# Essential Cloud Infrastructure: Core Services

## Cloud IAM

Identity and Access Management is a way of identifying WHO - CAN DO WHAT - ON WHAT RESOURCES

* WHO can be a person, Group or an Application
* CAN DO WHAT - refers to specific privileges or actions
* ON WHAT RESOURCE can be any GCP Resources

For example, you can have a privilege or role such as Compute Resource Viewer. This provides read-only access to get and list Compute Engine resources without being able to read the data stored in them.

Cloud IAM Objects

![title](Cloud_IAM_Objects.PNG)

![title](Cloud_IAM_Resource_Hierarchy.PNG)

*Organisation Node* is the root node in this hierarchy. 

*Folders* are children of *Organisation*

*Projects* are children of *Folders*

*Individual Resources* are children of *Projects*

Each Resource has exactly One Parent.

Cloud IAM allows you to set Policies at all these Hierarchical Levels.

Policy contains set of roles and role members.

Resources inherit policies from the parent.

Organisation Resources represents your Company. Cloud IAM Roles granted at this level are inherited by all resources under the Organisation.

A Folder resource could represent your department. Cloud IAM roles granted at this level are inherited by all resources under the folder.

A Project represents a trust boundary within your company. Services within the same project have a default level of trust.

The Cloud IAM policy hierarchy always follows the same path as the GCP resource hierarchy. If you change the resource hierarchy, the policy hierarchy changes with it. For example, moving a project into a different organisation updates the project's Cloud IAM policy to inherit from the new organisation's Cloud IAM policy.

Child policies cannot restrict access granted at the parent level. For example, if you have the Editor role for Department X and you are granted the Viewer role at the project level, you still have the Editor role for that project. Thus it is a best practice to follow the principle of least privilege; this principle applies to identities, roles and resources. Always select the smallest scope necessary for the task in order to reduce your exposure to risk.
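To make the inheritance rule concrete, here is a small Python model of the hierarchy and of how Cloud IAM computes a member's effective roles. It is an added example, not code from the course or from Google; the resource names, the members and the permission sets behind each primitive role are constructed for illustration.

```python
"""Model of how Cloud IAM policies are inherited down the resource hierarchy.
Added example for these notes, not Google's code. The role names mirror the
primitive roles; the permission sets are a small illustrative subset."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Simplified view of the primitive roles (Owner > Editor > Viewer); assumed subset.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "roles/viewer": {"compute.instances.get", "compute.instances.list"},
    "roles/editor": {"compute.instances.get", "compute.instances.list",
                     "compute.instances.create", "compute.instances.delete"},
    "roles/owner": {"compute.instances.get", "compute.instances.list",
                    "compute.instances.create", "compute.instances.delete",
                    "resourcemanager.projects.setIamPolicy"},
}


@dataclass
class Resource:
    """Organization, folder, project or individual resource; exactly one parent."""
    name: str
    parent: Optional["Resource"] = None
    bindings: Dict[str, Set[str]] = field(default_factory=dict)  # role -> members

    def grant(self, role: str, member: str) -> None:
        self.bindings.setdefault(role, set()).add(member)


def effective_roles(resource: Resource, member: str) -> Set[str]:
    """Roles are the UNION of bindings on the resource and on every ancestor:
    a child policy can add roles but never take away what a parent granted."""
    roles: Set[str] = set()
    node: Optional[Resource] = resource
    while node is not None:
        for role, members in node.bindings.items():
            if member in members:
                roles.add(role)
        node = node.parent
    return roles


def effective_permissions(resource: Resource, member: str) -> Set[str]:
    perms: Set[str] = set()
    for role in effective_roles(resource, member):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def has_permission(resource: Resource, member: str, permission: str) -> bool:
    return permission in effective_permissions(resource, member)


def build_example() -> Dict[str, Resource]:
    """Constructed hierarchy: org -> Department X folder -> project -> VM."""
    org = Resource("organizations/example-org")
    dept_x = Resource("folders/department-x", parent=org)
    project = Resource("projects/web-app", parent=dept_x)
    vm = Resource("projects/web-app/instances/vm-1", parent=project)
    alice, bob = "user:alice@example.com", "user:bob@example.com"
    dept_x.grant("roles/editor", alice)    # Editor for the whole department
    project.grant("roles/viewer", alice)   # does NOT restrict her to Viewer
    project.grant("roles/viewer", bob)     # least privilege: one project only
    return {"org": org, "dept_x": dept_x, "project": project, "vm": vm}


if __name__ == "__main__":
    tree = build_example()
    for who in ("user:alice@example.com", "user:bob@example.com"):
        print(who, sorted(effective_roles(tree["vm"], who)),
              "can delete VM:", has_permission(tree["vm"], who, "compute.instances.delete"))
```

Running it shows Alice holding both Editor and Viewer on the VM (the project-level Viewer binding added nothing and removed nothing), while Bob, granted Viewer only on the project, cannot delete instances and has no roles at all at the organisation level.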

# Organization Node

The Organization resource is the root node in the GCP hierarchy.

Organization roles
* Organization Admin - Control over all GCP resources. Useful for audit.
* Project Creator - Controls project creation and who can create projects. This can be applied at the organization level and is then inherited by all the projects in the organization.

The Organization resource is closely associated with a GSuite or Cloud Identity account.
When anyone with a GSuite or Cloud Identity account creates a project, an Organization resource is automatically provisioned, and Google Cloud then communicates its availability to the GSuite or Cloud Identity Super Admins. These Super Admin accounts should be used very carefully because they have a lot of control over your organization and all the resources underneath it.

GSuite or Cloud Identity Super Admins and the GCP Organization Admin are key roles during the setup process and for lifecycle control of the organization resource. The two roles are generally assigned to two different users or groups, depending on organization structure and needs.

Responsibilities of GSuite or Cloud Identity Super Admins are
* Assign Organization Admin roles to some users.
* Be a point of contact in case of recovery issues.
* Control the lifecycle of GSuite or Cloud Identity Account and Organization Resources.

Responsibilities of Organization Admins are
* Define IAM Policies 
* Determine structure of resource hierarchy
* Delegate responsibility over critical components like Networking, Billing, Resource Hierarchy through IAM roles.

Following the principle of least privilege, the Organization Admin role does not have permission to perform other actions such as creating folders. To get these permissions, Organization Admins must assign additional roles to their account.

# Folders

Folders can be viewed as sub-organizations within an organization.
Folders provide an additional grouping mechanism and an isolation boundary between projects. They can be used to model different legal entities, departments and teams within a company.
Folders allow delegation of administration rights. For example, each head of a department can be granted full ownership of all GCP resources that belong to their department. Similarly, access to resources can be limited by folder, so users in one department can only access and create resources within that folder.

Other Resource Manager Roles
* Organization Node
    * Admin - Full control over all resources
    * Viewer - View access to all resources
* Folder
    * Admin - Full control over all folders 
    * Creator - Browse hierarchy and create folders
    * Viewer - View folders and projects below a resource
* Project
    * Creator - Create new projects, automatically making the user the owner of the created projects, and migrate projects into organizations.
    * Deleter - Delete Projects  

# Roles

There are three types of roles in Cloud IAM
* Primitive - These apply to all the GCP resources in a project. They provide fixed, coarse-grained levels of access. They are the Owner, Editor and Viewer roles. Each project can have multiple Owners, Editors, Viewers and Billing Administrators.
    * Owner - Has full administrative access, which includes the ability to add and remove members and delete projects.
    * Editor - Has modify and delete access, which allows developers to deploy applications and modify or configure their resources.
    * Viewer - Has read-only access.
    * Billing Administrator - Can only manage billing and add and remove administrators, without the right to change the resources in the project.
* Predefined - GCP provides a set of predefined roles and also defines where those roles can be applied. This provides granular access to specific GCP resources and prevents unwanted access to other resources. These roles are collections of permissions, because to do any meaningful operation you usually need more than one permission.
* Custom - What if none of the roles has exactly the permissions you need, or you need something even finer grained? That is what custom roles permit. Custom roles are not maintained by Google, which means that when new permissions, features or services are added to GCP, custom roles are not updated automatically.

# Cloud Identity

Cloud Identity is an Identity as a Service (IDaaS) solution that allows you to centrally manage users and groups who can access cloud resources.

If developers in your organization use non-managed consumer accounts (like personal Gmail accounts) for work purposes, those accounts are outside of your control. When you migrate those users to Cloud Identity accounts, you can manage access and compliance across all users in your domain.

Cloud Identity provides free identity services for users who don't need G Suite Services like Gmail or Drive. When you migrate to Cloud Identity, you create a free account for each of your users and you can manage all users from the Google Admin console.

# Cloud IAM

Cloud IAM lets administrators authorize who can take action on specific resources, giving you full control and visibility to manage cloud resources centrally.

# Members

There are 5 different types of members.
* Google Accounts - This represents a developer, administrator or any other person who interacts with GCP. Any email address that is associated with a Google Account can be an identity, including gmail.com and other domains.
* Service Accounts - This is an account that belongs to an application instead of an end user. When you run code that is hosted on GCP, you specify the account the code should run as. You can create as many service accounts as needed to represent different logical components of your application.
* Google Groups - This is a named collection of Google Accounts and service accounts. Every group has a unique email address that is associated with the group. Google Groups are a convenient way of applying an access policy to a collection of users: you can grant and change access control for a whole group of users at once instead of doing it one at a time.
* GSuite Domains - These represent your organization's Internet domain name, such as example.com. When you add a new user to your GSuite domain, a new Google account is created for the user inside this virtual group, such as username@example.com.
* Cloud Identity Domains - GCP customers who are not GSuite customers can get these same capabilities through Cloud Identity. Cloud Identity lets you manage users and groups using the Google Admin console, but you do not pay for or receive GSuite's collaboration products like Gmail, Docs, Drive etc. Cloud Identity is available in a free and a premium edition; the premium edition adds capabilities for mobile device management. It is important to know that you cannot use Cloud IAM to create or manage your users and groups; instead you use Cloud Identity or GSuite to create and manage users.

If you already have a different corporate directory, use Google Cloud Directory Sync to get your users and groups into GCP. This way your users and admins can log in and manage GCP resources using the same user names and passwords they already use. This tool synchronizes users and groups from your existing Active Directory or LDAP system with the users and groups in your Cloud Identity domain. The sync is one way only, which means that no information in your Active Directory or LDAP system is modified. Google Cloud Directory Sync is designed to run scheduled syncs without supervision after the sync rules are set up.

GCP also provides single sign-on (SSO).

# Service Account

Service Account is an account which belongs to an application instead of an individual end user. This provides an identity to carry out server to server interactions in a project without providing user credentials.

For example, if you write an application that interacts with Google Cloud Storage, it must first authenticate to the Cloud Storage XML API or JSON API. You can enable service accounts and grant read/write access to the account on the instance where you plan to run your application, then program the application to obtain credentials from the service account. Your application authenticates seamlessly to the API without embedding any secret key or credentials in your instance, image or application code.

Service accounts are identified by an email address. There are three types of service accounts.
* User Created (Custom) 
* Built In 
* Google API's Service Account

By default all projects come with the built-in Compute Engine service account. Apart from the default service account, all projects also come with the Google Cloud Platform APIs service account. This is a service account designed specifically to run internal Google processes on your behalf, and it is automatically granted the Editor role on your project. Alternatively, you can start an instance with a custom service account. Custom service accounts provide more flexibility than the default service account but require more management from you. You can create as many custom service accounts as you need, assign any arbitrary access scopes or Cloud IAM roles to them, and assign the service accounts to any virtual machine instances.

## Default Compute Engine Service Account

This account is automatically created for each project. Its name has the suffix -compute@developer.gserviceaccount.com and it is automatically granted the Editor role on your project. When you start a new instance using gcloud, the default service account is enabled on that instance. You can override this behavior by enabling another service account or by disabling service accounts for the instance.

## Authorization

Authorization is a process of determining what permissions an authenticated identity has, on a set of specified resources.

## Scope 

Scopes are used to determine whether an authenticated identity is authorized.

![title](Scope.PNG)

In the example shown above, Applications A and B contain authenticated identities (service accounts). Let's assume both applications want to use a Cloud Storage bucket. They each request access from the Google authorization server and in return receive an access token. Application A receives a token with a read-only scope, so it can only read from the storage bucket; Application B, in contrast, receives an access token with a read-write scope, so it can read and modify data in the Cloud Storage bucket.

Scopes can be customized when you create an instance using the default service account, and the scopes can be changed after an instance is created by stopping the instance.

Default service accounts support both primitive and predefined roles, but user-created service accounts only use predefined IAM roles. Roles for service accounts can also be assigned to users or groups. For example, you create a service account that has the Instance Admin role, which has permissions to create, modify and delete virtual machine instances and disks. Then you treat this service account as a resource and decide who can use it by granting the users or groups the Service Account User role; this allows those users to act as that service account to create, modify and delete virtual machine instances and disks. Users who are Service Account Users for a service account can access all the resources the service account has access to, so be cautious when granting users or groups access to service accounts.
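The figure's two applications can be modelled directly: a request from a VM needs both an access token whose scope covers the operation and a service account whose IAM roles cover it, and the narrower of the two wins. The following Python model is an added example, not Google's authorization code; the scope URLs and role names are real identifiers, while the service account emails and the permission mappings behind each scope and role are constructed for illustration.

```python
"""Model of a request from a VM being checked against BOTH the access token's
OAuth scope and the service account's Cloud IAM roles. Added example for these
notes, not Google's authorization code. The scope URLs and role names are
real Google identifiers; the permission mappings are an illustrative subset."""
from dataclasses import dataclass
from typing import FrozenSet, Tuple

READ_ONLY = "https://www.googleapis.com/auth/devstorage.read_only"
READ_WRITE = "https://www.googleapis.com/auth/devstorage.read_write"

# What each scope lets a token exercise (illustrative subset, assumed mapping).
SCOPE_PERMISSIONS = {
    READ_ONLY: {"storage.objects.get", "storage.objects.list"},
    READ_WRITE: {"storage.objects.get", "storage.objects.list",
                 "storage.objects.create", "storage.objects.delete"},
}
# What each IAM role grants (illustrative subset, assumed mapping).
ROLE_PERMISSIONS = {
    "roles/storage.objectViewer": {"storage.objects.get", "storage.objects.list"},
    "roles/storage.objectAdmin": {"storage.objects.get", "storage.objects.list",
                                  "storage.objects.create", "storage.objects.delete"},
}


@dataclass(frozen=True)
class ServiceAccount:
    email: str
    roles: FrozenSet[str]


@dataclass(frozen=True)
class AccessToken:
    """Issued by the authorization server for one service account and a scope set."""
    service_account: str
    scopes: FrozenSet[str]


def authorize(token: AccessToken, account: ServiceAccount, permission: str) -> Tuple[bool, str]:
    """The scope caps what the TOKEN may do; IAM caps what the ACCOUNT may do.
    A request needs both; the narrower of the two wins."""
    if token.service_account != account.email:
        return False, "token was not issued for this service account"
    if not any(permission in SCOPE_PERMISSIONS.get(s, set()) for s in token.scopes):
        return False, "denied by token scope"
    if not any(permission in ROLE_PERMISSIONS.get(r, set()) for r in account.roles):
        return False, "denied by IAM role"
    return True, "ok"


def build_scenario():
    """Constructed accounts and tokens mirroring Applications A and B from the
    figure, plus a third (C) where the IAM role, not the scope, is the limit."""
    admin = frozenset({"roles/storage.objectAdmin"})
    viewer = frozenset({"roles/storage.objectViewer"})
    app_a = ServiceAccount("app-a@my-project.iam.gserviceaccount.com", admin)
    app_b = ServiceAccount("app-b@my-project.iam.gserviceaccount.com", admin)
    app_c = ServiceAccount("app-c@my-project.iam.gserviceaccount.com", viewer)
    return {
        "a": (AccessToken(app_a.email, frozenset({READ_ONLY})), app_a),
        "b": (AccessToken(app_b.email, frozenset({READ_WRITE})), app_b),
        "c": (AccessToken(app_c.email, frozenset({READ_WRITE})), app_c),
    }


if __name__ == "__main__":
    for label, (token, account) in build_scenario().items():
        for perm in ("storage.objects.get", "storage.objects.create"):
            print(label, perm, authorize(token, account, perm))
```

Application A is denied writes by its token scope even though its IAM role would allow them; Application C has the read-write scope but only the objectViewer role, so IAM denies the same write. Reducing either side is a valid way to apply least privilege, and a token minted for one account is useless for another.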

![title](ServiceAccount.PNG)

Cloud IAM lets you slice a project into microservices, each with access to different resources, by creating service accounts to represent each one. You assign the service accounts to the VMs when they are created, and you don't have to ensure that the credentials are being managed correctly because GCP manages that security for you.

Service accounts use keys to authenticate. There are two types of service account keys:
* GCP-managed keys - These are used by GCP services like App Engine and Compute Engine. These keys cannot be downloaded; they are automatically rotated and used for a maximum of two weeks.
* User-managed keys - These are created, downloadable and managed by users. When you create a new key pair you download the private key, which is not retained by Google. With user-managed keys you are responsible for the security of the keys and for other management operations such as key rotation.

# Cloud IAM Best Practices 

Leverage and understand the resource hierarchy
* Use projects to group resources that share the same trust boundary.
* Check the policy granted on each resource and make sure you understand the inheritance.
* Because of inheritance, use the principle of least privilege when granting roles.
* Audit policies using Cloud Audit Logs and audit membership of the groups used in policies.

Granting roles to groups instead of individuals
* This allows you to update group membership instead of updating the Cloud IAM policy. If you do this, make sure to audit membership of the groups used in policies.
* Control the ownership of groups used in Cloud IAM policy.

Service Accounts
* Be very careful when granting the Service Account User role, because this provides access to all the resources that the service account has access to.
* When you create a service account, give it a display name which clearly identifies its purpose, ideally using an established naming convention.
* As for keys, establish key rotation policies and methods, and audit keys with the serviceaccount.keys.list() method.
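As an added example (not the course's or Google's tooling), the following Python audits a key listing against a rotation policy, covering the user-managed versus GCP-managed distinction from the service account section as well as the key audit practice just listed. It assumes the listing is shaped like the JSON output of gcloud iam service-accounts keys list --format=json, with the fields name, keyType, validAfterTime and validBeforeTime; the sample listing and the "today" date are constructed so it runs offline.

```python
"""Audit of user-managed service account keys against a rotation policy.
Added example for these notes, not Google's tooling. SAMPLE_KEYS_JSON is a
constructed stand-in for the JSON output of
`gcloud iam service-accounts keys list --format=json`; the field names
(name, keyType, validAfterTime, validBeforeTime) are assumed from that output."""
import json
from datetime import datetime, timezone
from typing import List, Tuple

SA = "projects/my-project/serviceAccounts/deploy@my-project.iam.gserviceaccount.com"

# Constructed sample: two user-managed keys of different ages and one
# system-managed key that GCP rotates itself (note its two-week validity).
SAMPLE_KEYS_JSON = json.dumps([
    {"name": f"{SA}/keys/a1b2c3", "keyType": "USER_MANAGED",
     "validAfterTime": "2020-01-10T00:00:00Z", "validBeforeTime": "9999-12-31T23:59:59Z"},
    {"name": f"{SA}/keys/d4e5f6", "keyType": "USER_MANAGED",
     "validAfterTime": "2020-05-01T00:00:00Z", "validBeforeTime": "9999-12-31T23:59:59Z"},
    {"name": f"{SA}/keys/0a1b2c", "keyType": "SYSTEM_MANAGED",
     "validAfterTime": "2020-05-25T00:00:00Z", "validBeforeTime": "2020-06-08T00:00:00Z"},
])


def parse_rfc3339(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def key_id(name: str) -> str:
    # The key id is the last path component of the resource name.
    return name.rsplit("/", 1)[-1]


def stale_user_managed_keys(keys_json: str, now: str, max_age_days: int = 90) -> List[Tuple[str, int]]:
    """Return (key id, age in days) for every user-managed key older than the
    policy allows. `now` is an RFC 3339 timestamp so a run is reproducible.
    System-managed keys are skipped: they cannot be downloaded and GCP rotates them."""
    now_dt = parse_rfc3339(now)
    findings: List[Tuple[str, int]] = []
    for key in json.loads(keys_json):
        if key.get("keyType") != "USER_MANAGED":
            continue
        age_days = (now_dt - parse_rfc3339(key["validAfterTime"])).days
        if age_days > max_age_days:
            findings.append((key_id(key["name"]), age_days))
    return findings


def user_managed_key_count(keys_json: str) -> int:
    """Every user-managed key is a downloadable secret you must protect; fewer is better."""
    return sum(1 for k in json.loads(keys_json) if k.get("keyType") == "USER_MANAGED")


if __name__ == "__main__":
    today = "2020-06-01T00:00:00Z"   # fixed "today" so the output is reproducible
    print("user-managed keys:", user_managed_key_count(SAMPLE_KEYS_JSON))
    for kid, age in stale_user_managed_keys(SAMPLE_KEYS_JSON, today):
        print(f"rotate {kid}: {age} days old")
```

With a 90-day policy only the January key is flagged; tightening the policy to 30 days also catches the May key, while the system-managed key is never reported because GCP rotates it within two weeks on its own.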


![title](ModuleQuiz1.PNG)

# Overview

Every application needs to store data. From an application-centered perspective, the technology stores and retrieves the data; whether it is a database or an object store is less important than whether that service supports the application's requirements for efficiently storing and retrieving the data given its characteristics.

Google offers several data storage services to choose from.

![title](DBOverView.PNG)

![title](StorageDecisionChart.PNG)

# Cloud Storage

Cloud Storage is GCP's object storage service. It allows for worldwide storage and retrieval of any amount of data at any time.

Use Cases:
* Storing and serving website content. 
* Storing data for archival and disaster recovery 
* Distributing large data objects to users via direct download.

Key Features of Cloud Storage
* Scalable to exabytes of data
* Time to first byte is in milliseconds
* Very High Availability across all storage classes.
* Single API across those storage classes.

Some like to think of Cloud Storage as files in a file system, but it is not a file system. Cloud Storage is a collection of buckets that you place objects into. You use a URL to access a specific object in a bucket.


![title](CloudStorageclasses.PNG)

* Regional - Regional storage enables you to store data at lower cost, with the trade-off of data being stored in a specific regional location instead of having redundancy distributed over a large geographical area. The recommended use of regional storage is for frequently accessed data in the same region as your Compute Engine instances; this provides better performance for data-intensive computations. You can also choose regional storage for data governance reasons, for example if your data needs to remain in a specific region.

* Multi-Regional - This is geo-redundant, which means Cloud Storage stores your data redundantly in at least two geographic locations separated by at least 100 miles within the multi-regional location of the bucket. Multi-Regional storage can only be placed in multi-regional locations such as the United States, the EU or Asia. Multi-Regional storage is appropriate for data that is frequently accessed, such as serving website content, interactive workloads, or data supporting mobile and gaming applications.

* Nearline Storage - A low-cost, highly durable storage service for storing infrequently accessed data. This storage class is a good choice when you plan to read or modify your data less than once a month, because the storage cost is low but there is an associated retrieval cost. If you plan to continuously add files to storage and access those files about once a month, Nearline storage is a great choice. It is also recommended for storing backups and serving long-tail multimedia content.

* Coldline Storage - A very low-cost, highly durable storage service for data archival, online backup and disaster recovery. Unlike other cold storage services, your data is available in milliseconds, not hours or days. Coldline storage is the best choice for data you plan to access at most once a year, due to its lower storage cost and higher retrieval cost.

All these storage classes have 99.999999999% durability, which means you will not lose data.

Cloud Storage items - Cloud Storage is broken down into a couple of different items.

* Buckets - They are required to have a globally unique name and cannot be nested.
* Objects - The data you put into these buckets are called objects. They inherit the storage class of the bucket. Objects can be text files, doc files, video files etc. There is no minimum size for objects, and you can scale as much as you want as long as your quota allows for it.
* Access - To access the data you can use the gsutil command or the JSON or XML API.

## Changing Default Storage Classes

When you upload an object to a bucket and you do not specify a storage class for the object, the object is assigned the bucket's storage class.

You can change the default storage class of a bucket, but you cannot change a Multi-Regional bucket to Regional and vice versa.

Multi-Regional and Regional buckets can be changed to Nearline or Coldline.

When you upload an object you can specify a storage class for it. You can also change the storage class of an object that already exists in your bucket without moving the object to a different bucket or changing the URL of the object. Setting a per-object storage class is useful. For example, if you have objects in your bucket that you want to keep but don't expect to access frequently, you can minimize cost by changing the storage class of those objects to Nearline or Coldline storage.

In order to manage the classes of objects in your bucket, Cloud Storage offers Object Lifecycle Management.

## Access Control

![title](AccessControl.PNG)

* Cloud IAM - We can use IAM for the project to control which individual user or service account can see the bucket, list the objects in the bucket, view the names of objects in the bucket or create new buckets. For most purposes Cloud IAM is sufficient, and roles are inherited from project to bucket to object.

* ACLs (Access Control Lists) - They offer finer control.

* Signed URLs - Provide even finer control. They use a cryptographic key to give time-limited access to a bucket or object.

* Signed Policy Documents - These further refine the control by determining what kind of file can be uploaded by someone with a signed URL.

Access Control List - This is a mechanism you can use to define who has access to your buckets and objects, as well as what level of access they have. The maximum number of ACL entries you can create for a bucket or object is 100. Each ACL consists of one or more entries, and these entries consist of two pieces of information: a scope, which defines who can perform the specified actions (like a specific user or group of users), and a permission, which defines what actions can be performed (like read or write).

Signed URL - For some applications it is easier and more efficient to grant limited-time access tokens that can be used by any user, instead of using account-based authentication to control resource access. A signed URL is a URL that grants read or write access to a specific Cloud Storage resource and specifies when the access expires. That URL is signed using a private key associated with a service account. When the request is received, Cloud Storage can verify that the access-granting URL was issued on behalf of a trusted security principal (in this case a service account) and delegates the trust of that account to the holder of the URL. After you give out a signed URL it is out of your control.
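The following Python toy issuer and verifier is an added example, not Cloud Storage's implementation, showing what "time-limited access for whoever holds the URL" means in practice. Real signed URLs are produced with a service account's RSA private key under Google's V4 signing scheme; this model substitutes HMAC-SHA256 with a constructed secret and a constructed host so it runs offline, but signs the same kind of string (method, resource path, expiry) and, like the real thing, accepts any bearer of a valid, unexpired URL.

```python
"""Toy signed-URL issuer and verifier. Added example for these notes, not
Cloud Storage's implementation: real signed URLs are produced with a service
account's RSA private key under the V4 signing scheme; this model swaps in
HMAC-SHA256 with a constructed secret so it runs offline, but keeps the same
shape (method + resource + expiry signed, anyone holding the URL accepted)."""
import hashlib
import hmac
from typing import Tuple
from urllib.parse import parse_qs, urlencode, urlparse

ISSUER_KEY = b"constructed-secret-known-only-to-the-issuer"   # stands in for the SA private key
BASE_URL = "https://storage.example.test"                      # constructed host


def _string_to_sign(method: str, resource: str, expires: int) -> bytes:
    # Binding the method and path means a GET URL cannot be replayed as a PUT
    # or pointed at a different object.
    return f"{method}\n{resource}\n{expires}".encode()


def _signature(method: str, resource: str, expires: int, key: bytes) -> str:
    return hmac.new(key, _string_to_sign(method, resource, expires), hashlib.sha256).hexdigest()


def sign_url(method: str, resource: str, expires: int, key: bytes = ISSUER_KEY) -> str:
    """Issue a URL granting `method` on `resource` until Unix time `expires`."""
    query = urlencode({"Expires": expires, "Signature": _signature(method, resource, expires, key)})
    return f"{BASE_URL}{resource}?{query}"


def verify_url(url: str, method: str, now: int, key: bytes = ISSUER_KEY) -> Tuple[bool, str]:
    """Accept any bearer of a valid, unexpired URL; nothing identifies the caller,
    which is why a signed URL is out of your control once handed out."""
    parsed = urlparse(url)
    params = parse_qs(parsed.query)
    try:
        expires = int(params["Expires"][0])
        presented = params["Signature"][0]
    except (KeyError, ValueError):
        return False, "missing or malformed parameters"
    if now > expires:
        return False, "expired"
    expected = _signature(method, parsed.path, expires, key)
    if not hmac.compare_digest(expected.encode(), presented.encode()):   # constant-time comparison
        return False, "bad signature"
    return True, "ok"


if __name__ == "__main__":
    url = sign_url("GET", "/reports/q1.pdf", expires=1_000_000)
    print(url)
    print("fresh:", verify_url(url, "GET", now=999_000))
    print("late:", verify_url(url, "GET", now=1_000_001))
    print("as PUT:", verify_url(url, "PUT", now=999_000))
```

Two properties matter for the security discussion: the expiry is the only thing that ends the holder's access (so keep it short), and because method and path are inside the signed string, editing the URL to point at another object or to change GET into PUT invalidates the signature.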

# Cloud Storage Features

* Customer-Supplied Encryption Keys (CSEK) - We spoke about CSEK when attaching persistent disks to virtual machines. This allows you to supply your own encryption keys instead of Google-managed keys, and it is also available for Cloud Storage.
* Object Lifecycle Management - This lets you automatically delete and archive objects.
* Object Versioning - Allows you to maintain multiple versions of objects in your buckets. You will be charged for the versions as if they were multiple files.
* Directory Synchronization - This allows you to sync a VM directory with a bucket.


## Object Versioning

Objects in Cloud Storage are immutable, which means an uploaded object cannot change throughout its storage lifetime. To support retrieval of objects that are deleted or overwritten, Cloud Storage offers the Object Versioning feature. Object Versioning can be enabled for a bucket; once enabled, Cloud Storage creates an archived version of an object each time the live version is overwritten or deleted. The archived version retains the name of the object but is uniquely identified by a generation number. When Object Versioning is enabled you can list archived versions of objects, restore an object to an older state, or permanently delete an archived version. You can turn versioning on or off for a bucket at any time. Turning versioning off leaves existing object versions in place and causes the bucket to stop accumulating new archived object versions.
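An in-memory model of the versioning behaviour just described, added here as an example (not Google's code): upload, overwrite, delete, listing archived generations, restore and permanent deletion, with versioning switched off at the end to show that existing archived versions stay in place while new overwrites are no longer kept. Generation numbers are a plain counter here rather than Cloud Storage's timestamp-derived values.

```python
"""In-memory model of Cloud Storage Object Versioning: objects are immutable,
an overwrite or delete of the live object archives the old generation, and
archived generations can be listed, restored or permanently removed. Added
example for these notes, not Google's code; generation numbers are a simple
counter here rather than the timestamp-based values Cloud Storage uses."""
from dataclasses import dataclass
from itertools import count
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Version:
    name: str
    generation: int
    data: bytes


class VersionedBucket:
    def __init__(self, versioning: bool = True) -> None:
        self.versioning = versioning
        self._next_generation = count(1)
        self._live: Dict[str, Version] = {}
        self._archived: Dict[str, List[Version]] = {}

    def _archive(self, version: Version) -> None:
        self._archived.setdefault(version.name, []).append(version)

    def upload(self, name: str, data: bytes) -> int:
        """Immutable objects: an overwrite is a brand-new generation. With versioning
        on, the previous live generation is archived; with it off, it is gone."""
        previous = self._live.get(name)
        if previous is not None and self.versioning:
            self._archive(previous)
        version = Version(name, next(self._next_generation), data)
        self._live[name] = version
        return version.generation

    def read(self, name: str) -> Optional[bytes]:
        version = self._live.get(name)
        return None if version is None else version.data

    def delete(self, name: str) -> None:
        previous = self._live.pop(name)            # KeyError if there is no live object
        if self.versioning:
            self._archive(previous)

    def list_archived(self, name: str) -> List[int]:
        return [v.generation for v in self._archived.get(name, [])]

    def restore(self, name: str, generation: int) -> int:
        """Copy an archived generation back to live. Like Cloud Storage this is a
        copy: the archive keeps the old generation and the live object gets a new one."""
        for version in self._archived.get(name, []):
            if version.generation == generation:
                return self.upload(name, version.data)
        raise KeyError(f"{name}#{generation} is not archived")

    def delete_archived(self, name: str, generation: int) -> None:
        """Permanent: an archived generation is the only copy of overwritten data."""
        current = self._archived.get(name, [])
        remaining = [v for v in current if v.generation != generation]
        if len(remaining) == len(current):
            raise KeyError(f"{name}#{generation} is not archived")
        self._archived[name] = remaining


if __name__ == "__main__":
    bucket = VersionedBucket()
    bucket.upload("report.csv", b"v1")
    bucket.upload("report.csv", b"v2")           # v1 archived as generation 1
    bucket.delete("report.csv")                  # v2 archived as generation 2
    print("archived:", bucket.list_archived("report.csv"))
    bucket.restore("report.csv", 1)
    print("live after restore:", bucket.read("report.csv"))
```

Note that a restore produces generation 3 while generations 1 and 2 remain archived and billable, which is the "charged as if they were multiple files" point from the feature list; delete_archived is the only operation that actually frees that data.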

## Object Life Cycle Management Policies

For common use cases like setting a time to live for objects, archiving older versions of objects or downgrading storage classes of objects to help manage cost, Cloud Storage offers Object Lifecycle Management. You can assign a lifecycle management configuration to a bucket; the configuration is a set of rules that apply to all the objects in the bucket. When an object meets the criteria of one of the rules, Cloud Storage automatically performs the specified action on the object. Examples: downgrade the storage class of objects that are older than 3 years, delete objects created before a specific date, etc. Object inspection occurs in asynchronous batches, so the rules may not be applied immediately. Updates to an object lifecycle configuration may take up to 24 hours to take effect. This means that when you make changes to your configuration, Object Lifecycle Management may still perform actions based on the old rules for up to 24 hours.
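As an added example (not Google's implementation), this Python evaluator takes a lifecycle configuration in the documented JSON shape (lifecycle.rule[] with an action and a condition, using the age, createdBefore, isLive and matchesStorageClass conditions) and reports which action would apply to each object; the objects and the evaluation date are constructed. It also encodes the precedence that Delete wins over a storage class change and that, between competing class changes, the cheapest target class is chosen.

```python
"""Evaluator for a Cloud Storage Object Lifecycle Management configuration.
Added example for these notes, not Google's implementation. The configuration
JSON uses the documented shape (lifecycle.rule[].action / .condition with
age, createdBefore, isLive and matchesStorageClass); the objects and the
"today" date are constructed. Real Cloud Storage applies rules in asynchronous
batches, so the plan below is what WILL happen, not when."""
import json
from datetime import date
from typing import Dict, List

LIFECYCLE_JSON = json.dumps({"lifecycle": {"rule": [
    {"action": {"type": "SetStorageClass", "storageClass": "NEARLINE"},
     "condition": {"age": 30, "matchesStorageClass": ["MULTI_REGIONAL", "REGIONAL"]}},
    {"action": {"type": "SetStorageClass", "storageClass": "COLDLINE"},
     "condition": {"age": 365, "matchesStorageClass": ["NEARLINE"]}},
    {"action": {"type": "Delete"}, "condition": {"createdBefore": "2017-01-01"}},
]}})

# Constructed objects as the evaluator sees them.
SAMPLE_OBJECTS: List[Dict] = [
    {"name": "logs/2016-12.txt", "created": date(2016, 12, 15), "storage_class": "REGIONAL", "is_live": True},
    {"name": "reports/q1.pdf",   "created": date(2020, 5, 20),  "storage_class": "REGIONAL", "is_live": True},
    {"name": "backup/db.tar",    "created": date(2020, 3, 1),   "storage_class": "REGIONAL", "is_live": True},
    {"name": "archive/old.tar",  "created": date(2018, 1, 1),   "storage_class": "NEARLINE", "is_live": True},
]

# Cheaper at-rest storage further right; used to pick between competing class changes.
CLASS_COST_ORDER = ["MULTI_REGIONAL", "REGIONAL", "NEARLINE", "COLDLINE"]


def condition_matches(condition: Dict, obj: Dict, today: date) -> bool:
    """All conditions in a rule must hold for the rule to fire."""
    if "age" in condition and (today - obj["created"]).days < condition["age"]:
        return False
    if "createdBefore" in condition and obj["created"] >= date.fromisoformat(condition["createdBefore"]):
        return False
    if "isLive" in condition and obj["is_live"] != condition["isLive"]:
        return False
    if "matchesStorageClass" in condition and obj["storage_class"] not in condition["matchesStorageClass"]:
        return False
    return True


def plan_actions(config_json: str, objects: List[Dict], today: str) -> Dict[str, str]:
    """Map object name -> action for evaluation date `today` (ISO date string).
    Delete wins over any class change; among class changes the cheapest target
    class is taken, following Cloud Storage's documented precedence."""
    today_d = date.fromisoformat(today)
    rules = json.loads(config_json)["lifecycle"]["rule"]
    plan: Dict[str, str] = {}
    for obj in objects:
        actions = [r["action"] for r in rules if condition_matches(r["condition"], obj, today_d)]
        if not actions:
            continue
        if any(a["type"] == "Delete" for a in actions):
            plan[obj["name"]] = "Delete"
            continue
        target = max((a["storageClass"] for a in actions if a["type"] == "SetStorageClass"),
                     key=CLASS_COST_ORDER.index)
        plan[obj["name"]] = f"SetStorageClass:{target}"
    return plan


if __name__ == "__main__":
    for name, action in plan_actions(LIFECYCLE_JSON, SAMPLE_OBJECTS, "2020-06-01").items():
        print(f"{name}: {action}")
```

The 2016 log file matches both the Nearline rule and the Delete rule, and Delete wins; the recent report matches nothing and is left alone. Because a Delete rule is irreversible once the batch runs, the safe way to validate a new configuration is exactly this kind of dry run against a listing before applying it to the bucket.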

## Object Change Notification

Object Change Notification can be used to notify an application when an object is updated or added to a bucket through a watch request. Completing a watch request creates a new notification channel, the notification channel is the means by which a notification message is sent to an application watching a bucket. After a notification channel is initiated cloud storage notifies the application any time an object is added, updated or removed from the bucket. 

Cloud Pub/Sub notifications are the recommended way to track changes to objects in your Cloud Storage buckets because they are faster, more flexible, easier to set up and more cost effective. Cloud Pub/Sub is Google's distributed real-time messaging service.

## Data Import Service

The GCP Console allows you to upload individual files to your bucket, but what if you have to upload terabytes or even petabytes of data? There are three services that address this.
* Transfer Appliance - This is a hardware appliance you can use to securely migrate large volumes of data, from hundreds of terabytes up to 1 petabyte, to GCP without disrupting business operations.
* Storage Transfer Service - This enables high-performance imports of online data. The data source can be another Cloud Storage bucket, an Amazon S3 bucket, or an HTTP or HTTPS location.
* Offline Media Import - This is a third-party service where physical media such as storage arrays, hard disk drives, tapes and USB flash drives are sent to a provider who uploads the data.

When you upload an object to Cloud Storage and you receive a success response, the object is immediately available for download and metadata operations from any location where Google offers services. This is true whether you create a new object or overwrite an existing object. Because uploads are strongly consistent, you will never receive a 404 Not Found response or stale data for a read-after-write or read-after-metadata-update operation.

Strong global consistency also extends to deletion operations on objects: if a deletion request succeeds, an immediate attempt to download the object or its metadata results in a 404 Not Found status code.

Bucket listing is also strongly consistent. For example, if you create a bucket and immediately perform a list-buckets operation, the new bucket appears in the returned list of buckets.

Object listing is also strongly consistent. For example, if you upload an object to a bucket and then immediately perform a list-objects operation, the new object appears in the returned list of objects.

![title](CloudStorageFeatures.PNG)

# Cloud SQL

Why would you use Cloud SQL when you can install a SQL server application image on a VM instance on Google Compute Engine? The question is whether you should build your own database solution or use a managed service.

Benefits of using SQL as a managed service:

* Cloud SQL is a fully managed service for MySQL or PostgreSQL databases. This means that patches and updates are automatically applied.
* But you still have to administer MySQL users with the native authentication tools that come with these databases.
* Cloud SQL supports many clients such as Cloud Shell, App Engine and GSuite scripts. It also supports other applications and tools like SQL Workbench, Toad and other external applications using standard MySQL drivers.

Cloud SQL delivers high performance and scalability with up to 30 TB of storage capacity, 40,000 IOPS and 416 GB of RAM per instance. You can easily scale up to 64 processor cores and scale out with read replicas. You can use Cloud SQL with MySQL 5.6/5.7 or PostgreSQL 9.6/11.1.

Other services provided by Cloud SQL

* Replica Service - This replicates data between multiple zones, which is useful for automatic failover when an outage occurs.
* Backup Service - Cloud SQL also provides automated and on-demand backups with point-in-time recovery.
* Import/Export - You can import and export databases using mysqldump, or import and export CSV files.
* Scaling - Cloud SQL can also scale up, which requires a machine restart, or scale out using read replicas.

Connecting to Cloud SQL Instance

![title](CloudSQL.PNG)

Checking if Cloud SQL is the right solution for you.

![title](CloudSQL1.PNG)


# Other Data Bases

## Cloud Spanner

If Cloud SQL does not fit your requirements because you need horizontal scalability, consider using Cloud Spanner. Cloud Spanner is a service built for the cloud specifically to combine the benefits of the relational database structure with non-relational horizontal scale.
* This service can provide petabytes of capacity.
* Offers transactional consistency at global scale.
* Schemas and automatic synchronous replication for high availability.
* Use cases include financial applications and inventory management applications traditionally served by relational database technology.

![title](CloudSpanner.PNG)

Cloud Spanner offers the best of the relational and non relational.

### Architecture of Cloud Spanner

![title](CloudSpannerArchitecture.PNG)

A Cloud Spanner instance replicates data in N cloud zones, which can be in one region or across several regions. The database placement is configurable, meaning you can choose which region to put your database in. This architecture allows for high availability and global placement. Replication of data is synchronized across zones using Google's global fiber network, and the use of atomic clocks ensures atomicity whenever you are updating your data.

Why choose Cloud Spanner

![title](CloudSpannerWhy.PNG)




# Cloud Firestore

If your are looking for highly scalable NOSQL Database for your application consider using Firestore. Cloud Firestore is a Fast Fully Managed Serverless Cloud Native NoSQL Document Database which simplifies storing, syncing and querying your data for your mobile, web and IOT apps at global scale. Its client libraries provide Live Synchronization and offline support, Its security features and integration with Firebase in GCP accelerate building truly server less apps. Cloud Firestore also supports ACID Transactions so if any of the operations in the transaction fail and cannot be retried the whole transaction will fail. And with automatic multi region replication and strong consistancy your data is safe and available even when disaster strike. Cloud Firestore even allows you to run complex queries against your NoSQL data without any degradation in performance. This gives you more flexibility the way you structure your data. 

Cloud Firestore is the next generation of cloud data store. It can operate in data store mode making it backwards compatible with cloud datastore. By creating a cloud Firestore database in datastore mode you cann access cloud firestore's improved storage layer while keeping cloud datastore system behavior. This removes few cloud datastore limitations.
* All queries are strongly consistant 
* Transactions are no longer limited to 25 entity groups 
* Writes to an entity group are no longer limited to 1 per sec. 

Cloud Firestore in native mode introduces new features
* New strongly consistant storage layer 
* Collection and document datamodel 
* Realtime Updates
* Mobile and Web Client Libraries

Cloud Firestore is backward compatible with Cloud Datastore but the new features are not. To access all the new cloud Firestore features you must use Cloud Firestore in native mode.

Since Cloud Firestore is the next generation of Cloud Datastore, it is compatible with all Cloud Datastore APIs and client libraries.
Existing Cloud Datastore users will be live-upgraded to Cloud Firestore automatically at a future date.

![title](CloudFirestore.PNG)



# Cloud BigTable

If you do not require transactional consistency you might want to consider Cloud Bigtable. Cloud Bigtable is a fully managed NoSQL database with petabyte scale and very low latency. It seamlessly scales for throughput and learns and adjusts to access patterns. Cloud Bigtable is the same database that powers many of Google's core services, including Search, Analytics, Maps and Gmail. Cloud Bigtable is a great choice for operational and analytical applications, including IoT, user analytics and financial data analysis, because it supports high read and write throughput at low latency. It is also a great storage engine for machine learning applications. Cloud Bigtable integrates easily with popular big data tools like Hadoop, Cloud Dataflow and Cloud Dataproc, and it supports the open source, industry standard HBase API, which makes it easy for your development team to get started.

Cloud Bigtable stores data in massively scalable tables, each of which is a sorted key/value map. A table is composed of rows, each of which typically describes a single entity, and columns, which contain individual values for each row. Each row is indexed by a single row key. Columns that are related to one another are typically grouped together into a column family. Each column is individually identified by a combination of the column family and a column qualifier, which is a unique name within the column family. Each row/column intersection can contain multiple cells, or versions, at different timestamps, providing a record of how the stored data has been altered over time.

Cloud Bigtable tables are sparse: if a cell does not contain any data, it does not take up any space. In the example, column qualifiers are used as data. This design choice takes advantage of the sparseness of Cloud Bigtable tables and the fact that new column qualifiers can be added as your data changes. The username is used as the row key; assuming usernames are evenly spread across the alphabet, data access will be reasonably uniform across the entire table.
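The data model just described (sorted row keys, column families, qualifiers that carry data, versioned cells, sparse storage) is easy to get wrong when designing a schema, so here is an in-memory model of it. This is an added example written for these notes; it is not the course's code and not Google's Bigtable client library. The `ToyBigtable` class, the `follows` column family and the sample usernames are all constructed for illustration.

```python
from bisect import bisect_left
from typing import Dict, List, Tuple

# A cell is one version of a value at a row/column intersection.
Cell = Tuple[int, bytes]            # (timestamp_micros, value)
Column = Tuple[str, bytes]          # (column family, column qualifier)


class ToyBigtable:
    """In-memory model of one Bigtable table: a sorted map from row key to cells.

    Hypothetical class written for this example, not a real client API.
    """

    def __init__(self, column_families: List[str]) -> None:
        self.families = set(column_families)   # families are declared up front
        self.rows: Dict[bytes, Dict[Column, List[Cell]]] = {}
        self._keys: List[bytes] = []           # row keys kept in sorted order

    def put(self, row_key: bytes, family: str, qualifier: bytes,
            value: bytes, ts: int) -> None:
        """Write one cell; qualifiers need no schema, so they can carry data."""
        if family not in self.families:
            raise KeyError(f"unknown column family {family!r}")
        if row_key not in self.rows:
            self.rows[row_key] = {}
            self._keys.insert(bisect_left(self._keys, row_key), row_key)
        cells = self.rows[row_key].setdefault((family, qualifier), [])
        cells.append((ts, value))
        cells.sort(key=lambda c: c[0], reverse=True)  # newest version first

    def read_row(self, row_key: bytes, versions: int = 1) -> Dict[Column, List[Cell]]:
        """Return up to `versions` cells per column; only written columns appear."""
        row = self.rows.get(row_key, {})
        return {col: cells[:versions] for col, cells in row.items()}

    def scan_prefix(self, prefix: bytes) -> List[bytes]:
        """Rows sharing a key prefix are contiguous in the sorted key space."""
        out = []
        for key in self._keys[bisect_left(self._keys, prefix):]:
            if not key.startswith(prefix):
                break
            out.append(key)
        return out

    def cell_count(self) -> int:
        """Storage cost: only cells that were actually written are stored."""
        return sum(len(c) for row in self.rows.values() for c in row.values())


def build_sample_table() -> ToyBigtable:
    """Constructed sample: a social graph where the followed user's name is the qualifier."""
    t = ToyBigtable(["follows"])
    t.put(b"alice", "follows", b"bob",   b"1", ts=1000)
    t.put(b"alice", "follows", b"carol", b"1", ts=1000)
    t.put(b"alice", "follows", b"carol", b"0", ts=2000)   # later version: unfollowed
    t.put(b"bob",   "follows", b"alice", b"1", ts=1500)
    t.put(b"dave",  "follows", b"alice", b"1", ts=1500)
    return t


if __name__ == "__main__":
    table = build_sample_table()
    print(table.read_row(b"alice"))              # latest version of each column
    print(table.read_row(b"alice", versions=2))  # full history of the carol cell
    print(table.scan_prefix(b"a"))               # rows whose key starts with "a"
    print(table.cell_count())                    # 5 cells, not 3 rows x 3 columns
```

Two things to notice when running it: `read_row(b"bob")` contains no `carol` column at all rather than an empty one, which is what "sparse" means in practice, and `cell_count()` reports 5 even though a dense 3x3 layout would need 9 slots. The prefix scan also shows why a row key that groups related entities together makes range reads cheap, and why a key that funnels all traffic into one prefix would create a hotspot.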

Cloud Bigtable overall architecture:

![title](CloudBigTable.PNG)

A Cloud Bigtable table is sharded into blocks of contiguous rows called tablets to help balance the workload of queries. Tablets are similar to HBase regions. Tablets are stored on Colossus, which is Google's file system, in SSTable format. An SSTable provides a persistent, ordered, immutable map from keys to values, where keys and values are arbitrary byte strings.
Cloud Bigtable learns to adjust to specific access patterns: if a certain Bigtable node is frequently accessing a certain subset of data, Cloud Bigtable will update the indexes so that the other nodes can distribute the workload evenly.
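To make the "persistent, ordered, immutable map from keys to values" concrete, here is a minimal SSTable-style writer and reader. This is an added example for these notes, not Google's Colossus or Bigtable code, and the record layout (length-prefixed key and value, written in ascending key order) is constructed for the example rather than the real on-disk format. The reader validates ordering and truncation on open, which is the kind of check a real storage engine does before trusting a file.

```python
import struct
from bisect import bisect_left
from typing import Dict, Iterable, List, Optional, Tuple

# Record layout (constructed for this example, not Google's actual SSTable format):
#   4-byte big-endian key length | key | 4-byte big-endian value length | value
# Records are written in strictly ascending key order, which is what makes the
# file an ordered map that can be searched without scanning all of it.


def write_sstable(entries: Iterable[Tuple[bytes, bytes]]) -> bytes:
    """Serialize sorted (key, value) pairs; rejects unsorted or duplicate keys."""
    out = bytearray()
    prev: Optional[bytes] = None
    for key, value in entries:
        if prev is not None and key <= prev:
            raise ValueError(f"keys must be strictly ascending, got {key!r} after {prev!r}")
        prev = key
        out += struct.pack(">I", len(key)) + key
        out += struct.pack(">I", len(value)) + value
    return bytes(out)


class SSTableReader:
    """Read-only view of one SSTable: the bytes are never modified, so the map is immutable."""

    def __init__(self, data: bytes) -> None:
        self._data = data
        self._keys: List[bytes] = []                      # sorted, for range scans
        self._offsets: Dict[bytes, Tuple[int, int]] = {}  # key -> (value offset, length)
        pos = 0
        try:
            while pos < len(data):
                (klen,) = struct.unpack_from(">I", data, pos)
                pos += 4
                key = data[pos:pos + klen]
                pos += klen
                (vlen,) = struct.unpack_from(">I", data, pos)
                pos += 4
                if self._keys and key <= self._keys[-1]:
                    raise ValueError("corrupt SSTable: keys out of order")
                self._keys.append(key)
                self._offsets[key] = (pos, vlen)
                pos += vlen
        except struct.error as exc:
            raise ValueError("corrupt SSTable: truncated header") from exc
        if pos != len(data):
            raise ValueError("corrupt SSTable: truncated record")

    def get(self, key: bytes) -> Optional[bytes]:
        """Point lookup via the in-memory index built on open."""
        loc = self._offsets.get(key)
        if loc is None:
            return None
        off, vlen = loc
        return self._data[off:off + vlen]

    def scan(self, start: bytes, end: bytes) -> List[Tuple[bytes, bytes]]:
        """Keys in [start, end), found by binary search over the sorted key list."""
        lo = bisect_left(self._keys, start)
        hi = bisect_left(self._keys, end)
        return [(k, self.get(k)) for k in self._keys[lo:hi]]


if __name__ == "__main__":
    # Constructed sample data: three usernames mapped to small values.
    blob = write_sstable([(b"alice", b"1"), (b"bob", b"2"), (b"dave", b"3")])
    reader = SSTableReader(blob)
    print(reader.get(b"bob"))          # b'2'
    print(reader.get(b"carol"))        # None: never written, takes no space
    print(reader.scan(b"b", b"d"))     # [(b'bob', b'2')]
```

Because the table is immutable, updates in a real system land in new SSTables and are merged later; that is the reason the tablet, not the file, is the unit that gets rebalanced between nodes.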

![title](CloudBigTable2.PNG)

The smallest cloud bigtable cluster you can create has 3 nodes and can handle 30000 operations per second. 

# Cloud MemoryStore

Cloud Memorystore for Redis provides a fully managed in-memory data store service built on scalable, secure and highly available infrastructure managed by Google. Applications running on GCP can achieve extreme performance by leveraging the highly scalable, available and secure Redis service without the burden of managing complex Redis deployments. Cloud Memorystore also automates complex tasks like enabling high availability, failover, patching and monitoring. High availability instances are replicated across two zones and provide a 99.9% availability SLA. You can easily achieve the sub-millisecond latency and throughput your applications need.

# Module Quiz

![title](DatabasesQuiz.PNG)


# Module Review

Cloud Storage - Fully Managed Object Store

Cloud SQL - Fully Managed MySQL and PostgreSQL Database Service

Cloud Spanner - A Relational Database Service with Transactional Consistency, Global Scale and High Availability

Cloud Firestore - Fully Managed NoSQL Document Database

Cloud Big Table - Fully Managed NoSQL Wide Column Database 

Cloud Memorystore - Fully Managed In-Memory Data Store Service for Redis