<a href="https://colab.research.google.com/github/navyz/notebooks/blob/main/gcp_services.ipynb" target="_parent"><img src="https://colab.research.google.com/assets/colab-badge.svg" alt="Open In Colab"/></a>

# Google Cloud services

## Storage

### Firestore
Document database

* Serverless
* Live synchronization and offline mode
* Powerful query engine
* Multi-region replication

### Firebase
* Mobile development platform
* Shares three common modules with a standard GCP project

### Cloud SQL
* Multiple zones
* Supports MySQL, PostgreSQL and SQL Server

## Compute

### Cloud Run
* Abstracts away all infrastructure management
* Built on the container and Knative open standards
* Deploy container images written in the programming language of your choice

### Cloud Functions
* Deploy snippets of code (functions) written in a limited set of programming languages
* Similar to AWS Lambda

### Kubernetes

#### Tools & platforms

* ``GKE``: Google Kubernetes Engine
* ``AKS``: Azure Kubernetes Service
* ``EKS``: AWS Elastic Kubernetes Service, a managed service for running Kubernetes on AWS
* ``minikube``: local Kubernetes, focused on making it easy to learn and develop for Kubernetes
* ``kops``: Kubernetes Operations, an open source project for setting up Kubernetes clusters easily and swiftly
* ``kubeadm``: part of the Kubernetes distribution as of 1.4.0, which helps you install and set up a Kubernetes cluster

#### Kubernetes components
* ``kubectl``: command line client
* ``etcd``: the only stateful component, so scaling it is the hard part

#### Command line


**Config & authentication**
```
kubectl config view
gcloud container clusters list
kubectl config current-context
kubectl get clusterrolebinding
kubectl get clusterrole cluster-admin
```
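The two RBAC commands above (`kubectl get clusterrolebinding` and `kubectl get clusterrole cluster-admin`) answer "what does cluster-admin allow" but not "who holds it". The shell function below is an added example, not part of the original notes: it takes the tabular output of `kubectl get clusterrolebinding -o custom-columns=NAME:.metadata.name,ROLE:.roleRef.name,SUBJECTS:.subjects[*].name` on stdin and lists every subject bound to `cluster-admin`. The sample rows are constructed so the check runs offline; the binding and subject names in them are illustrative only.

```shell
# Added example (not from the original notes): audit which subjects hold
# cluster-admin, using the custom-columns output of
#   kubectl get clusterrolebinding \
#     -o custom-columns=NAME:.metadata.name,ROLE:.roleRef.name,SUBJECTS:.subjects[*].name
# custom-columns joins list fields with commas, which the awk below splits.

cluster_admin_subjects() {
  # stdin: header line followed by one binding per line (NAME ROLE SUBJECTS)
  # output: one "binding<TAB>subject" line per subject bound to cluster-admin
  awk 'NR > 1 && $2 == "cluster-admin" {
         n = split($3, s, ",")
         for (i = 1; i <= n; i++) print $1 "\t" s[i]
       }'
}

# Constructed sample output; names are illustrative placeholders.
SAMPLE_BINDINGS='NAME                 ROLE                SUBJECTS
cluster-admin        cluster-admin       system:masters
example-ci-admin     cluster-admin       ci-deployer,alice@example.com
system:basic-user    system:basic-user   system:authenticated
view-only            view                bob@example.com'

# Runs the audit over the constructed sample (on a real cluster, pipe the
# kubectl command above into cluster_admin_subjects instead).
audit_sample() {
  printf '%s\n' "$SAMPLE_BINDINGS" | cluster_admin_subjects
}

audit_sample
```

On a live cluster the same function is used as `kubectl get clusterrolebinding -o custom-columns=... | cluster_admin_subjects`; anything beyond `system:masters` in the result is worth justifying, since a `cluster-admin` binding bypasses every namespace boundary.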

**View Resource Info**
```
kubectl get nodes
kubectl get pods
kubectl api-resources
kubectl get pods -o wide
kubectl get deploy
kubectl get services                          
kubectl get pods --all-namespaces 
kubectl get nodes -o jsonpath='{.items[*].status.addresses[?(@.type=="ExternalIP")].address}'
kubectl get events --sort-by=.metadata.creationTimestamp
kubectl get hpa --namespace acg-ns
```

**Cluster Management**
```
gcloud container clusters list

gcloud container clusters create mshello-cluster --num-nodes=1 --zone "asia-southeast1-a" --network "projects/khoa-motsach-project-01/global/networks/khoa-vpc-01" --subnetwork "projects/khoa-motsach-project-01/regions/asia-southeast1/subnetworks/khoa-subnet-01-04"
```


**Container Management**

```
gcloud beta container --project "khoa-motsach-project-01" clusters create "ms-cluster" --zone "asia-southeast1-a" --no-enable-basic-auth --cluster-version "1.20.8-gke.900" --release-channel "regular" --machine-type "e2-medium" --image-type "COS_CONTAINERD" --disk-type "pd-standard" --disk-size "20" --metadata disable-legacy-endpoints=true --scopes "https://www.googleapis.com/auth/devstorage.read_only","https://www.googleapis.com/auth/logging.write","https://www.googleapis.com/auth/monitoring","https://www.googleapis.com/auth/servicecontrol","https://www.googleapis.com/auth/service.management.readonly","https://www.googleapis.com/auth/trace.append" --max-pods-per-node "8" --num-nodes "1" --logging=SYSTEM,WORKLOAD --monitoring=SYSTEM --enable-ip-alias --network "projects/khoa-motsach-project-01/global/networks/khoa-vpc-01" --subnetwork "projects/khoa-motsach-project-01/regions/asia-southeast1/subnetworks/khoa-subnet-01-04" --no-enable-intra-node-visibility --default-max-pods-per-node "8" --enable-autoscaling --min-nodes "0" --max-nodes "3" --no-enable-master-authorized-networks --addons HorizontalPodAutoscaling,HttpLoadBalancing,GcePersistentDiskCsiDriver --enable-autoupgrade --enable-autorepair --max-surge-upgrade 1 --max-unavailable-upgrade 0 --enable-autoprovisioning --min-cpu 2 --max-cpu 6 --min-memory 8 --max-memory 24 --enable-autoprovisioning-autorepair --enable-autoprovisioning-autoupgrade --autoprovisioning-max-surge-upgrade 1 --autoprovisioning-max-unavailable-upgrade 0 --autoscaling-profile optimize-utilization --enable-vertical-pod-autoscaling --enable-shielded-nodes --node-locations "asia-southeast1-a"

gcloud container clusters delete cost-optimized-cluster-1
gcloud container clusters get-credentials mshello-cluster
kubectl exec -it pingtest-84646bf5d4-28d6h -- bash
```

**Artifact Registry**
```
# create a Docker repository, build the image, authenticate Docker to the registry and push
gcloud artifacts repositories create mshello-repo --repository-format=docker --location=asia-southeast1 --description="Minh SonDocker repository"
docker build -t asia-southeast1-docker.pkg.dev/khoa-motsach-project-01/mshello-repo/hello-app:v1 .
gcloud auth configure-docker asia-southeast1-docker.pkg.dev
docker push asia-southeast1-docker.pkg.dev/khoa-motsach-project-01/mshello-repo/hello-app:v1
gcloud container clusters get-credentials mshello-cluster

# deploy, scale, autoscale and expose the deployment
kubectl create deployment mshello-app --image=asia-southeast1-docker.pkg.dev/khoa-motsach-project-01/mshello-repo/hello-app:v1
kubectl get pods -o wide
kubectl scale deployment mshello-app --replicas=3
kubectl autoscale deployment mshello-app --cpu-percent=80 --min=1 --max=5
kubectl expose deployment mshello-app --name=mshello-app-service --type=LoadBalancer --port 80 --target-port 8080
kubectl get service

# roll out a new image version
kubectl set image deployment/mshello-app mshello-app=asia-southeast1-docker.pkg.dev/${PROJECT_ID}/mshello-repo/hello-app:v2
```
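The sequence above creates the deployment with `kubectl create deployment`, which sets no CPU request, and then attaches a CPU-based autoscaler with `kubectl autoscale --cpu-percent=80`; that HPA can only compute utilization when each container declares `resources.requests.cpu`. The script below is an added example, not part of the original notes: it renders a Deployment manifest for the image pushed above with explicit requests and limits, prints it when run stand-alone, and applies it (plus the same `kubectl autoscale` call) when `APPLY=1` is set. The project id, repository and image name are the ones from the notes; the request/limit values, the `allowPrivilegeEscalation: false` setting and the `APPLY` switch are assumptions for illustration.

```shell
# Added example (not part of the original notes): render a Deployment manifest
# with CPU/memory requests so that the HPA from the notes has a request to
# measure against. Resource values and securityContext are assumed.

render_deployment() {
  # $1 image reference, $2 replica count, $3 CPU request (e.g. 100m)
  image=$1
  replicas=$2
  cpu_request=$3
  cat <<EOF
apiVersion: apps/v1
kind: Deployment
metadata:
  name: mshello-app
spec:
  replicas: ${replicas}
  selector:
    matchLabels:
      app: mshello-app
  template:
    metadata:
      labels:
        app: mshello-app
    spec:
      containers:
      - name: mshello-app
        image: ${image}
        ports:
        - containerPort: 8080
        resources:
          requests:
            cpu: ${cpu_request}
            memory: 64Mi
          limits:
            cpu: 500m
            memory: 128Mi
        securityContext:
          allowPrivilegeEscalation: false
EOF
}

# Image reference from the notes (same registry path as the docker push above).
IMAGE=asia-southeast1-docker.pkg.dev/khoa-motsach-project-01/mshello-repo/hello-app:v1

# Stand-alone: print the manifest. With APPLY=1 the manifest is piped to the
# cluster selected by `gcloud container clusters get-credentials` and the
# autoscaler from the notes is attached.
if [ "${APPLY:-0}" = "1" ]; then
  render_deployment "$IMAGE" 1 100m | kubectl apply -f -
  kubectl autoscale deployment mshello-app --cpu-percent=80 --min=1 --max=5
else
  render_deployment "$IMAGE" 1 100m
fi
```

Run it with `APPLY=1 sh deploy.sh` (file name assumed) against the cluster; a later `kubectl describe hpa mshello-app` should then show a measured CPU percentage rather than `<unknown>`.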

**Storage**
```
kubectl create secret generic mysql-pass --from-literal=password=Password123
kubectl get secret
kubectl get pv
kubectl get pvc
```

**Autoscaling**
```
kubectl get deploy
kubectl get hpa
kubectl get hpa --namespace acg-ns
```

**Load test**
```
kubectl run -i --tty loader --image=busybox -- /bin/sh
# inside the busybox shell, hit the service through its cluster DNS name in a loop
while true; do wget -q -O- http://acg-lb.acg-ns.svc.cluster.local; done
```

**Resources**

https://kubernetespodcast.com/
https://events.linuxfoundation.org/kubecon-cloudnativecon-north-america/
https://training.linuxfoundation.org/certification/certified-kubernetes-security-specialist/
https://www.cncf.io/certification/cks/

## Security

### Cloud Armor

| Features | Remark |
| --- | --- |
| Protects ``live`` data in transit | |
| Attached to the global load balancer | |
| DDoS | AWS Shield |
| WAF | AWS WAF |
| Pre-configured WAF rules (OWASP Top 10 risks) | Required |
| IP-based and geo-based access control | |
| Support for hybrid and multicloud deployments | |
| Managed Protection Plus for enterprise | $3000 per month |
| Logs to Stackdriver | |


### Web Security Scanner

| Features | Remark |
| --- | --- |
| Protects ``live`` data in transit | |
| WAF | AWS Inspector |
| Free but limited vulnerability scanner | |
| Supported services | GAE, GKE, GCE |
| Pre-configured WAF rules (OWASP Top 10 risks) | Required |
| GET-only requests | |


### Data Loss Prevention

| Features | Remark |
| --- | --- |
| Protects ``data`` at rest | AWS Macie |
| Uses machine learning | |
| Data discovery and classification | |
| De-identify your data: redact, mask, tokenize, and transform text and images | |
| Pay as you go, serverless | |
| On and off the cloud | |
| Text and images | |


### Event Threat Detection

| Features | Remark |
| --- | --- |
| Scans ``logs`` for security detections | AWS GuardDuty |
| Malware, DDoS, port scanning, brute force | |


### Security Command Center

* A Security Information and Event Management (SIEM) system
* Similar services
  * AWS Security Hub
  * Splunk Enterprise Security
  * Sumo Logic



### KMS

* Regional & global
* Support HSM
* FIPS compliance

## Monitoring

### Audit log
| Features | Remark |
| --- | --- |
| Admin activity log (e.g. create new VM) | Required |
| System event log (e.g. autoscaling) | Required |
| Access transparency log (actions by Google support staff) | Required |
| BigQuery | Required |
| Data access | Custom |
| User defined | Custom |
| Required log retention | 400 days |
| Custom log retention | 30 days |

### Stackdriver family
1. SD Logging
   * Based on Fluentd
   * Store, search, analyze, monitor and alert on logs and events
   * Hybrid cloud
   * Scope: global
   * Similar to: AWS CloudWatch

2. SD Error Reporting
   * Error dashboard
   * Counts, analyzes, aggregates and tracks crashes
   * Alarms
   * Language-aware error parsing
   * Supports GCP, AWS, on-premise
   * Similar: Rollbar, Bugsnag
3. SD Trace
   * Tracks the call tree and ``latency`` across a distributed system
   * Java, Node, Ruby, Go
   * Captured automatically for App Engine
   * Monitors ``performance``
   * Scope: global
   * Similar: AWS X-Ray, Zipkin, OpenTracing
4. SD Debugger
   * View the application state (variables) without adding logging statements
   * Logpoints, conditional breakpoints, source view
   * Supports Java, Python, Node, Ruby
   * GCE, GKE, GAE
   * Captured automatically for App Engine
   * Scope: global
   * Supports: GitHub, GitLab, Bitbucket, App Engine
5. SD Profiler
   * Watches application CPU and memory
   * Low overhead (less than 5%)
   * Go, Java, Node, Python
   * Agent based
   * 30 days of data retained
   * Free of charge


| Tool | Target | Method | Based on | Hybrid |
| --- | --- | --- | --- | --- |
| SD Logging | Log | SDK, role | fluentd | Yes |
| SD Error Reporting | Error | SDK | | Yes |
| SD Trace | Performance | SDK | | - |
| SD Debugger | Debug | SDK | | Yes |
| SD Profiler | CPU/RAM | Agent | | Yes |



## Development

### Deployment Manager

1. Infrastructure as code
2. Template based
3. Languages supported: YAML, Python, Jinja2, JSON
4. Similar: AWS CloudFormation, HashiCorp Terraform
5. Free of charge

### Billing API
1. Detailed billing
2. Get list of billable SKU
3. Get public pricing
4. Regional availability

### Source Repositories
1. No pull requests or other advanced features
2. Auto sync from Bitbucket, GitHub
3. Integration with Stackdriver Debugger
4. Pay per active user plus resources


### Cloud Build
1. CI/CD service
2. Can trigger from GitHub, Bitbucket
3. Can build multiple source repos in parallel
4. Dockerfile built-in
5. Integrates with GCR
6. Billing model: pay per minute, first 120 minutes free
7. Similar: AWS CodeBuild, Travis CI, Jenkins




### Google Container Registry
1. Container image registry
2. Images stored in Cloud Storage
3. Scope: regional and multi-regional
4. Similar: AWS ECR, Docker Hub

### Anthos

1. Unifies the management of infrastructure and applications
2. Multi-cloud + on-premise
3. Similar: AWS ECR, Docker Hub


### Cloud Endpoints

1. Handles authorization, monitoring, logging and API keys in GCP
2. Proxy based on the load balancer
3. Uses JWT
4. Integrates with Firebase, Auth0, Google Auth
5. Extensible Service Proxy container
6. Supports both REST and gRPC
7. Similar: AWS API Gateway, Nginx

### Apigee

1. Full-lifecycle API management
2. More powerful, more expensive
3. Supports both REST and gRPC
4. Supports throttling and API versioning
5. Similar: AWS API Gateway, AWS Shield, CA API Gateway



### Test Lab

1. For Android
2. Test with real devices
3. Similar: AWS Device Farm, Xamarin Test Cloud, Sauce Labs mobile testing


# Technologies used in Google Cloud

| Features | Remark |
| --- | --- | 
| Borg | cluster manager, the basis for Kubernetes |
| Spanner | globally-consistent, scalable regional database |
| Colossus | cluster-level file system |
| fluentd | logging |
| fluent-bit | logging, minified |
| loggingd | monitoring |


# Data & Data analytics

## Database


| Product | Remark | Similar |
| --- | --- | --- |
| CloudSQL | AWS Inspector | RDS |
| Cloud Spanner | Enterprise RDBMS | Aurora |
| Cloud DataStore | Wide-column | DynamoDB |
| BigTable | Append only | DynamoDB |
| BigQuery | Relational structured data | Redshift |


## Data analytics


| Product | Purpose | Similar |
| --- | --- | --- |
| Datalab | - | Jupyter notebook |
| Google Data Studio | Dashboard, reporting | - |
| Looker | BI, third party | Athena |
| Cloud Genomics | Genomics processing | - |
| BigQuery | Relational structured data | Athena, Redshift |


### Data processing


| Product | Purpose | Similar |
| --- | --- | --- |
| Dataprep (vendor) | data engineering tool | MapReduce, AWS EMR |
| Dataflow | Batch data processing | Kinesis |
| Dataproc | Data processing | Hadoop, Spark |
| Data Composer | Orchestration | Datapipeline, Glue |
| Pub/Sub | Dashboard, reporting | Kinesis |


# Pricing

## Storage

| A | B | Relative cost |
| --- | --- | --- |
| Class A | Class B | 10 times |
| Standard | Archived | 10 times |
| Standard | Coldline | 2 times |
| HD | Standard | 2 times |
| Firestore | Standard | 10 times |
| Snapshot | Standard | equal |

## Compute

| A | B | Relative cost |
| --- | --- | --- |
| Standard | Preemptible | > 3 times |
| Standard | Reserved | < 2 times |
| GKE | Compute | 2 times |
| GKE Demand | GKE reserved | 1.5 times |
| NVIDIA | Tesla | 8 times |
| GPU | CPU | 50 times |
| TPU | GPU | 5 times |
