Azure vs Google - Resources and Access Management comparison - Resource hierarchy, IAM



AZURE:



GCP:


 






Policy inheritance
In Google Cloud, the hierarchical organization of resources lets you set access control policies and configuration settings on a parent resource.




The child resources inherit the policies and IAM settings of the parent resource. 

Policies can be defined at the project, folder, and organization node levels. 

Some Google Cloud services allow policies to be applied to individual resources. 

For example, you can set policies on certain resources in BigQuery, Compute Engine, Pub/Sub, Cloud Storage, and many other services.
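To make the inheritance rule concrete, here is an added Python model of the hierarchy described above (example code, not part of the course material); the organization, folder, project and bucket names, the principals and the group are constructed placeholders. It computes a principal's effective roles on a resource as the union of the bindings from that resource up to the organization and records which node granted each role, which is the check an auditor wants when a permission shows up where it was not expected.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed model of the Google Cloud resource hierarchy:
# organization -> folder -> project -> resource. Every node carries its own
# IAM allow policy, a mapping of role -> members. All names are placeholders.

@dataclass
class Node:
    name: str                                   # e.g. "projects/payments-prod"
    parent: Optional["Node"] = None
    bindings: Dict[str, Set[str]] = field(default_factory=dict)

    def ancestry(self):
        """Yield this node, then each parent up to the organization root."""
        node = self
        while node is not None:
            yield node
            node = node.parent


def expand_principal(member: str, groups: Dict[str, Set[str]]) -> Set[str]:
    """A member matches bindings for itself and for every group it belongs to."""
    return {member} | {g for g, members in groups.items() if member in members}


def effective_roles(member: str, resource: Node,
                    groups: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Return {role: [nodes that grant it]} for `member` on `resource`.

    Allow policies are inherited downward and are purely additive: the
    effective policy is the union of the bindings on the resource and on every
    ancestor, so a role granted at the organization cannot be removed by a
    project or bucket policy below it. Recording the granting node tells an
    auditor where an unexpected permission actually comes from.
    """
    identities = expand_principal(member, groups)
    granted: Dict[str, List[str]] = {}
    for node in resource.ancestry():
        for role, members in node.bindings.items():
            if members & identities:
                granted.setdefault(role, []).append(node.name)
    return granted


def has_role(member: str, resource: Node, role: str,
             groups: Dict[str, Set[str]]) -> bool:
    return role in effective_roles(member, resource, groups)


# --- constructed sample hierarchy (placeholder values, not a real org) ---
GROUPS = {"group:storage-admins@example.com": {"user:alexander@example.com"}}

ORG = Node("organizations/EXAMPLE-ORG-ID", bindings={
    "roles/resourcemanager.organizationAdmin": {"user:alice@example.com"},
    # the quiz's item 4 pattern: objectAdmin via a group at the organization
    "roles/storage.objectAdmin": {"group:storage-admins@example.com"},
})
FOLDER = Node("folders/engineering", parent=ORG, bindings={
    "roles/viewer": {"user:bob@example.com"},
})
PROJECT = Node("projects/payments-prod", parent=FOLDER, bindings={
    "roles/editor": {"serviceAccount:app@payments-prod.iam.gserviceaccount.com"},
})
BUCKET = Node("buckets/payments-prod-invoices", parent=PROJECT, bindings={
    "roles/storage.objectViewer": {"user:bob@example.com"},
})

if __name__ == "__main__":
    for who in ("user:alexander@example.com", "user:bob@example.com"):
        print(who, "->", effective_roles(who, BUCKET, GROUPS))
```

Note that bindings only flow downward: a role granted on the folder gives nothing on the organization node itself.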



FOLDERS:

Google Cloud folders provide a way to organize Google Cloud Projects and other folders. 

They operate similarly to how Azure management groups organize Azure subscriptions.

Folders let you provide boundaries for different legal entities, departments, and teams. 


  • Folders can be viewed as sub-organizations
  • Folders allow delegation of administration rights
  • Folders can contain projects or other folders





Google Cloud's Resource Manager tool

Azure Resource Manager is a tool that lets an Azure administrator create, update, and delete resources, and use management features such as access control, locks, and tags.

With Azure Resource Manager, you use declarative templates (Bicep or JSON Azure Resource Manager templates) to manage resources as a group.


Google Cloud's Resource Manager is an application programming interface (API) that can gather a list of all the projects associated with an account, create new projects, update existing projects, and delete projects.

It can even recover projects that were previously deleted, and it can be accessed through the Remote Procedure Call (RPC) API and the REST API.







Organization roles

Organizations
An organization node is a root node for Google Cloud resources.

Organization roles include the Organization Admin and the Project Creator. 

The Organization Admin has control over all cloud resources. It is useful for auditing. 

The Project Creator controls project creation.

IAM :


IAM defines "who can do what on which resource."


GCP:


For Google Cloud, user identities are managed outside of Google Cloud. For example, Google Workspace or Gmail accounts can be used to manage identities.

With a tool called Cloud Identity, organizations can define policies and manage their users and groups using the Google Admin console.

Azure:


It is more common in Azure to have user identities managed by Active Directory tenants.

Azure uses IAM to refer to Azure Active Directory (Azure AD). Azure AD is extensive, covering areas from security through to multicloud identity and access management.


What is Cloud Identity?

Cloud Identity is an Identity as a Service (IDaaS) and enterprise mobility management (EMM) product. It offers the identity services and endpoint administration that are available in Google Workspace as a stand-alone product. 

As an administrator, you can use Cloud Identity to manage your users, apps, and devices from a central location—the Google Admin console.








Integrating with Azure AD or On-prem AD


If you already have an on-premises AD or an Azure AD-based solution in your organization, then here is some good news: Google Cloud can provide federated access management of your users without the need to create additional Google Identity accounts.

This allows your organization to migrate projects to Google Cloud while maintaining existing AD tenants and DNS domains. Google Cloud also supports AD's version of IAM for Windows applications, which allows you to use your existing org structure.





Google Cloud Directory Sync


What if you already have a different corporate directory? How can you get your users and groups into Google Cloud?

Google Cloud also offers a managed service for Microsoft Active Directory. 

Google Cloud Directory Sync (GCDS) is a highly available, hardened Google Cloud service that runs Active Directory (AD) on a Windows server and lets you manage authentications and Directory operations for AD-dependent cloud applications. 

  • Runs as a utility in your server environment
  • Syncs users, aliases, groups, and other data with your Google Account
  • Configure rules for custom mapping


Module 1 Quiz
Your score: 100% Passing score: 75%
Congratulations! You passed this assessment.

1. Consider an Azure environment, where there is an Azure Active Directory Service Principal and an Azure Managed Identity setup for a web application to access other services and resources. You need to set up an equivalent environment at Google. Which type of identity should you use in Google Cloud?

  • Identity and Access Management policy
  • Identity and Access Management user
  • Identity and Access Management role
  • Identity and Access Management service account (correct)

Correct! A service account is a special type of account used by an application or compute workload in Google Cloud.

2. Your organization uses Active Directory as its corporate directory. Which managed service in Google Cloud automates best practices to sync your data and manage authentication and directory operations for Active Directory dependent cloud applications?

  • Active Directory Federation Services
  • Identity and Access Management
  • Cloud Identity
  • Google Cloud Directory Sync (correct)

Correct! Google Cloud Directory Sync is a Google Cloud service that runs Active Directory on a Windows server and lets you manage authentications and Directory operations for AD-dependent cloud applications.

3. The Azure resource hierarchy uses management groups to organize subscriptions. These management groups contain resource groups with resources. How would you create a similar hierarchy in Google Cloud?

  • Subscriptions, folders, resource groups, resources
  • Folders, subscriptions, resource groups, resources
  • Folders, projects, resources (correct)
  • Projects, folders, resources

Correct! The resource hierarchy in Google Cloud is defined by four levels: organization, folder, project, and resource.

4. Alexander is a Storage Administrator, responsible for managing objects in Cloud Storage. He needs to have the right permissions for every project across the organization. What should you do?

  • Add Alexander to a group that has the roles/storage.objectAdmin role assigned at the organizational level. (correct)
  • Assign Alexander the roles/editor at the organizational level.
  • Assign Alexander the roles/viewer on each project and the roles/storage.objectCreator for each bucket.
  • Assign Alexander the roles/storage.objectCreator on every project.

Correct! This would give Alexander the right level of access across all projects in your company.

5. In Azure, PowerShell can be used to script, automate, and manage the Windows workloads running on Azure Virtual Machines. You need to reimplement your scripts in Google Cloud. Which similar tool could you use to reimplement your scripts in Google Cloud?

  • Google Apps Script
  • Cloud Shell
  • Google Cloud Console
  • Cloud SDK (correct)

Correct! The Cloud SDK provides this functionality.

6. Which option best describes the difference in how user identities are managed between Azure and Google Cloud?

  • In Azure, user identities are managed using Active Directory; in Google Cloud, user identities are managed using Google Groups in Identity and Access Management.
  • In Azure, user identities are managed using Active Directory; in Google Cloud, user identities are managed using roles in Identity and Access Management.
  • In Azure, user identities are managed using Active Directory; in Google Cloud, user identities are managed using policies in Identity and Access Management.
  • In Azure, user identities are managed using Active Directory; in Google Cloud, user identities are managed outside IAM. (correct)

Correct! A key difference in identity management between Azure and Google Cloud is that in Azure, user identities are managed using Active Directory, while in Google Cloud, user identities are managed outside IAM.




Working with the Google Cloud Console and Cloud Shell (Azure)
40 minutes
5 Credits
As an IT professional who is familiar with Azure, you know that people within your organization have different ways of interacting with the Azure infrastructure based on their particular needs. Let’s do a high level overview of the different ways you can interact with Azure infrastructure.

Azure Portal The Azure Portal is a web application that includes and refers to a broad collection of service tabs for managing Azure resources. When you first sign in, you see the Azure Portal home page. The home page provides access to each service tab and resource. This portal offers a single place to access the information that you need to perform your Azure related tasks.

Azure Cloud Shell The Azure Cloud Shell is a browser-based, pre-authenticated shell that is launched directly from the Azure Portal and gives you the opportunity to choose between either bash or PowerShell as your CLI tool.

Azure Command Line Interface (Azure CLI) The Azure CLI is an open-source tool that enables you to interact with Azure services and resources using commands in your command-line shell. As with any CLI you can write your own scripts and automations to deploy and manage services and resources.

Azure Resource Manager The Azure Resource Manager (ARM) acts as the deployment and management service for Azure, authenticating and authorizing requests before forwarding them to the appropriate Azure service.

For people in teams, such as development and testing, you create roles and then assign them to groups and users programmatically through the CLI client in order to define who can access Azure services and resources. Let’s explore the different options available to interact with Google Cloud.

Overview
In this lab, you become familiar with the Google Cloud web-based interface. There are two integrated environments: a GUI (graphical user interface) environment called the Cloud Console, and a CLI (command-line interface) called Cloud Shell. In this lab, you use both environments.

Here are a few things you need to know about the Cloud Console:

The Cloud Console is under continuous development, so occasionally the graphical layout changes. This is most often to accommodate new Google Cloud features or changes in the technology, resulting in a slightly different workflow.

You can perform most common Google Cloud actions in the Cloud Console, but not all actions. In particular, very new technologies or sometimes detailed API or command options are not implemented (or not yet implemented) in the Cloud Console. In these cases, the command line or the API is the best alternative.

The Cloud Console is extremely fast for some activities. The Cloud Console can perform multiple actions on your behalf that might require many CLI commands. It can also perform repetitive actions. In a few clicks you can accomplish activities that would require a lot of typing and would be susceptible to typing errors.

The Cloud Console is able to reduce errors by offering only valid options through its menus. It can leverage access to the platform "behind the scenes" through the SDK to validate configuration before submitting changes. A command line can't do this kind of dynamic validation.

Objectives
In this lab, you learn how to perform the following tasks:

Get access to Google Cloud.

Use the Cloud Console to create a Cloud Storage bucket.

Use Cloud Shell to create a Cloud Storage bucket.

Become familiar with Cloud Shell features.

Qwiklabs setup
For each lab, you get a new Google Cloud project and set of resources for a fixed time at no cost.

Sign in to Qwiklabs using an incognito window.

Note the lab's access time (for example, 1:15:00), and make sure you can finish within that time.
There is no pause feature. You can restart if needed, but you have to start at the beginning.

When ready, click Start lab.

Note your lab credentials (Username and Password). You will use them to sign in to the Google Cloud Console.

Click Open Google Console.

Click Use another account and copy/paste credentials for this lab into the prompts.
If you use other credentials, you'll receive errors or incur charges.

Accept the terms and skip the recovery resource page.

Note: Do not click End Lab unless you have finished the lab or want to restart it. This clears your work and removes the project.

Task 1. Use the Cloud Console to create a bucket
In this task, you create a bucket. However, the text also helps you become familiar with how actions are presented in the lab instructions in this class and teaches you about the Cloud Console interface.

Navigate to the Storage service and create the bucket
In the Cloud Console, on the Navigation menu, click Cloud Storage > Bucket.

Click Create.

For Name, type a globally unique bucket name; leave all other values as their defaults.

Click Create.

Explore features in the Cloud Console
The Google Cloud menu contains a Notifications icon. Sometimes, feedback from the underlying commands is provided there. If you are not sure what is happening, check Notifications for additional information and history.

Click Check my progress to verify the objective.

Task 2. Access Cloud Shell
In this section, you explore Cloud Shell and some of its features.

You can use the Cloud Shell to manage projects and resources via command line without having to install the Cloud SDK and other tools on your computer.

Cloud Shell provides the following:

  • Temporary Compute Engine VM
  • Command-line access to the instance via a browser
  • 5 GB of persistent disk storage ($HOME dir)
  • Pre-installed Cloud SDK and other tools
      • gcloud: for working with Compute Engine and many Google Cloud services
      • gsutil: for working with Cloud Storage
      • kubectl: for working with Google Kubernetes Engine and Kubernetes
      • bq: for working with BigQuery
  • Language support for Java, Go, Python, Node.js, PHP, and Ruby
  • Web preview functionality
  • Built-in authorization for access to resources and instances
Learn more about Cloud Shell from the Google Cloud Cloud Shell Documentation.

Note: After 1 hour of inactivity, the Cloud Shell instance is recycled. Only the /home directory persists. Any changes made to the system configuration, including environment variables, are lost between sessions.
Open Cloud Shell and explore features
In the Google Cloud menu, click Activate Cloud Shell. If prompted, click Continue. Cloud Shell opens at the bottom of the Cloud Console window.

There are three buttons on the far right of the Cloud Shell toolbar:

  • Minimize/Restore: The first one minimizes or restores the window, giving you full access to the Cloud Console without closing Cloud Shell.
  • Open in a new window: Having Cloud Shell at the bottom of the Cloud Console is useful when you are issuing individual commands. However, sometimes you will be editing files or want to see the full output of a command. For these uses, this button pops the Cloud Shell out into a full-sized terminal window.
  • Close terminal: This button closes Cloud Shell. Every time you close Cloud Shell, the virtual machine is reset and all machine context is lost.
Close Cloud Shell now.

Cloud Shell provides you with which of the following? (Select all that apply).

  • 5 GB of persistent storage (/home)
  • Built-in authorization for access to resources and instances
  • A command-line tool that requires you to install Cloud SDK
  • Command-line access to a free temporary Compute Engine VM

Task 3. Use Cloud Shell to create a Cloud Storage bucket
Create a second bucket and verify in the Cloud Console
Open Cloud Shell again.

Use the gsutil command to create another bucket. Replace <BUCKET_NAME> with a globally unique name (you can append a 2 to the globally unique bucket name you used previously):

gsutil mb gs://<BUCKET_NAME>
If prompted, click Authorize.
In the Cloud Console, on the Navigation menu, click Cloud Storage > Bucket, or click Refresh if you are already in the Storage browser. The second bucket should be displayed in the Buckets list.
Note: You have performed equivalent actions using the Cloud Console and Cloud Shell. You created a bucket using the Cloud Console and another bucket using Cloud Shell.
Click Check my progress to verify the objective.

Task 4. Explore more Cloud Shell features
Upload a file
Open Cloud Shell.

Click the More button in the Cloud Shell toolbar to display further options.

Click Upload. Upload any file from your local machine to the Cloud Shell VM. This file will be referred to as [MY_FILE].

In Cloud Shell, type ls to confirm that the file was uploaded.

Copy the file into one of the buckets you created earlier in the lab. Replace [MY_FILE] with the file you uploaded and [BUCKET_NAME] with one of your bucket names:

gsutil cp [MY_FILE] gs://[BUCKET_NAME]
If your filename contains whitespace, be sure to place single quotes around the filename. For example: gsutil cp 'my file.txt' gs://[BUCKET_NAME]

Note: You have uploaded a file to the Cloud Shell VM and copied it to a bucket.
Explore the options available in Cloud Shell by clicking on different icons in the Cloud Shell toolbar.
Close all the Cloud Shell sessions.
Click Check my progress to verify the objective.

Task 5. Create a persistent state in Cloud Shell
In this section, you learn a best practice for using Cloud Shell. The gcloud command often requires you to specify values such as a Region, Zone, or Project ID. Entering them repeatedly increases the chance of making typing errors. If you use Cloud Shell frequently, you may want to set common values in environment variables and use them instead of typing the actual values.

Identify available regions
Open Cloud Shell from the Cloud Console. Note that this allocates a new VM for you.

To list available regions, execute the following command:

gcloud compute regions list
Select a region from the list and note the value in any text editor. This region will now be referred to as [YOUR_REGION] in the remainder of the lab.

Create and verify an environment variable
Create an environment variable and replace [YOUR_REGION] with the region you selected in the previous step:

INFRACLASS_REGION=[YOUR_REGION]
Verify it with echo:

echo $INFRACLASS_REGION
You can use environment variables like this in gcloud commands to reduce the opportunities for typos and so that you won't have to remember a lot of detailed information.

Note: Every time you close Cloud Shell and reopen it, a new VM is allocated, and the environment variable you just set disappears. In the next steps, you create a file to set the value so that you won't have to enter the command each time Cloud Shell is reset.
Append the environment variable to a file
Create a subdirectory for materials used in this lab:

mkdir infraclass
Create a file called config in the infraclass directory:

touch infraclass/config
Append the value of your Region environment variable to the config file:

echo INFRACLASS_REGION=$INFRACLASS_REGION >> ~/infraclass/config
Create a second environment variable for your Project ID, replacing [YOUR_PROJECT_ID] with your Project ID. You can find the project ID on the Cloud Console Home page.

INFRACLASS_PROJECT_ID=[YOUR_PROJECT_ID]
Append the value of your Project ID environment variable to the config file:

echo INFRACLASS_PROJECT_ID=$INFRACLASS_PROJECT_ID >> ~/infraclass/config
Use the source command to set the environment variables, and use the echo command to verify that the project variable was set:

source infraclass/config
echo $INFRACLASS_PROJECT_ID
Note: This gives you a method to create environment variables and to easily recreate them if the Cloud Shell is recycled or reset. However, you will still need to remember to issue the source command each time Cloud Shell is opened. In the next step, you modify the .profile file so that the source command is issued automatically every time a terminal to Cloud Shell is opened.
Close and re-open Cloud Shell. Then issue the echo command again:

echo $INFRACLASS_PROJECT_ID
There will be no output because the environment variable no longer exists.

Modify the bash profile and create persistence
Edit the shell profile with the following command:

nano .profile
Add the following line to the end of the file:

source infraclass/config
Press Ctrl+O, ENTER to save the file, and then press Ctrl+X to exit nano.

Close and then re-open Cloud Shell to reset the VM.

Use the echo command to verify that the variable is still set:

echo $INFRACLASS_PROJECT_ID
You should now see the expected value that you set in the config file.

Note: If your Cloud Shell environment is ever corrupted, instructions on resetting it are in the Cloud Shell Documentation article titled Disabling or Resetting Cloud Shell. This will cause everything in your Cloud Shell environment to be set back to its original default state.

To create a persistent state in Cloud Shell, which file would you configure?

  • .bashrc
  • .my_variables
  • .profile
  • .config

Task 6. Review the Google Cloud interface
Cloud Shell is an excellent interactive environment for exploring Google Cloud by using Google Cloud SDK commands like gcloud and gsutil.

You can install the Google Cloud SDK on a computer or on a VM instance in Google Cloud. The gcloud and gsutil commands can be automated by using a scripting language like bash (Linux) or Powershell (Windows). You can also explore using the command-line tools in Cloud Shell, and then use the parameters as an implementation guide in the SDK using one of the supported languages.

The Google Cloud interface consists of two parts: the Cloud Console and Cloud Shell.

The Console:

  • Provides a fast way to perform tasks.
  • Presents options to you, instead of requiring you to know them.
  • Performs behind-the-scenes validation before submitting the commands.

Cloud Shell provides:

  • Detailed control
  • A complete range of options and features
  • A path to automation through scripting

In this lab, you've explored the tools that you can use in Google Cloud. These tools manage the scripts that run your operations, as well as deploy and manage your resources programmatically similar to how you manage them in Azure. Let's do a quick recap of the similarities and differences between Azure and Google Cloud Platform.

Similarities:

  • Azure and Google Cloud Platform are public cloud providers that offer a range of services for hosting and managing applications and data.
  • Both platforms offer a web-based console that allows users to manage resources and services, view usage and billing information, and access documentation and support.
  • Both provide command-line interfaces (CLI) and shell environments for managing resources and automating tasks.

Differences:

  • Azure's web-based portal is called the Azure portal, while Google's equivalent is the Google Cloud Console.
  • Azure offers a PowerShell-based CLI, while Google Cloud Platform offers only a Bash-based CLI.
  • Azure's shell environment is called Azure Cloud Shell and is browser-based, while Google Cloud Platform's shell environment is called Cloud Shell and is integrated into the Cloud Console.
  • Azure provides a broader range of services for Windows-based workloads, while Google Cloud Platform has a stronger focus on Linux-based workloads.











