Author Archives: anuj - Page 3
GKE Control Plane and Public IPs and Private Service Connect
By default, when you create a public cluster, GKE assigns an external IP address (external endpoint) to the control plane and provisions public nodes. This means that any VM with…
Pass Through (Network) Load balancers and GKE Ingress Firewall Rule
Overview If you created a GKE service that allows external access, you will be surprised to see a few firewall rules (at the VPC level) created automatically for you. Some…
Cloud CDN to deal with unauthenticated users
Use Case - serve content to users who are not authenticated Cloud CDN can cache content that doesn't require authenticated users.
Routing Logs outside of GCP
Use Case - To route GCP logs to external sinks (Splunk). The only sink you can use here is Pub/Sub. Install the logging agent to capture your application…
GCP – Failed SSH Attempts
Use Case - monitor for failed SSH attempts and alert based on failures. Log-based alerts would be needed - there is no built-in metric for failed SSH attempts.…
Retention Policies and Cloud Storage
Use Case - Disallow deletion of bucket objects, regardless of IAM access. A retention policy will lock the bucket (or an object in a bucket) and not allow deletion, regardless of access…
Service accounts - at Org, Folder Levels - and at Resource Levels
High-level service accounts (folder, project and Org level) should be few SAs. No keys allowed. The AD groups (containing human users) should be defined for these with all the…
Short lived access tokens in GCP – Service account impersonation
Service account keys provide long-lived access. One often has to provide short-term access to GCP resources. That's what service account impersonation does. Service account impersonation requires two service…
Firewall rules and GCP Cloud Storage
Firewall rules only apply at a VPC Network Level. They have nothing to do with preventing traffic to and from cloud storage. To do that, you have to either use…
Using only Trusted Images in GCP Projects
Step 1 - Create a separate project and store all hardened images in it. Step 2 - Enforce the Org Policy "Define trusted image projects". This will ensure…