Google Cloud Compute Engine Security

This quiz covers the management of instances on Google Cloud Compute Engine, focusing on administrative access and operational efficiency for a team of employees.

Created by
@RealizableAgate9163

Questions and Answers

You create a new Google Kubernetes Engine (GKE) cluster and want to make sure that it always runs a supported and stable version of Kubernetes. What should you do?

Enable the Node Auto-Upgrades feature for your GKE cluster.

You have an instance group that you want to load balance. You want the load balancer to terminate the client SSL session. The instance group is used to serve a public web application over HTTPS. What should you do?

Configure an HTTP(S) load balancer.

You have 32 GB of data in a single file that you need to upload to a Nearline Storage bucket. What is the best way to upload the file rapidly?

Enable parallel composite uploads using gsutil on the file transfer.

You've deployed a microservice called myapp1 to a Google Kubernetes Engine cluster using a YAML file. How should you refactor the configuration to ensure the database password is not stored in plain text?

Store the database password inside a Secret object. Modify the YAML file to populate the DB_PASSWORD environment variable from the Secret.

You want to properly maintain instance group sizes when autoscaling on Google Cloud. What should you do?

Increase the initial delay of the HTTP health check to 200 seconds.

You need to select and configure compute resources for a set of batch processing jobs that run nightly and take around 2 hours to complete. What should you do to minimize service costs?

Select Compute Engine. Use preemptible VM instances of the appropriate standard machine type.

You want to configure 10 Compute Engine instances for availability during maintenance and ensure that they attempt to restart if they crash. What should you do?

Create an instance template for the instances. Set the 'Automatic Restart' to on. Set the 'On-host maintenance' to 'Migrate VM instance'. Add the instance template to an instance group.

What should you do to find out why an application was deployed to the wrong project in Google Cloud Platform?

Go to Cloud Shell and run gcloud config list to review the Google Cloud configuration used for deployment.

You created an instance of SQL Server 2017 on Compute Engine to test features in the new version. You want to connect to this instance using the fewest number of steps. What should you do?

Install an RDP client on your desktop. Set a Windows username and password in the GCP Console. Use the credentials to log in to the instance.

Every employee of your company has a Google account. Your operational team needs to manage a large number of instances on Compute Engine. Each member of this team needs only administrative access to the servers. Your security team wants to ensure efficient credential deployment and the ability to determine who accessed a given instance. What should you do?

Ask each member of the team to generate a new SSH key pair and to add the public key to their Google account. Grant the 'compute.osAdminLogin' role to the Google group corresponding to this team.

You have one GCP account running in your default region and zone and another account running in a non-default region and zone. You want to start a new Compute Engine instance in these two Google Cloud Platform accounts using the command line interface. What should you do?

Create two configurations using gcloud config configurations create [NAME]. Run gcloud config configurations activate [NAME] to switch between accounts when running the commands to start the Compute Engine instances.

You significantly changed a complex Deployment Manager template and want to confirm that the dependencies of all defined resources are properly met before committing it to the project. You want the most rapid feedback on your changes. What should you do?

Execute the Deployment Manager template using the '-preview' option in the same project, and observe the state of interdependent resources.

You need to create a custom VPC with a single subnet. The subnet's range must be as large as possible. Which range should you use?

10.0.0.0/8

You are building a pipeline to process time-series data. Which Google Cloud Platform services should you put in boxes 1, 2, 3, and 4?

Cloud Pub/Sub, Cloud Dataflow, Cloud Bigtable, BigQuery

You want to select and configure a cost-effective solution for relational data on Google Cloud Platform. Working with a small set of operational data in one location and requiring point-in-time recovery, what should you do?

Select Cloud SQL (MySQL). Verify that the enable binary logging option is selected.

You want to configure autohealing for network load balancing for a group of Compute Engine instances in multiple zones, with VM re-creation after 3 unresponsive attempts. What should you do?

Create a managed instance group. Set the Autohealing health check to healthy (HTTP).

You have a project for your App Engine application that serves a development environment. The required testing has succeeded, and you want to create a new project to serve as your production environment. What should you do?

Use gcloud to create the new project, and then deploy your application to the new project.

You need to configure IAM access audit logging in BigQuery for external auditors. You want to follow Google-recommended practices. What should you do?

Add the auditors group to the 'logging.viewer' and 'bigQuery.dataViewer' predefined IAM roles.

You are using multiple configurations for gcloud and want to review the configured Kubernetes Engine cluster of an inactive configuration with few steps. What should you do?

Use kubectl config use-context and kubectl config view to review the output.

Your company uses Cloud Storage to store application backup files for disaster recovery following Google's recommended practices. Which storage option should you use?

Coldline Storage

You need to set up permissions for a set of Compute Engine instances to enable them to write data into a particular Cloud Storage bucket. You want to follow Google-recommended practices. What should you do?

Create a service account and add it to the IAM role 'storage.objectCreator' for that bucket.

You have sensitive data stored in three Cloud Storage buckets and have enabled data access logging. You want to verify activities for a particular user for these buckets, using the fewest possible steps. What should you do?

Using the GCP Console, filter the Activity log to view the information.

Several employees at your company have been creating projects with Cloud Platform and paying with personal credit cards, which the company reimburses. The company wants to centralize all projects under a single billing account. What should you do?

In the Google Platform Console, go to the Resource Manager and move all projects to the root Organization.

You host a static website on Cloud Storage. When users click on links to PDF files, their browsers prompt them to save the file onto their local system. What should you do to have the clicked PDF files displayed within the browser window directly?

Set Content-Type metadata to application/pdf on the PDF file objects.

You have an application that looks for its licensing server on the IP 10.0.3.21. You want to deploy the licensing server on Compute Engine without changing the application configuration, and you need to ensure the application can reach the server. What should you do?

Reserve the IP 10.0.3.21 as a static internal IP address using gcloud and assign it to the licensing server.

You are the project owner of a GCP project and want to delegate control to colleagues to manage buckets and files in Cloud Storage. You want to follow Google-recommended practices. Which IAM roles should you grant your colleagues?

Storage Admin

You have an object in a Cloud Storage bucket that you want to share with an external company. The object contains sensitive data. What method should you use to share the object securely with the external company?

Create a signed URL with a four-hour expiration and share the URL with the company.

You have a virtual machine running out of memory with 2 vCPUs and 4 GB of memory. You want to upgrade the virtual machine to have 8 GB of memory. What should you do?

Stop the VM, increase the memory to 8 GB, and start the VM.

You are deploying an application to App Engine and want the number of instances to scale based on request rate, with at least 3 unoccupied instances always available. Which scaling type should you use?

Automatic Scaling with min_idle_instances set to 3.

You need to set up production and test workloads on Compute Engine with VMs in different subnets. Which configuration meets the requirements?

Create a single custom VPC with 2 subnets, each in a different region and with different CIDR ranges.

What should you do to create an autoscaling managed instance group for an HTTPS web application and ensure that unhealthy VMs are recreated?

Create a health check on port 443 and use it when creating the Managed Instance Group.

What should you do to allow members of a data science team to perform queries on BigQuery following Google-recommended practices?

Create a dedicated Google group in Cloud Identity. Add each data scientist's user account to the group. Assign the BigQuery jobUser role to the group.

How should you enable communication on TCP port 8080 between different tiers of a 3-tier solution running on Compute Engine?

Create an ingress firewall rule allowing communication between instances with tier #2 service account and instances with tier #1 service account, and another rule between tier #3 service account and tier #2 service account.

You are creating a Google Kubernetes Engine (GKE) cluster with a cluster autoscaler feature enabled. How should you ensure that each node of the cluster will run a monitoring pod that sends container metrics to a third-party monitoring solution?

Deploy the monitoring pod in a DaemonSet object.

To send and consume Cloud Pub/Sub messages from an App Engine application where the Cloud Pub/Sub API is disabled, what should you do?

Enable the Cloud Pub/Sub API in the API Library on the GCP Console.

How can you monitor resources distributed over different projects in Google Cloud Platform and consolidate reporting under the same Stackdriver Monitoring dashboard?

Configure a single Stackdriver account and link all projects to the same account.

When deploying an application to a Compute Engine VM in a managed instance group where only a single instance of the VM should run per GCP project, how should you configure the instance group?

Set autoscaling to On, set the minimum number of instances to 1, and then set the maximum number of instances to 1.

To verify the IAM users and roles assigned within a GCP project named 'my-project,' what should you do?

Navigate to the project and then to the IAM section in the GCP Console, and review the members and roles.

What should you do to create a new billing account and then link it with an existing Google Cloud Platform project?

Verify that you are Project Billing Manager for the GCP project. Create a new billing account and link the new billing account to the existing project.

If you have one project named 'proj-sa' where you manage service accounts and want to use a service account from this project to take snapshots of VMs running in another project called 'proj-vm,' what should you do?

Grant the service account the IAM Role of Compute Storage Admin in the project called 'proj-vm'.

You initially configured an App Engine application to be served from the us-central region. Now you want the application to be served from the asia-northeast1 region. What should you do?

Create a new GCP project and create an App Engine application inside this new project. Specify asia-northeast1 as the region to serve your application.

You want to run a single caching HTTP reverse proxy on GCP for a latency-sensitive website. This specific reverse proxy consumes almost no CPU. You want to have a 30-GB in-memory cache, and need an additional 2 GB of memory for the rest of the processes. You want to minimize cost. How should you run this reverse proxy?

Create a Cloud Memorystore for Redis instance with 32-GB capacity.

You are hosting an application on bare-metal servers in your own data center. The application needs access to Cloud Storage. However, security policies prevent the servers hosting the application from having public IP addresses or access to the internet. What should you do?

Using Cloud VPN or Interconnect, create a tunnel to a VPC in Google Cloud and use Cloud Router to create a custom route advertisement.

You want to deploy an application on Cloud Run that processes messages from a Cloud Pub/Sub topic. What should you do?

Create a service account, give the Cloud Run Invoker role to that service account for your Cloud Run application, and create a Cloud Pub/Sub subscription that uses that service account and your Cloud Run application as the push endpoint.

You need to deploy an application, which is packaged in a container image, in a new project. The application exposes an HTTP endpoint and receives very few requests per day. You want to minimize costs. What should you do?

Deploy the container on Cloud Run.

You are creating a production project and want to have the same IAM roles on the new project, using the fewest possible steps. What should you do?

Use gcloud iam roles copy and specify the production project as the destination project.

You need a dynamic way of provisioning VMs on Compute Engine, following Google's recommended practices. Which method should you use?

Deployment Manager

You have a Dockerfile that you need to deploy on Kubernetes Engine. What should you do?

Create a Docker image from the Dockerfile and upload it to Container Registry. Create a Deployment YAML file to point to that image. Use kubectl to create the deployment with that file.

Your development team needs a new Jenkins server for their project, deployed in the fewest steps possible. What should you do?

Use GCP Marketplace to launch the Jenkins solution.

You need to update a deployment in Deployment Manager without any resource downtime. Which command should you use?

gcloud deployment-manager deployments update --config

You need to run an important query in BigQuery expecting a large record return. How can you estimate the cost using on-demand pricing?

Use the command line to run a dry run query to estimate the bytes read.

You have a single binary application that you want to run on Google Cloud Platform, scaling based on CPU usage. What should you do to ensure operationally efficient scaling?

Create an instance template and use a managed instance group with autoscaling configured.

You want to use GCP service costs from three projects to create estimates by service type daily and monthly for the next six months. What should you do?

Export your bill to a BigQuery dataset and write time window-based SQL queries for analysis.

You have a Linux VM that must connect to Cloud SQL using a specific service account. How can you ensure the VM uses this service account instead of the default Compute Engine service account?

Download a JSON Private Key for the service account, then add it to Project Metadata as the compute-engine-service-account key.

To follow Google-recommended practices, what should you do when a new instance needs access to the application?

Create a subnetwork in the same VPC, in europe-west1. Create the new instance in the new subnetwork and use the first instance's private address as the endpoint.

How can you quickly disable logs to reduce costs for a development GKE container?

Go to the Logs ingestion window in Stackdriver Logging, and disable the log source for the GKE container resource.

What should you do to ensure the available capacity does not decrease during the deployment of a new version of a web application in a managed instance group?

Perform a rolling-action start-update with maxSurge set to 1 and maxUnavailable set to 0.

Which storage solution should you use for an application that needs to scale with user growth with minimum configuration changes?

Cloud Spanner

How can you ensure that only the finance team is able to link projects to the billing account in Google Cloud?

Assign the finance team only the Billing Account User role on the billing account.

What should you do to enable a Compute Engine instance in a separate VPC to connect to an application on GKE with minimal effort?

Create a Service of type LoadBalancer in GKE, use the application's Pods as backend, and configure the Compute Engine to use the load balancer's address.

How should you implement a cost-effective approach for retaining audit log files for 3 years in a financial company with hundreds of Google Cloud projects?

Create an export to the sink that saves logs from Cloud Audit to a Coldline Storage bucket.

Study Notes

Managing Google Cloud Resources

  • To manage a large number of instances on Compute Engine, each member of the operational team needs administrative access to the servers. The recommended approach is to ask each member of the team to generate a new SSH key pair, add the public key to their Google account, and grant the compute.osAdminLogin role to the Google group corresponding to the team.
  • When creating a custom VPC with a single subnet, the recommended subnet range is 10.0.0.0/8 to ensure the largest possible range.

Relational Data on Google Cloud Platform

  • For a cost-effective solution for relational data on Google Cloud Platform, consider selecting and configuring Cloud SQL (MySQL) with binary logging enabled to support point-in-time recovery.

Load Balancing and Autohealing

  • To configure autohealing for network load balancing for a group of Compute Engine instances, create a managed instance group and set the Autohealing health check to healthy (HTTP).
  • Use separate health checks for load balancing and autohealing, as they serve different purposes: load balancing detects unresponsive instances and directs traffic away, while autohealing detects and recreates failed instances.

Kubernetes Engine Cluster Configurations

  • To review a configured Kubernetes Engine cluster of an inactive configuration, use gcloud config configurations describe and kubectl config get-contexts to list the available contexts, then kubectl config use-context and kubectl config view to review the output.

Storage Options

  • For disaster recovery purposes, use Coldline Storage to store application backup files, as it is the recommended storage option for infrequently accessed data.

Billing and Organization

  • To centralize projects under a single billing account, move all projects to the root organization, and then create a new billing account and set up a payment method.
  • Contacting [email protected] with bank account details or creating a ticket with Google Support is not necessary.

Networking and Compute Engine

  • To deploy a licensing server on Compute Engine, reserve the IP address 10.0.3.21 as a static internal IP address using gcloud, and assign it to the licensing server.
  • To ensure that the application can reach the licensing server, do not change the configuration of the application.

App Engine Scaling

  • To scale instances based on request rate, use Automatic Scaling with min_idle_instances set to 3, ensuring that at least 3 unoccupied instances are available at all times.

IAM Roles and Permissions

  • To copy IAM roles from one project to another, use gcloud iam roles copy and specify the production project as the destination project.
  • To create a new role from an existing role, use the 'Create Role from Role' functionality in the Google Cloud Platform Console.

Deployment Manager

  • To deploy a Docker image on Kubernetes Engine, create a Deployment YAML file pointing to the image, and then use kubectl to create the deployment with that file.
  • Deployment Manager is the recommended method for provisioning VMs on Compute Engine, as it allows specifying all resources needed for an application using YAML syntax.

Jenkins and Kubernetes

  • To deploy a Jenkins server using the fewest steps possible, use the GCP Marketplace to launch the Jenkins solution.

BigQuery Pricing

  • To estimate the cost of running a query in BigQuery, use the command line to run a dry run query to estimate the number of bytes read, then convert that bytes estimate to dollars using the Pricing Calculator.

Autoscaling and Virtual Machines

  • To ensure that application scaling is operationally efficient and completed as quickly as possible, use a managed instance group with autoscaling configured, and create an instance template with the necessary settings.

Google Cloud Platform (GCP)

  • Instance template: Create a template and use it in a managed instance group to scale up or down based on time of day.

Cost Analysis

  • Service cost estimates: To create service cost estimates by service type, daily, and monthly, for the next six months, export the bill to a BigQuery dataset and write time window-based SQL queries for analysis.

Cloud Storage

  • Object lifecycle management: Set up a policy to move videos stored in a specific Cloud Storage Regional bucket to Coldline after 90 days and delete them after one year from creation using Age conditions with SetStorageClass and Delete actions.

Compute Engine

  • Service account: To connect a Linux VM to Cloud SQL, create a service account with the appropriate access rights and specify it under the 'Identity and API Access' section when creating the VM.
  • Connect to instance: To connect to an instance of SQL Server 2017 on Compute Engine, install a RDP client on the desktop, set a Windows username and password in the GCP Console, and verify that a firewall rule for port 3389 exists.

Deployment Manager

  • Template dependencies: To confirm that dependencies of all defined resources are properly met before committing a complex Deployment Manager template, execute the template against a separate project with the same configuration and monitor for failures, or use the "-preview" option in the same project and observe the state of interdependent resources.

Pipelines

  • Time-series data processing: To process time-series data, use Cloud Pub/Sub, Cloud Dataflow, Cloud Bigtable, and BigQuery.

App Engine

  • New project creation: To create a new project for a production environment, use gcloud to create the new project and then deploy the application to the new project.
  • IAM access audit logging: To configure IAM access audit logging in BigQuery for external auditors, add the auditors group to the 'logging.viewer' and 'bigQuery.dataViewer' predefined IAM roles.

Identity and Access Management (IAM)

  • Permissions: To set up permissions for a set of Compute Engine instances to enable them to write data into a particular Cloud Storage bucket, create a service account and add it to the IAM role 'storage.objectCreator' for that bucket.
  • Role-based access: To delegate control to colleagues to manage buckets and files in Cloud Storage, grant them the IAM role 'Storage Admin'.

Cloud Storage Buckets

  • Access control: To share an object in a Cloud Storage bucket with an external company, create a signed URL with a four-hour expiration and share the URL with the company.
  • Activity logging: To verify activities for a particular user for a Cloud Storage bucket, use the GCP Console to filter the Activity log.

Google Kubernetes Engine (GKE)

  • Cluster autoscaler: To ensure that each node of a GKE cluster runs a monitoring pod that sends container metrics to a third-party monitoring solution, deploy the monitoring pod in a DaemonSet object.

Cloud Pub/Sub

  • API enablement: To use Cloud Pub/Sub from an App Engine application, enable the Cloud Pub/Sub API in the API Library on the GCP Console.
  • Monitoring: To consolidate reporting under the same Stackdriver Monitoring dashboard for resources distributed over different projects, configure a single Stackdriver account and link all projects to the same account.

Configuring Stackdriver

  • To configure a single Stackdriver account for one project, create a Group and add other project names as criteria for that Group.
  • Each project will have its own workspace (Stackdriver account) linked to the active project.

Deploying an Application to a Compute Engine VM

  • To ensure an application runs at all times, but only a single instance of the VM should run per GCP project, set autoscaling to On, set the minimum number of instances to 1, and set the maximum number of instances to 1.

Verifying IAM Users and Roles

  • To verify IAM users and roles assigned within a GCP project, navigate to the project and then to the IAM section in the GCP Console and review the members and roles.

Creating a New Billing Account

  • To create a new billing account and link it with an existing Google Cloud Platform project, verify that you are the Project Billing Manager for the GCP project, create a new billing account, and link the new billing account to the existing project.

Service Accounts

  • To use a service account from one project to take snapshots of VMs running in another project, grant the service account the IAM Role of Compute Storage Admin in the project.

App Engine Application

  • To change the region of an App Engine application from us-central to asia-northeast1, create a new GCP project and create an App Engine application inside this new project, specifying asia-northeast1 as the region.
  • There can only be one App Engine application inside a project.

Granting Access to Cloud Spanner

  • To grant access for three users to view and edit table data on a Cloud Spanner instance, run gcloud iam roles describe roles/spanner.databaseUser, add the users to a new group, and add the group to the role.

Creating a New GKE Cluster

  • To ensure a new GKE cluster always runs a supported and stable version of Kubernetes, enable the Node Auto-Upgrades feature for the GKE cluster.

Load Balancing

  • To load balance an instance group and terminate the client SSL session, configure an HTTP(S) load balancer.

Uploading Data to Nearline Storage

  • To upload a large file to Nearline Storage rapidly, enable parallel composite uploads using gsutil.

Refactoring a YAML File

  • To refactor a YAML file to store a database password securely, store the database password inside a Secret object, and modify the YAML file to populate the DB_PASSWORD environment variable from the Secret.

Autoscaling

  • To properly maintain instance group sizes when autoscaling, increase the initial delay of the HTTP health check to 200 seconds.

Selecting Compute Resources

  • To minimize service costs for a set of batch processing jobs, select Compute Engine and use preemptible VM instances of the appropriate standard machine type.

Reverting an Application

  • To revert to a prior version of an application deployed to App Engine, on the App Engine Versions page, route 100% of the traffic to the previous version.

Deploying an App Engine Application

  • To find out why an App Engine application deployed to the wrong project, check the Google Cloud configuration used for deployment by running gcloud config list.

Configuring Compute Engine Instances

  • To configure Compute Engine instances for availability when maintenance occurs, create an instance template, set the 'Automatic Restart' to on, and set the 'On-host maintenance' to Migrate VM instance. Add the instance template to an instance group.
