GCP Compute Engine and VM (Road to Google Associate Cloud Engineer 2020 Certification)

Emanuele Pecorari
7 min read · Feb 21, 2021


Once IAM and network concepts are clear, we can start to build our applications on GCP.

The services available to deploy our application code belong to the GCP Compute family:

  • Compute Engine (GCE)
  • Kubernetes Engine (GKE)
  • App Engine
  • Cloud Run
  • Cloud Functions

The most basic service is GCE. It allows you to build Virtual Machines (VMs) with the configuration you want for your project. You have to size the machines, and you are responsible for keeping them updated with patches, configuring their networking, replicas, etc.

In this article we’ll see some useful information about GCE.

The types of VM

The table below summarizes the different machine classes that Google provides:

Each class has a list of predefined virtual machine configurations. We start with the

e2-standard-2 (2 vCPUs and 8 GB of memory)

The trailing number of a machine type is the number of vCPUs:

e2-standard-16

has, for example, 16 vCPUs.

In the standard class, the ratio between vCPUs and memory is 4 GB per vCPU, so the e2-standard-16 has 64 GB of memory.

The “highmem” type identifies machines with more memory than the standard ones, so the

e2-highmem-2

still has 2 vCPUs but 16 GB of memory (vs. the 8 GB of the e2-standard-2).

The availability of machine types depends on the region. For example, a specific type might be available in us-central but not in europe-west.

You will find questions asking which aspects of GCP vary between regions: availability of machine types is one of them.

Pricing

The price of a machine depends on the number of vCPUs and the amount of RAM. A standard machine balances CPU and RAM, while highmem gives more weight to memory. On the other hand, highcpu favours processor power.

With the same number of vCPUs, standard has more memory than highcpu, and memory has a bigger impact on price than CPU.

So n2-standard is more expensive than n2-highcpu.

In terms of price:

n2-highcpu < n2-standard < n2-highmem

Keep this in mind if you find questions about pricing of machine types.
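The naming rule (trailing number = vCPUs, standard = 4 GB per vCPU, highmem = 8 GB per vCPU) and the price ordering highcpu < standard < highmem from the two sections above, turned into a small checker. This is an added example for exam practice, not code from the article or from Google; the machine type names it accepts are an assumption based on the e2/n2 examples in the text.

```python
import re

# Memory-per-vCPU ratios as stated in the article: standard is 4 GB per vCPU,
# highmem 8 GB per vCPU (e2-highmem-2 = 16 GB). The article gives no ratio
# for highcpu, so it is deliberately left out here.
GB_PER_VCPU = {"standard": 4, "highmem": 8}

# Relative price rank within one family and vCPU count, as the article states.
PRICE_RANK = {"highcpu": 0, "standard": 1, "highmem": 2}

# Assumed shape of a predefined General Purpose type: <family>-<class>-<vcpus>
MACHINE_TYPE_RE = re.compile(
    r"^(?P<family>[a-z]\d[a-z]?)-(?P<cls>standard|highmem|highcpu)-(?P<vcpus>\d+)$"
)


def parse_machine_type(name):
    """Split e.g. 'e2-standard-16' into ('e2', 'standard', 16)."""
    m = MACHINE_TYPE_RE.match(name)
    if not m:
        raise ValueError(f"not a predefined General Purpose machine type: {name!r}")
    return m["family"], m["cls"], int(m["vcpus"])


def memory_gb(name):
    """Memory of a standard/highmem type from its vCPU count and class ratio."""
    _, cls, vcpus = parse_machine_type(name)
    if cls not in GB_PER_VCPU:
        raise ValueError(f"the article gives no memory ratio for class {cls!r}")
    return vcpus * GB_PER_VCPU[cls]


def cheaper_first(names):
    """Order types of the same family and vCPU count from cheapest to priciest."""
    parsed = [(n, *parse_machine_type(n)) for n in names]
    if len({(fam, v) for _, fam, _, v in parsed}) != 1:
        raise ValueError("compare types with the same family and vCPU count only")
    return [n for n, _, cls, _ in sorted(parsed, key=lambda p: PRICE_RANK[p[2]])]


if __name__ == "__main__":
    print(memory_gb("e2-standard-16"))  # 64
    print(cheaper_first(["n2-highmem-4", "n2-highcpu-4", "n2-standard-4"]))
```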

Custom machines

When the predefined machine types don’t satisfy your needs, you can create custom machine types based on the General Purpose (E and N) families, adjusting vCPUs and memory as you wish.

Custom machine types are ideal for the following scenarios:

  • Workloads that aren’t a good fit for the predefined machine types that are available to you.
  • Workloads that require more processing power or more memory but don’t need all of the upgrades that are provided by the next machine type levels.

Important thing to remember for certification questions: custom images can be shared across projects

Modify existent VMs

Some certification questions ask how you would change your VM configuration after it has been created. Normally, the answers rest on the idea that you should stop the instance, make the change you need, and restart it.

Modify memory
If you want to increase memory, terminate the instance and proceed with the memory increment before restarting it.

Attach a GPU to an existent VM
To attach a GPU to a running instance, the instance must be set to terminate during host maintenance. The option can be found in the Availability Policies section.

Also, be sure that the GPU is available in your project’s region. GPU availability is another thing that depends on the region. You might get questions asking which services depend on the region.

Change service account
To change the service account of a running instance you also need to stop it and then update the account. Keep in mind that the access scope of a VM can be modified only when it is using the default service account.

Exception: update of the disk
It’s possible to increase the size of a persistent disk after creation, but it’s not possible to decrease it. Resizing a disk doesn’t require stopping the instance. It’s still good practice to take a snapshot of the disk before the change to avoid data loss.

Metadata, labels and properties

Metadata is information that you set in the GCE control plane and that applications running on your GCE instances can read.

The command to fetch metadata from an app running on an instance is:

curl -H "Metadata-Flavor: Google" http://metadata.google.internal/computeMetadata/v1/

When querying the metadata of an instance you must provide the header “Metadata-Flavor: Google”.

This header indicates that the request was sent with the intention of retrieving metadata values, rather than unintentionally from an insecure source, and allows the metadata server to return the data you requested. If you do not provide this header, the metadata server denies your request.

Other data that you can attach to your instances are:

  • Labels: they are used to organize resources for billing and reporting.
  • Properties: they are used to set instance configuration, such as virtual CPUs, memory amount, etc.

Startup script

It’s possible to specify a script that is executed every time your instance starts. You can set it in 2 different ways:

  • While you’re creating the instance: in the console you can add the script code directly in the startup script field or use the command:
gcloud compute instances create example-instance --tags http-server \
  --metadata startup-script='#! /bin/bash
# Installs apache and a custom homepage
sudo su -
apt update
apt -y install apache2
cat <<EOF > /var/www/html/index.html
<html><body><h1>Hello World</h1>
<p>This page was created from a start up script.</p>
</body></html>
EOF'
  • While editing an instance: adding a “startup-script” metadata key after having stopped the instance. There is no explicit field for the startup script in edit mode.

Preemptible instances

A preemptible VM is an instance that you can create and run at a much lower price than normal instances.

However, Compute Engine might terminate (preempt) these instances if it requires access to those resources for other tasks.

These instances are a good answer to test questions where you have a process that can tolerate being stopped at any time and saving budget is required.

Compute Engine always terminates preemptible instances after they have run for 24 hours, unless an action that resets the counter happens (an action that moves the instance to the TERMINATED state).

For preemptible instances you can provide a shutdown script (limited to 256 KB). The script has 30 seconds to complete (see the CLI command details at the end of the article).

Shielded VMs

Shielded VMs are virtual machines (VMs) hardened by a set of security controls that help defend against rootkits and bootkits.

Using Shielded VMs helps protect enterprise workloads from threats like remote attacks, privilege escalation, and malicious insiders. Shielded VMs leverage advanced platform security capabilities such as secure and measured boot, a virtual trusted platform module (vTPM), UEFI firmware, and integrity monitoring.

Windows based instances

Questions about Windows-based instances are mainly focused on how to access them.

When you create an MS Windows-based instance, you access it by getting the credentials and connecting with an RDP client.

To get the credentials you have 2 possibilities:

  1. with the command:
gcloud compute reset-windows-password

  2. through the Google Console:

  • On the VM instance details page, click Set Windows password.
  • In the Username field, enter the username to change the password for, or enter a new username to create a new user.
  • Click Set.

What’s OSLogin and when to use it

OS Login maintains a consistent Linux user identity across VM instances and is the recommended way to manage many users across multiple instances or projects.

You can let users SSH to a VM with a non-administrator account. To do that, enable OS Login by setting the metadata enable-oslogin: TRUE and then assign the role compute.osLogin to the accounts that need to SSH.

You can activate OS Login at project level or instance level.

This is a good solution that avoids having to manage access via private and public keys.

Live Migration

Compute Engine offers live migration to keep your virtual machine instances running even when a host system event, such as a software or hardware update, occurs.

It migrates running instances to another host in the same zone so that Google can perform maintenance such as a software or hardware update. It cannot be used to change the machine type.

Important reminder about roles

Be aware that the default Compute Engine service account has the Cloud IAM Project Editor role, which can create/modify resources, view permissions, etc.

Often, this goes against the principle that Google recommends: “least privilege”. So, choose your VM’s service account roles carefully to respect best practices.

Focus on CLI commands

Create a preemptible instance with a shutdown script

gcloud compute instances create example-instance --preemptible \
  --metadata-from-file shutdown-script=examples/scripts/install.sh

You can avoid losing the disk of your preemptible instance with the creation flag

--no-boot-disk-auto-delete

Get metadata of a running instance

curl -H "Metadata-Flavor: Google" http://metadata.google.internal/computeMetadata/v1/

Add a startup script to an instance

gcloud compute instances create example-instance --tags http-server --metadata startup-script=....

Get Windows VM credentials

gcloud compute reset-windows-password
