
Google Network

Built to give users the highest possible throughput and the lowest possible latency for their
applications.

When an internet user sends traffic to a Google resource, Google responds to the request from
the edge network location that provides the lowest latency.

Google's edge caching network sites content close to end users to minimize latency.

GCP is organized into regions and zones


A zone is a deployment area for Google Cloud Platform resources.

When the user launches a virtual machine in GCP using Compute Engine, it runs in a zone that the user specifies.

A zone doesn't always correspond to a single physical building. Zones are grouped into regions,
independent geographic areas, and the user can choose which regions their GCP resources are in. All
the zones within a region have fast network connectivity among them.

Locations within a region usually have round-trip network latencies of under 5 milliseconds.

Think of a zone as a single failure domain within a region. As part of building a fault-tolerant
application, the user can spread resources across multiple zones in a region. That helps protect
against unexpected failures. The user can run resources in different regions too, to protect against the
loss of an entire region due to a natural disaster.

A few Google Cloud Platform services support placing resources in a multi-region. For example, Google
Cloud Storage allows storing data in multi-regions, meaning it is stored redundantly in at least two geographic
locations, separated by at least 160 kilometres within Europe. (GCP has 15 regions.)

Google is committed to environmental responsibility


All existing data centers together use roughly 2% of the world's electricity, so Google works to run its data centers as efficiently
as possible. Google is one of the world's largest corporate purchasers of renewable energy.

Google's were the first data centers to achieve ISO 14001 certification.


Customer-friendly pricing innovations

Per-second billing is offered for virtual machine use through Compute Engine and for several other
services too: Kubernetes Engine, which is container infrastructure as a service; Cloud Dataproc, which
is the open source big data system Hadoop as a service; and the App Engine flexible environment, which is a
platform as a service.

When an instance runs for more than 25 percent of the month, discounts are automatically offered
for every incremental minute.

Open APIs and open source mean customers can leave


Google gives customers the ability to run their applications elsewhere if Google is no longer
the best provider for the customer's needs.

GCP services are compatible with open source products.

Bigtable uses the interfaces of the open source database Apache HBase, which gives customers the benefit
of code portability.

Cloud Dataproc offers the open source big data environment Hadoop.

Google publishes key elements of its technology using open source licences, for example
TensorFlow, an open source machine learning library developed inside Google.

GCP technology provides interoperability.

Kubernetes gives customers the ability to mix and match microservices running across different
clouds, and Google Stackdriver lets customers monitor workloads across multiple cloud providers.

Why choose Google Cloud Platform

Google Cloud Platform lets the customer choose from computing, storage, big data, machine
learning and application services for web, mobile, analytics and backend solutions.

GCP enables developers to build, test, and deploy applications on Google's highly secure, reliable,
and scalable infrastructure.

It's global, it's cost effective, it's open source friendly and it's designed for security.

GCP products and services can be broadly categorized as compute, storage, big data, machine
learning, networking, and operations and tools.

Multi-layered security approach


Google has seven services with more than a billion users. Design for security is pervasive throughout
the infrastructure that GCP and Google services run on.

To keep customer data safe, the server boards and the networking equipment in Google data centers
are custom designed by Google.

Google also designs custom chips, including a hardware security chip called Titan, which is currently
being deployed on both servers and peripherals.

Google server machines use cryptographic signatures to make sure they are booting the correct
software.

Google designs and builds its own data centers, which incorporate multiple layers of physical security
protections. Access to these data centers is limited to only a very small fraction of Google employees.

Google's infrastructure provides cryptographic privacy and integrity for remote procedure call (RPC)
data on the network, which is how Google services communicate with each other.

The infrastructure automatically encrypts customer RPC traffic in transit between data centers.

Google's central identity service, which manifests to end users as the Google login page, goes beyond
asking for a simple username and password. It also asks for additional information based on risk factors, such as
whether the sign-in comes from the same device or from a different location.

Users can also use second factors when signing in, including devices based on the Universal Second
Factor (U2F) open standard.

Google also enables hardware encryption support in hard drives and SSDs.

Google services that make themselves available on the internet register themselves with an
infrastructure service called Google Front End (GFE), which checks incoming network connections for correct
certificates and best practices. The GFE additionally applies protection against denial of service
attacks.

The sheer scale of its infrastructure enables Google to simply absorb many denial of service attacks,
even behind the GFEs.

Google has multi-tier, multi-layer denial of service protection that reduces the risk of any denial of
service impact.

Inside Google's infrastructure, machine intelligence and rules warn of possible incidents. Google
conducts Red Team exercises that simulate attacks. Google aggressively limits and actively monitors the
activities of its employees.

Google stores its source code centrally and requires two-party review of new code. It also gives
developers libraries that keep them from introducing certain classes of security bugs.

GCP Fundamentals: Core Infrastructure:

GCP uses projects to organize the workloads the customer deploys.

Use Google Cloud Identity and Access Management (IAM) to control who can do what, and the
customer can choose from several interfaces to connect.

Projects are the main way to organize resources in GCP.

Each user should have only those privileges needed to do their job. In a least-privilege environment,
people are protected from an entire class of errors. GCP customers use IAM to implement least
privilege.

There are 4 ways to interact with GCP's management layer:

- Through the web-based console
- Through the SDK and its command-line tools
- Through the API
- Through the mobile app

When the customer builds an application on on-premises infrastructure, the customer is responsible
for the security of the entire stack.

For an application in GCP, Google handles many of the lower layers of security. Because of its scale,
Google can deliver a higher level of security.

Google provides IAM to help customers implement the policies they choose at the layers they control.

The Google Cloud Platform resource hierarchy

All resources are organized into projects; optionally, these projects may be organized into folders.
Folders can contain other folders.

All folders and projects used by the organization can be brought together under an organization
node.

Projects and organization nodes are all places where policies can be defined. Some GCP
resources let you set policies on individual resources too (for example Cloud Storage buckets).

Policies are inherited downwards in the hierarchy.

All GCP resources belong to a project. Projects are the basis for enabling and using GCP services, like
managing APIs, enabling billing, adding or removing collaborators and enabling other Google
services.

Each project is a separate compartment and each resource belongs to exactly one. Projects can have
different owners and users; they're billed separately and they're managed separately.

Each GCP project has a name and a project ID that the customer assigns. The project ID is a permanent,
unchangeable identifier and it has to be unique across GCP.

The customer can use project IDs in several contexts to tell GCP which project the customer wants to
work with. GCP also assigns each of the customer's projects a unique project number, which is
displayed to the customer in various contexts.

The customer can organize projects into folders. Folders let teams delegate
administrative rights, so they can work independently.

The resources in a folder inherit IAM policies from the folder. To use folders, the customer needs an
organization node at the top of the hierarchy.

The organization node is the top of the hierarchy. There are some special roles associated with it.

If the customer has a G Suite domain, GCP projects will automatically belong to the customer's
organization node.

Otherwise the customer can use Cloud Identity to create an organization node. It's a best practice to
decide who on the team should really be able to create projects and billing accounts.

Once the organization node is created, the customer can create folders underneath it and put projects in them.

Resources inherit the policies of their parent resource, and this inheritance is transitive: a policy set on a
folder applies to the projects in it, which means that all the resources in those projects inherit the policy too.

The policies implemented at a higher level in this hierarchy can't take away access that's granted at a
lower level. The more generous policy is the one that takes effect.

Identity and Access Management (IAM)
IAM lets administrators authorize who can take action on specific resources. An IAM policy has a
"who" part, a "can do what" part, and an "on which resource" part.

The "who" part names the users the policy is about. The "who" part of an IAM policy
can be defined by a Google account, a Google group, a service account, or an entire G Suite
or Cloud Identity domain.

The "can do what" part is defined by an IAM role. An IAM role is a collection of permissions. Most of the
time, doing any meaningful operation needs more than one permission.

The permissions are grouped together into a role, which makes them easier to manage.

The "who" part of an IAM policy can be a Google account, a Google group, a service account or an
entire G Suite or Cloud Identity domain.

There are 3 kinds of roles in Cloud IAM

Primitive roles are broad; the customer applies them to a GCP project and they affect all resources in
that project.

These are the owner, editor and viewer roles. If you are a viewer on a given resource, you can examine it but
not change its state.
If you are an editor, you can do everything a viewer can do, plus change its state.
If you are an owner, you can do everything an editor can do, plus manage roles and permissions on
the resource.
The owner role on a project also lets you do one more thing: set up billing.
GCP IAM also provides a finer-grained type of role.

GCP services offer their own sets of predefined roles and they define where those roles can be
applied.

Compute Engine offers virtual machines as a service. Compute Engine offers a set of predefined roles
which can be applied to Compute Engine resources in a given project, a given folder or an entire
organization.

Cloud Bigtable, which is a managed database service, offers roles that can apply across an entire
organization, to a particular project or even to individual Bigtable database instances.

IAM Roles

Case study, to prepare for the certification exam:


https://cloud.google.com/certification/guides/cloud-architect/#sample-case-study
