Cloud Provider Notes
GCP Platform Notes
Use these notes to translate the blue book patterns into common Google Cloud services. GCP platform work often centers on project structure, IAM, organization policies, networking, and managed data services.
Common service mapping

| Capability | Common GCP services |
|---|---|
| Landing zone | Resource Manager, folders, projects |
| Identity | Cloud IAM, Workload Identity Federation |
| Networking | VPC, Shared VPC, Cloud DNS, Private Service Connect |
| Containers | GKE, Cloud Run, Artifact Registry |
| Serverless | Cloud Functions, Cloud Run jobs, Workflows |
| Data | Cloud SQL, Spanner, BigQuery, GCS, Dataflow, Pub/Sub |
| Secrets and keys | Secret Manager, Cloud KMS |
| Observability | Cloud Logging, Cloud Monitoring, Trace |
| Security | Security Command Center, Cloud Audit Logs, Org Policy |
Baseline practices
- Use folders and projects to isolate environments and ownership.
- Use Shared VPC intentionally for centralized network control.
- Use Workload Identity Federation for CI/CD and workload access.
- Use organization policies for baseline guardrails.
- Centralize audit logs and security findings.
- Define labels, budgets, and service ownership standards.
Runtime guidance
- Use Cloud Run for request-driven containers and simple workers.
- Use GKE when Kubernetes platform requirements justify cluster operations.
- Use Pub/Sub for asynchronous integration and buffering.
- Use Cloud Workflows when orchestration needs to be explicit and observable.
Watchouts
- Project sprawl needs lifecycle and ownership controls.
- IAM inheritance can surprise teams without clear folder structure.
- BigQuery and data egress costs need early visibility.
- Service account keys should be avoided or aggressively controlled.
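The inheritance watchout above is worth seeing concretely: a GCP project's effective IAM policy is the union of the bindings on the project and on every ancestor folder and organization, and a lower level cannot remove an inherited grant. The following is an added example, not code from the original notes; the hierarchy, resource names, and bindings are constructed sample data, and the resolver mirrors that additive rule to flag broad roles a project receives from above.

```python
from collections import defaultdict

# Constructed sample hierarchy: child -> parent (the organization has no parent).
PARENT = {
    "projects/payments-prod": "folders/prod",
    "folders/prod": "organizations/123456789",
}

# Constructed sample IAM policies per resource: role -> set of members.
POLICIES = {
    "organizations/123456789": {
        "roles/editor": {"group:platform-team@example.com"},
    },
    "folders/prod": {
        "roles/viewer": {"group:sre@example.com"},
        "roles/owner": {"user:contractor@example.com"},  # the surprise
    },
    "projects/payments-prod": {
        "roles/run.invoker": {"serviceAccount:ci@payments-prod.iam.gserviceaccount.com"},
    },
}

BROAD_ROLES = {"roles/owner", "roles/editor"}

def ancestors(resource, parent=PARENT):
    """Yield the resource itself, then each ancestor up to the organization."""
    while resource is not None:
        yield resource
        resource = parent.get(resource)

def effective_bindings(resource, policies=POLICIES, parent=PARENT):
    """Union of bindings on the resource and all ancestors: role -> {member: granting resource}."""
    effective = defaultdict(dict)
    for node in ancestors(resource, parent):
        for role, members in policies.get(node, {}).items():
            for member in members:
                # Ancestors are visited after the resource, so the lowest granting level wins.
                effective[role].setdefault(member, node)
    return dict(effective)

def inherited_broad_grants(resource, policies=POLICIES, parent=PARENT):
    """Broad roles the resource receives from a folder or organization rather than its own policy."""
    findings = []
    for role, grants in effective_bindings(resource, policies, parent).items():
        if role in BROAD_ROLES:
            findings.extend((role, m, src) for m, src in grants.items() if src != resource)
    return sorted(findings)

if __name__ == "__main__":
    for role, member, source in inherited_broad_grants("projects/payments-prod"):
        print(f"{role} granted to {member} via {source}")
```

Run against real policies (for example, the output of `gcloud ... get-iam-policy` for each level), the same walk shows which folder or organization binding is responsible for a grant that nobody set on the project.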