Best Practices for enterprise - Coggle Diagram
Organizational Setup
Define resource hierarchy
nodes / resources
Organization (Company)
central visibility of overall resources
Folders (Dept, Teams)
isolate dept, teams, environment
Projects (App)
computing, storage, VPC
manage / organize permission and AC
company operational structure = GC resources
Create an organization node
use organization domain (glyph.com)
Cloud Identity (IDaaS)
manage project, AC, billings
Specify project structure
project architecture
VM, buckets, networking
recommendation
1:1 project, application, environment
benefits
changes to dev does not impact prod
gives better AC (restrict IAM)
Automate project creation
benefits
Consistency
naming convention
Reproducibility
Testability
Cloud Deployment Manager (CDM)
config file (YAML)
initialize IAM
ansible, etc.
templates for reusable bldg blocks
Identity and Access Management
Manage google identities
google accounts
tied in corporate domain
Cloud Identity
access GCP and Admin Console
enable / disable google services and employee accounts
automatically creates org node
Federate identity provider with GCloud
on-premise servers
sync user directory to Cloud Identity
control IAM of employees to google services
source of truth
Migrate unmanaged accounts
Cloud Identity
force accounts to be renamed or use different email
Control access to resources
authorize using IAM
prevents unwanted access
IAM
defines who (identity) has what (access) to which (resources)
roles > permissions
roles
collection of permissions
Delegate responsibility with groups and service accounts
assign roles by group instead by individuals
group recommendation
network admins
security admins
org admins
billing admins
devops
developers
benefits
manageable
new user inherits roles from the group
service accounts
special account by GC
server-to-server
non-human user
should be authorized / authenticated to access Google API
Define an organization policy
Organization Policy Service
focuses on what instead of who (IAM)
set restrictions / constraints to resources
Networking and Security
Use VPC to define your network
VPC
virtual version of physical network
subnetworks
1 or more IP
partition of VPC network
1 subnet for each region
one or more in a single GCP project
Manage traffic with firewall rules
firewall rules
applied at the virtual network level
allow / deny traffic
layman's analogy
source address = people
IP address = house
ports = rooms
Limit external access
internal IP address
communicate inside the same VPC
Private Google Access
access google services isolated from the internet
external IP address
if the resource needs to access resources outside VPC
Centralized Network Control
Shared VPC Concept
host project
contains one or more shared VPC
service project
attached to host project
standalone project
unshared VPC network
Connect your enterprise network
on-premise
Cloud Interconnect
cloud
Cloud VPN
Secure your apps and data
VPC Service Controls
HTTP Load Balancer
Google Cloud Armor
Identity-Aware Proxy (IAP)
Data Encryption
at rest
in transit
Cloud Architecture
Plan your migration
on-premise to cloud migrations
hybrid cloud [?]
Favor managed services
use GCloud managed services
help reduce operational burden
total cost ownership (TCO)
budget estimate cost
serverless
eliminate infrastructure management
Design for high availability
high availability
resilient
able to withstand difficulties
remain responsive despite failures
best practices
disperse regions
load balancing
distributes load traffic to available zones
data storage availability
Plan your disaster recovery strategy
Disaster Recovery (DR)
recover from rare but major incidents
basics
Recovery Time Objective (RTO)
max acceptable offline time
Recovery Point Objective (RPO)
max acceptable time for data loss due to major incident
the smaller your RTO and RPO values, the higher the app cost
patterns = tires
cold
no spare parts
warm
you have spare parts, but have to stop your journey
hot
run-flat tires, continuous journey
Logging, monitoring, and operations
Embrace DevOps and explore Site Reliability Engineering
break down organizational silos (independent business teams)
operations strategy
SRE
DevOps
Export your logs
export storage
Cloud Storage
long-term storage
BigQuery
query / analyze logs
retention period ->
docs
Set up an audit trail
track how the team interacts with Google Resources
Cloud Audit Logs
types
Data Access Logs
disabled by default because it is large (high volume)
API calls (CRUD)
Admin Audit Logs
logs API calls, admin actions to metadata / resources
who did what, where, and when
Centralize logging and monitoring
Cloud Monitoring
checks your services health
monitoring techniques
log-based metrics
grey-box monitoring
white-box monitoring
black-box monitoring
Cloud Logging
write log entries
Billing and management
Know how resources are charged
consumption
amount of time
volume
number of operations executed
concept variations
Set up billing controls
1 <-> 1 | project to billing account
1 <-> many | billing account to projects
billing account types
invoice
self-serve
Analyze and export your bill
billing report integration
BigQuery
Cloud Console
Plan for your capacity requirements
limit the resource consumption
set Quota
Implement cost controls
set budget alerts
Purchase a support package
Enterprise Support Package
support tickets to avoid duplication and miscommunication
Get help from the experts
PSO Consultants
Google Cloud partners
Build centers of excellence
nominate google cloud experts