Identity Management

1. Identity Management

Welcome back. So let's talk about one of the more exciting areas of Google Cloud—that is identity and access management. Before we continue, it's important to understand that there are many different ways you can connect to a cloud service. There are plenty of third-party providers. There are plenty of resources by the provider. Typically, you can use your own resources, single sign on, open up, and do whatever you want. And we're going to focus mainly on what Google wants you to know. So again, I'm not trying to make you an expert in identity and access management, but I want you to be an expert enough to address the questions that you're going to get on the exam and understand how they're going to ask them. So let's cover what you want to know. OK, the first thing is an organisational node. Now, for those companies that do have the Google Cloud platform, great. For those companies that also have Google at work, for example, that's great too. But how do you deal with having disparate resources and getting them to sort of come together to be organised together? The way you want to do that is through what's called an organisational node. An organisational node is great, especially for a company that has a lot of projects and a lot of large projects as well. The organisational node will essentially take your company domain and place all projects in that domain under the realm of that domain so that the organisational admin has control over all resources. So if you're a large organisation and you have, let's say, 1200 Google at Work emails and you're using Google Drive and all these other features, how do you sort of tie that all together? Again, use an organisational note. To be able to set up an organisation, this is created by Google Sales. And again, you need to contact sales with Google or your partner that you're working with, Google Cloud. Now the G Suite super admins are going to be the ones that are going to be the organisational owners. So again, I'm going to repeat this. You have to go through GoogleSales to get an organisational node. You can't set it up on the console, you can't write a script, you can't develop a programme to do it. It has to go through Google sales. So the organisational owner is going to be the one that is going to assign the admin role. And again, Admin is also just for thought purposes, not for the test, which is really considered a separate product, and this gets more complex than it seems, to be honest. But again, it's effective, it works. I've seen it in action. It does take a little leeway time to get this working, but it will work. So that's an organisational note. Here is some text about it. Just again, remember, if you do have Google at work. This is a great solution to tie everything together so that you don't have to have people log in twice or multiple times. Let's talk about an IAM best practise using what's called the principal lease knowledge or least privilege. Again, principle, at least privilege. So what I mean by that is, again, you don't want to give access to people that really don't need it or the level of access that they don't need it. So you want to definitely use the principle of least privilege. So again, always use minimal access. You want to use groups, you want to control who can change what. You also want to audit. That's another thing you want to do. But, for the purposes of the test, the one thing I've highlighted is that I understand that Google Cloud Platform best practises recommend at least privileging SSO. What is SSO? Now again, we all probably know what it is, but it is a single sign on. So this basically allows you to use your own authentication mechanism and manage your credentials. So if you're running LDAP in-house and want to use that perfectly, go ahead. If you're using a third-party resource, feel free. If you have another credential system set up, great, use that. So again, you could federate your identities. That's again, what a lot of companies would like to do. So go ahead and use that. Now let's talk about what Google Apps directory sync is. Now, you're going to see this again I'm going to highlight this because again, this is an forgive me question if you just remember what it is. So the goal of using Google Cloud directory service is that, and again, you need to have this sort of put together and look at the support sheet. Again, it's not something you just do on your own, but you go ahead and definitely sync upyour directory services like LDAP or Active Directory. Now it is a secure tool, and again, do realise that it's going to synchronize. And again, your main point of directory service should still be your directory services. Again, this does not really mean that you use this as a primary, but it can be. But again, the goal is that you're going to just use this as a feature or a capability that is going to make your life easier. So again, if you do need to use Google's credential systems, again, that's your call. Again, let's just recap. You could use other SSOs, you could use Google App Directorysync, or you could use Google G Suite as well. So again, a couple of different options. The simplest way to do that is to log in and keep control of your cloud platform. This is actually just using your Google account. So again, if you have a G suite account, using that is the simplest way. Now, SSO is again a simple process. We all know that it is built on Sam'l Two. Google SSOis the only assertion that is used in the user name. So just be aware of that. So the assertion is what? That's basically a way to define the account information. Essentially, Again, I won't read this all, but again, SSO, we understand what that is. Now, again, almost done here. To put it simply, there are two roles in cloud identity management. You have what's called primitive roles, and you have curated roles. Now, primitive roles are basically the roles available in GCP. So these are the owner, editor, and viewer roles. And again, you get to sign them by default to projects. Primitive roles are a little bit broad. In other words, if you need something granular, then don't use primitive. If you need something more granular, use curated. So, curated roles are basically fine or grain. That's really what I want you to know. So, again, here's an example of a curated role. And so if it's a curatedrole, it will provide greater granularity. So you're going to list specific permissions based on what can be done. Can you delete it? Can you start a service or stop it? Et cetera. Now, another area on the test that you're going to get questions on is going to be around what is a service account and why do you want to use a service account. So a service account is basically a server-to-server account. That's really the way I want you to think about it. And I'm going to put that in there. And again, when you download the crib sheet, you're going to have all this printed out, so you could do the dump before you take the test. Now, a service account is going to authenticate applications running on your VMs to other GCP services. So if you want to write an app that's going to write files on GC storage, great, but it has to be authenticated to the storage API. And again, your developers are going to understand all this. As an architect, you may not totally understand why,if you're running a Google VM, you need to use an API to actually write to storage. So again, the goal of this is part of what I like to call micro segmentation. And that's exactly what it is. You're able to microsegment all your services, all your resources. And this is very powerful, but it's also very complex if you're not particularly sure how to put it together. So basically, if you have an application trying to write to storage, it's got to authenticate to the storage. And the way it does that is with an API, you're going to need credentials and so on and so forth. So what do you want to know for the test? Well, let me break this up nice and simply. What you want to know is that a service account is a server-to-server account. So to get a question on the test, here's sort of the way I remember this question. They're going to be saying, Joe Blow,the developer, is writing an application and he's using virtual machines and he's having troublebasically trying to write to Google Storage. What could be the issue? What would solve Joe Blow's problem? Basically, So again, you need to have a service account to authenticate to Google Storage, for example. So just be aware of that. And again, it's going to use those credentials to be able to do that. And lastly, as far as service accounts, just one more quick note is that the service account, again, you need to use the API. But again, just remember that your developers will be creating these Compute Engine instances and we'll need to again acquire the righttokens to be able to do this. This is again a little bit more time-consuming than what you would expect, but it needs to be done to make that work. So how is this all done? I mean, here's an example. The example down here, for example, you have a project here, you have the two components, and you have a storage bucket here. And so you have basically this bucket. That bucket for this application to write to needs to be authenticated. So basically, by default, all projects come with the service account. So, Compute Engine has a service account built in the default. When you start a new instance using Gcloud, the default service account is actually enabled. So again, it's not enabled by default on the console because, again, it just assumes that you're using the console for a different reason. So if you need to enable the service account for that specific instance, you need to use Gcloud. Apart from the default service account, there are, of course, APIs, and you can download the APIs from the download section. It's all right there. And what's cool is when you go into the console to configure this, it actually just brings you the APIs to download if you need them. So it sort of works you through that. So then you identify a project number and then it has, for example, this would be for example, CloudServices at Gservice account.com. Again, the project number will facilitate this. Okay, what about permissions? So if you have a service account, the default permissions are going to support primitive and curated. So it's really up to your app developers to be as granular as possible. Remember, the least privilege, you're going to want to basically create the service account with only what they really need. So, for example, if the service account only needs to drop files in a bucket, great. Don't give it the right permission. In other words, edit or anything like that, that isn't there. If all you're going to do is drop files into an abucket, that's fine; that's all you need to do. Don't allow it to delete or remove those files. For example, Again, permission. Just pay attention to the permissions. And that's about all that I have. Let's move on to the next subject area.

2. Cloud Identity Proxy

Hello cloud architects. This is not on the exam, this is just a new feature that has been rolled out. I've not seen it on the exam, so you won't be tested on it. But I did want to take a minute to just sort of talk about what it is and maybe why you want to use it, because this is actually a very good solution now from what it appears. So again, this is essentially what is called Cloud Identity. Now, Cloud Identity basically is an ability to secure basically all these online identities and enforce them with multifactor authentication. Again, there are a lot of good capabilities built into it and it is built into the Google Cloud platform as well. So if we go over to the identity and access management admin area, you'll see that it's in beta. So basically, this is brand new and again, this is going to allow you to use the app engine and cloudload balancing as well, which is actually very cool. It provides developers with a little more flexibility and makes it easier for them to incorporate some additional feature-rich application capabilities. So again, it seems like a good deal. It seems like it could be really useful. Now to get this going, you need to basically select this,turn it on, configure the consent screen and first I got to do that, and then again, you want to, and what's cool too is that you could put your company logo here, turn it on, put in your domain and everything as well. And so, for example, you could actually set this up to, again, use a company service that's already been developed and just customise it to integrate with Google Cloud fairly seamlessly. So again, you have to consent, saying again, that you realise that your private data may be used with the open authentication services that are used. So again, feel free to take a look at that. I thought that was pretty neat. Again, this is called Identityaware Proxy and it's under which I am an admin. Let's continue on to the next here.

Managing Your Resources

1. GCP Cloud Resource Manager

Welcome back. So let's go and talk about resource management and organisational needs. Now you'll get a question that will, of course, ask you about how to manage identities and impolicies from a hierarchical perspective. And you want to know that the best solution for that is going to be the Cloud Resource Manager. Now basically, IAM policies are generally going to be inherited from the top down, so basically down this way. And so, basically, trying to understand how projects are affected by the GCP organisation could also be important as well. And then under projects you have resources like storage and the BigQuery, as well as virtual machines, et cetera. So basically, what you can do is essentially set policies that are going to be at the organisational level, project level, or at the individual resource level. So, when you set up usage policies, access policies, or whatever you want to call them, keep in mind that there are several ways to do so. However, when it comes to billing, it is more of a bottom-up approach. And so, if you're using a resource, it'll be billed to the project. But then if the projects are billed to the organization, that's essentially what you want to know from that perspective. So again, just remember, Cloud Resource Manager is hierarchical, so it's basically up and down or down and up. In essence, getting an organisation is not something you can do online. You do need to call or contact your Google sales folks, whoever that may be. This is an option where again, if you're a large company that might have many different deployments of the Google Cloud, then setting up an organisation could be a good decision, especially if you want to control spending or understand who's doing what. Again, we'll talk more about projects and resources here in a minute. In the next module, an organisation node Now again, this is something that would come back again with the sales team. Usually, to get the resource manager set up, you definitely want to have an organisational note, and again, this is a node for Google Cloud resources, and it could be either an organisation admin or it could be a project creator. Now again, you could create a project in the Google Cloud but an organisation. That's a different story. And so there are a couple of notes about resources. For example, resources are organised hierarchically. Again, we just mentioned that with Cloud Resource Manager, an organisation is the root node. So do know that as well. Let me highlight that because I think that's important to know. And then under that, which is under all the projects and folders, and they're essentially the children, you can set accesscontrols and configs based on the parent resource. Again, I'm not going to read this to you; it'll be in the notes you can download when you're done with the course. The Google cloud platform provides resource containers such as organizations, folders, and projects. So again, there are many ways to manage resources, billing, et cetera. Again, just have an idea that you've got Cloud Resource Manager. That is essentially how you could set up a GCP organisation and then manage all of your projects and resources through it.

2. GCP Resources - Zonal, Regional and Multi-Regional

Welcome back. Let's go ahead and talk about resources in the Google Cloud platform, specifically managing resources in the Google Cloud platform. Now there's a fair amount of, I guess, things to really understand and correlate for the exam around resources. And so some of the questions you're going to get will be mainly focused on what resources go where and can you migrate this resource from this zone to that zone or from this region to that region. So let's discuss the three types of resources in the Google Cloud platform. The first is global, the second is regional, and the third is zone or zonal. So here's a good diagram that shows you how the hierarchy is in GCP. So, if you look over here, you'll notice that there are global resources, regional resources, and zonal resources. So if you go back to the previous few modules,you'll see the GCT networks and regions demo I did that showed you how that's all lined up. So take a look at that again, make sure you understand it. Some of the questions on the exam will ask you if you can move resources from this region to this region, let's say. And again, it all depends on the type of resources. So you can't move a disc from one zone to another, but you can move an image that's different. An image is a global resource. So you need to understand the types of images and all that as far as not just images but resources like networking and everything like that as well. And let me turn off my email. Now as far as the sources go, let's go ahead and confirm a few things. So you see, here you have global resources,so images, snapshots, networks, those are global resources. And then if you have like an external IP address, we'll talk about external and internal IPS because they're very different and there's a lot of confusion over that. So, for example, an external IP address has to be correlated to an internal IP address, and so we'll talk more about that in the networking sections, and then Zona would be instances and discs as well. And you can see that you've got a correlation to a project, and so you have what's called the physical organisation and the logical organization. So let's go over and talk about what a global resource is. Global resources are accessible by any resource in any zone within the same project. Remember that you do not need to provide a scope specification for any of these when creating a globalresource. So again, an image, you create an image, or if it's a Google Predefined image, then again, that can be imported to another region or zone snapshots. As a result, you could recover a snapshot from anywhere. And then also to the virtual private cloud network, which is a global resource as well. But again, subnets are regional now on the test. Rest assured you will see a question that is going to ask you about moving virtual machines, moving networks, and a few other resources, and you will need to know what those are and whether you can move a subnet from one region to another. And the answer is no. Again, you could recreate that, but you can't just move it, unlike an image or something of that nature. Firewalls So firewall rules again apply to the network, but again, they're still considered a global resource. Routes and then global operations I won't read all this to you. Again, just take a few minutes before you take the test to make sure that you do understand the differences between resources. It's very important. Now, a regional resource, this is going to be a resource again that is in a specific region. So, for example, in the Americas, if you have a resource in the Americas and that's an international resource, it stays in the Americas. You can't just move it to Asia, for example. So what are some examples of regional resources? So again, you've got addresses. If you have an external IP address, now that's a static IP. So for example, in GCP, you need to go get an external IP. If you need to route outside of your GCP instances,you need to go get an external IP. And that IP is essentially considered a regional resource, a subnet, again, subnet and regional operations, and a zone resource. So a zone, for example, if you get something in Iowa, you just can't move it to another zone, even if it's in the same region. And what are some of these resources, for instance? So again, an example would be a virtual machine instance, a disk. So that disc essentially is a physical resource that you're using in a lot of cases, and you just can't attach that to another instance in another zone. machine types. Machine types are per zone resources. And lastly, again, operations. So let's go ahead and talk about quotas. Now, quotas are essentially important to understand in the sense that a quota is used to protect not only you but also other customers as well as Google. The goal of a quota is to make sure that you don't have a rogue user or just someone not paying attention,using up more resources than what is really needed. In a lot of cases, this should prevent runaway consumption, billing spikes, and therefore should enforce sizing conditions or consideration. So how do you check your quota? You go over to the console, or go use Gcloud as well. You don't need to know anything for the test, just as FYI labels. Now, a label is again another area that there is some confusion over initially because labels and tags were sort of what I recall, not well planned out. I guess that is a good way to look at it because, again, a lot of people confuse a label and a tag as the same thing. In reality, they're actually two different things. But again, initially, when he created a tag, it created a label. And then if you create a label,a tag is created as well. And so there's still a lot of confusion over what a label is. So what is a label? It's a utility for organising your GCP resources. So, for example, you want to attach it to a VM, a disk, a snapshot, etc. And the reason is that you want to be able to find something quickly. You want to be able to define billing. You want to be able to see who's doing what. Again, that's essentially what a label is for. So let's go head over to the console here and talk more about the labels and resources. Sources in the GCP.

3. Demo - GCP Projects

So we already have an idea of what a project is. So what I'm going to do now is create a project. And we're going to use this project for basically associating objects and services with billing purposes, or in this case, just to keep it nice and clean and organised and keep it standardised during the rest of this boot camp. Now you can also, of course, in the project set up networks, and we'll talk about networks coming up in the virtual networking section. Remember, there are three types. There's default, auto, and custom. I'm going to reiterate that again, default auto and custom. And there'll be a reason why I'm doing that. So let's go ahead and create a project. There are a couple of different ways to do this. You go over here and go to the project settings, and you can see that it brings me over to the settings. Now you can see that it has the GCP class virtual. June 16 is when I started it. Now I'm going to create one of the things too. I meant to also point out that the project name can change that.It's between four and 30 characters, but the project ID and the project number that's going to be assigned byGCP, you don't have any control over that. Now when you define a project name, make it so that it's easy for you to go up and do a search to find the resources that you need, especially if you have a large platform in the sense that you have a lot of different resources tied to a project. You want to find everything and make it nice and clean, but also for billing purposes. Remember that as well. So I'm going to go over here, and again,I'm going to change that to, let's see, I'm going to call this the GCP Professional Bootcamp. And so I had already tried that before. That's why that came up, because I wanted to use that just because this is a specific class that we're working on. So I'm going to go save it so you can see that it's been updated. Okay, so again, it's very simple to create a project. And you go over here as well and see, for example, if you want to find projects and folders, you go over here and you can do a search. Now you could also go over here to create a new project. And so, why not? Let's do that again. And so we have by default in the personal account, for example, a limit of twelve total projects at this time. So I'm going to call this GCP Professional BootCamp, and I'm going to call this. I'm going to create one for my Data Engineer class. So again, you can see that I've exceeded that. So I need to actually scroll that down a little bit. I'm going to call it De just to keep it. So again, you don't have too much flexibility in the sense that when you create a project, it's fairly straightforward. So I go to create and it looks like it should be done. I don't know if my eyes totally missed it, but it looks like it's still doing something. So again, it's creating. It shouldn't take that long. And again, you can see that it still seems a little bit slow. It could be my connection for some reason. You never know about A and T. So again, I'm going to go there because it looks like it has been updated. I just probably didn't catch the completion there. So again, now I have two projects. And why is that important? One of the main goals of a project,and again, I'm going to reiterate this, is to associate objects and services with billing. On this exam, they're going to expect you to understand what is going to be part of a project, how to create a project, and why projects are important. So again, that's a very simple demo. I wanted to make sure that you knew how to set up a project project. With that said, let's go ahead and proceed on to the next demo.

ExamSnap's Google Professional Cloud Architect Practice Test Questions and Exam Dumps, study guide, and video training course are complicated in premium bundle. The Exam Updated are monitored by Industry Leading IT Trainers with over 15 years of experience, Google Professional Cloud Architect Exam Dumps and Practice Test Questions cover all the Exam Objectives to make sure you pass your exam easily.