GCP Associate Guide
1 - Setting up a cloud solution environment
1.1 - Setting up cloud projects and accounts
1.1.1 - Creating projects
1.1.2 - Assigning users to pre-defined IAM roles within a project
1.1.3 - Linking users to G Suite identities
https://support.google.com/cloudidentity/answer/7319251?hl=en
1.1.4 - Enabling APIs within projects
https://cloud.google.com/sdk/gcloud/reference/services
1.1.5 - Provisioning one or more Stackdriver accounts
https://cloud.google.com/monitoring/accounts
1.2 - Managing billing configuration
1.2.1 - Creating one or more billing accounts
1.2.2 - Linking projects to a billing account
1.2.3 - Establishing billing budgets and alerts
1.2.4 - Setting up billing exports to estimate daily/monthly charges
1.3 - Installing and configuring the command line interface (CLI), specifically the Cloud SDK (e.g., setting the default project).
Install
To set the project property in the core section, run:
$ gcloud config set project myProject
To set the zone property in the compute section, run:
$ gcloud config set compute/zone asia-east1-b
2 - Planning and configuring a cloud solution
2.1 - Planning and estimating GCP product use using the Pricing Calculator
2.2 - Planning and configuring compute resources
2.2.1 - Selecting appropriate compute choices for a given workload
2.2.1.1 - Compute Engine
"And Compute Engine is, basically, kind of everything else, or even all of those things if you want. It's VMs. So you have full control to do whatever you need to do to connect things together. It's also a really good fit for existing systems."
2.2.1.2 - Kubernetes Engine
Container Engine is a system of containers working together to solve your problems.
2.2.1.3 - App Engine
Get to know Google App Engine
"App Engine is focused on making your web code run extremely well. It's optimized for that. And it's code first kind of thinking."
2.2.2 - Using preemptible VMs and custom machine types as appropriate
# CREATE INSTANCE WITH 4 vCPUs AND 5 GB MEMORY
gcloud compute instances create my-vm --custom-cpu 4 --custom-memory 5

# ENABLE PREEMPTIBLE OPTION
gcloud compute instances create my-vm --zone us-central1-b --preemptible
2.3 - Planning and configuring data storage options
From blobs to relational tables: Where do I store my Data? (Google Cloud Next '17)
2.3.1 - Product choice
2.3.1.1 - Cloud SQL
Cloud SQL is a fully-managed database service that makes it easy to set up, maintain, manage, and administer your relational databases on Google Cloud Platform.
2.3.1.2 - BigQuery
A fast, highly scalable, cost-effective and fully-managed enterprise data warehouse for analytics at any scale.
BigQuery is Google's serverless, highly scalable, low cost enterprise data warehouse designed to make all your data analysts productive. Because there is no infrastructure to manage, you can focus on analyzing data to find meaningful insights using familiar SQL and you don't need a database administrator. BigQuery enables you to analyze all your data by creating a logical data warehouse over managed, columnar storage as well as data from object storage and spreadsheets. BigQuery makes it easy to securely share insights within your organization and beyond as datasets, queries, spreadsheets and reports. BigQuery allows organizations to capture and analyze data in real-time using its powerful streaming ingestion capability so that your insights are always current. BigQuery is free for up to 1TB of data analyzed each month and 10GB of data stored.
2.3.1.3 - Cloud Spanner
https://cloud.google.com/spanner/
The first horizontally scalable, strongly consistent, relational database service.
Cloud Spanner: The best of the relational and non-relational worlds
                 Cloud Spanner   Traditional relational   Traditional non-relational
Schema           Yes             Yes                      No
SQL              Yes             Yes                      No
Consistency      Strong          Strong                   Eventual
Availability     High            Failover                 High
Scalability      Horizontal      Vertical                 Horizontal
Replication      Automatic       Configurable             Configurable
2.3.1.4 - Cloud Bigtable
https://cloud.google.com/bigtable/
2.3.2 - Choosing storage options
https://cloud.google.com/storage/docs/gsutil/commands/mb
2.3.2.1 - Regional
Storing frequently accessed data in the same region as your Google Cloud DataProc or Google Compute Engine instances that use it, such as for data analytics.
2.3.2.2 - Multi-regional
Storing data that is frequently accessed ("hot" objects) around the world, such as serving website content, streaming videos, or gaming and mobile applications.
2.3.2.3 - Nearline
Data you do not expect to access frequently (i.e., no more than once per month). Ideal for back-up and serving long-tail multimedia content.
2.3.2.4 - Coldline
Data you expect to access infrequently (i.e., no more than once per year). Typically this is for disaster recovery, or data that is archived and may or may not be needed at some future time.

Storage Class | Characteristics | Use Cases | Price (per GB per month)*
Multi-Regional Storage | >99.99% typical monthly availability; 99.95% availability SLA*; Geo-redundant | Storing data that is frequently accessed ("hot" objects) around the world, such as serving website content, streaming videos, or gaming and mobile applications. | $0.026
Regional Storage | 99.99% typical monthly availability; 99.9% availability SLA*; Lower cost per GB stored; Data stored in a narrow geographic region; Redundant across availability zones | Storing frequently accessed data in the same region as your Google Cloud DataProc or Google Compute Engine instances that use it, such as for data analytics. | $0.02
Nearline Storage | 99.9% typical monthly availability; 99.0% availability SLA*; Very low cost per GB stored; Data retrieval costs; Higher per-operation costs; 30-day minimum storage duration | Data you do not expect to access frequently (i.e., no more than once per month). Ideal for back-up and serving long-tail multimedia content. | $0.01
Coldline Storage | 99.9% typical monthly availability; 99.0% availability SLA*; Lowest cost per GB stored; Data retrieval costs; Higher per-operation costs; 90-day minimum storage duration | Data you expect to access infrequently (i.e., no more than once per year). Typically this is for disaster recovery, or data that is archived and may or may not be needed at some future time. | $0.007
2.4 - Planning and configuring network resources
2.4.1 - Differentiating load balancing options
https://cloud.google.com/compute/docs/load-balancing/internal/
2.4.2 - Identifying resource locations in a network for availability
2.4.3 - Configuring Cloud DNS
https://cloud.google.com/dns/quickstart
3 - Deploying and implementing a cloud solution
3.1 - Deploying and implementing Compute Engine resources
3.1.1 - Launching a compute instance using Cloud Console and Cloud SDK (gcloud)
3.1.1.1 - assign disks
[--disk=[auto-delete=AUTO-DELETE],[boot=BOOT],[device-name=DEVICE-NAME],[mode=MODE],[name=NAME]]
3.1.1.2 - availability policy
3.1.1.3 - SSH keys
3.1.2 - Creating an autoscaled managed instance group using an instance template
You can create two types of managed instance groups:
• A zonal managed instance group, which contains instances from the same zone.
• A regional managed instance group, which contains instances from multiple zones across the same region.
3.1.3 - Generating/uploading a custom SSH key for instances
3.1.4 - Configuring a VM for Stackdriver monitoring and logging
3.1.5 - Assessing compute quotas and requesting increases
https://console.cloud.google.com/iam-admin/quotas?proje
https://cloud.google.com/monitoring/quotas
3.1.6 - Installing the Stackdriver Agent for monitoring and logging
https://cloud.google.com/monitoring/agent/install-agent
3.2 - Deploying and implementing Kubernetes Engine resources
Kubernetes Design and Architecture
3.2.1 - Deploying a Kubernetes Engine cluster
https://cloud.google.com/kubernetes-engine/docs/concepts/cluster-architecture
3.2.2 - Deploying a container application to Kubernetes Engine using pods
gcloud config set container/cluster [CLUSTER_NAME]
gcloud container clusters get-credentials [CLUSTER_NAME]
3.2.3 - Configuring Kubernetes Engine application monitoring and logging
https://kubernetes.io/docs/tasks/debug-application-cluster/logging-stackdriver/
gcloud beta container clusters update
kubectl get ds fluentd-gcp-v2.0 --namespace kube-system -o yaml > fluentd-gcp-ds.yaml
3.3 - Deploying and implementing App Engine and Cloud Functions resources
3.3.1 - Deploying an application to App Engine
3.3.1.1 - scaling configuration
https://cloud.google.com/appengine/docs/standard/python/how-instances-are-managed
The scaling type you assign to a service determines whether its instances are resident or dynamic:
• Auto scaling services use dynamic instances.
• Manual scaling services use resident instances.
• Basic scaling services use dynamic instances.
Manual scaling
A service with manual scaling uses resident instances that continuously run the specified number of instances irrespective of the load level. This allows tasks such as complex initializations and applications that rely on the state of the memory over time.
Automatic scaling
Auto scaling services use dynamic instances that get created based on request rate, response latencies, and other application metrics. However, if you specify a number of minimum idle instances, that specified number of instances run as resident instances while any additional instances are dynamic.
Basic scaling
A service with basic scaling uses dynamic instances. Each instance is created when the application receives a request. The instance will be turned down when the app becomes idle. Basic scaling is ideal for work that is intermittent or driven by user activity.
3.3.1.2 - versions
The recommended approach is to remove the version element from your app.yaml file and instead use a command-line flag to specify your version ID:
https://cloud.google.com/appengine/docs/admin-api/deploying-apps
gcloud app deploy -v [YOUR_VERSION_ID]
appcfg.py update -V [YOUR_VERSION_ID]
3.3.1.3 - traffic splitting
3.3.2 - Deploying a Cloud Function that receives Google Cloud events
3.3.2.1 - Cloud Pub/Sub events
3.3.2.2 - Cloud Storage object change notification events
https://cloud.google.com/functions/docs/calling/storage
3.4 - Deploying and implementing data solutions
3.4.1 - Initializing data systems with products
3.4.1.1 - Cloud SQL
3.4.1.2 - Cloud Datastore
3.4.1.3 - Cloud Bigtable
3.4.1.4 - BigQuery
3.4.1.5 - Cloud Spanner
3.4.1.6 - Cloud Pub/Sub
3.4.1.7 - Cloud Dataproc
3.4.1.8 - Cloud Storage
3.4.2 - Loading data
3.4.2.1 - Command line upload
3.4.2.2 - API transfer
3.4.2.3 - Import / export
https://cloud.google.com/sql/docs/mysql/import-export
https://cloud.google.com/sql/docs/postgres/import-export
3.4.2.5 - Streaming data to Cloud Pub/Sub
https://cloud.google.com/pubsub/docs/quickstart-cli
3.5 - Deploying and implementing networking resources
3.5.1 - Creating a VPC with subnets
3.5.1.1 - Custom-mode VPC
3.5.1.2 - Shared VPC
3.5.2 - Launching a Compute Engine instance with custom network configuration
3.5.2.1 - Internal-only IP address
[--enable-private-ip-google-access]
Enable/disable access to Google Cloud APIs from this subnet for instances without a public IP address.
3.5.2.2 - Google private access
https://cloud.google.com/sdk/gcloud/reference/compute/instances/create
[--private-network-ip=PRIVATE_NETWORK_IP]
3.5.2.3 - Static external and private IP address
[--address=ADDRESS | --no-address]
3.5.2.4 - network tags
[--tags=TAG,[TAG,...]]
3.5.3 - Creating ingress and egress firewall rules for a VPC
[--direction=DIRECTION]
If direction is NOT specified, then the default is to apply on incoming traffic. For incoming traffic, it is NOT supported to specify destination-ranges; for outbound traffic, it is NOT supported to specify source-ranges or source-tags.
For convenience, 'IN' can be used to represent ingress direction and 'OUT' can be used to represent egress direction.
DIRECTION must be one of: INGRESS, EGRESS, IN, OUT.
3.5.3.1 - IP subnets
[--source-ranges=CIDR_RANGE,[CIDR_RANGE,...]]
A list of IP address blocks that are allowed to make inbound connections that match the firewall rule to the instances on the network. The IP address blocks must be specified in CIDR format: https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing
If neither --source-ranges nor --source-tags are specified, --source-ranges defaults to 0.0.0.0/0, which means that the rule applies to all incoming connections from inside or outside the network. If both --source-ranges and --source-tags are specified, the rule matches if either the range of the source matches --source-ranges or the tag of the source matches --source-tags.
If neither --source-ranges nor --source-tags is provided, then this flag will default to 0.0.0.0/0, allowing all sources. Multiple IP address blocks can be specified if they are separated by commas.
[--destination-ranges=CIDR_RANGE,[CIDR_RANGE,...]]
The firewall rule will apply to traffic that has a destination IP address in these IP address blocks. The IP address blocks must be specified in CIDR format: https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing
If --destination-ranges is NOT provided, then this flag will default to 0.0.0.0/0, allowing all destinations. Multiple IP address blocks can be specified if they are separated by commas.
3.5.3.2 - Tags
[--source-tags=TAG,[TAG,...]]
A list of instance tags indicating the set of instances on the network to which the rule applies if all other fields match. If neither --source-ranges nor --source-tags are specified, --source-ranges defaults to 0.0.0.0/0, which means that the rule applies to all incoming connections from inside or outside the network.
If both --source-ranges and --source-tags are specified, an inbound connection is allowed if either the range of the source matches --source-ranges or the tag of the source matches --source-tags.
Tags can be assigned to instances during instance creation.
If source tags are specified then neither a source nor target service account can also be specified.
[--target-tags=TAG,[TAG,...]]
A list of instance tags indicating the set of instances on the network which may accept inbound connections that match the firewall rule. If both target tags and target service account are omitted, all instances on the network can receive inbound connections that match the rule.
Tags can be assigned to instances during instance creation.
If target tags are specified then neither a source nor target service account can also be specified.
3.5.3.3 - Service accounts
[--source-service-accounts=EMAIL,[EMAIL,...]]
The email of a service account indicating the set of instances on the network which match a traffic source in the firewall rule.
If a source service account is specified then neither source tags nor target tags can also be specified.
[--target-service-accounts=EMAIL,[EMAIL,...]]
The email of a service account indicating the set of instances to which firewall rules apply. If both target tags and target service account are omitted, the firewall rule is applied to all instances on the network.
If a target service account is specified then neither source tags nor target tags can also be specified.
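The direction, default and tag/service-account rules quoted above are easy to get wrong when typing a firewall rule by hand. The following is an added example (not from the study guide or Google's SDK) that models those rules: a rule is a dict keyed by the flag names without the leading dashes, normalize_rule() fills in the documented defaults or raises ValueError with the restriction that was violated, and review_findings() reports the two cases a reviewer should notice, a rule open to every source and a rule that targets every instance.

```python
"""Check a planned `gcloud compute firewall-rules create` flag set against the
direction, default and tag/service-account restrictions documented for it.

Added example, not from the study guide or from Google's SDK. Rule dicts use
the flag names without the leading dashes; list values hold the items that
would be comma-separated on the command line.
"""
import ipaddress

DIRECTION_ALIASES = {"IN": "INGRESS", "OUT": "EGRESS"}
OPEN_RANGE = "0.0.0.0/0"


def normalize_rule(spec: dict) -> dict:
    """Return a copy of spec with gcloud's defaults filled in, or raise ValueError."""
    rule = dict(spec)
    raw = str(rule.get("direction", "INGRESS")).upper()
    direction = DIRECTION_ALIASES.get(raw, raw)
    if direction not in ("INGRESS", "EGRESS"):
        raise ValueError("DIRECTION must be one of: INGRESS, EGRESS, IN, OUT")
    rule["direction"] = direction

    def has(flag):
        return bool(rule.get(flag))

    # Direction-specific restrictions.
    if direction == "INGRESS" and has("destination-ranges"):
        raise ValueError("--destination-ranges is not supported for ingress rules")
    if direction == "EGRESS" and (has("source-ranges") or has("source-tags")):
        raise ValueError("--source-ranges/--source-tags are not supported for egress rules")
    # Tags and service accounts cannot be mixed, in either position.
    if (has("source-tags") or has("target-tags")) and (
            has("source-service-accounts") or has("target-service-accounts")):
        raise ValueError("tags and service accounts cannot be combined in one rule")

    # Defaults: with neither source filter, ingress admits every source; egress
    # with no destination filter reaches every destination.
    if direction == "INGRESS" and not has("source-ranges") and not has("source-tags"):
        rule["source-ranges"] = [OPEN_RANGE]
    if direction == "EGRESS" and not has("destination-ranges"):
        rule["destination-ranges"] = [OPEN_RANGE]
    for flag in ("source-ranges", "destination-ranges"):
        for cidr in rule.get(flag, []):
            ipaddress.ip_network(cidr)  # ValueError on a malformed CIDR block
    return rule


def ingress_matches(rule: dict, source_ip: str, source_tags=()) -> bool:
    """Inbound match: source address in --source-ranges OR a tag in --source-tags."""
    addr = ipaddress.ip_address(source_ip)
    in_range = any(addr in ipaddress.ip_network(c) for c in rule.get("source-ranges", []))
    by_tag = bool(set(source_tags) & set(rule.get("source-tags", [])))
    return in_range or by_tag


def review_findings(rule: dict) -> list:
    """Points a reviewer should weigh before the rule is created."""
    findings = []
    if OPEN_RANGE in rule.get("source-ranges", []):
        findings.append("admits inbound connections from any source (0.0.0.0/0)")
    if not rule.get("target-tags") and not rule.get("target-service-accounts"):
        findings.append("targets every instance on the network (no target tags or "
                        "target service accounts)")
    return findings


if __name__ == "__main__":
    # Constructed rule: the minimal flag set someone might type in a hurry.
    rule = normalize_rule({"direction": "in", "allow": ["tcp:22"]})
    print(rule["source-ranges"], review_findings(rule))
```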
3.5.4 - Creating a VPN between a Google VPC and an external network using Cloud VPN
This diagram shows a simple VPN connection between your Cloud VPN gateway and your on-premises VPN gateway.
[VPN diagram: Cloud VPN gateway connected over the Internet to the on-premises gateway and network]
3.5.5 - Creating a load balancer to distribute application network traffic to an application
3.5.5.1 - Global HTTP(S) load balancer
3.5.5.2 - Global SSL Proxy load balancer
https://cloud.google.com/compute/docs/load-balancing/tcp-ssl/
3.5.5.3 - Global TCP Proxy load balancer
3.5.5.4 - Regional Network load balancer
3.5.5.5 - Regional Internal load balancer
3.6 - Deploying a solution using Cloud Launcher
https://console.cloud.google.com/launcher
3.6.2 - Deploying a Cloud Launcher marketplace solution
https://console.cloud.google.com/launcher
3.7 - Deploying an application using Deployment Manager
3.7.1 - Developing Deployment Manager templates to automate deployment of an application
https://github.com/GoogleCloudPlatform/deploymentmanager-samples
3.7.2 - Launching a Deployment Manager template to provision GCP resources and configure an application automatically
4 - Ensuring successful operation of a cloud solution
4.1 - Managing Compute Engine resources
4.1.1 - Managing a single VM instance
4.1.1.1 - start
https://cloud.google.com/sdk/gcloud/reference/compute/instances/start
4.1.1.2 - stop
4.1.1.3 - edit configuration
4.1.1.4 - delete an instance
4.1.2 - SSH/RDP to the instance
4.1.3 - Attaching a GPU to a new instance and installing CUDA libraries
You can attach GPUs only to instances with a predefined machine type or custom machine type that you are able to create in a zone. GPUs are not supported on shared-core machine types or memory-optimized machine types.
https://cloud.google.com/compute/docs/gpus/add-gpus
• [ACCELERATOR_COUNT] is the number of GPUs that you want to add to your instance. See GPUs on Compute Engine for a list of GPU limits based on the machine type of your instance.
• [ACCELERATOR_TYPE] is the GPU model that you want to use. See GPUs on Compute Engine for a list of available GPU models.
4.1.4 - Viewing current running VM inventory
4.1.4.1 - instance IDs
4.1.4.2 - details
4.1.5 - Working with snapshots
4.1.5.1 - create a snapshot from a VM
https://cloud.google.com/compute/docs/disks/create-snapshots
https://cloud.google.com/sdk/gcloud/reference/compute/disks/create
--source-snapshot=SOURCE_SNAPSHOT
A source snapshot used to create the disks. It is safe to delete a snapshot after a disk has been created from the snapshot. In such cases, the disks will no longer reference the deleted snapshot. To get a list of snapshots in your current project, run gcloud compute snapshots list. A snapshot from an existing disk can be created using the gcloud compute disks snapshot command. This flag is mutually exclusive with --image.
When using this option, the size of the disks must be at least as large as the snapshot size. Use --size to adjust the size of the disks.
4.1.5.2 - view snapshots
4.1.5.3 - delete a snapshot
4.1.6 - Working with images
4.1.6.1 - create an image from a VM or a snapshot
https://cloud.google.com/sdk/gcloud/reference/compute/images/create
4.1.6.3 - delete an image
4.1.7 - Working with instance groups
4.1.7.1 - set auto scaling parameters
https://cloud.google.com/compute/docs/autoscaler/
Managed instance groups and autoscaling
Managed instance groups support autoscaling so you can dynamically add or remove instances from a managed instance group in response to increases or decreases in load. You enable autoscaling and choose an autoscaling policy to determine how you want to scale. Applicable autoscaling policies include scaling based on CPU utilization, load balancing capacity, Stackdriver monitoring metrics, or by a queue-based workload like Google Cloud Pub/Sub.
Because autoscaling requires adding and removing instances from a group, you can only use autoscaling with managed instance groups so the autoscaler can maintain identical instances. Autoscaling does not work on unmanaged instance groups, which can contain heterogeneous instances.
For more information, read Autoscaling Groups of Instances.
4.1.7.2 - assign instance template
4.1.7.3 - create an instance template
4.1.7.4 - remove instance group
https://cloud.google.com/sdk/gcloud/reference/compute/instance-groups/managed/delete
4.1.8 - Working with management interfaces
4.1.8.1 - Cloud Console
4.1.8.2 - Cloud Shell
4.1.8.3 - gcloud SDK
4.2 - Managing Kubernetes Engine resources
4.2.1 - Viewing current running cluster inventory
4.2.1.1 - nodes
kubectl get nodes
4.2.1.2 - pods
kubectl get pods
4.2.1.3 - services
kubectl get services
4.2.2 - Browsing the container image repository and vi
4.2.3 - Working with nodes
4.2.3.1 - add a node
https://cloud.google.com/sdk/gcloud/reference/container/clusters/resize
gcloud container clusters resize [CLUSTER_NAME] \
    --node-pool [NODE_POOL] \
    --size [SIZE]
4.2.3.2 - edit a node
4.2.3.3 - remove a node
4.2.4 - Working with pods
4.2.4.1 - add pods
4.2.4.2 - edit pods
4.2.4.3 - remove pods
4.2.5 - Working with services
4.2.5.1 - add a service
4.2.5.2 - edit a service
4.2.5.3 - remove a service
4.2.6 - Working with management interfaces
4.2.6.1 - Cloud Console
4.2.6.2 - Cloud Shell
4.2.6.3 - Cloud SDK
4.3 - Managing App Engine resources
4.3.1 - Adjusting application traffic splitting parameters
4.3.2 - Setting scaling parameters for autoscaling instances
4.3.3 - Working with management interfaces
4.3.3.1 - Cloud Console
4.3.3.2 - Cloud Shell
4.3.3.3 - Cloud SDK
4.4 - Managing data solutions
4.4.1 - Executing queries to retrieve data from data instances
4.4.1.1 - Cloud SQL
4.4.1.2 - BigQuery
4.4.1.3 - Cloud Spanner
4.4.1.4 - Cloud Datastore
4.4.1.5 - Cloud Bigtable
4.4.1.6 - Cloud Dataproc
4.4.2 - Estimating costs of a BigQuery query
4.4.3 - Backing up and restoring data instances
4.4.3.1 - Cloud SQL
4.4.3.2 - Cloud Datastore
4.4.3.3 - Cloud Dataproc
4.4.4 - Reviewing job status in Cloud Dataproc or BigQuery
4.4.5 - Moving objects between Cloud Storage buckets
4.4.6 - Converting Cloud Storage buckets between storage classes
4.4.7 - Setting object lifecycle management policies for Cloud Storage buckets
4.4.8 - Working with management interfaces
4.4.8.1 - Cloud Console
4.4.8.2 - Cloud Shell
4.4.8.3 - Cloud SDK
4.5 - Managing networking resources
4.5.1 - Adding a subnet to an existing VPC
https://cloud.google.com/vpc/docs/using-vpc
Adding a new subnet to an existing VPC network
You can add a subnet to a region of an existing VPC network. The primary IP range of this new subnet cannot overlap the IP range of existing subnets in the current network, in peered VPC networks, or in on-premises networks connected via VPN or Interconnect.
You can optionally assign a secondary IP range to the subnet for use with Alias IP. The secondary IP range also cannot overlap the IP ranges of existing connected subnets.
gcloud compute networks subnets create [SUBNET_NAME] \
    --network [NETWORK] \
    --range [IP_RANGE] \
    --secondary-range [2ND_RANGE_NAME]=[2ND_IP_RANGE]
where
[SUBNET_NAME] is the name of the new subnet you are creating.
[NETWORK] is the name of the existing network where you are creating the new subnet.
[IP_RANGE] is the primary IP range of the subnet. Example: 192.168.0.0/20.
[2ND_RANGE_NAME] is the name of the secondary IP range you can optionally create.
[2ND_IP_RANGE] is the range of the secondary IP range you can optionally create. Example: 172.16.0.0/16.
4.5.2 - Expanding a CIDR block subnet to have more IP addresses
Expanding a subnet
You can expand the IP range of a subnet. You cannot shrink it.
Restrictions:
• The new subnet must not overlap with other subnets in the same VPC network in any region.
• The new subnet must stay inside the RFC 1918 address spaces.
• The new network range must be larger than the original, which means the prefix length value must be a smaller number.
• Auto mode subnets start with a /20 IP range. They can be expanded to a /16, but no larger.
gcloud compute networks subnets expand-ip-range [SUBNET_NAME] \
    --region [REGION] \
    --prefix-length [PREFIX_LENGTH]
[SUBNET_NAME] - the name of the subnet whose IP range you want to expand. You do not have to specify the network because the subnet and region together identify the network.
[REGION] - the region the subnet exists in.
[PREFIX_LENGTH] - the new numeric prefix length for the subnet. Must be smaller than the existing prefix length. For example, if the current subnet is a /24, the new prefix length must be 23 or smaller. This might change the first IP in the range. For example, if the original IP range was 10.128.131.0/24, specifying --prefix-length 20 sets the new IP range to 10.128.128.0/20.
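Because widening the prefix can move the first IP of the range, it is worth computing the resulting range and checking the four restrictions above before running expand-ip-range. The following is an added example (not from the study guide or Google's tooling) that does this with the standard library: expanded_range() reproduces the 10.128.131.0/24 to 10.128.128.0/20 case from the text, and check_expand() applies the restrictions against a list of the VPC's other subnets, which the caller supplies.

```python
"""Model the checks behind `gcloud compute networks subnets expand-ip-range`.

Added example, not from the study guide or from Google's tooling. Pure
standard library; other_subnets is the caller's list of the VPC's other
subnet ranges (the subnet being expanded is not included).
"""
import ipaddress

# RFC 1918 private address spaces the expanded range must stay inside.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def expanded_range(current: str, new_prefix: int) -> ipaddress.IPv4Network:
    """Range the subnet would have after widening to new_prefix.

    Widening may move the first IP: the network address is recomputed from the
    existing first IP under the shorter mask, which strict=False allows.
    """
    net = ipaddress.ip_network(current)
    return ipaddress.ip_network(f"{net.network_address}/{new_prefix}", strict=False)


def check_expand(current: str, new_prefix: int, other_subnets, auto_mode=False):
    """Return (ok, reasons, new_range) for a proposed expansion.

    new_range is None when the prefix is not a widening at all; otherwise it is
    the computed range even if other restrictions fail, so the reasons can be read
    against it.
    """
    net = ipaddress.ip_network(current)
    reasons = []
    if new_prefix >= net.prefixlen:
        reasons.append(f"prefix length {new_prefix} is not smaller than the current /{net.prefixlen}")
        return False, reasons, None
    new_net = expanded_range(current, new_prefix)
    if not any(new_net.subnet_of(space) for space in RFC1918):
        reasons.append(f"{new_net} leaves the RFC 1918 address spaces")
    if auto_mode and new_prefix < 16:
        reasons.append("auto mode subnets can be expanded to a /16 but no larger")
    for other in other_subnets:
        other_net = ipaddress.ip_network(other)
        if new_net.overlaps(other_net):
            reasons.append(f"{new_net} overlaps existing subnet {other_net}")
    return (not reasons), reasons, new_net


if __name__ == "__main__":
    # Constructed VPC: the subnet from the text plus two neighbours.
    ok, reasons, new_net = check_expand("10.128.131.0/24", 20, ["10.128.0.0/20", "10.128.130.0/24"])
    print(ok, new_net, reasons)
```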
4.5.3 - Reserving static external or internal IP addresses
4.5.3.1 - Reserving static external IP addresses
4.5.3.2 - Reserving static internal IP addresses
https://cloud.google.com/compute/docs/ip-addresses/reserve-static-internal-ip-address
4.5.4 - Working with management interfaces
4.5.4.1 - Cloud Console
4.5.4.2 - Cloud Shell
4.5.4.3 - Cloud SDK
4.6 - Monitoring and logging
4.6.1 - Creating Stackdriver alerts based on resource metrics
https://cloud.google.com/monitoring/custom-metrics/creating-metrics
Choosing a monitored resource type
Each of your metric's data points must include a monitored resource object. Points from different monitored resource objects are held in different time series.
You can use only the following monitored resource types in your custom metrics:
• gce_instance - Google Compute Engine instance.
• gke_container - Google Kubernetes Engine container.
• dataflow_job - Dataflow job.
• aws_ec2_instance - Amazon EC2 instance.
• global - Anything else.
A common practice is to use the monitored resource object that represents the physical resource where your application code is running. This has several advantages:
• You get better performance.
• You avoid out-of-order data caused by multiple instances writing to the same time series.
• Your custom metric data can be grouped with other metric data from the same instance.
If none of the instance-related resource types are appropriate, use global. For example, Google App Engine users should use global because the resource type gae_app is not permitted in custom metrics.
4.6.2 - Creating Stackdriver custom metrics
https://cloud.google.com/monitoring/custom-metrics/
https://cloud.google.com/monitoring/api/v3/metrics-details
4.6.3 - Configuring log sinks to export logs to external systems
4.6.3.1 - on premises
4.6.3.2 - BigQuery
4.6.4 - Viewing and filtering logs in Stackdriver
4.6.5 - Viewing specific log message details in Stackdriver
4.6.6 - Using cloud diagnostics to research an application issue
4.6.6.1 - viewing Cloud Trace data
4.6.6.2 - using Cloud Debug to view an application point-in-time
4.6.7 - Viewing Google Cloud Platform status
4.6.8 - Working with management interfaces
4.6.8.1 - Cloud Console
4.6.8.2 - Cloud Shell
4.6.8.3 - Cloud SDK
5 - Configuring access and security
5.1 - Managing Identity and Access Management (IAM)
5.1.1 - Viewing account IAM assignments
5.2 - Managing service accounts
5.2.1 - Managing service accounts with limited scopes
Best practices
In general, Google recommends that each instance that needs to call a Google API should run as a service account with the minimum permissions necessary for that instance to do its job. In practice, this means you should configure service accounts for your instances with the following process:
1. Create a new service account rather than using the Compute Engine default service account.
2. Grant IAM roles to that service account for only the resources that it needs.
3. Configure the instance to run as that service account.
4. Grant the instance the https://www.googleapis.com/auth/cloud-platform scope.
Avoid granting more access than necessary and regularly check your service account permissions to make sure they are up-to-date.
5.2.2 - Assigning a service account to VM instances
5.2.3 - Granting access to a service account in another project
5.3 - Viewing audit logs for project and managed service
Cloud Audit Logging returns two types of logs:
Admin activity logs: Contains log entries for operations that modify the configuration or metadata of a Compute Engine resource. Any API call that modifies a resource such as creation, deletion, updating, or modifying a resource using a custom verb falls into this category.
Data access logs: Contains log entries for read-only operations that do not modify any data, such as get, list, and aggregated list methods. Unlike audit logs for other services, Compute Engine only has ADMIN_READ data access logs and does not generally offer DATA_READ and DATA_WRITE logs. This is because DATA_READ and DATA_WRITE logs are only used for services that store and manage user data such as Google Cloud Storage, Google Cloud Spanner, and Google Cloud SQL, which does not apply to Compute Engine. There is one exception to this rule: instance.getSerialPortOutput does generate a DATA_READ log because the method reads data directly from the VM instance.
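The split described above (Admin Activity versus Data Access, and within Compute Engine data access only getSerialPortOutput counting as DATA_READ) is what a reviewer filters on when reading exported audit logs. The following is an added example, not from the study guide: it classifies Cloud Audit Logs entries by log name and method, and lists who read a VM's serial port. The entries are constructed samples in the LogEntry shape (logName plus an AuditLog protoPayload); the project, principals and resource names are placeholders.

```python
"""Sort Cloud Audit Logging entries for Compute Engine into Admin Activity,
ADMIN_READ data access and the single Compute Engine DATA_READ case, reads of
a VM's serial port output.

Added example, not from the study guide. SAMPLE_LOG holds constructed entries
in the Cloud Audit Logs LogEntry shape, one JSON object per line, with
placeholder project, principal and resource names.
"""
import json

ACTIVITY_SUFFIX = "cloudaudit.googleapis.com%2Factivity"
DATA_ACCESS_SUFFIX = "cloudaudit.googleapis.com%2Fdata_access"
COMPUTE_SERVICE = "compute.googleapis.com"
SERIAL_PORT_METHOD = "getSerialPortOutput"

# Constructed sample entries (not real log data).
SAMPLE_LOG = """
{"logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Factivity", "protoPayload": {"serviceName": "compute.googleapis.com", "methodName": "v1.compute.instances.insert", "authenticationInfo": {"principalEmail": "alice@example.test"}, "resourceName": "projects/example-project/zones/us-central1-b/instances/vm-1"}}
{"logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Fdata_access", "protoPayload": {"serviceName": "compute.googleapis.com", "methodName": "v1.compute.instances.list", "authenticationInfo": {"principalEmail": "bob@example.test"}, "resourceName": "projects/example-project/zones/us-central1-b/instances"}}
{"logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Fdata_access", "protoPayload": {"serviceName": "compute.googleapis.com", "methodName": "v1.compute.instances.getSerialPortOutput", "authenticationInfo": {"principalEmail": "bob@example.test"}, "resourceName": "projects/example-project/zones/us-central1-b/instances/vm-1"}}
{"logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Factivity", "protoPayload": {"serviceName": "compute.googleapis.com", "methodName": "v1.compute.firewalls.patch", "authenticationInfo": {"principalEmail": "alice@example.test"}, "resourceName": "projects/example-project/global/firewalls/allow-ssh"}}
"""


def parse_entries(text: str) -> list:
    """One LogEntry JSON object per non-empty line."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def audit_type(entry: dict) -> str:
    """ADMIN_ACTIVITY, ADMIN_READ, DATA_READ, DATA_ACCESS (other services) or UNKNOWN."""
    log_name = entry.get("logName", "")
    payload = entry.get("protoPayload", {})
    method = payload.get("methodName", "")
    if log_name.endswith(ACTIVITY_SUFFIX):
        return "ADMIN_ACTIVITY"
    if log_name.endswith(DATA_ACCESS_SUFFIX):
        if payload.get("serviceName") == COMPUTE_SERVICE:
            # Compute Engine data access is ADMIN_READ, except the one method
            # that reads data straight off the VM.
            return "DATA_READ" if method.endswith(SERIAL_PORT_METHOD) else "ADMIN_READ"
        return "DATA_ACCESS"
    return "UNKNOWN"


def triage(entries: list):
    """Count entries per audit type and list (principal, resource) for serial port reads."""
    counts = {}
    serial_reads = []
    for entry in entries:
        kind = audit_type(entry)
        counts[kind] = counts.get(kind, 0) + 1
        if kind == "DATA_READ":
            payload = entry["protoPayload"]
            serial_reads.append((payload["authenticationInfo"]["principalEmail"],
                                 payload["resourceName"]))
    return counts, serial_reads


if __name__ == "__main__":
    counts, reads = triage(parse_entries(SAMPLE_LOG))
    print(counts)
    for principal, resource in reads:
        print("serial port read:", principal, resource)
```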