Google Compute Engine Cheat Sheet

• Linux-based and Windows-based virtual machines
• Each instance you create belongs to a project
• A project can have one or more instances

Configurations

• Generally, when you create an instance, you should specify the following.
  • Zone
  • Operating System
  • Machine type
    • General purpose (E2, N1, N2, N2D) – provides a good balance of price and performance
    • Compute optimized (C2) – offers high-end vCPU performance for compute-intensive workloads
    • Memory optimized (M2) – offers the highest memory and are great for in-memory databases
    • Accelerator optimized (A2) – these machines are based on the A100 GPU, for very demanding applications
    • You can also create custom machine types depending on your infrastructure need.
  • Storage Options
    • Zonal persistent disk: Efficient, reliable block storage.
    • Regional persistent disk: Regional block storage replicated in two zones.
    • Local SSD: High performance, transient, local block storage.
    • Cloud Storage buckets: Affordable object storage.
    • Filestore: High-performance file storage for Google Cloud users.

Instance Templates

• Instance templates are a convenient way to save a VM instance’s configuration so you can use it later to create VMs or groups of VMs.
• You can use instance templates to provision a MIG or create individual VMs.
• An instance template is a global resource that is not attached solely to a zone or a region. However, since you need to specify some zonal resources in an instance template, this restricts the template to the zone where that resource is located.

Instance Groups

• An instance group is a set of virtual machine (VM) instances that you can collectively manage as a single entity.
• There are two kinds of VM instance groups, namely:
  • Managed Instance Groups (MIGs)
    • Let you operate apps on multiple identical VMs.
    • MIG is scalable and highly available
    • It supports autoscaling, autohealing, regional (multiple zone) deployment, and automatic updating.
    • MIG can be set to perform autohealing to keep your instances running at all times. Activating this triggers health checks to determine the status of instances and will try to recreate them when an instance is unhealthy.
  • Unmanaged Instance Groups
    • Lets you load balance across a fleet of virtual machines (VMs) that you manage yourself.

Managing access to your instances

• Linux instances
  • Manually create SSH keys in metadata
  • Use OS Login to associate SSH keys with your Google Account or G Suite Account and manage admin and non-admin access to the instance through IAM roles.
    • If you connect to your instance using the gcloud command-line tool or SSH from console, Compute Engine automatically generates SSH keys for you and applies them to your Google Account or GSuite Account.
    • If you manage your SSH keys by using OS Login on instances, metadata-based SSH key configurations on those instances are disabled.
• Windows Server
  • Create a password for a Windows Server instance

Backing up your instance

• To backup instances stored on regional and zonal persistent disks, Google Cloud gives you the ability to create snapshots. You can create snapshots from disks even while they are attached to running instances.
• Snapshots are global resources, which means you can utilize them to restore data to a new disk or instance within the same project regardless of location. Moreover, you are also allowed to share snapshots across different projects.
• It is best practice to create a snapshot schedule to regularly backup your instance.

Sole-tenant Nodes

• A physical Compute Engine server dedicated exclusively for your use.

Preemptible Instances

• A preemptible VM is an instance that you can provision at a much lower price point than normal instances.
• Compute Engine might stop preemptible instances at any time due to system events.
• This is perfect for fault-tolerant applications that can withstand possible instance preemption.

Shielded Instances

• Offers verifiable integrity of your Compute Engine VM instances, so you can be confident that your instances haven’t been compromised by boot- or kernel-level malware or rootkits.
• Shielded VM’s verifiable integrity is achieved through the use of:
  • Secure Boot
  • Virtual trusted platform module (vTPM)-enabled Measured Boot
  • Integrity monitoring.

Instance Life Cycle

An instance can have the following states:

• Provisioning – means that resources are being allocated for the instance.
• Staging – means that resources have been acquired and the instance is being prepared for the first boot.
• Running – means that the instance is booting up and running. You should be able to ssh into the instance soon, but not immediately after it enters this state.
• Stopping – means that the instance was stopped. This can be a user-made request or there was a failure. This serves as a temporary status and the instance will move to terminated state.
• Repairing – means that the instance is being repaired. This can happen when the instance encountered an internal error or the machine is unavailable due to some maintenance.
• Terminated – means that a user explicitly shut the instance down or the instance has encountered a failure.
• Suspending – means that the instance is being suspended. A user has suspended the instance.
• Suspended – means that the instance was suspended.

GCP Marketplace

• To quickly deploy a Compute Engine instance, you can utilize the Google Cloud Marketplace which offers a wide array of loud solutions that you can choose from to quickly deploy your application.

Live Migration

• GCE offers live migration to keep your virtual machine instances running even when a host system event, such as a software or hardware update, occurs.
• Instead of requiring your VMs to be rebooted, GCE live migrates your running instances to another host in the same zone keeping infrastructure protected and reliable without interrupting any of your virtual machines.
• Google provides a notification that migration is imminent when a VM is scheduled to be live migrated.

Pricing

• Custom Machine Types
• Reservation
  • You can create reservations for Virtual Machine instances in a specific zone.
• Disk Pricing
  • Persistent disks are priced by the amount of provisioned space per disk.
• Preemptible VMs
  • Low-cost, short-term instances designed to run batch jobs and fault-tolerant workloads.
  • Preemptible VM instances provide a significant amount of savings of up to 80%.
• Suspended VM Instances
  • You will not be charged for the instance as if it was running, but suspended instances still incur charges for the following:
    • Memory and Device State
    • Persistent disk usage
    • Static IPs attached to the VM instance
  • Sustained Use Savings
    • Are automatic discounts when running specific Compute Engine resources for a significant portion of the billing month.
  • Commitment Savings
    • You can get committed use discounts by purchasing committed use contracts for instances you want to provision with no up-front cost or instance-type lock-in.
    • You commit to pay for provisioned resources for 1 year or 3 years.
    • The discount can be up to 57% for most resources

Validate Your Knowledge

Question 1

All employees in your organization have a Google account. Your operations team needs to manage over a hundred Compute Engine instances. The members of this team must be provided only with administrative access to the VM instances. Moreover, the security team wants to audit instance logins and ensure that the provision of credentials is operationally efficient.

What should you do?

1. Create a new SSH key pair. Issue the private key to each member of the team. Configure the public key in the metadata of each instance.
2. Require each member of the team to generate a new SSH key pair. Have them send their public key to you. Utilize a configuration management tool to deploy those SSH keys on each instance.
3. Require each member of the team to generate a new SSH key pair and to add the public key to their respective Google account. Then grant the compute.osAdminLogin role to the corresponding Google group of the operations team.
4. Create a new SSH key pair. Issue the private key to each member of the operations team. Configure the public key as a project-wide public SSH key in your project. Lastly, allow project-wide public SSH keys on each instance.

Show me the answer!

Correct Answer: 3

If you need to manage user access to your Linux VM instances, you can use one of the following methods:

– OS Login

– Managing SSH keys in metadata

– Temporarily grant a user access to an instance

In most scenarios, Google recommends using OS Login. The OS Login feature lets you use Compute Engine IAM roles to manage SSH access to Linux instances. You can add an extra layer of security by setting up OS Login with two-factor authentication and manage access at the organization level by setting up organization policies.

After you enable OS Login on one or more instances in your project, those instances accept connections only from user accounts that have the necessary IAM roles in your project or organization. There are two predefined roles that you can utilize.

– roles/compute.osLogin, which does not grant administrator permissions

– roles/compute.osAdminLogin, which grants administrator permissions

OS Login lets you use Compute Engine IAM roles to efficiently manage SSH access to Linux instances and is an alternative to manually managing instance access by adding and removing SSH keys in the metadata.

To manage instance access using IAM roles, you must enable the OS Login feature by setting a metadata key-value pair in your project or in your instance’s metadata: enable-oslogin=TRUE.

After you enable OS Login on one or more instances in your project, those VMs accept connections only from user accounts that have the necessary IAM roles in your project or organization.

Therefore, the correct answer is: Require each member of the team to generate a new SSH key pair and to add the public key to their respective Google account. Then grant the compute.osAdminLogin role to the corresponding Google group of the operations team.

The option that says: Create a new SSH key pair. Issue the private key to each member of the team. Configure the public key in the metadata of each instance is incorrect because reusing a single SSH key pair with all employees is a poor security practice as auditing instance login for each user becomes impossible.

The option that says: Require each member of the team to generate a new SSH key pair. Have them send their public key to you. Utilize a configuration management tool to deploy those SSH keys on each instance is incorrect because this approach is not operationally efficient. Doing this would mean that you will have to add SSH keys to each instance whenever there is a new member. Similarly, you will have to remove the SSH keys on each instance whenever you want to remove their access.

The option that says: Create a new SSH key pair. Issue the private key to each member of the operations team. Configure the public key as a project-wide public SSH key in your project. Lastly, allow project-wide public SSH keys on each instance is incorrect because reusing a single SSH key pair with all employees is not a good security practice. Auditing instance login is difficult in this approach.

References:
https://cloud.google.com/compute/docs/instances/access-overview
https://cloud.google.com/compute/docs/instances/managing-instance-access

Note: This question was extracted from our Google Certified Associate Cloud Engineer Practice Exams.

Question 2

1. Create a snapshot of your instance boot disk. Create a custom image from the snapshot to handle the large traffic.
2. Create a snapshot of your instance’s base VM. Use the snapshot to handle the large traffic.
3. Create a snapshot of your instance boot disk. Create a custom image from the snapshot. Use the custom image to launch new instances.
4. Create a snapshot of your instance’s base VM. Use the snapshot to launch new instances.

For more Google Cloud practice exam questions with detailed explanations, check out the Tutorials Dojo Portal:

Google Compute Engine Cheat Sheet References:

https://cloud.google.com/compute
https://cloud.google.com/compute/docs/
https://cloud.google.com/compute/docs/instance-templates
https://cloud.google.com/compute/docs/instance-groups