Google Cloud Professional Architect Tutorial — Part 4 Of 6

Joseph Holbrook
Oct 27, 2020 · 7 min read

This section is focused on designing solutions that meet the business and technical requirements of stakeholders. Most of the focus is on the development of best practices.

It is important to go into the exam appreciating that Google defines best practices fairly clearly and that the exam will reference existing industry best practices for design and migrations.


Below I have summarized the objectives as efficiently as I could to provide you an efficient study resource.

4.1 Analyzing and defining technical processes

Objectives of 4.1 and the areas of coverage are.

The software development lifecycle (SDLC) is a well-documented framework that software development teams use to produce high-quality software in a systematic and cost-effective way.

The SDLC methodology is used by both large and small software organizations. These teams follow development models ranging from agile to lean to waterfall and others.

The software development lifecycle gives organizations a methodical, step-by-step approach to developing successful software. From gathering the initial requirements for a new product, through maintaining a mature product on the market, we’ll teach you how to employ SDLC.

A secure SDLC process incorporates essential security activities such as code review, penetration testing, and architecture analysis into the entire process from beginning to end.

A secure SDLC not only results in a more secure product but also enables early detection of vulnerabilities in the software. In short, a secure SDLC:

  • Creates massive efficiencies in software development
  • Reduces organizational risks
  • Is implemented starting in the design phase

Figure 1 shows the 5 steps of the SDLC lifecycle.

Figure 1 — SDLC Lifecycle


Google Container Registry provides secure, private Docker image storage on GCP. Container Analysis is a service that provides vulnerability scanning and metadata storage for software artifacts. The scanning service performs vulnerability scans on images in Container Registry, then stores the resulting metadata and makes it available for consumption through an API.

The Container Analysis API must be enabled first. Images built by Cloud Build are then pushed to Container Registry, which scans them automatically, and feedback on threats and issues is given to the user.


Binary Authorization is a service that allows only “attested” images to be deployed to the cluster. An attested image is one that has been verified or guaranteed by an “attestor”. Any unauthorized images that do not match the Binary Authorization policy are rejected as shown in the figure below.

Before we continue there are some terms to understand.

  • Container Analysis is an API that is used to store trusted metadata about our software artifacts and is used during the Binary Authorization process.
  • Attestor is a person or process that attests to the authenticity of the image.
  • Note is a piece of metadata in Container Analysis storage that is associated with an Attestor.
  • Attestation is a statement from the Attestor that an image is ready to be deployed. In our case, we will use an attestation that refers to the signing of our image.

To set up Binary Authorization, there are some tasks that need to be completed in the project hosting the Kubernetes cluster:

  • Enable the required APIs
  • Create a Kubernetes cluster that has Binary Authorization enabled
  • Set up a Note
  • Generate the PGP keys
  • Create an Attestor
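To make the terms above concrete, here is an added example (not from the original post and not Google's code) that models the admission decision Binary Authorization makes: an attestation is an attestor's signature over an image digest, and the policy's default rule, per-cluster rules and allowlist patterns decide whether the image may deploy. The policy field names follow the Binary Authorization policy YAML; the attestor secrets, image names and the HMAC stand-in for PGP signing are constructed assumptions.

```python
import fnmatch
import hashlib
import hmac
import json
# Constructed attestor secrets. A real attestor holds a PGP or PKIX key pair; an
# HMAC secret stands in for the asymmetric signature so this runs with stdlib only.
ATTESTOR_KEYS = {"build-attestor": b"constructed-build-secret",
                 "qa-attestor": b"constructed-qa-secret"}

def signature_payload(image_url, digest):
    """Canonical bytes the attestor signs; the digest (never a tag) pins the image."""
    body = {"critical": {"identity": {"docker-reference": image_url},
                         "image": {"docker-manifest-digest": digest},
                         "type": "atomic container signature"}}
    return json.dumps(body, sort_keys=True).encode()

def attest(attestor, image_url, digest):
    """An attestation: the attestor's signed statement that this digest may deploy."""
    sig = hmac.new(ATTESTOR_KEYS[attestor], signature_payload(image_url, digest),
                   hashlib.sha256).hexdigest()
    return {"attestor": attestor, "image": image_url, "digest": digest, "sig": sig}

def attestation_valid(att):
    key = ATTESTOR_KEYS.get(att["attestor"])
    if key is None:
        return False
    expected = hmac.new(key, signature_payload(att["image"], att["digest"]),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, att["sig"])

def admit(policy, cluster, image_ref, attestations):
    """Admission decision for one image reference; returns (allowed, reason)."""
    image_url, _, digest = image_ref.partition("@")
    for pat in policy.get("admissionWhitelistPatterns", []):  # exempt images
        if fnmatch.fnmatch(image_ref, pat["namePattern"]):
            return True, "allowlisted by " + pat["namePattern"]
    rule = policy.get("clusterAdmissionRules", {}).get(cluster, policy["defaultAdmissionRule"])
    if rule["evaluationMode"] == "ALWAYS_ALLOW":
        return True, "ALWAYS_ALLOW"
    if rule["evaluationMode"] == "ALWAYS_DENY":
        return False, "ALWAYS_DENY"
    if not digest:
        return False, "image must be referenced by digest, not by a mutable tag"
    present = {a["attestor"] for a in attestations
               if a["image"] == image_url and a["digest"] == digest and attestation_valid(a)}
    missing = set(rule["requireAttestationsBy"]) - present
    if missing:
        return False, "missing attestations from " + ", ".join(sorted(missing))
    return True, "all required attestations verified"
```

The same digest can pass on a dev cluster with one attestation and be rejected on a prod cluster that requires a second attestor, and a tampered attestation fails verification rather than silently counting.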

Figure 2 shows how Binary Authorization can be enabled in the GKE console creation process.

Figure 2 GKE Cluster Security

Image for post
Image for post

Binary Authorization from my experience was heavily tested and therefore I would advise you to memorize the terms such as attest and attestation as well as what Container Analysis is. Container Analysis and Binary Authorization could be confused on the exam.

When you're automating your CI/CD processes you would execute the standard tasks of building your app.

IAM policies per environment

Cloud Identity and Access Management (IAM) provides granular access to specific Google Cloud resources and prevents unwanted access to other resources.

IAM lets you control who (users) has what access (roles) to which resources by setting IAM policies.

  • A policy is a collection of bindings, audit configs, and metadata; each binding binds one or more members to a single role. Members can be user accounts, service accounts, Google groups, and G Suite domains.
  • A role is a named list of permissions; each role can be an IAM predefined role or a user-created custom role.

Cloud IAM policies can be written in JSON or YAML.

Note that the policy manages access to the resource itself as well as any child resources through policy inheritance.
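As an added illustration (not from the original post and not Google's code) of bindings, member types and policy inheritance, the following evaluates which roles a principal ends up with on a project when policies are set at the organization, folder and project levels, with one project per environment. The hierarchy, policies, group directory and the role-to-permission subset are all constructed.

```python
# Constructed resource hierarchy (child -> parent; the organization is the root),
# with one project per environment so bindings on dev never reach prod.
PARENT = {"projects/webapp-dev": "folders/dev", "projects/webapp-prod": "folders/prod",
          "folders/dev": "organizations/123", "folders/prod": "organizations/123",
          "organizations/123": None}
# Constructed allow policies per resource, in the shape gcloud prints as JSON:
# each binding ties one role to a list of members.
POLICIES = {
    "organizations/123": {"bindings": [
        {"role": "roles/viewer", "members": ["domain:example.com"]}]},
    "folders/prod": {"bindings": [
        {"role": "roles/storage.objectViewer", "members": ["group:sre@example.com"]}]},
    "projects/webapp-dev": {"bindings": [
        {"role": "roles/storage.objectAdmin", "members": ["user:bob@example.com"]}]},
    "projects/webapp-prod": {"bindings": [
        {"role": "roles/storage.objectAdmin",
         "members": ["serviceAccount:deploy@webapp-prod.iam.gserviceaccount.com"]}]},
}
# Constructed subset of each role's permissions (real roles carry many more).
ROLE_PERMISSIONS = {
    "roles/viewer": {"resourcemanager.projects.get", "storage.buckets.list"},
    "roles/storage.objectViewer": {"storage.objects.get", "storage.objects.list"},
    "roles/storage.objectAdmin": {"storage.objects.get", "storage.objects.list",
                                  "storage.objects.create", "storage.objects.delete"},
}
GROUPS = {"group:sre@example.com": {"user:alice@example.com"}}  # constructed directory

def member_matches(binding_member, principal):
    """Does a binding member (user:, serviceAccount:, group:, domain:) cover this principal?"""
    if binding_member == principal:
        return True
    if binding_member.startswith("domain:") and principal.startswith("user:"):
        return principal.split("@", 1)[1] == binding_member.split(":", 1)[1]
    if binding_member.startswith("group:"):
        return principal in GROUPS.get(binding_member, set())
    return False

def effective_roles(principal, resource):
    """Union of roles bound at the resource and every ancestor: allow policies only
    add access, so a project policy cannot revoke a role granted at the folder or org."""
    roles = set()
    while resource is not None:
        for binding in POLICIES.get(resource, {}).get("bindings", []):
            if any(member_matches(m, principal) for m in binding["members"]):
                roles.add(binding["role"])
        resource = PARENT[resource]
    return roles

def has_permission(principal, resource, permission):
    return any(permission in ROLE_PERMISSIONS.get(r, ()) for r in effective_roles(principal, resource))
```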

4.2 Analyzing and defining business processes

Objectives of 4.2 and the areas of coverage are

Stakeholder management — Stakeholders are the users or the application owners who generally are going to be concerned that their applications are either performing poorly or not at all. Set reasonable expectations of when the service should be back to normal, and communicate promptly and effectively.

You may want a code update to apply to only a subset of your users so that it is exercised realistically before you push it to your entire user base.

A version control system records changes to files stored in the system. These files can be source code, assets, or other documents that might be part of a software development project. Dev teams can make changes in groups called commits or revisions. Version control ensures that you have consistency (reproducibility) in your deployments and that you have a record (traceability) of your codebase changes.

Versioning also allows you to rebuild in a short amount of time without too much trouble. Other benefits include the ability to test, and to rapidly and efficiently promote updates from dev to staging to production.

Terraform is a great example of a solid tool that is used for this purpose.

You may also want to review the version control page that Google has provided.

https://cloud.google.com/solutions/devops/devops-tech-version-control

Make infrastructure changes safer

Sometimes things just do not go according to plan and therefore we need to make changes to the build or the deployment.

For example, Cloud Deployment Manager has a --preview flag you can use to preview changes before actually running the deployment.

Terraform, for example, shows you the plan so you can review it for incorrect changes and safely abort with no changes made to your infrastructure. You have the choice to proceed or not with "terraform apply".

An immutable infrastructure is one that is created once and does not change. This is a different way of thinking from the traditional approach, where updates and changes were commonly deployed on top of existing builds, operating systems, and applications.

Immutability can be achieved for example, by deploying your CI/CD pipelines to produce a completed image with the newer version of the application/code/config already deployed. Effectively, the image is ready to work when provisioned on a VM for example.

Spinnaker is a commonly used, comprehensive end-to-end build-and-deploy solution that provides for an immutable architecture.

Managing customer relationships is a critical role in being a Google Cloud Architect. As a cloud architect, you will need to understand the business requirements and then translate them into technical requirements.

For full exam objectives coverage, practice questions, and explanations please check out the Google Cloud Associate Cloud Architect -All in One Guide.


FREE Practice Exams

4.3 Developing procedures to ensure resilience of solution in production

Additional Practice exams are on Udemy.

https://www.udemy.com/google-cloud-certified-architect-practice-questions/learn/quiz/386948#overview

Joe Holbrook

TechCommanders


Originally published at https://thegcpgurus.com on October 27, 2020.
