GCP FAQ & Answers

Create a Compute Engine VM using: gcloud compute instances create my-vm --zone=us-central1-a --machine-type=e2-medium --image-family=debian-12 --image-project=debian-cloud --boot-disk-size=20GB --boot-disk-type=pd-balanced. The VM starts automatically. SSH: gcloud compute ssh my-vm --zone=us-central1-a. Check status: gcloud compute instances list --filter="name=(my-vm)". Production best practices: Enable OS Login --metadata enable-oslogin=TRUE, add Shielded VM --shielded-secure-boot --shielded-vtpm --shielded-integrity-monitoring, use service accounts for IAM. E2-medium pricing: ~$0.067/hour ($49/month). Delete: gcloud compute instances delete my-vm --zone=us-central1-a --quiet.

Compute Engine machine families (2025): (1) E2: Cost-optimized, $0.01-$0.07/hour, no sustained use discounts but consistently low pricing. E2-standard-2: $48.92/month. (2) N2: Balanced, Intel Ice Lake, benefits from sustained use discounts. N2-standard-2: ~$70/month. (3) N2D: AMD EPYC, 10-15% cheaper than N2. (4) C3: Latest compute-optimized, Intel Sapphire Rapids. (5) C3D: AMD-based compute-optimized. Choose: E2 for web servers/dev, N2 for production apps, C3 for HPC/batch. List: gcloud compute machine-types list --filter="zone:(us-central1-a)". View AI recommendations: Cloud Console → Compute Engine → Recommendations (includes rightsizing suggestions).

Create Spot VMs (replaces preemptible): gcloud compute instances create spot-vm --zone=us-central1-a --machine-type=e2-medium --provisioning-model=SPOT --image-family=debian-12 --image-project=debian-cloud. Spot VMs save 60-91% vs standard pricing with no 24-hour runtime limit (unlike old preemptible). Receive 30-second termination notice. Use for: batch processing, CI/CD, rendering, ML training. Best practices: (1) Shutdown script: --metadata-from-file shutdown-script=shutdown.sh. (2) MIG for auto-recreation: gcloud compute instance-groups managed create mig-spot --zone=us-central1-a --template=spot-template --size=3. (3) Combine with committed use discounts for additional 28-46% savings on baseline compute.

Create GKE Autopilot cluster (recommended 2025): gcloud container clusters create-auto my-cluster --region=us-central1. Autopilot manages nodes, scaling, and security automatically. Workload Identity Federation always enabled. Get credentials: gcloud container clusters get-credentials my-cluster --region=us-central1. Deploy: kubectl create deployment hello-app --image=us-docker.pkg.dev/google-samples/containers/gke/hello-app:1.0 and expose: kubectl expose deployment hello-app --type=LoadBalancer --port=8080. Check: kubectl get all. Standard mode: gcloud container clusters create my-cluster --zone=us-central1-a --num-nodes=3 --machine-type=e2-medium --workload-pool=PROJECT_ID.svc.id.goog --release-channel=stable. Autopilot pricing: pay only for pod requests, no idle charges.

Node pools group VMs with same configuration (GKE Standard only; Autopilot manages nodes automatically). Create pool: gcloud container node-pools create high-mem-pool --cluster=my-cluster --zone=us-central1-a --machine-type=e2-highmem-4 --num-nodes=2 --disk-type=pd-balanced --disk-size=100GB. View: gcloud container node-pools list --cluster=my-cluster --zone=us-central1-a. Autoscaling: --enable-autoscaling --min-nodes=1 --max-nodes=10. Spot nodes (60-91% savings): --spot. Image type: --image-type=COS_CONTAINERD (default). Best practices: Separate pools for GPU/CPU workloads, use node taints/tolerations, enable surge upgrades --max-surge-upgrade=1 --max-unavailable-upgrade=0. Monitor: kubectl top nodes.

Deploy to Cloud Run (gen2): gcloud run deploy hello-service --image=us-docker.pkg.dev/PROJECT_ID/REPO/hello --region=us-central1 --allow-unauthenticated --memory=512Mi --cpu=1 --timeout=3600s --concurrency=80 --min-instances=0 --max-instances=100. Gen2 uses execution environment based on Cloud Run infrastructure. Get URL: gcloud run services describe hello-service --region=us-central1 --format='value(status.url)'. Test: curl $(gcloud run services describe hello-service --region=us-central1 --format='value(status.url)')/hello. Private service: --no-allow-unauthenticated + IAM: gcloud run services add-iam-policy-binding hello-service --member='serviceAccount:app@PROJECT_ID.iam.gserviceaccount.com' --role='roles/run.invoker'. Pricing: Free 180K vCPU-sec, 360K GiB-sec, 2M requests/month (us-central1).

Configure Cloud Run autoscaling: gcloud run services update hello-service --region=us-central1 --min-instances=0 --max-instances=100 --concurrency=80. Concurrency default: 80 (max 1000). Higher concurrency reduces costs by maximizing instance utilization. For CPU-intensive: lower to 1-10. For I/O-bound APIs: increase to 200-1000. Startup boost: --cpu-boost allocates more CPU during startup. Instance limits by memory: --cpu=4 --memory=16Gi --concurrency=1000 for high-throughput. Traffic splitting: gcloud run services update-traffic hello-service --region=us-central1 --to-revisions=rev1=50,rev2=50. Monitor: Cloud Console → Cloud Run → Metrics (shows instance count, request latency). Load test to optimize concurrency for lowest billable time.

Create Cloud Function (2nd gen, default 2025): mkdir my-function && cd my-function. Create main.py: import functions_framework\n@functions_framework.http\ndef hello_http(request):\n return 'Hello World', 200. Deploy: gcloud functions deploy hello-http --gen2 --runtime=python312 --trigger-http --allow-unauthenticated --region=us-central1 --entry-point=hello_http --memory=256Mi --timeout=60s. Python 3.12 GA since Nov 2025. Test: curl $(gcloud functions describe hello-http --gen2 --region=us-central1 --format='value(serviceConfig.uri)'). View logs: gcloud functions logs read hello-http --gen2 --region=us-central1. Dependencies: requirements.txt (e.g., functions-framework==3.*). Env vars: --set-env-vars=KEY=VALUE. Gen2 benefits: longer timeouts (3600s), configurable concurrency, Cloud Run integration.

Create Cloud Function triggered by Cloud Storage (gen2): gcloud functions deploy process-file --gen2 --runtime=python312 --trigger-event-filters='type=google.cloud.storage.object.v1.finalized' --trigger-event-filters='bucket=my-bucket' --entry-point=process_file --region=us-central1 --memory=512Mi. Python code: import functions_framework\nfrom cloudevents.http import CloudEvent\n@functions_framework.cloud_event\ndef process_file(cloud_event: CloudEvent):\n data = cloud_event.data\n filename = data['name']\n print(f'Processing {filename}'). Test: gsutil cp test.txt gs://my-bucket/. Filter by prefix: --trigger-event-filters='bucket=my-bucket,name=uploads/*'. Events: object.v1.finalized (created), object.v1.deleted (deleted). View logs: gcloud functions logs read process-file --gen2 --region=us-central1.

Create bucket with gcloud: gcloud storage buckets create gs://my-unique-bucket-name --location=us-central1 --default-storage-class=standard --uniform-bucket-level-access. Or gsutil: gsutil mb -c standard -l us-central1 gs://my-unique-bucket-name/. Lifecycle policy lifecycle.json: {"lifecycle":{"rule":[{"action":{"type":"SetStorageClass","storageClass":"NEARLINE"},"condition":{"age":30}},{"action":{"type":"SetStorageClass","storageClass":"COLDLINE"},"condition":{"age":90}},{"action":{"type":"Delete"},"condition":{"age":365}}]}}. Apply: gcloud storage buckets update gs://my-unique-bucket-name --lifecycle-file=lifecycle.json. View: gcloud storage buckets describe gs://my-unique-bucket-name --format='json(lifecycle)'. Enable Autoclass for automatic optimization: --autoclass.

Cloud Storage classes (2025 US pricing): (1) Standard: $0.020/GB/month, no minimum, no retrieval fee. Use for: active data, websites, streaming. (2) Nearline: $0.010/GB/month, 30-day minimum, $0.01/GB retrieval. Use for: monthly backups, disaster recovery. (3) Coldline: $0.004/GB/month, 90-day minimum, $0.02/GB retrieval. Use for: quarterly access, archival. (4) Archive: $0.0012/GB/month, 365-day minimum, $0.05/GB retrieval. Use for: compliance, cold archives. Autoclass: automatic tier transitions, no retrieval fees. Enable: gcloud storage buckets update gs://bucket --autoclass. Monitor costs: gcloud storage buckets describe gs://bucket --format='yaml(storageClass,lifecycle)'. Example: 1TB Standard = $20/month, 1TB Archive = $1.20/month (17x cheaper).

Create Cloud SQL PostgreSQL (Enterprise edition, 2025): gcloud sql instances create my-postgres --database-version=POSTGRES_16 --edition=ENTERPRISE --tier=db-perf-optimized-N-2 --region=us-central1 --storage-type=SSD --storage-size=100GB --storage-auto-increase --backup-start-time=02:00. Enterprise Plus for 99.99% SLA: --edition=ENTERPRISE_PLUS --availability-type=REGIONAL. Set password: gcloud sql users set-password postgres --instance=my-postgres --prompt-for-password. Connect: gcloud sql connect my-postgres --user=postgres. Enable Cloud SQL Proxy for production: cloud-sql-proxy --port 5432 PROJECT:REGION:my-postgres. Create DB: CREATE DATABASE myapp;. Import: gcloud sql import sql my-postgres gs://bucket/backup.sql --database=myapp. Monitor: Cloud Console → SQL → my-postgres → Monitoring.

Create read replica: gcloud sql instances create my-postgres-replica --master-instance-name=my-postgres --tier=db-perf-optimized-N-2 --region=us-west1 --replica-type=READ. Cross-region replica for disaster recovery: use different --region. List replicas: gcloud sql instances list --filter="masterInstanceName:my-postgres". Connect for reads: cloud-sql-proxy PROJECT:REGION:my-postgres-replica. Promote to standalone (failover): gcloud sql instances promote-replica my-postgres-replica. Monitor replication lag: Cloud Console → SQL → my-postgres → Replicas tab (target: <10ms for same region, <100ms cross-region). Replication is asynchronous. Use application-level read/write splitting or pgpool-II. Cost: same as primary instance tier. Committed use discounts: up to 52% savings (3-year).

Enable Firestore: gcloud services enable firestore.googleapis.com. Create database (Firestore Native mode): gcloud firestore databases create --location=us-central1 --type=firestore-native. Install client: pip install google-cloud-firestore==2.19.0. Python code: from google.cloud import firestore\ndb = firestore.Client(project='PROJECT_ID')\ndoc_ref = db.collection('users').document('user1')\ndoc_ref.set({'name': 'Alice', 'age': 30, 'created': firestore.SERVER_TIMESTAMP}). Query: docs = db.collection('users').where('age', '>=', 25).order_by('age').limit(10).stream()\nfor doc in docs: print(f'{doc.id} => {doc.to_dict()}'). Security rules: Firebase Console → Firestore → Rules. Document size limit: 1MB. Batch writes (500 docs): batch = db.batch(); batch.commit().

Firestore security rules in firestore.rules: rules_version = '2';\nservice cloud.firestore {\n match /databases/{database}/documents {\n match /users/{userId} {\n allow read, write: if request.auth != null && request.auth.uid == userId;\n }\n match /public/{document=**} {\n allow read: if true;\n allow write: if request.auth != null;\n }\n }\n}. Deploy: firebase deploy --only firestore:rules or Cloud Console. Test: Firebase Console → Rules → Rules Playground. Functions: request.auth.token.email, resource.data, request.resource.data. Validate data: allow write: if request.resource.data.age is int && request.resource.data.age >= 0. Rate limiting: use request.time checks. Max rules size: 256KB.

Create dataset: bq mk --location=us-central1 --description='Production dataset' my_dataset. Load CSV from GCS: bq load --source_format=CSV --autodetect --skip_leading_rows=1 my_dataset.my_table gs://my-bucket/data.csv. JSON: bq load --source_format=NEWLINE_DELIMITED_JSON --autodetect my_dataset.table gs://bucket/data.json. Schema file: bq load --source_format=CSV --schema=schema.json my_dataset.table gs://bucket/*.csv. Query: bq query --use_legacy_sql=false 'SELECT * FROM my_dataset.my_table LIMIT 10'. Export: bq extract --destination_format=CSV my_dataset.table gs://bucket/output-*.csv. Partitioning on load: --time_partitioning_field=date. Cost: Loading data is free. Storage: $0.02/GB/month (active), $0.01/GB/month (long-term >90 days).

Create partitioned+clustered table: CREATE TABLE sales (order_id STRING, product_id STRING, sale_date DATE, amount FLOAT64, region STRING) PARTITION BY sale_date CLUSTER BY region, product_id OPTIONS(partition_expiration_days=365, require_partition_filter=true). BigQuery auto-recommends partitioning/clustering based on 30-day query patterns. View recommendations: Cloud Console → BigQuery → Recommendations. Query optimization: WHERE sale_date BETWEEN '2025-01-01' AND '2025-01-31' AND region = 'US' (filters on partition then cluster). Integer range partitioning: PARTITION BY RANGE_BUCKET(customer_id, GENERATE_ARRAY(0, 100000, 1000)). Check partitions: SELECT * FROM my_dataset.INFORMATION_SCHEMA.PARTITIONS WHERE table_name='sales'. Clustering columns: max 4, total 1TB per clustered block. Automatic re-clustering: BigQuery handles in background.

Create service account: gcloud iam service-accounts create my-app-sa --display-name='My App Service Account' --description='Service account for my-app'. List: gcloud iam service-accounts list. Assign role: gcloud projects add-iam-policy-binding PROJECT_ID --member='serviceAccount:my-app-sa@PROJECT_ID.iam.gserviceaccount.com' --role='roles/storage.objectViewer'. Workload Identity Federation (recommended 2025): No keys needed for GKE/Cloud Run. For external apps, create key: gcloud iam service-accounts keys create key.json --iam-account=my-app-sa@PROJECT_ID.iam.gserviceaccount.com. Use: export GOOGLE_APPLICATION_CREDENTIALS=key.json. Best practices: Rotate keys every 90 days, use short-lived tokens, prefer Workload Identity over keys. Naming: wlifgke- prefix for GKE, wlif- for external workloads.

Use predefined roles over basic roles (Owner/Editor/Viewer). Create custom role: gcloud iam roles create customBQViewer --project=PROJECT_ID --title='Custom BigQuery Viewer' --permissions='bigquery.jobs.get,bigquery.jobs.list,bigquery.tables.get,bigquery.tables.list,bigquery.datasets.get' --stage=GA. Assign: gcloud projects add-iam-policy-binding PROJECT_ID --member='user:[email protected]' --role='projects/PROJECT_ID/roles/customBQViewer'. IAM Conditions for time/resource-based access: --condition='title=Business Hours,expression=request.time.getHours("America/New_York") >= 9 && request.time.getHours("America/New_York") < 17'. Test permissions: gcloud iam roles describe roles/storage.objectViewer. Policy Analyzer: gcloud asset analyze-iam-policy --project=PROJECT_ID. Review every 90 days, use IAM Recommender for over-privileged accounts.

Create custom VPC: gcloud compute networks create my-vpc --subnet-mode=custom --bgp-routing-mode=regional --mtu=1460. Create subnet with Private Google Access: gcloud compute networks subnets create web-subnet --network=my-vpc --range=10.0.1.0/24 --region=us-central1 --enable-flow-logs --enable-private-ip-google-access --secondary-range=pods=10.4.0.0/14,services=10.8.0.0/20. Secondary ranges for GKE pod/service IPs. Create data subnet: gcloud compute networks subnets create data-subnet --network=my-vpc --range=10.0.2.0/24 --region=us-west1. List: gcloud compute networks subnets list --network=my-vpc. Firewall rules: gcloud compute firewall-rules create allow-internal --network=my-vpc --allow=tcp,udp,icmp --source-ranges=10.0.0.0/8. Private Service Connect: Use for managed services like Cloud SQL.

Create ingress rule for web traffic: gcloud compute firewall-rules create allow-web --network=my-vpc --allow=tcp:80,tcp:443 --source-ranges=0.0.0.0/0 --target-tags=web --priority=1000 --direction=INGRESS. Restrict SSH to bastion: gcloud compute firewall-rules create allow-ssh-bastion --network=my-vpc --allow=tcp:22 --source-ranges=203.0.113.0/24 --target-service-accounts=bastion-sa@PROJECT_ID.iam.gserviceaccount.com. Deny all egress (default allow): gcloud compute firewall-rules create deny-all-egress --network=my-vpc --deny=all --direction=EGRESS --priority=65534 --destination-ranges=0.0.0.0/0. Allow specific egress: gcloud compute firewall-rules create allow-egress-apis --network=my-vpc --allow=tcp:443 --direction=EGRESS --destination-ranges=199.36.153.8/30 --priority=1000. Enable logging: --enable-logging (flow samples). Apply tags: gcloud compute instances add-tags my-vm --tags=web.

Create global external Application Load Balancer: (1) Reserve IP: gcloud compute addresses create lb-ipv4 --ip-version=IPV4 --global. (2) Health check: gcloud compute health-checks create http health-check-http --port=80 --request-path=/health --check-interval=10s --timeout=5s --unhealthy-threshold=3. (3) Backend service: gcloud compute backend-services create web-backend --protocol=HTTP --health-checks=health-check-http --global --load-balancing-scheme=EXTERNAL_MANAGED --enable-cdn. (4) Add MIG: gcloud compute backend-services add-backend web-backend --instance-group=web-mig --instance-group-zone=us-central1-a --balancing-mode=UTILIZATION --max-utilization=0.8 --global. (5) URL map: gcloud compute url-maps create web-map --default-service=web-backend. (6) SSL cert: gcloud compute ssl-certificates create web-cert --domains=example.com --global. (7) HTTPS proxy: gcloud compute target-https-proxies create https-lb-proxy --url-map=web-map --ssl-certificates=web-cert. (8) Forwarding rule: gcloud compute forwarding-rules create https-lb-rule --address=lb-ipv4 --global --target-https-proxy=https-lb-proxy --ports=443.

Create Internal Application Load Balancer (L7, regional): (1) Reserve internal IP: gcloud compute addresses create ilb-ip --region=us-central1 --subnet=web-subnet --purpose=SHARED_LOADBALANCER_VIP. (2) Health check: gcloud compute health-checks create http ilb-health-check --region=us-central1 --port=8080. (3) Backend service: gcloud compute backend-services create ilb-backend --load-balancing-scheme=INTERNAL_MANAGED --protocol=HTTP --health-checks=ilb-health-check --health-checks-region=us-central1 --region=us-central1. (4) Add backend: gcloud compute backend-services add-backend ilb-backend --instance-group=app-mig --instance-group-zone=us-central1-a --region=us-central1. (5) URL map: gcloud compute url-maps create ilb-map --default-service=ilb-backend --region=us-central1. (6) Target proxy: gcloud compute target-http-proxies create ilb-proxy --url-map=ilb-map --region=us-central1. (7) Forwarding rule: gcloud compute forwarding-rules create ilb-rule --load-balancing-scheme=INTERNAL_MANAGED --network=my-vpc --subnet=web-subnet --address=ilb-ip --ports=80 --region=us-central1 --target-http-proxy=ilb-proxy.

Enable Cloud CDN on backend service: gcloud compute backend-services update web-backend --global --enable-cdn --cache-mode=CACHE_ALL_STATIC. Cache key policy: gcloud compute backend-services update web-backend --global --cache-key-include-protocol --cache-key-include-host --cache-key-include-query-string --cache-key-query-string-whitelist='product_id,category'. TTL settings: gcloud compute backend-services update web-backend --global --default-ttl=3600 --client-ttl=3600 --max-ttl=86400. Invalidate cache: gcloud compute url-maps invalidate-cdn-cache web-map --path='/static/*' --host='www.example.com' --async. Monitor hit ratio: Cloud Console → Network Services → Cloud CDN → web-backend. Signed URLs for private content: Generate HMAC-SHA1 signature. Negative caching: --negative-caching --negative-caching-policy='404=300,403=60'. Cost: $0.04-$0.08/GB (varies by region), ~40% cheaper than origin.

Flexible CUDs (2025 recommended): Commit to spend amount (not specific resources). gcloud billing accounts commitments create --billing-account=BILLING_ACCOUNT --amount=1000 --plan=12-month --type=SPEND_BASED --region=us-central1. Savings: 28% (1-year), 46% (3-year). Resource-based CUDs: Commit to specific vCPU/memory. gcloud compute commitments create compute-1y --resources=vcpu=100,memory=400 --region=us-central1 --plan=12-month. View commitments: gcloud compute commitments list. Analyze savings: Cloud Console → Billing → Commitments → CUD Analysis. Query in BigQuery: SELECT invoice.month, SUM(cost + IFNULL((SELECT SUM(c.amount) FROM UNNEST(credits) c), 0)) AS total_cost FROM billing_export WHERE cost_type = 'regular' GROUP BY 1. Combine with Spot VMs for 70-85% total savings. Recommendations: Cloud Console → Recommender → Commitment recommendations shows optimal commitment size.

View recommendations: gcloud recommender recommendations list --recommender=google.compute.instance.MachineTypeRecommender --location=us-central1. Categories: VM rightsizing, idle resources, committed use discounts, IP address optimization. Apply recommendation: gcloud compute instances set-machine-type my-vm --zone=us-central1-a --machine-type=e2-medium (after reviewing recommendation). Batch apply: gcloud recommender recommendations mark-claimed RECOMMENDATION_ID --etag=ETAG --recommender=google.compute.instance.MachineTypeRecommender --location=us-central1. View savings estimate: gcloud recommender recommendations describe RECOMMENDATION_ID --recommender=google.compute.instance.MachineTypeRecommender --location=us-central1 --format='value(primaryImpact.costProjection.cost.units)'. Enable API: gcloud services enable recommender.googleapis.com. Check all recommenders: Cloud Console → Recommender (shows $savings potential). Set up alerts: Pub/Sub topic for new recommendations. Best practice: Review weekly, focus on high-impact (>$100/month savings) first.

Create budget with thresholds: gcloud billing budgets create --billing-account=BILLING_ACCOUNT_ID --display-name='Monthly Budget 2025' --budget-amount=5000USD --all-updates-rule-pubsub-topic=projects/PROJECT_ID/topics/budget-alerts --threshold-rule=percent=50 --threshold-rule=percent=75 --threshold-rule=percent=90 --threshold-rule=percent=100. Filter by project: --filter-projects='projects/my-project'. Filter by service: --filter-services='services/6F81-5844-456A' (Compute Engine service ID). Credit treatment: --credit-types-treatment=INCLUDE_ALL_CREDITS or EXCLUDE_ALL_CREDITS. Forecasted spend alerts: --threshold-rule=percent=100,basis=FORECASTED_SPEND. List budgets: gcloud billing budgets list --billing-account=BILLING_ACCOUNT_ID. Pub/Sub to Cloud Functions: Trigger actions (email, Slack, auto-shutdown). Example: Budget alert → Pub/Sub → Cloud Function → Stop non-prod VMs. Monitor in Cloud Console → Billing → Budgets & alerts.

Create topic with schema: gcloud pubsub topics create orders-topic --message-retention-duration=7d --message-storage-policy-allowed-regions=us-central1. Create pull subscription: gcloud pubsub subscriptions create orders-sub --topic=orders-topic --ack-deadline=60 --message-retention-duration=7d --expiration-period=never. Push subscription: gcloud pubsub subscriptions create orders-push --topic=orders-topic --push-endpoint=https://myapp.example.com/webhook --push-auth-service-account=push-sa@PROJECT_ID.iam.gserviceaccount.com. Publish: gcloud pubsub topics publish orders-topic --message='{"order_id": "12345"}' --attribute=priority=high. Pull messages: gcloud pubsub subscriptions pull orders-sub --limit=10 --auto-ack. Dead letter queue: --dead-letter-topic=orders-dlq --max-delivery-attempts=5. Enable exactly-once delivery: --enable-exactly-once-delivery. Monitor: Cloud Console → Pub/Sub → orders-topic → Metrics (throughput, age, unacked messages).

Enable exactly-once delivery: gcloud pubsub subscriptions create orders-sub --topic=orders-topic --enable-exactly-once-delivery --ack-deadline=60. Requirements: Subscription must use pull or Cloud Run/Cloud Functions push. Update existing: gcloud pubsub subscriptions update orders-sub --enable-exactly-once-delivery. Publisher best practices: Include unique message ID in data, use idempotency tokens. Subscriber: Check delivery_attempt attribute, use database constraints (unique indexes) for deduplication. Ordering keys: gcloud pubsub topics publish orders-topic --message='order1' --ordering-key=customer-123. Note: Exactly-once has higher latency (+10-20ms) and cost (+$0.01 per 1M operations). Monitor duplicate rate: gcloud logging read 'resource.type=pubsub_subscription AND jsonPayload.subscription=orders-sub' --limit=100. Use cases: Financial transactions, inventory updates, critical state changes. Guarantees: Message processed exactly once end-to-end (at-most-once + retry logic).

Create keyring: gcloud kms keyrings create production-keyring --location=us-central1. Create symmetric encryption key with auto-rotation: gcloud kms keys create app-data-key --keyring=production-keyring --location=us-central1 --purpose=encryption --rotation-period=90d --next-rotation-time=$(date -u -d '+90 days' +%Y-%m-%dT%H:%M:%SZ). Asymmetric key for signing: gcloud kms keys create signing-key --keyring=production-keyring --location=us-central1 --purpose=asymmetric-signing --default-algorithm=rsa-sign-pkcs1-4096-sha512. Encrypt file: gcloud kms encrypt --location=us-central1 --keyring=production-keyring --key=app-data-key --plaintext-file=secret.txt --ciphertext-file=secret.enc. Decrypt: gcloud kms decrypt --location=us-central1 --keyring=production-keyring --key=app-data-key --ciphertext-file=secret.enc --plaintext-file=secret-decrypted.txt. Set IAM: gcloud kms keys add-iam-policy-binding app-data-key --keyring=production-keyring --location=us-central1 --member='serviceAccount:app@PROJECT_ID.iam.gserviceaccount.com' --role='roles/cloudkms.cryptoKeyEncrypterDecrypter'. CMEK for Cloud Storage: gsutil kms encryption -k projects/PROJECT_ID/locations/us-central1/keyRings/production-keyring/cryptoKeys/app-data-key gs://my-bucket.

Enable API: gcloud services enable secretmanager.googleapis.com. Create secret with automatic replication: gcloud secrets create db-password --replication-policy='automatic' --labels='env=prod,app=myapp'. Add version from file: gcloud secrets versions add db-password --data-file=password.txt. From stdin: echo -n 'my-secret-password' | gcloud secrets versions add db-password --data-file=-. Access latest version: gcloud secrets versions access latest --secret=db-password. Access specific version: gcloud secrets versions access 2 --secret=db-password. Set IAM: gcloud secrets add-iam-policy-binding db-password --member='serviceAccount:app@PROJECT_ID.iam.gserviceaccount.com' --role='roles/secretmanager.secretAccessor'. Rotate secret: Add new version, test app, destroy old version: gcloud secrets versions destroy 1 --secret=db-password. Python usage: from google.cloud import secretmanager; client = secretmanager.SecretManagerServiceClient(); name = f'projects/{project_id}/secrets/{secret_id}/versions/latest'; response = client.access_secret_version(request={'name': name}); secret = response.payload.data.decode('UTF-8'). Audit access: gcloud logging read 'protoPayload.methodName="google.cloud.secretmanager.v1.SecretManagerService.AccessSecretVersion"'.

Create alerting policy for high CPU: gcloud alpha monitoring policies create --notification-channels=CHANNEL_ID --display-name='High CPU Alert' --conditions='conditions: [{displayName: "VM CPU > 80%", conditionThreshold: {filter: "resource.type=\"gce_instance\" metric.type=\"compute.googleapis.com/instance/cpu/utilization\"", comparison: COMPARISON_GT, thresholdValue: 0.8, duration: 300s, aggregations: [{alignmentPeriod: 60s, perSeriesAligner: ALIGN_MEAN}]}}]'. Create notification channel: gcloud alpha monitoring channels create --display-name='Team Email' --type=email [email protected]. Create dashboard via JSON: Save dashboard config to dashboard.json, then gcloud monitoring dashboards create --config-from-file=dashboard.json. Uptime check: gcloud monitoring uptime create https-check --resource-type=uptime-url --host=example.com --path=/health --port=443 --check-interval=60s. Query metrics with MQL: fetch gce_instance | metric 'compute.googleapis.com/instance/cpu/utilization' | group_by 1h, [value_utilization_mean: mean(value.utilization)] | filter value_utilization_mean > 0.8. View in Cloud Console → Monitoring → Metrics Explorer. Create SLO: gcloud monitoring slos create --service=my-service --slo-id=latency-slo --goal=0.99.

Query logs with filters: gcloud logging read 'resource.type="gce_instance" AND severity>=ERROR AND timestamp>="2025-01-01T00:00:00Z"' --limit=50 --format='table(timestamp,severity,jsonPayload.message)'. Advanced query: resource.type="cloud_run_revision" AND jsonPayload.message=~"timeout" AND labels.service_name="my-service". Create log-based metric (counter): gcloud logging metrics create error-rate --description='HTTP 5xx errors' --log-filter='resource.type="cloud_run_revision" httpRequest.status>=500'. Distribution metric: gcloud logging metrics create request-latency --description='Request latency' --value-extractor='EXTRACT(jsonPayload.latency)' --metric-kind=DELTA --value-type=DISTRIBUTION --log-filter='resource.type="cloud_run_revision"'. Export to BigQuery: gcloud logging sinks create export-to-bq bigquery.googleapis.com/projects/PROJECT_ID/datasets/logs --log-filter='resource.type="gce_instance" severity>=WARNING' --use-partitioned-tables. Query in BigQuery: SELECT timestamp, severity, jsonPayload.message FROM \project.logs.cloudaudit_googleapis_com_activity_*` WHERE timestamp > TIMESTAMP_SUB(CURRENT_TIMESTAMP(), INTERVAL 7 DAY) AND severity = 'ERROR' LIMIT 1000. Export to Cloud Storage for archival: gcloud logging sinks create archive-sink storage.googleapis.com/logs-archive-bucket --log-filter='timestamp<="2024-12-31T23:59:59Z"'`.

Create VPC peering from VPC1 to VPC2: gcloud compute networks peerings create vpc1-to-vpc2 --network=vpc1 --peer-project=PROJECT_ID_2 --peer-network=vpc2 --export-custom-routes --import-custom-routes --export-subnet-routes-with-public-ip --import-subnet-routes-with-public-ip. Create reverse peering from VPC2 to VPC1: gcloud compute networks peerings create vpc2-to-vpc1 --network=vpc2 --peer-project=PROJECT_ID_1 --peer-network=vpc1 --export-custom-routes --import-custom-routes. Check status: gcloud compute networks peerings list --network=vpc1 (look for STATE: ACTIVE). Test connectivity: gcloud compute ssh vm-in-vpc1 --command='ping -c 3 10.20.1.5' (private IP in VPC2). Limitations: Max 25 peering connections per VPC, no transitive peering (VPC1-VPC2-VPC3 doesn't allow VPC1↔VPC3), subnet ranges cannot overlap. For multi-VPC hub-spoke: Use Cloud Router + VPN or Cloud Interconnect. Delete peering: gcloud compute networks peerings delete vpc1-to-vpc2 --network=vpc1. Monitor traffic: Enable VPC Flow Logs on subnets.

Create Cloud Router: gcloud compute routers create nat-router --network=my-vpc --region=us-central1 --advertisement-mode=CUSTOM --set-advertisement-ranges=10.0.0.0/8. Create Cloud NAT with static IP: Reserve IP: gcloud compute addresses create nat-ip-1 nat-ip-2 --region=us-central1. Configure NAT: gcloud compute routers nats create nat-config --router=nat-router --region=us-central1 --nat-external-ip-pool=nat-ip-1,nat-ip-2 --nat-all-subnet-ip-ranges --enable-logging --log-filter=ERRORS_ONLY. NAT for specific subnets only: --nat-custom-subnet-ip-ranges=subnet-1,subnet-2. Test from private VM: gcloud compute ssh private-vm --internal-ip --tunnel-through-iap --command='curl -s ifconfig.me' (should show NAT IP). Enable dynamic port allocation: Default 64 ports/VM, increase: --min-ports-per-vm=128. Auto-scale NAT IPs: Use --auto-allocate-nat-external-ips instead of static pool. Monitor NAT: Cloud Console → Network Services → Cloud NAT → nat-config → Monitoring (shows connections, dropped packets, port exhaustion). Cost: $0.045/hour per gateway + $0.045/GB processed. Troubleshooting: Check logs gcloud logging read 'resource.type="nat_gateway"'.

Upload custom model (sklearn example): gcloud ai models upload --region=us-central1 --display-name=fraud-detector --container-image-uri=us-docker.pkg.dev/vertex-ai/prediction/sklearn-cpu.1-3:latest --artifact-uri=gs://my-bucket/model/ --explanation-method=sampled-shapley --explanation-path-count=10. Create endpoint: gcloud ai endpoints create --region=us-central1 --display-name=fraud-endpoint. Deploy model to endpoint: gcloud ai endpoints deploy-model ENDPOINT_ID --region=us-central1 --model=MODEL_ID --display-name=fraud-v1 --machine-type=n1-standard-4 --min-replica-count=1 --max-replica-count=5 --accelerator=type=nvidia-tesla-t4,count=1 --enable-access-logging. Get predictions: Create instances.json: {"instances": [{"feature1": 1.5, "feature2": 2.3}]}. Predict: gcloud ai endpoints predict ENDPOINT_ID --region=us-central1 --json-request=instances.json. Batch prediction: gcloud ai batch-prediction-jobs create --region=us-central1 --display-name=batch-job --model=MODEL_ID --input-uri=gs://bucket/input.jsonl --output-uri=gs://bucket/output/. Monitor: Cloud Console → Vertex AI → Endpoints → fraud-endpoint → Monitoring (latency, predictions/sec). AutoML model: gcloud ai custom-jobs create --region=us-central1 --display-name=automl-training --worker-pool-spec=machine-type=n1-standard-4,replica-count=1,container-image-uri=TRAINING_IMAGE.

Create GitHub trigger: gcloud builds triggers create github --name=main-trigger --repo-name=my-app --repo-owner=myorg --branch-pattern=^main$ --build-config=cloudbuild.yaml --service-account=projects/PROJECT_ID/serviceAccounts/cloudbuild-sa@PROJECT_ID.iam.gserviceaccount.com. cloudbuild.yaml example: steps: [{name: 'gcr.io/cloud-builders/docker', args: ['build', '-t', 'us-docker.pkg.dev/$PROJECT_ID/my-repo/my-app:$SHORT_SHA', '.']}, {name: 'gcr.io/cloud-builders/docker', args: ['push', 'us-docker.pkg.dev/$PROJECT_ID/my-repo/my-app:$SHORT_SHA']}, {name: 'gcr.io/google.com/cloudsdktool/cloud-sdk', entrypoint: 'gcloud', args: ['run', 'deploy', 'my-app', '--image=us-docker.pkg.dev/$PROJECT_ID/my-repo/my-app:$SHORT_SHA', '--region=us-central1']}]; timeout: 1200s; options: {machineType: E2_HIGHCPU_8, logging: CLOUD_LOGGING_ONLY}. Manual build: gcloud builds submit --config=cloudbuild.yaml --substitutions=_ENV=prod. View builds: gcloud builds list --ongoing. Get logs: gcloud builds log BUILD_ID. Use private pools for sensitive workloads: gcloud builds worker-pools create private-pool --region=us-central1 --worker-machine-type=e2-standard-4. Cost: First 120 build-minutes/day free, $0.003/build-minute after.

Create security policy: gcloud compute security-policies create web-security-policy --description='Production WAF'. Add OWASP Top 10 protection: gcloud compute security-policies rules create 1000 --security-policy=web-security-policy --expression='evaluatePreconfiguredExpr("xss-v33-stable")' --action=deny-403. SQL injection: gcloud compute security-policies rules create 1100 --security-policy=web-security-policy --expression='evaluatePreconfiguredExpr("sqli-v33-stable")' --action=deny-403. Rate limiting (100 req/min per IP): gcloud compute security-policies rules create 2000 --security-policy=web-security-policy --expression='true' --action=rate-based-ban --rate-limit-threshold-count=100 --rate-limit-threshold-interval-sec=60 --ban-duration-sec=600 --conform-action=allow --exceed-action=deny-429 --enforce-on-key=IP. Geo-blocking: gcloud compute security-policies rules create 3000 --security-policy=web-security-policy --expression='origin.region_code == "CN" || origin.region_code == "RU"' --action=deny-403. Attach to backend: gcloud compute backend-services update web-backend --security-policy=web-security-policy --global. Enable preview mode: --action=deny-403 --preview (logs but doesn't block). View blocked requests: gcloud logging read 'resource.type="http_load_balancer" jsonPayload.enforcedSecurityPolicy.name="web-security-policy"' --limit=100. Custom rules with CEL: inIpRange(origin.ip, '192.0.2.0/24') && request.path.matches('/admin').

Time-based condition (business hours only): gcloud projects add-iam-policy-binding PROJECT_ID --member='user:[email protected]' --role='roles/compute.instanceAdmin.v1' --condition='expression=request.time.getHours("America/New_York") >= 9 && request.time.getHours("America/New_York") < 17 && request.time.getDayOfWeek("America/New_York") >= 1 && request.time.getDayOfWeek("America/New_York") <= 5,title=Business Hours Only,description=Access restricted to weekdays 9AM-5PM EST'. Resource-based condition (production only): gcloud storage buckets add-iam-policy-binding gs://my-bucket --member='serviceAccount:app@PROJECT_ID.iam.gserviceaccount.com' --role='roles/storage.objectViewer' --condition='expression=resource.name.startsWith("projects/_/buckets/my-bucket/objects/production/"),title=Production Only'. IP-based condition: --condition='expression=request.origin.ip.startsWith("203.0.113."),title=Office IP Only'. Date range: --condition='expression=request.time < timestamp("2025-12-31T23:59:59Z"),title=Valid Until EOY 2025'. List conditions: gcloud projects get-iam-policy PROJECT_ID --flatten='bindings[].condition' --format='table(bindings.role,bindings.members,bindings.condition.title,bindings.condition.expression)'. Test condition: Use IAM Policy Simulator in Cloud Console. Maximum: 20 conditional bindings per principal. CEL functions: request.time, resource.name, request.auth, request.origin.

Create Google-managed SSL certificate (auto-renewal): gcloud compute ssl-certificates create web-cert --domains=example.com,www.example.com,api.example.com --global. Certificate provisions automatically via DNS/HTTP challenge (takes 15-60 minutes). Check status: gcloud compute ssl-certificates describe web-cert --global --format='value(managed.status,managed.domainStatus)'. Domain validation: Ensure DNS A/AAAA records point to load balancer IP before creating cert. For regional Load Balancer: gcloud compute ssl-certificates create regional-cert --domains=internal.example.com --region=us-central1 --certificate-manager. Attach to HTTPS proxy: gcloud compute target-https-proxies create https-proxy --ssl-certificates=web-cert --url-map=web-map --global. Self-managed certificate: gcloud compute ssl-certificates create custom-cert --certificate=cert.pem --private-key=key.pem --global. View all certs: gcloud compute ssl-certificates list --global. Certificate renewal: Google-managed certs auto-renew 30 days before expiry. Monitor: Cloud Console → Load Balancing → Certificates (shows status, expiry date). Wildcard support: --domains='*.example.com,example.com'. Certificate Manager (2025 recommended): gcloud certificate-manager certificates create web-cert --domains=example.com --dns-authorizations=dns-auth.

Create multi-region instance: gcloud spanner instances create prod-spanner --config=nam3 --description='Production Spanner' --processing-units=1000 --instance-type=PROVISIONED. Regional (cheaper): --config=regional-us-central1 --processing-units=100. Create database: gcloud spanner databases create orders-db --instance=prod-spanner --database-dialect=GOOGLE_STANDARD_SQL. Create schema: gcloud spanner databases ddl update orders-db --instance=prod-spanner --ddl='CREATE TABLE Orders (OrderId STRING(36) NOT NULL, CustomerId STRING(36) NOT NULL, Amount NUMERIC, CreatedAt TIMESTAMP NOT NULL OPTIONS (allow_commit_timestamp=true)) PRIMARY KEY (OrderId); CREATE INDEX OrdersByCustomer ON Orders(CustomerId, CreatedAt DESC);'. Insert data: gcloud spanner rows insert --instance=prod-spanner --database=orders-db --table=Orders --data='OrderId=order-1,CustomerId=cust-1,Amount=99.99,CreatedAt=PENDING_COMMIT_TIMESTAMP()'. Query: gcloud spanner databases execute-sql orders-db --instance=prod-spanner --sql='SELECT OrderId, Amount FROM Orders WHERE CustomerId = "cust-1" ORDER BY CreatedAt DESC LIMIT 10'. Backup: gcloud spanner backups create orders-backup --instance=prod-spanner --database=orders-db --retention-period=30d. Autoscaling (2025): gcloud spanner instances update prod-spanner --processing-units=1000 --autoscaling-min-processing-units=100 --autoscaling-max-processing-units=5000 --autoscaling-high-priority-cpu-target=65. Cost: $0.90/hour per 1000 processing units (regional), $0.09/GB storage/month.

Create public managed zone: gcloud dns managed-zones create example-zone --dns-name=example.com. --description='Production domain' --dnssec-state=on --visibility=public. Private zone for VPC: gcloud dns managed-zones create internal-zone --dns-name=internal.example.com. --visibility=private --networks=my-vpc --description='Internal DNS'. Create A record: gcloud dns record-sets create example.com. --type=A --zone=example-zone --ttl=300 --rrdatas='34.98.112.25'. Create CNAME: gcloud dns record-sets create www.example.com. --type=CNAME --zone=example-zone --ttl=300 --rrdatas='example.com.'. MX records: gcloud dns record-sets create example.com. --type=MX --zone=example-zone --ttl=3600 --rrdatas='10 mail1.example.com.,20 mail2.example.com.'. Import zone file: gcloud dns record-sets import zone-file.txt --zone=example-zone --zone-file-format. Export: gcloud dns record-sets export zone-export.txt --zone=example-zone. Update nameservers: Get NS records: gcloud dns record-sets list --zone=example-zone --filter='type=NS', then update at domain registrar. DNSSEC: Enabled by default for new zones. Get DS records: gcloud dns managed-zones describe example-zone --format='value(dnssecConfig.defaultKeySpecs)'. Geo-routing (traffic steering): Use Cloud Load Balancer with Cloud DNS, not available in Cloud DNS directly. Cost: $0.20 per million queries.

Enable APIs: gcloud services enable monitoring.googleapis.com logging.googleapis.com cloudtrace.googleapis.com cloudprofiler.googleapis.com. Create workspace: Navigate to Cloud Console → Monitoring (auto-creates workspace for project). Set up comprehensive logging: Export to BigQuery: gcloud logging sinks create logs-to-bq bigquery.googleapis.com/projects/PROJECT_ID/datasets/all_logs --log-filter='resource.type=("gce_instance" OR "cloud_run_revision" OR "k8s_container")' --use-partitioned-tables. Export to Cloud Storage (archival): gcloud logging sinks create logs-archive storage.googleapis.com/logs-archive-bucket --log-filter='timestamp<="2024-12-31T23:59:59Z"'. Create notification channel: gcloud alpha monitoring channels create --display-name='Ops Team Email' --type=email --channel-labels='[email protected]'. gcloud alpha monitoring channels create --display-name='PagerDuty' --type=pagerduty --channel-labels='service_key=PAGERDUTY_KEY'. Create SLO for service: gcloud monitoring slos create latency-slo --service=my-service --display-name='99% requests < 500ms' --goal=0.99 --calendar-period=DAY --windows-based-sli --good-total-ratio-threshold=0.5 --latency-threshold=500ms. Create uptime checks: gcloud monitoring uptime create https-check --resource-type=uptime-url --host=example.com --path=/health --port=443 --check-interval=60s. Create dashboard: Save JSON config, then gcloud monitoring dashboards create --config-from-file=dashboard.json. View in Cloud Console → Monitoring → Dashboards.