Monday, May 15, 2023

SET UP SDK

Install the Google Cloud CLI

Install the latest gcloud CLI on macOS. The installer needs Python 3, so make sure it is installed first.

STEP 1:

Check the installed Python version:

python3 -V

STEP 2:

Check your machine's architecture with uname -m and download the matching package.

macOS 64-bit (ARM64, Apple silicon; uname -m prints arm64):

https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-cli-449.0.0-darwin-arm.tar.gz

macOS 64-bit (x86_64; uname -m prints x86_64): download the corresponding x86_64 package.

Before extracting, compare the file's SHA256 (shasum -a 256 FILE) with the checksum published on the gcloud CLI install page. Do not install a package whose checksum does not match.


STEP 3:

Extract the archive and run the installer as your normal user. It does not need root: installing via sudo su leaves the SDK, and the credentials that gcloud init writes later, owned by root under /var/root instead of your own home directory. (If you do run it as root for practice, remember that the profile file the installer edits is /var/root/.bash_profile rather than ~/.bash_profile.)

./google-cloud-sdk/install.sh



STEP 4:

The installer offers to add the SDK to your PATH by editing your shell profile (~/.bash_profile for bash; ~/.zshrc for zsh, the default shell on recent macOS). Reload it so the change takes effect in the current terminal:

source ~/.bash_profile

STEP 5:

Alternatively, open a new terminal window so the PATH change is picked up.

STEP 6:

The installer also accepts its preferences as flags instead of prompting. List them with:

./google-cloud-sdk/install.sh --help

STEP 7:

For example, rerun the installer with screen-reader mode enabled:

./google-cloud-sdk/install.sh --screen-reader=true


STEP 8:

Run gcloud init. It opens a browser and asks you to sign in with your Google Cloud account, then asks which project to use. Confirm the configuration (enter 1), then choose a default region and zone. Sign in with the least-privileged account that can do the work; do not use the project owner account for day-to-day CLI use.

./google-cloud-sdk/bin/gcloud init






STEP 9:

gcloud init also runs a network diagnostic; it should report that the reachability check passed before it continues.



STEP 10:

Run gcloud version. It should print the installed Google Cloud SDK components.

You have successfully installed the gcloud CLI. Happy Learning 😊!!
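The steps above, as an added shell script that is not part of the original post: it installs the CLI as an unprivileged user and refuses to run as root, picks the tarball from uname -m, verifies the download's SHA256 against a checksum you copy from the gcloud CLI install page, and then runs install.sh non-interactively and gcloud init. The ARM tarball name is the one linked above; the x86_64 name is assumed from Google's naming pattern, and the SDK version, install location and the checksum you pass in are assumptions to adjust for your download.

```shell
#!/bin/sh
# Added example: install the Google Cloud CLI on macOS as an unprivileged user,
# verifying the tarball's SHA256 before running install.sh. Not the post's own
# script. Assumptions: SDK_VERSION, the x86_64 tarball name (Google's naming
# pattern), and EXPECTED_SHA256, which you copy from the gcloud CLI install page.
set -eu

SDK_VERSION="449.0.0"
BASE_URL="https://dl.google.com/dl/cloudsdk/channels/rapid/downloads"

# Map `uname -m` output to the tarball name for this SDK version.
sdk_tarball_for_arch() {
  case "$1" in
    arm64|aarch64) echo "google-cloud-cli-${SDK_VERSION}-darwin-arm.tar.gz" ;;
    x86_64)        echo "google-cloud-cli-${SDK_VERSION}-darwin-x86_64.tar.gz" ;;  # assumed name
    *) echo "unsupported architecture: $1" >&2; return 1 ;;
  esac
}

# SHA256 of a file with whichever tool the platform has
# (shasum on macOS, sha256sum on Linux).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Return 0 only if the file's digest equals the expected one (case-insensitive).
verify_sha256() {
  actual=$(sha256_of "$1" | tr 'A-F' 'a-f')
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  [ "$actual" = "$expected" ]
}

# The SDK and the credentials gcloud init writes belong under the invoking
# user's home, not /var/root, so refuse to proceed as root.
refuse_root() {
  [ "$(id -u)" -ne 0 ]
}

install_gcloud() {
  expected_sha="$1"                      # checksum from the install page (caller supplies)
  refuse_root || { echo "do not run this as root" >&2; return 1; }
  tarball=$(sdk_tarball_for_arch "$(uname -m)")
  curl -fsSLo "$HOME/$tarball" "$BASE_URL/$tarball"
  if ! verify_sha256 "$HOME/$tarball" "$expected_sha"; then
    echo "checksum mismatch for $tarball, aborting" >&2
    rm -f "$HOME/$tarball"
    return 1
  fi
  tar -xzf "$HOME/$tarball" -C "$HOME"
  # Preferences passed as flags instead of prompts (see install.sh --help).
  "$HOME/google-cloud-sdk/install.sh" --quiet --usage-reporting=false \
    --path-update=true --command-completion=true
  "$HOME/google-cloud-sdk/bin/gcloud" init
}

# Only perform the real installation when explicitly asked, so the functions
# above can be sourced or exercised without network access.
if [ "${1:-}" = "install" ]; then
  install_gcloud "${2:?expected sha256 required}"
fi
```

Run it as `sh install-gcloud.sh install <sha256-from-install-page>`; a mismatched checksum deletes the download and stops before anything is extracted.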


Referencing : Google documentation
Wednesday, May 10, 2023

CREATE A GCS BUCKET- HANDS-ON




 

STEP 1:

Sign in to the Cloud Console, search for Cloud Storage and open Buckets.

STEP 2:

Create a GCS bucket. Bucket names live in a single global namespace, so prefixing the name with your project ID is a simple way to get a unique one (bucket names are visible in URLs, so keep anything sensitive out of them). Add a label as a key/value pair and click CONTINUE. Labels are used for automation, cost allocation and governance.



STEP 3:

Click CONTINUE and choose where the data is stored: a single region, a dual-region pair, or a multi-region. For this exercise we deploy multi-region.




STEP 4:

Choose a storage class. This decision depends on how often the data will be accessed (Standard for frequently accessed data; Nearline, Coldline and Archive for progressively colder data). We select Standard for practice.



STEP 5:

Access control: a new bucket is private by default. Choose uniform bucket-level access (permissions managed only through IAM, the recommended option) or fine-grained access (IAM plus per-object ACLs). Leave public access prevention enforced unless the bucket is meant to serve public content.


STEP 6: 

Create your GCS bucket. 



STEP 7:

Upload a file to the GCS bucket.

STEP 8:

Once the file is uploaded, the object list shows its size, type, creation date, public access status, last-modified time, encryption type and so on.




STEP 9:

Click on the file to see its Authenticated URL. You can give that URL to someone for direct access to the object, but it only works for a Google identity that already has IAM permission on the bucket or object. To share an object with someone who has no IAM access, generate a time-limited signed URL rather than making the object public.

STEP 10: 

Access settings (uniform versus fine-grained access, public access prevention) are applied at the BUCKET LEVEL, so every object in the bucket inherits them.



STEP 11: 
Observability - The Observability tab gives visibility into traffic to the bucket: request counts and the share of requests that failed.

Write errors - Uploads or updates to the bucket that failed.

Read errors - Downloads from the bucket that failed.

Client errors - Requests the bucket rejected with a 4xx response (for example, permission denied or object not found). A sudden spike is worth investigating: it can mean a misconfigured application, or someone probing the bucket for objects they are not allowed to read.
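The console steps above, as an added example that is not part of the original post: the same bucket created from the gcloud CLI with uniform bucket-level access and public access prevention, plus a small audit that flags any IAM binding for allUsers or allAuthenticatedUsers, the two principals that make a bucket public. PROJECT_ID, the bucket name and the labels are placeholders; gcloud is only called when the script is run with the create or audit argument, so the audit function can be exercised on captured policy output offline.

```shell
#!/bin/sh
# Added example (not the post's own commands). Assumptions: PROJECT_ID, the
# bucket name and the label values are placeholders to replace.
set -eu

PROJECT_ID="${PROJECT_ID:-my-project-id}"          # assumption: your project id
BUCKET="gs://${PROJECT_ID}-practice-bucket"         # project-id prefix keeps the global name unique

# Create the bucket with the settings chosen in the console walkthrough:
# multi-region US, Standard class, IAM-only access, public access prevented.
create_bucket() {
  gcloud storage buckets create "$BUCKET" \
    --project="$PROJECT_ID" \
    --location=US \
    --default-storage-class=STANDARD \
    --uniform-bucket-level-access \
    --public-access-prevention
  # Labels for automation and governance (key=value, as in the console step).
  gcloud storage buckets update "$BUCKET" --update-labels=env=practice,team=storage-lab
}

# Emit the bucket's IAM policy as "role<TAB>member" lines, one member per line.
dump_bindings() {
  gcloud storage buckets get-iam-policy "$BUCKET" \
    --flatten='bindings[].members' \
    --format='value(bindings.role,bindings.members)'
}

# Read role/member lines on stdin. Print "member<TAB>role" for every grant to
# allUsers or allAuthenticatedUsers and return 1; return 0 if there are none.
public_grants() {
  found=$(awk -F'\t' '$2 == "allUsers" || $2 == "allAuthenticatedUsers" { print $2 "\t" $1 }')
  if [ -z "$found" ]; then
    return 0
  fi
  printf '%s\n' "$found"
  return 1
}

# Only talk to gcloud when explicitly asked, so the functions can be tested offline.
case "${1:-}" in
  create) create_bucket ;;
  audit)  dump_bindings | public_grants || echo "WARNING: $BUCKET has public grants" >&2 ;;
esac
```

With public access prevention enforced, a later attempt to bind allUsers is rejected by the service, so the audit is a second line of defence for buckets created elsewhere or before the setting was enforced.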



Referencing : Google documentation. 

Tuesday, May 9, 2023

GCP-RELATIONAL DATABASES, CLOUD SQL,CLOUD SPANNER


                   RELATIONAL DATABASES

Google Cloud also provides relational databases. Earlier we distinguished dynamic data from static data: dynamic data is data that changes, such as user sign-ups, product purchases or account credentials, and it is typically held in a relational database.

OTHER SERVICES OF GCP DATABASE. 

Cloud SQL and Cloud Spanner are Google Cloud's managed relational services, and they can be used together in the same architecture.

Cloud Spanner: Google's proprietary relational database. It scales horizontally, up to global deployments, while staying strongly consistent, and it offers a high-availability guarantee, which makes it well suited to enterprise applications.

Cloud SQL: A simpler, more conventional managed database with automatic backups and replication for high availability. It runs standard engines: MySQL, PostgreSQL and SQL Server.

Non-relational databases

Non-relational (NoSQL) databases do not require a fixed schema and adapt to the shape of the data they receive. On Google Cloud the main services are Bigtable and Datastore (now Firestore in Datastore mode).

BIGTABLE: A NoSQL wide-column database developed by Google, designed for very large volumes of data with low-latency reads and writes. Rows are looked up by key. It runs on Google's distributed storage infrastructure and integrates with batch frameworks such as MapReduce and Dataflow, which is what lets it scale.

DATA WAREHOUSE: A centralized repository that stores structured, processed data from many sources for analysis and reporting. It is built to hold and query very large volumes of data.

For example, an organization that has been aggregating data for decades, such as Coca-Cola, depends on that data to stay in business. On Google Cloud, BigQuery is the data warehouse: it stores any amount of data, lets you build business intelligence on top of the customer data you collect, and is cost-effective because you pay for storage and for the data each query scans.



Referencing: Questia; Google documentation.

Monday, May 8, 2023

GOOGLE CLOUD STORAGE , FILE STORE, FILE SYSTEM.

 

Most organizations move to the cloud because of challenges they face on-premises. An on-premises organization may be concerned about building a disaster recovery platform for the data behind its applications; backups and their cost are typical issues.

A database may stop working because of hardware failure, incompatible software, lack of maintenance, software bugs, insufficient space, security incidents and so on. When that happens customers are affected, and you need backups to recover. Those backups are kept in cloud storage.

Reliability: should a data centre become unresponsive, Google Cloud's storage layer can replicate your data across multiple zones and regions so it remains available.


               GOOGLE CLOUD STORAGE

Google Cloud Storage (GCS) is the object storage service for binary data or any backup you want to keep in Google Cloud: SQL backups, or the files used to serve an application. It is typically used for static files.

For example, Netflix, Walmart and Amazon.com all manage both DYNAMIC and STATIC data.

DYNAMIC DATA: The description of a product on amazon.com changes from time to time and is updated in a database. Usernames and passwords can be updated too.

STATIC DATA: Content that does not change, such as a picture. The video files Netflix streams are static data; they are kept in object storage and served from there.

   BENEFITS OF GCS.

  • You make a REST API call over HTTP and read the data straight from the bucket; you do not need to mount the bucket on an instance or connect the instance to the storage platform.
  • Logs are the history of users' interactions with an application; GCS can hold any kind of log data and scales to any volume.
  • Effectively limitless storage.
  • Automatic scaling.
  • High durability and availability: data is replicated across multiple zones, and across regions for dual- and multi-region buckets, so it stays available if a zone fails.

VARIOUS GOOGLE CLOUD STORAGE 

FILESTORE.

Object storage does not suit every workload. If an application running on Compute Engine needs a file system that users or processes interact with directly, use Cloud Filestore to provide a managed file system alongside your compute infrastructure. It supports the standard NFSv3 and NFSv4.1 protocols and is designed to be used with Google Kubernetes Engine, Compute Engine and App Engine.

A typical use case is shared file storage: Filestore acts as a NETWORK ATTACHED STORAGE (NAS) device, and every application running on your GCE instances mounts the same network share, so compute and storage work on one set of files hosted in Filestore.

BENEFITS OF FILESTORE

  • Lower latency than object storage: the share is mounted over the VPC rather than fetched over HTTP.
  • You mount Filestore at the level of the virtual machine instance; once mounted, the VM reaches it over the network. Filestore is another managed platform provided by Google.
  • It is expensive for log storage, because you pay for provisioned capacity whether or not it is used.
  • You have to tell Filestore how much capacity you want up front.
  • Network attached storage is shared storage that multiple clients on the network can access; clients can read, write, move, delete and modify files.
  • NAS can scale.
  • NAS supports data backup. A Filestore instance is reached over the VPC by IP address and share name; access is governed by which networks and clients are allowed to mount it, so restrict that rather than relying on the share being private.

For example, on a physical machine you partition a disk or CD drive, identify the folders on it and mount it; attaching another disk and mounting it creates a link between the system and the storage layer. With Filestore the same mount happens, but everything goes over the network.

SUMMARY: Filestore is a network attached storage solution. With data in NAS you do not go through HTTP to fetch it. It is mostly used by applications and manages FILES only. It is attached at the network level. Filestore is not a database for dynamic data and is not used as a DATA LAKE.

SUMMARY: GCS is object based. It is not attached to the network the VMs use; every call goes over HTTP. GCS can serve as a data lake: a platform that ingests and manages structured and unstructured data from many sources, for example with a Dataflow pipeline that writes the data into a GCS bucket.


Referencing : Google documentation. 


Wednesday, May 3, 2023

GCP ORGANIZATIONAL STRUCTURE , PROJECT, RESOURCES, FOLDERS ,GROUPS, BILLINGS- HANDS-ON

 

In GCP, the most privileged role within a project is Owner (roles/owner). A Project Owner has full control of the project: billing links, project settings, IAM roles, and every resource in it.

Above the project level, the Organization Administrator role applies at the organization (root) node, so it is the highest privilege in the resource hierarchy.

A cloud architect should be able to design a well secured architecture. Company XYZ seeks your expertise on an enterprise-specific implementation. One of their major challenges at this point is designing the workload architecture for their banking and insurance applications. Some of the questions you might ask:

  • What strategies do we need to put in place to handle security and privacy effectively?
  • How can we keep up with innovation while reducing cost?
  • How do we seize opportunities while mitigating risk and managing identities?
 
  You need to focus on a solution that manages the workloads securely, while taking the manager's suggestion that you start with Identity and Access Management so that the team has access to what you are building. The two applications will be:

a. A financial application (banking and investment) and an insurance application (individual and corporate). Technically you will have four projects and four leads.

TEAMS
Engineering Lead for financial Apps - Winston William
Engineering Manager for our E-commerce Apps-Ajibolou Gbacrown 
The CTO of the company is - YOU 
Chief Financial Officer - Vala Olaleye
Payment Profile Manager - Mbandi Micheal 

Based on this, you will develop an architecture like the one below. This is for practice purposes.




STEP 1:
Log in to your cloud admin console.

STEP 2:
Log in to the Google Cloud console.


STEP 3:
Click on Identity & Organization.



STEP 4:
Click on begin the setup.



STEP 5: 
A useful feature of Google Cloud: based on the structure above, you manage teams and workloads by grouping people according to their responsibilities. Google suggests a default set of groups based on what it has learned from customers over the years. Organization admins head these teams, and you can also create custom groups.
 



STEP 6:
Cloud admin console: you have the option to create custom groups ("Create group"). Nothing is set up yet.




STEP 7:
Return to the Google Cloud console. Click create all groups, then save and create. If you get an error, refresh the page and the groups should be created ✅.
 



STEP 8: 
In the Google Cloud console, click Administrative access and Start. These are roles Google has identified as useful; the feature is still in preview. It assigns roles to the groups automatically, and you then tighten permissions manually, following least privilege. At this level the members are group emails, not individual administrator emails: any policy granted to a group applies to every individual in it.




STEP 9:
Continue to Billing. Billing needs its own administrator (Billing Account Administrator); Google Cloud keeps it separate from project ownership to reduce risk, so assign it deliberately (for example to the Payment Profile Manager) rather than granting everyone every privilege.

STEP 10:
Open IAM & Admin, click Manage resources, and create the folders and projects. Use the structure below to provision folders, projects and resources, making sure the domain (organization) and location (parent folder) are specified.





STEP 11:
Create a project named "banking project" with location (parent folder) "banking".

STEP 12:
Go to Cloud Storage and create a bucket inside the "banking project".


This is how you structure folders, projects and resources. The next post will guide you through structuring folders and projects. Enjoy your study steps!!😊

Referencing: Google documentation.

Monday, May 1, 2023

BEST PRACTICES WITH CLOUD IAM, IMPERSONATION, KEYS

 





IDENTITY AND  ACCESS MANAGEMENT 

Identity hardening: use groups to manage users who share the same level of privilege, and group the service accounts that serve a particular project. Enable multi-factor authentication (MFA) for all user accounts to add a second layer of defence. MFA can be set up with an authenticator app, for example:

a. Google Authenticator: TOTP codes generated by an app on a device you enrol.

b. Microsoft Authenticator (Microsoft).

Example: when you sign in from a new network or device and are asked for a one-time password, that is a second factor being required.

Service accounts. Scope each service account's access tightly and build in segregation of duties. There are two ways a person can use a service account to reach resources in the GCP ecosystem:

a. Impersonation: anyone holding the Service Account Token Creator role on a service account can mint short-lived tokens for it and act as that service account without using their own credentials. Impersonation is therefore a privilege boundary, and the IAM admin who granted it is accountable for it. Grant it only on the specific service accounts that need it, never project-wide, and keep the team off it by default.

b. Keys: anyone who can create a key for a service account (Service Account Key Admin) can generate a long-lived key file and act as that service account from anywhere, effectively escalating to its privileges while concealing their own identity. Activity performed with the key can be traced with Activity Analyzer and the audit logs, but they show the service account, not the person behind it. Be very careful about who can create keys, and keep at most one key per service account in circulation.

KEY MANAGEMENT

Automate key rotation; rotating every month, or at most every two months, is a reasonable practice. Better still, avoid user-managed keys entirely where impersonation or workload identity can be used instead.
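The key and impersonation advice above, as an added shell audit that is not part of the original post. It lists a service account's user-managed keys and prints the ids of those older than a chosen rotation window, and scans the project IAM policy for members holding the roles that allow impersonating a service account or minting its keys. PROJECT_ID, the service account name and the 60-day window are assumptions; gcloud is only invoked when the script is run with the audit argument, so the two filter functions can be run on captured output offline.

```shell
#!/bin/sh
# Added example (not the post's own commands): audit user-managed service
# account keys for age and list who can impersonate service accounts.
# Assumptions: PROJECT_ID, SA and MAX_KEY_AGE_DAYS are placeholders/policy choices.
set -eu

PROJECT_ID="${PROJECT_ID:-my-project-id}"
SA="${SA:-app-sa@${PROJECT_ID}.iam.gserviceaccount.com}"
MAX_KEY_AGE_DAYS=60   # the post suggests rotating every one to two months

# Calendar date N days ago as YYYYMMDD (GNU date first, then BSD/macOS date).
cutoff_yyyymmdd() {
  date -u -d "$1 days ago" +%Y%m%d 2>/dev/null || date -u -v-"$1"d +%Y%m%d
}

# User-managed keys as "key_name<TAB>key_type<TAB>valid_after" lines.
list_keys() {
  gcloud iam service-accounts keys list --iam-account="$SA" --managed-by=user \
    --format='value(name,keyType,validAfterTime)'
}

# Read key lines on stdin; print the ids of USER_MANAGED keys created before
# the YYYYMMDD cutoff given as $1, i.e. keys that are due for rotation.
stale_user_keys() {
  awk -F'\t' -v cutoff="$1" '
    $2 == "USER_MANAGED" {
      created = substr($3, 1, 10); gsub("-", "", created)   # 2023-01-15T.. -> 20230115
      if (created + 0 < cutoff + 0) { n = split($1, parts, "/"); print parts[n] }
    }'
}

# Project IAM policy as "role<TAB>member" lines, one member per line.
list_bindings() {
  gcloud projects get-iam-policy "$PROJECT_ID" \
    --flatten='bindings[].members' --format='value(bindings.role,bindings.members)'
}

# Read role/member lines on stdin; print "member<TAB>role" for every grant of a
# role that allows impersonating a service account or creating its keys.
impersonation_grants() {
  awk -F'\t' '
    $1 == "roles/iam.serviceAccountTokenCreator" ||
    $1 == "roles/iam.serviceAccountUser" ||
    $1 == "roles/iam.serviceAccountKeyAdmin" { print $2 "\t" $1 }'
}

# Disable a stale key before deleting it: a forgotten consumer then fails
# loudly and the key can be re-enabled, whereas a deleted key cannot.
disable_key() {
  gcloud iam service-accounts keys disable "$1" --iam-account="$SA"
}

# To stop new user-managed keys being created at all, enforce the organization
# policy constraint iam.disableServiceAccountKeyCreation on the project.
block_key_creation() {
  gcloud resource-manager org-policies enable-enforce \
    iam.disableServiceAccountKeyCreation --project="$PROJECT_ID"
}

if [ "${1:-}" = "audit" ]; then
  echo "keys older than ${MAX_KEY_AGE_DAYS} days on ${SA}:"
  list_keys | stale_user_keys "$(cutoff_yyyymmdd "$MAX_KEY_AGE_DAYS")"
  echo "principals able to impersonate or key service accounts in ${PROJECT_ID}:"
  list_bindings | impersonation_grants
fi
```

Run `sh sa-audit.sh audit`; each id it prints can be fed to disable_key, and every member it prints should be justified by a documented need.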


See the next post on how to set up a Google Cloud account. Happy Learning 😊!!!

Referencing : https://console.cloud.google.com/



