Hub-and-Spoke Topology

• Hub VPC hosts Shared VPC, VPN/Interconnect
• Spoke VPCs peer with hub (no transitive peering!)
• Use Network Connectivity Center for large scale

Cloud Interconnect

• Dedicated: 10/100 Gbps, physical cross-connect
• Partner: via supported provider (Equinix, Megaport)
• VLAN attachments → Cloud Router → BGP

Cloud VPN

• HA VPN: 2 tunnels (two Cloud Router IPs)
• Classic VPN: single tunnel (deprecated)
• BGP dynamic routing recommended

Cloud Router & BGP

• Advertise VPC subnets via BGP
• Custom route advertisements
• Global dynamic routing for multi-region

Concept

• Producer publishes service via Service Attachment
• Consumer creates PSC endpoint (internal IP) in own VPC
• Traffic stays on Google network — never leaves it

vs VPC Peering

• PSC: consumer gets IP from its own range
• Peering: full bi-directional connectivity, no IP overlap allowed
• PSC: consumer/producer IPs can overlap!

Use Cases

• Access GCP managed services (GCS, Bigtable) privately
• Expose your internal API privately to consumers
• Multi-tenant SaaS on GCP

DNS w/ PSC

• Create private DNS zone with A record pointing to PSC IP
• Attach to consumer VPC
• On-prem: DNS forwarding zone → Cloud DNS → resolves PSC

Cloud DNS → On-Prem

• Create DNS forwarding zone in Cloud DNS
• Forward onprem.example.com → on-prem DNS server IP
• Uses VPN/Interconnect path (private zone)

On-Prem → Cloud DNS

• On-prem DNS forwards *.gcp.example.com → Cloud DNS inbound endpoint
• Cloud DNS inbound server policy → bound to VPC

Cloud DNS Inbound Setup

DNS Peering

• Peer zones between projects without forwarding
• Use for Shared VPC service project resolution

IAM Types

• Primitive: Owner/Editor/Viewer (do not use)
• Predefined: e.g. roles/storage.admin
• Custom: least privilege, scoped to permissions

IAM Conditions

• Attribute-based: resource type, IP range, time
• resource.matchTag, request.time
• Evaluated at access time

Deny Policies

• Explicit deny overrides any allow
• Org-level deny: iam.deny admin role
• Use for break-glass scenarios

Best Practices

• Use groups, not individual users
• Custom roles at folder level, not project
• Audit with Cloud Asset Inventory
• Policy Analyzer: gcloud policies analyze

Firewall Rules (VPC FW)

• Ingress + Egress, stateful
• Priority: 0-65535 (lower = higher)
• Implicit deny-all at end
• Network tags for targeted rules
• Service accounts as source/dest

Cloud Armor

• WAF + DDoS protection at LB edge
• Pre-configured rules: XSS, SQLi, L7 DDoS
• Custom rules: rate limiting, IP block, geo
• Can do bot management (reCAPTCHA)

VPC Firewall Rules

Private Google Access

• VMs without external IP access GCP APIs privately
• Enabled per subnet
• Routes via default internet gateway (Google-only)

Control Plane Components

• API Server: front-end, auth, validation
• etcd: distributed key-value store
• Scheduler: assigns pods to nodes
• Controller Manager: watches state, reconciles

Worker Node Components

• kubelet: agent, communicates with API server
• kube-proxy: network rules, iptables/ipvs
• Container Runtime: containerd

GKE Specific

• Autopilot vs Standard (node management)
• Workload Identity: K8s SA → GCP IAM (no keys!)
• GKE Dataplane V2 (eBPF, Cilium-based)
• Node auto-upgrade, auto-repair

Workload Resources

• Deployment: stateless apps, rolling update
• StatefulSet: stable identities, sticky storage
• DaemonSet: one pod per node (logging, monitoring)
• Job/CronJob: batch processing

Core Concepts

• Chart: package (templates + values + deps)
• Release: running instance of a chart
• Repository: chart storage (OCI, HTTP)
• Values: values.yaml overridable with --set

Helm 3 Changes

• No Tiller (pure client-side)
• 3-way strategic merge for upgrades
• Release info stored as Secrets
• OCI-based chart registry support

Chart Structure

Hooks

• pre/post-install, upgrade, delete, rollback
• Useful for: DB migration, config validation
• Annotation: helm.sh/hook: post-install

Design Patterns

• Sidecar: logging, proxy alongside app (e.g. Istio envoy)
• Ambassador: proxy as sidecar for external access
• Adapter: normalize monitoring output
• Circuit Breaker: fail-fast, retry w/ backoff

Service Mesh (Istio)

• Envoy sidecar proxies intercept traffic
• mTLS between services (mutual TLS)
• Traffic splitting (canary, blue-green)
• Observability: traces, metrics, logs

Azure DevOps Pipeline

• azure-pipelines.yml in repo root
• Stages: Build → Test → Deploy
• Environments: dev → staging → prod (approval gates)
• Variables + Variable Groups + Key Vault integration
• Service Connection → GCP (Workload Identity Federation)

GitHub Actions

• .github/workflows/*.yml
• Events: push, PR, schedule, workflow_dispatch
• OIDC to GCP (no static creds)
• Matrix builds, caches, artifacts

Key Practices

• Trunk-based: short-lived branches, main is deployable
• GitFlow: develop → release branches, for larger teams
• Semantic versioning: vMAJOR.MINOR.PATCH
• SBOM generation in pipeline (Trivy)

GitHub / Azure DevOps Integration

• GitHub repos ↔ Azure Boards (cross-link)
• GitHub Advanced Security (code scanning, secret scanning)
• Branch protection rules: require PR, status checks

Core Workflow

• terraform init (provider, backend, modules)
• terraform plan (preview, output to file)
• terraform apply (execute plan)
• terraform destroy

State Management

• Backend: GCS bucket (terraform state)
• Locking: GCS supports object lock
• terraform state list, terraform state mv
• Remote state data source: terraform_remote_state

Best Practices

• Modularize: modules/ directory
• Env segregation: envs/dev/, envs/prod/
• Use .tfvars files per env
• Pin provider version
• terraform plan in CI PR checks

Import & Move

• terraform import google_container_cluster.my_cluster PROJECT/location/name
• terraform state rm to remove from state
• terraform state mv to restructure state

Core Concepts

• Playbook: YAML with plays (hosts + tasks)
• Inventory: hosts file or dynamic (gcp_compute)
• Roles: reusable structured playbooks
• Modules: idempotent units (e.g. copy, template, package)

GCP Dynamic Inventory

SonarQube

• Static code analysis (SAST)
• Quality Gates: new code coverage, bugs, vulnerabilities
• Measures: reliability, security, maintainability, coverage, duplication
• CI integration: sonar-scanner, GitHub Action: SonarSource/sonarcloud-github-action
• sonar-project.properties in repo root

Checkov (IaC)

• Scans Terraform, CloudFormation, K8s, Helm, Dockerfile
• Checks misconfigurations (public buckets, open ports, etc.)
• CI: checkov --directory . --framework terraform
• .checkov.yml for skip/severity config
• Bridgecrew cloud platform for GUI/policies

Vertex AI Components

• Vertex AI Pipelines: Kubeflow-based DAGs
• Model Registry: versioning, staging/production
• Feature Store: managed feature serving
• Endpoint: model serving with autoscaling
• Model Evaluation: classification, regression metrics

MLOps Pipeline

• Data validation (TFX) → Feature engineering → Train → Evaluate
• If metrics pass → Deploy to staging → Shadow traffic → Prod
• Monitoring: prediction drift, feature drift
• Retrain trigger: scheduled or drift threshold

Key Concepts

• AutoML: train without code (image, tabular, text)
• Custom Training: bring your own container
• Hyperparameter Tuning: Vizier-based
• Explainable AI: feature attributions

CI/CD for ML

• Pipeline = code (Python SDK)
• Compile → Upload → Run (trigger on data change)
• Model validation in CI gate
• Deploy via CI: gcloud ai endpoints deploy-model

Gemini Models

• Gemini 1.5 Flash: fast, cost-effective
• Gemini 1.5 Pro: complex reasoning, long context (1M tokens)
• Gemini 2.0 Flash: latest (multimodal, tool use)
• Available via: AI Studio (dev) / Vertex AI (prod)

Google AI Studio

• Free tier, rapid prototyping
• System instructions, safety settings
• Export to Vertex AI for production
• API key based (no IAM)

Vertex AI Gemini API

• IAM-based auth (Service Account)
• Supports grounding (search, data store)
• Model Garden: curated + open models
• Safety filters, content moderation

Agents & Extensions

• Vertex AI Agent Builder: no-code/nocode agents
• Grounding in Google Search or enterprise data
• Function calling / tool use
• Conversational agents (Dialogflow integration)

Data Sources

• Prometheus (metrics from K8s/GKE)
• Cloud Monitoring (GCP metrics)
• Loki (logs)
• Tempo (traces)
• Cloud Logging (via Grafana Cloud or self-managed)

Key Features

• Dashboard as Code (JSON / Terraform)
• Alerting: rules, notification channels (PagerDuty, Slack)
• Annotations: mark deployments on graphs
• Explore: ad-hoc PromQL, LogQL queries

GCP Options

• Cloud Endpoints: Extensible Service Proxy (ESP), OpenAPI/gRPC
• Apigee: full lifecycle API management, monetization, analytics
• Cloud Load Balancer: L7 routing, URL maps, SSL
• Kong / Ambassador: open-source on K8s

When to Use What

• Simple REST/gRPC: Cloud Endpoints + Cloud LB
• Enterprise API management: Apigee
• K8s-native: Kong Ingress or Ambassador
• Serverless: API Gateway (Cloud Functions, Cloud Run)

Process Management

• ps aux | grep process — find process
• top/htop — live resource monitor
• systemctl status/start/stop/enable
• journalctl -u service-name -f — logs

Disk & Memory

• df -h — disk usage
• du -sh * — directory sizes
• free -h — memory
• lsblk — block devices

Network Troubleshooting

• ping / traceroute
• ss -tulpn — listening ports
• curl -v http://... — HTTP debug
• nslookup / dig — DNS
• tcpdump -i eth0 port 80 — packet capture

File Operations

• grep -r "pattern" . — recursive search
• find / -name "file" 2>/dev/null
• rsync -avz source/ dest/
• chmod / chown — permissions
• tar -czf archive.tar.gz dir