Motivation
I think there are many reasons to decide to take on a professional certification: learning, enhancing your resumé, being strongly advised by your management for a given position, etc.
In my case, it was rather curiosity: my employer announced this summer that they would pay for a Google certification, and there was a choice of three, as far as I remember: Professional Cloud Architect, Security Engineer, and Data Engineer.
I have decent AWS and Terraform experience (3+ years of professional experience), the same for Kubernetes, and I have played around with Google Cloud several times. Could be interesting and should be a walk in the park, right? Well… so I thought 😖
Going through all the certification program stages
After I registered for the program (July 16th), I was accepted into a cohort (August 19th) for Stage 1 (a few labs to complete in 7 days), which eventually gave access to the main event: Stage 2, where lessons were given every week (until November) with an instructor, and at least 5 badges (out of 6) had to be earned before asking for a voucher for the 2-hour-long, multiple-choice, proctored exam (latest date: December 30th).
So it's a 6-month-long experience; the lessons are recorded in case you can't make room for the Stage 2 weekly Tuesday class, 10 AM to 12 PM (I could not attend any of them 😩), and the badges are earned when you complete a series of labs, some of them almost 8 hours long!
The classes
Well, I skipped them, so I can't really describe them 😅; but one thing you should know: they're about preparing for the exam, not hands-on Google Cloud services; for that you have the self-paced labs and their badges.
The labs
For the most part, they're pretty interesting: you receive Cloud Credits that you can spend on labs; each lab then provisions a temporary account (for 30 min to 2 hours), where you discover Google Cloud services through exercises using the Google Cloud console (the GUI), the Google Cloud Shell (a shell that has access to your temporary account/project), or even Terraform.
During all the labs, you have a checkpoint button that verifies your progress; it usually works fine, but sometimes it takes a while to detect that you did what was asked…
Labs are usually pretty easy, sometimes boring (repeating the same steps several times); you just need to follow the steps. Except for the final lab of a series! That one does not guide you, and it can be challenging (but more interesting, as you need to apply your experience and previously acquired knowledge).
I completed 5 out of the 6 labs (I failed the last lab of one series 😞 and never retried it… yet, because I think I still can if I want with my remaining credits; speaking of credits, there are people actively looking for some, see this Google Cloud community). Then my Google Cloud profile was updated with those badges, as was another service named Credly, which links to your Google account to display your badges too. It's kind of confusing that there are two different places to showcase your badges; just make sure you create your Credly account, because this is where your certification diploma will be uploaded.
After those labs were completed and those badges acquired, I had the opportunity to fill in a Google form to ask for a voucher to register for the exam.
The problem was that it was already December 16th and my agenda only allowed me to choose December 24th as the exam date: I had 8 days (but really only 3, because I was working) to prepare for the exam 😱
Preparing for the exam
I decided to use external resources rather than the recorded sessions to fill the gap. I wanted to go through as many mock exams as possible.
Here are the external resources I used:
- Google Cloud Certified Professional Cloud Architect Study Guide: Second Edition, by Dan Sullivan. A bit outdated (published in 2022; by December 2024, many services had been renamed, like Dataprep, integrated into BigQuery, or even discontinued, like Stackdriver Debugger), but through some mock exams I began realizing that I absolutely needed to learn, fast, a lot of services that were not covered in the labs!
- I quickly glanced through another preparation book, Professional Cloud Architect Google Cloud Certification Guide – Second Edition; a different style of questions, helpful too.
- I spent a lot of time on Udemy practice exams. I liked the questions even though the solutions are pretty barebones, with just a link to the docs… but after 3 or 4 mock exams, the questions were more or less the same.
- I also practiced on Whizlabs, just the exam preparation tests. The solutions were better explained, but as with all the other resources, it was sometimes a bit outdated.
Among those 4 resources, I cannot tell you which one prepared me better than the others; I think with all of them I learned about new services or scenarios (a significant part of the exam preparation revolves around 4 case studies, where you need to know the best GCP service, or combination of services, for a given business or technical requirement; Pub/Sub + GCS + Dataflow + BigQuery is always a winner 😊).
To gauge whether you're sufficiently prepared, make sure you don't learn anything new when taking a mock exam; if you do, you still have some learning and training to do.
Most mock exams gave more than 4 answers, or sometimes even allowed several correct answers; the real exam only ever had 4 answers, with only 1 to choose.
Finally, there are a decent number of sites and blog posts on the internet about this certification; most of them are a bit outdated, but they still helped:
- A good blog post with plenty of interesting links for the exam
- A list of other very good resources to learn about GCP services
- A list of services you should be familiar with before taking the exam
The exam
The exam is provided by CertMetrics and you can take it either online or in person. I chose online because there was no in-person availability in Montréal in the next 2 weeks.
Online exam software
You should really follow their advice and use a personal computer, because they (CertMetrics / WebAssessor) make you install an « OEMSafeBrowser » that is evolved spyware, to make sure you only access the exam and that they can see and hear you during the whole exam (it's no joke: during one question I repeated the answers aloud and they asked me to stop talking!).
You also need to be in a closed room where you show them (using your webcam) that you have no food, phones, or papers around you! 💂
Final note: I tried Firefox and Safari to start the exam (the link that opens the safe browser); supposedly they're supported, but only Chrome worked. It took me 15 min to figure this out, so I was late, but fortunately support delayed my exam. Still, that stressed me, so just use Chrome!
At the end of the exam, you get a « conditional » result (after being asked to fill in a satisfaction form!); I had the PASS result, so I was very relieved 🥳. A few days later you receive a Credly badge.
Types of Questions asked
20% of the 50 questions were about 2 of the 4 case studies. But the questions were not the typical ones found in the online resources I used, and they were not obvious either. Read carefully: every word matters.
The questions were 4-answer quizzes with only 1 answer to choose; that part was easier than most of the mock exams I prepared with (some of them had questions with 7 answers and 4 to choose!). The most similar one was the mock exam from Google.
I found the questions quite difficult during the exam. About the renamed products: don't worry, the questions use both the old and the new names.
Final words
Trying to get up to speed in 3 or 4 full days (not counting the labs) was extremely challenging, so prepare over a longer period than this. It's not technically difficult, but there are a lot of products to remember, many of which you'll never have used during the labs, and they have confusing and similar names (Cloud Dataflow is based on Apache Beam, but Cloud Composer is based on Apache Airflow 🫠; App Engine Flexible is about running containers, the same as Cloud Run, while App Engine Standard is a PaaS that supports a limited number of languages 😥).
From my own experience (I maintain Java buildpacks, but used to be an application/cloud architect and DevOps engineer), I learned a few interesting details about Cloud Storage (similar to, but different from, AWS S3), BigQuery, and some privacy and AI services. I can't say I learned much about application architecture, since it was pretty basic (« use managed services », « use Pub/Sub and different zones to scale », etc.), and the big data part was pretty much limited to « use Bigtable to insert, BigQuery to query analytics » 🤷. Also, as an application developer, I can't say I need to know that Cloud Interconnect is better than an (HA) VPN when peering with Google Cloud with 10 Gbps needs, or that Cloud Identity interfaces with Microsoft Active Directory… I don't make this kind of company infrastructure decision.
Do certifications matter to you? To your employer? To your future employer? If so, go ahead (I was surprised to see sites such as Coursera, Udemy and Whizlabs advertise that certifications will get you a better job or a better salary; when I used to interview people, I didn't really care about their certifications, as I know it's mostly theoretical knowledge that can't beat experience).
I honestly enjoyed most of the labs, pretty interesting, but knowing about all Google Cloud services and their names of the moment… well, I guess I now know what this certification is about!
Bonus: my notes
A list of all the notes I took and reviewed before the exam; they could be helpful to you!
Compute
- App Engine Standard does not support custom containers; Flexible does.
- App Engine Standard can scale to 0; Flexible has a minimum of 1.
- App Engine Standard: minimum cost 15 min; apps are deployed to specified instance classes. .NET is not supported (Flexible supports it).
- Unmanaged instance groups can have non-identical instances. Unmanaged instance groups do not offer autoscaling, autohealing, rolling update support, multi-zone support, or the use of instance templates, and are not a good fit for deploying highly available and scalable workloads. Use unmanaged instance groups if you need to apply load balancing to groups of heterogeneous instances, or if you need to manage the instances yourself.
- Compute Engine VMs do not come with the Stackdriver logging agent installed, but all other services do.
- Cloud Run binary authorization: only trusted images (in a given repository) can be run.
- Cloud Functions don't need a VPC!
- GKE Workload Identity: associate a Kubernetes service account with a GCP service account.
- Shielded VM offers verifiable integrity of your Compute Engine VM instances, so you can be confident your instances haven't been compromised by boot- or kernel-level malware or rootkits: Secure Boot, virtual Trusted Platform Module (vTPM), integrity monitoring.
Misc.
- Stackdriver Logging provides an agent that can be installed on AWS EC2s and GCP CEs. The agent can ingest log data from either type of VM.
- Each project ID is unique across Google Cloud. After you have created a project, you can delete the project, but its ID can never be used again.
- Deployment Manager: a Terraform copycat that only manages GCP resources; deleting everything is a risk.
- Lift and shift? Migrate to Cloud.
- gsutil is being replaced by gcloud storage.
- Cloud Build cannot deploy local workloads.
- Organization, then multiple folders, one for each department; each department can have multiple teams and projects.
Storage
- You can't migrate to Cloud SQL to offload read operations; read replicas are better.
- Cloud SQL: on-demand AND automated backups.
- Cloud Dataflow is an Apache Beam implementation: implement data workflows, most similar to Cloud Data Fusion (an ETL), for stream and batch.
- Cloud Composer: Apache Airflow, a workflow orchestration system that executes workflows represented as directed acyclic graphs (DAGs); a fully managed workflow orchestration service that lets you author, schedule, and monitor pipelines.
- Cloud Dataproc can replace self-managed Spark and Hadoop clusters; it can connect to Bigtable, BigQuery and Storage. It is region specific, not multi-region.
- Cloud Firestore: document DB, equivalent to MongoDB.
- Cloud Memorystore: Redis, Valkey, Memcached.
- Cloud Pub/Sub can be used instead of RabbitMQ.
- Cloud Bigtable is a scalable, wide-column database designed for low-latency writes, making it a good choice for time-series data or IoT storage. Each cluster is located in a single zone. Bigtable is better to ingest the data, BigQuery is better to query it. The Apache HBase library for Java can insert into Bigtable.
- Cloud Spanner: a distributed clock called TrueTime guarantees transactions are strongly consistent even across regions.
- Cloud Datastore, same as Firebase: highly scalable NoSQL database.
- BigQuery: several types of partitioning: sharded, vertical, horizontal. If you need interactive querying in an online analytical processing (OLAP) system, consider BigQuery. Region and multi-region. BigQuery billing export.
- Storage: Nearline, Coldline, Archive; max size 5 TB for an object; buckets can be regional, multi-regional, dual-regional; GCS signed URLs; buckets are immutable; Storage has global consistency, but does not provide CDN capability.
- You cannot use your own keys with local SSDs because local SSDs do not persist beyond the life of a virtual machine.
- Cloud Dataparse is not Cloud Dataprep. Cloud Dataparse does not exist; Dataprep is now BigQuery.
- Persistent disks support zonal and regional synchronous replication.
- MongoDB Atlas: third-party managed MongoDB, in competition with Firestore.
- Storage Transfer Service to regularly sync external data with Storage.
AI
- Cloud Datalab, now Vertex AI Workbench, provides a Jupyter notebook-based environment.
- Document AI can convert images to text, classify documents, analyze and extract entities.
Networking
- If you need >10 Gbps, then you should consider a Cloud Interconnect solution (same data center). Partner Interconnect is the same, but uses a link from your DC to Google's via a partner private line; compare with a VPN solution, which works up to about 3 Gbps for each VPN tunnel.
- Cloud VPN is regional; for optimal performance, place resources and the VPN gateway in the same region.
- Premium network tier: Google's internal network (Standard: over the public internet).
- Cloud Armor prevents DDoS.
- Cloud Security Scanner: identifies security vulnerabilities in your App Engine, Google Kubernetes Engine (GKE), and Compute Engine web applications.
- VPC Service Controls to limit access from VMs to Storage, for example, or from VMs to specific remote APIs.
- Default and implied VPC rules for the default network: egress to the internet; ICMP, RDP and SSH incoming from the internet.
- The Identity-Aware Proxy (IAP) connector allows you to manage access to HTTP-based apps outside of Google Cloud, and lets service accounts propagate from apps to resources.
- Identity-Aware Proxy (IAP) lets you use SSH or RDP to non-public-IP machines via HTTPS and IAM.
- Multi-region: a CDN is better than a multi-region storage bucket.
- IPv6 in almost all services, but not: Cloud SQL, Memorystore, Classic VPN.
- Cloud VPN: Classic VPN and HA VPN.
- The Montreal region has 3 zones in 1 or several data centers.
- Dual regions do not exist everywhere; single continent.
- You can connect to the serial console using the Google Cloud Console, the gcloud command-line tool, or a third-party SSH client.
- VPC networks are global resources. Each VPC network consists of one or more IP address ranges called subnets. Subnets are regional resources, and have IP address ranges associated with them.
- Subnets are regional resources, and they can have Private Google Access to Storage, for example, without an external IP.
- Cloud DNS supports logging and monitoring, and autoscaling to handle query volume; 100% availability.
- Cloud NAT to access the internet from machines without an external IP.
- Dual-zones and multi-zones do not exist in GCP.
- A project can't access another project's resources unless you use Shared VPC or VPC Network Peering. Similarly, a Shared VPC can only be used with the network in the same GCP org; Shared VPC lets you create a single global VPC organized by a central project.
- You cannot create a rule to deny all traffic to the entire subnet.
- Apigee: it's an API gateway.
- Cloud Endpoints: an API management system that helps you secure, monitor, analyze, and set quotas on your APIs using the same infrastructure Google uses for its own APIs. Cloud Endpoints vs Apigee: Cloud Endpoints is not hybrid, nor does it support monetization.
- Cloud Service Mesh: service mesh on GCP, GKE, and services running on different infrastructure, controlled by an API.
- A network endpoint group (NEG) specifies a group of backend endpoints for a load balancer. A serverless NEG is a backend that points to a Cloud Run, App Engine, Cloud Run functions, or API Gateway service.
Security
- HIPAA governs, among other things, privacy and data protections for private medical information.
- The Children's Online Privacy Protection Act (COPPA) is a U.S. law that regulates websites that collect personal information, to protect children under the age of 13.
- Cloud Healthcare API: a secure, compliant, fully managed service for ingesting, transforming and storing healthcare data in FHIR, HL7v2, and DICOM formats, and unstructured text.
- Role: a role is a collection of permissions. Permissions determine what operations are allowed on a resource. When you grant a role to a principal, you grant all the permissions that the role contains.
- Policy: the allow policy is a collection of role bindings that bind one or more principals to individual roles. When you want to define who (principal) has what type of access (role) on a resource, you create an allow policy and attach it to the resource. 3 types of roles: basic or primitive (not recommended, too wide), predefined, custom.
- An allow policy, also known as an IAM policy, defines and enforces what roles are granted to which principals. The effective policy for a resource is the union of the policy set at that resource and the policy inherited from higher up in the hierarchy.
- Tokenization: an easy way to comply with PII requirements.
- Cloud Secret Manager: to store credentials (like Vault).
- HSM is Hardware Security Module, integrated with Cloud KMS.
Best practices
- Code review of configuration files.
- Monitor app and infra for signs of problems.
- Mean time between failures is a measure of reliability.
- Request success rate is a measure of how many requests were successfully satisfied.
- SLOs with clear and measurable service level indicators.
- Cloud Data Loss Prevention API (DLP API) to obfuscate PII data.
- Subnets are not enough for firewall rules; you can use tags for source and target.
- Exporting daily usage and cost estimates automatically throughout the day to a BigQuery dataset is a good way of providing visibility to the finance department. Labels can then be used to group the costs based on team or cost center.
- To enhance a Compute Engine machine's performance without a restart, you can enlarge the disk to get more IOPS (comes with bigger capacity).
Availability
| Percent uptime | Downtime/day  | Downtime/week  | Downtime/month |
|----------------|---------------|----------------|----------------|
| 99.00          | 14.4 minutes  | 1.68 hours     | 7.31 hours     |
| 99.90          | 1.44 minutes  | 10.08 minutes  | 43.83 minutes  |
| 99.99          | 8.64 seconds  | 1.01 minutes   | 4.38 minutes   |
| 99.999         | 864 millis    | 6.05 seconds   | 26.3 seconds   |
| 99.9999        | 86.4 millis   | 604.8 millis   | 2.63 seconds   |
4 scenarios
- TerramEarth: increase fleet cellular connectivity; GCS, Dataflow, BigQuery, Pub/Sub; move to containers.
- Helicopter Racing League: use the Transcoder API; CDN + Armor, Storage, Cloud Load Balancing; BigQuery + Dataflow + Composer.
- Mountkirk Games: using VMs for the old games, move to Kubernetes for the new game; use Dataflow for stream and batch; GCS, Dataflow, BigQuery, Pub/Sub.
- EHR Healthcare: already moved to Kubernetes.
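The IAM notes above (roles are bundles of permissions, allow policies bind principals to roles, and the effective policy on a resource is the union of its own policy and everything inherited from folders and the organization) are the part of this list with the most security consequence, so here is a small model of that evaluation. This is an added example written for this post, not Google's code and not the Google Cloud IAM library; the resource names, principals and the permission contents of the roles are constructed, illustrative subsets (the real roles/editor contains far more permissions than listed).

```python
"""Model of how GCP IAM allow policies combine down the resource hierarchy.

Added example for this post, not Google's implementation. The hierarchy,
principals and role contents below are constructed assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# Constructed subset of the permissions in some real role names (assumption:
# illustrative only; the real basic/predefined roles contain far more).
ROLE_PERMISSIONS: dict[str, set[str]] = {
    "roles/viewer": {
        "storage.objects.get", "storage.buckets.get", "compute.instances.get",
    },
    "roles/editor": {
        "storage.objects.get", "storage.objects.create", "storage.objects.delete",
        "storage.buckets.get", "compute.instances.get", "compute.instances.create",
    },
    "roles/storage.objectViewer": {"storage.objects.get", "storage.objects.list"},
}


@dataclass
class Resource:
    """One node of the hierarchy: organization, folder, project or a service resource."""
    name: str
    parent: Optional[Resource] = None
    # Allow policy attached to this node: role -> principals bound to it.
    bindings: dict[str, set[str]] = field(default_factory=dict)

    def grant(self, role: str, principal: str) -> None:
        self.bindings.setdefault(role, set()).add(principal)


def ancestry(res: Resource) -> list[Resource]:
    """The resource itself followed by every ancestor up to the organization."""
    chain: list[Resource] = []
    node: Optional[Resource] = res
    while node is not None:
        chain.append(node)
        node = node.parent
    return chain


def effective_bindings(res: Resource) -> dict[str, set[str]]:
    """Effective allow policy: union of the resource's policy and all inherited ones.

    Allow policies only ever add bindings; nothing lower in the tree can remove a
    role that was granted higher up, which is why wide grants at folder or
    organization level are the thing to hunt for."""
    merged: dict[str, set[str]] = {}
    for node in ancestry(res):
        for role, principals in node.bindings.items():
            merged.setdefault(role, set()).update(principals)
    return merged


def effective_permissions(res: Resource, principal: str) -> set[str]:
    """All permissions `principal` holds on `res` through every effective binding."""
    perms: set[str] = set()
    for role, principals in effective_bindings(res).items():
        if principal in principals:
            perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def has_permission(res: Resource, principal: str, permission: str) -> bool:
    return permission in effective_permissions(res, principal)


def over_granted(res: Resource, principal: str, needed: set[str]) -> set[str]:
    """Permissions the principal holds on `res` beyond what it actually needs."""
    return effective_permissions(res, principal) - needed


def build_example() -> tuple[Resource, Resource, Resource, Resource]:
    """Constructed org -> folder -> project -> bucket hierarchy (assumption)."""
    org = Resource("organizations/123")
    finance = Resource("folders/finance", parent=org)
    prod = Resource("projects/finance-prod", parent=finance)
    bucket = Resource("buckets/finance-reports", parent=prod)

    # A basic role granted on the folder: too wide, and it flows into every
    # project and bucket underneath it.
    finance.grant("roles/editor", "group:dev@example.com")
    # A narrow predefined role granted directly on the bucket.
    bucket.grant("roles/storage.objectViewer", "user:analyst@example.com")
    return org, finance, prod, bucket


if __name__ == "__main__":
    org, finance, prod, bucket = build_example()
    print(sorted(effective_permissions(bucket, "group:dev@example.com")))
    print(sorted(over_granted(bucket, "group:dev@example.com", {"storage.objects.get"})))
```

Running it shows the dev group ending up with compute and delete permissions on a bucket nobody granted them on directly, purely through inheritance from the folder, while the analyst's bucket-level grant stays confined to that bucket. That asymmetry (grants flow down, never up, and cannot be subtracted lower down) is the reason the notes flag basic roles as "too wide".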
