Getting Started with Google Cloud Platform: GCP Cloud Architect exam preparation

Getting Started with Google Cloud Platform exam

In this article, we will introduce the concept of cloud computing to better understand what Google Cloud Platform (GCP) is. We will take a look at GCP resources and their hierarchy. After that, we will create our first account and set up a project. Additionally, we will discuss the billing options that are available. We will examine how to create a billing account and associate it with the project. Finally, we will take a look at how to export the billing information. It is important to have this introduction before we start talking about GCP services. This will both help you to pass the exam and to implement the basic setup of GCP for real-life scenarios before you even begin using the services. We actively encourage you to set up your own free-tier Google Cloud account in order to acquire hands-on exposure and gain confidence.



In this post, we will cover the following topics:

  • Introducing the cloud
  • Understanding GCP
  • Exam tips

    Exam Tip

    Having a good understanding of GCP resources is vital in order to pass the GCP Cloud Architect exam. Make sure that you go through this blog carefully and attentively. Read it multiple times if required, and play around with the creation of projects and billing accounts using your free-tier account. Try exporting billing data to both files and BigQuery. You need to remember individual Identity and Access Management (IAM) roles for billing. Make sure that you have a good understanding of the scope of the services.

Introducing the cloud

Before we jump into GCP, first, let's learn what the cloud is, as per the following diagram:

Figure 2.1 – What the cloud is

It is true—there is no cloud: it's just someone else's computer. With the cloud, what we are actually doing is accessing resources and consuming services that are hosted on someone else's computer. If we want to be more precise, the cloud is a pool of computers.

Now, let's take a look at a more accurate and professional definition used by Google that comes from the United States National Institute of Standards and Technology (https://csrc.nist.gov/publications/detail/sp/800-145/final):

"Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (for example, networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models."

The five essential characteristics of the cloud are as follows:

  • On-demand self-service: Services are provisioned automatically without manual provider intervention, and you only pay for what is used.
  • Broad network access: Resources are available throughout the network.
  • Resource pooling: Resources are pooled from a shared pool, giving the user a sense of location independence. For some of the resources, the location might be restricted.
  • Rapid elasticity: Services can be elastically provisioned and de-provisioned with the capacity being managed by the provider.
  • Measured service: Resource usage is monitored and can be reported on.

The four deployment models are as follows:

  • Private cloud: This is used by specific organizations but can be managed by third parties.
  • Public cloud: This is used by the general public.
  • Community cloud: This is used by specific communities.
  • Hybrid cloud: This is composed of two or more different clouds.

When we look at GCP, it fulfills all of the five characteristics and fits into the public cloud deployment model. In the next section, we will take a look at GCP itself.

Understanding GCP

Google has been developing its own tools to deliver services such as Gmail, YouTube, and Google Workspace for years. These tools have been converted into services that can be consumed by others. Consumers are given the amazing scalability that Google must use for their own purposes. GCP allows you to choose from computing, storage, networking, big data, and Machine Learning (ML) services to build your application on top of them. The number of services is constantly growing, and new announcements are made on an almost weekly basis. New services and features are released, first, as alpha versions, then as beta versions, and finally, they are made globally available. The early releases are available even earlier for selected customers and partners. This allows the services to be tested by external parties even before their official release!

Google supports several service models, including the following:

  • Infrastructure-as-a-Service (IaaS)
  • Platform-as-a-Service (PaaS)
  • Container-as-a-Service (CaaS)
  • Function-as-a-Service (FaaS)
  • Managed services

As you can see, the range of services in GCP is very broad. Let's quickly analyze this range of services offered by GCP. We will start from very simple IaaS, such as a traditional data center, and end with using FaaS, where we can run code without the need to manage any server infrastructure. The choice of service depends on our requirements. Put simply, if we require flexibility and control over our Virtual Machines (VMs), we would use Compute Engine. This service allows us to provision VM instances or simply lift and shift machines from our existing environment. However, the trade-off is that you are responsible for managing all of the layers above the VM instance. That includes the operating system, any middleware, and any applications on top of it.

When we move away from IaaS toward PaaS, CaaS, or FaaS, the responsibility of maintaining the infrastructure is taken away from us. With Cloud Functions, all we really care about is the coding of a function in a language supported by GCP. Once it's done and published, we access it through the HTTP(S) protocol.

Finally, as we move to managed services, we simply start to consume services that bring us a particular business value without having to worry about any underlying parts. They can be used in Software-as-a-Service (SaaS) models and consumed through APIs. An example of this is Dataprep, which is a data service that allows you to clean up and prepare your data for further analysis. Another example is the pretrained ML model, Vision API. Developers can consume this service by using the RESTful API to analyze images without having to write any code, except for the call itself.

Hopefully, now you understand that GCP is much more than just a hosting service. It provides you with sets of tools, services, and resources that will help you to develop and deliver your applications. The choice of the services you will use depends entirely on the set of requirements you have. If that feels overwhelming, then don't worry. This blog is written to help you to go through GCP step by step.

In the post Google Cloud Platform Core Services, you will get an overview of the most important GCP services. In the following posts, we will dive into each of them in more detail to get you prepared for the exam.

GCP differentiators

Every cloud provider has something that differentiates it from others. Each provider has its own strategy in terms of how to deliver value to customers, and the same is true for GCP. Let's take a look at what the key GCP features are that make it stand out from the crowd:

  • The Google Network: The Google Network is something that differentiates GCP from other cloud providers. Google claims that around 40% of the world's internet traffic is carried by the Google Network, making it the largest network on the globe. This allows the Google Network to respond with very low latency, as close to the end user as possible.
  • Global scope: GCP was developed with global availability in mind. You will note that services such as load balancing are available globally rather than regionally, unlike other providers. This allows the client to concentrate on development and embrace out-of-the-box high availability and elasticity.
  • ML services: GCP offers a great number of ML services for both data scientists and regular developers who might have limited knowledge of ML. The ML services allow pretrained models to be used, as well as offering AutoML services. The latter allows you to train ML models without knowing how they are actually created. The portfolio of these services is growing very quickly. The key goal of Google is to enable enterprises with ML to make faster and smarter decisions.
  • Developer-focused: GCP was built with a focus on developers. If you look at the history of GCP, it started in 2008 with a preview release of App Engine, which is a fully serverless platform, allowing developers to initially run their applications written in Python, before support for other languages such as Java and Go were added. It provides out-of-the-box load balancing and autoscaling. Developers simply need to choose the platform they want to develop on and they can start coding. Also, if you look at Google Cloud's operations suite (formerly known as Stackdriver, a GCP monitoring tool) itself, it provides several tools that can be directly integrated with an application. This allows the developer to use them to monitor and debug their application. Google makes it very clear that GCP was created for developers to help them with their challenges. Having achieved this goal, they are now aiming toward large enterprises.
  • Pricing: The VM instances are priced per second with a minimum runtime of one minute. This allows you to run the machines for short tests and not have to pay for a full hour of use.
  • Service-Level Agreement (SLA): GCP provides customers with an agreement on the level of service that will be delivered for each service. This is usually defined as a Service-Level Objective (SLO), which covers a Monthly Uptime Percentage for the service. If the SLO is not met, the customer is eligible for financial credits. Note that this percentage depends on the service and that alpha and beta features are not included with any SLA.
  • Security: Google uses its many years of experience in running services such as Gmail in GCP. Your data is always encrypted with a choice of Google or customer-managed keys.
  • Carbon neutral: This might not be the most important feature when it comes to functionality, but it is worth knowing. Google data centers are carbon-neutral, meaning that 100% of the energy used to power them comes from renewable energy. This includes the GCP data centers.

GCP locations

As we have already mentioned, GCP has a global footprint that includes North America, South America, Europe, Asia, and Australia. The locations are further split into regions and zones.

It is your decision where your application should be located to provide low latency and high availability:

  • A region is defined by Google as an independent geographic area that is divided into multiple zones. Locations within regions should have round-trip network latencies of under 1 ms in 95% of cases.
  • A zone is a deployment area for GCP resources. Note that a zone does not correspond to a single data center; it can consist of multiple buildings. Even though a zone provides a certain amount of fault protection, a zone is considered a single point of failure (SPOF). Therefore, you should consider placing your application across multiple zones to provide fault tolerance.
  • Network edge locations are connections to GCP services located in a particular metropolitan area.

At the time of writing, GCP has the following:

  • 28 regions
  • 85 zones
  • 146 network edge locations

These numbers are growing rapidly, and, at the time of writing, Google has announced an additional two regions at the Google Cloud Next conference. For the most up-to-date information, please refer to https://cloud.google.com/about/locations. The following map shows the current and future regions and zones across the globe:

Figure 2.2 – GCP locations (Source: https://cloud.google.com/about/locations/)

The preceding map shows current regions in blue and planned regions in white. It should also be noted that not all services are available in each region. For example, Cloud Functions, after being made globally available, was only introduced in a limited number of locations.

Resource manager

GCP consists of containers such as organizations, folders, and projects to hierarchically group your resources. This allows you to manage their configuration and access control. The resources can be managed programmatically using APIs. Also, Google provides tools such as Google Cloud Console and command-line utilities, which are wrappers around the API calls. Now, let's take a look at the hierarchy presented in the following diagram and familiarize ourselves with each of the resources:

Figure 2.3 – The resource manager hierarchy (Source: https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy, License: https://creativecommons.org/licenses/by/4.0/legalcode)

The preceding diagram shows the resource manager hierarchy. Starting from the top, we have an Organization that can be mapped to a company. Next, we have Folders that can represent a company's departments. Next, we have Projects, which further divide the actual company projects or environments, such as development and production. Finally, underneath Projects, we have GCP Resources. We will take a look at each of these in the following sections.

Organizations

At the top of the hierarchy, we have the organization. However, note that this is an optional resource, and you can use GCP very well without it. The organization is only available to users of Google Workspace (formerly G-Suite) and Cloud Identity, which are products outside of GCP.

To provide some context, Google Workspace is a bundle of collaboration tools, including Gmail, Google Drive, Hangouts, and Google Docs. Users use these tools, which are stored in the Google Workspace domain.

Cloud Identity is an Identity-as-a-Service (IDaaS) offering. Similarly, it allows you to create a domain and to manage your users, applications, and device accounts from a single point. You can learn more about Cloud Identity in the post Security and Compliance.

A single Google Workspace or Cloud Identity account can only be associated with a single organization. This implies that the organization is bound to one domain only. In both Google Workspace and Cloud Identity, there is a defined role of super administrators. When you create the organization, those users will have the highest privileges in the organization and underlying resources. Please ensure that this account is not used for day-to-day operations.

Instead, the super administrator should assign the role of organization administrator to designated users. This role is further used to define IAM policies, resource hierarchy, and delegate permissions using IAM roles.

Important Note

With the creation of a new organization, all users from the domain get the Project Creator and Billing Account Creator IAM roles. This allows them to create new projects in that organization. Again, we will take a closer look at this in the article Security and Compliance.

Folders

Folders are logical containers that can group projects or other folders. They can be used to assign IAM policies. Again, the use of folders is optional and is only available when an organization resource exists. The use case for using folders is to group projects that will use the same IAM policies.

Projects

Projects are the smallest logical containers that group resources. Every resource within GCP needs to belong to exactly one project. Each project is managed separately, and IAM roles can be assigned per project to control the access in a fine-grained way.

Projects have three identification attributes:

  • Project ID: This is a globally unique immutable ID generated by Google.
  • Project name: This is a unique name provided by a user.
  • Project number: This is a globally unique number generated by Google.

In most cases, you will use the project ID to identify your project. To manage resources within GCP, you will always need to identify which project they belong to by either the project ID or the project number. You can create multiple projects, but there is a quota that limits the number of projects per account. If you reach the quota, you will need to submit a request to extend it.

Resources' scope

Now that we know the physical and logical separation of GCP resources, let's take a look at their scope. The resources can be either global, regional, or zonal. This indicates how accessible the resource is to other resources. For example, a global image can be used in any region to provision VMs. On the other hand, a VM that needs to belong to a particular subnet must reside in the same region for which the subnet was configured.

Even though the resources have a narrow scope, bear in mind that they still need to have unique names within the project, meaning you can't have two VMs with the same name within one project.

OK, let's take a look at the resources and their scope. You might not be completely familiar with the following resources, but don't worry; they will be explained in more detail in the coming articles.

Global resources

Global resources are globally available within the same project and can be accessed from any zone. These include the following objects:

  • Addresses: These are reserved external IP addresses and can be used by global load balancers.
  • Images: These are either predefined or user-customized. They can be used to provision VMs.
  • Snapshots: Snapshots of a persistent disk allow the creation of new disks and VMs. Note that you can also expose a snapshot to a different project. Snapshots can also act as a backup for VMs.
  • Instance templates: These can be used for the creation of managed instance groups.
  • Virtual Private Cloud (VPC) networks: These are virtual networks that you can connect your workloads to.
  • Firewall: These are defined per VPC but are globally accessible.
  • Routes: Routes allow you to direct your network traffic and are assigned to VPCs, but they are also considered global.

Regional resources

Regional resources are only accessible by other resources within the same region. These include the following objects:

  • Addresses: Static, external IP addresses can only be used by instances that are in the same region.
  • Subnets: These are associated with VPC networks and allow the assignment of IP addresses to VMs.
  • Regional managed instance groups: These allow you to scale groups of instances. The scope can be set to either regions or zones.
  • Regional persistent disks: These provide replicated, persistent storage to VM instances. They can also be shared between projects for the creation of snapshots and images, but not disk attachments.

Zonal resources

Zonal resources are only accessible by other resources within the same zone. These include the following objects:

  • VM instances: These reside in a particular zone.
  • Zonal persistent disks: These provide persistent storage to VM instances. They can also be shared as disks between projects for the creation of snapshots and images, but not disk attachments.
  • Machine types: These define the hardware configuration for your VM instances and are defined for any particular zone.
  • Zonal managed instance groups: These allow you to autoscale groups of instances. The scope can be set to either regions or zones.

Now that we understand the theory, let's take a look at how to create a project. Note that if you have not done so yet, navigate to https://cloud.google.com/free to create your free-tier GCP account.

Managing projects

To create a new project, perform the following steps:

  1. Log in to the GCP console at https://console.cloud.google.com. Then, click on the drop-down arrow next to the name of the project you are currently logged into. A Select a project window will pop up. Click on NEW PROJECT in the upper-right corner:

    Figure 2.4 – Managing projects

  2. Fill in the name and choose the billing account. You can attach the project to an organization or a folder. Choose the default billing account. In the following steps, we will show you how to create a new billing account and associate it with the project we are now creating. Click on the CREATE button, as shown in the following screenshot:

    Figure 2.5 – The New Project pane

    Note that the Billing account option will not be shown if you don't own an organization and use a private account.

  3. A new project has been created. You can now manage it from the GCP console:

    Figure 2.6 – The Project info pane

  4. To start using the GCP services, click on the hamburger icon. A menu will pop up. You can access all of the GCP services from here, as shown in the following screenshot:

Figure 2.7 – Start using the new project

In the following articles of this blog, we will take a look at each of the services that are relevant to the exam. Don't get scared by the number of options available.

Granting permissions

In the IAM section of the post Security and Compliance, you will find more details about how to assign permissions to your GCP resources.

For the sake of this introduction, we will now learn how to add a member and assign previously defined roles to them. Essentially, roles are sets of permissions.

Here are the step-by-step instructions to grant permissions:

  1. To add a new member to your project, go to the IAM section of the IAM & admin pane.
  2. Select the MEMBERS tab and click on ADD. Now, select a member and choose a role. Click on Save to confirm:

    Figure 2.8 – Adding members to roles

  3. The user has been added and has been granted the permissions of the defined role:

Figure 2.9 – Users added to the role

Brian Gerrard has been sent an invitation to join the project as an owner. The triangle with an exclamation mark will be displayed until the invitation has been accepted.

Billing

Depending on your company structure, you might have different requirements regarding billing. With GCP, you have the option to create a single or multiple billing accounts. As shown in the following diagram, the billing accounts can be associated with one or more projects. The actual payment details are created in the payment profiles that are attached to the billing account, as follows:

Figure 2.10 – Google Cloud billing (Source: https://cloud.google.com/billing/docs/how-to/billing-access?hl=pl, License: https://creativecommons.org/licenses/by/4.0/legalcode)

Here, you can see that the smallest entity you are billed for is a single project. Therefore, you cannot split your bill inside the project. This affects how you can split the billing within your organization. Do you have multiple departments that need separate billing—for example, finance, engineering, and human resources—or do you manage it centrally?

In the first scenario, you might want multiple projects with multiple billing accounts; however, in the latter scenario, you might require multiple projects with a single billing account.

Managing billing accounts

The first billing account will be created upon the creation of your GCP account. However, as we have just learned, you might require multiple billing accounts.

To create a new billing account, perform the following steps:

  1. Navigate to the GCP console and choose Billing from the left-hand side navigation pane. Click on the drop-down menu that shows your billing account and click on MANAGE BILLING ACCOUNTS.
  2. You will be presented with the existing billing accounts. Click on Create account:

    Figure 2.11 – My billing accounts

  3. In the next window, name your billing account, as shown in the following screenshot:

    Figure 2.12 – Creating a new billing account

  4. Choose the country, and the currency will be updated for you. Click on the Confirm button:

    Figure 2.13 – Setting up the billing profile

  5. Now, you can choose an existing payment profile or create a new one. Note that we do not see any existing profiles. This is because my existing payment profiles are set to Polish PLN, while the new billing profile is set to USD. Fill in the customer information and scroll down to Payment method:

    Figure 2.14 – Setting up the customer information

  6. Fill in your payment details, and click on the Submit and enable billing button:

    Figure 2.15 – Payment details

  7. Now, your billing account has been created, and you can manage it from the Billing window:

Figure 2.16 – The billing account has been created

We can now assign a project to the newly created billing account.

Assigning a project to a billing account

As mentioned already, you can assign multiple projects to one billing account. In the following screenshot, you can see that we now have three billing accounts and multiple projects assigned to them. Our newly created billing account has no project assigned to it; therefore, let's move our GCP Cloud Architect project to that billing account, as follows:

  1. Click on Billing and then click on Account Management. Now, click on the three-dots next to the project name and choose Change billing:

    Figure 2.17 – Changing the billing account

  2. In the next window, we select the billing account we want the project to be attached to and click on SET ACCOUNT:

Figure 2.18 – Selecting the billing account for the project

The project is now attached to its proper billing account.

Exporting billing

GCP allows you to export the billing information to a BigQuery dataset. This can be useful if you need to prepare reports or carry out an analysis of the cost of your cloud consumption.

Important Note

We will learn about BigQuery and Google Storage in the big data and storage articles of this blog. To understand billing exports, you just need to know that BigQuery is a GCP data warehouse service.

To perform the export, follow these steps:

  1. Go to Billing and choose Billing export. Select the BIGQUERY EXPORT option. There are different levels of details available for exports:

    Figure 2.19 – Billing export

  2. To export a standard report, click on the EDIT SETTINGS in the Standard usage cost section. Then, fill in the information regarding the dataset and click on SAVE. If you currently have no datasets set up in BigQuery, then you will be prompted to create one from the drop-down menu:

    Figure 2.20 – Daily cost detail

  3. Next, you can create a new dataset with the values you require:

    Figure 2.21 – Dataset values

  4. After the data has been exported to BigQuery, you can perform queries on it. For example, you can check which service has generated the most costs:

Figure 2.22 – BigQuery billing query (Source: https://cloud.google.com/billing/docs/how-to/visualize-data, License: https://creativecommons.org/licenses/by/4.0/legalcode)

This information is very useful when you wish to create all sorts of billing reports. In addition to the reporting, we would also like to be informed, upfront, whether we are exceeding our budget. In the next section, let's examine how this can be done.

Budgets and alerts

Budgets and alerts can be set for each billing account or project. You can set up a specific threshold. Once the amount spent is higher than the defined threshold, billing administrators and billing account users will be notified. This will not stop the usage of any services, and charges will continue to apply for the running resources. By default, there are three alert thresholds: 50%, 90%, and 100%. Both the number of thresholds and their values can be modified:

Figure 2.23 – Creating a budget

There are two types of notification targets: email and a Pub/Sub topic. If the email channel is chosen, the billing administrators and users can be notified, or a specific notification channel with an associated email address can be selected. If a Pub/Sub topic is selected, an already existing topic can be selected or a new topic can be created.

Exam Tip

If the alerts and budgets are attached to a billing account, and you have multiple projects attached to it, the alerts will count toward the total cost generated in all of those projects together. Remember the default thresholds for the alerts.
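
Because a budget does not stop spending, a Pub/Sub notification target is the place where automated handling would start. The following added example (not code from the original article) decodes a budget notification and reports each of the default thresholds only once per billing period, even though the same status may be delivered repeatedly. The message is a constructed sample that uses the payload fields of Cloud Billing budget notifications; the tracker class, the helper names and the account and budget IDs are hypothetical.

```python
import base64
import json

# Default alert thresholds stated in the article: 50%, 90% and 100%.
DEFAULT_THRESHOLDS = (0.5, 0.9, 1.0)


def make_message(cost, budget, interval_start, budget_id="budget-example"):
    """Build a CONSTRUCTED Pub/Sub message shaped like a budget notification."""
    payload = {
        "budgetDisplayName": "example-budget",
        "costAmount": cost,
        "costIntervalStart": interval_start,
        "budgetAmount": budget,
        "budgetAmountType": "SPECIFIED_AMOUNT",
        "currencyCode": "USD",
    }
    return {
        # Pub/Sub delivers the JSON payload base64-encoded in "data".
        "data": base64.b64encode(json.dumps(payload).encode()).decode(),
        "attributes": {
            "billingAccountId": "000000-AAAAAA-000000",  # placeholder ID
            "budgetId": budget_id,
            "schemaVersion": "1.0",
        },
    }


def decode(message):
    """Decode and validate the notification payload."""
    payload = json.loads(base64.b64decode(message["data"]))
    for field in ("costAmount", "budgetAmount", "costIntervalStart"):
        if field not in payload:
            raise ValueError(f"missing field: {field}")
    if payload["budgetAmount"] <= 0:
        raise ValueError("budgetAmount must be positive")
    return payload


class BudgetAlertTracker:
    """Report each threshold once per budget and billing period.

    State is kept in memory here; a deployed subscriber would persist it.
    """

    def __init__(self, thresholds=DEFAULT_THRESHOLDS):
        self.thresholds = sorted(thresholds)
        self._highest = {}  # (budgetId, costIntervalStart) -> highest reported

    def handle(self, message):
        """Return the thresholds newly crossed by this notification."""
        payload = decode(message)
        budget_id = message.get("attributes", {}).get("budgetId")
        # A new costIntervalStart means a new period, so thresholds re-arm.
        key = (budget_id, payload["costIntervalStart"])
        ratio = payload["costAmount"] / payload["budgetAmount"]
        already = self._highest.get(key, 0.0)
        newly = [t for t in self.thresholds if already < t <= ratio]
        if newly:
            self._highest[key] = newly[-1]
        return newly


if __name__ == "__main__":
    tracker = BudgetAlertTracker()
    period = "2022-01-01T00:00:00Z"
    for cost in (30.0, 55.0, 55.0, 120.0):
        crossed = tracker.handle(make_message(cost, 100.0, period))
        print(f"cost={cost:.2f} newly crossed: {crossed}")
```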

Billing account roles

Surely, you would want to have control over who has access to your billing and who can manage the payments. The following list shows the roles that can be used to control the billing:

  • Billing Account Creator: This is used for the initial billing setup, including signing up for GCP with a credit card.
  • Billing Account Administrator: This is the owner of the billing account. This role is allowed to link and unlink projects and manage other users' roles for the billing account. This role can manage payment instruments, billing exports, and view cost information.
  • Billing Account User: In combination with the project creator role, the Billing Account User role is allowed to create new projects linked to the billing account on which the role has been granted.
  • Billing Account Viewer: This role allows access to view the billing information. It can be used by the finance team.
  • Billing Account Costs Manager: This role allows you to view and export the cost information of the billing account.
  • Project Billing Manager: This role enables the attachment of the project to a billing account without rights to resources.

    Exam Tip

    Make sure you understand the billing roles; in particular, ensure you have a good understanding of who can manage new billing accounts and who can only view the data.
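
The role split above, together with the earlier note that every user in the domain receives the Project Creator and Billing Account Creator roles when an organization is created, can be checked against an exported IAM policy. The following is an added example, not code from the original article: the role IDs are the standard identifiers for the roles named in this post, while the sample policy, the capability labels and the finding names are constructed for illustration.

```python
import json

# Role IDs for the roles named in this article, mapped to the capability the
# article attributes to each. The capability labels are this example's own.
BILLING_ROLES = {
    "roles/billing.creator": "create",        # Billing Account Creator
    "roles/billing.admin": "manage",          # Billing Account Administrator
    "roles/billing.user": "link",             # Billing Account User
    "roles/billing.projectManager": "link",   # Project Billing Manager
    "roles/billing.costsManager": "view",     # Billing Account Costs Manager
    "roles/billing.viewer": "view",           # Billing Account Viewer
}
PROJECT_CREATOR = "roles/resourcemanager.projectCreator"
BROAD_MEMBERS = ("allUsers", "allAuthenticatedUsers")

# CONSTRUCTED sample policy (not real data) in the standard IAM policy shape:
# a list of bindings, each pairing one role with its members.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/billing.creator", "members": ["domain:example.com"]},
    {"role": "roles/resourcemanager.projectCreator",
     "members": ["domain:example.com", "user:dev1@example.com"]},
    {"role": "roles/billing.admin",
     "members": ["user:finance-lead@example.com", "user:cloud-admin@example.com"]},
    {"role": "roles/billing.user",
     "members": ["user:dev1@example.com", "group:platform-team@example.com"]},
    {"role": "roles/billing.viewer", "members": ["group:finance@example.com"]},
    {"role": "roles/billing.costsManager", "members": ["user:analyst@example.com"]}
  ]
}
""")


def principals_by_role(policy):
    """Map each role to the set of members bound to it."""
    roles = {}
    for binding in policy.get("bindings", []):
        roles.setdefault(binding["role"], set()).update(binding.get("members", []))
    return roles


def billing_capabilities(policy):
    """Map each member to the set of billing capabilities its roles carry."""
    caps = {}
    for role, members in principals_by_role(policy).items():
        if role in BILLING_ROLES:
            for member in members:
                caps.setdefault(member, set()).add(BILLING_ROLES[role])
    return caps


def view_only_members(policy):
    """Members whose billing roles only allow viewing cost data."""
    caps = billing_capabilities(policy)
    return sorted(m for m, c in caps.items() if c == {"view"})


def audit(policy):
    """Return (finding, role, member) tuples worth a reviewer's attention.

    Only direct bindings are compared; group and domain membership is not
    expanded, so a user covered by a domain-wide grant is not listed by name.
    """
    roles = principals_by_role(policy)
    findings = []
    # The organization-creation default: creator roles held by a whole domain.
    for role in ("roles/billing.creator", PROJECT_CREATOR):
        for member in sorted(roles.get(role, ())):
            if member.startswith("domain:") or member in BROAD_MEMBERS:
                findings.append(("BROAD_CREATOR", role, member))
    # Billing Account User plus Project Creator can create billed projects.
    both = roles.get("roles/billing.user", set()) & roles.get(PROJECT_CREATOR, set())
    for member in sorted(both):
        findings.append(("CAN_CREATE_BILLED_PROJECTS", "roles/billing.user", member))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_POLICY):
        print(*finding)
    print("view only:", view_only_members(SAMPLE_POLICY))
```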

Summary

In this post, we learned about the basics of GCP. We discussed resources and their scopes and hierarchies. We set up our first account, created permissions for other users to access it, and configured billing. We also learned how to export billing information. Finally, we learned how to set up alerts and budgets to control the cost of GCP usage.

In the next post, we will take a look at GCP's core services, and, in the articles that follow, we will continue to deep dive into each of them.

Further reading

For more information on GCP billing and security, please refer to the following resources:
