Google Cloud

Deploy, monitor, and manage GCP services with battle-tested patterns.
ivangdavila
Developer tools · clawhub · v1.0.0 · 1 version · Key: not required

Overview

Google Cloud Production Rules

Cost Traps

  • Stopped Compute Engine VMs still pay for persistent disks and static IPs — delete disks or use snapshots for long-term storage
  • Cloud NAT charges per VM and per GB processed — use Private Google Access for GCP API traffic instead
  • BigQuery on-demand pricing charges for bytes scanned, not rows returned — partition tables; LIMIT is fine for previewing results in dev, but it does not reduce bytes scanned, so it saves nothing in prod
  • Preemptible VMs save 80% but can be terminated anytime — only for fault-tolerant batch workloads
  • Egress to internet costs, egress to same region is free — keep resources in same region, use Cloud CDN for global distribution

Security Rules

  • Service accounts are both identity and resource — one service account can impersonate another with roles/iam.serviceAccountTokenCreator
  • IAM policy inheritance: Organization → Folder → Project → Resource — deny policies at org level override allows below
  • VPC Service Controls protect against data exfiltration — but break Cloud Console access if not configured with access levels
  • Default Compute Engine service account has Editor role — create dedicated service accounts with least privilege
  • Workload Identity Federation eliminates service account keys — use for GitHub Actions, GitLab CI, external workloads

Networking

  • VPC is global, subnets are regional — unlike AWS, single VPC can span all regions
  • VPC firewall has implied rules: deny all ingress, allow all egress — add explicit deny rules if egress needs to be restricted
  • Private Google Access is per-subnet setting — enable on every subnet that needs to reach GCP APIs without public IP
  • Cloud Load Balancer global vs regional — global for multi-region, but regional is simpler and cheaper for single region
  • Shared VPC separates network admin from project admin — host project owns network, service projects consume it

Performance

  • Cloud Functions gen1 has 9-minute timeout — gen2 (Cloud Run based) allows 60 minutes
  • Cloud SQL connection limits vary by instance size — use connection pooling or Cloud SQL Auth Proxy
  • Firestore/Datastore hotspotting on sequential IDs — use UUIDs or reverse timestamps for document IDs
  • GKE Autopilot simplifies but limits — no DaemonSets, no privileged containers, no host network
  • Cloud Storage single object limit is 5TB — use object compose for larger objects and parallel uploads for faster transfers

Monitoring

  • Cloud Logging retention: 30 days default, `_Required` bucket is 400 days — create a custom bucket with longer retention for compliance
  • Cloud Monitoring alert policies have 24-hour auto-close — incident disappears even if issue persists, configure notification channels for re-alert
  • Error Reporting groups by stack trace — same error with different messages creates duplicates
  • Cloud Trace sampling is automatic — may miss rare errors, increase sampling rate for debugging
  • Audit logs: Admin Activity always on, Data Access off by default — enable Data Access logs for security compliance

Infrastructure as Code

  • Terraform google provider requires project ID everywhere — use google_project data source or variables, never hardcode
  • gcloud commands are imperative — use Deployment Manager or Terraform for reproducible infra
  • Cloud Build triggers on push, but IAM permissions are confusing on the first run — grant the Cloud Build service account the necessary roles before the first deploy
  • Project deletion has 30-day recovery period — but project ID is globally unique forever, can't reuse
  • Labels propagate to billing — use consistent labeling for cost allocation: env, team, service

IAM Best Practices

  • Primitive roles (Owner/Editor/Viewer) are too broad — use predefined roles, create custom for least privilege
  • Service account keys are security liability — use Workload Identity, impersonation, or attached service accounts instead
  • roles/iam.serviceAccountUser lets you run as that SA — equivalent to having its permissions, grant carefully
  • Organization policies restrict what projects can do — constraints/compute.vmExternalIpAccess blocks public VMs org-wide
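As an added example that is not part of this skill or of any Google tool, the audit below applies the Security Rules and IAM Best Practices above (primitive roles, `roles/iam.serviceAccountTokenCreator` and `roles/iam.serviceAccountUser` grants, bindings on the default Compute Engine service account) to a project IAM policy in the JSON shape that `gcloud projects get-iam-policy PROJECT --format=json` returns. The sample policy, project number and principals are constructed placeholders.

```python
"""Audit a GCP project IAM policy against the rules on this page (added example)."""
import re

# Rule: primitive roles are too broad; use predefined or custom roles.
PRIMITIVE_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
# Rule: these grants let the member run as, or mint tokens for, a service account.
IMPERSONATION_ROLES = {
    "roles/iam.serviceAccountTokenCreator",
    "roles/iam.serviceAccountUser",
}
# Rule: the default Compute Engine SA ships with Editor; use dedicated SAs instead.
DEFAULT_COMPUTE_SA = re.compile(
    r"^serviceAccount:\d+-compute@developer\.gserviceaccount\.com$"
)


def audit_policy(policy: dict) -> list[tuple[str, str, str]]:
    """Return (rule, member, role) findings for every binding that breaks a rule."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            if role in PRIMITIVE_ROLES:
                findings.append(("PRIMITIVE_ROLE", member, role))
            if role in IMPERSONATION_ROLES:
                findings.append(("IMPERSONATION_GRANT", member, role))
            if DEFAULT_COMPUTE_SA.match(member):
                findings.append(("DEFAULT_COMPUTE_SA_BOUND", member, role))
    return findings


# Constructed sample policy; 123456789012 and the example.com principals are placeholders.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/editor",
         "members": ["serviceAccount:123456789012-compute@developer.gserviceaccount.com"]},
        {"role": "roles/iam.serviceAccountTokenCreator",
         "members": ["user:alice@example.com"]},
        {"role": "roles/logging.viewer",
         "members": ["group:sre@example.com"]},
    ],
    "etag": "placeholder-etag",
}

if __name__ == "__main__":
    for rule, member, role in audit_policy(SAMPLE_POLICY):
        print(f"{rule}: {member} has {role}")
```

Pipe the real policy in with `json.load` on the `gcloud` output and act on each finding by replacing the binding with a predefined or custom role on a dedicated service account.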

Version history

1 version in total

  • v1.0.0 (current)
    2026-03-28 14:42 · security scan: safe

Security scan

Tencent Cloud Security (Keen): safe, no risk
Tencent Cloud Security (Sanbu): safe, no risk
