gcloud CLI Essentials
# Configuration
gcloud init
gcloud config set project PROJECT_ID
gcloud config set compute/region europe-west1
gcloud auth application-default login
# Info
gcloud config list
gcloud projects list
gcloud compute regions list
gcloud services list --enabled
Compute Engine
# Create a VM
gcloud compute instances create NAME \
--zone=ZONE \
--machine-type=e2-medium \
--image-family=debian-11 \
--image-project=debian-cloud
# Machine types
E2: General purpose (cost-optimized)
N2: Balanced workloads
C2: Compute-intensive
M2: Memory-intensive
A2: GPU (ML/AI)
GKE
# Autopilot cluster (recommended)
gcloud container clusters create-auto NAME \
--region=REGION
# Standard cluster
gcloud container clusters create NAME \
--num-nodes=3 \
--enable-autoscaling \
--min-nodes=1 --max-nodes=5
# Credentials
gcloud container clusters get-credentials NAME
Cloud Run
# Deploy
gcloud run deploy SERVICE \
--image=IMAGE \
--region=REGION \
--allow-unauthenticated # public: anyone can invoke; omit it to require IAM (roles/run.invoker)
# Traffic splitting
gcloud run services update-traffic SERVICE \
--to-revisions=REV1=90,REV2=10
VPC & Networking
# VPC
gcloud compute networks create VPC \
--subnet-mode=custom
# Subnet
gcloud compute networks subnets create SUBNET \
--network=VPC \
--region=REGION \
--range=10.0.0.0/20
# Firewall
gcloud compute firewall-rules create RULE \
--network=VPC \
--allow=tcp:80,tcp:443 \
--source-ranges=0.0.0.0/0 # any IPv4 source; narrow to known ranges where possible
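As an added example that is not part of the original sheet: a small Python audit that flags active ingress rules open to the whole Internet on anything other than the tcp:80/443 opened above, run over constructed sample data shaped like the output of `gcloud compute firewall-rules list --format=json`; the rule names and CIDRs are assumptions.

```python
import json
from typing import Dict, List

# Constructed sample shaped like `gcloud compute firewall-rules list --format=json`.
SAMPLE_RULES = json.dumps([
    {"name": "allow-web", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["80", "443"]}]},
    {"name": "allow-ssh-office", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["203.0.113.0/24"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "allow-rdp-any", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]},
    {"name": "allow-range-any", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["1-1024"]}]},
    {"name": "egress-any", "direction": "EGRESS", "disabled": False,
     "destinationRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "all"}]},
])

ANY_SOURCE = {"0.0.0.0/0", "::/0"}
WEB_PORTS = {"tcp:80", "tcp:443"}  # the only ports the rule above opens to the world

def exposed_services(rule: Dict) -> List[str]:
    """List 'proto:port' entries an active ingress rule allows from any source, web ports excluded."""
    if rule.get("direction") != "INGRESS" or rule.get("disabled"):
        return []
    if not ANY_SOURCE & set(rule.get("sourceRanges", [])):
        return []
    exposed = []
    for allow in rule.get("allowed", []):
        proto = allow["IPProtocol"].lower()
        for port in allow.get("ports") or ["*"]:  # no "ports" key means every port
            lo, _, hi = port.partition("-")
            if not hi and f"{proto}:{lo}" in WEB_PORTS:
                continue  # single accepted web port; a range such as 1-1024 is still flagged
            exposed.append(f"{proto}:{port}")
    return exposed

def audit_rules(rules_json: str) -> Dict[str, List[str]]:
    """Map each rule name to what it exposes to the Internet; clean rules are omitted."""
    findings = {}
    for rule in json.loads(rules_json):
        exposed = exposed_services(rule)
        if exposed:
            findings[rule["name"]] = exposed
    return findings

if __name__ == "__main__":
    for name, services in audit_rules(SAMPLE_RULES).items():
        print(f"{name}: open to the Internet on {', '.join(services)}")
```

Save real output with `gcloud compute firewall-rules list --format=json > rules.json` and pass its contents to `audit_rules`.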
Load Balancing
| Type | Scope | Usage |
|---|---|---|
| Global HTTP(S) | Global | Web apps |
| Regional HTTP(S) | Regional | Compliance |
| TCP/UDP Network | Regional | Gaming |
| Internal HTTP(S) | Regional | Microservices |
Cloud Storage
# Bucket
gsutil mb -l REGION gs://BUCKET
# Upload/Download
gsutil cp FILE gs://BUCKET/
gsutil cp gs://BUCKET/FILE ./
# Sync
gsutil rsync -r ./DIR gs://BUCKET/DIR
| Class | Min storage | Access |
|---|---|---|
| Standard | - | Frequent |
| Nearline | 30 days | 1x/month |
| Coldline | 90 days | 1x/quarter |
| Archive | 365 days | 1x/year |
Databases
| Service | Type | Scale |
|---|---|---|
| Cloud SQL | RDBMS | Vertical |
| Spanner | NewSQL Global | Horizontal |
| Firestore | Document | Auto |
| Bigtable | Wide-column | Nodes |
| BigQuery | Data Warehouse | Serverless |
IAM
# Add a binding
gcloud projects add-iam-policy-binding PROJECT \
--member="user:EMAIL" \
--role="ROLE"
# Recommended roles
roles/viewer # Read-only
roles/editor # Modify (avoid)
roles/owner # Admin (avoid)
roles/SERVICE.ROLE # Predefined (prefer these)
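As an added example that is not part of the original sheet: a Python check that reads a project IAM policy, as saved from `gcloud projects get-iam-policy PROJECT --format=json`, and reports every grant of the basic roles to avoid (roles/owner, roles/editor) and every grant to a public principal (allUsers, allAuthenticatedUsers); the sample policy, members and etag are constructed assumptions.

```python
import json
from typing import Dict, List

# Constructed sample shaped like `gcloud projects get-iam-policy PROJECT --format=json`.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/owner", "members": ["user:alice@example.com"]},
        {"role": "roles/editor", "members": ["serviceAccount:build@example.iam.gserviceaccount.com"]},
        {"role": "roles/viewer", "members": ["allAuthenticatedUsers"]},
        {"role": "roles/storage.objectViewer", "members": ["group:devs@example.com", "allUsers"]},
        {"role": "roles/logging.viewer", "members": ["user:bob@example.com"]},
    ],
    "etag": "BwExampleEtag=",
    "version": 1,
})

AVOID_ROLES = {"roles/owner", "roles/editor"}            # basic roles the sheet says to avoid
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}  # principals that mean "anyone"

def audit_policy(policy_json: str) -> List[Dict[str, str]]:
    """One finding per (role, member) that is a basic role to avoid or a grant to a public principal."""
    findings = []
    for binding in json.loads(policy_json).get("bindings", []):
        role = binding.get("role", "")
        for member in binding.get("members", []):
            if role in AVOID_ROLES:
                findings.append({"role": role, "member": member,
                                 "issue": "basic role; replace with a predefined roles/SERVICE.ROLE"})
            if member in PUBLIC_MEMBERS:
                findings.append({"role": role, "member": member,
                                 "issue": "granted to a public principal"})
    return findings

if __name__ == "__main__":
    for f in audit_policy(SAMPLE_POLICY):
        print(f"{f['role']:30} {f['member']:55} {f['issue']}")
```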
Service Accounts
# Create
gcloud iam service-accounts create NAME
# Workload Identity (GKE)
gcloud iam service-accounts add-iam-policy-binding \
SA@PROJECT.iam.gserviceaccount.com \
--role=roles/iam.workloadIdentityUser \
--member="serviceAccount:PROJECT.svc.id.goog[NS/KSA]"
Secret Manager & KMS
# Secret
gcloud secrets create NAME
echo "value" | gcloud secrets versions add NAME --data-file=-
gcloud secrets versions access latest --secret=NAME
# KMS
gcloud kms keyrings create RING --location=LOC
gcloud kms keys create KEY --keyring=RING \
--location=LOC --purpose=encryption
Monitoring & Logging
4 Golden Signals
- Latency - response time
- Traffic - requests/sec
- Errors - error rate
- Saturation - CPU/Mem usage
# Logs Explorer query (Logging query language)
resource.type="gce_instance"
severity>=ERROR
Pub/Sub & Dataflow
# Pub/Sub
gcloud pubsub topics create TOPIC
gcloud pubsub subscriptions create SUB --topic=TOPIC
gcloud pubsub topics publish TOPIC --message="msg"
# Dataflow: Apache Beam runner
# Pipeline: Read -> Transform -> Write
Pricing
| Discount | Reduction | Commitment |
|---|---|---|
| Sustained Use | ~30% | Automatic |
| 1-year CUD | ~37% | 1 year |
| 3-year CUD | ~57% | 3 years |
| Spot VMs | 60-91% | Preemptible |
Well-Architected Framework
- Operational excellence - Automation, CI/CD
- Security - IAM, encryption, audit
- Reliability - HA, DR, SLOs
- Performance - Scaling, caching
- Cost optimization - Right-sizing, CUDs
- Sustainability - Green regions
App Engine
# Deploy
gcloud app deploy app.yaml
# Traffic splitting
gcloud app services set-traffic default \
--splits=v1=90,v2=10
# Standard: scale-to-zero, ms startup
# Flexible: custom Docker, VPC access
# Only one App Engine app per project
Cloud DNS & Network Tiers
# DNS zone
gcloud dns managed-zones create ZONE \
--dns-name="example.com." \
--visibility=public
# Record
gcloud dns record-sets create www.example.com. \
--zone=ZONE --type=A --rrdatas="IP"
# Network Tiers
Premium: Google's private backbone, global LB
Standard: public Internet, ~30% cheaper
Memorystore
# Redis (recommended)
gcloud redis instances create CACHE \
--size=5 --region=REGION \
--tier=standard --redis-version=redis_7_0
# Redis: rich data structures, persistence, HA
# Memcached: simple key/value, multi-threaded
# Reachable only from inside the VPC
Cloud Composer
# Managed Airflow environment
gcloud composer environments create ENV \
--location=REGION \
--image-version=composer-2.x-airflow-2.x
# DAG = workflow (Python)
# Operators: BigQuery, Dataflow, GCS...
# Expensive: prefer Cloud Workflows for simple orchestration
SLO / SLI / SLA
| Concept | Definition |
|---|---|
| SLI | Measured metric |
| SLO | Internal target (e.g. 99.9%) |
| SLA | Customer contract (< SLO) |
| Error Budget | 1 - SLO = allowed error margin |
SLO 99.9% = 43 min downtime/month
Migration (6 R)
| Strategy | Effort |
|---|---|
| Rehost (Lift & Shift) | Low |
| Replatform | Medium |
| Refactor | High |
| Repurchase (SaaS) | Variable |
| Retire | Low |
| Retain | None |
Tools: Migrate to VMs, DB Migration Service,
Transfer Appliance (>20TB, physical shipment)
Disaster Recovery
| Pattern | RPO | RTO |
|---|---|---|
| Cold | Hours | Hours+ |
| Warm | Minutes | Minutes |
| Hot | Seconds | Seconds |
RPO = maximum acceptable data loss
RTO = maximum acceptable recovery time
Test your DR regularly!
Certification Tips
- 100% scenario-based questions
- 4 case studies: EHR Healthcare, Helicopter Racing, Mountkirk Games, TerramEarth
- Focus on the "why", not the "how"
- Think security and cost first
- Know the trade-offs between services
- Customer SLA < internal SLO, always