gcp-architecture — community gcp-architecture, CodeAssist, community, ide skills, Claude Code, Cursor, Windsurf

v1.0.0
GitHub

About this Skill

Ideal for Cloud Infrastructure Agents requiring expertise in designing secure and scalable Google Cloud Platform architectures. Coding Prompt to kickstart a Vibe Code session

liauw-media
Updated: 3/5/2026

Agent Capability Analysis

The gcp-architecture skill by liauw-media is an open-source community AI agent skill for Claude Code and other IDE workflows, helping agents execute tasks with better context, repeatability, and domain-specific guidance.

Ideal Agent Persona

Ideal for Cloud Infrastructure Agents requiring expertise in designing secure and scalable Google Cloud Platform architectures.

Core Value

Empowers agents to deploy applications to GCP services, configure IAM policies and service accounts, and optimize costs and performance using Google Kubernetes Engine (GKE) and Virtual Private Cloud (VPC) networking.

Capabilities Granted for gcp-architecture

  • Designing GCP architecture for new projects
  • Deploying applications to GCP services
  • Configuring networking and security with VPC and IAM

Prerequisites & Limits

  • Requires Google Cloud Platform account
  • GCP services and billing setup needed

SKILL.md

Google Cloud Platform Architecture

Comprehensive guide for building secure, scalable infrastructure on Google Cloud Platform.

When to Use

  • Designing GCP architecture for new projects
  • Deploying applications to GCP services
  • Setting up networking (VPC, firewall rules)
  • Configuring IAM policies and service accounts
  • Working with GKE (Google Kubernetes Engine)
  • Optimizing costs and performance

Core Services Overview

Compute

| Service | Use Case | Key Features |
|---|---|---|
| Compute Engine | Virtual machines | Full control, custom images |
| GKE | Managed Kubernetes | Autopilot mode, node auto-provisioning |
| Cloud Run | Serverless containers | Scale to zero, any container |
| Cloud Functions | Serverless functions | Event-driven, 2nd gen |
| App Engine | PaaS | Standard/Flexible environments |

Storage

| Service | Use Case | Key Features |
|---|---|---|
| Cloud Storage | Object storage | Multi-regional, lifecycle |
| Persistent Disk | Block storage (GCE) | SSD/HDD, snapshots |
| Filestore | Managed NFS | High performance |
| Cloud SQL | Managed SQL | MySQL, PostgreSQL, SQL Server |
| Firestore | NoSQL document | Serverless, realtime |
| BigQuery | Data warehouse | Serverless, petabyte-scale |
| Cloud Spanner | Global SQL | Horizontal scaling |
| Memorystore | Managed Redis | In-memory cache |

Networking

| Service | Use Case | Key Features |
|---|---|---|
| VPC | Virtual network | Global, shared VPC |
| Cloud Load Balancing | Global LB | Layer 4/7, anycast IPs |
| Cloud CDN | Content delivery | Edge caching |
| Cloud DNS | DNS management | 100% SLA |
| Cloud NAT | Outbound NAT | No external IPs needed |

VPC Architecture

Shared VPC Pattern

┌──────────────────────────────────────────────────────────────────┐
│ Host Project (Shared VPC)                                        │
│                                                                  │
│  ┌────────────────────────────────────────────────────────────┐  │
│  │ VPC Network: shared-vpc                                    │  │
│  │                                                            │  │
│  │  ┌─────────────────────┐    ┌─────────────────────┐       │  │
│  │  │ Subnet: prod-app    │    │ Subnet: prod-data   │       │  │
│  │  │ 10.0.0.0/20         │    │ 10.0.16.0/20        │       │  │
│  │  │ us-central1         │    │ us-central1         │       │  │
│  │  └─────────────────────┘    └─────────────────────┘       │  │
│  │                                                            │  │
│  │  ┌─────────────────────┐    ┌─────────────────────┐       │  │
│  │  │ Subnet: staging-app │    │ Subnet: staging-data│       │  │
│  │  │ 10.1.0.0/20         │    │ 10.1.16.0/20        │       │  │
│  │  │ us-central1         │    │ us-central1         │       │  │
│  │  └─────────────────────┘    └─────────────────────┘       │  │
│  └────────────────────────────────────────────────────────────┘  │
└──────────────────────────────────────────────────────────────────┘
         │                              │
         ▼                              ▼
┌─────────────────────┐      ┌─────────────────────┐
│ Service Project A   │      │ Service Project B   │
│ (Production)        │      │ (Staging)           │
│                     │      │                     │
│ GKE, Cloud Run      │      │ GKE, Cloud Run      │
│ Cloud SQL           │      │ Cloud SQL           │
└─────────────────────┘      └─────────────────────┘

Terraform VPC

```hcl
# VPC Network
resource "google_compute_network" "main" {
  name                    = "${var.project_id}-vpc"
  auto_create_subnetworks = false
  routing_mode            = "GLOBAL"
}

# Subnets
resource "google_compute_subnetwork" "app" {
  name          = "${var.project_id}-app-subnet"
  ip_cidr_range = "10.0.0.0/20"
  region        = var.region
  network       = google_compute_network.main.id

  secondary_ip_range {
    range_name    = "pods"
    ip_cidr_range = "10.100.0.0/16"
  }

  secondary_ip_range {
    range_name    = "services"
    ip_cidr_range = "10.200.0.0/20"
  }

  private_ip_google_access = true

  log_config {
    aggregation_interval = "INTERVAL_5_SEC"
    flow_sampling        = 0.5
    metadata             = "INCLUDE_ALL_METADATA"
  }
}

# Cloud NAT
resource "google_compute_router" "main" {
  name    = "${var.project_id}-router"
  region  = var.region
  network = google_compute_network.main.id
}

resource "google_compute_router_nat" "main" {
  name                               = "${var.project_id}-nat"
  router                             = google_compute_router.main.name
  region                             = var.region
  nat_ip_allocate_option             = "AUTO_ONLY"
  source_subnetwork_ip_ranges_to_nat = "ALL_SUBNETWORKS_ALL_IP_RANGES"

  log_config {
    enable = true
    filter = "ERRORS_ONLY"
  }
}

# Firewall Rules
resource "google_compute_firewall" "allow_internal" {
  name    = "${var.project_id}-allow-internal"
  network = google_compute_network.main.name

  allow {
    protocol = "tcp"
  }
  allow {
    protocol = "udp"
  }
  allow {
    protocol = "icmp"
  }

  source_ranges = ["10.0.0.0/8"]
}

resource "google_compute_firewall" "allow_health_checks" {
  name    = "${var.project_id}-allow-health-checks"
  network = google_compute_network.main.name

  allow {
    protocol = "tcp"
  }

  source_ranges = [
    "35.191.0.0/16",  # GCP Health Checks
    "130.211.0.0/22", # GCP Health Checks
  ]

  target_tags = ["allow-health-checks"]
}
```
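The address plan above (four /20 subnets in the Shared VPC diagram, the `pods` and `services` secondary ranges, and the /28 control-plane block the GKE clusters later in this skill use) is easy to break when a subnet is added. The Python below is an added example, not part of the skill: it checks the page's ranges for overlap, lists which ranges the allow-internal firewall rule (source `10.0.0.0/8`) does not cover, and computes how many nodes and Services the GKE secondary ranges can hold. The range names are constructed labels; the CIDR values are the ones on this page.

```python
"""IP-plan checks for the Shared VPC layout and GKE ranges in this section.

Added example, not part of the skill; standard library only.
"""
from ipaddress import ip_network
from itertools import combinations

# Constructed from the page: subnets from the Shared VPC diagram, secondary
# ranges and the control-plane block from the Terraform in this section.
PLAN = {
    "prod-app": "10.0.0.0/20",
    "prod-data": "10.0.16.0/20",
    "staging-app": "10.1.0.0/20",
    "staging-data": "10.1.16.0/20",
    "gke-pods": "10.100.0.0/16",
    "gke-services": "10.200.0.0/20",
    "gke-master": "172.16.0.0/28",
}
ALLOW_INTERNAL_SOURCE = "10.0.0.0/8"  # source_ranges of the allow-internal rule


def find_overlaps(plan):
    """Pairs of named ranges that overlap; an empty list means the plan is clean."""
    nets = [(name, ip_network(cidr)) for name, cidr in plan.items()]
    return [(a, b) for (a, na), (b, nb) in combinations(nets, 2) if na.overlaps(nb)]


def not_covered_by(plan, source_cidr=ALLOW_INTERNAL_SOURCE):
    """Named ranges that fall outside a firewall rule's source range."""
    src = ip_network(source_cidr)
    return sorted(name for name, cidr in plan.items() if not ip_network(cidr).subnet_of(src))


def gke_capacity(pods_cidr, services_cidr, node_pod_prefix=24):
    """Node and Service counts the secondary ranges allow (GKE's default is a /24 per node)."""
    pods, services = ip_network(pods_cidr), ip_network(services_cidr)
    return {
        "max_nodes": 2 ** (node_pod_prefix - pods.prefixlen),
        "max_services": services.num_addresses,
    }


def master_block_ok(cidr):
    """A GKE private cluster control plane needs exactly a /28 (master_ipv4_cidr_block)."""
    return ip_network(cidr).prefixlen == 28


if __name__ == "__main__":
    print("overlaps:", find_overlaps(PLAN))
    print("outside allow-internal:", not_covered_by(PLAN))
    print("gke capacity:", gke_capacity(PLAN["gke-pods"], PLAN["gke-services"]))
    print("master is a /28:", master_block_ok(PLAN["gke-master"]))
```

`gke-master` showing up as uncovered is expected: the control-plane block lives outside the VPC and is reached through the connection GKE provisions, so the internal rule does not need to include it. The overlap check is the one to rerun every time a subnet or secondary range is added to the shared VPC.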

IAM & Service Accounts

Service Account Best Practices

```hcl
# Application Service Account
resource "google_service_account" "app" {
  account_id   = "${var.project_id}-app-sa"
  display_name = "Application Service Account"
}

# Workload Identity for GKE
resource "google_service_account_iam_binding" "workload_identity" {
  service_account_id = google_service_account.app.name
  role               = "roles/iam.workloadIdentityUser"
  members = [
    "serviceAccount:${var.project_id}.svc.id.goog[${var.namespace}/${var.k8s_service_account}]"
  ]
}

# Grant specific permissions
resource "google_project_iam_member" "app_storage" {
  project = var.project_id
  role    = "roles/storage.objectUser"
  member  = "serviceAccount:${google_service_account.app.email}"

  condition {
    title      = "Only app bucket"
    expression = "resource.name.startsWith('projects/_/buckets/${var.project_id}-app-data')"
  }
}

resource "google_project_iam_member" "app_secretmanager" {
  project = var.project_id
  role    = "roles/secretmanager.secretAccessor"
  member  = "serviceAccount:${google_service_account.app.email}"
}

resource "google_project_iam_member" "app_cloudsql" {
  project = var.project_id
  role    = "roles/cloudsql.client"
  member  = "serviceAccount:${google_service_account.app.email}"
}
```

Custom IAM Role

```hcl
resource "google_project_iam_custom_role" "app_deployer" {
  role_id     = "appDeployer"
  title       = "Application Deployer"
  description = "Can deploy applications to Cloud Run and GKE"

  permissions = [
    "run.services.create",
    "run.services.update",
    "run.services.delete",
    "run.services.get",
    "container.deployments.create",
    "container.deployments.update",
    "container.services.create",
    "container.services.update",
  ]
}
```

GKE (Google Kubernetes Engine)

GKE Autopilot Cluster

```hcl
resource "google_container_cluster" "main" {
  name     = "${var.project_id}-gke"
  location = var.region

  # Autopilot mode
  enable_autopilot = true

  network    = google_compute_network.main.name
  subnetwork = google_compute_subnetwork.app.name

  ip_allocation_policy {
    cluster_secondary_range_name  = "pods"
    services_secondary_range_name = "services"
  }

  private_cluster_config {
    enable_private_nodes    = true
    enable_private_endpoint = false
    master_ipv4_cidr_block  = "172.16.0.0/28"
  }

  master_authorized_networks_config {
    cidr_blocks {
      cidr_block   = var.authorized_network
      display_name = "Authorized Network"
    }
  }

  release_channel {
    channel = "REGULAR"
  }

  workload_identity_config {
    workload_pool = "${var.project_id}.svc.id.goog"
  }

  # Security
  binary_authorization {
    evaluation_mode = "PROJECT_SINGLETON_POLICY_ENFORCE"
  }

  deletion_protection = var.environment == "prod"
}
```

GKE Standard Cluster

```hcl
resource "google_container_cluster" "standard" {
  name     = "${var.project_id}-gke-standard"
  location = var.region

  # Remove default node pool
  remove_default_node_pool = true
  initial_node_count       = 1

  network    = google_compute_network.main.name
  subnetwork = google_compute_subnetwork.app.name

  ip_allocation_policy {
    cluster_secondary_range_name  = "pods"
    services_secondary_range_name = "services"
  }

  workload_identity_config {
    workload_pool = "${var.project_id}.svc.id.goog"
  }

  addons_config {
    http_load_balancing {
      disabled = false
    }
    horizontal_pod_autoscaling {
      disabled = false
    }
    gce_persistent_disk_csi_driver_config {
      enabled = true
    }
  }
}

resource "google_container_node_pool" "primary" {
  name     = "primary-pool"
  cluster  = google_container_cluster.standard.name
  location = var.region

  node_count = var.environment == "prod" ? 3 : 1

  autoscaling {
    min_node_count = var.environment == "prod" ? 3 : 1
    max_node_count = 10
  }

  management {
    auto_repair  = true
    auto_upgrade = true
  }

  node_config {
    machine_type = "e2-standard-4"
    disk_size_gb = 100
    disk_type    = "pd-ssd"

    oauth_scopes = [
      "https://www.googleapis.com/auth/cloud-platform"
    ]

    service_account = google_service_account.gke_nodes.email

    workload_metadata_config {
      mode = "GKE_METADATA"
    }

    shielded_instance_config {
      enable_secure_boot          = true
      enable_integrity_monitoring = true
    }

    labels = {
      environment = var.environment
    }

    tags = ["gke-node", var.environment]
  }
}
```

Cloud Run

Cloud Run Service

```hcl
resource "google_cloud_run_v2_service" "app" {
  name     = "${var.project_id}-app"
  location = var.region
  ingress  = "INGRESS_TRAFFIC_INTERNAL_LOAD_BALANCER"

  template {
    service_account = google_service_account.app.email

    scaling {
      min_instance_count = var.environment == "prod" ? 1 : 0
      max_instance_count = 100
    }

    containers {
      image = "${var.region}-docker.pkg.dev/${var.project_id}/app/myapp:${var.image_tag}"

      ports {
        container_port = 8080
      }

      resources {
        limits = {
          cpu    = "2"
          memory = "1Gi"
        }
        cpu_idle = true # Scale to zero
      }

      env {
        name  = "PROJECT_ID"
        value = var.project_id
      }

      env {
        name = "DATABASE_URL"
        value_source {
          secret_key_ref {
            secret  = google_secret_manager_secret.db_url.secret_id
            version = "latest"
          }
        }
      }

      startup_probe {
        http_get {
          path = "/health"
        }
        initial_delay_seconds = 10
        period_seconds        = 3
        failure_threshold     = 3
      }

      liveness_probe {
        http_get {
          path = "/health"
        }
        period_seconds    = 30
        failure_threshold = 3
      }
    }

    vpc_access {
      network_interfaces {
        network    = google_compute_network.main.name
        subnetwork = google_compute_subnetwork.app.name
      }
      egress = "PRIVATE_RANGES_ONLY"
    }
  }

  traffic {
    type    = "TRAFFIC_TARGET_ALLOCATION_TYPE_LATEST"
    percent = 100
  }
}

# IAM - Allow unauthenticated (public API)
resource "google_cloud_run_v2_service_iam_member" "public" {
  count    = var.public_access ? 1 : 0
  location = google_cloud_run_v2_service.app.location
  name     = google_cloud_run_v2_service.app.name
  role     = "roles/run.invoker"
  member   = "allUsers"
}

# Custom domain
resource "google_cloud_run_domain_mapping" "app" {
  location = var.region
  name     = var.domain

  metadata {
    namespace = var.project_id
  }

  spec {
    route_name = google_cloud_run_v2_service.app.name
  }
}
```

Cloud SQL

PostgreSQL Instance

```hcl
resource "google_sql_database_instance" "main" {
  name             = "${var.project_id}-postgres"
  database_version = "POSTGRES_15"
  region           = var.region

  settings {
    tier              = var.environment == "prod" ? "db-custom-4-16384" : "db-f1-micro"
    availability_type = var.environment == "prod" ? "REGIONAL" : "ZONAL"
    disk_size         = 100
    disk_type         = "PD_SSD"
    disk_autoresize   = true

    backup_configuration {
      enabled                        = true
      start_time                     = "03:00"
      point_in_time_recovery_enabled = var.environment == "prod"
      transaction_log_retention_days = 7
      backup_retention_settings {
        retained_backups = var.environment == "prod" ? 30 : 7
      }
    }

    ip_configuration {
      ipv4_enabled    = false
      private_network = google_compute_network.main.id
      require_ssl     = true
    }

    database_flags {
      name  = "log_checkpoints"
      value = "on"
    }
    database_flags {
      name  = "log_connections"
      value = "on"
    }
    database_flags {
      name  = "log_disconnections"
      value = "on"
    }

    maintenance_window {
      day          = 7 # Sunday
      hour         = 3
      update_track = "stable"
    }

    insights_config {
      query_insights_enabled  = true
      query_string_length     = 1024
      record_application_tags = true
      record_client_address   = true
    }
  }

  deletion_protection = var.environment == "prod"
}

resource "google_sql_database" "main" {
  name     = var.database_name
  instance = google_sql_database_instance.main.name
}

resource "google_sql_user" "app" {
  name     = "app"
  instance = google_sql_database_instance.main.name
  password = random_password.db.result
}
```

Cloud Storage

Secure Bucket

```hcl
resource "google_storage_bucket" "data" {
  name          = "${var.project_id}-data"
  location      = var.region
  force_destroy = var.environment != "prod"

  uniform_bucket_level_access = true
  # Reject allUsers / allAuthenticatedUsers grants no matter which IAM binding adds them
  public_access_prevention = "enforced"

  versioning {
    enabled = true
  }

  encryption {
    default_kms_key_name = google_kms_crypto_key.storage.id
  }

  lifecycle_rule {
    condition {
      age = 90
    }
    action {
      type          = "SetStorageClass"
      storage_class = "NEARLINE"
    }
  }

  lifecycle_rule {
    condition {
      age = 365
    }
    action {
      type          = "SetStorageClass"
      storage_class = "COLDLINE"
    }
  }

  lifecycle_rule {
    condition {
      num_newer_versions = 3
    }
    action {
      type = "Delete"
    }
  }

  cors {
    origin          = ["https://${var.domain}"]
    method          = ["GET", "PUT", "POST"]
    response_header = ["*"]
    max_age_seconds = 3600
  }

  labels = local.common_labels
}

# Authoritative binding: only the app service account holds objectViewer on this bucket.
# On its own this does not block public access; public_access_prevention above does.
resource "google_storage_bucket_iam_binding" "prevent_public" {
  bucket = google_storage_bucket.data.name
  role   = "roles/storage.objectViewer"
  members = [
    "serviceAccount:${google_service_account.app.email}",
  ]
}
```

Cost Optimization

Committed Use Discounts

| Commitment | Discount |
|---|---|
| 1-year CUD | 37% |
| 3-year CUD | 55% |
| Spot VMs | 60-91% |

Budget Alerts

```hcl
resource "google_billing_budget" "main" {
  billing_account = var.billing_account_id
  display_name    = "${var.project_id} Budget"

  budget_filter {
    projects = ["projects/${var.project_id}"]
  }

  amount {
    specified_amount {
      currency_code = "USD"
      units         = var.monthly_budget
    }
  }

  threshold_rules {
    threshold_percent = 0.5
    spend_basis       = "CURRENT_SPEND"
  }

  threshold_rules {
    threshold_percent = 0.8
    spend_basis       = "CURRENT_SPEND"
  }

  threshold_rules {
    threshold_percent = 1.0
    spend_basis       = "FORECASTED_SPEND"
  }

  all_updates_rule {
    pubsub_topic = google_pubsub_topic.budget_alerts.id
  }
}
```

CLI Reference

```bash
# Auth
gcloud auth login
gcloud auth application-default login
gcloud config set project PROJECT_ID

# Compute
gcloud compute instances list
gcloud compute instances start INSTANCE
gcloud compute ssh INSTANCE --zone ZONE

# GKE
gcloud container clusters get-credentials CLUSTER --region REGION
gcloud container clusters list

# Cloud Run
gcloud run services list
gcloud run deploy SERVICE --image IMAGE --region REGION
gcloud run services update-traffic SERVICE --to-latest

# Cloud SQL
gcloud sql instances list
gcloud sql connect INSTANCE --user USER

# Storage
gsutil ls gs://BUCKET/
gsutil cp FILE gs://BUCKET/
gsutil rsync -r ./folder gs://BUCKET/folder

# Secrets
gcloud secrets list
gcloud secrets versions access latest --secret SECRET_NAME

# Logs
gcloud logging read "resource.type=cloud_run_revision" --limit 100
```

Security Checklist

  • VPC Service Controls enabled
  • Private Google Access enabled
  • Cloud NAT for outbound traffic
  • Workload Identity for GKE
  • Binary Authorization enabled
  • Cloud Armor for DDoS protection
  • Secret Manager for credentials
  • Cloud Audit Logs enabled
  • Security Command Center enabled
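The IAM, Cloud Run, Cloud SQL, Cloud Storage and GKE sections above each hinge on one or two settings that turn a private design into a public one when they drift: an `allUsers` binding, `ipv4_enabled` on the database, a bucket without uniform access or public-access prevention, a cluster without private nodes or Workload Identity. Checking those at plan time, before `terraform apply`, is the cheapest place to enforce the checklist. The Python below is an added example and not part of the skill or its `/security` integration: it walks the JSON that `terraform show -json` emits and reports findings for the resource types this skill defines. `SAMPLE_PLAN` is constructed by hand to mirror the `planned_values` layout (the `demo-project` and `demo-app-sa` names are placeholders), mixing this page's own resources with a few deliberately weak ones.

```python
"""Policy checks over a Terraform plan JSON for the GCP resources this skill defines.
Added example, not the skill's own code; SAMPLE_PLAN is hand-constructed to mirror
the planned_values layout produced by `terraform show -json tfplan`."""
import json
import sys
from collections import Counter

PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
OPEN_SOURCES = {"0.0.0.0/0", "::/0"}
SAFE_SSL_MODES = {"ENCRYPTED_ONLY", "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"}


def iter_resources(module):
    """Yield every planned resource, descending into child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def first_block(values, key):
    """Nested HCL blocks serialise as lists of objects; return the first one or {}."""
    blocks = values.get(key) or []
    return blocks[0] if blocks else {}


def check_plan(plan):
    """Return findings as dicts with address, severity and message."""
    findings = []

    def add(addr, severity, message):
        findings.append({"address": addr, "severity": severity, "message": message})

    for res in iter_resources(plan["planned_values"]["root_module"]):
        rtype, addr, v = res["type"], res["address"], res.get("values") or {}
        if rtype == "google_compute_firewall":
            open_src = OPEN_SOURCES & set(v.get("source_ranges") or [])
            all_ports = any(not rule.get("ports") for rule in v.get("allow") or [])
            if open_src:
                add(addr, "high" if all_ports else "medium",
                    f"ingress from {sorted(open_src)}" + (" on all ports" if all_ports else ""))
        elif rtype.endswith(("_iam_member", "_iam_binding")):
            members = set(v.get("members") or []) | ({v["member"]} if v.get("member") else set())
            public = members & PUBLIC_MEMBERS
            if public:
                # A public Cloud Run invoker is an explicit choice (var.public_access): report, don't fail.
                sev = "info" if rtype.startswith("google_cloud_run") else "high"
                add(addr, sev, f"{v.get('role')} granted to {sorted(public)}")
        elif rtype == "google_storage_bucket":
            if not v.get("uniform_bucket_level_access"):
                add(addr, "medium", "uniform_bucket_level_access is off (legacy ACLs allowed)")
            if v.get("public_access_prevention") != "enforced":
                add(addr, "medium", "public_access_prevention is not enforced")
        elif rtype == "google_sql_database_instance":
            ipc = first_block(first_block(v, "settings"), "ip_configuration")
            if ipc.get("ipv4_enabled"):
                add(addr, "high", "instance has a public IPv4 address")
            if not ipc.get("require_ssl") and ipc.get("ssl_mode") not in SAFE_SSL_MODES:
                add(addr, "medium", "unencrypted client connections are allowed")
        elif rtype == "google_container_cluster":
            if not first_block(v, "private_cluster_config").get("enable_private_nodes"):
                add(addr, "medium", "nodes get external IPs (enable_private_nodes is off)")
            if not first_block(v, "workload_identity_config").get("workload_pool"):
                add(addr, "medium", "Workload Identity is not configured")
            if first_block(v, "binary_authorization").get("evaluation_mode") in (None, "DISABLED"):
                add(addr, "medium", "Binary Authorization is not enforced")
    return findings


def summarize(findings):
    """Count findings per severity."""
    return dict(Counter(f["severity"] for f in findings))


def _res(address, **values):
    """Build one planned resource; the Terraform type is the address prefix."""
    return {"address": address, "type": address.split(".")[0], "values": values}


# Constructed sample: this page's resources plus a few deliberately weak ones.
SAMPLE_PLAN = {"planned_values": {"root_module": {"resources": [
    _res("google_compute_firewall.allow_internal", source_ranges=["10.0.0.0/8"],
         allow=[{"protocol": "tcp", "ports": []}]),
    _res("google_compute_firewall.allow_ssh_anywhere", source_ranges=["0.0.0.0/0"],
         allow=[{"protocol": "tcp", "ports": ["22"]}]),
    _res("google_compute_firewall.allow_everything", source_ranges=["0.0.0.0/0"],
         allow=[{"protocol": "all", "ports": []}]),
    _res("google_storage_bucket.data", uniform_bucket_level_access=True, public_access_prevention="enforced"),
    _res("google_storage_bucket.uploads", uniform_bucket_level_access=False),
    _res("google_storage_bucket_iam_member.uploads_public", role="roles/storage.objectViewer", member="allUsers"),
    _res("google_storage_bucket_iam_binding.prevent_public", role="roles/storage.objectViewer",
         members=["serviceAccount:demo-app-sa@demo-project.iam.gserviceaccount.com"]),
    _res("google_sql_database_instance.main",
         settings=[{"ip_configuration": [{"ipv4_enabled": False, "require_ssl": True}]}]),
    _res("google_cloud_run_v2_service_iam_member.public[0]", role="roles/run.invoker", member="allUsers"),
    _res("google_container_cluster.main", private_cluster_config=[{"enable_private_nodes": True}],
         workload_identity_config=[{"workload_pool": "demo-project.svc.id.goog"}],
         binary_authorization=[{"evaluation_mode": "PROJECT_SINGLETON_POLICY_ENFORCE"}]),
]}}}

if __name__ == "__main__":
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    for finding in check_plan(plan):
        print(f"[{finding['severity']}] {finding['address']}: {finding['message']}")
    print(summarize(check_plan(plan)))
```

Run it as `python check_plan.py plan.json` in the pipeline step that precedes apply and fail the job on any `high` finding; `info` findings exist so that the deliberate `allUsers` invoker behind `var.public_access` stays visible in review without blocking it.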

Integration

Works with:

  • /terraform - GCP provider configuration
  • /k8s - GKE deployments
  • /devops - GCP deployment pipelines
  • /security - GCP security review

FAQ & Installation Steps


Frequently Asked Questions

What is gcp-architecture?

Ideal for Cloud Infrastructure Agents requiring expertise in designing secure and scalable Google Cloud Platform architectures. Coding Prompt to kickstart a Vibe Code session

How do I install gcp-architecture?

Run the command: npx killer-skills add liauw-media/CodeAssist/gcp-architecture. It works with Cursor, Windsurf, VS Code, Claude Code, and 19+ other IDEs.

What are the use cases for gcp-architecture?

Key use cases include: Designing GCP architecture for new projects, Deploying applications to GCP services, Configuring networking and security with VPC and IAM.

Which IDEs are compatible with gcp-architecture?

This skill is compatible with Cursor, Windsurf, VS Code, Trae, Claude Code, OpenClaw, Aider, Codex, OpenCode, Goose, Cline, Roo Code, Kiro, Augment Code, Continue, GitHub Copilot, Sourcegraph Cody, and Amazon Q Developer. Use the Killer-Skills CLI for universal one-command installation.

Are there any limitations for gcp-architecture?

Requires Google Cloud Platform account. GCP services and billing setup needed.

How To Install

  1. Open your terminal

    Open the terminal or command line in your project directory.

  2. Run the install command

    Run: npx killer-skills add liauw-media/CodeAssist/gcp-architecture. The CLI will automatically detect your IDE or AI agent and configure the skill.

  3. Start using the skill

    The skill is now active. Your AI agent can use gcp-architecture immediately in the current project.
