Here is the complete list of Free Tutorials provided by TechCommanders.
- Exam Objectives — Designing and planning a cloud solution architecture (Part 1 of 6)
- Exam Objectives — Managing and provisioning a solution Infrastructure (Part 2 of 6)
- Exam Objectives — Designing for security and compliance (Part 3 of 6)(This Post)
- Exam Objectives — Analyzing and optimizing technical and business processes (Part 4 of 6)
- Exam Objectives — Managing implementation (Part 5 of 6)
- Exam Objectives — Ensuring solution and operations reliability (Part 6 of 6)
This section is focused on designing solutions that meet the business and technical requirements of stakeholders. Most of the focus is on the development of best practices.
It is important to go into the exam appreciating that Google defines best practices somewhat clearly and that the exam will reference existing industry best practices for design and migrations.
Below I have summarized the objectives as efficiently as I could to provide you with an efficient study resource.
4.1 Analyzing and defining technical processes
Objectives of 4.1 and the areas of coverage are.
The software development lifecycle (SDLC) is a well-documented framework that software development teams use to produce high-quality software in a systematic and cost-effective way.
The SDLC methodology is used by both large and small software organizations. These teams follow development models ranging from agile to lean to waterfall and others.
The software development lifecycle gives organizations a methodical, step-by-step approach to developing successful software. From gathering the initial requirements for a new product, through maintaining a mature product on the market, we’ll teach you how to employ SDLC.
Using a secure SDLC process incorporates essential security modules such as code review, penetration testing, and architecture analysis into the entire process from beginning to end.
A secure SDLC not only results in a more secure product but also enables early detection of vulnerabilities in the software.
- Creates massive efficiencies in Software Development
- Reduces Organizational Risks
- Implement in the Design Phase
Figure 1 shows the 5 steps of the SDLC lifecycle.
Figure 1 — SDLC Lifecycle
Google Container Registry provides secure, private Docker image storage on GCP. Container Analysis is a service that provides vulnerability scanning and metadata storage for software artifacts. The scanning service performs vulnerability scans on images in Container Registry, then stores the resulting metadata and makes it available for consumption through an API.
Once the Container Analysis API is enabled, images built by Cloud Build are pushed to the Container Registry, which automatically scans them. Feedback on threats and issues is then given to the user.
Notes are metadata in Container Analysis storage that are associated with an Attestor.
Binary Authorization is a service that allows only “attested” images to be deployed to the cluster. An attested image is one that has been verified or guaranteed by an “attestor”. Any unauthorized images that do not match the Binary Authorization policy are rejected as shown in the figure below.
Before we continue there are some terms to understand.
- Container Analysis is an API that is used to store trusted metadata about our software artifacts and is used during the Binary Authorization process
- Attestor is a person or process that attests to the authenticity of the image
- Note is a piece of metadata in Container Analysis storage that is associated with an Attestor
- Attestation is a statement from the Attestor that an image is ready to be deployed. In our case, we will use an attestation that refers to the signing of our image.
To set up Binary Authorization, there are some tasks that need to be completed in the project hosting the Kubernetes cluster.
- Enable the required APIs
- Create a Kubernetes cluster that has Binary Authorization enabled
- Set up a Note
- Generate the PGP keys
- Create an Attestor
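As an added example (not Google's implementation or code from the original post), the following Python models the admission decision that Binary Authorization makes against a policy like the one above: whitelisted images pass, images referenced by a mutable tag are rejected, and otherwise every attestor listed in the default rule must have signed the exact image digest. The attestor name, the policy and the HMAC stand-in for the attestor's PGP/PKIX signature are all constructed assumptions.

```python
import fnmatch
import hashlib
import hmac

# Constructed attestor key: in GCP an attestor holds a PGP or PKIX public key
# and the signer keeps the private half; HMAC stands in for that here.
ATTESTOR_KEYS = {"projects/demo/attestors/qa-attestor": b"qa-signing-secret"}

# Constructed policy, shaped like the YAML `gcloud container binauthz policy export` prints.
POLICY = {
    "admissionWhitelistPatterns": ["gcr.io/google_containers/*"],
    "defaultAdmissionRule": {
        "evaluationMode": "REQUIRE_ATTESTATION",
        "enforcementMode": "ENFORCED_BLOCK_AND_AUDIT_LOG",
        "requireAttestationsBy": ["projects/demo/attestors/qa-attestor"],
    },
}

def sign_attestation(attestor, image_digest):
    """The attestor signs one exact image digest (the payload of an attestation)."""
    sig = hmac.new(ATTESTOR_KEYS[attestor], image_digest.encode(), hashlib.sha256)
    return {"attestor": attestor, "sig": sig.hexdigest()}

def attestation_valid(att, image_digest):
    """Verify the attestation was produced by the named attestor for this digest."""
    key = ATTESTOR_KEYS.get(att["attestor"])
    if key is None:
        return False
    expected = hmac.new(key, image_digest.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, att["sig"])

def admit(policy, image_ref, attestations):
    """Return (admitted, reason) for an image the cluster is asked to run."""
    if any(fnmatch.fnmatch(image_ref, p) for p in policy["admissionWhitelistPatterns"]):
        return True, "whitelisted"
    rule = policy["defaultAdmissionRule"]
    if rule["evaluationMode"] == "ALWAYS_ALLOW":
        return True, "always allow"
    if rule["evaluationMode"] == "ALWAYS_DENY":
        return False, "always deny"
    if "@sha256:" not in image_ref:
        # A tag is mutable, so an attestation can only be bound to a digest.
        return False, "image must be referenced by digest, not tag"
    digest = image_ref.split("@", 1)[1]
    for attestor in rule["requireAttestationsBy"]:
        if not any(a["attestor"] == attestor and attestation_valid(a, digest)
                   for a in attestations):
            return False, f"missing attestation from {attestor}"
    return True, "all required attestations present"
```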
Figure 2 shows how Binary Authorization can be enabled in the GKE console creation process.
Figure 2 GKE Cluster Security
Binary Authorization from my experience was heavily tested and therefore I would advise you to memorize the terms such as attest and attestation as well as what Container Analysis is. Container Analysis and Binary Authorization could be confused on the exam.
When you're automating your CI/CD processes you would execute the standard tasks of building your app
IAM policies per environment
Cloud Identity and Access Management (IAM) provides more granular access to specific Google Cloud resources and prevents unwanted access to other resources.
IAM lets you control who (users) has what access (roles) to which resources by setting IAM policies.
- A policy is a collection of bindings, audit configs, and metadata; each binding binds one or more members to a single role. Members can be user accounts, service accounts, Google groups, and G Suite domains.
- A role is a named list of permissions; each role can be an IAM predefined role or a user-created custom role.
Cloud IAM policies can be written in JSON or YAML.
Note that the policy manages access to the resource itself as well as any child resources through policy inheritance.
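As an added example (not Google's code or code from the original post), the following Python works on IAM policies in the JSON shape that `gcloud projects get-iam-policy --format=json` returns. It computes a member's effective roles on a resource by applying the inheritance rule above (union of the resource's bindings and its ancestors' bindings) and flags bindings a reviewer should question before promoting a policy to an environment. The two sample policies, group and user names are constructed.

```python
BROAD_BASIC_ROLES = {"roles/owner", "roles/editor"}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample policies: a production project and its parent organization.
ORG_POLICY = {"bindings": [
    {"role": "roles/resourcemanager.organizationAdmin",
     "members": ["group:cloud-admins@example.com"]},
    {"role": "roles/viewer", "members": ["group:auditors@example.com"]},
]}
PROD_POLICY = {"bindings": [
    {"role": "roles/container.developer",
     "members": ["group:prod-deployers@example.com"]},
    {"role": "roles/editor", "members": ["user:alice@example.com"]},
    {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
]}

def effective_roles(member, policy_chain):
    """Roles a member holds on a resource, given the policies from that
    resource up through its ancestors (child policy first). Inheritance is
    additive: a grant on the parent cannot be revoked by the child policy."""
    roles = set()
    for policy in policy_chain:
        for binding in policy.get("bindings", []):
            if member in binding.get("members", []):
                roles.add(binding["role"])
    return roles

def risky_bindings(policy):
    """Bindings a reviewer should question: public principals, owner/editor
    grants, and individual user accounts where a per-environment group
    would be easier to audit and to revoke."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                findings.append((member, role, "public principal"))
            elif role in BROAD_BASIC_ROLES:
                findings.append((member, role, "broad basic role; prefer a predefined or custom role"))
            elif member.startswith("user:"):
                findings.append((member, role, "individual account; prefer a group"))
    return findings
```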
4.2 Analyzing and defining business processes
Objectives of 4.2 and the areas of coverage are
Stakeholder management — Stakeholders are the users or the application owners who generally are going to be concerned that their applications are either performing poorly or not at all. Set reasonable expectations of when the service should be back to normal and also communicate promptly and effectively.
You may want a code update to apply to only a subset of your users so that it is exercised realistically before you push it to your entire user base.
A version control system records changes to files stored in the system. These files can be source code, assets, or other documents that might be part of a software development project. Dev teams can make changes in groups called commits or revisions. Version control ensures that you have consistency (reproducibility) in your deployments and that you have a record (traceability) of your codebase changes.
Versioning also allows you to rebuild a deployment in a short amount of time without too much trouble. Other benefits revolve around the ability to test changes and to rapidly promote updates from dev to staging to production efficiently.
Terraform is a great example of a solid tool that is used for this purpose.
You may also want to review the version control page that Google has provided.
Make infrastructure changes safer
Sometimes things just do not go according to plan and therefore we need to make changes to the build or the deployment.
For example, Cloud Deployment Manager has a --preview flag you can use to preview changes before actually running the deployment.
Terraform, for example, lets you review the plan for incorrect changes and safely abort with no changes made to your infrastructure. You then have the choice to proceed or not with “terraform apply”.
An immutable infrastructure is one that is created once and does not change. This is a different way of thinking from the traditional approach, where updates/changes were commonly deployed on top of existing builds, OS, and applications.
Immutability can be achieved, for example, by having your CI/CD pipeline produce a complete image with the newer version of the application/code/config already deployed. The image is then ready to work as soon as it is provisioned on a VM, for example.
Spinnaker is a commonly used, comprehensive end-to-end build-and-deploy solution that supports an immutable architecture.
Managing customer relationships is a critical role in being a Google Cloud Architect. As a cloud architect, you will need to understand the business requirements and then translate them into technical requirements.
For full exam objectives coverage, practice questions, and explanations please check out the Google Cloud Associate Cloud Architect -All in One Guide.
FREE Practice Exams
4.3 Developing procedures to ensure resilience of solution in production — For full exam objectives coverage, practice questions, and explanations please check out the Google Cloud Associate Cloud Architect -All in One Guide.
Additional Practice exams are on Udemy.
Originally published at https://thegcpgurus.com on October 27, 2020.