Business needs evolution

In this tutorial we will learn about the concept of business needs evolution, which introduces best practices to help enterprise customers like you on your journey to Google Cloud. Its goal is to help enterprise architects and technology stakeholders understand the scope of the activities involved and plan accordingly.

Organizational setup

Define your resource hierarchy

Google Cloud resources are organized hierarchically. This hierarchy allows you to map your enterprise’s operational structure to Google Cloud, and to manage access control and permissions for groups of related resources. The following diagram shows an example hierarchy.

[Figure: inverted tree structure with resources organized hierarchically. Image source: Google Cloud]

The top-level node of the hierarchy is the Organization resource, which represents an organization (for example, a company). Next in the hierarchy are folders, which you can use to isolate the requirements of different departments and teams within the parent organization. At the bottom of the hierarchy are projects, which contain the computing, storage, and networking resources that constitute your apps. The structure you define is flexible and lets you adapt to evolving requirements.

Create an Organization node

Many of the features supported by Google Cloud require an Organization node. You can create an Organization node that maps to your corporate internet domain, such as example.com, through Cloud Identity. You can then migrate your existing Google Cloud projects and billing accounts into the Organization node.

Specify your project structure

A project is required in order to use Google Cloud. All Google Cloud resources, such as Compute Engine virtual machines and Cloud Storage buckets, belong to a single project. You control the scope of your projects: a single project might contain multiple separate apps, or conversely a single app might span several projects.

The ideal project structure depends on your individual requirements and might evolve over time. When designing your project structure, determine whether resources need to be billed separately, what degree of isolation is required, and how the teams that manage the resources and apps are organized.

Automate project creation

When you automate the creation and management of your Google Cloud projects and resources, you get benefits such as consistency, reproducibility, and testability. Treating your configuration as code allows you to version and manage the lifecycle of your configuration alongside your software artifacts. Further, automation allows you to support best practices such as consistent naming conventions and labeling of resources.

For Google Cloud projects, use Cloud Deployment Manager, Google Cloud's native management tool. With Deployment Manager, you create a configuration file that describes a set of Google Cloud resources that you want to deploy together. You can define parameterized templates that act as reusable building blocks.
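As an added example that is not from the page or from Google, the following Deployment Manager Python template creates a project under a folder in the hierarchy described above, links it to a billing account and applies labels; the resource type names follow Google's documented project-creation sample, while the folder, billing account and label values are placeholders, and FakeContext stands in for the context object Deployment Manager supplies.

```python
# Added example, not code from the page or from Google: a Deployment Manager
# Python template that creates a project under a folder, links it to a billing
# account and labels it. Type names follow Google's documented project sample.
import re

# GCP project IDs: 6-30 chars, lowercase letters, digits and hyphens, starting
# with a letter and not ending in a hyphen. Enforce the naming convention here.
PROJECT_ID_RE = re.compile(r"[a-z][a-z0-9-]{4,28}[a-z0-9]")

def GenerateConfig(context):
    """Deployment Manager entry point: return the resources to deploy."""
    props = context.properties
    project_id = props["projectId"]
    if not PROJECT_ID_RE.fullmatch(project_id):
        raise ValueError("projectId %r violates the naming convention" % project_id)
    project = {
        "name": project_id,
        "type": "cloudresourcemanager.v1.project",
        "properties": {
            "name": project_id,
            "projectId": project_id,
            # Parenting to a folder makes policies set on the folder (and on the
            # Organization above it) apply to this project.
            "parent": {"type": "folder", "id": props["folderId"]},
            # Consistent labels support cost breakdown and ownership tracking.
            "labels": {"env": props["env"], "team": props["team"],
                       "cost-center": props["costCenter"]},
        },
    }
    billing = {
        "name": project_id + "-billing",
        "type": "deploymentmanager.v2.virtual.projectBillingInfo",
        "metadata": {"dependsOn": [project_id]},  # link billing after creation
        "properties": {
            "name": "projects/" + project_id,
            "billingAccountName": "billingAccounts/" + props["billingAccountId"],
        },
    }
    return {"resources": [project, billing]}

class FakeContext:  # offline stand-in for the object Deployment Manager passes in
    def __init__(self, properties):
        self.properties = properties

EXAMPLE_PROPERTIES = {  # constructed placeholder values
    "projectId": "acme-payments-prod", "folderId": "000000000001",
    "billingAccountId": "000000-AAAAAA-BBBBBB",
    "env": "prod", "team": "payments", "costCenter": "cc-1234",
}
```

Deployment Manager calls GenerateConfig itself when the template is referenced from a deployment configuration; FakeContext exists only so the template can be exercised offline.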

Networking and security

Use VPC to define your network

Use VPCs and subnets to map out your network, and to group and isolate related resources. A Virtual Private Cloud (VPC) is a virtual version of a physical network. VPC networks provide scalable and flexible networking for your Compute Engine virtual machine (VM) instances, and for the services that leverage VM instances, including Google Kubernetes Engine (GKE), Dataproc, and Dataflow, among others. VPC networks are global resources: a single VPC can span multiple regions without communicating over the public internet. VPC networks themselves do not define IP address ranges; instead, each VPC network consists of one or more partitions called subnetworks.

Manage traffic with firewall rules

Each VPC network implements a distributed virtual firewall. Configure firewall rules that allow or deny traffic to and from the resources attached to the VPC, including Compute Engine VM instances and GKE clusters. Firewall rules are applied at the virtual networking level, so they help provide effective protection and traffic control regardless of the operating system your instances use.

Firewall rules are specific to a particular VPC network. The rules allow you to specify the type of traffic, such as ports and protocols, and the source or destination of the traffic, including IP addresses, subnets, tags, and service accounts. If your app is hosted in GKE, there are different considerations for managing network traffic and configuring firewall rules.
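As an added example that is not from the page or from Google, here is a small Python model of how VPC firewall rules are evaluated, useful for sanity-checking a rule set before deploying it; the rules and addresses are constructed, and the precedence it reproduces is GCP's: the lowest priority number wins, and at equal priority a deny rule overrides an allow rule.

```python
# Added example, not from the page or from Google: a small model of VPC
# firewall evaluation for sanity-checking a rule set before it is deployed.
# Rules below are constructed; precedence follows GCP: the lowest priority
# number wins, and at equal priority a deny rule overrides an allow rule.
import ipaddress

# Implied rules every VPC network carries at the lowest priority.
IMPLIED_RULES = [
    {"name": "implied-allow-egress", "direction": "EGRESS", "priority": 65535, "action": "allow",
     "ranges": ["0.0.0.0/0"], "protocols": {"all": None}, "target_tags": None},
    {"name": "implied-deny-ingress", "direction": "INGRESS", "priority": 65535, "action": "deny",
     "ranges": ["0.0.0.0/0"], "protocols": {"all": None}, "target_tags": None},
]

# "protocols" maps a protocol to a port list, or to None for all ports.
EXAMPLE_RULES = [
    {"name": "allow-web", "direction": "INGRESS", "priority": 1000, "action": "allow",
     "ranges": ["0.0.0.0/0"], "protocols": {"tcp": [80, 443]}, "target_tags": ["web"]},
    {"name": "allow-ssh-from-bastion", "direction": "INGRESS", "priority": 900, "action": "allow",
     "ranges": ["10.0.1.0/24"], "protocols": {"tcp": [22]}, "target_tags": None},
    {"name": "deny-ssh-from-anywhere", "direction": "INGRESS", "priority": 1000, "action": "deny",
     "ranges": ["0.0.0.0/0"], "protocols": {"tcp": [22]}, "target_tags": None},
    {"name": "allow-any-tcp-legacy", "direction": "INGRESS", "priority": 1000, "action": "allow",
     "ranges": ["0.0.0.0/0"], "protocols": {"tcp": None}, "target_tags": ["legacy"]},
]

def _matches(rule, direction, peer_ip, protocol, port, instance_tags):
    """True if the rule applies to this flow on an instance carrying these tags."""
    if rule["direction"] != direction:
        return False
    if rule["target_tags"] and not set(rule["target_tags"]) & set(instance_tags):
        return False  # rule is scoped to tagged instances only
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in ipaddress.ip_network(r) for r in rule["ranges"]):
        return False
    protos = rule["protocols"]
    if "all" in protos:
        return True
    return protocol in protos and (protos[protocol] is None or port in protos[protocol])

def evaluate(rules, direction, peer_ip, protocol, port, instance_tags=()):
    """Return (action, rule_name) for one flow. peer_ip is the source address
    for INGRESS and the destination address for EGRESS."""
    hits = [r for r in list(rules) + IMPLIED_RULES
            if _matches(r, direction, peer_ip, protocol, port, instance_tags)]
    # Lowest priority value first; at equal priority deny sorts before allow.
    hits.sort(key=lambda r: (r["priority"], r["action"] != "deny"))
    return hits[0]["action"], hits[0]["name"]  # implied rules guarantee a hit
```

Note how SSH from the internet to a "legacy" instance is still denied even though a broad allow rule matches it, because the deny rule shares its priority.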

Limit external access

When you create a Google Cloud resource that leverages VPC, you choose a network and subnet to place the resource in. The resource is assigned an internal IP address from one of the IP ranges associated with the subnet. Resources in a VPC network can communicate among themselves through internal IP addresses as long as firewall rules permit.

To communicate with the internet, resources must have an external, public IP address or must use Cloud NAT. Similarly, resources must have an external IP address to connect to resources outside their own VPC network, unless the networks are connected in some way, for example through a VPN. For more details, see the IP addresses documentation.

Secure your apps and data

Google Cloud provides robust security features across its infrastructure and services, from the physical security of data centers and custom security hardware to dedicated teams of researchers. However, securing your Google Cloud resources is a shared responsibility. In addition to firewall rules and VPC isolation, use these additional tools to help secure and protect your apps:

  • Firstly, use VPC Service Controls to define a security perimeter around your Google Cloud resources to constrain data within a VPC and help mitigate data exfiltration risks.
  • Secondly, use a Google Cloud global HTTP(S) load balancer to support high availability and scaling for your internet-facing services.
  • Thirdly, integrate Google Cloud Armor with the HTTP(S) load balancer to provide DDoS protection and the ability to denylist and allowlist (sometimes called blacklist and whitelist) IP addresses at the network edge.
  • Lastly, control access to apps by using Identity-Aware Proxy (IAP) to verify user identity and the context of the request to determine if a user should be granted access.

Billing and management

Know how resources are charged

Google Cloud operates on a consumption model. You are charged based on how much of a particular resource or product you use over a given payment period. Products measure consumption in different ways, for example:

  • Firstly, as an amount of time (how many seconds a machine was running)
  • Secondly, as a volume
  • Thirdly, as the number of operations executed
  • Lastly, as variations of those concepts

Make sure you understand how billing works for the components in your system so that you can accurately gauge your costs. Each product provides detailed pricing information in its documentation. Many products provide a Free Tier, where any consumption below a certain threshold does not incur any charges.

Set up billing controls

All Google Cloud resources, including Compute Engine VMs, Cloud Storage buckets, and BigQuery datasets, must be associated with a Google Cloud project. To consume resources beyond the Free Tier, a project must be associated with a billing account. There is a one-to-many relationship between billing accounts and projects. Use a billing account to define who pays for the resources in a set of projects. The account includes a payment instrument, such as a credit card, to which costs are charged. You can define billing accounts at the organization level and link projects under the Organization node to them.

Plan for your capacity requirements

Google Cloud projects have quotas that limit the consumption of a particular resource or API. Quotas are in place to protect the wider Google Cloud community by preventing unforeseen spikes in usage. Plan the capacity requirements of your projects in advance to prevent unexpected limiting of your resource consumption. If the quotas are not sufficient, you can request changes in the Quotas section of the Cloud Console. If you require a large capacity, contact your Google Cloud sales team.

Implement cost controls

As cloud services scale up, their costs also go up. Google Cloud provides several methods to limit resource consumption, and to notify interested parties of relevant billing events.

You can define budgets that generate alerts when spending reaches certain thresholds. Alerts take the form of emails and can optionally generate Pub/Sub messages for programmatic notification. You can apply a budget to the entire billing account or to an individual project linked to the billing account. For example, you could create a budget that generates alerts when total monthly spending for a billing account reaches 50, 80, and 100 percent of the specified budget amount. You can also use quotas to cap the consumption of a particular resource. For example, you can set a maximum “query usage per day” quota on the BigQuery API to ensure that a project does not overspend on BigQuery.
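As an added example that is not from the page or from Google, the following Python handles a budget notification delivered as a Pub/Sub message and reports which of the 50, 80 and 100 percent thresholds has been reached; the JSON field names follow Google's documented budget notification format, and the sample message and account identifiers are constructed placeholders.

```python
# Added example, not from the page or from Google: handle a Cloud Billing
# budget notification delivered through Pub/Sub and work out which of the
# 50, 80 and 100 percent levels has been reached. JSON field names follow
# Google's documented notification format; the sample message is constructed.
import base64
import json

THRESHOLDS = (0.5, 0.8, 1.0)  # the 50, 80 and 100 percent alert levels

def parse_budget_message(pubsub_message):
    """Decode the base64 'data' payload of a Pub/Sub message into a dict."""
    return json.loads(base64.b64decode(pubsub_message["data"]).decode("utf-8"))

def classify_spend(notification):
    """Return (spend_ratio, thresholds_crossed, over_budget) for a notification."""
    ratio = notification["costAmount"] / notification["budgetAmount"]
    crossed = [t for t in THRESHOLDS if ratio >= t]
    return round(ratio, 4), crossed, ratio >= 1.0

def decide_action(pubsub_message):
    """Map one notification to an operational response: the highest alert level
    reached and whether a hard cap (for example, unlinking the project's billing
    account, as Google's cost-capping sample does) should be considered."""
    n = parse_budget_message(pubsub_message)
    ratio, crossed, over = classify_spend(n)
    return {
        "budget": n["budgetDisplayName"],
        "billing_account": pubsub_message["attributes"]["billingAccountId"],
        "spend_percent": round(ratio * 100, 1),
        "highest_alert_percent": int(round(crossed[-1] * 100)) if crossed else 0,
        "consider_hard_cap": over,
    }

# Constructed sample: 85 percent of a 10,000 USD monthly budget already spent.
SAMPLE_NOTIFICATION = {
    "budgetDisplayName": "payments-prod-monthly", "alertThresholdExceeded": 0.8,
    "costAmount": 8500.0, "costIntervalStart": "2024-03-01T08:00:00Z",
    "budgetAmount": 10000.0, "budgetAmountType": "SPECIFIED_AMOUNT", "currencyCode": "USD",
}
SAMPLE_MESSAGE = {
    "data": base64.b64encode(json.dumps(SAMPLE_NOTIFICATION).encode()).decode(),
    "attributes": {"billingAccountId": "000000-AAAAAA-BBBBBB",  # placeholder
                   "budgetId": "placeholder-budget-id", "schemaVersion": "1.0"},
}
```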

Get help from the experts

The Google Cloud Professional Services organization (PSO) offers consulting services to help you on your Google Cloud journey. Contact PSO consultants, who can provide deep expertise to educate your team on best practices and guiding principles for a successful implementation.

Google Cloud also has a strong ecosystem of Google Cloud partners, from large global systems integrators to partners with a deep specialization in a particular area such as machine learning. Partners have demonstrated customer success using Google Cloud and can accelerate your projects and improve business outcomes.


Reference: Google Documentation
