alirezarezvani/gcp-cloud-architect

GCP Cloud Architect

Design scalable, cost-effective Google Cloud architectures for startups and enterprises with infrastructure-as-code templates.

---

Workflow

Step 1: Gather Requirements

Collect application specifications:

- Application type (web app, mobile backend, data pipeline, SaaS)
- Expected users and requests per second
- Budget constraints (monthly spend limit)
- Team size and GCP experience level
- Compliance requirements (GDPR, HIPAA, SOC 2)
- Availability requirements (SLA, RPO/RTO)

Step 2: Design Architecture

Run the architecture designer to get pattern recommendations:

python scripts/architecture_designer.py --input requirements.json

Example output:

{
  "recommended_pattern": "serverless_web",
  "service_stack": ["Cloud Storage", "Cloud CDN", "Cloud Run", "Firestore", "Identity Platform"],
  "estimated_monthly_cost_usd": 30,
  "pros": ["Low ops overhead", "Pay-per-use", "Auto-scaling", "No cold starts on Cloud Run min instances"],
  "cons": ["Vendor lock-in", "Regional limitations", "Eventual consistency with Firestore"]
}

Select from recommended patterns:

• Serverless Web: Cloud Storage + Cloud CDN + Cloud Run + Firestore
• Microservices on GKE: GKE Autopilot + Cloud SQL + Memorystore + Cloud Pub/Sub
• Serverless Data Pipeline: Pub/Sub + Dataflow + BigQuery + Looker
• ML Platform: Vertex AI + Cloud Storage + BigQuery + Cloud Functions

See references/architecture_patterns.md for detailed pattern specifications.

Validation checkpoint: Confirm the recommended pattern matches the team's operational maturity and compliance requirements before proceeding to Step 3.

Step 3: Estimate Cost

Analyze estimated costs and optimization opportunities:

python scripts/cost_optimizer.py --resources current_setup.json --monthly-spend 2000

Example output:

{
  "current_monthly_usd": 2000,
  "recommendations": [
    { "action": "Right-size Cloud SQL db-custom-4-16384 to db-custom-2-8192", "savings_usd": 380, "priority": "high" },
    { "action": "Purchase 1-yr committed use discount for GKE nodes", "savings_usd": 290, "priority": "high" },
    { "action": "Move Cloud Storage objects >90 days to Nearline", "savings_usd": 75, "priority": "medium" }
  ],
  "total_potential_savings_usd": 745
}

Output includes:

• Monthly cost breakdown by service
• Right-sizing recommendations
• Committed use discount opportunities
• Sustained use discount analysis
• Potential monthly savings

Use the GCP Pricing Calculator for detailed estimates.

Step 4: Generate IaC

Create infrastructure-as-code for the selected pattern:

python scripts/deployment_manager.py --app-name my-app --pattern serverless_web --region us-central1

Example Terraform HCL output (Cloud Run + Firestore):

terraform {
  required_providers {
    google = {
      source  = "hashicorp/google"
      version = "~> 5.0"
    }
  }
}

provider "google" {
  project = var.project_id
  region  = var.region
}

variable "project_id" {
  description = "GCP project ID"
  type        = string
}

variable "region" {
  description = "GCP region"
  type        = string
  default     = "us-central1"
}

resource "google_cloud_run_v2_service" "api" {
  name     = "${var.environment}-${var.app_name}-api"
  location = var.region

  template {
    containers {
      image = "gcr.io/${var.project_id}/${var.app_name}:latest"
      resources {
        limits = {
          cpu    = "1000m"
          memory = "512Mi"
        }
      }
      env {
        name  = "FIRESTORE_PROJECT"
        value = var.project_id
      }
    }
    scaling {
      min_instance_count = 0
      max_instance_count = 10
    }
  }
}

resource "google_firestore_database" "default" {
  project     = var.project_id
  name        = "(default)"
  location_id = var.region
  type        = "FIRESTORE_NATIVE"
}

Example gcloud CLI deployment:

# Deploy Cloud Run service
gcloud run deploy my-app-api \
  --image gcr.io/$PROJECT_ID/my-app:latest \
  --region us-central1 \
  --platform managed \
  --allow-unauthenticated \
  --memory 512Mi \
  --cpu 1 \
  --min-instances 0 \
  --max-instances 10

# Create Firestore database
gcloud firestore databases create --location=us-central1

Full templates including Cloud CDN, Identity Platform, IAM, and Cloud Monitoring are generated by deployment_manager.py and also available in references/architecture_patterns.md.

Step 5: Configure CI/CD

Set up automated deployment with Cloud Build or GitHub Actions:

# cloudbuild.yaml
steps:
  - name: 'gcr.io/cloud-builders/docker'
    args: ['build', '-t', 'gcr.io/$PROJECT_ID/my-app:$COMMIT_SHA', '.']

  - name: 'gcr.io/cloud-builders/docker'
    args: ['push', 'gcr.io/$PROJECT_ID/my-app:$COMMIT_SHA']

  - name: 'gcr.io/google.com/cloudsdktool/cloud-sdk'
    entrypoint: gcloud
    args:
      - 'run'
      - 'deploy'
      - 'my-app-api'
      - '--image=gcr.io/$PROJECT_ID/my-app:$COMMIT_SHA'
      - '--region=us-central1'
      - '--platform=managed'

images:
  - 'gcr.io/$PROJECT_ID/my-app:$COMMIT_SHA'

# Connect repo and create trigger
gcloud builds triggers create github \
  --repo-name=my-app \
  --repo-owner=my-org \
  --branch-pattern="^main$" \
  --build-config=cloudbuild.yaml

Step 6: Security Review

Verify security configuration:

# Review IAM bindings
gcloud projects get-iam-policy $PROJECT_ID --format=json

# Check service account permissions
gcloud iam service-accounts list --project=$PROJECT_ID

# Verify VPC Service Controls (if applicable)
gcloud access-context-manager perimeters list --policy=$POLICY_ID

Security checklist:

• IAM roles follow least privilege (prefer predefined roles over basic roles)
• Service accounts use Workload Identity for GKE
• VPC Service Controls configured for sensitive APIs
• Cloud KMS encryption keys for customer-managed encryption
• Cloud Audit Logs enabled for all admin activity
• Organization policies restrict public access
• Secret Manager used for all credentials

If deployment fails:

1. Check the failure reason:

   gcloud run services describe my-app-api --region us-central1
   gcloud logging read "resource.type=cloud_run_revision" --limit=20
   

2. Review Cloud Logging for application errors.
3. Fix the configuration or container image.
4. Redeploy:

   gcloud run deploy my-app-api --image gcr.io/$PROJECT_ID/my-app:latest --region us-central1
   

Common failure causes:

• IAM permission errors -- verify service account roles and --allow-unauthenticated flag
• Quota exceeded -- request quota increase via IAM & Admin > Quotas
• Container startup failure -- check container logs and health check configuration
• Region not enabled -- enable the required APIs with gcloud services enable

---

Tools

architecture_designer.py

Recommends GCP services based on workload requirements.

python scripts/architecture_designer.py --input requirements.json --output design.json

Input: JSON with app type, scale, budget, compliance needs Output: Recommended pattern, service stack, cost estimate, pros/cons

cost_optimizer.py

Analyzes GCP resources for cost savings.

python scripts/cost_optimizer.py --resources inventory.json --monthly-spend 5000

Output: Recommendations for:

• Idle resource removal
• Machine type right-sizing
• Committed use discounts
• Storage class transitions
• Network egress optimization

deployment_manager.py

Generates gcloud CLI deployment scripts and Terraform configurations.

python scripts/deployment_manager.py --app-name my-app --pattern serverless_web --region us-central1

Output: Production-ready deployment scripts with:

• Cloud Run or GKE deployment
• Firestore or Cloud SQL setup
• Identity Platform configuration
• IAM roles with least privilege
• Cloud Monitoring and Logging

---

Quick Start

Web App on Cloud Run (< $100/month)

Ask: "Design a serverless web backend for a mobile app with 1000 users"

Result:
- Cloud Run for API (auto-scaling, no cold start with min instances)
- Firestore for data (pay-per-operation)
- Identity Platform for authentication
- Cloud Storage + Cloud CDN for static assets
- Estimated: $15-40/month

Microservices on GKE ($500-2000/month)

Ask: "Design a scalable architecture for a SaaS platform with 50k users"

Result:
- GKE Autopilot for containerized workloads
- Cloud SQL (PostgreSQL) with read replicas
- Memorystore (Redis) for session caching
- Cloud CDN for global delivery
- Cloud Build for CI/CD
- Multi-zone deployment

Serverless Data Pipeline

Ask: "Design a real-time analytics pipeline for event data"

Result:
- Pub/Sub for event ingestion
- Dataflow (Apache Beam) for stream processing
- BigQuery for analytics and warehousing
- Looker for dashboards
- Cloud Functions for lightweight transforms

ML Platform

Ask: "Design a machine learning platform for model training and serving"

Result:
- Vertex AI for training and prediction
- Cloud Storage for datasets and model artifacts
- BigQuery for feature store
- Cloud Functions for preprocessing triggers
- Cloud Monitoring for model drift detection

---

Input Requirements

Provide these details for architecture design:

| Requirement | Description | Example | |-------------|-------------|---------| | Application type | What you're building | SaaS platform, mobile backend | | Expected scale | Users, requests/sec | 10k users, 100 RPS | | Budget | Monthly GCP limit | $500/month max | | Team context | Size, GCP experience | 3 devs, intermediate | | Compliance | Regulatory needs | HIPAA, GDPR, SOC 2 | | Availability | Uptime requirements | 99.9% SLA, 1hr RPO |

JSON Format:

{
  "application_type": "saas_platform",
  "expected_users": 10000,
  "requests_per_second": 100,
  "budget_monthly_usd": 500,
  "team_size": 3,
  "gcp_experience": "intermediate",
  "compliance": ["SOC2"],
  "availability_sla": "99.9%"
}

---

Output Formats

Architecture Design

• Pattern recommendation with rationale
• Service stack diagram (ASCII)
• Monthly cost estimate and trade-offs

IaC Templates

• Terraform HCL: Production-ready Google provider configs
• gcloud CLI: Scripted deployment commands
• Cloud Build YAML: CI/CD pipeline definitions

Cost Analysis

• Current spend breakdown with optimization recommendations
• Priority action list (high/medium/low) and implementation checklist

---

Anti-Patterns

| Anti-Pattern | Why It Fails | Better Approach | |---|---|---| | Using default VPC for production | No isolation, shared firewall rules | Create custom VPC with private subnets | | Over-provisioning GKE node pools | Wasted cost on idle capacity | Use GKE Autopilot or cluster autoscaler | | Storing secrets in environment variables | Visible in Cloud Console, logs | Use Secret Manager with Workload Identity | | Ignoring sustained use discounts | Missing 20-30% automatic savings | Right-size VMs for consistent baseline usage | | Single-region deployment for SaaS | One region outage = full downtime | Multi-region with Cloud Load Balancing | | BigQuery on-demand for heavy workloads | Unpredictable costs at scale | Use BigQuery slots (flat-rate) for consistent workloads | | Running Cloud Functions for long tasks | 9-minute timeout, cold starts | Use Cloud Run for tasks > 60 seconds |

---

Cross-References

| Skill | Relationship | |-------|-------------| | engineering-team/aws-solution-architect | AWS equivalent — same 6-step workflow, different services | | engineering-team/azure-cloud-architect | Azure equivalent — completes the cloud trifecta | | engineering-team/senior-devops | Broader DevOps scope — pipelines, monitoring, containerization | | engineering/terraform-patterns | IaC implementation — use for Terraform modules targeting GCP | | engineering/ci-cd-pipeline-builder | Pipeline construction — automates Cloud Build and deployment |

---

Reference Documentation

| Document | Contents | |----------|----------| | references/architecture_patterns.md | 6 patterns: serverless, GKE microservices, three-tier, data pipeline, ML platform, multi-region | | references/service_selection.md | Decision matrices for compute, database, storage, messaging | | references/best_practices.md | Naming, labels, IAM, networking, monitoring, disaster recovery |