the unification of AI Platform and the addition of AutoML, offering an end-to-end solution for all your custom ML and DL needs.
AI Platform (deprecated)
• Preparing a dataset for supervised training with Data Labeling
• Notebooks to write and document building ML models
• A Model registry to hold all your trained models
• Pipelines for setting up automated CI/CD to rapidly deploy new changes (known as MLOps)

AutoML
Easily train high-quality, custom ML models.
You upload your data, choose what you want
to predict and it does the rest!

AutoML Tables
Build and deploy machine learning models
on structured data.
ML/DL Environment
To prepare, train, tune, predict for Machine Learning models you need to use compute
optimized and specialized for ML and DL tasks.

An ML compute solution will be:
• Prepackaged with specific ML framework and data-science libraries
• either CPU or GPU (GPUs being more powerful, very expensive and suited for DL)

Deep Learning VM Images
Deploy VM images that are optimized for data science and ML tasks.
Deep Learning Containers
Take advantage of preconfigured and optimized containers
for deep learning environments.
Cloud GPUs
Add GPUs to your workloads for
machine learning, scientific computing,
and 3D visualization.
A container for a Notebook instance to
run TensorFlow 2.5 Enterprise
ML/DL Environment
Notebooks
A Web-based application for authoring documents that combine:
• live-code
• narrative text
• equations
• visualizations

A Notebook makes it easy to code all the steps to an ML solution while intermixing documentation. It makes it easy to rerun segments of code for a fast and iterative developer experience.

Vertex AI’s Notebooks are powered by the JupyterLab IDE.
Jupyter is the industry standard for interactive notebooks for building ML models or for data analysis
AI Services
AI is when machines mimic human behaviour or can perform human tasks.
AI leverages ML and DL; in this context AI generally refers to fully-managed ML SaaS offerings

Vision AI
Derive insights from images, text, and more using custom or pretrained models.
Video AI
Enable powerful content discovery and engaging video experiences.
Natural Language API
Derive insights from unstructured text.
Recommendations AI
Provide a catalog of records and it will suggest recommendations to users. eg. Retail product suggestions (part of Retail AI)
Translation
Dynamically translate between languages.
Talent Solution
the capability to create, read, update, and delete job postings
Document AI
Uses Natural Language Processing (NLP) to train and simulate human review of documents
Conversational AI
Conversational AI is technology that can participate in conversations with humans.
• Chatbots
• Voice Assistants
• Interactive Voice Recognition Systems (IVRS)

Use Cases
• Online Customer Support — replaces human agents for replying to customer FAQs, shipping
• Accessibility — voice operated UI for those who are visually impaired
• HR processes — employee training, onboarding, updating employee information
• Health Care — accessible and affordable health care eg. claim processes
• Internet of Things (IoT) — Amazon Alexa, Apple Siri and Google Home
• Computer Software — autocomplete search on phone or desktop

Agent Assist
Empower human agents with continuous support during calls by
identifying intent and providing real-time, step-by-step assistance.

Dialogflow
Build engaging voice and text-based conversational interfaces.
• Dialogflow CX — Provides an advanced agent type suitable for large or very complex agents.
• Dialogflow ES — Provides the standard agent type suitable for small and simple agents.

Text-to-Speech
Convert text to natural-sounding speech using ML.
Speech-to-Text
Convert speech to text using the power of ML.
Identity and Access

IAM
Establish fine-grained identity and access management for Google Cloud resources.
Cloud Identity
Easily manage user identities, devices, and applications from one console.
Identity Platform
Add Google-grade identity and access management to your apps.
BeyondCorp Enterprise
A zero-trust solution that enables secure access with integrated threat and data protection.
Identity-Aware Proxy
Use identity and context to guard access to your applications and VMs.
Managed Service for Microsoft Active Directory
Use a highly available, hardened service running Microsoft Active Directory (AD).
Resource Manager
Hierarchically manage resources on Google Cloud.
Security key enforcement
Enforce the use of security keys to help prevent account takeovers.
Titan Security Keys
Defend against account takeovers from phishing attacks. Security Keys made by Google.
Security
Access Transparency
Get visibility over your cloud provider through near real-time logs.
Binary Authorization
Deploy only trusted containers on Kubernetes Engine.
Cloud Asset Inventory
View, monitor, and analyze Google Cloud and Anthos assets across projects and services.
Cloud Audit Logs
Gain visibility into who did what, when, and where for all user activity on Google Cloud.
Cloud Data Loss Prevention
Discover and redact sensitive data.
Cloud HSM
Protect cryptographic keys with a fully managed hardware security module service.
Cloud Key Management Service
Manage encryption keys on Google Cloud.
Security Command Center
Understand your security and data attack surface.
Shielded VMs
Deploy hardened virtual machines on Google Cloud.
VPC Service Controls
Protect sensitive data in Google Cloud services using security perimeters.
Incident Response and Management
Improve your incident median time to mitigation.
User Protection Services

Phishing Protection
Help protect your users from phishing sites.

reCAPTCHA Enterprise
Help protect your website from fraudulent
activity, spam, and abuse.

Web Risk
Detect malicious URLs on your website and in
client applications.
Secure-By-Design Infrastructure
Operational and device security
• develop and deploy infrastructure software using rigorous security practices.
• operations teams detect and respond to threats to the infrastructure from both insiders and external actors, 24/7/365.

Internet communication
• Communications over the internet to our public cloud services are encrypted in transit.
• network and infrastructure have multiple layers of protection to defend our customers against denial-of-service attacks.

Identity
• Identities, users, and services are strongly authenticated.
• Access to sensitive data is protected by advanced tools like phishing-resistant security keys.

Storage services
• Data stored on our infrastructure is automatically encrypted at rest and distributed for availability and reliability.
• guards against unauthorized access and service interruptions.

Service deployment
• Any application that runs on our infrastructure is deployed with security in mind.
• We don't assume any trust between services, and we use multiple mechanisms to establish and maintain trust.
• infrastructure was designed to be multi-tenant from the start.

Hardware infrastructure
From the physical premises to the purpose-built servers, networking equipment, and custom security chips to the low-level software stack running on every machine, our entire hardware infrastructure is Google-controlled, -secured, and -hardened.

Data centers
Google data centers feature layered security with custom-designed electronic access cards, alarms, vehicle access barriers, perimeter fencing, metal detectors, biometrics, and laser beam intrusion detection. They are monitored 24/7 by high-resolution cameras that can detect and track intruders. Only approved employees with specific roles may enter.

Continuous availability
Infrastructure underpins how Google Cloud delivers services that meet our high standards for performance, resilience, availability, correctness, and security. Design, operation, and delivery all play a role in making services continuously available.
Compliance Reports Manager
Compliance Reports Manager provides you with easy, on-demand access to
critical compliance resources, at no additional cost.

Downloadable PDFs that prove that GCP is compliant with various compliance and security standards
Google Cloud Compliance
International Organization for Standardization (ISO) / International Electrotechnical Commission
ISO/IEC 27001 — control implementation guidance
ISO/IEC 27017 — enhanced focus on cloud security
ISO/IEC 27018 — protection of personal data in the cloud. eg. PII
ISO/IEC 27701 — Privacy Information Management System (PIMS) framework
• outlines controls and processes to manage data privacy and protect PII.

System and Organization Controls (SOC)
SOC 1 — SSAE 18 standard and report on the effectiveness of internal controls at a service organization
• relevant to their client’s internal control over financial reporting (ICFR).
SOC 2 — evaluates internal controls, policies, and procedures that directly relate to the security of a system at a service organization
SOC 3 — A report based on the Trust Services Criteria that can be freely distributed

Payment Card Industry Data Security Standard (PCI DSS)
a set of security standards designed to ensure that ALL companies that accept, process, store or transmit credit card information maintain a secure environment.

Federal Information Processing Standard (FIPS) 140-2
US and Canadian government standard that specifies the security requirements for cryptographic modules that protect sensitive information.
Google Cloud Compliance

Personal Health Information Protection Act (PHIPA)
An Ontario provincial law (Canada) that regulates patient Protected Health Information

Health Insurance Portability and Accountability Act (HIPAA)
US federal law that regulates patient Protected Health Information

Cloud Security Alliance (CSA) STAR Certification
Independent third-party assessment of a cloud provider's security posture
Google Cloud Compliance

Federal Risk and Authorization Management Program (FedRAMP)
US government standardized approach to security authorizations for Cloud Service Offerings

Criminal Justice Information Services (CJIS)
Any US state or local agency that wants to access the FBI's CJIS database is required to adhere to the CJIS Security Policy.

General Data Protection Regulation (GDPR)
A European privacy law. Imposes new rules on companies, government agencies, non-profits, and other organizations that offer goods and services to people in the European Union (EU), or that collect and analyze data tied to EU residents.
GCP — Privacy
Google Cloud Enterprise Privacy Commitments describe how we protect the
privacy of Google Cloud Platform and Google Workspace customers
1. You control your data
Customer data is your data, not Google’s. We only process your data according to your agreement(s).

2. We never use your data for ads targeting
We do not process your customer data to create ads profiles or improve Google Ads products.

3. We are transparent about data collection and use
We’re committed to transparency, compliance with regulations like the GDPR, and privacy best practices.

4. We never sell customer data or service data
We never sell customer data or service data to third parties.

5. Security and privacy are primary design criteria for all of our products
Prioritizing the privacy of our customers means protecting the data you trust us with. We build the strongest
security technologies into our products.

Google provides resources on privacy regulations such as the LGPD, GDPR, CCPA, the
Australian Privacy Act, My Number Act, and PIPEDA, among others.
GCP — Transparency

Google’s Trust Principles:
1. You own your data, not Google
2. Google does not sell customer data to third parties
3. Google Cloud does not use customer data for advertising
4. All customer data is encrypted by default
5. We guard against insider access to your data
6. We never give any government entity "backdoor" access
7. Our privacy practices are audited against international standards
Cloud Armor

What is a DDoS (Distributed Denial of Service) Attack?
A malicious attempt to disrupt normal traffic by flooding a website with large amounts of fake traffic.

[Diagram: an Attacker floods the Victim; Cloud Armor sits in front of the Victim on the GCP Network and filters the attack traffic]
Cloud Armor

Cloud Armor is a DDoS protection and Web Application Firewall (WAF) service
• IP-based and geo-based access control
• Support for hybrid and multicloud deployments
• Adaptive protection
• Detect and mitigate attacks against your Cloud Load Balancing workloads
• Pre-defined WAF rules to mitigate OWASP Top 10 risks
• Named IP Lists
• Rich rules language for web application firewall
• Visibility and monitoring

Cloud Armor has two tiers:
• Standard — Pay-As-You-Go (PAYG)
• Managed Protection Plus — starting at $3,000/month
Private Catalog

Private Catalog allows you to package Google Cloud resources into a service offering that can then be made available
and discoverable in a catalog internally to your organization, to quickly deploy governed stacks and workloads
Security Command Center
Security Command Center is a centralized security and risk management platform for your Google Cloud resources.

Asset discovery and inventory
• inventory and historical information about your Google Cloud resources
Threat detection
• audits your cloud resources for security vulnerabilities
Threat prevention
• fix security misconfigurations with single-click remediation
Google Cloud Data Loss Prevention

Cloud Data Loss Prevention (DLP) detects and protects sensitive information within GCP storage repositories

What is Personally Identifiable Information (PII)?
any data that can be used to identify a specific individual:
• birthday, government ID, full name, email address, mailing address etc.

What is Personally/Protected Health Information (PHI)?
any data that can be used to identify health information about a patient

• Provides tools to classify, mask, tokenize, and transform sensitive data
• support for structured and unstructured data
• Create dashboards and audit reports
• Automate tagging, remediation, or policy based on findings
• Connect DLP results into Security Command Center, Data Catalog, or export to your own Security Information and Event Management (SIEM) or governance tool
• Schedule inspection jobs directly in the console UI
• over 120 built-in Information Types (infoTypes)
  • infoTypes define what sensitive information to scan for
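As an added example (not the Cloud DLP API and not Google's code), here is a local stand-in for a DLP inspect and de-identify pass over a text record: infoType detectors with a Luhn check that keeps a 16-digit order reference from being flagged as a card, character masking, and deterministic keyed tokenization. The infoType names mirror ones Cloud DLP uses, but the detectors, the sample text and the key are constructed.

```python
"""Local stand-in for a Cloud DLP inspect + de-identify pass.

Added example, not the Cloud DLP API and not Google's code. The infoType
names are ones Cloud DLP also uses, but the detectors, the Luhn validator,
the masking and the keyed tokenization are a hand-written approximation, and
the sample text and key are constructed.
"""
import hashlib
import hmac
import re


def luhn_ok(digits):
    """Luhn checksum; rejects most digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# infoTypes define what sensitive information to scan for: each is a pattern
# plus an optional validator that filters false positives.
INFO_TYPES = {
    "EMAIL_ADDRESS": (re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"), None),
    "PHONE_NUMBER": (re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"), None),
    "CREDIT_CARD_NUMBER": (
        re.compile(r"\b(?:\d[ -]?){15}\d\b"),
        lambda quote: luhn_ok(re.sub(r"\D", "", quote)),
    ),
}

# Constructed sample: one real-looking card (Luhn-valid test number) and one
# 16-digit run that is not a card and must not be flagged.
SAMPLE = (
    "Ticket 4471: jane.doe@example.com called from 555-123-4567 and read out "
    "card 4111 1111 1111 1111. The number 1234 5678 9012 3456 in the notes is "
    "an order reference, not a card."
)


def inspect(text, info_types=None):
    """Findings as (info_type, start, end, quote), ordered by position."""
    findings = []
    for name in (info_types or INFO_TYPES):
        pattern, validate = INFO_TYPES[name]
        for m in pattern.finditer(text):
            if validate is None or validate(m.group(0)):
                findings.append((name, m.start(), m.end(), m.group(0)))
    return sorted(findings, key=lambda f: f[1])


def mask(quote, keep_last=4):
    """Character masking that keeps a short suffix so records stay recognisable."""
    return "#" * (len(quote) - keep_last) + quote[-keep_last:]


def tokenize(quote, key):
    """Deterministic keyed tokenization (HMAC-SHA256): equal inputs map to the
    same token so joins and counts still work, but the token is not reversible
    without the key."""
    digest = hmac.new(key, quote.encode(), hashlib.sha256).hexdigest()
    return "TOKEN(" + digest[:16] + ")"


def deidentify(text, key, transforms):
    """transforms: info_type -> "mask" or "tokenize". Findings are replaced
    right to left so earlier offsets stay valid."""
    out = text
    for name, start, end, quote in reversed(inspect(text, transforms.keys())):
        repl = mask(quote) if transforms[name] == "mask" else tokenize(quote, key)
        out = out[:start] + repl + out[end:]
    return out


if __name__ == "__main__":
    for f in inspect(SAMPLE):
        print(f"{f[0]:<20} {f[3]}")
    print(deidentify(SAMPLE, b"constructed-demo-key",
                     {"CREDIT_CARD_NUMBER": "mask", "EMAIL_ADDRESS": "tokenize"}))
```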
BeyondCorp
The Zero Trust model operates on the principle of “trust no one, verify everything.”
Malicious actors being able to bypass conventional access controls
demonstrates that traditional security measures are no longer sufficient

BeyondCorp is Google's implementation of the zero trust model

BeyondCorp allows for:
• single sign-on
• access control policies
• access proxy
• user-based authentication
• device-based authentication
• authorization

By shifting access controls from the network perimeter to individual users, BeyondCorp enables secure work from virtually any location without the need for a traditional VPN.

The BeyondCorp principles:
• Access to services must not be determined by the network from which you connect
• Access to services is granted based on contextual factors from the user and their device
• Access to services must be authenticated, authorized, and encrypted
BeyondCorp
A Zero Trust model puts identity as the primary security perimeter to be protected.
BeyondCorp itself is just a collection of identity, access and security services to meet Zero Trust model requirements
[Diagram: BeyondCorp architecture. Inputs: User Trust (Identity + Behavior) from Cloud Identity, Device Trust (Identity + Posture) from Endpoint Verification, and request context (IP, Location, Session Age, Time). These flow through the Global Frontend (Google’s Frontend) to Access Context Manager and a Rules Engine (Context, Location and Time), whose Enforcement Point consists of Cloud IAP, Cloud IAM and VPC Service Controls. Protected Apps and Data: Web apps, Virtual Machines, SaaS Applications, Infrastructure, APIs.]
Access Context Manager
Access Context Manager allows Google Cloud organization admins to
define fine-grained, attribute based access control for projects and
resources in Google Cloud.
Access Context Manager keeps mobile workforces utilizing
Bring-Your-Own-Devices (BYOD) secure.
You create an access policy to determine the level of access based on attributes such as:
• Device Type
• Operating System
• IP Address
• User Identity
(Example: set an access level to high for a specific subnet in a specific region)
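As an added example, not Google's code and not the Access Context Manager API, the following evaluates a constructed access level, written in the shape of the basic-level spec that gcloud access-context-manager accepts, against constructed request contexts. The evaluation rules used here (conditions combined with OR, the attributes inside one condition combined with AND, negate inverting a condition) are this example's assumption about that format; the point it makes is that the same user with the same credential is refused once the request comes from outside the corporate subnet or from an unmanaged device.

```python
"""Evaluating an Access Context Manager style basic access level.

Added example, not Google's code and not the Access Context Manager API. The
level below is a constructed spec in the shape of the YAML that
`gcloud access-context-manager levels create --basic-level-spec` takes; the
evaluation rules (conditions OR-combined, attributes within a condition
AND-combined, `negate` inverting a condition) are this example's assumption
about that format, and the request contexts are constructed.
"""
import ipaddress

# Constructed access level: high trust for requests from the corporate subnet
# (TEST-NET-3, a documentation range) in the US on a screen-locked,
# corporate-owned desktop, OR for the break-glass group from anywhere.
HIGH_TRUST_LEVEL = [
    {
        "ipSubnetworks": ["203.0.113.0/24"],
        "regions": ["US"],
        "devicePolicy": {
            "requireScreenlock": True,
            "requireCorpOwned": True,
            "osConstraints": [{"osType": "DESKTOP_MAC"}, {"osType": "DESKTOP_WINDOWS"}],
        },
    },
    {"members": ["group:break-glass@example.com"]},
]

# Constructed request context: who is asking, from where, on what device.
# `principals` lists the user and the groups they belong to, already expanded.
CORP_LAPTOP = {
    "ip": "203.0.113.42",
    "region": "US",
    "principals": ["user:alice@example.com"],
    "device": {"osType": "DESKTOP_MAC", "screenlock": True, "corpOwned": True},
}


def _ip_matches(subnets, ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(s) for s in subnets)


def _device_matches(policy, device):
    """Every device requirement the policy names must hold for the device."""
    if policy.get("requireScreenlock") and not device.get("screenlock", False):
        return False
    if policy.get("requireCorpOwned") and not device.get("corpOwned", False):
        return False
    allowed_os = [c["osType"] for c in policy.get("osConstraints", [])]
    if allowed_os and device.get("osType") not in allowed_os:
        return False
    return True


def condition_matches(cond, ctx):
    """All attributes a condition specifies must match; omitted ones are
    unconstrained. `negate: true` inverts the outcome."""
    ok = True
    if "ipSubnetworks" in cond:
        ok = ok and _ip_matches(cond["ipSubnetworks"], ctx["ip"])
    if "regions" in cond:
        ok = ok and ctx.get("region") in cond["regions"]
    if "members" in cond:
        ok = ok and bool(set(cond["members"]) & set(ctx.get("principals", [])))
    if "devicePolicy" in cond:
        ok = ok and _device_matches(cond["devicePolicy"], ctx.get("device", {}))
    return (not ok) if cond.get("negate") else ok


def grants(level, ctx):
    """An OR-combined level grants access when any one condition matches."""
    return any(condition_matches(c, ctx) for c in level)


if __name__ == "__main__":
    # Same user, same credential, but the request now comes from a home IP on
    # an unmanaged phone: the access level is not granted.
    stolen = dict(CORP_LAPTOP, ip="198.51.100.7",
                  device={"osType": "ANDROID", "screenlock": True, "corpOwned": False})
    print("corp laptop :", grants(HIGH_TRUST_LEVEL, CORP_LAPTOP))   # True
    print("stolen creds:", grants(HIGH_TRUST_LEVEL, stolen))        # False
```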
VPC Service Controls
VPC Service Controls allows you to create a service perimeter
VPC Service Perimeters function like a firewall for GCP APIs
Apply access levels
Access policies are automatically created for you when you create an access level, service perimeter or turn on IAP.
They cannot be directly managed by the customer.
Cloud Identity-Aware Proxy (IAP)
Cloud Identity-Aware Proxy (IAP) lets you establish a central authorization layer for applications accessed by
HTTPS, so you can use an application-level access control model instead of relying on network-level firewalls
You can define access policies centrally and apply them to all of your applications and resources.
Use IAP when you want to enforce access control policies for applications and resources.

Identity-Aware Proxy (IAP) lets you manage who has access to services hosted on App Engine, Compute Engine, or an HTTPS Load Balancer.
(When IAP is turned on, in the side panel add members and their roles)
BeyondCorp Enterprise
BeyondCorp Enterprise is a zero trust model platform
With BeyondCorp Enterprise enabled through Chrome Browser Cloud Management, you can protect against
threats such as malware and phishing for your Chrome users as they download and upload files
BeyondCorp Enterprise is built into the Chrome Browser with no agents required

Identity and context-aware access control
• policies based on: user identity, device health, contextual factors
Integrated threat and data protection
• Prevent data loss, stop common threats
• Real-time alerts and detailed reporting
Support your environment: cloud, on-premises, or hybrid
• Access SaaS apps, web apps, and cloud resources wherever
Easy adoption with our agentless approach
• non-disruptive overlay to your existing architecture
• no need to install additional agents
Rely on Google Cloud’s global infrastructure
• scale, reliability, and security of Google's network
• 144 edge locations in over 200 countries and territories
Directory Service
What is a directory service?
A directory service maps the names of network resources to their network addresses.

[Diagram: clients querying a Directory Service]

A directory service is shared information infrastructure for locating, managing, administering and organizing resources:
• Volumes
• Folders
• Files
• Printers
• Users
• Groups
• Devices
• Telephone numbers
• other objects
A directory service is a critical component of a network operating system
A directory server (name server) is a server which provides a directory service
Each resource on the network is considered an object by the directory server. Information about a particular resource is stored as a collection of attributes associated with that resource or object

Well known directory services:
• Domain Name Service (DNS) — the directory service for the internet
• Microsoft Active Directory
• Azure Active Directory
• Apache Directory Server
• Oracle Internet Directory (OID)
• OpenLDAP
• Cloud Identity
• JumpCloud
Cloud Identity
Cloud Identity is an Identity as a Service (IDaaS) that centrally manages users and groups.

federate identities between:
• Google Cloud
• Active Directory
• Azure AD
• and more…

• manage access and compliance across all users in your domain
• create a Cloud Identity account for each of your users and groups.
• then you can use Identity and Access Management (IAM) to manage access to Google Cloud resources for each Cloud Identity account
Cloud Identity — Versions
Cloud Identity comes in two versions: Free and Premium

Device Management
Free
• Basic Mobile Management
• Device inventory
• Basic passcode enforcement
• Remote account wipe
• Android
• Apple® iOS®
Premium
• Advanced Mobile Management
• Advanced passcode enforcement
• Security policies
• Application management
• Network management
• Remote device wipe
• Reporting
• Application auditing
• Company-owned devices
• Mobile audit
• MDM rules

Directory
Free
• Basic directory management
• Organizational units and groups (Unlimited)
• Admin managed groups
• Groups for Business
• Google Cloud Directory Sync
• Admin roles and privileges
• Google Admin App for Android
• Google Admin App for iOS
• Admin SDK/API
Premium
• User lifecycle management (no user cap)
• Secure LDAP

Security
Free
• User security management
• Self-service password recovery
• 2-Step verification (2SV) including security key management
• 2SV enforcement controls
  • with security key enforcement and management
• Password management and strength alert
Premium
• First-party session management
• Google security center

Reporting
Free
• Admin, Login, SAML, Groups, Token audit logs
• Security reports
• SAML audit log
• App reports
• Account activity reports
Premium
• Devices audit log
• Auto export audit logs to BigQuery

Single sign-on (SSO) and automated provisioning
Free
• Set up SSO using Google as an identity provider (IdP) to access a pre-integrated list of third-party SAML apps (Unlimited)
• Set up SSO using Google as an IdP to access custom SAML apps
• Set up SSO using a third-party IdP with Google as a service provider
Premium
• Automated user provisioning

Service Level Agreements
Premium has 99.9%
Active Directory

Microsoft introduced Active Directory Domain Services in Windows 2000 to give organizations the ability to manage multiple on-premises infrastructure components and systems using a single identity per user.

[Diagram: an Active Directory Forest containing Trees; each Tree is a Domain with Child Domains, and each Domain contains Organization Units (OU)]
Active Directory Domain Services
Active Directory Domain Services (AD DS)
Active Directory Services consist of multiple directory services
Domain Services
the foundation stone of every Windows domain network
stores information about members of the domain including devices and
users, verifies their credentials and defines their access rights.
The server running this service is called a domain controller.

Active Directory Lightweight Directory Services (AD LDS)
an implementation of the LDAP protocol for AD DS

Active Directory Certificate Services (AD CS)
establishes an on-premises public key infrastructure.
create, validate and revoke public key certificates for internal uses of an

Active Directory Federation Services (AD FS)
a single sign-on service so users may use several web-based services or network resources using only one set of credentials stored at a central location

Active Directory Rights Management Services (AD RMS)
server software for information rights management shipped with Windows Server.
uses encryption and a form of selective functionality denial for limiting access to documents
Active Directory Terminology
Domain
A domain is an area of a network organized by a single authentication database
An Active Directory domain is a logical grouping of AD objects on a network
Domain Controller (DC)
A domain controller is a server that authenticates user identities and authorizes their access to resources.
Domain Computer
A computer that is registered with a central authentication database. A domain computer is itself an AD Object.
AD Object
An AD Object is the basic element of Active Directory such as:
Users, Groups, Printers, Computers, Shared folders
Group Policy Object (GPO)
A virtual collection of policy settings. It controls what AD Objects have access to
Organizational Units (OU)
A subdivision within an Active Directory into which you can place users, groups, computers, and other organizational units
Directory Service
A directory service, such as Active Directory Domain Services (AD DS), provides the methods for storing directory data
and making this data available to network users and administrators. A Directory service runs on a Domain Controller
Managed Service for Microsoft Active Directory
Managed Service for Microsoft Active Directory (AD) is an
Active Directory hosted on the Google Cloud Platform

Compatibility with AD-dependent apps
• runs real Microsoft AD Domain Controllers
• use standard Active Directory features:
• e.g. Group Policy, Remote Server Administration Tools (RSAT)
Virtually maintenance-free
• highly available
• automatically patched
• configured with secure defaults
• protected by appropriate network firewall rules
Seamless multi-region deployment
• simply expand the service to additional regions while continuing
to use the same managed AD domain
Hybrid identity support
• connect your on-premises AD domain to Google Cloud
• deploy a standalone domain for your cloud-based workloads
Identity Providers (IdP)
An Identity Provider (IdP) is a system entity that creates, maintains, and manages identity information for
principals and also provides authentication services to applications within a federation or distributed network.
A trusted provider of your user identity that lets you authenticate in order to access other services.
Identity Providers could be: Facebook, Amazon, Google, Twitter, Github, LinkedIn

Federated identity is a method of linking a user's identity across multiple separate identity management systems

OpenID
An open standard and decentralized authentication protocol, e.g. being able to log in to a different social
media platform using a Google or Facebook account.
OpenID is about proving who you are

OAuth 2.0
An industry-standard protocol for authorization. OAuth doesn't share password data but instead uses
authorization tokens to prove an identity between consumers and service providers.
OAuth is about granting access to functionality
SAML
Security Assertion Markup Language is an open standard for exchanging authentication and authorization
between an identity provider and a service provider.
An important use case for SAML is Single-Sign-On via web browser.
Single-Sign-On
Single sign-on (SSO) is an authentication scheme that allows a user to log in with a
single ID and password to different systems and software.
SSO allows IT departments to administer a single identity
that can access many machines and cloud services.
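The distinction drawn above (OpenID proves who you are, OAuth grants access to functionality) is easiest to see in the checks a relying application performs on the two tokens an IdP hands back after login. The following is an added example and not code from the original slides; it assumes, for simplicity, that the IdP and the application share a symmetric HS256 key (production IdPs sign with an asymmetric key and publish it via JWKS), and the issuer URL, client id, subject, nonce and key are constructed placeholders.

```python
"""Identity (OpenID Connect ID token) versus authorization (OAuth 2.0 access token).

Added example, not from the original slides. Assumptions: a shared symmetric HS256
key (real IdPs use RS256/ES256 with published JWKS); issuer, client id, subject and
nonce values are constructed placeholders.
"""
import base64
import hashlib
import hmac
import json

KEY = b"constructed-shared-secret-for-the-example"   # assumption: symmetric signing key
ISSUER = "https://idp.example"                        # assumption: placeholder IdP
CLIENT_ID = "photo-app"                               # assumption: placeholder relying party


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Mint a compact JWT the way the IdP would (HS256 for the example)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(signature)}"


def verify_jwt(token: str, key: bytes) -> dict:
    """Check structure and signature first; only then are the claims worth reading."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token") from None
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # allow-list the algorithm; never accept 'none'
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(body_b64))


def validate_id_token(token: str, nonce: str, now: int) -> dict:
    """OpenID: establish WHO the user is. Each check closes a distinct gap: iss (from the
    IdP we trust), aud (minted for this app, not another), exp (not stale), nonce (bound
    to the login request we started, so a captured token cannot be replayed)."""
    claims = verify_jwt(token, KEY)
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token was not issued for this client")
    if now >= int(claims.get("exp", 0)):
        raise ValueError("token expired")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch")
    return {"subject": claims["sub"], "email": claims.get("email")}


def id_token_status(token: str, nonce: str, now: int) -> str:
    """'ok' or the reason the token must be rejected (useful for logging and alerting)."""
    try:
        validate_id_token(token, nonce, now)
        return "ok"
    except ValueError as err:
        return str(err)


def is_authorized(access_token: str, required_scope: str, now: int) -> bool:
    """OAuth: decide WHAT the bearer may do. The decision is about scope, not identity."""
    claims = verify_jwt(access_token, KEY)
    if now >= int(claims.get("exp", 0)):
        return False
    return required_scope in claims.get("scope", "").split()


def demo_tokens(now: int, nonce: str) -> tuple:
    """Constructed ID token and access token, as an IdP would return them after login."""
    id_token = sign_jwt({"iss": ISSUER, "sub": "user-1234", "aud": CLIENT_ID,
                         "email": "alice@example.com", "exp": now + 3600, "nonce": nonce}, KEY)
    access_token = sign_jwt({"iss": ISSUER, "sub": "user-1234", "exp": now + 3600,
                             "scope": "photos.read profile"}, KEY)
    return id_token, access_token


if __name__ == "__main__":
    now, nonce = 1_700_000_000, "n-5f3a"
    id_token, access_token = demo_tokens(now, nonce)
    print("identity:", validate_id_token(id_token, nonce, now))          # who you are
    print("may read photos:", is_authorized(access_token, "photos.read", now))
    print("may delete photos:", is_authorized(access_token, "photos.delete", now))
```

The ID token answers the OpenID question and is consumed only by the application that started the login (hence the audience and nonce checks); the access token answers the OAuth question and is presented to the resource server, which cares about scope and expiry, not about the user's name.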

SAML SSO (diagram: Azure Active Directory as the identity provider)

Login with SSO is seamless: once a user is logged in to their primary directory,
they can use the connected software without being asked to log in again.
LDAP
Lightweight Directory Access Protocol (LDAP) is an open, vendor-neutral, industry
standard application protocol for accessing and maintaining distributed directory
information services over an Internet Protocol (IP) network.
A common use of LDAP is to provide a central place to store usernames and passwords

LDAP enables same sign-on. Same sign-on allows users to use a single ID and password,
but they have to enter it every time they want to log in.

Why use LDAP when SSO is more convenient?
• Most SSO systems are using LDAP.
• LDAP was not designed natively to work with web-applications.
• Some systems only support integration with LDAP and not SSO.

[Diagram: on-premise LDAP directory (Active Directory)]
Google Cloud Directory Sync
Google Cloud Directory Sync enables administrators to synchronize users, groups and other data from an
Active Directory/LDAP service to their Managed Service for Microsoft Active Directory within Google
Service Level Agreements
What is a Service Level Agreement (SLA)?
An SLA is a formal commitment about the expected level of service between a customer and provider.
When a service level is not met, and if the Customer meets its obligations under the SLA, the Customer will be eligible to
receive compensation, e.g. financial or service credits.
What is a Service Level Indicator (SLI)?
A metric/measurement that indicates what measure of performance a customer is receiving at a given time.
An SLI metric could be uptime, performance, availability, throughput, latency, error rate, durability, correctness.

What is a Service Level Objective (SLO)?
The objective that the provider has agreed to meet.
SLOs are represented as a specific target percentage over a period of time, e.g. an availability SLA of 99.99% in a period of 3 months.

Target percentages
• 99.95%
• 99.99%
• 99.999999999% (commonly called Nine nines)
• 99.99999999999% (commonly called Nine elevens)
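A target percentage only becomes meaningful once it is turned into minutes of permitted downtime and compared with a measured SLI. The following is an added example, not code from the original slides: it computes the downtime budget implied by an SLO over a period (using the slide's own figures, 99.99% over 3 months, plus constructed 30-day values), checks whether a measured outage met the target, and goes one step beyond the slide by composing the SLAs of services that a request depends on in series, since a chain of 99.99% services is not itself a 99.99% service.

```python
"""SLA arithmetic: the downtime a target allows, whether a measured period met it, and
how the targets of chained services compose. Added example, not from the original
slides; periods are plain seconds so the functions stay easy to test."""
from datetime import timedelta

DAY = 86_400
MONTH_30 = 30 * DAY        # constructed 30-day billing month
QUARTER_90 = 90 * DAY      # the slide's "period of 3 months"


def allowed_downtime(target_pct: float, period_seconds: float) -> float:
    """Maximum outage (seconds) the target permits over the period: the error budget."""
    return period_seconds * (1.0 - target_pct / 100.0)


def uptime_percentage(period_seconds: float, downtime_seconds: float) -> float:
    """The SLI the provider measures: share of the period the service was up."""
    return 100.0 * (1.0 - downtime_seconds / period_seconds)


def sla_met(target_pct: float, period_seconds: float, downtime_seconds: float) -> bool:
    """SLA check: measured SLI against the agreed SLO."""
    return uptime_percentage(period_seconds, downtime_seconds) >= target_pct


def remaining_error_budget(target_pct: float, period_seconds: float, downtime_so_far: float) -> float:
    """Seconds still available for outages (or risky changes) before the target is missed."""
    return allowed_downtime(target_pct, period_seconds) - downtime_so_far


def composite_availability(targets_pct) -> float:
    """Availability of a request path that needs EVERY listed service to be up.
    Independent serial dependencies multiply, so the chain is weaker than any single
    published SLA in it."""
    availability = 1.0
    for target in targets_pct:
        availability *= target / 100.0
    return 100.0 * availability


def budget_table(period_seconds: float, targets=(99.0, 99.5, 99.9, 99.95, 99.99, 99.999)) -> dict:
    """Downtime budget per target, to turn a percentage into a felt quantity."""
    return {target: allowed_downtime(target, period_seconds) for target in targets}


if __name__ == "__main__":
    print("99.99% over 3 months allows", timedelta(seconds=allowed_downtime(99.99, QUARTER_90)))
    for target, budget in budget_table(MONTH_30).items():
        print(f"{target:>7}% per 30-day month -> {timedelta(seconds=round(budget))}")
    print("5 min outage in a month meets 99.99%?", sla_met(99.99, MONTH_30, 5 * 60))
    # constructed chain: load balancer, multi-zone instances, Cloud SQL
    print("composite of 99.99, 99.99, 99.95:", round(composite_availability([99.99, 99.99, 99.95]), 4))
```

The composite figure is the one to carry into an architecture review: the published SLA of each covered service is a ceiling for that service alone, and an application whose request path crosses several of them should set its own SLO from the product, not from the best single number.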
GCP — Service Level Agreements

Compute Engine
Covered Service | Monthly Uptime
Instances in Multiple Zones | >= 99.99%
A Single Instance | >= 99.5%
Load balancing | >= 99.99%

Cloud Storage
Covered Service | Monthly Uptime
Standard storage class in a multi-region or dual-region location of Cloud Storage | >= 99.95%
Standard storage class in a regional location of Cloud Storage; Nearline or Coldline storage class in a multi-region or dual-region location of Cloud Storage | >= 99.9%
Nearline or Coldline storage class in a regional location of Cloud Storage; Durable Reduced Availability storage class in any location of Cloud Storage | >= 99.0%

Cloud SQL, Cloud Functions
Monthly Uptime Percentage to Customer of at least 99.95%

BigQuery, App Engine
Monthly Uptime Percentage to Customer of at least 99.99%

Cloud NAT
Monthly Uptime Percentage to Customer of at least 99.9%

AI Platform Training and Prediction
Monthly Uptime Percentage to Customer of at least 99.5%

Cloud Bigtable
Covered Service | Monthly Uptime
Cloud Bigtable - Replicated Instance (2 or more clusters) with Multi-Cluster routing policy (3 or more Regions) | >= 99.999%
Cloud Bigtable - Replicated Instance (2 or more clusters) with Multi-Cluster routing policy (fewer than 3 Regions) | >= 99.99%
Cloud Bigtable - Replicated Instance (2 or more clusters) with Single-Cluster routing policy | >= 99.9%
Cloud Bigtable - Zonal instance (single cluster) | >= 99.9%

Cloud Spanner
Covered Service | Monthly Uptime
Cloud Spanner - Multi-Regional Instance | >= 99.999%
Cloud Spanner - Regional Instance | >= 99.99%

Apigee
Covered Service | Monthly Uptime
Apigee Standard | >= 99%
Apigee Enterprise | >= 99.99% for environments provisioned in 2 or more Regions (i.e., with the purchase of Additional Region / Distributed Network) with a dual-region, multi-regional, or global Cloud KMS encryption key, or >= 99.9% for all other environments
Apigee Enterprise Plus | >= 99.99% for environments provisioned in 2 or more Regions with a dual-region, multi-regional, or global Cloud KMS encryption key, or >= 99.9% for all other environments
GCP Support Plans
Basic Support | Standard Support | Enhanced Support | Premium Support

Across plans (no per-plan column on the slide):
• Unlimited access to support
• Billing Support: Case (Email), Phone, and Chat
• Active Assist Recommender API

Standard Support
• P2: 4-hour response
• Technical Support: Case (Email)
• 8/5 response for high-impact issues
• Only English Support

Enhanced Support and Premium Support
• Technical Support: Case (Email) and Phone
• 24/7 response for high-impact and critical issues
• English, Japanese, Mandarin Chinese, and Korean

Enhanced Support
• P1: 1-hour response
• Third Party Support
• Cloud Support API
• Technical support escalation
• Access to purchase Technical Account Advisor Service (TAAS)

Premium Support
• P1: 15min response
• Technical Account Manager (TAM)
• Event management service
• Operational Health Reviews
• Customer Aware Support
• New Product previews
• Training credits
• Access to purchase Mission Critical Services
• Access to purchase Assured Support

Pricing
• Basic Support: FREE
• Standard Support: $29 per month + 3% net spend
• Enhanced Support: $500 per month + 3% net spend
• Premium Support: $$$$ Contact Sales
Active Assist Recommender
Active Assist is a portfolio of intelligent tools and capabilities to help actively
assist you in managing complexity in your cloud operations.

Helps with 3 key activities:
• making proactive improvements to your cloud with smart recommendations
• preventing mistakes from happening in the first place by giving you better analysis
• helping you figure out why something went wrong by using intuitive troubleshooting tools
Cloud Support API

Cloud Support API allows you to integrate Google Cloud's Customer Care
within your organization's Customer Relationship Management (CRM) system.

The API supports:


• Create and manage support cases.
• List, create, and download attachments for cases.
• List and create comments in cases.

The Cloud Support API is available to Customer Care customers with Enhanced or Premium Support.
Third-Party Technology Support
With Third-Party Technology Support, Google Cloud support will assist you with integrating non-Google
services and open-source technologies that are running on or integrating with Google Cloud services.
There are 3 approaches to delivering Third-Party Technology Support:
• Collaborative support
• Google Cloud partners with other companies to create a joint support experience
• NetApp Cloud Volumes for Google Cloud
• IBM Power for Google Cloud
• F5 Networks BIG-IP as used with Anthos products
• Dell Technologies - PowerScale for Google Cloud
• DataStax Astra on Google Cloud
• Databricks
• Workload centric support
• Google Cloud has expertise in a variety of third-party technologies and can assist with
the setup, configuration, and troubleshooting of those technologies
• Third-party support
• Google Cloud provides commercially reasonable assistance with installation,
configuration, and troubleshooting of third-party software
• Operating Systems
• Databases
• Web Servers
• DevOps Tools
• SQL Server

Third-Party Technology Support is available to Customer Care customers with Enhanced or Premium Support.
Technical Account Advisor Service
Technical Account Advisor Service (TAAS) provides both proactive guidance
and reactive support to help you succeed with your Cloud journey.

TAAS delivers the following services:
• Guided onboarding to help you get started with Enhanced Support and set up your operations
with Google Cloud.
• Best practices and additional support for your most critical cases, including proactive monitoring
and guidance on case escalation.
• Monthly, quarterly, and yearly reviews to assess your operational health across Google Cloud and
deliver recommendations for improving your usage of Enhanced Support.
• Recommended training paths and courses tailored to your organization's needs.

When you purchase TAAS, you pay a monthly fee, with a minimum 1-year contract.
After the first year, your contract is month-to-month.

Third-Party Technology Support is available to Customer Care customers with Enhanced or Premium Support.
Premium Support — Assured Support

Assured Support enables you to secure your regulated workloads and
accelerate your path to running compliant workloads on Google Cloud.

To help you meet your compliance requirements, Assured Support ensures that your
workloads are handled by Google support personnel that possess certain attributes.

The support personnel attributes include geographical access location (United States only),
background checks, and "US Person" status.

Regulated Workloads
• FedRAMP Moderate Technical Support Services
• US regions and Support Technical Support Services
• IL4 Technical Support Services
• CJIS Technical Support Services
• FedRAMP High Technical Support Services
Premium Support — Mission Critical Services
Mission Critical Services assess and mitigate potential service disruptions for environments that are essential to
an organization and cause significant impact to operations when disrupted. To prepare you for this service,
Google Cloud analyzes your current operations and onboards you to Mission Critical Operations mode, a mode
standardized by Google.

The onboarding process includes the following:


• Assessing key elements of your mission critical environment, including architecture, observability,
measurement, and control.
• Delivering a gap analysis to help you prepare for mission critical operations.
• Bringing your organization into Mission Critical Operations mode to drive continuous improvement of your
environment through proactive and preventative engagement.

After you've onboarded, you receive the following services:


• Drills, testing, and training for your mission critical environments
• Customer-centric incident reporting
• Proactive monitoring and case generation
• Priority 0 (P0) support case filing privileges with 5-minute response time
• War room incident management
• Impact prevention follow-ups
Premium Support — Customer Aware Support

Customer Aware Support is a service that provides you with a jump start to resolving
technical issues and improving your Premium Support experience.

While onboarding your organization to Premium Support, your TAM focuses on
building Customer Aware Support.

Customer Care creates Customer Aware Support by learning about and maintaining information
about your architecture, partners, and Google Cloud projects. This information ensures that our
Technical Support Engineers can resolve your support cases promptly and efficiently.
Premium Support — Operational Health Reviews

Operational Health Reviews help you measure your progress and
proactively address blockers to your goals with Google Cloud.

The reviews serve as a regular touchpoint with your TAM where you can discuss various
topics related to your Customer Care experience, including:
• The efficiency of your cloud operations, including support trends.
• Analysis of trends in operational metrics.
• Incidents, case escalations, and outages.
• Tracking of open cases.
• Status reports for high-priority Cloud projects.
Premium Support — Event Management Service

Premium Support's Event Management Service is for planned peak events, such as a product
launch or major sales event. With this service, Customer Care partners with your team to create
a plan and provide guidance throughout the event.

With Event Management Service, your team is supported with the following tasks:
• Preparing your systems for key moments and heavy workloads.
• Running disaster tests to proactively resolve potential issues.
• Developing and implementing a faster path to resolution to reduce the impact of any issues
that might occur.

After the event, your TAM works with you to review the outcomes and make recommendations
for future events.

To initiate the Event Management Service for an upcoming event, contact your TAM.
Premium Support — Training Credits

With Premium Support, you receive training credits for the Google Cloud Qwiklabs
that you can distribute to users in your organization. Your TAM identifies learning
opportunities and indicates which training resources can be most beneficial to your
organization. With this training, your developers have the resources to find answers
quickly and test out ideas in safe environments.

For each 1-year contract with Premium Support, you receive 6,250 credits.
Premium Support — New Product Previews

As a Premium Support customer, you have access to Previews of new Google Cloud products. By
previewing a product, you have the opportunity to prepare your architecture for a new solution
before it becomes more broadly available to the market.

With your organization's goals in mind, your TAM analyzes your Google Cloud projects and usage
to identify opportunities to test and use new products and solutions. When your TAM identifies
an opportunity, they introduce you to the product team and help you gain access to the Preview.
As you test the product, your TAM also shares your feedback with the product team.

In addition to working with your TAM, you can request and manage access to Previews via the
Cloud Console. In the Cloud Console, you can check the status of your requests and manage
which users in your organization have access to Previews.
Premium Support — Technical Account Manager
As a Premium Support customer, you are assigned a named Technical Account Manager (TAM). Technical Account
Managers are trusted technical advisors that focus on operational rigor, platform health, and architectural stability
for your organization.

Your Technical Account Manager supports and guides you in the following ways:
• Assists you with onboarding to Premium Support.
• Assesses your cloud maturity and works with you to create an adoption roadmap
and operating model.
• Advises on best practices for using Google Cloud.
• Delivers frequent Operational Health Reviews.
• Connects you with Google technical experts, such as Product Managers and Support
Engineers.
• Works with you on support cases and case escalations. For high-priority cases, your
TAM analyzes the incident and identifies root causes.

By default, you receive 8 hours per week of foundational technical account
management services. If you require more assistance, you can purchase
additional TAM services.
Resource Hierarchy
Resource — service-level resources that are used to process your workloads
Resource Management
how you should configure and grant access to cloud resources for your team
setup and organization of the account-level resources
Domain — primary identity of your organization
• define which users should be associated with your org
• universally administer policy for your users and devices
• linked to either a Google Workspace or Cloud Identity account
• A Google Workspace or Cloud Identity can only have one org
Organization — root node of the Google Cloud hierarchy of resources
• define settings, permissions, and policies for all projects, folders, resources, and
Cloud Billing accounts it parents
• Organization is associated with exactly one Domain
• Using an Organization, you can centrally manage your Google Cloud resources and
your users' access with Proactive and Reactive management
Folders — logical grouping of projects and/or other folders
• Folders can be used to group resources that share common IAM policies
Projects — logical grouping of service-level resources
• Projects can represent: teams, environments, organization units, business departments
• basis for enabling services, APIs, and IAM permissions
• A service-level resource can only belong to a single project
Labels — categorize and filter your resources with key/value pairs
• great for cost tracking at a granular level

There are 3 suggested hierarchy architectures you can use:
• Environment-oriented
• Function-oriented
• Granular access-oriented
Environment-Oriented Hierarchy
• you have one organization that contains one folder per environment
• simple to implement
• can pose challenges if you have to deploy services that are shared by multiple environments
Function-Oriented Hierarchy
• one organization that contains one folder per business function
• Each business function folder can contain multiple environment folders
• multiple business functions are apps, management, and information technology
• more flexible compared to environment-oriented
• gives you the same environment separation
• allows you to deploy shared services
• function-oriented hierarchy is more complex to manage than an environment-oriented
• separate access by business
Granular-Access Oriented Hierarchy
• one organization that contains one folder per business unit
• Each business unit folder can contain one folder per business function
• Each business function folder can contain one folder per environment
• most flexible and extensible option
• you need to spend a greater effort to manage the structure, roles, and permissions
• network topology is more complex
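What makes the three architectures above differ in practice is IAM inheritance: a binding granted on a folder is part of the effective policy of every project underneath it, so the shape of the tree decides how far a single grant reaches. The following is an added example, not code from the original slides: a small model of an organization, folders and projects that enforces the structural rules stated above (projects are leaves, folders and projects hang off the organization or a folder), computes the effective bindings of a project as the union of its ancestors' bindings, and builds a function-oriented hierarchy to show that an editor grant on the "apps" folder reaches the apps projects but not the IT ones. Organization, folder, project, group and role names are constructed placeholders.

```python
"""Resource hierarchy with inherited IAM policy.

Added example, not from the original slides. Assumptions: all organization, folder,
project and group names are constructed; the model keeps only the inheritance rule
(a node's effective policy is the union of its own bindings and every ancestor's).
"""
from collections import defaultdict


class Hierarchy:
    def __init__(self, org: str):
        self.kind = {org: "organization"}
        self.parent = {org: None}
        self.labels = {org: {}}
        # node -> role -> set of members
        self.bindings = defaultdict(lambda: defaultdict(set))

    def add(self, name: str, kind: str, parent: str, labels=None) -> None:
        """Structural rules from the slides: folders and projects hang off the organization
        or a folder, and a project is a leaf (service-level resources live inside it)."""
        if kind not in ("folder", "project"):
            raise ValueError("only folders and projects can be added")
        if self.kind.get(parent) not in ("organization", "folder"):
            raise ValueError(f"{parent!r} cannot be a parent: projects are leaves")
        if name in self.kind:
            raise ValueError(f"{name!r} already exists")
        self.kind[name] = kind
        self.parent[name] = parent
        self.labels[name] = dict(labels or {})

    def grant(self, node: str, role: str, member: str) -> None:
        if node not in self.kind:
            raise KeyError(node)
        self.bindings[node][role].add(member)

    def ancestry(self, node: str) -> list:
        """Path from the organization root down to the node."""
        path = []
        while node is not None:
            path.append(node)
            node = self.parent[node]
        return path[::-1]

    def effective_bindings(self, node: str) -> dict:
        """Union along the ancestry: a grant on a folder reaches every project below it,
        which is why 'one folder per business function' separates access by function."""
        effective = defaultdict(set)
        for ancestor in self.ancestry(node):
            for role, members in self.bindings[ancestor].items():
                effective[role] |= members
        return {role: set(members) for role, members in effective.items()}

    def has_role(self, node: str, member: str, role: str) -> bool:
        return member in self.effective_bindings(node).get(role, set())

    def projects_with_label(self, key: str, value: str) -> list:
        """Labels cut across the tree, e.g. every project tagged env=prod for cost tracking."""
        return sorted(n for n, k in self.kind.items()
                      if k == "project" and self.labels[n].get(key) == value)


def function_oriented_demo() -> Hierarchy:
    """Org -> folder per business function -> folder per environment -> projects."""
    h = Hierarchy("example-org")
    h.add("apps", "folder", "example-org")
    h.add("it", "folder", "example-org")
    h.add("apps/prod", "folder", "apps")
    h.add("apps/dev", "folder", "apps")
    h.add("it/prod", "folder", "it")
    h.add("apps-prod-web", "project", "apps/prod", {"env": "prod", "team": "apps"})
    h.add("apps-dev-web", "project", "apps/dev", {"env": "dev", "team": "apps"})
    h.add("it-prod-monitoring", "project", "it/prod", {"env": "prod", "team": "it"})
    # Broad, low-privilege visibility is granted once at the root ...
    h.grant("example-org", "roles/browser", "group:all-engineers@example.com")
    # ... while write access is granted per business-function folder, never at the root.
    h.grant("apps", "roles/editor", "group:app-team@example.com")
    h.grant("it", "roles/editor", "group:it-team@example.com")
    # Auditors get read access on the production environment folder alone.
    h.grant("apps/prod", "roles/viewer", "group:prod-auditors@example.com")
    return h


if __name__ == "__main__":
    h = function_oriented_demo()
    for project in ("apps-prod-web", "apps-dev-web", "it-prod-monitoring"):
        print(project, "<-", " / ".join(h.ancestry(project)))
        for role, members in sorted(h.effective_bindings(project).items()):
            print("   ", role, sorted(members))
    print("prod projects:", h.projects_with_label("env", "prod"))
```

The same model reproduces the trade-off the slides describe: an environment-oriented tree (one folder per environment directly under the organization) would force the "apps" editor grant either onto the organization, where it reaches IT projects too, or onto each project individually, which is the management burden the function-oriented layout avoids.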
Billing Account

A Cloud Billing Account is used to define who pays for a given set of Google Cloud
resources and is connected to a Google payments profile.

A billing account includes one or more billing contacts defined on the Payments profile.
Billing can have sub-accounts for resellers, so you can bill resources to be paid by your customer.
Billing Account
Cloud Billing Account VS Payments Profile

Cloud Billing Account
• Is a cloud-level resource managed in the Cloud Console.
• Tracks all of the costs (charges and usage credits) incurred by your Google Cloud usage
• A Cloud Billing account can be linked to one or more projects.
• Project usage is charged to the linked Cloud Billing account.
• Results in a single invoice per Cloud Billing account
• Operates in a single currency
• Defines who pays for a given set of resources
• Is connected to a Google Payments Profile, which includes a payment instrument, defining how you pay for your charges
• Has billing-specific roles and permissions to control accessing and modifying billing-related functions (established by IAM roles)

Payments Profile
• Is a Google-level resource managed at payments.google.com.
• Connects to ALL of your Google services (such as Google Ads, Google Cloud, and Fi phone service).
• Processes payments for ALL Google services (not just Google Cloud).
• Stores information like name, address, and tax ID (when required legally) of who is responsible for the profile.
• Stores your various payment instruments (credit cards, debit cards, bank accounts, and other payment methods you've used to buy through Google in the past.)
• Functions as a document center, where you can view invoices, payment history, and so on.
• Controls who can view and receive invoices for your various Cloud Billing accounts and products.
Billing Account Types

There are 2 types of Cloud Billing accounts:

Self-serve (or Online) account


• Payment instrument is a credit or debit card or ACH direct debit, depending on availability in each
country or region.
• Costs are charged automatically to the payment instrument connected to Cloud Billing account.
• You can sign up for self-serve accounts online.
• The documents generated for self-serve accounts include statements, payment receipts, and tax
invoices, and are accessible in the Cloud Console.

Invoiced (or Offline) account


• Payment instrument can be check or wire transfer.
• Invoices are sent by mail or electronically.
• Invoices are also accessible in the Cloud Console, as are payment receipts.
• You must be eligible for invoiced billing.
Payment Profile Types

There are 2 types of payment profiles

Individual
• You're using your account for your own personal payments.
• If you register your payments profile as an individual, then only you can manage the profile. You
won't be able to add or remove users, or change permissions on the profile.
Business
• You're paying on behalf of a business, organization, partnership, or educational institution.
• You use Google payments center to pay for Play apps and games, and Google services like Google
Ads, Google Cloud, and Fi phone service.
• A business profile allows you to add other users to the Google payments profile you manage, so
that more than one person can access or manage a payments profile.
• All users added to a business profile can see the payment information on that profile.
Charging Cycle

For self-serve Cloud Billing accounts, your Google Cloud costs are charged automatically in one of two ways:

• Monthly billing: Costs are charged on a regular monthly cycle.
• Threshold billing: Costs are charged when your account has accrued a specific amount.

For self-serve Cloud Billing accounts, your charging cycle is automatically assigned when you create the
account. You do not get to choose your charging cycle and you cannot change the charging cycle.

For invoiced Cloud Billing accounts, you typically receive one invoice per month and the amount of time you
have to pay your invoice (your payment terms) is determined by the agreement you made with Google.
Cloud Billing IAM Roles
Cloud Billing lets you control which users have administrative and cost viewing permissions for
specified resources by setting Identity and Access Management (IAM) policies on the resources
To grant or limit access to Cloud Billing, you can set an IAM policy at the organization level,
the Cloud Billing account level, and/or the project level

Cloud Billing roles in IAM


• Billing Account Creator
• Create new self-serve (online) billing accounts
• Billing Account Administrator
• Manage billing accounts (but not create them).
• Billing Account User
• Link projects to billing accounts
• Billing Account Viewer
• View billing account cost information and transactions
• Project Billing Manager
• Link/unlink the project to/from a billing account
• Billing Account Costs Manager
• Can view and export cost information of billing accounts.
Billing Health Checks

Billing Health Checks are recommendations to avoid common billing issues,
e.g. budget alerts with multiple alert thresholds to reduce
spending surprises and unexpected cost overruns.
Budget Alerts

You can narrow the budget scope to:
• Specific Projects
• Specific Resources

You can set multiple thresholds that preemptively
warn you when you approach your budget's limit

Notification Options
• Email alerts to billing admins and users
• Link Monitoring email notification channels to this budget
• Connect a Pub/Sub topic to this budget
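Connecting a Pub/Sub topic to a budget is the option that lets you act on an alert programmatically rather than waiting for someone to read an email. The following is an added example, not code from the original slides: a small handler for budget notifications delivered as Pub/Sub push messages. It assumes the standard Pub/Sub push envelope (base64-encoded `data` plus `attributes`) and that the payload fields (`budgetDisplayName`, `alertThresholdExceeded`, `costAmount`, `budgetAmount`, `currencyCode`, `costIntervalStart`) and the `budgetId` attribute follow the budget notification format as this example's author understands it; the sample messages and identifiers are constructed. The de-duplication step matters because notifications for the same cost interval are resent throughout the day.

```python
"""Consuming Cloud Billing budget alerts from a Pub/Sub topic.

Added example, not from the original slides. Assumptions: the standard Pub/Sub push
envelope; payload field names and the budgetId attribute follow the budget
notification format as understood by this example's author; all values are constructed.
"""
import base64
import json


def decode_pubsub_envelope(envelope: dict) -> tuple:
    """Return (payload dict, attributes dict) from a push-delivered Pub/Sub message."""
    message = envelope["message"]
    payload = json.loads(base64.b64decode(message["data"]).decode("utf-8"))
    return payload, message.get("attributes", {})


def classify(payload: dict) -> dict:
    """Turn one notification into a severity. alertThresholdExceeded is absent
    when no configured threshold has been crossed yet."""
    cost = float(payload["costAmount"])
    budget = float(payload["budgetAmount"])
    ratio = cost / budget if budget else float("inf")
    threshold = payload.get("alertThresholdExceeded")
    if threshold is None:
        level = "ok"
    elif float(threshold) >= 1.0:
        level = "over-budget"
    else:
        level = "warn"
    return {
        "budget": payload["budgetDisplayName"],
        "level": level,
        "spent_ratio": round(ratio, 4),
        "threshold": threshold,
        "currency": payload.get("currencyCode"),
    }


class BudgetAlertHandler:
    """Notifications for the same cost interval are published repeatedly during the
    day, so the pipeline de-duplicates on (budget, interval, threshold); otherwise
    the same crossing would page people again and again."""

    def __init__(self):
        self.seen = set()
        self.alerts = []

    def handle(self, envelope: dict) -> dict:
        payload, attributes = decode_pubsub_envelope(envelope)
        decision = classify(payload)
        key = (attributes.get("budgetId"), payload.get("costIntervalStart"), decision["threshold"])
        if decision["level"] == "ok":
            decision["action"] = "none"
        elif key in self.seen:
            decision["action"] = "suppressed-duplicate"
        else:
            self.seen.add(key)
            self.alerts.append(decision)
            decision["action"] = "notify"   # e.g. post to the team's chat or ticket queue
        return decision


def constructed_envelope(cost: float, budget: float, threshold=None) -> dict:
    """Build a sample message shaped like a budget notification (constructed data)."""
    payload = {
        "budgetDisplayName": "team-apps-monthly",
        "costAmount": cost,
        "budgetAmount": budget,
        "budgetAmountType": "SPECIFIED_AMOUNT",
        "currencyCode": "USD",
        "costIntervalStart": "2024-05-01T07:00:00Z",
    }
    if threshold is not None:
        payload["alertThresholdExceeded"] = threshold
    data = base64.b64encode(json.dumps(payload).encode("utf-8")).decode("ascii")
    attributes = {"billingAccountId": "000000-AAAAAA-000000",   # placeholder id
                  "budgetId": "constructed-budget-id", "schemaVersion": "1.0"}
    return {"message": {"data": data, "attributes": attributes},
            "subscription": "projects/example-project/subscriptions/budget-alerts"}


if __name__ == "__main__":
    handler = BudgetAlertHandler()
    for envelope in (constructed_envelope(95.0, 100.0, 0.9),    # 90% threshold crossed
                     constructed_envelope(96.0, 100.0, 0.9),    # same interval, resent
                     constructed_envelope(120.0, 100.0, 1.0),   # budget exceeded
                     constructed_envelope(10.0, 100.0)):        # nothing crossed
        print(handler.handle(envelope))
```

A budget alert reports spend, it does not stop it; whatever the `notify` branch does, the handler should be idempotent and should also treat a sudden, unexplained jump in `spent_ratio` as a signal worth a security look, since abused credentials tend to show up first on the bill.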
Billing Account

Within Google Cloud, under Billing you can get
granular details about your spend for GCP resources.

Built-in billing reports

Billing Reports
• An interactive pricing explorer including graph visualization
Cost Table Report
• A tabular breakdown of cost to analyze details of invoices
Cost Breakdown Report
• at-a-glance waterfall overview of monthly charges and credit
Pricing Report
• access SKU prices for Google's cloud services
Billing Reports

Use the billing report to view and analyze your Google Cloud usage
costs using many selectable settings and filters.

Configuring various views of the Cloud Billing report can help you
answer questions like these:
• How is my current month's Google Cloud spending trending?
• What Google Cloud project cost the most last month?
• What Google Cloud service (for example, Compute Engine or Cloud
Storage) cost me the most?
• What are my forecasted future costs based on historical trends?
• How much am I spending by region?
• What was the cost of resources with label X?
Your customized report views are saveable and shareable.
Cost Table Reports

Use the cost table report to access and analyze the details of
your invoices and statements.

Because your generated invoice and statement PDFs only
contain simplified, summarized views of your costs, the cost
table report is available to provide invoice or statement cost
details, such as the following:

• Includes project-level cost details from your invoices and
statements, including your tax costs broken out by project.
• Includes additional details you might need, such as service
IDs, SKU IDs, and project numbers.
• The report view is customizable and downloadable to CSV.
Cost Breakdown Report
Use the cost breakdown report for an at-a-glance waterfall
overview of your monthly costs and savings.

This report shows the following summarized view of monthly
charges and credits:

• The combined costs of your monthly Google Cloud usage
at the on-demand rate, calculated using non-discounted
list prices.
• Savings realized on your invoice due to negotiated pricing
(if applicable to your Cloud Billing account).
• Savings earned on your invoice with usage-based credits,
broken down by credit type (for example, committed use
discounts, sustained use discounts, free tier usage).
• Your invoice-level charges such as tax and adjustments (if
any) applied for that invoice month.
Pricing Report
Use the pricing table report to access SKU prices for
Google's cloud services, including Google Cloud,
Google Maps Platform, and Google Workspace, as of
the date the report is viewed.

This report shows the following pricing information:

• Displays SKU prices specific to the selected Cloud
Billing account.
• If your Cloud Billing account has negotiated
contract pricing, each SKU displays the list price,
your contract price, and your effective discount.
• If a SKU is subject to tiered pricing, each pricing
tier for a SKU is listed as a separate row.
• All the prices are shown in the currency of the
selected billing account.
• The report view is customizable and
downloadable to CSV for offline analysis.
Pricing Overview
Google Cloud offers various pricing schemes that vary per
service. Broadly there are 7 types of pricing:

Free-Trial — A risk-free trial period, with specific limitations
Free-Tier — Services that have minimum monthly limits of free use
On-Demand — The standard price paid by hour, minute, second or millisecond (varies per service)
Committed Use Discounts — A lower price than on-demand for agreeing to a 1 year or 3 year contract
Sustained Use Discounts — Passive savings when using resources past a period of continuous use
Preemptible VM instances — Instances with deep savings but at the cost of being interrupted
Flat-Rate Pricing — Prefer a stable cost for queries rather than paying on-demand (Only BigQuery)
Sole-Tenant Node Pricing — dedicated compute, e.g. single-tenant virtual machines
Free Trial

90-day, $300 Free Trial

New Google Cloud and Google Maps Platform users can take advantage of a 90-day trial period that
includes $300 in free Cloud Billing credits to explore and evaluate Google Cloud and Google Maps
Platform products and services. You can use these credits toward one or a combination of products.

Trial Limitations:
• You can't add GPUs to your VM instances
• You can't request a quota increase
• You can't create VM instances that are based on Windows Server images.
• You need to verify a credit card or other payment method to sign up
• At the end of the trial, to continue using Google Cloud, you must upgrade to a paid Cloud Billing account.
• Upgrading early will end your trial
Free-Tier

All Google Cloud customers can use select Google Cloud products—like
Compute Engine, Cloud Storage, and BigQuery—free of charge, within
specified monthly usage limits.

When you stay within the Free Tier limits, these resources are not charged
against your Free Trial credits or to your Cloud Billing account's payment
method after your trial ends.
Free-Tier

App Engine
• 28 hours per day of "F" instances
• 9 hours per day of "B" instances
• 1 GB of egress per day
• The Google Cloud Free Tier is available only for the Standard Environment.

BigQuery
• 1 TB of querying per month
• 10 GB of storage each month

Artifact Registry
• 0.5 GB storage per month

Cloud Build
• 120 build-minutes per day

Cloud Functions
• 2 million invocations per month (includes both background and HTTP invocations)
• 400,000 GB-seconds, 200,000 GHz-seconds of compute time
• 5 GB network egress per month

AutoML Vision
• 40 node hours for training and online prediction
• 1 node hour for batch classification prediction
• 15 node hours for Edge training

AutoML Natural Language
• 5,000 units of prediction per month

AutoML Tables
• 6 node hours for training and prediction

AutoML Translation
• 500,000 translated characters per month

AutoML Video Intelligence
• 40 node hours for training
• 5 node hours for prediction

Cloud Logging and Cloud Monitoring
• Free monthly logging allotment
• Free monthly metrics allotment

Cloud Natural Language API
• 5,000 units per month
Free-Tier

Cloud Run
• 2 million requests per month
• 360,000 GB-seconds of memory, 180,000 vCPU-seconds of compute time
• 1 GB network egress from North America per month
• The Free Tier is available only for Cloud Run.

Cloud Vision
• 1,000 units per month

Firestore
• 1 GB storage
• 50,000 reads, 20,000 writes, 20,000 deletes per day

Cloud Shell
• Free access to Cloud Shell, including 5 GB of persistent disk storage

Cloud Source Repositories
• Up to 5 users
• 50 GB of storage per billing account
• 50 GB egress

Google Kubernetes Engine
• No cluster management fee for one Autopilot or Zonal cluster
• For clusters created in Autopilot mode, pods are billed per second for vCPU, memory and disk resource requests. For clusters created in Standard mode, each user node is charged at standard Compute Engine pricing.

Cloud Storage
• 5 GB-months of regional storage (US regions only)
• 5,000 Class A Operations per month
• 50,000 Class B Operations per month
• 1 GB network egress from North America to all region destinations (excluding China and Australia) per month
• Free Tier is only available in us-east1, us-west1, and us-central1 regions. Usage calculations are combined across those regions.
Free-Tier

Google Maps Platform
• For more information, see the Pricing page.

Pub/Sub
• 10 GB of messages per month

Speech-to-Text
• 60 minutes per month

Video Intelligence API
• 1,000 units per month

Workflows
• 5,000 internal steps per month
• 2,000 external HTTP calls per month

Compute Engine
• 1 non-preemptible f1-micro VM instance per month within:
  • us-west1, us-central1, us-east1
• 30 GB-months HDD
• 5 GB-month snapshot storage in the following regions:
  • us-west1, us-central1, us-east1, asia-east1, europe-west1
• 1 GB network egress from North America to all region destinations (excluding China and Australia) per month
• Your Free Tier f1-micro instance limit is by time, not by instance. Each month, eligible use of all of your f1-micro instances is free until you have used a number of hours equal to the total hours in the current month. Usage calculations are combined across the supported regions.
• Google Cloud Free Tier does not include external IP addresses.
• Compute Engine offers discounts for sustained use of virtual machines. Your Free Tier use doesn't factor into sustained use.
• GPUs and TPUs are not included in the Free Tier offer. You are always charged for GPUs and TPUs that you add to VM instances.
On-Demand

On-demand pricing is when you pay for a Google Cloud resource based on a
consumption-based model.

A consumption-based model means you only pay for what you use, based on a
consumption metric:
• By time: hourly, minutes, seconds, milliseconds
• Can be multiplied by configuration variables: vCPUs and memory
• By API calls: e.g. $1 every 1000 transactions

On-Demand is ideal for:
• low cost and flexible
• only pay per hour
• short-term, spiky, unpredictable workloads
• workloads that cannot be interrupted
• first-time apps
Committed Use Discounts (CUD)
Committed Use Discounts (CUD) let you commit to a contract for deeply
discounted Virtual Machines on Google Compute Engine

• simple and flexible, and require no upfront costs
• ideal for workloads with predictable resource needs
• you purchase compute resources (vCPUs, memory, GPUs, and local SSDs)
• discounts apply to the aggregate number of vCPUs, memory, GPUs, and local SSDs
  within a region
• not affected by changes to your instance's machine setup
• you commit for payment terms of 1 year to 3 years
• you purchase a committed use contract for a single project
• you can purchase multiple contracts and share them across many projects by enabling Shared Discounts
• you are billed monthly for the resources you purchased for the duration of the term,
  whether or not you use the services

57% — Most Machine Types and GPUs
70% — Memory-Optimized Machine Types
Sustained Use discounts (SUD)
Sustained use discounts are automatic discounts for running specific
Compute Engine resources for a significant portion of the billing month.
Sustained use discounts apply to the following resources:
• The vCPUs and memory for:
  • general-purpose custom and predefined machine types
  • compute-optimized machine types
  • memory-optimized machine types
  • sole-tenant nodes, including the 10% sole-tenancy premium, even if the vCPUs and memory
    in those nodes are covered by committed use discounts
• GPU devices
Sustained use discounts are applied on incremental use after you reach certain usage thresholds:
• you pay only for the number of minutes that you use an instance
• Compute Engine automatically gives you the best price
• there is no reason to run an instance for longer than you need it
• discounts automatically apply to VMs created by both Google Kubernetes Engine and Compute Engine
• discounts do not apply to:
  • VMs created using the App Engine flexible environment and Dataflow
  • E2 and A2 machine types
Sustained Use discounts (SUD)

Sustained use discounts for up to 30%

• General-purpose N1 predefined and custom machine types
• memory-optimized machine types
• shared-core machine types
• sole-tenant nodes

Usage level (% of month)    % of base rate at which incremental use is charged
0%–25%                      100% of base rate
25%–50%                     80% of base rate
50%–75%                     60% of base rate
75%–100%                    40% of base rate
Sustained Use discounts (SUD)

Sustained use discounts for up to 20%

• General-purpose N2 and N2D predefined and custom machine types
• Compute-optimized machine types

Usage level (% of month)    % of base rate at which incremental use is charged
0%–25%                      100% of base rate
25%–50%                     86.78% of base rate
50%–75%                     73.3% of base rate
75%–100%                    60% of base rate
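The two tiered tables above only discount the hours that fall inside each usage band, so the headline "up to 30%" or "up to 20%" is only reached when an instance runs for the whole month. The calculator below is an added worked example (not from the slides or from Google); it encodes both tables and reports the effective discount for a given number of hours, using a constructed 720-hour month and a made-up $0.10/hour base rate.

```python
"""Sustained use discount (SUD) calculator, added as a worked example.

Tier tables come from the two SUD tables on the slides; the 720-hour month and
$0.10/hour base rate in __main__ are constructed sample inputs, not real prices.
"""
from typing import List, Tuple

# (upper bound of the tier as a fraction of the month, fraction of base rate charged)
SUD_UP_TO_30: List[Tuple[float, float]] = [
    (0.25, 1.00), (0.50, 0.80), (0.75, 0.60), (1.00, 0.40)]            # N1 & co.
SUD_UP_TO_20: List[Tuple[float, float]] = [
    (0.25, 1.0000), (0.50, 0.8678), (0.75, 0.7330), (1.00, 0.6000)]    # N2/N2D


def sud_cost(hours_used: float, hours_in_month: float,
             base_hourly_rate: float, tiers: List[Tuple[float, float]]) -> float:
    """Monthly cost of one instance with the discount applied incrementally.

    Only the hours inside a band get that band's rate: the first quarter of the
    month is always billed at 100% of the base rate, the next quarter cheaper, etc.
    """
    if not 0 <= hours_used <= hours_in_month:
        raise ValueError("hours_used must lie within the billing month")
    usage_fraction = hours_used / hours_in_month
    cost, lower = 0.0, 0.0
    for upper, rate_fraction in tiers:
        if usage_fraction <= lower:
            break                       # remaining bands were never reached
        tier_hours = (min(usage_fraction, upper) - lower) * hours_in_month
        cost += tier_hours * base_hourly_rate * rate_fraction
        lower = upper
    return cost


def effective_discount(hours_used: float, hours_in_month: float,
                       base_hourly_rate: float, tiers: List[Tuple[float, float]]) -> float:
    """Fraction saved versus undiscounted on-demand billing for the same hours."""
    undiscounted = hours_used * base_hourly_rate
    if undiscounted == 0:
        return 0.0
    return 1 - sud_cost(hours_used, hours_in_month, base_hourly_rate, tiers) / undiscounted


if __name__ == "__main__":
    # Constructed inputs: a 720-hour month and a $0.10/hour base rate
    for label, tiers in (("up to 30%", SUD_UP_TO_30), ("up to 20%", SUD_UP_TO_20)):
        for hours in (180, 360, 720):
            pct = effective_discount(hours, 720, 0.10, tiers)
            print(f"{label}: {hours}h of 720h -> {pct:.1%} off")
```

Running it shows that an instance used for exactly a quarter of the month gets no discount at all, half the month yields 10% on the N1 table, and the full 30% (or 20%) only appears at 100% usage.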
Flat-Rate Pricing

BigQuery offers flat-rate pricing for high-volume or enterprise
customers who prefer a stable monthly cost for queries rather
than paying the on-demand price per GB of data processed.

When you enroll in flat-rate pricing, you purchase dedicated query processing
capacity, measured in BigQuery slots.

Your queries consume this capacity, and you are not billed for bytes
processed. If your capacity demands exceed your committed capacity,
BigQuery will queue up slots, and you will not be charged additional fees.

To enable flat-rate pricing, use BigQuery Reservations.


Preemptible VM instances
Preemptible Virtual Machines (pVMs) are instances running at a lower price than normal instances
but that could be turned off at any time (preempted) in favour of customers who will pay the normal price.

GCP has idle Virtual Machines and will offer discounts to ensure they are in use, similar to:
• A hotel that will offer rooms at a discount to avoid vacant rooms
• An airline that offers seats at a discount to fill vacant seats

Preemptible VMs are good for:
• apps that are fault tolerant
• workloads that are not time or availability sensitive
• workloads that can resume or are okay restarting
• commonly used for batch and scientific processing

Preemptible VM conditions:
• Compute Engine might stop preemptible instances at any time due to system events
• The probability of a VM being stopped is low, but varies by time of day and region
• Compute Engine always stops preemptible instances after they run for 24 hours
• pVMs are a finite resource and might not always be available
• Cannot live-migrate from a pVM to a regular instance
• Not covered by the Compute Engine SLA
Sole Tenant Node Pricing
A sole-tenant node (single-tenant VM) is a physical Compute Engine server
that is dedicated to hosting only your project's VM instances.

When you create sole-tenant nodes, you are billed for all of the vCPU and memory
resources on the sole-tenant nodes, plus a sole-tenancy premium, which is 10% of the
cost of all of the underlying vCPU and memory resources

Sustained use discounts apply to this premium, but committed use discounts do not.

After you create the node, you can place VMs on that node, and these VMs run for no additional cost.

vCPUs and GB of memory are charged a minimum of 1 minute.


After 1 minute of use, sole-tenant nodes are billed in 1 second increments

The price of a node type depends on the following:


• Number of vCPUs of the node type
• GBs of memory of the node type
• Region where you create the node
Google Pricing Calculator
Google Pricing Calculator is a free web-based cost calculating tool to generally calculate
cost of various GCP resources. You do not need a GCP account to use this tool

You can create a shareable link or email the estimate to your organization or key stakeholders
Dataproc

What is Hadoop?
Hadoop is an open-source framework for distributed processing of large data sets
Hadoop allows you to distribute:
• large datasets across many servers, e.g. HDFS
• computing queries across many servers eg. MapReduce
• Run various open-source big-data, distributed projects as components

Dataproc is a fully managed and highly scalable service for running Apache Spark,
Apache Flink, Presto, and 30+ open source tools and frameworks.
Dataproc is a fully-managed Hadoop as a Service

Use Dataproc for data lake modernization, ETL, and secure data science, at
planet scale, fully integrated with Google Cloud, at a fraction of the cost.
Dataflow
Dataflow is a unified stream and batch data processing service that's serverless, fast, and cost-effective

• Stream analytics — ingest, process, and analyze fluctuating volumes of real-time
  data for real-time business insights
• Real-time AI — streaming events to Google Cloud's Vertex AI and TensorFlow
  Extended (TFX)
  • ML use cases: predictive analytics, fraud detection, real-time personalization,
    anomaly detection
  • supported with CI/CD for ML through Kubeflow pipelines
• IoT Streaming — sensor and log data processing
Dataflow

Dataflow SQL — use your SQL skills to develop streaming Dataflow pipelines right from the BigQuery web UI.
Flexible Resource Scheduling (FlexRS) — advanced scheduling techniques to reduce batch processing costs
Dataflow templates — easily share your pipelines across your organization and team
Vertex AI Notebook Integration
Private IPs — disable public IP and operate within the GCP network for added security
Horizontal scaling — automatically scales
Apache Beam — integrate with Apache Beam

What is Apache Beam?

An open source, unified model for defining both batch and streaming data-parallel processing pipelines

Dataflow Prime — serverless, no-ops, auto-tuning architecture

Vertical Autoscaling — you don't have to spend days determining the optimum configuration of resources for your pipeline
Right Fitting — custom resource configuration for each stage of the data pipeline, reducing waste
New diagnostics tools
