Google Professional Cloud Developer – 1. Designing highly scalable, available, and reliable cloud-native applications Part 2

16. Test Tips Session Management

Now let’s talk about the test tip for Session Management. Now just be aware that there is going to likely be a question around this subject. The question is, what are you going to get for a question? Now, when I took the exam, it was mainly focused on knowing the differences in IAP handling. So be aware, understand, like non Ajax and Ajax based applications.

Also, go ahead and do a deep dive if you’re not familiar with what core restrictions are, or cores restrictions, I should say. For example, when we’re thinking about core restrictions, basically, which are cross origin resource sharing restrictions, basically what they’re doing is they’re restricting resources essentially on an application, a web page, for example. And if you have a cross domain issue, that may of course cause some restrictions. For example, if you have a server and the client on both sides, basically, and they’re different domains, then this will restrict basically by cores rules, a restriction in most cases.

Again, it depends on how you’re setting up your environment. But basically, if you’re not familiar with cores, take a quick look at that and understand how that plays in cross origin resource sharing is something that has definitely been on the exam when I took it. And if you’re not familiar with what they are, that can really be confusing. So try to understand cloud IAP cross origin restrictions as well. I’m assuming as a developer you’re more than familiar with it, but just in case, I wanted to just refresh your memory to go ahead and take a look at that. Look into that if you’re not familiar about a core restriction. Lastly, with Cloud Spanner, go ahead and make sure you understand their best practices with sessions. Cloud spanner is essentially a stateful service. Be aware of that as well. That’s the test tip for this session management section. Let’s move on.

17. Loosely coupled applications using asynchronous Cloud Pub/Sub events

Loosely coupled apps. Cloud pub sub. Now Cloud Pub sub is really focused on providing a really great tool for your experience in Google Cloud. Basically this tool is going to provide you to both resilient scalable, message oriented communication and this is really great especially for like microservices for example, or to set up a web hook, a trigger as well. Now it is really focused, for example, around when we speak about loosely coupled events component design.

It’s event driven. It’s enabled to reduce point to point connections. So we want to consider using Cloud Pub Sub for example. It is a publisher essentially and basically it works in a flow publisher event channel and then subscriber. When we think of Cloud Pub sub, we want to think about it from an architecture perspective as well, but also a developer perspective. It is a fully managed service and therefore we don’t need to do any work on the back end from a perspective of managing, for example, the storage or the queues or anything. What we want to worry about, for example, is setting up our topics, for example, and how to respond to events. Basically, Pub Sub allows up to 10,000 topics.
and you could send up to 10,000 messages per second from an architecture perspective. Cloud Pub sub, the servers run in multiple Google data centers. These are distributed around the world. So when you’re using Pub sub, you’re not specifying a region or zone or anything, you’re using a global service. And Google Cloud is going to handle this service for you so you don’t have to worry about pointing it to the right region. These topics, these messages I should say, are going to of course be handled appropriately by Google Cloud based on a lot of requirements in the back end that they have. So it’s a global service. There’s no need to be aware of the physical location of your servers that are being used for this and you can publish and subscribe from anywhere in the world. Now make a note though. Cloud Pub sub is divided into two primary parts. We have the data plane and the control plane. What I like to do now is go to a whiteboard first and then we’ll go to a demo after.

18. Demo Pub Sub

In this demo here, let’s go ahead and set up cloud Pub Sub. In other words, we’re going to go ahead and enable the API. We’re going to go ahead and create a topic and then create a subscription. So the first thing we want to do, of course, is to get our SDK environment the way we would want it. So let’s go ahead and do G Cloud in it. I’m going to go ahead and just and pick the current one I was on. And then we want to select the account that I want to use and then the project. So I’m going to go ahead and select the current project. I’m not going to worry about the region or anything. And now what I want to do is let’s go ahead and enable the API. Now, I believe I probably already enabled it, but let’s go ahead and enable it just in case. Okay, so it is enabled. Now what we want to do now is we need to go ahead and create basically a topic for Pub Sub. And the command to do that is and I’ll go ahead and show this to you here, let me just go ahead and put it that way, is g Cloud Pub sub topics Create and in this case, I’m just going to go call it Hello Pub Sub and that’ll go ahead and create that Pub sub topic.

And now the next thing we want to do is create a subscription for this topic. And to do that, I’m going to put in the syntax here and again, it would be right here g Cloud pub Sub subscriptions create topic and then Hello Pub Sub. We’ll go ahead and then also it’ll say down here, hello Pub Sub subscription. Then we’re going to go ahead and enter and that will go ahead and create that subscription. And you can see that it says Created subscription, and then the topic was created as well.

So from a Pub sub perspective, when we go in and decide to create a subscription and a topic, for example, this is a global service and we don’t need to worry about assigning a region or a zone. This is in our Google Cloud environment, which is actually quite nice to set up and not worry about what region and zone we’re using. So to sum up the demo, we essentially need to of course create a topic. We then create a subscription, and then we would of course tie in our services to create a message. One thing to keep in mind too, is that when we created message, it has a lifetime. That message again may not have been processed before. It expires a lot of things to keep in mind as well. We’ll be talking more about Pub Sub throughout the course.

19. Test Tips Cloud Pub Sub

Let’s talk about the test tips for Cloud Pub sub. The first thing we want to know is that it’s a managed global service. We do not need to worry about the region or zone or anything of that nature when we deploy Cloud Pub sub. The second thing to pay attention to is to understand that there’s two planes, the data and message plane. Be aware of why they’re use and what they’re for. Straightforward. But again, just be aware that there are two planes and not one or three. When it comes to commands, there’s going to likely be syntaxes for Cloud Pub sub.

How to set up a subscription on the exam. The beta exam I took there was certainly a command regarding basically Cloud Pub sub, so just be aware of the syntaxes. If you’re not familiar with Pub sub, go ahead and run through the demo that’s in the course, or go to a quick lab if that’s available to you, or just go to the docs and run it in the free tier, whatever makes sense. But the main thing about really getting a no club Pub sub is that it’s relatively easy to set up and there isn’t a whole lot to know about it. It’s all really handled for you in the back end. Let’s go ahead and move on.

20. Deploying and securing an API with cloud endpoints

API management. Let’s talk about how we can manage APIs on the GCP platform. Now we’re likely familiar with some of the options we could certainly use. Our own platform that we’re using now on Prem actually is a supported platform as well and also Google owned as well. So you have full support there. And then we have Cloud Endpoints as well. I’m going to go ahead and talk about Cloud Endpoints. We’ll talk about Apigee and then we’ll talk about which way should we go as far as the choices that we want to make on how we would manage our APIs on the platform. Now, Cloud Endpoints is perhaps probably the best way in a lot of cases for a lot of companies that are using Google Cloud to get on board Google Cloud and to get working as quickly as possible. However, again, it’s all about the right choice. Now Endpoints overall is a distributed API management system that comprises of run times and services and tools. The Endpoints of course provide management, monitoring and authentication as well and there’s components as well such as the ESP Service Control, the SDK Service Management as well. But anyways, for the exam though, we want to focus on a couple scenarios here. The first thing we want to be aware of is that Cloud Endpoints is an API gateway.

Cloud Endpoints is also in genex based as well and Cloud Endpoints are used to create a back end. For example, if we have mobile apps that we want to connect up to Google Cloud, we can certainly do that and tie that in, for example to load balancing to our proxy services. If we want, we can deploy our containers. We would of course decide for example as well. Do we want to use app engine? Flexible GKE. What is the scenario that we want to use now as part of a component? One of the things I did want to talk about is that there’s an ESP. Basically you have the Endpoint services and the ESP is an Ngenx based proxy essentially. And it runs basically in front of the back end. And when I go through the whiteboard I’ll talk more about this. But basically again, we need to have a way to connect the front end, which is our applications that are going to be tied into the cloud, to communicate with the back end. And we need service control. Service management. We of course have the choice as well to use open API. But anyways, there’s a whole suite here.

The goal of this module is to really just focus on what we want to know for the exam now, Cloud Endpoints supports of course open authentication. It supports Genius Firebase for those not familiar with. Firebase is really a platform meant for the mobile environment and we also have the ability as well to deploy this. Of course with App Engine Kubernetes, it’s fully tied in as well. And for example, here we would have a back end basically being tied in with cloud endpoints to App Engine. Now endpoints. Use the Google Protocol RPC remote procedure.

for http service calls. Now, the steps for basically getting this to work are as follows we want to know these stats at a high level. Now again, I’m not here to try to make you memorize stuff that you don’t need to memorize or want to memorize or whatever, but I’m just trying to make sure that we have the proper knowledge before we go into this exam. So we want to know the stats, we have to configure our application, we need to define the message classes, write the endpoint code and run and test the API. Now let’s look at it from this perspective. This is mainly focused for the RPC for web. Now, we can also use cloud endpoints for example, with open APIs and also other frameworks such as especially with App Engine, Java or Python. Now again, we don’t need to memorize everything below this. This is more or less for the exam.

To understand basically the steps from a development perspective, we would need to consider. Now when it comes to using an endpoint from a JavaScript client, basically we want to be aware of the steps. The first step is to include the Google hosted JavaScript client library. So basically we have to go out and get the proper libraries. Then we got to load our endpoint and then we would call the endpoint API. So that’s from a JavaScript client. And then here’s an example of code that we would load for JavaScript. Again, you can see that it references APIs, Google. com. And one more note about the JavaScript. For example, client on the exam, don’t get confused between the Java, the JavaScript clients and then we’ll be getting to the part of the course we’re going to talk about JWT. This is your JSON web token tokens that is. So the JWT is basically referenced in the documentation as well as on the exam. And we want to be aware that that’s a JSON web token. We would use a token for authorization. And essentially with cloud endpoints, basically you’re going to probably want to use a token and that token nine times out of ten would be the JWT token. Now again, when you’re using your token, we would have headers we have to validate. We also could install third party packages, so on and so on. We’ll be covering more about the token further on in the course. But just try not to get confused because one of the things on the exam, you may jump at the JavaScript, the Java clients, and then you’re not actually thinking that there’s a Java token as well, the JWT, that is the web token. Again, if your experience, this may not be a big deal, it’s just if you’re not super experienced, this stuff can be very confusing. Now let’s talk about apogee and endpoints and we’ll start comparing them.

First of all, we already know that Endpoints is an API management gateway. It’s going to help us deploy and manage APIs on our Google Cloud back end. These endpoints are running directly on Google Cloud platform. They also leverage, of course, the infrastructure as well. Endpoints also, as we know, has native hooks, so on and so on. And then when we’re having our apps on GCP, we of course are fully integrated into the Google ecosystem. Now, Apigee on the other hand, is a comprehensive management platform. It’s also a product of Google as well. They own it now and it was built for the enterprise. Apigee does have great deployment options on cloud, on premises or hybrid. So we’re getting down to the point to where we want to know the use case for Apigee versus cloud endpoints. Again, if we’re just deploying our apps on Google, cloud endpoints is probably going to be the best choice.

However, we may already be using Apigee, or maybe we want to tie in our AWS or Google Cloud and on prem services then Apigee would be the better choice in that situation. So Apigee again is much more flexible. It is really meant for that distributed API management approach that again will not really seep per se on cloud Endpoints. But with that said, Apigee also can be used for web back ends in and out of the cloud as well. Just a quick note there. Now, on the exam it was mainly focused on cloud endpoints. But if you’re see a note about Apigee on the exam, don’t be surprised. I just wanted to do a quick little discussion on Apigee in case you do see it. But mainly the focus was cloud endpoints. That of course may change at the time of writing, or after for that matter. Let’s go ahead and go to the demo and then go on to the test tips.

21. Demo Cloud Endpoints

Now, one of the areas for exam prep I’d recommend you do especially for the developer or the data architect exam is to go through the cloud endpoints quick start. And the reason is this will walk you through the process of setting up everything. And also as part of the process there is basically a GitHub repository clone with the sample app. It’s called essentially the airports app or something that nature. But with that said it’s got all that information to follow through. Basically the whole process doesn’t take more than 20 minutes and the reality is that they’re very simple commands. You run it in cloud shell or with the SDK, whatever you prefer. And most of the time though most of the 20 minutes is more just waiting around for the scripts to finish. For example, now what I want to do is go back here and I already went through this so let’s show you what you should see after you’re done.

If we go back to the Endpoint portal, I deployed my developer portal and if I click on this this will bring me to the portal. And this is the airport codes application that was deployed on app engine. And you could see that I have the guides, I have the airport name reference, basically very small app. I could execute this and you can see that it says no IATA code provided. Again we could add a string to it as well. You can play around with it, it’s pretty limited but again it’s meant just to walk you through the process. Now if I go back here to services you could see that I have one deployment. Now generally in case you haven’t deployed Endpoints before, you know that with Endpoints there’s nothing here you have to go in. Then over here the developer portal you have to create as well. And just be aware you need to get an application for this to be useful.

So this is a good start to get some data getting started and collected. Now if we go over here to APIs for example and also too if we see here I’m going to generate traffic you can see that right now it’s going to go ahead and start generating some packets so you can see that it’s starting to serve request. What we want to do now is go over to API and services and you can see that if I go down here you can see that I have the airport codes. This is private at this point and again I could start generating traffic. Now the reality is that this is going to take a little bit of time to update but eventually there will be traffic that will be shown in the graph. And again this brings me back to my airport codes endpoint.

With that said I’d recommend you go through the steps. So basically the steps are what we want to do is basically update our SDK. If we’re going to use that, then go through the next step, which is essentially downloading the GitHub and then go through the next step, which is configuring the scripts for the airport application. And then we would generate traffic. And also too, as part of this, if we go to the developer portal, if I go here to get to this point, you do actually need to authorize the endpoint service. So you’ll need to log back into your Google account, uses Google authentication, just be aware of that and it will log you into the developer portal. Within that said, let’s move on to the next exercise.

22. Test Tips -API Management

Let’s talk about the test tips for Cloud Endpoints. Now, the first thing we want to be aware of is that there are three options for using Cloud Endpoints and essentially we would use open API gRPC, or we could use Endpoints for App Engine. Now, App Engine and has two frameworks available, that is Java and Python. As far as authentication authorization, I should say the JWT token is going to be used. Now, we generally want to generate data for the client in JavaScript as well. And lastly, we want to know how to load an end point that is focused mainly on getting the proper library for JavaScript, loading the end point and then calling the API. So that’s the three steps that we want to memorize before we go into the exam. Now, let’s talk about do we use Apigee or do we use Cloud Endpoints? Now, generally the use case could be either depending on the scenario that you get on the exam, of course.

So when we read our case study or our question regarding endpoints with Google Cloud, what do we use? Generally we want to determine, does the customer, do they only use Google Cloud for their applications or are they using basically on perm services as well as maybe other cloud services like AWS? Apigee again, certainly would work. But on the other hand, there is somewhat better integration, especially with App Engine for the customer, if that makes sense. Generally we want to look at it from this perspective. If the customer is using Apigee already, makes sense to probably keep them there. On the other hand, if they’re just using Google Cloud for their applications in the cloud, then Endpoints would probably make more sense. Again, just go into the exam. Just be aware that this could come up. And with that said, let’s move on to the next subject.

23. Health checks

Let’s talk about help checks. Now a health check. We’re going to want to, of course, set up and monitor our cloud environment. Now generally as a developer you’re not really into monitoring and managing services a whole lot. However, this exam expects you to have that experience and I’ll be honest, a good amount of the exam and especially the last part of the objectives around monitoring and management for the course, which is Section Five, I think. But basically just be aware that there’s a lot here. Now this objective in the first part of the exam objectives is pretty light, but we just want to talk about a few things. First of all, we may need to monitor our resources when we deploy them. Some of the resources we may want to monitor would be, for example, our load balancing. We may also want to consider too what part of load balancing we want to monitor.

Is it, of course, the back end or the front end services? Again, we have to consider a few things there. When we monitor, we may want to set up what’s called a workspace. Now a workspace and Stackdriver is basically going to be a view I like to compare. It sort of like a project in Google Cloud where you may have your account set up and you have three or four projects. Each of those projects are buckets of resources. For example, now you create a workspace and monitor all your projects or create a workspace and only monitor some of your projects and resources.

So think of the workspace as a way to get a specific view and a way to also monitor and manage your resources. At the same time, we would go into Stackdriver and of course set up what is called an uptime check. Now a health check is an uptime check. This is one of the areas on the exam that I thought was a little bit confusing because some of the documentation refers to uptime, some of it refers to health check. But just be aware that an uptime check is a health check. That’s really the same thing. Here’s an example of how we could monitor, for example, our web services. For example, we could see their response by back end from cash, et cetera. Just one example.

We’ll be discussing this somewhat more in the Stackdriver section of the course. Here’s an example of how to set it up. And again, just be aware, for example, that health check is an uptime check. We would create this in the Stackdriver console or we could do this via Gcloud as well to set up a G cloud command. It’s simply Gcloud compute health checks, create the type of health check that we want to create and we could do it that way. We want to learn more about it. We go to this document here and there will be demos for Stackdriver. Because some of the these objectives are redundant. We’re going to cover Stackdriver in much detail in the last section of the course. Let’s go ahead and move on to the test tips and focus on what we want to know for this specific objective.

24. TestTips Healthchecks

As far as the test tips for health checks, we want to ensure we know how to set up and up time check. Go over to Stackdriver and set it up. Do it twice just to make sure you remember the steps. Then we want to know as far as the commands to set up in G Cloud as well on a VM. We then also wanted go and set up a workspace as well. Now this is commonly referred to as a dashboard a workspace. They seem to be referred to interchangeably sometimes, so I just wanted to make sure that you’re aware of that as well. And there’s a demo on that in the last part of the course so I hope to see you there as well. Let’s go ahead and move on.

25. Google-recommended practices and documentation

One of the areas on the exam that you really need to expect to be tested heavily on. And this is true for no matter what exam you take with Google, in reality, whether it’s the architect, the developer, data engineer, or even the specialized courses like the security to your network exams. Now the reality is that on the exam they don’t directly relate to best practices. What they do is they generally ask you to look at a question and solve a problem based on Google’s best Practices. The link for the Best Practices are here. Let’s go take a look at the website and I want to walk you through some highlights. This is the website for enterprise Best Practices. Now, what I would recommend before you take the exam, and this is true for this objective and any other objective that states Best practices, it will likely reference this page here. This is really the only page for best practices from Google. As far as cloud deployments, Google recommended best practices for enterprise customers. Now there are also some side pages and also some white papers that have best practices in them.

But this is really what you need for any Google exam. For example, you want to go through how to set up organizations and projects. And then I’d highly recommend you take a look at IAM management and understand how all of these work together to solve problems, cloud identity, G suite, et cetera. And then also to control access to resources, they have links. As part of this, go to the links that are listed, because again, this one page can account, depending on the exam that you’re taking, will easily account for 20% of the content. With that said, you need to really read this. Now here is an example. We recommend that enterprise customers create the following six groups. Again, check it out. Memorize these things. One of the things to pay attention to is also understand organizational policies and then networking and security, VPCs, VPCs and VPCs.

They really like to talk about VPCs and firewalls et cetera with it, but also to a lot of the questions. And again, this is true for any exam they really like to talk about. For example, if you have a VPC you want to customize your IP address range, what would you do? How would you handle this? If you want to deploy in one region or multiple regions. So from a networking perspective, we absolutely need to know the minimum, which is on this page right here. Firewall rules limit external access. One of the things that catches people is again through, for example, private Google access. If you’re not familiar with that, read the link. But basically the goal and again on the exams, generally the way they approach the best practices is they give you a scenario and they ask you to solve that scenario. You need to go into the Best Practices. Memorize these before you go to the exam.

And it really should really enable you to really focus on the areas of the exam, like case studies, if that’s applicable on the exam. For example, the developer exam, of course, has one case study. The architect has three. The data engineer has a few as well. So what I’m trying to get at is they generally don’t say, what is Google’s best practices? They like to round about in a way to make sure that you’re designing or solving a problem based on their best practices. And again, I could easily spend an hour talking about this. I won’t do that, I’m just going to move on. Just sort of providing insight into what you really want to know. And a lot of the content for the courses and exams come directly out of this web page. With that said, absolutely. Take a look at this page. And again, don’t be surprised if 20% of the content or so for the exam comes directly from this page. Let’s move on.

26. 1.2 Designing secure applications

One of the areas on the exam that you really need to expect to be tested heavily on. And this is true for no matter what exam you take with Google, in reality, whether it’s the architect, the developer, data engineer, or even the specialized courses like the security to your network exams. Now the reality is that on the exam they don’t directly relate to best practices. What they do is they generally ask you to look at a question and solve a problem based on Google’s best Practices. The link for the Best Practices are here. Let’s go take a look at the website and I want to walk you through some highlights. This is the website for enterprise Best Practices. Now, what I would recommend before you take the exam, and this is true for this objective and any other objective that states Best practices, it will likely reference this page here. This is really the only page for best practices from Google. As far as cloud deployments, Google recommended best practices for enterprise customers.

Now there are also some side pages and also some white papers that have best practices in them. But this is really what you need for any Google exam. For example, you want to go through how to set up organizations and projects. And then I’d highly recommend you take a look at IAM management and understand how all of these work together to solve problems, cloud identity, G suite, et cetera. And then also to control access to resources, they have links. As part of this, go to the links that are listed, because again, this one page can account, depending on the exam that you’re taking, will easily account for 20% of the content. With that said, you need to really read this. Now here is an example. We recommend that enterprise customers create the following six groups. Again, check it out. Memorize these things. One of the things to pay attention to is also understand organizational policies and then networking and security, VPCs, VPCs and VPCs.

They really like to talk about VPCs and firewalls et cetera with it, but also to a lot of the questions. And again, this is true for any exam they really like to talk about. For example, if you have a VPC you want to customize your IP address range, what would you do? How would you handle this? If you want to deploy in one region or multiple regions. So from a networking perspective, we absolutely need to know the minimum, which is on this page right here. Firewall rules limit external access. One of the things that catches people is again through, for example, private Google access. If you’re not familiar with that, read the link. But basically the goal and again on the exams, generally the way they approach the best practices is they give you a scenario and they ask you to solve that scenario.

You need to go into the Best Practices. Memorize these before you go to the exam. And it really should really enable you to really focus on the areas of the exam, like case studies, if that’s applicable on the exam. For example, the developer exam, of course, has one case study. The architect has three. The data engineer has a few as well. So what I’m trying to get at is they generally don’t say, what is Google’s best practices? They like to round about in a way to make sure that you’re designing or solving a problem based on their best practices. And again, I could easily spend an hour talking about this. I won’t do that, I’m just going to move on. Just sort of providing insight into what you really want to know. And a lot of the content for the courses and exams come directly out of this web page. With that said, absolutely. Take a look at this page. And again, don’t be surprised if 20% of the content or so for the exam comes directly from this page. Let’s move on.

27. Applicable regulatory requirements and legislation

Regulatory requirements. Now, this objective here is fairly short. From an objective point of view, it’s pretty what I would call vague. However, on the exam, I can tell you from that perspective, we do want to at least know a few things about how to handle compliance. And also we want to be aware of what GDPR is, but also where to find out information on how to get your cloud platform certified and ready to go around compliance, for example, reporting, et cetera. So we want to go over here to the compliance web page, take a quick look at that. If you haven’t, it covers the different compliance requirements that are supported. Basically, know what GDPR is, why it is important. Also understand compliance in the world. The cloud is essentially a shared responsibility.

Google is going to handle some things at the back end. You’ll need to follow the instructions to a T, basically to get your environment certified in that respect. Now, realize not every service is going to support this. I would of course, check out the GDPR page, for example, if that’s an area of interest. But before you go into the exam, know what GDPR is. It’s mainly focused on privacy for the European Union. However, there’s a wide net that accounts. With that said, do take a quick look at GDPR and when it comes to compliance requirements, we’ll go take a quick look at the web page here and I want to point out two things and then we’ll move on. Now I’m over here at the Google cloud compliance website around GDPR. What you may want to do is approach this two different ways. First of all, you don’t need to know the super details, the deep details I should say, about GDPR, but know what it is.

You’ll likely get a question around the aspect of GDPR. I can’t tell you exactly how I saw it just for test requirements. I won’t disclose exactly what you might see, but just be aware you want to know at least what GDPR is and a few other facets of it. But I would highly recommend if you do take the exam and again, this could be a give me question and we’re only looking at one or two questions around the exam or on compliance. But I would take a look at this reference guide now, click on the reference guide, check it out, and I want to just have you do two things. The first thing is understand what the business needs to do and also understand what Google has to do.

So basically that’s the first thing. So remember I had mentioned earlier that this is a shared responsibility model. Basically, it’s a collaborative effort. In other words, the services that you’re using Google Cloud are not going to be GDPR ready. You still need to do some things on your end and then over here will be the products that are supported. So if you go to google Cloud. Here are some of the services in Google Cloud and features that enable GDPR compliance and I would highly recommend you, again, take some time to understand what they’re coming from in this respect.

With that said, it is important to understand this for compliance purposes. And also too, do you understand with GDPR you’re going to need to have audits. You’re also going to have lots logging setup. You may need to create a sync with your logging. I’m going to talk more about logging and Stackdriver and syncs and all that fun stuff in the last part of the course, which is mainly focused on Stackdriver. So let’s go ahead and proceed on to the next module.

28. TestTips Regulatory Requirements

The main test tip for this module is really just focused on understanding what are the major compliance requirements in the US. And Europe. In reality, they don’t test you from what I’ve seen, nor in the objectives do they test you per se on any details of the compliance requirements. It’s more more on how we would approach compliance with Google Cloud. Which would be what? Through the implementation of audit logging? Through the implementation of best practices.

Again, if you do see anything related to compliance, chances are it would be more focused on GDPR or PCI. And it would just be like it would be more of an example if the customer wanted to implement GDPR or subjected to GDPR or is looking at having a mobile application that’s going to support credit cards, for example. And then if they say credit cards, then it would be subjected to PCI. But with that said, that’s about all that I had for this test tip. Let’s move on. You.

29. Security mechanisms that protect services and resources

Let’s talk about security mechanisms. Now, when it comes to managing security of your cloud infrastructure, just be aware that Google handles a lot of this for you. Now, the infrastructure that Google uses, of course, is really constrained in a couple of places. We have, of course, our technical constraints, we have our operational constraints, but also our software and our services constraints as well. When it comes to Google’s view of the world, they own the network and they own the infrastructure, and they, of course, want to secure that infrastructure. They support, for example, encryption at Rest, they support encryption in flight. They also have this chip called the Google titanship.

Now this chip is actually what establishes the root trust for all the machines. And essentially what this does is that it’s like to tertiary check during the boot up process and also the runtime environment. Essentially when you’re running your virtual machines validating that. Yes, this is actually the correct virtual machine and the image that should be running.

And it’s meant to also authenticate as well your data while it’s being processed on the virtual machine. Now there’s a whole white paper that goes through this. I’ll walk you through that in a second. And then as far as security mechanisms, there are many different ways to secure a data center your cloud environment. Some of the ways in Google cloud, of course, is through physical security. Google, of course, would handle that. And then a lot of the other facets around mechanisms that could be used would be mainly focused on AAA, which is essentially authentication authorization and access data encryption, firewall security scanner. Now security scanner, there is a separate module on that, a demo coming up as well. This is a really nice tool where developers use an app engine or compute engine, can actually scan for known vulnerabilities before they deploy their application services from development over to production or down the pipeline, binary authorization and data loss prevention as well.

Those are two things that are actually pretty useful as well for security mechanisms, and I’ll be talking about those as well. Now, one of the best practices is, of course, really being concerned with the principle of lease privilege. Generally, you don’t want to give access to someone that doesn’t need access. But it’s sort of like if you think about it from this perspective, if you have an auditor on site, they don’t need to have administrator access. They only really need, for example, to have access to app engine, maybe to view deployments or to Stackdriver, to view logs. There’s no need for deployment access for project level access or anything like that. Some of the other best practices are here. These are things I’d highly recommend that you memorize before taking the exam. And as I had mentioned earlier, the Titan chip. Now one of the aspects that sort of caught me off guard on the developer exam was discussions around how security is handled from a boot level perspective.

Now that’s something I would expect to see on perhaps the cloud engineer exam or the security exam, but not on the developer exam. So I wanted to bring this up. You want to go over here to the titanship. The easiest way to get to that is type in Google Cloud Titan chip and go over here. You can see there google Cloud Titan chip. The one you want to go to is the blog post. You could also look at the security key as well. And there is also a few other things here about what it is. But the main thing you want to look at is here. And the reason you want to look at this is this goes through what the titanship is, how it works. But we want to memorize the machine boot basics.

Now there’s four steps to this. We want to be aware that first of all, when we’re booting a machine, there’s a boot process that of course is fairly straightforward to remember. But we need to realize that the CPU will come out of a reset stage at the boot process. The CPU loads the firmware, and I’m not going to read this all to you, but just be aware that the next thing, number three, the firmware will then access the boot sector and then load a program called the bootloader. Then the next step and the final step before it’s booted is that there is basically some bootloader processes that are finished. The OS image is loaded in a memory and then there’s an execution phase that happens. Now, when it comes to secure boot with Titan, this sort of talks about how it works. You want to be aware of what titanship is, why it’s important, and know the boot processor also too. This talks about certificate, authority, signing, et cetera. I highly recommend you would read that to get an idea. It’s a very short post, let’s go ahead and move on.

30. TestTips Security Mechanisms

The main test tips that we want to know for this module are as follows we need to know what security mechanism to use and how or when, for that matter. Basically, do we use DLP or do we use binary authorization or do we use security scanner? We also want to know where they fit in. For example, Security Scanner is is used for a compute engine and app engine. However, for using containers, we may want to use binary authorization with Kubernetes engine when we’re considering preventing data losses.

For example, we may want to use the Data Loss Prevention API. This is going to scan our cloud storage or BigQuery tablespace, or we’re going to have it scan data store as well. And also do realize we could extend out the API as well. But when we review the exam content, we need to be very careful on how the questions are worded and just be aware of the security mechanisms and where they fit in. We’ll let’s move on.

• Category: Uncategorized