GCP Cloud Architect End-to-end GCP-specific architecture: service selection, Google Cloud Architecture Framework assessment, identity and networking patterns, cost optimization, operational defaults. Provider-specific complement to our generic skill — that one covers cross-cloud patterns; this one knows when to pick Spanner over Cloud SQL, how Workload Identity Federation differs from Service Account keys, and the right Cloud Run vs GKE call. --- When to use this skill | Situation | Skill applies | |-----------|---------------| | Designing a GCP architecture from scratch | Yes — start with co…



# GCP Cloud Architect

End-to-end GCP-specific architecture: service selection, Google Cloud Architecture Framework assessment, identity and networking patterns, cost optimization, operational defaults. Provider-specific complement to our generic `senior-cloud-architect` skill — that one covers cross-cloud patterns; this one knows when to pick Spanner over Cloud SQL, how Workload Identity Federation differs from Service Account keys, and the right Cloud Run vs GKE call.

---

## When to use this skill

| Situation | Skill applies |
|-----------|---------------|
| Designing a GCP architecture from scratch | Yes — start with **compute decision tree** |
| Reviewing an existing GCP architecture | Yes — run **CAF assessment** via `scripts/gcp_caf_scorer.py` |
| Validating a Terraform / Deployment Manager plan | Yes — `scripts/gcp_architecture_validator.py` |
| Estimating GCP cost for a workload | Yes — `scripts/gcp_cost_estimator.py` |
| Picking between GKE / Cloud Run / Functions / Cloud Run Jobs | Yes — see **compute decision tree** |
| Setting up IAM / Workload Identity correctly | Yes — see **identity reference** |
| Designing multi-region / multi-zone resilience | Yes — see **reliability reference** |
| Picking Cloud SQL vs Spanner vs Firestore vs BigQuery | Yes — see **data store decision tree** |
| Going to production without CAF review | Don't — run the CAF scorer first |

---

## Compute decision tree

GCP gives you many compute paths; picking the wrong one wastes money and operational burden.

```
Stateless HTTP service?
├── Need full control over OS / sidecar / custom runtime?
│   └── → GKE (Autopilot for managed; Standard for full control)
├── Container-packaged service, want zero infra?
│   ├── Auto-scale to zero acceptable? Per-request billing?
│   │   └── → Cloud Run (Service)
│   └── Long-running container (always-warm)?
│       └── → Cloud Run with min-instances OR GKE Autopilot
├── Function-style, event-driven?
│   └── → Cloud Functions (2nd gen, runs on Cloud Run under the hood)
├── Batch / job processing?
│   ├── Containers, finite duration?
│   │   └── → Cloud Run Jobs
│   └── Large-scale batch (HPC)?
│       └── → Batch (compute engine pool) OR Dataflow (for data)
└── Long-running stateful processes / legacy?
    └── → Compute Engine VMs (MIGs for groups)

Stateful service (DBs you self-manage)?
├── → Generally prefer managed: Cloud SQL, Spanner, Firestore, BigQuery
└── Or VM + your own DB (rarely the right call)

ML inference?
├── Realtime, GPU?
│   └── → GKE (GPU node pools) OR Vertex AI online endpoints
└── Batch?
    └── → Vertex AI batch prediction OR Dataflow pipelines

Static frontend?
└── → Firebase Hosting OR Cloud Storage + Cloud CDN

API gateway?
├── In-VPC, internal-only?
│   └── → Internal HTTP(S) Load Balancer
├── Global edge, custom routing, WAF?
│   └── → External HTTP(S) Load Balancer + Cloud Armor
└── API management (rate limit, dev portal, monetization)?
    └── → Apigee
```

See [references/gcp-services-reference.md](references/gcp-services-reference.md) for service-by-service depth: tiers, SLAs, limits, when to upgrade.

---

## Data store decision tree

```
Relational?
├── Standard OLTP, regional or multi-zone?
│   └── → Cloud SQL (MySQL / PostgreSQL / SQL Server)
├── Global, strong consistency, horizontal scale?
│   └── → Cloud Spanner (regional or multi-region)
└── Multi-region with high concurrency, fault-tolerant?
    └── → Cloud Spanner (true multi-region active-active)

Document / NoSQL?
├── Mobile/web client-direct, real-time updates?
│   └── → Firestore (Native mode)
├── Schemaless, low-latency, regional or multi-region?
│   └── → Firestore OR Datastore (legacy Datastore Mode of Firestore)
└── Wide-column at massive scale, < 10ms reads?
    └── → Bigtable

Key-value cache?
└── → Memorystore (Redis or Memcached)

Object storage?
└── → Cloud Storage (pick Standard / Nearline / Coldline / Archive)

Time-series / metrics?
├── Operational (Stackdriver-style)?
│   └── → Cloud Monitoring (built-in metric store)
└── Application time series?
    └── → Bigtable OR BigQuery (depending on cardinality/query pattern)

Search?
├── Full-text on app data?
│   └── → Vertex AI Search OR self-managed Elasticsearch on GKE
└── Vector search for ML?
    └── → Vertex AI Vector Search OR pgvector on Cloud SQL OR Bigtable with vectors

Data warehouse?
└── → BigQuery (the answer to "should we use a warehouse?" on GCP)

Analytical OLAP?
└── → BigQuery (serverless) OR BigQuery + BigQuery BI Engine

Stream processing?
└── → Dataflow (Apache Beam) OR Pub/Sub + Dataflow
```

---

## Networking patterns

### Three core building blocks

| Component | What it does | When |
|-----------|--------------|------|
| **VPC** | L3 isolation; private IP space; global by default in GCP | Every non-trivial GCP deployment |
| **Private Service Connect (PSC)** | Brings managed services into your VPC privately | Default for production access to managed services |
| **Cloud Interconnect / VPN** | On-prem connectivity (Interconnect is dedicated; VPN is over internet) | Hybrid setups |

### Load balancers

| LB | When |
|----|------|
| **Global External HTTP(S) Load Balancer** | Global anycast; Cloud Armor; CDN; serverless backends |
| **Regional External HTTP(S) LB** | Regional only; cheaper for non-global workloads |
| **Internal HTTP(S) LB** | Internal services; supports serverless backends |
| **TCP/UDP Network LB** | L4 load balancing; lower cost; for non-HTTP workloads |
| **Internal TCP/UDP LB** | Internal L4 |

### Common networking patterns

| Pattern | What | When |
|---------|------|------|
| **Shared VPC** | Central host project owns VPC; service projects attach their resources | Enterprise / multi-team |
| **VPC peering** | Connect two VPCs (transitive routing not supported) | Multi-project organizations |
| **Private Service Connect** | Consumer endpoint in your VPC → producer service | Default for managed services |
| **Cloud Armor + global LB** | DDoS protection + WAF rules at the edge | Public-facing apps |
| **Hub-and-spoke via Network Connectivity Center** | Centralized routing for multi-VPC orgs | Large orgs |

---

## Identity patterns

### IAM, Service Accounts, Workload Identity Federation

| Concept | Use |
|---------|-----|
| **Cloud IAM** | Role-based access control for users, groups, service accounts |
| **Service Account (SA)** | Identity for an app or workload |
| **Service Account Key** | Static credential for SA — avoid in modern setups |
| **Workload Identity Federation** | Federated identity; on-prem / other-cloud workloads get GCP access without keys |
| **Workload Identity (GKE)** | K8s service accounts mapped to GCP SAs; no key mounting in pods |
| **Application Default Credentials (ADC)** | Standard library for auth; uses ambient credentials |

### Choosing identity

```
Workload running on GCP that calls other GCP services?
├── On GKE → GKE Workload Identity (KSA → GSA)
├── On Cloud Run / Functions → service identity (built-in)
├── On Compute Engine → instance service account
└── In a CI/CD pipeline outside GCP → Workload Identity Federation (no keys)

Workload outside GCP needing GCP access?
├── From AWS / Azure / OIDC provider → Workload Identity Federation
└── Last resort → Service Account key (rotate frequently)

User-facing auth?
└── Identity Platform (GCP's auth-as-a-service; or Firebase Auth for client-direct)
```

### Least-privilege IAM

GCP supports three forms:

- **Predefined roles** (e.g., `roles/storage.objectViewer`) — preferred
- **Custom roles** at organization or project — when predefined doesn't fit
- **Basic roles** (`owner`, `editor`, `viewer`) — too broad; avoid in production

Bind roles at the most specific scope:

- Resource → preferred
- Project → standard for project-scoped apps
- Folder → for organizational sub-tree
- Organization → only org-wide admins

---

## Google Cloud Architecture Framework (CAF)

GCP's framework has five pillars (same naming families as Azure/AWS but with Google flavor).

| Pillar | Core question |
|--------|---------------|
| **Operational Excellence** | Can the team operate, deploy, observe, and recover safely? |
| **Security, Privacy, and Compliance** | Can the workload defend, contain, recover, and meet regulatory needs? |
| **Reliability** | Will the workload remain available under expected and unexpected conditions? |
| **Cost Optimization** | Is the workload spending only what's needed for the value delivered? |
| **Performance Optimization** | Does it meet performance needs without over-provisioning? |

Use `scripts/gcp_caf_scorer.py --workload-config workload.yaml` to score against each pillar.

See [references/gcp-well-architected.md](references/gcp-well-architected.md) for the per-pillar deep dive: 10-question checklist per pillar, common findings, remediation patterns.

---

## Cost optimization

### Cost levers from biggest to smallest

| Lever | Typical savings | Effort |
|-------|-----------------|--------|
| **Right-sizing** | 30-50% | Low |
| **Committed Use Discounts (CUDs) / Sustained Use Discounts (SUDs)** | 20-70% | Low (commitment) |
| **Autoscaling** | 20-40% | Medium |
| **Preemptible / Spot VMs** | up to 91% | Medium |
| **Storage class tiering** | 30-95% on storage | Low |
| **Egress reduction** (Cloud CDN; private peering) | Variable, large | Medium-High |
| **Decommission unused** | Variable | Low |
| **BigQuery slot reservations** | 30-50% on analytics | Medium |
| **Region choice** | 10-25% | High |

---

The page also carries the tail of the cost-estimator script (`scripts/gcp_cost_estimator.py`): the report footer, CLI argument parsing and entry point. The start of the file is not captured, so the excerpt begins just after the report's TOTAL line.

```python
    out.append("")
    if suggestions:
        out.append("Optimization opportunities:")
        for s in suggestions:
            out.append(f"  {s}")
    out.append("")
    out.append("NOTE: Estimates are approximations using list prices (no SUDs/CUDs).")
    out.append("Always validate with Google Cloud Pricing Calculator for procurement.")
    return "\n".join(out)


def parse_args() -> argparse.Namespace:
    p = argparse.ArgumentParser(
        description="Estimate GCP monthly cost from workload spec",
        formatter_class=argparse.RawDescriptionHelpFormatter,
        epilog=__doc__,
    )
    p.add_argument("--workload-config", required=True, help="Path to workload YAML spec")
    p.add_argument("--format", choices=["human", "json"], default="human")
    p.add_argument("--output", help="Output file path")
    return p.parse_args()


def main() -> int:
    args = parse_args()
    try:
        spec = parse_yaml(Path(args.workload_config).read_text())
    except OSError as e:
        print(f"error: {e}", file=sys.stderr)
        return 2
    lines, suggestions = estimate(spec)
    if args.format == "json":
        out = json.dumps(
            {
                "lines": [asdict(l) for l in lines],
                "total_monthly_usd": sum(l.monthly_usd for l in lines),
                "suggestions": suggestions,
            },
            indent=2,
        )
    else:
        out = render_human(lines, suggestions)
    if args.output:
        Path(args.output).write_text(out)
        print(f"wrote {args.output}", file=sys.stderr)
    else:
        print(out)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```
(move)","type":"text"}]}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Cost anti-patterns","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Premium service tiers by default.","type":"text","marks":[{"type":"strong"}]},{"text":" Enterprise Spanner / large BigQuery on-demand / GKE Standard when Autopilot suffices.","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"No autoscaling.","type":"text","marks":[{"type":"strong"}]},{"text":" Always provisioned at peak. Easy 30-40% savings.","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Egress through public internet.","type":"text","marks":[{"type":"strong"}]},{"text":" Multi-region without peering or Cloud CDN.","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Logs / metrics retention at default 30+ days for all data.","type":"text","marks":[{"type":"strong"}]},{"text":" Tiering needed.","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"BigQuery on-demand pricing for stable, high-query workloads.","type":"text","marks":[{"type":"strong"}]},{"text":" Reserved slots beat on-demand at scale.","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Preemptible VMs not used for batch / fault-tolerant workloads.","type":"text","marks":[{"type":"strong"}]},{"text":" Up to 91% savings missed.","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Public IPs forgotten.","type":"text","marks":[{"type":"strong"}]},{"text":" Each costs a few dollars/mo; multiply by hundreds of orphans.","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"See 
","type":"text"},{"text":"references/gcp-cost-optimization.md","type":"text","marks":[{"type":"link","attrs":{"href":"references/gcp-cost-optimization.md","title":null}}]},{"text":" for the full lever catalog and detection patterns.","type":"text"}]},{"type":"hr","attrs":{"markup":"---"}},{"type":"heading","attrs":{"level":2},"content":[{"text":"End-to-end workflows","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Workflow: Design a new workload","type":"text"}]},{"type":"ordered_list","attrs":{"order":1,"listStyle":"number"},"content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Understand requirements","type":"text","marks":[{"type":"strong"}]},{"text":" — traffic, data scale, latency, region requirements, compliance.","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Pick compute","type":"text","marks":[{"type":"strong"}]},{"text":" using the decision tree.","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Pick data stores","type":"text","marks":[{"type":"strong"}]},{"text":" using the decision tree.","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Design networking","type":"text","marks":[{"type":"strong"}]},{"text":" — VPC topology, PSC, LB pattern.","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Design identity","type":"text","marks":[{"type":"strong"}]},{"text":" — Service Accounts, Workload Identity, IAM scopes.","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Plan observability","type":"text","marks":[{"type":"strong"}]},{"text":" — Cloud Logging, Cloud Monitoring, Cloud Trace, Cloud Profiler.","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Estimate cost","type":"text","marks":[{"type":"strong"}]},{"text":" with 
","type":"text"},{"text":"scripts/gcp_cost_estimator.py","type":"text","marks":[{"type":"code_inline"}]},{"text":".","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Validate against CAF","type":"text","marks":[{"type":"strong"}]},{"text":" with ","type":"text"},{"text":"scripts/gcp_caf_scorer.py","type":"text","marks":[{"type":"code_inline"}]},{"text":".","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Document","type":"text","marks":[{"type":"strong"}]},{"text":" the architecture; share for review.","type":"text"}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Workflow: Review an existing GCP architecture","type":"text"}]},{"type":"ordered_list","attrs":{"order":1,"listStyle":"number"},"content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Gather artifacts","type":"text","marks":[{"type":"strong"}]},{"text":" — Terraform code, network diagrams, service inventory.","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Run the validator","type":"text","marks":[{"type":"strong"}]},{"text":" — ","type":"text"},{"text":"scripts/gcp_architecture_validator.py --terraform ./infra/*.tf","type":"text","marks":[{"type":"code_inline"}]},{"text":" flags structural issues.","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Run CAF scorer","type":"text","marks":[{"type":"strong"}]},{"text":" with the workload's actual config.","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Identify high-cost components","type":"text","marks":[{"type":"strong"}]},{"text":" with the cost estimator.","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Produce findings","type":"text","marks":[{"type":"strong"}]},{"text":" by pillar with severity and 
recommendation.","type":"text"}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Workflow: Migrate from AWS / Azure to GCP","type":"text"}]},{"type":"ordered_list","attrs":{"order":1,"listStyle":"number"},"content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Map services","type":"text","marks":[{"type":"strong"}]},{"text":" — most have equivalents (SQS → Pub/Sub; SNS → Pub/Sub topics; Lambda → Cloud Functions / Cloud Run; DynamoDB → Bigtable or Firestore; S3 → Cloud Storage; RDS → Cloud SQL or Spanner).","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Re-evaluate the architecture","type":"text","marks":[{"type":"strong"}]},{"text":" in GCP-native terms (BigQuery is often the right answer for analytics in ways no other cloud quite matches).","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Network parity","type":"text","marks":[{"type":"strong"}]},{"text":" — VPC equivalent (global VPC is unique to GCP); IAM equivalent; private connectivity (PSC).","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Data migration","type":"text","marks":[{"type":"strong"}]},{"text":" — Database Migration Service for many SQL scenarios; Storage Transfer Service for object data; Datastream for CDC.","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Cost re-estimate","type":"text","marks":[{"type":"strong"}]},{"text":" — GCP pricing differs per-service; don't assume parity.","type":"text"}]}]}]},{"type":"hr","attrs":{"markup":"---"}},{"type":"heading","attrs":{"level":2},"content":[{"text":"Anti-patterns (GCP-specific)","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Service Account keys committed to source control.","type":"text","marks":[{"type":"strong"}]},{"text":" Use Workload Identity Federation everywhere 
possible.","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Single-zone production","type":"text","marks":[{"type":"strong"}]},{"text":" — use multi-zone or regional resources by default.","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"No org policies","type":"text","marks":[{"type":"strong"}]},{"text":" — set up Org Policy constraints (e.g., disallowed services, allowed regions, no public IPs).","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Compute Engine VMs with public IPs by default.","type":"text","marks":[{"type":"strong"}]},{"text":" Use NAT Gateway + private IPs.","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"GCS bucket allUsers read","type":"text","marks":[{"type":"strong"}]},{"text":" — almost never wanted; use IAM + signed URLs.","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Default network in use","type":"text","marks":[{"type":"strong"}]},{"text":" — delete the default VPC; create your own with explicit subnets.","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"BigQuery on-demand for known high-volume workloads.","type":"text","marks":[{"type":"strong"}]},{"text":" Buy slot reservations.","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Cloud SQL without HA","type":"text","marks":[{"type":"strong"}]},{"text":" — single-zone DB is one zone outage from disaster.","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Service account = same email as default Compute SA used everywhere.","type":"text","marks":[{"type":"strong"}]},{"text":" Create distinct SAs per workload.","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Firestore Native + Datastore 
mixed","type":"text","marks":[{"type":"strong"}]},{"text":" — same project can't have both modes simultaneously; design once.","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"GKE Standard when Autopilot would work.","type":"text","marks":[{"type":"strong"}]},{"text":" Autopilot eliminates node management; cheaper to operate.","type":"text"}]}]}]},{"type":"hr","attrs":{"markup":"---"}},{"type":"heading","attrs":{"level":2},"content":[{"text":"Tooling outputs","type":"text"}]},{"type":"table","attrs":{"layout":null},"content":[{"type":"tr","content":[{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Script","type":"text"}]}]},{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Input","type":"text"}]}]},{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Output","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"scripts/gcp_architecture_validator.py","type":"text","marks":[{"type":"code_inline"}]}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Terraform file or YAML workload spec","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Structural issues, anti-pattern findings, missing best-practice 
settings","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"scripts/gcp_cost_estimator.py","type":"text","marks":[{"type":"code_inline"}]}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"YAML workload spec (services + tiers + scale)","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Per-service monthly cost estimate, total, optimization opportunities","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"scripts/gcp_caf_scorer.py","type":"text","marks":[{"type":"code_inline"}]}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"YAML workload spec","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Score per CAF pillar, gap analysis, recommendations","type":"text"}]}]}]}]},{"type":"paragraph","content":[{"text":"All scripts: stdlib only, argparse CLI, JSON or markdown output.","type":"text"}]},{"type":"hr","attrs":{"markup":"---"}},{"type":"heading","attrs":{"level":2},"content":[{"text":"References","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"gcp-services-reference.md","type":"text","marks":[{"type":"link","attrs":{"href":"references/gcp-services-reference.md","title":null}}]},{"text":" — per-service depth: tiers, SLAs, limits, when to 
upgrade","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"gcp-well-architected.md","type":"text","marks":[{"type":"link","attrs":{"href":"references/gcp-well-architected.md","title":null}}]},{"text":" — 5-pillar CAF assessment with questions and remediations","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"gcp-cost-optimization.md","type":"text","marks":[{"type":"link","attrs":{"href":"references/gcp-cost-optimization.md","title":null}}]},{"text":" — cost levers, anti-patterns, detection heuristics","type":"text"}]}]}]},{"type":"hr","attrs":{"markup":"---"}},{"type":"heading","attrs":{"level":2},"content":[{"text":"Related skills","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"engineering/senior-cloud-architect","type":"text","marks":[{"type":"code_inline"}]},{"text":" — generic multi-cloud architecture patterns","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"engineering/aws-solution-architect","type":"text","marks":[{"type":"code_inline"}]},{"text":" — AWS counterpart","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"engineering/azure-cloud-architect","type":"text","marks":[{"type":"code_inline"}]},{"text":" — Azure counterpart","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"engineering/kubernetes-operator","type":"text","marks":[{"type":"code_inline"}]},{"text":" — for GKE operator-pattern workloads","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"ra-qm-team/information-security-manager-iso27001","type":"text","marks":[{"type":"code_inline"}]},{"text":" — compliance-mapped controls (GCP has Security Command 
Center)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"ra-qm-team/soc2-compliance-expert","type":"text","marks":[{"type":"code_inline"}]},{"text":" — GCP-specific SOC 2 evidence collection","type":"text"}]}]}]},{"type":"hr","attrs":{"markup":"---"}}]},"metadata":{"date":"2026-06-05","name":"gcp-cloud-architect","author":"@skillopedia","source":{"stars":209,"repo_name":"claude-skills","origin_url":"https://github.com/borghei/claude-skills/blob/HEAD/engineering/gcp-cloud-architect/SKILL.md","repo_owner":"borghei","body_sha256":"e450c209316fb91d6852dffc1e4aa7601121f6b2e0411bf3183b6580a4f0103c","cluster_key":"d54d8a2b8dfdca033630606d9d6a95e367b205cf7f67010e3c88c58738246bbf","clean_bundle":{"format":"clean-skill-bundle-v1","source":"borghei/claude-skills/engineering/gcp-cloud-architect/SKILL.md","attachments":[{"id":"6f54a48d-ab1d-5277-b533-565513270be6","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/6f54a48d-ab1d-5277-b533-565513270be6/attachment.md","path":"references/gcp-cost-optimization.md","size":12243,"sha256":"008ce4f4e5b50134742dcbb796aecc4736b8b7fb16b8b1d08d3d882a9443d762","contentType":"text/markdown; charset=utf-8"},{"id":"e3d62665-34bd-5076-93bc-63352c130d2d","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/e3d62665-34bd-5076-93bc-63352c130d2d/attachment.md","path":"references/gcp-services-reference.md","size":16144,"sha256":"3fa473c133b703cb1e7ff4c153c6540d1b8fd9240e3eef73140e4d2bf8c51fbd","contentType":"text/markdown; charset=utf-8"},{"id":"a56a6417-11a0-5265-83ef-be9de11544fe","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/a56a6417-11a0-5265-83ef-be9de11544fe/attachment.md","path":"references/gcp-well-architected.md","size":12438,"sha256":"4aebafe2f87e9146406dda81be5f1ba62bff173d64b0d4f473d28183503d6053","contentType":"text/markdown; 
charset=utf-8"},{"id":"ec81554d-0f7f-561f-9de0-3ffacc4298b4","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/ec81554d-0f7f-561f-9de0-3ffacc4298b4/attachment.py","path":"scripts/gcp_architecture_validator.py","size":15917,"sha256":"14a1cfb5dc0efcc7bebeba9f790f280c9685ec386e933a0ae174e8160e0d4d18","contentType":"text/x-python; charset=utf-8"},{"id":"b61a2361-c754-5ec5-b0c3-6f4e83a53a15","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/b61a2361-c754-5ec5-b0c3-6f4e83a53a15/attachment.py","path":"scripts/gcp_caf_scorer.py","size":23526,"sha256":"cfd3d49b15da582f5aea2da1f5363f883184c04a23ccf4ff5915622105b256d7","contentType":"text/x-python; charset=utf-8"},{"id":"b898a5d2-aa36-5da9-ae5b-ddf8051b70b0","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/b898a5d2-aa36-5da9-ae5b-ddf8051b70b0/attachment.py","path":"scripts/gcp_cost_estimator.py","size":16436,"sha256":"ab763b1e1e34b139a82802a465fd460d98de766d856ca431866340e034734037","contentType":"text/x-python; charset=utf-8"}],"bundle_sha256":"a353bb58b7a20ce74f5ec781d1cc7ade1a5309355f85c7a3def0787ee01ec168","attachment_count":6,"text_attachments":6,"attachment_storage":"skillopedia-attachments-v1","binary_attachments":0,"excluded_attachments":[]},"cluster_size":1,"skill_md_path":"engineering/gcp-cloud-architect/SKILL.md","import_metadata":{"date":"2026-06-05","author":"@skillopedia","version":"v1","category":"security","category_label":"Security"},"exact_dupes_collapsed_into_this":0},"license":"MIT + Commons Clause","version":"v1","category":"security","metadata":{"tags":["gcp","google-cloud","architecture","cloud-architecture-framework","gke","cloud-run","bigquery","iam","networking","cost-optimization"],"author":"borghei","domain":"engineering","updated":"2026-05-27T00:00:00.000Z","version":"1.0.0","category":"engineering"},"import_tag":"clean-skills-v1","description":"Design, review, and validate Google Cloud (GCP) architectures. 
Use when picking the right GCP compute (GKE / Cloud Run / Cloud Functions / GCE / Cloud Run Jobs), data store (Cloud SQL / Spanner / Firestore / BigQuery / Bigtable / Cloud Storage), networking (VPC / Private Service Connect / Cloud Load Balancing / Cloud Armor), identity (IAM / Workload Identity Federation / Service Accounts), or applying the Google Cloud Architecture Framework (Operational Excellence, Security, Reliability, Cost Optimization, Performance Optimization) to a workload. Pairs with our existing senior-cloud-architect (multi-cloud, abstract patterns) by going deep on GCP-specific services, pricing, and operational defaults.\n"}},"renderedAt":1782980727146}