Fundamentals

  • Hardware Infrastructure Layer:
    • Custom Hardware Design: Google designs server boards and networking equipment in-house for enhanced security.
    • Custom Chips: Google develops custom chips, including a hardware security chip, deployed on servers and peripherals.
    • Secure Boot Stack: Utilizes cryptographic signatures over BIOS, bootloader, kernel, and base OS image to ensure correct software stack during boot process.
    • Premises Security: Google's data centers incorporate multiple layers of physical security, limiting access to a small number of authorized personnel.
  • Service Deployment Layer:
    • Encryption of Inter-Service Communication: Google's infrastructure encrypts all RPC (remote procedure call) traffic between data centers.
    • Hardware Cryptographic Accelerators: Deployment underway to extend default encryption to all infrastructure RPC traffic within Google data centers.
  • User Identity Layer:
    • Intelligent Identity Service: Google's central identity service challenges users based on risk factors, employing secondary factors like U2F devices for authentication.
  • Storage Services Layer:
    • Encryption at Rest: Encryption using centrally managed keys is applied to storage services, including support for hardware encryption in drives.
  • Internet Communication Layer:
    • TLS Encryption: The Google Front End terminates TLS connections using public-private key pairs and X.509 certificates issued by Certificate Authorities, and supports perfect forward secrecy.
    • DoS Protection: Google absorbs many DoS attacks due to infrastructure scale and provides multi-tier, multi-layer protection against DoS impacts.
  • Operational Security Layer:
    • Intrusion Detection: Rules and machine intelligence warn operational security teams of possible incidents; Red Team exercises measure and improve effectiveness.
    • Insider Risk Reduction: Google limits and monitors activities of employees with administrative access.
    • Employee U2F Use: Employees require U2F-compatible Security Keys to mitigate phishing attacks.
    • Software Development Practices: Central source control, two-party code review, libraries preventing certain security bugs, and Vulnerability Rewards Program for bug discovery.
  • Overview:
    • New Google Cloud customers typically use their Gmail accounts to access the Google Cloud Console and collaborate with teammates via Google Groups.
    • While this approach is convenient initially, it may lead to challenges later due to the lack of centralized identity management.
    • Cloud Identity provides a solution for organizations to centrally manage users and groups, enabling better control over access to cloud resources.
  • Introduction of Cloud Identity:
    • Allows organizations to define policies and manage users and groups using the Google Admin Console.
    • Administrators can log in and manage Google Cloud resources using the same credentials from existing Active Directory or LDAP systems.
  • Benefits of Cloud Identity:
    • Enables administrators to disable accounts and remove users from groups easily, enhancing security and access control.
    • Available in both a free edition and a premium edition with additional capabilities for managing mobile devices.
  • Cloud Identity Integration with Google Workspace:
    • Customers who use both Google Cloud and Google Workspace have access to Cloud Identity functionalities within the Google Admin Console.
    • Provides seamless integration for managing users and access across Google services.
  • NOTE: The project ID can be chosen during project creation but is immutable (cannot be changed) once the project has been created.
  • VPC:
    • Routing Tables:
    • Built-in routing tables within VPCs eliminate the need for provisioning or managing routers.
    • Used to forward traffic within the same network, across subnetworks, or between Google Cloud zones without requiring external IP addresses.
    • Global Distributed Firewall:
    • VPCs provide a global distributed firewall that does not require manual provisioning or management.
    • Controls access to instances through both incoming and outgoing traffic.
  • VPCs:
    • Firewall Rules with Network Tags:
    • Firewall rules can be defined using network tags on Compute Engine instances, offering convenience and flexibility.
    • Example: Tagging web servers with "WEB" allows firewall rules to permit traffic on ports 80 or 443 into all VMs with the "WEB" tag, irrespective of their IP addresses.
    • VPC Peering:
    • Establishes a relationship between two VPCs to exchange traffic.
    • Enables communication between VPCs belonging to different Google Cloud projects.
  • Shared VPC:
    • Allows multiple Google Cloud projects within the same organization to share a common VPC.
    • Utilizes Identity and Access Management (IAM) to control interactions between projects and shared VPCs, ensuring security and governance.
  • Cloud DNS:
    • Managed DNS service running on Google's infrastructure.
    • Offers low latency, high availability, and cost-effectiveness for making applications and services available to users.
    • DNS information served from redundant locations globally.
    • Programmable via Cloud Console, command-line interface, or API, allowing management of millions of DNS zones and records.
  • Cloud CDN Integration:
    • Accelerates content delivery by caching content at edge locations.
    • Easily enabled with a single checkbox after setting up HTTP(S) Load Balancing.
    • Complements applications hosted on Google Cloud, enhancing performance and user experience.
  • CDN Interconnect Partner Program:
    • Google Cloud's CDN Interconnect partner program allows integration with various CDNs.
    • Users already using other CDNs may continue to do so seamlessly within Google Cloud's ecosystem.
  • Global Edge Caching:
    • Google's global system of edge caches stores content closer to end users.
    • Utilized for accelerating content delivery in applications through Cloud CDN (Content Delivery Network).
    • Results in lower network latency for customers, reduced load on content origins, and potential cost savings.
  • Cloud VPN and Cloud Router:
    • Establishes a Virtual Private Network (VPN) connection over the internet using Cloud VPN.
    • Cloud Router enables dynamic routing, allowing exchange of route information between Google VPC and other networks using Border Gateway Protocol (BGP).
    • Provides automatic route updates, ensuring connectivity between newly added subnets and on-premises networks.
  • Direct Peering:
    • Places a router in the same public data center as a Google point of presence to exchange traffic between networks.
    • Google has over 100 points of presence globally, facilitating direct access.
    • Customers not already in a point of presence can use Carrier Peering program partners for connectivity.
  • Dedicated Interconnect:
    • Provides direct, private connections to Google Cloud.
    • Offers high reliability with SLA coverage of up to 99.99% for connections meeting Google's specifications.
    • Connections can be backed up by VPN for enhanced reliability.
  • Partner Interconnect:
    • Establishes connectivity between on-premises networks and VPC networks through supported service providers.
    • Useful for locations unable to reach Dedicated Interconnect colocation facilities or for lower bandwidth requirements.
    • SLA coverage of up to 99.99% for connections meeting Google's specifications, but Google isn't responsible for third-party service provider issues.
  • Cross-Cloud Interconnect:
    • Establishes high-bandwidth dedicated connectivity between Google Cloud and other cloud service providers.
    • Google provisions a dedicated physical connection between networks.
    • Supports multicloud strategies, offering reduced complexity, site-to-site data transfer, and encryption.
    • Available in 10 Gbps or 100 Gbps sizes.
  • Object Storage Basics:
    • Definition: Object storage manages data as objects, each containing the binary data, associated metadata (e.g., creation date, permissions), and a unique identifier (URL).
    • Interoperability: Object storage interacts well with web technologies due to its URL-based unique keys.
    • Common Data Types: Objects commonly stored include video, images, audio recordings, and binary large objects (BLOBs).
  • Key Features of Google Cloud Storage:
    • Fully Managed and Scalable: Offers fully managed, scalable service for storing any amount of data with flexible retrieval options.
    • Versatile Uses: Supports various applications including serving website content, data archival, disaster recovery, and distributing large data objects.
    • Primary Use Cases: Ideal for storing binary large objects (BLOBs) for online content, backup/archival data, and intermediate processing results.
  • Organization and Management:
    • Buckets: Storage files are organized into buckets, each requiring a globally unique name and specific geographic location for optimal latency.
    • Immutability: Objects are immutable, meaning changes create new versions; administrators can opt for versioning to track modifications.
    • Access Control: Managed through IAM roles and access control lists (ACLs) to ensure security and privacy compliance.
  • Lifecycle Management and Cost Optimization:
    • Lifecycle Policies: Allows defining rules for object lifecycle management, such as automatic deletion of objects after a specified time or retaining a certain number of versions.
    • Cost Efficiency: Helps optimize costs by ensuring only necessary data is retained and stored.
  • Cloud Storage Classes:
    1. Standard Storage:
    • Ideal for frequently accessed or hot data.
    • Suitable for data stored for brief periods.
    • Offers quick access and low-latency retrieval.
    2. Nearline Storage:
    • Designed for infrequently accessed data (e.g., monthly access).
    • Suited for data backups, long-term multimedia content, and archiving.
    • Offers a cost-effective option for data retrieval with slightly longer latency.
    3. Coldline Storage:
    • Cost-effective option for infrequently accessed data.
    • Intended for data accessed at most once every 90 days.
    • Suitable for long-term storage with occasional access needs.
    4. Archive Storage:
    • Lowest cost option for data archiving and online backup.
    • Best for data accessed less than once a year.
    • Higher costs for data access and operations with a 365-day minimum storage duration.
  • Common Characteristics Across Storage Classes:
    • Unlimited Storage: No minimum object size requirement.
    • Worldwide Accessibility: Available globally with low latency.
    • High Durability: Ensures data integrity and availability.
    • Uniform Experience: Consistent security tools and APIs across all classes.
    • Geo-Redundancy: Data stored in multi-region or dual-region locations for disaster recovery and optimal performance.
  • Cloud Storage: Additional Features and Options:
    • Auto-Class: Automatically transitions objects to suitable storage classes based on access patterns, optimizing storage costs.
    • No Minimum Fee: Pay only for what you use with no prior capacity provisioning required.
    • Encryption: Data encrypted on server-side and during transmission using HTTPS/TLS.
    • Data Ingestion Options: Multiple methods for data upload, including Cloud SDK, Cloud Console, Storage Transfer Service, and Transfer Appliance.
  • Integration with Other Google Cloud Services:
    • Supports importing and exporting tables to and from BigQuery and Cloud SQL.
    • Stores App Engine logs, backups, images, instance startup scripts, and Compute Engine images.
  • Google Cloud SQL: Fully Managed Relational Databases
    Overview:
    • Cloud SQL offers fully managed relational databases, including MySQL, PostgreSQL, and SQL Server as a service.
    • Designed to streamline database management tasks, allowing focus on application development.
  • Google Cloud SQL:
    • Fully Managed Service: Google handles tasks such as patching, updates, backups, and replication configuration.
    • Scalability: Supports scaling up to 128 processor cores, 864 GB of RAM, and 64 TB of storage.
    • Automatic Replication: Supports replication scenarios from Cloud SQL primary instance, external primary instance, and external MySQL instances.
    • Managed Backups: Automatically stores backups securely, with the cost of an instance covering seven backups.
  • Google Cloud SQL:
    Security Measures:
    • Data Encryption: Encrypts customer data on Google’s internal networks and in storage, including database tables, temporary files, and backups.
    • Network Firewall: Controls network access to each database instance, enhancing security.
  • Cloud SQL
    Integration with Google Cloud Services:
    • Accessibility: Cloud SQL instances are accessible by other Google Cloud services and external services.
    • Integration with App Engine: Utilizes standard drivers like Connector/J for Java or MySQLdb for Python.
    • Access from Compute Engine: Compute Engine instances can be authorized to access Cloud SQL instances, allowing for easy configuration in the same zone.
    Compatibility with External Applications:
    • Support for Tools: Compatible with applications and tools like SQL Workbench, Toad, and other external applications using standard MySQL drivers.
  • Firestore:
    • Firestore is a flexible, horizontally scalable, NoSQL cloud database designed for mobile, web, and server development.
    Data Organization:
    • Data stored in documents organized into collections.
    • Documents can contain complex nested objects and subcollections.
    • Each document comprises key-value pairs, e.g., firstname and lastname for a user.
  • Firestore:
    • Querying:
    • NoSQL queries retrieve specific documents or all documents in a collection based on query parameters.
    • Supports multiple chained filters and combines filtering and sorting options.
    • Default indexing ensures query performance scales with the result set size, not the dataset size.
  • Firestore:
    Data Synchronization:
    • Utilizes data synchronization to update data on connected devices.
    • Efficiently handles simple one-time fetch queries.
    • Caches actively used data for offline access and synchronizes local changes back to Firestore when online.
  • Firestore:
    Infrastructure and Pricing:
    • Leverages Google Cloud infrastructure for automatic multi-region data replication, strong consistency guarantees, atomic batch operations, and real transaction support.
    • Pricing based on document reads, writes, deletes, storage consumption, and network bandwidth usage.
    • Ingress currently free; egress may be free in many cases.
    • Free daily quota includes 50,000 document reads, 20,000 document writes, 20,000 document deletes, and 1 GB of stored data.
  • Google Cloud Bigtable: NoSQL Big Data Database Service
    Overview:
    • Cloud Bigtable is Google's NoSQL Big data database service, powering core Google services such as search, analytics, maps, and Gmail.
    • Designed for massive workloads with consistent low latency and high throughput.
  • Google Cloud Bigtable: NoSQL Big Data Database Service
    Use Cases:
    • Ideal for operational and analytical applications, including IoT, user analytics, and financial data analysis.
    • Preferred choice for scenarios involving:
    • Data exceeding one terabyte.
    • High throughput or rapidly changing data.
    • NoSQL data without strong relational semantics.
    • Time-series or naturally ordered data.
    • Big data processing, including asynchronous batch or synchronous real-time processing, and machine learning algorithms.
  • BigTable:
    Integration and Interoperability:
    • Interacts with other Google Cloud services and third-party clients.
    • APIs allow reading from and writing to Cloud Bigtable through data service layers like Managed VMs, HBase REST server, or Java servers using the HBase client.
    • Commonly used to serve data to applications, dashboards, and data services.
    • Supports data streaming through popular stream processing frameworks like Dataflow streaming, Spark streaming, and Storm.
    • Also supports batch processes such as Hadoop MapReduce, Dataflow, or Spark for reading from and writing to Cloud Bigtable.
  • Storage Comparisons
  • Infrastructure as a Service (IaaS) and Virtual Machines (VMs):
    • IaaS enables sharing compute resources using VMs to virtualize hardware.
    • Each developer can deploy their own OS, access hardware, and build applications in a self-contained environment with access to resources like RAM, file systems, and networking interfaces.