Google Cloud notes for developers

Master Google Cloud with a curated set of 4 developer notes — core concepts, patterns, and interview prep. Maintained by the DevRecall team.

Google Cloud

Compute: GCE, Cloud Run & App Engine

Google Cloud: Compute Services

GCP offers multiple compute options: GCE (full VMs), GKE (managed Kubernetes), Cloud Run (serverless containers), App Engine (PaaS), and Cloud Functions (serverless functions).

Cloud Run — Serverless Containers

Cloud Run is the most popular GCP compute service for new applications. It runs any containerized app with automatic scaling to zero.

# Build and deploy in one command
# --source . builds the container via Cloud Build
# --allow-unauthenticated makes the service publicly invokable
gcloud run deploy my-service \
  --source . \
  --region europe-west1 \
  --platform managed \
  --allow-unauthenticated \
  --port 8080 \
  --memory 512Mi \
  --cpu 1 \
  --min-instances 0 \
  --max-instances 100 \
  --set-env-vars "NODE_ENV=production,DATABASE_URL=${DATABASE_URL}"

# Deploy from existing image
gcloud run deploy my-service \
  --image europe-west1-docker.pkg.dev/my-project/my-repo/my-image:latest \
  --region europe-west1

# Update traffic split (canary)
gcloud run services update-traffic my-service \
  --to-revisions my-service-00010-abc=10,LATEST=90

# View logs
gcloud run services logs read my-service --region europe-west1

Compute Engine (GCE)

# Create a VM
gcloud compute instances create my-vm \
  --machine-type e2-medium \
  --image-family debian-12 \
  --image-project debian-cloud \
  --zone europe-west1-b \
  --tags http-server

# SSH into VM
gcloud compute ssh my-vm --zone europe-west1-b

# Create a managed instance group (auto-scaling VM fleet)
gcloud compute instance-groups managed create my-mig \
  --base-instance-name my-vm \
  --template my-template \
  --size 2 \
  --zone europe-west1-b

# Machine types:
# e2-micro, e2-small, e2-medium  — shared CPU, cost-effective
# n2-standard-2                  — balanced (2 vCPU, 8GB RAM)
# c2-standard-4                  — compute-optimized
# a2-highgpu-1g                  — GPU instances

App Engine

  • Standard environment: language-specific runtimes (Node, Python, Go, Java) — scales to zero, free tier

  • Flexible environment: any language via Docker — no scale-to-zero, more control

  • Deploy: gcloud app deploy — reads app.yaml

  • Traffic splitting: gcloud app services set-traffic --splits v1=90,v2=10

  • Good for: simple web apps, APIs where Cloud Run is overkill but GCE is too complex

GKE — Managed Kubernetes

# Create Autopilot cluster (recommended — fully managed node pools)
gcloud container clusters create-auto my-cluster \
  --region europe-west1

# Get credentials
gcloud container clusters get-credentials my-cluster --region europe-west1

# Standard cluster (you manage nodes)
gcloud container clusters create my-cluster \
  --num-nodes 3 \
  --machine-type e2-standard-4 \
  --zone europe-west1-b

# Enable Workload Identity (recommended for IAM)
gcloud container clusters update my-cluster \
  --workload-pool my-project.svc.id.goog \
  --region europe-west1

Storage: GCS, Cloud SQL & Firestore

Google Cloud: Storage Services

Cloud Storage (GCS)

GCS is Google's object storage — equivalent to AWS S3. Stores blobs, backups, static assets, ML datasets.

# Create bucket
gcloud storage buckets create gs://my-bucket \
  --location=europe-west1 \
  --default-storage-class=STANDARD \
  --uniform-bucket-level-access

# Upload / download
gcloud storage cp local-file.txt gs://my-bucket/
gcloud storage cp -r ./dist gs://my-bucket/website/
gcloud storage cp gs://my-bucket/file.txt ./

# Sync (like rsync)
gcloud storage rsync -r ./dist gs://my-bucket/website

# Set CORS for web access
gcloud storage buckets update gs://my-bucket --cors-file=cors.json

# Static website hosting
gcloud storage buckets update gs://my-bucket --web-main-page-suffix=index.html

// Node.js SDK
import { createReadStream } from 'node:fs'
import { Storage } from '@google-cloud/storage'
const storage = new Storage()
const bucket = storage.bucket('my-bucket')

// Upload
await bucket.upload('./report.pdf', { destination: 'reports/2026/report.pdf' })

// Signed URL (time-limited access; anyone holding the URL can read the object until it expires)
const [url] = await bucket.file('private/doc.pdf').getSignedUrl({
  action: 'read',
  expires: Date.now() + 15 * 60 * 1000,  // 15 minutes
})

// Stream upload
const file = bucket.file('uploads/image.jpg')
const readStream = createReadStream('./image.jpg')  // local source file
const writeStream = file.createWriteStream({ contentType: 'image/jpeg' })
readStream.pipe(writeStream)

Cloud SQL

  • Fully managed PostgreSQL, MySQL, or SQL Server — automatic backups, HA, read replicas

  • Create: gcloud sql instances create my-db --database-version=POSTGRES_15 --tier=db-f1-micro --region=europe-west1

  • Connect via: Cloud SQL Auth Proxy (recommended for apps), Private IP (VPC), public IP + SSL

  • Connection string via Secret Manager → mount as env var in Cloud Run

  • Read replicas: gcloud sql instances create my-db-replica --master-instance-name=my-db

  • Costs: per-instance-hour + storage + I/O operations. Use db-f1-micro for dev (free tier eligible)

Firestore

Firestore is a serverless NoSQL document database — native Firebase integration, real-time listeners, offline support.

import { Firestore } from '@google-cloud/firestore'
const db = new Firestore()

// Write
await db.collection('users').doc('alice').set({
  name: 'Alice',
  email: 'alice@example.com',
  createdAt: Firestore.Timestamp.now(),
})

// Read
const doc = await db.collection('users').doc('alice').get()
console.log(doc.data())

// Query
const query = await db.collection('users')
  .where('role', '==', 'admin')
  .orderBy('createdAt', 'desc')
  .limit(10)
  .get()

// Real-time listener (client-side)
db.collection('messages').onSnapshot(snapshot => {
  snapshot.docChanges().forEach(change => {
    if (change.type === 'added') console.log('New message:', change.doc.data())
  })
})

BigQuery, Pub/Sub & Cloud Functions

Google Cloud: BigQuery, Pub/Sub & Functions

BigQuery

BigQuery is Google's fully managed, serverless data warehouse. Runs SQL queries over petabytes of data using massive parallelism. Pay per query (TB scanned) or flat-rate.

-- Standard SQL in BigQuery
SELECT
  user_id,
  COUNT(*) AS orders,
  SUM(total_amount) AS revenue
FROM `my-project.sales.orders`
WHERE DATE(created_at) >= DATE_SUB(CURRENT_DATE(), INTERVAL 30 DAY)
  AND status = 'completed'
GROUP BY user_id
HAVING revenue > 1000
ORDER BY revenue DESC
LIMIT 100;

-- Partition pruning (critical for cost — only reads relevant partitions)
SELECT * FROM `my-project.events.page_views`
WHERE _PARTITIONDATE = '2026-05-01';

-- Query external data (GCS)
SELECT * FROM `my-project.external.logs`
WHERE timestamp > '2026-05-01';

# bq CLI
bq query --use_legacy_sql=false 'SELECT COUNT(*) FROM `project.dataset.table`'
bq load --source_format=CSV dataset.table gs://my-bucket/data.csv schema.json
bq mk --dataset my-project:analytics
bq extract --destination_format=PARQUET dataset.table gs://my-bucket/export/

Pub/Sub

Cloud Pub/Sub is a managed messaging service for asynchronous event-driven systems. Publishers send messages to topics; subscribers pull or push messages from subscriptions.

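import { PubSub, v1 } from '@google-cloud/pubsub'
const pubsub = new PubSub()

// Publish
const messageId = await pubsub.topic('my-topic').publishMessage({
  data: Buffer.from(JSON.stringify({ event: 'user.created', userId: '123' })),
})

// Pull subscription (synchronous pull goes through the low-level v1.SubscriberClient)
const subClient = new v1.SubscriberClient()
const subPath = subClient.subscriptionPath('my-project', 'my-sub')
const [response] = await subClient.pull({ subscription: subPath, maxMessages: 10 })
const ackIds = []
for (const received of response.receivedMessages ?? []) {
  console.log(received.message.data.toString())
  ackIds.push(received.ackId)  // leave an ackId out to have that message redelivered
}
if (ackIds.length > 0) {
  await subClient.acknowledge({ subscription: subPath, ackIds })
}

// Streaming pull (long-lived connection)
const subscription = pubsub.subscription('my-sub')
subscription.on('message', (msg) => {
  try {
    // processMessage is your own handler (not defined here)
    processMessage(JSON.parse(msg.data.toString()))
    msg.ack()
  } catch (err) {
    console.error(err)
    msg.nack()  // malformed or failed message: redeliver instead of crashing the process
  }
})
subscription.on('error', console.error)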

Cloud Functions

// functions/index.ts
import { onRequest } from 'firebase-functions/v2/https'
import { onDocumentCreated } from 'firebase-functions/v2/firestore'
import { onMessagePublished } from 'firebase-functions/v2/pubsub'

// HTTP trigger
export const api = onRequest({ region: 'europe-west1' }, (req, res) => {
  res.json({ message: 'Hello!' })
})

// Firestore trigger (sendWelcomeEmail is your own helper, not defined here)
export const onUserCreated = onDocumentCreated('users/{userId}', async (event) => {
  const user = event.data?.data()
  if (!user?.email) return  // no snapshot or no email field
  await sendWelcomeEmail(user.email)
})

// Pub/Sub trigger (fulfillOrder is your own helper, not defined here)
export const processOrder = onMessagePublished('orders', async (event) => {
  const order = JSON.parse(Buffer.from(event.data.message.data, 'base64').toString())
  await fulfillOrder(order)
})

# Deploy
gcloud functions deploy my-function \
  --gen2 \
  --runtime nodejs20 \
  --trigger-http \
  --region europe-west1 \
  --allow-unauthenticated

Networking, IAM & CLI Essentials

Google Cloud: Networking, IAM & CLI

gcloud CLI Essentials

# Auth
gcloud auth login
gcloud auth application-default login   # for SDK/library auth
gcloud config set project my-project
gcloud config set compute/region europe-west1

# Switch between projects/configs
gcloud config configurations create staging
gcloud config configurations activate production

# Common shortcuts
gcloud projects list
gcloud services enable run.googleapis.com
gcloud services enable cloudbuild.googleapis.com

# Secrets
gcloud secrets create my-secret --data-file=secret.txt
gcloud secrets versions access latest --secret=my-secret
# Mount in Cloud Run:
#   --set-secrets DATABASE_URL=my-secret:latest

IAM

  • Project IAM: who can do what across the entire project

  • Service accounts: identity for GCP resources (Cloud Run, GKE pods) — not for humans

  • Roles: Basic (Owner/Editor/Viewer), Predefined (roles/run.invoker), Custom

  • Workload Identity: bind GKE pod's Kubernetes service account to a GCP service account — no key files

  • Principle of least privilege: grant minimum permissions needed

# Grant role to a user
gcloud projects add-iam-policy-binding my-project \
  --member="user:alice@example.com" \
  --role="roles/run.invoker"

# Create service account
gcloud iam service-accounts create my-sa \
  --display-name="My Service Account"

# Grant service account access to a resource
gcloud storage buckets add-iam-policy-binding gs://my-bucket \
  --member="serviceAccount:my-sa@my-project.iam.gserviceaccount.com" \
  --role="roles/storage.objectViewer"
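
The least-privilege bullets above can be checked mechanically. The following is an added example, not part of the original notes: it scans an IAM policy document, in the JSON shape printed by `gcloud projects get-iam-policy my-project --format=json`, for basic roles and public members. The `samplePolicy` bindings, rule names and severity levels are constructed for illustration.

```javascript
// Roles and members that conflict with least privilege.
const BASIC_ROLES = new Set(['roles/owner', 'roles/editor', 'roles/viewer']);
const PUBLIC_MEMBERS = new Set(['allUsers', 'allAuthenticatedUsers']);

// Returns findings sorted with the highest severity first.
function auditIamPolicy(policy) {
  const findings = [];
  for (const { role, members = [] } of policy.bindings ?? []) {
    for (const member of members) {
      if (PUBLIC_MEMBERS.has(member)) {
        // e.g. what --allow-unauthenticated grants on a Cloud Run service
        findings.push({ severity: 'high', rule: 'public-member', role, member });
      } else if (BASIC_ROLES.has(role)) {
        const isServiceAccount = member.startsWith('serviceAccount:');
        findings.push({
          // Owner/Editor can modify resources; Viewer is read-only but project-wide
          severity: role === 'roles/viewer' ? 'medium' : 'high',
          rule: isServiceAccount ? 'basic-role-on-service-account' : 'basic-role',
          role,
          member,
        });
      }
    }
  }
  const rank = { high: 0, medium: 1 };
  return findings.sort((a, b) => rank[a.severity] - rank[b.severity]);
}

// Constructed sample policy (hypothetical bindings, not real data).
const samplePolicy = {
  bindings: [
    { role: 'roles/run.invoker', members: ['allUsers'] },
    { role: 'roles/viewer', members: ['user:alice@example.com'] },
    { role: 'roles/editor',
      members: ['serviceAccount:my-sa@my-project.iam.gserviceaccount.com'] },
    { role: 'roles/storage.objectViewer',
      members: ['serviceAccount:my-sa@my-project.iam.gserviceaccount.com'] },
  ],
};

for (const f of auditIamPolicy(samplePolicy)) {
  console.log(`[${f.severity}] ${f.rule}: ${f.member} has ${f.role}`);
}
```

The same function works on resource-level policies such as the output of `gcloud run services get-iam-policy`, since they share the `bindings` structure.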

VPC & Networking

# Create VPC and subnet
gcloud compute networks create my-vpc --subnet-mode=custom
gcloud compute networks subnets create my-subnet \
  --network=my-vpc \
  --region=europe-west1 \
  --range=10.0.0.0/24

# Firewall rules
gcloud compute firewall-rules create allow-http \
  --network=my-vpc \
  --allow=tcp:80,tcp:443 \
  --target-tags=http-server

# Cloud Armor (WAF + DDoS protection)
gcloud compute security-policies create my-policy
gcloud compute security-policies rules create 1000 \
  --security-policy=my-policy \
  --expression="inIpRange(origin.ip, '0.0.0.0/0')" \
  --action=allow

# Cloud Load Balancing
# Global HTTP(S) LB → Backend services → NEGs (Network Endpoint Groups)
# Cloud Run NEG allows LB → Cloud Run directly (no proxy needed)

Cost Optimization

  • Committed use discounts: 1-3 year commitments → 37-55% savings on GCE/GKE

  • Spot VMs: 60-91% cheaper than on-demand — can be preempted, good for batch workloads

  • Cloud Run: scale to zero — no cost when idle

  • BigQuery: partition and cluster tables to minimize bytes scanned; use slots pricing for predictable cost

  • Budget alerts: Billing → Budgets & Alerts → set threshold notifications

  • Cloud billing export to BigQuery: analyze GCP costs with SQL

  • Recommender API: automatic cost and performance recommendations per service
